At 14:04 2008-10-17 -0400, Charles Gregory wrote:
On Wed, 15 Oct 2008, Michelle Konzack wrote:
> 2200 legitimate messages against 38,000 spams.
> Today afternoon I have gotten again over 30,000 unique backscatter.
Maybe I can help. One characteristic of 'backscatter' is that because it
is generated by legitimate MTAs a great many of them QUOTE at least the
headers of the bounced e-mail in the body.
I'll go a step farther here: Some spams that INTEND to propagate via the
bounce use "Content-Return: allowed". I've yet to see that header on
legitimate email.
The X-Mailer header identifying mailers you don't use is another good
mechanism to use - if you don't use AOL or MS Outbreak, why should bounces
claiming to be from you claim you sent a message with these clients?
:0
* ^FROM_MAILER
{
  # Since when would a mailer-daemon SPECIFY a return path for a message
  # which itself is a bounce? That's just asking for a loop.
  # (NL is assumed to hold a newline, set earlier in the rc file.)
  :0B
  * ^Return-Path:[ ]*mailer-daemon@(host|anotherhost)\.domain\.tld
  {
    SPAMVAL="+150"
    SPAMMISHNESS="${SPAMMISHNESS}${SPAMVAL}"
    SPAMNOTES="${SPAMNOTES}SPAM: ${SPAMVAL} MAILER BOUNCE: return-path${NL}"
  }

  # This header is appearing increasingly on reflected spam - the
  # intent is to request that the entire message be bounced, rather
  # than truncated to just the headers, ensuring that the spam content
  # is delivered to the bounce recipient.
  :0B
  * ^Content-Return:[ ]*allowed
  {
    SPAMVAL="+200"
    SPAMMISHNESS="${SPAMMISHNESS}${SPAMVAL}"
    SPAMNOTES="${SPAMNOTES}SPAM: ${SPAMVAL} MAILER BOUNCE: content-return${NL}"
  }

  # If a legitimate bounce is supposed to be for a message YOU sent,
  # check to see that it doesn't specify an X-Mailer that you know YOU
  # don't use. This works for personal mail, but isn't effective for
  # a systemwide filter, since many users may use different mailers.
  :0
  * B ?? ^X-Mailer:[ ]*(CME-V|Microsoft Outlook|AdSend|The Bat!|AOL|Internet Mail|Juno|Novell|PMMail|Winbiff)
  {
    SPAMVAL="+200"
    SPAMMISHNESS="${SPAMMISHNESS}${SPAMVAL}"
    SPAMNOTES="${SPAMNOTES}SPAM: ${SPAMVAL} MAILER BOUNCE: x-mailer${NL}"
  }
}
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
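The same three body-side heuristics from the recipe above, reimplemented as a small Python scorer for testing against saved messages outside procmail (this is an added example, not code from the post or from procmail). It assumes a simplified FROM_MAILER stand-in, the recipe's placeholder hostnames and X-Mailer list, and constructed sample bounces.

```python
import re

# Score weights lifted from the procmail recipe in the post.
WEIGHTS = {"return-path": 150, "content-return": 200, "x-mailer": 200}
# Mailers "you" never send with; the list is the recipe's, tune it to your own setup.
FOREIGN_MAILERS = r"CME-V|Microsoft Outlook|AdSend|The Bat!|AOL|Internet Mail|Juno|Novell|PMMail|Winbiff"
# Placeholder hostnames, as in the recipe; replace with your real MTA names.
BOUNCE_HOSTS = r"(host|anotherhost)\.domain\.tld"

# Rough stand-in for procmail's FROM_MAILER macro (an assumption; the real macro is broader).
FROM_MAILER = re.compile(r"^(Return-Path|From|Sender):.*\b(mailer-daemon|postmaster|mailer)\b", re.I | re.M)

# Body-side checks; '^' matches at line starts, like procmail's multiline '^'.
CHECKS = {
    "return-path": re.compile(r"^Return-Path:[ \t]*mailer-daemon@" + BOUNCE_HOSTS, re.I | re.M),
    "content-return": re.compile(r"^Content-Return:[ \t]*allowed", re.I | re.M),
    "x-mailer": re.compile(r"^X-Mailer:[ \t]*(" + FOREIGN_MAILERS + ")", re.I | re.M),
}

def score_bounce(raw: bytes) -> tuple[int, list[str]]:
    """Return (spammishness, notes) for one raw message, mirroring the recipe's scoring."""
    head, _, body = raw.partition(b"\n\n")   # procmail's H (header) and B (body) regions
    if not FROM_MAILER.search(head.decode("latin-1")):
        return 0, []                         # not a bounce at all: the recipe does not apply
    text = body.decode("latin-1")            # quoted headers of the bounced mail live in the body
    total, notes = 0, []
    for name, pattern in CHECKS.items():
        if pattern.search(text):
            total += WEIGHTS[name]
            notes.append(f"SPAM: +{WEIGHTS[name]} MAILER BOUNCE: {name}")
    return total, notes

# Constructed backscatter: a real-looking DSN whose quoted headers carry all three tells.
BACKSCATTER = (b"Return-Path: <>\nFrom: MAILER-DAEMON@relay.example.net (Mail Delivery System)\n"
               b"To: victim@domain.tld\nSubject: Undelivered Mail Returned to Sender\n\n"
               b"Your message could not be delivered.\n\n"
               b"Return-Path: mailer-daemon@host.domain.tld\nFrom: victim@domain.tld\n"
               b"X-Mailer: Microsoft Outlook Express 6.00.2900.2180\nContent-Return: allowed\n"
               b"Subject: Buy now\n\n(spam payload)\n")
# Constructed legitimate bounce of mail sent with a client "you" actually use.
REAL_BOUNCE = (b"Return-Path: <>\nFrom: MAILER-DAEMON@mx.example.org\n"
               b"Subject: Undelivered Mail Returned to Sender\n\n"
               b"Return-Path: <you@domain.tld>\nFrom: you@domain.tld\nX-Mailer: Mutt/1.5.18\n"
               b"Subject: Meeting notes\n")

if __name__ == "__main__":
    for sample in (BACKSCATTER, REAL_BOUNCE):
        print(score_bounce(sample))
```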
procmail mailing list Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail