I'm being DoSed from 70.33.76.131: six to nine copies of each
message, same sender, same recipient, then on to the next
non-existent recipient name. The spam engine spoofs its HELO
as an MTA for the recipient's domain, and the sender address is
spoofed to look like a user in the same domain as the recipient.
It's all "security alert", "last warning", "account cancelled"
with zip attachments containing .scr trojans.
If they claim in HELO to be an MTA on our turf and
they're not in our SPF records, their payload
must be spam or a virus. These are viruses, so
I should deny them, but I hate to waste good
spam...
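# HELO-spoof check layered on top of the SPF result.
#
# The spf plugin is expected to have stored a Mail::SPF::Query object in the
# transaction note 'spfquery'.  When the MAIL FROM domain hard-fails SPF *and*
# the HELO name claims to be one of our own hosts, the peer is impersonating
# us: either deny it ($config->{spfdeny} set) or accept it but divert the
# recipient to honeypot@<me> so the sample is kept.  Hosts/senders flagged by
# the 'whitelisthost' / 'whitelistsender' notes (presumably set by a whitelist
# plugin) are exempt.
#
# $self, $transaction, $recipient and $config come from the enclosing hook.
my $spf_query = $transaction->notes( 'spfquery' ) ;

# result2() returns ( result, smtp_comment, header_comment, ... ); keep only
# the result.  Written as a plain if rather than "my (...) = ... if COND",
# whose behaviour is undefined in Perl.
my $spf ;
if ( $spf_query ) {
    ( $spf ) = $spf_query->result2( $recipient->address ) ;
}

# TODO(review): only a hard 'fail' is acted on.  A 'softfail' combined with a
# HELO in our own domain is arguably just as suspicious; decide whether it
# should be included.
if ( $spf and $spf eq 'fail' ) {
    my $helo = lc $self->qp->connection->hello_host ;

    # Names we answer to: the 'me' host and every rcpthosts line.  Entries
    # beginning with '.' are domain suffixes (".example.com").
    my @our_hosts = ( $self->qp->config( "me" ) ,
                      $self->qp->config( "rcpthosts" ) ) ;

    # morercpthosts is a hash keyed by domain (that is how it was looked up
    # before), so the key lookup itself is the test.  Previously the looked-up
    # *value* was appended to the host list; that value is not a host name
    # (and is undef for any unknown HELO), so morercpthosts never matched and
    # only produced "uninitialized value" warnings.
    my $more_rcpt_hosts = $self->qp->config( 'morercpthosts' , 'map' ) ;
    my $spoofus = ( $more_rcpt_hosts and exists $more_rcpt_hosts->{ $helo } ) ? 1 : 0 ;

    HOST:
    for my $host ( @our_hosts ) {
        next HOST unless defined $host ;
        $host =~ s/^\s*(\S+)/$1/ ;          # drop leading whitespace
        $host = lc $host ;
        next HOST if $host eq '' ;          # blank config line
        if ( $helo eq $host ) {
            $spoofus = 1 ;
            last HOST ;
        }
        # \z instead of $ so a stray trailing newline cannot defeat the suffix match
        if ( substr( $host , 0 , 1 ) eq "." and $helo =~ m/\Q$host\E\z/ ) {
            $spoofus = 1 ;
            last HOST ;
        }
    }

    my $spfdeny = $config->{spfdeny} ;
    if ( $spoofus
         and not $self->qp->connection->notes( 'whitelisthost' )
         and not $transaction->notes( 'whitelistsender' ) ) {
        if ( $spfdeny ) {
            # Log the rejection as well; only the honeypot path was logged before.
            $self->log( LOGINFO , "ldap_ok - denying: SPF fail and HELO '$helo' claims to be us" ) ;
            return ( $spfdeny , "you are SPooFing me" ) ;
        }
        $self->log( LOGDEBUG , "ldap_ok - SPooF me pot you" ) ;
        $recipient->address( "honeypot" . '@' . $self->qp->config( "me" ) ) ;
        # Keep the reply on one line: the original literal carried an embedded
        # newline, which produces a malformed SMTP response.
        # NOTE(review): per RFC 3463, X.5.2 means "syntax error"; 2.1.5
        # ("destination address valid") would be the conventional success
        # code -- confirm before changing the text.
        return ( OK , "2.5.2. SPF says you are not me but will attempt delivery" ) ;
    }
}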
-Bob Dodds