procmail

Recent GIF Spam Recipe

2006-11-18 06:06:00
Hi All,

I am test-piloting the gif spam recipe that was posted to the list a
week or two ago.  As I have said in the past, I am a procmail newbie
and I am really trying to understand the programming that is behind
what procmail recipes do.  Here is my question.

I am using the revised/cleaned-up/commented version of the gif recipe.
 I am trying to integrate a couple of things into the procmail recipe
that I have used in my current recipe.  First off, here is the error
message I am receiving in the log.


~<006c01c70b0b$95f44d30$b001a8c0(_at_)jamiedesktop> 3
From personal(_at_)address(_dot_)net Sat Nov 18 07:17:56 2006
 Subject: Testing20
  Folder: (/usr/bin/formail -rtb -IPrecedence: junk -IFrom: EOSgrad.co     1317
/bin/sh: (/usr/bin/formail: No such file or directory


Here is the portion of the recipe in question:
:0 Hh
 * ^TOsally(_at_)testdrop(_dot_)teamhendricks(_dot_)com
 * !^FROM_DAEMON
 * !^X-Loop: sally(_at_)testdrop(_dot_)teamhendricks(_dot_)com
  | ($FORMAIL -rtb -I"Precedence: junk" \
     -I"From: EOSgrad.com Autoresponder <sally(_at_)testdrop(_dot_)teamhendricks(_dot_)com>" \
     -A"X-Loop: sally(_at_)testdrop(_dot_)teamhendricks(_dot_)com"; \
     cat $HOME/.procmailrecipes/testdrop/AUTOmembership.txt \
     ) | $SENDMAIL -oi -t
$AUTORESPOND


Three questions...
#1 I --do-- have formail on my server.  When I do a whereis, formail
comes up at /usr/bin/formail.  I put a variable (is that what you call
it?) at the top of the recipe that says:  FORMAIL = '/usr/bin/formail'
I have also tried putting in (in the above portion of the recipe,
without the variable at the top of the recipe) just formmail or
/usr/bin/formail.  The error log says that there isn't such a file and
stops.

#2 I have the $AUTORESPOND variable at the bottom of that portion of
the recipe.  At the top of the recipe near the GIFSPAM I set an
autorespond directory with my mail account.  How do I get the email
that triggers the autoresponse to drop to the autorespond directory?

#3 If you see anything I should fix/clean-up that is unrelated to the
above 2 questions, could you let me know?  It helps my learning
process.

I have attached the entire recipe below if you need further
information.  I have gotten rid of my addresses.  Thanks for your
help, in advance.  Jamie

# $Id: .procmailrc.anti-gifspam 2006-Nov-10 10:55 $

  SHELLMETAS                    #  unset, for better error messages
  SHELL       = '/bin/sh'

  LINEBUF     = 4096
  LOGABSTRACT = 'all'
  MAILDIR     = '/home/usernamehere/mail/domain.com/zzztestdrop-r'
  DEFAULT     = 'new'
  SENDMAIL    = '/usr/sbin/sendmail'
  FORMAIL     = '/usr/bin/formail'

# disable next line to get procmail's logging on stderr
  LOGFILE     = "$_.log"

  LOG         = '~'

  GIFBOX        = '.suspect'   #  IMAP-oriented, see delivery
  CERTAINLYSPAM = '.certainly-spam/new'
  AUTORESPOND   = '.autorespond'

#------------------------------------------------------------
# set some globals
#------------------------------------------------------------

  t = ' '                       #  only a TAB, like "\t"
  b = "[ $t]"                   #  [[:blank:]]
  n  = '
'                               #  only an LF, like "\n"

  a  = '[0-9A-Za-z]'            #  [[:alnum:]]
  a2 = "$a$a"    a3  = "$a2$a"
  a4 = "$a2$a2"  a6  = "$a4$a2"
  a8 = "$a4$a4"  a12 = "$a8$a4"

  x  = '[0-9A-Fa-f]'            #  [[:xdigit:]]
  x2 = "$x$x"    x3  = "$x2$x"
  x4 = "$x2$x2"  x6  = "$x4$x2"
  x8 = "$x4$x4"  x12 = "$x8$x4"

#------------------------------------------------------------
#  collect some message parameters
#------------------------------------------------------------
  :0
  *  ^^(From |Return-Path: <)[^ @]+@\/[^ >]+
  { ENV_DOMAIN = $MATCH }       #  domain part of the Envelope-From

  :0
  * 1^1 ^Received:
  { } N_RCVD = $=               #  number of Received header fields

  :0
  * ^Received: from \/[^ ]+
  { R1_HOST = $MATCH }

  :0
  * ^Content-Type: multipart/related;.*\
           boundary=(\")?\/[^\"]+
  { H_CTB = $MATCH }  #  primary MIME boundary

  :0
  *  ^Message-ID:.*\/[^ <@]+@[^>]+
  { H_MID = $MATCH
    :0
    *  H_MID ?? ^^\/[^@]+
    {  MID1 = $MATCH }          #  volatile part of the Message-ID
    :0
    *  H_MID ?? @\/.+
    {  MID2 = $MATCH }          #  FQDN part of the Message-ID
  }
  LOG = "<${H_MID}> ${N_RCVD}$n"

#------------------------------------------------------------
#  dump all blacklisted to addresses
#------------------------------------------------------------

:0
* ?       [ -s $HOME/.procmailrecipes/testdrop/testdrop-blacklist.txt ]
* ? fgrep -iqf $HOME/.procmailrecipes/testdrop/testdrop-blacklist.txt
$CERTAINLYSPAM

#------------------------------------------------------------
#  catch gifspam
#------------------------------------------------------------
  :0

# if the number of Received header fields is 1 or 2
  *  N_RCVD ?? ^^(1|2)^^

# and it is a multipart message
  *  ^MIME-Version: 1\.0\
     ^Content-Type: multipart/

# and the MIME boundary matches some regex
  *$ H_CTB  ?? ^^----=_NextPart_000_${x4}_$x8\.$a8^^

  {
    :0

  # if the FQDN part of the Message-ID does not contain a dot
  # or ends in the domain part of the Envelope-From
    *$ MID2 ?? (^^[^.]+|$\ENV_DOMAIN)^^

  # and part of the message body matches some regex
    *$ B ?? ^--$\H_CTB\
            ^Content-Type: image/gif;\
            ^$b+name=\"[^\"]+\.gif\"\
           (^Content-Transfer-Encoding: base64)?\
            ^Content-ID: <\
             ($x12[$]$x8[$]$a8@$\MID2\
             |$a12[$]$a8[$]$a+@$a+\
             |[^ >.@]+\.gif@$x8\.$a8\
             )>$

  # then deliver
    $GIFBOX/

  #----------------------------------------------------------
  # Procmail stops at delivery, so only if the previous
  # recipe did not deliver, then processing continues here.
  #----------------------------------------------------------

    :0

  # if the FQDN part of the Message-ID is equal to the HELO
    *$ MID2 ?? ^^$\R1_HOST^^

  # and there are 10 (or more) gif-attachments
    * -9^0
    *$ 1^1 B ?? ^--$\H_CTB\
                ^Content-Type: image/gif;\
                ^$b+name=\"[0-9]+\.gif\"$

  # then deliver
    $GIFBOX/
  }

#------------------------------------------------------------
  :0

# if the number of Received header fields is 2 or 3
  *  N_RCVD ?? ^^(2|3)^^

# and the MIME boundary matches /[[:xdigit:]]+/
  *$ H_CTB  ?? ^^$x+^^

# and the FQDN part of the Message-ID ends in the domain part
# of the Envelope-From
  *$ MID2   ?? ()$\ENV_DOMAIN^^

# and the From: header field has an unquoted name, followed
# by <user-part@domain-part-of-the-Envelope-From>
  *$ ^From: [^\"<]+ <[^@]+@$\ENV_DOMAIN>$

# and part of the message body matches some regex
  *$ B ?? ^--$\H_CTB\
          ^Content-Type: image/gif;\
          ^$b+name=\"[^\"]+\.gif\"\
         (^Content-Transfer-Encoding: base64)?\
          ^Content-ID: <$x+@$\ENV_DOMAIN>$

  # then deliver
  $GIFBOX

#------------------------------------------------------------
#
#
:0 Hh
 * ^TOsally(_at_)testdrop(_dot_)teamhendricks(_dot_)com
 * !^FROM_DAEMON
 * !^X-Loop: sally(_at_)testdrop(_dot_)teamhendricks(_dot_)com
  | ($FORMAIL -rtb -I"Precedence: junk" \
     -I"From: xxx.com Autoresponder <sally(_at_)testdrop(_dot_)teamhendricks(_dot_)com>" \
     -A"X-Loop: sally(_at_)testdrop(_dot_)teamhendricks(_dot_)com"; \
     cat $HOME/.procmailrecipes/testdrop/AUTOmembership.txt \
     ) | $SENDMAIL -oi -t
$AUTORESPOND

#
#:0 Hh
#* ^TOmemberships(_at_)xxx(_dot_)com
#* !^FROM_DAEMON
#* !^X-Loop: memberships(_at_)xxx(_dot_)com
#  | (formail -rtb -I"Precedence: junk" \
#     -I"From: xxx.com Autoresponder <autoresponder(_at_)xxx(_dot_)com>" \
#     -A"X-Loop: membership(_at_)xxx(_dot_)com"; \
#     cat $HOME/.procmailrecipes/eosgrad/AUTOmembership.txt \
#     ) | $SENDMAIL -oi -t
#
#:0 Hh
#* ^TObian(_at_)xxx(_dot_)com
#* !^FROM_DAEMON
#* !^X-Loop: bian(_at_)xxx(_dot_)com
#  | (formail -rtb -I"Precedence: junk" \
#     -I"From: xxx.com Autoresponder <autoresponder(_at_)xxx(_dot_)com>" \
#     -A"X-Loop: membership(_at_)xxx(_dot_)com"; \
#     cat $HOME/.procmailrecipes/eosgrad/AUTObiannualoff.txt \
#     ) | $SENDMAIL -oi -t
#
#
:0:
* ^TO_(_dot_)troubleform(_at_)xxx\(_dot_)com
$DEFAULT

:0 fw
* < 256000
| spamassassin

:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*
.almost-certainly-spam/new

:0 A:
$DEFAULT

____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
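
Added example, not part of the original post and not procmail's own code: procmailrc(5) states that a program line is fed to $SHELL only when it contains a character listed in SHELLMETAS, and is otherwise executed directly. The sketch below models that rule on a constructed stand-in for the autoresponder action (LINE and the function names how_run, argv0 and run_line are assumptions), showing which word becomes the program name when SHELLMETAS is unset, as it is at the top of the rc file above.

```shell
#!/bin/sh
# Model of the SHELLMETAS rule from procmailrc(5); not procmail's own code.
# Function names and LINE are constructed for this illustration.

DEFAULT_METAS='&|<>~;?*['    # default SHELLMETAS per procmailrc(5)

# how_run METAS CMDLINE -> prints "shell" or "direct"
how_run() {
    metas=$1
    cmd=$2
    if [ -n "$metas" ]; then
        case $cmd in
            *["$metas"]*) echo shell; return 0 ;;
        esac
    fi
    echo direct
}

# argv0 CMDLINE -> first whitespace-separated word, i.e. the program name
# used when the line is executed without a shell (quoting ignored here)
argv0() {
    set -f; set -- $1; set +f
    printf '%s\n' "$1"
}

# run_line METAS CMDLINE -> run the line the way the model says
run_line() {
    if [ "$(how_run "$1" "$2")" = shell ]; then
        /bin/sh -c "$2"
    else
        set -f; set -- $2; set +f
        "$@"            # "(printf" is looked up as a program: status 127
    fi
}

# Constructed stand-in with the same shape as the autoresponder action:
# a parenthesised command list piped into a second program.
LINE='(printf "Subject: auto\n"; printf "body\n") | wc -l'

echo "SHELLMETAS unset:   $(how_run '' "$LINE"), argv[0] = $(argv0 "$LINE")"
echo "SHELLMETAS default: $(how_run "$DEFAULT_METAS" "$LINE")"
run_line '' "$LINE" 2>/dev/null || echo "direct execution failed, status $?"
run_line "$DEFAULT_METAS" "$LINE"
```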
