Header analysis [Was: Re: How to avoid s p lit up wor ds?]
Nick Simicich
njs at scifi.squawk.com
Tue Jan 21 21:21:09 CET 2003

At 06:08 AM 2003-01-21 -0800, Zack Brown wrote:
>A single-key-press complaint to the ISP and/or whatever authority there
>may be out there, would be cool. Has anyone implemented something that
>automatically analyzes the headers and determines the proper email
>addresses to complain to?

I believe that the best out there is SpamCop. It is also being tuned all
the time, depends on a number of external sources for information,
etc. For example, if a piece of mail is traced to an open proxy, it stops
doing further analysis, but that requires that it trust an external proxy
database.

>Actually, my understanding has been that sophisticated header munging is
>too difficult to detect automatically. Is that actually the case?

There are a number of things you can do. The real question is, "is it
possible to construct a header that makes it look like you are an open
relay as opposed to the spam origin?" Yes, certainly, but then you have the
question of why and how two open relays were used. The flip side of this
is that people will make a proxy look like an open relay. You really
cannot make the machine address of the proxy go away, because that is
applied by the next machine in sequence. So the best you can do is to try
and make the proxy look like it is running the ratware, or, alternatively,
like it is just an SMTP open proxy with a valid chain to someone you are
joe-jobbing. The only reason to do that is because you have a good proxy
you do not want to lose, or because you have someone you dislike who you
want the complaints to go to.

I have been using SpamCop for quite a while. It was seriously slow for a
while, then it improved. Someone joe-jobbed me once, and the reality was
that between 1 in 5 and 1 in 10 complaints do not use SpamCop. That is, by
far, most spam complaints do use SpamCop.

--
SPAM: Trademark for spiced, chopped ham manufactured by Hormel.
spam: Unsolicited, Bulk E-mail, where e-mail can be interpreted generally
to mean electronic messages designed to be read by an individual, and it
can include Usenet, SMS, AIM, etc. But if it is not all three of Unsolicited,
Bulk, and E-mail, it simply is not spam. Misusing the term plays into the
hands of the spammers, since it causes confusion, and spammers thrive on
confusion. If you were not confused, would you patronize a spammer?
Nick Simicich - njs at scifi.squawk.com - http://scifi.squawk.com/njs.html
Stop by and light up the world!
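
Added example, not part of the original post and not SpamCop's code: the point above that a hop's address "is applied by the next machine in sequence", turned into a Received-header walk that stops at the last address stamped by a machine you trust. The function name, the trusted-network list and the sample message are assumptions constructed for illustration; only bracketed IPv4 addresses are handled.

```python
import ipaddress
import re
from email import message_from_string

# Bracketed address that the receiving MTA records for its connecting peer.
_PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: our MX and internal relay, then an outside machine
# whose own Received line (the last one) we have no way to verify.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [10.0.0.5])
    by mx.example.net with ESMTP; Tue, 21 Jan 2003 12:00:03 -0800
Received: from mail.bystander.example (unknown [203.0.113.7])
    by relay.example.net with SMTP; Tue, 21 Jan 2003 12:00:02 -0800
Received: from dialup.bystander.example ([198.51.100.9])
    by mail.bystander.example with SMTP; Tue, 21 Jan 2003 11:59:40 -0800
From: sender@bystander.example
Subject: constructed sample

body
"""

def last_verifiable_hop(raw_message, trusted_nets):
    """Return (ip, unverified): the last peer address stamped by a machine we
    trust, and the addresses merely claimed by headers below that point."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    received = message_from_string(raw_message).get_all("Received") or []
    verified, unverified, trusting = None, [], True  # top header is our own MTA's
    for value in received:
        match = _PEER_IP.search(value)
        try:
            peer = ipaddress.ip_address(match.group(1)) if match else None
        except ValueError:  # e.g. [999.1.1.1]
            peer = None
        if not trusting:  # written by a machine we do not control
            if peer is not None:
                unverified.append(str(peer))
            continue
        if peer is None:  # cannot tell who wrote the next header down
            trusting = False
            continue
        verified = str(peer)
        # The next header down is trustworthy only if this peer is ours.
        trusting = any(peer in net for net in nets)
    return verified, unverified

if __name__ == "__main__":
    print(last_verifiable_hop(SAMPLE, ["10.0.0.0/8"]))
```

A complaint router would report against the first value only; the second list is what the sender could have written freely.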