[NOOB warning here!] I am on a small lousy isp (named above) and get _no_mail_ I want with another ntlworld.ie address on it. Spammers bulk mail to each server for efficiency. Punishing a second address on your isp would be stupid in the extreme on other servers (e.g. aol.com) but a very good idea here. When I set to write a rule for catching these, I found that the 'To:addr' variable is where the Bermuda Triangle intersects with the Twilight Zone :-/. (BTW, Versions are perl-5.6.1, SA-2.63, postfix-2.1.13, procmail-3.22. I am rewriting subjects, and adding headers and a report)
I failed completely. \n, \b, \t, \W & \w don't seem to function as they should. Better than I at regexes have tried and failed. This rule, however

    header ISP To:addr =~ /([EMAIL PROTECTED],5}\b)/

picks up an ntlworld.ie address only when it is spam! :-/ It's 100%(!) and shows on every spam I get, over 60 since it went in. The only false positives are from majordomos, which is an edited file mailed to me. Something (good) is going on and I don't know what. I suspect that spam is edited by hand before distribution, and that somehow I am catching that. But this one

    header LFS To:addr =~ /([EMAIL PROTECTED],6}\b)/ [changes underlined]
    ^^^^^^^^^^^^^^^^ ^

does not catch spam to linuxfromscratch.org on my system. I get a mailing list from there forwarded to me :-/. I have one hit with it. The To: line is

    [EMAIL PROTECTED]

Using egrep, this one

    '([EMAIL PROTECTED],5}\b)'
    ^

catches the likes of this:

    To: "Kathie Webb" <[EMAIL PROTECTED]>

i.e. the first of many lines of addresses of spam, but sees nothing using spamc/spamd. I never got a regex to pick up the examples below (copied & pasted from spam).

    To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
        [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
        [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
        [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
        [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]

Or this one

    To: "Kathie Webb" <[EMAIL PROTECTED]>
    Cc: "Clair Alvarez" <[EMAIL PROTECTED]>, "Danyel Martin" <[EMAIL PROTECTED]>,
        "Faustina Flores" <[EMAIL PROTECTED]>, "Oliva Carter" <[EMAIL PROTECTED]>

(I'm in those as my Electronic hardware self <[EMAIL PROTECTED]>)

Now comparing legit and spam e-mails, I can't see much difference with a hex editor (both have 0x0a and 0x20) and I am completely off the map. I don't know why this works

    header ISP To:addr =~ /([EMAIL PROTECTED],5}\b)/

or why the others don't. What I see with egrep is not close to what spamd/spamc give.
I know newbies should (expletive deleted) off and read. I've given this a good shot before coming here. I've read too. Any ideas/hints?

--
With best Regards,
Declan Moriarty.
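An added example, not part of the original post and not SpamAssassin's own code: a small Python model of the difference between a `To:addr` header rule and egrep over the raw message. It assumes the documented SpamAssassin behaviour that `:addr` keeps only the first address of the named header; the `example.ie`/`example.org` addresses, the sample message and `PATTERN` are constructed stand-ins for the redacted ones.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (placeholder addresses, not taken from the post).
RAW = '''\
From: sender@example.org
To: "Kathie Webb" <kwebb@example.org>,
 other1@example.ie, me@example.ie
Cc: "Clair Alvarez" <calvarez@example.ie>
Subject: constructed sample

body
'''

# Hypothetical stand-in for the redacted rule pattern: any address at example.ie.
PATTERN = re.compile(r'\b[\w.+-]+@example\.ie\b', re.I)


def first_addr(msg, header):
    """Model of ':addr': the first address of the named header, nothing else."""
    pairs = getaddresses(msg.get_all(header, []))
    return pairs[0][1] if pairs else ''


def rule_hits_addr(raw, header='To'):
    """True if PATTERN matches what a '<header>:addr' rule would be given."""
    return bool(PATTERN.search(first_addr(message_from_string(raw), header)))


def grep_hits(raw):
    """What egrep over the file sees: every raw line, Cc and folded lines included."""
    return [line for line in raw.splitlines() if PATTERN.search(line)]


if __name__ == '__main__':
    print('To:addr value :', first_addr(message_from_string(RAW), 'To'))
    print('To:addr rule  :', rule_hits_addr(RAW))
    print('egrep lines   :', grep_hits(RAW))
```

A rule on `To:addr` therefore never sees the second and later recipients or anything in `Cc:`, while egrep matches those lines in the raw file.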