procmail

Re: A spammer from China

2000-02-27 17:57:42
At 16:04 2000-02-27 -0600, Bert Hiddink wrote:
> My hosting provider suggested me the following script, as there is
> one thing they all have in common. They are all sent from Asia. As I
> do not expect to ever receive any real mail from Asia, I tried the
> following:
>
> :0h
> * \[202\.
> /dev/null
>
> That should filter out any mail coming from an ISP or mail server in
> the 202.0.0.0 IP block. 202.0.0.0 - 203.255.255.0 are allocated for
> the APNIC for networks in the Asia/Pacific area.

The regexp won't catch 203 nets, or hadn't you noticed?

:0h
* ^Received.*(\[|\(|\ )20(2|3)\.[0-9]*\.[0-9]*\.[0-9]*
SuspectedChineseFilth.mbx

This should catch IPs in the received headers only, which match the following specifications:
        [yyy.nnn.nnn.nnn]
        (yyy.nnn.nnn.nnn)
         yyy.nnn.nnn.nnn        (delimited by spaces)

where yyy= 202 or 203           20(2|3)
and nnn= a variable number of numeric digits (the limitations of this simplified regexp shouldn't pose a problem, since it is still looking for a delimited set of four number groupings).

Disclaimer: I don't use this myself - I use RBL and RSS at the MTA level.

> Another suggestion was to filter for strange characters like ûÄêÊ in
> subject and body.

I suggest that you try reading recent threads here on the procmail list for the past month or two, say via a searchable web archive. There has been much discussion on the topic of filtering hibit characters - particularly in messages where the mime headers fail to identify that the body SHOULD have them (which seems characteristic of Chinese spam).

One such searchable archive may be found at:
        <http://www.xray.mpe.mpg.de/mailing-lists/procmail/>

> What I would like is to combine the two above, something like:
> "if messages contains this IP-address and(!) that character in the
> body, then remove message"
>
> Is it possible to do AND-ing with procmail receipts?

Uh, yes. In fact, it is a basic concept for the filtering rules. Since you weren't aware of this, and are obviously trying to use procmail without having at least read the various manpages on it, I'd highly suggest that you change your delivery line from "/dev/null" to "SuspectedJunk.mbx", so as not to throw away the valid mail that may in fact get trashed while you're in the learning curve.

With that in mind, please refer to the manpages - 'man procmail', 'man procmailrc', 'man procmailex' to gain a basic understanding of procmail.

[snip - massive collection of junkmail]

PLEASE don't forward huge spams to the list. Procmail is NOT a spam discussion list -- it is a mail filtering tool which among other things, is often used to combat spam. The bulk of your message was absolute trash, and a little selection on your part could have extracted just the headers and a line or two from the body as a representative sample.

Let me repeat that in fewer words:
        DO NOT SEND LARGE SPAM BODIES TO THIS LIST.

Jeezus, as if there isn't enough work avoiding the spam that comes directly to us.

Mr. Conover, this applies to you too - did you have to quote the entire body of the junkmail in YOUR reply?

---
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.

 Sean B. Straw / Professional Software Engineering
 Post Box 2395 / San Rafael, CA  94912-2395
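
The AND-ing asked about in the message above, as an added example that is not part of the original post. It reuses the Received condition and the SuspectedJunk.mbx mailbox name from the reply; the body test for non-ASCII characters is an assumption about what "strange characters" should mean.

```procmail
# Added example (constructed), not from the original message.
#
# Every "*" line on a recipe must match before the action runs, so stacking
# conditions on one recipe gives AND. Two separate recipes with the same
# action would give OR instead.
#
# ":0:"    starts a recipe and requests a local lockfile, which is needed
#          when appending to an mbox file. With no h/b flag the whole
#          message (header and body) is saved.
# 1st "*"  is checked against the header, the default search area. It is
#          the Received test from the reply, unchanged.
# 2nd "*"  "B ??" switches this one condition to the body. The bracket
#          class holds a literal TAB followed by the range space-to-tilde,
#          negated: any character other than tab and printable ASCII.
#          Procmail's [^...] never matches a newline.
# Action   delivers to a review mailbox rather than /dev/null, so a false
#          match can still be recovered.

:0:
* ^Received.*(\[|\(|\ )20(2|3)\.[0-9]*\.[0-9]*\.[0-9]*
* B ?? [^	 -~]
SuspectedJunk.mbx
```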
