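# junkfilter
# a junk e-mail filter system for procmail
# Copyright 1997-1999, Gregory Sutter
#
# $Id: junkfilter.three,v 2.12 1999/02/02 08:01:44 gsutter Exp $
#
# Please read the file "junkfilter.readme" and the page
# http://www.pobox.com/~gsutter/junkfilter/ before using
# junkfilter.  junkfilter is copyright 1997-98 Gregory
# Sutter and is licensed under the terms of the GNU
# General Public License, version 2.  See the file
# junkfilter.readme for details.

# Section Three, recipes that catch some legitimate mail.
#
# Every recipe below follows the same shape: header conditions, then a
# nesting block that stores a human-readable reason in JFMATCH and hands
# off to $JFDIR/junkfilter.match (not part of this file).  JFDIR,
# JFMAILDOM, JFWS and JFTLD are expected to be set before this file is
# included; they are not defined here.
#
# NOTE(review): this copy was recovered from text whose line breaks and
# runs of whitespace had been collapsed.  Each "[ ]" class below holds a
# single space here; such classes are commonly written as space+tab in
# procmail recipes, so compare against a pristine junkfilter.three
# before deploying.

JFSEC=3

# Phil Guenther's Message-Id: rule
# modified by allowing a trailing "." after the domain...
# Fires when a Message-Id: header exists (its value is captured in MATCH)
# but does not have the <local-part@domain-or-[literal]> form.
:0
* ^Message-Id:\/.*
* ! ^Message-Id:[ ]*<[ ]*("([^"\]|\\.)*"|[-!#-'*+/-9=?A-Z^-~]+)\
    ([ ]*\.[ ]*("([^"\]|\\.)*"|[-!#-'*+/-9=?A-Z^-~]+))*\
    [ ]*@[ ]*\
    (\[[ ]*([^][\]|\\.)*[ ]*\]|\
    [-!#-'*+/-9=?A-Z^-~]+([ ]*\.[ ]*[-!#-'*+/-9=?A-Z^-~]+)*)\.?\
    [ ]*>
{
  JFMATCH="$JFSEC: Invalid Message-Id: $MATCH"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Message-ID added by an enroute or local mail machine
# The Message-Id is under $JFMAILDOM while the From: address is not.
# The last two conditions are weighted scores: each "Received: ... from"
# line adds 1 and each one naming a host under $JFMAILDOM in parentheses
# subtracts 1, so the recipe only proceeds when at least one hop was not
# handed over by a $JFMAILDOM host.
:0
* $ ^Message-Id:[ ]+<.*@([-_a-z0-9]+\.)*$JFMAILDOM>
* ^From:.*@
* $! ^From:.*@([-_a-z0-9]+\.)*$JFMAILDOM
* $ 1^1 ^Received:.*from
* $ -1^1 ^Received:.*from.*\(([-_a-z0-9]+\.)*$JFMAILDOM\>
{
  JFMATCH="$JFSEC: Message-Id added after initial transmission"
  INCLUDERC=$JFDIR/junkfilter.match
}

# AOL, Hotmail, Juno forged From: headers.
# From: claims one of these providers, no Received: line mentions it, and
# the mail did not come through an "owner-" list address.
# The "." before "com" is escaped so it only matches a literal dot.
# Heuristic only: From: and most Received: lines are written by the
# sending side, so a hit is a signal rather than proof of forgery.
:0
* ^From:.*@\/(hotmail|juno|aol)\.com
* ! ^Received:.*(hotmail|juno|aol)\.com
* ! ^Return-Path:.*owner-
{
  JFMATCH="$JFSEC: Forged From header from $MATCH"
  INCLUDERC=$JFDIR/junkfilter.match
}

# All-capitalized headers are used only by spam programs.
# and HP OpenMail.  Grrr....
# The D flag makes the match case-sensitive; mail carrying an X-OpenMail
# header is exempt.
:0D
* ! ^X-OpenMail
* ()\/^(FROM|TO|DATE|SUBJECT)
{
  JFMATCH="$JFSEC: $MATCH header in all caps"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Verify decent Date: line.  RFC822 and Real World taken into account.
# the first condition is full of very noncompliant mailers.
# The year alternative used to be (20)?[01][0-9], which rejects every
# four-digit year from 2020 on and so flags all current mail; it now
# accepts any 20xx year (and any two-digit year).
# The expression is not anchored at the end and the zone group is
# optional, so the time-zone part does not reject anything by itself.
:0
* ! ^X-Mailer:.*(Windows Eudora (Light|Pro) Version 3\.0\.[0-9] \(16\)|NetMailer v|PMMail 1\.[0-9]+ for OS/2)
* ! $ ^Date:$JFWS((Sun|Mon|Tue|Wed|Thu|Fri|Sat),$JFWS)?\
    (0?[1-9]|[12][0-9]|3[01])$JFWS\
    (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)$JFWS\
    ((19)?[789][0-9]|(20)?[0-9][0-9])$JFWS\
    (0?[0-9]|1[0-9]|2[0-3]):[0-5][0-9](:[0-5][0-9])?$JFWS\
    (([+-][0-1][0-4]([03]0|45))|("?\(?(UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-I]|[K-Z])\)?"?))?
{
  JFMATCH="$JFSEC: Bad Date line"
  INCLUDERC=$JFDIR/junkfilter.match
}

# ([+-][0-1][0-4]([03]0|45)|"?\(?(UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-I]|[K-Z])\)?"?)

# New New -0600 datestamp check
# Got to think of a better way to say "not MDT|CST", this one's a hack.
# NOTE(review): MATCH holds only the text after \/ , i.e. "-0600", and the
# second condition is a single bracket expression whose "(-0" range
# includes "-".  As written it looks like the negated test can never
# succeed, so this recipe would never fire -- confirm before relying on it.
:0
* ^(Date|Received):.* \/-0600
* ! MATCH ?? ^[(-0600 \((MD|CS)T\))]
{
  JFMATCH="$JFSEC: invalid datestamp: $MATCH"
  INCLUDERC=$JFDIR/junkfilter.match
}

# number@, @number.com or number@number.com address : spam.
# almost.  additions made to the exception list only as necessary.
# The dots in dcc.unicamp.br and rosmail.com are escaped so the exemption
# covers exactly those domains and nothing that merely resembles them.
# NOTE(review): the last condition references $JFTLD but carries no "$"
# flag, so procmail will not expand the variable there and the
# "@number.tld" alternative probably cannot match.  If expansion is
# intended the condition should start with "* $ ()\/^From:" -- left
# unchanged here because JFTLD is defined outside this file.
:0
* !^From:.*@((1776|2600|mcimail)\.com|brookes\.ac\.uk|bigred\.unl\.edu|.*\.disu\.edu\.ph|dcc\.unicamp\.br|(.*\.)*rosmail\.com)\>
* !^From:.*\<[0-7][0-7][0-7][0-7][0-7][0-7]?\.[0-7][0-7][0-7]?[0-7]?@compuserve\.com
* ()\/^From:.*([^-_(.%+a-z0-9][0-9.]+@|@[0-9.]+\.$JFTLD\>)
{
  JFMATCH="$JFSEC: Numbers at numbers: $MATCH"
  INCLUDERC=$JFDIR/junkfilter.match
}

# A bare variable name unsets it, so the section marker does not leak
# into whatever rcfile runs next.
JFSEC

# EOF junkfilter.three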