# Comments: most .procmailrcs I see do an awful lot of checks for
# specific addresses, etc. As a result, they wind up being 1000
# lines long, and when the spammers change, a lot of the recipes
# become so much detritus. And of course there are new spammers
# starting up every day -- do you really want to be hit by them
# even once? As a result, this .procmailrc tries to be mostly
# heuristics-driven, looking for spammer patterns rather than
# specific spammers.
#
# Set the variables SPAM and SUSPECT to be the folders where you wish
# spam mail and mail that is only suspected of being spam, respectively,
# to be directed. Suggested SPAM=/dev/null, the Unix trash can. If
# you want to be safe, send SPAM to a real file and check and clean
# it every so often.
#
# Set DEFAULT to be your default system mailbox if it is not
# correct as is. You should not have to touch this in most cases.
#
# All the recipes are commented. READ ALL OF THEM and decide where
# you want each to go. A # at the start of a line denotes a comment --
# if you see a recipe you don't want at all, comment it out. If
# you see that I'm sending something to SPAM that you might actually
# want, change it to SUSPECT or get rid of the recipe altogether. If
# you think I'm being too nice to a type of message, change $SUSPECT
# to $SPAM. (I've been somewhat conservative.)
#
# For maximum effectiveness, be sure all your SPAM rules are before
# all your SUSPECT rules -- this will ensure that all messages are
# routed as harshly as their worst characteristics merit.
#
# Procmail uses extended regular expressions. You won't understand
# a lot of the rules unless you understand regexps, which are too
# complicated to go into here.
#
# (refer user to procmail and regexp tutorials on the web here)
#
# I am interested in receiving the full headers and body of any
# message that gets by this filter, and any other comments, questions
# or suggestions you may want to offer. Please email me at
# caj@neosoft.com with them.
#
# Thanks,
# Craig.

SHELL=/bin/sh                   # don't change this
PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin   # shouldn't need to change
MAILDIR=$HOME/mail              # the base directory for other filenames here
DEFAULT=/var/mail/$LOGNAME      # if your mailbox name happens to be something
                                # besides your login name, CHANGE THIS.
                                # This is where non-spam or -suspect mail
                                # will be delivered by default.
LOGFILE=procmail.log            # Logging is done to this file.
VERBOSE=no                      # set to 'yes' if you want to see exactly what's
                                # happening. Log file will be large. Disable normally.
SPAM=spam                       # spam folder. You could change this to /dev/null
                                # if you're confident you won't want any of the stuff
                                # directed to SPAM.
SUSPECT=suspect                 # likely spam folder
LOCKFILE=lock                   # one lockfile instead of many local ones so we're
                                # not trying to lock /dev/null etc if one of our
                                # variables directs mail there
COMSAT=no                       # don't notify me unless it's for real
FRIENDS=friends                 # name of the file containing a list of people we
                                # always want to get mail from, one per line. If
                                # any substring of the From: or Sender: line matches
                                # a line of this file, it will go through, so this
                                # can be used to denote entire sites that we always
                                # wish to get mail from as well as individuals.
                                # E.g. "user", "user@aol.com" or "aol.com".
                                # Note that this file is case-insensitive.
                                # Putting all of the people or lists you get lots
                                # of mail from here will not only ensure you get
                                # it, but will speed up procmail.
SPAMMERS=spammers               # name of the file containing a list of spammers,
                                # one per line. This also checks the Reply-To:
                                # and Received: fields.
                                # Just like the FRIENDS file otherwise.
LISTS=lists                     # name of a file containing a list of strings
                                # we will use as signatures to recognize mail from
                                # mailing lists that we want to receive, so it's
                                # not routed to SUSPECT because it's not addressed
                                # directly to us.
                                # You'll need to find a header line
                                # or part of a header line that will always be on
                                # these mailing list messages. Be specific -- if
                                # any part of any message header matches a line in
                                # this file, you're going to see it in your mailbox.
                                # If the Sender: field is always the same on mailing
                                # list messages, you can list the sender (likely
                                # something like "hamster-list-owner@rodents.com")
                                # in your FRIENDS file, which is more efficient,
                                # because FRIENDS are only searched for in the
                                # From: and Sender: headers, while LISTS strings
                                # are searched for in ALL of the headers.
                                # If you can't match a mailing list with Sender:,
                                # find a header that is always there and always the
                                # same and list it in LISTS, including the header
                                # field. As so: X-Loop: FreeBSD.org or...
                                # X-Comment: The hamsters mailing list is for adults only.

# back up everything. 'c' flag causes us to continue processing
# even though the message has been delivered. ('copy')
# Uncomment this when testing new rules to make sure you don't lose
# anything important. (Or you could just set SPAM to something
# besides /dev/null, but don't do both.)
#
#:0 c
#backup

# Here we search the list of people we always want to get mail from,
# and deliver the mail if it's from one of them, no matter what.
# The FRIENDS file is set and described above.
:0
* ? (formail -x From: -x Sender: | fgrep -iqf $FRIENDS)
{
  COMSAT=yes    # notify me of receipt if possible
  :0
  $DEFAULT      # deliver to default mailbox
}

# Now we'll look for mailing lists so they don't go to SUSPECT, as
# these will not be addressed directly to us, and later we will route
# messages not addressed to us to SUSPECT.
# LISTS is set and described above.
:0 H
* ? fgrep -iqf $LISTS
{
  COMSAT=yes
  :0
  $DEFAULT
}

# look for X-Advertisement header or 'advertisement' in the subject,
# accounting for possible sp. error. "Nice" spammers use this header.
:0
* ^X-Adverti[sz]ement:
$SPAM

:0
* ^Subject:.*adverti[sz]ement
$SPAM

# To: friend(s)@public.com or you@wherever.com and the like. Spam.
# (arrangements made for those who spell at a 4th grade level as
# well, i.e.: freind)
:0
* ^TO.*( |<|,)(fr(ie|ei)nd(s)?|you)@
$SPAM

# snag the To: and From: headers
TO=`formail -zx To:`
FROM=`formail -zX From: | formail -zrx To:`    # address-stripping magic

# spammers love to set their "To:" and "From:" fields to the same
# thing. If this is the case and it's not from you, it's spam.
:0
* $ TO??$FROM
* !$ ^To:.*$LOGNAME
$SPAM

# no To: line.
:0
* TO??^$
$SPAM

# no legit From address (formail generates foo@bar in this case)
:0
* FROM??^foo@bar$
$SPAM

# purely numeric address. blah. I've never seen this be legit.
# Even compuserve addresses have a punctuation mark of some sort.
:0
* ^From:.*( |<)[0-9]+@
$SPAM

# bogus pegasus header, very common with spammers, and I've never
# seen it used by anyone else.
:0
* ^Comment: Authenticated sender is
* ! ^X-Mailer: Pegasus
$SPAM

# bad message id -- empty or no @host part.
:0
* ^Message-Id:.*<[^@]*>
$SPAM

# sex spam -- "XXX" in subject (case sensitive, word boundaries)
:0 D
* Subject:.*\<XXX\>
$SPAM

# 1-900 in the subject. Yeah, right.
:0
* ^Subject:.*1-900
$SPAM

# mlm crap -- MLM in subject (case sensitive)
:0 D
* Subject:.*\<MLM\>
$SPAM

# 'dear friend' at the start of a line in the body of message
# (in brackets is a tab and a space -- if you edit the file, make
# sure you keep them in there -- one tab, one space, in either order)
# provisions made for misspelling.
:0 B
* ^[	 ]*dear fr(ie|ei)nd(s)?
$SPAM

# nothing from email blaster
:0 B
* EMAIL BLASTER
$SPAM

# or this one
:0 B
* EMAIL PLATINUM
$SPAM

# Your research sucks ("our research indicates that you wanted our spam..")
:0 B
* (our|my) research indicates
$SPAM

# sex spam, "adults only" in subject
:0
* ^Subject:.*adults only
$SPAM

# popular pyramid scam signature
:0 B
* order report #1
$SPAM

# we don't ever wanna hear about mlm (message body)
:0 B
* multi(-| )?level marketing
$SPAM

# or abbreviated (message body, case sensitive)
:0 BD
* MLM
$SPAM

# 2 bangs or dollar signs in subject. spammer hype.
:0
* ^Subject:.*(!!|\$\$)
$SPAM

# more conservative for the body -- need three of the same
:0 B
* (!!!|\$\$\$)
$SPAM

# too many recipients ( >= 10) If you want to change this, get rid of
# or add sets of ".*," You need n-1 sets, where n is too many recips.
:0
* ^(To|Cc):.*,.*,.*,.*,.*,.*,.*,.*,.*,
$SPAM

# don't even want a 1-900 number in the body.
:0 B
* 1-900
$SPAM

# And here we search a file with a list of people we _never_ want to
# get anything from, tossing the mail if it's from one of them.
# The included list is far from complete, but is a good start.
# Be sure to have a look at it.
# SPAMMERS is set and described above.
:0
* ? (formail -x From: -x Sender: -x Reply-To: -x Received: | fgrep -iqf $SPAMMERS)
$SPAM

# not addressed to you -- suspect (or mailing list, if not caught earlier)
# You could remove this if you subscribe to a lot of lists and don't
# want to bother listing them in your 'lists' file but this rule
# catches a _lot_ of spam -- upwards of 50% of it for sure. You could
# also live dangerously and direct this to SPAM. (not so dangerous if
# SPAM isn't /dev/null)
#
# REMOVE THIS IF YOU SUBSCRIBE TO MAILING LISTS AND HAVE NOT ARRANGED
# FOR MAILING LISTS TO BE CAUGHT WITH EITHER A FRIENDS OR LISTS ENTRY!
:0
* !$ ^TO$LOGNAME
$SUSPECT

# If opportunity knocks, we're not home. I really wanted to make
# this SPAM. You might want to change it, it's a real common spammer
# flag.
:0
* ^Subject:.*opportunity
$SUSPECT

# All caps subjects are highly suspect
:0 D
* ^Subject: [^a-z]*$
$SUSPECT

# "free" in the subject line. We'll be conservative, but this is
# more than likely spam...
:0
* ^Subject:.*\<free\>
$SUSPECT

# "sex" in subject. SUSPECT instead of SPAM because, hey, you
# could get propositioned. ;) Only caught on word boundary.
:0
* ^Subject:.*\<sex\>
$SUSPECT

# popular spammer header, but I have seen this in _one_ legit mail
# So we'll make it SUSPECT. You could more than likely make it
# SPAM.
:0
* ^X-UIDL:
$SUSPECT

# large dollar amount in subject line, suspect
:0
* ^Subject:.*\$[0-9]+,000
$SUSPECT

# real common in pyramid scams, uncommon for real people.
# (especially those you know.. ;) ) "my name is" in the body.
# this one might be a good candidate to go to SPAM
:0 B
* my name is
$SUSPECT

# "FREE" in body -- too common a word to make SPAM, but it probably
# is anyway. Spammers love to sprinkle this around liberally.
# (case sensitive -- the word "free" in lc would be far too common)
:0 BD
* \<FREE\>
$SUSPECT

# probable sex spam -- "adults only" in body
:0 B
* adults only
$SUSPECT

# more sex spam
:0 B
* over (18|21) only
$SUSPECT

COMSAT=yes    # ok, you can bother me, looks like it's a real mail