Re: helo=<IP> detection

Hello Ruud,

Am 2006-11-17 15:19:00, schrieb Ruud H.G. van Tol:
> Michelle Konzack schreef:
>
> >   :0
> >   * ^X-Mailer:.*Outlook
> >   * ^Received:.*\(helo=\[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]\)
> >   .ATTENTION.VirusSpam/
> >
> > but sometimes it does not work.
> Why are you using the \/ MATCH operator in there?
It was taken from another recipe which is working. :-)

> What do you mean by "not work", does the recipe match too many messages?
> Too few? Something else?
To few
 
> The recipe will catch messages that contain a very specific Received:
> header field, namely containing (case-insensitive!)
> "(helo=[12.34.56.78])".
> (the 12.34.56.78 as example)
All received spams has exactly this "(helo=[12.34.56.78])" construct.
And a faked Outlook header.

All the days I get many spams from the same fake Outlook and the same
IP and environement the same time.

It looks like someone switch on the computer or connect it to the
Internet and the WinVirus is sending immediatly the spams.

So I want definitivly filter out such constructs.

Since I must download my mails using fetchmail/procmail...
(I do not trust the filters of my ISP and let only tag messages)

> Is that specific Received header field added by your fetchmail or local
> MTA? Don't you want to limit this recipe to the very first (or second
> etc.) Received header field?
Fetchmail does not add any Header and give the received messges
to "--mda procmail".

My ISP (freenet.de) is generaly adding two headers.  The first
one is by receiving the message and the second one is from the
<mboxNN.freenet.de> server where my mailbox is located.

The message you have send contain:

----8<--------------------------------------------------------------
Received: from [194.97.55.147] (helo=mx4.freenet.de)
                               ^^^^^^^^^^^^^^^^^^^^^
      Legitim, since the hello MUST contain the fqdn (read from RFC)

        by mbox91.freenet.de with esmtpa (ID exim) (Exim 4.62 #12)
        id 1Gl4mA-0002Bu-4Y
        for linux4michelle(_at_)01019freenet(_dot_)de; Fri, 17 Nov 2006 
15:33:06 +0100
Received: from mta-2.ms.rz.rwth-aachen.de ([134.130.7.73]:53281)
        by mx4.freenet.de with esmtp (port 25) (Exim 4.62 #12)
        id 1Gl4kk-00039C-Ov
        for linux4michelle(_at_)freenet(_dot_)de; Fri, 17 Nov 2006 15:31:38 
+0100
Received: from circe ([134.130.3.36]) by mta-2.ms.rz.RWTH-Aachen.de
 (Sun Java System Messaging Server 6.2-7.05 (built Sep  5 2006))
 with ESMTP id 
<0J8V00EFAPOPL0A0(_at_)mta-2(_dot_)ms(_dot_)rz(_dot_)RWTH-Aachen(_dot_)de> for
 linux4michelle(_at_)freenet(_dot_)de; Fri, 17 Nov 2006 15:31:38 +0100 (CET)
Received: from talos.rz.RWTH-Aachen.DE ([134.130.3.22])
        by circe (MailMonitor for SMTP v1.2.2 ) ; Fri, 17 Nov 2006 15:31:36 
+0100 (MET)
Received: from hermes.rz.rwth-aachen.de
 (hermes.rz.RWTH-Aachen.DE [134.130.4.36])      by smarthost.rwth-aachen.de
 (8.13.8/8.13.1/1) with ESMTP id kAHEVX4W013476; Fri, 17 Nov 2006 15:31:35 +0100
Received: from [134.130.4.36] (localhost [127.0.0.1])
        by hermes.rz.rwth-aachen.de (8.13.7+Sun/8.12.2-1)
 with ESMTP id kAHEQVfM021433; Fri, 17 Nov 2006 15:30:56 +0100 (CET)
Received: from mta-2.ms.rz.rwth-aachen.de
 (mta-2.ms.rz.RWTH-Aachen.DE    [134.130.7.73]) by hermes.rz.rwth-aachen.de
 (8.13.7+Sun/8.12.2-1) with ESMTP id    kAHEQSQG021429 for
 <procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE>; Fri, 17 Nov 2006 15:26:28 
+0100 (CET)
Received: from medos ([134.130.3.35]) by mta-2.ms.rz.RWTH-Aachen.de
        (Sun Java System Messaging Server 6.2-7.05 (built Sep  5 2006))
        with ESMTP id 
<0J8V00E0LPFZKYA0(_at_)mta-2(_dot_)ms(_dot_)rz(_dot_)RWTH-Aachen(_dot_)de> for
        procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE; Fri, 17 Nov 2006 
15:26:23 +0100 (CET)
Received: from relay2.rwth-aachen.de ([134.130.3.6])
        by medos (MailMonitor for SMTP v1.2.2 ) ; Fri, 17 Nov 2006 15:26:22 
+0100 (MET)
Received: from smtp-vbr13.xs4all.nl (smtp-vbr13.xs4all.nl [194.109.24.33])
        by relay2.rwth-aachen.de (8.13.7/8.13.0/1) with ESMTP id        
kAHEQDa3018455  for
        <procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE>; Fri, 17 Nov 2006 
15:26:16 +0100 (MET)
Received: from isop10 (s5590d2ae.adsl.wanadoo.nl [85.144.210.174])
        (authenticated bits=0)  by smtp-vbr13.xs4all.nl (8.13.8/8.13.8)
        with ESMTP id kAHEQBfj091491
        (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO)
        for <procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE>; Fri,
 17 Nov 2006 15:26:12 +0100 (CET envelope-from rvtol(_at_)isolution(_dot_)nl)
----8<--------------------------------------------------------------

Greetings
    Michelle Konzack


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
                   50, rue de Soultz         MSM LinuxMichi
0033/6/61925193    67100 Strasbourg/France   IRC #Debian (irc.icq.com)


____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail