
extending the MAPS search

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5787
Printed Date: 11 May 2025 at 3:01am


Topic: extending the MAPS search
Posted By: StevenJohns
Subject: extending the MAPS search
Date Posted: 06 September 2006 at 9:51am

Roberto,

I have been getting hammered by a hacker who seems to be sending an email apparently from an insurance company which is 800kb in size. So far we have got over 4000 of these!!!!

It appears that this user is connecting to BT (here in the UK) and using their server to relay his email. Now, BT's server isn't blacklisted in any of the usual lists, but the IP of the hacker's machine is!!!

Now, as I understand it, the MAPS checker will only check on the IP that connected to SF. But what if that IP is OK, but the IP of the original sender is listed... but they used a relay that was good (at the moment).

Can you extend the MAPS checker to check not just the IP that connected to SF, but also include all of the IPs in the chain right back to the original sender's server??

Below is a section of the offending headers.

Received: from 194.73.73.210 by mail.protected-mail.co.uk (LogSat Software SMTP Server); Wed, 6 Sep 2006 11:16:14 +0100
Received: from pfps.net (host217-43-193-123.range217-43.btcentralplus.com [217.43.193.123]) by c2bthomr02.btconnect.com (MOS 3.7.4b-GA) with ESMTP id FCO50385; Wed, 6 Sep 2006 10:55:19 +0100 (BST)
Received: from mail pickup service by pfps.net with Microsoft SMTPSVC; Wed, 6 Sep 2006 11:06:24 +0100

As you can see, we received the email from 194.73.73.210 (one of BT's servers), which is not blacklisted; however, this was a relayed email from 217.43.193.123 (the hacker's dial-up address), which is listed in dnsbl.sorbs.net, yet SF let the email through.


Replies:
Posted By: LogSat
Date Posted: 06 September 2006 at 4:16pm
Sorry... SpamFilter can and will only act upon the IP address that connects to it, as using any information contained in the headers can lead to false positives. All headers can be faked by the sender, and spammers could use them to inject invalid data that could cause unwanted side-effects.

...however.
In the SpamFilter.ini file there is the following option:

;if ScanReceivedHeaders is set to 1 SpamFilter will add the "Received:" headers to the text examined for keywords and statistical Bayesian searches.
ScanReceivedHeaders=1


You could enable it, and then add a keyword in your blacklist to block the IP address mentioned in the headers.


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
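The following is an added example, not code from LogSat or from the posters: it walks the Received: chain quoted in the question, builds the standard reversed-octet DNSBL query name for each hop, and tags every hit by whether the header that carried it was written by our own server (trustworthy) or arrived inside the message (forgeable, so advisory only, which is the reason SpamFilter acts only on the connecting IP). The DNSBL answer is a constructed set standing in for a real DNS A query, so the script runs offline.

```python
import re
from ipaddress import ip_address

# Constructed sample: the three Received: lines quoted in the original post,
# outermost hop (the one written by our own server) first.
SAMPLE_HEADERS = """\
Received: from 194.73.73.210 by mail.protected-mail.co.uk (LogSat Software SMTP Server); Wed, 6 Sep 2006 11:16:14 +0100
Received: from pfps.net (host217-43-193-123.range217-43.btcentralplus.com [217.43.193.123]) by c2bthomr02.btconnect.com (MOS 3.7.4b-GA) with ESMTP id FCO50385; Wed, 6 Sep 2006 10:55:19 +0100 (BST)
Received: from mail pickup service by pfps.net with Microsoft SMTPSVC; Wed, 6 Sep 2006 11:06:24 +0100
"""

# Constructed stand-in for a DNSBL: the query names the list "answers" for.
# A real check would issue a DNS A query for each name instead of a set lookup.
FAKE_DNSBL = {"123.193.43.217.dnsbl.sorbs.net"}

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def received_chain(headers):
    """Public IPv4 of the sending host in each Received: line, outermost first.
    Lines with no usable address (e.g. a local pickup service) are skipped."""
    chain = []
    for line in headers.splitlines():
        if not line.lower().startswith("received:"):
            continue
        for cand in IPV4.findall(line):
            try:
                if ip_address(cand).is_global:
                    chain.append(cand)
                    break
            except ValueError:
                pass  # e.g. 999.1.1.1 matches the regex but is not an address
    return chain

def dnsbl_name(ip, zone):
    """Standard DNSBL query name: the IP's octets reversed under the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def check_chain(headers, zone, is_listed, trusted_hops=1):
    """Look up every hop in the DNSBL and tag each hit by how far it can be trusted.
    Only the first `trusted_hops` Received: lines were written by servers we control;
    deeper lines arrived inside the message and could be forged by the sender, so a
    hit there is 'advisory' (feed it a score or a keyword rule) rather than a reject."""
    results = []
    for i, ip in enumerate(received_chain(headers)):
        listed = is_listed(dnsbl_name(ip, zone))
        results.append((ip, listed, "trusted" if i < trusted_hops else "advisory"))
    return results
```

Run against the sample, the connecting BT address comes back clean and trusted, while the dial-up address behind it comes back listed but only advisory, which matches what the keyword-blacklist workaround above does with it.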


Posted By: StevenJohns
Date Posted: 07 September 2006 at 3:55am
Excellent... that'll do nicely!


