Len

The only problem I see with this is I get a lot of emails from clients
referencing their domain name in the subject. These days the 15+ char
domains are common.

Any idea on how we can best handle 15+ chars not ending in one of the
common domain extensions?

Thanks
-Kevin

Len Conrad wrote:
> I've been getting a few of these in the past couple of days, where 
> the Subject: is a concatenation of several words, sometimes with numbers, eg:
> 
> CustomerSupport100mgTakeALook
> CanadianOnlineDrugstoreAddtoCart
> DFAapprovedNewOffer100mg
> VCheapViagraAndCialis
> ShippingFriendlySupportWorldwide
> InternationalPharPillsInternationalPhar
> ForValuedCustomerWelcomePharm
> 
> This spam has been arriving only in the past 2 - 3 days.
> 
> I added a header filter, first in WARN mode, everything looked like 
> junk, and mostly from PTR-less IPs or IPs with subscriber access 
> PTRs.  So I upgraded it to HOLD mode.
> 
> The filter triggers if there is a subject: with a "too long word" of 
> 15 or more consecutive characters or digits.
> 
> If you want to take a look at the log lines for HOLD-ed msgs:
> 
> egrep -i "header failure TLW" /var/log/maillog | skipline.sh | less
> 
> 
> The filter is in pcre: header_checks.regexp:
> 
> /^subject: [a-z0-9]{15,}/ HOLD header failure TLW
> 
> ie, a Subject: "word" of 15 or more characters is a "too long word".
> 
> One busy MX I admin had 4000 TLW HOLDs through about midday Friday.
> 
> A string of 12 might be enough for English, but it was a little short 
> for French, very probably too short for German.  :)
> 
> Len
> 
> 
> 

-- 
Kevin Coveney
Connetrix
516.576.3300 x13
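
An added example, not part of the original thread: a Python harness that runs Len's TLW pattern, and a hypothetical variant exempting long words followed by a domain extension, over the quoted subjects plus constructed domain-style subjects. The TLD list, the variant patterns and the names below are assumptions; the case-insensitive flag mirrors the default of Postfix pcre tables.

```python
import re

# Len's rule as posted (Postfix pcre tables are case-insensitive by default).
TLW = re.compile(r"^subject: [a-z0-9]{15,}", re.I)

TLDS = "com|net|org"  # assumed "common domain extensions"

# Naive exemption: a lookahead alone does not work, because the engine
# backtracks one character ("...nam" followed by "e.com") and still matches.
TLW_NAIVE = re.compile(rf"^subject: [a-z0-9]{{15,}}(?!\.(?:{TLDS})\b)", re.I)

# Hypothetical variant: require the word to end first, then reject if a dot
# plus a listed TLD follows. Same regex in header_checks syntax (assumption):
# /^subject: [a-z0-9]{15,}(?![a-z0-9])(?!\.(?:com|net|org)\b)/ HOLD header failure TLW
TLW_EXEMPT = re.compile(
    rf"^subject: [a-z0-9]{{15,}}(?![a-z0-9])(?!\.(?:{TLDS})\b)", re.I)

SPAM = [  # subjects quoted in the thread
    "Subject: CustomerSupport100mgTakeALook",
    "Subject: VCheapViagraAndCialis",
    "Subject: ForValuedCustomerWelcomePharm",
]
CLIENT = [  # constructed samples of the client mail Kevin describes
    "Subject: longclientdomainname.com renewal",
    "Subject: longclientdomainname.info renewal",  # TLD not in the list
    "Subject: longclientdomainname renewal",       # no extension at all
]

def held(pattern, header):
    """True if this header line would trigger the HOLD action."""
    return pattern.search(header) is not None

def held_subjects(pattern, headers):
    return [h for h in headers if held(pattern, h)]

if __name__ == "__main__":
    for name, pat in [("TLW", TLW), ("naive", TLW_NAIVE), ("exempt", TLW_EXEMPT)]:
        print(name, "holds", len(held_subjects(pat, SPAM)), "spam and",
              len(held_subjects(pat, CLIENT)), "client subjects")
```

The variant only rescues subjects where the long word is followed by a listed extension; a bare 15+ character domain label or an unlisted extension is still held, so leaving such a rule in WARN mode and reviewing the log lines first, as Len did, remains the way to measure false positives.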
