[antispam-f] Re: Fake To:

  • From: Frank de Bruijn <antispam@xxxxxxxxx>
  • To: antispam@xxxxxxxxxxxxx
  • Date: Sun, 06 Apr 2008 21:04:32 +0200

In article <200804e2dd8b4f.Dave@xxxxxxxxxxxxxxxxx>,
   Dave Barnett <as10@xxxxxxxxxxxxxxxxx> wrote:
> Many spams have a fake 'To:' and/or 'Envelope-To:' header of the form
> [string] at mydomain.  I have put some that have been repeated
> frequently in a 'DeleteTo' list.  These seem to have been passed from
> one bot to another or to have been harvested from inboxes of infected
> muppets.  It is also apparent that they are being used as the 'From:'
> by the bots as I am receiving bounce messages.

> It is easy to add new 'From:' addresses to the 'DeleteFrom' list
> using the marking box, but I would like an easy way to add fake 'To:'s
> to a list as they are displayed for marking.

You might think that's useful, but I wonder...

I've seen hundreds of different combinations with my domains. Keeping up
with them would be an absolute pain. So I decided on the opposite
approach. I've created a 'positive list' called 'Alias' in which I've
listed all combinations I use. This is referenced in my rules file as:

 Delete Recipient !... Alias

This means any message to a name that *isn't* in the Alias file will be
deleted.

There are a couple of things to watch out for if you use this:

 - You can't use it with just the To: header or you might lose valid
   mail to mailing lists.
 - AntiSpam's Recipient keyword can be tricky. There's more code behind
   it than a simple comparison. The program will try to find the *real*
   (SMTP) recipient of a message by looking at several headers.
   Many providers don't add an Envelope-To: header with recipient info
   from the SMTP envelope. So if there isn't any, AntiSpam starts by
   looking at the Received: headers. However, some providers add extra
   Received: headers at the top with apparently nonsensical 'for'
   fields [1]. You need to mask these out (the Ignore Receiver setting
   in the Mailbox.Misc frame of the Choices window).
 - You'll probably have to put a couple of Accept rules before the
   Delete Recipient rule to catch certain badly addressed messages.

I started to use this rule with Defer instead of Delete, until I was
sure I had caught all the exceptions. Currently this rule, together with
the Weight one, is responsible for about 95% of my spam deletions.

It does take some organising. Like others, I use different addresses for
different people/businesses. Adding each and every one to the Alias file
would have been just as much a chore as adding faked To:'s to a delete
list. So I switched to using '-sub' and '-account' addresses (e.g.
aol-sub@xxxxxxxxx for Archive On Line and plutousers-sub@xxxxxxxxx for
the Pluto mailing list) and put 'sub@aconet.' and 'account@aconet.' in
the Alias file. If any of these ever get 'contaminated', they'll go into
a separate Delete list.

There are about sixty entries in my Alias list right now - mainly because
of some odd addresses I can't get rid of yet - but it doesn't grow.

Regards,
Frank


[1] Actually, these usually contain subscriber codes or numbers. I have
    one account where the top Received: header has a 'for' field with my
    username with the hosting company in it!
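As an added illustration (not from Frank's post or the AntiSpam program itself), a Python sketch of the recipient lookup and positive-list check the post describes: Envelope-To: first, then the 'for' fields of the Received: headers with the top ones masked out, compared against an Alias-style list. The sample message, the alias entries, the `.test` domains and substring matching for Alias entries are assumptions.

```python
import re
from email import message_from_string

# Constructed Alias-style positive list: full addresses plus 'sub@domain.' fragments.
ALIASES = ["frank@example.test", "sub@example.", "account@example."]

# Constructed sample: the top Received: header's 'for' field holds a subscriber
# code, the real SMTP recipient is in the next one, and To: is a list address.
SAMPLE_MSG = """\
Received: from mx.provider.test by pop.provider.test
\tfor <subscriber-12345@provider.test>; Sun, 06 Apr 2008 20:59:01 +0200
Received: from relay.example.test by mx.provider.test
\tfor <plutousers-sub@example.test>; Sun, 06 Apr 2008 20:58:59 +0200
To: pluto-list@lists.example.test

body
"""

ADDR_RE = re.compile(r"[^\s<>;,]+@[^\s<>;,]+")
FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;,]+@[^\s<>;,]+)", re.IGNORECASE)

def real_recipient(raw, ignore_received=0):
    # Envelope-To: wins; otherwise the first 'for' address in the Received:
    # headers, skipping the top `ignore_received` (the Ignore Receiver setting).
    msg = message_from_string(raw)
    env = msg.get("Envelope-To")
    m = ADDR_RE.search(env) if env else None
    if m:
        return m.group(0).lower()
    for hdr in msg.get_all("Received", [])[ignore_received:]:
        m = FOR_RE.search(hdr)
        if m:
            return m.group(1).lower()
    return None

def matches_alias(addr):
    # Substring match (assumed AntiSpam semantics), so 'sub@example.' covers aol-sub@example.test
    return addr is not None and any(a in addr for a in ALIASES)

def verdict(raw, ignore_received=0):
    # 'Delete Recipient !... Alias', with 'defer' when no recipient is found.
    rcpt = real_recipient(raw, ignore_received)
    if rcpt is None:
        return "defer"
    return "accept" if matches_alias(rcpt) else "delete"

def to_header_verdict(raw):
    # The same rule applied to To: alone (the mailing-list pitfall).
    to = message_from_string(raw).get("To", "").lower()
    return "accept" if matches_alias(to) else "delete"
```

With the provider's top Received: header left in, the rule deletes legitimate list mail; with one header masked out it accepts it, while a To:-only check still deletes it.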
