Using procmail to deal with backscatter spam - Debian


  1. Re: Using procmail to deal with backscatter spam

    Steve Kemp wrote:
    > #
    > # 1. Null envelope == bounce.
    > #
    > :0:
    > * ^Return-Path:.*<>
    > .Automated.bounces/
    >
    > #
    > # 2. Delivery Status Notifications == bounce too.
    > #
    > :0 A
    > * ^Content-Type:[ ]*multipart/report;[ ]*\/[^ ].*
    > * ^Mime-Version:.*1.*\..*0
    > * MATCH ?? report-type="?delivery-status"?
    > * B ?? ^Content-Type:.*message.*delivery-status
    > .Automated.bounces2/
    >
    >
    > This rule contains tabs and spaces. You can find the file "rc.request"
    > if you "apt-get source procmail" and copy/paste from there if you wish.
    >
    > Additionally, since Moritz asked, this is how I handle foreign
    > language mails:
    >
    > #
    > # 3.a. Define what is "foreign".
    > #
    > UNREADABLE='[^?"]*big5|iso-2022-jp|ISO-2022-KR|euc-kr|gb2312|ks_c_5601-1987'
    >
    > #
    > # 3.b. Foreign spam.
    > #
    > :0:
    > * ^Content-Type:.*multipart
    > * !^X-whitelist: yes
    > * B ?? $ ^Content-Type:.*^?.*charset="?($UNREADABLE)
    > .spam.foreign/


    Well, defining that something coming from another language and encoding
    that you don't understand can work for YOU, but not for everybody... We
    have quite some Asian customers, they wouldn't be happy with these kinds
    of rules! Also, the charset used in the mail doesn't tell you FOR SURE
    what kind of language is used in the content of the email. I can write
    you a mail using the Chinese charset, but with the content in English,
    and you would be 100% capable of reading it.

    Even more important: it makes no sense at all. Why would a mail within an
    Asian charset be more of a spam than another? Do not take it badly,
    it's not aimed at you, but I consider this fascism... Just consider
    how many people on the internet are from Asia, and you will agree.

    Well, these rules are OK if you are doing them for a single mail
    account, but then WHY only write Russian + Asian? These should also be
    configured for each account, this cannot be a general rule that works
    for every account (don't you worry, I do understand that what you are
    doing is procmail stuff, working differently for each individual
    account). Why don't you ban ALL the charsets that your account reader
    can't read? Don't tell me that it's because there are more spammers in
    China. You have in your rules some Japanese charsets, and I really don't
    think that spamming is a national sport in Japan.

    Last: don't you think there are more efficient ways of filtering?

    This was my 2 cents...

    Thomas


    --
    To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

  2. Using procmail to deal with backscatter spam


    Recently there have been a couple of threads on this subject
    on the Debian user mailing list, and elsewhere.

    As a recipient of the mail addressed to security@debian.org
    I see large numbers of mail bounces every couple of weeks, due
    to joe-job attacks.

    These are the rules that I currently use to filter bounces
    via my ~/.procmailrc file:

    #
    # 1. Null envelope == bounce.
    #
    :0:
    * ^Return-Path:.*<>
    .Automated.bounces/

    #
    # 2. Delivery Status Notifications == bounce too.
    #
    :0 A
    * ^Content-Type:[ ]*multipart/report;[ ]*\/[^ ].*
    * ^Mime-Version:.*1.*\..*0
    * MATCH ?? report-type="?delivery-status"?
    * B ?? ^Content-Type:.*message.*delivery-status
    .Automated.bounces2/


    This rule contains tabs and spaces. You can find the file "rc.request"
    if you "apt-get source procmail" and copy/paste from there if you wish.

    Additionally, since Moritz asked, this is how I handle foreign
    language mails:

    #
    # 3.a. Define what is "foreign".
    #
    UNREADABLE='[^?"]*big5|iso-2022-jp|ISO-2022-KR|euc-kr|gb2312|ks_c_5601-1987'

    #
    # 3.b. Foreign spam.
    #
    :0:
    * ^Content-Type:.*multipart
    * !^X-whitelist: yes
    * B ?? $ ^Content-Type:.*^?.*charset="?($UNREADABLE)
    .spam.foreign/


    Notice that in each case I'm using trailing "/" as I file messages
    into Maildirs.

    I'm sure these rules could be improved, or added to. Any and all
    suggestions would be most welcome.

    Steve
    --


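
Added example, not part of the post above: the tests made by rules 1 and 2, written out in Python and run over three constructed messages to show which kind of bounce each rule catches. The function names and the sample messages are assumptions made for this illustration.

```python
import email

def is_null_sender(msg):
    # Rule 1: an empty envelope sender is recorded as "Return-Path: <>".
    return msg.get("Return-Path", "").replace(" ", "") == "<>"

def is_dsn(msg):
    # Rule 2: MIME 1.0 multipart/report with report-type=delivery-status
    # that carries a message/delivery-status part.
    if "1.0" not in msg.get("MIME-Version", ""):
        return False
    if msg.get_content_type() != "multipart/report":
        return False
    if str(msg.get_param("report-type", "")).lower() != "delivery-status":
        return False
    return any(part.get_content_type() == "message/delivery-status"
               for part in msg.walk())

def classify(raw):
    # Same order as the recipes: null sender first, then DSN structure.
    msg = email.message_from_string(raw)
    if is_null_sender(msg):
        return ".Automated.bounces/"
    if is_dsn(msg):
        return ".Automated.bounces2/"
    return "inbox"

# Constructed sample messages (not taken from the thread).
PLAIN_BOUNCE = ("Return-Path: <>\nFrom: MAILER-DAEMON@mx.example.net\n"
                "Subject: failure notice\n\nThis address does not exist.\n")
# A DSN relayed with a non-empty Return-Path: rule 1 misses it, rule 2 does not.
DSN = ("Return-Path: <postmaster@mx.example.net>\n"
       "MIME-Version: 1.0\n"
       'Content-Type: multipart/report; report-type="delivery-status";\n'
       ' boundary="b1"\n\n'
       "--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
       "--b1\nContent-Type: message/delivery-status\n\n"
       "Reporting-MTA: dns; mx.example.net\n\n"
       "Final-Recipient: rfc822; nobody@example.net\nAction: failed\n"
       "Status: 5.1.1\n--b1--\n")
NORMAL = ("Return-Path: <alice@example.com>\nFrom: alice@example.com\n"
          "Subject: patch review\n\nComments inline.\n")

if __name__ == "__main__":
    for name, raw in [("plain", PLAIN_BOUNCE), ("dsn", DSN), ("normal", NORMAL)]:
        print(name, "->", classify(raw))
```
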

  3. Re: Using procmail to deal with backscatter spam

    On Fri Oct 10, 2008 at 17:17:49 +0800, Thomas Goirand wrote:

    > Well, defining that something coming from another language and encoding
    > that you don't understand can work for YOU, but not for everybody... We
    > have quite some Asian customers, they wouldn't be happy with these kinds
    > of rules!


    Indeed, which is why I listed it as an extra. But the original
    thread, located elsewhere, specifically asked about blocking foreign
    spam.

    > Also, the charset used in the mail doesn't tell you FOR SURE
    > what kind of language is used in the content of the email. I can write
    > you a mail using the Chinese charset, but with the content in English,
    > and you would be 100% capable of reading it.


    True.

    > Even more important: it makes no sense at all. Why would a mail within an
    > Asian charset be more of a spam than another? Do not take it badly,
    > it's not aimed at you, but I consider this fascism... Just consider
    > how many people on the internet are from Asia, and you will agree.


    In general you're correct. The location, language, and character
    set shouldn't have any bearing. That said I receive several thousand
    spam messages a day. The majority of it is in English coming from the
    USA and UK. The next significant common thing is Asian & Russian
    character sets.

    Given that I'm a personal individual who rarely deals with Asian
    and Russian email I've not heard this has caused any problem. I
    clearly cannot block English messages as that is what my legitimate
    mail would be written in.

    > Last: don't you think there are more efficient ways of filtering?


    I look forward to hearing about your efficient solution, which
    doesn't run the risk of fascistly blocking large swathes of messages
    that somebody else might consider valid ..

    Actually I think my own service is pretty good, but that's more for
    small businesses and people with their own domains:

    http://mail-scanning.com/

    Steve
    --



  4. Re: Using procmail to deal with backscatter spam

    On Fri, Oct 10, 2008 at 10:54:29AM +0100, Steve Kemp wrote:
    > Given that I'm a personal individual who rarely deals with Asian
    > and Russian email I've not heard this has caused any problem. I
    > clearly cannot block English messages as that is what my legitimate
    > mail would be written in.


    I've seen multiple occurrences of this kind of overly broad "hammer"
    filtering out English mail from people using mailers with national
    charsets set.


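
Added example, not written by any poster in this thread: it shows the false positive described above, where rule 3.b files an English message because its text part declares gb2312. The regex is rule 3.b translated to Python syntax; the function names and both sample messages are assumptions constructed for this illustration.

```python
import re
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Charset list from rule 3.a and the body test from rule 3.b, translated
# to Python regex syntax (procmail matches case-insensitively).
UNREADABLE = r'[^?"]*big5|iso-2022-jp|ISO-2022-KR|euc-kr|gb2312|ks_c_5601-1987'
RULE_3B = re.compile(r'^Content-Type:.*\n?.*charset="?(' + UNREADABLE + ')',
                     re.IGNORECASE | re.MULTILINE)

def rule_3b_matches(raw):
    msg = message_from_string(raw)
    if msg.get_content_maintype() != "multipart":
        return False
    if msg.get("X-whitelist", "").strip().lower() == "yes":
        return False
    body = raw.split("\n\n", 1)[1]          # "B ??" tests the body only
    return RULE_3B.search(body) is not None

def non_ascii_fraction(raw):
    # Decode every text part with its declared charset and measure how
    # much of the decoded text falls outside ASCII.
    text = ""
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True)
            text += data.decode(part.get_content_charset("ascii"), "replace")
    return sum(ord(c) > 127 for c in text) / max(len(text), 1)

def build(body):
    # Constructed sample: a multipart mail whose text part declares gb2312.
    msg = MIMEMultipart("alternative")
    msg["From"] = "customer@example.cn"
    msg["Subject"] = "Invoice question"
    msg.attach(MIMEText(body, "plain", "gb2312"))
    return msg.as_string()

ENGLISH = build("Hello, could you resend last month's invoice? Thanks.")
# The same request written in Chinese (escaped so the file stays ASCII).
CHINESE = build("\u4f60\u597d\uff0c\u8bf7\u91cd\u65b0\u53d1\u9001"
                "\u4e0a\u4e2a\u6708\u7684\u53d1\u7968\u3002")

if __name__ == "__main__":
    for name, raw in [("english", ENGLISH), ("chinese", CHINESE)]:
        print(name, rule_3b_matches(raw), round(non_ascii_fraction(raw), 2))
```

Both messages match the rule, yet the first decodes to pure ASCII text.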

  5. Re: Using procmail to deal with backscatter spam

    On Thu, Oct 09, 2008 at 06:24:39PM +0100, Steve Kemp wrote:
    >
    > Also these will help:
    >
    > # 4. More language specific checks
    > :0:
        ^
    > * Subject:.*koi8-r
    > .spam.foreign/
    >
    > :0:
        ^
    > * Subject:.*windows-1251
    > .spam.foreign/


    You don't need to lock for maildir. This was pointed out on debian-user.

    Better:
    :0
    * Subject:.*windows-1251
    .spam.foreign/

    --
    Chris.
    ======
    I contend that we are both atheists. I just believe in one fewer god
    than you do. When you understand why you dismiss all the other
    possible gods, you will understand why I dismiss yours.
    -- Sir Stephen Henry Roberts



  6. Re: Using procmail to deal with backscatter spam

    There are two errors:

    On 2008-10-09 18:24:39, Steve Kemp wrote:
    >
    > Also these will help:
    >
    > # 4. More language specific checks
    > :0:
        ^
    Since you use Maildir, you do not need locking.

    > * Subject:.*koi8-r
        ^
    * ^Subject:.*koi8-r



    Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant


    --
    Linux-User #280138 with the Linux Counter, http://counter.li.org/
    ##################### Debian GNU/Linux Consultant #####################
    Michelle Konzack Apt. 917 ICQ #328449886
    +49/177/9351947 50, rue de Soultz MSN LinuxMichi
    +33/6/61925193 67100 Strasbourg/France IRC #Debian (irc.icq.com)



  7. Re: Using procmail to deal with backscatter spam

    On Tue Oct 14, 2008 at 00:40:36 +0200, Michelle Konzack wrote:

    > > # 4. More language specific checks
    > > :0:
    >     ^
    > Since you use Maildir, you do not need locking.


    Indeed. This was pointed out to me previously. I've updated
    my reference copy:

    http://blog.steve.org.uk/procmail.snippets

    > > * Subject:.*koi8-r
    >     ^
    > * ^Subject:.*koi8-r


    Good catch, that is also fixed in the online copy.

    Steve
    --
    http://www.steve.org.uk/

