spam addrs

David Relson relson at osagesoftware.com
Tue Jun 15 19:44:33 CEST 2004


On Tue, 15 Jun 2004 12:55:28 -0400
Tom Anderson wrote:

> From: "David Relson" <relson at osagesoftware.com>
> > All together, the feature adds about 25 lines of code, including
> > declarations, processing of '%I' in formats, etc.
> >
> > I've also included "Not guaranteed to be the originating address of
> > the message." in two places.
> 
> Cool.  You didn't answer my question regarding lines like these
> though:
> 
> Received: from 1.2.3.4 (proxying for 5.6.7.8) (user 4.3.2.1) by
> 9.8.7.6(7.6.5.4) with SMTP id blah for user+3.4.5.6 at 8.7.6.5.abc.com;
> date
> 
> or similarly:
> 
> Received: from 1.2.3.4 ([5.6.7.8] ident=4.3.2.1) by 9.8.7.6 (7.6.5.4)
> with SMTP id blah for user+3.4.5.6 at 8.7.6.5.abc.com; date
> 
> Will bogofilter output 5.6.7.8 as required, or something else?  I
> think the "proxying for" style is from Squirrelmail and the "ident"
> style from Exim. Other MTAs may also put the IP in the middle
> somewhere.

Tom,

Bogofilter will get both of those wrong, as you can verify by building
with the code in CVS.

As I've said, bogofilter is looking for the last IPADDR (as defined in
lexer_v3.l) of the first Received statement having an IPADDR.

> Also, not only is the IP not guaranteed to be the originating address
> of the message, it may not even be an intermediary, but rather an
> innocent IP spoofed by the spammer.  Action taken on the IP (such as
> blocking, reporting, or retaliation) without further verification may
> make the situation worse by involving innocents or mucking up your own
> services.  If something to this effect could be added to your warning,
> it might help to highlight the need to not depend solely on this
> value.

Identification of the actual, originating ip address of the message
calls for serious forensics and is far beyond anything bogofilter is
likely to do.  My goal is to have bogofilter identify the machine that
made the SMTP contact with the mail server.  If that machine is an open
relay or a zombie, then so be it.

David
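As an added illustration of the heuristic David describes (this is not bogofilter's own code, and a plain dotted-quad regex stands in for the IPADDR token of lexer_v3.l, whose exact definition is not reproduced here), the script below applies "last IPADDR of the first Received header that has one" to Tom's first sample line and shows it yields 8.7.6.5 rather than the 5.6.7.8 Tom is after. It also returns every address in that header, since a header carrying more than one address is exactly the case where the value should not be acted on without further checking.

```python
import re

# Dotted-quad IPv4 pattern standing in for bogofilter's IPADDR token.
# Assumption for this example; the real flex rule in lexer_v3.l may differ.
IPADDR = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def received_headers(raw_message):
    """Values of all Received: headers in message order, with folded
    continuation lines (leading whitespace) joined back into one string."""
    head = raw_message.split("\n\n", 1)[0]
    fields = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()      # folded continuation line
        else:
            fields.append(line)
    return [f[len("Received:"):].strip()
            for f in fields if f.lower().startswith("received:")]


def ips_in_first_received(raw_message):
    """All IPADDRs found in the first Received: header that contains one.
    Several addresses in one header means the header is ambiguous."""
    for value in received_headers(raw_message):
        ips = IPADDR.findall(value)
        if ips:
            return ips
    return []


def last_ip_of_first_received(raw_message):
    """The heuristic discussed in the thread: the last IPADDR of the first
    Received: header that has one, or None if no header carries an address."""
    ips = ips_in_first_received(raw_message)
    return ips[-1] if ips else None


# Constructed message built from Tom's first sample line, folded as in his mail.
SQUIRRELMAIL_STYLE = (
    "Received: from 1.2.3.4 (proxying for 5.6.7.8) (user 4.3.2.1) by\n"
    " 9.8.7.6(7.6.5.4) with SMTP id blah for user+3.4.5.6 at 8.7.6.5.abc.com;\n"
    " date\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(last_ip_of_first_received(SQUIRRELMAIL_STYLE))  # 8.7.6.5, not 5.6.7.8
    print(ips_in_first_received(SQUIRRELMAIL_STYLE))
```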
