> Jari Fredriksson wrote:
>>
>>>
>>> The headers of the strange spam are:
>>>
>>> Return-path: <banach...@royalkoas.com>
>>> Envelope-to: u...@host.co.uk
>>> Delivery-date: Fri, 24 Jul 2009 11:12:38 +0800
>>> Received: from [190.144.0.42] (helo=CWXNQKBTZ)
>>>     by s1.host.info with esmtp (Exim 4.67)
>>>     (envelope-from <banach...@royalkoas.com>)
>>>     id 1MUBD2-0002wE-2i
>>>     for u...@host.co.uk; Fri, 24 Jul 2009 11:12:38 +0800
>>> Received: from 190.144.0.42 by red3.redtong.com; Thu, 23 Jul 2009 22:24:55 -0500
>>> Message-ID: <000d01ca0c0e$50804720$6400a...@banacha55>
>>> From: <u...@host.co.uk>
>>> To: u...@host.co.uk
>>> Subject: You have received an eCard
>>> Date: Thu, 23 Jul 2009 22:24:55 -0500
>>> MIME-Version: 1.0
>>> Content-Type: multipart/mixed;
>>>     boundary="----=_NextPart_000_0006_01CA0C0E.50804720"
>>> X-Priority: 3
>>> X-MSMail-Priority: Normal
>>> X-Mailer: Microsoft Outlook Express 6.00.2900.2180
>>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>>>
>>> The above email contained a .zip file.
>>
>>
>> It apparently was never seen by SpamAssassin, if there were no X-Spam-*
>> headers.
>>
>> How do you call SpamAssassin? Any whitelisting there, do you call
>> SpamAssassin for your own mail? It seems the sender address is the same as
>> the receiver address. Whitelisted somehow, and maybe not inspected by
>> SpamAssassin?
>>
>
> This is the SPF record on the recipient domain:
> "v=spf1 a mx ip4:216.108.227.20 ?all"
>
> I'm thinking of changing it to -all as I'm fairly sure that everyone is using
> our mailserver to send mail on the domain. Do you think that might solve it?
>
> Also, you're correct that the From: header is the same as the recipient
> (obviously spoofed), but the envelope is from an external sender and also
> the first Received: line acknowledges that it was received from an external
> server and email address. Which line does it check the SPF record of, just
> the spoofable From: or one of the others?
>
'It', the SpamAssassin, does not check anything. It is not called by your system. I do not know why that is so. There are no marks for SpamAssassin in the headers, so it was never called.
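An added example, not part of the thread: a small triage script run over the headers quoted above. It reports whether any X-Spam-* header is present and which domain an SPF check looks up, namely the envelope sender (Return-path), not the From: header, as RFC 7208 specifies. The function names are hypothetical, and the offline evaluator handles only `ip4` and `all`, treating `a` and `mx` as non-matching because they need DNS (an assumption).

```python
import ipaddress
from email import message_from_string

# Headers copied from the thread; the elided addresses are kept as posted.
RAW = """\
Return-path: <banach...@royalkoas.com>
Envelope-to: u...@host.co.uk
Received: from [190.144.0.42] (helo=CWXNQKBTZ)
\tby s1.host.info with esmtp (Exim 4.67)
\t(envelope-from <banach...@royalkoas.com>)
From: <u...@host.co.uk>
To: u...@host.co.uk
Subject: You have received an eCard

"""
# SPF record of the recipient domain, as quoted in the thread.
SPF_RECORD = "v=spf1 a mx ip4:216.108.227.20 ?all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def domain_of(addr):
    """Return the lower-cased domain part of a header address."""
    return addr.strip().strip("<>").rsplit("@", 1)[-1].lower()


def triage(raw):
    """Summarise what a filter would (or did) look at for this message."""
    msg = message_from_string(raw)
    return {
        # No X-Spam-* header means the message never passed through SpamAssassin.
        "scanned": any(k.lower().startswith("x-spam-") for k in msg.keys()),
        # SPF evaluates the envelope sender (MAIL FROM), recorded in Return-path.
        "spf_domain": domain_of(msg["Return-path"]),
        # The From: header is not an SPF identity and can differ freely.
        "from_domain": domain_of(msg["From"]),
    }


def spf_offline(record, client_ip):
    """Evaluate ip4 and all terms only; a/mx are skipped (no DNS, assumption)."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qual]
        if mech == "all":
            return QUALIFIERS[qual]
    return "neutral"


if __name__ == "__main__":
    print(triage(RAW))
    print(spf_offline(SPF_RECORD, "190.144.0.42"))
```

`spf_offline` shows what the host.co.uk record would return for a sender at 190.144.0.42 with `?all` versus `-all`, but that record is consulted only when the envelope sender is in host.co.uk. For the message above, `triage` reports royalkoas.com as the domain whose record an SPF check would fetch.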