I'm not familiar enough to tell if an address is forged or not. Here is the scoring from one of the spam messages from autoconf...@amazon.com which I suspect tainted AWL:
Content analysis details: (29.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.9 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: bestcomputerized.com]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: bestcomputerized.com]
 1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: bestcomputerized.com]
 3.5 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: bestcomputerized.com]
 4.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 2.5 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
 1.0 FH_HELO_EQ_D_D_D_D     Helo is d-d-d-d
 0.4 HTML_MESSAGE           BODY: HTML included in message
 1.5 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [95.134.111.12 listed in zen.spamhaus.org]
 4.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 3.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: bestcomputerized.com]
 3.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [URIs: bestcomputerized.com]
                            [Blocked - see <http://www.spamcop.net/bl.shtml?95.134.111.12>]
 1.5 RDNS_DYNAMIC           Delivered to trusted network by host with dynamic-looking rDNS

--- and the headers:

Received: (qmail 25679 invoked from network); 22 Aug 2010 06:47:56 -0600
Received: from 12-111-134-95.pool.ukrtel.net (95.134.111.12)
  by mail.smallgod.net with SMTP; 22 Aug 2010 06:47:55 -0600
Received-SPF: unknown (mail.smallgod.net: domain at spf.smallgod.net does not designate permitted sender hosts)
Received: from mm-notify-out-209-84.amazon.com (mm-notify-out-209-84.amazon.com [72.21.209.84])
  by server94.appriver.com with asmtp id 8064CA-0003F6-18;
  for <host...@jpkvideo.net>; Sun, 22 Aug 2010 15:47:34 +0200
Date: Sun, 22 Aug 2010 15:47:34 +0200
From: "auto-conf...@amazon.com" <auto-conf...@amazon.com>
To: <host...@jpkvideo.net>
Message-ID: <000d01cb41f8$31007700$6400a8c0.javamail.corre...@na-mm-relay.amazon.com>
Subject: Your Order with Amazon.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_9404548_33090959.9063490075401"
Bounces-to: da5f1995b875ded4537402d6b10da455cf04fa500aa...@bounces.amazon.com
X-AMAZON-MAIL-RELAY-TYPE: notification
X-AMAZON-RTE-VERSION: 2.0

On Mar 6, 2011, at 12:33 PM, Karsten Bräckelmann wrote:

> On Sun, 2011-03-06 at 11:39 -0800, JP Kelly wrote:
>> Yeah that sender's email address had been forged for a bunch of spam I
>> received.
>
> Without reading the following paragraph, I'd immediately suspect a
> cracked account, not address forgery. The AWL is limited by address and
> originating net-block (default /16, configurable since 3.3), thus it is
> rather unlikely, spam with that address forged is sent from a nearby
> address...
>
>> I used spamassassin --remove-addr-from-whitelist for that address
>> Also I did not have internal_networks and trusted_networks lines in my
>> local.cf, which I added. Hopefully that will help. Thanks!
>
> Bad internal and trusted networks settings would also explain this,
> though.
>
> If those are missing a forwarding / relay system, that one will be
> considered the handing-over machine -- which renders most DNSBLs as well
> as a lot of rules useless. Plus, as far as AWL is concerned, the
> net-block constraint effectively is disabled.
>
>
> Kind of wonder though, why that Amazon outgoing SMTP cluster should be
> part of your internal network. Or, how a forged address ended up being
> sent through it...
>
>>>> -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
>>>> medium trust
>>>> [72.21.212.35 listed in list.dnswl.org]
>
> --
> char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
> main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
> (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
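To make the trusted_networks point from the quoted reply concrete, here is an added example (not from this thread or from SpamAssassin itself) that walks a Received chain newest-hop-first and stops at the first relay outside trusted_networks, the way SpamAssassin picks the handing-over machine. The chain is constructed from the IPs in the headers above plus a hypothetical forwarder "mx.example.net" (203.0.113.7); the AWL key shape is only a sketch of the address-plus-/16 pairing the reply describes, not SpamAssassin's on-disk format.

```python
import ipaddress
import re

# Constructed Received chain, newest hop first. The external hops reuse the
# hosts/IPs from the headers in the post; "mx.example.net" is a hypothetical
# forwarding relay that sits between the sender and mail.smallgod.net.
RECEIVED = [
    "from mx.example.net (mx.example.net [203.0.113.7]) "
    "by mail.smallgod.net with ESMTP; 22 Aug 2010 06:47:56 -0600",
    "from 12-111-134-95.pool.ukrtel.net (95.134.111.12) "
    "by mx.example.net with SMTP; 22 Aug 2010 06:47:55 -0600",
    "from mm-notify-out-209-84.amazon.com (mm-notify-out-209-84.amazon.com "
    "[72.21.209.84]) by server94.appriver.com with asmtp id 8064CA-0003F6-18",
]

# Connecting IP of a hop: the first dotted quad in [...] or (...) after "from".
IP_RE = re.compile(r"\bfrom\s+\S+.*?[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def sending_ips(received):
    """Connecting IP of every hop, newest first (hops without one are skipped)."""
    return [ipaddress.ip_address(m.group(1))
            for line in received if (m := IP_RE.search(line))]


def last_external_ip(received, trusted_networks):
    """First hop (newest-first) whose sender is not inside trusted_networks.

    With a forwarder missing from trusted_networks, the forwarder itself is
    returned, so DNSBL lookups and AWL net-block checks test the wrong host.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in sending_ips(received):
        if not any(ip in n for n in nets):
            return ip
    return None


def awl_key(sender, received, trusted_networks, mask=16):
    """(sender address, originating net-block) pair the AWL score is kept under."""
    ip = last_external_ip(received, trusted_networks)
    block = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return sender, str(block)


if __name__ == "__main__":
    print("no trusted_networks :", last_external_ip(RECEIVED, []))
    print("forwarder trusted   :", last_external_ip(RECEIVED, ["203.0.113.0/24"]))
    print("AWL key             :", awl_key("sender@example.com", RECEIVED, ["203.0.113.0/24"]))
```

Over-broad trust has the mirror failure: trusting 95.134.0.0/16 as well would make the forged amazon.com hop the handing-over machine.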