1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
# junkfilter
# a junk e-mail filter system for procmail
# Copyright 1997-98, Gregory Sutter <gsutter@pobox.com>
#
# $Id: junkfilter.four,v 2.9 1999/03/12 03:40:58 gsutter Exp $
#
# Please read the file "junkfilter.readme" and the page
# http://www.pobox.com/~gsutter/junkfilter/ before using
# junkfilter. junkfilter is copyright 1997-98 Gregory
# Sutter and is licensed under the terms of the GNU
# General Public License, version 2. See the file
# junkfilter.readme for details.
# Four is the testing section. All recipes in beta. Careful!
JFSEC=4
# Multiple addresses in From: without single address in Sender:
:0
* $ ^From:.*$JFADDR$JFWS?,$JFWS?$JFADDR+
* $ ! ^Sender:$JFWS$JFADDR$JFWS$JFNL
{ JFMATCH="$JFSEC: Invalid From: header" INCLUDERC=$JFDIR/junkfilter.match }
# If only one Received: header AND from a common dialup, junk. (RFMS again)
# Thanks Rik Kabel <rik@netcom.com>
:0
* 2^0
* -1^1 ^\/Received:.*
* $ MATCH ?? from [ ]+(($JFIPNUM\.)+|[-0-9a-z]+|$JFDIALUPS)[ ]+\(\/[-0-9a-z\.]+[ ]
* MATCH ?? \\/[^ ]+
{ JFMATCH="$JFSEC: RapidFire Mail Server: $MATCH" INCLUDERC=$JFDIR/junkfilter.match }
# Hosts claiming to be other hosts... note trailing space
:0
* $ ^X-Authentication-Warning:.*Host ($JFDOMDAM\.)*\/($JFDOMNAM)\.($JFTLD)\>
{
JFHOSTREAL=$MATCH
:0
* $ ^X-Authentication-Warning:.*Host ($JFDOMDAM\.)*($JFDOMNAM)\.($JFTLD)\>[ ]+\[$JFIPNUM\.$JFIPNUM\.$JFIPNUM\.$JFIPNUM\][ ]+claimed to be[ ]+(($JFDOMDAM\.)*\/($JFDOMNAM)\.($JFTLD)|\[$JFIPNUM\.$JFIPNUM\.$JFIPNUM\.$JFIPNUM\])\>
{
JFHOSTCLAIM=$MATCH
:0
* ! JFHOSTREAL ?? JFHOSTCLAIM
{ JFMATCH="$JFSEC: X-Authentication-Warning: a host in $JFHOSTCLAIM claimed to be in $JFHOSTREAL" INCLUDERC=$JFDIR/junkfilter.match }
}
}
# Multiple simultaneous spaces or tabs in From: header
# Hmmm... now requires three simultaneous.
:0
* ()\/^From:.*[-_a-z0-9]+[ ][ ][ ]+.*
{ JFMATCH="$JFSEC: Spaces in From: header: $MATCH" INCLUDERC=$JFDIR/junkfilter.match }
# Empty To: header
:0
* $ ^To:$JFWS\(?${JFWS}?\)?${JFWS}[^a-z0-9]+
{ JFMATCH="$JFSEC: Empty To header" INCLUDERC=$JFDIR/junkfilter.match }
# From self, but Received: or Message-Id: outside local domain.
:0
* $ ^From:.*$JFMAILADDR
* -1^1 $ ^Received:${JFWS}from ($JFDOMNAM\.)*$JFMAILDOM
* 1^1 $ ^Received:
* JFLREC^0 ^Received:
{ JFMATCH="$JFSEC: Forged header from self" INCLUDERC=$JFDIR/junkfilter.match }
# One of these damn spam mailers leaves a distinctive signature
:0
* $ ^From:$JFWS[0-9][0-9][0-9][0-9]+\.$JFADDR
* $ ^To:$JFWS[0-9][0-9][0-9][0-9]+\.
* $ ^Subject:.*-[0-9][0-9][0-9][0-9]+$
{ JFMATCH="$JFSEC: Sent by a not-tricky-enough junk email program" INCLUDERC=$JFDIR/junkfilter.match }
# Disabled Recipes here
# Capital Bogosity In E-Mail Is A Near-Sure Sign Of Spam
# Thanks, Era Erikkson and Phil Hord <phil.hord@antec.com>
#:0D
#* -59^0
#* 1^1 B ?? [-a-z'][,:;]?[ ]+[A-Z][-a-z']
#* 8^1 B ?? ()\<[A-Z][-a-z']+[,:;]?[ ]+[A-Z][-a-z']+[,:;]?[ ]+[A-Z][-a-z']+[,:;]?
#{ JFMATCH="$JFSEC: Capital Bogosity" INCLUDERC=$JFDIR/junkfilter.match }
# Message-Id: from domain that's not in any Received: header
#:0
#* $ ^Message-Id:$JFWS<.*@\/.*>
#* $ $MATCH ?? .*>
## Damn stock symbol spammer. Kill on the symbol?
#:0 DB
#* ['"][A-Z] ?[A-Z] ?[A-Z] ?[A-Z]['"]
#{ JFMATCH="$JFSEC: Stock symbol spam" INCLUDERC=$JFDIR/junkfilter.match }
JFSEC
# EOF junkfilter.four
|
