Hi Everyone,
I've been using Procmail for years. For a long time I used homegrown rules
to try to detect spam, but recently I changed it over to more-or-less a
whitelist-only system. (I would recommend this method to all -- I literally
receive almost no spam anymore! And I check my spam mailbox daily, for just
a minute, to ensure that I don't miss any messages.)
However, some tricky spamsters are getting through the near-infallible
whitelist system using a sneaky method: their final header is the subject
line, which contains two carriage returns -- therefore, when you append a
new header via procmail, the e-mail browser does not detect it as a header
(the extra blank line after subject makes it think that the headers have
ended and the content of the e-mail begins). For example, here are the
headers from a recent spam that I received, including the spam header that
procmail added to it:
-------------------------------------------------------------------------
Return-Path: <asdfosos(_at_)mxdat(_dot_)com>
Delivered-To: morgan(_at_)w3(_dot_)drh(_dot_)net
Received: (qmail 17871 invoked by uid 532); 20 Feb 2003 11:26:39 -0000
Delivered-To: morgan-morgan(_at_)westegg(_dot_)com
Received: (qmail 17866 invoked by uid 532); 20 Feb 2003 11:26:39 -0000
Delivered-To: morgan-entries(_at_)westegg(_dot_)com
Received: (qmail 17860 invoked from network); 20 Feb 2003 11:26:39 -0000
Received: from unknown (HELO mail37.mxdat.com) (209.236.32.37)
by 64.21.76.49 with SMTP; 20 Feb 2003 11:26:39 -0000
To: entries(_at_)westegg(_dot_)com
Date: Thu, 20 Feb 2003 06:23:34 -0500
Message-ID: <1045740214(_dot_)23155(_at_)green3>
X-Mailer: Mutt/1.3.14i
From: "Product Samples" <asdfosos(_at_)mxdat(_dot_)com>
Return-Path: <asdfosos(_at_)mxdat(_dot_)com>
Reply-To: <asdfosos(_at_)mxdat(_dot_)com>
Subject: Your free digital camera
X-SMF-Cat: Spam; final filter
-------------------------------------------------------------------------
To tag mail as spam, I'm just using the simple formail:
| formail -I "X-SMF-Cat: Spam; final filter"
So my question for you all is this: I want to solve this problem, and one way
that comes to mind is inserting the header after a certain point in the
headers (such as after the "Delivered-To:" header, which all messages
have) so it is not after the final Subject. Another possibility is to
delete the extra carriage return from the Subject header, if it
contains an extra one. Unfortunately, I do not know how to do either of these.
I searched through the procmail list archives, and also man-ed formail, but
to no avail. If anyone has any suggestions on how to do either of these or
another way to solve this problem, then let me know.
I only receive one spam per day that uses this trick. However, we know how
the spammers work: they will take any small hole and magnify it. I expect,
within two months, most spam to use this same trick to elude the filters!
Thanks!!!
-morgan
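As an added illustration (not part of morgan's post, and not procmail or formail code), the Python below models both fixes asked about: stripping stray carriage returns from the header block and placing the tag header right after the first Delivered-To: header instead of at the end. The sample message, the header field names and the lenient-client parser are constructed for the demonstration.

```python
import re

# Constructed sample of the trick described in the post: the final header line
# (Subject) carries stray CRs, which a CR-tolerant client reads as an empty line.
SAMPLE = (
    b"Delivered-To: user@example.invalid\n"
    b"From: \"Product Samples\" <sender@example.invalid>\n"
    b"Subject: Your free digital camera\r\r\n"
    b"\n"
    b"Body of the message.\n"
)
TAG = b"X-SMF-Cat: Spam; final filter"

def split_message(raw):
    """Split at the first empty LF-terminated line, as procmail sees it."""
    head, sep, body = raw.partition(b"\n\n")
    return head.split(b"\n"), sep + body

def sanitize_headers(lines):
    """Drop bare CRs from header lines and discard any line left empty."""
    return [l for l in (x.replace(b"\r", b"") for x in lines) if l.strip()]

def insert_after(lines, field, tag):
    """Insert tag after the named header (and its folded lines), else append."""
    out = list(lines)
    for i, line in enumerate(out):
        if line.lower().startswith(field.lower() + b":"):
            j = i + 1
            while j < len(out) and out[j][:1] in (b" ", b"\t"):
                j += 1
            out.insert(j, tag)
            return out
    return out + [tag]

def naive_append(raw, tag=TAG):
    """Add the tag at the end of the header block, as `formail -I` did here."""
    lines, body = split_message(raw)
    return b"\n".join(lines + [tag]) + body

def tag_message(raw, tag=TAG, anchor=b"Delivered-To"):
    """Sanitize the header block, then place the tag right after the anchor."""
    lines, body = split_message(raw)
    return b"\n".join(insert_after(sanitize_headers(lines), anchor, tag)) + body

def header_names_seen_by_client(raw):
    """Field names a client sees if it breaks lines on CRLF, bare CR or bare LF
    and stops reading headers at the first empty line."""
    names = []
    for line in re.split(rb"\r\n|\r|\n", raw):
        if line == b"":
            break
        if line[:1] not in (b" ", b"\t") and b":" in line:
            names.append(line.split(b":", 1)[0].lower())
    return names
```

Running header_names_seen_by_client on naive_append(SAMPLE) shows the tag missing from the client's view of the headers, while tag_message(SAMPLE) puts it second, after Delivered-To.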
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail