# SB6.RC
#
# Do the actual filtering, finally!
#
# Stage of the SpamBouncer procmail filter (included files live under
# ${SBDIR}). Variables read here but set elsewhere (not visible in this
# file): SBDIR, SBCONFIG (modes seen below: Analyze, Debug, Lite, Default),
# SPAMTAG, SBSCORE, SBHEADERS, SBRETIRED, FIRSTEXDOMAIN, FROMDOMAIN,
# PATTERNMATCHING, LEANTAG, BLOCKLEVEL. Tags produced here for later
# stages: ADMINTAG, BULKTAG, SBIDENTIFIED, BLOCKTAG.
#
# Procmail reminders for readers unfamiliar with the syntax:
#   * "H ??"  matches the condition against the message header only.
#   * "E" on ":0 E" is the else-branch: the recipe runs only when the
#     immediately preceding recipe did NOT match.
#   * "D" on ":0 D" makes the condition regexps case-sensitive (procmail
#     matches case-insensitively by default).
#   * Scoring conditions ("...^0") are summed; the recipe matches only when
#     the total is positive, and "$=" then holds that total.
#
# Identify Admin email
#
# NOTE(review): From:/Sender: are supplied by the sender, so ADMINTAG is a
# heuristic that a forged message can trigger; it is not a trust signal.
# The "info@" alternative is the only one without the [^0-9a-z] boundary
# the others use, so it also matches local parts ending in "info"
# (e.g. "listinfo@") -- confirm that is intended.
:0
* H ?? (^FROM_MAILER([^a-z0-9.]|\. |\.$|$)|\
       ^(From|Sender).*[^0-9a-z]abuse@|\
       ^(From|Sender).*[^0-9a-z]admin@|\
       ^(From|Sender).*[^0-9a-z]auto@|\
       ^(From|Sender).*[^0-9a-z]helpdesk@|\
       ^(From|Sender).*[^0-9a-z]hostmaster@|\
       ^(From|Sender).*info@|\
       ^(From|Sender).*[^0-9a-z]list@|\
       ^(From|Sender).*[^0-9a-z]listserv@|\
       ^(From|Sender).*[^0-9a-z]macjordomo?@|\
       ^(From|Sender).*[^0-9a-z].*mail(er|man)?@|\
       ^(From|Sender).*[^0-9a-z].*mailadmin@|\
       ^(From|Sender).*[^0-9a-z]majordomo?@|\
       ^(From|Sender).*[^0-9a-z]Network(Monitor)?@|\
       ^(From|Sender).*[^0-9a-z]nobody@|\
       ^(From|Sender).*[^0-9a-z]noc@|\
       ^(From|Sender).*[^0-9a-z]noreply@|\
       ^(From|Sender).*[^0-9a-z]policy@|\
       ^(From|Sender).*[^0-9a-z].*postmaster|\
       ^(From|Sender).*[^0-9a-z]root|\
       ^(From|Sender).*[^0-9a-z]spam@|\
       ^(From|Sender).*[^0-9a-z]support@|\
       ^(From|Sender).*[^0-9a-z]webmaster@)
* H ?? !^From.*MAILER-DAEMON([ ]|@|$)
* H ?? !^Resent-(By|From|To|Sender):
{
  SBLOGFLAGS="ALWAYS 1 NOTE"
  SBLOG="From Admin"
  #SBLOG="A1N-From Admin"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  {
    ADMINTAG=yes
  }
}

# Tag bulk email that admits it is bulk :)
#
:0
* H ?? (^FROM_DAEMON|\
       ^Precedence: (Bulk|Junk|List)|\
       ^Resent-(By|From|To|Sender):|\
       ^List-[0-9a-z]*:|\
       ^X-ListName:|\
       ^X-Listprocessor|\
       ^X-Listserver:|\
       ^X-Lyris-(To|MemberID|MessageID):|\
       ^Received:.*majordom)
{
  SBLOGFLAGS="ALWAYS 1 NOTE"
  SBLOG="Bulk Email (From_Daemon/Listserv/Resent/Precedence)"
  #SBLOG="A1N-Bulk Email (From_Daemon/Listserv/Resent/Precedence)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  {
    BULKTAG=yes
  }
}

# Check the headers for email with a match between the From: and Received:
# headers, and is also sent from a recognized administrative address. Such
# email is probably not spam, although it could be.
#
# NOTE(review): the "$" flag expands ${FROMDOMAIN} into the regexp
# unescaped and unanchored, so a "." in it matches any character and a
# shorter domain matches inside a longer one (FIRSTEXDOMAIN is only
# required to CONTAIN it). FROMDOMAIN presumably comes from the sender-
# written From: header -- confirm where both variables are derived before
# relying on this as an alignment check.
#
# NOTE(review): because a scoring recipe only matches on a positive total,
# the -15 credit is applied only while SBSCORE is above 15; a lower score is
# left unchanged rather than reduced. Confirm this cliff is intended.
:0
* $ FIRSTEXDOMAIN ?? ${FROMDOMAIN}
* H ?? ^From:.*(abuse|admin(istrator)?|help(desk)?|hostmaster|nobody|noc|policy|postmaster|support|web(-?admin|master))[0-9]*@
{
  SBLOGFLAGS="ALWAYS 1 RULE"
  SBLOG="Apparently legitimate Admin email"
  #SBLOG="A1R-Apparently legitimate Admin email"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * -15^0
  {
    SBSCORE=$=
  }
}

##########################################################################
# FRAUDULENT SCAMS/SPAMS
#
# Spams like the Nigerian 4-1-9 advance fee fraud that are sent to promote known
# illegal and often dangerous scams that are under investigation by
# Interpol, the FBI, or another national police force or forces. Usually
# the SpamBouncer will not try to autocomplain about these spams, which
# normally are heavily forged to conceal their origin, but may report
# them to the appropriate police forces where possible.
#
# This include is unconditional; every later blocklist include below is
# gated on SBCONFIG and/or "SPAMTAG ?? no".
INCLUDERC=${SBDIR}/sb-fraud.rc

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# ROGUE SPAMMERS
#
# This file includes all recipes for the rogue's gallery of
# spammers, extremely prolific spammers.
#
# Pattern used by most sections below: in Analyze/Debug mode the file is
# always included; otherwise only while the message is not yet tagged as
# spam (SPAMTAG ?? no), so already-classified mail skips the extra work.
:0
* SBCONFIG ?? ^(Analyze|Debug)$
{
  INCLUDERC=${SBDIR}/sb-rogue.rc
}

:0
* ! SBCONFIG ?? ^(Analyze|Debug|Lite)$
* SPAMTAG ?? no
{
  INCLUDERC=${SBDIR}/sb-rogue.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# HIGH-VOLUME SPAMMERS
#
# This file includes all recipes for highly prolific spammers that are
# sending out a lot of spam recently.
#
:0
* SBCONFIG ?? ^(Analyze|Debug)$
{
  INCLUDERC=${SBDIR}/sb-highvolume.rc
}

:0
* ! SBCONFIG ?? ^(Analyze|Debug|Lite)$
* SPAMTAG ?? no
{
  INCLUDERC=${SBDIR}/sb-highvolume.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# IDENTIFIED SPAMMERS
#
# This file includes all other recipes for known spammers that can be
# identified by name, domain name, or IP range.
#
# NOTE(review): unlike the rogue/high-volume sections, the non-debug branch
# here requires SBCONFIG to be exactly "Default" rather than "not
# Analyze/Debug/Lite"; any other mode value skips this file entirely.
# Confirm that difference is deliberate.
:0
* SBCONFIG ?? ^(Debug|Analyze)$
{
  INCLUDERC=${SBDIR}/sb-identified.rc
}

:0 E
* SBCONFIG ?? ^Default$
* SPAMTAG ?? no
{
  INCLUDERC=${SBDIR}/sb-identified.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# RETIRED SPAMMERS
#
# This file includes all recipes for spammers that appear to have
# quit spamming and disappeared, or have claimed to have renounced
# spamming. It is ignored unless SpamBouncer is running in Analyze
# or Debug mode.
#
# LOCALTAG is a scratch flag reused by several sections; it is reset to
# "no" at the start of each one.
LOCALTAG=no

:0
* SBCONFIG ?? ^Debug$
{
  LOCALTAG=yes
}

:0
* SBCONFIG ?? ^Analyze$
* SBRETIRED ?? yes
{
  LOCALTAG=yes
}

:0
* LOCALTAG ?? yes
{
  INCLUDERC=${SBDIR}/sb-retired.rc
}

# MAINSLEAZE, OPT-OUT, and PINKISP Senders
#
# ESPs, ISPs and otherwise-companies that send spam, but also
# send email that some people requested and want.
#
# Although that doesn't make them less spammers than the rest,
# for the convenience of users who might want email from one
# of these senders, I am listing them separately and setting
# the default SBSCORE to BLOCK. That way, the user can whitelist
# any legitimate email from one of them.
#
# Note: these two SBCONFIG tests are unanchored (no ^...$), unlike the
# sections above.
:0
* SBCONFIG ?? (Analyze|Debug)
{
  INCLUDERC=${SBDIR}/sb-blockool.rc
}

:0
* ! SBCONFIG ?? (Analyze|Debug|Lite)
* SPAMTAG ?? no
{
  INCLUDERC=${SBDIR}/sb-blockool.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# THE NUISANCE FILE
#
# Spam and spammers that are clearly distinguishable and prolific, but that
# do not have a specific domain or domains, IP block or IP blocks, and that
# I haven't managed to identify by name.
#
# Note: Lite mode is NOT excluded here, unlike the rogue/high-volume and
# blockool sections.
:0
* SBCONFIG ?? ^(Analyze|Debug)$
{
  INCLUDERC=${SBDIR}/sb-nuisance.rc
}

:0
* ! SBCONFIG ?? ^(Analyze|Debug)$
* SPAMTAG ?? no
{
  INCLUDERC=${SBDIR}/sb-nuisance.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Tag with "Identified Spammer" tag if you are running
# in Analyze or Debug mode. Useful for spamtraps.
#
# Matches when 1 + SBSCORE - 5 > 0, i.e. SBSCORE >= 5. SBIDENTIFIED is
# set unconditionally on a match; the log entry is only written when
# SBHEADERS is exactly COMPLETE.
:0
* 1^0
* $ ${SBSCORE}^0
* -5^0
{
  SBIDENTIFIED=yes

  :0
  * SBHEADERS ?? ^COMPLETE$
  {
    SBLOGFLAGS="ALWAYS 1 NOTE"
    SBLOG="Identified Spammer"
    #SBLOG="A1N-Identified Spammer"
    INCLUDERC=${SBDIR}/functions/loglevel.rc
  }
}

# UNCLASSIFIED SPAM SOURCES AND SPAM HAVENS
#
# IPs in this category either had multiple spams sent from them, or
# hosted spam havens, but don't have a special entry of their own
# among the identified spammers, probably because they haven't
# gotten sufficiently on the radar.
:0
* SBCONFIG ?? Debug
{
  INCLUDERC=${SBDIR}/sb-unclassified.rc
}

:0 E
* SPAMTAG ?? no
{
  INCLUDERC=${SBDIR}/sb-unclassified.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# DROP-BOX EMAIL ADDRESSES
#
# Email addresses used as drop-boxes in recent spam.
#
# Gate: run in Debug mode, or while the message is not yet tagged as spam.
LOCALTAG=no

:0
* SBCONFIG ?? Debug
{
  LOCALTAG=yes
}

:0
* SPAMTAG ?? no
{
  LOCALTAG=yes
}

:0
* LOCALTAG ?? yes
{
  # LOCALTAG is reused as the "hit" flag for the monthly lists below.
  # The newest list is always consulted; each older list is consulted only
  # while LOCALTAG is still "no". Presumably the included list files set
  # LOCALTAG=yes on a match -- confirm in ${SBDIR}/black/dropboxes-*.rc.
  LOCALTAG=no

  :0
  {
    INCLUDERC=${SBDIR}/black/dropboxes-0604.rc
  }

  :0
  * LOCALTAG ?? no
  {
    INCLUDERC=${SBDIR}/black/dropboxes-0603.rc
  }

  :0
  * LOCALTAG ?? no
  {
    INCLUDERC=${SBDIR}/black/dropboxes-0602.rc
  }

  :0
  * LOCALTAG ?? no
  {
    INCLUDERC=${SBDIR}/black/dropboxes-0601.rc
  }

  # A hit adds 10 to SBSCORE (scoring sum: SBSCORE + 10, always positive
  # for non-negative SBSCORE, so the assignment takes effect).
  :0
  * LOCALTAG ?? yes
  {
    SBLOGFLAGS="ALWAYS 1 RULE"
    SBLOG="Drop-Box Email Address"
    #SBLOG="A1R-Drop-Box Email Address"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    :0
    * $ ${SBSCORE}^0
    * 10^0
    {
      SBSCORE=$=
    }
  }
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# HAVEN URLS
#
# URLs seen in recent spam at domains that are not
# themselves spammers
#
# Same gate / newest-first list chain / +10 structure as DROP-BOX above.
LOCALTAG=no

:0
* SBCONFIG ?? Debug
{
  LOCALTAG=yes
}

:0
* SPAMTAG ?? no
{
  LOCALTAG=yes
}

:0
* LOCALTAG ?? yes
{
  LOCALTAG=no

  :0
  {
    INCLUDERC=${SBDIR}/black/havenurls-0604.rc
  }

  :0
  * LOCALTAG ?? no
  {
    INCLUDERC=${SBDIR}/black/havenurls-0603.rc
  }

  :0
  * LOCALTAG ?? no
  {
    INCLUDERC=${SBDIR}/black/havenurls-0602.rc
  }

  :0
  * LOCALTAG ?? no
  {
    INCLUDERC=${SBDIR}/black/havenurls-0601.rc
  }

  :0
  * LOCALTAG ?? yes
  {
    SBLOGFLAGS="ALWAYS 1 RULE"
    SBLOG="Spam Haven URL"
    #SBLOG="A1R-Spam Haven URL"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    :0
    * $ ${SBSCORE}^0
    * 10^0
    {
      SBSCORE=$=
    }
  }
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# HAVEN INSTANT MESSAGE CONTACTS
#
# IM contacts seen in recent spam. (AIM, ICQ, IRC, MSN, Yahoo)
#
# Same gate / newest-first list chain / +10 structure as DROP-BOX above.
LOCALTAG=no

:0
* SBCONFIG ?? Debug
{
  LOCALTAG=yes
}

:0
* SPAMTAG ?? no
{
  LOCALTAG=yes
}

:0
* LOCALTAG ?? yes
{
  LOCALTAG=no

  :0
  {
    INCLUDERC=${SBDIR}/black/havenims-0604.rc
  }

  :0
  * LOCALTAG ?? no
  {
    INCLUDERC=${SBDIR}/black/havenims-0603.rc
  }

  :0
  * LOCALTAG ?? no
  {
    INCLUDERC=${SBDIR}/black/havenims-0602.rc
  }

  :0
  * LOCALTAG ?? no
  {
    INCLUDERC=${SBDIR}/black/havenims-0601.rc
  }

  :0
  * LOCALTAG ?? yes
  {
    SBLOGFLAGS="ALWAYS 1 RULE"
    SBLOG="Spam Haven IM"
    #SBLOG="A1R-Spam Haven IM"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    :0
    * $ ${SBSCORE}^0
    * 10^0
    {
      SBSCORE=$=
    }
  }
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# SPAM PHONE NUMBERS
#
# The phone numbers listed in this filter have appeared in multiple
# spam runs. If an email contains one of these phone numbers, it
# is safe to treat it as spam.
:0
* SBCONFIG ?? Debug
{
  INCLUDERC=${SBDIR}/black/havenphone-patterns.rc
}

:0 E
* SPAMTAG ?? no
{
  INCLUDERC=${SBDIR}/black/havenphone-patterns.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# SPAM POSTAL ADDRESSES
#
# The postal addresses contained in this filter have appeared in multiple
# spam runs. Most spammers provide web site URLs, email addresses, or
# phone numbers as contact information in preference to a postal address,
# but the occasional spammer prefers to provide a postal address.
:0
* SBCONFIG ?? Debug
{
  INCLUDERC=${SBDIR}/black/havenpostal-patterns.rc
}

:0 E
* SPAMTAG ?? no
{
  INCLUDERC=${SBDIR}/black/havenpostal-patterns.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# SPAM MAILER SOFTWARE
:0
* SBCONFIG ?? Debug
{
  INCLUDERC=${SBDIR}/black/spamsw-patterns.rc
}

:0 E
* SPAMTAG ?? no
{
  INCLUDERC=${SBDIR}/black/spamsw-patterns.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# FILTER EVASION SIGNS
#
# These filters catch spam that has clear evidence of attempts to avoid
# spam filters, such as bogus HTML tags, embedded HTML comments, misspelled
# key words, etc.
#
:0
* SBCONFIG ?? Debug
{
  INCLUDERC=${SBDIR}/grey/filterevasion-patterns.rc
}

:0 E
* SPAMTAG ?? no
{
  INCLUDERC=${SBDIR}/grey/filterevasion-patterns.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# GENERIC SPAM HEADERS
:0
* SBCONFIG ?? Debug
{
  INCLUDERC=${SBDIR}/black/spamheader-patterns.rc
  INCLUDERC=${SBDIR}/black/bogusheader-patterns.rc
}

:0 E
* SPAMTAG ?? no
{
  INCLUDERC=${SBDIR}/black/spamheader-patterns.rc
  INCLUDERC=${SBDIR}/black/bogusheader-patterns.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Adjust SBSCORE for email sent using certain email software that
# is typical, not of spammers, but of geeks who would for the most
# part cheerfully help stage a barbecue with spammer as the main
# course. ;P
#
# The "D" flag makes the header names and values below case-sensitive.
# User-Agent/X-Mailer/X-Editor/X-OS/X-PGP-Fingerprint are written by the
# sending software and are trivially forgeable, so treat this -10 as a
# mild heuristic rather than evidence of legitimacy.
#
# NOTE(review): as with the other negative credits, the assignment only
# happens when SBSCORE - 10 is positive; a score of 10 or less is left
# unchanged rather than reduced.
:0 D
* SPAMTAG ?? no
* H ?? ^((User-Agent|X-Mailer): (ELM|\
                                  Mutt|\
                                  Pine|\
                                  VM)|\
         X-Editor: (Emacs|\
                    Vim)|\
         X-OS:|\
         X-PGP-Fingerprint:)
{
  SBLOGFLAGS="ALWAYS 1 RULE"
  SBLOG="Typical Geek Header Info"
  #SBLOG="A1R-Typical Geek Header Info"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * -10^0
  {
    SBSCORE=$=
  }
}

##########################################################################
# PROBABLE SPAM

# The remaining recipes filter out mail with certain subjects
# and To: lines which almost always indicate a spam and which
# are difficult to catch otherwise.

# Recipes in this section are run only if email is not already
# classified as a virus or spam.

# CHECK THE INTERNAL BLOCKLISTS
#
# Check these first because it takes fewer cycles. :)
:0
* SBCONFIG ?? Debug
{
  INCLUDERC=${SBDIR}/grey/directtomx-patterns.rc
}

:0 E
* SPAMTAG ?? no
{
  INCLUDERC=${SBDIR}/grey/directtomx-patterns.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# CHECK THE BLOCKLISTS
#
# This recipe checks those blocklists you have configured the
# SpamBouncer to use. By default, the SpamBouncer checks the
# SpamHaus SBL and SpamHaus XBL, the NJABL Dial-Up/Dynamic List and
# NJABL Open Proxies List, and the SURBL blocklists.
#
# (Which lists are queried, and how, is decided inside sb-blocklists.rc;
# nothing in this file configures them.)
:0
* SBCONFIG ?? Debug
{
  INCLUDERC=${SBDIR}/sb-blocklists.rc
}

:0 E
* SPAMTAG ?? no
{
  INCLUDERC=${SBDIR}/sb-blocklists.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# BLOCKED MAIL SOFTWARE
#
# Mass mailers which aren't always used for spamming, but usually are.
:0
* SBCONFIG ?? Debug
{
  INCLUDERC=${SBDIR}/grey/blocksw-patterns.rc
}

:0 E
* SPAMTAG ?? no
{
  INCLUDERC=${SBDIR}/grey/blocksw-patterns.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# SPAM CHANNEL TESTING EMAILS
#
# Email that appears to be generated by spammers testing out trojaned
# computers or open proxies to see if they're still available and how
# widely blocked they are.
:0
* SBCONFIG ?? Debug
{
  INCLUDERC=${SBDIR}/grey/channeltest-patterns.rc
}

:0 E
* SPAMTAG ?? no
{
  INCLUDERC=${SBDIR}/grey/channeltest-patterns.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# BLOCKED HEADERS
#
# Headers that usually indicate spam, but not always
:0
* SBCONFIG ?? Debug
{
  INCLUDERC=${SBDIR}/grey/blockheader-patterns.rc
}

:0 E
* SPAMTAG ?? no
{
  INCLUDERC=${SBDIR}/grey/blockheader-patterns.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# LANGUAGE FILTERS
#
# Languages that you shouldn't receive.
#
# These recipes check for email sent in Chinese and other languages in which
# I frequently see spam and score it negatively. If you get email
# in one of these languages, you can set the one of the language variables
# to skip checking for that language. For example, you can set CHINESE=yes
# if you get email in Chinese, or KOREAN=yes if you get email in Korean.
#
# Given the prevalence of spammers in China and certain other Asian countries
# right now, this extra filter is likely to catch a lot of spam which normal
# pattern matching filters written by someone who doesn't speak or read
# Chinese or Korean won't catch. :)
#
# (The per-language variables mentioned above are read inside
# language-patterns.rc, not here.)
:0
* SBCONFIG ?? Debug
{
  INCLUDERC=${SBDIR}/grey/language-patterns.rc
}

:0 E
* SPAMTAG ?? no
{
  INCLUDERC=${SBDIR}/grey/language-patterns.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# GENERIC PATTERN MATCHING FILTERS
#
# Filter for categories of spam, such as "enlarge " 
# spam, stock pumping, etc. These filters can cause some false positives, but
# also catch spam when nothing else will.
#
# LOCALTAG decides whether sb-contentpatterns.rc runs: enabled in Debug
# mode or for not-yet-tagged mail, then disabled again when the user has
# turned pattern matching off (PATTERNMATCHING=NONE) or the earlier stage
# flagged the message as oversize (LEANTAG=yes).
LOCALTAG=no

:0
* SBCONFIG ?? ^Debug$
{
  LOCALTAG=yes
}

:0
* SPAMTAG ?? ^no$
{
  LOCALTAG=yes
}

:0
* PATTERNMATCHING ?? ^NONE$
{
  SBLOGFLAGS="ALWAYS 1 PASS"
  SBLOG="Pattern Matching Disabled (Manual)"
  #SBLOG="A1P-Pattern Matching Disabled (Manual)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
  LOCALTAG=no
}

:0
* LEANTAG ?? ^yes$
{
  SBLOGFLAGS="ALWAYS 1 PASS"
  SBLOG="Pattern Matching Disabled (Oversize Email)"
  #SBLOG="A1P-Pattern Matching Disabled (Oversize Email)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
  LOCALTAG=no
}

:0
* LOCALTAG ?? ^yes$
{
  INCLUDERC=${SBDIR}/sb-contentpatterns.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# End PATTERNMATCHING Section

# IRRESPONSIBLE PROVIDERS AND SPAMMY NETBLOCKS
# (ISPs and NSPs which host a lot of spam sites, and which do not have
# adequate AUP/TOS or ignore them, but which also have non-spamming
# customers.)
:0
* SBCONFIG ?? Debug
{
  INCLUDERC=${SBDIR}/grey/blockregistrar-patterns.rc
}

:0 E
* SPAMTAG ?? no
{
  INCLUDERC=${SBDIR}/grey/blockregistrar-patterns.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Free email sites
LOCALTAG=no

:0
* SBCONFIG ?? Debug
{
  LOCALTAG=yes
}

:0 E
* SPAMTAG ?? no
{
  LOCALTAG=yes
}

:0
* LOCALTAG ?? yes
{
  INCLUDERC=${SBDIR}/grey/freemail-patterns.rc
}

# Test to see if Spam Threshold has been reached
#
INCLUDERC=${SBDIR}/functions/test-threshold.rc

# Final decision for mail not already tagged as spam: set BLOCKTAG when
# 1 + SBSCORE - BLOCKLEVEL > 0, i.e. SBSCORE >= BLOCKLEVEL. BLOCKLEVEL is
# expanded into the scoring condition via the "$" flag and must be set
# earlier in the configuration.
:0
* SPAMTAG ?? no
{
  :0
  * 1^0
  * $ ${SBSCORE}^0
  * $ -${BLOCKLEVEL}^0
  {
    BLOCKTAG=yes
  }
}