
Re: Policy based spam filtering

On Fri, 14 Nov 1997, James MacKinnon wrote:

> Are we losing?
> 
> New bogus spammers are cropping up daily. I just received this.
> 
> It got past the filter, but the destination failed locally here
> so I got a bounce copy. The content (only part of it here) is
> disturbing to say the least.

  But it is nothing new.  Those headers have been forged in most spam for
a long time.

> Definitely put this guy in the spam database!

  How?  Every header you've included is probably forged.  It was probably
relayed via an unwilling third party, who you should probably contact so
they can set up relay restrictions.

  I block mail based on envelope sender, and host address.  I get about
80% effectiveness.  The only remaining problem is wide-open mail relays.
Once all remaining unrestricted servers are closed up, it should be up to
90% effectiveness.

  A reminder to all on this list:  make sure every mail server you
administer has relaying restricted to authorized hosts only.  This
message needs to get out.  For example, mail.funet.fi still allows
relaying from anybody to anybody.

> >Date: Fri, 14 Nov 1997 03:31:49 -0700
> >From: Floodgate <taziu63@rema.co.at>
> >Reply to: floodgate@t-1net.com
> >To: taziu63@rema.co.at
> >Subject: Bulk Email For Profit
> 
> [snip]
> 
> >We show you ALL the tricks all the mass e-mailers don't want you to 
> >know... 
> >Here are just a few features the GOLDRUSH STEALTH MASS MAILER offers to 
> >you... 
> >
> >     *Forge the Header - Message ID - ISP's will Spin their wheels. 
> >     *Add's a Bogus Authenticated Sender to the Header. 
> >     *Add's a complete bogus Received From / Received By line with 
> >      real time / date stamp and recipient to the Header. 
> 

> ...
> This is a collection of reports about email delivery
> process concerning a message you originated:
> 
> <smtp rema.co.at taziu63@rema.co.at 99>: ...\
>         <<- MAIL From:<>
>         ->> 500 You are not allowed to send email via this server (this 
> is abnormal, investigate!)
> ...

  So?  What spam doesn't have a bogus return address?  Once a spammer
sends spam, he/she certainly doesn't want to get it back again.

> The original didn't get slotted into postoffice/freezer, so I can't
> examine the full headers. Odd that zmailer used "MAIL From:<>" though.

  I wish bounces contained the full headers.

  The rema.co.at domain is majorly screwed up.  It has an MX record
pointing to an IP (illegal).  It does not accept "mail from:<>", which is
required by RFC821 (btw, why do you find this strange?).

> Cheers,
> -Jim

Tom
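As an added illustration of the relay-restriction and null-sender points made in this thread (example code, not from the list, zmailer, or any poster), here is a minimal SMTP envelope policy: it accepts MAIL FROM:<> as RFC 821 requires, delivers only for its own domains, relays only for authorized client networks, and applies an envelope-sender/host blocklist of the kind described above. The local domains, relay networks and blocklist entries are constructed sample values, not taken from the messages.

```python
import ipaddress
import re

# Sample policy data, constructed for this example (not from the thread):
# domains this server delivers locally, and client networks allowed to relay.
LOCAL_DOMAINS = {"example.org", "mail.example.org"}
RELAY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
# Envelope-sender and host blocklists, the blocking approach described above
# (sample entries, constructed for this example).
BLOCKED_SENDERS = {"bulk@spam.example"}
BLOCKED_HOSTS = {ipaddress.ip_address("203.0.113.7")}

# A reverse-path or forward-path: <local@domain>, or the null sender <>.
PATH_RE = re.compile(r"^<(?:([^<>@\s]*@([^<>@\s]+))|)>$")


def parse_path(arg):
    """Parse the <...> argument of MAIL FROM / RCPT TO into (address, domain).
    The null reverse-path <> (used by bounces) yields ('', '') and is valid."""
    m = PATH_RE.match(arg.strip())
    if not m:
        raise ValueError("syntax error in path")
    return (m.group(1) or "").lower(), (m.group(2) or "").lower()


def relay_policy(client_ip, mail_from, rcpt_to):
    """Decide a RCPT TO given the client address and the preceding MAIL FROM.
    Returns (smtp_code, text). Accepts <> as sender (RFC 821 requires it),
    delivers locally for LOCAL_DOMAINS, and relays only for RELAY_NETWORKS."""
    ip = ipaddress.ip_address(client_ip)
    if ip in BLOCKED_HOSTS:
        return 550, "connecting host blocked"
    try:
        sender, _ = parse_path(mail_from)
        rcpt, rcpt_domain = parse_path(rcpt_to)
    except ValueError as exc:
        return 501, str(exc)
    if sender in BLOCKED_SENDERS:
        return 550, "envelope sender blocked"
    if not rcpt:
        return 501, "recipient address required"
    if rcpt_domain in LOCAL_DOMAINS:
        return 250, "recipient ok (local delivery)"
    if any(ip in net for net in RELAY_NETWORKS):
        return 250, "recipient ok (authorized relay client)"
    # Anyone-to-anyone relaying is exactly what the open servers in the
    # thread permit; an unauthorized client with a foreign recipient is refused.
    return 550, "relaying denied"
```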