The Community Forums


Noticed a pattern in Spam headers

Discussion in 'General Discussion' started by Wojjie, Jan 5, 2007.

  1. Wojjie (Member, Toronto, Canada)
    I just spent a nice chunk of my day looking into decreasing CPU load caused by spam. As we speak, my server's load is between 2 and 10 with 500-2000 emails hitting my server per hour (depending on the time of day).

    I did notice that a lot of spam likes to spoof the 'Received:' headers and act like it came from the mail server for the domain to your domain already. Hard to explain, so I will give an example:

    Code:
    Received: from [80.51.255.150] (port=3076 helo=mail.brenner-de.com)
    	by mich1.wojjie.net with esmtp (Exim 4.52)
    	id 1Gg2jL-0008Or-FG
    	for contact@game-monitor.com; Fri, 03 Nov 2006 12:21:24 -0500
    Received: from 217.140.40.34 (HELO btmx4.sun.com)
         by game-monitor.com with esmtp (6CHY6PNUUJWM XMG9G)
         id 5EYFVA-5ZLBO0-1F
         for contact@game-monitor.com; Fri, 3 Nov 2006 17:24:16 -0060
    From: "Rhonda Rowland" <deborasej@bqethius.eng.sun.com>
    To: <contact@game-monitor.com>
    Subject: Rhonda wrote:
    
    As you see, the top Received was added by my mail server when the email was received (I have seen headers where the sender was obviously a dial up user). The bottom one was on the email when received by my mail server. The funny thing is, if game-monitor.com already received it, why am I getting it again?

    I was just wondering if it is possible to write an ACL that will automatically deny these messages, since most spam today seems to take this approach.

    I understand that some domains may be relayed, and may work against people with relayed domains, but in most cases it is not. Even if you were to have a relay setup, you should be able to add your relay server as some sort of trusted relay and bypass the ACL.

    I will continue to research it when I have time; I am new to ACLs and have yet to find an example of one that checks the header.
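One way to express the check the post describes as an Exim DATA-time ACL, added here as an example rather than code from the original thread or from cPanel; the ACL name `acl_check_data`, the hostlist name `trusted_relays` and the relay addresses in it are assumptions.

```exim
# Added example (not from the original post or cPanel): reject a message whose
# pre-existing Received: headers claim it was already handled "by" the
# recipient domain (game-monitor.com, from the headers in the post).
# Assumptions: "acl_smtp_data = acl_check_data" is set in the main section, and
# the trusted_relays addresses are constructed placeholders (RFC 5737 range)
# standing in for any real secondary MX or relay that legitimately handles
# mail for the domain.

# --- main configuration section (before "begin acl") ---
hostlist trusted_relays = 192.0.2.10 : 192.0.2.11

# --- ACL section (after "begin acl") ---
acl_check_data:

  # Mail arriving through a trusted relay legitimately carries a Received:
  # line that mentions our domain, so those hosts are exempt from the check.
  deny
    !hosts      = +trusted_relays
    # $h_received: holds every Received: header, newline-joined. \N...\N stops
    # Exim from interpreting the regex backslashes. Exim's own Received: line
    # ("by mich1.wojjie.net" in the post) is already present when this ACL
    # runs, so the pattern names only the recipient domain, never the
    # server's own hostname; "by mail.game-monitor.com" does not match either.
    condition   = ${if match{$h_received:}{\N(?i)\bby\s+game-monitor\.com\b\N}}
    log_message = forged Received: claims delivery by game-monitor.com \
                  (sender host $sender_host_address)
    message     = Rejected: message header claims it was already delivered \
                  by game-monitor.com

  accept
```

`exim -bh <sender-ip>` lets you walk a test SMTP session through the ACLs by hand, pasting the headers above at DATA, before enabling the rule on live mail.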