From: "Matt Kettler" <[EMAIL PROTECTED]>
jdow wrote:
===8<---
Return-Path: <[EMAIL PROTECTED]>
Received: from smtp.earthlink.net [209.86.93.205]
by localhost with POP3 (fetchmail-6.2.5.5)
for [EMAIL PROTECTED] (single-drop); Mon, 13 Mar 2006 05:36:39
-0800 (PST)
Received: from amazon.com ([80.33.31.58])
by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
1fiNda4KB3Nl34g0
for <[EMAIL PROTECTED]>; Mon, 13 Mar 2006 08:35:48 -0500 (EST)
From: LARISA SOSNITSKAYA <[EMAIL PROTECTED]>
To: jdow <[EMAIL PROTECTED]>
Subject: PLEASE RESPOND ASAP
X-Priority: 3
X-MSMail-Priority: Normal
Reply-To: LARISA SOSNITSKAYA <[EMAIL PROTECTED]>
mime-version: 1.0
content-type: multipart/mixed;
boundary="qzsoft_directmail_seperator"
Message-Id: <[EMAIL PROTECTED]>
Date: Mon, 13 Mar 2006 08:35:48 -0500 (EST)
X-ELNK-AV: 0
X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000;
X-Spam-Virus: No
===8<---
Now, just why a FORGED amazon.com Received header should cause this set of
rule hits I don't know:
From the looks of it, earthlink is claiming that 80.33.31.58 RDNS'ed as
amazon.com. So apparently this guy managed to forge his RDNS, or earthlink's
header format is weird.
This:
from amazon.com ([80.33.31.58])
Matches the typical behavior of postgress when the RDNS matches the HELO. I'm
not sure if Earthlink's server does the same.
This also outlines the reason why whitelist_from_spf is better than
whitelist_from_rcvd. Forging RDNS is difficult, but if your ISP gives you
sub-delegation of your RDNS then you can change it to be whatever you want.
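An added example (not from the thread or from SpamAssassin) illustrating the point above in Python: matching only on the name written into the Received header, in the spirit of whitelist_from_rcvd, trusts whatever rDNS the connecting side controls, while a forward-confirmed rDNS check requires the PTR name to resolve back to the connecting IP. The PTR and A tables are constructed stand-ins for live DNS lookups, and the A record for amazon.com is a documentation-range placeholder.

```python
import re

# Constructed stand-ins for PTR and A lookups (assumption: no live DNS is used).
# The PTR is the one jdow reported for 80.33.31.58; the A record for amazon.com
# is a documentation-range placeholder, not a real address.
PTR = {"80.33.31.58": "58.Red-80-33-31.staticIP.rima-tde.net"}
A = {
    "58.Red-80-33-31.staticIP.rima-tde.net": {"80.33.31.58"},
    "amazon.com": {"203.0.113.10"},
}

# Matches the "from NAME ([IP])" form seen in the EarthLink Received header.
RECEIVED_RE = re.compile(r"from\s+(?P<name>\S+)\s+\(\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)")

def parse_received(header):
    """Return (name, ip) from the first 'from' clause, or None if unparseable."""
    m = RECEIVED_RE.search(header)
    return (m.group("name"), m.group("ip")) if m else None

def in_domain(name, domain):
    """Suffix match, the way a whitelist entry for a domain is usually applied."""
    name, domain = name.lower().rstrip("."), domain.lower()
    return name == domain or name.endswith("." + domain)

def fcrdns(ip, ptr=PTR, a=A):
    """Forward-confirmed rDNS: return the PTR name only if it resolves back to ip."""
    name = ptr.get(ip)
    if name and ip in a.get(name, set()):
        return name
    return None

def name_only_hit(header, domain):
    """Trust the name written in the header, as name-only whitelist matching does."""
    parsed = parse_received(header)
    return parsed is not None and in_domain(parsed[0], domain)

def confirmed_hit(header, domain, ptr=PTR, a=A):
    """Trust the name only if FCrDNS of the connecting IP confirms it."""
    parsed = parse_received(header)
    if parsed is None:
        return False
    confirmed = fcrdns(parsed[1], ptr, a)
    return confirmed is not None and in_domain(confirmed, domain)

# The Received line from the thread, joined onto one line (constructed sample input).
SAMPLE = ("Received: from amazon.com ([80.33.31.58]) by mx-pigeons.atl.sa.earthlink.net "
          "(EarthLink SMTP Server) with SMTP id 1fiNda4KB3Nl34g0")
```

With the sample header, `name_only_hit(SAMPLE, "amazon.com")` is True while `confirmed_hit(SAMPLE, "amazon.com")` is False; a sub-delegated PTR rewritten to "amazon.com" still fails `fcrdns` because the forward lookup never points back at 80.33.31.58.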
58.Red-80-33-31.staticIP.rima-tde.net.
So it's not a forged rdns. Theo got it in one. I commented out the QMAIL
<censored> in Received.pm and the user_whitelist hit went away. I just
entered my confirmation of that "not really a solution" to the bugzilla
site.
(For a long time now I've thought qmail was more a problem than a solution
based on comments and problems with it recounted on this list.)
{^_^}