procmail

Re: Another good one for your Procmail spam filter

1997-04-13 14:43:00
On Sat, 12 Apr 1997 22:13:40 -0400,
Stan Ryckman <stanr(_at_)sunspot(_dot_)tiac(_dot_)net> wrote:
> At 05:18 AM 4/5/97 +0300, era eriksson wrote:
>> As more and more spam comes heavily forged, may I suggest you add this
>> one to your arsenal of spam filter recipes:
>> :0
>> * ^From:.*$Received:
>> {
>> LOG="spamreject: Received: after From:
>> "
>> :0:
>> spam
>> }
>> This will catch any mail message which has a Received: header after
>> the From: header, as has been typical in recent spams.
> This occurs when mail is sent without a From: header, frequently
> omitted by spammers, but sometimes otherwise, probably unintended.
> The "From:" you see is likely added while storing the mail by the
> MDA, made from a "best guess" (the SMTP MAIL FROM).  The purpose is
> undoubtedly to pacify some of the stupider mail clients which won't
> work right in the absence of From:.

That's correct. You might also look for Message-Id, Date etc for the
same reasons. 

> The added From: appears above any Received: headers added en route
> to the destination, but below the final delivery one (in my experience).
> I'd recommend using this test with caution, since the condition can
> occur with broken software on the non-spamming-sender's side.

Indeed, a lot of messages which are not spam match this. A mailing
list I'm on preserves the original Received: lines but adds
information to the beginning of the header, to take but one example. 

Personally, I use a heuristic which looks at the Subject, the length
of the message, and a number of other things. Of course, I practically
never send anything directly to /dev/null so an occasional mismatch is
not a big deal for me. (I want to be able to complain to the spammers,
for one thing.)

/* era */

-- 
Defin-i-t-e-ly. Sep-a-r-a-te. Gram-m-a-r.  <http://www.iki.fi/~era/>
 * Enjoy receiving spam? Register at <http://www.iki.fi/~era/spam.html>
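
Added example, not part of the original post or of procmail: a Python version of the header-order check discussed in this thread, extended to Message-Id and Date as the reply suggests. It flags those fields when any Received: line sits below them; the function names and all sample headers are constructed for illustration, and the list-style sample shows the false positive mentioned above.

```python
import re

# Fields the thread says a delivery agent may add when the sender omitted them.
WATCHED = ("from", "message-id", "date")

def header_names(raw_header):
    """Field names in order of appearance, lower-cased."""
    names = []
    for line in raw_header.splitlines():
        if not line.strip():
            break                  # blank line ends the header
        if line[0] in " \t":
            continue               # folded continuation of the previous field
        m = re.match(r"([!-9;-~]+):", line)   # skips the mbox "From " line
        if m:
            names.append(m.group(1).lower())
    return names

def added_late(raw_header):
    """Watched fields that have at least one Received: line below them."""
    names = header_names(raw_header)
    if "received" not in names:
        return []
    last_received = len(names) - 1 - names[::-1].index("received")
    return [n for n in WATCHED if n in names[:last_received]]

# Constructed sample headers (not taken from real mail).
SPAM = ("Received: from relay.example.net by mx.example.org;\n"
        "\tSat, 12 Apr 1997 22:10:00 -0400\n"
        "From: bulk@example.com\n"
        "Received: from dialup.example.com by relay.example.net;\n"
        "\tSat, 12 Apr 1997 22:09:00 -0400\n"
        "Subject: sample\n\nbody\n")
NORMAL = ("From user@example.edu Sat Apr 12 22:10:00 1997\n"
          "Received: from a.example.edu by mx.example.org; Sat, 12 Apr 1997\n"
          "Received: from b.example.edu by a.example.edu; Sat, 12 Apr 1997\n"
          "From: user@example.edu\nDate: Sat, 12 Apr 1997 22:08:00 -0400\n"
          "Message-Id: <1@b.example.edu>\nSubject: sample\n\nbody\n")
# A list that puts its own fields first and keeps the original Received: lines.
LIST = ("Sender: owner-list@example.org\nFrom: member@example.edu\n"
        "Date: Sat, 12 Apr 1997 21:00:00 -0400\n"
        "Received: from c.example.edu by list.example.org; Sat, 12 Apr 1997\n"
        "Subject: sample\n\nbody\n")

if __name__ == "__main__":
    for label, hdr in (("spam", SPAM), ("normal", NORMAL), ("list", LIST)):
        print(label, added_late(hdr))
```

The list sample is flagged just like the forged one, so a hit is better filed to a folder for review than discarded.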
