At 08:02 AM 2/16/98 -0600, Philip Guenther wrote:
and then someone(_at_)aol(_dot_)com sends a message to
message that goes to fred(_at_)aol(_dot_)com will have an envelope and header
sender of someone(_at_)aol(_dot_)com, even though the message is coming to the
machines from solen.gac.edu.
And the Message-ID on this message from the original AOL user, it contains
what as the domain portion? I'd lay odds on aol.com unless you have some
goofy sendmail config at gac.edu. Or am I still missing something here?
If the user connects directly to the something(_at_)gac(_dot_)edu SMTP to post
message, I would expect it to be different.
Relatively few mailing lists use Resent- headers. Most generate a
completely new message header with new message-id, preserving only a
few headers from the original message (typically From: and the
recipient headers, but not always). Both methods are RFC compliant.
This isn't my experience, and I'm subscribed to many (>20) lists directly.
Though I agree that not all lists add the Resent- headers (most I use do),
I don't see list traffic with rewritten Message-IDs. This isn't to say it
isn't possible, or possibly predominant in some environment I'm not in.
I'd replace [a-z] with [A-Za-z] just to be on the complete side (otherwise
Unless you've turned on case sensitive matching, adding "A-Z" to the
character class is pointless. As for narrowing the condition, I would
suggest doing so, then seeing if any get through.
Oops, I'm still thinking in terms of STANDARD regular expressions...
Not having any examples of the full range of these addresses seen, I can't
say that 4daddy123 might not be one of the spam addresses - in which case
two-numeric limits at either end would fail to catch it. I rather doubt
I'd be seeing any messages from people with such goofy addresses.
alpha-numeric-alpha, OTOH, has more opportunity for valid addresses (and
just as many, if not more, for spam too).
LOG="ADVISORY: suspect spam
This simple rule template can be placed wherever you might normally be
scanning for something (or at the VERY top of your recipes if you want to
get an accounting of the effect on ALL messages). Insert your conditions,
and you'll get a copy made of matching messages, the regular message will
still be processed normally, and you'll have a diagnostic emitted to your
logfile, which you can fetch with:
grep -A 3 ^ADVISORY: $/Mail/log
I do this whenever I'm considering adding a filter to remove mail from my
mailstream. I also frequently make a standalone filter and extract saved
message traffic to it:
gzip -d -c mailfile.gz | formail -s procmail -m testfile.rc
(the gzip portion being necessary because I compress inactive folders).
Please DO NOT carbon me on list replies. I'll get my copy from the list.
Sean B. Straw / Professional Software Engineering
Post Box 2395 / San Rafael, CA 94912-2395
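
The advisory approach described in the message above, sketched as a procmail recipe. This is an added example, not the recipe from the original message; the condition, the folder name `suspect-spam` and the LOGFILE path are assumptions to be replaced with your own.

```procmail
# Added example, not the recipe from the original post.
# Assumed log location; use whatever your rc file already sets.
LOGFILE=$HOME/Mail/log

# Candidate condition (an assumption for illustration): a local part made of
# digits, letters, digits at aol.com. procmail matches case-insensitively
# unless the D flag is given, so [a-z] already covers upper case.
:0
* ^From:.*[0-9]+[a-z]+[0-9]+@aol\.com
{
  # LOG appends this text to $LOGFILE; the embedded newline ends the entry.
  LOG="ADVISORY: suspect spam
"

  # c  = deliver a copy and keep processing the original message.
  # The trailing colon requests a local lockfile on the folder.
  :0 c:
  suspect-spam
}

# Nothing above delivers the original, so it continues through the
# recipes that follow exactly as it would without this block.
```

Saved as a standalone rc file, the same block can be run over archived mail with the `formail -s procmail -m` pipeline quoted above before the condition is used in a recipe that actually discards mail.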