Exploiting Bulk Emailer Flaws
Some bulk emailers are "factory set" to include a particular domain name and/or To: and From: address information, or to include a particular error. Of course, this information is false.
You may be able to exploit these flaws, and any other "signature" characteristics, to create spam-blocking content filter rules that identify certain spam. The spam filter does not check the Received: lines beyond the first word.
Some versions of the StealthMailer bulk emailer contain an error in the false header information it inserts:
-0600 (EST)
(Eastern Standard Time is five hours behind Greenwich Mean Time, not six.) You can exploit this flaw by creating the keyword -0600 (EST) in the content filter; the content filter checks both message header and message text.
A "repaired" version of StealthMailer has been released; this one, however, gets the Eastern time zone wrong like so:
-0700 (EST)
Compounding the error, the SMTP id it inserts always starts with XAA.
A new signature is appearing as a result of recent anti-spam legislation. Make a content filter rule against email containing all, or part, of the following:
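The two StealthMailer signatures above are instances of one general check: the numeric UTC offset in a Date: or Received: stamp must agree with the zone abbreviation that follows it. The following is an added example, not code from the original page or from any spam filter product, that performs that check for a small table of zone abbreviations (the table, the constructed sample headers and the function names are assumptions of this example) and separately lists Received: queue ids that start with the XAA prefix described above.

```python
import re
from typing import Dict, List, Tuple

# Expected numeric UTC offsets for the zone abbreviations checked here.
# Assumption (not from the original page): only North American and GMT/UTC
# abbreviations are listed; unknown abbreviations are skipped, not flagged.
ZONE_OFFSETS: Dict[str, str] = {
    "EST": "-0500", "EDT": "-0400",
    "CST": "-0600", "CDT": "-0500",
    "MST": "-0700", "MDT": "-0600",
    "PST": "-0800", "PDT": "-0700",
    "GMT": "+0000", "UTC": "+0000",
}

# "-0600 (EST)" style: a numeric offset followed by a parenthesised abbreviation.
TZ_RE = re.compile(r"([+-]\d{4})\s*\(([A-Z]{3,4})\)")
# Sendmail-style "with ESMTP id XAA12345" fragment inside a Received: line.
SMTP_ID_RE = re.compile(r"\bid\s+([A-Za-z]{3}\d+)")


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw message into (name, value) header pairs, joining folded lines."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break  # the first blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def timezone_mismatches(raw: str) -> List[str]:
    """Return one finding per Date:/Received: stamp whose offset contradicts its zone name."""
    findings: List[str] = []
    for name, value in unfold_headers(raw):
        if name.lower() not in ("date", "received"):
            continue
        for offset, abbr in TZ_RE.findall(value):
            expected = ZONE_OFFSETS.get(abbr)
            if expected is not None and offset != expected:
                findings.append(f"{name}: {offset} ({abbr}) but {abbr} is {expected}")
    return findings


def suspicious_smtp_ids(raw: str, prefix: str = "XAA") -> List[str]:
    """Return the queue ids found in Received: lines that start with the given prefix."""
    ids: List[str] = []
    for name, value in unfold_headers(raw):
        if name.lower() != "received":
            continue
        for qid in SMTP_ID_RE.findall(value):
            if qid.startswith(prefix):
                ids.append(qid)
    return ids


# Constructed sample headers (not a real message). The Received: line imitates the
# broken stamp described above; the Date: line is internally consistent.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.org (8.8.8/8.8.5) with ESMTP id XAA04711;
    Fri, 7 Aug 1999 07:20:41 -0600 (EST)
Date: Fri, 7 Aug 1999 07:20:41 -0400 (EDT)
From: sender@example.net
Subject: constructed sample

body text
"""

if __name__ == "__main__":
    for finding in timezone_mismatches(SAMPLE):
        print("timezone mismatch:", finding)
    for qid in suspicious_smtp_ids(SAMPLE):
        print("suspicious queue id:", qid)
```

Because the check compares the offset with the abbreviation rather than looking for one literal string, it catches both the -0600 (EST) and the -0700 (EST) variants, and any similar slip in other zones, while a correctly stamped message produces no finding.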
This message is sent in compliance of the new email bill: SECTION 301, Paragraph (a)(2)(C) of s. 1618
For example, you could create a single profile with these three rules:
section 301
paragraph (a) (2) (C)
s. 1618
Other bulk emailers routinely insert a line such as the following into the header:
Precedence: bulk
alt1 is a domain name prefix often seen buried in the header of unwanted email; it is evidence of a spoofed Received: field.
Some SMTP servers, when unable to authenticate a username@domain.name or the originating domain, stamp the following warning in the header:
X-Authentication-Warning:
Others modify the Received: line like this:
Received: from mail1.staffordnet.com (mail1.staffassoc.com [123.12.123.12] (may be forged)) by rly-ya01.mx.aol.com (8.8.8/8.8.5/AOL-4.0.0) with ESMTP id HAA20159; Fri, 7 Aug 1999 07:20:41 -0400 (EDT)
Some bulk emailers routinely fail to fill in the Message-ID: <> field and leave it blank, as shown in this edited example:
Received: from 2doormail.2door.com. (2doormail.2door.com [123.1.70.11]) by gnetmgt.2door.com (8.8.5/8.8.5) with ESMTP id JAA04007; Wed, 22 Jul 1999 09:25:39 -0400 (EDT) Message-Id: <>
In a genuine email message, the Message-Id is generated by the SMTP server and appended to the message at the time of delivery.
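The three-rule profile for the s. 1618 disclaimer and the header signatures listed above (Precedence: bulk, the alt1 prefix, X-Authentication-Warning:, "(may be forged)", and the blank Message-Id) can all be expressed as keyword rules checked against the header, the body, or both. The following is an added example, not code from the original page or from any spam filter product: a small rule evaluator in which a profile fires only when every one of its keywords is present. Matching ignores case and whitespace so that the "paragraph (a) (2) (C)" spelling of the rule matches "(a)(2)(C)" in a message; that matching behaviour, the rule names, and the constructed sample messages are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


def normalise(text: str) -> str:
    """Lower-case and drop all whitespace so spacing differences cannot defeat a keyword."""
    return re.sub(r"\s+", "", text.lower())


def split_message(raw: str) -> Tuple[str, str]:
    """Return (header block, body); the first blank line separates the two."""
    header, _, body = raw.partition("\n\n")
    return header, body


@dataclass
class Rule:
    name: str
    keywords: List[str]   # every keyword must appear: one keyword is a simple rule,
                          # several keywords form a "profile" as described above
    scope: str = "any"    # "header", "body" or "any" (header and body together)

    def matches(self, header: str, body: str) -> bool:
        haystack = {"header": header, "body": body, "any": header + "\n" + body}[self.scope]
        text = normalise(haystack)
        return all(normalise(k) in text for k in self.keywords)


# Rules taken from the signatures discussed above; the names are assumptions.
RULES: List[Rule] = [
    Rule("stealthmailer-tz", ["-0600 (EST)"], scope="header"),
    Rule("stealthmailer-tz-v2", ["-0700 (EST)", "id XAA"], scope="header"),
    Rule("s1618-disclaimer", ["section 301", "paragraph (a) (2) (C)", "s. 1618"]),
    Rule("precedence-bulk", ["Precedence: bulk"], scope="header"),
    Rule("alt1-prefix", ["alt1"], scope="header"),
    Rule("auth-warning", ["X-Authentication-Warning:"], scope="header"),
    Rule("may-be-forged", ["(may be forged)"], scope="header"),
    Rule("empty-message-id", ["Message-Id: <>"], scope="header"),
]


def evaluate(raw: str, rules: List[Rule] = RULES) -> List[str]:
    """Return the names of all rules that fire on the message, in rule order."""
    header, body = split_message(raw)
    return [r.name for r in rules if r.matches(header, body)]


# Constructed sample messages (not real mail). The first packs several of the
# signatures above into one message; the second is an ordinary message that
# happens to mention "Section 301" in its body.
SAMPLE_SPAM = """\
Received: from alt1.mail.example.net (mail.example.net [192.0.2.10] (may be forged))
    by mx.example.org (8.8.8/8.8.5) with ESMTP id XAA04711;
    Fri, 7 Aug 1999 07:20:41 -0700 (EST)
X-Authentication-Warning: mx.example.org: constructed example
Message-Id: <>
Precedence: bulk
From: offers@example.net
Subject: constructed sample

Buy now!
This message is sent in compliance of the new email bill: SECTION 301,
Paragraph (a)(2)(C) of s. 1618
"""

SAMPLE_HAM = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.org (8.8.8/8.8.5) with ESMTP id HAA20159;
    Fri, 7 Aug 1999 07:20:41 -0400 (EDT)
Message-Id: <19990807112041.HAA20159@mail.example.net>
From: alice@example.net
Subject: lunch

Section 301 of the building code is on page 3.
"""

if __name__ == "__main__":
    print("spam sample fires:", evaluate(SAMPLE_SPAM))
    print("ham sample fires: ", evaluate(SAMPLE_HAM))
```

The second sample shows why the disclaimer is a profile rather than a single keyword: "section 301" alone also occurs in legitimate text, but a message has to contain all three fragments before the s1618-disclaimer rule fires. Restricting the header-only rules to the header block keeps body text that merely quotes a spam header (for example a complaint forwarded to an abuse desk) from matching them.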
See also:
Caution
Example Received Fields
Adding or Editing Spam Filter Rules
Current Rules
Setting up rules—strategy
Creating A Keyword List: Example