On Tue, 1 Jun 2004, Spam Admin wrote:
> I've got a consistent problem with explicit email getting through SA to
> two particular users.
...
> The only common thread I can find is that there are a
> lot of extra unrelated words in the text ("reentering furniture
> plaintiffs indictment sheaves" and other such garbage), plus the
> 'server' name is always one of the recipients' names; e.g., Received:
> from klett (ppp-67-125-116-67.dialup.irvnca.pacbell.net [67.125.116.67])
> where one of the recipients is [EMAIL PROTECTED]
Are you under any policy requirement to accept mail from
dynamically-assigned IP space? If not, I'd suggest greylisting/tempfailing
or rejecting traffic at the MTA level from known dynamic IP space.
According to openrbl.org, (ppp-67-125-116-67.dialup.irvnca.pacbell.net
[67.125.116.67]) is listed by dul.dnsbl.sorbs.net. Your policy may differ;
I see no need to accept direct SMTP traffic from dynamic IP space because
organizations that assign addresses dynamically always provide SMTP
services to their customers. If they want to send to your users, they can
use their organization's mail server to do so; that's what it's there for.
Another spam sign is a system that HELO's with something other than a
FQDN. It's a minor RFC violation and while there are a lot of broken
(Windows?) MTAs out there (FPs) the test hits far more spam than ham.
Depending on how much traffic you get and your available attention span,
you may want to tempfail on broken HELO and missing rDNS. Tempfailing
gives you some time to whitelist broken systems and politely ask their
admins to fix them; at worst, your users will see a delay in getting mail.
There are a very few badly-implemented MTAs out there that won't retry
after a 4xx error but this is a severe RFC violation; any problems losing
mail from these systems are the fault of the sending system, not the
recipient.
hth,
-- Bob
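The MTA-level checks Bob describes (DNSBL lookup against a dynamic-IP list, non-FQDN HELO, missing reverse DNS, and the reject-versus-tempfail split) can be expressed as a small policy function. The following is an added example and is not code from Bob's mail or from SpamAssassin. It parses a `Received:` "from" clause, builds the reversed-octet query name for `dul.dnsbl.sorbs.net` (the zone named in the mail), and decides accept / tempfail (4xx) / reject (5xx). The DNSBL answers come from a constructed in-memory table so it runs offline; `FAKE_DNSBL`, `live_dnsbl_lookup`, the sample `Received:` lines (only the first reuses the host from the mail) and the mapping "listed means reject, broken HELO or no rDNS means tempfail" are this example's assumptions, not anything the mail prescribes.

```python
import re
import socket

# Constructed DNSBL responses, standing in for real DNS. The first entry
# mirrors the mail's observation that 67.125.116.67 was listed by SORBS DUL.
FAKE_DNSBL = {
    "67.116.125.67.dul.dnsbl.sorbs.net": "127.0.0.10",  # constructed return code
}

# Matches the "from <helo> (<rdns> [<ip>])" clause of a Received: header.
# <rdns> is optional because some MTAs write "(unknown [ip])" or "([ip])".
RECEIVED_RE = re.compile(
    r"^(?:Received:\s*)?from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9.]+)\]\)", re.I
)
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def parse_received(line):
    """Return (helo, rdns_or_None, ip) from a Received: line, else raise ValueError."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised Received: clause: %r" % line)
    return m.group(1), m.group(2), m.group(3)


def is_fqdn(name):
    """True for a syntactically valid multi-label hostname (no address literals, no bare names)."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(LABEL_RE.match(lbl) for lbl in labels)


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet DNSBL query name, e.g. 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def fake_dnsbl_lookup(qname):
    """Offline resolver: answer from the constructed table."""
    return FAKE_DNSBL.get(qname)


def live_dnsbl_lookup(qname):
    """Real resolver (not called by default): an A record means 'listed'."""
    try:
        return socket.gethostbyname(qname)
    except socket.gaierror:
        return None


def classify(received_line, resolver=fake_dnsbl_lookup, dnsbl_zone="dul.dnsbl.sorbs.net"):
    """Apply the policy from the mail: listed dynamic space -> reject (5xx);
    non-FQDN HELO or missing rDNS -> tempfail (4xx), giving time to whitelist
    legitimate but broken senders; otherwise accept."""
    helo, rdns, ip = parse_received(received_line)
    reasons = []
    if resolver(dnsbl_query_name(ip, dnsbl_zone)):
        reasons.append("%s listed in %s" % (ip, dnsbl_zone))
        return "reject", reasons
    if rdns is None or rdns.lower() == "unknown":
        reasons.append("no reverse DNS for %s" % ip)
    # RFC 5321 permits an address literal in HELO, so "[a.b.c.d]" is not flagged.
    if not (is_fqdn(helo) or (helo.startswith("[") and helo.endswith("]"))):
        reasons.append("HELO %r is not an FQDN" % helo)
    if reasons:
        return "tempfail", reasons
    return "accept", []


# Constructed sample lines; the "by ..." parts and the hosts after the first are invented.
SAMPLE_RECEIVED = [
    "from klett (ppp-67-125-116-67.dialup.irvnca.pacbell.net [67.125.116.67]) by mx.example.net with SMTP",
    "from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.net with ESMTP",
    "from laptop (unknown [192.0.2.99]) by mx.example.net with SMTP",
    "from [192.0.2.77] ([192.0.2.77]) by mx.example.net with ESMTP",
]

if __name__ == "__main__":
    for line in SAMPLE_RECEIVED:
        verdict, why = classify(line)
        print("%-8s %s" % (verdict, "; ".join(why) or line.split()[1]))
```

Swap `resolver=live_dnsbl_lookup` into `classify` to query the real zone; the offline table is there so the policy logic can be exercised without network access, and so the second sample (clean rDNS, FQDN HELO, not listed) is accepted while the third and fourth are only deferred, matching the mail's point that a 4xx costs a compliant sender nothing but a delay.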