Noticed a pattern in Spam headers


Dec 7, 2003
Toronto, Canada
I just spent a nice chunk of my day looking to decreasing cpu load caused by spam. As we speak, my sever's load is between 2 and 10 with 500-2000 emails hitting my server per hour (depending on the time of day).

I did notice that alot of spam likes to spoof the 'Received:' headers and act like it came from the mail server for the domain to your domain already. Hard to explain, so I will give an example:

Received: from [] (port=3076
	by with esmtp (Exim 4.52)
	id 1Gg2jL-0008Or-FG
	for [email protected]; Fri, 03 Nov 2006 12:21:24 -0500
Received: from (HELO
     by with esmtp (6CHY6PNUUJWM XMG9G)
     id 5EYFVA-5ZLBO0-1F
     for [email protected]; Fri, 3 Nov 2006 17:24:16 -0060
From: "Rhonda Rowland" <[email protected]>
To: <[email protected]>
Subject: Rhonda wrote:
As you see, the top Received was added by my mail server when the email was received (I have seen headers where the sender was obviously a dial up user). The bottom one was on the email when received by my mail server. The funny thing is, if already received it, why am I getting it again?

I was just wondering if it is possible to write an ACL that will automatically deny these messages since most spam today seem to take on this approach.

I understand that some domains may be relayed, and may work against people with relayed domains, but in most cases it is not. Even if you were to have a relay setup, you should be able to add your relay server as some sort of trusted relay and bypass the ACL.

I will continue to research it when I have time, I am new to ACLs and have yet to find an example of one that checks the header.