[Coco] How did this spam from an open proxy get through a moderated list?

John E. Malmberg wb8tyw at qsl.net
Sat Apr 30 20:27:04 EDT 2005


: Original-Received: from unknown (HELO 216.92.131.37) (220.126.249.150)
:	by qs281.pair.com with SMTP; 30 Apr 2005 22:39:12 -0000

Absolute spam indicator when external mail server says helo with the 
I.P. address of the receiving mail server instead of its name.

A mail server should be configured to just issue an SMTP 550 code to it, 
the message text does not matter since it did not come from

: http://www.spamhaus.org/query/bl?ip=220.126.249.150

This list is also known for zero false positives.

No rDNS at all, is an over 90% indication that the mail is spam.

When a mail server says hello with anything other than its rDNS name, 
that is suspicious, but allowed by RFC, so I have been told.

I am also told that all servers connected to the internet including mail 
servers are required to have a working rDNS name by RFC.

Looks like a spammer is spoofing that they are coming from a subscribed 
user.  Since gmane munged it, I can not tell which one.

I do not think that this forum has any subscribers in Korea and if they 
are, would not be using an improperly configured mail server that is 
deliberately lying about its origin, that has been confirmed to be 
sending e-mail to non-existent e-mail addresses.

-John
wb8tyw(at)qsl.net
Personal Opinion Only
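The checks the post walks through (HELO carrying the receiving server's own IP, no rDNS, HELO not matching rDNS), as an added Python example that is not part of the original post; it parses the Received header layout quoted above and, as the post states, assumes 216.92.131.37 is the receiving server's address, which is passed in rather than resolved so it runs offline.

```python
import re
from ipaddress import ip_address

# Constructed sample, modelled on the Received header quoted in the post.
SAMPLE_RECEIVED = (
    "from unknown (HELO 216.92.131.37) (220.126.249.150)\n"
    "\tby qs281.pair.com with SMTP; 30 Apr 2005 22:39:12 -0000"
)

# Matches the layout "from <rdns> (HELO <name>) (<ip>) by <host>" seen above.
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+"
    r"\((?P<ip>[^)]+)\)\s+by\s+(?P<by>\S+)", re.S)

def parse_received(header):
    """Extract rDNS name, HELO argument, client IP and receiving host."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("unrecognised Received header layout")
    return m.groupdict()

def is_ip_literal(text):
    """True when the HELO argument is a bare IP (with or without brackets)."""
    try:
        ip_address(text.strip("[]"))
        return True
    except ValueError:
        return False

def helo_indicators(fields, receiver_ips):
    """Return the post's spam indicators for one parsed Received header.

    receiver_ips: the receiving server's own addresses (assumed input, not
    resolved here), so the 'HELO is our IP' check needs no DNS.
    """
    flags = []
    helo, rdns = fields["helo"].strip(), fields["rdns"]
    helo_is_ip = is_ip_literal(helo)
    if helo_is_ip and ip_address(helo.strip("[]")) in {ip_address(a) for a in receiver_ips}:
        flags.append("helo-is-receiver-ip")   # the post's "absolute" indicator
    elif helo_is_ip:
        flags.append("helo-is-ip-literal")    # bare IP instead of a hostname
    if rdns.lower() == "unknown":
        flags.append("no-rdns")               # "over 90% indication" per the post
    elif not helo_is_ip and helo.lower() != rdns.lower():
        flags.append("helo-rdns-mismatch")    # suspicious but RFC-allowed
    return flags

def smtp_reply(flags):
    """Issue the 550 the post recommends only for the absolute indicator."""
    return "550 rejected" if "helo-is-receiver-ip" in flags else "250 OK"
```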
