Posted to users@spamassassin.apache.org by Loren Wilton <lw...@earthlink.net> on 2019/02/14 19:53:52 UTC

Rule to resolve sending hostname & show it in description?

About 99% (literally) of the spam I get is from one spammer. He doesn't 
bother obfuscating the received headers, other than putting a fake hostname 
in the sending hostname. Here are the final two levels from a random spam 
from a few minutes ago as an example:

Received: from noehlo.host ([209.86.89.125])
 by mdl-harvest.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 
1GUltH2aW3Nl36V0; Thu, 14 Feb 2019 13:11:17 -0500 (EST)
Received: from newdeals4you.com ([34.207.159.130])
 by ibscan-hornet.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 
1GUltH4Ke3PGoUd1
 for <xx...@earthlink.com>; Thu, 14 Feb 2019 13:11:17 -0500 (EST)

While he's claiming to be from newdeals4you.com, 34.207.159.130 is an Amazon 
AWS cloud host.

Just as a matter of curiosity, I'd like some sort of rule that could resolve 
that hostname and display it in the description of a low-scoring rule, just 
so I don't have to manually do some cut-n-paste into a "ping -a" to resolve 
it myself.

Thanks!

        Loren


Re: Rule to resolve sending hostname & show it in description?

Posted by RW <rw...@googlemail.com>.
On Thu, 14 Feb 2019 11:53:52 -0800
Loren Wilton wrote:

> About 99% (literally) of the spam I get is from one spammer. He
> doesn't bother obfuscating the received headers, other than putting a
> fake hostname in the sending hostname. Here are the final two levels
> from a random spam from a few minutes ago as an example:
> 
> Received: from noehlo.host ([209.86.89.125])
>  by mdl-harvest.atl.sa.earthlink.net (EarthLink SMTP Server) with
> SMTP id 1GUltH2aW3Nl36V0; Thu, 14 Feb 2019 13:11:17 -0500 (EST)

The header above looks to be internal to earthlink and isn't relevant.

> Received: from newdeals4you.com ([34.207.159.130])
>  by ibscan-hornet.atl.sa.earthlink.net (EarthLink SMTP Server) with
> SMTP id 1GUltH4Ke3PGoUd1
>  for <xx...@earthlink.com>; Thu, 14 Feb 2019 13:11:17 -0500 (EST)

This header is added by earthlink; the only thing under the sender's
control is the 'helo' of newdeals4you.com. There's no other scope for
"obfuscating" this.


> While he's claiming to be from newdeals4you.com, 34.207.159.130 is an
> Amazon AWS cloud host.

A mismatch isn't necessarily wrong, but the A-record for
newdeals4you.com points elsewhere.
 
> Just as a matter of curiosity, I'd like some sort of rule that could
> resolve that hostname and display it in the description of a
> low-scoring rule, 

This is the job of ibscan-hornet.atl.sa.earthlink.net. It probably
doesn't because there is no full circle DNS.

34.207.159.130 has rDNS of ec2-34-207-159-130.compute-1.amazonaws.com,
but that doesn't have an A-record pointing to 34.207.159.130.

Without full-circle DNS the rDNS alone doesn't reliably connect the IP
address to the domain.
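As an added illustration (not code from this thread or from SpamAssassin), the chain RW walks through above in Python: pull the HELO name and IP out of the Received header, check whether the HELO's A-record covers the IP, then take the IP's rDNS name and check whether it resolves back (full-circle DNS). The resolver functions are injectable; the offline table reproduces the facts stated in the reply, with 192.0.2.10 as a constructed placeholder for "points elsewhere", and `live_rdns`/`live_forward` do the same through the system resolver.

```python
import re
import socket

# Constructed sample: the header Loren posted, re-wrapped as it appears in a message.
SAMPLE_RECEIVED = (
    "Received: from newdeals4you.com ([34.207.159.130])\n"
    " by ibscan-hornet.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id\n"
    " 1GUltH4Ke3PGoUd1 for <xx...@earthlink.com>; Thu, 14 Feb 2019 13:11:17 -0500 (EST)\n"
)
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)")

def parse_received(header):
    """Return (helo, ip) from a 'Received: from HELO ([IP])' header, or None."""
    m = RECEIVED_RE.search(" ".join(header.split()))  # unfold continuation lines
    return (m.group("helo"), m.group("ip")) if m else None

def fcrdns_report(ip, helo, rdns, forward):
    """rdns(ip) -> PTR name or None; forward(name) -> list of A records."""
    ptr = rdns(ip)
    return {"ip": ip, "helo": helo, "rdns": ptr,
            "helo_resolves_to_ip": ip in forward(helo),
            "full_circle": ptr is not None and ip in forward(ptr)}

# Constructed offline resolver with the facts from the reply; 192.0.2.10 is a placeholder.
_PTR = {"34.207.159.130": "ec2-34-207-159-130.compute-1.amazonaws.com"}
_A = {"newdeals4you.com": ["192.0.2.10"],
      "ec2-34-207-159-130.compute-1.amazonaws.com": []}  # nothing points back

def offline_rdns(ip):
    return _PTR.get(ip)

def offline_forward(name):
    return _A.get(name, [])

# Live lookups through the system resolver (OSError covers herror/gaierror).
def live_rdns(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def live_forward(name):
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except OSError:
        return []

def check_sample():
    helo, ip = parse_received(SAMPLE_RECEIVED)
    return fcrdns_report(ip, helo, offline_rdns, offline_forward)
```

Swap `offline_rdns`/`offline_forward` for `live_rdns`/`live_forward` to run the same check against real DNS for any header you paste in.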