Much simplified lexer

michael at optusnet.com.au michael at optusnet.com.au
Mon Nov 17 04:03:32 CET 2003


Matthias Andree <matthias.andree at gmx.de> writes:
> michael at optusnet.com.au writes:
> > [...] A fair bit of spam that I get has
> > a _single_ Received line. (i.e. the only one that's there is
> > what my system added). It's stuffed full of good info.
> >
> > Received: from 1.2.3.4 (mctn1-7619.nb.aliant.net [156.34.21.199])
> >         by funny.optusnet.com.au (8.12.8/8.12.8) with SMTP id hAC2vOQa029135
> >         for <james at plastic.whatnot.net.au>; Wed, 12 Nov 2003 13:57:53 +1100
> >
> > The 1.2.3.4 comes from the spammer. You'll note they lied. The _real_ source
> > is in the parentheses following. The 'funny.optusnet' is my system. The
> > 'james at plastic' is the spammer.
> 
> No, that's your local recipient address.

Sorry, I wasn't clear. 'james at plastic' is generated by the spammer. In
this case there's a reasonable number of addresses that wind up in the
same mailbox so knowing what they used on the SMTP envelope is fairly
significant.

[...] 
> OTOH, if I'm pulling mail with POP3 or IMAP, then I'll have extra
> Received: headers that are from my own mail fetcher or from my own
> system. Filtering by content (only filter those systems' Received: lines
> that don't receive directly from the spammer) looks feasible.

Neither POP3 nor IMAP will add Received lines but...
 
> > That's your configuration, and it's a _relatively_ rare one. The
> > common case is people POP'ing their mail straight off their ISP's mail
> > server.
> 
> See above: two extra Received: lines. (for fetchmail, that is).

... fetchmail feeding into a local MTA will.  To repeat myself though,
fetchmail is a relatively rare configuration. :)

michael.
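
Added example, not part of the original post and not bogofilter code: a small parser for the sendmail-style Received: line quoted above. It separates what the sender claimed (the HELO name) from what the receiving MTA recorded (reverse-DNS name, connecting IP, envelope recipient), and picks out the line written by your own mail server when later local hops have added more. The names parse_received, boundary_hop and LOCAL_HOP, and the desktop.example host, are assumptions made for this illustration.

```python
import ipaddress
import re

# The trace line quoted in the post (the list archive writes "@" as " at ").
SAMPLE = (
    "Received: from 1.2.3.4 (mctn1-7619.nb.aliant.net [156.34.21.199])\n"
    "        by funny.optusnet.com.au (8.12.8/8.12.8) with SMTP id hAC2vOQa029135\n"
    "        for <james at plastic.whatnot.net.au>; Wed, 12 Nov 2003 13:57:53 +1100"
)
# Constructed line standing in for a header added by a local re-delivery hop.
LOCAL_HOP = (
    "Received: from localhost (localhost [127.0.0.1])\n"
    "        by desktop.example (8.12.8/8.12.8) with ESMTP id hAC30000000001\n"
    "        for <user@desktop.example>; Wed, 12 Nov 2003 14:05:00 +1100"
)

RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)\s+"                          # sender's claim
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f:.]+)\]\)\s+"  # what the MTA saw
    r"by\s+(?P<by>\S+)"                                              # receiving host
    r"(?:.*?\sfor\s+<(?P<rcpt>[^>]+)>)?"                             # envelope recipient
    r".*?;\s*(?P<date>.+)$",
    re.IGNORECASE,
)

def parse_received(header):
    """Split one sendmail-style Received: header into its separate claims."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header.strip())  # undo header folding
    m = RECEIVED_RE.match(unfolded)
    if m is None:
        return None  # layout this sketch does not handle
    f = m.groupdict()
    helo = f["helo"].strip("[]")
    try:  # HELO given as an address: compare with the connecting address
        f["helo_matches_peer"] = ipaddress.ip_address(helo) == ipaddress.ip_address(f["ip"])
    except ValueError:  # HELO given as a name: compare with the reverse-DNS name
        f["helo_matches_peer"] = bool(f["rdns"]) and helo.lower() == f["rdns"].lower()
    if f["rcpt"]:
        f["rcpt"] = re.sub(r"\s+at\s+", "@", f["rcpt"])  # undo archive obfuscation
    return f

def boundary_hop(headers, my_mx):
    """Return the parsed line written by my_mx, skipping lines from later local hops."""
    for header in headers:  # headers are listed newest first
        f = parse_received(header)
        if f and f["by"].lower() == my_mx.lower():
            return f
    return None
```
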




More information about the Bogofilter mailing list