procmail

Re: Filtering unreadable

1999-12-12 13:19:03
Oops.. Sorry about the sig.

Yes.. Eudora did manage a little.. the actual message. I've attached the full message to the end.

> On Sun, 12 Dec 1999 11:42:00 -0500, "Henry Smith, Jr"

> Actually I've had a good amount of success by simply blackholing all
> of 202.9x and 202.1xx completely. If you can do it on the SMTP level,
> that is a lot better than letting it through and attempting to cope
> after you have already accepted the garbage.

Some of the email is routed through free email services and redirect services, thereby appearing to come from valid domains. In some cases the headers were forged and displayed all of our system information (and very well, I might add!).



> At least, open relays in these ranges should be
> avoided like the plague if you can.)

We deny all relaying.


> If you're feeling cooperative, join me in attempting to get
> practically all of China into the RBL. Their rules for nominations are
> at <http://www.mail-abuse.org/rbl/> somewhere (sorry, no exact URL).
> That way, all you really need by way of filtering is to enable RBL
> filtering in your Sendmail config (this is enabled by default in
> Sendmail 8.9.3 -- you should absolutely upgrade as 8.9.1 has some
> security problems, too, I believe).


RBL has been installed and working quite nicely for over two years now.
And yes.. I am very willing to cooperate in the effort to get these and others added to the RBL. I'll swing by the URL and check over things.


> For more on the topic of the MAPS RBL and other similar DNS-based
> blacklists, see <http://www.iki.fi/era/rbl/rbl.html>
>
> > From: =?gb2312?B?NDkw1Kq7u7XnxNQ=?= <xunjie(_at_)jxdaogo(_dot_)com>
> > Subject: =?gb2312?B?xPrP69PDv9rB7rLZ1/e158TUwvCjvw==?=
>
> Strong hint: If it's in a character set you cannot read, ditch it.

This wouldn't work, as sometimes the header characters are just fine.

<-- Another Example -->
From: "doverhow(_at_)komo(_dot_)com" <doverhow(_at_)komo(_dot_)com>
Subject: FREE SEX
(BTW: I did call komo.com about this.. they were not pleased with the 12,000+ email responses they got from the email. Additionally, getting the accounts, redirect services and hosts to delete the accounts a few days ago did nothing to slow the mail I am receiving.)

What's odd is that 99% of links (other than the above example) do not refer to sex or p0rn. The one link I received referred to a nirvana site.


>     # Drop anything whose From: or Subject: begins with an RFC 2047
>     # encoded-word declaring the gb2312 charset in B or Q encoding
>     # (procmail regexps are case-insensitive; the class holds a space and a tab)
>     :0
>     * ^(From|Subject):[ 	]*=\?gb2312\?[bq]\?
>     /dev/null
>
> There would also have to be Content-Type: headers in the body (in the
> old RFC822 sense) which you could look at for similar hints, too.
> (Your forwarded message seems to have been "flattened"; the
> Content-Type said multipart/alternative but the actual message you
> forwarded didn't seem to contain anything like this.)

> > To: <Undisclosed.Recipients>
> > Message-id: <01db01bf449f$fe1d86e0$347c67ca(_at_)yang>
>
> (Strong hints here, too. I leave it to you to decide which of these
> are the most annoying. Probably the To: line

Not consistent

> but if you want a really
> tight ship, perhaps you should filter anything with X-MS anything in
> the headers :-)
>
> > X-UIDL: 39028a07f6b24c3671a34a3b56bbb67a
>
> (Is this added by your local software? If normal messages don't
> contain an X-UIDL, that's a good thing to filter on. But I don't see
> it in the similar spams I receive from China IIRC.)

Yes it is.


> Actually, the body you forwarded looked a bit like your own mail
> program might have mangled it a little bit when you forwarded it.
> Suffice it to say, then, that the topic of actually looking for a
> large amount of non-ASCII characters in the body has been discussed on
> the list very recently. Have a look at the thread started by Walter
> Dnes a mere week and a half ago:
>
>   <http://www.xray.mpe.mpg.de/mailing-lists/procmail/1999-12/msg00016.html>

Ah.. thank you.. I will be sure to look into this. I feel this will be the most helpful, and worthwhile to filter on.



> The followups contain a bug fix and some discussion so you want to
> look at them as well. You might also want to try something like
>
>     # Score quoted-printable messages (header or body, hence :0BH): start
>     # at -40, add 1 per QP escape for a byte with the high bit set, and
>     # discard when the total goes above zero (more than 40 such bytes)
>     :0BH
>     * ^Content-transfer-encoding:.*quoted-printable
>     * -40^0
>     * 1^1 =[89A-F][0-9A-F]
>     /dev/null




# Start Paste



# End Paste




        - Henry Smith, Jr.
        - Senior Systems Administrator

Making a difference one customer at a time....


IHS2000 Internet Services
11 Brookfield Dr
Lebanon, Pennsylvania 17046

Phone  (717) 274-3300
Phone  (717) 520-1989
Fax  (717) 306-1112
http://www.ihs2000.com
EMail  hensj(_at_)ihs2000(_dot_)com
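The two recipes quoted in the thread, emulated in Python so their scoring can be checked against sample messages. This is an added example, not code from the thread or from procmail; the addresses and message bodies are constructed, and only the encoded From: value is taken from the header quoted above.

```python
import re
from email import message_from_string

# First recipe: From:/Subject: begins with an RFC 2047 encoded-word declaring
# gb2312 in B (base64) or Q (quoted-printable) form. Procmail matches
# case-insensitively, hence re.I; [ \t] mirrors procmail's [<space><tab>].
GB2312_WORD = re.compile(r'^(From|Subject):[ \t]*=\?gb2312\?[bq]\?', re.I | re.M)
# Second recipe: one quoted-printable escape for a byte with the high bit set.
QP_HIGH = re.compile(r'=[89A-F][0-9A-F]')
START_WEIGHT = -40  # the '-40^0' condition: the score starts at -40

def gb2312_header(raw):
    """True if the header block would match the first recipe."""
    headers = raw.split('\n\n', 1)[0]
    return GB2312_WORD.search(headers) is not None

def qp_high_score(raw):
    """Score of the second recipe (':0BH' searches header and body).
    None if the Content-Transfer-Encoding condition fails; otherwise -40 plus
    one per high-bit QP escape. Procmail fires when the total is above zero."""
    cte = message_from_string(raw).get('Content-Transfer-Encoding', '')
    if 'quoted-printable' not in cte.lower():
        return None
    return START_WEIGHT + len(QP_HIGH.findall(raw))

def verdict(raw):
    """'drop' if either recipe would deliver the message to /dev/null."""
    score = qp_high_score(raw)
    if gb2312_header(raw) or (score is not None and score > 0):
        return 'drop'
    return 'keep'

# Constructed samples (addresses are placeholders); only the encoded From:
# value is copied from the header quoted in the thread.
SPAM_HEADER = ("From: =?gb2312?B?NDkw1Kq7u7XnxNQ=?= <xunjie@example.invalid>\n"
               "Subject: hello\nContent-Transfer-Encoding: 7bit\n\nplain text\n")
SPAM_BODY = ("From: sales@example.invalid\nSubject: special offer\n"
             "Content-Type: text/plain; charset=gb2312\n"
             "Content-Transfer-Encoding: quoted-printable\n\n"
             + "=C4=E3=BA=C3" * 12 + "\n")  # 48 high-bit escapes -> score 8
HAM = ("From: ami@example.invalid\nSubject: rendez-vous\n"
       "Content-Transfer-Encoding: quoted-printable\n\n"
       "On se retrouve au caf=C3=A9 =C3=A0 dix heures.\n")  # 4 escapes -> -36

if __name__ == '__main__':
    for name, raw in (('header', SPAM_HEADER), ('body', SPAM_BODY), ('ham', HAM)):
        print(name, verdict(raw), qp_high_score(raw))
```

The ham sample shows why era's -40 offset matters: a few accented characters in an ordinary quoted-printable message leave the score well below zero.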
