----- Original Message -----
From: "Larry Rosenman" <ler@lerctr.org>
To: "'Sandy S'" <[EMAIL PROTECTED]>; <users@spamassassin.apache.org>
Sent: Wednesday, March 08, 2006 10:13 AM
Subject: RE: All image spam

> Sandy S wrote:
> > We're also being bombarded with these and I noticed that the bottom
> > received header on all of them is in a format like
> >
> > Received: from [87.245.169.135] (port=2971 helo=aflmpt)
> > by amdy with esmtp
> > id 1FGG09-0005lZ-7J....
> >
> > I put in a rule to catch this:
> > header ODD_PORT_SS Received =~ /from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] \(port=\d{4} helo=[a-z]{3,6}/
> >
> > My question to the group is - how likely is a header with that
> > non-standard port likely to show up in real mail? Is this a good
> > spam sign?
> >
> > (And Theo, no, the ISP does not have a good corpus, at least not of
> > ham - average user doesn't have a clue as to how to submit messages
> > with all the headers intact and doesn't understand why they should
> > anyway, and privacy issues prevent us from gathering a corpus of ham
> > ourselves....)
> >
> > Thanks,
> > Sandy S
>
> Every message that goes through my Exim server will log the port the CLIENT
> used.
>
> LER
>
>
> --
> Larry Rosenman http://www.lerctr.org/~ler
> Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
> US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
>

Rats - I thought I was on to something there! I don't know anything about
Exim - would users be sending mail from odd ports like 2947, 3942, 4821,
etc? Or would they use the standard SMTP port 25, or 587 for SMTP auth mail?

Thanks,
Sandy
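
An added example, not part of either poster's message: a Python harness that runs the ODD_PORT_SS pattern from the thread over constructed Received values to show which variations of the quoted header shape it matches. The sample headers, hostnames and ids are constructed, and the non-spam shapes assume a server that logs the client's port in the way Larry describes.

```python
import re

# The rule from the thread; this pattern behaves the same in Perl and Python.
ODD_PORT_SS = re.compile(
    r"from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] \(port=\d{4} helo=[a-z]{3,6}"
)
# Extracts the port from a "(port=N helo=...)" clause like the one quoted above.
PORT = re.compile(r"\(port=(\d{1,5}) helo=")

# Constructed Received values: documentation IPs, invented hosts and ids.
SAMPLES = [
    ("shape quoted in the thread",
     "from [192.0.2.10] (port=2971 helo=aflmpt) by mx.example with esmtp id 1AAAAA-000001-AA"),
    ("same shape, 5-digit client port",
     "from [192.0.2.10] (port=51234 helo=aflmpt) by mx.example with esmtp id 1AAAAA-000002-AA"),
    ("authenticated user, short helo",
     "from [198.51.100.7] (port=3942 helo=laptop) by mx.example with esmtpa id 1AAAAA-000003-AA"),
    ("authenticated user, FQDN helo",
     "from [198.51.100.7] (port=4821 helo=mail.example.org) by mx.example with esmtpa id 1AAAAA-000004-AA"),
    ("authenticated user, uppercase helo",
     "from [198.51.100.7] (port=4821 helo=DESKTOP) by mx.example with esmtpa id 1AAAAA-000005-AA"),
]

def client_port(received):
    """Return the logged client port as an int, or None if absent."""
    m = PORT.search(received)
    return int(m.group(1)) if m else None

def rule_hits(received):
    """True if the ODD_PORT_SS pattern matches this Received value."""
    return ODD_PORT_SS.search(received) is not None

def evaluate(samples):
    """Return (label, port, hit) for each sample header."""
    return [(label, client_port(r), rule_hits(r)) for label, r in samples]

if __name__ == "__main__":
    for label, port, hit in evaluate(SAMPLES):
        print(f"{'HIT ' if hit else 'miss'} port={port:<5} {label}")
```

The pattern has no closing `\)` after the helo class, so any helo that begins with three lowercase letters matches, while `\d{4}` skips five-digit client ports.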