procmail

Re: Just received

1998-04-26 02:58:55
On Sun, 26 Apr 1998 03:53:31 -0400, "Henry Smith, Jr."
<hensj@ihs2000.com> wrote:
I just received some UCE, with the following headers

As a general comment, the quickest way to reduce your spam is to
install one of the existing antispam packages. If you want to roll
your own, perhaps you should look at the code of Spam Bouncer,
Junkfilter and the others. <http://www.iki.fi/~era/procmail/links.html>

Some friendly filtering tips were in the latest CAUCE newsletter. 
I believe you can find it at www.cauce.org.

Received: from sophia.pacific.net.sg (sophia.pacific.net.sg [203.120.90.81])
 by seth.ihs2000.com (8.8.5/8.8.5) with ESMTP id TAA29106
 for <hensj@seth.ihs2000.com>; Sat, 25 Apr 1998 19:28:28 -0400 (EDT)

You could simply blacklist pacific.net.sg and not lose much valid mail.

    :0:
    * ^Received:.*\<pacific\.net\.sg\>
    spam

This can be improved. Look for blacklisting examples in the archives.

From: Success@mauimail.com
Received: from pop2.pacific.net.sg (pop2.pacific.net.sg [203.120.90.86])

The From: line before Received: is also a good indicator that this was
injected without a valid From: line. 

    :0:
    * ^From:.*$Received:
    spam

Ditto for Message-ID before Received:

 by sophia.pacific.net.sg with ESMTP
 id HAA22073; Sun, 26 Apr 1998 07:26:24 +0800 (SGT)
Received: from pacific.net.sg
 (pool004-max2.ds18-ca-us.dialup.earthlink.net [209.179.10.204])

Relayed via a dialup. Look for recent examples in the list archive.
Also, Received: from host.domain (wildly.different.com [12.34.56.78])
is often a sign that something is spam. (This is not trivial to check
in Procmail alone; I feed the Received: headers to a small Perl script
which checks for various patterns, but only after other checks that
can be performed by Procmail itself.)

 by pop2.pacific.net.sg with SMTP
 id HAA24938; Sun, 26 Apr 1998 07:28:01 +0800 (SGT)
Message-Id: <199804252328.HAA24938@pop2.pacific.net.sg>
Date: Sat, 25 Apr 98 16:25:32 EST
To: associates@success1.com

You can have a list of suspicious account names. The prototypical one
is "friend@public.com" but a lot of people are filtering on "you",
"all", "success", "money" and a number of other "spook words". (My
personal favorite is anything "4u". Pretty revolting, huh?)

Subject: Certified mail

You could try to create a list of "spook words" for the Subject: line
as well. These should not be used on their own, except perhaps for
classing mail as suspicious (you could save suspicious mail to a
different folder to keep the unwanted stuff out of your main mailbox,
but there will obviously be false matches you want to fish out of the
tank every once in a while). For improved accuracy, you could use
scoring to classify mail as suspicious only when two or more of the
spook words and phrases match. (You could then add e.g. hotmail.com
and aol.com as fairly accurate address field spook phrases and still
not get many false positives even if you have friends with Hotmail or
AOL accounts -- they would get caught as suspicious only if their mail
also matches some other suspiciousness criteria. Of course, you could
also whitelist your friends, i.e. have a list of addresses which, when
matched, bypass your normal spam filtering.)

X-UIDL: 5420c9d3ab51337dda70a8f7d00b0bc6

If you don't use POP yourself, this is a no-brainer.

    :0:
    *   ^X-UIDL:
    * ! ^Resent-
    spam

The "resent" checking is in case somebody who does use a POP system
which uses this header decides to forward a message to you. When that
happens, you could receive legit mail with an X-UIDL header. (You
would imagine that the spammers would be aware of these resent checks
by now but the fact of the matter, of course, is that if they were
paying attention in the first place, their stupid software wouldn't be
adding these bogus headers at all.)

Status: RO
X-Status:

If this is not present in your normal mail, you could try to filter on
these as well.

Hope this helps,

/* era */

-- 
 Paparazzi of the Net: No matter what you do to protect your privacy,
  they'll hunt you down and spam you. <http://www.iki.fi/~era/spam/>

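The checks era describes above, combined into one scorer as an added example (this is not code from the original post, and not era's Perl helper): it parses a raw header block, applies the relay blacklist, the From:/Message-ID:-directly-before-Received: test that the two recipes match, the HELO-versus-reverse-DNS and dialup checks on each Received: line, the X-UIDL:-without-Resent- test, the Status:/X-Status: test and the spook-word scoring, with a whitelist that bypasses everything, and returns a score, a verdict and the reasons. The weights, the thresholds (2 = suspicious, 3 = spam, so two spook words on their own only mark mail as suspicious), the word lists and the whitelist address colleague@example.org are assumptions; the sample input is the quoted headers reassembled in wire order.

```python
# Added example, not the post's own code nor era's Perl helper; weights,
# thresholds, word lists and the whitelist entry are assumptions for illustration.
import re

BLACKLIST = {"pacific.net.sg"}
WHITELIST = {"colleague@example.org"}                   # hypothetical friend
SPOOK_LOCALS = {"friend", "you", "all", "success", "money"}
WEAK_DOMAINS = {"public.com", "hotmail.com", "aol.com"}
SPOOK_SUBJECTS = ("free", "make money", "guaranteed", "$$$")
DIALUP_RE = re.compile(r"dial-?up|ppp|pool\d|dyn|cable|dsl", re.I)
# "from <helo> (<rdns> [<ip>])"; some MTAs omit the rdns name, so it is optional
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((?:([^\s\[\]]+)\s*)?\[([\d.]+)\]\)", re.I)
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

# Constructed sample: the headers quoted in the post, reassembled in wire order.
SAMPLE_HEADERS = """\
Received: from sophia.pacific.net.sg (sophia.pacific.net.sg [203.120.90.81])
 by seth.ihs2000.com (8.8.5/8.8.5) with ESMTP id TAA29106
 for <hensj@seth.ihs2000.com>; Sat, 25 Apr 1998 19:28:28 -0400 (EDT)
From: Success@mauimail.com
Received: from pop2.pacific.net.sg (pop2.pacific.net.sg [203.120.90.86])
 by sophia.pacific.net.sg with ESMTP id HAA22073; Sun, 26 Apr 1998 07:26:24 +0800 (SGT)
Received: from pacific.net.sg
 (pool004-max2.ds18-ca-us.dialup.earthlink.net [209.179.10.204])
 by pop2.pacific.net.sg with SMTP id HAA24938; Sun, 26 Apr 1998 07:28:01 +0800 (SGT)
Message-Id: <199804252328.HAA24938@pop2.pacific.net.sg>
To: associates@success1.com
Subject: Certified mail
X-UIDL: 5420c9d3ab51337dda70a8f7d00b0bc6
Status: RO
"""

def parse_headers(text):
    """[(name, value)] in wire order: names lower-cased, folded lines joined."""
    headers = []
    for line in text.splitlines():
        if not line.strip():
            break                                        # end of header block
        if line[0] in " \t" and headers:                 # folded continuation
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers

def same_domain(a, b):
    """Crude same-organisation test (misfires on ccTLDs such as .co.uk)."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return (a == b or a.endswith("." + b) or b.endswith("." + a)
            or a.split(".")[-2:] == b.split(".")[-2:])

def score_headers(headers):
    """Return (score, verdict, reasons); spook words only ever add to the score."""
    names = [n for n, _ in headers]
    values = lambda name: " ".join(v for n, v in headers if n == name)
    if any(a.lower() in WHITELIST for a in ADDR_RE.findall(values("from"))):
        return 0, "ok", ["sender whitelisted"]           # bypasses all other checks
    hits = []                                            # (points, reason)
    # From:/Message-ID: directly above a Received: line, as the post's recipes match
    for i in range(len(names) - 1):
        if names[i] in ("from", "message-id") and names[i + 1] == "received":
            hits.append((2, f"{names[i]}: immediately before Received:"))
    blacklisted = False
    for value in (v for n, v in headers if n == "received"):
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        helo, rdns, ip = m.group(1), m.group(2) or "", m.group(3)
        if not blacklisted and any(same_domain(h, b) for h in (helo, rdns) if h
                                   for b in BLACKLIST):
            blacklisted = True
            hits.append((3, f"relay {helo} [{ip}] is blacklisted"))
        if rdns and not same_domain(helo, rdns):         # "wildly.different.com" case
            hits.append((2, f"HELO {helo} does not match reverse DNS {rdns}"))
        if rdns and DIALUP_RE.search(rdns):
            hits.append((2, f"relayed via dialup {rdns}"))
    if "x-uidl" in names and not any(n.startswith("resent-") for n in names):
        hits.append((3, "X-UIDL: present without any Resent-* header"))
    if "status" in names or "x-status" in names:
        hits.append((1, "Status:/X-Status: already present on arrival"))
    for addr in ADDR_RE.findall(values("from") + " " + values("to")):
        local, _, domain = addr.lower().partition("@")
        if local in SPOOK_LOCALS or "4u" in local:
            hits.append((1, f"spook local part {local}"))
        if domain in WEAK_DOMAINS:
            hits.append((1, f"weak spook domain {domain}"))
    for phrase in SPOOK_SUBJECTS:
        if phrase in values("subject").lower():
            hits.append((1, f"spook subject phrase {phrase!r}"))
    score = sum(points for points, _ in hits)
    verdict = "spam" if score >= 3 else "suspicious" if score >= 2 else "ok"
    return score, verdict, [why for _, why in hits]

def classify(text):
    """Score a raw header block (everything before the first blank line)."""
    return score_headers(parse_headers(text))
```

On the quoted message this scores 14 and says "spam", with the dialup relay, the HELO/reverse-DNS mismatch, the From: sitting directly above a Received:, the stray X-UIDL: and Status:, and the "success" local part all listed as reasons; a forwarded POP message with a Resent- header and two spook words comes out as merely "suspicious". To drive it from procmail, feed only the header to it (the `h` flag on a recipe does that for a `* ? program` condition) through a thin wrapper that exits non-zero when the verdict is "spam", and file on the condition as the recipes above do.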