On Mon, May 17, 2004 at 10:31:58PM -0400, fleet(_at_)teachout(_dot_)org wrote:
(Re. discussion of split Receiveds:)
On Mon, 17 May 2004, Professional Software Engineering wrote:
I've used the following recipe for a long time:
* ^(From|Date|Subject|Reply-To):(.*$)+Received:
I found my nemesis The Python Tutor list among those that insert header
material. :)
Snake in the grass? :-)
Back to scoring:
The following seems to work except for one problem:
:0
* -4^0
* 1^0 ^Received:(.*$)+Received:
* 1^0 ^Received:(.*$)+Received:
* 1^0 ^Received:(.*$)+Message-Id:
* 1^0 ^Message-Id:(.*$)+Received:
* 1^0 ^Received:
spamtest/gotcha
The problem is - How do I say in the last condition "Received: followed by
NOT Received"? I tried * 1^0 ^Received:(.*$)+[^Received:], which didn't
work. (I didn't think it would, but it was worth a try.) I'd like to get
this to work even if the recipe turns out to be useless. I'll have
learned a bunch.
I've used the following with great success. Currently it triggered on
12 of my last 100 spams. Like Sean, I sum various indicators to arrive
at a spamish quantum.
RCVD_EQUIVS = "X-MindSpring-Loop:"
RCVD_EQUIVS = "$RCVD_EQUIVS|Approved-By:.*@"
RCVD_EQUIVS = "$RCVD_EQUIVS|X-SpamCop-Return-Path:"
RCVD_EQUIVS = "$RCVD_EQUIVS|X-Qmail-Scanner-"
RCVD_EQUIVS = "($RCVD_EQUIVS)"
:0 # 031216 () split Received: headers
* $ 1^1 ^Received:.+^$NOT_RCVD
* $ -1^0 ^($RCVD_EQUIVS.+$)Received:
* -1^1 ^Delivered-To:.+$Received:
#
# 031216 () exceptions follow
* $ -1^0 TRUST ?? ^^[$HIGHEST$HIGH]^^
* $ -1^0 XM ?? ()\<Octeth
* $ -1^0 MITIGATED ?? $TRUE
* $ -1^0 HOTHOO_VERIFIED ?? $TRUE
* $ -1^0 FOGGYCLIENT ?? ^^$RESERVED_IPs:[0-9][0-9]+^^
{ RX = "${RX:+$RX, }UBE.RC.SPLIT" }
There are lots of exceptions there, but I haven't had to adjust anything
in nearly six months now. I'm not going to explain all my private
vars, except that XM is the X-Mailer content and FOGGYCLIENT
is a personal name I use for the bottom Received header's asserted
sending client (same code as in Virus Snaggers finds that -- just
the name is a personal one bound up with some private naming history).
Even without the exceptions, it's quite effective for me. Oh: I
do need to show $NOT_RCVD, which is pretty cool:
NOT_RCVD = [^R]|R[^e]|Re[^c]|Rec[^e]|Rece[^i]|Recei[^v]
NOT_RCVD = ($NOT_RCVD|Receiv[^e]|Receive[^d]|Received[^:])
That of course goes earlier than the above. (I have a separate
variable assignment INCLUDERC; actually, several of them.)
I see from the archives that one year ago this month I talked
briefly about NOT_RCVD. But I didn't specifically show it there.
--
dman | Virus Snaggers now at 2.0.2 - <http://vsnag.spamless.us>
| see also the procmail diagnostics rc in the Download section
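
The NOT_RCVD construction above, as an added example that is not part of the original post: it builds the same alternation for any literal, checks it against header names, and counts Received: lines followed by a non-Received: header. Python's re module stands in for procmail's matcher here; the function names and the two sample messages are constructed for illustration.

```python
import re

def not_prefix(literal):
    """Regex matching text that does NOT start with `literal`, built the way
    NOT_RCVD is: one branch per position where the first mismatch occurs."""
    branches = [re.escape(literal[:i]) + "[^" + re.escape(literal[i]) + "]"
                for i in range(len(literal))]
    return "(?:" + "|".join(branches) + ")"

NOT_RCVD = not_prefix("Received:")

# Procmail matches case-insensitively by default and against unfolded
# headers, so this sketch uses re.I and unfolds continuation lines itself.
SPLIT_RE = re.compile(r"^Received:.+\n" + NOT_RCVD, re.I | re.M)

def count_received_breaks(raw_message):
    """Count Received: lines directly followed by a non-Received: header."""
    headers = raw_message.split("\n\n", 1)[0] + "\n"
    headers = re.sub(r"\n[ \t]+", " ", headers)   # unfold continuation lines
    return len(SPLIT_RE.findall(headers))

# Constructed sample messages (hosts and addresses are placeholders).
CLEAN = """\
Return-Path: <alice@example.org>
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.com with ESMTP id ABC123
Received: from client.example.org (client.example.org [192.0.2.20])
    by mx.example.net with SMTP id DEF456
Message-Id: <1@example.org>
Subject: hello

body
"""

SPLIT = """\
Received: from relay.example.net by mail.example.com
Subject: cheap stuff
From: x@example.org
Received: from forged.example by nowhere.example
Message-Id: <2@example.org>

body
"""

if __name__ == "__main__":
    print(count_received_breaks(CLEAN), count_received_breaks(SPLIT))  # 1 2
```

A contiguous Received: block yields one break (its last line), a split block yields more. The bracket expression [^Received:] only excludes single characters, which is why it rejects a header such as Return-Path: that the alternation accepts.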