# Procmail spam filter
#
# Last updated 04/04/04
#
# Modified by nsc@zorg.org from a recipe by caj@neosoft.com
#
# Set the variable SPAM to be the folder where you wish spam mail
# to be directed. You could set SPAM=/dev/null, the Unix trash can.
# If you want to be safe, send SPAM to a real file and check and clean
# it every so often.
#
# Set DEFAULT to be your default system mailbox.
#
# All the recipes are commented. READ ALL OF THEM and decide where
# you want each to go. A # at the start of a line denotes a comment --
# if you see a recipe you don't want at all, comment it out. If
# you see that I'm sending something to SPAM that you might actually
# want, change it or get rid of the recipe altogether.
#
# Procmail uses extended regular expressions. You won't understand
# a lot of the rules unless you understand regexps, which are too
# complicated to go into here.

SHELL=/bin/sh                  # Don't change this
PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin   # Shouldn't need to change
MAILDIR=$HOME/mail             # The base directory for other filenames here
DEFAULT=/var/spool/mail/nsc    # Change this to your mailbox.
                               # This is where non-spam mail
                               # will be delivered by default.
LOGFILE=$HOME/procmail.log     # Logging is done to this file.
VERBOSE=no                     # Set to 'yes' if you want to see exactly what's
                               # happening. Log file will be large. Disable normally.
SPAM=SPAM                      # spam folder.
BLOCKED=/dev/null              # Things we never want to see
LOCKFILE=$HOME/.lock           # One lockfile instead of many local ones so we're
                               # not trying to lock /dev/null etc. if one of our
                               # variables directs mail there
COMSAT=no                      # Don't notify me unless it's for real
FRIENDS=.friends               # Name of the file containing a list of people we
                               # always want to get mail from, one per line. If
                               # any substring of the From: or Sender: line matches
                               # a line of this file, it will go through, so this
                               # can be used to denote entire sites that we always
                               # wish to get mail from as well as individuals.
                               # E.g. "user", "user@aol.com" or "aol.com".
                               # Note that this file is case-insensitive.
                               # Putting all of the people or lists you get lots
                               # of mail from here will not only ensure you get
                               # it, but will speed up procmail.
SPAMMERS=.spammers             # Name of the file containing a list of spammers,
                               # one per line. This also checks the Reply-To:
                               # and Received: fields.
                               # Just like the FRIENDS file otherwise.
LISTS=.lists                   # Name of a file containing a list of strings
                               # we will use as signatures to recognize mail from
                               # mailing lists that we want to receive, so it's
                               # not routed to SPAM because it's not addressed
                               # directly to us. You'll need to find a header line
                               # or part of a header line that will always be on
                               # these mailing list messages. Be specific -- if
                               # any part of any message header matches a line in
                               # this file, you're going to see it in your mailbox.
                               # If the Sender: field is always the same on mailing
                               # list messages, you can list the sender (likely
                               # something like "hamster-list-owner@rodents.com")
                               # in your FRIENDS file, which is more efficient,
                               # because FRIENDS are only searched for in the
                               # From: and Sender: headers, while LISTS strings
                               # are searched for in ALL of the headers.
                               # If you can't match a mailing list with Sender:,
                               # find a header that is always there and always the
                               # same and list it in LISTS, including the header
                               # field. As so: X-Loop: FreeBSD.org or...
                               # X-Comment: The hamsters mailing list is for adults only.

# back up everything. 'c' flag causes us to continue processing
# even though the message has been delivered. ('copy')
# Uncomment this when testing new rules to make sure you don't lose
# anything important. (Or you could just set SPAM to something
# besides /dev/null, but don't do both.)
#
#:0 c
#backup

# Here we search the list of people we always want to get mail from,
# and deliver the mail if it's from one of them, no matter what.
# The FRIENDS file is set and described above.
:0
* ? (formail -x From: -x Sender: | fgrep -iqf $FRIENDS)
{
  COMSAT=yes    # notify me of receipt if possible
  :0
  $DEFAULT      # deliver to default mailbox
}

# And here we search a file with a list of people we _never_ want to
# get anything from, tossing the mail if it's from one of them.
# BLOCKED is set and described above.
:0
* ? (formail -x From: -x Sender: -x Reply-To: -x Received: | fgrep -iqf $SPAMMERS)
$BLOCKED

# Get rid of SWEN.A Virus
# This searches messages of the lengths sent out by the SWEN worm for a
# BASE-64 encoded URL which comes with each of the copies no matter how
# the rest of the payload is munged.
:0
* > 140000
* < 165000
{
  :0 BD
  * b3IAAABBZG1pbgAAAEdFVCBodHRwOi8vd3cyLmZjZS52dXRici5jei9iaW4vY291bnRlci5naWYv
  $BLOCKED
}

# executable windows attachments
:0 B
* ^Content-Type: .*/.*;$?.*NAME=.*\.(exe|com|bat|pif|scr|lnk)
$SPAM

# POP3 Host runs MailScanner, throw detected spam into $SPAM
:0:
* ^X-MailScanner-SpamCheck: spam
$SPAM

# POP3 Host inserts spamcop.net header, throw detected spam into $SPAM
:0:
* ^X-Warning:.*blacklisted at bl.spamcop.net
$SPAM

# Now we'll look for mailing lists so they don't go to SPAM, as
# these will not be addressed directly to us, and later we will route
# messages not addressed to us to SPAM.
# LISTS is set and described above.
:0 H
* ? fgrep -iqf $LISTS
{
  COMSAT=yes
  :0
  $DEFAULT
}

# not addressed to you -- spam (or mailing list, if not caught earlier)
# You could remove this if you subscribe to a lot of lists and don't
# want to bother listing them in your 'lists' file but this rule
# catches a _lot_ of spam -- upwards of 50% of it for sure.
# This recipe must stay BELOW the FRIENDS and LISTS recipes, or list
# mail will be routed to SPAM before those recipes can rescue it.
#
# REMOVE THIS IF YOU SUBSCRIBE TO MAILING LISTS AND HAVE NOT ARRANGED
# FOR MAILING LISTS TO BE CAUGHT WITH EITHER A FRIENDS OR LISTS ENTRY!
#
# CHANGE THE nsc|nathan|webmaster|postmaster|pinouts TO REFLECT THE
# USERNAMES YOU WANT TO ACCEPT - EVERYTHING ELSE GOES TO SPAM
:0
* !^(To|Cc):.*(nsc|nathan|webmaster|postmaster|feedback|pinouts)
$SPAM

# look for X-Advertisement header or 'advertisement' in the subject,
# accounting for possible sp. error. "Nice" spammers use this header.
:0
* ^X-Adverti[sz]ement:
$SPAM

:0
* ^Subject:.*adverti[sz]ement
$SPAM

# To: friend(s)@public.com or you@wherever.com and the like. Spam.
# (arrangements made for those who spell at a 4th grade level as
# well, i.e.: freind)
:0
* ^TO.*( |<|,)(fr(ie|ei)nd(s)?|you)@
$SPAM

# snag the To: and From: headers
TO=`formail -zx To:`
FROM=`formail -zX From: | formail -zrx To:`   # address-stripping magic

# spammers love to set their "To:" and "From:" fields to the same
# thing. If this is the case and it's not from you, it's spam.
:0
* $ TO ?? $FROM
* !$ ^To:.*$LOGNAME
$SPAM

# no To: line.
:0
* TO ?? ^$
$SPAM

# no legit From address (formail generates foo@bar in this case)
:0
* FROM ?? ^foo@bar$
$SPAM

# purely numeric address. blah. I've never seen this be legit.
# Even compuserve addresses have a punctuation mark of some sort.
:0
* ^From:.*( |<)[0-9]+@
$SPAM

# bogus pegasus header, very common with spammers, and I've never
# seen it used by anyone else.
:0
* ^Comment: Authenticated sender is
* ! ^X-Mailer: Pegasus
$SPAM

# bad message id -- empty or no @host part.
:0
* ^Message-Id:.*<[^@]*>
$SPAM

# sex spam -- "XXX" in subject (case sensitive, word boundaries)
:0 D
* Subject:.*\<XXX\>
$SPAM

# 1-900 in the subject. Yeah, right.
:0
* ^Subject:.*1-900
$SPAM

# mlm crap -- MLM in subject (case sensitive)
:0 D
* Subject:.*\<MLM\>
$SPAM

# 'dear friend' at the start of a line in the body of message
# (in brackets is a tab and a space -- if you edit the file, make
# sure you keep them in there -- one tab, one space, in either order)
# provisions made for misspelling.
:0 B
* ^[	 ]*dear fr(ie|ei)nd(s)?
$SPAM

# nothing from email blaster
:0 B
* EMAIL BLASTER
$SPAM

# or this one
:0 B
* EMAIL PLATINUM
$SPAM

# More known bulk mailers.
:0:
* ^X-Mailer:.*((MassE-Mail)|Extractor|Floodgate|(Emailer Platinum)|JumboMail|(Advanced Mass Sender)|GreenRider|(FoxMail .*cn))
$SPAM

# Your research sucks ("our research indicates that you wanted our spam..")
:0 B
* (our|my) research indicates
$SPAM

# sex spam, "adults only" in subject
:0
* ^Subject:.*adults only
$SPAM

# popular pyramid scam signature
:0 B
* order report #1
$SPAM

# we don't ever wanna hear about mlm (message body)
:0 B
* multi(-| )?level marketing
$SPAM

# or abbreviated (message body, case sensitive)
:0 BD
* MLM
$SPAM

# 2 bangs or dollar signs in subject. spammer hype.
# :0
# * ^Subject:.*(!!|\$\$)
# $SPAM

# more conservative for the body -- need three of the same
# :0 B
# * (!!!|\$\$\$)
# $SPAM

# too many recipients ( >= 10). If you want to change this, get rid of
# or add sets of ".*," You need n-1 sets, where n is too many recips.
:0
* ^(To|Cc):.*,.*,.*,.*,.*,.*,.*,.*,.*,
$SPAM

# don't even want a 1-900 number in the body.
:0 B
* 1-900
$SPAM

# If opportunity knocks, we're not home. Real common spammer flag.
:0
* ^Subject:.*opportunity
$SPAM

# All caps subjects are highly suspect but unfortunately too many
# people have this unfortunate habit.
#:0 D
#* ^Subject: [^a-z]*$
#$SPAM

# "free" in the subject line. More than likely spam although
# I have found this to generate too many false positives.
# You may want to uncomment this.
#:0
#* ^Subject:.*\<free\>
#$SPAM

# "sex" in subject. Only caught on word boundary.
:0
* ^Subject:.*\<sex\>
$SPAM

# large dollar amount in subject line, spam
:0
* ^Subject:.*\$[0-9]+,000
$SPAM

# real common in pyramid scams, uncommon for real people.
# (especially those you know.. ;) ) "my name is" in the body.
# this one is a good candidate to go to SPAM
:0 B
* my name is
$SPAM

# "FREE" in body -- Spammers love to sprinkle this around liberally.
# (case sensitive -- the word "free" in lc would be far too common)
# Again excluded as too many false positives
#:0 BD
#* \<FREE\>
#$SPAM

# probable sex spam -- "adults only" in body
:0 B
* adults only
$SPAM

# more sex spam
:0 B
* over (18|21) only
$SPAM

# Medical spam
:0:
* ^Subject:.*((pharmacy)|(prescription)|(medication)|(viagra))
$SPAM

# Catches about 99% of deliberate viagra misspellings, i.e. v1@GRa, v1agr@ etc.
:0
* ^Subject:.*[Vv][1jl\|][aA\@][Gg][Rr][Aa\@]
$SPAM

### Section below includes rules from http://horde.com/spam/

# I don't want to buy millions of e-mail addresses, thankyouverymuch.
:0:
* ^Subject:.*(000|million|verified).*(e-mail|email)?.*address
$SPAM

# If you're excited about credit cards or mortgage rates, you're probably
# stupid. (Note the exclamation point at the end.)
:0:
* ^Subject:.*((mortgage.*rate)|(credit card)|insurance|market|debt|buy|(financial freedom)|(\$)|wealth).*!
$SPAM

# Stalk much?
:0:
* ^Subject:.*find out.*anything.*anyone
$SPAM

# Enough already.
:0:
* ^Subject:.*((got debt)|(tax problems))
$SPAM

# Thanks, I'm all set.
:0:
* ^Subject:.*((stop)|(quit)).*((smok)|(snor))
$SPAM

# Not generally they're not.
:0:
* ^Subject:.*girl.*crazy
$SPAM

# I don't think I will, thanks.
:0:
* ^Subject:.*((check.*out)|(see.*this))
$SPAM

# Some spammers forge usernames that contain multiple consecutive dashes.
:0:
* ^From:.*--
$SPAM

# I doubt I want to hear anything from any marketroid.
:0:
* ^From:.*marketing
$SPAM

# I like my fat. I'm not interested in loosing it.
:0:
* ^Subject:.*loo?se (up to )?[0-9]+ pounds
$SPAM

# Mail claiming to be malware removal tools almost certainly contains a
# virus, worm, or trojan. Not necessarily spam per se, but I don't want to
# see it anyway.
:0:
* ^Subject:.*removal tool
$SPAM

# Similarly, I'm not interested in receiving notification that some virus or
# worm decided to use my e-mail address in its "from" line. Again, not
# really spam, but close enough.
:0:
* ^Subject: InterScan.*Alert
$SPAM

# Filter any mail claiming to be from a hotmail.com address that does not
# contain the characteristic "X-Originating-IP" header.
:0:
* ^(Received:|From:).*hotmail\.com
* !^From: postmaster@.*hotmail\.com
* !^X-Originating-IP
$SPAM

# Filter any mail claiming to be from a yahoo.com address whose Message-ID
# header indicates otherwise, unless it appears to be a bounce (which should
# come from a mail daemon).
:0:
* ^(Received:|From:).*yahoo\.com
* !^FROM_MAILER
* !^Message-ID:.*yahoo(mail)?\.com
$SPAM

# Filter any mail claiming to be from a Juno address that does not contain
# the characteristic "X-Mailer: Juno" header.
:0:
* ^(Received:|From:).*juno\.com
* !^X-Mailer: Juno
$SPAM

# Filter any mail claiming to be from a Lycos address that does not contain
# the characteristic "X-Sender-Ip" header.
:0:
* ^(Received:|From:).*(lycos|mailcity)\.com
* !^X-Sender-Ip:
$SPAM

### End section from http://horde.com/spam/

# Run through spamassassin and throw all detected spam into $SPAM
:0fw: spamassassin.lock
| /usr/bin/spamassassin -P

:0:
* ^X-Spam-Status: Yes
$SPAM

COMSAT=yes   # ok, you can bother me, looks like it's a real mail
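As an added example that is not part of the original procmailrc, the script below reproduces the FRIENDS lookup (`formail -x From: -x Sender: | fgrep -iqf $FRIENDS`) with awk and `grep -F` in place of formail and fgrep, so it runs without procmail. It shows the caveat noted in the FRIENDS comment: every line of the file is a case-insensitive substring match against the From:/Sender: headers only, so an entry like "user" also admits abuser@evil.example, while the same words in Subject: or the body are never consulted. The allowlist and messages are constructed.

```shell
#!/bin/sh
# Added example (not from the original procmailrc): the FRIENDS check
# rebuilt with awk + grep -F so it runs without procmail/formail.

# Constructed allowlist in the FRIENDS file format: one entry per line.
FRIENDS_FILE=$(mktemp)
printf '%s\n' 'alice@example.org' 'user' 'aol.com' > "$FRIENDS_FILE"

# extract_from_sender MESSAGE: stand-in for `formail -x From: -x Sender:`.
# Prints the bodies of From:/Sender: header lines and stops at the first
# blank line, which ends the header block.
extract_from_sender() {
    printf '%s\n' "$1" | awk '
        /^$/ { exit }
        /^(From|Sender):/ { sub(/^[^:]*:[ \t]*/, ""); print }'
}

# is_friend MESSAGE: exit 0 when any FRIENDS line occurs (any case) as a
# substring of the extracted headers, exactly as `fgrep -iqf $FRIENDS` does.
is_friend() {
    extract_from_sender "$1" | grep -Fiqf "$FRIENDS_FILE"
}

# Constructed test messages (headers, blank line, body).
MSG_ALICE='From: Alice <Alice@EXAMPLE.org>
Subject: lunch?

see you at noon'

# "abuser@evil.example" contains the FRIENDS entry "user": over-matched.
MSG_ABUSER='From: abuser@evil.example
Subject: limited offer

buy now'

# FRIENDS words appear only in Subject:/body, which are not searched.
MSG_STRANGER='From: bob@other.example
Subject: user at aol.com

aol.com'

for m in "$MSG_ALICE" "$MSG_ABUSER" "$MSG_STRANGER"; do
    if is_friend "$m"; then echo "friend:   $(extract_from_sender "$m")"
    else echo "stranger: $(extract_from_sender "$m")"; fi
done
```

Run as-is it reports the first two messages as friends and the third as a stranger; to tighten the allowlist, use full addresses or a leading `@domain` rather than bare words.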