On 6/19/2017 1:54 PM, Robert Kudyba wrote:
> We use sendmail-8.15.2-8.fc25 on Fedora 25 with spamassassin-3.4.1-9. Can anyone explain how this email got through with a forged from: address? https://pastebin.com/L7NKCK3E
>
> The 1st received IP is not on any real time blacklist as of this moment:
>
> Received: from 167.249.16.132
>
> The 2nd IP in the mail header trail now shows up in BACKSCATTER, BLOCKLIST.DE and MAILSPIKE BL
>
> Received: from embacelsga.localdomain (oi66.grupocartonpack.com [189.30.23.66])
>
> But shouldn't the default settings in sendmail.mc/cf check for spoofing of the HELO?
It appears this mail passed through your system and was forwarded to google, and maybe a little mangled along the way. This makes the headers hard to follow as to who added what, and what to trust. I don't believe sendmail has any default setting for rejecting HELO names. You should probably add "localdomain" to your access table.
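Since sendmail records the HELO name, the reverse-DNS name and the peer IP in each Received header it writes, the forgery signals the thread is discussing can be checked from the headers alone. The following is an added example, not code from the thread or from sendmail/SpamAssassin: it parses sendmail-style Received lines and flags a HELO that uses a non-routable suffix such as .localdomain, is unqualified, is a bare IP literal without the brackets RFC 5321 requires, or does not match the reverse DNS of the connecting host. The "from" clauses in the samples are the two quoted above; the "by" parts, the third clean sample and the heuristics themselves are constructed here.

```python
import ipaddress
import re

# Matches the "from" clause sendmail writes into a Received header:
#   Received: from <HELO name> (<reverse DNS> [<peer IP>]) by ...
# The reverse-DNS name is absent when the PTR lookup failed.
_FROM_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)

# HELO suffixes that can never name a host reachable from the Internet.
_BOGUS_SUFFIXES = (".localdomain", ".local", ".localhost", ".lan", ".internal")

# Constructed samples: the "from" clauses of the first two are the ones quoted
# in the post; everything after them, and the third line, is made up.
SAMPLES = [
    "Received: from embacelsga.localdomain (oi66.grupocartonpack.com [189.30.23.66]) by mx.example.invalid",
    "Received: from 167.249.16.132 ([167.249.16.132]) by mx.example.invalid",
    "Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.example.invalid",
]


def parse_received(line: str) -> dict:
    """Extract HELO name, reverse-DNS name and peer IP from a Received line."""
    m = _FROM_RE.match(line.strip())
    if not m:
        raise ValueError("not a sendmail-style Received header")
    return {"helo": m.group("helo"), "rdns": m.group("rdns"), "ip": m.group("ip")}


def _is_ip_literal(name: str) -> bool:
    """True if the name is an IPv4/IPv6 address, with or without brackets."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def _base_domain(name: str) -> str:
    """Crude registrable-domain approximation: the last two DNS labels."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def helo_findings(line: str) -> list:
    """Return the reasons a Received line's HELO looks forged (empty if clean)."""
    info = parse_received(line)
    helo, rdns = info["helo"], info["rdns"]
    findings = []
    if _is_ip_literal(helo):
        # RFC 5321 only allows an address literal in the form [a.b.c.d].
        if not (helo.startswith("[") and helo.endswith("]")):
            findings.append("bare IP used as HELO (RFC 5321 requires [brackets])")
    else:
        if "." not in helo:
            findings.append("unqualified HELO name")
        elif helo.lower().endswith(_BOGUS_SUFFIXES):
            findings.append("HELO uses a non-routable suffix")
        # A legitimate relay normally greets with a name in its own domain.
        if rdns and _base_domain(helo) != _base_domain(rdns):
            findings.append("HELO domain does not match reverse DNS")
    if rdns is None and info["ip"] is not None:
        findings.append("no reverse DNS for peer IP")
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample)
        for finding in helo_findings(sample) or ["(no findings)"]:
            print("   ", finding)
```

Run on the samples, the .localdomain line is flagged twice (bogus suffix, HELO/rDNS mismatch), the bare-IP line twice (unbracketed literal, no PTR), and the clean line not at all. These are scoring signals rather than grounds for outright rejection: legitimate but misconfigured senders trip the mismatch check often enough that, as the reply suggests, an access-table entry for the specific bogus name is the safer first step.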