procmail

Re: Spam: Are You In Need Of A Lifestyle Change

1997-09-29 01:00:35
era eriksson writes on 29 September 1997 at 09:23:36
From: N8dx1k7gM@unlimited.net

I've been thinking about ways to catch these. They're fairly obvious
to the human eye but hard to pin down in any meaningful way. Ideas,

I've got recipes to deal with more obvious ones, but this name is (or
could be) a legitimate user-id on some systems.  Perhaps someone with
experience on these systems (mainframes, Prodigy, etc.) can tell us
how these cryptic (to us at least) logins are formed...maybe there's a
pattern we could use...

To keep this thread more on the topic of procmail and less on SPAM :-),
here's what I use to validate email addresses
  
  # Header prefix for the usual originator fields; the second bracket
  # expression in the "From " (envelope) branch contains a space and a tab.
  FROM=${FROM:-"(^((X-(Envelope-)?)?(Apparently-|Resent-)*(From|Reply-To|Sender):\
  (.*[^-a-z0-9_])?|From ([^       ]*[-_@!.])?))"}
  # Don't accept all syntactically valid addresses; who's going to have
  # a real email address of "foo_@-bar-.com"?
  spamcheck_word="[a-z0-9][-a-z0-9_.+]*[a-z0-9]+"
  spamcheck_tld="(com|gov|org|edu|net|int|[a-z][a-z])"
  spamcheck_email="\<${spamcheck_word}@(${spamcheck_word}\.)+${spamcheck_tld}\>"
  # Both a recipient field and an originator field must carry a plausible
  # address; the "$" modifier expands the variables before matching.
  :0h
  * $ ^TO${spamcheck_email}
  * $ ${FROM}${spamcheck_email}
  { }
  :0E
  { ... deal with spam here ... }
Note that the address in question would pass this check.

Where "MyEmailAddress" is replaced by your email address(es).  By dumping 
everything that is not specifically addressed to you to a non-default
[...]
This is dubious advice, but you probably know that already. Some
people receive legitimate BCC:s, others don't. 

I've hooked this up in my "spamcheck" recipes, giving anything that
matches a slight non-spam weight
  SPAMCHECK_ME_RE=${SPAMCHECK_ME_RE:-$LOGNAME}
  :0
  * $^TO\/${SPAMCHECK_ME_RE}
  {
    spamcheck_contribution=${SPAMCHECK_TOME_SCORE:-"-$SPAMCHECK_20"}
    spamcheck_reason="TOME - explicit recipient: $MATCH"
    spamcheck_rcpath=$_
    INCLUDERC=$SPAMCHECK_RCDIR/reason.rc
  }

Also, Felix, did your local software add the X-Uidl header or was it
in the spam itself?

I've found that the X-Uidl: and Pegasus MUA checks below catch an
awful lot of spam.

  # Might need to be a little more particular here;
  # Philip Guenther <guenther@gac.edu>: If a message comes into your
  # mailbox that has the X-UIDL: header, and doesn't have your address in
  # the header, then I would have strong doubts about its legitimacy.
  #
  # Edward J. Sabol <sabol@alderaan.gsfc.nasa.gov>: E-mails with
  # X-UIDL: headers are almost definitely spam unless they've been
  # Resent-To: me by someone. Also, valid X-UIDL: headers have 32 hexadecimal
  # digits exactly.
  #
  # procmail's regexps have no {32} repetition, so the 32 hex digits are
  # spelled out; the bracket expressions around them hold a space and a tab.
  :0
  * ^X-UIDL:
  * !^X-UIDL:[  ]*[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
                  [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
                  [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
                  [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
                  [0-9a-f][0-9a-f][0-9a-f][0-9a-f][     ]*$
  * !^Resent-To:
  { ... spam processing ... }

  # From: Gregory Sutter <gsutter@ugems.psu.edu>
  # Pegasus mailer is the only mailer which legitimately generates
  # "Comments: Authenticated sender is ..." so kill anything else.
  :0
  * ^Comments:.*Authenticated sender
  * !^X-Mailer:.*Pegasus Mail
  * !^Resent-To:
  {
    # can such mail *ever* be legit?
    ... spam processing ...
  }

   Dan
------------------- message is author's opinion only ------------------
J. Daniel Smith <DanS@bristol.com>
http://www.bristol.com/~DanS
Bristol Technology B.V.                   +31 33 450 50 50, ...51 (FAX)
Amersfoort, The Netherlands               {info,jobs}@bristol.com
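Added example, not from the post above or from the procmail distribution: the three header checks it describes (plausible address in both recipient and originator fields, malformed X-UIDL, "Authenticated sender" comment from a non-Pegasus mailer) translated into Python regexes and run over constructed sample headers. The TO_HDRS and FROM_HDRS alternations are a simplified stand-in for procmail's ^TO token and the post's FROM variable, and the sample messages are constructed.

```python
import re

# Address shape from the post: procmail's \< \> become Python's \b
WORD = r"[a-z0-9][-a-z0-9_.+]*[a-z0-9]+"
TLD = r"(?:com|gov|org|edu|net|int|[a-z][a-z])"
EMAIL = rf"\b{WORD}@(?:{WORD}\.)+{TLD}\b"
# Simplified equivalents (assumption) of procmail's ^TO and the FROM variable
TO_HDRS = r"^(?:(?:Resent-)?(?:To|Cc|Bcc)|Apparently-To):.*"
FROM_HDRS = r"^(?:Apparently-|Resent-)*(?:From|Reply-To|Sender):.*"
# A well-formed X-UIDL: exactly 32 hex digits, optional surrounding blanks
UIDL_OK = r"^X-UIDL:[ \t]*[0-9a-f]{32}[ \t]*$"


def hdr(headers, pattern):
    """True when some header line matches (case-insensitive, line-anchored)."""
    return re.search(pattern, headers, re.I | re.M) is not None


def spam_reasons(message):
    """Return the rules from the post that the message's headers trip."""
    headers = message.split("\n\n", 1)[0]      # header block only, like :0h
    reasons = []
    if not (hdr(headers, TO_HDRS + EMAIL) and hdr(headers, FROM_HDRS + EMAIL)):
        reasons.append("no plausible address in both To and From fields")
    if (hdr(headers, r"^X-UIDL:") and not hdr(headers, UIDL_OK)
            and not hdr(headers, r"^Resent-To:")):
        reasons.append("malformed X-UIDL without Resent-To")
    if (hdr(headers, r"^Comments:.*Authenticated sender")
            and not hdr(headers, r"^X-Mailer:.*Pegasus Mail")
            and not hdr(headers, r"^Resent-To:")):
        reasons.append("Authenticated sender comment not from Pegasus")
    return reasons


# Constructed sample messages (headers, blank line, body)
LEGIT = "From: alice@example.org\nTo: bob@example.net\nSubject: hi\n\nbody"
# The cryptic address from the thread passes the address check but the
# bogus X-UIDL catches it
SPAM_UIDL = ("From: N8dx1k7gM@unlimited.net\nTo: friend@public.com\n"
             "X-UIDL: not-a-real-uidl\nSubject: Lifestyle\n\nbody")
SPAM_PEGASUS = ("From: foo_@-bar-.com\nTo: bob@example.net\n"
                "Comments: Authenticated sender is <foo_@-bar-.com>\n"
                "X-Mailer: BulkMailer 1.0\n\nbody")

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("uidl", SPAM_UIDL), ("pegasus", SPAM_PEGASUS)]:
        print(name, spam_reasons(msg))
```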