數碼中文坊


[Tutorial] Spam relayed through GOOGLE

Posted 2009-9-10 13:51:05

This post was last edited by 隨風浮雲 on 2009-9-10 01:58 PM

Google's GMAIL offers a convenient mail relay channel: as long as you pay, it gives spammers a very handy platform. Because GMAIL has more and more users, an ordinary mail server is unlikely to block GMAIL's sending hosts, IPs, or sender addresses. Let's look at the following example:

Thu 2009-09-10 11:29:23: [9499:1] Session 9499; child 1; thread 1944
Thu 2009-09-10 11:28:19: [9499:1] Accepting SMTP connection from [209.85.212.142 : 57745]
Thu 2009-09-10 11:28:19: [9499:1] Performing PTR lookup (142.212.85.209.IN-ADDR.ARPA)
Thu 2009-09-10 11:28:19: [9499:1] *  D=142.212.85.209.IN-ADDR.ARPA TTL=(1324) PTR=[mail-vw0-f142.google.com]
Thu 2009-09-10 11:28:19: [9499:1] *  Gathering A records...
Thu 2009-09-10 11:28:19: [9499:1] *  D=mail-vw0-f142.google.com TTL=(1380) A=[209.85.212.142]
Thu 2009-09-10 11:28:19: [9499:1] ---- End PTR results
Thu 2009-09-10 11:28:19: [9499:1] --> 220 company.com.tw ESMTP MAIL ready
Thu 2009-09-10 11:28:19: [9499:1] <-- EHLO mail-vw0-f142.google.com
Thu 2009-09-10 11:28:19: [9499:1] Performing IP lookup (mail-vw0-f142.google.com)
Thu 2009-09-10 11:28:19: [9499:1] *  D=mail-vw0-f142.google.com TTL=(1340) A=[209.85.212.142]
Thu 2009-09-10 11:28:19: [9499:1] ---- End IP lookup results
Thu 2009-09-10 11:28:19: [9499:1] EHLO/HELO response delayed 10 seconds
Thu 2009-09-10 11:28:29: [9499:1] --> 250-company.com.tw Hello mail-vw0-f142.google.com, pleased to meet you
Judging from the HELO section above, this is just an ordinary GMAIL host sending mail; nothing unusual at all.
Thu 2009-09-10 11:28:29: [9499:1] --> 250-ETRN
Thu 2009-09-10 11:28:29: [9499:1] --> 250-AUTH=LOGIN
Thu 2009-09-10 11:28:29: [9499:1] --> 250-AUTH LOGIN CRAM-MD5
Thu 2009-09-10 11:28:29: [9499:1] --> 250-8BITMIME
Thu 2009-09-10 11:28:29: [9499:1] --> 250 SIZE 0
Thu 2009-09-10 11:28:29: [9499:1] <-- MAIL FROM:<grbounce-ZI6zAgUAAABqs8cT52krMJoC9vgr3s_V=Johndoe=company.com.tw@googlegroups.com>
Here the spam-sending program cleverly used a syntax that puts the recipient's EMAIL address inside the sender address,
but when you receive the message in OUTLOOK or another mail client, unless you look carefully you cannot see the sender's actual EMAIL.

Thu 2009-09-10 11:28:29: [9499:1] Performing IP lookup (googlegroups.com)
Thu 2009-09-10 11:28:30: [9499:1] *  D=googlegroups.com TTL=(35) A=[72.14.247.104]
Thu 2009-09-10 11:28:30: [9499:1] *  D=googlegroups.com TTL=(35) A=[64.233.169.104]
Thu 2009-09-10 11:28:30: [9499:1] *  P=005 S=000 D=googlegroups.com TTL=(28) MX=[gmr-smtp-in.l.google.com] {209.85.222.206}
Thu 2009-09-10 11:28:30: [9499:1] *  P=010 S=001 D=googlegroups.com TTL=(28) MX=[alt2.gmr-smtp-in.l.google.com] {209.85.211.205}
Thu 2009-09-10 11:28:30: [9499:1] *  P=010 S=002 D=googlegroups.com TTL=(28) MX=[alt1.gmr-smtp-in.l.google.com] {209.85.223.208}
Thu 2009-09-10 11:28:30: [9499:1] ---- End IP lookup results
Thu 2009-09-10 11:28:30: [9499:1] --> 250 <grbounce-ZI6zAgUAAABqs8cT52krMJoC9vgr3s_V=Johndoe=company.com.tw@googlegroups.com>, Sender ok
Thu 2009-09-10 11:28:30: [9499:1] <-- RCPT TO:<[email protected]>
Thu 2009-09-10 11:28:30: [9499:1] Performing DNS-BL lookup (209.85.212.142 - connecting IP)
Thu 2009-09-10 11:28:30: [9499:1] *  sbl-xbl.spamhaus.org - passed
Thu 2009-09-10 11:28:50: [9499:1] *  opm.blitzed.org - timed out (10 second wait)
Thu 2009-09-10 11:28:50: [9499:1] *  relays.ordb.org - failed
Thu 2009-09-10 11:28:51: [9499:1] *  bl.spamcop.net - passed
Thu 2009-09-10 11:28:51: [9499:1] *  cblless.anti-spam.org.cn - passed
Thu 2009-09-10 11:28:51: [9499:1] ---- End DNS-BL results
Thu 2009-09-10 11:28:51: [9499:1] --> 250 <[email protected]>, Recipient ok
Thu 2009-09-10 11:28:51: [9499:1] <-- DATA
Thu 2009-09-10 11:28:51: [9499:1] Creating temp file (SMTP): c:\mdaemon\queues\temp\md50000005213.tmp
No matter how you do forward or reverse lookups, or check the DNS-BLs, it is a legitimate host, and the scoring mechanism can't do anything about it either.
Thu 2009-09-10 11:28:51: [9499:1] --> 354 Enter mail, end with <CRLF>.<CRLF>
Thu 2009-09-10 11:28:51: [9499:1] Message size: 3125 bytes
Thu 2009-09-10 11:28:51: [9499:1] Passing message through AntiVirus (Size: 3125)...
Thu 2009-09-10 11:28:51: [9499:1] *  Message is clean (no viruses found)
Thu 2009-09-10 11:28:51: [9499:1] ---- End AntiVirus results
Thu 2009-09-10 11:28:52: [9499:1] Passing message through Outbreak Protection...
Thu 2009-09-10 11:28:52: [9499:1] *  Message-ID: 2d8c3502-5b62-40f6-8fc6-6f27be23b80c@k13g2000prh.googlegroups.com
Thu 2009-09-10 11:28:52: [9499:1] *  Reference-ID: str=0001.0A150201.4AA87270.00B1,ss=1,fgs=0
Thu 2009-09-10 11:28:52: [9499:1] *  Virus result: 0 - Clean
Thu 2009-09-10 11:28:52: [9499:1] *  Spam result: 1 - Clean
Thu 2009-09-10 11:28:52: [9499:1] *  IWF result: (requires MDaemon 9.60 or higher)
Thu 2009-09-10 11:28:52: [9499:1] ---- End Outbreak Protection results
Thu 2009-09-10 11:28:52: [9499:1] Passing message through Spam Filter (Size: 3125)...
Thu 2009-09-10 11:28:52: [9499:1] *  2.3 X_IP Message has X-IP header
Thu 2009-09-10 11:28:52: [9499:1] *  3.0 MDAEMON_DNSBL MDaemon: marked by MDaemon's DNSBL
Thu 2009-09-10 11:28:52: [9499:1] *  1.6 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
Thu 2009-09-10 11:28:52: [9499:1] *      [score: 0.4989]
Thu 2009-09-10 11:28:52: [9499:1] ---- End SpamAssassin results
Thu 2009-09-10 11:28:52: [9499:1] Spam Filter score/req: 7.00/10.0
About the only thing that adds points is the Bayesian recognition system, but this guy, whatever business he is from, changes the subject and the content every day, and is also clever enough never to go over 10 points, so our company's users can still all see the messages he sends.
Thu 2009-09-10 11:28:52: [9499:1] Message creation successful: c:\mdaemon\queues\inbound\md50000136730.msg
Thu 2009-09-10 11:28:52: [9499:1] --> 250 Ok, message saved <Message-ID: 2d8c3502-5b62-40f6-8fc6-6f27be23b80c@k13g2000prh.googlegroups.com>
Thu 2009-09-10 11:29:23: [9499:1] <-- QUIT
Thu 2009-09-10 11:29:23: [9499:1] --> 221 See ya in cyberspace
Thu 2009-09-10 11:29:23: [9499:1] SMTP session successful (Bytes in/out: 3298/497)
Thu 2009-09-10 11:29:23: ----------

The current passive approach is to add *[email protected] to the restricted mail addresses and the blacklist; in theory no idiot would use this EMAIL.
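As an added example (not code from the original post), the following Python script does by machine the check the post does by eye: it parses the MAIL FROM and RCPT TO lines of an MDaemon-style session log, decodes the googlegroups.com grbounce VERP form, and flags a session in which the address embedded in the envelope sender is the delivery recipient itself. The log lines are constructed for this example, modelled on the session above; the recipient address Johndoe@company.com.tw is an assumption, taken from the local part and domain embedded in the grbounce sender, since the post's log redacts the real one.

```python
"""Added example: decode a Google Groups VERP bounce sender from an SMTP session log.

Form of the sender: grbounce-<token>=<localpart>=<domain>@googlegroups.com
The interesting signal is when <localpart>@<domain> equals the RCPT TO address,
i.e. the sender address was generated for this very recipient.
"""

import re

# Constructed sample session (not the page's verbatim log); the recipient
# Johndoe@company.com.tw is an assumption matching the grbounce sender.
SAMPLE_LOG = """\
Thu 2009-09-10 11:28:19: [9499:1] Accepting SMTP connection from [209.85.212.142 : 57745]
Thu 2009-09-10 11:28:19: [9499:1] <-- EHLO mail-vw0-f142.google.com
Thu 2009-09-10 11:28:29: [9499:1] <-- MAIL FROM:<grbounce-ZI6zAgUAAABqs8cT52krMJoC9vgr3s_V=Johndoe=company.com.tw@googlegroups.com>
Thu 2009-09-10 11:28:30: [9499:1] <-- RCPT TO:<Johndoe@company.com.tw>
Thu 2009-09-10 11:28:52: [9499:1] Spam Filter score/req: 7.00/10.0
"""

MAIL_FROM_RE = re.compile(r"<-- MAIL FROM:<([^>]*)>")
RCPT_TO_RE = re.compile(r"<-- RCPT TO:<([^>]*)>")
SCORE_RE = re.compile(r"Spam Filter score/req: ([\d.]+)/([\d.]+)")
# grbounce-<token>=<localpart>=<domain>@googlegroups.com (case-insensitive domain)
GRBOUNCE_RE = re.compile(r"^grbounce-([^=]+)=([^=]+)=([^@]+)@googlegroups\.com$", re.I)


def parse_session(log_text):
    """Pull envelope sender, recipients and spam score/threshold out of one session."""
    session = {"mail_from": None, "rcpt_to": [], "score": None, "req": None}
    for line in log_text.splitlines():
        if m := MAIL_FROM_RE.search(line):
            session["mail_from"] = m.group(1)
        elif m := RCPT_TO_RE.search(line):
            session["rcpt_to"].append(m.group(1))
        elif m := SCORE_RE.search(line):
            session["score"], session["req"] = float(m.group(1)), float(m.group(2))
    return session


def decode_grbounce(sender):
    """Return (token, embedded_address) for a Google Groups VERP sender, else None."""
    m = GRBOUNCE_RE.match(sender or "")
    if not m:
        return None
    token, local, domain = m.groups()
    return token, f"{local}@{domain}"


def analyze(log_text):
    """Flag a session whose googlegroups.com VERP sender encodes the recipient itself."""
    s = parse_session(log_text)
    verp = decode_grbounce(s["mail_from"])
    embedded = verp[1] if verp else None
    matches = embedded is not None and any(
        embedded.lower() == r.lower() for r in s["rcpt_to"])
    return {
        "mail_from": s["mail_from"],
        "embedded_recipient": embedded,
        "verp_matches_recipient": matches,
        # True when the message was accepted below the filter's reject threshold
        "under_threshold": s["score"] is not None and s["score"] < s["req"],
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

One caveat before turning this into a hard block: every message Google Groups delivers to a subscriber carries a grbounce VERP sender of exactly this shape (that is how Google learns which subscriber's address bounced), so a matching VERP only proves the recipient is subscribed to some group, not that the mail is spam. It is better used as a scoring signal, or to pick out which group the recipient was subscribed to without asking, than as a blanket reject of googlegroups.com.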
Posted 2009-9-10 15:37:12
This has given me a headache for a long time too; passive as it is, it's still a good method!