Dan,
FWIW... that IP, 220.226.197.15, is currently listed on four spam
blacklists ("RBLs"):
1) uceprotect
2) no-more-funn
3) psbl
4) ivmSIP.com (mine)
The first two are "FP-risky" for outright blocking, but can be useful in
a scoring environment. The latter two are much more safe for outright
blocking... particularly ivmSIP.com, which has a FP rate that is almost as low
as the FP rate of SpamHaus's lists.
Rob McEwen
Dan Mahoney, System Admin wrote:
Message at bottom.
I checked on this email. My system is right: it is an spf soft-fail.
At this point, ninety nine percent of people who set up SPF are going
to be setting ~all and not understanding the difference between ~all
and -all. And this did constitute a fail (i.e. a forgery), but there's
no rule that hit.
We've had the debate before, that SPF alone should not stop spam, but
here it is: a legitimate domain hijack and SA isn't hitting?
Also, what's up with RDNS_NONE? My sendmail won't accept a connection
unless your RDNS resolves, or you send in the domain literal format.
I did a quick search and found a few bugs on this.
We've already been over DKIM_POLICY_SIGNSOME -- I'm still in favor of
making a new rule for the implicit policy (DKIM_NOPOLICY or
DKIM_POLICY_ASSUMED_SIGNSSONE) rather than the explicit one.
Can we also assume the following...
The Ironport-Anti-Spam score is bogus but we have no way of checking
the result?
The Ironport-AV score is probably also bogus? Are "valid" values for
i and a documented somewhere?
The X-Originating-IP of 127.0.0.1 is probably accurate (after all, the
sending host must have had a 127.1), but useless and either the result
of a bug (i.e. a misconfigured mailserver, from which we should not
accept), or an intentional attempt to fool filters to believe it's
"trusted" (for those systems that check this header) and should be
ignored or a rule created?
From [EMAIL PROTECTED] Sat Oct 6 05:40:56 2007
Return-Path: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.2.2 (2007-07-23) on
quark.gushi.org
X-Spam-Level: *
X-Spam-Status: No, score=1.4 required=5.0
tests=BAYES_50,DKIM_POLICY_SIGNSOME,
MISSING_HEADERS,RDNS_NONE autolearn=no version=3.2.2
Received: from rx4.indiatimes.com ([220.226.197.15])
by prime.gushi.org (8.13.8/8.13.8) with ESMTP id l969eqTG063292
for <[EMAIL PROTECTED]>; Sat, 6 Oct 2007 05:40:54 -0400 (EDT)
(envelope-from [EMAIL PROTECTED])
Authentication-Results: prime.gushi.org [EMAIL PROTECTED];
sender-id=softfail; spf=softfail
Received: from unknown (HELO tilmb7.indiatimes.com) ([192.168.61.27])
by x1.indiatimes.com with ESMTP; 06 Oct 2007 15:07:38 +0530
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AnoUAJL0BkfAqD0b/2dsb2JhbAAMiRw
X-IronPort-AV: i="unknown"; a="17144176:sNHT0"
Date: Sat, 6 Oct 2007 14:57:11 +0530 (IST)
From: "Mr.Craig McAfee" <[EMAIL PROTECTED]>
Reply-To: "Mr.Craig McAfee" <[EMAIL PROTECTED]>
Message-ID:
<[EMAIL PROTECTED]>
Subject: Attn:YOU HAVE WON A PRIZE (1,700,000.00 Euros)!
MIME-Version: 1.0
X-Originating-IP: [127.0.0.1]
Content-Type: text/plain; charset="utf-8"
X-Greylist: Default is to whitelist mail, not delayed by
milter-greylist-3.0 (prime.gushi.org [0.0.0.0]); Sat, 06 Oct 2007
05:40:56 -0400 (EDT)
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by prime.gushi.org id
l969eqTG063292
X-Envelope-To: [EMAIL PROTECTED]
[ The following text is in the "utf-8" character set. ]
[ Your display is set for the "US-ASCII" character set. ]
[ Some characters may be displayed incorrectly. ]
Attention!!!
Your email address has emerged as one of the winner in Euromillions
FreeDraws.Prize attached is 1,700,000.00 Euros.Contact Mr Mr Denis
Ernest Fing.Email:[EMAIL PROTECTED]
with the following information:1, Full Names: 2. Address:3. Age:4.
Sex:5. Phone /Fax number: and 6. Country:
--
My life has changed. What about yours?
Log on to the new Indiatimes Mail and Live out of the Inbox!
--
"Is Gushi a person or an entity?"
"Yes"
-Bad Karma, August 25th 2001, Ezzi Computers, Quoting himself earlier,
referring to Gushi
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
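
An added example, not part of either message in this thread: the signals discussed above (an SPF softfail taken only from the receiving host's own Authentication-Results header, a loopback X-Originating-IP, and RBL listings split into the FP-risky and safer tiers named in the reply) combined into a score rather than a block decision. The sample message is constructed, and the hostnames, weights and function names are assumptions.

```python
import email
import ipaddress
import re

# Constructed sample modelled on the headers quoted above; hostnames are placeholders.
SAMPLE = (
    "Received: from rx4.example.net ([220.226.197.15]) by mx.example.org with ESMTP\n"
    "Authentication-Results: mx.example.org; sender-id=softfail; spf=softfail\n"
    "X-Originating-IP: [127.0.0.1]\n"
    "Subject: constructed sample\n\nbody\n"
)
# Assumed weights for illustration only; tune against your own mail flow.
WEIGHTS = {"spf_softfail": 1.0, "spf_fail": 3.0, "xoip_nonroutable": 1.5,
           "rbl_risky": 1.0, "rbl_safer": 3.0}
# Tiers follow the reply above: first two lists FP-risky, last two safer.
RBL_TIER = {"uceprotect": "rbl_risky", "no-more-funn": "rbl_risky",
            "psbl": "rbl_safer", "ivmSIP": "rbl_safer"}

def spf_result(msg, authserv_id):
    """spf= result from Authentication-Results added by our own MTA, else None."""
    for value in msg.get_all("Authentication-Results", []):
        host, _, results = value.partition(";")
        # Ignore headers stamped by other hosts: the sender can forge those.
        if host.split()[:1] != [authserv_id]:
            continue
        m = re.search(r"\bspf=(\w+)", results, re.I)
        if m:
            return m.group(1).lower()
    return None

def xoip_nonroutable(msg):
    """True when X-Originating-IP is loopback or private, so it says nothing useful."""
    raw = (msg.get("X-Originating-IP") or "").strip().strip("[]")
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private

def score(raw_message, authserv_id, rbl_hits=()):
    """Return (total, rule names) without making any network lookups."""
    msg, hits = email.message_from_string(raw_message), []
    spf = spf_result(msg, authserv_id)
    if spf in ("softfail", "fail"):
        hits.append("spf_" + spf)
    if xoip_nonroutable(msg):
        hits.append("xoip_nonroutable")
    hits += [RBL_TIER[name] for name in rbl_hits if name in RBL_TIER]
    return sum(WEIGHTS[h] for h in hits), hits
```

The RBL names are passed in as already-resolved hits, so the block runs offline; a real deployment would fill that list from DNSBL queries on the connecting IP.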