On Mon, 22 Sep 2003, christophe barbe wrote:

> It has the merit of being compact but the inconvenience of reading the body.

Which is about the only reliable way to filter it.

> I use the following procmail rules:
>
>
> :0:
> *> 100000
> *^subject: (undeliverable |undelivered |returned )*(mail|message)(:* (returned to
> (mail|send)er|user unknown))*
> swen-junk

Not reliable enough for my taste, too many chances of false positives.

> :0:
> *> 100000
> *^subject: (new(est)* |latest |last |current )*(net(work)* |microsoft |internet
> )*(critical |security )*(pack|patch|update|upgrade)
> swen-junk

This will definitely not catch em all. See below.

> :0:
> *> 100000
> *^subject: (abort|bug|error|failure)*
> *(advice|announcement|letter|message|notice|report)
> swen-junk

This would catch valid messages for sure in my case.

> This catches all swen mails except those with no subject.

Nope. Swen composes its subject line from the following words:

    Current Newest Last New Latest Net Network Microsoft Internet Critical Security Patch Update Pack Upgrade

Below is some Perl I used to test my pattern. The regexp (in PCRE) catches most sensible combinations, but I wouldn't say this is 100% reliable. The list of subjects has been taken from the only real swen-messages I got (not too many). Even if it were 100% reliable for standard swen subjects then it wouldn't be anymore as soon as a new version made its arrival. I have seen some messages posing as bounces with different subjects today and those definitely used 'new' subject words...

So why did I add this PCRE pattern to our postfix? Well, because quite a lot of 'cleaned' swen messages were sent from other MTAs to our recipients. Because the exe was stripped, RAV wouldn't catch 'em and I didn't want our people bothered by it. It has been quite successful (almost 100 discarded messages in the first hour of its use), but must be updated for the new faked bounces. This is exactly the catch-up game I don't like...

#!/usr/bin/perl
use strict;
use warnings;

my @subjects = (
    'Microsoft Internet Update Pack',
    'Last Critical Pack',
    'Newest Network Critical Update',
    'Latest Security Update',
    'Current Network Update',
    'Last Net Patch',
    'New Net Update',
    'Last Critical Upgrade',
    'Current Microsoft Pack',
    'Newest Network Critical Update',
    'Latest Security Update'
);

foreach (@subjects) {
    $_ = 'Subject: ' . $_;
    if (/^Subject:(\s+(Current|New(est)?|Last|Latest))?(\s+(Net(work)?|Microsoft|Internet|Critical|Security))+((\s+(Update|Upgrade))?(\s+(Patch|Pack))?)\s*$/i) {
        #DISCARD Suspicious subject line: W32/Gibe-F alias Swen
        print "MATCH: $_\n";
    } else {
        print "NO MATCH: $_\n";
    }
}

Grx HdV
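
An added example, not part of the original message: it runs the posted pattern over the Swen subjects quoted above and over a few constructed ordinary subjects, to measure the false positives the thread worries about. It is written in Python because the pattern uses only syntax shared by PCRE and Python's re; the STRICT variant and the LEGIT list are assumptions introduced here.

```python
import re

# Pattern as posted in the message above.
POSTED = re.compile(
    r"^Subject:(\s+(Current|New(est)?|Last|Latest))?"
    r"(\s+(Net(work)?|Microsoft|Internet|Critical|Security))+"
    r"((\s+(Update|Upgrade))?(\s+(Patch|Pack))?)\s*$",
    re.IGNORECASE,
)

# Hypothetical stricter variant (not from the message): same word groups,
# but the trailing Update/Upgrade/Patch/Pack part may no longer be empty.
STRICT = re.compile(
    r"^Subject:(\s+(Current|New(est)?|Last|Latest))?"
    r"(\s+(Net(work)?|Microsoft|Internet|Critical|Security))+"
    r"(\s+(Update|Upgrade)(\s+(Patch|Pack))?|\s+(Patch|Pack))\s*$",
    re.IGNORECASE,
)

# Swen subjects quoted in the message above (duplicates dropped).
OBSERVED = [
    "Microsoft Internet Update Pack", "Last Critical Pack",
    "Newest Network Critical Update", "Latest Security Update",
    "Current Network Update", "Last Net Patch", "New Net Update",
    "Last Critical Upgrade", "Current Microsoft Pack",
]

# Constructed examples of ordinary mail subjects (not from the message).
LEGIT = [
    "Internet security", "Network", "Last Microsoft", "Security",
    "Re: Latest Security Update", "Meeting notes",
]


def audit(pattern):
    """Return (observed worm subjects missed, legitimate subjects discarded)."""
    def hit(subject):
        return pattern.search("Subject: " + subject) is not None
    missed = [s for s in OBSERVED if not hit(s)]
    false_pos = [s for s in LEGIT if hit(s)]
    return missed, false_pos


if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("strict", STRICT)):
        missed, false_pos = audit(pat)
        print(f"{name}: missed={missed} false_positives={false_pos}")
```

Both variants still match a genuine notice titled exactly like one of the observed subjects, so a subject-only rule of this kind cannot separate those from the worm.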