At 19:32 2005-03-31 +0200, Ruud H.G. van Tol wrote:
> I have seen a lot of those messages for many months now, but
> they were (almost) all caught by existing rules.
Yea, I'd look for other characteristics, not the bogus nametext. The vast
majority of the spam I receive trips a LOT of flags. Received header
count, bogus/no rDNS data for sending host, consumer dialup/broadband
sending host, messageid injected by local MTA, abundance of HTML
constructs, HTML only, invalid dates, hosts claiming to be MY mailhost in
their SMTP greeting, spoofed local users (when the from: is at my domain,
but it can't be resolved as deliverable by my MTA*) -- all of this, and many
other checks are independent of a simple taboo word check say for "viagra"
and the like, which obviously would have nabbed the message provided by the
OP in this thread.
Here's another potential failing of trying to match for the nametext: when
someone addresses a message to multiple recipients (in the To:, rather than
To+Cc), you're going to see other text, possibly with nametext, even if
your address didn't carry nametext, so you could trip up on the OTHER guy's
name (or address). Also, people who add you to their addressbook can put
all manner of comment text in there - it won't necessarily be your
name. Check a mailing list sometime and note the wide variance in the To:
line (for the mailing list itself) based on what people have in their own
addressbooks.
* the check is quite easy, though it involves calling out to the MTA. Since
this is ONLY performed when the FROM_DOMAIN (one of several variables I set
when receiving mail - see my sandbox for the simple extraction) matches our
own domain, it's not hammering the MTA for each message you receive. I
score this very high as a spam indicator - but not 100%:
# 20041213
# if the From: address claims to be from a user or the local system,
# check sendmail to see if the user parses as valid.
# This is intended to catch random username forgeries.
# note the two hostnames are hostnames that resolve to the same actual
# (local) mail server, not two separate servers -- you can't validate accounts
# on another server with this method as written.
# FROM_DOMAIN, CLEANFROM, SENDMAIL and NL are set earlier in the rc file
# (see the sandbox extraction); CLEANFROM is interpolated into a shell
# command line, so it must already be a bare address with no shell
# metacharacters.
:0
* FROM_DOMAIN ?? ^((firsthostname|anotherhostname)\.)?domain\.tld$
{
  VALIDRESULT=`$SENDMAIL -bv $CLEANFROM`
  :0
  * ! VALIDRESULT ?? deliverable:
  {
    SPAMVAL="+180"
    SPAMMISHNESS="${SPAMMISHNESS}${SPAMVAL}"
    SPAMNOTES="${SPAMNOTES}SPAM: ${SPAMVAL} spoofed local user $CLEANFROM${NL}"
  }
}
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
____________________________________________________________
procmail mailing list
Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
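The spoofed-local-user check from the recipe above, reimplemented as an added shell example (not the original poster's code) so the logic can be run without a live MTA; the local-domain pattern, the VERIFY_CMD hook and the fake_sendmail_bv stub are assumptions of this example.

```shell
# Added example (not the original poster's code): the spoofed-local-user check
# as plain shell, with the MTA call-out pluggable (VERIFY_CMD) for offline use.
LOCAL_DOMAIN_RE='^((firsthostname|anotherhostname)\.)?domain\.tld$'  # hypothetical
VERIFY_CMD=${VERIFY_CMD:-"sendmail -bv"}   # asks the MTA whether an address resolves
# Bare address from a From: header value ("Name <a@b>" or "a@b").
extract_address() {
    case "$1" in
        *\<*\>*) printf '%s\n' "$1" | sed 's/.*<\([^>]*\)>.*/\1/' ;;
        *)       printf '%s\n' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]].*$//' ;;
    esac
}

# Only a plain address (one @, restricted charset) goes onto a shell command line.
address_is_safe() {
    case "$1" in
        ''|*@*@*|*[!A-Za-z0-9.@_+-]*) return 1 ;;
        *@*) return 0 ;;
        *)   return 1 ;;
    esac
}

is_local_domain() {
    printf '%s\n' "${1#*@}" | grep -Eiq "$LOCAL_DOMAIN_RE"
}

# sendmail -bv prints "deliverable:" for a user it can resolve.
user_deliverable() {
    $VERIFY_CMD "$1" 2>/dev/null | grep -q 'deliverable:'
}

# Score contribution: 180 for a local-looking From: the MTA cannot resolve
# (or that is not safe to ask about), 0 otherwise.
spoofed_local_score() {
    addr=$(extract_address "$1")
    if is_local_domain "$addr" &&
       { ! address_is_safe "$addr" || ! user_deliverable "$addr"; }; then
        echo 180
    else
        echo 0
    fi
}

# Constructed stand-in for sendmail -bv so the example runs with no MTA;
# the lines mimic sendmail's output for a known and an unknown local user.
fake_sendmail_bv() {
    case "$1" in
        alice@domain.tld) echo "$1... deliverable: mailer local, user alice" ;;
        *)                echo "$1... User unknown" ;;
    esac
}
```

Set VERIFY_CMD=fake_sendmail_bv to exercise the scoring offline; leave it unset on a host running the real MTA.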