
Re: Who Is This Addressed To & How Do I Stop This Spam?

2004-02-05 03:22:17
> Shown below is a header from spam that I have started getting. It does
> not have my email address in the To:Cc:Bcc fields.

Personally, the only time I've seen a visible 'Bcc:' field in the
headers is when it's blank. To my knowledge most 'Bcc:' lists are
transmitted by the sending MTA as 'envelope' data, that is: before the
'DATA' stage of the SMTP conversation with the sending MTA. Anything
after 'DATA' and before the termination of the conversation will be
expressed as either a visible header or in the body of the message. To
my mind, if a 'Bcc:' field is left visible in the headers populated
with addresses, it's either because the spammer _meant_ to do it as an
obfuscation tactic meant to confuse the recipient, or because the poor
sod has been sold some half-broken ratware that works just well enough
to spew his/her garbage across the internet. 

> How am I getting it and more importantly, how do I stop it?
>
> Received: from cpe-66-27-193-247.socal.rr.com
>     (cpe-66-27-193-247.socal.rr.com [66.27.193.247]) by
>     mail012.syd.optusnet.com.au (8.11.6p2/8.11.6) with SMTP id i12BpvS04539;

Extracting the IP that delivered to your ISP's mx and running a few
dnsbl lookups is a good start, and this can be done with procmail. If
you check out the archives I'm sure you'll find that it's been
discussed extensively. Ideally this is done at the SMTP level, but
possibly your ISP doesn't run such queries, or doesn't check the dnsbl
zones you'd like it to. BUT it looks to me like you're running
spamassassin locally (I just sorta doubt that your ISP is running a
relatively new distro like Libranet :-)

> X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on libranet
> X-Spam-Level:
> X-Spam-Status: No, hits=0.4 required=6.0 tests=BAYES_01,HTML_MESSAGE,
>     MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,RCVD_IN_DSBL,
>     RCVD_IN_SORBS,SUBJ_HAS_SPACES autolearn=no version=2.61

so you *could* just tweak the scores allocated to certain dnsbl zones
in your user_prefs file to have more weight (or lower the total
overall required score to mark a message as spam -- IMHO avoid doing
this as opposed to tweaking the weight of individual tests to lessen
the risk of false positives; see spamassassin.org for a breakdown on
what all the tests actually look for). 


Regards,

Robert Arnold
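
The lookup described in the reply above, as an added example that is not part of the original post: it takes the relay IP from the Received: header stamped by the ISP's own MX, builds the reversed-octet DNSBL query name, and treats an answer in 127.0.0.0/8 as "listed". The zone `dnsbl.example.org` is a placeholder and the function names are hypothetical; a procmail recipe could pipe the message headers to a script like this.

```python
import ipaddress
import re
import socket

# Constructed input: the Received: header quoted in the post, unfolded.
SAMPLE_RECEIVED = (
    "Received: from cpe-66-27-193-247.socal.rr.com "
    "(cpe-66-27-193-247.socal.rr.com [66.27.193.247]) by "
    "mail012.syd.optusnet.com.au (8.11.6p2/8.11.6) with SMTP id i12BpvS04539;"
)
ZONE = "dnsbl.example.org"  # placeholder zone, not a real list

_RECEIVED = re.compile(
    r"Received:\s*from\s+(?P<src>.*?)\s+by\s+(?P<by>[\w.-]+)", re.I | re.S)
_BRACKETED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ip(received_headers, trusted_suffix):
    """IP that handed the message to the first MX we trust (top-most first).

    Only a header stamped "by" our own ISP's MX counts; hosts named in
    other Received: lines are supplied by the sender and can be forged.
    """
    for raw in received_headers:
        m = _RECEIVED.match(re.sub(r"\r?\n[ \t]+", " ", raw))  # unfold
        if not m:
            continue
        by = m.group("by").lower()
        if by != trusted_suffix and not by.endswith("." + trusted_suffix):
            continue
        found = _BRACKETED.search(m.group("src"))
        if not found:
            continue
        try:
            ip = ipaddress.ip_address(found.group(1))
        except ValueError:  # e.g. [999.1.1.1]
            continue
        if not (ip.is_private or ip.is_loopback):  # skip internal hops
            return str(ip)
    return None


def dnsbl_query_name(ip, zone=ZONE):
    """66.27.193.247 is queried as 247.193.27.66.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip, zone=ZONE, resolve=socket.gethostbyname):
    """True if the zone answers with a 127.0.0.0/8 address; NXDOMAIN is False."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False
    return answer.startswith("127.")
```

The `resolve` parameter exists so the lookup can be exercised without network access; in normal use the default resolver is used.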
