procmail

Re: Counting headers?

1998-03-11 10:17:42

I've recently added the following to my junkfilter:

# An empty but present Return-Path: header, a signature of RFMS.
:0
* ^Return-Path:[        ]<>
{ JFEXP="$JFSEC: Empty Return-Path: header" }

A space and a tab in those [], as always.

I've been trying out an extended version of this recipe with some
success lately.  I originally started out with the one above, but
soon ran into problems with auto-responses, mail failure notifications,
and mailing lists.  Here's my current incarnation, but it still needs
work.  Need to get more false matches to fix things...

   # New breed of spam -- check for null Return-Path and user in
   #    From_, make sure it's not from root, and try not to catch
   #    vacation program, auto-responder, and mailing list output
   :0
   * ^Return-Path:[\t ]+<>
   * ^From[\t ]+(Sun|Mon|Tue|Wed|Thu|Fri|Sat)
   * !^FROM_DAEMON
   * !^(From|Subject):.*((auto|automatic) reply|javascript|vacation|\
                         listproc|l-soft)
   $SPAM

I'm starting to get enough special cases that I'm not sure if it's
worthwhile yet.


Of the last 15 direct-injection spams I received (two days' worth) 3 have a
null return path, 2 have return paths with no domain part, and 10 have
syntactically proper return paths. As you imply when you say that enough
special cases are appearing, your test isn't worth too much except against
the amateurs who don't provide a From: address to over-ride the default
null.

The only reliable stigmata that I see are the number of received headers
(which depends on your local setup) and the presence of a locally generated
message id, together with the identification of the source as a dialup server
(which is relatively easy but not certain).

-- 
Rik Kabel          Old enough to be an adult              
rik(_at_)netcom(_dot_)com
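
The first two signs named in the reply above (few Received: headers, plus a Message-ID generated by the local MTA) can be tested with procmail's scoring syntax. This is an added example, not code from the thread; `LOCALHOST`, `MINHOPS`, `RCOUNT` and the `X-` header names are assumptions to adapt to the local setup, and the dialup-source check is not covered.

```procmail
# Added example -- LOCALHOST and MINHOPS are hypothetical, site-specific values.
# LOCALHOST: the host name your own MTA writes into Message-IDs it generates.
LOCALHOST=mail.example.com
# MINHOPS: the fewest Received: lines that mail handed over by a real
# sending MTA carries by the time it is delivered here.
MINHOPS=2

# Count the Received: headers.  A 1^1 condition adds 1 for every match,
# and procmail leaves the total score of the last recipe in $=.
:0
* 1^1 ^Received:
{ }
RCOUNT=$=

# Tag (do not discard) mail that has a Message-ID stamped by our own MTA
# and fewer than MINHOPS Received: lines.  The score starts at MINHOPS and
# drops by 1 per Received: line, so it stays positive only when the count
# is below MINHOPS.  $\LOCALHOST expands with regexp characters escaped.
:0 fhw
* $ ^Message-Id:.*@$\LOCALHOST>
* $ ${MINHOPS}^0
* -1^1 ^Received:
| formail -A "X-Received-Count: $RCOUNT" -A "X-Direct-Injection: suspect"
```

Tagging with a header rather than filing straight to a spam folder leaves room to watch for false matches from local users and list software before acting on the result.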
