On Tue, 15 Apr 1997 10:14:39 GMT,
revjack(_at_)Radix(_dot_)Net (revjack(_at_)radix(_dot_)net) wrote:
> :0
> * ^X-Mailer:.*(Extractor|Floodgate|WorldMerge|Aristotle)
> /dev/null
> (I know it's case-insensitive). What sort of dangers am I missing in
> the above recipe? None, say I.
You're missing the "Stealth" mailer, which wisely fails to advertise
itself with an X-Mailer header. However, it seems that it will produce
a fake Received: line which matches the following pattern:
^Received:.*SMTP id GAA.*-0600 \(EST\)
The things to note are (1) EST is not -0600, and (2) sink to /dev/null
at your own peril. This might still match legitimate mail.
Another thing you might look for, for extra affirmation, is a "reverse
DNS:ed" host name beginning with "alt" and a number in the fake
Received line, as in this example (rewrapped for your reading
pleasure):
Received: from mailhost.jedder.com (alt5.jedder.com (211.2.34.47))
by jedder.com (8.8.5/8.6.5) with SMTP id GAA08823 for
<jedder(_at_)usa(_dot_)net>;
Fri, 11 Apr 1997 16:24:53 -0600 (EST)
Also missing from your regexp is NetMailer, which (like WorldMerge)
can be used for legitimate mass mailing as well as spamming. (I didn't
have Aristotle in mine, though; never received anything from it.
Thanks for the tip.)
As an aside, I can't see how it could +hurt+ to change that .* into
(.*\<)? -- a better bounded search is also more efficient, no?
/* era */
--
Defin-i-t-e-ly. Sep-a-r-a-te. Gram-m-a-r. <http://www.iki.fi/~era/>
* Enjoy receiving spam? Register at <http://www.iki.fi/~era/spam.html>
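The two checks discussed above (the mailer-name match with a bounded
search, and the fake Received line whose numeric offset disagrees with
its zone abbreviation, plus the "altN." reverse-DNS hint), worked
through as an added example in Python. This is not procmail and not
code from the thread: Python has no `\<` word-start anchor, so `\b`
stands in for it; the zone-offset table, the header samples and the
`suspicious_reasons`/`decide` helpers are assumptions made here. It
generalizes the post's EST/-0600 observation to any US zone
abbreviation, and flags rather than discards, since the post warns
that sinking to /dev/null may still eat legitimate mail.

```python
import re

# Mass-mailer names mentioned in the thread (Aristotle and NetMailer included).
MASS_MAILERS = ("Extractor", "Floodgate", "WorldMerge", "Aristotle", "NetMailer")

# Bounded search: the name must start at a word boundary, so "SuperExtractor"
# does not match. Python has no \< (procmail/GNU regex); \b is its equivalent.
XMAILER_RE = re.compile(
    r"^X-Mailer:(.*\b)?(" + "|".join(MASS_MAILERS) + r")", re.I | re.M)

# Numeric offset followed by a parenthesised zone abbreviation at the end of a date.
ZONE_RE = re.compile(r"([+-]\d{4})\s*\(([A-Z]{3,4})\)\s*$")

# Assumed table: the offset each US zone abbreviation actually denotes.
ZONE_OFFSETS = {
    "EST": "-0500", "EDT": "-0400", "CST": "-0600", "CDT": "-0500",
    "MST": "-0700", "MDT": "-0600", "PST": "-0800", "PDT": "-0700",
    "GMT": "+0000", "UTC": "+0000",
}

# Reverse-DNS name of the form "altN." inside a parenthesised host comment.
ALT_HOST_RE = re.compile(r"\(alt\d+\.", re.I)


def unfold(headers):
    """Join RFC 822 folded continuation lines (those starting with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def received_lines(headers):
    """Return every (unfolded) Received: header as a single string."""
    return [l for l in unfold(headers).splitlines()
            if l.lower().startswith("received:")]


def suspicious_reasons(headers):
    """Collect human-readable reasons the header block looks like a mass mailing."""
    reasons = []
    m = XMAILER_RE.search(unfold(headers))
    if m:
        reasons.append(f"X-Mailer names mass mailer '{m.group(2)}'")
    for rcv in received_lines(headers):
        z = ZONE_RE.search(rcv)
        if z:
            offset, abbrev = z.groups()
            expected = ZONE_OFFSETS.get(abbrev)
            if expected and expected != offset:
                reasons.append(f"zone mismatch: {abbrev} is {expected}, not {offset}")
        if ALT_HOST_RE.search(rcv):
            reasons.append("reverse-DNS name altN.* in Received")
    return reasons


def decide(headers):
    """Route to a quarantine folder instead of /dev/null so false positives are recoverable."""
    return "quarantine" if suspicious_reasons(headers) else "deliver"


# Constructed sample: the fake Received line shape described in the thread,
# with the recipient address replaced by a placeholder.
STEALTH_SAMPLE = (
    "Received: from mailhost.jedder.com (alt5.jedder.com (211.2.34.47))\n"
    "\tby jedder.com (8.8.5/8.6.5) with SMTP id GAA08823 for\n"
    "\t<recipient@example.net>;\n"
    "\tFri, 11 Apr 1997 16:24:53 -0600 (EST)\n"
    "Subject: constructed sample\n"
)

# Constructed sample: consistent zone, no alt host, no X-Mailer.
LEGIT_SAMPLE = (
    "Received: from a.example.org (a.example.org [192.0.2.5])\n"
    "\tby b.example.org (8.8.5/8.8.5) with ESMTP id LAA12345;\n"
    "\tThu, 10 Apr 1997 09:00:00 -0500 (EST)\n"
    "X-Mailer: Some Ordinary Client 1.0\n"
)

# Constructed sample: an advertised mass mailer.
WORLDMERGE_SAMPLE = "X-Mailer: WorldMerge 1.0\nSubject: constructed sample\n"

if __name__ == "__main__":
    for name, sample in (("stealth", STEALTH_SAMPLE), ("legit", LEGIT_SAMPLE),
                         ("worldmerge", WORLDMERGE_SAMPLE)):
        print(name, decide(sample), suspicious_reasons(sample))
```

The bounded search does double duty: it avoids scanning to the end of
the line on every header, and it keeps substrings of unrelated product
names from triggering the rule.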