LOCAL_CONFIG
# enable map interface to macros
Kmacro macro

# enable map interface to syslog()
Ksyslog syslog

# This regular expression matches some spamware-generated Message-Id headers.
Kspammessageid regex -f -S  -aREJECT ^<(0000[0-9a-f]{8}\$$0000[0-9a-f]{4}\$$0000[0-9a-f]{4}|[0-9a-f]{12}\$$[0-9a-f]{7}[1-9a-f]\$$[0-9a-f]{8})@
# This regular expression matches some headers with just a random string.
Krandom regex -f -S  -aREJECT ^[.0-9A-Za-z]*[0-9][.0-9A-Za-z]*$$
# This regular expression matches some headers with just an all-numeric string.
Knumeric regex -f -S  -aREJECT ^[0-9]{8,10}$$
Kregistration regex -f -S  -aREJECT ^\#(01B0530810E603002D00|00F06206106618006920)$$
# These Content-Type headers are used by the Klez worm.
Kklez1 regex -f -S  -aKLEZ ^multipart/alternative; +boundary=[A-Z][0-9A-Za-z]+$$
Kklez2 regex -f -S  -aKLEZ ^multipart/alternative;  boundary="Boundary_\(ID_[+/0-9A-Za-z]{22}\)"$$
# These Content-Type headers are used by the Sobig worm.
Ksobig regex -f -S  -aSOBIG ^multipart/mixed;  boundary="(CSmtpMsgPart123X456|_NextPart)_000_[0-9A-Z]{8}"$$
# This Content-Type header is used by the Bugbear worm.
Kbugbear regex -f -S  -aBUGBEAR ^multipart/(alternative|mixed); boundary="----------[0-9A-Z]{14,15}"$$
# This Content-Type header is used by the Swen worm.
Kswen regex -f -S  -aSWEN ^multipart/(alternative|mixed); +boundary="[a-z]{5,}"$$
# These Content-Type headers are used by various Beagle worms.
Kbeagle regex -f -S  -aBEAGLE ^multipart/mixed;         boundary="--------([0-9]{15}|[a-z]{20})"$$
# This Content-Type header is used by the Netsky.B worm.
Knetsky regex -f -S  -aNETSKY ^multipart/mixed; boundary="[0-9]{8}"$$
# These Content-Type headers are spamware signatures.
Kboundary regex -f -S  -aREJECT ^multipart/(alternative|mixed); boundary="(=+xymMimeex22ader|[0-9A-Za-z]+---Minemindfxxyf)[0-9A-Za-z]+=+"$$

LOCAL_RULESETS
# This ruleset should be commented out except when debugging the
# check_relay or check_compat rulesets.  Use it like this:
# > Start,check_compat from_addr $| to_addr
# > Start,check_relay domain $| ip_addr
# to work around the restriction on entering the token $| .
# Thanks to http://www.sendmail.org/~ca/email/chk-dbg.html for this.
#SStart
#R$* $$| $*		$: $1 $| $2		fake for -bt mode, remove for real version

Scheck_mail_domain
R<$*> <$*> <$*<@[$+]>$*>	$@ <$1> <$2> <$3<@[$4]>$5>	ignore domain literals
R<?> <OK> <$+>		$: $1
R<$*> <$*> <$*>		$@ <$1> <$2> <$3>	nothing to do here

# DNS based domain spam list dsn.rfc-ignorant.org
R$* <@$+> $*		$: $(host $2.dsn.rfc-ignorant.org. $: OK $) $| $1 <@$2> $3
ROK $| $*		$: $1		not found
R$+ $| $* <@$+> $*	$#error $@ 5.7.1 $: $&{GoAway} " Domain " $3 " violates RFC 1123 section 5.2.9 - see http://www.rfc-ignorant.org/"

R$*			$@ <?> <OK> <$1>	restore Basic_check_mail syntax

SLocal_check_mail
R$*			$: $1 $(macro {GoAway} $@ 550 $)	establish RFC 2821 error code to be used by check_mail_domain
ifdef(`_DELAY_CHECKS_', `dnl', `dnl
# The check_relay ruleset may `define' the {IgnoreHeaders} macro, but the
# setting is lost unless `FEATURE(delay_checks)' is used.  Compensate by doing
# the appropriate magic in Local_check_mail when the feature is absent.
R$*			$: $>LookUpDomain < $&{client_name} > <?> < $1 > <+Connect>
R<$+> $*		$: $>LookUpAddress < $&{client_addr} > <?> < $2 > <+Connect>
R<$+> $*		$: $2')

# Add the name of a header to the list of those
# to be ignored, if it is not already there.
define(`_ENABLE_IGNORE_HEADERS_', `1')dnl	don't use default ruleset
Sset_ignore_header
R$-				$: $&{IgnoreHeaders} $(macro {HeaderName} $@ $1 $)
R$* $&{HeaderName} $*		$@		header is already listed, return nothing
R$*				$: $(macro {IgnoreHeaders} $@ $&{HeaderName} . $&{IgnoreHeaders} $)

# Use information from the access db to skip checks of certain RFC 822 headers
SDisable_Header_Check
R$-				$: $&{IgnoreHeaders} $(macro {HeaderName} $@ $1 $)
R$* $&{HeaderName} $*		$@ $| OK	indicate not to check the header
ifdef(`_SPAM_FH_', `dnl
ifdef(`_SPAM_FRIEND_', `dnl
R$* SPAMHATER $*		$@		indicate that the header should be checked by returning nothing', `dnl')
R$* SPAMFRIEND $*		$@ $| OK	indicate not to check the header', `dnl')
R$*				$:		indicate that the header should be checked by returning nothing

HDisposition-Notification-To: $>CheckSource
HErrors-To: $>CheckSource
HFrom: $>CheckSource
HReply-To: $>CheckSource
HResent-From: $>CheckSource
HResent-Sender: $>CheckSource
HReturn-Receipt-To: $>CheckSource
HSender: $>CheckSource
HX-Apparently-From: $>CheckSource
HX-Reply-To: $>CheckSource
SCheckSource
R$+ , $+			$@ $1 , $2	do not try to validate complex header lines
R$*				$: $1 $>Disable_Header_Check Source
R$* $| OK			$@ OK		do not check the source headers
R$* <> $*			$#error $@ 5.6.0 $: 554 Syntax error in RFC 822 header
R$*				$: $1 $(macro {GoAway} $@ 554 $)	establish RFC 2821 error code to be used by check_mail_domain
R$*				$: $>Basic_check_mail $1

# Some popular spam tools omit the time zone entirely.
# Others spell it out (e.g., "Eastern Standard Time").
HDate: $>CheckDate
SCheckDate
# Note the presence of a Date header without a timezone.
R$+ $- $- $-:$-:$-		$@ OK $(macro {ZonelessDate} $@ ZonelessDate $)
R$*				$: $1 $>Disable_Header_Check Date
R$* $| OK			$@ OK		do not check the Date header
R$+ AM				$#error $@ 5.6.0 $: 554 Syntax error in RFC 822 header
# The next rule happens to block the W32.Yaha.F@mm worm.
R$+ PM				$#error $@ 5.6.0 $: 554 Syntax error in RFC 822 header
R$+ $- $- $-:$-:$- $-		$@ OK		these are liberal interpretations of RFC 822
R$+ $- $- $-:$- $-		$@ OK
ifelse(index(confOPERATORS,`+'),`-1',`dnl',`R$+ $- $- $-:$-:$- +$-		$@ OK
R$+ $- $- $-:$- +$-		$@ OK')
R$*				$#error $@ 5.6.0 $: 554 Syntax error in RFC 822 header

HX-Mailer: $>+CheckXMailer
SCheckXMailer
# First, certain X-Mailer headers legitimize other headers.
R$*				$: $1                         $>set_ignore_header ContentTypeKlez
R$*				$: $1                         $>set_ignore_header XPriority
RAsp Component Bundle $*	$: Asp Component Bundle $1    $>set_ignore_header XMSMailPriority
RAsp Component Bundle 3.$+	$: Asp Component Bundle 3.$1  $>set_ignore_header ZonelessDate
RAspMail $*			$: AspMail $1                 $>set_ignore_header XMSMailPriority
RAspMail 3.$+			$: AspMail 3.$1               $>set_ignore_header ZonelessDate
RBecky! $*			$: Becky! $1                  $>set_ignore_header XMSMailPriority
RJMail $*			$: JMail $1                   $>set_ignore_header XMSMailPriority
RMicrosoft Internet Mail $*	$: Microsoft Internet Mail $1 $>set_ignore_header XMSMailPriority
RMicrosoft Outlook $*		$: Microsoft Outlook $1       $>set_ignore_header XMSMailPriority
RPegasus Mail $*		$: Pegasus Mail $1            $>set_ignore_header Comments
RSquirrelMail $*		$: SquirrelMail $1            $>set_ignore_header XMSMailPriority
R$* Windows Eudora Light Version 3. $*	$: $1 Windows Eudora Light Version 3. $2 $>set_ignore_header ZonelessDate

# Reject mail sent by self-identifying spamware.
R$*				$: $1 $>Disable_Header_Check XMailer
R$* $| OK			$@ OK		do not check the X-Mailer header
R$+				$: $(random $1 $)
RAdvanced Mass Sender $+	$: REJECT
RBulk Mail Sender		$: REJECT
RCatalyst SocketTools $+	$: REJECT
Rdiffondi $+			$: REJECT
RDirect Email $+		$: REJECT
RDynamic Opt-In Emailer $+	$: REJECT
REMailing List Pro $+		$: REJECT
REmailer Platinum $+		$: REJECT
ReMerge $+			$: REJECT
RFletMail $+			$: REJECT
RGammadyne Mailer $*		$: REJECT
RGoldMine $+			$: REJECT
R$* Group Mail $+		$: REJECT
RMail Bomber			$: REJECT
RMailWorkZ $+			$: REJECT
RMaxBulk Mailer $+		$: REJECT
RMicrosoft Outlook Express 5.00.2919.6900 DM	$: REJECT
RMultiMailer $*			$: REJECT
ROutLook Express $*		$: REJECT
RSent with E-Mail Magnet $+	$: REJECT
RSuperMail-2			$: REJECT
RUnityMail			$: REJECT
RX-Mailer: $+			$: REJECT
R{%xmailer%}			$: REJECT
RREJECT				$#error $@ 5.7.1 $: 554 Mail sent by spamware is not accepted here

HX-Comment: $>CheckXComment
SCheckXComment
R$*				$: $1 $>Disable_Header_Check XComment
R$* $| OK			$@ OK		do not check the X-Comment header
R$+				$: $(random $1 $)
RREJECT				$#error $@ 5.7.1 $: 554 Mail sent by spamware is not accepted here

HOrganization: $>CheckOrganization
SCheckOrganization
R$*				$: $1 $>Disable_Header_Check Organization
R$* $| OK			$@ OK		do not check the Organization header
R$+				$: $(numeric $1 $)
RREJECT				$#error $@ 5.7.1 $: 554 Mail sent by spamware is not accepted here

HX-EM-Registration: $>+CheckXEMRegistration
SCheckXEMRegistration
R$*				$: $1 $>set_ignore_header XPriority
R$*				$: $1 $>Disable_Header_Check XEMRegistration
R$* $| OK			$@ OK		do not check the X-EM-Registration header
R$+				$: $(registration $1 $)
RREJECT				$#error $@ 5.7.1 $: 554 Mail sent by spamware is not accepted here

HX-Encoding: $>CheckXEncoding
SCheckXEncoding
R$*				$: $1 $>Disable_Header_Check XEncoding
R$* $| OK			$@ OK		do not check the X-Encoding header
RMIME				$#error $@ 5.7.1 $: 554 Mail sent by spamware is not accepted here

HX-esmtp: $>CheckXesmtp
SCheckXesmtp
R$*				$: $1 $>Disable_Header_Check Xesmtp
R$* $| OK			$@ OK		do not check the X-esmtp header
R0 0 1				$#error $@ 5.7.1 $: 554 Mail sent by spamware is not accepted here

HX-: $>CheckXdash
SCheckXdash
R$*				$: $1 $>Disable_Header_Check Xdash
R$* $| OK			$@ OK		do not check the X- header
R$*				$#error $@ 5.7.1 $: 554 Mail sent by spamware is not accepted here

HX_Mailer: $>CheckX_Mailer
SCheckX_Mailer
R$*				$: $1 $>Disable_Header_Check X_Mailer
R$* $| OK			$@ OK		do not check the X_Mailer header
R$*				$#error $@ 5.7.1 $: 554 Mail sent by spamware is not accepted here

HContent-Disposition: $>+CheckContentDisposition
SCheckContentDisposition
R$*				$: $1 $>Disable_Header_Check ContentDisposition
R$* $| OK			$@ OK		do not check the Content-Disposition header
RMultipart message		$#error $@ 5.6.0 $: 554 Probable Sircam worm rejected

HContent-Type: $>+CheckContentType
SCheckContentType
Rmultipart/alternative; $-	$: $(klez1 $&{currHeader} $: multipart/alternative; $1 $)
Rmultipart/alternative; boundary=$-	$: $(klez2 $&{currHeader} $: multipart/alternative; boundary=$1 $)
# Note the presence of a Content-Type header that may be generated by the Klez worm.
RKLEZ				$@ OK $(macro {ContentType} $@ KLEZ $)
R$*				$: $1 $>Disable_Header_Check ContentType
R$* $| OK			$@ OK		do not check the Content-Type header
Rmultipart/mixed; boundary=$-	$: $(sobig $&{currHeader} $: multipart/mixed; boundary=$1 $)
RSOBIG				$#error $@ 5.7.1 $: 554 Probable Sobig worm rejected
Rmultipart/mixed; boundary=$-	$: $(bugbear $&{currHeader} $: multipart/mixed; boundary=$1 $)
RBUGBEAR			$#error $@ 5.7.1 $: 554 Probable Bugbear worm rejected
Rmultipart/$-; boundary=$-	$: $(swen $&{currHeader} $: multipart/$1; boundary=$2 $)
RSWEN				$#error $@ 5.7.1 $: 554 Probable Swen worm rejected
Rmultipart/mixed; boundary=$-	$: $(beagle $&{currHeader} $: multipart/mixed; boundary=$1 $)
RBEAGLE				$#error $@ 5.7.1 $: 554 Probable Beagle worm rejected
Rmultipart/mixed; boundary=$-	$: $(netsky $&{currHeader} $: multipart/mixed; boundary=$1 $)
RNETSKY				$#error $@ 5.7.1 $: 554 Probable Netsky worm rejected
Rmultipart/$-; boundary=$-	$: $(boundary $&{currHeader} $: multipart/$1; boundary=$2 $)
RREJECT				$#error $@ 5.7.1 $: 554 Mail sent by spamware is not accepted here

# Insist that the Message-Id header `include' angle brackets
# enclosing an @ character, as some popular spam tools omit it.
# Also block a certain spamware signature.
HMessage-Id: $>CheckMessageId
SCheckMessageId
R<$+@[$-.$-.$-.$-]>		$: <$1@[$2.$3.$4.$5]> $>set_ignore_header XPriority
R$*				$: $1 $>Disable_Header_Check MessageId
R$* $| OK			$@ OK		do not check the Message-Id header
R$*				$: $(spammessageid $1 $)
RREJECT				$#error $@ 5.7.1 $: 554 Mail sent by spamware is not accepted here
R< $+ @ $+ >			$@ OK		RFC 822 syntax
R$*				$#error $@ 5.6.0 $: 554 Syntax error in RFC 822 header

# Certain To headers are sure-fire spam signatures.
HTo: $>CheckTo
SCheckTo
R$+ , $+			$@ $1 , $2	do not try to validate complex header lines
R$*				$: $1 $>Disable_Header_Check To
R$* $| OK			$@ OK		do not check the To header
R$* <> $*			$#error $@ 5.6.0 $: 554 Syntax error in RFC 822 header
R$*				$: $1 $| $>SearchList <!To> $| <E:$1> <>
R$* $| <POISON>			$#error $@ 5.7.1 $: 554 Mail sent by spamware is not accepted here

# Note the presence of the "Comments: Authenticated sender ..." header.
HComments: $>CheckComments
SCheckComments
RAuthenticated sender $+	$: Authenticated sender $1 $(macro {Comments} $@ Comments $)

# Note the presence of the X-MSMail-Priority header.
HX-MSMail-Priority: $>CheckXMSMailPriority
SCheckXMSMailPriority
R$*				$: $1 $(macro {XMSMailPriority} $@ XMSMailPriority $)

# Note certain X-Priority headers.
HX-Priority: $>+CheckXPriority
SCheckXPriority
R1				$: 1 $(macro {XPriority} $@ XPriority $)
R3				$: 3 $(macro {XPriority} $@ XPriority $)

# Here is another case where the X-MSMail-Priority and X-Priority headers are allowed.
HX-MimeOLE: $>CheckXMimeOLE
SCheckXMimeOLE
RProduced By Microsoft Exchange $+	$: Produced By Microsoft Exchange $1 $>set_ignore_header XMSMailPriority
RProduced By Microsoft Exchange $+	$: Produced By Microsoft Exchange $1 $>set_ignore_header XPriority
RProduced By Microsoft MimeOLE $+	$: Produced By Microsoft MimeOLE $1  $>set_ignore_header XMSMailPriority
RProduced By Microsoft MimeOLE $+	$: Produced By Microsoft MimeOLE $1  $>set_ignore_header XPriority

# Here is another case where the X-Priority header is allowed.
HX-MIMETrack: $>CheckXMIMETrack
SCheckXMIMETrack
R$*				$: $1 $>set_ignore_header XPriority

# Another case where X-Priority and Klez-like headers are allowed.
HUser-Agent: $>CheckUserAgent
SCheckUserAgent
R$+				$: $1 $>set_ignore_header ContentTypeKlez
R$+				$: $1 $>set_ignore_header XPriority

# Yet another case where the X-Priority header may be allowed.
HList-Software: $>CheckListSoftware
SCheckListSoftware
RMojo Mail 2. $*		$: Mojo Mail 2. $1 $>set_ignore_header XPriority

HX-Spam-Flag: $>CheckXSpamFlag
SCheckXSpamFlag
R$*				$: $1 $>Disable_Header_Check XSpamFlag
R$* $| OK			$@ OK		do not check the X-Spam-Flag header
R$* YES $*			$#error $@ 5.7.1 $: 554 Spam is not accepted here

# More than one of these is a spam signature.
HX-Originating-IP: $>CheckXOriginatingIP
SCheckXOriginatingIP
R$*				$: $&{XOriginatingIP} $1 $>Disable_Header_Check XOriginatingIP
R$* $| OK			$@ OK		do not check the X-Originating-IP header
R[$-.$-.$-.$-]			$: $1.$2.$3.$4	strip off square brackets
R$-.$-.$-.$-			$: $(host $4.$3.$2.$1.bl.spamcop.net. $: $1.$2.$3.$4 $)
R$-.$-.$-.$-.bl.spamcop.net.	$#error $@ 5.7.1 $: "554 Mail from " $4 "." $3 "." $2 "." $1 " refused - see http://spamcop.net/bl.shtml"
R$-.$-.$-.$-			$@ OK $(macro {XOriginatingIP} $@ REJECT $)
R$*				$#error $@ 5.7.1 $: 554 Mail sent by spamware is not accepted here

SLocal_check_rcpt
R$*				$: $1 $(syslog rcpt=$1 $)	log recipient
# Certain recipients are "poison" and cause the
# message to be rejected for all recipients.
R$*				$: $1 $| $1	create workspace to right of $|
R$* $| $* <$+> $*		$1 $| $3	focus on part in angle brackets
R$* $| $+			$: $1 $| $>SearchList <!To> $| <E:$2> <>
R$* $| <POISON>			$: $1 $| $(macro {PoisonRecipient} $@ POISON $)
R$* $| $*			$: $1		delete workspace

Scheck_eoh
R$*				$: $&{PoisonRecipient}		wishing for a check_data ruleset
RPOISON				$#error $@ 5.7.1 $: 554 Mail sent to spam lists is not accepted here

R$*				$: $&{ContentType}
RKLEZ				$: KLEZ $>Disable_Header_Check ContentTypeKlez
RKLEZ				$#error $@ 5.7.1 $: 554 Probable Klez worm rejected

R$*				$: $&{ZonelessDate}
RZonelessDate			$: ZonelessDate $>Disable_Header_Check ZonelessDate
RZonelessDate			$#error $@ 5.6.0 $: 554 Syntax error in RFC 822 header

R$*				$: $&{XMSMailPriority}
RXMSMailPriority		$: XMSMailPriority $>Disable_Header_Check XMSMailPriority
RXMSMailPriority		$#error $@ 5.7.1 $: 554 Mail sent by MP spamware is not accepted here

R$*				$: $&{XPriority}
RXPriority			$: XPriority $>Disable_Header_Check XPriority
RXPriority			$#error $@ 5.7.1 $: 554 Mail sent by P spamware is not accepted here

R$*				$: $&{Comments}
RComments			$: Comments $>Disable_Header_Check Comments
RComments			$#error $@ 5.7.1 $: 554 Mail sent by C spamware is not accepted here