Sunday, 2 November 2008

header_checks: Block OLD mail!

WARNING: The information presented in this article is provided without warranty. Use at your own risk! Do not implement any features without full understanding of the implications. Using these measures incorrectly MAY prevent e-mail from reaching your server.

A lot of SPAM is sent with an old date. Easy to get rid of these. Once your well and truly into a new year, don't forget to update these.

Quote:   
/^Date:.*200[0-7]/ REJECT Message header rejected [058] - Date too old!
/^Date:.*19[0-9][0-9]/ REJECT Message header rejected [059] - Date too old!



header_checks: Block foreign SPAM

WARNING: The information presented in this article is provided without warranty. Use at your own risk! Do not implement any features without full understanding of the implications. Using these measures incorrectly MAY prevent e-mail from reaching your server.

I can read some French and German but English is my native language. I certainly cannot read Chinese, Japanese or Russian. Therefore, quite pointless receiving any.

Quote:   
#
# Not in english character set? No use to me.
# China = GB2312, big5
# Korean = euc-kr, ks_c_
# Russian = koi8-r, iso-8859-5
/^Subject:.*=\?(GB2312|big5|euc-kr|ks_c_.*|koi8.*|KOI8.*)\?/ REJECT Message header rejected [064a]
/^Content-Type:.*[:space:]charset="?(GB2312|big5|euc-kr|ks_c_5601-1987|koi8.*|KOI8.*)/ REJECT Message header rejected [064b]



header_checks: Block dating and meds SPAM

WARNING: The information presented in this article is provided without warranty. Use at your own risk! Do not implement any features without full understanding of the implications. Using these measures incorrectly MAY prevent e-mail from reaching your server.

SPAM for meds and dating (mainly russian) are currently the most prolific that I am getting and here is a few examples of my header_checks filtering for some of these.

A lot of the mail has a message ID injected into the subject line. I needed a way to test for these but, allow legitimate mail through. This is where our friend the 'if' conditional statement comes in. It allows you to test the first part of a subject line for a message ID. If exists, the rest of the subject line is tested further. The conditional testing finishes when a 'endif' is found.

Quote:   
#
# Check messages with a numeric message ID in subject line.
if /^Subject:.*(ID|MSG|ID MSG|MSG ID).*:[ ]?([0-9]{5}) /
#
# Dating
/[a-zA-Z]* is online now/ REJECT Message header rejected [200x]
/[a-zA-Z]* sent new (message[s]?|mail) from/ REJECT Message header rejected [201x]
/[yY]ou have ([0-9]{1,4})?[ ]?(unread|new) (message[s]?|mail)[ ]?(from)?[ ]?([a-zA-Z]*)?[ ]?(for you)?[ ]?(from)?/ REJECT Message header rejected [202]
/([0-9]{1,4}) (single|new|lonely)?[ ]?ladies/ REJECT Message header rejected [203]
/[iI] am [a-zA-Z]*?[ ,\.]?[ ]?([0-9]{1,4}) (y\.o\.|year[s]?)/ REJECT Message header rejected [204]
/[sS]till (lonely|single)\?/ REJECT Message header rejected [205x]
/[rR]emember [mM]e[ ?\.]/ REJECT Message header rejected [206x]
#
# Meds
/[gG]et all your [mM][eE3][dD][sz]?([iI\|1][cC][aA4@][tT][iI\|1][oO0][nN])?/ REJECT Message header rejected [301xx]
/[pP]harma(cy|ceutical)/ REJECT Message header rejected [302x]
/[oO]nline ([mM][eE3][dD][sz]?([iI\|1][cC][aA4@][tT][iI\|1][oO0][nN])?|prescription-free)/ REJECT Message header rejected [303]
/[nN]ever have to (see|visit) (a|the) [dD]octor[s ]?/ REJECT Message header rejected [304]
/[Rr]ange [a-zA-Z]* [mM][eE3][dD][sz]?([iI\|1][cC][aA4@][tT][iI\|1][oO0][nN])?/ REJECT Message header rejected [305]
/([tT]he )?[wW]orld[.]?s.*[oO]nline [mM][eE3][dD][sz]?([iI\|1][cC][aA4@][tT][iI\|1][oO0][nN])?/ REJECT Message header rejected [306x]
endif