On Fri, 10 Nov 2006, Tony Finch wrote:

> They have a forged Received: line which has a "by" field containing the
> domain of the recipient address, a "for" field which matches the From:
> header, and an "id" field of the form XXXXXX-XXXXXX-XX (similar to Exim's
> queue IDs, though Exim IDs are always 1XXXXX-0XXXXX-XX).
>
> Received: from [217.218.182.65] (port=2608 helo=shop-efe3045e89)
>       by sesame.csx.cam.ac.uk with esmtp (Exim 4.54)
>       id 1GiQmw-000Mmp-GM
>       for [EMAIL PROTECTED]; Fri, 10 Nov 2006 07:27:18 +0000
> Received: from 64.224.110.142 (HELO smtp.icom.com)
>       by exim.org with esmtp ()C8+DP.+1S -G2,0)
>       id C989<T-=Z,Z.0-09
>       for [EMAIL PROTECTED]; Thu, 19 Jan 2006 07:28:02 -0210
> From: "Eileen Mayer" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: hi cvs
> Date: Thu, 19 Jan 2006 07:28:02 -0210
> Message-ID: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Content-Type: text/plain;
>       charset="Windows-1252"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
> Thread-Index: Aca6QB0)-/ZA;3SO+O/M?G<3G3C(7,==

You're trying too hard. Look at that 'Date:' header, they've got a bogus
time-zone value. It's syntactically RFC-2822 correct but nonsense.
(One of my favorites was "-0480" ;)

Simple rule, so far no FPs:

# bogus timezones in date (EG: Date: Wed, 15 Nov 2006 21:29:24 -0180 )
header   L_SPAM_TOOL_13  Date =~ /\s[+-]\d\d[124-9]\d$/
describe L_SPAM_TOOL_13  Bogus time-zone
score    L_SPAM_TOOL_13  3.1

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
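
Added example, not part of the original post: it runs the pattern from the L_SPAM_TOOL_13 rule over Date: values quoted in this thread plus two constructed ones, and compares each result with an explicit offset check. The ZONE pattern, the REAL_45 allowlist and the function names are assumptions of this example.

```python
import re

# Pattern copied from the rule in the post (it behaves the same in Python's re).
RULE = re.compile(r"\s[+-]\d\d[124-9]\d$")
# Numeric zone at the end of the value, optionally followed by a "(GMT)"-style comment.
ZONE = re.compile(r"\s([+-])(\d\d)(\d\d)(?:\s*\([^()]*\))?\s*$")
# Assumption: 45-minute offsets in civil use
# (Nepal, Eucla in Western Australia, Chatham Islands standard and summer time).
REAL_45 = {"+0545", "+0845", "+1245", "+1345"}

SAMPLES = [
    "Thu, 19 Jan 2006 07:28:02 -0210",        # from the quoted spam
    "Wed, 15 Nov 2006 21:29:24 -0180",        # from the rule's comment
    "Fri, 10 Nov 2006 07:27:18 +0000",        # from the genuine Received: line
    "Mon, 13 Nov 2006 12:15:00 +0545",        # constructed: real Nepal offset
    "Mon, 13 Nov 2006 12:15:00 -0480 (EST)",  # constructed: bogus zone plus comment
]

def rule_hits(date_value):
    """True when the posted rule would fire on this Date: header value."""
    return RULE.search(date_value) is not None

def zone_status(date_value):
    """Classify the numeric zone: 'common', 'real-odd', 'bogus' or 'none'."""
    m = ZONE.search(date_value)
    if m is None:
        return "none"
    sign, hh, mm = m.groups()
    if int(hh) > 14 or int(mm) > 59:
        return "bogus"      # outside any possible UTC offset
    if mm in ("00", "30"):
        return "common"
    return "real-odd" if sign + hh + mm in REAL_45 else "bogus"

def report(samples):
    """Pair each value with (rule fired?, zone status) to expose FPs and misses."""
    return [(s, rule_hits(s), zone_status(s)) for s in samples]

if __name__ == "__main__":
    for row in report(SAMPLES):
        print(row)
```

The +0545 value matches the rule's pattern although it is a real offset, and the value with a trailing comment is not matched because the pattern is anchored with `$`.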