[Mimedefang] New X-AntiAbuse way for spammer
Jeff Rife
mimedefang at nabs.net
Sat May 17 23:42:21 EDT 2008
On 17 May 2008 at 17:32, Pierre Forget wrote:
> I noticed that spammers are using a new way (well, new to me...) to
> get their message through. They use the X-AntiAbuse in the headers. I
> declared the spam to Spamassassin in my SpamTrap, but it had already
> got them. But they still go through. Any idea how to get rid of this?
> Here is an example header:
>
> Return-Path: <rmaryland at newadvent.org>
> Received: from oemc8b286a37b8 ([190.128.82.83])
> by mail.hebergement-quebec.net (8.13.7/8.12.11) with SMTP id
> m4HJCdkn014921;
> Sat, 17 May 2008 15:12:40 -0400

I assume this header is the important one showing your receipt of the
message from [190.128.82.83], and that the one after that is a forgery.
If that's the case, and the name given in the HELO is in that header
("oemc8b286a37b8"...you could have modified sendmail's way of creating
"Received" headers), then a solution could be to reject e-mail where
the HELO argument doesn't follow the RFC.

In this case, it is not a fully-qualified domain name, and that's a
no-no.

It's very hard to set up any current popular MTA and not have it send a
legal value as the HELO argument. It may not be a very valid or
resolvable name, and it might rarely even be an address literal, but
it's generally going to be a FQDN. So, pretty much every MTA that
doesn't send a FQDN is actually a spambot, and you don't want e-mail
from them.

As for the "X-AntiAbuse", unless you have added rules to your
SpamAssassin install, that header doesn't appear anywhere in the rules
as a rule (it is part of a comment, though), so by itself it should not
do anything that increases the chance the e-mail isn't marked as spam.

Every time I've seen a *legitimate* e-mail with these headers, the
"Primary Hostname" *always* matches the "HELO" argument. Otherwise,
it's a forgery. You could write an SA rule that checks for that.
--
Jeff Rife | http://www.nabs.net/Cartoons/OverTheHedge/ShatnerHair.gif
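The two checks Jeff describes (reject a HELO argument that is neither a FQDN nor an address literal, and flag an X-AntiAbuse "Primary Hostname" that differs from the HELO in the topmost Received header), written up as an added stand-alone Python example; this is not MIMEDefang's own Perl filter code. The Received header in the sample is the one quoted above; the X-AntiAbuse "Primary Hostname" value is made up for the example.

```python
import re
from email import message_from_string

# RFC 5321 allows two HELO/EHLO argument forms: a FQDN, or an address literal like [190.128.82.83].
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")
LITERAL_RE = re.compile(r"^\[(?:\d{1,3}\.){3}\d{1,3}\]$|^\[IPv6:[0-9A-Fa-f:.]+\]$")
# sendmail writes "from HELO ([ip])" when reverse DNS fails and "from HELO (rdns [ip])" otherwise.
RECEIVED_RE = re.compile(r"^from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9.]+)\]\)")
PRIMARY_RE = re.compile(r"Primary Hostname\s*-\s*(\S+)")

def helo_is_rfc_compliant(helo):
    """True if the HELO argument is a FQDN or an address literal."""
    if LITERAL_RE.match(helo):
        return True
    if not FQDN_RE.match(helo):
        return False  # e.g. "oemc8b286a37b8": no dot, so not fully qualified
    return not helo.rsplit(".", 1)[-1].isdigit()  # top label must not be all digits

def helo_from_received(received):
    """Return (helo, ip) from a sendmail-style Received header, or None."""
    m = RECEIVED_RE.match(" ".join(received.split()))  # unfold continuation lines
    return (m.group(1), m.group(2)) if m else None

def check_message(raw):
    """Return forgery indicators derived from the topmost Received header."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])
    parsed = helo_from_received(received[0]) if received else None
    if not parsed:
        return []
    helo, ip = parsed
    findings = []
    if not helo_is_rfc_compliant(helo):
        findings.append(f"HELO {helo!r} from {ip} is not a FQDN or address literal")
    hits = [PRIMARY_RE.search(v) for v in msg.get_all("X-AntiAbuse", [])]
    primary = next((m.group(1) for m in hits if m), None)
    if primary and primary.lower() != helo.lower():
        findings.append(f"X-AntiAbuse Primary Hostname {primary!r} != HELO {helo!r}")
    return findings

# Constructed sample: the Received header quoted in the thread plus an X-AntiAbuse
# line whose Primary Hostname (made up here) does not match the HELO argument.
SAMPLE = """\
Received: from oemc8b286a37b8 ([190.128.82.83])
\tby mail.hebergement-quebec.net (8.13.7/8.12.11) with SMTP id m4HJCdkn014921;
\tSat, 17 May 2008 15:12:40 -0400
X-AntiAbuse: Primary Hostname - mail.example.net
"""
```

Running `check_message(SAMPLE)` yields both findings; in a real deployment the HELO check belongs at SMTP time, before the body is accepted.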