At 21:07 2002-01-07 -0500, Paul Chvostek wrote:
> I would normally expect to see /^(Subject|Date|From|To):/ in each
> and every email. But that's not what I'm talking about. As I said
> in my original message, I'm assuming that /^(SUBJECT|DATE|FROM|TO):/
> is an indication of spam. Note the case. I really meant it.

They could be emitted by schlocky web agents (web cgi programs for emailing
you info). Because of this and the fact that it's entirely allowed by
RFC822, I wouldn't be prone to flagging something as spam just because of
this. OTOH, you could use it in scoring - set a flag if these headers are
uppercase, and use it to "help along" a decision on another marginal condition.

If you want to test your theory, simply put in a filter to check for these
headers and emit a log entry indicating that this condition was met:

# defines that the advisory type filters are to be enabled. One stop
# shopping to disable advisory logging when you have a dozen or more such
# filters crammed in your spam filtering.
ADVISORIES=on

# note 'D' flag
:0D
* ADVISORIES ?? on
* ^\/(SUBJECT|DATE|FROM|TO):
{
    LOG="SPAM: Advisory - UPPERCASE $MATCH
"
}

Later, you can grep your logs (adjust the A count depending on if there are
typically any other log lines you might emit - I usually run a spam filter
version and a spam tag as well, so -A5 is more appropriate for me - this
would tell me if the advisory - which was checked at the very TOP of my
filters - identified a message which was eventually identified by another
rule as being spam). For instance, "Interspersed Received Headers" is an
advisory I've had running for a while which seems to usually be an
indicator of spam - though the apache-ssl list mucks it up (that of course
can be an exception rule).

grep -A2 ^"SPAM: Advisory" logfile

[snip - rfc-822]
Exactly.

Alternately, you can take all the mail you have saved in mailboxes and just
throw it at a sandbox recipe that logs such matches and delivers everything
to /dev/null. Then, you can test it against your saved mail and evaluate
it for yourself.

---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
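
Added example, not part of the original message: a way to go beyond eyeballing `grep -A2` output by tallying, per logged message, whether the uppercase-header advisory coincided with a hit from another rule. It assumes other spam rules also log lines beginning with "SPAM: " (a hypothetical format); the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Tally how often the advisory coincides with a verdict from another rule.
# Assumption: other spam rules log lines beginning "SPAM: " (not "SPAM: Advisory").
# procmail writes LOG lines first, then the From/Subject/Folder abstract, so the
# "Folder:" line closes each message's record in the log.

advisory_stats() {   # usage: advisory_stats < logfile
    awk '
        /^SPAM: Advisory/ { adv = 1; next }       # advisory recipe fired
        /^SPAM: /         { verdict = 1; next }   # some other rule fired (assumed format)
        /^ *Folder: /     {                       # end of this message record
            total++
            if (adv) { hits++; if (verdict) confirmed++ }
            else if (verdict) other++
            adv = 0; verdict = 0
        }
        END { printf "%d %d %d %d\n", total, hits, confirmed, other }
    '
}

sample_log() {   # constructed log, not real traffic
    cat <<'EOF'
SPAM: Advisory - UPPERCASE SUBJECT:
SPAM: tagged by rule body-keywords
From promo@example.com  Mon Jan  7 21:10:02 2002
 Subject: BUY NOW
  Folder: spam    2210
From alice@example.org  Mon Jan  7 21:12:40 2002
 Subject: lunch?
  Folder: inbox    812
SPAM: Advisory - UPPERCASE FROM:
From webform@example.net  Mon Jan  7 21:15:09 2002
 Subject: Contact form submission
  Folder: inbox    1033
SPAM: tagged by rule forged-received
From bulk@example.com  Mon Jan  7 21:20:51 2002
 Subject: hello
  Folder: spam    4096
EOF
}

# Columns: messages, advisory hits, hits confirmed by another rule,
# messages another rule flagged without the advisory firing
sample_log | advisory_stats
```

A low ratio of confirmed hits to advisory hits means the condition is mostly matching legitimate senders such as web forms, which is the case for keeping it as a scoring input rather than a verdict.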