On Sat, 2010-09-25 at 03:31 +0200, Karsten Bräckelmann wrote:
> On Fri, 2010-09-24 at 19:40 -0500, Chris wrote:
> > On Sat, 2010-09-25 at 01:07 +0200, Karsten Bräckelmann wrote:
> > > Ham!? PBL, SORBS DUL. Are you trying to use whitelisting to protect
> > > outgoing messages? Shouldn't you be using authenticated SMTP instead?
> >
> > No Karsten, this is incoming mail to my machine. I don't run a server,
> > this is straight from my ISP, picked up with fetchmail and processed
> > through procmail.
>
> Yeah, I was wondering about that like shortly after I sent the message.
> The "ham" got me confused, thinking it really was ham.
>
> > > Oh, and... Do you DKIM sign mail before scanning it with SA?
> >
> > No, as you can see here, my ISP adds the DKIM signature.
> >
> > http://pastebin.com/LqVtvjgM
>
> OK, wait. That sample is really an example showing the DKIM headers,
> sent by *you*. Right? It's authenticated.
>
> So, yeah, DKIM signing that one looks right.
>
> Begs the question why the phish that started this thread has been DKIM
> signed by your ISP, too. Seriously.
>
> Hmm, from your original pastebin:
>
> Authentication-Results: smtp03.embarq.synacor.com smtp.user=thewhedbees;
>   auth=pass (LOGIN)
> Received: from [201.216.4.186] ([201.216.4.186:4248] helo=User) by
>   mailrelay.embarq.synacor.com (envelope-from <al...@embarqmail.com>)
>   (ecelerity 2.2.2.40 r(29895/29896)) with ESMTPA id DB/9E-17249-7F22B9C4;
>   Thu, 23 Sep 2010 05:54:58 -0400
>
> So, this ALSO was an authenticated submission? And that's why your ISP
> signed it. Which would explain why it got whitelisted, no?
>
> Yup, *that* is how you do targeted phishing! Don't send from an outside
> machine, but crack an account or otherwise send from internal, trusted
> sources. It will make your phish look much more legit.

Question I have, and I'll have to ask in the embarq forum at DSLReports
(though I'll probably not get an answer, or the one I want), is how/why
did my ISP DKIM sign a message with a sender IP of 201.216.4.186, which
is in Bogota, Colombia?

--
Chris
KeyID 0xE372A7DA98E6705C
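
An added example, not part of the original thread or of SpamAssassin: a receiver-side check that reads the two headers quoted above, recognises an authenticated submission (the ESMTPA keyword and auth=pass), and flags it when the submitting client IP is outside the networks the account normally uses. The function name inspect_submission and the EXPECTED_NETS value are assumptions made for the illustration.

```python
import email
import ipaddress
import re

# Headers quoted in the thread; the envelope-from address is elided there.
SAMPLE = """\
Authentication-Results: smtp03.embarq.synacor.com smtp.user=thewhedbees;
  auth=pass (LOGIN)
Received: from [201.216.4.186] ([201.216.4.186:4248] helo=User) by
  mailrelay.embarq.synacor.com (envelope-from <al...@embarqmail.com>)
  (ecelerity 2.2.2.40 r(29895/29896)) with ESMTPA id DB/9E-17249-7F22B9C4;
  Thu, 23 Sep 2010 05:54:58 -0400

"""

# Assumption: networks this account normally submits from. Constructed
# value (RFC 5737 documentation range), not taken from the thread.
EXPECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# RFC 3848 "with" keywords that mean the client used SMTP AUTH.
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}

RECEIVED_RE = re.compile(
    r"from\s+\[(?P<ip>[0-9A-Fa-f.:]+)\].*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\S+)"
)

def inspect_submission(raw, expected_nets=EXPECTED_NETS):
    """Report whether a message was an authenticated submission and from where."""
    msg = email.message_from_string(raw)
    result = {"authenticated": False, "user": None, "client_ip": None,
              "relay": None, "unexpected_origin": False}
    # Unfold the header before matching; smtp.user only counts with auth=pass.
    ar = " ".join((msg.get("Authentication-Results") or "").split())
    user = re.search(r"smtp\.user=([^;\s]+)", ar)
    if user and re.search(r"\bauth=pass\b", ar):
        result["user"] = user.group(1)
    for hop in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(hop.split()))
        if not m or m.group("proto").upper() not in AUTH_PROTOCOLS:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address literal, skip this hop
        result.update(authenticated=True, client_ip=str(ip), relay=m.group("by"),
                      unexpected_origin=not any(ip in n for n in expected_nets))
        break
    return result
```

A result with authenticated and unexpected_origin both true is the case discussed in the thread: the ISP's DKIM signature then shows only that someone logged in to the account, so it should not by itself earn whitelist treatment.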