
Re: A little recipe question (KILL THE SPAM)

2001-06-26 18:57:17

At 10:57 AM -0400 6/22/01, Louis LeBlanc wrote:
> Hey all.  I've been looking at some of the SPAM (pardon the dirty
> language:) I have been getting lately, and I noticed that much of it
> looks like <something>@<yahoo.com, hotmail.com, aol.com, msn.com,
> excite.com, take your pick>

Careful. SPAM (in all caps) is a processed meat product from Hormel.
Spam is unsolicited bulk/commercial e-mail. :-)

> Well, I would just put these domains into my killfile, but I do have
> friends with addresses at some of them, so that would be overkill.
>
> I also noticed, however, that some of it has a username that starts
> with a digit.  I don't think I know anyone who would use that kind
> of username, so I would like to set up a recipe to catch these bozos
> before I have to waste my time with them.
>
> I am a little familiar with the vim and grep regexps, but not so
> much the procmail stuff, which is why I am asking for your help
> before I start tossing my real mail out.  Here is where I started:
>
> :0
> * From: [^0-9]*$
> {
>  EXTENSION=spam
> }
>
> This would go in my ~/.procmailrc, and the EXTENSION variable is set
> to the folder name.  Later I check this and decide what to add to
> the killfile.  If something matches in the killfile, I just have
> procmail put it in the trash folder, which I check periodically to
> empty and see the success of my .procmailrc recipes.
>
> Maybe overly simple, but the idea is to catch any mail with a From
> header that looks like this:  5A1j0m9@hotmail.com which I see more
> often these days.
>
> Anyone see why this would catch ANYTHING that starts with something
> other than a number?

The way you have it written, it'll catch anything on a line which
contains the word "From" that has zero or more occurrences of any
non-numeric character at the end. [^0-9] is "not in the range of
characters from 0 to 9." The asterisk means "zero or more occurrences
of what preceded."  Not quite what you wanted.

Since Hotmail only allows A-Z, 0-9, and an underscore in user names,
one way to do what you might want is this:

* ^From.*[^0-9A-Z_][0-9][0-9A-Z_]*@hotmail\.com

("On a line beginning with From, match any invalid user name
character, followed by a digit, followed by any valid username
characters, followed by '@hotmail.com'".) Better, because it'll
handle lines like these:

From $900bucks@hotmail.com       (envelope sender line)
From: "Major Spammer" <45spammers@hotmail.com>   (Valid Hotmail form)
From: 504030405@hotmail.com      (invalid Hotmail form)

However, it still won't handle user names with invalid characters,
such as "not+spam@hotmail.com" -- you'd have to write another filter
for that. I'm sure there are other holes in it, too.

If you're looking for a more elegant solution, use the stamps that
Hotmail et al. put on their messages. Here's one way to detect bogus
Hotmail addresses:

:0
* ^From.*@hotmail\.com
* !^Received:.*hotmail\.com
* !^X-Originating-IP:
{
   # ... whatever you want to do ...
}

So if a message has a From address that contains "@hotmail.com" and
doesn't contain *both* a "Received:" header with a hotmail.com server
stamp *and* an "X-Originating-IP:" header, treat it as if it's spam.
Having revealed my Sooper Sekrit trick, of course, means the spammers
will come up with a way to evade this recipe. Maybe. :-)

Note that this will trap mail from people who use Hotmail From:
addresses to send mail from their ISP, because it won't pass through
the Hotmail server. (If this is the case, you could politely point
them toward using the "Reply-To:" header to direct replies to their
Hotmail account, but don't hold your breath.)

You could probably do similar things for Excite, MSN, and Yahoo. ISTR
that the Yahoo equivalent involves checking for a Received: line and
a Message-ID with the appropriate form; if you have two or three,
it's easy to figure out. Excite and MSN are more problematic for me;
after a continuous diet of spam from both sources, they wound up in
my mail server's DENY tables.

Caveat: Don't use this to discard mail without testing it, as it's
all off-the-cuff.

Regards,

Scott

--
The sender's liability for damages caused by the implementation of information contained in this message is limited to the price paid. Thank you.
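
Added example, not part of the original message: the conditions discussed above, run against constructed From lines and messages to show what each one catches, including the friend-sending-via-ISP false positive. Python's `re` stands in for procmail's case-insensitive matcher as an approximation; every address, host name and function name below is made up for illustration.

```python
import re

# procmail conditions are case-insensitive egrep-style regexps; Python's re
# is used here as a stand-in, which is close enough for these patterns.
FLAGS = re.IGNORECASE | re.MULTILINE

ORIGINAL = re.compile(r"From: [^0-9]*$", FLAGS)  # first attempt in the thread
REVISED = re.compile(r"^From.*[^0-9A-Z_][0-9][0-9A-Z_]*@hotmail\.com", FLAGS)

# Constructed From lines (not real addresses).
FROM_LINES = [
    "From: alice@example.com",
    "From: 5A1j0m9@hotmail.com",
    'From: "Major Spammer" <45spammers@hotmail.com>',
    "From: friend_2001@hotmail.com",
    "From: not+spam@hotmail.com",
]

def hits(pattern):
    """Return the sample From lines that a pattern matches."""
    return [line for line in FROM_LINES if pattern.search(line)]

def header_text(raw):
    """Header block only, with folded continuation lines joined."""
    head = raw.split("\n\n", 1)[0]
    return re.sub(r"\n[ \t]+", " ", head)

def bogus_hotmail(raw):
    """Hotmail From address with neither Hotmail stamp present."""
    h = header_text(raw)
    return bool(re.search(r"^From.*@hotmail\.com", h, FLAGS)
                and not re.search(r"^Received:.*hotmail\.com", h, FLAGS)
                and not re.search(r"^X-Originating-IP:", h, FLAGS))

# Constructed messages: forged sender, genuine Hotmail (folded Received
# header), and a real friend using a Hotmail From: through their ISP.
FORGED = ("From: 45spammers@hotmail.com\n"
          "Received: from relay.example.net by mx.example.org\n\nbody\n")
GENUINE = ("From: friend@hotmail.com\n"
           "Received: from unknown\n\tby mail.hotmail.com\n"
           "X-Originating-IP: [192.0.2.10]\n\nbody\n")
VIA_ISP = ("From: friend@hotmail.com\n"
           "Received: from smtp.example.net by mx.example.org\n\n"
           "reply to me at hotmail.com\n")

if __name__ == "__main__":
    print("original pattern flags:", hits(ORIGINAL))
    print("revised pattern flags: ", hits(REVISED))
    for name, msg in (("forged", FORGED), ("genuine", GENUINE), ("via ISP", VIA_ISP)):
        print(name, "->", "suspect" if bogus_hotmail(msg) else "ok")
```

The original pattern flags only the digit-free addresses, the opposite of the intent, and the stamp check marks the via-ISP message as suspect, so file matches into a folder for review rather than discarding them.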