At 10:57 2001-06-22 -0400, Louis LeBlanc wrote:
> Hey all. I've been looking at some of the SPAM (pardon the dirty
> language :) I have been getting lately, and I noticed that much of it
> looks like <something>@<yahoo.com, hotmail.com, aol.com, msn.com,
> excite.com, take your pick>

My rule with most of these -- and some of the messages suffer friendly fire
-- is that if the messageid doesn't contain the same domain token as the
from (when it's one of these large freemail, etc. services), then it's
probably spam. Spammers like to use yahoo and the like in the from:, but
their actual messageid usually isn't generated by yahoo, which if they're
sending through that service, it should be.

> Well, I would just put these domains into my killfile, but I do have
> friends with addresses at some of them, so that would be overkill.

Then greenlist them - have a rule that says "skip the twit & spam rules if
any of THESE addresses are matched".

> :0
> * From: [^0-9]*$

First, this rule says "if the text contains NO NUMBERS at all, clear to the
end of the line." This means you'll blast addresses from domains (or
hosts, even more common) with numerics in them, as well as gobs of user
addresses at large ISPs like dave2274(_at_)somehugeisp(_dot_)com
If you tossed the caret, the condition above would read "if the text is
*ONLY* numbers, clear to the end of the line.", which isn't going to do you
a lot of good either (that'd probably catch a message or two here and
there, but a good old "if there's no @ in the From:, toss it" rule works
wonders there, and catches others).

> Maybe overly simple, but the idea is to catch any mail with a From
> header that looks like this: 5A1j0m9(_at_)hotmail(_dot_)com which I see more
> often these days.

Have you considered TESTING the rule as a standalone procmailrc file? See
the URL in my .sig for some links to text discussing a testing
template. It's really easy to set up, you can pump old mailboxes through
it quite easily -- and it doesn't affect your LIVE mailstream until you've
added the rule to your live .procmailrc.
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
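
Added example, not part of the original message and not a procmail recipe: a Python sketch of the two rules described above (greenlist first, then compare the Message-ID host with a freemail From: domain), run over constructed headers. The greenlist address, the sample messages and the function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Freemail domains named in the thread.
FREEMAIL = ("yahoo.com", "hotmail.com", "aol.com", "msn.com", "excite.com")
# Greenlist of known correspondents (constructed address).
GREENLIST = {"old.friend@hotmail.com"}


def under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(raw):
    """Return 'greenlisted', 'suspect' or 'pass' for one raw message."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    if addr in GREENLIST:
        return "greenlisted"      # skip the spam rules entirely
    if "@" not in addr:
        return "suspect"          # the "no @ in the From:" rule
    from_host = addr.rpartition("@")[2]
    claimed = next((d for d in FREEMAIL if under(from_host, d)), None)
    if claimed is None:
        return "pass"             # not a freemail From:, rule does not apply
    mid = msg.get("Message-ID", "").strip().strip("<>").lower()
    mid_host = mid.rpartition("@")[2]
    # A missing or foreign Message-ID host on a freemail From: is suspect.
    return "pass" if under(mid_host, claimed) else "suspect"


# Constructed sample headers (not real traffic).
SAMPLES = {
    "forged": "From: 5A1j0m9@hotmail.com\n"
              "Message-ID: <20010622.1@bulk.example>\n\nbody\n",
    "genuine": "From: Pat <pat77@yahoo.com>\n"
               "Message-ID: <abc123@web9.mail.yahoo.com>\n\nbody\n",
    "friend": "From: Old Friend <old.friend@hotmail.com>\n"
              "Message-ID: <xyz@smtp.isp.example>\n\nbody\n",
    "isp_user": "From: dave2274@somehugeisp.com\n"
                "Message-ID: <1@somehugeisp.com>\n\nbody\n",
    "no_at": "From: undisclosed\nMessage-ID: <2@bulk.example>\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:9s} {classify(raw)}")
```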