Fighting spam with procmailrc

This procmail recipe is a good general drop-in filter for most forms of spam and for nasty attachments.

Download the file and drop it into /etc/procmailrc, or copy and paste it from this page. Be sure that sendmail (or your favourite MTA, such as postfix or qmail) has been compiled with procmail support.

This recipe does not return any errors to the sender. It does save the matching email to /tmp/virus.save (you may want to rename this to something better) and also writes the transfer log to /tmp/virus.log (once again, change this to suit).

It has a couple of safety-nets. First, it records the Message-ID into msgid.cache via formail, which prevents mail loops (these can quickly get very ugly). Second, it stamps each email with "X-Loop: Attachment scanner", which should also prevent mail loops.
The downside of the latter safety-net is that a spammer could add this header to their message and it would bypass the scanner, so perhaps you could change the value to something random, or possibly add the message id to the X-Loop value as some kind of one-off key.

I'm sure there is a tighter way to put together a procmail recipe to do the following, but this one spells out how it works very easily.
I've only used this one in real-life situations with procmail configured as the delivery mechanism, not a relay config.

more?

Other good procmail and related pages

Defanged filter
procmail homepage
cert.org's search on outlook worms

Questions? Comments? Feel free to email me - Leigh Morresi 17/Jun/2002

download

VERBOSE=off
LOGFILE=/tmp/virus.log
# Captured from the incoming message at startup; not referenced by the recipes below
SUBJECT=`formail -xSubject:`
ARRIVED=`formail -xDate:`
TOEMAIL=`formail -xTo:`
SENDMAIL=/usr/sbin/sendmail
# Lines of the message that mention a risky extension; also not referenced below
ATTACH=`grep -i -E "\.(vbs|wsf|vbe|wsh|hta|scr|pif|com|exe|shs|bat|bas|mp3|mp2|scr|wav|mpg|avi|eml|dll|jpg)"`

# looping sanity

##  At the first recipe, filter duplicate Message-IDs: formail -D keeps an
##  8192-byte cache of IDs already seen (msgid.cache, relative to MAILDIR) and
##  succeeds on a repeat, so the duplicate is dropped here.
##  W = wait for formail's exit code, h = feed it the header only, trailing
##  colon = lock msgid.lock while the cache is updated.
:0 Wh: msgid.lock
|formail -D 8192 msgid.cache


##  First off, let's get some safe headers happening; don't filter stuff we've already looked at
:0 H
* !^X-Loop: Attachment scanner
{
    ## Add our header, yup we've read it alright
    ## f = filter, h = pass only the header through formail, w = check its exit code
    :0 fhw
    |formail -A "X-Loop: Attachment scanner"

    # Things to look for in the body (name= covers both name= and filename= MIME parameters)
    :0 B
    * name=.*\.(vbs|wsf|vbe|wsh|hta|scr|pif|com|exe|shs|bat|bas|mp3|mp2|scr|wav|mpg|avi|eml|dll)
    {
        # trailing colon: take a lockfile while appending to the save file
        :0:
        /tmp/virus.save
    }

    # Subject line patterns (procmail matches case-insensitively; \$ is a literal dollar sign)
    :0 H
    * ^Subject.*(sex|viagra|nude|money|100|MORTGAGE|Rates|Casino|\$| Free |Panty|gamble|deal| Win |Life Insurance|e weight|improve your|Prize|Happy Father|Million Dollar|vitamin)
    {
        :0:
        /tmp/virus.save
    }

    # Sender patterns (matches both the From: header and the From_ envelope line)
    :0 H
    * ^From.*(offer|Gambling|link2buy.com|dealnow|mb00.net|northcity|freecash)
    {
        :0:
        /tmp/virus.save
    }

}
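To see how the recipe's decisions fit together without a running mail server, here is an added Python model of the same logic. It is example code written for this page, not the recipe itself and not part of procmail or formail. It applies the three checks in the recipe's order (duplicate Message-ID cache, X-Loop marker, then the body, Subject and From patterns) and, going one step beyond the text, implements the "one-off key" idea from above as an HMAC over the Message-ID with a local secret, so that a marker a sender pre-sets no longer matches. The sample messages, the `secret` parameter and the function names `scan`, `stamp` and `loop_token` are all constructed for this example.

```python
"""Added example: Python model of the procmailrc recipe above (not the page's code)."""
import hashlib
import hmac
import re
from email import message_from_string
from typing import Optional, Set

# The recipe's three conditions; procmail matches case-insensitively.
BAD_NAME_RE = re.compile(
    r"name=.*\.(vbs|wsf|vbe|wsh|hta|scr|pif|com|exe|shs|bat|bas|mp3|mp2|wav|mpg|avi|eml|dll)",
    re.IGNORECASE)
SUBJECT_RE = re.compile(
    r"(sex|viagra|nude|money|100|MORTGAGE|Rates|Casino|\$| Free |Panty|gamble|deal| Win "
    r"|Life Insurance|e weight|improve your|Prize|Happy Father|Million Dollar|vitamin)",
    re.IGNORECASE)
FROM_RE = re.compile(r"(offer|Gambling|link2buy\.com|dealnow|mb00\.net|northcity|freecash)",
                     re.IGNORECASE)
X_LOOP, PLAIN_MARK = "X-Loop", "Attachment scanner"   # fixed value the recipe stamps


def loop_token(message_id: str, secret: bytes) -> str:
    """Keyed per-message X-Loop value (the text's 'one-off key' idea; an assumption
    of this example): HMAC-SHA256 over the Message-ID, truncated to 16 hex chars."""
    return hmac.new(secret, message_id.encode(), hashlib.sha256).hexdigest()[:16]


def stamp(raw: str, secret: bytes) -> str:
    """Like the recipe's 'formail -A "X-Loop: ..."', but with the keyed token."""
    mid = message_from_string(raw).get("Message-ID", "")
    return f"{X_LOOP}: {loop_token(mid, secret)}\n{raw}"


def scan(raw: str, seen_ids: Set[str], secret: Optional[bytes] = None) -> str:
    """Decision for one message: 'duplicate' (formail -D hit), 'skip' (X-Loop
    present), 'quarantine' (would go to /tmp/virus.save) or 'deliver'.
    secret=None reproduces the recipe's fixed marker, which any sender can pre-set."""
    msg = message_from_string(raw)
    mid = msg.get("Message-ID", "")
    # Safety net 1: duplicate Message-ID cache (formail -D msgid.cache).
    if mid in seen_ids:
        return "duplicate"
    if mid:
        seen_ids.add(mid)
    # Safety net 2: the X-Loop marker, fixed string or keyed token.
    mark = msg.get(X_LOOP)
    if mark is not None:
        if secret is None:
            if mark == PLAIN_MARK:
                return "skip"
        elif hmac.compare_digest(mark.encode(), loop_token(mid, secret).encode()):
            return "skip"
    # The filters, in the recipe's order. Procmail's B flag scans the raw body
    # including MIME part headers, so look at the raw text after the header block.
    body = raw.split("\n\n", 1)[1] if "\n\n" in raw else ""
    if (BAD_NAME_RE.search(body) or SUBJECT_RE.search(msg.get("Subject", ""))
            or FROM_RE.search(msg.get("From", ""))):
        return "quarantine"
    return "deliver"


# Constructed sample messages.
CLEAN = ("Message-ID: <clean-1@example.com>\nFrom: alice@example.com\n"
         "Subject: Meeting notes\n\nSee you at ten.\n")
ATTACHMENT = ("Message-ID: <attach-1@example.com>\nFrom: billing@example.net\n"
              "Subject: Your invoice\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
              "--b1\nContent-Type: application/octet-stream; name=\"invoice.pdf.exe\"\n"
              "Content-Disposition: attachment; filename=\"invoice.pdf.exe\"\n\nMZ...\n--b1--\n")
SPAM_SUBJECT = ("Message-ID: <spam-1@example.com>\nFrom: bob@example.org\n"
                "Subject: Cheap VIAGRA now\n\nhello\n")
# Same attachment mail, but the sender pre-set the recipe's fixed X-Loop header.
FORGED = ("X-Loop: Attachment scanner\nMessage-ID: <forged-1@example.com>\n"
          + ATTACHMENT.split("\n", 1)[1])

if __name__ == "__main__":
    seen: Set[str] = set()
    for label, raw in [("clean", CLEAN), ("clean again", CLEAN), ("attachment", ATTACHMENT),
                       ("spam subject", SPAM_SUBJECT), ("forged X-Loop", FORGED)]:
        print(f"{label:14s} -> {scan(raw, seen)}")
    print(f"forged, keyed  -> {scan(FORGED, set(), secret=b'local-secret')}")
    print(f"own stamp      -> {scan(stamp(ATTACHMENT, b'local-secret'), set(), b'local-secret')}")
```

Running the script prints one decision per sample: the second copy of the clean mail is caught by the Message-ID cache, the forged message slips past the fixed marker exactly as the text warns, and the same message is quarantined once a secret is in use, while a message we stamped ourselves is still skipped. In a real deployment the keyed marker only works if the stamping step and the check share the same secret, and the model writes nothing to disk: "quarantine" stands for the recipe's delivery to /tmp/virus.save.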