On Mon, Feb 13, 2017 at 10:44:22AM -0700, Phillip Carroll wrote:
> The problem is that some (very small) number of bad actors are managing to
> get by all of the MAIL time tests. A recent example:
>
> HOST = 47-48-213-250.static.gwnt.ga.charter.com
> HELO = amazon-sales.com
> The email received from this joker purports to be an acknowledgment by
> Amazon that "Your Amazon Order has Shipped", the order being a very
> expensive retail iPhone. (No doubt hoping to cause someone a panic attack
> and accompanying brain freeze) A convenient link to "Amazon" of course
> actually links to a site with a Chilean TLD that certainly has no connection
> to Amazon, but surely does have an unpleasant surprise for the innocent that
> clicks the link. (The latter actually makes no logical sense to me, in that
> the whole point of checking at MAIL time is to avoid redundant checking
> (particularly redundant conversations with DNS and ZEN) in case of multiple
> recipients.)

A purported bounce may well be sent with an empty return path:
MAIL FROM:<>
Does Exim (or do your MAIL command filters) do anything different
with an empty sender address? Perhaps such an address is not
matched by your rules.
--
Viktor.
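As an added illustration (not code from either poster), this is the shape of an Exim MAIL-time ACL that handles the null sender explicitly, so that sender-keyed tests which cannot see MAIL FROM:<> do not silently let it through while the host-based tests still run; the ACL name and the choice of DNSBL are assumptions.

```exim
# Hypothetical configuration fragment: hook the MAIL command to our ACL.
acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # "senders = :" is an address list whose single item is empty; in Exim
  # an empty item is what matches the null sender, i.e. MAIL FROM:<>.
  # Log it so a purported bounce from a suspicious host is visible.
  warn  senders     = :
        log_message = null sender from $sender_host_address \
                      helo=$sender_helo_name

  # Sender-keyed checks only make sense for a non-empty return path:
  # for MAIL FROM:<> both $sender_address and $sender_address_domain
  # are empty, so a rule keyed on them matches nothing.
  deny  !senders    = :
        !verify     = sender
        message     = sender verification failed for $sender_address

  # Host-based tests are evaluated for every MAIL command, null sender
  # included, because they key on the connecting host, not the sender.
  deny  dnslists    = zen.spamhaus.org
        message     = $sender_host_address is listed in $dnslist_domain: \
                      $dnslist_text

  accept
```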