On 2011-06-14 Harry Lachanas (via Freemail) wrote:
> Just by looking at the headers "Return-Path", "From:" and  "To:"
> one can sense that the following is spam ...
> 
> ---------------------------------------------------------------------------------------------------
> Return-Path:<access...@ms29.hinet.net>
> X-Original-To: postmas...@example.com
> Delivered-To: postmas...@example.com
> Received: from localhost (unknown [127.0.0.1])
>         by mail.example.gr (Postfix) with ESMTP id D17E557547EC
>         for<postmas...@example.com>; Tue, 14 Jun 2011 00:39:48 +0300 (EEST)
> X-Virus-Scanned: Debian amavisd-new at mail.example.gr
> Received: from mail.example.gr ([127.0.0.1])
>         by localhost (mail.example.gr [127.0.0.1]) (amavisd-new, port 10024)
>         with LMTP id yHroNA2goYHC for<postmas...@example.com>;
>         Tue, 14 Jun 2011 00:39:40 +0300 (EEST)
> Received: from [186.194.3.66] (unknown [186.194.3.66])
>         by mail.example.gr (Postfix) with ESMTP id 7567357547E2
>         for<postmas...@example.com>; Tue, 14 Jun 2011 00:39:39 +0300 (EEST)
> Received: from [95.53.111.119] (helo=uvthdjg.mnghdffxosiys.net)
>         by  with esmtpa (Exim 4.69)
>         (envelope-from )
>         id 1MMI1H-7816uo-2U
>         for postmas...@example.com; Mon, 13 Jun 2011 18:39:39 -0300
> From:<postmas...@example.com>
> To:<postmas...@example.com>
> Subject: Re: CV 54
> ---------------------------------------------------------------------------------------------------
> a) helo host uvthdjg.mnghdffxosiys.net does not have an IP

<http://www.postfix.org/postconf.5.html#reject_unknown_helo_hostname>

> b) rdns for 95.53.111.119 gives
>    pppoe.95-53-111-119.dynamic.lenobl.avangarddsl.ru

This might be covered by Stan Hoeppner's PCRE for dynamic IP ranges:

<http://www.hardwarefreak.com/fqrdns.pcre>

> c) Envelope sender, i.e. "return path", is different from the From: header

That is not a valid indicator for spam. Take a look at arbitrary
messages you received from this list.

> d) from: and to: headers are pretending to be postmaster @ my domain.

You could use a milter to check if From: == To: and the address is from
your domain(s), but AFAIK Postfix does not have a built-in check for
this.

I would, however, blacklist any client who sends spam to a postmaster
address.

HTH

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
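The two checks the reply suggests for points (b) and (d), the dynamic-rDNS pattern match and the "From: equals To: in my own domain" milter logic, written out as a small Python filter. This is an added example and not code from either poster, from Postfix, or from fqrdns.pcre; the patterns, the LOCAL_DOMAINS set and the sample message are constructed assumptions for illustration.

```python
"""Score a message on two heuristics from the thread:
   (b) the connecting client's reverse DNS looks like a dynamic/residential pool
   (d) From: and To: are identical and both sit in one of our own domains.
Added example; not Postfix, amavisd or fqrdns.pcre code."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this mail server considers local.
LOCAL_DOMAINS = {"example.com"}

# Constructed, deliberately small patterns in the spirit of a dynamic-range
# PCRE map. The real fqrdns.pcre is far longer; these are illustrative only.
DYNAMIC_RDNS_PATTERNS = [
    re.compile(r"^pppoe[.-]", re.I),                       # pppoe.<ip>...
    re.compile(r"(^|[.-])dynamic([.-]|$)", re.I),          # ...dynamic...
    re.compile(r"(^|[.-])dsl([.-]|$)", re.I),              # ...dsl...
    re.compile(r"^(\d{1,3}[.-]){3}\d{1,3}[.-]"),          # leading dotted/dashed IP
]


def is_dynamic_rdns(hostname):
    """True if the client's PTR name matches one of the dynamic-pool patterns."""
    return any(p.search(hostname) for p in DYNAMIC_RDNS_PATTERNS)


def from_equals_to_in_local_domain(raw_message):
    """The milter-style check from point (d): From: == To: and the address
    belongs to one of our own domains. Display names are ignored; only the
    address part is compared, case-insensitively."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    if not from_addr or not to_addr:
        return False
    from_addr, to_addr = from_addr.lower(), to_addr.lower()
    if from_addr != to_addr:
        return False
    domain = from_addr.rpartition("@")[2]
    return domain in LOCAL_DOMAINS


def classify(raw_message, client_rdns):
    """Return the list of reasons the message looks suspicious (empty = clean)."""
    reasons = []
    if is_dynamic_rdns(client_rdns):
        reasons.append("client rDNS looks dynamic: " + client_rdns)
    if from_equals_to_in_local_domain(raw_message):
        reasons.append("From: equals To: and both are in a local domain")
    return reasons


# Constructed sample resembling the headers quoted in the thread.
SAMPLE_MESSAGE = """From: <postmaster@example.com>
To: <postmaster@example.com>
Subject: Re: CV 54

(body omitted)
"""

if __name__ == "__main__":
    for reason in classify(SAMPLE_MESSAGE,
                           "pppoe.95-53-111-119.dynamic.lenobl.avangarddsl.ru"):
        print("suspicious:", reason)
```

Note that point (c), envelope sender differing from the From: header, is intentionally not scored here, for the reason given in the reply: it is normal for list mail and forwarded mail and would produce false positives.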
