[SpamCop-List] Re: Mail Daemon Spam - what is it?
michael.spamcop at michaellefevre.com
Wed Mar 3 14:04:38 EST 2004
Marjolein Katsma wrote:
> Michael Lefevre (michael.spamcop at michaellefevre.com) wrote in
> news:c22o16$ij5$1 at news.spamcop.net:
>>> At the very least SpamCop should:
>>> - ignore the From header since it's habitually forged; it should not
>>> be used to determine a "type" of email;
>>> - ignore the subject since it's always just made up anyway (even in
>>> non-spam); it should not be used to determine a "type" of email;
>>> - *maybe* look at the Content-Type header; less often forged
>>> (although sometimes erroneous); if it looks suspicious, THEN ALSO
>>> look at the content to determine whether it really is a bounce.
>> I'm not sure how that would work, or how it would help. What exactly
>> would it look for in the body? How is the body any less forgeable than
>> the headers?
> The body is the actual payload. I don't see what, by definition, a
> "forged body" would be.
That was kind of my point...
> The body of a bounce doesn't advertise websites,
> products or services; most spam links at least to one website, I've
> never seen a real bounce that does.
Firstly, I have actually seen a "real" unknown user bounce with a URL (to
a directory to find the correct address). If the bounce message is due
to, say, a DNSBL, then it's quite likely to include a lookup URL from
that. The killer point is that bounces tend to include the original
content, which may well be an actual spam, and depending on the format of
the bounce, it can be tricky to work out where the included message
>> The only thing that can't be forged is the Received: headers
>> added by the receiving servers, and those aren't useful for
>> identifying bounces.
> True. But I'm arguing you can *never* identify a bounce by headers
> alone, only by a combination of headers and body.
Could you describe exactly what patterns to look for though - something
that could be implemented in a line or two of code, that would be better
than what we have now. I'm sure it'd be possible to come up with
something, but then the spammers can just include those lines in the
message body - it's not as if they have a problem with including some
>> Doing it in a bad way is probably preferable to not doing it at all...
> That would be giving in to spammers. I don't think that's good at all.
I think it's better to miss a few spammers than to increase the level of
mistakes and false positive listings, which many people think is too high
> Real bounces *are* recognizable to humans (and not by looking at
> headers); there must be a way to build that recognition process into a
> heuristic to make a much better determination of what is (most likely) a
Possibly, but that's sounding like a lot of work. And whatever heuristic
you come up with, the spammers can work around it. Anyway, I'm just
pointing out why it's not that easy to fix - I imagine Julian will do
something at some point...
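[Added example, not part of the post above and not SpamCop's code: a small
Python sketch of the signals the thread argues about. It keeps the cheap,
forgeable header hints (From:, Subject:) separate from the structural hint of
an RFC 3464 delivery status notification (Content-Type: multipart/report;
report-type=delivery-status), and it tries to separate a bounce's own text from
the original message it carries, which is where the "bounce with a URL"
problem comes from. The three sample messages, hostnames and URLs are made up
for the example; the inline-original splitter is a guess at a seam, not a rule
from any MTA.]

```python
# Added example, not SpamCop's code nor anything posted in this thread: it keeps
# the forgeable header signals (From:, Subject:) apart from the structural signal
# of an RFC 3464 DSN, and splits a bounce's own text from the original it carries.
import email
import email.policy
import re

URL_RE = re.compile(r'https?://[^\s<>"]+')
DAEMON_RE = re.compile(r"mailer-daemon|postmaster|mail delivery", re.I)
SUBJECT_RE = re.compile(r"undeliver|returned mail|failure notice|delivery status", re.I)
# Guess at where a text-only bounce starts quoting the original: first header-looking line.
INLINE_START_RE = re.compile(r"^(?:Return-Path|Received|Message-ID|From): ", re.M)

# Constructed RFC 3464 DSN: the MTA's own text has a legitimate directory URL, the embedded original is spam.
DSN_BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mx.example.net. The address
<nobody@example.net> does not exist; see http://directory.example.net/
--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@example.net
Action: failed

--b1
Content-Type: message/rfc822

From: promo@spammer.example

Buy now at http://pills.example/ and save!
--b1--
"""

# Constructed spam dressed as a bounce: header signals fire, no DSN structure, spammer's URL.
FAKE_BOUNCE = """\
From: MAILER-DAEMON@victim.example
Subject: Returned mail: see transcript for details

Your message could not be delivered. Visit http://pills.example/ for details.
"""

# Constructed real but text-only (qmail-style) bounce: no DSN structure, original pasted inline.
TEXT_BOUNCE = """\
From: MAILER-DAEMON@mail.example.com
Subject: failure notice

Hi. This is the qmail-send program at mail.example.com.
I'm afraid I wasn't able to deliver your message to <nobody@example.com>.

--- Below this line is a copy of the message.

Return-Path: <promo@spammer.example>

Buy now at http://pills.example/ and save!
"""


def split_inline_original(text):
    """(MTA's own text, inline original).  Heuristic only: the sender controls the whole body."""
    m = INLINE_START_RE.search(text)
    return (text, "") if m is None else (text[:m.start()], text[m.start():])


def classify_bounce(raw):
    """Collect the signals a bounce heuristic could weigh; it decides nothing itself."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    is_report = (msg.get_content_type() == "multipart/report"
                 and msg.get_param("report-type", "").lower() == "delivery-status")
    status, original, own_text = {}, None, []
    # Top-level parts only: walking deeper would mix the embedded original's text into the bounce's.
    for part in list(msg.iter_parts()) or [msg]:
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            for block in part.get_payload():      # one header block per recipient
                status.update({k.lower(): str(v).strip() for k, v in block.items()})
        elif ctype == "message/rfc822":
            original = part.get_content()         # the embedded original, as a message
        elif ctype == "text/plain":
            own_text.append(part.get_content())
    if original is not None:
        own_text = "\n".join(own_text)
        body = original.get_body(preferencelist=("plain",))
        original_text = body.get_content() if body is not None else ""
    else:
        own_text, original_text = split_inline_original("\n".join(own_text))
    return {
        # From:/Subject: cost nothing to forge; a well-formed DSN is more work to fake, but still a hint, not proof.
        "daemon_from": bool(DAEMON_RE.search(str(msg.get("From", "")))),
        "bounce_subject": bool(SUBJECT_RE.search(str(msg.get("Subject", "")))),
        "is_dsn": is_report and status.get("action") == "failed",
        "urls_in_own_text": sorted(set(URL_RE.findall(own_text))),
        "urls_in_original": sorted(set(URL_RE.findall(original_text))),
    }
```

Run classify_bounce() on the three samples and the point of the thread falls
out: the From:/Subject: signals fire identically for the real DSN, the real
text-only bounce and the forgery, so they say nothing; only the DSN has the
multipart/report structure, and only after the embedded original is separated
does the real bounce's own URL (the directory lookup) stop looking like the
spammer's. The text-only bounce shows why the seam is hard to find: the
splitter has to guess at a header-looking line, and a spammer can paste the
same lines in to put his pitch on whichever side of the seam he likes.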