On Sun, 2011-03-06 at 12:48 -0800, JP Kelly wrote:
> I'm not familiar enough to tell if an address is forged or not. Here is
> the scoring from one of the spam messages from autoconf...@amazon.com
> which I suspect tainted AWL:
Nope. The originating IP isn't even close to the Amazon net-block, let
alone in the same /16.
Kind of start wondering which internal / trusted networks you just
added...
> 1.5 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
> [95.134.111.12 listed in zen.spamhaus.org]
> Received: (qmail 25679 invoked from network); 22 Aug 2010 06:47:56 -0600
> Received: from 12-111-134-95.pool.ukrtel.net (95.134.111.12)
> by mail.smallgod.net with SMTP; 22 Aug 2010 06:47:55 -0600
^^^^^^^^^^^^^^^^^
Your MX, I assume?
You cannot trust Received headers beyond this. The from is the last
trustworthy information.
> Received-SPF: unknown (mail.smallgod.net: domain at spf.smallgod.net does not
> designate permitted sender hosts)
Uhm, doesn't that mean the Envelope From is from YOUR domain? Yeah, that
would be forged. ;) You didn't include the Return-Path header in your
snippet, though.
> Received: from mm-notify-out-209-84.amazon.com
> (mm-notify-out-209-84.amazon.com [72.21.209.84])
> by server94.appriver.com with asmtp
> id 8064CA-0003F6-18;
> for <host...@jpkvideo.net>; Sun, 22 Aug 2010 15:47:34 +0200
The receiving server has address 204.232.236.150. Compare that to the
machine your MX has received the message from. This entire Received
header is forged, and the dial-up IP above is the originator.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
