We've been getting some spam from a really sleazy
operator recently. They send their crap as being
"From: MAILER-DAEMON", note the incomplete address.
Sendmail defaults to slapping on the suffix @<your ISP>.
At Interlog, it says "From: MAILER-DAEMON(_at_)interlog(_dot_)com",
which nobody would normally filter out.
I think I've come up with a filter to trap this sleaze,
while letting legitimate stuff through, but I need to test
it out. If there is anybody on this list who can set up
their machine to send a short test message to me...
<waltdnes(_at_)interlog(_dot_)com>
...with the "From:" name *NOT* having the "@<ISPname>", I'd
appreciate it. Here's the filter I'm trying. It's a first
cut, clunky, and it *MUST* be the *LAST* filter in the
.procmailrc file. I'd appreciate any improvements. Replace
all occurrences of "interlog" with your ISP's name...
# Trap for sendmail sleaze stunt, where sleazy
# spammer sends email with incomplete "From:"
# address, and expects sendmail to append
# @<your ISP>. Two conditions under which this is
# *NOT* checked...
# 1 - If not "From: somebody@<your ISP>"
# 2 - If via one of your mailing lists. This is
# the only condition under which you expect
# "From: somebody@<your ISP>", but outside
# ISP's listed in "Received: from" headers.
:0
* 1^0 !^From:.*.@interlog\.
* 1^0 ^(To|Cc|Bcc):.*(procmail|risks@)
$DEFAULT
# Count the number of *ALL* "Received: from" headers.
# Subtract the count of "Received: from" headers
# originating from your ISP. Counts should be
# equal and result should be zero, which will
# skip the delivery to JUNKMAIL. If any of the
# "Received: from" headers is *NOT* from your ISP
# the result will be a positive number, which
# will invoke delivery to JUNKMAIL (LOGFILE).
:0
* 1^1 ^Received: from.*.
* -1^1 ^Received: from.*.interlog\..*.by.*.interlog\.
{
LOG="///////////////////// Sendmail sleaze stunt
"
:0: sendmail.lock
$LOGFILE
}
--
Walter Dnes (Toronto)
<waltdnes(_at_)interlog(_dot_)com>
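
The scoring logic of the two recipes above, emulated in Python over constructed messages so it can be tried without sending test mail. This is an added example, not part of the original post; the function names, host names and addresses are assumptions made up for the illustration.

```python
import re
from email import message_from_string

def header_lines(raw):
    # procmail matches against unfolded headers, so join continuation lines.
    msg = message_from_string(raw)
    return [f"{k}: {' '.join(v.split())}" for k, v in msg.items()]

def classify(raw, isp="interlog", lists=r"procmail|risks@"):
    """Return 'default' or 'junk' using the same scoring as the two recipes."""
    lines = header_lines(raw)
    count = lambda pat: sum(1 for l in lines if re.search(pat, l, re.I))
    # Recipe 1: skip the check if From: is not @<isp>, or mail came via a list.
    score = 0 if count(rf"^From:.*.@{isp}\.") else 1
    score += 1 if count(rf"^(To|Cc|Bcc):.*({lists})") else 0
    if score > 0:
        return "default"
    # Recipe 2: +1 per "Received: from", -1 per hop that stayed inside the ISP.
    total = count(r"^Received: from.*.")
    local = count(rf"^Received: from.*.{isp}\..*.by.*.{isp}\.")
    return "junk" if total - local > 0 else "default"

# Constructed samples (hypothetical hosts). FORGED has one outside hop, written
# as a folded header, and a From: that sendmail has completed with the ISP name.
FORGED = (
    "Received: from mail.interlog.com by pop.interlog.com\n"
    "Received: from relay.example.net\n"
    "\tby mail.interlog.com\n"
    "From: MAILER-DAEMON@interlog.com\n"
    "To: user@interlog.com\n\n"
)
# A genuine local bounce: every hop is inside the ISP.
LOCAL = (
    "Received: from mail.interlog.com by pop.interlog.com\n"
    "From: MAILER-DAEMON@interlog.com\n"
    "To: user@interlog.com\n\n"
)
# A local subscriber's post coming back through an outside mailing list.
LIST = (
    "Received: from lists.example.org by mail.interlog.com\n"
    "From: someone@interlog.com\n"
    "To: procmail@lists.example.org\n\n"
)

if __name__ == "__main__":
    for name, raw in (("FORGED", FORGED), ("LOCAL", LOCAL), ("LIST", LIST)):
        print(name, classify(raw))
```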