On Thu, Oct 05, 2023 at 02:41:59PM +0700, Olivier wrote:
> Recently I have received a wave of mails in the form
> From: word-olivier@somewhere.random
> To: oliv...@mydomain.com
> Where the "olivier" part is a valid username on my domain.
> Is there a rule to catch these with SA?
I've been seeing recently connection attempts like that. When they
first started last month, they spoofed amazon.co.jp addresses.
Recently, though, they've morphed and spoof arbitrary hosts / domains.
They seem associated with a HELO such as "VM-0-9-centos.localdomain",
with "VM-" and "-centos.localdomain" always appearing in the value.
While I don't see anything in the current ruleset that looks for that,
you could create your own rule, say one modeled after HELO_LH_LD in
72_active.cf.
You could also consider adjusting the score for RCVD_IN_PBL - all the
connections that I've seen so far have been from hosts on Spamhaus' PBL.
George
--
the...@tifaware.com
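As an added illustration of the custom HELO rule George suggests (this is not a rule from the SpamAssassin ruleset, nor one posted in the thread), the fragment below goes in local.cf. The rule names, the score values and the regular expression are my own assumptions; the HELO pattern is taken from the "VM-...-centos.localdomain" shape described above. Rather than raising the score of RCVD_IN_PBL for every message, the meta rule only adds points when that HELO and a PBL listing occur together, which keeps the collateral effect on ordinary mail small.

```conf
# Assumed custom rules for local.cf (example, not part of the stock ruleset).
# X-Spam-Relays-External is the pseudo-header SpamAssassin builds from the
# untrusted Received: headers; "^[^\]]+ helo=" anchors on the first (most
# recent) external relay, mirroring the style of the stock HELO_* rules.
header   HELO_VM_CENTOS_LOCALDOMAIN  X-Spam-Relays-External =~ /^[^\]]+ helo=VM-[\w.-]*-centos\.localdomain /i
describe HELO_VM_CENTOS_LOCALDOMAIN  HELO of the form VM-*-centos.localdomain
score    HELO_VM_CENTOS_LOCALDOMAIN  1.5   # assumed score, tune locally

# Only add weight when the suspicious HELO comes from a Spamhaus PBL-listed
# host, instead of raising RCVD_IN_PBL globally.
meta     HELO_VM_CENTOS_PBL          (HELO_VM_CENTOS_LOCALDOMAIN && RCVD_IN_PBL)
describe HELO_VM_CENTOS_PBL          VM-*-centos.localdomain HELO from a PBL-listed host
score    HELO_VM_CENTOS_PBL          2.0   # assumed score, tune locally
```

After adding the rules, run `spamassassin --lint` to check the syntax, then feed one of the offending messages through `spamassassin -t < message.eml` and confirm the new rule names appear in the X-Spam-Status report before relying on the scores.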