procmail

Re: dumping based on domain, but not hostname.domain

1997-02-19 13:30:17
I've been getting a lot of spam from the domain "telysis.com".  Easy
enough to fix, you say, add "telysis.com" to the list of known-bad
domains.  Well, there's a problem.

I usually get the domain via:

echo $SENDER|sed 's/.*@//g'

which works pretty good, except that "telysis.com" is getting tricky
and they are using different hostnames in their domain, such as 
      telysis4.telysis.com
which avoids detection from my above simple scheme, and every few
months they change the hostname. "softcell.net" is another culprit of
this.

These two domains have never produced anything but spam/uce for me,
and I would like to know how to:

      1) catch their domain in the 'From' or 'From: ' line even if
they use additional hostnames

Why not just kill off email with "telysis.com" in the 'From'/'From:'
lines? (note:  The 'From' line seems to be more reliable than the 'From:'
line):

        :0
        * ^From.*telysis\.com
        /dev/null

Of course, this can be easily modified to use a file that contains spam
addresses/domains or to bounce the email with a "nastygram" or via
sendmail exitcodes.

      2) check for "softcell.net" or "telysis.com" in any of the
headers (From, Received, etc) and be able to match them

I don't prefer the "shotgun" approach (checking ALL headers), because you
will catch emails with a 'Subject:' of "Watch out for telysis.com -- they
are spammers", but what you want can be done with this:

        :0
        * (telysis\.com|softcell\.net)
        /dev/null

A much better approach, IMHO, would be along the lines of this:

        :0
        * ^(From|Reply|Sender|Received).*(telysis\.com|softcell\.net)
        /dev/null

[snip]

Lates!
---------------------------------------------------------------------------
Tim <bodysurf(_at_)pobox(_dot_)com>                          
mailto:bodysurf(_at_)pobox(_dot_)com
Finger bodysurf(_at_)pobox(_dot_)com for my PGP public key (Bits 1024/KeyID 
09DA5C49).
PGP Key FPrint (09/03/94): 4C 97 F1 FA 70 55 68 91  49 D1 AD F2 DD 63 0C 15
---------------------> Please PGP encrypt your email <---------------------
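
Added example, not part of the original post: a boundary-aware version of the sed-based sender check from the question. It matches a listed domain and any hostname under it, while leaving lookalikes such as `nottelysis.com` alone (a bare `telysis\.com` pattern matches those too). The function names and the sample senders are constructed for illustration.

```shell
#!/bin/sh
# Added example: boundary-aware domain match for a sender address.
# BAD_DOMAINS holds the two domains named in the thread.
BAD_DOMAINS="telysis.com softcell.net"

# Print the host part of an address: unwrap "Name <addr>", keep what
# follows the last "@", drop a trailing dot, and lower-case the result.
sender_host() {
    printf '%s\n' "$1" |
        sed -e 's/.*<\(.*\)>.*/\1/' -e 's/.*@//' -e 's/\.$//' |
        tr 'A-Z' 'a-z'
}

# Return 0 when the host is a listed domain or a hostname under it.
# The leading "." in the second pattern is what rejects lookalikes.
is_bad_sender() {
    host=$(sender_host "$1")
    for d in $BAD_DOMAINS; do
        case "$host" in
            "$d" | *".$d") return 0 ;;
        esac
    done
    return 1
}

# Constructed sample senders (not taken from real mail).
for s in 'promo@telysis.com' 'promo@telysis4.telysis.com' \
         'Ads <x@MAIL.SoftCell.NET>' 'bob@nottelysis.com' \
         'bob@telysis.com.example.org'; do
    if is_bad_sender "$s"; then echo "drop  $s"; else echo "keep  $s"; fi
done
```

Saved as a script that ends by calling `is_bad_sender "$1"`, this can be used from a procmail exit-code condition (`* ? ...`).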
