procmail

Re: Spam Recipe: Match Message-id: and From:

1998-04-26 02:51:46
On Sat, 25 Apr 1998, Aaron Schrab wrote:
> At 21:34 -0700 24 Apr 1998, "Felix Tilley" <ftilley(_at_)goodnet(_dot_)com> wrote:
> > I am hoping this will work.  At work, I get lots of spam with Message-id
> > headers assigned by the local incoming mailer machine.  Some spammers don't
> > create Message-id's.  Maybe they are stupid.  I do not know.
>
> First, a lot of spammers will also send messages with unqualified (no
> domain) addresses.  The local MTA will then add the local domain, so
> they'd evade detection.

A good way to avoid this problem is to check Received: headers.

> Second, lots of mail clients don't add their own message id, and if your
> people use your ISP, but a different domain their messages will be
> caught by this.

What legitimate mail clients don't add a Message-Id:?  If they don't,
they're violating RFC 822.

> So, in summary, it can be a good indicator that a message is spam, but
> it shouldn't be used by itself to trash messages.

Not to /dev/null messages, but good enough to spam-folder them.  Any
mail coming from a mailer that didn't add a Message-Id: is questionable
enough for me to filter it.  Thus (from junkfilter):

# Message-ID added by an enroute or local mail machine.
# Conditions: the Message-Id: domain is our own ($JFMAILDOM), the From:
# address carries a domain that is not ours, and the first Received:
# header names (inside the reverse-lookup parentheses) the remote host
# we got the message from.
:0
* $  ^Message-Id:[ 	]+<.*@([-_a-z0-9]+\.)*$JFMAILDOM>
*    ^From:.*@
* $! ^From:.*@([-_a-z0-9]+\.)*$JFMAILDOM
* $  ^Received:.*from.*\(([-_a-z0-9]+\.)*\/[-_a-z0-9]+\.$JFTLD\>
{
        # $MATCH ends with the delimiter that \> matched; strip that
        # last character.  SHELLMETAS is unset around the backtick call
        # so procmail runs expr directly instead of through a shell.
        JFSRCDOM=$MATCH
        TEMPSAVE=$SHELLMETAS
        SHELLMETAS
        JFSRCDOM=`expr "$JFSRCDOM" : '\(.*\).'`
        SHELLMETAS=$TEMPSAVE
        # Second check: our own host received it from that source.
        :0
        * $ ^Received:.*from.*$JFSRCDOM.*by ([-_a-z0-9]+\.)*$JFMAILDOM
        * $ JFSRCDOM ?? $JFMAILDOM
        { JFEXP="$JFSEC: Message-Id added by local mail host, not by source $JFSRCDOM" }
}

GReg
-- 
Gregory S. Sutter                       "How do I read this file?"
mailto:gsutter(_at_)pobox(_dot_)com                "You uudecode it."
http://www.pobox.com/~gsutter/          "I I I decode it?"
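The same three-part check (local Message-Id: domain, non-local From:, source host taken from the Received: line) as an added Python example; it is not part of this post or of junkfilter, and LOCAL_DOMAIN plus the sample headers are constructed:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed example value: our own mail domain (the recipe's $JFMAILDOM).
LOCAL_DOMAIN = "example.org"

def domain_of(addr):
    """Lowercased domain part of an address header value, or None."""
    _, addr = parseaddr(addr or "")
    return addr.rpartition("@")[2].lower() or None

def is_local(domain):
    """True if domain is LOCAL_DOMAIN itself or a host under it."""
    return domain is not None and (domain == LOCAL_DOMAIN
                                   or domain.endswith("." + LOCAL_DOMAIN))

def source_host(msg):
    """Host in the reverse-lookup parentheses of the Received: line
    that shows our own MTA accepting the message, or None."""
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"from\s+\S+\s+\(([-\w.]+)", rcvd, re.I)
        if m and re.search(r"\bby\s+[-\w.]*" + re.escape(LOCAL_DOMAIN), rcvd, re.I):
            return m.group(1).lower()
    return None

def message_id_added_locally(raw):
    """Return the source host when the Message-Id: was stamped by our MTA
    on mail from a non-local sender (the recipe's spam signal), else None."""
    msg = message_from_string(raw)
    m = re.search(r"<[^>@]*@([^>]+)>", msg.get("Message-Id", ""))
    mid_domain = m.group(1).lower() if m else None
    if not is_local(mid_domain):
        return None          # sender's own mailer supplied the Message-Id
    if is_local(domain_of(msg.get("From"))):
        return None          # local sender, so a local Message-Id is expected
    return source_host(msg)

# Constructed sample: the From: is remote but the Message-Id: is ours.
SPAM = """Received: from mailer (bulk.spammer.test [192.0.2.10]) by mx.example.org
From: "Deals" <offers@spammer.test>
Message-Id: <19980426025146.AAA12345@mx.example.org>
Subject: hi

body
"""

# Constructed sample: remote sender whose own host set the Message-Id:.
LEGIT = """Received: from smtp.partner.test (smtp.partner.test [198.51.100.5]) by mx.example.org
From: alice@partner.test
Message-Id: <abc123@smtp.partner.test>
Subject: hi

body
"""
```

Note that an unqualified From: address, once the MTA qualifies it with the local domain, passes is_local() and so evades this check, which is the weakness the Received: test is meant to backstop.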