# Global procmail settings for this per-list Mailman front end.
# ${MAILMAN} is expected to be supplied by whoever invokes procmail for the
# list (it is never assigned in this file) and is used unquoted in the log and
# cache paths below.
# NOTE(review): if MAILMAN can be empty or contain '/', those paths silently
# change — confirm the invoking alias always passes a plain list name.
COMSAT = no
MAILDIR = /var/mailman/procmail/
LOGFILE = /var/mailman/procmail/procmail.log.${MAILMAN}
VERBOSE = "off" #set to on when debugging
#VERBOSE = "on"
# Written to LOGFILE once per message; the recipes below then append one short
# tag each (e.g. "DUPLICATED ") so the log shows every classification hit.
LOG = "
---------- NEXT MESSAGE ---------
"
LOGABSTRACT = "all"
# Kill variable 'notice' first. Every recipe below appends one "X-Note: ..."
# line to it; the final formail recipe turns the accumulated text into headers.
notice
# A single newline, used to separate successive X-Note lines inside 'notice'.
NL = "
"
# When looking for duplicate Message-ID's formail needs to know where to put the
# database of recently seen ID's. Also, we can specify the maximum size of
# that file.
CACHE_SIZE = 8192
CACHE_FILE = /var/mailman/procmail/msgid.cache.${MAILMAN}
# Look for duplicate messages (message with a Message-ID we have received
# before recently). First it checks the database. In case of 'success',
# in case there's a duplicate, the second recipe gets executed.
#
# Flags: W = wait for formail and suppress "program failure" messages,
# h = feed only the header, c = carry on with the message afterwards, so this
# recipe never drops mail by itself. The local lockfile (msgid.lock, relative
# to MAILDIR) serialises concurrent writers of CACHE_FILE.
:0Whc:msgid.lock
| formail -D $CACHE_SIZE $CACHE_FILE
# 'a' = run only if the previous recipe succeeded, i.e. formail -D reported the
# Message-ID as already seen. Duplicates are only annotated, not discarded.
:0a
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: duplicated msgid"
LOG = "DUPLICATED "
}
# Message should contain something: tag anything whose total size (header
# plus body) is under 10 bytes.
:0
* < 10
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: No content"
LOG = "NO_CONTENT "
}
# Trap SirCam (signature as of 08/01/2001)
# Header side: large multipart/mixed messages only. Body side: a base64
# attachment containing one of three base64 alignments of the same byte
# string (each decodes to text containing "SCam32").
# NOTE(review): this is a hand-written signature for one 2001 worm variant; it
# does not generalise and is no substitute for a maintained content scanner.
:0
* > 130000
* ^Content-Type:.*multipart/mixed;
{
:0B
* ^Content-Disposition: attachment;
* ^Content-Transfer-Encoding: base64
* AAAAGgU0NhbTMyABCDTUlN|AAAAAaBTQ2FtMzIAEINNSU1F|ABkAAAABoFNDYW0zMgAQg01J
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: Virus SirCam"
LOG = "VIRUS_SIRCAM "
}
}
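# Trap BadTrans (signature as of 12/03/2001)
# Header side: a 40-50 kB message with a "Re:" subject and, as scoring
# conditions (each match adds 1, so one of the two suffices), either the
# fixed MIME boundary string or a nested multipart type.
# NOTE(review): a hand-written signature for one 2001 worm variant; it does
# not generalise and is no substitute for a maintained content scanner.
:0
* > 40000
* < 50000
* ^Subject: Re:
* 1^1 ^Content-Type:.*multipart/.*boundary="====_ABC1234567890DEF_===="
* 1^1 ^Content-Type:.*multipart/.*multipart/
{
# Body side: the base64 audio/x-wav part. In the archived copy the
# Content-ID and Content-Transfer-Encoding tests had been collapsed onto one
# condition line ("^Content-ID: * ^Content-Transfer-Encoding: base64"); since
# '^' in procmail matches a newline, that combined pattern could not match a
# real header and the trap never fired. They are two conditions again here.
:0B
* ^Content-Type: audio/x-wav;
* ^Content-ID:
* ^Content-Transfer-Encoding: base64
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: Virus BadTrans"
LOG = "VIRUS_BADTRANS "
}
}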
# Trap Klez (signature as of 04/26/2002)
# Header side: large multipart/alternative messages. Body side: an iframe
# pointing at a cid: part with single-digit height/width (the "(3D)?" allows
# for quoted-printable '=3D'), an audio/* part with a Content-ID, and a base64
# body starting with "TVqQAAMAAAAEAAAA", which decodes to an MZ (DOS/PE
# executable) header.
# NOTE(review): a hand-written signature for one 2002 worm variant; it does
# not generalise and is no substitute for a maintained content scanner.
:0
* > 100000
* ^Content-Type:.*multipart/alternative;
{
:0B
* \<i?frame +src=(3D)?cid:.* height=(3D)?[0-9] +width=(3D)?[0-9]>
* ^Content-Type:.*audio/
* ^Content-ID:.*<
* ^Content-Transfer-Encoding: base64
* ^TVqQAAMAAAAEAAAA
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: Virus Klez"
LOG = "VIRUS_KLEZ "
}
}
# Spammer's embedded space trick -- you know the ones:
# Subject: Hot chix! 12345
# NOTE(review): the runs of spaces in the example and in the regex below
# appear to have been collapsed to single spaces by the archive. As shown,
# "^Subject: .*[^ ].* .*" matches any Subject containing a non-space followed
# later by a space, i.e. nearly every multi-word subject. Restore the original
# run of spaces before relying on this recipe.
:0
* ^Subject: .*[^ ].* .*
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: subject space trick"
LOG = "SPACE_TRICK "
}
# X-Mailers commonly used for spamming
# NOTE(review): "{%xmailer%}" looks like an unexpanded template placeholder;
# procmail's egrep treats the braces literally so it is harmless but dead.
# Replace it with a real pattern or remove it.
:0
* ^X-Mailer.*({%xmailer%}|MailKing|Diffondi|Nicola Delfino|Emailer Platinum|MassE-Mail|massmail\.pl|Group Mail|Floodgate Pro|WorldMerge|YMR email)
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: bad x-mailer"
LOG = "BAD_XMAILER "
}
#### Morons trying to forge IP addresses (except for morons using IMS,
# which breaks an otherwise valid spam-signature test).
# Matches a dotted quad in parentheses or brackets in any Received: header
# where one octet is out of range: four or more digits, 300-999, 260-299,
# 256-259, or a two-digit value with a leading zero. Received: headers other
# than those added by our own MTA are sender-supplied, so this is a heuristic
# about the claimed relay chain, not a verified fact about the origin.
:0
* ^Received:.*(\(|\[)(([0-9][0-9][0-9][0-9]+|[03-9][0-9][0-9]|2[6-9][0-9]|25[6-9]|0[0-9])\.[0-9]+\.[0-9]+\.[0-9]+|[0-9]+\.([0-9][0-9][0-9][0-9]+|[03-9][0-9][0-9]|2[6-9][0-9]|25[6-9]|0[0-9])\.[0-9]+\.[0-9]+|[0-9]+\.[0-9]+\.([0-9][0-9][0-9][0-9]+|[03-9][0-9][0-9]|2[6-9][0-9]|25[6-9]|0[0-9])\.[0-9]+|[0-9]+\.[0-9]+\.[0-9]+\.([0-9][0-9][0-9][0-9]+|[03-9][0-9][0-9]|2[6-9][0-9]|25[6-9]|0[0-9]))(\)|\])
* !^Received:.*Internet Mail Service
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: ip forged 1"
LOG = "IP_FORGED1 "
}
#### More bogus IP addresses: a bracketed all-zero address.
:0
* ^Received: .*\[(0)+\.(0)+\.(0)+\.(0)+\].*
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: ip forged 2"
LOG = "IP_FORGED2 "
}
# Nuke Invalid IP and domains
# An octet >= 256 anywhere in a bracketed address. Note this test and
# "ip forged 4" below differ only by the ':' after Received, so a hit here is
# almost always tagged twice; likewise "ip forged 2" and "ip forged 5".
:0
* ^Received.*\[[0-9\.]*([03-9][0-9][0-9]|2[6-9][0-9]|25[6-9])
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: ip forged 3"
LOG = "IP_FORGED3 "
}
# Morons trying to forge IP addresses (near-duplicate of "ip forged 3").
:0
* ^Received:.*\[[0-9\.]*([03-9][0-9][0-9]|2[6-9][0-9]|25[6-9])
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: ip forged 4"
LOG = "IP_FORGED4 "
}
# More bogus IP addresses (near-duplicate of "ip forged 2").
:0
* ^Received:.*\[0+\.0+\.0+\.0+\]
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: ip forged 5"
LOG = "IP_FORGED5 "
}
# Null Message-ID: the header is present but its value is "<>".
:0
* ^Message-ID.*<>
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: null msgid"
LOG = "NULL_MSGID "
}
# Invalid Message-Id:s are likely SPAM, any non-RFC compliant ID gets nailed.
# Fires when no Message-Id header of the form "<local@domain>" exists, which
# also tags messages that carry no Message-Id at all. Header names are
# matched case-insensitively (no D flag), so Message-ID/Message-Id both count.
:0
* ! ^Message-Id:[ ]*<[^ <>@]+@[^ <>@]+>[ ]*$
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: invalid msgid 1"
LOG = "INVALID_MSGID1 "
}
# Mail needs to have exactly 1 valid Message-Id:
# Scoring: "2^0" with an empty pattern always matches and starts the score
# at 2; -1 if some Message-Id contains "<...@...>"; -1 if there is NOT a second
# Message-Id header after the first. A message with exactly one well-formed
# Message-Id therefore scores 0 and is left alone; anything else scores 1.
:0
* 2^0
* -1^0 ^Message-Id:.*[<]..*@..*[>]$
* -1^0 !^Message-Id:(.*$)+Message-Id:
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: invalid msgid 2"
LOG = "INVALID_MSGID2 "
}
# Known-bad addresses or domains in From/Cc/To. The unescaped '*' in
# "@*dailydirt" and "thecompanystore*@" mean "zero or more of the preceding
# character", so those two alternatives are looser than they look (any
# "dailydirt.com" and "thecompanystor" followed by '@' match).
:0
* ^(From|Cc|To).*(Undisclosed\.Recipients.*|friend@public\.com|HornySlaves@slave\.com|@*dailydirt\.com|guardian\.net@returns\.onelist\.com|vividvideo\.com|thecompanystore*@s2u2\.com|real-net\.net|hahaha@sexyfun\.net|olibur@yahoo\.com)
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: from cc or to blocked"
LOG = "FROM_CC_TO "
}
# Self-declared bulk mail via an X-Distribution: Mass or Bulk header.
:0
* ^X-Distribution: (Mass|Bulk)(\>|$)
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: x-distribution"
LOG = "X-DISTRIBUTION "
}
# required headers, if there isn't a From, To, Date, and Subject KILL IT
# (Despite the comment, these recipes only add an X-Note; nothing is dropped
# in this file. Mail sent with recipients in Bcc only has no To: header and
# will be tagged by the first recipe.)
:0
* !^(Apparently-)?To:
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: no to field"
LOG = "NO_TO_FIELD "
}
:0
* !^From:
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: no from field"
LOG = "NO_FROM_FIELD "
}
:0
* !^Date:
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: no date field"
LOG = "NO_DATE_FIELD "
}
:0
* !^Subject:
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: no subject field"
LOG = "NO_SUBJECT_FIELD "
}
# Cyberpromo and several other of the similar groups actually add this
# header, talk about making life easier
:0
* ^X-Advertisement.*
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: x-adv"
LOG = "X_ADV "
}
# bad charset:
# This is a blanket tag on every message declaring a Korean (euc-kr,
# ks_c_5601-1987) or Traditional Chinese (big5) charset, not a check on the
# content. It is a language/region filter, so expect it to hit legitimate
# mail from those locales; the X-Note text calling it "chinese" is inexact.
:0
* ^Content-Type:.*charset.+(euc-kr|big5|ks_c_5601-1987)
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: chinese charset"
LOG = "CHINESE_CHARSET "
}
# typical spam subject:
# NOTE(review): procmail's egrep ignores case unless the D flag is given, so
# the sex|Sex|SEX, adult|Adult|ADULT and MORTGAGE|mortgage|Mortgage groups are
# redundant, and bare substrings like "sex" and "adult" also hit words such
# as "Essex" or "adulthood". "=?ISO-2022-JP?" is unescaped, so its '?'
# characters act as optional quantifiers rather than literals, and the leading
# '*' in "*investment*" is likewise not a literal. Review before tightening.
:0
* ^Subject.*(Free Advertising|X-Rated Pictures|Live Nude Models|ADV:|ADVERT.*|=?ISO-2022-JP?.*|*investment*|Snowhite.and.the.Seven.Dwarfs|More.Month.Than.Money*|gasoline.prices|Mortgage.Rates|Financial.Freedom|China-diesel|Su.sitio.web|Congratulations.*|You.Have.Been.*|BILLIONS.OF.FREE.*|Hey!.I.just.got.my.FREE.*|Register.to.win.*|Amateur.teens*|Are.you.low.on.ink.or.paper*|MORTGAGE|mortgage|Mortgage|Come.chek.out.my.web.cam*|Easy,Quick.DVD.Copier*|Effective.marketing.for.you*|Free.Advertising*|Got.Debt*|Horny.Toons*|Hot.Craze*|How.about.doubling.your.money*|I'M.SO.HORNY*|Jennifer.Love*|Make.money.while*|Mature.Women.Naked*|My.mouth.is.wet.for.you*|No.more.10-10.programs*|lease.ead*|RE:.It's.Brydie*|TASTE.ME*|Tax.right.off*|The.Database.that.Bill*|Time.for.Big.V*|Weight.Loss*|much.for.inkjets*|FREE.Cell.Phones*|lose.weight*|exploited.teens*|Enhance.Your.Sex.Life*|term life insurance*|Bitches Are Hot|sex|Sex|SEX|adult|Adult|ADULT)
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: spam subject"
LOG = "SPAM_SUBJECT "
}
# Mega-CC harassment mail is a pain because of all the idiots who reply to it
# Tag To: or Cc: headers carrying twelve or more '@' signs (each '@' marks a
# distinct address), i.e. messages sent to a dozen or more visible recipients.
:0
* ^(To|Cc):.*@.*@.*@.*@.*@.*@.*@.*@.*@.*@.*@.*@
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: mega cc"
LOG = "MEGA_CC "
}
# Coming from a "from mailer" (bounces, autoreplies, delivery reports):
# first by subject keywords, then by procmail's built-in FROM_MAILER pattern
# (which matches the common mailer-daemon / postmaster style senders), then
# by mail addressed to a "postmaster-<something>" address.
:0
* ^Subject.*(Autoreply.*|ndn:.*|RCPT.*|Delivery.Confirmation.*|NON-DELIVERY.of:.*|Undeliverable.Message.*|Receipt.Confirmation.*|Failed.mail.*|Returned.mail.*|unable.to.deliver.mail.*|deliver.*return|Return.*mail|User unknown|Undeliverable mail|away.from.my.mail.*)
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: from mailer 1"
LOG = "FROM_MAILER1 "
}
:0
* ^FROM_MAILER
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: from mailer 2"
LOG = "FROM_MAILER2 "
}
:0
* ^To:.*postmaster-.+@.*
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: to postmaster"
LOG = "TO_POSTMASTER "
}
# Check for Received fields after Date, Subject or Reply-To fields. It's most
# likely a forgery if there are any Received fields there.
# "(.*$)+" spans any number of complete header lines, so this matches a
# Received: line appearing anywhere below the first Date/Subject/Reply-To.
:0
* ^(Date|Subject|Reply-To):(.*$)+Received:
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: incorrect fields order"
LOG = "INCORRECT_FIELDS_ORDER "
}
# Looking for HELO greetings longer than 1024 characters. These resulted in a
# buffer overflow in sendmail 8.8, causing all the preceding Received
# fields to be deleted - and figuring out the origin of a relay impossible.
# Only one line break, at end of dotted line.
# NOTE(review): in this archived copy the dotted condition was wrapped by a
# mail gateway (the stray '!' before the break); rejoin it onto one line and
# drop the '!' before using this recipe, or procmail will not parse it.
:0
* ^Received:.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................!
......................
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: bogus helo"
LOG = "BOGUS_HELO "
}
# The X-UIDL field is added by the mail-handler after procmail has processed the
# message. If it is there right now when procmail is processing the message, it
# may be a forgery. The filter should not match X-UIDL's that have 'maildrop'
# somewhere in the value. Those are from one of my POP's where i have read the
# mail before using a shell account.
# Edward J. Sabol <sabol@...>: E-mails with
# X-UIDL: headers are almost definitely spam unless they've been
# Resent-To: me by someone. Also, valid X-UIDL: headers have 32
# hexadecimal digits exactly.
# The third condition spells out the 32 hex digits (4 x 7 + 4) across
# backslash-continued lines; a message is tagged only if it has an X-UIDL
# that is neither a 'maildrop' one nor exactly 32 hex digits, and has no
# Resent-To: header.
:0
* ^X-UIDL:
* !^X-UIDL: .*maildrop
* !^X-UIDL:[ ]*[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]\
[0-9a-f][0-9a-f][0-9a-f][0-9a-f][ ]*$
* !^Resent-To:
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: invalid x-uidl"
LOG = "INVALID_X-UIDL "
}
# Only older versions of Pegasus Mail used the field 'Comments: Authenticated
# sender'. If it is there and the message is not sent with Pegasus it's most
# likely a forgery.
# Both headers are sender-controlled, so this only catches forgers who copy
# the Comments line without also forging a Pegasus X-Mailer.
:0
* ^Comments: Authenticated Sender is
* ! ^X-Mailer: .*Pegasus Mail
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: authenticated sender forged"
LOG = "AUTHENTICATED_SENDER_FORGED "
}
# Check for empty Return-Path's.
# "<>" is the null envelope sender, which legitimate bounces and delivery
# status notifications also use, so this tags those as well as spam.
:0
* ^Return-Path: <>
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: empty return path"
LOG = "EMPTY_RETURN_PATH "
}
# all caps headers are used only by spammers and HP's OpenMail.
# so says i forgot who (can somebody help?)
#
# D: Tell the internal egrep to distinguish between upper and lower case
# (contrary to the default which is to ignore case). Without D the second
# condition would match every normal From:/To:/Date:/Subject: header.
:0D
* ! ^X-OpenMail
* ^(FROM|TO|DATE|SUBJECT)
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: all caps header"
LOG = "ALL_CAPS_HEADER "
}
# Tag numeric-only addresses (no-one I know of uses only numbers, even
# Compuserve adds a period). Matches a From: whose local part, directly after
# optional spaces, is all digits.
:0
* ^From:[ ]*[0-9]+@.*(\>|$)
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: numeric only address"
LOG = "NUMERIC_ONLY_ADDRESS "
}
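# scan body for spam
# B: match against the body. The alternatives are fixed phrases, so the
# sender controls only what is searched, never the pattern. In the archived
# copy a mail gateway had wrapped this condition mid-word ("lette!" / "r
# because"), which broke the recipe; the line is rejoined here.
# NOTE(review): the body is matched as transmitted, so phrases inside
# base64- or quoted-printable-encoded parts will not be seen — confirm that is
# acceptable for the lists this front-ends.
:0B
*(PLEASE READ COMPLETELY!|Secretly.Attract.Women|Yes we do purchase uncollected Judicial Judgements!|We offer some of the best bulk e-mail prices on the Internet|forgive me if I made an error; I'm a two-fingered typist|http://www.RegisterNewExtensions.net|http://www.centralremovalservice.com|bulkemailsite.com|I can put you in touch with over 200 million people at virtually no cost.|Dear Friends & Future Millionaire|Over 75,000 nude celeb photos inside of the hottest teen superstars.|I send you this file in order to have your advice|Te mando este archivo para que me des tu punto de vista|This is the file with the information that you ask for|btamail.net.cn|illion fresh email addresses|largest financial market|to be removed from future mailings|como-vender.com|decreto S.1618 titulo 3ro|investment4u.com|To be removed from t|cannot be considered spam|be taken off our mailing list|his message is not Spam|Free Investment|TO BE REMOVED FROM THIS MAILING|You are receiving this letter because you have|This message is sent in compliance of|This message is being sent to you in compliance with|small investment|Si usted no desea recibir más correos|Lose Weight|To remove yourself from|ONE TIME MAILING|NO NEED TO REMOVE|Amhsa Hotels|Stock Market|be taken off the list|result of your feedback form)
{
nl
nl = ${notice+"$NL"}
notice = "$notice${nl}X-Note: body spam"
LOG = "SPAM_BODY "
}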
# Now check if 'notice' is something and if so, make formail add the headers.
# f: filter (formail's output replaces the message), h: only the header is
# passed through formail, w: wait for it and keep the original if it fails.
# "! notice ?? ^^^^" is true when 'notice' is non-empty.
# Every X-Note value accumulated above is a fixed literal, never text copied
# from the message, so a sender cannot use this step to inject headers.
# NOTE(review): 'notice' may hold several newline-separated X-Note lines and
# is passed as a single -A argument; confirm formail emits them as separate
# header lines rather than one folded field.
:0fhw
* ! notice ?? ^^^^
| formail ${notice+-A"$notice"}
# pass the mail to mailman
# Nothing above drops mail; every recipe only annotates. This final recipe has
# no 'w' flag, so the wrapper's exit status is ignored and the message counts
# as delivered even if the post fails. If that is not acceptable, ':0w' would
# make procmail check the status and fall through to default delivery instead.
:0
|/var/mailman/mail/wrapper post ${MAILMAN}