> From: Cyborg <cyborg2@???>
> how can i detect the usage of "<>" as sender of an email
> in the smtp commands ?
>
> this spam wasn't a bounce mail, just normal spam. Any way of deciding on
> acl levels if it's a true bounce or just a spam ?

For slightly different spam:

acl_check_data:
  discard message   = discarded because recognized as Ukrainian spam (type 2)
          senders   = :
          condition = ${if eq{$received_protocol}{smtp}}
          condition = ${if !match{${local_part:$header_From:}}{(?i)daemon}}
          condition = ${if match{$message_headers_raw}\
                        {\N\AReceived:(?:.+\n\t)+.+\n\
                        Received: from unknown \(HELO localhost\) \
                        \(([a-z._-]+@[a-z.-]+)@([\d.]+)\)\n\
                        \tby \S+ with ESMTPA;.+\n\
                        X-Originating-IP: \2\n\
                        From: \1\n\
                        To: \S+\n\
                        Subject: [\x80-\xff ]+\n\
                        Date:\N}}
  # The second Received is fake.

>
>
> Spoolfileheader:
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1Ubv3c-0005Vw-QO-H
> exim 93 93
> <>
> 1368460380 0
> -helo_name 213.227.201.41
> -host_address 213.227.201.41.29058
> -host_name 213-227-201-41.static.vega-ua.net
> -interface_address XXXXXXXXXXXXXXXXXXXXXXXXXXX
> -received_protocol smtp
> -aclm _fromaddress 26
> ----RECIPIENT----
> -aclm _greylistreasons 51
> Message lacks Message-Id: header. Consult RFC2822.
>
> -body_linecount 27
> -max_received_linelength 82
> -frozen 1368460381
> XX
> 1
> ----RECIPIENT----
>
> 224P Received: from 213-227-201-41.static.vega-ua.net ([213.227.201.41]
> helo=213.227.201.41)
> by XXXXXXXXXXXXXXXXX.de with smtp (Exim 4.76)
> id 1Ubv3c-0005Vw-QO
> for ----RECIPIENT----; Mon, 13 May 2013 17:53:00 +0200
> 158P Received: from unknown (HELO localhost)
> (twatts@???@124.107.30.83)
> by 213-227-201-41.static.vega-ua.net with ESMTPA; Mon, 13 May
> 2013 18:51:07 +0200
> 025F From: twatts@???
> 031T To: ----RECIPIENT----
> 045 Subject: Manager fur Warenverteilung gesucht
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> best regards,
> Marius
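
An added example, not part of the original thread: the ACL conditions from the reply re-expressed in Python so the header regex can be tried offline against captured headers before it goes into a live configuration. The function names, the sample headers (documentation addresses, constructed) and the use of parseaddr to approximate ${local_part:$header_From:} are assumptions.

```python
import re
from email.utils import parseaddr

# The reply's regex without Exim's \N..\N quoting. Bytes, because
# $message_headers_raw is undecoded and Subject is matched as raw 8-bit.
FAKE_RELAY = re.compile(
    rb"\AReceived:(?:.+\n\t)+.+\n"
    rb"Received: from unknown \(HELO localhost\) "
    rb"\(([a-z._-]+@[a-z.-]+)@([\d.]+)\)\n"
    rb"\tby \S+ with ESMTPA;.+\n"
    rb"X-Originating-IP: \2\n"   # must repeat the IP claimed in Received
    rb"From: \1\n"               # must repeat the address claimed in Received
    rb"To: \S+\n"
    rb"Subject: [\x80-\xff ]+\n"
    rb"Date:"
)

def from_local_part(headers_raw: bytes) -> str:
    """Approximates ${local_part:$header_From:} (assumption: parseaddr)."""
    m = re.search(rb"^From:(.*)$", headers_raw, re.M)
    if not m:
        return ""
    addr = parseaddr(m.group(1).decode("latin-1").strip())[1]
    return addr.rsplit("@", 1)[0]

def should_discard(envelope_sender, received_protocol, headers_raw):
    if envelope_sender != "" or received_protocol != "smtp":
        return False  # "senders = :" and the $received_protocol condition
    if re.search(r"(?i)daemon", from_local_part(headers_raw)):
        return False  # looks like a real bounce: leave it alone
    return FAKE_RELAY.search(headers_raw) is not None

# Constructed samples: null-sender spam with a forged second Received, and a bounce.
SPAM = (
    b"Received: from relay.example.net ([192.0.2.41] helo=192.0.2.41)\n"
    b"\tby mx.example.org with smtp (Exim 4.76); Mon, 13 May 2013 17:53:00 +0200\n"
    b"Received: from unknown (HELO localhost) (jdoe@example.com@198.51.100.83)\n"
    b"\tby relay.example.net with ESMTPA; Mon, 13 May 2013 18:51:07 +0200\n"
    b"X-Originating-IP: 198.51.100.83\n"
    b"From: jdoe@example.com\n"
    b"To: rcpt@example.org\n"
    b"Subject: \xcf\xf0\xe8\xe2\xe5\xf2 \xec\xe8\xf0\n"
    b"Date: Mon, 13 May 2013 18:51:07 +0200\n"
)
BOUNCE = (
    b"Received: from mx.example.com ([192.0.2.10] helo=mx.example.com)\n"
    b"\tby mx.example.org with smtp (Exim 4.76); Mon, 13 May 2013 17:53:00 +0200\n"
    b"From: Mail Delivery System <Mailer-Daemon@example.com>\n"
)
```

The two backreferences are what make the pattern narrow: changing either the From: address or the X-Originating-IP: value so it no longer repeats the forged Received line makes the match fail.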