To: gentoo-admin@g.o
From: Daniel Robbins <drobbins@g.o>
Subject: spam procmailrc (2nd try)
Date: 24 Aug 2002 22:36:41 +0000
-- 
Daniel Robbins
Chief Architect, Gentoo Linux
http://www.gentoo.org
# procmailrc sitting in front of the Mailman list poster. Every recipe below
# only TAGS a suspicious message: it appends an "X-Note: ..." line to the
# variable 'notice' and a keyword to the log. Nothing here drops or bounces
# mail -- the message is handed to the Mailman wrapper unconditionally at the
# very end, so any real filtering has to happen downstream on the X-Note:
# headers or the log.
#
# Variables used throughout:
#   MAILMAN  - inherited from the environment (presumably the list name); it
#              is spliced into the log and cache paths and into the final
#              wrapper command line and is never validated here.
#              NOTE(review): confirm the caller constrains its value.
#   notice   - accumulates one "X-Note: ..." line per matching recipe; only
#              constant strings from this file are ever appended to it.
#   nl       - scratch: a newline once 'notice' is non-empty, otherwise empty.
COMSAT = no
MAILDIR = /var/mailman/procmail/
# One log file per list.
LOGFILE = /var/mailman/procmail/procmail.log.${MAILMAN}
VERBOSE = "off"    #set to on when debugging
#VERBOSE = "on"
# Assigning to LOG appends the text to LOGFILE; this separates the entries
# written for consecutive messages.
LOG = "
---------- NEXT MESSAGE ---------
"
LOGABSTRACT = "all"

# Kill variable 'notice' first (a variable name on a line by itself unsets it).
notice
# A literal newline, used to join successive X-Note: lines in 'notice'.
NL = "
"

# When looking for duplicate Message-ID's formail needs to know where to put the
# database of recently seen ID's. Also, we can specify the maximum size of
# that file.
CACHE_SIZE = 8192
CACHE_FILE = /var/mailman/procmail/msgid.cache.${MAILMAN}

# Look for duplicate messages (message with a Message-ID we have received
# before recently). First it checks the database. In case of 'success',
# in case there's a duplicate, the second recipe gets executed.
# Flags: W = wait for formail and suppress its "Program failure" message,
# h = feed only the header, c = work on a copy so the message continues down
# the rcfile; msgid.lock serialises access to the cache file.
:0Whc:msgid.lock
| formail -D $CACHE_SIZE $CACHE_FILE

# Tagging idiom repeated by every recipe below: unset 'nl', set it to a
# newline only when an earlier note exists, append this recipe's note, and
# write a keyword to the log. The 'a' flag runs this only if the preceding
# recipe (the duplicate check) succeeded.
:0a
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: duplicated msgid"

	LOG = "DUPLICATED "
}


# Message should contain something (total length below 10 bytes is tagged).
:0
* < 10 
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: No content"

		LOG = "NO_CONTENT "
}


# Trap SirCam (signature as of 08/01/2001)
# Outer recipe: size above 130000 bytes and a multipart/mixed header; the
# nested recipe (B flag) looks for the base64 attachment signature in the body.
:0
* > 130000
* ^Content-Type:.*multipart/mixed;
{
	:0B
	* ^Content-Disposition: attachment;
	* ^Content-Transfer-Encoding: base64
	* AAAAGgU0NhbTMyABCDTUlN|AAAAAaBTQ2FtMzIAEINNSU1F|ABkAAAABoFNDYW0zMgAQg01J
	{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: Virus SirCam"

		LOG = "VIRUS_SIRCAM "
	}
}

# Trap BadTrans (signature as of 12/03/2001)
# Size window 40000..50000 bytes, a "Re:" subject, and (scored 1^1 lines, so
# presumably either one suffices) one of two known boundary/nesting forms.
# NOTE(review): the "Content-ID:" line in the nested recipe looks like two
# conditions collapsed onto one line by the archive; confirm against the
# original file before relying on it.
:0
* > 40000
* < 50000
* ^Subject: Re:
* 1^1 ^Content-Type:.*multipart/.*boundary="====_ABC1234567890DEF_===="
* 1^1 ^Content-Type:.*multipart/.*multipart/
{
	:0B
	* ^Content-Type: audio/x-wav;
	* ^Content-ID:         * ^Content-Transfer-Encoding: base64
	{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: Virus BadTrans"

		LOG = "VIRUS_BADTRANS "
	}
}

# Trap Klez (signature as of 04/26/2002)
# Body must show the iframe-with-cid trick, an audio part with a Content-ID and
# a base64 part starting with the MZ executable header ("TVqQAAMAAAAEAAAA").
:0
* > 100000
* ^Content-Type:.*multipart/alternative;
{
	:0B
	* \<i?frame +src=(3D)?cid:.* height=(3D)?[0-9] +width=(3D)?[0-9]>
	* ^Content-Type:.*audio/
	* ^Content-ID:.*<
	* ^Content-Transfer-Encoding: base64
	* ^TVqQAAMAAAAEAAAA
	{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: Virus Klez"

		LOG = "VIRUS_KLEZ "
	}
}

# Spammer's embedded space trick -- you know the ones:
# Subject: Hot chix!           12345
# (a run of whitespace inside the subject after some non-blank text)
:0 
* ^Subject: .*[^ ].*       .*
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: subject space trick"

	LOG = "SPACE_TRICK "
}


# X-Mailers commonly used for spamming
# NOTE(review): "{%xmailer%}" looks like an unexpanded template token rather
# than a mailer name; as written it only matches that literal text.
:0
* ^X-Mailer.*({%xmailer%}|MailKing|Diffondi|Nicola Delfino|Emailer Platinum|MassE-Mail|massmail\.pl|Group Mail|Floodgate Pro|WorldMerge|YMR email)
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: bad x-mailer"

	LOG = "BAD_XMAILER "
}

####	Morons trying to forge IP addresses (except for morons using IMS,
#	which breaks an otherwise valid spam-signature test).
# The regex matches a bracketed/parenthesised dotted quad in a Received: line
# where any octet is >255 (four digits, 3xx-9xx, 26x-29x, 256-259) or has a
# leading zero; messages that passed through Internet Mail Service are exempt.
:0	
* ^Received:.*(\(|\[)(([0-9][0-9][0-9][0-9]+|[03-9][0-9][0-9]|2[6-9][0-9]|25[6-9]|0[0-9])\.[0-9]+\.[0-9]+\.[0-9]+|[0-9]+\.([0-9][0-9][0-9][0-9]+|[03-9][0-9][0-9]|2[6-9][0-9]|25[6-9]|0[0-9])\.[0-9]+\.[0-9]+|[0-9]+\.[0-9]+\.([0-9][0-9][0-9][0-9]+|[03-9][0-9][0-9]|2[6-9][0-9]|25[6-9]|0[0-9])\.[0-9]+|[0-9]+\.[0-9]+\.[0-9]+\.([0-9][0-9][0-9][0-9]+|[03-9][0-9][0-9]|2[6-9][0-9]|25[6-9]|0[0-9]))(\)|\])
* !^Received:.*Internet Mail Service
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: ip forged 1"

	LOG = "IP_FORGED1 "
}

####    More bogus IP addresses
# All-zero address in brackets. NOTE(review): the "ip forged 5" recipe below
# matches the same thing with a tighter pattern, so both tags fire together.
:0
* ^Received: .*\[(0)+\.(0)+\.(0)+\.(0)+\].*
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: ip forged 2"

	LOG = "IP_FORGED2 "
}

# Nuke Invalid IP and domains
# Bracketed address containing an octet >255. NOTE(review): differs from the
# "ip forged 4" recipe only by the missing colon after "Received", so every
# hit here is also a hit there.
:0
* ^Received.*\[[0-9\.]*([03-9][0-9][0-9]|2[6-9][0-9]|25[6-9])
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: ip forged 3"

	LOG = "IP_FORGED3 "
}

# Morons trying to forge IP addresses
:0
* ^Received:.*\[[0-9\.]*([03-9][0-9][0-9]|2[6-9][0-9]|25[6-9])
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: ip forged 4"

	LOG = "IP_FORGED4 "
}

# More bogus IP addresses
:0
* ^Received:.*\[0+\.0+\.0+\.0+\]
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: ip forged 5"

	LOG = "IP_FORGED5 "
}

# Null Message-ID
:0
* ^Message-ID.*<>
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: null msgid"

	LOG = "NULL_MSGID "
}

# Invalid Message-Id:s are likely SPAM, any non-RFC compliant ID gets nailed
# (tagged when there is no Message-Id of the form <local@domain>, with no
# whitespace or angle brackets inside either part).
:0
* ! ^Message-Id:[       ]*<[^   <>@]+@[^        <>@]+>[         ]*$
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: invalid msgid 1"

	LOG = "INVALID_MSGID1 "
}

# Mail needs to have exactly 1 valid Message-Id:
# Scoring: start at 2, subtract 1 if a well-formed Message-Id is present,
# subtract 1 if there is NOT a second Message-Id header. The recipe fires
# when the total stays above zero, i.e. the ID is missing/malformed or there
# is more than one.
:0
*   2^0
*  -1^0  ^Message-Id:.*[<]..*@..*[>]$
*  -1^0 !^Message-Id:(.*$)+Message-Id:
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: invalid msgid 2"

	LOG = "INVALID_MSGID2 "
}


# Known spam senders / recipients in From:, Cc: or To:.
# NOTE(review): "@*dailydirt\.com" and "thecompanystore*@" use a bare "*",
# which repeats the preceding character; ".*" was presumably intended.
:0
* ^(From|Cc|To).*(Undisclosed\.Recipients.*|friend@public\.com|HornySlaves@slave\.com|@*dailydirt\.com|guardian\.net@returns\.onelist\.com|vividvideo\.com|thecompanystore*@s2u2\.com|real-net\.net|hahaha@sexyfun\.net|olibur@yahoo\.com)
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: from cc or to blocked"

	LOG = "FROM_CC_TO "
}

# Self-declared bulk mail.
:0
* ^X-Distribution: (Mass|Bulk)(\>|$)
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: x-distribution"

	LOG = "X-DISTRIBUTION "
}

# required headers, if there isn't a From, To, Date, and Subject KILL IT
# (each missing header gets its own tag; "Apparently-To:" counts as To:)
:0
* !^(Apparently-)?To:
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: no to field"

	LOG = "NO_TO_FIELD "
}

:0
* !^From:
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: no from field"

	LOG = "NO_FROM_FIELD "
}

:0
* !^Date:
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: no date field"

	LOG = "NO_DATE_FIELD "
}

:0
* !^Subject:
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: no subject field"

	LOG = "NO_SUBJECT_FIELD "
}


# Cyberpromo and several other of the similar groups actually add this
# header, talk about making life easier
:0
* ^X-Advertisement.*
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: x-adv"

	LOG = "X_ADV "
}

# bad charset:
:0
* ^Content-Type:.*charset.+(euc-kr|big5|ks_c_5601-1987)
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: chinese charset"

	LOG = "CHINESE_CHARSET "
}

# typical spam subject:
# NOTE(review): matching is case-insensitive by default (see the D-flag
# recipe further down), so alternatives such as "MORTGAGE|mortgage|Mortgage"
# and "sex|Sex|SEX" are redundant, and the short unanchored words ("sex",
# "adult") match inside ordinary words too. Several entries also contain
# unescaped "*" and "?" ("*investment*", "=?ISO-2022-JP?") that act as regex
# operators rather than literal characters.
:0
* ^Subject.*(Free Advertising|X-Rated Pictures|Live Nude Models|ADV:|ADVERT.*|=?ISO-2022-JP?.*|*investment*|Snowhite.and.the.Seven.Dwarfs|More.Month.Than.Money*|gasoline.prices|Mortgage.Rates|Financial.Freedom|China-diesel|Su.sitio.web|Congratulations.*|You.Have.Been.*|BILLIONS.OF.FREE.*|Hey!.I.just.got.my.FREE.*|Register.to.win.*|Amateur.teens*|Are.you.low.on.ink.or.paper*|MORTGAGE|mortgage|Mortgage|Come.chek.out.my.web.cam*|Easy,Quick.DVD.Copier*|Effective.marketing.for.you*|Free.Advertising*|Got.Debt*|Horny.Toons*|Hot.Craze*|How.about.doubling.your.money*|I'M.SO.HORNY*|Jennifer.Love*|Make.money.while*|Mature.Women.Naked*|My.mouth.is.wet.for.you*|No.more.10-10.programs*|lease.ead*|RE:.It's.Brydie*|TASTE.ME*|Tax.right.off*|The.Database.that.Bill*|Time.for.Big.V*|Weight.Loss*|much.for.inkjets*|FREE.Cell.Phones*|lose.weight*|exploited.teens*|Enhance.Your.Sex.Life*|term life insurance*|Bitches Are Hot|sex|Sex|SEX|adult|Adult|ADULT)
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: spam subject"

	LOG = "SPAM_SUBJECT "
}

# Mega-CC harassment mail is a pain because of all the idiots who reply to it
# (twelve or more "@" in a single To: or Cc: header)

:0
* ^(To|Cc):.*@.*@.*@.*@.*@.*@.*@.*@.*@.*@.*@.*@
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: mega cc"

	LOG = "MEGA_CC "
}


# Coming from a "from mailer" (bounce / auto-reply subjects):

:0
* ^Subject.*(Autoreply.*|ndn:.*|RCPT.*|Delivery.Confirmation.*|NON-DELIVERY.of:.*|Undeliverable.Message.*|Receipt.Confirmation.*|Failed.mail.*|Returned.mail.*|unable.to.deliver.mail.*|deliver.*return|Return.*mail|User unknown|Undeliverable mail|away.from.my.mail.*)
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: from mailer 1"

	LOG = "FROM_MAILER1 "
}

# FROM_MAILER is procmail's built-in regex for mailer-daemon senders.
:0
* ^FROM_MAILER
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: from mailer 2"

	LOG = "FROM_MAILER2 "
}

:0
* ^To:.*postmaster-.+@.*
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: to postmaster"

	LOG = "TO_POSTMASTER "
}


# Check for Received fields after Date, Subject or Reply-To fields. It's most 
# likely a forgery if there are any Received fields there
:0
*  ^(Date|Subject|Reply-To):(.*$)+Received:
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: incorrect fields order"

	LOG = "INCORRECT_FIELDS_ORDER "
}

# Looking for HELO greetings longer than 1024 characters. These resulted in a 
# buffer overflow in sendmail 8.8, causing all the preceding Received
# fields to be deleted - and figuring out the origin of the relay impossible.
# Only one line break, at end of dotted line.
# NOTE(review): in this archived copy the dotted line ends in "!" followed by
# a line break -- the same wrap marker the archive inserted into the body-spam
# regex further down -- so the two lines were most likely one line in the
# original and the condition will not parse as shown here.
:0
* ^Received:.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................!
......................
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: bogus helo"

		  LOG = "BOGUS_HELO "
}

# The X-UIDL field is added by the mail-handler after procmail has processed the
# message. If it is there right now when procmail is processing the message, it 
# may be a forgery. The filter should not match X-UIDL's that have 'maildrop' 
# somewhere in the value. Those are from one of my POP's where i have read the 
# mail before using a shell account.
# Edward J. Sabol <sabol@...>: E-mails with
# X-UIDL: headers are almost definitely spam unless they've been
# Resent-To: me by someone. Also, valid X-UIDL: headers have 32
# hexadecimal digits exactly.
# (The backslash-continued condition spells out 7+7+7+7+4 = 32 hex digits.)
:0
* ^X-UIDL:
* !^X-UIDL: .*maildrop
* !^X-UIDL:[   ]*[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
                 [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
                 [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
                 [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
                 [0-9a-f][0-9a-f][0-9a-f][0-9a-f][     ]*$
* !^Resent-To:
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: invalid x-uidl"

		  LOG = "INVALID_X-UIDL "
}

# Only older version of Pegasus Mail used the field 'Comments: Authenticated 
# sender'. If it is there and the message is not sent with Pegasus it's most 
# likely a forgery.
:0
*   ^Comments: Authenticated Sender is
* ! ^X-Mailer: .*Pegasus Mail
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: authenticated sender forged"

		  LOG = "AUTHENTICATED_SENDER_FORGED "
}

# Check for empty Return-Path's.
:0
* ^Return-Path: <>
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: empty return path"

		  LOG = "EMPTY_RETURN_PATH "
}

# all caps headers are used only by spammers and HP's OpenMail.
# so says i forgot who (can somebody help?)
#
# D: Tell the internal egrep to distinguish between upper and  lower  case
# (contrary to the default which is to ignore case).
:0D
* ! ^X-OpenMail
* ^(FROM|TO|DATE|SUBJECT)
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: all caps header"

	LOG = "ALL_CAPS_HEADER "
}


#  Kill numeric only addresses (no-one I know of uses only numbers, even
#Compuserve adds a period.
:0
* ^From:[  ]*[0-9]+@.*(\>|$)
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: numeric only address"

	LOG = "NUMERIC_ONLY_ADDRESS "
}


# scan body for spam
# NOTE(review): the archive wrapped this regex with "!" + line break in the
# middle of "letter"; in the original it was presumably one line. The list
# also contains a non-ASCII character ("más"), so the file's encoding matters.
:0B
*(PLEASE READ COMPLETELY!|Secretly.Attract.Women|Yes we do purchase uncollected Judicial Judgements!|We offer some of the best bulk e-mail prices on the Internet|forgive me if I made an error; I'm a two-fingered typist|http://www.RegisterNewExtensions.net|http://www.centralremovalservice.com|bulkemailsite.com|I can put you in touch with over 200 million people at virtually no cost.|Dear Friends & Future Millionaire|Over 75,000 nude celeb photos inside of the hottest teen superstars.|I send you this file in order to have your advice|Te mando este archivo para que me des tu punto de vista|This is the file with the information that you ask for|btamail.net.cn|illion fresh email addresses|largest financial market|to be removed from future mailings|como-vender.com|decreto S.1618 titulo 3ro|investment4u.com|To be removed from t|cannot be considered spam|be taken off our mailing list|his message is not Spam|Free Investment|TO BE REMOVED FROM THIS MAILING|You are receiving this lette!
r because you have|This message is sent in compliance of|This message is being sent to you in compliance with|small investment|Si usted no desea recibir más correos|Lose Weight|To remove yourself from|ONE TIME MAILING|NO NEED TO REMOVE|Amhsa Hotels|Stock Market|be taken off the list|result of your feedback form)
{
        nl
        nl      = ${notice+"$NL"}
        notice  = "$notice${nl}X-Note: body spam"

	LOG = "SPAM_BODY "
}

# Now check if 'notice' is something and if so, make formail add the headers.
# ("^^^^" matches only the empty string, so the negated condition means
# 'notice' is non-empty.) Flags: f = filter, h = header only, w = wait for
# formail. Only constant strings from this file ever reach $notice, so no
# message content is interpolated into the formail command line.
# NOTE(review): nothing in this file strips X-Note: headers already present
# in the incoming message, so a downstream consumer must not treat their mere
# presence as proof that one of these recipes fired.
:0fhw
* ! notice ?? ^^^^
| formail ${notice+-A"$notice"}

# pass the mail to mailman -- unconditionally; tagged and untagged messages
# alike are posted, so this rcfile annotates rather than filters.
:0
|/var/mailman/mail/wrapper post ${MAILMAN}
