procmail

messageid filtering

1998-10-14 09:38:23

Sanity check: I just want to check that a tweak that appears necessary
shouldn't have any adverse effects.


One of various spam detection filters I have is as follows:

:0
* ^From:.*@aol\.com
* ! ^Message-[Ii][Dd]:.*aol\.com
{
        LOG="SPAM: forged AOL$TWITVER"

        :0:
        |gzip -9fc>>$MAILDIR/twits.gz
}

What this does is say that if the From contains an aol domain, the
Message-ID had better as well, otherwise it is forged (I have yet to get a
piece of mail junked by this rule that ISN'T spam).  I have several others
for various national ISPs as well, and on some, I also do inverse checking:
if the message-id is the domain, the FROM better be as well.

My problem:  A spam got through yesterday, which I would have THOUGHT would
have been caught by the above rule, but on closer evaluation:

        From: doa58@aol.com (TF)
        Message-Id: <199810131740WAA55015@aol.com.shortweb.com>

The domain portion STARTS with aol.com, rather than ends with it.  GAAK!
I've got to update the rules - I expect this was done just this way in
order to foil basic checks similar to mine.

I should be able to just change the messageid rule to include a closing
bracket, but does anyone see a problem with doing this?

* ! ^Message-[Ii][Dd]:.*aol\.com\>

(I realize that the escapes probably aren't necessary, but I just tend to
do things that way)

---
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.

 Sean B. Straw / Professional Software Engineering
 Post Box 2395 / San Rafael, CA  94912-2395
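
The domain comparison discussed in the message above, as an added Python example that is not part of the original post: it contrasts the unanchored substring test with a check that the Message-ID host ends in the From domain on a label boundary, and includes the inverse check. The function names are hypothetical, and every sample except the headers quoted in the post is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def from_domain(msg):
    """Domain of the From: address, lower-cased ('' if absent)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def msgid_host(msg):
    """Right-hand side of <local@host> in Message-ID ('' if malformed)."""
    m = re.fullmatch(r"\s*<[^<>@\s]+@([^<>@\s]+)>\s*", msg.get("Message-ID", ""))
    return m.group(1).lower().rstrip(".") if m else ""

def in_domain(host, domain):
    """True only for the domain itself or a subdomain (label boundary)."""
    return host == domain or host.endswith("." + domain)

def forged_unanchored(msg, domain):
    """The original test: domain text anywhere in the Message-ID header."""
    hit = re.search(re.escape(domain), msg.get("Message-ID", ""), re.I)
    return in_domain(from_domain(msg), domain) and hit is None

def forged_anchored(msg, domain):
    """Require the Message-ID host to end in the domain claimed by From."""
    return in_domain(from_domain(msg), domain) and not in_domain(msgid_host(msg), domain)

def inverse_mismatch(msg, domain):
    """Inverse check from the post: Message-ID in domain, From elsewhere."""
    return in_domain(msgid_host(msg), domain) and not in_domain(from_domain(msg), domain)

SAMPLES = {
    # Headers quoted in the post.
    "from_post": "From: doa58@aol.com (TF)\n"
                 "Message-Id: <199810131740WAA55015@aol.com.shortweb.com>\n\n",
    # Constructed samples below.
    "legit": "From: a@aol.com\nMessage-Id: <0.abc123@imo-d01.mx.aol.com>\n\n",
    "lookalike": "From: b@aol.com\nMessage-Id: <1@notaol.com>\n\n",
    "inverse": "From: c@example.net\nMessage-Id: <2@aol.com>\n\n",
}

def classify(domain="aol.com"):
    """Map sample name -> (unanchored, anchored, inverse) verdicts."""
    out = {}
    for name, raw in SAMPLES.items():
        msg = message_from_string(raw)
        out[name] = (forged_unanchored(msg, domain),
                     forged_anchored(msg, domain),
                     inverse_mismatch(msg, domain))
    return out

if __name__ == "__main__":
    for name, verdicts in classify().items():
        print(name, verdicts)
```

In procmail's own regex dialect, `\>` is the end-of-word token rather than a literal `>`, so a following `.` satisfies it as well; an unescaped `>` is the literal bracket.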
