info about spam messages

David Relson relson at osagesoftware.com
Fri Jun 11 15:52:25 CEST 2004


On Fri, 11 Jun 2004 09:37:31 -0400
Tom Anderson wrote:

> From: "David Relson" <relson at osagesoftware.com>
> > It's likely not too hard for bogofilter to cache some more info
> > about the message and make it available via the formatting
> > mechanism.  I'm thinking of additional format specifications:
> >
> >    I - ip address
> >    F - From: address
> >
> > And you could then change your bogofilter.cf file to include:
> >
> >   log_header_format = %h: %c, spamicity=%p, version=%v, ipaddr=%I,
> > fromaddr=%F
> >
> > Sound reasonable?
> 
> Looks like the emails I sent from home this morning didn't get out of
> my outbox, because now I'm going to repeat myself.  Be very, very
> careful using any information in the header to block out emails at the
> MTA level.  Spams use spoofed headers more often than not.  Never ever
> rely on a "From" address.  You have to use the "Received" lines, and
> those can be spoofed too.  The only trustworthy one is the one set by
> your own server, but even in that line, you have to be careful...
> don't rely on the HELO string, only the IP address or rDNS address
> provided by your own mail server.  The logic to verify you have valid
> information can be somewhat complex.  I'd recommend it not be in
> bogofilter itself, but in your external script called from procmail. 
> See http://orderamidchaos.com/bogofilter/spamitarium for similar
> functionality.
> 
> Tom

Tom,

Right you are.  

I trust only the ip address in the first Received: stanza.  My thought
is to have bogofilter cache that value so it can be included (using
'%I') in the X-Bogosity line (or the logging message).

The From: address is easily forged and less reliable.  However, while
implementing the '%I' ability, adding '%F' for the From: address is
easy.

Having both spamicity and ip address in bogofilter's syslog message
seems useful.

Regards,

David
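
The check discussed in this thread, as an added example that is not part of the original messages or of bogofilter: take the peer IP only from the topmost Received: header, and only when that header was written by your own mail server, ignoring the HELO string and the From: address. The host name `mx.example.net`, the Postfix-style header layout, and the sample message are assumptions constructed for illustration.

```python
import email
import ipaddress
import re

# Assumption: the name our own MTA writes in the "by" clause.
OUR_MTA = "mx.example.net"

# Postfix-style layout (assumed): from <HELO> (<rDNS> [<ip>]) by <host> ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+"
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed sample: forged From:, misleading HELO, and a lower Received:
# line that the sender could have written itself.
SAMPLE = (
    "Received: from mail.bank.example (unknown [203.0.113.45])\n"
    "\tby mx.example.net (Postfix) with SMTP id ABC123\n"
    "\tfor <user@example.net>; Fri, 11 Jun 2004 09:40:00 -0400 (EDT)\n"
    "Received: from trusted.example.org (trusted.example.org [192.0.2.1])\n"
    "\tby mail.bank.example with ESMTP; Fri, 11 Jun 2004 09:39:00 -0400\n"
    'From: "Your Bank" <service@bank.example>\n'
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def trusted_peer_ip(raw_message, our_mta=OUR_MTA):
    """Return the peer IP recorded by our own MTA, or None if untrusted."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    # Only the topmost header was added by our server; unfold it first.
    top = " ".join(received[0].split())
    m = RECEIVED_RE.match(top)
    # The HELO and rDNS groups are deliberately not used for the decision.
    if m is None or m.group("by").lower() != our_mta.lower():
        return None
    try:
        return str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None

if __name__ == "__main__":
    print("ipaddr=%s" % trusted_peer_ip(SAMPLE))
```
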


