Slightly OT: smf-sav milter

Kevin Miller Kevin_Miller at
Fri Dec 1 22:23:46 GMT 2006

I just posted the following to the smf-sav list, but thought I'd give
folks here a heads up too, since I know some are using smf-sav milter...

The spammers are up to their old tricks apparently.  I noticed this in
my logs today:

Nov 30 19:06:23 mx2 smf-sav[22911]: sender check succeeded:
<burlkevin_miller at>,,, [00:00:03]
Nov 30 19:06:24 mx2 smf-sav[22911]: recipient check failed:
<burlkevin_miller at>,,,
<burlkevin_miller at>, [00:00:00]

There are numerous entries where they use some phoney address as the
from=, which generally fail.  I guess they figured they'd have a better
chance of getting their spam through if they forged an address from my
domain, but configured their server to verify it.

There's nobody here called burlkevin_miller at (as
evidenced by the recipient check failing) so they must be configuring
their server to validate the address during the callback.  I'm not sure
how the callback works; apparently it just queries the server that is
attempting to send rather than looking up the valid mx servers in DNS
and querying them which might be a better way to do the sender
verifications.  I don't know what that would do to overhead or if it
would break any rules.

If the spammer used both a valid sender and recipient id their spam
would get through (although most likely it would then be caught by other
spam filters).  This may be a case of spam being reflected off a valid
domain instead of actually being targeted to me.  Who knows?

At any rate, it seems the spammers have figured out a way to spoof
sender verification.  It's a sure thing I don't have any email servers
in Asia...

Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500
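
Added example, not part of the original post: a Python sketch that scans smf-sav syslog output for the pattern described above, a local-domain address that passes the sender callback yet fails the recipient check on the same server. The domain, addresses, IPs and hostnames in the sample log are constructed, and the fields between the addresses are an assumption, since they are stripped in the archived log lines.

```python
import re

LOCAL_DOMAINS = {"example.org"}  # assumption: placeholder for your own mail domains

EVENT = re.compile(r"smf-sav\[\d+\]: (sender|recipient) check (succeeded|failed):(.*)")
ADDR = re.compile(r"<([^<>\s]+@[^<>\s]+)>")
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

def unwrap(lines):
    """Re-join log entries that were wrapped onto continuation lines."""
    entries = []
    for line in lines:
        if SYSLOG_START.match(line) or not entries:
            entries.append(line.rstrip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def forged_local_senders(lines, local_domains=LOCAL_DOMAINS):
    """Local-domain addresses that passed the sender callback but that
    this server rejects as recipients, i.e. they do not exist here."""
    passed_as_sender, unknown_locally = set(), set()
    for entry in unwrap(lines):
        m = EVENT.search(entry)
        if not m:
            continue
        kind, result, rest = m.groups()
        addrs = [a.lower() for a in ADDR.findall(rest)]
        # First address: the sender on "sender" lines, the recipient on
        # "recipient" lines. Other fields (assumed IP, hostname) are ignored.
        if not addrs or addrs[0].rsplit("@", 1)[1] not in local_domains:
            continue
        if kind == "sender" and result == "succeeded":
            passed_as_sender.add(addrs[0])
        elif kind == "recipient" and result == "failed":
            unknown_locally.add(addrs[0])
    return sorted(passed_as_sender & unknown_locally)

# Constructed sample log, wrapped the same way as the lines in the post.
SAMPLE_LOG = """\
Nov 30 19:06:23 mx2 smf-sav[22911]: sender check succeeded:
<nosuchuser@example.org>, 203.0.113.7, relay.example.net, [00:00:03]
Nov 30 19:06:24 mx2 smf-sav[22911]: recipient check failed:
<nosuchuser@example.org>, 203.0.113.7, relay.example.net,
<nosuchuser@example.org>, [00:00:00]
Nov 30 19:07:10 mx2 smf-sav[22911]: sender check failed: <fake@example.com>, 198.51.100.9, host.example.com, [00:00:01]
Nov 30 19:08:02 mx2 smf-sav[22911]: sender check succeeded: <alice@example.org>, 192.0.2.10, mail.example.org, [00:00:01]
"""

if __name__ == "__main__":
    print(forged_local_senders(SAMPLE_LOG.splitlines()))
```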
