procmail

Re: $ and - in Msgid

2003-02-24 05:49:44
On Sun, Feb 23, 2003 at 11:52:24PM -0500, fleet(_at_)teachout(_dot_)org wrote:
> Heh! This one got 121 spam out of 6000+ messages.
>
> :0 :
> * ^Message-Id:[         ]<.*[$]
> * ^Message-Id:[         ]<.*[-]
> folder

Good, I'll test it a little later today.  Note that you can use
just one pass through the Message-ID rather than two:

        * ^Message-ID:[         ]*<.*(\$.*-|-.*\$)


I can already see a problem, though, in that domain names can
have the hyphen and will cause false positives.  So let's
obviate that:

        * ^Message-ID:[         ]*<.*(\$.*-|-.*\$).*@

(Note that we should already have found, and weeded out, in another
condition or recipe the creepy Message-IDs without @-signs or with more
than one.)


> PS: Looks like there can be more things "wrong" with a message-id than
> with a Congressional oversight committee. :)

Yes, as long as we remember that we're defining "wrong with" here
as signatures of some common malware, as opposed to RFC violations,
which this is not.

I have two types of M-ID recipes: those looking for RFC violations,
and those looking for creepy malware signatures that are not, in and
of themselves, syntactically improper.  Also note that some legit
bulk mailers use the same software.  I had, for instance, a legit
company mail (from proxyvote.com, I believe) that hit on one of
your malware-signature snaggers.

-- 
dman

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
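
The hyphen-in-domain false positive discussed in the message above, as an added example that is not part of the original post: the three conditions are translated to Python's `re` (assumed here to behave like procmail's case-insensitive egrep-style matching for these patterns) and run over constructed Message-ID headers. The function name `hits` and all sample headers are hypothetical.

```python
import re

WS = "[ \t]"            # space and tab, as inside the brackets in the recipes
FLAGS = re.I | re.M     # procmail conditions are case-insensitive by default

# Original recipe: two conditions, both must match (procmail ANDs them).
TWO_PASS = [re.compile(r"^Message-Id:" + WS + r"<.*[$]", FLAGS),
            re.compile(r"^Message-Id:" + WS + r"<.*[-]", FLAGS)]
# Single-pass form: $ and - in either order, anywhere after the "<".
ONE_PASS = re.compile(r"^Message-ID:" + WS + r"*<.*(\$.*-|-.*\$)", FLAGS)
# Refined form: both characters must be followed by an "@" (left-hand side).
LOCAL_ONLY = re.compile(r"^Message-ID:" + WS + r"*<.*(\$.*-|-.*\$).*@", FLAGS)


def hits(header):
    """Return which of the three conditions match a single header line."""
    return {
        "two_pass": all(p.search(header) for p in TWO_PASS),
        "one_pass": bool(ONE_PASS.search(header)),
        "local_only": bool(LOCAL_ONLY.search(header)),
    }


# Constructed sample headers (not taken from real mail).
SAMPLES = {
    # $ and - both left of the @: the signature being hunted.
    "both_local": "Message-ID: <abc$def-123@mail.example.com>",
    # $ on the left, hyphen only in the domain: the false positive.
    "hyphen_in_domain": "Message-ID: <abc$def@mail-out.example.com>",
    # Ordinary ID with a hyphenated domain and no $.
    "plain": "Message-ID: <20030224054944.GA1234@mail-out.example.com>",
    # Two @-signs: the refined pattern can anchor on the second one, which
    # is why such IDs need to be weeded out by an earlier recipe.
    "two_at_signs": "Message-ID: <abc$def@mail-out@example.com>",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name:18} {hits(header)}")
```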
