Author: James P. Roberts Date: To: Hanasaki JiJi CC: exim-users Subject: [Exim] Scanning Headers Discussion [was: rbl-check for forwarded spam]
----- Original Message -----
From: "Hanasaki JiJi" <hanasaki@???>
To: "List - Exim" <exim-users@???>
Sent: Tuesday, April 08, 2003 1:11 PM
Subject: Re: [Exim] rbl-check for forwarded spam
> Will spam get through if the spammer starts adding this "custom header"
> that indicates it has already been scaned?
>
As "trial balloon" was written, I suppose so. Same applies to SA scanning and
so forth, as I understand many people currently use it.
Options might be:
(a) ignore this, since the effort for a spammer to fake your custom header is
pretty high, especially if we all use unique custom headers.
(b) also check that message is being injected locally (i.e. from your scanning
box); if the header is present but message is coming in from the outside, then
strip the fake header and scan anyway.
(c) encrypt header contents with a private key. If it does not decrypt with
public key, you did not add it, so scan anyway. I know, this is almost
overkill, but I suppose it would work, if the spammers get that sophisticated.
One more thought... Once a message has been scanned, and re-injected, is it
possible to strip the extra header just before actual delivery, so no record
of the scanning is left behind (think of it as a "temporary header"), in order
to reduce the chance of anyone discovering the format of said "custom" header?
(More "brainstorming"). In the case of recording a score, or marker of some
sort, for MUA filtering, one needs to leave a header in there; BUT, one could
use a "temporary" header, as described here, just for the purpose of
determining if scanning has already been done, instead of using one header for
two purposes ("score result" and "already scanned flag").
Any thoughts to add to the discussion? Am I totally out to lunch, here?
