On 11/09/2014 06:59 PM, Axb wrote:
On 11/09/2014 06:45 PM, Rich Wales wrote:
Hi.  Recently, I've noticed that some spam arriving on my mail server
contains a "Received:" header line citing amavisd-new -- possibly an
attempt to trick spam filters into concluding the message has already
been scanned and is presumably free of problems.

Here is an example of one of these -- the physically last (i.e.,
chronologically first) "Received:" in the message.

Received: by 03112d50.rn56dss9.lunafutral.com
(amavisd-new, port 9150) with ESMTP id 03MBRTVHDVT112DXUHRJKRWD50;
for <rande...@richw.org>; Sat, 8 Nov 2014 17:41:05 -0700

The above line contains several clues that can distinguish it from a
real "Received:" line generated by amavisd-new, so I imagine a rule
could be created to detect this and increase a message's spam score
accordingly.

Should I go ahead and discuss this in greater depth here on this
list?  Or would it be better to go off-list with a smaller group of
developers, so as not to give too many ideas to the black hats? :-)

rule is in sandbox waiting to be promoted

http://svn.apache.org/repos/asf/spamassassin/trunk/rulesrc/sandbox/axb/20_axb_misc.cf

AXB_XRCVD_8B8

hitting like crazy and safe

http://ruleqa.spamassassin.org/20141108-r1637525-n/AXB_XRCVD_8B8/detail

pick it up from the sandbox and score it as high as you want.
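
A sketch of how the clues visible in the quoted header could be checked, added here as an example; it is not from the thread and is not the AXB_XRCVD_8B8 rule. It assumes genuine amavisd-new stamps open with a "from" clause and follow RFC 5321's single-semicolon layout; the `GENUINE` sample, the function names and the reason labels are constructed, and the id/hostname overlap check is drawn only from the one header shown above.

```python
import re

# Header quoted in the post above (address elision kept as it appears there).
FORGED = ("by 03112d50.rn56dss9.lunafutral.com\n"
          " (amavisd-new, port 9150) with ESMTP id 03MBRTVHDVT112DXUHRJKRWD50;\n"
          " for <rande...@richw.org>; Sat, 8 Nov 2014 17:41:05 -0700")
# Constructed sample in the assumed genuine amavisd-new layout.
GENUINE = ("from mail.example.com ([127.0.0.1])\n"
           " by localhost (mail.example.com [127.0.0.1]) (amavisd-new, port 10024)\n"
           " with ESMTP id Xq3vT9aLbC2d for <user@example.com>;\n"
           " Sat,  8 Nov 2014 17:41:05 -0700 (MST)")

AMAVIS_TAG = re.compile(r"\(amavisd-new, port \d+\)")
COMMENT = re.compile(r"\([^()]*\)")

def embeds_label(label, msg_id):
    """True if msg_id starts/ends with the label's outer 2 chars and holds its middle."""
    label, msg_id = label.lower(), msg_id.lower()
    if len(label) < 6:
        return False
    return (msg_id.startswith(label[:2]) and msg_id.endswith(label[-2:])
            and label[2:-2] in msg_id[2:-2])

def amavis_anomalies(received):
    """Return reasons a Received value that claims amavisd-new looks forged."""
    value = " ".join(received.split())          # unfold continuation lines
    if not AMAVIS_TAG.search(value):
        return []                               # header makes no amavisd-new claim
    reasons = []
    if not value.lower().startswith("from "):
        reasons.append("no-from-clause")
    bare = COMMENT.sub("", value)               # drop parenthesised comments
    # RFC 5321: exactly one ';' separates the trace fields from the date-time.
    if bare.count(";") != 1:
        reasons.append("extra-semicolon")
    by = re.search(r"\bby ([A-Za-z0-9-]+)", bare)
    mid = re.search(r"\bid ([A-Za-z0-9]+)", bare)
    if by and mid and embeds_label(by.group(1), mid.group(1)):
        reasons.append("id-embeds-by-host-label")
    return reasons

if __name__ == "__main__":
    for name, hdr in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, amavis_anomalies(hdr))
```
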
