On Fri, 2010-09-24 at 19:40 -0500, Chris wrote:
> On Sat, 2010-09-25 at 01:07 +0200, Karsten Bräckelmann wrote:
> > Ham!? PBL, SORBS DUL. Are you trying to use whitelisting to protect
> > outgoing messages? Shouldn't you be using authenticated SMTP instead?
>
> No Karsten, this is incoming mail to my machine. I don't run a server,
> this is straight from my ISP, picked up with fetchmail and processed
> through procmail.
Yeah, I was wondering about that like shortly after I sent the message.
The "ham" got me confused, thinking it really was ham.

> > Oh, and... Do you DKIM sign mail before scanning it with SA?
>
> No, as you can see here, my ISP adds the DKIM signature.
>
> http://pastebin.com/LqVtvjgM

OK, wait. That sample is really an example showing the DKIM headers,
sent by *you*. Right? It's authenticated. So, yeah, DKIM signing that
one looks right.

Begs the question why the phish that started this thread has been DKIM
signed by your ISP, too. Seriously. Hmm, from your original pastebin:

  Authentication-Results: smtp03.embarq.synacor.com smtp.user=thewhedbees;
    auth=pass (LOGIN)
  Received: from [201.216.4.186] ([201.216.4.186:4248] helo=User)
    by mailrelay.embarq.synacor.com (envelope-from <al...@embarqmail.com>)
    (ecelerity 2.2.2.40 r(29895/29896)) with ESMTPA id DB/9E-17249-7F22B9C4;
    Thu, 23 Sep 2010 05:54:58 -0400

So, this ALSO was an authenticated submission? And that's why your ISP
signed it. Which would explain why it got whitelisted, no?

Yup, *that* is how you do targeted phishing! Don't send from an outside
machine, but crack an account or otherwise send from internal, trusted
sources. It will make your phish look much more legit.

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
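The point Karsten makes above is that an ISP DKIM signature on a message that entered the relay over authenticated SMTP only proves the customer account authenticated, so a whitelist keyed on that signature lets a phish from a compromised account through. The script below is an added example (not part of the mailing-list message and not SpamAssassin code) that parses the two headers quoted from the pastebin, recovers the submission details (authenticated user, client IP, HELO, ESMTPA hop) and applies a heuristic, assumed for this example, that treats the ISP signature as weak evidence of ham when the mail was an authenticated submission from a client whose HELO is not a hostname. The header text is copied from the message; the function names and the "no dot in HELO" rule are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Header block copied from the pastebin excerpt quoted in the message above.
# Only these two headers are used; the DKIM-Signature header itself is not part
# of the excerpt.
SAMPLE_HEADERS = """\
Authentication-Results: smtp03.embarq.synacor.com smtp.user=thewhedbees; auth=pass (LOGIN)
Received: from [201.216.4.186] ([201.216.4.186:4248] helo=User)
 by mailrelay.embarq.synacor.com (envelope-from <al...@embarqmail.com>)
 (ecelerity 2.2.2.40 r(29895/29896)) with ESMTPA id DB/9E-17249-7F22B9C4;
 Thu, 23 Sep 2010 05:54:58 -0400
"""


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join RFC 5322 folded continuation lines and split into (name, value) pairs."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:  # continuation line of the previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def analyze_submission(raw: str) -> Dict[str, object]:
    """Summarise how the message entered the ISP's relay.

    Scans every Received header for a hop that used an authenticated ESMTP
    variant (ESMTPA / ESMTPSA) and records the client IP and HELO of that hop,
    plus the user and result from Authentication-Results.
    """
    result: Dict[str, object] = {
        "auth_user": None,
        "auth_pass": False,
        "client_ip": None,
        "helo": None,
        "authenticated_hop": False,
    }
    for name, value in unfold_headers(raw):
        lname = name.lower()
        if lname == "authentication-results":
            m = re.search(r"smtp\.user=([^;\s]+)", value)
            if m:
                result["auth_user"] = m.group(1)
            result["auth_pass"] = bool(re.search(r"\bauth=pass\b", value))
        elif lname == "received" and re.search(r"\bwith E?SMTPS?A\b", value):
            # This is the hop where the sender authenticated to the relay.
            result["authenticated_hop"] = True
            m = re.search(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
            if m:
                result["client_ip"] = m.group(1)
            m = re.search(r"helo=([^\s)]+)", value)
            if m:
                result["helo"] = m.group(1)
    return result


def dkim_whitelist_is_meaningful(raw: str) -> bool:
    """Decide whether an ISP DKIM signature should count as evidence of ham.

    Heuristic assumed by this example (not a SpamAssassin rule): if the ISP
    signs everything its customers submit over authenticated SMTP, the
    signature only proves the account authenticated, so a compromised account
    yields a validly signed phish. Treat the signature as weak when the
    submitting client also looks like a throw-away tool (HELO with no dot).
    """
    info = analyze_submission(raw)
    submitted_by_customer = bool(info["auth_pass"]) and bool(info["authenticated_hop"])
    helo = str(info["helo"] or "")
    generic_helo = "." not in helo
    return not (submitted_by_customer and generic_helo)


if __name__ == "__main__":
    print(analyze_submission(SAMPLE_HEADERS))
    print("trust DKIM whitelist:", dkim_whitelist_is_meaningful(SAMPLE_HEADERS))
```

On the quoted headers this reports the authenticated user, the 201.216.4.186 client, the bare HELO of "User" and an ESMTPA hop, and so answers "no" to relying on the whitelist for that message. In a real deployment the same information is what you would feed into a rule or meta rule rather than trusting whitelist_from_dkim on the ISP's domain alone.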