Len,

The only problem I see with this is I get a lot of emails from clients referencing their domain name in the subject. These days the 15+ char domains are common.

Any idea on how we can best handle 15+ chars not ending in one of the common domain extensions?

Thanks
-Kevin

Len Conrad wrote:
> I've been getting a few of these in the past couple of days, where
> the Subject: is a concatenation of several words, sometimes with numbers, eg:
>
> CustomerSupport100mgTakeALook
> CanadianOnlineDrugstoreAddtoCart
> DFAapprovedNewOffer100mg
> VCheapViagraAndCialis
> ShippingFriendlySupportWorldwide
> InternationalPharPillsInternationalPhar
> ForValuedCustomerWelcomePharm
>
> This spam has been arriving only in the past 2 - 3 days.
>
> I added a header filter, first in WARN mode, everything looked like
> junk, and mostly from PTR-less IPs or IPs with subscriber access
> PTRs. So I upgraded it to HOLD mode.
>
> The filter triggers if there is a subject: with a "too long word" of
> 15 or more consecutive characters or digits.
>
> If you want to take a look at the log lines for HOLD-ed msgs:
>
> egrep -i "header failure TLW" /var/log/maillog | skipline.sh | less
>
> The filter is in pcre: header_checks.regexp:
>
> /^subject: [a-z0-9]{15,}/ HOLD header failure TLW
>
> ie, a Subject: "word" of 15 or more characters is a "too long word".
>
> One busy MX I admin had 4000 TLW HOLDs through about midday Friday.
>
> a string of 12 might be enough for English, but it was a little short
> for French, very probably too short for German. :)
>
> Len

--
Kevin Coveney
Connetrix
516.576.3300 x13
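
Added example (not part of the thread, and not code from either poster): a small Python harness that runs Len's TLW pattern, and a hypothetical variant that skips a long word followed by a dot and letters, over the subjects quoted above plus constructed client-style subjects. The variant pattern, the `.example` subjects and the use of Python's `re` in place of Postfix's PCRE table are assumptions.

```python
import re

# Len's pattern from the post. Postfix header_checks match case-insensitively
# by default, so re.IGNORECASE mirrors that behaviour here.
TLW = re.compile(r"^subject: [a-z0-9]{15,}", re.IGNORECASE)

# Hypothetical variant (assumption, not from the thread): same trigger, but the
# long word must end there and must not be followed by ".letters" (a domain).
# The first lookahead stops the regex backtracking to a shorter prefix.
TLW_SKIP_DOMAINS = re.compile(
    r"^subject: [a-z0-9]{15,}(?![a-z0-9])(?!\.[a-z]{2,})", re.IGNORECASE
)

# Subjects quoted in Len's message.
SPAM_SUBJECTS = [
    "CustomerSupport100mgTakeALook",
    "CanadianOnlineDrugstoreAddtoCart",
    "DFAapprovedNewOffer100mg",
    "VCheapViagraAndCialis",
    "ShippingFriendlySupportWorldwide",
    "InternationalPharPillsInternationalPhar",
    "ForValuedCustomerWelcomePharm",
]

# Constructed legitimate subjects (reserved .example TLD).
CLIENT_SUBJECTS = [
    "verylongclientdomain.example renewal",   # long label leads the subject
    "Re: verylongclientdomain.example",       # long label is not the first word
    "Quarterly invoice attached",             # no long word at all
]


def held(pattern, header_line):
    """True if the header line would trigger the HOLD rule."""
    return pattern.search(header_line) is not None


def classify(pattern, subjects):
    """Map each subject to whether the pattern would HOLD it."""
    return {s: held(pattern, "Subject: " + s) for s in subjects}


if __name__ == "__main__":
    for name, pat in (("TLW", TLW), ("TLW_SKIP_DOMAINS", TLW_SKIP_DOMAINS)):
        print(name)
        for subj, hit in classify(pat, SPAM_SUBJECTS + CLIENT_SUBJECTS).items():
            print(f"  {'HOLD' if hit else 'pass'}  {subj}")
```

The pattern is anchored to the first word after `Subject: `, so a long domain label behind `Re: ` is never held by either version. The variant exempts any long first word followed by a dot and two or more letters, so review what it passes in WARN mode before switching it to HOLD.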