[CLUE-Tech] Netscape email filters/rules for SPAM

Charlie Oriez coriez at oriez.org
Sat Dec 15 13:44:21 MST 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 15 December 2001 11:49, Jed S. Baer gave up the right to 
remain silent by saying:
> On Sat, 15 Dec 2001 11:40:04 -0700
>
> Mike Staver <staver at fimble.com> wrote:
> > I'm also having major problems with spam, I get more now than I
> > ever have before in my life, and it is driving me nuts.  Since I
> > run my own mail server, I don't exactly know what I'm doing with
> > blocking the spam.
>
> Also, IIRC both Linux Journal/Magazine have had recent articles on
> using procmail or Perl to set up mail filters. Maybe qmail as well.

My ISP is using some of the blacklists, and local filters, with good 
success.  However, procmail seems to be the ultimate answer, and I 
have been using it very effectively.  Checking my most recent reject 
logs on the server, for instance, I find as examples:

From bCentral_032718 at bcentral.customer-email.com  Tue Dec 11 14:30:37 2001
 Subject: Newsletter 3 -- Successful online marketing
  Folder: /dev/null							  12738

From b.18707.0 at mx2.documagix.com  Thu Dec 13 08:46:08 2001
 Subject: thank you for your feedback
  Folder: /dev/null							   2170

From special at jobseekernews.com  Sat Dec 15 09:36:42 2001
 Subject: Your Personal Salary Report from Salary.com
  Folder: /dev/null							   3080

From special at jobseekernews.com  Sat Dec 15 09:36:42 2001
 Subject: Your Personal Salary Report from Salary.com
  Folder: /dev/null							   3048

All are known spammer scum (bCentral is Microsoft, so it's even 
sweeter).  All got past my ISP's filters.  None got past mine.  (and 
my ISP has good filters)

I'm working on an enhancement to my filters.  I'll be happy to 
produce my complete procmailrc file and doc on how to use it when I 
have the bugs out of the enhancement (I'm setting it up to query the 
blacklist databases myself when my ISP chooses not to use a 
particular one).  But in general, and assuming your ISP supports 
procmail:

configure your .forward as follows:

"|IFS=' '&&exec /usr/local/bin/procmail -f-||exit 75 #coriez"

change coriez to your UID
include the open and closing "
if procmail isn't stashed in /usr/local/bin change that appropriately

then your .procmailrc file (in the same directory as your .forward) 
might look something like this (this is a limited sample of mine):

# yes for debug, no for normal
VERBOSE=no

# comment out when not debugging
#LOGABSTRACT=all

# change and delete every couple of weeks to keep small
# (a relative path is taken from MAILDIR, which defaults to $HOME)
LOGFILE=log121101

# RULE just notes which recipe fired; LOG=$RULE would write it to LOGFILE.
# A recipe delivering to /dev/null takes a plain ":0", not ":0:" --
# the second colon asks for a lockfile, and /dev/null.lock can't be made.

# delete on mandatory ADV in subject
# (the D flag makes the match case-sensitive, so only upper-case ADV counts)
:0D
* ^Subject:.*ADV
{
  RULE="ADV"
  :0
  /dev/null
}

# spamhaus that dev nulls complaints
:0
* ^Received:.*195\.20\.224\.
{
  RULE="kundenserver"
  :0
  /dev/null
}

# Agora Inc blocked for legal threats to anti-spammers
:0
* ^Received:.*agora-inc
{
  RULE="agora"
  :0
  /dev/null
}

# rmiug spammer
:0
* ^Received:.*64\.172\.130\.170
{
  RULE="rmiug spammer"
  :0
  /dev/null
}

# anything that survives the filters goes to my mailbox
# (here the second colon is right: a real mailbox needs the lockfile)
:0:
${DEFAULT}

= = = =

One interesting thing - when I first tried this, I was still on 
Windows 98.  Seems Notepad and the other M$FT editors stick some 
hidden ^M characters at the end of lines, which screwed up my code.  
So if you try this at home, you HAVE to use Linux. 

Note that I block on Received more often than From, since From is 
easy to forge and spammers morph to evade filters - see for example 
bCentral.

In my version, I don't send bounce messages back, since reply-to 
addresses are usually forged, and even if it isn't I really don't 
care whether a given spammer knows whether my buddy Dave Null is 
reading their mail instead of me. However, there is a command line in 
procmail for triggering sendmail with a bounce message.  If you 
choose that route, the generally accepted sendmail return code for 
spam bounces is 571, and the generally accepted message to go with it 
is "message deleted unread - go fsck yourself spammer".

Softpro carries the O'Reilly book called "Stopping Spam" 
(appropriately with a pig on the cover), and "Removing the Spam", by 
Geoff Mulligan.  Mulligan is local to Colorado and spoke at RMIUG.  
He might be willing to speak at CLUE.  Mulligan devotes a whole 
chapter to procmail.  I have been told, but have not verified, that a 
couple of his procmail recipes may have typos in them, so use care in 
cutting/pasting.  

One final word - SPAM is a Hormel trademark for the food which saved 
Europe from the Nazis (or so Winston Churchill claimed), while spam 
is UCE, which is what we fight.  If you ever make reference to SPAM 
on an anti-UCE page, you'll get a relatively cordial letter from the 
Hormel attorneys asking you to make the correction to lower case.

- --
Charles Oriez, coriez at oriez.org
39  34' 34.4"N / 105 00' 06.3"W
**
Lazlo's Chinese Relativity Axiom:
No matter how great your triumphs or how tragic your defeats,
approximately one billion Chinese couldn't care less.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBPBu2Ln+bkeP849+WEQJdpACcDKbCdOfxS09vRenmq8WXpS4PrRYAn1yb
niBZgfypu8P7VH/SUVMFizn2
=SxNN
-----END PGP SIGNATURE-----
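The matching logic of the four procmail recipes in the post above, plus a parser for the reject-log entries quoted at its top, re-implemented in Python as an added example so the rules can be exercised against sample messages without a mail server. This is not code from the post or from procmail; the sample messages, log lines, host names and addresses are constructed, and the trusted_hops parameter is this example's own addition (the recipes check every Received line), included because the post's point about blocking on Received rather than From depends on which Received lines you trust.

```python
"""Added example: procmail recipe matching and LOGABSTRACT parsing in
Python.  Not code from the original post; all sample data is constructed."""
import re
from email import message_from_string

# Mirrors the four recipes in the post: (rule name, header, regex, flags).
# procmail's egrep match is case-insensitive unless the recipe carries the
# D flag, as the ADV recipe does; the other three therefore take IGNORECASE.
RULES = [
    ("ADV", "Subject", r"ADV", 0),
    ("kundenserver", "Received", r"195\.20\.224\.", re.IGNORECASE),
    ("agora", "Received", r"agora-inc", re.IGNORECASE),
    ("rmiug spammer", "Received", r"64\.172\.130\.170", re.IGNORECASE),
]


def classify(raw_message, trusted_hops=None):
    """Return the name of the first rule that fires, or None.

    trusted_hops is an assumption of this example, not part of the recipes:
    it limits the Received check to the first N Received headers, i.e. the
    hops stamped on by your own MTA and your ISP's.  A sender can forge the
    Received lines below those but cannot remove the ones added after the
    message left their hands.  None checks every Received line, as the
    recipes do.
    """
    msg = message_from_string(raw_message)
    for rule, header, pattern, flags in RULES:
        values = msg.get_all(header, [])
        if header == "Received" and trusted_hops is not None:
            values = values[:trusted_hops]
        if any(re.search(pattern, v, flags) for v in values):
            return rule
    return None


# procmail's LOGABSTRACT writes three lines per delivery:
#   From <sender>  <date>
#    Subject: <subject>
#     Folder: <path>      <size in bytes>
LOG_FROM = re.compile(r"^From (\S+)\s+(.*)$")
LOG_SUBJECT = re.compile(r"^ Subject: (.*)$")
LOG_FOLDER = re.compile(r"^  Folder: (\S+)\s+(\d+)\s*$")


def parse_log(text):
    """Parse LOGABSTRACT entries into dicts: sender, date, subject, folder, size."""
    entries, cur = [], None
    for line in text.splitlines():
        m = LOG_FROM.match(line)
        if m:
            cur = {"sender": m.group(1), "date": m.group(2), "subject": ""}
            continue
        if cur is None:
            continue
        m = LOG_SUBJECT.match(line)
        if m:
            cur["subject"] = m.group(1)
            continue
        m = LOG_FOLDER.match(line)
        if m:
            cur["folder"], cur["size"] = m.group(1), int(m.group(2))
            entries.append(cur)
            cur = None
    return entries


def folder_summary(entries):
    """(message count, total bytes) per folder, e.g. what /dev/null swallowed."""
    summary = {}
    for e in entries:
        n, b = summary.get(e["folder"], (0, 0))
        summary[e["folder"]] = (n + 1, b + e["size"])
    return summary


# Constructed samples.  The first Received line is the one stamped by the
# receiving MX (mx.example.net), so it is the trustworthy one; everything
# below it arrived inside the message and could have been written by the sender.
SPAM = """\
Received: from nowhere (unknown [64.172.130.170])
\tby mx.example.net with SMTP; Sat, 15 Dec 2001 09:36:42 -0700
Received: from localhost by mail.example.org; Sat, 15 Dec 2001 09:36:00 -0700
From: special@jobseekernews.com
Subject: Your Personal Salary Report

(body)
"""

# Legitimate mail that passed through a blocked netblock two hops back:
# the recipes bin it; a trusted_hops=1 check does not.
HAM_OLD_HOP = """\
Received: from relay.example.org ([192.0.2.10])
\tby mx.example.net with ESMTP; Thu, 13 Dec 2001 09:00:00 -0700
Received: from list.example.com ([195.20.224.77])
\tby relay.example.org; Thu, 13 Dec 2001 08:59:50 -0700
From: friend@example.org
Subject: lunch?

(body)
"""

ADV_UPPER = "From: x@example.com\nSubject: ADV: cheap toner\n\n(body)\n"
ADV_LOWER = "From: x@example.com\nSubject: adv: cheap toner\n\n(body)\n"

SAMPLE_LOG = """\
From bCentral_032718@bcentral.customer-email.com  Tue Dec 11 14:30:37 2001
 Subject: Newsletter 3 -- Successful online marketing
  Folder: /dev/null                                12738
From friend@example.org  Thu Dec 13 09:00:00 2001
 Subject: lunch?
  Folder: /var/spool/mail/coriez                    1411
"""
```

Running classify on the samples shows the two behaviours worth knowing before copying the recipes: the D flag means "adv:" in lower case slips past the ADV rule, and checking every Received line will also discard legitimate mail that merely transited a blocked netblock some hops back, which is why trusted_hops is set to the number of MTAs you actually control in this example.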
