procmail

Re: SPAM>Re: Marketing tool

1997-06-07 11:21:00
On Sat, 7 Jun 1997 20:21:04 +0300 (EET DST),
era eriksson <era(_at_)iki(_dot_)fi> wrote:
On Sat, 7 Jun 1997 13:10:38 -0400 (EDT),
"Mike A. Harris" <mharris(_at_)blackwidow(_dot_)saultc(_dot_)on(_dot_)ca> 
wrote:
On Sat, 7 Jun 1997, era eriksson wrote:
A simple recipe to filter on obviously bogus IP numbers should have
caught this one. 
Can you suggest one?
<...>
     * MATCH ?? 300|2[6-9][0-9]|25[6-9]
Head is getting flatter still as stuff is being taken off top of it.

Ouch. Obviously, head is flawed. Perhaps too much stuff has been taken
off top of it lately.

    :0
    # Grab the bracketed address into MATCH; the character classes are
    # "neither space nor tab", and the + after [^]] is needed so that
    # MATCH holds the whole address rather than its first character.
    * ^Received: from [^ 	]+ ([^ 	]+ \[\/[^]]+
    {
        :0
        * MATCH ?? [0-9][0-9][0-9][0-9]|[03-9][0-9][0-9]|2[6-9][0-9]|25[6-9]
        spamfolder
    }

Anyway, the basic insight is that valid IP numbers are in the range
0-255. There are some interesting gaps you could look for (anything
beginning with 10, for example) but look in the RFCs if you want the
full story. 
  My original intention in writing a recipe with MATCH was
to make it more readable, but since it no longer is very readable, you
might turn it into a compact and likely faster one-liner ... if you
are very bored. 
  The recipe checks for anything four-digit, or anything three-digit
beginning with a zero or a number larger than two, or anything between
260 and 299, or anything between 256 and 259, inclusive.
  Anything with leading zeroes in it is also most likely forged. The
above recipe covers three-digit numbers with leading zeroes; adding
the two-digit case is left as an exercise. (I believe one-digit zeroes
are permitted but something tells me I ought to check before I go
ahead and pretend they are :-)
  I have yet to see a forged IP number with too many or too few octets
(there are four in a valid IP number, like "207.105.184.14") but I'm
sure it's only a matter of time. Perhaps you ought to check for that
as well:

        #... continuing inside the same braces ...

        :0
        * MATCH ?? ^^[^.]+\.[^.]+\.[^.]+^^
        spamfolder

        :0
        * MATCH ?? ^^[^.]+\.[^.]+\.[^.]+\.[^.]+\.
        spamfolder

        # closing brace goes here

Hope this helps,

/* era */

The stuff between the square brackets in the first recipe is, as
usual, a caret (as in "neither of"), space ("space") and tab ("or
tab"). It could be made more bulletproof but the Received: lines I've
seen are usually machine-generated and thus fairly regular. (The tab
thing is mostly old habit.)

-- 
Defin-i-t-e-ly. Sep-a-r-a-te. Gram-m-a-r.  <http://www.iki.fi/~era/>
 * Enjoy receiving spam? Register at <http://www.iki.fi/~era/spam.html>
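The checks the post builds out of procmail regexes (octets above 255, leading zeroes, too many or too few octets) are easier to see as one parser. The following is an added example and not part of the original post or of procmail; it extracts the bracketed address from a Received: line in the same "from host (host [addr])" shape the recipe above assumes, and reports why an address is bogus. The sample Received: lines are constructed for the example. It goes beyond the post's recipe in that it also catches the two-digit leading-zero case and too-short addresses, which the post leaves as an exercise.

```python
import re

# Constructed sample Received: lines (not taken from the original post).
SAMPLE_HEADERS = [
    "Received: from mail.example.net (mail.example.net [207.105.184.14]) by relay",
    "Received: from bulkhost (bulkhost [300.12.1.5]) by relay",
    "Received: from other (other [10.0.256.1]) by relay",
    "Received: from short (short [192.168.1]) by relay",
    "Received: from long (long [1.2.3.4.5]) by relay",
    "Received: from padded (padded [012.3.4.5]) by relay",
    "Received: from padded2 (padded2 [1.2.03.4]) by relay",
]

# Same shape as the procmail recipe: "Received: from <word> (<word> [<addr>]".
# \S+ plays the role of the post's "neither space nor tab" class.
RECEIVED_RE = re.compile(r"^Received: from \S+ \(\S+ \[([^\]]+)\]")


def extract_bracketed_ip(header):
    """Return the text inside the square brackets, or None if the line
    does not have the expected shape (the equivalent of MATCH)."""
    m = RECEIVED_RE.match(header)
    return m.group(1) if m else None


def why_bogus(addr):
    """Return a short reason if addr cannot be a valid dotted-quad IPv4
    address, or None if it passes every check from the post."""
    octets = addr.split(".")
    if len(octets) != 4:
        return "wrong octet count"  # too many or too few octets
    for octet in octets:
        if not (octet.isascii() and octet.isdigit()):
            return "non-numeric octet"
        if len(octet) > 1 and octet[0] == "0":
            return "leading zero"      # covers both 012 and 03
        if int(octet) > 255:
            return "octet out of range"
    return None


def classify(headers):
    """Map each Received: line to (address, reason); reason is None for
    lines whose address looks valid, and 'no bracketed address' when the
    line does not match the expected shape at all."""
    results = []
    for h in headers:
        addr = extract_bracketed_ip(h)
        if addr is None:
            results.append((None, "no bracketed address"))
        else:
            results.append((addr, why_bogus(addr)))
    return results


if __name__ == "__main__":
    for header, (addr, reason) in zip(SAMPLE_HEADERS, classify(SAMPLE_HEADERS)):
        print(f"{addr!s:18} {reason or 'ok':20} {header}")
```

Like the procmail version, this only looks at the address a relay wrote inside square brackets; a spammer controls the hostname before it, but the bracketed address is what the receiving machine recorded, so an impossible value there is a strong sign of a forged line.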