Using Procmailrc for Spoofed E-mail Address



pettyhead
10-16-2008, 09:19 AM
Some of you may have had an e-mail address spoofed in the past. This means a spammer has put your e-mail address in the return address field. When this happens you get flooded with thousands of non-delivery notices from mail servers throughout the world. Many people wonder if there is a way to keep these non-delivery notices from getting delivered to your inbox. Here is how you can keep your mailbox free from these notices.

Most non-delivery notices are sent to you by a Mailer Daemon on the intended recipient's mail server. This mailer daemon generates the non-delivery notice and sends it to the return address from the e-mail header. When your mail server gets the e-mail, it usually doesn't get caught as spam by Dynamic Spam Rejection with RBLs, and SpamAssassin is set up so it does not check e-mail that comes from a mailer daemon. So spam filtering is not useful in catching these unwanted e-mails. You have to tell procmail how to handle e-mails that come from a mailer daemon. There are 2 ways you can do this.

The first way to handle these messages is to create a procmail recipe that sends all mail daemon e-mail to /dev/null. This will automatically delete the message and this will ensure your server does not have to spend time and resources writing to disk. The recipe would be added at the bottom of the procmailrc file. Here is the recipe:

:0
* ^FROM_DAEMON
/dev/null

This recipe will also delete any bounce back e-mails that are sent as a result of you sending a message to a non-deliverable address. So this may not be something you want to set up if you are concerned about not getting notified when an e-mail you send gets bounced back. However, that is a fair trade-off if you are getting thousands of unwanted undeliverable messages delivered to you. This next step may be a good alternative.

I mentioned that SpamAssassin does not check e-mails that are sent from a mailer daemon. If you look at the procmailrc recipe for SpamAssassin, you will see two conditional statements that determine if the message will be evaluated by SpamAssassin. They are:

* ! ^FROM_DAEMON
* < 51200

The first condition * ! ^FROM_DAEMON tells spamassassin that if the message is not from a mail daemon then do the next test. The next test checks the size of the e-mail to see if it is possibly a spam message based on the size. Most spam messages are less than 51200 bytes in size so we don't want to waste server resources on larger e-mails that are almost always not spam. What we will want to do in this situation is tell spamassassin to only check the file size of the e-mail and not do the mail daemon check before it evaluates the e-mail. You can do this by commenting out the * ! ^FROM_DAEMON line or by erasing it completely (a comment line in procmailrc starts with the # character).

As always before making any modifications to your procmailrc file you may want to save a copy of the existing file in case you fudge something in your data entry so you can revert back to the original file. Hope this is helpful to somebody.


"Sell your computer, buy a guitar" -- Tom Petty
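
Added example, not part of the original post: a small Python model of the two procmailrc options above, run over constructed messages, to show which mail each option discards or hands to SpamAssassin. The regex is a simplified stand-in for procmail's ^FROM_DAEMON macro, and the helper names and sample messages are assumptions made for illustration.

```python
import re

# Simplified stand-in for procmail's ^FROM_DAEMON macro (assumption: the real
# macro documented in procmailrc(5) is a longer regex with more names).
DAEMON_RE = re.compile(
    r"^(Precedence:.*(junk|bulk|list)|(From|Sender|X-Envelope-From):"
    r".*\b(mailer-daemon|postmaster|daemon|bounce)\b)", re.I | re.M)
SIZE_LIMIT = 51200  # bytes, from the "* < 51200" condition in the post

def from_daemon(raw):
    """Match only the header block, as a procmail condition does by default."""
    return bool(DAEMON_RE.search(raw.split("\n\n", 1)[0]))

def route(raw, drop_daemon, scan_daemon):
    """Return (scanned_by_spamassassin, destination) for one message.

    drop_daemon: the /dev/null recipe is present at the bottom of procmailrc.
    scan_daemon: the "* ! ^FROM_DAEMON" line was removed from the SA recipe.
    The destination ignores what a later recipe does with the SA verdict.
    """
    daemon = from_daemon(raw)
    small = len(raw.encode()) < SIZE_LIMIT
    scanned = small and (scan_daemon or not daemon)
    dest = "/dev/null" if (drop_daemon and daemon) else "inbox"
    return scanned, dest

def make(sender, subject, body):
    return f"From: {sender}\nTo: you@example.com\nSubject: {subject}\n\n{body}"

# Constructed sample messages (not real traffic).
DAEMON = "Mail Delivery System <MAILER-DAEMON@mx.example.net>"
BACKSCATTER = make(DAEMON, "Undelivered Mail Returned to Sender",
                   "A message you never sent could not be delivered.")
OWN_BOUNCE = make(DAEMON, "Undelivered Mail Returned to Sender",
                  "Your message to typo@example.org could not be delivered.")
PERSONAL = make("Alice <alice@example.org>", "Lunch?", "Noon works for me.")
BIG_BOUNCE = make(DAEMON, "Undelivered Mail Returned to Sender", "x" * 60000)

if __name__ == "__main__":
    samples = {"backscatter": BACKSCATTER, "own bounce": OWN_BOUNCE,
               "personal": PERSONAL, "big bounce": BIG_BOUNCE}
    for name, msg in samples.items():
        print(f"{name:12} option1={route(msg, True, False)} "
              f"option2={route(msg, False, True)}")
```

The backscatter notice and the bounce for mail you really sent carry the same daemon headers, so the first option discards both, while the second option only helps for daemon mail under the 51200-byte limit.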