procmail

Re: Spam: Are You In Need Of A Lifestyle Change

1997-09-28 20:57:02
(A copy of this message has also been posted to the following newsgroups:
news.admin.net-abuse.email, comp.mail.misc)

I do not want anymore crap from these jerks.

:0
* ^Subject:.*are\ you\ in\ need\ of\ a\ life
/dev/null

You *could* do this, but how likely are you to get this type
of subject again?  In any case, /dev/null'ing a non-spam specific
item is fairly dangerous.

I would suggest poking around in the header a bit more...

Received: from mustang.via.net (mustang.via.net [140.174.204.4])
        by mail.goodnet.com (8.8.7/8.8.6) with SMTP id MAA03994
        for <ftilley(_at_)goodnet(_dot_)com>; Sat, 27 Sep 1997 12:07:26 -0700 
(MST)
From: N8dx1k7gM(_at_)unlimited(_dot_)net
Received: from ctcpXzPDJ  (dd30-242.dub.compuserve.com [199.174.147.242])
                 ^^^^^^^^???
by mustang.via.net (8.6.9/8.6.9) with SMTP id LAA28431; Sat, 27 Sep 1997
11:45:38 -0700
DATE: 27 Sep 97 3:18:56 PM
Reply-to: PRR(_at_)UTP(_dot_)NET
Message-ID: <BrS5>

Does anyone have a good Message-Id: recipe?  I came up with one that
validated Sendmail Message-Id's, but programs like Pine and qmail have
their own variations that break this.

* ^Message-Id: (<>|<none>|0000000000.\AAA000)
catches the obvious fakes, but not ids such as "BrS5"

Received: From mailhost.UTP.net(alt1.utp..net(333.2.44.55)) by utp.net;Sat,
                                          ^^    ^^^        ^^
Oops!  IP (IPv4) numbers are 8-bit values (0-255)... 333 is no good.  There is a
recipe for this type of fakery, but I don't have ready access to it
at the moment.   Can someone repost it?
27 Sep 1997 15:18:56 -400 (EDT)
TO: ....................................................................................................................(_at_)mustang(_dot_)via(_dot_)net
I *highly* recommend ending your .procmailrc with something like:

:0:
* ^TO.*MyEmailAddress(@)?
| formail -A"X-Sorted: To my email address" >>$DEFAULT

:0:
| formail -A"X-Sorted: Blocked - fell through .procmailrc" >>$BLOCKFOLDER
Where "MyEmailAddress" is replaced by your email address(es).  By dumping 
everything that is not specifically addressed to you to a non-default
folder, you virtually eliminate all spam that escapes your other filters.
This is after you filter out mailing lists and such, of course.
SUBJECT: Are You In Need Of A Lifestyle Change...
  ^^^^^^^
I have noticed that a lot of spam has all capital letters for
To:, From:, and Subject:.  Do any legitimate mail agents produce
such output?
X-UIDL: f1243434ba24adc40b99deff8469afa3
Status: O
X-Status: 

Now for the first time ever you have the opportunity to join the most
extraordinary and most powerful wealth building program in the world!
This program has never been offered to the general public until now! 
Because of your desire to succeed, you have been given the opportunity
to take a close look at this program.
[rest of crap deleted]

I wish you would have posted the rest.  In recent testing, I have
found that I can catch about 90% of my spam with these simple body searches:
# Case INSENSITIVE body search for the usual "remove me" instructions.
# Assumes FORMAIL and SPAMFOLDER are set earlier in the .procmailrc.
# (The condition must start on the "*" line; "\" continues it.)
:0 B
* (("remove"|remove)(.*^?.*)in(.*^?.*)the(.*^?.*)subject(.*^?.*)(field|line|header)?|\
   reply(.*^?.*)with(.*^?.*)the(.*^?.*)subject(.*^?.*)("remove"|remove)|\
   ("remove"|remove)(.*^?.*)on(.*^?.*)subject(.*^?.*)(field|line|header)?|\
   removed(.*^?.*)from(.*^?.*)our(.*^?.*)(mailing list|database))
{
 :0:
 | $FORMAIL -A"X-Sorted: *** SPAM! - Remove _THIS_!!! ***" >> $SPAMFOLDER
}
# Case SENSITIVE body check (the D flag turns off case folding)
# The formail action must stay on a single line.
:0 BD
* (GUARANTEED|FREE (OFFER|BONUS)|CREDIT|\
   LEGAL(LY)?|SECRETS|BULK EMAIL|CLICK NOW|\
   ORDER FORM|NO RISK|(MAKE|MAKING) MONEY|MLM)
{
 :0:
 | $FORMAIL -A"X-Sorted: *** SPAM! - Case sensitive keyword found in body of message ***" >>$SPAMFOLDER
}
# Case INSENSITIVE body check (procmail folds case unless D is given)
# The formail action must stay on a single line.
:0 B
* (This(.*^?.*)is(.*^?.*)a(.*^?.*)one(.*^?.*)time(.*^?.*)mailing|\
   (You)?(.*^?.*)must(.*^?.*)be(.*^?.*)(over|at least)(.*^?.*)(18|21)|\
   No Credit Checks|\
   answerme\.com|\
   savetrees\.com|\
   (make|making) money (fast)?|\
   limited time offer|\
   send \$.* to|\
   order now)
{
 :0:
 | $FORMAIL -A"X-Sorted: *** SPAM! - Case insensitive phrase found in body of message ***" >>$SPAMFOLDER
}
In this case, I think a case insensitive search for "first time ever" or 
"wealth building program" would be a pretty safe bet.  However, I would rather 
catch spam with bogus header searches.  Unfortunately, except for the "333" IP
address, this spam actually has fairly clean headers.  It should have still
been blocked by the last recipe in your .procmailrc, however.
Jeff Thieleke
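The header heuristics argued for in the post above (an impossible octet such as 333 in a Received: line, a Message-ID like "<BrS5>" that is not of the usual local@domain shape, header names shouted in capitals, and mail that is not addressed to you at all) can be checked outside procmail as well. The following script is an added example and is not code from the post or from procmail; the two sample messages embedded in it are constructed for illustration, with the real-looking addresses replaced by example domains, and the function and constant names are the example's own.

```python
"""Header sanity checks: added example, not code from the post or from procmail.

Four heuristics the post describes, run over a raw RFC 822 message:
  1. an IPv4 dotted quad inside a Received: header with an octet above 255
  2. a Message-ID that is an obvious fake or not <local@domain> shaped
  3. header names written entirely in capitals (SUBJECT:, TO:, DATE:)
  4. no recipient header naming one of my own addresses (the post's
     "fell through .procmailrc" idea)
"""
import re
from email import message_from_string

# Constructed sample, modelled on the forged headers quoted in the post.
SAMPLE = """\
Received: from mustang.via.net (mustang.via.net [140.174.204.4])
        by mail.example.net (8.8.7/8.8.6) with SMTP id MAA03994
        for <user@example.net>; Sat, 27 Sep 1997 12:07:26 -0700 (MST)
From: N8dx1k7gM@unlimited.example
Received: From mailhost.UTP.net(alt1.utp..net(333.2.44.55)) by utp.net;Sat,
 27 Sep 1997 15:18:56 -400 (EDT)
DATE: 27 Sep 97 3:18:56 PM
Reply-to: PRR@UTP.example
Message-ID: <BrS5>
TO: ...
SUBJECT: Are You In Need Of A Lifestyle Change...

Now for the first time ever you have the opportunity to join ...
"""

# Constructed sample of an ordinary, well-formed message for comparison.
CLEAN_SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
        by mail.example.net (8.8.7/8.8.6) with SMTP id AAA00001
        for <user@example.net>; Sat, 27 Sep 1997 12:07:26 -0700 (MST)
Message-ID: <199709271907.AAA00001@mail.example.org>
From: Friend <friend@example.org>
To: user@example.net
Subject: lunch?

Still on for Monday?
"""

IPV4 = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")
# Usual <local-part@domain> shape; Sendmail, qmail and Pine ids all fit it.
MSGID_SHAPE = re.compile(r"^<[^<>@\s]+@[^<>@\s]+\.[^<>@\s]+>$")
# The obvious fakes from the post's existing Message-Id recipe.
MSGID_FAKES = re.compile(r"<>|<none>|0000000000.AAA000")
# Header names the post notes are often written in all capitals by spam.
WATCHED_CASE = {"TO", "FROM", "SUBJECT", "DATE", "CC"}
RECIPIENT_HEADERS = ("to", "cc", "bcc", "apparently-to", "resent-to", "resent-cc")


def bad_ipv4_literals(msg):
    """Dotted quads in Received: headers that have an octet outside 0-255."""
    bad = []
    for received in msg.get_all("Received", []):
        for quad in IPV4.finditer(received):
            if any(int(octet) > 255 for octet in quad.groups()):
                bad.append(quad.group(0))
    return bad


def message_id_problem(msg):
    """Reason string if the Message-ID looks forged, else None."""
    mid = msg.get("Message-ID")
    if mid is None:
        return "missing"
    mid = mid.strip()
    if MSGID_FAKES.search(mid):
        return "known fake pattern"
    if not MSGID_SHAPE.match(mid):
        return "not <local@domain> shaped"
    return None


def shouted_headers(msg):
    """Watched header names written entirely in capitals, in source order."""
    return [name for name, _ in msg.items()
            if name.upper() in WATCHED_CASE and name == name.upper()]


def addressed_to_me(msg, my_addresses):
    """True if any recipient header mentions one of my addresses."""
    mine = {addr.lower() for addr in my_addresses}
    for header in RECIPIENT_HEADERS:
        for value in msg.get_all(header, []):
            if any(addr in value.lower() for addr in mine):
                return True
    return False


def header_findings(raw, my_addresses):
    """Run all four checks over a raw message and return finding labels."""
    msg = message_from_string(raw)
    findings = ["bad-ipv4:" + quad for quad in bad_ipv4_literals(msg)]
    problem = message_id_problem(msg)
    if problem:
        findings.append("message-id:" + problem)
    findings += ["shouted-header:" + name for name in shouted_headers(msg)]
    if not addressed_to_me(msg, my_addresses):
        findings.append("not-addressed-to-me")
    return findings


if __name__ == "__main__":
    for finding in header_findings(SAMPLE, ["user@example.net"]):
        print(finding)
    print("clean sample:", header_findings(CLEAN_SAMPLE, ["user@example.net"]))
```

Run on the forged sample it reports the 333 octet, the malformed Message-ID, the three capitalised header names and the missing recipient; the clean sample produces no findings. The Message-ID shape test deliberately accepts the Sendmail, qmail and Pine variants the post mentions, since all of them still contain an @ and a dotted domain, and only rejects ids that lack that structure.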