On 2013-06-03 14:02, David B Funk wrote:
On Mon, 3 Jun 2013, David F. Skoll wrote:
On Mon, 3 Jun 2013 14:28:36 +0200
Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
You should look at Received: headers to see who passed the mail to
you and complain to abuse@ there. If the mail came from nacha.org, the
ab...@nacha.org is the right place to send complaints.
There were no Received: headers in my samples. They were directly injected
by compromised Windows boxes.
Maybe the lack of Received: headers could be used as the basis for an
SA rule.
How many legit MTAs are there that don't add Received: headers?
Hopefully none.
Unless you run submitted outbound mail through SpamAssassin, in which
case you could expect a VERY high false positive rate. While
SpamAssassin isn't fantastic for this particular role, it can help you
catch compromised accounts/systems before they spew too much.
You could probably mitigate this with one of the "trusted" type lists
that SpamAssassin uses though, if the rule were well written.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
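
The check discussed in this thread, sketched as an added example that is not code from any poster or from SpamAssassin: flag mail whose only Received: header is the one our own MTA stamped, unless the connecting client is on a trusted submission list. The hostname `mx.example.net`, the network `192.0.2.0/24`, the function names and the sample messages are all constructed assumptions.

```python
import email
import ipaddress
import re

LOCAL_MTA = "mx.example.net"                            # assumed: our receiving MTA
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed: submission clients

BY_HOST = re.compile(r"\bby\s+([^\s;]+)", re.I)
CLIENT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def is_trusted(ip_text):
    """True if the bracketed client address falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)

def classify(raw):
    """Return 'relayed', 'trusted-submission' or 'direct-injection'.

    Expects the message as seen after our own MTA added its Received: line.
    """
    hops = [str(h) for h in email.message_from_string(raw).get_all("Received", [])]
    ours, upstream = [], []
    for hop in hops:
        m = BY_HOST.search(hop)
        (ours if m and m.group(1).lower() == LOCAL_MTA else upstream).append(hop)
    if upstream:
        return "relayed"             # at least one earlier MTA handled the mail
    m = CLIENT_IP.search(ours[0]) if ours else None
    if m and is_trusted(m.group(1)):
        return "trusted-submission"  # our own users: exempt to avoid false positives
    return "direct-injection"        # client spoke SMTP to us with no prior hop

# Constructed sample messages (documentation addresses only).
TAIL = "From: sender@example.org\nSubject: test\n\nbody\n"
DIRECT = ("Received: from pc (unknown [203.0.113.45])\n"
          "\tby mx.example.net with SMTP; Mon, 3 Jun 2013 14:00:00 +0000\n" + TAIL)
RELAYED = ("Received: from mail.sender.example (mail.sender.example [198.51.100.7])\n"
           "\tby mx.example.net with ESMTP; Mon, 3 Jun 2013 14:00:05 +0000\n"
           "Received: from app by mail.sender.example; Mon, 3 Jun 2013 14:00:01 +0000\n"
           + TAIL)
SUBMISSION = ("Received: from laptop (laptop.example.net [192.0.2.10])\n"
              "\tby mx.example.net with ESMTPSA; Mon, 3 Jun 2013 14:00:09 +0000\n" + TAIL)

if __name__ == "__main__":
    for name, raw in [("DIRECT", DIRECT), ("RELAYED", RELAYED), ("SUBMISSION", SUBMISSION)]:
        print(name, classify(raw))
```

Received: lines below our own are supplied by the sender, so a hit here is best treated as one scoring signal among several rather than a verdict.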