> On Apr 21, 2015, at 11:54 AM, Bill Cole
> <postfixlists-070...@billmail.scconsult.com> wrote:
>
> On 21 Apr 2015, at 10:32, LuKreme wrote:
>
>> I am getting some messages with an incomplete received header, they all seem
>> to come from bronto.com:
>>
>> Received: from ms045.bronto.com (unknown)
>>     by mail.covisp.net(Postfix 2.11.4/8.13.0) with SMTP id unknown;
>>     Sun, 19 Apr 2015 15:00:38 -0600
>>     (envelope-from <cl3q5hr7hjponyd66fmt70m4u3kvtoi...@bounce.bronto.com>)
>>
>> I don't know why postfix is not generating a SMTP id or reporting the helo
>> name or IP address.
>>
>> Ideas?
>
> If you're absolutely sure that didn't arrive at your server with that header,

Well, it is the top Received header and has my mail server name in it, so if it arrived with that header, then postfix didn’t add on at all.

> a milter that mangles/recreates local Received headers would be the top
> suspect.

The only milter I have is spamass-milter and there aren’t any weird config settings and it only seems to be happening with bronto.com.

> Postfix does not usually include its version number, and adding "/8.13.0" to
> the version smells very much of something that thinks it is supposed to be
> mimicking Sendmail. You'd know if you had a header_checks botch that quirky,
> so a milter is the obvious remaining candidate (i.e. a tool using Sendmail
> libmilter code, in all likelihood.)

Right.

> One other possibility is that Bronto's modus operandi has devolved into
> intentional but poorly-done header forgery with a goal of filter evasion.
> That's not implausible but it strikes me as unlikely, since from my vantage
> point they seem to have become less spammy in recent years. Even less likely
> -- but not impossible -- is that something has taken over your server and is
> injecting messages with this sort of insane chimeric header implicating
> Bronto (a grey-hat/no-hat ESP) to distract you from the change of ownership.

The messages are legitimate messages.

Hmm… looking at the other headers I think I may see a possible source of the problem. Here is a message from the always_bcc spool:

Received: from ms142.bronto.com (ms142.bronto.com [216.27.63.142])
    by mail.covisp.net (Postfix) with ESMTP id 3lVw3h5gW4zJMht
    for <kr...@kreme.com>; Mon, 20 Apr 2015 11:28:32 -0600 (MDT)
Received: from localhost (172.16.0.148) by ms142.bronto.com id h6krk01usr0k
    for <kr...@kreme.com>; Mon, 20 Apr 2015 13:28:31 -0400
    (envelope-from <074lt6tr87dfcxx6x3vzdqouzogk3px...@email.halloweencostumes.com>)

I suspect that second received line’s localhost is what is mucking spamass-milter up on occasions (though not in the case of this message).

I am thinking the issue arises with messages that are marked as spam.

--
I started playing Myst at 4:30 in the afternoon and looked up suddenly and realized it was February.
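
A check for the header traits discussed in this thread, as an added example that is not part of the original messages: it looks only at Received headers written by the local host (`mail.covisp.net`, as in the quoted headers) and flags a missing client address, a queue id of "unknown" and a version string in the by-clause. The function name `audit_local_received`, the check labels and the placeholder addresses in the samples are assumptions.

```python
import re
from email import message_from_string

# Traits of the odd header that are pointed out in the thread.
CHECKS = {
    "no client address in from-clause":
        lambda h: not re.search(r"\bfrom \S+ \([^)]*\[[0-9A-Fa-f.:]+\]\)", h),
    "queue id is 'unknown'":
        lambda h: bool(re.search(r"\bid unknown\b", h)),
    "version string in by-clause":
        lambda h: bool(re.search(r"\(Postfix [\d.]+(/[\d.]+)?\)", h)),
}

def audit_local_received(raw_message, myhostname):
    """Return [(header, [findings])] for Received headers naming myhostname."""
    by_me = re.compile(r"\bby " + re.escape(myhostname) + r"(?![\w.-])")
    results = []
    for value in message_from_string(raw_message).get_all("Received", []):
        header = " ".join(value.split())          # unfold continuation lines
        if by_me.search(header):                  # skip hops added by other hosts
            results.append((header, [n for n, test in CHECKS.items() if test(header)]))
    return results

# Constructed samples built from the two headers quoted in the thread;
# envelope and recipient addresses are replaced with placeholders.
ODD = """\
Received: from ms045.bronto.com (unknown)
\tby mail.covisp.net(Postfix 2.11.4/8.13.0) with SMTP id unknown;
\tSun, 19 Apr 2015 15:00:38 -0600
\t(envelope-from <bounce@example.invalid>)
Subject: sample

body
"""
NORMAL = """\
Received: from ms142.bronto.com (ms142.bronto.com [216.27.63.142])
\tby mail.covisp.net (Postfix) with ESMTP id 3lVw3h5gW4zJMht
\tfor <user@example.invalid>; Mon, 20 Apr 2015 11:28:32 -0600 (MDT)
Received: from localhost (172.16.0.148) by ms142.bronto.com id h6krk01usr0k
\tfor <user@example.invalid>; Mon, 20 Apr 2015 13:28:31 -0400
Subject: sample

body
"""

if __name__ == "__main__":
    for name, raw in (("odd", ODD), ("normal", NORMAL)):
        for header, findings in audit_local_received(raw, "mail.covisp.net"):
            print(name, findings or "no anomalies flagged")
```

Run over a mailbox or the always_bcc spool, the same function shows which stored messages carry the altered local header and whether they cluster on one sender or on spam-tagged mail.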