Posted to users@spamassassin.apache.org by Loren Wilton <lw...@earthlink.net> on 2019/02/14 19:53:52 UTC
Rule to resolve sending hostname & show it in description?
About 99% (literally) of the spam I get is from one spammer. He doesn't
bother obfuscating the received headers, other than putting a fake hostname
in the sending hostname. Here are the final two levels from a random spam
from a few minutes ago as an example:
Received: from noehlo.host ([209.86.89.125])
by mdl-harvest.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
1GUltH2aW3Nl36V0; Thu, 14 Feb 2019 13:11:17 -0500 (EST)
Received: from newdeals4you.com ([34.207.159.130])
by ibscan-hornet.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
1GUltH4Ke3PGoUd1
for <xx...@earthlink.com>; Thu, 14 Feb 2019 13:11:17 -0500 (EST)
While he's claiming to be from newdeals4you.com, 34.207.159.130 is an Amazon
AWS cloud host.
Just as a matter of curiosity, I'd like some sort of rule that could resolve
that hostname and display it in the description of a low-scoring rule, just
so I don't have to manually do some cut-n-paste into a "ping -a" to resolve
it myself.
Thanks!
Loren
Re: Rule to resolve sending hostname & show it in description?
Posted by RW <rw...@googlemail.com>.
On Thu, 14 Feb 2019 11:53:52 -0800
Loren Wilton wrote:
> About 99% (literally) of the spam I get is from one spammer. He
> doesn't bother obfuscating the received headers, other than putting a
> fake hostname in the sending hostname. Here are the final two levels
> from a random spam from a few minutes ago as an example:
>
> Received: from noehlo.host ([209.86.89.125])
> by mdl-harvest.atl.sa.earthlink.net (EarthLink SMTP Server) with
> SMTP id 1GUltH2aW3Nl36V0; Thu, 14 Feb 2019 13:11:17 -0500 (EST)
The header above looks to be internal to earthlink and isn't relevant.
> Received: from newdeals4you.com ([34.207.159.130])
> by ibscan-hornet.atl.sa.earthlink.net (EarthLink SMTP Server) with
> SMTP id 1GUltH4Ke3PGoUd1
> for <xx...@earthlink.com>; Thu, 14 Feb 2019 13:11:17 -0500 (EST)
This header is added by earthlink, the only thing under the sender's
control is the 'helo' of newdeals4you.com. There's no other scope for
"obfuscating" this.
> While he's claiming to be from newdeals4you.com, 34.207.159.130 is an
> Amazon AWS cloud host.
A mismatch isn't necessarily wrong, but the A-record for
newdeals4you.com points elsewhere.
> Just as a matter of curiosity, I'd like some sort of rule that could
> resolve that hostname and display it in the description of a
> low-scoring rule,
This is the job of ibscan-hornet.atl.sa.earthlink.net. It probably
doesn't because there is no full circle DNS.
34.207.159.130 has rDNS of ec2-34-207-159-130.compute-1.amazonaws.com,
but that doesn't have an A-record pointing to 34.207.159.130.
Without full-circle DNS the rDNS alone doesn't reliably connect the IP
address to the domain.
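As an added example (not code from the thread or from SpamAssassin), a Python check that repeats what RW describes: look up the connecting IP's rDNS, test whether that name resolves back to the IP (full-circle DNS), and test whether the HELO name resolves to the IP, then produce a one-line description of the kind Loren asked for. The lookup tables are constructed from what the thread states; the 192.0.2.x addresses and mx.example.net are placeholders, and the live_* functions are only used when no table is supplied.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed tables mirroring the thread; 192.0.2.x addresses are placeholders.
PTR_TABLE: Dict[str, str] = {
    "34.207.159.130": "ec2-34-207-159-130.compute-1.amazonaws.com",
    "192.0.2.25": "mx.example.net",  # constructed host whose DNS does go full circle
}
A_TABLE: Dict[str, List[str]] = {
    "ec2-34-207-159-130.compute-1.amazonaws.com": [],  # no A record back to the IP (per RW)
    "newdeals4you.com": ["192.0.2.10"],  # the HELO name "points elsewhere" (placeholder)
    "mx.example.net": ["192.0.2.25"],
}

@dataclass
class SenderCheck:
    ip: str
    helo: str
    rdns: Optional[str]   # PTR name for the connecting IP, if any
    full_circle: bool     # the PTR name's A records include the IP (FCrDNS)
    helo_confirmed: bool  # the HELO name's A records include the IP

def live_reverse(ip: str) -> Optional[str]:  # PTR lookup via the system resolver
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def live_forward(name: str) -> List[str]:  # IPv4 A lookup via the system resolver
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except OSError:
        return []

def check_sender(ip: str, helo: str, reverse: Callable[[str], Optional[str]] = live_reverse,
                 forward: Callable[[str], List[str]] = live_forward) -> SenderCheck:
    """Repeat the checks the receiving MTA makes on a connecting client."""
    rdns = reverse(ip)
    return SenderCheck(ip, helo, rdns, rdns is not None and ip in forward(rdns), ip in forward(helo))

def describe(c: SenderCheck) -> str:
    """Text a low-scoring informational rule could carry as its description."""
    return (f"{c.ip} -> {c.rdns or 'no rDNS'} ({'' if c.full_circle else 'not '}full-circle); "
            f"HELO {c.helo} {'confirmed' if c.helo_confirmed else 'unconfirmed'}")

def offline_demo() -> List[SenderCheck]:  # same check, backed by the constructed tables
    fwd = lambda name: A_TABLE.get(name, [])
    return [check_sender("34.207.159.130", "newdeals4you.com", PTR_TABLE.get, fwd),
            check_sender("192.0.2.25", "mx.example.net", PTR_TABLE.get, fwd)]
```

Calling check_sender with only an IP and HELO name uses the system resolver, so the verdict then depends on live DNS at the time of the lookup.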