The spam that I see arriving at my organization contains originating
RECEIVED headers with an originating DOMAIN NAME + ([IP address]) which do
not resolve to one another.
This recent spam email for "body enhancement" contains
Received: header entries showing "two hops" prior to arriving
at the University campus mail forwarder, which then forwards
the email to my mail server. (No, the university mail gateway doesn't
kill spam, but that's another issue.... I'm not involved at
the gateway.)
-- Spam Example ---
Received: from amrer.net ([211.195.195.78])
Received: from oceanebi.com (sitemail.everyone.net [209.249.170.32])
- - - - - - - - -
Neither of these Received header IP addresses resolves
exactly to the listed domain name beside the IP entries.
However, the second line does resolve to a different server
on the 'everyone.net' domain.
If one were to scan the Received headers (top -> down) which are not
from your own domain (you who received the mail), then these entries
could be used to kill spam.
Using the FROM: line is a waste of time, since a lot of people send
legitimate email from their home internet ISPs, addressed as though
it were from their work accounts, when they work from home.
My computer users do this, so I don't try to reference FROM: addresses
at all.
I'm still quite a novice with Procmail scripting; maybe someone on the
list could quickly assemble a sample script for everyone? Would
the assumption be correct to check for matching in the headers?
- Chris Payne
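As an added example (not from this post or from procmail itself), here is a Python check for what Chris describes: parse each Received: header into its HELO name, reverse-DNS name and bracketed IP, skip the hops belonging to your own domain, and flag hops whose HELO name does not forward-resolve to the connecting IP. The sample is constructed from the two hops quoted above plus a hypothetical campus forwarder mail.example.edu; the resolver is injectable so the check can be exercised offline.

```python
import re
import socket

# Sendmail-style "from <HELO> (<reverse-DNS name> [<IP>])" or "from <HELO> ([<IP>])"; the rest is ignored.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)", re.I)

# Constructed sample, newest hop first: hypothetical campus forwarder, then the two hops from the post.
SAMPLE_RECEIVED = [
    "from mail.example.edu (mail.example.edu [192.0.2.10]) by mx.example.edu",
    "from amrer.net ([211.195.195.78]) by mail.example.edu",
    "from oceanebi.com (sitemail.everyone.net [209.249.170.32]) by amrer.net",
]

def parse_received(value):
    """HELO name, reverse-DNS name and IP from a Received: value; None if it has no '[ip]' part."""
    m = RECEIVED_RE.match(value.strip())
    if not m:
        return None
    rdns = m.group("rdns")
    return {"helo": m.group("helo").lower(), "rdns": rdns.lower() if rdns else None, "ip": m.group("ip")}

def dns_resolve(name):
    """Forward-resolve a name to its addresses; empty list if it does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def hop_verdict(hop, resolve):
    """'ok' if the HELO name forward-resolves to the connecting IP; otherwise
    'rdns-only' when the MTA at least recorded a reverse-DNS name, else 'mismatch'."""
    if hop["ip"] in resolve(hop["helo"]):
        return "ok"
    return "rdns-only" if hop["rdns"] else "mismatch"

def check_received(received, own_domain, resolve=dns_resolve):
    """Walk Received: headers top-down, skip hops inside own_domain, return (helo, ip, verdict) per hop."""
    own = own_domain.lower()
    results = []
    for value in received:
        hop = parse_received(value)
        if hop is None:
            continue
        names = [n for n in (hop["helo"], hop["rdns"]) if n]
        if any(n == own or n.endswith("." + own) for n in names):
            continue  # our own forwarder; nothing to verify
        results.append((hop["helo"], hop["ip"], hop_verdict(hop, resolve)))
    return results
```

Procmail cannot do DNS lookups itself, so a recipe would pipe the headers to a script like this and act on its verdicts; treat 'rdns-only' as weaker evidence than 'mismatch', since many legitimate hosts HELO with a name that differs from their reverse DNS.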
Ruud H.G. van Tol wrote:
> Lloyd Standish:
>> Once spam is positively identified as
>> coming from a given SERVER-IP, then all mail coming from that server
>> could automatically be assigned a degree of suspicion.
>
> No, that is already done at the SMTP level. Read about DNSBL.
> The human-greylisting I propose works on the triple, not on any of the
> elements apart. It comes after a lot of other filtering that will
> already get rid of 80% or more of the unwanted messages.
>
>> I understand that the envelope SMTP-MAIL-FROM might easily be forged,
>> the same as the message headers - correct?
>
> Yes, but that won't matter much. Most messages with faked addresses will
> already be either SMTP-rejected (by any of the Sendmail milters) or
> filtered out by SpamAssassin (most on DCC_CHECK or some URIBL_xx_BL
> status).
>
>> (I'm receiving list mails in digest mode, so I can't make my replies
>> follow threads, sorry.)
>
> Better change that. formail can split up digests.
> See also news://news.gmane.org/gmane.mail.procmail
____________________________________________________________
procmail mailing list Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail