Re: Spampd proxy bypassed by some mails

Thu, 27 May 2010 16:59:49 -0700 

On 28.05.2010, at 24:12, mouss wrote:

> check your spampd: as there any cases where it would pass mail without
> checking it Example: wrong whitelisting mechanism. a common error in
> spamassassin is to use whitelist_from (which is easily abused by sender
> forgery).

I'm sure it can't be a misconfiguration of spampd or Spamassassin, since 
Postfix just doesn't relay these mails to spampd, so the error must be at 
Posfix:

May 26 14:04:48 mail postfix/smtpd[18487]: connect from 
220-143-62-59.dynamic.hinet.net[220.143.62.59]
May 26 14:04:49 mail postfix/smtpd[18487]: setting up TLS connection from 
220-143-62-59.dynamic.hinet.net[220.143.62.59]
May 26 14:04:50 mail postfix/smtpd[18487]: Anonymous TLS connection established 
from 220-143-62-59.dynamic.hinet.net[220.143.62.59]: TLSv1 with cipher RC4-MD5 
(128/128 bits)
May 26 14:04:51 mail postfix/smtpd[18487]: CB46FD60008: 
client=220-143-62-59.dynamic.hinet.net[220.143.62.59]
May 26 14:04:53 mail postfix/cleanup[18188]: CB46FD60008: message-id=<>
May 26 14:04:53 mail postfix/qmgr[18055]: CB46FD60008: 
from=<canad...@yahoo.com>, size=717, nrcpt=1 (queue active)
May 26 14:04:53 mail postfix/virtual[18464]: CB46FD60008: to=<x...@xxxxxxx.xx>, 
orig_to=<xxxxxxxx...@xxxxxxx.xx>, relay=virtual, delay=2.1, 
delays=2.1/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
May 26 14:04:53 mail postfix/qmgr[18055]: CB46FD60008: removed
May 26 14:04:54 mail postfix/smtpd[18487]: lost connection after RSET from 
220-143-62-59.dynamic.hinet.net[220.143.62.59]
May 26 14:04:54 mail postfix/smtpd[18487]: disconnect from 
220-143-62-59.dynamic.hinet.net[220.143.62.59]

> didn't check all your samples, but as for hinet, if you "have no hope
> from them", then firewall them:

Sure, I could block them with Postfix, a RBL would be enough. But I wonder why 
they are not relayed properly (It really happens only at exactly these messages 
[http://pastebin.com/4arTzeRu], less than at 1 of 100.000). After several hours 
of research there are only two possibilities: Either I made a weird mistake and 
have overseen something or there is a bug somewhere.

Jan-Kaspar

Reply via email to