On Thu, 14 Feb 2019 11:53:52 -0800 Loren Wilton wrote:

> About 99% (literally) of the spam I get is from one spammer. He
> doesn't bother obfuscating the received headers, other than putting a
> fake hostname in the sending hostname. Here are the final two levels
> from a random spam from a few minutes ago as an example:
>
> Received: from noehlo.host ([209.86.89.125])
> by mdl-harvest.atl.sa.earthlink.net (EarthLink SMTP Server) with
> SMTP id 1GUltH2aW3Nl36V0; Thu, 14 Feb 2019 13:11:17 -0500 (EST)

The header above looks to be internal to earthlink and isn't relevant.

> Received: from newdeals4you.com ([34.207.159.130])
> by ibscan-hornet.atl.sa.earthlink.net (EarthLink SMTP Server) with
> SMTP id 1GUltH4Ke3PGoUd1
> for <x...@earthlink.com>; Thu, 14 Feb 2019 13:11:17 -0500 (EST)

This header is added by earthlink; the only thing under the sender's control is the 'helo' of newdeals4you.com. There's no other scope for "obfuscating" this.

> While he's claiming to be from newdeals4you.com, 34.207.159.130 is an
> Amazon AWS cloud host.

A mismatch isn't necessarily wrong, but the A-record for newdeals4you.com points elsewhere.

> Just as a matter of curiosity, I'd like some sort of rule that could
> resolve that hostname and display it in the description of a
> low-scoring rule,

This is the job of ibscan-hornet.atl.sa.earthlink.net. It probably doesn't because there is no full-circle DNS: 34.207.159.130 has rDNS of ec2-34-207-159-130.compute-1.amazonaws.com, but that doesn't have an A-record pointing to 34.207.159.130. Without full-circle DNS the rDNS alone doesn't reliably connect the IP address to the domain.
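The two checks discussed in this thread, the HELO name versus the connecting IP and full-circle (forward-confirmed) rDNS, as an added example that is not part of the original message or of any SpamAssassin code. The Received header is copied from the thread; the DNS answers in `fixture_resolver` are constructed to mirror what the reply reports and are not live data (the 192.0.2.10 address is a placeholder for "points elsewhere"); `system_resolver` does real lookups through the OS resolver.

```python
import re
import socket
from typing import Callable, Dict, List, Optional
# Constructed sample: the second Received header quoted in the thread.
SAMPLE_RECEIVED = (
    "Received: from newdeals4you.com ([34.207.159.130]) "
    "by ibscan-hornet.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id "
    "1GUltH4Ke3PGoUd1 for <x...@earthlink.com>; Thu, 14 Feb 2019 13:11:17 -0500 (EST)"
)
# Matches the "from HELO ([ip]) by HOST" shape of the EarthLink headers above.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>\S+)"
)

def parse_received(header: str) -> Optional[Dict[str, str]]:
    m = RECEIVED_RE.search(header)
    return m.groupdict() if m else None

class Resolver:
    # PTR and A lookups as injectable callables, so the checks can run offline.
    def __init__(self, ptr: Callable[[str], List[str]], a: Callable[[str], List[str]]):
        self.ptr, self.a = ptr, a

def _safe(fn: Callable[[], List[str]]) -> List[str]:
    try:
        return fn()
    except OSError:  # NXDOMAIN, timeout, etc. all count as "no records"
        return []

def system_resolver() -> Resolver:
    """Live lookups through the OS stub resolver (needs network)."""
    return Resolver(lambda ip: _safe(lambda: [socket.gethostbyaddr(ip)[0]]),
                    lambda name: _safe(lambda: socket.gethostbyname_ex(name)[2]))

def fixture_resolver() -> Resolver:
    """Constructed answers mirroring what the thread reports; not live DNS data."""
    ptr = {"34.207.159.130": ["ec2-34-207-159-130.compute-1.amazonaws.com"]}
    a = {"newdeals4you.com": ["192.0.2.10"],  # placeholder for "points elsewhere"
         "ec2-34-207-159-130.compute-1.amazonaws.com": []}  # no A back to the IP
    return Resolver(lambda ip: ptr.get(ip, []), lambda n: a.get(n, []))

def fcrdns(ip: str, resolver: Resolver) -> Dict[str, object]:
    """Full-circle rDNS: a PTR name counts only if its A records include ip."""
    names = resolver.ptr(ip)
    confirmed = [n for n in names if ip in resolver.a(n)]
    return {"rdns": names, "confirmed": confirmed, "ok": bool(confirmed)}

def helo_matches_ip(helo: str, ip: str, resolver: Resolver) -> bool:
    """Does the HELO name's A record include the connecting IP?"""
    return ip in resolver.a(helo)
```

With the fixture, the sample header yields an unconfirmed rDNS name and a HELO that does not resolve to the connecting IP, which is exactly why a receiving MTA cannot safely display the HELO as the sender's identity.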