A take-no-prisoners spamkilling .procmailrc
A Hands-on How-to (SM) from Brass Cannon Consulting
A little vague handwaving can often save hours of tedious explanation.
#
# This contains many user serviceable parts; you must service them!
#
PATH=/bin:/usr/bin
MAILDIR=$HOME/Mail #you'd better make sure it exists
DEFAULT=$MAILDIR/inbox #check this
LOGFILE=$HOME/pm.log #review this frequently!
VERBOSE = off
FGREP=/bin/fgrep
FROM=`formail -x From:`
REC=`formail -x Received:`
TMP=/var/tmp
#### Things to never, ever deliver....
# Microsoft worms:
:0
* ^(X-Spanska|From.*hahaha)
{
LOG="Sexyfun virus "
:0
/dev/null
}
# MIME encoded, unzipped Windows executable > 100KB - SirCam worm
:0 B
* > 100000
* mDmcOaA5pDmoOaw5sDnAOeA56DnsOfA59Dn4Ofw5ADoEOgg6HDo8WOkQ6SD
{
LOG="SirCam2 "
:0
/dev/null
}
# Attachment with an unzipped Win32 executable - KLEZ
:0
* Content-Type:.*multipart/alternative
* BD ?? AAAMFAAA9AgAAPYlAAAKAgAATVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAKgBAAC6EAAO
{
LOG="KLEZ "
:0
/dev/null
}
:0 HB
* > 54000
* ^Content-Type: audio/x-(wav|midi);
{
LOG="Klez "
:0
/dev/null
}
# This is usually "Another stupid worm" (note spaces) but it can give
# false alarms, so send it to quarantine rather than deleting it:
:0
* !^Subject: Re:[ ][ ]
* ^Subject: [^ ]+[ ][ ][^ ]+[ ][^ ]+[ ][^ ]
{
LOG="A Klez "
:0
$HOME/quarantine
}
:0 HB
* > 90000
* ^Content-(Type|Disposition): .* name=".*\.(pif|exe|com|bat|lnk)"
{
LOG="SirCamX "
:0
/dev/null
}
# Okay, that covers executable nasties (I've added a few more of
# these tests below - 12/12/2002). On to regular mail problems.
# You may want to uncomment this one... or not.
#:0
#* ^Subject:.*Out of Office AutoReply
# /dev/null
# Mailgod spammers; fairly rare now.
:0
* ^Received:....................\
.......................................................................\
.......................................................................\
.......................................................................\
.......................................................................\
.......................................................................\
.......................................................................\
.......................................................................\
.......................................................................\
.......................................................................\
.......................................................................\
.......................................................................\
.......................................................................\
.......................................................................\
.......................................................................
{
LOG="Mgod "
:0
/dev/null
}
# Unless you read Chinese, Japanese, or Korean:
:0
* [Bb][Ii][Gg]5
{
LOG = "Big5 "
:0
/dev/null
}
#### Before we get carried away, handle items that we want to see
#### even if they come from places that would otherwise be dropped.
# Things to always deliver -- e.g. lists....
# CUSTOMIZE THIS TO DELIVER MAIL FROM LISTS TO WHICH YOU SUBSCRIBE
# List-Id is good, if your list uses it. (The comment lives up here because
# procmail does not allow a trailing comment on a condition line; anything
# after the pattern, "#" included, becomes part of the regexp.)
:0
* ^List-Id:.*securityfocus\.com
${DEFAULT}
:0
* ^(From|Received|To).*(list.somemailinglist\.org)
${DEFAULT}
## Bounces... please make up your own X-loop string:
:0
* ^X-Loop: my-xloop-string
${DEFAULT}
## Spammer kills... :-)
:0
* ^(To|From|Received).*abuse@
${DEFAULT}
## Special subjects... you can tell people to use the magic word
# in the Subject instead of "remove S P A M" from your address. It's
# easier for them, AND you don't run the risk of bouncing your mail or
# having it misdelivered to innocent bystanders. Making up fake domains
# is also a very bad idea, by the way.
:0
* ^Subject:.*Brahms
{
LOG="Brahms "
:0
${DEFAULT}
}
#### Whitelist
## Important because it's the easiest way to exempt someone
## from the unconditional kills that come later (e.g. APNIC)
:0E
* ? (echo "$FROM" | $FGREP -i -f $HOME/ok)
{
LOG="OK "
:0
${DEFAULT}
}
#### Okay, our friends are safe; now we can play cat and mouse with
#### whatever is left over.
## The single most powerful test: If it's not addressed to me, dump it!
# (One problem: it also catches Bcc's I send to myself, hence, the
# X-From exception.) Note also that we MUST handle any and all mailing
# list subscriptions before applying this test.
#
# Why "X-From"? Spammers will try to forge your name on the From line,
# on the assumption that you will accept mail "from" yourself... so I
# don't. "X-headers" are non-standard and free-form; they can be
# anything you like. "X-From" is a non-standard header I insert in
# all my outgoing mail using Mutt's "myheader" feature. You could
# generate an "X-Wombat" or even an "X-Vegetable" header instead; the
# idea is that it is something that is unique to YOUR outgoing email.
:0
* !^To:.*myaccount@myisp\.com
* !^Cc:.*myaccount@myisp\.com
* !^X-From: myaccount
{
LOG = "!me "
:0
$HOME/spam
}
# Once you have whitelisted the mailing lists to which you subscribe,
# the "Not me" test is extremely powerful. But first you MUST handle
# mail that is legitimately sent to a list, even though the "To:" line
# says "undisclosed recipients" or "Name of Legitimate Mailing List".
# And if you sign up for a new list, you'll need to accept the first
# mailing so you know how to add them to your whitelist! So we send
# this recipe to a spam folder rather than to /dev/null.
####
####
# It is reliably reported that this single test may kill half your
# spam in one shot:
:0
* !^Message-Id
{
LOG = "No ID "
:0
/dev/null
}
# And this one is pretty effective, too:
:0
* !^To:
{
LOG = "No To: "
:0
/dev/null
}
####
####
# It is with some sadness that I consign Taiwan, Argentina, and France
# to Hell, or at least Purgatory, until they rejoin the civilized world:
:0
* ^(From|Received).*\.(com|net)\.(tw|ar|fr)
{
LOG = "TW/AR/FR "
:0
/dev/null
}
# Likewise Japan, China, Korea, Indonesia, Australia, and New Zealand:
:0
* ^Received:.*\[(61\.|133\.|20[23]\.|21[012]\.|166\.104)
{
LOG="APNIC "
:0
/dev/null
}
# Latin America. I speak Spanish and Portuguese; I love the music
# and the people of Brazil. But until they get their spam problem
# under control they will just have to talk to each other.
:0
* ^Received:.*\[200\.
{
LOG="LACNIC "
:0
/dev/null
}
####
####
# I'm sure we all have one friend who just can't understand that we
# really don't WANT his insipid joke of the day. Well, here's mine.
# Accept his mail, which would be blocked by the next test:
:0
* ^(To|From).*mybestfriend@isanidiot.com
${DEFAULT}
# Mega-CC harassment mail is a pain because of all the idiots who
# reply to it -- this fixes both problems, unless you belong to
# a very badly run mailing list:
:0
* ^(To|Cc):.*@.*@.*@.*@.*@.*@.*@.*@.*@.*@.*@.*@
{
LOG="CC "
:0
/dev/null
}
####
####
# Heard any good Bill Gates jokes lately? The kind that start
# "Bill Gates died and went to Hell"? Here's another reason
# I collect those -- GROUPSHIELD is a piece of junk:
:0
* ^Subject:.*(Group[Ss]hield|System.Attendant)
{
LOG="GSSA "
:0
/dev/null
}
#### Now it gets trickier!
## - Explicit blacklists: "twits" for addresses, "spamhaus" for sites
# "twits" has one address per line, and NO BLANK LINES:
:0E
* ? (echo "$FROM" | $FGREP -i -f $HOME/twits)
{
LOG="TWIT "
:0
/dev/null
}
:0E
* ? (echo "$REC" | $FGREP -i -f $HOME/spamhaus)
{
LOG="Site "
:0
/dev/null
}
# - Exception processing: always deliver mail from my "secret"
# mail account, which I never use for public posting (and if
# a spammer ever does find it, he will regret using it)
:0
* ^(To|Cc|X-From):.*myaccount@example\.com
{
LOG = "Me "
:0
${DEFAULT}
}
## - General spam recipes....
## Some recipes from other antispam sites that look worthwhile
# Spammer's embedded space trick -- you know the ones:
# Subject: Hot chix! 12345
# (H flag only: this recipe delivers to a folder, so procmail would just
# log "Extraneous filter-flag ignored" for an f flag here)
:0 H
* ^Subject: .*[^ ].* .*
{
LOG="Spaces "
:0
$HOME/spam
}
# You'd think I'd consign Hotmail to Sheol along with Argentina, right?
# But most of the "Hotmail" spammers aren't using Hotmail at all --
# they're only PRETENDING to. (Lying, in other words.) That makes
# me mad enough to add some "Truth about Hotmail, Yahoo, and Netscape"
# tests (in the update section below).
#### Morons trying to forge IP addresses (except for morons using IMS,
# a Microsoft product which breaks an otherwise valid spam-signature
# test).
:0
* ^Received:.*(\(|\[)(([0-9][0-9][0-9][0-9]+|[03-9][0-9][0-9]|2[6-9][0-9]|25[6-9]|0[0-9])\.[0-9]+\.[0-9]+\.[0-9]+|\
[0-9]+\.([0-9][0-9][0-9][0-9]+|[03-9][0-9][0-9]|2[6-9][0-9]|25[6-9]|0[0-9])\.[0-9]+\.[0-9]+|\
[0-9]+\.[0-9]+\.([0-9][0-9][0-9][0-9]+|[03-9][0-9][0-9]|2[6-9][0-9]|25[6-9]|0[0-9])\.[0-9]+|\
[0-9]+\.[0-9]+\.[0-9]+\.([0-9][0-9][0-9][0-9]+|[03-9][0-9][0-9]|2[6-9][0-9]|25[6-9]|0[0-9]))(\)|\])
* !^Received:.*Internet Mail Service
{
LOG="ip "
:0
$HOME/spam
}
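The four alternatives in that "ip" recipe are one rule applied to each octet in turn. As an added example (Python, not code from the page), here is that rule written out once and run over a few constructed Received: lines, including the Internet Mail Service exception from the second condition. The hostnames and addresses are made up (example.invalid, TEST-NET ranges), and the header lines are assumed to be unfolded.

```python
import re

# Added example, not part of the original .procmailrc: the octet rule behind
# the "ip" recipe, spelled out so it can be tested on sample headers.
# An octet is bogus when it has four or more digits, is 256..999 (the recipe
# splits that into 300-999, 260-299 and 256-259), or is a two- or three-digit
# number with a leading zero.
BOGUS_OCTET = re.compile(r"[0-9]{4,}|[03-9][0-9]{2}|2[6-9][0-9]|25[6-9]|0[0-9]")

# A dotted quad inside "[...]" or "(...)", as the recipe's (\(|\[) ... (\)|\]) requires.
BRACKETED_QUAD = re.compile(r"[\[(]([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)[\])]")


def octet_is_bogus(octet):
    """True if the recipe's regexp would flag this octet."""
    return BOGUS_OCTET.fullmatch(octet) is not None


def bogus_ips(received):
    """Bracketed addresses in one Received: line that have at least one bogus octet."""
    return [quad for quad in BRACKETED_QUAD.findall(received)
            if any(octet_is_bogus(o) for o in quad.split("."))]


def recipe_fires(headers):
    """Mirror the recipe's two conditions on a list of (unfolded) header lines:
    some Received: line carries a bogus address, and no Received: line mentions
    Internet Mail Service (the exception the page makes for IMS).  procmail
    matches case-insensitively, so the exception is checked that way too."""
    received = [h for h in headers if h.lower().startswith("received:")]
    if any("internet mail service" in h.lower() for h in received):
        return False
    return any(bogus_ips(h) for h in received)


# Constructed header sets (example.invalid hosts, TEST-NET and private addresses).
GOOD_HEADERS = [
    "Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])",
    "Received: from [198.51.100.25] by mail.example.invalid",
    "From: someone@example.invalid",
]
BAD_HEADERS = [
    "Received: from relay.example.invalid ([300.12.45.6]) by mx.example.invalid",
    "From: promo@example.invalid",
]
IMS_HEADERS = [
    "Received: from pc.example.invalid ([10.0.999.1]) by mx.example.invalid "
    "with Internet Mail Service",
]

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS), ("ims", IMS_HEADERS)):
        print(name, recipe_fires(hdrs), [bogus_ips(h) for h in hdrs])
```

Note what the rule does and does not cover: 255 and 10 pass, 256, 300, 010 and 1234 are flagged, and a bare 0 is not flagged at all, since none of the alternatives matches a single digit.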
#### More bogus IP addresses
:0
* ^Received: .*\[(0)+\.(0)+\.(0)+\.(0)+\].*
{
LOG="ip0 "
:0
$HOME/spam
}
## Invalid message-id format - another thing Microsoft gets wrong, wrong,
# wrong, but I don't CARE any more -- I won't exempt them this time:
:0
* !^Message-Id:[ ]*<[^ @]+@[^ @]+>
{
LOG="id "
:0
$HOME/spam
}
#### Munged-URL spam -- only pornospammers use this trick:
:0 B
* http://[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]
{
LOG="10digit "
:0
$HOME/spam
}
#### England.com, may it sink into the ocean soon
# (500^1, not 500^0: a ^0 condition adds its weight only once, so against
# the -500 base the total could never rise above zero and the recipe could
# never fire. With ^1 every occurrence adds 500 and two hits clear the base,
# the same idiom as the scored recipes further down.)
:0 B
* -500^0
* 500^1 (england|india|japan|china|france|belgium|arabia)\.com
{
LOG = "england.com "
:0
$HOME/spam
}
#### Waterloo to you too, wanadoo; Je n'parle pas d'francais.
:0
* ^(From|Received).*wanadoo\.fr
{
LOG="w.fr "
:0
$HOME/spam
}
# Added this block of tests 12/12/2002
# Kill off some more Microsoft viruses/worms:
# The whitespace in the construct "[ +]" is a single tab character:
:0
* ^Content-[-a-z0-9_]+:.*=[ +]*"?[^"]*\.(vb[se]|ws[fhe]|hta|shs|exe|bat|pif|dll|scr|com|xls|doc)
{
LOG="MS "
# fhw: filter the header through formail and keep the result; without the
# f flag the pipe counts as final delivery and the message is gone
:0 fhw
| formail -A "X-Warning: MS."
}
:0
* ^Content-Type:.*multipart
* B ?? ^Content-[-a-z0-9_]+:.*($[ ].*)*=[ ]*($[ +]+)*"?[^"]*\.(vb[se]|ws[fhe]|hta|shs|exe|bat|pif|dll|scr|com|xls|doc)
{
LOG="MP "
# fhw: filter the header through formail rather than treating the pipe as delivery
:0 fhw
| formail -A "X-Warning: MS."
}
# "Viral marketing" took a new turn in November with a click-through
# user license agreement that authorizes these guys to spam your friends:
:0
* ^Subject: .*you have an E-Card from
{
LOG="FG "
:0
/dev/null
}
# These recipes are from a Slashdot poster and work extremely well,
# UNLESS you have a friend who puts a Yahoo "reply-to" address on
# mail sent from another server. It will say that your friend is lying,
# which is, technically, correct... but you should whitelist your
# friends to avoid that, anyway.
:0 f
* ^Content-type: text/html
* !html; charset=
* !from hotmail
| formail -A "X-Spammers: text/html only message"
# hotmail-specific
:0
* ^(From|Return-Path):.+@hotmail\.com
{
:0
* ^From: ".+" <[a-z0-9_.-]+@hotmail\.com>
* ^X-OriginalArrivalTime:
* ^X-Originating-IP: \[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+]
* ^Received: from hotmail.com \(\/...
* $ ^Message-ID: <${MATCH}.+@hotmail\.com>
{ }
:0 Efhw
| formail -A "X-Spammers: fake hotmail"
}
# yahoo-specific
#:0
#* ^(From|Return-Path):.+@yahoo\.[a-z]+
#{
# :0
# * ^Message-ID: <([0-9.]+\.qmail|[0-9]+\.[0-9A-Z]+)@\/[a-z0-9-]+\. yahoo\.[a-z.]+
# * $ ^Received: from .+by $MATCH
# { }
# :0 Efhw
# | formail -A "X-Spammers: fake yahoo"
#}
# netscape-specific
:0
* ^(From|Return-Path):.+@netscape\.
{
:0
* ^X-Mailer: Atlas
* ^Received: from +netscape.*MAILIN
* ^Return-Path: <\/[a-z0-9_.-]+@netscape\.[a-z.]+
* $ ^From:.*$MATCH
* $ ^Received: from $MATCH.*by [a-z0-9.-]+\.aol\.com
* ^Message-ID: <[a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+@netscape\.[a-z.]+
{ }
:0 Efhw
| formail -A "X-Spammers: fake netscape"
}
# If any of the above recipes caught something, dispose of it here:
:0
* ^X-Spammers:
{
LOG = "slashproc "
:0
/dev/null
}
:0 B
* charset=(KS_C_5601-1987|ISO-2022-KR)
{
LOG = "Charset "
:0
/dev/null
}
# I can't figure out how to represent this in HTML, but it does
# catch a good bit of Korean spam. Try a Google groups search
# for the magic characters. They are literally "ADV" in Korean.
:0
* [four 8-bit characters]
{
LOG = "KADV "
:0
/dev/null
}
# end of new tests 12/12/2002
#### Artificial intelligence vs natural stupidity...
# see pmail102.html for information on this numeric scoring approach
:0 BH
* -500^0
* -50^0 ^Subject: Re:
* -20^1 ^[:;#>]
* 300^1 mp3.com
* 500^1 \<script\>
* 500^1 \</script\>
* 500^1 This is not spam
* 500^1 is a one-time mailing
* 500^1 Click Here\</a\>
* 500^1 Click on the link
{
LOG="script "
:0
$HOME/spam
}
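To make the "w^x" arithmetic concrete, here is an added example in Python (not code from the page or from pmail102.html) that models procmail's scoring as procmailsc(5) describes it and runs the "script" recipe above over two constructed messages. procmail regexps are case-insensitive and "^" anchors at any line of the search area, so the Python patterns use IGNORECASE and MULTILINE; procmail's "\<" and "\>" each consume one non-word character or newline, which is approximated here with Python's "\W". The same score() function works for the Stock, Smut, MMF and 419 recipes that follow; only the condition table changes.

```python
import re

# Added example, not part of the original .procmailrc: a small model of the
# "w^x" scoring procmail applies to scored recipes, per procmailsc(5):
# the n-th match of a condition adds w * x**(n-1), so x == 1 adds w per
# match, x == 0 adds w at most once (or unconditionally when the condition
# has no regexp), and the recipe fires only if the final total is > 0.
FLAGS = re.IGNORECASE | re.MULTILINE   # procmail's default matching mode

# The page's "script" recipe as (weight, exponent, regexp) triples.
# procmail's \< and \> (one non-word char or newline) are written as \W here.
SCRIPT_RECIPE = [
    (-500, 0, None),                   # base score: two 500-point hits needed
    (-50, 0, r"^Subject: Re:"),        # replies are a little less suspicious
    (-20, 1, r"^[:;#>]"),              # every quoted line lowers the score
    (300, 1, r"mp3.com"),
    (500, 1, r"\Wscript\W"),           # \<script\>
    (500, 1, r"\W/script\W"),          # \</script\>
    (500, 1, r"This is not spam"),
    (500, 1, r"is a one-time mailing"),
    (500, 1, r"Click Here\W/a\W"),     # Click Here\</a\>
    (500, 1, r"Click on the link"),
]


def condition_score(weight, exponent, regexp, text):
    """Score contributed by one 'w^x regexp' condition on the given text."""
    if regexp is None:                 # unconditional, e.g. "* -500^0"
        return weight
    n = len(re.findall(regexp, text, FLAGS))
    if n == 0:
        return 0
    if exponent == 0:                  # "w^0": counts once, however often it matches
        return weight
    return sum(weight * exponent ** k for k in range(n))


def score(recipe, message):
    """Total score of a recipe (list of conditions) over a message."""
    return sum(condition_score(w, x, rx, message) for w, x, rx in recipe)


def matches(recipe, message):
    """procmail treats a scored recipe as matched only if the score is positive."""
    return score(recipe, message) > 0


def breakdown(recipe, message):
    """Non-zero per-condition contributions, handy when tuning weights from the log."""
    rows = [(rx, condition_score(w, x, rx, message)) for w, x, rx in recipe]
    return [(rx, pts) for rx, pts in rows if pts != 0]


# Constructed sample messages (header, blank line, body); searched as :0 BH does.
SPAM = """From: promo@example.invalid
Subject: Special offer

<html><script>alert(1)</script>
This is not spam. Click on the link below.
<a href="http://example.invalid/">Click Here</a>
"""

LEGIT = """From: colleague@example.invalid
Subject: Re: template review

> Did you see the <script> tag in the template?
Yes, I'll look at it tomorrow.
"""

if __name__ == "__main__":
    for name, msg in (("spam", SPAM), ("legit", LEGIT)):
        print(name, score(SCRIPT_RECIPE, msg), matches(SCRIPT_RECIPE, msg))
        for rx, pts in breakdown(SCRIPT_RECIPE, msg):
            print("   ", pts, rx)
```

Run it and the constructed spam scores 2500 while the reply scores -70. Two things are worth noticing: \<script\> is not the literal tag but "script" between two non-word characters, so it matches both <script> and </script> (and the bare word in a Subject line), and a single 500-point hit nets exactly zero against the -500 base, which is why these recipes need two hits before they fire.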
:0 BH
* -500^0
* -50^0 ^Subject: Re:
* -20^1 ^[:;#>]
* 300^1.5 Investor.Alert
* 300^1 forward\-looking
* 300^2 prospectus
* 100^2 invest
* 100^2 stock
* 100^2 securities
* 100^1 partner
* 100^2 broker
* 100^2 commission
{
LOG="Stock "
:0
$HOME/spam
}
#### Extractor / Platinum cooties:
:0 B
* ^This.(M|m)essage.(is|was).(never.sent|composed|created|brought|being.sent.to.you)
{
LOG="Ex/Pt "
:0
$HOME/spam
}
:0 BH
* (N|n)ightfusion
{
LOG="NF "
:0
$HOME/spam
}
#### Smut
:0 BH
* !^-----BEGIN PGP SIGNED MESSAGE-----
* -100^0
* -50^0 ^Subject: Re:
* -20^1 ^[:;#>]
* -20^1 UCE
* 50^1 skirt
* 50^1.5 panties
* 95^1 cum
* 95^1 nude
* 90^1 shaved
* 90^1 orgasm
* 90^1 sex
* 90^1.5 pussy
* 50^1 wet
* 50^2 teen
* 50^3 XXX( |-)
* 150^2 hot.pics
{
LOG="smut "
:0
$HOME/spam
}
# S. 1618 never passed; even if it had, it didn't say what the spammers
# claim it did; AND they are STILL in violation of what they SAY it said!
:0 B
* S.+1618
{
LOG="1618 "
:0
$HOME/spam
}
# Remember -- I'm assuming you saw the prior page (pmail102.html) where
# we explain how each of these recipes was constructed.
#### Generic MMF
:0 BH
* !^-----BEGIN PGP SIGNED MESSAGE-----
* -500^0
* -50^0 ^Subject: Re:
* -20^1 ^[:;#>]
* 400^1 Johnathon\ Rourke
* 200^1.5 investor
* 100^1 proposed.federal.legislation
* 100^1 in.compliance.(with|of)
* 200^1 ^Subject: .*(BUY.RECOMMEND|Diamonds.in.the.Rough|\
Financial.Change|Check.*Out!|\
Financial.Freedom|STOCK|DYNAMIC|\
Good.News|Money.Spinner|\
Home.*Based.*Business|\
Make.*Money.*Fast|This.really.works|\
Try.+this|This.+one.+works|\
Wealth Generator|read.+this.+twice|\
\$\$)
* 200^3 BUT.IT.REALLY.WORKS!
* 200^1 remove@noic.org
* 150^2 Web Marketing Network
* 200^1 http:\/\/www\.etrade\.com
* 200^2 Be.your.own.boss!
* 200^1 This\ is\ the\ letter\ you've\ been\ reading\ about
* 100^1 \"AS\ SEEN\ ON\ NATIONAL\ T\.V\.\"
* 200^1 investment.opportunity
* 100^1 www\.replyman\.com
* 200^1 never\ sent\ unsolicited
* 50^2 \$\$
* 50^2 \!\!\!
* 200^1 reply.*with.*REMOVE
* 50^2 stock.market
* 30^1 Make.*Money.*Fast
* 30^1 get.*rich.*quick
* 5^2 cash
* 50^1 cfn-net\.com
* 90^1 downline
* 5^2 \f\r\e\e
* 50^2 \F\R\E\E
* 20^2 (business|work).*home
* 5^2 income
* 100^1 jcware\.com
* 5^2 market
* 5^2 money
* 200^1 MLM
* 250^1 read.this.twice
* 80^2 this.is.a.legal
* 60^2 multi-?level
* 60^1 no.obligation
* 20^1 one-?time
* 10^2 opportunity
* 20^1 pre-approv(e|al)
* 100^1 \$71,000
* 100^1 boy's.mother
* 50^1 closet
* 100^1 lottery
* 100^2 dollars
* 100^2 five
* 50^3 P.O.+Box
* 100^3 Suite
* 100^3 get(|ting) paid to surf the web!
* 100^1 http:\/\/users\.multipro\.com
* 150^1 http:\/\/www\.gotoworld\.com
* 50^1 friends.*tell
* 50^1 tell.*friends
* 100^1 getpaid\/default.asp?rid=
* 400^1 bulk.email.software
* 400^1 \M\A\S\S.E-MAILING\$
* 500^1 C.A.B.L.E
* 150^1 Cybernet.Enterprise
* 100^1 Message.composed.with
* 100^1 Message.created.with
* 100^1 MassMailX
* 100^1 Extractor
* 100^1 TCPS
* 80^1 Dear.Friend
* 400^1 Section.301
* 400^1 1618
* 50^2 profit
* 5^2 quality
* 5^2 report
* 5^3 rich(es|er)
* 50^3 read.it.again
* 20^3 sponsor
* 80^1 HOTTEST.PROGRAM
* 80^3 free.report
* 100^3 This.*is.NOT.SPAM
* 70^2 multi.level.marketing
* 50^2 million-?dollar
* 50^2 to.be.removed.from.our.mailing.list
* 50^2 please.call.toll\-free
* 10^2 mailto:
* 250^2 1.800.
* 250^2 1.888.
* 250^2 1.877.
* 100^1 qualityservice\.com
* 50^1 to.be.deleted
* 50^1 1\-888\-
* 50^2 \$5
* 50^2 \$6
* 80^2 \$50\,000
* 10^2 targeted
* 80^1 tradeventures\.com
* 2^3 \!
* 60^1 upline
* 60^2 loan
* 60^3 cash
* 60^2 IRS
* 10^3 wealth
{
LOG="mmf "
:0
$HOME/spam
}
# Show me where I "opted in," or leave me alone. It's not my job to
# unsubscribe from a liar's list.
:0
* ^From.*(OWNER|owner)-(NOLIST|nolist)-.*\*.*\*\*.*\*-.*@.*\..*\.
{
LOG="DM360 "
:0
/dev/null
}
# Abusers of open websites with "formmail.pl"
:0 B
* 1^0 .*the result of your feedback form\. *It was submitted by
* 1^0 ^Folgendes wurde am
* 1^0 ^Folgende Mitteilung wurde gesendet von
* 1^0 ^Folgende Formulardaten wurden
* 1^0 ^Abaixo segue conteudo do formulario enviado por
* 1^0 ^Sono stati ricevuti i seguenti dati. Sono stati inviati da
* 1^0 ^Oto zamowienie zlozone przez formularz WWW
* 1^0 ^Wys.ano przy pomocy formularza przez:
{
LOG = "Formmail "
:0
/dev/null
}
# Sing along, you all know the words...
#
# "I am DR. KWAZY MBUTU, the widow and only son of the Minister of
# Mumbo Jumbo... I am looking for a perfect stranger to give him
# seventeen percent of the THIRTY FIVE MILLION US DOLLARS stuffed
# under my mattress. It is very lumpy. This is proof that I
# really have this money since only someone who has tried to sleep
# on THIRTY FIVE MILLION US DOLLARS would know this."
:0 B
* -500^0
* 499^2 [DM][R]\.[ ][A-Z]*
* 499^0 (LAGOS|NIGERIA|AFRICA)
* 150^2 [Pp][Rr][Oo][Pp][Oo][Ss][Aa][Ll]
* 150^2 [M]illion [D]ollars
* 200^2 [U]nited [S]tates
* 100^2 strictly\ private
* 200^2 unclaimed
* 200^2 offshore
* 100^2 funds
* 200^2 [P]rince
* 200^2 Minist(er|ry)
* 200^2 confidential
* 100^2 confidence
* 100^2 trustworthy
* 50^2 personal
* 50^2 recommend
* 50^2 invoiced
{
LOG = "419 "
:0
/dev/null
}
# "419" is the section of the Nigerian penal code that covers these
# scammers. I'd prefer to see them use "Rule .303" from the movie
# Breaker Morant, myself.
#### HTML? No thanks! Javascript, html, img links -- kill'em all.
# They're probably spammer web-bugs that log the fact you opened them.
:0
* ^Content-Type: multipart/related
{
LOG="crap "
:0
$HOME/crap
}
:0 B
* \<x-html
{
LOG="xhtml "
:0
$HOME/spam
}
:0 B
* \<a href
{
LOG="link "
:0
$HOME/spam
}
:0 B
* \<img
{
LOG="img "
:0
$HOME/spam
}
### Whew! If it made it all the way through this,
### odds are it's not the usual boring spam.
# Here's a bonus feature, not related to spam.
# This is a handy way to handle the dilemma of a mailing list
# that does not handle Reply-to the way you'd like. Let's say
# you want your default to always be "reply to the list."
# This works well with Mutt's intelligent Reply-to logic.
# You'll be prompted to "Reply to group?" and if you say "No,"
# Mutt will plug in the original sender's address.
:0
* ^X-Originally-To: mailinglist@somewhere.org
{
# fhw: run formail as a header filter and keep its output
:0 fhw
| formail -R Reply-To: X-Old-Reply-To: -R X-Originally-To: Reply-To:
}
# Still reading? There are two tools that make ninety percent of
# the stuff above obsolete. If you have a machine that can do the
# exhaustive laundry list of tests above, save yourself some trouble
# and instead pick up a current copy of SpamBouncer.
#
# If you still have any spare horsepower after that, add the SpamAssassin
# toolkit as well. The easy way to do that is through the CPAN
# online Perl repository. Once it's in place, you have a spamassassin
# service to which you can feed suspect mail like so:
:0fw
| spamc
# And then test the results for spamminess:
:0:
* ^X-Spam-Status: Yes
{
LOG="SA "
:0
/dev/null
}
