Slightly OT: smf-sav milter

Kevin Miller Kevin_Miller at ci.juneau.ak.us
Fri Dec 1 22:23:46 GMT 2006


I just posted the following to the smf-sav list, but thought I'd give
folks here a heads up too, since I know some are using smf-sav milter...

===========
The spammers are up to their old tricks apparently.  I noticed this in
my logs today:

-------------------------------------------------
Nov 30 19:06:23 mx2 smf-sav[22911]: sender check succeeded: <burlkevin_miller at ci.juneau.ak.us>, 124.120.38.30, ppp-124.120.38.30.revip2.asianet.co.th, [00:00:03]
Nov 30 19:06:24 mx2 smf-sav[22911]: recipient check failed: <burlkevin_miller at ci.juneau.ak.us>, 124.120.38.30, ppp-124.120.38.30.revip2.asianet.co.th, <burlkevin_miller at ci.juneau.ak.us>, [00:00:00]
-------------------------------------------------

There are numerous entries where they use some phoney address as the
from=, which generally fail.  I guess they figured they'd have a better
chance of getting their spam through if they forged an address from my
domain, but configured their server to verify it.

There's nobody here called burlkevin_miller at ci.juneau.ak.us (as
evidenced by the recipient check failing), so they must be configuring
their server to validate the address during the callback.  I'm not sure
how the callback works; apparently it just queries the server that is
attempting to send rather than looking up the valid MX servers in DNS
and querying them, which might be a better way to do the sender
verifications.  I don't know what that would do to overhead or if it
would break any rules.

If the spammer used both a valid sender and recipient ID, their spam
would get through (although most likely it would then be caught by other
spam filters).  This may be a case of spam being reflected off a valid
domain instead of actually being targeted to me.  Who knows?

At any rate, it seems the spammers have figured out a way to spoof
sender verification.  It's a sure thing I don't have any email servers
in Asia...

...Kevin
-- 
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500
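
A log check for the pattern described in the post above, as an added example that is not part of the original message or of smf-sav: it flags own-domain sender addresses that passed the sender check from an outside client, and marks them as spoofed when the same address also failed the recipient check. It assumes one unwrapped smf-sav entry per line in the layout quoted in the post; LOCAL_DOMAIN, LOCAL_NETS and the sample lines are constructed placeholders.

```python
import ipaddress
import re

# Assumptions, not from the post: our mail domain and our own server networks.
LOCAL_DOMAIN = "example.org"
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# One smf-sav entry per unwrapped syslog line, in the layout quoted in the post.
LINE = re.compile(
    r"smf-sav\[\d+\]: (?P<kind>sender|recipient) check (?P<result>succeeded|failed): "
    r"<(?P<sender>[^>]*)>, (?P<ip>[0-9A-Fa-f.:]+), [^,\s]+,(?: <(?P<rcpt>[^>]*)>,)? \[")

def is_local_addr(addr):
    return addr.lower().endswith("@" + LOCAL_DOMAIN)

def is_local_ip(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False  # unparsable client address: treat as outside
    return any(ip in net for net in LOCAL_NETS)

def classify(lines):
    """Map (sender, client_ip) to 'callback-spoofed' (address also failed the
    recipient check, so it does not exist here) or 'review' (verified only)."""
    verified, nonexistent = set(), set()
    for line in lines:
        m = LINE.search(line.replace(" at ", "@"))  # undo list-archive obfuscation
        if not m:
            continue
        if m["kind"] == "recipient" and m["result"] == "failed":
            rcpt = (m["rcpt"] or "").lower()
            if is_local_addr(rcpt):
                nonexistent.add(rcpt)  # per the post: no such local user
        elif m["kind"] == "sender" and m["result"] == "succeeded":
            if is_local_addr(m["sender"]) and not is_local_ip(m["ip"]):
                verified.add((m["sender"].lower(), m["ip"]))
    return {k: ("callback-spoofed" if k[0] in nonexistent else "review") for k in verified}

# Constructed sample lines (documentation domains and address ranges).
SAMPLE = [
    "Nov 30 19:06:23 mx2 smf-sav[22911]: sender check succeeded: <burlalice@example.org>, 203.0.113.30, ppp-30.dialup.example.net, [00:00:03]",
    "Nov 30 19:06:24 mx2 smf-sav[22911]: recipient check failed: <burlalice@example.org>, 203.0.113.30, ppp-30.dialup.example.net, <burlalice@example.org>, [00:00:00]",
    "Nov 30 19:07:01 mx2 smf-sav[22911]: sender check failed: <nobody@example.com>, 198.51.100.7, host7.example.com, [00:00:01]",
    "Nov 30 19:08:10 mx2 smf-sav[22911]: sender check succeeded: <alice@example.org>, 192.0.2.10, mail.example.org, [00:00:00]",
    "Nov 30 19:09:42 mx2 smf-sav[22911]: sender check succeeded: <bob@example.org>, 198.51.100.9, relay.example.net, [00:00:02]",
]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A "review" verdict only means an own-domain sender was verified for an outside client; whether that is legitimate depends on local policy.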
 

