info about spam messages

David Relson relson at osagesoftware.com
Mon Jun 14 17:17:50 CEST 2004


On Mon, 14 Jun 2004 10:07:57 -0400
Tom Anderson wrote:

...[snip]...

> > I've noticed that postfix logs a "connect from example.com[1.2.3.4]"
> > message.  Further validation of the address in (3) can be done by
> > comparing to the system log.  With that check, you'll know if you've
> > got the proper address for the machine sending the unwanted message.
> 
> Postfix can only tell you for certain the immediate sender of the
> email, not whether there were any senders before or what they were. 
> The immediate sender could be an open relay or even a server at your
> own ISP.  Other times, spammers will send it through a server at their
> ISP, but the end of the chain is an IP address on their own machine. 
> E.g., they'll send it from "1.2.3.4-spamtown-adsl.verizon.com [1.2.3.4]"
> through "mail.verizon.com". If you just log the ISP line, then you
> miss any opportunity to nail them down to the IP they were assigned. 
> Or maybe they actually sent it from the ISP account, and the local IP
> is a bogus line.  You can't know for certain.

Tom,

Before I had bogofilter, I had a simple script that would find the first
ip address in a spam message and create an iptable rule to block port 25
for that machine.  It worked (I think) though it was somewhat of a
nuisance to deal with 50 or 100 messages each day.

As you say, the spammer's real address may not even be in the message.
However, identifying zombies, open relays, etc. is of value (I think).  It
may be that I receive lots of valid email from such machines (zombies,
et al), but I doubt it.

With the patch below, "spamitarium -rai < msg.bogofilter.org | grep
ipad" will print "ipad: 216.144.204.43, asn: 19326" (or comparable
value).  

It might be useful for, say, Tayfun.

Regards,

David


[relson at osage contrib]$ diff -u spamitarium~ spamitarium
--- spamitarium~	2004-04-30 08:25:31.000000000 -0400
+++ spamitarium	2004-06-14 11:14:37.726546784 -0400
@@ -284,6 +284,7 @@
 if ($ARGV[0] =~ /d/) { $options .= "d"; }	# perform domain lookups
where needed
 if ($ARGV[0] =~ /f/) { $options .= "f"; }	# force RDNS lookups
even where MTA provided
 if ($ARGV[0] =~ /a/) { $options .= "a"; }	# perform ASN lookups
+if ($ARGV[0] =~ /i/) { $options .= "i"; }	# display ipaddr
 if ($ARGV[0] =~ /s/) { $options .= "s"; }	# standard fields only
(strip others)
 if ($ARGV[0] =~ /e/) { $options .= "e"; }	# include the helo
received field in output
 if ($ARGV[0] =~ /b/) { $options .= "b"; }	# output benchmarking
info
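Review bot: the new `i` flag is appended to `$options` here, but nothing in the patch ever tests `$options =~ /i/`; the print added in the next hunk is gated on `/a/`, so passing `i` on the command line changes nothing. Either gate that print on `/i/` (the `# display ipaddr` comment suggests that was the intent) or drop the option. Also, as quoted the hunk's long lines have been wrapped by the mailer (`where needed`, `even where MTA provided` and `info` sit on lines of their own), so the patch will not apply as posted until those lines are rejoined.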
@@ -496,7 +497,10 @@
 		# perform ASN lookup (RFC 1930/2270)
 		my $asn = asn($ipad) if $ipad && $options =~ /a/;
 
-		# we implicitely trust the received line set "by" our own server
as valid (first untrusted "from")
+		# print ipaddr
+		print "ipad: $ipad, asn: $asn\n" if $options =~ /a/;
+
+		# we implicitly trust the received line set "by" our own server
as valid (first untrusted "from")
 		if (!$edge_ip) { $edge_ip = $mtai; $rcvd->[$x]->{'sane'} =
set_rcvd($helo,$ipad,$idnt,$rdns,$from,$mtan,$mtai,$mtav,$fore,$with,$d
ate,$asn); }
 
 		# now we'll try to establish the validity of each nonlocal
received line by
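Review bot: the added `print "ipad: $ipad, asn: $asn\n" if $options =~ /a/;` is gated on the ASN flag rather than on the new `i` flag, so the option introduced in the first hunk has no effect; change it to `if $options =~ /i/`. With that change `$asn` is only assigned when `a` is also given, so guard the interpolation, e.g. `defined $asn ? $asn : '-'`, to avoid an uninitialized-value warning. The print also sits above the `if (!$edge_ip)` test, so it fires for every Received line rather than only for the first untrusted one that the surrounding comment describes; if the edge address is what is wanted (the post quotes a single `ipad:` line as the expected output), move the print inside that block.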



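As an added example (not code from spamitarium or bogofilter, and not David's original script), the hop-walk and log cross-check the thread describes: unfold the Received: headers of a message, take the first line written "by" our own MTA as the edge, report that from-IP as the only address we can vouch for, list the earlier claimed hops as unverified, and confirm the edge IP against a Postfix "connect from" log line. The trusted host name `mx.osagesoftware.example`, the message and the log lines are all constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not part of spamitarium or bogofilter.
# Walk Received: headers top-down, report the first IP our own MTA accepted
# mail from (the "edge"), and cross-check it against a Postfix log line.
use strict;
use warnings;

# Assumed: the hostnames our own MTA writes into the "by" clause.
my %trusted = map { $_ => 1 } qw(mx.osagesoftware.example);

# Constructed sample message; all hosts and addresses are made up.
my $msg = <<'EOM';
Received: from mail.example-isp.net (mail.example-isp.net [198.51.100.7])
	by mx.osagesoftware.example (Postfix) with ESMTP id ABC123
	for <relson@osagesoftware.example>; Mon, 14 Jun 2004 10:07:57 -0400
Received: from adsl-9.example-isp.net (adsl-9.example-isp.net [203.0.113.9])
	by mail.example-isp.net (Postfix) with SMTP id XYZ789;
	Mon, 14 Jun 2004 10:07:50 -0400
Received: from [10.0.0.5] by adsl-9.example-isp.net; Mon, 14 Jun 2004 10:07:40 -0400
Subject: test

body
EOM

# Constructed Postfix log lines for the same delivery.
my @log = (
    'Jun 14 10:07:57 mx postfix/smtpd[4321]: connect from mail.example-isp.net[198.51.100.7]',
    'Jun 14 10:07:58 mx postfix/smtpd[4321]: disconnect from mail.example-isp.net[198.51.100.7]',
);

# Return a list of { from_host, from_ip, by } hashes, most recent hop first.
sub parse_received {
    my ($raw) = @_;
    my ($headers) = split /\n\n/, $raw, 2;   # header block only
    $headers =~ s/\n[ \t]+/ /g;              # unfold continuation lines
    my @rcvd;
    for my $line (split /\n/, $headers) {
        next unless $line =~ /^Received:\s*(.*)/i;
        my ($from_part, $by_part) = split /\s+by\s+/i, $1, 2;
        my ($from_host) = $from_part =~ /^from\s+(\S+)/i;
        my ($from_ip)   = $from_part =~ /\[(\d{1,3}(?:\.\d{1,3}){3})\]/;
        my $by_host = defined $by_part && $by_part =~ /^([^\s;]+)/ ? $1 : undef;
        push @rcvd, { from_host => $from_host, from_ip => $from_ip, by => $by_host };
    }
    return @rcvd;
}

# The edge is the "from" of the first Received line written by a trusted MTA;
# every hop below it is only a claim made by someone else's server.
sub find_edge {
    my ($rcvd, $trusted) = @_;
    for my $i (0 .. $#$rcvd) {
        my $r = $rcvd->[$i];
        next unless defined $r->{by} && $trusted->{ lc $r->{by} };
        return ($i, $r->{from_ip});
    }
    return;
}

# True (non-zero) if Postfix logged a connection from exactly this IP.
sub confirmed_by_log {
    my ($ip, @lines) = @_;
    my $q = quotemeta $ip;
    return scalar grep { /postfix\/smtpd\[\d+\]: connect from \S+\[$q\]/ } @lines;
}

my @rcvd = parse_received($msg);
my ($idx, $edge) = find_edge(\@rcvd, \%trusted);
if (defined $edge) {
    printf "edge ip: %s (from %s, accepted by %s)\n",
        $edge, $rcvd[$idx]{from_host}, $rcvd[$idx]{by};
    my @claimed = grep { defined } map { $_->{from_ip} } @rcvd[$idx + 1 .. $#rcvd];
    print "unverified earlier hops: @claimed\n";
    printf "postfix log confirms %s: %s\n", $edge,
        confirmed_by_log($edge, @log) ? "yes" : "no";
} else {
    print "no Received line written by a trusted MTA; nothing to act on\n";
}
```

Run as-is it reports `198.51.100.7` as the edge, lists `203.0.113.9 10.0.0.5` as unverified earlier hops, and confirms the edge address against the log. The split between the two lines is Tom's point: only the edge IP is something our own MTA observed, so any blocking rule like the iptables one David describes should be built from that address, and only once the MTA log agrees with the header.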

More information about the Bogofilter mailing list