On 2018-02-17 00:41, John Hardin wrote:
On Fri, 16 Feb 2018, Michael Storz wrote:

On 2018-02-15 19:27, David Jones wrote:
We have covered this issue a few times recently on this list but I
don't think anything definitive was ever decided or recommended to
detect and block this sort of spoofing:

https://pastebin.com/juXLD8vr

This appears to be a spoofed email from a compromised account trying
to be a known correspondent to this customer of mine.

The Message-ID is suspicious since it's an inbound email to the
hck12.net domain.

David,

You can reject this kind of spam using

ALL =~ /^To: .+\@([^>]+)\nMessage-ID: <\d{8,13}\.201[78]\d{5,11}\@\1>/m

and the message-id and the boundary. I have been doing this since May last year.

Not necessarily safe. If your MTA receives a message without a
Message-ID, it is supposed to generate one. And if it does so, it will
probably do so using your (recipient) domain...

Addition of a missing Message-ID should only be done by an MSA, not an MTA. The added Message-ID would have the domain of the MTA, which is normally different from the domain of the recipient.

Michael
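
The rule quoted in this thread, exercised against constructed headers; this is an added example and not part of the original messages. The regex is transcribed to Python's `re`, and the header values, the `example.org`/`example.com` domains and the helper names are assumptions made for illustration.

```python
import re

# The rule from the thread, transcribed to Python's re syntax.
# \1 forces the Message-ID domain to equal the domain captured from To:.
SPOOF_RE = re.compile(
    r"^To: .+@([^>]+)\nMessage-ID: <\d{8,13}\.201[78]\d{5,11}@\1>",
    re.MULTILINE,
)

def spoofed_domain(headers):
    """Return the recipient domain if the rule fires, else None."""
    m = SPOOF_RE.search(headers)
    return m.group(1) if m else None

def hdr(to, msgid, between=""):
    """Build a constructed header block (hypothetical helper)."""
    return (
        "From: sender@example.com\n"
        f"To: {to}\n{between}"
        f"Message-ID: {msgid}\n"
        "Subject: invoice\n"
    )

# Constructed sample headers; none of these come from the pastebin sample.
CASES = {
    # Numeric id in the recipient's own domain: the pattern the rule targets.
    "recipient_domain_id": hdr("user@example.org",
                               "<1234567890.20180215192700@example.org>"),
    # Same id shape, but in the sender's domain: the backreference fails.
    "sender_domain_id": hdr("user@example.org",
                            "<1234567890.20180215192700@example.com>"),
    # Locally generated id in the recipient domain, different (assumed) format.
    "other_format_same_domain": hdr("user@example.org",
                                    "<20180216.A1B2C3D4@example.org>"),
    # To: in angle-bracket form: [^>]+ cannot reach the newline.
    "bracketed_to": hdr("User <user@example.org>",
                        "<1234567890.20180215192700@example.org>"),
    # Another header between To: and Message-ID: breaks the adjacency.
    "not_adjacent": hdr("user@example.org",
                        "<1234567890.20180215192700@example.org>",
                        between="Date: Thu, 15 Feb 2018 19:27:00 +0000\n"),
}

def evaluate():
    return {name: spoofed_domain(h) for name, h in CASES.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:26} {'HIT ' + hit if hit else 'no match'}")
```

The last two cases show that the rule depends on header order and on a bare address in `To:`, so it is worth checking against real samples before relying on it.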
