> -----Original Message-----
> From: Martin Radford [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 30, 2003 5:55 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Intriguing header forgery
>
>
> Hi all,
>
> Now I admit that I don't regularly read all the headers of spam that I
> receive, but this one intrigued me. Take a look at its Received
> headers:
>
> > Received: from tele-punt-22.mail.demon.net
> >     (tele-punt-22.mail.demon.net [194.217.242.7])
> >     by zamenhof.demon.co.uk (8.9.3/8.9.3) with SMTP id WAA02238
> >     for <[EMAIL PROTECTED]>; Mon, 30 Jun 2003 22:19:20 +0100
> > Received: from punt-2.mail.demon.net by mailstore
> >     for [EMAIL PROTECTED] id 1057007496:20:09354:8;
> >     Mon, 30 Jun 2003 21:11:36 GMT
> > Received: from [61.153.213.130] ([61.153.213.130]) by punt-2.mail.demon.net
> >     id aa2111511; 30 Jun 2003 21:11 GMT
> > Received: from [202.79.123.71] by 194.217.242.6 with ESMTP
> >     id 0FFDFD45CF0; Tue, 01 Jul 2003 02:05:32 +0400
>
> What's interesting is that the header at the bottom is clearly forged -
> 194.217.242.6 *is* punt-2.mail.demon.net, which is one of the two MX
> records for my domain zamenhof.demon.co.uk. The genuine Received
> header is the one above.
>
> Is this a new spammer trick - to forge a Received header that refers
> to the recipient's legitimate MX? Presumably the intention is to try
> to mislead anyone (or anything) which is trying to trace the spammer -
> or at least throw them off course.
>
> Is this common?
>
> Martin
> --
> Martin Radford | "Only wimps use tape backup: _real_
I have a rule called MY_IP that has 100% hit rate on spam. It simply looks for:

Received: from [X.X.X.X] by whatever........

Where x.x.x.x is my mail server IP address. I remember showing this rule here before and Matt had to take a second glance at it. You should NEVER see your IP like this. It is a dead giveaway and probably the best rule I have come up with to date. Just change X's to your mail IP. Change the score to whatever you want. But I've had 0 FPs.

# brackets optional, so both "from [x.x.x.x]" and "from x.x.x.x" match
header MY_IP Received =~ /\bfrom \[?x\.x\.x\.x\b\]?/i
describe MY_IP Why would I get email from myself?
score MY_IP 5.0

HTH

Chris Santerre
System Admin
"A little nonsense now and then, is relished by the wisest men." - Willy Wonka

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
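Both forgeries in this thread, a hop claiming the recipient's own MX received the mail (Martin's bottom header) and a hop claiming the mail came from the recipient's own server (what Chris's MY_IP rule catches), as one detection check in Python. This is an added example, not code from either poster or from SpamAssassin; the Received chain is a constructed sample modeled on the headers quoted above, OWN_IPS holds the punt-2.mail.demon.net address named in the thread, and the "by" check assumes your own MTAs always stamp a hostname rather than a bare IP.

```python
import re
from email import message_from_string

# Constructed sample modeled on the Received chain quoted in the thread;
# the last hop is the forged one ("by 194.217.242.6", the recipient's MX,
# written as a bare IP literal instead of its hostname).
SAMPLE = (
    "Received: from tele-punt-22.mail.demon.net (tele-punt-22.mail.demon.net [194.217.242.7])\n"
    "\tby zamenhof.demon.co.uk (8.9.3/8.9.3) with SMTP id WAA02238;\n"
    "\tMon, 30 Jun 2003 22:19:20 +0100\n"
    "Received: from punt-2.mail.demon.net by mailstore id 1057007496:20:09354:8;\n"
    "\tMon, 30 Jun 2003 21:11:36 GMT\n"
    "Received: from [61.153.213.130] ([61.153.213.130]) by punt-2.mail.demon.net\n"
    "\tid aa2111511; 30 Jun 2003 21:11 GMT\n"
    "Received: from [202.79.123.71] by 194.217.242.6 with ESMTP\n"
    "\tid 0FFDFD45CF0; Tue, 01 Jul 2003 02:05:32 +0400\n"
    "Subject: constructed sample\n\nbody\n"
)
# Constructed: the shape Chris's MY_IP rule catches (mail claiming to come from our own server).
SELF_SAMPLE = "Received: from [194.217.242.6] by mx.example.invalid with SMTP;\n\tMon, 30 Jun 2003 21:00:00 GMT\n\nbody\n"

OWN_IPS = {"194.217.242.6"}  # punt-2.mail.demon.net, the MX named in the thread

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FROM_IP = re.compile(r"\bfrom\s+\[?" + IPV4 + r"\]?", re.I)  # "from [1.2.3.4]" or "from 1.2.3.4"
BY_IP = re.compile(r"\bby\s+\[?" + IPV4 + r"\]?", re.I)      # "by 1.2.3.4"

def forged_received(raw, own_ips):
    """Return (hop_index, reason, header) for every Received header that names
    one of our own addresses where a genuine hop never would. Index 0 is the
    newest hop; the forged ones sit deeper in the chain."""
    hits = []
    for i, hdr in enumerate(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(hdr.split())  # unfold continuation lines
        m = FROM_IP.search(flat)
        if m and m.group(1) in own_ips:
            hits.append((i, "from_own_ip", flat))  # Chris's rule: "from" is us
            continue
        m = BY_IP.search(flat)
        if m and m.group(1) in own_ips:
            # Martin's case: hop claims our MX received it, stamped as a bare IP.
            # Assumption: our own MTAs always write their hostname in "by".
            hits.append((i, "by_own_ip_literal", flat))
    return hits

if __name__ == "__main__":
    for hop, reason, hdr in forged_received(SAMPLE, OWN_IPS) + forged_received(SELF_SAMPLE, OWN_IPS):
        print(f"hop {hop}: {reason}: {hdr[:60]}")
```

Scoring the "by" case is only safe once you have confirmed from your own MTA's logs what its genuine Received stamp looks like; a site whose MX does write a bare IP would see false positives.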