procmail

Re: From: address with no @<domain> field

1997-09-25 13:40:37
On Thu, 25 Sep 1997 09:55:36 -0600 (MDT), Jim Hribnak
<hribnak(_at_)nucleus(_dot_)com> wrote:
How can I use procmail to detect if the From: field has a domain name
associated with it?  I have a spam that did not get trapped and I am

Here's what I've been using: 

    # If the From: line contains a @ but no . after it, it's suspect
    :0
    * ^\/From:.*@[^.]+([,      ].*)?$
    { REJECT="$REJECT${REJECT:+$NL}${REJ}under-qualified $MATCH" }

    # If the From: line doesn't contain a @ and there are more than two
    #  Received: lines, it's suspect
    :0
    * ^Received:.*$Received:.*$Received:
    * ^\/From:.*
    * ! ^From:.*@
    { REJECT="$REJECT${REJECT:+$NL}${REJ}under-qualified $MATCH" }

This is a bit sketchy but it has in fact been catching spam for me: 

 $ zgrep -c 'under-qualified' Mail/procmail.log.gz
 4

 $ zgrep -c 'scratch/spam' Mail/procmail.log.gz # total spams caught
 680

 $ zgrep -c '^ *Folder:' Mail/procmail.log.gz # total messages
 1937

The number of received lines your local system will generate while
getting the message through to you might be different from mine here.
Look at mail you receive and try to find a good balance. This was a
shot from the hip to begin with, but I don't see any obvious
improvements to it (or maybe I don't want to ... actually you would
probably rather use scoring to count Received: lines. Received: lines
near the end of the header would also likely be a good thing to look
out for).

Hope this helps,

/* era */

I subscribe to a spam-forwarding list to receive material to test my
filters on. Real spam during this period was maybe twenty messages,
all of it trapped (except maybe one). OTOH maybe another twenty got
misidentified as spam. Mostly from experimental recipes I don't intend
to show to anyone, of course :-)

-- 
 Paparazzi of the Net: No matter what you do to protect your privacy,
  they'll hunt you down and spam you. <http://www.iki.fi/~era/spam/>
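
Added example, not part of the original post: the two checks from the recipes above written in Python so they can be tried on sample headers outside procmail. It counts Received: header fields rather than matching three consecutive lines, so folded Received: headers are counted correctly. The function names, the reason strings and the sample messages are constructed for this illustration.

```python
import re
from email import message_from_string

# Text after an @ up to the next delimiter (assumed delimiter set for From: values).
DOMAIN_AFTER_AT = re.compile(r'@([^\s,;<>()"]+)')


def under_qualified(raw_message, max_received=2):
    """Return a reason string if the From: header looks under-qualified, else None."""
    msg = message_from_string(raw_message)
    from_values = msg.get_all("From", [])
    if not from_values:
        return None  # both recipes in the post require a From: line
    from_line = " ".join(from_values)
    # Check 1: an @ is present but the domain after it contains no dot.
    for domain in DOMAIN_AFTER_AT.findall(from_line):
        if "." not in domain:
            return "no dot after @: " + domain
    # Check 2: no @ at all and more than max_received Received: headers.
    # get_all() returns one entry per header field, so a folded
    # Received: header counts once however many lines it spans.
    hops = len(msg.get_all("Received", []))
    if "@" not in from_line and hops > max_received:
        return "no @ and %d Received: headers" % hops
    return None


def sample(from_value, hops):
    """Build a constructed test message with `hops` folded Received: headers."""
    received = "".join(
        "Received: from relay%d.example.net\n"
        "\tby mx.example.org; Thu, 25 Sep 1997 09:55:36 -0600\n" % i
        for i in range(hops)
    )
    return received + "From: " + from_value + "\nSubject: test\n\nbody\n"


if __name__ == "__main__":
    cases = [
        ('"Jim Example" <jim@mail.example.com>', 3),  # fully qualified
        ("offers@bulkhost", 1),                       # @ but no dot
        ("Friendly Offers", 3),                       # no @, many hops
        ("root", 1),                                  # no @, few hops (local mail)
    ]
    for from_value, hops in cases:
        print(repr(from_value), hops, "->", under_qualified(sample(from_value, hops)))
```

As the post says, the Received: threshold depends on how many hops your own system adds; pass a different max_received to match what you see in your mail.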
