procmail

Re: A little recipe question (KILL THE SPAM)

2001-06-28 10:04:26
On 06/26/01 09:50 PM, Scott Fabbri sat at the `puter and typed:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 10:57 AM -0400 6/22/01, Louis LeBlanc wrote:
Hey all.  I've been looking at some of the SPAM (pardon the dirty
language:) I have been getting lately, and I noticed that much of it
looks like <something>@<yahoo.com, hotmail.com, aol.com, msn.com,
excite.com, take your pick>

Careful. SPAM (in all caps) is a processed meat product from Hormel.
Spam is unsolicited bulk/commercial e-mail. :-)


fsck 'em if they can't take a joke!  :)

<SNIP>
 
Since Hotmail only allows A-Z, 0-9, and an underscore in user names,
one way to do what you might want is this:

* ^From.*[^0-9A-Z_][0-9][0-9A-Z_]*@hotmail\.com

("On a line beginning with From, match any invalid user name
character, followed by a digit, followed by any valid username
characters, followed by '@hotmail.com'".) Better, because it'll
handle lines like these:

From $900bucks@hotmail.com       (envelope sender line)
From: "Major Spammer" <45spammers@hotmail.com>   (Valid Hotmail form)
From: 504030405@hotmail.com      (invalid Hotmail form)

Cool.  I'll add it with the following additions to check and dump to a
temp folder.
:0
* ^From.*[^0-9A-Z_][0-9][0-9A-Z_]*@(hotmail|aol|msn|excite|yahoo)\.com
{
  EXTENSION=temp
}

Maybe a couple issues with this, but it is a test recipe.

Thanks.

However, it still won't handle user names with invalid characters,
such as "not+spam@hotmail.com" -- you'd have to write another filter
for that. I'm sure there are other holes in it, too.

Understood.

If you're looking for a more elegant solution, use the stamps that
Hotmail et al. put on their messages. Here's one way to detect bogus
Hotmail addresses:

:0
* ^From.*@hotmail\.com
* !^Received:.*hotmail\.com
* !^X-Originating-IP:
{
   ... whatever you want to do ...
}

So if a message has a From address that contains "@hotmail.com" and
doesn't contain *both* a "Received:" header with a hotmail.com server
stamp *and* an "X-Originating-IP:" header, treat it as if it's spam.
Having revealed my Sooper Sekrit trick, of course, means the spammers
will come up with a way to evade this recipe. Maybe. :-)

Cool.  I have a bunch with an msn address now, and I noticed that none
of it has a Received header with msn.com.  So I have modified it to
check for this header for each of the 'spammer hijacked' domains -
msn.com, yahoo, excite, and aol.  I have removed the X-Originating-IP
check from some, because I noticed Yahoo doesn't use it.

:0
* ^From.*@aol\.com
* !^Received:.*aol\.com
{
  EXTENSION=temp
}

If I have this recipe repeated for the various domains, it gets
tedious.  Is there a way to say match these domains in the From
header, and make sure you match the SAME domain in the Received
header?  I noticed a few messages that use several of them in various
headers.
If not, I'll just keep the batch of recipes.
 
Note that this will trap mail from people who use Hotmail From:
addresses to send mail from their ISP, because it won't pass through
the Hotmail server. (If this is the case, you could politely point
them toward using the "Reply-To:" header to direct replies to their
Hotmail account, but don't hold your breath.)

You could probably do similar things for Excite, MSN, and Yahoo. ISTR
that the Yahoo equivalent involves checking for a Received: line and
a Message-ID with the appropriate form; if you have two or three,
it's easy to figure out. Excite and MSN are more problematic for me;
after a continuous diet of spam from both sources, they wound up in
my mail server's DENY tables.

Caveat: Don't use this to discard mail without testing it, as it's
all off-the-cuff.

Understood.  I am setting the EXTENSION var to temp, which tells
procmail to dump it to the temp folder.

The sender's liability for damages caused by the implementation of 
information contained in this message is limited to the price paid. 
Thank you.
ROFL.  Often the advice you get for free on a list is worth more than
that you pay out the a$$ for.

Thanks again.

Lou
-- 
Louis LeBlanc
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
leblanc(_at_)acadia(_dot_)ne(_dot_)mediaone(_dot_)net
http://acadia.ne.mediaone.net                Ô¿Ô¬
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
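Editor's added example (not part of the thread, and not code posted by either participant), answering the question above about matching the same domain in both the From and the Received header with a single recipe instead of one copy per domain. It assumes procmail 3.x, where the `\/` operator in a condition assigns the matching text to the MATCH variable and a condition beginning with `$` gets variable substitution before it is reparsed; it also keeps the thread's EXTENSION=temp convention. The Hotmail-only X-Originating-IP test from the thread is left out here because, as noted above, Yahoo does not set that header; add it as a separate Hotmail recipe if wanted. Caveat a practitioner would want: every Received: line except the one your own MTA prepends is text the sender controls, so a spammer can simply include a Received: line that mentions hotmail.com, and this recipe (like the per-domain ones in the thread) is a heuristic for sorting into a holding folder, not an authentication of the sender.

```procmail
# Added example, not from the thread.
# 1st condition: capture everything after the "@" in the From address
#                into $MATCH (e.g. "hotmail.com").
# 2nd condition: run a second match against $MATCH itself to trim it
#                down to just the bare domain name (e.g. "hotmail").
# 3rd condition: a condition starting with "$" is substituted first and
#                then reparsed, so the "!" and the regexp see the SAME
#                domain that matched in the From line.
:0
* ^From.*@\/(hotmail|aol|msn|excite|yahoo)\.com
* MATCH ?? ^^\/(hotmail|aol|msn|excite|yahoo)
* $ ! ^Received:.*$MATCH\.com
{
  EXTENSION=temp
}
```

Procmail conditions are case-insensitive unless the recipe carries the D flag, so "Hotmail.com" in either header still matches. Because the first condition uses `^From` rather than `^From:`, it fires on both the envelope "From " line and the "From:" header, the same as the recipes in the thread.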
