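# Let's deal with some really suspect stuff, regardless of subject
#
# Every recipe in this section delivers the matching message to its own
# numbered mailbox under $MAILDIR, with a local lockfile (the trailing
# colon of ":0:").  Nothing here discards mail, so a false positive can
# still be recovered from the corresponding spam-mailN file.

# Anything mailed to a message ID is too suspect to consider
# (recipient "sauron", an optional "$", then ten digits shaped like a
# YYMMDDhhmm timestamp, at morannon).
:0:
* ^TO[0-9]*sauron[$]?[09][7890123][01][0-9][0-3][0-9][0-2][0-9][0-5][0-9]@morannon
$MAILDIR/spam-mail1

# A Received: line that consists only of a "CLOAKED" banner.
:0:
* ^Received: from [*-]+ CLOAKED!* [*-]+[ ]*$
$MAILDIR/spam-mail2

# "From: (bozo@bozosite.tld)" is not valid.
# NOTE(review): the [ ] classes in this file contain only a space as shown;
# if they were written as space+tab, the tab has been lost -- confirm.
:0:
* ^(From|Reply-to):[ ]*\([^)]*\)[ ]*$
$MAILDIR/spam-mail3

# I get some large To/Cc lists on real mail, so check only for huge ones
# as spam suspect.  This checks for 52 or more recipients on either line.
:0:
* ^(To|Cc):.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,.*,
$MAILDIR/spam-mail4

# 10 is the highest I have seen on real mail, so far
# (The header is used instead of $score for testing.)
# The alternation is not anchored at its end, so any score of 11 or more
# matches through one of its branches.
:0:
* ^JMDigest-Score: bad (1[1-9]|[2-9][0-9]|10[0-9])
$MAILDIR/spam-mail5

# I don't like from lines of "our.com@our.com".  Procmail regexps
# are very weak for this sort of test.
# The first condition captures the domain after "@" into MATCH (the \/
# token).  That text comes from the message, so it is expanded as $\MATCH,
# which quotes regexp metacharacters: a "." in the domain then matches only
# a literal dot, and header content cannot act as a pattern.
:0:
* ^From:.*@\/[a-z0-9.-]+[.][a-z0-9-]+
* $ ^From:.*\<$\MATCH@$\MATCH\>
$MAILDIR/spam-mail6

# From "name.com@name.com" but not received from "name.com"
# (the quoted address is reconstructed from the conditions below: MATCH is
# the Return-path local part, From: must read MATCH@MATCH, and no Received:
# line may mention MATCH).  $\MATCH is used for the same reason as above:
# the captured text is sender-controlled and must be compared literally.
:0:
* ^Return-path:.*<\/[^@]*
* $ ^From:.*\<$\MATCH@$\MATCH\>
* $ ! ^Received:.*\<$\MATCH\>
$MAILDIR/spam-mail7

# I have seen spam with a space in the return path (aka envelope
# sender); this confuses my regexps for splitting mailboxes.
:0:
* ^Return-Path: <[^>]*[ ]
$MAILDIR/spam-mail8

# Header names in all caps are suspect; the D flag makes the match
# case sensitive.
:0D:
* ^(SUBJECT|DATE|FROM):
$MAILDIR/spam-mail9

# Missing canonical format space in the From line is legal but suspect.
# (constructed example: "Full Name<user@host>" instead of
# "Full Name <user@host>")
:0:
* ^From:.*[a-z0-9]<[a-z0-9]
$MAILDIR/spam-mail10

# Blank "To:" header: the header exists but holds nothing except spaces.
:0:
* ^To:
* !^To:.*[^ ]
$MAILDIR/spam-mail11

# Blank "From:" header, same test as for To: above.
:0:
* ^From:
* !^From:.*[^ ]
$MAILDIR/spam-mail12

# I'd do subject too, but I do get real mail with blank subjects.
# (Stupid MUAs should leave the header out.)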
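# Stupid pseudo-authentication.  Pegasus and maybe some others do
# put a real authentication there, so check for discrepancies.
# The claimed sender is captured from the Comments: header into MATCH, so
# it is text chosen by whoever wrote the message.  It is expanded as
# $\MATCH, which quotes regexp metacharacters, so the claimed address is
# compared literally with From: instead of being evaluated as a pattern
# (an unquoted value such as ".*" would agree with any From: line and
# switch this check off).
:0:
* ^Comments: Authenticated sender is <\/[^>]*
* $ !^(From:.*$\MATCH|X-mailer: Pegasus)
$MAILDIR/spam-mail13

# 50/50 of this being spam in my experience.
:0:
* ^X-Authentication-Warning:.*HELO protocol
$MAILDIR/spam-mail14

# More than 3/4ths of the letters are CAPITALS
# Weighted scoring on the body (B), case sensitive (D): every letter
# counts -3 and every capital counts +4, so the total is positive only
# when capitals outnumber three quarters of all letters.
:0BD:
* -3^1 [A-Za-z]
* 4^1 [A-Z]
$MAILDIR/spam-mail15

# Disabled: no From/To/Sender/Cc/Bcc (or Resent-) header mentions my
# address and the subject is not a reply.
#:0:
#* !^(((Resent-)?(From|To|Sender|Cc))|Bcc):.*(sauron@morannon)
#* !^Subject:.Re:
#$MAILDIR/spam-mail16

# Long domain names without hyphens are often junk.
# NOTE(review): in the two disabled recipes below the "*" and its pattern
# appear as separate comment lines; presumably a wrapped line -- join them
# into one condition before re-enabling.
#:0:
#*
#^From:.*@[a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9]*[.]
#$MAILDIR/spam-mail17

# With a single hyphen, allow a slightly longer name.
# Keeps out "c-y-b-e-r-p-r-o-m-o" type things.
#:0:
#*
#^From:.*@[a-z0-9-][a-z0-9-][a-z0-9-][a-z0-9-][a-z0-9-][a-z0-9-][a-z0-9-][a-z0-9-][a-z0-9-][a-z0-9-][a-z0-9-][a-z0-9-][a-z0-9-][a-z0-9-][a-z0-9-][a-z0-9-][a-z0-9-]*[.]
#* ^From:.*@[a-z0-9]+-[a-z0-9]+[.]
#$MAILDIR/spam-mail18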