spamassassin-users mailing list archives

From "Bill Cole" <sausers-20150...@billmail.scconsult.com>
Subject Re: FPs on RCVD_ILLEGAL_IP
Date Wed, 22 Apr 2015 00:15:36 GMT
On 21 Apr 2015, at 18:47, Mark Martinec wrote:

> There is no benefit to spammers (and a likely disservice to them)
> for forging a non-trustworthy external Received header field
> and providing some unusual IP address there, and they cannot forge
> the boundary Received header field inserted by recipient's own mailer.

This is all true.

> I can only conclude that a rule like RCVD_ILLEGAL_IP will hit
> mostly on misconfigured or misguided sending mailers, not primarily
> on spam.

This would be true if the people and tools trying to investigate spam 
sources AND spammers were uniformly (or even broadly) as smart about 
email as you or as anyone else who has been working with email 
intensively for many years.

That is not the case, as evidenced by the fact that RCVD_ILLEGAL_IP 
actually has a history of being a very reliable test except for the 
recent periods of Yahoo and Microsoft engaging in Stupid Freemail 
Tricks. Spammers forge Received headers to send investigators & their 
tools on wild goose chases, both because they don't understand the net 
effects and because once in a while it works.

It is worth noting that I have a large handful of very reliable 
SCC_RCVD_FORMAT_* custom rules, some of which date to 2003 yet still get 
hits, because the same spammers and/or spamware have been creating 
Received headers in patterns unlike any real MTA for a dozen years. When 
they stop being useful, I'll consider the possibility that spammers are 
not generally morons engaged in high-effort self-defeating tactics.
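The thread turns on what a rule like RCVD_ILLEGAL_IP actually does: look at the bracketed IP literals in the Received chain and flag ones that no real Internet-facing MTA would stamp, such as addresses in 0.0.0.0/8, multicast or reserved space, or octets that are not even valid. The following is an added illustration written for this archive page; it is not code from this post, from Bill Cole's SCC_RCVD_FORMAT_* rules, or from SpamAssassin itself, and the choice of ranges treated as "illegal" is an assumption made for the example rather than the rule's actual pattern. The sample headers are constructed, not real traffic.

```python
"""Toy check in the spirit of RCVD_ILLEGAL_IP: flag bracketed IPv4 literals in
Received headers that no Internet-facing MTA would legitimately stamp.
Illustration only; SpamAssassin's real rule is a header regex whose exact
pattern is not reproduced here, and the ranges below are this example's choice."""
import ipaddress
import re
from typing import List, Tuple

# Bracketed IPv4 literal as MTAs write it, e.g. "from host (name [192.0.2.1])".
_BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def classify_ipv4(literal: str) -> str:
    """Return 'ok' or the reason the literal is not a plausible public-MTA address."""
    try:
        addr = ipaddress.IPv4Address(literal)
    except ipaddress.AddressValueError:
        return "syntactically invalid"  # e.g. an octet above 255
    if addr in ipaddress.IPv4Network("0.0.0.0/8"):
        return "zero network"
    if addr.is_multicast:  # 224.0.0.0/4
        return "multicast"
    if addr in ipaddress.IPv4Network("240.0.0.0/4"):
        return "reserved (class E) or broadcast"
    return "ok"


def received_headers(raw_headers: str) -> List[str]:
    """Unfold RFC 5322 continuation lines and return the Received: bodies in order."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    return [line[len("Received:"):].strip()
            for line in unfolded.splitlines()
            if line.lower().startswith("received:")]


def find_illegal_received_ips(raw_headers: str) -> List[Tuple[int, str, str]]:
    """Return (header_index, ip_literal, reason) for every flagged literal.

    Index 0 is the topmost Received header, the boundary header inserted by the
    recipient's own MTA, which a sender cannot forge: a hit there points at a
    local misconfiguration, a hit further down at an external or forged header.
    """
    hits: List[Tuple[int, str, str]] = []
    for idx, body in enumerate(received_headers(raw_headers)):
        for literal in _BRACKETED_IPV4.findall(body):
            reason = classify_ipv4(literal)
            if reason != "ok":
                hits.append((idx, literal, reason))
    return hits


# Constructed sample headers (not real traffic): the boundary header is clean,
# the later hops carry a zero-network source, a multicast literal and an
# impossible octet.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123
\tfor <user@example.org>; Tue, 21 Apr 2015 18:47:00 +0200
Received: from relay.example.com (unknown [0.12.34.56])
\tby mx.example.net with SMTP; Tue, 21 Apr 2015 18:46:58 +0200
Received: from [224.1.2.3] by relay.example.com; Tue, 21 Apr 2015 18:46:50 +0200
Received: from host [300.1.1.1] by [224.1.2.3]; Tue, 21 Apr 2015 18:46:40 +0200
"""

if __name__ == "__main__":
    for idx, ip, reason in find_illegal_received_ips(SAMPLE_HEADERS):
        print(f"Received[{idx}] {ip}: {reason}")
```

Keeping the header index in the result is what makes the thread's distinction usable: a flag on index 0 is the recipient's own mailer writing something odd (the misconfiguration case), while flags on deeper hops are the forged or broken external headers the rule was written for.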
