[Mimedefang] New X-AntiAbuse way for spammer

Jeff Rife mimedefang at nabs.net
Sat May 17 23:42:21 EDT 2008


On 17 May 2008 at 17:32, Pierre Forget wrote:

> I noticed that spammers are using a new way (well, new to me...) to  
> get their message through. They use the X-AntiAbuse in the headers. I  
> declared the spam to Spamassassin in my SpamTrap, but it had already  
> got them. But they still go through. Any idea how to get rid of this?  
> Here is an example header:
> 
> Return-Path: <rmaryland at newadvent.org>
> Received: from oemc8b286a37b8 ([190.128.82.83])
>          by mail.hebergement-quebec.net (8.13.7/8.12.11) with SMTP id  
> m4HJCdkn014921;
>          Sat, 17 May 2008 15:12:40 -0400

I assume this header is the important one showing your receipt of the 
message from [190.128.82.83], and that the one after that is a forgery.

If that's the case, and the name given in the HELO is in that header 
("oemc8b286a37b8"...you could have modified sendmail's way of creating 
"Received" headers), then a solution could be to reject e-mail where 
the HELO argument doesn't follow the RFC.

In this case, it is not a fully-qualified domain name, and that's a no-no.

It's very hard to set up any current popular MTA and not have it send a 
legal value as the HELO argument.  It may not be a very valid or 
resolvable name, and it might rarely even be an address literal, but 
it's generally going to be a FQDN.  So, pretty much every MTA that 
doesn't send a FQDN is actually a spambot, and you don't want e-mail 
from them.

As for the "X-AntiAbuse", unless you have added rules to your 
SpamAssassin install, that header doesn't appear anywhere in the rules 
as a rule (it is part of a comment, though), so by itself it should not 
do anything that increases the chance the e-mail isn't marked as spam.

Every time I've seen a *legitimate* e-mail with these headers, the 
"Primary Hostname" *always* matches the "HELO" argument.  Otherwise, 
it's a forgery.  You could write an SA rule that checks for that.
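The two checks suggested in this reply (HELO argument must be an FQDN or address literal; X-AntiAbuse "Primary Hostname" must match the HELO name) worked through as a stand-alone script. This is an added example, not code from the thread or from MIMEDefang; it assumes the sendmail "from <helo> ([ip])" Received layout shown above and an X-AntiAbuse line of the form "Primary Hostname - <host>", and the sample headers are constructed.

```python
import re

# Constructed sample headers (not the message from the thread). The HELO
# "oemc8b286a37b8" is the bare non-FQDN label discussed above; the
# X-AntiAbuse "Primary Hostname - <host>" layout is an assumption.
SAMPLE_HEADERS = """\
Return-Path: <sender@example.org>
Received: from oemc8b286a37b8 ([192.0.2.10])
         by mail.example.net (8.13.7/8.12.11) with SMTP id m4HJCdkn014921;
         Sat, 17 May 2008 15:12:40 -0400
X-AntiAbuse: Primary Hostname - mail.example.org
Subject: test
"""

# RFC 5321 address literal: [192.0.2.10] or [IPv6:2001:db8::1]
_LITERAL = re.compile(r"^\[(?:IPv6:[0-9A-Fa-f:.]+|\d{1,3}(?:\.\d{1,3}){3})\]$")
# One DNS label: 1-63 alnum/hyphen chars, no leading or trailing hyphen
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def helo_is_rfc_compliant(helo):
    """True if the HELO/EHLO argument is an FQDN (2+ labels) or an address literal."""
    if _LITERAL.match(helo):
        return True
    labels = helo.rstrip(".").split(".")
    if len(labels) < 2 or len(helo) > 253:
        return False
    return all(_LABEL.match(label) for label in labels)

def unfold(headers):
    """Join RFC 5322 folded continuation lines into single logical header lines."""
    out = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def first_received_helo(headers):
    """HELO name from the topmost Received: header (your own MTA's, so trustworthy)."""
    for h in unfold(headers):
        if h.lower().startswith("received:"):
            m = re.match(r"received:\s+from\s+(\S+)", h, re.I)
            return m.group(1) if m else None
    return None

def antiabuse_primary_hostname(headers):
    for h in unfold(headers):
        m = re.match(r"x-antiabuse:\s*primary hostname\s*-\s*(\S+)", h, re.I)
        if m:
            return m.group(1)
    return None

def check_message(headers):
    """Report HELO validity and whether X-AntiAbuse agrees with the HELO name."""
    helo = first_received_helo(headers)
    primary = antiabuse_primary_hostname(headers)
    consistent = primary is None or (helo is not None and primary.lower() == helo.lower())
    return {"helo": helo, "helo_ok": bool(helo) and helo_is_rfc_compliant(helo),
            "antiabuse_consistent": consistent}
```

Run `check_message(SAMPLE_HEADERS)`: the constructed message fails both checks, which is exactly the forgery pattern the reply describes.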


--
Jeff Rife |  
          | http://www.nabs.net/Cartoons/OverTheHedge/ShatnerHair.gif 
