[Mailman-Users] Recent phishing mails are targeting mailing-lists -- and do pass
Robert Heller
heller at deepsoft.com
Tue Sep 26 07:58:26 EDT 2017
One thing *I* have discovered is that "bogus" messages (e.g. phishing, etc.
spam) often have various envelope headers that give them away. One is a
"Received: " from a mail server with no reverse DNS ('Received: from ...
(unknown [ddd.ddd.ddd.ddd])'), so a spam filter rule like this:
"Received: from.*(unknown \[\d+\.\d+\.\d+\.\d+\])"
catches them. Set this filter to "Hold", since *some* E-Mail
clients/providers seem to use machines with non routing addresses either
internally or otherwise (typically AOL over a satellite Internet connection),
which you will want to pass through manually.
I also use SpamAssassin on my server, so having a rule like:
"X-Spam-Score: \d"
is also helpful at catching spam and phishing mail.
At Mon, 25 Sep 2017 21:31:05 -0700 Mark Sapiro <mark at msapiro.net> wrote:
>
> On 09/25/2017 03:49 AM, Ralf Hildebrandt wrote:
> > Recent phishing mails are targeting mailing-lists -- and do pass.
> >
> > From our logs:
> > Sep 25 12:10:41 2017 (1940) post to rundmail-it from sabishi.meister at charite.de, size=4760, message-id=<486320030245.201792592050 at charite.de>, success
> >
> > But the headers of the mail that was automatically passed (since
> > sabishi.meister at charite.de is a member) were:
> >
> > From: "Sabishi.Meister@" <charite.de events at tryphotels.ae>
>
>
> A post is considered to be from a list member if any of the headers in
> the Defaults.py/mm_cfg.py SENDER_HEADERS setting contains a member
> address. The default setting is
>
> SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
>
> (None means the envelope sender). Assuming you have the default setting,
> the sabishi.meister at charite.de address was either the envelope sender or
> in Reply-To: or Sender:.
>
> You could set
>
> SENDER_HEADERS = ('from',)
>
> in mm_cfg.py to test only the From: for list membership.
>
--
Robert Heller -- 978-544-6933
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller at deepsoft.com -- Webhosting Services
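
As an added illustration (not part of the original post and not Mailman's own code), the following Python sketch models the two checks discussed in this thread: the SENDER_HEADERS membership test and the Received: header filter rule. The member roster, addresses, sample message and helper names are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed roster and message; every address here is a placeholder.
MEMBERS = {"member@example.org"}
DEFAULT_SENDER_HEADERS = ("from", None, "reply-to", "sender")
STRICT_SENDER_HEADERS = ("from",)

# The filter pattern from the post; case-insensitive matching is an
# assumption of this sketch.
NO_RDNS = re.compile(r"Received: from.*(unknown \[\d+\.\d+\.\d+\.\d+\])", re.I)

RAW = """\
Received: from mail.phish.example (unknown [203.0.113.7])
\tby mx.example.org; Mon, 25 Sep 2017 12:10:40 +0200
From: "member@example.org" <events@phish.example>
Reply-To: member@example.org
Subject: constructed sample

body
"""

def candidate_senders(msg, envelope_sender, sender_headers):
    """Addresses consulted for the membership test; None = envelope sender."""
    found = []
    for name in sender_headers:
        if name is None:
            found.append(envelope_sender)
        else:
            found += [addr for _, addr in getaddresses(msg.get_all(name, []))]
    return [a.lower() for a in found if a]

def is_member_post(msg, envelope_sender, sender_headers):
    """True if any consulted address is on the roster."""
    return any(a in MEMBERS
               for a in candidate_senders(msg, envelope_sender, sender_headers))

def matches_header_filter(msg):
    """True if any Received: header matches the no-reverse-DNS rule."""
    return any(NO_RDNS.search("Received: " + " ".join(v.split()))
               for v in msg.get_all("received", []))

def demo():
    msg = message_from_string(RAW)
    env = "bounce@phish.example"  # constructed envelope sender
    return (is_member_post(msg, env, DEFAULT_SENDER_HEADERS),
            is_member_post(msg, env, STRICT_SENDER_HEADERS),
            matches_header_filter(msg))

if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

With the default tuple the Reply-To: address alone makes the post count as a member post; with `('from',)` only the real From: address is tested, and the Received: rule flags the message either way.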