[Mailman-Users] Recent phishing mails are targeting mailing-lists -- and do pass

Robert Heller heller at deepsoft.com
Tue Sep 26 07:58:26 EDT 2017

One thing *I* have discovered is that "bogus" messages (eg phishing, etc. 
spam), often have various envlope headers that give them away.  One is a 
"Reveived: " from a mail server with no reverse DNS ('Reveived: from ... 
(unknown [ddd.ddd.ddd.ddd])', so a spam filter rule like this:

"Received: from.*(unknown \[\d+\.\d+\.\d+\.\d+\])"

catches them.  Set this filter to "Hold", since *some* E-Mail 
clients/providers seem to use machines with non routing addresses either 
internally or otherwise (typically AOL over a Satelite Internet connection), 
which you will want to pass though manually.

I also use Spamassassin on my server, so having a rule like:

"X-Spam-Score: \d"

is also helpful at catching spam and phishing mail.

At Mon, 25 Sep 2017 21:31:05 -0700 Mark Sapiro <mark at msapiro.net> wrote:

> On 09/25/2017 03:49 AM, Ralf Hildebrandt wrote:
> > Recent phishing mails are targeting mailing-lists -- and do pass.
> > 
> > From our logs:
> > Sep 25 12:10:41 2017 (1940) post to rundmail-it from sabishi.meister at charite.de, size=4760, message-id=<486320030245.201792592050 at charite.de>, success
> > 
> > But the headers of the mail that was automatically passed (since
> > sabishi.meister at charite.de is a member) was:
> > 
> > From: "Sabishi.Meister@" <charite.de events at tryphotels.ae>
> A post is considered to be from a list member if any of the headers in
> the Defaults.py/mm_cfg.py SENDER_HEADERS setting contains a member
> address. The default setting is
> SENDER_HEADERS = ('from', None, 'reply-to', 'sender')
> (None means the envelope sender). Assuming you have the default setting,
> the sabishi.meister at charite.de address was either the envelope sender or
> in Reply-To: or Sender:.
> You could set
> SENDER_HEADERS = ('from',)
> in mm_cfg.py to test only the From: for list membership.

Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller at deepsoft.com       -- Webhosting Services

More information about the Mailman-Users mailing list