# junkfilter
# a junk email filter system for procmail 
# Copyright 2003 Gregory Sutter <gsutter@zer0.org>
#
# $Id$
#
# Please read the file "README" and the page
# http://junkfilter.zer0.org/ before using junkfilter.

# Test, recipes being actively tested for inclusion.

JFSEC=test

# Multiple addresses in From: without single address in Sender:
:0
* $ ^From:.*${JFADDR}${JFWS}?,${JFWS}?${JFADDR}+
* $ ! ^Sender:${JFWS}${JFADDR}${JFWS}${JFNL}
{ JFMATCH="$JFSEC: Invalid From: header" INCLUDERC=$JFDIR/junkfilter.match }

# Hosts claiming to be other hosts... note trailing space
:0
* $ ^X-Authentication-Warning:.*Host ($JFDOMDAM\.)*\/($JFDOMNAM)\.($JFTLD)\>
{
	JFHOSTREAL=$MATCH
	:0
	* $ ^X-Authentication-Warning:.*Host ($JFDOMDAM\.)*($JFDOMNAM)\.($JFTLD)\>[ 	]+\[$JFIPNUM\.$JFIPNUM\.$JFIPNUM\.$JFIPNUM\][ 	]+claimed to be[ 	]+(($JFDOMDAM\.)*\/($JFDOMNAM)\.($JFTLD)|\[$JFIPNUM\.$JFIPNUM\.$JFIPNUM\.$JFIPNUM\])\>
	{
		JFHOSTCLAIM=$MATCH
		:0
		* ! JFHOSTREAL ?? JFHOSTCLAIM
		{ JFMATCH="$JFSEC: X-Authentication-Warning: a host in $JFHOSTCLAIM claimed to be in $JFHOSTREAL" INCLUDERC=$JFDIR/junkfilter.match }
	}
} 

# Empty To: header
:0
* $ ^To:$JFWS\(?${JFWS}?\)?${JFWS}[^a-z0-9]+
{ JFMATCH="$JFSEC: Empty To header" INCLUDERC=$JFDIR/junkfilter.match }

## Apparently from self, but Received: header from outside local domain.
#:0
#* -10000^0
#* -10000^0 $ ^Message-Id:.*${JFMAILDOM}
#* 10000^0 $ ^From:.*${JFMAILADDRESS}
#* -1^1 $ ^Received:${JFWS}from (${JFDOMNAM}\.)*${JFMAILDOM}
#*  1^1 ^Received:
#{ JFMATCH="$JFSEC: Forged header from self" INCLUDERC=$JFDIR/junkfilter.match }

## Apparently from self, but Received: header from outside local domain.
#:0
#* $ ^Received:${JFWS}from \/.* by (${JFDOMNAM}\.)*${JFMAILDOM}
#* $ ()\/$MATCH by
#* $ $MATCH ?? ${JFMAILDOM}
#{ JFMATCH="$JFSEC: Forged header from Self" INCLUDERC=$JFDIR/junkfilter.match }

JFBADCHARSET=(big5|euc-kr|gb2312|gbk|koi8-r|ks_c_5601-1987|windows-(874|125[14]))

# If it's MIME...
:0
* ^MIME-Version:
* ^Content-Type:.*$?(.*$)?(.*$)?[ 	]+boundary *= *\"?\/[^\";]+
{
	JFMIMEBND1=$MATCH
#	LOG="multipart-mixed mail: boundary: --> $JFMIMEBND1 <--
#"

#	# and got a part in a charset I don't understand, it's junk.
#	:0 B
#	* $ ^(--)?(${JFMIMEBND1}|${JFMIMEBND2})\<Content-Type:(.*$)?[ 	]+charset=\"?\/${JFBADCHARSET}
#	{ JFMATCH="$JFSEC: MIME attachment in charset $MATCH" INCLUDERC=$JFDIR/junkfilter.match }

	# and got an empty MIME part, it's junk.
	:0 B
	* $ ^(--)?(${JFMIMEBND1}|${JFMIMEBND2})\<Content-.*$(.*$)?Content-.*$+${MATCH}
	{ JFMATCH="$JFSEC: empty MIME attachment" INCLUDERC=$JFDIR/junkfilter.match }

#	# and _doesn't_ have an inline, 7-bit part, it's junk.
#	:0 B
#	* $ ^(--)?(${JFMIMEBND1}|${JFMIMEBND2})\<Content-Type:.*\<(.*\<)?(.*\<)?Content-(Disposition|Transfer-Encoding):
#	* ! $ ^(--)?(${JFMIMEBND1}|${JFMIMEBND2})\<Content-Type:[ 	]+text/[-_a-z0-9]+
#	* ! $ ^(--)?(${JFMIMEBND1}|${JFMIMEBND2})\<Content-Type:.*\<(.*\<)?(.*\<)?Content-Transfer-Encoding:[ 	]*(quoted-printable|7bit)
#	* ! $ ^(--)?(${JFMIMEBND1}|${JFMIMEBND2})\<Content-Type:.*\<(.*\<)?(.*\<)?Content-Disposition:[ 	]*inline
#	{ JFMATCH="$JFSEC: MIME with no quoted-printable part" INCLUDERC=$JFDIR/junkfilter.match }

}

# Kill charsets that I don't understand from From: and Subject:
:0 
* $ ^(From|Subject):[ 	]*=\?\/$JFBADCHARSET
{ JFMATCH="$JFSEC: Subject in charset $MATCH" INCLUDERC=$JFDIR/junkfilter.match }

## Hmm.
#:0
#* ^To: \/.*
#* B ?? $MATCH
#{ JFMATCH="$JFSEC: Apparent To: repeated in body" INCLUDERC=$JFDIR/junkfilter.match }

# Catch virus mail tagged by a local Amavis
:0
* $ ^X-Virus-Scanned:.*${JFMAILDOM}
* ^X-Amavis-Alert:[ 	]*INFECTED, message contains virus:[ 	]+\/.*
{ JFMATCH="$JFSEC: infected with virus $MATCH" INCLUDERC=$JFDIR/junkfilter.match }

# Kill some stupid automated responders
:0
* ^From:.*amavisd-new
* ! $ ^From:.*${JFMAILDOM}
{ JFMATCH="$JFSEC: virus autoresponse" INCLUDERC=$JFDIR/junkfilter.match }


JFSEC

# EOF junkfilter.test