They don't appear to be scored at all (see attached header)

Return-Path: <i...@impactps.com>
Received: from murder ([unix socket])
    by impactps.com (Cyrus v2.3.8-OS X Server 10.5: 9C31) with LMTPA;
    Thu, 18 Jun 2009 12:28:22 -0700
X-Sieve: CMU Sieve 2.3
Received: from localhost (localhost [127.0.0.1])
    by impactps.com (Postfix) with ESMTP id CA1EE16DD83A
    for <i...@impactps.com>; Thu, 18 Jun 2009 12:28:22 -0700 (MST)
Received: from impactps.com ([127.0.0.1])
    by localhost (impactps.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id VhO7fJORAYkP
    for <i...@impactps.com>; Thu, 18 Jun 2009 12:28:19 -0700 (MST)
Received: from [78.30.163.198] (dynamic-78-30-163-198.adsl.eunet.rs [78.30.163.198])
    by impactps.com (Postfix) with ESMTP id 8C4BA16DD833
    for <i...@impactps.com>; Thu, 18 Jun 2009 12:28:17 -0700 (MST)
From: "Selena Uzox" <i...@impactps.com>
To: i...@impactps.com
Subject: Scanned your photos
Date: Thu, 18 Jun 2009 21:28:04 +0200
Message-ID: <lvbsqcqhekczpo.nukhyyivqhoznft25042911...@[78.30.163.198]>
MIME-version: 1.0
Content-type: text/html; charset="iso-8859-1"

On 6/18/09 12:02 PM, "John Hardin" <jhar...@impsec.org> wrote:

> On Thu, 18 Jun 2009, Jeff Drury wrote:
>
>> SA is working for the most part beyond expectations, the only problem
>> I'm having is filtering spoofed email address (i.e.
>> valid_u...@ourdomain.com). I am able to filter out non-valid user
>> addresses (i.e. spam...@ourdomain.com). I run SA-Update daily, have
>> piped well over 500 of these messages through sa-learn, yet they still
>> come through. I know this is a generic outline of the problem, but it's
>> a start, if you need more info I can send it.
>
> Are the spoofed addresses in the sender address or the recipient address?
>
> Are these messages hitting a whitelist and getting large negative scores?
> Have you used "whitelist_from" anywhere in your configs? You probably
> don't want to do that.
>
> Benny suggested SPF; setting up an SPF record will (apparently) reduce
> (but not eliminate) the attempts to send spam using forged addresses from
> your domain, and will allow you to filter forged sender addresses from
> your domain by verifying the message matches the claimed domain's SPF
> information. There are other ways to do this; for example, I use
> milter-regex.
>
> There may be still other ways to say "a sender domain of X should be
> rejected if it comes from the internet", but I am not a postfix guru.

Jeff Drury
p 602.264.2914 f 602.263-5240 e i...@impactps.com
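
Added example, not part of the original message: a Python sketch of the check John Hardin describes (a sender in our own domain arriving from the internet), which also reports whether the message carries an X-Spam-Status header. `LOCAL_DOMAINS`, `TRUSTED_NETS`, and the sample header are assumptions constructed for illustration.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumptions for this sketch: the domains we host and our own relay networks.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]
# Postfix records the connecting client as "(hostname [ip])" or "([ip])".
CLIENT_IP = re.compile(r"\((?:\S+ )?\[([0-9A-Fa-f.:]+)\]\)")

# Constructed sample shaped like the header quoted above; example.com and
# 198.51.100.23 are placeholders, not values from the thread.
SAMPLE = (
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby mail.example.com (Postfix) with ESMTP id AAAA; Thu, 18 Jun 2009 12:28:22 -0700\n"
    "Received: from [198.51.100.23] (dyn.isp.invalid [198.51.100.23])\n"
    "\tby mail.example.com (Postfix) with ESMTP id BBBB; Thu, 18 Jun 2009 12:28:17 -0700\n"
    'From: "Selena Uzox" <user@example.com>\n'
    "To: user@example.com\n"
    "Subject: Scanned your photos\n\nbody\n"
)

def first_external_relay(msg):
    """Walk Received headers newest-first; return the first client IP outside TRUSTED_NETS."""
    for hop in msg.get_all("Received", []):
        m = CLIENT_IP.search(hop)
        if not m:
            continue  # e.g. local LMTP delivery over a unix socket
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address literal in the header
        if not any(ip in net for net in TRUSTED_NETS):
            return str(ip)
    return None

def analyze(raw):
    """Report whether a message claims a local sender but entered from outside."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    relay = first_external_relay(msg)
    return {
        "from_domain": from_domain,
        "relay_ip": relay,
        "forged_local_sender": from_domain in LOCAL_DOMAINS and relay is not None,
        "scored": msg.get("X-Spam-Status") is not None,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Roaming users who submit mail from outside `TRUSTED_NETS` without authentication would also be flagged, so a check like this belongs on inbound traffic only, after authenticated submission has been separated out.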