Re: [exim] No MAIL verb before RCPT

Author: Phillip Carroll
Date:  
To: exim-users
Subject: Re: [exim] No MAIL verb before RCPT
On 2/13/2017 11:20 AM, Viktor Dukhovni wrote:
> On Mon, Feb 13, 2017 at 10:44:22AM -0700, Phillip Carroll wrote:
>
>> The problem is that some (very small) number of bad actors are managing to
>> get by all of the MAIL time tests. A recent example:
>>
>> HOST = 47-48-213-250.static.gwnt.ga.charter.com
>> HELO = amazon-sales.com
>>
>> The email received from this joker purports to be an acknowledgment by
>> Amazon that "Your Amazon Order has Shipped", the order being a very
>> expensive retail iPhone. (No doubt hoping to cause someone a panic attack
>> and accompanying brain freeze) A convenient link to "Amazon" of course
>> actually links to a site with a Chilean TLD that certainly has no connection
>> to Amazon, but surely does have an unpleasant surprise for the innocent that
>> clicks the link. (The latter actually makes no logical sense to me, in that
>> the whole point of checking at MAIL time is to avoid redundant checking
>> (particularly redundant conversations with DNS and ZEN) in case of multiple
>> recipients.)
>
> A purported bounce may well be sent with an empty return path:
>
>     MAIL FROM:<>
>
> Does Exim, (or do your MAIL command filters) do anything different
> with an empty sender address? Perhaps such an address is not
> matched by your rules.
>


Viktor,

The headers do not indicate this was a purported bounce. It had a normal
from header:
From: "Amazon.com" <amazon@???>

Thanks for the input,
Phil