procmail

Re: spamming myself?

2002-05-23 07:10:29
On 23 May, Timothy J. Luoma wrote:
| 
| Ok, well spammers have gotten more and more creative.... I'm now getting
| spam addressed to myself **FROM** myself.
| 
| Anyone got a suggestion how to check for *that*?
| 

Short answer:

You weren't specific, but I'm guessing the From: header says you and
the envelope sender is somebody else.  If so, something like ...

:0
*   ^From:.*\<luomat@peak\.org\>
*   ^To:.*\<luomat@peak\.org\>
* ! ^^From luomat@peak\.org\>
{
  # whatever you do with possible/probable spam here
}

Longer answer:

My procmail recipes start with checking for one of my own X-Loop:
headers, in which case it immediately goes to $DEFAULT (with an
X-Loop Notice to me), followed by identifying MAILER-DAEMON/Postmaster,
then local and list mail before even thinking about spam filtering,
sorting, etc. If so identified, a variable is set and an X-No-Spam:
header is inserted with appropriate content to be referenced by
succeeding recipes (especially when passed to users' ~/.procmailrc) so
there's no excuse for stupidity.

To identify *legitimate* local mail I jump through numerous hoops.
(Same for list mail, but that's another story.)  If a message appears
to be local (To: and From:), I check To: From: From_ and Message-Id:,
including resolving aliases to make sure every user name is legit. Then
I walk the Received: headers checking for any that don't belong to one
of my machines. This includes checking sendmail version, build, and the
CF_VERSION string. These are very arguably overkill, but I'm anally
cautious and the cycles are mine to do with as I please. I also only
have to "know" the Received: headers from a half dozen machines (i.e.
this wouldn't scale very well). Anything that appears to be local but
fails any of the tests gets a big red flag. I am extremely liberal
while identifying list mail (erring on the side of false positives),
and just the opposite on local mail. I figure anyone who pretends to be
me is up to no good.

In short, you might want to study the headers from legitimate local mail
to identify some unique [enough] characteristic to supplement checking
To: From: and From_ to make sure everything is kosher.  And if the first
guess about From: and From_ NOT matching is incorrect, it'll be a
necessity.

Don Hammond

-- 
Reply to list please, or append "6" to "procmail" in address if you must.
Spammers' unrelenting address harvesting forces me to this...reluctantly.
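The cross-check described in the longer answer above (To: and From: both claim the local user, so compare them against the envelope sender From_ line and walk the Received: headers for hosts that are not ours), as an added Python example that is not part of the original post. The local address, the host list and the sample message are constructed placeholders, not values from the thread.

```python
import email
from email.utils import parseaddr

OWN_ADDR = "user@peak.example"                       # assumed local address
LOCAL_HOSTS = {"peak.example", "mx.peak.example"}    # assumed own machines

# Constructed message: From: and To: both claim the local user, but the
# envelope sender (Unix From_ line) and one Received: hop are foreign.
SPOOFED = """From spammer@example.net Thu May 23 07:10:29 2002
Received: from mx.peak.example (mx.peak.example [192.0.2.10])
\tby peak.example with ESMTP id 1; Thu, 23 May 2002 07:10:00 -0400
Received: from open-relay.example ([198.51.100.7])
\tby mx.peak.example with SMTP id 2; Thu, 23 May 2002 07:09:58 -0400
From: user@peak.example
To: user@peak.example

body
"""

def envelope_sender(msg):
    """Envelope sender from the From_ line, falling back to Return-Path:."""
    unixfrom = msg.get_unixfrom()
    if unixfrom:
        return unixfrom.split()[1].lower()
    return parseaddr(msg.get("Return-Path", ""))[1].lower()

def foreign_hops(msg):
    """Hosts in 'Received: from <host>' that are not one of our machines."""
    bad = []
    for hdr in msg.get_all("Received", []):
        words = hdr.split()          # folded continuation lines are joined
        if len(words) > 1 and words[0].lower() == "from" and words[1].lower() not in LOCAL_HOSTS:
            bad.append(words[1])
    return bad

def self_spoof_reasons(raw):
    """Reasons a message claiming to be local-to-local is suspect ([] if clean)."""
    msg = email.message_from_string(raw)
    hdr_from = parseaddr(msg.get("From", ""))[1].lower()
    hdr_to = parseaddr(msg.get("To", ""))[1].lower()
    if hdr_from != OWN_ADDR or hdr_to != OWN_ADDR:
        return []                    # not claiming to be local mail; other recipes apply
    reasons = []
    env = envelope_sender(msg)
    if env != OWN_ADDR:
        reasons.append(f"envelope sender {env} does not match From: {hdr_from}")
    reasons += [f"Received: from unknown host {h}" for h in foreign_hops(msg)]
    return reasons
```

Any non-empty result is the "big red flag" from the post; a message that is not local-to-local is deliberately left to other recipes.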


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
