Hi.  Recently, I've noticed that some spam arriving on my mail server
contains a "Received:" header line citing amavisd-new -- possibly an
attempt to trick spam filters into concluding the message has already
been scanned and is presumably free of problems.

Here is an example of one of these -- the physically last (i.e.,
chronologically first) "Received:" in the message.

Received: by 03112d50.rn56dss9.lunafutral.com
(amavisd-new, port 9150) with ESMTP id 03MBRTVHDVT112DXUHRJKRWD50;
for <rande...@richw.org>; Sat, 8 Nov 2014 17:41:05 -0700

The above line contains several clues that can distinguish it from a
real "Received:" line generated by amavisd-new, so I imagine a rule
could be created to detect this and increase a message's spam score
accordingly.

Should I go ahead and discuss this in greater depth here on this
list?  Or would it be better to go off-list with a smaller group of
developers, so as not to give too many ideas to the black hats? :-)

Rich Wales
ri...@richw.org
