[Mimedefang] Regexp help

[Jan-Pieter Cornet]

On Wed, Feb 20, 2008 at 12:36:43PM -0500, Joseph Brennan wrote:
> >    I seem to be getting a lot of spam from e-mails that start with
> >either a '-' or '_', for example 'from=<-l-i-s-h-a at adam-friedman.com>'
> >and 'from=<_nia at adidassler.com>'.  Obviously bouncing them is a waste of
> >time.  Can someone help with a regexp that I can stick in my config to
> >tarpit these guys (/dev/null) ?  Or, if there's a better solution, I'm
> >listening.
> 
> if ($Sender =~ /<[_-]/)  {
> 	return action_bounce('This looks like spam');
> }
> 
> This gives a 550.  Remember action_bounce does not generate a bounce.

Just to pick a minor nit: this has a (albeit pretty slim) chance of
having both false positives, and false negatives.

The rfc822-valid email address "johnpc+<_>"@example.com will be rejected.

However, if the spammer violates the rfc just slightly and starts
delivering mail, with:
    MAIL From:-l-i-s-h-a at example.com
... which is accepted by sendmail, then you won't block it.

The correct way is to code in the regex exactly what you mean: the
address must _start with_ a - or _ character, while the address
optionally is enclosed in <> characters, and optionally has leading
whitespace (also silently accepted and ignored by sendmail).
Or in other words:

   if ( $Sender =~ m{ ^ <? \s* [_-] }x )

By the way, note that these adresses are not necessarily breaking
the RFC. I also see some adresses starting with : or . or !, and those
_are_ breaking the RFC, so I reject them. It might be useful to add
those characters.

-- 
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disclamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please !!
!! archive this message indefinitely to allow verification of the logs.  !!