Recognizing phish spam from exceedingly RFC compliant mailers
Here is how to tell if you were getting phish spam from a compromised server with an exceedingly RFC compliant mailer: you were getting email from addresses like firstname.lastname@example.org.
What was going on is that paypal.us was a CNAME to that hostname. (I say was because paypal.us has since been changed to an A record and an MX to localhost., possibly because they got tired of being forged on phish spam.)
According to the RFCs, when a mailer encounters a domain or host name that is a CNAME, it is supposed to not merely follow the CNAME but rewrite the address itself to use the target of the CNAME instead of the CNAME, including when the CNAME is in the envelope origin address. However, few mailers are this picky and RFC compliant; most will not rewrite a MAIL FROM address to canonicalize a CNAME.
So when a phish spammer compromises a server with a normal mailer and sends out their spam with an envelope address of 'email@example.com', it shows up at your mailer (and possibly in your inbox) with that
Sidebar: who isn't that picky and who is
From some quick poking, it seems that neither postfix, qmail nor Microsoft Exchange's SMTP server is quite that picky. The latter case is amusing, because Exchange is one of the few mailers that insists that lines in the SMTP conversation be terminated with both CR and LF; if you send bare LFs, it ignores you.
Both ZMailer and (some) modern versions of Sendmail are that picky.
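To make the canonicalization rule concrete, here is an added example (not from the original post or from any of the mailers named above) that does what a picky mailer does to a MAIL FROM domain, following the CNAME chain to the canonical name, and a receiving-side check that flags envelope senders whose domain is still an un-rewritten CNAME. The DNS records are a constructed in-memory zone so it runs offline; the names in it are hypothetical.

```python
# Added example: RFC-style canonicalization of a MAIL FROM domain through a
# CNAME chain, plus a receiver-side check for the tell described in the post:
# an envelope sender whose domain is a CNAME that the sending mailer did not
# rewrite. A constructed in-memory zone stands in for live DNS.

# Constructed records (hypothetical names): name -> (rrtype, target/value).
ZONE = {
    "alias.example.": ("CNAME", "mx-host.example."),
    "mx-host.example.": ("A", "192.0.2.10"),
    "plain.example.": ("A", "192.0.2.20"),
    "loop-a.example.": ("CNAME", "loop-b.example."),
    "loop-b.example.": ("CNAME", "loop-a.example."),
}

MAX_CNAME_HOPS = 8  # guard against CNAME loops and absurdly long chains


def _fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."


def canonicalize(domain: str, zone: dict = ZONE) -> str:
    """Follow CNAMEs to the canonical name, as a picky mailer would.
    Raises ValueError on an unresolvable name or a CNAME loop."""
    name = _fqdn(domain)
    for _ in range(MAX_CNAME_HOPS):
        rec = zone.get(name)
        if rec is None:
            raise ValueError(f"unresolvable name: {domain}")
        rrtype, target = rec
        if rrtype != "CNAME":
            return name.rstrip(".")
        name = _fqdn(target)
    raise ValueError(f"CNAME chain too long or looping for {domain}")


def canonical_mail_from(addr: str, zone: dict = ZONE) -> str:
    """Rewrite the domain part of an envelope sender to its canonical name."""
    local, _, domain = addr.rpartition("@")
    return f"{local}@{canonicalize(domain, zone)}"


def uncanonicalized_cname(addr: str, zone: dict = ZONE) -> bool:
    """True when the envelope sender's domain is a CNAME the sending mailer
    left un-rewritten. A scoring signal about the sender's software, not
    proof of phishing on its own."""
    _, _, domain = addr.rpartition("@")
    rec = zone.get(_fqdn(domain))
    return rec is not None and rec[0] == "CNAME"


def cname_chain_ok(domain: str, zone: dict = ZONE) -> bool:
    """Convenience wrapper: does the domain resolve to a canonical name?"""
    try:
        canonicalize(domain, zone)
        return True
    except ValueError:
        return False
```

Swap the in-memory zone for a real resolver lookup of the CNAME record to use this against live mail; the logic is unchanged.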