On 6/19/2017 2:54 PM, Robert Kudyba wrote:
We use sendmail-8.15.2-8.fc25 on Fedora 25 with spamassassin-3.4.1-9.
Can anyone explain how this email got through with a forged from:
address? https://pastebin.com/L7NKCK3E
The 1st received IP is not on any real time blacklist as of this moment:
Received: from 167.249.16.132
The 2nd IP in the mail header trail now shows up in BACKSCATTER,
BLOCKLIST.DE and MAILSPIKE BL
Received: from embacelsga.localdomain (oi66.grupocartonpack.com [189.30.23.66])
But shouldn’t the default settings in sendmail.mc/cf check for
spoofing of the HELO?
I'm not aware of much in the way of spoofed helo checks by default in
sendmail.
The biggest issue I see is the SPF approval:
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: best guess record for domain of
le...@cis.fordham.edu designates 150.108.68.26 as permitted sender)
Perhaps a compromised account?
Regards,
KAM
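An added example, not part of the thread: a small parser that reads the Received trail and the (ARC-)Authentication-Results header the way the two posts above do by hand. It lists the connecting IP of each hop, pulls out the SPF verdict, flags the "best guess record" wording (the receiver synthesized a policy because the domain publishes no SPF record, so the pass is not a statement by the domain owner), and reports whether the IP SPF approved is the one that injected the message or merely the last relay. The sample headers are constructed for this example and use documentation-range hosts and IPs, not the values from the pastebin.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample headers modelled on the shape of the thread's excerpt.
# All hosts and IPs are documentation-range placeholders, not the real values.
SAMPLE_HEADERS = """Received: from mail.example.edu (mail.example.edu [203.0.113.26])
        by mx.example.net with ESMTPS id abc123
        for <user@example.net>; Mon, 19 Jun 2017 14:00:00 -0400
Received: from relay.localdomain (host.example.org [198.51.100.66])
        by mail.example.edu with ESMTP id def456;
        Mon, 19 Jun 2017 13:59:00 -0400
Received: from 192.0.2.132
        by relay.localdomain; Mon, 19 Jun 2017 13:58:00 -0400
ARC-Authentication-Results: i=1; mx.example.net;
        spf=pass (example.net: best guess record for domain of
        sender@example.edu designates 203.0.113.26 as permitted sender)
        smtp.mailfrom=sender@example.edu
From: Someone <sender@example.edu>
Subject: constructed sample

(body omitted)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
BRACKETED_IP = re.compile(r"\[(" + IPV4 + r")\]")
BARE_FROM_IP = re.compile(r"\bfrom\s+(" + IPV4 + r")")
SPF_CLAUSE = re.compile(r"spf=(\w+)\s*\(([^)]*)\)", re.IGNORECASE)


def received_hops(raw):
    """Return the connecting IP of each Received header, top (nearest us) first.

    Each MTA prepends its own Received line, so index 0 is the host that
    spoke to the final receiver and the last entry is the earliest hop seen.
    Only the top entry was observed by the receiver itself; the others were
    written by other parties and may be forged."""
    msg = message_from_string(raw, policy=default)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = str(hdr)
        m = BRACKETED_IP.search(text) or BARE_FROM_IP.search(text)
        if m:
            hops.append(m.group(1))
    return hops


def spf_assessment(raw):
    """Extract the SPF verdict from (ARC-)Authentication-Results.

    Flags the 'best guess record' wording: the evaluating receiver synthesized
    a policy because the domain publishes no SPF record, so the 'pass' is not
    a statement by the domain owner about who may send for it."""
    msg = message_from_string(raw, policy=default)
    for name in ("Authentication-Results", "ARC-Authentication-Results"):
        for hdr in msg.get_all(name, []):
            m = SPF_CLAUSE.search(str(hdr))
            if not m:
                continue
            result, comment = m.group(1).lower(), m.group(2)
            ip = re.search(r"designates\s+(" + IPV4 + r")", comment)
            return {
                "result": result,
                "best_guess": "best guess record" in comment.lower(),
                "designated_ip": ip.group(1) if ip else None,
            }
    return None


def analyze(raw):
    """Combine both views and say whether SPF vouches for the origin hop."""
    hops = received_hops(raw)
    spf = spf_assessment(raw)
    # SPF is evaluated against the single IP that connected to the receiver
    # (hops[0]); it says nothing about earlier hops or the From: display line.
    covers_origin = bool(spf and hops and spf["designated_ip"] == hops[-1])
    return {"hops": hops, "spf": spf, "spf_covers_origin": covers_origin}


if __name__ == "__main__":
    from pprint import pprint
    pprint(analyze(SAMPLE_HEADERS))
```

Run against a saved message instead of the constructed sample by passing the raw header block to `analyze()`. When `spf_covers_origin` is false and `best_guess` is true, as in the thread, the pass only tells you that the last relay was allowed to speak for itself; nothing in the trail authenticates the host that first submitted the message, which is why a compromised account or an open relay behind the approved server is the natural next question.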