Posted to users@spamassassin.apache.org by mouss <us...@free.fr> on 2006/01/08 01:23:21 UTC
Re: Kinda O/T: Block Return-Path: <> mail?
Evan Platt wrote:
> I'm getting quite a bit of spam with
> Return-Path: <>
> in the headers.
>
> Will I likely see valid e-mail with this? Searching my previous mail, it
> appears to all be bounce warnings.
>
> If so, what's the best way to just blackhole this? I have postfix, and put
> /Return-Path: <>/ Reject in the header_checks, but that seems to not
> be correct.
>
> Here's a example of one of the headers:
>
> Return-Path: <>
> X-Original-To: evan@espphotography.com
> Delivered-To: eplatt@espphotography.com
> Received: from aamer-e5bc809e7.chello.nl (a49245.upc-a.chello.nl
> [62.163.49.245])
> by espphotography.com (Postfix) with SMTP id B4BCF35A80D
> for <ev...@espphotography.com>; Thu, 5 Jan 2006 10:56:24 -0800 (PST)
> Message-Id: <20...@espphotography.com>
> Date: Thu, 5 Jan 2006 10:56:24 -0800 (PST)
> From: MAILER-DAEMON
> To: undisclosed-recipients:;
>
Instead of focusing on the bad pattern:
1) Note that:
- Return-Path = <>
- To = undisclosed-recipients
- Message-id is added by your system (@espphotography.com)
- FROM is non-FQDN
This all is suspicious, so a meta rule will catch this.
I think such a rule should be added to SARE. Any ninjas out there?
2) At MTA level:
IP=62.163.49.245
host=a49245.upc-a.chello.nl
helo=aamer-e5bc809e7.chello.nl
You could decide to reject or greylist this. Here is a "conservative" way:
- If rDNS and/or HELO look dynamic
Then use one or more of the following approaches:
- look up the client in some DUL lists (njabl/dynablock seems safe) and
reject if found
- greylist
- ...
To implement "looks dynamic", you could match against some patterns:
/\d{4}/ (or even /\d{3}/)
/\d-\d+-\d/
...
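The two checks mouss sketches above, written out as an added Python example (this is not code from the thread, SpamAssassin or Postfix): `suspicious_bounce()` is the "meta rule" idea, firing only when all four header signals (null Return-Path, undisclosed recipients, locally generated Message-Id, non-FQDN From) are present together, and `looks_dynamic()` / `client_looks_dynamic()` are the MTA-level "looks dynamic" heuristic built from the `/\d{4}/` (or `/\d{3}/`) and `/\d-\d+-\d/` patterns. The function names, the `LOCAL_DOMAIN` value and both sample messages are assumptions made for this example; the samples are constructed and modelled on the headers quoted in the thread, with the elided Message-Id and recipient replaced by placeholders.

```python
"""Added example: fake-bounce meta check and dynamic-rDNS/HELO heuristic.

Not from the original thread. LOCAL_DOMAIN, the function names and the
sample messages below are assumptions for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "espphotography.com"  # assumption: the receiving system's domain

# Constructed sample, modelled on the headers quoted in the thread
# (elided Message-Id / recipient replaced with placeholders).
FAKE_BOUNCE = """\
Return-Path: <>
X-Original-To: evan@espphotography.com
Delivered-To: eplatt@espphotography.com
Received: from aamer-e5bc809e7.chello.nl (a49245.upc-a.chello.nl [62.163.49.245])
  by espphotography.com (Postfix) with SMTP id B4BCF35A80D
  for <user@espphotography.com>; Thu, 5 Jan 2006 10:56:24 -0800 (PST)
Message-Id: <CONSTRUCTED-ID@espphotography.com>
Date: Thu, 5 Jan 2006 10:56:24 -0800 (PST)
From: MAILER-DAEMON
To: undisclosed-recipients:;

(empty body)
"""

# Constructed sample of what a genuine DSN from a remote MTA looks like:
# still a null sender, but the other three signals are absent.
REAL_BOUNCE = """\
Return-Path: <>
X-Original-To: evan@espphotography.com
Delivered-To: eplatt@espphotography.com
Received: from mx.example.org (mx.example.org [192.0.2.10])
  by espphotography.com (Postfix) with ESMTP id CONSTRUCTED
  for <user@espphotography.com>; Thu, 5 Jan 2006 11:00:00 -0800 (PST)
From: MAILER-DAEMON@mx.example.org (Mail Delivery System)
To: evan@espphotography.com
Message-Id: <CONSTRUCTED-ID@mx.example.org>
Subject: Undelivered Mail Returned to Sender

(empty body)
"""


def header_signals(raw_message: str, local_domain: str = LOCAL_DOMAIN) -> dict:
    """Evaluate the four individually weak signals from the post."""
    msg = message_from_string(raw_message)
    return_path = (msg.get("Return-Path") or "").strip()
    to_header = (msg.get("To") or "").lower()
    message_id = (msg.get("Message-Id") or "").strip().lower()
    _, from_addr = parseaddr(msg.get("From") or "")
    from_domain = from_addr.rpartition("@")[2]  # whole string if no "@"
    return {
        "null_sender": return_path == "<>",
        "undisclosed_recipients": "undisclosed-recipients" in to_header,
        # Message-Id stamped by our own MTA means the sender supplied none.
        "local_message_id": message_id.endswith("@" + local_domain.lower() + ">"),
        # A bare word like MAILER-DAEMON, or a domain with no dot, is not an FQDN.
        "from_not_fqdn": "." not in from_domain,
    }


def suspicious_bounce(raw_message: str, local_domain: str = LOCAL_DOMAIN) -> bool:
    """Meta rule: fire only when every signal is present at once."""
    return all(header_signals(raw_message, local_domain).values())


def looks_dynamic(hostname: str, min_digits: int = 4) -> bool:
    """Match the post's patterns: a run of >= min_digits digits (the post
    suggests 4, or 3 for a stricter policy) or a dash-separated address."""
    patterns = [
        re.compile(r"\d{%d}" % min_digits),  # e.g. a49245.upc-a.chello.nl
        re.compile(r"\d-\d+-\d"),            # e.g. pc-192-168-0-5.isp.example
    ]
    host = hostname.lower()
    return any(p.search(host) for p in patterns)


def client_looks_dynamic(rdns: str, helo: str, min_digits: int = 4) -> bool:
    """'rDNS and/or HELO look dynamic': either name is enough."""
    return looks_dynamic(rdns, min_digits) or looks_dynamic(helo, min_digits)


def mta_action(rdns: str, helo: str) -> str:
    """The post's conservative policy: greylist dynamic-looking clients."""
    return "greylist" if client_looks_dynamic(rdns, helo) else "accept"


if __name__ == "__main__":
    print("fake bounce:", suspicious_bounce(FAKE_BOUNCE))     # True
    print("real bounce:", suspicious_bounce(REAL_BOUNCE))     # False
    print(mta_action("a49245.upc-a.chello.nl", "aamer-e5bc809e7.chello.nl"))
```

Note that the genuine DSN sample still trips `null_sender`; that is the point of the meta rule: `Return-Path: <>` alone is normal for bounces, and only the combination with the other three signals marks a forged one. The HELO `aamer-e5bc809e7.chello.nl` is only caught by the stricter `\d{3}` setting, while the rDNS name is caught by `\d{4}`, which is why the check looks at both names.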