procmail

Re: Sanity check please

2005-04-26 06:39:49
On Sat, 23 Apr 2005 17:08:06 -0700 Professional Software Engineering 
<PSE-L(_at_)mail(_dot_)professional(_dot_)org> wrote:

At 17:10 2005-04-23 -0500, Gerald V. Livingston II wrote:

Will this:

* ! ^From.*\"James\".*\<\*\*\*\*\*\*\*(_dot_)*\(_at_)(_dot_)*\>

Catch this?

.From: "James" <*******************(_at_)mail(_dot_)sysmatrix(_dot_)net>

Gerald, surely you've heard of a sandbox by now?  Using a sandbox, it's 
quite easy to verify this sort of stuff.

Errr.... no. My current .procmailrc changes so seldom that I never quite
get around to setting up the sandbox. The number of days it's taken me to
get back to even looking at replies here indicates why. ;-)

I'll assume the leading dot is a typo - surely you mean:

^From

Habit. I usually put a space in front of any line-starting "From" but I've
noticed that some of the MUA editors I have used remove the leading space.
Then the MTA/LDA/Procmail/something else munges it into ">From" when it's
delivered.

FTR, the From.* bit will also attempt to match the From_ header (envelope), 
which should NEVER have a quoted name portion (nor should the address 
appear in brackets).  As such, you may as well put the colon following the 
From.  I must wonder - is his ENVELOPE address really similarly munged?

This guy is going to have NO luck with mailing lists that don't permit 
posts from anyone other than known s*bscribers.

Frankly, I'd just up the settings on the MTA to properly reject messages 
bearing addresses of invalid syntax, and let him contend with the 
bounces.  Clue him in.

I don't have time to try to clue him in *again* right now. It's not the
first time he's done something stupid. Like the time he wondered why his
email was taking 3 or 4 hours to finally get delivered and it was only
showing up in one of his mailboxes. <--- that part of his question got me
looking at our hosting server logs. He has 3 addresses -- he had two of
them FORWARDED to each other two at the MTA using aliases. An email sent to
any one address would loop for a while...then the MTA would figure out what
was happening and error out on the forward and dump the message into the
box it was originally addressed to.

Also, you're INVERTING the condition, so it's more like "will this NOT 
catch this?"

It's intentional. Here's the whole recipe with addresses broken for the
archives. Note I've made a couple of the suggested changes in the "****"
recipe portion.

#Jim Bishop
:0
* ! ^From(_dot_)*jbishop(_at_)tejasph(_dot_)tld
* ! ^From(_dot_)*bikerbear21(_at_)tejasph(_dot_)tld
* ! ^From(_dot_)*admin(_at_)tejasph(_dot_)tld
* ! ^From:.*\"James\".*<\*+(_dot_)*(_at_)(_dot_)*>
{ }
:0 E:
.sysmatrix-net.0-gvl2.Bear/


Here's the complete header as delivered to my home machine via POP3
(fetchmail) through my Exim MTA and Procmail. I'm going to try not to wrap
it:

Return-path: <*******************(_at_)mail(_dot_)sysmatrix(_dot_)net>
Envelope-to: gvl2(_at_)localhost
Delivery-date: Fri, 22 Apr 2005 00:45:08 -0500
Received: from phorce1.sytes.net
        ([127.0.0.1] helo=localhost ident=gvl2)
        by phorce1.sytes.net with esmtp (Exim 3.35 #1 (Debian))
        id 1DOqyS-0006pV-00
        for <gvl2(_at_)localhost>; Fri, 22 Apr 2005 00:45:08 -0500
Received: from mail.sysmatrix.net [65.170.133.30]
        by localhost with POP3 (fetchmail-5.9.11)
        for gvl2(_at_)localhost (single-drop); Fri, 22 Apr 2005 00:45:08 -0500 (CDT)
Received: from tejasph.com [65.170.133.40] by sysmatrix.net with ESMTP
  (SMTPD32-8.14) id AE1F1B2C0058; Fri, 22 Apr 2005 00:39:43 -0500
Received: from tejas16 [203.177.174.202] by tejasph.com with ESMTP
  (SMTPD32-7.07) id AC851FD00D4; Fri, 22 Apr 2005 00:32:53 -0500
Message-ID: <003501c546fc$ba166560$c800a8c0(_at_)tejas16>
From: "James" <*******************(_at_)mail(_dot_)sysmatrix(_dot_)net>
To: "Al Lindzy" <rotorhead216(_at_)domain(_dot_)tld>,
        "Jim A Underhill" <jaucpa(_at_)domain(_dot_)tld>,
        "carol o'quinn" <carolo1957(_at_)domain(_dot_)tld>,
        "Gerry Roberts" <gerry(_at_)domain(_dot_)tld>,
        <gvl2(_at_)domain(_dot_)tld>,
        "joseph grover" <joejing2003(_at_)domain(_dot_)tld>
Subject: Baby Boy
Date: Fri, 22 Apr 2005 13:32:36 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0032_01C5473F.BEEE57D0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Declude-Sender: jbishop(_at_)tejasph(_dot_)tld [65.170.133.40]
X-Note: (Sysmatrix.net) This E-mail was scanned by Declude JunkMail 
(www.declude.com) for spam.
X-Spam-Tests-Failed: None [0]
X-Note: This E-mail was sent from mail2.sysmatrix.net ([65.170.133.40]).
X-RCPT-TO: <gvl2(_at_)domain(_dot_)tld>
Status: U
X-UIDL: 347763184

tejasph.com is on a vanity domain mail only hosting box at the office I
work in (mail2.sysmatrix.net is its FQDN). The X-Declude-Sender: header is
added by the current spam scanner on our primary mail server
(mail.sysmatrix.net) by ripping it directly from the envelope sender info
provided by SMTP Authentication. But I will be switching that machine away
from that horrid Windows based MTA in a few weeks to a Postfix machine and
I'm not sure how long it will take for me to get SpamAssassin to add a copy
of the envelope sender info to the human-readable headers. SA is new
territory for me.

He apparently only has "***************************" in the config part of
OE where it asks for his email address to be entered. That's what creates
the "From:" header. mail.sysmatrix.net doesn't see a domain on it so it
adds its own FQDN to "make it an address".

A buddy of mine has apparently taken some dweeb's suggestion for spam
prevention by altering the "Email address" in his Outlook Express settings
to prevent people from automatically adding him to their address books.

dweeb indeed.  Everybody attempting to so much as REPLY to this guy is 
going to have trouble, so he can expect his legitimate contacts to drop 
sharply too.

His problem right now, not mine. I have him in my address book so I just
hit "jbi{TAB}" and any reply is addressed properly. ;-)

His actual address is jbishop at tejasph dot com. I don't have the
sysmatrix mail servers' spam checking set rabid enough to insist on a valid
"From:" so the messages come through and the sysmatrix mail server tries to
guess at what to stick in there. The current spam scanner does insert this
header:
 
You mean, the domain portion of his email address is actually inserted 
locally, and what he's actually using is a domain-less address?  Same goes 
for the envelope?

See above. The "From_" envelope header is probably broken but the envelope
sender header is created based on SMTP Auth user/password verification.

This cluebie is going to be using YOUR mail servers?

See above. Using a vanity mail hosting box that's running a Windows based
MTA that I can't change yet. When I get our primary domain working on
Postfix+SA I'll look at switching the hosting box. 

If you're going to match on his From address and you're not matching on the 
explicit string in his messages, why not just match as:

* ^From:.*"James".*<\*+@(list-of-domains)>

I now have:

* ! ^From:.*\"James\".*<(_dot_)*\*+(_dot_)*(_at_)(_dot_)*>

Which would be "James" followed by zero or more of any char then "<"
followed by zero or more of any char then one or more "*" then zero or more
of any char then "@" then zero or more of any char then ">".

That should cover him changing it to something like "JAMES******" or
"****JAMES" or "JAMES****BISHOP" in the email address portion and also
cover any MTA inserting its own FQDN as the domain portion (including
"localhost").

Yuck.

Thanks to all for the pointers.

Gerald
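As an added sandbox for the recipe above (this is not code from the thread), the four conditions are run as Python regexes over constructed From lines, including the "JAMES******" / "****JAMES" variants and an envelope From_ line. It assumes the archive's (_dot_) and (_at_) stand for "." and "@", and mirrors procmail's egrep-style, case-insensitive, line-anchored matching with re.IGNORECASE | re.MULTILINE.

```python
import re

# Added sandbox for the recipe quoted in the thread (not the thread's own code).
# The archive's "(_dot_)" and "(_at_)" are read back as "." and "@" (assumption);
# procmail conditions are egrep-style and case-insensitive unless the D flag
# is given, and "^" anchors at any line start, hence these flags.
FLAGS = re.IGNORECASE | re.MULTILINE
CONDITIONS = [
    # "^From" without a colon also reaches the envelope From_ line, as the
    # thread points out; the dot in "tejasph.tld" is unescaped, as written.
    re.compile(r"^From.*jbishop@tejasph.tld", FLAGS),
    re.compile(r"^From.*bikerbear21@tejasph.tld", FLAGS),
    re.compile(r"^From.*admin@tejasph.tld", FLAGS),
    # The final "James" condition: "<", anything, one or more "*", anything,
    # "@", anything, ">".
    re.compile(r'^From:.*"James".*<.*\*+.*@.*>', FLAGS),
]


def goes_to_bear(headers: str) -> bool:
    """True when the E (else) recipe would file the message into the Bear folder.

    The first recipe negates every condition and has an empty action, so it
    succeeds only when none of the patterns match; the E recipe therefore
    fires when at least one of them does.
    """
    return any(c.search(headers) for c in CONDITIONS)


def which_condition(headers: str):
    """Index of the first matching condition, or None (handy when debugging)."""
    for i, c in enumerate(CONDITIONS):
        if c.search(headers):
            return i
    return None


# Constructed header fragments, not the real message from the thread.
SAMPLES = {
    "stars only": 'From: "James" <*******************@mail.sysmatrix.net>',
    "JAMES then stars": 'From: "James" <JAMES******@localhost>',
    "stars then JAMES": 'From: "James" <****JAMES@tejasph.com>',
    "real address, display name": 'From: "James Bishop" <jbishop@tejasph.tld>',
    "envelope From_ line only": "From jbishop@tejasph.tld Fri Apr 22 00:45:08 2005\nSubject: hi",
    "another James, no stars": 'From: "James Smith" <james@example.org>',
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label:28} -> Bear/ = {goes_to_bear(hdr)} (condition {which_condition(hdr)})")
```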

____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
