Exploiting Bulk Emailer Flaws 

Some bulk emailers are "factory set" to insert a particular domain name, particular To: and From: address information, or a particular error into every message they send. Of course this information is false.

You may be able to exploit these flaws, and any other "signature" characteristics, to create spam-blocking content filter rules that identify such spam. The spam filter does not check the Received: lines beyond the first "word."

Some versions of the StealthMailer bulk emailer contain an error in the false header information they insert:

-0600 (EST)

(Eastern Standard Time is five hours behind Greenwich Mean Time, not six.) You can exploit this flaw by creating a keyword -0600 (EST) in the content filter--the content filter checks both message header and message text information.

A "repaired" version of StealthMailer has been released; this one, however, gets the Eastern time zone wrong like so:

-0700 (EST)

Compounding the error is an SMTP id that always starts with XAA.

A new signature is popping up as a result of recent anti-spam legislation. Make a content filter rule against email containing all, or part, of the following:

This message is sent in compliance of the new email bill: SECTION 301, Paragraph (a)(2)(C) of s. 1618

For example, you could create a single profile with the three rules:

section 301
paragraph (a) (2) (C)
s. 1618

Other bulk emailers routinely insert a line such as the following into the header:

Precedence: bulk

alt1 is a domain name prefix that is often seen buried in the header of unwanted email, evidence of a spoofed Received: field.

Some SMTP servers, when they are unable to authenticate a username@domain.name or the originating domain, will stamp the following warning in the header:

X-Authentication-Warning:

Others modify the Received: line like this:

Received: from mail1.staffordnet.com (mail1.staffassoc.com [123.12.123.12] (may be forged)) by rly-ya01.mx.aol.com (8.8.8/8.8.5/AOL-4.0.0) with ESMTP id HAA20159; Fri, 7 Aug 1999 07:20:41 -0400 (EDT)

Some bulk emailers routinely fail to enter a number for the Message-ID: <> field and end up leaving it blank, as shown in this edited example:

Received: from 2doormail.2door.com. (2doormail.2door.com [123.1.70.11]) by gnetmgt.2door.com (8.8.5/8.8.5) with ESMTP id JAA04007; Wed, 22 Jul 1999 09:25:39 -0400 (EDT) Message-Id: <>

In a genuine email message, the Message-Id is generated by the SMTP server and appended to the message at the time of delivery.
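The signatures listed above (the StealthMailer time-zone errors, the XAA SMTP id, the s. 1618 keyword profile, Precedence: bulk, the alt1 prefix, X-Authentication-Warning, "(may be forged)" and the empty Message-Id) can all be checked by one header parser. The script below is an added example written for this page; it is not the spam filter product's own rule engine and uses only the Python standard library. The rule names, the sample messages and the example.invalid host names are constructed for the demo. The time-zone check generalizes the two StealthMailer cases: it compares the numeric offset against the zone abbreviation for all of the North American zones listed in ZONE_OFFSETS, which is an assumption beyond what the page states.

```python
import email
import re
from email import policy

# Numeric offset each zone abbreviation should carry (assumption: only the
# North American zones are listed; "-0600 (EST)" and "-0700 (EST)" both fail).
ZONE_OFFSETS = {
    "EST": "-0500", "EDT": "-0400",
    "CST": "-0600", "CDT": "-0500",
    "MST": "-0700", "MDT": "-0600",
    "PST": "-0800", "PDT": "-0700",
}
TZ_RE = re.compile(r"([+-]\d{4})\s*\((E|C|M|P)(S|D)T\)")

# The three-rule keyword profile from the page. Matching is case-insensitive
# with whitespace removed, so "(a) (2) (C)" also hits "(a)(2)(C)".
LEGISLATION_KEYWORDS = ["section 301", "paragraph (a) (2) (c)", "s. 1618"]


def _normalise(text):
    """Lower-case text and drop all whitespace for tolerant keyword matching."""
    return re.sub(r"\s+", "", text).lower()


def zone_mismatches(msg):
    """Return (offset, zone) pairs in Received:/Date: whose offset contradicts the zone."""
    bad = []
    for value in msg.get_all("Received", []) + msg.get_all("Date", []):
        for offset, region, kind in TZ_RE.findall(value):
            zone = f"{region}{kind}T"
            if ZONE_OFFSETS.get(zone) != offset:
                bad.append((offset, zone))
    return bad


def check_message(raw):
    """Apply the signature rules described on this page; return the rule names that fired."""
    msg = email.message_from_string(raw, policy=policy.compat32)
    received = msg.get_all("Received", [])
    hits = []
    if zone_mismatches(msg):
        hits.append("tz-mismatch")
    if any(re.search(r"\bid XAA", r) for r in received):
        hits.append("xaa-id")
    if msg.get("Precedence", "").strip().lower() == "bulk":
        hits.append("precedence-bulk")
    if any("alt1" in r for r in received):
        hits.append("alt1-prefix")
    if "X-Authentication-Warning" in msg:
        hits.append("auth-warning")
    if any("(may be forged)" in r for r in received):
        hits.append("may-be-forged")
    if "Message-Id" in msg and msg["Message-Id"].strip() in ("", "<>"):
        hits.append("empty-message-id")
    # The content filter checks header and body text alike, so scan the raw message.
    text = _normalise(raw)
    if all(_normalise(k) in text for k in LEGISLATION_KEYWORDS):
        hits.append("s1618-boilerplate")
    return hits


# Constructed sample carrying every signature from the page.
SPAM_SAMPLE = """Received: from alt1.example.invalid (unknown [192.0.2.10] (may be forged))
 by mx.example.invalid (8.8.8/8.8.8) with ESMTP id XAA12345;
 Thu, 22 Jul 1999 23:05:11 -0600 (EST)
From: nobody@example.invalid
To: you@example.invalid
Date: Thu, 22 Jul 1999 23:05:11 -0600 (EST)
Message-Id: <>
Precedence: bulk
X-Authentication-Warning: mx.example.invalid: nobody set sender using -f
Subject: hello

This message is sent in compliance of the new email bill: SECTION 301,
Paragraph (a)(2)(C) of s. 1618.
"""

# Constructed sample of an ordinary message with consistent headers.
LEGIT_SAMPLE = """Received: from mail.example.invalid (mail.example.invalid [192.0.2.20])
 by mx.example.invalid (8.8.8/8.8.8) with ESMTP id HAA20159;
 Fri, 6 Aug 1999 07:20:41 -0400 (EDT)
From: alice@example.invalid
To: bob@example.invalid
Date: Fri, 6 Aug 1999 07:20:41 -0400 (EDT)
Message-Id: <19990806112041.HAA20159@mail.example.invalid>
Subject: lunch

Are we still on for noon?
"""

if __name__ == "__main__":
    print("spam :", check_message(SPAM_SAMPLE))
    print("legit:", check_message(LEGIT_SAMPLE))
```

Each rule is deliberately narrow, matching the page's advice to key on a specific mistake rather than on a generic word, and the keyword profile fires only when all three of its rules hit; treat any single hit as a score contribution rather than a verdict, since Precedence: bulk and X-Authentication-Warning also appear on legitimate list mail.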

See also:

Caution
Example Received Fields
Adding or Editing Spam Filter Rules
Current Rules
Setting up rules—strategy
Creating A Keyword List: Example