
Re: FROM_MAILER problem

1999-09-23 09:08:07
On Thu, 23 Sep 1999 11:51:59 -0500, David Stone
<dstone@chem.utoronto.ca> wrote:
> era wrote:
> > On Thu, 23 Sep 1999 11:01:37 -0500, David Stone
> > <dstone@chem.utoronto.ca> wrote:
> > > I recently had a spam sneak through filters with the following
> > > header:
> > >   From: mailer_daemon151@yahoo.com
> > What I do is check if the From_ line and the From: line resemble
> > each other. Usually the ones which are From_ mailer_daemon are
> > From: typicalspammer093450@freemail.net and vice versa.
> I'm not sure I understand what you're saying here: in my particular
> case there was exactly ONE From: line (as indicated above) and NO
> From_ line.

The From_ line is added automatically to all messages I receive. The
same information should be in Return-Path: if your system doesn't use
From_ lines (this is the conventional way to talk about the "From "
pseudoheader which is the first line of every message on systems which
use Berkeley mbox format; the underscore isn't really there, it's just
a more convenient way to talk about the space we all know is there).

> Are you trying to suggest something like the following?
>
>      :0:
>      * FROM_MAILER
>      * ! ^From: .*[a-zA-Z].*[0-9]@
>      adminbox
>
> the intent of which is to direct real admin mail to the right spot,
> but let fake admin mail pass through to the rest of the filter.
> (Assumes that the "fake" address will have the mail(er) part at the
> front as in the above example)

Not really. I'm saying that if the message matches ^FROM_MAILER
(obNitpick: the caret at the beginning is part of the macro's name;
you can't leave it out) but the From_ line (or Return-Path:, or
X-Envelope-From:, or X-From_:, or what have you) is definitely bogus,
or the From: line is definitely bogus, it's definitely spam.

My very imperfect realization of this idea looks like this:

    # From MAILER-DAEMON and yet not really from MAILER-DAEMON
    # This is in fact over-zealous; we should perhaps merely check the
    #  toplevel domain name, or even just check for MAILER_DAEMON@ in From:
    # \/ puts the rest of the matched sender token into $MATCH (the character
    #  class excludes a space and a tab); $\MATCH in the second condition
    #  re-quotes that token so it is matched literally against From:
    :0:
    *     ^From \/(MAILER.DAEMON|root|postmaster)([^    ]+)?
    * ! $ ^From:.*\<$\MATCH
    scratch/spam

I get a small amount of false positives on this, but since I monitor
my spam box at about the same priority as my primary inbox, it doesn't
matter to me :-)

One reason I get few false positives might be that I have an earlier
recipe which sorts out replies to spam complaints of mine (which is
the majority of the ^FROM_MAILER mail I receive) into a junk folder.

My earlier free-form formulation of the basic observation is much
better (more accurate, less prone to false positives) than this actual
recipe. Perhaps you can come up with something better.

Still, hope this helps,

/* era */

-- 
 Too much to say to fit into this .signature anyway: <http://www.iki.fi/era/>
  Fight spam in Europe: <http://www.euro.cauce.org/> * Sign the EU petition
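
The check era describes above (compare the envelope sender with the From: header and treat mail as spam when one side claims to be a mailer and the other contradicts it), as an added example in Python that is not part of the original thread or of procmail. It runs both era's recipe taken literally and the looser domain comparison from the prose over constructed sample messages; the addresses, hostnames, message texts and the cut-down stand-in for ^FROM_MAILER are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Stand-in for procmail's ^FROM_MAILER, reduced to the local parts era's own
# recipe names (assumption: the real macro matches far more than this).
MAILER_LOCALPART = re.compile(r"^(mailer.daemon|root|postmaster)", re.I)

# Constructed sample messages in mbox form; none of them is from the thread.
GENUINE_BOUNCE = """\
From MAILER-DAEMON@mail.example.org Thu Sep 23 09:00:00 1999
Return-Path: <MAILER-DAEMON@mail.example.org>
From: MAILER-DAEMON@mail.example.org (Mail Delivery System)

The original message was received at ...
"""
# Daemon-looking From:, ordinary envelope: the case David reported.
FAKE_HEADER = """\
From bulk93450@freemail.example.com Thu Sep 23 09:01:00 1999
Return-Path: <bulk93450@freemail.example.com>
From: mailer_daemon151@yahoo.com

Click here for ...
"""
# Daemon-looking envelope, ordinary From:, the "vice versa" case.
FAKE_ENVELOPE = """\
From MAILER-DAEMON@freemail.example.com Thu Sep 23 09:02:00 1999
Return-Path: <MAILER-DAEMON@freemail.example.com>
From: typicalspammer093450@freemail.example.net

Buy now ...
"""
# Real bounce whose From: names a different admin account than the envelope:
# the kind of message the literal recipe misfiles.
POSTMASTER_BOUNCE = """\
From MAILER-DAEMON@mail.example.org Thu Sep 23 09:03:00 1999
Return-Path: <MAILER-DAEMON@mail.example.org>
From: Mail Delivery Subsystem <postmaster@mail.example.org>

A message you sent has not yet been delivered ...
"""
ORDINARY = """\
From alice@example.com Thu Sep 23 09:04:00 1999
Return-Path: <alice@example.com>
From: Alice <alice@example.com>

Noon?
"""

def parse(raw):
    """Return (envelope sender, raw From: header, address inside From:).
    The envelope sender comes from the From_ line; a message without one
    carries the same information in Return-Path:."""
    first, _, rest = raw.partition("\n")
    m = re.match(r"From (\S+) ", first)
    if m:
        envelope, msg = m.group(1), message_from_string(rest)
    else:
        msg = message_from_string(raw)
        envelope = parseaddr(msg.get("Return-Path", ""))[1]
    from_raw = msg.get("From", "")
    return envelope, from_raw, parseaddr(from_raw)[1]


def is_mailer(addr):
    """Does the local part look like a mail-system account?"""
    return bool(MAILER_LOCALPART.match(addr.split("@", 1)[0]))


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def literal_recipe(raw):
    """era's recipe as posted: envelope sender is a daemon-like token and the
    From: header does not repeat that exact token -> True (file as spam)."""
    envelope, from_raw, _ = parse(raw)
    if not is_mailer(envelope):
        return False          # first condition fails, recipe is skipped
    return re.search(r"\b" + re.escape(envelope), from_raw) is None


def classify(raw):
    """The looser rule era states in prose: a bounce only when envelope and
    From: both claim to be a mailer and agree on the domain; a mailer claim
    on one side that the other side contradicts is spam."""
    envelope, _, from_addr = parse(raw)
    env_mailer, hdr_mailer = is_mailer(envelope), is_mailer(from_addr)
    if not (env_mailer or hdr_mailer):
        return "other"        # ^FROM_MAILER would not fire at all
    if env_mailer and hdr_mailer and domain(envelope) == domain(from_addr):
        return "bounce"
    return "spam"


if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE_BOUNCE), ("fake From:", FAKE_HEADER),
                      ("fake From_", FAKE_ENVELOPE), ("postmaster", POSTMASTER_BOUNCE),
                      ("ordinary", ORDINARY)]:
        print(f"{name:11} recipe: {literal_recipe(raw)!s:5}  classify: {classify(raw)}")
```

Running it shows the two gaps the thread is about: the literal recipe only looks at the envelope, so it never fires on David's message (daemon-looking From:, ordinary envelope), and it flags the postmaster bounce as spam because the From: token differs from the envelope token, which is the false positive era mentions. The domain comparison catches both spoofed directions and keeps the genuine bounces.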
