On Thu, 4 Jul 2019 19:11:43 +0000
David Jones wrote:

> Just had a compromised account on one of my customer's mail servers 
> (96.4.156.21) try to blast out phishing email.  This 96.4 IP is our 
> customer space so it's in my trusted_networks since it will not forge 
> the Received header.

This is nothing to do with ehlo, it hit ALL_TRUSTED because it's
authenticated mail submission into the trusted network. 


> The 88.233 IP is from Turkey (88.233.47.16.dynamic.ttnet.com.tr) and 
> should have triggered a number of rules based on the RelayCountry
> plugin.
> 
> This email should not have hit ALL_TRUSTED and should have done 
> RelayCountry and ASN lookups on 88.233.47.16.
> 
> 
> Received: from mail.lced.net (mail.lced.net [96.4.156.2])
>       by smtp5i.ena.net (Postfix) with ESMTP id DF9421480F90
>       for <brookeandj...@eastlink.ca>; Thu, 4 Jul 2019 12:56:42 -0500 (CDT)
> Received: from 192.168.1.2 (unknown [88.233.47.16])
>       by mail.lced.net (Postfix) with ESMTPA id 8F22630961D6D
>       for <brookeandj...@eastlink.ca>; Thu, 4 Jul 2019 12:56:40 -0500 (CDT)
> 
> 

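The following is an added illustration, not code from the list thread or from SpamAssassin itself. It models the trust-path walk the reply describes: the receiving hops are taken from the two Received headers above (the recipient address is replaced by a constructed placeholder), the customer space is assumed to be configured as trusted_networks 96.4.0.0/16 (the thread only says "96.4"), and a hop authenticated into a trusted MTA (Postfix writes "with ESMTPA") is folded into the trusted chain. Comparing the walk with and without that folding shows why the 88.233.47.16 hop never became the first untrusted relay that RelayCountry and ASN lookups would examine. This is a simplified model, not SpamAssassin's own relay parser.

```python
import ipaddress
import re

# Constructed sample: the two Received headers from the thread, most recent
# hop first (the recipient address is a placeholder, not the original).
RECEIVED_HEADERS = [
    "from mail.lced.net (mail.lced.net [96.4.156.2]) by smtp5i.ena.net "
    "(Postfix) with ESMTP id DF9421480F90 for <recipient@example.invalid>; "
    "Thu, 4 Jul 2019 12:56:42 -0500 (CDT)",
    "from 192.168.1.2 (unknown [88.233.47.16]) by mail.lced.net "
    "(Postfix) with ESMTPA id 8F22630961D6D for <recipient@example.invalid>; "
    "Thu, 4 Jul 2019 12:56:40 -0500 (CDT)",
]

# Assumed trusted_networks: the thread says the 96.4 customer space is
# trusted; the /16 prefix is an assumption for this example.
TRUSTED_NETWORKS = [ipaddress.ip_network("96.4.0.0/16")]

# The bracketed literal is the address the MTA actually saw; the name before
# it ("192.168.1.2" here) is whatever the client claimed in EHLO/HELO.
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_WITH_RE = re.compile(r"\bwith\s+([A-Z]+)\b")


def parse_received(header):
    """Return (sending_ip, authenticated) for one Received header.

    authenticated is True when the 'with' keyword is ESMTPA or ESMTPSA,
    the RFC 3848 markers Postfix uses for authenticated submission."""
    m = _IP_RE.search(header)
    if not m:
        return None, False
    ip = ipaddress.ip_address(m.group(1))
    w = _WITH_RE.search(header)
    authed = bool(w and w.group(1) in ("ESMTPA", "ESMTPSA"))
    return ip, authed


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETWORKS)


def first_untrusted_relay(headers, honor_auth):
    """Walk the hops outward from the receiving side and return the first
    sending IP that is not trusted, or None if every hop is trusted (the
    condition under which ALL_TRUSTED fires).

    honor_auth=True models the behaviour the reply describes: a client that
    authenticated into a trusted MTA is treated as part of the trusted
    network rather than as the first external relay."""
    for header in headers:
        ip, authed = parse_received(header)
        if ip is None:
            continue
        if is_trusted(ip):
            continue
        if honor_auth and authed:
            continue
        return str(ip)
    return None


def external_relays(headers, honor_auth):
    """IPs that a RelayCountry/ASN style lookup would be run against:
    every hop not absorbed into the trusted chain."""
    relays = []
    for header in headers:
        ip, authed = parse_received(header)
        if ip is None or is_trusted(ip) or (honor_auth and authed):
            continue
        relays.append(str(ip))
    return relays


if __name__ == "__main__":
    for honor in (False, True):
        print("honor_auth=%s: first untrusted relay = %s, external relays = %s"
              % (honor, first_untrusted_relay(RECEIVED_HEADERS, honor),
                 external_relays(RECEIVED_HEADERS, honor)))
```

Without folding the authenticated hop, 88.233.47.16 is the first untrusted relay and would be the IP the country and ASN lookups examine; with the folding the reply describes, no hop is untrusted, which is exactly the ALL_TRUSTED outcome seen on the compromised account's mail.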