How did this spam make it through?
Mike Kercher
mike at CAMAROSS.NET
Fri Mar 18 13:32:12 GMT 2005
I use milter-sender on my MX's and it catches these ploys:
Mar 18 07:15:36 avwall2 sendmail[5439]: j2IDFVLc005439: Milter:
from=<dfqqanre at mindless.com>, reject=550 5.7.1 HELO 207.44.250.10 claims to
be us 'avwall2.bladeware.com' [207.44.250.10], but the connection
[199.211.133.143] is not us
Mike
-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Jeff Falgout
Sent: Thursday, March 17, 2005 10:00 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: How did this spam make it through?
A user sent me a nasty-spam(tm) that made it through MS (headers below).
SA scored it a 24.772, but it was whitelisted. I've searched through all of
my whitelists and can find nothing related. What does have me baffled is
that the first Received line:
Received: from 206.247.49.30 ([219.144.239.84])
by ww11.co.jefferson.co.us (8.13.1/8.13.1) with SMTP id
j2HEXJ40003797;
206.247.49.30, which shows up as the hostname for 219.144.239.84 (I believe
I'm reading that correctly), is the ip address of the machine
ww11.co.jefferson.co.us - the primary MX.
Did this spam get whitelisted because it saw it's ip address somewhere in
the first Recieved line and thought it came from itself? How can I fix this
or is it a new technique?
Jeff
Return-path: <Doran at didamail.com>
Received: from ww11.co.jefferson.co.us [172.18.2.30]
by GC6.jefferson.co.us; Thu, 17 Mar 2005 07:34:17 -0700
Received: from 206.247.49.30 ([219.144.239.84])
by ww11.co.jefferson.co.us (8.13.1/8.13.1) with SMTP id
j2HEXJ40003797;
Thu, 17 Mar 2005 07:33:37 -0700
Message-Id: <200503171433.j2HEXJ40003797 at ww11.co.jefferson.co.us>
Received: from [108.94.24.232] by dutiful%DIGITS.beetle.219.144.239.84 via
HTTP; Thu, 17 Mar 2005 06:33:39 -0800
Reply-To: "boardermail.com" <Doran at didamail.com>
From: "boardermail.com" <Doran at didamail.com>
To: <llamprec at co.jefferson.co.us>
Subject: Here it is
Date: Thu, 17 Mar 2005 06:33:39 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--3842810193altf8696"
X-JeffCo-MailScanner-Information: Please contact the Help Desk for more
information
X-JeffCo-MailScanner: Found to be clean
X-JeffCo-MailScanner-SpamCheck: not spam (whitelisted),
SpamAssassin (score=24.722, required 4, autolearn=spam,
BAYES_50 0.00, DCC_CHECK 2.17, DNS_FROM_RFC_WHOIS 0.30,
MSGID_FROM_MTA_HEADER 0.05, MSGID_FROM_MTA_ID 1.72,
RCVD_HELO_IP_MISMATCH 2.18, RCVD_IN_BL_SPAMCOP_NET 1.22,
RCVD_IN_DSBL 1.00, RCVD_IN_XBL 3.08, RCVD_NUMERIC_HELO 1.25,
SOMETHING_FOR_ADULTS 0.01, UNRESOLVED_TEMPLATE 2.87,
URIBL_AB_SURBL 0.42, URIBL_OB_SURBL 3.21, URIBL_SBL 1.00,
URIBL_SC_SURBL 4.26)
X-MailScanner-From: doran at didamail.com
------------------------ MailScanner list ------------------------ To
unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and the
archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list