procmail

Re: restricted form

2003-01-31 05:02:29
PSE-L(_at_)mail(_dot_)professional(_dot_)org (Professional Software 
Engineering) wrote:

At 23:06 2003-01-30 -0500, fleet(_at_)teachout(_dot_)org wrote:

So far I've only seen it used where ID is capitalized (for whatever
that's worth).

Well, you could set the case-sensitivity flag for the recipe (then, make 
sure the character classes are defined as [a-zA-Z]).

Interesting, Fleet.  And thanks, Sean, for helping out with it.
I ran Sean's version through my test harness.  I keep the last 100
spam messages and the last 100 regular messages around for testing
and backup.  It caught 19 of the spam messages, which is very nice,
indeed.  It did catch one real message.  So Sean's speculation about
the software's being one suited to bulk mailing is one I concur with.
Fwiw, the false-pozz I had also false-pozzed on with my own regular
recipe-set yesterday (and had done some editing to avoid).  The lone
false pozz was from -- ta-dah! -- Julian Haight's SpamCop support,
because some weasel has reported one of my domains as spamming,
either out of revenge or stupidity.  (I still report every spam I
get, and it causes me to get Joe-jobbed occasionally.)

Here are nineteen Message-Id's caught, and the good one at the bottom,
making twenty:

Message-ID: <001500a6ca86$cbb12711$16861307(_at_)jrgqa(_dot_)va>
Message-ID: <001511c1dc13$dac20858$36380135(_at_)denhlsk(_dot_)ujn>
Message-ID: <001600d5ae84$eae46853$76210642(_at_)qvubcqh(_dot_)jdk>
Message-ID: <001701b6ca05$ddd64145$68674636(_at_)hcxlouy(_dot_)xgu>
Message-ID: <000510a1ae54$dde24561$36157062(_at_)tpwukpw(_dot_)cgd>
Message-ID: <001800c8ca84$acc53553$15363032(_at_)ohxvibo(_dot_)bpo>
Message-ID: <000401d4eb06$bae77403$12764552(_at_)avgvwgi(_dot_)kcs>
Message-ID: <000700b6ca76$ccb63085$47855218(_at_)abyirqy(_dot_)lyu>
Message-ID: <001600e0ab51$bbe57504$76261570(_at_)atdavdk(_dot_)ptl>
Message-ID: <000200b1ce20$cde13782$07446175(_at_)wahvukq(_dot_)wgp>
Message-ID: <001111d7cb07$ded45738$02011448(_at_)owreqdg(_dot_)ebj>
Message-ID: <000411a4ad47$cce65682$74130116(_at_)eemknis(_dot_)wdf>
Message-ID: <000800b4ac36$dcc82275$21741287(_at_)thrltqu(_dot_)gwn>
Message-ID: <001100a1ee68$aad16130$68801323(_at_)rkdjkop(_dot_)ldh>
Message-ID: <001500e7da71$ede13343$08074437(_at_)stbyfps(_dot_)sqw>
Message-ID: <000101e1cc80$aed62530$12666411(_at_)vardvvb(_dot_)cwj>
Message-ID: <001600c8dc80$aab58275$87246833(_at_)ehjguoc(_dot_)ujx>
Message-ID: <001700d7be23$ead78000$26205073(_at_)mhcbsbw(_dot_)tew>
Message-ID: <000100a7ee56$eba65567$14237317(_at_)trytdgi(_dot_)ohc>
Message-Id: <000501b1ad47$dba43721$72214420(_at_)hvutfwhewy(_dot_)os>

Notice that the SpamCop one has the lower-case "d" in "Message-ID,"
so it does seem that the capitalization check would be useful.
(Also notice that what would normally be the "host" field is longer.)

FWIW, all these messages also have an X-Mailer: header.  That
must be what the raw software does, though the spammers mostly
customize^w munge the contents of the header to disguise what
they're doing.  I had already been looking for X-Mailer: and
been lowering my "$TRUST" calculus (part of my private heuristic)
slightly on finding it.  It is not at all a dead ringer -- 42% 
of my good mail from the current batch has an X-Mailer: header.


Is it possible this is the work of one individual?

Possibly.  More likely is that all the spew was simply sent using the
same tool.

The different X-Mailer: content in many of these messages does
further imply a bulk MUA rather than one individual spammer.


I ran it against all my extracted spam from the past 30 days (721
messages, FWIW), and it only caught one of the messages in the
archive, but yea, it did follow the 7.3 extension as well.  However,
having said that, I _didn't_ run it against the rest of my mail to see
about false positives.

My existing recipes caught all those same nineteen messages various ways.
They all got tagged already by my "Message-ID: is fake" recipe.  But it's
one of my uglier ones and badly in need of a rewrite!  So this is
very interesting, indeed.

-- 
dman


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
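The two distinctions the post draws (the exact spelling "Message-ID" versus "Message-Id", and the longer host field on the SpamCop message) can be checked directly against the twenty IDs quoted above. The Python below is an added example, not code from this thread and not Sean's recipe, which does not appear on this page. The "restricted form" regex is an assumption generalised from those twenty values, and the sample header lines are those same IDs with the archive's "(_at_)"/"(_dot_)" obfuscation undone.

```python
import re

# Constructed sample input: the twenty Message-ID header lines quoted in the
# post above (nineteen spam, then the SpamCop message the author reports as
# the lone false positive), with the archive's address obfuscation reversed.
SAMPLE_HEADERS = """\
Message-ID: <001500a6ca86$cbb12711$16861307@jrgqa.va>
Message-ID: <001511c1dc13$dac20858$36380135@denhlsk.ujn>
Message-ID: <001600d5ae84$eae46853$76210642@qvubcqh.jdk>
Message-ID: <001701b6ca05$ddd64145$68674636@hcxlouy.xgu>
Message-ID: <000510a1ae54$dde24561$36157062@tpwukpw.cgd>
Message-ID: <001800c8ca84$acc53553$15363032@ohxvibo.bpo>
Message-ID: <000401d4eb06$bae77403$12764552@avgvwgi.kcs>
Message-ID: <000700b6ca76$ccb63085$47855218@abyirqy.lyu>
Message-ID: <001600e0ab51$bbe57504$76261570@atdavdk.ptl>
Message-ID: <000200b1ce20$cde13782$07446175@wahvukq.wgp>
Message-ID: <001111d7cb07$ded45738$02011448@owreqdg.ebj>
Message-ID: <000411a4ad47$cce65682$74130116@eemknis.wdf>
Message-ID: <000800b4ac36$dcc82275$21741287@thrltqu.gwn>
Message-ID: <001100a1ee68$aad16130$68801323@rkdjkop.ldh>
Message-ID: <001500e7da71$ede13343$08074437@stbyfps.sqw>
Message-ID: <000101e1cc80$aed62530$12666411@vardvvb.cwj>
Message-ID: <001600c8dc80$aab58275$87246833@ehjguoc.ujx>
Message-ID: <001700d7be23$ead78000$26205073@mhcbsbw.tew>
Message-ID: <000100a7ee56$eba65567$14237317@trytdgi.ohc>
Message-Id: <000501b1ad47$dba43721$72214420@hvutfwhewy.os>
""".splitlines()

# Assumed "restricted form", generalised from the IDs above (Sean's actual
# recipe is not on this page): 12 hex digits, "$", 8 hex digits, "$",
# 8 hex digits, "@", one lower-case host label, ".", a lower-case TLD.
# The host label is captured so its length can be checked separately.
RESTRICTED_FORM = re.compile(
    r"^<[0-9a-f]{12}\$[0-9a-f]{8}\$[0-9a-f]{8}@([a-z]+)\.[a-z]+>$"
)


def split_header(line):
    """Split 'Name: value' into (name, value), both stripped."""
    name, _, value = line.partition(":")
    return name.strip(), value.strip()


def is_suspect(line, exact_name=False, max_label=None):
    """True if the header line matches the restricted form.

    exact_name: require the header name to be spelled exactly "Message-ID",
        the equivalent of running a procmail recipe with the case-sensitive
        'D' flag (procmail's default comparison ignores case).
    max_label: if set, also require the host label (between "@" and the
        last ".") to be at most this many characters.
    """
    name, value = split_header(line)
    if exact_name:
        if name != "Message-ID":
            return False
    elif name.lower() != "message-id":
        return False
    m = RESTRICTED_FORM.match(value)
    if not m:
        return False
    if max_label is not None and len(m.group(1)) > max_label:
        return False
    return True


def run(headers, **checks):
    """Return the values of every header line flagged by is_suspect()."""
    return [split_header(h)[1] for h in headers if is_suspect(h, **checks)]


if __name__ == "__main__":
    base = run(SAMPLE_HEADERS)
    strict = run(SAMPLE_HEADERS, exact_name=True)
    short_host = run(SAMPLE_HEADERS, max_label=7)
    print("form only:       %d flagged" % len(base))
    print("+ exact name:    %d flagged" % len(strict))
    print("+ host label<=7: %d flagged" % len(short_host))
    for v in sorted(set(base) - set(strict)):
        print("dropped by exact-name check:", v)
```

Run as a script it reports 20 flagged on form alone and 19 with either extra check, the one dropped being the SpamCop ID. One caveat before leaning on the spelling check: header field names are case-insensitive under RFC 2822, so "Message-Id" versus "Message-ID" is a fingerprint of the generating software rather than anything the protocol constrains, and a sender can change it at no cost. It belongs as one weight in a score, in the spirit of the author's $TRUST calculus, rather than as a hard rule.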
