# $Id: badheaders,v 1.7 1999/03/10 18:59:39 explorer Exp $
#
# This file assumes the threshold is set to 1000.
#
# File format is:
#     where rating regexp
#
# There should be exactly _one_ _space_ (not tab) between the rating and
# the regexp...  Blank lines are ok, and comments begin with #.
#
# "where" is either H, h, B, or b, for header case-sensitive and
# case-insensitive matches, and for body c-s and c-i matches.  Body matches
# do not currently work.
#
# "rating" is either an integer (positive or negative) or "A" or "R".  The
# uppercase A means always accept, the uppercase R means always reject.
# Accept takes precedence here.  If a message matches both A and R, A wins.
# This is so you can make mail to postmaster always make it through, for
# instance.
#
# Note that a # as other than the first character in a line would be parsed
# as within the regular expression.
#

#
# damned "happy99" virus...  Might as well protect those windoze losers.
#
h R ^X-Spanska: Yes

#
# this header sometimes occurs in real mail (Eudora?) but I always see it
# in spam.
#
h 100 ^comments: authenticated sender is

#
# a popular "to" header, from header, etc.
#
h R ^To: friend@public\.com
h R ^To: \(dear friend\)
h R ^To: you@yourdomain\.net
h R ^To: you@yourdomain\.org
h R ^To: you@yourdomain\.com
h R ^To: you@yourplace\.net
h R ^To: you@yourplace\.org
h R ^To: you@yourplace\.com
h R ^To: user@the_internet\.com
h R ^To: user@the\.internet
h R ^To: receiver@cyberservices\.com

#
# empty From: line...  this can also be a bounce, so keep the prio low.
# Other empty addresses are more likely spam, but I'm not certain about
# return-path, so leave that one slightly low as well.
#
h 1000 ^From: <>
h 1000 ^Return-path: <>
h 500 ^Message-Id: <>
h 400 ^Bcc:$
h 1000 ^Reply-To:[ ]*$

#
# Any site that deals with blackmagic.sorcery.net in a To, From, or
# Received: header is probably spam or a mail bomb.
#
h R ^(to|from|received): .*blackmagic\.sorcery\.net

#
# This is nasty potentially, so make all these ratings small...  It will take
# many of them to hit before a message is considered spam, but these seem to
# be common to many spammers...
#
h 200 ^X-Advertisment:

#
# A common trend seems to be subject lines like this:
#
h 100 ^Subject: .* \([0-9]+\)[[:blank:]]*$

#
# specific subject lines.  These have to be exact matches, for now...
#

#
# "fuzzy" matches, be careful...
#
h 900 ^Subject: .*FREE SEX
h 1000 ^Subject: See Amazing World Record Sex
h 900 ^Subject: .*ATTRACT WOMEN
h R ^Subject: Are They Investigating You
h R HELO user722\.findfast\?kx4\.com

#
# It is so nice to have a law in CA that tries to do the right thing...
#
h R ^Subject: ADV:

#
# something on the From: line with more than one @ sign in it.  Bad.
# this catches things like friend@your-host@your-state, for instance.
#
h 500 ^(To|From|Reply-To|Comments|X-From-Line): [[:graph:]]+(@[[:graph:]]+){2}

#
# This one is _always_ in some spam, usually "bullseye gold" (the bastards)
#
h R ^received: from mail\.apache\.net\(really \[164/187\]\) by relay\.comanche\.com
h R ^received: from baby \(

#
# These are mail bomb programs.  Drop these as well.
#

#
# "avalanche" tell-tale sign
#
h R ^Received: .*blackmagic\.sorcery\.net
h R ^Received: from 580\.chain\.letters by annoyed\.com
h R ^Message-Id: <844687860169\.VUS49737@annoyed\.com>
h R ^x-mailer: avalanche
h R ^Received: from i'm\.sleeping\.with\.your\.husband\.who\.has\.a\.little\.dick

#
# Some headers that "up yours" might use, but ones which should be
# time-dependent
#
h R ^x-mailer: Up Yours
h R ^x-sender: look@my\.asshole\.gov
h R ^in-reply-to: <3\.0b26\.32\.19961018082417\.0093ce80@entex\.com>
h R ^Date: Thu, 10 Oct 97 16:23:59 -0400
h R ^Date: Tue, 17 Oct 1995 10:14:32 -0400
h R ^Message-ID:
h R ^
h R ^received: by csa\.bu\.edu \(8\.6\.10/Spike-2\.1\) id SAA05175; Sun, 20 Oct 1996
h R ^References: <3\.0b11\.32\.19960923163035\.006a1b80@relay\.com>
h R ^References: <32C3DBE6\.226F@msn\.com>

#
# other mail bombers
#
h R ^x-mailer: MaiL BeNDeR bY FeNDeR
h R ^Received: from socgen\.com by harborside\.comwith smtp
h R ^Received: from harborside\.com by nymserver\.com id db54206;

#
# Set it so mail to postmaster will (almost) always make it through.
#
h A ^(To|From): .*(postmaster|MAILER-DAEMON|admin)@(.*flame\.org|.*sorcery\.net)
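A small parser and scorer for the file format described in the header comments, added here as an example; it is not the filter's own code. It implements the stated rules (exactly one space between fields, # comments, H vs h case sensitivity, B/b rules skipped because body matches do not work, A overriding R, integer ratings summed against the 1000 threshold). The embedded rule set is a constructed subset of the file that avoids POSIX classes such as [[:blank:]], which Python's re module lacks; counting each rule once per message and treating score >= threshold as spam are assumptions.

```python
import re

# Constructed subset of the rules above, in the same "where rating regexp" format.
RULES_TEXT = r"""
# comments and blank lines are ignored

h 1000 ^From: <>
h 1000 ^Reply-To:[ ]*$
h R ^To: friend@public\.com
h R ^Subject: ADV:
h 100 ^comments: authenticated sender is
h A ^(To|From): .*(postmaster|MAILER-DAEMON|admin)@(.*flame\.org|.*sorcery\.net)
"""

def parse_rules(text):
    """Parse rules into (where, rating, compiled regex) tuples."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        # One space after "where" and one after the rating; the rest of the
        # line, spaces included, is the regexp.
        where, rating, pattern = line.split(" ", 2)
        if len(where) != 1 or where not in "HhBb":
            raise ValueError(f"line {lineno}: bad 'where' field {where!r}")
        if rating not in ("A", "R"):
            rating = int(rating)          # positive or negative integer
        flags = 0 if where in "HB" else re.IGNORECASE
        rules.append((where, rating, re.compile(pattern, flags)))
    return rules

def score_headers(rules, headers, threshold=1000):
    """Return (verdict, score) for a list of header lines."""
    score, accept, reject = 0, False, False
    for where, rating, rx in rules:
        if where in "Bb":
            continue                      # body matches do not currently work
        if any(rx.search(h) for h in headers):   # assumption: one hit per rule
            if rating == "A":
                accept = True
            elif rating == "R":
                reject = True
            else:
                score += rating
    if accept:                            # A wins over R, per the file header
        return "accept", score
    if reject or score >= threshold:      # assumption: >= threshold is spam
        return "reject", score
    return "deliver", score

RULES = parse_rules(RULES_TEXT)
# Constructed sample header sets.
SPAM = ["From: <>", "Reply-To:   ", "Subject: hello"]
ADV = ["From: someone@example.net", "Subject: ADV: buy now"]
POSTMASTER = ["To: postmaster@mail.flame.org", "Subject: ADV: complaint"]
CLEAN = ["From: alice@example.net", "Comments: Authenticated sender is alice"]
```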