procmail

Re: Well, that was interesting...

1996-10-30 18:02:58
    > > Another solution is to place all of the regexps into a file (for
    > > example, called "spamsters"), and use an egrep against the possible
    > > source addresses:
    > > 
    > >     :0:spamsters.lock
    > >     * ? formail -xFrom -xFrom: -xReply-To: -xSender | \
    > >         egrep -s -f spamsters
    > >     | $FLUSHFILTER $LIST > /dev/null
    > > 
    > > The "formail" pulls out the possible source addresses, and the patterns
    > > in the "spamsters" file are matched against the addresses.  If the egrep
    > > succeeds, then FLUSHFILTER is run.
    > > 
    > > This has the advantage that a spamster address occurring on any of the
    > > source mail fields in the mail can trigger a match, and not just
    > > the From or From: headers.
    > 
    > This has one problem.  It doesn't allow for the many spammers who aren't
    > above forgery.

You are quite welcome to keep using your original recipes;  I don't
care.  I was responding to the problem you were having with overly
long regexps which were exceeding LINEBUF.

However, your original recipe has the same problem.  The *effective*
changes I made between your original recipe and the one above were:

* all of the regexps exist in a file
* additional sources of addresses were used, instead of just the "From*"
  headers

What you are describing now is a different problem.  

ANYTHING can be forged in ANY email.  Only by sending email through a
well-configured mailer do we get some semblance of tracking with
"Received" headers.  Unfortunately, the Received: headers are not
standardly formatted, and extracting an address programmatically is
difficult.  However, they also can be used for pattern matching:

    :0:spamsters.lock
    * ? formail -xFrom -xFrom: -xReply-To: -xSender -XReceived: | \
        egrep -s -f spamsters
    | $FLUSHFILTER $LIST > /dev/null

will also check the Received: headers for a spamster address.

    > Cyberpromo was extremely bad when it came to filtering due to the MANY
    > domains mail could have come from.
    > 
    > But a recipe like this handles all of their garbage for me, without losing
    > anything I ever found of importance.
    > 
    > :0
    > *(cyberpromo|interramp|moneyworld)
    > *!^Subject:.*(cyberpromo|interramp|moneyworld)
    > /dev/null
    > 
    > Allows me to receive mail discussing the twits, while dropping the twits
    > rather effectively.

This is not entirely true.  Your recipe above would toss mail with the following
headers:

    From: Joe (The Anti-Cyberpromo King) <joe(_at_)coolsite(_dot_)com>
    To: anti-cyberpromo-list(_at_)coolsite(_dot_)com
    Cc: anti-spammers(_at_)hotsite(_dot_)org
    Subject: Let's Stamp Out Spammers!

The trouble with trashing mail is that, since you have no feedback, you don't
know how badly the filter is failing.

G'luck.
Alan
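
The dry run below is an added example, not part of the original post: it runs the quoted whole-header recipe and the source-fields approach over constructed headers and reports what each would discard. The pattern line, the forged message, the awk stand-in for the formail extraction, and grep -E -q in place of egrep -s are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: dry-run two matching strategies instead of delivering to /dev/null.
T=$(mktemp -d) && trap 'rm -rf "$T"' EXIT

# Constructed stand-in for the "spamsters" file: a listed name counts only
# when it is a domain label, not a word in a comment or a local part.
printf '%s\n' '(^|[^A-Za-z0-9-])(cyberpromo|interramp|moneyworld)\.(com|net)' \
    > "$T/spamsters"

# The counterexample from the post, with the archive's address masking undone.
cat > "$T/legit" <<'EOF'
From: Joe (The Anti-Cyberpromo King) <joe@coolsite.com>
To: anti-cyberpromo-list@coolsite.com
Cc: anti-spammers@hotsite.org
Subject: Let's Stamp Out Spammers!
EOF

# Constructed: forged From:, listed host visible only in a folded Received: line.
cat > "$T/forged" <<'EOF'
Received: from relay.example.net
    (mail.cyberpromo.com [192.0.2.10]) by mx.example.org
From: A Friend <friend@example.org>
Subject: Make money fast
EOF

PAT='(cyberpromo|interramp|moneyworld)'

# Quoted recipe: name anywhere in the header, unless it also appears in Subject:.
broad_recipe() {
    grep -Eiq "$PAT" "$1" && ! grep -Eiq "^Subject:.*$PAT" "$1"
}

# Stand-in for the formail extraction: keep only the source fields,
# including their folded continuation lines.
source_fields() {
    awk '/^[ \t]/ { if (keep) print; next }
         { keep = (tolower($0) ~ /^(from |(from|reply-to|sender|received):)/) }
         keep' "$1"
}

# Reply's recipe: pattern file matched against the source fields only.
source_recipe() { source_fields "$1" | grep -Eiq -f "$T/spamsters"; }

# Print "drop" if the given recipe function matches the message, else "keep".
verdict() { if "$1" "$2"; then echo drop; else echo keep; fi; }

for m in legit forged; do
    printf '%-7s broad=%s source=%s\n' "$m" \
        "$(verdict broad_recipe "$T/$m")" "$(verdict source_recipe "$T/$m")"
done
```

Running a recipe's conditions over saved mail this way gives the feedback that delivery to /dev/null does not.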
