From: jm(_at_)jmason(_dot_)org (Justin Mason)
> issues I can see:
> - what about randomised sender addresses? Some spamtools will generate
> a new random From: addr for each recipient. I fear the relay IP
> address is the only trustworthy source id that can be used...
You're probably correct.
I've seen spammers send from randomized addresses at all of
(known | forged | random) addresses, and also with forged
addresses from others in the same organization.
I expect this spammer was hoping to take advantage of a likely
"whitelist" for intra-organization email.
My opinion: there are only two things that can be trusted:
the IP address of the machine on the other end of the TCP
connection that hit your firewall, and
the meaningless pattern of bits in the message, which only has
significance in a statistical (rather than a formatted) sense.
You can't trust anything else in the message, in particular, you
must _not_ trust any of the information that's in headers you
received from the far end, as spammers have become particularly
adroit at forging _everything_.
-Bill Yerazunis ( CRM114 author, I'll post an intro later)
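Bill's point that the connecting IP is the only header-side fact the far end cannot forge is what a receiving filter has to operationalize: walk the Received chain from the top (the hops our own MTAs stamped) and stop at the first hop where one of our machines accepted a connection from outside, ignoring everything below it and ignoring From:/Sender: entirely. The following is an added example illustrating that, not code from the ASRG post or from CRM114; the MTA hostnames, the internal address range, the Received-header shape the regex expects, and the sample message are all constructed for the example.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# MTAs we operate (hypothetical names, constructed for this example). Only a
# Received header whose "by" host is one of these was written by us; every
# header below the first hop we did not stamp was supplied by the far end.
TRUSTED_MTAS = {"mx1.example.org", "store.example.org"}

# Address space of our own relays (constructed). A hop whose peer IP falls in
# here is internal; the first trusted hop whose peer IP does not is the
# boundary, and that peer IP is the one thing the sender could not forge.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Minimal Received-header shape: "from <helo> (<rdns> [<ip>]) by <host> ...".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:[^\s\]]+\s+)?\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)


def is_internal(ip):
    """True if ip lies inside one of our own relay networks."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(raw_message):
    """Walk Received headers top-down (newest hop first) and report the IP
    that connected to our boundary MTA, plus how many hops were stamped by
    us versus how many came from the far end. From:/Sender:/Reply-To: are
    deliberately never consulted."""
    msg = message_from_string(raw_message)
    hops = msg.get_all("Received") or []
    result = {"connecting_ip": None, "trusted_hops": 0, "untrusted_hops": 0}
    for index, hop in enumerate(hops):
        m = RECEIVED_RE.search(" ".join(hop.split()))  # unfold continuation lines
        if m is None or m.group("by").lower() not in TRUSTED_MTAS:
            # First hop we did not stamp: nothing from here down is ours.
            result["untrusted_hops"] = len(hops) - index
            break
        result["trusted_hops"] += 1
        if not is_internal(m.group("ip")):
            # Our MTA accepted this TCP connection from outside. The peer IP
            # here is trustworthy; every lower Received line is untrusted.
            result["connecting_ip"] = m.group("ip")
            result["untrusted_hops"] = len(hops) - index - 1
            break
    return result


# Constructed sample: an internal store hop, our MX accepting from an outside
# relay, and a forged Received line the outside relay prepended claiming the
# message came from a partner site. The forged From: is never looked at.
SAMPLE = """\
Received: from mx1.example.org ([10.0.0.5]) by store.example.org with ESMTP id A1;
 Mon, 10 Mar 2003 12:00:02 +0000
Received: from relay.spammer.test (unknown [198.51.100.23]) by mx1.example.org with ESMTP id B2;
 Mon, 10 Mar 2003 12:00:01 +0000
Received: from trusted.partner.example (partner [192.0.2.10]) by relay.spammer.test with ESMTP id C3;
 Mon, 10 Mar 2003 12:00:00 +0000
From: ceo@example.org
To: staff@example.org
Subject: constructed sample

body
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The forged third Received line and the intra-organization From: address are exactly the data the post says cannot be trusted; the function never lets them influence the result, and if no hop at all was stamped by one of our MTAs it returns no IP rather than guessing.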
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg