At 12:42 PM 5/7/97 -0400, Robert Nicholson wrote:
This is the first intelligent SPAM that's broken through my defenses.
Mailer because I have a rule to catch all rules from a MAILER_DAEMON
Comments on the From: header?
Return-Path: <Mailer-Daemon>
Received: from iceland.it.earthlink.net (iceland-c.it.earthlink.net) by
dgs.dgsys.com (5.0/SMI-SVR4)
id AA21041; Wed, 7 May 1997 09:58:20 -0400
From: Mailer-Daemon
Received: from mail.earthlink.net (Cust90.Max1.Raleigh.NC.MS.UU.NET
[153.34.251.90])
by iceland.it.earthlink.net (8.8.5/8.8.5) with SMTP id HAA15017;
Tue, 6 May 1997 07:30:56 -0700 (PDT)
Received: from mailhost.errols.com (187.5.88.44) by errols.com
(8.8.5/8.6.5)
with SMTP id GAA01420 for <you(_at_)aol(_dot_)com>; Tue, 06 May 1997 10:20:07
-0600
(EST)
Date: Tue, 06 May 97 10:20:07 EST
To: you(_at_)AOL(_dot_)COM
Subject: Free Orlando Vacations !!!
Message-Id: <756843199975(_dot_)JJA64789(_at_)smtp(_dot_)errols(_dot_)com>
X-Uidl: 9876543fgt9821376nb0988mm632xx321
Comments: Authenticated sender is <email(_at_)errols(_dot_)com>
content-length: 1291
Another has already commented (correctly) on the From: header's location.
That can happen with legitimate mail, though rarely.

This was sent by the "Stealth Mailer" which I don't think is used for
anything but spam. It started appearing in early March as near as I
could find out from others' spam "collections".

Here's a pattern to catch this mailer (for now, at least):

* ^Received:.*\(8\.8\.5/8\.6\.5\).*SMTP id GAA.*for <.*-0600 \(EST\)

This is its "fingerprint" which I've posted on the SPAM-L list. (I typed
it here by hand, so please excuse any typos.) I don't think it's very
likely to catch any legitimate mail; note that EST is -0500. I'd put
this check *before* any check for MAILER_DAEMON, even. (Of course,
check only the headers; if you checked the body, you'd have bounced
your own post!)

Don't try to autoreply to these things; they are configured to forge
everything replyable. You'll probably find phone numbers and/or P.O. Boxes
and/or web pages inside the message body, but procmail won't help there.

In case you care, the spam was injected at:
Cust90.Max1.Raleigh.NC.MS.UU.NET [153.34.251.90],
which earthlink verified, by a sender claiming to be "mail.earthlink.net".
(When is UUNET going to get with it?)

Cheers,
Stan
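The header-only fingerprint check described in Stan's post, as an added Python example (not from the original thread or from procmail itself): it unfolds continuation lines before matching, which is an assumption on top of the raw procmail condition, and the sample messages and addresses are constructed.

```python
import re

# Stan's fingerprint for the "Stealth Mailer" forged Received: header. The procmail
# condition carries over to Python regex syntax unchanged. It keys on a sendmail
# banner, a GAA queue id and the impossible "-0600 (EST)" offset (EST is -0500).
STEALTH_MAILER_RE = re.compile(
    r"^Received:.*\(8\.8\.5/8\.6\.5\).*SMTP id GAA.*for <.*-0600 \(EST\)"
)

def split_headers(raw):
    """Return (list of unfolded header lines, body text) for an RFC 822 message."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    unfolded = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()   # join a folded continuation line
        else:
            unfolded.append(line)
    return unfolded, body

def is_stealth_mailer(raw):
    """True if any header line carries the fingerprint; the body is never consulted,
    so quoting the pattern in a reply (as the post itself does) cannot trip it."""
    headers, _ = split_headers(raw)
    return any(STEALTH_MAILER_RE.search(h) for h in headers)

# Constructed sample: the forged Received: header from the post, folded as it arrived.
SPAM = """\
From: Mailer-Daemon
Received: from mailhost.errols.com (187.5.88.44) by errols.com (8.8.5/8.6.5)
  with SMTP id GAA01420 for <you@example.com>; Tue, 06 May 1997 10:20:07 -0600
  (EST)
Date: Tue, 06 May 97 10:20:07 EST
Subject: Free Orlando Vacations !!!

Call now for your free vacation.
"""

# Constructed legitimate message: same sendmail banner and GAA id, but a correct
# -0500 (EST) offset, and the fingerprint text only appears quoted in the body.
LEGIT = """\
Received: from mx.example.org (mx.example.org [192.0.2.10]) by example.net (8.8.5/8.6.5)
  with SMTP id GAA00123 for <bob@example.net>; Tue, 06 May 1997 10:20:07 -0500 (EST)
Subject: Re: spam fingerprint

Received: from mailhost.errols.com (8.8.5/8.6.5) with SMTP id GAA01420 for <x> -0600 (EST)
"""
```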