
Re: [vps-mail] Filtering catch-all's misses



On Tue, Feb 24, 2004 at 12:36:38PM -0500, Jim Smith wrote:
<snip>
> I set a Procmail rule to get rid of all
> such spams. It came after my white & black list and gave 2 points to
> blarneystone and subtracted 3 points for any of my defined addresses. So
> anything with 2 points to blarneystone but nothing else went directly to
> spam as shown here:
> 
>  :0:
>  * 2^0 ^TOblarneystone\.com
>  * -3^0 ^TOjimsmith@xxxxxxxxxxxxxxxx
>  * -3^0 ^TOjsmith@xxxxxxxxxxxxxxxx
>           ...snipped out many more...
>  * -3^0 ^TOsupport@xxxxxxxxxxxxxxxx
>  * -3^0 ^TOmaillists@xxxxxxxxxxxxxxxx
>  $HOME/spam
> 
> Now that I'm using Bayes, I'd like to somehow turn this into a SA rule so it
> tags each of these as spam (right now it sends them directly to spam folder
> without running through Bayes).
> 
> So, three questions:
> 1. Is there a test that can be implemented in SA to find emails with forged
> To/CC/BCC fields?

Not trivially--it's domain specific so you'll need to write a
customized rule/regex to detect that. Your procmail version will be
more efficient.

> 2. Can a Procmail action mark up a header like SA does so I can then send it
> thru SA with a SA rule to recognize the mark and tag it with a high score?

Yes; use something like this:

    DOMAIN="blarneystone\.com"

    :0
    *  2^0 $ ^TO_${DOMAIN}
    * -3^0 $ ^TO_jimsmith@${DOMAIN}
    * -3^0 $ ^TO_jsmith@${DOMAIN}
    ...
    * -3^0 $ ^TO_support@${DOMAIN}
    * -3^0 $ ^TO_maillists@${DOMAIN}
    {
      :0 fhw
      | formail -A"X-Blarney-Spam: invalid TO/BCC detected"
    }

Then create an SA rule in local.cf:

  header   BLARNEY_INVALID_TO        X-Blarney-Spam =~ /invalid TO\/BCC detected/
  describe BLARNEY_INVALID_TO        Blarney spam test "invalid TO/BCC" triggered
  score    BLARNEY_INVALID_TO        6.0

This hasn't been tested, btw. The filter above (formail pipe) is
non-delivering, so mail will continue to the next recipe in the
procmailrc file (e.g., the one that runs it through spamassassin,
etc.)

Scott
-- 
Scott Wiersdorf
scott@xxxxxxxxxxxx
======================================================================
This is <vps-mail@xxxxxxxxxxxx>       <http://www.perlcode.org/lists/>
Before posting a question, please search the archives (see above URL).
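
Added example (not part of the thread, and not run against procmail itself): a Python emulation of the weighted scoring in the recipe above, run over constructed messages to show which ones would receive the X-Blarney-Spam header. The `TO_` regex is an assumed approximation of procmail's `^TO_` macro, and `VALID_LOCALS` holds only the four local parts visible in the thread.

```python
import re

DOMAIN = r"blarneystone\.com"
# Only the local parts visible in the thread; the real list is elided there.
VALID_LOCALS = ["jimsmith", "jsmith", "support", "maillists"]
TAG = "X-Blarney-Spam: invalid TO/BCC detected"

# Assumption: approximates procmail's ^TO_ macro (destination headers, then an
# address that must start at a non-address character).
TO_ = (r"(?:(?:Original-)?(?:Resent-)?(?:To|Cc|Bcc)"
       r"|(?:X-Envelope|Apparently(?:-Resent)?)-To):(?:.*[^-a-zA-Z0-9_.])?")

def header_lines(raw):
    head = raw.split("\n\n", 1)[0]
    return re.sub(r"\n[ \t]+", " ", head).split("\n")  # unfold continuations

def score(raw):
    lines = header_lines(raw)
    def hit(pattern):
        rx = re.compile(TO_ + pattern, re.I)  # procmail matches case-insensitively
        return any(rx.match(line) for line in lines)
    total = 2 if hit(DOMAIN) else 0           # "2^0": counted once
    for local in VALID_LOCALS:                # "-3^0" per listed address
        if hit(re.escape(local) + "@" + DOMAIN):
            total -= 3
    return total

def tag(raw):
    """Mimic the formail -A step: the recipe fires only on a positive score."""
    if score(raw) <= 0:
        return raw
    head, sep, body = raw.partition("\n\n")
    return head + "\n" + TAG + sep + body

# Constructed sample messages.
SAMPLES = {
    "unknown local part": "To: qwerty@blarneystone.com\nSubject: x\n\nbody\n",
    "valid address": "To: JSmith@BlarneyStone.com\nSubject: x\n\nbody\n",
    "prefix lookalike": "To: notjsmith@blarneystone.com\nSubject: x\n\nbody\n",
    "invalid plus valid": "To: qwerty@blarneystone.com\nCc: support@blarneystone.com\n\nbody\n",
    "folded To": "To: a@example.org,\n qwerty@blarneystone.com\n\nbody\n",
    "true Bcc, domain absent": "To: list@example.org\nSubject: x\n\nbody\n",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:26} score={score(msg):+d} tagged={TAG in tag(msg)}")
```

Messages scoring 0 or below are left untagged and go on to SpamAssassin's normal scoring, which covers both the mixed valid/invalid recipient case and mail whose headers never mention the domain.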

