
Re: SPAM

2005-03-31 12:24:42
At 19:32 2005-03-31 +0200, Ruud H.G. van Tol wrote:
I have seen a lot of those messages for many months now, but
they were (almost) all caught by existing rules.

Yeah, I'd look for other characteristics, not the bogus nametext. The vast majority of the spam I receive trips a LOT of flags. Received header count, bogus/no rDNS data for sending host, consumer dialup/broadband sending host, messageid injected by local MTA, abundance of HTML constructs, HTML only, invalid dates, hosts claiming to be MY mailhost in their SMTP greeting, spoofed local users (when the From: is at my domain, but it can't be resolved as deliverable by my MTA*) -- all of this, and many other checks, are independent of a simple taboo word check, say for "viagra" and the like, which obviously would have nabbed the message provided by the OP in this thread.

Here's another potential failing of trying to match for the nametext: when someone addresses a message to multiple recipients (in the To:, rather than To+Cc), you're going to see other text, possibly with nametext, even if your address didn't carry nametext, so you could trip up on the OTHER guy's name (or address). Also, people who add you to their addressbook can put all manner of comment text in there - it won't necessarily be your name. Check a mailing list sometime and note the wide variance in the To: line (for the mailing list itself) based on what people have in their own addressbooks.


* the check is quite easy, though involves calling out to the MTA. Since this is ONLY performed when the FROM_DOMAIN (one of several variables I set when receiving mail - see my sandbox for the simple extraction) matches our own domain, it's not hammering the MTA for each message you receive. I score this very high as a spam indicator - but not 100%:

# 20041213
# If the From: address claims to be from a user on the local system,
# ask sendmail (-bv, verify only, no delivery) whether the user parses as valid.
# This is intended to catch random username forgeries.
# Note: the two hostnames are hostnames that resolve to the same actual
# (local) mail server, not two separate servers -- you can't validate accounts
# on another server with this method as written.
# CLEANFROM is the bare address already extracted from From:. It is
# interpolated into a command line, so it must carry no name text or
# shell metacharacters.
:0
* FROM_DOMAIN ?? ^((firsthostname|anotherhostname)\.)?domain\.tld$
{
        # sendmail -bv prints "... deliverable: ..." for addresses it will accept
        VALIDRESULT=`$SENDMAIL -bv $CLEANFROM`
        :0
        * ! VALIDRESULT ?? deliverable:
        {
                SPAMVAL="+180"
                SPAMMISHNESS="${SPAMMISHNESS}${SPAMVAL}"
                SPAMNOTES="${SPAMNOTES}SPAM: ${SPAMVAL} spoofed local user $CLEANFROM${NL}"
        }
}
---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.


____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
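A worked version of the same spoofed-local-user check in Python, added here as an example; it is not code from the original post or from procmail. It assumes a local domain `domain.tld` with host aliases `firsthostname` and `anotherhostname` (taken from the recipe's regex), a sendmail binary at `/usr/sbin/sendmail`, and constructed sample `sendmail -bv` outputs so the scoring logic can be exercised without an MTA. The name-text stripping stands in for the poster's CLEANFROM extraction, which is not on this page.

```python
"""Spoofed-local-user check modelled on the procmail recipe above.

Example code, not from the original post. Assumptions:
  - LOCAL_DOMAINS / LOCAL_HOSTS: names that all resolve to the same local MTA.
  - `sendmail -bv` prints "deliverable:" for addresses the MTA accepts
    (the same string the recipe tests for).
  - SAMPLE_BV and the headers in main() are constructed, not captured.
"""
import re
import subprocess
from email.utils import parseaddr
from typing import Callable, Optional, Tuple

SENDMAIL = "/usr/sbin/sendmail"                      # assumed path
LOCAL_DOMAINS = ("domain.tld",)                      # assumed local domain
LOCAL_HOSTS = ("firsthostname", "anotherhostname")   # aliases of the same MTA

# Same shape as the recipe's condition: optional known host prefix, then the domain.
_LOCAL_RE = re.compile(
    r"^((" + "|".join(map(re.escape, LOCAL_HOSTS)) + r")\.)?("
    + "|".join(map(re.escape, LOCAL_DOMAINS)) + r")$",
    re.IGNORECASE,
)

# Only a bare, conservative address is ever handed to the MTA. Anything else is
# rejected here instead of being interpolated into a command line.
_BARE_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$")


def clean_from(from_header: str) -> Optional[str]:
    """Bare address from a From: value, name text dropped (the recipe's CLEANFROM)."""
    _name, addr = parseaddr(from_header)
    if not addr or not _BARE_ADDR_RE.match(addr):
        return None
    return addr.lower()


def from_domain(addr: str) -> str:
    """Domain part of a bare address (the recipe's FROM_DOMAIN)."""
    return addr.rpartition("@")[2]


def is_local_domain(domain: str) -> bool:
    return bool(_LOCAL_RE.match(domain))


def run_sendmail_bv(addr: str) -> str:
    """Ask the real MTA: sendmail -bv verifies an address without delivering."""
    out = subprocess.run([SENDMAIL, "-bv", addr], capture_output=True, text=True, timeout=30)
    return out.stdout + out.stderr


def mta_says_deliverable(output: str) -> bool:
    """The recipe's test; the word boundary keeps e.g. 'undeliverable:' from passing."""
    return re.search(r"\bdeliverable:", output) is not None


def spoofed_local_user_score(
    from_header: str,
    verify: Callable[[str], str] = run_sendmail_bv,
    spamval: int = 180,
) -> Tuple[int, str]:
    """(score, note). Non-zero only when From: claims our domain and the MTA rejects the user."""
    addr = clean_from(from_header)
    if addr is None:
        return 0, ""
    if not is_local_domain(from_domain(addr)):
        return 0, ""                      # foreign domain: never hits the MTA
    if mta_says_deliverable(verify(addr)):
        return 0, ""
    return spamval, f"SPAM: +{spamval} spoofed local user {addr}"


# Constructed sendmail -bv outputs (not captured from a real server).
SAMPLE_BV = {
    "sean@domain.tld": "sean@domain.tld... deliverable: mailer local, user sean",
    "xq8f2@domain.tld": "xq8f2@domain.tld... User unknown",
}


def fake_verify(addr: str) -> str:
    """Stand-in for run_sendmail_bv that answers from SAMPLE_BV."""
    return SAMPLE_BV.get(addr, f"{addr}... User unknown")


if __name__ == "__main__":
    # Constructed From: headers, including name text the recipe ignores.
    for hdr in ('"Sean" <sean@domain.tld>', "Promo <xq8f2@domain.tld>",
                "someone@elsewhere.example", "nobody@firsthostname.domain.tld"):
        print(hdr, "->", spoofed_local_user_score(hdr, verify=fake_verify))
```

Run it as is to see the scoring against the constructed samples; swap `fake_verify` for the default `run_sendmail_bv` on a host with sendmail to get the MTA's real answer. As in the recipe, the MTA is only consulted when the From: domain matches the local names, so a flood of foreign-domain spam never touches it.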
