On 9 Jun 2006, at 13:56, Jason Staudenmayer wrote:
> Is anyone else getting spam from gmail? The ones I'm getting are very lengthy but don't look like bayes poison.
It's _not from_ GMail. <snip>
> Received: from unknown (HELO 192.168.0.4) (66.148.73.132) by mail2.adventureaquarium.com with SMTP; 8 Jun 2006 12:05:21 -0000
> Received: from crysholgh.com (9.13.1/9.13.1) id XAA37462; Thu, 08 Jun 2006 05:05:20 -0800
> Message-Id: <[EMAIL PROTECTED]>
> From: "Marcelino Crews" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: this weeks stock pick KMAG - build a strong position now
<snip>
> Maybe gmail has an open relay? Or does this look like something else?
No, you should be looking at this header:
Received: from unknown (HELO 192.168.0.4) (66.148.73.132) by mail2.adventureaquarium.com with SMTP; 8 Jun 2006 12:05:21 -0000
This message was received from [66.148.73.132] with no rDNS and using a private non-routable IP in HELO.
The IP in question is owned by HopOne:

NetRange:    66.148.64.0 - 66.148.127.255
CIDR:        66.148.64.0/18
OrgName:     HopOne Internet Corporation
OrgID:       HOPO
Address:     1010 Wisconsin Avenue N.W.
City:        Washington
StateProv:   DC
PostalCode:  20007-3603
Country:     US

It doesn't match the SPF record for gmail.com either:

_spf.google.com. 300 IN TXT "v=spf1 ip4:216.239.56.0/23 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ?all"
The sender address is forged, as is common. IOW, it should have been rejected outright before it even got to SA, either because it has no rDNS, or because it used an invalid address literal (1.2.3.4 instead of [1.2.3.4]), or because it used a private non-routable IP in HELO.
-j
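As an added example (not part of this thread, and not SpamAssassin's own code), here are the three checks -j describes, run in Python over the Received header quoted above: missing rDNS, an invalid or private address literal in HELO, and the connecting IP falling outside the SPF ip4 ranges. The regex assumes the qmail-style `from unknown (HELO x) (ip)` layout shown in the quoted header; the SPF check is a deliberate simplification that evaluates only the `ip4:` mechanisms of the quoted 2006 record and ignores the `?all` qualifier and any `include:`/`redirect=` handling.

```python
import ipaddress
import re

# Constructed sample input: the Received header quoted earlier in the thread.
RECEIVED_SPAM = (
    "Received: from unknown (HELO 192.168.0.4) (66.148.73.132) "
    "by mail2.adventureaquarium.com with SMTP; 8 Jun 2006 12:05:21 -0000"
)

# The gmail.com SPF record as quoted in the thread (2006 values).
GMAIL_SPF = ("v=spf1 ip4:216.239.56.0/23 ip4:64.233.160.0/19 "
             "ip4:66.249.80.0/20 ip4:72.14.192.0/18 ?all")

# Assumption: qmail-style "from <rdns> (HELO <helo>) (<ip>)" layout.
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+\((?P<ip>[0-9.]+)\)"
)


def parse_received(header):
    """Extract the rDNS name, HELO argument and connecting IP, or None."""
    m = RECEIVED_RE.search(header)
    return m.groupdict() if m else None


def helo_problems(helo):
    """List RFC-style complaints about a HELO/EHLO argument.

    A bare IP (1.2.3.4) is not a valid address literal; the valid form is
    [1.2.3.4].  Either form is further flagged if the address is private.
    Hostnames are accepted here; FQDN/rDNS agreement is not checked.
    """
    problems = []
    h = helo.strip()
    if h.startswith("[") and h.endswith("]"):
        try:
            addr = ipaddress.ip_address(h[1:-1])
        except ValueError:
            return ["malformed address literal"]
    else:
        try:
            addr = ipaddress.ip_address(h)
        except ValueError:
            return problems  # looks like a hostname, nothing to flag here
        problems.append("bare IP without brackets (invalid address literal)")
    if addr.is_private:
        problems.append("private non-routable IP in HELO")
    return problems


def spf_ip4_networks(record):
    """Return the ip4: networks listed in an SPF TXT record."""
    return [ipaddress.ip_network(tok[4:], strict=False)
            for tok in record.split() if tok.startswith("ip4:")]


def in_spf(ip, record):
    """True if ip is covered by one of the record's ip4: mechanisms."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in spf_ip4_networks(record))


def assess(header, spf_record):
    """Run the rDNS, HELO and SPF checks from the thread; return findings."""
    parsed = parse_received(header)
    if parsed is None:
        return None
    findings = []
    if parsed["rdns"].lower() == "unknown":
        findings.append("no rDNS for connecting IP")
    findings.extend(helo_problems(parsed["helo"]))
    if not in_spf(parsed["ip"], spf_record):
        findings.append("%s not in SPF ip4 ranges" % parsed["ip"])
    return findings


if __name__ == "__main__":
    for f in assess(RECEIVED_SPAM, GMAIL_SPF):
        print("REJECT-WORTHY:", f)
```

Any one of the first three findings is grounds for rejecting at SMTP time, before the message body reaches a content filter; the SPF mismatch only adds weight, since `?all` makes the quoted record neutral rather than failing.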