New filtering facilities

New tests for spammers using multiple names for their machines

We’ve created some new filtering tests to catch one particular style of spammer operation, where the sending system not only invents (or steals) the name it announces as its own in the SMTP HELO/EHLO greeting, but uses several different ones across its mailings. This is clearly intended to confuse attempts at tracking it down.

The test can be enabled (by full-account customers) in a personal ruleset, as Envelope-validity/Mutating-HELO-data. It’s disabled by default, except for catchall accounts of Lite customers.

To tell if this test would catch any of your received spam, look at the Received headers (you may need to turn on display of full headers in your mail reader). Received lines are added at the top as a mail passes through each system, so the earliest one is the lowest. For each mail, identify the earliest Received line where it arrives at our systems, i.e. the one saying something like “… by smtp.tidymail.co.uk …”.
The start of that line says “Received: from name (helo-name)…”, where name is what we observed for the sending system and helo-name is what it claimed to be.
If you have several mails from the same name but with different helo-name then this new test is a good candidate to use.

The test actually only looks at the last few elements of the helo-name (e.g. ebay.com rather than mx21.sjc.ebay.com) as we found that many relatively legitimate mail sources seem to hide several systems behind a single IP address. We’ve also had to apply an exceptions list, for sources such as freeparking.com/freeparking.co.uk.
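The following is an added example (not tidymail’s own filter code) showing the check described above run over a handful of constructed messages: it takes the earliest Received line handled by our host, splits it into the observed name and the claimed helo-name, reduces the helo-name to its last few labels, and reports names that turn up with more than one helo domain unless they are on the exceptions list. The host name smtp.tidymail.co.uk is taken from the post; the sendmail-style “from name (helo-name [ip]) by host” layout, the two-label public-suffix list and the sample messages are assumptions made for the example.

```python
"""Added example, not code from the original post: spot senders whose claimed
HELO name changes between mails (the "Mutating-HELO-data" idea)."""
import re
from collections import defaultdict
from email import message_from_string

# Our receiving host (name taken from the post); the earliest Received line
# naming it as the "by" host is where a mail entered our systems.
OUR_HOST = "smtp.tidymail.co.uk"

# Sources known to legitimately present several HELO names.  Constructed list;
# the post mentions freeparking.com / freeparking.co.uk as such a case.
EXCEPTIONS = {"freeparking.com", "freeparking.co.uk"}

# Assumed two-label public suffixes so that mail.example.co.uk -> example.co.uk.
# A real deployment would use a full public-suffix list.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}

# Assumed header layout: "from NAME (HELO [ip]) by HOST ...".  The parenthesised
# HELO is optional; some MTAs omit it when it matches NAME.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<name>\S+)(?:\s+\((?P<helo>[^\s\[\]()]+)[^)]*\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def registrable_domain(helo):
    """Keep only the last few labels: mx21.sjc.ebay.com -> ebay.com."""
    labels = helo.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def entry_hop(raw_message):
    """Return (name, helo) from the earliest Received line handled by OUR_HOST,
    or None if no such line is present."""
    msg = message_from_string(raw_message)
    # Received headers are prepended by each hop, so the last one is earliest.
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.match(" ".join(hdr.split()))  # unfold the header
        if m and m.group("by").lower() == OUR_HOST:
            return m.group("name").lower(), m.group("helo") or m.group("name")
    return None


def mutating_helo_senders(messages):
    """Map each observed sender name to the HELO domains it used, keeping only
    names seen with more than one domain and not covered by EXCEPTIONS."""
    seen = defaultdict(set)
    for raw in messages:
        hop = entry_hop(raw)
        if hop is None:
            continue
        name, helo = hop
        seen[name].add(registrable_domain(helo))
    return {
        name: domains
        for name, domains in seen.items()
        if len(domains) > 1
        and not (domains & EXCEPTIONS)
        and registrable_domain(name) not in EXCEPTIONS
    }


def _msg(name, helo, ip="203.0.113.5"):
    """Build a constructed two-hop message: internal relay (newest) on top,
    entry hop at OUR_HOST underneath.  Not real mail."""
    return (
        f"Received: from {OUR_HOST} (localhost [127.0.0.1])\n"
        f"\tby imap.tidymail.co.uk with esmtp; Mon, 1 Jan 2024 10:00:00 +0000\n"
        f"Received: from {name} ({helo} [{ip}])\n"
        f"\tby {OUR_HOST} with esmtp; Mon, 1 Jan 2024 09:59:58 +0000\n"
        "From: someone@example.net\nSubject: test\n\nbody\n"
    )


# Constructed sample input.
SAMPLE_MESSAGES = [
    # Same observed name, three unrelated HELO domains: the spammer pattern.
    _msg("mail.spammy.example", "mx1.ebay.com"),
    _msg("mail.spammy.example", "smtp.paypal.com"),
    _msg("mail.spammy.example", "relay.hsbc.co.uk"),
    # Several real hosts behind one domain: collapses to ebay.com, not flagged.
    _msg("bounce.ebay.com", "mx21.sjc.ebay.com"),
    _msg("bounce.ebay.com", "mx22.lax.ebay.com"),
    # Two HELO domains, but a listed exception: not flagged.
    _msg("out.freeparking.co.uk", "mail.freeparking.com"),
    _msg("out.freeparking.co.uk", "mail.freeparking.co.uk"),
]

if __name__ == "__main__":
    for name, domains in mutating_helo_senders(SAMPLE_MESSAGES).items():
        print(f"{name}: {sorted(domains)}")
```

Only the `by smtp.tidymail.co.uk` line is trusted because every earlier Received header was written by the sender and can say anything; the check is also per observed name rather than per IP, which is why hosts that genuinely share a domain are collapsed first.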
