procmail

Re: filtering UCE with Received: and From: analysis

2012-07-26 16:30:40
Professional Software Engineering wrote on Thu-26-Jul 12  5:22PM
> At 05:15 2012-07-26, Eric Smith wrote:
>> Has anyone devised a recipe for checking to see if there is some
>> match between the Received: header(s) and the From: and From_
>> headers?
>
> Well, pretty universally, From: and From_ won't match on _list_
> messages, and increasingly with auto bounce handling and such, even
> if the List identifies itself as the From: (say, a digest), versus
> merely the Sender:, the From: may have an encoded version of the
> recipient's address in it, possibly with a specific transaction code
> (allowing the list mailsystem to deal with the wide variety of
> bounce formats by just homing in on the address the message bounced
> to).
>
> What sort of correlation are you expecting to find between the From:
> and a Received: header?  Perhaps you could lay out a set of expected
> correlations and ask how to actually check for them.

Thanks Sean

List mail? I am not considering list mail. I have recipes to
identify list mail and these are all removed before this
check which is for spam. So in a lot of spam, the From and the
From_ headers are forged and the received headers are not.

So my idea is that when the domains in the From/From_ do not
match the domains in the Received, then this is a good scoring
mechanism for spam. Of course people use messagelabs, google and
other MTAs, so you could weed these out of the false positive
list by having a list of allowed Received hosts.

I hope that makes sense.

Eric Smith

____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)de
http://mailman.rwth-aachen.de/mailman/listinfo/procmail
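
The scoring idea from the message above, sketched as an added example that is not code from the thread: it compares the From: and From_ domains with the hosts named in the Received: "from" clauses and skips mail handed over by an allowed relay. The allowlist contents, the two-label `base_domain` reduction, the function names and the sample messages are assumptions made for illustration.

```python
import email
import re
from email.utils import parseaddr

# Assumption: third-party relays that legitimately carry mail for other domains.
ALLOWED_RELAYS = {"messagelabs.com", "google.com"}
HOST = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

def base_domain(host):
    # Crude: last two labels. A production filter would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def received_domains(msg):
    """Base domains named in the 'from' clause of every Received: header."""
    found = set()
    for hdr in msg.get_all("Received", []):
        if hdr.lstrip().lower().startswith("from"):
            from_clause = re.split(r"\sby\s", hdr, maxsplit=1)[0]
            found.update(base_domain(h) for h in HOST.findall(from_clause))
    return found

def sender_domains(msg):
    """Base domains of the From: header and the mbox From_ envelope line."""
    addrs = [parseaddr(msg.get("From", ""))[1]]
    parts = (msg.get_unixfrom() or "").split()  # "From addr date..." or None
    if len(parts) > 1:
        addrs.append(parts[1])
    return {base_domain(a.rsplit("@", 1)[1]) for a in addrs if "@" in a}

def mismatch_score(raw):
    """Count sender domains that no Received: 'from' clause accounts for."""
    msg = email.message_from_string(raw)
    rcvd = received_domains(msg)
    if rcvd & ALLOWED_RELAYS:
        return 0  # handed over by an allowed relay: do not score
    return len(sender_domains(msg) - rcvd)

def sample(env_from, rcvd_host, hdr_from):
    # Constructed test message in mbox form (reserved example domains only).
    return (f"From {env_from} Thu Jul 26 16:30:40 2012\n"
            f"Received: from {rcvd_host} ({rcvd_host} [192.0.2.77])\n"
            "\tby mx.recipient.example with SMTP; Thu, 26 Jul 2012 16:30:40 +0200\n"
            f"From: {hdr_from}\nSubject: constructed sample\n\nbody\n")

FORGED = sample("mailer@bulk.invalid", "host77.dialup.test", '"Bank" <info@bank.example>')
DIRECT = sample("alice@corp.example", "smtp.corp.example", "alice@corp.example")
RELAYED = sample("bob@shop.example", "mail-out.google.com", "Bob <bob@shop.example>")
```

Only the Received: lines added by hosts you control can be trusted; everything below them is supplied by the sending side, so a real filter should restrict the comparison to those topmost lines.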
