info about spam messages

Chris Wilkes cwilkes-bf at ladro.com
Fri Jun 11 19:00:50 CEST 2004


On Fri, Jun 11, 2004 at 12:44:06PM -0400, David Relson wrote:
> On Fri, 11 Jun 2004 12:11:17 -0400
> Tom Anderson wrote:
> > 
> > Well, that depends on whether you can correctly identify the IP
> > address in these lines:
> > 
> > Received: from 1.2.3.4 (IDENT:4.3.2.1 at 8.7.6.5.s.com[5.6.7.8])
> > Received: from 1.2.3.4 (<8.7.6.5.s.com> [5.6.7.8])
...
> 
> Recognizing "Received:.*[5.6.7.8]" isn't too hard.  I know that's how
> postfix formats its Received: line.  Do other MTAs use the same format? 
> If not, what format is used?

http://cr.yp.to/immhf/envelope.html

"In theory, the value of a Received field is tokenizable"
"In practice, SMTP servers put all sorts of badly formatted information
into Received lines."

Like Tom said you can really only trust what your servers put in there.
Also keep in mind that a corporation might have a couple email servers
to handle incoming mail so you just can't go by the first Received line
as that could be one of your own servers, which doesn't give you much to
go on.

Now we're lucky as we're only going to use what our own servers put in
there and that (should) be well formatted, or at least remain consistent
-- famous last words of course.

It might be easier to have people's MTAs put in a header line like
"X-Original-IP: 192.168.0.10" and go off of that.  I think yahoo's email
uses something similar to that to label their outgoing email though.
Does bogofilter ignore X- headers when tokenizing?

Chris
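The approach the thread converges on, walking Received headers newest-first and trusting only the lines written by your own MTAs, as an added example that is not part of the original post or of bogofilter. The trusted host names and addresses, the sample message, and the `[a.b.c.d]` bracket convention (the Postfix form Tom and David quote) are assumptions constructed for this illustration:

```python
import re
from email import message_from_string

# Assumption (constructed for this example): the names our own MTAs write
# after "by", and the addresses they use when relaying to one another.
TRUSTED_BY_HOSTS = {"mx1.example.net", "mx2.example.net"}
TRUSTED_IPS = {"192.0.2.1", "192.0.2.2"}

# The bracketed address is the peer IP the receiving MTA itself observed.
# Everything else after "from" (HELO name, IDENT, reverse name) is supplied
# by the sending side and must not be used for trust decisions.
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([^\s;()]+)")


def parse_received(value):
    """Split one Received header into (by_host, bracketed_ip); either may be None."""
    text = " ".join(value.split())  # unfold continuation lines
    by = BY_HOST.search(text)
    ip = BRACKET_IP.search(text)
    return (by.group(1) if by else None, ip.group(1) if ip else None)


def originating_ip(raw_message):
    """Return the first outside IP that handed the mail to one of our servers.

    Headers are read newest-first. Internal hops between our own relays are
    skipped. The walk stops at the first line not written by a trusted host:
    from that point on the chain is hearsay and may have been forged by the
    sender, so None is returned if nothing trustworthy was found.
    """
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        by_host, ip = parse_received(value)
        if by_host not in TRUSTED_BY_HOSTS:
            return None      # left our infrastructure; stop, do not guess
        if ip is None:
            continue         # our server wrote it but recorded no address (e.g. local pickup)
        if ip in TRUSTED_IPS:
            continue         # hop between our own relays, keep walking
        return ip
    return None


# Constructed sample: two internal hops, then the external handoff, then a
# line the sender could have written itself (and which must be ignored).
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.2])
\tby mx1.example.net (Postfix) with ESMTP id 0A1B2C3D
\tfor <user@example.net>; Fri, 11 Jun 2004 12:00:00 -0400
Received: from 1.2.3.4 (IDENT:4.3.2.1 at 8.7.6.5.s.com[5.6.7.8])
\tby mx2.example.net (Postfix) with SMTP id 4E5F6A7B
Received: from spoofed.example.org (spoofed.example.org [203.0.113.9])
\tby 1.2.3.4 with SMTP
Subject: test

body
"""

if __name__ == "__main__":
    print(originating_ip(SAMPLE))
```

Note that the check for an internal hop compares the bracketed IP, not the name after "from": the name is whatever the peer announced in HELO, so matching it against your own host names would let a sender talk its way past the skip logic. The walk also stops rather than continues at the first untrusted "by" host, which is exactly the point Chris makes about not being able to go by the first Received line alone.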

