Re: pharmacy spam from RCVD_IN_DNSWL_MED?

Fri, 14 Mar 2008 20:30:26 -0700 

Bob Proulx wrote:

Matt Kettler wrote:
Wait.. Where is the Received: header generated by regret.prolux.com? or any other prolux.com server for that matter... 

'regret' is simply doing the spamassassin filtering for 'lists'.  The
mail will go through lists and never really have gone through regret.
But regret is a server that is classifying the mail out-of-band.


  

Looking at the headers, this message never left lists.gnu.org.

    


Right.  It came through a tunnel.  It came through the moderator
attachment of a moderator notification from Mailman.  Because of this
it is as if it never left lists.gnu.org.  In fact the message is still
there until I discard it or approve it.

I run moderator mail notifications of mail in the Mailman hold queue
through spamassassin and then discard mail classified as spam by SA.
It would be better if this were built directly into Mailman but I
don't have any ability to affect that at the moment and so running the
moderator message which is an exact copy of the message is a good
enough compromise.


  

Perhaps you've got a MTA header generation problem? Or did you 
intentionally censor that header out?
    


I just didn't include the entire configuration picture.



Ahh, that makes a lot more sense... With a really unusual config like 
this, it helps to point such things out.



So it looks like SA is doing the "right" thing, in that it assumes your 
network is gnu.org.. Since you're scanning on behalf of it, that's valid.



You might want to take it up with the DNSWL staff. However, this did 
come out of csail.mit.edu's registered mailservers (128.30.16.9 is in 
their SPF records, and the DNSWL listing of it is restricted to a single 
IP).



.edu's do occasionally have problems with spam output, but they're 
usually really fast to fix it, and generally have a lot of nonspam 
(although much of it garbage college-kid chat) output...



It also looks like this is a "mailing list that got spammed and is 
feeding your mailing list".



Note the message was sent to [EMAIL PROTECTED], which then 
relayed it to gnu.org. Does your list intentionally accept a feed from 
lists at mit?





























					Reply via email to