On Fri, 16 Feb 2018, Michael Storz wrote:

> On 2018-02-15 19:27, David Jones wrote:
>> We have covered this issue a few times recently on this list but I
>> don't think anything definitive was ever decided or recommended to
>> detect and block this sort of spoofing:
>>
>> https://pastebin.com/juXLD8vr
>>
>> This appears to be a spoofed email from a compromised account trying
>> to be a known correspondent to this customer of mine.
>>
>> The Message-ID is suspicious since it's an inbound email to the
>> hck12.net domain.
>
> David,
>
> You can reject this kind of spam using
>
> ALL =~ /^To: .+\@([^>]+)\nMessage-ID: <\d{8,13}\.201[78]\d{5,11}\@\1>/m
>
> and the message-id and the boundary. I am doing this since May last year.

Not necessarily safe. If your MTA receives a message without a Message-ID,
it is supposed to generate one. And if it does so, it will probably do so
using your (recipient) domain...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
People that keep dreaming about the wasteland, labyrinths and
quick cash, die in amusing ways. -- Root the Dragon
-----------------------------------------------------------------------
6 days until George Washington's 286th Birthday
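
An added example, not part of any message in this thread: the rule quoted above run in Python against constructed headers, plus a check of the caveat about locally generated Message-IDs. The addresses, the `example.org` recipient domain, the helper names and the two local ID formats are assumptions.

```python
import re

# Rule from the thread, Perl /m mapped to re.MULTILINE. It fires only when
# To: is directly followed by Message-ID:, the ID has the digit shape below,
# and the ID's domain equals the To: domain (backreference \1).
RULE = re.compile(
    r"^To: .+@([^>]+)\nMessage-ID: <\d{8,13}\.201[78]\d{5,11}@\1>",
    re.MULTILINE,
)

def rule_hits(headers: str) -> bool:
    return RULE.search(headers) is not None

def make_headers(to_addr: str, message_id: str) -> str:
    # Constructed minimal header block in the order the rule expects.
    return (f"From: contact@example.com\nTo: {to_addr}\n"
            f"Message-ID: {message_id}\nSubject: test\n")

def colliding_local_ids(local_ids, rcpt="user@example.org"):
    """Return the IDs our own MTA might add that the rule would flag.
    An empty result means the false-positive case does not arise for the
    ID formats tested."""
    return [mid for mid in local_ids if rule_hits(make_headers(rcpt, mid))]

# Constructed samples; example.org stands in for the recipient domain.
SPOOFED = make_headers("user@example.org", "<1234567890.2018021512345@example.org>")
REMOTE = make_headers("user@example.org", "<1234567890.2018021512345@mail.example.com>")
# Assumed formats for IDs added locally to mail that arrived without one.
LOCAL_IDS = [
    "<20180216101500.4A1B2C3D@example.org>",   # 14 digits + hex: shape differs
    "<1518776100.2018021610150@example.org>",  # happens to fit the shape
]

if __name__ == "__main__":
    print("spoofed sample hit:", rule_hits(SPOOFED))
    print("remote sample hit: ", rule_hits(REMOTE))
    print("local IDs flagged: ", colliding_local_ids(LOCAL_IDS))
```

Feeding `colliding_local_ids` with Message-IDs copied from your own MTA's logs shows whether the false positive described in the last reply can occur on your system.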