Don't know about qmail, but in sendmail you can easily reject the mail because of this 'forged helo'. -Sietse
________________________________
From: Jason Staudenmayer [mailto:[EMAIL PROTECTED]]
Sent: Fri 09-Jun-06 15:35
To: Jamie L. Penman-Smithson
Cc: users@spamassassin.apache.org
Subject: RE: Gmail spam

I see ... I'll have to see why my qmail didn't drop it for those address issues.

Thanks

-----Original Message-----
From: Jamie L. Penman-Smithson [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 09, 2006 9:26 AM
To: Jason Staudenmayer
Cc: users@spamassassin.apache.org
Subject: Re: Gmail spam

On 9 Jun 2006, at 13:56, Jason Staudenmayer wrote:

> Is anyone else getting spam from gmail? The ones I'm getting are very
> lengthy but don't look like bayes poison.

It's _not from_ GMail.

<snip>

> Received: from unknown (HELO 192.168.0.4) (66.148.73.132)
>   by mail2.adventureaquarium.com with SMTP; 8 Jun 2006 12:05:21 -0000
> Received: from crysholgh.com (9.13.1/9.13.1) id XAA37462; Thu, 08 Jun
>   2006 05:05:20 -0800
> Message-Id: <[EMAIL PROTECTED]>
> From: "Marcelino Crews" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: this weeks stock pick KMAG - build a strong position now

<snip>

> Maybe gmail has an open relay? Or does this look like something else?

No, you should be looking at this header:

> Received: from unknown (HELO 192.168.0.4) (66.148.73.132)
>   by mail2.adventureaquarium.com with SMTP; 8 Jun 2006 12:05:21 -0000

This message was received from [66.148.73.132] with no rDNS and using a private non-routable IP in HELO. The IP in question is owned by HopOne:

NetRange:   66.148.64.0 - 66.148.127.255
CIDR:       66.148.64.0/18
OrgName:    HopOne Internet Corporation
OrgID:      HOPO
Address:    1010 Wisconsin Avenue N.W.
City:       Washington
StateProv:  DC
PostalCode: 20007-3603
Country:    US

It doesn't match the SPF record for gmail.com either:

_spf.google.com. 300 IN TXT "v=spf1 ip4:216.239.56.0/23 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ?all"

The sender address is forged, as is common.
IOW it should have been rejected outright before it even got to SA, either because it has no rDNS, or because it used an invalid address literal (1.2.3.4 instead of [1.2.3.4]), or because it used a private non-routable IP in HELO. -j
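The three connection-time checks Jamie lists (no rDNS, a bare IP where RFC 5321 requires a bracketed address literal, and a private non-routable IP in HELO), plus a minimal evaluation of the quoted gmail.com SPF record, as an added worked example. This is not code from the thread, from qmail or from sendmail; it is a stand-alone Python illustration. The client IP, HELO argument and SPF text are taken from the headers quoted above; the reverse-DNS table is a constructed stand-in so the example runs offline, and the SPF evaluator only handles ip4: mechanisms and the trailing all (no include:, a:, mx: or redirect=).

```python
import ipaddress
import re

# Taken from the Received header quoted in the thread.
CLIENT_IP = "66.148.73.132"
HELO_ARG = "192.168.0.4"

# The gmail.com SPF record quoted in the thread.
SPF_RECORD = ("v=spf1 ip4:216.239.56.0/23 ip4:64.233.160.0/19 "
              "ip4:66.249.80.0/20 ip4:72.14.192.0/18 ?all")

# Constructed stand-in for a PTR lookup (assumption: 66.148.73.132 has no rDNS,
# as Jamie states; the Google entry is made up for contrast, not a real PTR).
RDNS_TABLE = {"66.249.80.1": "crawl-66-249-80-1.googlebot.com"}

# Loose FQDN shape: at least two labels, last label 2+ chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I)

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def rdns_name(ip):
    """Return the PTR name for ip, or None when there is no reverse DNS."""
    return RDNS_TABLE.get(ip)


def helo_problems(helo):
    """List the RFC 5321 problems with a HELO/EHLO argument.

    Valid forms are a FQDN or a bracketed address literal such as [1.2.3.4].
    A bare IP is an invalid literal; a private or otherwise non-routable
    address is flagged in either form.
    """
    problems = []
    if helo.startswith("[") and helo.endswith("]"):
        try:
            ip = ipaddress.ip_address(helo[1:-1])
        except ValueError:
            return ["malformed address literal"]
        if not ip.is_global:
            problems.append("private/non-routable IP in HELO")
        return problems
    try:
        ip = ipaddress.ip_address(helo)
    except ValueError:
        if not HOSTNAME_RE.match(helo):
            problems.append("HELO is neither a FQDN nor an address literal")
        return problems
    problems.append("bare IP in HELO (address literal must be bracketed)")
    if not ip.is_global:
        problems.append("private/non-routable IP in HELO")
    return problems


def spf_ip4_result(record, client_ip):
    """Evaluate only ip4: mechanisms and the all mechanism of an SPF record.

    Returns pass/fail/softfail/neutral; 'neutral' when nothing matches and
    there is no all, 'none' when the record is not SPFv1.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qualifier]
        elif term.lower() == "all":
            return QUALIFIER[qualifier]
    return "neutral"


def evaluate_connection(client_ip, helo, spf_record=None):
    """Combine the connection-time checks into one reject/accept decision."""
    reasons = helo_problems(helo)
    if rdns_name(client_ip) is None:
        reasons.append("no reverse DNS for %s" % client_ip)
    spf = spf_ip4_result(spf_record, client_ip) if spf_record else "none"
    return {"reject": bool(reasons), "reasons": reasons, "spf": spf}


if __name__ == "__main__":
    verdict = evaluate_connection(CLIENT_IP, HELO_ARG, SPF_RECORD)
    for reason in verdict["reasons"]:
        print("reject:", reason)
    print("SPF result for gmail.com:", verdict["spf"])
```

Note that the record ends in ?all, so the SPF result for 66.148.73.132 is neutral rather than fail; a receiver cannot reject on SPF alone here, which is why the HELO and rDNS checks are what would have stopped this message at the SMTP banner stage.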