Contents of ENV_FROM_SPAM.DAT (last modified at 10:49:59AM on 7-JAN-2012): ! ! In the entries which follow, the text after the vertical bar (or "$Y") ! is prepended to a "bounce" message that's worded something like this: ! ! <text> blocked from <from-address> ! acerplan@gmail.com $YSpam autoenvio333@gawab.com $YSpam big@boss.com $YDue$ to$ probable$ "Sobig"$ virus$ infection,$ E-mail bonniewagner@outdrs.net $YDue$ to$ probable$ account$ compromise brilliantmarketinginc@b$@* $YProbable$ SPAM brunomeissner@netfly.com.br $YProbable$ SPAM cialis@cialis.* $Y wazzup@hotmail.com $YSPAM $@*@camcontacts.com $YSPAM $@*@camcontacts.net $YSPAM ccmartin@telus.net $YSPAM clientes@mail.ru $YSPAM cumsee*@* $YProbable$ SPAM cumsho$@[et]%*@* $YProbable$ SPAM from-$@D%$@D*-$@D%$@D*-$@D%$@D*-from@$@* $YProbable$ SPAM *girl*sex*@* $YProbable$ SPAM *lolita*@* $YProbable$ SPAM *love*girl*@* $YProbable$ SPAM marina$[0-9]%$[0-9]%_*@* $YProbable$ SPAM *$[\-_]%nasty@* $YProbable$ SPAM nasty$[\-_]%*@* $YProbable$ SPAM novidades@amostrasgratisebrindes.info $YSpam return-$@D%$@D*-$@D%$@D*-$@D%$@D*-return@$@* $YProbable$ SPAM *sex*girl*@* $YProbable$ SPAM sfirirli$[0-9]%$[0-9]%_*@* $YProbable$ SPAM viagra@viagra.* $YSPAM *-*-@msg.* $YProbable$ SPAM John.Faler@morganstanley.com \ $YOpt-out$ E-mail$ is$ considered$ SPAM$ -$ E-mail ! ! Entries in NIGERIAN-SCAM.DAT are blocked because they have a history of ! sending E-mail soliciting what turns out to be a fraudulent activity. The ! original form of this scam came out of Nigeria, so it's commonly known as ! the "Nigerian scam" (or the "419 scam," since 419 is the country code for ! calls made to Nigeria). ! !!<pmdf_table:nigerian-scam.dat ! ! Strip username ! *@* $C@$1 @ $N @* $C$0 ! ! All subsequent entries check domain only ! $@*casino$@* $YSPAM freemail.soim.com $YProbable$ SPAM $@*porno$@* $YSPAM *sex*girl* $YSPAM ! ! Check SPAM suffix database and report match if found ! * $C${spam_suffix|$0}$Y$E ! ! Provide for domain suffixes with variant patterns ! *.7002.net $CPREFIX=$0.|Probable$ SPAM $_*$@D*2c$@D*fortune$@D*.com $CPREFIX=$0|Probable$ SPAM *accip$@D*.com $CPREFIX=$0|Probable$ SPAM $_*$D*always$D*often$D*.com $C$|ANYTHING;TOKEN=$1$2$3|PREFIX=$0|Probable$ SPAM *bigdeals$@D*.com $CPREFIX=$0|Probable$ SPAM *bsm-ddh0$@[1-6]%.net $CPREFIX=$0|Probable$ SPAM *dealnetwork$@D*.com $CPREFIX=$0|Probable$ SPAM *.$@[eovx]%icp.net $CPREFIX=$0.|Probable$ SPAM *eresourceclub$@D*.com $CPREFIX=$0|Probable$ SPAM *esm$@D%$@D*.net $CPREFIX=$0|Probable$ SPAM *flowgomail$@D*.com $CPREFIX=$0|Probable$ SPAM *gambl$@[ei]%$@* $CPREFIX=$0|Probable$ SPAM $_*$@D*givit$@D*upnow$@D*.com $CPREFIX=$0|Probable$ SPAM *hdos$@D*.com $CPREFIX=$0|Probable$ SPAM $_*$D*hitit$D*getit$D*.com $CPREFIX=$0|Probable$ SPAM $_*$D*hit$D*wicket$D*.com $C$|ANYTHING;TOKEN=$1$2$3|PREFIX=$0|Probable$ SPAM *.inboxrebates.com $CPREFIX=$0.|Probable$ SPAM *.inboxrebates$@D%.com $CPREFIX=$0.|Probable$ SPAM *.kmip.net $CPREFIX=$0.|Probable$ SPAM *onlinedeals$@D*.com $CPREFIX=$0|Probable$ SPAM *outbox$@[1-5]%.com $CPREFIX=$0|Probable$ SPAM *robotreply$@D*.com $CPREFIX=$0|Probable$ SPAM *royalr$@[12]%.com $CPREFIX=$0|Probable$ SPAM *sheck-buy.com $CPREFIX=$0|Probable$ SPAM *skybounddream$@D*.com $CPREFIX=$0|Probable$ SPAM *specials$@D*.com $CPREFIX=$0.|Probable$ SPAM $_*$D*surf$D*speed$D*.com $C$|ANYTHING;TOKEN=$1$2$3|PREFIX=$0|Probable$ SPAM *trave1deals$@[1-3]%.com $CPREFIX=$0|Probable$ SPAM *.u998.com $CPREFIX=$0.|Probable$ SPAM *w3ip.co.kr $CPREFIX=$0|Probable$ SPAM *yourdeals$@D*.com $CPREFIX=$0|Probable$ SPAM PREFIX=|* $Y$0 PREFIX=*.|* $Y$1 ! ! If the address is of the form "a.b.c", (where "c" could be ! "c1[.c2[.c3...]]") the following will strip off "a." and ! then restart checking with "b.c" ! $@_*.* $R$0 ! ! No matches, so bail out ! * $N