I have been scratching my head as to how some blacklisted recipients are
getting through SpamDyke, and I think I've finally figured it out. I think
it has something to do with the spam having an incorrectly formatted Cc: line
(Missing closing angle brackets). Here are the To and CC from the header as
it came in:
-----------------------------------------------------
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>,
<[EMAIL PROTECTED],
<[EMAIL PROTECTED],
<[EMAIL PROTECTED]
-----------------------------------------------------
Note the missing ">" on the last 3 emails.
Now, three of these recipients are blacklisted: baldwind, andrews, and
andrewsd. The other two, amber and amber-bike, are not blacklisted.
Here is the log:
-----------------------------------------------------
Jan 17 14:25:18 buzz spamdyke[3328]:
DENIED_RECIPIENT_BLACKLISTED(/home/spamdyke/recipient-blacklist-file:5)
from: [EMAIL PROTECTED] to: [EMAIL PROTECTED] origin_ip:
81.20.177.203 origin_rdns: 81-20-177-203.dsl1.localdial.com auth: (unknown)
Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED]
to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns:
81-20-177-203.dsl1.localdial.com auth: (unknown)
Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED]
to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns:
81-20-177-203.dsl1.localdial.com auth: (unknown)
Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED]
to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns:
81-20-177-203.dsl1.localdial.com auth: (unknown)
Jan 17 14:25:19 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED]
to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns:
81-20-177-203.dsl1.localdial.com auth: (unknown)
Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED]
to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns:
81-20-177-203.dsl1.localdial.com auth: (unknown)
Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED]
to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns:
81-20-177-203.dsl1.localdial.com auth: (unknown)
Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED]
to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns:
81-20-177-203.dsl1.localdial.com auth: (unknown)
Jan 17 14:25:20 buzz spamdyke[3328]: ALLOWED from: [EMAIL PROTECTED]
to: [EMAIL PROTECTED] origin_ip: 81.20.177.203 origin_rdns:
81-20-177-203.dsl1.localdial.com auth: (unknown)
-----------------------------------------------------
The first recipient is correctly denied. Then the next two are allowed (also
correct). But then it gets screwy - the last two are allowed, despite being
blacklisted, and then all 4 CC'd email addresses are repeated.
Is it possible the missing angle-bracket is a way for spammers to sneak past
spamdyke?
_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
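
A log audit for the symptom described in the post, added here as an example and not part of the original message or of spamdyke: it scans log lines in the format shown above and reports ALLOWED deliveries to blacklisted recipients, plus recipients allowed more than once by the same spamdyke process. The example.com and example.net addresses, the 192.0.2.10 address, the helper names and the one-exact-address-per-entry blacklist are assumptions, since the addresses in the post are redacted.

```python
import re
from collections import Counter

# Fields visible in the log excerpt above: PID, result code, sender, recipient, origin IP.
LINE_RE = re.compile(
    r"spamdyke\[(?P<pid>\d+)\]:\s+(?P<result>[A-Z_]+)(?:\([^)]*\))?\s+"
    r"from:\s+(?P<sender>\S+)\s+to:\s+(?P<rcpt>\S+)\s+origin_ip:\s+(?P<ip>\S+)"
)

def normalize(addr):
    """Lower-case and strip angle brackets, tolerating a missing '<' or '>'."""
    return addr.strip().lstrip("<").rstrip(">,").lower()

def audit(log_lines, blacklist):
    """Return (leaks, repeats): ALLOWED deliveries to blacklisted recipients,
    and recipients allowed more than once within one spamdyke process (PID)."""
    blocked = {normalize(a) for a in blacklist}
    leaks, seen = [], Counter()
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m or m["result"] != "ALLOWED":
            continue
        rcpt = normalize(m["rcpt"])
        seen[(m["pid"], rcpt)] += 1
        if rcpt in blocked:
            leaks.append((m["pid"], m["ip"], rcpt))
    repeats = sorted(k for k, n in seen.items() if n > 1)
    return leaks, repeats

# Constructed sample data (assumption): exact-match blacklist entries.
BLACKLIST = ["baldwind@example.com", "andrews@example.com", "andrewsd@example.com"]

def _line(result, rcpt):
    """Build one constructed log line in the layout shown in the post."""
    return (f"Jan 17 14:25:19 buzz spamdyke[3328]: {result} from: spammer@example.net "
            f"to: {rcpt} origin_ip: 192.0.2.10 origin_rdns: host.example.net auth: (unknown)")

# One denial, then the four Cc recipients allowed twice, mirroring the sequence in the post.
_CC = ["amber", "amber-bike", "andrews", "andrewsd"]
SAMPLE_LOG = [_line("DENIED_RECIPIENT_BLACKLISTED(/home/spamdyke/recipient-blacklist-file:5)",
                    "baldwind@example.com")]
SAMPLE_LOG += [_line("ALLOWED", f"{user}@example.com") for user in _CC * 2]

if __name__ == "__main__":
    leaks, repeats = audit(SAMPLE_LOG, BLACKLIST)
    for pid, ip, rcpt in leaks:
        print(f"LEAK pid={pid} ip={ip} rcpt={rcpt}")
    for pid, rcpt in repeats:
        print(f"REPEAT pid={pid} rcpt={rcpt}")
```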