procmail
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Extractor spam that got thru procmail

1997-09-16 09:21:51
from [Rory Hinnen] [Permanent Link] 
Suddenly Jeff A. Earickson hits me with:
# Y'all,
# 
#     The following spam got through my procmail anti-spam filters, which 
# uses a lot of the tricks/recipes found in junkfilter, and some other goodies
# that have been posted on this list.  I've stared at the headers below and
# don't see anything that a procmail recipe could use to filter this one out.
# Any ideas here? 

How about this:

<header snippage occurs>
# From: airtech(_at_)airtech(_dot_)net
<more snippage>
# To: airtech(_at_)airtech(_dot_)net


From & To lines match. Based on Dan's Procmail filter ver .2:


# Check if From: = To:
MATCH=${SENDER:-`formail -rtzx To:`}
# We exclude anything with a Resent- header to avoid problems with
# lists that change the Reply-To: to point back to the list.
:0
* $^TO$MATCH\>
* !^Resent-
{
  SPAMCHECK_SPAM=yes
  :0fwh
  | formail -A "X-SpamCheck-Reason: To: and From:/Reply-To: headers are 
identical"
}

or something like that.

Now, catching this one I think would be tricky (to me):

Received: from dqimages.com (dqimages.com [xxx.xxx.xxx.xxx]) by dqimages.com 
(950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id FAA19334 for 
<rory(_at_)mailhost>; Tue, 16 Sep 1997 05:39:53 -0700
Received: from disney.com by dqimages.com (SMI-8.6/SMI-SVR4)    id FAA26460; 
Tue, 16 Sep 1997 05:34:28 -0700
From: cag1465(_at_)onestopshop(_dot_)net
Received: from global.1-global.com 
(root(_at_)[204(_dot_)157(_dot_)168(_dot_)3]) by disney.com (8.7.5/8.7.3) with 
ESMTP id FAA03100 for <rory(_at_)dqimages(_dot_)com>; Tue, 16 Sep 1997 05:37:16 
-0700 (PDT)
Message-Id: <199709161237(_dot_)FAA03100(_at_)huey(_dot_)disney(_dot_)com>
Received: from --- unknown host ---
X-Sender: cag1465(_at_)onestopshop(_dot_)net
Date: Tue, 16 Sep 1997 07:19:23 PDT
Subject: Accept Major Credit Cards...Online Merchant Accounts!
Apparently-To: <rory(_at_)dqimages(_dot_)com>
X-SpamCheck: Dan's SPAM Detector
X-SpamCheck-Version: 0.2
Status: RO

Dan's SPAM Detector said no problem. The one thing I note is the lack
of a Specific "To:" line. Ideas?

.r.



-- 
Rory "PACKET STORM" Hinnen        |         Dream Quest Images
rory(_at_)dqimages(_dot_)com                 | <disclaimer type=standard>
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Et TO, procmail ?, Eli the Bearded
Next by Date:  Re: Extractor spam that got thru procmail, R Lindberg / E Winnie
Previous by Thread:  Re: oversimplification bites ...., W. Wesley Groleau x4923
Next by Thread:  Re: Extractor spam that got thru procmail, R Lindberg / E Winnie
Indexes:  [Date] [Thread] [Top] [All Lists]