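# ~jhs/.procmailrc.fonts included by ~jhs/.procmailrc.
# http://berklix.com/~jhs/dots/.procmailrc.fonts
# This file deals with font spam & other generic spam,
# but other files included from ~jhs/.procmailrc deal
# with specific spam phrases & domains.

# USA 1st Can Spam case in court Jan 2006,
# law applies as of beginning of 2004:
#	Controlling the Assault of Non-Solicited Pornography and Marketing Act
# http://www.spiegel.de/netzwelt/politik/0,1518,395648,00.html

# -----------------------------------------------------------------------------
# Delivery targets used by the recipes in this file.  Each one is currently
# pointed at $SPAM_NULL_NO_RCVSTORE; the commented alternative under each
# assignment is a per-category folder instead.
# NOTE(review): $SPAM_NULL_NO_RCVSTORE is defined outside this file.  If it is
# a discard sink, every match below is dropped with no copy to review, so a
# false positive on a charset rule is unrecoverable - confirm before relying
# on the broad rules.
SPAM_NULL_FONT=$SPAM_NULL_NO_RCVSTORE
# SPAM_NULL_FONT=spam/font/.
SPAM_NULL_NUMERIC_IP=$SPAM_NULL_NO_RCVSTORE
# SPAM_NULL_NUMERIC_IP=spam/numeric_ip/.
SPAM_NULL_FORMAT=$SPAM_NULL_NO_RCVSTORE
# SPAM_NULL_FORMAT=spam/audio/.

# =============================================================================
# Regex notes for the recipes below:
#  - procmailrc(5) lists no "\s" or "\t" escape; a backslash before an
#    ordinary letter just quotes that letter.  Whitespace is therefore
#    written as a bracket holding one space and one tab: [ 	]
#  - "?" is a regex operator, so the "=?charset?Q?" encoded-word prefix must
#    be written "=\?charset\?Q\?" to be matched literally.

:0 WB # -----------------------------------------------------------------------
* charset="windows\-1250"
* ^Content\-Type: text/plain
# | $RCVSTORE +$SPAM_NULL_FONT
#	Note $RCVSTORE must have a directory,
#	not a file such as $SPAM_NULL_NO_RCVSTORE
#	so as I often define $SPAM_NULL_FONT to
#	$SPAM_NULL_NO_RCVSTORE, avoid rcvstore.
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* ^Subject: =\?windows\-1251\?B\?
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset=Windows\-1251
$SPAM_NULL_FONT

# "=3D" is the quoted-printable spelling of "=".
:0 WHB # ----------------------------------------------------------------------
* charset=3DWindows\-1251
$SPAM_NULL_FONT

:0 WB # -----------------------------------------------------------------------
# Thai
# Was "^Content\-type:\stext/html"; "\s" only matched a literal "s" there.
* ^Content\-type:[ 	]+text/html; charset=windows\-874
# Message-Id:
# | $RCVSTORE +$SPAM_NULL_FONT
#	Note $RCVSTORE must have a directory,
#	not a file such as $SPAM_NULL_NO_RCVSTORE
#	so as I often define $SPAM_NULL_FONT to
#	$SPAM_NULL_NO_RCVSTORE, avoid rcvstore.
$SPAM_NULL_FONT

# -----------------------------------------------------------------------------
# Do not block Windows-1252 as I've seen this:
# Subject: (GEA) =?Windows-1252?Q?W=FCrmtal_stammtisch_this_Friday?= (fwd)
# Damn Microsoft with their opaque font numbers !.
# -----------------------------------------------------------------------------
# Jewish/ Israel .il
# Outer recipe: all five header conditions must hold before the nested
# recipes are tried.  The nested recipes file into spam/font/. (a folder),
# not into $SPAM_NULL_FONT, so hits from this newer rule can be inspected.
:0 WH # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* ^MIME\-Version: 1.0
* ^Content-Type: text/plain;
* charset="windows\-1255"
* ^Content\-Transfer\-Encoding: 8bit
* ^X\-MIME\-Autoconverted: from quoted\-printable to 8bit by (flat|tower|slim)\.berklix\.org
	{
	:0 WH # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	* ^From: "=\?windows\-1255\?Q\?=*".*\<.*@[a-z0-9\.\-]+\.il\>
	# From: "=?windows-1255?Q?=F4=E9=F7=F1?="
	# $SPAM_NULL_FONT
	spam/font/.

	:0 WH # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
	* ^Subject: =\?windows\-1255\?Q\?=
	# $SPAM_NULL_FONT
	spam/font/.
	}
# JJLATER New rule 2007.11.23 , I want to keep an eye on it.
# ie Might it also catch genuine replies from abuse@ postmasters,
# who I mailed as abuse@
# -----------------------------------------------------------------------------
# Turkish .tr
# Content-Type: text/plain; charset="windows-1254"
# Content-Transfer-Encoding: 8bit
# X-MIME-Autoconverted: from quoted-printable to 8bit by (flat|tower|slim)\.berklix\.org
:0 WH # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* ^Content\-Type: text/plain; charset="windows\-1254"
* ^Content\-Transfer\-Encoding: 8bit
* ^X\-MIME\-Autoconverted: from quoted\-printable to 8bit by
spam/font/.

:0 WH # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Subject: =?utf-8?Q?Sanat_Atlas=C4=B1_k=C4=B1sa_bir_s=C3=BCre_muhte=C5=9Fem_hediyeleriyle...?=
# Was "=?utf\-8?Q?": the unescaped "?" made the preceding characters optional,
# so the encoded-word prefix in the example above was never matched.
# NOTE(review): once escaped, this catches every Subject that starts with a
# quoted-printable UTF-8 encoded word, whatever the language.  It files into
# a folder rather than $SPAM_NULL_FONT; keep it that way while it is reviewed.
* ^Subject: =\?utf\-8\?Q\?
# $SPAM_NULL_FONT
spam/font/.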
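# Charset / encoded-word recipes, grouped by language.
# Regex notes for the recipes below:
#  - procmailrc(5) lists no "\s" or "\t" escape; a backslash before an
#    ordinary letter just quotes that letter, so "^Subject:\s*" only matched
#    "Subject:" followed by zero or more "s".  Whitespace is written here as
#    a bracket holding one space and one tab: [ 	]
#  - "?" is a regex operator; the "=?charset?B?" encoded-word prefix must be
#    written "=\?charset\?B\?" to be matched literally.
#  - Matching is case-insensitive unless the D flag is given.

:0 WH # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Rule added 2011_05_15
# Subject: =?iso-8859-9?Q?D=FCnyaca_=FCnl=FC_ressamlar=FDn_reprod=FCksiyon_tablolar?= =?iso-8859-9?Q?=FD_ile_duvarlar=FDn=FDz=FD_s=FCsleyin?=
# Subject: =?iso-8859-9?Q?Bo=F0ulan_600_Libyal=FD'y=FD_kurtarmak_isteyen_TSK'ya_Ba?=
#	=?iso-8859-9?Q?=FEbakan_Erdo=F0an_dur_demi=FE!?=
* ^Subject: =\?iso\-8859\-9\?Q\?.+\?=$
	{
	:0 WB # ---------------------------------------------------------------
	#
	#
	# NOTE(review): the three conditions below read "* \" in this copy; the
	# byte that followed each backslash (and the text of the two comment
	# lines above) looks lost.  As written, a trailing backslash continues
	# the line, so restore the original bytes from the source file before
	# using this recipe.
	* \
	* \
	* \
	$SPAM_NULL_FONT

	# Anything with the Subject above that the body recipe did not take
	# is kept in a folder.
	:0 W
	spam/font/.
	}

# -----------------------------------------------------------------------------
# Korean spam body
:0 WHB # ----------------------------------------------------------------------
* charset= "ks_c_5601\-1987"
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* content="text/html; charset=euc\-kr"
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset="euc\-kr"
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset=euc\-kr
$SPAM_NULL_FONT

# "=3D" is the quoted-printable spelling of "=".
:0 WHB # ----------------------------------------------------------------------
* charset=3Deuc\-kr
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset="ks_c_5601\-1987"
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset=ks_c_5601\-1987
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset="ISO\-2022\-KR"
$SPAM_NULL_FONT

# -----------------------------------------------------------------------------
# Illegible Font
# :0 WH
# * ^Subject:\s*\>\>_\Ç\ö-
# Subject:\s*\>\>_Çö-±Ý ´ë¹Ú »çÀÌÆ® °¡ÀÔ3õ¿øÁö±Þ vnuejvwus mebb cppe
# $SPAM_NULL_FONT
# -----------------------------------------------------------------------------
# Subject:\s*¿Â¶óÀÎ ´ë¹Ú Ä«Áö³ë ¹«·á°¡ÀÔ3õ¿ø Çö±ÝÃæÀü! 0w tdpi
# 0: H
# * ^Subject:\s*\¿\
# $SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* ^Subject: =\?x\-mac\-thai\?B
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* ^Content\-type: text/plain; charset="x\-mac\-thai"
$SPAM_NULL_FONT

# -----------------------------------------------------------------------------
# Chinese spam header
# NOTE(review): the high-bit characters in the next two conditions are shown
# as this copy renders them.  They appear to stand for one raw 8-bit byte
# each; the live file needs that original byte, not a multi-byte character.
:0 WH # -----------------------------------------------------------------------
# Subject:\s*±q¥¼¨£¹L³o»ò Q ªº²£«~!! ¥©³s´¼ Ä_Ä_ª© DVD®M¸Ë !
* ^Subject:[ 	]*±
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
# Subject:\s*²³¹¿µÄ¨èÜ·
* ^Subject:[ 	]*²
$SPAM_NULL_FONT

# (This recipe appeared twice in a row with identical text; one copy kept.)
:0 WH # -----------------------------------------------------------------------
* ^Subject:[ 	]*=\?Big5
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* ^Subject:=\?big5\?
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* ^From:[ 	]*=\?Big5\?
$SPAM_NULL_FONT

# Unanchored: a Big5 encoded word in any header line.
:0 WH # -----------------------------------------------------------------------
* =\?big5\?
$SPAM_NULL_FONT

# -----------------------------------------------------------------------------
# No idea what language this 1252 spam is. Maybe Korean ?
:0 WHB # ----------------------------------------------------------------------
* ^Subject:[ 	]*=\?Windows\-1252\?B\?
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* ^From:[ 	]*=\?Windows\-1252\?B\?
$SPAM_NULL_FONT

# -----------------------------------------------------------------------------
# Chinese spam body
:0 WHB # ----------------------------------------------------------------------
* charset=big5
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset="BIG\-5"
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset="big5"
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset= "big5"
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset=3Dbig5
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset=gb2312
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* ^Subject:[ 	]*=\?GB2312\?B\?
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset="GB2312"
$SPAM_NULL_FONT

:0 WB # -----------------------------------------------------------------------
* charset="CHINESEBIG5"
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
# Rule added 15.05.2011
# From: =?utf-8?B?55+z5Zu955CH?=
# From: =?utf-8?B?5ZCO5L+K?=
* ^From: =\?utf\-8\?B\?.+\?= \<.+@.+\.cn\>
# Subject: =?utf-8?B?6ZSA44Kj5ZSu57K+6IuxMuWkqeS4gOWknOeWr+OBoeeLguiuree7gy3nn7Plm73nkIdfZA==?=
#	Note in original header there was a \n\t here.
#	=?utf-8?B?ZHdzeA==?=
# Subject: =?utf-8?B?6ZSA44Ox5ZSu57uP55CG44CB5biC5Zy657uP55CG5qC45b+D5oqA6IO95a6e4oaS5oiY56CU5L+u54+t?=
#	=?utf-8?B?LC3lkI7kv4pfd2p6emg=?=
* ^Subject: =\?utf\-8\?B\?6ZSA44.+\?=$
	{
	:0 WB # ---------------------------------------------------------------
	* ^Content\-Transfer\-Encoding: base64
	# Was "^\tcharset=": "\t" is a literal "t" to procmail, not a tab.
	* ^[ 	]+charset=\"utf\-8\"$
	# While testing:
	spam/font/.
	# then JJLATER $SPAM_NULL_FONT
	}

# =============================================================================
# Russian
# The base64 text of these encoded words starts with "0" when the first
# encoded byte is 0xD0-0xD3, i.e. the UTF-8 lead bytes for U+0400-U+04FF
# (Cyrillic).  That is what the "B\?0" tests key on.
# (The first recipe appeared twice in a row with identical text; one copy kept.)
:0 WH # -----------------------------------------------------------------------
# From: =?utf-8?B?0JrQvtC90LTRgNCw0YI=?=
* ^From: =\?utf\-8\?B\?0
* charset=(|\")utf\-8
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
# Subject: =?utf-8?B?0KMg0LLQsNGBINGB0LvQuNCy0LDRjtGCINGC0L7Qv9C70LjQstC+IQ==?=
# Subject: =?UTF-8?B?0J/QvtC80L7RidGMINC00LXRgtGP0Lwt0YHQuNGA0L7RgtCw0Lw=?=
* ^Subject: =\?utf\-8\?B\?0
# Subject in header, charset in body.
* charset=(|\")utf\-8
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
# Rule added 2010.12.09
# From: =?utf-8?B?0JDQu9C10LrRgdC10Lk=?=
# Subject: =?utf-8?B?0JrRg9GA0LXQvdC40LUg0L/QviDQvdC+0LLQvtC80YMNLg==?=
* ^From: =\?utf\-8\?B\?0
* ^Subject: =\?utf\-8\?B\?0
$SPAM_NULL_FONT

# =============================================================================
:0 WH # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Was "=?UTF\-8?": the unescaped "?" made the preceding characters optional,
# so a real "=?UTF-8?" prefix was never matched.
* ^Subject: =\?UTF\-8\?
# http://en.wikipedia.org/wiki/Utf-8
#	A multibyte character encoding for Unicode. Like UTF-16
#	and UTF-32, UTF-8 can represent every character in the
#	Unicode character set, but unlike them possesses the
#	advantages of being backward-compatible with ASCII and of
#	avoiding the complications of endianness and the resulting
#	need to use byte order marks.
# Could be anything, not just Russian, but in practice seems to be just russian spam.
# NOTE(review): with the prefix escaped this recipe is live and language
# neutral: any UTF-8 encoded Subject on an 8bit text/plain UTF-8 message
# goes to $SPAM_NULL_FONT.  Point it at a folder first if that variable
# discards mail.
* ^Content\-Type: text/plain; charset="utf\-8"
* ^Content\-Transfer\-Encoding: 8bit
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
# Japanese spam
* charset="Shift_JIS"
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset=ISO\-2022\-JP
$SPAM_NULL_FONT

# (This recipe appeared twice in a row with identical text; one copy kept.)
:0 WH # -----------------------------------------------------------------------
* ^Subject:[ 	]*=\?ISO\-2022\-JP\?
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
* ^Subject:[ 	]*=\?shift\-jis\?
$SPAM_NULL_FONT

:0 WHB # ----------------------------------------------------------------------
* charset="iso\-2022\-jp"
$SPAM_NULL_FONT

:0 WB # -----------------------------------------------------------------------
# Content-Type: text/plain
* charset="shift\-jis"
$SPAM_NULL_FONT

:0 WHB # Russian spam Cyrillic ------------------------------------------------
* charset=koi8\-r
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
# Subject: =?koi8-r?B?8sHT09nMy8kg0M8g8s/T08nJ?=
# Subject: =?koi8-r?B?7MXHxc7EydLP18HOycUsINL
# Subject: =?koi8-r?B?78bJ0yDXIMHSxc7E1SDTIM
# Subject: =?koi8-r?B?8sHT0NLPxMHWwSDaxc3FzN
* ^Subject: =\?koi8\-r\?B\?
$SPAM_NULL_FONT

:0 WH # -----------------------------------------------------------------------
# From: =?koi8-r?B?88/axMHOycUg0NLFwMTJw8nJ?=
# From: =?koi8-r?B?IvPPwtPU18XOzsnLIg==?=
* ^From: =\?koi8\-r\?B\?
$SPAM_NULL_FONT

# NOTE(review): "iso-2838-4" is not a charset label I can place; possibly a
# typo for another ISO name - confirm against a sample message.
:0 WB # -----------------------------------------------------------------------
* charset="iso\-2838\-4"
| $RCVSTORE +spam/charset

# -----------------------------------------------------------------------------
# Anyone quoting a numeric is suspicious, maybe a spammer,
# or someone on dynamic DNS who doesn't want to be traced back.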
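# URLs in the message body whose host part is a dotted-decimal number,
# percent-encoded, or written as an HTML character reference ("&#").
# NOTE(review): only "http://" is tested; the same host forms under another
# scheme are not covered by these recipes.

:0 WB # -----------------------------------------------------------------------
# The "[[:digit:]]" spelling is kept only as a comment: procmailrc(5) does not
# list POSIX character classes, so "[[:digit:]]+" reads as a bracket set of
# the characters "[:digt" followed by one or more "]".  Conditions in one
# recipe are ANDed, so leaving it active would stop the recipe from firing.
# JJLATER might FAIL:
# * http://[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+
* http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
$SPAM_NULL_NUMERIC_IP

:0 WB # -----------------------------------------------------------------------
* http://%
$SPAM_NULL_NUMERIC_IP

:0 WB # -----------------------------------------------------------------------
* http://www\.%
$SPAM_NULL_NUMERIC_IP
# -----------------------------------------------------------------------------
# EG: http://%11%11.%11%11%11.%11%11%11%1e%11%11/%11%11%1a%1f%11%11%11%11%11
# -----------------------------------------------------------------------------
# All 1-9 converted to 1 so the spammers don't benefit
# http://o%11%1Eo%11o%11s @oow %1Coosao%11ed bo%1A/ooo %11 /?fo %11oo

:0 WB # -----------------------------------------------------------------------
* http://\&#
# The # in the line above does not need to be delimited.
$SPAM_NULL_NUMERIC_IP
# -----------------------------------------------------------------------------
# Problem yet to solve
# http://acl ro @wwo.oogoooono io/ooo /?o oteo
# http://joocaooa1 @oow.hugoooooo boo/unoobocoibo.ooo?oiveoy
# -----------------------------------------------------------------------------
# Intercept: http://11.111.111.11/ads/precision/debtspecialist
# But not intercept EG 01051.com which is a non spamming
# (as far as I know) cheap phone caller.
# I have tested next line, it works.
# -----------------------------------------------------------------------------
# As spammers send spam masquerading as me, lots of sites reject back to me
# spam that I never sent.
# I used to have these reject messages in my spam phrases list,
# but to allow for times (such as during a reconfig) when I suspect I really
# may have had a genuine bounce, it is better to separate them here.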
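# Bounce and rejection notices for mail that was sent with a forged sender
# address, plus spam already tagged by an upstream relay.  These are filed
# with $RCVSTORE into named folders, so a genuine bounce can still be found.
# NOTE(review): these pipe recipes use no local lockfile; confirm $RCVSTORE is
# safe when several deliveries run at once.
#	\<\<\< 550 Email rejected by sandiego.com spam blocker

:0 WB # -----------------------------------------------------------------------
* ^banned filename in an email to you from:
| $RCVSTORE +spam/filename

# NOTE(review): procmailrc(5) defines "\<" as a word-edge match rather than a
# literal "<"; confirm this still fires on "<<< 550 ..." lines, or write the
# three characters as plain "<".
:0 WB # -----------------------------------------------------------------------
* ^\<\<\< 550 Email rejected by
* spam blocker
| $RCVSTORE +spam/blocker

:0 WB # -----------------------------------------------------------------------
* Action: failed
* Relaying denied\. Proper authentication required\.
| $RCVSTORE +error/auth-sasl

:0 WH # -----------------------------------------------------------------------
* ^Received: by mail\.brierdr\.com
# brierdr runs amavisd detector, forwards to me
# Subject:\s*\*\*\* JUNK MAIL \*\*\*Original_spam_subject
# Mime-Version: 1.0
# X-Spam-Status: Yes, hits=3.187 tagged_above=-999 required=1 tests=BAYES_00,
#	HELO_DYNAMIC_DHCP, HTML_10_20, HTML_IMAGE_ONLY_24, HTML_MESSAGE,
#	MSGID_FROM_MTA_ID
# X-Spam-Level: \*\*\*
# X-Spam-Flag: YES
# Was "^Subject:\s*": procmailrc(5) lists no "\s" escape, so it only matched
# a run of literal "s".  The bracket below holds one space and one tab.
* ^Subject:[ 	]*\*\*\* JUNK MAIL \*\*\*
* ^X\-Spam\-Flag: YES
| $RCVSTORE +spam/amavisd
# -----------------------------------------------------------------------------
# Hashed out, as it caught mail from mjm@codito._ERASE_.de & one other person.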
# Disabled recipes (kept for reference), then attachment-type recipes and two
# header heuristics.
# :0
# * ^Received: from unknown
# | $RCVSTORE +spam/unknown
# -----------------------------------------------------------------------------
# JJLATER Block commented out till I add something, eg a "to:" clause
# someone who genuinely mailed me as they were webmaster@www.somewhere
# get caught by this
# :0 WB
# * .[a-z][a-z][a-z]@www
# JJLATER
# | $RCVSTORE +spam/redirect
# -----------------------------------------------------------------------------
# 2 letter country codes EG uk fm tv us it de
# :0 WB
# * .[a-z][a-z]@www
# | $RCVSTORE +spam/redirect
# -----------------------------------------------------------------------------
# Other odd top level domain names:
# :0 WB
# * .family@www
# | $RCVSTORE +spam/redirect
# :0 WB
# * .info@www
# | $RCVSTORE +spam/redirect
# :0 WB
# * .name@www
# | $RCVSTORE +spam/redirect

# The four recipes below test the message body (B flag) for MIME part headers
# and send matches to $SPAM_NULL_FORMAT.
# NOTE(review): "^Content\-type: audio" already matches every audio/* subtype,
# including the audio/x-midi line tested further down.
:0 WB # MIME Enclosures: Much is just HTML spam, but not all. # ---------------
* ^Content\-type: audio
$SPAM_NULL_FORMAT

:0 WB # -----------------------------------------------------------------------
* ^Content\-Type: application/x\-shockwave\-flash
$SPAM_NULL_FORMAT

:0 WB # -----------------------------------------------------------------------
* ^Content\-Type: application/x\-msdownload
$SPAM_NULL_FORMAT

:0 WB # -----------------------------------------------------------------------
* ^Content\-Type: audio/x\-midi
$SPAM_NULL_FORMAT

# Can't use
# * ^MIME-Version:
# as EG Gary & Ernst send:
# Mime-version: 1.0
# Content-type: text/plain; charset=us-ascii

:0 WH # -----------------------------------------------------------------------
# Incompetent spammers run spam software unloaded
# with addresses & subject, sending generic macro spam.
# The leading "!" negates the test: the nested recipe is tried only when the
# header has no Subject: line.
* !^Subject:
	{
	# All three body conditions must hold: an HTML part plus the two
	# unfilled template placeholders.
	:0 WB
	* ^Content\-Type: text/html
	* ^Date: \%CURRENT_DATE_TIME
	* ^\%MESSAGE_BODY
	$SPAM_NULL_FORMAT
	}

:0 WH # High bit strings - Maybe 16 bit Chinese ? -----------------------------
# Example: Subject: ¦]À³¹L¦~¨ì¦³40»õ»È¦æ¥Á¶¡©ñ´Ú
# XD:.....: Subject: ?]???L?~????40???????????????
# XD:.....: 576666732A5CBB4A7AEAB33BFBCAEACBAAFBD0
# XD:.....: 352A534A06D039C6E8C6340B5B8665161914AA
# To generate nasty high bit bytes in next line I used:
#	cd ~/src/bsd/jhs/bin/local/inob ; inob 0x80 > 80 ; inob 0xff > ff
# NOTE(review): per the command above, each bracket range is meant to run from
# the single byte 0x80 to the single byte 0xff.  The two range endpoints
# appear in this copy as rendered characters; the live file must hold the raw
# bytes, otherwise the bracket expression changes meaning.
# The condition asks for six such bytes in a row somewhere after the first
# character of the Subject text.
* ^Subject: .+[€-ÿ][€-ÿ][€-ÿ][€-ÿ][€-ÿ][€-ÿ]
| $RCVSTORE +spam/subject_8bit