[Mimedefang] Regexp help

Paul Murphy Paul.Murphy at argentadiscovery.com
Thu Feb 21 04:48:07 EST 2008


On Wed, Feb 20, 2008 at 12:36:43PM -0500, Joseph Brennan wrote:
> >    I seem to be getting a lot of spam from e-mails that start with
> >either a '-' or '_', for example 'from=<-l-i-s-h-a at adam-friedman.com>'
> >and 'from=<_nia at adidassler.com>'.  Obviously bouncing them is a waste of
> >time.  Can someone help with a regexp that I can stick in my config to
> >tarpit these guys (/dev/null) ?  Or, if there's a better solution, I'm
> >listening.
> 
> if ($Sender =~ /<[_-]/)  {
> 	return action_bounce('This looks like spam');
> }
> 
> This gives a 550.  Remember action_bounce does not generate a bounce.

I'm not seeing very many of these (we're a low volume site), but all of
the ones I have seen fail our test for a bad literal IP address in the
HELO:

  # reject all email with a numeric HELO string if it lacks
  # surrounding square brackets:
  if ($helo =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/) {

This is a direct RFC breach, so is fairly safe to reject on, and is
done a stage earlier than the sender check suggested, so slightly lower
load on the system.  You should be doing this already, IMV - for our
systems over the last year or so, filter_sender alone has had the
following results for messages:

+---------+------------------------+
| tots    | description            |
+---------+------------------------+
|   14549 | Bad literal IP address |
|    1843 | Bad numeric IP address |
| 1154703 | OK                     |
|   18257 | SPF failed             |
+---------+------------------------+

The difference between a bad literal address and a bad numeric address
is that a bad numeric address is in the correct format, but uses HELO
<127.0.0.1> or something from the private ranges, or multicast range, or
reserved range, etc.  The SPF fails are where the SPF records indicate a
hard fail - we honour that, and reject the message, so far without too
many issues apart from people who change IP addresses and then forget to
change their SPF record.

Best Wishes,

Paul.

-------------------------------------------------------
Paul Murphy
Head of I.T.
Argenta Discovery
Tel. 01279 645 554
Fax. 01279 645 646


_______________________________________________________________________
Argenta Discovery Ltd, 8-9 Spire Green Centre, Harlow, Essex, CM19 5TR
Registered in England No. 3671653
_______________________________________________________________________ 
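
The HELO checks described in the message above, sketched as an added example; this is not code from the original post or from the poster's filter. The category names come from the table in the message, while the helper name `classify_helo`, the exact list of address ranges and the rejection text are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Classify a HELO/EHLO argument using the categories from the table above.
# classify_helo is a hypothetical helper; the range list is an assumption.
sub classify_helo {
    my ($helo) = @_;
    my $quad = qr/(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/;

    # Bare dotted quad: an address literal must be wrapped in [ ].
    return 'Bad literal IP address' if $helo =~ /^$quad$/;

    # Anything that is not a bracketed literal (e.g. a hostname) passes here.
    my @o = $helo =~ /^\[$quad\]$/ or return 'OK';

    # Correct format, but an impossible octet or a non-routable address.
    return 'Bad numeric IP address' if grep { $_ > 255 } @o;
    my ($o1, $o2) = @o;
    return 'Bad numeric IP address'
        if $o1 == 0 || $o1 == 10 || $o1 == 127       # this-net, private, loopback
        || ($o1 == 169 && $o2 == 254)                # link-local
        || ($o1 == 172 && $o2 >= 16 && $o2 <= 31)    # private
        || ($o1 == 192 && $o2 == 168)                # private
        || $o1 >= 224;                               # multicast and reserved
    return 'OK';
}

# How the check would sit in a MIMEDefang filter; message text is illustrative.
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    my $verdict = classify_helo($helo);
    return ('REJECT', "Invalid HELO: $verdict") if $verdict ne 'OK';
    return ('CONTINUE', 'ok');
}

# Constructed sample HELO strings, not taken from real traffic.
for my $helo ('192.0.2.10', '[127.0.0.1]', '[10.1.2.3]',
              '[198.51.100.7]', 'mail.example.org') {
    printf "%-18s %s\n", $helo, classify_helo($helo);
}
```

Run stand-alone, the loop prints one verdict per sample; inside a real filter only the two subs are needed.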



