This morning I could not open my mailbox. The error message said something about insufficient memory. With command line mail I deleted a handful of the obvious spam messages. I still had 938 messages left in my mail spool directory! This time I could open my mailbox in mozilla but it took the best part of 10 minutes. Another 20 minutes for the junk filter to do its admirable job - it just left 14 messages in my inbox. With my perl IP address filter aimed at the Junk directory I could see instantly that 909 out of that pile came from a single machine. perl -ne 'if (/(d+.\d+.\d+.\d+)]/) {print "$1\n";}' .mozilla/.../Junk|
gawk '{addr[$1]++} END {for (i in addr) print addr[i] " " i}'|
sort -n...
26 24.127.113.172
909 24.200.149.14
...
That IP address has been blocked now in my mail daemon. But that was no solution. On dial-up lines IP addresses don't mean a thing. Anything in an email to be sent can be wrong or forged. The only part that cannot be forged is the sender's IP address while the message is being sent. On dial-up lines the IP address is given to the next customer after the current one hangs up.
Hence, I reluctantly added a body_check to postfix that filters on executable files in the message being received: /^s+(file)?name="?.+\.(pif|exe|com|bat|scr)"?s*$/
I admit that it is not fool-proof: spam writers can get around it by added an innocuous space character (false negatives) and legitimate email that happens to fit that pattern will be rejected (false positives). But I have had enough of spam!
9:10:35 AM 
|
