#!/usr/bin/perl

# sc_mailfilter.conf
# version 1.08, 11-16-08
# Configuration for sc_mailfilter.pl, sc_abuse.pl

my $MAILFILTER = {

## additional KEYS may be included with an INCLUDE statement of the form:
#
#  INCLUDE => 'path/to/file.conf',
#
#  this file may include an INCLUDE statement, as may the next, etc...
#
#
# Location of the "sc_BlackList.conf" file. The "IGNORE" array is used
# to exclude listed hosts.
#
# [ REQUIRED ]

	BLCONFIG	=> '/usr/local/spamcannibal/config/sc_BlackList.conf',
#


# A list of mail host which are terminating servers for incoming mail to
# this site. Include the IP addresses of any acceptable relays and backup 
# servers. The "sending" host to these servers are the ones that will be 
# placed in the tarpit. At a minimum, this should include all servers
# for which there are MX records for your domains.
#
# Entries may be dot.quad.addresses, host.names or CIDR netblocks of the 
# form:		12.34.56.0/28
#
# The IP addresses of "named" hosts are resolved for multiple interfaces. 
# If you do not want this behavior then always use dot.quad notation.
#
# [ REQUIRED ]
#
	MXhosts   => [qw(
		mail2.ournetwork.net
		mail2.foo.com
		ns2.foo.com
		ns2.ournetwork.net

		mail1.ournetwork.net
		mail3.ournetwork.net
		mail1.foo.com
		mail3.foo.com
		ns3.ournetwork.net
		ns3.foo.com

		mailbackup.ournetwork.net
		mail4.ournetwork.net
	)],


# Do not automatically include private network addresses in MXhosts.
#	127./8, 10./8, 172.16/12, 192.168/16
#
# [ OPTIONAL ]

#	NOPRIVATE => 1;


# Report exceptions and failed entry attempts
#
# [ OPTIONAL ] recommended

	REPORT	  => 'my.email@addy.com',
#


# Count each message received for processing. This will
# normally be approximately the number of added spams.
#
# specify the 	/absolute/path/to/count_file_name
#
# [ OPTIONAL ]

	SPAMCOUNT  => '/usr/local/spamcannibal/spamcount.txt',


# PGP or GPG configuration information to decrypt incoming messages.
# Verify that a message has PGP encrypted content prior to decryption so
# that plain text messages are not inadvertently passed to the to the
# tarpit. Prevent unauthorized access/addition to the tarpit.
#
# See: man Mail::SpamCannibal::GoodPrivacy 'decrypt' for details
#
# [ RECOMMENDED ]

	PGP	  => {
#		ExeFile	   => '/usr/local/bin/pgp',
		ExeFile    => '/usr/local/bin/gpg',
#		KeyPath	   => '/usr/local/spamcannibal/.pgp',
		KeyPath    => '/usr/local/spamcannibal/.gnupg',
		Password   => 'mySPAMpasswd',
		UserID	   => 'Spam',
		Version	   => '',	# might be 2.62
#		Exceptions => 0,
	},

# If "REPORT" is set above, and "Exceptions" is true. Non-PGP messages
# will be forwarded to the REPORT target for evaluation.


# Require that a least on of these headers is present. Use this in place of
# PGP above to limit the source of entries to the database.
# This is a single value or an array of values. The values may be regular
# expressions. They will be matched in a case insensitive manner and the
# pattern must be the 'start' of a header.
#
#	REQHEAD		=> 'received:.+myhost\.com',
#	  or
#	REQHEAD		=> [	'received:.+mylaptop',
#				'received:.+desktop\.pc',
#	],

# Use dirty read of headers. Use this procedure only if you can not avoid
# auto-wrapping in your mail client. Some goofy stuff can slip through or
# headers may be mangled and not properly parsed.
#
# See man Mail::SpamCannibal::ParseMessage 'headers' and 'rfheaders'
# for a detailed explanation.
#
# [ OPTIONAL ] not recommended, sigh... but usually needed

	DIRTY	  => 1,


# Trim the length of the message portion of spam samples
# When batch submitting without manually editing the spam samples,
# configuration variable limits the length to the lesser of the
# set number of lines or the length of the sample
#
# NOTE: this behavior is overriden if the destination "spam" address
#	i.e. spam@yourdomain.com
# ends in the character "X" (not case sensitive)
#	i.e. spamx@yourdomain.com
#
# [ OPTIONAL ]

#	MAXMSG	  => 8,		# something useful?

# Validate IP's spam hosts against SPMCNBL_DB_ARCHIVE
# as a condition of adding to tarpit. 
#
# The ip address double checked against the 'archive' database to
# to see if it exists before being added to the 'tarpit'. This is 
# a belt and suspenders approach to validating spammers and won't
# work well if the 'archive' is checked often since it will constantly
# be emptied by sc_BLcheck.pl. This approach may provide some measure
# of relief from false positive spam source identification in mail headers
# if the archive is run once or twice a day and all mail is posted to the
# spamcannibal user prior to the 'archive' run.
#
# [ OPTIONAL ] experimental

#	VALIDATE  => 1,


# For generic PTR records matching the regular expression
# 'regexp', test the entire /24 for compliance and mark
# all non-compliant records as "spammy"
#
# 'ignore'	array of perl regular expressions to ignore
#		before testing with 'regexp' below, case insensitive
#
# 'regexp'	array of perl regular expression in single
#		quotes that will be tested case insensitive
#
# 'message'	is a REQUIRED string inserted in all matching
#		'generic' records to which the IP
#		address of the spam record is appended
#
# 'agressive'	true will test all class C's for every 
#		IP address submitted to the filter
#
#		false will test only those class C's
#		for which the submitted IP address
#		returns a missing or generic PTR record
#
# [ OPTIONAL ]

	XCIDR24	  => {
#	    ignore	=> [
#		'dls-only',
#	    ],
	    regexp	=> [
		# d+?d+?d+?d+ or 12 digits
		'\d+[a-zA-Z_\-\.]\d+[a-zA-Z_\-\.]\d+[a-zA-Z_\-\.]\d+|\d{12}',
#		'dynamic',
	    ],
	    message	=> "spam source, anonymous/un-named IP\nsee:\n",
	    aggressive	=> 0,	# recommend false
	},

# FOR sc_abuse.pl
# If the of the originating spammer server is found as the key of the 
# ABUSE hash, instead of an abuse message being sent to abuse@domain.com,
# if the domainkey is found in the ABUSE hash, the abuse message is
# sent to the address(s) found in the corresponding data array
#
# [ OPTIONAL ] 

	ABUSE	  => {
		'bellsouth.net'	=> [qw(
				ipoperations@bellsouth.net
				postmaster@bellsouth.net
				root@bellsouth.net
				abuse@bellsouth.net
		)],
		'blueyonder.co.uk' => [qw(
				abuse@blueyonder.co.uk
				abuse@telewest.co.uk
		)],
		'earthlink.net' => [qw(
				abuse@earthlink.net
				postmaster@earthlink.net
				root@earthlink.net
				openrelay@abuse.earthlink.net
				junkmail@earthlink.net
		)],
		'eircom.net'	=> [qw(
				cd@eircom.net
				dcurran@eircom.net
				abuse@ericom.net
				postmaster@ericom.net
				root@ericom.net
				tech@indigo.ie
				ross@eircom.net
		)],
		'hotmail.com'	=> [qw(
				abuse@hotmail.com
				abuse@msn.com
				postmaster@hotmail.com
				postmaster@msn.com
		)],
		'yahoo.com'	=> [qw(
				netblockadmin@yahoo-inc.com
				abuse@yahoo.com
				abuse@yahoo-inc.com
				postmaster@yahoo.com
				postmaster@yahoo-inc.com
				root@yahoo-inc.com
		)],
		'myvzw.com'	=> [qw(
				abuse@verizon.net
		)],
	},
};