Using procmail to deal with backscatter spam - Debian
Re: Using procmail to deal with backscatter spam
Steve Kemp wrote:
> #
> # 1. Null envelope == bounce.
> #
> :0:
> * ^Return-Path:.*<>
> .Automated.bounces/
>
> #
> # 2. Delivery Status Notifications == bounce too.
> #
> :0 A
> * ^Content-Type:[ ]*multipart/report;[ ]*\/[^ ].*
> * ^Mime-Version:.*1.*\..*0
> * MATCH ?? report-type="?delivery-status"?
> * B ?? ^Content-Type:.*message.*delivery-status
> .Automated.bounces2/
>
>
> This rule contains tabs and spaces. You can find the file "rc.request"
> if you "apt-get source procmail" and copy/paste from there if you wish.
>
> Additionally, since Moritz asked this is how I handle foreign
> language mails:
>
> #
> # 3.a. Define what is "foreign".
> #
> UNREADABLE='[^?"]*big5|iso-2022-jp|ISO-2022-KR|euc-kr|gb2312|ks_c_5601-1987'
>
> #
> # 3.b. Foreign spam.
> #
> :0:
> * ^Content-Type:.*multipart
> * !^X-whitelist: yes
> * B ?? $ ^Content-Type:.*^?.*charset="?($UNREADABLE)
> .spam.foreign/
Well, defining that something coming from another language and encoding
that you don't understand can work for YOU, but not for everybody... We
have quite some Asian customers, they wouldn't be happy with these kinds
of rules! Also, the charset used in the mail doesn't tell you FOR SURE
what kind of language is used in the content of the email. I can write
you a mail using the Chinese charset, but with the content in English,
and you would be 100% capable of reading it.
Even more important: it makes no sense at all. Why would a mail within an
Asian charset be more of a spam than another? Do not take it badly,
it's not aimed at you, but I consider this fascism... Just consider
how many people on the internet are from Asia, and you will agree.
Well, these rules are OK if you are doing them for a single mail
account, but then WHY only write Russian + Asian? These should also be
configured for each account, this cannot be a general rule that works
for every account (don't you worry, I do understand that what you are
doing is procmail stuff, working differently for each individual
account). Why don't you ban ALL the charsets that your account reader
can't read? Don't tell me that it's because there are more spammers in
China. You have in your rules some Japanese charsets, and I really don't
think that spamming is a national sport in Japan.
Last: don't you think there are more efficient ways of filtering?
This was my 2 cents...
Thomas
--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
-
Using procmail to deal with backscatter spam
Recently there have been a couple of threads on this subject
on the Debian user mailing list, and elsewhere.
As a recipient of the mail addressed to security@debian.org
I see large numbers of mail bounces every couple of weeks, due
to joe-job attacks.
These are the rules that I currently use to filter bounces
via my ~/.procmailrc file:
#
# 1. Null envelope == bounce.
#
:0:
* ^Return-Path:.*<>
.Automated.bounces/
#
# 2. Delivery Status Notifications == bounce too.
#
:0 A
* ^Content-Type:[ ]*multipart/report;[ ]*\/[^ ].*
* ^Mime-Version:.*1.*\..*0
* MATCH ?? report-type="?delivery-status"?
* B ?? ^Content-Type:.*message.*delivery-status
.Automated.bounces2/
This rule contains tabs and spaces. You can find the file "rc.request"
if you "apt-get source procmail" and copy/paste from there if you wish.
Additionally, since Moritz asked this is how I handle foreign
language mails:
#
# 3.a. Define what is "foreign".
#
UNREADABLE='[^?"]*big5|iso-2022-jp|ISO-2022-KR|euc-kr|gb2312|ks_c_5601-1987'
#
# 3.b. Foreign spam.
#
:0:
* ^Content-Type:.*multipart
* !^X-whitelist: yes
* B ?? $ ^Content-Type:.*^?.*charset="?($UNREADABLE)
.spam.foreign/
Notice that in each case I'm using trailing "/" as I file messages
into Maildirs.
I'm sure these rules could be improved, or added to. Any and all
suggestions would be most welcome.
Steve
-
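Rules 1 and 2 from the post above, re-expressed with Python's email parser so they can be tried on sample mail before going into a ~/.procmailrc. This is an added example, not code from the thread; it assumes the two rules are applied as independent checks, and the sample messages, hosts and addresses are constructed.

```python
import re
from email import message_from_string

# Maildir folders named in rules 1 and 2 of the post.
FOLDERS = {"null-sender": ".Automated.bounces/", "dsn": ".Automated.bounces2/"}

def classify_bounce(raw):
    """Return 'null-sender', 'dsn' or None for one raw message."""
    msg = message_from_string(raw)
    # Rule 1: the delivering MTA recorded an empty envelope sender.
    if "<>" in (msg.get("Return-Path") or ""):
        return "null-sender"
    # Rule 2: MIME 1.0 multipart/report with report-type=delivery-status ...
    if msg.get_content_type() != "multipart/report":
        return None
    if not re.search(r"1.*\..*0", msg.get("MIME-Version") or ""):
        return None
    if (msg.get_param("report-type") or "").lower() != "delivery-status":
        return None
    # ... whose body really carries a message/delivery-status part.
    parts = [part.get_content_type() for part in msg.walk()]
    return "dsn" if "message/delivery-status" in parts else None

def folder_for(raw):
    return FOLDERS.get(classify_bounce(raw))  # None means normal delivery

# Constructed sample messages (not taken from the thread).
NULL_SENDER = ("Return-Path: <>\nFrom: MAILER-DAEMON@mx.example.net\n"
               "Subject: failure notice\n\nCould not deliver your message.\n")
NORMAL = "Return-Path: <alice@example.com>\nSubject: hello\n\nLunch on Friday?\n"
DSN = """\
Return-Path: <postmaster@mx.example.net>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to nobody@example.com failed.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.com
Action: failed
--b1--
"""
```

The DSN sample deliberately has a non-empty Return-Path, which is the case rule 1 alone would miss.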
Re: Using procmail to deal with backscatter spam
On Fri Oct 10, 2008 at 17:17:49 +0800, Thomas Goirand wrote:
> Well, defining that something coming from another language and encoding
> that you don't understand can work for YOU, but not for everybody... We
> have quite some Asian customers, they wouldn't be happy with these kinds
> of rules!
Indeed, which is why I listed it as an extra. But the original
thread, located elsewhere, specifically asked about blocking foreign
spam.
> Also, the charset used in the mail doesn't tell you FOR SURE
> what kind of language is used in the content of the email. I can write
> you a mail using the Chinese charset, but with the content in English,
> and you would be 100% capable of reading it.
True.
> Even more important: it makes no sense at all. Why would a mail within an
> Asian charset be more of a spam than another? Do not take it badly,
> it's not aimed at you, but I consider this fascism... Just consider
> how many people on the internet are from Asia, and you will agree.
In general you're correct. The location, language, and character
set shouldn't have any bearing. That said I receive several thousand
spam messages a day. The majority of it is in English coming from the
USA and UK. The next significant common thing is Asian & Russian
character sets.
Given that I'm a personal individual who rarely deals with Asian
and Russian email I've not heard this has caused any problem. I
clearly cannot block English messages as that is what my legitimate
mail would be written in.
> Last: don't you think there are more efficient ways of filtering?
I look forward to hearing about your efficient solution, which
doesn't run the risk of fascistly blocking large swathes of messages
that somebody else might consider valid ..
Actually I think my own service is pretty good, but that's more for
small businesses and people with their own domains:
http://mail-scanning.com/
Steve
-
Re: Using procmail to deal with backscatter spam
On Fri, Oct 10, 2008 at 10:54:29AM +0100, Steve Kemp wrote:
> Given that I'm a personal individual who rarely deals with Asian
> and Russian email I've not heard this has caused any problem. I
> clearly cannot block English messages as that is what my legitimate
> mail would be written in.
I've seen multiple occurrences of this kind of overly broad "hammer"
filtering out English mail from people using mailers with national
charsets set.
-
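The false positive discussed in the replies above, reproduced as an added example (not code from any poster): Python's `re` approximates the conditions of rule 3.b, and the constructed message declares charset="gb2312" while its text is plain ASCII English. The function names and the sample message are assumptions made for the illustration.

```python
import re
from email import message_from_string

# UNREADABLE exactly as given in the post; procmail matches case-insensitively.
UNREADABLE = r'[^?"]*big5|iso-2022-jp|ISO-2022-KR|euc-kr|gb2312|ks_c_5601-1987'
# Approximation of: * B ?? $ ^Content-Type:.*^?.*charset="?($UNREADABLE)
BODY_RULE = re.compile(r'^Content-Type:.*\n?.*charset="?(' + UNREADABLE + ')',
                       re.I | re.M)

def rule_3b_matches(raw):
    """True if the message would be filed into .spam.foreign/ by rule 3.b."""
    head, _, body = raw.partition("\n\n")
    if not re.search(r"^Content-Type:.*multipart", head, re.I | re.M):
        return False
    if re.search(r"^X-whitelist: yes", head, re.I | re.M):
        return False
    return BODY_RULE.search(body) is not None

def text_is_ascii(raw):
    """True if every text part of the message contains only ASCII characters."""
    msg = message_from_string(raw)
    return all(part.get_payload().isascii() for part in msg.walk()
               if part.get_content_maintype() == "text")

# Constructed message: English text sent by a mailer set to a national charset.
ENGLISH_GB2312 = """\
From: Wei <wei@example.cn>
To: steve@example.org
Subject: Invoice question
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b2"

--b2
Content-Type: text/plain; charset="gb2312"

Hello Steve, could you resend the invoice for September?
--b2
Content-Type: text/html; charset="gb2312"

<p>Hello Steve, could you resend the invoice for September?</p>
--b2--
"""

if __name__ == "__main__":
    print("filed as foreign spam:", rule_3b_matches(ENGLISH_GB2312))
    print("text is plain ASCII:  ", text_is_ascii(ENGLISH_GB2312))
```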
Re: Using procmail to deal with backscatter spam
On Thu, Oct 09, 2008 at 06:24:39PM +0100, Steve Kemp wrote:
>
> Also these will help:
>
> # 4. More language specific checks
> :0:
    ^
> * Subject:.*koi8-r
> .spam.foreign/
>
> :0:
    ^
> * Subject:.*windows-1251
> .spam.foreign/
You don't need to lock for maildir. This was pointed out on debian-user.
Better:
:0
* Subject:.*windows-1251
.spam.foreign/
--
Chris.
======
I contend that we are both atheists. I just believe in one fewer god
than you do. When you understand why you dismiss all the other
possible gods, you will understand why I dismiss yours.
-- Sir Stephen Henry Roberts
-
Re: Using procmail to deal with backscatter spam
There are two errors:
On 2008-10-09 18:24:39, Steve Kemp wrote:
>
> Also these will help:
>
> # 4. More language specific checks
> :0:
    ^
Since you use Maildir, you do not need locking.
> * Subject:.*koi8-r
    ^
* ^Subject:.*koi8-r
Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant
--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack Apt. 917 ICQ #328449886
+49/177/9351947 50, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France IRC #Debian (irc.icq.com)
-
Re: Using procmail to deal with backscatter spam
On Tue Oct 14, 2008 at 00:40:36 +0200, Michelle Konzack wrote:
> > # 4. More language specific checks
> > :0:
>     ^
> Since you use Maildir, you do not need locking.
Indeed. This was pointed out to me previously. I've updated
my reference copy:
http://blog.steve.org.uk/procmail.snippets
> > * Subject:.*koi8-r
>     ^
> * ^Subject:.*koi8-r
Good catch, that is also fixed in the online copy.
Steve
--
http://www.steve.org.uk/