I've found that almost all spam can be gotten rid of with one simple procmail recipe. It seems that the majority of spam these days isn't actually To: me. Instead, it's to 456sdfl4@cwabg.hotbot.com, from 56df4@stjaxppu.compuserve.com. For some reason, I end up with it. It must be some sort of forged header/mailing list sort of thing. Anyways, I implemented this simple rule to drop that sort of hejaz:

:0:
* ! ^TO_chris@.*bangmoney\.org
/dev/null

The ^TO_ is a sort of macro - it expands to a very large regular expression that matches almost all To: headers. Then I just filled in my email address. The bang inverts the test, such that all mail that doesn't match that rule goes to /dev/null.

This rule has the nasty habit of catching mailing lists too. You might want to filter those into their own mailbox before this rule, or modify the rule to send this spam to its own mailbox for your later perusal. I've been having great success catching spam with this rule, though.

It's not forged headers that make it look like the email is for someone else, but the fact that the "To:" address in the header actually doesn't really mean anything.

The actual recipient is often found in the "Received:" lines in the header, but according to RFC 822 the for-part of the "Received:" lines is not mandatory, so some mailservers don't add the information. But they do of course specify the recipient when communicating with another mailserver, with RCPT TO.

To preserve bandwidth, most spammers will send their great offers to some invalid address and put a fuckload of real addresses in the bcc-field, which the recipient doesn't see. Mailing lists usually work the same way.

That also explains why fetchmail's multidrop mode breaks some RFCs.

Forged headers are usually "Received:" lines added to the bottom of the header, to make it difficult to find out from where the mail was sent - what ISP was used - so you won't know who to complain to.
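As an added example (not code from either writeup above), here is a small Python check that does the same job as the recipe's ^TO_ test against the recipient headers, and then pulls the envelope recipient out of the "Received: ... for <addr>" clause described in the second writeup so that a quarantined message can be inspected instead of thrown away. The header list, the regexes and the two sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.policy import default

# The address from the recipe (^TO_chris@.*bangmoney\.org), as a regex.
ME = re.compile(r"chris@[^\s>]*bangmoney\.org", re.IGNORECASE)

# Rough stand-in for the headers procmail's ^TO_ macro covers; assumption, not procmail's own list.
RECIPIENT_HEADERS = ("To", "Cc", "Bcc", "Apparently-To", "Resent-To", "Resent-Cc")

# 'Received: ... for <addr>' clause; optional per RFC 822, so it may be missing entirely.
RECEIVED_FOR = re.compile(r"\bfor\s+<?([^\s<>;]+)>?", re.IGNORECASE)


def addressed_to_me(raw):
    """Same test as the recipe: does any recipient header mention my address?"""
    msg = message_from_string(raw, policy=default)
    for name in RECIPIENT_HEADERS:
        for value in msg.get_all(name, []):
            if ME.search(str(value)):
                return True
    return False


def envelope_recipients(raw):
    """Addresses named in the for-clauses of Received: lines, i.e. what RCPT TO said."""
    msg = message_from_string(raw, policy=default)
    found = []
    for value in msg.get_all("Received", []):
        match = RECEIVED_FOR.search(str(value))
        if match:
            found.append(match.group(1).lower())
    return found


def classify(raw):
    """'inbox' when a recipient header names me, else 'quarantine' (list, Bcc or spam)."""
    return "inbox" if addressed_to_me(raw) else "quarantine"


# Constructed samples, not real mail: a direct message, and a Bcc-style one whose To:
# is a stranger while the Received: for-clause shows it was really delivered to me.
DIRECT = ("Received: from a.example (a.example [192.0.2.1]) by mx.bangmoney.org\n"
          "\tfor <chris@bangmoney.org>; Mon, 1 Jan 2001 00:00:00 +0000\n"
          "From: friend@example.org\nTo: Chris <chris@bangmoney.org>\nSubject: hi\n\nhello\n")
BCC_STYLE = ("Received: from b.example (b.example [192.0.2.2]) by mx.bangmoney.org\n"
             "\tfor <chris@bangmoney.org>; Mon, 1 Jan 2001 00:00:00 +0000\n"
             "From: 56df4@stjaxppu.compuserve.com\nTo: 456sdfl4@cwabg.hotbot.com\n"
             "Subject: great offer\n\nbuy now\n")

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT), ("bcc-style", BCC_STYLE)):
        print(label, classify(raw), envelope_recipients(raw))
```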
