# spam/tag-contents "procmailrc" file
#
# TO USE THESE RECIPES, put
# INCLUDERC=/local/etc/procmail/spam/tag-contents
# into your "main" procmail file (after the tag file).
#
# This file will tag any message that seems to be
# spam based on sentence fragments in the subject line
# and in the message body. THIS MAY CATCH LEGITIMATE MAIL;
# USE AT YOUR OWN RISK!
#
# 1997/05/22 Anne Bennett
# - Initial coding
# 1997/07/10 Anne Bennett
# - Additions, mostly header stuff
# 1998/04/24 Sylvain Robitaille
# - Added filter submitted by Neil.
# 1999/03/29 Sylvain Robitaille
# - Melissa Macro Virus, submitted by Neil.
# 1999/07/07 Anne Bennett
# - (Last mod date)
#
# ----------- "spam" series configuration done in "spam/tag"
# This entry is not quite "contents", but this seemed like the
# best place to put it.
# forged_recd 1997/04/28
##:0 Hf
##* ^Received: .*http://
##| formail -b -f -A "$trash_header siteban tag-contents forged_recd"
## Disabled 1997/06/23; it catches too much legitimate mail.
# The below is inspired by examples provided by
# Neil Schwartzman, based on material
# posted to spam-l by Ron Newman. Further
# material by Brandon M. Browning and
# Catherine Hampton.
#
# Typical Spam non-Subject Headers
#
# Only Pegasus generates "Comments: Authenticated sender is ..."
# legitimately; if this is present and the Pegasus header isn't,
# then this is almost certainly from a bulk mailer.
:0 Hf
* ^Comments:.*Authenticated sender
* !^X-Mailer:.*Pegasus Mail
SPAM
#
# All-numeric "email addresses" of the form 12345@67890.com
:0 Hf
* ^(From|To|Reply-To): .*\<[0-9]+@[0-9]+\>
SPAM
#
# Spamford's "Cyber-Bomber" generates "CLOAKED!" headers.
# Note "D" flag; let's be case-sensitive on this one.
:0 HfD
* ^Received: .*\
SPAM
#
# Extractor [Pro] is a bulk e-mail program.
:0 Hf
* ^(X-Mailer|X-Sender): Extractor
SPAM
#
# Morons trying to forge IP addresses
:0 Hf
* ^Received: .*\[[0-9\.]*([03-9][0-9][0-9]|2[6-9][0-9]|25[6-9])
SPAM
#
# More bogus IP addresses
:0 Hf
* ^Received: .*\[(0)+\.(0)+\.(0)+\.(0)+\]
SPAM
#
# X-Uidl in header; removed 1997/09/23 -- seems to be catching legit mail
#:0 Hf
#* ^X-Uidl: .*
#| formail -b -f -A "$trash_header ordinary tag-contents header x-uidl"
#
# To: you@ or From: you@
:0 Hf
* ^(From|To):.*\
SPAM
#
# Check for invalid Message-Id: RFC822, Section 4.6.1: no local part
:0 Hf
* ^Message-Id: <[^@]+>
SPAM
#
# Check for invalid Message-Id: Same RFC, same section: Two @'s
:0 Hf
* ^Message-Id: <.*@.*@.*>
SPAM
#
# Check for invalid Message-Id: Same RFC, same section: no host/domain part
:0 Hf
* ^Message-Id: <[^@]+@[^A-Za-z0-9\[]
SPAM
#
# Same from and to: happens legitimately only when sending
# mail to oneself. (Neil reports too many false positives.)
##:0 Hf
##* ^From: \/.*
##* $^To: $MATCH
##| formail -b -f -A "$trash_header ordinary tag-contents header same from to"
#
# Stealth Mailer software
:0 Hf
* ^Received: .*id GAA.* -0600 \(EST\)$
SPAM
:0 Hf
* ^Received: .*id XAA.* -0700 \(EDT\)$
SPAM
#
# An up and coming bulk mailer: "platinum"
:0 Hf
* ^X-Mailer: Emailer Platinum
SPAM
#
# More stuff from Neil. 1998/01/19
:0 Hf
* ^X-Info:.*\.
#
# Typical Spam Subject Headers
:0 Hf
* ^Subject: .*(1\.25 mill addresses \- lowest price|\
-- alternative wealth generator --|\
aren\'t you the person....\?)
SPAM
#
:0 Hf
* ^Subject: .*(collect on your judicial claims that are up to 7 years old|\
direct marketing|\
do not delete this!)
SPAM
#
:0 Hf
* ^Subject: .*(easy money selling|\
free seiko message watch or motorola flex pager!!!!|\
fullfill your wildest fantasy)
SPAM
#
:0 Hf
* ^Subject: .*(hottest thing on the internet today!|\
income.*opportunity|\
international company seeks help!!)
SPAM
#
:0 Hf
* ^Subject: .*(is your web site a secret\?$|\
\*\*\*mother of all sands\*\*\*|\
print and read twice)
SPAM
#
:0 Hf
* ^Subject: .*(read this twice|\
\*satellite tv\*|\
save 40\% on pagemaker 6\.5 with free photoshop le !!)
SPAM
#
:0 Hf
* ^Subject: .*(show me the money!!|\
software to spy people on the net|\
\" very important announcement \" !)
SPAM
#
:0 Hf
* ^Subject: .*(writers seeking publication)
SPAM
# Typical Spam Body Patterns
:0 Bf
* (^This is a one time mailing|\
^Warning\: You must be over 21 to enter the commercial site referenced in this message\.$|\
internet.*marketing)
SPAM
#
:0 Bf
* (absolutely guaranteed|\
100\%.*guaranteed|\
no credit checks)
SPAM
#
# 1997/08/13 took out "adult.*site" -- it was causing false positives.
:0 Bf
* (income.*opportunity|\
can't afford to miss)
SPAM
#
:0 Bf
* (remove.*subject|\
^do not delete this!|\
^this is no spam\. you are on a targeted direct mail \"email\" list)
SPAM
#
:0 Bf
* (^welcome to tip mail! computer tips delivered right to your e-mail box!|\
^we will send out your bulk e mail. period. no qualifiers, no conditions|\
^\*\*\*\*[ ]*special[ ]*offer[ ]*from[ ]*cni[ ]*telecom)
SPAM
#
:0 Bf
* (^dionne warwick has one\.\.\.mtv has one\.\.\.even the pope has one\!$|\
^to be removed quickly and easily from any \& all mailings)
SPAM
#
:0 Bf
* free.*live.*sex
SPAM
# Additional local body entries
#
:0 Bf
* \
SPAM
#
# More evidence of Extractor [Pro] bulk e-mail program.
:0 Bf
* This Message was Composed using Extractor
SPAM
:0 Bf
* This message was composed using an evaluation copy of Extractor
SPAM
#
# Evidence of another bulk mailer
:0 Bf
* email blaster
SPAM
#
# "------- Headers -------" line misleadingly imitates AOL display
:0 Bf
* ^[ ]*\-+ Headers \-+[ ]*$
SPAM
#
# Chris Erickson is a well known MLM spammer.
:0 Bf
* My name is Chris(topher)? [EO](rick|cker)son
* Report #[0-9]
SPAM
#
# Virtual {Girl|Boy}friend, per Neil 1998/01/26
:0 Bf
* The Virtual Girlfriend and Virtual Boyfriend are artificial
SPAM
#
# From Neil:
# EMAIL MARKETING WORKS, hak@oregon 980423
:0 Bf
* EMAIL MARKETING WORKS
SPAM
# Anne 1998/05/19
:0 Bf
* This Message Was Sent Using The Zenith Bulk Emailer
SPAM
# Anne 1998/09/17
:0 Bf
* This message was brought to you by Email Platinum
SPAM
# Anne 1998/09/22
:0 Bf
* The Mailing List that you are being mailed from was filtered
SPAM
# Anne 1998/10/27, persistent spam on Y2K
:0 Bf
* This *small *publicly *traded *company *"TCFG" *which *is *just
SPAM
# Anne 1998/11/03, more persistent spam on Y2K
:0 Bf
* otc.*tcfg
SPAM
# per Neil 1998/11/30, modified per Neil 1998/12/07
:0 Bf
* this message was sent by e[ \-]?mail king and associates
SPAM
# per Neil 1998/12/08
:0 Bf
* e[ \-]?mail king and associates
* BONHILL RD
* MISSISSAUGA
SPAM
# Anne 1998/12/03
:0 Bf
* I was still curious about the letter and he told me how it works
SPAM
# Anne 1998/12/07
:0 Bf
* This is an extremely IMPORTANT announcement for you
* Your Future May Depend on it
SPAM
# per Neil 1998/12/10
:0 Bf
* \<(PDC Innovative Industries|P D C I|PDCI)\>
SPAM
# Anne 1998/12/10
:0 Bf
* (Advertise With Bulk Email|Bulk Friendly ISP)
SPAM
# per Neil 1998/12/16
:0 Bf
* 602-230-4252
SPAM
# per Neil 1999/01/29
:0 Bf
* INTERNATIONAL DRIVER'S LICENSE
* Need a new driver's license?
SPAM
# per Neil 1999/02/24
:0 Bf
* Emerge Corporate Email System for Windows 95/98/NT
SPAM
# per Neil 1999/03/28 -- Melissa Word Macro Virus
:0 Bf
* Here is that document you asked for \.\.\. don't show anyone else ;-\)
SPAM
# per Neil 1999/05/11
:0 Bf
* Under Bill S.1618 TITLE III
* can *not be considered spam
SPAM
# per Neil 1999/06/04
:0 Bf
* 1\-800\-242\-0363
SPAM
# per Anne 1999/07/07
:0 Bf
* hit reply and type remove
SPAM
# per dml 1999/11/3
:0 Hf
* ^Subject: .*Affordable .*Long Distance
SPAM
:0 Hf
* ^Subject: .*laser printer toner advertisement
SPAM
:0 Bf
* ^\"yourcompany.com\"
SPAM
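#
# Added example (not part of the original file): since these recipes MAY CATCH
# LEGITIMATE MAIL, the header conditions above (Pegasus "Authenticated sender",
# forged and all-zero IP addresses, invalid Message-Id) can be checked against
# known headers before deployment. This Python port runs them over constructed
# headers; the tag names and sample headers are assumptions, and Python's "re"
# only approximates procmail's regex engine.

```python
import re

FLAGS = re.IGNORECASE | re.MULTILINE  # procmail matches case-insensitively, per line

# (tag, [(pattern, must_match), ...]): every condition of a recipe must hold.
# Patterns are copied from the header recipes above; tag names are made up here.
RULES = [
    ("pegasus_forgery", [(r"^Comments:.*Authenticated sender", True),
                         (r"^X-Mailer:.*Pegasus Mail", False)]),
    ("bad_octet", [(r"^Received: .*\[[0-9\.]*([03-9][0-9][0-9]|2[6-9][0-9]|25[6-9])", True)]),
    ("zero_ip", [(r"^Received: .*\[(0)+\.(0)+\.(0)+\.(0)+\]", True)]),
    ("msgid_no_at", [(r"^Message-Id: <[^@]+>", True)]),
    ("msgid_two_at", [(r"^Message-Id: <.*@.*@.*>", True)]),
    ("msgid_no_host", [(r"^Message-Id: <[^@]+@[^A-Za-z0-9\[]", True)]),
]

def unfold(header: str) -> str:
    """Join continuation lines, as procmail does before matching headers."""
    return re.sub(r"\r?\n[ \t]+", " ", header)

def tags(header: str) -> list[str]:
    """Return the names of every rule whose conditions all hold for this header."""
    h = unfold(header)
    return [name for name, conds in RULES
            if all(bool(re.search(p, h, FLAGS)) == want for p, want in conds)]

# Constructed sample headers (not real mail).
SAMPLES = {
    "clean": "Received: from mx.example.org ([192.0.2.25])\n"
             "Message-Id: <20240101.abc@mail.example.org>\n",
    "forged_ip": "Received: from x.example ([192.0.2.300])\n"
                 "Message-Id: <1@example.net>\n",
    "folded_zero_ip": "Received: from y.example\n\t([0.0.0.0]) by z.example\n"
                      "Message-Id: <nolocal>\n",
    "pegasus_real": "Comments: Authenticated sender is <a@example.org>\n"
                    "X-Mailer: Pegasus Mail for Win32\n"
                    "Message-Id: <2@[192.0.2.1]>\n",
    "pegasus_fake": "Comments: Authenticated sender is <a@example.org>\n"
                    "Message-Id: <a@b@example.org>\n",
    # Zero-padded octets are within range but still trip the forged-IP pattern.
    "zero_padded": "Received: from w.example ([192.168.001.010])\n",
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:15} {tags(hdr)}")
```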