| |
| # |
| # Ruleset to match fill-in-this-form body text |
| # common in scams and loan spams |
| # occasional in phishing |
| # |
| # Requires multipass ReplaceTags plugin |
| # |
| # If you are using this with 3.2.5, make sure you get this as well: |
| # http://svn.apache.org/viewvc/spamassassin/branches/3.2/lib/Mail/SpamAssassin/Plugin/ReplaceTags.pm |
| # |
| # <jhardin@impsec.org> |
| # $Id$ |
| # |
| |
| ifplugin Mail::SpamAssassin::Plugin::ReplaceTags |
| |
| # Repetitive syntactic bits |
| replace_tag FF_LNNO (?:(?:\d{1,3}(?:[)}\]:.,]{1,80}|(?:st|nd|rd|th)[)}\]:.,]{0,3})|\W?\([\div]{1,5}\)|\W?\{\d{1,3}\}|\[\d{1,3}\]|\*{1,5}|\#{1,5}|\(?[A-K][)}\]:.,]{1,3})\s?) |
| replace_tag FF_YOUR (?:a?\s?copy\sof\s)?(?:(?:your|din|seu|twoje)[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full(?:st[\xe4]ndigt)?\s?|complete\s|direct\s|private?\s|valid\s|personal\s|nuvarande\s|vollst[\xe4]ndige\s|aktuelle\s|pe\s(?:ne\s)?){0,3} |
| replace_tag ANDOR (?:\s?[\/&+,]\s?|\sor\s|\sand?\s) |
| replace_tag NUMBER (?:(?:ruf)?num(?:[bm]er)?\(?s?\)?|nos?\.|no\b|n[\xb0]|\#s?|nbrs?\.?) |
| replace_tag FF_SUFFIX (?:\sin\s(?:full|words)|\scompleto)?:?(?:\s?[({][^)}]{1,30}[)}])? |
| replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){3,100})) |
| replace_tag FF_BLANK2 (?:[^-=_.,:;*\w]{0,3}(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){1,100}) |
| |
| # Address variations |
| replace_tag FF_A1 (?:(?:countr?y|city|province|ter+itory|(?:zip|post(?:al)?)(?:\s?code)?|st?ates?|ad+res+e?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))? |
| replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail|bostads|wohn)<ANDOR>?){0,3}\s?(?:ad+res+[es]{0,2}|location|endere[\xe7]o)(?:\sline)?(?:\s[0-9])? |
| |
| # Name variations |
| replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|user|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:<ANDOR>ad+res+)? |
| |
| # Telephone variations |
| replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one?)?|(?:ph|f)one|private)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s?<NUMBER>)?<ANDOR>?){1,3} |
| |
| # Misc personal data |
| replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|(?:user )?email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)<ANDOR>?){1,3} |
| |
| # Loan application details |
| replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?s?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf|zaw(?:=F3|[\xf3])d) |
| |
| # Financial/ID details (scams and phishing) |
| replace_tag FF_F1 (?:(?:bank(?:ing)?|beneficiary|billing|acc(?:oun)?t|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|institution|a\/c|<NUMBER>)<ANDOR>?){1,3} |
| replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(?:en[sc]e)?|pas+\s?port|id\scard|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?)<ANDOR>?){1,3}(?:\s<NUMBER>)? |
| replace_tag FF_F3 (?:picture|zdj\scie|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|(?:e-?mail\s)?pas+word|e-?mai?l\sid|amount\s[\w\s]{0,30}lost[\w\s]{0,15}) |
| replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names? |
| replace_tag FF_F5 (?:ref(?:erence)?|batch|win+ing|award|billet)[-\s]?<NUMBER> |
| |
| # All variations together |
| replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>|<FF_L1>) |
| |
| # 5+ fields (high reliability) |
| # Leave this exposed, it's a fairly good spam sign by itself |
| body __FILL_THIS_FORM_LONG1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i |
| body __FILL_THIS_FORM_LONG2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i |
| replace_rules __FILL_THIS_FORM_LONG1 |
| replace_rules __FILL_THIS_FORM_LONG2 |
| meta __FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG1 || __FILL_THIS_FORM_LONG2 |
| meta FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY |
| describe FILL_THIS_FORM_LONG Fill in a form with personal information |
| score FILL_THIS_FORM_LONG 2.00 # limit |
| |
| # 5+ fields that body paragraph processing didn't paste together |
| body __FILL_THIS_FORM_PARTIAL /^\s?<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20){1,4}$)/im |
| replace_rules __FILL_THIS_FORM_PARTIAL |
| tflags __FILL_THIS_FORM_PARTIAL multiple maxhits=5 |
| rawbody __FILL_THIS_FORM_PARTIAL_RAW /^(?>\s{0,50})<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20| |<\/\w+>){0,4}$)/im |
| replace_rules __FILL_THIS_FORM_PARTIAL_RAW |
| tflags __FILL_THIS_FORM_PARTIAL_RAW multiple maxhits=5 |
| |
| # 5+ fields in either format |
| # For easy use in metas |
| meta __FILL_THIS_FORM (__FILL_THIS_FORM_LONG || __FILL_THIS_FORM_PARTIAL > 4 || __FILL_THIS_FORM_PARTIAL_RAW > 4) |
| meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML |
| describe FILL_THIS_FORM Fill in a form with personal information |
| #score FILL_THIS_FORM 1.00 |
| tflags FILL_THIS_FORM publish |
| |
| # 3 or 4 fields (low reliability, but still useful in metas |
| body __FILL_THIS_FORM_SHORT1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i |
| body __FILL_THIS_FORM_SHORT2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i |
| replace_rules __FILL_THIS_FORM_SHORT1 |
| replace_rules __FILL_THIS_FORM_SHORT2 |
| meta __FILL_THIS_FORM_SHORT !__FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT1 || __FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_PARTIAL > 2 || __FILL_THIS_FORM_PARTIAL_RAW > 2) |
| meta FILL_THIS_FORM_SHORT __FILL_THIS_FORM_SHORT && !__VIA_ML && !__MSGID_JAVAMAIL |
| describe FILL_THIS_FORM_SHORT Fill in a short form with personal information |
| score FILL_THIS_FORM_SHORT 1.00 # limit |
| |
| # Add to score if loan question is present |
| body __FILL_THIS_FORM_LOAN1 /<FF_YOUR><FF_L1><FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i |
| replace_rules __FILL_THIS_FORM_LOAN1 |
| meta __FILL_THIS_FORM_LOAN __FILL_THIS_FORM && __FILL_THIS_FORM_LOAN1 |
| meta FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE |
| describe FILL_THIS_FORM_LOAN Answer loan question(s) |
| score FILL_THIS_FORM_LOAN 2.0 |
| |
| # Add to score if fraud/phishing question is present |
| body __FILL_THIS_FORM_FRAUD_PHISH1 /<FF_YOUR>(?:<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i |
| replace_rules __FILL_THIS_FORM_FRAUD_PHISH1 |
| meta __FILL_THIS_FORM_FRAUD_PHISH (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FILL_THIS_FORM_FRAUD_PHISH1 || __EMAIL_PHISH || __ACCT_PHISH) |
| meta FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__UNSUB_LINK && !__SPOOFED_URL && !__DOS_LINK && !__CAN_HELP && !__VIA_ML && !__COMMENT_EXISTS && !__HAS_IN_REPLY_TO && !__THREADED && !__HDR_RCVD_SHOPIFY |
| describe FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s) |
| #score FILL_THIS_FORM_FRAUD_PHISH 1.50 |
| |
| else |
| meta __FILL_THIS_FORM_LONG1 0 |
| meta __FILL_THIS_FORM_LONG2 0 |
| meta __FILL_THIS_FORM_LONG 0 |
| meta __FILL_THIS_FORM_PARTIAL 0 |
| meta __FILL_THIS_FORM_PARTIAL_RAW 0 |
| meta __FILL_THIS_FORM 0 |
| meta __FILL_THIS_FORM_SHORT1 0 |
| meta __FILL_THIS_FORM_SHORT2 0 |
| meta __FILL_THIS_FORM_SHORT 0 |
| meta __FILL_THIS_FORM_LOAN1 0 |
| meta __FILL_THIS_FORM_LOAN 0 |
| meta __FILL_THIS_FORM_FRAUD_PHISH1 0 |
| meta __FILL_THIS_FORM_FRAUD_PHISH 0 |
| endif # Mail::SpamAssassin::Plugin::ReplaceTags |