procmail

Re: Filtering bogus Received lines

1997-09-15 21:12:38
At 02:02 PM 9/15/97 -0700, Brian Buchanan wrote:
> Does anyone have a procmail recipe for catching spams by checking for
> lines like:
>
> Received: from spoofed.site (real.site.here [real.ip]) by mail.host.com

This is not a good spam check.  You'll catch all dial-in POP mail with
it, including this one (well, not the procmail list copy since the
list doesn't send out the headers, though you can get them from the
archives).

This message will show:
        Received: from voyager (dial.in.hostname [some.dynamic.ip])
(I am not sending it from tiac, despite my "From:" header.)

> Also, does anyone know if it's possible to have procmail check to see if any
> Received: lines appear after headers such as From, Message-Id, To, etc.?
> Many spammers also make this mistake.

That happens when those headers are not present in the original mail
headers.  Most ISPs add them, if missing, just before delivery so that
some of the dumber mail clients around can figure out which bytes go with
which message.  Non-spammers sometimes do manage to send out mail missing
certain headers.

Also, I believe that some clients may shuffle headers when they "resend" mail.

Cheers,
Stan
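
The two header traits discussed in this thread, sketched as an added example that is not part of either poster's message: it reports a HELO name that differs from the looked-up host name, and Received: lines that follow From/To/Message-Id, as hints only, since the reply notes that legitimate dial-in mail shows both. The function names, addresses and sample message are constructed for illustration.

```python
import re

# "Received: from HELO (LOOKED-UP-NAME [IP]) ..." in the form quoted in the thread.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([^\]]+)\]\)", re.I)
ORIGIN_HEADERS = {"from", "to", "message-id"}

# Constructed sample: a dial-in client announcing its machine name, and a relay
# that added a missing Message-Id on the way through.
SAMPLE = (
    "Received: from relay.example.net (relay.example.net [192.0.2.20])\n"
    "\tby mx.example.org\n"
    "Message-Id: <constructed@relay.example.net>\n"
    "Received: from voyager (dial.in.hostname [192.0.2.10])\n"
    "\tby relay.example.net\n"
    "From: user@example.com\n"
    "To: list@example.org\n"
    "\n"
    "body\n"
)

def parse_headers(raw):
    """Return [(name, value)] in on-the-wire order, unfolding continuation lines."""
    headers = []
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def received_signals(raw):
    """Count both traits as weak hints; neither is enough to reject a message."""
    headers = parse_headers(raw)
    first_origin = next(
        (i for i, (n, _) in enumerate(headers) if n in ORIGIN_HEADERS), None)
    late = [i for i, (n, _) in enumerate(headers)
            if n == "received" and first_origin is not None and i > first_origin]
    mismatches = []
    for name, value in headers:
        m = RECEIVED_FROM.search(value) if name == "received" else None
        if m and m.group(1).lower() != m.group(2).lower():
            mismatches.append((m.group(1), m.group(2)))
    return {"received_after_origin": len(late), "helo_mismatch": mismatches}
```

On the constructed sample both hints fire even though nothing in it is forged, which is the false-positive case the reply describes.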

  • Re: Filtering bogus Received lines, Stan Ryckman <=