[Mimedefang] Fw: [Sare-users] Spam with numbers in subj and body
Paul Whittney
pwhittney at net.arrivetech.com
Wed Jun 7 10:54:42 EDT 2006
After reading some of the items here, I thought I'd take a look at my logs
and see if there is a pattern of spam/ham in the $MessageID.
The first problem I had was that I didn't have the filter logging the info,
so I've started syslogging (I don't use the graph log, but I bet it
takes care of this...)
filter_(subroutine),$QueueID,$MessageId,.....
and parsing the log file.
Found, for example:
k57Cmi17006408,spam, 7.398, <000001c68a34$99299710$a442a8c0@bxb41>
k57D7ZbK006518,spam, 7.398, <000001c68a37$43c1da50$9a70a8c0@tul44>
k57DNX0K006687,spam,15.212, <000001c68a39$7ef963c0$7ec5a8c0@bss34>
k57DP8Vs006708,spam, 8.249, <000001c68a39$ab508e30$53b8a8c0@gdt80>
k57DYuvp006769,spam,26.097, <001801c68a3b$2a7fe880$bc11a8c0@qege>
k57CqfVK006437,spam,28.497, <005801c68a35$0fd2a280$631f000a@59.95.128.199>
Following this, I was thinking of having some sort of signature or
fingerprint for an email (like nmap's OS fingerprints), but then
I suppose this is what Razor (etc.) does?
I wonder if certain programs follow a pattern? Of course, looking
at the Message-ID isn't conclusive (I'd copy it from sendmail if I were
designing a box). But would a certain relay address follow the same style?
Would the HELOs follow the same pattern (like those that use a negative
numerical HELO ... I think someone broke the inet_aton programming from an
int? or something...)
Not sure if this is worth doing or not.. Thoughts?
-Paul
--
Paul Whittney
ArriveTech, Inc.
Network Specialist / Systems Engineer
3823 W 12th St, Suite A
Erie, PA, 16505, USA
PWhittney [at] arrivetech.com (Main)
PWhittney [at] net.arrivetech.com (Aux)
www.arrivetech.com
Tel: 814 868 3306
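As an added example (not part of Paul's post and not MIMEDefang's own code), here is a small Python script that does the fingerprinting Paul describes: it parses syslog lines of the shape shown above (queue ID, verdict, score, Message-ID), sorts each Message-ID into a style family by regex, and counts spam and ham per family. For the Outlook/Outlook Express style seen in all six spam samples (12 hex digits, "$", 8 hex digits, "$", 8 hex digits, "@", host), it also decodes the third "$" field as a little-endian IPv4 address, which is where those clients embed the sending interface's address; treat that decode as an assumption to check against your own mail. The six spam lines are the ones from the post; the two ham lines and the sendmail/Thunderbird-style Message-ID regexes are constructed here for contrast.

```python
"""Fingerprint Message-ID styles in MIMEDefang-style syslog lines."""
import ipaddress
import re
from collections import Counter

# Line shape from the post: queue ID, verdict, score, Message-ID (assumed).
LINE_RE = re.compile(
    r"^(?P<qid>\w+),\s*(?P<verdict>spam|ham),\s*"
    r"(?P<score>-?\d+(?:\.\d+)?),\s*(?P<msgid>.+?)\s*$"
)

# Outlook/Outlook Express style: 12 hex, "$", 8 hex, "$", 8 hex, "@", host.
OUTLOOK_RE = re.compile(
    r"^<(?P<stamp>[0-9a-f]{12})\$(?P<rand>[0-9a-f]{8})\$"
    r"(?P<addr>[0-9a-f]{8})@(?P<host>[^>]+)>$",
    re.I,
)
# sendmail style: <YYYYMMDDHHMM.<14-char queue id>@host> (assumed shape).
SENDMAIL_RE = re.compile(r"^<\d{12}\.[A-Za-z0-9]{14}@[^>]+>$")

# Six spam lines from the post; the two ham lines are constructed samples.
SAMPLE_LOG = """\
k57Cmi17006408,spam, 7.398, <000001c68a34$99299710$a442a8c0@bxb41>
k57D7ZbK006518,spam, 7.398, <000001c68a37$43c1da50$9a70a8c0@tul44>
k57DNX0K006687,spam,15.212, <000001c68a39$7ef963c0$7ec5a8c0@bss34>
k57DP8Vs006708,spam, 8.249, <000001c68a39$ab508e30$53b8a8c0@gdt80>
k57DYuvp006769,spam,26.097, <001801c68a3b$2a7fe880$bc11a8c0@qege>
k57CqfVK006437,spam,28.497, <005801c68a35$0fd2a280$631f000a@59.95.128.199>
k57EAbCd012001,ham, -2.310, <200606071410.k57EAbCd012001@mail.example.com>
k57EBcDe012002,ham, 0.512, <4486D4F2.3050406@example.org>
"""


def normalize_msgid(msgid):
    """Undo the list archive's ' at ' munging so the '@' is restored."""
    return re.sub(r"\s+at\s+", "@", msgid.strip())


def decode_le_ipv4(hex8):
    """Read 8 hex digits as a little-endian IPv4 address.

    Assumption: Outlook-family clients store the sending interface's
    address in this field with the bytes reversed.
    """
    raw = bytes.fromhex(hex8)[::-1]
    return ipaddress.IPv4Address(raw)


def classify_msgid(msgid):
    """Return (family, details) for one Message-ID."""
    msgid = normalize_msgid(msgid)
    m = OUTLOOK_RE.match(msgid)
    if m:
        ip = decode_le_ipv4(m.group("addr"))
        return "outlook", {
            "host": m.group("host"),
            "embedded_ip": str(ip),
            "private": ip.is_private,
        }
    if SENDMAIL_RE.match(msgid):
        return "sendmail", {}
    return "other", {}


def parse_line(line):
    """Split one log line into its fields, or return None if it doesn't fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "qid": m.group("qid"),
        "verdict": m.group("verdict"),
        "score": float(m.group("score")),
        "msgid": normalize_msgid(m.group("msgid")),
    }


def fingerprint(lines):
    """Count verdicts per Message-ID family; collect private embedded IPs."""
    counts = Counter()
    private_embedded = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        family, details = classify_msgid(rec["msgid"])
        counts[(family, rec["verdict"])] += 1
        if details.get("private"):
            private_embedded.append((rec["qid"], details["embedded_ip"]))
    return counts, private_embedded


if __name__ == "__main__":
    counts, private_embedded = fingerprint(SAMPLE_LOG.splitlines())
    for (family, verdict), n in sorted(counts.items()):
        print(f"{family:9s} {verdict:5s} {n}")
    for qid, ip in private_embedded:
        print(f"{qid}: Outlook-style ID embeds private address {ip}")
```

Run against the six spam lines from the post, every one is Outlook-style and every embedded address decodes to RFC 1918 space (192.168.x.x or 10.x.x.x), which fits the picture of NATed home machines rather than real mail servers. Feed it your own filter log to see whether the same split holds for ham, since that is what makes a pattern like this usable.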