info about spam messages

David Relson relson at osagesoftware.com
Fri Jun 11 19:27:50 CEST 2004


On Fri, 11 Jun 2004 10:00:50 -0700
Chris Wilkes wrote:

> On Fri, Jun 11, 2004 at 12:44:06PM -0400, David Relson wrote:
> > On Fri, 11 Jun 2004 12:11:17 -0400
> > Tom Anderson wrote:
> > > 
> > > Well, that depends on whether you can correctly identify the IP
> > > address in these lines:
> > > 
> > > Received: from 1.2.3.4 (IDENT:4.3.2.1 at 8.7.6.5.s.com[5.6.7.8])
> > > Received: from 1.2.3.4 (<8.7.6.5.s.com> [5.6.7.8])
> ...
> > 
> > Recognizing "Received:.*[5.6.7.8]" isn't too hard.  I know that's
> > how postfix formats its Received: line.  Do other MTAs use the same
> > format? If not, what format is used?
> 
> http://cr.yp.to/immhf/envelope.html
> 
> "In theory, the value of a Received field is tokenizable"
> "In practice, SMTP servers put all sorts of badly formatted
> information into Received lines."
> 
> Like Tom said you can really only trust what your servers put in
> there. Also keep in mind that a corporation might have a couple email
> servers to handle incoming mail so you just can't go by the first
> Received line as that could be one of your own servers, which doesn't
> give you much to go on.

Having a couple of levels of email servers can be handled by a
resourceful admin.  Assuming s/he wants to use '%I', s/he'll just have
to tweak the code to get the desired address.

> Now we're lucky as we're only going to use what our own servers put in
> there and that (should) be well formatted, or at least remain
> consistent-- famous last words of course.

Modulo the fact that different sites use different MTAs which may use
different formats, which is what I'm presently concerned about.

> 
> It might be easier to have people's MTAs put in a header line like
> "X-Original-IP: 192.168.0.10" and go off of that.  I think yahoo's
> email uses something similar to that to label their outgoing email
> though. Does bogofilter ignore X- headers when tokenizing?

Such a question can be answered with:

    echo X-Header: testing | bogolexer -p

Regards,

David
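
The approach discussed in this thread, as an added example that is not part of the original message or of bogofilter's code: walk the Received: headers newest first, skip hops from your own relays, and take the bracketed client address from the first line your border server wrote. The function name, the trusted network list and the sample message are constructed for illustration, and the regular expression assumes the Postfix-style "(name [ip])" comment quoted above.

```python
import ipaddress
import re
from email import message_from_string

# Postfix-style client comment: "(rdns [ip])" or "(IDENT:user at rdns[ip])".
# Requiring "])" skips a HELO given as an address literal, e.g. "from [10.0.0.1]".
CLIENT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")

# Constructed sample: two hops written by our own servers, then a line
# that arrived with the message and so cannot be trusted.
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [10.0.0.5])
\tby store.example.org (Postfix) with ESMTP id AAAA
Received: from 1.2.3.4 (<8.7.6.5.s.com> [5.6.7.8])
\tby mx1.example.org (Postfix) with ESMTP id BBBB
Received: from forged (forged.invalid [192.0.2.99])
\tby relay.invalid with SMTP
From: a@example.com
Subject: test

body
"""


def first_external_ip(raw_message, trusted_nets):
    """Return the peer IP recorded by our border MTA, or None.

    Received headers are read newest first. Hops whose client address is
    inside trusted_nets are our own relays and are skipped. The first
    address outside those networks is the answer; every header below it
    was supplied by the sender and is never read.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        match = CLIENT_IP.search(value)
        if match is None:
            return None  # unknown format: stop rather than read lower lines
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            return None  # malformed literal such as [999.1.1.1]
        if not any(ip in net for net in nets):
            return str(ip)
    return None


if __name__ == "__main__":
    print(first_external_ip(SAMPLE, ["10.0.0.0/8"]))
```

A site running a different MTA would replace `CLIENT_IP` with the pattern its own servers emit; the stop-at-first-unparsed-line behaviour is what keeps sender-supplied headers out of the result.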


