On 03.10.2014 at 21:55, David F. Skoll wrote:
> I've noticed a trend in which spammers put in a bunch of X- headers
> purporting to show that a message is good. I've appended sample
> headers (slightly obfuscated to hide recipient) below.
>
> I wonder if a test for more than (say) 8 "X-*" headers in
> an inbound mail would be a good spam indicator?

Hard to say in general; that is not so many X-Headers.

I have seen a lot of spam really tagged with such headers because some outgoing mail server did indeed have a spam filter and the messages did not reach the block score, and depending on how many hops a mail takes the number of such headers increases.

I would not take the number of such headers into account.

Just look at some mailing lists which have their own scanners adding headers, and the innocent sender also has an outgoing scanner and may not even know about it.

Personally I ignore all those headers for training and strip them away on the MTA for inbound, to finally face only my own ones:

bayes_ignore_header List-Archive
bayes_ignore_header List-Help
bayes_ignore_header List-Id
bayes_ignore_header List-Post
bayes_ignore_header List-Subscribe
bayes_ignore_header List-Unsubscribe
bayes_ignore_header Mailing-List
bayes_ignore_header Precedence
bayes_ignore_header X-ACL-Warn
bayes_ignore_header X-Alimail-AntiSpam
bayes_ignore_header X-Amavis-Modified
bayes_ignore_header X-AntiAbuse
bayes_ignore_header X-Antispam
bayes_ignore_header X-Anti-Spam
bayes_ignore_header X-Antivirus
bayes_ignore_header X-Anti-Virus
bayes_ignore_header X-Antivirus-Status
bayes_ignore_header X-Antivirus-Version
bayes_ignore_header X-Anti-Virus-Version
bayes_ignore_header X-ASF-Spam-Status
bayes_ignore_header X-ASG-Debug-ID
bayes_ignore_header X-ASG-Orig-Subj
bayes_ignore_header X-ASG-Recipient-Whitelist
bayes_ignore_header X-ASG-Tag
bayes_ignore_header X-Attachment-Id
bayes_ignore_header X-Authenticated-As
bayes_ignore_header X-Authenticated-Sender
bayes_ignore_header X-Authenticated-User
bayes_ignore_header X-Authvirus
bayes_ignore_header X-Barracuda-Apparent-Source-IP
bayes_ignore_header X-Barracuda-Bayes
bayes_ignore_header X-Barracuda-BBL-IP
bayes_ignore_header X-Barracuda-BRTS-Status
bayes_ignore_header X-Barracuda-Connect
bayes_ignore_header X-Barracuda-Encrypted
bayes_ignore_header X-Barracuda-Envelope-From
bayes_ignore_header X-Barracuda-Fingerprint-Found
bayes_ignore_header X-Barracuda-Orig-Rcpt
bayes_ignore_header X-Barracuda-RBL-IP
bayes_ignore_header X-Barracuda-RBL-Trusted-Forwarder
bayes_ignore_header X-Barracuda-Spam-Report
bayes_ignore_header X-Barracuda-Spam-Score
bayes_ignore_header X-Barracuda-Spam-Status
bayes_ignore_header X-Barracuda-Start-Time
bayes_ignore_header X-Barracuda-UID
bayes_ignore_header X-Barracuda-URL
bayes_ignore_header X-Barracuda-Virus-Alert
bayes_ignore_header X-BeenThere
bayes_ignore_header X-Cloud-Security
bayes_ignore_header X-Complaints-To
bayes_ignore_header X-Coremail-Antispam
bayes_ignore_header X-Gmane-NNTP-Posting-Host
bayes_ignore_header X-GMX-Antispam
bayes_ignore_header X-GMX-Antivirus
bayes_ignore_header X-He-Spam
bayes_ignore_header X-Injected-Via-Gmane
bayes_ignore_header X-Ironport
bayes_ignore_header X-IronPort-Anti-Spam-Filtered
bayes_ignore_header X-IronPort-Anti-Spam-Result
bayes_ignore_header X-IronPort-AV
bayes_ignore_header X-Klms-Anti
bayes_ignore_header X-Klms-Antispam
bayes_ignore_header X-Kse-Anti
bayes_ignore_header X-Loom-IP
bayes_ignore_header X-Mailman-Version
bayes_ignore_header X-Mozilla-Keys
bayes_ignore_header X-Mozilla-Status
bayes_ignore_header X-Mozilla-Status2
bayes_ignore_header X-No-Relay
bayes_ignore_header X-PerlMx-Virus-Scanned
bayes_ignore_header X-PROLinux-SpamCheck
bayes_ignore_header X-ServerMaster-MailScanner
bayes_ignore_header X-Spam-Check-By
bayes_ignore_header X-Spam-Checker-Version
bayes_ignore_header X-SpamExperts-Domain
bayes_ignore_header X-SpamExperts-Outgoing-Class
bayes_ignore_header X-SpamExperts-Outgoing-Evidence
bayes_ignore_header X-SpamExperts-Username
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-SPAM-FLAG
bayes_ignore_header X-SpamInfo
bayes_ignore_header X-Spam-Level
bayes_ignore_header X-Spam-Processed
bayes_ignore_header X-Spam-Report
bayes_ignore_header X-Spam-Score
bayes_ignore_header X-Spam-Score-Int
bayes_ignore_header X-Spam-Status
bayes_ignore_header X-Spam-Threshold
bayes_ignore_header X-UI-Filterresults
bayes_ignore_header X-UI-Loop
bayes_ignore_header X-UI-Out-Filterresults
bayes_ignore_header X-Univie-Virus-Scan
bayes_ignore_header X-VirusChecked
bayes_ignore_header X-Virus-Checker-Version
bayes_ignore_header X-Virus-Scanned
bayes_ignore_header X-Virus-Scanner-Version
bayes_ignore_header X-Virus-Status

> =========================================================================
> Received: from mail.com ([190.237.242.198])
>     by colo10.roaringpenguin.com with ESMTP id s93JmajB021470
>     for <redac...@example.com>; Fri, 3 Oct 2014 15:48:39 -0400
> Return-Path: <americanexpr...@welcome.aexp.com>
> Delivered-To: <redac...@example.com>
> X-Virus-Scanned: OK
> X-MessageSniffer-Scan-Result: 0
> X-MessageSniffer-Rules: 0-0-0-19882-c
> X-CMAE-Scan-Result: 0
> X-Spam-Threshold: 95
> X-Spam-Score: 0
> X-Spam-Flag: NO
> X-Virus-Scanned: OK
> X-MessageSniffer-Scan-Result: 0
> X-MessageSniffer-Rules: 0-0-0-19849-c
> X-CMAE-Scan-Result: 0
> X-Orig-To: <redac...@example.com>
> X-Originating-Ip: [209.67.98.59]
> Received: from SEFE63.seaprod.com (unknown [192.168.72.11])
>     by mailsea.docusign.net (Postfix) with ESMTP id KQAF5JDDV4IK
>     for <redac...@example.com>; Fri, 3 Oct 2014 14:48:44 -0500
> X-DKIM: Sendmail DKIM Filter v2.8.2 mailsea.docusign.net JQ9N42F3MTC8
> Received: from docusign.net ([127.0.0.1]) by SEFE19.seaprod.com with
>     Microsoft SMTPSVC(7.5.7601.17514);
>     Fri, 3 Oct 2014 14:48:44 -0500
> Sender: "American Express" <americanexpr...@welcome.aexp.com>
> Reply-To: "American Express" <americanexpr...@welcome.aexp.com>
> From: "American Express" <americanexpr...@welcome.aexp.com>
> To: <redac...@example.com>
> Message-ID: <2sui4otn561x0wm7252lx58t61e...@welcome.aexp.com>
> Date: Fri, 3 Oct 2014 14:48:44 -0500
> Subject: Security Concern on Your American Express Account
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>     boundary="----=_NextPart_FFTENOOC_L24J_U12E_AEA3_LA0JA0R78GGI"
> X-OriginalArrivalTime: Fri, 3 Oct 2014 14:48:44 -0500
>     FILETIME=[61006395:87205310]
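
Added example, not part of the original mail or of SpamAssassin: a Python sketch of the two points made in the reply, namely that the X-* header count grows with every scanning hop on legitimate mail, and that stripping other sites' scanner headers on inbound leaves only trustworthy ones. The sample message, the host names and the function names are constructed for illustration; the header set is a subset of the bayes_ignore_header list above.

```python
from email import message_from_string

# Subset of the header names from the bayes_ignore_header list above.
FOREIGN_SCANNER_HEADERS = {
    "x-virus-scanned", "x-spam-score", "x-spam-flag", "x-spam-status",
    "x-spam-checker-version", "x-antivirus", "x-mailman-version",
    "x-beenthere",
}

# Constructed sample: a legitimate list post that passed the sender's
# outgoing scanner and then the list server's scanner (two scanning hops).
LIST_MAIL = """\
Received: from list.example.org by mx.example.net; Fri, 3 Oct 2014 15:00:00 -0400
X-Spam-Status: No, score=-1.2
X-Spam-Score: -1.2
X-Spam-Checker-Version: SpamAssassin 3.4.0
X-Virus-Scanned: list.example.org
X-Mailman-Version: 2.1.18
X-BeenThere: users@list.example.org
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-Antivirus: clean
X-Mailer: ExampleMailer 1.0
List-Id: <users.list.example.org>
From: alice@example.com
Subject: Re: question

body
"""

def count_x_headers(msg):
    """Number of X-* header fields (the test proposed in the quoted mail)."""
    return sum(1 for name in msg.keys() if name.lower().startswith("x-"))

def strip_foreign_scanner_headers(msg, names=FOREIGN_SCANNER_HEADERS):
    """Delete every occurrence of headers written by other sites' filters."""
    removed = [n for n in msg.keys() if n.lower() in names]
    for name in set(removed):
        del msg[name]  # Message.__delitem__ removes all occurrences
    return removed

def demo():
    """Return (X-* count before, headers removed, X-* count after)."""
    msg = message_from_string(LIST_MAIL)
    before = count_x_headers(msg)
    removed = strip_foreign_scanner_headers(msg)
    return before, len(removed), count_x_headers(msg)

if __name__ == "__main__":
    print(demo())
```

The legitimate list post already exceeds the proposed threshold of 8 before stripping, which is why the count alone is a weak indicator.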