procmail

MAILER-DAEMON@<your ISP> procmail filter

1998-02-07 19:43:49
Thanks to those who tried to help me with my filter testing.
So far, nobody got it to work, but david hunt <dh(_at_)west(_dot_)net>,
came up with the *REAL* solution, namely that I should run...

procmail -m testrc <SPAM.TXT

  I can now verify that my filter works.  I've also optimised
it so it now works in one stage instead of two, and it no
longer needs to be the last filter executed.  It can still
give false positives with mailing lists, so those messages
have to be skipped.  BTW, this filter catches forged email
"From: anybody+everybody@<your ISP>", not just MAILER-DAEMON.
In the example that follows, my ISP is "interlog", and my
subscribed mailing lists are procmail and risks.  Since
interlog owns both "interlog.com" and "interlog.net" domains,
I've cut the comparison down to the string "interlog."

###################################################
:0
* -1000000^0 !^From:.*.@interlog\.
* -1000000^0 ^(To|Cc|Bcc):.*(procmail|risks@)
*  1^1 ^Received: from.*.
* -1^1 ^Received: from.*.interlog\..*.by.*.interlog\.
{
LOG="///////////////////// Sendmail sleaze stunt
"
:0: sendmail.lock
$LOGFILE
}
###################################################

    Here's how it works...
1) * -1000000^0 !^From:.*.@interlog\.
   If it's not allegedly from my ISP, there is no need for
testing, so assign -1000000 to effectively kill the test.

2) * -1000000^0 ^(To|Cc|Bcc):.*(procmail|risks@)
   If it's from one of my subscribed mailing lists, don't
test, so assign -1000000 to effectively kill the test.

3) *  1^1 ^Received: from.*.
   Add up the count of all occurrences of "Received: from"
header lines.

4) * -1^1 ^Received: from.*.interlog\..*.by.*.interlog\.
   Subtract the count of all occurrences of...

Received: from <some.machine.>interlog.com by
          <another.machine.>interlog.com

  Let's assume that the message claims to be
"From: somebody@<your ISP>", and it's not from one of your
mailing lists.  In the case of a message that is actually from
the same ISP, the entire path should be in your ISP's system.
Items 3 and 4 will match an equal number of lines, and the
resulting score will be zero.  The recipe will *NOT* deliver
to $LOGFILE.
    If it's a forgery from outside your system, one of the
"Received:" headers will look something like so...

Received: from mail.t-1net.com ([209.136.153.190])
        by gold.interlog.com (8.8.5/8.8.5) with ESMTP id HAA26929
        for <waltdnes@interlog.com>; Sun, 25 Jan 1998 07:39:09 -0500 (EST)

...then line 4) won't match.  The score will be positive, and
delivery (to $LOGFILE) will occur.
  Note that in the case of a message from you (or anybody else
at your ISP) to one of your subscribed mailing lists, you can
legitimately see "From: somebody@<your ISP>", as well as headers
from external machines (at the very least, from the list-server
machine).  This is why mailing lists need to be exempted from
the test.

-- 
Walter Dnes (Toronto)
<waltdnes(_at_)interlog(_dot_)com>
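The scoring logic of the recipe above, reimplemented in Python as an added example (this is not code from the post or from procmail). It mirrors the four weighted conditions: a fixed -1000000 when the From: does not claim the ISP, a fixed -1000000 when a subscribed list is addressed, +1 per "Received: from" header, and -1 per hop that stays inside the ISP. Assumptions: procmail regexes are case-insensitive, so the Python patterns use re.IGNORECASE; folded header lines are unfolded before matching; the ISP string "interlog." and the list names "procmail" and "risks@" are taken from the post; the three sample messages are constructed for the example, with only the external Received: line copied from the post.

```python
import re

ISP = "interlog."                 # from the post: matches both interlog.com and interlog.net
LISTS = ("procmail", "risks@")    # from the post: subscribed mailing lists to exempt


def unfold_headers(raw: str) -> list:
    """Return the header block as one string per header, continuation lines joined."""
    header_text = raw.split("\n\n", 1)[0]          # headers end at the first blank line
    headers = []
    for line in header_text.splitlines():
        if line[:1] in (" ", "\t") and headers:    # RFC 822 folded continuation
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def score_message(raw: str, isp: str = ISP, lists: tuple = LISTS) -> int:
    """Compute the score the procmail recipe would assign; > 0 means 'deliver to $LOGFILE'."""
    headers = unfold_headers(raw)
    flags = re.IGNORECASE
    from_isp = re.compile(r"^From:.*.@" + re.escape(isp), flags)
    to_list = re.compile(r"^(To|Cc|Bcc):.*(" + "|".join(re.escape(n) for n in lists) + ")", flags)
    internal_hop = re.compile(r"^Received: from.*." + re.escape(isp) + r".*.by.*." + re.escape(isp), flags)
    received = re.compile(r"^Received: from", flags)

    score = 0
    # 1) negated condition: scores -1000000 when no From: header claims the ISP
    if not any(from_isp.match(h) for h in headers):
        score -= 1_000_000
    # 2) any To/Cc/Bcc naming a subscribed list also kills the test
    if any(to_list.match(h) for h in headers):
        score -= 1_000_000
    # 3) +1 per "Received: from" header; 4) -1 per hop entirely inside the ISP
    for h in headers:
        if received.match(h):
            score += 1
            if internal_hop.match(h):
                score -= 1
    return score


def is_forged_isp_sender(raw: str) -> bool:
    """True when the recipe would log the message as a forged '@<your ISP>' sender."""
    return score_message(raw) > 0


# Constructed sample: genuinely internal message, every hop inside the ISP -> score 0
INTERNAL_MSG = """Received: from home.interlog.com (home.interlog.com [192.0.2.20])
        by gold.interlog.com (8.8.5/8.8.5) with ESMTP id AAA00001
From: friend@interlog.com
To: waltdnes@interlog.com
Subject: constructed internal message

body
"""

# Constructed sample: From: claims the ISP but the first hop is external -> score 1
# (the external Received: line is the one shown in the post)
FORGED_MSG = """Received: from mail.t-1net.com ([209.136.153.190])
        by gold.interlog.com (8.8.5/8.8.5) with ESMTP id HAA26929
        for <waltdnes@interlog.com>; Sun, 25 Jan 1998 07:39:09 -0500 (EST)
From: somebody@interlog.com
To: waltdnes@interlog.com
Subject: constructed forged message

body
"""

# Constructed sample: ISP sender posting to a subscribed list -> exempted (score -999999)
LIST_MSG = """Received: from listserv.example.org ([192.0.2.10])
        by gold.interlog.com (8.8.5/8.8.5) with ESMTP id AAA00002
From: someone@interlog.com
To: procmail@lists.example.org
Subject: constructed list message

body
"""

if __name__ == "__main__":
    for name, msg in (("internal", INTERNAL_MSG), ("forged", FORGED_MSG), ("list", LIST_MSG)):
        print(f"{name:9s} score={score_message(msg):>9d} flagged={is_forged_isp_sender(msg)}")
```

The three samples correspond to the three cases the post walks through: an all-internal path nets to zero, a message with an external hop leaves a positive remainder, and a list posting is suppressed by the -1000000 weight even though it carries an external hop.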

