From: Alex Satrapa (alex.satrapaapf.edu.au)
Date: Thu Jun 01 2006 - 20:01:52 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 1 Jun 2006, at 17:19, Alex Satrapa wrote:

> When I raise the greylist delay to half an hour (enough time for
> the ISP to start getting complaints of spam originating from their
> clients, and shut the client out), I start receiving complaints
> from people whose mail servers send them messages saying, "I
> couldn't deliver this message after half an hour, I'm still trying
> though."

And here's why greylisting doesn't work:

> Received: from optkmv.ru (opttorg.cust.kmv.ru [217.13.208.17])
> (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No
> client certificate requested) by smtp.apf.edu.au (Postfix) with
> ESMTP id 88F6D8A80A3 for <alex.satrapaapf.edu.au>; Thu, 1 Jun
> 2006 19:54:31 +1000 (EST)
> Received: from optkmv.ru (localhost [127.0.0.1] (may be forged))
> by optkmv.ru (8.13.5/8.13.5) with ESMTP id k517X9rF003136 for
> <alex.satrapaapf.edu.au>; Thu, 1 Jun 2006 11:33:09 +0400
> Received: (from dianalocalhost) by optkmv.ru (8.13.5/8.13.5/
> Submit) id k517X7sY003130; Thu, 1 Jun 2006 11:33:07 +0400
> X-Sieve: CMU Sieve 2.2
> X-Greylist: delayed 8422 seconds by postgrey-1.21 at franklin;
> Thu, 01 Jun 2006 19:54:32 EST
> Message-Id: <200606010733.k517X7sY003130optkmv.ru>
> Content-Type: text/html

This was from a phishing attempt (trying to get me to enter my paypal
account details into their website).

Note that they reconnected after a couple of hours, and used TLS
encryption. Their hostname is valid, and doing a resolution on the
name derived from a reverse lookup on the IP address results in the
IP address.

Is there anything else here that could have indicated to my mail
server that this was not legitimate mail?

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]