Those hacked mail rules again...
QV my earlier posts on hacked mail rules (recent example). Here are some rules that are working well here. We are currently accepting emails that match these rules and moving them to a local "trap" database rather than rejecting them:
  • Any email where HELO/EHLO is exactly one of the following: bbc.com, cnn.com, mail.com, addr.com

  • Any email where X-Mailer contains "The Bat" (pax Bat users - I know The Bat! is a bona fide MUA used by some real people, not just forged by spammers; it is just that non-spam emails bearing an X-Mailer of The Bat are so rare that we manage these by exception as and when we see them).

  • Any email where X-Mailer contains "Outlook" and X-Mailer contains ".X" - real Outlook/Outlook Express X-Mailer headers carry a numeric build version and never contain ".X", but a ".X" placeholder version is not an unusual feature of spam.

  • Any email where the HELO/EHLO string contains one of (210., 211., 218., 219., 220.) and the connecting IP address begins with the same octet - Reason: most of these ranges are in China/Korea and most of the hosts have no rDNS. Some spamware, when sending through a proxy server, will HELO with the resolved name of the proxy's IP if it has one, or else simply with the IP address where it has no name. I have never seen a sample of a non-spam email with this characteristic.

Current false positive count = 1. That was a user of the Bat and we tweaked the rule so that it did not apply to mail from his domain. There has been no recurrence.
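As an added illustration (this is not code from the post, nor a Domino mail rule), the four rules above expressed as a small Python classifier and run over a handful of constructed SMTP sessions. The rule names, the "example.org" exemption standing in for the one Bat user who was excused, and the sample HELO/IP/header data are all assumptions made for the example; the classifier returns "quarantine" rather than rejecting, matching the trap-database approach described.

```python
import re
from email import message_from_string

# Rule 1: HELO/EHLO names that, in the post's experience, only spam presents.
FORGED_HELO = {"bbc.com", "cnn.com", "mail.com", "addr.com"}

# Rule 4: first octets named in the post. The HELO must contain one of them as
# the start of an IP literal, and the connecting IP must begin with the same one.
OCTET_RE = re.compile(r"(?<![\w.])(210|211|218|219|220)\.")

# Rule 2 exception list: sender domains exempt from the "The Bat" rule, the way
# the post's single false positive was handled. "example.org" is a placeholder.
BAT_EXEMPT_DOMAINS = {"example.org"}


def sender_domain(msg):
    """Domain part of the From: header, lower-cased; '' if there is none."""
    addr = msg.get("From", "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip("> ").lower()


def match_rule(helo, ip, msg):
    """Return the name of the first quarantine rule that matches, or None."""
    h = helo.strip().lower()  # assumption: compare HELO names case-insensitively
    if h in FORGED_HELO:
        return "helo-forged-domain"
    xmailer = msg.get("X-Mailer", "")
    if "The Bat" in xmailer and sender_domain(msg) not in BAT_EXEMPT_DOMAINS:
        return "xmailer-the-bat"
    if "Outlook" in xmailer and ".X" in xmailer:
        return "xmailer-outlook-dot-x"
    m = OCTET_RE.search(h)
    if m and ip.startswith(m.group(1) + "."):
        return "helo-ip-same-octet"
    return None


def classify(helo, ip, raw_message):
    """('quarantine', rule) on a hit, ('deliver', None) otherwise.
    Hits are filed in a trap database, not rejected at SMTP time."""
    rule = match_rule(helo, ip, message_from_string(raw_message))
    return ("quarantine", rule) if rule else ("deliver", None)


# Constructed sample sessions (HELO, connecting IP, raw headers); not real traffic.
SAMPLES = [
    ("bbc.com", "192.0.2.10", "From: a@example.com\nSubject: hello\n\nbody\n"),
    ("mx.example.net", "192.0.2.11", "From: b@example.net\nX-Mailer: The Bat! (v2.12)\n\nbody\n"),
    ("mx.example.org", "192.0.2.12", "From: c@example.org\nX-Mailer: The Bat! (v2.12)\n\nbody\n"),
    ("pc1", "192.0.2.13", "From: d@example.com\nX-Mailer: Microsoft Outlook Express 6.00.2600.X\n\nbody\n"),
    ("[218.0.2.14]", "218.0.2.14", "From: e@example.com\n\nbody\n"),
    ("218.0.2.14", "192.0.2.15", "From: f@example.com\n\nbody\n"),
    ("hotmail.com", "192.0.2.16", "From: g@hotmail.com\nX-Mailer: Microsoft Outlook Express 6.00.2800.1106\n\nbody\n"),
]


def run_samples():
    """Classify every constructed sample; used by the stand-alone run below."""
    return [classify(helo, ip, raw) for helo, ip, raw in SAMPLES]


if __name__ == "__main__":
    for (helo, ip, _), result in zip(SAMPLES, run_samples()):
        print(f"{helo:16} {ip:14} -> {result}")
```

The sixth sample (an IP-literal HELO whose first octet does not match the connecting IP) and the seventh (a plain "hotmail.com" HELO, which the thread below notes real Hotmail hosts do send) are there to show the rules deliberately not firing; extend FORGED_HELO with care for exactly that reason.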

Category: Domino: Administration

Comments:

1. Steven de Brouwer, 12/08/2004 17:05:38
Homepage: http://www.deBrouwer.org

I'm a The Bat! user and proud of it! If all mail from The Bat! were blocked, I and other users would have to switch to MS Lookout or other bad software. Oh, would the spammers and virus-writers enjoy this!!!

So here's my request... PLEASE add either stricter rules or no rule at all for The Bat!...

Thanks!
Steven.




2. Chris Linfoot, 12/08/2004 17:14:47

I hear you. Even some of my friends at Spamhaus use The Bat!

Here's the thing though. I have a spamtrap with several thousand samples of spam with The Bat! as a forged X-Mailer and I have only seen two samples of real email from The Bat! users.

Besides, we don't block 'em, we quarantine. So if a non-spam The Bat! email lands in the quarantine (this has happened precisely once), we release it to the intended recipient.

What I want to know is this:

Why is a forged X-Mailer of The Bat! so popular with spammers? That is, I assume they forge it or are they really spamming with it?




3. Chris LeRoy, 12/08/2004 21:49:15
Homepage: http://www.brainbent.com

Any email where HELO/EHLO is exactly one of the following: bbc.com, cnn.com, mail.com, addr.com
I have the same basic rule in place with aol.com, hotmail.com, yahoo.com, etc also included, in the exact format. It works great!

Something that I have been working on lately has been looking for HELO/EHLO with an ISP's port name and writing rules to accommodate those in conjunction with our SMTP server names, i.e. ip-wv-68-117-173-056.charterwv.net ([68.117.173.56]) by smtpX.domain.com. This rule, which matches patterns in the addresses that have been reported, has netted thousands of hits each day, after RBL (Spamhaus) checks. False positives to date = 0 (over 3 months now).

Great site, Chris. I learn a lot from what you share.




4. Chris Linfoot, 13/08/2004 08:29:50

Um. Real hotmail email often comes from a host that says EHLO hotmail.com (which is RFC correct as hotmail.com does have an A record) so not a good idea to defeat that. There are some others though. Did I mention compuserve.com?




5. Philip Storry, 06/02/2005 19:07:58
Homepage: http://www.not-so-rapid.com

Why is The Bat! a popular mail client X-Mailer entry?

See here: http://www.ritlabs.com/ru/products/thebat/advice_detail.php?ID=189

In a nutshell, a bulk email program allows The Bat! to be set as the X-Mailer. Apparently, if you see this AND see a header entry for X-MSMail-Priority, then you can know it's spam - The Bat! doesn't use that particular header. Maybe that can help you...




6. Dave Harris, 05/09/2006 08:34:22
Homepage: http://www.wavysworld..com

We've been running a block (or rather quarantining to our spamtrap) on the bat for about six months and I have yet to see a single false positive.



