On 8/26/2007 11:36 PM, John D. Hardin wrote:
On Sun, 26 Aug 2007, Nikolay Shopik wrote:
Just parse the Received: headers in the message attached to the backscatter.
You can easily see that this message was not sent by your server, and
you can reject such backscatter, because you never sent such
messages.
Not true any longer. The joe job I've been suffering from for the last
month has forged Received: headers that make the spam appear to have
been sent from my MX to the bot that actually originated it. After
all, how hard is it to look up the MX for the domain you're forging as
the sender?
If you want to filter, you'd need to keep a history of all the
Message-ID values your MTA has processed and compare against that.
And something else: you can announce your MTA under a name other than the one it has in DNS. So you
announce your system as mta.example.com, but all the DNS records claim that
it is mx.example.com.
MX RR = mx.example.com -> 1.2.3.4
CNAME RR = mta.example.com -> mx.example.com (just for safety)
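The three checks discussed in this thread, worked through in Python as an added example (not code posted by either participant): first the Message-ID history that John suggests, then the original "does any Received: hop involve our server at all" test, and finally the HELO-name trick above, where our MTA only ever announces itself as mta.example.com while MX/A lookups return mx.example.com, so a forger who looked up the MX writes the wrong name into the faked hop. The sent-ID history, the host names and the three attached-message header blocks are all constructed for the demo.

```python
"""Classify the original message attached to a bounce as genuine or backscatter.

Added example; assumptions: our public MX record is mx.example.com (1.2.3.4),
our MTA announces itself (HELO/EHLO) as mta.example.com, and the Message-ID
history below is what our MTA really emitted.  All sample headers are constructed.
"""
import re
from typing import List, Tuple

OUR_DNS_NAME = "mx.example.com"    # name the MX/A records point at (public)
OUR_HELO_NAME = "mta.example.com"  # name our MTA really announces (assumed)
OUR_IP = "1.2.3.4"

# Constructed history of Message-IDs our MTA actually sent out.
SENT_MESSAGE_IDS = {"<20070826103000.ab12@mta.example.com>"}

FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)          # HELO name claimed
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)             # receiving host
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")            # bracketed peer IP


def header_values(raw_headers: str, name: str) -> List[str]:
    """All values of header `name` from a raw header block, unfolding continuation lines."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    values = []
    for line in unfolded.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def parse_received(value: str) -> dict:
    """Pull the HELO name, peer IP and receiving host out of one Received: value."""
    m_from, m_by, m_ip = FROM_RE.match(value), BY_RE.search(value), IP_RE.search(value)
    return {
        "helo": m_from.group(1).lower() if m_from else "",
        "by": m_by.group(1).lower().rstrip(";") if m_by else "",
        "ip": m_ip.group(1) if m_ip else "",
    }


def classify_bounce(original_headers: str) -> Tuple[bool, str]:
    """Return (is_backscatter, reason) for the original message inside a bounce."""
    ids = header_values(original_headers, "Message-ID")
    # 1. Authoritative check: did our MTA ever emit this Message-ID?
    if ids and ids[0] in SENT_MESSAGE_IDS:
        return False, "Message-ID is in our sent history: genuine bounce"
    hops = [parse_received(v) for v in header_values(original_headers, "Received")]
    ours = [h for h in hops
            if h["ip"] == OUR_IP
            or OUR_DNS_NAME in (h["helo"], h["by"])
            or OUR_HELO_NAME in (h["helo"], h["by"])]
    # 2. The original check: nothing in the trail even mentions us.
    if not ours:
        return True, "no Received: hop involves our server"
    # 3. The HELO trick: a forger who looked up our MX uses the public DNS name,
    #    but our MTA never announces itself as that.
    for h in ours:
        if OUR_DNS_NAME in (h["helo"], h["by"]):
            return True, (f"hop names our server as {OUR_DNS_NAME}, "
                          f"but our MTA only ever announces itself as {OUR_HELO_NAME}")
    return True, f"Message-ID {ids[0] if ids else '(missing)'} is not in our sent history"


# Constructed: joe-job spam with no trace of our server in its Received: trail.
PLAIN_JOEJOB = """\
Received: from bot-pc.isp.test (bot-pc.isp.test [203.0.113.7])
    by mail.victim.test with ESMTP id K2; Sun, 26 Aug 2007 10:41:02 +0000
From: someone@example.com
To: nobody@victim.test
Message-ID: <9f1c@bot-pc.isp.test>
Subject: cheap stuff
"""

# Constructed: the forged variant John describes, with a faked hop "from our MX to the bot".
FORGED_JOEJOB = """\
Received: from bot-pc.isp.test (bot-pc.isp.test [203.0.113.7])
    by mail.victim.test with ESMTP id K3; Sun, 26 Aug 2007 10:42:17 +0000
Received: from mx.example.com (mx.example.com [1.2.3.4])
    by bot-pc.isp.test with ESMTP id 7; Sun, 26 Aug 2007 10:42:10 +0000
From: someone@example.com
To: nobody@victim.test
Message-ID: <a0b1@mx.example.com>
Subject: cheap stuff
"""

# Constructed: a message our MTA really sent, bounced by the far side.
GENUINE_BOUNCE = """\
Received: from mta.example.com (mx.example.com [1.2.3.4])
    by mail.victim.test with ESMTP id K4; Sun, 26 Aug 2007 10:30:05 +0000
From: someone@example.com
To: gone@victim.test
Message-ID: <20070826103000.ab12@mta.example.com>
Subject: hello
"""

if __name__ == "__main__":
    for label, hdrs in (("plain", PLAIN_JOEJOB), ("forged", FORGED_JOEJOB), ("genuine", GENUINE_BOUNCE)):
        print(label, classify_bounce(hdrs))
```

The Message-ID history is the check that actually decides; the two header checks only explain why a given bounce is being refused. The HELO-name trick holds up only as long as the forger keeps taking the name from DNS, so the history is the part worth keeping.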