info about spam messages

David Relson relson at osagesoftware.com
Mon Jun 14 14:35:12 CEST 2004


On 14 Jun 2004 07:48:55 -0400
Tom Anderson wrote:

> On Mon, 2004-06-14 at 07:27, Tom Allison wrote:
> > This is where the postfix UCE options come into play.
> > If you "turn on" the options for valid+known+fqdn headers it will
> > knock out a lot of this HELO {I'm Bogus} stuff at the front door.
> > Unfortunately, a lot of people run with unknown addresses:
> > "Helo command rejected: Host not found"
> > is a frequent entry in my logs.
> 
> Absolutely, if you are using an MTA which will do the lookup and the
> reverse lookup, you should use it.  However, not everybody uses
> Postfix.  And the IP/DN you receive an email from is not always the
> originator.  Therefore it is very difficult for bogofilter to be able
> to say that some IP address is authoritatively the originator of the
> email.  The question was whether bogofilter should output an IP
> address in its logs.  I think this would cause confusion about what
> that address represents, as it is not necessarily (or even usually?)
> the spammer.  In fact, if the IP parsing regex isn't perfect for all
> possible MTAs, it's possible for the spammer to trick bogofilter into
> outputting a completely innocent IP, even your own.  Therefore, if the
> IP outputted cannot be trusted, then what's the purpose in doing it?
> 
> Tom

As you point out, different MTAs have differently formatted Received:
lines.  Correctly recognizing IP address for _all_ MTAs is likely more
effort than it's worth.

In any case, I was thinking of the IP address as being an optional
formatting character.  My guess is that, most people won't care that it
exists and usage won't be widespread.  That being said, address parsing
would only need to be "good enough" for those who want it.

You've done a lot of work in this area and that work suggests an
alternate approach to me.  Spamitarium already has much (all?) of the
wanted ability for finding the IP address.  I'm sure a minor tweak would
enable it to output the IP address. Right, Tom?  Assuming this is so,
here's my idea:

Run bogofilter & spamitarium via a script that:

1) runs bogofilter and remembers the bogofilter classification.  This
can be done several ways, for example by saving "bogofilter -v" output
in an environment variable.

2) runs spamitarium to determine the IP address.

3) puts results (1) and (2) together and logs the info.

I've noticed that postfix logs a "connect from example.com[1.2.3.4]"
message.  Further validation of the address in (3) can be done by
comparing to the system log.  With that check, you'll know if you've got
the proper address for the machine sending the unwanted message.

Anyhow, those're my present ideas on the subject.

David
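The three-step wrapper script David sketches above, plus the cross-check against Postfix's "connect from host[ip]" log line, as an added example. This is not code from bogofilter, spamitarium or the thread's authors. It assumes the "bogofilter -v" output line has the "X-Bogosity: Spam, tests=bogofilter, spamicity=..., version=..." shape; the sample message, sample bogofilter output and sample Postfix log lines are all constructed; and earliest_hop_ip() is a deliberately naive stand-in for an "originator" finder (it simply trusts the bottom-most Received: header), not a description of how spamitarium works. It also includes the Tom Anderson caveat: the sender can forge a Received: line naming an innocent address, and only the log comparison in step 3 exposes that.

```python
"""Glue bogofilter's verdict, an extracted sender IP, and Postfix's log record.

Added example for the bogofilter list discussion; not project code.
"""
import re
import subprocess
from typing import Optional, Tuple

# Constructed "bogofilter -v" output (assumed X-Bogosity line format).
SAMPLE_BOGO_OUTPUT = (
    "X-Bogosity: Spam, tests=bogofilter, spamicity=0.999999, version=1.2.4\n"
)

# Constructed message. The top Received: was written by our own Postfix and is
# trustworthy; the bottom one was forged by the sender and names an innocent host.
SAMPLE_MESSAGE = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    "\tby mx.example.org (Postfix) with ESMTP id 1A2B3C\n"
    "\tfor <user@example.org>; Mon, 14 Jun 2004 08:01:12 -0400\n"
    "Received: from innocent.example.com (innocent.example.com [198.51.100.7])\n"
    "\tby mail.example.net with SMTP; Mon, 14 Jun 2004 08:00:50 -0400\n"
    "From: someone@example.net\n"
    "Subject: info about spam messages\n"
    "\n"
    "body\n"
)

# Constructed Postfix syslog lines for the same delivery.
SAMPLE_POSTFIX_LOG = (
    "Jun 14 08:01:11 mx postfix/smtpd[1234]: connect from mail.example.net[192.0.2.10]\n"
    "Jun 14 08:01:12 mx postfix/smtpd[1234]: 1A2B3C: client=mail.example.net[192.0.2.10]\n"
    "Jun 14 08:01:13 mx postfix/smtpd[1234]: disconnect from mail.example.net[192.0.2.10]\n"
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
BOGOSITY_RE = re.compile(r"^X-Bogosity:\s*(\w+),.*?spamicity=([0-9.]+)", re.M)
# \b keeps "disconnect from" lines from matching.
CONNECT_RE = re.compile(r"\bconnect from \S+\[(" + IPV4 + r")\]")


def parse_bogosity(output: str) -> Tuple[Optional[str], Optional[float]]:
    """Step 1: pull the verdict and spamicity out of 'bogofilter -v' output."""
    m = BOGOSITY_RE.search(output)
    if not m:
        return None, None
    return m.group(1), float(m.group(2))


def received_headers(message: str) -> list:
    """Unfolded Received: header bodies, most recent hop first."""
    headers = message.split("\n\n", 1)[0]
    unfolded = re.sub(r"\n[ \t]+", " ", headers)  # join continuation lines
    return [line[len("Received:"):].strip()
            for line in unfolded.split("\n")
            if line.lower().startswith("received:")]


def bracketed_ip(received: str) -> Optional[str]:
    m = re.search(r"\[(" + IPV4 + r")\]", received)
    return m.group(1) if m else None


def connecting_ip(message: str) -> Optional[str]:
    """IP of the host that spoke SMTP to our MTA (top Received:, written by us)."""
    hops = received_headers(message)
    return bracketed_ip(hops[0]) if hops else None


def earliest_hop_ip(message: str) -> Optional[str]:
    """Naive 'originator' guess (hypothetical stand-in): trusts the bottom Received:."""
    hops = received_headers(message)
    return bracketed_ip(hops[-1]) if hops else None


def postfix_connect_ips(log: str) -> set:
    """Step 3 check: every client IP Postfix logged a 'connect from' for."""
    return set(CONNECT_RE.findall(log))


def build_record(bogo_output: str, ip: Optional[str], log: str) -> str:
    """Step 3: one log line combining verdict, IP, and whether Postfix saw that IP."""
    verdict, spamicity = parse_bogosity(bogo_output)
    seen = (ip in postfix_connect_ips(log)) if ip else False
    return f"verdict={verdict} spamicity={spamicity} ip={ip} in_postfix_log={seen}"


def run_bogofilter(message: str) -> str:
    """Real step 1 for use outside the sample data: bogofilter reads stdin."""
    # -v prints the X-Bogosity line; exit status 0/1/2 means spam/ham/unsure.
    proc = subprocess.run(["bogofilter", "-v"], input=message,
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Trustworthy hop: the IP matches Postfix's own "connect from" record.
    print(build_record(SAMPLE_BOGO_OUTPUT, connecting_ip(SAMPLE_MESSAGE), SAMPLE_POSTFIX_LOG))
    # Forged hop: the innocent address never connected, and the log check says so.
    print(build_record(SAMPLE_BOGO_OUTPUT, earliest_hop_ip(SAMPLE_MESSAGE), SAMPLE_POSTFIX_LOG))
```

In a real deployment, replace SAMPLE_BOGO_OUTPUT with run_bogofilter(message), replace earliest_hop_ip() with whatever spamitarium reports, and read the Postfix lines from syslog; the in_postfix_log field is the check David describes, and a False there means the reported address is not the machine that actually delivered the message.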


