spamassassin-users mailing list archives

From Daniel McDonald <dan.mcdon...@austinenergy.com>
Subject Re: X-Relay-Countries
Date Thu, 14 Feb 2013 13:34:33 GMT

On 2/14/13 6:21 AM, "Ned Slider" <ned@unixmail.co.uk> wrote:

> On 12/02/13 20:33, Daniel McDonald wrote:
>> 
>> On 2/12/13 1:15 PM, "David F. Skoll" <dfs@roaringpenguin.com> wrote:
>> 
>>> 
>>> PS: Beware of penalizing other countries too much.  My mail originates
>>> from Canada and the PostgreSQL mailing list is (or used to be?) hosted
>>> in Panama.  Furthermore, by far the lion's share of spam originates from
>>> the US.
>> 
>> Yes, of course.  But some mail just isn't likely to originate overseas.  For
>> example, we have been getting a lot of phishes pretending to be FedEX
>> non-delivery notices.  FedEX is based in the US, so if I see "FedEX" and
>> RELAY_NOT_US, and a couple of other spam signs, I can more safely conclude
>> it is spam....
>> 
> 
> Nice idea, but why not just use SPF for fedex.com as they bother to
> publish an SPF record? Surely that has to be a far more reliable
> indicator it wasn't sent from fedex?
> 
> 
> $ dig txt fedex.com
> 
> ;; ANSWER SECTION:
> fedex.com.              10578   IN      TXT     "v=spf1 redirect=_spf.infosec.fedex.com"
> 
> 
> They might sign their mail too, but as I don't have any legitimate fedex
> mails to hand, I can't confirm that.
> 

We get plenty of messages from suppliers stating that they have made a
shipment, and the fedex tracking number is foo.  But lately we've been
getting a lot of phishes where the link for the fedex tracking number
actually points to malware, and most of these are using cracked accounts and
are being generated on botnets, so I'm looking for a fedex "tracking link"
that didn't originate locally.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281
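
The combination discussed in this thread (a FedEx "tracking link" that does not point at fedex.com, plus a relay outside the US) is sketched below as an added example; it is not part of the original message and is not a SpamAssassin rule. `relay_countries` is assumed to be the list of relay country codes already computed for the message, and all function names, signal names and sample messages are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND, BRAND_DOMAIN, HOME = "fedex", "fedex.com", "US"  # assumed values

class Links(HTMLParser):
    """Collect (href, visible text) for each <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def on_brand_domain(url):
    """True only for fedex.com or a subdomain, not look-alike hosts."""
    host = (urlsplit(url).hostname or "").lower()
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)

def signals(raw, relay_countries):
    """Return the names of the signals that fire for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    parser = Links()
    parser.feed(part.get_content() if part else "")
    parser.close()
    fired = []
    # A link that mentions the brand but leads somewhere else.
    if any(BRAND in (href + text).lower() and not on_brand_domain(href)
           for href, text in parser.links):
        fired.append("FEDEX_LINK_MISMATCH")
    # Any relay with a country code other than the home country.
    if any(c.isalpha() and c != HOME for c in relay_countries):
        fired.append("RELAY_NOT_US")
    return fired

def sample(href, text):  # constructed test message, not real mail
    return ("From: a@example.com\nSubject: Shipment\nMIME-Version: 1.0\n"
            f'Content-Type: text/html\n\n<a href="{href}">{text}</a>\n')

PHISH = sample("http://fedex.com.tracking.example.net/t", "FedEx tracking 000")
LEGIT = sample("https://www.fedex.com/track?id=000", "FedEx tracking 000")
```

A genuine tracking link relayed through another country fires only the country signal, which is why the thread treats the country as one input to a combined score rather than a verdict on its own.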

