
Re: Identifying Phoney Email Addresses ... and From lines

2003-07-15 11:54:00
On Tue, Jul 15, 2003 at 10:31:44AM -0500, Jack L. Stone wrote:

> I've seen procmail recipes on identifying suspicious sender emails using
> all numbers, but many if not most of those now have a mixture of
> alpha/numeric user names, like these two in a row:
>
> ygciw651nk(_at_)hotmail(_dot_)com
> czlpxgyf1(_at_)yahoo(_dot_)com
>
> I would appreciate help on a procmail recipe that would identify the above
> type of sender (From), but only if they exceed 6 digits. The 5-6 digits
> with a mixture of alpha/numeric are probably okay since many of our emails
> come from radio operators with their unique FCC callsigns which are
> typically 5-6 digits.

How about (and this is fresh, untested, only partially proofread):

  FREEMAIL="(yahoo|hotmail|msn|aol|163)\.com"

  :0
   ##  grab the user-part of the email address
  * ^From:.+\/[a-z0-9]+@
  * MATCH ?? ()\/[^@]+
  { LHS=$MATCH }

  :0 A
   ##  a recipe score > 0 means we'll continue
  * -5^0
   ##  one point per character of LHS, so 6+ characters gives a score > 0
  * 1^1 LHS ?? .
  { }

  :0 A
  * -1^0
   ##  bump up the score if this is from a regularly abused provider
  * 1^0 $ ^From.*${FREEMAIL}
   ##  look for 3+ embedded digits
  * 1^0 LHS ?? [a-z]+[0-9][0-9][0-9]+[a-z]+
   ##  look for consonants trailed by digits
  * 1^0 LHS ?? ^^[bcdfghjklmnpqrstvwxyz]+[0-9]+^^
   ##  look for digits-only
  * 1^0 LHS ?? ^^[0-9]+^^
  { increase spamminess estimate }

That first condition in the first recipe will break on things like

  From: friend(_at_)public(_dot_)com <syzygy1234(_at_)msn(_dot_)com>

so you might want to handle that with something that counts at-signs,
and verifies that email addresses in From comments match "real" ones.
Just blue-skying here too:

  RE_EMAIL="[a-z0-9._+-]+@([a-z0-9][a-z0-9-]*\.)+[a-z][a-z]+"

  :0
  * $ ^From: +"${RE_EMAIL}" +<?\/${RE_EMAIL}
  { FROMADDR=$MATCH }

  :0 A
  * $ ^From: +"\/${RE_EMAIL}
  * $ ! MATCH ?? ^^${FROMADDR}^^
  { increase spamminess estimate by a little }


-- 
  Paul Chvostek                                      <paul(_at_)it(_dot_)ca>
  Operations / Abuse / Whatever
  it.canada, hosting and development                   http://www.it.ca/
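
The scoring from the two recipe groups above, mirrored in Python so the thresholds can be checked against sample From lines before the recipes go into a .procmailrc. This is an added example, not part of the original post: the function names and the callsign-style and quoted-name samples are constructed, and the length gate is assumed to mean one point per character of the local part against the -5 starting score.

```python
import re

# Patterns copied from the recipes in the message; procmail matches
# case-insensitively, hence re.I throughout.
FREEMAIL = r"(yahoo|hotmail|msn|aol|163)\.com"
RE_EMAIL = r"[a-z0-9._+-]+@([a-z0-9][a-z0-9-]*\.)+[a-z][a-z]+"

def local_part(from_line):
    """Mimic '^From:.+\\/[a-z0-9]+@': first [a-z0-9] run that precedes an '@'."""
    m = re.search(r"^From:.+?([a-z0-9]+)@", from_line, re.I)
    return m.group(1) if m else None

def lhs_score(from_line):
    """Score of the second recipe group, or None when the length gate fails."""
    lhs = local_part(from_line)
    # Assumption: one point per character against -5, so 6+ characters pass.
    if lhs is None or len(lhs) - 5 <= 0:
        return None
    score = -1
    score += bool(re.search(r"^From.*" + FREEMAIL, from_line, re.I))
    score += bool(re.search(r"[a-z]+[0-9][0-9][0-9]+[a-z]+", lhs, re.I))
    score += bool(re.fullmatch(r"[bcdfghjklmnpqrstvwxyz]+[0-9]+", lhs, re.I))
    score += bool(re.fullmatch(r"[0-9]+", lhs))
    return score  # the recipe fires only when this is > 0

def display_mismatch(from_line):
    """True when a quoted address in the From comment differs from the real one."""
    pat = rf'^From: +"(?P<shown>{RE_EMAIL})" +<?(?P<real>{RE_EMAIL})'
    m = re.search(pat, from_line, re.I)
    return m is not None and m["shown"].lower() != m["real"].lower()

# The first two addresses are the ones quoted in the thread; the rest are
# constructed for illustration.
SAMPLES = [
    "From: ygciw651nk@hotmail.com",
    "From: czlpxgyf1@yahoo.com",
    "From: kd7abc@yahoo.com",
    'From: "friend@public.com" <syzygy1234@msn.com>',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r}: lhs={local_part(line)!r} "
              f"score={lhs_score(line)} mismatch={display_mismatch(line)}")
```

The last sample shows the failure the message points out: the local part extracted is the one in the display name, so the scoring never looks at the address in angle brackets and only the mismatch check catches it.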

