procmail

Re: Spamford's back on line

1997-10-07 13:41:09
On Tue, 7 Oct 1997 14:19:07 -0500, "Matthew G. Saroff 
(Do not Reply to this Address)" <saroff@vs.lmco.com> wrote:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Perhaps you should set Reply-To then?

From: 79110800@compuserve.com

From: eight digits@anywhere == spam, 99% certain.

Received: from mail.ewol.com ([153.36.120.50]) by main.ewol.com

 $ host 153.36.120.50
 Name: 1Cust50.tnt19.atl2.da.uu.net
 Address: 153.36.120.50
 Aliases:

This one is actually one of the lines I trimmed from the recipe I
posted originally -- I refuse all mail that has gone via these UUnet
dialups, but it occasionally catches legit mail. (I don't mind, it
goes to the spam tank and gets a hefty complaint when I have the time
to look at it if it's spam.)

Received: from
 netsource.com(2cust94.max2.orlando.fl.ms.uu.net[145.36.156.24]) by
 nethost@webmaster.com)[156.23.124.125])(1Cust107.max4.miami.fl.ms.uu.net[154.24.123.105])

Fake from: host which actually resolves to uu.net, earthlink, or PSI.
Goner. (This one is actually forged, too; see below. Why would it go
from one dial-in to another, anyhow? Crazy, those spammers.)

1997 15:06:25 -0600 (EST)

This is all you need to filter on. Older versions of the Stealth
mailer contain this erroneous time zone specification in a forged
Received: line it adds to all messages. Any Received: lines below this
one will be forged, too. (And this has been beaten to death on various
spam lists.)

To: mailsubs@hotmail.com

To: a hotmail address which is not yours; hard to guess it's spam.

Message-Id: <(2cust86.max8.tampa.fl.ms.uu.net[154.15.136.45])>

Invalid Message-Id; that's a good clue, too. 

X-Pmflags: 134.0
X-Uidl: 2610431056a78aeb1b128fda426c9a5e
Comments: Authenticated sender is <host@unet.net>

You can filter on all these, too. I don't have any recipes for that
but a quick glance at this mailing list's archives for the last week or
two should bring up some, I believe. (You can filter all mail with
X-uidl:s if your own software doesn't insert it in all mail you
receive. Recipes for this have been posted several times, too.
Basically you just need to watch out for resent messages, on the
theory that the resender's software added a legitimate Uidl.)

Here's what we have so far:

:0:  # if it's both from: 8digits and Received: uu.net, +yech+
# (procmail's regexps have no {8}, hence the eight [0-9]s)
* ^From: [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]@
# the literal [ before the address must be escaped; matches [153.34.x.x] to [153.36.x.x]
* ^Received:.*\[153\.3[4-6]\.
spam

:0:  # the Stealth mailer's impossible time zone in its forged Received:
* ^Received:.* -0600 \(EST\)
spam

:0:  # this +could+ fry legitimate BCC:s to you (including mailing lists)
# (replace "etc..." with further domains; the TO_ macro also checks Cc: and friends)
* ^To:.*@(aol|compuserve|hotmail|public|nowhere|etc...)\.com
* ! ^TO_msaroff
spam

:0:  # anything but a single well-formed <local@domain> Message-Id
# (each bracket expression below contains a space and a literal tab)
* ! ^Message-Id:[ 	]*<[^ 	<>@]+@[^ 	<>@]+>[ 	]*$
spam

None of this is rocket science. However, if you're not actively
writing your own filters, you should probably start out with one of
the existing Procmail filter packages. The Procmail Links page at
<http://www.iki.fi/~era/procmail/links.html> has pointers to several.

I didn't particularly see anything in those headers that pointed to
Cyberpromo, though. Was there something in the body? 

/* era */

-- 
 Paparazzi of the Net: No matter what you do to protect your privacy,
  they'll hunt you down and spam you. <http://www.iki.fi/~era/spam/>
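The four header checks from the recipes in this post, re-implemented as an added Python example (not era's code and not procmail) so they can be run over constructed header blocks; the addresses, IPs and the local-part "msaroff" in the samples are placeholders modelled on the headers quoted above.

```python
import re
from email import message_from_string

# Constructed sample mimicking the quoted spam: eight-digit From:, a UUnet
# dial-up IP in Received:, the Stealth mailer's "-0600 (EST)", a freemail
# To: that is not ours, and a Message-Id without an @.
SAMPLE_SPAM = """\
From: 79110800@compuserve.com
Received: from mail.example.invalid ([153.36.120.50]) by mx.example.invalid; Tue, 7 Oct 1997 15:06:25 -0600 (EST)
To: mailsubs@hotmail.com
Message-Id: <(2cust86.max8.tampa.fl.ms.uu.net[154.15.136.45])>
Subject: constructed sample

body
"""

# Constructed legitimate message: none of the four clues present.
SAMPLE_HAM = """\
From: alice@example.invalid
Received: from relay.example.invalid ([192.0.2.10]) by mx.example.invalid; Tue, 7 Oct 1997 15:06:25 +0200
To: msaroff@example.invalid
Message-Id: <19971007150625.AA123@relay.example.invalid>
Subject: constructed sample

body
"""

EIGHT_DIGIT_FROM = re.compile(r"^[0-9]{8}@")          # procmail lacks {8}; Python has it
UUNET_DIALUP_IP = re.compile(r"\[153\.3[4-6]\.")       # [153.34.x.x] .. [153.36.x.x]
BOGUS_TZ = re.compile(r" -0600 \(EST\)")               # impossible zone/abbrev pair
FREEMAIL_TO = re.compile(r"@(aol|compuserve|hotmail)\.com", re.I)
VALID_MSGID = re.compile(r"^\s*<[^\s<>@]+@[^\s<>@]+>\s*$")


def spam_reasons(raw, my_local_part):
    """Return the list of recipe-style clues that fire on a raw RFC 822 message."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])
    reasons = []
    if EIGHT_DIGIT_FROM.search(msg.get("From", "")) and any(UUNET_DIALUP_IP.search(r) for r in received):
        reasons.append("8-digit From via UUnet dialup")
    if any(BOGUS_TZ.search(r) for r in received):
        reasons.append("forged Received with -0600 (EST)")
    # Mirrors "^To:.*@(...)\.com" plus "! ^TO_msaroff": freemail To: and we are not a recipient.
    recipients = " ".join(msg.get_all("To", []) + msg.get_all("Cc", []))
    if FREEMAIL_TO.search(msg.get("To", "")) and my_local_part.lower() not in recipients.lower():
        reasons.append("To: is a freemail address that is not mine")
    if not VALID_MSGID.match(msg.get("Message-Id", "")):
        reasons.append("malformed Message-Id")
    return reasons
```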
