I have just found a new kind of spam which went through our spamassassin (actually it got a "banned" notification - we quarantine spam and virus but let banned be delivered).

The subject was "Delivery reports about your e-mail", the apparent originator was From: "MAILER-DAEMON" <nore...@ourdomain>, the body was empty and there was a single attachment "transcript.zip".

There are only two Received lines in the header as seen on my destination machine (I've edited out the local details):

Received: from our_mx by my_machine for my_address
Received: from ourdomain (localhost [113.167.75.53] (may be forged)by our_mx

So it looks like the spammer connected directly to our mx (one of two), faking its name as our domain.

To users it seems a strange mailer daemon message, since our mx are linux boxes and do not send zipped reports. So it is obvious spam.

My question is: is it ok to feed it into the sa-learn crontab we use for spam which escapes spamassassin, or will the way it is forged cause problems (e.g. filtering legitimate mailer daemon reports)?


--
------------------------------------------------------------------------
Lucio Chiappetti - INAF/IASF - via Bassini 15 - I-20133 Milano (Italy)
------------------------------------------------------------------------
Citizens entrusted of public functions have the duty to accomplish them
with discipline and honour
                          [Art. 54 Constitution of the Italian Republic]
------------------------------------------------------------------------
For more info : http://www.iasf-milano.inaf.it/~lucio/personal.html
------------------------------------------------------------------------
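As an added illustration (my own code, not from the original post): a small Python check that flags Received hops where the HELO name claims our own domain but the connecting IP is outside our own address ranges, which is the pattern Lucio describes, and combines it with the MAILER-DAEMON sender to separate such forged bounces from genuine ones before they reach sa-learn. OUR_DOMAIN, LOCAL_NETS and both sample messages are assumed/constructed.

```python
import ipaddress
import re
from email import message_from_string

OUR_DOMAIN = "ourdomain"                       # assumed: our mail domain
LOCAL_NETS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]  # assumed: where our MXs live

# Constructed sample modelled on the headers quoted above (documentation IP, not the real one).
FORGED = """Received: from our_mx by my_machine for my_address
Received: from ourdomain (localhost [198.51.100.23] (may be forged)) by our_mx
From: "MAILER-DAEMON" <noreply@ourdomain>
Subject: Delivery reports about your e-mail

"""

# Constructed sample of a genuine bounce generated on the MX itself.
GENUINE = """Received: from our_mx by my_machine for my_address
Received: from ourdomain (localhost [127.0.0.1]) by our_mx
From: "Mail Delivery Subsystem" <MAILER-DAEMON@ourdomain>
Subject: Undelivered Mail Returned to Sender

"""

# "from <helo> (<reverse-dns> [<ip>] ..." as written by sendmail/postfix-style MTAs
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]")


def forged_local_hops(raw):
    """Return (helo, ip) for every hop claiming our domain from a non-local IP."""
    msg = message_from_string(raw)
    hits = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if not m:            # hop without a "(rdns [ip])" clause: nothing to judge
            continue
        helo = m.group("helo")
        ip = ipaddress.ip_address(m.group("ip"))
        claims_local = helo == OUR_DOMAIN or helo.endswith("." + OUR_DOMAIN)
        if claims_local and not any(ip in net for net in LOCAL_NETS):
            hits.append((helo, str(ip)))
    return hits


def looks_like_forged_bounce(raw):
    """True when a MAILER-DAEMON-style sender arrives via a forged local HELO."""
    sender = message_from_string(raw).get("From", "")
    return "MAILER-DAEMON" in sender.upper() and bool(forged_local_hops(raw))
```

Because the verdict keys on the forged hop and not on the MAILER-DAEMON sender alone, a genuine bounce from the MX is left untouched, which is the distinction sa-learn needs.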
