procmail

Re: Junk email relayed via procmail list ?

1997-08-24 12:23:14
At 02:01 PM 8/24/97 -0400, vikas(_at_)insight(_dot_)att(_dot_)com wrote:

[snip]

The good samaritan in me just wants to pass this info along.

In the future, if it is necessary, how about just passing along the
headers?  By passing along the BODY as well, you further propagate the
message of the spam.

However, since the message in question was originally posted to the list,
guess what?  Everybody who received your message ALREADY received the
message that was resent by the list.

Except those who managed to filter it out the first time around.  Myself
included.

The geek in me would love to know how this sort of thing is done. i.e. how
can these scum use any arbitrary address to bounce off their trash ?

Simple - the procmail list does NOT limit posts to subscribers -- ANYBODY
can post to the list, subscribed or not, valid address or not.  That
doesn't make it an "arbitrary address" in the sense that YOUR address could
be an arbitrary address, and it wouldn't work there.  Chances are, these
spammers have obtained the list address from a list of mailing lists, or
extracted it from one of several websites which mirror the procmail list.

Some time ago, this was determined to be a pretty much dead issue on the
procmail list - it is unlikely to change here - the list will continue to
resend anything that is posted to it.  IMHO, that is unfortunate.  However,
you can reduce the spam by placing your procmail list filter (if you have
one) AFTER any primary spam filters.  If you get spam from the list, then
apparently your spam filters need more work.  As someone else here has
mentioned, you can call this a measure of your procmail prowess...

[snip]

X-UIDL: f2aa304aecd64edd84e682586e28b948

The mere presence of this header causes the message to be ditched on my
system.  To date, (for me at least) this has never been a false-hit on spam.

X-Sender: quest(_at_)bewellnet(_dot_)com

bewellnet.com is in my domain purge list -- anywhere in the headers (minus
subject), and the message is outta here.

To: posterland(_at_)sellers(_dot_)infohaus(_dot_)com

Infohaus, cybercrash, revenueshare, profitshare, etc. are "First Virtual
Holdings" domains.

Here's an anti-spam pointer:  Any time you get a spam that passes through
your spam rules, examine the headers.  To/from/cc/sender/received and
tidbits in other headers.  Look for domains that "look" spam (they are
remarkably easy to pick out).  Then perform a whois lookup on them.  Note
the registered owner, then turn around and perform another whois ON THE
REGISTERED OWNER.  Examine the results, and if they appear spammy, add them
to a domain killfilter.  This heads off future spams from domains you
haven't even yet heard from.

My approach might be more harsh than many others, but I follow the belief
of "once a spammer, always a spammer" - if any one host of a certain outfit
is obviously strictly spam, I generally ban the rest of 'em too.

Pay attention to where the spammer domain is getting service from - often
spammer domains get services from other spammer domains.

This is not to say that any given spam will contain a domain which is
uniquely spam - plenty originates from plain throwaway accounts, and others
are simply forged.

From: imc(_at_)it-makes-cents(_dot_)com

it-makes-cents.com is also in my purge list.  They're run by "cybercon" -
an appropriate name for spammers...


Please, in the future, avoid spamming the body of the spam back to this list.

---
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.

 Sean B. Straw / Professional Software Engineering
 Post Box 2395 / San Rafael, CA  94912-2395
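
The filtering order and header rules described in the message above, as an added example that is not part of the original post and is written in Python rather than as procmail recipes. The two purge-list domains and the X-UIDL rule come from the message; the `list_marker` test, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

PURGE_DOMAINS = {"bewellnet.com", "it-makes-cents.com"}  # named in the message
PRESENCE_HEADERS = {"x-uidl"}  # mere presence of the header means discard
SKIP_HEADERS = {"subject"}     # "anywhere in the headers (minus subject)"
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
HOST_RE = re.compile(LABEL + r"(?:\." + LABEL + r")+")

def purged_domain(host):
    """Return the purge-list entry that host equals or is a subdomain of."""
    for dom in PURGE_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None

def classify(raw, list_marker="procmail"):
    """Spam rules run first; list filing only sees what survives them."""
    msg = message_from_string(raw)
    for name, value in msg.items():
        lname = name.lower()
        if lname in PRESENCE_HEADERS:
            return ("discard", "header present: " + name)
        if lname in SKIP_HEADERS:
            continue  # a Subject that mentions a domain is not evidence
        for host in HOST_RE.findall(value.lower()):
            dom = purged_domain(host)
            if dom:
                return ("discard", dom + " in " + name)
    # Hypothetical list test: the list name appears in To or Cc.
    rcpts = " ".join(msg.get_all("To", []) + msg.get_all("Cc", []))
    if list_marker in rcpts.lower():
        return ("list-folder", "list traffic")
    return ("inbox", "no rule matched")

# Constructed sample messages (not taken from the thread).
SPAM_VIA_LIST = (
    "Received: from relay.example.net by list.example.org\n"
    "From: someone@example.net\n"
    "X-Sender: quest@bewellnet.com\n"
    "To: procmail@list.example.org\n"
    "Subject: offer\n\nbody\n")
LIST_POST = (
    "From: user@example.org\n"
    "To: procmail@list.example.org\n"
    "Subject: bewellnet.com keeps spamming us\n\nbody\n")

if __name__ == "__main__":
    for sample in (SPAM_VIA_LIST, LIST_POST):
        print(classify(sample))
```

Matching on whole host labels keeps a look-alike such as `notbewellnet.com` from tripping the purge list, while subdomains of a listed domain still match.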
