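# junkfilter
# a junk e-mail filter system for procmail
# Copyright 1997-98, Gregory Sutter
#
# $Id: junkfilter.four,v 2.7 1998/10/15 17:53:26 gsutter Exp $
#
# Please read the file "junkfilter.readme" and the page
# http://www.pobox.com/~gsutter/junkfilter/ before using
# junkfilter.  junkfilter is copyright 1997-98 Gregory
# Sutter and is licensed under the terms of the GNU
# General Public License, version 2.  See the file
# junkfilter.readme for details.

# Four is the testing section.  All recipes in beta.  Careful!
#
# Every recipe below follows one shape: on a hit it sets JFMATCH to
# "<section>: <reason>" and includes $JFDIR/junkfilter.match, which is
# not part of this file and decides what happens to the message.
#
# NOTE(review): in this copy every whitespace class reads "[ ]" (a single
# space), while the recipe comments speak of "spaces or tabs".  A class
# holding only a space lets a tab-separated header slip past the
# patterns -- confirm against the distributed file that each class holds
# both a space and a tab.

JFSEC=4

# Multiple addresses in From: without single address in Sender:
:0
* $ ^From:.*$JFADDR$JFWS?,$JFWS?$JFADDR+
* $ ! ^Sender:$JFWS$JFADDR$JFWS$JFNL
{
  JFMATCH="$JFSEC: Invalid From: header"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Capital Bogosity In E-Mail Is A Near-Sure Sign Of Spam
# Thanks, Era Erikkson and Phil Hord
# (disabled: the whole recipe is commented out)
#:0D
#* -59^0
#* 1^1 B ?? [-a-z'][,:;]?[ ]+[A-Z][-a-z']
#* 8^1 B ?? ()\<[A-Z][-a-z']+[,:;]?[ ]+[A-Z][-a-z']+[,:;]?[ ]+[A-Z][-a-z']+[,:;]?
#{ JFMATCH="$JFSEC: Capital Bogosity" INCLUDERC=$JFDIR/junkfilter.match }

# If only one Received: header AND from a common dialup, junk. (RFMS again)
# Thanks Rik Kabel
# Scoring: start at 2 and subtract 1 for each Received: line, so the score
# stays positive only when a single Received: header is present.  The two
# MATCH conditions then narrow MATCH to the host name inside the
# parentheses of that header; the leading backslash in "\\/" is procmail's
# start-of-condition quote, so the expression that remains is "\/[^ ]+".
:0
* 2^0
* -1^1 ^\/Received:.*
* $ MATCH ?? from [ ]+(($JFIPNUM\.)+|[-0-9a-z]+|$JFDIALUPS)[ ]+\(\/[-0-9a-z\.]+[ ]
* MATCH ?? \\/[^ ]+
{
  JFMATCH="$JFSEC: RapidFire Mail Server: $MATCH"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Hosts claiming to be other hosts... note trailing space
# JFHOSTREAL is taken from the "Host <name>" part of the warning (the name
# the receiving MTA recorded); JFHOSTCLAIM is taken from the part after
# "claimed to be" (the name the peer announced).
# NOTE(review): JFDOMDAM is used three times here while every other recipe
# uses JFDOMNAM.  If JFDOMDAM is not defined in the configuration it
# expands to nothing and the sub-domain group degrades to "(\.)*" --
# confirm whether JFDOMNAM was intended.
:0
* $ ^X-Authentication-Warning:.*Host ($JFDOMDAM\.)*\/($JFDOMNAM)\.($JFTLD)\>
{
  JFHOSTREAL=$MATCH

  :0
  * $ ^X-Authentication-Warning:.*Host ($JFDOMDAM\.)*($JFDOMNAM)\.($JFTLD)\>[ ]+\[$JFIPNUM\.$JFIPNUM\.$JFIPNUM\.$JFIPNUM\][ ]+claimed to be[ ]+(($JFDOMDAM\.)*\/($JFDOMNAM)\.($JFTLD)|\[$JFIPNUM\.$JFIPNUM\.$JFIPNUM\.$JFIPNUM\])\>
  {
    JFHOSTCLAIM=$MATCH

    # NOTE(review): as written, the condition below has no "$" flag and no
    # "$" in front of JFHOSTCLAIM, so it tests the value of JFHOSTREAL
    # against the literal text "JFHOSTCLAIM".  That text will not occur in
    # a host name, so the negated test always succeeds and the recipe
    # fires even when both names agree.  In this copy the condition is
    # also broken across a line, so part of it may be missing -- restore
    # the intended comparison from the distributed file.
    :0
    * ! JFHOSTREAL ?? JFHOSTCLAIM
    {
      # The report names the recorded host first and the announced name
      # second; the earlier wording had the two variables swapped.
      JFMATCH="$JFSEC: X-Authentication-Warning: a host in $JFHOSTREAL claimed to be in $JFHOSTCLAIM"
      INCLUDERC=$JFDIR/junkfilter.match
    }
  }
}

# Multiple simultaneous spaces or tabs in From: header
# Hmmm... now requires three simultaneous.
:0
* ()\/^From:.*[-_a-z0-9]+[ ][ ][ ]+.*
{
  JFMATCH="$JFSEC: Spaces in From: header: $MATCH"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Hotmail mails all have this header
# note, I'm assuming you're not reading this mail at hotmail.com :)
# The dot in the domain is escaped so that it matches only a literal ".".
# The test only detects a missing X-Originating-IP: header; a message that
# carries the header is not thereby shown to be genuine, because a sender
# can add any header it likes.
:0
* $ $JFFROMREC.*hotmail\.com
* $ ! ^X-Originating-IP:$JFWS\[$JFIPNUM\.$JFIPNUM\.$JFIPNUM\.$JFIPNUM\]
{
  JFMATCH="$JFSEC: Forged hotmail.com address"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Empty To: header
:0
* $ ^To:$JFWS\(?${JFWS}?\)?${JFWS}[^a-z0-9]+
{
  JFMATCH="$JFSEC: Empty To header"
  INCLUDERC=$JFDIR/junkfilter.match
}

# From self, but Received: or Message-Id: outside local domain.
# Scoring: -1 for each Received: line naming the local mail domain and +1
# for every Received: line.
# NOTE(review): the last condition has no "$" flag and no "$" in front of
# JFLREC, so procmail reads "JFLREC^0 ^Received:" as a plain regular
# expression rather than as a weight taken from the JFLREC variable --
# confirm the intended form before relying on this recipe.
:0
* $ ^From:.*$JFMAILADDR
* -1^1 $ ^Received:${JFWS}from ($JFDOMNAM\.)*$JFMAILDOM
* 1^1 $ ^Received:
* JFLREC^0 ^Received:
{
  JFMATCH="$JFSEC: Forged header from self"
  INCLUDERC=$JFDIR/junkfilter.match
}

# One of these damn spam mailers leaves a distinctive signature
:0
* $ ^From:$JFWS[0-9][0-9][0-9][0-9]+\.$JFADDR
* $ ^To:$JFWS[0-9][0-9][0-9][0-9]+\.
* $ ^Subject:.*-[0-9][0-9][0-9][0-9]+$
{
  JFMATCH="$JFSEC: Sent by a not-tricky-enough junk email program"
  INCLUDERC=$JFDIR/junkfilter.match
}

# A bare variable name unsets it, so the section number does not leak
# into whatever rc file runs next.
JFSEC

# EOF junkfilter.four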