Bob wrote:
If they spoof being an mta in our turf and
they're not in our SPF records, their payload
must be spam or virus. These are viruses, so
I should deny them, but I hate to waste good
spam...

Except it's not "good spam." The whole point of using a honeypot is to use the inbound e-mail specifically to identify sources of Unsolicited Commercial Email (the boring /real/ name for spam) and block those sources to your legitimate addresses.

In this case, identifying a private in the zombie army doesn't do you any good, really, since the zombie army is everywhere. The only real information you have is that this message has an infected attachment. You don't need to know you should block that IP, since you can block on the content instead. If you are serious about using SPF, block it there, since it is a clear forgery. There is no point in accepting the message, only to block it later as an infected message.

John
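The reply above argues for rejecting a clear SPF forgery at SMTP time rather than accepting the message and filtering it later. As an added illustration (not code from the original thread), the following Python evaluates the `ip4`/`ip6`/`all` subset of an SPF record against a connecting IP and maps the result to an SMTP verdict: a hard `fail` gets a 550 rejection before any payload is accepted, while `softfail`, `neutral`, `none` and `permerror` are accepted and left to content filtering. The domains and records are constructed for the example; a real mail server would fetch the record with a DNS TXT lookup and would also need the `include`, `a`, `mx` and `redirect` mechanisms, which this toy evaluator does not implement.

```python
import ipaddress

# Constructed SPF records for hypothetical domains (assumption: not real DNS data).
# In production the record comes from a TXT lookup on the MAIL FROM domain.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
    "noproof.example": "v=spf1 ip4:203.0.113.5 ?all",
}

# SPF qualifier prefixes and the result each one yields on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(sender_ip: str, domain: str, records=SPF_RECORDS) -> str:
    """Evaluate the ip4/ip6/all subset of SPF for the connecting IP.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    include:, a:, mx: and redirect= are deliberately unsupported here
    (they need DNS); a real evaluator must resolve them.
    """
    record = records.get(domain)
    if record is None:
        return "none"  # domain publishes no SPF policy
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no prefix means "pass on match"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]  # "all" always matches
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism outside this toy subset
    return "neutral"  # record exhausted without a match and without "all"


def smtp_decision(result: str) -> tuple:
    """Map an SPF result to the reply the MTA sends at MAIL FROM / RCPT TO.

    Only a hard fail is refused outright; everything else is accepted and
    handed to content filtering, which is where the infected attachment in
    the thread would be caught anyway.
    """
    if result == "fail":
        return ("550", "5.7.1 SPF check failed: sender not authorized for domain")
    return ("250", "accepted; subject to content filtering")


def check_connection(sender_ip: str, mail_from_domain: str) -> tuple:
    """Convenience wrapper: SPF result plus SMTP code for one connection."""
    result = evaluate_spf(sender_ip, mail_from_domain)
    code, text = smtp_decision(result)
    return (result, code, text)


if __name__ == "__main__":
    # Constructed connections: one legitimate relay, one forged sender.
    for ip, domain in [("192.0.2.77", "example.com"),
                       ("198.51.100.10", "example.com"),
                       ("198.51.100.11", "softfail.example")]:
        print(ip, domain, check_connection(ip, domain))
```

The decision function is deliberately conservative: only `-all` forgeries are refused, which matches the reply's point that a message failing a published hard-fail policy is never worth accepting, while weaker SPF outcomes still reach the content scanner.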
