
Noticed a pattern in Spam headers

Discussion in 'General Discussion' started by Wojjie, Jan 5, 2007.

  1. Wojjie

    I just spent a nice chunk of my day looking into decreasing CPU load caused by spam. As we speak, my server's load is between 2 and 10 with 500-2000 emails hitting my server per hour (depending on the time of day).

    I did notice that a lot of spam likes to spoof the 'Received:' headers and act like it came from the mail server for the domain to your domain already. Hard to explain, so I will give an example:

    Received: from [] (port=3076
    	by with esmtp (Exim 4.52)
    	id 1Gg2jL-0008Or-FG
    	for; Fri, 03 Nov 2006 12:21:24 -0500
    Received: from (HELO
         by with esmtp (6CHY6PNUUJWM XMG9G)
         id 5EYFVA-5ZLBO0-1F
         for; Fri, 3 Nov 2006 17:24:16 -0060
    From: "Rhonda Rowland" <>
    To: <>
    Subject: Rhonda wrote:

    As you see, the top Received was added by my mail server when the email was received (I have seen headers where the sender was obviously a dial-up user). The bottom one was on the email when received by my mail server. The funny thing is, if already received it, why am I getting it again?

    I was just wondering if it is possible to write an ACL that will automatically deny these messages since most spam today seems to take on this approach.

    I understand that some domains may be relayed, and may work against people with relayed domains, but in most cases it is not. Even if you were to have a relay setup, you should be able to add your relay server as some sort of trusted relay and bypass the ACL.

    I will continue to research it when I have time. I am new to ACLs and have yet to find an example of one that checks the header.
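
The check described in the post above, written out as an added example (not part of the original post, and a Python sketch of the logic rather than an Exim ACL): skip the topmost Received header, which the local server added, and flag any earlier one whose "by" clause names the local host. The hostnames, addresses and function names are constructed placeholders, since the post's own values were stripped.

```python
import re
from email import message_from_string

# Constructed sample in the shape of the post's example; every hostname and
# address is a placeholder, not a value from the original post.
SAMPLE = """\
Received: from [203.0.113.7] (port=3076 helo=dialup.example.net)
\tby mx.example.org with esmtp (Exim 4.52)
\tid 1Gg2jL-0008Or-FG
\tfor user@example.org; Fri, 03 Nov 2006 12:21:24 -0500
Received: from sender.example.com (HELO sender.example.com)
     by mx.example.org with esmtp (6CHY6PNUUJWM XMG9G)
     id 5EYFVA-5ZLBO0-1F
     for user@example.org; Fri, 3 Nov 2006 17:24:16 -0060
From: "Rhonda Rowland" <rhonda@example.com>
To: <user@example.org>
Subject: constructed sample

body
"""

BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def by_host(received):
    """Return the lower-cased host named in a Received header's 'by' clause."""
    m = BY_HOST.search(received)
    return m.group(1).rstrip(".").lower() if m else None


def forged_self_hops(raw, our_hosts, trusted_relay=False):
    """List indexes of earlier Received headers that claim one of our hostnames.

    Header 0 is the one our own MTA prepended, so it is skipped. Mail that
    arrived through a trusted relay is exempt, as the post suggests.
    """
    if trusted_relay:
        return []
    ours = {h.lower() for h in our_hosts}
    hops = message_from_string(raw).get_all("Received") or []
    return [i for i, h in enumerate(hops[1:], start=1) if by_host(h) in ours]


if __name__ == "__main__":
    print(forged_self_hops(SAMPLE, {"mx.example.org"}))
```

Mail that genuinely passes through the same host twice (a local forwarder, or a content scanner that re-injects the message) also carries an earlier header naming that host, so such paths need the same exemption as trusted relays.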
