# Ensure plugin-based rules used for FP avoidance exist
# even if the plugin is not loaded, or an older version is loaded
#
# Each __LCL__ wrapper aliases the plugin-provided rule when it is available
# and otherwise defines itself as the constant 0, so a meta that references
# the wrapper never depends on an undefined rule name.
# __KAM_BODY_LENGTH_LT_128
ifplugin Mail::SpamAssassin::Plugin::BodyEval
# per the note above, older BodyEval builds lack has_check_body_length
if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
meta __LCL__KAM_BODY_LENGTH_LT_128 __KAM_BODY_LENGTH_LT_128
else
meta __LCL__KAM_BODY_LENGTH_LT_128 0
endif
else
meta __LCL__KAM_BODY_LENGTH_LT_128 0
endif
# __KAM_BODY_LENGTH_LT_512
ifplugin Mail::SpamAssassin::Plugin::BodyEval
if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
meta __LCL__KAM_BODY_LENGTH_LT_512 __KAM_BODY_LENGTH_LT_512
else
meta __LCL__KAM_BODY_LENGTH_LT_512 0
endif
else
meta __LCL__KAM_BODY_LENGTH_LT_512 0
endif
# __KAM_BODY_LENGTH_LT_1024
ifplugin Mail::SpamAssassin::Plugin::BodyEval
if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
meta __LCL__KAM_BODY_LENGTH_LT_1024 __KAM_BODY_LENGTH_LT_1024
else
meta __LCL__KAM_BODY_LENGTH_LT_1024 0
endif
else
meta __LCL__KAM_BODY_LENGTH_LT_1024 0
endif
# __ENV_AND_HDR_FROM_MATCH
# HeaderEval provides __ENV_AND_HDR_FROM_MATCH; the __LCL__ alias keeps the
# negations in HDRS_MISSP / TO_IN_SUBJ and the FROM_MISSP_EH_MATCH meta
# further down valid when the plugin is absent.
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
meta __LCL__ENV_AND_HDR_FROM_MATCH __ENV_AND_HDR_FROM_MATCH
else
meta __LCL__ENV_AND_HDR_FROM_MATCH 0
endif
# __TVD_SPACE_RATIO
# Only the fallback is needed here; with BodyEval loaded the rule is
# presumably defined by the plugin itself, hence the empty branch.
ifplugin Mail::SpamAssassin::Plugin::BodyEval
#
else
meta __TVD_SPACE_RATIO 0
endif
#
#header REPLYTO_MANY_AT Reply-To =~ /\@.+\@/
#describe REPLYTO_MANY_AT More than one @ in Reply-To:
#
#header SENDER_MANY_AT Sender =~ /\@.+\@/
#describe SENDER_MANY_AT More than one @ in Sender:
#
#header FROM_MANY_AT From =~ /\@.+\@/
#describe FROM_MANY_AT More than one @ in From:
#
# An external relay whose reverse DNS claims to be localhost. The pseudo-header
# is built by SpamAssassin from the Received: chain; (?!127) keeps genuine
# loopback addresses out of the match.
header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
describe RDNS_LOCALHOST Sender's public rDNS is "localhost"
#body EU_SPAM_LAW m,Directive 2000/31/EC of the European Parliament,i
#describe EU_SPAM_LAW Quoting "European Parliament" spam law
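ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# Attachment-type rules. Every mimeheader rule needs the MIMEHeader plugin;
# the else branch at the bottom zeroes the hidden (__) rules so metas that
# reference them stay defined when the plugin is not loaded.
#
# HTML attachment detected via the part's Content-Type or its
# Content-Disposition filename.
mimeheader __HTML_ATTACH_01 Content-Type =~ m,\btext/html\b.+\.html?\b,i
mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.html?\b,i
meta HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02
describe HTML_ATTACH HTML attachment to bypass scanning?
# OBFU_*_ATTACH: a file extension that contradicts the generic
# application/octet-stream media type it is sent with.
mimeheader OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.html?\b,i
describe OBFU_HTML_ATTACH HTML attachment with non-text MIME type
mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i
describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type
#score OBFU_TEXT_ATTACH 2.5
tflags OBFU_TEXT_ATTACH publish
mimeheader OBFU_DOC_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i
describe OBFU_DOC_ATTACH MS Document attachment with generic MIME type
#score OBFU_DOC_ATTACH 0.25
mimeheader OBFU_PDF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i
describe OBFU_PDF_ATTACH PDF attachment with generic MIME type
#score OBFU_PDF_ATTACH 0.25
mimeheader OBFU_JPG_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i
describe OBFU_JPG_ATTACH JPG attachment with generic MIME type
#score OBFU_JPG_ATTACH 1.50
mimeheader OBFU_GIF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i
describe OBFU_GIF_ATTACH GIF attachment with generic MIME type
#score OBFU_GIF_ATTACH 1.50
# __FROM_RUNON is defined further down in this file
meta OBFU_ATTACH_MISSP __FROM_RUNON && (OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || OBFU_DOC_ATTACH || OBFU_PDF_ATTACH || OBFU_JPG_ATTACH || OBFU_GIF_ATTACH)
describe OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From
# mimeheader ECMSNGR_MH X-ecm-part-format =~ /./
# describe ECMSNGR_MH eC-Messenger header
# Content-Type whose value begins with a parameter separator, i.e. no media type at all
mimeheader __CTYPE_NULL Content-Type =~ /^\s*;/
meta CTYPE_NULL __CTYPE_NULL
describe CTYPE_NULL Malformed Content-Type header
# zip media type with nothing (no name= parameter) after it
mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i
meta OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02
describe OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware
# quoted name= value with no dot (no extension); (?!=\?) skips values that
# start with an RFC 2047 encoded-word
mimeheader __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i
# __PDF_ATTACH_MT / __DOC_ATTACH_MT come from the second MIMEHeader block below
meta DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH_MT || __DOC_ATTACH_MT)
describe DOC_ATTACH_NO_EXT Document attachment with suspicious name
mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i
# see https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39?gi=7ec45f2481ce
mimeheader __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename="?[^"]+\.SettingContent-ms\b/i
mimeheader __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i
meta MALW_ATTACH __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02
describe MALW_ATTACH Attachment filename suspicious, probable malware exploit
# .iso filename followed by a closing quote, a parameter separator, or the
# end of the header value. The terminator used to be the character class
# [";$], in which $ is a literal dollar sign rather than an end anchor, so an
# unquoted filename=...iso at the very end of the header was never matched
# and only the Content-Type variant below could catch it; (?:[";]|$) restores
# the intended end-of-value case.
mimeheader __ISO_ATTACH Content-Disposition =~ m,\bfilename="?[^"]+\.iso(?:[";]|$),i
mimeheader __ISO_ATTACH_MT Content-Type =~ m,\bapplication/x-iso9660-image\b,i
meta ISO_ATTACH __ISO_ATTACH || __ISO_ATTACH_MT
describe ISO_ATTACH ISO attachment - possible malware delivery
score ISO_ATTACH 3.000 # limit
else
# Without MIMEHeader, define the hidden rules as 0 so the metas that
# reference them (here and later in this file) remain valid.
meta __HTML_ATTACH_01 0
meta __HTML_ATTACH_02 0
meta __CTYPE_NULL 0
meta __ZIP_ATTACH_NOFN 0
meta __ATTACH_NAME_NO_EXT 0
meta __ZIP_ATTACH_MT 0
meta __MALW_ATTACH_01_01 0
meta __MALW_ATTACH_01_02 0
meta __ISO_ATTACH 0
meta __ISO_ATTACH_MT 0
endif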
# general case of spample observation
#header MUA_ONE_WORD X-Mailer =~ /^[A-Za-z][a-z]*$/
#describe MUA_ONE_WORD Single word X-Mailer: not CamelCase
# Generic "Dear Email User" salutation at the start of a line;
# (?:E|Web)-?mail covers Email, E-mail and Webmail.
body DEAR_EMAIL_USER /^\s?(?:Dear\s|Attention:?\s?)(?:E|Web)-?mail\s(?:account\s)?User\b/i
describe DEAR_EMAIL_USER Dear Email User:
#score DEAR_EMAIL_USER 3.0
# from users list spamples 8/2009
# two or more all-numeric labels directly under a two-letter TLD
uri URI_NUMERIC_CCTLD m;^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/;i
describe URI_NUMERIC_CCTLD CCTLD URI with multiple numeric subdomains
# various MUAs
header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/
header __PHPMAILER_MUA X-Mailer =~ /^PHPMailer\b/
# The two PHP_NOVER_MUA metas differ only in !__DKIM_DEPENDABLE, which is
# available solely when the DKIM plugin is loaded.
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
else
meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
endif
describe PHP_NOVER_MUA Mail from PHP with no version number
score PHP_NOVER_MUA 3.000 # limit
tflags PHP_NOVER_MUA publish
# From should have whitespace between the comment and the address
# Better S/O, good enough for standalone rule
header __FROM_MISSPACED From =~ /^\s*"[^"]*"</
# legit mailers known to misspace from
header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/
header __XEROXWORKCTR_MUA X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/
header __AMADEUSMS_MUA X-Mailer =~ /^Amadeus Messaging Server/
header __FLASHMAIL_MUA X-Mailer =~ /^NetEase Flash Mail \d/
# meta with some stuff to reduce FPs
# (all four known-misspacing MUAs above are negated here)
meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe FROM_MISSPACED From: missing whitespace
score FROM_MISSPACED 2.00
# Encrypted mail provider unable to properly format their headers (as of 07/2011)
header __RCVD_ZIXMAIL X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net /
# Poorer S/O than FROM_MISSPACED but better performance in metas
# __FROM_RUNON_UNCODED looks at the raw header and, via (?<!\?=), refuses to
# treat the "?=" that closes an RFC 2047 encoded-word as the run-on text.
header __FROM_RUNON From =~ /\S+<\w+/
header __FROM_RUNON_UNCODED From:raw =~ /\S+(?<!\?=)<\w+/
ifplugin Mail::SpamAssassin::Plugin::SPF
#meta FROM_MISSP_SPF_FAIL1 (__FROM_RUNON && !SPF_PASS)
#tflags FROM_MISSP_SPF_FAIL1 net
# tflags net: SPF_FAIL needs DNS lookups
meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL)
tflags FROM_MISSP_SPF_FAIL net
score FROM_MISSP_SPF_FAIL 2.00 # limit
endif
# run-on From whose address also matches the envelope sender
# (__LCL__ENV_AND_HDR_FROM_MATCH is the plugin-safe alias defined at the top of the file)
meta __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __LCL__ENV_AND_HDR_FROM_MATCH
meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
describe FROM_MISSP_EH_MATCH From misspaced, matches envelope
score FROM_MISSP_EH_MATCH 2.00 # max
# most hits > 10 points already
#meta __FROM_MISSP_URI __FROM_RUNON_UNCODED && __HAS_ANY_URI
#meta FROM_MISSP_URI __FROM_MISSP_URI && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !MISSING_MIMEOLE && !__REPTO_QUOTE && !__UNSUB_LINK && !__MSGID_OK_HEX && !__MAIL_LINK && !__MIME_QP && !__BUGGED_IMG && !MIME_BASE64_TEXT && !__CTYPE_MULTIPART_ALT && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__THREADED && !__TAG_EXISTS_META
#describe FROM_MISSP_URI From misspaced, has URI
#score FROM_MISSP_URI 2.00 # max
meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER)
describe FROM_MISSP_USER From misspaced, from "User"
# all hits > 10 points already
#meta FROM_MISSP_NO_TO (__FROM_RUNON && MISSING_HEADERS)
#describe FROM_MISSP_NO_TO From misspaced, To missing
meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED)
describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed
# 0 hits 8/2016
#ifplugin Mail::SpamAssassin::Plugin::DKIM
# meta __FROM_MISSP_DKIM (__FROM_RUNON_UNCODED && __DKIM_DEPENDABLE)
# tflags __FROM_MISSP_DKIM net
# meta FROM_MISSP_DKIM __FROM_MISSP_DKIM && !__CTYPE_MULTIPART_ALT && !__MIME_QP && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__MIME_BASE64 && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
# describe FROM_MISSP_DKIM From misspaced, DKIM dependable
#else
# meta __FROM_MISSP_DKIM 0
#endif
meta __FROM_MISSP_REPLYTO __FROM_RUNON && __HAS_REPLY_TO
meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY
describe FROM_MISSP_REPLYTO From misspaced, has Reply-To
score FROM_MISSP_REPLYTO 2.500 # limit
## To the same
#header TO_MISSPACED To =~ /^\s*"[^"]*"</
#describe TO_MISSPACED To: missing whitespace
#score TO_MISSPACED 0.25
# FreeMail-dependent variant; the else branch keeps the hidden rule defined
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA
describe FROM_MISSP_FREEMAIL From misspaced + freemail provider
#score FROM_MISSP_FREEMAIL 2.0
else
meta __FROM_MISSP_FREEMAIL 0
endif
meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
#score FROM_MISSP_MSFT 3.5
meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC
describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS
#score FROM_MISSP_DYNIP 2.0
# observed in spam 8/2009
# "ALL" matches against the whole header block; with /s the .* spans lines,
# and the \1 backreference requires X-Mailer: and Organization: to carry the
# same value, tested in both header orders.
header __MUA_EQ_ORG_1 ALL =~ /\nX-Mailer: ([^\n]+)\n.*Organization: \1\n/ism
header __MUA_EQ_ORG_2 ALL =~ /\nOrganization: ([^\n]+)\n.*X-Mailer: \1\n/ism
meta MAILER_EQ_ORG __MUA_EQ_ORG_1 || __MUA_EQ_ORG_2
describe MAILER_EQ_ORG X-Mailer: same as Organization:
#tflags MAILER_EQ_ORG publish
# same technique for the From: display name vs Organization:
header __FROM_EQ_ORG_1 ALL =~ /\nFrom: "?([^\n]+)"? <[^>]+>\n.*Organization: \1\n/ism
header __FROM_EQ_ORG_2 ALL =~ /\nOrganization: ([^\n]+)\n.*From: "?\1"?/ism
#meta FROM_EQ_ORG __FROM_EQ_ORG_1 || __FROM_EQ_ORG_2
#describe FROM_EQ_ORG From: same as Organization:
#tflags FROM_EQ_ORG publish
# observed in UCE 9/2009
#header __HDRS_LCASE ALL =~ /\n(?:Reply-to|Message-id|Content-type|X-MSMail-priority|from|subject|to|Disposition-notification-to):/sm
# Header names in non-canonical capitalization. No /i flag, so the listed
# spellings are matched literally ("Content-type" hits, "Content-Type" does
# not). Hits are counted up to 3 for the MANY/TOOMANY metas below.
header __HDRS_LCASE ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm
tflags __HDRS_LCASE multiple maxhits=3
# __MSGID_APPLEMAIL is uppercase-only GUID message_id. This may be redundant.
# strict 8-4-4-4-12 hex UUID local part
header __MSGID_GUID Message-ID =~ /^<?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\@/i
# looser upper-case variant that also accepts slightly short groups
header __MSGID_GUID_LOOSE Message-ID =~ /^<?[0-9A-Z]{8}-(?:[0-9A-Z]{3,4}-){3}[0-9A-Z]{11,12}\@/
# UUID-shaped Message-ID that fails the strict form
meta __MSGID_GUID_FAKE __MSGID_GUID_LOOSE && !__MSGID_GUID
# It would be nice if somebody could identify the MUA/MTA that generates this:
header __MSGID_HEX_UID Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/
# It would be nice if somebody could identify the MUA/MTA that generates this:
header __MSGID_HEXISH Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/
# MUAs and MTAs known or suspected to do this
header __UA_MSOMAC User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/
meta __HDRS_LCASE_KNOWN __MSGID_JAVAMAIL || __UA_MSOEMAC || __UA_MSOMAC || __MSGID_APPLEMAIL || __MSGID_HEX_UID || __MSGID_HEXISH
# The FreeMail branch additionally negates __freemail_safe; the two metas
# are otherwise identical.
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
else
meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
endif
describe HDRS_LCASE Odd capitalization of message header
score HDRS_LCASE 0.10 # limit
# __HDRS_LCASE is counted (tflags multiple maxhits=3), so these compare hit counts
meta __MANY_HDRS_LCASE __HDRS_LCASE > 1
meta __TOOMANY_HDRS_LCASE __HDRS_LCASE > 2
# same FreeMail split as HDRS_LCASE above
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
else
meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
endif
describe MANY_HDRS_LCASE Odd capitalization of multiple message headers
score MANY_HDRS_LCASE 0.10 # limit
# Some metas that appear to perform well in masscheck
#meta __HDRS_LCASE_1K __HDRS_LCASE && __SINGLE_HEADER_1K
#meta HDRS_LCASE_1K __HDRS_LCASE_1K && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__MIME_QP && !__BUGGED_IMG && !__BOUNCE_RPATH_NULL && !__NOT_SPOOFED && !__DKIM_EXISTS && !__RDNS_NONE
#describe HDRS_LCASE_1K Odd capitalization of message headers + long header
#score HDRS_LCASE_1K 0.50 # limit
meta HDRS_LCASE_IMGONLY __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN
describe HDRS_LCASE_IMGONLY Odd capitalization of message headers + image-only HTML
score HDRS_LCASE_IMGONLY 0.10 # limit
# observed in UCE from India, 9/2009
# return-receipt request with an empty address
header MDN_BOTCHED Disposition-notification-to =~ /<>/
describe MDN_BOTCHED Malformed return receipt header
# observed in spam 9/2009
# Subject:, From: or To: with no whitespace after the colon
header __HDRS_MISSP ALL =~ /\n(?:Subject|From|To):\S/ism
meta HDRS_MISSP __HDRS_MISSP && !__TAG_EXISTS_HEAD && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH
describe HDRS_MISSP Misspaced headers
score HDRS_MISSP 2.000 # limit
header SPAMMY_MIME_BDRY_01 Content-Type =~ /boundary="\@\@BOUNDARY"/
describe SPAMMY_MIME_BDRY_01 Spammy MIME boundary string
#score SPAMMY_MIME_BDRY_01 0.10
# testing
# Thunderbird-shaped boundary (8+ dashes then 16 digits) in which none of
# the 16 digits is a zero
header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/
meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary
# too dangerous even if it has a good S/O and hits >20% of spam in masschecks
#meta TBIRD_SPOOF __MUA_TBIRD && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__THREADED && !__VIA_ML && !__NOT_SPOOFED && !__HAS_SENDER && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__RP_MATCHES_RCVD && !ALL_TRUSTED && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL_MESSY && !__MIME_BASE64 && !__S25R_1
#describe TBIRD_SPOOF Claims Thunderbird mail client but looks suspicious
#score TBIRD_SPOOF 2.00 # limit
# seen in a few HTML fraud spams
# three consecutive &shy; entities in the raw HTML
rawbody RUNON_SHY /(?:\&shy;){3}/i
describe RUNON_SHY Repeating soft hyphens
#score RUNON_SHY 0.1
tflags RUNON_SHY nopublish
# Seen all too often
header LAZY_LISTWASHING To =~ /\@(?:example\.com|example\.domain|your\.domain|some\.domain|domain\.dom|somewhere\.tld|somewhere\.com|your\.?domain\.com|your\.favorite\.machine)\b/i
describe LAZY_LISTWASHING Lazy spammer, painfully obvious bogus addresses
#score LAZY_LISTWASHING 0.25
# Little to work with
# hidden body phrases used by the *_RVW_ATTCH metas further down
body __PLS_REVIEW /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i
body __DLND_ATTACH /\bdownload\sthe\sattach(?:ed|ment)\b/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# Word-processor and PDF attachments, by media type or by a quoted parameter
# value (name= / filename=) ending in the document extension.
mimeheader __DOC_ATTACH_MT Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i
mimeheader __DOC_ATTACH_FN1 Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i
mimeheader __DOC_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i
meta __DOC_ATTACH (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2)
mimeheader __PDF_ATTACH_MT Content-Type =~ m,\bapplication/pdf\b,i
mimeheader __PDF_ATTACH_FN1 Content-Type =~ /="[^"]+\.pdf"/i
mimeheader __PDF_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.pdf"/i
meta __PDF_ATTACH (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2)
# observed in 419 spam
# two size= parameters in a single Content-Disposition
mimeheader CDISP_SZ_MANY Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/
describe CDISP_SZ_MANY Suspicious MIME header
score CDISP_SZ_MANY 2.0 # limit
else
# keep the hidden rules defined for the metas below and for DOC_ATTACH_NO_EXT above
meta __DOC_ATTACH_MT 0
meta __DOC_ATTACH_FN1 0
meta __DOC_ATTACH_FN2 0
meta __DOC_ATTACH 0
meta __PDF_ATTACH_MT 0
meta __PDF_ATTACH_FN1 0
meta __PDF_ATTACH_FN2 0
meta __PDF_ATTACH 0
endif
# FreeMail-only metas. No else branch: nothing in this section references
# __FREEMAIL_DOC_PDF outside the block.
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta __FREEMAIL_DOC_PDF (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
meta FREEMAIL_DOC_PDF __FREEMAIL_DOC_PDF
describe FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail
meta FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED
describe FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden
meta FREEMAIL_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF
describe FREEMAIL_RVW_ATTCH Please review attached document, from freemail
endif
# "please review the attachment" with nothing else in the body
meta EMPTY_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __EMPTY_BODY
describe EMPTY_RVW_ATTCH Please review attached document, empty message
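# Phrases asking to be taken off future mailings ("stop receiving these
# emails", "remove me from our mailing list", ...). The optional group before
# "from " allows up to four intervening words. That group was written as
# (?:a-z{1,30} ), which outside a character class means the literal text "a-"
# followed by one to thirty "z" characters, so it could never match a real
# word; it is now (?:[a-z]{1,30} ) as the surrounding alternatives intend.
# This widens the match slightly, so re-masscheck before touching the score.
body __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:[a-z]{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i
# The DKIM branch additionally excludes signed / dependable-DKIM mail; the
# metas are otherwise identical.
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED
else
meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER
endif
describe END_FUTURE_EMAILS Spammy unsubscribe
score END_FUTURE_EMAILS 2.500 # limit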
body AD_COMPLAINTS /\bcomplaints about this ad+\b/i
describe AD_COMPLAINTS Complain about this spam
# observed in bank phishing 09/2009
#rawbody MISQ_HTML /<\w{2,20}[^>=]{1,30}=[^"][^">]{1,30}[^=]"[\s>]/
#describe MISQ_HTML Unbalanced quotes in HTML tag
#tflags MISQ_HTML nopublish
# observed in bank phishing 09/2009
# image hot-linked from a wikimedia.org / wikipedia.org host
uri WIKI_IMG m,^https?://[^/]+wiki[mp]edia\.org/.+\.(?:png|gif|jpe?g),i
describe WIKI_IMG Image from wikipedia
# observed in spam 09/2009
header SUBJ_RE_CLNCLN Subject =~ /^\s*RE::/
describe SUBJ_RE_CLNCLN Subject RE::
# observed in spam 02/2011
header TO_SEM_SEM To =~ /;;/
describe TO_SEM_SEM To has ";;"
tflags TO_SEM_SEM nopublish
# at least six dot-terminated labels after the scheme
uri __MANY_SUBDOM m;^https?://(?:[^\./]{1,30}\.){6};i
meta MANY_SUBDOM __MANY_SUBDOM && !__JM_REACTOR_DATE && !__UNSUB_LINK && !__VIA_ML && !NO_RELAYS && !__UPPERCASE_URI && !__MIME_QP
describe MANY_SUBDOM Lots and lots of subdomain parts in a URI
# by request of Benny Pedersen <me@junc.org> on the users list 10/9/2009
#meta RFC_ABUSE_POST (__DNS_FROM_RFC_ABUSE && __DNS_FROM_RFC_POST)
#describe RFC_ABUSE_POST Both abuse and postmaster missing on sender domain
#score RFC_ABUSE_POST 0.01
#tflags RFC_ABUSE_POST net
# case-sensitive on purpose (no /i flag)
body CALL_SKYPE /\bCall this phone number [\w\s]{0,30}with Skype\b/
# <SPAN> tags shouldn't appear in the midst of text
# Both counters stop at 5 hits; the meta below requires the full 5 of each.
rawbody __SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/
tflags __SPAN_BEG_TEXT multiple maxhits=5
rawbody __SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/
tflags __SPAN_END_TEXT multiple maxhits=5
meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4)
meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML
describe MANY_SPAN_IN_TEXT Many <SPAN> tags embedded within text
tflags MANY_SPAN_IN_TEXT publish
#score MANY_SPAN_IN_TEXT 2.50
#uri __FEEDPROXY_URI m;http://feedproxy\.google\.com/;i
#rawbody __FEEDPROXY m;http://feedproxy\.google\.com/;i
#tflags __FEEDPROXY multiple maxhits=5
#meta MANY_GOOG_PROXY __FEEDPROXY > 4
#describe MANY_GOOG_PROXY Many Google feedproxy URIs
# inline style attribute containing two of: a single-digit px font-size or a
# left/right float, with other declarations allowed in between
rawbody TINY_FLOAT /\bstyle\s*=\s*"[^"]{0,40}?(?:(?:FONT-SIZE\s*:\s+\dpx|FLOAT\s*:\s+(?:right|left))(?:;\s+)?(?:(?!(?:FONT-SIZE|FLOAT))\w+:\s+\w+;?\s*)*){2}/i
describe TINY_FLOAT Has small-font floating HTML - text obfuscation?
#score TINY_FLOAT 2.00
# endless requests on the users list...
# To: address identical to the From: address; the \1 backreference is applied
# against the whole header block in both header orders.
header __TO_EQ_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
header __TO_EQ_FROM_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2)
describe __TO_EQ_FROM To: same as From:
#tflags __TO_EQ_FROM publish
# Suggested by Hans-Werner Friedemann on users list 09/30/2010
header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,\s\n]/ism
meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID
describe FROM_IN_TO_AND_SUBJ From address is in To and Subject
tflags FROM_IN_TO_AND_SUBJ publish
# The To: address (or the Received: "for <...>" recipient) repeated in
# Subject:, or an address in Subject: that reappears in To:.
header __SUBJ_HAS_TO_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism
meta __TO_IN_SUBJ (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3)
meta TO_IN_SUBJ __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW
describe TO_IN_SUBJ To address is in Subject
tflags TO_IN_SUBJ publish
score TO_IN_SUBJ 0.1
meta __TO_EQ_FM_HTML_ONLY __TO_EQ_FROM && MIME_HTML_ONLY
meta TO_EQ_FM_HTML_ONLY __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTER
describe TO_EQ_FM_HTML_ONLY To == From and HTML only
#tflags TO_EQ_FM_HTML_ONLY publish
meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX
meta TO_EQ_FM_DIRECT_MX __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED
describe TO_EQ_FM_DIRECT_MX To == From and direct-to-MX
score TO_EQ_FM_DIRECT_MX 2.500 # limit
tflags TO_EQ_FM_DIRECT_MX publish
# Why __HUSH_HUSH hits ham on this in masscheck I don't know. Legit bank emails maybe?
meta __TO_EQ_FM_HTML_DIRECT __TO_EQ_FM_DIRECT_MX && MIME_HTML_ONLY
meta TO_EQ_FM_HTML_DIRECT __TO_EQ_FM_HTML_DIRECT && !__HUSH_HUSH
describe TO_EQ_FM_HTML_DIRECT To == From and HTML only, direct-to-MX
#tflags TO_EQ_FM_HTML_DIRECT publish
# SPF_FAIL needs the SPF plugin (and DNS, hence tflags net); the else branch
# keeps the hidden rule defined.
ifplugin Mail::SpamAssassin::Plugin::SPF
meta __TO_EQ_FM_SPF_FAIL __TO_EQ_FROM && SPF_FAIL
tflags __TO_EQ_FM_SPF_FAIL net
meta TO_EQ_FM_SPF_FAIL __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
describe TO_EQ_FM_SPF_FAIL To == From and external SPF failed
tflags TO_EQ_FM_SPF_FAIL net
else
meta __TO_EQ_FM_SPF_FAIL 0
endif
# Paul Stead on SA list 11/2014
# ++ not liked by perl 5.8.x
# (the possessive quantifiers below are why the whole block is gated on perl >= 5.10)
if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
# From: display name equal to the To: address while the actual From: address
# ((?!\1)...) is something else; tested in both header orders
header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism
header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism
meta PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER
describe PDS_TO_EQ_FROM_NAME From: name same as To: address
# From: display name that is itself an e-mail address, different from the
# address in angle brackets
header __PDS_FROM_2_EMAILS From =~ /^\W+([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i
# NOTE(review): PDS_FROM_2_EMAILS has no describe line in this file -- confirm one exists elsewhere
meta PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__CLICK_HERE && !__BUGGED_IMG && !__RP_MATCHES_RCVD
endif
# Link into a WordPress wp-includes/pomo/ directory pointing at a file other
# than the ones listed, i.e. something dropped there by a compromise.
# NOTE(review): newer WordPress releases also ship plural-forms.php in this
# directory -- confirm the exclusion list is current.
uri __PDS_LOC_WP_POMO m;/wp-includes/pomo/(?!(?:entry|po|mo|streams|translations)\.php).*;i
# all-digit local parts on both sides; negated in the TO_EQ_FM_DOM_* metas below
header __FROM_ALL_NUMS From:addr =~ /^\d+@/
header __TO_ALL_NUMS To:addr =~ /^\d+@/
meta __FM_TO_ALL_NUMS __FROM_ALL_NUMS && __TO_ALL_NUMS
# From: and To: share the same domain, tested in both header orders
header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+[^\n]+@\1[>,\s\n]/ism
header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+[^\n]+@\1[>,\s\n]/ism
meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2)
describe __TO_EQ_FROM_DOM To: domain same as From: domain
meta __TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FROM_DOM && MIME_HTML_ONLY
meta TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FM_DOM_HTML_ONLY && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__FM_TO_ALL_NUMS && !__FROM_LOWER && !__HAS_IN_REPLY_TO && !__BUGGED_IMG && !__FROM_ENCODED_QP && !__MSGID_OK_HEX
describe TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only
meta __TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE
meta TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD
describe TO_EQ_FM_DOM_HTML_IMG To domain == From domain and HTML image link
# same SPF guard pattern as TO_EQ_FM_SPF_FAIL above
ifplugin Mail::SpamAssassin::Plugin::SPF
meta __TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FROM_DOM && SPF_FAIL
tflags __TO_EQ_FM_DOM_SPF_FAIL net
meta TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
describe TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed
tflags TO_EQ_FM_DOM_SPF_FAIL net
else
meta __TO_EQ_FM_DOM_SPF_FAIL 0
endif
# Evaluate ReturnPath and blacklist collisions
# Hidden, net-flagged, unpublished metas pairing a ReturnPath Safe/Certified
# hit with a DNSBL hit on the same message; no scores are attached here, so
# they evidently exist only for masscheck statistics.
meta __RP_SAFE_BRBL RCVD_IN_RP_SAFE && RCVD_IN_BRBL_LASTEXT
meta __RP_CERTIFIED_BRBL RCVD_IN_RP_CERTIFIED && RCVD_IN_BRBL_LASTEXT
tflags __RP_SAFE_BRBL net nopublish
tflags __RP_CERTIFIED_BRBL net nopublish
meta __RP_SAFE_ZEN RCVD_IN_RP_SAFE && __RCVD_IN_ZEN
meta __RP_CERTIFIED_ZEN RCVD_IN_RP_CERTIFIED && __RCVD_IN_ZEN
tflags __RP_SAFE_ZEN net nopublish
tflags __RP_CERTIFIED_ZEN net nopublish
meta __RP_SAFE_SORBS RCVD_IN_RP_SAFE && __RCVD_IN_SORBS
meta __RP_CERTIFIED_SORBS RCVD_IN_RP_CERTIFIED && __RCVD_IN_SORBS
tflags __RP_SAFE_SORBS net nopublish
tflags __RP_CERTIFIED_SORBS net nopublish
meta __RP_SAFE_XBL RCVD_IN_RP_SAFE && RCVD_IN_XBL
meta __RP_CERTIFIED_XBL RCVD_IN_RP_CERTIFIED && RCVD_IN_XBL
tflags __RP_SAFE_XBL net nopublish
tflags __RP_CERTIFIED_XBL net nopublish
meta __RP_SAFE_PSBL RCVD_IN_RP_SAFE && RCVD_IN_PSBL
meta __RP_CERTIFIED_PSBL RCVD_IN_RP_CERTIFIED && RCVD_IN_PSBL
tflags __RP_SAFE_PSBL net nopublish
tflags __RP_CERTIFIED_PSBL net nopublish
#meta __RP_SAFE_ANBREP_L3 RCVD_IN_RP_SAFE && RCVD_IN_ANBREP_L3
#meta __RP_CERTIFIED_ANBREP_L3 RCVD_IN_RP_CERTIFIED && RCVD_IN_ANBREP_L3
#tflags __RP_SAFE_ANBREP_L3 net nopublish
#tflags __RP_CERTIFIED_ANBREP_L3 net nopublish
# a URI in the From comment text, to bypass URIBL checks
# simplistic URI format for now
# __FROM_URI_1: "www." style host, followed later by a quote or "<" so the
# match stays inside the display-name part; __FROM_URI_2: explicit http://
header __FROM_URI_1 From =~ /[^\@]www[.\s][^\s"<\@]+[.\s](?:com|net|info|biz|org|\w\w)\b.*["<]/i
header __FROM_URI_2 From =~ m;http://(?:[^.\s]+\.){1,3}(?:com|net|info|biz|org|\w\w)\b;i
meta FROM_URI __FROM_URI_1 || __FROM_URI_2
describe FROM_URI URI or www. in From
# observed in spam feb 2010
# Apparently-To per RFC2821 SHOULD NOT be used
# counted up to 21 hits so the "> 20" test below can tell "many" apart
header __APPARENTLY_TO Apparently-To =~ /<.*>/
tflags __APPARENTLY_TO multiple maxhits=21 nopublish
meta HAS_APPARENTLY_TO __APPARENTLY_TO > 0
describe HAS_APPARENTLY_TO Has deprecated Apparently-To header
#score HAS_APPARENTLY_TO 0.50
tflags HAS_APPARENTLY_TO nopublish
meta MANY_APPARENTLY_TO __APPARENTLY_TO > 20
describe MANY_APPARENTLY_TO Has many Apparently-To headers
#score MANY_APPARENTLY_TO 2.00
tflags MANY_APPARENTLY_TO nopublish
# obfuscation of "opt out"
# <O>, <P>, ... are ReplaceTags placeholders expanded by replace_rules; the
# lookahead excludes the plainly spelled "opt out"/"opt-out".
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_OPTOUT /\s(?!opt.?out)<O><P><T>.?<O><U><T>/i
replace_rules FUZZY_OPTOUT
describe FUZZY_OPTOUT Obfuscated opt-out text
endif
# stock spam disclaimer obfuscation
# body GAPPY_TRADING /\b(?!trading)t[^a-z\s]?r[^a-z\s]?a[^a-z\s]?d[^a-z\s]?i[^a-z\s]?n[^a-z\s]?g/i
# body GAPPY_SECURITIES /\b(?!securities)s[^a-z\s]?e[^a-z\s]?c[^a-z\s]?u[^a-z\s]?r[^a-z\s]?i[^a-z\s]?t[^a-z\s]?i[^a-z\s]?e[^a-z\s]?s/i
# body GAPPY_RISK /\b(?!risky?)r[^a-z\s]?i[^a-z\s]?s[^a-z\s]?k(?:[^a-z\s]?y)?/i
# body GAPPY_SELLING /\b(?!selling)s[^a-z\s]?e[^a-z\s]?l[^a-z\s]?l[^a-z\s]?i[^a-z\s]?n[^a-z\s]?g/i
# body GAPPY_HUNDRED /\b(?!hundred)h[^a-z\s]?u[^a-z\s]?n[^a-z\s]?d[^a-z\s]?r[^a-z\s]?e[^a-z\s]?d/i
# body GAPPY_THOUSAND /\b(?!thousand)t[^a-z\s]?h[^a-z\s]?o[^a-z\s]?u[^a-z\s]?s[^a-z\s]?a[^a-z\s]?n[^a-z\s]?d/i
# body GAPPY_EXPENSES /\b(?!expenses)e[^a-z\s]?x[^a-z\s]?p[^a-z\s]?e[^a-z\s]?n[^a-z\s]?s[^a-z\s]?e[^a-z\s]?s/i
# body GAPPY_DOLLARS /\b(?!dollars)d[^a-z\s]?o[^a-z\s]?l[^a-z\s]?l[^a-z\s]?a[^a-z\s]?r[^a-z\s]?s/i
#
# describe GAPPY_TRADING Possible obfuscated stock disclaimer
# describe GAPPY_SECURITIES Possible obfuscated stock disclaimer
# describe GAPPY_RISK Possible obfuscated stock disclaimer
# describe GAPPY_SELLING Possible obfuscated stock disclaimer
# describe GAPPY_HUNDRED Possible obfuscated stock disclaimer
# describe GAPPY_THOUSAND Possible obfuscated stock disclaimer
# describe GAPPY_EXPENSES Possible obfuscated stock disclaimer
# describe GAPPY_DOLLARS Possible obfuscated stock disclaimer
# The letters of the word with at most one non-letter between each pair; the
# lookaheads exclude the plain spelling so only the obfuscated form hits.
body GAPPY_GENITALIA /\bp(?!enis)(?!en is)[^a-z]?e[^a-z]?n[^a-z]?i[^a-z]?s(?:\b|_)/i
describe GAPPY_GENITALIA G.a.p.p.y male body parts
body GAPPY_PILLS /\bp(?!ills)[^a-z]?i[^a-z]?l[^a-z]?l[^a-z]?s(?:\b|_)/i
describe GAPPY_PILLS G.a.p.p.y pills
# hidden helpers for the *_GIBBERISH metas; "body" sees the rendered text,
# so these tell whether the tag survived rendering
body __STYLE_TAG_IN_BODY /<style(?:[^>]{0,30})?>/i
body __BODY_XHTML /<x-html>/i
#if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
# # possessive {0,4}+ requires perl 5.10 or better
# rawbody __STYLE_GIBBERISH_1 /<style(?:\s[^>]{0,40})?>(?:\s{0,100}(?!<\/style>)(?:(?:\/\*(?:\s|[^*<]|\*(?!\/)|<(?!\/style>|!--)){0,200}\*\/)|\#[^{<]{1,50}\{[^}<]{4,100}\})){0,4}+(?:\s{0,100}(?!<\/style>|\/\*|<!--)(?:\/{3,}?\*|,,?+|;;?+|::?+|\|\|?+|[^\s:;,\|]|[:;,\|\/]{2})){150}/im
#else
# # older perl, can't deal with style comments properly
# rawbody __STYLE_GIBBERISH_1 /<style(?:\s[^>]{0,40})?>(?:\s{0,100}(?!<\/style>|\/\*)[^\s:;,]){150}/im
#endif
#rawbody __STYLE_GIBBERISH_2 /\.style\w{0,20}\s{1,10}\{[^:;]{200}/im
#rawbody __STYLE_GIBBERISH_3 /<style(?:\s[^>]{0,40})?>\s{0,80}(?:[\w:]{1,30}\s{0,10}\{[^}]{1,50}\}\s{0,80}){1,5}(?:[\w,.']{1,30}\s{1,10}){40}/im
#meta __STYLE_GIBBERISH (__STYLE_GIBBERISH_1 || __STYLE_GIBBERISH_2 || __STYLE_GIBBERISH_3)
#meta STYLE_GIBBERISH __STYLE_GIBBERISH && (__BODY_XHTML || !__STYLE_TAG_IN_BODY) && !__RCD_RDNS_MX_MESSY && !__HAS_THREAD_INDEX && !__ANY_OUTLOOK_MUA && !__MIME_QP && !ALL_TRUSTED
#describe STYLE_GIBBERISH Nonsense in HTML <STYLE> tag
#score STYLE_GIBBERISH 3.50 # limit
#tflags STYLE_GIBBERISH publish
# Both patterns require a bare "<script>"; a tag carrying attributes
# ("<script type=...>") is not matched by either. The meta fires only when
# the tag does not survive into the rendered body (or the part is <x-html>).
body __SCRIPT_TAG_IN_BODY /<script>/i
rawbody __SCRIPT_GIBBERISH /<script>[^;<]{100}/im
meta SCRIPT_GIBBERISH __SCRIPT_GIBBERISH && (__BODY_XHTML || !__SCRIPT_TAG_IN_BODY) && !__TAG_EXISTS_META
describe SCRIPT_GIBBERISH Nonsense in HTML <SCRIPT> tag
# 100 short whitespace-separated tokens inside one HTML comment
rawbody __COMMENT_GIBBERISH /<!--(?:\s{1,10}[-\w'"]{1,40}){100}/im
meta COMMENT_GIBBERISH __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT
describe COMMENT_GIBBERISH Nonsense in long HTML comment
score COMMENT_GIBBERISH 1.50 # limit
tflags COMMENT_GIBBERISH publish
#rawbody MANY_DIV_5 /(?:<div[^>]{0,30}>\s{0,80}){5}/im
#tflags MANY_DIV_5 nopublish
#rawbody MANY_DIV_6 /(?:<div[^>]{0,30}>\s{0,80}){6}/im
#tflags MANY_DIV_6 nopublish
#rawbody MANY_DIV_7 /(?:<div[^>]{0,30}>\s{0,80}){7}/im
#tflags MANY_DIV_7 nopublish
#rawbody MANY_DIV_8 /(?:<div[^>]{0,30}>\s{0,80}){8}/im
#tflags MANY_DIV_8 nopublish
#rawbody MANY_DIV_9 /(?:<div[^>]{0,30}>\s{0,80}){9}/im
#tflags MANY_DIV_9 nopublish
#rawbody MANY_DIV_10 /(?:<div[^>]{0,30}>\s{0,80}){10}/im
#tflags MANY_DIV_10 nopublish
#header FROM_TRL_UNDR From =~ /_\@/
#tflags FROM_TRL_UNDR nopublish
#body LOTSA_EMAILS /\b(?:thousand|million)\se-?mail(?:\saddresse)?s?\b/i
#tflags LOTSA_EMAILS nopublish
# large quantities of addresses, leads or names on offer; the lookahead
# skips an intervening "and"/"or"/"your"/"place"/"baby"
body __BIGNUM_EMAILS /\b(?:thousand|million|\d[,\d]{4,})\s(?:(?!and|or|your|place|baby)\w+\s)?(?:e-?mail\saddresses|leads|names)\b/i
meta BIGNUM_EMAILS __BIGNUM_EMAILS && !__SPOOFED_URL && !__BUGGED_IMG
describe BIGNUM_EMAILS Lots of email addresses/leads
score BIGNUM_EMAILS 3.00 # limit
#tflags BIGNUM_EMAILS nopublish
#rawbody __HTML_ELEM_OBFU /[a-z\s]&\#[91]\d\d?[a-z]/
#tflags __HTML_ELEM_OBFU multiple nopublish
#meta HTML_ELEM_OBFU_25 __HTML_ELEM_OBFU > 25
#tflags HTML_ELEM_OBFU_25 nopublish
#meta HTML_ELEM_OBFU_50 __HTML_ELEM_OBFU > 50
#tflags HTML_ELEM_OBFU_50 nopublish
#meta HTML_ELEM_OBFU_100 __HTML_ELEM_OBFU > 100
#tflags HTML_ELEM_OBFU_100 nopublish
#meta HTML_ELEM_OBFU_150 __HTML_ELEM_OBFU > 150
#tflags HTML_ELEM_OBFU_150 nopublish
#header PPMC_FROM_1 From =~ /\bPayPa[IL](?:\.Com)?\b/
#describe PPMC_FROM_1 Paypal phishing sign
# Hidden (dot-prefixed) file or directory component in a URI path.  The
# separator alternation accepts the percent-encoded forms %2f / %5c as well
# as a literal "/" or "\", so an encoded slash does not slip past the check;
# the negative lookahead excludes the ordinary "." and ".." path components,
# and at least 8 characters must precede the separator.
uri URI_HIDDEN_2 m;.{8}(?:[/\\]|%(?i:5c|2f))(?!\.\.?[/%\\])\..;
describe URI_HIDDEN_2 URI contains a hidden file or directory
# Catch spam originating from 41.0.0.0/8 (Africa, incl S.Africa)
# Ned Slider, SAU list, 3/11/2010
# NOTE(review): X-Originating-IP is an ordinary message header, so its value
# is whatever the submitting client or webmail wrote; nothing here validates
# it.  The optional "(?:.+\[)?" prefix accepts the bracketed "[41.x.x.x]"
# form as well as a bare address.
header __NSL_ORIG_FROM_41 X-Originating-IP =~ /^(?:.+\[)?41\./
describe __NSL_ORIG_FROM_41 Originates from 41.0.0.0/8
# Catch spam injected from 41.0.0.0/8 (Africa, incl S.Africa)
# Ned Slider, SAU list, 3/11/2010
# consider using khop __RCVD_VIA_AFRINIC_E instead
#header __NSL_RCVD_FROM_41 Received =~ /[([]41\./
# Checks the ip= field of the X-Spam-Relays-External pseudo-header, which
# SpamAssassin derives from the Received: chain, rather than raw Received:
# lines.
header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./
describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8
# Only the relay-based check is combined with LOTS_OF_MONEY (defined
# elsewhere); the header-based __NSL_ORIG_FROM_41 is not.
meta __MONEY_FROM_41 __NSL_RCVD_FROM_41 && LOTS_OF_MONEY
meta MONEY_FROM_41 __MONEY_FROM_41
describe MONEY_FROM_41 Lots of money from Africa
score MONEY_FROM_41 2.00 # limit
# some metas combining the above, which may reduce FPs
# When the FreeMail plugin is absent the name is stubbed to 0 so any meta
# that references __FROM_41_FREEMAIL still parses.
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED
describe __FROM_41_FREEMAIL Sent from Africa + freemail provider
# meta __FROM_AFR_FREEMAIL __RCVD_VIA_AFRINIC_E && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED
# describe __FROM_AFR_FREEMAIL Sent from Africa + freemail provider
else
meta __FROM_41_FREEMAIL 0
endif
# More from Ned
header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
describe NSL_RCVD_HELO_USER Received from HELO User
header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
describe NSL_RCVD_FROM_USER Received from User
# observed in spam 3/11/2010
header DATE_DOTS Date =~ /\d\d\.\d\d\.\d\d/
describe DATE_DOTS Periods in date header
uri IMAGESHACK_URI /\.imageshack\.us\//i
describe IMAGESHACK_URI URI contains imageshack.us
#uri __DYNDNS_URI /\.dyndns\.org(?:\/.*)?/i
#tflags __DYNDNS_URI multiple maxhits=2
#meta DYNDNS_URIS __DYNDNS_URI > 1
#describe DYNDNS_URIS Has multiple dyndns.org URIs
## Does not perform better than the URL_SHORTENER family;
## the ones it misses are already scoring 7+ points
#uri __BITLY_URI /\/\/bit\.ly\//i
#meta BITLY_URI __BITLY_URI && !__HDR_CASE_REVERSED && !__HAS_SENDER && !__HAS_CAMPAIGNID && !__DOS_HAS_LIST_UNSUB && !__HAS_ERRORS_TO && !__MAIL_LINK && !__MSGID_JAVAMAIL && !__ENV_AND_HDR_FROM_MATCH && !__THREADED && !__USING_VERP1 && !__IMG_VIA_BITLY && !__URL_SHORTENER
#describe BITLY_URI URI contains bit.ly
#score BITLY_URI 3.000 # limit
#tflags BITLY_URI publish
#
## HTML image sourced via URL shortening service:
## <IMG border=0 hspace=0 alt="" src="http://bit.ly/1OiuN0y" width=26 height=25>
#rawbody __IMG_VIA_BITLY m;<img\s[^>]+\ssrc\s*=\s*"?https?://(?:www\.)?bit\.ly/;i
#meta IMG_VIA_BITLY __IMG_VIA_BITLY && !SHORTENED_URL_SRC
#describe IMG_VIA_BITLY HTML image via URL shortener - URIBL avoidance?
#score IMG_VIA_BITLY 2.500 # limit
uri __URI_OBFU_DOM /:\/\/(?:\w+\.)+(?:com|gov|net|org)(?:\.\w+){3,}\//i
meta URI_OBFU_DOM __URI_OBFU_DOM && !__VIA_ML
describe URI_OBFU_DOM URI pretending to be different domain
uri DQ_URI_DOM_IN_PATH /:\/\/[\d\.]+\/[^\/]+\/[^\@]+[a-z0-9]\w{3,}\.(?:com|gov|net)/i
describe DQ_URI_DOM_IN_PATH DQ URI having a domain name in the path part
uri LH_URI_DOM_IN_PATH /:\/\/[^\/]{25,}\/[^\/]+\/[^\@]+[a-z0-9]\w{3,}\.(?:com|gov|net)/i
describe LH_URI_DOM_IN_PATH Long-host URI having a domain name in the path part
# observed in phish 4/10/10
uri URI_1234 m,//1\.2\.3\.4/,
# requested by Benny Pedersen 17 Apr 2010, 10 Aug 2011
# SPF sub-rules for use in metas.  Both carry tflags "net" because the SPF
# results they depend on come from DNS lookups.
ifplugin Mail::SpamAssassin::Plugin::SPF
# envelope-sender SPF and HELO SPF both passed
meta __SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS)
tflags __SPF_FULL_PASS net
# HELO passed but the envelope sender did not get a "pass"; !SPF_PASS is
# satisfied by any other outcome (fail, softfail, neutral, no record, or
# SPF not evaluated at all)
meta __SPF_RANDOM_SENDER (SPF_HELO_PASS && !SPF_PASS)
tflags __SPF_RANDOM_SENDER net
else
# plugin not loaded: define the names as constant 0 so metas still parse
meta __SPF_FULL_PASS 0
meta __SPF_RANDOM_SENDER 0
endif
# Spam from ZA
header CAN_SPAM_HDR CAN-SPAM_Compliant =~ /./
header RPT_SPAM_HDR Report-SPAM =~ /./
#header LONG_FROM From =~ /<[^<@]{40,}\w\@/
#if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
# body __MANY_RECORDS_1 /\s[A-Z][a-z]{1,30}s(?:\sDatabase)?[-:\s]{2,5}(?i:1\smillion\s|\d[\d,.]{1,8}[Kk]?\s(?i:thousand\s|million\s)?)(?i:total\s|full\sdata\s)?(?i:email|record)s/
# tflags __MANY_RECORDS_1 multiple maxhits=16
# body __MANY_RECORDS_2 /\W{1,4}\s(?:[a-z\/]{1,20}\s){0,4}(?:doctor|physician|provider|therapist|counselor|dentist|veterinarian|clinic|hospital|agent|chiropractor|psychologist|companie|supplier)s/i
# tflags __MANY_RECORDS_2 multiple maxhits=16
# body __MANY_RECORDS_3 /\W{1,4}\s(?:(?:[A-Z]{1,2}[a-z\/]{0,20}|and)\s){0,4}[A-Z][a-z]{1,20}s Database/
# tflags __MANY_RECORDS_3 multiple maxhits=16
# #meta BIG_LISTS (__MANY_RECORDS_1 + __MANY_RECORDS_2 + __MANY_RECORDS_3) > 5
# meta __MANY_BIG_LISTS (__MANY_RECORDS_1 + __MANY_RECORDS_2 + __MANY_RECORDS_3) > 15
# meta MANY_BIG_LISTS __MANY_BIG_LISTS && !HTML_MESSAGE && !__CTYPE_MULTIPART_ANY && !__HS_SUBJ_RE_FW && !__HAS_THREAD_INDEX
# describe MANY_BIG_LISTS Lots of mailing lists / databases available!
#endif
# Suggested by Gerard Z 2010-08-15
#uri __GZ_PILL_SQUAT1 /\/[a-z]{3,8}\d{2}\.html/i
#uri __GZ_PILL_SQUAT2 /\/[a-z]{3,8}\d{2}\.jpg/i
#meta __GZ_PILL_SQUATTERS __GZ_PILL_SQUAT1 && __GZ_PILL_SQUAT2
#meta GZ_PILL_SQUATTERS __GZ_PILL_SQUATTERS && !__DOS_RELAYED_EXT && !__FROM_ISO_2022_JP && !__RCD_RDNS_MX_MESSY
#describe GZ_PILL_SQUATTERS Found a link to rogue pill pusher content
# observed in multiple spams
header TO_JOHNZY TO =~ /johnzy_the_king\@hotmail\.com/i
describe TO_JOHNZY To a spammy recipent
#score TO_JOHNZY 3.00
# Discussed on list and observed in spam 10/15/2010
header TO_ONE_CHAR To =~ /^\s*"<"\s*</
describe TO_ONE_CHAR Bogus TO name
# Check From: as well...
header FROM_ONE_CHAR From =~ /^\s*"[^"]"\s*</
describe FROM_ONE_CHAR Bogus FROM name
# __ version of khop rule for FP filtering
meta __NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL
# 12-letter domain names, suggested by Len Conrad on the users list
header __RCVD_12LTRDOM Received =~ /[(\s.][a-z]{12}\./
header __RPATH_12LTRDOM Return-Path =~ /\@[a-z]{12}\./
uri __URI_12LTRDOM m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i
header __FROM_12LTRDOM_1 From =~ /\@(?!facebookmail)[a-z]{12}\./
## suppressed: masscheck publishes it as a T_ rule and ignores the score limit, so hits get 1 point
#ifplugin Mail::SpamAssassin::Plugin::FreeMail
# meta FROM_12LTRDOM __FROM_12LTRDOM_1 && !__VIA_ML && !__TO___LOWER && !__FS_SUBJ_RE && !__RCD_RDNS_MAIL_MESSY && !__freemail_safe && !__UNSUB_LINK && !NO_RELAYS && !__UNUSABLE_MSGID && !DATE_IN_PAST_96_XX && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__RCD_RDNS_SMTP_MESSY && !__FB_NATIONAL && !__MAIL_LINK && !__NAME_EMAIL_DIFF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__SENDER_BOT && !__IMS_MSGID && !__HS_SUBJ_RE_FW && !__DOS_HAS_LIST_UNSUB && !__THREAD_INDEX_GOOD && !__TO_EQ_FROM_DOM && !__URI_MAILTO && !__SUBSCRIPTION_INFO
#else
# meta FROM_12LTRDOM __FROM_12LTRDOM_1 && !__VIA_ML && !__TO___LOWER && !__FS_SUBJ_RE && !__RCD_RDNS_MAIL_MESSY && !__UNSUB_LINK && !NO_RELAYS && !__UNUSABLE_MSGID && !DATE_IN_PAST_96_XX && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__RCD_RDNS_SMTP_MESSY && !__FB_NATIONAL && !__MAIL_LINK && !__NAME_EMAIL_DIFF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__SENDER_BOT && !__IMS_MSGID && !__HS_SUBJ_RE_FW && !__DOS_HAS_LIST_UNSUB && !__THREAD_INDEX_GOOD && !__TO_EQ_FROM_DOM && !__URI_MAILTO && !__SUBSCRIPTION_INFO
#endif
#describe FROM_12LTRDOM From a 12-letter domain
##tflags FROM_12LTRDOM nopublish
#score FROM_12LTRDOM 0.10 # limit
# promising masscheck results
meta __MONEY_12LTRDOM __FROM_12LTRDOM_1 && __LOTSA_MONEY_00
meta MONEY_12LTRDOM __MONEY_12LTRDOM
score MONEY_12LTRDOM 0.10 # limit
describe MONEY_12LTRDOM Mentions lots of money and from a 12-letter domain
# spammer email addresses noted by D. German on users list 9/2010
body DG_SPAMMER_EMAIL_B /\b[a-z]{10,30}\.[a-z]{3,10}\@[a-z]{3,10}\.[a-z]{6,30}\.[a-z]{2,4}\b/
header DG_SPAMMER_EMAIL_F From =~ /\b[a-z]{10,30}\.[a-z]{3,10}\@[a-z]{3,10}\.[a-z]{6,30}\.[a-z]{2,4}\b/
describe DG_SPAMMER_EMAIL_B Recognized spammer email address in body
describe DG_SPAMMER_EMAIL_F Recognized spammer email address in From: header
# Spammers can't include the real name successfully...
body __FORGED_FB_USERCP_01 /This message was intended for Want to control which emails you receive from Facebook\?/i
# Javascript obfuscation noted by J. Brennan on the Users list 09/2010
rawbody OBFU_JVSCR_ESC /document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i
describe OBFU_JVSCR_ESC Injects content using obfuscated javascript
#score OBFU_JVSCR_ESC 2.75
tflags OBFU_JVSCR_ESC publish
# Starting to observe in spam
meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID
meta LIST_PARTIAL __LIST_PARTIAL && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_SENDER && !__HAS_ERRORS_TO
describe LIST_PARTIAL Has incomplete List-* header set
score LIST_PARTIAL 1.000 # limit
meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR
meta LIST_PRTL_SAME_USER __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO
describe LIST_PRTL_SAME_USER Incomplete List-* headers and from+to user the same
score LIST_PRTL_SAME_USER 3.000 # limit
tflags LIST_PRTL_SAME_USER publish
meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1
meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS
describe LIST_PRTL_PUMPDUMP Incomplete List-* headers and stock pump-and-dump
score LIST_PRTL_PUMPDUMP 2.000 # limit
tflags LIST_PRTL_PUMPDUMP publish
# in lots of phishing
uri __UCOZ_URI /\.ucoz\.org\//i
describe __UCOZ_URI URI contains ucoz.org
# Intrust Domains is a persistent domain registration spammer
# a recent sign, which will likely change
#body __ARTHUR_SIMMONS /Arthur Simmons/
#body __INTRUST_DOMS /In[Tt]rust Domains/
#meta ARTHUR_INTRUST __ARTHUR_SIMMONS && __INTRUST_DOMS
#describe ARTHUR_INTRUST Arthur Simmons - registrar spammer extraordinaire
#header ART_NAMES_ORG Received =~ /\bart\.names\.org\b/i
#describe ART_NAMES_ORG Arthur Simmons - registrar spammer extraordinaire
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __PILL_PRICE_01 m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i
body __PILL_PRICE_02 /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i
tflags __PILL_PRICE_01 multiple maxhits=3
tflags __PILL_PRICE_02 multiple maxhits=3
meta ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON
describe ANY_PILL_PRICE Prices for pills
meta MANY_PILL_PRICE (__PILL_PRICE_01 + __PILL_PRICE_02) > 2
describe MANY_PILL_PRICE Prices for many pills
else
meta __PILL_PRICE_01 0
meta __PILL_PRICE_02 0
endif
# More from Ned Slider
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta NSL_FREEMAIL_SUBJ (FREEMAIL_FROM && MISSING_SUBJECT)
describe NSL_FREEMAIL_SUBJ From freemail with missing subject
# score NSL_FREEMAIL_SUBJ 1.0
tflags NSL_FREEMAIL_SUBJ nopublish
meta NSL_FREEMAIL_M1 (NSL_FREEMAIL_SUBJ && (__HAS_ANY_URI || __MANY_RECIPS))
describe NSL_FREEMAIL_M1 From freemail, missing subject and uri or many recips
# score NSL_FREEMAIL_M1 1.0
tflags NSL_FREEMAIL_M1 nopublish
meta NSL_FREEMAIL_M2 (FREEMAIL_FROM && __HAS_ANY_URI && __MANY_RECIPS)
describe NSL_FREEMAIL_M2 From freemail with uri and many recips
# score NSL_FREEMAIL_M2 1.0
tflags NSL_FREEMAIL_M2 nopublish
endif
header NSL_TO_ENDS_COMMA To =~ /,$/
describe NSL_TO_ENDS_COMMA To: ends with a comma
#score NSL_TO_ENDS_COMMA 0.001
tflags NSL_TO_ENDS_COMMA nopublish
body CN_B2B_SPAMMER /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i
describe CN_B2B_SPAMMER Chinese company introducing itself
tflags CN_B2B_SPAMMER publish
body CN_OPTOUT_EML /\b(?:pasamenzi|arinayuma)\@sina\.com\b/i
describe CN_OPTOUT_EML Opt-out email address in CN B2B spams
# __ version of khopesh UPPERCASE_URI, for use in metas
uri __UPPERCASE_URI /^[^:A-Z]+[A-Z]/
# __ version of khopesh SINGLE_HEADER_1K, for use in metas
#header __SINGLE_HEADER_1K ALL:raw =~ /(?-xim:(?=(?!X-Spam|X-MailScan)(?:^|\n)[^\s\n]+:(?:.(?!\n\S)){1024,2047}.(?:\n\S|$)))/s
# for sale newsletters
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __FOR_SALE_OBO /\bor best offer\b/i
tflags __FOR_SALE_OBO multiple maxhits=6
meta __FOR_SALE_OBO_MANY __FOR_SALE_OBO > 5
body __FOR_SALE_PRC_1K /\bprice:? \$\d,?\d\d\d[.\s]/i
tflags __FOR_SALE_PRC_1K multiple maxhits=11
meta __FOR_SALE_PRC_1K_MANY __FOR_SALE_PRC_1K > 10
body __FOR_SALE_PRC_10K /\bprice:? \$\d\d,\d\d\d/i
tflags __FOR_SALE_PRC_10K multiple maxhits=11
meta __FOR_SALE_PRC_10K_MANY __FOR_SALE_PRC_10K > 10
body __FOR_SALE_PRC_100K /\bprice:? \$\d\d\d,\d\d\d/i
tflags __FOR_SALE_PRC_100K multiple maxhits=11
meta __FOR_SALE_PRC_100K_MANY __FOR_SALE_PRC_100K > 5
meta __FOR_SALE_PRC_MANY (__FOR_SALE_PRC_1K + __FOR_SALE_PRC_10K + __FOR_SALE_PRC_100K) > 20
body __FOR_SALE_LTP /00\.? (?:less 10%|LTP)/i
tflags __FOR_SALE_LTP multiple maxhits=11
meta __FOR_SALE_LTP_MANY __FOR_SALE_LTP > 10
body __FOR_SALE_NET /00\.? NET/i
tflags __FOR_SALE_NET multiple maxhits=11
meta __FOR_SALE_NET_MANY __FOR_SALE_NET > 10
rawbody __FOR_SALE_PRC_EOL /\s\$\d{1,3},\d00(?:\.00)?$/m
tflags __FOR_SALE_PRC_EOL multiple maxhits=11
meta __FOR_SALE_PRC_EOL_MANY __FOR_SALE_PRC_EOL > 10
endif
uri __URI_MAILTO /^mailto:/i
tflags __URI_MAILTO multiple maxhits=16
meta __URI_MAILTO_MANY __URI_MAILTO > 15
header REPLYTO_EMPTY Reply-To =~ /<>/
describe REPLYTO_EMPTY Reply-To undeliverable
header __TO_MANY To =~ /(?:,[^,]{1,90}){10}/
header __CC_MANY Cc =~ /(?:,[^,]{1,90}){10}/
header __TO_TOO_MANY To =~ /(?:,[^,]{1,90}){30}/
header __CC_TOO_MANY Cc =~ /(?:,[^,]{1,90}){30}/
header __TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,90}){50}/
meta FREEMAIL_MANY_TO __TO_WAY_TOO_MANY && FREEMAIL_FROM
describe FREEMAIL_MANY_TO Freemail sender, 50+ exposed recipients
score FREEMAIL_MANY_TO 2.000 # limit
body __GAPPY_PHONE_NA /1 ?- \d \d \d ?- \d \d \d ?- \d \d \d \d/
meta GAPPY_PHONE_NA __GAPPY_PHONE_NA
describe GAPPY_PHONE_NA Phone number with lots of spaces
full __GAPPY_HTML_01 m;</?[a-z]{1,6}(?:\s[^>]{0,40})?>(?:\s|=09){0,80}(?:(?!\d)[\w'()\#,.:!]{1,15}(?:\s|=09){4,80}){7}\S;
full __GAPPY_HTML_02 m;\S(?:(?:\s|=09){4,80}(?!\d)[\w'()\#,.:!]{1,15}){7}(?:\s|=09){0,5}</?[a-z]{1,6}/?>;
#full __GAPPY_HTML_03 /^(?:=09){5,20}</m
#tflags __GAPPY_HTML_03 multiple maxhits=11
#full __GAPPY_HTML_04 /^(?:=0A){5,20}/m
#tflags __GAPPY_HTML_04 multiple maxhits=11
#meta __GAPPY_HTML __MIME_HTML && (__GAPPY_HTML_01 || __GAPPY_HTML_02 || (__GAPPY_HTML_03 > 10) || (__GAPPY_HTML_04 > 10))
meta __GAPPY_HTML __MIME_HTML && (__GAPPY_HTML_01 || __GAPPY_HTML_02)
meta GAPPY_HTML __GAPPY_HTML && !__UNSUB_LINK && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY
describe GAPPY_HTML HTML body with much useless whitespace
# Try to improve S/O per bug 6119
meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY
#tflags TVD_SPACE_RATIO_MINFP nopublish
score TVD_SPACE_RATIO_MINFP 2.500 # limit
describe TVD_SPACE_RATIO_MINFP Space ratio (vertical text obfuscation?)
# Only useful for English-language email
#meta SUBJECT_UNNEEDED_ENCODING (__SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED) && !__RCD_RDNS_MAIL && !__LCL__ENV_AND_HDR_FROM_MATCH && !__SUBSCRIPTION_INFO && !__THREADED && !__NONBOUNCE_READ_RECEIPT
#describe SUBJECT_UNNEEDED_ENCODING Subject encoded but not non-ANSI?
#score SUBJECT_UNNEEDED_ENCODING 1.000 # limit
#tflags SUBJECT_UNNEEDED_ENCODING publish
# Be sensitive to FPs on legitimate Japanese- and Chinese-language mailing lists (09/2014)
meta __TVD_SPACE_ENCODED (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED)
meta TVD_SPACE_ENCODED __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM
score TVD_SPACE_ENCODED 2.500 # limit
describe TVD_SPACE_ENCODED Space ratio & encoded subject
meta TVD_SPACE_ENC_FM_MIME __TVD_SPACE_ENCODED && __FROM_NEEDS_MIME && !__ISO_2022_JP_DELIM
score TVD_SPACE_ENC_FM_MIME 2.000 # limit
describe TVD_SPACE_ENC_FM_MIME Space ratio & encoded subject & MIME needed
# sample from users list: Subject: Sta ffWork sFastToSen dTab le tsGood s
header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/
tflags __SUBJ_BROKEN_WORD multiple maxhits=2
meta SUBJ_BROKEN_WORD __SUBJ_BROKEN_WORD && !ALL_TRUSTED && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__MIME_QP && !__DOS_HAS_LIST_UNSUB && !__HAS_IN_REPLY_TO && !__THREADED && !__MSGID_JAVAMAIL && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY && !__MSGID_OK_DIGITS && !__NOT_A_PERSON && !__LCL__ENV_AND_HDR_FROM_MATCH
describe SUBJ_BROKEN_WORD Subject contains odd word break
meta SUBJ_BROKEN_WORDS __SUBJ_BROKEN_WORD > 1 && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__MIME_QP && !__DOS_HAS_LIST_UNSUB && !__HAS_IN_REPLY_TO && !__THREADED && !__MSGID_JAVAMAIL && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY && !__MSGID_OK_DIGITS
describe SUBJ_BROKEN_WORDS Subject contains multiple odd word breaks
# felicity's TVD_SUBJ_NUM_OBFU as a subrule
header __TVD_SUBJ_NUM_OBFU Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i
meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER
describe SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers
endif
meta TVD_SUBJ_NUM_OBFU_MINFP __TVD_SUBJ_NUM_OBFU && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !__X_CRON_ENV && !__NOT_A_PERSON && !__HAS_THREAD_INDEX && !__THREADED && !__NUMBERS_IN_SUBJ && !__URI_MAILTO
# from spample on users list 7/20/2011
header __XM_PHPMAILER_FORGED X-Mailer =~ /PHPMailer\s.*version\D+$/
meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED
describe XM_PHPMAILER_FORGED Apparently forged header
tflags XM_PHPMAILER_FORGED publish
# from spample on users list 7/24/2011
header __XM_EC_MESSENGER X-Mailer =~ /\beC-Messenger\b/
#meta XM_EC_MESSENGER __XM_EC_MESSENGER
#describe XM_EC_MESSENGER eC-Messenger bulk mail service
header __SUBJ_OBFU_PUNCT Subject =~ /(?:(?!<[a-z][a-z])[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z])/i
tflags __SUBJ_OBFU_PUNCT multiple maxhits=4
meta SUBJ_OBFU_PUNCT_FEW __SUBJ_OBFU_PUNCT > 1 && !__THREADED && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH
describe SUBJ_OBFU_PUNCT_FEW Possible punctuation-obfuscated Subject: header
score SUBJ_OBFU_PUNCT_FEW 0.750
meta SUBJ_OBFU_PUNCT_MANY __SUBJ_OBFU_PUNCT > 2 && !__THREADED && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH
describe SUBJ_OBFU_PUNCT_MANY Punctuation-obfuscated Subject: header
score SUBJ_OBFU_PUNCT_MANY 1.750
#meta SUBJ_MANGLED __SUBJ_OBFU_PUNCT && __GAPPY_SUBJECT && !__RP_MATCHES_RCVD && !__HAS_X_MAILER && !__DOS_HAS_LIST_UNSUB
#score SUBJ_MANGLED 2.000 # limit
# A document was scanned and sentto you using a Hewlett-Packard HP Officejet
# A document was scanned and sent to you using a Hewlett-Packard HP Officejet
# Scan from Hewlet-Packard Officejet
# Scan from a HP Officejet
# Hewlett-Packard Officejet Location: machine location not set
# Xerox WorkCentre
# See http://isc.sans.edu/diary.html?storyid=11848#comment
body __SCANNED /\b(?:(?:document was scan+ed and sent ?to you using|Scan from)(?: an?)? (?:(?:Hewlet+-Packard |HP ){1,2}Officejet|Hewlet+-Packard Officejet Location: machine location not set)|Xerox\b)/i
meta SCANNED_EXTERNAL __SCANNED && !ALL_TRUSTED && !__XEROXWORKCTR_MUA
describe SCANNED_EXTERNAL "Scanned Document" email from external source - malware?
score SCANNED_EXTERNAL 3.00 # limit
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
# real estate / stock scam spams 11/2011
# roughly similar to FS_LARGE_PERCENT2, better S/O?
body __LARGE_PERCENT_AFTER /\d{3}% after/i
tflags __LARGE_PERCENT_AFTER multiple maxhits=4
meta LARGE_PCT_AFTER_MANY __LARGE_PERCENT_AFTER > 3
describe LARGE_PCT_AFTER_MANY Many large percentages after...
else
meta __LARGE_PERCENT_AFTER 0
endif
# phish/malware 11/2011
# "Your ACH / wire / direct-deposit transaction was cancelled" lure text.
# The (?-i:ACH) groups keep the acronym case-sensitive inside otherwise
# case-insensitive patterns.
body __ACH_CANCELLED_01 /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
body __ACH_CANCELLED_02 /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i
body __ACH_CANCELLED_03 /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
body __ACH_CANCELLED_04 /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# NOTE(review): only the Content-Type MIME header is examined, so an
# attachment whose name appears solely in a Content-Disposition filename=
# parameter is not seen by this sub-rule; the trailing \b also lets names
# such as "x.exe.txt" match.
mimeheader __EXE_ATTACH Content-Type =~ /\.exe\b/i
# lure text plus an .exe attachment
meta __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH
meta ACH_CANCELLED_EXE __ACH_CANCELLED_EXE
describe ACH_CANCELLED_EXE "ACH cancelled" probable malware
else
# plugin not loaded: stub the sub-rule so dependent metas still parse
meta __EXE_ATTACH 0
endif
# lure text plus either a URI or LOTS_OF_MONEY (both defined elsewhere)
meta __ACH_CANCELLED (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && (__HAS_ANY_URI || LOTS_OF_MONEY)
meta ACH_CANCELLED __ACH_CANCELLED
describe ACH_CANCELLED "ACH cancelled" fraud / phish
# spams from users list query 03/2012
# Not useful as scored rules on their own; may be useful when combined in a meta with something else
uri __URI_DBL_SUBDOM m,^https?://(?!www\.amazon\.com)([^/]+)/.*https?://(?:[^.]+\.)?\1/,i
#meta URI_DBL_SUBDOM __URI_DBL_SUBDOM && !__RP_MATCHES_RCVD && !__FROM_LOWER && !__HAS_ERRORS_TO && !__TO_EQ_FROM_DOM
#score URI_DBL_SUBDOM 1.00 # limit
uri __URI_DBL_DOM m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i
uri __URI_DBL_INDIR m,(?:=https?://(?!www\.amazon\.com).*?){2},i
meta URI_DBL_INDIR __URI_DBL_INDIR && !__URI_TRPL_INDIR
describe URI_DBL_INDIR A URI with two levels of indirection
uri __URI_TRPL_INDIR m,(?:=https?://(?!www\.amazon\.com).*?){3},i
meta URI_TRPL_INDIR __URI_TRPL_INDIR
describe URI_TRPL_INDIR A URI with at least three levels of indirection
# suggestion on users list 04/2012
header SUBJ_ODD_CASE ALL =~ /\n(?!(?:Subject:|SUBJECT:|subject:))(?i:subject:)/sm
describe SUBJ_ODD_CASE Oddly mixed-case Subject: header
# Somebody's resurrecting the dead 07/1012
body BILL_1618 /\bUnder Bills?.1618(?: Title III)? passed by the 105th U\.S\. Congress\b/i
describe BILL_1618 Mentions proposed US law supposedly permitting spamming
body NOT_SPAM /\b(?:this mail cannot be considered Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)\b/i
describe NOT_SPAM I'm not spam! Really! I'm not, I'm not, I'm not!
# see https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39?gi=7ec45f2481ce
# Matches the .SettingContent-ms extension anywhere in the URI, case-
# insensitively, so a query-string or path component also triggers it.
uri URI_MALWARE_SCMS /\.SettingContent-ms\b/i
describe URI_MALWARE_SCMS Link to malware exploit download (.SettingContent-ms file)
tflags URI_MALWARE_SCMS publish
# suggested by http://isc.sans.edu/diary.html?storyid=13921
# Shape matched: a dot, 2-4 word characters, "/", exactly 8 word
# characters, "/index.html".
uri URI_MALWARE_BH /\.\w{2,4}\/[\d\w]{8}\/index\.html/i
describe URI_MALWARE_BH Possible BlackHole malware links / phishing
score URI_MALWARE_BH 1.0 # limit
# suggested by https://isc.sans.edu/diary.html?storyid=13996
# "data:" URIs carry their payload inline, so there is no host name to
# look up; inline images (data:image/...) are exempted by the lookahead.
uri __URI_DATA /^data:(?!image\/)[a-z]/i
# NOTE(review): this meta references __ENV_AND_HDR_FROM_MATCH directly,
# whereas SUBJ_BROKEN_WORD and the SUBJ_OBFU_PUNCT_* metas in this file use
# the plugin-guarded __LCL__ENV_AND_HDR_FROM_MATCH stub; using the stub here
# too would keep the meta valid when the providing plugin is not loaded.
meta URI_DATA __URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH && !__DOS_HAS_LIST_UNSUB
describe URI_DATA "data:" URI - possible malware or phish
score URI_DATA 3.250 # limit
tflags URI_DATA publish
header __SUBJ_ATTENTION Subject =~ /ATTENTION/
meta SUBJ_ATTENTION __SUBJ_ATTENTION && !ALL_TRUSTED
describe SUBJ_ATTENTION ATTENTION in Subject
score SUBJ_ATTENTION 0.500 # limit
# IRS impersonation: the From display name or address claims irs.gov, no
# external relay's rDNS is under irs.gov, and a Reply-To header is present.
header __IRS_FM_NAME From:name =~ /internal\srevenue\sservice/i
# NOTE(review): no /i modifier here, unlike __IRS_FM_NAME; an upper-case
# domain would not match unless From:addr is already lower-cased - confirm.
# The leading \b also admits addresses ending in e.g. "-irs.gov", which is
# conservative for a "claims to be IRS" signal.
header __IRS_FM_DOM From:addr =~ /\birs\.gov$/
# Suppressor.  Matches any external relay whose rDNS ends in "irs.gov"
# after a non-word character, so "mail.irs.gov" qualifies but so does
# "x-irs.gov"; an rDNS of exactly "irs.gov" does not, because \S+ must
# consume at least one character before the boundary.  A subdomain-only
# form such as / rdns=(?:\S+\.)?irs\.gov / would be stricter - consider.
header __IRS_RCVD_DOM X-Spam-Relays-External =~ / rdns=\S+\birs\.gov /
meta __IRS_SPOOF (__IRS_FM_NAME || __IRS_FM_DOM) && !__IRS_RCVD_DOM && __HAS_REPLY_TO
meta IRS_SPOOF __IRS_SPOOF
describe IRS_SPOOF Claims to be IRS, but not from IRS domain
score IRS_SPOOF 2.00 # limit
# FBI impersonation, same structure as the IRS rules above plus two
# all-caps body checks.
header __FBI_FM_NAME From:name =~ /federal\sbureau\sof\sinvestigation/i
# NOTE(review): no /i modifier, unlike __FBI_FM_NAME - confirm From:addr is
# lower-cased before matching.
header __FBI_FM_DOM From:addr =~ /\bfbi\.gov$/
# Suppressor: external relay rDNS ending in "fbi.gov" after a non-word
# character (a plain "fbi.gov" rDNS does not match, since \S+ must consume
# at least one character first).
header __FBI_RCVD_DOM X-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov /
# Case-sensitive shouting; _1 runs on the rendered body without /m, _2 on
# the raw body with /m so "^" can match at the start of any line.
body __FBI_BODY_SHOUT_1 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/
rawbody __FBI_BODY_SHOUT_2 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/m
meta __FBI_SPOOF (__FBI_FM_NAME || __FBI_FM_DOM || __FBI_BODY_SHOUT_1 || __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __HAS_REPLY_TO
meta FBI_SPOOF __FBI_SPOOF
describe FBI_SPOOF Claims to be FBI, but not from FBI domain
score FBI_SPOOF 2.00 # limit
tflags FBI_SPOOF publish
# LOTS_OF_MONEY is defined elsewhere
meta FBI_MONEY __FBI_SPOOF && LOTS_OF_MONEY
describe FBI_MONEY The FBI wants to give you lots of money?
score FBI_MONEY 2.00 # limit
tflags FBI_MONEY publish
# Financial-brand claims in From:.  "From:addr" rules anchor on the end of
# the address; plain "From" rules match anywhere in the full header
# (display name included) and are deliberately loose.
header __FROM_ASB_BANK From:addr =~ /\basb\.co\.nz$/i
header __FROM_AMEX From =~ /american\s?express/i
# matches "bank"/"banco" inside any word (banking, bankruptcy, ...)
header __FROM_BANK_LOOSE From =~ /ban(?:k|co)/i
# NOTE(review): the (?:2?-?paymentech) group is not optional, so a plain
# "chase.com" address does not match - only the paymentech forms do.  If
# chase.com itself was intended, the group needs a trailing "?".
header __FROM_CHASE From:addr =~ /chase(?:2?-?paymentech)\.com$/i
header __FROM_CMNWLTH_BANK From:addr =~ /\bcommonwealth\.com\.au$/i
header __FROM_EBAY_LOOSE From =~ /\be-?bay\b/i
header __FROM_HSBC From:addr =~ /\bhsbc\.co\.uk$/i
# NOTE(review): likewise (?:tsb) is mandatory here, so "lloyds.co.uk" and
# "lloyds.com" do not match, only the lloydstsb forms - confirm intent.
header __FROM_LLOYDSTSB From:addr =~ /\blloyds(?:tsb)\.(?:co\.uk|com)$/i
header __FROM_PAYPAL_LOOSE From =~ /paypal/i
header __FROM_WELLSFARGO From:addr =~ /wellsfargo\.com$/i
header __FROM_WESTERNUNION From:addr =~ /westernunion\.com$/i
# __FROM_MISSPACED is defined elsewhere
meta __FROM_MISSP_PHISH __FROM_MISSPACED && (__FROM_ASB_BANK || __FROM_AMEX || __FROM_BANK_LOOSE || __FROM_CHASE || __FROM_CMNWLTH_BANK || __FROM_EBAY_LOOSE || __FROM_HSBC || __FROM_LLOYDSTSB || __FROM_PAYPAL_LOOSE || __FROM_WELLSFARGO || __FROM_WESTERNUNION)
meta FROM_MISSP_PHISH __FROM_MISSP_PHISH && !__DOS_HAS_LIST_UNSUB
describe FROM_MISSP_PHISH Malformed, claims to be from financial organization - possible phish
score FROM_MISSP_PHISH 3.500 # limit
# another upload-a-document-for-public-access site
uri __URI_YOUSENDIT m,^https?://www\.yousendit\.com/directdownload,i
# see also DOS_GOOGLE_DOCS
uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:[^&]+&)*(?:id|formkey|usp)=|document/),i
uri __URI_GOOGLE_DRV m,^https?://(?:drive\.google|googledrive)\.com/,i
body __WEBMAIL_ACCT /\byour web ?mail account/i
body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|quota is running low|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i
body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here|(?:please|automatically) reduce (?:your|the) e?-?mail ?box size|reduce (?:your |the )?(?:e?-?mail(?: ?box)? )?size automatically)\b/i
tflags __CLEAN_MAILBOX multiple maxhits=2
body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails))\b/i
tflags __VALIDATE_MAILBOX multiple maxhits=2
body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:(?:[hw]as|and)\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage|you (?:have )?(?:failed|refused) to up(?:date|grade))\b/i
body __LOCK_MAILBOX /\b(?:(?:deactivate|lock(?: up)?|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server)|you will be deactivated|(?:account|e?-?mail(?: ?box)?) (?:will (?:be )?)?(?:shut ?down|expire|deactivate)|we have (?:stopped|suspended) (?:processing|accepting) (?:any )?(?:incoming|new|fresh) email)/i
tflags __LOCK_MAILBOX multiple maxhits=2
body __SYSADMIN /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management|security|admin(?:istrat(?:or|ion))?) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i
header __SUBJ_ADMIN Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i
meta __SUBJ_DOM_ADMIN __SUBJ_ADMIN && __PDS_FROM_NAME_TO_DOMAIN
header __FROM_ADMIN From =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i
meta __FROM_DOM_ADMIN __FROM_ADMIN && __PDS_FROM_NAME_TO_DOMAIN
body __ATTN_MAIL_USER /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i
body __MAIL_ACCT_ACCESS1 /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i
body __MAIL_ACCT_ACCESS2 /\blo+se ac+es+ to your (?:web|e-?)?mail ?(?:account|log-?in|box|address)\b/i
body __MAILBOX_FULL_SE /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i
body __VALIDATE_MBOX_SE /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i
body __PASSWORD_UPGRADE /\bpassword upgrade\b/i
body __PENDING_MESSAGES /\b(?:messages pending|pending messages|undelivered (?:messages|e?-?mails)|(?:your|\d+) undelivered e?-?mails)\b/i
body __RELEASE_MESSAGES /\b(?:release messages|(?:retrieve|release|download) your(?: undelivered|held|pending)? e?-?mails|(?:e?-?mails|messages).{1,20}download them now)\b/i
body __PASSWORD_EXP_CLUMSY /\bpassword is due for expiration yesterday\b/i
meta __EMAIL_PHISH (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PASSWORD_EXP_CLUMSY + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) > 1) && !__EMAIL_PHISH_MANY
meta __EMAIL_PHISH_MANY (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) > 3)
meta UPGRADE_MAILBOX __UPGR_MAILBOX && __HTML_FONT_LOW_CONTRAST_MINFP
describe UPGRADE_MAILBOX Upgrade your mailbox! (phishing?)
body __ACCESS_SUSPENDED /\b(?:(?:access|account) (?:suspension|has been (?:temporar(?:il)?y )(?:suspended|blocked|locked))|suspend (?:you from|your) access(?:ing)?|suspen(?:sion|se|ded) notice)\b/i
tflags __ACCESS_SUSPENDED multiple maxhits=2
body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i
body __ACCESS_REVOKE /(?:(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)|Ihre Kreditkarte wird gesperrt)/i
body __VERIFY_ACCOUNT /(?:confirm|updated?|verify) (?:your|the) (?:(?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)|"?[^\@\s]+\@\S+"? (?:account|mail ?box)|confirm verification|verify k?now|Ihre Angaben .berpr.ft und best.tigt)/i
body __FAILED_LOGINS /unsuc+es+ful log-?[io]n at+empts/i
body __ACCOUNT_REACTIV /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i
body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i
body __ACCOUNT_ERROR /\b(?:your account (?:is|appears to be) (?:incorrect|missing|in error|invalid))\b/i
body __ACCOUNT_DISRUPT /\b(?:ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)|(?:avoid|incoming) (?:[a-z]+ ){0,5}e?-?mails? (?:from )?being rejected|avoid (?:account|e?-?mail(?: ?box)?) (?:shut ?down|suspension|locking|termination|expiration))\b/i
tflags __ACCOUNT_DISRUPT multiple maxhits=2
body __ACCOUNT_UPGRADE /\b(?:upgrade (?:of )your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded|Weiter zur Aktualisierung)\b/i
body __ACCOUNT_SECURE /\b(?:make your (?:"?[^\@\s]+\@\S+"? |e-?mail )?account more secure|Ihre Kreditkarte weist einige Sicherheitsprobleme)\b/i
body __SUSPICION_LOGIN /\bsuspicion login\b/i
meta __ACCT_PHISH (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN) > 1 && !__ACCT_PHISH_MANY
meta __ACCT_PHISH_MANY (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN) > 3
meta ACCT_PHISHING (__ACCT_PHISH || __EMAIL_PHISH) && !__RCD_RDNS_SMTP_MESSY
describe ACCT_PHISHING Possible phishing for account information
score ACCT_PHISHING 1.500 # limit
meta ACCT_PHISHING_MANY (__ACCT_PHISH_MANY || __EMAIL_PHISH_MANY) && !GOOGLE_DOCS_PHISH_MANY && !GOOG_STO_HTML_PHISH_MANY
describe ACCT_PHISHING_MANY Phishing for account information
score ACCT_PHISHING_MANY 3.000 # limit
meta PHISHING_FREEMAIL (__EMAIL_PHISH || __EMAIL_PHISH_MANY || __ACCT_PHISH || __ACCT_PHISH_MANY) && FREEMAIL_FORGED_REPLYTO
describe PHISHING_FREEMAIL Send your login credentials to some random freemail account
# Google Docs observed on LOTS of phishes 2012
meta __GOOGLE_DOCS_PHISH_1 __URI_GOOGLE_DOC && (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST)
meta __GOOGLE_DOCS_PHISH_2 __URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY
meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2)
describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form
score GOOGLE_DOCS_PHISH 3.00 # limit
tflags GOOGLE_DOCS_PHISH publish
meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form
score GOOGLE_DOCS_PHISH_MANY 4.00 # limit
tflags GOOGLE_DOCS_PHISH_MANY publish
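# Google Docs URI plus at least one of the listed sender/content subrules,
# never on an all-trusted relay path.
meta __GOOGLE_DOC_SUSP __URI_GOOGLE_DOC && (__HAS_DOMAINKEY_SIG || __RDNS_NONE || __SYSADMIN || __STY_INVIS || LOTS_OF_MONEY || __XFER_MONEY || __ADVANCE_FEE_2_NEW) && !ALL_TRUSTED
# FP exclusions; the stronger GOOGLE_DOCS_PHISH_MANY takes precedence.
# (__RCD_RDNS_SMTP was listed twice and "! __HAS_LIST_ID" carried a stray
# space; both cleaned up, the expression is otherwise unchanged.)
meta GOOGLE_DOC_SUSP __GOOGLE_DOC_SUSP && !GOOGLE_DOCS_PHISH_MANY && !__HAS_SENDER && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__USING_VERP1 && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__HAS_LIST_ID
describe GOOGLE_DOC_SUSP Suspicious use of Google Docs
score GOOGLE_DOC_SUSP 2.500 # limit
tflags GOOGLE_DOC_SUSP publish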
#meta URI_GOOGLE_DOCS __URI_GOOGLE_DOC && !__DKIM_EXISTS && !__TO_EQ_FROM_DOM && !__DOS_REF_TODAY && !__DOS_BODY_FRI && !__DOS_BODY_WED && !__freemail_safe_fwd && !__TO_EQ_FROM_DOM && !__HAS_ERRORS_TO
#describe URI_GOOGLE_DOCS URI for Google Docs, common in phishing
#score URI_GOOGLE_DOCS 1.00 # limit
meta __URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH)
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY
else
meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY
endif
describe URI_PHISH Phishing using web form
score URI_PHISH 4.00 # limit
tflags URI_PHISH publish
meta SYSADMIN __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS
describe SYSADMIN Supposedly from your IT department
score SYSADMIN 3.500 # limit
tflags SYSADMIN publish
# suggested by MPerkel on the users list 11/10/2012
# Mixed-case ("MC") URI component subrules. Each matches the component
# case-insensitively but uses a case-sensitive negative lookahead to exclude
# the conventional spellings, so only oddly-cased variants hit.
# Scheme: anything but http/Http/HTTP (and the https forms).
uri __URI_PROTO_MC /^(?!(?-i:(?:[Hh]ttps?|HTTPS?):))https?:/i
# Hostname prefix: anything but "www" / "WWW" right after "://".
uri __URI_WWW_MC m,://(?!(?-i:www|WWW))www\.,i
# TLD-like label: note the exclusion list has no upper-case BIZ/INFO, so
# ".BIZ" and ".INFO" still hit — presumably intentional, confirm if FPs appear.
uri __URI_TLD_MC /\.(?!(?-i:com|net|org|biz|info|COM|NET|ORG))(?:com|net|org|biz|info)\b/i
# Unanchored: "google" in any casing other than google/Google, anywhere in the URI.
uri __URI_GOOG_MC /(?!(?-i:[Gg]oogle))google/i
rawbody __HTML_FONT_TINY_01 /font-size:\s{0,5}[0-4]px;/i
meta HTML_FONT_TINY_NORDNS __HTML_FONT_TINY_01 && __RDNS_NONE
describe HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
score HTML_FONT_TINY_NORDNS 1.500 # limit
body __BODY_TEXT_LINE /^\s*\S/
tflags __BODY_TEXT_LINE multiple maxhits=3
meta __EMPTY_BODY __BODY_TEXT_LINE < 2 && !__SMIME_MESSAGE
# this hits 13% of masscheck corpus spam, 50% of that only scores 2 points
meta BODY_EMPTY __EMPTY_BODY && !ALL_TRUSTED && !__MIME_ATTACHMENT && !__HAS_THREAD_INDEX && !__TO_EQ_FROM_DOM && !NO_RELAYS && !__PDF_ATTACH && !__HDR_RCVD_GOOGLE && !__MSGID_APPLEMAIL && !__XM_IPHONEMAIL
describe BODY_EMPTY No body text in message
score BODY_EMPTY 2.00 # limit
meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE
meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY
describe BODY_URI_ONLY Message body is only a URI in one line of text or for an image
score BODY_URI_ONLY 1.500 # limit
tflags BODY_URI_ONLY publish
body __SINGLE_WORD_LINE /^\s?\S{1,60}\s?$/
tflags __SINGLE_WORD_LINE multiple maxhits=2
header __SINGLE_WORD_SUBJ Subject =~ /^\s*\S{1,60}\s*$/
meta __BODY_SINGLE_WORD __BODY_TEXT_LINE < 3 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1)
meta BODY_SINGLE_WORD __BODY_SINGLE_WORD && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP
describe BODY_SINGLE_WORD Message body is only one word (no spaces)
score BODY_SINGLE_WORD 2.500 # limit
meta __BODY_SINGLE_URI (__BODY_SINGLE_WORD && __HAS_ANY_URI)
meta BODY_SINGLE_URI __BODY_SINGLE_URI && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP && !__VIA_ML
describe BODY_SINGLE_URI Message body is only a URI
score BODY_SINGLE_URI 2.500 # limit
#ifplugin Mail::SpamAssassin::Plugin::DKIM
# # malformed DKIM signatures seen in the wild - see bug#6895
# # see how well this performs
# meta __DKIM_MALFORMED DKIM_SIGNED && !DKIM_VALID
#endif
#body __YOUR_PHOTOS /\byour photos (?:as p[rw]omised )?(?:here )?(?:- )?https?:/i
#meta YOUR_PHOTOS __YOUR_PHOTOS && !__HAS_ANY_EMAIL && !__HAS_REPLY_TO && !__DOS_HAS_LIST_UNSUB
#describe YOUR_PHOTOS "Your Photos" phishing or malware
#score YOUR_PHOTOS 4.00 # limit
body __UNSUBSCRIBE_ES /\b(?:Para darte de baja y no recibir ning(?:=FA|[\xfa]|[\xc3][\xba])n|Si no desea que le enviemos publicidad|Si desea eliminar su correo [^\s@]{1,64}@[^\s@]{1,64} de nuestra lista|no recibir estos boletines a: [^\s@]{1,64}@[^\s@]{1,64} simplemente|Si no desea recibir m(?:=E1|[\xe1]|[\xc3][\xa1]|a)s notificaciones)\b/i
meta UNSUBSCRIBE_ES __UNSUBSCRIBE_ES
score UNSUBSCRIBE_ES 2.500 # limit
body __UNSUBSCRIBE_PT /\bSe n(?:a|=E3|[\xe3]|[\xc3][\xa3])o desejar mais receber nossos e-?mails?\b/i
meta UNSUBSCRIBE_PT __UNSUBSCRIBE_PT
score UNSUBSCRIBE_PT 2.500 # limit
body __URI_DBL_PROTO m,\b(?:https?:/+){2},i
uri __URI_DOS_FILE /^[A-Z]:\\/i
# NOTE(review): both operands of the "||" are __FILL_THIS_FORM_SHORT2, so the
# parenthesised part reduces to that single subrule; presumably a second
# FILL_THIS_FORM variant was intended — confirm against its definition.
meta __FORM_LOW_CONTRAST (__FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_SHORT2) && __HTML_FONT_LOW_CONTRAST_MINFP
# Form-filling text combined with low-contrast (hidden) font, minus common
# legitimate-mail indicators.
meta FORM_LOW_CONTRAST __FORM_LOW_CONTRAST && !__BUGGED_IMG && !__HAS_REPLY_TO && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__MSGID_JAVAMAIL
describe FORM_LOW_CONTRAST Fill in a form with hidden text
score FORM_LOW_CONTRAST 2.500 # Limit
tflags FORM_LOW_CONTRAST publish
# try to FP-reduce HTML_FONT_LOW_CONTRAST
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN && !DKIM_VALID
else
meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN
endif
# some no-ham (at the time) combinations
meta GAPPY_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __GAPPY_SUBJECT
describe GAPPY_LOW_CONTRAST Gappy subject + hidden text
score GAPPY_LOW_CONTRAST 2.500 # limit
meta URI_ONLY_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __BODY_URI_ONLY
score URI_ONLY_LOW_CONTRAST 2.500 # limit
meta SUBJ_OBFU_LOW_CNTRST (HTML_FONT_LOW_CONTRAST && __SUBJ_OBFU_PUNCT) && !ALL_TRUSTED && !__NOT_A_PERSON && !__THREADED
describe SUBJ_OBFU_LOW_CNTRST Subject obfuscation + hidden text
score SUBJ_OBFU_LOW_CNTRST 2.500 # limit
meta URI_DOTDOT_LOW_CNTRST HTML_FONT_LOW_CONTRAST && __URI_DOM_DOTDOT
describe URI_DOTDOT_LOW_CNTRST Suspicious URI + hidden text
score URI_DOTDOT_LOW_CNTRST 2.500 # limit
meta STOCK_LOW_CONTRAST (__HTML_FONT_LOW_CONTRAST_MINFP && __FB_S_STOCK) && !__BUGGED_IMG
describe STOCK_LOW_CONTRAST Stocks + hidden text
score STOCK_LOW_CONTRAST 2.500 # limit
tflags STOCK_LOW_CONTRAST publish
meta NORDNS_LOW_CONTRAST (__HTML_FONT_LOW_CONTRAST_MINFP && __RDNS_NONE) && !ALL_TRUSTED && !__HAS_CID
describe NORDNS_LOW_CONTRAST No rDNS + hidden text
score NORDNS_LOW_CONTRAST 2.500 # limit
uri __URI_DOM_DOTDOT m,://[^/]+\.\.,
meta FOUND_YOU __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO
score FOUND_YOU 3.25 # limit
describe FOUND_YOU I found you...
tflags FOUND_YOU publish
#rawbody __HTML_FONT_ONE_WORD_01 />\s{0,5}\S{1,15}\s{0,5}<\/font>/i
#tflags __HTML_FONT_ONE_WORD_01 multiple maxhits=26
#meta HTML_FONT_ONE_WORD_MANY __HTML_FONT_ONE_WORD_01 > 25
#describe HTML_FONT_ONE_WORD_MANY Many one-word font changes
#score HTML_FONT_ONE_WORD_MANY 0.50 # limit (initial)
#body __ADMITS_CANSPAM /\bThis is a CANSPAM ACT compliant advertising broadcast\b/i
#body __ADMITS_CANSPAM /\bThis is a CANSPAM ACT compliant\b/i
#meta ADMITS_CANSPAM __ADMITS_CANSPAM && !__VIA_ML
#describe ADMITS_CANSPAM Admits to being spam
body __ADMITS_SPAM /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:e-?mail[- ]+)?[a@]dvert[i1l]sement\b/i
meta ADMITS_SPAM __ADMITS_SPAM && !__FROM_LOWER && !__MSGID_JAVAMAIL && !__HAS_CAMPAIGNID
describe ADMITS_SPAM Admits this is an ad
#body __OBFU_ADVERT /\badvert[1l]sement\b/i
#meta OBFU_ADVERT __OBFU_ADVERT
#describe OBFU_ADVERT Misspelled "advertisement"
#tflags OBFU_ADVERT publish
#body __SEO_REGISTER /\bsearch engine (?:registration|subscription|submission)\b/i
#tflags __SEO_REGISTER multiple maxhits=5
#meta SEO_REGISTER __SEO_REGISTER > 4
#score SEO_REGISTER 2.50 # limit
#uri REMOVE_YEAHNET /imremove\@yeah\.net/i
#describe REMOVE_YEAHNET Opt-out address used by CN spammers
header __FROM_LIC From:name =~ /^Lic\./
header __FROM_DOM_INFO From:addr =~ /\.info$/i
meta ES_LIC_FROM_INFO __FROM_LIC && __FROM_DOM_INFO && __UNSUBSCRIBE_ES
describe ES_LIC_FROM_INFO Spanish-language spam from .info domain
header __SMIME_MESSAGE Content-Type =~ /application\/pkcs7-mime;/i
#uri __JIMDO_PHISH /(?:microsoft|outlook|access|helpdesk|upd?ates|newaccount)\w+\.jimdo\.com/i
body __CLICK_HERE /\bclick\shere\b/i
#meta JIMDO_PHISH __JIMDO_PHISH && __CLICK_HERE
#describe JIMDO_PHISH Apparent phishing via webform hosted at jimdo.com
#score JIMDO_PHISH 3.00 # limit
body __TRAVEL_PROFILE /\btravel+er\sprofile\b/i
body __TRAVEL_RESERV /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i
body __TRAVEL_BUSINESS /\bbusiness\stravel\b/i
body __TRAVEL_AGENT /\btravel\sagen(?:t|cy)\b/i
meta __TRAVEL_MANY (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2
uri __URI_WPADMIN m,/wp-admin/\w+/,i
meta URI_WPADMIN __URI_WPADMIN
describe URI_WPADMIN WordPress login/admin URI, possible phishing
tflags URI_WPADMIN publish
uri __URI_WPCONTENT m,/wp-content/.*\.(?:php|html?)\b,i
uri __URI_WPCONTENT_L m,/wp-content/.*\.(?:(?!gif|jpg|png|bmp|ico|eot|pdf)[a-z]{3}|(?!jpeg)[a-z]{4})\b,i
uri __URI_WPINCLUDES m,/wp-includes/.*\.(?:php|html?)\b,i
uri __URI_WPINCLUDES_L m,/wp-includes/.*\.(?:(?!gif|jpg|png|bmp|ico|eot|pdf)[a-z]{3}|(?!jpeg)[a-z]{4})\b,i
#uri __URI_WP_WHITELIST m,/wp-content/plugins/civicrm/,i
meta URI_WP_HACKED (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED
describe URI_WP_HACKED URI for compromised WordPress site, possible malware
score URI_WP_HACKED 3.500 # limit
tflags URI_WP_HACKED publish
uri __URI_WPDIRINDEX m,/wp-(?:content|includes)/.*/$,i
meta URI_WP_DIRINDEX __URI_WPDIRINDEX
describe URI_WP_DIRINDEX URI for compromised WordPress site, possible malware
score URI_WP_DIRINDEX 3.500 # limit
tflags URI_WP_DIRINDEX publish
# this has some overlap with URI_WP_HACKED
uri __PS_TEST_LOC_WP m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,128}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf)[^?]{4}(?:\?[^?]{1,5})?$;i
meta URI_WP_HACKED_2 (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__HAS_LIST_ID && !__THREADED && !__USING_VERP1
describe URI_WP_HACKED_2 URI for compromised WordPress site, possible malware
score URI_WP_HACKED_2 2.500 # limit
tflags URI_WP_HACKED_2 publish
# subrules migrated from 00_FVGT_File001.cf
# Lower-case header names in the raw header block ("subject:" rather than
# "Subject:"), followed by whitespace and at least five non-space characters.
# The patterns are case-sensitive and carry no anchor or \b, so the shorter
# ones can also match inside other header names or values (e.g. "update:"
# satisfies the date: pattern, a lower-case "reply-to:" the to: pattern).
header __SUBJ_LOWER ALL =~ /subject:\s\S{5}/
header __FROM_LOWER ALL =~ /from:\s\S{5}/
header __TO___LOWER ALL =~ /to:\s\S{5}/
header __DATE_LOWER ALL =~ /date:\s\S{5}/
# duplicates __XPRIO
#header __FH_HAS_XPRIORITY exists:X-Priority
meta __XPRIO_MINFP __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT
ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::SPF
meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS
else
meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE
endif
tflags XPRIO net
else
meta XPRIO __XPRIO_MINFP
endif
describe XPRIO Has X-Priority header
score XPRIO 2.250 # limit
tflags XPRIO publish
# some high-S/O combinations
meta __XPRIO_SHORT_SUBJ __XPRIO_MINFP && __SUBJ_SHORT
meta XPRIO_SHORT_SUBJ __XPRIO_SHORT_SUBJ && !__MSM_PRIO_REPTO && !ALL_TRUSTED && !__DKIM_EXISTS && !__RELAY_THRU_WWW && !__CTYPE_HAS_BOUNDARY && !__RCD_RDNS_MTA && !__HAS_HREF
describe XPRIO_SHORT_SUBJ Has X Priority header + short subject
score XPRIO_SHORT_SUBJ 2.500 # limit
tflags XPRIO_SHORT_SUBJ publish
meta FROM_MISSP_XPRIO (__XPRIO && __FROM_MISSPACED) && !__LYRIS_EZLM_REMAILER
describe FROM_MISSP_XPRIO Misspaced FROM + X-Priority
score FROM_MISSP_XPRIO 2.500 # limit
meta __STATIC_XPRIO_OLE __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE
meta STATIC_XPRIO_OLE __STATIC_XPRIO_OLE
describe STATIC_XPRIO_OLE Static RDNS + X-Priority + MIMEOLE
score STATIC_XPRIO_OLE 2.000 # limit
tflags STATIC_XPRIO_OLE publish
# Apparent good performance is an artifact of certain corpora's collection mechanism
#meta XPRIO_RPATH_NULL (__XPRIO && __BOUNCE_RPATH_NULL) && !__HAS_ERRORS_TO && !__VIA_ML && !ANY_BOUNCE_MESSAGE && !__HAS_ORGANIZATION && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED
#score XPRIO_RPATH_NULL 2.500 # limit
#
#meta TO_EQ_FM_NN_RPATH_NULL (__TO_EQ_FROM_USR_NN && __BOUNCE_RPATH_NULL) && !__TO_EQ_FROM_USR
#score TO_EQ_FM_NN_RPATH_NULL 2.000 # limit
#tflags TO_EQ_FM_NN_RPATH_NULL publish
header __FS_SUBJ_RE Subject =~ /^Re: /
header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/
body __CAN_HELP /\bcan help\b/i
body __FB_COST /\bcost\b/i
body __FB_NATIONAL /national/i
body __FB_NUM_PERCNT /\d\s?\%/
body __FB_S_STOCK /\bstock/i
body __FB_TOUR /\btour/i
body __SURVEY /\bsurvey\b/i
body __FB_S_PRICE /pri{1,2}c[a-z]?e/i
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __FRT_PRICE /<inter SP2><post P2>\b(?!price)<P><R><IX><C><E>\b/i
replace_rules __FRT_PRICE
meta __FM_MY_PRICE (__FB_S_PRICE || __FRT_PRICE)
else
meta __FRT_PRICE 0
meta __FM_MY_PRICE __FB_S_PRICE
endif
rawbody __FR_SPACING_8 /[a-z0-9]{6}\s{8}[a-z0-9]{5}/i
rawbody __FR_SPACING_9 /[a-z0-9]{6}\s{9}[a-z0-9]{5}/i
rawbody __FR_SPACING_15 /[a-z0-9]{6}\s{15}[a-z0-9]{5}/i
rawbody __FR_SPACING_17 /[a-z0-9]{6}\s{17}[a-z0-9]{5}/i
rawbody __FR_SPACING_22 /[a-z0-9]{6}\s{22}[a-z0-9]{5}/i
# per users mailing list question from Joe Quinn
#body __HEXHASHWORD_S /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{18})[0-9a-f]{18}/
#tflags __HEXHASHWORD_S multiple maxhits=4
body __HEXHASHWORD_S2EU /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}(?!-?\d{1,5}-)(?!\d{10}\s)(?:(?!--)[-0-9a-f]){10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/
tflags __HEXHASHWORD_S2EU multiple maxhits=4
#body __HEXHASHWORD_S2E /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}[0-9a-f]{10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/
#tflags __HEXHASHWORD_S2E multiple maxhits=4
#body __HEXHASHWORD_S2 /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[0-9a-f]{10,64}\s[A-Z]?[a-z]{1,15}\b/
#tflags __HEXHASHWORD_S2 multiple maxhits=4
#body __HEXHASHWORD /\s[A-Z]?[a-z]{1,15}\s[0-9a-f]{30}/
#tflags __HEXHASHWORD multiple maxhits=4
meta __HEXHASH_2 __HEXHASHWORD_S2EU > 1
meta __HEXHASH_3 __HEXHASHWORD_S2EU > 2
meta __HEXHASH_4 __HEXHASHWORD_S2EU > 3
#meta __HEXHASH_5 __HEXHASHWORD_S2EU > 4
meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER
describe HEXHASH_WORD Multiple instances of word + hexadecimal hash
score HEXHASH_WORD 3.000 # limit
tflags HEXHASH_WORD publish
# from users list spample provided by Larry Starr
body __UC_GIBB_OBFU /\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/
tflags __UC_GIBB_OBFU multiple maxhits=2
#meta __UC_GIBB_2 __UC_GIBB_OBFU > 1
#meta __UC_GIBB_3 __UC_GIBB_OBFU > 2
#meta __UC_GIBB_4 __UC_GIBB_OBFU > 3
#meta __UC_GIBB_5 __UC_GIBB_OBFU > 4
#meta __UC_GIBB_6 __UC_GIBB_OBFU > 5
#meta __UC_GIBB_7 __UC_GIBB_OBFU > 6
meta UC_GIBBERISH_OBFU (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED
describe UC_GIBBERISH_OBFU Multiple instances of "word VERYLONGGIBBERISH word"
score UC_GIBBERISH_OBFU 3.000 # Limit
tflags UC_GIBBERISH_OBFU publish
#body __B2B_HELP /\bhelp(?:ing)? (?:businesses like yours|your business)\b/i
#body __YOUR_BIZ /\bbusiness(?:es) like yours|(?<!of )your b(?:usiness|rand)\b/i
# will be removed with immediate effect from any further mailing list
# wish to receive information from us in the future
# This-link http://www.nowyehue.com/bon/dds/ will end messages.
# stop receiving these emails
# Unsubscribe me from this list
# We are not promoting any kind of SPAM.
# recieve any kind promotional email form us
# To stop receiving these emails
# exclude yourself from further ad-messages
# removal options
# Stop PSA alert
#body __UNSUB_PSA /\bstop PSA alert\b/i
#body __UNSUB_EXCL /\bexclude yourself from further ad\b/i
#meta UNSUB_EXCL __UNSUB_EXCL
#score UNSUB_EXCL 2.000 # limit
#body __UNSUB_OPT /\bremoval options?\b/i
#meta UNSUB_OPT __UNSUB_OPT
#score UNSUB_OPT 2.000 # limit
header __NO_TRUSTED_RELAY X-Spam-Relays-Trusted !~ /ip=/i
#body CANT_SEE_AD /\b(?:can(?:no|')?t|(?:aren'?t |not |un)able to) (?:view|read|see|scan|witness|consider|look at|participate in|take in|(?:make|check|scope) out|eye|scrutinize|watch|display|observe) (?:our|this|the) (?:commercial[-. ]|ad(?:v[-.]?ert[i1l]se-?ment)? |images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?images)\b/i
body __CANT_SEE_AD_1 /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i
body __CANT_SEE_AD_2 /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i
meta CANT_SEE_AD (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB
describe CANT_SEE_AD You really want to see our spam.
score CANT_SEE_AD 2.500 # limit
tflags CANT_SEE_AD publish
# 128 or more consecutive lower-case hex digits after a "/" in a URI
# (the pattern is case-sensitive, so upper-case hex does not hit).
uri __128_HEX_URI m,/[0-9a-f]{128},
#tflags __128_HEX_URI multiple maxhits=2
#uri __192_HEX_URI m,/[0-9a-f]{192},
#uri __256_HEX_URI m,/[0-9a-f]{256},
#uri __384_HEX_URI m,/[0-9a-f]{384},
#meta __128_HEX_URI_SGL __128_HEX_URI == 1
#meta __128_HEX_URI_MLT __128_HEX_URI > 1
# __LCL__KAM_BODY_LENGTH_LT_1024 is the plugin-guarded alias defined at the
# top of this file: it is forced to 0 when BodyEval's has_check_body_length
# is unavailable, so on such installs the short-body exclusion never applies.
meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024
describe LONG_HEX_URI Very long purely hexadecimal URI
score LONG_HEX_URI 3.000 # limit
tflags LONG_HEX_URI publish
uri __128_LC_URI m;[/?][a-z]{128,}$;
uri __128_LC_IMG m;/[a-z]{128,}/\w+\.(?:png|gif|jpe?g)$;
uri __128_ALNUM_URI m;[/?][0-9a-z]{128,}$;i
uri __128_ALNUM_IMG m;/[0-9a-z]{128,}/\w+\.(?:png|gif|jpe?g)$;i
uri __64_ANY_URI m;[/?]\w{64,}$;i
uri __64_ANY_IMG m;/\w{64,}/\w+\.(?:png|gif|jpe?g)$;i
uri __45_ALNUM_URI m;[/?][0-9a-z]{45,}$;i
uri __45_ALNUM_IMG m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g)$;i
meta __128_LC_URI_IMG __128_LC_URI && __128_LC_IMG
meta __128_ALNUM_URI_O __128_ALNUM_URI && !__128_LC_URI
meta __128_ALNUM_IMG_O __128_ALNUM_IMG && !__128_LC_IMG
meta __128_ALNUM_URI_IMG __128_ALNUM_URI_O && __128_ALNUM_IMG_O
meta __64_ANY_URI_O __64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI
meta __64_ANY_IMG_O __64_ANY_IMG && !__128_ALNUM_IMG && !__128_LC_IMG
meta __64_ALNUM_URI_IMG __64_ANY_URI_O && __64_ANY_IMG_O
meta __45_ALNUM_URI_O __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI
meta __45_ALNUM_IMG_O __45_ALNUM_IMG && !__64_ANY_IMG && !__128_ALNUM_IMG && !__128_LC_IMG
meta __45_ALNUM_URI_IMG __45_ALNUM_URI_O && __45_ALNUM_IMG_O
meta LONG_IMG_URI __45_ALNUM_IMG && !ALL_TRUSTED && !__HAS_ERRORS_TO
describe LONG_IMG_URI Image URI with very long path component - web bug?
score LONG_IMG_URI 3.000 # limit
tflags LONG_IMG_URI publish
rawbody __HTML_OFF_PAGE /;(?:top|left):-\d{3,9}px;/i
meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS
describe HTML_OFF_PAGE HTML element rendered well off the displayed page
score HTML_OFF_PAGE 3.000 # limit
tflags HTML_OFF_PAGE publish
body __PUMPDUMP_01 /\b(?:times|multiply|tripl(?:e|ing)|quadrupl(?:e|ing)|quintupl(?:e|ing)) (?:your|an) (?:princip(?:al|le)|investment)\b/i
body __PUMPDUMP_02 /\b(?:sto[ck]{2}|share price) (?:will |may |is (?:(?:about|poised|positioned|ready) to |gonna ))?(?:triple|quadruple|quintuple|soar|go(?:es?) (?:nuts|crazy|sky high|way up))\b/i
body __PUMPDUMP_03 /\bbuy (?:[^.!]{1,30} )?(?:(?:(?:mon|tues|wednes|thurs|fri)day|tomorrow) (?:first thing|open|morning)|(?:first thing|opens|before) (?:(?:mon|tues|wednes|thurs|fri)day|tomorrow))/i
body __PUMPDUMP_04 /\bmake you (?:big bucks|hundreds|thousands)\b/i
body __PUMPDUMP_05 /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i
body __PUMPDUMP_06 /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i
body __PUMPDUMP_07 /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i
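# "stock of the year", including the "sotk" misspelling seen in such spam.
# The previous pattern read "\b?(:sto[ck]{2}|sotk)": the word boundary was
# optional and the group was a capturing one with a literal ":", so only
# ":stock of the year" / "sotk of the year" could match. Fixed to match the
# sibling __PUMPDUMP_02 / __STOCK_TIP spelling.
body __PUMPDUMP_08 /\b(?:sto[ck]{2}|sotk) of the year/i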
body __PUMPDUMP_09 /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i
body __PUMPDUMP_10 /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i
meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0
meta __PD_CNT_2 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
meta __PD_CNT_3 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 2
meta __PD_CNT_4 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 3
meta __PD_CNT_5 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 4
meta __PD_CNT_6 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 5
meta __PD_CNT_7 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 6
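# Exactly one pump-and-dump phrase class hit; two or more is PUMPDUMP_MULTI.
# __PD_CNT_1 is the same ten-term sum tested for > 0, so reuse it instead of
# restating the OR of all ten subrules.
meta PUMPDUMP __PD_CNT_1 && !PUMPDUMP_MULTI
describe PUMPDUMP Pump-and-dump stock scam phrase
score PUMPDUMP 1.000 # limit
tflags PUMPDUMP publish
# Identical to __PD_CNT_2 (sum > 1); reuse it rather than repeating the sum.
meta PUMPDUMP_MULTI __PD_CNT_2
describe PUMPDUMP_MULTI Pump-and-dump stock scam phrases
score PUMPDUMP_MULTI 3.500 # limit
tflags PUMPDUMP_MULTI publish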
body __STOCK_TIP /\bsto[ck]{2}\s?tip\b/i
meta STOCK_TIP __STOCK_TIP && !__DKIM_EXISTS
describe STOCK_TIP Stock tips
score STOCK_TIP 3.000 # limit
tflags STOCK_TIP publish
meta PUMPDUMP_TIP __PD_CNT_1 && __STOCK_TIP
describe PUMPDUMP_TIP Pump-and-dump stock tip
tflags PUMPDUMP_TIP publish
#body DR_OZ_OBFU /\bD(?:r\.|oc(?:tor)?) ?0z\b/i
#describe DR_OZ_OBFU Obfuscated Doctor Oz
#
#body DOC_OZ /\b(?:doc oz|Dr\.?Oz)\b/
#describe DOC_OZ Doctor Oz
# "admail", "ad-mail", "admessage(s)"; (?:\b|_) lets an underscore act
# as a word boundary too.
body __ADMAIL /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i
# __DKIM_EXISTS and __COMMENT_EXISTS are defined outside this section.
meta ADMAIL __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS
describe ADMAIL "admail" and variants
tflags ADMAIL publish
body ORS /\bOn-?line Rate Saver\b/i
describe ORS "Online Rate Saver"
# subrule version of MMartinec CR_IN_SUBJ
# Raw Subject: containing a bare carriage return (octal 015).
header __CR_IN_SUBJ Subject:raw =~ /\015/
# "this ad", "this advertisement", "this promo(tion)", with 1/l for i.
body __THIS_AD /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i
# Exclusions (Mozilla message-id, QP-encoded From, CR in Subject,
# Return-Path matching Received) are all defined outside this section.
meta THIS_AD __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD
describe THIS_AD "This ad" and variants
tflags THIS_AD publish
# low S/O, legit subscribed marketing in masscheck corpus?
body AD_PREFS /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i
describe AD_PREFS Advertising preferences
score AD_PREFS 0.500 # limit
tflags AD_PREFS publish
#body OPT_OUT /\bOpt-Out Here\b/i
#score OPT_OUT 2.000
# Opt-out style first hostname label (optionally digit-suffixed), at
# least one more label, then a .us/.me/.mobi/.club TLD.
uri URI_OPTOUT_USME m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i
describe URI_OPTOUT_USME Opt-out URI, unusual TLD
tflags URI_OPTOUT_USME publish
# Same first label under .com/.net.  Note [^/]+ allows more than one
# intermediate label, so this is not strictly third-level only.
uri URI_OPTOUT_3LD m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i
describe URI_OPTOUT_3LD Opt-out URI, suspicious hostname
score URI_OPTOUT_3LD 2.000 # limit
tflags URI_OPTOUT_3LD publish
# Call-to-action prefix on the first hostname label ("try...", "get...").
uri __URI_TRY_USME m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i
meta URI_TRY_USME __URI_TRY_USME && !__DKIM_EXISTS
describe URI_TRY_USME "Try it" URI, unusual TLD
tflags URI_TRY_USME publish
# .com/.net variant; the lookaheads carve out known-legit hosts
# (get.adobe, checkout, visitor, mysub..., myturbotax...).
uri URI_TRY_3LD m,^https?://(?:try|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn|request|visit(?!or)|my(?!sub|turbotax)\w)[^.]*\.[^/]+\.(?:com|net)\b,i
describe URI_TRY_3LD "Try it" URI, suspicious hostname
score URI_TRY_3LD 2.000 # limit
tflags URI_TRY_3LD publish
## REFINE THIS
#body __INCOMING_FAX /\bincoming fax\b/i
#body __BANK /\bbank\b/i
#body __ACCT_STMT /\bac(?:count|tivity) statement\b/i
#uri __URI_DROPBOX m,[/.]dropbox\.com\/,i
#meta DROPBOX_MALW (__INCOMING_FAX || (__BANK && __ACCT_STMT)) && __URI_DROPBOX && !ALL_TRUSTED
#describe DROPBOX_MALW Spoofed FAX or bank statement with Dropbox link: PROBABLE MALWARE
#score DROPBOX_MALW 10.00
# Obfuscation-tolerant keyword rules.  <X> tokens are expanded by the
# ReplaceTags plugin (replace_tag definitions live outside this
# section); each rule must be registered with replace_rules or the
# tokens stay literal.  The (?!...) lookahead right after the first
# letter excludes the plain spelling, so only altered spellings hit.
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_UNSUBSCRIBE /<U>(?!nsubscribe)<N><S><U><B><S><C><R><I><B><E>/i
replace_rules FUZZY_UNSUBSCRIBE
describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe"
tflags FUZZY_UNSUBSCRIBE publish
body FUZZY_ANDROID /<A>(?!ndroid)<N><D><R><O><I><D>/i
replace_rules FUZZY_ANDROID
describe FUZZY_ANDROID Obfuscated "android"
tflags FUZZY_ANDROID publish
body FUZZY_PROMOTION /<P>(?!romotion)<R><O><M><O><T><I><O><N>/i
replace_rules FUZZY_PROMOTION
describe FUZZY_PROMOTION Obfuscated "promotion"
tflags FUZZY_PROMOTION publish
body FUZZY_PRIVACY /<P>(?!rivacy)<R><I><V><A><C><Y>/i
replace_rules FUZZY_PRIVACY
describe FUZZY_PRIVACY Obfuscated "privacy"
tflags FUZZY_PRIVACY publish
body FUZZY_BROWSER /<B>(?!rowser)<R><O><W><S><E><R>/i
replace_rules FUZZY_BROWSER
describe FUZZY_BROWSER Obfuscated "browser"
tflags FUZZY_BROWSER publish
body FUZZY_SAVINGS /<S>(?!avings)<A><V><I><N><G><S>/i
replace_rules FUZZY_SAVINGS
describe FUZZY_SAVINGS Obfuscated "savings"
tflags FUZZY_SAVINGS publish
# Accepts "inportant" as well as "important".
body FUZZY_IMPORTANT /<I>(?!mportant)(?:<M>|<N>)<P><O><R><T><A><N><T>/i
replace_rules FUZZY_IMPORTANT
describe FUZZY_IMPORTANT Obfuscated "important"
tflags FUZZY_IMPORTANT publish
# Also excludes plain Spanish "seguridad" and UTF-8 French "sécurité".
body FUZZY_SECURITY /<S>(?!ecurity)(?!eguridad)(?!\xc3\xa9curit\xc3\xa9)<E>(?:<C>|<G>)<U><R><I>(?:<T><Y>|<D><A><D>)/i
replace_rules FUZZY_SECURITY
describe FUZZY_SECURITY Obfuscated "security"
tflags FUZZY_SECURITY publish
# (?-i:...) makes only the exclusion case-sensitive: capitalised
# "Dr. Oz" / "Doctor Oz" (space or &nbsp;) is skipped, other casings hit.
body __FUZZY_DR_OZ /\bD(?!(?-i:(?:r.|octor)(?:\s|&nbsp;)Oz))(?:<R>|<O><C>(?:<T><O><R>)?)\.?<WS>*<O><Z>(?:$|\W)/i
replace_rules __FUZZY_DR_OZ
meta FUZZY_DR_OZ __FUZZY_DR_OZ && !__VIA_ML && !__DKIM_EXISTS && !__RP_MATCHES_RCVD
describe FUZZY_DR_OZ Obfuscated Doctor Oz
tflags FUZZY_DR_OZ publish
# <WS>* between letters tolerates inserted whitespace-like padding.
body FUZZY_CLICK_HERE /<C>(?!lick(?:\s|&nbsp;)here)<WS>*<L><WS>*<I><WS>*<C><WS>*<K><WS>+<H><WS>*<E><WS>*<R><WS>*<E>/i
replace_rules FUZZY_CLICK_HERE
describe FUZZY_CLICK_HERE Obfuscated "click here"
tflags FUZZY_CLICK_HERE publish
body FUZZY_BITCOIN /<B>(?!itcoin)<I><T>-?<C><O><I><N>/i
replace_rules FUZZY_BITCOIN
describe FUZZY_BITCOIN Obfuscated "Bitcoin"
tflags FUZZY_BITCOIN publish
# Any spelling of bitcoin, plain included (no lookahead exclusion).
body __BITCOIN /<B><I><T>-?<C><O><I><N>/i
replace_rules __BITCOIN
body FUZZY_WALLET /<W>(?!allet)<A><L><L><E><T>/i
replace_rules FUZZY_WALLET
describe FUZZY_WALLET Obfuscated "Wallet"
tflags FUZZY_WALLET publish
meta FUZZY_BTC_WALLET FUZZY_BITCOIN && FUZZY_WALLET
describe FUZZY_BTC_WALLET Heavily obfuscated "bitcoin wallet"
tflags FUZZY_BTC_WALLET publish
body __FUZZY_MONERO /<M>(?!onero)<O><N><E><R><O>/i
replace_rules __FUZZY_MONERO
body __FUZZY_WELLSFARGO_BODY /<W>(?!ells[-\s]?Fargo)<E><L><L><S>[-\s]?<F><A><R><G><O>/i
replace_rules __FUZZY_WELLSFARGO_BODY
header __FUZZY_WELLSFARGO_FROM From:name =~ /<W>(?!ells[-\s]?Fargo)<E><L><L><S>[-\s]?<F><A><R><G><O>/i
replace_rules __FUZZY_WELLSFARGO_FROM
meta FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
describe FUZZY_WELLSFARGO Obfuscated "Wells Fargo"
else
# Fallbacks without the plugin: only the two subrules referenced
# outside this conditional are defined here.
meta __FUZZY_MONERO 0
body __BITCOIN /\bBit-?coin\b/i
endif
# Bitcoin address shapes: legacy 1.../3... with 25-34 base58 chars
# (class omits 0, O, I, l) or bech32 bc1... with 30-90 chars from the
# bech32 set (class omits 1, b, i, o).  This one is a URI path element.
uri __URL_BTC_ID m;[/.](?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})(?:/|$);
# Same shapes in the body; (?<!=) rejects a match directly after "=",
# presumably to skip quoted-printable/URL-parameter residue - verify.
body __BITCOIN_ID /\b(?<!=)(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})\b/
meta FUZZY_MONERO __FUZZY_MONERO
describe FUZZY_MONERO Obfuscated "Monero"
tflags FUZZY_MONERO publish
# Monero address: "4", one of 0-9/A/B, then 93-104 base58 chars.
body __MONERO_ID /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93,104}\b/
body __MONERO_CURNCY /Monero \(XMR\)/
uri __URI_MONERO /buy-monero/i
# Any Monero signal; feeds the MONERO_* metas further down.
meta __MONERO (__MONERO_ID || __MONERO_CURNCY || __URI_MONERO || __FUZZY_MONERO)
# Wallet ID + Organization: header, on a non-trusted path, AND a
# mailing-list header present (note: required, not excluded).  With the
# DKIM plugin loaded, a DKIM-signed message is additionally excluded.
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED
else
meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST
endif
describe BTC_ORG Bitcoin wallet ID + unusual header
score BTC_ORG 2.500 # limit
# __PDF_ATTACH, HTML_EXTRA_CLOSE, __XPRIO etc. are defined elsewhere.
meta BITCOIN_PDF __BITCOIN && __PDF_ATTACH
describe BITCOIN_PDF "Bitcoin" + PDF attachment
score BITCOIN_PDF 2.500 # limit
meta BITCOIN_MALF_HTML HTML_EXTRA_CLOSE && (__BITCOIN || __BITCOIN_ID)
describe BITCOIN_MALF_HTML Bitcoin + malformed HTML
score BITCOIN_MALF_HTML 3.500 # limit
meta __BITCOIN_XPRIO __XPRIO && (__BITCOIN || __BITCOIN_ID)
meta BITCOIN_XPRIO __BITCOIN_XPRIO && !__ML1 && !__HAS_SENDER && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY
describe BITCOIN_XPRIO Bitcoin + priority
score BITCOIN_XPRIO 2.500 # limit
# bitcoin obfuscation - tip o' the hat to Steve Zinski on the users list, with a little cleanup
# Letters of "bitcoin" separated by up to 10 non-word chars each; the
# lookahead after "b" excludes the plain spelling.
body __BTC_OBFU_2 /\b\W{0,10}b(?!itcoin)\W{0,10}i\W{0,10}t\W{0,10}c\W{0,10}o\W{0,10}i\W{0,10}n\W{0,10}\b/i
# Same for "btc", excluding plain "btc".
body __BTC_OBFU_3 /\b\W{0,10}b(?!tc\b)\W{0,10}t\W{0,10}c\W{0,10}\b/i
# seen in sloppy spam
# "bitcoin" spelled entirely as hex HTML character references.
body __BTC_OBFU_5 /&\#x62;&\#x69;&\#x74;&\#x63;&\#x6F;&\#x69;&\#x6E;/i
# __BTC_OBFU_4 duplicates (to a degree) FUZZY_BITCOIN
# Use FUZZY_BITCOIN (more hits) if possible
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
# With ID: wallet address present plus an obfuscated spelling.
meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) )
# Without ID: the complement, used by BITCOIN_EXTORT_02 below.
meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) )
else
# Cyrillic look-alikes for i (U+0456), c (U+0441) and o (U+043E).
body __BTC_OBFU_4 /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) )
meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) )
endif
meta OBFU_BITCOIN __OBFU_BITCOIN
describe OBFU_BITCOIN Obfuscated BitCoin references
score OBFU_BITCOIN 3.000 # limit
tflags OBFU_BITCOIN publish
# BITCOIN_SPAM_NN: a wallet address in the body paired with one other
# spam indicator each.  Most partner rules are defined elsewhere.
meta BITCOIN_SPAM_01 __BITCOIN_ID && HTML_MIME_NO_HTML_TAG
describe BITCOIN_SPAM_01 BitCoin spam pattern 01
score BITCOIN_SPAM_01 2.500 # limit
tflags BITCOIN_SPAM_01 publish
meta __BITCOIN_SPAM_02 __BITCOIN_ID && __BOTH_INR_AND_REF
# Excluded when the address also appears as a URI path element.
meta BITCOIN_SPAM_02 __BITCOIN_SPAM_02 && !__URL_BTC_ID
describe BITCOIN_SPAM_02 BitCoin spam pattern 02
score BITCOIN_SPAM_02 2.500 # limit
tflags BITCOIN_SPAM_02 publish
meta BITCOIN_SPAM_03 __BITCOIN_ID && __SINGLE_WORD_SUBJ
describe BITCOIN_SPAM_03 BitCoin spam pattern 03
score BITCOIN_SPAM_03 2.500 # limit
tflags BITCOIN_SPAM_03 publish
# __freemail_hdr_replyto is a FreeMail plugin subrule; there is no
# ifplugin guard here - confirm behaviour when that plugin is not loaded.
meta BITCOIN_SPAM_04 __BITCOIN_ID && __freemail_hdr_replyto
describe BITCOIN_SPAM_04 BitCoin spam pattern 04
score BITCOIN_SPAM_04 1.500 # limit
tflags BITCOIN_SPAM_04 publish
meta __BITCOIN_SPAM_05 __BITCOIN_ID && __SPOOFED_FREEMAIL
meta BITCOIN_SPAM_05 __BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TO
describe BITCOIN_SPAM_05 BitCoin spam pattern 05
score BITCOIN_SPAM_05 2.500 # limit
# "net": this one depends on a network test.
tflags BITCOIN_SPAM_05 net publish
meta BITCOIN_SPAM_06 __BITCOIN_ID && TVD_RCVD_SPACE_BRACKET
describe BITCOIN_SPAM_06 BitCoin spam pattern 06
score BITCOIN_SPAM_06 1.500 # limit
tflags BITCOIN_SPAM_06 publish
meta __BITCOIN_SPAM_07 __BITCOIN_ID && __TO_EQ_FROM
meta BITCOIN_SPAM_07 __BITCOIN_SPAM_07 && !__DKIM_EXISTS
describe BITCOIN_SPAM_07 BitCoin spam pattern 07
score BITCOIN_SPAM_07 3.500 # limit
tflags BITCOIN_SPAM_07 publish
meta BITCOIN_SPAM_08 __BITCOIN_ID && __TO_IN_SUBJ
describe BITCOIN_SPAM_08 BitCoin spam pattern 08
score BITCOIN_SPAM_08 2.500 # limit
tflags BITCOIN_SPAM_08 publish
# English "destroy you" or German "deine Zukunft zerstören" with 1-3
# non-space chars standing in for the umlaut (any encoding).
body __DESTROY_YOU /\b(?:destroy\syou|deine Zukunft zerst\S{1,3}ren)/i
meta BITCOIN_SPAM_09 __BITCOIN_ID && ( __DESTROY_ME || __DESTROY_YOU )
describe BITCOIN_SPAM_09 BitCoin spam pattern 09
score BITCOIN_SPAM_09 1.500 # limit
tflags BITCOIN_SPAM_09 publish
meta BITCOIN_SPAM_10 __BITCOIN_ID && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 )
describe BITCOIN_SPAM_10 BitCoin spam pattern 10
score BITCOIN_SPAM_10 2.500 # limit
tflags BITCOIN_SPAM_10 publish
meta BITCOIN_SPAM_11 __BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFU
describe BITCOIN_SPAM_11 BitCoin spam pattern 11
score BITCOIN_SPAM_11 2.500 # limit
tflags BITCOIN_SPAM_11 publish
meta BITCOIN_SPAM_12 __BITCOIN_ID && __BOGUS_MIME_HDR_MANY
describe BITCOIN_SPAM_12 BitCoin spam pattern 12
score BITCOIN_SPAM_12 2.500 # limit
tflags BITCOIN_SPAM_12 publish
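# Extortion ("sextortion") phrase subrules.  With ReplaceTags loaded
# the <X> tokens are expanded to obfuscation-tolerant character
# classes; the else branch carries plain-ASCII equivalents of the same
# phrases.  Both branches define the same subrule names, so the metas
# below work either way.  The ReplaceTags variants anchor on (?:^|\s)
# rather than \b because an expanded tag may start with a non-word char.
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __MY_VICTIM /(?:<H><I>|<H><E><L><L><O>),?(?:\s<M><Y>)?\s(?:<V><I><C><T><I><M>|<P><R><E><Y>)/i
replace_rules __MY_VICTIM
# Fix: the "put" / "set up" alternatives were written as
# "<P><U><T><|><S><E><T>".  "<|>" is not a replace tag, so it stayed
# literal and split the alternation into "<P><U><T><" and
# "><S><E><T>...", neither of which matches real text.  Now "|" is a
# bare alternation, mirroring "put|set\s?up" in the plain variant below.
body __MY_MALWARE /(?:^|\s)(?:(?:<I>(?:'<V><E>|\s<H><A><V><E>)?\s(?:<P><U><T>|<S><E><T>\s?<U><P>|<I><N><S><T><A><L><L><E><D>|<B><U><I><L>(?:<T>|<D>)\s<I><N>|<P><L><A><C><E><D>)\s(?:<A>\s)?|<M><Y>\s(?:<P><E><R><S><O><N><A><L>\s)?)(?:<M><A><L><W><A><R><E>|<V><I><R><U><S>|<S><P><Y>\s?<W><A><R><E>|<T><R><O><J><A><N>|<P><R><O><G><R><A><M>\s<R><E><C><O><R><D><E><D>|<E><X><P><L>(?:<O>|0)<I><T>)|<A><P><P><L><I><C><A><T><I><O><N>[^\.]{1,30}(?:<E><N><A><B><L><E>(?:<D>|<S>)|<A><L><L><O><W>)\s<M><E>\s<T><O>\s(?:<A><C><C><E><S><S>|<C><O><N><T><R><O><L>)|<I>\s(?:<C><O><N><T><A><M><I><N><A><T><E><D>|<I><N><F><E><C><T><E><D>|<H><A><C><K><E><D>|<T><O><X><I><F><I><E><D>|<P><O><I><S><O><N><E><D>)\s(?:<Y><O><U><R>|<T><H><I><S>)\s(?:<M><A><C><H><I><N><E>|<C><O><M><P><U><T><E><R>|<G><A><D><G><E><T>|(?:<S><M><A><R><T>\s?)?<P><H><O><N><E>|<D><E><V><I><C><E>|<E><M><A><I><L>)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|<M><E><I><N>\s<H><I><N><T><E><R><H><A><L><T><I><G><E><S>\s<P><R><O><G><R><A><M>+|<I>\s?<A><M>\s?<A>\s?<H><A><C><K><E><R>|(?:(?:<T><R><O><J><A><N>|<V><I><R><U><S>|<S><P><Y><W><A><R><E>|<M><A><L><W><A><R><E>)\s)+<G><I><V>(?:<E><S>|<I><N><G>)\s<M><E>)[\s\.,]/i
replace_rules __MY_MALWARE
# Payment demand: "pay me", "send me <amount>", "transfer the amount
# of", German "den Betrag von", "pay this bitcoin/monero address", etc.
body __PAY_ME /(?:^|\s)(?:<P><A><Y>\s<M><E>|(?:(?:<S><E><N><D>|<T><R><A><N><S><M><I><T>|<G><I><V><E>)\s<M><E>|(?:<S><E><N><D>(?:<E><N>\s<S><I><E>)?|<T><R><A><N><S><F><E><R>)\s(?:<T><H><E>\s<A><M><O><U><N><T>\s<O><F>|<E><X><A><C><T><L><Y>|<G><E><N><A><U>)|<I>\s<W><A><N><T>|<D><E><N>\s<B><E><T><R><A><G>\s<V><O><N>|<P><A><Y><M><E><N><T>\s<O><F>)\s(?:[\d,'.\$£]+\s?(?:<U><S><D>?|<E><U><R>?(?:<O><S>)?|<G><B><P>|<B><T><C>)?|<B><I><T><C><O><I><N>|<B><T><C>)|(?:<M><A><K><E>|<P><E><R><F><O><R><M>|<S><E><N><D>|<T><R><A><N><S><M><I><T>)\s<T><H><E>\s<P><A><Y><M><E><N><T>|<A><M><O><U><N><T>\s<F><O><R>\s<M><Y>\s<S><I><L><E><N><C><E>|(?:<P><A><Y>|<F><U><N><D>)\s<T><H><I><S>\s(?:<B><I><T><C><O><I><N>|<M><O><N><E><R><O>)[-\s](?:<A><D><D><R><E><S><S>|<W><A><L><L><E><T>|<B><R><I><E><F><T><A><S><C><H><E>))[\s\.,]/i
replace_rules __PAY_ME
body __YOUR_PASSWORD /(?:^|\s)(?:<Y><O><U><R>|(?:<C><H><A><N><G><E>|<M><O><D><I><F><Y>|<U><P><D><A><T><E>|<R><E><S><E><T>|<A><L><T><E><R>|<F><I><X>)\s<T><H><E>)\s(?:<A><C><C><O><U><N><T>\s|<E>-?<M><A><I><L>\s)?(?:<P><A><S><S>[-\s_]?<W><O><R><D>|<P><S><W><D>\s)/i
replace_rules __YOUR_PASSWORD
body __YOUR_WEBCAM /(?:^|\s)(?:<F><R><O><M>|<Y><O><U><R>|<W><I><T><H>)\s(?:(?:<S><C><R><E><E><N>|<D><E><S><K><T><O><P>)\s<A><N><D>\s|<O><W><N>\s)?(?:<W><E><B>[-\s]?|<F><R><O><N><T>[-\s]?|<N><E><T><W><O><R><K>\s)<C><A><M>/i
replace_rules __YOUR_WEBCAM
body __YOUR_ONAN /(?:^|\s)(?:<Y><O><U><R>?|<I><H><R><E><R>)\s(?:<M><A><S><T>(?:<U>|<R>){2}<B><A><T><I>(?:<O><N>|<N><G>)(?:<S><V><I><D><E><O>)?|<O><N><A><N><I><S><M>|<S><O><L><I><T><A><R><Y>\s<S><E><X>|<H><A><N><D>\s<F><U><C><K><I><N><G>|<S><E><L><B><S><T><B><E><F><R><I><E><D><I><G><U><N><G>|(?:<P><L><E><A><S><U><R>(?:<E>|<I><N><G>)|<S><A><T><I><S><F><Y>(?:<I><N><G>)?)\s<Y><O><U><R><S><E><L><F>)/i
replace_rules __YOUR_ONAN
body __YOUR_PERSONAL /(?:^|\s)(?:<Y><O><U><R>\s(?:<P><E><R><S><O><N><A><L>|<P><R><I><V><A><T><E>|<S><O><C><I><A><L>\s<C><O><N><T><A><C><T>|<A><D><D><R><E><S><S>|<F><R><I><E><N><D><S>)\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>|<D><E><T><A><I><L><S>|<B><O><O><K>|<S><E><C><R><E><T><S>)|<A><L><L>\s(?:<O><F>\s)?<Y><O><U><R>\s(?:<F><I><L><E><S>|<C><O><N><T><A><C><T><S>|<S><E><C><R><E><T><S>|<C><O><R><R><E><S><P><O><N><D><E><N><C><E>))[\s\.,]/i
replace_rules __YOUR_PERSONAL
# Deadline phrasing in English and German ("give you 48 hours",
# "Ich gebe Ihnen 24 Stunden", "by the end of the day", ...).
body __HOURS_DEADLINE /(?:^|\s)(?:(?:<G><I><V><E>\s<Y><O><U>|<G><E><B><E>\s<I><H><N><E><N>(?:\s<N><U><R>)?|<Y><O><U>\s(?:<W><I><L><L>\s)?<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?|<W><I><T><H><I><N>)(?:(\s<T><H><E>)?\s(?:<L><A><S><T>|<N><E><X><T>))?\s(?:\d+|<O><N><E>|<T><W><O>|<T><H><R><E><E>)\s?(?:<H><O><U><R><S>?|<H><R>\s?<S>?|<D><A><Y><S>?|<S><T><U><N><D><E><N>)|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\s<H><O><U><R><S>?\s<B><E><F><O><R><E>\s(?:<S><E><N><D><I><N><G>|<R><E><L><E><A><S><I><N><G>|<E><X><P><O><S><I><N><G>|<P><U><B><L><I><S><H><I><N><G>)|(?:<T><H><E>|<Y><O><U><R>)\s<D><E><A><D><L><I><N><E>\s(?:<I><S>|<W><I><L><L>\s<B><E>))/i
replace_rules __HOURS_DEADLINE
body __EXPLOSIVE_DEVICE /(?:^|\s)(?:<E><X><P><L><O><S><I><V><E>\s<D><E><V><I><C><E>|<B><O><M><B>)\s/i
replace_rules __EXPLOSIVE_DEVICE
else
# Plain-spelling equivalents, same subrule names.
body __MY_VICTIM /\b(?:hi|hello),?(?:\smy)?\s(?:victim|prey)\b/i
body __MY_MALWARE /\b(?:(?:I(?:'ve|\shave)?\s(?:put|set\s?up|installed|buil[td]\sin|placed)\s(?:a\s)?|my\s(?:personal\s)?)(?:malware|virus|spy\s?ware|trojan|program\srecorded|expl[o0]it)|application[^\.]{1,30}(?:enable[sd]|allows)\sme\sto\s(?:access|control)|I\s(?:contaminated|infected|hacked|toxified|poisoned)\s(?:your|this)\s(?:machine|computer|gadget|(?:smart\s?)?phone|device|email)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|mein\shinterhältiges\sProgramm|I\s?am\s?a\s?hacker|(?:(?:trojan|virus|spyware|malware)\s)+giv(?:es|ing)\sme)\b/i
body __PAY_ME /\b(?:pay\sme|(?:(?:send|transmit|give)\sme|(?:send(?:en\ssie)?|transfer)\s(?:the\samount\sof|exactly|genau)|I\swant|den\sbetrag\svon|payment\sof)\s(?:[\d,'.\$£]+\s?(?:usd?|eur?(?:os)?|gbp|BTC)?|bitcoin|BTC)|(?:make|perform|send|transmit)\sthe\spayment|amount\sfor\smy\ssilence|(?:pay|fund)\sthis\s(?:bitcoin|monero)[-\s](?:address|wallet|brieftasche))\b/i
body __YOUR_PASSWORD /\b(?:your|(?:change|modify|update|reset|alter|fix)\sthe)\s(?:account\s|e-?mail\s)?(?:pass[-\s_]?word|pswd)\b/i
body __YOUR_WEBCAM /\b(?:from|your|with)\s(?:(?:screen|desktop)\sand\s|own\s)?(?:web[-\s]?|front[-\s]?|network\s)cam\b/i
body __YOUR_ONAN /\b(?:your?|ihrer)\s(?:mast[ur]{2}bati(?:on|ng)(?:svideo)?|onanism|solitary\ssex|hand\sfucking|Selbstbefriedigung|(?:pleasur(?:e|ing)|satisfy(?:ing)?)\syourself)\b/i
body __YOUR_PERSONAL /\b(?:your\s(?:personal|private|social\scontact|address|friends)\s(?:info(?:rmation)?|data|details|book|secrets)|all\s(?:of\s)?your\s(?:files|contacts|secrets|correspondence))\b/i
body __HOURS_DEADLINE /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i
body __EXPLOSIVE_DEVICE /\b(?:explosive\sdevice|bomb)\b/i
endif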
# Three or more of twelve extortion signals.  LOCALPART_IN_SUBJECT is
# a scored rule and __DESTROY_ME is defined outside this section.
meta __EXTORT_MANY (__MY_MALWARE + __PAY_ME + __MY_VICTIM + __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE + __YOUR_PASSWORD + LOCALPART_IN_SUBJECT + __DESTROY_ME + __DESTROY_YOU + __EXPLOSIVE_DEVICE) > 2
# _01 needs a wallet address; _02 needs an obfuscated "bitcoin" and
# NO wallet address, so the two cannot both fire.
meta BITCOIN_EXTORT_01 __BITCOIN_ID && __EXTORT_MANY
describe BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin
score BITCOIN_EXTORT_01 5.000 # limit
tflags BITCOIN_EXTORT_01 publish
meta BITCOIN_EXTORT_02 __OBFU_BITCOIN_NOID && __EXTORT_MANY
describe BITCOIN_EXTORT_02 Extortion spam, pay via BitCoin
score BITCOIN_EXTORT_02 5.000 # limit
tflags BITCOIN_EXTORT_02 publish
# Single-signal bitcoin rules, each suppressed when the full
# BITCOIN_EXTORT_01 combination already fires.
meta BITCOIN_PAY_ME __BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01
describe BITCOIN_PAY_ME Pay me via BitCoin
score BITCOIN_PAY_ME 3.000 # limit
tflags BITCOIN_PAY_ME publish
meta BITCOIN_DEADLINE __BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01
describe BITCOIN_DEADLINE BitCoin with a deadline
score BITCOIN_DEADLINE 3.000 # limit
tflags BITCOIN_DEADLINE publish
meta BITCOIN_YOUR_INFO __BITCOIN_ID && __YOUR_PERSONAL && !BITCOIN_EXTORT_01
describe BITCOIN_YOUR_INFO BitCoin with your personal info
score BITCOIN_YOUR_INFO 3.000 # limit
tflags BITCOIN_YOUR_INFO publish
# Also excluded when __NOT_SPOOFED (defined elsewhere) hits.
meta BITCOIN_MALWARE __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED
describe BITCOIN_MALWARE BitCoin + malware bragging
score BITCOIN_MALWARE 3.500 # limit
tflags BITCOIN_MALWARE publish
meta BITCOIN_BOMB __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01
describe BITCOIN_BOMB BitCoin + bomb
score BITCOIN_BOMB 3.000 # limit
tflags BITCOIN_BOMB publish
# Monero counterparts, keyed on the __MONERO aggregate.
meta MONERO_EXTORT_01 __MONERO && __EXTORT_MANY
describe MONERO_EXTORT_01 Extortion spam, pay via Monero cryptocurrency
score MONERO_EXTORT_01 5.000 # limit
tflags MONERO_EXTORT_01 publish
meta MONERO_PAY_ME __MONERO && __PAY_ME && !MONERO_EXTORT_01
describe MONERO_PAY_ME Pay me via Monero cryptocurrency
score MONERO_PAY_ME 3.000 # limit
tflags MONERO_PAY_ME publish
meta MONERO_DEADLINE __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01
describe MONERO_DEADLINE Monero cryptocurrency with a deadline
score MONERO_DEADLINE 3.000 # limit
tflags MONERO_DEADLINE publish
meta MONERO_MALWARE __MONERO && __MY_MALWARE && !MONERO_EXTORT_01
describe MONERO_MALWARE Monero cryptocurrency + malware bragging
score MONERO_MALWARE 3.500 # limit
tflags MONERO_MALWARE publish
# __freemail_hdr_replyto is a FreeMail plugin subrule; no ifplugin
# guard here - confirm behaviour when that plugin is not loaded.
meta BOMB_FREEM __EXPLOSIVE_DEVICE && __freemail_hdr_replyto
describe BOMB_FREEM Bomb + freemail
score BOMB_FREEM 2.000 # limit
tflags BOMB_FREEM publish
meta BOMB_MONEY __EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW || __ADVANCE_FEE_4_NEW || __ADVANCE_FEE_5_NEW )
describe BOMB_MONEY Bomb + money: bomb threat?
score BOMB_MONEY 2.500 # limit
tflags BOMB_MONEY publish
# Currency-agnostic malware-bragging rules; suppressed when either
# full extortion combination already fires.
meta __MALWARE_NORDNS __MY_MALWARE && __RDNS_NONE
meta MALWARE_NORDNS __MALWARE_NORDNS && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01
describe MALWARE_NORDNS Malware bragging + no rDNS
score MALWARE_NORDNS 3.500 # limit
tflags MALWARE_NORDNS publish
# 100% overlap with __MALWARE_NORDNS
#meta __MALWARE_IP_NORDNS __MY_MALWARE && __HELO_MISC_IP && __RDNS_NONE
meta __MALWARE_PASSWORD __MY_MALWARE && __PASSWORD
meta MALWARE_PASSWORD __MALWARE_PASSWORD && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01
describe MALWARE_PASSWORD Malware bragging + "password"
score MALWARE_PASSWORD 3.500 # limit
tflags MALWARE_PASSWORD publish
#body NUM_FREE /\b\d+free/i
#describe NUM_FREE Number + free
# seen in spam (malware?) 07/2014
#header __DATE_SPACEY ALL =~ /\nDate:\s{8}/ism
#uri __FSL_LINK_AWS_S3_WEB_LOOSE m,^https?://(?:[^./]+\.)*s3[^./]+\.amazonaws\.com,i
# Any scheme, dotted-quad host, and "unsubscribe" somewhere in the path.
uri __URI_DQ_UNSUB m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i
meta URI_DQ_UNSUB __URI_DQ_UNSUB
describe URI_DQ_UNSUB IP-address unsubscribe URI
tflags URI_DQ_UNSUB publish
# A /proxy/ URL on a single-label googleusercontent.com host.  The
# meta strips common ham shapes (long lines, lists, Google relays,
# lower-case From, "mail" rDNS) - all defined outside this section.
uri __URI_GOOGLE_PROXY m;^https?://[^.]+\.googleusercontent\.com/proxy/;i
meta URI_GOOGLE_PROXY __URI_GOOGLE_PROXY && !__LONGLINE && !__ML1 && !__FSL_RELAY_GOOGLE && !__FROM_LOWER && !__RCD_RDNS_MAIL
describe URI_GOOGLE_PROXY Accessing a blacklisted URI or obscuring source of phish via Google proxy?
tflags URI_GOOGLE_PROXY publish
# Apparent good performance is an artifact of certain corpora's collection mechanism
#meta RPATH_NULL_CTCQ __BOUNCE_RPATH_NULL && __CTYPE_CHARSET_QUOTED && !__VIA_ML && !__SUBJECT_ENCODED_QP && !ANY_BOUNCE_MESSAGE && !__DOS_HAS_LIST_UNSUB && !__TAG_EXISTS_STYLE && !__TAG_EXISTS_STYLE && !__HAS_THREAD_INDEX
#score RPATH_NULL_CTCQ 2.000 # limit
# A raw-body line made of exactly ten lowercase words and a period.
# Counted per line (multiple), capped at 21, so ">20" means the cap.
rawbody __TENWORD_GIBBERISH /^\s*(?:[a-z]+\s+){10}\.$/m
tflags __TENWORD_GIBBERISH multiple maxhits=21
meta TW_GIBBERISH_MANY __TENWORD_GIBBERISH > 20
describe TW_GIBBERISH_MANY Lots of gibberish text to spoof pattern matching filters
score TW_GIBBERISH_MANY 2.000 # limit
tflags TW_GIBBERISH_MANY publish
#body __OPTOUT_BRKT /\[(?:unsub(?:scribe)|remove(?: me)|leave)\]/i
#tflags __OPTOUT_BRKT multiple maxhits=2
#meta OPTOUT_BRKT_MANY __OPTOUT_BRKT > 1
#describe OPTOUT_BRKT_MANY Repetitive opt-outs
#score OPTOUT_BRKT_MANY 2.000 # limit
# Oh, the humanity! Is there no better way?
#full __RECIP_IN_URL_DOM m;^Received:[^:]{1,400}?\sfor\s<(\w+)\@.+?https?://\1\d*\.;ism
#describe __RECIP_IN_URL_DOM Recipient in body URL
#tflags __RECIP_IN_URL_DOM nopublish
# reported on users list 09/2014 jdebert <jdebert@garlic.com>
# Two bracketed dotted quads back to back in a Received: header.
header RCVD_DBL_DQ Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/
describe RCVD_DBL_DQ Malformatted message header
tflags RCVD_DBL_DQ publish
# reported on users list 09/2014 George Johnson <georgejohnson@talaya.net>
# Hyphenated lowercase header name (4+/3+ letters, not one of the
# listed standard prefixes) whose value starts with a digit and is at
# least 6 non-space chars of hex, dot/dash-separated word runs.
# Counted across all headers, capped at 4; ">3" means the cap.
header __RAND_HEADER ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism
tflags __RAND_HEADER multiple maxhits=4
meta RAND_HEADER_MANY __RAND_HEADER > 3
describe RAND_HEADER_MANY Many random gibberish message headers
score RAND_HEADER_MANY 3.000 # limit
tflags RAND_HEADER_MANY publish
#body FR_SPAM_LAW /article 34 de la loi 78-17\b/i
#describe FR_SPAM_LAW References French privacy law
#score FR_SPAM_LAW 1.000 # limit
# Subrules not referenced in this section (used elsewhere, presumably).
body __EDGER_HOOVER /\bedger hoover\b/i
header __FM_EDGER_HOOVER From =~ /\bedger hoover\b/i
body __MYSTERY_SHOPPER /\bmystery shoppers?\b/i
header __HAS_NO_RELAY X-No-Relay =~ /./
# Two X-No-Relay: headers; the \1 backreference ties the second name to
# the first, so despite the plural describe only that one name is checked.
header __DUP_SUSP_HDR ALL =~ /\n(X-No-Relay)\s*:[ ][^\n]{1,100}\n\1\s*:[ ]/ism
meta DUP_SUSP_HDR __DUP_SUSP_HDR
describe DUP_SUSP_HDR Duplicate suspicious message headers
score DUP_SUSP_HDR 2.500 # limit
# seen 10/2014: "https://www.google.com/url?q=https://copy.com/ApbFn2848pQm/ShippingInvoice_6974.PDF.scr?download=1&sa=D&sntz=1&usg=AFQjCNGhvWhljnujQlP85tA6YUsddfuJow"
# google.com redirect whose query string carries a "download" token
# preceded by ?, & or /.  Note the unbounded .* before it.
uri __GOOG_MALWARE_DNLD m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&/]download;i
meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD
describe GOOG_MALWARE_DNLD File download via Google - Malware?
score GOOG_MALWARE_DNLD 5.000 # limit
tflags GOOG_MALWARE_DNLD publish
# Any google.com /url? redirect; combined with other signs further down.
uri __GOOG_REDIR m;^https?://[^/]*\.google\.com/url\?;i
# Scored rules without an explicit score line.
body ONLINE_MKTG_CNSLT /\bonline marketing consultant\b/i
body SOLICIT_BIZ /\bbusiness solicitation messag/i
# Four or more spelled-out digits in a row ("one two three four").
body __SPELLED_OUT_NUM /\b(?:(?:one|two|three|four|five|six|seven|eight|nine|zero)[\s_-]?){4,}/i
meta SPELLED_OUT_NUMBER __SPELLED_OUT_NUM && !__DKIM_EXISTS
describe SPELLED_OUT_NUMBER Spelled out a number (one two three)
score SPELLED_OUT_NUMBER 3.000 # limit
# Four digits then five single spaced letters; not referenced here.
body __NUM_SPCD_LTRS /\d{4}\s(?:[a-z]\s){5}/i
# Percent-encoded byte in the Subject; counted, capped at 3.
header __SUBJ_UNNEEDED_HTML Subject =~ /%[0-9a-f][0-9a-f]/i
tflags __SUBJ_UNNEEDED_HTML multiple maxhits=3
# __SUBJ_UNNEEDED_HTML_MANY is defined but not referenced in this section.
meta __SUBJ_UNNEEDED_HTML_MANY __SUBJ_UNNEEDED_HTML > 1
meta SUBJ_UNNEEDED_HTML __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML
describe SUBJ_UNNEEDED_HTML Unneeded HTML formatting in Subject:
# Not referenced in this section.
body __HELP_YOU_SUCCEED /\bhelp you succeed\b/i
body __WANT_BIZ /\b(?:I|we) want your business\b/i
# To/From local-part nearly equal (__TO_EQ_FROM_USR_NN*, defined
# elsewhere) combined with message-id oddities.
meta TEQF_USR_MSGID_MALF __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2
describe TEQF_USR_MSGID_MALF To and from user nearly same + malformed message ID
tflags TEQF_USR_MSGID_MALF publish
meta TEQF_USR_MSGID_HEX __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2
describe TEQF_USR_MSGID_HEX To and from user nearly same + unusual message ID
tflags TEQF_USR_MSGID_HEX publish
meta TEQF_USR_IMAGE __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH
describe TEQF_USR_IMAGE To and from user nearly same + image
tflags TEQF_USR_IMAGE publish
meta TEQF_USR_POLITE __TO_EQ_FROM_USR_NN && __FRAUD_IRT
describe TEQF_USR_POLITE To and from user nearly same + polite greeting
score TEQF_USR_POLITE 2.000 # limit
# __MSGID_HEX_MALF is defined but not referenced in this section.
meta __MSGID_HEX_MALF __MSGID_NOFQDN2 && __MSGID_OK_HEX
meta __URI_ONLY_MSGID_MALF __BODY_URI_ONLY && __MSGID_NOFQDN2
# NOTE(review): the ifplugin/else/endif around the next two definitions
# is commented out, so BOTH meta lines are active and the second one
# (without the RCVD_IN_DNSWL_LOW exclusion) takes effect as the last
# definition of the name.  The "tflags net" line is likely superseded
# by the "tflags publish" line below as well - confirm, and either
# restore the guard or drop the dead definition.
#ifplugin Mail::SpamAssassin::Plugin::DNSEval
meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO && !RCVD_IN_DNSWL_LOW
tflags URI_ONLY_MSGID_MALF net
#else
meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO
#endif
describe URI_ONLY_MSGID_MALF URI only + malformed message ID
score URI_ONLY_MSGID_MALF 2.000 # limit
tflags URI_ONLY_MSGID_MALF publish
# These may be a bit risky, the masscheck ham corpus may not
# reflect how often these are legit in Real Life...
# __LCL__KAM_BODY_LENGTH_LT_512 is the local shim for the KAM
# body-length subrule (defined elsewhere); it is 0 when unavailable.
meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512
describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message
tflags GOOG_REDIR_SHORT publish
meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE
describe GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website + no rDNS
# Disjoint from the two rules above (excludes RDNS_NONE and short body).
meta GOOG_REDIR_HTML_ONLY (__GOOG_REDIR && MIME_HTML_ONLY) && !RDNS_NONE && !__LCL__KAM_BODY_LENGTH_LT_512
describe GOOG_REDIR_HTML_ONLY Google redirect to obscure spamvertised website + HTML only
score GOOG_REDIR_HTML_ONLY 2.000 # limit
# A <div> hidden via visibility:hidden or display:none followed by
# 1400 consecutive non-space, non-"<" characters.
rawbody __LONG_INVIS_DIV /<div\s+style\s*=\s*"(?:visibility\s*:\s*hidden|display\s*:\s*none)\s*">[^<\s]{1400}/i
# low S/O, apparently lots of invisible ham...
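# Hidden-text detection via inline style.  Gated on the Conf feature
# check because these rules rely on "tflags multiple maxhits=".
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
# style="...visibility:hidden;" or "...display:none;" within the first
# 80 chars of the attribute value; counted per occurrence, capped at 6.
rawbody __STY_INVIS /\bstyle\s*=\s*"[^">]{0,80}(?:visibility\s*:\s*hidden\s*;|display\s*:\s*none\s*;)/i
tflags __STY_INVIS multiple maxhits=6
# Thresholds: 2+, 3+, and 6 (the cap).  _2 and _3 are not referenced here.
meta __STY_INVIS_2 __STY_INVIS > 1
meta __STY_INVIS_3 __STY_INVIS > 2
meta __STY_INVIS_MANY __STY_INVIS > 5
# Many hidden spans plus at least one other spam sign, minus ham shapes;
# all partner subrules are defined outside this section.
meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX
describe HTML_TEXT_INVISIBLE_STYLE HTML hidden text + other spam signs
score HTML_TEXT_INVISIBLE_STYLE 3.500 # limit
tflags HTML_TEXT_INVISIBLE_STYLE publish
meta __LONG_STY_INVIS __STY_INVIS && __LONGLINE
# Fix: !__RCD_RDNS_MTA_MESSY and !__USING_VERP1 each appeared twice in
# this expression; the duplicates are dropped (same truth table).
meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV || (__LONG_STY_INVIS && !__UNSUB_LINK && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__RCD_RDNS_MTA && !__MIME_QP && !__HAS_X_MAILER && !__REPTO_QUOTE )
meta __STY_INVIS_DIRECT __STY_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED
meta STY_INVIS_DIRECT __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK
describe STY_INVIS_DIRECT HTML hidden text + direct-to-MX
score STY_INVIS_DIRECT 2.500 # limit
else
# Without the feature, fall back to the long hidden <div> test only.
meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV
endif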
# try it on span tags only...
# rawbody __SPAN_INVIS /<span\s[^>]{0,200}style\s*=\s*"[^">]{0,80}(?:visibility\s*:\s*hidden\s*;|display\s*:\s*none\s*;)[^>]{1,200}>\w/i
# Shared describe/score/tflags for both definitions of
# LONG_INVISIBLE_TEXT in the conditional above.
describe LONG_INVISIBLE_TEXT Long block of hidden text - spam scan evasion?
score LONG_INVISIBLE_TEXT 3.000 # limit
tflags LONG_INVISIBLE_TEXT publish
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
# Lots of ham uses invisible fonts - WHY?
# Any tag other than <style> with an inline font/font-size of 0 or 1
# (px/pt/Q/vw/vh/vmin), 0 in other units, or color:transparent,
# immediately followed by text.  Counted per tag, capped at 11.
rawbody __FONT_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])|color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w/i
tflags __FONT_INVIS multiple maxhits=11
# _5 and _10 are not referenced in this section; _MANY is an alias of _2.
meta __FONT_INVIS_2 __FONT_INVIS > 2
meta __FONT_INVIS_5 __FONT_INVIS > 5
meta __FONT_INVIS_10 __FONT_INVIS > 10
meta __FONT_INVIS_MANY __FONT_INVIS_2
# __DKIMWL_WL_HI and USER_IN_DEF_DKIM_WL are DKIM-plugin rules; there
# is no ifplugin guard here - confirm behaviour when it is not loaded.
meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID
describe HTML_TEXT_INVISIBLE_FONT HTML hidden text - word obfuscation?
score HTML_TEXT_INVISIBLE_FONT 2.000 # limit
tflags HTML_TEXT_INVISIBLE_FONT publish
# Does this hit less ham while still hitting spam?
# Stricter variant: the hidden run must be a single word (1-20 word
# chars) ending at the next tag.  __WORD_INVIS_5 is unused here.
rawbody __WORD_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|in|pc|em|ex|ch|rem|lh|vmax))\s*[;'a-z]|color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w{1,20}</i
tflags __WORD_INVIS multiple maxhits=6
meta __WORD_INVIS_5 __WORD_INVIS > 5
# Invisible font combined with one further signal each; __HTML_SINGLET
# (defined after this block) is excluded from the first two.
meta __FONT_INVIS_LONG_LINE __FONT_INVIS && __LONGLINE
meta FONT_INVIS_LONG_LINE __FONT_INVIS_LONG_LINE && !__HTML_SINGLET
describe FONT_INVIS_LONG_LINE Invisible text + long lines
score FONT_INVIS_LONG_LINE 3.000 # limit
tflags FONT_INVIS_LONG_LINE publish
meta __FONT_INVIS_NORDNS __FONT_INVIS && __RDNS_NONE
meta FONT_INVIS_NORDNS __FONT_INVIS_NORDNS && !__HTML_SINGLET
describe FONT_INVIS_NORDNS Invisible text + no rDNS
score FONT_INVIS_NORDNS 2.500 # limit
tflags FONT_INVIS_NORDNS publish
# Also accepts the style-based hidden-text subrule from the block above.
meta FONT_INVIS_POSTEXTRAS (__FONT_INVIS || __STY_INVIS) && __AC_POST_EXTRAS
describe FONT_INVIS_POSTEXTRAS Invisible text + suspicious URI
score FONT_INVIS_POSTEXTRAS 3.500 # limit
tflags FONT_INVIS_POSTEXTRAS publish
meta __FONT_INVIS_MSGID __FONT_INVIS && __MSGID_OK_HOST
meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP
describe FONT_INVIS_MSGID Invisible text + suspicious message ID
score FONT_INVIS_MSGID 2.500 # limit
tflags FONT_INVIS_MSGID publish
# meta __FONT_INVIS_NAKED_TO __FONT_INVIS && __NAKED_TO
# meta FONT_INVIS_NAKED_TO __FONT_INVIS_NAKED_TO && !__ML3 && !__HAS_ERRORS_TO
# describe FONT_INVIS_NAKED_TO Invisible text + suspicious To
# score FONT_INVIS_NAKED_TO 2.500 # limit
# _CENTER and _SINGLET are defined but not referenced in this section.
meta __FONT_INVIS_CENTER __FONT_INVIS && __TAG_EXISTS_CENTER
meta __FONT_INVIS_SINGLET __FONT_INVIS && __HTML_SINGLET
meta __FONT_INVIS_DIRECT __FONT_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED
meta FONT_INVIS_DIRECT __FONT_INVIS_DIRECT && !__UNSUB_LINK && !__HAS_ERRORS_TO && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__URI_DOTGOV && !__NAKED_TO && !__MSGID_OK_HEX
describe FONT_INVIS_DIRECT Invisible text + direct-to-MX
score FONT_INVIS_DIRECT 3.500 # limit
tflags FONT_INVIS_DIRECT publish
meta __FONT_INVIS_DOTGOV __FONT_INVIS && __URI_DOTGOV
meta FONT_INVIS_DOTGOV __FONT_INVIS_DOTGOV && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__HAS_LIST_ID
describe FONT_INVIS_DOTGOV Invisible text + .gov URI
score FONT_INVIS_DOTGOV 3.500 # limit
tflags FONT_INVIS_DOTGOV publish
endif
# Adapted from SARE rules __SARE_HTML_SINGLET
# A lone letter, double quote, or numeric character reference between
# two tags.  Counted per occurrence, capped at 21.
rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i
tflags __HTML_SINGLET multiple maxhits=21
# _10 is not referenced in this section; _MANY (>20) means the cap.
meta __HTML_SINGLET_10 __HTML_SINGLET > 10
meta __HTML_SINGLET_MANY __HTML_SINGLET > 20
meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP
describe HTML_SINGLET_MANY Many single-letter HTML format blocks
score HTML_SINGLET_MANY 2.500 # limit
tflags HTML_SINGLET_MANY publish
meta SINGLETS_LOW_CONTRAST __HTML_SINGLET_MANY && __HTML_FONT_LOW_CONTRAST_MINFP
describe SINGLETS_LOW_CONTRAST Single-letter formatted HTML + hidden text
tflags SINGLETS_LOW_CONTRAST publish
# per users list, 10-11 2014
# URI path ending in /<dropbox|googlebox|bank...|newgdoc>/<doc|document|
# invoice|message|index>.php - the shape of a lure hosted on a
# compromised site.  No score line on this one.
uri MALWARE_HACKED_URI m;/(?:dropbox|googlebox|bank\w+|newgdoc)/(?:doc(?:ument)?|invoice|message|index)\.php$;
describe MALWARE_HACKED_URI Malware or phishing hosted-file URI at hacked webserver
# Broader: any single directory before doc/invoice/message.php.
uri __HACKED_PHP_URI m;/\w+/(?:doc(?:ument)?|invoice|message)\.php$;
meta HACKED_PHP_URI __HACKED_PHP_URI
describe HACKED_PHP_URI Possible phishing/malware URI
score HACKED_PHP_URI 2.000 # limit
# very poor S/O - this appears a lot more in ham than in spam??
#body __PUNCT_ODD_SPACING /[a-z]{3}\s+[.,][a-z]{3}/
#tflags __PUNCT_ODD_SPACING multiple maxhits=3
#meta __PUNCT_ODD_SPACING_MANY __PUNCT_ODD_SPACING > 2
# poor S/O - how is this in ham?
#header XMAILER_MANY ALL =~ /\nX-Mailer:(?:[^\n]+\n)+X-Mailer:/ism
#describe XMAILER_MANY Has multiple X-Mailer: headers
body __RAW_TOKEN_BODY /\#(?:(?:First|Last)Name|Email)\#/i
#header __RAW_TOKEN_HDR ALL =~ /\$(?:rand[^$]{0,10})\$/i
#tflags __RAW_TOKEN multiple maxhits=3
#meta RAW_TOKENS __RAW_TOKEN > 2
#describe RAW_TOKENS Raw mail merge tokens in body
header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i
meta __SPOOFED_FREEM_REPTO __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO
tflags __SPOOFED_FREEM_REPTO net
meta SPOOFED_FREEM_REPTO_CHN (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM
describe SPOOFED_FREEM_REPTO_CHN Forged freemail sender with Chinese freemail reply-to
score SPOOFED_FREEM_REPTO_CHN 3.500
tflags SPOOFED_FREEM_REPTO_CHN net publish
header __REPTO_RUS_FREEM Reply-To =~ /\@mail\.ru/i
meta SPOOFED_FREEM_REPTO_RUS (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_RUS_FREEM
describe SPOOFED_FREEM_REPTO_RUS Forged freemail sender with Russian freemail reply-to
score SPOOFED_FREEM_REPTO_RUS 3.500
tflags SPOOFED_FREEM_REPTO_RUS net publish
meta SPOOFED_FREEM_REPTO __SPOOFED_FREEM_REPTO && !__AC_TINY_FONT && !__HAS_IN_REPLY_TO && !__HAS_THREAD_INDEX
describe SPOOFED_FREEM_REPTO Forged freemail sender with freemail reply-to
score SPOOFED_FREEM_REPTO 2.500
tflags SPOOFED_FREEM_REPTO net publish
#header __VERY_LONG_REPTO Reply-To =~ /[^<\s\@]{25,}\@/
#meta __VERY_LONG_REPTO_SHORT_MSG __VERY_LONG_REPTO && __HTML_LENGTH_0000_1024
#meta VERY_LONG_REPTO_SHORT_MSG __VERY_LONG_REPTO_SHORT_MSG && !__VIA_ML && !__TO_EQ_FROM_DOM && !__THREAD_INDEX_GOOD
#describe VERY_LONG_REPTO_SHORT_MSG Very long Reply-To username + short message
#score VERY_LONG_REPTO_SHORT_MSG 2.500 # limit
#tflags VERY_LONG_REPTO_SHORT_MSG publish
#
#ifplugin Mail::SpamAssassin::Plugin::FreeMail
# meta __VERY_LONG_FREEM_REPTO __VERY_LONG_REPTO && FREEMAIL_REPLYTO
# meta VERY_LONG_FREEM_REPTO __VERY_LONG_FREEM_REPTO
# describe VERY_LONG_FREEM_REPTO Very long freemail Reply-To username
# score VERY_LONG_FREEM_REPTO 2.500 # limit
# tflags VERY_LONG_FREEM_REPTO publish
#endif
# for <steve.stewart@fastnet.co.uk>; Mon, 2 Nov 2015 14:27:08 GMT
# (envelope-from fastnet.co.uk.12056010.steve.stewart@vmta27.topreasonstovisit.com)
# S/O low, seems to be common in legit mailing lists
# Maybe in meta with "not a mailing list" rules?
#header __RECIP_IN_ENV_FM_01 Received =~ /for\s+<([^\@]+)\@([^>]+)>.*envelope-from\s+\2\.\d+\.\1\@/i
#header __RECIP_IN_ENV_FM_02 Received =~ /for\s+<([^\@]+)\@([^>]+)>.*envelope-from\s+[^@]*\2[^@]*\@/i
uri URI_MALWARE_CWALL /\/abuse_report\.php\?(?!username=)[^&\s.]{1,100}\./i
describe URI_MALWARE_CWALL Potential CryptoWall malware URL
meta __LIST_PARTIAL_SHORT_MSG __HTML_LENGTH_0000_1024 && __LIST_PARTIAL
meta LIST_PARTIAL_SHORT_MSG __LIST_PARTIAL_SHORT_MSG && !__DKIM_EXISTS
describe LIST_PARTIAL_SHORT_MSG Incomplete mailing list headers + short message
score LIST_PARTIAL_SHORT_MSG 2.500 # limit
# duplicates __HAS_MSMAIL_PRI
#header __FH_HAS_XMSMAIL exists:X-MSMail-Priority
meta __BOGUS_MSM_HDRS __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX
meta BOGUS_MSM_HDRS __BOGUS_MSM_HDRS
describe BOGUS_MSM_HDRS Apparently bogus Microsoft email headers
score BOGUS_MSM_HDRS 3.000 # limit
tflags BOGUS_MSM_HDRS publish
#meta __BOGUS_MSM_PRIO __HAS_MSMAIL_PRI && __HDR_ORDER_FTSDMCXXXX
#meta __BOGUS_MSM_PRIO_MINFP __BOGUS_MSM_PRIO && !__BOGUS_MSM_HDRS && !__MSGID_NOFQDN2 && !__ANY_OUTLOOK_MUA && !__RCD_RDNS_MAIL_MESSY
meta __MSM_PRIO_REPTO __HAS_MSMAIL_PRI && __HAS_REPLY_TO && __SUBJ_SHORT
meta MSM_PRIO_REPTO __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH
describe MSM_PRIO_REPTO MSMail priority header + Reply-to + short subject
score MSM_PRIO_REPTO 2.500 # limit
tflags MSM_PRIO_REPTO publish
header __XM_YAMAIL X-Mailer =~ /^Yamail/
# __GATED_THROUGH_RCVD_REMOVER includes messages with no Received headers *at all*.
# Don't consider those, only consider the ones where *some* Received headers may have been removed
meta __RCVD_RMV_PARTIAL __GATED_THROUGH_RCVD_REMOVER && __HAS_RCVD
# Compare __GATED_THROUGH_RCVD_REMOVER and "via ezmlm"
header __ML_EZMLM Mailing-List =~ /\bezmlm\b/
# is it easy for spammers to forge an encrypted/signed message (only Content-Type is checked here) and still have it displayed to the recipient?
#header KHOP_ENCRYPTED_CONTENT Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/
header __CT_ENCRYPTED Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/
meta ENCRYPTED_MESSAGE __CT_ENCRYPTED
describe ENCRYPTED_MESSAGE Message is encrypted, not likely to be spam
score ENCRYPTED_MESSAGE -1.000
tflags ENCRYPTED_MESSAGE nice publish
#body __PHONE_GIBBERISH_01 /(?:\b\d\d\d-\d\d\d-\d\d\d\d\s+[a-z][^\d\s:.]+\s+){15}/
header __HAS_GMX_BULK exists:X-Gmx-Bulk
ifplugin Mail::SpamAssassin::Plugin::HTMLEval
body __HTML_TAG_BALANCE_CENTER eval:html_tag_balance('center', '!= 0')
meta HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY
describe HTML_TAG_BALANCE_CENTER Malformatted HTML
endif
# more random garbage message headers 01/2016
header __HDR_CASE_REVERSED ALL =~ /^(?!DomainKey)[^-:\s]*[a-z][A-Z]/m
tflags __HDR_CASE_REVERSED multiple maxhits=4
meta __HDR_CASE_REV_MANY (__HDR_CASE_REVERSED > 3)
meta HDR_CASE_REV_MANY __HDR_CASE_REV_MANY
describe HDR_CASE_REV_MANY Multiple malformed (possibly random gibberish) message headers
score HDR_CASE_REV_MANY 2.000 # limit
meta HDR_CASE_REV_ENC __HDR_CASE_REVERSED && (__FROM_ENCODED_B64 || __TVD_SPACE_ENCODED )
describe HDR_CASE_REV_ENC Malformed (possibly random gibberish) message header + suspicious encoding
score HDR_CASE_REV_ENC 2.000 # limit
meta HDR_CASE_REV_HELO_IP __HDR_CASE_REVERSED && __HELO_MISC_IP
describe HDR_CASE_REV_HELO_IP Malformed (possibly random gibberish) message header + IP in HELO
score HDR_CASE_REV_HELO_IP 2.000 # limit
header __HAS_CAMPAIGN exists:X-Campaign
header __HAS_CAMPAIGNID exists:X-Campaignid
header __HAS_CID exists:X-CID
header __HAS_XM_LID exists:X-Mailer-LID
header __HAS_XM_RECPTID exists:X-Mailer-RecptId
header __HAS_XM_SID exists:X-Mailer-SID
header __HAS_XM_SENTBY exists:X-Mailer-Sent-By
header __HAS_DOMAINKEY_SIG exists:DomainKey-Signature
header __HAS_PHP_SCRIPT exists:X-PHP-Script
header __HAS_PHP_ORIG_SCRIPT exists:X-PHP-Originating-Script
header __FROM_WORDY From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/
#header __FROM_WORDY From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+(?<!Customer\.S(?:ervice|upport))\@/
header __FROM_WORDY_3 From:addr =~ /(?:(?:[A-Z][A-Za-z]+|or|&)\.){2,}[A-Z][A-Za-z]+\@/
# __FROM_WORDY S/O now very poor (ham sign? :) ), don't score even with FP avoidance
#meta __FROM_WORDY_SONLY __FROM_WORDY && (__XPRIO_MINFP || __TO_NO_BRKTS_MSFT || __FILL_THIS_FORM_SHORT || __HAS_MSMAIL_PRI || DEAR_FRIEND || __TO_NO_BRKTS_FROM_MSSP || FREEMAIL_REPLYTO )
#meta FROM_WORDY ((__FROM_WORDY_SONLY && !__DKIM_EXISTS) || __FROM_WORDY_3) && !__HAS_TNEF && !__USING_VERP1 && !__HAS_THREAD_INDEX && !__HAS_LIST_ID && !__RCD_RDNS_MTA && !__RCD_RDNS_MX
#describe FROM_WORDY From address looks like a sentence
#score FROM_WORDY 2.500 # limit
#tflags FROM_WORDY publish
#
#meta FROM_WORDY_SHORT ((__FROM_WORDY_SONLY || __FROM_WORDY_3) && __HTML_LENGTH_0000_1024) && !__HAS_TNEF && !__USING_VERP1
#describe FROM_WORDY_SHORT From address looks like a sentence + short message
#score FROM_WORDY_SHORT 2.500 # limit
#tflags FROM_WORDY_SHORT publish
meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT
describe PHP_SCRIPT Sent by PHP script
score PHP_SCRIPT 2.500 # limit
tflags PHP_SCRIPT publish
meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA
describe PHP_SCRIPT_MUA Sent by PHP script, no version number
score PHP_SCRIPT_MUA 2.000 # limit
tflags PHP_SCRIPT_MUA publish
meta __PHP_SCRIPT_MIMENEEDED __HAS_PHP_SCRIPT && __FROM_NEEDS_MIME
meta __PHP_ORIG_SCRIPT_SONLY __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B)
meta PHP_ORIG_SCRIPT __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO && !__MSGID_BEFORE_RECEIVED && !MSGID_FROM_MTA_HEADER
describe PHP_ORIG_SCRIPT Sent by bot & other signs
score PHP_ORIG_SCRIPT 2.500 # limit
tflags PHP_ORIG_SCRIPT publish
# noted 5/26/2016 on list by RW
header __PHP_ORIG_SCRIPT_EVAL X-PHP-Originating-Script =~ /\beval\b.*\bcode\b/i
meta PHP_ORIG_SCRIPT_EVAL __PHP_ORIG_SCRIPT_EVAL
describe PHP_ORIG_SCRIPT_EVAL From suspicious PHP source
score PHP_ORIG_SCRIPT_EVAL 3.000 # limit
#header __FROM_AUTHORITY_COMPANY From:name =~ /\b(?:court|fed-?ex|dhl|e-?zpass|invoice)\b/i
#meta __PHP_MALWARE_ATTACH __HAS_PHP_SCRIPT && __FROM_AUTHORITY_COMPANY && __ZIP_ATTACH_MT
meta __XMSID __HAS_XM_SID && !__CTYPE_MULTIPART_MIXED
meta __XMSID_SONLY __HAS_XM_SID && (INVALID_MSGID || __XPRIO || __HAS_X_MAILER)
header __UNSUB_MAILTO_BOGUS List-Unsubscribe =~ /mailto:[^@">]*[?">]/i
meta __MIMEOLE_DIRECT_TO_MX __HAS_MIMEOLE && __DOS_DIRECT_TO_MX
meta MIMEOLE_DIRECT_TO_MX __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS
describe MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX
score MIMEOLE_DIRECT_TO_MX 2.000 # limit
tflags MIMEOLE_DIRECT_TO_MX publish
# suggested 9/2016 by ChipM in personal email
# would be a LOT nicer if rules could use other rules' captures
# terrible S/O
#full __FROM_FULLN_URL m;^From:\s+"?([a-z]+)\s([a-z]+)\b.*?https?://[^/]+/\1[_.]\2\b;ism
#meta FROM_FULLN_URL __FROM_FULLN_URL && !__THREADED
#describe FROM_FULLN_URL From address full name is in body URL - possible phishing
#score FROM_FULLN_URL 2.000 # limit
# warning: __SUBJECT_EMPTY is also true if the Subject header is entirely missing (see __SUBJECT_PRESENT_EMPTY below)
header __SUBJECT_EMPTY Subject:raw =~ /^\s*$/
meta __SUBJECT_PRESENT_EMPTY __HAS_SUBJECT && __SUBJECT_EMPTY
body __BAYES_POISON_NUMS_01 /\s([0-9]{6,})\s(?:.{15,}?\s\1\s){10}/
rawbody __SPAMTOOL_GOOF_01 /^: SMTPHEADER_REPLYTO\#$/m
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __PHOTO_RETOUCHING /\b(?:(?:retouching|(?:image|photo|pic)s? (?:[a-z]{1,15} ){0,3}(?:edit(?:ing|ors)|team|(?:cut+|mask|clip+|clean|crop+|resiz|enhanc|etch)ing|cut+(?:ing)?[-\s]?out|enhancement|manipulation|restoration|compositing|working|(?:color|contrast|brightnes+|background|make-?up) (?:cor+ection|change)|solution|work|services?)|(?<!that\s)(?<!\.\s)your (?:imag(?:es|ing)|pics)|photo\s?shop (?:expert|service)s?|(?:deliver (?:the|your) |(?:(?:send|throw|ship|drop|deliver|give|provide|e-?mail) us|(?:cut+(?:ing)?[-\s]?out|masking|(?:test|edit)(?:ing)?) (?:for|of|on|with)) (?:(?:an?|one|your|some|sample|test|example|the) )+)(?:image|photo|pic)s?|(?:proces+|edit)(?:\sover|\smore th[ae]n)? \d{2,5}\D? (?:image|photo|pic)s|improv(?:e|ing) (?:(?:image|photo|picture|pic) (?:quality|lighting)|(?:(?:image|photo|picture|pic) )?(?:resolution|contrast|background|color))|cor+ecting (?:color|contrast|brightnes+|background))\b|(?:e-?com+erce|website|jew[el]+r(?:[y's]+|ies)|model+(?:s|ing)?|products?|portraits?|graduation['s]*|school['s]*|bab(?:[y's]+|ies)|famil(?:[y's]+|ies)|kids|wedding|beauty|glamou?r|catalog['s]*|store['s]*|shop['s]*|(?:cut+(?:ing)?[-\s]?out|clip+ing\spath|(?:all|any) kinds? of|enhance|retouch|edit(?:ing)?)[,;]?(?:\s[a-z]{1,15}){0,4})\s(?:image|photo|pic)s?(?:[.,?]|$|\sand\b|\sor\b|\setc\b)|\b(?:imag(?:es|ing)|photos)\s\d+$)/i
tflags __PHOTO_RETOUCHING multiple maxhits=5
meta PHOTO_EDITING_FREEM __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
describe PHOTO_EDITING_FREEM Image editing service, freemail or CHN replyto
score PHOTO_EDITING_FREEM 3.750 # limit
meta PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF
describe PHOTO_EDITING_DIRECT Image editing service, direct to MX
score PHOTO_EDITING_DIRECT 3.000 # limit
endif
## not performing well in masscheck
#if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
# body __GENERATE_LEADS /\b(?:new (?:customer|client)s|(?:customer|client|business|new) leads|y?our marketing|(?:marketing|ad(?:vertising)) services?)\b/i
# tflags __GENERATE_LEADS multiple maxhits=5
# meta __GENERATE_LEADS_1 __GENERATE_LEADS > 1 # for masscheck analysis
# meta __GENERATE_LEADS_2 __GENERATE_LEADS > 2 # for masscheck analysis
# meta __GENERATE_LEADS_3 __GENERATE_LEADS > 3 # for masscheck analysis
# meta __GENERATE_LEADS_4 __GENERATE_LEADS > 4 # for masscheck analysis
# meta __GENERATE_LEADS_MINFP __GENERATE_LEADS && !__RCD_RDNS_MTA && !__RCD_RDNS_MTA_MESSY && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY
#
# meta MARKETING_FREEM __GENERATE_LEADS_MINFP && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
# describe MARKETING_FREEM Marketing service, freemail or CHN replyto
# score MARKETING_FREEM 3.500 # limit
#
# meta MARKETING_SHORT __GENERATE_LEADS_MINFP && __LCL__KAM_BODY_LENGTH_LT_1024
# describe MARKETING_SHORT Marketing service, short message
# score MARKETING_SHORT 3.500 # limit
#
# meta MARKETING_NO_RDNS __GENERATE_LEADS_MINFP && __RDNS_NONE
# describe MARKETING_NO_RDNS Marketing service, no RDNS
# score MARKETING_NO_RDNS 3.500 # limit
#endif
meta HDR_ORDER_FTSDMCXX_DIRECT (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML
describe HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX
score HDR_ORDER_FTSDMCXX_DIRECT 2.000 # limit
tflags HDR_ORDER_FTSDMCXX_DIRECT publish
meta HDR_ORDER_FTSDMCXX_NORDNS (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED
describe HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS
score HDR_ORDER_FTSDMCXX_NORDNS 3.500 # limit
tflags HDR_ORDER_FTSDMCXX_NORDNS publish
body __UNICODE_OBFU_URI_DOM /[0-9a-z]{3,10}(?:\xe3\x80\x82|\xe7\x82\xb9)(?:c[o0]m|net|inf[o0]|biz|cn)\b/i
meta UNICODE_OBFU_DOM_NO_BODY __UNICODE_OBFU_URI_DOM && __EMPTY_BODY
score UNICODE_OBFU_DOM_NO_BODY 3.750 # limit
describe UNICODE_OBFU_DOM_NO_BODY Unicode/Chinese obfuscated domain + no body
#header __REPTO_MULTI_ADDR Reply-To:addr =~ /,/
#meta MULTI_REPTO_NO_RDNS __REPTO_MULTI_ADDR && __RDNS_NONE && !__DOS_HAS_LIST_UNSUB
#score MULTI_REPTO_NO_RDNS 2.500 # limit
#describe MULTI_REPTO_NO_RDNS Multiple Reply-to addresses + no RDNS
#uri __URI_PHP_LOGIN /\blogin\.php/i
meta __FREEM_FRNUM_UNICD_EMPTY FREEMAIL_FROM && __FROM_ALL_NUMS && __FROM_ENCODED_B64 && __SUBJECT_ENCODED_B64 && __EMPTY_BODY
header __SUB_END_NUMSCOM Subject =~ /[0-9]{6,}[-\s]?c[-\s]?[o0][-\s]?m$/i
#meta FREEM_FRNUM_UNICD_EMPTY __FREEM_FRNUM_UNICD_EMPTY && !__SUB_END_NUMSCOM
meta FREEM_FRNUM_UNICD_EMPTY __FREEM_FRNUM_UNICD_EMPTY
describe FREEM_FRNUM_UNICD_EMPTY Numeric freemail From address, unicode From name and Subject, empty body
score FREEM_FRNUM_UNICD_EMPTY 3.750 # limit
tflags FREEM_FRNUM_UNICD_EMPTY publish
#meta FREEM_FRNUM_EMPTY_NUMSCOM __FREEM_FRNUM_UNICD_EMPTY && __SUB_END_NUMSCOM
#describe FREEM_FRNUM_EMPTY_NUMSCOM Numeric freemail From address, unicode From name and Subject, empty body, obfuscated domain name
#score FREEM_FRNUM_EMPTY_NUMSCOM 2.500 # limit
# masscheck just doesn't see this one for some reason
#rawbody __JS_HTML_OBFU_01 /\bdocument\.write\('(?:\\u00[0-9a-f]{2}){30}/i
# very little spam in corpus even though they are bombarding *me* with it
header __SUBJ_USB_DRIVES Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/
meta USB_DRIVES __SUBJ_USB_DRIVES
describe USB_DRIVES Trying to sell custom USB flash drives
score USB_DRIVES 2.000 # limit
tflags USB_DRIVES publish
#header __SUBJ_YOUR_LOGO Subject =~ /\b(?:with|having) your logos?\b/i
#header __SUBJ_CUSTOM_WITH_LOGO Subject =~ /^(?=.*\bcustom\b).*(?:printed |with )+(?:your )?logos?\b/i
full __FROM_NAME_IN_MSG /^From:\s+([^<]\S+\s\S+)\s(?=.{1,2048}^\1\r?$)/sm
meta FRNAME_IN_MSG_XPRIO_NO_SUB (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS && !__SUBJ_NOT_SHORT && !ALL_TRUSTED
describe FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short or no subject
score FRNAME_IN_MSG_XPRIO_NO_SUB 2.500 # limit
tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish
meta __FRNAME_IN_MSG_XPRIO (__FROM_NAME_IN_MSG && __XPRIO && !(__SUBJECT_EMPTY || __SUBJ_SHORT))
#describe FRNAME_IN_MSG_XPRIO From name in message + X-Priority
#score FRNAME_IN_MSG_XPRIO 2.500 # limit
#tflags FRNAME_IN_MSG_XPRIO publish
meta __FRNAME_IN_MSG_NO_SUBJ (__FROM_NAME_IN_MSG && (__SUBJECT_EMPTY || __SUBJ_SHORT) && !__XPRIO)
#describe FRNAME_IN_MSG_NO_SUBJ From name in message + short or no subject
#score FRNAME_IN_MSG_NO_SUBJ 2.500 # limit
#tflags FRNAME_IN_MSG_NO_SUBJ publish
rawbody __HTTP_REFRESH /<meta\s[^>]{0,200}"refresh"/ism
tflags __HTTP_REFRESH publish
meta RATWARE_NO_RDNS __RATWARE_BOUND_A && __RDNS_NONE && __MIME_HTML && __MISSING_REF
describe RATWARE_NO_RDNS Suspicious MsgID and MIME boundary + no rDNS
score RATWARE_NO_RDNS 3.000 # limit
meta BAT_BDRY_TO_MALF __BAT_BOUNDARY && __TO_NO_ARROWS_R
describe BAT_BDRY_TO_MALF Bat boundary + misformatted To: address
score BAT_BDRY_TO_MALF 2.500 # limit
meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO
describe IMG_ONLY_FM_DOM_INFO HTML image-only message from .info domain
score IMG_ONLY_FM_DOM_INFO 2.500 # limit
tflags IMG_ONLY_FM_DOM_INFO publish
meta NO_FM_NAME_IP_HOSTN (__KHOP_NO_FULL_NAME && __IP_IN_RELAY) && !__DOS_RELAYED_EXT
describe NO_FM_NAME_IP_HOSTN No From name + hostname using IP address
score NO_FM_NAME_IP_HOSTN 2.500 # limit
tflags NO_FM_NAME_IP_HOSTN publish
header FROM_NUMERIC_TLD From:addr =~ /\.\d+$/
describe FROM_NUMERIC_TLD From: address has numeric TLD
score FROM_NUMERIC_TLD 3.000 # limit
header __RDNS_NUMERIC_TLD X-Spam-Relays-External =~ /\srdns=\S+\.\d+\s/
header __RDNS_NUMERIC_TLD_NODQ X-Spam-Relays-External =~ /\srdns=(?!\d+\.\d+\.\d+\.\d+\s)\S+\.\d+\s/
meta RDNS_NUM_TLD_XM __RDNS_NUMERIC_TLD && (__HAS_XM_SID || __HAS_XM_LID || __HAS_XM_RECPTID || __HAS_XM_SENTBY)
describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious headers
score RDNS_NUM_TLD_XM 3.000 # limit
tflags RDNS_NUM_TLD_XM publish
meta RDNS_NUM_TLD_ATCHNX __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT
describe RDNS_NUM_TLD_ATCHNX Relay rDNS has numeric TLD + suspicious attachment
score RDNS_NUM_TLD_ATCHNX 3.000 # limit
tflags RDNS_NUM_TLD_ATCHNX publish
meta MALF_HTML_B64 MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG
describe MALF_HTML_B64 Malformatted base64-encoded HTML content
score MALF_HTML_B64 3.500 # limit
tflags MALF_HTML_B64 publish
meta TO_NAME_SUBJ_NO_RDNS LOCALPART_IN_SUBJECT && __RDNS_NONE
describe TO_NAME_SUBJ_NO_RDNS Recipient username in subject + no rDNS
score TO_NAME_SUBJ_NO_RDNS 3.000 # limit
tflags TO_NAME_SUBJ_NO_RDNS publish
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
# more-precise version of __OBFUSCATING_COMMENT_A
rawbody __HTML_SHRT_CMNT_OBFU /\w<!--\s*\w+\s*-->\w/
tflags __HTML_SHRT_CMNT_OBFU multiple maxhits=10
meta __HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU > 5 && HTML_MESSAGE
meta HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU_MANY
describe HTML_SHRT_CMNT_OBFU_MANY Obfuscation with many short HTML comments
score HTML_SHRT_CMNT_OBFU_MANY 2.500 # limit
tflags HTML_SHRT_CMNT_OBFU_MANY publish
endif
header __FROM_ADDR_WS From:addr =~ /\s/
meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL
describe FROM_ADDR_WS Malformed From address
score FROM_ADDR_WS 3.000 # limit
tflags FROM_ADDR_WS publish
header __XM_MSWINLIVE X-Mailer =~ /^Microsoft Windows Live Mail \d+\.\d+\.\d+\.\d+/
header __XM_IPADMAIL X-Mailer =~ /^iPad Mail \([0-9A-F]{4,8}\)/
header __XM_IPHONEMAIL X-Mailer =~ /^iPhone Mail \([0-9A-F]{4,8}\)/
meta __ANY_EXTERNAL __FSL_COUNT_EXTERN > 0
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __GAPPY_SALES_LEADS /\b(?:business|e?-?mail|your|marketing|advertising)\s(?!sales|leads|campaign)(?:s\s?a\s?l\s?e\s?s|l\s?e\s?a\s?d\s?s|c\s?a\s?m\s?p\s?a\s?i\s?g\s?n)\b/i
tflags __GAPPY_SALES_LEADS multiple maxhits=3
meta __GAPPY_SALES_LEADS_MANY __GAPPY_SALES_LEADS > 2
meta GAPPY_SALES_LEADS_FREEM __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
describe GAPPY_SALES_LEADS_FREEM Obfuscated marketing text, freemail or CHN replyto
score GAPPY_SALES_LEADS_FREEM 3.500 # limit
tflags GAPPY_SALES_LEADS_FREEM publish
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __APP_DEVELOPMENT /\b(?:mobile apps|(?:apps?|portal) (?:dev(?:elop(?:ment|ed))?|design|test(?:ing)?|U[IX]|maintenance|support)|(?:we |can |have )+(?:design(?:ed)?|buil[dt]|maintain(?:ed)?|created?)(?: over| more than)?[\s0-9]+apps|different platforms|we are (?:[-a-z]+ ){1,4}(?:software|apps?) (?:company|develop(?:ers|ment)))\b/i
tflags __APP_DEVELOPMENT multiple maxhits=6
meta __APP_DEVELOPMENT_MANY __APP_DEVELOPMENT > 5
meta APP_DEVELOPMENT_FREEM __APP_DEVELOPMENT_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
describe APP_DEVELOPMENT_FREEM App development pitch, freemail or CHN replyto
score APP_DEVELOPMENT_FREEM 3.500 # limit
tflags APP_DEVELOPMENT_FREEM publish
meta APP_DEVELOPMENT_NORDNS __APP_DEVELOPMENT && __RDNS_NONE
describe APP_DEVELOPMENT_NORDNS App development pitch, no rDNS
score APP_DEVELOPMENT_NORDNS 2.000 # limit
tflags APP_DEVELOPMENT_NORDNS publish
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __UNICODE_OBFU_ZW /[a-z0-9\s](?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+[a-z0-9\s]/i
tflags __UNICODE_OBFU_ZW multiple maxhits=10
meta __UNICODE_OBFU_ZW_2 __UNICODE_OBFU_ZW > 1
meta __UNICODE_OBFU_ZW_3 __UNICODE_OBFU_ZW > 2
meta __UNICODE_OBFU_ZW_5 __UNICODE_OBFU_ZW > 4
meta __UNICODE_OBFU_ZW_10 __UNICODE_OBFU_ZW > 9
meta UNICODE_OBFU_ZW __UNICODE_OBFU_ZW_2 && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL_MESSY && !__DOS_HAS_LIST_ID && !__USING_VERP1 && !__DOS_HAS_LIST_UNSUB && !__RCD_RDNS_SMTP && !__DKIM_EXISTS
describe UNICODE_OBFU_ZW Obfuscating text with hidden characters
score UNICODE_OBFU_ZW 3.500 # limit
tflags UNICODE_OBFU_ZW publish
body __UNICODE_OBFU_ASC /[a-z0-9\s](?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9]{1,8}(?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9\s]/i
tflags __UNICODE_OBFU_ASC multiple maxhits=10
meta __UNICODE_OBFU_ASC_MANY __UNICODE_OBFU_ASC > 9
meta UNICODE_OBFU_ASC __UNICODE_OBFU_ASC && !__SPAN_BEG_TEXT && !HTML_IMAGE_ONLY_32
describe UNICODE_OBFU_ASC Obfuscating text with unicode
score UNICODE_OBFU_ASC 2.500 # limit
tflags UNICODE_OBFU_ASC publish
meta ZW_OBFU_BITCOIN __UNICODE_OBFU_ZW && __BITCOIN_ID
describe ZW_OBFU_BITCOIN Obfuscated text + bitcoin ID - possible extortion
score ZW_OBFU_BITCOIN 2.500 # limit
meta ZW_OBFU_FROMTOSUBJ __UNICODE_OBFU_ZW && FROM_IN_TO_AND_SUBJ
describe ZW_OBFU_FROMTOSUBJ Obfuscated text + from in to and subject
score ZW_OBFU_FROMTOSUBJ 2.000 # limit
meta ZW_OBFU_FREEM __UNICODE_OBFU_ZW && __freemail_hdr_replyto
describe ZW_OBFU_FREEM Obfuscated text + freemail
score ZW_OBFU_FREEM 2.000 # limit
full __BOGUS_MIME_HDR /\bContent-[XYZ]-[a-z]{6,15}:\s+[a-z]{6,15}\b/
tflags __BOGUS_MIME_HDR multiple maxhits=8
meta __BOGUS_MIME_HDR_MANY __BOGUS_MIME_HDR > 7
endif
# HTML entity obfuscation per list discussion 11/2018 (thanks AC and RW)
# Broad non-ASCII didn't pan out
# body __AC_HTML_ENTITY_BONANZA_BODY /(?:&(?:[A-Z0-9]{2,}|\#(?:[0-9]{2,5}|x[0-9A-F]{2,4}));\s{0,64}){20}/i
# rawbody __AC_HTML_ENTITY_BONANZA_RAW /(?:&(?:[A-Z0-9]{2,}|\#(?:[0-9]{2,5}|x[0-9A-F]{2,4}));\s{0,64}){20}/i
# body __AC_HTML_ENTITY_BONANZA_SHRT_BODY /(?:&[A-Z0-9\#]{2,};\s{0,64}){20}/i
rawbody __AC_HTML_ENTITY_BONANZA_SHRT_RAW_MANY /(?:&[A-Z0-9\#]{2,};\s{0,64}){20}/i
rawbody __AC_HTML_ENTITY_BONANZA_SHRT_RAW /(?:&[A-Z0-9\#]{2,};\s{0,64}){10}/i
# meta __AC_HTML_ENTITY_BONANZA_MINFP __AC_HTML_ENTITY_BONANZA_SHRT_RAW_MANY && !__RCD_RDNS_MTA_MESSY && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA
# runaway backtracking?
#rawbody __AC_HTML_ENTITY_BONANZA_NEW /(?:(?:\w|\s|[.,!?:'"()\$]){0,32}(?:&(?:[A-Za-z0-9]{2,64}|\#(?:[0-9]{2,5}|x[0-9A-F]{2,4}));\s*){1,64}){10}/i
# rawbody __RW_HTML_ENTITY_ASCII_MANY /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){20}/i
# meta __RW_HTML_ENTITY_ASCII_MANY_MINFP __HTML_ENTITY_ASCII_MANY && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY
rawbody __HTML_ENTITY_ASCII /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){10}/i
meta __HTML_ENTITY_ASCII_MINFP __HTML_ENTITY_ASCII && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML
meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP
describe HTML_ENTITY_ASCII Obfuscated ASCII
score HTML_ENTITY_ASCII 3.000 # limit
tflags HTML_ENTITY_ASCII publish
meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_MINFP && __HTML_FONT_TINY_01
describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts
score HTML_ENTITY_ASCII_TINY 3.000 # limit
tflags HTML_ENTITY_ASCII_TINY publish
rawbody __HTML_URI_NO_PROTOCOL /<a\s+href\s*=(?:3d)?\s*"[a-z0-9][-a-z0-9_]{1,64}(?:\.[a-z0-9][-a-z0-9_]{1,64}){1,5}\s*"/i
meta URI_GIBB_NO_PROTO __HTML_URI_NO_PROTOCOL && __128_ALNUM_URI
score URI_GIBB_NO_PROTO 3.000 # limit
describe URI_GIBB_NO_PROTO Long, gibberish, no-protocol URI
# test rules suggested by Amir Caspi
header __AC_FROM_MANY_DOTS From =~ /<(?:\w{2,}\.){2,}\w+@/
meta __AC_FROM_MANY_DOTS_MINFP __AC_FROM_MANY_DOTS && !ALL_TRUSTED && !FREEMAIL_FORGED_FROMDOMAIN && !FORGED_GMAIL_RCVD && !__UNSUB_LINK && !__XM_VBULLETIN && !__RDNS_SHORT && !__REPTO_QUOTE && !__FSL_RELAY_GOOGLE && !__HAS_IN_REPLY_TO && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_MX_MESSY && !__CTYPE_MULTIPART_MIXED && !__RCD_RDNS_MTA && !__VIA_ML && !__HAS_ERRORS_TO
meta AC_FROM_MANY_DOTS __AC_FROM_MANY_DOTS_MINFP
score AC_FROM_MANY_DOTS 3.000 # limit
describe AC_FROM_MANY_DOTS Multiple periods in From user name
tflags AC_FROM_MANY_DOTS publish
rawbody __AC_LARGE_INDENT /text-indent\s*:\s*[-]?[0-9]{3,}(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i
uri __AC_POSTHTMLEXTRAS /(?:main[0-9]?|mian|start(?:page)?|info(?:page|source|center)?|(?:one|view)?(?:site|source)(?:view|[0-9])?|(?:hub|file)one|index(?:[0-9]|page)?|mediafile|userlink|faction1)[.,]html?\/\w{2,}\b/i
uri __AC_POSTIMGEXTRAS /(?:(?:main|external|hosted|new|file)?(?:im(?:g|age)?|user|one)s?-?(?:view(?:er)?|file|map|finder|portal|hub|online)?s?|library|media(?:source|-?files?)?|main|png|view|begin|file|port|space|webpics|host)(?:[-]?(?:[0-9]|one|two|three|four|five|six|seven|eight|nine))?[.,](?:jpe?g|png|gif)\/\w{2,}\b/i
meta __AC_POST_EXTRAS (__AC_POSTHTMLEXTRAS || __AC_POSTIMGEXTRAS)
meta AC_POST_EXTRAS __AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_ID
describe AC_POST_EXTRAS Suspicious URL
score AC_POST_EXTRAS 2.500 # limit
tflags AC_POST_EXTRAS publish
rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i
uri __URI_BUFFLY m,//buff\.ly/,i
meta URI_BUFFLY __URI_BUFFLY && !__DOS_HAS_LIST_UNSUB
describe URI_BUFFLY buff.ly redirector URI
score URI_BUFFLY 2.000 # limit
meta SHORTENER_SHORT_IMG __URL_SHORTENER && HTML_SHORT_LINK_IMG_1
describe SHORTENER_SHORT_IMG Short HTML + image + URL shortener
score SHORTENER_SHORT_IMG 2.500 # limit
tflags SHORTENER_SHORT_IMG publish
header __DATA_ENTRY_SERVICE Subject =~ /\bdata entry services?\b/i
meta FREEM_DATA_ENTRY __DATA_ENTRY_SERVICE && __freemail_hdr_replyto
describe FREEM_DATA_ENTRY Data entry services too cheap to buy a real domain
score FREEM_DATA_ENTRY 2.500 # limit
header __HDR_RCVD_EBAY X-Spam-Relays-External =~ /\srdns=\S+\.ebay\.com\s/
uri __URI_IMG_EBAY m,://[^/?]+\.ebayimg\.com/,i
meta __EBAY_IMG_NOT_RCVD_EBAY __URI_IMG_EBAY && !__HDR_RCVD_EBAY
meta EBAY_IMG_NOT_RCVD_EBAY __EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTS
score EBAY_IMG_NOT_RCVD_EBAY 3.000 # limit
describe EBAY_IMG_NOT_RCVD_EBAY eBay hosted image but message not from eBay
tflags EBAY_IMG_NOT_RCVD_EBAY publish
header __HDR_RCVD_AMAZON X-Spam-Relays-External =~ /\srdns=\S+\.amazon(?:ses)?\.com\s/
uri __URI_IMG_AMAZON m,://[^/?]+\.(?:ssl-)?images-amazon\.com/,i
# price alert site that leverages Amazon, avoid FPs
header __HDR_RCVD_KEEPA X-Spam-Relays-External =~ /\srdns=\S+\.keepa\.com\s/
meta __AMAZON_IMG_NOT_RCVD_AMZN __URI_IMG_AMAZON && !__HDR_RCVD_AMAZON
meta AMAZON_IMG_NOT_RCVD_AMZN __AMAZON_IMG_NOT_RCVD_AMZN && !__HDR_RCVD_KEEPA && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST
score AMAZON_IMG_NOT_RCVD_AMZN 2.500 # limit
describe AMAZON_IMG_NOT_RCVD_AMZN Amazon hosted image but message not from Amazon
tflags AMAZON_IMG_NOT_RCVD_AMZN publish
header __HDR_RCVD_ALIBABA X-Spam-Relays-External =~ /\srdns=\S+\.alibaba\.com\s/
uri __URI_IMG_ALICDN m,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g|gif|png),i
meta __ALIBABA_IMG_NOT_RCVD_ALI __URI_IMG_ALICDN && !__HDR_RCVD_ALIBABA
meta ALIBABA_IMG_NOT_RCVD_ALI __ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASE
score ALIBABA_IMG_NOT_RCVD_ALI 2.500 # limit
describe ALIBABA_IMG_NOT_RCVD_ALI Alibaba hosted image but message not from Alibaba
tflags ALIBABA_IMG_NOT_RCVD_ALI publish
header __HDR_RCVD_WALMART X-Spam-Relays-External =~ /\srdns=\S+\.walmart\.com\s/
uri __URI_IMG_WALMART m,://[^/?]+\.walmartimages\.com/,i
meta __WALMART_IMG_NOT_RCVD_WAL __URI_IMG_WALMART && !__HDR_RCVD_WALMART
meta WALMART_IMG_NOT_RCVD_WAL __WALMART_IMG_NOT_RCVD_WAL && !__DKIM_EXISTS
score WALMART_IMG_NOT_RCVD_WAL 2.500 # limit
describe WALMART_IMG_NOT_RCVD_WAL Walmart hosted image but message not from Walmart
tflags WALMART_IMG_NOT_RCVD_WAL publish
header __HDR_RCVD_NEWEGG X-Spam-Relays-External =~ /\srdns=\S+\.newegg\.com\s/
uri __URI_IMG_NEWEGG m,://[^/?]+\.neweggimages\.com/,i
meta __NEWEGG_IMG_NOT_RCVD_NEGG __URI_IMG_NEWEGG && !__HDR_RCVD_NEWEGG
meta NEWEGG_IMG_NOT_RCVD_NEGG __NEWEGG_IMG_NOT_RCVD_NEGG
score NEWEGG_IMG_NOT_RCVD_NEGG 2.500 # limit
describe NEWEGG_IMG_NOT_RCVD_NEGG Newegg hosted image but message not from Newegg
tflags NEWEGG_IMG_NOT_RCVD_NEGG publish
header __HDR_RCVD_SHOPIFY X-Spam-Relays-External =~ /\srdns=\S+\.shopify\.com\s/
uri __URI_IMG_SHOPIFY m,://cdn\.shopify\.com/.+\.(?:jpe?g|gif|png),i
meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY
meta SHOPIFY_IMG_NOT_RCVD_SFY __SHOPIFY_IMG_NOT_RCVD_SFY && !__HAS_CAMPAIGN && !MIME_QP_LONG_LINE && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER
score SHOPIFY_IMG_NOT_RCVD_SFY 2.500 # limit
describe SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not from Shopify
tflags SHOPIFY_IMG_NOT_RCVD_SFY publish
uri __URI_IMG_YTIMG m,://[^/?]+\.ytimg\.com/,i
uri __URI_IMG_JOOMCDN m,://img\.joomcdn\.net/,i
uri __URI_IMG_WISH m,://contestimg\.wish\.com/,i
uri __URI_IMG_STATICBG m,://imgaz\.staticbg\.com/images/,i
meta __HOSTED_IMG_DQ_UNSUB __URI_DQ_UNSUB && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG )
meta HOSTED_IMG_DQ_UNSUB __HOSTED_IMG_DQ_UNSUB
score HOSTED_IMG_DQ_UNSUB 3.500 # limit
describe HOSTED_IMG_DQ_UNSUB Image hosted at large ecomm site, IP addr unsub link
tflags HOSTED_IMG_DQ_UNSUB publish
meta __HOSTED_IMG_DIRECT_MX __DOS_DIRECT_TO_MX && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG )
meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS
score HOSTED_IMG_DIRECT_MX 3.500 # limit
describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm site, message direct-to-mx
tflags HOSTED_IMG_DIRECT_MX publish
meta __HOSTED_IMG_FREEM ( FREEMAIL_REPLYTO || FREEMAIL_FROM ) && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_WP_REDIR || __URI_IMG_STATICBG )
meta HOSTED_IMG_FREEM __HOSTED_IMG_FREEM && !__THREADED
score HOSTED_IMG_FREEM 3.500 # limit
describe HOSTED_IMG_FREEM Image hosted at large ecomm site or redirected, freemail from or reply-to
tflags HOSTED_IMG_FREEM publish
meta __HOSTED_IMG_MULTI ( __URI_IMG_EBAY + __URI_IMG_AMAZON + __URI_IMG_ALICDN + __URI_IMG_WALMART + __URI_IMG_NEWEGG + __URI_IMG_SHOPIFY + __URI_IMG_YTIMG + __URI_IMG_JOOMCDN + __URI_IMG_WISH + __URI_IMG_WP_REDIR + __URI_IMG_STATICBG ) > 1
meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS
score HOSTED_IMG_MULTI 3.000 # limit
describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm sites or redirected
tflags HOSTED_IMG_MULTI publish
# WordPress "image accelerator" - abused for obfuscating hosted spamvertised product images
uri __URI_IMG_WP_REDIR m;://i[02]\.wp\.com/.*\.(?:jpe?g|gif|png)$;i
meta URI_IMG_WP_REDIR __URI_IMG_WP_REDIR
score URI_IMG_WP_REDIR 3.000 # limit
describe URI_IMG_WP_REDIR Image via WordPress "accelerator" proxy
tflags URI_IMG_WP_REDIR publish
# Stricter variant (MIME-Version must *start* with 1.0), kept for reference:
#header __BOGUS_MIME_VER_01 MIME-Version =~ /^(?!\s*1\.0).+/
# Fires when a MIME-Version header is present but nowhere contains "1.0" as a
# whole word. "1.0 (comment)" passes; "1.00" is treated as bogus because \b
# does not match between ".0" and the extra "0". A missing header does not
# fire (header rules do not run on absent headers).
header __BOGUS_MIME_VER_02 MIME-Version =~ /^(?!.*\b1\.0\b).+/
meta BOGUS_MIME_VERSION __BOGUS_MIME_VER_02
score BOGUS_MIME_VERSION 3.500 # limit
describe BOGUS_MIME_VERSION Mime version header is bogus
tflags BOGUS_MIME_VERSION publish
# also hits NORMAL_HTTP_TO_IP but should be punished harder
# Host written as a single hex integer ("http://0xC0A80001/"), a classic URL
# obfuscation that resolvers still turn into an IPv4 address. The {8,} floor
# only catches the full 8-hex-digit form; NOTE(review): shorter hex numbers
# (leading zeros dropped) are also accepted as hosts and would be missed here.
uri __URI_HEX_IP m;://0x[0-9A-F]{8,}[:/];i
meta URI_HEX_IP __URI_HEX_IP
score URI_HEX_IP 2.500 # limit
describe URI_HEX_IP URI with hex-encoded IP-address host
tflags URI_HEX_IP publish
# Any URI whose path contains "/redirect.php?": redirector-style link
# obfuscation (the real destination is in the query string, not the host).
# Excluded for VERP senders (__USING_VERP1) and for relays whose rDNS looks
# like a proper MTA (__RCD_RDNS_MTA, by its name) - both defined elsewhere.
uri __URI_PHP_REDIR m;/redirect\.php\?;i
meta URI_PHP_REDIR __URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTA
score URI_PHP_REDIR 3.500 # limit
describe URI_PHP_REDIR PHP redirect to different URL (link obfuscation)
tflags URI_PHP_REDIR publish
# Only loaded when the running SA reports the bug 6558 fix via its Conf
# feature flag; presumably required for the counted body rule below - confirm,
# since the other "multiple maxhits=" body rules in this file are not guarded.
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
# "... day, I earned $500" style earnings claims, counted up to 4 times.
# Note: "$" must be followed by three digits with no trailing boundary, so
# "$1500" matches but comma-grouped "$1,500" does not.
body __DAY_I_EARNED /day,?\sI\s(?:earned|got|received|made|brought\sin)\s\$\s?\d{3}/i
tflags __DAY_I_EARNED multiple maxhits=4
#meta __DAY_I_EARNED_1 __DAY_I_EARNED >= 1
#meta __DAY_I_EARNED_2 __DAY_I_EARNED >= 2
#meta __DAY_I_EARNED_3 __DAY_I_EARNED >= 3
# Three or more such claims in one message.
meta DAY_I_EARNED __DAY_I_EARNED >= 3
score DAY_I_EARNED 3.000 # limit
describe DAY_I_EARNED Work-at-home spam
tflags DAY_I_EARNED publish
endif
# test rule suggested by list discussion
# Relay has no reverse DNS and the message is not in the "not spoofed" class
# (__RDNS_NONE / __NOT_SPOOFED, defined elsewhere). Unscored sub-rule; nothing
# in this section references it.
meta __NORDNS_SPOOFED __RDNS_NONE && !__NOT_SPOOFED
# potential bitcoin extortion obfuscation
# "password" with an optional '-', '_' or whitespace between every letter
# (p-a-s-s-w-o-r-d, pass word, p_a_s_s...); case-insensitive, word-bounded.
body __PASSWORD /\bp[-\s_]?a[-\s_]?s[-\s_]?s[-\s_]?w[-\s_]?o[-\s_]?r[-\s_]?d\b/i
# Password mention + recipient's local-part in the Subject + PDF attachment:
# the "I have your password" sextortion shape. Unscored sub-rule.
meta __UNAME_PASSWD_PDF ( __PASSWORD || __YOUR_PASSWORD ) && LOCALPART_IN_SUBJECT && __PDF_ATTACH
# .gov and .edu URIs appearing in spams, attempts to leverage whitelisting?
# The host must end in the "gov"/"edu" label and be followed immediately by
# "/": a bare "https://x.gov" (no path) or "x.gov:443/" does not match unless
# SA's URI canonicalisation supplies the slash (confirm). "x.gov.uk" and the
# like do not match because "gov" must be the last label.
uri __URI_DOTGOV m;^https?://(?:[^./]+\.)+gov/;i
uri __URI_DOTEDU m;^https?://(?:[^./]+\.)+edu/;i
# Any whitespace-terminated field of the X-Spam-Relays-External pseudo-header
# (rdns=, helo=, by=, ...) ending in ".gov"/".edu" - i.e. the mail passed
# through an external .gov/.edu relay.
header __RCVD_DOTGOV_EXT X-Spam-Relays-External =~ /\.gov\s/i
header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\.edu\s/i
# Unscored .gov combos; only DOTGOV_IMAGE below is scored.
meta __DOTGOV_FREEMAIL __URI_DOTGOV && __freemail_hdr_replyto
#meta __DOTGOV_MONEY __URI_DOTGOV && ( __XFER_MONEY || __MONEY_FRAUD || __YOUR_FUND || __BENEFICIARY || __COMPENSATION || __LOTSA_MONEY_01 || __LOTSA_MONEY_04 )
meta __DOTGOV_MONEY __URI_DOTGOV && ( __YOUR_FUND )
meta __DOTGOV_IMAGE __URI_DOTGOV && __REMOTE_IMAGE
# .gov URI + remote image; bounce-looking relay chains are excluded.
meta DOTGOV_IMAGE __DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYS
describe DOTGOV_IMAGE .gov URI + hosted image
score DOTGOV_IMAGE 3.000 # limit
tflags DOTGOV_IMAGE publish
# .gov URI + stock DKIM_ADSP_NXDOMAIN (no author signature and the From
# domain does not exist in DNS). Needs DNS, hence the "net" tflag. Unscored.
meta __DOTGOV_NXDKIM __URI_DOTGOV && DKIM_ADSP_NXDOMAIN
tflags __DOTGOV_NXDKIM net
# .edu URI from an outsider: excluded when the mail actually came *via* an
# .edu relay, plus a long list of bulk/list/trusted-mail markers to limit FPs.
meta URI_DOTEDU __URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINK
describe URI_DOTEDU Has .edu URI
score URI_DOTEDU 2.000 # limit
tflags URI_DOTEDU publish
meta __URI_DOTEDU_LONG __URI_DOTEDU && __LONGLINE
# Scored but not published (no "tflags publish").
meta URI_DOTEDU_LONG __URI_DOTEDU_LONG && !ALL_TRUSTED && !__RDNS_LONG && !__DOS_RELAYED_EXT && !__URI_MAILTO && !__CTE
describe URI_DOTEDU_LONG Has .edu URI + excessively long line
score URI_DOTEDU_LONG 3.000 # limit
meta __URI_DOTEDU_ENTITY __URI_DOTEDU && __AC_HTML_ENTITY_BONANZA_SHRT_RAW
meta URI_DOTEDU_ENTITY __URI_DOTEDU_ENTITY && !__SUBSCRIPTION_INFO
# NOTE(review): the description says "Via .edu MTA" but the condition is an
# .edu *URI* (__URI_DOTEDU), not an .edu relay (__RCVD_DOTEDU_EXT). One of the
# two is wrong; the RCVD_DOTEDU_* rules below are the relay-based ones.
describe URI_DOTEDU_ENTITY Via .edu MTA + suspicious HTML content
score URI_DOTEDU_ENTITY 3.000 # limit
tflags URI_DOTEDU_ENTITY publish
# Relay-based variants: message passed through an external .edu MTA
# (presumably abused .edu accounts) plus one content signal each.
meta __RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI )
meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI
describe RCVD_DOTEDU_SUSP_URI Via .edu MTA + suspicious URI
score RCVD_DOTEDU_SUSP_URI 3.000 # limit
tflags RCVD_DOTEDU_SUSP_URI publish
meta __RCVD_DOTEDU_SHORT __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 )
# Replies ("Re:" subjects) and list mail (List-Id) are excluded.
meta RCVD_DOTEDU_SHORT __RCVD_DOTEDU_SHORT && !__FS_SUBJ_RE && !__HAS_LIST_ID
describe RCVD_DOTEDU_SHORT Via .edu MTA + short message
score RCVD_DOTEDU_SHORT 2.500 # limit
tflags RCVD_DOTEDU_SHORT publish
meta __RCVD_DOTEDU_SUSP __RCVD_DOTEDU_EXT && ( MIME_QP_LONG_LINE || __TVD_SPACE_RATIO || __FROM_RUNON || __USING_VERP1 )
# Scored but not published.
meta RCVD_DOTEDU_SUSP __RCVD_DOTEDU_SUSP && !__HAS_X_LOOP && !__HAS_X_REF
describe RCVD_DOTEDU_SUSP Via .edu MTA + suspicious content
score RCVD_DOTEDU_SUSP 2.000 # limit
# bitcoin work-at-home spams 04/2020
# Nine phrase sub-rules; each counts at most once (no "multiple" tflag).
body __PERFECT_BINARY /\bperfect binary option\b/i
body __WE_PAID /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i
body __MAKE_XTRA_DOLLAR /\bmake an extra dollar\b/i
body __BONUS_LAST_DAY /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i
body __PASSIVE_INCOME /\bpassive income\b/i
body __WITHOUT_EFFORT /\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great| special| extra)? effort\b/i
body __TRANSFORM_LIFE /\b(transform|change) your (?:daily )?life(?:style)?\b/i
body __STAY_HOME /\b(?:going out of|leaving)(?: your)? (?:home|house|residence)\b/i
body __RECEIVE_BONUS /\byou(?:'ll)?(?: also| will)* (?:rec[ei]*ve|get|earn|collect|be (?:awarded|handed|remitted|given|paid|(?:greeted|welcomed|started) with)) (?:an? )?(?:gift|bonus|extra)(?: of|:)? \$[\d,]+/i
# Scored on its own only when the usual legit-bulk markers are all absent.
meta TRANSFORM_LIFE __TRANSFORM_LIFE && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_X_MAILER && !__VIA_ML
describe TRANSFORM_LIFE Transform your life!
score TRANSFORM_LIFE 2.500 # limit
# Three or more of the nine phrases in one message.
meta __WFH_01 ( __PERFECT_BINARY + __WE_PAID + __MAKE_XTRA_DOLLAR + __BONUS_LAST_DAY + __PASSIVE_INCOME + __WITHOUT_EFFORT + __TRANSFORM_LIFE + __STAY_HOME + __RECEIVE_BONUS ) > 2
# The three combos below have no "score" line, so SA's default score for an
# unscored rule (1.0) applies - confirm that is intended.
meta __BITCOIN_WFH_01 __BITCOIN && __WFH_01
meta BITCOIN_WFH_01 __BITCOIN_WFH_01
describe BITCOIN_WFH_01 Work-from-Home + bitcoin
tflags BITCOIN_WFH_01 publish
meta __TO_TOO_MANY_WFH_01 __TO_WAY_TOO_MANY && __WFH_01
meta TO_TOO_MANY_WFH_01 __TO_TOO_MANY_WFH_01
describe TO_TOO_MANY_WFH_01 Work-from-Home + many recipients
tflags TO_TOO_MANY_WFH_01 publish
meta __FREEMAIL_WFH_01 (FREEMAIL_FROM || FREEMAIL_REPLYTO) && __WFH_01
meta FREEMAIL_WFH_01 __FREEMAIL_WFH_01
describe FREEMAIL_WFH_01 Work-from-Home + freemail
tflags FREEMAIL_WFH_01 publish
# Bytes F0 9D 90 80 .. F0 9D 9F BF are the UTF-8 encoding of U+1D400-U+1D7FF
# (Mathematical Alphanumeric Symbols): bold/italic/script look-alikes of
# A-Z, a-z and 0-9 used to spell keywords that plain-ASCII rules cannot see.
# A "word" is 3-10 such characters in a row; counted up to 10 times. Assumes
# the body is presented as raw UTF-8 bytes (normalize_charset or native UTF-8).
body __4BYTE_UTF8_WORD /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
tflags __4BYTE_UTF8_WORD multiple maxhits=10
# _3 and _5 tiers are defined but not referenced by any rule in this section.
meta __4BYTE_UTF8_WORD_3 __4BYTE_UTF8_WORD > 3
meta __4BYTE_UTF8_WORD_5 __4BYTE_UTF8_WORD > 5
# "> 9" is only reachable at the maxhits=10 cap.
meta __4BYTE_UTF8_WORD_9 __4BYTE_UTF8_WORD > 9
meta SUSP_UTF8_WORD_MANY __4BYTE_UTF8_WORD_9
describe SUSP_UTF8_WORD_MANY Many words using only suspicious UTF-8 characters
score SUSP_UTF8_WORD_MANY 3.000 # limit
# A single such word plus one other weak spam sign.
meta SUSP_UTF8_WORD_COMBO __4BYTE_UTF8_WORD && ( __LIST_PARTIAL || __RDNS_NONE || __CLICK_HERE || __PHPMAILER_MUA || __STY_INVIS_3 || __TO___LOWER || __MSGID_OK_DIGITS || __HTML_IMG_ONLY )
describe SUSP_UTF8_WORD_COMBO Words using only suspicious UTF-8 characters + other signs
score SUSP_UTF8_WORD_COMBO 3.000 # limit
# Same character block in the Subject / From display-name. Assumes SA hands
# header rules the RFC 2047-decoded value as UTF-8 bytes - confirm.
header __4BYTE_UTF8_WORD_SUBJ Subject =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
meta SUSP_UTF8_WORD_SUBJ __4BYTE_UTF8_WORD_SUBJ
describe SUSP_UTF8_WORD_SUBJ Word in Subject using only suspicious UTF-8 characters
score SUSP_UTF8_WORD_SUBJ 2.000 # limit
header __4BYTE_UTF8_WORD_FROM From:name =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
meta SUSP_UTF8_WORD_FROM __4BYTE_UTF8_WORD_FROM
describe SUSP_UTF8_WORD_FROM Word in From name using only suspicious UTF-8 characters
score SUSP_UTF8_WORD_FROM 2.000 # limit
# observed by AC
# Five or more consecutive empty <td></td> cells in the raw HTML (layout
# padding / spacer trick); counted up to 3 times, scored at the cap.
rawbody __HTML_EMPTY_CELLS /<td>(?:<\/td><td>){5,}/i
tflags __HTML_EMPTY_CELLS multiple maxhits=3
meta __HTML_EMPTY_CELLS_MANY __HTML_EMPTY_CELLS > 2
meta HTML_EMPTY_CELLS_MANY __HTML_EMPTY_CELLS_MANY
describe HTML_EMPTY_CELLS_MANY HTML table with lots of empty cells
score HTML_EMPTY_CELLS_MANY 1.500 # limit
# SendGrid click-tracking redirect (u<N>.ct.sendgrid.net/ls/click?upn=...):
# the real destination is wrapped, so URIBL lookups only see sendgrid.net.
# NOTE(review): this is the only uri rule in the section without the /i flag;
# unless SA lowercases the host during URI canonicalisation, a mixed-case host
# would evade it - confirm.
uri __SENDGRID_REDIR m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=,
# Split into a plain and a phishing tier so that only one of them scores.
meta __SENDGRID_REDIR_NOPHISH __SENDGRID_REDIR && !__SENDGRID_REDIR_PHISH
# Low score; trusted mail, mailing-list headers (Errors-To, X-BeenThere,
# X-Mailman-Version) and a few bulk-mail/bounce markers are excluded.
meta SENDGRID_REDIR __SENDGRID_REDIR_NOPHISH && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION && !__STY_INVIS_MANY && !__HTML_SINGLET_10 && !__HAVE_BOUNCE_RELAYS
describe SENDGRID_REDIR Redirect URI via Sendgrid
score SENDGRID_REDIR 1.500 # limit
tflags SENDGRID_REDIR publish
# Redirect + a phishing indicator (by their names: recipient's domain in the
# From display-name, forged MUA-to-MX relay, or recipient address in Subject).
meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ )
meta SENDGRID_REDIR_PHISH __SENDGRID_REDIR_PHISH
describe SENDGRID_REDIR_PHISH Redirect URI via Sendgrid + phishing signs
score SENDGRID_REDIR_PHISH 3.500 # limit
tflags SENDGRID_REDIR_PHISH publish
# Suspicious Message-ID shape (__MSGID_DOLLARS_MAYBE, defined elsewhere) plus
# at least one URI and a linked image; replies/forwards are excluded.
meta __MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_MAYBE && __HAS_ANY_URI && __HTML_LINK_IMAGE
meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW
describe MSGID_DOLLARS_URI_IMG Suspicious Message-ID and image
score MSGID_DOLLARS_URI_IMG 3.000 # limit
tflags MSGID_DOLLARS_URI_IMG publish
# Hostname ending in "-gov.com" / "-edu.com" (e.g. agency-gov.com): look-alike
# domains imitating .gov/.edu sites. "[^/]*" spans the whole authority part, so
# userinfo@ and any sub-labels are covered.
uri __URI_DASHGOVEDU m,://[^/]*-(?:gov|edu)\.com/,i
meta URI_DASHGOVEDU __URI_DASHGOVEDU
describe URI_DASHGOVEDU Suspicious domain name
score URI_DASHGOVEDU 3.500 # limit
tflags URI_DASHGOVEDU publish
# all have good S/O but are already scored very highly
#meta __NOINR_MSOE_FORG __NO_INR_YES_REF && __MSOE_MID_WRONG_CASE
#meta __NOINR_MONEY __NO_INR_YES_REF && __LOTSA_MONEY_01
#meta __NOINR_FRAUD __NO_INR_YES_REF && (__AFRICAN_STATE || __BENEFICIARY || __COMPENSATION || __FILL_THIS_FORM_PARTIAL || __LOTTO_DEPT || __WIRE_XFR || __TRANSFORM_LIFE )
# Apparent use of content hosted at storage.googleapis.com
# (mapped images and HTML landing pages for the imagemap URIs)
# to avoid URIBL hits
# Image objects on storage.googleapis.com only; the extension must end the
# URI (no query string). Counted up to 5 times.
uri __URI_GOOG_STO_IMG m,^https?://storage\.googleapis\.com/.*\.(?:png|jpe?g|gif)$,i
tflags __URI_GOOG_STO_IMG multiple maxhits=5
# HTML objects on storage.googleapis.com *or* firebasestorage.googleapis.com;
# a "?query" after the extension is allowed. NOTE(review): the image rule
# accepts neither the firebasestorage host nor a query string - confirm the
# asymmetry is intended.
uri __URI_GOOG_STO_HTML m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.html?(?:$|\?),i
tflags __URI_GOOG_STO_HTML multiple maxhits=5
meta __GOOG_STO_IMG_NOHTML __URI_GOOG_STO_IMG && !__URI_GOOG_STO_HTML
meta __GOOG_STO_NOIMG_HTML !__URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML
# Image + two or more HTML pages: defined but not referenced in this section.
meta __GOOG_STO_IMG_HTML_2 __URI_GOOG_STO_IMG && (__URI_GOOG_STO_HTML > 1)
meta __GOOG_STO_IMG_HTML_1 __URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML
meta GOOG_STO_IMG_HTML __GOOG_STO_IMG_HTML_1
describe GOOG_STO_IMG_HTML Apparently using google content hosting to avoid URIBL
score GOOG_STO_IMG_HTML 3.000 # limit
tflags GOOG_STO_IMG_HTML publish
# HTML page without an image; list mail (List-Id) excluded.
meta GOOG_STO_NOIMG_HTML __GOOG_STO_NOIMG_HTML && !__HAS_LIST_ID
describe GOOG_STO_NOIMG_HTML Apparently using google content hosting to avoid URIBL
score GOOG_STO_NOIMG_HTML 3.000 # limit
tflags GOOG_STO_NOIMG_HTML publish
# S/O not great, try salvage what's possible
# Image-only case needs one corroborating sign and passes several bulk-mail /
# remailer exclusions before it scores.
meta GOOG_STO_IMG_NOHTML __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID
describe GOOG_STO_IMG_NOHTML Apparently using google content hosting to avoid URIBL
score GOOG_STO_IMG_NOHTML 2.500 # limit
tflags GOOG_STO_IMG_NOHTML publish
# Hosted HTML page + phishing phrases. Single-hit tier excludes the _MANY
# sub-rules so the two tiers below never score together.
meta __GOOG_STO_HTML_PHISH __URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY
meta GOOG_STO_HTML_PHISH __GOOG_STO_HTML_PHISH
describe GOOG_STO_HTML_PHISH Possible phishing with google content hosting to avoid URIBL
score GOOG_STO_HTML_PHISH 3.00 # limit
tflags GOOG_STO_HTML_PHISH publish
meta GOOG_STO_HTML_PHISH_MANY __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
describe GOOG_STO_HTML_PHISH_MANY Phishing with google content hosting to avoid URIBL
score GOOG_STO_HTML_PHISH_MANY 4.00 # limit
tflags GOOG_STO_HTML_PHISH_MANY publish
# download-a-file pitch, malware? 11/2020
#header CRAIGSLIST_DATING Subject =~ /Sexy \w+ From Craigs?list/i
#describe CRAIGSLIST_DATING Possible malware
#score CRAIGSLIST_DATING 4.000 # limit
# Tenant SharePoint URI (<tenant>.sharepoint.com, but not www.sharepoint.com),
# presumably for the file-share lure noted above. Unscored sub-rule; not
# referenced by any rule in this section.
uri __URI_PVT_SHAREPOINT m,^https?://(?!www\.)(?:[^/.]+\.)+sharepoint\.com/,i
# suspicious HTML observed in the wild
#rawbody __QUOTQUOTQUOT /(?:&quot;){5,}/
#tflags __QUOTQUOTQUOT multiple maxhits=16
#meta __QUOTQUOTQUOT_MANY __QUOTQUOTQUOT > 15
# C2 AD is the UTF-8 encoding of U+00AD SOFT HYPHEN: invisible when rendered
# but splits words for regex/keyword matching. Matches a short word broken by
# one soft hyphen, or a word broken by 2-6 of them, not directly followed by
# another C2 lead byte. Counted up to 11 times.
body __OBFU_SHY /\b(?:[a-z]{1,3}[\xc2][\xad][a-z]{1,2}|\w+(?:[\xc2][\xad]\w+){2,6})\b(?![\xc2])/i
tflags __OBFU_SHY multiple maxhits=11
# "> 10" is only reachable at the maxhits=11 cap. Unscored sub-rule.
meta __OBFU_SHY_MANY __OBFU_SHY > 10
# For masscheck eval, by request
# Exact-sender probes for corpus measurement only: unscored (leading __) and
# not referenced by any rule in this section.
header __LW_TEST_01 From:addr =~ /^store-news\@amazon\.com$/
header __LW_TEST_02 From:addr =~ /^newsletters\@hohiko\.co\.uk$/
header __LW_TEST_03 From:addr =~ /\@hohiko\.co\.uk$/
# External relay whose rdns= field is under t-online.de (case-sensitive; no /i).
header __HDR_RCVD_TONLINEDE X-Spam-Relays-External =~ /\srdns=\S+\.t-online\.de\s/
# Fires on *any* DKIM-Signature header being present (__DKIM_EXISTS, by its
# name), not only an invalid or forged one. The premise that t-online.de never
# signs is an external fact that can change; revisit if FPs appear.
meta TONLINE_FAKE_DKIM __HDR_RCVD_TONLINEDE && __DKIM_EXISTS
describe TONLINE_FAKE_DKIM t-online.de doesn't do DKIM
score TONLINE_FAKE_DKIM 2.500 # limit
# The three value classes Microsoft mail clients emit in X-MSMail-Priority
# (Normal / High / Low, with Urgent and Non-Urgent accepted as synonyms).
header __MSMAIL_PRI_NORMAL X-MSMail-Priority =~ /^normal$/i
header __MSMAIL_PRI_HIGH X-MSMail-Priority =~ /^(?:high|urgent)$/i
header __MSMAIL_PRI_LOW X-MSMail-Priority =~ /^(?:low|non-urgent)$/i
# Header present (__HAS_MSMAIL_PRI, defined elsewhere) but not "normal".
meta __MSMAIL_PRI_ABNORMAL __HAS_MSMAIL_PRI && !__MSMAIL_PRI_NORMAL
# This is counterintuitive - exclude __MSMAIL_PRI_HIGH ?
# It seems that 99% of the spam using X-MSMail-Priority other than "normal" is using *invalid values*
# score "high" separately if justified
# Net effect: fires on "low"/"non-urgent" or on an *invalid* value, never on
# "high" (excluded here and scored separately below), and never when the mail
# shows genuine Outlook / Thread-Index / DKIM / X-Mailer / User-Agent provenance.
meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER && !__HAS_UA && !__MSMAIL_PRI_HIGH
describe MSMAIL_PRI_ABNORMAL Email priority often abused
score MSMAIL_PRI_ABNORMAL 1.500 # limit
# "high" priority with a much shorter exclusion list.
meta MSMAIL_PRI_HIGH __MSMAIL_PRI_HIGH && !ALL_TRUSTED && !__FROM_LOWER && !__RDNS_SHORT
describe MSMAIL_PRI_HIGH Email priority often abused
score MSMAIL_PRI_HIGH 1.500 # limit
# Phishing? 11/2020
# Whole-message rule: a "To: <local>@<domain>" line whose local-part (and
# optionally the full address) reappears within the next 2048 characters
# followed by "sharepoint" or "document" - the "<you> shared a document" lure.
# Caveats: with /m the "^To:" anchor also matches any body line that starts
# with "To:" (quoted headers in a reply); the {1,2048} window and {1,40}
# token limits bound the backreference backtracking. Unscored sub-rule.
full __TO_ADDR_BODY_DOC /^To:\s+(?:"[^"\n]{0,80}"\s*)?<?([^@\s]{1,40})@([^\s>]{1,40})>?\s(?=.{1,2048}\b\1(?:@\2)?\s+(?:sharepoint|document))/ism
# Hyphenated ISBN-13 (978-/979- prefix, then 10-14 digit-or-hyphen characters
# with no "--"), not adjacent to other digits/hyphens. Unscored, unreferenced
# in this section.
body __BODY_HAS_ISBN /(?:^|[^-\d])97[89]-\d(?:(?!--)[-\d]){10,14}(?:$|[^-\d])/
# Reply-To pointing at a no-reply / noreply mailbox. Unscored sub-rule.
header __REPLYTO_NOREPLY Reply-To =~ /\bno-?reply@/i
# "order it/one/yours today/now" call-to-action, counted up to 4 times.
body __ORDER_TODAY /\border (?:it|one|yours) (?:today|now)\b/i
tflags __ORDER_TODAY multiple maxhits=4