Does it matter how far down the message the match is? This is a sample
message:
--- snip ---
Message 12:
From MAILER-DAEMON (at mark) server1.mainline.co.uk Thu Jan 18 21:09:32 2007
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on
server1.mainline.co.uk
X-Spam-Level: **
X-Spam-Status: No, score=2.4 required=5.0 tests=BAYES_50,
MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID,NO_REAL_NAME
autolearn=no
version=3.1.1
Date: 18 Jan 2007 21:09:25 -0000
From: MAILER-DAEMON (at mark) mail10.opentransfer.com
To: harry (at mark) fast-mail.net
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="1169154565mail10.opentransfer.com770590"
Subject: failure notice
X-Mainline-MailScanner-Information: Please contact the ISP for more
information
X-Mainline-MailScanner: Found to be clean
X-Mainline-MailScanner-From:
--1169154565mail10.opentransfer.com770590
Hi. This is the qmail-send program at mail10.opentransfer.com.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<catchall (at mark) posteverywhere.com>:
This message is looping: it already has my Delivered-To line. (#5.4.6)
--- Enclosed are the original headers of the message.
--
This message has been scanned for viruses and
dangerous content by the Mainline Internet MailScanner, and is
believed to be clean.
--1169154565mail10.opentransfer.com770590
Content-Type: message/rfc822
Return-Path: <harry (at mark) fast-mail.net>
Received: (qmail 22197 invoked by uid 399); 18 Jan 2007 21:09:19 -0000
Delivered-To: sales (at mark) posteverywhere.com
Received: (qmail 22014 invoked by uid 399); 18 Jan 2007 21:09:14 -0000
Delivered-To: posteverywhere.com-catchall (at mark) posteverywhere.com
Received: (qmail 21841 invoked by uid 399); 18 Jan 2007 21:09:09 -0000
Delivered-To: notify (at mark) posteverywhere.com
Received: (qmail 21639 invoked by uid 399); 18 Jan 2007 21:09:04 -0000
X-Virus-Scan: Scanned by clamdmail 0.15 (no viruses);
Thu, 18 Jan 2007 15:09:09 -0600
Received: from unknown (HELO 21.1.98-84.rev.gaoland.net) (84.98.1.21)
by mail10.opentransfer.com with SMTP; 18 Jan 2007 21:09:04 -0000
Received: from 212.21.100.75 (HELO mxcluster.mainline.co.uk)
by posteverywhere.com with esmtp (3.L+F.0:K( ,G1(7*)
id /245=N-4Q1RQ?-BM
for notify (at mark) posteverywhere.com; Thu, 18 Jan 2007 21:49:39 -0060
Message-ID: <01c73b4a$8d7b1160$6c822ecf@harry>
-- end snip --
Any other ideas anyone?
Thanks
Colin
> -----Original Message-----
> From: Colin Jack [mailto:colin (at mark) mainline.co.uk]
> Sent: Wednesday, January 17, 2007 7:09 AM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:08602] Re: Stemming returned undeliverables
> from spoofed spam
>
> Okay thanks ... what does the * do before ^?
> It's a wildcard isn't it?
>
> You can see I'm not up to speed on procmail ;)
>
> Thanks
>
> Colin
>
> > -----Original Message-----
> > From: Paul Aviles [mailto:paul.aviles (at mark) nickelnetworks.com]
> > Sent: Wednesday, January 17, 2007 3:17 AM
> > To: Colin Jack
> > Subject: RE: [coba-e:08588] Re: Stemming returned
> undeliverables from
> > spoofed spam
> >
> > I think you have an extra ":". Try
> >
> > :0
> > * ^Received: from 212.21.100.75 (HELO
> > mxcluster.mainline.co.uk) /dev/null
> >
> > Or something like this..
> >
> > :0
> > * ^Received:.*212.21.100.75.*
> > /dev/null
> >
> > Make sure you are not blocking the servers from sending or rec
> > email....
> >
> > Let me know if it works.
> >
> > -pa
> >
> > -----Original Message-----
> > From: Colin Jack [mailto:colin (at mark) mainline.co.uk]
> > Sent: Tuesday, January 16, 2007 10:27 AM
> > To: Paul Aviles
> > Subject: RE: [coba-e:08588] Re: Stemming returned
> undeliverables from
> > spoofed spam
> >
> > Thanks Paul,
> >
> > The string from the original email (which is included in the
> > bounce) is
> >
> > Received: from 212.21.100.75 (HELO mxcluster.mainline.co.uk)
> >
> > So what about this in procmailrc?
> >
> > :0:
> > ^Received: from 212.21.100.75 (HELO mxcluster.mainline.co.uk)
> > /dev/null
> >
> > Much appreciated
> >
> > Colin
> >
> > > -----Original Message-----
> > > From: Paul Aviles [mailto:paul.aviles (at mark) nickelnetworks.com]
> > > Sent: Tuesday, January 16, 2007 1:22 PM
> > > To: Colin Jack
> > > Subject: RE: [coba-e:08588] Re: Stemming returned
> > undeliverables from
> > > spoofed spam
> > >
> > > Colin, yes, send me the specifics and will send you the
> > modifications
> > > to sendmail.mc or either procmail to /dev/null them.
> > >
> > > Regards,
> > >
> > > Paul Aviles
> > > Nickel Networks
> > >
> > >
> > > -----Original Message-----
> > > From: Colin Jack [mailto:colin (at mark) mainline.co.uk]
> > > Sent: Tuesday, January 16, 2007 5:34 AM
> > > To: coba-e (at mark) bluequartz.org
> > > Subject: [coba-e:08588] Re: Stemming returned undeliverables from
> > > spoofed spam
> > >
> > > I have found a header in the emails that is unique to the
> > scatter (the
> > > original spam email has spoofed the sending server but
> got the host
> > > name slightly wrong).
> > >
> > > Yes we are using all the usual anti-spam techniques ...
> > this is just
> > > 'scatter' from other mail servers.
> > >
> > > Colin
> > >
> > > > -----Original Message-----
> > > > From: Paul Aviles [mailto:paul.aviles (at mark) nickelnetworks.com]
> > > > Sent: Monday, January 15, 2007 9:31 PM
> > > > To: coba-e (at mark) bluequartz.org
> > > > Subject: [coba-e:08577] Re: Stemming returned
> undeliverables from
> > > > spoofed spam
> > > >
> > > > Colin, those 500 messages are all from different IP's?
> > and you are
> > > > using the common black list, greeting pause etc?
> > > > What about the type of messages? Can you filter by
> > certain type of
> > > > mime messages, attachment type, words in the subject or in
> > > the body of
> > > > the email?
> > > >
> > > > Regards,
> > > >
> > > > Paul Aviles
> > > > Nickel Networks
> > > >
> > > > -----Original Message-----
> > > > From: Colin Jack [mailto:colin (at mark) mainline.co.uk]
> > > > Sent: Monday, January 15, 2007 4:15 PM
> > > > To: coba-e (at mark) bluequartz.org
> > > > Subject: [coba-e:08574] Re: Stemming returned
> undeliverables from
> > > > spoofed spam
> > > >
> > > > I don't think you understand the problem.
> > > >
> > > > My clients are receiving mailer_daemon messages from
> > > servers all over
> > > > the world rejecting spam, and because the From:
> > > > address has been spoofed (using my clients' addresses) in
> > > the original
> > > > spam, they are getting these messages. This is what I'm
> trying to
> > > > filter out.
> > > >
> > > > I need to look at the milter-null idea a bit further,
> this looks
> > > > interesting. Thanks Adam.
> > > >
> > > > Regards
> > > >
> > > > Colin
> > > >
> > > > > -----Original Message-----
> > > > > From: Paul Aviles [mailto:paul.aviles (at mark) nickelnetworks.com]
> > > > > Sent: Monday, January 15, 2007 7:36 PM
> > > > > To: coba-e (at mark) bluequartz.org
> > > > > Subject: [coba-e:08572] Re: Stemming returned
> > undeliverables from
> > > > > spoofed spam
> > > > >
> > > > > Block the IP address from connecting to your box. If it is a
> > > > spammer and
> > > > > you are getting that many connections there must be
> > something in
> > > > > common, either a range of IP's, domains or something to block.
> > > > >
> > > > > Regards,
> > > > >
> > > > > Paul Aviles
> > > > > Nickel Networks
> > > > >
> > > > > -----Original Message-----
> > > > > From: Colin Jack [mailto:colin (at mark) mainline.co.uk]
> > > > > Sent: Monday, January 15, 2007 12:52 PM
> > > > > To: coba-e (at mark) bluequartz.org
> > > > > Subject: [coba-e:08568] Stemming returned undeliverables
> > > > from spoofed
> > > > > spam
> > > > >
> > > > > I'm looking for some ideas from the more experienced guys
> > > out there.
> > > > >
> > > > > We have a number of clients who are being flooded with
> > > > 'undeliverable'
> > > > > messages where a spammer has used their email address in
> > > the header
> > > > > for the
> > > > > From: field and they are getting all the bounces. Has
> > > > anybody any idea
> > > > > how I might help stem the flow - one guy is getting 500
> > > an hour and
> > > > > this has been going on for a week! Needless to say it is
> > > > not helping
> > > > > my server load either!
> > > > >
> > > > > Using BQ 4.6 ... patched up to date.
> > > > >
> > > > > Thanks in anticipation.
> > > > >
> > > > > Colin
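An added illustration of the point behind the question at the top of this message (it is not part of the thread, and the sample bounce, the helper names and the pattern escaping are mine, not procmail's): a plain `:0` recipe only searches the header section of the message (the `H` flag is the default), and the `Received:` line Colin wants to match sits inside the enclosed `message/rfc822` part, which is below the first blank line and therefore in the body. A body match needs the `B` flag (`:0 B`). In a condition line, `*` introduces the condition and `^` anchors the pattern at the start of a line, so it is not a wildcard; the dots in the IP address should be escaped so they match literal dots. The script below splits a constructed bounce the way procmail does and runs the thread's pattern against each part:

```shell
#!/bin/sh
# Added example, not from the thread: emulate procmail's header-only (:0)
# versus body (:0 B) matching to show why a Received: line that sits inside
# the enclosed message/rfc822 part of a bounce is invisible to a plain recipe.

# Constructed sample bounce modelled on the structure of the one in the post.
# The spoofed Received: line is below the first blank line, i.e. in the body.
SAMPLE='From: MAILER-DAEMON@example.invalid
To: harry@example.invalid
Subject: failure notice
Content-Type: multipart/mixed; boundary="xyz"

--xyz
Hi. This is the qmail-send program at example.invalid.
--xyz
Content-Type: message/rfc822
Received: from 212.21.100.75 (HELO mxcluster.mainline.co.uk)
  by example.invalid with esmtp
Message-ID: <x@harry>
--xyz--
'

# Pattern from the recipe in the thread, with the dots escaped so they match
# literal dots rather than any character.
PATTERN='^Received:.*212\.21\.100\.75'

# header_part: everything before the first empty line (what a plain :0 sees)
header_part() { printf '%s' "$1" | awk '/^$/ { exit } { print }'; }
# body_part: everything after the first empty line (what :0 B sees)
body_part()   { printf '%s' "$1" | awk 'f { print } /^$/ { f = 1 }'; }

# Exit 0 when the pattern matches a header line, like ":0" with "* PATTERN"
matches_header() { header_part "$1" | grep -Eq "$2"; }
# Exit 0 when the pattern matches a body line, like ":0 B" with "* PATTERN"
matches_body()   { body_part "$1" | grep -Eq "$2"; }

# Report which recipe flavour would have caught the sample bounce.
if matches_header "$SAMPLE" "$PATTERN"; then
    echo ':0 (header only) matches'
else
    echo ':0 (header only) does NOT match - Received: line is in the body'
fi
if matches_body "$SAMPLE" "$PATTERN"; then
    echo ':0 B (body) matches'
else
    echo ':0 B (body) does NOT match'
fi
```

The corresponding procmail recipe, once the match is known to be in the body, is `:0 B` followed by `* ^Received:.*212\.21\.100\.75` and the destination `/dev/null`; the trailing colon in `:0:` asks for a lockfile, which is pointless when the destination is `/dev/null`. Since the spoofed HELO name is what makes these bounces distinctive, a defender should keep the condition tight enough that legitimate mail relayed through the real `mxcluster.mainline.co.uk` is not discarded, as Paul warns above.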