At 16:04 2000-02-27 -0600, Bert Hiddink wrote:
> My hosting provider suggested the following script to me, as there is
> one thing they all have in common. They are all sent from Asia. As I
> do not expect to ever receive any real mail from Asia, I tried the
> following:
>
> :0h
> * \[202\.
> /dev/null
>
> That should filter out any mail coming from an ISP or mail server in
> the 202.0.0.0 IP block. 202.0.0.0 - 203.255.255.0 are allocated for
> the APNIC for networks in the Asia/Pacific area.

The regexp won't catch 203 nets, or hadn't you noticed?

:0h
* ^Received.*(\[|\(|\ )20(2|3)\.[0-9]*\.[0-9]*\.[0-9]*
SuspectedChineseFilth.mbx

This should catch IPs in the received headers only, which match the
following specifications:

    [yyy.nnn.nnn.nnn]
    (yyy.nnn.nnn.nnn)
    yyy.nnn.nnn.nnn (delimited by spaces)

where yyy = 202 or 203: 20(2|3)
and nnn = a variable number of numeric digits (the limitations of this
simplified regexp shouldn't pose a problem, since it is still looking for a
delimited set of four number groupings).

Disclaimer: I don't use this myself - I use RBL and RSS at the MTA level.

> Another suggestion was to filter for strange characters like ûÄêÊ in
> subject and body.

I suggest that you try reading recent threads here on the procmail list for
the past month or two, say via a searchable web archive. There has been
much discussion on the topic of filtering hibit characters - particularly
in messages where the mime headers fail to identify that the body SHOULD
have them (which seems characteristic of Chinese spam).

One such searchable archive may be found at:

<http://www.xray.mpe.mpg.de/mailing-lists/procmail/>

> What I would like is to combine the two above, something like:
> "if messages contains this IP-address and(!) that character in the
> body, then remove message"
> Is it possible to do AND-ing with procmail receipts?

Uh, yes. In fact, it is a basic concept for the filtering rules. Since
you weren't aware of this, and are obviously trying to use procmail without
having at least read the various manpages on it, I'd highly suggest that
you change your delivery line from "/dev/null" to "SuspectedJunk.mbx", so
as not to throw away the valid mail that may in fact get trashed while
you're in the learning curve.

With that in mind, please refer to the manpages - 'man procmail', 'man
procmailrc', 'man procmailex' to gain a basic understanding of procmail.

[snip - massive collection of junkmail]

PLEASE don't forward huge spams to the list. Procmail is NOT a spam
discussion list -- it is a mail filtering tool which among other things, is
often used to combat spam. The bulk of your message was absolute trash,
and a little selection on your part could have extracted just the headers
and a line or two from the body as a representative sample.

Let me repeat that in fewer words:

DO NOT SEND LARGE SPAM BODIES TO THIS LIST.

Jeezus, as if there isn't enough work avoiding the spam that comes directly
to us.

Mr. Conover, this applies to you too - did you have to quote the entire
body of the junkmail in YOUR reply?

---
Please DO NOT carbon me on list replies. I'll get my copy from the list.
Sean B. Straw / Professional Software Engineering
Post Box 2395 / San Rafael, CA 94912-2395
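
Added example, not part of the original message: a recipe that ANDs the two tests asked about above, since procmail only delivers when every "*" condition under one ":0" line matches. The folder name follows the SuspectedJunk.mbx suggestion in the reply; the missing-charset test and the run of four non-ASCII bytes are assumptions chosen for illustration, not settings taken from the thread.

```procmail
# Added example (assumptions are marked). Comments are kept above the
# recipe, outside the condition lines.
#
# ":0:"  start a recipe; the trailing ":" asks for a local lockfile,
#        which is wanted when delivering to an mbox file. No "h" flag,
#        so the whole message is saved, not just the header.
#
# Condition 1 (header, the default search area):
#        a Received: line carrying a 202.x.x.x or 203.x.x.x address that
#        is preceded by "[", "(" or a space. "+" requires at least one
#        digit per group.
#
# Condition 2 (assumption): "!" negates the match, so this is true only
#        when no Content-Type header declares a charset, i.e. the
#        headers give no reason for the body to hold 8-bit text.
#
# Condition 3 (assumption): "B ??" applies the regexp to the body
#        instead of the header. It looks for four consecutive bytes
#        outside the printable ASCII range space..tilde. Tabs and
#        carriage returns fall outside that range too, so a run of four
#        of them also matches; that is one reason to file the mail in a
#        review folder rather than /dev/null.
#
# All three conditions must hold for the message to be filed.

:0:
* ^Received:.*(\[|\(| )20(2|3)\.[0-9]+\.[0-9]+\.[0-9]+
* ! ^Content-Type:.*charset=
* B ?? [^ -~][^ -~][^ -~][^ -~]
SuspectedJunk.mbx
```

Dropping any one "*" line loosens the filter to the remaining tests; conditions are never OR-ed unless written as alternatives inside one regexp.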