Mark Little wrote:
> I was playing around with it and have found so far only two cases (out of
> 200+ caught) that were legitimate emails, so I believe I am on to something
> but I believe you are right and I want to get this down further.
>
> I am now playing with detecting Received: from [<sender IP>] but excluding
> if [<sender IP>].+[<sender IP>] or [<sender IP>].+[127.0.0.1] are present.
> All the spammer examples I have seen only include the one IP, so I may
> reduce this to just excluding if there is a second [<ip.address>] on the
> line.
>
> Thoughts?
I think, the main problem is that there are legitimate reasons why a
server might connect back to it's own IP. There might be value in using
this particular metric in a spam scoring system though. Let us know how
it works for you.
--
Mike Cardwell
(
https://secure.grepular.com/) (
http://perlcv.com/)
