procmail

Re: trapping fake hotmail

2002-01-02 10:57:00
Paul Chvostek asked,

| How does this look?
|
| :0
| * ^From: ".+" <[a-z0-9_.-]+@hotmail\.com>
| * ^X-Keywords:
| * ^X-OriginalArrivalTime:
| * ^X-UID: [0-9]+$
| * ^Content-Length: [0-9]+$
| * ^Lines: [0-9]+$
| * ^From:.+@.
| * ^X-Originating-IP: \[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+]
| * ^Received: from hotmail.com (\/...
| * $ ^Message-ID: <${MATCH}.+@hotmail\.com>
| { }
|
| :0 fwE
| * ^From:.+@hotmail\.com\>
| | formail -A "X-spamtrap: fake hotmail"

My only recommendations are to exempt mail that doesn't purport to be from
Hotmail from the second recipe, not to pass the body through the filter, and
to put the `E' flag first because sometimes things mess up if other flags
preceded `A' or `a,' so I wouldn't want to take the risk with the
similar-acting `E.'

 :0
 * ^From:.+@hotmail\.com\>
 {
  :0
  * ^From: ".+" <[a-z0-9_.-]+@hotmail\.com>
  * ^X-Keywords:
  * ^X-OriginalArrivalTime:
  * ^X-UID: [0-9]+$
  * ^Content-Length: [0-9]+$
  * ^Lines: [0-9]+$
  * ^From:.+@.
  * ^X-Originating-IP: \[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+]
  * ^Received: from hotmail.com (\/...
  * $ ^Message-ID: <${MATCH}.+@hotmail\.com>
  { }

  :0 Efhw
  | formail -A "X-spamtrap: fake hotmail"
 }

Another way to go might be with scoring; the problem is that whenever you
add or drop a test, you'll need to remember to adjust the handicap:

 :0fhw
 * ^From:.+@hotmail\.com\>
 * 10^0
 * -1^0 ^From: ".+" <[a-z0-9_.-]+@hotmail\.com>
 * -1^0 ^X-Keywords:
 * -1^0 ^X-OriginalArrivalTime:
 * -1^0 ^X-UID: [0-9]+$
 * -1^0 ^Content-Length: [0-9]+$
 * -1^0 ^Lines: [0-9]+$
 * -1^0 ^From:.+@.
 * -1^0 ^X-Originating-IP: \[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+]
 * -1^0 ^Received: from hotmail.com (\/...
 * -1^0 $ ^Message-ID: <${MATCH}.+@hotmail\.com>
 | formail -A "X-spamtrap: fake hotmail"

| It seems that every *legitimate* hotmail message I've received in the last
| few months has the first three characters of the mail server hostname turn
| up in upper case at the beginning of the Message-ID.

Really?  Good catch -- though I'll have to see what happens when I send mail
through Pop3Hot.



_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
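
The scoring recipe from the message above, mirrored in Python as an added example (not code from the thread): the handicap is computed from the number of tests, so adding or dropping a test cannot leave it stale. The sample headers are constructed, and the regex translations ("\b" for procmail's "\>", a literal "(" in the Received test, "." and "@" for the archive's (_dot_)/(_at_) mangling) are assumptions.

```python
import re

FLAGS = re.IGNORECASE | re.MULTILINE  # procmail: case-insensitive, ^/$ anchor per header line
# Patterns transcribed from the recipes above, reading the archive's (_dot_)/(_at_)
# as "." and "@" (assumption); procmail's "\>" is approximated by "\b".
GATE = re.compile(r"^From:.+@hotmail\.com\b", FLAGS)
RECEIVED = re.compile(r"^Received: from hotmail.com \((...)", FLAGS)  # "(" read as literal
TESTS = [
    r'^From: ".+" <[a-z0-9_.-]+@hotmail\.com>',
    r"^X-Keywords:",
    r"^X-OriginalArrivalTime:",
    r"^X-UID: [0-9]+$",
    r"^Content-Length: [0-9]+$",
    r"^Lines: [0-9]+$",
    r"^From:.+@.",
    r"^X-Originating-IP: \[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+]",
]

def fake_hotmail_score(headers):
    """None if From: does not claim Hotmail; otherwise handicap minus tests passed."""
    if not GATE.search(headers):
        return None
    passed = sum(1 for t in TESTS if re.search(t, headers, FLAGS))
    m = RECEIVED.search(headers)
    if m:
        # m.group(1) plays the role of ${MATCH}; it is escaped here, unlike in procmail.
        msgid = r"^Message-ID: <" + re.escape(m.group(1)) + r".+@hotmail\.com>"
        passed += 1 + bool(re.search(msgid, headers, FLAGS))
    return len(TESTS) + 2 - passed  # handicap follows the test count automatically

def is_fake_hotmail(headers):
    score = fake_hotmail_score(headers)
    return score is not None and score > 0  # the recipe fires only on a positive score

# Constructed sample headers (not real mail); FORGED differs only in its Message-ID.
GENUINE = """\
Received: from hotmail.com (f45.law9.hotmail.com [192.0.2.45]) by mx.example.org
From: "Alice Example" <alice_example@hotmail.com>
Message-ID: <F45abcDEF123@hotmail.com>
X-Originating-IP: [192.0.2.10]
X-OriginalArrivalTime: 02 Jan 2002 17:00:00.0000 (UTC)
X-Keywords:
X-UID: 101
Content-Length: 512
Lines: 12
"""
FORGED = GENUINE.replace("Message-ID: <F45", "Message-ID: <2002")

if __name__ == "__main__":
    print(fake_hotmail_score(GENUINE), fake_hotmail_score(FORGED))
```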
