Am 2018-02-15 19:27, schrieb David Jones:
We have covered this issue a few times recently on this list but I
don't think anything definitive was ever decided or recommended to
detect and block this sort of spoofing:
https://pastebin.com/juXLD8vr
This appears to be a spoofed email from a compromised account trying
to be a known corespondent to this customer of mine.
The Message-ID is suspicious since it's an inbound email to the
hck12.net domain.
David,
You can reject this kind of spam using
ALL =~ /^To: .+\@([^>]+)\nMessage-ID: <\d{8,13}\.201[78]\d{5,11}\@\1>/m
and the message-id and the boundary. I am doing this since May last
year.
Michael
