Spam getting through despite FW rules/snort

  • I'm not sure if this is a question suitable for this forum at all, but I'll give it a try.

    It all works just fine with the exception of one specific spammer. It's definitely not a big deal, but I'm wondering how it can be. This spammer uses some method or glitch that gets his spam through to Spamd every once in a while. He's very persistent and I estimate it's only 1 of his roughly 3000-8000 attempts a day that gets through. This has been going on for at least a month now. Before that I had no way of logging this.

    I run 1.0-Release and the current versions of Snort and Spamd.
    My setup is:
    1. Blocked XXX.101.156.125 AND the whole net in FW rules. Both TCP and UDP.
    2. Added XXX.101.156.125 to Snort blocked in the local.rules. Both TCP and UDP.
    3. Spamd

    When the spam arrives at Spamd the sender info looks like this, spaces and all:
    XXXusedtelecoms -bounces+4fc326d6b74e0dde24eadf15369f10c31412bdd5 @XXXusedtelecoms .com
    XXXusedtelecoms -bounces+4a020ddfb96190116eddab82f03e49895c6bd574 @XXXusedtelecoms .com
    The IP is always XXX.101.156.125

    I know that the FW rules and/or Snort work fine. They work 100% with some other persistent spammers.

    XXX.101.156.125 is listed under Snort Blocked.
    I figure there is a small window of opportunity when Snort reaches the 60-minute limit and deletes the IP from the Blocked list (or does it not?). The FW rules don't seem to work for this spammer.

    Can anyone explain how this can be?
    Is there some kind of spoofing going on that Snort doesn't pick up on, but that Spamd somehow translates to XXX.101.156.125 every time?

    I've tried to Google this but can't find any clues ….

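The triage a practitioner would do on the post above is to take the spamd log, pick out every connection whose source address falls inside the blocked host or its network, and list the senders that still reached spamd. The script below is an added example, not code from the original post or from pfSense, Snort or spamd. The log lines are constructed, the IPs are RFC 5737 documentation addresses standing in for the redacted XXX.101.156.125, the domain is a placeholder, and the block list mirrors the poster's "host plus whole net" setup as an assumption. The sender normalisation reproduces the stray spaces the post describes so the addresses can be searched for as one token.

```python
import ipaddress
import re
from collections import Counter

# Constructed spamd-style log lines, not from the original post. The IPs are
# RFC 5737 documentation addresses standing in for the redacted host, and the
# domain is a placeholder; the spaces inside the sender addresses reproduce
# the pattern the post describes.
SAMPLE_LOG = """\
spamd[1234]: 203.0.113.125: connected (1/0)
spamd[1234]: 203.0.113.125: From: example -bounces+4fc326d6b74e0dde24eadf15369f10c31412bdd5 @example .com
spamd[1234]: 203.0.113.125: disconnected after 420 seconds.
spamd[1234]: 198.51.100.7: connected (1/0)
spamd[1234]: 198.51.100.7: From: someone@legit.example
spamd[1234]: 198.51.100.7: disconnected after 4 seconds.
spamd[1234]: 203.0.113.200: connected (1/0)
spamd[1234]: 203.0.113.200: From: example -bounces+4a020ddfb96190116eddab82f03e49895c6bd574 @example .com
spamd[1234]: 203.0.113.200: disconnected after 410 seconds.
"""

# Hypothetical block list mirroring the post's setup: the single host plus
# its whole /24 (a pf block rule or table would hold the same entries).
BLOCKLIST = ["203.0.113.125", "203.0.113.0/24"]

LINE_RE = re.compile(r"spamd\[\d+\]: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): (?P<msg>.*)$")


def parse_blocklist(entries):
    """Turn host and CIDR strings into network objects (a bare host becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_blocked(ip, networks):
    """True if ip falls inside any blocked host or network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def normalize_sender(raw):
    """Remove the embedded whitespace so the address is one searchable token."""
    return re.sub(r"\s+", "", raw)


def audit(log_text, blocklist):
    """Return (ip, normalized sender) for every connection whose source IP should
    already have been dropped by the firewall but still reached spamd."""
    networks = parse_blocklist(blocklist)
    leaked = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, msg = m.group("ip"), m.group("msg")
        if msg.startswith("From: ") and is_blocked(ip, networks):
            leaked.append((ip, normalize_sender(msg[len("From: "):])))
    return leaked


def attempts_per_ip(log_text):
    """Count 'connected' lines per source IP, to compare against the volume the post estimates."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("msg").startswith("connected"):
            counts[m.group("ip")] += 1
    return counts


if __name__ == "__main__":
    for ip, sender in audit(SAMPLE_LOG, BLOCKLIST):
        print(f"reached spamd despite block: {ip} {sender}")
    print(dict(attempts_per_ip(SAMPLE_LOG)))
```

Run against a real spamd log, anything `audit` reports is a connection the firewall should never have let through, which is the evidence to take to the pf rule and state tables rather than to the spamd configuration.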