On 21 Apr 2015, at 18:47, Mark Martinec wrote:
> There is no benefit to spammers (and a likely disservice to them) for forging a non-trustworthy external Received header field and providing some unusual IP address there, and they cannot forge the boundary Received header field inserted by the recipient's own mailer.
This is all true.
> I can only conclude that a rule like RCVD_ILLEGAL_IP will hit mostly on misconfigured or misguided sending mailers, not primarily on spam.
This would be true if the people and tools trying to investigate spam sources AND spammers were uniformly (or even broadly) as smart about email as you or as anyone else who has been working with email intensively for many years.
That is not the case, as evidenced by the fact that RCVD_ILLEGAL_IP actually has a history of being a very reliable test except for the recent periods of Yahoo and Microsoft engaging in Stupid Freemail Tricks. Spammers forge Received headers to send investigators & their tools on wild goose chases, both because they don't understand the net effects and because once in a while it works.
It is worth noting that I have a large handful of very reliable SCC_RCVD_FORMAT_* custom rules, some of which date to 2003 yet still get hits, because the same spammers and/or spamware have been creating Received headers in patterns unlike any real MTA for a dozen years. When they stop being useful, I'll consider the possibility that spammers are not generally morons engaged in high-effort self-defeating tactics.
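The distinction the thread turns on, trusting only the boundary Received header your own MTA added and treating everything beneath it as sender-supplied, can be checked mechanically. The following is an added example, not code from the thread or from SpamAssassin's RCVD_ILLEGAL_IP rule; the definition of "illegal" used here (unparseable octets, unspecified, loopback, multicast, reserved or link-local addresses) is my own approximation of what a public sending host can never be, and the host names, IPs and message are constructed.

```python
import email
import ipaddress
import re
from email import policy

# Bracketed IPv4 literal as MTAs write it, e.g. "from mx.example [192.0.2.10]".
# Octets above 255 are deliberately allowed by the pattern so that syntactically
# illegal addresses such as 300.1.1.1 are caught instead of silently skipped.
_IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message: bytes) -> list:
    """Return the bracketed IPv4 literals from each Received header, top-most first."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    ips = []
    for header in msg.get_all("Received", []):
        ips.extend(_IP_LITERAL.findall(str(header)))
    return ips


def is_illegal_ip(literal: str) -> bool:
    """True if the literal can never identify a public sending host (assumed definition)."""
    try:
        ip = ipaddress.IPv4Address(literal)
    except ValueError:  # octet out of range, e.g. 300.1.1.1
        return True
    return (ip.is_unspecified or ip.is_loopback or ip.is_multicast
            or ip.is_reserved or ip.is_link_local)


def illegal_received_ips(raw_message: bytes, boundary_hops: int = 1) -> list:
    """Illegal IPs in the Received headers below the trusted boundary.

    The top `boundary_hops` Received headers were added by our own MTA and are
    trusted; everything beneath them was supplied by the sender and may be forged.
    """
    ips = received_ips(raw_message)
    return [ip for ip in ips[boundary_hops:] if is_illegal_ip(ip)]


# Constructed sample: our own boundary hop on top, then two sender-supplied hops,
# the lowest of which carries a nonsensical IP literal.
SAMPLE = b"""Received: from mail.example.org [192.0.2.10]
\tby mx.example.net with ESMTP; Tue, 21 Apr 2015 18:47:00 +0200
Received: from [10.0.0.5] (helo=relay.example.org)
\tby mail.example.org with ESMTP; Tue, 21 Apr 2015 18:46:00 +0200
Received: from sender.example.com [0.0.0.0]
\tby relay.example.org with SMTP; Tue, 21 Apr 2015 18:45:00 +0200
Subject: test

body
"""

if __name__ == "__main__":
    print(illegal_received_ips(SAMPLE))  # ['0.0.0.0']
```

Private addresses such as 10.0.0.5 are intentionally not flagged, since internal relay hops legitimately appear in Received headers.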