procmail
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Few misc questions.

2004-02-05 23:23:13
from [Professional Software Engineering] [Permanent Link] 
At 19:55 2004-02-05 -0500, Robert Krueger wrote:

1.  All my mail that isn't tagged by SA and deposited in a special file
is sent to a maildir/ type folder.  Because my virus stuff plus the SA
stuff are in a regular MH style file, I used the :0 : format telling
MH "files" are separate files. I think perhaps you mean mbox file. Procmail basically supports storing messages in FOUR distinct ways, as outlined in a message I posted yesterday: mbox, two file naming conventions for MH, and maildir (with new/ old/ tmp/ subdirs). Excepting mbox, all the other formats are one-message-per-file, and therefore do not require locking. 


procmail to use a lockfile on these files only.  I assume this is
proper, as I see no need to use maildir/ format style directories to
deposit spam and viruses.  While i go to the trouble of scanning these
files using "less" to make sure I'm not getting good mail deposited
here, I have to believe there's an easier way.  Isn't there some mail
utility that can scan all this mail in one of these files ( one at a
time, all, whatever)


Uh, I'm unclear on how you're having a difficulty in reviewing them.
and lay it out neatly so I can see what type of mail is in there? ( I did try "mailstat", it's kind of a "busy" display)
mailstat works best with a procmail logfile which is is logabstract only. Verbosity and manually-emitted notes make mailstat pretty noisy. You could filter a logfile before passing it into mailstat though - eliminate lines not part of the logabstract: 

egrep ^"(From | Subject:|  Folder:)" log | mailstat
Replace 'mailstat' with 'less' and you can just page through the simplified logfile. 


2.  Because I subscribe to three maillists, which can involve a lot of
mail,
Because I subscribe to several maillists and admin several more, I get a *LOT* of email. I average over 700 a day. Then there's the frantic days... 


The first block says (I think...) "If this email is NOT one of these
three mailing lists, then execute the code between the braces {}.
If you're going to use scoring, then use maximal score on any one of the conditions (I presume they are actual checks of specific headers - the rewritten summarization isn't the best way to seek explanation of code). Why? because as written, it certainly appears that unless it's *ALL* of the lists simultaniously (that is if it isn't a procmail AND postfix AND evolution message, and I think you'll agree that's unlikely) then you'll have a nonzero score and the message conditions will be considered true.
Either lose the scoring SCORING aspect, and just invert the conditions (all conditions need to evaluate TRUE, that is NOT the lists): 

* ! procmaillistcondition
* ! postfixlistcondition
* ! evolutionslistcondition
{
        # do stuff
}
or, use a NEGATIVE maximal value ('minus infinity', which for procmail is anything larger than negative 2^31) in your scoring, but DO NOT invert the list check (thus, if the list condition is met, the scored conditions stop being checked and it skips the recipe). This is more efficient, since condition evaluations stop as soon as any one of the conditions is found to be true. Ordering the checks in order of list traffic levels allows you to tweak the performance ever so slightly: if you receive 100 procmail messages a day, five postfix messages, and one evolution message, you'd want to order it so that the procmail list is checked first, since MOST messages would match that condition and continue past this recipe right away without wasting the (nominal, for sure) cycles on the other checks. If you put evolution first, then the 100 procmail messages would have to check that condition, fail it, and then check the procmail condition and succeed on it. Minour optimization for sure, but in any event, this is more efficient than the alternative above, which will check all conditions for ALL messages. 

* -9876543210^0 procmaillistcondition
* -9876543210^0 postfixlistcondition
* -9876543210^0 evolutionlistcondition
{
        # do stuff
}


What's a fairly bulletproof way to snag mail from a mailing list?
I'm a little confused over the special variables that can be used just
for a mailing list, truth be told.
Check the procmail list archives for a recipe defining LISTNAME. Such recipes (including one I posted not so long back) have been written to generically identify a list message based on commonly-inserted headers. owner-listname, X-Beenthere:, and certain list-RFC specific headers can be checked for, and the listname discerned from them. So, I run these filters up near the top of my procmailrc processing, and subsequently, I can do: 

:0
* ! LISTNAME ?? (procmail|postfix|evolution)
{
        # do stuff
}
That condition is very literal - it isn't a vage pseudocode rewrite. I use the same sort of thing to define additional "padding" for my spam filters on some lists. Procmail for instance discusses viruses frequently, so it needs a lot more padding. Other lists have a sufficient number of other characteristics (such as removing Received: lines from before the list handling, which interferes with detecting forged freemail messages), that some padding is appropriate. 


3. Last question.   These spammers are getting sneakier.  They used to
use just .exe attachments, now, among others, they use my old reliable
..zip extension as well.
That's not spam per-se, it's virus. Spammers _generally_ want to send you advertising, though in some cases, they've used malware to obtain address lists or produce zombie SMTP servers, such messages still fall under the general category of virus.
So virussnag.rc can snag these also, no problem, but I thought it would be wiser to use a conditional statement somehow that said, basically, "Check this list, and if this file with the .zip attachment is from anyone on this list, then let it in".
It's called a Greenlist - if you really want to implement one, scan the archives for that term.
However, I'd *STRONGLY* caution against this for virus scanning - the whole basis of email based viruses for the past three years has been to use email addresses culled from saved mail and addressbooks and send messages FORGED to be from those addresses to other addresses culled from the same sources. And prior to this technique, viruses commonly simply spread From: the infected user to the addresses which could be found on their system. Either way, MANY of the viruses you get will be from addresses which you recognise. Moreso for people with small contact lists who do not participate on discussion lists, but you'll still get viruses from addresses you recognize, which were not really sent by those parties.
It's fine to use a greenlist to bypass _spam_ checking, but if you're doing virus checking, you shouldn't have ANY greenlist to bypass that. 


 Most of my zipped up stuff comes from business associates, so I do want
to receive these mails,
Then don't simply _discard_ zips - look for signatures associated with certain viruses. Or, request that your business associates send ZIPs in messages which they've PGP signed. Problem solved.
I myself have been a longtime registered ZIP user (from the OLD days - I've used Phil Katz's software since PKARC). If you're a registered ZIP user, you can apply for an authentication code -- PKZIP can embed a code into a zipfile that authenticates the files which YOU added. So, even if PGP isn't an option (sucks to be you if it isn't), authenticated ZIP files can be. I'm unaware of any support for authentication in the open source ports of ZIP though, but if you use the actual PKWare versions of the program, you've got access to the feature. It is popular for software authors, since you could validate your own archives as not having been tampered with.
Similarly, encrypting the zipfiles is another way to circumvent virus ZIPs - if everyone on a development team encrypts their ZIPs, then only the other members of that team (those with the password) can extract it. A _virus_ that goes around with a password would be useless since nobody would know the password and thus wouldn't be able to extract the file.
Now, watch, some virus writer will start encrypting ZIPfiles and the virus will send out TWO messages - one with an "I'm sending you a file, it's encrypted with the password 'blah'", and the other with the attached ZIP....
Well, PGP remains my choice for validating legitimate message content, but I still transfer most stuff (since I'm the one sending stuff to clients) via client-specific FTP accounts and authenticated HTTP downloads, so program files aren't being sent around as attachments anyhow. 

---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Spam, Professional Software Engineering
Next by Date:  Re: Few misc questions., Nancy McGough
Previous by Thread:  Few misc questions., Robert Krueger
Next by Thread:  Re: Few misc questions., Robert Krueger
Indexes:  [Date] [Thread] [Top] [All Lists]