[CLUE-Tech] Netscape email filters/rules for SPAM
Charlie Oriez
coriez at oriez.org
Sat Dec 15 13:44:21 MST 2001
On Saturday 15 December 2001 11:49, Jed S. Baer gave up the right to
remain silent by saying:
> On Sat, 15 Dec 2001 11:40:04 -0700
>
> Mike Staver <staver at fimble.com> wrote:
> > I'm also having major problems with spam, I get more now than I
> > ever have before in my life, and it is driving me nuts. Since I
> > run my own mail server, I don't exactly know what I'm doing with
> > blocking the spam.
>
> Also, IIRC both Linux Journal/Magazine have had recent articles on
> using procmail or Perl to set up mail filters. Maybe qmail as well.
My ISP is using some of the blacklists, and local filters, with good
success. However, procmail seems to be the ultimate answer, and I
have been using it very effectively. Checking my most recent reject
logs on the server, for instance, I find as examples:
  From bCentral_032718 at bcentral.customer-email.com Tue Dec 11 14:30:37 2001
   Subject: Newsletter 3 -- Successful online marketing
    Folder: /dev/null 12738
  From b.18707.0 at mx2.documagix.com Thu Dec 13 08:46:08 2001
   Subject: thank you for your feedback
    Folder: /dev/null 2170
  From special at jobseekernews.com Sat Dec 15 09:36:42 2001
   Subject: Your Personal Salary Report from Salary.com
    Folder: /dev/null 3080
  From special at jobseekernews.com Sat Dec 15 09:36:42 2001
   Subject: Your Personal Salary Report from Salary.com
    Folder: /dev/null 3048
All are known spammer scum (bCentral is Microsoft, so it's even
sweeter). All got past my ISP's filters. None got past mine. (and
my ISP has good filters)
I'm working on an enhancement to my filters. I'll be happy to
produce my complete procmailrc file and doc on how to use it when I
have the bugs out of the enhancement (I'm setting it up to query the
blacklist databases myself when my ISP chooses not to use a
particular one). But in general, and assuming your ISP supports
procmail:
configure your .forward as follows:

    "|IFS=' '&&exec /usr/local/bin/procmail -f-||exit 75 #coriez"

change coriez to your UID
include the open and closing "
if procmail isn't stashed in /usr/local/bin change that appropriately
then your .procmailrc file (in the same directory as your .forward)
might look something like this (this is a limited sample of mine):
# yes for debug, no for normal
VERBOSE=no
# comment out when not debugging
#LOGABSTRACT=all
# change and delete every couple of weeks to keep small
LOGFILE=log121101

# delete on mandatory ADV in subject (D flag = case-sensitive match)
:0D
* ^Subject:.*ADV
{
    # record which rule fired
    :0
    { RULE="ADV" }

    # no lockfile needed when discarding to /dev/null
    :0
    /dev/null
}

# spamhaus that dev nulls complaints
:0
* ^Received.*195\.20\.224\.
{
    :0
    { RULE="kundenserver" }

    :0
    /dev/null
}

# Agora Inc blocked for legal threats to anti-spammers
:0
* ^Received:.*agora-inc
{
    :0
    { RULE="agora" }

    :0
    /dev/null
}

# rmiug spammer
:0
* ^Received:.*64\.172\.130\.170
{
    :0
    { RULE="rmiug spammer" }

    :0
    /dev/null
}

# anything that survives the filters goes to my mailbox
# (trailing colon = use a local lockfile for the mailbox)
:0:
${DEFAULT}
= = = =
One interesting thing - when I first tried this, I was still on
Windows 98. Seems notepad and the other M$FT editors stick some
hidden ^M characters at the end of lines, which screwed up my code.
So if you try this at home, you HAVE to use linux.
Note that I block on Received more often than From, since From is
easy to forge and spammers morph to evade filters - see for example
bCentral.
In my version, I don't send bounce messages back, since reply-to
addresses are usually forged, and even if they aren't I really don't
care whether a given spammer knows whether my buddy Dave Null is
reading their mail instead of me. However, there is a command line in
procmail for triggering sendmail with a bounce message. If you
choose that route, the generally accepted sendmail return code for
spam bounces is 571, and the generally accepted message to go with it
is "message deleted unread - go fsck yourself spammer".
Softpro carries the O'Reilly book called "Stopping Spam"
(appropriately with a pig on the cover), and "Removing the Spam", by
Geoff Mulligan. Mulligan is local to Colorado and spoke at RMIUG.
He might be willing to speak at CLUE. Mulligan devotes a whole
chapter to procmail. I have been told, but have not verified, that a
couple of his procmail recipes may have typos in them, so use care in
cutting/pasting.
One final word - SPAM is a Hormel trademark for the food which saved
Europe from the Nazis (or so Winston Churchill claimed), while spam
is UCE, which is what we fight. If you ever make reference to SPAM
on an anti-UCE page, you'll get a relatively cordial letter from the
Hormel attorneys asking you to make the correction to lower case.
--
Charles Oriez, coriez at oriez.org
39 34' 34.4"N / 105 00' 06.3"W
**
Lazlo's Chinese Relativity Axiom:
No matter how great your triumphs or how tragic your defeats,
approximately one billion Chinese couldn't care less.
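
Added example (not part of the original message, and not the poster's code): a shell dry run of the four recipe conditions quoted in the message against constructed mail, to see what a recipe would discard before it is pointed at /dev/null. It goes slightly beyond the post by showing header unfolding, header-only scope and what else the ADV pattern matches. Assumptions: grep -E approximates procmail's matcher, and the sample messages and example.* hostnames are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not the poster's code; grep -E approximates procmail's matcher.

# Print the header of the message on stdin with folded lines rejoined.
unfold_header() {
    awk '
        /^$/     { exit }                     # header ends at first blank line
        /^[ \t]/ { sub(/^[ \t]+/, " "); buf = buf $0; next }
                 { if (buf != "") print buf; buf = $0 }
        END      { if (buf != "") print buf }
    '
}

# Print the RULE name of the first recipe whose condition matches.
which_rule() {
    hdr=$(unfold_header)
    m() { printf '%s\n' "$hdr" | grep -Eq "$@"; }
    # ":0D" makes only the ADV test case-sensitive; the others ignore case.
    if   m    '^Subject:.*ADV';                then echo ADV
    elif m -i '^Received.*195\.20\.224\.';     then echo kundenserver
    elif m -i '^Received:.*agora-inc';         then echo agora
    elif m -i '^Received:.*64\.172\.130\.170'; then echo 'rmiug spammer'
    else echo deliver
    fi
}

sample() {  # constructed messages; example.* names are placeholders
    case $1 in
    forged)   # forged From; blocked /24 only on a folded Received line
        printf '%s\n' 'From: billing@example.com' \
            'Received: from relay.example.net (unknown' \
            '    [195.20.224.7]) by mx.example.org; Sat, 15 Dec 2001' \
            'Subject: invoice' '' 'body' ;;
    bodyonly) # blocked strings in the body only; recipes test the header
        printf '%s\n' 'From: friend@example.org' \
            'Received: from mx.example.org by localhost' \
            'Subject: fwd' '' 'via agora-inc, 64.172.130.170' ;;
    advisory) # wanted mail that "ADV" also matches and would discard
        printf '%s\n' 'From: security@example.org' \
            'Subject: ADVISORY: kernel update' '' 'body' ;;
    advice)   # mixed-case "Adv" is spared by the D flag
        printf '%s\n' 'From: friend@example.org' \
            'Subject: Advice wanted' '' 'body' ;;
    esac
}

for s in forged bodyonly advisory advice; do
    printf '%-9s -> %s\n' "$s" "$(sample "$s" | which_rule)"
done
```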