[Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?

Damrose, Mark mdamrose at elgin.edu
Sat Nov 25 01:07:09 EST 2006


> -----Original Message-----
> From: Jim McCullars

>    I feel your pain.  I have gotten to where I check my work 
> email at night to see what the latest pump-and-dump stock 
> spam is and update SA accordingly.  Ugh.

I've found that most of the stock spam has a unique Received header.
Some examples:


Received: from 213.56.31.142 (HELO smtp.oleane.net)     by elgin.edu
with esmtp (30,,1N(4829S +/QM)     id LLX8Z5-/084()-I*     for
xxxxx at elgin.edu; Fri, 24 Nov 2006 10:31:31 -0060

Received: from 63.149.130.78 (HELO barracuda.1-stopnet.com)     by
elgin.edu with esmtp (A+*33AUUHE*U +K686)     id 6OM2K4-172DAP-Q/
for xxxxx at elgin.edu; Fri, 24 Nov 2006 10:43:06 -0480

Received: from 216.122.69.112 (HELO mail.safeserver.com)     by
elgin.edu with esmtp ((1+<D(0E EU=Y)     id 7045B0-4R:LJT-EB     for
xxxxx at elgin.edu; Fri, 24 Nov 2006 10:48:01 -0120

Received: from 210.189.80.22 (HELO mail.01allweb.com)     by elgin.edu
with esmtp (LS,+-3(/ 5*XI:)     id C?13,)-Q0:7(7-)D     for
xxxxx at elgin.edu; Fri, 24 Nov 2006 11:08:20 -0480

Received: from 66.212.232.249 (HELO inon2.inetfast.com)     by elgin.edu
with esmtp (XB'52:=D0/ .B-W)     id YO-;1*-=T8'7Y-O5     for
xxxxx at elgin.edu; Fri, 24 Nov 2006 11:49:46 -0060

Received: from 209.142.136.249 (HELO mx2.centurytel.net)     by
elgin.edu with esmtp (T)08O7Q,AG<+ 63'A)     id 0Z((B*-760A8P-T.     for
xxxxx at elgin.edu; Fri, 24 Nov 2006 12:38:42 -0060

Received: from 80.127.154.82 (HELO mail.walraven.com)     by elgin.edu
with esmtp (.5*V+;+3,RSN D511C)     id ID95DH-6I9CU--65     for
xxxxx at elgin.edu; Fri, 24 Nov 2006 12:42:20 -0060

Received: from 64.18.5.13 (HELO WAMSINC.COM.MAIL7.PSMTP.com)     by
elgin.edu with esmtp (,2-O)V7T9)>? @C28)     id 7;+LH;-FY(844-:7     for
xxxxx at elgin.edu; Fri, 24 Nov 2006 12:44:18 -0060

Received: from 64.214.48.68 (HELO mdegw01.mgipharma.com)     by
elgin.edu with esmtp (942,L96+'P )J4J+,)     id QMRGJ0-:PKD)6--L     for
xxxxx at elgin.edu; Fri, 24 Nov 2006 12:49:20 -0060

Received: from 216.35.197.77 (HELO mail.zytronic.com)     by elgin.edu
with esmtp (IK-24*R3 U)4UJ)     id /ST525-0PO+(5->V     for
xxxxx at elgin.edu; Fri, 24 Nov 2006 12:49:22 -0060

Note the bare IP with no brackets (not the IP of the bot), and the HELO
with a random hostname in parentheses.
elgin.edu is my domain, but I do not have a host at the domain level
that relays mail.
Also note the UTC offset in the date format.  That field should be HHMM.
There are time zones that are not an even hour offset from UTC, but the
only ones I know of are 30 minutes, and a value of 60 or more makes no
sense.


The Date headers also have the odd UTC offset.

Date: Fri, 24 Nov 2006 10:31:31 -0060
Date: Fri, 24 Nov 2006 10:43:06 -0480
Date: Fri, 24 Nov 2006 10:48:01 -0120
Date: Fri, 24 Nov 2006 11:08:20 -0480
Date: Fri, 24 Nov 2006 11:49:46 -0060
Date: Fri, 24 Nov 2006 12:38:42 -0060
Date: Fri, 24 Nov 2006 12:42:20 -0060
Date: Fri, 24 Nov 2006 12:44:18 -0060
Date: Fri, 24 Nov 2006 12:49:20 -0060
Date: Fri, 24 Nov 2006 12:49:22 -0060


Two rules that have been doing extremely well for me are:

# Forged "by elgin.edu" relay line: garbage in the esmtp parentheses, then id ... for.
# (Each SpamAssassin rule must stay on one line; the dot in the domain is escaped.)
header ECC_FORGED_ELGIN_RCVD Received =~ /by elgin\.edu with esmtp \(.+\)\s+id\s\S+\s+for/

# Date header whose numeric zone has a minutes field of 60 or more (-0060, -0480, ...).
# Real half-hour and 45-minute zones (e.g. +0530, +0545) are not matched.
header ECC_ODD_TZ Date =~ /^\s*(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\,\s\d{1,2}\s(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s\d{4}\s\d{2}(?:\:\d{2}){1,2}\s[\+\-]?\d{2}[6-9]\d$/
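The three heuristics this post describes (bare IP followed by HELO in parentheses, a forged "by elgin.edu" relay line with a garbage esmtp string, and a UTC offset whose minutes field is 60 or more), as an added Python example that is not part of the original post or of MIMEDefang. The sample headers are constructed after the ones quoted above, and the extra check on the hour field (above 14) goes beyond what the post states.

```python
import re

LOCAL_DOMAIN = "elgin.edu"  # the receiving domain named in the post

# Constructed sample headers modelled on the ones quoted in the post.
SAMPLE_HEADERS = [
    "Received: from 213.56.31.142 (HELO smtp.oleane.net) by elgin.edu with esmtp "
    "(30,,1N(4829S +/QM) id LLX8Z5-/084()-I* for xxxxx at elgin.edu; "
    "Fri, 24 Nov 2006 10:31:31 -0060",
    "Received: from mail.example.org ([192.0.2.10]) by mx1.elgin.edu with ESMTP "
    "id abc123 for xxxxx at elgin.edu; Fri, 24 Nov 2006 10:31:31 -0500",
    "Date: Fri, 24 Nov 2006 10:43:06 -0480",
    "Date: Fri, 24 Nov 2006 15:13:06 +0530",  # legitimate half-hour zone
]

# Numeric zone at the end of a Received or Date header: sign, HH, MM.
TZ_RE = re.compile(r"([+-])(\d{2})(\d{2})\s*$")
# "from <bare IPv4 without brackets> (HELO ..." as in the quoted headers.
BARE_IP_RE = re.compile(r"^Received:\s*from\s+\d{1,3}(?:\.\d{1,3}){3}\s+\(HELO\s", re.I)
# Same shape as the poster's ECC_FORGED_ELGIN_RCVD rule.
FORGED_RELAY_RE = re.compile(r"by %s with esmtp \(.+\)\s+id\s\S+\s+for"
                             % re.escape(LOCAL_DOMAIN))

def odd_tz_offset(header: str) -> bool:
    """Minutes field of 60+ (e.g. -0060, -0480) or, as an addition beyond the
    post, an hour field above 14, which no real zone uses."""
    m = TZ_RE.search(header)
    if not m:
        return False
    hours, minutes = int(m.group(2)), int(m.group(3))
    return minutes >= 60 or hours > 14

def bare_ip_helo(header: str) -> bool:
    return BARE_IP_RE.search(header) is not None

def forged_local_relay(header: str) -> bool:
    return FORGED_RELAY_RE.search(header) is not None

CHECKS = (("bare_ip_helo", bare_ip_helo),
          ("forged_local_relay", forged_local_relay),
          ("odd_tz_offset", odd_tz_offset))

def classify(header: str) -> list:
    # Names of the heuristics that fire on one header line, in CHECKS order.
    return [name for name, check in CHECKS if check(header)]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify(h) or "clean", "<-", h[:60])
```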
