Re: [Exim] SPAM problems : reject by X-Mailer?

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [Exim] SPAM problems : reject by X-Mailer?
On Mon, 12 Jan 2004, Rory Campbell-Lange wrote:

> I have seen a large increase in emails with subjects like "annoy idea
> handsome" and bodies such as "peace euphorbia lillian scout b centerline
> cleat scapular citron pacify centigrade icicle eh imperate cupid
> fireplace gentlemen cocaine". Presumably the sender is trying to
> generate a response?


At the core of these messages is a spam link:

<a href="..."><img border="0" src="..."></a>

Presumably the sender is trying to obfuscate the message sufficiently
to get past content-recognition filters.

> Many of these spam senders have the following X-Mailer listed:
>     X-Mailer: mPOP Web-Mail 2.19


So they do: if I try that on the contents of my spam-bucket, I get
quite a number of matches since mid-December, although I also got
several which didn't have that particular X-Mailer.

I don't see any matches for that X-Mailer in my own personal good
mail, though I can't speak for all of our users...

However, all of the samples that I've got in my spam-bucket have been
forwarded from my account at another site, which suggests that if any
of them are being offered to us directly then we're rejecting them on
other grounds (probably DNSRBLed MTA IPs). Some of them can also be
rejected by callbacks on their faked envelope sender addresses (pace
the usual critics of that procedure).

Looking at the matches that I got, I'd say about half of them have so
low a spamassassin score (<4) that no reasonable amount of boost on
the X-Mailer alone would take them up to our rejection level (>8).
The other half had scored around 7, and an extra point or so for the
X-Mailer would have taken them over the limit.

> Is this possible to generate an SMTP-time rejection of a message based
> on its X-Mailer? Is this sensible?


It might be worth some points in the spam-rating, but it would be
premature to use it as a basis for outright rejection, I feel. Based
on the arguments I present above, I'd say there are more effective
ways of keeping these at bay (but those ways are weakened when the
mail has been accepted by some forwarding MTA).

cheers
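The reasoning above (a header match is worth a few points, not an outright reject, because the low-scoring half would never reach the threshold) is the kind of thing you check against your own spam-bucket before touching the ACL. The script below is an added example, not code from the thread or from Exim: it splits an mbox-style spam-bucket, pulls the SpamAssassin score out of X-Spam-Status (both the 2.x "hits=" and 3.x "score=" spellings), counts the messages carrying the quoted X-Mailer, and reports how many a fixed boost would push over a reject level of 8. The sample mbox, its addresses and its scores are constructed for the demonstration; only the X-Mailer string and the >8 threshold come from the post.

```python
"""Measure what a fixed score boost for one X-Mailer value would actually do to a spam-bucket."""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List, Optional

SUSPECT_XMAILER = "mPOP Web-Mail 2.19"   # header value quoted in the thread
REJECT_ABOVE = 8.0                        # rejection level named in the reply (>8)
# SpamAssassin 2.x writes "hits=", 3.x writes "score="; accept either, signed.
SCORE_RE = re.compile(r"(?:hits|score)=(-?\d+(?:\.\d+)?)")

# Constructed sample spam-bucket in mbox form (hypothetical addresses and scores).
SAMPLE_MBOX = """\
From spammer@example.invalid Mon Jan 12 09:00:00 2004
Subject: annoy idea handsome
X-Mailer: mPOP Web-Mail 2.19
X-Spam-Status: Yes, hits=7.1 required=5.0 tests=HTML_IMAGE_ONLY_02

peace euphorbia lillian scout b centerline

From spammer@example.invalid Mon Jan 12 09:05:00 2004
Subject: cleat scapular citron
X-Mailer: mPOP Web-Mail 2.19
X-Spam-Status: No, hits=3.2 required=5.0 tests=HTML_MESSAGE

cleat scapular citron pacify centigrade icicle

From spammer@example.invalid Mon Jan 12 09:10:00 2004
Subject: eh imperate cupid
X-Mailer: mPOP Web-Mail 2.19
X-Spam-Status: Yes, hits=7.6 required=5.0 tests=HTML_IMAGE_ONLY_02

fireplace gentlemen

From other@example.invalid Mon Jan 12 09:15:00 2004
Subject: different gang
X-Spam-Status: Yes, hits=9.4 required=5.0 tests=RCVD_IN_SBL

no X-Mailer header at all

From spammer@example.invalid Mon Jan 12 09:20:00 2004
Subject: citron pacify
X-Mailer: mPOP Web-Mail 2.19
X-Spam-Status: No, hits=2.5 required=5.0 tests=HTML_MESSAGE

low scorer

From spammer@example.invalid Mon Jan 12 09:25:00 2004
Subject: unscored
X-Mailer: mPOP Web-Mail 2.19

forwarded copy that never passed through SpamAssassin

From friend@example.invalid Mon Jan 12 09:30:00 2004
Subject: lunch
X-Mailer: Mutt/1.4.1i
X-Spam-Status: No, hits=-2.0 required=5.0 tests=BAYES_00

legitimate mail with an unrelated X-Mailer
"""


def parse_mbox(text: str) -> List[Message]:
    """Split on mbox 'From ' separator lines and parse each chunk as an RFC 2822 message."""
    chunks = re.split(r"^From .*\n", text, flags=re.MULTILINE)
    return [message_from_string(chunk) for chunk in chunks if chunk.strip()]


def spam_score(msg: Message) -> Optional[float]:
    """Numeric score from X-Spam-Status, or None when the message was never scored."""
    status = msg.get("X-Spam-Status")
    if status is None:
        return None
    found = SCORE_RE.search(status)
    return float(found.group(1)) if found else None


def xmailer_matches(msg: Message, wanted: str = SUSPECT_XMAILER) -> bool:
    """Exact match on the X-Mailer header, as an ACL 'eq' condition would do."""
    return (msg.get("X-Mailer") or "").strip() == wanted


def boost_report(msgs: List[Message], boost: float,
                 threshold: float = REJECT_ABOVE,
                 wanted: str = SUSPECT_XMAILER) -> Dict[str, int]:
    """Classify every message carrying the suspect X-Mailer by what the boost does to it."""
    report = {"matched": 0, "unscored": 0, "already_over": 0,
              "pushed_over": 0, "still_under": 0}
    for msg in msgs:
        if not xmailer_matches(msg, wanted):
            continue
        report["matched"] += 1
        score = spam_score(msg)
        if score is None:
            report["unscored"] += 1          # no verdict to boost
        elif score > threshold:
            report["already_over"] += 1      # rejected without any help
        elif score + boost > threshold:
            report["pushed_over"] += 1       # the boost makes the difference
        else:
            report["still_under"] += 1       # boost is wasted on these
    return report


def boost_needed_for_all(msgs: List[Message], threshold: float = REJECT_ABOVE,
                         wanted: str = SUSPECT_XMAILER) -> Optional[float]:
    """Boost that would be needed to lift even the lowest-scoring match over the threshold."""
    scores = [s for m in msgs if xmailer_matches(m, wanted)
              for s in [spam_score(m)] if s is not None]
    return threshold - min(scores) if scores else None


if __name__ == "__main__":
    bucket = parse_mbox(SAMPLE_MBOX)
    for boost in (0.0, 1.0, 2.0):
        print(f"boost {boost:+.1f}: {boost_report(bucket, boost)}")
    print(f"boost needed to reject every scored match: {boost_needed_for_all(bucket)}")
```

On the constructed sample a one-point boost rescues the two messages sitting around 7 and does nothing for the two scoring under 4, which is the split the reply describes; lifting the lowest match over the line would take a boost of 5.5 points, large enough to turn the header alone into a de facto reject rule. Run it against a real spam-bucket and a real good-mail folder side by side before assigning the points, since a match in good mail is exactly the case the post says it could not rule out.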