Sandy S wrote:
> We're also being bombarded with these and I noticed that the bottom
> received header on all of them is in a format like
>
> Received: from [87.245.169.135] (port=2971 helo=aflmpt)
> by amdy with esmtp
> id 1FGG09-0005lZ-7J....
>
> I put in a rule to catch this:
> header ODD_PORT_SS Received =~ /from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] \(port=\d{4} helo=[a-z]{3,6}/
>
> My question to the group is - how likely is a header with that
> non-standard port likely to show up in real mail? Is this a good
> spam sign?
>
> (And Theo, no, the ISP does not have a good corpus, at least not of
> ham - average user doesn't have a clue as to how to submit messages
> with all the headers intact and doesn't understand why they should
> anyway, and privacy issues prevent us from gathering a corpus of ham
> ourselves....)
>
> Thanks,
> Sandy S

Every message that goes through my Exim server will log the port the CLIENT used.

LER

--
Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 512-248-2683                 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
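
An added example (not code from the thread) for checking the reply's point: in an Exim-style Received line, `port=` is the sending client's TCP source port, so the posted rule only keys on that port having four digits and the HELO name starting with lowercase letters. It runs the rule body from the post over the quoted header plus constructed headers; the documentation addresses, HELO names, ham/spam labels and the two client port ranges are assumptions for illustration.

```python
import re

# Rule body exactly as posted (the pattern is valid in both Perl and Python).
ODD_PORT_SS = re.compile(
    r"from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] \(port=\d{4} helo=[a-z]{3,6}"
)
PORT = re.compile(r"\(port=(\d+) ")

# (label, first line of a Received header). Only the first entry is from the
# post; the rest are constructed, using documentation addresses.
SAMPLES = [
    ("spam", "from [87.245.169.135] (port=2971 helo=aflmpt)"),
    ("ham", "from [192.0.2.10] (port=4312 helo=mail.example.org)"),
    ("ham", "from [198.51.100.7] (port=1187 helo=laptop)"),
    ("ham", "from [203.0.113.5] (port=51544 helo=smtp.example.net)"),
    ("spam", "from [192.0.2.99] (port=40211 helo=qzkrv)"),
]


def rule_hits(received: str) -> bool:
    return ODD_PORT_SS.search(received) is not None


def client_port(received: str):
    m = PORT.search(received)
    return int(m.group(1)) if m else None


def evaluate(samples):
    """Count rule hits and misses per label: {'ham': [hits, misses], ...}."""
    tally = {}
    for label, received in samples:
        counts = tally.setdefault(label, [0, 0])
        counts[0 if rule_hits(received) else 1] += 1
    return tally


def four_digit_share(lo: int, hi: int) -> float:
    """Fraction of source ports in [lo, hi] that \\d{4} can match (1000-9999)."""
    matched = max(0, min(hi, 9999) - max(lo, 1000) + 1)
    return matched / (hi - lo + 1)


if __name__ == "__main__":
    for label, received in SAMPLES:
        print(label, client_port(received), rule_hits(received))
    print(evaluate(SAMPLES))
    for lo, hi in [(1025, 5000), (32768, 60999)]:  # assumed client port ranges
        print(lo, hi, four_digit_share(lo, hi))
```

Because the pattern is not anchored after `helo=`, a name such as `mail.example.org` satisfies `[a-z]{3,6}`, so the hit rate on ham depends mostly on which source-port range the sending hosts use.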