[clue-tech] stopping bogus hosts using mail headers

Crawford Rainwater crawford.rainwater at linux-etc.com
Wed Jun 22 12:10:00 MDT 2005


Dan:

Sean R of tummy.com gave a nice presentation on Graylisting and other
anti-spam techniques for CLUE-North in April.  I do not know if Sean has
his slides up on tummy.com's web site, but they typically post them up
there sooner or later.

As for others spoofing your servers and domain names... welcome to the
club.  It happens unfortunately, but with better anti-spamming
techniques being used, most folks are starting to filter the "real" from
the "bogus" material these days.

HTH.

--- Crawford
CLUE-North Coordinator/Lackie ;-)
-- 
The Linux ETC Company
368 South McCaslin Boulevard
P.M.B. 146
Louisville, CO 80027 USA
+1 (303) 604-2550 (voice)
+1 (866) 604-2550 (toll free within the US)
+1 (303) 664-0036 (fax)
http://www.linux-etc.com

On Wed, 2005-06-22 at 12:00 -0600, clue-tech-request at clue.denver.co.us
wrote:
> Date: Wed, 22 Jun 2005 09:24:09 -0600
> From: "Ballon, Mike" <Mike.Ballon at echostar.com>
> Subject: RE: [clue-tech] stopping bogus hosts using mail headers
> To: "'CLUE technical discussions - Q& A'"
> 	<clue-tech at clue.denver.co.us>
> Message-ID:
> 	<B8C9CF34B3F7164282C8610C93BB94AF107BAA0A at riv-exchb1.echostar.com>
> Content-Type: text/plain
> 
> You can use rdns but it's so loosely adhered to you might block more than
> you want.
> 
> -----Original Message-----
> From: clue-tech-bounces at clue.denver.co.us
> [mailto:clue-tech-bounces at clue.denver.co.us] On Behalf Of Dan Harris
> Sent: Tuesday, June 21, 2005 4:33 PM
> To: CLUE technical discussions - Q& A
> Subject: [clue-tech] stopping bogus hosts using mail headers
> 
> I have recently been noticing a lot of spam is claiming to be 'from'  
> my mail server.  They are doing this:
> 
> ------------------------- BEGIN HEADERS -----------------------------
> Return-Path: <lnewhm at classified.co.jp>
> Received: from zerrenterprises.com
> (adsl-70-242-70-142.dsl.stlsmo.swbell.net [70.242.70.142])
>      by crestone.coronasolutions.com (Postfix) with ESMTP id ADBA0644100
>      for <3dlee.collier at zerrenterprises.com>; Tue, 21 Jun 2005
> 15:26:28 -0600 (MDT)
> 
> Notice the 'zerrenterprises.com' it claims to be, my mail server does
> receive and send for zerrenterprises.com, however the IP address is clearly
> not one of mine.  I wonder if there is a way using postfix or amavisd-new to
> detect these kinds of spoofs and immediately block them because the
> hostname, domain name didn't match?  Maybe tighten up that "HELO" reply
> some?
> 
> -Dan
> 
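One way to implement the check Dan asks about, as an added example that is not part of this thread: a small Python script that parses a Postfix-style Received header (the one from Dan's post, re-joined onto a single line) and flags a HELO name that claims one of the local domains while the connecting address lies outside the local networks. The LOCAL_DOMAINS and LOCAL_NETWORKS values are assumptions chosen for the example.

```python
import ipaddress
import re

# Constructed sample: the Received header from Dan's post, with the folded
# continuation lines joined back into one logical header.
SAMPLE_RECEIVED = (
    "Received: from zerrenterprises.com "
    "(adsl-70-242-70-142.dsl.stlsmo.swbell.net [70.242.70.142]) "
    "by crestone.coronasolutions.com (Postfix) with ESMTP id ADBA0644100"
)

# Assumed policy: domains this server handles mail for, and the networks
# that are allowed to present those names in HELO/EHLO.
LOCAL_DOMAINS = {"zerrenterprises.com", "coronasolutions.com"}
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("127.0.0.0/8")]

# Postfix writes "from <HELO name> (<reverse DNS or 'unknown'> [<IP>]) by ..."
RECEIVED_RE = re.compile(
    r"^(?:Received:\s*)?from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by"
)


def parse_received(header):
    """Return (helo, rdns, ip) from a Postfix-style Received header, or None."""
    m = RECEIVED_RE.match(header.strip())
    if not m:
        return None
    return m.group("helo"), m.group("rdns"), m.group("ip")


def helo_claims_local_domain(helo):
    """True when the HELO name is one of our domains or a host under one."""
    name = helo.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in LOCAL_DOMAINS)


def ip_is_local(ip):
    """True when the connecting address falls inside an allowed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETWORKS)


def check_received(header):
    """'REJECT' if HELO names our domain from a foreign IP, 'OK' otherwise,
    'UNPARSED' when the header is not in the expected Postfix form."""
    parsed = parse_received(header)
    if parsed is None:
        return "UNPARSED"
    helo, _rdns, ip = parsed
    if helo_claims_local_domain(helo) and not ip_is_local(ip):
        return "REJECT"
    return "OK"
```

In Postfix itself the same policy is expressed in smtpd_helo_restrictions: permit_mynetworks first, then a check_helo_access map that rejects your own domain names, so only listed networks may present them in HELO.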