info about spam messages

Tom Anderson tanderso at oac-design.com
Fri Jun 11 19:30:13 CEST 2004


From: "David Relson" <relson at osagesoftware.com>
> Recognizing "Received:.*[5.6.7.8]" isn't too hard.  I know that's how
> postfix formats its Received: line.  Do other MTAs use the same format?
> If not, what format is used?

These are all real formats used by real MTAs:
> > Received: from 1.2.3.4 (IDENT:4.3.2.1 at 8.7.6.5.s.com[5.6.7.8])
> > Received: from 1.2.3.4 (<8.7.6.5.s.com> [5.6.7.8])
> > Received: from 1.2.3.4 ([5.6.7.8] ident=4.3.2.1)
> > Received: from 1.2.3.4 (proxying for 5.6.7.8) (user 4.3.2.1)
> > Received: from 1.2.3.4 (account 4.3.2.1[5.6.7.8] verified)
> > Received: from (1.2.3.4) [5.6.7.8]
> > Received: from (1.2.3.4 [5.6.7.8])
> > Received: from 1.2.3.4 (8.7.6.5.s.com [5.6.7.8])
> > Received: from 1.2.3.4 (4.3.2.1 at 8.7.6.5.s.com)
> > Received: from 1.2.3.4 (8.7.6.5.s.com)
> > Received: (from 4.3.2.1 at 8.7.6.5.s.com)
> > Received: (from 4.3.2.1 at 1.2.3.4)
> > Received: from ([5.6.7.8])
> > Received: from 5.6.7.8
> > Received: from 1.2.3.4

I can't necessarily tell you which MTAs they are, as I gathered all of the
different received formats I could find in any received line in any of my
emails, plus searches on the web.  Some of them are generated by various
proprietary web-based email systems like yahoo, aol, and hotmail.

If you use /Received:.*\[($IP)\]/, then a spammer could easily make
HELO=[5.6.7.8]. E.g., in "Received: from [5.6.7.8] (5.6.7.8.s.com [1.2.3.4])",
1.2.3.4 is the actual IP, whereas 5.6.7.8 is bogus.  I have a pretty
successful set of regexes in the "process_rcvd" function at
http://orderamidchaos.com/bogofilter/spamitarium, but it's not necessarily
foolproof.  I wouldn't automatically reject an email based on it alone.  And
I don't think bogofilter should output an IP with the implied authority that
it is absolutely the true one, or else people may do some stupid things with
it.  The spamicity that bogofilter outputs is clearly a guesstimate since
it's a probability.  An IP is an absolute thing though.

Tom
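As an added example (not code from the post, from bogofilter, or from the spamitarium script), a Python extractor that drops the client-supplied HELO token before looking for the bracketed address the receiving MTA wrote, compared with a naive "first bracketed IP" scan on the spoofed line above; the sample lines are constructed from the formats listed in the post, and the HELO-token rule is an assumption that holds for those formats.

```python
import ipaddress
import re

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
BRACKET_IP = re.compile(r"\[(" + IPV4 + r")\]")
# HELO argument = first token after "from", unless the MTA started straight
# with a "(" comment (assumption: the MTA writes HELO as a single token).
HELO_RE = re.compile(r"^Received:\s*from\s+(?!\()(\S+)\s*(.*)$", re.IGNORECASE)

# Constructed samples of the formats in the post: 1.2.3.4 is the HELO name,
# 5.6.7.8 is the peer address the receiving MTA recorded.
SAMPLES = [
    "Received: from 1.2.3.4 (IDENT:4.3.2.1 at 8.7.6.5.s.com[5.6.7.8])",
    "Received: from 1.2.3.4 (<8.7.6.5.s.com> [5.6.7.8])",
    "Received: from 1.2.3.4 ([5.6.7.8] ident=4.3.2.1)",
    "Received: from 1.2.3.4 (account 4.3.2.1[5.6.7.8] verified)",
    "Received: from (1.2.3.4) [5.6.7.8]",
    "Received: from (1.2.3.4 [5.6.7.8])",
    "Received: from 1.2.3.4 (8.7.6.5.s.com [5.6.7.8])",
    "Received: from ([5.6.7.8])",
]
# The spoofed line from the post: HELO is "[5.6.7.8]", the real peer is 1.2.3.4.
SPOOFED = "Received: from [5.6.7.8] (5.6.7.8.s.com [1.2.3.4])"


def _valid(ip):
    try:
        return isinstance(ipaddress.ip_address(ip), ipaddress.IPv4Address)
    except ValueError:
        return False


def naive_peer_ip(line):
    """First bracketed IPv4 anywhere in the line; trusts the HELO field."""
    m = BRACKET_IP.search(line)
    return m.group(1) if m and _valid(m.group(1)) else None


def peer_ip(line):
    """Bracketed address recorded by the MTA after the HELO token, or None.
    Returning None (rather than guessing) matches the post's caution about
    reporting an IP with implied authority."""
    m = HELO_RE.match(line)
    rest = m.group(2) if m else line.split(":", 1)[-1]
    m = BRACKET_IP.search(rest)
    return m.group(1) if m and _valid(m.group(1)) else None


def compare():
    """Map each sample line to (naive result, HELO-aware result)."""
    return {line: (naive_peer_ip(line), peer_ip(line)) for line in SAMPLES + [SPOOFED]}
```

Lines such as "Received: from 5.6.7.8" that carry no bracketed address yield None rather than the unverified HELO value.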
