Not bad for starts, but...

Story: Tracing An Email
Total Replies: 0
Author: cr
Jan 21, 2006, 5:20 PM EDT
Depending on the X-fields of an email means depending on text that the originator's software put in there. Spammers have every reason to lie in every field which they can control (which is every line in the original email, headers and all), so none of those fields can be trusted, because they can all be scripted to say anything you want.

You also can't rely on the full Received: chain. I've seen plenty of spam with bogus Received: lines trailing the real Received: headers. You can analyze the chain for broken hops, where system-A seems not to have gotten the mail from system-B which is mentioned in the next lower Received: line, but that gets problematic unless you're willing to sit doing IP and reverse-IP lookups for everyone mentioned; not every server a message goes through will bother with such lookups, so the two mentions might resolve to the same machine after all.

The only sure way I've found to deal with those is to trust no one beyond my known chain of servers, at my ISP's outer edge and inwards to the server I fetch my mail from. If an AOL server is the next source beyond that, and the chain appears to extend for a few more AOL relays beyond before claiming to be from another domain entirely, it's still an AOL problem, because the spam got into their servers somehow, so they get the bitchmail because they need to know (assuming they care).
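The two checks the post describes, walking the Received: chain inward only as far as a known set of servers and flagging hops whose "from" does not match the next line's "by", as an added example in Python that is not part of the original post. The message, the host names and the trusted set are all constructed for illustration.

```python
import re
from email.parser import HeaderParser

# Constructed sample message (not from the post). The two newest Received:
# lines are our own ISP's servers; the third is the hand-off from an outside
# relay; everything below that was written by the sender and proves nothing.
SAMPLE = """\
Received: from mx1.example-isp.net (mx1.example-isp.net [192.0.2.10])
    by pop.example-isp.net with ESMTP id A1; Sat, 21 Jan 2006 17:02:11 -0500
Received: from relay3.mail.aol.com (relay3.mail.aol.com [198.51.100.7])
    by mx1.example-isp.net with ESMTP id B2; Sat, 21 Jan 2006 17:02:10 -0500
Received: from relay1.mail.aol.com (relay1.mail.aol.com [198.51.100.5])
    by relay3.mail.aol.com with ESMTP id C3; Sat, 21 Jan 2006 17:02:09 -0500
Received: from mail.totally-legit.example (unknown [203.0.113.9])
    by smtp.somewhere-else.example with SMTP id D4; Sat, 21 Jan 2006 17:02:08 -0500
From: someone@example.org
"""

# Hypothetical trusted chain: the servers at our ISP's edge and inward.
TRUSTED = {"pop.example-isp.net", "mx1.example-isp.net"}

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)

def parse_hops(raw):
    """Return [(from_host, by_host), ...] in header order, newest hop first."""
    msg = HeaderParser().parsestr(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return hops

def responsible_source(hops, trusted):
    """Walk inward along trusted servers only and return the first outside
    host that handed the message to one of them, or None if the headers
    never show a trusted server accepting it (the chain proves nothing)."""
    for src, dst in hops:
        if dst not in trusted:
            return None
        if src not in trusted:
            return src
    return None

def broken_hops(hops):
    """Indexes i where hop i says it got the message from a host that hop i+1
    does not claim to have received it 'by'. Only a hint: two different names
    may still resolve to the same machine."""
    return [i for i in range(len(hops) - 1) if hops[i][0] != hops[i + 1][1]]
```

On the sample, the accountable source is relay3.mail.aol.com, and the mismatch at index 2 shows where the trailing Received: lines stop agreeing with the real chain.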
