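# junkfilter
# a junk e-mail filter system for procmail
# Copyright 1997-98, Gregory Sutter
# and Matthew Hunt
#
# Please read the file "junkfilter.readme" and the page
# http://www.pobox.com/~gsutter/junkfilter/ before using
# junkfilter.  junkfilter is copyright 1997-98 Gregory
# Sutter and Matthew Hunt.  All rights reserved.

# Four is the testing section.  All recipes in beta.  Careful!
#
# Each recipe below only assigns a reason string to JFEXP (prefixed with the
# section number in JFSEC); nothing in this file delivers or discards mail.
# The patterns rely on JFTLD, JFDOMNAM, JFIPNUM and JFDIALUPS, which are not
# defined in this file.
#
# NOTE(review): this copy was recovered from a whitespace-collapsed listing.
# Character classes written "[ ]" may originally have held a space AND a tab;
# compare against an upstream copy before relying on them.
#
# NOTE(review): the recipes keyed on Received: and X-Authentication-Warning:
# match any such header in the message.  Only the headers stamped by your own
# MTA are trustworthy; earlier ones are supplied by the sender, so treat a hit
# as a hint for scoring, not as proof of where the mail came from.
JFSEC=4

# New -0600 datestamp check
# Got to think of a better way to say "not MDT|CST", this one's a hack.
# Fires when a -0600 offset is followed by a parenthesised three-letter zone
# whose first letter is neither M nor C.
:0
* ^(Date|Received):.* \/-0600 \([^MC][a-z][a-z]\)
{ JFEXP="$JFSEC: invalid datestamp: $MATCH" }

# Does the reported domain name equal the volunteered one?  If not,
# someone lied at HELO time and is probably a spammer.
# this thing doesn't work worth a damn
# NOTE(review): the final condition of the comparison recipe has no "$" flag,
# so neither variable reference is expanded there, and the intent of the two
# "^0" conditions is unclear.  Left exactly as written because the author
# already marks the recipe as non-working.
:0
* $ ^Received:.*\/[-a-z0-9]+\.($JFTLD)\>
{
  JFFROM_APP_DOM=$MATCH

  :0
  * $ ^Received:.*[-a-z0-9]+\.($JFTLD)\>.*\(.*\/[-a-z0-9]+\.($JFTLD)\>
  { JFFROM_REAL_DOM=$MATCH }

  :0
  * $ $JFFROM_APP_DOM^0
  * $ $JFFROM_REAL_DOM^0
  * ! $JFFROM_APP_DOM ?? $JFFROM_REAL_DOM
  { JFEXP="$JFSEC: Falsified domain name: $JFFROM_APP_DOM (really $JFFROM_REAL_DOM)" }
}

# Capital Bogosity In E-Mail Is A Near-Sure Sign Of Spam
# Thanks, Era Erikkson and Phil Hord
# This recipe is disabled!
# (It assigns JFEX rather than JFEXP; presumably that is how it is kept
# inactive -- confirm against the main junkfilter file.)
# Case-sensitive (D flag) weighted score over the body: starts at -59, adds 1
# per lower-to-Capital word transition and 8 per run of three Capitalised words.
:0D
* -59^0
*   1^1 B ?? [-a-z'][,:;]?[ ]+[A-Z][-a-z']
*   8^1 B ?? ()\<[A-Z][-a-z']+[,:;]?[ ]+[A-Z][-a-z']+[,:;]?[ ]+[A-Z][-a-z']+[,:;]?
{ JFEX="$JFSEC: Capital Bogosity" }

# If only one Received: header AND from a common dialup, junk.  (RFMS again)
# Thanks Rik Kabel
# The score starts at 2 and drops by 1 per Received: header, so it stays
# positive only when exactly one such header is present.
# NOTE(review): the last condition reads "\\/", i.e. a literal backslash
# followed by "/", which the extracted host text is unlikely to contain;
# it may originally have been a "\/" match marker.  Left unchanged -- verify
# against an upstream copy.
:0
* 2^0
* -1^1 ^\/Received:.*
* $ MATCH ?? from [ ]+(($JFIPNUM\.)+|[-0-9a-z]+|$JFDIALUPS)[ ]+\(\/[-0-9a-z\.]+[ ]
* MATCH ?? \\/[^ ]+
{ JFEXP="$JFSEC: RapidFire Mail Server: $MATCH" }

# Kill some relaying servers
:0
* $ ^Received:.*\/relay[-a-z0-9]+\.([-a-z0-9]*\.)*($JFDOMNAM)\.($JFTLD)\>
{ JFEXP="$JFSEC: Relay server: $MATCH" }

# Hosts claiming to be other hosts...
# note trailing space
#
# JFHOSTREAL is the domain following "Host " (the name the receiving MTA
# resolved); JFHOSTCLAIM is the domain following "claimed to be".
#
# Fixes relative to the original recipe:
#  - the brackets around the IP address are escaped; unescaped they formed a
#    character class instead of matching the literal "[a.b.c.d]";
#  - the comparison now carries the "$" flag and expands JFHOSTCLAIM (with
#    regex metacharacters disarmed and anchored at both ends); before, the
#    value of JFHOSTREAL was tested against the literal text "JFHOSTCLAIM",
#    so the negated condition was always true;
#  - the two variables in the message were swapped.
#
# NOTE(review): JFDOMDAM looks like a typo for JFDOMNAM.  If JFDOMDAM is
# undefined it expands to nothing and only two-label host names can match.
# Left unchanged because the variable may be defined elsewhere -- confirm.
:0
* $ ^X-Authentication-Warning:.*Host ($JFDOMDAM\.)*\/($JFDOMNAM)\.($JFTLD)\>
{
  JFHOSTREAL=$MATCH

  :0
  * $ ^X-Authentication-Warning:.*Host ($JFDOMDAM\.)*($JFDOMNAM)\.($JFTLD) \[$JFIPNUM\.$JFIPNUM\.$JFIPNUM\.$JFIPNUM\] claimed to be ($JFDOMDAM\.)*\/($JFDOMNAM)\.($JFTLD)\>
  {
    JFHOSTCLAIM=$MATCH

    :0
    * $ ! JFHOSTREAL ?? ^^$\JFHOSTCLAIM^^
    { JFEXP="$JFSEC: X-Authentication-Warning: a host in $JFHOSTREAL claimed to be in $JFHOSTCLAIM" }
  }
}

# Multiple simultaneous spaces or tabs in From: header
# Hmmm...
:0
* ()\/^From:.*[-_a-z0-9]+[ ][ ]+.*
{ JFEXP="$JFSEC: Spaces in From: header: $MATCH" }

# Verify RFC822-compliant Date: line
# Final question mark added because of noncompliant mailers.
#
# Fixes relative to the original recipe:
#  - the Eudora exemption escapes "(16)" and the dots; unescaped, the
#    parentheses were a regex group, so the literal "(16)" in the header
#    never matched and the exemption could not apply;
#  - the year pattern accepts any 20xx year; the original stopped at 2019,
#    which flagged every later date as noncompliant.
# The reason string (including its spelling) is kept byte-for-byte in case
# anything downstream matches on it.
:0
* ()\/^Date:.*
* ! ^X-Mailer: Windows Eudora Light Version 3\.0\.1 \(16\)
* ! ^Date:[ ]+((Sun|Mon|Tue|Wed|Thu|Fri|Sat),[ ]+)?\
    [0-3]?[0-9][ ]+\
    (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[ ]+\
    ((19)?[789][0-9]|(20)?[0-9][0-9])[ ]+\
    (0?[0-9]|1[0-9]|2[0-3]):[0-5][0-9](:[0-5][0-9])?[ ]+\
    ([+-][0-1][0-9][03]0|"?(UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-I]|[K-Z])"?)?
{ JFEXP="$JFSEC: Noncomplient Date: line: $MATCH" }

# A bare variable name unsets it: clear the section marker on the way out.
JFSEC

# EOF junkfilter.four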