Posted to users@spamassassin.apache.org by Menno van Bennekom <mv...@xs4all.nl> on 2005/07/15 16:41:13 UTC

Re: this receive line only in spam

FYI,
I got another receive line here that occurs only in spam, with always the
same ip-segment (not the ip-address that actually delivers the mail).
First I tagged it with SA but now I block the mail in Postfix, 15% less
spam!
Maybe somebody recognizes these lines. It's the second receive line, and
the envelope-sender ends at @punkass.com, @sexmagnet.com, @thoughguy.com
etcetera.

Regards
Menno van Bennekom

Received: from bonbon.net (mx2.bonbon.net [38.113.3.55])
Received: from bonbon.net (mx3.bonbon.net [38.113.3.75])
Received: from gamebox.net (mx1.gamebox.net [38.113.3.68])
Received: from gamebox.net (mx2.gamebox.net [38.113.3.58])
Received: from gamebox.net (mx3.gamebox.net [38.113.3.78])
Received: from hotpop.com (mx1.hotpop.com [38.113.3.72])
Received: from hotpop.com (mx2.hotpop.com [38.113.3.72])
Received: from hotpop.com (mx4.hotpop.com [38.113.3.72])
Received: from phreaker.net (mx1.phreaker.net [38.113.3.57])
Received: from phreaker.net (mx2.phreaker.net [38.113.3.57])
Received: from phreaker.net (mx3.phreaker.net [38.113.3.77])
Received: from punkass.com (mx1.punkass.com [38.113.3.63])
Received: from punkass.com (mx2.punkass.com [38.113.3.63])
Received: from punkass.com (mx3.punkass.com [38.113.3.53])
Received: from sexmagnet.com (mx1.sexmagnet.com [38.113.3.64])
Received: from toughguy.net (mx1.toughguy.net [38.113.3.56])
Received: from toughguy.net (mx2.toughguy.net [38.113.3.56])




> FYI,
> Made a small rule for this and it gets hit every day so far without any
> FPs.
> So if anyone is interested:
> header PORT_HELO Received =~ /from \[[0-9\.]*\] \(port\=[0-9][0-9][0-9][0-9] helo\=\[[a-zA-Z]*\]\)/
> describe PORT_HELO Header contains special port and helo
> score PORT_HELO 10.00
>
> Menno
>
>> I get a lot of med-spams lately that look the same, short, 2 lines with
>> one url, below that some text (from a book?).
>> Often it gets marked as spam because of the url, but not always because
>> bayes has no real grip on this mail.
>> Maybe there is a way to recognise them in the second receive-line because
>> of the special helo and port text.
>> I want to block it with this at the MTA level because I couldn't find HAM
>> with this text (port-number and special helo syntax).
>> But I'm not so sure yet so my question is do you know of any HAM that uses
>> receive lines like this?
>>
>> Thanks
>> Menno van Bennekom
>>
>> Received: from [66.98.106.84] (port=4465 helo=[Batista])
>> Received: from [180.111.168.219] (port=4464 helo=[discharge])
>> Received: from [221.54.120.107] (port=4548 helo=[benchmark])
>> Received: from [240.232.66.156] (port=4015 helo=[infrared])
>> Received: from [123.120.113.68] (port=4426 helo=[chronograph])
>> Received: from [130.98.112.26] (port=4102 helo=[lash])
>> Received: from [50.188.174.87] (port=4590 helo=[simplifications])
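
The two header patterns discussed in this thread, checked against lines quoted above and against some constructed lookalikes. This is an added example, not part of the original post: `RELAY_SEGMENT` and its 38.113.3.0/24 scope are assumptions inferred from the listed headers, and the 192.0.2.x and example.org lines are constructed.

```python
import re

# PORT_HELO pattern from the rule quoted in the thread (same regex, Python syntax).
PORT_HELO = re.compile(
    r"from \[[0-9.]*\] \(port=[0-9][0-9][0-9][0-9] helo=\[[a-zA-Z]*\]\)"
)

# Hypothetical pattern for the relay segment in the listed headers.
# Assumption: the segment is 38.113.3.0/24, inferred from the sample lines.
RELAY_SEGMENT = re.compile(r"from \S+ \(\S+ \[38\.113\.3\.([0-9]{1,3})\]\)")


def classify(received_line):
    """Return the names of the patterns that match one Received header line."""
    hits = []
    if PORT_HELO.search(received_line):
        hits.append("PORT_HELO")
    m = RELAY_SEGMENT.search(received_line)
    if m and int(m.group(1)) <= 255:
        hits.append("RELAY_SEGMENT")
    return hits


# Lines copied from the thread.
FROM_THREAD = [
    "Received: from [66.98.106.84] (port=4465 helo=[Batista])",
    "Received: from [50.188.174.87] (port=4590 helo=[simplifications])",
    "Received: from hotpop.com (mx1.hotpop.com [38.113.3.72])",
]

# Constructed lookalikes (not from the thread) that should stay unmatched.
CONSTRUCTED = [
    "Received: from [192.0.2.10] (port=52344 helo=[192.0.2.10])",       # 5-digit port, numeric helo
    "Received: from [192.0.2.10] (port=4465 helo=[mail.example.org])",  # dotted helo
    "Received: from example.org (mx1.example.org [38.113.30.5])",       # different segment
]

# Constructed edge case: "*" also accepts an empty helo.
EMPTY_HELO = "Received: from [192.0.2.10] (port=4465 helo=[])"

if __name__ == "__main__":
    for line in FROM_THREAD + CONSTRUCTED + [EMPTY_HELO]:
        print(classify(line) or ["no match"], line)
```

The last sample shows that `[a-zA-Z]*` also accepts an empty `helo=[]`; using `+` instead would require at least one letter.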