# spamcheckrc - part of spam filter described at http://www.city-fan.org/ftp/contrib/mail/spamfilter/
#
# Header, relay and advertised-domain checks. Every recipe that fires appends
# an "X-Reject: (score) reason" header (or an "X-Accept:" marker) with
# formail -A; no recipe shown here delivers or discards the message.
# Recipe flags used below: f = filter the message through the command,
# h = header only, b = body only, E = "else" branch of the preceding recipe.
# A "\/" in a condition stores the text matched to its right in $MATCH.
# MYISP, MYNAMES, MYIP, MYHOST, HOTMAIL, USE_MAPS, TEST and FORGERY are not
# assigned in this part; presumably they come from procvars / rcvdrc.

# Set LINEBUF to high figure to accommodate large recipes.
OLDLINEBUF=${LINEBUF}
LINEBUF=64000
FORGER=none
DAVSPAM=0

# Remove any pre-existing X-Reject: and X-Accept: headers
# (so a sender cannot pre-seed the headers this filter scores on).
:0fh
| formail -I X-Reject: -I X-Accept:

# Mail not sent To:/Cc: me is off to a bad start...
:0fh
*$!^(Sender|From|Reply-To):.*${MYISP}
*$!^(Apparently.*|To|Cc):.*${MYNAMES}
| formail -A "X-Reject: (35) Not addressed to me"

# Offset the spam score by -500 if we detect a LART, Abuse Desk response etc.
# NOTE(review): this recipe and the three (-500) recipes after it decide on
# From:, To:/Cc: and Subject: text only, all of which the sender chooses, and
# "X-Accept: Abuse response" later switches off the advertised-domain checks.
# Keep the address list tight and review it periodically.
:0fh
* ^From:.*[^a-z0-9-]((abuse|spam|support|tos|postmaster)@|\
  please_do_not_reply@worldnet\.att\.net|\
  noloop@sprint\.net|\
  malecki@starnetusa\.net|\
  Kamal\.Mann@cox\.com|\
  nobody@(one|uu)\.net|\
  abuse-noreply@stargate\.net|\
  PostMaster@bta\.net\.cn|\
  cbirdsong@alabanza\.com|\
  support@mail\.ru|\
  rss@mail-abuse\.org|\
  request@lycos-europe\.com|\
  theabuseteam@btopenworld\.com|\
  nemesys@telefonica\.es|\
  abuse-various@uk\.tiscali\.com|\
  abuse_EN_SY@css\.one\.microsoft\.com|\
  askvisa@visa\.com|\
  pmg@bbn.com)
*$^(Apparently.*|To|Cc):.*(${MYNAMES}|undisclosed-recipients:|recipient list not shown:)
*!^Cc: .*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*
* ^Subject: (Re:|.*abuse|Your Support Ticket|\[Automatic Reply\])
| formail -A "X-Accept: Abuse response"

:0fh
*$^From:.*${MYNAMES}
* ^Cc:.*nanas@killfile\.org
| formail -A "X-Reject: (-500) LART"

:0fh
*$^From:.*${MYNAMES}
* ^To:.*(relays@mail-abuse\.org|relays@relays\.osirusoft\.com)
| formail -A "X-Reject: (-500) Open relay nomination"

:0fh
* ^From:.*relaytest@abuse\.net
*$^(To|Sender):.*${MYNAMES}
| formail -A "X-Reject: (-500) Abuse.net relay test"

# Look for spam sent with MAIL FROM:<> (forged bounce)
:0
*$^Return-Path: [<]MAILER-DAEMON@${MYISP}[>]
{
  # Try not to junk genuine bounces.
  # The Regexp here is like FROM_MAILER, except not checking "From " lines.
  # The large negative score here is because the bounce may be from a LART and hence quite spammy.
  :0fh
  * (^(((Resent-)?(From|Sender)|X-Envelope-From):)([^>]*[^(.%@a-z0-9])?(Post(ma(st(er)?|n)|office)|(send)?Mail(er)?|daemon|mmdf|n?uucp|ops|r(esponse|oot)|(bbs\.)?smtp(error)?|s(erv(ices?|er)|ystem)|A(dmin(istrator)?|MMGR))(([^).!:a-z0-9][-_a-z0-9]*)?[%@>\t][^<)]*(\(.*\).*)?)?$([^>]|$))
  *![%]CURRENT_DATE_TIME
  | formail -A "X-Reject: (-500) Genuine bounce message"

  # Anything else with that Return-Path is treated as a possible forgery.
  :0Efh
  | formail -A "X-Reject: (35) Possible forged bounce"
}

# Add special case check for mail received at hotmail if required (turn on with HOTMAIL=1 in procvars)
# It's not a bad idea to do this anyway as it spots some forgeries.
ISPCHECK=${MYISP}
HOTMAILCHECK=(([a-z0-9.-]+\.)?hotmail\.com|mc[0-9][0-9]?-f[0-9][0-9]?)
:0
* HOTMAIL ?? 1
{
  ISPCHECK=(${ISPCHECK}|${HOTMAILCHECK})
  # Check for hotmail.com forgeries (common)
  # Hotmail address ranges: 64.4.0-63.* 65.52-55.*.* 207.68.128-207.* 209.185.240-243.* 216.33.236-243.*
  # NOTE(review): these ranges are hard-coded; confirm they are still current
  # before trusting them as "my provider's" relays.
  MYIP=(${MYIP}|64\.4\.([0-9]|[0-5][0-9]|6[0-3])\.[0-9]+|65\.5[2-5]\.[0-9]+\.[0-9]+|207\.68\.(12[89]|1[3-9][0-9]|20[0-7])\.[0-9]+|209\.185\.24[0-3]\.[0-9]+|216\.33\.2(3[6-9]|4[0-3])\.[0-9]+)
  MYHOST=(${MYHOST}|${HOTMAILCHECK})
}

# Remove carriage returns from headers, obfuscation technique used by some spammers
# Also remove trailing spaces and tabs, another technique used.
# NOTE(review): the bracket expression below shows only a space; a tab may
# have been lost when this page was rendered - compare with the upstream file.
:0fh
| tr -d '\r' | sed 's/[ ]*$//'

# Figure out who actually sent or relayed the mail to me.
# IPEXTERNAL keeps the sentinel XXXXXX until a connecting address is found.
IPEXTERNAL="XXXXXX"
INSERT="Received: from.*[ ]by[ ](.*$)+"
FINALPATTERN="()\/Received: from.*"
PATTERN="()\/Received: from.*[ ]by[ ].*"

# Start looking for IP address of the host that connected to my ISP.
# Start at the top Received: header and work our way down until we
# reach one with Received: from {not my ISP} by {my ISP}
:0
*$ ${PATTERN}
{ NEXTHEADER=${MATCH} }

# The header walk itself lives in rcvdrc, which is not part of this file.
:0
* IPEXTERNAL ?? XXXXXX
* NEXTHEADER ?? Received: from .*[[(].*[])].*by.*
{ INCLUDERC=rcvdrc }

# Look for hotmail DAV spam
:0
*^X-Originating-IP: \[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]
*^Received: from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ by [a-z0-9-]+dav[0-9]+\.[a-z0-9]+\.hotmail\.com with DAV;
{
  :0fh
  | formail -A "X-Reject: (50) Mail sent using hotmail DAV"

  # Use the address from X-Originating-IP: as the external sender.
  :0
  *^X-Originating-IP: \[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
  { IPEXTERNAL=${MATCH} }

  # DAVSPAM=1 later suppresses the dialup-list penalties for this message.
  DAVSPAM=1
}

# This block stays open until the "}}}}}" after the reverse-DNS check below.
# TEST is presumably the Received: header selected by rcvdrc - TODO confirm.
:0
*! IPEXTERNAL ?? XXXXXX
{
  # Check for Exim with rDNS
  :0
  * TEST ?? Received: from [^ ]+ \(\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\].*by .*with e?smtp \(exim
  * TEST ?? Received: from [^ ]+ \(\[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
  { IPEXTERNAL=${MATCH} }

  # Check for Exim without rDNS
  :0E
  * TEST ?? Received: from \[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\].*by .*with e?smtp \(exim
  * TEST ?? Received: from \[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
  { IPEXTERNAL=${MATCH} }

  # If not Exim check for sendmail
  :0E
  * TEST ?? Received: from [^ ]+[ ]+\(.*\[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
  { IPEXTERNAL=${MATCH} }

  # Let's try qmail
  :0E
  * TEST ?? Received: from [^ ]+[ ]+(\((EH|HE)LO .*\)[ ]+)?\((.*@)?[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\)[ ]*by[ ]+
  * TEST ?? Received: from [^ ]+[ ]+(\((EH|HE)LO .*\)[ ]+)?\((.*@)?\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
  { IPEXTERNAL=${MATCH} }

  # Otherwise, check for hotmail (note: hotmail doesn't list hostnames or HELO greetings in Received: headers)
  :0E
  * HOTMAIL ?? 1
  *$ TEST ?? Received: from[ ]+[(]?\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\][)]? by ${HOTMAILCHECK}
  * TEST ?? Received: from[ ]+[(]?\[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
  { IPEXTERNAL=${MATCH} }

  # If we still haven't identified the source of the mail, try looking for hostnames
  # with spaces in them. This may unfortunately be fooled by spammers that put false IP
  # addresses in their HELO greetings, but it's better than nothing.
  # NOTE(review): "//////" is presumably a marker value assigned in rcvdrc;
  # it is not set anywhere in this file - TODO confirm.
  :0
  * IPEXTERNAL ?? //////
  {
    # Check for Exim with rDNS
    :0
    * TEST ?? Received: from [^[]+ \(\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\].*by .*with e?smtp \(exim
    * TEST ?? Received: from [^[]+ \(\[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
    { IPEXTERNAL=${MATCH} }

    # If not Exim check for sendmail
    :0E
    * TEST ?? Received: from [^[]+[ ]+\(.*\[\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
    { IPEXTERNAL=${MATCH} }
  }

  # Having obtained the IP address of the sender, look it up in some blacklists
  # The four nested recipes peel off one octet each and build the reversed
  # name used for DNSBL queries (d.c.b.a for address a.b.c.d).
  :0
  * IPEXTERNAL ?? ()\/[0-9]+
  {
    QUAD1=$MATCH
    :0
    * IPEXTERNAL ?? [0-9]+\.\/[0-9]+
    {
      QUAD2=$MATCH
      :0
      * IPEXTERNAL ?? [0-9]+\.[0-9]+\.\/[0-9]+
      {
        QUAD3=$MATCH
        :0
        * IPEXTERNAL ?? [0-9]+\.[0-9]+\.[0-9]+\.\/[0-9]+
        {
          REVERSED="${MATCH}.${QUAD3}.${QUAD2}.${QUAD1}"

          # Each list is queried with a separate "host -W60" call (wait up to
          # 60 seconds), and the return code is searched for anywhere in
          # host's text output, which also echoes the name that was queried.
          # NOTE(review): several zones queried below (for example
          # relays.ordb.org, opm.blitzed.org, dnsbl.njabl.org and the dsbl.org
          # zones) were retired after this file was written. Confirm that each
          # zone is still operated before enabling its recipe: a retired or
          # re-registered zone can answer every query and tag all mail.

          # MAPS Blacklists
          # You need to have a contract with MAPS LLC to use these - see http://mail-abuse.org/
          :0
          * USE_MAPS ?? 1
          {
            MAPS_DUL=`host -W60 ${REVERSED}.dialups.mail-abuse.org`
            MAPS_RBL=`host -W60 ${REVERSED}.blackholes.mail-abuse.org`
            MAPS_RSS=`host -W60 ${REVERSED}.relays.mail-abuse.org`

            :0fh
            * MAPS_DUL ?? 127\.0\.0\.3
            *!DAVSPAM ?? 1
            | formail -A "X-Reject: (100) IP $IPEXTERNAL is in MAPS DUL."

            :0fh
            * MAPS_RBL ?? 127\.0\.0\.2
            | formail -A "X-Reject: (100) IP $IPEXTERNAL is in MAPS RBL."

            :0fh
            * MAPS_RSS ?? 127\.0\.0\.2
            | formail -A "X-Reject: (35) IP $IPEXTERNAL is in MAPS RSS."
          }

          # city-fan.org local blacklists
          # Caveat Emptor
          CITY_FAN_DIALUPS=`host -W60 ${REVERSED}.dialups.city-fan.org`
          CITY_FAN_SPAMMERS=`host -W60 ${REVERSED}.spammers.city-fan.org`
          CITY_FAN_RELAYS=`host -W60 ${REVERSED}.relays.city-fan.org`

          :0fh
          * CITY_FAN_DIALUPS ?? 127\.0\.0\.2
          *!DAVSPAM ?? 1
          | formail -A "X-Reject: (100) IP $IPEXTERNAL is in dialups.city-fan.org."

          :0fh
          * CITY_FAN_SPAMMERS ?? 127\.0\.0\.2
          | formail -A "X-Reject: (100) IP $IPEXTERNAL is in spammers.city-fan.org."

          :0fh
          * CITY_FAN_RELAYS ?? 127\.0\.0\.2
          | formail -A "X-Reject: (100) IP $IPEXTERNAL is in relays.city-fan.org."

          # ordb.org open relay list
          ORDB=`host -W60 ${REVERSED}.relays.ordb.org`

          :0fh
          * ORDB ?? 127\.0\.0\.2
          | formail -A "X-Reject: (80) IP $IPEXTERNAL is in relays.ordb.org."

          # Spamhaus SBL
          SBL=`host -W60 ${REVERSED}.sbl.spamhaus.org`

          :0fh
          * SBL ?? 127\.0\.0\.2
          | formail -A "X-Reject: (100) IP $IPEXTERNAL is in SBL."

          # blitzed.org open proxy monitor
          PROXIES=`host -W60 ${REVERSED}.opm.blitzed.org`

          :0fh
          * PROXIES ?? 127\.[0-9]\.[0-9]\.[0-9]
          | formail -A "X-Reject: (100) IP $IPEXTERNAL is an open proxy listed in opm.blitzed.org."

          # NJABL.ORG - not just another bogus list
          NJABL=`host -W60 ${REVERSED}.dnsbl.njabl.org`

          :0fh
          * NJABL ?? 127\.0\.0\.2
          | formail -A "X-Reject: (50) IP $IPEXTERNAL is an open relay or direct spam source listed in dnsbl.njabl.org."

          :0fh
          * NJABL ?? 127\.0\.0\.3
          *!DAVSPAM ?? 1
          | formail -A "X-Reject: (100) IP $IPEXTERNAL is a dialup listed in dnsbl.njabl.org."

          # DSBL_LIST - main DSBL list
          DSBL_LIST=`host -W60 ${REVERSED}.list.dsbl.org`

          :0fh
          * DSBL_LIST ?? 127\.0\.0\.2
          | formail -A "X-Reject: (80) IP $IPEXTERNAL is listed in list.dsbl.org."

          # DSBL_MULTIHOP - output stage of multihop relay
          DSBL_MULTIHOP=`host -W60 ${REVERSED}.multihop.dsbl.org`

          :0fh
          * DSBL_MULTIHOP ?? 127\.0\.0\.2
          | formail -A "X-Reject: (40) IP $IPEXTERNAL is listed in multihop.dsbl.org."

          # DSBL_UNC - unconfirmed DSBL list (anything in confirmed or multihop will also be in here)
          DSBL_UNC=`host -W60 ${REVERSED}.unconfirmed.dsbl.org`

          :0fh
          * DSBL_UNC ?? 127\.0\.0\.2
          | formail -A "X-Reject: (20) IP $IPEXTERNAL is listed in unconfirmed.dsbl.org."

          # PDL - Pam-Am Dynamic List
          # This list currently has no data (November 2003)
          #PDL=`host -W60 ${REVERSED}.dialups.visi.com`
          #:0fh
          #* PDL ?? 127\.0\.0\.3
          #*!DAVSPAM ?? 1
          #| formail -A "X-Reject: (100) IP $IPEXTERNAL is listed in PDL."

          # Sorbs Dynamic IP list
          # This has been a bit unreliable of late, e.g. listing an NTL smarthost
          SDUL=`host -W60 ${REVERSED}.dul.dnsbl.sorbs.net`

          :0fh
          * SDUL ?? 127\.0\.0\.10
          *!DAVSPAM ?? 1
          | formail -A "X-Reject: (30) IP $IPEXTERNAL is listed in dul.dnsbl.sorbs.net."

          # Sorbs spam list
          SSPAM=`host -W60 ${REVERSED}.spam.dnsbl.sorbs.net`

          :0fh
          * SSPAM ?? 127\.0\.0\.6
          | formail -A "X-Reject: (20) IP $IPEXTERNAL is listed in spam.dnsbl.sorbs.net."

          # Composite block list
          CBL=`host -W60 ${REVERSED}.cbl.abuseat.org`

          :0fh
          * CBL ?? 127\.0\.0\.2
          | formail -A "X-Reject: (100) IP $IPEXTERNAL is listed in CBL."

          # A bare "([a.b.c.d])" with no hostname, outside the Exim and
          # Hotmail formats, is read as the relay finding no reverse DNS.
          :0fh
          * TEST ?? Received: from.*\(\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]\).*by
          *! TEST ?? Received: from.*\(\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]\).*by.*with e?smtp \(exim
          *! TEST ?? Received: from .* \(\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]\) by [-a-z0-9.]+\.hotmail\.com
          | formail -A "X-Reject: (35) No reverse DNS returned (sendmail)"
}}}}}

# Having ascertained where the mail came from, we can now change FORGED-LOCALHOST back to localhost
# ... and of course FORGED-MY-HOSTNAME too.
# NOTE(review): ${FORGERY} is spliced unquoted into the sed script. It is not
# set in this file; if rcvdrc fills it from header text, a "/" or other sed
# syntax in the value changes the script. Constrain it to hostname characters
# where it is assigned - TODO confirm against rcvdrc.
:0fh
*! FORGER ?? none
| sed -e 's/FORGED-LOCALHOST/localhost/' -e 's/FORGED-MY-HOSTNAME/'${FORGERY}'/'

:0fh
* ^Received: from.*by.*(SMI-8\.6|SGI\.8\.[6-8])
| formail -A "X-Reject: (35) Email received via insecure SMI or SGI 8.6 system"

# If it's a genuine message from Hotmail Member Services, help it through
# (applies only while no external address was identified; the From: test is
# unanchored header text, so this credit rests on the relay check alone).
:0fh
* HOTMAIL ?? 1
* IPEXTERNAL ?? XXXXXX
* From:.*staff@hotmail.com
| formail -A "X-Reject: (-350) Genuine Hotmail notification"

# Undo some quoted-printable encoding that might fool body checks
# NOTE(review): as shown, the =3C rule deletes the sequence instead of
# decoding it and there is no rule for =3D or =3E; text between angle brackets
# may have been lost from this page - compare with the upstream file.
:0fb
* ^Content-Transfer-Encoding: quoted-printable
| sed -e 's/=20/ /g' -e 's/=22/"/g' -e 's/=23/#/g' -e 's/=24/$/g' -e 's/=2E/./g' -e 's#=2F#/#g' \
      -e 's/=3A/:/g' -e 's/=3C//g' -e 's/=3F/?/g' -e 's/=40/@/g'

# Check for domains known to be bad by their nameservers
# First try the "From " envelope line; the fallbacks below use the From: header.
# NOTE(review): SENDER_DOMAIN is taken from message headers. The second sed
# expression narrows it to hostname characters only when the text contains an
# "@"; otherwise the header text passes through unchanged and is later handed
# unquoted to host and echo, where it is split into words. Validate it against
# a strict hostname pattern before any lookup and quote the expansions.
SENDER_DOMAIN=`formail -x From | head -n 1 | sed -e 's/.*[<]\([^>]*\)[>].*/\1/' -e 's/.*@\([-0-9a-zA-Z.]*\).*/\1/'`
:0
*! SENDER_DOMAIN ?? [.]
{
  # No dot in sender domain name - probably a fetchmail or similar submission
  # Use the header sender instead
  SENDER_DOMAIN=`formail -x From: | head -n 1 | sed -e 's/.*[<]\([^>]*\)[>].*/\1/' -e 's/.*@\([-0-9a-zA-Z.]*\).*/\1/'`
}
:0E
*$ SENDER_DOMAIN ?? ${MYISP}
{
  # My ISP's name in the domain - probably a gotmail or similar submission
  # Use the header sender instead
  SENDER_DOMAIN=`formail -x From: | head -n 1 | sed -e 's/.*[<]\([^>]*\)[>].*/\1/' -e 's/.*@\([-0-9a-zA-Z.]*\).*/\1/'`
}
:0
*! SENDER_DOMAIN ?? [.]
{
  # No dot in sender domain name, probably a bogus From: header
  :0fh
  | formail -A "X-Reject: (50) Anonymous sender domain"
}
:0E
{
  # Collect the sender domain's NS names as one space-separated string,
  # walking up to two parent levels when no NS records are found.
  SENDER_PARENT_DOMAIN=$SENDER_DOMAIN
  SENDER_NSLIST=`host -W60 -t ns $SENDER_DOMAIN |\
    egrep 'name server|NXDOMAIN' |\
    sed -e 's/.*name server \(.*\)\./\1/g' |\
    tr '[:space:]' ' '`
  :0
  * SENDER_NSLIST ?? (^[ ]*$| not found)
  * SENDER_DOMAIN ?? ([^.]+\.[^.]+\.[^.]+)
  {
    # No NS records found, try the parent domain (as long as domain name has at least 3 parts)
    SENDER_PARENT_DOMAIN=`echo $SENDER_DOMAIN | sed -e 's/[^.]*\.//'`
    SENDER_NSLIST=`host -W60 -t ns $SENDER_PARENT_DOMAIN |\
      egrep 'name server|NXDOMAIN' |\
      sed -e 's/.*name server \(.*\)\./\1/g' |\
      tr '[:space:]' ' '`
  }
  :0
  * SENDER_NSLIST ?? (^[ ]*$| not found)
  * SENDER_PARENT_DOMAIN ?? ([^.]+\.[^.]+\.[^.]+)
  {
    # No NS records found, try the parent domain again (as long as domain name has at least 3 parts)
    SENDER_PARENT_DOMAIN=`echo $SENDER_PARENT_DOMAIN | sed -e 's/[^.]*\.//'`
    SENDER_NSLIST=`host -W60 -t ns $SENDER_PARENT_DOMAIN |\
      egrep 'name server|NXDOMAIN' |\
      sed -e 's/.*name server \(.*\)\./\1/g' |\
      tr '[:space:]' ' '`
  }
  :0f
  * SENDER_NSLIST ?? not found:.*[(]NXDOMAIN[)]
  | formail -A "X-Reject: (50) Unresolvable sender domain $SENDER_DOMAIN"
  :0f
  * SENDER_NSLIST ?? localhost
  | formail -A "X-Reject: (100) Sender domain $SENDER_DOMAIN has nameserver on localhost"
  :0f
  *!SENDER_NSLIST ?? [.]
  *!SENDER_NSLIST ?? ^[ ]*$
  | formail -A "X-Reject: (100) Sender domain $SENDER_DOMAIN has invalid nameserver: $SENDER_NSLIST"
  :0f
  * SENDER_NSLIST ?? project-x\.com\.ua
  | formail -A "X-Reject: (100) Project-X spam domain: $SENDER_DOMAIN"
}

# Same for spamvertised sites
# The message is piped to the external "spamdomain" helper (not shown here)
# and its output becomes SPAMDOMAIN.
# NOTE(review): SPAMDOMAIN originates from message content and is passed
# unquoted to echo and host below; make sure the helper emits nothing but a
# validated hostname or address, and quote the expansions.
:0
SPAMDOMAIN=| spamdomain

:0f
* SPAMDOMAIN ?? (goOpt\.com|[&]#103;oopt\.(com|net)|busycorp\.net)$
| formail -A "X-Reject: (100) Empire Towers spamming $SPAMDOMAIN"

:0f
* SPAMDOMAIN ?? [%&]
| formail -A "X-Reject: (100) Obfuscated advertised domain $SPAMDOMAIN"

# Name-based advertised site (not empty, not a dotted quad, not a bare number).
:0E
*! SPAMDOMAIN ?? ^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|[0-9]+)?$
{
  # Some spammers play games with nameservers, so look for the nameservers of the parent domain first
  :0
  * SPAMDOMAIN ?? ([^.]+\.[^.]+\.[^.]+)
  {
    SPAMMER_PARENT_DOMAIN=`echo $SPAMDOMAIN | sed -e 's/[^.]*\.//'`
    SPAMMER_PARENT_NSLIST=`host -W60 -t ns $SPAMMER_PARENT_DOMAIN |\
      egrep 'name server|NXDOMAIN' |\
      sed -e 's/.*name server \(.*\)\./\1/g' |\
      tr -s '[:space:]' ' ' |\
      sed -e 's/[ ]*$//'`
  }
  :0E
  {
    # Two-level domain name, no valid parent.
    SPAMMER_PARENT_DOMAIN=$SPAMDOMAIN
    SPAMMER_PARENT_NSLIST=none
  }

  # Now let's look at the nameservers for the advertised domain itself
  SPAMMER_NSLIST=`host -W60 -t ns $SPAMDOMAIN |\
    egrep 'name server|NXDOMAIN' |\
    sed -e 's/.*name server \(.*\)\./\1/g' |\
    tr -s '[:space:]' ' ' | sed -e 's/[ ]*$//'`
  :0
  * SPAMMER_NSLIST ?? (^[ ]*$| not found)
  * SPAMDOMAIN ?? ([^.]+\.[^.]+\.[^.]+)
  {
    # No NS records found, use the parent domain's
    SPAMMER_NSLIST="$SPAMMER_PARENT_NSLIST"
  }

  # Sometimes the NSLIST is a decoy and we need to look further up the chain
  # NOTE(review): $SPAMMER_NSLIST is text returned by DNS and is used here as
  # a regular expression; procmail's $\VAR form expands a variable with regex
  # metacharacters escaped, if a literal comparison is what is intended.
  :0
  * SPAMDOMAIN ?? www\.[a-z0-9-]+\.[a-z]+
  *$ SPAMDOMAIN ?? $SPAMMER_NSLIST
  {
    # Suspect NS record found, use the parent domain
    SPAMMER_NSLIST="$SPAMMER_PARENT_NSLIST"
  }
  :0
  * SPAMMER_NSLIST ?? (^[ ]*$| not found)
  * SPAMMER_PARENT_DOMAIN ?? ([^.]+\.[^.]+\.[^.]+)
  {
    # No NS records found, try the parent domain
    SPAMMER_PARENT_DOMAIN=`echo $SPAMMER_PARENT_DOMAIN | sed -e 's/[^.]*\.//'`
    SPAMMER_NSLIST=`host -W60 -t ns $SPAMMER_PARENT_DOMAIN |\
      egrep 'name server|NXDOMAIN' |\
      sed -e 's/.*name server \(.*\)\./\1/g' |\
      tr -s '[:space:]' ' '`
  }

  # Some spammers are providing bogus glue NS records that don't resolve
  FIRST_NAMESERVER=`echo $SPAMMER_NSLIST | sed -e 's/ .*//'`
  :0
  * FIRST_NAMESERVER ?? [.]
  {
    FIRST_NAMESERVER_ADDRESS=`host -W60 "$FIRST_NAMESERVER" |\
      egrep 'address|NXDOMAIN' |\
      sed -e 's/.*has address //'`
    :0f
    * FIRST_NAMESERVER_ADDRESS ?? (^[ ]*$| not found)
    | formail -A "X-Reject: (50) Unresolvable nameserver $FIRST_NAMESERVER"
  }
  # Else branch: the first nameserver name contains no dot at all.
  :0fE
  | formail -A "X-Reject: (50) Bogus nameserver '$FIRST_NAMESERVER'"
  :0f
  # Some spammers have IP addresses in NS records
  * FIRST_NAMESERVER ?? ^[1-9][0-9.]*$
  | formail -A "X-Reject: (50) Bogus nameserver $FIRST_NAMESERVER"
  :0
  {
    :0f
    * SPAMMER_NSLIST ?? not found:.*[(]NXDOMAIN[)]
    | formail -A "X-Reject: (20) Unresolvable advertised domain $SPAMDOMAIN"

    # Static list of nameserver domains treated as spam infrastructure.
    # NOTE(review): a hard-coded list like this goes stale and includes shared
    # DNS providers; two entries (dns77(55|77).biz and iom.us) leave "." unescaped,
    # so it matches any character there. Review before reuse.
    :0f
    * SPAMMER_NSLIST ?? (100uptime\.com|\
      295host\.com|\
      4801\.biz|\
      4evazdns\.biz\.info|\
      dns77(55|77).biz|\
      ns[12]\.4ph\.com|\
      aboutcash\.net|\
      aboutstamina\.com|\
      ad-z\.com|\
      ainmortgage\.com|\
      allatexerti\.com|\
      all-sensationals\.com|\
      alon587\.com|\
      answerisok\.com|\
      anty\.info|\
      autonameservers\.com|\
      autson\.com|\
      avirtualshopper\.net|\
      avk29\.biz|\
      backhoe613drug\.us|\
      backofficemachine\.com|\
      badgirlsfucking\.com|\
      bigpolestinyholes\.com|\
      b0net\.com|\
      bossrx\.com|\
      bubbalog\.biz|\
      bubra\.biz|\
      bullethost\.net|\
      bulletproof-hosting\.info|\
      camshowsluts\.com|\
      changeip\.com|\
      clicksforfree\.biz|\
      cn-ihost\.com|\
      computercup\.com|\
      corptopia\.com|\
      courcator\.com|\
      datacommarketing\.com|\
      direct--?promotions\.org|\
      direct2you\.bz|\
      diskhosting\.net|\
      dm-direct\.com|\
      dnsdomain\.biz|\
      dnsegypt\.com|\
      dnsonthefly\.com|\
      dnsserviceonly\.com|\
      donotcomplain\.net|\
      dts619\.com|\
      ebusinessnews\.co\.uk|\
      efedmortgage\.net|\
      egoldtime\.com|\
      enjoy1here\.com|\
      expertfinancial\.org|\
      ezcliq\.us|\
      feefun\.com|\
      fiberpipeline\.net|\
      fluxxx\.com|\
      giantweb\.com|\
      gord\.us|\
      gzidc\.com|\
      health-services\.biz|\
      hereweragain\.com|\
      hinos\.igrejamenonita\.nom\.br|\
      hkdom\.net|\
      host-800\.info|\
      hostingcentre\.net|\
      hyperhyper\.net|\
      industrialmeds\.com|\
      infoforu\.net|\
      inkus\.net|\
      instantgoods\.com|\
      iom.us|\
      isolate\.net|\
      kim-name\.net|\
      kmtdomain\.org|\
      ktzyp\.info|\
      lookingaround\.net|\
      lucidhealth\.com|\
      main-dns\.com|\
      mbpadvertising\.com|\
      medcapsule\.com|\
      medst\.biz|\
      megrihosting\.com|\
      morozreg\.biz|\
      moskva66\.biz|\
      mysharedhosting\.info|\
      mtr-internet\.net|\
      mushrooms-software\.biz|\
      myfreednsonline\.com|\
      namedan\.org|\
      namesatlarge\.(org|us)|\
      nease\.net|\
      (net|4)mort\.com|\
      netblah\.com|\
      netcoopnet\.com|\
      net-email\.net|\
      nitric\.co\.za|\
      nonstop-dns\.com|\
      ns[0-9]\.chinadns\.com|\
      ns2000\.biz|\
      ns-bot\.biz|\
      nsroot\.biz|\
      oemsoftw\.info|\
      offer4in1\.com|\
      onlineclicks\.biz|\
      opt-in-web\.com|\
      peidim\.info|\
      pill-shop\.com|\
      pillsavings\.net|\
      pitc2\.net|\
      products-info\.com|\
      progoldhosting\.com|\
      project-x\.com\.ua|\
      quisalot\.biz|\
      ram-systems\.info|\
      randbad\.com|\
      reficentral\.biz|\
      refigroup\.info|\
      ritepip\.net|\
      sdi-marketing\.com|\
      servergod\.com|\
      shishki\.biz|\
      shaggweb\.com|\
      simple-management-systems\.com|\
      slashpad\.com|\
      sonnexh\.com|\
      sqdns\.com|\
      stylewolf\.com|\
      super-zonda\.com|\
      suspended-domain\.com|\
      thegoodnet\.biz|\
      theinkspot4u\.com|\
      tludaproject\.com|\
      toplessdrivers\.net|\
      usenetwork\.net|\
      uzc12\.biz|\
      warpmug\.com|\
      wayout\.net|\
      webfinity\.net|\
      whitcon\.net|\
      womc\.net|\
      wowthisiscool\.(net|com)|\
      xbst\.(com|info)|\
      xxxnameservers\.com|\
      yns[12]\.yahoo\.com|\
      yourloanz\.com|\
      zenithip\.net|\
      ztqlrni\.ph|\
      zuka\.us)
    *! SPAMDOMAIN ?? gunnersonhigh\.com
    | formail -A "X-Reject: (100) Spammer domain $SPAMDOMAIN"
    :0f
    * SPAMMER_NSLIST ?? localhost
    *!^X-Accept: Abuse response$
    | formail -A "X-Reject: (100) Advertised domain $SPAMDOMAIN has nameserver on localhost"
    :0f
    *!SPAMMER_NSLIST ?? [.]
    *!^X-Accept: Abuse response$
    | formail -A "X-Reject: (100) Advertised domain $SPAMDOMAIN has invalid nameserver: $SPAMMER_NSLIST"
    :0E
    *!^X-Accept: Abuse response$
    {
      # Try resolving the spammer's site and seeing if it's blacklisted.
      # This may fail with domains such as stylewolf.com that play DNS games to try
      # to misdirect queries. Using "dig +trace $SPAMDOMAIN" and parsing that output
      # would work better but I suspect "host" is more portable than "dig"
      SPAMVERTISED_IP=`host -W60 $SPAMDOMAIN | grep 'has address' | head -n 1 | sed 's/.* //g'`
      :0
      *$ SPAMVERTISED_IP ?? ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
      {
        # Rebuild REVERSED for the advertised site's address (the QUAD and
        # REVERSED variables are shared with the sender lookup above).
        :0
        * SPAMVERTISED_IP ?? ()\/[0-9]+
        { QUAD1=$MATCH }
        :0
        * SPAMVERTISED_IP ?? [0-9]+\.\/[0-9]+
        { QUAD2=$MATCH }
        :0
        * SPAMVERTISED_IP ?? [0-9]+\.[0-9]+\.\/[0-9]+
        { QUAD3=$MATCH }
        :0
        * SPAMVERTISED_IP ?? [0-9]+\.[0-9]+\.[0-9]+\.\/[0-9]+
        { REVERSED="${MATCH}.${QUAD3}.${QUAD2}.${QUAD1}" }
        :0
        * USE_MAPS ?? 1
        {
          MAPS_RBL=`host -W60 ${REVERSED}.blackholes.mail-abuse.org`
          MAPS_DUL=`host -W60 ${REVERSED}.dialups.mail-abuse.org`
          :0fh
          * MAPS_RBL ?? 127\.0\.0\.2
          | formail -A "X-Reject: (100) Advertised site $SPAMDOMAIN [$SPAMVERTISED_IP] is in MAPS RBL."
          :0fh
          * MAPS_DUL ?? 127\.0\.0\.3
          | formail -A "X-Reject: (100) Advertised site $SPAMDOMAIN [$SPAMVERTISED_IP] is in MAPS DUL."
        }
        CITY_FAN_DIALUPS=`host -W60 ${REVERSED}.dialups.city-fan.org`
        CITY_FAN_SPAMMERS=`host -W60 ${REVERSED}.spammers.city-fan.org`
        NJABL=`host -W60 ${REVERSED}.dnsbl.njabl.org`
        #PDL=`host -W60 ${REVERSED}.dialups.visi.com`
        SBL=`host -W60 ${REVERSED}.sbl.spamhaus.org`
        SDUL=`host -W60 ${REVERSED}.dul.dnsbl.sorbs.net`
        SSPAM=`host -W60 ${REVERSED}.spam.dnsbl.sorbs.net`
        :0fh
        * SBL ?? 127\.0\.0\.2
        | formail -A "X-Reject: (100) Advertised site $SPAMDOMAIN [$SPAMVERTISED_IP] is in SBL."
        :0fh
        * CITY_FAN_SPAMMERS ?? 127\.0\.0\.2
        *!SPAMDOMAIN ?? www\.citystat\.net
        | formail -A "X-Reject: (100) Advertised site $SPAMDOMAIN [$SPAMVERTISED_IP] is in spammers.city-fan.org."
        :0fh
        * CITY_FAN_DIALUPS ?? 127\.0\.0\.2
        | formail -A "X-Reject: (100) Advertised site $SPAMDOMAIN [$SPAMVERTISED_IP] is in city-fans dialup list."
        :0fh
        * NJABL ?? 127\.0\.0\.3
        | formail -A "X-Reject: (100) Advertised site $SPAMDOMAIN [$SPAMVERTISED_IP] is in NJABL dialups list."
        #:0fh
        #* PDL ?? 127\.0\.0\.3
        #| formail -A "X-Reject: (100) Advertised site $SPAMDOMAIN [$SPAMVERTISED_IP] is in PDL."
        :0fh
        * SDUL ?? 127\.0\.0\.10
        | formail -A "X-Reject: (30) Advertised site $SPAMDOMAIN [$SPAMVERTISED_IP] is in dul.dnsbl.sorbs.net."
        :0fh
        * SSPAM ?? 127\.0\.0\.6
        | formail -A "X-Reject: (20) Advertised site $SPAMDOMAIN [$SPAMVERTISED_IP] is in spam.dnsbl.sorbs.net."
      }
    }
  }
}

# Advertised site given directly as a dotted-quad address.
:0
* SPAMDOMAIN ?? ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
*!^X-Accept: Abuse response$
{
  :0f
  | formail -A "X-Reject: (20) Site advertised by IP address: $SPAMDOMAIN"

  # Look up the advertised site in some blacklists
  :0
  * SPAMDOMAIN ?? ()\/[0-9]+
  { QUAD1=$MATCH }
  :0
  * SPAMDOMAIN ?? [0-9]+\.\/[0-9]+
  { QUAD2=$MATCH }
  :0
  * SPAMDOMAIN ?? [0-9]+\.[0-9]+\.\/[0-9]+
  { QUAD3=$MATCH }
  :0
  * SPAMDOMAIN ?? [0-9]+\.[0-9]+\.[0-9]+\.\/[0-9]+
  { REVERSED="${MATCH}.${QUAD3}.${QUAD2}.${QUAD1}" }
  :0
  * USE_MAPS ?? 1
  {
    MAPS_RBL=`host -W60 ${REVERSED}.blackholes.mail-abuse.org`
    MAPS_DUL=`host -W60 ${REVERSED}.dialups.mail-abuse.org`
    :0fh
    * MAPS_RBL ?? 127\.0\.0\.2
    | formail -A "X-Reject: (100) IP $SPAMDOMAIN is in MAPS RBL."
    :0fh
    * MAPS_DUL ?? 127\.0\.0\.3
    | formail -A "X-Reject: (100) Advertised site in MAPS DUL: $SPAMDOMAIN"
  }
  CITY_FAN_DIALUPS=`host -W60 ${REVERSED}.dialups.city-fan.org`
  CITY_FAN_SPAMMERS=`host -W60 ${REVERSED}.spammers.city-fan.org`
  NJABL=`host -W60 ${REVERSED}.dnsbl.njabl.org`
  #PDL=`host -W60 ${REVERSED}.dialups.visi.com`
  SBL=`host -W60 ${REVERSED}.sbl.spamhaus.org`
  SDUL=`host -W60 ${REVERSED}.dul.dnsbl.sorbs.net`
  SSPAM=`host -W60 ${REVERSED}.spam.dnsbl.sorbs.net`
  :0fh
  * CITY_FAN_SPAMMERS ?? 127\.0\.0\.2
  | formail -A "X-Reject: (100) IP $SPAMDOMAIN is in spammers.city-fan.org."
  :0fh
  * SBL ?? 127\.0\.0\.2
  | formail -A "X-Reject: (100) IP $SPAMDOMAIN is in SBL."
  :0fh
  * CITY_FAN_DIALUPS ?? 127\.0\.0\.2
  | formail -A "X-Reject: (100) Advertised site in city-fans dialup list: $SPAMDOMAIN"
  :0fh
  * NJABL ?? 127\.0\.0\.3
  | formail -A "X-Reject: (100) Advertised site in NJABL dialups list: $SPAMDOMAIN"
  #:0fh
  #* PDL ?? 127\.0\.0\.3
  #| formail -A "X-Reject: (100) Advertised site in PDL: $SPAMDOMAIN"
  :0fh
  * SDUL ?? 127\.0\.0\.10
  | formail -A "X-Reject: (30) Advertised site is in dul.dnsbl.sorbs.net: $SPAMDOMAIN"
  :0fh
  * SSPAM ?? 127\.0\.0\.6
  | formail -A "X-Reject: (20) Advertised site is in spam.dnsbl.sorbs.net: $SPAMDOMAIN"
}

# Header sanity checks.
:0fh
* Subject: =[?][^?]* [^?]*[?]
| formail -A "X-Reject: (100) Bogus character set (contains spaces) in RFC1522 encoded Subject: header"

:0fh
* ^(Date|Subject|Reply-To):(.*$)+Received:
| formail -A "X-Reject: (35) Possible forged _Received: from_ line"

:0fh
* ^X-UIDL:
| formail -A "X-Reject: (100) Invalid X-UIDL:"

:0fh
* ^[ ]
| formail -A "X-Reject: (100) Bogus header starting with a space"

:0fh
* ^Comments:.*Authenticated sender
* !^X-Mailer:.*Pegasus Mail
| formail -A "X-Reject: (100) Authenticated sender BS"

# ====================================
# Specific Mass Mail Software Packages
# ====================================
# Many of these checks have been removed as old-fashioned mailers
# are now out of favour in spamming circles, with proxy-abusing
# software much more to the fore.
# Signature recipes for bulk-mail software and malformed sender headers.
# Each one filters the header (flags f and h) through formail -A to append an
# "X-Reject: (N) reason" header; the number in parentheses is presumably the
# score that another part of the filter adds up - TODO confirm.
# Flag D makes a match case-sensitive. All of these tests run on header text
# the sending software writes itself, so they identify tools that do not try
# to hide and say nothing about mail that lacks the signature.

# Cybercreek Avalanche
:0fh
* ^X-Mailer:.*Cybercreek Avalanche
| formail -A "X-Reject: (100) Spam Mailer/Avalanche"

# Diffondi Cool
:0fh
* ^X-Mailer:.*DiffondiCool
| formail -A "X-Reject: (100) Spam Mailer/DiffondiCool"

# MailXSender
:0fh
* ^X-Mailer:.*MailXSender
| formail -A "X-Reject: (100) Spam Mailer/MailXSender"

# First Class
:0fh
* !^X-Mailer:
* ^From:.*[a-z][a-z][a-z][0-9][0-9][0-9]*@
* ^Subject:.*\(.*[0-9][0-9][0-9].*\)$
* MIME-Version: 1.0
* Content-Type: TEXT/PLAIN; charset="US-ASCII"
* Content-Transfer-Encoding: 7bit
| formail -A "X-Reject: (80) First Class bulk emailer"

# Stealth Mailer Classic :(
:0fh
* ^Received:.*(SMTP id GAA.*-0600 \(EST\)([^\.]|$)|\
  \(8\.8\.5\/8\.6\.5\))
| formail -A "X-Reject: (100) Spam Mailer/Stealth (classic)"

# Stealth mailer -- New & "Improved" :( :<
:0fh
* ^Received:.*-0700 \(EDT\)([^\.]|$)
| formail -A "X-Reject: (100) Spam Mailer/Stealth (new)"

# TDS Mailer (TO/DATE/SUBJECT)
# Case-sensitive (D): fires only when all three header names are upper case.
:0fhD
* ^(TO:)
* ^(DATE:)
* ^(SUBJECT:)
| formail -A "X-Reject: (80) Spam Mailer/TDS"

# Undefined spam mailer
# (a template placeholder that the sending tool left unfilled)
:0fh
* ^X-Mailer: {%xmailer%}
| formail -A 'X-Reject: (100) Spam Mailer/{%xmailer%}'

# Assorted X-Mailer: headers
:0fh
* ^X-Mailer: (.*6.0 sub|\
  .*ArGoSoft MX Mailer|\
  .*Aristotle|\
  .*Aureate|\
  .*cgiemail|\
  .*dd <[0-9][0-9]>|\
  .*Direct Email|\
  .*Dynamic Opt-In Emailer|\
  .*E-Mail Connection|\
  .*eMerge|\
  .*Mail Bomber|\
  .*Mailchute|\
  .*MailKing|\
  .*MailWorkZ|\
  .*MassE-Mail|\
  .*massmail\.pl|\
  .*Millennium Mailer|\
  .*Multimailer|\
  .*Odulo BulkMail Master|\
  .*RIME|\
  .*Sir Mail-A-Lot|\
  .*The HARVESTER|\
  .*WinNT\'s Blat)
| formail -A "X-Reject: (80) Spam Mailer/Generic"

:0fh
* ^X-Mailer: The Bat! [(]v1\.52f[)] Business
| formail -A "X-Reject: (80) The Bat! Spam mailer"

:0fh
* ^X-Mailer: Caretop [0-9][0-9][0-9][0-9]
| formail -A "X-Reject: (80) Caretop spam mailer"

:0fh
* ^X-EM-Registration: #(00F06206106618006920|01B0530810E603002D00)
| formail -A "X-Reject: (100) Spammer EM registration number"

# The next recipe came from a post by Bob Poortinga on SPAM-L, 18th July 2001
:0 Dfh
* ^Message-ID: <0000[0-9].......\$0000[0-9]...\$0000[0-9]...@
| formail -A "X-Reject: (50) Spamware signature Message-Id"

# Saje Marketing want us to filter them, so why not?
# (the misspelt header name is the signature being matched)
:0fh
* ^Massege-ID:
| formail -A "X-Reject: (100) Saje Marketing spam signature"

# More Saje Marketing cruft
# NOTE(review): this condition has no "$" modifier, so ${MYISP} is not
# substituted here; the group containing it is optional, so the rest of the
# pattern still matches on its own.
:0fh
* ^From: .* [<]http://[-0-9a-z.]+/(@.*${MYISP})?[>]
| formail -A "X-Reject: (80) Bogus From: header"

# This lot also want to make it easy for us to filter them
:0fh
* ^From: .*@[a-z]+\.optdeals\.com>$
| formail -A "X-Reject: (100) optdeals spam signature"

# And more...
# NOTE(review): as shown, this matches any Subject: that ends in a space
# followed by digits, dots or spaces. A longer run of spaces may have been
# collapsed when this page was rendered - compare with the upstream file
# before giving it a score of 100.
:0fh
* ^Subject: .* [ 0-9.]+$
| formail -A "X-Reject: (100) infoforu spam signature"

# Case-sensitive combination: bare lower-case From:/To: addresses, 8BIT
# iso-8859-1 content, a Message-Id whose two dot-separated parts each mix
# letters and digits, and no Mime-Version:, MimeOLE or User-Agent: header.
:0 Dfh
* ^From: [a-z0-9.-]+@
* ^To: [a-z0-9.-]+@
* ^Content-Type: .*charset="iso-8859-1"
* ^Content-Transfer-Encoding: 8BIT
* ^Message-Id: <[a-z]*[0-9][a-z0-9]*\.[a-z]*[0-9][a-z0-9]*@
* ^Message-Id: <[0-9]*[a-z][a-z0-9]*\.[0-9]*[a-z][a-z0-9]*@
* !^Mime-Version:
* !^X-MimeOLE: Produced By Microsoft MimeOLE V[4-9]
* !^User-Agent:
| formail -A "X-Reject: (100) Ralsky, Pacheco spamware signature"

# #####.@ mailer
:0fh
* ^From.*[^0-9a-z][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?[0-9]?\.
* !^From.*2021\.com([^\.]|$)
* !^X-Mailer: Kana Connect
| formail -A "X-Reject: (80) Five number mailer signature (A)"

:0fh
* ^Subject.*[ ](\-[0-9][0-9][0-9][0-9]$|\
  \([0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?[0-9]?\)$)
* !^From.*usenix\.org([^\.]|$)
* !^From.*compuserve\.com([^\.]|$)
| formail -A "X-Reject: (80) Five number mailer signature (B)"

:0fh
* ^Received: .* with NNFMP;
*!^From:.*yahoo
| formail -A "X-Reject: (100) List-management protocol header (NNFMP) - proxy abuse signature"

# A "with QMQP" Received: line counts as forged unless it directly follows a
# "(qmail N invoked from network)" Received: line.
:0fh
* ^Received: .* with QMQP;
*!^Received: [(]qmail [0-9]+ invoked from network[)]; [0-9]+ [A-Z]+ [0-9]+ [0-9:]+ [-+][0-9]+$Received: .* with QMQP;
| formail -A "X-Reject: (100) Forged Quick Mail Queuing Protocol (QMQP) header - proxy abuse signature"

# Missing From:
:0fh
* !^From:
| formail -A "X-Reject: (50) No From: header"

# Empty From:
:0fh
* ^From:([ ]$|<[ ]?>$)
| formail -A "X-Reject: (50) Empty From: header"

# From: <>
:0fh
* ^From: .*<>
| formail -A "X-Reject: (100) Invalid From: header"

# Invalid From:/Reply-To:
# Note this recipe has been modified to exempt:
# .*@friendsprovident
# .*@friendsreunited
# .*@friendsupdate
# NOTE(review): the list includes "noreply@", which legitimate automated
# mail also uses; expect false positives at a score of 80.
:0fh
* ^(From.|Reply-To:).*[^0-9a-z](255\.255\.255\.|\
  advertise(r|ment)?@|\
  anon(ymous)?@|\
  x[0-9][0-9]x@|\
  [^a-z]friend.*@|\
  InternetEx@Picture\.scan\.com|\
  make@.*money.com|\
  no@reply([^\.]|$)|\
  noreply@([^\.]|$)|\
  noone@nowhere\.net([^\.]|$)|\
  .*@proxy?.\.ba\.best\.com([^\.]|$)|\
  info(rmation)?@.*internet\.net([^\.]|$)|\
  Reply@By\.Mail([^\.]|$)|\
  user@domain\.com([^\.]|$)|\
  usethe800number@|\
  waiting@thephone\.now([^\.]|$)|\
  Weight Loss|\
  Worldwide\.Network\.Association([^\.]|$)|\
  yourdomain\.com([^\.]|$)|\
  .*@[a-z]*\.[a-z]*\.earthlink\.net([^\.]|$)|\
  .*@.Cust..?\.[0-9a-z]*\.[0-9a-z]*\.[0-9a-z][0-9a-z]\.uu\.net([^\.]|$))
*!^(From.|Reply-To:).*(friends(provident|reunited|update))
| formail -A "X-Reject: (80) Invalid From/Reply-To"

# Elius Books, forge headers but keep the From: line.
# Generic header signatures. Each recipe filters the header (flags f and h)
# through formail -A to append an "X-Reject: (N) reason" header.

# NOTE(review): as shown, the "(100) Elius Books" condition matches every
# message that has a From: header. The distinguishing part of the pattern
# appears to have been lost from this page (possibly text between angle
# brackets); restore it from the upstream file before enabling this recipe.
:0fh
* ^From:.*
| formail -A "X-Reject: (100) Elius Books"

# Other headers which prove an article is spam
# NOTE(review): the "^Message-ID: " alternative below matches any Message-ID:
# header as shown; it may also have lost text in rendering - compare with the
# upstream file.
:0fh
* (^Content-Type: Commercial E-Mail|\
  ^Message-ID: |\
  ^Received:.*ALLINTERNETUSERS|\
  ^Received:.*(CLOAKED|CAMPAIGN)|\
  ^Received: from bulkserver|\
  ^Received:.*spam\.master|\
  ^Received:.*stealth|\
  ^Received:.*--- unknown host ---|\
  ^Received:.*Wakeup|\
  ^Received:.*young-crook-|\
  ^Reply-To: adzines@msn\.com|\
  ^Status: MC|\
  ^Subject: (AD|ADV|advertisement):|\
  ^Subject: \[?ADV[] ]|\
  ^To: @|\
  ^To.*(any|no|some)(one|body)@|\
  ^To: friends?@public\.com([^\.]|$)|\
  ^To: Dear\.Consumer|\
  ^To.*@proxy?.\.ba\.best\.com([^\.]|$)|\
  ^To.*research@infoname\.com|\
  ^To.*undisclosed-recipients|\
  ^To.*user@|\
  ^To.*videostars@earthlink\.net|\
  ^To.*your@email|\
  ^To.*you@|\
  ^To.*Priority\.Recipient@|\
  ^To.yourdomain\.com([^\.]|$)|\
  ^To.*WebSiteOwner@|\
  ^To: XXXXXX|\
  ^To:.*<>|\
  ^X-Advertisement:|\
  ^X-Distribution: Mass|\
  ^X-#:|\
  ^X-Info: Antro Promotions|\
  ^X-Info: mailto:.* in case of spamming!|\
  ^X-visit: http://www\.WebPromote\.com/)
* !^Received.*stealth\.net([^\.]|$)
| formail -A "X-Reject: (80) Generic spam signature"

# Missing To:
# (forwarded mail and the Hotmail autoresponder are exempt)
:0fh
* !^To:
* !^Subject: .*\(fwd\)
* !^From:.*autoresponder@hotmail\.com([^\.]|$)
| formail -A "X-Reject: (50) Missing To: header"

# Screwed-up mailmerge
:0fh
* ^To:.*#.*#@
| formail -A "X-Reject: (50) Suspicious To: header"

# Ridiculously overlong To: or Cc: headers
# NOTE(review): the condition below is cut off on this page (the parenthesis
# never closes and the action has run into it), so this recipe cannot work as
# shown; restore the condition and the separate "| formail" action line from
# the upstream file.
:0fh
* ^(To|Cc| formail -A "X-Reject: (50) Overlong To:/Cc: header"

# Multiple To: headers
:0fh
* ^To:(.*$)+To:
| formail -A "X-Reject: (50) Multiple To: headers"

# TO: Headers which almost always indicate spam.
:0fh * ^TO(BlindCopyReceiver:;;;@compuserve.com;|\ [Dd]atabase@outmail\.com([^\.]|$)|\ friends?@([^\.]|$)|\ fulldatabase@([^\.]|$)|\ nobody@.*([^\.]|$)|\ one@time\.com([^\.]|$)|\ outmail@([^\.]|$)|\ recipient list not shown|\ Recipient List Suppressed:;|\ \(Recipient list suppressed\)|\ Undisclosed\.Recipients@) | formail -A "X-Reject: (50) Invalid To: header" # Received: header after Subject: :0fh * ^Subject:(.*$)+Received: | formail -A "X-Reject: (30) Received: header after Subject:" # Multiple Received: headers after Date: :0fh * ^Date:(.*$)+Received:(.*$)+Received: | formail -A "X-Reject: (30) Multiple Received: headers after Date:" # Subject: line with too many periods in a row :0fh * ^Subject:.*\.[ ]?\.[ ]?\.[ ]?\.[ ]?\.[ ]?\.[ ]?\.[ ]?\.[ ]?\.[ ]?\.[ ]?\.[ ]?\.[ ]?\.[ ]?\.[ ]?\.[ ]?\. | formail -A "X-Reject: (30) Subject: line with too many periods in a row" # Content-Type with far too many useless semicolons :0fh * ^Content-Type:([ ]*$)?[ ]*.*/.*;;;;;;;;;;;;;;;;;;; | formail -A "X-Reject: (50) Suspicious Content-Type: header" # ======================= # COMMON HEADER FORGERIES # ======================= # Earthlink :0fh * ^From.*earthlink\.net * !^Received:.*earthlink\.net | formail -A "X-Reject: (50) Forged earthlink address" # Hotmail :0fh * ^From.*hotmail\.com * !^From: [<]abuse@hotmail.com[>] * !^X-Originating-IP: | formail -A "X-Reject: (20) Hotmail user not using webmail" :0fh * ^From:? 
[0-9].*@hotmail\.com | formail -A "X-Reject: (100) Bogus hotmail account" # Lycos :0fh * ^From.*lycos\.com * !^From: spam@lycos.com * !^(Message-ID|Received):.*lycos\.com | formail -A "X-Reject: (50) Bogus Lycos mail" # Mailexcite :0fh * ^From.*mailexcite\.com * !^Received:.*mailexcite\.com | formail -A "X-Reject: (50) Bogus mailexcite mail" # Bogus MSN :0fh * ^(From|Reply-To).*@.*msn\.com([^\.]|$) * !^Received:.*(msn|microsoft)\.com([^\.]|$) | formail -A "X-Reject: (50) Bogus MSN mail" # MSN relay/forgery :0fh * ^Received:.*(microsoft|msn)\.com([^\.]|$) * !^From.*@.*(hotmail|microsoft|msn)\.com([^\.]|$) | formail -A "X-Reject: (50) MSN Relay/Forgery" # eGroups forgery (common) :0fh * ^X-Mailer: eGroups Message Poster | formail -A "X-Reject: (100) eGroups forgery (eGroups now Yahoo!)" # Look for bogus usa.net lines that may have been missed earlier :0fh * ^Received: from usa.net *!^X-Reject: .* forged usa\.net | formail -A "X-Reject: (80) Bogus Received: from usa.net header" # Look for crap at end of Subject: headers :0fh * ^Subject: .* [^ ] | formail -A "X-Reject: (80) Hash-breaker at end of Subject: header" # Check for SPF softfails :0fh * ^Received-SPF: neutral | formail -A "X-Reject: (50) SPF neutral sender" :0fh * ^Received-SPF: softfail | formail -A "X-Reject: (80) SPF soft fail" # Subject: line with too many underscores in a row :0fh * ^Subject:.*_______________ | formail -A "X-Reject: (30) Subject: line with too many underscores in a row" :0fh * ^Subject:.*\ * ^Subject:.*\ | formail -A "X-Reject: (80) Probably porn spam" :0fh * ^Subject: \[¼ºÀα¤°í\] | formail -A "X-Reject: (100) Korean spam subject" # Only spammers send pure HTML email (regrettably not as true as it used to be) :0fh * ^Content-Type: text/html | formail -A "X-Reject: (35) Pure HTML mail, not multi-part" :0fh * ^(From|Reply-To):.*@btamail.net.cn | formail -A "X-Reject: (80) btamail.net.cn spamhaus sender or reply address" :0fh * ^Received: from QRJATYDI[ ] | formail -A "X-Reject: (100) 
QRJATYDI spammer signature" :0fh * ^Received: from mi-ro[ ] | formail -A "X-Reject: (100) mi-ro spammer signature" :0fh * ^Received: from huook[ ] | formail -A "X-Reject: (100) huook spammer signature" :0fh * ^Received: from (Wi-Wo|wo-wi)[ ] | formail -A "X-Reject: (100) wo-wi spammer signature" :0fh * ^Received: from 0[ ] | formail -A "X-Reject: (100) '0' spammer signature" :0fh * ^Received: from PDAPC[ ] | formail -A "X-Reject: (100) PDAPC spammer signature" :0fh * ^Received: from [0-9]+\.plasticator7\.com | formail -A "X-Reject: (80) plasticator7 porn spam signature" :0fh * -100^0 * 100^0 %RND_UC_CHAR * 100^0 %CUSTOM_IP | formail -A "X-Reject: (100) Stupid spammer signature" # ==================== # Start of body checks # ==================== :0 *!^X-Accept: Abuse response$ { :0fBh * Sent by UNREGISTERED VERSION of * www\.massmailsoftware\.com | formail -A "X-Reject: (80) Atomic Mail Sender spamware" :0fhB * http://(.*@)?[0-9]+(:[0-9]+)?[/"]|http://(.*@)?[0-9]+$ | formail -A "X-Reject: (100) Spamvertised website with single-number IP address" :0fhB * http://(.*@)?0[0-7]+\.0[0-7]+\.0[0-7]+\.0[0-7]+ | formail -A "X-Reject: (100) Spamvertised website with octal IP address" :0fhB * @btamail\.?net\.cn | formail -A "X-Reject: (100) Spamvertised btamail.net.cn drop box" :0fhB * @centralmailer\.com | formail -A "X-Reject: (100) Spamvertised centralmailer.com drop box" :0fhB * action=(3D)?"?mailto: | formail -A "X-Reject: (50) Mail contains form with mailto: action" :0fhB * http://([a-z0-9]*@)?(207\.200\.89\.228/fwd/nrpusrws/|\ info\.netscape\.com/fwd/|\ 206\.132\.132\.127/\?ref=abcsrch_home|\ app.4anything.com/r/|\ my\.lycos\.com/nn\.asp\?|\ 209\.202\.221\.13/r/|\ 206\.65\.183\.140/click|\ click\.lycos\.com/director\.asp|\ transfer\.go\.com/cgi/transfer\.pl|\ www\.looksmart\.com(\.au)?/cgi-bin/go/|\ 211\.51\.63\.182/g/to\?u=http://|\ www[0-9]?\.overture\.com/d/sr\?url=|\ 64\.12\.180\.19/redir\.a[ds]p|\ r\.hotbot\.com/r/|\ click\.hotbot\.com/director\.asp\?|\ 
ads\.monster\.com/event\.ng/|\ (gd[0-9]+|ln)\.doubleclick\.net/click|\ ads[0-9]+\.webwombat\.com\.au/Click|\ search\.aol\.com\.au/redir\.adp|\ www\.aol\.com/ams/clickThruRedirect\.adp\?|\ r\.aol\.com/cgi/redir|\ ar\.atwola\.com/redir/|\ btrack\.iwon\.com/r\.pl\?redir|\ www\.google\.com/url\?|\ redirect-[a-z]+\.inktomi\.com/click) | formail -A "X-Reject: (100) Redirector abuse" :0 *!^X-Originating-IP: \[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\] *!^X-Originating-Email: \[[a-z][a-z0-9_]+@(hotmail|msn)\.com\] { :0fhB * http://([a-z0-9]*@)?(g\.msn\.com/|\ ads\.msn\.com/ads/adredir\.asp\?.*url=|\ shopping\.msn\.com/trackurl\.asp) | formail -A "X-Reject: (100) MSN redirector abuse" } :0fBHh *!^Received: from \[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\] by web[0-9]+\.mail\.((mud|ukl)\.)?yahoo\.com via HTTP; *!^From:.*@(reply\.yahoo|yahoo-inc)\.com * http://([a-z0-9-]*@)?(us\.)?(s?rd|drs|rds|r[0-9]+\.us\.rmi|click\.shopping)\.yahoo\.com/ *! http://([a-z0-9-]*@)?(us\.)?(s?rd|drs|rds|r[0-9]+\.us\.rmi|click\.shopping)\.yahoo\.com/mail/.*/taglines/ | formail -A "X-Reject: (100) Yahoo redirector abuse" :0fBh * http://wwp\.icq\.com/whitepages/page_me/ | formail -A "X-Reject: (30) ICQ pager link" :0fBhA * [<]form.*action="?http://wwp\.icq\.com/ | formail -A "X-Reject: (70) ICQ pager form" :0fBh * ^Charles M\. 
Gillette$MortCorp, LLC$ | formail -A "X-Reject: (100) MortCorp mortgage spam" :0fBh * http://((..|www)\.geocities\.com|geocities\.yahoo\.com\...)/ | formail -A "X-Reject: (80) geocities.com URL" :0fBh * http://[a-z0-9]+\.tripod\.com | formail -A "X-Reject: (80) tripod.com URL" :0fBHh * -99^0 * 100^0 timepiece shop * 100^0 our.* replica (watches|timekeepers|timepieces) * 100^0 our replica watches * 100^0 Our world renowned timekeepers * 100^0 Our selection of timepieces * 100^0 wrist (accessories|clock) * 100^0 purchase your time piece * 100^0 swiss duplicate * 100^0 time-monitoring item * 100^0 (exclusive|fabulous) chronometer * 100^0 ica-watches * 100^0 watch-jewelry * 100^0 Watch Replica * 50^0 these top-notch imitations * 50^0 absolutely like the branded ones * 20^0 watches | formail -A "X-Reject: (100) Fake watch spam" :0fBh * -100^0 * 100^0 Save our Sales Newsletter * 80^0 0870[ -]429[ -]609[345] * 50^0 \ * 50^0 www\.koach\.info * 50^0 koachlistmanager * 50^0 attitudinal sales coaching * 50^0 Power (motivation|selling) * 20^0 cold calling | formail -A "X-Reject: (100) Koach power selling spam" :0fBh * -100^0 * 100^0 Move the name \& address in REPORT * 100^0 PIPS is a no fail system * 80^0 THE BEST MONEY MAKING SYSTEM OF ALL TIME * 80^0 Let's say that you decide to start small * 80^0 A one time investment of [$]25 * 80^0 CASH HIDDEN IN HIS CLOSET * 80^0 A [A-Z]* based home business that (delivers|really works) * 50^0 The Insider's Guide To Advertising for Free * 50^0 The Insider's Guide To Sending Bulk Email * 50^0 Secret To Multilevel Marketing * 50^0 How To Become A Millionaire (Using|Utilizing) MLM * 50^0 How To Send Out One Million Emails * 50^0 prohibiting the participation in the program * 50^0 I followed the simple instructions and viola * 50^0 Order all 5 reports * 50^0 send bulk emails legally * 50^0 opened the bag and found it was full of cash * 50^0 it was completely legal according to * 50^0 Cebu( City)?, Philippines, 6000 * 50^0 achieve financial 
freedom * 25^0 AS SEEN ON NATIONAL TV * 25^0 there are multiple options you can be effective with * 25^0 Pam Hedland * 25^0 Fred Dellaca * 25^0 Mitchell Wolf | formail -A "X-Reject: (100) MMF pyramid scam" :0fBh * -100^0 * 80^0 www\.senate\.gov/[~#]murkowski/ * 80^0 H\.R\.[ ]*3113 * 80^0 (S\.?|Senate Bill)[ ]*1618 * 80^0 pending Anti-Spam law * 80^0 New Email Bill * 80^0 passed by the 105th (US )?Congress * 80^0 cannot be considered Spam * 80^0 this is not considered Spam * 50^0 SECTION 301 * 50^0 [(]a[)][(]2[)][(]C[)] * 50^0 (CAN[- ]SPAM|Electronic Mail) Act * 50^0 (Further|all) transmissions? (from me )?to you * 50^0 may be stopped at no cost * 50^0 Screening of addresses * 50^0 may constitute an advertisement * 40^0 (mail|message|e-?mail( ad)?) (is( being)?|has been) sent in (full )?(accordance|compliance) * 40^0 a way of removal * 50^0 to be (removed|taken off this list) * 20^0 TITLE (III|#3) * 20^0 You have been sent this email because | formail -A "X-Reject: (100) Murk disclaimer" :0fBh * -100^0 * 100^0 (bank|home) l\.o\.a\.n | formail -A "X-Reject: (100) Clear spam signature" :0fBh * -100^0 * 101^0 We (are )?strongly (oppose the|against) (use|(continued )?sending) (of )?(SPAM|unsolicited|not requested) email * 101^0 We strive to never send unsolicited mail * 101^0 We comply with all proposed and current laws * 101^0 We respect your online time and privacy * 101^0 (This |E-?)mail is (never|not) sent unsolicited * 101^0 You have not been added to an e.mail list * 101^0 This (letter )?is not? (an? )?([<][ubi][>])?("?SPAM"?|unsolicited email|UCE) * 101^0 We honou?r (any and )?ALL remove requests * 101^0 you will never receive another email from us * 101^0 This email has been screened and filtered by * 101^0 independent 3rd party to administer our list management * 101^0 send(ing)? an e-?mail with "REMOVE" * 101^0 ['"]?REMOVE['"]? 
in the subject * 101^0 reply to this email ((with the word|putting) "?REMOVE|for permanent removal) * 101^0 apologize for any email you may have inadvertently received * 101^0 We apologize for any email you may have inadvertently * 101^0 We hope you have enjoyed receiving this message * 101^0 We keep a recore?d of all newsletter registrants * 101^0 you have received this email because you subscribed to our newsletter * 101^0 You are receiving this email as a subscriber to the eNetwork mailing list * 101^0 you have requested to receive free adult offers * 101^0 you opted-in by requesting information * 101^0 (posted an AD|a message) to my FFA (page|site) * 101^0 portals or FFA sites * 101^0 If you have been added to this list by mistake * 101^0 If you rece?ived this (e-?mail )?in error * 101^0 To be REMOVED( from (this|our|further) (mailing)? ?(lists?)?)?,? (simply|just|please) (click|visit|reply|e-?mail) * 101^0 To remove yourself( from all further mailings|, please hit reply) * 101^0 This is not intended for anyone under 18 years old * 101^0 This (message )?is (a )?one time (email|mailing|notice) * 101^0 This message will only be sent once * 101^0 We will not intentionally email you again * 101^0 Transmissions to you by the sender * 101^0 to be (automatically )?(blocked|removed) from (our database|(any )?future mailings) * 101^0 this is NOT a get-rich-quick-scheme * 101^0 ALL clients not honoring remove requests will be terminated * 101^0 If there has been any inconvenience we apologize * 101^0 All unsubscribe and remove requests will be cheerfully processed * 101^0 You will be removed (immediately|automatically|instantly) * 101^0 Click here for REMOVAL * 101^0 this mailing conforms to all federal laws * 101^0 click below and send us an opt-out request email * 101^0 We (honor|respect) all remov(e|al request)s * 101^0 To be added to our global remove list * 101^0 We do apologize (to )?you for this spam * 101^0 We are sorry if you got this e-mail by accident * 101^0 
Not intended for (recipients or )?residents of * 101^0 Push button below to be REMOVED * 101^0 permanently block further contact from us * 101^0 To avoid receiving this again, e-?mail * 101^0 To never recieve another email from us again * 101^0 si no desea recibir informaci.n escriba REMOVER * 101^0 someone may have used your email address * 101^0 Increase your sales by ([3-9]|[1-9][0-9]+)[0-9][0-9]% * 101^0 This is a Mail\.it opt-in publication * 101^0 RewardShoppers only sends solicited email * 101^0 it is not our intention to send you unsolicited e-?mail * 101^0 Screening of addresses has been done to the best of our ability * 101^0 Your (name|address) was purchased as an opt-?in * 101^0 Your privacy is extremely important to us * 101^0 WE HAVE EITHER EXCHANGEd? MESSAGES IN THE PAST OR WE ARE ON THE SAME LIST * 101^0 We will be only too happy to take you off our mailing list * 101^0 Complete opting-out system located at website * 101^0 Th(e|is) link (below )?is for (those|people) (that|who) hate (spam|these emails) * 101^0 You are not on a list * 101^0 Communic8te respects your privacy * 101^0 Communic8te works soley in the business to business marketplace * 101^0 communications are targeted to business users only * 101^0 I looked at your profile and thought I would contact you * 101^0 you are part of Our Opt-in Database * 101^0 you subscribed to The PennyStock E-zine * 101^0 wr[0o]ngfu[l|][l|]y p[l|]aced in [0o]ur membership * 101^0 Bigcomps\.com never sends unsolicited email * 101^0 To 0pt-0ut of this adv., click the link at the left side of our website * 101^0 or opted in to one of my websites * 101^0 Expell yourself from other distributions * 101^0 hau?lt receiving more * 101^0 Double opted in Subscribers DAILY | formail -A "X-Reject: (100) Spammer lies disclaimer" :0fBh * -100^0 * 101^0 sent to you as non opt-in subscriber * 101^0 Emails requesting removal will not be processed * 101^0 MULTI-LEVEL MARKETING IS A HUGE MISTAKE FOR MOST PEOPLE * 101^0 Your 
email address was obtained from a purchased list * 101^0 We are an Internet Advertising Company * 101^0 This is an unsolicited advertisement * 101^0 This message is sent in compliance with the CAN-SPAM Act 2003 * 101^0 You have been added to my mailing list * 101^0 this is a comm?ercial message | formail -A "X-Reject: (100) Honest spammer signature" :0fBh * -100^0 * 101^0 Innovation Marketing Global Group * 101^0 AAW Marketing Rewards * 101^0 The Opt-In Network * 101^0 (iREWARDSTECH|Opt-In (America|USA?)) Mailing List * 101^0 E-mailed by egypt ?cat * 101^0 Prant Real Estate Group * 101^0 win65\.com * 101^0 www\.emailmovers\.com * 101^0 sent to you by Direct Fax and Email Marketing Ltd * 101^0 monako-gp\.com * 101^0 Jalert\.net | formail -A "X-Reject: (100) Spammers with no shame" :0fBh * -100^0 * 101^0 I am coming to your place in few weeks * 101^0 I found your email somewhere | formail -A "X-Reject: (100) Lying spammer" :0fBh * -100^0 * 101^0 www\.([0-9]\.)?removed?you\.(com|org) * 101^0 www\.autoemailremoval\.com * 101^0 www\.autoremove\.com * 101^0 www\.worldremove\.com * 101^0 www\.globalremoveme\.info * 101^0 (www\.|@)easynameremoval\.com * 101^0 www\.bulkemailcds\.com * 101^0 www\.sendmessage\.org * 101^0 mortgageontheweb\.net * 101^0 www\.adult-life\.com * 101^0 www\.shopoutlets\.org * 101^0 www\.sourcenews\.net * 101^0 www\.stopitall\.com * 101^0 www\.e-mps\.org * 101^0 www\.seekeasysoft\.net * 101^0 www\.design54\.com * 101^0 quickremoval\.hk\.st * 101^0 removed\.email-list\.net * 101^0 www\.unsubscribesystem\.com * 101^0 www\.marketingmission\.net * 101^0 remove\.direct2you\.bz * 101^0 www\.centralremovalservice\.com * 101^0 www\.removeyourself\.net * 101^0 www\.subscribemepro\.com * 101^0 www\.webcondos\.net * 101^0 www\.refree\.com * 101^0 www\.zhoster\.com * 101^0 mailtrain\.59i\.net * 101^0 preference\.the-dma\.org * 101^0 antispamcenter\.org * 101^0 www\.cottondream\.com * 101^0 www\.email-offers-direct\.com * 101^0 [a-z0-9]+\.remove-my-email\.com * 
101^0 unsubscribe-mail\.com * 101^0 www\.hotresponders\.com * 101^0 www\.removethisemail\.com * 101^0 www\.approvedenlargement\.com\.ar * 101^0 www\.removes-here.com\.ar * 101^0 www\.getoffmylist\.com * 101^0 www\.mailbuilder\.co\.uk * 101^0 www\.yourdomain\.com * 101^0 online-internet-deals\.com * 101^0 satisfiedquicklinks\.com * 101^0 greatnewoffers\.net * 101^0 www\.netoffersforyou\.com * 101^0 www\.insurancepad\.com * 101^0 remove\.up\.co\.il * 101^0 remove=2Eup=2Eco=2Eil * 101^0 www\.gosuccess\.net * 101^0 www\.vmdirect\.com * 101^0 response\.pure360\.com | formail -A "X-Reject: (100) removeyou.com or similar" :0fBh * -100^0 * 100^0 U ?n ?i ?v ?e ?r ?s ?a ?l ? ?A ?d ?v ?e ?r ?t ?i ?s ?i ?n ?g ? ?S ?y ?s ?t ?e ?m ?s * 100^0 C ?e ?n ?t ?r ?a ?l ? ?D ?B ? ?R ?e ?m ?o ?v ?a ?l * 100^0 1 ?- ?8 ?8 ?8 ?- ?6 ?0 ?5 ?- ?2 ?4 ?8 ?5 * 80^0 T ?h ?i ?s ? ?a ?d ? ?i ?s ? ?p ?r ?o ?d ?u ?c ?e ?d ? ?a ?n ?d ? ?s ?e ?n ?t ? ?o ?u ?t ? ?b ?y * 80^0 T ?h ?i ?s ? ?a ?d ? ?i ?s ? ?p ?r ?o ?d ?u ?c ?e ?d ? ?a ?n ?d ? ?c ?o ?m ?m ?u ?n ?i ?c ?a ?t ?e ?d ? ?b ?y * 80^0 T ?o ? ?b ?e ? ?r ?e ?m ?o ?v ?e ?d ? ?f ?r ?o ?m ? ?o ?u ?r ? ?m ?a ?i ?l ?i ?n ?g ? ?l ?i ?s ?t * 80^0 T ?o ? ?b ?e ? ?e ?x ?c ?l ?u ?d ?e ?d ? ?f ?r ?o ?m ? ?o ?u ?r ? ?m ?a ?i ?l ?i ?n ?g ? ?l ?i ?s ?t * 80^0 T ?o ? ?s ?t ?o ?p ? ?r ?e ?c ?e ?i ?v ?i ?n ?g ? ?o ?u ?r ? ?a ?d ?s * 80^0 w ?i ?t ?h ? ?r ?e ?m ?o ?v ?e ? ?i ?n ? ?t ?h ?e ? ?s ?u ?b ?j ?e ?c ?t ? ?l ?i ?n ?e * 80^0 ^UAS ?, * 40^0 O ?r ?a ?n *[gj] ?e ?s ?t ?a ?d ?, ? ?A ?r *u ?b ?a * 40^0 P ?O ? ?B ?(o ?x ?)? 
?1 ?2 ?0 ?0 | formail -A "X-Reject: (100) Universal Advertising Systems signature" :0fBh * -2^0 * 5^0 011-871-762336687 * 5^0 161 876 444[78] * 5^0 203 286 2403 * 5^0 [(]203[)] ?- ?467-5378 * 5^0 203\.645\.1596 * 5^0 206-202-1674 * 5^0 206-202-2443 * 5^0 206-202-3781 * 5^0 206-202-4570 * 5^0 206-202-8213 * 5^0 206-309-0461 * 5^0 206-309-0673 * 5^0 206-333-0497 * 5^0 206-337-0293 * 5^0 206-338-5523 * 5^0 206-338-6061 * 5^0 206-339-2743 * 5^0 206-339-6098 * 5^0 206-339-6620 * 5^0 206 *- *350 *- *3737 * 5^0 206-350-5982 * 5^0 206-350-7325 * 5^0 206-600-4655 * 5^0 206-666-2843 * 5^0 206-666-6501 * 5^0 206-984-0106 * 5^0 206-984-0480 * 5^0 206-984-1178 * 5^0 206.*984-1705 * 5^0 2,?0,?6,?-?984-2327 * 5^0 206-984-4304 * 5^0 207-338-5653 * 5^0 [(]208[)] 330-0093 * 5^0 [(]208[)] 474-3603 * 5^0 209-729-5800 * 5^0 212-461-2982 * 5^0 2 ?1 ?2 ?- ?4 ?7 ?9 ?- ?0 ?8 ?0 ?1 * 5^0 212 - 479 - 0870 * 5^0 212-629-1772 * 5^0 212 *629 *1971 * 5^0 212-631-4255 * 5^0 212-714-8339 * 5^0 [(]212[)] 894-3749 * 5^0 [(]213[)] 213 ?- ?2311 * 5^0 214-346-2192 * 5^0 2 ?1 ?4 ?- ?7 ?6 ?4 ?- ?3 ?3 ?1 ?7 * 5^0 214-853-4357 * 5^0 240-250-2646 * 5^0 240-371-0672 * 5^0 248[.-]691[.-]4433 * 5^0 250-381-4822 * 5^0 251-650-1616 * 5^0 253-484-7375 * 5^0 253[)]?[ -]660[.-]1235 * 5^0 [(]260[)]846-2507 * 5^0 267-960-5372 * 5^0 281-497-0700 * 5^0 281-500-4018 * 5^0 302-689-4384 * 5^0 303-223-6022 * 5^0 303-600-9514 * 5^0 303-660-5650 * 5^0 303-922-0098 * 5^0 305-371-7144 * 5^0 305-460-3330 * 5^0 308-650-5905 * 5^0 309-276-9964 * 5^0 309-404-0999 * 5^0 309-407-7378 * 5^0 [(]309[)]424-8954 * 5^0 310 282-8217 * 5^0 3[ -]*1[ -]*0[ -]*8[ -]*4[ -]*2[ -]*3[ -]*5[ -]*2[ -]*1 * 5^0 [(]310[)] 858-5700 * 5^0 312-209-7399 * 5^0 3 ?1 ?2 ?- ?6 ?8 ?3 ?- ?5 ?2 ?0 ?5 * 5^0 312-788-2165 * 5^0 312-896-5854 * 5^0 319-279-1000 * 5^0 347-710-1776 * 5^0 [(]323[)]281-2687 * 5^0 323-651-9849 * 5^0 360-242-9913 * 5^0 401-427-2100 * 5^0 402-597-4111 * 5^0 402-951-5501 * 5^0 403-934-6061 * 5^0 404-371-8468 * 5^0 [(]407[)] 210-2001 * 5^0 4 
?1 ?2 ?- ?2 ?9 ?1 ?- ?1 ?5 ?1 ?5 * 5^0 415-366-1508 * 5^0 416-410-2136 * 5^0 416-410-2840 * 5^0 [(]416[)] 410-9364 * 5^0 [(]416[)]-467-8986 * 5^0 416-696-2339 * 5^0 416-715-2961 * 5^0 443-659-0730 * 5^0 450-224-(9275|ybrl) * 5^0 450-465-5597 * 5^0 450-465-8144 * 5^0 [(]450[)] 923-3041 * 5^0 [(]450[)] 923-5944 * 5^0 484-693-8861 * 5^0 501\.632\.2606 * 5^0 503-342-5501 * 5^0 503-345-9177 * 5^0 503-345-9235 * 5^0 513-941-9929 * 5^0 514-245-1831 * 5^0 [(]?514[)]?[ -]907[ -]3266 * 5^0 514-355-0001 * 5^0 520-844-1041 * 5^0 561-742-5932 * 5^0 602-230-4252 * 5^0 602-640-0095 * 5^0 6 ?0 ?2 ?- ?7 ?9 ?8 ?- ?7 ?6 ?9 ?0 * 5^0 603-629-4880 * 5^0 603-962-8501 * 5^0 6 ?1 ?0 ?- ?9 ?4 ?4 ?- ?8 ?3 ?8 ?2 * 5^0 615-366-7803 * 5^0 617-825-4555 * 5^0 618-355-1776 * 5^0 623-974-2295 * 5^0 626-440-1747 * 5^0 630-372-5109 * 5^0 630-604-1030 * 5^0 631-967-1514 * 5^0 641-456-3544 * 5^0 6 ?4 ?6 ?- ?2 ?1 ?8 ?- ?1 ?2 ?0 ?0 * 5^0 646-304-7908 * 5^0 646-304-8665 * 5^0 646-619-4181 * 5^0 661-244-4903 * 5^0 661-252-6028 * 5^0 702-552-4415 * 5^0 [(]702[)] 921 6618 * 5^0 702-995-8599 * 5^0 707.*924-0923 * 5^0 713-866-8869 * 5^0 713-867-3477 * 5^0 7 ?1 ?3 ?- ?8 ?6 ?7 ?- ?7 ?9 ?5 ?0 * 5^0 7I8\.208\.42l3 * 5^0 716[)]?[- .]812[- .]2144 * 5^0 717-754-9728 * 5^0 718-208-4213 * 5^0 719-661-3442 * 5^0 720-300-0445 * 5^0 732-751-1457 * 5^0 760-632-7770 * 5^0 7 ?7 ?0 ?- ?2 ?3 ?4 ?- ?5 ?2 ?0 ?4 * 5^0 770-441-3656 * 5^0 770-441-3693 * 5^0 770-492-29(2[57]|96) * 5^0 770-621-4619 * 5^0 775-254-5783 * 5^0 775-258-2895 * 5^0 775 *490 *9881 * 5^0 775-667-3239 * 5^0 775-806-7438 * 5^0 800-206-3934 * 5^0 800-222-3876 * 5^0 800-236-8953 * 5^0 800[-.]242[-.]0363 * 5^0 800-243-4146 * 5^0 800-263-2596 * 5^0 800-278-2170 * 5^0 800-279-1555 * 5^0 [(]?800[)]?[ -]320[ -]9895 * 5^0 800-345-9708 * 5^0 800-359-8336 * 5^0 800-363-1282 * 5^0 800-363-6755 * 5^0 800-372-3141 * 5^0 800-378-1835 * 5^0 800-383-2916 * 5^0 800-397-9999 * 5^0 800\.458\.0809 * 5^0 800-475-3539 * 5^0 800 507-9921 * 5^0 800 516-2725 * 5^0 800-533-9350 * 5^0 
800-535-8997 * 5^0 800\.561\.MCSE * 5^0 800-570-2031 * 5^0 800-587-9046 * 5^0 800-600-5113 * 5^0 800[ -]637-3656 * 5^0 800-705-3397 * 5^0 800-761-4611 * 5^0 800-767-5874 * 5^0 800-798-0808 * 5^0 800-804-4352 * 5^0 800-841-9056 * 5^0 800-877-1978 * 5^0 800-892-5237 * 5^0 800-934-3473 * 5^0 [(]800[)] 944-5004 * 5^0 800-987-6978 * 5^0 800-USA-LEND * 5^0 801-296-4140 * 5^0 801-397-9010 * 5^0 801 469 9957 * 5^0 801-684-6085 * 5^0 804-780-2352 * 5^0 813-436-5335 * 5^0 817-740-5673 * 5^0 818 783-3588 * 5^0 [(]832[)]-476-8949 * 5^0 852 2385 8708 * 5^0 852 2385 8148 * 5^0 [(]866[)] 206-9068 * 5^0 866-473-8446 * 5^0 866-537-6334 * 5^0 866-386-5868 * 5^0 866-667-5399 * 5^0 [(]866[)] 692-9463 * 5^0 877-295-9196 * 5^0 877 306 6599 * 5^0 877-407-3071 * 5^0 877-467-2636 * 5^0 877-588-2166 * 5^0 877-689-4711 * 5^0 877-798-8717 * 5^0 877-800-5085 * 5^0 877-804-5625 * 5^0 877-805-0343 * 5^0 877-806-6810 * 5^0 877-872-1976 * 5^0 888 238 3164 * 5^0 888-244-3824 * 5^0 888-248-4550 * 5^0 888-248-4930 * 5^0 888-248-6505 * 5^0 8[ -]*8[ -]*8[ -]*2[ -]*4[ -]*8[ -]*7[ -]*0[ -]*9[ -]*3 * 5^0 888-288-9043 * 5^0 888-315-4487 * 5^0 888-316-9167 * 5^0 888-425-6788 * 5^0 888-478-3399 * 5^0 888-538-0507 * 5^0 8[.]?8[.]?8-*605-*2485 * 5^0 888-628-2967 * 5^0 888\.680\.3991 * 5^0 888-751-9059 * 5^0 888-763-2497 * 5^0 888-800-6339 * 5^0 888-8-COM-PRO * 5^0 888-826-8933 * 5^0 888-831-1563 * 5^0 [(]888[)] 846\.7266 * 5^0 888-858-6078 * 5^0 [(]?888[)]?( ?-)? 
?729 ?- ?8976 * 5^0 888-977-1577 * 5^0 905-751-0199 * 5^0 905-751-0919 * 5^0 905-974-1876 * 5^0 908-996-0734 * 5^0 916\.482\.5888 * 5^0 916.644.6692 * 5^0 917-591-5070 * 5^0 917-591-5100 * 5^0 928-832-5344 * 5^0 952\.835\.3921 * 5^0 954 340 1628 * 5^0 954 340 1917 * 5^0 954-648-4477 * 5^0 [(]9 ?5 ?4[)] 7 ?5 ?3 ?- ?2 ?8 ?4 ?6 * 5^0 [(]954[)] 782-8808 * 5^0 970-289-6524 * 5^0 970 375\.2400 * 5^0 972\.934\.9555 * 5^0 01274 783391 * 5^0 01473 417200 * 5^0 1481 720 294 * 5^0 1481 720 317 * 5^0 01782-268478 * 5^0 01932-355988 * 5^0 01942 204073 * 5^0 02076813733 * 5^0 0755-3670000 * 5^0 0755-3670990 * 5^0 07968 112704 * 5^0 0800 652 6627 * 5^0 08450 654321 * 5^0 0845 226 7181 * 5^0 0845 658 0036 * 5^0 0870 068 0700 * 5^0 0870 345 6[78]00 * 5^0 0870 7419121 * 5^0 0870 744 ?7019 * 5^0 0870 922 0584 * 5^0 0871 550 6800 * 5^0 0871 872 3731 * 5^0 0906 403 8796 * 5^0 0906 6421001 * 5^0 [+]2 [(]02[)] 3047526 * 5^0 [+]2 [(]02[)] 3452788 * 5^0 [+]2 [(]010[)] 1761076 * 5^0 0020101708270 * 5^0 0020122302683 * 5^0 015-13-3507-4524 * 5^0 20 2 303700[45] * 5^0 021-78843143 * 5^0 021-9125018 * 5^0 021-9238218 * 5^0 31 613444976 * 5^0 31-615-356-364 * 5^0 31 624657950 * 5^0 31 625413542 * 5^0 31-625-433-679 * 5^0 31-645-228-892 * 5^0 33 478 220 606 * 5^0 39\.041\.520\.8722 * 5^0 39\.041\.520\.8913 * 5^0 41 1 274 2793 * 5^0 44 208 458 5966 * 5^0 050 +3543858 * 5^0 050 +8494688 * 5^0 55 11 3145-8000 * 5^0 86-765-8839600 * 5^0 86-13008328236 * 5^0 86-23-67635035 * 5^0 86-23-67732102 * 5^0 86-372-2959157 * 5^0 86 571 8510 6851 * 5^0 88216 ?52098236 * 5^0 92 432 274561 * 5^0 92 432 540359 * 5^0 92 432 543281 * 5^0 92 432 586746 * 5^0 2 1 4 - 8 5 3 - 4 3 5 7 * 5^0 225 07 53 98 25 * 5^0 228-919-1504 * 5^0 234[ -]1[ -]759[ -]?1519 * 5^0 234[ -]1[ -]759[ -]?4484 * 5^0 234[ -]1[ -]759[ -]?4558 * 5^0 234[ -]1[ -]759[ -]?7127 * 5^0 234[ -]1[ -]759[ -]?8018 * 5^0 234[ -]1[ -]775[ -]?7708 * 5^0 234[ -]1[ -]775[ -]?9407 * 5^0 234[ -]1[ -]775[- 7]5403 * 5^0 234-1-776 1459 * 5^0 234-803-7256320 * 5^0 
234-803-7263120 * 5^0 234-1-8033282797 * 5^0 234-1-804 4830 * 5^0 873- ?7625 3373[01] * 5^0 874 ?- ?762 ?-? ?102521 * 5^0 874 ?- ?762 ?-? ?86416[78] * 5^0 874 ?- ?762 ?-? ?918-?98[56] * 5^0 882-164-6686022 * 5^0 [(]2010[)] 1761076 * 5^0 [+]2010 *176 *10 *76 * 3^0 7000320 * 3^0 7004315 * 5^0 0101170182 | formail -A "X-Reject: (100) Known spammer telephone number in message body" :0fBh * ^(Below is the result of your feedback form|\ Hier das Ergebnis der Formulareingabe|\ Veja abaixo as informaes enviadas por|\ Das Ergebnis der eMail Abfrage|\ Voici le résultat du formulaire envoyé|\ Voici les données du formulaire de saisie|\ Onderstaand is het resultaat van het invulformulier welke|\ Abaixo o resultado do preenchimento do Formulario|\ Unten finden Sie die Daten Ihres Feedback-Formulars|\ Dados enviados atraves de formulario por|\ Sie erhalten das Ergebnis Ihres Feedback-Formulars) | formail -A "X-Reject: (100) formmail.pl exploit" :0fBh * Diplomas from prestigious non-accredited universities | formail -A "X-Reject: (100) Fake diploma spam" :0fBh * ^Proudly powered by Subscribe Me Lite | formail -A "X-Reject: (80) Subscribe Me Lite does not support confirmed opt-in" :0 * ^Content-Type:.*multipart/alternative { :0fBh * ^Content-Type:.*text/html *!^Content-Type:.*text/(plain|enriched) | formail -A "X-Reject: (80) Multipart/alternative mail with only an HTML part" } :0 * ^Content-Type: multipart/related; { :0fBh * ^Content-Type: text/plain;$[ ]*charset="us-ascii"$Content-Transfer-Encoding: 7bit$$Get a capable html e-mailer$ | formail -A "X-Reject: (100) Spammer doesn't get the concept of multipart/related" } :0 * ^Content-Type: (text/html|multipart/) { :0fBh * -10^0 * 1^1 [<]!--.*--[>] * -20^1 [<]!-- *This table was automatically created * -20^1 [<]!-- (NAV Content Object|ENDIF__) * -20^1 SECTION--[>] * -20^1 [<]!-- *(header|footer|content|table|boxes) * -20^1 [<]!-- (begin|end) separator line * -20^1 [<]!-- .* paste the * -10^1 [<]!-- row [0-9]+ --[>] | formail -A 
"X-Reject: (100) HTML comments used to obfuscate spam message" :0fBh * -30^0 * 1^1 ?[0-9][0-9]; * -1^1 £ * 30^1 href=["]?http | formail -A "X-Reject: (50) Excessive use of HTML character codes to obfuscate message" :0fBh * -4^0 * -1^1 [<](blockquote|center|select|option|strong|strike|noframes)[>] * 1^1 [<][a-z][a-z][a-z][a-z][a-z][a-z]+[>] * 1^1 [<]!-?[A-Z0-9]+ * -1^1 [<]!DOCTYPE * 1^1 [<][A-Z0-9]*[0-9]+[A-Z0-9]*[>] * -1^1 [<]H[0-9][>] * 1^1 [<]/o[>] * 1^1 �+[1-9][0-9]+; * 1^1 �+[1-9][0-9]+; * 1^1 [<]style [a-z0-9]+ [a-z0-9]+ [>][a-z]+[<]/style[ a-z0-9]*[>] * 5^0 [a-z0-9]href=["]?http:// | formail -A "X-Reject: (100) Bogus HTML used to obfuscate spam message" :0fBh * -2^0 * 1^1 [<]a[^>]*href=[^>]*[>] *[<]/a[>] | formail -A "X-Reject: (100) Empty HTML links to disguise spamvertised site" :0fBh * [A-Za-z]+=http://[^<>]+ [A-Za-z]+=http://[^<>]+ [A-Za-z]+=http:// | formail -A "X-Reject: (50) Multiple URLs in single HTML tag to disguise spamload" :0fBh * [<]a [^>]*[>][^A-Za-z0-9][<]/a[>] | formail -A "X-Reject: (50) Single-character in link text to disguise spamload" :0fBh * FONT color=["]?#ffffff["]? size=["]?1[^0-9] | formail -A "X-Reject: (100) Ultra-small white text trying to beat Bayesian filters" :0fBh * [<]html[>][<]font color=white[>] | formail -A "X-Reject: (100) White text trying to beat Bayesian filters" :0fBh * [<]font color=["]?#F[A-F]F[A-F]F[A-F]["]?[>] *![<](body|td|th) .*bgcolor= | formail -A "X-Reject: (50) Nearly-white text trying to beat Bayesian filters" } # Pill spam :0fBh * -99^0 * 100^0 these low cost health supplements * 100^0 enlarge your penis * 100^0 pill will enlarge it * 100^0 herbal solution * 100^0 revolution in medicine! 
* 100^0 Stop Overpaing for your Meddications | formail -A "X-Reject: (100) Pill spam" # Fake degree spam :0fBh * -99^0 * 100^0 prestigious non-accredited universit(y|ies) * 100^0 degrees earned from experience * 100^0 Call Now To Receive Your Diploma * 100^0 based on your present knowledge and life experience * 100^0 Turn prior learning experience into course credits * 100^0 Obtain the degree you deserve * 100^0 Genuine University Degree in [0-9-]* weeks | formail -A "X-Reject: (100) Fake degree spam" # Lotto scam :0fBh * -99^0 * 100^0 winning addresses were randomly selected from .* email addresses * 100^0 EURO LOTTO UK * 100^0 This is a final notice on your Lottery Award * 100^0 you have won the lottery in the 2nd category * 100^0 confidential (till|until) your claims? is processed * 100^0 as part of our security protocol to curb double claiming * 100^0 already been deposited with your email contact * 100^0 software email lottery * 100^0 International Lottery Code Number * 100^0 Worldwide loterr?ia * 100^0 Lottery Coordinator * 100^0 sweepstake (lottery )?co(\.|mpany) * 80^0 All prize funds must be claimed * 50^0 Email ticket number * 50^0 lucky email addresses * 50^0 computer ballot draw * 50^0 addresses are picked randomly * 50^0 selected randomly through a computer ballot * 40^0 you have (therefore )?been approved * 40^0 confidential from the public * 40^0 avoid risk of forfeiture * 30^0 Congratulations, you have just won yourself * 30^0 lottery agent | formail -A "X-Reject: (100) Lotto scam" # Spam requiring manual URL entry :0fBh * -99^0 * 100^0 copy the address below and paste in (. )?your (web.? 
)?b.?r.?o.?w.?s.?e.?r | formail -A "X-Reject: (100) Spam requiring manual URL entry" # Pump'n'dump stock scam :0fBh * -99^0 * 100^0 New Bull Buy Signal * 100^0 WallStreet (Alert|Pick Of The Week) * 100^0 Savv?y Investor alert * 100^0 Powerball International * 100^0 The (BottomLine|Einstein) Report * 100^0 intercontinental sends out public announcements * 100^0 Investment Times Alert Issues: * 100^0 R[0o]cket St[0o]ck Report * 100^0 Investor's World stock report * 100^0 F[o0]rw[a4]rd[- _]?[1|l][0o][0o]k[i1]ng[- _]st[a4]t[e3]m[e3]nts * 100^0 F ?o ?r ?w ?a ?r ?d[- ]?l ?o ?o ?k ?i ?n ?g ?s ?t ?a ?t ?e ?m ?e ?n ?ts * -200^0 Forward[- ]1ooking[- ]statements * -100^0 Securities Act * 100^0 Secur[1|i]t[1|i]es[ _]Act * -100^0 Securities Exchange Act * 100^0 Secur[1|i]t[1|i]es[ _]Exch[a4]nge[ _]Act * 100^0 Informati[0o]n within this emai[|l] c[0o]nt[a4]ins * -100^0 Information within this email contains * 100^0 this is our best stock pick * 100^0 St0ck * 100^0 stocck analysis * 100^0 sto ck for your attention * 100^0 Str0ng_Buy * 100^0 Buyer Alert: Very Strong * 100^0 Str[(][)]ng * 100^0 Penny StOcks * 100^0 Investment Newsletter All Rights Reserved * 100^0 [(]c[)] 200[0-9] Investment Newsletter * 100^0 lose all your m[o0]ney by investing in this st[o0]ck * 100^0 Last time we issued a watch we saw a [1-9][0-9]*% gain in 1 day of trading * 100^0 Remember the gains from our recent recommendations * 100^0 We issued a Investors Alert * 100^0 Explosive pick for our members * 100^0 This (one|stock) (is set to|will) explode * 100^0 Will explode in (the )?next [1-9] weeks * 100^0 Add this one to your investment portfolio * 100^0 a strong stock like this * 100^0 this (company|stock) is (brewing|ready to blow) * 100^0 this stock could (reach record highs|take off at any moment) * 100^0 Stock Traders Alert * 100^0 Smart Money Equities * 100^0 We focus on stocks that have great potential to move up in price * 100^0 This is a MUST Watch for all Investors * 100^0 GOOD LUCK . 
TRADE (OUT|AT) THE TOP * 100^0 Watch This One Trade * 80^0 Price Set To Jump Monday * 80^0 Our last pick gained * 80^0 This weeks pick * 80^0 BullReport * 80^0 Raging Bull LLC * 80^0 our stock picks * 80^0 We expect explosive growth * 80^0 This Is Going To Explode * 80^0 Best stock for Year * 80^0 When this Stock moves * 80^0 This really moved on (Mon|Tues|Wednes|Thurs|Fri)day * 80^0 We may sell this stock at any ?time without notice * 80^0 Status: Buy NOW * 80^0 ^(S ?t ? o ?c ?k|S ?y ?m ?b ?o ?l|T ?i ?c ?k ?e ?r) *: *{A-Z] ?{A-Z] ?{A-Z] ?{A-Z] *$ * 50^0 This Weeks Hot Pick is * 50^0 Watch This One (Trade\!|go higher and higher) * 50^0 Forward looking statements are based on * 50^0 this email contains ["]?forward looking statements * 50^0 stocks ready to explode * 50^0 check your current stock site * 50^0 Trading A|ert * 50^0 Our company has received .* shares of * 50^0 There is a big PR campaign running all weekend * 50^0 before the market takes notice * 30^0 Already started to climb * 50^0 not a registered broker/dealer * 50^0 Get In Now * 50^0 Investor Alert * 50^0 This one did very well during last marketing campaign * 20^0 Current Press Release * 50^0 shares in a profiled company * 50^0 ST0CK * 40^0 This profile is not a solicitation * 40^0 recommendation to buy * 40^0 market price of the stock * 40^0 based on assumptions rather than fact * 40^0 omissions of material fact * 40^0 carries a high degree of risk * 40^0 lose all or a portion of their investment * 40^0 distribution of this profile have been compensated * 40^0 our selling of a company stock * 40^0 negative effect on the market price of the stock * 40^0 could cause actual results or events to differ * 40^0 Big PR Campaign * 30^0 Securities Act * 30^0 it is at an all time low at the moment * 30^0 finance.yahoo.com * 30^0 Top Pick * 30^0 Current Price: * 30^0 Expected [0-9]+ day: * 30^0 [0-9]+[- ]Day (Target:|fore?cast) * 30^0 Short Term Target: [0-9.]+ * 30^0 Long Term Target: [0-9.]+ * 30^0 [0-9]+ day 
expected price * 20^0 Big News Expected [A-Z]+day * 20^0 Already started to climb * 20^0 current trading levels * 20^0 Company Overview * 20^0 ^Symbol: * 20^0 ^Price: | formail -A "X-Reject: (100) Pump'n'dump stock scam" }

# ==================
# End of body checks
# ==================

# Every recipe below is a filter (flag f) that pipes the header (flag h) through
# formail, which appends an X-Reject: line whose parenthesised number is the
# penalty for that test.

:0fh
* ^Reply-To: .*remove@
| formail -A "X-Reject: (50) Spammish Reply-To: address"

# Reply-To: containing an empty <> address.
:0fh
* ^Reply-To: .*[<][>]
| formail -A "X-Reject: (100) Bogus Reply-To: address"

# Received: lines in which the literal text "_by" sits next to a bracketed IP address.
:0fh
* ^Received: from ((.*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]_by by )|\
  (.* by_\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\].* by )|\
  (.* by .*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]_by ))
| formail -A "X-Reject: (100) Received: _by header forgery"

# Flag E: tried only when the recipe above did not fire. Looser variant in which
# an underscore joins a bracketed IP address to a host-like token.
:0fhE
* ^Received: from ((.*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]_[a-z0-9._-]+.* by )|\
  (.*[a-z0-9._-]+_\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\].* by )|\
  (.* by .*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]_[a-z0-9._-]+.* )|\
  (.* by .*[a-z0-9._-]+_\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]))
| formail -A "X-Reject: (80) Probable Received: _[address]_ header forgery"

:0fh
* ^From:.*Hotmail[A-Z0-9.-]*@yahoo
| formail -A "X-Reject: (100) Spammer impersonating hotmail member services"

# Character-set tests: each looks for the charset in a MIME-encoded Subject: or in
# the top-level Content-Type: header, and is skipped when the matching *_OK
# variable contains 1 (those variables are set outside this part of the file).
:0fh
* ^(Subject: .*=\?(big5|gb2312)\?[BQ]\?|Content-Type:.*charset="(big5|gb2312)")
*! CHINESE_OK ?? 1
| formail -A "X-Reject: (100) Chinese character set"

:0fh
* ^(Subject: .*=\?(windows-1255)\?[BQ]\?|Content-Type:.*charset="windows-1255")
*! HEBREW_OK ?? 1
| formail -A "X-Reject: (100) Hebrew character set"

:0fh
* ^(Subject: .*=\?(iso-2022-jp)\?[BQ]\?|Content-Type:.*charset="iso-2022-jp")
*! JAPANESE_OK ?? 1
| formail -A "X-Reject: (100) Japanese character set"

:0fh
* ^(Subject: .*=\?(ks_c_5601-1987|euc-kr)\?[BQ]\?|Content-Type:.*charset="(ks_c_5601-1987|euc-kr)")
*! KOREAN_OK ?? 1
| formail -A "X-Reject: (100) Korean character set"

:0fh
* ^(Subject: .*=\?(windows-1251)\?[BQ]\?|Content-Type:.*charset="windows-1251")
*! RUSSIAN_OK ?? 1
| formail -A "X-Reject: (100) Russian character set"

:0fh
* ^(Subject: .*=\?(UNKNOWN)\?[BQ]\?|Content-Type:.*charset="UNKNOWN")
| formail -A "X-Reject: (100) Sender doesn't know what character set mail is in - how should we know?"

# A literal, unfilled {THEBAT_...} placeholder left in the headers.
:0fh
* {THEBAT_[A-Z0-9_]*}
| formail -A "X-Reject: (100) Spammer not using ratware properly"

# Flag D makes the match case-sensitive: multipart/related mail whose Subject:
# consists only of lower-case letters and spaces.
:0fhD
* ^Content-Type: multipart/related;[ ]*type="multipart/alternative";[ ]*boundary="----=_NextPart_[0-9A-Z._]+"$
* ^Subject: [a-z ]+$
| formail -A "X-Reject: (100) GIF spammer with broken shift key"

# Subject lines used by PayPal-themed phishing mail.
:0fh
* ^(Subject: (PayPal Flagged Account|\
  Notification of Limited Account Access|\
  PayPal - Check your account|\
  .*PayPal.*(Limited Account Access|Account Suspended)|\
  PayPal Account Security Measures|\
  Update And Verify Your PayPal Account|\
  Account compromised:))
| formail -A "X-Reject: (100) PayPal phish"

# NOTE(review): the collapsed source is ambiguous here; read as two conditions
# (an X-AntiAbuse: header is present AND a bank name appears somewhere in the
# header) - confirm against the original file.
:0fh
* ^X-AntiAbuse:
* (Lloyds TSB|Barclays|HSBC|PayPal|Halifax|bank account)
| formail -A "X-Reject: (100) Banking phish using open web script"

# Weighted scoring over header and body (flags H and B). The score starts at -99
# and each phrase adds its weight once (exponent 0); the recipe fires when the
# total is positive, i.e. when the matched weights add up to 100 or more.
:0fBHh
* -99^0
* 100^0 accoun[lt]([<][^>]*[>])* from (a )?foreign IP add?ress
* 100^0 Your account has recently been accessed from a foreign country
* 100^0 a slight error in your billing information
* 100^0 identified some unusual activity in your account
* 100^0 failed login attempts? in your online banking account
* 100^0 you or someone had used your account from different locations
* 100^0 We recently noticed one or more attempts to log in to your
* 100^0 For security purpose, we are required to open an investigation into this
* 100^0 We are currently performing regular maintenance of security
* 100^0 We have reason to believe that your account was accessed by a third party
* 100^0 Your (eBay|PayPal) account has been violated
* 100^0 Your (eBay|Paypal) billing information records are out of date
* 100^0 Your address on our records is not valid
* 100^0 Amazon Safety Department
* 100^0 Your bank has contacted us regarding some suspicious activity
* 100^0 accessed by an unauthorized third party
* 100^0 account could be suspended if you don't (re-)?update
* 100^0 suspended if you don't update your billing information
* 100^0 any unverified account will be deleted from the system
* 100^0 security reasons we may have to close your account
* 100^0 account maintenance and verification
* 100^0 failure to update your records will
* 100^0 noticed that you experienced trouble logging into
* 100^0 illegal activities we noticed going on in your account
* 100^0 we will assume this account is fraudulent and will be suspended
* 100^0 our system found incompatible information
* 100^0 Due to some security protocol's
* 100^0 upgraded our new SSL servers
* 80^0 Suspension Notice!
* 80^0 Your account might be placed? on restricted status
* 80^0 require you to update your billing information
* 80^0 Failure to confirm your membership details will suspend you
* 80^0 suspend you from accessing your banking online
* 50^0 your account will be suspended for a period of
* 50^0 you are eligible to receive a tax refund of
* 50^0 submit the tax refund request and allow us
* 50^0 access the form for your tax refund
* 50^0 re-enter your personal information
* 50^0 please update your account information
* 50^0 http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/
* 20^0 Internal Revenue Service
| formail -A "X-Reject: (100) Phish"

# Same scoring scheme, body only (flag B): any one of these phrases is enough.
:0fBh
* -99^0
* 100^0 Your account will expire unless you will
* 100^0 sum large sum of money
* 100^0 able to acertain
| formail -A "X-Reject: (100) Illiterate phish"

# Body-only scoring for "payment processing agent" job offers; fires when the
# matched weights add up to 100 or more.
:0fBh
* -99^0
* 100^0 solidjob.org
* 100^0 Solid Job Company
* 100^0 Safe Sales Inc.
* 100^0 HQ Financing Inc.
* 100^0 MM Group Handling
* 100^0 Italy Representative Group
* 100^0 Job (Directions|Promotion) Inc
* 100^0 We help people to transfer their money all over the world
* 100^0 Our payments will be issued out in your name
* 100^0 100% legal job
* 100^0 financial operations including offering Your bank account
* 80^0 making payments through you
* 80^0 searching for representatives
* 50^0 I am.*(manag|market)ing director
* 50^0 We are searching for (reliable )?representatives
* 50^0 We need someone to work for the company as a representative
* 50^0 establish a medium of getting to our c[ou]st[ou]mers
* 50^0 negotiate (the|your) mode of which we will pay
* 50^0 we will pay for your services
* 50^0 this lucrative business with us
* 40^0 Be able to check your email several times a day
* 40^0 Should have personal/business bank account
* 40^0 Be able to respond to emails immediately
* 40^0 Be responsible and hard working
| formail -A "X-Reject: (100) Money-laundering scam"

# Look for Nigerian 419 scams:
# 1. Header check
:0fh
* ^Subject: ((URGENT[ /])?BUSINESS +(PROPOS(AL|ITION)|RELATIONSHIP)( [(]CONFIDENTIAL[)])?|URGENT (AND CONFIDENTIAL|ASSISTANCE))$
| formail -A "X-Reject: (100) Nigerian 419 scam subject"

# 2. Body check
# The score starts at -100, so the matched weights must total MORE than 100: a
# single 100-point phrase is not enough on its own, unlike the -99 recipes above.
# NOTE(review): this recipe has flag B only, so the "^X-Mailer: RLSP Mailer" line
# is looked for in the body, not the header - confirm that is intended.
:0fBh
* -100^0
* 100^0 General (Olusegun|Sann?i Abacha)
* 100^0 Chief (Omole|BAMUNGA SANGO|Bello Osagie|Bola Ige|Olusegun Obasanjo)
* 100^0 (PATRICE MILLER|JAMES CAMARA|FODAY SANKOH|Allan P\. Seaman|Henri Kembe Kabongo|Shimo Onlele|LAURENT KABILA|Jonas Savimbi|Mariam Abacha|SAMUEL DOOH|PRINCE JOHNSON)
* 100^0 (URGENT|CONFIDENTIAL|BENEFICIAL) BUSINESS (RELATIONSHIP|PROPOSAL)
* 100^0 To[:;] +The President[/]CEO
* 100^0 Espanola Loteria
* 80^0 Dear Beloved in Christ
* 80^0 Contract Review Panel
* 80^0 sales of diamonds
* 80^0 (Bank|Government) (of|for) (Nigeria|Burkina|Senegal|Sierra Leone|Ghana|Southern Africa|Cote D'Ivoire)
* 80^0 (UNION BANK PLC|STANDARD TRUST BANK)
* 80^0 (Nigerian National Petroleum|NNPC|N N P C|(Department|Ministry) of Petroleum Resources)
* 80^0 (Nigeria Electric Power|Diamond Safari)
* 80^0 (domiciliary|foreign|foreing|nominated) account
* 80^0 demurrage charges
* 80^0 actualizing this transaction
* 80^0 certificate of deposit
* 80^0 depository agreement
* 80^0 transfer(ring| of)?( th(e|is))? (said )?(fund|money|sum)
* 80^0 diamond and gold business
* 80^0 concealed business
* 80^0 remitt funds to you
* 80^0 deposited in a safety deposit box
* 80^0 You will keep [0-9.]+[%] of each deal we conduct
* 80^0 this is a legitimate transaction
* 80^0 funds will be unclaimed
* 80^0 how to claim the funds from the finance company
* 80^0 set aside [1-3][05][%] for you
* 75^0 you do not know me personally
* 75^0 we have not met(\.| before)
* 75^0 I wish to introduce myself
* 75^0 This letter (may|might) come (to you )?as a surprise
* 75^0 You may be astonished about this mail
* 75^0 (business|investment) (proposal|opportunity)
* 75^0 Prize Award Department
* 75^0 WINNING FINAL NOTIFICATION
* 50^0 ^X-Mailer: RLSP Mailer
* 50^0 chamber of commerce
* 50^0 foreign partner
* 50^0 offshore bank
* 50^0 The money was disguised
* 50^0 I am.* the (eldest )?(son|daughter|wife|brother|sister|husband)s? of
* 50^0 I am barrister
* 50^0 US[$][0-9. ]+m
* 50^0 [$€] *[1-9][0-9,.][0-9,.][0-9,.][0-9,.][0-9,.][0-9,.][0-9,.]
* 50^0 mutual (benefit|understanding)
* 50^0 must not know
* 50^0 designated (bank|account)
* 50^0 (Finance( and |/)Security|security([/ ]finance)?) +(outfit|company|firm)
* 50^0 absolutely risk free
* 50^0 freeze any account
* 50^0 I require (is )?your honest co-?operation
* 50^0 your preferred mode of compensation
* 50^0 release of the funds to you
* 50^0 modalities for (the )?(transfer|deal)
* 50^0 beneficiary to the funds
* 50^0 onfirmation that you can be of assistance
* 50^0 this disbursement
* 50^0 participate in venture
* 50^0 undercover courier company
* 50^0 millionaire farmer
* 50^0 mix(ed)? up of (some )?numbers and (names|addresses)
* 50^0 ATTENTION: THE PRESIDENT/CHAIRMAN
* 50^0 deposited the consignments
* 50^0 for you to deposit
* 40^0 you have (therefore )?been approved
* 40^0 confidential from the public
* 40^0 avoid risk of forfeiture
* 30^0 account in question
* 30^0 close one of my accounts
* 30^0 Congratulations, you have just won yourself
* 30^0 propos(al|ition)
* 30^0 Robert Mugabe
* 30^0 Charles Taylor
* 30^0 Olusegun Obasanjo
* 30^0 a native of your country
* 30^0 out of the country
* 30^0 kept in a trunk
* 30^0 need your aid
* 30^0 not seen each other before
* 30^0 in his will
* 30^0 Executor of the estate
* 20^0 (confiden[ct]ial|secrecy)
* 20^0 [bm]illion (euro|dollars)
* 20^0 beneficiary
* 20^0 next of kin
* 20^0 business
* 20^0 transaction
* 20^0 Nigeria
* 20^0 financial arrangement
* 20^0 generous commission
* 20^0 white farmers
* 20^0 inherit this money
* 10^0 trust ?worthy
* 10^0 dollars
* 10^0 investment
| formail -A "X-Reject: (100) Nigerian 419 advance payment fraud"

# Look for webmail spammers; a reasonable assumption that Bcc'ed mail from these places
# is spam.
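# Each webmail test pairs a provider-specific Received: (or mailer) pattern with
# "*$!^TO${MYNAMES}": the mail counts only when none of my names appears in a
# destination header, i.e. it was Bcc'ed. The E flag chains the recipes as
# else-if, so at most one of them adds its 35 points.
:0fh
* ^Received: from Unknown/Local \(\[\?\.\?\.\?\.\?\]\)
*$!^TO${MYNAMES}
| formail -A "X-Reject: (35) angelfire/mailcity webmail spam"

# Same again for eircom webmail spammers, typically Nigerians
:0fhE
* ^Received: from [a-z0-9.]+ \(HELO webmail.eircom.net\)
*$!^TO${MYNAMES}
| formail -A "X-Reject: (35) eircom.net webmail spam"

# Same again for netscape webmail
:0fhE
* ^Received: from +netscape\.net \([-a-z0-9]+\.webmail\.aol\.com \[
*$!^TO${MYNAMES}
| formail -A "X-Reject: (35) netscape.net webmail spam"

# Same again for 123.com
# The parentheses around "mshttpd" are literal text in the Received: line, so
# they are escaped; unescaped they are a regexp group and the line never matches.
:0fhE
* ^Received: from .* by [.a-z0-9-]*.mail.entelchile.net \(mshttpd\);
*$!^TO${MYNAMES}
| formail -A "X-Reject: (35) 123.com webmail spam"

# Same again for laposte.net webmail
:0fhE
* ^Received: from +mx\.laposte\.net \(mx\.laposte\.net \[
*$!^TO${MYNAMES}
| formail -A "X-Reject: (35) laposte.net webmail spam"

# Same again for United Online (netzero, juno)
:0fhE
* ^Received: from \[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\] by webmail[0-9]+\.[a-z]+\.untd\.com with HTTP:
*$!^TO${MYNAMES}
| formail -A "X-Reject: (35) untd.com webmail spam"

# Same again for zwallet.com
:0fhE
* ^Received: from web[0-9]+\.zwallet\.com[ ]+by[ ]+qmail[0-9]\.zwallet\.com[ ]+with[ ]+SMTP;
*$!^TO${MYNAMES}
| formail -A "X-Reject: (35) zwallet.com webmail spam"

# Same again for bigpond.com
# "(mshttpd)" is literal header text here as well, hence the escaped parentheses.
:0fhE
* ^Received: from \[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\] by mailms[0-9]\.email\.bigpond\.com \(mshttpd\);
*$!^TO${MYNAMES}
| formail -A "X-Reject: (35) bigpond.com webmail spam"

# Same again for any Squirrelmail/Open Webmail user
:0fhE
* ^(User-Agent|X-Mailer): (SquirrelMail|.*Web(( ?E?Mail)|User)|Mintersoft VisualOffice)
*$!^TO${MYNAMES}
| formail -A "X-Reject: (35) Bcc'ed webmail"

# Generic webmail
:0fhE
* ^Received: from .*[[(][0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[])] by [a-z0-9.-]+ (with|via) HTTP;
*$!^TO${MYNAMES}
| formail -A "X-Reject: (35) Bcc'ed webmail"

# Have a peek at MIME attachments, looking for viruses
:0
* ^Content-Type: multipart/
{
  # Look for attachments with .something.{com,exe,pif,bat,scr,cmd} extensions
  # NOTE(review): DOUBLE_EXT (and EXT below) is text taken from the attachment's
  # name= parameter, so the sender chooses it, and it is copied into the X-Reject:
  # line. The spamscore program is not shown here; confirm it reads only the
  # leading "(100)" and cannot be steered by parenthesised numbers inside a
  # crafted file name.
  :0B
  * Content-Type: .*/.*;(.*$)?([ ].*$)*[ ]*name[ ]*=.*\/\..*\.(com|exe|pif|bat|scr|cmd)
  {
    DOUBLE_EXT=${MATCH}

    # Cut the captured text at the first double quote.
    :0
    * DOUBLE_EXT ?? ^\/[^"]+
    { DOUBLE_EXT=${MATCH} }

    :0fh
    | formail -A "X-Reject: (100) Likely virus - $DOUBLE_EXT extension on attachment"
  }

  # Look for attachments with .{com,exe,pif,bat,scr,cmd} extensions
  # Only when DUMP_EXEC_ATTACHMENTS contains 1 (set outside this part of the file).
  :0
  * DUMP_EXEC_ATTACHMENTS ?? 1
  {
    :0B
    * ^Content-Type: .*/.*;(.*$)?([ ].*$)*[ ]*name[ ]*=.*\/\.(com|exe|pif|bat|scr|cmd)
    {
      EXT=${MATCH}

      # Cut the captured text at the first double quote.
      :0
      * EXT ?? ^\/[^"]+
      { EXT=${MATCH} }

      :0fh
      | formail -A "X-Reject: (100) Likely virus - executable $EXT attachment"
    }
  }

  # Look for Sobig.E
  # The pattern expects name="your_details.zip" but filename="your_details.zi";
  # presumably that truncated filename is part of the signature - do not "correct"
  # it without checking a sample.
  :0fB
  * ^Content-Type: application/x-zip-compressed;$\
    [ ]+name="your_details.zip"$\
    Content-Transfer-Encoding: base64$\
    Content-Disposition: attachment;$\
    [ ]+filename="your_details.zi"$
  | formail -A "X-Reject: (100) Likely virus - Sobig.E"
}

# Have seen one virus that's just a base64 encoded .exe
# ^^ anchors the match at the very start of the body.
:0fB
* ^^TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$
| formail -A "X-Reject: (100) Likely virus - message body is .EXE file"

# Case-sensitive (flag D) body scoring: starting from -1000 with 300 points per
# string, at least four of the five strings must be present.
:0fBD
* -1000^0
* 300^0 YJuA6wS8WsBr
* 300^0 zGzjbJDCLB96
* 300^0 BOSKHdXH8Blw
* 300^0 dEi3loqk64su
* 300^0 byusWle0odyf
| formail -A "X-Reject: (100) Bagle.AL virus"

# Detect w32.novarg.a@mm virus
# Outer test: message size between 30000 and 35000 bytes, one of the listed
# subjects and the X-Priority/X-MSMail-Priority header pair. Inner test: one of
# the known body texts plus an octet-stream attachment whose quoted name is
# captured in MATCH and must be repeated in the Content-Disposition filename.
:0
* < 35000
* > 30000
* ^Subject: (test|hi|hello|Mail Delivery System|Mail Transaction Failed|Server Report|Status|Error|)$
* ^X-Priority: 3^X-MSMail-Priority: Normal$
{
  :0fhB
  * ^(Mail transaction failed. Partial message is available\.|\
    The message contains Unicode characters and has been sent as a binary attachment\.|\
    The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment\.|\
    Content-Type: text/plain;^ charset="Windows-1252"^Content-Transfer-Encoding: 7bit^^Ã.*)$
  * ^Content-Type: application/octet-stream;^ name=\/"(document|readme|doc|text|file|data|test|message|body)\.(pif|scr|exe|cmd|bat|zip)"$
  *$^Content-Transfer-Encoding: base64^Content-Disposition: attachment;^ filename=${MATCH}
  | formail -A "X-Reject: (100) w32.novarg.a@mm virus"
}

# Reject base64 plain text or HTML in Latin-style charsets (also in MIME attachments)
# Two recipes because the two MIME header lines can appear in either order.
:0fBH
* ^Content-Type: text/(plain|html);?($?[ ]*charset="?(default|iso-8859-1|us-ascii|windows-1252)"?)?([ ]*$)Content-Transfer-Encoding: base64
| formail -A "X-Reject: (100) Base 64 obfuscated text (type,encoding)"

:0fBH
* ^Content-Transfer-Encoding: base64$Content-Type: text/(plain|html);?([ ]*charset="?(default|iso-8859-1|us-ascii|windows-1252)"?)?$
| formail -A "X-Reject: (100) Base 64 obfuscated text (encoding,type)"

# Reject Chinese character sets if appropriate (also in MIME attachments)
:0fBH
*! CHINESE_OK ?? 1
* ^Content-Type: text/(plain|html);([ ]*$)?[ ]*charset="?(big5|gb2312)
| formail -A "X-Reject: (80) Text in Chinese character set"

:0fBH
*! CHINESE_OK ?? 1
* [<]meta [^>]*http-equiv="Content-Type"[^>]*charset=(big5|gb2312)"[>]
| formail -A "X-Reject: (80) Text in Chinese character set (meta tag)"

# Reject Hebrew character sets if appropriate (also in MIME attachments)
:0fBH
*! HEBREW_OK ?? 1
* ^Content-Type: text/(plain|html);([ ]*$)?[ ]*charset="?windows-1255
| formail -A "X-Reject: (80) Text in Hebrew character set"

:0fBH
*! HEBREW_OK ?? 1
* [<]meta [^>]*http-equiv="Content-Type"[^>]*charset=windows-1255"[>]
| formail -A "X-Reject: (80) Text in Hebrew character set (meta tag)"

# Score starts at 2; one point comes off for a well-formed Message-Id: and one
# more when there is no second Message-Id:. Only "exactly one valid Message-Id:"
# reaches 0, so every other case fires.
:0fh
* 2^0
* -1^0 ^Message-Id:.*[<]..*@..*[>]$
* -1^0 !^Message-Id:(.*$)+Message-Id:
| formail -A "X-Reject: (50) Did not have exactly 1 valid Message-Id:"

# Else branch (flag E): the forged-From: tests run only when the Message-Id:
# recipe above did not fire.
:0E
{
  MATCH=
  # Kept on one line so that no continuation whitespace can end up inside the
  # quoted pattern.
  SERVICE="(aol\.com|freeyellow\.com|hotpop\.com|netcom\.com|wowmail\.com)"

  # Skipped while IPEXTERNAL still contains its XXXXXX placeholder. +2 when From:
  # is at one of the SERVICE domains (MATCH captures the domain), -2 for abuse@
  # addresses, -1 when a Received: line names the domain and -1 when the
  # Message-Id: does; fires unless both corroborating headers are present.
  :0fh
  *! IPEXTERNAL ?? XXXXXX
  *$ 2^0 ^From:.*@+\/$SERVICE
  *$ -2^0 ^From:.*abuse@$SERVICE
  *$ -1^0 ^Received: from.*$MATCH
  *$ -1^0 ^Message-Id:.*@[-A-Z0-9.]*$MATCH
  | formail -A "X-Reject: (50) Forged From: header slandering $MATCH"

  # Same idea for yahoo.com, which has two acceptable Received: forms.
  :0fh
  *! IPEXTERNAL ?? XXXXXX
  * 2^0 ^From:.*@yahoo\.com
  * -1^0 ^Received:.from.*(yahoo\.com|yahoomail\.com).*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\].*by
  * -1^0 ^Received:.from.*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\].*by.*mail.yahoo.com via HTTP;
  * -1^0 ^Message-Id:.*@.*(yahoo\.com|yahoomail\.com)
  | formail -A "X-Reject: (50) Forged From: header slandering yahoo.com"

  # juno.com: the outer test finds From: @juno.com without both juno
  # corroborations; the inner test then lets the mail off only if all three
  # mail.com markers (Received:, X-Mailer:, X-Originating-IP:) are present.
  :0
  *! IPEXTERNAL ?? XXXXXX
  * 2^0 ^From:.*@juno\.com
  * -1^0 ^Received:.from.*juno\.com.*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\].*by
  * -1^0 ^Message-Id:.*@.*juno\.com
  {
    :0fh
    * 3^0 ^From:.*@juno\.com
    * -1^0 ^Received:.from.*mail\.com.*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\].*by
    * -1^0 ^X-Mailer: mail\.com
    * -1^0 ^X-Originating-IP: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
    | formail -A "X-Reject: (35) placeholder"
  }

  # From: or Message-Id: claims my ISP. With exponent 1 every matching line
  # counts: +1 per Received: line carrying a bracketed IP, -1 per such line that
  # is from my ISP to my ISP. A positive total means at least one external hop.
  :0fh
  *$ ^(From|Message-Id):.*${MYISP}
  * 1^1 ^Received:.from.*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\].*by
  *$ -1^1 ^Received:.from.*.${MYISP}.*\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\].*.by.*.${MYISP}
  | formail -A "X-Reject: (35) From:/Message-Id: is local, but message is external"
}

# Record what was worked out about the sender in informational headers.
# NOTE(review): formail -A appends and leaves any X-Sending-*/X-Advertise* lines
# that arrived with the message in place. Confirm that they are stripped elsewhere
# or that nothing downstream trusts the first occurrence.
:0f
| formail -A "X-Sending-IP: $IPEXTERNAL"

:0f
| formail -A "X-Sending-Domain: $SENDER_DOMAIN"

# Only when SPAMDOMAIN is not empty.
:0f
*!SPAMDOMAIN ?? ^$
| formail -A "X-Advertised-Domain: $SPAMDOMAIN"

:0f
| formail -A "X-Advertiser-Nameservers: $SPAMMER_NSLIST"

# Restore old value of LINEBUF
LINEBUF=${OLDLINEBUF}
OLDLINEBUF=

# Add up the spam score
# spamscore is an external program found through PATH; it is not part of this file.
SPAMSCORE=`spamscore`

# Invoke the payload to decide what to do with the mail
:0
{ INCLUDERC=payload }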