procmail

Filtering bounces for auto-wording recipes

2003-09-25 13:19:18
Greetings all.  I'm in need of assistance in a bad way.  I've been working 
on this recipe for quite some time now.  Many of you have helped me 
through various problems and I thank you for that.  I've been trying to 
work out what I hope is the last bug in this recipe off and on for months 
now to no avail.  I think it's safe to say I'm not going to be able to fix 
this recipe on my own.

The purpose of this recipe is to munge parts of all incoming spam, report
it via a few local tools, munge it some more, and finally forward it on to
the FTC and the news.admin.net-abuse.sightings newsgroup.  This account is
a catchall and accepts mail not destined for a user I explicitly defined.  
It takes the incoming message and cleanses it of any identifiable
information that could identify the actual spam recipient.  This prevents
listwashing and DDoS attacks (hopefully).

First the subject is cleansed of sensitive information.  Next the recipe
uses spamassassin to remove the SA reports and formail to remove various
header lines added during forwarding.  The message in what should be its
original state is then run through Pyzor and Razor for reporting.  The
actual cleansing of sensitive information comes next.  After the message
is cleansed copies of it are sent to the FTC and Bob, the NANAS list bot,
for newsgroup posting.  That's the script in a nutshell.

This script is basically working as is when a piece of spam is received.  
It causes a fair amount of overhead but that's not a show-stopper at
present.  The problem I'm having is with bounces.  Shortly after this
auto-reporting tool went into use one of my spamtrap domains was
joe-jobbed.  Numerous MTAs and anti-spam scripts sent bounces to me
instead of rejecting the messages during the SMTP transaction (something I
know annoys all of us).  My recipe didn't know how to handle the bounces.  
I never told it to filter them out.  Therefore my recipe forwarded the
bounces to the FTC and NANAS.  Whoops!  That was a mistake on my part.  I
then tried to use FROM_DAEMON to filter the bounces.  It filtered some but
not all.  I also tried FROM_MAILER.  It too filtered some but not all of
the bounces.  How do I filter out the bounces in a procmail recipe?  I've
read man pages, primers, and howtos and can't for the life of me find a
solution that works.  I would like to put the script back into service but
I'm afraid to do so without knowing that it will work right.  Any advice
would be very much appreciated.  The recipe is below.  I've munged parts of
the munging section to protect the domains used in the spamtraps.

Many thanks
 Justin



VERBOSE=off
PMDIR=$HOME/.procmail
MAILDIR=$HOME/mail
LOGFILE=$PMDIR/log
ABUSE="postmaster@mydomain.net"
ARCHIVE_DIR=$MAILDIR/archive
# Envelope sender used on every forwarded report; mail bouncing back to it
# must not be reported again (see the X-Spam-Loop check below).
BOUNCER=spam-report@reportingdomain.com
AUTOREPLY=$MAILDIR/autoreplies

NANAS_ADDR=nanas-sub@cybernothing.org
FTC_ADDR=uce@ftc.gov


# File anything matching procmail's built-in FROM_MAILER pattern in the
# MAILER mbox so it is never reported.  FROM_MAILER keys on a fixed list of
# mailer-style sender names (mailer-daemon, postmaster, ...) and a few
# list headers, so bounces from other senders fall through to the
# reporting recipe below.
:0 H:
* ^FROM_MAILER
MAILER

# Same idea with the broader FROM_DAEMON pattern, currently disabled.
#:0 H:
#* ^FROM_DAEMON
#DAEMON

# Extract the Subject and assign it to SUBJECT.  The bracket expressions
# hold a literal space and a literal tab (procmail has no \t escape).
:0
* ^Subject:[    ]*\/[^  ].*
{
        SUBJECT=$MATCH
}
# Strip the SpamAssassin tag and replace spamtrap domains and user ids with
# placeholders.  Dots are escaped so they match literally; the I
# (case-insensitive) flag is a GNU sed extension.
SUBJECT = "`echo $SUBJECT | sed -e 's/\*\*\*SPAM\*\*\* //g' \
                                -e 's/munge1\.net/reportingdomain.com/gI' \
                                -e 's/munge2\.org/reportingdomain.com/gI' \
                                -e 's/munge3\.net/reportingdomain.com/gI' \
                                -e 's/munge4\.com/reportingdomain.com/gI' \
                                -e 's/munge5\.net/reportingdomain.com/gI' \
                                -e 's/munge6\.net/reportingdomain.com/gI' \
                                -e 's/munge7\.net/reportingdomain.com/gI' \
                                -e 's/munge8\.com/reportingdomain.com/gI' \
                                -e 's/mungeuser1/mungeduserid/gI' \
                                -e 's/mungeuser2/mungeduserid/gI' \
                                -e 's/mungeuser3/mungeduserid/gI' \
                                -e 's/mungeuser4/mungeduserid/gI' \
                                -e 's/mungeuser5/mungeduserid/gI' \
                                -e 's/mungeuser6/mungeduserid/gI' `"

## Report spam to Pyzor, Razor, the FTC, and NANAS.
:0 BH
# Skip anything (header or body) that already carries our own loop marker,
# so a report that bounces back is not reported a second time.
* $ ! ^X-Spam-Loop: $BOUNCER
#* !   ^FROM_DAEMON
{
        :0f
        # Clean up the spam by removing the SA headers, Subject change
        # and other misc headers.  "-I ReSent" (no colon) is meant to drop
        # every ReSent-* field left over from earlier forwarding.
        | spamassassin -d \
                | $FORMAIL -I ReSent \
                           -I X-Authentication-Warning: \
                           -I X-Envelope-To: \
                           -I X-Scanned-By: \
                           -I "Subject: $SUBJECT"

        # Report to Pyzor
        :0 Wc
        | /usr/bin/pyzor report

        # Report to Razor
        :0 Wc
        | spamassassin -r

        # Testing mbox
        :0c:
        reported

        # Munge identifying strings.  sed runs over the whole message, so
        # header and body are rewritten alike.  Dots are escaped so they
        # match literally; the I flag is a GNU sed extension.  The two IP
        # substitutions were munged to the same placeholder for posting and
        # stand for two different addresses.
        :0f
        | sed -e "s/munge1\.net/reportingdomain.com/gI" \
              -e "s/munge2\.org/reportingdomain.com/gI" \
              -e "s/aaa\.bbb\.ccc\.ddd/ip.ip.ip.ip/g" \
              -e "s/aaa\.bbb\.ccc\.ddd/ip.ip.ip.ip/g" \
              -e "s/munge3\.net/reportingdomain.com/gI" \
              -e "s/munge4\.com/reportingdomain.com/gI" \
              -e "s/munge5\.net/reportingdomain.com/gI" \
              -e "s/munge6\.net/reportingdomain.com/gI" \
              -e "s/munge7\.net/reportingdomain.com/gI" \
              -e "s/munge8\.com/reportingdomain.com/gI" \
              -e "s/mungeuser1/mungeduser/gI" \
              -e "s/mungeuser2/mungeduser/gI" \
              -e "s/mungeuser3/mungeduser/gI" \
              -e "s/mungeuser4/mungeduser/gI" \
              -e "s/mungeuser5/mungeduser/gI" \
              -e "s/mungeuser6/mungeduser/gI" \
              -e "s/\*\*\*SPAM\*\*\* //g" \
              -e "s/^ReSent-//g" \
              -e "s/^X-ReSent-//g" \
                | $FORMAIL -I ReSent-Date: \
                           -I ReSent-From: \
                           -I ReSent-To: \
                           -I ReSent-Subject: \
                           -I ReSent-Message-ID: \
                           -I X-Authentication-Warning: \
                           -I X-Envelope-To: \
                           -I X-Scanned-By:
                # was that last formail needed since I'm doing it below too?

        # Forward to the FTC and NANAS
        # Also set X-No-Confirm so Bob, the NANAS Bot won't auto-ack me.
        # Also add a X-Spam-Loop header to *hopefully* stop loops.
        # Currently delivers to a test account only; the live recipient
        # lines are kept commented out below.
        :0c
        | ( cat $AUTOREPLY/this-is-spam.txt - \
                | $FORMAIL -I"Subject: [email]  $SUBJECT" \
                           -I"X-Spam-Loop: $BOUNCER" \
                           -I"X-No-Confirm: yes" \
                           -I"From: Automated Spam Bouncing Daemon <$BOUNCER>" \
                           -I"To: FTC <$FTC_ADDR>, NANAS Bot <$NANAS_ADDR>" ) \
                        | $SENDMAIL -f $BOUNCER testaccount@mydomain.net
                        #| $SENDMAIL -f $BOUNCER $NANAS_ADDR $FTC_ADDR
                        #| $SENDMAIL -f $BOUNCER $NANAS_ADDR $FTC_ADDR testaccount@mydomain.net

        # Another testing mbox
        :0:
        wip

}



_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
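Added example, not part of Justin's post or recipe: a POSIX shell function (`is_bounce`, a name assumed here) that classifies the message on its standard input as a bounce using the structural DSN signals that FROM_MAILER and FROM_DAEMON do not look at (the null reverse path of RFC 5321, the `multipart/report; report-type=delivery-status` wrapper of RFC 3464, the RFC 3834 `Auto-Submitted` header, and Exim's `X-Failed-Recipients`) alongside the usual mailer sender names and subjects. Only the header block is examined, so bounce-like text quoted inside a spam body does not trigger it.

```shell
# is_bounce: read one RFC 822 message on stdin; exit 0 if its headers mark
# it as a bounce (DSN) or other auto-generated reply, 1 otherwise.
# Header lines are unfolded before matching; the body is never examined.
# Portable POSIX awk only (no GNU extensions).
is_bounce() {
    awk '
    function flush() {
        if (cur == "") return
        # Null reverse path (RFC 5321): strongest DSN signal, present when
        # the delivering MTA writes a Return-Path header.
        if (cur ~ /^return-path:[ \t]*<>/) found = 1
        # Standard DSN MIME wrapper (RFC 3464), checked after unfolding.
        if (cur ~ /^content-type:.*multipart\/report/ &&
            cur ~ /report-type=delivery-status/) found = 1
        # RFC 3834 auto-generated / auto-replied: bounces and vacation mail.
        if (cur ~ /^auto-submitted:[ \t]*auto-/) found = 1
        # Common mailer senders and bounce subjects.
        if (cur ~ /^from:.*(mailer-daemon|postmaster)@/) found = 1
        if (cur ~ /^subject:.*(undeliver|delivery (status notification|failure)|returned mail|mail delivery failed)/) found = 1
        # Exim lists the failed addresses here.
        if (cur ~ /^x-failed-recipients:/) found = 1
        cur = ""
    }
    /^$/ { exit }                 # first blank line ends the header block
    {
        line = tolower($0)        # case-insensitive matching without GNU IGNORECASE
        if (line ~ /^[ \t]/) cur = cur " " line   # continuation: unfold onto previous field
        else { flush(); cur = line }
    }
    END { flush(); exit (found ? 0 : 1) }
    '
}
```

Saved as a script whose last line calls `is_bounce`, it plugs into the rcfile ahead of the reporting block as a program condition (`* ? /path/to/is_bounce.sh`), which procmail runs with the message on stdin, and the matching recipe can file the mail in a bounces mbox instead of reporting it.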