At 02:19 PM 10/7/97 -0500, Matthew G. Saroff wrote:
> Oops, sorry for not including the header for the stuff I got mentioning
> cyberpromo. It had the removeme address.
> How do I block this stuff?
[snip - many headers involved with internal mail forwarding]
It probably wouldn't hurt if you identified which of the headers were known
"good" to you (part of your own mail routes), and which were alien. Also,
what exactly flags this as a cyberpromo spam? Did something in the body
identify it (savetrees.com or answerme.com being common identifiers),
because nothing in the headers says this is from the SpamMeister.
> From: 79110800@compuserve.com
Ah, the old all-numeric (not even a dot) source address, of exactly 8
digits in length. The archive has a couple of recent discussions on how to
weed out these messages. This alone would have kept this message from
getting into my inbox.
# Okay, if the From contains an 8-digit numeric-only address, ditch it
# as spam (this seems to be a new popular spammage technique - an 8-digit
# random number).
# an example for 3-10 digits:
#* ^From:[ ]*[0-9][0-9][0-9][0-9]?[0-9]?[0-9]?[0-9]?[0-9]?[0-9]?[0-9]?@.*
:0: $TEMP/twits$LOCKEXT
* ^From:[ ]*[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]@.*
|/bin/gzip -9fc>>$MAILDIR/twits.gz
> Received: from moose.erie.net (moose.erie.net [208.138.204.11])
>  by blackbox.pobox.com (8.8.5/8.8.5) with ESMTP id PAA26090
>  for <msaroff(_at_)pobox(_dot_)com>; Tue, 7 Oct 1997 15:05:38 -0400 (EDT)
> Received: from netsource.com(2cust94.max2.orlando.fl.ms.uu.net[145.36.156.24]) by
>  nethost(_at_)webmaster(_dot_)com)[156.23.124.125])(1Cust107.max4.miami.fl.ms.uu.net[154.24.123.105])
>  (8.8.5/8.6.5) with SMTP id GAA04603 for <mailsubs(_at_)hotmail(_dot_)com>;
>  Tue, 07 Oct
Looks weird - this wasn't sourced to you. Or is this hotmail address
yours, which forwards to pobox, which forwards to ... ?
I'm personally about ->this<- close to blacklisting hotmail, bigfoot,
freemark, and juno. I've yet to see anything but junk from any of them.
Free mail services for people who don't want to use their own address for a
reason...
> Message-Id: <(2cust86.max8.tampa.fl.ms.uu.net[154.15.136.45])>
Is this a valid messageid? I don't think so - parentheses in the brackets,
the IP address in square brackets, the missing @ sign. What else?
I would expect this field to have at least an "@" followed by text, like so
from the example in RFC822:
Message-ID: <4231.629.XYzi-What@Other-Host>
I'll let you play with the regexp for this one -- I check for nonexistent,
empty, and a couple of other screwed up forms. I've never seen one like
this, but then, that might have more to do with the fact that this message
would have been trashed on two other criteria anyway.
> X-Uidl: 2610431056a78aeb1b128fda426c9a5e
Always popular with me. Zap X-UIDL messages unless your mailer injects
them. Again, you can find other messages on this topic in the archives.
And again, the presence of this header (at least for me) would have kept
this message from ending up in my inbox.
# X-UIDL header present.
# Note that according to the POP3 spec, this header MIGHT be inserted by a
# POP3 server (though the spec doesn't NAME it as such), since procmail is
# pulling the message from the mailspool PRIOR to any POP activity (excepting
# if FETCHMAIL is used), this header shouldn't be inserted by OUR mailer, and
# it simply shouldn't be present otherwise - excepting crappy mail clients
# someone might be using elsewhere to SEND the message to us.
# If you're concerned about false hits, add the 'c' flag (copy), and file
# the copy in a UIDL-specific folder, and check it periodically to verify
# that the folder does indeed contain only spam.
:0: $TEMP/twits$LOCKEXT
* ^X-UIDL:.*
|/bin/gzip -9fc>>$MAILDIR/twits.gz
---
Please DO NOT carbon me on list replies. I'll get my copy from the list.
Sean B. Straw / Professional Software Engineering
Post Box 2395 / San Rafael, CA 94912-2395
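
An added example, not part of the original message: a shell dry-run of the three header heuristics discussed above (8-digit numeric From, malformed Message-ID, X-UIDL present), so the patterns can be checked against saved mail before they go into a .procmailrc. The function names, the sample messages and the Message-ID shape test are assumptions made for this illustration; the author's own Message-ID checks are not shown in the message.

```shell
#!/bin/sh
# Added example (not from the original message): dry-run the three header
# heuristics on a saved mail before committing them to a .procmailrc.

# Emit only the header block, unfolding continuation lines.
headers() {
    awk '
        /^$/     { exit }                       # blank line ends the headers
        /^[ \t]/ { sub(/^[ \t]+/, " "); buf = buf $0; next }
                 { if (buf != "") print buf; buf = $0 }
        END      { if (buf != "") print buf }
    '
}

# Read one message on stdin; print one tag per heuristic that fires.
spam_hits() {
    h=$(headers)
    # From: address whose local part is exactly 8 digits (the recipe above).
    if printf '%s\n' "$h" | grep -Eiq '^From:[[:space:]]*[0-9]{8}@'; then
        echo numeric-from
    fi
    # Message-ID missing, empty, or not shaped like <left@right>.
    # Assumption: parentheses, spaces and a missing "@" all count as bad.
    if ! printf '%s\n' "$h" | grep -Eiq \
        '^Message-ID:[[:space:]]*<[^<>()@[:space:]]+@[^<>()@[:space:]]+>[[:space:]]*$'; then
        echo bad-message-id
    fi
    # X-UIDL present at delivery time.
    if printf '%s\n' "$h" | grep -Eiq '^X-UIDL:'; then
        echo x-uidl
    fi
    return 0
}

# Constructed samples (documentation-range names and addresses).
sample_spam() {
    printf '%s\n' 'From: 12345678@example.com' \
        'Received: from relay.example.net ([192.0.2.10])' \
        '    by mx.example.org with SMTP id AAA00001' \
        'Message-Id: <(dialup.example.net[192.0.2.45])>' \
        'X-UIDL: 0123456789abcdef0123456789abcdef' \
        'Subject: constructed sample' '' 'X-UIDL: body text, not a header'
}
sample_ham() {
    printf '%s\n' 'From: alice@example.org' \
        'Message-ID: <4231.629.XYzi-What@Other-Host>' \
        'Subject: constructed sample' '' 'hello'
}

sample_spam | spam_hits      # prints the three tags
sample_ham  | spam_hits      # prints nothing
```

The grep patterns use `{8}` and `[[:space:]]` for brevity; procmail's own matcher does not accept those, which is why the recipe above spells out eight `[0-9]` in a row.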