My displeasure for the “send me money” scammers has been documented in previous entries so I won’t bore you with that again, although I did want to talk about an idea I had to fight those losers. Basically I want to write SMTP gateway Anti-SPAM policy that can filter for IP address ranges (dashed range or CIDR) in ANY received header. I have a feature request into our vendor for this very ability and am looking forward to seeing how well it will work if they can make it happen.
My reasoning behind this is to fill in a gap that I see in the current Anti-SPAM tactics, which are mainly sender IP reputation and content matching. 419 emails seem to be best making it through those traps because the “last hop” before your SMTP server is some bot host here in US or the most commonly they are sent from a free email service directly (Yahoo, Gmail, Hotmail, etc) so sender reputation isn’t all that effective (neither is SPF, SenderID, DKIM) and since they are very businesslike text, content catching the Spammyness is also hard. However, if I was able to look for trouble country IP ranges in any of the SMTP Received lines there’s a good chance I could catch many of these sent from or through foreign nations.
See some of the free webmail providers include this line to show the IP address of the computer that sent the through the browser.
Received: from [188.8.131.52] by web36802.mail.mud.yahoo.com via HTTP; Sun, 31 May 2009 17:00:44 PDT
Being able to filter on the CIDR ranges (countryipblocks.net or maxmind.com) in any received line, not just the last one with sender reputation, would greatly increase the granularity for keyword lists. For example you can write a 419 keyword policy but you will get MANY false positives if you apply it to all email, whereas I’d like to check it only if the email was sent from or through for example Nigeria, China, Romania, Russia, or Poland IP ranges. Pseudo policy below….
If (dictionary-contains (‘SPAM_Keywords_BodyorAttachments’)) AND
If (header-dictionary-received-contains (‘NigerianIPs’))
Quarantine (‘419 from Nigeria’);
I’ll update my blog if I’m able to apply this and how effective it is.