At 11:57 AM 5/19/2004, Bryan Haase wrote:
I need to clarify: my security department is running Interscan VirusWall, but it didn't detect the virus and let the email pass. I assume that with the updated patterns future messages would be blocked. That still leaves a problem that this type of message can score nothing by SpamAssassin. I am sure that [EMAIL PROTECTED] didn't send the messages... why didn't that trip any rules?

Why WOULD it trip any rules?

SA 2.63 doesn't have SPF support. SA 3.0 (the development version) does.


For reference, EarthLink does export an SPF record, so this kind of forgery will be caught in the future:


$dig txt earthlink.net
earthlink.net. 1800 IN TXT "v=spf1 ip4:207.217.120.0/23 ip4:207.69.200.0/24 ip4:209.86.89.0/24 ?all"



Outside of using SPF, there's no good way of checking From: vs Received: in the general case.


Mismatches here are VERY common and are not illegal in the general case. A lot of ISPs and companies have multiple domain names. Since the server can only RDNS as one of the multiple hosted domains, one can't simply make a rule like "if From: xxx.com and Received doesn't contain xxx.com, it's spam".

Using my network as an example, the MX for evitechnology.com happens to be the same machine as xanadu.evi-inc.com, and its RDNS record is evi-inc.com. And my SPF records reflect this.


