I have an email address set up that customers can send false negative SPAM to should it get through the Email gateways. One I received the other day shows just how allowing country IP blocks to be searched would benefit anti-spam gateways to clean up the relatively few number of false negatives they let through. I blogged about that below.
The below is a cleaned up part header of an email one of my coworkers received that was a 419 SPAM with a word attachment delivering the social engineering “payload.” It was sent from what I believe to be a Sun OS webmail server from a large well known east coast university ( I have notified the who-is abuse contact already.) The IP from Nigeria ( 220.127.116.11), is what directly connected to the webmail server with an account of a college user and sent the SPAM through an already trusted infrastructure. If the college or I was able to search for Nigerian IPs anywhere in the received lines this would have been dropped or quarantined.
Received: from iron1-smtp.xx.xxxx.edu ([xxx.xxx.127.241]) by
SannetSmtp1-in.sannet.gov with ESMTP; 25 Jun 2009 10:09:32 -0700
X-IronPort-AV: E=Sophos; i=”4.42,291,1243828800“; d=”scan’208″;a=”44717911”
Received: from optimus.xx.xxxxx.edu (HELO xxxx.edu) ([xxx.xxx.131.35]) by iron1-smtp.xx.xxxxx.edu with ESMTP; 25 Jun 2009 13:09:34 -0400
Received: from [18.104.22.168] by prime.xx.xxxxx.edu (mshttpd); Thu, 25 Jun
2009 18:09:34 +0100
From: Rxxxxx Hxxxxx <firstname.lastname@example.org>
Date: Thu, 25 Jun 2009 18:09:34 +0100
X-Mailer: Sun Java(tm) System Messenger Express 6.2-7.04 (built Aug 17 2006)
Subject: Respond ASAP
Content-Type: text/plain; charset=”us-ascii”