spam filters - 2004-02-13 - By Hal Burgiss
On Fri, Feb 13, 2004 at 10:15:55AM -0600, hanfamily@(protected) wrote:
> I have been reading tons of howtos and have figured out howto
> redirect all the redhat-list to its own folder. I don't see
> how to filter html mail, what does the rule look like?
See below. I include my virus stuff, whitelist stuff, and some of
the better spam rules (IMO).
I do use postfix features (access.db, etc), and bogofilter too.
But procmail is the most flexible and gives the most control, IMO.
> Thanks
> Linda
> On Fri, 13 Feb 2004, Hal Burgiss wrote:
> <snip>
> > I just do my own. I use procmail behind bogofilter (Bayesian spam
> > filter on sourceforge). The single best rule _for me_ is to use a
> > whitelist of friends, cohorts, partners in crime, etc, and then nuke
> > all HTML mail. Most of the bad stuff is HTML. I get 99+% this way on
> > 2000+ spams per week. Also, real high virus control (not that they can
> > hurt me, but its just more junk).
> >
> <snip>
# Excerpts from Hal's .procmailrc:
# Here is a procmail recipe to trap the Sircam worm:
:0H
* From.*(root|postmaster)@(protected)\.net
$MAIL
# Virus recipes ...
## Microsoft support virus, W32/Gibe-F I think, 18/9/03
:0 B
* ^AGiEo0AAZKEAAAAAUGSJJQAAAABRUbhQFAAA6FSUAABTVleJZegz24ld/It9DIgfjYWs6///UGgA$
{ LOG="Virus W32/Gibe-F: "
:0
/dev/null
}
:0
* X-Content-Security:.*Trapped \/.*(worm)?
{ LOG="Virus $MATCH: "
:0
/dev/null
}
# More virus stuff ...
:0 #fhw
* B ?? ^Content-type: (audio|application)
* B ?? name=.*\.(com|exe|bat|scr|pif|lnk|hta|shs|vb[es]|ws[fh])\>
* Subject: *\/.+
{ LOG="Virus, generic: "
:0
/dev/null
}
# More things to look for in the body
:0 B
* name=.*\.(vbs|wsf|vbe|wsh|hta|scr|pif|com|exe|shs|bat|bas|mp3|mp2|scr|wav|mpg|avi|eml|dll)
{ LOG="Virus 2: "
:0
/dev/null
}
:0
* > 10000
* ^Subject:.*(new(est)?|critical|last|new net|internet) (pack|upgrade|pacth|(Security|MS|microsoft)? ?update)
{ LOG="Virus 3: "
:0
/dev/null
}
# Virus myDoom?
:0 HB
* > 30000
* < 33000
* ^Subject: (|hi|test|hello|error|status|mail transaction failed|mail delivery system|server report)$
* filename=\"[a-z]+\.zip
* ^Content-Transfer-Encoding: base64
{ LOG="Virus MyDoom: "
:0
/dev/null
}
# Nuke all duplicate messages, so we only get one copy of each mail.
:0 Wh: msgid.lock
| $FORMAIL -D 16384 msgid.cache
# Keep a backup copy of all mail (except l-k). Moved 09/22/03. Insurance.
:0 c:
$MY_MAIL/backup
# Whitelists: ##########################################################
#
#do nothing. hopefully avoid false positives. Personal mail here.
:0H:
* ^(From|To|Cc):.*(uues|grayson\.net|rhett@|leena@|jason.oz@|\.lisa.com|r_wiley_p|edwina@|wando@|@(protected)|hazelip|americancentury|cristiano|oesterhelt|charley220|@(protected)|-DAEMON@(protected)|d_baddog@|vanderbolt@|noreply@(protected)|bugzilla@(protected)|FETCHMAIL-DAEMON@(protected)|tripwire@|uky\.edu)
$MAIL
# Do nothing. hopefully avoid false positives. Mailing lists stuff here. More
# below.
:0H:
* ^(From|To|Cc).*(windowmaker|redhat|tldp|psyche|mailhelp|spam-howto|procmail|@(protected)|zbrown@)
$MAIL
## end whitelist ########################################
# bogofilter Bayesian filter here. To its own mailbox for quarantining.
:0HB:
* ? bogofilter -l -vvv
$BOGO_MAIL
# Nuke HTML mail, if not from whitelisted friend.
# HTML enabled mail.
:0 BH:
* ^Content-Type:.*(text/html|multipart/alternative)
$SPAMTRAP
# Alternate method.
:0 B:
* \<META HTTP-EQUIV=\"?Content-Type\"? *CONTENT=\"?text/html
$SPAMTRAP
# 05/25/03
:0 BH:
* Content-Transfer-Encoding: base64
$SPAMTRAP
# Some general spam type traps. ##################################
# "Remove me " is usually spammer lingo.
:0B:
* (un-?sub(scribe)?|remove(me)?)\.(htm|asp|php|cgi|gif|jpg|jsp)
$SPAMTRAP
:0B:
* remove(me)?@
$SPAMTRAP
:0B:
* subject=(un-?sub|remove|3D)
$SPAMTRAP
:0B:
* (http|mailto):.*optout
$SPAMTRAP
:0B:
* (business proposal|urgent response|mutual trust)
$SPAMTRAP
:0B:
* as seen on ((national )?tv|cnn|(ms)?nbc|cbs|abc)
$SPAMTRAP
# I block mail from known spam friendly countries, in access.db.
# Chinese spam
:0:
* ^Parts/Attachments:.*charset.*big5
$SPAMTRAP
:0 BH:
* charset=.*(big5|GB2312|ks_c_5601-1987|euc-kr)
$SPAMTRAP
# Catch purely numeric addresses
:0:
* ^From:.*( |<)[0-9]+@
$SPAMTRAP
# Bad message ids
:0:
* ^Message-Id:.*<[^@]*>
$SPAMTRAP
# Suspect senders/recipients ...
:0H:
* ^(To|From).*(income|free|sex\ |success|credit|marketing).*\@
$SPAMTRAP
:0H:
* (From|Return-Path|Reply-To).*\.biz
$SPAMTRAP
:0HB:
* (Nigeria|prank call)
$SPAMTRAP
## Try to catch unwanted Bcc stuff... all my addresses are belonga-us. One must be
## Either a To or a Cc to the real me.
## Now I know why I get so much spam...too many email addies.
:0H
* ! ^(To|Cc):.*(hal9?|hdb|stmfs..)@(foobox|burgiss|stmfs|privoxy|users\.s|feenix|localhost|iglou)
{ LOG="Bcc trap: "
:0
$SPAMTRAP
}
# Vacation recipe ####################################
:0 Whc: vacation.lock
# Perform a quick check to see if the mail was addressed to us
# * From: hal@
### Dummy to kill the recipe: Remove to make it live.
* From: bozzzzzzzzzzotheclown
* $^To:.*\<$\LOGNAME\>
# Don't reply to daemons and mailinglists
* !^FROM_DAEMON
# Mail loops are evil
* !^X-Loop: hal@(protected)
| formail -rD 8192 vacation.cache
:0 ehc # if the name was not in the cache
| (formail -rI "Precedence: junk" \
-A "X-Loop: hal@(protected)" ; \
echo "Yo! I did receive your mail today,"; \
echo "but I'm away and won't be back until Monday."; \
echo "-- "; cat $HOME/.signature \
) | $SENDMAIL -oi -t
## set vi: tw=256 nowrap
--
Hal Burgiss
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@(protected)?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
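As an added illustration (not code from Hal's post or from the procmail project), here is the ordering of the recipes above re-expressed in Python: the whitelist is consulted first, then the broad HTML and base64 traps, then the body "remove me" trap and finally the Bcc trap, run over a few constructed messages. The "real me" addresses, the whitelist entries and every message are made up for this example; the regexes are trimmed copies of the post's own conditions.

```python
import re
from typing import NamedTuple, Tuple, Dict

# Assumed placeholders: the post's own address and whitelist patterns are longer
# and partly redacted, so these are constructed for the example.
MY_ADDRESSES = r"(hal|hdb)@(foobox|burgiss)"
WHITELIST = r"^(From|To|Cc):.*(grayson\.net|rhett@|procmail|redhat)"


class Rule(NamedTuple):
    name: str
    scope: str             # "H" = headers, "B" = body, "HB" = both, like procmail flags
    pattern: str
    folder: str
    negate: bool = False   # a procmail "* !" condition: fire when the pattern is absent


# Same order as the post: whitelist before the broad traps, so that friends'
# HTML and base64 attachments are delivered instead of trapped.
RULES = [
    Rule("whitelist", "H", WHITELIST, "inbox"),
    Rule("html", "HB", r"^Content-Type:.*(text/html|multipart/alternative)", "spamtrap"),
    Rule("base64", "HB", r"Content-Transfer-Encoding: base64", "spamtrap"),
    Rule("remove-me", "B", r"(un-?sub(scribe)?|remove(me)?)\.(htm|asp|php|cgi|gif|jpg|jsp)", "spamtrap"),
    Rule("bcc-trap", "H", r"^(To|Cc):.*" + MY_ADDRESSES, "spamtrap", negate=True),
]


def split_message(raw: str) -> Tuple[str, str]:
    """Headers and body are separated by the first empty line (RFC 822 layout)."""
    head, _, body = raw.partition("\n\n")
    return head, body


def classify(raw: str) -> Tuple[str, str]:
    """Return (folder, rule name); the first matching rule wins, which mirrors
    procmail stopping at the first delivering recipe whose conditions hold."""
    head, body = split_message(raw)
    scopes = {"H": head, "B": body, "HB": head + "\n" + body}
    for rule in RULES:
        # procmail conditions are case-insensitive and '^' anchors at any line start
        flags = re.IGNORECASE | re.MULTILINE
        hit = re.search(rule.pattern, scopes[rule.scope], flags) is not None
        if hit != rule.negate:
            return rule.folder, rule.name
    return "inbox", "default"


# Constructed sample messages; none of these are real mail.
SAMPLES: Dict[str, str] = {
    "friend_html": (
        "From: rhett@example.net\nTo: hal@foobox.example\nSubject: photos\n"
        "Content-Type: text/html\n\n<html><body>hi</body></html>\n"
    ),
    "stranger_html": (
        "From: deals@example.com\nTo: hal@foobox.example\nSubject: Great offer\n"
        "Content-Type: multipart/alternative; boundary=\"b1\"\n\n--b1\n"
        "Content-Type: text/plain\n\nbuy now\n--b1--\n"
    ),
    "remove_link": (
        "From: promo@example.org\nTo: hdb@burgiss.example\nSubject: Cheap stuff\n"
        "Content-Type: text/plain\n\n"
        "Click http://www.example.org/remove.cgi?id=42 to stop these mailings.\n"
    ),
    "plain_colleague": (
        "From: colleague@example.edu\nTo: hal@foobox.example\nSubject: meeting\n"
        "Content-Type: text/plain\n\nSee you at three.\n"
    ),
    "bcc_only": (
        "From: someone@example.com\nTo: undisclosed-recipients:;\nSubject: hello\n"
        "Content-Type: text/plain\n\nPlain text with nothing suspicious.\n"
    ),
    # A non-whitelisted colleague's PDF: caught by the base64 trap, which is the
    # false-positive cost the post accepts in exchange for the whitelist.
    "colleague_pdf": (
        "From: colleague@example.edu\nTo: hal@foobox.example\nSubject: report\n"
        "Content-Type: application/pdf; name=\"report.pdf\"\n"
        "Content-Transfer-Encoding: base64\n\nJVBERi0xLjQK\n"
    ),
}


def classify_all() -> Dict[str, Tuple[str, str]]:
    """Run every sample through the rule chain."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (folder, why) in classify_all().items():
        print(f"{name:16} -> {folder:9} ({why})")
```

The `colleague_pdf` case is the one to look at: the base64 trap fires on any attachment from a sender who is not on the whitelist, so with this ordering the whitelist is the only thing standing between a legitimate attachment and the spam trap, which is why the post puts personal and list addresses there first.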