Rule for DNS MX Check

Max Kipness max at assuredata.com
Mon Nov 6 20:23:12 GMT 2006


Hello,

I'm still having issues with receiving large image stock spam, which is
not being hit by Razor, Pyzor or DCC, SARES stock, or any of the others
except the SARES gif attach. It gets a low bayes score that brings the
score negative at times.

One thing I have noticed is that even though the sender IP does resolve,
it's usually to a dynamically generated host by a DSL company etc. Most
of the time the sender address does not match this IP.

So after doing some research I'm wondering if there is a way either
through Sendmail, MailScanner or SpamAssassin to either check the MX
record of the sender header or match the From and Sender headers. I'd
prefer this to be a SpamAssassin rule so that I could release from
quarantine if there turn out to be FPs. I have a customer that deals
with a lot of foreign customers that might not have DNS set up.

Here is an example of a spam header received today (with my server
names/ips replaced with myserver.com). What I mean is that the From
header shows from byerconsulting.com, but it was actually received from
dsl.pipex.com. If you did an MX check on byerconsulting.com you
definitely would not get the dsl.pipex.com IP address. But simply trying
to match the Received domain to the sender domain would show something
is wrong.

Is there any way of scoring this stuff?

---------------------------------------------------------------

Microsoft Mail Internet Headers Version 2.0
Received: from myserver.com ([192.168.1.4]) by myserver.com with
Microsoft SMTPSVC(6.0.3790.1830);
	 Mon, 6 Nov 2006 08:02:29 -0600
Received: from DESKTOP (81-179-145-240.dsl.pipex.com [81.179.145.240])
	by myserver.com  with ESMTP idkA6E235h002990
	for <mkipness at myserver.com>; Mon, 6 Nov 2006 08:02:14 -0600
Received: from 65.254.254.52 (HELO mail.byerconsulting.com)
     by myserver.com with esmtp (2ST5N97RVEZ G4NVD)
     id O7FKEF-XTPYT5-6N
     for mkipness at myserver.com; Mon, 6 Nov 2006 14:02:22 +0000
From: "Joel Lambert" <deborahstoryhn at byerconsulting.com>
To: <mkipness at myserver.com>
Subject: hi Joel
Date: Mon, 6 Nov 2006 14:02:22 +0000
Message-ID: <01c701ac$2e3fbc00$6c822ecf at deborahstoryhn>
MIME-Version: 1.0
Content-Type: multipart/related;
	boundary="----=_NextPart_000_000A_01C701AC.2E3FBC00"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4963.1700
Thread-Index: Aca6Q0YSVIA1BXARN9IQGMR9L98LID==
X-MailScanner-MailScanner-Information: Please email support at myserver.com
for more information.
X-MailScanner-MailScanner: Found to be clean
X-MailScanner-MailScanner-SpamCheck: not spam, SpamAssassin
(score=0.752, required 5.5,
	BAYES_50 0.00, HTML_MESSAGE 0.00, SARE_GIF_ATTACH 0.75)
X-MailScanner-MailScanner-From: deborahstoryhn at byerconsulting.com
Return-Path: deborahstoryhn at byerconsulting.com
X-OriginalArrivalTime: 06 Nov 2006 14:02:29.0968 (UTC)
FILETIME=[32AEFD00:01C701AC]

Thanks,
Max

