Mark Little wrote:

> I was playing around with it and have found so far only two cases (out of
> 200+ caught) that were legitimate emails, so I believe I am on to something
> but I believe you are right and I want to get this down further.
>
> I am now playing with detecting Received: from [<sender IP>] but excluding
> if [<sender IP>].+[<sender IP>] or [<sender IP>].+[127.0.0.1] are present.
> All the spammer examples I have seen only include the one IP, so I may
> reduce this to just excluding if there is a second [<ip.address>] on the
> line.
>
> Thoughts?
I think the main problem is that there are legitimate reasons why a server might connect back to its own IP. There might be value in using this particular metric in a spam scoring system though. Let us know how it works for you.

-- 
Mike Cardwell (https://secure.grepular.com/) (http://perlcv.com/)

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
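The heuristic Mark describes, with Mike's caveat applied (a score contribution rather than a hard reject), as an added example that is not code from either poster: a Received: line is flagged when the connecting client's IP (in Exim, $sender_host_address) appears as a bracketed literal and is the only bracketed IP on the line, which covers both the [ip].+[ip] and [ip].+[127.0.0.1] exclusions via Mark's proposed simplification. The headers are assumed to be already unfolded; the sample headers and addresses are constructed.

```python
import re
from typing import Iterable, List

# Bracketed IPv4 literal as it appears in a Received: header,
# e.g. "Received: from mail.example.net ([192.0.2.10]) by ..."
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def self_received_lines(received_headers: Iterable[str], sender_ip: str) -> List[str]:
    """Return the Received: lines that match the heuristic from the thread.

    A line is flagged when the connecting host's own IP is a bracketed
    literal and it is the only bracketed IP on that line. Any second
    bracketed IP (the same address again, 127.0.0.1 or another host)
    exempts the line, as Mark proposed. Assumes unfolded header lines.
    """
    flagged = []
    for line in received_headers:
        ips = BRACKETED_IP.findall(line)
        if sender_ip in ips and len(ips) == 1:
            flagged.append(line)
    return flagged


def self_received_score(received_headers: Iterable[str], sender_ip: str,
                        weight: float = 2.0) -> float:
    """Contribution to a spam score (Mike's suggestion), not a reject decision.

    The weight is an assumed tuning value, not one from the thread.
    """
    return weight * len(self_received_lines(received_headers, sender_ip))


# Constructed sample headers using RFC 5737 documentation addresses.
SENDER_IP = "198.51.100.23"
SAMPLE_HEADERS = [
    # The pattern discussed: the client names itself by its own IP only.
    "Received: from [198.51.100.23] by mx.example.org with smtp",
    # Legitimate relay: the same IP appears a second time in brackets.
    "Received: from mail.example.net ([198.51.100.23]) by [198.51.100.23]",
    # Legitimate loopback hop (the 127.0.0.1 exclusion).
    "Received: from [198.51.100.23] by localhost [127.0.0.1]",
    # Unrelated upstream hop with a different IP.
    "Received: from [203.0.113.9] by mail.example.net",
]

if __name__ == "__main__":
    for line in self_received_lines(SAMPLE_HEADERS, SENDER_IP):
        print("flagged:", line)
    print("score:", self_received_score(SAMPLE_HEADERS, SENDER_IP))
```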
