Spam with an empty FROM header
Aaron O'Neil
08-29-2001, 03:20 PM
I'm getting repeated SirCam attachments from the same site, and many of them. I've written the site and they won't even reply to my emails. Since 8/24/01 I've received 56 of them (over 10 a day!).
I've read a couple of the threads below about the |bouncesaying, but that relies on the FROM header actually having an address. The email I'm getting has an empty FROM.
Is there a way to filter the mail based on the delivery headers? Below is the header of one of the emails:
Status: U
Return-Path: <>
Received: from rasmus.futurequest.net ([63.151.112.3])
by merlin (EarthLink SMTP Server) with SMTP id tol9ld.ile.37tiu4s
for <arithon@earthlink.net>; Mon, 27 Aug 2001 12:59:41 -0700 (PDT)
Received: (qmail 6454 invoked by uid 45900); 27 Aug 2001 20:00:03 -0000
Delivered-To: xmud_master-sk@mud-master.com
Received: (qmail 6426 invoked from network); 27 Aug 2001 20:00:02 -0000
Received: from unknown (HELO exchsrvb.cua.edu) (136.242.11.82)
by rasmus.futurequest.net with SMTP; 27 Aug 2001 20:00:02 -0000
Received: from cx1219515-a.resnet.cua.edu (136.242.123.167 [136.242.123.167]) by exchsrvb.cua.edu with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21)
id RHCVV7D0; Mon, 27 Aug 2001 15:54:41 -0400
From:
To: sk@mud-master.com
Subject: FinAid
date: Mon, 27 Aug 2001 15:59:58 -0500
MIME-Version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Content-Type: multipart/mixed; boundary="----0FBED45B_Outlook_Express_message_boundary"
Content-Disposition: Multipart message
Message-Id: <200108271259.tol9ld.ile.37tiu4s@merlin>
Aaron
manish
08-29-2001, 05:49 PM
Try to look through this thread:
http://www.aota.net/forums/showthread.php?threadid=8978
Sheila has a very good description of how to use python filters to do what you are asking. Basically, she looks for certain lines in the body itself instead of looking at the headers.
Alternatively, you can search through the list of the Received: headers to search for the domain. Post a message back if you cannot get it to work with Sheila's filters.
Manish
PS Sheila, have you tried implementing your filters with MIME attachments as opposed to text/plain? I believe that there is a completely different library to handle them.
sheila
08-29-2001, 06:21 PM
The SirCam filter that manish refers to above only looks for some lines in the message body. It is not fool-proof, but seems in practice to have done what most people wanted.
If you want to do something more specific for this particular case, it seems to me I would try to get the content of the Received lines and see if any of them contain this string:
exchsrvb.cua.edu
That seems to be the mail server that is forwarding the messages to your FutureQuest account.
PS Sheila, have you tried implementing your filters with MIME attachments as opposed to text/plain? I believe that there is a completely different library to handle them.
No, that hasn't been necessary up until now, although it is something I will probably eventually look into.
Python has a few modules for working with Mime types and Mime messages. This one looks especially handy for parsing Mime e-mail:
http://www.python.org/doc/current/lib/module-mimetools.html
At the moment, I just don't have a need.
Aaron O'Neil
08-30-2001, 04:18 AM
Thanks for the tips.
I don't know python, so I started from your sample you posted Sheila; which was a big help. From there it wasn't hard to figure out how to make it do what I needed.
Here is what I ended up with. Let me know if you see anything bad/wrong/inefficient about it. I'm used to C++, python looks a little funky to me, but not terribly hard to figure out. I tested it first by feeding it headers from a file I created, thinking I could see any error output, but I dunno if that is the best way to test it. I had it filter email from one of my other accounts and it seems to be bouncing it properly so I guess all is well.
import sys
import rfc822
import string

# Parse just the headers of the message qmail pipes to us on stdin.
header = rfc822.Message(sys.stdin, 0)
# Every Received: line (continuation lines included), newest hop first.
lstReceived = header.getallmatchingheaders('Received')
for line in lstReceived:
    # A match exits 0, which tells bouncesaying to reject the message.
    if string.find(line, 'from cx1219515-a.resnet.cua.edu') != -1:
        sys.exit(0)
# No match: a non-zero exit lets the delivery continue as normal.
sys.exit(1)
Aaron
Sorry, this is not a reply to the original post, but a variation on the problem. I keep getting a virus (not SirCam) attached to a completely empty e-mail; no sender, no address, no nothing. Here are the headers:
Return-Path: <>
Delivered-To: xenglishlearner-elek@englishlearner.com
Received: (qmail 15343 invoked from network); 30 Aug 2001 13:19:57 -0000
Received: from unknown (HELO -) (212.253.80.14)
by x24.futurequest.net with SMTP; 30 Aug 2001 13:19:57 -0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VET6RKDYBG127W5UR4DURWTIR41"
This is the latest in the series, but all the others are the same. How do I filter this out?
Thanks,
Elek
sheila
08-30-2001, 11:35 AM
Originally posted by Aaron O'Neil:
I tested it first by feeding it headers from a file I created, thinking I could see any error output, but I dunno if that is the best way to test it.
That's how I usually test mine. First, on my home machine, I make some test message in a file and feed that to my script. Once I get it working that way, I put it in a .qmail test file (not for my main account) on my FQuest space. Something like .qmail-test or something like that. Then I send test mail to that address (i.e. test@mydomain.com) and see if it is working correctly. If it passes all of that, then I put it on my main account and test it there, too. If all of that works, then I figure it's OK. (E-mail is very important to me. I can't afford to miss any of it.)
Your script looks fine to me. That's probably how I would have done it.
sheila
08-30-2001, 11:37 AM
Originally posted by Elek:
Return-Path: <>
Delivered-To: xenglishlearner-elek@englishlearner.com
Received: (qmail 15343 invoked from network); 30 Aug 2001 13:19:57 -0000
Received: from unknown (HELO -) (212.253.80.14)
by x24.futurequest.net with SMTP; 30 Aug 2001 13:19:57 -0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VET6RKDYBG127W5UR4DURWTIR41"
That's a tough one. Not a lot of information to go on.
Is it possible that they all have a line like this:
Received: from unknown (HELO -) (212.253.80.14)
by x24.futurequest.net with SMTP; 30 Aug 2001 13:19:57 -0000
???
If the IP address 212.253.80.14 appears in all of them, then you could filter on that. Otherwise, I don't know what to suggest.
manish
08-30-2001, 02:08 PM
Here's what I do to test my scripts:
I have a text file with a test email (let's call it testmail.txt) with the correct headers and body. I then run python on the server on the command line and look at the output of the script right there.
For example, if my script was test.py, I run
python test.py < testmail.txt
This will behave exactly like the actual email except that the email is now in a file instead of standard input.
You can add multiple print statements in your test.py files which will print right to the command line or print stuff to a file for debugging.
I caught most of my syntax errors on the command line. I added the script to the .qmail file after testing it with various scenarios in the testmail.txt file (without sending too many emails :) )
Manish
wharris
09-05-2001, 10:45 AM
There is a new SirCam variant floating around that begins with the subject line "As per your request!" and has a message that is somewhat generic:
"Please find attached file for your review. I look forward to hear from you again very soon. Thank you."
Adding that rather long line to Sheila's SirCam script doesn't seem to filter emails with that same line in the body, probably because of random line breaks inserted by the sending email client.
A simple solution might be to key on the variant's subject line "At your request!" With the exclamation point, that is a pretty spammy opener, so it would not likely filter any legitimate messages. Is there a way to key on certain subject lines in Sheila's SirCam script? I am Python-challenged.
Better yet, is there a way to bounce messages with .exe file extensions to specific email accounts?
Thanks,
Wayne
manish
09-05-2001, 11:32 AM
Try to adapt this into your script. This is in no way perfect. You might have to mess around with it a little bit.
Have fun,
Manish
import sys
import rfc822
import string

# Subject lines to reject; add more entries as new variants show up.
BadSubList = ["At your request!"]

headers = rfc822.Message(sys.stdin, 0)
# getrawheader() returns None when there is no Subject: header at all,
# so fall back to an empty string instead of crashing on such messages.
sub = headers.getrawheader("Subject") or ""
for badsub in BadSubList:
    if string.find(sub, badsub) > -1:
        sys.exit(0)   # match: bouncesaying rejects the message
sys.exit(1)           # no match: deliver normally
wharris
09-05-2001, 02:46 PM
Manish, you da man! Pasted snippets of your code into the appropriate places in Sheila's script and it tested perfectly. Thanks to Sheila as well. :)
Important correction to my earlier post: The subject line of the offending bug is "As per your request!", not "At your request!"
Wayne
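Pulling the three checks discussed in this thread together (the Received: relay check, Manish's subject list, and Wayne's question about .exe attachments, which is where the MIME parsing Manish and Sheila mention comes in), as an added example rather than one of the scripts posted here. It uses the Python 3 standard email package instead of the old rfc822 module; the relay host, IP and subject are the values quoted above, while the sample message and the extension list are constructed for the example.

```python
import email
import email.policy
import sys
# Added example, not a script from the thread. The relay host, IP and subject
# are the values quoted in the thread; the sample message below is constructed.
BLOCKED_RELAYS = ["exchsrvb.cua.edu", "212.253.80.14"]
BAD_SUBJECTS = ["As per your request!"]
BAD_EXTENSIONS = (".exe",)

# Constructed sample: empty From:, a folded Received: line, an .exe attachment.
SAMPLE = """Return-Path: <>
Received: from unknown (HELO exchsrvb.cua.edu) (136.242.11.82)
  by rasmus.futurequest.net with SMTP; 27 Aug 2001 20:00:02 -0000
From:
Subject: FinAid
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="FinAid.doc.exe"
Content-Disposition: attachment; filename="FinAid.doc.exe"

--b1--
"""

def filter_reason(msg):
    """Return why the message should be bounced, or None to deliver it."""
    # 1. Every Received: line, whitespace-normalised so folded host names match.
    for received in msg.get_all("Received", []):
        flat = " ".join(str(received).split())
        for relay in BLOCKED_RELAYS:
            if relay in flat:
                return "relayed via " + relay
    # 2. Subject:, with a missing header (as in the empty mails) treated as "".
    subject = msg.get("Subject") or ""
    for bad in BAD_SUBJECTS:
        if bad in subject:
            return "subject contains " + repr(bad)
    # 3. The declared file name of every MIME part, whatever its nesting depth.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(BAD_EXTENSIONS):
            return "attachment " + name
    return None

def reason_for_text(raw):
    # Parse a raw message held in a string and run the filter over it.
    return filter_reason(email.message_from_string(raw, policy=email.policy.default))

if __name__ == "__main__":  # read the mail from stdin, as the thread's scripts do
    reason = reason_for_text(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE)
    sys.exit(0 if reason else 1)  # 0 makes bouncesaying reject it; 1 delivers
```

Run it as `python3 filter.py < testmail.txt`, the same way Manish tests his scripts; with no input it checks the built-in sample.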