At 14:57 2008-03-30 +0200, Nikolaus Hiebaum wrote:
It seems that someone is using my main e-mail address to send out spams (a
"Joe Job" I believe it is called), and I get all the mailer-daemon
messages. To me these are spam.
Actually, many spams are intentionally being delivered via the bounce -
spammers send messages with a return-path to you to an address they know
will accept the message at SMTP time and subsequently generate a bounce,
with the entire original message in tow.
But what I would need in addition to this is that procmail searches the body for a
keyword or two.
Simplified response, though I see that Ruud has basically posted the same
thing:
# dump mailer messages for reply requests (grep Body+Header)
:0:
* ^FROM_MAILER
* B ?? body-keyword
bounced-spammer
Changes include eliminating the BH from the flags - it's easier, more
efficient, and more correct (this should be in the header, that should be
in the body), to specify the B token on the condition line where you want
to search the body, when you're also searching something in the headers on
another line (the mailer). Since delivery is to an MBX file, there's a
lockfile flag added as well. The body keyword condition line has "B ?? "
at the start - this says "search the BODY for the tokens".
You may want to read up on scoring, or use a nested action, so that you
check for mailer once, but have multiple recipes (or one recipe with
multiple maximal scoring conditions). Here's a basic collection of some
filter rules for catching reflection spam. This snippet isn't actually
tested, though I employ something very similar myself (minus the first
nested condition):
:0
* ^FROM_MAILER
{
# Keyword match on the spam's own text. Note the B flag on every nested
# recipe: the bounced original (headers included) sits in the BODY of the
# mailer message, so that is where all of these conditions have to look.
:0B:
* software
* adobe|microsoft|popular
IN.BOUNCESPEW
# Legitimate mail should NEVER have your mailer-daemon as the
# return-path - this is a "reflected" spam delivery.
:0B:
* ^Return-Path: mailer-daemon@host\.yourdomain\.tld
IN.BOUNCESPEW
# This header is appearing increasingly on reflected spam - the
# intent is to request that the entire message be bounced, rather
# than truncated to just the headers, ensuring that the spam content
# is delivered to the bounce recipient.
:0B:
* ^Content-Return: allowed
IN.BOUNCESPEW
# if a legitimate bounce is supposed to be for a message YOU sent,
# check to see that it doesn't specify an X-Mailer that you know YOU
# don't use. This works for personal mail, but isn't appropriate for
# a systemwide filter (or if you administer a discussion list which
# will generate delivery bounces on behalf of messages other people
# send), since many users may use different mailers. You could put
# in additional conditions (probably inversions) to limit this to
# personal mail vs. listadmin stuff.
# Note that the list here doesn't necessarily represent SPAM mailers,
# but rather mailers YOU don't utilize.
:0B:
* ^X-Mailer:[ ]*(CME-V|Microsoft Outlook|AdSend|The Bat!|AOL|\
Internet Mail|Juno|Novell|PMMail|Winbiff)
IN.BOUNCESPEW
# add more...
}
In my own environ, I don't file it to a file when matching the conditions,
I add a score, and later file messages away based on their cumulative score.
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
____________________________________________________________
procmail mailing list Procmail homepage: http://www.procmail.org/
procmail@lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
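The scoring variant Sean mentions at the end (score each condition, file on the cumulative total) is shown below as an added example; it is not code from the post or from procmail. It re-implements the nested recipes in Python so the logic can be run against constructed messages: a simplified stand-in for procmail's ^FROM_MAILER gates on the header, and each body condition carries a weight the way a `* w^0 regex` scoring condition does. The domain `yourdomain.tld`, the weights, the threshold and the three sample messages are all assumptions made for the example. Like procmail, it does not parse MIME: the body is everything after the first blank line, which is exactly where a bounce carries the original (reflected) message and its headers.

```python
import re

# Assumptions for this example: your domain and the address your own MTA
# puts in bounces.  Change both to match your setup.
OWN_DOMAIN = "yourdomain.tld"
OWN_MAILER_DAEMON = r"mailer-daemon@host\." + re.escape(OWN_DOMAIN)

# Mailers you personally never use.  As the post says, this is not a list
# of spam mailers, just ones that cannot appear in a bounce of YOUR mail.
FOREIGN_MAILERS = (r"CME-V|Microsoft Outlook|AdSend|The Bat!|AOL|"
                   r"Internet Mail|Juno|Novell|PMMail|Winbiff")

# Simplified stand-in for procmail's built-in ^FROM_MAILER: does a From /
# Sender header (or the envelope "From " line) point at a mailer daemon?
FROM_MAILER = re.compile(
    r"^(?:>?From |(?:Resent-)?(?:From|Sender):).*"
    r"(?:mailer-daemon|postmaster|mail\s*delivery)",
    re.IGNORECASE | re.MULTILINE)

# Weighted body conditions, like "* w^0 regex" scoring lines in procmail.
# MULTILINE makes "^" match at the start of any body line, which is how
# procmail's "^" behaves when a condition searches the body.
BODY_SCORES = [
    # Legitimate mail never has your own mailer-daemon as its Return-Path.
    (100, r"^Return-Path:[ \t]*<?" + OWN_MAILER_DAEMON + r">?[ \t]*$"),
    # Asks the bouncing MTA to return the whole message, not just headers.
    (30,  r"^Content-Return:[ \t]*allowed"),
    # The bounced "original" claims a mailer you do not use.
    (50,  r"^X-Mailer:[ \t]*(?:" + FOREIGN_MAILERS + r")"),
    # The "software" pitch from the first nested recipe, split into two
    # small weights instead of two conditions that must both hold.
    (10,  r"\bsoftware\b"),
    (10,  r"\b(?:adobe|microsoft|popular)\b"),
]
BODY_SCORES = [(w, re.compile(rx, re.IGNORECASE | re.MULTILINE))
               for w, rx in BODY_SCORES]

THRESHOLD = 50  # file to IN.BOUNCESPEW at or above this total


def split_message(raw):
    """procmail does not parse MIME: the header is everything up to the
    first blank line, the body is everything after it."""
    head, _sep, body = raw.partition("\n\n")
    return head, body


def score_bounce(raw):
    """Cumulative score of a mailer message, or None when the message is
    not from a mailer at all (the outer ^FROM_MAILER gate in the post)."""
    head, body = split_message(raw)
    if not FROM_MAILER.search(head):
        return None
    return sum(w for w, rx in BODY_SCORES if rx.search(body))


def classify(raw):
    """Folder the message would be delivered to."""
    score = score_bounce(raw)
    if score is not None and score >= THRESHOLD:
        return "IN.BOUNCESPEW"
    return "INBOX"


# Constructed sample messages (not real traffic).
REFLECTED_SPAM = """\
Return-Path: <MAILER-DAEMON@relay.example.net>
From: Mail Delivery System <MAILER-DAEMON@relay.example.net>
To: <you@yourdomain.tld>
Subject: Undelivered Mail Returned to Sender

Your message could not be delivered. It is attached below.

Return-Path: <mailer-daemon@host.yourdomain.tld>
To: <nobody@relay.example.net>
Subject: Popular software at 90% off
Content-Return: allowed
X-Mailer: Microsoft Outlook Express 6.00.2900.2180

Get popular Adobe and Microsoft software today!
"""

LEGIT_BOUNCE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
To: <you@yourdomain.tld>
Subject: Undelivered Mail Returned to Sender

The recipient mailbox is full. The original message follows.

Return-Path: <you@yourdomain.tld>
To: <colleague@example.org>
Subject: Re: meeting notes
X-Mailer: Mutt 1.5.17

Attached are the notes from Friday's meeting.
"""

PERSONAL_MAIL = """\
From: Alice <alice@example.org>
To: <you@yourdomain.tld>
Subject: software recommendation

Have you tried the popular new Adobe software?
"""

if __name__ == "__main__":
    for name, raw in [("reflected spam", REFLECTED_SPAM),
                      ("legit bounce", LEGIT_BOUNCE),
                      ("personal mail", PERSONAL_MAIL)]:
        print(f"{name:15s} score={score_bounce(raw)!s:5s} -> {classify(raw)}")
```

The legitimate bounce scores 0 even though it is from a mailer daemon and contains a bounced original, because that original carries your own address as Return-Path and a mailer you do use; the personal mail is never scored at all, since the outer mailer gate fails. Tune the weights and threshold to what your own bounce stream looks like, and as the post warns, drop the X-Mailer check on a system-wide filter.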