procmail

Re: Identify a .forward[ed] message

1999-05-08 09:53:07
Brief note on mail setup:
Single user dialup connection.
My ISP is worldnet.  I use their SMTP server to send from my home Linux
machine.  My POP server is the on-line Newsguy.com POP server.

PSE-L(_at_)mail(_dot_)professional(_dot_)org (Professional Software Engineering) writes:

> > How can one identify easily, messages coming from a .forward mechanism
> > at a different address, in the case where no "To: " field is present?
>
> Not necessarily an easy task.
>
> > Received: from unknown ([38.29.28.100]) by mtiwgwc03.worldnet.att.net
> >          (InterMail v03.02.07 118 124) with SMTP
> >          id <19990508033151(_dot_)JUWU9634(_at_)unknown>;
> >          Sat, 8 May 1999 03:31:51 +0000
>
> Of course, you only give us ONE header to look at, so nobody here can see a
> complete example of what it is you actually have to work with -- worldnet
> _may_ be dropping a hint in there somewhere (possibly the specific server
> that handles forward mail?)

I've deleted that specific message but have included full headers from
a similar one below.  Also included headers from two other messages
for comparison.  One is a message sent by me from another (silcom.com)
machine to worldnet address.  The other is a message sent from that
same other machine to newsguy address.  So the one to worldnet address
has been forwarded from there and collected from newsguy.com POP
server, to my home machine (satellite).

> FTR, this header shows that worldnet.att.net received the message from some
> putz at 38.29.28.100 using a psi.net dialup in Las Vegas, NV

How did you figure out the "psi.net" part?

I said earlier that ALL my mail has worldnet host names in the
"Received: " headers.  Not true.  only forwards and messages sent from
that domain of course.  I think I may have gone into a state of Nirvana
or something, from looking too closely at mail headers.  The tipoff
was when I started seeing sheep jumping over a fence.  : )

So as you've pointed out the real test is between forwarded messages
and messages originating in worldnet.att.net domain.

Does it look like using '^Received:.*mtiwgwc.*worldnet.att.net' would
be sufficient? (the number after mtiwgwc seems to change on some mails)


Or maybe:

:0h 
* ! ^To:
* ^Received:.*worldnet\.att\.net.*newsguy\.com
likely-spam

Or can "Received: " lines be considered more than one line?

Still .. looks like it would not discern between a forward and an
actual sender.  Though it seems a missing "To: " field would be
unlikely in normal mail.

** Spam message with no "To: " field forwarded from worldnet address
   to newsguy address (I think)

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Note: The (chronologically) first "Received: " line indicates the
message was originally sent to worldnet's mail machine

X-From-Line: dedeirotzq1(_at_)bellsouth(_dot_)com  Fri May  7 01:31:27 1999
Return-Path: <dedeirotzq1(_at_)bellsouth(_dot_)com>
Received: from localhost (IDENT:reader(_at_)localhost [127.0.0.1])
        by satellite.local.lan (8.9.1/8.9.1) with ESMTP id BAA08240
        for <reader(_at_)localhost>; Fri, 7 May 1999 01:31:26 -0700
From: dedeirotzq1(_at_)bellsouth(_dot_)com
Received: from pop.newsguy.com
        by fetchmail-4.5.8 POP3
        for <reader/localhost> (single-drop); Fri, 07 May 1999 01:31:27 PDT
Received: from mtiwgwc07.worldnet.att.net (mtiwgwc07.worldnet.att.net [204.127.131.22])
        by newsguy.com (8.9.1a/8.9.1) with ESMTP id BAA64501
        for <reader(_at_)newsguy(_dot_)com>; Fri, 7 May 1999 01:11:27 -0700 (PDT)
Received: from mailer6.alaska.com ([153.34.61.21])
          by mtiwgwc07.worldnet.att.net (InterMail v03.02.07 118 124)
          with SMTP id <19990507081118(_dot_)XPEW12564(_at_)mailer6(_dot_)alaska(_dot_)com>;
          Fri, 7 May 1999 08:11:18 +0000
Subject: Feel Lucky? Just Qualify!
Date: Fri, 7 May 1999 02:24:38
X-Gnus-Mail-Source: file:/var/spool/mail/reader
Message-Id: <192(_dot_)247114(_dot_)224251(_at_)mailer6(_dot_)alaska(_dot_)com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-UIDL: fc0b494aa044292bbaa9c9dc24c2996a
Status: RO
X-Content-Length: 537
Xref: satellite.local.lan spam:2
Lines: 15

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

** Message sent from silcom address to worldnet address then forwarded to
newsguy address:

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Note: The second (chronologically) "Received: " line shows the
transaction where forwarding occurs (I think)


X-From-Line: djputnam(_at_)silcom(_dot_)com  Sat May  8 05:43:37 1999
Return-Path: <djputnam(_at_)silcom(_dot_)com>
Received: from localhost (IDENT:reader(_at_)localhost [127.0.0.1])
        by satellite.local.lan (8.9.1/8.9.1) with ESMTP id FAA02626
        for <reader(_at_)localhost>; Sat, 8 May 1999 05:43:36 -0700
Received: from pop.newsguy.com
        by fetchmail-4.5.8 POP3
        for <reader/localhost> (single-drop); Sat, 08 May 1999 05:43:36 PDT
Received: from mtiwgwc07.worldnet.att.net (mtiwgwc07.worldnet.att.net [204.127.131.22])
        by newsguy.com (8.9.1a/8.9.1) with ESMTP id FAA98798
        for <reader(_at_)newsguy(_dot_)com>; Sat, 8 May 1999 05:40:13 -0700 (PDT)
Received: from beach.silcom.com ([199.201.128.19])
          by mtiwgwc07.worldnet.att.net (InterMail v03.02.07 118 124)
          with ESMTP id <19990508123942(_dot_)TXNU3705(_at_)beach(_dot_)silcom(_dot_)com>
          for <readerx(_at_)worldnet(_dot_)att(_dot_)net>; Sat, 8 May 1999 12:39:42 +0000
Received: from beach.silcom.com (beach.silcom.com [199.201.128.19])
        by beach.silcom.com (Postfix) with SMTP id EF9D17B3
        for <readerx(_at_)worldnet(_dot_)att(_dot_)net>; Sat,  8 May 1999 05:39:39 -0700 (PDT)
Date: Sat, 8 May 1999 05:39:39 -0700 (PDT)
From: Harry Putnam <djputnam(_at_)silcom(_dot_)com>
To: readerx(_at_)worldnet(_dot_)att(_dot_)net
Subject: TEST Sent silcom acct/readerx(_at_)worldnet(_dot_)att(_dot_)net
X-Gnus-Mail-Source: file:/var/spool/mail/reader
Message-ID: <Pine(_dot_)SGI(_dot_)3(_dot_)93(_dot_)990508053533(_dot_)28496A-100000(_at_)beach(_dot_)silcom(_dot_)com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-UIDL: 6188243e10795d4efad72eeedd6eb46c
Xref: satellite.local.lan tests:32
Lines: 5

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

** Message sent directly from silcom address to newsguy address

Note: No worldnet host names at all

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
X-From-Line: djputnam(_at_)silcom(_dot_)com  Sat May  8 05:43:38 1999
Return-Path: <djputnam(_at_)silcom(_dot_)com>
Received: from localhost (IDENT:reader(_at_)localhost [127.0.0.1])
        by satellite.local.lan (8.9.1/8.9.1) with ESMTP id FAA02630
        for <reader(_at_)localhost>; Sat, 8 May 1999 05:43:37 -0700
Received: from pop.newsguy.com
        by fetchmail-4.5.8 POP3
        for <reader/localhost> (single-drop); Sat, 08 May 1999 05:43:37 PDT
Received: from beach.silcom.com (beach.silcom.com [199.201.128.19])
        by newsguy.com (8.9.1a/8.9.1) with ESMTP id FAA98898
        for <reader(_at_)newsguy(_dot_)com>; Sat, 8 May 1999 05:42:08 -0700 (PDT)
Received: from beach.silcom.com (beach.silcom.com [199.201.128.19])
        by beach.silcom.com (Postfix) with SMTP id A432D8E1
        for <reader(_at_)newsguy(_dot_)com>; Sat,  8 May 1999 05:42:07 -0700 (PDT)
Date: Sat, 8 May 1999 05:42:07 -0700 (PDT)
From: Harry Putnam <djputnam(_at_)silcom(_dot_)com>
To: reader(_at_)newsguy(_dot_)com
Subject: TEST sent from silcom acct/reader(_at_)newguy(_dot_)com
X-Gnus-Mail-Source: file:/var/spool/mail/reader
Message-ID: <Pine(_dot_)SGI(_dot_)3(_dot_)93(_dot_)990508053947(_dot_)28496B-100000(_at_)beach(_dot_)silcom(_dot_)com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-UIDL: 974b5692acfbe02fdd8d1e2a6d21dfcd
Xref: satellite.local.lan tests:30
Lines: 5
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
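The two questions raised in the post (whether a "Received:" line can span more than one physical line, and whether the Received: chain alone can tell a forward from a message that merely originated at worldnet) can be checked against the three header sets above. The script below is an added example, not code from the post or from procmail. It unfolds continuation lines the way an MTA folded them, pulls the from/by/for parts out of every Received: hop, orders the hops chronologically, and reports three things per message: whether a worldnet host handed the message to newsguy.com, whether worldnet's own hop names a worldnet recipient in its "for <...>" clause (the envelope evidence that the message went to the worldnet mailbox first), and whether a To: field exists. It also applies the post's own condition `^Received:.*worldnet\.att\.net.*newsguy\.com` with ordinary line-bounded matching (Python's `re` without DOTALL, where `.` stops at a newline) once to the folded block and once to the unfolded fields; check procmailrc(5) for how procmail's own `.` treats newlines. The three header blocks are constructed samples modelled on the ones in the post (hops trimmed, addresses written out plainly); the domain names are the post's, and the verdict labels are this example's own.

```python
import re
from collections import namedtuple

# Constructed sample header blocks modelled on the three messages in the post
# (hops trimmed, addresses written out, continuation lines indented the way an
# MTA folds them).  Sample input for this example, not the original headers.
FORWARDED_SPAM = """\
Received: from pop.newsguy.com
        by fetchmail-4.5.8 POP3 for <reader/localhost> (single-drop); Fri, 07 May 1999 01:31:27 PDT
Received: from mtiwgwc07.worldnet.att.net (mtiwgwc07.worldnet.att.net [204.127.131.22])
        by newsguy.com (8.9.1a/8.9.1) with ESMTP id BAA64501
        for <reader@newsguy.com>; Fri, 7 May 1999 01:11:27 -0700 (PDT)
Received: from mailer6.alaska.com ([153.34.61.21])
        by mtiwgwc07.worldnet.att.net (InterMail v03.02.07 118 124)
        with SMTP id <19990507081118.XPEW12564@mailer6.alaska.com>;
        Fri, 7 May 1999 08:11:18 +0000
From: dedeirotzq1@bellsouth.com
"""

FORWARDED_TEST = """\
Received: from mtiwgwc07.worldnet.att.net (mtiwgwc07.worldnet.att.net [204.127.131.22])
        by newsguy.com (8.9.1a/8.9.1) with ESMTP id FAA98798
        for <reader@newsguy.com>; Sat, 8 May 1999 05:40:13 -0700 (PDT)
Received: from beach.silcom.com ([199.201.128.19])
        by mtiwgwc07.worldnet.att.net (InterMail v03.02.07 118 124) with ESMTP id
        <19990508123942.TXNU3705@beach.silcom.com>
        for <readerx@worldnet.att.net>; Sat, 8 May 1999 12:39:42 +0000
From: Harry Putnam <djputnam@silcom.com>
To: readerx@worldnet.att.net
"""

DIRECT_TEST = """\
Received: from beach.silcom.com (beach.silcom.com [199.201.128.19])
        by newsguy.com (8.9.1a/8.9.1) with ESMTP id FAA98898
        for <reader@newsguy.com>; Sat, 8 May 1999 05:42:08 -0700 (PDT)
From: Harry Putnam <djputnam@silcom.com>
To: reader@newsguy.com
"""

Hop = namedtuple("Hop", "frm by rcpt")  # sending host, receiving host, 'for <addr>' or None
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
FOR_RE = re.compile(r"\bfor\s+<?([^>\s;]+)>?", re.I)
# The condition from the post, applied with line-bounded matching ('.' stops at a newline).
CONDITION = re.compile(r"^Received:.*worldnet\.att\.net.*newsguy\.com", re.M)


def unfold_headers(raw):
    """(name, value) pairs with continuation lines (leading whitespace) joined
    back onto their field, so a folded Received: becomes one value."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def received_hops(fields):
    """Received: hops oldest first (each relay prepends its own, so header order is newest first)."""
    hops = []
    for name, value in fields:
        if name.lower() != "received":
            continue
        m_from, m_by, m_for = (r.search(value) for r in (FROM_RE, BY_RE, FOR_RE))
        if m_from and m_by:
            hops.append(Hop(m_from.group(1).lower(), m_by.group(1).lower(),
                            m_for.group(1).lower() if m_for else None))
    hops.reverse()
    return hops


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def classify(raw, mailbox_domain="newsguy.com", forwarder_domain="worldnet.att.net"):
    """Summarise what the Received: chain says about how the message arrived."""
    fields = unfold_headers(raw)
    hops = received_hops(fields)
    has_to = any(name.lower() == "to" for name, _ in fields)
    # A forwarder host handed the message to the mailbox's own MX.
    relayed = any(in_domain(h.frm, forwarder_domain) and in_domain(h.by, mailbox_domain)
                  for h in hops)
    # The forwarder's own hop names a recipient in its domain: the message was
    # delivered to the forwarding mailbox first, which is the forward itself.
    addressed = any(in_domain(h.by, forwarder_domain) and h.rcpt is not None
                    and in_domain(h.rcpt.rpartition("@")[2], forwarder_domain)
                    for h in hops)
    if relayed and addressed:
        verdict = "forwarded"
    elif relayed:
        verdict = "relayed-ambiguous"  # no 'for' clause: forward and worldnet sender look alike
    else:
        verdict = "direct"
    return {"verdict": verdict, "has_to": has_to, "hops": hops}


def condition_matches(raw, unfold):
    """Apply CONDITION to the raw (folded) block, or to the unfolded fields."""
    text = "\n".join(f"{n}: {v}" for n, v in unfold_headers(raw)) if unfold else raw
    return CONDITION.search(text) is not None
```

Running `classify()` over the three samples gives "relayed-ambiguous" with no To: for the spam (worldnet's hop carries no "for" clause, so the hop chain alone cannot separate a forward from a worldnet sender, which is the gap the post notices), "forwarded" for the silcom-to-worldnet test (its worldnet hop says `for <readerx@worldnet.att.net>`), and "direct" for the silcom-to-newsguy test. `condition_matches()` is false for every sample on the folded block, because "worldnet.att.net" and "by newsguy.com" sit on different physical lines, and true for the two relayed samples once the fields are unfolded; a filter that wants to see the whole Received: field has to unfold it (or match across the fold) before the condition can work.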