I just got the spam below (headers removed except a few).
This wasn't caught at reception time. It now triggers
RCVD_IN_BL_SPAMCOP_NET.
However, it doesn't trigger the SURBL checks, since the '&' is considered
the end of the URL:
debug: URIDNSBL: domains to query: ins.com nusv.com
And I was surprised that the following works:
# host "nusv.com&wnrsyaidip4elp2wjw0z1li.henogenyhb.com"
nusv.com&wnrsyaidip4elp2wjw0z1li.henogenyhb-MUNGED.com has address
221.11.133.42
Would it be reasonable to add a rule to check for anomalies in URLs?
What's the best (TM) way?
Another note is that the host (221.3.157.245) issues a HELO of
mx.adelphia.net, but 221.3.157.245 is in China while mx.adelphia.net is
in the US. Shouldn't this trigger a forged HELO? One can also see that the
From address is in .il (let's ignore the Message-ID). That makes 3 distant
parts of the world :)
--------------- spam follows -----------------
...
Received: from unknown (HELO mx.adelphia.net) (221.3.157.245)
...
message-id: <[EMAIL PROTECTED]>
From: "Keeley Tate" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: It isn't too good to be true. angelfish
When it comes to applications like MS Office, or Windows etc. they ask a
pretty penny. We figured,
scrap the manual, scrap the box, you really only need the CD so thats
what we did.
You can have the CD's sent to you, or download instead, your choice.
For downloading - Browse up
http://nusv.com&wnrsyaidip4elp2wjw0z1li.henogenyhb-MUNGED.com/
For shipped CD's - Browse up
http://ins.com&dwpw3ibhdwafswlbxe.henogenyhb-MUNGED.com/
You'll be shocked at our pricing.
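The URL trick the post describes is worth seeing in code. The example below is added here and is not SpamAssassin code or anything from the original post: it pulls URLs out of a message body, splits off the authority the way RFC 3986 does (only '/', '?' and '#' end it, which is why `host` resolved the name with the '&' in it), and flags any host that contains characters a hostname cannot contain. For each flagged URL it also reports the decoy label a naive parser would hand to a URIBL and the registrable domain that should really be queried. The sample body is constructed from the munged domains in the post plus one legitimate URL with '&' in its query string, to show the check does not fire on that. Assumptions: the "registrable domain" is simply the last two labels (no public-suffix list), and an equivalent SpamAssassin rule would be a rawbody regex along the lines of `https?://[^\s/?#]*&`, which is my suggestion, not something the post or the project provides.

```python
"""Flag URLs whose host part contains characters a hostname cannot contain.

Added example for this post; not SpamAssassin code.  The trick in the
spam is that a naive URI extractor stops at '&', so the URIBL lookup is
done for the decoy label (nusv.com / ins.com) instead of the domain the
browser would actually resolve.
"""
import re

# Constructed sample body, modelled on the post (domains already munged),
# plus one legitimate URL whose '&' sits in the query string, not the host.
SAMPLE_BODY = """For downloading - Browse up
http://nusv.com&wnrsyaidip4elp2wjw0z1li.henogenyhb-MUNGED.com/
For shipped CD's - Browse up
http://ins.com&dwpw3ibhdwafswlbxe.henogenyhb-MUNGED.com/
Legit link: http://example.com/index.html?a=1&b=2
"""

# Greedy URL grab: everything after the scheme up to whitespace or '<'/'>'.
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)

# What a hostname may legitimately contain: letters, digits, '.' and '-'.
HOST_CHARS = re.compile(r"^[A-Za-z0-9.-]+$")


def extract_urls(text):
    """Return all http/https URLs in `text`, in order of appearance."""
    return URL_RE.findall(text)


def authority(url):
    """Return the authority (userinfo@host:port) of `url`.

    Deliberately does not stop at '&': per RFC 3986 only '/', '?' and '#'
    terminate the authority, which is also why the resolver in the post
    happily looked up the name with the '&' in it.
    """
    rest = url.split("://", 1)[1]
    return re.split(r"[/?#]", rest, maxsplit=1)[0]


def host_of(url):
    """Strip userinfo and port from the authority, leaving the host."""
    auth = authority(url)
    host = auth.rsplit("@", 1)[-1]  # drop user:pass@
    return host.split(":", 1)[0]    # drop :port


def naive_host(url):
    """Host as a parser that treats '&' as a terminator would see it."""
    return host_of(url).split("&", 1)[0]


def registrable_domain(host):
    """Last two labels of the host (assumption: no public-suffix handling)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_url(url):
    """Describe one URL: whether its host is anomalous and which domains matter."""
    full = host_of(url)
    return {
        "url": url,
        "host": full,
        "anomalous": HOST_CHARS.match(full) is None,
        "naive_host": naive_host(url),            # what a '&'-stopping parser queries
        "real_domain": registrable_domain(full),  # what the URIBL should be asked about
    }


def anomalous_urls(text):
    """Return the analyses of every URL in `text` whose host is anomalous."""
    return [a for a in (analyze_url(u) for u in extract_urls(text)) if a["anomalous"]]


if __name__ == "__main__":
    for finding in anomalous_urls(SAMPLE_BODY):
        print(f"{finding['host']}: naive parser queries {finding['naive_host']}, "
              f"real registrable domain is {finding['real_domain']}")
```

Run as a script it prints one line per decoy URL; the `example.com` link is not reported because its '&' is past the '/' that ends the authority. The useful output for a blocklist lookup is `real_domain`, not the decoy label.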