From: mpkelly@primenet.com
Newsgroups: alt.hackers
Subject: SPAM Filtering
Date: 2 Jan 1998 10:36:00 -0700
Organization: Coffee-holics Anonymous
Lines: 26
Approved: Juan Valdez
Message-ID: <68j8i0$e91@nntp02.primenet.com>
X-Posted-By: mpkelly@206.165.52.199 (mpkelly)

My apologies for the lateness of the post on this subject, but...

ObHack:

I have discovered that 99.9% of all spam e-mail arrives with the To: portion
of the header set to something other than MY e-mail address. It is usually
something bogus.

Armed with this knowledge, I now use procmail to filter it all out!! If you
have an ISP account with a UN*X shell, this will work for you as well.

My .forward:

|procmail

My .procmailrc:

:0
* !^To:.*mpkelly
/dev/null

This fast-forwards all SPAMS with this wonderful """feature""" to /dev/null,
WHERE THEY BELONG. I put this into place about 5 months ago, and have yet
to get a spam of this nature (I used to get 5-10 per DAY).

Matt K.

######

From: skquinn@brokersys.com (Shawn K. Quinn - NO SOLICITING)
Newsgroups: alt.hackers
Subject: Re: SPAM Filtering
Date: 2 Jan 1998 19:50:00 GMT
Organization: Customer of Information Broker Systems (post does not necessarily reflect views of IBS)
Lines: 48
Approved: hell.no@satan.com
Message-ID: <68jgd8$djr$1@news.hal-pc.org>
References: <68j8i0$e91@nntp02.primenet.com>
Reply-To: skquinn@brokersys.com
NNTP-Posting-Host: ernie-39.brokersys.com
X-Newsreader: slrn (0.9.4.3 UNIX)

In message <68j8i0$e91@nntp02.primenet.com>, mpkelly@primenet.com wrote:
|My apologies for the lateness of the post on this subject, but...
|
|ObHack:
|
|I have discovered that 99.9% of all spam e-mail arrives with the To: portion
|of the header set to something other than MY e-mail address. It is usually
|something bogus.

It could be your address or the addresses of any mailing lists you
subscribe to (including ones that your ISP may subscribe you to for
announcements).

|Armed with this knowledge, I now use procmail to filter it all out!! If you
|have an ISP account with a UN*X shell, this will work for you as well.

[snipped]

|This fast-forwards all SPAMS with this wonderful """feature""" to /dev/null,
|WHERE THEY BELONG. I put this into place about 5 months ago, and have yet
|to get a spam of this nature (I used to get 5-10 per DAY).

Just don't forget to update this with any mailing lists you subscribe to.

Oh, and before I forget:

ObSpamReductionIdeaHack:

In a couple weeks I'll be working on a system to help deflect spam out of
my e-mail box by using time-limited e-mail addresses for posting to Usenet
and for e-mail from my web pages.
The addresses will look something like where the stuff after the + will be
a four-character (or maybe only three-character) code that procmail looks
for. The problems I foresee are making sure that every instance of my
e-mail address which can be easily grabbed gets changed. If I include
mailing lists in this, this could potentially cause problems with the
mailing lists I'm on, as I could theoretically need to unsubscribe and
resubscribe with a new coded address every week (and this has the
potential to break some statistics gathering programs). I do *not* want
to just post from a faked address like a bunch of other people are; my
goal is to inconvenience spammers and only spammers as much as possible.

-- 
Shawn K. Quinn - skquinn@brokersys.com - visit my home page at
http://www.brokersys.com/~skquinn/ and visit a bunch of bogus e-mail
addresses at http://www.brokersys.com/~skquinn/spamsucks.html (latter to
foil robots)

######

From: nickkral@cal.alumni.berkeley.edu (Nick Kralevich)
Newsgroups: alt.hackers
Subject: Re: SPAM Filtering
Date: 3 Jan 1998 16:30:07 -0800
Organization: A poorly-installed InterNetNews site
Lines: 47
Approved: Nick Kralevich
Message-ID: <68ml6f$ok9$1@cal.alumni.berkeley.edu>
References: <68j8i0$e91@nntp02.primenet.com>
NNTP-Posting-Host: cal.alumni.berkeley.edu

I use the following procmail filter. In the last 30 days, it's caught 676
spam messages destined for our customers. The program
/usr/local/bin/report_spam is used to parse the spam message. Any spam
message has "X-AntiSpam: antispam@autobahn.org" added to the message to
prevent looping. This filter, in addition to blocking invalid domain names
in sendmail (see http://spam.abuse.net/ for more info) has resulted in a
*significant* drop in spam related activity.
----- Begin -----

DROPPRIVS=yes

:0
* !^X-AntiSpam: antispam@autobahn.org
{
  :0
  * ^TOfriend@public.com
  | /usr/local/bin/report_spam

  :0
  * ^X-Advertisement:
  | /usr/local/bin/report_spam

  :0
  * ^Message-ID: <>
  | /usr/local/bin/report_spam

  :0
  * ^X-Mailer: Emailer Platinum
  | /usr/local/bin/report_spam

  :0
  * ^Comments: Authenticated sender is
  * !^X-mailer: Pegasus Mail
  * !^From: Just4laughs@USA.Net
  * !^Resent-from:
  | /usr/local/bin/report_spam

  :0
  * ^From:.*[< ][0-9]*@aol.com
  | /usr/local/bin/report_spam
}

######

From: Eli the Bearded <*@qz.to>
Newsgroups: alt.hackers,alt.fan.e-t-b
Subject: Re: SPAM Filtering
Date: 4 Jan 1998 03:50:28 GMT
Organization: Some absurd concept
Lines: 176
Approved: Eli the Bearded <####@qz.to>
Message-ID:
References: <68j8i0$e91@nntp02.primenet.com> <68juue$fta@server-b.cs.interbusiness.it>
X-Files: Used for sharpening claws and teeth on your hawk and hacksaw
X-From-Notes: yes, it is a valid address. Nyah.
X-US-Congress: Moronic Fucks.
X-Attribution: EtB
X-Newsreader: Sony Playstation 5.0MIPS
X-Usenet-II: Because it is time for October.

markoer wrote:
> mpkelly@primenet.com wrote...
> >:0
> >* !^To:.*mpkelly
> >/dev/null

This works fine. Might want to allow Cc'ed mail as well though:

:0
* ! ^(To|Cc):.*mpkelly
/dev/null

> I think the real one is:
>
> :0
> * ^To:.*mpkelly      <--- WITHOUT the '!'
> ! /dev/null          <--- the '!' is optional here, maybe you got confused
>                           by this syntax

You should just shut up until you learn procmail. That will forward all
mail directly addressed to mpkelly to the email address "/dev/null" which
may or may not cause it to get deleted or bounced. Not pretty.

> However, this is a very good technique. You can use it
> to select your mails and split them in different folders too.
Yes, that is what procmail was originally intended for.

> For more accurate options, you have to provide the location
> for a shell (of course) and the formmail.

What are you talking about? On its own procmail can do some very powerful
filtering (although the syntax is very obscure). Here is something I use,
for instance:

# Shove aside if more than 3/4ths of the letters are CAPITALS
:0BD:
* -3^1 [A-Za-z]
* 4^1 [A-Z]
$HOME/notes/junk-mail

And besides your inaccurate "correction" your post ticked me off because
it didn't have an ObHack. Here's mine:

An elaborate (and still evolving) procmail scoring recipe so that I do
not have to see fake bounces from people with rude mail filters.

# This header combination is typical of 'formail -r' replies
:0
* ^References:\/.*
* $ ^In-Reply-To:$\MATCH
{ BounceFilter=yes }

# Spamgard is a perl script that advertises itself in the headers.
:0
* spamgard
{ BounceFilter=yes }

# If either of those cases have been detected, run the scoring script.
:0
* BounceFilter ?? yes
{
  :0B
  * 1^1 ()\/Your +(e?mail|message|letter)( +[a-z,-]+( +[a-z,-]+)?)? +(is|came) +\
    from +a +\.*
  {
    # [the inner recipe here was mangled in the posted copy; restored from
    #  the pattern the recipes below use]
    :0B
    * $ $=^0
    * $ -2^1 ^>.*$\MATCH
    { }
  }

  :0B
  * $ $=^0
  * 1^1 ()\/(free( +(e?mail|pop3?|drop.?box))? +accounts?.*(spam|U[CB]E)|\
    (spam|U[CB]E).*free( +(e?mail|pop3?|drop.?box))? +accounts?)
  {
    :0B
    * $ $=^0
    * $ -2^1 ^>.*$\MATCH
    { }
  }

  :0B
  * $ $=^0
  * 1^1 ()\/(probabl[ely]+|(look +)?like?(ly)?) +(spam|U[CB]E)
  {
    :0B
    * $ $=^0
    * $ -2^1 ^>.*$\MATCH
    { }
  }

  :0B
  * $ $=^0
  * 1^1 ()\/you +are +a +(bulk|mass) +(e?mail|spam|adverti[sz])er
  {
    :0B
    * $ $=^0
    * $ -2^1 ^>.*$\MATCH
    { }
  }

  :0B
  * $ $=^0
  * 1^1 ()\/sites? +((which +)?(is|are)|(I +)?have) +blocked
  {
    :0B
    * $ $=^0
    * $ -2^1 ^>.*$\MATCH
    { }
  }

  :0B
  * $ $=^0
  * 3^1 ()\/you +(can|may|should) +re(send|mail) +your +(e?mail|letter|message)
  {
    :0B
    * $ $=^0
    * $ -3^1 ^>.*$\MATCH
    { }
  }

  :0B
  * $ $=^0
  * 2^1 ()\/(passw(or)?d.*subject\>+(line|header)|\
    subject\>+(line|header).*passw(or)?d)
  {
    :0B
    * $ $=^0
    * $ -3^1 ^>.*$\MATCH
    { }
  }

  :0B
  * $ $=^0
  * 2^1 ()\/(passw(or)?d.*(get +(past|through)|bypass).*filter|\
    passw(or)?d.*filter.*(get +(past|through)|bypass)|\
    (get +(past|through)|bypass).*filter.*passw(or)?d|\
    (get +(past|through)|bypass).*passw(or)?d.*filter|\
    filter.*passw(or)?d.*(get +(past|through)|bypass)|\
    filter.*(get +(past|through)|bypass).*passw(or)?d)
  {
    :0B
    * $ $=^0
    * $ -3^1 ^>.*$\MATCH
    { }
  }

  :0
  * $ $=^0
  * 2^1 ^X-Return.*spamgard
  * 1^1 ^Subject: spamgard.*in\<*effect.*try\<*again
  { }

  PassWordBounceScore = $=

  :0fhw
  | formail -A"PassWordBounceScore: $PassWordBounceScore"

  :0:
  * -4^0
  * $ $PassWordBounceScore^0
  $NOTES/junk-mail
}

Elijah
------
procmail hacker

######

From: David Scheidt
Newsgroups: alt.hackers
Subject: Re: SPAM Filtering
Date: 6 Jan 1998 19:14:34 GMT
Organization: infocom, inc.
Lines: 32
Approved: No one approves of me.
Message-ID: <68tvqq$mu4$1@beezer.infocom.com>
References: <68j8i0$e91@nntp02.primenet.com> <68juue$fta@server-b.cs.interbusiness.it>
NNTP-Posting-Host: tye.infocom.com
X-Newsreader: TIN [UNIX 1.3 unoff BETA 970424; i386 FreeBSD 2.2.5-RELEASE]

Justin Dolske wrote:
: BTW, does procmail have a simple way to log which rule(s) were triggered
: by an email? I've got a fair number of anti-spam filters, and it would be
: interesting to see which are triggered the most often...

Without thinking about it, or looking at man pages, procmail keeps a
logfile.
The format is three lines like this:

From David_Scheidt  Tue Jan  6 14:02:37 1998
 Subject: .
  Folder: me                                                          434

If the message has no subject, the subject line is blank. You can set each
of your spam filters to point to a different folder (or link to
/dev/null...), and count them up. There may be more elegant solutions.

hmm, I need an OBHack:

I drive a sorely under-heated Land-Rover. I had acquired a heater of the
sort used in the back of big passenger vans, but couldn't figure out how
to get anti-freeze to it without drilling nasty holes. Some poking around
revealed that the inlet and outlet pipes were spaced the same distance
apart as the blanking plates for the non-existent right hand brake and
clutch pedals. So, I drilled the nasty holes in them. As a bonus, I got to
weld the mounting brackets to these plates as well. Come spring, or a move
to a warmer climate (anyone want to give me a job in Phoenix?), I will
simply remove the heater, the blanking plates, fab new ones, and no more
ugly heater.

david
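Matt's To: test, Eli's (To|Cc) version of it and Shawn's mailing-list caveat, worked through in plain sh as an added example (not code from any of the posts above). MY_ADDR, LISTS and the sample header blocks are assumptions constructed for it.

```shell
# Added example, not from the thread: Matt's recipe as Eli amended it,
#   * ! ^(To|Cc):.*mpkelly
# plus the mailing-list exemption Shawn says it needs.  MY_ADDR, LISTS and
# the sample headers below are constructed for this example.
MY_ADDR='mpkelly'
LISTS='procmail-users@example.invalid
announce@example.invalid'

# classify HEADERS: print "keep" or "drop" for one message's header block.
# procmail matches case-insensitively by default, hence grep -i.
classify() {
    hdrs=$1
    # The recipe's own test: a To: or Cc: line that names me.
    if printf '%s\n' "$hdrs" | grep -Eiq "^(To|Cc):.*$MY_ADDR"; then
        echo keep; return
    fi
    # Shawn's caveat: list traffic is addressed to the list, not to me, so
    # without this every subscribed list would vanish into /dev/null.
    for list in $LISTS; do
        if printf '%s\n' "$hdrs" | grep -Eiq "^(To|Cc):.*$list"; then
            echo keep; return
        fi
    done
    echo drop
}

# to_only HEADERS: Matt's original recipe, which looks at To: alone.
to_only() {
    printf '%s\n' "$1" | grep -Eiq "^To:.*$MY_ADDR" && echo keep || echo drop
}

# Constructed sample header blocks.
DIRECT='From: friend@example.invalid
To: mpkelly@primenet.com
Subject: hi'
CC_ONLY='From: friend@example.invalid
To: someone@example.invalid
Cc: mpkelly@primenet.com
Subject: fyi'
LIST_MAIL='From: poster@example.invalid
To: procmail-users@example.invalid
Subject: [procmail-users] scoring question'
BOGUS='From: bulk@example.invalid
To: friend@public.com
Subject: MAKE MONEY FAST'

for m in "$DIRECT" "$CC_ONLY" "$LIST_MAIL" "$BOGUS"; do
    printf 'classify: %-4s  to_only: %s\n' "$(classify "$m")" "$(to_only "$m")"
done
```

The Cc-only and list messages are the two that Matt's To:-only version silently drops.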
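Justin's question, answered the way David suggests, as an added example (not from the thread): a small sh script that tallies the Folder: lines of procmail's log so you can see which recipe fires most. It assumes LOGFILE=$HOME/procmail.log is set in .procmailrc and that each anti-spam recipe delivers to a folder of its own; the sample log is constructed.

```shell
# Added example, not from the thread: count recipe hits from procmail's
# three-line log.  Assumes each spam recipe delivers to its own folder so
# the folder name identifies the recipe.  The log below is constructed.
SAMPLE_LOG='From David_Scheidt  Tue Jan  6 14:02:37 1998
 Subject: .
  Folder: me                                                      434
From bulk@example.invalid  Tue Jan  6 14:05:11 1998
 Subject: MAKE MONEY FAST
  Folder: notes/junk-mail                                        1933
From list@example.invalid  Tue Jan  6 14:07:02 1998
 Subject: [list] weekly digest
  Folder: me                                                    12044
From x@example.invalid  Tue Jan  6 14:09:40 1998
 Subject:
  Folder: /dev/null                                               802
From y@example.invalid  Tue Jan  6 14:11:15 1998
 Subject: Re: your mail
  Folder: notes/junk-mail                                         640'

# count_folders < LOG: print "hits folder" pairs, most-hit folder first.
# Only Folder: lines are counted, so a blank Subject: line (a message
# with no subject, as David notes) does not disturb the tally.
count_folders() {
    awk '/^ *Folder: / { hits[$2]++ }
         END { for (f in hits) printf "%d %s\n", hits[f], f }' |
    sort -rn
}

# folder_hits NAME: how many sample-log entries went to folder NAME.
folder_hits() {
    printf '%s\n' "$SAMPLE_LOG" | count_folders |
    awk -v f="$1" '$2 == f { print $1; found = 1 }
                   END { if (!found) print 0 }'
}

# bytes_to NAME: total size delivered to NAME (the trailing number on
# each Folder: line).
bytes_to() {
    printf '%s\n' "$SAMPLE_LOG" |
    awk -v f="$1" '/^ *Folder: / && $2 == f { sum += $3 }
                   END { print sum + 0 }'
}

# Stand-alone run: the per-folder tally for the sample log.
printf '%s\n' "$SAMPLE_LOG" | count_folders
```

On a real account replace the SAMPLE_LOG pipe with `count_folders < "$HOME/procmail.log"`.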
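The arithmetic behind Eli's "more than 3/4ths CAPITALS" recipe, as an added example (not code from his post), including what the D flag is doing there; the sample bodies are constructed.

```shell
# Added example, not from the thread: the scoring in Eli's recipe
#   :0BD:
#   * -3^1 [A-Za-z]
#   * 4^1 [A-Z]
# Every letter scores -3 and every capital a further +4, so the total is
# 4U - 3(U+L) = U - 3L, positive exactly when U > 3L, i.e. when more than
# three quarters of the letters are capitals.  The bodies are constructed.
caps_score() {
    letters=$(printf '%s' "$1" | tr -cd 'A-Za-z' | wc -c | tr -d ' ')
    caps=$(printf '%s' "$1" | tr -cd 'A-Z' | wc -c | tr -d ' ')
    echo $(( 4 * caps - 3 * letters ))
}

# is_shouting BODY: "yes" when the recipe would match (procmail only acts
# on a strictly positive score) and file the mail in $HOME/notes/junk-mail.
is_shouting() {
    [ "$(caps_score "$1")" -gt 0 ] && echo yes || echo no
}

# Why the D flag matters: procmail regexps are case-insensitive unless D
# is set, so without it [A-Z] matches every letter, the score becomes
# 4N - 3N = N, and any body containing a single letter is junked.
score_without_d() {
    letters=$(printf '%s' "$1" | tr -cd 'A-Za-z' | wc -c | tr -d ' ')
    echo $(( 4 * letters - 3 * letters ))
}

for body in 'MAKE MONEY FAST NOW!!!' 'Hello there, how are you?' 'ABCd' 'ABCDe' ''; do
    printf '%-28s score=%4s shouting=%s\n' "$body" \
        "$(caps_score "$body")" "$(is_shouting "$body")"
done
```

'ABCd' is exactly three quarters capitals and scores 0, so it is not filed; 'ABCDe' is the smallest body that is.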