
Re: More on spam



On Sat, Oct 18, 2003 at 06:57:40PM +0800, Brian Walker wrote:
> 
> Can I add a line to procmail to prefilter spam with mailfilter, before
> letting spamassassin get to work? 

mailfilter operates on the POP3 mailbox on the remote server, not on
stuff you've already retrieved. You can add 'preconnect "mailfilter"'
to ~/.fetchmailrc, to get fetchmail to preprocess your POP3 box with
mailfilter before it retrieves the messages.

> What about the line to add to delete swen messages?

Probably the easiest way is simply to bin anything over 145k with
MAXSIZE_DENY=145000, then use ALLOW=^From:.*username@email.addy to
whitelist anyone who might really send you a genuine mail that big.

This still lets through the ones around 15k in size that have had the
.exe stripped. These can be filtered out on the contents of the From:,
To: and sometimes Subject: headers. I "primed" my .mailfilterrc with
rules appropriate to what I'd seen in these headers at the time, and
have semi-automatedly stuck in extra rules to match the odd ones that
still slip through. The attached .mailfilterrc may be of some use.

-- 
Pigeon

Be kind to pigeons
Get my GPG key here: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x21C61F7F
LOGFILE=/home/pigeon/mailfilter.log

SHOW_HEADERS=yes

SERVER=pop3.ukonline.co.uk
USER=jah.pigeon
PASS=xxxxxxx
PROTOCOL=pop3
PORT=110

SERVER=pop3.ukonline.co.uk
USER=my.other.email.addy
PASS=xxxxxxx
PROTOCOL=pop3
PORT=110

REG_CASE=yes

REG_TYPE=extended

MAXSIZE_DENY=145000

NORMAL=yes


DENY=^Content-(Type|[Dd]isposition):.*(file)?name=.*\.(asd|bat|chm|cmd|com|dll|exe|gif|hlp|hta|js|jse|lnk|ocx|pif|scr|shb|shm|shs|vb|vbe|vbs|vbx|vxd|wav|wsf|wsh)

DENY=^(Subject|SUBJECT):.*(Latest Net Critical Update|Bug Message|Abort Letter|abort notice|Failure Message|New Microsoft Security Patch|Error Announcement|Newest Security Patch|Internet Security Upgrade|Abort Advice) 

DENY=^(From|FROM):.*(Microsoft|MS Email Delivery System|Inet Email|Internet Message|Inet Mail Service|MS Internet|Net. Delivery Service|MS Mail System|internet email delivery|MS Network Delivery|ms network system|MS Security Services|Inet Mail Storage System|Public Assistance|MS Corporation|Internet Mail Storage Service|microsoft mail storage service|Program Security Center|MS Network Email Service|Inet Message Storage System|Program Security Division|MS Email Delivery Service|Program Security Department)

DENY=^(To|TO):.*(Network Recipient|Mail Client|Commercial Client|Net Receiver|email client|Partner|Inet User|net user|Commercial Customer|email receiver)

ALLOW=^From:.*@lists\.debian\.org
ALLOW=^From:.*@linuxsa\.org\.au
ALLOW=^From:.*@lists\.kraya\.co\.uk

DENY=^(From|FROM):.*internet message delivery system
DENY=^(To|TO):.*Email Recipient
DENY=^(From|FROM):.*Net Email Delivery Service
DENY=^(To|TO):.*Internet Receiver
DENY=^(From|FROM):.*MS Security Bulletin
DENY=^(To|TO):.*MS Corporation Customer
DENY=^(Subject|SUBJECT):.*Newest Microsoft Upgrade



DENY=^(Subject|SUBJECT):.*announcement
DENY=^(From|FROM):.*Internet Mail Delivery Service
DENY=^(To|TO):.*Network Client
DENY=^(From|FROM):.*Net Storage Service
DENY=^(To|TO):.*Email User
DENY=^(From|FROM):.*Internet Mail Delivery System
DENY=^(To|TO):.*Internet Recipient
DENY=^(From|FROM):.*Net Delivery Service
DENY=^(To|TO):.*Internet User
DENY=^(From|FROM):.*Net Mail Storage Service
DENY=^(To|TO):.*Network User
DENY=^(From|FROM):.*MS Inet Message Service
DENY=^(To|TO):.*internet receiver
DENY=^(From|FROM):.*MS Public Services
DENY=^(To|TO):.*Microsoft Customer
DENY=^(From|FROM):.*internet system
DENY=^(To|TO):.*Inet Recipient
DENY=^(From|FROM):.*inet mail service
DENY=^(To|TO):.*Net User
DENY=^(Subject|SUBJECT):.*Last Microsoft Security Upgrade
DENY=^(From|FROM):.*Net Email Storage System
DENY=^(To|TO):.*Mail Receiver
DENY=^(From|FROM):.*Security Center
DENY=^(To|TO):.*Consumer
DENY=^(From|FROM):.*MS Security Assistance
DENY=^(To|TO):.*Microsoft Corporation Customer
DENY=^(Subject|SUBJECT):.*Latest Security Upgrade
DENY=^(Subject|SUBJECT):.*SFK AntiVirus scan results
DENY=^(From|FROM):.*DrWeb-DAEMON
DENY=^(To|TO):.*Recipients of original message
DENY=^(From|FROM):.*ms net message delivery service
DENY=^(To|TO):.*Mail User
DENY=^(From|FROM):.*Net Mail Storage System
DENY=^(To|TO):.*Inet Receiver
DENY=^(From|FROM):.*Security Support
DENY=^(To|TO):.*Microsoft User
DENY=^(Subject|SUBJECT):.*Current Microsoft Security Pack
DENY=^(To|TO):.*Client
DENY=^(Subject|SUBJECT):.*Last Network Critical Pack
DENY=^(From|FROM):.*Storage Service
DENY=^(To|TO):.*Net Client
DENY=^(Subject|SUBJECT):.*Current Microsoft Critical Pack
DENY=^(From|FROM):.*MS Corporation Security Division
DENY=^(To|TO):.*Microsoft Corporation User
DENY=^(From|FROM):.*Microsoft Corporation Technical Support
DENY=^(To|TO):.*Customer
DENY=^(From|FROM):.*Network Message System
DENY=^(From|FROM):.*MS Program Security Section
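
A dry run of the rule logic described in this message, added here as an example; it is not part of the original post or of mailfilter. It assumes Python's `re` is a close enough stand-in for POSIX extended regexes on these patterns, and that ALLOW is checked first and overrides both MAXSIZE_DENY and DENY, as the message describes. The function names and sample headers are constructed for illustration.

```python
import re

# Constructed subset of the attached rules (ALLOW dots escaped here).
RC = r"""
MAXSIZE_DENY=145000
DENY=^(From|FROM):.*MS Security Bulletin
DENY=^(Subject|SUBJECT):.*Newest Microsoft Upgrade
DENY=^(To|TO):.*Customer
ALLOW=^From:.*@lists\.debian\.org
"""

def load_rules(text):
    """Parse KEY=VALUE lines into (maxsize, deny_patterns, allow_patterns)."""
    maxsize, deny, allow = 0, [], []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue
        if key == "MAXSIZE_DENY":
            maxsize = int(value)
        elif key == "DENY":
            deny.append(re.compile(value))   # case-sensitive, like REG_CASE=yes
        elif key == "ALLOW":
            allow.append(re.compile(value))
    return maxsize, deny, allow

def first_match(patterns, headers):
    """Return the first pattern that matches any header line, else None."""
    for rx in patterns:
        if any(rx.search(h) for h in headers):
            return rx.pattern
    return None

def verdict(headers, size, rules):
    """Decide what would happen to one message; ALLOW is checked first."""
    maxsize, deny, allow = rules
    hit = first_match(allow, headers)
    if hit:
        return ("keep", "ALLOW=" + hit)
    if maxsize and size > maxsize:
        return ("delete", "MAXSIZE_DENY")
    hit = first_match(deny, headers)
    if hit:
        return ("delete", "DENY=" + hit)
    return ("keep", "no rule matched")

if __name__ == "__main__":
    rules = load_rules(RC)
    # Constructed headers: an ordinary message that a broad To: rule catches.
    msg = ["From: Shop <orders@example.com>", "To: Customer Services <help@example.org>"]
    print(verdict(msg, 4000, rules))
```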
