Sandy S wrote:
> ----- Original Message -----
> From: "Larry Rosenman" <ler@lerctr.org>
> To: "'Sandy S'" <[EMAIL PROTECTED]>; <users@spamassassin.apache.org>
> Sent: Wednesday, March 08, 2006 10:13 AM
> Subject: RE: All image spam
> 
> 
>> Sandy S wrote:
>>> We're also being bombarded with these and I noticed that the bottom
>>> received header on all of them is in a format like
>>> 
>>> Received: from [87.245.169.135] (port=2971 helo=aflmpt)  by amdy
>>>  with esmtp id 1FGG09-0005lZ-7J....
>>> 
>>> I put in a  rule to catch this:
>>> header ODD_PORT_SS Received =~ /from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] \(port=\d{4} helo=[a-z]{3,6}/
>>> 
>>> My question to the group is - how likely is a header with that
>>> non-standard port likely to show up in real mail?  Is this a good
>>> spam sign? 
>>> 
>>> (And Theo, no, the ISP does not have a good corpus, at least not of
>>> ham - average user doesn't have a clue as to how to submit messages
>>> with all the headers intact and doesn't understand why they should
>>> anyway, and privacy issues prevent us from gathering a corpus of
>>> ham ourselves....) 
>>> 
>>> Thanks,
>>> Sandy S
>> 
>> every message that goes through my Exim server will log the port the
>> CLIENT used. 
>> 
>> LER
>> 
>> 
>> --
>> Larry Rosenman                     http://www.lerctr.org/~ler
>> Phone: +1 512-248-2683                 E-Mail: ler@lerctr.org
>> US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
>> 
> 
> Rats - I thought I was on to something there!  I don't know anything
> about Exim - would users be sending mail from odd ports like 2947,
> 3942, 4821, etc?  Or would they use the standard SMTP port 25, or
> 587 for SMTP auth mail?
> 
> Thanks,
> Sandy

In my case, it comes via 587, but that's not necessarily logged.  Look at
the headers for 'lerami.lerctr.org' in this message.

Here is the header for YOUR message that MY system added:
Received: from merlin.boreal.org ([216.70.16.15]:54736)
        by lerami.lerctr.org with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
        (Exim 4.60)
        (envelope-from <[EMAIL PROTECTED]>)
        id 1FH1Qf-0001kR-VB
        for ler@lerctr.org; Wed, 08 Mar 2006 10:22:30 -0600

LER


-- 
Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 512-248-2683                 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
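
An added example, not code from either poster: it runs the ODD_PORT_SS pattern over the two Received headers quoted in this thread and shows that the recorded port is the connecting client's source port in both. Python's `re` stands in for SpamAssassin's Perl regex engine, and the third header (192.0.2.10, mx.example.org, helo=laptop) is a constructed ham sample in the same layout as the spam one.

```python
import re

# ODD_PORT_SS pattern exactly as posted in the thread.
ODD_PORT_SS = re.compile(
    r"from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] \(port=\d{4} helo=[a-z]{3,6}")

# Peer port in the two layouts quoted in the thread:
#   "[ip] (port=N helo=...)"  and  "([ip]:N)"
PEER_PORT = re.compile(r"\[[\d.]+\](?: \(port=(?P<a>\d+)|:(?P<b>\d+)\))")

# Header quoted by Sandy (cut at the queue id, where the post elides the rest).
SPAM = ("Received: from [87.245.169.135] (port=2971 helo=aflmpt)  by amdy\n"
        " with esmtp id 1FGG09-0005lZ-7J")
# Header Larry's server added to Sandy's legitimate list post (abridged).
LIST_MAIL = ("Received: from merlin.boreal.org ([216.70.16.15]:54736)\n"
             "        by lerami.lerctr.org with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)\n"
             "        (Exim 4.60)\n"
             "        id 1FH1Qf-0001kR-VB")
# CONSTRUCTED ham: a legitimate client logged in the same layout as SPAM.
HAM = ("Received: from [192.0.2.10] (port=3942 helo=laptop)\n"
       "        by mx.example.org with esmtpa id CONSTRUCTED-ID")

def unfold(header):
    """Collapse folded header lines and runs of whitespace to single spaces."""
    return " ".join(header.split())

def assess(header):
    """Return (rule_hit, peer_port, is_ephemeral) for one Received header."""
    text = unfold(header)
    m = PEER_PORT.search(text)
    port = int(m.group("a") or m.group("b")) if m else None
    # Source ports are picked by the client's OS, normally above 1023.
    return (bool(ODD_PORT_SS.search(text)), port, port is not None and port > 1023)

if __name__ == "__main__":
    for name, hdr in (("spam", SPAM), ("list mail", LIST_MAIL),
                      ("constructed ham", HAM)):
        print(name, assess(hdr))
```

The rule fires on the constructed ham as readily as on the spam, and misses the list mail only because that server writes the port in a different layout.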
