Re: Basically Lazy - Email Header Analysis
From: Jeremy Anderson <jeremy(at)2monkeys.org>
Date: Thu May 29 2003 - 19:13:17 EDT

Hi Andy,

First, as tempting as it is to write a tool, my advice is to get one off-the-shelf. My email at work gets stunning quantities of spam: somewhere around 500 messages per day, plus another 1000 or so bounce messages from whoever is pummeling our system with dictionary attacks. (In case anyone is curious as to how so much spam is coming in, it seems to be related to the site, not to me. As soon as my work account was activated, spam started rolling in. To this day, nobody except a few coworkers has my work email address.)

There is a nice MTA-based filter called SpamAssassin (http://www.spamassassin.org) which catches the vast bulk of the spam which flies in our direction. It does this both by analyzing the headers for known and suspected open relays, as well as looking at the text for spam patterns (i.e. use of nonsense filler HTML comments, LOTS OF CAPITAL LETTERS IN THE TEXT, use of certain keywords, inclusion of an opt-out email, etc.).

We use a secondary blocking tool called Spam Bouncer (http://www.spambouncer.org), which takes care of the (very few) items SpamAssassin seems to miss. This gets our torrent of mail down to 1 or 2 (usually very low-key) unblocked messages per day.

Writing a tool to block spam based on, say, finding out if the mail came through an open relay is an idea whose time has come and gone. While obviously some of our spam comes through open relays, I'm seeing less and less of this. A large percentage seems to be originating from throwaway dial-up or cable accounts. When you try to search for a mail server on these systems, one can't be found. Unfortunately, many large sites (i.e. ISPs, etc.) also have separate servers for incoming and outgoing email, so setting up a simple test like "if you can't find a mail server on the remote host, flag the mail as spam" will probably not deliver desirable results.

Good luck with whatever decision you decide to make.

j.
In your message of 10/25/2003 11:43 AM you wrote:
>Hi
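To make the two header checks discussed in the reply concrete, here is an added example that is not part of the original thread or of SpamAssassin/Spam Bouncer. It walks a message's Received: chain, looks each hop's IP up against a blocklist of known open relays, and applies the "no mail server on the sending host" heuristic the reply argues against. The sample message, the HAS_MAIL_SERVER table (a stand-in for DNS/port-25 probing) and the KNOWN_OPEN_RELAYS set are all constructed for the example; smtp-out.bigisp.example models an ISP's outbound-only relay, so the heuristic flags legitimate mail from it, which is exactly the false-positive case described above.

```python
"""Walk a message's Received: chain and exercise two header checks:
a known-open-relay lookup and the "no mail server on the sending host"
heuristic. Sample message, DNS table and relay list are constructed."""
import email
import re
from collections import namedtuple

# Constructed sample message with three hops; the bottom-most Received:
# header is the one closest to the originating (dial-up) host.
RAW_MESSAGE = b"""Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.org (Postfix) with ESMTP id ABC123
\tfor <jeremy@example.org>; Thu, 29 May 2003 19:10:00 -0400
Received: from smtp-out.bigisp.example (smtp-out.bigisp.example [198.51.100.7])
\tby mx1.example.net with ESMTP id DEF456; Thu, 29 May 2003 19:09:58 -0400
Received: from [203.0.113.55] (dialup-55.bigisp.example [203.0.113.55])
\tby smtp-out.bigisp.example with SMTP id GHI789; Thu, 29 May 2003 19:09:55 -0400
From: andy@example.com
To: jeremy@example.org
Subject: test

hello
"""

# Constructed stand-in for "can we find a mail server on this host?" (an MX
# lookup or port-25 probe in a real tool). smtp-out.bigisp.example is an
# outbound-only relay: a large ISP with separate inbound and outbound servers.
HAS_MAIL_SERVER = {
    "mx1.example.net": True,
    "smtp-out.bigisp.example": False,
    "dialup-55.bigisp.example": False,
}

# Constructed blocklist of known open relays, keyed by IP.
KNOWN_OPEN_RELAYS = {"192.0.2.250"}

Hop = namedtuple("Hop", "claimed rdns ip by")

# "from <claimed> (<rdns> [<ip>]) by <by>": <claimed> is what the client said
# in HELO; the parenthesised part is what the receiving MTA observed.
HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+?)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)


def received_hops(raw=RAW_MESSAGE):
    """Parse every Received: header; return hops ordered from originator to us."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())  # undo header folding
        m = HOP_RE.search(unfolded)
        if m:
            hops.append(Hop(m["claimed"], m["rdns"], m["ip"], m["by"]))
    hops.reverse()  # bottom header = first hop
    return hops


def check_open_relays(hops, relays=KNOWN_OPEN_RELAYS):
    """IPs in the chain that appear on the open-relay blocklist."""
    return [h.ip for h in hops if h.ip in relays]


def no_mail_server_flag(hop, table=HAS_MAIL_SERVER):
    """The heuristic from the thread: True if the sending host of this hop
    has no reachable inbound mail server. Prefers the receiver's reverse DNS
    over the client's self-reported HELO name."""
    host = hop.rdns or hop.claimed
    return not table.get(host, False)


def evaluate(raw=RAW_MESSAGE):
    hops = received_hops(raw)
    return {
        "origin": hops[0].rdns or hops[0].claimed,
        "open_relay_hits": check_open_relays(hops),
        # Note the false positive: the ISP's outbound-only relay is flagged.
        "flagged_hops": [h.rdns or h.claimed for h in hops if no_mail_server_flag(h)],
    }


if __name__ == "__main__":
    for hop in received_hops():
        print(f"{hop.rdns or hop.claimed} ({hop.ip}) -> {hop.by}")
    print(evaluate())
```

Running it lists the three hops and shows that the heuristic flags both the dial-up origin and smtp-out.bigisp.example, the legitimate outbound relay, while the open-relay blocklist matches nothing. Swapping HAS_MAIL_SERVER for a real MX lookup would not remove that false positive, which is the point of the reply.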
Received on Fri May 30 13:38:16 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:04:38 EDT