For many months now, I have had a problem with spam that is passing (at a rate of 50-2.000 a day).
The emails have this sort of headers:
Received: from static-89-42-91-176 ([18.104.22.168] helo=static-89-42-91-176)
by ASSP.nospam with SMTP (2.2.1); 9 Jan 2013 04:16:17 +0100
From: Mark Jansen <no-reply@static-89-42-91-176>
The logs tell me:
Jan-09-13 04:16:18 [isbounce] 22.214.171.124 bounce message detected
Jan-09-13 04:16:18 126.96.36.199 Message-Score: added 5 (fiphValencePB) for Suspicious HELO - contains IP: 'static-89-42-91-176', total score for this message is now 5
Jan-09-13 04:16:18 188.8.131.52 [scoring] (Suspicious HELO - contains IP: 'static-89-42-91-176')
Jan-09-13 04:16:19 184.108.40.206 to: firstname.lastname@example.org
[scoring] SPF: none (cache) ip=220.127.116.11 helo=static-89-42-91-176
Jan-09-13 04:16:19 [MessageOK] 18.104.22.168 to: xx<destinationadress>xx message ok - (whitelistdb)
***22.214.171.124 is not in an IP (white)list, there is no static- in my whitelist (mysql),
however it is marked as whitelisted-db!!
Q1: is this normal for a bounce?
Now in my config I got:
--> The HELO is marked as Suspicious, so there is a check, however this one is skipped
--> this one is also skipped.
--> these are also skipped.
Q2: How can I stop this spam (without doing all sorts of checks on whitelisted addresses)?
Q3: Maybe a section for bounces (DoHeloBounce, bombReBounce) is needed for this?
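As an added example (not code from the original post or from ASSP itself), here is a small Python script that parses log lines in the shape quoted above and lists the connecting IPs that were scored for a Suspicious HELO but still accepted with reason whitelistdb, so the pattern can be spotted in bulk rather than by eye. The sample lines, the IPs and the recipient are constructed placeholders, and the "HELO embeds an IP" check is an approximation of ASSP's, not its actual code.

```python
import re

# Constructed sample in the shape of the ASSP log lines quoted above; the IPs and
# recipient are placeholders, not the values from the original post.
SAMPLE_LOG = """\
Jan-09-13 04:16:18 [isbounce] 192.0.2.10 bounce message detected
Jan-09-13 04:16:18 192.0.2.10 Message-Score: added 5 (fiphValencePB) for Suspicious HELO - contains IP: 'static-89-42-91-176', total score for this message is now 5
Jan-09-13 04:16:19 [MessageOK] 192.0.2.10 to: user@example.org message ok - (whitelistdb)
Jan-09-13 05:00:01 192.0.2.20 Message-Score: added 5 (fiphValencePB) for Suspicious HELO - contains IP: 'host-1-2-3-4', total score for this message is now 5
Jan-09-13 05:00:02 [MessageOK] 192.0.2.20 to: user@example.org message ok - (whitelistdb)
Jan-09-13 06:00:00 192.0.2.30 Message-Score: added 5 (fiphValencePB) for Suspicious HELO - contains IP: 'dsl-5-6-7-8', total score for this message is now 5
Jan-09-13 06:00:01 [MessageOK] 192.0.2.30 to: user@example.org message ok - (spf)
"""

# "<date> <time> [optional tag] <connecting IP> <rest of message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?:\[(?P<tag>[^\]]+)\] )?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<msg>.*)$"
)
HELO_RE = re.compile(r"Suspicious HELO - contains IP: '(?P<helo>[^']+)'")
OK_RE = re.compile(r"message ok - \((?P<reason>[^)]+)\)")
# Four numeric groups joined by '-' or '.', the shape of a generic reverse-DNS name.
EMBEDDED_IP_RE = re.compile(r"(?<![0-9])\d{1,3}(?:[-.]\d{1,3}){3}(?![0-9])")


def helo_embeds_ip(helo: str) -> bool:
    """True if the HELO name carries an IPv4-like group (e.g. static-89-42-91-176)."""
    return EMBEDDED_IP_RE.search(helo) is not None


def find_whitelist_bypasses(log_text: str) -> list:
    """Correlate lines per connecting IP and return one record for each IP that
    got a Suspicious-HELO score and was then accepted with reason 'whitelistdb'."""
    state = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, tag, msg = m.group("ip"), m.group("tag"), m.group("msg")
        rec = state.setdefault(ip, {"ip": ip, "helo": None, "bounce": False, "reason": None})
        if tag == "isbounce":
            rec["bounce"] = True          # the message was recognised as a bounce
        h = HELO_RE.search(msg)
        if h:
            rec["helo"] = h.group("helo")  # HELO string that triggered the score
        if tag == "MessageOK":
            ok = OK_RE.search(msg)
            rec["reason"] = ok.group("reason") if ok else None
    return [r for r in state.values()
            if r["helo"] and helo_embeds_ip(r["helo"]) and r["reason"] == "whitelistdb"]
```

Running it over a real log shows which accepted messages owe their acceptance solely to the whitelist lookup, and the bounce flag separates the case asked about in Q1 from ordinary whitelisted senders.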