Interesting approach by M$... offering an alerts service for PayPal, which is supposed to be secure, and then using mail servers which don't resolve to anything...

This came up today (the user deleted the mail, and then decided to give me a call, so all I have are the mail logs):

May 16 11:48:15 nahuel postfix/smtpd[12083]: 653578CFB9: client=unknown[207.46.117.145]
May 16 11:48:15 nahuel postfix/cleanup[18085]: 653578CFB9: message-id=<BY2ACNMSB [EMAIL PROTECTED]>
May 16 11:48:16 nahuel postfix/qmgr[2166]: 653578CFB9: from=<[EMAIL PROTECTED]>, size=10459, nrcpt=1 (queue active)
May 16 11:48:16 nahuel amavis[18092]: (18092-05) loaded policy bank "MYNETS"
May 16 11:48:16 nahuel amavis[18092]: (18092-05) ESMTP::10024 /var/lib/amavis/amavis-20070516T114453-18092: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]> SIZE=10459 Received: from nahuel.biol.unlp.edu.ar ([127.0.0.1]) by localhost (nahuel.biol.unlp.edu.ar [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <[EMAIL PROTECTED]>; Wed, 16 May 2007 11:48:16 -0300 (ART)
May 16 11:48:16 nahuel amavis[18092]: (18092-05) Checking: tVqyWG7HIQ2H MYNETS [207.46.117.145] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
May 16 11:48:16 nahuel amavis[18092]: (18092-05) p003 1 Content-Type: multipart/alternative
May 16 11:48:16 nahuel amavis[18092]: (18092-05) p001 1/1 Content-Type: text/plain, size: 900 B, name:
May 16 11:48:16 nahuel amavis[18092]: (18092-05) p002 1/2 Content-Type: text/html, size: 7268 B, name:
May 16 11:48:16 nahuel postfix/smtpd[12083]: disconnect from unknown[207.46.117.145]
May 16 11:48:16 nahuel amavis[18092]: (18092-05) SPAM-TAG, <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Yes, score=7.328 tagged_above=-100 required=5 tests=[BAYES_99=3.5, BOTNET_NORDNS=0.5, FAKE_HELO_MSN=2.358, HTML_70_80=0.144, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.234, SARE_UNI=0.591]

I've obfuscated the user's name in the previous transcription. Apart from the BAYES_99 scoring, the server's IP doesn't resolve, so it got tagged as spam.

Here is what I got from dnsstuff.com:

IP address: 207.46.117.145
Reverse DNS: [No reverse DNS entry per cpipsdnsp01.phx.gbl.]
Reverse DNS authenticity: [Unknown]
ASN: 8075
ASN Name: MICROSOFT-CORP---MSN-AS-BLOCK
IP range connectivity: 2
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 207.46.0.0 to 207.46.255.255
Country fraud profile: Normal
City (per outside source): Redmond, Washington
Country (per outside source): US [United States]
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No
Link for WHOIS: 207.46.117.145

If I look for the server's supposed name, b03.alerts.msn.com, I get this:

No ALL records exist for b03.alerts.msn.com, and b03.alerts.msn.com does not exist. [Neg TTL=86400 seconds]

Any ideas on how to whitelist these?

Thanks,
Luix

--
-------------------------------------------------
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
-------------------------------------------------
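An added example, not part of the original post, showing the shape of a safe answer to the whitelisting question: since the sending host has no reverse DNS, a SpamAssassin whitelist_from_rcvd entry cannot match it, and a bare whitelist_from on the envelope sender would be trivially forgeable. The script below correlates the amavisd-new "Checking" and "SPAM-TAG" lines by task id and allows the sender only when the connecting IP falls inside the network the post reports for 207.46.117.145 (207.46.0.0/16). The log lines are constructed to match the format in the post; the sender/recipient addresses, the second (spoofed) task and the allowlisted network are assumptions, not data from the page.

```python
"""Correlate amavis 'Checking' and 'SPAM-TAG' log lines and apply an IP-scoped allowlist.

Added example, not from the original post. The allowlisted sender address and
the 207.46.0.0/16 range are assumptions taken from the post; the log lines are
constructed to match the amavisd-new format shown there.
"""
import ipaddress
import re

# Constructed sample log. Task 18092-05 mirrors the post (Microsoft IP, no rDNS);
# task 18092-06 is a constructed spoof of the same sender from an unrelated IP.
SAMPLE_LOG = """\
May 16 11:48:16 nahuel amavis[18092]: (18092-05) Checking: tVqyWG7HIQ2H MYNETS [207.46.117.145] <alerts@example.invalid> -> <user@example.invalid>
May 16 11:48:16 nahuel amavis[18092]: (18092-05) SPAM-TAG, <alerts@example.invalid> -><user@example.invalid>, Yes, score=7.328 tagged_above=-100 required=5 tests=[BAYES_99=3.5, BOTNET_NORDNS=0.5, FAKE_HELO_MSN=2.358, HTML_70_80=0.144, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.234, SARE_UNI=0.591]
May 16 12:03:40 nahuel amavis[18092]: (18092-06) Checking: Zq9x1KpLm2Ab MYNETS [198.51.100.7] <alerts@example.invalid> -> <user@example.invalid>
May 16 12:03:41 nahuel amavis[18092]: (18092-06) SPAM-TAG, <alerts@example.invalid> -> <user@example.invalid>, Yes, score=9.1 tagged_above=-100 required=5 tests=[BAYES_99=3.5, BOTNET_NORDNS=0.5, FAKE_HELO_MSN=2.358]
"""

# "(task) Checking: <mail-id> <policy-bank> [ip] <sender> -> <rcpt>"
CHECKING_RE = re.compile(
    r"\((?P<task>\d+-\d+)\) Checking: \S+ \S+ \[(?P<ip>[^\]]+)\] "
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
)
# "(task) SPAM-TAG, <sender> -> <rcpt>, Yes|No, score=... required=... tests=[...]"
SPAMTAG_RE = re.compile(
    r"\((?P<task>\d+-\d+)\) SPAM-TAG, <(?P<sender>[^>]*)> ->\s*<(?P<rcpt>[^>]*)>, "
    r"(?P<flag>Yes|No), score=(?P<score>-?\d+(?:\.\d+)?) tagged_above=\S+ "
    r"required=(?P<required>-?\d+(?:\.\d+)?) tests=\[(?P<tests>[^\]]*)\]"
)

# Allowlist keyed by envelope sender, scoped to the networks that sender may
# legitimately connect from. The range is the one the post reports for
# 207.46.117.145 (assumption; in production derive it from the sender's SPF).
ALLOWLIST = {
    "alerts@example.invalid": [ipaddress.ip_network("207.46.0.0/16")],
}


def parse_amavis(log: str) -> dict:
    """Return {task_id: record} with ip, sender, score, required and per-test scores."""
    records = {}
    for line in log.splitlines():
        m = CHECKING_RE.search(line)
        if m:
            rec = records.setdefault(m["task"], {})
            rec["ip"] = ipaddress.ip_address(m["ip"])
            rec["sender"] = m["sender"].lower()
            continue
        m = SPAMTAG_RE.search(line)
        if m:
            rec = records.setdefault(m["task"], {})
            rec["sender"] = m["sender"].lower()
            rec["score"] = float(m["score"])
            rec["required"] = float(m["required"])
            rec["tests"] = {
                name: float(val)
                for name, val in (t.split("=", 1) for t in m["tests"].split(", ") if t)
            }
    return records


def decide(rec: dict) -> str:
    """'allow' only for an allowlisted sender arriving from its own networks; else 'tag' or 'pass'."""
    nets = ALLOWLIST.get(rec.get("sender", ""), [])
    ip = rec.get("ip")
    if ip is not None and any(ip in net for net in nets):
        return "allow"          # sender and source network both match: trust it
    if rec.get("score", 0.0) >= rec.get("required", float("inf")):
        return "tag"            # over threshold, including a spoofed allowlisted sender
    return "pass"


def run(log: str) -> dict:
    """Map each amavis task id to its decision."""
    return {task: decide(rec) for task, rec in parse_amavis(log).items()}


if __name__ == "__main__":
    for task, verdict in run(SAMPLE_LOG).items():
        print(task, verdict)
```

The point of keying on the connecting IP rather than the sender address alone is that the BOTNET_NORDNS and FAKE_HELO_MSN hits in the post are exactly the signals a forger would also produce, so the only thing that separates the genuine alert from a phish using the same From: header is where the connection came from.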
