Re: RFC3848 and ESMTPA in Receiver header

[Vaccus Spurcamen]

On Mon, 2011-07-25 at 11:14 +0200, J4K wrote:
> Morning everyone,
> 
>     Whilst trying to debug a spammer, or potential misconfiguration in
> my SA/postfix set-up, I noticed this in the spam header:
> *Received: from 95.132.70.144(helo=xxx.co.uk) by xxx.co.uk with esmtpa
> (Exim 4.69) (envelope-from ) id 1MMY4Z-6815vh-KW for <address@hidden>;
> Mon, 25 Jul 2011 08:05:42 +020*
> 
> The ESMTPA noted in the header stuck me as strange.  1) Does this mean
> that spammer authenticated with an smtp-auth username and password?
Suggests an authenticated user - nothing unusual in that, spammers
hijack accounts all the time (assuming the header is, of course,
genuine)
> 
> 2) Is there an SA rule that would subtract points if this is seem in a
> header ( I didn't think so)?
You could always write one.

> 
> 3) Would the Spam-Assassin Milter give this a free ride?  It would if it
> had the -I option, but mine does not.
>     -I      Ignores messages if the sender has authenticated via SMTP AUTH.
> 
> 
> Current programme called as:
> /usr/sbin/spamass-milter -P /var/run/spamass/spamass.pid -f -p
> /var/spool/postfix/spamass/spamass.sock -u nobody -e xxx.co.uk -M -r 12
> -i 127.0.0.1 -- -s 1050000
> 
> Regards, S.
> 
> 
> >From http://www.ietf.org/rfc/rfc3848.txt
> 
> 1.  IANA Considerations
> 
>    As directed by SMTP [2], IANA maintains a registry [7] of "WITH
>    protocol types" for use in the "with" clause of the Received header
>    in an Internet message.  This registry presently includes SMTP [6],
>    and ESMTP [2].  This specification updates the registry as follows:
> 
>    o  The new keyword "ESMTPA" indicates the use of ESMTP when the SMTP
>       AUTH [3] extension is also used and authentication is successfully
>       achieved.
> 
> 
> _______________________________________________
> Spamass-milt-list mailing list
> address@hidden
> https://lists.nongnu.org/mailman/listinfo/spamass-milt-list