http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5817
Summary: Poorly faked MTA Received headers
Product: Spamassassin
Version: 3.2.4
Platform: Other
OS/Version: other
Status: NEW
Severity: normal
Priority: P5
Component: Rules
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]

I recently noticed quite a few spams with a poorly faked MTA Received header.
The from IPs of the first and second Received header are identical, and the
second Received is by the MX. I guess this is to sneak around MTA_TO_MX style
rules.

I haven't checked a lot of spam for this yet, though. Also, I'm not sure where
to best add such a rule. Maybe I'll have a look next week, when I get some time.
Each and any comment or hint welcome. :)

And now for two examples I found in my <10 scoring spam today:

Received: from dsl.static812142840.ttnet.net.tr
  (dsl.static812142840.ttnet.net.tr [81.214.28.40] (may be forged)) by ...
Received: from [81.214.28.40] by kilowog.blockstackers.com; ...

Received: from 91.pool85-49-188.dynamic.orange.es
  (91.pool85-49-188.dynamic.orange.es [85.49.188.91]) by ...
Received: from [85.49.188.91] by mx2.free.fr; ...

Btw, all three spamples I had a look at today are "downloadable software" spams,
and the MUA claims to be The Bat! (yeah, again). However, this time, they did
not screw up the Date header. ;)
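
The pattern described in the report above, written as a detection check in Python. This is an added example, not part of the original bug report and not SpamAssassin rule code. The function names, the `mx_hosts` parameter (a caller-supplied list of known MX host names, since no DNS lookup is done) and the sample headers (documentation addresses and example domains) are assumptions made for illustration.

```python
import re
from email import message_from_string

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPv4 literal

def parse_received(value):
    """Return (source_ip, by_host) for one Received header; None where absent."""
    value = " ".join(value.split())               # unfold continuation lines
    from_part, _, rest = value.partition(" by ")  # IP must sit in the 'from' clause
    ip = IP_RE.search(from_part)
    by_host = rest.split()[0].rstrip(";").lower() if rest else None
    return (ip.group(1) if ip else None, by_host)

def duplicate_hop(raw_headers, mx_hosts=()):
    """Flag the reported pattern: the two topmost Received headers name the
    same source IP. Returns a dict describing the match, or None.
    mx_hosts is a hypothetical list of host names the caller knows to be MXes."""
    hops = [parse_received(v) for v in
            message_from_string(raw_headers).get_all("Received", [])]
    if len(hops) < 2:
        return None
    (ip1, by1), (ip2, by2) = hops[0], hops[1]
    if ip1 is None or ip1 != ip2:
        return None
    return {"ip": ip1, "first_by": by1, "second_by": by2,
            "second_by_is_mx": by2 in {h.lower() for h in mx_hosts}}

# Constructed sample modelled on the report's examples (not real mail).
FAKED = """\
Received: from dsl.customer.example.net
 (dsl.customer.example.net [192.0.2.40] (may be forged)) by mail.example.org;
 Fri, 1 Feb 2008 10:00:02 +0000
Received: from [192.0.2.40] by mx.example.com; Fri, 1 Feb 2008 10:00:00 +0000
Subject: constructed sample
"""
# Constructed ordinary relay chain: each hop reports a different source IP.
RELAYED = """\
Received: from smtp.example.net (smtp.example.net [198.51.100.7]) by mail.example.org; ...
Received: from [203.0.113.9] by smtp.example.net; ...
Subject: constructed sample
"""

if __name__ == "__main__":
    print(duplicate_hop(FAKED, mx_hosts=["mx.example.com"]))
    print(duplicate_hop(RELAYED))
```

A match is only a signal for scoring alongside other rules: the check compares just the two topmost headers and does not consider IPv6 literals.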