# DELIVERY-SPAMTRAP.RC
#
# Delivers all email into files in the directory designated
# in the SPAMTRAPROOT variable, or into subdirectories of it.
# Those files include spam sorted by identified spammer names,
# spam source ISPs, spam haven ISPs, viruses, other types of
# dangerous content, Advance Fee Fraud, Phishes, other types of
# fraudulent spam, spam that matches certain patterns, and
# spam in various languages. Because one spam often meets
# more than one criterion, a copy of each spam is delivered to
# the appropriate folder for each criterion it meets (where the
# delivering recipe carries the "c" flag; recipes without it are
# final deliveries and stop processing).
#
# This script is intended to be used only on spam collection
# accounts -- accounts to which spam is forwarded and which
# do not or should not receive any legitimate email at all.
# It was developed as part of the tool suite used to update
# the SpamBouncer itself, but a spamtrap of that type can
# be useful to gather information for many other purposes as
# well.
#
# This file defines none of SPAMTRAPROOT, SBDIR, TEST or MKDIR;
# it relies on the rcfile that includes it to have set them.
# The X-SBClass:, X-SBStop: and X-SBRule: headers it keys on are
# assumed to have been added by the local SpamBouncer run, not
# to have arrived with the message.
#
# Last updated: 10/15/2005

# SECTION 1: SANITY CHECK
#
# Check for and create any missing subdirectories.
# (Currently commented out -- see the note below.)
#
# NOTE(review): every directory check below is commented out, so this
# rcfile never creates a missing subdirectory. A delivery into a
# subdirectory that does not exist fails at run time (procmail logs
# the error and the message falls through to the recipes that follow,
# ending in the catch-all at the bottom). Either keep the tree
# pre-created outside this file, or re-enable the checks. The disabled
# form is a filter recipe (":0 if" + pipe), which appears to pipe the
# whole message through test/mkdir; if that was the reason it was
# disabled, a side-effect-only idiom such as a backtick assignment
# (DUMMY=`${TEST} -d ... || ${MKDIR} ...`) avoids touching the message
# -- TODO confirm with the maintainer why these were turned off.
#
# NOTE(review): nothing guards an unset/empty ${SPAMTRAPROOT}; with it
# empty every target below becomes /backscatter, /dangerous, ... --
# confirm the including rcfile always sets it.
#
#:0 if
#| ${TEST} -d ${SPAMTRAPROOT}/backscatter || ${MKDIR} ${SPAMTRAPROOT}/backscatter

#:0 if
#| ${TEST} -d ${SPAMTRAPROOT}/dangerous || ${MKDIR} ${SPAMTRAPROOT}/dangerous

#:0 if
#| ${TEST} -d ${SPAMTRAPROOT}/forwarded || ${MKDIR} ${SPAMTRAPROOT}/forwarded

#:0 if
#| ${TEST} -d ${SPAMTRAPROOT}/fraud || ${MKDIR} ${SPAMTRAPROOT}/fraud

#:0 if
#| ${TEST} -d ${SPAMTRAPROOT}/havens || ${MKDIR} ${SPAMTRAPROOT}/havens

#:0 if
#| ${TEST} -d ${SPAMTRAPROOT}/identified || ${MKDIR} ${SPAMTRAPROOT}/identified

#:0 if
#| ${TEST} -d ${SPAMTRAPROOT}/language || ${MKDIR} ${SPAMTRAPROOT}/language

#:0 if
#| ${TEST} -d ${SPAMTRAPROOT}/patterns || ${MKDIR} ${SPAMTRAPROOT}/patterns

#:0 if
#| ${TEST} -d ${SPAMTRAPROOT}/retired || ${MKDIR} ${SPAMTRAPROOT}/retired

#:0 if
#| ${TEST} -d ${SPAMTRAPROOT}/sources || ${MKDIR} ${SPAMTRAPROOT}/sources

# SECTION 2: FORWARDED STUFF
#
# Email forwarded to the spamtrap, rather than bounced to it or
# redirected using an MX record or Sendmail directive, often has
# reformatted headers, stripped headers, and/or a reformatted
# message body. The worst of it is of no use whatsoever because
# of the reformatting (thanks, Microsoft). Even that
# which was forwarded carefully often has HTML stripped out of
# the message body, removing the most important hyperlinks and
# modifying the email so that what you see is NOT what a mail
# filter sees.
#
# You don't want this email cluttering up the main folders, so it
# is segregated off by itself.
#
# Mechanics: each recipe in this section files a copy and sets
# LOCALTAG=yes; the last recipe of the section then sends anything
# tagged to /dev/null, so forwarded mail never reaches the
# classification sections below. The "( )" at the end of a
# condition is a deliberately protected trailing space (procmail
# strips unprotected trailing whitespace from conditions).
#
LOCALTAG=no

# Useless forwarded stuff
#
# A forwarded message whose body contains a second block of
# From/To/Cc/Date/Subject/Sent headers (the quoted original) but no
# second Received: chain.
#
:0 HB
* ^Received:[^0-9a-z]? from (.*$)+$(.*$)*[^0-9a-z]*((F|=46)rom|To|Cc|Date|Subject|Sen[dt]):[^0-9a-z]?( )(.*$)[^0-9a-z]*((F|=46)rom|To|Cc|Date|Subject|Sen[dt]):[^0-9a-z]?( )
* ! ^Received:[^0-9a-z]? from (.*$)+$(.*$)*([^0-9a-z]+|(X-))?Received:[^0-9a-z]? from( )
{
  :0
  {
    LOCALTAG=yes
  }

  :0:
  ${SPAMTRAPROOT}/forwarded/forwarded-badheaders.txt
}

# More useless forwarded stuff
#
# Same test with German-localised header names (Von/An/Gesendet/Betreff).
#
:0 HB
* ^Received:[^0-9a-z]? from (.*$)+$(.*$)*[^0-9a-z]*(Von|An|Gesendet|Betreff):[^0-9a-z]?( )(.*$)[^0-9a-z]*(Von|An|Gesendet|Betreff):[^0-9a-z]?( )
* ! ^Received:[^0-9a-z]? from (.*$)+$(.*$)*([^0-9a-z]+|(X-))?Received:[^0-9a-z]? from( )
{
  :0
  {
    LOCALTAG=yes
  }

  :0:
  ${SPAMTRAPROOT}/forwarded/forwarded-badheaders.txt
}

# Yet more useless forwarded stuff
#
# Relayed via tumbleweed.com and addressed to the APWG reporting
# address, with no second Received: chain.
#
:0 HB
* ^Received: from .*\.tumbleweed\.com([^0-9a-z.]|$)
* ^(To|Cc):.*[^0-9a-z]reportphishing@antiphishing\.org([^0-9a-z.]|$)
* ! ^Received:[^0-9a-z]? from (.*$)+$(.*$)*([^0-9a-z]+|(X-))?Received:[^0-9a-z]? from( )
{
  :0
  {
    LOCALTAG=yes
  }

  :0:
  ${SPAMTRAPROOT}/forwarded/forwarded-badheaders.txt
}

# And yet more useless forwarded stuff
#
# Relayed via tumbleweed.com with a base64 body (the original is
# opaque to the filter).
#
:0
* H ?? ^Received: from .*\.tumbleweed\.com([^0-9a-z.]|$)
* B ?? ^Content-Transfer-Encoding: base64$
{
  :0
  {
    LOCALTAG=yes
  }

  :0:
  ${SPAMTRAPROOT}/forwarded/forwarded-badheaders.txt
}

# Useless forwarded stuff from Microsoft :(
#
# NOTE(review): the first "hotmail.com" in the second condition has an
# unescaped dot, so it also matches e.g. "hotmailXcom"; the later
# occurrence on the same line is escaped. Likely intended as
# "hotmail\.com" -- harmless over-match here, but worth tightening.
#
:0
* H ?? ^Received: from .*\.tumbleweed\.com([^0-9a-z.]|$)
* H ?? ^Received: from hotmail.com \(([0-9a-z][-0-9a-z]+\.)+hotmail\.com([^0-9a-z.]|$)
{
  :0
  {
    LOCALTAG=yes
  }

  :0:
  ${SPAMTRAPROOT}/forwarded/forwarded-badheaders.txt
}

# Forwarded Spam
#
# Two Received: chains (a forwarded message) already classed Spam.
#
:0 HB
* ^X-SBClass: Spam$
* ^Received:[^0-9a-z]? from (.*$)+$(.*$)*([^0-9a-z]+|X-)?Received:[^0-9a-z]? from( )
{
  :0
  {
    LOCALTAG=yes
  }

  :0:
  ${SPAMTRAPROOT}/forwarded/forwarded-spam.txt
}

# Forwarded Blocked
#
:0 HB
* ^X-SBClass: Blocked$
* ^Received:[^0-9a-z]? from (.*$)+$(.*$)*([^0-9a-z]+|X-)?Received:[^0-9a-z]? from( )
{
  :0
  {
    LOCALTAG=yes
  }

  :0:
  ${SPAMTRAPROOT}/forwarded/forwarded-blocked.txt
}

# Forwarded Updates
#
# Any other forwarded message (two Received: chains) not classed
# Virus, Spam or Blocked.
#
:0 HB
* ! ^X-SBClass: (Virus|Spam|Blocked)$
* ^Received:[^0-9a-z]? from (.*$)+$(.*$)*([^0-9a-z]+|X-)?Received:[^0-9a-z]? from( )
{
  :0
  {
    LOCALTAG=yes
  }

  :0:
  ${SPAMTRAPROOT}/forwarded/forwarded-updates.txt
}

# Stuff sent directly to reportphishing@antiphishing.org.
#
:0
* H ?? ^Received: from .*\.tumbleweed\.com([^0-9a-z.]|$)
* H ?? ^(Cc|To):.*reportphishing@antiphishing\.org([^0-9a-z.]|$)
{
  :0
  {
    LOCALTAG=yes
  }

  :0:
  ${SPAMTRAPROOT}/forwarded/forwarded-updates.txt
}

# Everything filed above is discarded here so it does not also land
# in the source/haven/dangerous/... folders below.
#
:0
* LOCALTAG ?? yes
/dev/null

# SECTION 3: SOURCES
#
# Sorts spam by source ISP or Network.
#
# Each entry resets LOCALTAG, points TESTCIDR/TESTNAME at a CIDR list
# under ${SBDIR}/info, runs the Received:-header CIDR check, and only
# if that did not tag the message runs the broader header check.
# The included check-*.rc files are not in view; presumably they set
# LOCALTAG=yes on a hit -- confirm against those files. The "c:"
# deliveries are copies, so the message continues to later sections.
#
# Cogent Communications
#
LOCALTAG=no
TESTCIDR=${SBDIR}/info/cogent-ips.cidr
TESTNAME='Cogentco'
INCLUDERC=${SBDIR}/functions/check-received-cidr.rc

:0
* LOCALTAG ?? no
{
  INCLUDERC=${SBDIR}/functions/check-header-cidr.rc
}

:0 c:
* LOCALTAG ?? yes
${SPAMTRAPROOT}/sources/cogentco.txt

# Gilat
#
LOCALTAG=no
TESTCIDR=${SBDIR}/info/gilat-ips.cidr
TESTNAME='Gilat'
INCLUDERC=${SBDIR}/functions/check-received-cidr.rc

:0
* LOCALTAG ?? no
{
  INCLUDERC=${SBDIR}/functions/check-header-cidr.rc
}

:0 c:
* LOCALTAG ?? yes
${SPAMTRAPROOT}/sources/gilat.txt

# Global Crossing
#
LOCALTAG=no
TESTCIDR=${SBDIR}/info/glbx-ips.cidr
TESTNAME='Global Crossing'
INCLUDERC=${SBDIR}/functions/check-received-cidr.rc

:0
* LOCALTAG ?? no
{
  INCLUDERC=${SBDIR}/functions/check-header-cidr.rc
}

:0 c:
* LOCALTAG ?? yes
${SPAMTRAPROOT}/sources/glbx.txt

# Level 3
#
LOCALTAG=no
TESTCIDR=${SBDIR}/info/level3-ips.cidr
TESTNAME='Level 3'
INCLUDERC=${SBDIR}/functions/check-received-cidr.rc

:0
* LOCALTAG ?? no
{
  INCLUDERC=${SBDIR}/functions/check-header-cidr.rc
}

:0 c:
* LOCALTAG ?? yes
${SPAMTRAPROOT}/sources/level3.txt

# MSN/Hotmail
#
LOCALTAG=no
TESTCIDR=${SBDIR}/info/hotmail-ips.cidr
TESTNAME='MSN/Hotmail'
INCLUDERC=${SBDIR}/functions/check-received-cidr.rc

:0
* LOCALTAG ?? no
{
  INCLUDERC=${SBDIR}/functions/check-header-cidr.rc
}

:0 c:
* LOCALTAG ?? yes
${SPAMTRAPROOT}/sources/hotmail.txt

# Newskies
#
LOCALTAG=no
TESTCIDR=${SBDIR}/info/newskies-ips.cidr
TESTNAME='Newskies'
INCLUDERC=${SBDIR}/functions/check-received-cidr.rc

:0
* LOCALTAG ?? no
{
  INCLUDERC=${SBDIR}/functions/check-header-cidr.rc
}

:0 c:
* LOCALTAG ?? yes
${SPAMTRAPROOT}/sources/newskies.txt

# Verizon Dynamic
#
LOCALTAG=no
TESTCIDR=${SBDIR}/info/verizon-dynamic-ips.cidr
TESTNAME='Verizon Dynamic'
INCLUDERC=${SBDIR}/functions/check-received-cidr.rc

:0
* LOCALTAG ?? no
{
  INCLUDERC=${SBDIR}/functions/check-header-cidr.rc
}

:0 c:
* LOCALTAG ?? yes
${SPAMTRAPROOT}/sources/verizon-dynamic.txt

# Yahoo
#
LOCALTAG=no
TESTCIDR=${SBDIR}/info/yahoo-ips.cidr
TESTNAME='Yahoo'
INCLUDERC=${SBDIR}/functions/check-received-cidr.rc

:0
* LOCALTAG ?? no
{
  INCLUDERC=${SBDIR}/functions/check-header-cidr.rc
}

:0 c:
* LOCALTAG ?? yes
${SPAMTRAPROOT}/sources/yahoo.txt

# SECTION 4: Havens
#
# Sorts spam by haven ISP or Network.
#
# Same shape as Section 3, but the CIDR lists are checked against
# domains and addresses found in the message body (the advertised
# site) rather than the Received: headers. Note that the haven list
# is shorter than the source list (no Newskies, no Verizon Dynamic).
#
# Cogent Communications
#
LOCALTAG=no
TESTCIDR=${SBDIR}/info/cogent-ips.cidr
TESTNAME='Cogentco'
INCLUDERC=${SBDIR}/functions/check-body-domain-cidr.rc

:0
* LOCALTAG ?? no
{
  INCLUDERC=${SBDIR}/functions/check-body-cidr.rc
}

:0 c:
* LOCALTAG ?? yes
${SPAMTRAPROOT}/havens/cogentco.txt

# Gilat
#
LOCALTAG=no
TESTCIDR=${SBDIR}/info/gilat-ips.cidr
TESTNAME='Gilat'
INCLUDERC=${SBDIR}/functions/check-body-domain-cidr.rc

:0
* LOCALTAG ?? no
{
  INCLUDERC=${SBDIR}/functions/check-body-cidr.rc
}

:0 c:
* LOCALTAG ?? yes
${SPAMTRAPROOT}/havens/gilat.txt

# Global Crossing
#
LOCALTAG=no
TESTCIDR=${SBDIR}/info/glbx-ips.cidr
TESTNAME='Global Crossing'
INCLUDERC=${SBDIR}/functions/check-body-domain-cidr.rc

:0
* LOCALTAG ?? no
{
  INCLUDERC=${SBDIR}/functions/check-body-cidr.rc
}

:0 c:
* LOCALTAG ?? yes
${SPAMTRAPROOT}/havens/glbx.txt

# Level3
#
LOCALTAG=no
TESTCIDR=${SBDIR}/info/level3-ips.cidr
TESTNAME='Level 3'
INCLUDERC=${SBDIR}/functions/check-body-domain-cidr.rc

:0
* LOCALTAG ?? no
{
  INCLUDERC=${SBDIR}/functions/check-body-cidr.rc
}

:0 c:
* LOCALTAG ?? yes
${SPAMTRAPROOT}/havens/level3.txt

# MSN/Hotmail
#
LOCALTAG=no
TESTCIDR=${SBDIR}/info/hotmail-ips.cidr
TESTNAME='MSN/Hotmail'
INCLUDERC=${SBDIR}/functions/check-body-domain-cidr.rc

:0
* LOCALTAG ?? no
{
  INCLUDERC=${SBDIR}/functions/check-body-cidr.rc
}

:0 c:
* LOCALTAG ?? yes
${SPAMTRAPROOT}/havens/hotmail.txt

# Yahoo
#
LOCALTAG=no
TESTCIDR=${SBDIR}/info/yahoo-ips.cidr
TESTNAME='Yahoo'
INCLUDERC=${SBDIR}/functions/check-body-domain-cidr.rc

:0
* LOCALTAG ?? no
{
  INCLUDERC=${SBDIR}/functions/check-body-cidr.rc
}

:0 c:
* LOCALTAG ?? yes
${SPAMTRAPROOT}/havens/yahoo.txt

# SECTION 5: VIRUSES AND DANGEROUS CONTENT
#
# Keys on the X-SBClass:/X-SBStop: headers added by the SpamBouncer
# classifier. The files under dangerous/ therefore accumulate live
# malware samples in mbox form; keep that tree unreadable to anything
# that auto-opens attachments.
#
# NOTE(review): the Virus, Hidden Executable, Executable and Archive
# recipes deliver with ":0:" (no "c"), which is a final delivery --
# processing stops there, the LOCALTAG=yes they set is never read, and
# the message does not reach the fraud/identified/pattern sections.
# Only "Executable Document Type" and "URL link to executable file"
# use ":0 c:" and continue. That contradicts the "copy to every
# matching folder" description at the top of the file -- TODO confirm
# which behaviour is intended.
#
LOCALTAG=no

# Viruses
#
:0
* ^X-SBClass: Virus$
{
  :0
  {
    LOCALTAG=yes
  }

  :0:
  ${SPAMTRAPROOT}/dangerous/viruses.txt
}

# Attached Hidden Executable files
#
:0
* ^X-SBStop: DANGER! Hidden Executable Attachment$
{
  :0
  {
    LOCALTAG=yes
  }

  :0:
  ${SPAMTRAPROOT}/dangerous/hidden-executable-attachment.txt
}

# Attached Executable files
#
:0
* ^X-SBStop: DANGER! Executable Attachment$
{
  :0
  {
    LOCALTAG=yes
  }

  :0:
  ${SPAMTRAPROOT}/dangerous/executable-attachment.txt
}

# Attached Archive files
#
:0
* ^X-SBStop: DANGER! Binary Archive Attachment$
{
  :0
  {
    LOCALTAG=yes
  }

  :0:
  ${SPAMTRAPROOT}/dangerous/archive-attachment.txt
}

# Attached Executable Document Type
#
:0
* ^X-SBStop: DANGER! Executable Document Type$
{
  :0
  {
    LOCALTAG=yes
  }

  :0 c:
  ${SPAMTRAPROOT}/dangerous/executable-document-attachment.txt
}

# Executable link files
#
:0
* ^X-SBStop: DANGER! URL link to executable file$
{
  :0
  {
    LOCALTAG=yes
  }

  :0 c:
  ${SPAMTRAPROOT}/dangerous/executable-link-url.txt
}

# Other Dangerous Content
#
# Any other DANGER! stop that the recipes above did not tag.
#
# NOTE(review): this is the only file delivery in the section written
# as ":0" rather than ":0:", i.e. without a local lockfile; two
# concurrent deliveries can interleave in
# other-dangerous-content.txt. The siblings use ":0:" -- likely a
# typo, confirm and add the lock.
#
:0
* LOCALTAG ?? no
* ^X-SBStop: DANGER!
${SPAMTRAPROOT}/dangerous/other-dangerous-content.txt

# SECTION 6: BACKSCATTER
#
# Every recipe here is a final ":0:" delivery: the first X-SBRule:
# that matches files the message and processing stops.
#
# Juno backscatter
#
:0:
* ^X-SBRule: Juno backscatter
${SPAMTRAPROOT}/backscatter/juno.txt

# MailMarshall backscatter
#
:0:
* ^X-SBRule: MailMarshall
${SPAMTRAPROOT}/backscatter/mailmarshall-av.txt

# McAfee Webshield backscatter
#
:0:
* ^X-SBRule: McAfee
${SPAMTRAPROOT}/backscatter/mcafee-webshield-av.txt

# Qmail backscatter
#
:0:
* ^X-SBRule: Qmail
${SPAMTRAPROOT}/backscatter/qmail-av.txt

# ScanMail backscatter
#
:0:
* ^X-SBRule: ScanMail
${SPAMTRAPROOT}/backscatter/scanmail-av.txt

# Schoolteam.net backscatter
#
:0:
* ^X-SBRule: Schoolteam\.net
${SPAMTRAPROOT}/backscatter/schoolteam-net.txt

# Symantec/Norton Antivirus backscatter
#
:0:
* ^X-SBRule: Symantec/Norton
${SPAMTRAPROOT}/backscatter/symantec-av.txt

# Topica backscatter
#
:0:
* ^X-SBRule: Topica backscatter
${SPAMTRAPROOT}/backscatter/topica.txt

# Travelex.com backscatter
#
:0:
* ^X-SBRule: Travelex\.com backscatter
${SPAMTRAPROOT}/backscatter/travelex-com.txt

# Other Backscatter
#
:0:
* ^X-SBRule: Useless Automatic Virus Notification
${SPAMTRAPROOT}/backscatter/other-backscatter.txt

# Defanged Virus email
#
:0:
* ^X-SBRule: Defanged Virus email
${SPAMTRAPROOT}/backscatter/defanged-virus-email.txt

# SECTION 7: FRAUD
#
# Hands identified fraud categories to delivery-spamtrap-fraud.rc
# (not in view). SBIDENTIFIED is expected from the classifier run.
#
:0
* SBIDENTIFIED ?? ^yes$
* ^X-SBRule: (Advance Fee Fraud|Identity Theft|Joe Job|Phish|Probable Charity/Disaster)
{
  INCLUDERC=${SBDIR}/functions/delivery-spamtrap-fraud.rc
}

# SECTION 8: IDENTIFIED SPAMMERS
#
# delivery-spamtrap-identified.rc (not in view) presumably files per
# spammer and sets LOCALTAG=yes on a match -- confirm against that file.
#
LOCALTAG=no

:0
* SBIDENTIFIED ?? ^yes$
{
  INCLUDERC=${SBDIR}/functions/delivery-spamtrap-identified.rc
}

# SECTION 9: RETIRED SPAMMERS
#
# Only consulted when Section 8 did not tag the message.
#
:0
* LOCALTAG ?? no
* SBIDENTIFIED ?? ^yes$
{
  INCLUDERC=${SBDIR}/functions/delivery-spamtrap-retired.rc
}

# Nuke anything filed here.
:0
* LOCALTAG ?? yes
/dev/null

# Other Identified spam
#
# Identified, but neither the identified nor the retired include
# claimed it. Final delivery.
#
:0:
* LOCALTAG ?? no
* SBIDENTIFIED ?? ^yes$
${SPAMTRAPROOT}/identified/other-identified.txt

# SECTION 10: CONTENT PATTERN MATCHES
#
:0
* ^X-SBRule: Pattern Match
{
  INCLUDERC=${SBDIR}/functions/delivery-spamtrap-patternmatches.rc
}

# SECTION 11: LANGUAGE/CHARACTER SETS
#
:0
* ^X-SBRule: (Arabic|Chinese|Cyrillic|Greek|Hebrew|Japanese|Korean|Russian|Spanish|Turkish)
{
  INCLUDERC=${SBDIR}/functions/delivery-spamtrap-language.rc
}

# SECTION 12: REMAINDER
#
# Final deliveries, in order: classed Spam, classed Blocked, then
# everything else. The last recipe has no condition, so nothing that
# reaches this point falls back to $DEFAULT unless the write fails.
#
# Unclassified spam
#
:0:
* ^X-SBClass: Spam$
${SPAMTRAPROOT}/unclassified.txt

# Blocked email (needs better filters)
#
:0:
* ^X-SBClass: Blocked$
${SPAMTRAPROOT}/blocked.txt

# Everything else (REALLY needs better filters)
#
:0:
${SPAMTRAPROOT}/updates.txt