[colug-432] Uptick in "Foreign Investor" Spam

Rob Funk rfunk at funknet.net
Wed Dec 23 16:17:18 EST 2009


On Wednesday 23 December 2009 03:37:44 pm you wrote:
> On Wed, 23 Dec 2009, Rob Funk wrote:
> > (Hmm, "first exposed Received in the list".... are you sure
> > that's not coming from lists.colug.net?)
> 
> I was not explicit enough -- I read Received records by
> spotting the unbroken chain with a known MTA at the top (the
> last received hop), and then going to the bottom, to go back
> in time.  Hopefully, timestamps will not be skewed, but ...
> 
> For a while, spammers were inserting spurious Received to try
> to defeat scoring systems.
> 
> The 'first' line I intended to refer to was:
> 
> Received: from hactar.local.funknet.net
>  (oh-71-50-192-45.dhcp.embarqhsd.net [71.50.192.45])
>      (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
>      (No client certificate requested)
>      by vps1.funknet.net (Postfix) with ESMTPSA id 3D637C35B
>      for <colug-432 at colug.net>; Tue, 22 Dec 2009 20:09:29 -0500 (EST)

Which was added by Postfix on my mail server, received from my home desktop 
machine (which sent to the server from Kmail).

I'd actually like my mail server not to add that line, mostly because some spam 
filters will check my home IP address against blacklists (e.g. the policy 
blacklist). But I've only figured out how to get rid of previous Received 
headers, not that one.

> * nod * as properly the mailing list software should, to avoid
> self-characterizing as a 'forger' -- Perhaps it would be
> kinder to have moved them to an X- header, though ...  My
> procmail rules had discarded the direct send as a 'dupe', it
> seems, checking the logs and the ./.procmail/.msgid.cache

I think renaming the header (instead of deleting) might just confuse things, 
since someone who goes to the trouble of renaming it back and then running 
the check would invariably get a failure and start complaining about 
forgery....
Maybe better just to kill X-DKIM and X-DomainKeys headers too. :-)

> Thank you

You're welcome!

-- 
==============================| "A slice of life isn't the whole cake
 Rob Funk <rfunk at funknet.net> | One tooth will never make a full grin"
 http://www.funknet.net/rfunk |    -- Chris Mars, "Stuck in Rewind"
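The Received-walking method described above (trust the known MTA at the top, follow the unbroken chain downward, and stop at the first hop handed in from outside your infrastructure) can be automated. The following is an added example and not code from the thread or from any of the participants; the sample message is constructed (its middle hop mirrors the header quoted in the post, the bottom hop is a deliberately inconsistent one of the kind the post says spammers insert), and the set of trusted MTAs is an assumption.

```python
import email
import re

# Assumed trusted infrastructure: the list server and the poster's own MTA.
TRUSTED_MTAS = {"lists.colug.net", "vps1.funknet.net"}

# Constructed sample (not a real message). Newest hop on top, as Received
# headers are prepended. The bottom hop claims a receiver that never handed
# the message to anyone above it, so the chain is broken there.
SAMPLE = """Received: from vps1.funknet.net (vps1.funknet.net [192.0.2.10])
    by lists.colug.net (Postfix) with ESMTP id ABC123
    for <colug-432@colug.net>; Tue, 22 Dec 2009 20:09:31 -0500 (EST)
Received: from hactar.local.funknet.net
 (oh-71-50-192-45.dhcp.embarqhsd.net [71.50.192.45])
     (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
     (No client certificate requested)
     by vps1.funknet.net (Postfix) with ESMTPSA id 3D637C35B
     for <colug-432@colug.net>; Tue, 22 Dec 2009 20:09:29 -0500 (EST)
Received: from mail.example.org (mail.example.org [203.0.113.5])
    by mx.bigisp.example (Postfix) with ESMTP id DEADBEEF;
    Mon, 21 Dec 2009 01:00:00 +0000
From: rfunk@funknet.net
To: colug-432@colug.net
Subject: test

body
"""

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def _strip_comments(text):
    """Remove (possibly nested) RFC 5322 comments so 'from'/'by' match only
    the real clauses, not words inside parentheses."""
    prev = None
    while prev != text:
        prev, text = text, re.sub(r"\([^()]*\)", "", text)
    return text


def parse_received(value):
    """Reduce one folded Received header to its from-host, by-host and the
    connecting IP the receiving MTA recorded in brackets."""
    flat = " ".join(value.split())          # unfold continuation lines
    ip = _IP_RE.search(flat)                # IP lives inside a comment
    bare = _strip_comments(flat)
    m_from = _FROM_RE.search(bare)
    m_by = _BY_RE.search(bare)
    return {
        "from": m_from.group(1).lower() if m_from else None,
        "by": m_by.group(1).lower().rstrip(";") if m_by else None,
        "ip": ip.group(1) if ip else None,
    }


def received_hops(raw_message):
    """All Received hops, newest first (header order)."""
    msg = email.message_from_string(raw_message)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def broken_links(hops):
    """Indexes of hops whose 'by' host is not the 'from' host of the hop
    above them. Injected Received lines usually show up here because the
    spammer cannot know which host will really receive the message next."""
    return [i for i in range(1, len(hops)) if hops[i]["by"] != hops[i - 1]["from"]]


def first_exposed_hop(hops, trusted=TRUSTED_MTAS):
    """Walk from the newest hop downward, trusting only the unbroken chain of
    known MTAs. Return the first hop handed in by a host outside that set
    (the 'first exposed' hop), or None if the top hop is not ours or the
    chain breaks before any exposed hop is reached."""
    if not hops or hops[0]["by"] not in trusted:
        return None
    for i, hop in enumerate(hops):
        if i > 0 and hop["by"] != hops[i - 1]["from"]:
            return None  # chain broken: cannot trust anything below
        if hop["from"] not in trusted:
            return hop
    return None


if __name__ == "__main__":
    hops = received_hops(SAMPLE)
    print("first exposed hop:", first_exposed_hop(hops))
    print("broken links at:", broken_links(hops))
```

With both MTAs trusted, the exposed hop is the one from hactar.local.funknet.net with the home IP 71.50.192.45 in brackets, which is the header the post is talking about; trusting only lists.colug.net instead makes vps1.funknet.net look like the exposed hop, the misreading discussed at the top of the thread. The bottom hop is reported as a broken link because its receiver never appears as the sender of the hop above it.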