procmail

Re: Filtering unreadable

1999-12-12 10:24:44
On Sun, 12 Dec 1999 11:42:00 -0500, "Henry Smith, Jr"
<hensj(_at_)ihs2000(_dot_)com> wrote:
I've been receiving email that I've been unable to filter.  From what 
I can see there is nothing that matches in headers from one email to 
the next.  What is similar is that I can't read the emails as they all 
originate from China, Japan, etc.
The URLs it points to are also different each time.  How can I filter 
this email and /dev/null it? I assume I would need to base the filter 
on the message body, but how do I filter for the mass amount of 
unreadable characters and not pick up a wanted message that may have 
only one (or a few) unreadable characters?

Received: from public.cs.hn.cn (sims5500b.cs.hn.cn [202.103.96.110])
     by seth.ihs2000.com (8.9.1/8.9.1) with ESMTP id JAA17960
     for <hensj(_at_)ihs2000(_dot_)com>; Sun, 12 Dec 1999 09:41:33 -0500 (EST)

Actually I've had a good amount of success by simply blackholing all
of 202.9x and 202.1xx completely. If you can do it on the SMTP level,
that is a lot better than letting it through and attempting to cope
after you have already accepted the garbage.

(The IP range is off the top of my head. 202.96.xxx.xxx is one of the
worst offenders and there are many open relays at least up to 202.110
or so. You can look at the APNIC registrations for these and try to
figure out if there's something there you actually want to communicate
with. Depends on your line of business whether you can block mail
entirely, of course. At least, open relays in these ranges should be
avoided like the plague if you can.)

If you're feeling cooperative, join me in attempting to get
practically all of China into the RBL. Their rules for nominations are
at <http://www.mail-abuse.org/rbl/> somewhere (sorry, no exact URL).
That way, all you really need by way of filtering is to enable RBL
filtering in your Sendmail config (this is enabled by default in
Sendmail 8.9.3 -- you should absolutely upgrade as 8.9.1 has some
security problems, too, I believe).

For more on the topic of the MAPS RBL and other similar DNS-based
blacklists, see <http://www.iki.fi/era/rbl/rbl.html>

From: =?gb2312?B?NDkw1Kq7u7XnxNQ=?= <xunjie(_at_)jxdaogo(_dot_)com>
Subject: =?gb2312?B?xPrP69PDv9rB7rLZ1/e158TUwvCjvw==?=

Strong hint: If it's in a character set you cannot read, ditch it.

    :0
    * ^(From|Subject):[         ]*=\?gb2312\?[bq]\?
    /dev/null

There would also have to be Content-Type: headers in the body (in the
old RFC822 sense) which you could look at for similar hints, too.
(Your forwarded message seems to have been "flattened"; the
Content-Type said multipart/alternative but the actual message you
forwarded didn't seem to contain anything like this.)

To: <Undisclosed.Recipients>
Message-id: <01db01bf449f$fe1d86e0$347c67ca(_at_)yang>
MIME-version: 1.0
X-Mailer: Microsoft Outlook Express 4.72.3110.5
Content-type: multipart/alternative;
  boundary="----=_NextPart_000_01D8_01BF44E3.0C40C6E0"
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
X-Priority: 3

(Strong hints here, too. I leave it to you to decide which of these
are the most annoying. Probably the To: line but if you want a really
tight ship, perhaps you should filter anything with X-MS anything in
the headers :-)

X-UIDL: 39028a07f6b24c3671a34a3b56bbb67a

(Is this added by your local software? If normal messages don't
contain an X-UIDL, that's a good thing to filter on. But I don't see
it in the similar spams I receive from China IIRC.)

Actually, the body you forwarded looked a bit like your own mail
program might have mangled it a little bit when you forwarded it.
Suffice it to say, then, that the topic of actually looking for a
large amount of non-ASCII characters in the body has been discussed on
the list very recently. Have a look at the thread started by Walter
Dnes a mere week and a half ago:

  <http://www.xray.mpe.mpg.de/mailing-lists/procmail/1999-12/msg00016.html>

The followups contain a bug fix and some discussion so you want to
look at them as well. You might also want to try something like

    :0BH
    * ^Content-transfer-encoding:.*quoted-printable
    * -40^0
    * 1^1 =[89A-F][0-9A-F]
    /dev/null

Actually, as usual, I would recommend saving the spam somewhere (but
not along with your valuable real mail) and periodically have a look
at it and send complaints about at least the most egregious spammers.

<...>
Phone  (717) 274-3300
Phone  (717) 520-1989
=46ax  (717) 306-1112
http://www.ihs2000.com
EMail  hensj(_at_)ihs2000(_dot_)com

--============_-1267105572==_ma============
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!doctype html public "-//W3C//DTD W3 HTML//EN">
<html><head><style type=3D"text/css"><!--
blockquote, dl, ul, ol, li { margin-top: 0 ; margin-bottom: 0 }
<...>

Finally, please turn off this "feature" in your "mail client". Thanks.

/* era */

-- 
 Too much to say to fit into this .signature anyway: <http://www.iki.fi/era/>
  Fight spam in Europe: <http://www.euro.cauce.org/> * Sign the EU petition
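
The two recipes in the message above can be dry-run against saved mail before anything is sent to /dev/null. The following is an added example, not part of the original post or of procmail: a Python re-implementation of the header match and the -40/+1 scoring, with constructed sample messages and hypothetical function names.

```python
import re

# Same patterns as the two recipes above; procmail matches case-insensitively.
GB2312_HDR = re.compile(rb"^(From|Subject):[ \t]*=\?gb2312\?[bq]\?", re.I | re.M)
QP_CTE = re.compile(rb"^Content-transfer-encoding:.*quoted-printable", re.I | re.M)
QP_HIGH = re.compile(rb"=[89A-F][0-9A-F]", re.I)

def header_recipe_hits(raw: bytes) -> bool:
    """First recipe: header-only search, with folded header lines joined."""
    header = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    header = re.sub(rb"\r?\n[ \t]+", b" ", header)
    return bool(GB2312_HDR.search(header))

def qp_score(raw: bytes, start: int = -40):
    """Second recipe (flags B and H): start + 1 per escaped high-bit byte.
    Returns None when the quoted-printable condition does not match."""
    if not QP_CTE.search(raw):
        return None
    return start + len(QP_HIGH.findall(raw))

def would_discard(raw: bytes) -> bool:
    """A scoring recipe only fires when the final score is positive."""
    score = qp_score(raw)
    return header_recipe_hits(raw) or (score is not None and score > 0)

# Constructed sample messages (not taken from the thread).
SPAM = (b"From: =?gb2312?B?suLK1A==?= <sender@example.invalid>\n"
        b"Subject: =?gb2312?B?suLK1A==?=\n"
        b"Content-Transfer-Encoding: quoted-printable\n\n"
        + b"=C4=FA=BA=C3" * 15 + b"\n")
WANTED = (b"From: Alice <alice@example.org>\n"
          b"Subject: lunch\n"
          b"Content-Type: text/plain; charset=iso-8859-1\n"
          b"Content-Transfer-Encoding: quoted-printable\n\n"
          b"Meet at the caf=E9 on Rue Andr=E9 at noon.\n")

if __name__ == "__main__":
    for name, msg in (("SPAM", SPAM), ("WANTED", WANTED)):
        print(name, header_recipe_hits(msg), qp_score(msg), would_discard(msg))
```

Running the scoring function over a folder of known-good mail shows how close wanted messages come to the threshold before the recipe goes live.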
