On Mon, 2012-07-09 at 20:13 +0100, James Wilkinson wrote: > Errol Mangwiro wrote: > > Does anyone know of a way I can tighten fake sender policies & prevent > > this from occuring again? > > Heinz Diehl wrote: > > You can't prevent people from faking the From: header. > > But you can detect those fakes. > > Bounces should be sent to the SMTP envelope FROM address, not the > address in the header. (For example, once this message has gone through > the fedoraproject.org servers, it will have an SMTP FROM address of > users-bounces@xxxxxxxxxxxxxxxxxxxxxxx , so mailman should get any > bounces, but it will still have > From: James Wilkinson <fedora@xxxxxxxxxxxxxxxxxx> > up there, so you lucky people can reply to me. > > BATV is a technique for rewriting the SMTP FROM address to include a > cryptographic token that is unique to that email. Any bounces including > one of those tokens must at least have seen that email; any bounces to > the plain address must therefore have been sent in reply to something > that didn’t go through your servers. > > BATV isn’t perfect, or at least, the rest of the Internet isn’t perfect. > It does things according to specs in ways some things don’t expect. It > also does require that all your outgoing email goes through > BATV-rewriting servers. > > Alternatively, SpamAssassin has rules to detect bounces. A competent > mail filtering program should be able to filter all bounces into a > separate folder. > > > Any spamfilter > > or network admin who tags email as spam according to From: is a moron. > > Now that I would dispute: if the email purports to come from a known > spammer, then I don’t see why I shouldn’t gleefully reject or sort their > email accordingly! > > You could compare it to an identity thief who stole the identity of > a known terrorist and flew into Washington, London or Jerusalem under > that identity. > > Hope this helps, > > James. I've been getting lots of spam with subjects like: Message for postmaster For postmaster To postmaster Message for root For root Message for uucp For uucp For daemon etc., etc., etc. Spamassassin scores them above my threshold score so they all are rejected with smtp error 540. Also, here's another spam pattern I see daily. This is from the log file that my spam filter writes out: envelope-to: mcallman@xxxxxxxxxxxx envelope-to-R: rfc822;mcallman@xxxxxxxxxxxx from: "Canadian Pharmacy" f.svcxzu@xxxxxxxxx envelope-from: f.svcxzu@xxxxxxxxx subject: Pharmacy Store : <ED Med 1> + <ED Med 2> ! received-name: p4FDDCEE6.dip.t-dialin.net received-addr: 79.221.206.230 envelope-recd: dns; p4FDDCEE6.dip.t-dialin.net ([::ffff:79.221.206.230]) I've replaced the actual drug names with "<ED Med>" just in case anyone else blocks anything coming in with those names. The "received-name" and "received-addr" are the parsed values from the first "Received:" header. I'd reject this e-mail on the contents of the "from" line only, or due to the subject line only, or due to the fact that they say they're a yahoo.com e-mail but the box that handed my server the e-mail wasn't a yahoo.com server (and this isn't from a yahoo groups mailing list -- no "list ID" header). I've recorded in my system around 45k unique IP addresses over the past 18 months that have tried to send me spam. Spammers are always trying something new. Mark C. Allman, PMP, CSM Founder, See How You Ski Allman Professional Consulting, Inc., www.allmanpc.com 617-947-4263, Twitter: @allmanpc -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org