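# junkfilter
# a junkmail filter system for procmail
# Copyright 1997, Gregory Sutter
# and Matthew Hunt
#
# Please read the file "rc.junk.readme" and the page
# http://www.pobox.com/~gsutter/junkmail/ before using
# junkfilter.  junkfilter is copyright 1997 Gregory Sutter
# and Matthew Hunt.  All rights reserved.
#
# How to read this file: every recipe is a non-delivering header test
# (or, in the Body-checking section, a body test) whose only effect is
# to set SPAMMER to a short reason string.  Recipes whose condition
# contains "\/" copy the matched text into $MATCH, so SPAMMER then holds
# text taken straight from the incoming message.  Whatever consumes
# SPAMMER after this file (not shown here) must treat it as untrusted,
# mail-controlled data -- e.g. never interpolate it unquoted into a
# shell command.
# Conditions of the form "* $ $VAR^0" use procmail scoring: the expanded
# weight applied to an always-matching empty regexp, so the block only
# runs when VAR (set in rc.junk.config) expands to a positive number.

INCLUDERC=$JFDIR/rc.junk.config

# Begin recipes

# Kills anything from an impossible IP address: a bracketed address
# containing a three-digit octet of 256 or more, or one with a leading 0.
:0
* ^Received.*\[[0-9\.]*([03-9][0-9][0-9]|2[6-9][0-9]|25[6-9])
{ SPAMMER="forged Received: headers" }

# An invalid RFC 822 Message-Id: header
# NOTE(review): because the condition is negated, it also fires when the
# message has no Message-Id: header at all -- confirm that is intended.
:0
* !^Message-Id:[ ]*<[^ <>@]+@[^ <>@]+>[ ]*$
{ SPAMMER="invalid Message-Id:" }

# Invalid X-UIDL header (inserted by POP3 servers/clients).  Valid ones have
# exactly 32 hexadecimal characters.  The first condition makes sure the
# header exists, the second that it is malformed, the third skips
# resent mail.
:0
* ^X-UIDL:
* !^X-UIDL:[ ]*[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][ ]*$
* !^Resent-To:
{ SPAMMER="invalid X-UIDL" }

# Checks date.  Because -0600 is either CST, MDT, or water, NOTHING should
# ever have a time-zone of "-0600 (EST)".
:0
* ^Received:.* -0600 \(EST\)
{ SPAMMER="invalid datestamp" }

# junk mail / mail bomb software.  The D flag makes this match
# case-sensitive; "\/" captures the whole matching header into $MATCH.
:0D
* ()\/^(Received|Message-Id|X-Mailer):.*(Aristotle|Avalanche|bulk_mailer|Cyber-Bomber|Emailer Platinum|eMerge|Extractor|e-Merge|Floodgate|from stealth|fusion|Mach10|MassE-Mail|massmail\.pl|NetMailer|Powermailer|Quick Shot|RAF|Ready Aim Fire|RIME|WinNT\'s Blat|WorldMerge)
{ SPAMMER="junkmail software: $MATCH" }

# X-Advertisement header.  Anchored to the start of a header line so the
# test is on the header name itself, not on the string turning up inside
# some other header such as Subject:.
:0
* ^X-Adverti[sz](e)?ment:
{ SPAMMER="X-Advertisement header" }

# Claiming to be someone you're not, eh?  Perhaps...
# Testing.  Please let me know if this rule captures legitimate mail.
:0
* ()\/^X-Authentication-Warning:.*claimed to be
{ SPAMMER=$MATCH }

# Better filter for forged AOL mail.
# Testing.  Please let me know if this rule captures legitimate mail.
# Currently disabled: the ":0" line is commented out along with its
# conditions and action so that no recipe header is left dangling
# without conditions or an action of its own.
#:0
#* ^From:.*@aol\.com
#* !^From:(.*".*")? ?
#* !^From:.*MAILER-DAEMON@aol\.com
#{ SPAMMER="forged AOL" }

# Bad From: or Reply-To: headers
# NOTE(review): "From" has no colon here, so the envelope "From " line is
# matched as well as "From:" -- presumably deliberate.
:0
* ^(From|Reply-To:).*\<(no@reply|noreply|Reply@By\.Mail|do@not(\.reply)?)
{ SPAMMER="bad From: header" }

# Pegasus mailer is the only mailer which legitimately generates
# "Comments: Authenticated sender is ..." so kill anything else.
:0
* ^Comments:.*Authenticated sender
* !^X-Mailer:.*Pegasus Mail
* !^Resent-To:
* !^Return-Path:.*owner-
{ SPAMMER="forged Pegasus auth" }

# "unknown host" is not a valid Received: header
:0
* ^Received:.*unknown host
{ SPAMMER="forged Received: header" }

# Some spammers have Ad: or Advertisement: in the subject.
:0
* ^Subject: Ad(verti[sz]e?ment|[ :])
{ SPAMMER="put an Ad in the subject" }

# The netblocks in the recipes below (and in the AGIS recipe in the
# STRICT section) are as listed in the 1997 release.  Address
# allocations change hands, so re-check them before relying on them.

# IAAVC... porn spammers
:0
* ^Received:.*208\.202\.29\.[0-9][0-9]?[0-9]?
{ SPAMMER="IAAVC" }

# Quantum Communications (even though AGIS is totally filtered already)
:0
* ^Received:.*209\.14\.30\.[0-9][0-9]?[0-9]?
{ SPAMMER="Quantcom" }

# Webcommerce
:0
* ^Received:.*204\.183\.199\.[0-9][0-9]?[0-9]?
{ SPAMMER="Webcommerce" }

# PPGsoft/Parallel Performance Group/Meridian Marketing Group
# run by Stuart Bar-On
:0
* ^Received:.*207\.40\.13\.21(6|7)
{ SPAMMER="PPG" }

# Sunset Direct
:0
* ^Received:.*205\.187\.161\.[0-9][0-9]?[0-9]?
{ SPAMMER="Sunset Direct" }

# Webdirect, a.k.a. CESMarketing, both .com or .ca
# Dots in the second address are escaped so they match only a literal dot.
:0
* ^Received:.*(207\.51\.50\.(2|5|6|12|200)[^0-9]|204\.174\.34\.2)
{ SPAMMER="WebDirect" }

# Check to see if spammer is from a known spam domain.
# The outer condition presumably skips the block when DOMAINS (from
# rc.junk.config) is empty -- verify against rc.junk.config.  The inner
# "$" condition expands DOMAINS into the regexp and "\/" copies the
# matching domain into $MATCH.
:0
* $ $DOMAINS ?? .
{
:0
* $^(((Resent-|Apparently-)?From|(X-)?Sender|Reply-To|Return-Path|(X-)?Envelope-From).*@|Received:)(.*\<)?\/($DOMAINS)(\>)
{ SPAMMER="domain: $MATCH" }
}

# Have we had big problems from you before?
# Same structure as the domain check above, against the sender headers
# only (no Received:), with ADDRESSES from rc.junk.config.
:0
* $ $ADDRESSES ?? .
{
:0
* $^((Resent-|Apparently-)?From|(X-)?Sender|Reply-To|Return-Path|(X-)?Envelope-From)(.*\<)?\/($ADDRESSES)(\>)
{ SPAMMER="address: $MATCH" }
}

# unsetting these large variables apparently fixes a
# bug with some people's systems.  Weird, eh?
# (A bare variable name on a line of its own unsets it.)
DOMAINS
ADDRESSES

# Begin STRICT section
:0
* $ $STRICT^0
{
# Kills everything from AGIS.net
# Not all AGIS customers are spammers, but almost all are.
#Here's what's covered in this recipe (for easy reading!):
#205.137.48-63.*, 205.254.160-191.*, 204.157.*.*, 204.130.243.*,
#204.137.128.0 - 204.137.223.255, 205.164.64.0 - 205.164.255.255,
#205.198.*.*, 205.199.*.*, 206.42.*.*, 206.43.*.*, 206.62.*.*,
#206.84.*.*, 206.85.*.*, 206.137.48.5, 206.148.*.*, 206.149.*.*,
#206.185.*.*, 206.249.*.*, 206.250.*.*, 207.142.*.*, 209.14.*.*
# One alternative per netblock; a trailing backslash continues the
# condition on the next line.
:0
* ^Received:.*(205\.137\.(4[89]|5[0-9]|6[0-3])\.|\
  205\.254\.1([678][0-9]|9[01])\.[0-9][0-9]?[0-9]?|\
  204\.157\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?|\
  204\.130\.243\.[0-9][0-9]?[0-9]?|\
  204\.137\.(12[89]|1[3456789][0-9]|2[01][0-9]|22[0123])\.[0-9][0-9]?[0-9]?|\
  205\.164\.(6[456789]|[789][0-9]|[1-2][0-9][0-9])\.[0-9][0-9]?[0-9]?|\
  205\.19[89]\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?|\
  206\.4[23]\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?|\
  206\.62\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?|\
  206\.8[45]\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?|\
  206\.137\.48\.5|\
  206\.14[89]\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?|\
  206\.185\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?|\
  206\.249\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?|\
  206\.250\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?|\
  207\.142\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?|\
  209\.14\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?)
{ SPAMMER="AGIS" }

# Post.office is not junk mail software, but it is commonly used
# to send junk mail: it is easier than sendmail and has
# no AUP.
# :0
# * ^Received:.*post.office MTA
# { SPAMMER="junkmail software: post.office MTA" }

# Mail relayed through someplace it shouldn't?
# Testing.  Please let me know if this rule captures legitimate mail.
# "\/" sits before the domain so $MATCH is just "psi.net", "ibm.com", etc.
:0
* ^Received:.*relay[0-9]?[0-9]?\.(smtp\.)?\/(psi|ibm)\.(net|com)
{ SPAMMER="relayed through $MATCH" }

# Forged mail from {hotmail, usa, juno}.  Has improper Received: headers.
:0
* ^From:.*@((hotmail|juno)\.com|usa\.net)
* !^(Received|Message-Id):.*((hotmail|juno)\.com|usa\.net)
{ SPAMMER="forged hotmail/usa/juno" }

:0
* ^Received:.*((hotmail|juno|bigfoot|rocketmail)\.com|usa\.net).*uu\.net
{ SPAMMER="forged bigfoot/hotmail/juno/rocketmail/usa" }

# Bad To: headers
# NOTE(review): the second recipe also matches every To: line this one
# does and then overwrites SPAMMER, so this first one appears to have no
# lasting effect on its own.
:0
* ()\/^To:.*(friend|friends|hello|thanks|VIP|you(r)?)@
{ SPAMMER=$MATCH }

:0
* ()\/^(From|(Reply-)?To):.*(friend|friends|friendz|hello|thanks|vip|you(r)?)@
{ SPAMMER="bogus address: $MATCH" }

# number@, @number.com or number@number.com address : spam.
# almost.  additions made to the exception list only as necessary.
:0
* ()\/^From: ([0-9]+@[0-9]+\.com|[0-9]+@|@[0-9]+\.com)
* !^From:.*@2600\.com
{ SPAMMER="numbers at numbers: $MATCH" }

# nowhere.com handles a lot of traffic.  Too bad it's all junk mail.
# Incidentally, I wonder what the real nowhere.com thinks of all this?
# Uses the FROM macro from rc.junk.config under "$" expansion, exactly as
# the BOFH recipe below does.  A literal "^FROM(...)" is not a procmail
# macro (only ^TO, ^TO_, ^FROM_DAEMON and ^FROM_MAILER are) and could
# never match a real header line.
:0
* $ $FROM(nowhere\.com)
{ SPAMMER="nowhere" }

# To: or Cc: header with more than 60 recipients.  Be cautious.
# "^TO_" is procmail's macro for the recipient headers; each ".*@.*,"
# below stands for one more address on the line.
:0
* ^TO_.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*,.*@.*
{ SPAMMER="sent to too many people" }
}
# End STRICT section

# Executed only if BOFH is set.
# Flags anything whose sender domain (via the FROM macro from
# rc.junk.config) is one of the free/consumer providers listed.
:0
* $ $BOFH^0
{
:0
* $ ()\/$FROM(earthlink\.net|aol\.com|hotmail\.com|rocketmail\.com|usa\.net|uu\.net|psi\.com|geocities\.com|tripod\.com|angelfire\.com|ml\.org|juno\.com|bigfoot\.com)
{ SPAMMER="from $MATCH" }
}
# End BOFH section

# Body checking section
:0
* $ $BODY^0
{
# Spammer crap in the body
# Outer condition presumably skips the block when BODYCHK (from
# rc.junk.config) is empty; the B flag makes the inner recipe match
# against the body instead of the header.
:0
* $ $BODYCHK ?? .
{
:0B
* $ ()\/($BODYCHK)
{ SPAMMER="body: $MATCH" }
}

# kills sequences of exclamation points on a line,
# except when a row of ! is used as a section delimiter.
# Scored: start at -16, subtract 64 more for a Path: header full of
# bangs, add 2 (doubling each time) per "!" found, and veto the whole
# thing if a long row of "!" is present.
:0B
* -16^0
* -64^0 ^Path:.*!.*!.*!.*!.*!
* 2^2 !
* ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
{ SPAMMER="multiple exclamation points" }

# if there is no lowercase in too much of the message...
# D keeps the match case-sensitive so [a-z] really means lowercase only;
# the score starts at -5 and the negated lowercase test adds 1^1.
:0BD
* -5^0
* 1^1 ![a-z]
{ SPAMMER="used too much capitalization" }

# Has an 800, 888 or 900 number in the message.  Needs score help.
#:0B
#* (1-|+1 |1)?(800|900|888)[- ]?[a-z0-9]+
#{ SPAMMER = "wants me to call" }
}
# End Body-checking section

# EOF rc.junk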