I have noticed that many spam headers contain a "Received From:" line with conflicted ip addresses. I had thought this line was supposed to show
RECEIVED FROM: some_domain.cx [ip of domain]
That's correct. There are several slightly different formats for the Received: headers, but with IMail it's in the format "hostname [IP]", where "IP" is the actual IP address of the sender, and "hostname" is the host that the remote mailserver claims to be. If it sends an IP there, it is broken.
However I have many that look like this:
Received: from 64.119.218.151.nnt6us.com [64.119.218.151] by mail
Where 64.119.218.151.nnt6us.com resolves like this:
Technically, this could be correct, *if* 64.119.218.151.nnt6us.com is a valid hostname (which it could be).
If this is some effort to hide the origin of the message could we possibly use it to better ID the message as spam?
You could. If, for example, a lot of E-mail comes in with a hostname on nnt6us.com that looks like a domain, you could use a filter in Declude JunkMail Pro to block all E-mail with ".nnt6us.com" in the HELO/EHLO data.
-Scott
--- This E-mail came from the Declude.JunkMail mailing list. The archives can be found at http://www.mail-archive.com.
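An added example, not part of the original e-mail and not Declude or IMail code: a Python sketch that parses the "hostname [IP]" Received: format described above, flags HELO names that are a bare IP or that embed the connecting IP in front of a domain, and counts the trailing domains as candidates for a HELO filter. The function names are hypothetical, every sample line except the first is constructed, and each Received: header is assumed to sit on one unfolded line.

```python
import ipaddress
import re
from collections import Counter

# "Received: from <helo> [<connecting ip>] by ..." as described in the reply.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\[(?P<ip>[0-9.]+)\]", re.I)

def parse_received(line):
    """Return (helo, ip) from an IMail-style Received: line, or None."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group("ip"))
    except ValueError:
        return None
    return m.group("helo").rstrip(".").lower(), str(ip)

def classify(helo, ip):
    """Return (kind, suffix); suffix is the domain after an embedded IP."""
    try:
        ipaddress.IPv4Address(helo.strip("[]"))
        return "helo-is-bare-ip", None      # the "broken" case in the reply
    except ValueError:
        pass
    prefix = ip + "."
    if helo.startswith(prefix) and len(helo) > len(prefix):
        return "helo-embeds-ip", helo[len(prefix):]
    return "ordinary", None

def suffix_counts(lines):
    """Count domains that follow an embedded connecting IP in the HELO."""
    counts = Counter()
    for line in lines:
        parsed = parse_received(line)
        if parsed:
            kind, suffix = classify(*parsed)
            if kind == "helo-embeds-ip":
                counts["." + suffix] += 1
    return counts

SAMPLE = [
    "Received: from 64.119.218.151.nnt6us.com [64.119.218.151] by mail",  # from the thread
    "Received: from 192.0.2.10.nnt6us.com [192.0.2.10] by mail",          # constructed
    "Received: from mail.example.net [198.51.100.7] by mail",             # constructed
    "Received: from 203.0.113.5 [203.0.113.5] by mail",                   # constructed
]

if __name__ == "__main__":
    for suffix, n in suffix_counts(SAMPLE).most_common():
        print(f"{n} message(s) with HELO ending in {suffix}")
```

A suffix that recurs across many messages is the kind of string the reply suggests matching in the HELO/EHLO data.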
