New wave of junk mail?


Martin Steigerwald
Hi!

For the past 1-2 days a new wave of junk mail has been getting through Postscreen
and rspamd here. Mails with subjects like "Hallo mein Schätzchen" ("Hello my
sweetheart") via Freenet, Office365 / Hotmail, Mail BG Webmail, T-Mobile, …

Is anyone else receiving junk like this? Has anyone found an approach to
block it globally? The mails are built similarly.

The only approach that has occurred to me so far: the mails apparently work
with "X-Original-To:" and have either no From: at all or some other
address in the From.

I have sent individual spam reports to providers and am already blocking some
mails with header checks, but this comes from quite different
sources. And I would like to find something that lets me block all of them.

Either way, a happy New Year to all of you.


A few header examples follow:

Return-Path: <[hidden email]>
X-Original-To: [hidden email]
Delivered-To: [hidden email]
Authentication-Results: mail.lichtvoll.de; dkim=pass header.d=studentsaucmed.onmicrosoft.com
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01lp2058.outbound.protection.outlook.com [104.47.32.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.lichtvoll.de (Postfix) with ESMTPS id 144EC42699C for <[hidden email]>; Mon, 31 Dec 2018 00:26:01 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=studentsaucmed.onmicrosoft.com; s=selector1-students-aucmed-edu; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sKofH+Emr5SShjzieb4f49YzoM+BWNateXUBQVzVUw8=; b=OF+SCrt3Q9awrN+wQExGqhAOG6POtX81Sg88TNjINrq9qMwZw/oh395GPsBWPNxXYSNp5NhVBsDkuZzFbbP/xNzuBciy7K3xdM+8wjidoUP+Zkn8yZrktwyc3F5Bms1/VDrzJwMMOeo4hakXobP9Lsvc6hMaWgjriL8T9IF1Bh4=
Received: from DM6PR17MB2505.namprd17.prod.outlook.com (20.177.218.18) by DM6PR17MB2540.namprd17.prod.outlook.com (20.177.218.141) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1471.20; Sun, 30 Dec 2018 23:10:40 +0000
Received: from DM6PR17MB2505.namprd17.prod.outlook.com ([fe80::50f0:1fed:dbb8:5d34]) by DM6PR17MB2505.namprd17.prod.outlook.com ([fe80::50f0:1fed:dbb8:5d34%3]) with mapi id 15.20.1471.019; Sun, 30 Dec 2018 23:10:40 +0000
From: "Nevil, Bryan" <[hidden email]>
Subject: (03 )Hi mein Schatz(jd )
Thread-Topic: (03 )Hi mein Schatz(jd )
Thread-Index: AQHUoJThLuOXao1maUSJiP5psteNBQ==
Importance: low
X-Priority: 5
Date: Sun, 30 Dec 2018 23:10:40 +0000
Message-ID: <09235195B17302732A0338A6F0F46AD4CBEC4C7F@VPS032136>
Accept-Language: en-US
Content-Language: en-US
x-clientproxiedby: HE1PR05CA0196.eurprd05.prod.outlook.com (2603:10a6:3:f9::20) To DM6PR17MB2505.namprd17.prod.outlook.com (2603:10b6:5:68::18)
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [213.87.148.207]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;DM6PR17MB2540;7:GvEsBym4tZlRz3xlLRYEMWeMAZEy9rSjDlMUlVp2FyIWIez4ZRKqpxZI0gtchGOYQ6KVF4qzI1Bmsxl/QKdUfZDxVxj7Z8jy5fxA1F1S5QFrP3pFNfk5/FOR7x+8Ruu8c/DZkiyOx0aFw+iG15EMOw==
x-ms-office365-filtering-correlation-id: b54ee3cd-e727-414b-da91-08d66eac03da
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(5600109)(711020)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020);SRVR:DM6PR17MB2540;
x-ms-traffictypediagnostic: DM6PR17MB2540:|DM6PR17MB2540:
x-microsoft-antispam-prvs: <[hidden email]>
x-exchange-antispam-report-cfa-test: BCL:0;PCL:8;RULEID:(3230021)(908002)(999002)(5005026)(6040522)(8220055)(2401047)(8121501046)(3231475)(944501520)(2220375)(52105112)(2017080701022)(3002001)(10201501046)(93006095)(93001095)(6041310)(20161123562045)(20161123564045)(20161123560045)(201703131423095)(201702281528075)(201702281529075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(201708071742011)(7699051)(76991095);SRVR:DM6PR17MB2540;BCL:0;PCL:8;RULEID:;SRVR:DM6PR17MB2540;
x-forefront-prvs: 0902222726
x-forefront-antispam-report: SFV:SPM;SFS:(10019020)(7916004)(376002)(136003)(39860400002)(346002)(396003)(366004)(199004)(189003)(6116002)(7416002)(476003)(3846002)(5660300001)(71200400001)(81166006)(81156014)(55846006)(6486002)(88552002)(2906002)(8936002)(1671002)(71190400001)(186003)(486006)(7736002)(606006)(14454004)(99286004)(786003)(8676002)(6436002)(75432002)(316002)(236005)(881003)(558084003)(106356001)(256004)(102836004)(6512007)(9686003)(81686011)(33716001)(6306002)(109986005)(478600001)(25786009)(53936002)(52116002)(97736004)(33656002)(33896004)(66066001)(386003)(6506007)(86362001)(54896002)(68736007)(105586002)(26005)(59010400001);DIR:OUT;SFP:1501;SCL:5;SRVR:DM6PR17MB2540;H:DM6PR17MB2505.namprd17.prod.outlook.com;FPR:;SPF:None;LANG:de;PTR:InfoNoRecords;A:1;MX:1;
received-spf: None (protection.outlook.com: students.aucmed.edu does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
spamdiagnosticoutput: 1:22
Content-Type: multipart/alternative; boundary="_000_09235195B17302732A0338A6F0F46AD4CBEC4C7FVPS032136_"
MIME-Version: 1.0
X-OriginatorOrg: students.aucmed.edu
X-MS-Exchange-CrossTenant-Network-Message-Id: b54ee3cd-e727-414b-da91-08d66eac03da
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Dec 2018 23:10:40.0790 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5f3a45cf-bae4-4c61-a6a1-0f247677c63c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR17MB2540
X-Spam-Level: *****
X-Rspamd-Server: mondschein
X-Rspamd-Queue-Id: 144EC42699C
X-Spamd-Result: default: False [5.45 / 12.00] FROM_HAS_DN(0.00)[] RCVD_IN_DNSWL_NONE(0.00)[58.32.47.104.list.dnswl.org : 127.0.3.0] DKIM_TRACE(0.00)[studentsaucmed.onmicrosoft.com:+] ARC_NA(0.00)[] MICROSOFT_SPAM(4.00)[] ASN(0.00)[asn:8075, ipnet:104.40.0.0/13, country:US] IP_SCORE(-0.00)[ipnet: 104.40.0.0/13(-4.48), asn: 8075(-3.78), country: US(-0.10)] RCVD_NO_TLS_LAST(0.00)[] GREYLIST(0.00)[pass,body] BAYES_HAM(-0.85)[85.43%] MIME_BASE64_TEXT(0.10)[] R_DKIM_ALLOW(-0.20)[studentsaucmed.onmicrosoft.com] MISSING_TO(2.00)[] HAS_XOIP(0.00)[] R_SPF_NA(0.00)[] MID_RHS_NOT_FQDN(0.50)[] RCVD_COUNT_THREE(0.00)[3] DMARC_NA(0.00)[aucmed.edu] FROM_EQ_ENVFROM(0.00)[] HAS_X_PRIO_FIVE(0.00)[5] MIME_GOOD(-0.10)[multipart/alternative,text/plain]



Return-Path: <[hidden email]>
X-Original-To: [hidden email]
Delivered-To: [hidden email]
Authentication-Results: mail.lichtvoll.de; spf=pass smtp.mailfrom=[hidden email]
Received: from mout2.freenet.de (mout2.freenet.de [195.4.92.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.lichtvoll.de (Postfix) with ESMTPS id 49137425683 for <[hidden email]>; Sat, 29 Dec 2018 14:00:03 +0100 (CET)
Received: from [195.4.92.127] (helo=sub8.freenet.de) by mout2.freenet.de with esmtpsa (ID [hidden email]) (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (port 25) (Exim 4.90_1 #2) id 1gdE7x-0001dt-7f; Sat, 29 Dec 2018 13:54:05 +0100
Received: from web3.emo.freenet-rz.de ([194.97.107.236]:50648) by sub8.freenet.de with esmtpa (ID [hidden email]) (port 587) (Exim 4.90_1 #2) id 1gdE7x-0002rq-4G; Sat, 29 Dec 2018 13:54:05 +0100
Received: from localhost ([127.0.0.1] helo=emo.freenet.de) by web3.emo.freenet-rz.de with esmtpa (Exim 4.84_2 2 (Panther_1)) id 1gdE7w-0005xj-Sw; Sat, 29 Dec 2018 13:54:04 +0100
Date: Sat, 29 Dec 2018 13:54:04 +0100
X-Originated-At: 27.79.198.98!37675
From: [hidden email]
Subject: Wie lange wollte ich dich treffen?
To: [hidden email]
X-Priority: 3
MIME-Version: 1.0
X-Abuse: 000000 / 27.79.198.98
Message-ID: <[hidden email]>
User-Agent: freenetMail
Content-Type: multipart/alternative; boundary="emo_01_2207d94d787c4649b05bf7360aed4a24"
X-Spam-Level: ***
X-Rspamd-Server: mondschein
X-Rspamd-Queue-Id: 49137425683
X-Spamd-Result: default: False [3.71 / 12.00] MIME_GOOD(-0.10)[multipart/alternative,text/plain] RCVD_VIA_SMTP_AUTH(0.00)[] SUBJECT_ENDS_QUESTION(1.00)[] RCVD_IN_DNSWL_LOW(0.00)[92.92.4.195.list.dnswl.org : 127.0.5.1] ARC_NA(0.00)[] R_SPF_ALLOW(-0.20)[+ip4:195.4.92.0/23] ASN(0.00)[asn:5430, ipnet:195.4.0.0/16, country:DE] RCVD_NO_TLS_LAST(0.00)[] TO_DN_NONE(0.00)[] URI_COUNT_ODD(1.00)[1] IP_SCORE(-0.00)[country: DE(-0.10)] RCVD_COUNT_THREE(0.00)[4] DMARC_NA(0.00)[freenet.de] FROM_EQ_ENVFROM(0.00)[] HAS_X_PRIO_THREE(0.00)[3] RCPT_COUNT_ONE(0.00)[1] R_DKIM_NA(0.00)[] XM_UA_NO_VERSION(0.01)[] FORGED_RECIPIENTS(2.00)[] FROM_NO_DN(0.00)[]


Return-Path: <[hidden email]>
X-Original-To: [hidden email]
Delivered-To: [hidden email]
Authentication-Results: mail.lichtvoll.de; spf=pass smtp.mailfrom=[hidden email]
Received: from mout3.freenet.de (mout3.freenet.de [195.4.92.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.lichtvoll.de (Postfix) with ESMTPS id 65B17425654 for <[hidden email]>; Sat, 29 Dec 2018 13:39:34 +0100 (CET)
Received: from [195.4.92.120] (helo=sub1.freenet.de) by mout3.freenet.de with esmtpsa (ID [hidden email]) (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (port 25) (Exim 4.90_1 #2) id 1gdDfn-0000eN-8t; Sat, 29 Dec 2018 13:24:59 +0100
Received: from web9.emo.freenet-rz.de ([194.97.107.145]:25742) by sub1.freenet.de with esmtpa (ID [hidden email]) (port 587) (Exim 4.90_1 #2) id 1gdDfm-0005np-VW; Sat, 29 Dec 2018 13:24:59 +0100
Received: from localhost ([127.0.0.1] helo=emo.freenet.de) by web9.emo.freenet-rz.de with esmtpa (Exim 4.84_2 2 (Panther_1)) id 1gdDfl-0004e6-6M; Sat, 29 Dec 2018 13:24:57 +0100
Date: Sat, 29 Dec 2018 13:24:57 +0100
X-Originated-At: 14.161.48.19!39203
From: [hidden email]
Subject: Dekoriere dein Leben, Madchen warten
To: [hidden email]
X-Priority: 3
MIME-Version: 1.0
X-Abuse: 000000 / 14.161.48.19
Message-ID: <[hidden email]>
User-Agent: freenetMail
Content-Type: multipart/alternative; boundary="emo_01_cefa0f5892a5ea0aea7b346f0a0e2156"
X-Spam-Level: *****
X-Rspamd-Server: mondschein
X-Rspamd-Queue-Id: 65B17425654
X-Spamd-Result: default: False [5.00 / 12.00] FORGED_RECIPIENTS(2.00)[] ARC_NA(0.00)[] RCVD_IN_DNSWL_LOW(0.00)[93.92.4.195.list.dnswl.org : 127.0.5.1] R_SPF_ALLOW(-0.20)[+ip4:195.4.92.0/23] ASN(0.00)[asn:5430, ipnet:195.4.0.0/16, country:DE] RCVD_NO_TLS_LAST(0.00)[] GREYLIST(0.00)[pass,body] BAYES_SPAM(2.29)[90.70%] MIME_GOOD(-0.10)[multipart/alternative,text/plain] TO_DN_NONE(0.00)[] URI_COUNT_ODD(1.00)[1] IP_SCORE(-0.00)[country: DE(-0.10)] RCVD_COUNT_THREE(0.00)[4] DMARC_NA(0.00)[freenet.de] FROM_EQ_ENVFROM(0.00)[] HAS_X_PRIO_THREE(0.00)[3] RCPT_COUNT_ONE(0.00)[1] R_DKIM_NA(0.00)[] FROM_NO_DN(0.00)[] XM_UA_NO_VERSION(0.01)[] RCVD_VIA_SMTP_AUTH(0.00)[]


Ciao,
--
Martin
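The three header dumps above share two structural signals that rspamd already scored but did not weight enough to reject: the Office365 sample has no To: at all (MISSING_TO), and both Freenet samples carry a To: that differs from the envelope recipient (FORGED_RECIPIENTS). X-Original-To and Delivered-To are written by the receiving Postfix delivery agent, so they hold the envelope recipient and can be compared with the visible To:. Postfix header_checks cannot do that comparison because they match one header line at a time, so cross-header logic belongs in rspamd (a Lua rule or multimap) or a milter. The following is an added example, not code from the list post or from rspamd; it shows the heuristic as a stand-alone Python check over constructed header samples modelled on the posted ones (addresses are placeholders, rule names are my own, and the subject regexes are assumptions drawn only from the subjects quoted above).

```python
"""Cross-header heuristic for the "Hallo mein Schätzchen" wave.

Added example, not the list author's code. Addresses below are constructed
placeholders; rule names are mine, not rspamd symbol names.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Subject fragments taken from the three posted subjects (assumed patterns).
SUBJECT_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"\bmein Sch[äa]tz(chen)?\b", r"\bM[äa]dchen\b", r"\bdich treffen\b")
]


def _addrs(msg, *names):
    """Lower-cased set of addresses found in all occurrences of the given headers."""
    fields = []
    for name in names:
        fields.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def classify(raw):
    """Return the names of the heuristics that fire on one raw RFC 5322 message."""
    msg = message_from_string(raw)
    hits = []

    # 1. Envelope recipient (added by Postfix at delivery) vs. visible To:/Cc:.
    envelope = _addrs(msg, "Delivered-To", "X-Original-To")
    visible = _addrs(msg, "To", "Cc")
    if not visible:
        hits.append("missing_to")          # Office365 sample: no To: header
    elif envelope and not (envelope & visible):
        hits.append("forged_recipients")   # Freenet samples: To: names someone else

    # 2. No From: at all, as the post reports for part of the wave.
    if not _addrs(msg, "From"):
        hits.append("missing_from")

    # 3. Subject wording shared across the wave.
    if any(p.search(msg.get("Subject", "")) for p in SUBJECT_PATTERNS):
        hits.append("subject_wave")

    return hits


def is_wave_spam(raw):
    """Reject only on two independent signals: a mismatching To: alone is normal
    for Bcc and mailing-list traffic and must not block by itself."""
    return len(classify(raw)) >= 2


# Constructed samples, reduced to the headers the heuristic looks at.
SAMPLE_O365 = """\
Return-Path: <bryan.nevil@students.example.edu>
X-Original-To: martin@example.net
Delivered-To: martin@example.net
From: "Nevil, Bryan" <bryan.nevil@students.example.edu>
Subject: (03 )Hi mein Schatz(jd )
Date: Sun, 30 Dec 2018 23:10:40 +0000

body
"""

SAMPLE_FREENET = """\
Return-Path: <sender@freenet.example>
X-Original-To: martin@example.net
Delivered-To: martin@example.net
From: sender@freenet.example
Subject: Wie lange wollte ich dich treffen?
To: other.person@freenet.example
Date: Sat, 29 Dec 2018 13:54:04 +0100

body
"""

SAMPLE_HAM = """\
Return-Path: <alice@example.org>
X-Original-To: martin@example.net
Delivered-To: martin@example.net
From: Alice <alice@example.org>
To: Martin <martin@example.net>
Subject: Guten Rutsch!

body
"""

if __name__ == "__main__":
    for name, raw in (("o365", SAMPLE_O365), ("freenet", SAMPLE_FREENET), ("ham", SAMPLE_HAM)):
        print(name, classify(raw), "reject" if is_wave_spam(raw) else "accept")
```

The two-signal threshold is the important design choice: a To: that does not contain the envelope recipient is exactly what every Bcc, alias and mailing-list delivery looks like, so that signal is only safe in combination with the subject pattern or a missing From:. In rspamd the same logic maps onto a composite of FORGED_RECIPIENTS / MISSING_TO with a subject multimap, which can then be given a reject-level weight without touching the default scores of the individual symbols.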