spam forex from .ru domain


Sophie Loe

Sep 14, 2018, 3:14:46 AM
to rspamd@googlegroups.com
Hi,

Saw this come through the server this morning; it scored a minus figure, giving it a free pass. Is there a spam/ham corpus Rspamd.com needs?
Best, Sophie


Return-Path: <no-r...@perm-forex.ru>
Delivered-To: te...@example.co.uk
Received: from mxrelay.example.co.uk
by mxrelay (Dovecot) with LMTP id BtkUBTgVm1tlQAAAQEGcbA
for <te...@example.co.uk>; Fri, 14 Sep 2018 01:56:08 +0000
Received: from perm-forex.ru (mail.perm-forex.ru [176.9.238.85])
by mxrelay.example.co.uk (Postfix) with ESMTPS id 863A63C
for <redc...@example.co.uk>; Fri, 14 Sep 2018 01:56:04 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=perm-forex.ru; s=mail; h=List-Id:List-Unsubscribe:Content-Type:MIME-Version
:To:Reply-To:From:Subject:Date:Message-ID:Sender:Cc:Content-Transfer-Encoding
:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Help:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=0GoUYI1wNoBV0N0N34qYNiaDcHUtZFs9nGPHv3Ntrxw=; b=dmpgHMP+ZClT491ajinEBrKKnM
wLqALs1kcNzBB/SZmYveg495006fZwzmh9Em7DgMi1Vrz+iy1MT4GrFewjlJQeHgxcGA5LJv51Htq
oNCZcKHsBY+KSPqRNgcvYByusEDDnaQpxc6H/8YQSoZGIDU7wsk/kCXU3YRz2EzQ60Lk=;
Received: from static.19.179.40.188.clients.your-server.de ([188.40.179.19] helo=mw.fresh-forex.com)
by black-smtp-1.smolensk-forex.ru with esmtpa (Exim 4.90_1)
(envelope-from <no-r...@perm-forex.ru>)
id 1g0dL1-0002fL-JI
for redc...@example.co.uk; Fri, 14 Sep 2018 04:56:03 +0300
Message-ID: <75a76449e54fc102...@perm-forex.ru>
Date: Fri, 14 Sep 2018 01:55:58 +0000
Subject: Up to 5000usd per month on Forex without risk!
=?utf-8?Q?/=D0=94=D0=BE?= 5000usd =?utf-8?Q?=D0=B2_=D0=BC=D0=B5?=
=?utf-8?Q?=D1=81=D1=8F=D1=86_=D0=BD=D0=B0_=D1=84=D0=BE=D1=80=D0=B5=D0=BA?=
=?utf-8?Q?=D1=81_=D0=B1=D0=B5=D0=B7_=D1=80=D0=B8=D1=81=D0=BA=D0=B0!?=
From: FreshForex <no-r...@perm-forex.ru>
Reply-To: FreshForex <in...@take-profit24.com>
To: "redc...@example.co.uk" <redc...@example.co.uk>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="_=_swift_v4_1536890158_530c86ce34b0a23d20246c871d7e1e76_=_"
X-Sender: no-r...@perm-forex.ru
X-Rmtj-Tracking-Did: 0
X-Rmtj-Subscriber-Uid: vw759ah8z0f56
X-Rmtj-Mailer: SwiftMailer - 5.4.x
X-Rmtj-EBS: https://mw.fresh-forex.com/lists/block-address
X-Rmtj-Delivery-Sid: 21
X-Rmtj-Customer-Uid: qz3307kzd9c9e
X-Rmtj-Customer-Gid: 1
X-Rmtj-Campaign-Uid: qh8580fpomad8
X-Report-Abuse: Please report abuse for this campaign here:
https://mw.fresh-forex.com/campaigns/qh8580fpomad8/report-abuse/oe1321f1fs8a6/vw759ah8z0f56
X-Receiver: redc...@example.co.uk
Precedence: bulk
List-Unsubscribe: <https://mw.fresh-forex.com/lists/oe1321f1fs8a6/unsubscribe/vw759ah8z0f56/qh8580fpomad8/unsubscribe-direct?source=email-client-unsubscribe-button>,
<mailto:in...@take-profit24.com?subject=Campaign-Uid:qh8580fpomad8 /
Subscriber-Uid:vw759ah8z0f56 - Unsubscribe request&body=Please unsubscribe
me!>
List-Id: oe1321f1fs8a6 =?utf-8?Q?=3C=D0=A1=D0=BC=D0=B5?=
=?utf-8?Q?=D1=88=D0=B0=D0=BD=D0=BD=D0=B0=D1=8F_20=D0=BA=3E?=
Feedback-ID: qh8580fpomad8:vw759ah8z0f56:oe1321f1fs8a6:qz3307kzd9c9e
X-Spamd-Bar: /
Authentication-Results: mxrelay.example.co.uk;
dkim=pass header.d=perm-forex.ru;
dmarc=pass (policy=reject) header.from=perm-forex.ru;
spf=pass smtp.mailfrom=no-r...@perm-forex.ru
X-Rspamd-Server: mxrelay
X-Rspamd-Queue-Id: 863A63C
X-Spamd-Result: default: False [-0.54 / 14.00];
RCVD_VIA_SMTP_AUTH(0.00)[];
HAS_REPLYTO(0.00)[in...@take-profit24.com];
R_SPF_ALLOW(-0.20)[+mx];
REPLYTO_DN_EQ_FROM_DN(0.00)[];
DKIM_TRACE(0.00)[perm-forex.ru:+];
MX_GOOD(-0.01)[mail.perm-forex.ru];
DMARC_POLICY_ALLOW(-0.25)[perm-forex.ru,reject];
SUBJECT_ENDS_EXCLAIM(0.00)[];
MAILLIST(-0.10)[generic];
FROM_EQ_ENVFROM(0.00)[];
RCVD_TLS_LAST(0.00)[];
ASN(0.00)[asn:24940, ipnet:176.9.0.0/16, country:DE];
MID_RHS_MATCH_FROM(0.00)[];
BAYES_HAM(-0.22)[72.06%];
ARC_NA(0.00)[];
R_DKIM_ALLOW(-0.20)[perm-forex.ru];
FROM_HAS_DN(0.00)[];
TO_MATCH_ENVRCPT_ALL(0.00)[];
PRECEDENCE_BULK(0.00)[];
MIME_GOOD(-0.10)[multipart/alternative,text/plain];
HTML_SHORT_LINK_IMG_3(0.50)[];
REPLYTO_DOM_NEQ_FROM_DOM(0.00)[];
HAS_LIST_UNSUB(-0.01)[];
RCPT_COUNT_ONE(0.00)[1];
MANY_INVISIBLE_PARTS(0.05)[1];
TO_DN_EQ_ADDR_ALL(0.00)[];
RCVD_COUNT_TWO(0.00)[2]


--_=_swift_v4_1536890158_530c86ce34b0a23d20246c871d7e1e76_=_
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Get stable additional income on Forex, even if you don't have a lot
of mo=
ney to invest!
https://mw.fresh-forex.com/campaigns/qh8580fpomad8/track-u=
rl/vw759ah8z0f56/9b1a878602c3ddf677a1f37fc4de665f7dabab64
=C2=A0
Hello,=

Get stable additional income on Forex even if you don't have lots of
m=
oney to invest.
WIth special offer by well-known broker FreshForex collec=
t up to
5000usd per month as a start-up capital for Forex trading!
_Wha=
t is offered?_ You write posts on FreshForex forum, chat with
other trade=
rs, ask questions and get up to 10usd per each message. At
the end of the=
month transfer accumulated funds to trading account and
use them in trad=
ing!
Start trading with minimum expenses, open more trades and EARN!
=
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0
https://mw.fresh-forex.com/campaigns/q=
h8580fpomad8/track-url/vw759ah8z0f56/9b1a878602c3ddf677a1f37fc4de665f7dabab=


--Rest of the message removed.--


Karáth Attila

Sep 17, 2018, 11:40:16 AM
to rspamd
Hi Sophie,

One of my most effective modules is the ASM.

Let's see a paragraph of /etc/rspamd/local.d/multimap.conf:

PN_COUNTRY_BANNED {
  type = "country";   # match the sender IP's country code against the map
  map = "file:///etc/rspamd/maps/countries_banned.map";
  description = "IP in a banned country";
  score = 10;
}

PN_COUNTRY_SUSP {
  type = "country";
  map = "file:///etc/rspamd/maps/countries_suspictious.map";
  description = "IP in a suspicious country";
  score = 6;
}

PN_COUNTRY_CEU {
  type = "country";
  map = "file:///etc/rspamd/maps/countries_ceu.map";
  description = "IP in a Central European country";
  score = -4;   # negative score: a sender in this map gets a bonus, not a penalty
}


I've attached the list of banned countries from my config just to help you implement my solution if you wish. (Actually these countries are not banned, but they will get a 10-point penalty.)
Most of the spammers use US servers to send spam to my country, so I decided to give +6 points to US servers. The 6 points do not affect the famous mail services like Google, MS ... because the other properties (symbols) of their mails are very good. But with this penalty I can catch most of the spam. Of course you can tailor my solution to your conditions.
 
Part of one of the spam headers:

X-Spamd-Result: default: False [17.64 / 18.00];
	 HAS_REPLYTO(0.00)[pandacxt...@avazeyeshahr.com];
	 BAYES_SPAM(4.00)[100.00%];
	 R_SPF_ALLOW(-0.20)[+ip4:185.213.24.180];
	 RBL_MAILSPIKE_WORST(2.00)[180.24.213.185.rep.mailspike.net : 127.0.0.10];
	 PN_COUNTRY_SUSP(6.00)[US];
	 TO_DN_NONE(0.00)[];
	 REPLYTO_ADDR_EQ_FROM(0.00)[];
	 NEURAL_SPAM(0.00)[1.000,0];
	 DKIM_TRACE(0.00)[avazeyeshahr.com:+];
	 DMARC_POLICY_ALLOW(-0.25)[avazeyeshahr.com,none];
	 FROM_EXCESS_QP(1.20)[];
	 RCVD_COUNT_ZERO(0.00)[0];
	 FROM_EQ_ENVFROM(0.00)[];
	 IP_SCORE(3.20)[ip: (6.96), ipnet: 185.213.24.0/24(5.31), asn: 63473(3.77), country: US(-0.04)];
	 HAS_X_PRIO_ONE(0.00)[1];
	 ASN(0.00)[asn:63473, ipnet:185.213.24.0/24, country:US];
	 ARC_NA(0.00)[];
	 R_DKIM_ALLOW(-0.20)[avazeyeshahr.com];
	 FROM_HAS_DN(0.00)[];
	 TO_MATCH_ENVRCPT_ALL(0.00)[];
	 HTML_SHORT_LINK_IMG_1(2.00)[];
	 MIME_GOOD(-0.10)[multipart/alternative,text/plain];
	 HAS_LIST_UNSUB(-0.01)[];
	 RCPT_COUNT_ONE(0.00)[1];
	 RCVD_TLS_ALL(0.00)[];
	 GREYLIST(0.00)[pass,body]

Best regards


Attachment: Countries.txt
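Added example (not from either poster and not rspamd's own code): a small Python parser for the X-Spamd-Result header that recomputes the total from the listed symbols (it reproduces the -0.54 of Sophie's forex message and the 17.64 of Attila's spam sample), lists the biggest contributors, and simulates a multimap-style country rule like PN_COUNTRY_SUSP by looking up the country code that the ASN symbol reports. The two headers are embedded from the thread, with zero-score symbols other than ASN dropped since they do not change the sum; the country map passed in is an assumed stand-in for the attached Countries.txt, which is not on the page. Real rspamd resolves the country from the connecting IP via its ASN/GeoIP lookup at scan time, so this is an offline approximation of what such a rule would add, not a reimplementation of the module.

```python
"""Parse Rspamd's X-Spamd-Result header, recompute the score and simulate a
multimap 'country' rule. Added example for this thread, not rspamd's code."""
import re
from dataclasses import dataclass

# Verdict line: "X-Spamd-Result: default: False [-0.54 / 14.00];"
HEADER_RE = re.compile(
    r"X-Spamd-Result:\s*(?P<action>\w+):\s*(?P<is_spam>True|False)\s*"
    r"\[(?P<score>-?\d+(?:\.\d+)?)\s*/\s*(?P<required>-?\d+(?:\.\d+)?)\]"
)
# One scored symbol: NAME(score)[opt, opt, ...]; options never contain ']'
SYMBOL_RE = re.compile(
    r"(?P<name>[A-Z][A-Z0-9_]*)\((?P<score>-?\d+(?:\.\d+)?)\)\[(?P<opts>[^\]]*)\]"
)

# Headers copied from the two messages above (zero-score symbols other than
# ASN omitted; they do not change the sum).
HAM_HEADER = """X-Spamd-Result: default: False [-0.54 / 14.00];
\tR_SPF_ALLOW(-0.20)[+mx]; MX_GOOD(-0.01)[mail.perm-forex.ru];
\tDMARC_POLICY_ALLOW(-0.25)[perm-forex.ru,reject]; MAILLIST(-0.10)[generic];
\tASN(0.00)[asn:24940, ipnet:176.9.0.0/16, country:DE]; BAYES_HAM(-0.22)[72.06%];
\tR_DKIM_ALLOW(-0.20)[perm-forex.ru]; MIME_GOOD(-0.10)[multipart/alternative,text/plain];
\tHTML_SHORT_LINK_IMG_3(0.50)[]; HAS_LIST_UNSUB(-0.01)[]; MANY_INVISIBLE_PARTS(0.05)[1]"""

SPAM_HEADER = """X-Spamd-Result: default: False [17.64 / 18.00];
\tBAYES_SPAM(4.00)[100.00%]; R_SPF_ALLOW(-0.20)[+ip4:185.213.24.180];
\tRBL_MAILSPIKE_WORST(2.00)[180.24.213.185.rep.mailspike.net : 127.0.0.10];
\tPN_COUNTRY_SUSP(6.00)[US]; DMARC_POLICY_ALLOW(-0.25)[avazeyeshahr.com,none];
\tFROM_EXCESS_QP(1.20)[];
\tIP_SCORE(3.20)[ip: (6.96), ipnet: 185.213.24.0/24(5.31), asn: 63473(3.77), country: US(-0.04)];
\tASN(0.00)[asn:63473, ipnet:185.213.24.0/24, country:US]; R_DKIM_ALLOW(-0.20)[avazeyeshahr.com];
\tHTML_SHORT_LINK_IMG_1(2.00)[]; MIME_GOOD(-0.10)[multipart/alternative,text/plain];
\tHAS_LIST_UNSUB(-0.01)[]"""


@dataclass
class Symbol:
    name: str
    score: float
    options: list


@dataclass
class SpamdResult:
    action: str
    is_spam: bool
    score: float
    required: float
    symbols: list


def parse_spamd_result(header: str) -> SpamdResult:
    """Unfold the header (continuation lines start with whitespace) and pull
    out the verdict line plus every NAME(score)[options] entry after it."""
    unfolded = " ".join(line.strip() for line in header.splitlines())
    m = HEADER_RE.search(unfolded)
    if m is None:
        raise ValueError("not an X-Spamd-Result header")
    symbols = [
        Symbol(s["name"], float(s["score"]),
               [o.strip() for o in s["opts"].split(",") if o.strip()])
        for s in SYMBOL_RE.finditer(unfolded, m.end())
    ]
    return SpamdResult(m["action"], m["is_spam"] == "True",
                       float(m["score"]), float(m["required"]), symbols)


def recompute_score(result: SpamdResult) -> float:
    """Sum the per-symbol scores; this should equal the score rspamd printed."""
    return round(sum(s.score for s in result.symbols), 2)


def top_contributors(result: SpamdResult, n: int = 3) -> list:
    """Symbols with the largest absolute weight, most influential first."""
    ranked = sorted(result.symbols, key=lambda s: abs(s.score), reverse=True)
    return [(s.name, s.score) for s in ranked[:n]]


def sender_country(result: SpamdResult):
    """Country code recorded in the ASN symbol's options, or None."""
    for s in result.symbols:
        if s.name == "ASN":
            for opt in s.options:
                if opt.startswith("country:"):
                    return opt.split(":", 1)[1].strip()
    return None


def with_country_rule(result: SpamdResult, country_map: dict) -> SpamdResult:
    """Simulate a multimap 'country' rule. country_map (an assumed stand-in for
    the poster's map files) maps a country code to (symbol_name, score); if the
    sender's country is listed, the symbol is added and the total re-derived."""
    symbols = list(result.symbols)
    country = sender_country(result)
    if country in country_map:
        name, score = country_map[country]
        symbols.append(Symbol(name, score, [country]))
    new_score = round(sum(s.score for s in symbols), 2)
    return SpamdResult(result.action, new_score >= result.required,
                       new_score, result.required, symbols)


if __name__ == "__main__":
    for label, hdr in (("forex ham-scored", HAM_HEADER), ("spam sample", SPAM_HEADER)):
        r = parse_spamd_result(hdr)
        print(label, r.score, "recomputed", recompute_score(r),
              "country", sender_country(r), "top", top_contributors(r))
    # Attila's +6 for US would not touch the forex mail: its relay is in DE.
    print(with_country_rule(parse_spamd_result(HAM_HEADER),
                            {"US": ("PN_COUNTRY_SUSP", 6.0)}).score)
```

Run it and the forex message stays at -0.54 even with a US penalty in place, because its relay (176.9.238.85, AS24940) geolocates to DE; only a map that lists DE, or a positive signal that does not depend on origin, would move it. The recomputed totals matching the printed ones also confirms that no symbol was hidden from the header, which is worth checking before blaming a scoring bug.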