Mailing List Archive

Header rulename from:addr =~ /.*+.*\@/

Should match an email with a plus one the left hand side.

On Sat, Dec 26, 2020, 18:11 Kenneth Porter <shiva@sewingwitch.com> wrote:

> I usually sign up for a web service using a "plussed" address like
> shiva+vendorname@sewingwitch.com. (My server also recognizes a dot
> instead
> of a plus, to deal with broken websites that won't allow me to use a plus
> in my email address.) I use procmail rules on my server to filter messages
> from them into different folders. I'd like to give a point of spam
> "forgiveness" to some sites (I've noticed some political begging letters
> are bumping over the 5.0 limit), and a big bonus score to those who've
> abused my address and handeded it out to others (or for those whose site
> has been compromised). What should the rule look like for that?
>
>

On 26 Dec 2020, at 18:17, Kevin A. McGrail wrote:

> Header rulename from:addr =~ /.*+.*\@/

You definitely want to escape that '+' and catch the recipient instead
of sender:

header RULENAME To:addr =~ /\+.+\@/
score RULENAME -1

Another approach:

whitelist_to *+*@example.com

In that case you may also want to reduce the strength of that level of
welcome:

# Default is -6 but this is a more useful value
score USER_IN_WELCOMELIST_TO -3




> Should match an email with a plus one the left hand side.
>
> On Sat, Dec 26, 2020, 18:11 Kenneth Porter <shiva@sewingwitch.com>
> wrote:
>
>> I usually sign up for a web service using a "plussed" address like
>> shiva+vendorname@sewingwitch.com. (My server also recognizes a dot
>> instead
>> of a plus, to deal with broken websites that won't allow me to use a
>> plus
>> in my email address.) I use procmail rules on my server to filter
>> messages
>> from them into different folders. I'd like to give a point of spam
>> "forgiveness" to some sites (I've noticed some political begging
>> letters
>> are bumping over the 5.0 limit), and a big bonus score to those
>> who've
>> abused my address and handeded it out to others (or for those whose
>> site
>> has been compromised). What should the rule look like for that?
>>
>>


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

--On Saturday, December 26, 2020 11:20 PM -0500 Bill Cole
<sausers-20150205@billmail.scconsult.com> wrote:

> You definitely want to escape that '+' and catch the recipient instead of
> sender:
>
> header RULENAME To:addr =~ /\+.+\@/
> score RULENAME -1

That looks like what I want. Although since my server is hacked to accept a
dot as separator, I can use [+.] in the pattern, with /[+.].+\@/. I can
then add exceptions with positive scores for the abusers.

On Sun, 27 Dec 2020, Kenneth Porter wrote:

> --On Saturday, December 26, 2020 11:20 PM -0500 Bill Cole
> <sausers-20150205@billmail.scconsult.com> wrote:
>
>> You definitely want to escape that '+' and catch the recipient instead of
>> sender:
>>
>> header RULENAME To:addr =~ /\+.+\@/
>> score RULENAME -1
>
> That looks like what I want. Although since my server is hacked to accept a
> dot as separator, I can use [+.] in the pattern, with /[+.].+\@/. I can then
> add exceptions with positive scores for the abusers.

You'll also need to check Cc: if you're looking at the message headers,
so two rules.

This would miss spams where the recipients are BCC'd, though.

To catch those you'd need to check for the address in a Received: header,
assuming your MTA adds the envelope recipient to the Received: header it
generates. For example, the "for <>" in this:

Received: from mxout1-he-de.apache.org (mxout1-he-de.apache.org [95.216.194.37])
by ga.impsec.org (8.14.7/8.14.7) with ESMTP id 0BRHZ0H5027977
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)
for <jhardin@impsec.org>; Sun, 27 Dec 2020 11:35:11 -0600

You might do:

header ABUSED_PLUS Received =~ /\bfor <shiva[+.](?:abused1|abused2)\@sewingwitch\.com>/i


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Men by their constitutions are naturally divided in to two parties:
1. Those who fear and distrust the people and wish to draw all
powers from them into the hands of the higher classes. 2. Those who
identify themselves with the people, have confidence in them,
cherish and consider them as the most honest and safe, although not
the most wise, depository of the public interests.
-- Thomas Jefferson
-----------------------------------------------------------------------
211 days since the first private commercial manned orbital mission (SpaceX)

On Sun, 27 Dec 2020 10:17:15 -0800 (PST)
John Hardin wrote:


> To catch those you'd need to check for the address in a Received:
> header, assuming your MTA adds the envelope recipient to the
> Received: header it generates.

> You might do:
>
> header ABUSED_PLUS Received =~ /\bfor
> <shiva[+.](?:abused1|abused2)\@sewingwitch\.com>/i

This isn't completely reliable as the MTA wont provide the envelope
recipient when there's more than one in the same SMTP session. It may
be good enough for a single user mail system though.

I presume this isn't trivial to fix as Fastmail had an unreliable
X-Delivered-to header for years.

Without a reliable envelope recipient, the best you can do is use all
the sources of addresses, something like the following (untested):

header ABUSED_PLUS All =~
/^(?:(?:To|Cc):\s(?:.*(?:,\s|<))?|Received:.*for\s<)(?:shiva[+.](?:abused1|abused2)\@sewingwitch\.com)[,>\s\n]/im

On Mon, 28 Dec 2020, RW wrote:

> On Sun, 27 Dec 2020 10:17:15 -0800 (PST)
> John Hardin wrote:
>
>> To catch those you'd need to check for the address in a Received:
>> header, assuming your MTA adds the envelope recipient to the
>> Received: header it generates.
>
>> You might do:
>>
>> header ABUSED_PLUS Received =~ /\bfor
>> <shiva[+.](?:abused1|abused2)\@sewingwitch\.com>/i
>
> This isn't completely reliable as the MTA wont provide the envelope
> recipient when there's more than one in the same SMTP session. It may
> be good enough for a single user mail system though.
>
> I presume this isn't trivial to fix as Fastmail had an unreliable
> X-Delivered-to header for years.
>
> Without a reliable envelope recipient, the best you can do is use all
> the sources of addresses, something like the following (untested):
>
> header ABUSED_PLUS All =~
> /^(?:(?:To|Cc):\s(?:.*(?:,\s|<))?|Received:.*for\s<)(?:shiva[+.](?:abused1|abused2)\@sewingwitch\.com)[,>\s\n]/im

Right, that's better.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
212 days since the first private commercial manned orbital mission (SpaceX)