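#
# Oxford Astrophysics system procmail filter /etc/procmailrc
# pmc 19/01/98
#
# Procmail examples at
#   http://www.umbi.umd.edu/computing/procmail.html
#   http://www.ling.helsinki.fi/~reriksso/procmail/links.html
#
# We use EXITCODE=68 when rejecting mail (on rules we are sure about). This
# causes sendmail to return a permanent fatal `host unknown' error to the
# sender, which is much less effort than a canned reply but may help to get
# us off the spam list. Alternative codes are given in
# /usr/include/sysexits.h; obvious ones are 67 (addressee unknown) or
# 77 (permission denied) but these mask real messages in the logs which
# are sometimes useful.
#
# NOTE(review): this is the system-wide rc, so it runs for every recipient.
# Depending on how the MTA invokes procmail it may still hold root
# privileges while processing this file (see DROPPRIVS in procmailrc(5)).
# Treat everything here as privileged: the PATH below, the shell pipeline
# in the bounce recipe, and the /var/log/spam files (which must then live in
# a directory only root can write to, or a user can redirect the append via
# a symlink). Confirm the invocation; consider DROPPRIVS=yes at the point
# where per-user processing should begin.
#
SHELL=/bin/sh
# Only root-owned system directories come first. The old PATH also listed
# `.' (procmail's working directory, normally the recipient's $HOME) and
# /var/mail (the spool, commonly world-writable): either lets a local user
# plant a `formail', `fmt' or `sendmail' that this file would then run.
# $HOME/bin is kept, but last, so it can only supply commands the system
# lacks; nothing in this file needs it.
PATH=/usr/bin:/bin:/usr/local/bin:$HOME/bin
#
# Make sure LINEBUF is big enough to cope with the long lists of domains
# used later (the condition lines below are kept on one line each).
#
LINEBUF=8192

#########################################################################
#
# Catch mail loops
#
# A message already carrying one of our own X-Loop headers has been through
# this file before. Only its header (flag h) is forwarded, under a lockfile.
#
:0 h: xloop.lock
* ^X-Loop: postmaster@astro.ox.ac.uk
! postmaster

:0 h: xloop.lock
* ^X-Loop: root@astro.ox.ac.uk
! root

#######################################################################
#
# Bounce messages for users that we don't want to receive mail. This
# is more friendly than mail-aliasing their id to /dev/null. Obviously
# the mail is rejected by sendmail if the account is deleted.
#
# NOTE(review): formail -r replies to whatever the incoming message names
# as its sender. The FROM_DAEMON and X-Loop tests stop most loops, but a
# forged sender still receives an unsolicited reply from us (backscatter);
# keep this list to accounts that genuinely need a human-readable reply.
#

## No mail to the proto account
REASON="This account is for system administration purposes only. If you \
want to reach a person please contact star@astro.ox.ac.uk."

:0 h
*!^FROM_DAEMON
*!^X-Loop:proto@astro.ox.ac.uk
* ^To.*proto@astro.ox.ac.uk
{
  # Build the reply from the original header (formail -r), tag it with the
  # X-Loop header tested above so a second pass is caught, and hand it to
  # sendmail, which takes the recipient from the headers (-t).
  :0 Ah
  |(formail -r -a "Subject: Undelivered mail" \
      -i "Precedence: junk" \
      -i "Priority: non-urgent" \
      -i "X-Loop:proto@astro.ox.ac.uk" \
   ; echo "" \
   ; echo "Your mail was not delivered to proto@astro.ox.ac.uk." \
   ; echo "" \
   ; echo "$REASON" | fmt -72 \
   )| $SENDMAIL -t
}

#########################################################################
#
# Improper headers indicate spam
#
# Every "log" delivery below is a normal file delivery (no `c' flag): the
# message is written to the log and is NOT delivered to the user.
# NOTE(review): these deliveries take no lockfile (`:0:' would add one), so
# two deliveries running at once can interleave their appends to the same
# log. Adding the second colon requires /var/log/spam to allow lockfile
# creation for every identity this file runs as -- check before changing.
#

# An empty Message-ID (`<>') indicates spam. A message with no Message-ID
# header at all is not caught by this test; that would need `!^Message-ID:'.
# More complicated rules to enforce compliance to RFC822 are floating
# about, but the following seems to do the trick for spam.
:0
* ^Message-ID.*<>
{
  EXITCODE=68
  :0 h
  /var/log/spam/no_id.log
}

# An empty Return-Path (`<>') on something that does not look like daemon
# mail indicates a fake: `<>' is the null reverse path bounces carry, and
# FROM_DAEMON is what excludes those.
:0
* !^FROM_DAEMON
* ^Return-Path.*<>
{
  :0
  /var/log/spam/no_return.log
}

# From name@name... but not received from name: the Return-path local part
# (captured into MATCH by \/) is repeated as the From: domain, yet no
# Received: line mentions that name, so the From: does not agree with where
# the message actually came from.
:0
* ^Return-path:.*<\/[^@]*
* $ ^From:.*\<$MATCH@$MATCH\>
* $ ! ^Received:.*\<$MATCH\>
{
  :0 h
  /var/log/spam/bad_header.log
}

# Masking the path
:0
* ^Received.*unknown host
{
  :0
  /var/log/spam/bad_header.log
}

#########################################################################
#
# Known spam mail programs
#
:0
* ^(X-Mailer|Comments).*(Floodgate|WorldMerge|Extractor|stealthmail)
{
  :0 h
  /var/log/spam/spam_mailer.log
}

:0
* ^X-.*(Cyber-Bomber|cyberpromo)
{
  :0 h
  /var/log/spam/spam_mailer.log
}

# a popular spam mail program puts a duff timezone in the header:
# -0600 is not EST and -0700 is not EDT.
:0
* ^Received:.* (-0600 \(EST\)|-0700 \(EDT\))( |$)
{
  :0
  /var/log/spam/spam_mailer.log
}

#########################################################################
#
# Reject the IEMMC spam. More information from
# http://members.aol.com/macabrus/agisfaq.html
#
# The AGIS netblock given there is a bit too heavy handed.
#
:0
* ^X-.*(Advertisement|iemmc)
{
  EXITCODE=68
  :0 h
  /var/log/spam/iemmc.log
}

#########################################################################
#
# Dodgy usernames.
#
# Info could be valid, but is very popular with spammers.
#
# The space in front of each name looks intended as a crude word boundary,
# so that e.g. "myfriend@" is not matched -- TODO confirm before editing
# the list. The names were previously split by a line wrap ("floodgat e",
# "marketing | success"); they are whole words again here.
#
:0
* ^(From|To|Reply-To).*( golfer.| foryou| exciting| emailing| contest| floodgate| credit| friend| afriend| friends| allinternetusers| home_employ| .*marketing| success| sales| money| F\.Y\.I)@
{
  :0
  /var/log/spam/username.log
}

#########################################################################
#
# Dodgy domains - sendmail will reject based on DNS lookups on the From
# line only. Note that the domain must be preceded with a dot or an @,
# so we match, for example, mars.net and faceon.mars.net, but not
# barsmars.net. The trailing \> stops the TLD matching inside a longer
# word (mars.network no longer matches). Several domain names here were
# previously broken by a line wrap ("you r-domain", "any where", ...).
#
# Domains with valid users are dealt with at the end.
#
:0
* ^(From|Reply|To|Sender).*@(.*\.)?(advertise|interpoint|hothotmail|writeme|your-domain|yourdomain|memo|emailtools|hitmasters|atozonline|classifiedcentral|anywhere|somewhere|gentrace|mail-response|savetrees|naturalinstincts|friendly|success|nowhere|goldenapples|infowatch|fastgrowth|elsewhere|mailgram|hotline|favourably|stealthmail|noreply|no-reply|yourplace|mars|commonwealthpub|2bornot2b|lustingforyou|internetmedia|bookpromotions|newhome|casinochico|nametrace|daltek)\.(com|net)\>
{
  :0
  /var/log/spam/domain.log
}

:0
* ^Return-Path.*martianconsulate\.(com|net)\>
{
  :0
  /var/log/spam/return-path-domain.log
}

#########################################################################
#
# The following are domains that contain a large number of valid users, but
# are also heavily used by spammers. Generally spam email is addressed only
# to the spamming address (then uses BCC or an alias which we can't see).
# Allowing mail explicitly addressed to local users as well as mailing lists
# seems to work well, although the whole message is kept and periodically
# monitored to check.
#
# I am assuming that all mailing lists are well behaved and set a
# precedence header, and that spam does not. This is not true for some
# lists and they are excepted as discovered.
#
:0
* !^(From|To|cc).*oxford.ac.uk
* !^(From|To|cc).*ox.ac.uk
* !^(From|To|cc).*jadfe@jbx.com
* !^From.*Knightwave
* !^Sender.*FKFIC-L
* !^X-Listname
* !^Precedence.*(list|bulk)
* ^(To|From).*@(aol\.com|mailexcite\.com|netcom\.com|juno\.com|hotmail\.com|usa\.net|earthlink\.net|impulse\.net|banet\.net)
{
  :0
  /var/log/spam/abused.log
}

# same deal for from id's that could be genuine, but are more often spam
#
:0
* !^(From|To|cc).*oxford.ac.uk
* !^(From|To|cc).*ox.ac.uk
* !^Sender.*FKFIC-L
* !^X-Listname
* !^Precedence.*(list|bulk)
* ^(From|To|Reply-To).*( info| associates)@
{
  :0
  /var/log/spam/abused_names.log
}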