Spam Filter ISP Support Forum


Request option to check all IP's in header

Alan (Guest Group)
Posted: 17 September 2003 at 12:10pm

I would really like to be able to have all IP addresses in the header checked instead of just the connecting one.  Often spam is routed from a blacklisted IP through another non-blacklisted IP.  This accounts for the majority of the spam that still gets through our system now.  Can this feature be added as an option?

Or have a list of "approved" relay IP's so that all the IP's in the header are only checked if connection was made from the list of approved IP's.  That would help to keep overhead down except when needed.

Desperado (Guest Group)
Posted: 18 September 2003 at 1:09am

Alan,

I agree with you on all points.  The problem, as I see it (and anyone can chime in if they can argue this point), is that there is no way to verify an IP that hasn't actually connected to your server.  Any communication that MAY have occurred is "hearsay" evidence at best. As the Network Administrator of an ISP, I am constantly frustrated by this.  Many of the multi-hop messages that I try to track down have totally forged headers prior to the actual machine that connected to my server so the point then becomes moot.

Another frustrating scenario is the large quantity of messages where the entire content is a remote URL.  In this case there is no content to filter and because there are more and more "Valid" messages that also do this, we can not just kill anything that is not local content.  If the legitimate list server messages would stop using this technique, then I would be tempted to block them.  I wish the administrators that do this would see that they are only making the whole Spam situation more difficult. If ALL ISP's got together and made the policy to not allow this, then the list operators would stop using remote content because no one would receive them.

My bottom line is that advertisers and Spammers (is there a distinction?) have made email one of the most unreliable and frustrating forms of communication.  If I continue writing about this, I will start getting abusive and impolite so I will end now.

Dan S
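Alan's approved-relay option combined with Dan's caveat about forged headers, as an added Python example that is not part of the thread and is not SpamFilter's own code: header IPs are only checked while the host that wrote each Received line is the connecting IP or an approved relay, and the walk stops at the first unverified hop. All addresses and host names are constructed, and the blacklist is a local set standing in for a real blacklist lookup.

```python
import re
from email import message_from_string

# Constructed sample: 192.0.2.10 is our approved relay (a backup MX); it took
# the message from 198.51.100.23; the bottom header is whatever the sender wrote.
RAW = """\
Received: from mail.sender.example (unknown [198.51.100.23])
\tby backup-mx.example.net with ESMTP; Wed, 17 Sep 2003 12:01:00 -0400
Received: from pc (dsl.example.org [203.0.113.7])
\tby mail.sender.example with SMTP; Wed, 17 Sep 2003 12:00:00 -0400
From: someone@sender.example
Subject: constructed test message

body
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw):
    """First bracketed IPv4 of each Received header, newest hop first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(value)
        hops.append(m.group(1) if m else None)
    return hops

def ips_to_check(connecting_ip, raw, approved_relays):
    """Connecting IP, plus header IPs recorded by approved relays only."""
    check = [connecting_ip]
    trusted_writer = connecting_ip in approved_relays
    for ip in received_ips(raw):
        if not trusted_writer or ip is None:
            break                  # header written by an unverified host: stop
        check.append(ip)
        trusted_writer = ip in approved_relays
    return check

def verdict(connecting_ip, raw, approved_relays, blacklist):
    """Reject if any IP we are entitled to trust is on the blacklist."""
    hits = [ip for ip in ips_to_check(connecting_ip, raw, approved_relays)
            if ip in blacklist]
    return ("reject", hits) if hits else ("accept", [])
```

With the relay approved, a blacklisted 198.51.100.23 is caught even though it never connected directly; 203.0.113.7 is never checked because the header naming it was written by a host nobody vouches for.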

Alan (Guest Group)
Posted: 18 September 2003 at 12:01pm

For some this would help to clean up most of that last 10% that still get through, but for others it would not be feasible.  That is why I suggest that the feature be an optional one that can be turned on or off, and the idea of using the feature only with certain exceptions to the normal check of the connecting IP.

If anyone is going through the trouble of faking the header information with something that would trigger a hit through SpamFilter, I for one don't want that email to pass through anyway.  I don't want any email that cannot be tracked back to pass through.  Likewise if someone is sending mail through questionable channels, I wouldn't want that to pass through either.  Of course I can only speak for our case here, but having the option would be a powerful option.

I agree with your sentiments Dan about the embedded URL's and I sympathize with your situation where you as an ISP really cannot block them.  We DO block them and they account for 60% of the spam that we quarantine.   This, the nice RegEx, and a few choice keywords block 90% of the big problem spam.  But the backdoor spoofed IP method is still one that I would like to get a handle on for the last 10%.  There was even a small mention of these escalating spam methods in an article in the current Network World.

Desperado (Senior Member)
Posted: 19 September 2003 at 7:25am

Alan,

We DO block some of the more "Bogus" URL ref's with the following RegEx's but we can't (much to my dismay) block a simple URL Reference for all messages.

((http|3dhttp)://.{0,26}(((%.+%))|@|:)[(\d|\w)])
(http://+[\d]{1,3}\.{1}[\d]{1,3}\.{1}[\d]{1,3}\.{1}[\d]{1,3})
((http://http:/\w)|(<(\w){3,10}(\x20/>)|(\*http://w)))

If we put a simple block for all external links ... even Microshaft's (oops ... I meant Microsoft's) Technical Newsletter would get nailed.  That is what I was complaining about in my previous response.  There need to be some rules that are enforceable about proper email content or some "Magic" way to flag a message as a valid newsletter.   Very frustrating!

Dan S.
