Re: [exim] envelope-from in received lines - the dark side

Author: Graeme Fowler
Date:
To: exim-users
Subject: Re: [exim] envelope-from in received lines - the dark side
Hi

On Sat, 2006-01-07 at 12:42 -0800, Marc Perkel wrote:
> I'm not sure I like the envelope-from in received lines. There is a down
> side.
>
> One of the spam filtering tricks I use to catch paypal fraud is to scan
> the received lines to see if I find "paypal" there. With these new
> envelope-from lines the envelope is being passed in the received lines
> undermining my trick. I disabled them in my setup but if I get spam from
> others using Exim 4.60 it might not be able to detect fake paypal
> phishing spam because the envelope-from has paypal in it.

With the ever-shifting nature of MTA releases, configs, spammer tricks,
and antispam defence systems (like yours, presumably) wouldn't you be
better off working on the assumption that occasionally [0] things *will*
change, and that you're going to have to adapt your systems to reflect
those changes?

If I read you correctly, if any spammer with an ounce of sense [1] is
reading this list then they're now going to say "great news - all we
have to do is add a bogus Received: header with the word paypal in it,
and it'll get through junkemailfilter.com!".

If you have a read of the archives, there's at least one poster who
already included that in his headers way before 4.60 came along. I'm
sure there are other MTAs and SMTP server admins doing the same thing
out there, too.

Maybe you just need tighter regex matches, and an acceptance of the fact
that spam is a moving target?

[0] or frequently.
[1] assuming that such a thing exists, of course.

Graeme
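As an added illustration, not part of Graeme's or Marc's message, here is a Python sketch of the difference the thread is about: a substring match over the whole Received: line versus a match restricted to the host the line claims to have received from. The header values, host names and message ids below are constructed; the first follows the Exim 4.60 layout with an "(envelope-from <...>)" clause.

```python
import re

# Constructed sample Received: lines (not taken from the original thread).
# The first is in the Exim 4.60 format, which carries the envelope sender
# in parentheses; "paypal" appears there and nowhere else in the line.
RECEIVED_EXIM_460 = (
    "from mail.example.net ([192.0.2.10]) by mx.example.org with esmtp "
    "(Exim 4.60) (envelope-from <alerts@paypal.example>) id 1Ew0Xx-0001Ab-2C "
    "for user@example.org; Sat, 07 Jan 2006 12:42:00 -0800"
)
# The second claims to come from a host whose name contains "paypal".
RECEIVED_SUSPECT_HOST = (
    "from smtp.paypal.example ([203.0.113.5]) by mx.example.org with esmtp "
    "(Exim 4.50) id 1Ew0Xy-0001Ac-3D for user@example.org; "
    "Sat, 07 Jan 2006 12:43:00 -0800"
)

# The envelope-from clause Exim 4.60 adds, and the "from <host>" lead of a line.
ENVELOPE_FROM_RE = re.compile(r"\(envelope-from\s+<[^>]*>\)\s*", re.IGNORECASE)
FROM_HOST_RE = re.compile(r"^from\s+([^\s(]+)", re.IGNORECASE)


def naive_match(received: str, word: str = "paypal") -> bool:
    """The trick from the post: look for the word anywhere in the line.

    Fires on the envelope-from clause too, which is what Marc complained about.
    """
    return word in received.lower()


def host_match(received: str, word: str = "paypal") -> bool:
    """Tighter check: ignore the envelope-from clause and inspect only the
    host name the Received: line claims to have received the message from."""
    stripped = ENVELOPE_FROM_RE.sub("", received)
    m = FROM_HOST_RE.match(stripped)
    return bool(m) and word in m.group(1).lower()


if __name__ == "__main__":
    for line in (RECEIVED_EXIM_460, RECEIVED_SUSPECT_HOST):
        print(f"naive={naive_match(line)} host={host_match(line)}  {line[:40]}...")
```

Even the tighter check only tells you what a Received: line claims; lines added by hosts you do not operate can say anything, which is the point Graeme makes about bogus headers.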