procmail

RE: Anti-Spam rules?

1997-11-04 23:32:59
On Monday, November 03, 1997 22:11, Ken Laberteaux 
[SMTP:klaberte(_at_)iname(_dot_)com] wrote:

Question:  What procmail rules have people found to be the
most effective in eliminating spam?

Please reply directly via email.
  OK, but also a copy to the list.  My current algorithm is
not based on what to reject, but on what to accept.  It
accepts anything addressed...
  TO - either me or one of the mailing lists I subscribe to.
  FROM - my ISP or one of the mailing lists I subscribe to.
  It also does secondary filtering on IP address blocks used
by known spammers (I've included 3 examples).

########## PART 1 ###########
  This is the "accept" filter.  It decides what messages
will be considered for acceptance.
  My logon ID is "waltdnes"; I subscribe to Mapinfo, RISKS,
Reform, and (of course) to this "procmail" list.  Note that
I don't put the entire address line in the filter now.
Shortly after I got procmail going, one of my lists changed
its server, and procmail lost a day's worth of email from
that list until I changed the filter.  Lesson - filter on the
list name/topic, which should stay constant even if it's
moved to another server.  If an email doesn't meet at least
one of the above conditions, its header is saved to my
logfile.  That's where I collect spammer IP address blocks.

# H = match on the header only; i = ignore write errors.
# Both conditions are negated: a message is logged (and not delivered)
# only when it is neither from nor to any of the accepted names.
:0Hi
* !^(Sender|From|Reply-To):.*(interlog\.com|mapinfo|majordom|list\-owner|risks|csl\.sri\.com|reform|autoreply)
* !^(To|Cc|Bcc):.*(waltdnes|mapinfo|procmail|risks|csl\.sri\.com|reform)
{

LOG="////////////////////////////////////////
"
       :0ih
       $LOGFILE
}

########## PART 2 ###########
  This is the "reject" part of my filter.  It blocks out
certain IP-address ranges used by known spammers.  It's
only a $50 or $100 per month "cost of doing business" to
buy a new domain name or two from InterNIC.  Just like
germs and viruses outsmarting antibiotics, these guys
mutate their domain names so that our filters don't
recognize them.  And let's not forget the sleaze-artists
who skip that step and forge domain names outright.
However, your ISP should insert a "Received: from"
header giving the correct IP address of the system that
handed over the email.
  If you look at the "Received: from" headers, the
address you want is the first machine outside of your ISP
or firewall.  Of course, it's up to your discretion if
you want to block out an entire ISP because it was used
by spammers once or twice.  If the "Received: from" IP
address is like abc.def.ghi.jkl, use the Unix command...
  whois full net abc.def.ghi
...to get the owner and range of the IP block.
  Note 1) Use only the first 3 parts of the IP address;
          Do *NOT* use the full address.
  Note 2) You'll occasionally get a hierarchy listing.
          E.g. AGIS with a whole large block, and the
          "late great" Cyberpromo would own a sub-block
          within the larger block.  You could filter
          Cyberpromo's block.

# Filter "honest spammers"; Lines 1..3
# Filter Cyberspace Info Systems (NETBLK-NINT-CFC74400) 207.199.68.0 - 207.199.69.255
# Filter Why Networks (NETBLK-CRLWHY2) 207.211.120.0 - 207.211.121.255
# Filter Corporate Computer World (NETBLK-PBI-CUSTNET-1208) 207.212.65.0 - 207.212.65.255
# H = match on the header only; i = ignore write errors.
# Every condition is negated, so mail reaches $DEFAULT only when none of
# the spam markers is present; anything else falls through to the logfile.
# The netblock patterns end in \.[0-9]+\] so they match a full bracketed
# address such as [207.199.69.12], not just the first three octets.
:0Hi
* !^X\-Advertisement:.*
* !^X\-[0-9]:.*(iemmc.com|remov)
* !^X\-[0-9][0-9]:.*(iemmc.com|remov)
* !\[207\.199\.6[8-9]\.[0-9]+\]
* !\[207\.211\.12[0-1]\.[0-9]+\]
* !\[207\.212\.65\.[0-9]+\]
$DEFAULT

LOG="////////////////////////////////////////
"
       :0ih
       $LOGFILE

############ END #############

 Walter Dnes
 <waltdnes(_at_)interlog(_dot_)com>

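The same two-stage policy (accept on addressing, then reject on the hand-off netblock taken from the Received: chain), written here as an added Python example rather than the poster's own procmail. It assumes the placeholder prefix 198.51.100.0/24 stands for "my ISP or firewall", and the sample headers are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Accept-list tokens taken from the Part 1 recipe above.
SENDER_OK = ("interlog.com", "mapinfo", "majordom", "list-owner", "risks",
             "csl.sri.com", "reform", "autoreply")
RCPT_OK = ("waltdnes", "mapinfo", "procmail", "risks", "csl.sri.com", "reform")
# Part 2 netblocks from the post, written as CIDR prefixes.
BLOCKED = [ipaddress.ip_network(n) for n in
           ("207.199.68.0/23", "207.211.120.0/23", "207.212.65.0/24")]
# Assumption: placeholder prefix standing in for the reader's own ISP.
OWN_ISP = ipaddress.ip_network("198.51.100.0/24")
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def handoff_ip(msg):
    """First bracketed address in the Received: chain (newest header first)
    that lies outside OWN_ISP, i.e. the machine that handed the mail over."""
    for hdr in msg.get_all("Received", []):
        for m in BRACKET_IP.finditer(hdr):
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:          # e.g. an octet above 255
                continue
            if ip not in OWN_ISP:
                return ip
    return None

def classify(raw):
    """Return 'inbox' or 'log', mirroring the two procmail recipes."""
    msg = message_from_string(raw)
    sender = " ".join(msg.get(h, "") for h in ("Sender", "From", "Reply-To")).lower()
    rcpt = " ".join(msg.get(h, "") for h in ("To", "Cc", "Bcc")).lower()
    # Part 1: neither a known sender nor a known recipient -> header to logfile.
    if not (any(t in sender for t in SENDER_OK) or any(t in rcpt for t in RCPT_OK)):
        return "log"
    # Part 2: addressing is fine, but the hand-off host sits in a blocked netblock.
    ip = handoff_ip(msg)
    if ip is not None and any(ip in net for net in BLOCKED):
        return "log"
    return "inbox"

# Constructed sample headers (not real mail).
LIST_MAIL = ("Received: from gw.isp.example [198.51.100.7]\n"
             "Received: from lists.example.org [203.0.113.9]\n"
             "From: procmail-owner@example.org\nTo: waltdnes@interlog.com\n\nhi\n")
BLOCKED_MAIL = ("Received: from gw.isp.example [198.51.100.7]\n"
                "Received: from promo.example.net [207.199.69.12]\n"
                "From: offers@example.net\nTo: waltdnes@interlog.com\n\nbuy\n")
STRANGER_MAIL = "From: x@example.net\nTo: y@example.net\n\nhello\n"
```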