
Re: Filter?

2005-08-12 09:18:54
At 01:17 2005-08-12 -0400, Lennart Andersen wrote:
:0H
* 1^0 ^Reply-To:.*hotmail\.com
* 1^0 ^From:.*hotmail\.com
* 1^0 ^To:.*hotmail\.com
$MAILDIR/spam

I'll echo Paul's statement that this is far too simplistic to simply 
categorize mail as spam.

FTR, since there isn't a threshold (basically, an initial no-condition 
negative score), it only takes one of the three conditions in order to 
match the rule, yet all three will be checked for.  Excepting for capturing 
statistics to the logfile, there's no use in doing this - may as well set 
them to be a maximal score each (9876543210^0 is a common, easy to remember 
one - but basically, it is 2^31 (binary, not scoring syntax)).  See 'man 
procmailsc'

Also the 'H' flag is the default flag and doesn't need to be specified 
unless you're ALSO scanning the body.  Of course, if you have just a few 
conditions you want to scan the body for


Now, if you're using what I call "spammishness" - a running tabulation of 
"fishy" or "suspect" things about an email, then adding some score for 
these attributes isn't necessarily a bad thing - hotmail is among my 
flagged domains for messages originating from it (and yes, I do have a 
tosser hotmail account myself - I use it for initial contact, such as 
classified advert replies, so I don't have to subject my own domain to a 
deluge of crapmail that will ofttimes ensue), as well as messages 
originating from it but not bearing the expected mailhosts in the headers 
(see my "spewhosts" filter), which is a simplistic way of catching 
forgeries (including for various banks subject to phishing messages).  The 
idea is that few single attributes necessarily make a message spam, but 
quite a few smaller ones do.  To wit:

SPAM: +50 message-id domain does not match sender domain
SPAM: +75 received without messageid, injected by local mailserver
SPAM: +125 Single received header for foreign sender
SPAM: +35 from_domain not found in received chain
SPAM: +50 Cleartext recipient is common target here
SPAM: +25 From/Recipient score 25
SPAM: +150 From service doesn't appear in Received lines
SPAM: +175 IP 219.32.84.167 listed in dialup DNSBL
SPAM: +125 relay hostname appears to be consumer dialup/broadband
SPAM: +(249*0.75) text/html ONLY
SPAM: +5 spam type statements (5)
SPAM: +150 forged hotmail.com
SPAM: +249 Abundance of triggers
SPAM: Advisory - spammishness is 1400.75
SPAM: spammishness exceeds threshold of 249
SPAM: Apparent recipient is **DELETED**
INFO: SpamFilter v03.11.00  SBS  20050425/1552
From aiyganush(_at_)hotmail(_dot_)com  Thu Aug 11 11:54:42 2005
  Subject:  Attract any woman now
   Folder:  gzip -9fc >> spam.gz


---
  Sean B. Straw / Professional Software Engineering

  Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
  Please DO NOT carbon me on list replies.  I'll get my copy from the list.


____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
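
The scoring behaviour discussed in the message above, as an added example that is not part of the original post: a simplified Python model of procmail's `w^x` weighted conditions applied to the quoted recipe, to the same recipe with maximal weights, and to a variant with a no-condition negative threshold. Assumptions: the model handles only header regexes simple enough to behave the same in Python's `re`, treats a condition with no regex as matching once, does not model the minus-infinity early exit, and uses constructed sample headers.

```python
import re

PROCMAIL_MAX = 2147483647  # "plus infinity" per procmailsc(5)

def score_recipe(conditions, headers):
    """Return (score, conditions_evaluated) for 'w^x [regex]' condition lines."""
    score, evaluated = 0.0, 0
    for line in conditions:
        if score >= PROCMAIL_MAX:
            break  # maximum reached: remaining weighted conditions are skipped
        w, x, pattern = re.fullmatch(r"\*\s*(-?[\d.]+)\^([\d.]+)\s*(.*)", line).groups()
        w, x = float(w), float(x)
        evaluated += 1
        # Model assumption: a condition with no regex matches exactly once.
        hits = len(re.findall(pattern, headers, re.I | re.M)) if pattern else 1
        # The nth match adds w * x**(n-1), so with x = 0 only the first match counts.
        score += sum(w * x**k for k in range(hits))
    return min(score, PROCMAIL_MAX), evaluated

def delivers(conditions, headers):
    """A scoring recipe takes its action when the final score is positive."""
    return score_recipe(conditions, headers)[0] > 0

HOTMAIL = [r"^Reply-To:.*hotmail\.com", r"^From:.*hotmail\.com", r"^To:.*hotmail\.com"]
ORIGINAL = [f"* 1^0 {p}" for p in HOTMAIL]          # recipe as quoted in the post
MAXED = [f"* 9876543210^0 {p}" for p in HOTMAIL]    # same tests, maximal weights
THRESHOLD = ["* -2^0"] + ORIGINAL                   # needs all three to end above 0

# Constructed sample headers
ONE_HIT = "From: someone@hotmail.com\nTo: user@example.org\nSubject: hi\n"
ALL_HIT = ("Reply-To: a@hotmail.com\nFrom: a@hotmail.com\n"
           "To: b@hotmail.com\nSubject: hi\n")

if __name__ == "__main__":
    for name, recipe in (("original", ORIGINAL), ("maxed", MAXED), ("threshold", THRESHOLD)):
        for label, hdrs in (("one hit", ONE_HIT), ("all hit", ALL_HIT)):
            print(name, label, score_recipe(recipe, hdrs), delivers(recipe, hdrs))
```

With a single hotmail header the quoted recipe still delivers to the spam folder after evaluating all three conditions, the maximal-weight form stops at the first match, and the `-2^0` threshold form delivers only when all three headers match.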
