Hi,

Recently I noticed that I have mails with mail headers like this:

Received: perfectly normal things can be seen here because it's already our system
Received: from [109.91.80.133] (HELO VKYNBXL) by moln-51ca578dee (8.14.3/8.14.3) with SMTP id 39875026 for dma...@xxxxxx.xx; Thu, 28 Apr 2011 12:18:23 +0100Message-ID: <000001cc058d9b29143085505b6d@moln51ca578 dee>From: "Lakia Kerry" <pdrgvjfti...@nk-cross.nl>To: dmason@xxxxxx.xxSubject: V!arga porfessional - first sSDate: Thu, 28 Apr 2011 12:18:23 +0100MIME-Version: 1.0Content-Type: multipart/alternative; boundary="----=_NextPart_000_0000_01CC058D.9B291430"X-Priority: 3X-MSMail-Priority: NormalX-Mailer: Microsoft Outlook Express 6.00.2900.2075X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3529This is a multi-part message in MIME format.------=_NextPart_000_0000_01CC058D.9B291430Content-Type: text/plain; charset="us-ascii"Content-Transfer-Encoding: quoted-printableon=20the=20blocks=20meaning=20of=20the=20first=20two=20verses=20is=20that=20heaven=20and=20earth=20=20http=

I noticed because some of them are "stuck" in the queue, so I checked them with postcat. It seems there are tons of spams like this (I checked some similar happenings; the content itself was about viagra and such), and I am very curious what can cause this: as you can see, the intended headers created by the spammer (after those - in SMTP hops "after", I meant - the headers are OK for sure) somehow miss the line breaks, so almost everything seems to be given as one Received: header. Since it can't be the goal of the spammer, it's really interesting what caused this. Maybe it's a stupid spam botnet, or so, with major problems implementing SMTP and its friends? :)

Anyway, the important part, and maybe a more important question as well: what do you think if I use a header_check which tries to filter out this kind of "things come as one Received: header line for some reason"? What would be the best way for that? Currently I am trying with:

/^Received: .*Message-ID:.*From:.*To:/ REJECT Message content seems to be spam.

in the header_checks pcre table.

thanks,
- Gábor
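The following is an added example, not code from the post or from Postfix: a small Python simulation of how the proposed header_checks rule would behave. It assumes the documented Postfix behaviour that patterns are matched against whole logical headers (folded continuation lines are joined first) and that pcre tables match case-insensitively by default; the two header blocks are constructed samples in the same shape as the one in the post.

```python
import re

# The header_checks rule from the post. Postfix pcre tables match
# case-insensitively by default, hence re.IGNORECASE.
RULES = [
    (re.compile(r"^Received: .*Message-ID:.*From:.*To:", re.IGNORECASE),
     "REJECT Message content seems to be spam."),
]


def logical_headers(raw):
    """Split a raw header block into logical headers, unfolding
    continuation lines (those starting with whitespace) as Postfix does."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line:
            headers.append(line)
    return headers


def check_headers(raw):
    """Return the action of the first matching rule, or 'OK' if none hits."""
    for header in logical_headers(raw):
        for pattern, action in RULES:
            if pattern.search(header):
                return action
    return "OK"


# Constructed samples (not the original mail): the glued form the post
# describes, and a well-formed block for the same hop.
GLUED = (
    "Received: from [192.0.2.10] (HELO EXAMPLE) by mx.example.net (8.14.3/8.14.3)\n"
    "\twith SMTP id 12345 for user@example.net; Thu, 28 Apr 2011 12:18:23 +0100"
    "Message-ID: <0001@example>From: \"Someone\" <x@example.org>To: user@example.net"
    "Subject: test\n"
)
NORMAL = (
    "Received: from [192.0.2.10] (HELO EXAMPLE) by mx.example.net (8.14.3/8.14.3)\n"
    "\twith SMTP id 12345 for user@example.net; Thu, 28 Apr 2011 12:18:23 +0100\n"
    "Message-ID: <0001@example>\n"
    "From: \"Someone\" <x@example.org>\n"
    "To: user@example.net\n"
    "Subject: test\n"
)

if __name__ == "__main__":
    print(check_headers(GLUED))   # REJECT Message content seems to be spam.
    print(check_headers(NORMAL))  # OK
```

Only the glued block is rejected, because its Message-ID:, From: and To: fields all sit inside the single Received: logical header; in the well-formed block those are separate headers and the Received: line alone never matches.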