Security Basics mailing list archives

Re: Basically Lazy - Email Header Analysis


From: "Jeremy Anderson" <jeremy () 2monkeys org>
Date: Thu, 29 May 2003 16:13:17 -0700

Hi Andy,

First, as tempting as it is to write a tool, my advice is to get one off-the-shelf.

My email at work gets stunning quantities of spam.  Somewhere around 500 messages per day, plus another 1000 or so 
bounce messages from whoever is pummeling our system with dictionary attacks.
(In case anyone is curious as to how so much spam is coming in, it seems to be related to the site, not to me.  As soon 
as my work account was activated, spam started rolling in.  To this day, nobody except a few coworkers has my work 
email address.)


There is a nice MTA-based filter called SpamAssassin (http://www.spamassassin.org) which catches the vast bulk of the 
spam which flies in our direction.  It does this both by analyzing the headers for known and suspected open relays, as 
well as looking at the text for spam patterns (i.e. use of nonsense filler HTML comments, LOTS OF CAPITAL LETTERS IN 
THE TEXT, use of certain keywords, inclusion of an opt-out email, etc.).  We use a secondary blocking tool called Spam 
Bouncer (http://www.spambouncer.org), which takes care of the (very few) items SpamAssassin seems to miss.

This gets our torrent of mail down to 1 or 2 (usually very-low key) unblocked messages per day.

Writing a tool to block spam based on, say, finding out if the mail came through an open relay is an idea whose time has 
come and gone.  While obviously some of our spam comes through open relays, I'm seeing less and less of this.  A large 
percentage seems to be originating from throwaway dial-up or cable accounts.  When you try to search for a mail server 
on these systems, one can't be found.  Unfortunately, many large sites (i.e. ISPs, etc.) also have separate servers for 
incoming and outgoing email, so setting up a simple test like "if you can't find a mail server on the remote host, flag 
the mail as spam" will probably not deliver desirable results.

Good luck with whatever decision you decide to make.



j.


In your message of 10/25/2003 11:43 AM you wrote:


Hi
Whilst drowning my sorrows in the UK rain following our resounding defeat in
the Eurovision song contest (politics in Europe, surely not!!) I have
turned my attention to email headers.

Whilst I'm quietly confident about manually analysing email headers, I'm
looking for tools or web resources that will automate some of the process.
There are plenty of anti-spam resources such as http://combat.uxn.com/ and
http://www.spamhaus.org/ to identify spammers, and there is the infamous Sam
Spade for testing Open Mail Relay Agents. There are a plethora of how-tos
and FAQs about analysing headers manually. But I haven't found many
resources that analyse the headers in sufficiently accurate detail.

Personally I would rather run a tool on my own system than put my headers
through a 3rd party website, but there are a few sites that seem to do it
fairly well, such as http://www.3dmail.com/spam/ which, whilst spam focussed,
seems fairly comprehensive, though sadly a beta which hasn't been updated in
a year.

Any recommendations for websites or tools would be greatly appreciated. If
there is a sufficient response I will collate the information onto a new page
for the website below and post a summary to this list.

Cheers, and for the Brits, have a good Bank Holiday Weekend. I hope the
weather is better where you are!

take care
-andy
Taliskers Network Security Tools
http://www.networkintrusion.co.uk
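As an added example (not code from this thread, from SpamAssassin or from Spam Bouncer), here is a small Python parser for the Received: chain that header analysis starts from. It is run on a constructed message with made-up hosts and documentation-range IPs, and pulls out each hop's announced HELO name, reverse DNS and IP so that any further check (relay lookups, HELO/rDNS consistency) begins from the right host rather than a forged one.

```python
import email
import re

# Constructed sample message for this example; hosts and IPs are documentation
# ranges, not from the original thread. Received headers read newest-first:
# the top line was added by the last MTA, the bottom line by the first.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Thu, 29 May 2003 16:10:01 -0700
Received: from dialup-203-0-113-77.isp.example ([203.0.113.77])
\tby mx1.example.net with SMTP id def456; Thu, 29 May 2003 16:09:55 -0700
From: someone@example.com
To: you@example.org
Subject: test

body
"""

# "from <helo-name> (<rdns> [<ip>]) ... by <receiving-host>"; rdns is optional
# because an MTA that could not resolve the peer writes only ([ip]).
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)


def received_chain(raw_message):
    """Return the hops oldest-first as dicts with name, rdns, ip and by.
    Only Received lines written by MTAs you control can be trusted; a sender
    can forge every line below them, so the originating hop is the one just
    before your first trusted MTA, not necessarily the bottom line."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        hops.append(m.groupdict() if m else {"name": None, "rdns": None, "ip": None, "by": None})
    return hops


def helo_matches_rdns(hop):
    """True if the announced name matches reverse DNS, False if it does not,
    None if the receiving MTA recorded no reverse DNS (common for the dial-up
    and cable hosts mentioned above; a weak signal on its own)."""
    if not hop["rdns"]:
        return None
    return hop["name"].lower() == hop["rdns"].lower()


if __name__ == "__main__":
    for hop in received_chain(SAMPLE):
        print(hop["ip"], hop["name"], "->", hop["by"], "helo/rdns:", helo_matches_rdns(hop))
```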

