After reading some of the items here, I thought to take a look at my logs,
and see if there is a pattern of spam/ham to the $MessageID.
The first problem I had was that I didn't have the filter logging the info,
so I've started syslogging (I don't use the graph log, but I bet it
takes care of this..)
filter_(subroutine),$QueueID,$MessageId,.....
and parsing the log file.
Found, for example:
k57Cmi17006408,spam, 7.398, <[EMAIL PROTECTED]>
k57D7ZbK006518,spam, 7.398, <[EMAIL PROTECTED]>
k57DNX0K006687,spam,15.212, <[EMAIL PROTECTED]>
k57DP8Vs006708,spam, 8.249, <[EMAIL PROTECTED]>
k57DYuvp006769,spam,26.097, <[EMAIL PROTECTED]>
k57CqfVK006437,spam,28.497, <[EMAIL PROTECTED]>
Following this, I was thinking of having some sort of signature, or
fingerprint, for an email (like nmap's OS fingerprints), but then
I suppose this is what Razor (etc.) does?
I wonder if certain programs follow a pattern? Of course, looking
at the message ID isn't conclusive (I'd copy it from sendmail, if I were
designing a box). But would a certain relay address follow the same style?
Would the HELOs follow the same pattern (like those that use a negative
numerical HELO ... I think someone broke the inet_aton programming from an
int? or something..)
Not sure if this is worth doing or not.. Thoughts?
-Paul
--
Paul Whittney, ArriveTech, Inc.
Network Specialist / Systems Engineer
3823 W 12th St, Suite A, Erie, PA, 16505, USA
PWhittney [at] arrivetech.com (Main)
PWhittney [at] net.arrivetech.com (Aux)
www.arrivetech.com, Tel: 814 868 3306
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang