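# sb4.rc
#
# Called by sb3.rc if Virus checks/Dangerous checks are passed.
#
# Order of processing in this file (each later stage runs only when the
# earlier ones left LOCALTAG at "no"):
#
#   1. body information (skipped unless LEANTAG matches "no")
#   2. known abuse-desk / autoresponder senders  -> ADMINTAG
#   3. LEGITLISTS   (user's opt-in mailing lists) -> BULKTAG, pass
#   4. NOBOUNCE     (user's allow list)           -> pass
#   5. GLOBALNOBOUNCE (system-wide allow list)    -> pass
#   6. ALWAYSBLOCK  (user's block list)           -> BLOCKTAG, silent
#   7. sb-whitelists.rc, then sb5.rc if nothing whitelisted the message
#
# When SBCONFIG matches "Debug", a list match is logged but LOCALTAG (or
# WHITELIST) is reset to "no", so the later stages still run.
#
# NOTE(review): every decision in stages 2-6 is keyed on values taken from
# message headers (From:, Reply-To:, list headers), which the sender
# chooses.  Nothing in this file authenticates them, so an allow-list hit
# here means "the header says so", not "the sender is who it claims".

# GET MESSAGE BODY INFORMATION
#
# These scripts extract the domains and IPs from the message's
# body text.
#
:0
* LEANTAG ?? no
{
  INCLUDERC=${SBDIR}/functions/getbodyinfo.rc
}

# CHECK FOR ADMIN EMAIL
LOCALTAG=no

# Filter out known sources of bounce messages and administrative junk.
#
# One alternation over the From: header.  Each address is followed by
# ([^a-z0-9.]|\. |\.$|$) so that the domain must end there and cannot be
# the prefix of a longer host name.  Dots in the domain parts are escaped
# so they match a literal dot only.
#
# NOTE(review): "antivir@[-_0-9a-z\.]cy\.net" has a bracket expression with
# no repetition operator, so it accepts exactly one character before
# "cy.net" -- possibly a missing "*" or "+"; confirm the intent.
:0
* ^From:.*[^0-9a-z](tickets@above\.net([^a-z0-9.]|\. |\.$|$)|\
        SMTP_Gateway@ahint\.com([^a-z0-9.]|\. |\.$|$)|\
        autopost@general\.amug\.org([^a-z0-9.]|\. |\.$|$)|\
        abuse@aol\.net([^a-z0-9.]|\. |\.$|$)|\
        support@arcor\.net([^a-z0-9.]|\. |\.$|$)|\
        please_do_not_reply@att\.net([^a-z0-9.]|\. |\.$|$)|\
        Abuse@attbi\.com([^a-z0-9.]|\. |\.$|$)|\
        ops@bbnplanet\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@bellnexxia\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse(-bounce)?@.*bellsouth\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@best\.(com|net)([^a-z0-9.]|\. |\.$|$)|\
        info@.*biglobe\.ne\.jp([^a-z0-9.]|\. |\.$|$)|\
        nobody@.*cadvision\.com([^a-z0-9.]|\. |\.$|$)|\
        mailadmin@care2\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@cerf\.net([^a-z0-9.]|\. |\.$|$)|\
        Charm\.Net's\.Abuse\.Center@charm\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@chinanetcenter\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse-bounce@.*cjb\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@comcast\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@compuserve\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@concentric\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@concert\.net([^a-z0-9.]|\. |\.$|$)|\
        nobody@connect\.com\.au([^a-z0-9.]|\. |\.$|$)|\
        abuse@cp\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@cw\.net([^a-z0-9.]|\. |\.$|$)|\
        Postmaster@.*cwplc\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@tipa2\.cwix\.net([^a-z0-9.]|\. |\.$|$)|\
        spamcomplaints@cw[-_a-z0-9]*\.com([^a-z0-9.]|\. |\.$|$)|\
        spamcomplnts@.*cw\.net([^a-z0-9.]|\. |\.$|$)|\
        spamcomplaints@cwbusiness\.com([^a-z0-9.]|\. |\.$|$)|\
        antivir@[-_0-9a-z\.]cy\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@.*dialtone\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse-reply@direct-connect\.com([^a-z0-9.]|\. |\.$|$)|\
        policy@.*digex\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@abuse\.earthlink\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@easy\.to([^a-z0-9.]|\. |\.$|$)|\
        safeharbor@ebay\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse-resp@eli\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@energis-squared\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@.*espire\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@.*ev1\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@exodus\.net([^a-z0-9.]|\. |\.$|$)|\
        supportstaff@flowgo\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@genuity\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@geocities\.com([^a-z0-9.]|\. |\.$|$)|\
        reports-response@habeas\.com([^a-z0-9.]|\. |\.$|$)|\
        NotesMail1/HaworthPress@haworthpress\.com([^a-z0-9.]|\. |\.$|$)|\
        mms@hilton\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@.*home\.net([^a-z0-9.]|\. |\.$|$)|\
        MAILER-DAEMON@.*hostme4ever\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@host4u\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse\.autoresponder@host4u\.net([^a-z0-9.]|\. |\.$|$)|\
        (abuse|policy)@hotmail\.com([^a-z0-9.]|\. |\.$|$)|\
        postmaster@mail\.hotmail\.com([^a-z0-9.]|\. |\.$|$)|\
        help@idirect\.com([^a-z0-9.]|\. |\.$|$)|\
        support-mailscan@([0-9a-z][-_0-9a-z]+\.)*levincom\.com([^a-z0-9.]|\. |\.$|$)|\
        webmaster@imagelinkusa\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@inflow\.com([^a-z0-9.]|\. |\.$|$)|\
        NOC-[0-9a-z]*@inflow\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@.*interland\.net([^a-z0-9.]|\. |\.$|$)|\
        wfeyereisen@Interelate\.com([^a-z0-9.]|\. |\.$|$)|\
        noc@ip-transport\.com([^a-z0-9.]|\. |\.$|$)|\
        itronit@www\.itron\.it([^a-z0-9.]|\. |\.$|$)|\
        postmaster@juno\.com([^a-z0-9.]|\. |\.$|$)|\
        spamtool.*@.*level3\.(com|net)([^a-z0-9.]|\. |\.$|$)|\
        etms-no-replies@mci\.com([^a-z0-9.]|\. |\.$|$)|\
        no-replies-please@mci\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@mindspring\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse(_[a-z][a-z])*@([a-z]+\.)*microsoft\.com([^a-z0-9.]|\. |\.$|$)|\
        MSNIA[-_0-9a-z.]+@css\.one\.microsoft\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@mo\.com([^a-z0-9.]|\. |\.$|$)|\
        cyberfraud@nasaa\.org([^a-z0-9.]|\. |\.$|$)|\
        abuse@.*neosoft\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@netcom\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@ntlworld\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@paetec\.com([^a-z0-9.]|\. |\.$|$)|\
        abusenet@paetec\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@passport\.ca([^a-z0-9.]|\. |\.$|$)|\
        policy@pbi\.net([^a-z0-9.]|\. |\.$|$)|\
        autoreply@psi\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@prodigy\.(com|net)([^a-z0-9.]|\. |\.$|$)|\
        sysop@qwest\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@rackspace\.com([^a-z0-9.]|\. |\.$|$)|\
        forgotpass@rediff\.co\.in([^a-z0-9.]|\. |\.$|$)|\
        abuse@rr\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@saix\.net([^a-z0-9.]|\. |\.$|$)|\
        interscan@sassc\.com([^a-z0-9.]|\. |\.$|$)|\
        Savvis-AbuseCoordinatorArchive@.*Savvis\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@seabone\.net([^a-z0-9.]|\. |\.$|$)|\
        enforcement@sec\.gov([^a-z0-9.]|\. |\.$|$)|\
        internet\.abuse@shaw\.ca([^a-z0-9.]|\. |\.$|$)|\
        abuse-nonverbose@sjrb\.ca([^a-z0-9.]|\. |\.$|$)|\
        nobody@spamcop\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@sprint(link)?\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@swbell\.net([^a-z0-9.]|\. |\.$|$)|\
        raptor@nampo\.tci\.com([^a-z0-9.]|\. |\.$|$)|\
        nemesys@telefonica\.es([^a-z0-9.]|\. |\.$|$)|\
        abuse@telia\.com([^a-z0-9.]|\. |\.$|$)|\
        Abuse\.Response@telstra\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@topica\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@.*tripod\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@twtelecom\.net([^a-z0-9.]|\. |\.$|$)|\
        NMXEXS[-_0-9a-z]+@unisys\.com([^a-z0-9.]|\. |\.$|$)|\
        sysop@uswest\.net([^a-z0-9.]|\. |\.$|$)|\
        nobody@.*uu\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@gonk\.valueweb\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@.*verio\.net([^a-z0-9.]|\. |\.$|$)|\
        abuse@verizon\.net([^a-z0-9.]|\. |\.$|$)|\
        no-replies-please@wcom\.com([^a-z0-9.]|\. |\.$|$)|\
        autoresponder@.*webtv\.net([^a-z0-9.]|\. |\.$|$)|\
        spambuster@.*whowhere\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@.*xo\.com([^a-z0-9.]|\. |\.$|$)|\
        abuse@yahoogroups\.com([^a-z0-9.]|\. |\.$|$)|\
        mail-abuse@yahoo-inc\.com([^a-z0-9.]|\. |\.$|$)|\
        mail-advocacy@yahoo-inc\.com([^a-z0-9.]|\. |\.$|$))
{
  SBLOGFLAGS="ALWAYS 1 PASS"
  SBLOG="Abuse Autoresponse"
  #SBLOG="A1P-Abuse Autoresponse"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # With NUKEBOUNCES enabled the message is discarded here; this is a
  # delivering recipe, so nothing below it runs for that message.
  :0
  * NUKEBOUNCES ?? yes
  /dev/null

  :0
  { ADMINTAG=yes }

  # LOCALTAG is reset to "no" immediately after this block, so only
  # ADMINTAG and the log entry survive it.
  :0
  { LOCALTAG=yes }
}

# Filter out user's opt-in mailing lists
LOCALTAG=no

# Only consulted when the LEGITLISTS file exists.  formail prints the
# contents of the listed headers and grep matches them against the
# patterns stored in LEGITLISTS, one pattern per line.
:0
* ? ${TEST} -f ${LEGITLISTS}
{
  :0
  * ? ${FORMAIL} -zxCc: \
                 -zxDelivered-To: \
                 -zxFrom: \
                 -zxList-ID: \
                 -zxList-Post: \
                 -zxList-Unsubscribe: \
                 -zxMailing-List: \
                 -zxResent-By: \
                 -zxResent-From: \
                 -zxResent-Sender: \
                 -zxResent-To: \
                 -zxReply-To: \
                 -zxSender: \
                 -zxTo: \
                 -zxX-Apparently-To: \
                 -zxX-BeenThere: \
                 -zxX-List: \
                 -zxX-Mailing-List: \
      | ${GREP} -i -f ${LEGITLISTS}
  {
    BULKTAG=yes
    LOCALTAG=yes
    SBLOGFLAGS="ALWAYS 1 PASS"
    SBLOG="Legitimate Mailing List"
    #SBLOG="A1P-Legitimate Mailing List"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    :0
    * SBCONFIG ?? Debug
    { LOCALTAG=no }
  }
}

# Start of "else" wrapper so Legitimate Mailing List matches
# skip everything else.
#
:0
* LOCALTAG ?? no
{
  # THE NOBOUNCE FILE
  # This is a whitelist of email addresses that you want to receive
  # email from.
  #
  # Each recipe below looks one header-derived value up in the file and
  # stops the chain at the first hit (the "! LOCALTAG ?? yes" guards).
  # A value is skipped when it is the placeholder that stands for
  # "nothing extracted" (noemail@example.com, example.com,
  # host.example.com, noemail) or when it repeats a value that was
  # already looked up.
  #
  # "-e" marks the value as the pattern, so a value that begins with "-"
  # is not parsed as a grep option.
  #
  # NOTE(review): grep reads the value as a basic regular expression, so
  # "-x" is a whole-line pattern match, not strict equality.  The code
  # that fills FROMEMAIL, FROMDOMAIN, etc. is outside this file; confirm
  # it restricts or escapes regex metacharacters, or switch these
  # lookups to fixed-string matching (-F).
  LOCALTAG=no

  :0
  * ? ${TEST} -f ${NOBOUNCE}
  {
    :0
    * ! FROMEMAIL ?? ^noemail@example\.com$
    * ? ${GREP} -i -x -e "${FROMEMAIL}" ${NOBOUNCE}
    { LOCALTAG=yes }

    :0
    * ! LOCALTAG ?? yes
    * ! REPLYTOEMAIL ?? ^noemail@example\.com$
    * $ ! REPLYTOEMAIL ?? ^${FROMEMAIL}$
    * ? ${GREP} -i -x -e "${REPLYTOEMAIL}" ${NOBOUNCE}
    { LOCALTAG=yes }

    :0
    * ! LOCALTAG ?? yes
    * ! FROMDOMAIN ?? ^example\.com$
    * ? ${GREP} -i -x -e "${FROMDOMAIN}" ${NOBOUNCE}
    { LOCALTAG=yes }

    # The placeholder test is on REPLYTODOMAIN, the value being looked
    # up, as in the GLOBALNOBOUNCE and ALWAYSBLOCK sections.
    :0
    * ! LOCALTAG ?? yes
    * ! REPLYTODOMAIN ?? ^example\.com$
    * $ ! REPLYTODOMAIN ?? ^${FROMDOMAIN}$
    * ? ${GREP} -i -x -e "${REPLYTODOMAIN}" ${NOBOUNCE}
    { LOCALTAG=yes }

    :0
    * ! LOCALTAG ?? yes
    * ! FROMHOST ?? ^host\.example\.com$
    * $ ! FROMHOST ?? ^${FROMDOMAIN}$
    * ? ${GREP} -i -x -e "${FROMHOST}" ${NOBOUNCE}
    { LOCALTAG=yes }

    :0
    * ! LOCALTAG ?? yes
    * ! REPLYTOHOST ?? ^host\.example\.com$
    * $ ! REPLYTOHOST ?? ^${REPLYTODOMAIN}$
    * $ ! REPLYTOHOST ?? ^${FROMHOST}$
    * $ ! REPLYTOHOST ?? ^${FROMDOMAIN}$
    * ? ${GREP} -i -x -e "${REPLYTOHOST}" ${NOBOUNCE}
    { LOCALTAG=yes }

    :0
    * ! LOCALTAG ?? yes
    * ! FROMLOGON ?? ^noemail$
    * ? ${GREP} -i -x -e "${FROMLOGON}" ${NOBOUNCE}
    { LOCALTAG=yes }

    :0
    * ! LOCALTAG ?? yes
    * ! REPLYTOLOGON ?? ^noemail$
    * $ ! REPLYTOLOGON ?? ^${FROMLOGON}$
    * ? ${GREP} -i -x -e "${REPLYTOLOGON}" ${NOBOUNCE}
    { LOCALTAG=yes }

    :0
    * LOCALTAG ?? yes
    {
      SBLOGFLAGS="ALWAYS 1 PASS"
      SBLOG="NoBounce"
      #SBLOG="A1P-NoBounce"
      INCLUDERC=${SBDIR}/functions/loglevel.rc

      :0
      * SBCONFIG ?? Debug
      { LOCALTAG=no }
    }
  }

  # Start of "else" wrapper so NoBounce matches skip everything else
  :0
  * LOCALTAG ?? no
  {
    # GLOBALNOBOUNCE system nobounce file processing
    # This is identical to the other NOBOUNCE file, except that a
    # system administrator maintains it for all users on the
    # system.
    #
    # Same lookup chain as the NOBOUNCE section: placeholder and
    # duplicate values are skipped, the first hit wins, and "-e" keeps a
    # value that begins with "-" from being parsed as a grep option.
    #
    # NOTE(review): the header-derived value is used as a grep basic
    # regular expression; confirm the code that sets it (outside this
    # file) restricts or escapes metacharacters, or use -F.
    LOCALTAG=no

    :0
    * ? ${TEST} -f ${GLOBALNOBOUNCE}
    {
      :0
      * ! FROMEMAIL ?? ^noemail@example\.com$
      * ? ${GREP} -i -x -e "${FROMEMAIL}" ${GLOBALNOBOUNCE}
      { LOCALTAG=yes }

      :0
      * ! LOCALTAG ?? yes
      * ! REPLYTOEMAIL ?? ^noemail@example\.com$
      * $ ! REPLYTOEMAIL ?? ^${FROMEMAIL}$
      * ? ${GREP} -i -x -e "${REPLYTOEMAIL}" ${GLOBALNOBOUNCE}
      { LOCALTAG=yes }

      :0
      * ! LOCALTAG ?? yes
      * ! FROMDOMAIN ?? ^example\.com$
      * ? ${GREP} -i -x -e "${FROMDOMAIN}" ${GLOBALNOBOUNCE}
      { LOCALTAG=yes }

      :0
      * ! LOCALTAG ?? yes
      * ! REPLYTODOMAIN ?? ^example\.com$
      * $ ! REPLYTODOMAIN ?? ^${FROMDOMAIN}$
      * ? ${GREP} -i -x -e "${REPLYTODOMAIN}" ${GLOBALNOBOUNCE}
      { LOCALTAG=yes }

      :0
      * ! LOCALTAG ?? yes
      * ! FROMHOST ?? ^host\.example\.com$
      * $ ! FROMHOST ?? ^${FROMDOMAIN}$
      * ? ${GREP} -i -x -e "${FROMHOST}" ${GLOBALNOBOUNCE}
      { LOCALTAG=yes }

      :0
      * ! LOCALTAG ?? yes
      * ! REPLYTOHOST ?? ^host\.example\.com$
      * $ ! REPLYTOHOST ?? ^${REPLYTODOMAIN}$
      * $ ! REPLYTOHOST ?? ^${FROMHOST}$
      * $ ! REPLYTOHOST ?? ^${FROMDOMAIN}$
      * ? ${GREP} -i -x -e "${REPLYTOHOST}" ${GLOBALNOBOUNCE}
      { LOCALTAG=yes }

      :0
      * ! LOCALTAG ?? yes
      * ! FROMLOGON ?? ^noemail$
      * ? ${GREP} -i -x -e "${FROMLOGON}" ${GLOBALNOBOUNCE}
      { LOCALTAG=yes }

      :0
      * ! LOCALTAG ?? yes
      * ! REPLYTOLOGON ?? ^noemail$
      * $ ! REPLYTOLOGON ?? ^${FROMLOGON}$
      * ? ${GREP} -i -x -e "${REPLYTOLOGON}" ${GLOBALNOBOUNCE}
      { LOCALTAG=yes }

      :0
      * LOCALTAG ?? yes
      {
        SBLOGFLAGS="ALWAYS 1 PASS"
        SBLOG="GlobalNoBounce"
        #SBLOG="A1P-GlobalNoBounce"
        INCLUDERC=${SBDIR}/functions/loglevel.rc

        :0
        * SBCONFIG ?? Debug
        { LOCALTAG=no }
      }
    }

    # Start of "else" wrapper so GlobalNoBounce matches skip everything else
    :0
    * LOCALTAG ?? no
    {
      # ALWAYSBLOCK private block list file processing
      # This is the opposite of your NOBOUNCE file -- email from any
      # email address or domain that appears in this file will always
      # be put in your BLOCKFOLDER.  Since these senders are presumably
      # known spammers or people you don't want to interact with, however,
      # no notices are sent for this blocked email.
      #
      # Email blocked by this file is not processed further by the
      # SpamBouncer, as well.  No other filtering is done on it.
      #
      # This is a DANGEROUS capability, and I am offering it with some
      # hesitation.  Please be careful -- if you put a partial string
      # or domain in this file, you could block a lot of legitimate
      # email.
      #
      # Same lookup chain as the NOBOUNCE section; "-e" keeps a value
      # that begins with "-" from being parsed as a grep option.
      #
      # NOTE(review): the header-derived value is used as a grep basic
      # regular expression; confirm the code that sets it (outside this
      # file) restricts or escapes metacharacters, or use -F.
      LOCALTAG=no

      :0
      * ? ${TEST} -f ${ALWAYSBLOCK}
      {
        :0
        * ! FROMEMAIL ?? ^noemail@example\.com$
        * ? ${GREP} -i -x -e "${FROMEMAIL}" ${ALWAYSBLOCK}
        { LOCALTAG=yes }

        :0
        * ! LOCALTAG ?? yes
        * ! REPLYTOEMAIL ?? ^noemail@example\.com$
        * $ ! REPLYTOEMAIL ?? ^${FROMEMAIL}$
        * ? ${GREP} -i -x -e "${REPLYTOEMAIL}" ${ALWAYSBLOCK}
        { LOCALTAG=yes }

        :0
        * ! LOCALTAG ?? yes
        * ! FROMDOMAIN ?? ^example\.com$
        * ? ${GREP} -i -x -e "${FROMDOMAIN}" ${ALWAYSBLOCK}
        { LOCALTAG=yes }

        :0
        * ! LOCALTAG ?? yes
        * ! REPLYTODOMAIN ?? ^example\.com$
        * $ ! REPLYTODOMAIN ?? ^${FROMDOMAIN}$
        * ? ${GREP} -i -x -e "${REPLYTODOMAIN}" ${ALWAYSBLOCK}
        { LOCALTAG=yes }

        :0
        * ! LOCALTAG ?? yes
        * ! FROMHOST ?? ^host\.example\.com$
        * $ ! FROMHOST ?? ^${FROMDOMAIN}$
        * ? ${GREP} -i -x -e "${FROMHOST}" ${ALWAYSBLOCK}
        { LOCALTAG=yes }

        :0
        * ! LOCALTAG ?? yes
        * ! REPLYTOHOST ?? ^host\.example\.com$
        * $ ! REPLYTOHOST ?? ^${REPLYTODOMAIN}$
        * $ ! REPLYTOHOST ?? ^${FROMHOST}$
        * $ ! REPLYTOHOST ?? ^${FROMDOMAIN}$
        * ? ${GREP} -i -x -e "${REPLYTOHOST}" ${ALWAYSBLOCK}
        { LOCALTAG=yes }

        :0
        * ! LOCALTAG ?? yes
        * ! FROMLOGON ?? ^noemail$
        * ? ${GREP} -i -x -e "${FROMLOGON}" ${ALWAYSBLOCK}
        { LOCALTAG=yes }

        :0
        * ! LOCALTAG ?? yes
        * ! REPLYTOLOGON ?? ^noemail$
        * $ ! REPLYTOLOGON ?? ^${FROMLOGON}$
        * ? ${GREP} -i -x -e "${REPLYTOLOGON}" ${ALWAYSBLOCK}
        { LOCALTAG=yes }

        :0
        * LOCALTAG ?? yes
        {
          BLOCKTAG=yes
          BLOCKREPLY=SILENT
          SBLOGFLAGS="ALWAYS 1 STOP"
          SBLOG="AlwaysBlock"
          #SBLOG="A1S-AlwaysBlock"
          INCLUDERC=${SBDIR}/functions/loglevel.rc

          :0
          * SBCONFIG ?? Debug
          { LOCALTAG=no }
        }
      }

      # Start of "else" wrapper so ALWAYSBLOCK matches skip everything else
      :0
      * LOCALTAG ?? no
      {
        # WHITELISTS
        #
        # This section contains the whitelists the SpamBouncer supports.
        # Whitelisted email is not filtered further.
        #
        WHITELIST=no
        INCLUDERC=${SBDIR}/sb-whitelists.rc

        # In Debug mode a whitelist hit does not stop further filtering.
        :0
        * SBCONFIG ?? Debug
        { WHITELIST=no }

        # Start of "else" wrapper so that WHITELIST matches skip everything else
        :0
        * WHITELIST ?? no
        {
          INCLUDERC=${SBDIR}/sb5.rc
        }
        # End of wrapper around WHITELIST
      }
      # End of wrapper around ALWAYSBLOCK
    }
    # End of wrapper around GLOBALNOBOUNCE
  }
  # End of wrapper around NOBOUNCE
}
# End of wrapper around LEGITLISTS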