procmail

Re: two questions...

2002-01-07 20:02:36
At 21:07 2002-01-07 -0500, Paul Chvostek wrote:

I would normally expect to see /^(Subject|Date|From|To):/ in each
and every email.  But that's not what I'm talking about.  As I said
in my original message, I'm assuming that /^(SUBJECT|DATE|FROM|TO):/
is an indication of spam.  Note the case.  I really meant it.

They could be emitted by schlocky web agents (web cgi programs for emailing you info). Because of this and the fact that it's entirely allowed by RFC822, I wouldn't be prone to flagging something as spam just because of this. OTOH, you could use it in scoring - set a flag if these headers are uppercase, and use it to "help along" a decision on another marginal condition.


If you want to test your theory, simply put in a filter to check for these headers and emit a log entry indicating that this condition was met:

# defines that the advisory type filters are to be enabled.  One stop
# shopping to disable advisory logging when you have a dozen or more such
# filters crammed in your spam filtering.
ADVISORIES=on

# note 'D' flag
:0D
* ADVISORIES ?? on
* ^\/(SUBJECT|DATE|FROM|TO):
{
        LOG="SPAM: Advisory - UPPERCASE $MATCH
"
}


Later, you can grep your logs (adjust the A count depending on if there are typically any other log lines you might emit - I usually run a spam filter version and a spam tag as well, so -A5 is more appropriate for me - this would tell me if the advisory - which was checked at the very TOP of my filters - identified a message which was eventually identified by another rule as being spam). For instance, "Interspersed Received Headers" is an advisory I've had running for a while which seems to usually be an indicator of spam - though the apache-ssl list mucks it up (that of course can be an exception rule).

        grep -A2 ^"SPAM: Advisory" logfile

[snip - rfc-822]

Exactly.


Alternately, you can take all the mail you have saved in mailboxes and just throw it at a sandbox recipe that logs such matches and delivers everything to /dev/null. Then, you can test it against your saved mail and evaluate it for yourself.

---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.
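
Added example, not part of the original post: an offline way to run the same case-sensitive header check over saved mail and count how often it fires, written in Python rather than as a procmail sandbox recipe. The sample mbox, the function names and the "(message N)" suffix on the log line are constructed for illustration; the splitter assumes a plain mbox where every line starting with "From " is a message separator.

```python
import re

# Case-sensitive (the recipe's 'D' flag) and anchored to the start of a
# header line, so "X-FROM:" or a lowercase/mixed-case name does not match.
UPPER_HDR = re.compile(r"^(SUBJECT|DATE|FROM|TO):", re.MULTILINE)

# Constructed sample mailbox: one ordinary message, one with uppercase
# header names, one whose body merely contains an uppercase "SUBJECT:".
SAMPLE_MBOX = """\
From a@example.org Mon Jan  7 20:00:00 2002
From: a@example.org
To: me@example.org
Subject: lunch

See you at noon.

From b@example.net Mon Jan  7 20:01:00 2002
FROM: b@example.net
TO: me@example.org
SUBJECT: BUY NOW

Offer text.

From c@example.com Mon Jan  7 20:02:00 2002
From: c@example.com
Subject: form output
\tcontinued on a folded line

SUBJECT: this line is body text, not a header
"""

def advisory(raw):
    """Return the first uppercase header name found in the header block, or None."""
    header = raw.split("\n\n", 1)[0]  # test the header only, never the body
    m = UPPER_HDR.search(header)
    return m.group(0) if m else None

def evaluate(mbox_text):
    """Return (advisory log lines, total message count) for mbox text."""
    msgs = re.split(r"^From .*\n", mbox_text, flags=re.MULTILINE)[1:]
    log = []
    for n, raw in enumerate(msgs, 1):
        hit = advisory(raw)
        if hit:
            log.append(f"SPAM: Advisory - UPPERCASE {hit} (message {n})")
    return log, len(msgs)

if __name__ == "__main__":
    log, total = evaluate(SAMPLE_MBOX)
    print("\n".join(log))
    print(f"{len(log)} of {total} messages matched")
```

Running it separately over a mailbox of known spam and a mailbox of known good mail gives the two hit rates needed to judge whether the condition is worth more than an advisory.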
