
Awash in junk mail? There are things you can do about it.

Assuming that: If not, the stuff described herein ain't for you.




procmail

It used to be that procmail helped you sort email coming in from your friends and coworkers. It can still do that. However, I've found another use: spam filtering.

Most spammers these days no longer put your public email address in the "To" field. Instead, they put it in the "Bcc" (blind copy) field, so your address never shows up in the actual email you receive. You can take advantage of this by adding a procmail rule that filters out mail that doesn't mention your email address in the "To:" and "Cc:" fields.

Let's assume you've got two email addresses: "me@mycompany.com" for work, and "me@myisp.com" for personal use. Further, because you just can't afford to be out of touch with the office, you forward copies of the email from work to your personal account.

Add the following rule to your procmail RC file (in Linux, that's usually ~/.procmailrc), remembering that procmail is case insensitive while many mail transfer agents aren't:

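	# Bcc: filter ... if it hits, 90%+ chance that it's spam.
	# Files the message as spam only when neither address appears in
	# To:, Cc: or From:. Dots are escaped so "." matches a literal dot.
	:0
	* !^(To|Cc):.*me@mycompany\.com.*
	* !^From:.*me@mycompany\.com.*
	* !^(To|Cc):.*me@myisp\.com.*
	* !^From:.*me@myisp\.com.*
	$HOME/Mail/SPAM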

A lot of spammers send mail out without "To:", "From:" or "Subject:" lines (note that the ending ":" in "From:" counts here, because the "From " and "From:" email header tags mean different things).

So, while you're poking around in procmail, add the following rules, too:

	# Mail without a "^To: " field is usually spam
	:0
	* !^To: .*
	$HOME/Mail/SPAM

	# Mail without a "^From: " field is usually spam
	:0
	* !^From: .*
	$HOME/Mail/SPAM

	# Mail without a "^Subject: " field is usually spam
	:0
	* !^Subject: .*
	$HOME/Mail/SPAM

If you stop here, you'll cut your incoming spam rate by about 95%.
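To check these header tests against a saved message before trusting them with live mail, here is an added shell example (not part of the original article or its shar file). It mirrors the rules with grep instead of running procmail; the function names and the sample messages are constructed for illustration.

```shell
#!/bin/sh
# Added example: a grep-based dry run of the header tests described above.
# It does not invoke procmail; it only mirrors the rules for quick checks.
MY_ADDRS='me@mycompany\.com|me@myisp\.com'   # the article's sample addresses

# Print the header block of message $1 (up to the first blank line), joining
# folded continuation lines so an address on a wrapped To: line is still seen.
headers() {
    awk '/^$/ { exit }
         NR > 1 && /^[ \t]/ { buf = buf $0; next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (buf != "") print buf }' "$1"
}

# Print "SPAM <reason>" or "PASS" for message file $1. Missing headers are
# checked first only so that the reported reason is the most specific one.
classify() {
    hdr=$(headers "$1")
    for field in To From Subject; do
        printf '%s\n' "$hdr" | grep -qi "^$field: " ||
            { echo "SPAM missing-$field"; return 0; }
    done
    printf '%s\n' "$hdr" | grep -Eqi "^(To|Cc|From):.*($MY_ADDRS)" ||
        { echo "SPAM not-addressed-to-me"; return 0; }
    echo PASS
}

# Constructed sample messages: a folded To: line, an address that appears
# only in the body, and a Subject: that appears only in the body.
make_msgs() {
    printf 'From: a@example.org\nTo: x@example.org,\n\tME@MyISP.com\nSubject: hi\n\nbody\n' > "$1/folded"
    printf 'From: a@example.org\nTo: list@example.org\nSubject: hi\n\nme@myisp.com\n' > "$1/bcc"
    printf 'From: a@example.org\nTo: me@myisp.com\n\nSubject: in body\n' > "$1/nosubject"
}

d=$(mktemp -d) && make_msgs "$d"
for m in folded bcc nosubject; do
    printf '%s -> %s\n' "$m" "$(classify "$d/$m")"
done
rm -rf "$d"
```

The `bcc` sample also shows that mailing-list mail, which carries the list's address in "To:", is filed the same way, so list traffic needs its own recipe placed before this one.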




GETTING THE LAST FIVE PERCENT: POSITIVE VETTING

Some spammers actually put your email address in either the "To:" or "Cc:" fields, and then fill out the "From:" and "Subject:" headers, too. Spam from these people goes right through the above procmail filters.

Using procmail and some other fun stuff, you can restrict what hits your main mailbox to email from people you already have corresponded with in the past.

Here's how:

First, create a symlink for a special mail folder ("MBOX") from the directory where you usually save mail to your system mail folder:

	$ ln -s /var/spool/mail/$USER $HOME/Mail/MBOX

Next, unpack the shar file found at "http://zjod.net/sos/spam.shar" and run "make install". This will install one program and two shell scripts into your $HOME/bin directory:

The first shell script (GEN_MAIL_ADDRS) scans all your non-spam elm folders harvesting email addresses and saves them to file "$HOME/.MAIL_ADDRS". You need to run this at least once to generate that file:

	$ GEN_MAIL_ADDRS

Note that GEN_MAIL_ADDRS will _not_ harvest email addresses from folders named "junk", "SPAM" or "POSSIBLE_SPAM". Once you're comfortable with this whole process, you can change/add to this list as you see fit, but at a minimum, keep the "SPAM" and "POSSIBLE_SPAM" folders on the list.

The program (stripmail) is a general purpose filter for extracting stuff from elm-style email folders. In this anti-spam context, it's used by the script $HOME/bin/SORTMAIL. (I also use this program for other stuff; run "stripmail" without any arguments for a pseudo-man page.)

The second script (SORTMAIL) checks incoming email against the stuff in $HOME/.MAIL_ADDRS and puts email in one of two places:

Lastly, add a final entry to your procmail filter (this must be the _last_ entry, because nothing will get by it):

	# MAKE SURE THIS IS THE ABSOLUTE LAST ENTRY... NOTHING GETS BY IT
	:0
	* ^From 
	| $HOME/bin/SORTMAIL

If you've managed to get to this point, email from people you've traded email with in the past will go straight into your system mailbox. Some small amount of spam along with email from people you've never corresponded with will go into mailbox $HOME/bin/POSSIBLE_SPAM.

You then only need to occasionally scan the POSSIBLE_SPAM folder for email from someone you want to correspond with, saving any non-spam there to some other folder (not SPAM or junk). After you're done scanning POSSIBLE_SPAM, re-run GEN_MAIL_ADDRS to update $HOME/.MAIL_ADDRS. In the future, email from these "new" senders will show up in your system mailbox.
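The positive-vetting decision described above, as an added shell example. This is not the SORTMAIL script from the shar file, and it assumes the address file holds one address per line (the article does not state its format); the function names and sample data are constructed.

```shell
#!/bin/sh
# Added example, NOT the SORTMAIL script from spam.shar.
# Assumption: the allowlist file holds one address per line.

# Print the lower-cased address from the first From: header of message $1.
sender_addr() {
    awk '/^$/ { exit }                        # stop at the end of the headers
         tolower($0) ~ /^from:/ {
             line = tolower($0); sub(/^from:[ \t]*/, "", line)
             if (match(line, /<[^<>]*>/)) {   # "Name <addr>" form
                 line = substr(line, RSTART + 1, RLENGTH - 2)
             } else {                         # "addr (Name)" or bare addr
                 sub(/[ \t]*\(.*$/, "", line)
             }
             gsub(/[ \t]/, "", line); print line; exit
         }' "$1"
}

# Print MBOX if the sender of message $1 is listed in allowlist $2,
# otherwise POSSIBLE_SPAM. The extracted address must equal a whole line of
# the allowlist (-F fixed string, -x whole line, -i ignore case), so a known
# address that only appears in the display name does not count.
vet() {
    addr=$(sender_addr "$1")
    if [ -n "$addr" ] && grep -Fxiq -- "$addr" "$2"; then
        echo MBOX
    else
        echo POSSIBLE_SPAM
    fi
}

# Constructed sample data: an allowlist and three messages.
make_samples() {
    printf '%s\n' 'friend@example.org' 'boss@mycompany.com' > "$1/MAIL_ADDRS"
    printf 'From: Friend <Friend@Example.ORG>\nTo: me@myisp.com\nSubject: lunch\n\nhi\n' > "$1/known"
    printf 'From: deals@bulk.example\nTo: me@myisp.com\nSubject: offer\n\nbuy\n' > "$1/unknown"
    printf 'From: "friend@example.org" <deals@bulk.example>\nTo: me@myisp.com\nSubject: hi\n\nbuy\n' > "$1/lookalike"
}

d=$(mktemp -d) && make_samples "$d"
for m in known unknown lookalike; do
    printf '%s -> %s\n' "$m" "$(vet "$d/$m" "$d/MAIL_ADDRS")"
done
rm -rf "$d"
```

Because the "From:" header is set by the sender, this check sorts mail by claimed sender; it does not authenticate it.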

Once you're comfortable with how this all works, add the following to your personal crontab to automagically keep $HOME/.MAIL_ADDRS up-to-date:

	30 10 * * * bin/GEN_MAIL_ADDRS
	30 22 * * * bin/GEN_MAIL_ADDRS

That's it! Now download that shar file and start enjoying your email again!

All programs, scripts, procmail filters, et cetera talked about in this posting are available for downloading at:
http://zjod.net/sos/spam.shar.

-S



Presentation and content © 2003-2007, Ziggy's Auto Body and Tanning.

Last updated: 10 January 2007