On Mon, 2 Jun 1997 11:52:32 +0900 (JST),
Peter Evans <peter(_at_)hirune(_dot_)gol(_dot_)ad(_dot_)jp> wrote:
over the past couple of days, I've noticed a new flavour
of spam program. you cant match on id/site because it
spews its crap everywhere.
<...>
Received: from bud.peinet.pe.ca (ip207.new-haven.ct.pub-ip.psi.net
[38.11.102.207]) by bud.pein
et.pe.ca (8.8.5/8.6.14) with SMTP id VAA09193; Sat, 31 May 1997 21:42:38
-0300 (ADT)
This was injected at a psi.net dialup. Reason enough to dump it.
Received: from mailhost.totuff.net(alt2.forevermails.net(254.750.86.9)) by
forevermails.net (8
.8.5/8.6.5) with SMTP id GAA06259 for <freind(_at_)public(_dot_)com>; Sat,
31 May 1997 20:06:26 -0600 (EST
)
Here's that good ole -0600 EST not-so-stealth signature. Are you not
filtering on that? You should. (And oh, those hopeless IP numbers.)
To: freind(_at_)public(_dot_)com
As if that wasn't enough, anything with To:.*\<public.com should go.
Subject: >> 27 MILLION EMAIL ADDRESSES...PLUS BONUSES!
More than thre words and no lowercase characters? Too bad.
X-UIDL: 6478789540b74jdi9a321loi771l8f8k
I don't know about this; I believe you can filter on X-UIDL if you're
not a POP user yourself (but you should apparently not use this as the
sole criterion for a spam reject).
Comments: Authenticated sender is <mikep(_at_)totuff(_dot_)net>
Do other people than spammers do this "authenticated sender" thing?
about the only consistent thing about is is the id is
always an 8 digit number.
Not really. But sure, you can say
:0:
* ^From: [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]@
scratch/spam
Hope this helps,
/* era */
--
Defin-i-t-e-ly. Sep-a-r-a-te. Gram-m-a-r. <http://www.iki.fi/~era/>
* Enjoy receiving spam? Register at <http://www.iki.fi/~era/spam.html>