2005-06-21

Filter Out Paypal Phishing Scams from a Mailing List with qmail + maildrop

It's no secret that I run qmail and I'm subscribed to several mailing lists of varying quality, quantity, and signal-to-noise ratio. Recently, I've been doing some work on my Binc installs, and there has been, coincidentally, a large influx on the Binc mailing list of Paypal phishing mail. (This is one of the biggest advantages to sorting your incoming mail by envelope recipient: Paypal is not going to send you an account update request to an address you never gave them.) Here's how you can filter out bogus Paypal requests to your favorite mailing lists.

Let's start with the basics: you're on the Binc IMAP mailing list. When you joined the Binc list, you gave them a unique address that you use exclusively for that list, and mail is not delivered to your inbox, but rather to its own Maildir-style folder: "./Maildir/.Binc-list/". With qmail, this configuration is very easy to use.

  $ echo "./Maildir/.Binc-list/" > ~/.qmail-12345-binc

You've just created the e-mail address "yourname-12345-binc@yourserver.dom". Subscribe to the Binc list with this address and, since it's customized with a little cookie and the "binc" designation, you'll never be tempted to reuse it for something else. It goes without saying that you're not going to provide this address to Paypal, and thus Paypal is not going to contact you at this address for their official communications with you. Furthermore, if mail from Paypal does end up in your Binc-only mailbox, you can be reliably certain that it is not authentically Paypal talking to you.

But those messages will still show up. Why? Because the Binc list is getting phished, and so everyone is getting those messages. The Binc administrator might be able to do something about it, but it looks like he isn't.

So it's up to you. Fortunately, it's easy to filter with the maildrop MDA software.

I've spoken in the past about how to filter your mailing lists to silently remove all messages from a particular user based on his name. It's not perfect, but it's surprisingly effective, especially when filtering with "Varhoul J. Krananajad" and not "Rob Smith". It's the same thing here, only our "user" is named "Paypal".

Step one: check your facts:

  1. qmail is installed.
  2. maildrop is installed.
  3. You are subscribed to the Binc list with the address "yourname-12345-binc@yourserver.dom". This address was created by making a file named "~/.qmail-12345-binc".
  4. The Binc list mail is delivered to your local Maildir, "./Maildir/.Binc-list/". This folder is listed in the "~/.qmail-12345-binc" file.

Step two: create a maildrop mailfilter. Mine is called "~/.mailfilter-no-paypal" and looks like this:

  $ cat ./.mailfilter-no-paypal
  # log all activity to a file
  logfile "./.droplog"

  # Gotta love 'em. And by love I mean hate.
  if (/^(To|From|Cc):.*[Pp]aypal.*/:h)
   to /dev/null

  if (/^Delivered-To:.*yourname-12345-binc@yourserver\.dom/:h)
   to "./Maildir/.Binc-list/"

  # default: everything else goes to the inbox
  to "./Maildir/"

Note that qmail puts a "Delivered-To:" line on every message it delivers, and since this line is generated by your own MTA and based on the message envelope recipient, I think it's a good bit more reliable than going with whatever you may find in the (arbitrary) "To:" field. The "To:" field is not even required to exist on a valid message. (Gotta love RFC 822 and RFC 2822.)
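As an added illustration (not part of the original post, and not maildrop itself), here is a small Python model of the three-way decision the filter above makes, run over constructed sample messages. It reproduces maildrop's ":h" behaviour of testing each pattern against header lines only, so a list post that merely mentions Paypal in its body stays in the Binc folder, while the phish and a message delivered to some other address go where the filter sends them.

```python
import re
from email import message_from_string

# The two rules from ~/.mailfilter-no-paypal, tried in order, then the
# default. With maildrop's :h flag each pattern is applied to the header
# lines only, never to the body, so that is what route() reproduces.
RULES = [
    (re.compile(r"^(To|From|Cc):.*[Pp]aypal.*"), "/dev/null"),
    (re.compile(r"^Delivered-To:.*yourname-12345-binc@yourserver\.dom"),
     "./Maildir/.Binc-list/"),
]
DEFAULT = "./Maildir/"

def route(raw_message):
    """Return the delivery target the filter would choose for one message."""
    msg = message_from_string(raw_message)
    # Rebuild "Name: value" lines so the ^-anchored patterns see what
    # maildrop sees when it walks the header line by line.
    header_lines = [f"{name}: {value}" for name, value in msg.items()]
    for pattern, target in RULES:
        if any(pattern.search(line) for line in header_lines):
            return target
    return DEFAULT

# Constructed sample messages (not real mail) in the shape qmail delivers:
# the Delivered-To line is prepended by the local MTA from the envelope.
PHISH = """Delivered-To: yourname-12345-binc@yourserver.dom
From: "PayPal" <service@paypal.example>
To: yourname-12345-binc@yourserver.dom
Subject: Please update your account

Click here to verify your account.
"""

LIST_POST = """Delivered-To: yourname-12345-binc@yourserver.dom
From: Some User <user@example.net>
To: binc-list@example.org
Subject: Maildir locking question

Unrelated: has anyone else seen the paypal mails on this list lately?
"""

OTHER = """Delivered-To: yourname-99999-other@yourserver.dom
From: friend@example.net
To: yourname-99999-other@yourserver.dom
Subject: hello

Just saying hi.
"""

if __name__ == "__main__":
    for name, text in (("phish", PHISH), ("list post", LIST_POST), ("other", OTHER)):
        print(f"{name:9} -> {route(text)}")
```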

Step three: now that the filter exists, you must change its permissions. maildrop will complain if your mailfilter is world-readable:

  $ chmod 0600 ./.mailfilter-no-paypal

Step four: connect the filter to the incoming list messages. This is as easy as editing "~/.qmail-12345-binc". Copy .qmail-12345-binc to .qmail-12345-binc.new and edit the copy. Specifically, change the line:

  ./Maildir/.Binc-list/

to

  |preline maildrop ./.mailfilter-no-paypal

Now move .qmail-12345-binc.new back to .qmail-12345-binc. Editing the dot-qmail file directly may result in botched mail deliveries since you'd be changing a file that can be read at any moment, based solely on incoming mail from the Binc list. Editing a temp file and then moving the temp file into place avoids this potential problem.

Now you're done. Instead of being written to ./Maildir/.Binc-list/ directly, new mail from the Binc list will be filtered through your new maildrop filter and either be written to your Binc folder, trashed, or written to your inbox if there's a problem.
