Rules top: Identifying spoofed hotmail.com

Clay Loveless
Oct 14, 2001, 12:40:19 PM

I've been chatting with a friend of mine who works for Microsoft in the
"Hotmail department", and he told me that Hotmail adds an "X-Originating-IP"
header to all outbound messages.

So, if you set up this rule:

From is *@hotmail.com
Header Field is not X-Originating-IP: *

... You should be able to identify bogus hotmail.com mail, which is almost
guaranteed to be spam, and do with it what you like in the actions.

For the time being, I've added an "X-SpamWarning: probably" header and let
my users know they can set up a rule on their mail clients to check for that
... But after awhile, once this rule proves to be highly reliable, I'll just
start rejecting these messages.

Hope this helps to stem the flow out there. : )

-Clay

___________________________
Clay Loveless
Webmaster, Crawlspace
http://www.crawlspace.com/


#############################################################
This message is sent to you because you are subscribed to
the mailing list <CGat...@mail.stalker.com>.
To unsubscribe, E-mail to: <CGateP...@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePr...@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePr...@mail.stalker.com>
Send administrative queries to <CGatePro...@mail.stalker.com>

Greg
Oct 14, 2001, 12:57:20 PM

Confirmed. I sent myself the following message. The subject was 'test',
and the message body was 'test'. What follows is the entire message source:

Return-Path: <mfe...@hotmail.com>
Received: from [64.4.14.100] (HELO hotmail.com)
by thoroughcalibration.com (CommuniGate Pro SMTP 3.4.7)
with ESMTP id 1400065 for gfe...@thoroughcalibration.com; Sun, 14 Oct
2001 09:51:30 -0700
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Sun, 14 Oct 2001 09:51:30 -0700
X-Originating-IP: [192.216.138.7]
From: "Greg Feneis" <mfe...@hotmail.com>
To: <gfe...@thoroughcalibration.com>
Subject: test
Date: Sun, 14 Oct 2001 09:51:23 -0700
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Message-ID: <OE42OM3G80cEe...@hotmail.com>
X-OriginalArrivalTime: 14 Oct 2001 16:51:30.0506 (UTC)
FILETIME=[791E8AA0:01C154D0]

test


In this case, the field of interest is:

X-Originating-IP: [192.216.138.7]

Regards,

Greg Feneis

Thorough Calibration & Design
120 Mast St. Suite C
Morgan Hill, CA 95037

Telephone: 408-776-6686 eFax: 413-215-8316

www.thoroughcalibration.com


~~~~

CGP List Account
Oct 14, 2001, 5:32:55 PM

Thanks for the info Clay!!

WJ

Clay Loveless
Oct 14, 2001, 6:06:46 PM

Interesting input -- but would require

A) people who'd use their company's SMTP server to send Hotmail messages
out

B) That company's mail server to be an open relay, if I'm not mistaken

... In which case, it seems pretty legit to screen/bounce, if the long-term
goal is the reduction of spam.

The question you've got to ask is: Who else is using your company's mail
server to send out messages appearing to originate from hotmail.com?

All my rule says is: If a hotmail.com message doesn't have an
"X-Originating-IP" header, it's not a legitimate, authentic hotmail.com
message. And I believe that despite the case you're mentioning, that's still
a true statement.

-Clay

___________________________
Clay Loveless
Webmaster, Crawlspace
http://www.crawlspace.com/

> From: "Aaron Blosser" <wabl...@yahoo.com>
> Reply-To: <CGat...@mail.stalker.com> (CommuniGate Pro Discussions)
> Date: Sun, 14 Oct 2001 14:42:49 -0700
> To: <CGat...@mail.stalker.com> (CommuniGate Pro Discussions)
> Subject: Re: Rules top: Identifying spoofed hotmail.com
>
> Oop... bad form replying to my own message, but...
>
> I guess you could always have it reject such messages with something like
> "Email from Hotmail accounts MUST come from Hotmail servers"
>
> Just a thought.
>
> ----- Original Message -----
> From: "Aaron Blosser" <wabl...@yahoo.com>
> To: "CommuniGate Pro Discussions" <CGat...@mail.stalker.com>
> Sent: Sunday, October 14, 2001 2:30 PM
> Subject: Re: Rules top: Identifying spoofed hotmail.com
>
>
>> Hmm... the only real problem I can see with this is if a legitimate Hotmail
>> user uses their own SMTP server to send email...
>>
>> For instance, I have a Hotmail account that I basically use as a
>> "throwaway"... pages that require an email address to download trial
>> software, etc, I just use the Hotmail account since I don't care too much if
>> it gets a lot of SPAM. But there are times when I want to send an email that
>> has my Hotmail as the return address, but rather than use the Hotmail
>> servers which add the footer to the bottom, I just use my company's email
>> server.
>>
>> So, it's a Hotmail address but doesn't have that header field. With your
>> rule, it would be rejected even though it's not SPAM.
>>
>> Dunno how many Hotmail users would do it like that, but there's bound to be
>> others besides me who do that.

Clay Loveless
Oct 14, 2001, 11:25:59 PM

Well, there you go -- I was mistaken. : )

I guess that since "Hotmail account" is a setup option in several Microsoft
mail clients, I just assumed there was a regular SMTP authentication process
as with a regular POP/IMAP account. There IS an SMTP server involved, I
believe ... Hotmail headers often include:

Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;

As you said, the rule I proposed could be used with a bounce message stating
that e-mail needs to come in using the web or Microsoft mail app interfaces
... OR combine those rule parameters with other tests for spam in subject
lines, etc.

-Clay

___________________________
Clay Loveless
Webmaster, Crawlspace
http://www.crawlspace.com/

> From: "Aaron Blosser" <wabl...@yahoo.com>
> Reply-To: <CGat...@mail.stalker.com> (CommuniGate Pro Discussions)
> Date: Sun, 14 Oct 2001 15:52:06 -0700
> To: <CGat...@mail.stalker.com> (CommuniGate Pro Discussions)
> Subject: Re: Rules top: Identifying spoofed hotmail.com
>
> Well, like I said, I do it. First off, I don't think Hotmail has an SMTP
> server... so to send, you need to use the webmail, and I hate using that.
>
> Using my company's email server is no big deal... it sure isn't an open
> relay, but it allows relay if you authenticate, and since I work there, I
> can authenticate (not to mention, I run the server, so I could do whatever I
> want...)...
>
> But like I said, rejecting it with some message saying that you don't accept
> Hotmail addresses from non-Hotmail servers would be okay probably...

Peter Lalor
Oct 16, 2001, 3:21:05 PM

According to some people I know, some spammers already do forge that
header. They suggest this as a better rule (for sendmail):

From is *@hotmail.com
Connecting-host !~ /\.(hotmail|msn|microsoft)\.com$/

Can this be done in CGP, preferably without resorting to an external filter?

>From: Stefan Seiz <Talk...@index-s.de>
>
>I wonder how long it will take until SPAMMERS also add this header ;-)
>
>On 14.10.2001 18:40 Uhr, Clay Loveless<li...@crawlspace.com> wrote:
>
>> I've been chatting with a friend of mine who works for Microsoft in the
>> "Hotmail department", and he told me that Hotmail adds an "X-Originating-IP"
>> header to all outbound messages.

--

Peter Lalor
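As an added example that is not part of this thread or of CommuniGate Pro, here are both rules side by side in Python: Clay's check from the first post (From is *@hotmail.com and no X-Originating-IP header) and the connecting-host check Peter quotes above, applied to constructed messages whose headers are modeled on the source Greg posted. The sample addresses, the relay host name, the reverse-DNS table and the X-SpamWarning tagging are assumptions made so the code runs offline; nothing here is the list's own filter.

```python
"""Both spoofed-hotmail.com rules from the thread, run offline on constructed mail."""
import email
import re
from email.utils import parseaddr

# Stand-in for reverse DNS so the example runs offline. Names are assumed, not
# real records; a production filter uses the rDNS name its own MTA resolved.
FAKE_RDNS = {
    "64.4.14.100": "law2-f100.hotmail.com",  # assumed Hotmail outbound host
    "198.51.100.5": "relay.example.org",     # assumed company relay (Aaron's case)
}

# The sendmail pattern Peter's contacts suggested, as written in the thread.
HOTMAIL_HOSTS = re.compile(r"\.(hotmail|msn|microsoft)\.com$", re.IGNORECASE)

# CommuniGate Pro's trace format, from Greg's sample:
#   Received: from [64.4.14.100] (HELO hotmail.com) by ...
RECEIVED_FROM = re.compile(
    r"from\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s*(?:\(HELO\s+(?P<helo>[^\s)]+)\))?",
    re.IGNORECASE,
)

TRACE = (" by mail.example.net (CommuniGate Pro SMTP 3.4.7)\n"
         " with ESMTP id 1400065 for user@example.net; Sun, 14 Oct 2001 09:51:30 -0700\n")

# Constructed messages (documentation addresses), modeled on the thread's headers.
SAMPLES = {
    # Real Hotmail: connects from a Hotmail IP and carries X-Originating-IP.
    "legit": "Received: from [64.4.14.100] (HELO hotmail.com)\n" + TRACE
             + "Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;\n"
             " Sun, 14 Oct 2001 09:51:30 -0700\n"
             "X-Originating-IP: [192.0.2.7]\n"
             'From: "Greg" <someone@hotmail.com>\nTo: <user@example.net>\nSubject: test\n\ntest\n',
    # Spammer forges the HELO name but not the header.
    "spoof": "Received: from [203.0.113.9] (HELO hotmail.com)\n" + TRACE
             + "From: <offer@hotmail.com>\nTo: <user@example.net>\nSubject: hi\n\nspam\n",
    # Aaron's case: his Hotmail address sent through his company's authenticated relay.
    "relayed_user": "Received: from [198.51.100.5] (HELO relay.example.org)\n" + TRACE
             + 'From: "Aaron" <throwaway@hotmail.com>\nTo: <user@example.net>\nSubject: hi\n\nreal mail\n',
}
# Spammer who also forges X-Originating-IP, as Stefan and Peter anticipate.
SAMPLES["spoof_forged_header"] = SAMPLES["spoof"].replace(
    "From:", "X-Originating-IP: [10.1.2.3]\nFrom:", 1)


def from_domain(msg):
    """Domain of the From: address, lower-cased ('' if unparseable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def connecting_host(msg):
    """(ip, helo) from the topmost Received: line, the one our own MTA wrote.
    Everything below it was supplied by the sender and may be forged."""
    received = msg.get_all("Received") or []
    m = RECEIVED_FROM.search(received[0]) if received else None
    if not m:
        return None, None
    return m.group("ip"), (m.group("helo") or "").lower() or None


def clay_rule(msg):
    """Clay's rule: From *@hotmail.com and no X-Originating-IP header."""
    return from_domain(msg) == "hotmail.com" and msg.get("X-Originating-IP") is None


def peter_rule(msg, resolver=FAKE_RDNS.get):
    """Peter's rule: From *@hotmail.com but the connecting host's rDNS name is not
    under hotmail/msn/microsoft.com. HELO is ignored: the client chooses it."""
    if from_domain(msg) != "hotmail.com":
        return False
    ip, _helo = connecting_host(msg)
    name = resolver(ip) if ip else None
    return not (name and HOTMAIL_HOSTS.search(name))


def classify(raw, resolver=FAKE_RDNS.get):
    """Run both rules; when either fires, tag the message the way Clay does
    (add X-SpamWarning: probably) instead of rejecting it outright."""
    msg = email.message_from_string(raw)
    ip, _ = connecting_host(msg)
    hits = [name for name, fired in (("clay", clay_rule(msg)),
                                     ("peter", peter_rule(msg, resolver))) if fired]
    if hits:
        msg["X-SpamWarning"] = "probably"
    return {"from_domain": from_domain(msg), "connecting_ip": ip,
            "rdns": resolver(ip) if ip else None, "flagged_by": hits,
            "message": msg.as_string()}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:20s} flagged_by={classify(raw)['flagged_by']}")
```

Two things the samples make visible. Only the connecting-host rule catches the message with a forged X-Originating-IP, and it does so because it keys on the reverse-DNS name of the IP our own MTA saw, not on the HELO string, which the client picks. Both rules flag Aaron's relayed message, which is the false positive the thread settles on handling with an explanatory bounce rather than silent rejection. Note also that the regex as quoted requires a host under one of those domains (a bare "hotmail.com" rDNS name would not match it).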