Hello, I am still refining my anti-spamming skills. Every day I get about 2 more pieces of spam that have slipped past my filters. Naturally I add them to my Spam list right away. But for some, like the one below, it is not so obvious (to me) what I should key on for the filter.
I chose WinXP for this one as it is a topic that I should never be interested in. Normally I can see a part of a header that looks obvious, like cashsavings, or mastercard.com, or grouplotto. Or even a message body that contains opt-in, or optin. But this one reminds me that I really do not yet understand headers. When people talk of forged headers, who, or what, part of the header (using the below example as a concrete example) is usually forged? I am concerned that if I start adding ISPs to my spam filter, I will start blocking future legit messages as well. Is this message from someone named Norman at some ISP called cheerful.com? Or is that a likely fake name and address? Does the partial phrase "PIMOUT4-prodigy.net" mean anything as a key? What about dsl.rcsntx.swbell.net? What about da nor stuldap? What about [EMAIL PROTECTED]? What about multipart/alternative; boundary? What about kendall.mail? Why does this header have two blocks for "Received:"? Which of the two should I concern myself with to best block spam? Is one the originator and the other the ISP (that is often forged)?

Status: U
Return-Path: <[EMAIL PROTECTED]>
Received: from pimout4-ext.prodigy.net ([207.115.63.103])
    by kendall.mail.mindspring.net (Earthlink Mail Service) with ESMTP id 17PHX8NW3Nl3pM0
    for <[EMAIL PROTECTED]>; Fri, 13 Sep 2002 00:21:09 -0400 (EDT)
Received: from Xep (adsl-65-65-223-64.dsl.rcsntx.swbell.net [65.65.223.64])
    by pimout4-ext.prodigy.net (8.12.3 da nor stuldap/8.12.3) with SMTP id g8D4KvAI091506
    for <[EMAIL PROTECTED]>; Fri, 13 Sep 2002 00:20:58 -0400
Date: Fri, 13 Sep 2002 00:20:58 -0400
Message-Id: <[EMAIL PROTECTED]>
From: norman <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: A WinXP patch
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=C6z4361q9cmbo62A

Thanks
Dave Groover
___________________________________________________________________________
To unsubscribe send a mail message with a SUBJECT line of "unsubscribe" to
<[EMAIL PROTECTED]> or <[EMAIL PROTECTED]>
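
Added example, not part of the original post: a small Python parser that walks the two "Received:" lines of the header quoted above from oldest to newest and separates the name each client announced from the reverse-DNS name and IP address the receiving server logged. The function names and the regular expression are this example's own and assume the `from NAME (RDNS [IP]) by SERVER` layout seen in this header; only the top line, written by the recipient's own mail server, is outside the sender's control.

```python
import re
from email import message_from_string

# Header block copied from the post above (addresses were already redacted there).
RAW = """\
Return-Path: <[EMAIL PROTECTED]>
Received: from pimout4-ext.prodigy.net ([207.115.63.103])
  by kendall.mail.mindspring.net (Earthlink Mail Service) with ESMTP id 17PHX8NW3Nl3pM0
  for <[EMAIL PROTECTED]>; Fri, 13 Sep 2002 00:21:09 -0400 (EDT)
Received: from Xep (adsl-65-65-223-64.dsl.rcsntx.swbell.net [65.65.223.64])
  by pimout4-ext.prodigy.net (8.12.3 da nor stuldap/8.12.3) with SMTP id g8D4KvAI091506
  for <[EMAIL PROTECTED]>; Fri, 13 Sep 2002 00:20:58 -0400
From: norman <[EMAIL PROTECTED]>
Subject: A WinXP patch

"""

# "from <name the client announced> (<optional reverse-DNS name> [<connecting IP>]) by <server>"
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([\d.]+)\]\)\s+by\s+(\S+)")

def parse_hops(raw):
    """Return hops oldest-first; each server prepends its own Received line."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(value)
        if m:
            helo, rdns, ip, by = m.groups()
            hops.append({"helo": helo, "rdns": rdns, "ip": ip, "by": by})
    return hops

def chain_is_consistent(hops):
    """Each hop's receiving server should be the name announced at the next hop."""
    return all(a["by"].lower() == b["helo"].lower() for a, b in zip(hops, hops[1:]))

def announced_name_differs(hop):
    """True when the announced name is not the reverse-DNS name the server logged."""
    return hop["rdns"] is not None and hop["helo"].lower() != hop["rdns"].lower()

if __name__ == "__main__":
    hops = parse_hops(RAW)
    for n, h in enumerate(hops, 1):
        print(n, h["ip"], h["rdns"] or "-", "announced:", h["helo"], "->", h["by"])
    print("chain consistent:", chain_is_consistent(hops))
```
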

