The SpamBouncer
Version 1.5

Updated February 23, 2003

If you have a version before the current version number or more than a month older than this date, please update. If you are running in COMPLAIN mode, you should update weekly.

Please also read "What's New" for new version information. New users should run with SPAMREPLY and BLOCKREPLY set to SILENT for a week or so until they are sure the program is installed correctly and isn't catching legitimate email. Beta version users should check the Beta Version comments at the top of the SpamBouncer program file when installing a new beta version.

Copyright © 1996-2003 by Catherine A. Hampton. If you abide by the Free Software Foundation's COPYING principles with this document and the spam software and forms, you're home free, but don't try to copyright it yourself or sell this information.

Contents

What's New with the SpamBouncer?

Return to Table of Contents

What Does the SpamBouncer Do?

The SpamBouncer is a set of procmail recipes, or instructions, which search the headers and text of your incoming email to see if it meets one or more of the following conditions:

• Originates from an email address known to belong to a spammer.

• Originates from known spam source sites, domains or hosts -- internet sites which exist solely or primarily to spam or provide services to spammers.

• Originates from irresponsible, or rogue, Internet Service Providers (ISPs), who permit spamming from their sites and fail to take appropriate action against spammers.

• Was sent using a bulk email program whose only or primary purpose is to send large quantities of junk email.

• Contains headers which match the SpamBouncer's profile of definite or probable spam.

• Contains body text strings which match the SpamBouncer's profile of probable spam.

• Contains body text strings which match the SpamBouncer's profile of a particular virus or class of viruses.

The SpamBouncer sorts suspected spam into three categories -- email sent by a virus, email from known spam sources which is definitely spam, and email which is probably spam, but might also be legitimate. It then tags each email with appropriate headers for the spam classification, and responds according to the parameters you have set.

Depending on how you set it up, it will:

• Simply tag the suspected spam and return it to your main incoming mailbox, allowing you to set up Eudora, Pegasus Mail, or another POP mail program to retrieve and sort your mail.

• Tag the suspected spam, delete spam from known spam sources, and file suspected spam in a separate folder.

• Send a simulated MAILER-DAEMON daemon "bounce" to known spammers in hopes that they will think your email address is invalid and remove you from their spam lists.

• Complain to the "upstream providers" of known spammers or spam sites/domains, asking that they disconnect the internet service of the spammers.

• Notify senders of email tagged as probable spam that their email was intercepted, and give them a password to resend their email and bypass spam filtering if their email was legitimate. (Spammers almost never try to bypass filtering when warned this way -- in most cases, they don't even read replies to their mail.)

If you get mail from friends who have accounts at a site listed in the SpamBouncer, you can put their names and email addresses in a text file and set the NOBOUNCE variable to point to it. If you want to receive mail from a site I have listed as a spam site, you can add the entire site name to the NOBOUNCE file. The SpamBouncer will check the NOBOUNCE file before filtering your email and will skip any email from a person or site listed in the NOBOUNCE file.

Please note that you can put entire domain names, not just email addresses, in NOBOUNCE. For example, if you want to accept all email from concentric.net without checking for spam, just put concentric.net in your NOBOUNCE file, with no username@ section. This will cause the SpamBouncer to skip all email from anyone at Concentric. (I do not recommend doing this except for small domains which you =KNOW= will not be sources of spam, though.)

What Do I Need to Run the SpamBouncer?

The SpamBouncer itself must run on a Unix server which has the Procmail mail filtering program installed, so only users who have access to a Unix shell account with Procmail installed can use it. This means that AOL users, Earthlink users, Mindspring users, Netcom Netcruiser/Netcomplete users, Compuserve users, Prodigy users, and others who do not have a Unix shell account as part of their service will have to find some other means of filtering spam. Sorry!

It is possible, however, for people who use Eudora, Pegasus Mail, and other POP clients to use the SpamBouncer on their Unix shell accounts to filter their email, and then use their favorite POP mail client to retrieve their filtered mail from the server. If their POP client programs can filter mail by headers, they can filter and delete known spam and probable spam directly into appropriate folders via the SpamBouncer's headers.

This means that anyone running any kind of computer, operating system, and software can use the SpamBouncer, provided they have and use a Unix shell account, and (if they want to use a POP mail program) have software capable of filtering their mail based on user-configurable headers.

If you are totally confused by now, PLEASE find a friend who understands what this means before you try to install the SpamBouncer. While I have made this as user-friendly as I could, using the SpamBouncer requires a certain level of knowledge about computers and the internet. It is not for computer or internet novices.

Return to Table of Contents

Before You Begin...

Because someone who evidently likes the SpamBouncer listed it for me in Yahoo and other search engines <wry grin>, I need to include the following disclaimers and warnings.

First, this is free software. No warranty is provided or implied -- users use the SpamBouncer at their own risk.

I wrote the SpamBouncer originally to filter my own mail, when spam started drowning out the real mail. I originally posted these filters to my web site so that users at my old ISP, Best Internet (long since bought out by Verio), and a few other experienced users could help me test them. I recommend that Procmail neophytes get help from an experienced Procmail user on their system to install the SpamBouncer, and run it in default "Silent Mode" until they are more confident of their skills.

The SpamBouncer is being developed on a Pentium-based server running OpenBSD, and running Procmail 3.14.

In addition to the Pentium-based system where I am developing the SpamBouncer currently, I have developed and tested the earlier versions of it on Linux, FreeBDS, SGI systems running Irix 5.3 and 6.2, SunOS 4.1.3, and Solaris 5.2. I know of no problems running on these systems. A number of users have also run the progrem under various flavors of SunOS, Solaris, HPUX, and other versions of Unix with no trouble.

So please be careful, and keep a close eye on your account for a few days after installing to be sure it works properly.

Return to Table of Contents

Installing the SpamBouncer

Installing Procmail

To use these filters, you will need to have procmail installed on your system, and have set it up for your account. This does not mean you must read mail on your unix account -- if you have a shell account, these filters can be configured to filter mail and then deliver it to your POP mail box. If you don't know what kind of account you have, you probably shouldn't be using these filters until you learn something about Unix and shell accounts.

Since the way Procmail should be installed is different on different systems, if you do not already have Procmail installed, you will need to ask your system administrator or people on your local internet service provider for help. Those who have never used Procmail and want to get started with a simple Procmail setup can jump to Getting Started With Procmail, a tutorial with clear instructions about what information you will need to get from your system administrator to set up Procmail properly on your account, and a basic .procmailrc configuration file which should work well on most systems.

If you are an experienced Procmail user, please make sure that your .procmailrc file is configured to filter out your mailing lists before filtering for spam. The SpamBouncer tries to identify list mail and skip it, but some mailing lists do not use standard list "Precedence:" headers or headers recognisable by Procmail as coming from a daemon or list program. So please be sure you filter out your lists first, especially if you are running with SPAMREPLY set to BOUNCE or COMPLAIN!

In any event, you should always run in SILENT mode for a few days, until you are sure you have your mailing lists filtered out properly and that the filter is working properly on your account.

If you did not use procmail.rc from Getting Started With Procmail, here's a recipe to filter out list mail and other mail from automatic mailer programs, or mailer daemons, as they are usually called on Unix machines. Put it in your .procmailrc file before the INCLUDERC statement that calls the SpamBouncer.

# Filter out Mailing List Mail
:0:
* ^TO(listmom-talk@skylist.com|\
      orthodoxy@lists.best.com|\
      procmail@Informatik.RWTH-Aachen.DE)
$BULKFOLDER

You should substitute all mailing list addresses for mailing lists you receive for the list I gave -- you and I don't read mail from the same lists, at least as far as I know! :)

Return to Table of Contents

Retrieving the SpamBouncer Program Files

After you have installed Procmail for your system, you can install the SpamBouncer. You will need to download the SpamBouncer program files to your Unix account first. You can do this one of two ways -- by downloading them from the links below to your personal computer, or by ftp'ing them. The advantage to ftp is that it ensures that the file format will be right. Often, when you retrieve a text file using a WWW browser and then save it to your hard disk, the browser reformats the file. This type of reformatting can break Procmail configuration files like the SpamBouncer.

Lynx users should note that lynx reformats text files when downloading them via a normal link access command, which will break the SpamBouncer and most other Procmail scripts. If you're a lynx user, please remember to use the "D" command to download the SpamBouncer files instead of just accessing the link, or (even better) ftp the files from the links in the FTP column instead of trying to retrieve them from the http:// links in the WWW/HTTP column.

Now, if you saved the SpamBouncer files on your local PC, you will need to ftp or upload them to your unix shell account. They should be put in their own directory.

To unarchive the ZIP format archive, type "unzip spambnc.zip" and press <Enter>. (Your Unix machine may respond with an "unzip: command not found" error message. If it does, you may not have the Unix program unzip, and should retrieve the tar.Z archive.) To unarchive the tar.Z file, type "uncompress spambnc.tar.Z", press <Enter>, and then type "tar -xvf spambnc.tar" and press <Enter> to extract the individual files.

Return to Table of Contents

The SpamBouncer Files and What They're For

The index file of the SpamBouncer, which may be named sb.rc, sb-old.rc or sb-new.rc depending on which version you downloaded, contains the basic script that calls all other files and scripts that comprise the SpamBouncer. The current production version of the SpamBouncer is the one containing sb.rc. The version containing sb-old.rc is the previous production release of the SpamBouncer. The version containing sb-new.rc is the current somewhat stable beta version.

Inexperienced users or users who don't want problems should not use the beta version, and all beta version users need to follow any warnings/instructions listed among the comments at the top of sb-new.rc and in the What's New section.

All other files ending in .rc are subsidiary parts of the SpamBouncer that are called by sb.rc or sb-new.rc.

The freemail file contains a sample text file which you may install and then set your FREEMAIL variable to point to. You do not need to install this file unless you want to customize the list of free email sites -- the SpamBouncer will use its own internal list if it can't find the text file.

The "legitlists" file contains a text file with the names of legitimate email lists (the opt-in variety), which you may getting trapped by the SpamBouncer. Just put each mailing list address on a separate line, just as you would with the NOBOUNCE file.

The other three files contain standardized autoresponder messages for the program. You may customize these to your taste. I do recommend that you leave the references to the SpamBouncer bypass email address in any edited version of the file spam, though, so that people know how to contact me if their mail is getting bounced because of a problem with the filter itself, or how it is installed. That way, I can contact you (hopefully), and prevent further damage.

If you customize the autoresponder messages, you probably will want to keep them reasonably polite. There's no point flaming some poor innocent system administrator at a large ISP just because you're p*ssed at a spamming slimeball. :)

Return to Table of Contents

Where to Put the SpamBouncer

Where you should store the SpamBouncer program files depends on how you are installing the SpamBouncer.

• Individual installations. If you are an individual user who has a Unix workstation or Unix shell account on which you will use the SpamBouncer, you can create a program directory for the SpamBouncer anywhere that your permissions will allow you to create directories and write files. I recommend creating a directory called sb off of your HOME directory, and putting the SpamBouncer program files there.

• Site installations. If you are a system administrator installing the SpamBouncer for sitewide use, you should create the program directory in an area where user accounts have read-only access. I recommend creating a directory called sb or spambouncer off of /usr/local/bin or another directory where you store local programs. If you do this, users on your system can then create symbolic links to the shared SpamBouncer directory in their home directories. This allows you to keep the SpamBouncer up to date.

If a particular user wants to modify the filter, he can simply create a private directory, copy the necessary files to it, and make whatever changes he wants. If he does the last, of course, he is responsible for updating his copy of the filter manually.

In either case, as you proceed through these instructions and configure the SpamBouncer, you should put the configuration files that you create and will modify somewhere outside of the SpamBouncer program directory. In particular, your .procmailrc file, LEGITLISTS file, LOCALHOSTFILE file, MYEMAIL file, and NOBOUNCE file should all be located outside of the SpamBouncer program directory. That way, when you update the SpamBouncer, you won't overwrite your configuration.

Return to Table of Contents

Configuring the SpamBouncer

The SpamBouncer is a highly configurable program with an often-bewildering number of options. If you are an individual user installing the SpamBouncer, however, you can safely accept the default configuration for many of those options when first installing the program. The default configuration is designed with safety first in mind; even if it catches legitimate email, it will not delete it or autocomplain about it.

Some configuration is required before you start, though, or the SpamBouncer will simply do nothing and pass your email to you unfiltered. In addition, to get the best use out of the SpamBouncer, you will need to understand more about configuring it so that you can enable options that will catch a lot more spam.

In particular, if you are a system administrator who will install and configure the SpamBouncer for unsophisticated users, or users who will have only POP access, you must make sure you understand how the SpamBouncer works before you implement it. The SpamBouncer was designed originally by a Unix geek for Unix geeks to use on Unix shell accounts. :) I have added a number of featurs to make it possible to use the SpamBouncer on a system-wide basis and have users that successfully do this, but I am not a system administrator of a mail server myself. I cannot test various configurations of this type myself as a professional software company would. So please be careful, and give me lots of feedback!

Basic Configuration

There are a few variables that every user must set when first installing the program, and a few more that you will want to set to make the SpamBouncer work in the most efficient manner. All users must first set the following variables in their .procmailrc files:

• DEFAULT. Find out what your default incoming email box is and set the DEFAULT variable to that mailbox. On many Unix systems, the default mailbox will be /var/spool/mail/yourlogin or /var/mail/yourlogin. For example, if your incoming email is stored in /var/mail/yourlogin, put the statement DEFAULT=/var/mail/yourlogin in your .procmailrc file. (Substitute your login for yourlogin.)

• FORMAIL. Find out where the formail program is stored on your system, and set the FORMAIL variable to point to it. On many Unix systems, formail will be located in /usr/bin/formail or /usr/local/bin/formail. For example, if your system stores formail in /usr/bin/formail, put the statement FORMAIL=/usr/bin/formail in your .procmailrc file.

• SBDIR. Set the SBDIR variable to point to the directory where you have put the SpamBouncer program files. Many users put the SpamBouncer files in ${HOME}/sb, but you can install them wherever you wish. For example, if you install the SpamBouncer program in ${HOME}/sb, put the statement SBDIR=${HOME}/sb in your .procmailrc file.

After you have set the variables above, you should next create four text files: .legitlists, .localhostfile, .myemail, and .nobounce. You can put them in your home directory, where the SpamBouncer looks for them by default, or in any other directory. If you put them in a directory other than your HOME directory, you must set the LEGITLISTS, LOCALHOSTFILE, MYEMAIL, and NOBOUNCE variables to point to the proper location and filename. For example, if you name your NOBOUNCE file my-friends and put it in ${HOME}/configfiles, put the statement NOBOUNCE=${HOME}/configfiles/my-friends in your .procmailrc file.

Each of these text files must be in Unix text format. That means that you must use a text editor to edit them; DO NOT USE a word processing program like Microsoft Word or Microsoft Wordpad. (Windows users should use Windows Notepad, if they do not have another text editor they prefer.) If you edit these files on a Windows- or Macintosh-based computer, you must upload them using ftp in ASCII mode or some other means that will create Unix, not DOS, text files.

In each file, you must include email addresses or domain names, one on each line of the file. Ensure that there are no blank lines in each of these files, and that the last email address or domain name is followed by a carriage return. (That may create what looks like a blank line in some text editors, but it isn't actually a blank line.)

• .legitlists. Enter the names of all legitimate bulk mailing lists you are subscribed to. A sample .legitlists file is shown below:

junkfax-l@trashbusters.org
html-wizards-l@earlham.edu
outback@yahoogroups.com

• .localhostfile. Enter the name of each domain that you receive email for. If you receive email only for one host, enter that host name in the file. A sample .localhostfile file is shown below:

hrweb.org
spambouncer.org

• .myemail. Enter every email address that belongs to you on this system. (Don't worry -- the SpamBouncer knows about spammers that forge your email address into the From: line and isn't fooled by this.) A sample .myemail file is shown below:

abuse@hrweb.org
abuse@spambouncer.org
ariel@hrweb.org
ariel@spambouncer.org
postmaster@hrweb.org
postmaster@spambouncer.org
webmaster@hrweb.org
webmaster@spambouncer.org

• .nobounce. Enter the email address of every person you regularly receive email from. This will speed up delivery of your mail and reduce the work your server must do to filter your mail, since email from addresses in the NOBOUNCE file is filtered for viruses, but nothing else. In addition, if you regularly add the email addresses of people you correspond with to the NOBOUNCE file, you can use more aggressive filtering options in the SpamBouncer without having a large number of false positives. A sample .nobounce file is shown below:

friend@home.com
anotherfriend@home.com
boss@work.com
coworker@work.com
mom@juno.com
brother@yahoo.com
kid@highschool.kids.us

You can also add partial strings, such as entire domains or subdomains, or partial email addresses, to your NOBOUNCE file. For example, if you know that all email sent from the subdomain engineering.work.com is from one of your coworkers and nobody else, you could add that string to your NOBOUNCE file just as you would add an email address. If you have a friend who habitually changes ISPs or uses email accounts at multiple sites, but whose email address always starts with skywalker@, you could add that string to your NOBOUNCE file just as you would add an email address.

NOTE:Be careful about adding partial strings or entire domains to your NOBOUNCE file. If the string you add is a common string that might be found in email other than the email you are expecting, this can cause the SpamBouncer to think that a spam is okay and not filter it.

For example, if you have several friends who have email addresses at aol.com, and you add aol.com to your NOBOUNCE file, the SpamBouncer will pass anything that appears to be from anyone at aol.com without filtering it. Lots of spammers forge email address at aol.com in the From: lines of their spam, so this means you would get a lot of spam in your inbox that the SpamBouncer would otherwise have caught.

It is safest to add only complete email addresses to your NOBOUNCE file unless you are an experienced user and understand the implications of a partial match.

After you have created these files, you should choose one of the following three sections and do what is indicated in that section. The sections are Risk Averse or New Users, Ready to Fight Back, and I HATE SPAM AND WANT IT GONE NOW!. I've tried to make it easy to tell which section you want. :)

You can also check out the Tracking Spam or SpamCop web sites to learn how to complain about spam manually. Manual complaints take time, but are always the best way to get a spammer shut down if you do it right.

Return to Table of Contents

Risk-Averse or New Users

Users who do not want to risk false positives should use this configuration. This is also the configuration you should start with, regardless of what you do after you become comfortable with Unix and the SpamBouncer.

• BLOCKFOLDER and SPAMFOLDER. Set both of these variables to the name of a folder where you want the SpamBouncer store email that it catches. Once every few days, review this folder to make sure no legitimate email was caught in error. Add the email address of anyone whose email was caught in error to your NOBOUNCE file or LEGITLISTS file (depending on whether it was individual email or a mailing list), and then delete everything else.

• BLOCKREPLY, PATTERNMATCHING, and SPAMREPLY. Set all three of these variables to SILENT. You don't want to send autoreplies or bounces, but you do want Pattern Matching turned on and the default setting leaves it off.

• VIRUSFOLDER. Set this variable to /dev/null to delete all viruses. You don't want to take chances with a virus, and the false positive rate on the virus filters is near zero.

Return to Table of Contents

Ready to Fight Back :)

Users who are willing to accept a low false positive rate, and who want to use the SpamBouncer's autocomplaining features, should set the following variables:

• ALTFROM. Set this to the email address from which you want to send complaints. You may want to obtain a free email address at Yahoo or another free provider and use it just for this purpose. Some ISPs forward spam complaints to spammers, and spammers have been known to sell the addresses of people who complain to other spammers as "known live" email addreses, or even mailbomb those who complain. It is best not to send complaints from your normal email address. (A user pointed out that a number of abuse addresses reject complaints from people with Hotmail addresses. You might want to avoid using Hotmail for your complaint account.)

• BLOCKFOLDER and SPAMFOLDER. Set both of these variables to the name of a folder where you want the SpamBouncer store email that it catches. Once every few days, review this folder to make sure no legitimate email was caught in error. Add the email address of anyone whose email was caught in error to your NOBOUNCE file or LEGITLISTS file (depending on whether it was individual email or a mailing list). Delete anything the SpamBouncer has complained about already, or that you don't want to bother with, and complain about the rest manually.

• BLOCKREPLY. Set this to SILENT. Email classified as Blocked does have some false positives in it, so check your BLOCKFOLDER/SPAMFOLDER regularly to rescue anything you wanted to receive. (And add the sender's name to your NOBOUNCE file to prevent further blocking.)

• PATTERNMATCHING. Set this variable to SILENT. You don't want to send autoreplies or bounces for Pattern Matching because it is more prone to false positives than other types of Blocked email, but you do want Pattern Matching turned on and the default setting leaves it off. (Add the sender's name to your NOBOUNCE file to prevent further blocking.)

• SENDMAIL. Set this to point to your system's copy of the sendmail program. On many systems, this is located in /usr/bin/sendmail, /usr/sbin/sendmail, or even /bin/sendmail. If you do not set this variable correctly, the SpamBouncer will not be able to send bounces, complaints, or notify messages.

• SPAMREPLY. Set this to COMPLAIN. The SpamBouncer very rarely classifies legitimate email as spam. It also does not complain about most spam; it complains only about spam from known spam sources, and usually very aggressive known spam sources that send a lot of spam. By auto-complaining, you ensure that the ISPS of egregious and aggressive spammers are notified immediately when their spamming customers spam again.

• VIRUSFOLDER. Set this variable to /dev/null to delete all viruses. You don't want to take chances with a virus, and the false positive rate on the virus filters is near zero.

In addition, look through the list of blocklists the SpamBouncer supports and enable those that look interesting. :)

Return to Table of Contents

I HATE SPAM AND WANT IT GONE NOW!

If you feel this way, then you and I obviously have some common ancestors or early environmental influences in common. <grin> Set the following variables if you want to autocomplain aggressively, bounce spam back, and notify users whose mail is blocked by the SpamBouncer, and are willing to check the BLOCKFOLDER frequently for false positives:

• ALTFROM. Set this to the email address from which you want to send complaints.

• BLOCKFOLDER. Set this variable to the name of a folder where you want the SpamBouncer store blocked email. Once every few days, review this folder to make sure no legitimate email was caught in error. Add the email address of anyone whose email was caught in error to your NOBOUNCE file or LEGITLISTS file (depending on whether it was individual email or a mailing list). Delete anything the SpamBouncer has complained about already, or that you don't want to bother with. Complain about the rest manually.

• BLOCKREPLY. Set this to NOTIFY. Email classified as Blocked does have some false positives in it, so in addition to notifying people, you should check your BLOCKFOLDER/SPAMFOLDER regularly to rescue anything you wanted to receive. (And add the sender's name to your NOBOUNCE file to prevent further blocking.)

• PATTERNMATCHING. Set this variable to NOTIFY as well, and the SpamBouncer will treat email caught by the Pattern Matching filters exactly as it does Blocked email. (Add the sender's name to your NOBOUNCE file to prevent further blocking.)

• SENDMAIL. Set this to point to your system's copy of the sendmail program. On many systems, this is located in /usr/bin/sendmail, /usr/sbin/sendmail, or even /bin/sendmail. If you do not set this variable correctly, the SpamBouncer will not be able to send bounces, complaints, or notify messages.

• SPAMFOLDER. Set this variable to the name of a folder where you want the SpamBouncer store spam, and review the folder every few days so that you can complain manually about anything the SpamBouncer didn't autocomplain about, or set it to /dev/null if you don't want to be bothered with it further.

• SPAMREPLY. Set this to COMPLAIN, BOUNCE, or BOTH. COMPLAIN will cause the SpamBouncer to send automatic complaints about spam that comes from a known source. BOUNCE will cause the SpamBouncer to bounce spam back to the sender, unless the sender email address is an obvious forgery. BOTH will cause it to do both. I recommend setting this to COMPLAIN because a lot of spammers forge From: lines and bouncing their email just adds to the load on the Internet. (I may remove the BOUNCE option entirely in the future.)

• VIRUSFOLDER. Set this variable to /dev/null to delete all viruses, or to a folder if you want to look at the virus emails on your Unix system (which is probably immune to them) and determine who might be infected so that you can notify them or their ISP and get the problem fixed.

In addition, look through the list of blacklists the SpamBouncer supports and enable those that look interesting. Many of them are somewhat redundant, but I find that one often catches what the other does not. For example, the Five-Ten-SG blocklists are much better at catching spam from Asian spammers (such as Chinese spammers) than the other blocklists are, but the OsiruSoft lists are better at catching European spam.

I prefer to use a lot of blacklists, and when one catches legitimate email, add the sender to my NOBOUNCE file.

Return to Table of Contents

Special Instructions for Users of POP Mail Clients

Users who get their mail using Eudora, Microsoft Outlook, Netscape Communicator, Outlook Express, Pegasus Mail, or another POP mail client which can filter mail by headers will need to set up their filters to look for the following headings:

X-SBClass: Admin

This header indicates mail sent to the ADMINFOLDER. You should create a folder for Admin mail on your client program, and then set your client program's filter to look for this header and filter mail which has it into the Admin folder.

X-SBClass: Blocked

This header indicates mail flagged as probable spam, but not certainly so. Create a folder for Blocked mail and set your client program's filters to put mail with this header into the Blocked Mail folder.

X-SBClass: Bulk

This header indicates mail flagged as bulk mail which is probably legitimate, such as that from known opt-in mailing lists or sent using known legitimate mailing list software, and which passed spam filtering. I recommend creating a separate folder for such mail, though, since that will make it easier to spot personal email, which is usually more important and should get priority.

X-SBClass: OK

This header indicates personal email which passed the spam checks. Set your client program's filters to put this mail in the normal incoming folder.

X-SBClass: Spam

This header indicates mail flagged as definitely spam. Most POP users will simply set the SpamBouncer to delete this mail outright. If you have set the SpamBouncer to deliver it to your POP mail account, though (perhaps because you want to learn more about spam), it will arrive with this header. Create a folder for Spam and set your POP client's program filters to put mail with this header in the Spam folder.

X-SBClass: Virus

This header indicates mail flagged as a virus. POP users should set the SpamBouncer to delete this mail outright.

Return to Table of Contents

Finishing Your Configuration

After setting the variables in your .procmailrc, add this line to your .procmailrc file at the point where you want to filter your mail for spam:

     INCLUDERC=${SBDIR}/sb.rc

This line should appear after recipes for mail you don't want to filter for spam and before recipes for mail you do want to filter for spam. Users of the sample procmail.rc that comes with the SpamBouncer will have the correct lines in the correct location already, and will just need to uncomment whichever one they want to use.

Return to Table of Contents

A Reference to SpamBouncer Features

This section contains a reference to the blacklists supported by the SpamBouncer, and all the SpamBouncer variables. If you need to know what a particular feature does, or want to look "under the hood" of the SpamBouncer, this section will provide it.

Supported Whitelists

Anti-spam whitelists contain the IP addresses (and, in some cases, the domain names) of the following types of servers:

• Private SMTP servers whose owners have guaranteed not to spam
• ISP SMTP servers that fall within a blacklists blocks through no fault of their own, and that have acceptable and enforced no-spamming AUP/TOS posted publicly on their web sites
• Bulk email sources whose owners have clear policies forbidding spam and requiring confirmed opt-in for all subscriptions

Accepting email sent from whitelisted servers without further filtering can be a highly effective way to reduce false positives resulting from aggressive blacklists and pattern matching filters. This also reduces load on your mail server and speeds delivery of email.

In addition to the SpamBouncer's internal whitelists, the SpamBouncer supports the Habeas User's List (HUL), a DNS-based whitelist of the IPs of SMTP servers that are bound by the Habeas Sender Warranted Email (SWE) program and associated contract.

• Habeas, Inc.. Habeas is the brainchild of former MAPS attorney Anne Mitchell and a few other spam fighters who decided to take a different approach to fighting spam -- provide a means to identify email that is not spam and whitelist that email. Users either include a set of headers in their email that are trademarked by Habeas, or register their SMTP servers with the HUL. Habeas has committed to sueing anyone who uses the Habeas SWE warrant mark to send spam, or sends spam via a server listed in the HUL, for trademark and copyright violations. It also places those IPs on another DNS-based list, the Habeas Infringer's List (HIL), which can then be used to blacklist sites that have violated the Habeas SWE terms or used the service mark without permission.

To enable support for the HUL, you must first obtain a free license from Habeas. This license requires you to agree to certain terms of use, the most important that you will not use the HUL to blacklist. The SpamBouncer's code does not allow that use of the HUL -- your use of the SpamBouncer will not violate the Habeas license. When you have set this up and Habeas has confirmed that you have access to the HUL server, set the HABEASVERIFIED variable to yes in your .procmailrc. (Habeas and I are working together, so let me know if you run into any problems getting the license.) After you do this, the SpamBouncer will check the HUL and will whitelist email from any server on HUL.

NOTE: If you get spam from a server on the HUL or that bears the Habeas SWE warrant mark in the headers, you should report that spam to Habeas by sending email to reports@habeas.com or via their web site. Please send a copy to spamtrap@spambouncer.org as well.

• To enable support for the HIL, set the HABEASINFRINGERS variable to yes in your .procmailrc. After you do this, the SpamBouncer will check the HIL and will block email from any server on the HIL. (You do not need to sign a license with Habeas to use the HIL.)

Supported Blacklists

Anti-spam blacklists contain the IP addresses (and, in some cases, the domain names) of the following types of servers:

• SMTP servers that are direct spam sources (usually owned by the spammers)
• Web servers that host the web sites of spammers (haven domains)
• SMTP servers that allow spammers to spam from them (spam-friendly ISPs)
• SMTP servers that relay for spammers (single- or multi-stage open relays)
• IP ranges that are assigned to dial-up users (dial-up lists)
• Web servers that contain insecure forms that can be used for spamming (formmail.pl)
• Proxy servers that allow spammers to hide behind them (open proxies)
• All servers that lack proper whois information or required contact addresses
• Other servers that are abused by spammers or that help spammers hide

Blocking email sent from blacklisted servers can be a highly effective way to stop spam from reaching your mailbox. In the last year, as the volume of spam on the Internet has surged, the number of blacklists has multiplied, allowing users to choose blacklists whose policies closely match their needs. Blacklists are frequently updated, so a filter that uses them is effectively updated as often as the blacklist is, considerably more frequently than the filter itself is usually updated.

The following is a list of blacklists supported by the SpamBouncer, sorted by category. I explain what type of spam problem each blacklist category addresses, and then list the available blacklists in that category. The name of each blacklist is hyperlinked to the blacklist maintainer's web site, which you can consult for more information about blacklist policies.

Spam Sources. IPs and sites listed as spam sources are persistent sources of spam that have continued to spam for a considerable length of time and despite many efforts to stop them. Many have gone through multiple ISPs, being repeatedly disconnected for breaking their provider's terms of service by spamming. Included in these lists are the SMTP servers used to send spam and the web servers that host web sites advertised by spam. Most of these lists are maintained manually.

Two of these blacklists are enabled by default in the SpamBouncer because they block a considerable amount of spam and have low rates of false positives. Because the most carefully maintained blacklist will make occasional errors, though, the SpamBouncer treats email from these servers as suspicious rather than as outright spam, unless that email also meets the SpamBouncer's internal criteria for spam.

• SpamHaus.org List. Highly respected blacklist of IP addresses used to send repeated, multiple spam runs or that host web sites advertised via spamming. Enabled by default. You can disable this blacklist by setting the SPAMHAUSORGCHECK variable to no, but I recommend leaving it enabled.

• OsiruSoft Spamhaus.org List. A mirror of Steve Linford's spamhaus.org blacklist. Enable this blacklist if your site is having trouble contacting the main spamhaus.org blacklist by setting the OSHAVENCHECK variable to yes.

• OsiruSoft Confirmed Spam Sources. Respected blacklist of IP addresses used to send repeated, multiple spam runs or that block the Osirusoft tester. Enabled by default. You can disable this blacklist by setting the OSSPAMCHECK variable to no, but I recommend leaving it enabled.

• WireHub Confirmed Spam Sources. Blacklist of IP addresses used to send repeated, multiple spam runs, somewhat more aggressive than SpamHaus.org. Disabled by default. You can enable this blacklist by setting the WIREHUBSPAMSOURCE variable to yes in your .procmailrc.

• SpamCop Blacklist. Blacklist of IP addresses used to send spam or that offer spam support services. This blacklist is more aggressive than those previously listed, and is likely to result in legitimate email being blocked if you receive email from a site with a lax abuse department or that has spamming customers. If you enable this blacklist, you should check your blockfolder frequently to retrieve any legitimate email it catches. Enable this blacklist by setting the SPAMCOPCHECK variable to yes.

• MAPS Real-time Blackhole List (RBL). The original blacklist of IP addresses used to send repeated, multiple spam runs. Now a pay service and available only if you have subscribed. Enable this blacklist by setting the RBLCHECK variable to yes.(NOTE: If you enable this blacklist without first subscribing to it, all queries against it will result in a negative response. No spam will be detected.)

• Five-Ten-SG Spam Sources. Blacklist of direct spam sources. Similar to the OsiruSoft Spam Sources blacklist, but more aggressive and may therefore result in blocking larger amounts of legitimate email. Enable this blacklist by setting the FTSGSRCCHECK variable to yes.

Open Relays. Open relays are SMTP servers that accept email from any user on the Internet and deliver it to any other user on the Internet. Properly configured SMTP servers require that either the sender of the email or the recipient be a local user. Spammers LOVE open relays because open relays allow them to avoid spam blocks and deliver more spam, and because some open relays also hide the actual origin of the spam. (The latter are called anonymizing open relays.)

Blocking open relays is inherently aggressive and will block legitimate email along with spam. It is also an extremely effective way to get spam out of your mailbox, however. While no open relay blacklist is enabled by default in the SpamBouncer, I recommend strongly that you enable one or more of them.

• Relay Stop List (RSL). Blacklist of single-stage open relays hosted at visi.com. The RSL is the most conservative open relay blacklist supported by the SpamBouncer; it removes all entries after 90 days and will remove any entry on request. This list will block relatively less non-spam email than other blacklists of open relays, but may also not block some spam that others would have. Enable this blacklist by setting the RSLCHECK variable to yes.

• MAPS Relay Spam Stopper (RSS). Blacklist of single-stage open relays. Conservative -- lists only relays that have been used to spam, rather than all open relays. Now a pay service and available only if you have subscribed. Enable this blacklist by setting the RSSCHECK variable to yes.(NOTE: If you enable this blacklist without first subscribing to it, all queries against it will result in a negative response. No spam will be detected.)

• Open Relay Database (ORDB). Blacklist of single-stage open relays. This is a "Child of ORBS" list; it tests open relays on request and lists those that are open relays. Probably the largest and most widely used list of open relays on the Internet. (I use it.) Enable this blacklist by setting the ORDBCHECK variable to yes.

• OsiruSoft Verified Open Relays. Blacklist of single-stage open relays verified as open by the Osirusoft tester. This is a respected open relay list, but more aggressive than the RSL or RSS. Enable this blacklist by setting the OSORCHECK variable to yes.

• Five-Ten-SG Single-Stage Open Relays. Blacklist of single-stage open relays. This is similar to the OsiruSoft Verified Open Relays list, but more aggressive. Enable this blacklist by setting the FTSGRSSCHECK variable to yes.

• DSBL Single-Stage Open Relays. Blacklist of single-stage open relays -- IP addresses of SMTP servers that relay email for any user on the Internet, addressed to any other user on the Internet. This list contains the IP addresses of confirmed open SMTP relays, open proxy servers, and web sites with insecure formmail.pl scripts. Entries to this list are from trusted users only. The DSBL is a "Son of ORBZ" blacklist, and as such is somewhat aggressive. Enable this blacklist by setting the DSBLCHECK variable to yes.

• DorkSlayers. Blacklist of single-stage open relays. The Dorkslayers blacklist, at <http://www.dorkslayers.com>, is a "son of" the original DorkSlayers blacklist created by Alan Hodgson, and of the original ORBS blacklist managed by Alan Brown. It contains relays that were on both lists shortly before they were shut down. Its policy about adding relays is a bit undefined; I would not count on this list being up-to-date. Enable this blacklist by setting the DORKSLCHECK variable to yes.

Multi-Stage Open Relays/"Smart Hosts". Multi-stage open relays are SMTP servers that are themselves secure; they accept email only from their own users or for their own users. Among their users, however, are SMTP servers that are open relays. This allows a spammer to use a customer site of a multi-stage open relay to send email via that site's SMTP server, increasing the amount of spam he can deliver and further obscuring the origin of his spam.

Blocking email from a multi-stage open relay is inherently risky. Most multi-stage open relays are SMTP servers for large ISPs or companies, and most email they send is legitimate. They have been abused to send large spam runs, however. Blocking email from these relays should reduce the amount of spam you get considerably.

• OsiruSoft Smart Host Multi-Stage Open Relays. Blacklist of multi-stage open relays. Enable this blacklist by setting the OSSHRCHECK variable to yes.

• Five-Ten-SG Multi-Stage Open Relays. Blacklist of multi-stage open relays. This is similar to the OsiruSoft Smart Host Multi-Stage Open Relays list, but more aggressive. Enable this blacklist by setting the FTSGMULTICHECK variable to yes.

• DSBL Multi-Stage Open Relays. Blacklist of multi-stage open relays -- IP addresses of SMTP servers that are themselves secure, but that relay email for other, insecure SMTP servers. Entries to this list are from trusted users only. Enable this blacklist by setting the DSBLMULTICHECK variable to yes.

Dynamic IP Ranges. Blacklists of dynamic IP ranges include IP addresses assigned dynamically to dial-up users, and sometimes IP addresses assigned to DSL users and cable modem users. Most of these users are not spammers. Users with this type of connection, however, will rarely (if ever) send email directly from their computer to a recipient's SMTP server. Instead, they send outgoing email via their ISPs SMTP servers.

Spammers, on the other hand, frequently use software that sends email directly from their computer to the recipient's SMTP server, bypassing their own ISP's SMTP server. This allows them to evade security and anti-spamming measures the ISP might have taken. By rejecting email sent directly from a dial-up IP address, you are unlikely to reject legitimate email, but will catch a lot of spam.

The OsiruSoft Dial-Up Spam Sources List is enabled by default. I highly recommend that you use it or another list below; these lists catch a lot of spam.

• OsiruSoft Dialup Spam Source. Blacklist of dynamic IP addresses assigned to dial-up users. Enabled by default. You can disable this blacklist by setting the OSDIALCHECK variable to no, but I recommend that you leave it enabled.

• MAPS Dial-Up List (DUL). Blacklist of dynamic IP addresses assigned to dial-up users. Now a pay service and available only if you have subscribed. Enable this blacklist by setting the DULCHECK variable to yes.(NOTE: If you enable this blacklist without first subscribing to it, all queries against it will result in a negative response. No spam will be detected.)

• Five-Ten-SG Dial-up List. Blacklist of dynamic IP addresses assigned to dial-up, cable modem, and DSL users. Similar to the OsiruSoft Dialup Spam Source list, but more aggressive. Enable this blacklist by setting the VARIABLE variable to yes.

• WireHub Internet DynaBlocker. Blacklist of dynamic IP addresses assigned to dial-up, cable modem, and DSL users. Disabled by default. You can enable this blacklist by setting the WIREHUBDIALUP variable to yes in your .procmailrc.

Insecure Web Forms. These blacklists list the IP addresses of web servers that have insecure web forms or scripts that allow any user to send email to any other user, such as old versions of formmail.pl. Email from such web servers is likely to be spam. While none of these blacklists is enabled by default, I recommend enabling one or more of them.

• Five-Ten-SG Insecure Web Form List. Blacklist of web sites that run insecure web forms, such as formmail.pl, that are abused by spammers to send spam. Enable this blacklist by setting the FTSGWEBFORMCHECK variable to yes.

• Monkeys.com Formmail Servers List. Blacklist of web sites with insecure versions of the formmail.pl script, which spammers can abuse to send spam with untraceable headers. Enable this blacklist by setting the MONKEYFORMMAILCHECK variable to yes.

Open Proxies. An open proxy is a proxy server that accepts anonymous connections from anyone on the Internet. Open proxys are abused by spammers to hide the origin of outgoing spam. None of the open proxy blacklists below is enabled by default, but I recommend that you enable one or more of them.

• OsiruSoft Open Proxy Servers. Blacklist of sites hosting open proxy servers. Enable this blacklist by setting the OSOPSCHECK variable to yes.

• Monkeys.com Open Proxies List. Blacklist of sites hosting open proxy servers. Enable this blacklist by setting the MONKEYPROXYCHECK variable to yes.

Other Spam Support. The blacklists below contain the IP addresses of sites that host bulk email servers that don't properly confirm subscriptions, and that have other spam-related problems.

• OsiruSoft Opt-Out List. Blacklist of sites with non-confirming bulk email lists. Enable this blacklist by setting the OSOOLCHECK variable to yes.

• Five-Ten-SG Opt-Out Lists. Blacklist of sites that host bulk email servers that don't properly confirm subscriptions. Enable this blacklist by setting the FTSGOPTOUTCHECK variable to yes.

• Five-Ten-SG Ignores Spam Complaints List. Blacklist of sites that do not respond to spam complaints. When I last checked, most of Sprint was listed here, among other major sites -- I do not recommend using this blacklist unless you want to block a lot of legitimate email. (Sites that don't respond to spam complaints should be blacklisted, but it is not practical to do so at present.) Enable this blacklist by setting the FTSGIGNORECHECK variable to yes.

• Five-Ten-SG Other Issues. Blacklist of sites with other, unspecified spam-support issues. Since I could not determine what sites were on this list or what the criteria were for inclusion, I do not recommend using this list. Enable this blacklist by setting the FTSGOTHERCHECK variable to yes.

RFC-Ignorant.org. The rfc-ignorant.org blacklists are unique -- they target computer systems and services that do not properly implement the RFCs (the "building blocks" of the Internet), rather than those that send spam. Systems that do not implement the RFCs properly often are misconfigured in other ways and therefore easily abused by spammers. In addition, many of these systems lack any publicly available, valid email addresses that you can use to contact the system administrator when there's a problem.

There are five blacklists on rfc-ignorant.org.

• abuse.rfc-ignorant.org. Blacklist of domains that have no valid abuse@ address. Enable this blacklist by setting the RFCABUSECHECK variable to yes.

• dsn.rfc-ignorant.org. Blacklist of domains that reject bounces -- automatic error messages generated by mail servers when email is sent to a non-existent address or domain. Enable this blacklist by setting the RFCDSNCHECK variable to yes.

• ipwhois.rfc-ignorant.org. Blacklist of IP blocks with no or invalid whois information. Enable this blacklist by setting the RFCIPWHOISCHECK variable to yes.

• postmaster.rfc-ignorant.org. Blacklist of domains that have no postmaster@ address. Enable this blacklist by setting the RFCPOSTMASTERCHECK variable to yes.

• whois.rfc-ignorant.org. Blacklist of domains that have no or invalid whois information. Enable this blacklist by setting the RFCWHOISCHECK variable to yes.

All-In-One Blacklists. The following list is the Swiss Army knives of blacklists -- it contain multiple types of listings. SPEWS is not enabled by default in the SpamBouncer; it is extremely aggressive and, unless you configure your system carefully, you are likely to block legitimate email by using it. I feel that most users will do better using a judicious selection of the other, more narrowly focused blacklists. I personally use SPEWS, however, in addition to other Spam Sources lists, because it often lists a spammer who moved to a new ISP before the other lists do.

• Spam Prevention Early Warning System (SPEWS). Blacklist of sites that either are spamming actively or that the maintainers believe are likely to spam, based on past experience. This is another "Swiss Army knife" blacklist that is aggressive and may result in substantial quantities of legitimate email being classified as possible spam. Enable this blacklist by setting the SPEWSCHECK variable to yes.

A Quick List of Variables and Default Settings

This section contains a quick list of all variables supported by the SpamBouncer, with each with its default setting. A complete list of each variable, a description of what it does, and all available settings, can be found in the following section.

     DEFAULT={NO DEFAULT}
     FORMAIL={NO DEFAULT}
     SBDIR={NO DEFAULT}
     ADMINFOLDER=${DEFAULT}
     ALTFROM=${LOGNAME}@${HOST}
     ALWAYSBLOCK=NONE
     ARABIC=no
     BASE64BLOCK=no
     BLOCKFOLDER=${DEFAULT}
     BLOCKREPLY=SILENT
     BULKFOLDER=${DEFAULT}
     BYPASSWD=syzygy
     CHINESE=no
     CYRILLIC=no
     DATE=date
     DEBUG=no
     DOMAIN=`domainname`
     DORKSLCHECK=no
     DSBLCHECK=no
     DSBLMULTICHECK=no
     DULCHECK=no
     ECHO=echo
     EXECHECKING=yes
     EXEDOCCHECKING=yes
     FILTER=no
     FREEMAIL=INTERNAL
     FREEWEB=no
     FTSGDIALCHECK=no
     FTSGIGNORECHECK=no
     FTSGMULTICHECK=no
     FTSGOPTOUTCHECK=no
     FTSGOTHERCHECK=no
     FTSGRSSCHECK=no
     FTSGSRCCHECK=no
     FTSGWEBFORMCHECK=no
     GARBLEDCHARSET=yes
     GLOBALNOBOUNCE=NONE
     GREEK=no
     GREP=fgrep
     HABEASINFRINGERS=no
     HABEASVERIFIED=no
     HEBREW=no
     HTMLBLOCK=no
     JAPANESE=no
     KOREAN=no
     LANGFILTER=yes
     LEAN=yes
     LEGITLISTS=NONE
     LOCALHOSTFILE=${HOME}/.localhostfile
     MONKEYFORMMAILCHECK=no
     MONKEYPROXYCHECK=no
     MYEMAIL=${HOME}/.myemail
     NOBOUNCE=${HOME}/.nobounce
     NOLOOP=${ALTFROM}
     NSLOOKUP=nslookup
     NUKEBOUNCES=no
     ORBLCHECK=no
     ORDBCHECK=no
     OSDIALCHECK=no
     OSHAVENCHECK=no
     OSOOLCHECK=no
     OSOPSCHECK=no
     OSORCHECK=no
     OSSHRCHECK=no
     OSSPAMCHECK=no
     PATTERNMATCHING=SILENT
     RBLCHECK=yes
     RFCABUSECHECK=yes
     RFCDSNCHECK=yes
     RFCIPWHOISCHECK=yes
     RFCPOSTMASTERCHECK=yes
     RFCWHOISCHECK=yes
     RM=rm
     RSLCHECK=no
     RSSCHECK=no
     RUSSIAN=no
     SBDEBUG=no
     SBTEMP=/tmp
     SBTRAP=NONE
     SED=sed
     SENDMAIL=/usr/sbin/sendmail
     SPAMCOPCHECK=no
     SPAMFOLDER=${DEFAULT}
     SPAMHAUSORGCHECK=yes
     SPAMREPLY=SILENT
     SPEWSCHECK=no
     TEST=test
     THISISP=${HOST}
     TURKISH=no
     VIRUSCHECKING=yes
     VIRUSFOLDER=${SPAMFOLDER}
     WIREHUBDIALUP=no
     WIREHUBSPAMSOURCE=no

The variables are shown with the default values which the SpamBouncer will assign if they are not already set in your .procmailrc file. These defaults will prevent problems, but also will cause the SpamBouncer not to do very much. So you want to set the correct variables for your system and account.

A Comprehensive Description of All Variables

This section contains a description of each configuration variable in the SpamBouncer, what it does, and what the valid values for it are. Many of these variables have default settings that will work for the vast majority of users; you should not need to set most of them in your .procmailrc file. If a SpamBouncer feature is not working properly, though, setting the correct variable may fix the problem.

Please note that those variables in red have no defaults and MUST BE SET or the SpamBouncer will simply pass all your mail on to you unfiltered!

DEFAULT

The email inbox to which your system delivers mail by default, or (if you use your shell account to read mail) to which you want your mail delivered by default. If you normally read email using a POP mail program, like Eudora, Internet Explorer, Netscape, or Pegasus mail, ask your system administrator for the name and location of your POP mailbox, and set DEFAULT to that path and file name.

FORMAIL

The full path to your system's copy of formail. If this is not set properly, the SpamBouncer is unable to sort and tag your email, and so will simply pass it on unfiltered to you.

SBDIR

The directory where your SpamBouncer program and auxiliary files are located.

ADMINFOLDER

ADMINFOLDER is for mail from mailer daemons (usually bounced mail -- mail that could not be delivered), and for mail from administrative addresses like root, admin, sysadmin, and abuse. Shell readers will want to set this to an appropriate folder separate from their DEFAULT folder. (I use admin.incoming.) POP mail readers should set this to DEFAULT, and use their POP program's filters to sort it into a separate folder after downloading.

ADMINFOLDER is set to your DEFAULT mailbox by default.

ALTFROM

ALTFROM should be set to a valid address that you will use for the notifications, bounces, and complaints sent by the SpamBouncer. It is wise to set this to an email address that you do not use for another purpose, and preferably one that does not forward to your main email address. Some ISPs forward spam complaints to their spamming customers. Spammers often add the addresses of complaining users to a list of known "live" email addresses and sell them to other spammers. Some spammers also retaliate against complainers in various ways. It is best to avoid giving out your usual email address when complaining about spam.

I recommend using an account at a free email site, like Hotmail or Yahoo, for this purpose. You can check it occasionally for responses to your complaints. If it gets on too many spam lists, you can close it and open a new one.

ALTFROM is set to ${USER}@${HOST}.${DOMAIN} by default.

ALWAYSBLOCK

If set to point to a file, tells the SpamBouncer where to find your ALWAYSBLOCK file, a text file of email addresses and domains whose email you want to place in your BLOCKFOLDER without further filtering and without notifying the sender that his email was blocked.

ALWAYSBLOCK is set to NONE by default, and must be explicitly enabled if you want to use it.

WARNING! ALWAYSBLOCK IS DANGEROUS IF MISUSED. If you put a blank line in your ALWAYSBLOCK file, it will match on every incoming email it sees. If you put a partial email address or entire domain in your ALWAYSBLOCK file, it may match on email you did not intend to block. The same code is used as with the NOBOUNCE file, and the same precautions apply, except that the consequences of a mistake are greater, especially if your BLOCKFOLDER is set to /dev/null. (I highly recommend against doing that.) Use ALWAYSBLOCK at your own risk -- and be careful!

If you want to keep a local list of email addresses from which you do not want to receive any email, set ALWAYSBLOCK to point to the directory and filename where you keep that file. I suggest naming the file .alwaysblock and keeping it in your home directory. If you do this, put the statement ALWAYSBLOCK=${HOME}/.alwaysblock in your .procmailrc file.

Your ALWAYSBLOCK file (whatever you name it and wherever you put it) should contain one email address per line of text, and nothing else, like this:

     spammer@spamsite.com
     jerk@roguesite.net

Please note that these names and addresses should be in plain text -- don't use Procmail regular expressions or wildcards, and don't try to escape the "." (period) using a "\" (backslash). This will just confuse the SpamBouncer and cause your ALWAYSBLOCK file not to work.

ARABIC

Tells the SpamBouncer what to do with email in Arabic. Set ARABIC=yes if you receive email in Arabic. Otherwise, the SpamBouncer will assume that any email in Arabic is probably spam and put it in the BLOCKFOLDER.

ARABIC is set to no by default.

BASE64BLOCK

Tells the SpamBouncer to block email that uses Base64 encoding. Email in Unicode normally uses Base64 encoding, and email in a number of Asian languages often does as well. Because Unicode is slowly taking over for ASCII and other character encoding formats in email and elsewhere, it is becoming more and more common. Set BASE64BLOCK=yes only if you do not receive any legitimate email whatsoever that users Base64 encoding.

ARABIC is set to no by default.

BLOCKFOLDER

Tells the SpamBouncer where to store email that it classifies as probable spam, but not absolutely certain spam. I recommend setting the BLOCKFOLDER to a folder if you read email on your Unix server (such as block.incoming, or leave it set to ${DEFAULT} if you read email via a POP3 client. Users of POP3 clients can set up their local filters to put BLOCKFOLDER email into an appropriate folder in their email program so that it doesn't clutter up their inbox.

Unix users whose clients use MAILDIR (a directory) instead of a folder to store email may set BLOCKFOLDER to a directory rather than a filename. Users with exotic ideas about spam management <grin> may also forward this email to a different address by setting the FILTER variable to yes and then writing the appropriate recipe in their .procmailrc file.

BLOCKFOLDER is set to ${DEFAULT} by default.

BLOCKREPLY

How to handle mail which the filter tags as probable spam, but which may contain some real email as well. Valid values are SILENT, which simply files the mail in the BLOCKFOLDER, and NOTIFY, which sends a notice and copy of the email back to the sender with instructions on how to bypass the SpamBouncer if the email is not spam. Very few spammers will resend their email after receiving such a notice. (Most don't even look at bounces or email sent back to them.)

BLOCKREPLY is set to SILENT by default.

BULKFOLDER

How to handle bulk mail which the filter does not tag as probable spam -- bulk email which is probably legitimate. If you read mail on your shell account, set this to a separate folder from your normal incoming folder, especially if you get a lot of email or are on many mailing lists, and you'll be able to find your personal mail much more easily. :) If you read email using a POP3 client, leave it set to ${DEFAULT} and use your POP client's filters to sort it into a separate folder from your personal email.

BULKFOLDER is set to ${DEFAULT} by default.

BYPASSWD

A password which, when included on the Subject: line of an email, causes the SpamBouncer to pass the mail immediately into your incoming mail box without further filtering. It allows people who happen to have accounts at ISPs which are blocked in the SpamBouncer, or whose email is being trapped by an error in the SpamBouncer, to contact you and arrange to have the problem fixed or get into your nobounce list. Change this if spammers start using it, but it is very unlikely that they will. (It never has happened to me in the three years since I started developing the SpamBouncer.)

BYPASSWD is set to zeugma by default.

CHINESE

Tells the SpamBouncer what to do with email in Chinese. Set CHINESE=yes if you receive email in Chinese. Otherwise, the SpamBouncer will assume that any email in Chinese is probably spam and put it in the BLOCKFOLDER.

CHINESE is set to no by default.

CYRILLIC

Tells the SpamBouncer what to do with email in a language that uses any Cyrillic character set except Russian. (Russian is handled separately.) Set CYRILLIC=yes if you receive email in a language that uses a Cyrillic alphabet. Otherwise, the SpamBouncer will assume that any email in a Cyrillic character set is probably spam and put it in the BLOCKFOLDER.

CYRILLIC is set to no by default.

DATE

The local Unix date program. The date program is usually in a directory that is on your PATH. (The PATH variable contains a list of directories that your Unix shell searches when you tell it to run an executable program and do not provide a full path with the program name.)

If your SpamBouncer installation is refusing to send complaints or notification emails despite your having configured it to do so, set the DATE variable to point to your system's date program, and that should fix the problem. If the SpamBouncer is working properly, there is no need to set this variable.

DATE is set to date by default.

DEBUG

DEPRECATED -- DO NOT USE. Use the SBDEBUG variable instead to run the SpamBouncer in debugging mode.

DOMAIN

Your system's domain. Unless you set this variable in your .procmailrc file, the SpamBouncer attempts to set it automatically by calling the domainname program that exists on many, but not all, Unix systems. Since the canonical domain for a server may or may not match the domain for which you are processing email, however, you should set this manually. Those who are filtering email for accounts at multiple domains should refer to the LOCALHOSTFILE variable description, as well.

DORKSLCHECK

If set to yes, tells the SpamBouncer to check the Dorkslayers blacklist, which lists IP addresses of open mail relays, and block email sent to your system via one of these IP addresses. See the DorkSlayers entry for more information about this blacklist and how to use it.

DORKSLCHECK is set to no by default.

DSBLCHECK

If set to yes, tells the SpamBouncer to check the DSBL Main blacklist at <http://dsbl.org>, to see if an IP address or domain name is on the main dsbl.org blacklist. See the DSBL entry for more information about this blacklist and how to use it.

DSBLCHECK is set to no by default.

DSBLMULTICHECK

If set to yes, tells the SpamBouncer to check the DSBL Multihop Relays blacklist at <http://dsbl.org>, to see if an IP address or domain name is on the multi-hop relays dsbl.org blacklist. See the DSBL Multi-Stage entry for more information about this blacklist and how to use it.

DSBLMULTICHECK is set to no by default.

DULCHECK

If set to yes, tells the SpamBouncer to check the Mail Abuse Prevention System (MAPS) Dial-Up List (DUL), which lists IP addresses that are part of ISP dial-up pools, and block email sent directly to your system from these IP addresses. See the DUL entry for more information about this blacklist and how to use it.

DULCHECK is set to no by default.

ECHO

The local Unix echo program. The echo program is usually in a directory that is on your PATH. (The PATH variable contains a list of directories that your Unix shell searches when you tell it to run an executable program and do not provide a full path with the program name.)

If your SpamBouncer installation is not properly renaming executable file attachment extensions, <IFRAME> tags, or <SCRIPT> tags, or if you have a domain-based blacklist enabled and it isn't working, set the ECHO variable to point to your system's echo program, and that should fix the problem. If the SpamBouncer is working properly, there is no need to set this variable.

ECHO is set to echo by default.

EXECHECKING

Tells the SpamBouncer whether to check for email with embedded executable file attachments, to block any email containing such attachments, and to rename the executable extensions to prevent you from running the executable program by mistake. To disable this feature, set EXECHECKING=no in your .procmailrc file.

EXECHECKING is set to yes by default.

I recommend strongly that you not disable this feature. Email with executable attachments is dangerous, even when it appears to come from someone you know. Such email is, in my experience, often a virus.

EXEDOCCHECKING

Tells the SpamBouncer whether to check for email with embedded document file attachments of a type that can contain executable code, to block any email containing such attachments, and to rename the document extensions to prevent you from opening them by mistake and possibly running virus-infected code inside of them. To disable this feature, set EXEDOCCHECKING=no in your .procmailrc file.

EXEDOCCHECKING is set to yes by default.

I recommend strongly that you not disable this feature. Many common document types, such as Microsoft Office documents, can contain embedded code. There are many known viruses that infect these types of documents, and new ones appear all the time. File types that can contain viruses include most Microsoft Office document files (such as Access databases, Excel spreadsheets and workbooks, PowerPoint files, Project files, and Word documents) and a number of other programs that run under Microsoft Windows. Email with such files attached is dangerous, even when it appears to come from someone you know.

FILTER

If set to yes, tells the SpamBouncer not to file blocked email, spam, suspected virus-laden email, admin email or legitimate bulk email in the appropriate location, but to pass it on to the user along with the other email. The user must then use his/her own filters to file this email in the proper location.

FILTER is set to no by default.

The FILTER variable is intended for administrators who want to use the SpamBouncer to filter incoming email for an entire server before delivering it to individual users. The individual users can then choose whether to filter their own email using the SpamBouncer's headers, or to ignore the headers and receive their email unfiltered.

FREEMAIL

Tells the SpamBouncer where to find your freemail file, a text file of domains offering free email accounts commonly used or forged by spammers. The domains should be listed singly, with one appearing on each text line, and with no blank lines in the file.

FREEMAIL is set to INTERNAL by default, causing the SpamBouncer to use an internal list of free email sites.

WARNING! Do not create an empty FREEMAIL file -- that will cause all incoming email to be treated as coming from a free email address!

In addition to the location and name of a freemail text file, this variable has two other valid settings. If FREEMAIL is set to INTERNAL, that will cause the SpamBouncer to filter its default set of free email sites, as documented on this WWW page. If FREEMAIL is set to NONE, the SpamBouncer will skip this filter entirely and not block any free email sites. Setting FREEMAIL to NONE will not exempt mail from these sites from other spam filtering, though -- it will simply mean that such mail is not automatically diverted to your BLOCKFOLDER.

FREEWEB

Tells the SpamBouncer whether to block email that has URLs pointing to free web providers in the message body. A lot of spam uses free web sites to host pages that redirect to the real URL, so filtering for free web site URLs can be a useful Pattern Matching tool. Valid settings for this variable are no, the default, and yes, which enables this filter.

FTSGDIALCHECK

If set to "yes", tells the SpamBouncer to check blackholes.five-ten-sg.com, a blacklist hosted by Five-Ten-SG.com, to see if an IP address belongs to a pool of addresses assigned to dial-up users of an ISP. See the FTSG Dial-Up entry for more information about this blacklist and how to use it.

FTSGDIALCHECK is set to no by default.

FTSGIGNORECHECK

If set to "yes", tells the SpamBouncer to check blackholes.five-ten-sg.com, a blacklist hosted by Five-Ten-SG.com, to see if an IP address belongs to a company or ISP that ignores spam complaints. See the FTSG Ignores Spam Complaints entry for more information about this blacklist and how to use it.

FTSGIGNORECHECK is set to no by default.

FTSGMULTICHECK

If set to "yes", tells the SpamBouncer to check blackholes.five-ten-sg.com, a blacklist hosted by Five-Ten-SG.com, to see if an IP address belongs to an SMTP server that is itself secure, but that relays for one or more insecure SMTP servers. See the FTSG Multi-Stage Open Relays entry for more information about this blacklist and how to use it.

FTSGMULTICHECK is set to no by default.

FTSGOPTOUTCHECK

If set to "yes", tells the SpamBouncer to check blackholes.five-ten-sg.com, a blacklist hosted by Five-Ten-SG.com, to see if an IP address belongs to an email list server that adds email addresses to its lists without first properly confirming that the user wants to be on that list. See the FTSG Opt-Out Lists entry for more information about this blacklist and how to use it.

FTSGOPTOUTCHECK is set to no by default.

FTSGOTHERCHECK

If set to "yes", tells the SpamBouncer to check blackholes.five-ten-sg.com, a blacklist hosted by Five-Ten-SG.com, to see if an IP address belongs to a server with which there are other, undefined spam-related problems that the maintainers of the Five-Ten-SG blacklist feel warrant blacklisting. See the FTSG Other Issues entry for more information about this blacklist and how to use it.

FTSGOTHERCHECK is set to no by default.

FTSGRSSCHECK

If set to "yes", tells the SpamBouncer to check blackholes.five-ten-sg.com, a blacklist hosted by Five-Ten-SG.com, to see if an IP address belongs to an SMTP server that is an open relay, that is, that allows any user on the Internet to use it to send email to any other user on the Internet. See the FTSG Single-Stage Open Relays entry for more information about this blacklist and how to use it.

FTSGRSSCHECK is set to no by default.

FTSGSRCCHECK

If set to "yes", tells the SpamBouncer to check blackholes.five-ten-sg.com, a blacklist hosted by Five-Ten-SG.com, to see if an IP address belongs to a server that is a direct spam source. See the FTSG Spam Sources entry for more information about this blacklist and how to use it.

FTSGSRCCHECK is set to no by default.

FTSGWEBFORMCHECK

If set to "yes", tells the SpamBouncer to check blackholes.five-ten-sg.com, a blacklist hosted by Five-Ten-SG.com, to see if an IP address belongs to a web server that has one or more insecure web forms, such as web forms using insecure versions of formmail.pl, that are abused by spammers to send spam. See the FTSG Insecure Web Form entry for more information about this blacklist and how to use it.

FTSGWEBFORMCHECK is set to no by default.

GARBLEDCHARSET

Controls the GARBLEDCHARSET filter, which tests for email with non-Latin character sets, and missing, wrong or corrupted MIME headers which should accompany any such character sets. This filter has been refined considerably, but may still occasionally catch email in heavily-modified Latin character sets (such as Baltic or some Eastern European languages), and will tend to catch email with non-Latin character sets, such as Russian, Greek, Arabic, Hebrew, etc.

The default for this variable is yes, which enables this filter. Users who expect to receive email in a non-Latin character set, or who find it is catching too much legitimate email, can set this variable to no to disable the filter.

GLOBALNOBOUNCE

Points to a system-wide nobounce file, if your system administrator has provided one or if you are the system administrator and want to provide one. Please note that this is in addition to each user's individual NOBOUNCE file, and does not replace it. If you do not set this variable, it is automatically set to NONE, so you need to set it only if you have a system nobounce file.

See NOBOUNCE for a more complete description of how this file works.

GREEK

Set GREEK=yes if you receive email in Greek. Otherwise leave it set to no (the default), and the SpamBouncer will send any email in this language to the BLOCKFOLDER.

GREP

A variant of Unix grep, a set of programs which searches files on Unix systems for specified strings of characters. This is set by default to "fgrep", a fast version of grep which is usually found in a normal system programs directory on Unix machines. Most versions of fgrep work properly with the SpamBouncer.

If NOBOUNCE and LEGITLISTS are working on your system, there is no need to set this variable. If NOBOUNCE is not working, set this variable to point to one of your system's grep programs other than fgrep. Usually egrep will work, or agrep if that does not.

HABEASINFRINGERS

If set to "yes", tells the SpamBouncer to check hil.habeas.com, a blacklist hosted by Habeas, Inc., to see if an IP address found in the headers of an email has been used to send spam in violation of the Habeas SWE program. See the Habeas entry for more information about this blacklist and how to use it.

HABEASINFRINGERS is set to no by default.

HABEASVERIFIED

If set to "yes", tells the SpamBouncer to check hul.habeas.com, a whitelist hosted by Habeas, Inc., to see if an IP address found in the headers of an email is registered with Habeas as a guaranteed source of only non-spam email. See the Habeas entry for more information about this whitelist and how to use it.

HABEASVERIFIED is set to no by default.

HEBREW

Set HEBREW=yes if you receive email in Hebrew. Otherwise leave it set to no (the default), and the SpamBouncer will send any email in this language to the BLOCKFOLDER.

HTMLBLOCK

If set to "yes", tells the SpamBouncer to block HTML-only email. Some years ago I set the SpamBouncer to block email in pure HTML (as opposed to the hybrid text and HTML email produced by Outlook and Netscape at the time), because such email was almost always spam. That is no longer the case -- brain-dead software from Microsoft, AOL, and others enables HTML email by default these days. (Can you tell that I really do not like HTML email?) ;> I have therefore disabled HTML blocking by default in this release. You can manually re-enable HTML blocking by setting the HTMLBLOCK variable to yes in your .procmailrc file.

HTMLBLOCK is set to no by default.

JAPANESE

Set JAPANESE=yes if you receive email in Japanese. Otherwise leave it set to no (the default), and the SpamBouncer will send any email in this language to the BLOCKFOLDER.

KOREAN

Set KOREAN=yes if you receive email in Korean. Otherwise leave it set to no (the default), and the SpamBouncer will send any email in this language to the BLOCKFOLDER.

LANGFILTER

If set to "yes", tells the SpamBouncer to filter incoming email and block email in Arabic, Chinese, any Cyrillic-based alphabet, Greek, Hebrew, Japanese, Korean, and Turkish. For most users who do not receive email in any of these languages, language filtering will delete a lot of spam and catch very little, if any, legitimate email. Users who do receive email in one or more of these languages will usually want to disable filtering only for those languages in which they normally receive email. For the rare polyglot, or shared account, that receives legitimate email in many languages, you can disable all language filtering by setting LANGFILTER=no.

LANGFILTER is set to yes by default.

LEAN

This variable turns off Pattern Matching on the body text only of messages over a certain size, and is set to yes by default. This is to prevent the SpamBouncer from hogging system resources on your server while filtering extremely large messages. The SpamBouncer is a large filter and can use a lot of CPU cycles and RAM if this limit is not in place.

Set LEAN=no only if you receive large quantities of spam with attached files, and then only if you run your own server or know that the server on which your email is filtered has sufficient resources to run the SpamBouncer on the full text of all incoming email.

LEGITLISTS

Tells the SpamBouncer about legitimate mailing lists which the SpamBouncer should not filter, but should deliver to the BULKFOLDER. Your LEGITLISTS file (whatever you name it and wherever you put it) should contain one email list address per line of text, and nothing else, like this:

     chitchat@borg.besties.com
     dylan-fanatics@lists.musicman.net

If you do not set this variable, it is automatically set to ${HOME}/.legitlists. If the file does not exist, the SpamBouncer just skips this recipe.

LOCALHOSTFILE

Tells the SpamBouncer which domains are local to you -- that is, which domains you receive email for. The SpamBouncer needs to know this to know which IP addresses and domains in the Received: headers should be checked against various blacklists. Your LOCALHOSTFILE file (whatever you name it and wherever you put it) should contain one domain name per line of text, and nothing else, like this:

     hrweb.org
     spambouncer.org

If you do not set this variable to point to another location, the SpamBouncer automatically checks your home directory for ${HOME}/.localhostfile. If the file exists, the SpamBouncer uses it. If it does not exist, the SpamBouncer uses the contents of the DOMAIN variable.

MONKEYFORMMAILCHECK

If set to "yes", tells the SpamBouncer to check the Monkeys.com blacklist for email from web sites that use insecure verisons of the formmail.pl script, and block email sent directly to your system from these IP addresses. For more information about the Monkeys.com blacklists, see <http://www.monkeys.com/anti-spam/filtering/>.

This variable is set to "no" by default.

MONKEYPROXYCHECK

If set to "yes", tells the SpamBouncer to check the Monkeys.com blacklist for email from servers that are open proxies, and block email sent directly to your system from these IP addresses. For more information about the Monkeys.com blacklists, see <http://www.monkeys.com/anti-spam/filtering/>.

This variable is set to "no" by default.

MYEMAIL

Points to a text file similar to the NOBOUNCE file, containing a list of email addresses which belong to you. This helps the SpamBouncer with a number of internal routines, and will be implemented in future spam tests, as well. The default is ${HOME}/.myemail. If you do not set this variable to a different value, and if there is no .myemail file in your ${HOME} directory, the SpamBouncer will assume that ${LOGIN}@${HOST} is your email address.

NOBOUNCE

Tells the SpamBouncer where to find your NOBOUNCE file, a text file of email addresses and domains whose email you want the SpamBouncer to skip filtering and deliver directly to you. Set this to point to the directory and filename where you keep that file. I name mine ".nobounce" and keep it in my home directory, and this is where the SpamBouncer looks if you don't set this variable.

Your NOBOUNCE file (whatever you name it and wherever you put it) should contain one email address per line of text, and nothing else, like this:

     goodguy@spamsite.com
     niceguy@roguesite.net

Please note that these names and addresses should be in plain text -- don't use Procmail regular expressions or wildcards, and don't try to escape the "." (periods) using a "\" (backslash). This will just confuse the SpamBouncer and cause your NOBOUNCE file not to work. :)

You can also include entire domain names (the portion of the email address to the right of the @ sign) if you want the SpamBouncer to accept all email from anyone at those domains without checking. I do not recommend doing this, however, except for small domains which you know will not either send spam or be forged into spam by spammers. Since spammers often forge false email addresses in the From: and Reply-To: lines of their messages, you need to be careful or you will make it too easy for them.

In particular, do not put your own domain in your NOBOUNCE file, since a number of spammers use mailmerge spam programs to forge their victims' own email addresses or a phony email address at their victims' domains into their spams, specifically in order to evade filters like the SpamBouncer.

NOLOOP

Sets the X-Loop: header. I recommend leaving the default setting, which uses your ALTFROM address.

NSLOOKUP

Tells the SpamBouncer the path and filename of your system's nslookup program. You need to set this only if nslookup is not in your path (the list of directories which your system will search for a program), if you have an alias set up for nslookup on your account, or if you are running Debian Linux or another Linux system that fills up your logs with error messages indicating that nslookup is deprecated. (If you aren't having trouble getting blacklists to work on your system, you can leave this alone.)

Linux users whose systems object to nslookup can safely set NSLOOKUP=host. Users of other Unix-based systems can also do this provided your version of Unix has the host program. Check before you change this setting!

This variable is set to nslookup by default.

ORDBCHECK

If set to yes, tells the SpamBouncer to check the Open Relay Database, at <http://www.ordb.org>, to see if an IP address is an open relay. This list closely corresponds to the old ORBS inputs list. An email server listed in the ORBL has not necessarily been used to send spam; it merely can be used to do so. Using this or any open relay blacklist can result in blocking a considerable amount of legitimate email as well as spam, if you correspond with people at sites that host open relays.

This variable is set to no by default.

OSDIALCHECK

If set to yes, tells the SpamBouncer to check the Osirusoft Dial-Up blacklist at <http://relays.osirusoft.com>, to see if an IP address belongs to a dial-up pool. This list is designed to closely correspond to the MAPS DUL, except that you do not have to subscribe to use it.

This variable is set to no by default.

OSHAVENCHECK

If set to yes, tells the SpamBouncer to check the Osirusoft SpamHaus.org blacklist at <http://relays.osirusoft.com>, to see if an IP address or domain name is on Steve Linford's spamhaus.org blacklist. This list contains the IP addresses and domain names of sites advertised via spam (that is, haven spam sites) and of spam support service providers. Spamhaus.org also hosts its own dns-based lookup site, and that blacklist is enabled by default in the SpamBouncer, so enable this only if the SpamBouncer is having trouble reaching sbl.spamhaus.org.

This variable is set to no by default.

OSOOLCHECK

If set to yes, tells the SpamBouncer to check the Osirusoft Opt-Out email list server blacklist at <http://relays.osirusoft.com>, to see if an IP address hosts opt-out mailing lists. This list contains the IP addresses of email list providers that add email addresses to their mailing lists without first properly confirming that user at that email address wants to be on the list.

This variable is set to no by default.

OSOPSCHECK

If set to yes, tells the SpamBouncer to check the Osirusoft Open Proxy Server blacklist at <http://relays.osirusoft.com>, to see if an IP address belongs to an open proxy server. This list contains the IP addresses of open proxy servers, servers that allow spammers to mask the origins of their spam and prevent effective complaints.

This variable is set to no by default.

OSORCHECK

If set to yes, tells the SpamBouncer to check the Osirusoft Verified Open Relay blacklist at <http://relays.osirusoft.com>, to see if an IP address belongs to an open SMTP relay. This list contains the IP addresses of SMTP servers that allow outside users to send email to anyone on the Internet via that SMTP server. Spammers use open relays to deliver their spam to sites that block email sent directly from their servers.

This variable is set to no by default.

OSSHRCHECK

If set to yes, tells the SpamBouncer to check the Osirusoft Smart Host Relay blacklist at <http://relays.osirusoft.com>, to see if an IP address belongs to a smart host relay. This list contains the IP addresses of SMTP servers that are themselves secure, but that relay email for insecure SMTP servers.

This variable is set to no by default.

OSSPAMCHECK

If set to yes, tells the SpamBouncer to check the Osirusoft Confirmed Spam Sources blacklist at <http://relays.osirusoft.com>, to see if an IP address belongs to a site with a confirmed history of spamming or supporting spammers. This list is designed to closely correspond to the MAPS RBL, except that you do not have to subscribe to use it.

This variable is set to no by default.

PATTERNMATCHING

How to handle mail which the generic pattern matching filter tags as probable spam, but which may be legitimate email. Valid values are NONE, which skips pattern matching entirely; SILENT, which simply files the mail in the BLOCKFOLDER; and NOTIFY, which sends a notice to the sender that his email was blocked, and explains how to bypass spam filtering if his email was legitimate.

I recommend that users set this value to SILENT. Pattern matching occasionally filters out legitimate email -- there is no way to prevent this entirely. Since more and more spammers are using throwaway accounts, though, and forging their headers so heavily that it is difficult to spot spam through header analysis alone, setting PATTERNMATCHING to NONE will reduce the effectiveness of the SpamBouncer considerably.

The default setting for this variable is NONE, however, because I want to be sure that if you're using it, you have actually read these instructions and know that you are using it. So, if you want to enable it, you must set PATTERNMATCHING to SILENT in your .procmailrc.

RBLCHECK

If set to yes, tells the SpamBouncer to check the Mail Abuse Prevention System (MAPS) Realtime Blackhole List (RBL), which lists IP addresses associated with domains which have spammed repeatedly, and which have failed to clean up their acts despite the RBL team's efforts and assistance. As of August 1, 2001 you must subscribe to MAPS to use the MAPS RBL (Realtime Blackhole List). If you want to use the RBL, contact MAPS <http://www.mail-abuse.org> and become a subscriber. Sites listed on the RBL are highly likely to be the sources of spam, and will rarely be sources of email you want to receive.

This variable is set to no by default. To enable RBL-based filtering, set RBLCHECK=yes in your .procmailrc file.

RFCABUSECHECK

If set to yes, tells the SpamBouncer to check the rfc-ignorant.org list for domains with no valid abuse@ address. Lack of an abuse@ address makes it difficult to report spamming or other abuse from a domain, and is often a sign of a badly-managed domain or a domain owned by a spammer.

This variable is set to no by default. To enable the rfc-ignorant.org abuse blacklist, set RFCABUSECHECK=yes in your .procmailrc file.

RFCDSNCHECK

If set to yes, tells the SpamBouncer to check the rfc-ignorant.org list for domains that do not accept bounced messages. Domains that fail to accept bounced messages can engage in dictionary attacks and other kinds of extremely abusive spamming practices without consequences, since they do not have to accept notifications when they send to an address that does not exist. Failing to accept bounces is often a sign of a badly-managed domain or a domain owned by a spammer.

This variable is set to no by default. To enable the rfc-ignorant.org DSN blacklist, set RFCDSNCHECK=yes in your .procmailrc file.

RFCIPWHOISCHECK

If set to yes, tells the SpamBouncer to check the rfc-ignorant.org list for IP blocks with no valid whois information. Lack of such information makes it difficult or impossible to contact the person responsible for a netblock to report abuse.

This variable is set to no by default. To enable the rfc-ignorant.org IP whois blacklist, set RFCIPWHOISCHECK=yes in your .procmailrc file.

RFCPOSTMASTERHECK

If set to yes, tells the SpamBouncer to check the rfc-ignorant.org list for domains with no valid postmaster@ address. Lack of an postmaster@ address means that it is not possible to contact the person responsible for a domain's mail system. Domains that lack a postmaster address are often badly-managed or owned by a spammer.

This variable is set to no by default. To enable the rfc-ignorant.org postmaster blacklist, set RFCPOSTMASTERCHECK=yes in your .procmailrc file.

RFCWHOISCHECK

If set to yes, tells the SpamBouncer to check the rfc-ignorant.org list for domains with invalid whois information. Invalid whois information is often a sign of a badly-managed domain or a domain owned by a spammer.

This variable is set to no by default. To enable the rfc-ignorant.org whois blacklist, set RFCWHOISCHECK=yes in your .procmailrc file.

RM

Tells the SpamBouncer the path and filename of your system's rm program -- the program which deletes files. You need to set this only if rm is not in your path (the list of directories which your system will search for a program) or if you have an alias set up for rm on your account. If you aren't having trouble with the SpamBouncer leaving temporary files on your system, you can leave this alone.

RSLCHECK

If set to yes, tells the SpamBouncer to check the Relay Stop List (RSL) at <http://relays.visi.com>, to see if an IP address belongs to an open relay. This list contains the IP addresses of open relays, insecure SMTP servers that allow any user on the Internet to send email to any other user via this SMTP server. This list expires entries after 90 days, or automatically on request by anyone, so it is a very conservative list. That means it is unlikely to block much legitimate email, but that it is also likely to fail to block spam that other lists would block.

This variable is set to no by default.

RSSCHECK

If set to yes, tells the SpamBouncer to check the MAPS Relay Spam Source (RSS) blacklist, which lists IP addresses associated with mail servers which are open relays, and through which spam has been sent at least once. As of August 1, 2001 you must subscribe to MAPS to use the RSS. If you want to use the RSS, contact MAPS <http://www.mail-abuse.org> and become a subscriber.

A relay listed in the RSS is not just an open relay; it is an open relay known to spammers which has been used to spam. The RSS blacklist is generally considered less aggressive than the other open relay blacklists, although they both list open relays. As such, it should block less legitimate email than the other blacklists, but will also miss spam sent through relays which have not been abused previously.

This variable is set to no by default. To enable RSS-based filtering, set RSSCHECK=yes in your .procmailrc file.

RUSSIAN

Set RUSSIAN to yes if you receive email in Russian. Otherwise leave it set to no (the default), and the SpamBouncer will send any email in Russian to the BLOCKFOLDER.

SBDEBUG

Set SBDEBUG=yes if you want to run the SpamBouncer in debugging mode. In this mode, the SpamBouncer runs all filters on all incoming email; it does not quit filtering email after it is already classified as spam or as blocked. It also generates verbose Procmail logs. Running in this mode can be useful for diagnosing problems with the SpamBouncer or your configuration. Otherwise, do not turn on debugging mode; it eats up system resources and disk space.

SBTEMP

Set SBTEMP=yes if you want the SpamBouncer to put its temporary files in a specific location. Otherwise, the SpamBouncer will use your system's /tmp directory. (You do not normally need to set this.)

SBTRAP

Set SBTRAP=yes if you want a copy of all email that the SpamBouncer classifies either as blocked or as spam to be sent to a particular email address. Useful for debugging a systemwide installation; otherwise, leave this unset.

SENDMAIL

The full path to your system's copy of sendmail. The default value is /usr/sbin/sendmail, which will work on some systems, but not all. On almost all systems which use sendmail, however, this variable is set correctly as a global default by the system administrators. It does not hurt to check and be sure, though. If SENDMAIL is not set correctly, the SpamBouncer will be unable to send any autoreplies.

SPAMCOPCHECK

If set to yes, tells the SpamBouncer to check the SpamCop blacklist, described at at <http://www.spamcop.net>, to see if an IP address or domain name is on the main spamcop.org blacklist. This list contains the IP addresses of all sorts of sites that have spammed, host sites that are advertised by spamming, or that the maintainers believe are involved in spamming in some other way.

This variable is set to no by default.

SPAMFOLDER

Where to store messages tagged as spam by the filter. If you want to just delete spam, set SPAMFOLDER to /dev/null. If you want to put the stuff in a backup folder, set SPAMFOLDER to a filename, perhaps spam.incoming. POP mail users whose client programs have the ability to filter mail into separate folders (like Eudora and Pegasus mail) can also set this to DEFAULT, and let their mail filters sort it into the trash folder or a special spam folder, if they want to engage in some spam tracking. :) Users of MAILDIR may set BLOCKFOLDER to a directory rather than a filename, or you may forward this email to a different address using normal sendmail syntax.

SPAMHAUSORGCHECK

If set to yes, tells the SpamBouncer to check Steve Linford's <http://www.spamhaus.org> blacklist to see if an IP is listed. These sites are mostly unrepentant and aggressive spammers. You are very unlikely to get legitimate email from any of them.

This variable is set to yes by default. To disable spamhaus.org filtering, set SPAMHAUSORGCHECK=no in your .procmailrc file, but I recommend leaving it enabled.

SPAMREPLY

How to handle mail which the SpamBouncer tags as definitely spam, and which should contain no valid mail whatsoever. Valid values are SILENT, which simply files the mail in the SPAMFOLDER; BOUNCE, which sends a simulated MAILER-DAEMON bounce message to the spammer in hopes that he will think your address is no good and remove it from his list; COMPLAIN, which sends a complaint and copy of the spam to the spammer's postmaster for spammers which the SpamBouncer knows about and has this information, and in most cases also the upstream ISPs; and BOTH, which (not surprisingly) both sends a bounce and complains.

New users should set this to SILENT until they're sure everything is working properly.

SPEWSCHECK

If set to yes, tells the SpamBouncer to check the SPEWS blacklist, described at at <http://www.spews.org>, to see if an IP address or domain name is on the main spews.org blacklist. The SPEWS blacklist used by the SpamBouncer is maintained by Osirusoft, at spews.relays.osirusoft.com. This list contains the IP addresses of all sorts of sites that the SPEWS maintainers believe are likely to be sources of spam, whether they have actually spammed or not as of the time of listing. Most of the entries appear to be of long-time spammers and providers of spam support services, in addition to sites that are actively spamming or hosting spammers and refusing to shut them down. Entries to this list are from trusted users only; SPEWS does not accept submissions for listing from the public.

This variable is set to no by default.

TEST

A variant of Unix test program, a small program which looks for a file or directory and reports whether it exists or not. This is set to "test" by default, since this program is normally found on the system path.

If NOBOUNCE and LEGITLISTS are working on your system, there is no need to set this variable. If NOBOUNCE is not working, set this variable to point directly to your system's test program.

THISISP

DEPRECATED! Use the LOCALHOSTFILE variable and a text file containing your local hosts instead. Tells the SpamBouncer the domain name of your domain or ISP.

THISISP is set to ${HOST}.${DOMAIN} by default.

TURKISH

Set TURKISH=yes if you receive email in Turkish. Otherwise leave it set to no (the default), and the SpamBouncer will send any email in this language to the BLOCKFOLDER.

VIRUSCHECKING

Tells the SpamBouncer whether to run its internal virus checking filters. This variable is set to yes by default, enabling the internal virus checking filters. To disable them, set VIRUSCHECKING=no in your .procmailrc file.

I recommend that you turn off virus checking only if you have a good anti-virus program running on your mailserver itself, rather than just on your local computer. The SpamBouncer's virus checking is not a substitute for an anti-virus program, but it can get rid of a lot of virus-laden email before you download it. If you use a local antivirus program instead of a server-based program, the SpamBouncer's virus filters will save time downloading your email, and also CPU cycles on your workstation or PC.

NOTE: Setting VIRUSCHECKING=no will NOT disable the SpamBouncer's filters for dangerous file types and code. The SpamBouncer will always look for and block email with embedded hidden executable attachments, iframes, and scripts. It will also look for and block email with any embedded executable attachments unless you set EXECHECKING=no, and email with any embedded documents of a type that can contain executable code unless you set EXEDOCCHECKING=no.

VIRUSFOLDER

Where to store messages that the SpamBouncer tags as viruses. This is set by default to the SPAMFOLDER. After you have tested your setup and are certain it works, you may want to change this to /dev/null. Virus-infected email is almost always email the user has no idea he/she sent. It contains nothing most people would want to see, and if you retrieve it into most of the popular Windows-based email programs, you might infect your system.

WIREHUBDIALUP

If set to yes, tells the SpamBouncer to check the dynablock.wirehub.net blacklist to see if an IP is listed. This blacklist lists dial-up IP ranges and other dynamic IP pools. Email sent from these pools should be sent via the ISP's SMTP server, not directly to you -- email that is sent directly from a dynamic IP is usually spam.

This variable is set to no by default. To enable dynablock.wirehub.net filtering, set WIREHUBDIALUP=yes in your .procmailrc file.

WIREHUBSPAMSOURCE

If set to yes, tells the SpamBouncer to check the blackholes.wirehub.net blacklist to see if an IP is listed. This blacklist lists persistent spam sources.

This variable is set to no by default. To enable blackholes.wirehub.net filtering, set WIREHUBSPAMSOURCE=yes in your .procmailrc file.

Upgrading the SpamBouncer

Upgrading is easy. You just check the "What's New" notice to see if there are any new variables you should set or features you should be aware of, and then ftp the new version (or grab it with your WWW browser) and copy it over the old version. If you prefer, you can subscribe to the SpamBouncer Updates mailing list to get automatic notifications of updates via email. The mailing list is described in the next section.

That's all there is to it.

The SpamBouncer should be upgraded regularly -- weekly if you are using it with SPAMREPLY set to COMPLAIN and monthly otherwise. Spammers move around a lot. Prolific spammers tend to get disconnected quite a bit, even by spam-friendly providers, because they cause their providers so much trouble. This means that the complaint addresses in the Spam Bouncer's complaint lists must be updated constantly or complaints will go to the wrong place.

Providers get annoyed when they get complaints about a problem they've already fixed, or at least done everything they can to fix. Once they've kicked a spammer off their system, there is very little else they can do, and sending complaints to them just wastes their time and resources.

I do my part by updating the addresses, but that helps only if you do yours by keeping your copy of the SpamBouncer up to date.

So, if you can't upgrade frequently or don't want to bother updating all the time, please set SPAMREPLY and BLOCKREPLY to SILENT. That way you'll still get the benefits of the filter, but you won't risk causing trouble for an ISP that has already kicked its spammers off.

In addition, today's rogue ISP may be tomorrow's good guys. An example of that is erols.com, which a few years ago was the source of a huge amount of spam and which today is one of the leaders in the fight against it. (Erols also has one of the most entertaining "abuse@" people in the business -- Afterburner.) I regularly review the sites on the blocked list and retire those who have adopted and enforced solid no-spamming policies. That reduces the size of the filter and the resources it takes while keeping it as efficient as possible.

So, please keep up to date! :)

Return to Table of Contents

How to Troubleshoot and Report Trouble

If you are having trouble with the SpamBouncer, first please make sure you:

• Installed it according to the instructions, and particularly set your Procmail variables according to instructions.
• Have the Unix file permissions for your copy of the Spam Bouncer set properly. As long as the file owner has read, write and execute privileges, and has execute privileges to the directory in which it is located, all should be well.
• Are running Procmail 3.11pre7 or later.
• Included at least one email address in your LEGITLISTS, LOCALHOSTFILE, MYEMAIL, and NOBOUNCE files, for each of these files that exists on your system, and do not have any blank lines in any of these files.

The SpamBouncer is set up to avoid replying to bounced messages and autoreplies to its own bounces, but some spammers set their adminstrative accounts to autoreply to spam complaints and misconfigure their autoresponders to remove the "X-Loop" header, which should NEVER be removed by any autoreply script. In general, it is not a good idea to autoreply to mail from administrative accounts at all, so the SpamBouncer is set up to filter it out first.

I commonly hear from new users who examine the log that Procmail keeps, and are concerned when they see lines like the following:

*** host.domain.tld can't find 000.000.000.000.list.dsbl.org: Non-existent host/domain
*** host.domain.tld can't find 000.000.000.000.blackholes.five-ten-sg.com: Non-existent host/domain
*** host.domain.tld can't find 000.000.000.000.relays.ordb.org: Non-existent host/domain
*** host.domain.tld can't find 000.000.000.000.ipwhois.rfc-ignorant.org: Non-existent host/domain
*** host.domain.tld can't find 000.000.000.000.sbl.spamhaus.org: Non-existent host/domain

Please note that these are normal and simply indicate that your system did not find the IP address in question on that blacklist. All is well; do not worry. :)

Please report spam which the SpamBouncer does not catch to <spamtrap@spambouncer.org> so that I can modify the SpamBouncer to catch it. Many spammers have gotten wise to me -- I'm on their remove lists even if they won't put you or others there. <wry grin> So I depend on my users to keep me up-to-date on what kind of spam is out there.

Report any problems to me at ariel@spambouncer.org, and I'll get to work on fixing them ASAP.

Return to Table of Contents

The SpamBouncer Updates Mailing List

Unfortunately this list is down at present. I'll announce it here when it returns from the dead.

Updates to the SpamBouncer are announced via the SpamBouncer Updates mailing list, in addition to this Web page. The list is a low-volume announcements-only list that gets less than one email per week. I keep it this way so that people who hate getting spammed :) can subscribe without being overwhelmed with email. (If you want to discuss spam and how to fight it, I recommend the SPAM-L mailing list, described in the following section.)

The SpamBouncer Updates list runs on a Majordomo list server, a widely used mailing list management program. If you are unfamiliar with Majordomo, the instructions below should explain how to subscribe to and unsubscribe from the SpamBouncer Updates list. For more information on Majordomo and how to use it, refer to Majordomo Mailing List User Commands at the University of Rochester. For more information on Majordomo itself and how it works, refer to the Majordomo FAQ.

I must approve all subscriptions to the mailing list, so I suggest you send me email letting me know who you are and why you are subscribing before you subscribe to the list. :) (Where possible, I would prefer to keep spammers off of it.)

Subscribing

1. Send email to updates-request@lists.spambouncer.org, with any subject line you like (the list server will ignore it), and the following text in the message body:

subscribe <your email address>
end

This will tell the Majordomo list server that you want to subscribe to the SpamBouncer Updates mailing list.

The list server will then send you two messages: a notice to the email address from which your subscription was sent and a confirmation message to the email address that you asked to have subscribed to the list. The notice explains that the subscription must be confirmed from the address that was subscribed to the list. The confirmation message asks you to copy a line of text from it, paste that line of text in a new email, and send the email back to the list server. The message will read like this:

Someone (possibly you) has requested that your email address be added to or deleted from the mailing list "spambouncer-updates@aziz.devnull.net".

If you really want this action to be taken, please send the following commands (exactly as shown) back to "Majordomo@aziz.devnull.net":

auth 3de6896e subscribe spambouncer-updates someone@example.com

If you do not want this action to be taken, simply ignore this message and the request will be disregarded.

The text you need to copy is the line beginning with auth. The jumble of letters and numbers after auth is called a token, and will be different for each person. Because it is different for each person, if you send back the exact token, the mailing list knows you really asked to subscribe. That prevents others from subscribing you to the mailing list without your permission.

2. Copy the line of text beginning with auth and containing the token from the message the Majordomo list server sends to you into a new email, and send the new email back to updates-request@lists.spambouncer.org.

If you followed these instructions correctly, the Majordomo list server will send you two more messages. The first is a short, machine-generated message showing that your subscribe command worked. The second is a message welcoming you to the SpamBouncer Upgrades list.

Unsubscribing

Send email to updates-request@lists.spambouncer.org, with any subject line you like (the list server will ignore it), and the following text in the message body:

unsubscribe <your email address>
end

This will tell the Majordomo list server that you want to unsubscribe from the SpamBouncer Updates mailing list. Majordomo will send you a message confirming that you have unsubscribed from the list. If you no longer have access to your old address, send me email and I will unsubscribe your old address manually.

Switching your Subscription to a Different Email Address

To switch your subscription to a new email address, you must unsubscribe your old address and subscribe the new one, following the instructions above.

Return to Table of Contents

Acknowledgments

First, I would like to thank Stephen van den Berg, the creator of procmail, for his wonderful tool. It is truly the friend of those who hate email spam and want it out of their lives. (It is also the friend of anyone who gets a lot of email.)

I would also like to thank the readers of the Procmail Mailing List for answering lots of often elementary questions, especially at the beginning, as I learned the program. I highly recommend the list for people who use the SpamBouncer. You can subscribe at procmail-request@Informatik.RWTH-Aachen.DE.

Finally, I'd like to thank one of the best sets of users anyone ever had -- you guys do a superb job keeping me up to date on what spammers are doing. I couldn't do it without you, seriously.

These filters are the result of several years of work and learning about Procmail. I hope the results will be as useful to others as they have been to me.

Return to Table of Contents

©1996-2003 by Catherine A. Hampton <ariel@spambouncer.org>. All rights reserved.