procmail

Re: Scoring Recipe for repeating addresses?

2002-06-19 10:18:00
On Wed, 19 Jun 2002 11:31:54 -0400, Mark_Saunders
<Mark_Saunders(_at_)piucorp(_dot_)com> wrote:
=> OK, how about:
=>  :0
=>  * ^To:.*postmaster@
=>  * ^Cc:.*postmaster@
=>  ! mailbox.example.com
=> To catch when both to & cc fields have "postmaster@"

        That's creative and gets a bit closer, thanks Mark,
however my real world sample might include legitimate postmaster
traffic to one domain with a copy to another postmaster at a
different domain. I really want to make sure that legitimate
postmaster traffic gets thru.

        The stigmata of the spam that I'm seeing has one or two
"To" postmasters (or other "samename" addresses) with "Cc" to
three more, all at different unrelated domains.

        I feel comfortable assuming that legitimate postmaster
traffic would be limited to at most 3 different postmasters at
different domains, but as with all things email YMMV.

=>  :0
=>  * ^To:.*postmaster@
=> {
=> :0
=> {
=> WHOTO=`formail -z -xTo:`
=> COUNT=`echo ${WHOTO} | sed -e 's/[^@]//g' | wc -c`
=> COUNT1=`expr ${COUNT} - 1`
=> ISGT=`expr ${COUNT1} \> 9`
=> }
=> :0
=> * ISGT ?? ^^1^^
=> ! mailbox.example.com
=> }
=> This may need to be tweaked a bit, but if the "To:" field contains
=> "postmaster@",
=> we'll count the number of "To" recipients, and forward if the count is
=> 10 or more.

        Very slick counting the number of "@", thanks, I may use
that for another additional unrelated spam filter.

        However, with my case above, I can envision a post to a
postmaster with a long [non-postmaster] string of CYA type
addresses as well (though perhaps not 10?). I think however that
I need to focus on the recurring "samename" field as the telling
stigmata for this recipe, as addressed by some of the other great
posts in this thread.

        Thanks again for your continuing suggestions, they are
much appreciated here (and as a former lurker I would have
quietly squirreled them away for later reference).

        Cheers,

        - Don
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
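
The "samename" test discussed in this message, as an added example that is not part of the original post or the thread's recipes: it counts how many distinct domains share one local part across the To: and Cc: headers. The function names, the sample message and the treatment of every distinct domain string as "unrelated" are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample (not from the thread): "postmaster" is addressed at
# five different domains across To: and Cc:, plus one decoy in the body.
sample_spam() {
cat <<'EOF'
From: sender@example.net
To: postmaster@a.example, <postmaster@b.example>
Cc: "PM" <Postmaster@c.example>,
 postmaster@d.example, postmaster@e.example
Subject: constructed test

postmaster@body.example must not be counted
EOF
}

# Read a message on stdin; print the largest number of distinct domains
# that share a single local part in the To: and Cc: headers.
samename_max() {
    awk '
    function scan(s,    i, n, tok, lp) {
        n = split(tolower(s), tok, /[ \t,;<>()"]+/)
        for (i = 1; i <= n; i++) {
            if (tok[i] !~ /^[^@]+@[^@]+$/) continue  # not address-like
            if (tok[i] in seen) continue             # same addr listed twice
            seen[tok[i]] = 1
            lp = substr(tok[i], 1, index(tok[i], "@") - 1)
            if (++count[lp] > max) max = count[lp]
        }
    }
    /^$/ { exit }                                    # end of headers
    /^[Tt][Oo]:|^[Cc][Cc]:/ { keep = 1; sub(/^[^:]*:/, ""); scan($0); next }
    /^[ \t]/ { if (keep) scan($0); next }            # folded continuation
    { keep = 0 }                                     # any other header
    END { print max + 0 }
    '
}

# Exit 0 when one local part appears at more than LIMIT domains.
# The default of 3 follows the "at most 3 different postmasters" assumption.
samename_exceeds() {
    limit=${1:-3}
    [ "$(samename_max)" -gt "$limit" ]
}

sample_spam | samename_max
```

Because the count is keyed on the local part rather than on the literal string "postmaster", the same check covers the other "samename" addresses, and a long list of unrelated recipients alongside one postmaster does not raise it.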
