info about spam messages

Tom Allison tallison at tacocat.net
Mon Jun 14 13:27:17 CEST 2004


Tom Anderson wrote:
> From: "David Relson" <relson at osagesoftware.com>
> 
>>Recognizing "Received:.*[5.6.7.8]" isn't too hard.  I know that's how
>>postfix formats its Received: line.  Do other MTAs use the same format?
>>If not, what format is used?
> 
> 
> These are all real formats used by real MTAs:
> 
>>>Received: from 1.2.3.4 (IDENT:4.3.2.1 at 8.7.6.5.s.com[5.6.7.8])
>>>Received: from 1.2.3.4 (<8.7.6.5.s.com> [5.6.7.8])
>>>Received: from 1.2.3.4 ([5.6.7.8] ident=4.3.2.1)
>>>Received: from 1.2.3.4 (proxying for 5.6.7.8) (user 4.3.2.1)
>>>Received: from 1.2.3.4 (account 4.3.2.1[5.6.7.8] verified)
>>>Received: from (1.2.3.4) [5.6.7.8]
>>>Received: from (1.2.3.4 [5.6.7.8])
>>>Received: from 1.2.3.4 (8.7.6.5.s.com [5.6.7.8])
>>>Received: from 1.2.3.4 (4.3.2.1 at 8.7.6.5.s.com)
>>>Received: from 1.2.3.4 (8.7.6.5.s.com)
>>>Received: (from 4.3.2.1 at 8.7.6.5.s.com)
>>>Received: (from 4.3.2.1 at 1.2.3.4)
>>>Received: from ([5.6.7.8])
>>>Received: from 5.6.7.8
>>>Received: from 1.2.3.4
> 
> 
> I can't necessarily tell you which MTAs they are, as I gathered all of the
> different received formats I could find in any received line in any of my
> emails, plus searches on the web.  Some of them are generated by various
> proprietary web-based email systems like yahoo, aol, and hotmail.
> 
> If you use /Received:.*\[($IP)\]/, then a spammer could easily make
> HELO=[5.6.7.8]. Eg, in "Received: from [5.6.7.8] (5.6.7.8.s.com [1.2.3.4])",
> 1.2.3.4 is the actual IP, whereas 5.6.7.8 is bogus.  I have a pretty
> successful set of regexes in the "process_rcvd" function at
> http://orderamidchaos.com/bogofilter/spamitarium, but it's not necessarily
> foolproof.  I wouldn't automatically reject an email based on it alone.  And
> I don't think bogofilter should output an IP with the implied authority that
> it is absolutely the true one, or else people may do some stupid things with
> it.  The spamicity that bogofilter outputs is clearly a guestimation since
> it's a probability.  An IP is an absolute thing though.
> 

This is where the postfix UCE options come into play.
If you "turn on" the options for valid+known+fqdn headers it will knock 
out a lot of this HELO {I'm Bogus} stuff at the front door.
Unfortunately, a lot of people run with unknown addresses:
"Helo command rejected: Host not found"
is a frequent entry in my logs.

I'm starting to just knock them out and forward them the messages that I 
get so they know that 'postmaster' isn't doing a very good job.

I think someone once said there was a reason for doing this, but I don't 
recall what it was.  Unfortunately about 66% of my spam has this feature 
which makes it too hard not to implement.
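The address-extraction problem raised in the quoted thread, as an added example that is not part of this post, of bogofilter or of spamitarium: it separates the sender-controlled HELO token from the comment the receiving MTA writes, takes the peer address only from the latter, and flags a HELO address literal that disagrees with it. The sample lines are constructed after the formats quoted above; the trust order is an assumption, not something the thread states.

```python
import re

# Constructed sample Received: lines, modelled on the formats quoted above.
# Convention: 5.6.7.8 stands for the peer address the receiving MTA recorded,
# 1.2.3.4 for the name or literal the sender supplied in HELO (it controls that).
SAMPLES = [
    "Received: from 1.2.3.4 (IDENT:4.3.2.1 at 8.7.6.5.s.com[5.6.7.8])",
    "Received: from 1.2.3.4 ([5.6.7.8] ident=4.3.2.1)",
    "Received: from 1.2.3.4 (proxying for 5.6.7.8) (user 4.3.2.1)",
    "Received: from (1.2.3.4 [5.6.7.8])",
    "Received: from 5.6.7.8",
    # HELO forged as an address literal; the MTA-recorded peer is 1.2.3.4
    "Received: from [5.6.7.8] (5.6.7.8.s.com [1.2.3.4])",
]

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
BRACKETED = re.compile(r"\[(" + IP + r")\]")
BARE = re.compile(r"(?<![\d.])(" + IP + r")(?![\d.])")  # skips 5.6.7.8.s.com
HELO = re.compile(r"^Received:\s*from\s+([^(\s]*)")      # sender-supplied token
COMMENT = re.compile(r"\(([^)]*)\)")                     # MTA-written comments

def parse_received(line):
    """Split a Received: line into the untrusted HELO token and the MTA comments."""
    m = HELO.match(line)
    return (m.group(1) if m else ""), COMMENT.findall(line)

def peer_ip(line):
    """Best estimate of the address the receiving MTA actually saw (assumed order
    of trust): a bracketed literal inside a comment, then a bare address inside a
    comment, then the HELO slot only when the MTA wrote no comment at all
    ("Received: from 5.6.7.8"). A HELO that merely looks like an address literal
    is never taken as the peer; if nothing trustworthy is left, return None."""
    helo, comments = parse_received(line)
    for pattern in (BRACKETED, BARE):
        for c in comments:
            m = pattern.search(c)
            if m:
                return m.group(1)
    if not comments:
        m = BARE.search(helo)
        return m.group(1) if m else None
    return None

def helo_mismatch(line):
    """True when HELO carries a bracketed address literal that differs from the peer."""
    helo, _ = parse_received(line)
    m = BRACKETED.search(helo)
    peer = peer_ip(line)
    return bool(m and peer and m.group(1) != peer)

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{peer_ip(s)!s:>10}  mismatch={helo_mismatch(s)!s:5}  {s}")
```

A line such as "Received: from [5.6.7.8] (5.6.7.8.s.com)" yields no peer address at all, which is the honest answer: the only address present is the one the sender typed.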