
Re: My own antispam recipes

2003-11-05 16:16:22
At 20:48 2003-11-05 +0100, Peter Rosa wrote:

OK, what do you say about my idea - to stop every domain the spam comes from?
I made some research (about 3-5 months) and it seems that a lot of spam is
coming from the same domains (but not the same addresses [before @]). So I decided
to stop such domains in the future.

This is called a RHSBL, which is similar to a DNSBL, but is based on the domain name. If you're administering your own server(s), you can set up a DNS zone to act as the database for such a blacklist (which has the benefit of meaning multiple hosts can make use of it). Then, you can administer it external to procmail - and NOT take the network hit of receiving messages in the first place.

I can say my newbie recipes work (I started them because I had about 200
spams per day); they are only very inefficient. Now I receive about 10-15
spams per day. It's a success, isn't it? Now I can study procmail "to the
deep" from the resources you sent me before.

Despite receiving about 700 messages into my own inbox each day (after spam filtering), I only see about 7-10 spams in a month, thanks to DNSBLs and some refined spam recipes utilizing multiple characteristics.

Really, could you please help me with the regexp for searching the first
Received header in a mail for the envelope-from and sucking the domain from it?

No good - the hostname provided during the SMTP EHLO exchange is whatever the sending host wants to claim itself to be. Some MTAs are configured to take the actual IP address and perform an rDNS lookup of it, and deposit that information in the Received header -- but anyone who is a delegate of their IP block can enter *WHATEVER* they want for the hostname - even hosts not owned by them.


Based on:
Received: from r220-1 (r220-1.rz.RWTH-Aachen.DE [someipaddress]) etc...

This won't inherently match the FIRST Received, but since the match should occur on the first matching line, it should generally match on the first:

# Match the EHLO name (the first word after "from") on the first Received
# header and look it up in a local blacklist file.  The bracket expression
# contains a literal space and a literal tab (procmail has no \t).
:0:
* ^Received: from \/[^ 	]+
* ? fgrep -i "$MATCH" myblacklistedhosts.file
blacklisted.mbx

# Same idea, but capture the rDNS name the MTA wrote in parentheses instead.
# The "(" must be escaped, and \/ marks where MATCH starts.
:0:
* ^Received: from [^ 	]+ \(\/[^ 	]+
* ? fgrep -i "$MATCH" myblacklistedhosts.file
blacklisted.mbx


There are other ways to do it as well.

[snip]

Trimmage of previous replies is always well received.

---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.
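The script below is an added example and not code from this reply or from procmail: it does in Python what the two recipes above do with procmail and fgrep, parsing the topmost Received header into the EHLO name, the rDNS name and the bracketed IP, and checking the rDNS name and IP against a local blocklist. It also builds the query name an RHSBL lookup would use (no DNS query is actually sent). The sample headers, the blocklist and the zone name are constructed for the example. Unlike the fgrep condition in the recipes, the domain check matches on label boundaries, so a blocked "bulk-mailer.invalid" does not also catch "notbulk-mailer.invalid".

```python
"""Parse the topmost Received header and check it against a local blocklist."""
import re

# Constructed sample headers (not from the thread).  The first Received line is
# the one *our* MTA wrote, so its bracketed IP is the one value we can trust.
SAMPLE_OK = (
    "Received: from r220-1 (r220-1.rz.RWTH-Aachen.DE [192.0.2.10])\n"
    "\tby mail.example.net (Postfix) with ESMTP id 4XYZ\n"
    "\tfor <user@example.net>; Wed, 5 Nov 2003 16:16:22 +0100\n"
    "From: someone@example.org\n"
    "Subject: test\n"
)
# Here the client *claims* to be a host at rwth-aachen.de in its EHLO, but
# the rDNS name and IP recorded by our MTA tell a different story.
SAMPLE_SPAM = (
    "Received: from mail.RWTH-Aachen.DE (mx3.bulk-mailer.invalid [203.0.113.5])\n"
    "\tby mail.example.net (Postfix) with ESMTP id 4ABC\n"
    "\tfor <user@example.net>; Wed, 5 Nov 2003 16:20:00 +0100\n"
    "Subject: buy now\n"
)

# Constructed blocklist: domains are matched on label boundaries (not by
# substring, as `fgrep` would), IPs exactly.
BLOCKED_DOMAINS = {"bulk-mailer.invalid"}
BLOCKED_IPS = {"203.0.113.5"}

RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"                    # name the client claimed in HELO/EHLO
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"   # optional rDNS name looked up by the MTA
    r"\[(?:IPv6:)?(?P<ip>[^\]]+)\]\))?",         # connecting IP as seen by the MTA
    re.IGNORECASE,
)


def unfold(headers):
    """Join RFC 2822 continuation lines (those starting with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def first_received(headers):
    """Return the value of the first (topmost) Received header, or None."""
    for line in unfold(headers).splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "received":
            return value.strip()
    return None


def parse_received(value):
    """Split a 'from HELO (RDNS [IP])' clause into its parts (None if absent)."""
    m = RECEIVED_RE.match(value or "")
    if not m:
        return {"helo": None, "rdns": None, "ip": None}
    out = {k: (v.lower() if v else None) for k, v in m.groupdict().items()}
    if out["rdns"] == "unknown":       # Postfix writes "unknown" when rDNS fails
        out["rdns"] = None
    return out


def domain_blocked(name, blocked):
    """True if name equals a blocked domain or is a subdomain of one."""
    if not name:
        return False
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in blocked)


def rhsbl_query_name(domain, zone):
    """Build the DNS name an RHSBL client would resolve for `domain`.

    A listed domain answers with an A record; an unlisted one returns NXDOMAIN.
    Resolution itself is left to the MTA, so nothing is queried here.
    """
    return domain.lower().rstrip(".") + "." + zone.lower().rstrip(".")


def check_message(headers, blocked_domains=BLOCKED_DOMAINS, blocked_ips=BLOCKED_IPS):
    """Decide 'blacklisted' or 'ok' from the topmost Received header.

    The HELO name is deliberately ignored: the client can claim anything.
    The rDNS name is only as trustworthy as whoever controls the PTR record,
    so the IP check is the strong one; the domain check is the 'stop this
    domain' heuristic from the thread, applied to the rDNS name.
    """
    parsed = parse_received(first_received(headers))
    if parsed["ip"] in blocked_ips:
        return "blacklisted"
    if domain_blocked(parsed["rdns"], blocked_domains):
        return "blacklisted"
    return "ok"


if __name__ == "__main__":
    for label, msg in (("ok", SAMPLE_OK), ("spam", SAMPLE_SPAM)):
        print(label, parse_received(first_received(msg)), check_message(msg))
```

In a procmail setup the equivalent of `check_message` would be wired in as a `* ? script` condition, but the point worth taking from the script is which field you key on: the EHLO name is whatever the sender typed, the rDNS name is whatever the PTR owner typed, and only the IP your own MTA recorded is yours to trust.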


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
