
HELP: What headers to watch for spam (was Re: anybody see this spam?)

1997-05-08 01:19:00
On Wed, 7 May 1997 12:42:24 -0400 (EDT), Robert Nicholson
<steffi2@dgs.dgsys.com> wrote on the Procmail-L mailing list:
> This is the first intelligent SPAM that's broken through my defenses.
> Mailer because I have a rule to catch all rules from a MAILER_DAEMON
> Comments on the From: header?

No, not really. Let me just point out that there are a lot of other
things you can match on:

> Return-Path: <Mailer-Daemon>
> Received: from iceland.it.earthlink.net (iceland-c.it.earthlink.net) by dgs.dgsys.com (5.0/SMI-SVR4)
>         id AA21041; Wed, 7 May 1997 09:58:20 -0400

I already move stuff from earthlink to the spam tank. It hasn't
misfired yet (and since I don't spew out automated gripe messages and
don't delete anything, just refile them, the occasional mismatch
wouldn't really hurt).

> From: Mailer-Daemon

A From: line ahead of a Received: one is something I started using,
but I noticed it will match on too many legitimate messages on its
own. I currently do a scoring combo where this will contribute to the
score enough that you need very little further evidence to trip over
the spam threshold. The rest of the scoring works on keywords in the
subject line, mostly (I see "free" in there so that would have been
enough already).

> Received: from mail.earthlink.net (Cust90.Max1.Raleigh.NC.MS.UU.NET [153.34.251.90])

I also block anything with an ms.uu.net IP number; 

 * ^Received:.*\[153\.34\.

but I haven't been using that recipe long enough to say anything about
how well it works.

>         by iceland.it.earthlink.net (8.8.5/8.8.5) with SMTP id HAA15017;
>         Tue, 6 May 1997 07:30:56 -0700 (PDT)
> Received: from mailhost.errols.com (187.5.88.44) by errols.com (8.8.5/8.6.5)
>         with SMTP id GAA01420 for <you@aol.com>; Tue, 06 May 1997 10:20:07 -0600 (EST)

And here's that stealth signature. It often sports bogus IP numbers so
you could look for that, although doing a lookup on every number is
probably too expensive. But you see stuff like 888.001.987.12 which
you could definitely reject. (I get a very quick response on a lookup
for 187.5.88.44 -- it's apparently not valid either, though it's a
syntactically valid IP number.)

> Date: Tue, 06 May 97 10:20:07 EST
> To: you@AOL.COM

I have never received legitimate mail which matched "To: you" but lots
of spam. Ditto for To:.*@aol\.com\> (I think).

> Subject: Free Orlando Vacations !!!

"Free", "vacation", and exclamation marks ... What more do you need? :-)

> Message-Id: <756843199975.JJA64789@smtp.errols.com>

Somebody on Usenet recently asked if there's any source of Message-Id
patterns for recognizing different kinds of mailers. It could be an
interesting project. I haven't seen any answers to that question but
you could probably find out a good deal by subscribing to a number of
mailing lists (for example, mail program mailing lists) and cull
headers from them.

> X-Uidl: 9876543fgt9821376nb0988mm632xx321

The observation that spam often contains X-Uidl headers was
interesting. I haven't been paying attention to this. 

> Comments: Authenticated sender is <email@errols.com>

It's been a long time since I last saw an "authenticated sender"
warning on legitimate mail. (They do occur, but there's enough here
already that if you use scoring, you could add a small extra score for
this header, at least.) And this misspelling of errols is not all that
unusual; I've seen it on several spams so you could certainly block on
that. 

> content-length: 1291

For the record, here's a couple of other recipes that I have found
helpful.

  # Message starts with html tag (ugh); "B ??" makes procmail search the body
  * B ?? ^^ *<html>

  # To: header equals From: header
  * ^From: \/.*
  * $ ^To: $MATCH

I'm on a spam forwarding list so I receive a lot of test material all
the time. It all depends on the ordering of my recipes, of course, but
these two and the Stealth signature catch about 80%, I think.

Hope this helps,

/* era */

Cc:ed to Spam-L, who I hope will appreciate it :-)
The HELP: subject line is an idiosyncrasy of that list; sorry if it's
confusing.

-- 
Defin-i-t-e-ly. Sep-a-r-a-te. Gram-m-a-r.  <http://www.iki.fi/~era/>
 * Enjoy receiving spam? Register at <http://www.iki.fi/~era/spam.html>
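The scoring combination era describes above (a weight per header tell, adding up until the message trips a threshold) as an added example, not code from the post or from procmail itself: it is Python rather than a procmailrc, and the weights, the threshold and the sample message assembled from the quoted headers are all assumed.

```python
import re
from email import message_from_string

# Constructed sample: the headers quoted in the post, reassembled into one message.
SPAM = """Return-Path: <Mailer-Daemon>
Received: from iceland.it.earthlink.net (iceland-c.it.earthlink.net) by dgs.dgsys.com
From: Mailer-Daemon
Received: from mail.earthlink.net (Cust90.Max1.Raleigh.NC.MS.UU.NET [153.34.251.90])
To: you@AOL.COM
Subject: Free Orlando Vacations !!!
Comments: Authenticated sender is <email@errols.com>

Call now!
"""

def bogus_ip(text):
    """Syntactic check only, no lookups: a dotted quad with an octet above 255 (the 888.001.987.12 case)."""
    return any(int(o) > 255 for q in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", text)
               for o in q.split("."))

def spam_score(raw):
    """Return (score, names of rules that fired). Weights are assumed, not the post's."""
    msg = message_from_string(raw)
    names = [k.lower() for k, _ in msg.items()]           # headers in wire order
    received = "\n".join(msg.get_all("Received", []))
    subject, to, frm = msg.get("Subject", "").lower(), msg.get("To", ""), msg.get("From", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    rules = [  # (name, weight, fired?)
        ("from-before-received", 3, "from" in names and "received" in names[names.index("from") + 1:]),
        ("ms.uu.net-ip", 4, re.search(r"\[153\.34\.", received) is not None),
        ("bogus-ip", 3, bogus_ip(received)),
        ("to-you", 4, re.match(r"you@", to, re.I) is not None),
        ("to-aol", 1, re.search(r"@aol\.com\b", to, re.I) is not None),
        ("subject-free", 2, "free" in subject),
        ("subject-vacation", 2, "vacation" in subject),
        ("subject-bangs", 1, "!!" in subject),
        ("html-body", 3, body.lstrip().lower().startswith("<html>")),
        ("to-equals-from", 3, frm != "" and to == frm),
        ("authenticated-sender", 1, "authenticated sender" in msg.get("Comments", "").lower()),
    ]
    fired = [name for name, _, hit in rules if hit]
    return sum(w for _, w, hit in rules if hit), fired

THRESHOLD = 5   # assumed; tune against your own spam tank

def is_spam(raw):
    """Positive verdict once the weighted evidence crosses the threshold."""
    return spam_score(raw)[0] >= THRESHOLD
```

Refiling rather than deleting on a positive verdict keeps the occasional mismatch harmless, as the post notes.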
