Hello,
We have blocked single IP addresses and also IP ranges (SMTP Network Blacklist). However, we noticed that spam messages are still getting through or being quarantined. Those phishing messages are usually sent from the IP network clodoserver.ru or other Russian spam networks. It looks like they are abusing good sender domains for their phishing attacks.
How can we completely block ALL spam activity from 62.76.184.0/21? Why do spammers still bypass Sophos UTM Antispam, although the IP range 62.76.184.0/21 has been blocked? Blocking various IPs is working; however, it is always being ignored for 62.76.184.0/21. I have attached the mail header.
I highly appreciate any help.
Received: from mail.finsky.de.fr ([5.199.133.228]:52182) by ********************* with esmtp (***) (envelope-from <ihxujvc@finsky.de.fr>) id 1odck0-0005i9-08 for ********************* Wed, 28 Sep 2022 21:29:08 +0200
Received: from finsky.de.fr (229004-4.vm.clodoserver.ru [62.76.188.243]) by mail.finsky.de.fr (Postfix) with ESMTPA id 4E70A8073AA6; Wed, 28 Sep 2022 22:11:44 +0300 (EEST)
X-SASI-Hits: BODYTEXTH_SIZE_10000_LESS 0.000000, BODYTEXTP_SIZE_3000_LESS 0.000000, BODY_SIZE_10000_PLUS 0.000000, BODY_SIZE_100K_PLUS 0.000000, BODY_SIZE_25K_PLUS 0.000000, BODY_SIZE_500K_PLUS 0.000000, BODY_SIZE_50K_PLUS 0.000000, BODY_SIZE_75K_PLUS 0.000000, CS_SUSP_TLD_BODY 0.000000, CYOU_TLD 0.100000, DKIM_ALIGNS 0.000000, DKIM_SIGNATURE 0.000000, DOMAINKEY_SIG 0.000000, FROM_NAME_ONE_WORD 0.050000, HREF_LABEL_TEXT_NO_URI 0.000000, HREF_LABEL_TEXT_ONLY 0.000000, JPG_COMMON_HEADER_ORDER 0.000000, JPG_SPAMMY_SEGMENT 0.000000, JPG_SPAMMY_Y_RESOLUTION 0.000000, KNOWN_MSGID 0.000000, KNOWN_OTHER_CAMPAIGN 8.000000, SENDER_NO_AUTH 0.000000, SINGLE_HREF_URI_IN_BODY 0.000000, SINGLE_IMG_ATTACH 0.000000, URI_WITH_PATH_ONLY 0.000000, __ANY_URI 0.000000, __ATTACH_CTE_BASE64 0.000000, __BODY_NO_MAILTO 0.000000, __BODY_TEXT_X4 0.000000, __CT 0.000000, __CTYPE_HAS_BOUNDARY 0.000000, __CTYPE_MULTIPART 0.000000, __CTYPE_MULTIPART_ALT 0.000000, __DKIM_ALIGNS_1 0.000000, __DKIM_ALIGNS_2 0.000000, __EMBEDDED_IMG 0.000000, __EXTRA_MPART_TYPE_1 0.000000, __EXTRA_MPART_TYPE_N1 0.000000, __FRAUD_MONEY_BIG_COIN 0.000000, __FRAUD_MONEY_BIG_COIN_DIG 0.000000, __FROM_DOMAIN_NOT_IN_BODY 0.000000, __FROM_NAME_NOT_IN_ADDR 0.000000, __FUR_HEADER 0.000000, __HAS_ATTACHMENT 0.000000, __HAS_ATTACHMENT1 0.000000, __HAS_ATTACHMENT2 0.000000, __HAS_FROM 0.000000, __HAS_HTML 0.000000, __HAS_MSGID 0.000000, __HREF_LABEL_TEXT 0.000000, __HTML_AHREF_TAG 0.000000, __HTML_FONT_BLUE 0.000000, __HTML_FONT_RED 0.000000, __HTML_TAG_CENTER 0.000000, __HTML_TAG_DIV 0.000000, __HTML_TAG_TABLE 0.000000, __HTTPS_URI 0.000000, __IMG_ATTACHED 0.000000, __IMS_MSGID 0.000000, __JPG_HEIGHT_100 0.000000, __JPG_SPAMMY_SEGMENT_2 0.000000, __JPG_SPAMMY_Y_RESOLUTION_3 0.000000, __JPG_WIDTH_100 0.000000, __LOCALE_CYRILLIC_CP1251_MIME 0.000000, __MIME_HTML 0.000000, __MIME_TEXT_H 0.000000, __MIME_TEXT_H1 0.000000, __MIME_TEXT_H2 0.000000, __MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000, __MIME_TEXT_P2 0.000000, __MIME_VERSION 0.000000, __MSGID_DIGITS_32_64 0.000000, __MSGID_SAMEAS_FROM_DOMAIN 0.000000, __RCVD_FROM_DOMAIN 0.000000, __SANE_MSGID 0.000000, __SEXTORTION_MALWARE 0.000000, __SUBJ_HIGHBIT 0.000000, __TAG_EXISTS_HTML 0.000000, __TO_MALFORMED_2 0.000000, __TO_NO_NAME 0.000000, __URI_ENDS_IN_SLASH 0.000000, __URI_IN_BODY 0.000000, __URI_NOT_IMG 0.000000, __URI_NO_MAILTO 0.000000, __URI_NO_WWW 0.000000, __URI_WITH_PATH 0.000000, __UTF8_SUBJ 0.000000
X-SASI-Probability: 82%
X-SASI-RCODE: 200
X-SASI-Version: Antispam-Engine: 4.1.4, AntispamData: 2022.9.28.185120
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=finsky.de.fr; s=key2; h=DomainKey-Signature:Message-ID:From:To:Subject:Date: MIME-Version:Content-Type; bh=4yHjYb3RMHhUIVgSx+aX3WAsSf+mXXTCyj fvp685YjM=; b=Fn7g5UUB4CkDgW47CxLuAblH/zmav+qssKXq7HzDHJy2ujmFoc nCYnMET1mP0wpJRfoLRJKyTwtB+7X65Qya4eMlslvQ3kcCMO6vX9Bg+Gv0HkIqeV lriTgtegq9QF2I+aJDAgxdPHtbj9ufiw/34CY76eI0p3GqdtLgWxUUfk4=
DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=key1; d=finsky.de.fr; h=Message-ID:From:To:Subject:Date:MIME-Version:Content-Type; b=FYuDdHeSopA0I+yrGgGDPrIdErq4HVSlDSm0qZXaf9Fs9sMG1ltvj9UmeZPXWcY72L65CeSUZXmm6MmplcAXtolyFwmzlSLziLdfav8kRyqrdSkFogpH7JhogOVWY28U4NHe0eEmF/koJOWTiK4I8s0JwRMwoz7EIwqPODG+RIg=;
Message-ID: <1204667055650384750862225826478214523203@finsky.de.fr>
From: "Vermixin" <ihxujvc@finsky.de.fr>
To: <kastner@theater-chemnitz.de>
Subject: =?utf-8?B?VmVybWl4aW4g4oCUIEVpbiBpbm5vdmF0aXZlcyBBbnRoZWxtaW50aGlrdW0ga2FubiBTaWUgdm9yIGRlbSBWaXJ1cyBiZXdhaHJlbiE=?=
Date: Wed, 28 Sep 2022 20:12:12 +0200
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0006_01D8D376.2B90EF30"
X-Spam-Result: Spam
This is a multi-part message in MIME format.
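An added example (not part of the post and not Sophos code) that walks the Received chain of the header above: a network blacklist can only match the peer that actually connects to the UTM, which is the topmost Received hop (5.199.133.228), whereas the clodoserver.ru address 62.76.188.243 appears only one hop earlier, inside a header written by the sender's own relay. The redacted "by" host is replaced with a placeholder in the constructed copy below.

```python
import ipaddress
import re

# Received lines copied from the header in the post; the redacted receiving
# host is replaced with a placeholder (constructed sample, folded per RFC 5322).
HEADER = """\
Received: from mail.finsky.de.fr ([5.199.133.228]:52182)
 by utm.example.invalid with esmtp (envelope-from <ihxujvc@finsky.de.fr>)
 id 1odck0-0005i9-08; Wed, 28 Sep 2022 21:29:08 +0200
Received: from finsky.de.fr (229004-4.vm.clodoserver.ru [62.76.188.243])
 by mail.finsky.de.fr (Postfix) with ESMTPA id 4E70A8073AA6;
 Wed, 28 Sep 2022 22:11:44 +0300 (EEST)
"""

# Bracketed IPv4 literal as written by MTAs in Received: headers.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(header):
    """Join folded continuation lines (leading whitespace) onto their field."""
    fields = []
    for raw in header.splitlines():
        if raw[:1] in (" ", "\t") and fields:
            fields[-1] += " " + raw.strip()
        else:
            fields.append(raw)
    return fields


def received_hops(header):
    """Return the IP of each Received hop, topmost (closest to us) first."""
    hops = []
    for field in unfold(header):
        if field.lower().startswith("received:"):
            match = IP_RE.search(field)
            if match:
                hops.append(match.group(1))
    return hops


def check_blocklist(header, cidr):
    """Compare the connecting peer and every earlier hop against a blocked range."""
    net = ipaddress.ip_network(cidr)
    hops = received_hops(header)
    return {
        "connecting_peer": hops[0],
        "peer_blocked": ipaddress.ip_address(hops[0]) in net,
        "blocked_hops": [h for h in hops if ipaddress.ip_address(h) in net],
    }


if __name__ == "__main__":
    print(check_blocklist(HEADER, "62.76.184.0/21"))
```

Only the connecting peer is outside the blocked /21, which is why an IP-range blacklist never fires for this message even though the originating hop is inside it.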