[antispam-f] Re: Fake To:

  • From: Dave Barnett <as10@xxxxxxxxxxxxxxxxx>
  • To: antispam@xxxxxxxxxxxxx
  • Date: Sun, 06 Apr 2008 19:12:10 +0100

In a recent message Chris Johnson <madoka@xxxxxxxxxxxxxxx> wrote:

> On 06 Apr, Dave Barnett <as10@xxxxxxxxxxxxxxxxx> wrote:
>> Many spams have a fake 'To:' and/or 'Envelope-To:' header of the form
>> [string] at mydomain.  I have put some that have been repeated
>> frequently in a 'DeleteTo' list.  These seem to have been passed from
>> one bot to another or to have been harvested from inboxes of infected
>> muppets.  It is also apparent that they are being used as the 'From:'
>> by the bots as I am receiving bounce messages.

> Do you mean the sort of address where the hostname is garbled but the
> domain name is valid?

Exactly.

>> [...]  Some of these are quite ephemeral, I don't suppose that I can
>> do much about those, apart from dropping my practice of using new
>> addys for new addressees and enforcing a strict 'AcceptTo' list.

> That's pretty much what I did before UK2 did away with the free domain
> forwarding they used to do. Effectively, if I knew what addresses I used
> that were valid, I could stick a block at the end which accepted anything
> that hadn't dropped out through other traps or hadn't been accepted by my
> whitelist, and deleted anything else.

> My "defaults" file is the last but one file and contains something like
> this...

> Accept To: = *madoka@xxxxxxxxxxxxxxx*

I suppose that that is a good way of creating and accepting bespoke
addys, provided that you don't put '.' before the user name; I get a
lot of spam like that.  I shall give it a try.

> Delete To: = *@crashnet.org.uk*

That leaves you open to missing 'cc' mail (unless you have taken care 
of that).

ATM I just Defer.

-- 
Dave
Keep GMT all year
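
The trade-off discussed in the message above, as an added example that is not part of the original post or of the filter's own code: a wildcard accept rule followed by a domain catch-all, beside a strict accept list. The example.org addresses, the rule tuples, first-match evaluation and shell-style wildcard matching are all assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Assumed semantics: rules are tried in order and the first match decides.
LOOSE = [
    ("Accept", "*user@example.org"),   # wildcard accept for bespoke addresses
    ("Delete", "*@example.org"),       # catch-all for the rest of the domain
]
STRICT = [
    ("Accept", "user@example.org"),        # explicit accept list
    ("Accept", "shop-user@example.org"),
    ("Delete", "*@example.org"),
]

def address_of(header):
    """Return the bare, lower-cased address from a To: header value."""
    value = header.strip()
    if "<" in value and ">" in value:
        value = value[value.rfind("<") + 1:value.rfind(">")]
    return value.strip().lower()

def classify(header, rules, default="NoMatch"):
    """Apply the ordered rules to one To: value and return the action."""
    addr = address_of(header)
    for action, pattern in rules:
        if fnmatchcase(addr, pattern):
            return action
    return default

# Constructed sample To: values, not taken from real mail.
SAMPLES = [
    "user@example.org",                  # the real mailbox
    "Shop <shop-user@example.org>",      # bespoke address given to one sender
    ".user@example.org",                 # '.' before the user name
    "qzxvuser@example.org",              # garbled prefix ending in the user name
    "k3j9x@example.org",                 # garbled local part, valid domain
    "someone@elsewhere.example",         # other domain: no rule applies
]

def compare(headers=SAMPLES):
    """Return (header, loose_action, strict_action) for each sample."""
    return [(h, classify(h, LOOSE), classify(h, STRICT)) for h in headers]

if __name__ == "__main__":
    for header, loose, strict in compare():
        print(f"{header:32} loose={loose:8} strict={strict}")
```

The wildcard rule accepts any local part that merely ends in the user name, so the strict list costs one extra rule per bespoke address.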
