spam addrs

Tom Anderson tanderso at oac-design.com
Tue Jun 29 14:30:05 CEST 2004


On Mon, 2004-06-28 at 19:31, David Relson wrote:
> > Perhaps the better test would be if "by", "for", etc., didn't come
> > before the IP, as an IP address in the "by" or "for" sections would
> > also follow "from" in most cases.
> 
> Bogofilter only needs to handle the info added by the local MDA.  It
> doesn't need to handle whatever (forgeable) junk is provided by the
> original sender.
> 
> To date, the various means of identifying the address stop looking once
> they've found an address.  In "from address by/for/etc other stuff",
> only "address" will be identified and "other" and "stuff" will be
> ignored.  Show me an MDA that generates "from by local_address
> remote_address" and I'll worry about the problem.  Until that MDA shows
> up, writing code to avoid problems that don't occur seems pointless.

I think you mean MTA, not MDA.  The MTA is not always able to resolve an
IP address for every sender due to possible DNS problems, and I think
the solution is usually to deliver the mail anyway after the lookup
times out or fails.  Although it may return a 5xx error with "relaying
denied" or whatnot.  Guess it depends on the MTA and the configuration
though.  Some people may even turn off IP lookups due to speed
constraints.  It's possible that people will have headers like this:

Received: from spammer.com by 192.168.1.1 for you at localhost

Yeah, I know you don't want to hear about the 5% of users who may have
their servers configured this way, just as with the lines I previously
identified which would screw up the parsing, eg:

Received: from [1.2.3.4] (helo=5.6.7.8) with smtp (Exim 4.12)
vs
Received: from 5.6.7.8 [1.2.3.4] with smtp (8.9.10)

However, I fear that someone without a whole lot of knowledge about the
matter (most of us) will accept bogofilter's output as gospel and start
blocking random innocent IPs, perhaps even their own.  Saying these
problems "don't occur" is a little optimistic.  I'd prefer to assume
that they do occur, and often, and prevent it from being a problem by
nipping it at the bud with accurate parsing or none at all.

But that's just my opinion...

Tom
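
The three Received: forms quoted in this message, run through a naive "first address after from" scan and a stricter parse that refuses to guess. This is an added example, not part of the original post and not Bogofilter's code. It assumes the local MTA writes the connecting address as a bracketed literal inside the from clause; the function names are hypothetical.

```python
import re

# The three Received: forms quoted in the message above, copied as posted.
SAMPLES = [
    "Received: from spammer.com by 192.168.1.1 for you at localhost",
    "Received: from [1.2.3.4] (helo=5.6.7.8) with smtp (Exim 4.12)",
    "Received: from 5.6.7.8 [1.2.3.4] with smtp (8.9.10)",
]

QUAD = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Text between "from" and the next clause keyword (by/via/with/id/for).
FROM_CLAUSE = re.compile(
    r"^\s*from\s+(.*?)(?:\s+(?:by|via|with|id|for)\s|;|$)", re.I | re.S)


def naive_sender_ip(header):
    """First dotted quad after 'from', wherever it sits in the line."""
    _, _, rest = header.partition("from")
    m = QUAD.search(rest)
    return m.group(0) if m else None


def strict_sender_ip(header):
    """Bracketed literal inside the from clause only; None when unsure."""
    _, _, body = header.partition(":")
    # Drop comments such as (helo=5.6.7.8); the HELO name is sender-supplied.
    body = re.sub(r"\([^()]*\)", " ", body)
    clause = FROM_CLAUSE.match(body)
    if not clause:
        return None
    found = LITERAL.findall(clause.group(1))
    if len(found) != 1:          # none or several candidates: do not guess
        return None
    ip = found[0]
    return ip if all(int(o) <= 255 for o in ip.split(".")) else None


if __name__ == "__main__":
    for h in SAMPLES:
        print(naive_sender_ip(h), strict_sender_ip(h), h, sep=" | ")
```

On the first header the naive scan returns the receiving host's own 192.168.1.1 and on the third it returns the unbracketed 5.6.7.8, while the strict parse returns nothing for the first and 1.2.3.4 for the other two.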




