pi's .procmailrc

So you want to filter spam and not have a long list of senders and hosts? Try to understand spam. This is what my .procmailrc does … and some things more. Enjoy! Use at your own risk.

Lines starting with | are part of the file; anything else is explanation.
lynx -dump -width=500 http://piology.org/.procmailrc.html|grep '^|'|cut -c3-
will produce the original version for you.

If you return to this page, note the changes.

| PATH=/bin:/usr/bin:/usr/local/bin:/usr/sbin:$HOME/bin
| SENDMAIL="sendmail"
| SHELL=/bin/sh
| MAILDIR=$HOME/.procmail
| LOGFILE=$HOME/.procmail/procmail.log

Make sure the previous lines work for your system.

| VERBOSE=OFF
| LOGABSTRACT=NO
|
| # Viruses
| :0
| * ^X-Zid-Univie-Virus-Alert:[ 	]*\/.*
| {
|  LOG="Virus: $MATCH
|  "
|  LOGABSTRACT=ALL
|  :0:
|  virus
| }

If your mail server adds a header for detected viruses, this is the place to catch it. If it doesn't, delete the recipe.

| :0:
| * ^Content-Type:.*multipart/
| * 1^1 B ?? ^Content-Type:.*application/x-msdownload
| * 1^1 B ?? ^Content-Type:.*name=.*\.(exe|scr|pif|com|bat)
| * 1^1 B ?? ^[ 	]+(file)?name=.*\.(exe|scr|pif|com|bat)
| * -1^1 B ?? ^[ 	]+(file)?name=3D.*\.(exe|scr|pif|com|bat)
| virus-suspects

In that recipe we try to catch mails which passed the virus check, but have attachments of virus file types.
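
An added illustration, not part of the original file: a small Python model of how procmail scores the recipe above, using the w^x rule from procmailsc(5), where the n-th match of a condition adds w·x^(n-1) and the recipe fires only if the total ends above zero. Both messages are constructed, and reading the `-1^1 ... name=3D` line as a guard against quoted-printable HTML (where `=3D` encodes `=`) is this example's interpretation.

```python
import re

# Conditions of the virus-suspects recipe as (weight w, exponent x, regex),
# all applied to the body ("B ??"). Regexes are copied from the recipe.
EXT = r"\.(exe|scr|pif|com|bat)"
BODY_CONDITIONS = [
    (1, 1, r"^Content-Type:.*application/x-msdownload"),
    (1, 1, r"^Content-Type:.*name=.*" + EXT),
    (1, 1, r"^[ \t]+(file)?name=.*" + EXT),
    (-1, 1, r"^[ \t]+(file)?name=3D.*" + EXT),
]
FLAGS = re.IGNORECASE | re.MULTILINE  # procmail: case-insensitive, ^ per line


def body_score(body, conditions=BODY_CONDITIONS):
    """Sum w * x**(n-1) over the n-th match of each w^x condition."""
    total = 0
    for w, x, pattern in conditions:
        hits = sum(1 for _ in re.finditer(pattern, body, FLAGS))
        total += sum(w * x ** n for n in range(hits))
    return total


def is_virus_suspect(header, body, conditions=BODY_CONDITIONS):
    """The unweighted header condition must hold and the score must be > 0."""
    if not re.search(r"^Content-Type:.*multipart/", header, FLAGS):
        return False
    return body_score(body, conditions) > 0


# Constructed sample messages (header and body kept separate for brevity).
HEADER = "From: a@example.com\nContent-Type: multipart/mixed; boundary=b1\n"
ATTACHMENT = (
    "--b1\nContent-Type: application/octet-stream;\n"
    '\tname="invoice.pif"\nContent-Disposition: attachment;\n'
    '\tfilename="invoice.pif"\n\nAAAA\n--b1--\n'
)
QP_HTML = (
    "--b1\nContent-Type: text/html\n"
    "Content-Transfer-Encoding: quoted-printable\n\n"
    '<form action=3D"http://www.example.com/">\n<input type=3D"text"\n'
    ' name=3D"www.example.com">\n</form>\n--b1--\n'
)

if __name__ == "__main__":
    for label, body in (("attachment", ATTACHMENT), ("QP HTML", QP_HTML)):
        print(label, body_score(body), is_virus_suspect(HEADER, body))
    # The same HTML mail without the negative condition: a false positive.
    print("QP HTML, no -1 rule", body_score(QP_HTML, BODY_CONDITIONS[:3]))
```

The attachment scores once for each folded `name=`/`filename=` line, while the HTML form field is cancelled by the negative condition.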

| # Out of office replies NetLaw
| :0
| * ^Subject:[^:]*\/(Out.of.Office.*Reply|Abwesenheitsnotiz).*NETLAW-L
| {
|  LOCKFILE=tmp/y
|  LOG="Muell: $MATCH
|  "
|  Foo=`rm -f tmp/body`
|  :0c
|  tmp/body
|  :0cW
|  | (formail -zrt -X 'To:';cat msg/autoreply.txt tmp/body) | $SENDMAIL -oi -t
|  LOGABSTRACT=ALL
|  :0
|  /dev/null
|  LOCKFILE=
| }

This is an example of how to complain about auto-replies sent to mailing lists. autoreply.txt must contain the needed header fields. Adjust or delete.

| # Clean up headers for NetLaw junk software
| :0
| * ^From owner-netlaw-l@LISTSERV.GMD.DE
| {
|  SUBPERL=`formail -zxSubject: | perl -0777p -mMIME::Words=:all -e'$char=(/=\?([^?]+)\?[bBqQ]\?/);$_=decode_mimewords($_);s/\[(?:NETLAW-L|BDSM-Austria)\]\s*//g;s/^(?:(?:R[eE]|AW|Antw(?:ort)?):\s+)+/Re: /s;$_=encode_mimewords($_,"Q",$char)'`
|  :0fw
|  | formail -i"Subject: $SUBPERL" -I"Reply-To:"
| }

This is an example of how to fix subjects for mailing lists which add their name in square brackets. A bogus Reply-To is removed as well. Adjust or delete.

| ## Clean CNN Breaking News
| :0fw
| * ^Sender:.*BreakingNews@MAIL.CNN.COM
| | sed -e '/^Watch CNN or log on to/,$ d'

This is an example of how to delete unwanted parts at the end of a mail.

| ## Save From, Envelope-to
| :0fw
| * ^From \/.*
| | formail -i"X-pi-From: $MATCH"
| :0fw
| * ^Envelope-to:[ 	]+\/.*
| * ! ^Envelope-to:.*3.14@logic.univie.ac.at
| | formail -i"X-pi-Envelope-to: $MATCH"

Try to save some information which might get lost otherwise. Does not work with all mail transfer agents (MTAs).

| ## Bounces to answering system
| :0
| * ! ^Subject:.*somestringhere
| * ^From[ 	]+\/.*
| * -1^0
| * 1^0 ^FROM_MAILER
| * 1^0 ^TO3\.14\+as
| * 1^0 ^X-pi-Envelope-to:.*3\.14\+as
| * 1^0 B ?? ^From: .*pi's answering system
| * 1^0 ^Subject: Your recent message sent via abuse.net
| /dev/null

Here we catch replies or bounces to bounces. Replace somestringhere with some "safeword" which you name in your bounces (see below).

| ## Blacklist 1
| #:0fw
| #* ! ^(From|Sender:).*(owner|request)

Rules for people you don't want to see (their mail will bounce) go here. The previous line exempts mail from mailing lists; you might have to improve it depending on the lists you have. To activate, remove the comment symbols and add something you want to catch.

| #| formail -i"X-pi-Spam-rated: Blacklisted by $MATCH"
| #
| #
| ## Blacklist 2
| #:0fw

As before, but now we even bounce mailing lists, like those spammers create.

| #| formail -i"X-pi-Spam-rated: Blacklisted by $MATCH"
|
| :0HB
| * ? bogofilter
| {
|   FROM=`formail -zxX-pi-From:`
|   SUBJECT=`formail -zxSubject: | perl -0777p -mMIME::Words=:all -e'$_=decode_mimewords($_);s/\s+/ /sg;$_=substr($_,0,69);'`
|   LOGFILE=bogofilter.log
|   LOG="From $FROM
|  Subject: $SUBJECT
| "
|   :0:
|   bad
| }

In the previous recipe we let bogofilter determine whether something is spam. If so, it is written to the file bad and logged in a special file, bogofilter.log. Whatever is not recognized will be treated as not being spam. You will later have to correct that manually.

| # Check PGP-Signatures
| :0
| * ^Content-Type:.*multipart/signed
| {
|   FOO=`pgp6 -f 2>&1 >/dev/null|sed -n '/signature/{;s/File is signed\.  //;N;s/\n/ /;p;}'`
|   :0fw
|   | formail -i"X-pi-PGP-checked: $FOO"
| }

Your pgp might have a different name; for gpg you will have to fix more.

| # Clean MIME mails
| :0
| * ! ^FROM_MAILER
| * ^Content-Type:.*multipart/
| {
|  :0c:
|  tmp/fixmail
|  :0fw
|  | fixmail.pl
| }

If you want to get rid of useless MIME parts.

This is the place where you want to drop (or save to a junk file) postings from lusers on various mailing lists.

| ### Good ...
| #:0fw
| #* ! ^X-pi-Spam-rated:
| ## myself
| #* 1^0 ^\/From:.*\/3\.14@
| #* 1^0 ^Subject: +\/Cron
| ## MTAs etc.
| #* 1^0 ^Subject:.*\/Returned mail
| #* 1^0 \/^FROM_MAILER
| #* 1^0 ^Subject:.*\/somestringhere
| ## mailing lists
| #* 1^0 ^(From|Sender:)[^:]*\/(owner|request)[a-zA-Z0-9.+_\-]*@
| #* 1^0 ^\/List-
| #* 1^0 ^\/(X-)?Mailing-List:
| #* 1^0 ^\/X-listar-version:
| ## lusers
| #* 1^0 ^From:.*\/icann\.org
| #* 1^0 ^From.*\/nobody@mothra\.mozilla\.org
| #| formail -i"X-pi-Spam-rated: Save by $MATCH"
| #
| ##:0A:
| ##$DEFAULT

There are some things you want to see even if they look like spam. Also make sure you don't bounce things you should not. Above are some examples; adjust them to your own needs. The "lusers" section might get long, depending on your friends ;-). Recall that somestringhere has to be replaced consistently everywhere.

| ### Silently drop all completely unreadable spam
| #:0
| #* 1^0 ^\/Subject:.*=\?(.*big5|iso-2022-jp|ISO-2022-KR|euc-kr|gb2312|ks_c_5601-1987|windows-1251|windows-1256)\?
| #* 1^0 ^Content-Type:.*charset="?(.*big5|iso-2022-jp|ISO-2022-KR|euc-kr|gb2312|ks_c_5601-1987|windows-1251|windows-1256)
| #/dev/null
| ### Unqualified addresses are only used by spammers
| #:0c
| #* ! ^X-pi-Spam-rated:
| #* ^(From|To|Sender|Reply-To):[ 	]*.*@YOURPROVIDER

For YOURPROVIDER, insert whatever your mail server adds to unqualified addresses. If that does not happen, simply delete this rule. Be careful that you do not have correct host names here.

| #| bogofilter -Ns
| #:0a
| #{
| # LOG="Spam: Unqualified address used
| # "
| # LOGABSTRACT=ALL
| # :0:
| # bad
| #}
|
| LOGFILE=procmail.log

Unqualified addresses are a clear sign of spam. We tell bogofilter right away to correct this and file the spam accordingly.

| ## Test
| :0:

If you have new ideas for detecting spam, test them here. Don't leave this recipe empty (a recipe without conditions matches every mail); delete it otherwise.

| test
|
|
| ### ... Evil ...
| #MATCH=
| #:0fw
| #* ! ^X-pi-Spam-rated:
| #* ! ^FROM_MAILER
| #* 1^0 B ?? ^[^>].*message is being brought to you by \/EMAIL BLASTER
| #* 1^0 B ?? ^[^>].*message provided by \/BULK E-MAIL
| #* 1^0 B ?? ^[^>].*\/Click Below To Be Removed
| #* 1^0 B ?? ^[^>].*\/don't w(ish|ant) to receive
| #* 1^0 B ?? ^[^>].*\/exclusively to our subscribers
| #* 1^0 B ?? ^[^>].*\/Global Remove List
| #* 1^0 B ?? ^[^>].*\/prefer not to recieve future E-mails
| #* 1^0 B ?? ^[^>].*\/received this e.?mail in error
| #* 1^0 B ?? ^[^>].*\/wish(ed)? to be removed
| #* 1^0 B ?? ^[^>].*\/want to be REMOVED
| #* 1^0 B ?? ^[^>].*\/to the removal lists
| #* 1^0 B ?? ^[^>].*you.*\/opt.in.*list
| #* 1^0 B ?? ^[^>].*\/opt-in e-mail
| #* 1^0 B ?? ^[^>].*orry \/for the inconvenience
| #* 1^0 B ?? ^[^>].*\/Remove.*in (the )?(subject|header)
| #* 1^0 B ?? ^[^>].*\/remove yourself from future
| #* 1^0 B ?? ^[^>].*\/REMOVE YOUR E-?MAIL
| #* 1^0 B ?? ^[^>].*\/remove your name from our mailing list
| #* 1^0 B ?? ^[^>].*\/removed from .*(future|list|base)
| #* 1^0 B ?? ^[^>].*\/(one|1).time (mailing|message|e-mail)
| #* 1^0 B ?? ^[^>].*\/subject=remove
| #* 1^0 B ?? ^[^>].*\/This is no spam
| #* 1^0 B ?? ^[^>].*\/TYPE 'DELETE' IN THE SUBJECT
| #* 1^0 B ?? ^[^>].*\/TYPE REMOVE
| #* 1^0 B ?? ^[^>].*\/unsubscribe"? in the subject
| #* 1^0 B ?? ^\/[^>].*visit our website
| #* 1^0 B ?? ^[^>].*\/is \/not (a )?SPAM
| #* 1^0 B ?? ^[^>].*message is \/sent in compliance
| #* 1^0 B ?? ^E-mail sent using \/WorldMerge
| #* 1^0 B ?? ^from.*\/future.*mailings
| #* 1^0 B ?? ^\/If you (do not|no longer) wish to receive.*
| #* 1^0 B ?? ^\/Powered by List Builder
| #* 1^0 B ?? ^\/This message complies
| #* 1^0 B ?? ^\/To be removed
| #* 1^0 B ?? ^\/To remove yourself
| #* 1^0 B ?? ^\/To unsubscribe (follow the link|go to|please click here|from future offers)
| #* 1^0 B ?? ^\/subject:? "Remove"
| #* 1^0 B ?? ^\*.*\/Super eMailer
| #* 1^0 ^\/Subject:[ 	]\/.*[^	 -~][^	 -~].*[^	 -~][^	 -~].*[^	 -~][^	 -~]
| #* 1^0 ! ^(Resent-)?From:
| #* 1^0 ^Date:.*\/ (200[01]|[01][0-9][0-9][0-9])
| #* 1^0 ^\/From:[ 	]*$
| #* 1^0 ^\/(From|Sender:).*\/<>
| #* 1^0 ^From.*\/[a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9]@aol\.com
| #* 1^0 ^From.*[ 	<]\/[0-9][a-z0-9]*@aol\.com
| #* 1^0 ^From.*\/[-._$][a-z0-9]*@aol\.com
| #* 1^0 ^From.*\/nousershere
| #* 1^0 ^From:.*\/mlm
| #* 1^0 ^From:.*\/[^	 -~][a-z0-9.+_-]*@
| #* 1^0 ^(From|Reply-To:).*\/remove
| #* 1^0 ^(From|Sender):.*\/@[^"<>()]*@
| #* 1^0 ^Illegal-Object: \/.*
| #* 1^0 ^Message-\/ID:[ ]*<<
| #* 1^0 ^(Message-ID:|From ).*\/seed\.net\.tw
| #* 1^0 ^Received.*\/\[([0-9]+\.)?([0-9]+\.)?([0-9]+\.)?([03-9][0-9][0-9]|2[6-9][0-9]|25[6-9])
| #* 1^0 ^Received:.* \/-0600 \(EST\)
| #* 1^0 ^Received:.*\/bulk_mailer
| #* 1^0 ^Received:.*\/CLOAKED!
| #* 1^0 ^Received:.*\/IPNG-ADV-ANTISPAM
| #* 1^0 ^Received:.*\/mci\.net
| #* 1^0 ^Received:.*\/unknown host
| #* 1^0 ^Received:.*\/vucqpqlj
| #* 1^0 ^([^S]|Se).*\/ybecker\.net
| #* 1^0 ^\/Status: O
| #* 1^0 ^Subject:[ 	[]*\/ADV[]: 	]
| #* 1^0 ^Subject:[        ]+\/Betreff
| #* 1^0 ^Subject:.*\/BUSINESS PROPOSAL
| #* 1^0 ^Subject:.*\/edsubject
| #* 1^0 ^To:[ 	]*\/\.@.*
| #* 1^0 ^TO\/bulkmailer
| #* 1^0 ^TO\/friend@public\.com
| #* 1^0 ^TO\/@nowhere\.com
| #* 1^0 ^TO\/nobody.*
| #* 1^0 ^TO\/spam.*
| #* 1^0 ^To:.*\/customer
| #* 1^0 ^To:.*\/you@
| #* 1^0 ^X-\/Advertise?ment:
| #* 1^0 ^X-\/X-Bulkmail:
| #* 1^0 ^X-\/Distribution: (Bulk|Mass)
| #* 1^0 ^X-\/Mailer:.*(Allaire Cold ?Fusion|Aristotle Mail|Crescent Internet ToolPak ActiveX Mail Control|DiffondiCool|E-Mail Connection|Ellipse Bulk Emailer|Emailer Platinum|Extractor|FastMail|Floodgate|Hammer|Jamail|JMail|Mail Bomber|MailWorkZ|Marketing|MassE-Mail|massmail\.pl|My Own Email|NetMailer|newslettermaker|PG-MAILINGLIST|RIME|Serien-eMail|sndb 32|supermailer|WorldMerge)
| #* 1^0 ^X-Sender:.*\/News Breaker Pro
| #* 1^0 ^X-.*\/http://.*name removal
| #| formail -i"X-pi-Spam-rated: Evil by $MATCH with score $="

OK, here we go, this is spam with a probability very close to one.
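
The `^Received.*\[...` condition in this recipe looks for a bracketed IPv4 address with an octet above 255. An added example, not part of the original file: a Python check over constructed Received lines showing what the pattern flags, including a bare bracketed IPv6 literal such as `[2600::1]`, next to a tightened variant that requires `.` or `]` after the octet (the variant is an assumption of this example, not the author's rule).

```python
import re

FLAGS = re.IGNORECASE | re.MULTILINE
PREFIX = r"^Received.*\[([0-9]+\.)?([0-9]+\.)?([0-9]+\.)?"
OCTET = r"([03-9][0-9][0-9]|2[6-9][0-9]|25[6-9])"

# Condition as written in the recipe (the \/ MATCH marker left out).
ORIGINAL = re.compile(PREFIX + OCTET, FLAGS)
# Hypothetical tightened form: the octet must be followed by "." or "]".
TIGHTENED = re.compile(PREFIX + OCTET + r"[.\]]", FLAGS)

# Constructed Received lines; hosts and addresses are made up for the example.
SAMPLES = {
    "valid_v4": "Received: from a.example (a.example [192.0.2.25]) by mx",
    "octet_300": "Received: from b.example (unknown [198.51.100.300]) by mx",
    "octet_256": "Received: from c.example ([10.256.3.4]) by mx",
    "bare_v6": "Received: from d.example (d.example [2600::1]) by mx",
    "tagged_v6": "Received: from e.example (e.example [IPv6:2600::1]) by mx",
}


def flagged(pattern, samples=SAMPLES):
    """Return the sorted names of the sample lines that the pattern matches."""
    return sorted(n for n, line in samples.items() if pattern.search(line))


if __name__ == "__main__":
    # The original pattern also hits the IPv6 line: "260" looks like an octet.
    print("original :", flagged(ORIGINAL))
    print("tightened:", flagged(TIGHTENED))
```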

| ### Only Pegasus creates this header
| #:0fw
| #* ! ^X-pi-Spam-rated:
| #* ^Comments:.*\/Authenticated sender.*
| #* !^X-Mailer:.*Pegasus Mail
| #* !^Resent-
| #| formail -i"X-pi-Spam-rated: Liar by $MATCH"

This is a 100%er.

| ### Drop spam
| #:0
| ##* ! ^X-pi-Spam-rated: Save by

Add some rule here for things which are (almost certainly) spam, but for some reason you do not want to bounce.

| #* ^X-pi-Spam-rated: \/.*
| #{
| # LOG=$MATCH"
| # "
| # LOGABSTRACT=ALL
| # :0
| # /dev/null
| #}
|
|
| ## License to kill
| :0
| #* ! ^X-pi-Spam-rated: Save by

Add some rule here for things which are (almost certainly) spam, but for some reason you do not want to bounce.

| * ^X-pi-Spam-rated: \/.*
| {
|  LOCKFILE=tmp/y
|  LOG=$MATCH"
|  "
|  Foo=`rm -f tmp/body`
|  :0c
|  tmp/body
|  :0cW
|  | (formail -zr -X 'To:';cat msg/bounce.txt tmp/body) | $SENDMAIL -oi -t
|  LOGABSTRACT=ALL
|  :0
|  * ^From .*<>
|  /dev/null
|  EXITCODE=77
|  :0
|  /dev/null
|  LOCKFILE=
| }

Here we strike back. This is a controversial issue. You should know what you are doing. Make sure to tell people the safeword here, and add headers as needed and an explanation to bounce.txt.

| ################################################################################################
|
| ### ... and Ugly
| #MATCH=
| #:0fw
| #* ! ^X-pi-Spam-rated:
| #* -50^0 ^TO3\.14@
| #* -50^0 ^Subject:.*fwd
| #* -50^0 ^Subject:.*Re:
| #* -50^0 ^Sender:.*owner
| #* -10^0 ^To:.*:.*;
| #* 51^0 ! ^Message-Id:[ 	]+<[^ 	<>@]+@[^ 	<>@]+>[ 	]*$
| #* 10^0 ! ^To:
| #* 5^1 B ?? ^[^>].*\/_______________________
| #* 10^0 ^\/To:\/[^@]*$
| #* 15^1 B ?? (^N|^[^>].*\/N)AME.*_______________________________
| #* 15^1 B ?? (^A|^[^>].*\/A)DDRESS.*_______________________________
| #* 20^1 B ?? ^[^>].*\/CARD.*_______________________________
| #* 25^1 B ?? \/Click Here
| #* 25^1 B ?? (^T|^[^>].*T)hank \/you for your time
| #* 30^0 ^Subject:.*\/\$[0-9][0-9][0-9]
| #* 30^0 ^Subject:.*\/XXX
| #* 30^0 ^Subject:.*\/ware[sz]
| #* 30^0 ^Subject:.*\/video
| #* 30^0 ^Subject:.*\/\<trial
| #* 30^0 ^Subject:.*\/\<rich\>
| #* 30^0 ^Subject:.*\/\<real
| #* 30^0 ^Subject:.*\/read this
| #* 30^0 ^Subject:.*\/\<quick
| #* 30^0 ^Subject:.*\/opportunity
| #* 30^0 ^Subject:.*\/\<offer\>
| #* 30^0 ^Subject:.*\/mortgage
| #* 30^0 ^Subject:.*\/money
| #* 30^0 ^Subject:.*\/market\>
| #* 30^0 ^Subject:.*\/make\>
| #* 30^0 ^Subject:.*\/http://
| #* 30^0 ^Subject:.*\/\<free\>
| #* 30^0 ^Subject:.*\/\<fast\>
| #* 30^0 ^Subject:.*\/dollar
| #* 30^0 ^Subject:.*\/credit
| #* 30^0 ^Subject:.*\/cheap
| #* 30^0 ^Subject:.*\/business
| #* 30^0 ^Subject:.*\/advertising
| #* 30^0 ^Subject:.*\/\<bulk\>
| #* 40^0 ^([^S]|Se).*\/ibm\.net
| #* 40^0 ^From.*\/usa\.net
| #* 40^0 ^From.*\/sales
| #* 40^0 ^From.*\/hotmail\.com
| #* 40^0 ^Received:.*\/da\.uu\.net
| #* 40^0 ^Subject:.*   [0-9][0-9][0-9][0-9]+$
| #* 55^0 B ?? ^\/[^>].*(Eur(o )?min(.?b|kv|re)|[0-9]minb)
| #* 60^0 ^Content-type:.*\/charset=unknown-8bit
| #* 60^0 ^From.*\/money
| #* 60^0 ^From.*\/sex
| #* 60^0 ^Subject:.*\/\$\$\$
| #* 90^0 ^(From|Reply-To:).*\/\<(no@reply|noreply|Reply@By\.Mail|do@not|response)
| #* 90^0 B ?? ^[^>].*\/advertise your product
| #* 90^0 B ?? ^[^>].*\/cannot be considered Spam
| #* 90^0 B ?? ^[^>].*\/multi.level marketing
| #* 90^0 B ?? ^[^>].*\/weight loss
| #* 90^0 ^Content-Type:.*\/text/html
| #* 100^0 ^\/Date:.*[^a-z0-9,:()+ -]
| #* 100^0 B ?? ^\/Below is the result of your feedback form\.
| #* 100^0 B ?? ^\/To be unsubscribed from.*mailing list
| #| formail -i"X-pi-Spam-rated: Spam by $MATCH with score $="

Really looks like spam. Add your own addresses at the top like in the example.

| ### To = From
| #Eone=`formail -zxTo: | md5sum | sed s/..$//`
| #Etwo=`formail -zxFrom: | md5sum | sed s/..$//`
| #Ethree=`formail -zxReply-To: | md5sum | sed s/..$//`
| #:0fw
| #* ! ^X-pi-Spam-rated:
| #* ^To:
| #* 1^0 ? test $Eone = $Etwo
| #* 1^0 ? test $Eone = $Ethree
| #| formail -i"X-pi-Spam-rated: To = From/Reply-To"

Some lusers do this, spammers do it all the time. This rule has the highest risk of false positives.

| ### License to trash
| #:0
| #* ! ^X-pi-Spam-rated: Save by
| #* ^X-pi-Spam-rated: \/.*
| #{
| # LOG=$MATCH"
| # "
| # LOGABSTRACT=ALL
| # :0:
| # trash
| #}

Here we write things which look like spam (and have not been bounced before) to a trash file.

| ## Save huge mail (>3000 lines)
| :0B:
| * -3000^0
| * 1^1 ^.*$
| huge

If you want to save huge mails (to protect your modem), this happens here. Pretty arbitrary limit.


© Boris 'pi' Piwinger, February 20, 2005