Posted to users@spamassassin.apache.org by Menno van Bennekom <mv...@xs4all.nl> on 2005/06/07 12:05:11 UTC

this receive line only in spam?

I get a lot of med-spams lately that look the same, short, 2 lines with
one url, below that some text (from a book?).
Often it gets marked as spam because of the url, but not always because
bayes has no real grip on this mail.
Maybe there is a way to recognise them in the second receive-line because
of the special helo and port text.
I want to block it with this at the MTA level because I couldn't find HAM
with this text (port-number and special helo syntax).
But I'm not so sure yet so my question is do you know of any HAM that uses
receive lines like this?

Thanks
Menno van Bennekom

Received: from [66.98.106.84] (port=4465 helo=[Batista])
Received: from [180.111.168.219] (port=4464 helo=[discharge])
Received: from [221.54.120.107] (port=4548 helo=[benchmark])
Received: from [240.232.66.156] (port=4015 helo=[infrared])
Received: from [123.120.113.68] (port=4426 helo=[chronograph])
Received: from [130.98.112.26] (port=4102 helo=[lash])
Received: from [50.188.174.87] (port=4590 helo=[simplifications])
Received: from [188.109.189.81] (port=4054 helo=[barbiturates])
Received: from [62.170.216.71] (port=4317 helo=[dispatching])
Received: from [62.103.177.85] (port=4163 helo=[mangler])
Received: from [47.187.43.74] (port=4578 helo=[Basie])
Received: from [47.119.220.88] (port=4434 helo=[slats])
Received: from [224.62.78.91] (port=3290 helo=[inorganic])
Received: from [231.153.167.126] (port=3319 helo=[custodians])
Received: from [48.224.115.129] (port=4000 helo=[rephrasing])
Received: from [116.68.119.88] (port=4486 helo=[restate])
Received: from [116.217.80.102] (port=4232 helo=[mechanizations])
Received: from [93.80.205.52] (port=4084 helo=[emulation])
Received: from [141.51.44.132] (port=4292 helo=[unsanitary])
Received: from [169.90.217.201] (port=4098 helo=[Apatosaurus])
Received: from [162.120.144.32] (port=4240 helo=[transceive])
Received: from [74.93.157.193] (port=2259 helo=[incompatible])
Received: from [153.24.175.209] (port=4170 helo=[Hercules])
Received: from [140.218.69.178] (port=4354 helo=[contrition])
Received: from [146.198.92.136] (port=4568 helo=[culprit])
Received: from [209.30.112.183] (port=4266 helo=[Argo])
Received: from [144.199.150.185] (port=4024 helo=[enticer])
Received: from [63.210.57.193] (port=4253 helo=[cerebellum])



Re: this receive line only in spam

Posted by Menno van Bennekom <mv...@xs4all.nl>.
FYI,
I got another receive line here that occurs only in spam, with always the
same ip-segment (not the ip-address that actually delivers the mail).
First I tagged it with SA, but now I block the mail in postfix: 15% less
spam!
Maybe somebody recognizes these lines. It's the second receive line, and
the envelope-sender ends at @punkass.com, @sexmagnet.com, @thoughguy.com
et cetera.

Regards
Menno van Bennekom

Received: from bonbon.net (mx2.bonbon.net [38.113.3.55])
Received: from bonbon.net (mx3.bonbon.net [38.113.3.75])
Received: from gamebox.net (mx1.gamebox.net [38.113.3.68])
Received: from gamebox.net (mx2.gamebox.net [38.113.3.58])
Received: from gamebox.net (mx3.gamebox.net [38.113.3.78])
Received: from hotpop.com (mx1.hotpop.com [38.113.3.72])
Received: from hotpop.com (mx2.hotpop.com [38.113.3.72])
Received: from hotpop.com (mx4.hotpop.com [38.113.3.72])
Received: from phreaker.net (mx1.phreaker.net [38.113.3.57])
Received: from phreaker.net (mx2.phreaker.net [38.113.3.57])
Received: from phreaker.net (mx3.phreaker.net [38.113.3.77])
Received: from punkass.com (mx1.punkass.com [38.113.3.63])
Received: from punkass.com (mx2.punkass.com [38.113.3.63])
Received: from punkass.com (mx3.punkass.com [38.113.3.53])
Received: from sexmagnet.com (mx1.sexmagnet.com [38.113.3.64])
Received: from toughguy.net (mx1.toughguy.net [38.113.3.56])
Received: from toughguy.net (mx2.toughguy.net [38.113.3.56])




> FYI,
> Made a small rule for this and it gets hit every day so far without any
> FPs.
> So if anyone is interested:
> header PORT_HELO Received =~ /from \[[0-9\.]*\] \(port\=[0-9][0-9][0-9][0-9] helo\=\[[a-zA-Z]*\]\)/
> describe PORT_HELO Header contains special port and helo
> score PORT_HELO 10.00
>
> Menno
>
>> I get a lot of med-spams lately that look the same, short, 2 lines with
>> one url, below that some text (from a book?).
>> Often it gets marked as spam because of the url, but not always because
>> bayes has no real grip on this mail.
>> Maybe there is a way to recognise them in the second receive-line
>> because
>> of the special helo and port text.
>> I want to block it with this at the MTA level because I couldn't find
>> HAM
>> with this text (port-number and special helo syntax).
>> But I'm not so sure yet so my question is do you know of any HAM that
>> uses
>> receive lines like this?
>>
>> Thanks
>> Menno van Bennekom
>>
>> Received: from [66.98.106.84] (port=4465 helo=[Batista])
>> Received: from [180.111.168.219] (port=4464 helo=[discharge])
>> Received: from [221.54.120.107] (port=4548 helo=[benchmark])
>> Received: from [240.232.66.156] (port=4015 helo=[infrared])
>> Received: from [123.120.113.68] (port=4426 helo=[chronograph])
>> Received: from [130.98.112.26] (port=4102 helo=[lash])
>> Received: from [50.188.174.87] (port=4590 helo=[simplifications])
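The second-hop netblock check from the post above, as an added example in Python (mine, not Menno's Postfix configuration, which the thread does not show). It parses the "from <helo> (<rdns> [<ip>])" clause of a Received header and tests the literal IP against a netblock. Reading the listed relays as one 38.113.3.0/24 block is my assumption; the post only lists the addresses. The four posted lines are copied from the post, the other headers are constructed for this example.

```python
import ipaddress
import re

# Netblock the relays in the post appear to share. Treating the list as one
# /24 is an assumption made for this example; the post only lists addresses.
SUSPECT_NETS = [ipaddress.ip_network("38.113.3.0/24")]

# "from <helo> (<reverse-dns> [<ip>])", the shape of the posted lines.
FROM_CLAUSE_RE = re.compile(
    r"from (?P<helo>\S+) \((?P<rdns>[^\s\[]+) \[(?P<ip>[0-9.]+)\]\)"
)


def parse_from_clause(header: str):
    """Split the from-clause of a Received header into helo, rdns and ip,
    or return None when the header does not have that shape."""
    m = FROM_CLAUSE_RE.search(header)
    return m.groupdict() if m else None


def ip_in_suspect_net(ip: str) -> bool:
    """True when the literal IP falls inside one of the suspect netblocks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # malformed literal: no match rather than an exception
        return False
    return any(addr in net for net in SUSPECT_NETS)


def relay_in_suspect_net(header: str) -> bool:
    """Parse one Received header and apply the netblock test to its IP."""
    parsed = parse_from_clause(header)
    return bool(parsed) and ip_in_suspect_net(parsed["ip"])


def second_hop_is_suspect(headers: list[str]) -> bool:
    """Apply the check only to the second Received header, as the post does.
    Headers are in top-down order, so headers[0] is the one our own MX wrote
    and headers[1] is the hop that handed the mail to us."""
    return len(headers) >= 2 and relay_in_suspect_net(headers[1])


# Copied from the post.
POSTED_SECOND_HOPS = [
    "Received: from bonbon.net (mx2.bonbon.net [38.113.3.55])",
    "Received: from gamebox.net (mx1.gamebox.net [38.113.3.68])",
    "Received: from hotpop.com (mx1.hotpop.com [38.113.3.72])",
    "Received: from punkass.com (mx3.punkass.com [38.113.3.53])",
]

# Constructed for this example, using documentation address ranges.
OUR_MX_HOP = "Received: from mx.example.org (mx.example.org [192.0.2.10]) by mail.example.org"
HAM_SECOND_HOP = "Received: from mail.example.com (mail.example.com [198.51.100.7]) by mx.example.org"


if __name__ == "__main__":
    for hop in POSTED_SECOND_HOPS + [HAM_SECOND_HOP]:
        print(relay_in_suspect_net(hop), parse_from_clause(hop))
    print(second_hop_is_suspect([OUR_MX_HOP, POSTED_SECOND_HOPS[0]]))
```

One caveat worth keeping in mind: the second Received header is written by the remote relay, not by your own MTA, so everything in it (the helo name, the reverse DNS and the bracketed IP) is whatever that host chose to write. The connecting IP you can actually trust is in the topmost header, the one your MX added. A stable fingerprint in the untrusted hop is still usable for detection, which is what the post relies on, but the check should be pinned to that hop rather than applied to every header. At the MTA level, a Postfix header_checks entry with a REJECT action is the usual place for the same pattern.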



Re: this receive line only in spam?

Posted by Menno van Bennekom <mv...@xs4all.nl>.
FYI,
Made a small rule for this and it gets hit every day so far without any FPs.
So if anyone is interested:
header PORT_HELO Received =~ /from \[[0-9\.]*\] \(port\=[0-9][0-9][0-9][0-9] helo\=\[[a-zA-Z]*\]\)/
describe PORT_HELO Header contains special port and helo
score PORT_HELO 10.00

Menno

> I get a lot of med-spams lately that look the same, short, 2 lines with
> one url, below that some text (from a book?).
> Often it gets marked as spam because of the url, but not always because
> bayes has no real grip on this mail.
> Maybe there is a way to recognise them in the second receive-line because
> of the special helo and port text.
> I want to block it with this at the MTA level because I couldn't find HAM
> with this text (port-number and special helo syntax).
> But I'm not so sure yet so my question is do you know of any HAM that uses
> receive lines like this?
>
> Thanks
> Menno van Bennekom
>
> Received: from [66.98.106.84] (port=4465 helo=[Batista])
> Received: from [180.111.168.219] (port=4464 helo=[discharge])
> Received: from [221.54.120.107] (port=4548 helo=[benchmark])
> Received: from [240.232.66.156] (port=4015 helo=[infrared])
> Received: from [123.120.113.68] (port=4426 helo=[chronograph])
> Received: from [130.98.112.26] (port=4102 helo=[lash])
> Received: from [50.188.174.87] (port=4590 helo=[simplifications])
> Received: from [188.109.189.81] (port=4054 helo=[barbiturates])
> Received: from [62.170.216.71] (port=4317 helo=[dispatching])
> Received: from [62.103.177.85] (port=4163 helo=[mangler])
> Received: from [47.187.43.74] (port=4578 helo=[Basie])
> Received: from [47.119.220.88] (port=4434 helo=[slats])
> Received: from [224.62.78.91] (port=3290 helo=[inorganic])
> Received: from [231.153.167.126] (port=3319 helo=[custodians])
> Received: from [48.224.115.129] (port=4000 helo=[rephrasing])
> Received: from [116.68.119.88] (port=4486 helo=[restate])
> Received: from [116.217.80.102] (port=4232 helo=[mechanizations])
> Received: from [93.80.205.52] (port=4084 helo=[emulation])
> Received: from [141.51.44.132] (port=4292 helo=[unsanitary])
> Received: from [169.90.217.201] (port=4098 helo=[Apatosaurus])
> Received: from [162.120.144.32] (port=4240 helo=[transceive])
> Received: from [74.93.157.193] (port=2259 helo=[incompatible])
> Received: from [153.24.175.209] (port=4170 helo=[Hercules])
> Received: from [140.218.69.178] (port=4354 helo=[contrition])
> Received: from [146.198.92.136] (port=4568 helo=[culprit])
> Received: from [209.30.112.183] (port=4266 helo=[Argo])
> Received: from [144.199.150.185] (port=4024 helo=[enticer])
> Received: from [63.210.57.193] (port=4253 helo=[cerebellum])
>
>
>
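The port/helo pattern from the original post and the PORT_HELO rule above, run over sample Received headers as an added example in Python (mine, not code from the thread or from SpamAssassin). The posted regex is used unchanged; the stricter variant next to it, which requires a real dotted quad and a non-empty HELO word, is my own addition. In the sample messages only the bracketed "from [ip] (port=... helo=[...])" clause is copied from the post; the "by" clauses, dates and other headers are constructed.

```python
import re
from email import message_from_string

# The regex of the posted SpamAssassin rule, unchanged, as a Python pattern.
PORT_HELO_RE = re.compile(
    r"from \[[0-9\.]*\] \(port\=[0-9][0-9][0-9][0-9] helo\=\[[a-zA-Z]*\]\)"
)

# Tighter variant (an addition for this example, not from the thread): a real
# dotted quad, a 1-5 digit port and a non-empty HELO word, captured for logging.
STRICT_RE = re.compile(
    r"from \[(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\] "
    r"\(port=(?P<port>\d{1,5}) helo=\[(?P<helo>[A-Za-z]+)\]\)"
)


def received_headers(raw_message: str) -> list[str]:
    """Return every Received: header of a raw message, folded lines unfolded.

    Received headers stack up one per hop, so the rule has to see all of
    them, not just the first."""
    msg = message_from_string(raw_message)
    return [" ".join(value.split()) for value in msg.get_all("Received", [])]


def port_helo_hits(headers: list[str]) -> list[tuple[str, int, str]]:
    """(ip, port, helo) for each Received header with the spam shape."""
    hits = []
    for header in headers:
        m = STRICT_RE.search(header)
        if m:
            hits.append((m.group("ip"), int(m.group("port")), m.group("helo")))
    return hits


def rule_score(headers: list[str], weight: float = 10.0) -> float:
    """Score the way the posted rule does: a hit on any header adds the
    full weight once, never once per header."""
    return weight if any(PORT_HELO_RE.search(h) for h in headers) else 0.0


# Constructed spam message; the bracketed from-clause is from the post.
SPAM_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.org with ESMTP id 1; Tue, 7 Jun 2005 12:00:00 +0200
Received: from [66.98.106.84] (port=4465 helo=[Batista])
\tby mx.example.org with smtp id 2; Tue, 7 Jun 2005 11:59:00 +0200
From: nobody@example.com
Subject: constructed spam sample

two lines and a url
"""

# Constructed ham message: a client with no reverse DNS but a plain HELO
# name and a five-digit source port, which the posted rule must not hit.
HAM_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.org with ESMTP id 3; Tue, 7 Jun 2005 12:00:00 +0200
Received: from [203.0.113.5] (port=51234 helo=laptop)
\tby mx.example.org with esmtpa id 4; Tue, 7 Jun 2005 11:59:00 +0200
From: colleague@example.com
Subject: constructed ham sample

hi
"""

# Constructed edge case: the posted character classes both allow an empty
# match, so this degenerate line satisfies PORT_HELO_RE but not STRICT_RE.
DEGENERATE_HEADER = "Received: from [] (port=0000 helo=[])"


if __name__ == "__main__":
    for name, raw in (("spam", SPAM_MESSAGE), ("ham", HAM_MESSAGE)):
        headers = received_headers(raw)
        print(name, rule_score(headers), port_helo_hits(headers))
```

The posted regex keys on three things at once: an address literal instead of a host name, a four-digit port, and a HELO argument that is a bare dictionary word inside square brackets. Only the last of these is really unusual; a four-digit source port or a client without reverse DNS turns up in legitimate mail too, so it is the combination that keeps the false-positive rate down. The stricter pattern does not change what is caught in the samples, but it refuses the empty literals the original classes allow and gives you the fields to log when you want to see what is matching.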



Re: this receive line only in spam?

Posted by Loren Wilton <lw...@earthlink.net>.
> But I'm not so sure yet so my question is do you know of any HAM that uses
> receive lines like this?

Not sure, but running some mass-checks now to see.

        Loren