At 06:37 2003-01-31 -0500, dman(_at_)nomotek(_dot_)com did say:
either out of revenge or stupidity. (I still report every spam I
get, and it causes me to get Joe-jobbed occasionally.)
Perhaps report from some other domain?
Here are nineteen Message-Id's caught, and the good one at the bottom,
making twenty:
Message-ID: <001500a6ca86$cbb12711$16861307(_at_)jrgqa(_dot_)va>
hostname portion = 5.2. Not within the spec which fleet provided (the
procmail regexp which I constructed was merely a translation of just as far
as he was using in grep, plus the @ terminus - I didn't expand it to limit
the hostname portion to the forms which fleet reported)
[snip, bulk of list]
Message-ID: <000100a7ee56$eba65567$14237317(_at_)trytdgi(_dot_)ohc>
hostname portion = 7.3, which is what fleet was chiefly seeing.
Message-Id: <000501b1ad47$dba43721$72214420(_at_)hvutfwhewy(_dot_)os>
hostname portion = 10.2, "10" being inconsistent with what fleet
identified, so if the following macros were defined, and the regexp were
expanded to include the following after the @:
ALPHAX7=[a-z][a-z][a-z][a-z][a-z][a-z][a-z]
ALPHAX12=${ALPHAX7}[a-z][a-z][a-z][a-z][a-z]
(${ALPHAX7}|${ALPHAX12})\.
that might better isolate the spammy stuff.
Of course, if the _one_ mis-hit you got was from SpamCOP, I might go and
point out to them that they really should be using their own domain (even
with a bogus hostname) for the host portion of their
messageids. Alternately, you could always whitelist spamcop messages
before entering this test.
slightly on finding it. It is not at all a dead ringer -- 42%
of my good mail from the current batch has an X-Mailer: header.
Lots of valid email does. I check for _specific_ mailers used for spamming.
The different X-Mailer: content in many of these messages does
further imply a bulk MUA rather than one individual spammer.
Well, the bulk MUA could be inserting the X-Mailer randomly such that any
two messages from the same spammer would never appear to be.
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
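Added example (not part of the original message or the list's own code): the expanded hostname test described above, run with grep -E against the three Message-IDs quoted in the message, with the archive's (_at_)/(_dot_) obfuscation undone. The ALPHAX7/ALPHAX12 macros are copied from the message; the local-part pattern (12 hex, "$", 8 hex, "$", 8 hex) and the function name classify_msgid are assumptions inferred from those three samples, since the original regexp is not shown here.

```shell
#!/bin/sh
# Hostname macros exactly as given in the message. They are spelled out
# because procmail's regexp engine has no {n} repetition operator.
ALPHAX7='[a-z][a-z][a-z][a-z][a-z][a-z][a-z]'
ALPHAX12="${ALPHAX7}[a-z][a-z][a-z][a-z][a-z]"

# ASSUMPTION: local-part shape inferred from the quoted samples.
HEX4='[0-9a-f][0-9a-f][0-9a-f][0-9a-f]'
DOLLAR='\$'
LOCAL="${HEX4}${HEX4}${HEX4}${DOLLAR}${HEX4}${HEX4}${DOLLAR}${HEX4}${HEX4}"

# Local part, the @ terminus, then a 7- or 12-letter hostname label and a dot.
PATTERN="^Message-ID: <${LOCAL}@(${ALPHAX7}|${ALPHAX12})\\."

# classify_msgid HEADER_LINE -> prints "spammy" or "other".
# -i mirrors procmail, whose conditions are case-insensitive by default,
# so both "Message-ID:" and "Message-Id:" are covered.
classify_msgid() {
    if printf '%s\n' "$1" | grep -Eiq -- "$PATTERN"; then
        echo spammy
    else
        echo other
    fi
}

# First three lines: from the message. Last line: constructed legitimate ID.
while IFS= read -r hdr; do
    printf '%-7s %s\n' "$(classify_msgid "$hdr")" "$hdr"
done <<'EOF'
Message-ID: <001500a6ca86$cbb12711$16861307@jrgqa.va>
Message-ID: <000100a7ee56$eba65567$14237317@trytdgi.ohc>
Message-Id: <000501b1ad47$dba43721$72214420@hvutfwhewy.os>
Message-ID: <20030131113700.GA1234@mail.example.org>
EOF
```

Only the 7.3 sample is flagged; the 5.2 and 10.2 samples fall through, which is the narrowing the message describes.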