I get a lot of spam with a subject line that contains characters from
a non-Western character set. Since I can't read them, it's SPAM to
me. Here is a recipe that I use to trash those messages.
# ===============================================
# Copied from junkfilter.four
# Kill messages with non-English (latin-1, iso-8859-1) characters in
# subjects.
# Kill it if:
# - the subject has characters not in the range [ -~] or
# - the subject starts with "=\?[bB]ig5"
#
# Here is a test:
# egrep "^Subject:[ -~]*[^ -~]+|^Subject:[ ]*=\?[bB]ig5\?"
:0
* ^Subject:[ -~]*[^ -~]+\
|^Subject:[ ]*=\?[bB]ig5\?
{ JFMATCH="$JFSEC: Subject contains data in non-western charset"
INCLUDERC=$JFDIR/junkfilter.match }
# ===============================================
Hope it's useful to some.
Dave
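The recipe's two Subject tests run over constructed header lines, as an added example (not part of the original post or of junkfilter). It shows that a single Latin-1 byte is enough to trigger the rule, and that RFC 2047 encoded-words are pure ASCII, so only one beginning with big5 directly after "Subject:" is caught. The names classify and encoded_charsets and the Western-charset allow-list are assumptions.

```sh
#!/bin/sh
# Added example: run the recipe's Subject pattern over constructed header lines.
# LC_ALL=C makes [ -~] mean exactly bytes 0x20-0x7E; -i mirrors procmail,
# which matches case-insensitively unless the D flag is set.
RECIPE_RE='^Subject:[ -~]*[^ -~]+|^Subject:[ ]*=\?[bB]ig5\?'

recipe_matches() {      # $1 = one header line; exit 0 if the recipe would fire
    printf '%s\n' "$1" | LC_ALL=C grep -Eiq "$RECIPE_RE"
}

encoded_charsets() {    # charset of every =?charset?B|Q?...?= word, lowercased
    printf '%s\n' "$1" | LC_ALL=C grep -Eo '=\?[^? ]+\?[bBqQ]\?' |
        cut -d'?' -f2 | tr 'A-Z' 'a-z'
}

classify() {            # prints recipe | encoded-only | clean
    if recipe_matches "$1"; then echo recipe; return 0; fi
    for cs in $(encoded_charsets "$1"); do
        case $cs in
            us-ascii|iso-8859-1|iso-8859-15|windows-1252) ;;   # assumed allow-list
            *) echo encoded-only; return 0 ;;
        esac
    done
    echo clean
}

# Constructed samples: octal escapes build the 8-bit bytes, base64 payloads are dummies.
S_PLAIN='Subject: Meeting notes for Tuesday'
S_RAW8=$(printf 'Subject: \244\112\244\270 special offer')
S_LATIN1=$(printf 'Subject: Caf\351 opening hours')
S_BIG5='Subject: =?big5?B?ZHVtbXk=?='
S_RE_BIG5='Subject: Re: =?Big5?B?ZHVtbXk=?='
S_GB='Subject: =?GB2312?B?ZHVtbXk=?='

for s in "$S_PLAIN" "$S_RAW8" "$S_LATIN1" "$S_BIG5" "$S_RE_BIG5" "$S_GB"; do
    # Non-printable bytes are shown as '?' so the listing stays readable.
    printf '%-12s %s\n' "$(classify "$s")" "$s" | LC_ALL=C tr -c '\n -~' '?'
done
```

Lines reported as encoded-only are the ones the recipe lets through; whether to junk them depends on which charsets you can actually read.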
No Yahoo group should allow attachments! Unfortunately this one *still* does and
has passed an infected message to the list members on direct email. :-/ I hope
everybody was protected. Offending message headers are below, including my
server's virus scan... (personal info munged)
John
========== infected message headers ===============
> From sentto-1156922-668-1088642453-***@... Wed Jun 30
17:41:02 2004
> Return-Path: <sentto-1156922-668-1088642453-***@...>
> Received: from n14.grp.scd.yahoo.com ([66.218.66.69]) by ***.org for <***>;
Wed, 30 Jun 2004 17:40:57 -0700
> X-eGroups-Return: sentto-1156922-668-1088642453-***@...
> Received: from [66.218.67.192] by n14.grp.scd.yahoo.com with NNFMP; 01 Jul
2004 00:40:53 -0000
> X-Sender: gsutter@...
> X-Apparently-To: junkfilter-users@...
> Received: (qmail 50057 invoked from network); 1 Jul 2004 00:40:52 -0000
> Received: from unknown (66.218.66.217) by m10.grp.scd.yahoo.com with QMQP; 1
Jul 2004 00:40:52 -0000
> Received: from unknown (HELO groups.yahoo.com) (219.26.181.19) by
mta2.grp.scd.yahoo.com with SMTP; 1 Jul 2004 00:40:51 -0000
> To: junkfilter-users@yahoogroups.com
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-eGroups-Remote-IP: 219.26.181.19
> From: gsutter@...
> X-Yahoo-Profile: zer0es
> MIME-Version: 1.0
> Mailing-List: list junkfilter-users@yahoogroups.com; contact
junkfilter-users-owner@yahoogroups.com
> Delivered-To: mailing list junkfilter-users@yahoogroups.com
> Precedence: bulk
> List-Unsubscribe: <mailto:junkfilter-users-unsubscribe@yahoogroups.com>
> Date: Thu, 1 Jul 2004 09:41:31 +0900
> Subject: [jf] Mail Delivery (failure junkfilter-users@...)
> Reply-To: junkfilter-users@yahoogroups.com
> Content-Type: multipart/related;
boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
> X-VirusScan: F-Secure Anti-Virus for Linux version 4.51
> X-FSAV-Viruses-Found: /home/***/tmp/filelnVIxg:Infected:isasecurityriskora
> /home/***/tmp/filelnVIxg:Suspected:Exploit.IFrame.FileDownload[AVP]
>
[[Fromgsutter@...][Subject:[jf]MailDelivery(failurejunkfilter-users@groups.\
yahoo.com)]]noname:
>
[Fromgsutter@...][Subject:[jf]MailDelivery(failurejunkfilter-users@...\
ahoo.com)]:Suspected:Exploit.IFrame.FileDownload
>
[Fromgsutter@...][Subject:[jf]MailDelivery(failurejunkfilter-users@...\
ahoo.com)]message.scr:Infected:is
>
[Fromgsutter@...][Subject:[jf]MailDelivery(failurejunkfilter-users@...\
ahoo.com)]message.scr:Infected:I-Worm.NetSky.q
>
[Fromgsutter@...][Subject:[jf]MailDelivery(failurejunkfilter-users@...\
ahoo.com)]message.scr:Infected:W32/NetSky.P@mm
> Status: RO
You'd better read:
http://freshmeat.net/articles/view/964/
or some pages listing many spam filters.
From: Jose Maria Sarachaga <sarachaga@...>
Subject: [jf] Reverse DNS lookup help
Date: Tue, 29 Jun 2004 19:38:24 -0700 (PDT)
> Hi list!
>
> I'm a Junkfilter newbie and I would like to know how
> to make reverse DNS lookups to reduce the crap, what
> code lines to add to my junkfilterrc file, or if there
> is any better solution, for example, spamcop.net, but
> don't know how to use it, in fact no idea :(
>
> Any help? resources?
> Thanks to you all
> Chema
--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:yoh@... http://www.flcl.org/~yoh/index.htm
Hi list!
I'm a Junkfilter newbie and I would like to know how
to make reverse DNS lookups to reduce the crap, what
code lines to add to my junkfilterrc file, or if there
is any better solution, for example, spamcop.net, but
don't know how to use it, in fact no idea :(
Any help? resources?
Thanks to you all
Chema
Johann Schubert writes:
>^ is the beginning of the line... Since the header tag is at the beginning,
>"Subject:.*^martin" will never match. Try "Subject: martin"
That makes perfect sense. I was forgetting that the header is
still part of a line and that the RE doesn't care one bit whether that
word is Subject: or Substandard_fungus or anything else. Thank you.
Martin McCormick wrote:
> I have noticed that probably 99% or more of the messages in
> which my first or last name is the first word of the subject are spam.
> Is it safe to use the anchored RE-style method of describing this
> condition in my headers-use file like:
>
> Subject:.*^martin
>
> What I don't want to happen is to have messages with my name
> in the subject shown as spam when my first or last name is part of the
> subject such as "Trouble Ticket for Martin McCormick."
>
> I did try a line like
> Subject:.*martin
^ is the beginning of the line... Since the header tag is at the beginning,
"Subject:.*^martin" will never match. Try "Subject: martin"
John
I have noticed that probably 99% or more of the messages in
which my first or last name is the first word of the subject are spam.
Is it safe to use the anchored RE-style method of describing this
condition in my headers-use file like:
Subject:.*^martin
What I don't want to happen is to have messages with my name
in the subject shown as spam when my first or last name is part of the
subject such as "Trouble Ticket for Martin McCormick."
I did try a line like
Subject:.*martin
and it certainly worked, but it also false-triggered on useful
messages in which my name just appeared several words in to the
Subject: line.
Sure, I could just try it, but occasionally one can introduce
an insidious problem that isn't apparent for several days, etc. Thank you.
Sorry for posting a followup so late, but I found the following tidy
solution in an external procedure to junkfilter that I call after the
white-list:
You have to get the reversed IP number and from there the following
eliminates .tr, .cn and .tw, and finally .hk
# Next 4 lines check and report on zz.countries.nerd.dk
NSLOOKUP=`/usr/sbin/nslookup 2>&1 ${REVERSED}.zz.countries.nerd.dk.`
:0fh
*$ NSLOOKUP ?? 127\.0\.3\.24
| formail -A "X-Reject: IP $IPEXTERNAL is in NERD-TR Relays."
# Next 4 lines check and report on zz.countries.nerd.dk
:0fh
*$ NSLOOKUP ?? 127\.0\.0\.15[68]
| formail -A "X-Reject: IP $IPEXTERNAL is in NERD-CN or NERD-TW Relays."
# Next 4 lines check and report on zz.countries.nerd.dk
:0fh
*$ NSLOOKUP ?? 127\.0\.1\.88
| formail -A "X-Reject: IP $IPEXTERNAL is in NERD-HK Relays."
Happy New Year 2004,
--Ralph
Ralph P. Sobek, PhD Disclaimer: The above ruminations are my own.
Ralph.Sobek @ irit.fr http://www.sobek.org/
sobek @ irit.fr Wi-Fi: http://www.irit.fr/~Ralph.Sobek/wifi
Ph:(+33)[0]561556356 FAX:(+33)[0]561556847 http://www.irit.fr/~Ralph.Sobek/
===============================================================================
Impeach George W. Bush for squandering US resources for his own priv. business!
SPAMMERS Beware: http://www.irit.fr/~Ralph.Sobek/welcome.shtml#Mail-Warning
>>>>> "AEW" == Albert E Whale <aewhale@...> writes:
AEW> I've been asked to junk all messages from .ru (or even .cn, .tw ....).
AEW> Can this be implemented in the domains/general file with a rebuild?
AEW> What does it need to look like? Will a simple entry like
AEW> .ru
AEW> work? Or is there something more explicit that I need?
AEW> --
AEW> Albert E. Whale - http://www.abs-comptech.com/aewhale.html
AEW> ----------------------------------------------------------------------
AEW> ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
AEW> Sr. Network, OpenView and Systems Consultant
AEW> junkfilter, http://junkfilter.zer0.org/ -- End spam, filter it
AEW> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
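The two steps the post leaves implicit, reversing the address and reading the answer, as an added example (not Ralph's code). The return values in his recipes are consistent with the last two octets carrying the ISO 3166 numeric country code (3*256+24 = 792 for Turkey, 156 China, 158 Taiwan, 1*256+88 = 344 Hong Kong). Function names are hypothetical, and the reversal accepts only a strict dotted quad because the value is taken from a message header and ends up on a command line.

```sh
#!/bin/sh
# Added example: helper functions around the zz.countries.nerd.dk lookup.
ZONE=zz.countries.nerd.dk

reverse_ipv4() {        # 192.0.2.25 -> 25.2.0.192; exit 1 unless strict dotted quad
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1           # split on dots; input is digits and dots only at this point
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    echo "$4.$3.$2.$1"
}

query_name() {          # name to hand to the resolver, or exit 1 for bad input
    rev=$(reverse_ipv4 "$1") || return 1
    echo "$rev.$ZONE."
}

country_from_answer() { # 127.0.3.24 -> TR; exit 1 if not a 127.0.x.y answer
    case $1 in 127.0.*.*) ;; *) return 1 ;; esac
    rest=${1#127.0.}
    hi=${rest%%.*}; lo=${rest#*.}
    case $hi in ''|*[!0-9]*|0?*) return 1 ;; esac
    case $lo in ''|*[!0-9]*|0?*) return 1 ;; esac
    code=$((hi * 256 + lo))
    case $code in       # only the four codes the recipes test for
        792) echo TR ;; 156) echo CN ;; 158) echo TW ;; 344) echo HK ;;
        *)   echo "other:$code" ;;
    esac
}

# Constructed inputs: a documentation address and the answers the recipes match.
query_name 192.0.2.25
for a in 127.0.3.24 127.0.0.156 127.0.0.158 127.0.1.88 127.0.0.250; do
    echo "$a -> $(country_from_answer "$a")"
done
query_name '192.0.2.x' || echo "rejected: not a dotted quad"
```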
Hi Folks,
When I run junkfilter under VERBOSE, I get the following
strange output:
procmail: [2383] Wed Dec 31 17:22:04 2003
procmail: Executing "test,-r,/home/sobek/.junkfilterrc"
/bin/test: /dev/null: cannot create
procmail: [2383] Wed Dec 31 17:22:04 2003
procmail: Non-zero exitcode (1) from "test"
procmail: [2446] Wed Dec 31 17:23:21 2003
procmail: Executing "test,-r,/home/sobek/.junkfilterrc"
/bin/test: /dev/null: cannot create
procmail: [2446] Wed Dec 31 17:23:21 2003
procmail: Non-zero exitcode (1) from "test"
procmail: No match on "test -r /home/sobek/.junkfilterrc"
etc.
Any suggestions?
Happy New Year 2004,
--Ralph
Ralph P. Sobek, PhD Disclaimer: The above ruminations are my own.
Ralph.Sobek @ irit.fr http://www.sobek.org/
sobek @ irit.fr Wi-Fi: http://www.irit.fr/~Ralph.Sobek/wifi
Ph:(+33)[0]561556356 FAX:(+33)[0]561556847 http://www.irit.fr/~Ralph.Sobek/
===============================================================================
Impeach George W. Bush for squandering US resources for his own priv. business!
SPAMMERS Beware: http://www.irit.fr/~Ralph.Sobek/welcome.shtml#Mail-Warning
Hi, I'm very new to this list and junkfilter, junkfilter is catching most of
the spam to my system but I'd like it to bounce the mail with a message that
the message has been seen as spam by my system, is that possible or does
there need to be code added?
Regards
Stephen Petersen
"dkuhlman1001" writes:
>I'm not too sure what you are asking, but I believe that there is an
>easier way to filter out attachments of specific types.
>
>Are you using the default .junkfilterrc (copied from
>junkfilter.config)? Look at the bottom of that file for
>JFBADATT. It contains a list of attachment
>types that cause the message to be marked as spam.
Many thanks. I was saying that this is what I thought I
needed to do and asking if there was an easier way. That explains
some of the output I saw after setting VERBOSE to YES while junkfilter
processed a message.
I guess I can just remove those header lines as they aren't
really needed.
--- In junkfilter-users@yahoogroups.com, Martin McCormick <martin@d...> wrote:
> it appears that swen is finally slowing down a bit.
>
> I am now running both junkfilter and bogofilter in .procmailrc
> and junkfilter catches some of the messages that slip by bogofilter.
> I reset both the bodychk and headers files back to their original form
> because I had had junkfilter so restrictive that it was flagging lots
> of legitimate messages as spam. I did add the following lines to the
> headers file but am not sure whether or not they should work because
> several of the swen messages got flagged as spam for other reasons.
> The .exe file takes several names so you have to dump any email trying
> to hand you one.
>
> Does anybody see anything wrong with these?
>
> Martin McCormick WB5AGZ Stillwater, OK
> OSU Information Technology Division Network Operations Group
>
> Content-Type:.*application/x-msdownload; name="*.exe"
> Content-Type:.*audio/x-midi; name="*.exe"
> Content-Type:.*audio/x-wav; name="*.exe"
> Content-disposition:.*attachment; name="*.exe"
> Content-type:.*audio/x-wav; name="*.exe"
I'm not too sure what you are asking, but I believe that there is an
easier way to filter out attachments of specific types.
Are you using the default .junkfilterrc (copied from
junkfilter.config)? Look at the bottom of that file for
JFBADATT. It contains a list of attachment
types that cause the message to be marked as spam.
Hope this helps.
Dave
[snip]
it appears that swen is finally slowing down a bit.
I am now running both junkfilter and bogofilter in .procmailrc
and junkfilter catches some of the messages that slip by bogofilter.
I reset both the bodychk and headers files back to their original form
because I had had junkfilter so restrictive that it was flagging lots
of legitimate messages as spam. I did add the following lines to the
headers file but am not sure whether or not they should work because
several of the swen messages got flagged as spam for other reasons.
The .exe file takes several names so you have to dump any email trying
to hand you one.
Does anybody see anything wrong with these?
Martin McCormick WB5AGZ Stillwater, OK
OSU Information Technology Division Network Operations Group
Content-Type:.*application/x-msdownload; name="*.exe"
Content-Type:.*audio/x-midi; name="*.exe"
Content-Type:.*audio/x-wav; name="*.exe"
Content-disposition:.*attachment; name="*.exe"
Content-type:.*audio/x-wav; name="*.exe"
"dkuhlman1001" writes:
>junkfilter is doing a great job saving me from the SWEN worm. All the emails I'm
>getting from that virus have a .exe attachment, which junkfilter is dumping for me.
>If it weren't for junkfilter, my mailbox would overflow every night. Since each of
>these messages is around 140K, they fill up my account limit pretty quickly.
>
>One question -- Is there anything else I should be doing? Is there anything we can do
>to help fix the machines that are sending this steady stream of large messages?
>
>Dave
--- In junkfilter-users@yahoogroups.com, "dkuhlman1001" <dkuhlman@c...> wrote:
> --- In junkfilter-users@yahoogroups.com, "JRocha" <jrochagrupo@y...> wrote:
> > Dear People,
> >
> >
> > How can I block an email with more than 5 addressees in "To:", "Cc:"
> > or "Bcc".
>
> In junkfilter/junkfilter.opt there is a "60 Recipients" rule. (Look for
> JF_OPT_60RECIP.) Perhaps you could copy that rule to junkfilter/junkfilter.user
> and then modify it so that it would check for 5 or more rather than 60 or more.
>
> I believe that you will need to set JF_USER to 1 in your .junkfilterrc. In the
> default config (junkfilter.config), it is off.
>
> Do you also need to do a compile/build?
>
> Dave
Very good!!!!!
Thanks.
--- In junkfilter-users@yahoogroups.com, "JRocha" <jrochagrupo@y...> wrote:
> Dear People,
>
>
> How can I block an email with more than 5 addressees in "To:", "Cc:"
> or "Bcc".
In junkfilter/junkfilter.opt there is a "60 Recipients" rule. (Look for
JF_OPT_60RECIP.) Perhaps you could copy that rule to junkfilter/junkfilter.user
and then modify it so that it would check for 5 or more rather than 60 or more.
I believe that you will need to set JF_USER to 1 in your .junkfilterrc. In the
default config (junkfilter.config), it is off.
Do you also need to do a compile/build?
Dave
"dkuhlman1001" writes:
>All the emails I'm
>getting from that virus have a .exe attachment, which junkfilter is dumping for me.
Thanks for pointing that out. I've been so busy stomping on
those messages, I haven't had time to notice. They sure do all seem
to have a .exe either disguised as a .wav file or some other common
binary, but the pushing of the .exe file may be the most common thing
to look for. I'm getting about 250 or so per day here.
Martin McCormick WB5AGZ Stillwater, OK
OSU Information Technology Division Network Operations Group
junkfilter is doing a great job saving me from the SWEN worm. All the emails I'm
getting from that virus have a .exe attachment, which junkfilter is dumping for me.
If it weren't for junkfilter, my mailbox would overflow every night. Since each of
these messages is around 140K, they fill up my account limit pretty quickly.
One question -- Is there anything else I should be doing? Is there anything we can do
to help fix the machines that are sending this steady stream of large messages?
Dave
Just make sure you don't have any blank lines in any of those files. If you
do that is what will happen, everything is marked spam.
Steve...
-----Original Message-----
From: Mike Fahey [mailto:mfahey@...]
Sent: Monday, July 21, 2003 2:07 PM
To: junkfilter-users@yahoogroups.com
Subject: Re: [jf] large list of blocked domains = all mail marked as spam.
any ideas why it would mark all incoming email as spam with 260+ blocked
domains? in the headers it puts "domains-user".
Thanks.
With best regards,
Mike Fahey - Systems Administration
********************************************************************
ENTER.NET - "The Road to the Internet Starts Here!" (tm)
(610) 437-2221 * http://www.enter.net/ * email:support@...
********************************************************************
On Sat, 19 Jul 2003, Johann Schubert wrote:
> > I noticed a problem if you have a large amount of blocked domains,
> > all incoming mail gets marked as spam. its tagged with "domains-user".
> >
> > Does junkfilter have a limit on the amount of blocked domains it can use?
> > There are about 260 blocked domains in the list.
> >
> > I checked the list of domains and they don't have any non alpha-numeric
> > characters.
>
> I have 2092 in "gulf-blocks" alone...
>
> John
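A pre-install check for the failure Steve describes, as an added example (not junkfilter code). It reports blank or whitespace-only lines in a list file and uses grep -f on constructed data to show the effect, on the assumption that junkfilter's compiled lists behave like any regex list in which an empty pattern matches every message. File contents and function names are constructed.

```sh
#!/bin/sh
# Added example: find blank lines in a pattern list before it is installed.

blank_lines() {         # print numbers of blank/whitespace-only lines; exit 1 if any
    awk '/^[ \t\r]*$/ { print NR; bad = 1 } END { exit bad }' "$1"
}

strip_blank() {         # copy $1 to stdout without blank/whitespace-only lines
    awk '!/^[ \t\r]*$/' "$1"
}

count_matches() {       # number of lines in $2 matched by the patterns in $1
    grep -c -i -f "$1" "$2" || true
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed block list with an empty line left in the middle.
    printf '%s\n' 'spamdomain\.example' '' 'bulkmail\.example' > "$dir/domains"
    # Constructed senders: only the first belongs to a listed domain.
    printf '%s\n' 'From: offers@spamdomain.example' \
                  'From: alice@friend.example' \
                  'From: list@project.example' > "$dir/senders"
    strip_blank "$dir/domains" > "$dir/domains.clean"
    echo "blank at line(s): $(blank_lines "$dir/domains" | tr '\n' ' ')"
    echo "matched with blank line: $(count_matches "$dir/domains" "$dir/senders")"
    echo "matched after cleanup:   $(count_matches "$dir/domains.clean" "$dir/senders")"
    rm -rf "$dir"
}
demo
```

The \r in the patterns also catches lines that look empty but carry a stray carriage return from a file edited on Windows.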
any ideas why it would mark all incoming email as spam with 260+ blocked
domains? in the headers it puts "domains-user".
Thanks.
With best regards,
Mike Fahey - Systems Administration
********************************************************************
ENTER.NET - "The Road to the Internet Starts Here!" (tm)
(610) 437-2221 * http://www.enter.net/ * email:support@...
********************************************************************
On Sat, 19 Jul 2003, Johann Schubert wrote:
> > I noticed a problem if you have a large amount of blocked domains,
> > all incoming mail gets marked as spam. its tagged with "domains-user".
> >
> > Does junkfilter have a limit on the amount of blocked domains it can use?
> > There are about 260 blocked domains in the list.
> >
> > I checked the list of domains and they don't have any non alpha-numeric
> > characters.
>
> I have 2092 in "gulf-blocks" alone...
>
> John
You have emailed the domain's webmaster.
Due to an increase in received junk mail this email address has been closed.
Pay attention to this email's header for possible misspellings of our email
address. Please correct and then repeat the mailing. You also may call us at +49
40 7891960.
You have sent mail to the webmaster.
Because of excessive advertising mail we have closed this email account.
Please check in this email's header whether you misspelled our email address.
If so, correct your entry and send us your email again. You can also reach us by
phone at 040 7891960
with kind regards
Webmaster
> I noticed a problem if you have a large amount of blocked domains,
> all incoming mail gets marked as spam. its tagged with "domains-user".
>
> Does junkfilter have a limit on the amount of blocked domains it can use?
> There are about 260 blocked domains in the list.
>
> I checked the list of domains and they don't have any non alpha-numeric
> characters.
I have 2092 in "gulf-blocks" alone...
John
Hello,
I noticed a problem if you have a large amount of blocked domains,
all incoming mail gets marked as spam. its tagged with "domains-user".
Does junkfilter have a limit on the amount of blocked domains it can use?
There are about 260 blocked domains in the list.
I checked the list of domains and they don't have any non alpha-numeric
characters.
Thanks in advance.
With best regards,
Mike Fahey - Systems Administration
********************************************************************
ENTER.NET - "The Road to the Internet Starts Here!" (tm)
(610) 437-2221 * http://www.enter.net/ * email:support@...
********************************************************************
I've started using junkfilter, and it is working very well for me.
Now I want to "tune" it. So here are a few questions:
1. When junkfilter places a message in my junkmail file and I
don't want it to, how can I find out why it was marked as spam
(so that I can change it)? How can I find out which
pattern/rule caused it to be selected as spam? I need to be
able to identify which pattern to modify or remove.
2. When junkfilter does *not* place a message in my junkmail file
that I think it should, how do I figure out why it did not?
For example, is there a way to determine why the email failed a
specific test? Are there techniques for putting debugging
messages into the procmail log file?
3. As an example, when I send myself an email, junkfilter
*always* sends it to the junkfile. How can I find the rule
that causes this so that I can change it so that I can do some
tests? Likewise, when I subscribed to this group, the welcome
email was flagged as spam. I'd like to know why and which
pattern to look at.
4. Are there other debugging techniques that I should know and
could use? Are there some junkfilter variables that I can stick
into the headers of rejected messages? Setting VERBOSE=yes in my
.procmailrc file produces 200K per email. Is there a slightly more
brief setting?
5. Is there any documentation on junkfilter besides the README?
Thanks in advance for help.
- Dave
....that allows the emails between users on my domain to pass through
junkfilter unfiltered. The answer may be obvious, but I can't seem
to figure it out.
Thanks!
David
> I have noticed that the bodychk function takes precedence over
> even the White List when flagging messages as spam. Is there any
> standard way to make any message coming from anyone in the White list
> simply pass, no questions asked so to speak?
>
> What I presently do is short-circuit the filter for mail
> coming from certain lists and cause those messages to be delivered to
> the inbox.
I do that, too. I set my whitelist for processing ahead of junkfilter.
Messages from whitelisted senders are not sent to junkfilter this way.
I found that whitelisting my own domain the junkfilter whitelist way
caused all spam to be delivered not filtered because the domain name is in
the headers (not just the From: header) because of the mail server's name.
So, unless that's been changed, the whitelist is useless.
I like the preprocessing idea because it gives me complete flexibility. My
.procmailrc file is nothing more than a list of INCLUDERC statements in
the order in which I want them called.
Ralph
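Why a header-wide match on your own domain lets everything through, as an added example (not junkfilter's whitelist code). On a constructed message the domain appears in Received: and To: although the sender is elsewhere, while a check limited to the unfolded From: address does not match. The function names, domains and message are constructed.

```sh
#!/bin/sh
# Added example: header-wide whitelist match versus a From:-only match.

sample_message() {      # constructed spam delivered through the local server
    cat <<'EOF'
Received: from unknown (HELO mx.bulk.example) (203.0.113.7)
    by mail.example.org with SMTP; 1 Jul 2004 00:40:51 -0000
From: "Special Offers"
    <promo@bulk.example>
To: ralph@example.org
Subject: Limited time offer

Mentions example.org in the body as well.
EOF
}

header_block() {        # stdin = message; print the header only (up to the first blank line)
    sed '/^$/q'
}

from_domain() {         # stdin = message; domain of the unfolded From: address, lowercased
    header_block | awk '
        /^[ \t]/               { if (on) val = val " " $0; next }
        on                     { exit }
        tolower($0) ~ /^from:/ { on = 1; val = substr($0, 6) }
        END                    { print val }' |
    sed -n 's/.*@\([A-Za-z0-9.-]*\).*/\1/p' | tr 'A-Z' 'a-z'
}

whitelisted_anywhere() {   # $1 = domain; exit 0 if it occurs in any header line
    header_block | grep -qiF "$1"
}

whitelisted_sender() {     # $1 = domain; exit 0 only if From: is at the domain or a subdomain
    d=$(from_domain)
    case $d in "$1"|*."$1") return 0 ;; esac
    return 1
}

if sample_message | whitelisted_anywhere example.org; then
    echo "header-wide match: whitelisted"
fi
if sample_message | whitelisted_sender example.org; then
    echo "From-only match: whitelisted"
else
    echo "From-only match: not whitelisted (sender domain $(sample_message | from_domain))"
fi
```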