9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] yahoo calendar spam
@ 2009-02-15 17:25 erik quanstrom
  2009-02-15 23:08 ` erik quanstrom
  2009-02-15 23:22 ` Russ Cox
  0 siblings, 2 replies; 4+ messages in thread
From: erik quanstrom @ 2009-02-15 17:25 UTC (permalink / raw)
  To: 9fans

i'm getting 100-200 connections per hour from
yahoo calendar with nigerian spam stuff.  here's
the least aggressive patch fix i could think of
without modifying smtpd to also get the reply-to
address.  unfortunately, this means that all mail
from yahoo calendar is blocked.  but it's better
than blocking all of yahoo.

this change is in /n/sources/contrib/quanstro/src/nupas.

the funky eval is to allow regular expressions in the list.

; diffy validatesender
20a21,25
> # these particular senders are blacklisted
> # motivated by the fact that yahoo calender
> # is compromised.
> dropuser=(reply.yahoo.com!calendar-invite)
>
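
Review bot: the comment above dropuser should say what form an entry takes and how it is matched, because the list is consumed by the ~ test added in the second hunk. State that each entry is domain!user and that wildcard characters in an entry are treated as shell patterns, so a later editor does not add an entry that matches more than intended. The comment also spells "calendar" as "calender".
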
57a63,65
>
> if(eval ~ $dom!$addr $dropuser)
> 	exit 'member of dropuser list'
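
Review bot: in the if line, $dom!$addr is expanded before eval runs, so eval re-parses the sender's value as rc input. A sender containing characters that are special to rc would then alter the command being evaluated instead of simply failing to match. Keep the subject out of the re-parse by quoting it, as in eval ~ '$dom!$addr' $dropuser, so that only the list entries are rescanned for wildcards.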

- erik




* Re: [9fans] yahoo calendar spam
  2009-02-15 17:25 [9fans] yahoo calendar spam erik quanstrom
@ 2009-02-15 23:08 ` erik quanstrom
  2009-02-15 23:22 ` Russ Cox
  1 sibling, 0 replies; 4+ messages in thread
From: erik quanstrom @ 2009-02-15 23:08 UTC (permalink / raw)
  To: 9fans

grr.  rc quoting is simple compared to bourne quoting,
but that doesn't make it simple in the face of eval.

> > if(eval ~ $dom!$addr $dropuser)
> > 	exit 'member of dropuser list'

that should actually be

	if(eval ~ '$dom!$addr' $dropuser)
		exit 'member of dropuser list'

to handle odd envelope senders such as occur
on mailing lists.

- erik




* Re: [9fans] yahoo calendar spam
  2009-02-15 17:25 [9fans] yahoo calendar spam erik quanstrom
  2009-02-15 23:08 ` erik quanstrom
@ 2009-02-15 23:22 ` Russ Cox
  2009-02-15 23:45   ` erik quanstrom
  1 sibling, 1 reply; 4+ messages in thread
From: Russ Cox @ 2009-02-15 23:22 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

On Sun, Feb 15, 2009 at 9:25 AM, erik quanstrom <quanstro@quanstro.net> wrote:
> i'm getting 100-200 connections per hour from
> yahoo calendar with nigerian spam stuff.  here's
> the least aggressive patch fix i could think of
> without modifying smtpd to also get the reply-to
> address.  unfortunately, this means that all mail
> from yahoo calendar is blocked.  but it's better
> than blocking all of yahoo.
>
> this change is in /n/sources/contrib/quanstro/src/nupas.
>
> the funky eval is to allow regular expressions in the list.

i assume you mean shell wildcards,
which are not regular expressions in
the regexp(6) sense of the word.

>> dropuser=(reply.yahoo.com!calendar-invite)
>>
>> if(eval ~ $dom!$addr $dropuser)
>>       exit 'member of dropuser list'

despite your comment i don't understand why you
are messing with eval here.  using eval is almost
always wrong.

; dropuser=(reply.yahoo.com!calendar-invite)
; addr=reply.yahoo.com!calendar-invite
; if(~ $addr $dropuser) echo drop
drop
;

russ



* Re: [9fans] yahoo calendar spam
  2009-02-15 23:22 ` Russ Cox
@ 2009-02-15 23:45   ` erik quanstrom
  0 siblings, 0 replies; 4+ messages in thread
From: erik quanstrom @ 2009-02-15 23:45 UTC (permalink / raw)
  To: 9fans

> i assume you mean shell wildcards,
> which are not regular expressions in
> the regexp(6) sense of the word.

yes, my mistake

> >> dropuser=(reply.yahoo.com!calendar-invite)
> >>
> >> if(eval ~ $dom!$addr $dropuser)
> >>       exit 'member of dropuser list'
>
> despite your comment i don't understand why you
> are messing with eval here.  using eval is almost
> always wrong.

true.  however, this list of exceptions is one of
several.  rather than put the lists inline with the
code, i thought it would be easier to read and
modify with the lists at the top.  also, most of
the other lists do need some sort of wildcarding.
for example,

	# ignore spf mismatches from these domains
	spfign=(*.bell-labs.com mac.com)

the full script is /n/sources/contrib/quanstro/nupas/bits/verifysender
i thought it more understandable to treat all
the lists in the same way, rather than make
special cases.

a way of avoiding eval that wasn't more convoluted
wasn't apparent to me at the time.

- erik



