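# junkfilter
# a junk email filter system for procmail
# Copyright 1997-2002 Gregory Sutter
#
# $Id: junkfilter.four,v 2.18 2002/04/29 07:20:32 gsutter Exp $
#
# Please read the file "README" and the page
# http://junkfilter.zer0.org/ before using junkfilter.

# Four is the testing section.  All recipes in beta.  Careful!
#
# Security note for everything in this section: apart from the topmost
# Received: line, which your own MTA wrote, every header examined below
# was supplied by the sender and can be forged.  A recipe that matches
# *any* Received: line (the address-block recipes in particular) can be
# tripped by a fabricated lower line; the cost is a false positive, since
# a sender cannot remove the genuine line your MTA adds.  The JF* pattern
# variables used here (JFWS, JFNL, JFADDR, JFIPNUM, JFDOMNAM, JFDOMDAM,
# JFTLD, JFMAILDOM, JFMAILADDRESS, JFDIALUPS) are defined by the includer,
# not in this file, and JFDIR must point at the junkfilter directory.

JFSEC=4

# Block all of China Telecom
# Thanks, Joe Altman
#
# 202.96.0.0-202.111.255.255 and 61.128.0.0-61.159.255.255, i.e. whole
# address blocks as assigned in 2002 -- re-check the assignments before
# relying on this.  The second alternative used to begin with a stray
# "\[" after the one already consumed by ".*\[", so it could only match
# a doubled "[[61." and the 61.x range was never blocked.
:0
* ^Received:.*\[(202\.(9[6-9]|10[0-9]|11[01])|61\.(12[89]|1[3-5][0-9]))\.
{
  JFMATCH="$JFSEC: Received from China Telecom"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Block Korea
#
# 210.124.0.0-210.127.255.255 (KRNIC); same caveats as above.
:0
* ^Received:.*\[210\.12[4567]\.
{
  JFMATCH="$JFSEC: Received from KRNIC"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Multiple addresses in From: without single address in Sender:
#
# RFC 2822 requires a Sender: header when From: lists more than one
# mailbox; here From: holds two or more addresses and Sender: is not a
# single address on its own line.
:0
* $ ^From:.*${JFADDR}${JFWS}?,${JFWS}?${JFADDR}+
* $ ! ^Sender:${JFWS}${JFADDR}${JFWS}${JFNL}
{
  JFMATCH="$JFSEC: Invalid From: header"
  INCLUDERC=$JFDIR/junkfilter.match
}

# If only one Received: header AND from a common dialup, junk. (RFMS again)
# Thanks Rik Kabel
#
# Scored: start at 2, subtract 1 per Received: line, so the recipe only
# continues when there is exactly one (zero leaves MATCH unset and the
# next condition fails).  That line must read "from <ip|host|dialup>
# (<hostname> ", and MATCH is then the hostname plus the trailing space.
# NOTE(review): the last condition is written "\\/", which is a literal
# backslash followed by "/" rather than the \/ capture operator; as MATCH
# never contains a backslash that condition appears to fail every time,
# leaving the recipe dead.  "\/[^ ]+" looks like what was meant (it would
# trim the trailing space off MATCH for the log).  Confirm against the
# upstream file before changing it.
:0
* 2^0
* -1^1 ^\/Received:.*
* $ MATCH ?? from [ ]+(($JFIPNUM\.)+|[-0-9a-z]+|$JFDIALUPS)[ ]+\(\/[-0-9a-z\.]+[ ]
* MATCH ?? \\/[^ ]+
{
  JFMATCH="$JFSEC: RapidFire Mail Server: $MATCH"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Hosts claiming to be other hosts... note trailing space
#
# sendmail writes "X-Authentication-Warning: relay: Host REAL [a.b.c.d]
# claimed to be CLAIMED".  The outer recipe captures the domain part of
# REAL, the middle one the domain part of CLAIMED, and the inner one
# fires only when the two differ.  The inner condition used to read
# "* ! JFHOSTREAL ?? JFHOSTCLAIM", which compares JFHOSTREAL against the
# literal string "JFHOSTCLAIM" (no $ flag, no $ sigil) and so was true
# for every warning line; the variable is now expanded and anchored, and
# an empty capture is skipped instead of being reported.  Dots in the
# claimed domain act as wildcards, which is harmless here.
# NOTE(review): when CLAIMED is a bracketed IP literal the \/ of the
# middle condition is not on the alternative that matched, so what MATCH
# holds in that case is unclear -- confirm with your procmail build.
:0
* $ ^X-Authentication-Warning:.*Host ($JFDOMDAM\.)*\/($JFDOMNAM)\.($JFTLD)\>
{
  JFHOSTREAL=$MATCH

  :0
  * $ ^X-Authentication-Warning:.*Host ($JFDOMDAM\.)*($JFDOMNAM)\.($JFTLD)\>[ ]+\[$JFIPNUM\.$JFIPNUM\.$JFIPNUM\.$JFIPNUM\][ ]+claimed to be[ ]+(($JFDOMDAM\.)*\/($JFDOMNAM)\.($JFTLD)|\[$JFIPNUM\.$JFIPNUM\.$JFIPNUM\.$JFIPNUM\])\>
  {
    JFHOSTCLAIM=$MATCH

    :0
    * JFHOSTCLAIM ?? .
    * $ ! JFHOSTREAL ?? ^${JFHOSTCLAIM}$
    {
      JFMATCH="$JFSEC: X-Authentication-Warning: a host in $JFHOSTREAL claimed to be in $JFHOSTCLAIM"
      INCLUDERC=$JFDIR/junkfilter.match
    }
  }
}

# Empty To: header
#
# Nothing address-like after "To:", allowing for an empty "()" comment.
:0
* $ ^To:$JFWS\(?${JFWS}?\)?${JFWS}[^a-z0-9]+
{
  JFMATCH="$JFSEC: Empty To header"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Apparently from self, but Received: header from outside local domain.
#
# Scored: the message must carry our own address in From: (+10000 on a
# base of -10000) and a Message-Id that is NOT in our domain (another
# -10000 otherwise), and must have more Received: lines in total (+1
# each) than Received: lines from hosts in our own domain (-1 each) --
# i.e. at least one hop through a foreign relay.  Mail you genuinely
# send yourself through an outside relay (a webmail provider, say)
# scores the same way, so tune with care.
:0
* -10000^0
* -10000^0 $ ^Message-Id:.*${JFMAILDOM}
* 10000^0 $ ^From:.*${JFMAILADDRESS}
* -1^1 $ ^Received:${JFWS}from (${JFDOMNAM}\.)*${JFMAILDOM}
* 1^1 ^Received:
{
  JFMATCH="$JFSEC: Forged header from self"
  INCLUDERC=$JFDIR/junkfilter.match
}

## Apparently from self, but Received: header from outside local domain.
#:0
#* $ ^Received:${JFWS}from \/.* by (${JFDOMNAM}\.)*${JFMAILDOM}
#* $ ()\/$MATCH by
#* $ $MATCH ?? ${JFMAILDOM}
#{
#  JFMATCH="$JFSEC: Forged header from Self"
#  INCLUDERC=$JFDIR/junkfilter.match
#}

# One of these damn spam mailers leaves a distinctive signature:
# four or more digits and a dot prefixed to both the From: and To:
# addresses, and "-NNNN" appended to the Subject:.
:0
* $ ^From:${JFWS}[0-9][0-9][0-9][0-9]+\.${JFADDR}
* $ ^To:${JFWS}[0-9][0-9][0-9][0-9]+\.
* $ ^Subject:.*-[0-9][0-9][0-9][0-9]+$
{
  JFMATCH="$JFSEC: Sent by a not-tricky-enough junk email program"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Bcc: header visible?
#
# A Bcc: line that survived delivery is reported; the empty group in
# front of \/ makes MATCH the whole header line for the log.
:0
* ()\/^Bcc:.*
{
  JFMATCH="$JFSEC: Bcc header: $MATCH"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Capital Bogosity In E-Mail Is A Near-Sure Sign Of Spam
# Thanks, Era Erikkson and Phil Hord
#:0D
#* -65^0
#* -1^1 B ?? [-a-z'][,:;]?[ ]+[a-z][-a-z']
#* 1^1 B ?? [-a-z'][,:;]?[ ]+[A-Z][-a-z']
#* 8^1 B ?? ()\<[A-Z][-a-z']+[,:;]?[ ]+[A-Z][-a-z']+[,:;]?[ ]+[A-Z][-a-z']+[,:;]?
#{
#  JFMATCH="$JFSEC: Capital Bogosity"
#  INCLUDERC=$JFDIR/junkfilter.match
#}

#* $ ^Message-Id:${JFWS}<.*@\/.*>
#* $ $MATCH ?? .*>
# Message-Id: from domain that's not in any Received: header
#
# Disabled by review.  As previously written the recipe never did what
# the comment says: its first condition had no \/, so MATCH was whatever
# an earlier recipe left behind, and "$MATCH ?? ^Received:.*>" then
# tested that stale value (the two commented conditions just above look
# like an earlier attempt at the capture).  The version below captures
# the domain after the "@" of the Message-Id and requires that it appear
# in no Received: line.  It stays commented out because many MUAs and
# webmail services mint Message-Ids under a host name that never shows
# up in Received: (the relay is named differently), so enabling it would
# junk a great deal of legitimate mail.  Note that MATCH -- sender
# controlled -- is interpolated into the second regex unescaped; the
# capture pattern bounds it to domain characters, and the worst a
# metacharacter could do is make the negated condition fail.
#:0
#* $ ^Message-Id:${JFWS}<[^>]*@\/(${JFDOMDAM}\.)*${JFDOMNAM}\.${JFTLD}\>
#* $ ! ^Received:.*\<${MATCH}\>
#{
#  JFMATCH="$JFSEC: Message-Id from domain not in Received headers"
#  INCLUDERC=$JFDIR/junkfilter.match
#}

# If it's all in base64, it's junk.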
# Matches a *top-level* Content-Transfer-Encoding: base64, i.e. a
# non-multipart message whose whole body is base64; multipart messages
# carry that header inside the body and are not caught here.  Legitimate
# non-ASCII mail can be sent this way, so expect false positives outside
# English-language traffic.
:0
* ^Content-Transfer-Encoding:[ ]*base64
{
  JFMATCH="$JFSEC: Entire email base64 encoded"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Charsets treated as junk indicators.  NOTE(review): not referenced
# anywhere in the visible part of this file; presumably used by the
# truncated MIME recipe below.
JFBADCHARSET=(big5|euc-kr|gb2312|gbk|koi8-r|ks_c_5601-1987|windows-(874|125[14]))

# If it's MIME...
#
# NOTE(review): this recipe is truncated in this copy of the file.  The
# inner "B" condition breaks off right after the boundary variable (what
# follows it is a fragment of the commented-out character class further
# down), and no closing brace for the outer block is visible, so every
# recipe after it is syntactically nested inside it.  Restore it from the
# upstream junkfilter.four before enabling this section.
#
# Security note: the boundary string captured into JFMIMEBND1 is sender
# controlled and is interpolated into the inner regex with no quoting
# (procmail has no quotemeta).  Regex metacharacters in a boundary, which
# RFC 2046 permits, change or break the inner condition; the worst case
# is that the check is evaded, not code execution.
:0
* ^MIME-Version:
* ^Content-Type:.*$?(.*$)?(.*$)?[ ]+boundary *= *\"?\/[^\";]+
{
  JFMIMEBND1=$MATCH
  #LOG="multipart-mixed mail: boundary: --> $JFMIMEBND1 <-- "

  # even if it's hidden a second MIME level deep...
  :0 B
  * $ ^(--)?${JFMIMEBND1}\/?;:'"`~]+
  # \0127-\0254

# Kill non-English (latin-1, iso-8859-1) characters in subjects
#:0
#* $ ^Subject:[ ]*\/[^($JFPCHAR|$JFWS)]+
#{
#  JFMATCH="$JFSEC: Subject contains data ($MATCH) in non-western charset"
#  INCLUDERC=$JFDIR/junkfilter.match
#}
#* ^Subject:[ ]*\/[^-_+=!@#$%^&*() 0-9a-z\[\]\|\\,<.>/?;:'"`~]+
#* $ ^Subject:[ ]*\/[\127-\254]+

# Kill non-English (latin-1, iso-8859-1) characters in subjects
#
# NOTE(review): procmail's built-in regex dialect is a subset of egrep
# and, to my knowledge, does not implement POSIX bracket classes.  If
# so, "[^[:print:]]" is read as a negated class of the characters
# "[:print" followed by a literal "]", and this condition matches almost
# nothing.  Verify with your procmail build (send yourself a Subject:
# containing an 8-bit character) before relying on it.  RFC 2047
# encoded-words are pure ASCII, so an encoded non-Latin subject passes
# this test either way -- that is presumably what JFBADCHARSET is for.
:0
* $ ^Subject:[ ]*\/[^[:print:]]+
{
  JFMATCH="$JFSEC: Subject has data ($MATCH) in non-western charset"
  INCLUDERC=$JFDIR/junkfilter.match
}

# mails in HTML-only are >99% spam
# from arjan de vet
#
# Only a top-level text/html Content-Type, i.e. a message whose sole
# body is HTML; multipart/alternative mail with a text part is not
# matched.
:0
* $ ^Content-Type:${JFWS}text/html
{
  JFMATCH="$JFSEC: HTML-only mail"
  INCLUDERC=$JFDIR/junkfilter.match
}

# Subject: line contains five or more consecutive instances of
# a single character followed by whitespace.
# (JFPCHAR, a single printable character, and JFWS come from the includer.)
:0
* $ ^Subject:[ ]*(${JFPCHAR}${JFWS})(${JFPCHAR}${JFWS})(${JFPCHAR}${JFWS})(${JFPCHAR}${JFWS})(${JFPCHAR}${JFWS})+
{
  JFMATCH="$JFSEC: Subject is spaced out"
  INCLUDERC=$JFDIR/junkfilter.match
}

## Use external program 'rblcheck' to see if the source should be blackholed
##
## Security note if this is ever enabled: the "?" condition hands MATCH
## to the shell, and MATCH is text taken from a sender-supplied
## Received: line.  It is only safe if JFIP (defined elsewhere) admits
## nothing but digits and dots; check that before uncommenting.
#:0
#* $ 1^1 ^Received:.*\[\/${JFIP}
#* $ ! ? rblcheck -q $MATCH
#{
#  JFMATCH="$JFSEC: IP address $MATCH is in RBL"
#  INCLUDERC=$JFDIR/junkfilter.match
#}

# NOTE(review): a bare variable name on a line of its own; presumably
# intended to unset JFSEC at the end of the section -- confirm that your
# procmail treats it that way rather than as a syntax error.
JFSEC

# EOF junkfilter.four