# SpamAssassin - ReplaceTags configuration
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# Requires the Mail::SpamAssassin::Plugin::ReplaceTags plugin be loaded;
# everything between this ifplugin and its endif is skipped otherwise.
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
#
# Letter tags.  "replace_tag NAME REGEX" defines a tag that rules named in a
# replace_rules line can reference as <NAME>; the plugin substitutes REGEX
# for the tag before the rule is compiled.
#
# Each letter tag is an alternation of ways that letter is written in the
# patterns below:
#   - the plain ASCII letter, plus ASCII look-alikes (e.g. 8 for B, 3 for E,
#     | ! 1 for I and L, "rn" for M, "\/" for V, "><" for X);
#   - single high bytes (e.g. \xc0-\xc6 in <A>, accented A forms in
#     ISO-8859-1);
#   - two- and three-byte sequences written as [lead][continuation...]
#     (e.g. \xd0\x90 / \xd0\xb0 in <A> are the UTF-8 encodings of Cyrillic
#     capital/small A, U+0410/U+0430);
#   - for some tags (C, E, H, I, K, L, R) numeric HTML entities "&#...;".
# '#' inside a pattern is written "\#" because an unescaped '#' starts a
# comment in this file format.
#
# NOTE(review): several single-byte alternatives reuse values that also act
# as lead bytes of the multi-byte sequences in this file (e.g. a lone \xd0 in
# <D>, \xd1 in <N>, \xc3-\xc5 in <A>).  If the rules are matched against
# UTF-8 bytes, such an alternative can match the first byte of an unrelated
# character -- confirm against the encoding the text is matched in before
# relying on these tags for new rules.
#
# NOTE(review): <A> also accepts g, r, o and 0, which widens every rule that
# uses <A>; \xe2 \xe3 \xe4 appear twice in the same class (redundant but
# harmless).  Confirm the extra letters are intended.
replace_tag A (?:[gra\@\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xe4\xe3\xe2\xe0\xe1\xe2\xe3\xe4\xe5\xe6o0]|[\xce][\x86\x91\x94\x9b\xac\xb1]|[\xd0][\x90\xb0]|[\xd1][\xa6\xa7]|[\xd3][\x90\x91\x92\x93]|[\xe1][\x8e][\xaa])
replace_tag B (?:[b8]|[\xce][\x92\xb2]|[\xcf][\x90\xb8]|[\xd0][\x91\x92\xac\xb1\xb2]|[\xd1][\x8a\x8c\xa2\xa3]|[\xd2][\x8c\x8d])
replace_tag C (?:[ck\xc7\xe7@]|[\xc3][\x87]|[\xc4][\x86\x87\x88\x89\x8a\x8b\x8c\x8d]|[\xcf][\x82\x9a\x9b\xb2\xb9\xbe]|[\xd0][\xa1]|[\xd1][\x81]|[\xd2][\x80\x81\xaa\xab]|[\xd5][\x87]|&\#(?:1(?:0(?:10|17|2[123]|57|89)|1(?:52|53|94|95)|99)|2(?:31|6[2-9])|39[12]|x(?:3(?:f2|f9|fe)|4(?:21|41|80|81|aa|ab)));)
replace_tag D (?:[d\xd0]|[\xd4][\x80\x81]|[\xd5][\xaa])
replace_tag E (?:[e3]|[\xc4][\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b]|[\xc8][\x84\x85\x86\x87\xa8\xa9]|[\xce][\x88\x95\xa3\xad\xb5\xbe]|[\xcf][\xb5]|[\xd0][\x80\x81\x84\x95\xb5]|[\xd1][\x90\x91\x94\xb3]|[\xd2][\xbc\xbd\xbe\xbf]|[\xd3][\x96\x97\xa9\xab]|[\xd4][\x90\x91]|[\xc8\xc9\xca\xcb\xe8\xe9\xea\xeb\xa4]|&\#(?:1(?:0(?:13|2[458]|45|77)|108|2(?:1[2-5]|3[89]|9[67]))|2(?:0[0-3]|3[2-5]|7[4-9]|8[0-3])|400|51[6-9]|5[58][23]|603|9(?:04|17|[34]1|4[19]));)
replace_tag F (?:f|[\xcf][\x9c\x9d]|[\xd2][\x92\x93]|[\xd3][\xba\xbb]|[\xd4][\xb2]|[\xd5][\xa2])
replace_tag G (?:[gk]|[\xd2][\xa8\xa9]|[\xd4][\x8c\x8d]|[\xd6][\x81])
replace_tag H (?:h|[\xce][\x89\x97]|[\xcf][\xa6]|[\xd0][\x8a\x8b\x9d\xbd]|[\xd1][\x92\x9b]|[\xd2][\x94\x95\xa2\xa3\xa4\xa5\xba\xbb]|[\xd3][\x87\x88\x89\x8a]|[\xd4][\xbb]|[\xd5][\xab\xb0]|&\#(?:2(?:22[3-6]|9[2-5])|54[23]|1(?:0(?:53|85)|18[6-9]|8(?:0(?:8[89]|9[0-5])|1(?:38[89]|340)))|919);)
# Inside the first class of <I>, '?' is a literal question mark, not a
# quantifier.
replace_tag I (?:[il|!1y?\xcc\xcd\xce\xcf\xec\xed\xee\xef]|[\xc4][\xa8]|[\xc7][\x8f\x90]|[\xce][\x8a\x90\x99\xaa\xaf\xb9]|[\xcf][\x8a]|[\xd0][\x86\x87]|[\xd1][\x96\x97]|[\xd3][\x80\x8f]|[\xd5][\xac]|&\#(?:1(?:03[01]|11[01]|216|231)|2(?:0[4-7]|16|3[6-9]|9[6-9])|3(?:0[0-5])|4(?:0[67]|6[34])|52[0-3]);)
replace_tag J (?:j|[\xcf][\xb3]|[\xd0][\x88]|[\xd1][\x98]|[\xd5][\xb5])
replace_tag K (?:k|[\xc7][\xa8\xa9]|[\xce][\x9a\xba]|[\xd0][\x8c\x9a\xba]|[\xd1][\x9c]|[\xd2][\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1]|[\xd3][\x83\x84]|[\xd4][\x9e\x9f]|&\#(?:31[0-2]|4[08][89]|9(?:22|54|75)|1(?:0(?:36|50|82)|1(?:16|7[89]|8[0-5])|219|220|31[01]));)
replace_tag L (?:[il|!1\xa3]|[\xc4][\xb9\xba\xbb\xbc\xbd\xbe\xbf]|[\xc5][\x80\x81\x82]|[\xc8][\xbd]|[\xd3][\x80\x8f]|[\xd4][\xbc]|[\xd5][\xac]|[\xd6][\x82]|&\#(?:1340|3(?:1[3-9]|2[0-2])|573|671|x53c|76);)
replace_tag M (?:m|rn|[\xd0][\x9c\xbc]|[\xd2][\xa7]|[\xd3][\x8d\x8e])
replace_tag N (?:[n\xd1\xf1]|[\xd0][\x98\x99\x9f\xb8\xb9\xbb\xbf]|[\xd1][\x9d]|[\xd2][\x8a\x8b]|[\xd3][\x86\xa2\xa3\xa4\xa5]|[\xd4][\xa5]|[\xd5][\x88\x8c\xa4\xa8\xb2\xb8\xbc]|[\xd6][\x80])
replace_tag O (?:[go0\xd2\xd3\xd4\xd5\xd6\xd8\xf0\xf2\xf3\xf4\xf5\xf6\xf8]|[\xd0][\x9e\xae\xbe]|[\xd1][\xba\xbb]|[\xd3][\xa6\xa7\xa8\xaa]|[\xd4][\x9a]|[\xd5][\x95\xae]|[\xd6][\x85]|[\xd7][\xa1])
replace_tag P (?:[p\xfe]|[\xd0][\xa0]|[\xd1][\x80]|[\xd2][\x8e\x8f]|[\xd4][\x97]|[\xd5][\xa9]|[\xd6][\x84])
replace_tag Q (?:q|[\xd4][\x9a\x9b\xb3]|[\xd5][\xa3\xa6])
replace_tag R (?:r|[\xc5][\x94\x95\x96\x97\x98\x99]|[\xc8][\x90\x91\x92\x93]|[\xd0][\x93\xaf]|[\xd1][\x8f\x93]|[\xd2][\x90\x91\x93]|[\xd3][\xb6\xb7]|[\xd4][\xb8\xbb]|[\xd5][\x90\x92]|[\xd6][\x80]|&\#(?:1(?:071|103)|34[0-5]|422|5(?:2[89]|3[01]|8[89])|6(?:3[67]|40));)
replace_tag S (?:[sz\xa6\xa7]|[\xd0][\x85]|[\xd1][\x95]|[\xd5][\x8f])
replace_tag T (?:t|[\xd0][\x93\xa2]|[\xd1][\x82]|[\xd2][\x90\xac\xad]|[\xd3][\xb6]|[\xd4][\xb5\xb7]|[\xd5][\x92\xa7])
replace_tag U (?:[uv\xb5\xd9\xda\xdb\xdc\xfc\xfb\xfa\xf9\xfd]|[\xd0][\x8f\xa6]|[\xd1][\x86\x9f]|[\xd4][\xb1\xbf]|[\xd5][\x84\x8d\xb4\xb6\xbd\xbe]|[\xd6][\x87])
replace_tag V (?:[vu]|\\\/|[\xd1][\xb4\xb5\xb6\xb7])
replace_tag W (?:[wv]|[\xd0][\xa8\xa9]|[\xd1][\x88\x89\xa1\xb0\xb1\xbf]|[\xd4][\x9c\x9d]|[\xd5][\xa1\xba])
replace_tag X (?:[x\xd7]|><|[\xd0][\x96\xa5\xb6]|[\xd1][\x85]|[\xd2][\x96\x97\xb2\xb3]|[\xd3][\x81\x82\x9c\x9d\xbc\xbd\xbe\xbf])
replace_tag Y (?:[y\xff\xfd\xa5j]|[\xd0][\x8e\xa3]|[\xd1][\x83\x87\x9e]|[\xd2][\xae\xaf\xb0\xb1\xb6\xb7\xb8\xb9]|[\xd3][\x8b\x8c\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5]|[\xd4][\xbf]|[\xd5][\x8e\xaf\xbe])
# <Z> is the only letter tag with no non-ASCII alternatives: z or s.
replace_tag Z [zs]
# Non-letter tags, and the inter/post modifiers used by the rules below.
#
# <IMG>: an image file extension (jpg, jpeg, gif or png).
replace_tag IMG (?:jpe?g|gif|png)
# <SP>: one whitespace character, digit, or one of the listed punctuation
# characters (plus the high byte \xa1).
replace_tag SP [\s\d_*\$\%(),.:;?!}{\[\]|\/?^\#~\xa1`'+-]
# <WS>: one whitespace-like token: whitespace optionally preceded by '=',
# a three-byte sequence \xe2\x80\x80-\x8d, \xe2\x80\xaf or \xe2\x81\x9f
# (the UTF-8 encodings of U+2000-U+200D, U+202F and U+205F), or one of the
# HTML entities &#8192;-&#8205;, &#8239;, &#8287;, &#160;, &#xa0;, &ensp;,
# &emsp;, &nbsp;, &thinsp;.
replace_tag WS (?:=?\s|[\xe2](?:[\x80][\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\xaf]|[\x81][\x9f])|&(?:\#(?:8(?:19[2-9]|20[0-5]|239|287)|160|xa0)|(?:e[nm]|nb|thin)sp);)
# <CUR>: '$' or one of the high bytes \xa5 \xa3 \xa4 \xa2 (yen, pound,
# generic currency sign and cent in ISO-8859-1).
replace_tag CUR [\$\xa5\xa3\xa4\xa2]
# replace_inter defines a pattern that the plugin places between adjacent
# tags of a rule that selects it with <inter NAME>.  SP reuses the same
# class as the <SP> tag above; W1/W2/W3 allow up to one, two or three
# non-word characters between letters.
replace_inter SP [\s\d_*\$\%(),.:;?!}{\[\]|\/?^\#~\xa1`'+-]
replace_inter W1 \W?
replace_inter W2 \W{0,2}
replace_inter W3 \W{0,3}
# replace_post defines a suffix that the plugin appends to each tag of a
# rule that selects it with <post NAME>.  Here the suffix is a quantifier,
# so every letter may repeat: P2 = one or two times, P3 = one to three.
replace_post P2 {1,2}
replace_post P3 {1,3}
###########################################################################
# fuzzy header tests
#
# Each rule matches a keyword in the Subject header with every letter
# written as a tag, and is listed in a replace_rules line so the plugin
# expands the tags.  The leading negative look-ahead names the plain
# spelling; with /i it rejects that spelling in any letter case, so the rule
# only fires on a variant that differs from the normal word.
# No score lines are visible in this file.
#
# Word-bounded on both sides by \b or '_'; no inter/post modifier, so the
# four letters must be adjacent and appear once each.
header SUBJECT_FUZZY_MEDS Subject =~ /(?:\b|_)(?!meds)<M><E><D><S>(?:\b|_)/i
describe SUBJECT_FUZZY_MEDS Attempt to obfuscate words in Subject:
replace_rules SUBJECT_FUZZY_MEDS
# Sub-rule (double-underscore name) that feeds the meta rule below.
header __SUBJECT_FUZZY_VPILL Subject =~ /<inter W2><post P3>(?!viagra)<V><I><A><G><R><A>/i
replace_rules __SUBJECT_FUZZY_VPILL
# Fires only when the Subject sub-rule matches and the body rule FUZZY_VPILL
# (same letter pattern, defined further down in this file) does not.
meta SUBJECT_FUZZY_VPILL __SUBJECT_FUZZY_VPILL && !FUZZY_VPILL
describe SUBJECT_FUZZY_VPILL Attempt to obfuscate words in Subject:
# Ends at a word boundary or with one further <E>-class character.
header SUBJECT_FUZZY_CHEAP Subject =~ /<inter W2><post P3>\b(?!cheap)<C><H><E><A><P>(?:\b|<E>)/i
describe SUBJECT_FUZZY_CHEAP Attempt to obfuscate words in Subject:
replace_rules SUBJECT_FUZZY_CHEAP
# The look-ahead excludes the plain word and also "pen is", "penies",
# "pennys", "penny's" and "penny s" -- presumably false-positive carve-outs.
header SUBJECT_FUZZY_PENIS Subject =~ /<inter W3><post P3>\b(?!pen\s?(?:ie?s|ny[ ']?s))<P><E><N><I><S>\b/i
describe SUBJECT_FUZZY_PENIS Attempt to obfuscate words in Subject:
replace_rules SUBJECT_FUZZY_PENIS
# No word boundaries and no inter modifier: matches the four-letter sequence
# anywhere in the Subject, each letter repeated up to three times.
header SUBJECT_FUZZY_TION Subject =~ /<post P3>(?!tion)<T><I><O><N>/i
describe SUBJECT_FUZZY_TION Attempt to obfuscate words in Subject:
replace_rules SUBJECT_FUZZY_TION
###########################################################################
# fuzzy body tests
#
# Same construction as the header tests, applied to the message body: the
# keyword is spelled with letter tags, a negative look-ahead rejects the
# plain spelling (case-insensitively, because of /i), and replace_rules asks
# the plugin to expand the tags.
#
# Rules that start with <inter Wn> allow up to n non-word characters between
# letters; rules with <post Pn> allow each letter to repeat up to n times.
# Rules with neither require the letter alternatives to be adjacent.
#
# None of the body patterns in this group uses \b, so a match can begin or
# end inside a longer word; combined with the breadth of some letter tags
# this is a place to look when chasing false positives.
body FUZZY_AFFORDABLE /<inter W1><post P2>(?!affordable)<A><F><F><O><R><D><A><B><L><E>/i
describe FUZZY_AFFORDABLE Attempt to obfuscate words in spam
replace_rules FUZZY_AFFORDABLE
# (?<!t) rejects a match preceded by "t"; the look-aheads exclude both
# "ambien" and "ombien".
body FUZZY_AMBIEN /<inter W1><post P2>(?<!t)(?!ambien)(?!ombien)<A><M><B><I><E><N>/i
describe FUZZY_AMBIEN Attempt to obfuscate words in spam
replace_rules FUZZY_AMBIEN
body FUZZY_BILLION /(?!billion)<B><I><L><L><I><O><N>/i
describe FUZZY_BILLION Attempt to obfuscate words in spam
replace_rules FUZZY_BILLION
# Excludes the plain word ending in either s or z.
body FUZZY_CPILL /(?!ciali[sz])<C><I><A><L><I><S>/i
describe FUZZY_CPILL Attempt to obfuscate words in spam
replace_rules FUZZY_CPILL
# Excludes "credit", "kredit" and the same with \xe9 (e-acute in ISO-8859-1)
# for the e.
body FUZZY_CREDIT /<inter W1>(?![ck]r[e\xe9]dit)<C><R><E><D><I><T>/i
describe FUZZY_CREDIT Attempt to obfuscate words in spam
replace_rules FUZZY_CREDIT
body FUZZY_ERECT /<inter W2><post P3>(?!erection)<E><R><E><C><T><I><O><N>/i
describe FUZZY_ERECT Attempt to obfuscate words in spam
replace_rules FUZZY_ERECT
body FUZZY_GUARANTEE /<inter W1><post P2>(?!guarantee)<G><U><A><R><A><N><T><E><E>/i
describe FUZZY_GUARANTEE Attempt to obfuscate words in spam
replace_rules FUZZY_GUARANTEE
# The look-ahead stops at "medicati" + e or o, so it excludes any plain word
# with that prefix.
body FUZZY_MEDICATION /<inter W1><post P2>(?!medicati[eo])<M><E><D><I><C><A><T><I><O><N>/i
describe FUZZY_MEDICATION Attempt to obfuscate words in spam
replace_rules FUZZY_MEDICATION
# Excludes the plain word with one or two l's and with o written as
# \xf3 / \xd3 (o-acute in ISO-8859-1).
body FUZZY_MILLION /(?!milli?[o\xf3\xd3]n)<M><I><L><L><I><O><N>/i
describe FUZZY_MILLION Attempt to obfuscate words in spam
replace_rules FUZZY_MILLION
body FUZZY_MONEY /(?!money)<M><O><N><E><Y>/i
describe FUZZY_MONEY Attempt to obfuscate words in spam
replace_rules FUZZY_MONEY
body FUZZY_MORTGAGE /<inter W1><post P2>(?!mortgage)<M><O><R><T><G><A><G><E>/i
describe FUZZY_MORTGAGE Attempt to obfuscate words in spam
replace_rules FUZZY_MORTGAGE
body FUZZY_OBLIGATION /<inter W1><post P2>(?!obligation)<O><B><L><I><G><A><T><I><O><N>/i
describe FUZZY_OBLIGATION Attempt to obfuscate words in spam
replace_rules FUZZY_OBLIGATION
body FUZZY_OFFERS /(?!offers)<O><F><F><E><R><S>/i
describe FUZZY_OFFERS Attempt to obfuscate words in spam
replace_rules FUZZY_OFFERS
body FUZZY_PHARMACY /<inter W2><post P2>(?!pharmacy)<P><H><A><R><M><A><C><Y>/i
describe FUZZY_PHARMACY Attempt to obfuscate words in spam
replace_rules FUZZY_PHARMACY
body FUZZY_PHENT /<inter W1><post P2>(?!phentermine)<P><H><E><N><T><E><R><M><I><N><E>/i
describe FUZZY_PHENT Attempt to obfuscate words in spam
replace_rules FUZZY_PHENT
body FUZZY_PRESCRIPT /<inter W2><post P2>(?!prescription)<P><R><E><S><C><R><I><P><T><I><O><N>/i
describe FUZZY_PRESCRIPT Attempt to obfuscate words in spam
replace_rules FUZZY_PRESCRIPT
# Remaining body rules; each spells a keyword with letter tags, rejects the
# plain spelling with a negative look-ahead, and is expanded by the plugin
# through its replace_rules line.
#
# The S is deliberately left off the negative look-ahead: (?!price) rejects
# any plain text starting with "price", which covers "prices" as well.
body FUZZY_PRICES /<inter W2><post P2>(?!price)<P><R><I><C><E><S>/i
describe FUZZY_PRICES Attempt to obfuscate words in spam
replace_rules FUZZY_PRICES
body FUZZY_REFINANCE /<inter W2><post P2>(?!refinance)<R><E><F><I><N><A><N><C><E>/i
describe FUZZY_REFINANCE Attempt to obfuscate words in spam
replace_rules FUZZY_REFINANCE
# The rules from here to FUZZY_THOUSANDS use no inter/post modifier and no
# \b: the letter alternatives must be adjacent, once each, and may sit
# inside a longer word.
body FUZZY_REMOVE /(?!remove)<R><E><M><O><V><E>/i
describe FUZZY_REMOVE Attempt to obfuscate words in spam
replace_rules FUZZY_REMOVE
body FUZZY_ROLEX /(?!rolex)<R><O><L><E><X>/i
describe FUZZY_ROLEX Attempt to obfuscate words in spam
replace_rules FUZZY_ROLEX
body FUZZY_SOFTWARE /(?!software)<S><O><F><T><W><A><R><E>/i
describe FUZZY_SOFTWARE Attempt to obfuscate words in spam
replace_rules FUZZY_SOFTWARE
body FUZZY_THOUSANDS /(?!thousands)<T><H><O><U><S><A><N><D><S>/i
describe FUZZY_THOUSANDS Attempt to obfuscate words in spam
replace_rules FUZZY_THOUSANDS
# Besides the plain word, the look-ahead excludes "verifiquem", "volturno"
# and "vollum" -- presumably ordinary words that the broad letter tags would
# otherwise match; confirm before removing any of them.
body FUZZY_VLIUM /<inter W1><post P2>(?!valium|verifiquem|volturno|vollum)<V><A><L><I><U><M>/i
describe FUZZY_VLIUM Attempt to obfuscate words in spam
replace_rules FUZZY_VLIUM
body FUZZY_VIOXX /<inter W1><post P2>(?!vioxx)<V><I><O><X><X>/i
describe FUZZY_VIOXX Attempt to obfuscate words in spam
replace_rules FUZZY_VIOXX
# Body counterpart of __SUBJECT_FUZZY_VPILL; the meta rule
# SUBJECT_FUZZY_VPILL is suppressed whenever this rule matches.
body FUZZY_VPILL /(?!viagra)<V><I><A><G><R><A>/i
describe FUZZY_VPILL Attempt to obfuscate words in spam
replace_rules FUZZY_VPILL
body FUZZY_XPILL /<inter W3><post P2>(?!xanax)<X><A><N><A><X>/i
describe FUZZY_XPILL Attempt to obfuscate words in spam
replace_rules FUZZY_XPILL
endif # Mail::SpamAssassin::Plugin::ReplaceTags