Tracee wrote:
Good questions. Not being the one who configures SpamAssassin, I thought it might be configured to know its own domain name.

You could write a rule on a site-by-site basis, or perhaps introduce a configuration option. Even then, it wouldn't work quite right for sites that receive mail for multiple domains.

If the header "indicates the original domain *to which the message was sent*" then I guess I was misinterpreting the meaning.

I did some digging, and all the examples I can find use a set of 5 headers. Here's an example of the headers in a message sent to the Fedora legacy mailing list last week:

X-AntiAbuse: This header was added to track abuse,
        please include it with any abuse report
X-AntiAbuse: Primary Hostname - hyperion.nettuning.net
X-AntiAbuse: Original Domain - redhat.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - nettuning.net

Some things to note:

1. The first header is usually all one line.  In this case, it was wrapped.

2. The Primary Hostname seems to be the HELO string of the MTA that added the header.

3. This was sent to a mailing list at redhat.com, matching the Original Domain header.

4. The Caller UID/GID (the second pair) was almost always 47 and 12. On my Red Hat-based Linux systems, these are the user ID for mailnull and group ID for mail. A sizable minority were 26 and 6 -- all running Exim on FreeBSD, so I assume those are the defaults there. It's remarkably consistent, but the exceptions were all legit, so there's not much spam classification value in this one.

5. The Sender Address Domain was, as you might expect, the domain of the sender's email address. However, a lot of the ones I've seen match the server name

Thoughts on what you could do with this info for detecting abuse, rather than for reporting it:

1. Does the Primary Hostname show up in the Received: headers?

2. Does the Primary Hostname claim to be one of your servers? (sort of a forged-HELO check a couple of hops back)

3. If the Sender Address Domain has an SPF record, does the Primary Hostname pass?

4. Does the Sender Address Domain claim to be one of your domains? (what you originally suggested, but with the more appropriate header)

I have no idea how effective any of these would be, though if I were to guess, there would be a lot of overlap with other header checks.

--
Kelson Vibber
SpeedGate Communications <www.speed.net>

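The header-consistency checks proposed in the post above (items 1, 2 and 4; item 3 needs a live SPF lookup and is left out), implemented as an added example that is not part of the thread and not SpamAssassin code. The sample message is constructed to mirror the five-header set quoted in the post, and `LOCAL_DOMAINS` and `LOCAL_HOSTS` are hypothetical values a site would fill in with its own names.

```python
"""Parse X-AntiAbuse headers and run simple consistency checks.

Added example (not from the mailing-list thread).  The message below is
constructed; LOCAL_DOMAINS and LOCAL_HOSTS are hypothetical site values.
"""
import re
from email import message_from_string, policy

# Hypothetical: domains and MTA hostnames this site considers its own.
LOCAL_DOMAINS = {"example.org"}
LOCAL_HOSTS = {"mx1.example.org", "relay.example.org"}

# Constructed sample modelled on the header set quoted in the post.
SAMPLE = """\
Received: from relay.example.org (relay.example.org [192.0.2.10])
\tby mx1.example.org with ESMTP; Mon, 1 Jan 2007 10:00:00 +0000
Received: from hyperion.nettuning.net (hyperion.nettuning.net [198.51.100.5])
\tby relay.example.org with ESMTP; Mon, 1 Jan 2007 09:59:00 +0000
From: someone@nettuning.net
To: list@example.org
Subject: constructed test message
X-AntiAbuse: This header was added to track abuse,
\tplease include it with any abuse report
X-AntiAbuse: Primary Hostname - hyperion.nettuning.net
X-AntiAbuse: Original Domain - example.org
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - nettuning.net

body
"""

# A second constructed message whose X-AntiAbuse headers claim to come
# from one of our own hosts and domains (the forged-HELO case in item 2).
FORGED = (SAMPLE
          .replace("Primary Hostname - hyperion.nettuning.net",
                   "Primary Hostname - mx1.example.org")
          .replace("Sender Address Domain - nettuning.net",
                   "Sender Address Domain - example.org"))


def parse_antiabuse(raw):
    """Return the 'Name - value' X-AntiAbuse fields as a dict.

    The free-text first header ("This header was added...") has no
    ' - ' separator and is skipped; folded headers are unfolded first."""
    msg = message_from_string(raw, policy=policy.default)
    fields = {}
    for value in msg.get_all("X-AntiAbuse", []):
        flat = re.sub(r"\s+", " ", str(value)).strip()
        name, sep, data = flat.partition(" - ")
        if sep:
            fields[name] = data
    return fields


def received_hostnames(raw):
    """Collect every 'from X' and 'by X' hostname in the Received: chain."""
    msg = message_from_string(raw, policy=policy.default)
    hosts = set()
    for rcvd in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", str(rcvd))
        hosts.update(h.lower() for h in
                     re.findall(r"\b(?:from|by) ([A-Za-z0-9.-]+)", flat))
    return hosts


def check_antiabuse(raw, local_domains=LOCAL_DOMAINS, local_hosts=LOCAL_HOSTS):
    """Run checks 1, 2 and 4 from the post and extract the caller UID/GID."""
    fields = parse_antiabuse(raw)
    primary = fields.get("Primary Hostname", "").lower()
    sender_dom = fields.get("Sender Address Domain", "").lower()
    original_dom = fields.get("Original Domain", "").lower()
    # "[0 0] / [47 12]": the second pair is the caller UID/GID.
    pairs = re.findall(r"\[(\d+) (\d+)\]", fields.get("Originator/Caller UID/GID", ""))
    caller = tuple(int(x) for x in pairs[1]) if len(pairs) > 1 else None
    return {
        # 1. the MTA that added the header should appear in the Received chain
        "primary_in_received": primary in received_hostnames(raw),
        # 2. a Primary Hostname that is one of our own hosts is suspicious
        "primary_claims_local": primary in {h.lower() for h in local_hosts},
        # 4. a Sender Address Domain that is one of our own domains is suspicious
        "sender_domain_claims_local": sender_dom in {d.lower() for d in local_domains},
        "original_domain_local": original_dom in {d.lower() for d in local_domains},
        "caller_uid_gid": caller,
    }


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("forged", FORGED)):
        print(label, check_antiabuse(raw))
```

Whether `primary_claims_local` or `sender_domain_claims_local` should score anything depends on where the header was added: a message that legitimately passed through one of the site's own cPanel/Exim hosts will trip both, which is the overlap with other header checks the post anticipates.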