At 12:42 PM 5/7/97 -0400, Robert Nicholson wrote:
> This is the first intelligent SPAM that's broken through my defenses.
> Mailer because I have a rule to catch all rules from a MAILER_DAEMON
> Comments on the From: header?
> Received: from iceland.it.earthlink.net (iceland-c.it.earthlink.net) by
> id AA21041; Wed, 7 May 1997 09:58:20 -0400
> Received: from mail.earthlink.net (Cust90.Max1.Raleigh.NC.MS.UU.NET
> by iceland.it.earthlink.net (8.8.5/8.8.5) with SMTP id HAA15017;
> Tue, 6 May 1997 07:30:56 -0700 (PDT)
> Received: from mailhost.errols.com (126.96.36.199) by errols.com
> with SMTP id GAA01420 for <you@aol.com>; Tue, 06 May 1997 10:20:07
> Date: Tue, 06 May 97 10:20:07 EST
> Subject: Free Orlando Vacations !!!
> Comments: Authenticated sender is <email@errols.com>
Another has already commented (correctly) on the From: header's location.
That can happen with legitimate mail, though rarely.
This was sent by the "Stealth Mailer" which I don't think is used for
anything but spam. It started appearing in early March as near as I
could find out from others' spam "collections".
Here's a pattern to catch this mailer (for now, at least):
* ^Received:.*\(8\.8\.5/8\.6\.5\).*SMTP id GAA.*for <.*-0600 \(EST\)
This is its "fingerprint" which I've posted on the SPAM-L list. (I typed
it here by hand, so please excuse any typos.) I don't think it's very
likely to catch any legitimate mail; note that EST is -0500. I'd put
this check *before* any check for MAILER_DAEMON, even. (Of course,
check only the headers; if you checked the body, you'd have bounced
your own post!)
Don't try to autoreply to these things; they are configured to forge
everything replyable. You'll probably find phone numbers and/or P.O. Boxes
and/or web pages inside the message body, but procmail won't help there.
In case you care, the spam was injected at:
which earthlink verified, by a sender claiming to be "mail.earthlink.net".
(When is UUNET going to get with it?)
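The fingerprint and the two cautions in the post (match headers only, and
remember that EST is -0500, not -0600) as a worked example. This is added
here and is not part of the original post or of procmail; it is written in
Python so it runs stand-alone, the regex is the post's pattern reproduced
verbatim, and the two sample messages, their hostnames and addresses are
constructed for the example. It also goes a step beyond the post: the
zone-abbreviation table and the `tz_mismatches` check generalize the
"EST is -0500" observation to other US zone names, which is an assumption
of mine, not something the post proposes.

```python
import re

# The fingerprint exactly as posted for procmail, as a Python regex.
# procmail's "*" condition lines are egrep-style, so the syntax carries over.
STEALTH_RE = re.compile(
    r"^Received:.*\(8\.8\.5/8\.6\.5\).*SMTP id GAA.*for <.*-0600 \(EST\)",
    re.MULTILINE,
)

# Numeric offset each zone abbreviation should carry (assumed table, not
# from the post; it just extends the "EST is -0500" remark).
ZONES = {
    "EST": "-0500", "EDT": "-0400", "CST": "-0600", "CDT": "-0500",
    "MST": "-0700", "MDT": "-0600", "PST": "-0800", "PDT": "-0700",
    "GMT": "+0000", "UTC": "+0000",
}
# "hh:mm:ss +hhmm (ZZZ)" as it appears at the end of Received/Date headers.
TS_RE = re.compile(r"\d{2}:\d{2}:\d{2} ([+-]\d{4}) \(([A-Z]{3,4})\)")

# Constructed sample messages (not the spam quoted in the thread; hosts,
# IPs and addresses are invented). SPAM carries the fingerprint; LEGIT is a
# normal message whose *body* quotes the fingerprint, like a reply to the post.
SPAM = """Received: from mailhost.example.net (192.0.2.10) by example.net (8.8.5/8.6.5)
 with SMTP id GAA01420 for <you@example.com>; Tue, 06 May 1997 10:20:07 -0600 (EST)
From: someone@example.net
Subject: Free Orlando Vacations !!!

Call now! P.O. Box 1234, http://www.example.net/
"""

LEGIT = """Received: from relay.example.org (192.0.2.20) by example.org (8.8.5/8.8.5)
 with SMTP id GAA00123 for <you@example.com>; Tue, 06 May 1997 10:20:07 -0500 (EST)
From: friend@example.org
Subject: Re: Stealth Mailer fingerprint

Here's the pattern you posted:
Received: from x (8.8.5/8.6.5) with SMTP id GAA for <me> -0600 (EST)
"""


def split_message(msg):
    """Return (raw headers, body); RFC 822 headers end at the first blank line."""
    head, _, body = msg.partition("\n\n")
    return head, body


def unfold(headers):
    """Join folded (continuation) header lines so a regex sees one logical line."""
    return re.sub(r"\n[ \t]+", " ", headers)


def matches_stealth_fingerprint(msg, headers_only=True):
    """True if the posted fingerprint matches. headers_only=True is the
    procmail default the post relies on; False shows the body-scanning pitfall."""
    head, body = split_message(msg)
    text = unfold(head) if headers_only else unfold(head) + "\n\n" + body
    return STEALTH_RE.search(text) is not None


def tz_mismatches(msg):
    """List (offset, abbreviation) pairs in the headers whose numeric offset
    disagrees with the zone name, e.g. ("-0600", "EST"). Unknown names are skipped."""
    head, _ = split_message(msg)
    found = []
    for offset, abbrev in TS_RE.findall(unfold(head)):
        expected = ZONES.get(abbrev)
        if expected is not None and expected != offset:
            found.append((offset, abbrev))
    return found


if __name__ == "__main__":
    for name, msg in (("SPAM", SPAM), ("LEGIT", LEGIT)):
        print(name, "fingerprint(headers):", matches_stealth_fingerprint(msg),
              "fingerprint(whole msg):", matches_stealth_fingerprint(msg, False),
              "tz mismatches:", tz_mismatches(msg))
```

Run as a script it shows why the post says to check headers only: LEGIT is
clean on its headers but would be caught, exactly as the post warns, if the
body were scanned too. The `tz_mismatches` check is the looser, more general
test; on its own it is a hint rather than a fingerprint, since any mailer with
a misconfigured clock zone would trip it.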