procmail

Re: restricted form

2003-01-31 10:59:22
At 06:37 2003-01-31 -0500, dman(_at_)nomotek(_dot_)com did say:
either out of revenge or stupidity.  (I still report every spam I
get, and it causes me to get Joe-jobbed occasionally.)

Perhaps report from some other domain?

Here are nineteen Message-Id's caught, and the good one at the bottom,
making twenty:

Message-ID: <001500a6ca86$cbb12711$16861307(_at_)jrgqa(_dot_)va>

hostname portion = 5.2. Not within the spec which fleet provided (the procmail regexp which I constructed was merely a translation of just as far as he was using in grep, plus the @ terminus - I didn't expand it to limit the hostname portion to the forms which fleet reported)

[snip, bulk of list]
Message-ID: <000100a7ee56$eba65567$14237317(_at_)trytdgi(_dot_)ohc>

hostname portion = 7.3, which is what fleet was chiefly seeing.

Message-Id: <000501b1ad47$dba43721$72214420(_at_)hvutfwhewy(_dot_)os>

hostname portion = 10.2, "10" being inconsistent with what fleet identified, so if the following macros were defined, and the regexp were expanded to include the following after the @:

ALPHAX7=[a-z][a-z][a-z][a-z][a-z][a-z][a-z]
ALPHAX12=${ALPHAX7}[a-z][a-z][a-z][a-z][a-z]

        (${ALPHAX7}|${ALPHAX12})\.

that might better isolate the spammy stuff.

Of course, if the _one_ mis-hit you got was from SpamCOP, I might go and point out to them that they really should be using their own domain (even with a bogus hostname) for the host portion of their messageids. Alternately, you could always whitelist spamcop messages before entering this test.

slightly on finding it.  It is not at all a dead ringer -- 42%
of my good mail from the current batch has an X-Mailer: header.

Lots of valid email does.  I check for _specific_ mailers used for spamming.

The different X-Mailer: content in many of these messages does
further imply a bulk MUA rather than one individual spammer.

Well, the bulk MUA could be inserting the X-Mailer randomly such that any two messages from the same spammer would never appear to be.

---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
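
The host-portion test proposed in the message above, as an added example that is not part of the original post and is written in Python rather than procmail syntax. The function names (`unmangle`, `host_shape`, `host_test_hits`) and the last sample line are assumptions made for illustration; the other three sample lines are the Message-IDs quoted in the message.

```python
import re

# Macros from the message, expanded as procmail would substitute them.
ALPHAX7 = "[a-z]" * 7
ALPHAX12 = ALPHAX7 + "[a-z]" * 5
# Proposed host test: 7 or 12 letters right after the @, then a dot.
# procmail matches case-insensitively by default, hence re.I.
HOST_RE = re.compile("@(?:%s|%s)\\." % (ALPHAX7, ALPHAX12), re.I)


def unmangle(header):
    """Undo the list archive's address obfuscation."""
    return header.replace("(_at_)", "@").replace("(_dot_)", ".")


def host_shape(header):
    """Label lengths of the Message-ID host part, e.g. '7.3'; None if no @."""
    value = unmangle(header).strip()
    if "@" not in value:
        return None
    host = value.rsplit("@", 1)[1].rstrip(">")
    return ".".join(str(len(label)) for label in host.split("."))


def host_test_hits(header):
    """True when the expanded host test matches the header."""
    return HOST_RE.search(unmangle(header)) is not None


SAMPLES = [
    # The three Message-IDs quoted in the message, as archived.
    "Message-ID: <001500a6ca86$cbb12711$16861307(_at_)jrgqa(_dot_)va>",
    "Message-ID: <000100a7ee56$eba65567$14237317(_at_)trytdgi(_dot_)ohc>",
    "Message-Id: <000501b1ad47$dba43721$72214420(_at_)hvutfwhewy(_dot_)os>",
    # Constructed, not from the thread: an ordinary 7-letter first label.
    "Message-ID: <20030131105922.GA1234@example.com>",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(host_shape(line), host_test_hits(line), line)
```

The constructed last sample also passes the host test, so the test only narrows matches when it is appended to the existing local-part regexp, as the message proposes, and not used on its own.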
