Everyone seems to be missing the forged HELO which (incorrectly) used
the IP address of the receiving machine.  This seems to have fooled both your
MTAs;  The critical headers are:

> > Received: from 61.32.186.51 by kukla (envelope-from <[EMAIL PROTECTED]>, uid 71) with qmail-scanner-1.24 

and

> > Received: from unknown (HELO 64.81.195.127) (61.32.186.51)

  where clearly the forged HELO (i.e. "(HELO 64.81.195.127)") caused qmail,
et al. to believe you were receiving from a trusted machine.

        This is a common trick - to try to pretend to be either the local
machine or another of your legitimate 'MX' hosts.  I don't know qmail well
enough to tell you the configuration fix, but you shouldn't be whitelisting
anything based on an unverified 'HELO' - Note the real IP address is readily
visible as 61.32.186.51.  Also, if RFC821 and RFC1822 were being enforced,
the message would have been rejected anyway (IP addresses are supposed to
*require* surrounding brackets - ex. [64.81.195.127] instead of a bare IP).

        In fact, you should probably be checking for any valid looking IP
addresses and applying extra tests in those cases (I could tell you how for
either sendmail or Postfix, but qmail or others are outside my own experience,
except for the many hours spent helping friends work around qmail bugs).

        Paul Shupak
        [EMAIL PROTECTED]
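The checks the post describes, as an added example that is not part of the original message or of qmail: parse the HELO argument and the real peer address out of a qmail-style `Received:` line, flag a bare (unbracketed) IP literal, flag a HELO that names an address other than the one that connected, and in particular flag a HELO that claims one of the site's own MTA/MX addresses from elsewhere. The whitelisting decision is then made on the peer address alone, never on the HELO. The sample headers and the `LOCAL_MX_IPS` set are constructed for the example (the first sample copies the shape of the header quoted above); the header layout assumed is qmail's `from <name> (HELO <helo>) (<peer>)`.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample headers (not taken from any real message). The first mirrors
# the shape of the qmail header quoted in the post: a bare IP in the HELO that
# happens to equal the receiving host's own address, while the real peer differs.
SAMPLE_RECEIVED = [
    "Received: from unknown (HELO 64.81.195.127) (61.32.186.51)",
    "Received: from unknown (HELO [64.81.195.127]) (61.32.186.51)",
    "Received: from mx2.example.net (HELO mx2.example.net) (198.51.100.7)",
    "Received: from unknown (HELO [198.51.100.7]) (198.51.100.7)",
]

# Hypothetical: addresses this site regards as its own MTA / MX hosts.
LOCAL_MX_IPS = {"64.81.195.127", "198.51.100.7"}

# Assumed qmail-style layout: "from <name> (HELO <helo>) (<peer-ip>)".
_RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+\S+\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+\((?P<peer>[^)]+)\)"
)


def parse_received(line: str) -> Optional[dict]:
    """Pull the HELO argument and the TCP peer address out of a qmail-style
    Received header. Returns None when the line does not have that shape."""
    m = _RECEIVED_RE.match(line)
    if not m:
        return None
    return {"helo": m.group("helo"), "peer": m.group("peer")}


def _as_ip(text: str):
    """Return an ip_address object if text is an IP, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def helo_findings(helo: str, peer: str, local_ips: set) -> list:
    """Return the reasons a HELO string should not be trusted, given the peer
    address the connection actually came from."""
    findings = []
    bracketed = helo.startswith("[") and helo.endswith("]")
    literal = _as_ip(helo[1:-1] if bracketed else helo)

    if literal is not None and not bracketed:
        # RFC 821 address literals must be written as [a.b.c.d]; a bare IP is
        # malformed and a strict MTA could reject the session on that alone.
        findings.append("bare-ip-literal")
    if literal is not None and str(literal) != peer:
        # The HELO names an address other than the one that connected.
        findings.append("helo-ip-mismatch")
    if literal is not None and str(literal) in local_ips and str(literal) != peer:
        # The trick from the post: claiming to be the receiving host or one of
        # its MX peers while connecting from somewhere else entirely.
        findings.append("impersonates-local-host")
    return findings


def is_trusted_peer(helo: str, peer: str, local_ips: set) -> bool:
    """Whitelisting decision that ignores HELO entirely: only the address the
    TCP connection came from counts."""
    return peer in local_ips


def audit(lines: list, local_ips: set) -> list:
    """Run every header through the checks; returns one record per line."""
    out = []
    for line in lines:
        parsed = parse_received(line)
        if parsed is None:
            out.append({"line": line, "parsed": False})
            continue
        out.append({
            "line": line,
            "parsed": True,
            "helo": parsed["helo"],
            "peer": parsed["peer"],
            "findings": helo_findings(parsed["helo"], parsed["peer"], local_ips),
            "trusted": is_trusted_peer(parsed["helo"], parsed["peer"], local_ips),
        })
    return out


if __name__ == "__main__":
    for rec in audit(SAMPLE_RECEIVED, LOCAL_MX_IPS):
        print(rec)
```

Running the block prints one record per sample: the forged header gets all three findings and is not trusted, the bracketed forgery still shows the mismatch and impersonation, and the two genuine headers from the local MX address are trusted purely because their peer address is local.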
