Update to filter IP ranges in SMTP headers…

I have an email address set up that customers can send false negative SPAM to should it get through the Email gateways.  One I received the other day shows just how allowing country IP blocks to be searched would benefit anti-spam gateways to clean up the relatively few number of false negatives they let through. I blogged about that below.

 The below is a cleaned up part header of an email one of my coworkers received that was a 419 SPAM with a word attachment delivering the social engineering “payload.”  It was sent from what I believe to be a Sun OS webmail server from a large well known east coast university ( I have notified the who-is abuse contact already.)   The IP from Nigeria (, is what directly connected to the webmail server with an account of a college user and sent the SPAM through an already trusted infrastructure.  If the college or I was able to search for Nigerian IPs anywhere in the received lines this would have been dropped or quarantined.

Received: from iron1-smtp.xx.xxxx.edu ([xxx.xxx.127.241])  by
SannetSmtp1-in.sannet.gov with ESMTP; 25 Jun 2009 10:09:32 -0700
X-SenderBase: None
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhMJAEZMQ0qApIMj/2dsb2JhbACONYhfgkyocIc9iE6EDQU
X-IronPort-AV: E=Sophos; i=”4.42,291,1243828800“; d=”scan’208″;a=”44717911”
Received: from optimus.xx.xxxxx.edu (HELO xxxx.edu) ([xxx.xxx.131.35])  by iron1-smtp.xx.xxxxx.edu with ESMTP; 25 Jun 2009 13:09:34 -0400
Received: from [] by prime.xx.xxxxx.edu (mshttpd); Thu, 25 Jun
2009 18:09:34 +0100
From: Rxxxxx Hxxxxx <rxxx@xxxxx.edu>
Message-ID: <fce1a4442b7d.4a43bd5e@xxxx.edu>
Date: Thu, 25 Jun 2009 18:09:34 +0100
X-Mailer: Sun Java(tm) System Messenger Express 6.2-7.04 (built Aug 17 2006)
MIME-Version: 1.0
Content-Language: en
Subject: Respond ASAP
X-Accept-Language: en
Priority: normal
Content-Type: text/plain; charset=”us-ascii”
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Return-Path: rxxxx@xxxx.edu


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s