Hello,
After receiving an obvious scam email not marked by the runbox spam filter (which is ok, not the purpose of this message), I noticed that the mail server had associated the sender ip, 94.103.188.211, to the domain itfnet.org.
The domain itfnet.org is legitimate and at a glance it seems properly managed, unlike the host managing the IP range 94.103.188.128/25. While the host does publish a PTR record linking 94.103.188.211 to itfnet.org and pretends to be related to this domain in the HELO, it does not match anything back in the DNS zone of itfnet.org.
So it looks like runbox servers trust any PTR records/HELO, sent by potentially malicious clients, without checking that they actually match the claimed domains as I would have expected. What do you think ?
Regards