Hi,

although I'm definitely not a SpamAssassin expert, I observed a pattern
that was present in roughly half the spam mails I got during the last
weeks.

--- snip ---
Received: from 134.34.240.60 (unknown [202.99.169.213])
        by guanin.uni-konstanz.de (Postfix) with SMTP
        id 00DC026A9EE; Mon, 25 Aug 2003 18:48:39 +0200 (MEST)
Received: from sq2.kn923p2.org [245.227.70.53] by 134.34.240.60 id
--- snap ---

Our incoming mail server is guanin.uni-konstanz.de, with IP
134.34.240.60. Obviously the spammer sent this IP with the HELO command.

I have no idea how to write SpamAssassin patterns, but shouldn't it be
possible to do something like

Received: from {IP1} ({domainname1} [{IP2}]) from {domainname2}

If {IP1} != {IP2} we could give points, even more points we should give
if {IP1} is the IP of {domainname2}.

I'm using SpamAssassin 2.55 with the DNS lookup features, together with
procmail. And it does not seem to have a pattern like this yet.

Regards,

Jens

-- 
Jens Teubner
University of Konstanz, Department of Computer and Information Sciences

This email was written with 100% recycled electrons.
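
The check proposed in the message above, sketched in Python as an added example (not part of the original post and not SpamAssassin code): it parses the Postfix-style Received line written by the receiving server and flags a HELO that is an IP literal different from the connecting address, and separately a HELO that is one of the receiver's own addresses. The finding names, the `own_ips` parameter and the benign header are assumptions made for illustration.

```python
import ipaddress
import re

# Postfix-style trace line: "from <HELO> (<rDNS> [<peer IP>]) by <receiver>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<peer>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

def as_ip(text):
    """Return an ip_address if text is an IP literal (bare or [bracketed]), else None."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None

def helo_findings(received, own_ips):
    """Inspect the Received header added by our own MX (the only one we can trust).

    own_ips: addresses of our receiving servers, supplied by the operator.
    Returns a list of (hypothetical) finding names; empty if nothing matched.
    """
    m = RECEIVED_RE.search(" ".join(received.split()))  # unfold continuation lines
    if not m:
        return []
    helo, peer = as_ip(m.group("helo")), as_ip(m.group("peer"))
    if helo is None or peer is None:
        return []  # HELO was a hostname, so the IP comparison does not apply
    findings = []
    if helo != peer:
        findings.append("HELO_IP_MISMATCH")
        # A remote peer announcing one of our own addresses is the stronger signal.
        if helo in {ipaddress.ip_address(ip) for ip in own_ips}:
            findings.append("HELO_IS_OWN_IP")
    return findings

# Header quoted in the message above, and a constructed benign header.
SPAM = """from 134.34.240.60 (unknown [202.99.169.213])
        by guanin.uni-konstanz.de (Postfix) with SMTP
        id 00DC026A9EE; Mon, 25 Aug 2003 18:48:39 +0200 (MEST)"""
HAM = ("from mail.example.org (mail.example.org [192.0.2.10]) "
       "by guanin.uni-konstanz.de (Postfix) with ESMTP id CONSTRUCTED1")

if __name__ == "__main__":
    for header in (SPAM, HAM):
        print(helo_findings(header, ["134.34.240.60"]))
```

Only the topmost Received header, the one written by the local server, should be passed in, since earlier ones are under the sender's control.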


Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk