When spammers send through shared infrastructure (free mail providers, hosting services, mailing-list platforms), filtering on the domain name alone is insufficient, because the same domain also carries legitimate mail. Username filtering works, but only if the username is first purged of the randomizing characters that several common address-encoding schemes insert on every message.
For the Mail From address, BATV (“Bounce Address Tag Validation”) is often used to detect invalid bounces caused by backscatter or direct fraud: a per-message tag is inserted into the username so that a bounce whose tag does not validate can be rejected. There are three different BATV schemes in use:
- prvs=*=username1@example.com
This is the original format, developed by John Levine and available as an IETF draft that was allowed to expire.
- btv1==*==username1@example.com
This is a variant of the original idea, as implemented by Barracuda Networks.
- msprvs1=*=username1@example.com
This is a variant of the original idea, as implemented by Microsoft.
In each case, the asterisks represent tag strings that can be different on each message.
SRS (“Sender Rewriting Scheme”) was originally developed so that forwarded mail would still pass SPF: the forwarder replaces the Mail From domain with its own while recording the original sender in the username portion. Each forwarding domain is prepended onto the username portion of the Mail From address, so the encoding documents the forwarding path.
- srs0=*=*=domain1=username1@domain2
This represents a single forward from username1@domain1 through domain2.
- srs1=*=domain2==*=*=domain1=username1@domain3
This represents a double forward, starting from username1@domain1 through domain2 and then through domain3 to the final recipient.
- srs1=*=domain3==*=domain2==*=*=domain1=username1@domain4
This represents a triple forward from username1@domain1 through domain2, then domain3, then finally domain4. (The published SRS specification has later forwarders keep only the first forwarder's domain in an SRS1 address rather than nesting a new layer, so a normalizer should accept both the chained form above and the flat two-domain form.)
Although SRS0 was developed to document forwarding, some hosting services use it as a bounce detection mechanism: the “forwarded for” domain is the client's user and domain, while the forwarding domain is the hosting service's domain. This also ensures that outbound messages produce an SPF PASS based on the hosting service's domain. As with the BATV techniques, the asterisks indicate random characters that can change on every message.
Plus addressing (also called subaddressing) is designed to permit automatic filing of specific messages in specific folders. The receiving server ignores everything from the plus (‘+’) character onward when deciding which account should receive the message, so with plus addressing a single account can have an unlimited number of unique email addresses.
Some mass mailers embed the recipient's username and domain in the username portion of the Mail From address, a technique called VERP (“Variable Envelope Return Path”). When a message bounces, the VERP component tells the sender exactly which recipient triggered the bounce, even when the bounce message itself does not quote the original recipient.
For spam filtering, the problem with all of these techniques is that the From or Mail From address will not be consistent from one message to the next, so a block rule based on the full address will never be triggered. To remedy this problem, a spam filter should standardize the address before looking for a block or allow rule that includes a username portion. After purging all of the encoding, the three BATV techniques resolve down to a simple username@domain. SRS encoding resolves down to a domain string with the encoding domain3==domain2==domain1=username@domain4. Similarly, plus addressing simplifies from user+suffix@domain to user@domain. VERP addressing simplifies from user-ToDomain-ToUser@domain to user--@domain.
Recent Uses:
We have been getting fraudulent messages from Google Groups to which we have never subscribed. We cannot block everything from @googlegroups.com because we also have users participating in legitimate groups. Removing the plus addressing has allowed us to separate the wanted messages from the unwanted ones.
We also have fraudulent messages coming from Gmail.com using plus addressing. Stripping off the suffix allows us to ensure that future messages from that account will be reliably blocked.
Other Uses:
After simplifying and standardizing both the From and Mail From addresses, one can reliably compare the two to see whether they represent one sender or two.
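The normalizer below is an added example, not code from the original page or from any filtering product; it implements the standardization described above (BATV, SRS0/SRS1 including the chained form, plus addressing and VERP) and the From/Mail From comparison just mentioned. The sample addresses, hash and tag values are constructed placeholders, and the rule for recognizing hyphen-style VERP (the middle component must look like a domain) is this example's own heuristic, not a standard.

```python
"""Address normalizer for block/allow rules (added example, not the page's own code).

Collapses BATV, SRS, plus-addressing and VERP into the stable form the article
proposes: username@domain for BATV, plus and VERP, and
domainN==...==domain1=username@domain for SRS.  Samples are constructed.
"""
import re

# BATV wrappers sit at the front of the local part and carry a per-message tag:
#   prvs=TAG=user   btv1==TAG==user   msprvs1=TAG=user
_BATV = re.compile(r'^(?:prvs=[^=]*=|btv1==[^=]*==|msprvs1=[^=]*=)(.+)$')

# VERP in the user-ToDomain-ToUser shape.  Heuristic (this example's assumption):
# the middle component must contain a dot, so ordinary hyphenated usernames survive.
_VERP = re.compile(r'^([^-]+)-([^-]+\.[^-]+)-([^-]+)$')


def strip_batv(local):
    """Remove a prvs/btv1/msprvs1 wrapper, returning the inner username."""
    m = _BATV.match(local)
    return m.group(1) if m else local


def decode_srs(local):
    """Unwrap SRS0/SRS1.  Returns (forwarder_chain, original_user) or None.

      srs0=HASH=TT=domain1=user                -> (['domain1'], 'user')
      srs1=HASH=domain2==HASH=TT=domain1=user  -> (['domain2', 'domain1'], 'user')
    Nested SRS1 layers (domain3==...==domain2==...) are peeled off in order.
    """
    chain = []
    if local.startswith('srs1='):
        body = local[5:]
        while '==' in body:                 # each SRS1 layer: HASH=forwarder==
            head, body = body.split('==', 1)
            parts = head.split('=', 1)
            if len(parts) != 2:
                return None
            chain.append(parts[1])
    elif local.startswith('srs0='):
        body = local[5:]
    else:
        return None
    parts = body.split('=', 3)              # HASH, TT, domain1, user (user may hold '=')
    if len(parts) != 4:
        return None
    chain.append(parts[2])
    return chain, parts[3]


def strip_plus(local):
    """Plus addressing: user+anything -> user.  This also flattens plus-style
    VERP such as list-bounces+user=domain to the mailer's own account."""
    return local.split('+', 1)[0]


def collapse_verp(local):
    """Hyphen-style VERP: user-ToDomain-ToUser -> user-- (as the article proposes)."""
    m = _VERP.match(local)
    return m.group(1) + '--' if m else local


def normalize(address):
    """Stable username@domain (or SRS chain) form for rule matching.
    Lower-casing the whole address is this example's choice."""
    address = address.strip().lower()
    if '@' not in address:
        return address
    local, domain = address.rsplit('@', 1)
    local = strip_batv(local)               # BATV applied by the sending host
    srs = decode_srs(local)
    if srs:
        chain, user = srs
        user = strip_batv(user)             # BATV that a forwarder later SRS-wrapped
        user = collapse_verp(strip_plus(user))
        local = '=='.join(chain) + '=' + user
    else:
        local = collapse_verp(strip_plus(local))
    return local + '@' + domain


def is_blocked(address, block_rules):
    """A block rule written as plain username@domain now matches every tagged variant."""
    return normalize(address) in {normalize(r) for r in block_rules}


def same_person(header_from, mail_from):
    """Do the From header and the Mail From envelope resolve to the same sender?"""
    return normalize(header_from) == normalize(mail_from)


# Constructed sample addresses; hashes and tags are placeholders.
SAMPLES = {
    'prvs=1a2b3c4d5e=alice@example.com': 'alice@example.com',
    'btv1==0123abcd==alice@example.com': 'alice@example.com',
    'msprvs1=19f3a4b5c6=alice@example.com': 'alice@example.com',
    'srs0=ab12=cd=domain1=username1@domain2': 'domain1=username1@domain2',
    'srs1=ef34=domain2==ab12=cd=domain1=username1@domain3':
        'domain2==domain1=username1@domain3',
    'srs1=gh56=domain3==ef34=domain2==ab12=cd=domain1=username1@domain4':
        'domain3==domain2==domain1=username1@domain4',
    'Alice+newsletter@gmail.com': 'alice@gmail.com',
    'bounces-example.net-bob@lists.example.org': 'bounces--@lists.example.org',
    'list-bounces+bob=example.net@lists.example.org': 'list-bounces@lists.example.org',
    'srs0=ab12=cd=example.com=alice+tag@forwarder.example': 'example.com=alice@forwarder.example',
}

if __name__ == '__main__':
    for raw, expected in SAMPLES.items():
        got = normalize(raw)
        print('OK  ' if got == expected else 'FAIL', raw, '->', got)
```

Run the normalizer on both the From header address and the Mail From envelope address before any rule lookup; the rules themselves can then be written as plain username@domain. A local part that is SRS-wrapped and also carries BATV is handled because the BATV strip runs again on the user recovered from the SRS body. The hyphen-style VERP rule will not recognize a ToDomain that itself contains a hyphen; if your mailers use that shape, tighten the regular expression to the pattern they actually emit.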