The cPanel & WHM Community Forums

Noticed a pattern in Spam headers

Discussion in 'General Discussion' started by Wojjie, Jan 5, 2007.

  1. Wojjie (Member, Toronto, Canada, joined Dec 7, 2003)
    I just spent a nice chunk of my day looking at decreasing CPU load caused by spam. As we speak, my server's load is between 2 and 10 with 500-2000 emails hitting my server per hour (depending on the time of day).

    I did notice that a lot of spam likes to spoof the 'Received:' headers and act like it already came from the mail server for the domain to your domain. Hard to explain, so I will give an example:

    Code:
    Received: from [80.51.255.150] (port=3076 helo=mail.brenner-de.com)
    	by mich1.wojjie.net with esmtp (Exim 4.52)
    	id 1Gg2jL-0008Or-FG
    	for contact@game-monitor.com; Fri, 03 Nov 2006 12:21:24 -0500
    Received: from 217.140.40.34 (HELO btmx4.sun.com)
         by game-monitor.com with esmtp (6CHY6PNUUJWM XMG9G)
         id 5EYFVA-5ZLBO0-1F
         for contact@game-monitor.com; Fri, 3 Nov 2006 17:24:16 -0060
    From: "Rhonda Rowland" <deborasej@bqethius.eng.sun.com>
    To: <contact@game-monitor.com>
    Subject: Rhonda wrote:
    
    As you see, the top Received was added by my mail server when the email was received (I have seen headers where the sender was obviously a dial-up user). The bottom one was on the email when received by my mail server. The funny thing is, if game-monitor.com already received it, why am I getting it again?

    I was just wondering if it is possible to write an ACL that will automatically deny these messages, since most spam today seems to take this approach.

    I understand that some domains may be relayed, and this may work against people with relayed domains, but in most cases it is not. Even if you were to have a relay set up, you should be able to add your relay server as some sort of trusted relay and bypass the ACL.

    I will continue to research it when I have time; I am new to ACLs and have yet to find an example of one that checks the header.
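The check the post asks for, written out as a runnable Python script. This is an added example, not code from this thread, from cPanel or from Exim: it walks the Received: hops of a message, trusts only the top one (the hop the local MTA itself stamped) and rejects any lower hop that claims the mail was already handled by one of the locally hosted domains, with an allowlist for the relayed-domain case the post raises. The three sample messages are constructed (the first is modelled on the headers quoted above); LOCAL_HOSTS, LOCAL_DOMAINS and the backup MX in TRUSTED_RELAYS are assumed values.

```python
"""Detect a forged "already received by our domain" Received: hop.

Added example for the post above; not code from the thread, cPanel or Exim.
Sample messages are constructed; host, domain and relay names are assumptions.
"""
import re
from email import message_from_string

LOCAL_HOSTS = {"mich1.wojjie.net"}                  # names our own MTA stamps
LOCAL_DOMAINS = {"game-monitor.com", "wojjie.net"}  # domains hosted on this box
TRUSTED_RELAYS = {"mx2.game-monitor.com"}           # hypothetical backup MX

_FROM_RE = re.compile(r"\bfrom\s+(\[?[A-Za-z0-9.\-:]+\]?)", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.\-]+)", re.IGNORECASE)

# Constructed sample, modelled on the spam headers quoted in the post.
SAMPLE_SPAM = """\
Received: from [80.51.255.150] (port=3076 helo=mail.brenner-de.com)
\tby mich1.wojjie.net with esmtp (Exim 4.52)
\tid 1Gg2jL-0008Or-FG
\tfor contact@game-monitor.com; Fri, 03 Nov 2006 12:21:24 -0500
Received: from 217.140.40.34 (HELO btmx4.sun.com)
\tby game-monitor.com with esmtp (6CHY6PNUUJWM XMG9G)
\tid 5EYFVA-5ZLBO0-1F
\tfor contact@game-monitor.com; Fri, 3 Nov 2006 17:24:16 -0060
From: "Rhonda Rowland" <deborasej@bqethius.eng.sun.com>
To: <contact@game-monitor.com>
Subject: Rhonda wrote:

(body omitted)
"""

# Constructed clean message: one outside MTA, then us.
SAMPLE_CLEAN = """\
Received: from mail.example.org ([192.0.2.10] helo=mail.example.org)
\tby mich1.wojjie.net with esmtp (Exim 4.52)
\tid 1Gg2jM-0008Or-AA
\tfor contact@game-monitor.com; Fri, 03 Nov 2006 12:30:00 -0500
Received: from user-pc (unknown [198.51.100.7])
\tby mail.example.org (Postfix) with ESMTPA id ABC123
\tfor <contact@game-monitor.com>; Fri, 03 Nov 2006 12:29:50 -0500
Subject: hello

(body omitted)
"""

# Constructed relayed message: a backup MX under our own domain stamped it
# first, which looks exactly like the forgery unless the relay is trusted.
SAMPLE_RELAY = """\
Received: from mx2.game-monitor.com ([203.0.113.5])
\tby mich1.wojjie.net with esmtp (Exim 4.52)
\tid 1Gg2jN-0008Or-BB
\tfor contact@game-monitor.com; Fri, 03 Nov 2006 12:40:00 -0500
Received: from mail.example.org ([192.0.2.10])
\tby mx2.game-monitor.com with esmtp (Exim 4.52)
\tid 1Gg2jN-0001Aa-CC
\tfor contact@game-monitor.com; Fri, 03 Nov 2006 12:39:55 -0500
Subject: via backup mx

(body omitted)
"""


def parse_hop(value):
    """Reduce one (possibly folded) Received: value to its from/by hosts."""
    flat = " ".join(value.split())            # unfold continuation lines
    flat = re.sub(r"\([^)]*\)", " ", flat)    # drop (comments) such as (HELO x)
    frm = _FROM_RE.search(flat)
    by = _BY_RE.search(flat)
    return {
        "from": frm.group(1) if frm else None,
        "by": by.group(1).lower().rstrip(".") if by else None,
    }


def is_local(host):
    """True if host is one of our MTAs or lies under a domain we host."""
    return (host in LOCAL_HOSTS or host in LOCAL_DOMAINS
            or any(host.endswith("." + d) for d in LOCAL_DOMAINS))


def forged_local_hop(raw_message):
    """Return the first Received: hop below the one our MTA added that claims
    the mail was already handled by one of our hosts or domains, ignoring
    hops stamped by a trusted relay. None means the trace is clean."""
    msg = message_from_string(raw_message)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    # Only the top hop is ours and trustworthy; if it is not, do not judge.
    if not hops or hops[0]["by"] not in LOCAL_HOSTS:
        return None
    for hop in hops[1:]:
        by = hop["by"]
        if by is None or by in TRUSTED_RELAYS:
            continue
        if is_local(by):
            return hop
    return None


if __name__ == "__main__":
    for name, raw in (("spam", SAMPLE_SPAM), ("clean", SAMPLE_CLEAN),
                      ("relay", SAMPLE_RELAY)):
        hop = forged_local_hop(raw)
        print(name, "DENY: forged hop by " + hop["by"] if hop else "accept")
```

In an MTA this test belongs wherever the full header block is visible, which for Exim means the DATA ACL rather than the connect or RCPT stages, since Received: lines only exist once the message has been read. The trusted-relay set is the escape hatch for the relayed-domain case in the post: a backup MX named under game-monitor.com stamps a hop that the rule would otherwise treat as the forgery, so it has to be listed explicitly rather than matched by domain.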
     
