Discussion:
Is anyone else getting hammered by Russian spam
Philip Parsons
2014-03-06 15:56:45 UTC
Any pointers to a rule that can block it? It is all just Russian words.

Thank you
P Parsons
Richard Siddall
2014-03-06 16:10:52 UTC
Post by Philip Parsons
Any pointers to a rule that can block it? It is all just Russian words.
Thank you
P Parsons
This was posted to the list in 2012:
http://lists.mailscanner.info/pipermail/mailscanner/attachments/20120829/ea410e7b/attachment.obj

I haven't tried it.

Richard.
Steve Campbell
2014-03-06 16:16:34 UTC
Russian Federation, Ukraine, Taiwan. I put these IP blocks in my
firewall since I see them trying to hack email passwords as well, along
with user accounts on my other servers.

steve
Philip Parsons
2014-03-06 17:11:22 UTC
Can you supply the IP lists that you have had success with?

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Steve Campbell
2014-03-06 17:56:03 UTC
Way too many to even try looking up. Look at the headers of the email,
and find a site that lists the IP block for that IP. You sometimes can
just do a "whois" and get this information.

China is another one that seems to be attempting the hacks as well.

steve
Terry Hulen Jr
2014-03-06 18:29:56 UTC
The only time I had to start going through and listing IP blocks to be,
erm, blocked, was before I was using RBLs. Do you have those configured?
If so, are they configured on the MTA's config? If not, put them there.
That cut down on so much crap when I started doing that years ago.
Richard Mealing
2014-03-07 05:05:42 UTC
Hi Philip,

Have you looked at the RelayCountry plugin for SpamAssassin?

# Block countries
loadplugin Mail::SpamAssassin::Plugin::RelayCountry

header RELAYCOUNTRY_BAD X-Relay-Countries =~ /^(RU|CN)/
describe RELAYCOUNTRY_BAD foreign spam
score RELAYCOUNTRY_BAD 3.0

I also add Russian uri links to a rule and this catches loads of stuff.

uri LOCAL_URI_RU m{https?://.{1,40}\.ru\b}
describe LOCAL_URI_RU Contains a URI hosted in RU
score LOCAL_URI_RU 1.5


Hope this helps,
Rich
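
The two rules above, run against constructed inputs to show what each pattern does and does not match (an added example, not part of the original post). It assumes X-Relay-Countries holds space-separated country codes with the most recent relay first; the sample values and helper names are made up for illustration.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from the two rules above; this syntax behaves the same
# in Perl (SpamAssassin) and Python.
RELAYCOUNTRY_BAD = re.compile(r"^(RU|CN)")
LOCAL_URI_RU = re.compile(r"https?://.{1,40}\.ru\b")
SCORES = {"RELAYCOUNTRY_BAD": 3.0, "LOCAL_URI_RU": 1.5}


def rules_hit(relay_countries, uris):
    """Return the names of the rules that fire for one message."""
    hits = []
    # Assumption: relay_countries is the X-Relay-Countries value, newest relay first.
    if RELAYCOUNTRY_BAD.search(relay_countries):
        hits.append("RELAYCOUNTRY_BAD")
    if any(LOCAL_URI_RU.search(u) for u in uris):
        hits.append("LOCAL_URI_RU")
    return hits


def added_score(relay_countries, uris):
    """Points these two rules add to the message's total score."""
    return sum(SCORES[name] for name in rules_hit(relay_countries, uris))


def uri_false_positives(uris):
    """URIs that LOCAL_URI_RU matches although the host is not under .ru."""
    out = []
    for u in uris:
        host = urlsplit(u).hostname or ""
        if LOCAL_URI_RU.search(u) and not host.endswith(".ru"):
            out.append(u)
    return out


# Constructed samples: (X-Relay-Countries value, URIs found in the body).
SAMPLES = {
    "ru_first_hop": ("RU US", ["http://shop.example.ru/offer"]),
    "ru_later_hop": ("US RU", []),  # the ^ anchor only looks at the first code
    "us_with_ru_path": ("US", ["http://docs.example.org/files/intro.ru.html"]),
    "us_dot_run": ("US", ["http://example.run/"]),  # \b keeps .run from matching
}

if __name__ == "__main__":
    for name, (countries, uris) in SAMPLES.items():
        print(name, rules_hit(countries, uris), added_score(countries, uris),
              uri_false_positives(uris))
```

The `us_with_ru_path` sample shows that the URI pattern is not limited to the host part, so `.ru` in a path on any domain also adds the 1.5 points.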
