# junkfilter
# a junk email filter system for procmail
# Copyright 1997-2000 Gregory Sutter
#
# $Id: junkfilter.one,v 2.17 2000/11/30 08:31:07 gsutter Exp $
#
# Please read the file "README" and the page
# http://junkfilter.zer0.org/ before using junkfilter.

# This is junkfilter.one, 100% certainty spam catchers.
#
# Every recipe in this file has the same shape: when its conditions hold it
# stores a reason string in JFMATCH (prefixed with the section number JFSEC)
# and then includes $JFDIR/junkfilter.match.  What junkfilter.match does
# with the message is not visible from this file.
#
# The conditions are static header and body signatures.  Header text is
# written by the sending side, so a rule only catches senders that leave
# the marker in place.

# Section number that prefixes every JFMATCH reason set below.
JFSEC=1

# Kills anything from an impossible IP address
# Looks in a Received header for '[' followed by digits and dots and then
# a three-digit group that cannot be an IPv4 octet: 256-259, 260-299, or
# anything starting with 3-9.  The [03-9] class also accepts a leading 0,
# so zero-padded three-digit groups such as 010 match too.
# "()\/" at the start of the condition puts the whole matched text in MATCH.
:0
* ()\/^Received.*\[[0-9\.]*([03-9][0-9][0-9]|2[6-9][0-9]|25[6-9])
{
  JFMATCH="$JFSEC: Forged Received header: $MATCH"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Mail needs to have certain headers.
# The condition is negated and uses one alternation, so as written it
# holds only when the message has neither a From: nor a Date: header.
# NOTE(review): because the condition is negated, the block runs only when
# the pattern found nothing, so "\/" has nothing to capture.  $MATCH below
# presumably still holds whatever an earlier recipe stored - confirm, and
# consider a fixed reason string so the log names the right cause.
:0
* ! ()\/^(From|Date):[ ]*.*
{
  JFMATCH="$JFSEC: Missing necessary header: $MATCH"
  INCLUDERC=$JFDIR/junkfilter.match
}

# junk mail / mail bomb software
# D flag: the conditions are matched case-sensitively.
# First condition: an X-Mailer or X-Sender header contains one of the
# listed product names ending at a word boundary (\>); the name goes into
# MATCH.
# Second condition ("$" = expand variables first, "!" = negate): skip the
# message when the same name is followed by ".", optional further labels
# and $JFTLD, i.e. when the name looks like the first label of a host name.
# JFTLD is defined outside this file - presumably a pattern of top-level
# domains; verify.
:0D
* ^X-(Mailer|Sender):.*\/(Aristotle|Avalanche|Blaster|Bomber|DejaVu|DiffondiCool|eMerge|Extractor|E-Mail Magnet|Floodgate|friendlymail|fusion|GeoList|Group|Mach10|MegaPro|RAF|RamoMail|RIME|TURBO)\>
* ! $ ^X-(Mailer|Sender):.*\/(Aristotle|Avalanche|Blaster|Bomber|DejaVu|DiffondiCool|eMerge|Extractor|E-Mail Magnet|Floodgate|friendlymail|fusion|GeoList|Group|Mach10|MegaPro|RAF|RamoMail|RIME|TURBO)\.([-a-z0-9_]+\.)*$JFTLD
{
  JFMATCH="$JFSEC: Junkmail software: $MATCH"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Second product list, checked case-sensitively (D flag) in Received,
# Message-Id, X-Mailer, X-Sender and X-Server headers.  There is no
# host-name exception here; MATCH receives the whole header line up to the
# product name.
# NOTE(review): this list has "Match10" where the list above has "Mach10" -
# possibly a typo; confirm which spelling the software emits.
:0D
* ()\/^(Received|Message-Id|X-(Mailer|Sender|Server)):.*(Advanced Direct Remailer|AutoMail|E-Broadcaster|Emailer Platinum|eMarksman|Extractor|e-Merge|Global Messenger|GroupMaster|List-X|Mailcast|MAILGOD|MailKing|Match10|MassE-Mail|massmail\.pl|NetContact|NetMailer|News Breaker|Powermailer|Quick Shot|Ready Aim Fire|'WE' Group Spamm?er|WindoZ|WinNT\'s Blat|WorldMerge|Yourdora)\>
{
  JFMATCH="$JFSEC: Junkmail Software: $MATCH"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Pegasus mailer is the only mailer which legitimately generates
# "Comments: Authenticated sender is ..." so kill anything else.
# This works for versions 2.54 and below only.
# Fires when a Comments: header contains "Authenticated sender" while no
# X-Mailer header names Pegasus Mail.  Messages carrying a Resent-To:
# header or a Return-Path containing "owner-" are exempted by the last two
# conditions.
:0
* ^Comments:.*Authenticated sender
* !^X-Mailer:.*Pegasus Mail
* !^Resent-To:
* !^Return-Path:.*owner-
{
  JFMATCH="$JFSEC: Forged Pegasus Mail authentication"
  INCLUDERC=$JFDIR/junkfilter.match
}

# "unknown host" is not a valid Received: header
# MATCH receives the header line up to and including "unknown host".
:0
* ()\/^Received:.*unknown host
{
  JFMATCH="$JFSEC: Forged Received header: $MATCH"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Check to see if they're trying to exploit a security fault in
# Sendmail 8.8, like MailGod does.
# The condition is "^Received:" followed by a long run of "." wildcards,
# one per required character, so it matches only a Received line at least
# that long; the reason string below gives the threshold as 1023
# characters.  The continuation lines start in column 0 so that no
# whitespace is introduced into the pattern; keep the dot count exact when
# editing.
:0
* ^Received:.....................................................\
..........................................................................\
..........................................................................\
..........................................................................\
..........................................................................\
..........................................................................\
..........................................................................\
..........................................................................\
..........................................................................\
..........................................................................\
..........................................................................\
..........................................................................\
..........................................................................\
..........................................................................
{
  JFMATCH="$JFSEC: Received line longer than 1023 characters"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Stop the happy.exe / Spanska email worm
# Matches a header named X-Spanksa: or X-Spanska: (both spellings are
# covered by the alternation).
:0
* ^X-Span(ks|sk)a:
{
  JFMATCH="$JFSEC: Happy.exe email worm present"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Stop the Melissa virus.  Damn these things!
# Two-stage signature: the outer recipe checks the Subject header, and
# only then does the inner recipe (B flag = match against the body) look
# for the fixed sentence plus a Content-* line that mentions a name ending
# in .doc or .dot.  All three conditions are literal text, so a message
# that changes any of them is not caught by this rule.
# NOTE(review): the [ ] class holds only a space in this copy; the upstream
# file may have had space and tab there - confirm against the original
# distribution.
:0
* ^Subject:[ ]*important message from
{
  :0 B
  * Here is that document you asked for
  * ^Content-[a-z]+:.*\.do[ct]
  {
    JFMATCH="$JFSEC: Melissa email virus"
    INCLUDERC=$JFDIR/junkfilter.match
  }
}

# A bare variable name with no "=" removes the variable, so the section
# number set at the top of this file does not carry over into whatever rc
# file is processed next.
JFSEC

# EOF junkfilter.one