[leafnode-list] filtering spam articles using the "from" field
Mark
lists at greplinux.dyndns.org
Sat May 1 18:03:27 CEST 2004
Ray Abbitt wrote:
> On Sat, 1 May 2004, Mark wrote:
>
>
>>There is a lot of spam lately that has names in the "from" field such as
>>
>>jamiescot at su.shawcable.net
>>deanmartin at wk.shawcable.net
>>peterreid at vs.shawcable.net
>>
>>Is there any way to create a leafnode filter that will reject all posts
>>based on the .shawcable.net.
>
>
> It's actually fairly easy, but you may want to reconsider just a bit.
> I believe you will find that a lot of legitimate posts in your spool
> from users @xx.shawcable.net since shaw is one of the bigger cable
> connectivity providers in Canada.
If you use Shaw as your cable ISP (as I do) the headers will show
Path: pd7tw1no!pd7cy1no!shaw.ca!pd7tw1no.POSTED!53ab2750!not-for-mail
Shawcable.net is not a legit posting host for email nor usenet. The
"from" name is being munged to make it appear that the post is coming
from a shawcable.net subscriber....that does not exist.
For instance, if I did not munge my "from" address it would be mark at shaw.ca
Take a look here for the spam associated with shawcable.net
http://groups.google.ca/groups?q=shawcable.net&ie=UTF-8&oe=UTF-8&hl=en
> The following filter will work:
>
> pattern = ^From:.*shawcable.net
> action = kill
This will perfectly for me.
Thanks!
>
> But from glancing at your example, you would probably gain a lot more
> with less damage by rejecting articles that are excessively
> crossposted. There is no legitimate reason that I can think of for
> anything to be crossposted to all of those groups (in fact it looks
> like troll sign rather than spam). Note that it is more effective to
> use a filter that looks for excessive commas (,) in the Newsgroups:
> header than it is to use the maxcrosspost directive.)
>
> For example:
>
> pattern = ^Newsgroups:.*,.*,.*,.*,
> action = kill
>
> will reject any articles crossposted to 5 or more newsgroups. On my
> system I limit it to 3 (pattern = ^Newsgroups:.*,.*,.*,) and anything
> crossposted to 4 or more will be rejected.
>
> -ray
>
More information about the leafnode-list
mailing list