Re: This is new...

From: /dev/rob0 (rob0@gmx.co.uk)
Date: Sun Oct 16 2005 - 00:02:54 CDT


On Saturday 2005-October-15 17:53, James Lay wrote:
> wietse@porcupine.org (Wietse Venema) wrote:
> > > Received: from aen@localhost by bwr.int (8.11.6/8.11.6); Sat, 15
> > > Oct 2005 16:18:08 -0700
> >
> > That is not a Postfix generated message header. That looks like
> > a Sendmail 8.11.6 generated message header.
> >
> > > How is it possible that I didn't see a full/normal IP? This was
> > > sent from a spammer, so maybe anything is possible. Anyway to

It's quite likely it was a forged header. Spammers do that to confuse
clueless anti-spam software and abuse desks.

> > > block non-ip things like this in header_checks? Thanks all!

Really REALLY bad idea to go this way. For one thing it won't be easy
to do it right (catch the header forgeries, don't catch any real
headers.) For another thing your existing content filtering already
identified this one as spam, so what's the benefit?

> X-Spam-Report:
> * 3.2 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but
> * should
> * 1.3 RCVD_NUMERIC_HELO Received: contains an IP address used for
> HELO

SpamAssassin is IMO more appropriate to a MUA. It apparently missed the
all-important distinction about this one's HELO ... see below.

> * 1.8 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
> * [<http://dsbl.org/listing?220.73.10.74>]

list.dsbl.org is a safe and reliable indicator of spam too.

> Received: from 24.116.255.102 (unknown [220.73.10.74])
> by mail.slave-tothe-box.net (Postfix) with SMTP id C9F7312469E
> for <jlay@slave-tothe-box.net>; Sat, 15 Oct 2005 16:10:24 -0600

No reverse DNS. I don't block for that myself, but "24.116.255.102" was
the HELO greeting. That's *your* IP. It is IME always safe to reject
SMTP which helo's as you. So much so that I wrote a poem:

Oct 16 05:20:54 sorry postfix/smtpd[8398]: NOQUEUE: reject: RCPT from
unknown[61.173.247.226]: 503 5.7.1 <my.IP.add.ress>: Helo command
rejected: Spammer comes to me, Greets me with my own IP, Spam I shall
not see.; from=<charityinfocoolgoose.com> to=<user@my.domain>
proto=SMTP helo=<my.IP.add.ress>

> Listing my sendmail reveals:

The fact that you're running Postfix notwithstanding, it's a safe bet
that you will get some legitimate mail with sendmail.org's Received:
headers.

> Did SpamAssassin add something?

A lot of useless overhead. You accepted the DATA on this one, on your
limited bandwidth (ALL bandwidth has limits, right?) and you tasked
your CPU to scan the content ... needlessly.

http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
http://www.spamhaus.org/effective_filtering.html [1]

[1] I doubt the 76% figure in A.D. 2005. I couldn't hazard much of a
guess as to the ratio of mail bytes to spam bytes, but if measured in
terms of the number of connections being made to my server I would guess
that spam is well over 90% of SMTP traffic.
--
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
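The check the poem above describes, written out as an added example that is not part of the original post and is not Postfix code: in Postfix the rejection itself is done at SMTP time in smtpd_helo_restrictions with a check_helo_access lookup table keyed on the server's own names and addresses, so the DATA is never accepted. The Python below applies the same test, together with the two SpamAssassin conditions quoted in the thread (numeric HELO, HELO/IP mismatch) and the missing reverse DNS, to Postfix-format Received: headers after the fact, and also generates the lines for such an access table. The own_identities set, the helo_access_table helper and the example.org / 192.0.2.10 sample header are assumptions constructed for the example; the first sample header is the one quoted in the post.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Postfix writes Received: headers as
#   from <HELO> (<reverse-DNS-or-"unknown"> [<client IP>]) by <our host> ...
# Sendmail's "from user@host by host (8.11.6/8.11.6)" form does not match
# this and is deliberately reported as unparsed rather than guessed at.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


@dataclass
class HeloVerdict:
    helo: str
    rdns: str
    ip: str
    flags: list = field(default_factory=list)


def parse_received(header):
    """Return (helo, rdns, ip) from a Postfix-style Received: header, or None."""
    m = RECEIVED_RE.search(header)
    if m is None:
        return None
    return m.group("helo"), m.group("rdns"), m.group("ip")


def is_ip_literal(value):
    """True if the HELO argument is a bare or bracketed IP address."""
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False


def classify_helo(header, own_identities):
    """Flag the HELO conditions discussed in the thread.

    own_identities: the receiving server's own IP addresses and hostnames.
    A client that greets with one of those is what the poem rejects.
    """
    parsed = parse_received(header)
    if parsed is None:
        return None
    helo, rdns, ip = parsed
    verdict = HeloVerdict(helo, rdns, ip)
    own = {ident.lower() for ident in own_identities}
    if helo.strip("[]").lower() in own:
        verdict.flags.append("HELO_IS_OUR_OWN_IDENTITY")
    if is_ip_literal(helo):
        verdict.flags.append("HELO_NUMERIC")          # RCVD_NUMERIC_HELO
        if helo.strip("[]") != ip:
            verdict.flags.append("HELO_IP_MISMATCH")  # RCVD_HELO_IP_MISMATCH
    if rdns.lower() == "unknown":
        verdict.flags.append("NO_REVERSE_DNS")
    return verdict


def helo_access_table(own_identities, reason):
    """Render a check_helo_access table rejecting clients that HELO as us.

    Assumed layout: one "<identity>\tREJECT <text>" line per identity,
    to be fed through postmap(1) on the Postfix side.
    """
    return "".join(f"{ident}\tREJECT {reason}\n" for ident in sorted(own_identities))


# Assumed identities of the receiving server for this example.
OWN_IDENTITIES = {"24.116.255.102", "mail.slave-tothe-box.net"}

# First header is the one quoted in the post; second is constructed
# (documentation domain/address) to show a clean, legitimate greeting.
SAMPLE_HEADERS = [
    "Received: from 24.116.255.102 (unknown [220.73.10.74])\n"
    "\tby mail.slave-tothe-box.net (Postfix) with SMTP id C9F7312469E\n"
    "\tfor <jlay@slave-tothe-box.net>; Sat, 15 Oct 2005 16:10:24 -0600",
    "Received: from mx.example.org (mx.example.org [192.0.2.10])\n"
    "\tby mail.slave-tothe-box.net (Postfix) with ESMTP id 0123456789A\n"
    "\tfor <jlay@slave-tothe-box.net>; Sat, 15 Oct 2005 16:12:00 -0600",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        v = classify_helo(header, OWN_IDENTITIES)
        print(v.helo, v.ip, v.flags or "clean")
    print(helo_access_table(OWN_IDENTITIES,
                            "Spammer comes to me, Greets me with my own IP, Spam I shall not see."))
```

Running it prints four flags for the spammer's header (own identity, numeric HELO, HELO/IP mismatch, no reverse DNS) and "clean" for the constructed one, followed by the two-line access table. As the post argues, the place to act on HELO_IS_OUR_OWN_IDENTITY is the SMTP session, before DATA, not a header_checks rule on mail already accepted.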