Question about transaction filtering and wildcards.

NFG

posted Jan 21 '09 at 11:14 pm

[quote user="Thomas R. Stephenson"]FWIW my philosophy in running a mail server is to first receive all good mail and second keep out most of the spam. A 1% false positive rate where you block good mail is not acceptable in my systems. [/quote]

Mine is similar: I don't accept happily any method that permanently removes legitimate mail from the system. Spammers have made it easier by using names that actually don't exist, so I have an ever-growing list of names that are flat-out culled 'cause no one ever used 'em and no one ever will. That, plus the greywall, puts me at something like 2 spam a day, which I can happily tolerate.

This current wave of non-stop spam is annoying, but as long as I don't watch Mercury's SMTP server window my blood pressure's easily controlled. ;)

Lately all the spam has been in Japanese, with Japanese FROM addresses, which makes me think they're targeting the language based on location (My server's in Japan). These ones are also re-trying mails denied by the greywall. Two new behaviours which are interesting to note.

[quote user="Thomas R. Stephenson"]FWIW my philosophy in running a mail server is to first receive all good mail and second keep out most of the spam.  A 1% false positive rate where you block good mail is not acceptable in my systems.    [/quote]Mine is similar: I don't accept happily any method that permanently removes legitimate mail from the system.  Spammers have made it easier by using names that actually don't exist, so I have an ever-growing list of names that are flat-out culled 'cause no one ever used 'em and no one ever will.  That, plus the greywall, puts me at something like 2 spam a day, which I can happily tolerate.This current wave of non-stop spam is annoying, but as long as I don't watch Mercury's SMTP server window my blood pressure's easily controlled.  ;)Lately all the spam has been in Japanese, with Japanese FROM addresses, which makes me think they're targeting the language based on location (My server's in Japan).  These ones are also re-trying mails denied by the greywall.  Two new behaviours which are interesting to note.

NFG

posted Jan 21 '09 at 1:56 am

My spam problem was mostly solved with the greywall module, so I haven't given this much thought for a long time, but in the last week my spam intake has shot up a hundredfold, so it's time to revisit the issue:

I need to filter an address, without using wildcards, and I can't work out how to do it. The problem is this:

Spammers have a partial address, as their little evil databases have become more and more corrupted over the years. The original username might have been nolan@, they're sending spam to lan@, and since I've got a hundred different in-use address, I can't just turn off the domain mail acceptance. Instead, I want to filter LAN@ without losing NOLAN@, and I can't work out HOW.

No attempt has been so far productive when I try to block lan@domain.com, since Mercury simply doesn't match anything without the bookending wildcards ( *lan@domain.com* works, but also blocks nolan@). I'm sure it's POSSIBLE, but I can't work out HOW. What's the syntax to block only the address <lan@domain.com> and not <nolan@domain.com>?

I've tried:

R, "barreto@domain.com*", RS, "554 - Spammers Must Die" doesn't match anything

R, "lan@*", RS, "554 - Spammers Must Die" doesn't match anything

What should I be doing?

My spam problem was mostly solved with the greywall module, so I haven't given this much thought for a long time, but in the last week my spam intake has shot up a hundredfold, so it's time to revisit the issue: I need to filter an address, without using wildcards, and I can't work out how to do it.  The problem is this: Spammers have a partial address, as their little evil databases have become more and more corrupted over the years.  The original username might have been nolan@, they're sending spam to lan@, and since I've got a hundred different in-use address, I can't just turn off the domain mail acceptance.  Instead, I want to filter LAN@ without losing NOLAN@, and I can't work out HOW. No attempt has been so far productive when I try to block lan@domain.com, since Mercury simply doesn't match anything without the bookending wildcards ( *lan@domain.com* works, but also blocks nolan@).  I'm sure it's POSSIBLE, but I can't work out HOW.  What's the syntax to block only the address &lt;lan@domain.com&gt; and not &lt;nolan@domain.com&gt;?   I've tried:R, "barreto@domain.com*", RS, "554 - Spammers Must Die"   [b]doesn't match anything[/b]R, "lan@*", RS, "554 - Spammers Must Die"  [b]doesn't match anything[/b] What should I be doing?

Rolf Lindby

posted Jan 21 '09 at 3:39 am

The line you are trying to match (the SMTP RCPT) should look something like this:

RCPT TO: <lan@domain.com>

So the filter expression could look like this:

"*<lan@domain.com*"

/Rolf

The line you are trying to match (the SMTP RCPT) should look something like this:RCPT TO: &lt;lan@domain.com>So the filter expression could look like this:"*&lt;lan@domain.com*"/Rolf

dilberts_left_nut

posted Jan 21 '09 at 3:45 am

Use the *lan@domain.com* to block, but before this rule put

R, "*nolan@domain.com*", X, "nolan is exempted from RCPT TO filter"

From the remarks in transflt.mer

# 'X' to stop this phase of transaction filtering for this message

Use the *lan@domain.com* to block, but before this rule put R, "*nolan@domain.com*", X, "nolan is exempted from RCPT TO filter" &nbsp;From the remarks in transflt.mer#&nbsp;&nbsp;&nbsp; 'X' to stop this phase of transaction filtering for this message &nbsp;

NFG

posted Jan 21 '09 at 7:52 am

It seems there are new options in the transflt file that I was unaware of - my decade-old install has old docs and transflt files that don't include the new options (like X). Sadly however X won't work for me since I cannot ever hope to remember all of the addresses I've used over the years, so a whitelist or rule-skipping exception is unfeasible.

Thanks for your idea, rolf. I will give that a go. Dunno if I tried it before or, if not, why I didn't think of it, but it seems like a good solution. =)

Hopefully this new wave of spam is at an end... As an aside, are there spam forums or similar, where people discuss current spam trends? In addition to the volume I've found my server's targeted based on location, which is new, and perhaps an interesting discussion topic.

It seems there are new options in the transflt file that I was unaware of - my decade-old install has old docs and transflt files that don't include the new options (like X).  Sadly however X won't work for me since I cannot ever hope to remember all of the addresses I've used over the years, so a whitelist or rule-skipping exception is unfeasible. Thanks for your idea, rolf.  I will give that a go.  Dunno if I tried it before or, if not, why I didn't think of it, but it seems like a good solution.  =) Hopefully this new wave of spam is at an end...  As an aside, are there spam forums or similar, where people discuss current spam trends?  In addition to the volume I've found my server's targeted based on location, which is new, and perhaps an interesting discussion topic.

Thomas R. Stephenson

posted Jan 21 '09 at 6:02 pm

Hopefully this new wave of spam is at an end... As an aside, are there
spam forums or similar, where people discuss current spam trends? In
addition to the volume I've found my server's targeted based on
location, which is new, and perhaps an interesting discussion topic.

Here's a place to start. http://spamlinks.net/discuss.htm#lists Most think the SPAM-L list is the most effective. I kind of stay away from all of these since there are too many rabid anti-spam people giving very bad advice as to how to stop spam. It's does stop the spam but also stops a very high percentage of good mail. A new user (lass than 5 years in the mail server business [:)]) would be hard pressed to determine the good advice from the bad.

FWIW my philosophy in running a mail server is to first receive all good mail and second keep out most of the spam. A 1% false positive rate where you block good mail is not acceptable in my systems.

<blockquote>Hopefully this new wave of spam is at an end... &nbsp;As an aside, are there spam forums or similar, where people discuss current spam trends? &nbsp;In addition to the volume I've found my server's targeted based on location, which is new, and perhaps an interesting discussion topic.</blockquote>Here's a place to start. http://spamlinks.net/discuss.htm#lists&nbsp; Most think the SPAM-L list is the most effective.&nbsp; I kind of stay away from all of these since there are too many rabid anti-spam people giving very bad advice as to how to stop spam. It's does stop the spam but also stops a very high percentage of good mail. &nbsp; A new user (lass than 5 years in the mail server business [:)]) would be hard pressed to determine the good advice from the bad.FWIW my philosophy in running a mail server is to first receive all good mail and second keep out most of the spam.&nbsp; A 1% false positive rate where you block good mail is not acceptable in my systems. &nbsp; &nbsp;

Related Topics

Pending draft

Confirm move posts

Insufficient permissions

Select a different topic

Edit history