On Sun, 25 Jun 2006, Jim Hermann - UUN Hostmaster wrote:

> > On Sun, 25 Jun 2006, Jim Hermann - UUN Hostmaster wrote:
> > 
> > > Here are examples of the Received Headers for the type of spam
> > > that are being sent with forged email addresses for a domain that
> > > I host.
> > 
> > The Received headers in spams cannot be trusted, except for the
> > Received headers put in by relays run by *you* or someone you trust.
> > Received headers are trivially easy to forge and carry very little
> > useful information in spams.
> 
> These are Received Headers provided by the ISP that sent me the
> bounce message, not because of spam, but because the recipient did
> not exist.  They put the Original Spam Full Headers in the message
> that they sent to me.

Erm. Again, I'm not clear on what you provided examples of.

Were the Received headers from the message headers of the bounce
itself? If so, contact the ISP that you received the message from and
ask them to implement SPF checks.

Were the Received headers from the *body* of the bounce, where the
other ISP put a copy of the spam headers? If so, you can't trust them
and for the most part trying to parse them is a waste of time.

> If I can trust that my server identified the last server and the
> last server was the recipient server, then I think I can trust
> that they sent me the Full Headers as they received them.  Yes, I
> know that the prior Received Headers could be forged.

The headers as they received them are also likely forged.

You *might* be able to trust the Received header that their mail relay
put in, which could tell you from where they received the email.
Beyond that, they are subject to forgery.

> I don't think that these spambots are bothering to try to forge
> the Received Headers.  Usually the first two Received Headers have
> IP Addresses assigned to the same ISP.
> 
> SPF is not enough.  It does not eliminate the zombie or spambot.

No, but it does fairly well what it is intended to do: eliminate
forgeries.

SPF is *not* an anti-spam tool. It is an anti-forgery tool.

I agree, though, that it should be part of a larger set of tools.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
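As an added illustration of the point made above (this is example code, not something from the thread or from either poster): walk the Received headers newest-first and believe only the ones stamped by a relay you run, stopping at the first header written by anyone else, since that header and everything older arrived as opaque data that a spambot may have forged. The message and the hostnames (mail.example.org as "our" relay, mx.example-isp.net as the bouncing ISP's relay) are constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample, newest Received header first, as relays write them.
# The oldest header is the spambot's forgery claiming the hosted domain as origin.
SAMPLE_MESSAGE = """\
Received: from mx.example-isp.net (mx.example-isp.net [198.51.100.10])
    by mail.example.org (Postfix) with ESMTP id ABC123
    for <hostmaster@example.org>; Sun, 25 Jun 2006 10:00:00 -0700
Received: from dsl-203-0-113-77.example.net (unknown [203.0.113.77])
    by mx.example-isp.net (Postfix) with SMTP id DEF456;
    Sun, 25 Jun 2006 09:58:00 -0700
Received: from mail.example.org (mail.example.org [192.0.2.5])
    by dsl-203-0-113-77.example.net with SMTP; Sun, 25 Jun 2006 09:00:00 -0700
From: hostmaster@example.org
Subject: constructed sample

body
"""

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trusted_hops(raw_message, trusted_relays):
    """Return (hops, untrusted_left).

    hops is a list of (relay, peer_ip) for each Received header, newest
    first, that was written by a relay in trusted_relays. The walk stops
    at the first header stamped by anyone else; untrusted_left counts
    that header and all older ones, which must not be believed.
    """
    headers = message_from_string(raw_message).get_all("Received", [])
    hops = []
    for i, hdr in enumerate(headers):
        hdr = " ".join(hdr.split())  # unfold continuation lines
        by = BY_RE.search(hdr)
        ip = IP_RE.search(hdr)       # first bracketed IP is the "from" peer
        if by is None or by.group(1).lower() not in trusted_relays:
            return hops, len(headers) - i
        hops.append((by.group(1).lower(), ip.group(1) if ip else None))
    return hops, 0


if __name__ == "__main__":
    # Trusting only our own relay tells us the ISP's MX handed us the bounce.
    print(trusted_hops(SAMPLE_MESSAGE, {"mail.example.org"}))
    # Extending trust to the ISP's relay reveals the zombie's address; the
    # header below it, naming the hosted domain, stays untrusted either way.
    print(trusted_hops(SAMPLE_MESSAGE, {"mail.example.org", "mx.example-isp.net"}))
```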