On 2/13/2017 11:20 AM, Viktor Dukhovni wrote:
> On Mon, Feb 13, 2017 at 10:44:22AM -0700, Phillip Carroll wrote:
>
>> The problem is that some (very small) number of bad actors are managing to
>> get by all of the MAIL time tests. A recent example:
>>
>> HOST = 47-48-213-250.static.gwnt.ga.charter.com
>> HELO = amazon-sales.com
>>
>> The email received from this joker purports to be an acknowledgment by
>> Amazon that "Your Amazon Order has Shipped", the order being a very
>> expensive retail iPhone. (No doubt hoping to cause someone a panic attack
>> and accompanying brain freeze) A convenient link to "Amazon" of course
>> actually links to a site with a Chilean TLD that certainly has no connection
>> to Amazon, but surely does have an unpleasant surprise for the innocent that
>> clicks the link. (The latter actually makes no logical sense to me, in that
>> the whole point of checking at MAIL time is to avoid redundant checking
>> (particularly redundant conversations with DNS and ZEN) in case of multiple
>> recipients.)
>
> A purported bounce may well be sent with an empty return path:
>
>     MAIL FROM:<>
>
> Does Exim, (or do your MAIL command filters) do anything different
> with an empty sender address?  Perhaps such an address is not
> matched by your rules.


Viktor,

The headers do not indicate this was a purported bounce. It had a normal From header:

    From: "Amazon.com" <[email protected]>

Thanks for the input,
Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
