On 7/4/19 2:28 PM, RW wrote:
> On Thu, 4 Jul 2019 19:11:43 +0000
> David Jones wrote:
> 
>> Just had a compromised account on one of my customer's mail servers
>> (96.4.156.21) try to blast out phishing email.  This 96.4 IP is our
>> customer space so it's in my trusted_networks since it will not forge
>> the Received header.
> 
> This is nothing to do with ehlo, it hit ALL_TRUSTED because it's
> authenticated mail submission into the trusted network.
> 

Thank you for this information.

It seems like authenticated mail submission should only apply to 
internal_networks and not extend out to the trusted_networks.

I trust the 96.4.165.21 mail server to not forge the Received headers 
but compromised accounts happen.

Is there another way to accomplish checking the 88.233 IP as the 
last-external without stripping off the "A" in ESMTPA at the MTA before 
SA sees it?

>> The 88.233 IP is from Turkey (88.233.47.16.dynamic.ttnet.com.tr) and
>> should have triggered a number of rules based on the RelayCountry
>> plugin.
>>
>> This email should not have hit ALL_TRUSTED and should have done
>> RelayCountry and ASN lookups on 88.233.47.16.
>>
>>
>> Received: from mail.lced.net (mail.lced.net [96.4.156.2])
>>        by smtp5i.ena.net (Postfix) with ESMTP id DF9421480F90
>>        for <brookeandj...@eastlink.ca>; Thu, 4 Jul 2019 12:56:42 -0500 (CDT)
>> Received: from 192.168.1.2 (unknown [88.233.47.16])
>>        by mail.lced.net (Postfix) with ESMTPA id 8F22630961D6D
>>        for <brookeandj...@eastlink.ca>; Thu, 4 Jul 2019 12:56:40 -0500 (CDT)
>>
>>

-- 
David Jones
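A small model of the trust-path walk RW describes, added here as an illustration (it is not SpamAssassin's code and not from the thread): it parses the two Received headers quoted above, treats the 96.4.0.0/16 customer space as trusted_networks, and shows that honouring the "A" in ESMTPA leaves no external relay (ALL_TRUSTED), while ignoring it makes 88.233.47.16 the last-external. The header text and the /16 netmask are constructed from the thread for the example.

```python
import ipaddress
import re

# Constructed sample: the two Received headers from the thread, unfolded onto
# one line each (newest hop first, as SpamAssassin reads them).
RECEIVED = [
    "from mail.lced.net (mail.lced.net [96.4.156.2]) by smtp5i.ena.net "
    "(Postfix) with ESMTP id DF9421480F90",
    "from 192.168.1.2 (unknown [88.233.47.16]) by mail.lced.net "
    "(Postfix) with ESMTPA id 8F22630961D6D",
]

# Assumed trusted_networks: the customer's 96.4 space mentioned in the thread.
TRUSTED_NETWORKS = [ipaddress.ip_network("96.4.0.0/16")]

AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA"}  # SMTP AUTH was used on this hop
HOP_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\].*?\bwith\s+(\S+)")


def parse_hop(header):
    """Return (client_ip, protocol) for one Received header, or None."""
    m = HOP_RE.search(header)
    if not m:
        return None
    return ipaddress.ip_address(m.group(1)), m.group(2).upper()


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETWORKS)


def last_external(headers, auth_extends_trust=True):
    """Walk hops newest-first and return the first client IP outside the
    trust boundary as a string, or None when every hop is trusted.

    With auth_extends_trust, an authenticated submission into a trusted
    relay is treated as trusted too (the behaviour RW describes), so a
    compromised-account submission yields None, i.e. ALL_TRUSTED.
    Passing False models stripping the "A" before SA sees the header."""
    for header in headers:
        hop = parse_hop(header)
        if hop is None:
            continue  # unparseable hop: skip rather than guess
        ip, proto = hop
        if is_trusted(ip):
            continue
        if auth_extends_trust and proto in AUTH_PROTOCOLS:
            continue  # SMTP AUTH into a trusted relay: client trusted as well
        return str(ip)
    return None
```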
