*****SPAM***** Re: [Gllug] Whitelist-only spam filtering
Mark Lowes
hamster at korenwolf.net
Thu Sep 12 15:12:53 UTC 2002
On Thu, 2002-09-12 at 14:52, John Southern wrote:
> 201 so far today that are spams. Probably catching 90% with filters. Some
My stats for the last few days.
65 filtered-20020908
106 filtered-20020909
108 filtered-20020910
123 filtered-20020911
77 filtered-20020912
I've recently started filtering junk directly off ftech.net into a
holding pen for checking. In the last 56 hours or so we've seen 748
spams get trapped (not including dictionary attacks which get dumped at
the MXen).
> just do get through. I am sure I filter wrong. Should I filter all into trash
> then filter good ones out to where I want them and occasionally go through
> the trash or should I just try to kill the trash in one hit?
> Apart from using SpamAssassin what actual rules do people filter on?
Prior to using SpamAssassin I was using a bastard procmailrc from hell.
Logic:
filter out certain lists (i.e. spam-l)
apply antispam.rc (attached)
filter out mailing lists into sub-mboxes
apply a 'I trust email from these domains' filter (to mbox)
apply a 'I trust email to these domains' filter (to mbox)
dump anything left into the pit of despair for later checking.
Mostly good but nowhere near as good as SpamAssassin.
Mark
--
The Flying Hamster <hamster at korenwolf.net>
http://www.korenwolf.net/
"Those who think they know everything really annoy those of us who do."
-------------- next part --------------
# anti-spam rules
# hamster at lspace.org (Mark Lowes)
# Should work, let me know if anything goes wrong.
#
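# Definitions
# FORMAIL, SPAMBIN, BLACKHOLE and LOOP are not set in this file; the
# .procmailrc that includes it has to define them first.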
SPAMROOT=$HOME/.lib
SPAMLIST=$SPAMROOT/SpamDomains
LINEBUF=4096
#---------------------------------------------------------
:0 B
* (If this information has been sent by mistake|\
This message is never sent unsolicited.|\
This mailing is done by an independent marketing company|\
This message complies with Senate bill 1618,|\
This is a one time mailing|\
replying with the words remove in the subject|\
Vous ne recevrez pas d'autre E-mail, vous ne devez|\
We adhere to RESPONSIBLE Email Ethics|\
This is a 1 Time Mailing|\
This is a one Time Mailing|\
This is a one time mailing. You will not|\
Your E-mail address was aquired from a Targeted E-mail List|\
If you have recieved this email in error please|\
This message is NOT SPAM|\
This ad has been sent in compliance with|\
We are sorry if you received this email in error)
|$FORMAIL -A"X-Spam: It looks like a spam" >> $SPAMBIN
#---------------------------------------------------------
:0 B
* (HR 1910|HR1910)
|$FORMAIL -A"X-Spam: HR 1910 Spam" >> $SPAMBIN
#---------------------------------------------------------
# RBL filters.
#
:0
* ^X-RBL-Warning:.*
| $FORMAIL -A"X-Spam: RBL Hit..." >> $BLACKHOLE
#---------------------------------------------------------
:0:
* ^Received:.*\[.*\] by _\[.*\]
|$FORMAIL -A"X-Spam: Nasty headers" >> $SPAMBIN
#---------------------------------------------------------
:0
* ^X-Mailer: (\
Extractor|\
Floodgate|\
Emailer Platinum|\
Internet Marketing|\
Stellar-X PostList|\
Dynamic Opt-In Emailer\
)
|$FORMAIL -A"X-Spam: Ratware mailer" >> $SPAMBIN
#---------------------------------------------------------
# 4u spams
#---------------------------------------------------------
:0
* ^(TO|FROM):.*(4u|foru|fouryou)\.
| $FORMAIL -A"X-Spam: 4u spam" >> $SPAMBIN
:0:
* !X-Mailer:
* Received:.*from monorailpc
| $FORMAIL -A"X-Spam: monorail rule" >> $SPAMBIN
#---------------------------------------------------------
# Test recipe to filter out UIDL spammers
#---------------------------------------------------------
:0
* ^X-UIDL:.*
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: UIDL" >> $SPAMBIN
# Toast all EMF E-Marketing Stealth Launch spams
:0 B
* function Decode
* EMF E-Marketing
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: EMF E-Marketing" >>$SPAMBIN
#---------------------------------------------------------
# UNIVERSITY DIPLOMA
#---------------------------------------------------------
:0
*^Subject:.*UNIVERSITY.*DIPLOMAS
| $FORMAIL -A"X-Spam: Uni Diploma spammer" >> $SPAMBIN
#---------------------------------------------------------
# Juno forged headers rules.
#---------------------------------------------------------
# a. Mismatched Received: lines - outgoing mails are through Mail.Com's
# servers and carry a Juno address in the From: header)
:0E
{
MATCH=
SERVICE="(aol\.com|\
earthlink\.com|\
freeyellow\.com|\
juno\.com|\
hotmail\.com|\
hotpop\.com|\
netcom\.com|\
wowmail\.com)"
#:0fh
#*$ 2^0 ^From:.*@+\/$SERVICE
##*$ -1^0 ^Received: from.*$MATCH
#*$ -1^0 ^Message-Id:.*@$MATCH
#| formail -A "X-Reject: Forged From: header slandering $MATCH" >> $SPAMBIN
# this one is from http://www.waltdnes.org
# Spambouncer uses something similar to this -
# Juno
:0
* ^From.*juno\.com
* !^Received:.*juno\.com
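{
# No f flag here: with output redirected into $SPAMBIN a filter recipe
# would leave an empty message behind. Deliver, with a lock on the file.
:0:
| ${FORMAIL} -A "X-SBRule: Bogus Juno" >> $SPAMBIN
}
# closes the :0E block opened above
}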
# b. Checking for the X-Mailer: Juno ... when the from: address is a Juno
# address. Juno users mailing from webmail accounts will also hit these
# filters, as Mail.Com generates its own X-Mailer header (X-Mailer:
# mail.com).
#and the juno ones
:0:
* ^Received: from juno\.com
* !^X-Mailer: Juno
$SPAMBIN
## /*from http://www.panix.com/rc.shared */
#---------------------------------------------------------
# Normal spam nuking rules.
#---------------------------------------------------------
:0
* ^X-Advertisement:
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: X-Ad header" >>$SPAMBIN
:0
* ^Subject.*(ADV|AD):
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: ADV" >>$SPAMBIN
:0
* ^MessageID:
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: MessageID ratware" >> $SPAMBIN
:0
* ^X-Sender: News Breaker Pro
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: Spam software" >>$SPAMBIN
:0
* ^Comments: Authenticated sender
* !^X-Mailer: Pegasus Mail
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: Auth Sender" >>$SPAMBIN
:0 BD
* ffanet.com
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: ffanet.com *ick*" >>$SPAMBIN
:0 BD
* (\
EMAIL BLASTER\
|by Email Blaster\
)
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: Email Blaster" >>$SPAMBIN
:0:
* ^Message-ID.*spam
* ! ^Message-ID.*nospam
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: Message ID" >>$SPAMBIN
:0:
* ! ^Message-Id:[ ]*<[^ <>@]+@[^ <>@]+>[ ]*$
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: Invaild Message ID" >>$SPAMBIN
:0:
* ? formail -ISubject: | fgrep -i -f $SPAMLIST
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: SpamDomain" >>$SPAMBIN
:0:
* ^X-(.*www\.quantcom\.com|.*iemmc\.org|.*Visit our website|.*removal information)
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: X-Header" >>$SPAMBIN
:0:
* ^From: (.*Success|<>)
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: Nasty From header" >>$SPAMBIN
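# Delivering recipe with a lock; as a header filter (fhw) with output
# redirected into $SPAMBIN it would have emptied the header instead.
:0:
* ^From:.*@aol\.com
* !^Message-id:.*@.*\.aol\.com
| formail -I"X-Spam: aol forgery messageid" >> $SPAMBIN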
:0:
* ^From:.*nicetomeetu.*
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: No one mails from nicetomeetu" >>$SPAMBIN
:0
* ^Received:.*\[207\.226\.190
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: Spam Site" >>$SPAMBIN
:0
* ^Received:.*(MAILGOD|InfoAge)
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: Mailgod??" >>$SPAMBIN
:0 BH
* < 32000
* ^X-Info:.*(www.antispam.org|Bulk Emailer|Free Copy)
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: Body X-Info" >> $SPAMBIN
:0
* (friend@)|(savetrees?.com)|(yourinfo.com)|\
(juno.com)|(iemmc.org)|(cybertize)
| $FORMAIL -i"X-Loop: $LOOP" -A"X-Spam: Savetrees, Friend at public" >> $SPAMBIN
:0 :
* ^Message-ID:
* !^Message-ID: +<[^<]*@[^ >]+>$
|$FORMAIL -A"X-Spam: MsgID (1)" >> $SPAMBIN
:0
*^(To|From):.*(Friend\@public.com|.*\@juno.com)
|$FORMAIL -A"X-Spam: No friends at public.com" >> $SPAMBIN
:0
* ^From:.*real-net.net
|$FORMAIL -A"X-Spam: real Audio" >> $SPAMBIN
#
#
# Section 301 Spam
#
:0 B
* Section 301, paragraph.*a.*2.*C.* of S\. *1618
|$FORMAIL -A"X-Spam: Section 301 Spam" >> $SPAMBIN
#
:0 B
* Paragraph \(a\)\(2\)\(c\) of s\. 1618
|$FORMAIL -A"X-Spam: Section 301 spam (rule #2)" >> $SPAMBIN
#
#
:0
* ^Comments:.*Authenticated Sender
| $FORMAIL -A"X-Spam: Authenticated sender.." >> $SPAMBIN
#
:0
* ^(To|From):.*\@(public|the_internet)\.com
| $FORMAIL -A"X-Spam: public.com... yeah right" >> $SPAMBIN
#
:0h
* From:.*=\?iso-2022-jp\?b
| $FORMAIL -A"X-Spam: Japanese encoding rule" >> $SPAMBIN
#
:0h
* Subject:.*=\?iso-2022-jp\?b
| $FORMAIL -A"X-Spam: Japanese encoding rule" >> $SPAMBIN
#
:0h
* Content-type:.*iso-2022-jp
| $FORMAIL -A"X-Spam: Japanese encoding rule" >> $SPAMBIN
#
# end
#
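
The filtering order described in the message, with three header checks taken from the attached rc file, as an added Python example (not part of the original post or attachment). The List-Id test, the trusted domain set, the folder names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed settings: the post names only spam-l; the other values are constructed.
EXEMPT_LISTS = {"spam-l"}
TRUSTED_DOMAINS = {"example.org"}
RATWARE = re.compile(r"Extractor|Floodgate|Emailer Platinum", re.I)
MSGID_OK = re.compile(r"<[^ <>@]+@[^ <>@]+>$")

def domain(value):
    """Lower-cased domain of the first address in a header value."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def spam_reason(msg):
    """Three of the attachment's header checks; None when nothing hits."""
    if RATWARE.match(msg.get("X-Mailer", "")):
        return "Ratware mailer"
    if not MSGID_OK.match(msg.get("Message-ID", "").strip()):
        return "Invalid Message ID"
    received = " ".join(msg.get_all("Received", [])).lower()
    if domain(msg["From"]) == "juno.com" and "juno.com" not in received:
        return "Bogus Juno"
    return None

def classify(raw):
    """Return (folder, reason), testing in the order the post lists."""
    msg = message_from_string(raw)
    list_id = msg.get("List-Id", "").lower()
    if any(name in list_id for name in EXEMPT_LISTS):
        return "lists", "exempt list"
    reason = spam_reason(msg)
    if reason:
        return "spambin", reason
    if list_id:
        return "lists", "mailing list"
    if domain(msg["From"]) in TRUSTED_DOMAINS:
        return "mbox", "trusted From domain"
    if domain(msg["To"]) in TRUSTED_DOMAINS:
        return "mbox", "trusted To domain"
    return "pit", "unmatched, check later"

# Constructed sample: Juno From address, but no Juno hop in Received.
FORGED = ("From: a@juno.com\nTo: me@example.org\n"
          "Received: from relay.example.net by mx.example.org\n"
          "Message-ID: <1@relay.example.net>\nSubject: hi\n\nbody\n")
# Constructed sample: unknown sender and recipient, nothing suspicious.
UNKNOWN = ("From: b@example.com\nTo: c@example.net\n"
           "Message-ID: <2@example.com>\nSubject: hello\n\nbody\n")
```

Because the spam checks run before the trust filters, the forged Juno sample lands in the spam bin even though it is addressed to a trusted domain.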