
Re: junk email header

1998-01-16 08:26:40
On Fri, 16 Jan 98 07:36:15 CST, dwhawk(_at_)southwind(_dot_)net (Don Hawkinson)
wrote:
> Is there anything in the following header that would identify it as
> junk email?

Perhaps Spam-L would be a better forum for this?

> Return-Path: <0Vt3pYIbi(_at_)prodigy(_dot_)com>

prodigy.com is suspect in and of itself, like the Earthlink of
yesteryear. You could try to construct a heuristic for matching
"random strings" in the user ID of an e-mail address, but it will
probably bite back hard.

> Received: from 4dPT8Qp41 (port44.nanu.prodigy.net [204.237.245.44])
>      by ixc.ixc.net (8.8.5/8.8.5) with SMTP id GAA13998;
>      Fri, 16 Jan 1998 06:08:34 -0500 (EST)

This is a pretty good sign of a forgery, or at least a potential
forgery. If the "Received: from X" is ridiculously different from
what's in the parentheses after it, it's suspect (but this, too, is
merely a good guess). 

> DATE: 16 Jan 98 6:02:31 AM

I'd be somewhat wary of any software that uppercases stuff ... :-/

> Reply-to: ddd2961(_at_)prodigy(_dot_)com

Reply-to in the same domain as the From: -- again, not necessarily a
spammer stigma, but perhaps something you can score a little bit on.

> Message-ID: <jJC8duq(_at_)4ukg8A96lmhg8>

The Message-Id doesn't contain a valid host name. Legitimate software
does this, too, but it's another thing to look out for. 

> Received: From sony300 by ibm266;Fri, 16 Jan 1998 6:2:31 -400 (EDT)

I throw away stuff that has Received: lines beneath From:. 

> TO: ddd2961(_at_)prodigy(_dot_)com

Well, it's not for you, and you can rather safely assume that stuff
that is not from a mailing list but still has To: equal to Reply-To:
is spam. 

> SUBJECT: secrets of making money now

My personal filters score on several of the buzzwords here. 

> X-UIDL: 5a0246e04e1341cd527dedb7e196eed1

If you're not using POP yourself, this is usually a pretty good sign
you don't want this message. (You should perhaps check that it was not
resent to you by someone who does use POP.)

Here are the relevant Procmail recipes I use myself:

    ## Before these recipes I have something to make sure LINEBUF
    ## doesn't get exceeded by very long MATCHes

    ## Not from a daemon or mailing list, and To: is byte-for-byte
    ## identical to From: or Reply-To:
    :0
    * ! ^FROM_DAEMON
    * ^To: \/.*
    * $ ^\/(From|Reply-To): $\MATCH
    { REJECT="$REJECT${REJECT:+$NL}${REJ}To: equals $MATCH" }

    ## A Received: line found below a From:, Message-Id: or Date: line;
    ## the second condition extracts which of those headers it was
    :0
    * ^\/(From|Message-Id|Date):.*$Received:
    * MATCH ?? ^^\/[^:]*:
    * -1^0
    * $ $SPAM^0
    { REJECT="$REJECT${REJECT:+$NL}${REJ}Received: after $MATCH" }

Look in the archives for references to X-UIDL -- there have been
numerous recipes posted for this. (I believe I've posted the above two
at one point or another as well. You might want to investigate over at
<http://www.rosat.mpe-garching.mpg.de/mailing-lists/procmail/> -- this
is a surfable archive of this list.)

You'd replace the stuff in the brackets with whatever you do with your
spam. Because I want to see which of my recipes catch the most spam, I
merely collect all matches in REJECT and throw away the spam only at
the end of my spam.rc if REJECT is nonempty. Replace with an action of
your choice, in other words.

As a general tip, try one of the existing antispam recipe collections
unless you're certain you want to roll your own. Pointers to several
are at <http://www.iki.fi/~era/procmail/links.html>

Hope this helps,

/* era */

-- 
 Paparazzi of the Net: No matter what you do to protect your privacy,
  they'll hunt you down and spam you. <http://www.iki.fi/~era/spam/>
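The heuristics walked through in the post above, collected into one checker, as an added example that is not era's code and not part of the original message. It is written in Python rather than as procmail recipes so the header order logic is explicit; the buzzword list, the hostname regex, and the "last two labels must agree" rule for the HELO versus reverse-DNS comparison are assumptions of this example. The sample header is the one quoted in the post with the archive's (_at_)/(_dot_) obfuscation undone; the clean control message is constructed.

```python
import re

# Constructed sample: the header block quoted in the post, with the archive's
# (_at_)/(_dot_) obfuscation undone. Field order is preserved on purpose.
SAMPLE_HEADER = """\
Return-Path: <0Vt3pYIbi@prodigy.com>
Received: from 4dPT8Qp41 (port44.nanu.prodigy.net [204.237.245.44])
    by ixc.ixc.net (8.8.5/8.8.5) with SMTP id GAA13998;
    Fri, 16 Jan 1998 06:08:34 -0500 (EST)
DATE: 16 Jan 98 6:02:31 AM
Reply-to: ddd2961@prodigy.com
Message-ID: <jJC8duq@4ukg8A96lmhg8>
Received: From sony300 by ibm266;Fri, 16 Jan 1998 6:2:31 -400 (EDT)
TO: ddd2961@prodigy.com
SUBJECT: secrets of making money now
X-UIDL: 5a0246e04e1341cd527dedb7e196eed1
"""

# Constructed control message that should trip none of the checks.
CLEAN_HEADER = """\
Return-Path: <alice@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx.example.net (8.8.5/8.8.5) with ESMTP id AAA00001;
    Fri, 16 Jan 1998 06:08:34 -0500 (EST)
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Date: Fri, 16 Jan 1998 06:00:00 -0500
Message-ID: <19980116110000.A123@mail.example.org>
Subject: lunch on Friday?
"""

FIELD_RE = re.compile(r"^([!-9;-~]+):\s*(.*)$")               # RFC 822 field name, no ':'
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")
HOSTNAME_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")  # assumed: needs a dot
# "from HELO (reverse-dns [ip])" as written by sendmail-style MTAs
RECEIVED_FROM_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[\]()]+)?\s*\[([0-9.]+)\]\)", re.I)
BUZZWORDS = ("secrets", "money", "now", "free")               # assumed list, not era's


def parse_headers(raw):
    """Return (name, value) pairs in wire order, unfolding continuation lines."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break                        # blank line ends the header block
        if line[0] in " \t" and fields:  # folded continuation of previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
            continue
        m = FIELD_RE.match(line)
        if m:
            fields.append((m.group(1), m.group(2)))
    return fields


def addrs_of(fields, name):
    """Lower-cased set of addresses in every field called `name`."""
    return {a.lower() for n, v in fields if n.lower() == name for a in ADDR_RE.findall(v)}


def received_after_origin(fields):
    """Name of the first From:/Message-Id:/Date: that has a Received: below it."""
    origin = None
    for name, _ in fields:
        lname = name.lower()
        if origin is None and lname in ("from", "message-id", "date"):
            origin = name
        elif origin is not None and lname == "received":
            return origin
    return None


def helo_mismatch(fields):
    """(helo, rdns) from the topmost Received: (the only one your own MTA wrote)
    when the HELO name has no dot or a different domain than the reverse DNS."""
    for name, value in fields:
        if name.lower() != "received":
            continue
        m = RECEIVED_FROM_RE.search(value)
        if m:
            helo, rdns = m.group(1).lower(), (m.group(2) or "").lower()
            if "." not in helo or helo.split(".")[-2:] != rdns.split(".")[-2:]:
                return helo, rdns
        break                            # lower Received: lines are unverified
    return None


def score_headers(raw):
    """Apply the post's heuristics; return a list of reasons (empty = looks clean)."""
    fields = parse_headers(raw)
    reasons = []
    if addrs_of(fields, "to") & (addrs_of(fields, "from") | addrs_of(fields, "reply-to")):
        reasons.append("To: equals From:/Reply-To:")
    origin = received_after_origin(fields)
    if origin:
        reasons.append(f"Received: after {origin}:")
    for n, v in fields:
        if n.lower() == "message-id":
            host = v.split("@", 1)[1].strip("<> ") if "@" in v else ""
            if not HOSTNAME_RE.fullmatch(host):
                reasons.append(f"Message-ID host '{host}' is not a host name")
    mm = helo_mismatch(fields)
    if mm:
        reasons.append(f"HELO name '{mm[0]}' does not match reverse DNS '{mm[1]}'")
    upper = [n for n, _ in fields if n.isupper() and n.lower() in ("date", "to", "from", "subject")]
    if upper:
        reasons.append("uppercased field names: " + ", ".join(upper))
    if any(n.lower() == "x-uidl" for n, _ in fields):
        reasons.append("X-UIDL: present on a message that never went through your POP")
    hits = [w for n, v in fields if n.lower() == "subject"
            for w in BUZZWORDS if re.search(rf"\b{w}\b", v, re.I)]
    if hits:
        reasons.append("Subject buzzwords: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    for reason in score_headers(SAMPLE_HEADER):
        print("REJECT:", reason)
    print("clean message:", score_headers(CLEAN_HEADER))
```

Like era's spam.rc, this collects every reason rather than stopping at the first hit, so you can see which check is doing the work before deciding what to throw away. Only the topmost Received: line is used for the HELO comparison, since everything below it was written by machines you cannot vouch for.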
