Using procmail to deal with backscatter spam
Recently there have been a couple of threads on this subject
on the Debian user mailing list, and elsewhere.
As a recipient of the mail addressed to security@debian.org
I see large numbers of mail bounces every couple of weeks, due
to joe-job attacks.
These are the rules that I currently use to filter bounces
via my ~/.procmailrc file:
#
# 1. Null envelope == bounce.
#
:0:
* ^Return-Path:.*<>
.Automated.bounces/
#
# 2. Delivery Status Notifications == bounce too.
#
:0
* ^Content-Type:[ 	]*multipart/report;[ 	]*\/[^ 	].*
* ^Mime-Version:.*1.*\..*0
* MATCH ?? report-type="?delivery-status"?
* B ?? ^Content-Type:.*message.*delivery-status
.Automated.bounces2/
This rule contains tabs and spaces. You can find the file "rc.request"
if you "apt-get source procmail" and copy/paste from there if you wish.
Additionally, since Moritz asked, this is how I handle foreign
language mails:
#
# 3.a. Define what is "foreign".
#
UNREADABLE='[^?"]*big5|iso-2022-jp|ISO-2022-KR|euc-kr|gb2312|ks_c_5601-1987'
#
# 3.b. Foreign spam.
#
:0:
* ^Content-Type:.*multipart
* !^X-whitelist: yes
* B ?? $ ^Content-Type:.*^?.*charset="?($UNREADABLE)
.spam.foreign/
Notice that in each case I'm using a trailing "/" as I file messages
into Maildirs.
I'm sure these rules could be improved, or added to. Any and all
suggestions would be most welcome.
Steve
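
Added example, not part of the original post: the conditions of the three rules above restated in Python with the standard `email` module, so they can be checked against sample messages offline before the recipes go into a live ~/.procmailrc. The function name `classify` and the sample messages are constructed for illustration, and the checks approximate the regexes rather than reproduce procmail's matching.

```python
import email

# Charsets named in the post's UNREADABLE variable (lower-cased).
UNREADABLE = {"big5", "iso-2022-jp", "iso-2022-kr", "euc-kr", "gb2312",
              "ks_c_5601-1987"}

def classify(raw):
    """Return the Maildir the post's rules would choose, or None."""
    msg = email.message_from_string(raw)
    # Rule 1: null envelope sender recorded in Return-Path.
    if msg.get("Return-Path", "").strip() == "<>":
        return ".Automated.bounces/"
    # Rule 2: MIME 1.0 multipart/report with a delivery-status part.
    if (msg.get_content_type() == "multipart/report"
            and "1.0" in msg.get("Mime-Version", "")
            and (msg.get_param("report-type") or "").lower() == "delivery-status"
            and any(p.get_content_type() == "message/delivery-status"
                    for p in msg.walk())):
        return ".Automated.bounces2/"
    # Rule 3: multipart, not whitelisted, a part in an unreadable charset.
    if (msg.get_content_maintype() == "multipart"
            and msg.get("X-whitelist", "").strip().lower() != "yes"
            and any((p.get_content_charset() or "") in UNREADABLE
                    for p in msg.walk())):
        return ".spam.foreign/"
    return None

# Constructed sample messages (not real mail).
NULL_SENDER = "Return-Path: <>\nSubject: Undelivered Mail\n\nbounce text\n"
DSN = """\
Return-Path: <postmaster@example.net>
Mime-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@example.org
Status: 5.1.1
--b1--
"""
FOREIGN = """\
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="EUC-KR"

(body)
--b2--
"""
```

The DSN sample carries a non-null Return-Path, which is the case rule 1 misses and rule 2 exists to catch.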