I've been dealing with this for a few months on a number of lists I manage, as the Bagle virus picks up From lines from received emails on infected computers. From the pattern, it doesn't seem to be an intentional attack against listserves, it's just another #*!&^ virus.

My lists are newsletter-type (with a few approved posters on each). Outlook and Outlook Express, in use by most folks, can't add custom headers. The "Organization" field is now rarely used by folks. Therefore, if I can get smartlist to look at this header field AND have the approved posters use, e.g. the organization "1234", I can have only approved posts get thru my lists.

But I'm not a programmer. I simply bludgeon smartlist into submission, which is pretty easy due to the many easy-to-change parameters. Here's what I came up with:

Filename: rc.local.20

-------- cut here ---------
HEAD=`formail -zx Organization:` # extract the header information

:0fw
* ^Organization:.*\[1234]\
-------- cut here ---------

Alas... it doesn't work. All posts go thru regardless of the contents of the Organization field. Any ideas?

--
Phil

On Tue, Jun 15, 2004 at 02:42:32PM -0500, rgball wrote:
> 1) go through all the list's archives and match information in the bottom-most Received: line to the subscriber's address. Keep all of this in a database (not the dist file).
Can't rely on that. Received: lines can be faked, as long as they're below the point of injection into the system.
If there's spoofing going on, the spoofers are presumably motivated to keep it happening.
You could just rely on a valid PGP signature before passing on the message. But there are very few lists that do this, in large part because most people find PGP too hard to use.
It's still not going to be proof against a determined spoofer but should eliminate the casual spammers.
I first saw spam with fake Received: header lines some time around 1997.
Roger
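
Added example, not part of the original thread: a Python sketch of the point about Received: lines, separating the hops stamped by a relay you run from the ones below the injection point, which the sender could have written. The relay name, relay address, sample message and function names are all constructed for illustration, and the peer regex assumes the common `from helo (rdns [ip]) by host` layout.

```python
import re
from email import message_from_string

# Assumptions for this example: the relay name and address we operate.
OUR_RELAYS = {"mx.lists.example"}
OUR_RELAY_IPS = {"192.0.2.25"}

# Constructed sample message. The second Received line is sender-supplied
# and even claims to have been stamped by our relay.
SAMPLE = """\
Received: from mail.isp.example (mail.isp.example [192.0.2.10])
\tby mx.lists.example with ESMTP id A1; Tue, 15 Jun 2004 14:40:00 -0500
Received: from subscriber-pc.example (subscriber-pc.example [203.0.113.5])
\tby mx.lists.example with ESMTP id B2; Tue, 15 Jun 2004 14:39:00 -0500
Received: from localhost (localhost [127.0.0.1])
\tby subscriber-pc.example with SMTP id C3; Tue, 15 Jun 2004 14:38:00 -0500
From: poster@subscriber.example
Subject: constructed test message

body
"""

BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.I)
# Peer address as logged by the receiving MTA: from helo (rdns [ip])
PEER_RE = re.compile(r"^from\s+\S+\s+\([^)]*\[([0-9a-fA-F.:]+)\]", re.I)

def peer_ip(hop):
    m = PEER_RE.search(hop)
    return m.group(1) if m else None

def split_received(raw):
    """Return (verified, unverified) Received values, newest first."""
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    verified = []
    for hop in hops:
        by = BY_RE.search(hop)
        if not by or by.group(1).lower() not in OUR_RELAYS:
            break                  # not stamped by us: sender-supplied
        verified.append(hop)
        if peer_ip(hop) not in OUR_RELAY_IPS:
            break                  # peer is outside: this is the injection point
    return verified, hops[len(verified):]

def injection_peer(raw):
    """Address our relay recorded for the host that injected the message."""
    verified, _ = split_received(raw)
    return peer_ip(verified[-1]) if verified else None
```

Only the address returned by `injection_peer` was observed by a host you control; a database keyed on the bottom-most Received: line would be keyed on the part of the header the sender writes.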