On Fri, Apr 29, 2011 at 11:12:43AM +0200, Jeroen Geilman wrote:
> > Received: perfectly normal things
> >   can be seen here
> >   because it's already our system
> > Received: from [109.91.80.133] (HELO VKYNBXL)
> >   by moln-51ca578dee (8.14.3/8.14.3) with SMTP id 39875026 for
> >   [email protected]; Thu,
> >   28 Apr 2011 12:18:23 +0100Message-ID:
> >   <000001cc058d9b29143085505b6d@moln51ca578
> >   dee>From:
> >   "Lakia Kerry"<[email protected]>To: [email protected]:
> >   V!arga porfessional - first sSDate: Thu,
> >   28 Apr 2011 12:18:23 +0100MIME-Version: 1.0Content-Type:
> >   multipart/alternative;
> >   boundary="----=_NextPart_000_0000_01CC058D.9B291430"X-Priority:
> >   3X-MSMail-Priority: NormalX-Mailer: Microsoft Outlook Express
> >   6.00.2900.2075X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3529This
> >   is
> >   a multi-part message in MIME
> >   format.------=_NextPart_000_0000_01CC058D.9B291430Content-Type: text/plain;
> >   charset="us-ascii"Content-Transfer-Encoding:
> >
> >   quoted-printableon=20the=20blocks=20meaning=20of=20the=20first=20two=20verses=2
> >   0is=20that=20heaven=20and=20earth=20=20http=
> >
> With this formatting it is impossible to see what is original and
> what is format fail.

It's more or less the same as I've written, but the important part is that the
...To: [email protected]: headers seem to be written without a valid CRLF (as far
as I know that is the way it should be); they are simply appended to each other
without any delimiter used. So, from the point of view of Postfix, this madness
is interpreted as a single Received: line, but with noticeably bogus content,
and the reason is the lack of proper delimiters between the header lines the
sender (spammer) wanted to specify.

> > It seems there are tons of spam like this (I checked some similar
> > happenings, the content itself was about viagra and such), and I am very
> > curious what can cause this: as you can see the intended headers created by
> > the spammer (after those - in SMTP hops "after" I meant - headers are OK for
> > sure) somehow miss line breaks, so almost everything seems to be given
> > as one Received: header. Since it can't be the goal of the spammer, it's
> > really interesting what caused this. Maybe it's a stupid spam botnet, or so,
> > with major problems implementing SMTP and its friends? :)
>
> And if so, who cares ?

Me, being curious :) But anyway, of course this is not the most important
question here.

> > /^Received: .*Message-ID:.*From:.*To:/ REJECT Message content seems to be
> > spam.
> >
> > in header_checks pcre table.
>
> Does it work ?

It seems it does, I can see the rejected messages in the log because of that
rule. However, I am interested in the opinion of more clever people here on
this issue: is it a good solution (or acceptable at least) at all?

- Gábor
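As an added illustration (not code from the thread or from Postfix), the Python below applies the header_checks pattern quoted above to two constructed header blocks, one glued together the way Gábor describes and one delivered with proper CRLFs, using Python's re in place of Postfix's pcre (the pattern behaves the same in both), and separately lists which header names ended up embedded inside another header's value. Addresses, host names and ids in the samples are placeholders.

```python
import re

# The header_checks rule from the thread.  Postfix pcre tables match
# case-insensitively by default, and each logical header (folded
# continuation lines joined) is tested as one string.
SPAM_HEADER_RULE = re.compile(r"^Received: .*Message-ID:.*From:.*To:", re.IGNORECASE)

# Header names that should start their own line; one glued directly onto the
# previous header's value is the missing-CRLF symptom described in the thread.
GLUED_NAME = re.compile(r"(?<=\S)(Message-ID|From|To|Subject|Date|MIME-Version):",
                        re.IGNORECASE)

# Constructed sample 1: later headers run into the Received: header, the
# receiving MTA folded the long line (shape as in the thread, values invented).
BOGUS_HEADERS = (
    "Received: from [192.0.2.10] (HELO EXAMPLEPC)\r\n"
    "\tby mx.example.net (8.14.3/8.14.3) with SMTP id 12345 for\r\n"
    "\tuser@example.net; Thu, 28 Apr 2011 12:18:23 +0100Message-ID:\r\n"
    "\t<0001@examplepc>From: \"Someone\"<x@example.org>To: user@example.net\r\n"
)

# Constructed sample 2: the same headers, each terminated by CRLF, with a
# legitimately folded Received: header.
NORMAL_HEADERS = (
    "Received: from [192.0.2.10] (HELO EXAMPLEPC)\r\n"
    "\tby mx.example.net (8.14.3/8.14.3) with SMTP id 12345 for\r\n"
    "\tuser@example.net; Thu, 28 Apr 2011 12:18:23 +0100\r\n"
    "Message-ID: <0001@examplepc>\r\n"
    "From: \"Someone\" <x@example.org>\r\n"
    "To: user@example.net\r\n"
)


def unfold_headers(raw):
    """Split a raw header block into logical headers, joining folded
    continuation lines (leading SP/HTAB) onto the preceding header."""
    logical = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    return logical


def rejected_headers(raw):
    """Logical headers that the thread's header_checks rule would REJECT."""
    return [h for h in unfold_headers(raw) if SPAM_HEADER_RULE.search(h)]


def glued_header_names(raw):
    """Header names found embedded in another header's value (missing CRLF)."""
    return [m.group(1) for h in unfold_headers(raw) for m in GLUED_NAME.finditer(h)]
```

Only the glued block trips the rule; the correctly delimited block yields four separate logical headers and matches nothing, which is why the rule does not catch a normal Received: header followed by a normal Message-ID:.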
