I have noticed that some spam engines (zombies?) use the receiving relay's IP address as the HELO name, presumably trying to look like a trusted source. I made a simple test for this, and it triggers for nearly 10% of inbound spam.
# substitute your relay's numeric IP address for AAA BBB CCC DDD below
header   PT_SPOOFME  Received =~ /from AAA\.BBB\.CCC\.DDD/
describe PT_SPOOFME  pretending to be from ourselves!
score    PT_SPOOFME  3.0

I can't imagine a configuration where a relay would receive mail from itself; that's the definition of a mail loop. (And if it did, it would use the loopback interface...) Therefore I gave this test a pretty high score. I have been using it for at least a month with no FPs.

Does anyone want to run a mass check against a large corpus? Has anyone seen a valid sending MTA that behaves this way? Improvements?

[BTW, it was neat to see my crude "WORDWORD" test taken to pieces. Someone streamlined the regexp, several more tweaked it, it got a new name and a second-level test, and now we have another weapon against Bayes poison. Keep up the good work!]

Pierre Thomson
BIC

# a sample spam header fragment as seen by SA on a box with address 64.72.85.5 :
Received: from 64.72.85.5 ([219.248.110.109])
    by mail1.rifton.com (8.11.6/8.11.6) with SMTP id i0EJC2Z07868
    for <[EMAIL PROTECTED]>; Wed, 14 Jan 2004 14:12:02 -0500
Received: from [219.248.110.109] by 3001hosting.comIP with HTTP;
    Thu, 15 Jan 2004 00:09:43 +0500

# and another spam from a different X-mailer:
Received: from 64.72.85.5 (c-24-2-238-98.client.comcast.net [24.2.238.98])
    by mail1.rifton.com (8.11.6/8.11.6) with SMTP id i0EJM4Z09102
    for <[EMAIL PROTECTED]>; Wed, 14 Jan 2004 14:22:06 -0500
Received: from [46.12.70.8] by 64.72.85.5 with SMTP;
    Wed, 14 Jan 2004 05:11:32 -0200

# and a valid mail from a known ISP:
Received: from imo-r08.mx.aol.com (imo-r08.mx.aol.com [152.163.225.104])
    by mail1.rifton.com (8.11.6/8.11.6) with SMTP id i0EJhYZ12005
    for <[EMAIL PROTECTED]>; Wed, 14 Jan 2004 14:43:34 -0500
Received: from [EMAIL PROTECTED] by imo-r08.mx.aol.com (mail_out_v36_r4.12.)
    id r.1e1.1761647e (18555); Wed, 14 Jan 2004 14:41:05 -0500 (EST)

_______________________________________________
Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
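To make the check concrete, here is an added example (not from the post and not SpamAssassin's own code) that parses the Received headers quoted above, picks out the HELO argument after "from", and compares it token-for-token against the relay's address. It also runs the post's regexp as written over a constructed near-miss header, so you can see that without a trailing boundary "from 64.72.85.50" matches the pattern for 64.72.85.5 as well; the exact-token comparison is the example's own refinement. The three message header sets are transcribed from the post; the near-miss header and the function names (helo_claims_relay_ip, score_message and so on) are the example's own.

```python
import re

# Address of the receiving relay in the post's examples (the box running SA).
RELAY_IP = "64.72.85.5"

# Received headers transcribed from the post, one list per message, top-most first.
SPAM1 = [
    "Received: from 64.72.85.5 ([219.248.110.109]) by mail1.rifton.com (8.11.6/8.11.6) "
    "with SMTP id i0EJC2Z07868 for <[EMAIL PROTECTED]>; Wed, 14 Jan 2004 14:12:02 -0500",
    "Received: from [219.248.110.109] by 3001hosting.comIP with HTTP; "
    "Thu, 15 Jan 2004 00:09:43 +0500",
]
SPAM2 = [
    "Received: from 64.72.85.5 (c-24-2-238-98.client.comcast.net [24.2.238.98]) "
    "by mail1.rifton.com (8.11.6/8.11.6) with SMTP id i0EJM4Z09102 "
    "for <[EMAIL PROTECTED]>; Wed, 14 Jan 2004 14:22:06 -0500",
    "Received: from [46.12.70.8] by 64.72.85.5 with SMTP; Wed, 14 Jan 2004 05:11:32 -0200",
]
HAM_AOL = [
    "Received: from imo-r08.mx.aol.com (imo-r08.mx.aol.com [152.163.225.104]) "
    "by mail1.rifton.com (8.11.6/8.11.6) with SMTP id i0EJhYZ12005 "
    "for <[EMAIL PROTECTED]>; Wed, 14 Jan 2004 14:43:34 -0500",
    "Received: from [EMAIL PROTECTED] by imo-r08.mx.aol.com (mail_out_v36_r4.12.) "
    "id r.1e1.1761647e (18555); Wed, 14 Jan 2004 14:41:05 -0500 (EST)",
]
# Constructed near miss (not from the post): a HELO of 64.72.85.50, a different
# address that merely shares a prefix with the relay's own.
NEAR_MISS = ("Received: from 64.72.85.50 ([10.0.0.1]) by mail1.rifton.com with SMTP; "
             "Wed, 14 Jan 2004 15:00:00 -0500")

# The HELO/EHLO argument is the first token after "from"; square brackets
# around an address literal are optional and not part of the name.
HELO_RE = re.compile(r"^from\s+\[?(?P<helo>[^\s\[\]()]+)\]?", re.IGNORECASE)


def received_value(header):
    """Strip the field name and collapse folded whitespace onto one line."""
    value = re.sub(r"^Received:\s*", "", header.strip(), flags=re.IGNORECASE)
    return " ".join(value.split())


def helo_name(header):
    """Return the HELO name recorded in a Received header, or None without a 'from' clause."""
    m = HELO_RE.match(received_value(header))
    return m.group("helo") if m else None


def helo_claims_relay_ip(header, relay_ip):
    """Exact-token comparison, so 64.72.85.50 does not match 64.72.85.5."""
    return helo_name(header) == relay_ip


def loose_rule_matches(header, relay_ip):
    """The post's regexp as written: no boundary after the address."""
    return re.search(r"from " + re.escape(relay_ip), received_value(header)) is not None


def score_message(received_headers, relay_ip, score=3.0):
    """Behave like an SA header rule: fire once if any Received header matches.

    Returns (points added, list of matching headers).
    """
    hits = [h for h in received_headers if helo_claims_relay_ip(h, relay_ip)]
    return (score if hits else 0.0), hits


if __name__ == "__main__":
    for label, msg in (("spam1", SPAM1), ("spam2", SPAM2), ("ham-aol", HAM_AOL)):
        points, hits = score_message(msg, RELAY_IP)
        print(f"{label}: PT_SPOOFME adds {points} ({len(hits)} matching header(s))")
    print("near miss, exact token:", helo_claims_relay_ip(NEAR_MISS, RELAY_IP))
    print("near miss, loose regexp:", loose_rule_matches(NEAR_MISS, RELAY_IP))
```

Both spam samples score 3.0 from their top-most Received header, the AOL message scores nothing, and the near miss shows the one place the rule as posted can over-match: a neighbouring address whose dotted quad starts with yours. In the SA rule itself the equivalent fix is a boundary after the last octet, for example `/from AAA\.BBB\.CCC\.DDD(?![0-9])/`.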