Header Detail checking

jerryo (Guest Group)
Posted: 07 April 2004 at 2:06pm

Can anyone tell me if a filter can be set to check specific header detail information, and then take or not take appropriate action on the message?
thx

bpogue99 (Groupie; Joined: 26 January 2005; Points: 59)

Most of the header information is handled by different blacklists. I say most, not all of it is. Received is handled by the Domain/IP blacklist. From is handled by Domain/IP and Email From blacklists. To/Subject have obvious blacklists. So what's left is probably "MIME-Version" or "Content-" and some special ones. I'm not sure those would be good indicators of spam though. Is this what you were looking for?

bill

jerryo (Guest Group)

Hi Bill, thanks for the quick reply.

Hmm.. kind of. What I want to be able to do is reject messages based upon the sending host name. For instance, comcast.net uses the following for its clients' symbolics:

00a-a1-00.ne.client.comcast.net

These symbolics should not be able to send mail; they should be using smtp.comcast.net. Many of the ISPs are now encoding the clients this way to help email admins and ISPs deter home users from sending SMTP directly. This is what spammers or SMTP hijackers use to send spam. So if I could, say, write a script to say something like the following:

If header is = Received:*client.comcast.net* then action is to reject

CommuniGate Pro offers this and it's very handy. When I tested CommuniGate Pro with this feature, it eliminated almost all of the spam I receive. Let me know what you think?

George (Guest Group)

Jerry, g

Jerryo (Guest Group)

No, but I will give it a go.
Thanks for the help.

jerryo (Guest Group)

George, tried it but it didn't work. Keep in mind this is a field that is a hidden header field. It is normally the field in the head that has the SMTP server address. Oh well, it was a good try. thx

LogSat (Admin Group; Joined: 25 January 2005; Location: United States; Points: 4104)

Jerry,

Currently the only header against which keyword searches can be performed is the "Subject". We had in the past included all headers, but that caused too many false positives to be picked up because of the "strange" coding some headers have. Adding a selected type of headers only, as the "Received:" ones, is not a bad idea. I've added it to the wish list, and it will be implemented soon.

Roberto F.

Desperado (Senior Member; Joined: 27 January 2005; Location: United States; Points: 1143)

If the IP that is the last server to "touch" your server is from a Comcast customer, rather than from a Comcast SMTP server, then the *.client.Comcast.net will work in the blocked domains list. In fact I use the following with very reasonable results:

(.+\.(client|dhcp|adsl)\..+\.(net|com|biz|org))

This tells SpamFilter to block messages that arrive directly from client machines if their provider has the "Polite" RDNS set up on their IP. As an example, all our residential customers have RDNS that looks like the following: bg1-12.bernardc.adsl.mags.net. The RegEx above will block this, forcing the customer to mail through our SMTP server as he is supposed to. For our "real" customers, RDNS looks like gateway.asappromo.com. and therefore it would not get blocked by a filter like the one above.

The problem is that not all ISPs do this, but most of the "brand name" ones do. I am sure that a better expression could be put together but I slapped this one in when we started getting a rash of client based Spam ... mainly from Comcast and Charter. I am not sure how this will show up in the posting but ... below are examples of blocked messages:

And, here is one of the headers:

Received: from 12.214.205.90 by 66.181.192.97 (LogSat Software SMTP Server) Thu, 8 Apr 2004 09:22:16 -0400

Hope this posts OK and does someone some good.

Regards,
Dan S.
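
The rDNS check described in the post above, as an added example that is not part of the thread and is not SpamFilter's own code: it applies the quoted expression only to the reverse-DNS name of the connecting host (taken from the topmost Received line, in the format shown above) and contrasts that with a wildcard over every Received line. The function names, the documentation-range IPs and the PTR table are assumptions constructed for the example.

```python
import re
from email import message_from_string

# Expression quoted in the post above; fullmatch() and lowercasing are choices made here.
CLIENT_RDNS = re.compile(r"(.+\.(client|dhcp|adsl)\..+\.(net|com|biz|org))")
FROM_IP = re.compile(r"from\s+(\d{1,3}(?:\.\d{1,3}){3})\s+by\s")

def is_client_rdns(name):
    """True when a reverse-DNS name looks like an ISP end-user address."""
    return CLIENT_RDNS.fullmatch(name.rstrip(".").lower()) is not None

def connecting_ip(raw):
    """IP from the topmost Received line, the one the receiving server wrote.
    Lower Received lines arrive with the message and may be forged."""
    received = message_from_string(raw).get_all("Received") or []
    m = FROM_IP.search(received[0]) if received else None
    return m.group(1) if m else None

def verdict(raw, ptr_lookup):
    """Reject only when the connecting host's rDNS matches the client pattern."""
    ip = connecting_ip(raw)
    name = ptr_lookup(ip) if ip else None
    return "reject" if name and is_client_rdns(name) else "accept"

def any_received_matches(raw):
    """Wildcard over every Received line, shown for contrast only."""
    lines = message_from_string(raw).get_all("Received") or []
    return any(CLIENT_RDNS.search(line.lower()) for line in lines)

# Constructed sample data: documentation-range IPs, hypothetical PTR answers.
PTR = {"192.0.2.10": "bg1-12.bernardc.adsl.mags.net.",
       "192.0.2.20": "smtp.comcast.net."}
STAMP = "by 198.51.100.1 (LogSat Software SMTP Server) Thu, 8 Apr 2004 09:22:16 -0400"
DIRECT = f"Received: from 192.0.2.10 {STAMP}\nSubject: test\n\nbody\n"
RELAYED = (f"Received: from 192.0.2.20 {STAMP}\n"
           "Received: from 00a-a1-00.ne.client.comcast.net by smtp.comcast.net\n"
           "Subject: test\n\nbody\n")

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT), ("relayed", RELAYED)):
        print(label, verdict(raw, PTR.get), any_received_matches(raw))
```

The relayed sample is mail a customer sent through the ISP's SMTP server as intended: the connecting-host check accepts it, while the all-headers wildcard flags it because the relay recorded the client's host name in a lower Received line.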