Preface
As many of the members on the list know, trapping UBE messages
is one of the most satisfying uses of procmail. And people who
are looking for the best UBE filter/method may be curious to know what
the most successful ways to catch UBE are.
The UBE recipe is near the end of my procmailrc so that valid mailing list,
work, private and file server requests are served first. (See the X-info header
and the file server's pm-code.shar if you don't know what pm-jaube.rc is.)
Statistics
My perl cron job truncates the mail logs, so I only have data from two months,
1998-08-16 - 1998-10-04. The percentages have been truncated to whole
numbers.
There were roughly 3200 messages trapped during that period.
count   %   type
------------------------------------------
  554  17   Marketing-CountBigLetterWords;   # includes many false hits
  457  14   Marketing;
  422  12   Marketing-SelectedBigLetterWords;
  349  10   AddrBogus-From;
  263   8   ReceivedFrom-Mismatch;
  223   6   NoDirectAddress-ToCc;
  216   6   HdrForgedPegasus;
  164   5   AddrBogus-To;
  151   4   MessageId;
  121   3   FromReceived-Mismatch;
  102   3   BodyHtml;
   73   2   Received-IPError;
   63   1   Identical-FromTo;
   53   1   AddrInvalid;
   15   0   From-nslookup;
    9   0   HdrReceivedTime;
    7   0   HdrX-UIDL;
    4   0   Marketing-headers;
Matching the body against marketing slogans works pretty well: they are the
top 3, a total of 43 % of matches. After that, the most common bulk emails
are those trying to hide the From/To headers (about 25%). These alone
catch 70% of the UBE sent to me.
References
AddrBogus-ToFrom
AddrBogus-To
Catches invalid RFC-like email addresses in the To or From field.
ReceivedFrom-Mismatch
is a list of suspicious addresses that I have set
to known origins of UBE:
compuserve|netcom|aol\.|hotmail|rocketmail|juno\.|\
earthlink|prodigy
The message comes from one of these sites (Received header), but the spammer
has modified the FROM address to conceal the fact.
NoDirectAddress-ToCc
Catches messages that are not directly mailed to your email address.
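As an added illustration of the two checks just described (ReceivedFrom-Mismatch and NoDirectAddress-ToCc), here they are rendered in Python rather than procmail; this is not code from pm-jaube.rc, and the header samples, the address me@example.net and the helper names are constructed for the example.

```python
import re
from email import message_from_string

# Same suspicious-site pattern as the post's ReceivedFrom-Mismatch recipe
# (hypothetical Python rendering, not the procmail recipe itself).
SUSPICIOUS = re.compile(
    r"compuserve|netcom|aol\.|hotmail|rocketmail|juno\.|earthlink|prodigy",
    re.IGNORECASE,
)


def received_from_mismatch(msg):
    """True when a Received header names a suspicious site but From does not."""
    received = " ".join(msg.get_all("Received", []))
    sender = msg.get("From", "")
    return bool(SUSPICIOUS.search(received)) and not SUSPICIOUS.search(sender)


def no_direct_address(msg, my_address):
    """True when my_address appears in neither the To nor the Cc header."""
    recipients = " ".join(msg.get_all("To", []) + msg.get_all("Cc", []))
    return my_address.lower() not in recipients.lower()


def classify(raw_message, my_address):
    """Return the names of the checks that fire on a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    if received_from_mismatch(msg):
        hits.append("ReceivedFrom-Mismatch")
    if no_direct_address(msg, my_address):
        hits.append("NoDirectAddress-ToCc")
    return hits


# Constructed sample headers (not real mail): relayed via a "hotmail" host,
# From rewritten to another domain, recipient list hidden.
SAMPLE_UBE = """\
Received: from mail.hotmail.example (mail.hotmail.example [192.0.2.10])
From: friend@some-other.example
To: undisclosed-recipients:;
Subject: hi

body
"""

# Constructed legitimate mail: Received and From agree, addressed to me.
SAMPLE_OK = """\
Received: from mx.workplace.example (mx.workplace.example [192.0.2.20])
From: colleague@workplace.example
To: me@example.net
Subject: meeting

body
"""

if __name__ == "__main__":
    print(classify(SAMPLE_UBE, "me@example.net"))
    print(classify(SAMPLE_OK, "me@example.net"))
```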
End