[milters] Archive


Article: 677
From: barryc
Date: 2005-08-02 09:55:23 -0400
Subject: [DYNDNS] Re: Re: sender question

Removal...........: milters-request@milter.info?subject=remove
More information..: http://www.milter.info/#Support
--------------------------------------------------------

>I read or heard somewhere recently something interesting about testing 
>Received: headers concerning the path a message has claimed to have 
>taken, but have since forgotten the details and where I learnt about it.

I know I'd suggested it on this list at one point (or maybe some other sendmail 
/ milter related list)... I'd started doing some reading on what would be 
involved in writing my own milter, but my workload has changed such that I don't 
know when I'll be able to work on it in earnest.

Here's a recap of what I was thinking:

I'd noticed that of the mail coming into my mailservers, I could fairly easily 
distinguish an enormous volume of the SPAM from the real messages by looking 
only at the Received: headers. (Specifically the lines that read: "Received 
from ... by ..." If it doesn't show both machines involved in the SMTP 
transaction, you can ignore it.)

For example:

If there was only one of these headers, (received from .... by [MY_MAILSERVER]) 
then one of three things is ALWAYS true:
1) The message was sent by an SMTP-AUTH authenticated client.
2) The message came from a host specified in /etc/mail/relay-domains
3) The message is SPAM sent by a zombie computer.

Further tests can be performed on messages with multiple Received lines. Here 
are a couple of examples:

1) Locality: Any time that I receive email where there are two blocks of 
Received headers separated by other random headers, the second block is ALWAYS 
forged.  Is it coincidence that legitimate Received headers are always 
contiguous, or is it specified by the RFC? Or, another way to ask the question: 
Is it conceivable that a properly-behaving mailserver may insert other headers 
before prepending its own Received header?

2) Sanity: Consider the following two hypothetical adjacent headers:
Received: from (mailserver.domain1.com[69.215.194.218]) by (...) ...
Received: from (...) by mailserver.domain2.com ...

And mailserver.domain2.com resolves to 162.140.64.107.


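The three checks sketched in the message above (the single-hop rule, the locality rule and the from/by sanity rule), as an added example that is not part of the original post and not the milter the poster describes (which was never written). The header samples, hostnames, IP addresses and the stub DNS table are constructed for illustration; the `{auth_authen}` reference is to sendmail's milter macro of that name, and the relay-domains test is simplified to an exact host or IP match.

```python
"""Received:-header checks from the milters post, as an added example.

Not the poster's milter and not code from the milters list.  All headers,
hosts, IPs and the FAKE_DNS table below are constructed for illustration.
Headers are listed top to bottom as they appear in a message, so index 0
is the newest Received: line, the one added by the last hop.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Header = Tuple[str, str]

# Only "Received: from <host> [<ip>] ... by <host> ..." lines count; a line
# that does not name both machines is ignored, as the post suggests.
RECEIVED_RE = re.compile(r"from\s+(?P<from>.+?)\s+by\s+(?P<by>[\w.\-]+)",
                         re.IGNORECASE | re.DOTALL)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOST_RE = re.compile(r"[\w.\-]+")

# Stub standing in for a DNS lookup (socket.gethostbyname in a real milter).
# Constructed values; these are not the real addresses of these names.
FAKE_DNS: Dict[str, str] = {
    "mailserver.domain1.com": "69.215.194.218",
    "mailserver.domain2.com": "162.140.64.107",
    "mx.example.net": "203.0.113.25",
}


@dataclass
class Hop:
    from_host: Optional[str]  # host that handed the message over
    from_ip: Optional[str]    # its bracketed IP, if the receiver logged one
    by_host: str              # host that wrote this Received: line


def parse_hops(headers: List[Header]) -> List[Hop]:
    """Extract (from, by) pairs from Received: lines, newest first."""
    hops = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        m = RECEIVED_RE.search(value)
        if not m:
            continue  # no "from ... by ...": ignore it
        clause = m.group("from")
        ip, host = IP_RE.search(clause), HOST_RE.search(clause)
        hops.append(Hop(host.group(0) if host else None,
                        ip.group(1) if ip else None, m.group("by")))
    return hops


def classify_single_hop(hops: List[Hop], authenticated: bool,
                        relay_hosts: set) -> Optional[str]:
    """Post's rule for a lone Received: line: SMTP-AUTH, relay-domains or zombie.

    `authenticated` would come from sendmail's {auth_authen} macro.  Returns
    None when the message carries more than one hop.
    """
    if len(hops) != 1:
        return None
    hop = hops[0]
    if authenticated:
        return "smtp-auth"
    if hop.from_host in relay_hosts or hop.from_ip in relay_hosts:
        return "relay-domains"
    return "zombie"


def locality_check(headers: List[Header]) -> List[int]:
    """Post's locality test: Received: lines should form one contiguous block.

    Returns indices of Received: headers in any later block, i.e. separated
    from the first block by other headers, which the post treats as forged.
    Non-Received headers above the first block (e.g. Return-Path) are fine.
    """
    forged, state = [], 0  # 0: before first block, 1: inside it, 2: past it
    for i, (name, _) in enumerate(headers):
        is_recv = name.lower() == "received"
        if state == 0 and is_recv:
            state = 1
        elif state == 1 and not is_recv:
            state = 2
        elif state == 2 and is_recv:
            forged.append(i)
    return forged


def sanity_check(hops: List[Hop],
                 resolve: Callable[[str], Optional[str]]) -> List[Tuple[str, str, str]]:
    """Post's sanity test: the "from" IP of a hop should be the address of
    the "by" host of the hop directly below it (the host that handed it on).

    Returns (by_host, resolved_ip, claimed_from_ip) for each mismatch.
    """
    mismatches = []
    for upper, lower in zip(hops, hops[1:]):
        expected = resolve(lower.by_host)
        if upper.from_ip and expected and upper.from_ip != expected:
            mismatches.append((lower.by_host, expected, upper.from_ip))
    return mismatches


# Constructed message mirroring the post's hypothetical chain: domain1 claims
# to have taken the message from domain2, whose address does not match, and a
# stray Received: line sits below the other headers.
SUSPECT: List[Header] = [
    ("Received", "from (mailserver.domain1.com[69.215.194.218]) by mx.example.net with ESMTP; Tue, 2 Aug 2005 09:00:00 -0400"),
    ("Received", "from user-pc.domain2.com [192.0.2.44] by mailserver.domain2.com with SMTP; Tue, 2 Aug 2005 08:59:00 -0400"),
    ("From", "someone@domain2.com"),
    ("Subject", "hello"),
    ("Received", "from localhost by mailserver.domain2.com"),  # detached block
    ("Message-ID", "<abc@domain2.com>"),
]
# Constructed clean chain: each "from" IP is the address of the "by" host below.
CLEAN: List[Header] = [
    ("Received", "from mailserver.domain2.com (mailserver.domain2.com [162.140.64.107]) by mx.example.net with ESMTP id j72D00000"),
    ("Received", "from user-pc.domain2.com ([192.0.2.44]) by mailserver.domain2.com with ESMTP"),
    ("From", "someone@domain2.com"),
]
# Constructed single-hop submission, as from a roaming client.
AUTHED: List[Header] = [
    ("Received", "from laptop.example.org (laptop.example.org [198.51.100.7]) by mx.example.net with ESMTP id j72D00001"),
]

if __name__ == "__main__":
    print("suspect forged:", locality_check(SUSPECT))
    print("suspect mismatches:", sanity_check(parse_hops(SUSPECT), FAKE_DNS.get))
    print("clean mismatches:", sanity_check(parse_hops(CLEAN), FAKE_DNS.get))
    print("single hop:", classify_single_hop(parse_hops(AUTHED), False, set()))
```

The sanity check deliberately stays quiet when either side is missing (no bracketed IP on the "from" side, or a "by" host the resolver does not know), since a name that fails to resolve is a separate signal from a name that resolves to the wrong address; a milter built on this would want to log those two cases apart.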