
Re: [Asrg] Spam detection system proposal

2003-03-05 08:52:44

   From: jm(_at_)jmason(_dot_)org (Justin Mason)

   issues I can see:

   - what about randomised sender addresses?  Some spamtools will generate
     a new random From: addr for each recipient.  I fear the relay IP
     address is the only trustworthy source id that can be used...

You're probably correct.

I've seen spammers send from randomized addresses at all of
(known | forged | random) addresses, and also with forged
addresses from others in the same organization.

I expect this spammer was hoping to take advantage of a likely
"whitelist" for intra-organization email.

My opinion: there are only two things that can be trusted:

   the IP address of the machine on the other end of the TCP 
   connection that hit your firewall, and

   the meaningless pattern of bits in the message, which only has
   significance in a statistical (rather than a formatted) sense.

You can't trust anything else in the message, in particular, you
must _not_ trust any of the information that's in headers you
received from the far end, as spammers have become particularly
adroit at forging _everything_.

        -Bill Yerazunis (CRM114 author, I'll post an intro later)
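As an added illustration of the point made above (example code, not from this thread or from CRM114): a small Python check that takes the peer address only from the Received: line our own MX stamped from the TCP connection, ignores every header that arrived from the far end, and then shows that tallying by that address groups the randomised senders while tallying by From: does not. The MX name, the bracketed-IP format and the sample headers are assumptions constructed for the example.

```python
import re
from collections import Counter

OUR_MX = "mx.example.net"   # assumed name of the MX we operate

# Constructed samples (not from the thread). The first Received: line is the
# one OUR_MX stamped from the TCP connection; the second is a forged hop that
# arrived from the far end. From: is randomised per message, as in the thread.
def msg(peer_ip, forged_hop, from_addr):
    return (f"Received: from helo.invalid (unknown [{peer_ip}]) by {OUR_MX}\n"
            f"Received: {forged_hop}\n"
            f"From: {from_addr}\nSubject: hi\n")

FORGED = "from mail.example.org (mail.example.org [203.0.113.5]) by helo.invalid"
SAMPLES = [
    msg("192.0.2.10", FORGED, "q8f2k@example.org"),
    msg("192.0.2.10", FORGED, "x1m9p@example.org"),
    msg("192.0.2.10", FORGED, "zz7ww@example.org"),
    msg("198.51.100.7", "from [10.0.0.5] by smtp.example.com", "alice@example.com"),
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^From:.*?([\w.+-]+@[\w.-]+)", re.M)

def unfold(raw):
    """Join folded header continuation lines so each header is one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def connecting_ip(raw):
    """Peer IP as recorded by OUR_MX: read the topmost Received: line only.
    Everything below it came from the far end and is ignored."""
    for line in unfold(raw).splitlines():
        if line.lower().startswith("received:"):
            if f"by {OUR_MX}" not in line:
                return None          # top hop not ours: nothing trustworthy
            m = IP_RE.search(line)
            return m.group(1) if m else None
    return None

def sender_address(raw):
    """The From: address, which the sender controls and may randomise."""
    m = FROM_RE.search(unfold(raw))
    return m.group(1) if m else None

def tally(messages):
    """Count messages per trusted peer IP and per (untrusted) From: address."""
    by_ip = Counter(connecting_ip(m) for m in messages)
    by_from = Counter(sender_address(m) for m in messages)
    return by_ip, by_from
```

Run `tally(SAMPLES)`: the three randomised senders collapse onto one peer IP, while the From: tally sees each address exactly once and learns nothing.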