We're also being bombarded with these and I noticed that the bottom Received header on all of them is in a format like

Received: from [87.245.169.135] (port=2971 helo=aflmpt) by amdy with esmtp id 1FGG09-0005lZ-7J....

I put in a rule to catch this:

header ODD_PORT_SS Received =~ /from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] \(port=\d{4} helo=[a-z]{3,6}/

My question to the group is - how likely is a header with that non-standard port to show up in real mail? Is this a good spam sign?

(And Theo, no, the ISP does not have a good corpus, at least not of ham - average user doesn't have a clue as to how to submit messages with all the headers intact and doesn't understand why they should anyway, and privacy issues prevent us from gathering a corpus of ham ourselves....)

Thanks,
Sandy S
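Added example, not part of the original post: a Python check of the posted ODD_PORT_SS pattern against constructed Received headers, showing which header shapes it hits. The `ANCHORED` variant and every sample header except the one quoted in the post are assumptions made for illustration, and the check looks at one header string at a time.

```python
import re

# Pattern exactly as posted in the ODD_PORT_SS rule.
POSTED = re.compile(
    r"from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] \(port=\d{4} helo=[a-z]{3,6}"
)
# Hypothetical variant (assumption, not from the post): also require the
# closing parenthesis, so the HELO must be only 3-6 lowercase letters.
ANCHORED = re.compile(POSTED.pattern + r"\)")

# Constructed samples. Only "posted" reuses the header quoted in the post;
# the others use documentation-range addresses and made-up host names.
SAMPLES = {
    "posted": "from [87.245.169.135] (port=2971 helo=aflmpt) by amdy with esmtp",
    "fqdn_helo": "from [192.0.2.10] (port=4821 helo=mail.example.org) "
                 "by mx.example.net with esmtp",
    "long_helo": "from [192.0.2.10] (port=3305 helo=workstation) "
                 "by mx.example.net with esmtp",
    "five_digit_port": "from [192.0.2.10] (port=51234 helo=laptop) "
                       "by mx.example.net with esmtp",
    "no_port": "from mail.example.org ([192.0.2.10]) "
               "by mx.example.net with esmtp",
}


def classify(header):
    """Return (posted_hit, anchored_hit) for one Received header value."""
    return (bool(POSTED.search(header)), bool(ANCHORED.search(header)))


def report(samples=SAMPLES):
    """Map each sample name to its (posted_hit, anchored_hit) result."""
    return {name: classify(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, (posted, anchored) in report().items():
        print(f"{name:16} posted={posted!s:5} anchored={anchored}")
```

Because the posted pattern ends at `[a-z]{3,6}` with nothing after it, any HELO that merely begins with three lowercase letters satisfies it; the port part only matches when the port has exactly four digits.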