# junkfilter
# a junk email filter system for procmail 
# Copyright 1997-2003 Gregory Sutter <gsutter@zer0.org>
#
# $Id: junkfilter.four,v 2.23 2003/12/01 11:35:15 gsutter Exp $
#
# Please read the file "README" and the page
# http://junkfilter.zer0.org/ before using junkfilter.

# Four is the testing section.  All recipes in beta.  Careful!

JFSEC=4

# Multiple addresses in From: without single address in Sender:
:0
* $ ^From:.*${JFADDR}${JFWS}?,${JFWS}?${JFADDR}+
* $ ! ^Sender:${JFWS}${JFADDR}${JFWS}${JFNL}
{ JFMATCH="$JFSEC: Invalid From: header" INCLUDERC=$JFDIR/junkfilter.match }

# If only one Received: header AND from a common dialup, junk.  (RFMS again)
# Thanks Rik Kabel <rik@netcom.com>
:0
* 2^0
* -1^1 ^\/Received:.*
* $ MATCH ?? from [ 	]+(($JFIPNUM\.)+|[-0-9a-z]+|$JFDIALUPS)[ 	]+\(\/[-0-9a-z\.]+[ 	]
* MATCH ?? \\/[^ 	]+
{ JFMATCH="$JFSEC: RapidFire Mail Server: $MATCH" INCLUDERC=$JFDIR/junkfilter.match }

# Hosts claiming to be other hosts... note trailing space
:0
* $ ^X-Authentication-Warning:.*Host ($JFDOMDAM\.)*\/($JFDOMNAM)\.($JFTLD)\>
{
	JFHOSTREAL=$MATCH
	:0
	* $ ^X-Authentication-Warning:.*Host ($JFDOMDAM\.)*($JFDOMNAM)\.($JFTLD)\>[ 	]+\[$JFIPNUM\.$JFIPNUM\.$JFIPNUM\.$JFIPNUM\][ 	]+claimed to be[ 	]+(($JFDOMDAM\.)*\/($JFDOMNAM)\.($JFTLD)|\[$JFIPNUM\.$JFIPNUM\.$JFIPNUM\.$JFIPNUM\])\>
	{
		JFHOSTCLAIM=$MATCH
		:0
		* ! JFHOSTREAL ?? JFHOSTCLAIM
		{ JFMATCH="$JFSEC: X-Authentication-Warning: a host in $JFHOSTCLAIM claimed to be in $JFHOSTREAL" INCLUDERC=$JFDIR/junkfilter.match }
	}
} 

# Empty To: header
:0
* $ ^To:$JFWS\(?${JFWS}?\)?${JFWS}[^a-z0-9]+
{ JFMATCH="$JFSEC: Empty To header" INCLUDERC=$JFDIR/junkfilter.match }

# Apparently from self, but Received: header from outside local domain.
:0
* -10000^0
* -10000^0 $ ^Message-Id:.*${JFMAILDOM}
* 10000^0 $ ^From:.*${JFMAILADDRESS}
* -1^1 $ ^Received:${JFWS}from (${JFDOMNAM}\.)*${JFMAILDOM}
*  1^1 ^Received:
{ JFMATCH="$JFSEC: Forged header from self" INCLUDERC=$JFDIR/junkfilter.match }

## Apparently from self, but Received: header from outside local domain.
#:0
#* $ ^Received:${JFWS}from \/.* by (${JFDOMNAM}\.)*${JFMAILDOM}
#* $ ()\/$MATCH by
#* $ $MATCH ?? ${JFMAILDOM}
#{ JFMATCH="$JFSEC: Forged header from Self" INCLUDERC=$JFDIR/junkfilter.match }

# One of these damn spam mailers leaves a distinctive signature
:0
* $ ^From:${JFWS}[0-9][0-9][0-9][0-9]+\.${JFADDR}
* $ ^To:${JFWS}[0-9][0-9][0-9][0-9]+\.
* $ ^Subject:.*-[0-9][0-9][0-9][0-9]+$
{ JFMATCH="$JFSEC: Sent by a not-tricky-enough junk email program" INCLUDERC=$JFDIR/junkfilter.match }

# Bcc: header visible?  
:0
* ()\/^Bcc:.*
{ JFMATCH="$JFSEC: Bcc header: $MATCH" INCLUDERC=$JFDIR/junkfilter.match }

#* $ ^Message-Id:${JFWS}<.*@\/.*>
#* $ $MATCH ?? .*>
# Message-Id: from domain that's not in any Received: header
:0
* $ ^Message-Id:${JFWS}<.*@.*$JFDOMNAM\.$JFTLD>
* $ $MATCH ?? ^Received:.*>
{ JFMATCH="$JFSEC: Message-Id from domain not in Received headers" INCLUDERC=$JFDIR/junkfilter.match }

JFBADCHARSET=(big5|euc-kr|gb2312|gbk|koi8-r|ks_c_5601-1987|windows-(874|125[14]))

# If it's MIME...
:0
* ^MIME-Version:
* ^Content-Type:.*$?(.*$)?(.*$)?[ 	]+boundary *= *\"?\/[^\";]+
{
	JFMIMEBND1=$MATCH
#	LOG="multipart-mixed mail: boundary: --> $JFMIMEBND1 <--
#"

	# even if it's hidden a second MIME level deep...
	:0 B
	* $ ^(--)?${JFMIMEBND1}\<Content-Type:.*($[ 	]+)?boundary *= *\"?\/[^\";]+
	{
		JFMIMEBND2=$MATCH
	}

	# and got an html part encoded in base64, it's junk.
	:0 B
	* $ ^(--)?(${JFMIMEBND1}|${JFMIMEBND2})\<Content-Type:[ 	]*text/html;\<(.*\<)?(.*\<)?Content-Transfer-Encoding:[ 	]*base64
	{ JFMATCH="$JFSEC: Base64-encoded HTML" INCLUDERC=$JFDIR/junkfilter.match }

#	# and got a text/plain part encoded in base64, it's junk.
#	:0 B
#	* $ ^(--)?(${JFMIMEBND1}|${JFMIMEBND2})\<Content-Type:[ 	]*text/plain;\<(.*\<)?(.*\<)?Content-Transfer-Encoding:[ 	]*base64
#	{ JFMATCH="$JFSEC: Base64-encoded text/plain section" INCLUDERC=$JFDIR/junkfilter.match }

#	# and got any part in base64, it's junk.
#	:0 B
#	* $ ^(--)?(${JFMIMEBND1}|${JFMIMEBND2})\<Content-Type:.*\<(.*\<)?(.*\<)?Content-Transfer-Encoding:[ 	]*base64
#	{ JFMATCH="$JFSEC: Base64-encoded MIME attachment" INCLUDERC=$JFDIR/junkfilter.match }

	# and got a part in a charset I don't understand, it's junk.
	:0 B
	* $ ^(--)?(${JFMIMEBND1}|${JFMIMEBND2})\<Content-Type:(.*$)?[ 	]+charset=\"?\/${JFBADCHARSET}
	{ JFMATCH="$JFSEC: MIME attachment in charset $MATCH" INCLUDERC=$JFDIR/junkfilter.match }

	# and got an empty MIME part, it's junk.
	:0 B
	* $ ^(--)?(${JFMIMEBND1}|${JFMIMEBND2})\<Content-.*$(.*$)?Content-.*$+${MATCH}
	{ JFMATCH="$JFSEC: empty MIME attachment" INCLUDERC=$JFDIR/junkfilter.match }

	# and _doesn't_ have an inline, 7-bit part, it's junk.
	:0 B
	* $ ^(--)?(${JFMIMEBND1}|${JFMIMEBND2})\<Content-Type:.*\<(.*\<)?(.*\<)?Content-(Disposition|Transfer-Encoding):
	* ! $ ^(--)?(${JFMIMEBND1}|${JFMIMEBND2})\<Content-Type:[ 	]+text/[-_a-z0-9]+
	* ! $ ^(--)?(${JFMIMEBND1}|${JFMIMEBND2})\<Content-Type:.*\<(.*\<)?(.*\<)?Content-Transfer-Encoding:[ 	]*(quoted-printable|7bit)
	* ! $ ^(--)?(${JFMIMEBND1}|${JFMIMEBND2})\<Content-Type:.*\<(.*\<)?(.*\<)?Content-Disposition:[ 	]*inline
	{ JFMATCH="$JFSEC: MIME with no quoted-printable part" INCLUDERC=$JFDIR/junkfilter.match }

}

# Kill charsets that I don't understand from From: and Subject:
:0 
* $ ^(From|Subject):[ 	]*=\?\/$JFBADCHARSET
{ JFMATCH="$JFSEC: Subject in charset $MATCH" INCLUDERC=$JFDIR/junkfilter.match }

# Kill charsets that I don't understand using Content-Type:
# commented out 2002-03-04 due to many many false matches
#:0 HB
#* $ ^Content-Type:.*charset=\"?\/$JFBADCHARSET
#{ JFMATCH="$JFSEC: Message in charset $MATCH" INCLUDERC=$JFDIR/junkfilter.match }

#* ^Subject:[ 	]*\/[^-_+=!@#$%^&*() 	0-9a-z\[\]\|\\,<.>/?;:'"`~]+
# \0127-\0254
# Kill non-English (latin-1, iso-8859-1) characters in subjects
#:0 
#* $ ^Subject:[ 	]*\/[^($JFPCHAR|$JFWS)]+
#{ JFMATCH="$JFSEC: Subject contains data ($MATCH) in non-western charset" INCLUDERC=$JFDIR/junkfilter.match }

# Subject: line contains five or more consecutive instances of
# a single character followed by whitespace.
:0
* $ ^Subject:[ 	]*(${JFPCHAR}${JFWS})(${JFPCHAR}${JFWS})(${JFPCHAR}${JFWS})(${JFPCHAR}${JFWS})(${JFPCHAR}${JFWS})+
{ JFMATCH="$JFSEC: Subject is spaced out" INCLUDERC=$JFDIR/junkfilter.match }

## Use external program 'rblcheck' to see if the source should be blackholed
#:0
#* $ 1^1 ^Received:.*\[\/${JFIP}
#* $ ! ? rblcheck -q $MATCH
#{ JFMATCH="$JFSEC: IP address $MATCH is in RBL" INCLUDERC=$JFDIR/junkfilter.match }

# Received: liar claims to be from AOL
:0
* 1^1 ^Received: from aol.com \(
* -1^0 ^Received: from aol.com \((.*\.)aol.com
{ JFMATCH="$JFSEC: Falsely claims to be from aol.com" INCLUDERC=$JFDIR/junkfilter.match }

# Body contains lots of upper ASCII characters
# was 1^1.2 and 1^1.1 but added up too quickly.
:0 B
* -1^1 .
* 1^1.06 [^	 -~]
{ JFMATCH="$JFSEC: Contains too many high ASCII characters (score: $=)" INCLUDERC=$JFDIR/junkfilter.match }


JFSEC

# EOF junkfilter.four