procmail

Re: From addy that starts with an underscore filter problem

2001-11-30 11:28:40
On 30 Nov, David W. Tamkin wrote:
| When I suggested,
| 
| >  :0: # the brackets enclose caret, space, tab
| >  * ^From:(.*\<)?_[^     ]*@
| >  /var/log/Badtrans
| 
| Eric Krichbaum got some false negatives:
| 
|| I stuck this one in and it's not catching them all.  Specifically, it
|| missed:
||
|| From: "david basagic" <_dbasagic(_at_)mountain(_dot_)net>
|| From: "Don Land" <_dwl(_at_)access(_dot_)mountain(_dot_)net>
||
|| but I'm not seeing why? They both include the <_yadda@ pattern.
| 
| Well, the pattern isn't "<yadda@" but rather "\<yadda@"; still, \< will
| match "<", so I'm baffled.  Can anyone else figure it out?  Even if Eric
| cut-and-pasted it and the tab got converted to spaces, it still should have
| matched those two.
| 

No, I can't figure it out. It looks to me as though it should work. Of
course I rarely trust that, so tested it and it also works using egrep.
I dunno.

I must point out that, even while trying to be gentle, I was still
mistaken about David's response. He neither misunderstood the problem,
nor mis-typed. *That's* why I try never to put words in his mouth. ;-)

And combining responses to two messages, David also wrote:
|[...]
|| ... in this case you should be able to get by
|| with something as simple as:
||
|| :0:
|| * ^From:.*<_
|| /var/log/Badtrans
||
|| or if you want to tighten it up a bit more:
||
|| :0:
|| * ^From:.*<_[^ ]*@[^ ]+>
|| /var/log/Badtrans
| 
| Both of those depend on an assumption that every Badtrans dispatch will have
| the address inside angle brackets.  If Badtrans can be relied on to act that
| way, then by all means go with Don's recommendation.  (Note, folks, that "<"
| in Don's code is a literal left-side angle bracket and "\<" in mine is a
| procmailrc regexp for any non-word character.)

In this case it should be ok, and may be preferable. Under normal
circumstances you'd want a regular expression like this to cover all
the various formats, as David's did. Here, it's a virus/worm with its
own smtp engine built in apparently [1], so I'd expect this peculiarity
to be as predictable as any of the others identified on this list in
recent days.

BTW, I forgot to document that the brackets encompassed a <space> and
a <tab>.

[1] The X-Unsent: header came up briefly the other day and I'm pretty
sure this is the explanation. The worm uses messages in the Inbox to
gather recipients, but actually uses its own smtp engine rather than
Outlook to send the message, hence this header. I haven't seen enough of
these to say first-hand if this header, and the <_ thing are absolute,
but I'd guess they are. At least until another variant comes out anyway.
BTW, all this information is as I understand it from various sources,
but should not be considered authoritative. As always, YMMV.

-- 
Reply to list please, or append "6" to "procmail" in address if you must.
Spammers' unrelenting address harvesting forces me to this...reluctantly.
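
An added example, not part of the original message: the three conditions from this thread re-expressed as Python regular expressions and run over constructed From: headers, to show which address formats each one covers. It assumes procmail's `\<` can be modelled as one consumed non-word character (as described in the thread) and that matching is case-insensitive; the addresses and the names `RECIPES`, `SAMPLES` and `classify` are made up for the illustration.

```python
import re

# Assumption: procmail's \< consumes one non-word character, so it is
# modelled here as an explicit negated class. Python's own \b is zero-width
# and would not be an equivalent translation.
NONWORD = r"[^A-Za-z0-9_]"
FLAGS = re.IGNORECASE | re.MULTILINE  # procmail conditions ignore case by default

RECIPES = {
    # David's condition: ^From:(.*\<)?_[^ <tab>]*@
    "general": re.compile(r"^From:(.*" + NONWORD + r")?_[^ \t]*@", FLAGS),
    # Don's simple condition: ^From:.*<_
    "bracket": re.compile(r"^From:.*<_", FLAGS),
    # Don's tighter condition: ^From:.*<_[^ <tab>]*@[^ <tab>]+>
    "bracket_tight": re.compile(r"^From:.*<_[^ \t]*@[^ \t]+>", FLAGS),
}

# Constructed sample headers; none are taken from real mail.
SAMPLES = {
    "quoted_name": 'From: "Some User" <_suser@mail.example.net>',
    "bare_addr": "From: _suser@mail.example.net",
    "comment_form": "From: _suser@mail.example.net (Some User)",
    "clean_sender": 'From: "Some User" <suser@mail.example.net>',
    "underscore_in_name": 'From: "some_user" <first_last@mail.example.net>',
}


def classify(header_block):
    """Return the names of the conditions that match the given header text."""
    return {name for name, rx in RECIPES.items() if rx.search(header_block)}


def coverage():
    """Map each sample label to the sorted list of conditions that hit it."""
    return {label: sorted(classify(text)) for label, text in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in coverage().items():
        print(f"{label:20} {', '.join(hits) or 'no match'}")
```

Only the angle-bracket form is caught by all three conditions; the bare and comment forms are caught by the general one alone, and an underscore in the middle of a word triggers none of them.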

