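## Blue-Labs.org /etc/procmailrc
## keep copy in http://stuph.org/procmailrc
## Last updated: December 5th, 2006/david@blue-labs.org
##
## Site-wide procmailrc.  Every value extracted from the message below
## (SENDER, srcrelay, spamlevel, from) is attacker-controlled header data:
## it is used in LOG= lines and, for srcrelay, fed to the netfilter
## "spammer" list further down, so treat it as untrusted everywhere.

SHELL=/bin/sh
LOGFILE=/var/log/procmail
SENDMAIL=/usr/sbin/sendmail
TMP=/var/tmp
SPAM=/var/mail/shared/spam
PMDIR=/etc/mail
#LINEBUF=8192
FRIENDS=/etc/mail/procmail.friends
#DEFAULT=/var/spool/mail/$LOGNAME
DEFAULT=${HOME}/.maildir/
FILTERDIR=/etc/mail
VERBOSE=no
LOGABSTRACT=no
COMSAT=no

## envelope sender with the angle brackets and leading blanks stripped
SENDER=`formail -x Return-Path | sed 's/[<>]//g;s/^[ ]*//'`

## Address of the host that handed the message to us: the bracketed
## [a.b.c.d] in the top-most (most recently added) Received: header,
## left-justified to 15 columns for the log.
## - head -n1 takes the first header, i.e. the one our own MTA wrote; if a
##   trusted forwarder or secondary MX relayed the spam, this is the
##   forwarder's address, not the original sender's.
## - the greedy .* keeps the LAST bracketed address on the line; this
##   assumes the MTA places the real peer IP after any client-supplied
##   HELO text -- TODO confirm against the local MTA's Received: format.
## - if no bracketed address is present the sed substitution does not
##   fire and gawk's $1 yields the first word of the raw header, so
##   consumers must validate the value before trusting it.
srcrelay=`formail -x Received -c | head -n1 | sed -e 's/.*\[\([0-9.]*\)\].*/\1/g' | gawk '{printf "%-15s", $1}'`

## SpamAssassin star string, leading blank dropped
spamlevel=`formail -x X-Spam-Level | cut -c2-`

## From: header.  -c joins folded continuation lines onto one line so a
## multi-line header cannot inject extra lines into LOGFILE via $from.
from=`formail -x "From:" -c | sed 's/^ *//'`

## number of stars (= SpamAssassin score), left-justified to 3 columns.
## printf with a quoted argument: the previous `echo -ne $spamlevel` left
## the string unquoted, so /bin/sh globbed the '*' characters against the
## current directory, and echo -n/-e are not portable across sh variants.
stars=`printf '%s' "$spamlevel" | wc -c | gawk '{printf "%-3s", $1}'`
to=`echo "$LOGNAME" | gawk '{printf "%-10s", $1}'`

## if this rule matched, echo this IP into the spammer hash bucket.
## netfilter will tarpit their packets if they have sent another packet
## within 24*7 hours. in other words, they get to trigger the spam filters
## once per day ;-) this is good netfilter-fu
##
## sunny-beach htdocs # grep spammer /var/lib/iptables/rules-save
## [0:0] -A INPUT -p tcp -m tcp --dport 25 -m recent --rcheck --seconds 1209600 --name spammer --rsource -j TARPIT
##
## remember to reset mode 666 or similar on /proc/net/ipt_recent/spammer anytime
## the firewall is reloaded. this file is written by all users. yes i am
## aware of ramifications, port 25 can be "killed" for you if your IP gets
## maliciously added.
##
## NOTE(review): with the file world-writable, any local account (not just
## procmail) can add an arbitrary address, and since srcrelay is the host
## that delivered to us, a legitimate upstream relay or forwarder can end
## up tarpitted.  A privileged helper that validates the address, or a
## per-user list, would limit the blast radius.  Newer kernels may expose
## this list under a different /proc path and syntax -- verify on upgrade.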
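##
## trigger on 6+, these mails are added to the filter then deleted
##
:0
* ^X-Spam-Level: \*\*\*\*\*\*
{
  LOG="--------: score/$stars relay/$srcrelay $to $from
"

  ## Feed the delivering host's address to the netfilter "spammer" recent
  ## list (see the netfilter notes at the top of this file).  srcrelay is
  ## derived from a message header, so only write it when it actually is a
  ## dotted quad; otherwise a Received: line without a bracketed address
  ## would push the first word of that header into the /proc file.  ^^
  ## anchors at the start/end of the value; the trailing blanks are the
  ## %-15s padding.
  :0ci
  * srcrelay ?? ^^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ *^^
  | /usr/bin/echo $srcrelay > /proc/net/ipt_recent/spammer

  # force train as spam
  :0ci
  | /usr/bin/dspam --mode=tum --class=spam --user=$LOGNAME --source=inoculation

  # not used atm, eventually i want a webpg of stats, just drop it
  :0
  /dev/null
}

##
## DO NOT use --source=corpus for the initial dspam run
##
## check spamminess for all users, check all emails here to train on
:0fw
| /usr/bin/dspam --mode=tum --user=$LOGNAME --deliver=innocent,spam --stdout

## now get the signature dspam just made since it can't find itself, gah. annoying shit
# signature=`formail -x "X-DSPAM-Signature"|gawk '{print $1}'`

LOG="Delivery: score/$stars relay/$srcrelay $to $from
"

## Vipul's Razor.  razor-check runs on a copy (c) and its exit status is
## checked (W); the 'a' recipe below only fires when that preceding recipe
## succeeded, i.e. razor reported the message as known spam.
:0cW
| razor-check

:0faW
| formail -A "X-Razor2-Warning: SPAM"

##
## DSPAM DOES NOT DELIVER TO STDOUT unless you use --source=corpus
## on the retrain
##

## high scoring spamassassin email is likely spam and should be force
## trained as such.
:0
* ^X-Spam-Status: Yes
{
  # delete the old headers
  :0fw
  | formail -I "X-DSPAM-Result" -I "X-DSPAM-Processed" -I "X-DSPAM-Probability" -I "X-DSPAM-Improbability" -I "X-DSPAM-Signature" -I "X-DSPAM-Confidence"

  :0fw
  | /usr/bin/dspam --source=corpus --mode=toe --class=spam --user=$LOGNAME --deliver=innocent,spam --stdout
}

## razor/pyzor is spam.
## No trailing '.' after SPAM: procmail's '.' does not match a newline, so
## '^X-Razor2-Warning: SPAM.' could never match the bare header added above
## and this retrain recipe did not fire.
:0
* ^X-Razor2-Warning: SPAM
{
  # delete the old headers
  :0fw
  | formail -I "X-DSPAM-Result" -I "X-DSPAM-Processed" -I "X-DSPAM-Probability" -I "X-DSPAM-Improbability" -I "X-DSPAM-Signature" -I "X-DSPAM-Confidence"

  :0fw
  | /usr/bin/dspam --source=corpus --mode=toe --class=spam --user=$LOGNAME --deliver=innocent,spam --stdout
}

## zero/negatively scored email is likely innocent, sadly dspam isn't able to fracking handle email bodies
## properly after it's already scored
:0
* ^X-Spam-Status: No, score=(0|-)
{
  # delete the old headers
  :0fw
  | formail -I "X-DSPAM-Result" -I "X-DSPAM-Processed" -I "X-DSPAM-Probability" -I "X-DSPAM-Improbability" -I "X-DSPAM-Signature" -I "X-DSPAM-Confidence"

  :0fw
  | /usr/bin/dspam --source=corpus --mode=toe --class=innocent --user=$LOGNAME --deliver=innocent,spam --stdout
}

## stamp the local recipient so downstream filters see who this copy is for
:0fw
| formail -I "Delivered-To: $LOGNAME"

## Set the necessary environment variables for TMDA
## $1 is the procmail argument (the address extension); it originates from
## the envelope recipient and is therefore sender-controlled.
EXTENSION="$1"

:0
* EXTENSION ?? .
{
  DELIMITER="+"
}

## if the recipient isn't set, define it
:0
* ! RECIPIENT ?? .
{
  RECIPIENT="$LOGNAME$DELIMITER$EXTENSION@$HOST"
}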