13-Apr-2012

Mail bomber blocked?
For weeks, I’ve been receiving – as shown in operator.log – many, many messages that for some reason were accepted by the spam filter but were caught by the SMTP-client itself. They never made it to the inbox. Quite likely they were passed since the envelope_from was from within my own domain, but these headers were all forged: they were not sent from my domain:

X-PMAS-MAIL-FROM: backpedaledsupw@siaminet.com
Received: from unknown ([188.54.93.212] EXTERNAL) (EHLO device.lan) by
diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Mon, 09 Apr
2012 02:18:37 +0000
Received: from 188.54.93.212 (account HELO
grootersnet.nl) by grootersnet.nl (CommuniGate Pro SMTP 5.2.3) with ESMTPA id
712770485 for
; Mon, 9 Apr 2012 05:18:36 +0300
From:

(I don’t use Communigate – I know the product, I even tested it)

X-PMAS-MAIL-FROM: undecipherablex63@realliving.com
Received: from HSI-KBW-095-208-015-185.hsi5.kabel-badenwuerttemberg.de
([95.208.15.185] EXTERNAL) (EHLO
HSI-KBW-095-208-015-185.hsi5.kabel-badenwuerttemberg.de) by
diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Mon, 09 Apr
2012 11:09:39 +0000
Received: from apache by mdbaensicmbdedm.iztzg.hr with local (Exim 4.67)
(envelope-from < >) id MHY1YI-HP2T4L-B6 for
; Mon, 9 Apr 2012 12:09:38 +0100
To:

(I don’t use apache or Exim)

These are just two examples, but the majority have similar signatures. All have been forged!
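The two header sets above show the pattern: a Received line that claims "HELO grootersnet.nl" or "by grootersnet.nl" while the connecting address is external and the software banner is a product that is not running on the gateway. As an added example (not code from this post or from PMAS), the following script unfolds a raw header block and flags Received lines with exactly those two inconsistencies. The local domain, the internal address range and the expected MTA banner ("PreciseMail") are assumptions taken from the hostnames visible in the headers; the sample input is the first header set from the post, re-folded with leading whitespace so it parses as RFC 5322 continuation lines.

```python
import ipaddress
import re

# Assumptions for this example: the domain we own, the address blocks a
# legitimate internal hop would hand mail from, and the product string the
# real gateway stamps into its own Received line.
OWN_DOMAIN = "grootersnet.nl"
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]
OWN_MTA = "PreciseMail"

# Sample input: the first header set quoted in the post, re-folded so the
# continuation lines start with a space (the blog extraction dropped that).
SAMPLE_HEADERS = """X-PMAS-MAIL-FROM: backpedaledsupw@siaminet.com
Received: from unknown ([188.54.93.212] EXTERNAL) (EHLO device.lan) by
 diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Mon, 09 Apr
 2012 02:18:37 +0000
Received: from 188.54.93.212 (account HELO
 grootersnet.nl) by grootersnet.nl (CommuniGate Pro SMTP 5.2.3) with ESMTPA id
 712770485 for
 ; Mon, 9 Apr 2012 05:18:36 +0300
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_RE = re.compile(r"\bE?HELO\s+([^\s()]+)", re.IGNORECASE)


def unfold(raw):
    """Join RFC 5322 folded continuation lines; return [name, value] pairs in order."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            headers[-1][1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            headers.append([name.strip(), value.strip()])
    return headers


def in_own_domain(name):
    name = name.lower().rstrip(".")
    return name == OWN_DOMAIN or name.endswith("." + OWN_DOMAIN)


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def check_received(value):
    """Return the reasons (possibly none) why one Received header looks forged."""
    reasons = []
    from_part, _, by_part = value.partition(" by ")
    ips = IP_RE.findall(from_part)
    helo = HELO_RE.search(from_part)
    # 1. The sender greeted with our own domain name but connected from outside.
    if helo and in_own_domain(helo.group(1)) and ips and not is_internal(ips[0]):
        reasons.append(
            f"HELO {helo.group(1)} claims our domain but connecting IP {ips[0]} is external"
        )
    # 2. A hop claims to be one of our hosts yet carries a foreign MTA banner.
    by_words = by_part.split()
    by_host = by_words[0] if by_words else ""
    if in_own_domain(by_host) and OWN_MTA not in by_part:
        reasons.append(f"'by {by_host}' does not carry our MTA banner ({OWN_MTA})")
    return reasons


def analyze(raw):
    """Return (header_index, reason) for every suspicious Received header."""
    findings = []
    for idx, (name, value) in enumerate(unfold(raw)):
        if name.lower() == "received":
            for reason in check_received(value):
                findings.append((idx, reason))
    return findings


if __name__ == "__main__":
    for idx, reason in analyze(SAMPLE_HEADERS):
        print(f"header {idx}: {reason}")
```

Run as a script it reports both problems with the second Received line (the one the post says came from a CommuniGate server the author does not run) and nothing for the genuine PreciseMail hop. The same checks apply to the Exim example from the post: that hop does not claim the local domain at all, so the forgery there lies in the envelope and To fields rather than in the relay chain.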

What caused this flood to stop, all of a sudden? It might be an additional rule in the filter, rejecting any text that I found in the messages that were quarantined (I think PMAS did its job in a second pass?)…
Bogus accounts?
I need to shift attention a bit.
Where it was rather usual to find bogus users in the Wiki (requiring me to de-spam the wiki on a regular (almost daily…) basis), it seems this blog attracts ‘users’. Probably assuming they can abuse the blog, but the default role is ‘subscriber’ so they are not able to spoil the blog with their ‘content’. Though there is a possibility to try to abuse the comments – but again, I have taken precautions: there is a spam-test in place and comments need to be approved before publication.
The last additions seem to originate in China, based on names and domains: a few of the latter are well known to me: the PMAS anti-relay feature logs these domains quite often if there are large numbers of relay attempts….
To mention the latest I’ve seen:
126.com
163.com
yeah.com

These are not forged: there is a mail check in the program and if an email-address is fake, I’ll be notified. (I would like MoinMoin to have the same feature…)
I don’t mind subscribers… But these are known to me to be domains accepting abusive Internet users. So I’m quite willing to rule ANY user from these domains off the blog.