Posted to dev@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2004/02/06 21:42:27 UTC
on that Message-ID pattern
That Dan and Scott have been bashing their heads against. It turns out
the ratware has other patterns that are far easier to spot:
1. it uses the rDNS name of the sending machine in its HELO. Since it
sends direct-to-MX from dialup pools, this means the recent patterns I
checked in (for rDNS used as HELO from a dialup pool) will catch it.
2. there are a number of other Received header patterns I can spot.
For example, sometimes it forges a line like this:
Received: from [IPADDR] by IPADDR with ESMTP...
IP addresses are never used in the "by" hostname.
I'll take a look later on today after $DAYJOB, and see if I can come up
with some rules.
Also, I've checked in a script that I've used in the past to help
develop rules that correlate headers. It's in as
masses/rule-dev/maildir-scan-headers .
--j.
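The two Received-header tells described in the post (an IP address in the "by" field, and a HELO that is simply the dialup-pool rDNS name of the sending host), as an added example that is not part of Justin's message or of SpamAssassin's own rule set. The sample message, the function names, and the keyword-and-octet heuristic used to decide that an rDNS name "looks like a dialup pool" are all assumptions made for this example; a real rule would use the project's own dialup-pool patterns.

```python
import re
from email import message_from_string

# Constructed sample message (not from the list post). Header 1 is an ordinary
# relay, header 2 forges an IP address as the "by" host, header 3 shows a
# dialup-pool host using its own rDNS name as HELO.
SAMPLE = """Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net (Postfix) with ESMTP id ABC123
Received: from [192.0.2.44] by 192.0.2.44 with ESMTP; Fri, 06 Feb 2004 10:00:00 -0500
Received: from dialup-192-0-2-77.pool.example-isp.test (dialup-192-0-2-77.pool.example-isp.test [192.0.2.77])
\tby mx.example.net (Postfix) with ESMTP id DEF456
From: someone@example.test
Subject: test

body
"""

# "from HELO (rDNS [IP]) by HOST ..." with the parenthesised part optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9.]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"^\[?\d{1,3}(?:\.\d{1,3}){3}\]?$")
# Heuristic (assumption): hostnames carrying these tokens are treated as
# dynamically assigned pool names.
DYNAMIC_HINT_RE = re.compile(r"(dial|dyn|ppp|dsl|cable|pool)", re.IGNORECASE)


def parse_received(value):
    """Return the helo/rdns/ip/by fields of one Received header, or None."""
    flat = re.sub(r"\s+", " ", value)
    m = RECEIVED_RE.search(flat)
    return m.groupdict() if m else None


def looks_dynamic(rdns, ip):
    """rDNS looks like a pool name: keyword hit, or the IP octets embedded in it."""
    if DYNAMIC_HINT_RE.search(rdns):
        return True
    if ip:
        octets = ip.split(".")
        return any(sep.join(octets) in rdns for sep in ("-", "."))
    return False


def flags_for(fields):
    """Apply the two checks from the post to one parsed Received header."""
    flags = []
    # An IP address (bare or bracketed) is never a legitimate "by" hostname.
    if IPV4_RE.match(fields["by"]):
        flags.append("BY_IS_IP")
    # HELO equal to the sender's rDNS is only suspicious when that rDNS is a
    # dynamic pool name; a normal MTA announcing its real name is fine.
    rdns = fields.get("rdns")
    if rdns and fields["helo"].lower() == rdns.lower() and looks_dynamic(rdns, fields.get("ip")):
        flags.append("HELO_IS_DYNAMIC_RDNS")
    return flags


def scan_message(raw):
    """Parse every Received header of a raw message and return its flags in order."""
    msg = message_from_string(raw)
    results = []
    for value in msg.get_all("Received", []):
        fields = parse_received(value)
        if fields is None:
            results.append({"by": None, "flags": ["UNPARSEABLE"]})
            continue
        results.append({"by": fields["by"], "flags": flags_for(fields)})
    return results


if __name__ == "__main__":
    for i, r in enumerate(scan_message(SAMPLE), 1):
        print(f"Received #{i}: by={r['by']!r} flags={r['flags']}")
```

The first header matches HELO to rDNS too, but is left unflagged because nothing about mail.example.org marks it as a pool name; that is the distinction the post's item 1 relies on, and it is why the rDNS-as-HELO pattern is only scored from dialup pools.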