New wave of junk?

Martin Steigerwald martin at lichtvoll.de
Mon Dec 31 13:03:01 CET 2018


Hi!

For the past 1-2 days a new wave of mail junk has been getting through Postscreen
and rspamd on my system. Mails with subjects like "Hallo mein Schätzchen" via
Freenet, Office365 / Hotmail, Mail BG Webmail, T-Mobile, …

Is anyone else here getting this kind of junk too? Found any approach to
block it globally? The mails are similarly structured.

The only approach that has come to mind so far: the mails apparently work
with "X-Original-To:" and have either no From: or some other
address in the From.

I have sent individual spam reports to providers and am already blocking
some mails with header checks, but this comes from quite different
sources. And I would like to find something that lets me block all of them.

Either way, happy New Year.


Below are a few header examples:

Return-Path: <bryannevil at students.aucmed.edu>
X-Original-To: Martin at Lichtvoll.de
Delivered-To: martin at mondschein.lichtvoll.de
Authentication-Results: mail.lichtvoll.de; dkim=pass header.d=studentsaucmed.onmicrosoft.com
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01lp2058.outbound.protection.outlook.com [104.47.32.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.lichtvoll.de (Postfix) with ESMTPS id 144EC42699C for <Martin at Lichtvoll.de>; Mon, 31 Dec 2018 00:26:01 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=studentsaucmed.onmicrosoft.com; s=selector1-students-aucmed-edu; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sKofH+Emr5SShjzieb4f49YzoM+BWNateXUBQVzVUw8=; b=OF+SCrt3Q9awrN+wQExGqhAOG6POtX81Sg88TNjINrq9qMwZw/oh395GPsBWPNxXYSNp5NhVBsDkuZzFbbP/xNzuBciy7K3xdM+8wjidoUP+Zkn8yZrktwyc3F5Bms1/VDrzJwMMOeo4hakXobP9Lsvc6hMaWgjriL8T9IF1Bh4=
Received: from DM6PR17MB2505.namprd17.prod.outlook.com (20.177.218.18) by DM6PR17MB2540.namprd17.prod.outlook.com (20.177.218.141) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1471.20; Sun, 30 Dec 2018 23:10:40 +0000
Received: from DM6PR17MB2505.namprd17.prod.outlook.com ([fe80::50f0:1fed:dbb8:5d34]) by DM6PR17MB2505.namprd17.prod.outlook.com ([fe80::50f0:1fed:dbb8:5d34%3]) with mapi id 15.20.1471.019; Sun, 30 Dec 2018 23:10:40 +0000
From: "Nevil, Bryan" <bryannevil at students.aucmed.edu>
Subject: (03 )Hi mein Schatz(jd )
Thread-Topic: (03 )Hi mein Schatz(jd )
Thread-Index: AQHUoJThLuOXao1maUSJiP5psteNBQ==
Importance: low
X-Priority: 5
Date: Sun, 30 Dec 2018 23:10:40 +0000
Message-ID: <09235195B17302732A0338A6F0F46AD4CBEC4C7F at VPS032136>
Accept-Language: en-US
Content-Language: en-US
x-clientproxiedby: HE1PR05CA0196.eurprd05.prod.outlook.com (2603:10a6:3:f9::20) To DM6PR17MB2505.namprd17.prod.outlook.com (2603:10b6:5:68::18)
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [213.87.148.207]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;DM6PR17MB2540;7:GvEsBym4tZlRz3xlLRYEMWeMAZEy9rSjDlMUlVp2FyIWIez4ZRKqpxZI0gtchGOYQ6KVF4qzI1Bmsxl/QKdUfZDxVxj7Z8jy5fxA1F1S5QFrP3pFNfk5/FOR7x+8Ruu8c/DZkiyOx0aFw+iG15EMOw==
x-ms-office365-filtering-correlation-id: b54ee3cd-e727-414b-da91-08d66eac03da
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(5600109)(711020)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020);SRVR:DM6PR17MB2540;
x-ms-traffictypediagnostic: DM6PR17MB2540:|DM6PR17MB2540:
x-microsoft-antispam-prvs: <DM6PR17MB2540299E095E79A1A8735D1A91B10 at DM6PR17MB2540.namprd17.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0;PCL:8;RULEID:(3230021)(908002)(999002)(5005026)(6040522)(8220055)(2401047)(8121501046)(3231475)(944501520)(2220375)(52105112)(2017080701022)(3002001)(10201501046)(93006095)(93001095)(6041310)(20161123562045)(20161123564045)(20161123560045)(201703131423095)(201702281528075)(201702281529075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(201708071742011)(7699051)(76991095);SRVR:DM6PR17MB2540;BCL:0;PCL:8;RULEID:;SRVR:DM6PR17MB2540;
x-forefront-prvs: 0902222726
x-forefront-antispam-report: SFV:SPM;SFS:(10019020)(7916004)(376002)(136003)(39860400002)(346002)(396003)(366004)(199004)(189003)(6116002)(7416002)(476003)(3846002)(5660300001)(71200400001)(81166006)(81156014)(55846006)(6486002)(88552002)(2906002)(8936002)(1671002)(71190400001)(186003)(486006)(7736002)(606006)(14454004)(99286004)(786003)(8676002)(6436002)(75432002)(316002)(236005)(881003)(558084003)(106356001)(256004)(102836004)(6512007)(9686003)(81686011)(33716001)(6306002)(109986005)(478600001)(25786009)(53936002)(52116002)(97736004)(33656002)(33896004)(66066001)(386003)(6506007)(86362001)(54896002)(68736007)(105586002)(26005)(59010400001);DIR:OUT;SFP:1501;SCL:5;SRVR:DM6PR17MB2540;H:DM6PR17MB2505.namprd17.prod.outlook.com;FPR:;SPF:None;LANG:de;PTR:InfoNoRecords;A:1;MX:1;
received-spf: None (protection.outlook.com: students.aucmed.edu does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: ZSw72VbIxAHzVKBH7aULI7O8GNlYDIOiaLqluQjfIfSHsl4Rf3DQSIIyEJrlt3F0NOL+L6i/mg+wsIDqPiFXEhe4FeInaGLt2okJG+9oeg8mAZxaLo0nhoU7pXCEEf8FBlaOXPJiuaHqYE48uyeC2IR7FuQ7ocj2hgQg9EcaDmhw9tOtAE4ibEIbq49uBXd+tH2uqjTPwICFccd4NFLAY1rZYhWpbni1IulsNC9MqAjhbSMgFuWSLTEMpJcbhJBEkMb8xlY0873M/ehdVpdIp89WKgPEq8C/5Oio73EJGiHAf/eAKfNB70ufoTwUlaLl01wnazOMrSVsNdrcuvsU7OBZABb3dDw4JapZ1BbxgmMgDl03Pxf3QezZnSeBcKEAdjkF+F7SmjMOjtmPYn+prvQMejTqUQDG853AAVA+TITsL52G70SWjZee2W/6NAG2TiakpvBQAhT5mxCuKrm254vB8Z76eT5nQBTHGOQ/iWfS2hchIuMzyrAusPl3/OXGFjwZC6iVZw1e9M9r5hp7XGA1wXBQN9kkIJYhZ8nfgod/Bvu0u7B+1RhOz2pl5wxi2G9shITg9SPXMIAACxA6Aisof3TiW+UGqqPEhrShj4O4b8WY8fiQX9MD5jONRL7OPd7ieSjEHFmBvhPAxUxzGPH+TPO0GIpevIB3IMinaCZjr8+Y0Oe5Ecv/DiWtNAEab3fmBnSWKZnWOr0jTaQz+U/tqlulAAXOX14x+LicsZHjcljTJLtevUVcTs2DVhKSr/q9+yA9GzHMgkvNGaNSFobGIVf1l7PVQT76w3wEQb12jt7QJQaQNP9Ej8Eu/fIH
spamdiagnosticoutput: 1:22
Content-Type: multipart/alternative; boundary="_000_09235195B17302732A0338A6F0F46AD4CBEC4C7FVPS032136_"
MIME-Version: 1.0
X-OriginatorOrg: students.aucmed.edu
X-MS-Exchange-CrossTenant-Network-Message-Id: b54ee3cd-e727-414b-da91-08d66eac03da
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Dec 2018 23:10:40.0790 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5f3a45cf-bae4-4c61-a6a1-0f247677c63c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR17MB2540
X-Spam-Level: *****
X-Rspamd-Server: mondschein
X-Rspamd-Queue-Id: 144EC42699C
X-Spamd-Result: default: False [5.45 / 12.00] FROM_HAS_DN(0.00)[] RCVD_IN_DNSWL_NONE(0.00)[58.32.47.104.list.dnswl.org : 127.0.3.0] DKIM_TRACE(0.00)[studentsaucmed.onmicrosoft.com:+] ARC_NA(0.00)[] MICROSOFT_SPAM(4.00)[] ASN(0.00)[asn:8075, ipnet:104.40.0.0/13, country:US] IP_SCORE(-0.00)[ipnet: 104.40.0.0/13(-4.48), asn: 8075(-3.78), country: US(-0.10)] RCVD_NO_TLS_LAST(0.00)[] GREYLIST(0.00)[pass,body] BAYES_HAM(-0.85)[85.43%] MIME_BASE64_TEXT(0.10)[] R_DKIM_ALLOW(-0.20)[studentsaucmed.onmicrosoft.com] MISSING_TO(2.00)[] HAS_XOIP(0.00)[] R_SPF_NA(0.00)[] MID_RHS_NOT_FQDN(0.50)[] RCVD_COUNT_THREE(0.00)[3] DMARC_NA(0.00)[aucmed.edu] FROM_EQ_ENVFROM(0.00)[] HAS_X_PRIO_FIVE(0.00)[5] MIME_GOOD(-0.10)[multipart/alternative,text/plain]



Return-Path: <oliver.reinhold at freenet.de>
X-Original-To: Martin at Lichtvoll.de
Delivered-To: martin at mondschein.lichtvoll.de
Authentication-Results: mail.lichtvoll.de; spf=pass smtp.mailfrom=oliver.reinhold at freenet.de
Received: from mout2.freenet.de (mout2.freenet.de [195.4.92.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.lichtvoll.de (Postfix) with ESMTPS id 49137425683 for <Martin at Lichtvoll.de>; Sat, 29 Dec 2018 14:00:03 +0100 (CET)
Received: from [195.4.92.127] (helo=sub8.freenet.de) by mout2.freenet.de with esmtpsa (ID oliver.reinhold at freenet.de) (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (port 25) (Exim 4.90_1 #2) id 1gdE7x-0001dt-7f; Sat, 29 Dec 2018 13:54:05 +0100
Received: from web3.emo.freenet-rz.de ([194.97.107.236]:50648) by sub8.freenet.de with esmtpa (ID oliver.reinhold at freenet.de) (port 587) (Exim 4.90_1 #2) id 1gdE7x-0002rq-4G; Sat, 29 Dec 2018 13:54:05 +0100
Received: from localhost ([127.0.0.1] helo=emo.freenet.de) by web3.emo.freenet-rz.de with esmtpa (Exim 4.84_2 2 (Panther_1)) id 1gdE7w-0005xj-Sw; Sat, 29 Dec 2018 13:54:04 +0100
Date: Sat, 29 Dec 2018 13:54:04 +0100
X-Originated-At: 27.79.198.98!37675
From: oliver.reinhold at freenet.de
Subject: Wie lange wollte ich dich treffen?
To: julia.lepik at gmx.de
X-Priority: 3
MIME-Version: 1.0
X-Abuse: 000000 / 27.79.198.98
Message-ID: <d30323b11c11ed4f594416ee4ecbc57b at email.freenet.de>
User-Agent: freenetMail
Content-Type: multipart/alternative; boundary="emo_01_2207d94d787c4649b05bf7360aed4a24"
X-Spam-Level: ***
X-Rspamd-Server: mondschein
X-Rspamd-Queue-Id: 49137425683
X-Spamd-Result: default: False [3.71 / 12.00] MIME_GOOD(-0.10)[multipart/alternative,text/plain] RCVD_VIA_SMTP_AUTH(0.00)[] SUBJECT_ENDS_QUESTION(1.00)[] RCVD_IN_DNSWL_LOW(0.00)[92.92.4.195.list.dnswl.org : 127.0.5.1] ARC_NA(0.00)[] R_SPF_ALLOW(-0.20)[+ip4:195.4.92.0/23] ASN(0.00)[asn:5430, ipnet:195.4.0.0/16, country:DE] RCVD_NO_TLS_LAST(0.00)[] TO_DN_NONE(0.00)[] URI_COUNT_ODD(1.00)[1] IP_SCORE(-0.00)[country: DE(-0.10)] RCVD_COUNT_THREE(0.00)[4] DMARC_NA(0.00)[freenet.de] FROM_EQ_ENVFROM(0.00)[] HAS_X_PRIO_THREE(0.00)[3] RCPT_COUNT_ONE(0.00)[1] R_DKIM_NA(0.00)[] XM_UA_NO_VERSION(0.01)[] FORGED_RECIPIENTS(2.00)[] FROM_NO_DN(0.00)[]


Return-Path: <awudke at freenet.de>
X-Original-To: Martin at Lichtvoll.de
Delivered-To: martin at mondschein.lichtvoll.de
Authentication-Results: mail.lichtvoll.de; spf=pass smtp.mailfrom=awudke at freenet.de
Received: from mout3.freenet.de (mout3.freenet.de [195.4.92.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.lichtvoll.de (Postfix) with ESMTPS id 65B17425654 for <Martin at Lichtvoll.de>; Sat, 29 Dec 2018 13:39:34 +0100 (CET)
Received: from [195.4.92.120] (helo=sub1.freenet.de) by mout3.freenet.de with esmtpsa (ID awudke at freenet.de) (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (port 25) (Exim 4.90_1 #2) id 1gdDfn-0000eN-8t; Sat, 29 Dec 2018 13:24:59 +0100
Received: from web9.emo.freenet-rz.de ([194.97.107.145]:25742) by sub1.freenet.de with esmtpa (ID awudke at freenet.de) (port 587) (Exim 4.90_1 #2) id 1gdDfm-0005np-VW; Sat, 29 Dec 2018 13:24:59 +0100
Received: from localhost ([127.0.0.1] helo=emo.freenet.de) by web9.emo.freenet-rz.de with esmtpa (Exim 4.84_2 2 (Panther_1)) id 1gdDfl-0004e6-6M; Sat, 29 Dec 2018 13:24:57 +0100
Date: Sat, 29 Dec 2018 13:24:57 +0100
X-Originated-At: 14.161.48.19!39203
From: awudke at freenet.de
Subject: Dekoriere dein Leben, Madchen warten
To: fredriedel at gmx.de
X-Priority: 3
MIME-Version: 1.0
X-Abuse: 000000 / 14.161.48.19
Message-ID: <df9605f83b0f12e6f10d9a95615852c0 at email.freenet.de>
User-Agent: freenetMail
Content-Type: multipart/alternative; boundary="emo_01_cefa0f5892a5ea0aea7b346f0a0e2156"
X-Spam-Level: *****
X-Rspamd-Server: mondschein
X-Rspamd-Queue-Id: 65B17425654
X-Spamd-Result: default: False [5.00 / 12.00] FORGED_RECIPIENTS(2.00)[] ARC_NA(0.00)[] RCVD_IN_DNSWL_LOW(0.00)[93.92.4.195.list.dnswl.org : 127.0.5.1] R_SPF_ALLOW(-0.20)[+ip4:195.4.92.0/23] ASN(0.00)[asn:5430, ipnet:195.4.0.0/16, country:DE] RCVD_NO_TLS_LAST(0.00)[] GREYLIST(0.00)[pass,body] BAYES_SPAM(2.29)[90.70%] MIME_GOOD(-0.10)[multipart/alternative,text/plain] TO_DN_NONE(0.00)[] URI_COUNT_ODD(1.00)[1] IP_SCORE(-0.00)[country: DE(-0.10)] RCVD_COUNT_THREE(0.00)[4] DMARC_NA(0.00)[freenet.de] FROM_EQ_ENVFROM(0.00)[] HAS_X_PRIO_THREE(0.00)[3] RCPT_COUNT_ONE(0.00)[1] R_DKIM_NA(0.00)[] FROM_NO_DN(0.00)[] XM_UA_NO_VERSION(0.01)[] RCVD_VIA_SMTP_AUTH(0.00)[]


Ciao,
-- 
Martin
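
An added example, not part of the original post: a header check that compares the envelope recipient Postfix recorded in X-Original-To with the visible To/Cc headers, the mismatch that the MISSING_TO and FORGED_RECIPIENTS symbols in the posted rspamd results point at. The function name, the List-Id exemption and all sample addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr


def recipient_check(raw_headers):
    """Compare the envelope recipient (X-Original-To) with the visible To/Cc."""
    msg = message_from_string(raw_headers)
    envelope = parseaddr(msg.get("X-Original-To", ""))[1].lower()
    if not envelope:
        return "no-envelope-info"
    # Assumption: list traffic is exempt, since a list post is addressed
    # to the list and never names the individual subscriber.
    if msg.get("List-Id"):
        return "list-mail"
    visible = msg.get_all("To", []) + msg.get_all("Cc", [])
    if not visible:
        return "missing-to"
    addrs = {addr.lower() for _, addr in getaddresses(visible) if addr}
    return "ok" if envelope in addrs else "forged-recipient"


def headers(*lines):
    """Join header lines into a header block terminated by an empty line."""
    return "\n".join(lines) + "\n\n"


# Constructed samples modelled on the header patterns in the post.
SAMPLES = {
    "no To header": headers(
        "X-Original-To: Martin@example.org",
        'From: "Some Sender" <sender@example.net>',
        "Subject: constructed sample 1"),
    "To names a third party": headers(
        "X-Original-To: Martin@example.org",
        "From: sender@example.net",
        "To: someone.else@example.com",
        "Subject: constructed sample 2"),
    "normal mail": headers(
        "X-Original-To: martin@example.org",
        "From: friend@example.net",
        "To: Martin <Martin@Example.org>",
        "Subject: constructed sample 3"),
    "mailing list": headers(
        "X-Original-To: martin@example.org",
        "From: poster@example.net",
        "To: users@lists.example.org",
        "List-Id: <users.lists.example.org>",
        "Subject: constructed sample 4"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:24} -> {recipient_check(raw)}")
```

A Bcc'd message produces the same mismatch as the junk, so the result is better used as a scoring signal than as a hard reject.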




More information about the Postfixbuch-users mailing list