Hi,

On Tue, Jan 23, 2018 at 4:52 PM, David Jones <djo...@ena.com> wrote:
> Here is a good example of a spoof that might get user clicks. It didn't
> have good SPF or DKIM but it could have pretty easily making it look pretty
> clean in a default SA installation.
>
> https://pastebin.com/GTG8K56a
>
> Need to get this IP off of the HostKarma and dnswl.org whitelists if anyone
> from there is on this list.

This appears to have hit on your side. Is this just an FYI?

X-ENA-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (cached, score=17.85, required 4, BAYES_99 5.20, BAYES_999 0.20,

Yeah, not good.

-2.5 RCVD_IN_HOSTKARMA_W RBL: Sender listed in HOSTKARMA-WHITE
     [168.100.1.4 listed in hostkarma.junkemailfilter.com]
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium trust
     [168.100.1.4 listed in list.dnswl.org]

Were there no EnvelopeFrom or Return-Path header?

This hits a local rule involving undisclosed-recips and/or not to my domain and "urgent" messages. It also now hits pyzor and dcc.

I also have a rule that adds 1.2 points to emails that hit hostkarma with no domain security.

> Kevin already had something similar to this in KAM.cf checking for SPF_FAIL
> from aexp.com but it wouldn't help with that spoofed one at the top with the
> "m" in the domain.

Should we try to do something about "american express" with a faked domain (amexp.com)?
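
For the closing question about a faked domain such as amexp.com, here is a sketch of a lookalike check on the From: header. It is added as an example and is not part of the thread or of KAM.cf; the protected-domain and brand-name lists, the function names and the sample headers are assumptions.

```python
from email.utils import parseaddr

# Assumptions: illustrative lists. aexp.com is the domain named in the thread.
PROTECTED = ("aexp.com", "americanexpress.com")
BRAND_NAMES = ("american express", "amex")

def osa_distance(a, b):
    """Edit distance with insert, delete, substitute and adjacent transposition."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def spoof_signals(from_header, max_distance=2):
    """Return the reasons a From: header looks like brand impersonation."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return []
    # Mail from a protected domain or one of its subdomains is left to SPF/DKIM.
    if any(domain == p or domain.endswith("." + p) for p in PROTECTED):
        return []
    signals = []
    if any(b in name.lower() for b in BRAND_NAMES):
        signals.append("brand_name_foreign_domain")
    # Naive registrable domain: last two labels (no public-suffix list here).
    base = ".".join(domain.split(".")[-2:])
    for p in PROTECTED:
        if osa_distance(base, p) <= max_distance:
            signals.append("lookalike:" + p)
    return signals

if __name__ == "__main__":
    # Constructed sample headers, not taken from the pastebin in the thread.
    for hdr in ('"American Express" <alerts@amexp.com>',
                "American Express <welcome@email.aexp.com>",
                "Bob <bob@example.org>"):
        print(hdr, "->", spoof_signals(hdr))
```

A distance threshold this small also matches unrelated short domains, so the signals are meant to add points to a score, as the local rules described in the thread do, not to reject mail on their own.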