On Mon, Apr 26, 2010 at 4:27 AM, Lucio Chiappetti
<lu...@lambrate.inaf.it> wrote:
> I have just found a new kind of spam which went through our spamassassin
> (actually it got a "banned" notification - we quarantine spam and virus but
> let banned be delivered).
>
> The subject was "Delivery reports about your e-mail", the apparent
> originator was From: "MAILER-DAEMON" <nore...@ourdomain>, the body was empty
> and there was a single attachment "transcript.zip".
>
> There are only two Received lines in the header as seen on my destination
> machine (I've edited out the local details):
>
> Received: from our_mx by my_machine for my_address
> Received: from ourdomain (localhost [113.167.75.53] (may be forged) by our_mx
>
> So it looks like the spammer connected directly to our mx (one of two),
> faking its name as our domain.

FWIW, outright blocking mail from hosts that use our domain name (or
even the ip address of one of our MXes) as their HELO has proven to be
a safe and efficient way to block some amount of junk.  Not too many
spammers try this, but when they do it makes things simple.

>
> To users it seems a strange mailer daemon message, since our mx are linux
> boxes and do not send zipped reports. So it is obvious spam.
>
> My question is: is it ok to feed it into the sa-learn crontab we use for
> spam which escapes spamassassin, or the way it is forged will cause problems
> (e.g. filtering legitimate mailer daemon reports ?)
>
>
> --
> ------------------------------------------------------------------------
> Lucio Chiappetti - INAF/IASF - via Bassini 15 - I-20133 Milano (Italy)
> ------------------------------------------------------------------------
> Citizens entrusted of public functions have the duty to accomplish them
> with discipline and honour
>                          [Art. 54 Constitution of the Italian Republic]
> ------------------------------------------------------------------------
> For more info : http://www.iasf-milano.inaf.it/~lucio/personal.html
> ------------------------------------------------------------------------
>
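The check described in the reply above (reject clients whose HELO name is our own domain or the IP of one of our MXs) can be applied at the MTA, but it is also useful to run the same policy over the Received: headers of mail that already got through, for instance to decide what a quarantine script should do. The following is an added example and not code from the list post or any MTA; the domain `example.org`, the MX addresses `192.0.2.10`/`192.0.2.11`, and the sample headers are all constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed policy values for this example (assumptions, not from the post):
# the domain we receive mail for and the public addresses of our own MX hosts.
OUR_DOMAIN = "example.org"
OUR_MX_IPS = {"192.0.2.10", "192.0.2.11"}

# Parses the leading "from <helo> (<rdns> [<ip>] (may be forged)) by <host>"
# clause of a Received: header as written by sendmail/Postfix-style MTAs.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\("
    r"(?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]\s*"
    r"(?P<forged>\(may be forged\))?\s*\)?\s*"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(header):
    """Return the HELO name, connecting IP and receiving host, or None."""
    m = RECEIVED_RE.match(" ".join(header.split()))  # unfold the header
    if not m:
        return None
    return {
        "helo": m["helo"].lower(),
        "ip": m["ip"],
        "by": m["by"].lower(),
        "mta_flagged_forged": m["forged"] is not None,
    }


def helo_claims_to_be_us(helo):
    """True if the client's HELO is our domain, a host in it, or one of our MX IPs."""
    name = helo.lower().strip("[]")
    if name == OUR_DOMAIN or name.endswith("." + OUR_DOMAIN):
        return True
    try:
        return str(ip_address(name)) in OUR_MX_IPS
    except ValueError:  # HELO is not an IP literal
        return False


def check_border_hop(received_headers):
    """Apply the HELO policy to the hop where the message entered our MX.

    Received: headers are listed newest-first, so the first one written by a
    host in our domain whose client is not one of our own MXs is the border
    hop.  Returns ("reject"|"accept", helo, ip), or ("unknown", None, None)
    when no parsable border hop is found.
    """
    for hdr in received_headers:
        hop = parse_received(hdr)
        if hop is None or not hop["by"].endswith(OUR_DOMAIN):
            continue
        if hop["ip"] in OUR_MX_IPS:
            continue  # internal relay between our own machines
        verdict = "reject" if helo_claims_to_be_us(hop["helo"]) else "accept"
        return (verdict, hop["helo"], hop["ip"])
    return ("unknown", None, None)


# Constructed sample messages, modelled on the header shape quoted in the post
# (newest hop first).  203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
FORGED_HELO_MSG = [
    "from mx1.example.org by mailstore.example.org for user@example.org",
    "from example.org (localhost [203.0.113.5] (may be forged)) by mx1.example.org with SMTP",
]
MX_IP_HELO_MSG = [
    "from [192.0.2.10] (unknown [198.51.100.7]) by mx2.example.org (Postfix) with ESMTP",
]
LEGIT_MSG = [
    "from mx1.example.org (mx1.example.org [192.0.2.10]) by mailstore.example.org with ESMTP",
    "from mail.partner.example (mail.partner.example [198.51.100.20]) by mx1.example.org with ESMTPS",
]

if __name__ == "__main__":
    for name, msg in (("forged-domain", FORGED_HELO_MSG),
                      ("forged-mx-ip", MX_IP_HELO_MSG),
                      ("legitimate", LEGIT_MSG)):
        print(name, check_border_hop(msg))
```

The policy deliberately looks only at the hop into one of our own MX hosts and skips internal relays, so a message that was handed from mx1 to the mail store is judged on the external client that spoke to mx1, not on mx1 itself. An MTA-written "(may be forged)" annotation is parsed and exposed but not required, since the HELO match alone is the signal the reply relies on.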
