Usually spam messages don't contain forged mailfrom addresses. But theoretically it's
possible. Especially spam coming from compromised zombie computers can easily have
real, existing, forged mailfrom addresses.

The German political spam messages from yesterday are coming from such zombies
(Sober.G-infected computers) and do have forged mailfrom addresses. And finally the
spam message usually contains one real and a dozen randomly generated recipient
addresses.

So besides the wave of spam messages, now we have to fight against a big wave of
useless NDRs.

As I can see, NDRs are difficult to handle, because they come from legit mailservers,
the mail header has nothing to do with the original mail header (besides the same
message ID?) and they don't even contain the original message content in the body.
Some MTAs attach the original message, others include only the original headers.

In my opinion it would be a good solution to think about a new test that is able to
identify
- original mail headers in the body of the NDR
- possibly also part of the original, but maybe truncated, body below these headers
- attachments of the original message in the NDR

If any of this content or attachment is in the NDR, run all the other spam tests (IP4R,
text-filter, external tests, ...).

Or are there other (simpler) solutions for this?
Markus
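An added example, not from Markus's message or from any tool mentioned in it: using only Python's standard `email` package, it recognises a multipart/report NDR and pulls out whatever survives of the bounced message (headers only, or the whole attached original) so the other spam tests can be run on that instead of on the bounce itself. The sample NDR and every address in it are constructed placeholders.

```python
import email.policy
from email.parser import BytesParser, HeaderParser

# Constructed sample NDR (placeholder addresses, not a real bounce): a multipart/report
# DSN whose last part carries only the headers of the bounced message, as some MTAs do.
SAMPLE_NDR = b"""\
From: MAILER-DAEMON@mx.example.net
To: victim@example.org
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@example.net
Action: failed
--B1
Content-Type: text/rfc822-headers

From: victim@example.org
To: nobody@example.net
Subject: Deutschland
Received: from zombie.example ([192.0.2.10]) by mx.example.net
--B1--
"""

def extract_original(raw: bytes):
    """Return None if `raw` is not a DSN, else what survives of the bounced message."""
    msg = BytesParser(policy=email.policy.default).parsebytes(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        return None
    found = {"headers": {}, "body": None, "attachments": []}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":            # MTA attached the whole original
            orig = part.get_payload(0)
            found["headers"] = {k: str(v) for k, v in orig.items()}
            body = orig.get_body(preferencelist=("plain",))
            found["body"] = body.get_content() if body is not None else None
            found["attachments"] = [a.get_filename() for a in orig.iter_attachments()]
        elif ctype == "text/rfc822-headers":     # MTA included only the original headers
            hdrs = HeaderParser(policy=email.policy.default).parsestr(part.get_content())
            found["headers"] = {k: str(v) for k, v in hdrs.items()}
    return found

# The gating Markus proposes: hand the NDR to the other spam tests only when
# something of the original message survived in it.
def worth_testing(found) -> bool:
    return found is not None and bool(found["headers"] or found["body"] or found["attachments"])
```

Repeated headers such as multiple Received lines collapse into one dict entry here; keep the parsed message object instead if the other tests need all of them.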
