> On Mar 9, 2026, at 1:40 PM, Fred Morris via Postfix-users <[email protected]> wrote:
>
> Yes.
>
> On Mon, 9 Mar 2026, Dan Mahoney via Postfix-users wrote:
>> [...]
>>
>> Return-Path: <[email protected]>
>>
>> Received: from server-623641.inespre.gob.do (server-623641.inespre.gob.do
>> [50.6.199.138])
>>
>> Does postfix have a knob to just let me block any server with any fully
>> qualified RDNS of *.gob.do, if this is the kind of thing that they're
>> letting happen? (Versus blocking the sender/recipient, or an IP block?)
>
> You're mixing categories there, Dan. Return-Path: is the envelope sender;
> that is MAIL FROM, right? Received: is client.
I am aware. But the point of including that was to show that this wasn't completely spoofed -- return-path is likely coming from a compromised user-account and thus captured into the data. (The sender doesn't particularly seem to "care" about spoofing the reported hostname, as he isn't setting a From-Header value different to this domain. Nobody said the sender is "smart".)

That said, on a compromised machine, spoofing this is trivial. Telnet tells me this is an Exim box, so this points to compromised and widely-shared UID/auth credentials, picked up in a data breach. Good enough for gobernment work.

That said, this is a Dominican Republic government entity (Instituto Nacional de Estabilización de Precios), and one would think they'd at least grok abuse@ reports, as I've been sending with Spamcop. (I don't guess they'd be reading Mailop.)

At this point, there's a fine line here between "state-sponsored attack" and "state-being-clueless-and-taking-no-action-and-enabling attack".

-Dan

_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
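Postfix does have the knob asked about in the quoted message: an access map consulted for the client's reverse hostname, which matches the whole `*.gob.do` name space from a single entry. The fragment below is an added configuration example, not something posted in the thread; the table path and the reject text are assumptions.

```conf
# /etc/postfix/main.cf (fragment; added example, not from the thread)
# check_reverse_client_hostname_access matches the client's PTR name even when
# forward-confirmed reverse DNS fails. check_client_access would not help here:
# a client whose name does not verify is seen by it as "unknown", so the gob.do
# name would never be compared.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_reverse_client_hostname_access hash:/etc/postfix/client_rdns_access,
    permit

# /etc/postfix/client_rdns_access  (assumed path; build with
#   postmap /etc/postfix/client_rdns_access  and then  postfix reload)
# With the default parent_domain_matches_subdomains, which includes
# smtpd_access_maps, a bare "gob.do" key also matches
# server-623641.inespre.gob.do and every other name under gob.do.
# Note this also refuses the domain's legitimate mail servers; the same table
# is consulted for the client IP and its parent networks, so a narrower
# address-based entry can sit beside the hostname entry instead.
gob.do      REJECT mail from gob.do hosts is not accepted here
```

With smtpd_delay_reject at its default of yes the rejection is applied at RCPT TO and logged by smtpd with the reject text above, which is what to watch for when checking that the rule fires.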
