At 14:00 2012-07-26, Eric Smith wrote:
List mail? I am not considering list mail. I have recipes to
identify list mail and these are all removed before this
check which is for spam. So in a lot of spam, the From and the
From_ headers are forged and the received headers are not.
Really?
Over the years, I've found a lot of Received: headers are
forged. The spammer tosses a few extras in there so that people
backtracking looking for the originating host get nowhere useful. Of
course, the bulk of messages these days are simply being relayed by
zombie/botnetted PCs, but still, it's a good indicator.
You should check out my spewhosts.rc file sometime. Requires a
smidge of maintenance on the list (which admittedly, I haven't done
in ages). I use it to basically flag stuff like From: hotmail not
coming from an identifiable hotmail host. Since it's not a 100% spam
indicator, just a contributor, it's not a big deal to end up with an
occasional mis-flag.
So my idea is that when the domains in the From/From_ do not
match the domains in the Received, then this is a good scoring
mechanism for spam. Of course people use messagelabs, google and
other MTAs, so you could weed these out of the false positive
list by having a list of allowed Received hosts.
That's what my spewhosts recipe does, but you've got to populate the
list of allowed hosts.
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
____________________________________________________________
procmail mailing list Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)de
http://mailman.rwth-aachen.de/mailman/listinfo/procmail
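
The check discussed in this thread, sketched in Python as an added example; it is not part of the original messages and is not the spewhosts.rc recipe. The allow list, function names and sample messages are assumptions constructed for illustration, and only the topmost Received: header (the one written by the receiving MTA, assumed Postfix-style) is consulted, since lower ones can be forged.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow list: From: domain -> relay domains accepted for it.
ALLOWED_RELAYS = {"hotmail.com": ("hotmail.com", "outlook.com")}

# Assumes Postfix-style "from HELO (rDNS [ip]) by ..." Received: lines.
RECEIVED_FROM = re.compile(r"^from\s+(\S+)(?:\s+\(([^\s\[\)]+))?", re.I)

def relay_hosts(msg, trusted_hops=1):
    """Hosts from the topmost Received: headers, the ones our own MTA wrote.
    Anything below them is supplied by the sender and may be forged."""
    hosts = []
    for hdr in (msg.get_all("Received") or [])[:trusted_hops]:
        m = RECEIVED_FROM.match(" ".join(hdr.split()))
        if m:
            helo, rdns = m.groups()
            # Prefer the rDNS name our MTA looked up over the claimed HELO.
            hosts.append((rdns or helo).lower().rstrip("."))
    return hosts

def from_mismatch_score(raw, weight=2):
    """Return `weight` when a listed From: domain arrives via an unlisted host."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    allowed = ALLOWED_RELAYS.get(domain)
    if not allowed:
        return 0  # domain not on the list: this check has no opinion
    for host in relay_hosts(msg):
        if any(host == d or host.endswith("." + d) for d in allowed):
            return 0
    return weight  # a contributor to the spam score, not a verdict

# Constructed samples (documentation addresses, not real traffic).
SPOOFED = (
    "Received: from hotmail.com (dsl-9.example.net [203.0.113.9]) by mx.example.org\n"
    "Received: from mail.hotmail.com (mail.hotmail.com [192.0.2.1]) by hotmail.com\n"
    "From: Bob <bob@hotmail.com>\nSubject: hi\n\nbody\n")
GENUINE = (
    "Received: from a.hotmail.com (a.hotmail.com [198.51.100.7]) by mx.example.org\n"
    "From: Bob <bob@hotmail.com>\nSubject: hi\n\nbody\n")

if __name__ == "__main__":
    print(from_mismatch_score(SPOOFED), from_mismatch_score(GENUINE))
```

In the spoofed sample the second Received: line claims a hotmail host, but it sits below the trusted hop and is ignored, so the message is still flagged.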