mailfilter rule for matching address ANYWHERE in header
I've recently started using mailfilter (called as a precommand from fetchmail) and it works really well. (I have had a couple of mail addresses faked by spammers, so I've had tens of thousands of mail bounces over the last month.) If a mail slips through, I add another rule to cope.

However, I find it is not deleting mail messages where the mail address does not appear in the To: field, but appears as a 'for' line elsewhere in the header. In the example below, the faked address is [EMAIL PROTECTED], and I have set up a DENY filter to delete it from the server. But it doesn't work. Is there something wrong with my regexp?

Dougie

v header containing faked e-mail address --
Return-path: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
Received: from postie by tbird2.homelan with local (Exim 3.33 #1 (Debian))
    id 16QlnU-0008NX-00
    for [EMAIL PROTECTED]; Wed, 16 Jan 2002 08:51:52 +
Received: from root by tbird2.homelan with local (Exim 3.33 #1 (Debian))
    id 16QlnS-0008Lp-00
    for [EMAIL PROTECTED]; Wed, 16 Jan 2002 08:51:50 +
Received: from mail.cix.co.uk [212.35.225.149]
    by localhost with POP3 (fetchmail-5.9.6)
    for [EMAIL PROTECTED] (single-drop); Wed, 16 Jan 2002 08:51:49 + (GMT)
Received: from sulphur.cix.co.uk (localhost [127.0.0.1])
    by sulphur.cix.co.uk (8.11.3/CIX/8.11.2_BM26) with ESMTP id g0G8MQq09338
    for [EMAIL PROTECTED]; Wed, 16 Jan 2002 08:22:26 GMT
Received: from deliverator.sgi.com (deliverator.sgi.com [204.94.214.10])
    by sulphur.cix.co.uk (8.11.3/CIX/8.11.3) with ESMTP id g0G8MOL09292
    for [EMAIL PROTECTED]; Wed, 16 Jan 2002 08:22:25 GMT
X-Envelope-From: [EMAIL PROTECTED]
Received: (from [EMAIL PROTECTED])
    by deliverator.sgi.com (980309.SGI.8.8.8-aspam-6.2/980310.SGI-aspam) id AAA08556
    for [EMAIL PROTECTED]; Wed, 16 Jan 2002 00:17:51 -0800 (PST)
    mail_from (Mailer-Daemon)
Date: Wed, 16 Jan 2002 00:17:51 -0800 (PST)
From: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Subject: Returned mail: unknown user
X-Envelope-To: [EMAIL PROTECTED]
X-UIDL: _YSC.DhTR8.sulphur
To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Content-Type:
Status: R
X-Status: N
---^ Header containing faked e-mail address

Filter in .mailfilterrc v -
# Filter rules for detecting spam (each rule must be placed
# in a separate line)
# These filters detect certain unpleasant e-mail subjects:
DENY=^To:[EMAIL PROTECTED] [EMAIL PROTECTED]
DENY=^To:[EMAIL PROTECTED] [EMAIL PROTECTED]
^^^ - Filter in .mailfilterrc ---

Re: mailfilter rule for matching address ANYWHERE in header
On Wed, Jan 16, 2002 at 10:40:02AM +, Dougie Nisbet wrote:
> I've recently started using mailfilter (called as a precommand from fetchmail) and it works really well. (I have had a couple of mail addresses faked by spammers, so I've had tens of thousands of mail bounces over the last month.) If a mail slips through, I add another rule to cope.
>
> However, I find it is not deleting mail messages where the mail address does not appear in the To: field, but appears as a 'for' line elsewhere in the header. In the example below, the faked address is [EMAIL PROTECTED], and I have set up a DENY filter to delete it from the server. But it doesn't work. Is there something wrong with my regexp?
>
> Filter in .mailfilterrc v -
> # Filter rules for detecting spam (each rule must be placed
> # in a separate line)
> # These filters detect certain unpleasant e-mail subjects:
> DENY=^To:[EMAIL PROTECTED] [EMAIL PROTECTED]
> DENY=^To:[EMAIL PROTECTED] [EMAIL PROTECTED]
> ^^^ - Filter in .mailfilterrc ---

You have to escape the dots (.) with a backslash (\)

[EMAIL PROTECTED]

Maybe there are other things wrong.

btw, if you get a lot of mails (for me it's about 400-600 a day) it might be faster to do the thing with procmail. I have no flat rate (ISDN, paying per minute) and it took me a lot of time checking 400 mails with, say, 30-40 patterns. So I decided to block only AOL, MSN and others in the frontier and I'll set up the rest with procmail.

Sven

--
Lamer! :)\nLocal admin with enormous privileges[tm]
[Christian Schneider and Jens Himmelrath in alt.hacker.org-gcf]
http://www.linux-secure.de http://www.linuxboard.de
http://www.bluephod.net http://www.disconow.de

Re: mailfilter rule for matching address ANYWHERE in header
On Wednesday 16 January 2002 4:03 pm, Sven Hoexter wrote:
> You have to escape the dots (.) with a backslash (\)
>
> [EMAIL PROTECTED]

I'll give that a try but I'm not sure that's the problem. It had seemed to be working fine, but now the mails are getting through. I had a look at the log, and it begins with things like:

-- vvv ---
+0900. [Applied filter: '^To:.*lmailfilter: 0.2.4 querying mail.cix.co.uk on Wed Jan 16 21:58:17 2
002
mailfilter: Examining 873 message(s).
mailfilter: Deleted [EMAIL PROTECTED]: Delivery failure, Wed, 16 Jan 2002 22:18
:09 +0900. [Applied filter: '^To:[EMAIL PROTECTED]']
mailfilter: Deleted [EMAIL PROTECTED]: Delivery failure, Wed, 16 Jan 2002 22:18
:09 +0900. [Applied filter: '^To:[EMAIL PROTECTED]']
-- ^^^ ---

which all looks very promising, but then at the end of the log it does not terminate cleanly.

-- vvv ---
mailfilter: Deleted [EMAIL PROTECTED]: Delivery failure, Thu, 17 Jan 2002 03:52:50 +
0900. [Applied filter: '^To:[EMAIL PROTECTED]']
mailfilter: Deleted [EMAIL PROTECTED]: Delivery failure, Thu, 17 Jan 2002 03:54:15 +
0900. [Applied filter: '^To:[EMAIL PROTECTED]']
mailfilter: Deleted [EMAIL PROTECTED]: Delivery failure, Thu, 17 Jan 2002 03:54:15 +
0900. [Applied filter: '^To:[EMAIL PROTECTED]']
mailfilter: Error: Sent LIST, but server responded with an error.
(END)
-- ^^^ ---

I'm not sure what this means, but it seems to me that these messages may not be getting deleted. Theoretically, there will be a window after the mailfilter runs and fetchmail runs where I could get really unlucky and a load of mails could flood in, but I think it's more likely that mailfilter is encountering problems with the mailbox.

> btw, if you get a lot of mails (for me it's about 400-600 a day) it might be faster to do the thing with procmail. I have no flat rate (ISDN, paying per minute) and it took me a lot of time checking 400 mails with, say, 30-40 patterns. So I decided to block only AOL, MSN and others in the frontier and I'll set up the rest with procmail.

The mail address with the problem is with an ISP that doesn't offer anything like procmail. My other 'real' ISP (www.uklinux.net) does offer procmail, so if I get any problems with that, I'll be ok.

Dougie
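
Added example, not part of the original thread and not mailfilter code: a Python sketch of the two regex points discussed above, namely a `^To:` anchor that never sees an address carried only in Received "for" clauses, and an unescaped dot matching any character. It uses Python's `re` module rather than mailfilter's own regex engine, and the header and addresses (`forged@example.org` and so on) are constructed placeholders.

```python
import re

# Constructed bounce header (placeholder addresses, not taken from the thread).
# The forged address appears only in a Received "for" clause and in
# X-Envelope-To, while To: carries a different address.
SAMPLE_HEADER = """\
Return-path: <mailer-daemon@bounce.example.net>
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id g0G8MOL09292
\tfor <forged@example.org>; Wed, 16 Jan 2002 08:22:25 GMT
From: mailer-daemon@bounce.example.net
Subject: Returned mail: unknown user
X-Envelope-To: forged@example.org
To: realuser@example.org
"""


def unfold(header: str) -> str:
    """Join folded continuation lines onto the field line they belong to."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def matches(pattern: str, header: str) -> bool:
    """Case-insensitive search where ^ and $ anchor at every header line."""
    flags = re.MULTILINE | re.IGNORECASE
    return re.search(pattern, unfold(header), flags) is not None


def matching_fields(pattern: str, header: str) -> list:
    """Names of the header fields whose unfolded line matches the pattern."""
    rx = re.compile(pattern, re.IGNORECASE)
    lines = unfold(header).splitlines()
    return [line.split(":", 1)[0] for line in lines if rx.search(line)]


if __name__ == "__main__":
    for pat in (r"^To:.*forged@example\.org",   # anchored to the To: field only
                r"forged@example\.org",         # unanchored: any header field
                r"^Received:.*for <forged@example\.org>"):
        print(f"{pat!r:45} -> {matches(pat, SAMPLE_HEADER)}")
    print(matching_fields(r"forged@example\.org", SAMPLE_HEADER))
    # An unescaped dot matches any character, so the rule is broader than intended.
    print(matches("forged@example.org", "To: forged@exampleXorg\n"))
```

Without the `unfold` step, a line-anchored pattern such as `^Received:.*forged@example\.org` does not match the sample, because the "for" clause sits on a continuation line of the folded field.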