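# ~jhs/.procmailrc.fonts included by ~jhs/.procmailrc.
# This file deals with font spam & other generic spam,
# but other files included from ~jhs/.procmailrc deal
# with specific spam phrases & domains.

# USA 1st Can Spam case in court Jan 2006,
# law applies as of beginning of 2004:
# Controlling the Assault of Non-Solicited Pornography and Marketing Act
# http://www.spiegel.de/netzwelt/politik/0,1518,395648,00.html

# -----------------------------------------------------------------------------
# NOTE(review): SPAM_NULL_NO_RCVSTORE is not set in this file (presumably it
# comes from the including ~jhs/.procmailrc - confirm).  If it names a discard
# sink, every recipe below that delivers to $SPAM_NULL_* loses the message with
# no copy, so a false positive cannot be recovered.  The commented folder
# alternatives (spam/font/. etc.) keep a reviewable copy while a rule is still
# being proven.
SPAM_NULL_FONT=$SPAM_NULL_NO_RCVSTORE
# SPAM_NULL_FONT=spam/font/.
SPAM_NULL_NUMERIC_IP=$SPAM_NULL_NO_RCVSTORE
# SPAM_NULL_NUMERIC_IP=spam/numeric_ip/.
SPAM_NULL_FORMAT=$SPAM_NULL_NO_RCVSTORE
# SPAM_NULL_FORMAT=spam/audio/.

:0 WB # -----------------------------------------------------------------------
* charset="windows-1250"
* ^Content-Type: text/plain
# | $RCVSTORE +$SPAM_NULL_FONT
# Note $RCVSTORE must have a directory,
# not a file such as $SPAM_NULL_NO_RCVSTORE
# so as I often define $SPAM_NULL_FONT to
# $SPAM_NULL_NO_RCVSTORE, avoid rcvstore.
$SPAM_NULL_FONT

:0 WB # -----------------------------------------------------------------------
# Thai
# NOTE(review): procmail regexps have no \s class; "\s" is a literal "s", so
# the original "^Content-type:\stext/html" could not match a real header line.
# The whitespace is written literally here.  This makes the rule effective for
# the first time - trial it against a folder before trusting it to discard.
* ^Content-type: text/html; charset=windows-874
# Message-Id:
# | $RCVSTORE +$SPAM_NULL_FONT
# Note $RCVSTORE must have a directory,
# not a file such as $SPAM_NULL_NO_RCVSTORE
# so as I often define $SPAM_NULL_FONT to
# $SPAM_NULL_NO_RCVSTORE, avoid rcvstore.
$SPAM_NULL_FONT

# -----------------------------------------------------------------------------
# Jewish/ Israel .il
:0 WH # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* ^MIME-Version: 1.0
* ^Content-Type: text/plain;
* charset="windows-1255"
* ^Content-Transfer-Encoding: 8bit
* ^X-MIME-Autoconverted: from quoted-printable to 8bit by (flat|tower|slim)\.berklix\.org
{
        :0 WH # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        # NOTE(review): "=*" only allows a run of "=" before the closing quote,
        # so the sample From: line below does not appear to match this
        # pattern - confirm what was intended (".*" ?).  In procmail \< and \>
        # match any non-word character, not specifically "<" and ">".
        * ^From: "=\?windows-1255\?Q\?=*".*\<.*@[a-z0-9\.\-]+\.il\>
        # From: "=?windows-1255?Q?=F4=E9=F7=F1?="
        # $SPAM_NULL_FONT
        spam/font/.

        :0 WH # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        * ^Subject: =\?windows-1255\?Q\?=
        # $SPAM_NULL_FONT
        spam/font/.
}
# JJLATER New rule 2007.11.23 , I want to keep an eye on it.
# ie Might it also catch genuine replies from abuse@ postmasters,
# who I mailed as abuse@

# -----------------------------------------------------------------------------
# Turkish .tr
# Content-Type: text/plain; charset="windows-1254"
# Content-Transfer-Encoding: 8bit
# X-MIME-Autoconverted: from quoted-printable to 8bit by (flat|tower|slim)\.berklix\.org
:0 WH # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* ^Content-Type: text/plain; charset="windows-1254"
* ^Content-Transfer-Encoding: 8bit
* ^X-MIME-Autoconverted: from quoted-printable to 8bit by
spam/font/.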
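# -----------------------------------------------------------------------------
# NOTE(review), applies to the whole of this section:
#  - procmail regexps have no \s class ("\s" is a literal "s"), "\\?" is an
#    optional backslash rather than a literal "?", and an unescaped "?" is a
#    quantifier.  Conditions written that way could not match the headers
#    they were aimed at; they are corrected below (" *" for optional spaces,
#    "\?" for a literal question mark).  Commented-out text is left as it was.
#  - The corrected rules become effective for the first time.  Where the
#    action is $SPAM_NULL_FONT, trial them with SPAM_NULL_FONT pointed at a
#    folder (see where it is assigned) before letting them discard.
#  - Matching is case-insensitive unless the D flag is given, so the
#    upper/lower-case variants of one charset are redundant but harmless.
#  - Unanchored conditions with the HB flags also hit a legitimate message
#    that merely quotes such a header line in its body.

# -----------------------------------------------------------------------------
# Korean spam body
:0 WHB # ----------------------------------------------------------------------
* charset= "ks_c_5601-1987"
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* content="text/html; charset=euc-kr"
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset="euc-kr"
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset=euc-kr
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset=3Deuc-kr
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset="ks_c_5601-1987"
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset=ks_c_5601-1987
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset="ISO-2022-KR"
$SPAM_NULL_FONT

# -----------------------------------------------------------------------------
# Illegible Font
# :0 WH
# * ^Subject:\s*\>\>_\Ç\ö-
# Subject:\s*\>\>_Çö-±Ý ´ë¹Ú »çÀÌÆ® °¡ÀÔ3õ¿øÁö±Þ vnuejvwus mebb cppe
# $SPAM_NULL_FONT
# -----------------------------------------------------------------------------
# Subject:\s*¿Â¶óÀÎ ´ë¹Ú Ä«Áö³ë ¹«·á°¡ÀÔ3õ¿ø Çö±ÝÃæÀü! 0w tdpi
# 0: H
# * ^Subject:\s*\¿\
# $SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* ^Subject: *=\?iso-8859-9\?
# Subject:\s*=?iso-8859-9?B?S0FMRElSSU1BLCBMT0dPTlVaVSwgTUFSS0FOSVpJIFlBTlNJVElOISBLQU1QQU5ZQUxJIEbdWUFU ISE=?=
# Subject: =?iso-8859-9?B?TmFrbGl5YXTn/Wxhci5jb20=?=
{
        # NOTE(review): this nested recipe had three conditions of the form
        # "* \<char>" whose characters are missing from this copy of the file
        # (only "* \" remains).  A condition ending in a bare backslash is a
        # line continuation and would swallow the following lines, so the
        # recipe is disabled until the conditions are restored from the
        # author's original.  Matching mail falls through to the folder
        # delivery below, which keeps a copy.
        # :0 WB # ---------------------------------------------------------------
        # * \<lost character>
        # * \<lost character>
        # * \<lost character>
        # $SPAM_NULL_FONT

        :0 W
        spam/font/.
}

:0 WH # -----------------------------------------------------------------------
* ^Subject: =\?x-mac-thai\?B
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* ^Content-type: text/plain; charset="x-mac-thai"
$SPAM_NULL_FONT

# -----------------------------------------------------------------------------
# Chinese spam header
:0 WH # -----------------------------------------------------------------------
# Subject:\s*±q¥¼¨£¹L³o»ò Q ªº²£«~!! ¥©³s´¼ Ä_Ä_ª© DVD®M¸Ë !
* ^Subject: *±
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
# Subject:\s*²³¹¿µÄ¨èÜ·
* ^Subject: *²
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* ^Subject: *=\?Big5
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* ^Subject: *=\?Big5
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* ^Subject:=\?big5\?
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* ^From: *=\?Big5\?
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* =\?big5\?
$SPAM_NULL_FONT

# -----------------------------------------------------------------------------
# No idea what language this 1252 spam is. Maybe Korean ?
# NOTE(review): windows-1252 is the ordinary Western European Windows charset,
# so these two rules are likely to hit legitimate mail once they match.
:0 WHB # ----------------------------------------------------------------------
* ^Subject: *=\?Windows-1252\?B\?
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* ^From: *=\?Windows-1252\?B\?
$SPAM_NULL_FONT

# -----------------------------------------------------------------------------
# Chinese spam body
:0 WHB # ----------------------------------------------------------------------
* charset=big5
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset="BIG-5"
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset="big5"
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset= "big5"
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset=3Dbig5
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset=gb2312
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* ^Subject: *=\?GB2312\?B\?
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset="GB2312"
$SPAM_NULL_FONT

:0 WB # -----------------------------------------------------------------------
* charset="CHINESEBIG5"
$SPAM_NULL_FONT

:0 WHB # Russian spam Cyrillic ------------------------------------------------
* charset=koi8\-r
$SPAM_NULL_FONT

# =============================================================================
:0 WH # -----------------------------------------------------------------------
# rule added Mon Apr 19 17:25:04 CEST 2010
# From: =?utf-8?B?0JrQvtC90LTRgNCw0YI=?=
* ^From: =\?utf-8\?B\?0
* charset="utf-8"
| $RCVSTORE +spam/russian
# JJLATER $SPAM_NULL_FONT when its seen to be just russian

:0 WH # -----------------------------------------------------------------------
# rule added Mon Apr 19 17:25:04 CEST 2010
# Subject: =?utf-8?B?0KMg0LLQsNGBINGB0LvQuNCy0LDRjtGCINGC0L7Qv9C70LjQstC+IQ==?=
* ^Subject: =\?utf-8\?B\?0
* charset="utf-8"
| $RCVSTORE +spam/russian
# JJLATER $SPAM_NULL_FONT when its seen to be just russian

# =============================================================================
:0 WH # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# NOTE(review): the original "=?UTF-8?" left both "?" unescaped, so it could
# not match an encoded-word Subject.  With the escapes in place this rule
# covers any UTF-8 encoded Subject on 8bit text/plain mail, which includes a
# great deal of legitimate mail - keep an eye on it.
* ^Subject: =\?UTF-8\?
# http://en.wikipedia.org/wiki/Utf-8
# Could be anything, not just Russian, I dont care, dump non ascii excrement.
* ^Content-Type: text/plain; charset="utf-8"
* ^Content-Transfer-Encoding: 8bit
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset="koi8\-r"
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
# Japanese spam
* charset="Shift_JIS"
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset=ISO-2022-JP
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* ^Subject: *=\?ISO-2022-JP\?
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* ^Subject: *=\?ISO-2022-JP\?
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* ^Subject: *=\?shift-jis\?
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset="iso-2022-jp"
$SPAM_NULL_FONT

:0 WB # -----------------------------------------------------------------------
# Content-Type: text/plain
* charset="shift-jis"
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* ^Content-Type: text/plain; charset=koi8\-r
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* ^Subject: =\?koi8\-r\?
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset=Windows-1251
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset=3DWindows-1251
$SPAM_NULL_FONT

:0 WB # -----------------------------------------------------------------------
* charset="iso-2838-4"
| $RCVSTORE +spam/charset

# -----------------------------------------------------------------------------
# Anyone quoting a numeric is suspicious, maybe a spammer,
# or someone on dynamic DNS who doesnt want to be traced back.
:0 WB # -----------------------------------------------------------------------
# NOTE(review): the line breaks of this file were lost in this copy; the
# [[:digit:]] form is taken to be the commented-out attempt and the [0-9]
# form the live condition - confirm against the author's original.
# JJLATER might FAIL: * http://[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+
* http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
$SPAM_NULL_NUMERIC_IP

:0 WB # -----------------------------------------------------------------------
* http://%
$SPAM_NULL_NUMERIC_IP

:0 WB # -----------------------------------------------------------------------
* http://www\.%
$SPAM_NULL_NUMERIC_IP

# -----------------------------------------------------------------------------
# EG: http://%11%11.%11%11%11.%11%11%11%1e%11%11/%11%11%1a%1f%11%11%11%11%11
# -----------------------------------------------------------------------------
# All 1-9 converted to 1 so the spammers dont benefit
# http://o%11%1Eo%11o%11s @oow %1Coosao%11ed bo%1A/ooo %11 /?fo %11oo
:0 WB # -----------------------------------------------------------------------
* http://\&#
# The # in the line above does not need to be delimited.
$SPAM_NULL_NUMERIC_IP

# -----------------------------------------------------------------------------
# Problem yet to solve
# http://acl ro @wwo.oogoooono io/ooo /?o oteo
# http://joocaooa1 @oow.hugoooooo boo/unoobocoibo.ooo?oiveoy
# -----------------------------------------------------------------------------
# Intercept: http://11.111.111.11/ads/precision/debtspecialist
# But not intercept EG 01051.com which is a non spamming
# (as far as I know) cheap phone caller.
# I have tested next line, it works.
# -----------------------------------------------------------------------------
# As spammers send spam masquerading as me, lots of sites reject back to me
# spam that I never sent.
# I used to have these reject messages in my spam phrases list,
# but to allow for times (such as during a reconfig) when I suspect I really
# may have had a genuine bounce, it is better to separate them here.
# \<\<\< 550 Email rejected by sandiego.com spam blocker
:0 WB # -----------------------------------------------------------------------
* ^banned filename in an email to you from:
| $RCVSTORE +spam/filename

:0 WB # -----------------------------------------------------------------------
# NOTE(review): in procmail \< matches any non-word character, not only "<",
# so this is slightly looser than a literal "<<< 550".
* ^\<\<\< 550 Email rejected by
* spam blocker
| $RCVSTORE +spam/blocker

:0 WB # -----------------------------------------------------------------------
* Action: failed
* Relaying denied\. Proper authentication required\.
| $RCVSTORE +error/auth-sasl

:0 WH # -----------------------------------------------------------------------
* ^Received: by mail\.brierdr\.com
# brierdr runs amavisd detector, forwards to me
# Subject:\s*\*\*\* JUNK MAIL \*\*\*Original_spam_subject
# Mime-Version: 1.0
# X-Spam-Status: Yes, hits=3.187 tagged_above=-999 required=1 tests=BAYES_00,
#       HELO_DYNAMIC_DHCP, HTML_10_20, HTML_IMAGE_ONLY_24, HTML_MESSAGE,
#       MSGID_FROM_MTA_ID
# X-Spam-Level: \*\*\*
# X-Spam-Flag: YES
* ^Subject: *\*\*\* JUNK MAIL \*\*\*
* ^X-Spam-Flag: YES
| $RCVSTORE +spam/amavisd

# -----------------------------------------------------------------------------
# Hashed out, as it caught mail from mjm@codito._ERASE_.de & one other person.
# :0
# * ^Received: from unknown
# | $RCVSTORE +spam/unknown
# -----------------------------------------------------------------------------
# JJLATER Block commented out till I add something, eg a "to:" clause
# someone who genuinely mailed me as they were webmaster@www.somewhere
# get caught by this
# :0 WB
# * .[a-z][a-z][a-z]@www
# JJLATER
# | $RCVSTORE +spam/redirect
# -----------------------------------------------------------------------------
# 2 letter country codes EG uk fm tv us it de
# :0 WB
# * .[a-z][a-z]@www
# | $RCVSTORE +spam/redirect
# -----------------------------------------------------------------------------
# Other odd top level domain names:
# :0 WB
# * .family@www
# | $RCVSTORE +spam/redirect
# :0 WB
# * .info@www
# | $RCVSTORE +spam/redirect
# :0 WB
# * .name@www
# | $RCVSTORE +spam/redirect

:0 WB # MIME Enclosures: Much is just HTML spam, but not all. # ---------------
* ^Content-type: audio
$SPAM_NULL_FORMAT

:0 WB # -----------------------------------------------------------------------
* ^Content-Type: application/x-shockwave-flash
$SPAM_NULL_FORMAT

:0 WB # -----------------------------------------------------------------------
* ^Content-Type: application/x-msdownload
$SPAM_NULL_FORMAT

:0 WB # -----------------------------------------------------------------------
* ^Content-Type: audio/x-midi
$SPAM_NULL_FORMAT

# Cant use
#       * ^MIME-Version:
# as EG Gary & Ernst send:
#       Mime-version: 1.0
#       Content-type: text/plain; charset=us-ascii

:0 WH # -----------------------------------------------------------------------
# Incompetent spammers run spam software unloaded
# with addresses & subject, sending generic macro spam.
* !^Subject:
{
        :0 WB
        * ^Content-Type: text/html
        * ^Date: \%CURRENT_DATE_TIME
        * ^\%MESSAGE_BODY
        $SPAM_NULL_FORMAT
}

:0 WH # High bit strings - Maybe 16 bit Chinese ? -----------------------------
# Example: Subject: ¦]À³¹L¦~¨ì¦³40»õ»È¦æ¥Á¶¡©ñ´Ú
# XD:.....: Subject: ?]???L?~????40???????????????
# XD:.....: 576666732A5CBB4A7AEAB33BFBCAEACBAAFBD0
# XD:.....: 352A534A06D039C6E8C6340B5B8665161914AA
# To generate nasty high bit bytes in next line I used:
# cd ~/src/bsd/jhs/bin/local/inob ; inob 0x80 > 80 ; inob 0xff > ff
# NOTE(review): per the line above, the bracket ranges are meant to be the
# single bytes 0x80-0xff.  The file has to be kept as raw 8-bit text; if an
# editor or transfer re-encodes it (e.g. to UTF-8) each end of the range
# becomes several bytes and the condition no longer means "six high-bit bytes".
* ^Subject: .+[€-ÿ][€-ÿ][€-ÿ][€-ÿ][€-ÿ][€-ÿ]
| $RCVSTORE +spam/subject_8bit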