procmail

Re: Counting headers?

1998-03-15 21:30:11
Andrew Smith wrote:

I'm sure you're all aware of the new spamware product called
Rapid Fire Mail Server (RFMS).  What it does is connect
_directly_ to the MX host of the target ISP.

Since no real mail clients do this (that I'm aware of), I
propose to build a filter for RFMS by checking the
Received: headers of the message in question.  On an incoming
RFMS mail, if it hits the primary MX (and that MX is the final
location), there will be only one Received header, the one
added by the mail server on said primary MX.  If it hits a
secondary MX, it'll then transfer to the primary MX and have two.

Felix Tilley replied:

On many systems, if you login as a Unix shell user and send
email to another user on your system, there may be only one
Received: header line.  So you have to be careful about this.

  I wrote a filter against the MAILER-DAEMON@<your ISP> bozos
(T1-net).  By sheer fluke, it's very useful against RFMS as
described by Andrew.  Here's the logic...
  1) If "From:" and/or "Message-Id:" contains your ISP's domain
     2) Count all "Received: from" headers, *ADD* 1
        to the accumulator for each hit
     3) Count all "Received: from" headers that are
        *BOTH FROM AND BY* servers in your ISP's domain,
        *SUBTRACT* 1 from the accumulator for each hit
     4) If it's *REALLY* a message from somebody else on
        your ISP (Felix's worry), then items 2 and 3 will
        be identical; the subtraction will yield zero
     5) If it's *NOT* from someone on your ISP, at least
        one of the headers will be in the form...

        Received: from some.other.domain ([n.n.n])
                  by some.machine.<your ISP's domain>

        Item 2 will be higher than item 3; the subtraction
        will yield a positive value, and an action will execute

  Early on in my filters, I set
MYISP="interlog\.(com|net)"
# Yes, Interlog owns both interlog.com and Interlog.net
# domains.  Andrew and Felix, respectively, would use
# MYISP="insync\.net"
# MYISP="goodnet\.com"
:0
*$       ^(From|Message-Id):.*$MYISP
*   1^1  ^Received:.from
*$ -1^1  ^Received:.from.*.$MYISP.*.by.*.$MYISP
{
LOG="///////////////////// Sendmail sleaze stunt
"
:0: sendmail.lock
$LOGFILE
}

  Comments:
  My algorithm counts the *DIFFERENCE* between the different
"Received: from" headers, rather than the absolute number.
It doesn't care whether the incoming message hits the ISP's
primary, secondary, tertiary, or quaternary server.  The
filter will have "nary a problem" (sorry... I just couldn't
resist)
  Do *NOT* use this test on mailing-lists.  It's perfectly
legitimate for you (or someone else on your ISP) to send a
message to a mailing list, and have the "From:" header show
as being somebody at your ISP, while showing "Received: from"
headers originating at foreign machines.
  This, and other filters, are up on my beta website.  The
regular website is http://www.interlog.com/~waltdnes
Once you get there, click on the "W" in "W a l t e r ' s"
and you end up in the beta area.  You'll know you've hit
the right location when you see the graphic titled "A man's
email-box is his castle".
  I'm now at beta 1.01.  The version number should show up
in the title at the top of your browser.  The graphic is
somewhat grainier and only 20% its previous size, to speed
up loading.  I've corrected some errors in the "Using regex's"
section.  I've pulled one filter which was giving false
positives, and I've collapsed two filters into one (the
filter in this message).

-- 
Walter Dnes (Toronto)
<waltdnes(_at_)interlog(_dot_)com>
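As an added illustration (not Walter's recipe and not procmail itself), here is the same accumulator logic in Python, run over constructed header samples for the cases the post distinguishes: a local sender, a direct-to-MX delivery (via the primary or a secondary MX), and the mailing-list case the post warns about. MYISP is taken from the post; every hostname, address and header below is made up.

```python
import re
from email import message_from_string

# The post's own MYISP value; any other ISP would substitute its domains here.
MYISP = re.compile(r"interlog\.(com|net)", re.IGNORECASE)

def received_score(raw_message):
    """Apply the post's three conditions to a raw message.

    Returns None when neither From: nor Message-Id: mentions the ISP
    (the recipe's first condition fails, so it does not apply).
    Otherwise returns the accumulator: +1 per 'Received: from' header,
    -1 per 'Received: from' header whose sending host AND receiving host
    are both in the ISP's domain.  A positive result is what fires.
    """
    msg = message_from_string(raw_message)
    gate = " ".join(filter(None, [msg.get("From"), msg.get("Message-Id")]))
    if not MYISP.search(gate):
        return None
    score = 0
    for hdr in msg.get_all("Received", []):
        hdr = " ".join(hdr.split())  # unfold continuation lines
        # group(1): everything between 'from' and the first ' by ';
        # group(2): everything after it (None if the header has no 'by').
        m = re.match(r"from\s+(.*?)(?:\s+by\s+(.*))?$", hdr, re.IGNORECASE)
        if not m:
            continue  # e.g. 'Received: by ...' or '(from user@localhost)'
        score += 1
        if m.group(2) and MYISP.search(m.group(1)) and MYISP.search(m.group(2)):
            score -= 1
    return score

def build(from_addr, received):
    """Constructed sample message; Received headers listed newest first."""
    lines = ["From: " + from_addr] + ["Received: " + r for r in received]
    return "\n".join(lines + ["Subject: test", "", "body"])

LOCAL = build("alice@interlog.com",
    ["from shell.interlog.com (shell.interlog.com [192.0.2.5]) by mx.interlog.com"])
DIRECT = build("spoofed@interlog.com",
    ["from bulk.example ([192.0.2.10]) by mx.interlog.com with SMTP"])
VIA_SECONDARY = build("spoofed@interlog.com",
    ["from mx2.interlog.net (mx2.interlog.net [192.0.2.2]) by mx.interlog.com",
     "from bulk.example ([192.0.2.10]) by mx2.interlog.net with SMTP"])
MAILING_LIST = build("bob@interlog.com",   # the false positive the post warns about
    ["from lists.example.org (lists.example.org [198.51.100.7]) by mx.interlog.com",
     "from shell.interlog.com (shell.interlog.com [192.0.2.5]) by lists.example.org"])
OUTSIDE = build("carol@example.org", ["from mail.example.org by mx.interlog.com"])
```

LOCAL scores 0, DIRECT and VIA_SECONDARY both score 1 (the extra ISP-to-ISP hop cancels itself out), MAILING_LIST scores 2 despite being legitimate, and OUTSIDE never enters the recipe.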

