Scott,

I picked up the below msg from another list.  I'm posting it because I 
think it sounds like something you might be interested in adding to Declude.


>Delivered-To: [EMAIL PROTECTED]
>Date: Thu, 27 Dec 2001 14:55:26 -0500
>From: Paul Chvostek <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Spam Research
>User-Agent: Mutt/1.2.5i
>Sender: [EMAIL PROTECTED]
>Reply-To: [EMAIL PROTECTED]
>X-Declude-Sender: [EMAIL PROTECTED] [207.8.186.50]
>X-Declude-Spoolname: D7d100fe.SMD
>X-Note: Checked for SPAM and Viruses by Internet Concepts - http://www.inetconcepts.net
>X-RCPT-TO: <[EMAIL PROTECTED]>
>
>
>On Tue, Dec 25, 2001 at 09:37:56AM -0700, [EMAIL PROTECTED] wrote:
> >
> > "Connection refused" is the interesting category, and confirms my belief
> > (stated here prior) that the majority of spam was sent directly by PCs,
> > not through relays.
> >
> > While the amount of spam sent through relays is substantial, that sent
> > direct outnumbers it handily.
>
>I noticed this a while ago as well.  In my implementation, all direct-
>delivery mail contains only a single Received: line (except in the rare
>cases where a backup MX has been involved).  So I've implemented the
>following procmail recipe to deal with it:
>
>:0
>*       ^Return-Path:.*@
>* !     ^Received:.*@localhost
>* $     ^Message-ID:@[a-z0-9.-]*$HOST
>{
>         COUNT=`grep -c "^Received:"`
>         :0 fw
>         * COUNT ?? 1
>         | formail -A "X-spamtrap: too few Received lines"
>}
>
>The first condition eliminates from consideration any mail from one
>local user to another, including from MAILER-DAEMON.  The second makes
>sure this mail wasn't sent from the local machine (with a false positive
>problem that's handled later), and the third checks that the Message-ID
>line refers to the local host (which would mean that the incoming email
>didn't contain one of its own, and my MTA autogenerated one for it).
>And the goop in the curly braces marks the mail with an additional header
>line if the message has only one Received line, also eliminating the
>false positive created by mail being sent from 'user@localhost' on a
>remote machine (which would give us >1 Received: lines).
>
>This catches a good deal of my direct delivery spam.  I haven't kept
>track closely enough to build statistics, but perhaps I could build some
>from my procmail.log file.
>
>The above recipe is part of http://www.it.ca/software/procmail-spamtrap
>in case anyone's interested.
>
> > I intend to set up a service whereby ISPs can subscribe to a DNS-based
> > list. The way it will work, by joining they will make the list that much
> > more effective. I therefore need some guinea pigs, er, volunteers from the
> > audience. Please email me directly if you're interested in trying out this
> > system - I especially would like testers who can compare the results to
> > those produced by the ORB* and RBL.
>
>There are already a great many DNSBLs around.  Is what you want to do
>different from what's already being done?  I'm sure many of us would be
>overjoyed to participate in a project that isn't reinventing an already
>well-spun wheel.
>
>If your goal is merely to list open relays or direct delivery sources,
>such services already exist, with varying degrees of paranoia and good
>sense, enough for just about anybody's taste.  If you want to list spam
>sources, I would suggest using the DNSBL of bl.spamcop.net which already
>does a good job of that.  As you say, the more people who participate,
>the more useful the service.  Unless you're opposed to their policies,
>it would be better to participate in existing projects than to dilute
>them by starting a new one.
>
>--
>   Paul Chvostek                                             <[EMAIL PROTECTED]>
>   Operations / Development / Abuse / Whatever       vox: +1 416 598-0000
>   IT Canada                                            http://www.it.ca/
>
>-
>Recent archives of the list can be found at:
>http://mix.twistedpair.ca/pipermail/inet-access/
>Send 'unsubscribe' in the body to '[EMAIL PROTECTED]' to leave.
>Eat sushi frequently.   [EMAIL PROTECTED] is the human contact address.

----
Don Brown - Dallas, Texas USA       Internet Concepts, Inc.
[EMAIL PROTECTED]            http://www.inetconcepts.net
PGP Key ID: 04C99A55                  (972) 788-2364  Fax: (972) 788-5049
Providing Internet Solutions Worldwide - An eDataWeb Affiliate
----

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---

This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  You can E-mail
[EMAIL PROTECTED] for assistance.  You can visit our web
site at http://www.declude.com .
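
The checks described in the forwarded message, as an added Python example that is not part of the original post or of procmail-spamtrap. It follows the prose description of the three conditions plus the Received count; the host name mx.example.net (standing in for $HOST) and all sample messages are constructed.

```python
import re
from email import message_from_string

LOCAL_HOST = "mx.example.net"   # assumption: stands in for procmail's $HOST
TAG = "X-spamtrap: too few Received lines"   # header text used by the recipe

def spamtrap_header(raw, host=LOCAL_HOST):
    """Return TAG if the message meets every condition described, else None."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])   # header fields only, never the body
    # 1. Return-Path contains "@": skips local-to-local mail and MAILER-DAEMON.
    if "@" not in (msg.get("Return-Path") or ""):
        return None
    # 2. No Received field mentions @localhost.
    if any("@localhost" in r.lower() for r in received):
        return None
    # 3. Message-ID ends in the local host name, i.e. the local MTA generated
    #    it because the sender supplied none.
    mid = msg.get("Message-ID") or ""
    if not re.search(r"@[a-z0-9.-]*" + re.escape(host) + r">?\s*$", mid, re.I):
        return None
    # 4. Exactly one Received field: the sender connected straight to this MTA.
    return TAG if len(received) == 1 else None

def build(return_path, hops, message_id, body="hello\n"):
    """Assemble a constructed test message (not real traffic)."""
    lines = [f"Return-Path: {return_path}"]
    lines += [f"Received: from {h} by {LOCAL_HOST}; Thu, 27 Dec 2001 14:55:26 -0500"
              for h in hops]
    lines += [f"Message-ID: {message_id}", "Subject: test", "", body]
    return "\n".join(lines)

LOCAL_ID = f"<200112271955.fBRJtQ01234@{LOCAL_HOST}>"   # constructed ID
SAMPLES = {
    "direct": build("<a@dialup.example>", ["dialup.example"], LOCAL_ID),
    "relayed": build("<a@isp.example>", ["pc.isp.example", "smtp.isp.example"], LOCAL_ID),
    "own_message_id": build("<a@isp.example>", ["smtp.isp.example"], "<1@isp.example>"),
    "local_bounce": build("<MAILER-DAEMON>", ["localhost"], LOCAL_ID),
    "body_mentions_received": build(
        "<a@dialup.example>", ["dialup.example"], LOCAL_ID,
        body="Received: from quoted.example by other.example\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:24} {spamtrap_header(raw)}")
```
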
