Recently I saw a lot of spam that didn't get caught by SpamAssassin.
All the messages have in common that the first Received header is forged.
Here is an example:
Received: from 141.88.223.236 (HELO mx1.ihk.de)
by mydomain.at with esmtp (08E71A-P)@7X K0'+V)
id 76)4Y6-5>0O4:-+8
for [EMAIL PROTECTED]; Mon, 4 Dec 2006 01:20:50 +0180
From: "Annmarie Esposito" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
They use the recipient domain (virtual domain on our mailcluster)
as the servername in the received line.
You mean the "hi its me!" spams with headers like
Received: from 216.117.144.149 (HELO smtp.accadia.com)
by earthlink.net with esmtp (0.U011UE BG391)
id N6.'[EMAIL PROTECTED]
for [EMAIL PROTECTED]; Tue, 5 Dec 2006 12:29:13 -0540
Around here those trigger
2.8 RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
0.1 FORGED_RCVD_HELO Received: contains a forged HELO
(This particular spam got 28 points between the above and a bunch of other
rule hits.)
Loren
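As an added illustration (not code from either poster), here is a small Python check that pulls apart the two Received lines quoted in the thread and reports the features a filter could key on: a "by" host that is one of our own domains (the first poster's observation), MTA tags and queue ids full of punctuation no real MTA emits, and a timezone offset that cannot exist. The header copies are constructed from the thread, keeping the archive's `[EMAIL PROTECTED]` placeholders; the local-domain set passed in is an assumption.

```python
import re

# Constructed copies of the two forged Received headers quoted in the thread,
# folded onto continuation lines as they would appear in the raw message.
HEADER_A = (
    "Received: from 141.88.223.236 (HELO mx1.ihk.de)\n"
    "\tby mydomain.at with esmtp (08E71A-P)@7X K0'+V)\n"
    "\tid 76)4Y6-5>0O4:-+8\n"
    "\tfor [EMAIL PROTECTED]; Mon, 4 Dec 2006 01:20:50 +0180"
)
HEADER_B = (
    "Received: from 216.117.144.149 (HELO smtp.accadia.com)\n"
    "\tby earthlink.net with esmtp (0.U011UE BG391)\n"
    "\tid N6.'[EMAIL PROTECTED]\n"
    "\tfor [EMAIL PROTECTED]; Tue, 5 Dec 2006 12:29:13 -0540"
)

# Lazy groups for the software tag and queue id, because the forged ones
# contain parentheses and other characters that break a naive split.
FIELDS = re.compile(
    r"^Received:\s+from\s+(?P<ip>\S+)\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+"
    r"by\s+(?P<by>\S+)\s+with\s+esmtp\s+\((?P<esmtp>.*?)\)\s+"
    r"id\s+(?P<id>.*?)\s+for\s+(?P<rcpt>[^;]+);\s+(?P<date>.*)$"
)
# Characters a real MTA puts in its software tag or queue id.
CLEAN_TOKEN = re.compile(r"^[A-Za-z0-9 ._/-]+$")
TZ_OFFSET = re.compile(r"([+-])(\d{2})(\d{2})\s*$")


def unfold(header):
    """Join RFC 5322 continuation lines into one logical header line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def received_red_flags(header, local_domains):
    """Return the reasons a Received header looks forged (empty list = none).

    local_domains (assumed): hostnames our own MTAs write into their 'by'
    clause. A line claiming 'by <local domain>' that we did not add is forged.
    """
    m = FIELDS.match(unfold(header))
    if not m:
        return ["unparseable Received header"]
    flags = []
    if m["by"].lower() in {d.lower() for d in local_domains}:
        flags.append("'by' names our own domain: %s" % m["by"])
    for name in ("esmtp", "id"):
        if not CLEAN_TOKEN.match(m[name]):
            flags.append("garbage in %s token: %r" % (name, m[name]))
    tz = TZ_OFFSET.search(m["date"])
    if tz and (int(tz.group(3)) >= 60 or int(tz.group(2)) > 14):
        flags.append("impossible timezone offset %s" % tz.group(0))
    return flags
```

Note that the second header's `-0540` is a well-formed offset, so only the queue id gives it away; a filter should score several weak signals together, which is what the rule hits Loren lists do.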