>> Which info would you record? The forged envelope sender or the unwitting 
>> third-party relay?
>
>1) IP address of the remote host and 2) From / Subject / To ?
>
>The thing spammers are least likely to muck with is the subject. But if you
>recorded all 3 you could do a reasonably quick "intelli" match on other
>emails from that host.

Well, only until you put a tool in place that matches on Subject. How much 
code does a spammer have to write to randomize the Subject?

Then what will you match on? The envelope details? How much code does it take 
to randomize the envelope details?

Then what will you match on? The content? How much code does it take to 
randomize the content?

Then what will you match on?

What you need to do is put yourself in the position of the spammer and ask, 
"Can I think of a way around this technique?" If so, well, so too can spammers.

>No, I don't think you've grasped the concept.

Well, I think I have actually... Seeded detection of spam is not new. If a 
spammer sufficiently randomizes their headers, content and their relay, how 
will you detect them reliably?

Answer: you can't.

But I could be wrong. What's say you supply the 'reasonably quick "intelli" 
match' and I'll see if I can supply a program that generates spams that get 
thru. Let's use perl as the language.


Regards.
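
The matching scheme quoted in this message, as an added example that is not part of the original thread and is not either poster's code: it records the remote host IP and From / Subject / To of one seeded spam, then scores later mail against that record so the misses the reply predicts can be measured. The addresses, subjects, the 0.8 threshold and the function names are all constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed record of one seeded spam: the remote host's IP plus the
# From / Subject / To values the quoted message proposes recording.
SEED = {"ip": "192.0.2.10", "from": "offers@example.com",
        "to": "trap@example.net", "subject": "Cheap meds, no prescription"}

# Constructed later arrivals, labelled by what changed relative to the seed.
LATER = {
    "subject_tweaked": {"ip": "192.0.2.10", "from": "offers@example.com",
                        "to": "sales@example.org",
                        "subject": "Cheap meds - no prescription!!"},
    "headers_varied": {"ip": "192.0.2.10", "from": "qz7w@mail.invalid",
                       "to": "sales@example.org",
                       "subject": "Your invoice 48213 is attached"},
    "relay_changed": {"ip": "198.51.100.7", "from": "offers@example.com",
                      "to": "trap@example.net",
                      "subject": "Cheap meds, no prescription"},
}

def similarity(a, b):
    """Case-insensitive similarity of two header values, from 0.0 to 1.0."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def match(seed, msg, threshold=0.8):
    """Compare msg with the seed record. Returns (hit, fields): only mail from
    the seeded host is compared, and fields lists the headers whose
    similarity reached the threshold."""
    if msg["ip"] != seed["ip"]:
        return False, []
    fields = [f for f in ("from", "to", "subject")
              if similarity(seed[f], msg[f]) >= threshold]
    return bool(fields), fields

def coverage(seed, messages):
    """Map each message label to its match result, so the misses are visible."""
    return {label: match(seed, msg) for label, msg in messages.items()}

if __name__ == "__main__":
    for label, (hit, fields) in coverage(SEED, LATER).items():
        print(f"{label:16} hit={hit!s:5} matched={fields}")
```

Running it over a labelled corpus of your own gives the false-negative rate of header matching, which is the number to check before relying on it as a filter.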
