Home page logo
/

basics logo Security Basics mailing list archives

Re: Basically Lazy - Email Header Analysis
From: "Jeremy Anderson" <jeremy () 2monkeys org>
Date: Thu, 29 May 2003 16:13:17 -0700

Hi Andy,

First, as tempting as it is to write a tool, my advice is to get one off-the-shelf.

My email at work gets stunning quantities of spam.  Somewhere around 500 messages per day, plus another 1000 or so 
bounce messages from whomever is pummeling our system with dictionary attacks.
(in case anyone is curious as to how so much spam is coming in, it seems to be related to the site, not to me.  As soon 
as my work account was activated, spam started rolling in.  To this day, nobody except a few coworkers has my work 
email address).


There is a nice MTA-based filter called SpamAssassin (http://www.spamassassin.org) which catches the vast bulk of the 
spam which flies in our direction.  It does this both by analyzing the headers for known and suspected open relays, as 
well as looking at the text for spam patterns (i.e. use of nonsense filler HTML comments, LOTS OF CAPITAL LETTERS IN 
THE TEXT, use of certain keywords, inclusion of an opt-out email, etc.).  We use a secondary blocking tool called Spam 
Bouncer (http://www.spambouncer.org), which takes care of the (very few) items SpamAssassin seems to miss.

This gets our torrent of mail down to 1 or 2 (usually very-low key) unblocked messages per day.

Writing a tool to block spam based on say, finding out if the mail came through an open relay is an idea whose time has 
come and gone.  While obviously some of our spam comes through open relays, I'm seeing less and less of this.  A large 
percentage seems to be originating from throwaway dial-up or cable accounts.  When you try to search for a mail server 
on these systems, one can't be found.  Unfortunately, many large sites (i.e. ISPs, etc.) also have separate servers for 
incoming and outgoing email, so setting up a simple test like "if you can't find a mail server on the remote host, flag 
the mail as spam" will probably not deliver desirable results.

Good luck with whatever decision you decide to make.



j.


In your message  of 10/25/2003 11:43 AM  you wrote:


Hi
Whilst drowning my sorrows in the UK rain following our resounding defeat
in
the Eurovision song contest (Politics in Europe surely not !!)  I have
turned my attention to email headers.

Whilst I'm quietly confident about manually analysing email headers,  I'm
looking for tools or web resources that will automate some of the process.
There are plenty of anti-spam resources such as http://combat.uxn.com/ and
http://www.spamhaus.org/ to identify spammers and there is the infamous Sam
Spade for testing Open Mail Relay Agents. There are a plethora of how-to's
and FAQ's about analysing headers manually.   But I haven't found many
resources that analyse the headers in sufficient accurate detail.

Personally I would rather run a tool on my own system than put my headers
through a 3rd party website but there are a few sites that seem to do it
fairly well such as http://www.3dmail.com/spam/ which whilst spam focussed
seems fairly comprehensive, though sadly a beta which hasn't been updated
in
a year.

Any recommendations websites or tools would be greatly appreciated, if
there
is a sufficient response I will collate the information onto a new page for
the website below and post a summary to this list

cheers, and for the Brits have a good Bank Holiday Weekend I hope the
weather is better where you are!

take care
-andy
Taliskers Network Security Tools
http://www.networkintrusion.co.uk


---------------------------------------------------------------------------
Thinking About Security Training? You Can't Afford Not To!

Vigilar's industry leading curriculum includes:  Security +, Check Point,
Hacking & Assessment, Cisco Security, Wireless Security & more! Register
Now!
--UP TO 30% off classes in select cities--
http://www.securityfocus.com/Vigilar-security-basics
----------------------------------------------------------------------------




---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]