Jasim Asfoor | 1 Sep 22:03 2006

Aliases xFrom address restriction

Hi,

I need /etc/procmailrc to restrict "From" mail coming to different aliases by searching at a common whitelist file.

If the email "To" address is HQ_employee <at> domain.com , compare the mail "From" address matching pattern with a common "whitelist" file. i.e eg:/etc/procmail/whitelist

----whitelist file content may be like this---------

HQ_employee: jack, michael, nicholas, freddy, aysha
mgmnt: michael, nicholas
dc: steav, jonnathan, flemming

----------------------------------------------------

If anyone can help me to find the solution to this procmail scripting, it would be very helpful for me.

Thank you.

attch: part of procmail file, but it cannot check specific pattern

Regards
--Jasim


Part of existing procmail file
-----------------------------

#--------Rules to discard, if not in whitelist------------
FROM=`formail -XFrom: | formail -r -xTo: | tr -d ' '`

:0

* ^To.*all_HQ
* ! ? grep -F -i -x -q "$FROM" /etc/procmail/whitelist
/etc/procmail/unknown-sender

------------------------------------------------------------



____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail <at> lists.RWTH-Aachen.DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
Matthias Häker | 2 Sep 07:48 2006

Re: Aliases xFrom address restriction


Jasim Asfoor schrieb:
>
> Hi,
>
> I need /etc/procmailrc to restrict "From" mail coming to different 
> aliases by searching at a common whitelist file.
>
> If the email "To" address is HQ_employee <at> domain.com , compare the mail 
> "From" address matching pattern with a common "whitelist" file. i.e 
> eg:/etc/procmail/whitelist
>
> ----whitelist file content may be like this---------
>

The From is easily faked; it is better to look for the envelope from.

first you have to do something like:

:0  #read the last Received from Header 
* ^Received:.*\/[^ ].*
{ X_RECEIVED=$MATCH }

:0   # reading the part after envelope from
* $ X_RECEIVED ?? envelope-from[ ]+\/.*
{ X_ENVELOPE_FROM=$MATCH }

# setting $NL for a newline

NL = "
"  

# finding fgrep at the right place
FGREP=/usr/bin/fgrep

:0 
* ? (echo "$X_ENVELOPE_FROM" | \
     $FGREP -i -f /etc/mail/friendslist)
{
 LOG = "$NL ======> Received Email From \
"$X_ENVELOPE_FROM" is Whitelisted <====== $NL" 
 WHITE=YES
}

the file

/etc/mail/friendslist

can have the email of your friends 1 by 1 line, an empty line will work 
like a wild card

now you can use
:0:
*   WHITE ?? YES
/var/mail/whiteinboxfile

Matthias
Udi Mottelo | 3 Sep 13:00 2006

Re: Aliases xFrom address restriction


On Sat, 2 Sep 2006, Matthias Häker wrote:

>
>
> Jasim Asfoor schrieb:
>>
>> Hi,
>>
>> I need /etc/procmailrc to restrict "From" mail coming to different
>> aliases by searching at a common whitelist file.
>>
>> If the email "To" address is HQ_employee <at> domain.com , compare the mail
>> "From" address matching pattern with a common "whitelist" file. i.e
>> eg:/etc/procmail/whitelist
>>
>> ----whitelist file content may be like this---------
>>
>
> The From is easily faked; it is better to look for the envelope from.
>
> first you have to do something like:
>
> :0  #read the last Received from Header
> * ^Received:.*\/[^ ].*
> { X_RECEIVED=$MATCH }
>
> :0   # reading the part after envelope from
> * $ X_RECEIVED ?? envelope-from[ ]+\/.*
> { X_ENVELOPE_FROM=$MATCH }

'envelope-from' does not exist in some messages.  Instead of
'Received:' I prefer extracting From_ with formail:

theSENDER=`formail -rz -x"To: "`

Bye,
  Udi

>
> # setting $NL for a newline
>
> NL = "
> "
>
> # finding fgrep at the right place
> FGREP=/usr/bin/fgrep
>
> :0
> * ? (echo "$X_ENVELOPE_FROM" | \
>     $FGREP -i -f /etc/mail/friendslist)
> {
> LOG = "$NL ======> Received Email From \
> "$X_ENVELOPE_FROM" is Whitelisted <====== $NL"
> WHITE=YES
> }
>
>
>
> the file
>
> /etc/mail/friendslist
>
> can have the email of your friends 1 by 1 line, an empty line will work
> like a wild card
>
>
> now you can use
> :0:
> *   WHITE ?? YES
> /var/mail/whiteinboxfile
>
>
> Matthias
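
Added example, not part of any post in this thread: one way to check a sender against the per-alias whitelist format from the original question, comparing whole names instead of running `grep -F -x` over whole lines. It assumes the listed names are the local parts of sender addresses; `sender_allowed`, `write_sample_whitelist` and the script path in the final comment are hypothetical names.

```sh
#!/bin/sh
# Added example; not from the thread. Whitelist lines look like
# "alias: name, name, ..." as in the question. Assumption: each name is
# the local part of an allowed sender address.

# write_sample_whitelist FILE: the three sample lines from the question.
write_sample_whitelist() {
    printf '%s\n' \
        'HQ_employee: jack, michael, nicholas, freddy, aysha' \
        'mgmnt: michael, nicholas' \
        'dc: steav, jonnathan, flemming' > "$1"
}

# sender_allowed FILE ALIAS SENDER
# Returns 0 if SENDER is listed for ALIAS, 1 if not, 2 if FILE is unreadable.
sender_allowed() {
    [ -r "$1" ] || return 2      # fail closed when the list is missing
    # Pass untrusted values through the environment, not awk -v, so that
    # backslashes in a sender address are not treated as escapes.
    WL_ALIAS=$2 WL_SENDER=$3 awk '
        BEGIN {
            want = tolower(ENVIRON["WL_ALIAS"])
            who  = tolower(ENVIRON["WL_SENDER"])
            gsub(/^[ \t<]+|[ \t>]+$/, "", who)   # drop <> and blanks
            sub(/@.*$/, "", who)                 # keep the local part
            rc = 1
        }
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            i = index($0, ":")
            if (i == 0) next
            key = tolower(substr($0, 1, i - 1))
            gsub(/[ \t]/, "", key)
            if (key != want) next
            n = split(substr($0, i + 1), names, ",")
            for (j = 1; j <= n; j++) {
                name = tolower(names[j])
                gsub(/[ \t]/, "", name)
                # Whole-name comparison; an empty name never matches.
                if (name != "" && name == who) { rc = 0; exit }
            }
        }
        END { exit rc }
    ' "$1"
}

# From procmail, with the function wrapped in a script (hypothetical path):
#   * ! ? /usr/local/bin/sender-allowed /etc/procmail/whitelist HQ_employee "$theSENDER"
```

Unlike a substring match with `fgrep -f`, an empty sender or a blank list entry matches nothing here, and `jackson` does not pass as `jack`.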
Luke Vanderfluit | 6 Sep 13:21 2006

stuff getting through my spam filter

Hi All.

I'm sure some of you have probably been hit by this.
I have a spam filter (popfile) that tags spam with 'Subject: [Spam]'

Recently some clever hackers have sent me emails that procmail puts in my Inbox despite them having that header.
The headers of these emails look something like this and have the
'&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&Message-ID:' header:

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 6 Sep 2006 16:30:18 +0930
From: gene_wise_wi <at> starmine.com
                                                                                                                 
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&M
essage-ID: <007b01c6d1e5$72784b40$425a45ca <at>  <at> starmine.com>
From: "Gene Wise" <gene_wise_wi <at> starmine.com>
To: luke <at> chipcity.com.au
Subject: [spam] Attention Penny St00ck Players
Date: Wed, 06 Sep 2006 14:51:22 -0400
MIME-Version: 1.0
Content-Type: text/plain;
        format=flowed;
        charset="iso-8859-1";
        reply-type=original
Content-Tranfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Text-Classification: spam
X-POPFile-Link: http://127.0.0.1:8080/jump_to_message?view=78232 
\____________________________________

Is there a recipe I can use to stop these?
Something like:

:0 D
* ^.*Message-ID:.*
spamMail

Thanks.
Kind regards.
Luke.

--

-- 
............._..
.|  .| |.|/.|_ .
.|__.|_|.|\.|_ .
:61 421 276 282:

Ruud H.G. van Tol | 6 Sep 14:50 2006

Re: stuff getting through my spam filter

Luke Vanderfluit schreef:

> I have a spam filter (popfile) that tags spam with 'Subject: [Spam]'
>
> Recently some clever hackers have sent me emails that procmail puts
> in my Inbox despite them having that header.

How do you know that that assumption is true?
Maybe popfile is corrupting your message.

Try to put a copy of the message as-is, both before and after popfile
touched it, on a website somewhere, so we can have a better look at it.
Did you already visit the "X-POPFile-Link:..."?

Why don't you check the added header?

  :0:  # locking!
  * ^X-Text-Classification: spam
  spamMail

--

-- 
Groet, Ruud
Udi Mottelo | 6 Sep 15:00 2006

Re: stuff getting through my spam filter

On Wed, 6 Sep 2006, Luke Vanderfluit wrote:

> Hi All.

I'm sure some of you have probably been hit by this.
I have a spam filter (popfile) that tags spam with 'Subject: [Spam]'

Recently some clever hackers have sent me emails that procmail puts in my Inbox despite them having that header.
The headers of these emails look something like this and have the
'&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&Message-ID:' header:

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 6 Sep 2006 16:30:18 +0930
From: gene_wise_wi <at> starmine.com
                                                                                                                  
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&M
essage-ID: <007b01c6d1e5$72784b40$425a45ca <at>  <at> starmine.com>
From: "Gene Wise" <gene_wise_wi <at> starmine.com>
To: luke <at> chipcity.com.au
Subject: [spam] Attention Penny St00ck Players
Date: Wed, 06 Sep 2006 14:51:22 -0400
MIME-Version: 1.0
Content-Type: text/plain;
         format=flowed;
         charset="iso-8859-1";
         reply-type=original
Content-Tranfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Text-Classification: spam
X-POPFile-Link: http://127.0.0.1:8080/jump_to_message?view=78232 
\____________________________________

Is there a recipe I can use to stop these?
Something like:

:0 D
* ^.*Message-ID:.*
spamMail

I do not understand, but I have the feeling that you want to
change the rule:

*  ^.+Message-ID:

To be precise:

*  ^&+Message-ID:

No need for '.*' at the end of the line because '.*' means:
anything (except newline) or nothing.

Bye,
  Udi
Alan Clifford | 6 Sep 21:47 2006

Re: stuff getting through my spam filter

On Wed, 6 Sep 2006, Luke Vanderfluit wrote:

LV> Hi All.
LV> 
LV> I'm sure some of you have probably been hit by this.
LV> I have a spam filter (popfile) that tags spam with 'Subject: [Spam]'
LV> 
LV> Recently some clever hackers have sent me emails that procmail puts in 
LV> my Inbox despite them having that header.

Don't ascribe magical powers to senders of junk.  What is the procmail 
recipe that you think should be picking up that header?  Why isn't it 
working?  Show it to us, together with a copy of the header as procmail 
sees it.

Ironically, your message was filtered as spam by one of my old recipes - 
too high a proportion of ampersands in the message body.  Spam Assassin 
did far better and gave your message a negative score.

--

-- 
Alan

( Please do not email me AS WELL as replying to the list.  Please 
  address personal email to alan+1 <at>  as lists <at>  is not read. A
  password autoresponder may be invoked if this email is very old. )
Luke Vanderfluit | 7 Sep 00:56 2006

Re: stuff getting through my spam filter

Hi.

06Sep2006  <at>  14:50 Ruud H.G. van Tol thusly spake
> Luke Vanderfluit schreef:
> 
> > I have a spam filter (popfile) that tags spam with 'Subject: [Spam]'
> >
> > Recently some clever hackers have sent me emails that procmail puts
> > in my Inbox despite them having that header.
> 
> How do you know that that assumption is true?
> Maybe popfile is corrupting your message.
> 
> Try to put a copy of the message as-is, both before and after popfile
> touched it, on a website somewhere, so we can have a better look at it.
> Did you already visit the "X-POPFile-Link:..."?
> 
> 
> Why don't you check the added header?
> 
>   :0:  # locking!
>   * ^X-Text-Classification: spam
>   spamMail

Thanks.
Kind regards.
Luke.

> 
> -- 
> Groet, Ruud

--

-- 
............._..
.|  .| |.|/.|_ .
.|__.|_|.|\.|_ .
:61 421 276 282:
N.J. Mann | 7 Sep 21:59 2006

\< and \> don't quite make it

Hi,

I am trying to use scoring to flag mail on a mailing list I belong to
which is of importance to me.  However, it does not quite work 100% of
the time.  The reason for this is that the "match character before or
after word" pair, \< and \>, exclude the character - from those which
may make up a word.  Now, ordinarily I would agree that a dash is not
normally found in a word (except when used as a hyphen), but in this
particular case a "word" is actually a pathname/filename combination.

Here's a simplified version of my recipe:

  :0
  * ^TO_cvs-ports <at> freebsd\.org
  {
    :0 f
    * 1^1 ^Subject:.*\<ports/x11/xterm\>
    | formail -I "X-Status: F"

    :0:
    freebsd-cvs-ports
  }

The above works fine, except that as well as matching on ports/x11/xterm
it also matches on ports/x11/xterm-whatever which I do not want.  Is
there a way around this?

BTW the Subject line may contain one pathname/filename combination
or many.  Thus the ability to detect the end of a word by encountering
either whitespace or newline is what I am looking for.  (I have tried
negatively scoring the files I am not interested in, but that suffers
from the flaw that if a file I am interested in _and_ a file I am not
both appear in the same message the overall score is zero.)

Any and all suggestions gratefully received.

Cheers,
       Nick.

PS  I am using procmail v3.22 on FreeBSD 6.1-STABLE.
--

-- 
"We're predicting third stage shutdown at 11 minutes 42 seconds."
Mike Peeler | 8 Sep 02:16 2006

Re: \< and \> don't quite make it

N.J. Mann <njm <at> njm.f2s.com> wrote:
> 
> I am trying to use scoring

You don't need to count, you only need to know if the filename occurs.

>     :0 f
>     * 1^1 ^Subject:.*\<ports/x11/xterm\>
>     | formail -I "X-Status: F"
> 
> As well as matching on    ports/x11/xterm
> it also matches on        ports/x11/xterm-whatever
> which I do not want.

So far, this would do:

      *     ^Subject:.*\<ports/x11/xterm\/\>
      * ! MATCH ?? ^^-

> The Subject line may contain one pathname/filename combination or
> many.  Thus the ability to detect the end of a word by encountering
> either whitespace or newline is what I am looking for.

OK, that tells me why you were trying to count.  Here's one that won't
get spoofed in the first place.  If "whitespace" simply means a space:

      *     ^Subject:.*\<ports/x11/xterm( |$)

Or if there might be a tab character:

      * $   ^Subject:.*\<ports/x11/xterm($WS|$)

Assuming:

   SP  = " "
   TAB = "	"
   WS  = "[$SP$TAB]"

HTH,
-mdp
