Re: OT: Spam Problems

On Mon, 2012-07-09 at 20:13 +0100, James Wilkinson wrote:
> Errol Mangwiro wrote: 
> > Does anyone know of a way I can tighten fake sender policies & prevent
> > this from occurring again?
> 
> Heinz Diehl wrote:
> > You can't prevent people from faking the From: header.
> 
> But you can detect those fakes.
> 
> Bounces should be sent to the SMTP envelope FROM address, not the
> address in the header. (For example, once this message has gone through
> the fedoraproject.org servers, it will have an SMTP FROM address of
> users-bounces@xxxxxxxxxxxxxxxxxxxxxxx , so mailman should get any
> bounces, but it will still have
> From: James Wilkinson <fedora@xxxxxxxxxxxxxxxxxx>
> up there, so you lucky people can reply to me.
> 
> BATV is a technique for rewriting the SMTP FROM address to include a
> cryptographic token that is unique to that email. Any bounces including
> one of those tokens must at least have seen that email; any bounces to
> the plain address must therefore have been sent in reply to something
> that didn’t go through your servers.
> 
> BATV isn’t perfect, or at least, the rest of the Internet isn’t perfect.
> It does things according to specs in ways some things don’t expect. It
> also does require that all your outgoing email goes through
> BATV-rewriting servers.
> 
> Alternatively, SpamAssassin has rules to detect bounces. A competent
> mail filtering program should be able to filter all bounces into a
> separate folder.
> 
> > Any spamfilter
> > or network admin who tags email as spam according to From: is a moron.
> 
> Now that I would dispute: if the email purports to come from a known
> spammer, then I don’t see why I shouldn’t gleefully reject or sort their
> email accordingly!
> 
> You could compare it to an identity thief who stole the identity of
> a known terrorist and flew into Washington, London or Jerusalem under
> that identity.
> 
> Hope this helps,
> 
> James.

I've been getting lots of spam with subjects like:
    Message for postmaster
    For postmaster
    To postmaster
    Message for root
    For root
    Message for uucp
    For uucp
    For daemon
    etc., etc., etc.

Spamassassin scores them above my threshold score so they all are
rejected with smtp error 540.

Also, here's another spam pattern I see daily.  This is from the log
file that my spam filter writes out:

  envelope-to: mcallman@xxxxxxxxxxxx
envelope-to-R: rfc822;mcallman@xxxxxxxxxxxx
         from: "Canadian Pharmacy" f.svcxzu@xxxxxxxxx
envelope-from: f.svcxzu@xxxxxxxxx
      subject: Pharmacy Store : <ED Med 1> + <ED Med 2> !
received-name: p4FDDCEE6.dip.t-dialin.net
received-addr: 79.221.206.230
envelope-recd: dns; p4FDDCEE6.dip.t-dialin.net ([::ffff:79.221.206.230])

I've replaced the actual drug names with "<ED Med>" just in case anyone
else blocks anything coming in with those names.  The "received-name"
and "received-addr" are the parsed values from the first "Received:"
header.  I'd reject this e-mail on the contents of the "from" line only,
or due to the subject line only, or due to the fact that they say
they're a yahoo.com e-mail but the box that handed my server the e-mail
wasn't a yahoo.com server (and this isn't from a yahoo groups mailing
list -- no "list ID" header).  

I've recorded in my system around 45k unique IP addresses over the past
18 months that have tried to send me spam.  Spammers are always trying
something new.

Mark C. Allman, PMP, CSM
Founder, See How You Ski
Allman Professional Consulting, Inc., www.allmanpc.com
617-947-4263, Twitter:  @allmanpc


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
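As an added illustration, not code from this thread or from any existing BATV implementation, here are the two checks discussed above in one script: the BATV-style envelope-sender token James describes (prvs tag layout as in the BATV draft; the HMAC key, 30-day acceptance window and 7-day lifetime are assumed policy), and Mark's comparison of the claimed From: domain against the host that handed over the message, parsed from a log record in the same layout as his excerpt (the record, domains and address are constructed placeholders).

```python
import hashlib, hmac, re
from datetime import date

# BATV "prvs" tag (draft-levine-smtp-batv layout): prvs=KDDDSSSSSS=user@domain
# K = key number, DDD = expiry day (days since 1970-01-01 mod 1000), SSSSSS = 6 hex digits of an HMAC.
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$")
MAX_LIFETIME = 30   # assumed local policy: tags further in the future than this are treated as expired

def _today():
    return (date.today() - date(1970, 1, 1)).days

def _sig(key, keynum, expday, addr):
    return hmac.new(key, f"{keynum}{expday:03d}{addr}".encode(), hashlib.sha256).hexdigest()[:6]

def batv_sign(addr, key, keynum=0, lifetime=7, today=None):
    """Rewrite the envelope sender so each outgoing message carries a unique, expiring token."""
    expday = ((_today() if today is None else today) + lifetime) % 1000
    return f"prvs={keynum}{expday:03d}{_sig(key, keynum, expday, addr)}={addr}"

def batv_verify(rcpt, key, today=None):
    """Classify the RCPT TO of an incoming bounce; only 'valid' ones refer to mail we actually sent."""
    m = PRVS_RE.match(rcpt)
    if not m:
        return "untagged", rcpt   # bounce to the plain address: reply to mail that never left our servers
    keynum, expday, sig, addr = int(m[1]), int(m[2]), m[3], m[4]
    if not hmac.compare_digest(sig, _sig(key, keynum, expday, addr)):
        return "bad-signature", addr
    if (expday - (_today() if today is None else today)) % 1000 > MAX_LIFETIME:
        return "expired", addr
    return "valid", addr

# Constructed sample in the layout of the filter log quoted above (placeholder domains and address).
SAMPLE_RECORD = """
  envelope-to: user@example.org
         from: "Canadian Pharmacy" f.svcxzu@webmail.example
envelope-from: f.svcxzu@webmail.example
received-name: p4FDDCEE6.dip.isp.example
received-addr: 192.0.2.10
"""

def from_host_mismatch(record):
    """Parse one log record; report (From: domain, delivering host, True if the host is not in that domain)."""
    fields = {}
    for line in record.strip().splitlines():
        k, _, v = line.strip().partition(":")
        fields[k.strip()] = v.strip()
    m = re.search(r"@([\w.-]+)", fields.get("from", ""))
    from_domain = m.group(1).lower() if m else ""
    host = fields.get("received-name", "").lower()
    return from_domain, host, not (host == from_domain or host.endswith("." + from_domain))
```

An "untagged" result is the case James's point rests on: a bounce addressed to the plain sender can only be backscatter from a forged message, while a webmail From: delivered by an unrelated dial-up host is the pattern Mark rejects on.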