procmail

Re: Dealing with current backscatter spam

2008-10-17 14:05:15
On Wed, 15 Oct 2008, Michelle Konzack wrote:
> 2200 legitimate messages against 38.000 spams.
> Today afternoon I have gotten again over 30.000 unique backscatter.

Maybe I can help. One characteristic of 'backscatter' is that because it
is generated by legitimate MTAs, a great many of them QUOTE at least the
headers of the bounced e-mail in the body. At this point you can do a
body test for a *very* specific pattern, based on the fact that most
spammers know your address but not your name.

While your legitimate bounces might appear like this in the body....
   From: Michelle Konzack <linux4michelle(_at_)tamay-dogan(_dot_)net>

Spammers have to substitute something else:
   From: Any Old name <linux4michelle(_at_)tamay-dogan(_dot_)net>

So it becomes possible to filter for "not your name but your address".

I generally filter for this at the MTA level, so that the bounce is
rejected, and the poorly designed MTA can handle its own problem.
In my postfix 'body_checks'.....

/^[^a-z]*From: ([^M]|M[^i]|Mi[^c])[^<]+<linux4michelle(_at_)tamay-dogan(_dot_)net>/ REJECT "Backscatter from forged sender"

In procmail try something like:
# Body (B) test: a quoted From: carrying your address, unless it also carries your name
:0 B
*^[^a-z]*From: [^<]+<linux4michelle(_at_)tamay-dogan(_dot_)net>
*!^[^a-z]*From: Michelle Konzack <linux4michelle(_at_)tamay-dogan(_dot_)net>
/dev/null

This will, of course, only work if the body has repeated your address
as the forged visible 'From:' header. If the spam is forging your address
as envelope sender, but using a different address in the visible
headers, then you need a more generic rule to block any 'From' that
does not contain your address, but which is a bounce. That, you can only
do in procmail.... with a more complicated test to first detect that a
message is a bounce, then search for a 'From:' line that does not contain
your address at all. 

- Charles
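The two tests Charles describes (a quoted From: line that carries the address but not the name, and the more generic "this is a bounce, but the quoted From: is not mine at all" check) as one small Python classifier. This is an added example, not code from the list or from either poster. It assumes the address is the one shown in the post with the archive's (_at_)/(_dot_) obfuscation undone, that the expected display name is the one written in the post, and that a bounce can be recognised from a null Return-Path, a multipart/report DSN, a MAILER-DAEMON/postmaster sender or an Auto-Submitted header; those bounce heuristics are my choice, not the post's. The sample messages are constructed, not real captures.

```python
"""Backscatter triage along the lines of the post: added example, not list code.
Scans the raw body text the way body_checks and procmail's B flag do."""
import email
import re

OUR_NAME = "Michelle Konzack"                  # assumed expected display name
OUR_ADDR = "linux4michelle@tamay-dogan.net"    # address from the post, de-obfuscated

# A quoted From: line at the start of a body line, optionally prefixed by quote
# marks or whitespace (the post's ^[^a-z]* idea); captures name and <address>.
FROM_LINE = re.compile(
    r"^[^a-z\n]*From:\s*(?P<name>[^<\n]*?)\s*<(?P<addr>[^>\n]+)>",
    re.IGNORECASE | re.MULTILINE,
)
BOUNCE_SENDER = re.compile(r"mailer-daemon|postmaster", re.IGNORECASE)


def looks_like_bounce(raw: str) -> bool:
    """Cheap DSN detection from the top-level headers only (assumed heuristics)."""
    msg = email.message_from_string(raw)
    if str(msg.get("Return-Path", "")).strip() == "<>":
        return True  # null envelope sender, as bounces are supposed to use
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    if BOUNCE_SENDER.search(str(msg.get("From", ""))):
        return True
    return str(msg.get("Auto-Submitted", "")).lower().startswith("auto-replied")


def classify(raw: str) -> str:
    """Return one of: legitimate, backscatter-forged-name, backscatter-not-ours,
    not-a-bounce, bounce-without-quoted-from."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)   # split headers from body
    body = parts[1] if len(parts) == 2 else ""
    quoted = FROM_LINE.findall(body)                    # [(name, addr), ...]
    for name, addr in quoted:
        if addr.strip().lower() == OUR_ADDR:
            # Rule 1 from the post: our address but not our name -> forged sender.
            if OUR_NAME.lower() in name.lower():
                return "legitimate"
            return "backscatter-forged-name"
    if not looks_like_bounce(raw):
        return "not-a-bounce"
    # Rule 2 from the post: a bounce whose quoted From: is not ours at all.
    if quoted:
        return "backscatter-not-ours"
    return "bounce-without-quoted-from"


def build_bounce(quoted_from: str) -> str:
    """Constructed sample DSN (not a real capture) quoting the original's From:."""
    return (
        "Return-Path: <>\n"
        "From: Mail Delivery System <MAILER-DAEMON@relay.example.net>\n"
        f"To: {OUR_ADDR}\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\n"
        "The mail system could not deliver your message.\n"
        "\n--b1\nContent-Type: message/rfc822\n\n"
        f"From: {quoted_from}\nTo: nobody@example.org\nSubject: hello\n\n(original)\n"
        "--b1--\n"
    )


# Constructed ordinary reply that quotes someone else's From: line in the body.
ORDINARY_MAIL = (
    "Return-Path: <carol@example.org>\n"
    "From: Carol <carol@example.org>\n"
    f"To: {OUR_ADDR}\n"
    "Subject: Re: meeting\n\n"
    "> From: Dave <dave@example.org>\n> see you at 10\n"
)

if __name__ == "__main__":
    for label, raw in [
        ("real bounce of our mail", build_bounce(f"{OUR_NAME} <{OUR_ADDR}>")),
        ("forged display name", build_bounce(f"Any Old Name <{OUR_ADDR}>")),
        ("forged envelope only", build_bounce("Bob Smith <bob@example.org>")),
        ("ordinary reply", ORDINARY_MAIL),
    ]:
        print(f"{label:24s} -> {classify(raw)}")
```

Like body_checks and the procmail B test, this looks at the raw body, so a bounce that base64- or quoted-printable-encodes the returned message, or a From: line with an RFC 2047 encoded display name, slips past rule 1 and may land in rule 2; and any genuine bounce of mail your own client sent with a different display name is discarded, so file into a folder and check before pointing the action at /dev/null.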


____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail