Based on the principle that if an email header says that "this email has been sent to you by a spammer"
then the spammer is telling the truth!


It seems to me that SA only uses Received headers for DNSBL interrogation; however,
the Received header lines may tell us more information than what DNSBL tables tell us.


I use procmail to tag email before using SA, kind of like an MTA.
If the email Received header contains:
A) a spammy IP range
B) from unknown
C) from 192.168.xxx.xxx
D) from xxx-xxx-xxx-xxx

then header tags can be added to emails that SA can recognize and score accordingly,
as follows:


#==========================
#a .procmailrc insert before calling SA
#==========================
# common spammer IP sources YMMV
# (dots are escaped so that each one matches only a literal ".")
:0 Hf
* ^Received.*(\(|\(\[)\/(69\.6|64\.70|69\.56|69\.59|64\.191|172\.60|66\.59|5\.0|66\.63|6\.0|209\.66|64\.124|63\.212|206\.162|209\.40|\
69\.1|64\.88|207\.182|216\.131|64\.125|207\.218|216\.201|65\.110|69\.36|12\.47|66\.96|66\.230|\
205\.252|64\.211|209\.133|64\.156|211\.97|69\.42|66\.55|206\.131|66\.129|38\.113|66\.239|61\.173|\
64\.66|218\.71|207\.229|207\.134|218\.79|216\.149|200\.69|200\.105|66\.28|206\.15|218\.81|207\.111|172\.31|\
63\.215|218\.107|216\.94|69\.60|218\.80|209\.5|209\.210|206\.165|209\.87|65\.118|205\.183)
| formail -A "X-From-IP-Header: Spammy IP: $MATCH"


# Spammers sometimes use this
:0 Hf
* ^Received.*from.*unknown.*192\.168
| formail -A "X-From-IP-Header: IP 192.168"

# Spammers sometimes use this
:0 Hf
* ^Received.*from.*unknown
| formail -A "X-From-IP-Header: IP unknown"

# DSLs are not always Spammers
# (procmail regexes have no {n,m} intervals, so + is used for the digit runs)
:0 Hf
* ^Received.*[0-9]+-[0-9]+-[0-9]+-[0-9]+
| formail -A "X-From-IP-Header: DSL Spammer possibly "

#==========================
#  end of a .procmailrc insert before calling SA
#==========================


and the accompanying SA tag lines:

#==========================
#  SA spammy header tag lines
#==========================

header     SPAMMY_IP    X-From-IP-Header =~ /Spammy IP/i
describe   SPAMMY_IP    Spammy IP Collection
score      SPAMMY_IP    3.0

header     SPAMMY_192   X-From-IP-Header =~ /IP 192\.168/i
describe   SPAMMY_192   Spammy IP 192.168
score      SPAMMY_192   3.0

header     SPAMMY_DSL   X-From-IP-Header =~ /DSL Spammer/i
describe   SPAMMY_DSL   Possible Spammy DSL
score      SPAMMY_DSL   2.0

header     SPAMMY_UNKNOWN   X-From-IP-Header =~ /IP unknown/i
describe   SPAMMY_UNKNOWN   Unknown IP
score      SPAMMY_UNKNOWN   1.5

#==========================
# end of  SA spammy header tag lines
#==========================



As I say above - YMMV

Anthony
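
An added example, not part of Anthony's post: a Python harness that applies the same four Received checks to a constructed message, so the patterns can be tried on sample mail before they go into .procmailrc. The function name, the three-prefix subset and the octet-boundary anchoring of prefixes are assumptions of this example.

```python
import re
from email import message_from_string

# Three prefixes copied from the post's list; the subset is chosen for the demo.
SPAMMY_PREFIXES = ("69.6", "64.70", "218.71")

# Checks in the same order as the post's recipes: (tag builder, pattern).
# Assumption: a prefix must end on an octet boundary, so 69.6 means 69.6.x.x
# and does not also catch 69.61.x.x.
CHECKS = [
    (lambda m: "Spammy IP: " + m.group(1),
     re.compile(r"\(\[?(" + "|".join(map(re.escape, SPAMMY_PREFIXES)) + r")\.")),
    (lambda m: "IP 192.168",
     re.compile(r"from.*unknown.*192\.168\.", re.I)),
    (lambda m: "IP unknown",
     re.compile(r"from.*unknown", re.I)),
    (lambda m: "DSL Spammer possibly",
     re.compile(r"(?<![0-9])[0-9]{1,3}(?:-[0-9]{1,3}){3}(?![0-9])")),
]

def tag_message(raw):
    """Return the X-From-IP-Header values the four checks would add."""
    msg = message_from_string(raw)
    # Unfold continuation lines so each Received header is one string.
    received = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    tags = []
    for make_tag, pattern in CHECKS:
        for value in received:
            m = pattern.search(value)
            if m:
                tags.append(make_tag(m))
                break  # one tag per check, like one recipe firing once
    return tags

# Constructed sample message (documentation hosts and addresses, not real mail).
SAMPLE = (
    "Received: from mx.example.net (mx.example.net [203.0.113.5])\n"
    "\tby mail.example.org; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "Received: from unknown (HELO foo) (192.168.1.20)\n"
    "\tby mx.example.net; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "Received: from 10-20-30-40.dsl.example.com ([69.6.7.8])\n"
    "\tby relay.example.net; Mon, 1 Jan 2024 00:00:00 +0000\n"
    "From: sender@example.com\nSubject: test\n\nbody\n"
)

if __name__ == "__main__":
    for tag in tag_message(SAMPLE):
        print("X-From-IP-Header:", tag)
```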



