Catching fake replies with spamassassin
By ArnY on Sunday 26 November 2006, 14:07 - spam - Permalink
The most common (and useless?) trick used by spammers to fool users is the fake reply method. By adding "Re: <something>" in the subject, spammers assume that the victim will believe it's a reply to one of their mail. Unfortunately for them, the SMTP RFC (rfc 822) offers optional and commonly used headers for defining a reply and Spamassassin can be used to detect when those headers are missing.
The SMTP protocol is weak, very weak, but it offers optional headers that are very commonly used. A reply missing those headers either come from a broken email software or is a fake reply:
in-reply-to (rfc 822, 4.6.2):
The contents of this field identify previous correspon- dence which this message answers. Note that if message iden- tifiers are used in this field, they must use the msg-id specification format.
references rfc822, 4.6.3):
The contents of this field identify other correspondence which this message references. Note that if message identif- iers are used, they must use the msg-id specification format.
Spamassassin provides a way to detect missing headers and to match patterns in other headers. To detect a fake reply,testing the presence of the In-Reply-To and References headers in messages with a subject starting with "Re:" is enough.
Here is how it will looks like in your local.cf file:
# define a few primitive first: # one for subjects starting with "Re:" header __SUBJECT_RE Subject =~ /^Re: / # one for missing In-Reply-To headers header __MISSING_REPLY In-Reply-To =~ /^UNSET$/ [if-unset: UNSET] # one for missing References headers header __MISSING_REF References =~ /^UNSET$/ [if-unset: UNSET] # let's use the primitives to define our filter: meta UN_FAKE_REPLY __SUBJECT_RE && (__MISSING_REPLY || __MISSING_REF) # end of the filter (description and score) describe UN_FAKE_REPLY fake reply score UN_FAKE�_REPLY 2