procmail

Re: Spam filter for detecting same name in From and Subject headers

2007-01-06 08:18:09
Jim Witte wrote:
   How would I write a filter that would filter out messages where
part of the From field matches the beginning of the Subject field?
I've noticed a huge amount of spam in the following form:

 > From: "<x> Madrid" <indication'scoarser(_at_)abs-cbn(_dot_)com>
 > To: <jsylvest(_at_)indiana(_dot_)edu>
 > Subject: <x> wrote:

   Until the spammers update the bots (modify one of the words
perhaps), it would seem such a filter to detect the 'From:\s"(.*)
\s*Subject:\1\swrote' pattern or something like it..

   Sorry if this is an 'old hat' trick here..

There is more wrong with those messages, and these other patterns are
better to filter on.

1. Often the Date-header has an invalid TimeZone, like not ending in
([03]0|[14]5).

Date: Fri, 5 Jan 2007 16:10:44 -0540


2. The quote inside the From: address is also worth spamscore points.

From: "Gregorio Summers" 
<arithmeticallysubsidence's(_at_)abargainauto(_dot_)com>


3. The oldest Received header field is peculiar, example:

Received: from 216.219.254.203 (HELO mailhost.abargainauto.com)
     by munged.invalid with esmtp (U5/*/K6SY8+J 03.3B)
     id 22*6(U-<PDR0/-NT
     for munged(AT)munged.invalid; Fri, 5 Jan 2007 16:10:44 -0540


4. The Message-ID is peculiar, like
  <01c730e4$0d864ad0$6c822ecf(_at_)arithmeticallysubsidence's>

Specifically, it starts with 3 groups of 8 alphanumeric characters,
separated by '$'.

5. Etc.

-- 
Regards, Ruud


____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
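
The header checks 1, 2 and 4 from the reply above, together with the From/Subject match from the quoted question, as an added Python example (not code from the thread, and not a procmail recipe). The two sample messages are constructed, the signal names are hypothetical, and the Received check is left out because the post does not say exactly what makes that header peculiar.

```python
import re
from email import message_from_string

# Constructed samples modelled on the header fragments quoted in the thread;
# the names and the example.invalid domain are placeholders.
SPAM = """\
From: "Gregorio Madrid" <indication'scoarser@example.invalid>
Subject: Gregorio wrote:
Date: Fri, 5 Jan 2007 16:10:44 -0540
Message-ID: <01c730e4$0d864ad0$6c822ecf@indication'scoarser>
"""
HAM = """\
From: "Jane Doe" <jane@example.invalid>
Subject: Re: procmail recipe question
Date: Sat, 6 Jan 2007 08:18:09 +0100
Message-ID: <20070106071809.GA1234@example.invalid>
"""

def bad_timezone(date):
    # Check 1: numeric offset whose minutes are not 00, 30, 15 or 45.
    m = re.search(r"[-+]\d{2}(\d{2})\s*$", date)
    return bool(m) and not re.fullmatch(r"[03]0|[14]5", m.group(1))

def quote_in_address(from_):
    # Check 2: a single quote inside the <...> address part of From.
    return re.search(r"<[^>]*'[^>]*>", from_) is not None

def odd_message_id(mid):
    # Check 4: three 8-character alphanumeric groups separated by '$'.
    return re.match(r"\s*<[0-9A-Za-z]{8}\$[0-9A-Za-z]{8}\$[0-9A-Za-z]{8}@", mid) is not None

def name_echoed_in_subject(from_, subject):
    # Quoted question: first word of the From name opens "<x> wrote:".
    name = re.match(r'\s*"?([^"<\s]+)', from_)
    subj = re.match(r"\s*(\S+)\s+wrote:", subject)
    return bool(name and subj) and name.group(1).lower() == subj.group(1).lower()

def spam_signals(raw):
    # Return the sorted names of every signal the message triggers.
    msg = message_from_string(raw)
    checks = {
        "bad_timezone": bad_timezone(msg.get("Date", "")),
        "quote_in_address": quote_in_address(msg.get("From", "")),
        "odd_message_id": odd_message_id(msg.get("Message-ID", "")),
        "name_echoed_in_subject": name_echoed_in_subject(msg.get("From", ""), msg.get("Subject", "")),
    }
    return sorted(name for name, hit in checks.items() if hit)

if __name__ == "__main__":
    print(spam_signals(SPAM), spam_signals(HAM))
```

Counting the returned signals gives a per-message score, so one coincidental hit does not condemn a message on its own.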