
.procmailrc problem


Geoff Soper

Jul 17, 2004, 5:36:58 AM
Can anyone suggest why this rule:

<snip>
# Spam
:0:
* ^X-Spam-Flag: YES
* ^TO_*.my_address@my_domain
* !^X-Loop: my_loop_address@my_domain
| (formail -r -I"Precedence: junk" \
-A"From: do_not_reply@my_domain" \
-A"X-Loop: my_loop_address@my_domain" ; \
cat /home/username/auto_responders/geoff_spam) | $SENDMAIL -t
<snip>

lets quite a few messages through such as one containing these headers:

<snip>
To: my_address@my_domain
Subject: *****SPAM***** ORIGINAL MICR0S0FT, AD0BE, N0RTON, COREL DRAW CD
FROM $15 women couvert
Date: Fri, 16 Jul 2004 22:39:13 -0700
Message-Id: <eeke45s5vaglqrmwes0no3hg2f@auxiliumaugitic>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
server.domain.co.uk
X-Spam-Status: Yes, hits=10.6 required=5.0 tests=HTML_30_40,HTML_FONT_BIG,
HTML_MESSAGE,J_CHICKENPOX_14,J_CHICKENPOX_15,J_CHICKENPOX_21,
J_CHICKENPOX_22,J_CHICKENPOX_23,J_CHICKENPOX_26,J_CHICKENPOX_29,
J_CHICKENPOX_42,J_CHICKENPOX_44,J_CHICKENPOX_45,J_CHICKENPOX_62,
MSGID_FROM_MTA_HEADER,SARE_OEM_FAKE_YEAR,SARE_OEM_SOFT_IS
autolearn=no version=2.63
X-Spam-Level: **********
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_40F8AEFF.224F4EA6"
<snip>


Many thanks!
Geoff


Alan Clifford

Jul 17, 2004, 8:40:37 AM
On Sat, 17 Jul 2004, Geoff Soper wrote:

GS> Can anyone suggest why this rule:
GS>
GS> <snip>
GS> # Spam
GS> :0:
GS> * ^X-Spam-Flag: YES
GS> * ^TO_*.my_address@my_domain
GS> * !^X-Loop: my_loop_address@my_domain
GS> | (formail -r -I"Precedence: junk" \
GS> -A"From: do_not_reply@my_domain" \
GS> -A"X-Loop: my_loop_address@my_domain" ; \
GS> cat /home/username/auto_responders/geoff_spam) | $SENDMAIL -t
GS> <snip>
GS>
GS> lets quite a few messages through such as one containing these headers:
GS>
GS> <snip>
GS> To: my_address@my_domain
GS> Subject: *****SPAM***** ORIGINAL MICR0S0FT, AD0BE, N0RTON, COREL DRAW CD
GS> FROM $15 women couvert
GS> Date: Fri, 16 Jul 2004 22:39:13 -0700
GS> Message-Id: <eeke45s5vaglqrmwes0no3hg2f@auxiliumaugitic>
GS> X-Spam-Flag: YES
GS> X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
GS> server.domain.co.uk
GS> X-Spam-Status: Yes, hits=10.6 required=5.0 tests=HTML_30_40,HTML_FONT_BIG,
GS> HTML_MESSAGE,J_CHICKENPOX_14,J_CHICKENPOX_15,J_CHICKENPOX_21,
GS> J_CHICKENPOX_22,J_CHICKENPOX_23,J_CHICKENPOX_26,J_CHICKENPOX_29,
GS> J_CHICKENPOX_42,J_CHICKENPOX_44,J_CHICKENPOX_45,J_CHICKENPOX_62,
GS> MSGID_FROM_MTA_HEADER,SARE_OEM_FAKE_YEAR,SARE_OEM_SOFT_IS
GS> autolearn=no version=2.63
GS> X-Spam-Level: **********
GS> MIME-Version: 1.0
GS> Content-Type: multipart/mixed; boundary="----------=_40F8AEFF.224F4EA6"
GS> <snip>
GS>
GS>
GS> Many thanks!
GS> Geoff
GS>

GS> * ^TO_*.my_address@my_domain
GS> To: my_address@my_domain


These two lines do not match. It says so in the verbose log you posted.

--
Alan

( If replying by mail, please note that all "sardines" are canned.
There is also a password autoresponder but, unless this is a very
old message, a "tuna" will swim right through. )

Alan Connor

Jul 17, 2004, 1:39:44 PM
On Sat, 17 Jul 2004 10:36:58 +0100, Geoff Soper <geoff.ne...@alphaworks.co.uk> wrote:
>

Hi Geoff.

>
> Can anyone suggest why this rule:
>
><snip>
> # Spam
>:0:
> * ^X-Spam-Flag: YES
> * ^TO_*.my_address@my_domain

That should be ^TO_.*

The way you have it, it's telling procmail to pass any mail with 0 or
more instances of ^TO_ followed by a single character ".".

".*" means 0 or more instances of any character.

> * !^X-Loop: my_loop_address@my_domain

I'd put a space after the "!" although this probably won't make any
difference


>| (formail -r -I"Precedence: junk" \
> -A"From: do_not_reply@my_domain" \
> -A"X-Loop: my_loop_address@my_domain" ; \
> cat /home/username/auto_responders/geoff_spam) | $SENDMAIL -t
><snip>
>

Why are you sending an auto-response to obvious spam? The odds of it
being to a real address are minuscule. You really should just send it
to /dev/null.

If that's a Challenge-Response, you should have a passlist (whitelist)
before spamassassin (which I realize you may have) and only send the C-R
to "grey-area" mails that aren't obvious spam and aren't on your passlist.


> lets quite a few messages through such as one containing these headers:
>
><snip>
> To: my_address@my_domain
> Subject: *****SPAM***** ORIGINAL MICR0S0FT, AD0BE, N0RTON, COREL DRAW CD
> FROM $15 women couvert
> Date: Fri, 16 Jul 2004 22:39:13 -0700
> Message-Id: <eeke45s5vaglqrmwes0no3hg2f@auxiliumaugitic>
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
> server.domain.co.uk
> X-Spam-Status: Yes, hits=10.6 required=5.0 tests=HTML_30_40,HTML_FONT_BIG,
> HTML_MESSAGE,J_CHICKENPOX_14,J_CHICKENPOX_15,J_CHICKENPOX_21,
> J_CHICKENPOX_22,J_CHICKENPOX_23,J_CHICKENPOX_26,J_CHICKENPOX_29,
> J_CHICKENPOX_42,J_CHICKENPOX_44,J_CHICKENPOX_45,J_CHICKENPOX_62,
> MSGID_FROM_MTA_HEADER,SARE_OEM_FAKE_YEAR,SARE_OEM_SOFT_IS
> autolearn=no version=2.63
> X-Spam-Level: **********
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="----------=_40F8AEFF.224F4EA6"
><snip>
>
>
> Many thanks!
> Geoff
>
>
>

For future reference:

Put the mails that are beating your filter into a separate file (mbox)
and make a copy of your procmailrc with irrelevant recipes stripped and
the environment variables up top pointing to a different MAILDIR, and
different LOGFILE (with VERBOSE set to =yes) etc., and run them through
procmail with:

cat new_mbox | /usr/bin/formail -ds /usr/bin/procmail /path_to/new_procmailrc

Then play with the problem recipes until you figure it out.

AC


Alan Connor

Jul 17, 2004, 2:09:55 PM
On Sat, 17 Jul 2004 17:39:44 GMT, Alan Connor <zzz...@xxx.yyy> wrote:
>
>
> On Sat, 17 Jul 2004 10:36:58 +0100, Geoff Soper <geoff.ne...@alphaworks.co.uk> wrote:
>>
>
> Hi Geoff.
>
>>
>> Can anyone suggest why this rule:
>>
>><snip>
>> # Spam
>>:0:
>> * ^X-Spam-Flag: YES
>> * ^TO_*.my_address@my_domain
>
> That should be ^TO_.*
>
> The way you have it, it's telling procmail to pass any mail with 0 or
> more instances of ^TO_ followed by a single character ".".
>
> ".*" means 0 or more instances of any character.

Actually, if I am reading this correctly

(from man procmailrc)

If the regular expression contains `^TO_' it will be substituted by
`(^((Original-)?(Resent-)?(To|Cc|Bcc)|(X-Envelope|Apparently(-Resent)?)-To):(.*[^-a-zA-Z0-9_.])?)',
which should catch all destination specifications containing a specific address.

you should make it:

^TO_...@your.address

Be better, if you wanted to avoid sending an Auto-Response to obvious
spam, to change that to:

* ^To: [ ]*y...@your.address[ ]*$

This way the A-R would only be sent to mails that have your address
alone on the To: line. Very, very few spams will come this way.

(presupposing that, as described below, passlisted mails are skimmed
off the top)


>
>> * !^X-Loop: my_loop_address@my_domain
>
> I'd put a space after the "!" although this probably won't make any
> difference
>
>
>>| (formail -r -I"Precedence: junk" \
>> -A"From: do_not_reply@my_domain" \
>> -A"X-Loop: my_loop_address@my_domain" ; \
>> cat /home/username/auto_responders/geoff_spam) | $SENDMAIL -t
>><snip>
>>
>
> Why are you sending an auto-response to obvious spam? The odds of it
> being to a real address are minuscule. You really should just send it
> to /dev/null.
>
> If that's a Challenge-Response, you should have a passlist (whitelist)
> before spamassassin (which I realize you may have) and only send the C-R
> to "grey-area" mails that aren't obvious spam and aren't on your passlist.
>
>
>

<snip>


> For future reference:
>
> Put the mails that are beating your filter into a separate file (mbox)
> and make a copy of your procmailrc with irrelevant recipes stripped and
> the environment variables up top pointing to a different MAILDIR, and
> different LOGFILE (with VERBOSE set to =yes) etc., and run them through
> procmail with:
>
> cat new_mbox | /usr/bin/formail -ds /usr/bin/procmail /path_to/new_procmailrc
>
> Then play with the problem recipes until you figure it out.
>
> AC
>
>


AC
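
The `^TO_` expansion quoted from the man page in the post above can be checked outside procmail. This is an added example, not code from any poster in the thread: it expands the macro by hand and, as an assumption, uses `grep -Ei` as a stand-in for procmail's matcher; the header strings are constructed, and `expand_cond` and `cond_matches` are hypothetical helper names.

```shell
#!/bin/sh
# ^TO_ expansion, copied from the procmailrc man page text quoted in the thread.
TO_MACRO='(^((Original-)?(Resent-)?(To|Cc|Bcc)|(X-Envelope|Apparently(-Resent)?)-To):(.*[^-a-zA-Z0-9_.])?)'

# expand_cond CONDITION: print the condition with a leading ^TO_ replaced
# by the macro text (hypothetical helper, not part of procmail).
expand_cond() {
    case $1 in
        '^TO_'*) printf '%s%s\n' "$TO_MACRO" "${1#????}" ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# cond_matches CONDITION HEADERS: succeed if any header line matches.
# Assumption: grep -Ei approximates procmail's case-insensitive egrep-style
# matching; folded header lines are not rejoined.
cond_matches() {
    printf '%s\n' "$2" | grep -Eiq -e "$(expand_cond "$1")"
}

# Constructed sample headers using the thread's placeholder address.
MINE='Subject: test
To: my_address@my_domain
X-Spam-Flag: YES'
OTHER='To: not_my_address@my_domain'
CC='Cc: Geoff <my_address@my_domain>'
SUBJ='Subject: write to my_address@my_domain'

# Print a small truth table: each condition against each sample header.
for cond in '^TO_my_address@my_domain' '^TO_.*my_address@my_domain'; do
    for name in MINE OTHER CC SUBJ; do
        eval "hdr=\$$name"
        if cond_matches "$cond" "$hdr"; then r=match; else r='no match'; fi
        printf '%-30s %-6s %s\n' "$cond" "$name" "$r"
    done
done
```

With `.*` after the macro, the `OTHER` header matches as well, because `.*` absorbs the `not_` prefix that the macro's trailing `[^-a-zA-Z0-9_.]` would otherwise reject.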


Geoff Soper

Jul 17, 2004, 3:22:43 PM
"Alan Connor" <zzz...@xxx.yyy> wrote in message
news:TXdKc.6335$Qu5....@newsread2.news.pas.earthlink.net...

> On Sat, 17 Jul 2004 17:39:44 GMT, Alan Connor <zzz...@xxx.yyy> wrote:
> >
> >
> > On Sat, 17 Jul 2004 10:36:58 +0100, Geoff Soper <geoff.ne...@alphaworks.co.uk> wrote:
> >> Can anyone suggest why this rule:
> >>
> >><snip>
> >> # Spam
> >>:0:
> >> * ^X-Spam-Flag: YES
> >> * ^TO_*.my_address@my_domain
> >
> > That should be ^TO_.*
> >

Brilliant, for all my time looking I didn't spot this, such a simple typo!

> Be better, if you wanted to avoid sending an Auto-Response to obvious
> spam, to change that to:
>
> * ^To: [ ]*y...@your.address[ ]*$
>
> This way the A-R would only be sent to mails that have your address
> alone on the To: line. Very, very few spams will come this way.

I follow your thinking but unfortunately every spam I have here to look at
has only my address on the To: line.

> > Why are you sending an auto-response to obvious spam? The odds of it
> > being to a real address are minuscule. You really should just send it
> > to /dev/null.
> >
> > If that's a Challenge-Response, you should have a passlist (whitelist)
> > before spamassassin (which I realize you may have) and only send the C-R
> > to "grey-area" mails that aren't obvious spam and aren't on your passlist.

I'm really not happy about sending false-positives to /dev/null , the total
number of messages sent to the address in question (my personal address) is
fairly small and the number of spam messages in that number even smaller so
I don't think I'm sending out a huge amount of auto-responses.

Thanks for your help and advice,
Geoff


Alan Connor

Jul 17, 2004, 4:38:12 PM
On Sat, 17 Jul 2004 20:22:43 +0100, Geoff Soper <geoff.ne...@alphaworks.co.uk> wrote:
>
>
> "Alan Connor" <zzz...@xxx.yyy> wrote in message
> news:TXdKc.6335$Qu5....@newsread2.news.pas.earthlink.net...
>> On Sat, 17 Jul 2004 17:39:44 GMT, Alan Connor <zzz...@xxx.yyy> wrote:
>> >
>> >
>> > On Sat, 17 Jul 2004 10:36:58 +0100, Geoff Soper <geoff.ne...@alphaworks.co.uk> wrote:
>> >> Can anyone suggest why this rule:
>> >>
>> >><snip>
>> >> # Spam
>> >>:0:
>> >> * ^X-Spam-Flag: YES
>> >> * ^TO_*.my_address@my_domain
>> >
>> > That should be ^TO_.*
>> >
>
> Brilliant, for all my time looking I didn't spot this, such a simple typo!
>

Been there, done that, bought the t-shirt :-)


>> Be better, if you wanted to avoid sending an Auto-Response to obvious
>> spam, to change that to:
>>
>> * ^To: [ ]*y...@your.address[ ]*$
>>
>> This way the A-R would only be sent to mails that have your address
>> alone on the To: line. Very, very few spams will come this way.
>
> I follow your thinking but unfortunately every spam I have here to look at
> has only my address on the To: line.
>

Then what's the problem with the above?

At least it will eliminate mails that *don't* have your address there,
which are surely spam...


>> > Why are you sending an auto-response to obvious spam? The odds of it
>> > being to a real address are minuscule. You really should just send it
>> > to /dev/null.
>> >
>> > If that's a Challenge-Response, you should have a passlist (whitelist)
>> > before spamassassin (which I realize you may have) and only send the C-R
>> > to "grey-area" mails that aren't obvious spam and aren't on your passlist.
>
> I'm really not happy about sending false-positives to /dev/null , the total
> number of messages sent to the address in question (my personal address) is
> fairly small and the number of spam messages in that number even smaller so
> I don't think I'm sending out a huge amount of auto-responses.
>
> Thanks for your help and advice,
> Geoff
>
>

Good enough and no problem.

AC

