procmail

Re: Spam from (Forged) Numeric Accounts

1998-02-16 23:11:11
(carboned at request)

At 09:42 PM 2/16/98 -0700, Felix Tilley wrote:
Era warned me this would eventually happen.  Goodnet is using Procmail
3.10.  I have no control over what version they use.  It is an unsupported
product at Goodnet.

Uhm, couldn't you download a newer version and compile it in your
userspace?  Or is it that Goodnet has it configured as their local delivery
agent?

Simple answer:

* ^From:.*[     <][0-9]+@

read that as:
        From:(any number of anything)(space-tab-bracket)(one-or-more-numbers)@domain

        This is a bit generic for my tastes though.

What recipe should I use?  See spam headers below.  The X-UIDL header was
added by Goodnet's POP3 server.  It's legitimate.

Note: If you're processing this in the mailspool, then procmail should be
seeing it before the X-UIDL header is added by your POPMail server.
If you were fetchmailing it via POP though, it would be an issue (though if
you fetchmailed via IMAP, if available, this generally works around that).

Will this work:

* ^From:.*[0-9]+@

Or will this delete email unintentionally?  I am quite willing to delete

No, this is just as good as ditching ALL AOL mail, since this would catch
addresses in the form of (name)(number)@domain, like what happens when
someone wants to sign up and their first name has long since been used by
someone else, and the system suggests they add a number:

        Dave123(_at_)aol(_dot_)com

Also as pointed out elsewhere, MCIMail and CIS users could be filtered out.
 If you have a minimum length of numerics before triggering, then you
should be (moderately) safe.  Five or more with CIS should be okay.  Dunno
for MCI.  I use 8 (for other historical reasons).

        Mon, 16 Feb 1998 07:54:20 -0800
From: "Sorry No Reply(_at_)My(_dot_)Com" <6677887766(_at_)aol(_dot_)com>
Date: Mon, 16 Feb 1998 08:47:36 PST
Subject: Achieve Financial Security and Enjoy Life
Message-ID: <0855a2054151028UPIMSRGSMTP03(_at_)msn(_dot_)com>

Excluding the X-UIDL which you said was locally added, and scanning (not
included) received headers for known spamdomains and possibly bogus
timezones, as-is, this would be caught by three different filters in my
procmail:

        aol.com (among several other large names) is checked for a matching
domain portion in the Message-ID.  See the thread "dealing with address
formatting", where I mentioned this, and some discussion has ensued.  Some
debate its validity, though I find it quite effective.

        8 or more numeric only userids.  Used to be just 8 digits, but they've
been getting bigger.  The particular match I use:

        * ^From:.*[     <]*[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+@

        The keyphrase "Achieve Financial Security" is in my subject killfile.

---
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.

 Sean B. Straw / Professional Software Engineering
 Post Box 2395 / San Rafael, CA  94912-2395
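
Added example (not part of the original post, and not the author's procmail recipes): the three From: conditions from the message, translated to Python regular expressions and run against the quoted spam header and two constructed addresses, to show which legitimate senders each one would catch. The helper names, the way the Message-ID domain check is implemented, and the sample addresses other than the quoted spam are assumptions.

```python
import re

# Python translations of the three From: conditions quoted in the message.
# Assumptions: procmail's default case-insensitive matching, and a bracket
# class of space, tab and "<" per the post's "(space-tab-bracket)" reading.
FLAGS = re.I | re.M
PATTERNS = {
    "any_digits": re.compile(r"^From:.*[0-9]+@", FLAGS),
    "numeric_only": re.compile(r"^From:.*[ \t<][0-9]+@", FLAGS),
    "eight_plus": re.compile(r"^From:.*[ \t<]*[0-9]{7}[0-9]+@", FLAGS),
}

def matching_filters(headers):
    """Return the sorted names of the From: patterns that fire."""
    return sorted(n for n, rx in PATTERNS.items() if rx.search(headers))

def msgid_domain_mismatch(headers, checked=("aol.com",)):
    """True if From: is at a checked domain and Message-ID is not.

    Hypothetical helper: one way to express the Message-ID domain check
    the message describes, not the author's actual recipe.
    """
    frm = re.search(r"^From:.*@([\w.-]+)>?[ \t]*$", headers, FLAGS)
    mid = re.search(r"^Message-ID:.*@([\w.-]+)>", headers, FLAGS)
    if not frm or not mid:
        return False
    f, m = frm.group(1).lower(), mid.group(1).lower()
    return f in checked and not (m == f or m.endswith("." + f))

# Headers from the quoted spam, with the archive's address masking undone.
SPAM = ('From: "Sorry No Reply@My.Com" <6677887766@aol.com>\n'
        'Message-ID: <0855a2054151028UPIMSRGSMTP03@msn.com>\n')
# Constructed legitimate senders (name plus digits).
NAMED = "From: Dave123@aol.com\nMessage-ID: <constructed.1@aol.com>\n"
# As written, eight_plus's delimiter class is starred (optional), so a
# name followed by eight digits matches it as well.
NAMED_LONG = "From: Dave12345678@aol.com\n"

if __name__ == "__main__":
    for label, hdr in (("spam", SPAM), ("named", NAMED), ("long", NAMED_LONG)):
        print(label, matching_filters(hdr), msgid_domain_mismatch(hdr))
```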
