procmail

Trapping RFMS spam mail

1998-04-10 19:41:05
RFMS ("Rapid Fire Mail Server" aka Rude F!!!ing Mail Spammer) is
spreading. Fortunately, its "Received: from" headers leave a
telltale pattern. My ISP is Interlog. Here is the beginning of a
header line from a couple of spams... 

Received: from mx2.mail.interlog.net
(1Cust89.tnt5.redmond.wa.da.uu.net
 [153.37.203.89]) 

Received: from mx2.mail.interlog.net
(ip214.seattle10.wa.pub-ip.psi.net
 [38.28.41.214]) 

Note that each one claims to be from Interlog outside the
parentheses, but the ID inside the parentheses doesn't show
Interlog. To generalize my spam filter I set a variable to
denote my ISP. In my case, because Interlog owns both the
"interlog.com" and "interlog.net" domains...

MYISP="interlog\.(com|net)"

Modify as required to your ISP's domain(s).  According to the
tech people at Interlog, it's the sendmail that is sticking in
the "mx2.mail.interlog.net". Here's the algorithm I use to trap
this sleaze. 

  - Count the "Received: from interlog" headers. Add
    the count to procmail's accumulator. 
  - Count the "Received: from interlog ( interlog [...])"
    headers. Subtract the count from procmail's accumulator. 

If the message was REALLY from somebody at my ISP, then the two
counts should be equal. The subtraction will yield a zero, and
the recipe will not execute. If it's RFMS, at least one of the
headers will not show your ISP's domain inside the parentheses.
The second number will be less than the first number. The
subtraction will yield a positive number, and the recipe in the
braces will execute, and divert the email message. 

# Score the "Received:" headers.  Each header that claims to be from my ISP
# and carries a "(name [addr])" part adds 1; each of those whose name inside
# the parentheses is ALSO my ISP subtracts 1.  Only a positive total
# (at least one header with a foreign host inside the parentheses) fires.
:0
*$  1^1  ^Received:.from.*.$MYISP.*\(.*\[.*\]\)
*$ -1^1  ^Received:.from.*.$MYISP.*\(.*$MYISP.*\[.*\]\)
{
# Leave a marker in the procmail log, then divert the message.
LOG="///////////////////// RFMS spam
"
:0: RFMS.lock
$LOGFILE
}
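The same add/subtract scoring, reimplemented in Python as an added example so the logic can be exercised on sample headers outside procmail. This is not the author's code and not part of the recipe above; the continuation-line unfolding step, the legitimate-looking sample header and its 192.0.2.x address are my own constructions, while the spam header is the first one quoted in the post.

```python
import re
from typing import List

# Same ISP pattern as the procmail recipe; change to your own ISP's domain(s).
MYISP = r"interlog\.(com|net)"

# Python equivalents of the two procmail conditions.  The recipe uses "." to
# stand for a space ("Received:.from"); here the space is written literally.
ADD_RE = re.compile(r"^Received: from .*" + MYISP + r".*\(.*\[.*\]\)")
SUB_RE = re.compile(r"^Received: from .*" + MYISP + r".*\(.*" + MYISP + r".*\[.*\]\)")


def unfold(headers: str) -> List[str]:
    """Join continuation lines (leading whitespace) onto the header they belong to.

    Assumption: a Received: header wrapped across several lines is scored as one line.
    """
    lines: List[str] = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines


def rfms_score(headers: str) -> int:
    """Mirror the procmail accumulator: +1 per ADD_RE match, -1 per SUB_RE match."""
    score = 0
    for line in unfold(headers):
        if ADD_RE.search(line):
            score += 1
        if SUB_RE.search(line):
            score -= 1
    return score


def is_rfms(headers: str) -> bool:
    """The recipe fires only when the total is positive."""
    return rfms_score(headers) > 0


# Constructed message header block using the first Received: line quoted in the post.
SPAM_HEADERS = (
    "Received: from mx2.mail.interlog.net\n"
    "\t(1Cust89.tnt5.redmond.wa.da.uu.net\n"
    "\t[153.37.203.89])\n"
    "From: someone@example.com\n"
    "Subject: constructed sample\n"
)

# Constructed headers for a message that really did pass through the ISP's relay:
# the name inside the parentheses is also an ISP host, so +1 and -1 cancel out.
LEGIT_HEADERS = (
    "Received: from mx2.mail.interlog.net\n"
    "\t(mail.interlog.com [192.0.2.10])\n"
    "Received: from example.org (example.org [192.0.2.20])\n"
    "Subject: constructed sample\n"
)

if __name__ == "__main__":
    print("spam  :", rfms_score(SPAM_HEADERS), is_rfms(SPAM_HEADERS))
    print("legit :", rfms_score(LEGIT_HEADERS), is_rfms(LEGIT_HEADERS))
```

A message with one genuine ISP relay header and one forged one scores 1 - 1 + 1 = 1, so it is still trapped; that is the "at least one header" case the text describes. Swap in your own ISP pattern and a few of your own real headers before relying on the counts.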

To view my entire procmail filters, check out my webpage
http://www.interlog.com/~waltdnes/spamdunk/spamdunk.htm
The target audience for this webpage is intended to include
PC users with only DOS/Windows background.  It may look like
it's talking down to you a bit if you're a regular reader of
this list.

-- 
Walter Dnes (Toronto)
<waltdnes(_at_)interlog(_dot_)com>
