Jari Fredriksson wrote:
>
>>
>> The headers of the strange spam are:
>>
>> Return-path: <banach...@royalkoas.com>
>> Envelope-to: u...@host.co.uk
>> Delivery-date: Fri, 24 Jul 2009 11:12:38 +0800
>> Received: from [190.144.0.42] (helo=CWXNQKBTZ)
>> by s1.host.info with esmtp (Exim 4.67)
>> (envelope-from <banach...@royalkoas.com>)
>> id 1MUBD2-0002wE-2i
>> for u...@host.co.uk; Fri, 24 Jul 2009 11:12:38
>> +0800
>> Received: from 190.144.0.42 by red3.redtong.com; Thu, 23
>> Jul 2009 22:24:55 -0500
>> Message-ID: <000d01ca0c0e$50804720$6400a...@banacha55>
>> From: <u...@host.co.uk>
>> To: u...@host.co.uk
>> Subject: You have received an eCard
>> Date: Thu, 23 Jul 2009 22:24:55 -0500
>> MIME-Version: 1.0
>> Content-Type: multipart/mixed;
>> boundary="----=_NextPart_000_0006_01CA0C0E.50804720"
>> X-Priority: 3
>> X-MSMail-Priority: Normal
>> X-Mailer: Microsoft Outlook Express 6.00.2900.2180
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>>
>> The above email contained a .zip file.
>
>
> It apparently was never seen by SpamAssassin, if there were no X-Spam-*
> -headers.
>
> How you call SpamAssassin? Any whitelisting there, do you call
> SpamAssassin for your own mail? It seems the sender address is same as
> receiver address. Whitelisted somehow, and maybe not inspected by
> SpamAssassin?
>
This is the SPF record on the recipient domain:
"v=spf1 a mx ip4:216.108.227.20 ?all"
I'm thinking to change it to -all as I'm fairly sure that everyone is using
our mailserver to send mail on the domain. Do you think that might solve it?
Also, you're correct that the From: header is the same as the recipient
(obviously spoofed), but the envelope is from an external sender and also
the first Received: line acknowledges that it was received from an external
server and email address. Which line does it check the SPF record of, just
the spoofable From: or one of the others?
--
View this message in context:
http://www.nabble.com/Certain-spam-not-parsed-by-spamd%21-tp24638560p24640671.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
