| |
| # Ensure plugin-based rules used for FP avoidance exist |
| # even if the plugin is not loaded, or an older version is loaded |
| # __KAM_BODY_LENGTH_LT_128 |
| # Local alias: mirrors __KAM_BODY_LENGTH_LT_128 only when BodyEval is loaded |
| # AND the loaded version provides has_check_body_length; in every other case |
| # the name is pinned to constant 0 so metas that reference it still evaluate |
| # instead of failing on an undefined rule name. |
| ifplugin Mail::SpamAssassin::Plugin::BodyEval |
| if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) |
| meta __LCL__KAM_BODY_LENGTH_LT_128 __KAM_BODY_LENGTH_LT_128 |
| else |
| # plugin present but too old to offer the body-length check |
| meta __LCL__KAM_BODY_LENGTH_LT_128 0 |
| endif |
| else |
| # plugin not loaded at all |
| meta __LCL__KAM_BODY_LENGTH_LT_128 0 |
| endif |
| |
| # __KAM_BODY_LENGTH_LT_512 |
| # Same shim as for __LCL__KAM_BODY_LENGTH_LT_128: real rule when BodyEval |
| # with has_check_body_length is loaded, constant 0 otherwise. |
| ifplugin Mail::SpamAssassin::Plugin::BodyEval |
| if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) |
| meta __LCL__KAM_BODY_LENGTH_LT_512 __KAM_BODY_LENGTH_LT_512 |
| else |
| meta __LCL__KAM_BODY_LENGTH_LT_512 0 |
| endif |
| else |
| meta __LCL__KAM_BODY_LENGTH_LT_512 0 |
| endif |
| |
| # __KAM_BODY_LENGTH_LT_1024 |
| # Same shim as for __LCL__KAM_BODY_LENGTH_LT_128: real rule when BodyEval |
| # with has_check_body_length is loaded, constant 0 otherwise. |
| ifplugin Mail::SpamAssassin::Plugin::BodyEval |
| if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) |
| meta __LCL__KAM_BODY_LENGTH_LT_1024 __KAM_BODY_LENGTH_LT_1024 |
| else |
| meta __LCL__KAM_BODY_LENGTH_LT_1024 0 |
| endif |
| else |
| meta __LCL__KAM_BODY_LENGTH_LT_1024 0 |
| endif |
| |
| # __ENV_AND_HDR_FROM_MATCH |
| # Local alias for the HeaderEval rule (envelope sender equals header From). |
| # Used later in this file both as a positive signal (FROM_MISSP_EH_MATCH) and |
| # negated as an FP guard (HDRS_MISSP, TO_IN_SUBJ); pinned to 0 without the |
| # plugin so those metas keep evaluating. |
| ifplugin Mail::SpamAssassin::Plugin::HeaderEval |
| meta __LCL__ENV_AND_HDR_FROM_MATCH __ENV_AND_HDR_FROM_MATCH |
| else |
| meta __LCL__ENV_AND_HDR_FROM_MATCH 0 |
| endif |
| |
| # __TVD_SPACE_RATIO |
| # Nothing is defined when BodyEval is loaded: the rule is expected to come |
| # from the plugin itself. Without the plugin the name is pinned to 0. |
| ifplugin Mail::SpamAssassin::Plugin::BodyEval |
| # |
| else |
| meta __TVD_SPACE_RATIO 0 |
| endif |
| |
| |
| |
| # |
| #header REPLYTO_MANY_AT Reply-To =~ /\@.+\@/ |
| #describe REPLYTO_MANY_AT More than one @ in Reply-To: |
| # |
| #header SENDER_MANY_AT Sender =~ /\@.+\@/ |
| #describe SENDER_MANY_AT More than one @ in Sender: |
| # |
| #header FROM_MANY_AT From =~ /\@.+\@/ |
| #describe FROM_MANY_AT More than one @ in From: |
| # |
| |
| # First external relay (anchored with ^ on the synthesized X-Spam-Relays-External |
| # pseudo-header) whose reverse DNS is "localhost" or "localhost.localdomain" |
| # while its IP is outside 127/8; the (?!127) lookahead is what excludes the |
| # loopback block. A non-loopback host presenting a loopback rDNS name is |
| # typically a misconfigured or forged relay. |
| header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i |
| describe RDNS_LOCALHOST Sender's public rDNS is "localhost" |
| |
| #body EU_SPAM_LAW m,Directive 2000/31/EC of the European Parliament,i |
| #describe EU_SPAM_LAW Quoting "European Parliament" spam law |
| |
| # Attachment rules that need the MIMEHeader plugin. The else branch pins every |
| # __ subrule that other metas in this file reference to 0, so those metas |
| # still evaluate when the plugin is absent. |
| ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
| # text/html part whose Content-Type also carries a .htm/.html name, or whose |
| # Content-Disposition filename ends in .htm/.html |
| mimeheader __HTML_ATTACH_01 Content-Type =~ m,\btext/html\b.+\.html?\b,i |
| mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.html?\b,i |
| meta HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02 |
| describe HTML_ATTACH HTML attachment to bypass scanning? |
| |
| # OBFU_*: generic application/octet-stream media type paired with a file |
| # extension that has a well-known type of its own, i.e. the declared MIME |
| # type and the file name disagree. Scores are left to the scoring pass. |
| mimeheader OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.html?\b,i |
| describe OBFU_HTML_ATTACH HTML attachment with non-text MIME type |
| |
| mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i |
| describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type |
| #score OBFU_TEXT_ATTACH 2.5 |
| tflags OBFU_TEXT_ATTACH publish |
| |
| mimeheader OBFU_DOC_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i |
| describe OBFU_DOC_ATTACH MS Document attachment with generic MIME type |
| #score OBFU_DOC_ATTACH 0.25 |
| |
| mimeheader OBFU_PDF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i |
| describe OBFU_PDF_ATTACH PDF attachment with generic MIME type |
| #score OBFU_PDF_ATTACH 0.25 |
| |
| mimeheader OBFU_JPG_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i |
| describe OBFU_JPG_ATTACH JPG attachment with generic MIME type |
| #score OBFU_JPG_ATTACH 1.50 |
| |
| mimeheader OBFU_GIF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i |
| describe OBFU_GIF_ATTACH GIF attachment with generic MIME type |
| #score OBFU_GIF_ATTACH 1.50 |
| |
| # any OBFU_* hit combined with a misspaced From: (__FROM_RUNON is defined |
| # further down in this file) |
| meta OBFU_ATTACH_MISSP __FROM_RUNON && (OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || OBFU_DOC_ATTACH || OBFU_PDF_ATTACH || OBFU_JPG_ATTACH || OBFU_GIF_ATTACH) |
| describe OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From |
| |
| # mimeheader ECMSNGR_MH X-ecm-part-format =~ /./ |
| # describe ECMSNGR_MH eC-Messenger header |
| |
| # Content-Type whose value starts with a parameter separator, i.e. no media |
| # type at all |
| mimeheader __CTYPE_NULL Content-Type =~ /^\s*;/ |
| meta CTYPE_NULL __CTYPE_NULL |
| describe CTYPE_NULL Malformed Content-Type header |
| |
| # zip media type followed by nothing but separators/whitespace up to end of |
| # value: no name= parameter at all |
| mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i |
| meta OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02 |
| describe OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware |
| |
| # NOTE(review): __PDF_ATTACH is defined a second time, as a meta, in the later |
| # MIMEHeader block of this file (its 0 pin in the else branch below is |
| # duplicated there too). Only one definition of a rule name can take effect, |
| # so the two should be consolidated. |
| mimeheader __PDF_ATTACH Content-Type =~ m,\bapplication/pdf\b,i |
| |
| # quoted name= value containing no dot, i.e. an attachment name without an |
| # extension; values beginning with =? (encoded-word prefix) are skipped |
| mimeheader __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i |
| # __DOC_ATTACH_MT is defined in the later MIMEHeader block of this file |
| meta DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH || __DOC_ATTACH_MT) |
| describe DOC_ATTACH_NO_EXT Document attachment with suspicious name |
| |
| # zip media type anywhere in the value (name parameter may or may not follow) |
| mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i |
| else |
| # plugin absent: pin the subrules referenced by metas elsewhere |
| meta __HTML_ATTACH_01 0 |
| meta __HTML_ATTACH_02 0 |
| meta __CTYPE_NULL 0 |
| meta __ZIP_ATTACH_NOFN 0 |
| meta __PDF_ATTACH 0 |
| meta __ATTACH_NAME_NO_EXT 0 |
| meta __ZIP_ATTACH_MT 0 |
| endif |
| |
| # general case of spample observation |
| #header MUA_ONE_WORD X-Mailer =~ /^[A-Za-z][a-z]*$/ |
| #describe MUA_ONE_WORD Single word X-Mailer: not CamelCase |
| |
| # Generic "Dear Email User" / "Attention Webmail account User" salutation at |
| # the start of a body line: the sender does not know the recipient's name, |
| # a common lead-in for credential phishing. |
| body DEAR_EMAIL_USER /^\s?(?:Dear\s|Attention:?\s?)(?:E|Web)-?mail\s(?:account\s)?User\b/i |
| describe DEAR_EMAIL_USER Dear Email User: |
| #score DEAR_EMAIL_USER 3.0 |
| |
| |
| # from users list spamples 8/2009 |
| # scheme, then two or more all-numeric labels, then a two-letter TLD and the |
| # path slash (so "1.2.example.de/" style hosts, not bare IP addresses) |
| uri URI_NUMERIC_CCTLD m;^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/;i |
| describe URI_NUMERIC_CCTLD CCTLD URI with multiple numeric subdomains |
| |
| # various MUAs |
| # X-Mailer is exactly "PHP" (no version string) vs. a PHPMailer banner |
| header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/ |
| header __PHPMAILER_MUA X-Mailer =~ /^PHPMailer\b/ |
| |
| # The two branches differ only by the !__DKIM_DEPENDABLE guard, which can |
| # only be referenced when the DKIM plugin is loaded. |
| ifplugin Mail::SpamAssassin::Plugin::DKIM |
| meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH |
| else |
| meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH |
| endif |
| describe PHP_NOVER_MUA Mail from PHP with no version number |
| score PHP_NOVER_MUA 3.000 # limit |
| tflags PHP_NOVER_MUA publish |
| |
| |
| # From should have whitespace between the comment and the address |
| # Better S/O, good enough for standalone rule |
| # quoted display name immediately followed by the "<" of the angle-addr |
| header __FROM_MISSPACED From =~ /^\s*"[^"]*"</ |
| |
| # legit mailers known to misspace from |
| header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/ |
| header __XEROXWORKCTR_MUA X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/ |
| header __AMADEUSMS_MUA X-Mailer =~ /^Amadeus Messaging Server/ |
| header __FLASHMAIL_MUA X-Mailer =~ /^NetEase Flash Mail \d/ |
| |
| |
| # meta with some stuff to reduce FPs |
| # Each negated term is an indicator of legitimate mail (list unsubscribe |
| # links, multipart/alternative, the MUAs listed above, ...); the rule only |
| # fires when none of them is present. |
| meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA |
| describe FROM_MISSPACED From: missing whitespace |
| score FROM_MISSPACED 2.00 |
| |
| # Encrypted mail provider unable to properly format their headers (as of 07/2011) |
| # matched on the untrusted relay list so it can be used as an FP exclusion |
| header __RCVD_ZIXMAIL X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net / |
| |
| # Poorer S/O than FROM_MISSPACED but better performance in metas |
| # any non-space run butted directly against "<"; the :raw variant looks at |
| # the undecoded header and uses a lookbehind so that the "?=" terminator of |
| # an encoded-word does not count as the run-on |
| header __FROM_RUNON From =~ /\S+<\w+/ |
| header __FROM_RUNON_UNCODED From:raw =~ /\S+(?<!\?=)<\w+/ |
| |
| ifplugin Mail::SpamAssassin::Plugin::SPF |
| #meta FROM_MISSP_SPF_FAIL1 (__FROM_RUNON && !SPF_PASS) |
| #tflags FROM_MISSP_SPF_FAIL1 net |
| # misspaced From: together with a hard SPF failure; tflags net because SPF |
| # evaluation needs DNS |
| meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL) |
| tflags FROM_MISSP_SPF_FAIL net |
| score FROM_MISSP_SPF_FAIL 2.00 # limit |
| endif |
| |
| # misspaced raw From: whose address also matches the envelope sender |
| # (__LCL__ENV_AND_HDR_FROM_MATCH is the plugin-guarded alias defined at the |
| # top of this file); the negated terms are FP exclusions |
| meta __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __LCL__ENV_AND_HDR_FROM_MATCH |
| meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA |
| describe FROM_MISSP_EH_MATCH From misspaced, matches envelope |
| score FROM_MISSP_EH_MATCH 2.00 # max |
| |
| # most hits > 10 points already |
| #meta __FROM_MISSP_URI __FROM_RUNON_UNCODED && __HAS_ANY_URI |
| #meta FROM_MISSP_URI __FROM_MISSP_URI && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !MISSING_MIMEOLE && !__REPTO_QUOTE && !__UNSUB_LINK && !__MSGID_OK_HEX && !__MAIL_LINK && !__MIME_QP && !__BUGGED_IMG && !MIME_BASE64_TEXT && !__CTYPE_MULTIPART_ALT && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__THREADED && !__TAG_EXISTS_META |
| #describe FROM_MISSP_URI From misspaced, has URI |
| #score FROM_MISSP_URI 2.00 # max |
| |
| # misspaced From: plus a Received: line claiming delivery from "User" |
| meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER) |
| describe FROM_MISSP_USER From misspaced, from "User" |
| |
| # all hits > 10 points already |
| #meta FROM_MISSP_NO_TO (__FROM_RUNON && MISSING_HEADERS) |
| #describe FROM_MISSP_NO_TO From misspaced, To missing |
| |
| # misspaced From: plus an "undisclosed recipients" style To: |
| meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED) |
| describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed |
| |
| # misspaced raw From: on a message whose DKIM signature is dependable; |
| # tflags net because DKIM verification needs DNS. Without the plugin the |
| # subrule is pinned to 0 (FROM_MISSP_DKIM itself is not defined then). |
| ifplugin Mail::SpamAssassin::Plugin::DKIM |
| meta __FROM_MISSP_DKIM (__FROM_RUNON_UNCODED && __DKIM_DEPENDABLE) |
| tflags __FROM_MISSP_DKIM net |
| meta FROM_MISSP_DKIM __FROM_MISSP_DKIM && !__CTYPE_MULTIPART_ALT && !__MIME_QP && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__MIME_BASE64 && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA |
| describe FROM_MISSP_DKIM From misspaced, DKIM dependable |
| else |
| meta __FROM_MISSP_DKIM 0 |
| endif |
| |
| # misspaced From: plus a Reply-To: header, with the usual FP exclusions |
| meta __FROM_MISSP_REPLYTO __FROM_RUNON && __REPLYTO_EXISTS |
| meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY |
| describe FROM_MISSP_REPLYTO From misspaced, has Reply-To |
| |
| ## To the same |
| #header TO_MISSPACED To =~ /^\s*"[^"]*"</ |
| #describe TO_MISSPACED To: missing whitespace |
| #score TO_MISSPACED 0.25 |
| |
| # misspaced From: from (or replying to) a freemail provider; needs the |
| # FreeMail plugin for FREEMAIL_FROM / FREEMAIL_REPLYTO, subrule pinned to 0 |
| # without it |
| ifplugin Mail::SpamAssassin::Plugin::FreeMail |
| meta __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO) |
| meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA |
| describe FROM_MISSP_FREEMAIL From misspaced + freemail provider |
| #score FROM_MISSP_FREEMAIL 2.0 |
| else |
| meta __FROM_MISSP_FREEMAIL 0 |
| endif |
| |
| # misspaced From: on mail claiming an Outlook MUA or MS MimeOLE, which do |
| # not produce that formatting themselves |
| meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS) |
| describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool |
| #score FROM_MISSP_MSFT 3.5 |
| |
| # misspaced From: sent from a host with dynamic-looking rDNS |
| meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC |
| describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS |
| #score FROM_MISSP_DYNIP 2.0 |
| |
| |
| # observed in spam 8/2009 |
| # X-Mailer: and Organization: carry the identical value, in either order. |
| # NOTE(review): these scan the whole header block with ".*" under /s, whereas |
| # the To/From comparisons later in this file bound the gap with |
| # "(?:[^\n]{1,100}\n)*"; consider the bounded form here too. |
| header __MUA_EQ_ORG_1 ALL =~ /\nX-Mailer: ([^\n]+)\n.*Organization: \1\n/ism |
| header __MUA_EQ_ORG_2 ALL =~ /\nOrganization: ([^\n]+)\n.*X-Mailer: \1\n/ism |
| meta MAILER_EQ_ORG __MUA_EQ_ORG_1 || __MUA_EQ_ORG_2 |
| describe MAILER_EQ_ORG X-Mailer: same as Organization: |
| #tflags MAILER_EQ_ORG publish |
| |
| # From: display name equal to Organization:; the consuming meta is commented |
| # out, so these two subrules currently have no user in this file |
| header __FROM_EQ_ORG_1 ALL =~ /\nFrom: "?([^\n]+)"? <[^>]+>\n.*Organization: \1\n/ism |
| header __FROM_EQ_ORG_2 ALL =~ /\nOrganization: ([^\n]+)\n.*From: "?\1"?/ism |
| #meta FROM_EQ_ORG __FROM_EQ_ORG_1 || __FROM_EQ_ORG_2 |
| #describe FROM_EQ_ORG From: same as Organization: |
| #tflags FROM_EQ_ORG publish |
| |
| |
| # observed in UCE 9/2009 |
| #header __HDRS_LCASE ALL =~ /\n(?:Reply-to|Message-id|Content-type|X-MSMail-priority|from|subject|to|Disposition-notification-to):/sm |
| # Header names written in non-canonical capitalization (no /i, so the case |
| # is literal). Counted up to 3 times so the >1 / >2 metas below can grade |
| # how many headers are affected. |
| header __HDRS_LCASE ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm |
| tflags __HDRS_LCASE multiple maxhits=3 |
| |
| # __MSGID_APPLEMAIL is uppercase-only GUID message_id. This may be redundant. |
| # strict 8-4-4-4-12 hex GUID local part vs. a looser uppercase alnum shape |
| # with 3-4 / 11-12 character groups; "fake" is the loose shape that fails |
| # the strict one |
| header __MSGID_GUID Message-ID =~ /^<?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\@/i |
| header __MSGID_GUID_LOOSE Message-ID =~ /^<?[0-9A-Z]{8}-(?:[0-9A-Z]{3,4}-){3}[0-9A-Z]{11,12}\@/ |
| meta __MSGID_GUID_FAKE __MSGID_GUID_LOOSE && !__MSGID_GUID |
| # It would be nice if somebody could identify the MUA/MTA that generates this: |
| header __MSGID_HEX_UID Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/ |
| # It would be nice if somebody could identify the MUA/MTA that generates this: |
| header __MSGID_HEXISH Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/ |
| |
| # MUAs and MTAs known or suspected to do this |
| header __UA_MSOMAC User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/ |
| # allowlist of software known to emit oddly-cased header names; used to |
| # exclude them from the HDRS_LCASE family (some members are defined outside |
| # this file) |
| meta __HDRS_LCASE_KNOWN __MSGID_JAVAMAIL || __UA_MSOEMAC || __UA_MSOMAC || __MSGID_APPLEMAIL || __MSGID_HEX_UID || __MSGID_HEXISH |
| |
| # HDRS_LCASE: oddly-cased header names minus a long list of legitimate-mail |
| # indicators. The FreeMail branch adds only !__freemail_safe; the two |
| # branches are otherwise identical (same for MANY_HDRS_LCASE below). |
| ifplugin Mail::SpamAssassin::Plugin::FreeMail |
| meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO |
| else |
| meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO |
| endif |
| describe HDRS_LCASE Odd capitalization of message header |
| score HDRS_LCASE 0.10 # limit |
| # hit counts come from "tflags __HDRS_LCASE multiple maxhits=3"; >2 therefore |
| # means the cap was reached. __TOOMANY_HDRS_LCASE has no consumer in this file. |
| meta __MANY_HDRS_LCASE __HDRS_LCASE > 1 |
| meta __TOOMANY_HDRS_LCASE __HDRS_LCASE > 2 |
| ifplugin Mail::SpamAssassin::Plugin::FreeMail |
| meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE |
| else |
| meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE |
| endif |
| describe MANY_HDRS_LCASE Odd capitalization of multiple message headers |
| score MANY_HDRS_LCASE 0.10 # limit |
| |
| # Some metas that appear to perform well in masscheck |
| #meta __HDRS_LCASE_1K __HDRS_LCASE && __SINGLE_HEADER_1K |
| #meta HDRS_LCASE_1K __HDRS_LCASE_1K && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__MIME_QP && !__BUGGED_IMG && !__BOUNCE_RPATH_NULL && !__NOT_SPOOFED && !__DKIM_EXISTS && !__RDNS_NONE |
| #describe HDRS_LCASE_1K Odd capitalization of message headers + long header |
| #score HDRS_LCASE_1K 0.50 # limit |
| # oddly-cased headers on an image-only HTML message |
| meta HDRS_LCASE_IMGONLY __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN |
| describe HDRS_LCASE_IMGONLY Odd capitalization of message headers + image-only HTML |
| score HDRS_LCASE_IMGONLY 0.10 # limit |
| |
| |
| |
| |
| # observed in UCE from India, 9/2009 |
| # read-receipt request header containing an empty angle-addr "<>" |
| header MDN_BOTCHED Disposition-notification-to =~ /<>/ |
| describe MDN_BOTCHED Malformed return receipt header |
| |
| # observed in spam 9/2009 |
| # Subject:/From:/To: with no whitespace after the colon (header-name case is |
| # ignored because of /i); excluded when the message looks legitimately |
| # authenticated (DKIM, envelope/header match, ...) |
| header __HDRS_MISSP ALL =~ /\n(?:Subject|From|To):\S/ism |
| meta HDRS_MISSP __HDRS_MISSP && !__TAG_EXISTS_HEAD && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH |
| describe HDRS_MISSP Misspaced headers |
| score HDRS_MISSP 2.000 # limit |
| |
| # literal placeholder boundary string left in by a spam tool |
| header SPAMMY_MIME_BDRY_01 Content-Type =~ /boundary="\@\@BOUNDARY"/ |
| describe SPAMMY_MIME_BDRY_01 Spammy MIME boundary string |
| #score SPAMMY_MIME_BDRY_01 0.10 |
| |
| # testing |
| # eight or more dashes followed by sixteen digits none of which is 0; the |
| # "NO_Z" name suggests a genuine Thunderbird boundary would contain a zero |
| # (presumably - verify against real samples) |
| header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/ |
| meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z |
| describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary |
| |
| # too dangerous even if it has a good S/O and hits >20% of spam in masschecks |
| #meta TBIRD_SPOOF __MUA_TBIRD && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__THREADED && !__VIA_ML && !__NOT_SPOOFED && !__HAS_SENDER && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__RP_MATCHES_RCVD && !ALL_TRUSTED && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL_MESSY && !__MIME_BASE64 && !__S25R_1 |
| #describe TBIRD_SPOOF Claims Thunderbird mail client but looks suspicious |
| #score TBIRD_SPOOF 2.00 # limit |
| |
| # seen in a few HTML fraud spams |
| # NOTE(review): the character after the backslash appears to be a literal |
| # (invisible) U+00AD soft hyphen, so the rule needs three of them in a row. |
| # Writing it as an escape such as \xAD would make the intent visible and |
| # independent of the file's encoding - confirm before changing. |
| rawbody RUNON_SHY /(?:\­){3}/i |
| describe RUNON_SHY Repeating soft hyphens |
| #score RUNON_SHY 0.1 |
| tflags RUNON_SHY nopublish |
| |
| # Seen all too often |
| # To: contains a documentation/placeholder domain (example.com, your.domain, |
| # ...) that a real recipient list would never hold |
| header LAZY_LISTWASHING To =~ /\@(?:example\.com|example\.domain|your\.domain|some\.domain|domain\.dom|somewhere\.tld|somewhere\.com|your\.?domain\.com|your\.favorite\.machine)\b/i |
| describe LAZY_LISTWASHING Lazy spammer, painfully obvious bogus addresses |
| #score LAZY_LISTWASHING 0.25 |
| |
| # Little to work with |
| # "please review the attached ..." / "download the attachment" body phrases, |
| # used below in combination with freemail and empty-body signals |
| body __PLS_REVIEW /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i |
| body __DLND_ATTACH /\bdownload\sthe\sattach(?:ed|ment)\b/i |
| |
| # Word/RTF and PDF attachment detection by media type or by file name in |
| # either Content-Type or Content-Disposition; all subrules pinned to 0 |
| # without the MIMEHeader plugin. |
| ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
| mimeheader __DOC_ATTACH_MT Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i |
| mimeheader __DOC_ATTACH_FN1 Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i |
| mimeheader __DOC_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i |
| meta __DOC_ATTACH (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2) |
| mimeheader __PDF_ATTACH_MT Content-Type =~ m,\bapplication/pdf\b,i |
| mimeheader __PDF_ATTACH_FN1 Content-Type =~ /="[^"]+\.pdf"/i |
| mimeheader __PDF_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.pdf"/i |
| # NOTE(review): __PDF_ATTACH is also defined as a mimeheader rule (same regex |
| # as __PDF_ATTACH_MT) in the earlier MIMEHeader block of this file, and its |
| # 0 pin is duplicated there too. Only one definition of a rule name can take |
| # effect; keep this meta and drop the earlier one, or vice versa. |
| meta __PDF_ATTACH (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2) |
| |
| # observed in 419 spam |
| # two size= parameters in one Content-Disposition value |
| mimeheader CDISP_SZ_MANY Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/ |
| describe CDISP_SZ_MANY Suspicious MIME header |
| score CDISP_SZ_MANY 2.0 # limit |
| else |
| meta __DOC_ATTACH_MT 0 |
| meta __DOC_ATTACH_FN1 0 |
| meta __DOC_ATTACH_FN2 0 |
| meta __DOC_ATTACH 0 |
| meta __PDF_ATTACH_MT 0 |
| meta __PDF_ATTACH_FN1 0 |
| meta __PDF_ATTACH_FN2 0 |
| meta __PDF_ATTACH 0 |
| endif |
| |
| # Document/PDF attachment sent from or replying to a freemail address. |
| # FREEMAIL_DOC_PDF is a plain alias of the subrule so it can carry a score |
| # and description of its own. No else-branch pin: nothing outside this |
| # block references __FREEMAIL_DOC_PDF. |
| ifplugin Mail::SpamAssassin::Plugin::FreeMail |
| meta __FREEMAIL_DOC_PDF (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) |
| meta FREEMAIL_DOC_PDF __FREEMAIL_DOC_PDF |
| describe FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail |
| |
| # ... and every recipient hidden (undisclosed-recipients To:) |
| meta FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED |
| describe FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden |
| |
| # ... with a "please review the attached" body phrase |
| meta FREEMAIL_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF |
| describe FREEMAIL_RVW_ATTCH Please review attached document, from freemail |
| endif |
| |
| # "please review the attached" with an otherwise empty body |
| # (__EMPTY_BODY is defined outside this file) |
| meta EMPTY_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __EMPTY_BODY |
| describe EMPTY_RVW_ATTCH Please review attached document, empty message |
| |
| # Unsubscribe-style phrasing ("stop receiving these emails", "remove me from |
| # future mailings", ...) worded the way spam footers do it; the negative |
| # lookaheads carve out the legitimate wordings. |
| # FIXME: "(?:a-z{1,30} ){0,4}" has no character class around a-z, so it |
| # matches a literal "a-" followed by 1-30 "z" characters rather than an |
| # arbitrary word; "(?:[a-z]{1,30} ){0,4}" looks intended. The score below |
| # was presumably tuned against the current pattern, so re-run masscheck |
| # before changing it. |
| body __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:a-z{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i |
| # the DKIM branch additionally exempts signed / dependably-signed messages |
| ifplugin Mail::SpamAssassin::Plugin::DKIM |
| meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED |
| else |
| meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER |
| endif |
| describe END_FUTURE_EMAILS Spammy unsubscribe |
| score END_FUTURE_EMAILS 2.500 # limit |
| |
| |
| # "complaints about this ad" footer text (the "ad+" also catches "add") |
| body AD_COMPLAINTS /\bcomplaints about this ad+\b/i |
| describe AD_COMPLAINTS Complain about this spam |
| |
| # observed in bank phishing 09/2009 |
| #rawbody MISQ_HTML /<\w{2,20}[^>=]{1,30}=[^"][^">]{1,30}[^=]"[\s>]/ |
| #describe MISQ_HTML Unbalanced quotes in HTML tag |
| #tflags MISQ_HTML nopublish |
| |
| # observed in bank phishing 09/2009 |
| # image hot-linked from a wikipedia.org / wikimedia.org host, a cheap way for |
| # a phishing page to get logos without hosting them |
| uri WIKI_IMG m,^https?://[^/]+wiki[mp]edia\.org/.+\.(?:png|gif|jpe?g),i |
| describe WIKI_IMG Image from wikipedia |
| |
| # observed in spam 09/2009 |
| # Subject starting with "RE::" (doubled colon) |
| header SUBJ_RE_CLNCLN Subject =~ /^\s*RE::/ |
| describe SUBJ_RE_CLNCLN Subject RE:: |
| |
| # observed in spam 02/2011 |
| # doubled semicolon inside To: |
| header TO_SEM_SEM To =~ /;;/ |
| describe TO_SEM_SEM To has ";;" |
| tflags TO_SEM_SEM nopublish |
| |
| # http(s) URI whose host has at least six dot-separated labels |
| uri __MANY_SUBDOM m;^https?://(?:[^\./]{1,30}\.){6};i |
| meta MANY_SUBDOM __MANY_SUBDOM && !__JM_REACTOR_DATE && !__UNSUB_LINK && !__VIA_ML && !NO_RELAYS && !__UPPERCASE_URI && !__MIME_QP |
| describe MANY_SUBDOM Lots and lots of subdomain parts in a URI |
| |
| # by request of Benny Pedersen <me@junc.org> on the users list 10/9/2009 |
| #meta RFC_ABUSE_POST (__DNS_FROM_RFC_ABUSE && __DNS_FROM_RFC_POST) |
| #describe RFC_ABUSE_POST Both abuse and postmaster missing on sender domain |
| #score RFC_ABUSE_POST 0.01 |
| #tflags RFC_ABUSE_POST net |
| |
| # Skype click-to-call wording; note this rule has no describe line, unlike |
| # the other scored rules in this file |
| body CALL_SKYPE /\bCall this phone number [\w\s]{0,30}with Skype\b/ |
| |
| # <SPAN> tags shouldn't appear in the midst of text |
| # opening <span> preceded by two letters / closing </span> followed by three |
| # letters, each counted up to 5 times; ">4" in the meta therefore means the |
| # maxhits cap was reached on both |
| rawbody __SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/ |
| tflags __SPAN_BEG_TEXT multiple maxhits=5 |
| rawbody __SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/ |
| tflags __SPAN_END_TEXT multiple maxhits=5 |
| meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4) |
| meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML |
| describe MANY_SPAN_IN_TEXT Many <SPAN> tags embedded within text |
| tflags MANY_SPAN_IN_TEXT publish |
| #score MANY_SPAN_IN_TEXT 2.50 |
| |
| #uri __FEEDPROXY_URI m;http://feedproxy\.google\.com/;i |
| #rawbody __FEEDPROXY m;http://feedproxy\.google\.com/;i |
| #tflags __FEEDPROXY multiple maxhits=5 |
| #meta MANY_GOOG_PROXY __FEEDPROXY > 4 |
| #describe MANY_GOOG_PROXY Many Google feedproxy URIs |
| |
| # inline style attribute combining a single-digit px font size with a |
| # left/right float (both must be present: the outer group repeats twice and |
| # the inner lookahead stops the same property counting twice) - text hidden |
| # from the reader but visible to filters |
| rawbody TINY_FLOAT /\bstyle\s*=\s*"[^"]{0,40}?(?:(?:FONT-SIZE\s*:\s+\dpx|FLOAT\s*:\s+(?:right|left))(?:;\s+)?(?:(?!(?:FONT-SIZE|FLOAT))\w+:\s+\w+;?\s*)*){2}/i |
| describe TINY_FLOAT Has small-font floating HTML - text obfuscation? |
| #score TINY_FLOAT 2.00 |
| |
| |
| # endless requests on the users list... |
| # From: and To: hold the same address, in either header order. The address is |
| # captured as \1 and the intervening headers are bounded by |
| # "(?:[^\n]{1,100}\n)*" so the backreference search cannot run away. |
| header __TO_EQ_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism |
| header __TO_EQ_FROM_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism |
| meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2) |
| describe __TO_EQ_FROM To: same as From: |
| #tflags __TO_EQ_FROM publish |
| |
| # Suggested by Hans-Werner Friedemann on users list 09/30/2010 |
| # From: address repeated in Subject:, combined with To == From |
| header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,\s\n]/ism |
| meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) |
| describe FROM_IN_TO_AND_SUBJ From address is in To and Subject |
| tflags FROM_IN_TO_AND_SUBJ publish |
| |
| # Recipient address repeated in Subject:, taken from To:, from the |
| # "for <addr>" clause of a Received: line, or (_3) the other way round: an |
| # address in Subject: that then appears in To: |
| header __SUBJ_HAS_TO_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism |
| header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism |
| header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism |
| meta __TO_IN_SUBJ (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3) |
| meta TO_IN_SUBJ __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW |
| describe TO_IN_SUBJ To address is in Subject |
| tflags TO_IN_SUBJ publish |
| score TO_IN_SUBJ 0.1 |
| |
| # To == From combined with other weak spam signals; each pair is a __ subrule |
| # (for masscheck) plus a published meta with FP exclusions |
| meta __TO_EQ_FM_HTML_ONLY __TO_EQ_FROM && MIME_HTML_ONLY |
| meta TO_EQ_FM_HTML_ONLY __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTER |
| describe TO_EQ_FM_HTML_ONLY To == From and HTML only |
| #tflags TO_EQ_FM_HTML_ONLY publish |
| |
| meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX |
| meta TO_EQ_FM_DIRECT_MX __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH |
| describe TO_EQ_FM_DIRECT_MX To == From and direct-to-MX |
| #tflags TO_EQ_FM_DIRECT_MX publish |
| |
| # Why __HUSH_HUSH hits ham on this in masscheck I don't know. Legit bank emails maybe? |
| meta __TO_EQ_FM_HTML_DIRECT __TO_EQ_FM_DIRECT_MX && MIME_HTML_ONLY |
| meta TO_EQ_FM_HTML_DIRECT __TO_EQ_FM_HTML_DIRECT && !__HUSH_HUSH |
| describe TO_EQ_FM_HTML_DIRECT To == From and HTML only, direct-to-MX |
| #tflags TO_EQ_FM_HTML_DIRECT publish |
| |
| # To == From on a message failing SPF; tflags net because SPF needs DNS. |
| # Subrule pinned to 0 without the plugin. |
| ifplugin Mail::SpamAssassin::Plugin::SPF |
| meta __TO_EQ_FM_SPF_FAIL __TO_EQ_FROM && SPF_FAIL |
| tflags __TO_EQ_FM_SPF_FAIL net |
| meta TO_EQ_FM_SPF_FAIL __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED |
| describe TO_EQ_FM_SPF_FAIL To == From and external SPF failed |
| tflags TO_EQ_FM_SPF_FAIL net |
| else |
| meta __TO_EQ_FM_SPF_FAIL 0 |
| endif |
| |
| # Paul Stead on SA list 11/2014 |
| # possessive quantifiers (++) are not supported by perl 5.8.x, so the whole |
| # group is gated on perl >= 5.10. There is no else branch: on older perl |
| # these names simply do not exist (nothing outside this block uses them). |
| if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) |
| # display name of From: is the To: address while the actual From: address |
| # differs - the classic "spoof the recipient's own address" pattern |
| header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism |
| header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism |
| |
| meta PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) |
| describe PDS_TO_EQ_FROM_NAME From: name same as To: address |
| |
| # From: display name is itself an email address that differs from the real |
| # angle-addr; PDS_FROM_2_EMAILS has no describe line |
| header __PDS_FROM_2_EMAILS From =~ /^\W+([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i |
| meta PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__CLICK_HERE && !__BUGGED_IMG && !__RP_MATCHES_RCVD |
| endif |
| |
| # URI pointing at a file under a WordPress wp-includes/pomo/ directory that is |
| # not one of the five files normally found there; no consumer in this file |
| uri __PDS_LOC_WP_POMO m;/wp-includes/pomo/(?!(?:entry|po|mo|streams|translations)\.php).*;i |
| |
| |
| # all-numeric local parts on both From: and To: (used below as an FP guard) |
| header __FROM_ALL_NUMS From:addr =~ /^\d+@/ |
| header __TO_ALL_NUMS To:addr =~ /^\d+@/ |
| meta __FM_TO_ALL_NUMS __FROM_ALL_NUMS && __TO_ALL_NUMS |
| |
| # From: and To: share the same domain (captured after "@"), in either header |
| # order, with the same bounded header gap as __TO_EQ_FROM |
| header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+[^\n]+@\1[>,\s\n]/ism |
| header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+[^\n]+@\1[>,\s\n]/ism |
| meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2) |
| describe __TO_EQ_FROM_DOM To: domain same as From: domain |
| |
| # same-domain plus HTML-only / HTML image link, each with FP exclusions |
| meta __TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FROM_DOM && MIME_HTML_ONLY |
| meta TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FM_DOM_HTML_ONLY && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__FM_TO_ALL_NUMS && !__FROM_LOWER && !__HAS_IN_REPLY_TO && !__BUGGED_IMG && !__FROM_ENCODED_QP && !__MSGID_OK_HEX |
| describe TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only |
| |
| meta __TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE |
| meta TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD |
| describe TO_EQ_FM_DOM_HTML_IMG To domain == From domain and HTML image link |
| |
| # same-domain From/To on a message failing SPF; tflags net because SPF needs |
| # DNS. Subrule pinned to 0 without the plugin. |
| ifplugin Mail::SpamAssassin::Plugin::SPF |
| meta __TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FROM_DOM && SPF_FAIL |
| tflags __TO_EQ_FM_DOM_SPF_FAIL net |
| meta TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED |
| describe TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed |
| tflags TO_EQ_FM_DOM_SPF_FAIL net |
| else |
| meta __TO_EQ_FM_DOM_SPF_FAIL 0 |
| endif |
| |
| |
| # Evaluate ReturnPath and blacklist collisions |
| # Each __ rule records a sender that is on a ReturnPath allowlist AND on one |
| # of the DNS blocklists at the same time. They are "net nopublish": DNS |
| # dependent and never shipped, presumably kept only for masscheck statistics; |
| # nothing in this file consumes them. |
| meta __RP_SAFE_BRBL RCVD_IN_RP_SAFE && RCVD_IN_BRBL_LASTEXT |
| meta __RP_CERTIFIED_BRBL RCVD_IN_RP_CERTIFIED && RCVD_IN_BRBL_LASTEXT |
| tflags __RP_SAFE_BRBL net nopublish |
| tflags __RP_CERTIFIED_BRBL net nopublish |
| meta __RP_SAFE_ZEN RCVD_IN_RP_SAFE && __RCVD_IN_ZEN |
| meta __RP_CERTIFIED_ZEN RCVD_IN_RP_CERTIFIED && __RCVD_IN_ZEN |
| tflags __RP_SAFE_ZEN net nopublish |
| tflags __RP_CERTIFIED_ZEN net nopublish |
| meta __RP_SAFE_SORBS RCVD_IN_RP_SAFE && __RCVD_IN_SORBS |
| meta __RP_CERTIFIED_SORBS RCVD_IN_RP_CERTIFIED && __RCVD_IN_SORBS |
| tflags __RP_SAFE_SORBS net nopublish |
| tflags __RP_CERTIFIED_SORBS net nopublish |
| meta __RP_SAFE_XBL RCVD_IN_RP_SAFE && RCVD_IN_XBL |
| meta __RP_CERTIFIED_XBL RCVD_IN_RP_CERTIFIED && RCVD_IN_XBL |
| tflags __RP_SAFE_XBL net nopublish |
| tflags __RP_CERTIFIED_XBL net nopublish |
| meta __RP_SAFE_PSBL RCVD_IN_RP_SAFE && RCVD_IN_PSBL |
| meta __RP_CERTIFIED_PSBL RCVD_IN_RP_CERTIFIED && RCVD_IN_PSBL |
| tflags __RP_SAFE_PSBL net nopublish |
| tflags __RP_CERTIFIED_PSBL net nopublish |
| #meta __RP_SAFE_ANBREP_L3 RCVD_IN_RP_SAFE && RCVD_IN_ANBREP_L3 |
| #meta __RP_CERTIFIED_ANBREP_L3 RCVD_IN_RP_CERTIFIED && RCVD_IN_ANBREP_L3 |
| #tflags __RP_SAFE_ANBREP_L3 net nopublish |
| #tflags __RP_CERTIFIED_ANBREP_L3 net nopublish |
| |
| # a URI in the From comment text, to bypass URIBL checks |
| # simplistic URI format for now |
| # _1: "www" + host + TLD somewhere before the quote or angle bracket that |
| # starts the real address; _2: an explicit http:// URI anywhere in From: |
| header __FROM_URI_1 From =~ /[^\@]www[.\s][^\s"<\@]+[.\s](?:com|net|info|biz|org|\w\w)\b.*["<]/i |
| header __FROM_URI_2 From =~ m;http://(?:[^.\s]+\.){1,3}(?:com|net|info|biz|org|\w\w)\b;i |
| meta FROM_URI __FROM_URI_1 || __FROM_URI_2 |
| describe FROM_URI URI or www. in From |
| |
| # observed in spam feb 2010 |
| # Apparently-To per RFC2821 SHOULD NOT be used |
| # Counted up to 21 times, so ">0" means at least one such header and ">20" |
| # means the cap was reached (21 or more). |
| header __APPARENTLY_TO Apparently-To =~ /<.*>/ |
| tflags __APPARENTLY_TO multiple maxhits=21 nopublish |
| meta HAS_APPARENTLY_TO __APPARENTLY_TO > 0 |
| describe HAS_APPARENTLY_TO Has deprecated Apparently-To header |
| #score HAS_APPARENTLY_TO 0.50 |
| tflags HAS_APPARENTLY_TO nopublish |
| meta MANY_APPARENTLY_TO __APPARENTLY_TO > 20 |
| describe MANY_APPARENTLY_TO Has many Apparently-To headers |
| #score MANY_APPARENTLY_TO 2.00 |
| tflags MANY_APPARENTLY_TO nopublish |
| |
| # obfuscation of "opt out" |
| # <O>, <P>, <T>, <U> are ReplaceTags character-class tags (their replace_tag |
| # definitions live outside this file); the lookahead excludes the plainly |
| # spelled "opt out"/"opt-out" so only obfuscated spellings hit |
| ifplugin Mail::SpamAssassin::Plugin::ReplaceTags |
| body FUZZY_OPTOUT /\b(?!opt.?out)<O><P><T>.?<O><U><T>\b/i |
| replace_rules FUZZY_OPTOUT |
| describe FUZZY_OPTOUT Obfuscated opt-out text |
| endif |
| |
| # stock spam disclaimer obfuscation |
| # body GAPPY_TRADING /\b(?!trading)t[^a-z\s]?r[^a-z\s]?a[^a-z\s]?d[^a-z\s]?i[^a-z\s]?n[^a-z\s]?g/i |
| # body GAPPY_SECURITIES /\b(?!securities)s[^a-z\s]?e[^a-z\s]?c[^a-z\s]?u[^a-z\s]?r[^a-z\s]?i[^a-z\s]?t[^a-z\s]?i[^a-z\s]?e[^a-z\s]?s/i |
| # body GAPPY_RISK /\b(?!risky?)r[^a-z\s]?i[^a-z\s]?s[^a-z\s]?k(?:[^a-z\s]?y)?/i |
| # body GAPPY_SELLING /\b(?!selling)s[^a-z\s]?e[^a-z\s]?l[^a-z\s]?l[^a-z\s]?i[^a-z\s]?n[^a-z\s]?g/i |
| # body GAPPY_HUNDRED /\b(?!hundred)h[^a-z\s]?u[^a-z\s]?n[^a-z\s]?d[^a-z\s]?r[^a-z\s]?e[^a-z\s]?d/i |
| # body GAPPY_THOUSAND /\b(?!thousand)t[^a-z\s]?h[^a-z\s]?o[^a-z\s]?u[^a-z\s]?s[^a-z\s]?a[^a-z\s]?n[^a-z\s]?d/i |
| # body GAPPY_EXPENSES /\b(?!expenses)e[^a-z\s]?x[^a-z\s]?p[^a-z\s]?e[^a-z\s]?n[^a-z\s]?s[^a-z\s]?e[^a-z\s]?s/i |
| # body GAPPY_DOLLARS /\b(?!dollars)d[^a-z\s]?o[^a-z\s]?l[^a-z\s]?l[^a-z\s]?a[^a-z\s]?r[^a-z\s]?s/i |
| # |
| # describe GAPPY_TRADING Possible obfuscated stock disclaimer |
| # describe GAPPY_SECURITIES Possible obfuscated stock disclaimer |
| # describe GAPPY_RISK Possible obfuscated stock disclaimer |
| # describe GAPPY_SELLING Possible obfuscated stock disclaimer |
| # describe GAPPY_HUNDRED Possible obfuscated stock disclaimer |
| # describe GAPPY_THOUSAND Possible obfuscated stock disclaimer |
| # describe GAPPY_EXPENSES Possible obfuscated stock disclaimer |
| # describe GAPPY_DOLLARS Possible obfuscated stock disclaimer |
| |
| body GAPPY_GENITALIA /\bp(?!enis)(?!en is)[^a-z]?e[^a-z]?n[^a-z]?i[^a-z]?s(?:\b|_)/i |
| describe GAPPY_GENITALIA G.a.p.p.y male body parts |
| |
| body GAPPY_PILLS /\bp(?!ills)[^a-z]?i[^a-z]?l[^a-z]?l[^a-z]?s(?:\b|_)/i |
| describe GAPPY_PILLS G.a.p.p.y pills |
| |
| body __STYLE_TAG_IN_BODY /<style(?:[^>]{0,30})?>/i |
| body __BODY_XHTML /<x-html>/i |
| if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) |
| # possessive {0,4}+ requires perl 5.10 or better |
| rawbody __STYLE_GIBBERISH_1 /<style(?:\s[^>]{0,40})?>(?:\s{0,100}(?!<\/style>)(?:(?:\/\*(?:\s|[^*<]|\*(?!\/)|<(?!\/style>)){0,200}\*\/)|\#[^{<]{1,50}\{[^}<]{4,100}\})){0,4}+(?:\s{0,100}(?!<\/style>|\/\*)[^\s:;,]){150}/im |
| else |
| # older perl, can't deal with style comments properly |
| rawbody __STYLE_GIBBERISH_1 /<style(?:\s[^>]{0,40})?>(?:\s{0,100}(?!<\/style>|\/\*)[^\s:;,]){150}/im |
| endif |
| rawbody __STYLE_GIBBERISH_2 /\.style\w{0,20}\s{1,10}\{[^:;]{200}/im |
| rawbody __STYLE_GIBBERISH_3 /<style(?:\s[^>]{0,40})?>\s{0,80}(?:[\w:]{1,30}\s{0,10}\{[^}]{1,50}\}\s{0,80}){1,5}(?:[\w,.']{1,30}\s{1,10}){40}/im |
| meta __STYLE_GIBBERISH (__STYLE_GIBBERISH_1 || __STYLE_GIBBERISH_2 || __STYLE_GIBBERISH_3) |
| meta STYLE_GIBBERISH __STYLE_GIBBERISH && (__BODY_XHTML || !__STYLE_TAG_IN_BODY) && !__RCD_RDNS_MX_MESSY && !__HAS_THREAD_INDEX && !__ANY_OUTLOOK_MUA && !__MIME_QP && !ALL_TRUSTED |
| describe STYLE_GIBBERISH Nonsense in HTML <STYLE> tag |
| score STYLE_GIBBERISH 3.50 # limit |
| tflags STYLE_GIBBERISH publish |
| |
| body __SCRIPT_TAG_IN_BODY /<script>/i |
| rawbody __SCRIPT_GIBBERISH /<script>[^;<]{100}/im |
| meta SCRIPT_GIBBERISH __SCRIPT_GIBBERISH && (__BODY_XHTML || !__SCRIPT_TAG_IN_BODY) && !__TAG_EXISTS_META |
| describe SCRIPT_GIBBERISH Nonsense in HTML <SCRIPT> tag |
| |
| rawbody __COMMENT_GIBBERISH /<!--(?:\s{1,10}[-\w'"]{1,40}){100}/im |
| meta COMMENT_GIBBERISH __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT |
| describe COMMENT_GIBBERISH Nonsense in long HTML comment |
| score COMMENT_GIBBERISH 1.50 # limit |
| tflags COMMENT_GIBBERISH publish |
| |
| #rawbody MANY_DIV_5 /(?:<div[^>]{0,30}>\s{0,80}){5}/im |
| #tflags MANY_DIV_5 nopublish |
| #rawbody MANY_DIV_6 /(?:<div[^>]{0,30}>\s{0,80}){6}/im |
| #tflags MANY_DIV_6 nopublish |
| #rawbody MANY_DIV_7 /(?:<div[^>]{0,30}>\s{0,80}){7}/im |
| #tflags MANY_DIV_7 nopublish |
| #rawbody MANY_DIV_8 /(?:<div[^>]{0,30}>\s{0,80}){8}/im |
| #tflags MANY_DIV_8 nopublish |
| #rawbody MANY_DIV_9 /(?:<div[^>]{0,30}>\s{0,80}){9}/im |
| #tflags MANY_DIV_9 nopublish |
| #rawbody MANY_DIV_10 /(?:<div[^>]{0,30}>\s{0,80}){10}/im |
| #tflags MANY_DIV_10 nopublish |
| |
| #header FROM_TRL_UNDR From =~ /_\@/ |
| #tflags FROM_TRL_UNDR nopublish |
| |
| #body LOTSA_EMAILS /\b(?:thousand|million)\se-?mail(?:\saddresse)?s?\b/i |
| #tflags LOTSA_EMAILS nopublish |
| |
| body __BIGNUM_EMAILS /\b(?:thousand|million|\d[,\d]{4,})\s(?:(?!and|or|your)\w+\s)?(?:e-?mail\saddresses|leads|names)\b/i |
| meta BIGNUM_EMAILS __BIGNUM_EMAILS && !__SPOOFED_URL && !__BUGGED_IMG |
| describe BIGNUM_EMAILS Lots of email addresses/leads |
| score BIGNUM_EMAILS 3.00 # limit |
| #tflags BIGNUM_EMAILS nopublish |
| |
| #rawbody __HTML_ELEM_OBFU /[a-z\s]&\#[91]\d\d?[a-z]/ |
| #tflags __HTML_ELEM_OBFU multiple nopublish |
| #meta HTML_ELEM_OBFU_25 __HTML_ELEM_OBFU > 25 |
| #tflags HTML_ELEM_OBFU_25 nopublish |
| #meta HTML_ELEM_OBFU_50 __HTML_ELEM_OBFU > 50 |
| #tflags HTML_ELEM_OBFU_50 nopublish |
| #meta HTML_ELEM_OBFU_100 __HTML_ELEM_OBFU > 100 |
| #tflags HTML_ELEM_OBFU_100 nopublish |
| #meta HTML_ELEM_OBFU_150 __HTML_ELEM_OBFU > 150 |
| #tflags HTML_ELEM_OBFU_150 nopublish |
| |
| #header PPMC_FROM_1 From =~ /\bPayPa[IL](?:\.Com)?\b/ |
| #describe PPMC_FROM_1 Paypal phishing sign |
| |
| uri URI_HIDDEN_2 m;.{8}(?:[/\\]|%(?i:5c|2f))(?!\.\.?[/%\\])\..; |
| describe URI_HIDDEN_2 URI contains a hidden file or directory |
| |
| |
| |
| # Catch spam originating from 41.0.0.0/8 (Africa, incl S.Africa) |
| # Ned Slider, SAU list, 3/11/2010 |
| header __NSL_ORIG_FROM_41 X-Originating-IP =~ /^(?:.+\[)?41\./ |
| describe __NSL_ORIG_FROM_41 Originates from 41.0.0.0/8 |
| |
| # Catch spam injected from 41.0.0.0/8 (Africa, incl S.Africa) |
| # Ned Slider, SAU list, 3/11/2010 |
| # consider using khop __RCVD_VIA_AFRINIC_E instead |
| #header __NSL_RCVD_FROM_41 Received =~ /[([]41\./ |
| header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./ |
| describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8 |
| |
| meta __MONEY_FROM_41 __NSL_RCVD_FROM_41 && LOTS_OF_MONEY |
| meta MONEY_FROM_41 __MONEY_FROM_41 |
| describe MONEY_FROM_41 Lots of money from Africa |
| score MONEY_FROM_41 2.00 # limit |
| |
| |
| # some metas with the above, maybe reduce FPs |
| ifplugin Mail::SpamAssassin::Plugin::FreeMail |
| meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED |
| describe __FROM_41_FREEMAIL Sent from Africa + freemail provider |
| |
| # meta __FROM_AFR_FREEMAIL __RCVD_VIA_AFRINIC_E && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED |
| # describe __FROM_AFR_FREEMAIL Sent from Africa + freemail provider |
| else |
| meta __FROM_41_FREEMAIL 0 |
| endif |
| |
| # More from Ned |
| header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i |
| describe NSL_RCVD_HELO_USER Received from HELO User |
| |
| header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/ |
| describe NSL_RCVD_FROM_USER Received from User |
| |
| |
| # observed in spam 3/11/2010 |
| header DATE_DOTS Date =~ /\d\d\.\d\d\.\d\d/ |
| describe DATE_DOTS Periods in date header |
| |
| uri IMAGESHACK_URI /\.imageshack\.us\//i |
| describe IMAGESHACK_URI URI contains imageshack.us |
| |
| #uri __DYNDNS_URI /\.dyndns\.org(?:\/.*)?/i |
| #tflags __DYNDNS_URI multiple maxhits=2 |
| #meta DYNDNS_URIS __DYNDNS_URI > 1 |
| #describe DYNDNS_URIS Has multiple dyndns.org URIs |
| |
| |
| ## Does not perform better than URL_SHORTENER family |
| ## the ones it misses are already scoring 7+ points |
| #uri __BITLY_URI /\/\/bit\.ly\//i |
| #meta BITLY_URI __BITLY_URI && !__HDR_CASE_REVERSED && !__HAS_SENDER && !__HAS_CAMPAIGNID && !__DOS_HAS_LIST_UNSUB && !__HAS_ERRORS_TO && !__MAIL_LINK && !__MSGID_JAVAMAIL && !__ENV_AND_HDR_FROM_MATCH && !__THREADED && !__USING_VERP1 && !__IMG_VIA_BITLY && !__URL_SHORTENER |
| #describe BITLY_URI URI contains bit.ly |
| #score BITLY_URI 3.000 # limit |
| #tflags BITLY_URI publish |
| # |
| ## HTML image sourced via URL shortening service: |
| ## <IMG border=0 hspace=0 alt="" src="http://bit.ly/1OiuN0y" width=26 height=25> |
| #rawbody __IMG_VIA_BITLY m;<img\s[^>]+\ssrc\s*=\s*"?https?://(?:www\.)?bit\.ly/;i |
| #meta IMG_VIA_BITLY __IMG_VIA_BITLY && !SHORTENED_URL_SRC |
| #describe IMG_VIA_BITLY HTML image via URL shortener - URIBL avoidance? |
| #score IMG_VIA_BITLY 2.500 # limit |
| |
| uri __URI_OBFU_DOM /:\/\/(?:\w+\.)+(?:com|gov|net|org)(?:\.\w+){3,}\//i |
| meta URI_OBFU_DOM __URI_OBFU_DOM && !__VIA_ML |
| describe URI_OBFU_DOM URI pretending to be different domain |
| |
| uri DQ_URI_DOM_IN_PATH /:\/\/[\d\.]+\/[^\/]+\/[^\@]+[a-z0-9]\w{3,}\.(?:com|gov|net)/i |
| describe DQ_URI_DOM_IN_PATH DQ URI having a domain name in the path part |
| |
| uri LH_URI_DOM_IN_PATH /:\/\/[^\/]{25,}\/[^\/]+\/[^\@]+[a-z0-9]\w{3,}\.(?:com|gov|net)/i |
| describe LH_URI_DOM_IN_PATH Long-host URI having a domain name in the path part |
| |
| # observed in phish 4/10/10 |
| uri URI_1234 m,//1\.2\.3\.4/, |
| |
| # requested by Benny Pedersen 17 Apr 2010, 10 Aug 2011 |
| ifplugin Mail::SpamAssassin::Plugin::SPF |
| meta __SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS) |
| tflags __SPF_FULL_PASS net |
| meta __SPF_RANDOM_SENDER (SPF_HELO_PASS && !SPF_PASS) |
| tflags __SPF_RANDOM_SENDER net |
| else |
| meta __SPF_FULL_PASS 0 |
| meta __SPF_RANDOM_SENDER 0 |
| endif |
| |
| # Spam from ZA |
| header CAN_SPAM_HDR CAN-SPAM_Compliant =~ /./ |
| header RPT_SPAM_HDR Report-SPAM =~ /./ |
| |
| |
| #header LONG_FROM From =~ /<[^<@]{40,}\w\@/ |
| |
| |
| #if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
| # body __MANY_RECORDS_1 /\s[A-Z][a-z]{1,30}s(?:\sDatabase)?[-:\s]{2,5}(?i:1\smillion\s|\d[\d,.]{1,8}[Kk]?\s(?i:thousand\s|million\s)?)(?i:total\s|full\sdata\s)?(?i:email|record)s/ |
| # tflags __MANY_RECORDS_1 multiple maxhits=16 |
| # body __MANY_RECORDS_2 /\W{1,4}\s(?:[a-z\/]{1,20}\s){0,4}(?:doctor|physician|provider|therapist|counselor|dentist|veterinarian|clinic|hospital|agent|chiropractor|psychologist|companie|supplier)s/i |
| # tflags __MANY_RECORDS_2 multiple maxhits=16 |
| # body __MANY_RECORDS_3 /\W{1,4}\s(?:(?:[A-Z]{1,2}[a-z\/]{0,20}|and)\s){0,4}[A-Z][a-z]{1,20}s Database/ |
| # tflags __MANY_RECORDS_3 multiple maxhits=16 |
| # #meta BIG_LISTS (__MANY_RECORDS_1 + __MANY_RECORDS_2 + __MANY_RECORDS_3) > 5 |
| # meta __MANY_BIG_LISTS (__MANY_RECORDS_1 + __MANY_RECORDS_2 + __MANY_RECORDS_3) > 15 |
| # meta MANY_BIG_LISTS __MANY_BIG_LISTS && !HTML_MESSAGE && !__CTYPE_MULTIPART_ANY && !__HS_SUBJ_RE_FW && !__HAS_THREAD_INDEX |
| # describe MANY_BIG_LISTS Lots of mailing lists / databases available! |
| #endif |
| |
| |
| # Suggested by Gerard Z 2010-08-15 |
| #uri __GZ_PILL_SQUAT1 /\/[a-z]{3,8}\d{2}\.html/i |
| #uri __GZ_PILL_SQUAT2 /\/[a-z]{3,8}\d{2}\.jpg/i |
| #meta __GZ_PILL_SQUATTERS __GZ_PILL_SQUAT1 && __GZ_PILL_SQUAT2 |
| #meta GZ_PILL_SQUATTERS __GZ_PILL_SQUATTERS && !__DOS_RELAYED_EXT && !__FROM_ISO_2022_JP && !__RCD_RDNS_MX_MESSY |
| #describe GZ_PILL_SQUATTERS Found a link to rogue pill pusher content |
| |
| # observed in multiple spam |
| header TO_JOHNZY TO =~ /johnzy_the_king\@hotmail\.com/i |
| describe TO_JOHNZY To a spammy recipient |
| #score TO_JOHNZY 3.00 |
| |
| # Discussed on list and observed in spam 10/15/2010 |
| header TO_ONE_CHAR To =~ /^\s*"<"\s*</ |
| describe TO_ONE_CHAR Bogus TO name |
| # Check From: as well... |
| header FROM_ONE_CHAR From =~ /^\s*"[^"]"\s*</ |
| describe FROM_ONE_CHAR Bogus FROM name |
| |
| # __ version of khop rule for FP filtering |
| meta __NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL |
| |
| # 12-letter domain names, suggested by Len Conrad on the users list |
| header __RCVD_12LTRDOM Received =~ /[(\s.][a-z]{12}\./ |
| header __RPATH_12LTRDOM Return-Path =~ /\@[a-z]{12}\./ |
| uri __URI_12LTRDOM m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i |
| |
| header __FROM_12LTRDOM_1 From =~ /\@(?!facebookmail)[a-z]{12}\./ |
| ## suppress this, masscheck is publishing it as a T_ rule and ignoring the score limit, so hits get 1 point |
| #ifplugin Mail::SpamAssassin::Plugin::FreeMail |
| # meta FROM_12LTRDOM __FROM_12LTRDOM_1 && !__VIA_ML && !__TO___LOWER && !__FS_SUBJ_RE && !__RCD_RDNS_MAIL_MESSY && !__freemail_safe && !__UNSUB_LINK && !NO_RELAYS && !__UNUSABLE_MSGID && !DATE_IN_PAST_96_XX && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__RCD_RDNS_SMTP_MESSY && !__FB_NATIONAL && !__MAIL_LINK && !__NAME_EMAIL_DIFF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__SENDER_BOT && !__IMS_MSGID && !__HS_SUBJ_RE_FW && !__DOS_HAS_LIST_UNSUB && !__THREAD_INDEX_GOOD && !__TO_EQ_FROM_DOM && !__URI_MAILTO && !__SUBSCRIPTION_INFO |
| #else |
| # meta FROM_12LTRDOM __FROM_12LTRDOM_1 && !__VIA_ML && !__TO___LOWER && !__FS_SUBJ_RE && !__RCD_RDNS_MAIL_MESSY && !__UNSUB_LINK && !NO_RELAYS && !__UNUSABLE_MSGID && !DATE_IN_PAST_96_XX && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__RCD_RDNS_SMTP_MESSY && !__FB_NATIONAL && !__MAIL_LINK && !__NAME_EMAIL_DIFF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__SENDER_BOT && !__IMS_MSGID && !__HS_SUBJ_RE_FW && !__DOS_HAS_LIST_UNSUB && !__THREAD_INDEX_GOOD && !__TO_EQ_FROM_DOM && !__URI_MAILTO && !__SUBSCRIPTION_INFO |
| #endif |
| #describe FROM_12LTRDOM From a 12-letter domain |
| ##tflags FROM_12LTRDOM nopublish |
| #score FROM_12LTRDOM 0.10 # limit |
| |
| # promising masscheck results |
| meta __MONEY_12LTRDOM __FROM_12LTRDOM_1 && __LOTSA_MONEY_00 |
| meta MONEY_12LTRDOM __MONEY_12LTRDOM |
| score MONEY_12LTRDOM 0.10 # limit |
| describe MONEY_12LTRDOM Mentions lots of money and from a 12-letter domain |
| |
| # spammer email addresses noted by D. German on users list 9/2010 |
| body DG_SPAMMER_EMAIL_B /\b[a-z]{10,30}\.[a-z]{3,10}\@[a-z]{3,10}\.[a-z]{6,30}\.[a-z]{2,4}\b/ |
| header DG_SPAMMER_EMAIL_F From =~ /\b[a-z]{10,30}\.[a-z]{3,10}\@[a-z]{3,10}\.[a-z]{6,30}\.[a-z]{2,4}\b/ |
| describe DG_SPAMMER_EMAIL_B Recognized spammer email address in body |
| describe DG_SPAMMER_EMAIL_F Recognized spammer email address in From: header |
| |
| # Spammers can't include the real name successfully... |
| body __FORGED_FB_USERCP_01 /This message was intended for Want to control which emails you receive from Facebook\?/i |
| |
| # Javascript obfuscation noted by J. Brennan on the Users list 09/2010 |
| rawbody OBFU_JVSCR_ESC /document\.write\(unescape\("(?:%[0-9a-f]{2}){10}/i |
| describe OBFU_JVSCR_ESC Injects content using obfuscated javascript |
| #score OBFU_JVSCR_ESC 2.75 |
| tflags OBFU_JVSCR_ESC publish |
| |
| # Starting to observe in spam |
| meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID |
| meta LIST_PARTIAL __LIST_PARTIAL && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_SENDER && !__HAS_ERRORS_TO |
| describe LIST_PARTIAL Has incomplete List-* header set |
| score LIST_PARTIAL 1.000 # limit |
| |
| meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR |
| meta LIST_PRTL_SAME_USER __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO |
| describe LIST_PRTL_SAME_USER Incomplete List-* headers and from+to user the same |
| score LIST_PRTL_SAME_USER 3.000 # limit |
| tflags LIST_PRTL_SAME_USER publish |
| |
| meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1 |
| meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS |
| describe LIST_PRTL_PUMPDUMP Incomplete List-* headers and stock pump-and-dump |
| score LIST_PRTL_PUMPDUMP 2.000 # limit |
| tflags LIST_PRTL_PUMPDUMP publish |
| |
| |
| |
| # in lots of phishing |
| uri __UCOZ_URI /\.ucoz\.org\//i |
| describe __UCOZ_URI URI contains ucoz.org |
| |
| # Intrust Domains is a persistent domain registration spammer |
| # recent sign, will likely change |
| #body __ARTHUR_SIMMONS /Arthur Simmons/ |
| #body __INTRUST_DOMS /In[Tt]rust Domains/ |
| #meta ARTHUR_INTRUST __ARTHUR_SIMMONS && __INTRUST_DOMS |
| #describe ARTHUR_INTRUST Arthur Simmons - registrar spammer extraordinaire |
| |
| #header ART_NAMES_ORG Received =~ /\bart\.names\.org\b/i |
| #describe ART_NAMES_ORG Arthur Simmons - registrar spammer extraordinaire |
| |
| if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
| body __PILL_PRICE_01 m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i |
| body __PILL_PRICE_02 /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i |
| tflags __PILL_PRICE_01 multiple maxhits=3 |
| tflags __PILL_PRICE_02 multiple maxhits=3 |
| meta ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON |
| describe ANY_PILL_PRICE Prices for pills |
| meta MANY_PILL_PRICE (__PILL_PRICE_01 + __PILL_PRICE_02) > 2 |
| describe MANY_PILL_PRICE Prices for many pills |
| else |
| meta __PILL_PRICE_01 0 |
| meta __PILL_PRICE_02 0 |
| endif |
| |
| # More from Ned Slider |
| ifplugin Mail::SpamAssassin::Plugin::FreeMail |
| meta NSL_FREEMAIL_SUBJ (FREEMAIL_FROM && MISSING_SUBJECT) |
| describe NSL_FREEMAIL_SUBJ From freemail with missing subject |
| # score NSL_FREEMAIL_SUBJ 1.0 |
| tflags NSL_FREEMAIL_SUBJ nopublish |
| |
| meta NSL_FREEMAIL_M1 (NSL_FREEMAIL_SUBJ && (__HAS_ANY_URI || __MANY_RECIPS)) |
| describe NSL_FREEMAIL_M1 From freemail, missing subject and uri or many recips |
| # score NSL_FREEMAIL_M1 1.0 |
| tflags NSL_FREEMAIL_M1 nopublish |
| |
| meta NSL_FREEMAIL_M2 (FREEMAIL_FROM && __HAS_ANY_URI && __MANY_RECIPS) |
| describe NSL_FREEMAIL_M2 From freemail with uri and many recips |
| # score NSL_FREEMAIL_M2 1.0 |
| tflags NSL_FREEMAIL_M2 nopublish |
| endif |
| |
| header NSL_TO_ENDS_COMMA To =~ /,$/ |
| describe NSL_TO_ENDS_COMMA To: ends with a comma |
| #score NSL_TO_ENDS_COMMA 0.001 |
| tflags NSL_TO_ENDS_COMMA nopublish |
| |
| |
| body CN_B2B_SPAMMER /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i |
| describe CN_B2B_SPAMMER Chinese company introducing itself |
| tflags CN_B2B_SPAMMER publish |
| |
| body CN_OPTOUT_EML /\b(?:pasamenzi|arinayuma)\@sina\.com\b/i |
| describe CN_OPTOUT_EML Opt-out email address in CN B2B spams |
| |
| # __ version of khopesh UPPERCASE_URI, for use in metas |
| uri __UPPERCASE_URI /^[^:A-Z]+[A-Z]/ |
| |
| # __ version of khopesh SINGLE_HEADER_1K, for use in metas |
| #header __SINGLE_HEADER_1K ALL:raw =~ /(?-xim:(?=(?!X-Spam|X-MailScan)(?:^|\n)[^\s\n]+:(?:.(?!\n\S)){1024,2047}.(?:\n\S|$)))/s |
| |
| # __ version of mmartinec RP_MATCHES_RCVD, for use in metas |
| if version >= 3.003000 |
| ifplugin Mail::SpamAssassin::Plugin::WLBLEval |
| header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd() |
| else |
| meta __RP_MATCHES_RCVD 0 |
| endif |
| else |
| meta __RP_MATCHES_RCVD 0 |
| endif |
| |
| # for sale newsletters |
| if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
| body __FOR_SALE_OBO /\bor best offer\b/i |
| tflags __FOR_SALE_OBO multiple maxhits=6 |
| meta __FOR_SALE_OBO_MANY __FOR_SALE_OBO > 5 |
| |
| body __FOR_SALE_PRC_1K /\bprice:? \$\d,?\d\d\d[.\s]/i |
| tflags __FOR_SALE_PRC_1K multiple maxhits=11 |
| meta __FOR_SALE_PRC_1K_MANY __FOR_SALE_PRC_1K > 10 |
| |
| body __FOR_SALE_PRC_10K /\bprice:? \$\d\d,\d\d\d/i |
| tflags __FOR_SALE_PRC_10K multiple maxhits=11 |
| meta __FOR_SALE_PRC_10K_MANY __FOR_SALE_PRC_10K > 10 |
| |
| body __FOR_SALE_PRC_100K /\bprice:? \$\d\d\d,\d\d\d/i |
| tflags __FOR_SALE_PRC_100K multiple maxhits=11 |
| meta __FOR_SALE_PRC_100K_MANY __FOR_SALE_PRC_100K > 5 |
| |
| meta __FOR_SALE_PRC_MANY (__FOR_SALE_PRC_1K + __FOR_SALE_PRC_10K + __FOR_SALE_PRC_100K) > 20 |
| |
| body __FOR_SALE_LTP /00\.? (?:less 10%|LTP)/i |
| tflags __FOR_SALE_LTP multiple maxhits=11 |
| meta __FOR_SALE_LTP_MANY __FOR_SALE_LTP > 10 |
| |
| body __FOR_SALE_NET /00\.? NET/i |
| tflags __FOR_SALE_NET multiple maxhits=11 |
| meta __FOR_SALE_NET_MANY __FOR_SALE_NET > 10 |
| |
| rawbody __FOR_SALE_PRC_EOL /\s\$\d{1,3},\d00(?:\.00)?$/m |
| tflags __FOR_SALE_PRC_EOL multiple maxhits=11 |
| meta __FOR_SALE_PRC_EOL_MANY __FOR_SALE_PRC_EOL > 10 |
| endif |
| |
| uri __URI_MAILTO /^mailto:/i |
| tflags __URI_MAILTO multiple maxhits=16 |
| meta __URI_MAILTO_MANY __URI_MAILTO > 15 |
| |
| |
| header REPLYTO_EMPTY Reply-To =~ /<>/ |
| describe REPLYTO_EMPTY Reply-To undeliverable |
| |
| header __TO_MANY To =~ /(?:,[^,]{1,90}){10}/ |
| header __CC_MANY Cc =~ /(?:,[^,]{1,90}){10}/ |
| |
| header __TO_TOO_MANY To =~ /(?:,[^,]{1,90}){30}/ |
| header __CC_TOO_MANY Cc =~ /(?:,[^,]{1,90}){30}/ |
| |
| header __TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,90}){50}/ |
| |
| meta FREEMAIL_MANY_TO __TO_WAY_TOO_MANY && FREEMAIL_FROM |
| describe FREEMAIL_MANY_TO Freemail sender, 50+ exposed recipients |
| score FREEMAIL_MANY_TO 2.000 # limit |
| |
| |
| body __GAPPY_PHONE_NA /1 ?- \d \d \d ?- \d \d \d ?- \d \d \d \d/ |
| meta GAPPY_PHONE_NA __GAPPY_PHONE_NA |
| describe GAPPY_PHONE_NA Phone number with lots of spaces |
| |
| full __GAPPY_HTML_01 m;</?[a-z]{1,6}(?:\s[^>]{0,40})?>(?:\s|=09){0,80}(?:(?!\d)[\w'()\#,.:!]{1,15}(?:\s|=09){4,80}){7}\S; |
| full __GAPPY_HTML_02 m;\S(?:(?:\s|=09){4,80}(?!\d)[\w'()\#,.:!]{1,15}){7}(?:\s|=09){0,5}</?[a-z]{1,6}/?>; |
| #full __GAPPY_HTML_03 /^(?:=09){5,20}</m |
| #tflags __GAPPY_HTML_03 multiple maxhits=11 |
| #full __GAPPY_HTML_04 /^(?:=0A){5,20}/m |
| #tflags __GAPPY_HTML_04 multiple maxhits=11 |
| #meta __GAPPY_HTML __MIME_HTML && (__GAPPY_HTML_01 || __GAPPY_HTML_02 || (__GAPPY_HTML_03 > 10) || (__GAPPY_HTML_04 > 10)) |
| meta __GAPPY_HTML __MIME_HTML && (__GAPPY_HTML_01 || __GAPPY_HTML_02) |
| meta GAPPY_HTML __GAPPY_HTML && !__UNSUB_LINK && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY |
| describe GAPPY_HTML HTML body with much useless whitespace |
| |
| # Try to improve S/O per bug 6119 |
| meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__LCL__ENV_AND_HDR_FROM_MATCH && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__TO_EQ_FROM_DOM && !__BOTH_INR_AND_REF && !__X_CRON_ENV && !__HAS_THREAD_INDEX && !__HDRS_LCASE_KNOWN && !__ISO_2022_JP_DELIM |
| #tflags TVD_SPACE_RATIO_MINFP nopublish |
| score TVD_SPACE_RATIO_MINFP 2.750 # limit |
| describe TVD_SPACE_RATIO_MINFP Space ratio |
| |
| # Only useful for English-language email |
| #meta SUBJECT_UNNEEDED_ENCODING (__SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED) && !__RCD_RDNS_MAIL && !__LCL__ENV_AND_HDR_FROM_MATCH && !__SUBSCRIPTION_INFO && !__THREADED && !__NONBOUNCE_READ_RECEIPT |
| #describe SUBJECT_UNNEEDED_ENCODING Subject encoded but not non-ANSI? |
| #score SUBJECT_UNNEEDED_ENCODING 1.000 # limit |
| #tflags SUBJECT_UNNEEDED_ENCODING publish |
| |
| # Be sensitive to FP on legit japanese- and chinese-language mailing lists (09/2014) |
| meta __TVD_SPACE_ENCODED (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED) |
| meta TVD_SPACE_ENCODED __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM |
| score TVD_SPACE_ENCODED 2.500 # limit |
| describe TVD_SPACE_ENCODED Space ratio & encoded subject |
| |
| meta TVD_SPACE_ENC_FM_MIME __TVD_SPACE_ENCODED && __FROM_NEEDS_MIME && !__ISO_2022_JP_DELIM |
| score TVD_SPACE_ENC_FM_MIME 2.000 # limit |
| describe TVD_SPACE_ENC_FM_MIME Space ratio & encoded subject & MIME needed |
| |
| |
| # sample from users list: Subject: Sta ffWork sFastToSen dTab le tsGood s |
| header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/ |
| tflags __SUBJ_BROKEN_WORD multiple maxhits=2 |
| meta SUBJ_BROKEN_WORD __SUBJ_BROKEN_WORD && !ALL_TRUSTED && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__MIME_QP && !__DOS_HAS_LIST_UNSUB && !__HAS_IN_REPLY_TO && !__THREADED && !__MSGID_JAVAMAIL && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY && !__MSGID_OK_DIGITS && !__NOT_A_PERSON && !__LCL__ENV_AND_HDR_FROM_MATCH |
| describe SUBJ_BROKEN_WORD Subject contains odd word break |
| meta SUBJ_BROKEN_WORDS __SUBJ_BROKEN_WORD > 1 && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__MIME_QP && !__DOS_HAS_LIST_UNSUB && !__HAS_IN_REPLY_TO && !__THREADED && !__MSGID_JAVAMAIL && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY && !__MSGID_OK_DIGITS |
| describe SUBJ_BROKEN_WORDS Subject contains multiple odd word breaks |
| |
| # felicity TVD_SUBJ_NUM_OBFU as subrule |
| header __TVD_SUBJ_NUM_OBFU Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i |
| meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU |
| ifplugin Mail::SpamAssassin::Plugin::DKIM |
| meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER |
| describe SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers |
| endif |
| |
| meta TVD_SUBJ_NUM_OBFU_MINFP __TVD_SUBJ_NUM_OBFU && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !__X_CRON_ENV && !__NOT_A_PERSON && !__HAS_THREAD_INDEX && !__THREADED && !__NUMBERS_IN_SUBJ && !__URI_MAILTO |
| |
| # from spample on users list 7/20/2011 |
| header __XM_PHPMAILER_FORGED X-Mailer =~ /PHPMailer\s.*version\D+$/ |
| meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED |
| describe XM_PHPMAILER_FORGED Apparently forged header |
| tflags XM_PHPMAILER_FORGED publish |
| |
| # from spample on users list 7/24/2011 |
| header __XM_EC_MESSENGER X-Mailer =~ /\beC-Messenger\b/ |
| #meta XM_EC_MESSENGER __XM_EC_MESSENGER |
| #describe XM_EC_MESSENGER eC-Messenger bulk mail service |
| |
| header __SUBJ_OBFU_PUNCT Subject =~ /(?:(?!<[a-z][a-z])[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z])/i |
| tflags __SUBJ_OBFU_PUNCT multiple maxhits=4 |
| meta SUBJ_OBFU_PUNCT_FEW __SUBJ_OBFU_PUNCT > 1 && !__THREADED && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH |
| describe SUBJ_OBFU_PUNCT_FEW Possible punctuation-obfuscated Subject: header |
| score SUBJ_OBFU_PUNCT_FEW 0.750 |
| meta SUBJ_OBFU_PUNCT_MANY __SUBJ_OBFU_PUNCT > 2 && !__THREADED && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH |
| describe SUBJ_OBFU_PUNCT_MANY Punctuation-obfuscated Subject: header |
| score SUBJ_OBFU_PUNCT_MANY 1.750 |
| |
| #meta SUBJ_MANGLED __SUBJ_OBFU_PUNCT && __GAPPY_SUBJECT && !__RP_MATCHES_RCVD && !__HAS_X_MAILER && !__DOS_HAS_LIST_UNSUB |
| #score SUBJ_MANGLED 2.000 # limit |
| |
| # A document was scanned and sentto you using a Hewlett-Packard HP Officejet |
| # A document was scanned and sent to you using a Hewlett-Packard HP Officejet |
| # Scan from Hewlet-Packard Officejet |
| # Scan from a HP Officejet |
| # Hewlett-Packard Officejet Location: machine location not set |
| # Xerox WorkCentre |
| # See http://isc.sans.edu/diary.html?storyid=11848#comment |
| body __SCANNED /\b(?:(?:document was scan+ed and sent ?to you using|Scan from)(?: an?)? (?:(?:Hewlet+-Packard |HP ){1,2}Officejet|Hewlet+-Packard Officejet Location: machine location not set)|Xerox\b)/i |
| meta SCANNED_EXTERNAL __SCANNED && !ALL_TRUSTED && !__XEROXWORKCTR_MUA |
| describe SCANNED_EXTERNAL "Scanned Document" email from external source - malware? |
| score SCANNED_EXTERNAL 3.00 # limit |
| |
| if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
| # real estate / stock scam spams 11/2011 |
| # roughly similar to FS_LARGE_PERCENT2, better S/O? |
| body __LARGE_PERCENT_AFTER /\d{3}% after/i |
| tflags __LARGE_PERCENT_AFTER multiple maxhits=4 |
| meta LARGE_PCT_AFTER_MANY __LARGE_PERCENT_AFTER > 3 |
| describe LARGE_PCT_AFTER_MANY Many large percentages after... |
| else |
| meta __LARGE_PERCENT_AFTER 0 |
| endif |
| |
| # phish/malware 11/2011 |
| body __ACH_CANCELLED_01 /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i |
| body __ACH_CANCELLED_02 /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i |
| body __ACH_CANCELLED_03 /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i |
| body __ACH_CANCELLED_04 /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i |
| |
| ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
| mimeheader __EXE_ATTACH Content-Type =~ /\.exe\b/i |
| meta __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH |
| meta ACH_CANCELLED_EXE __ACH_CANCELLED_EXE |
| describe ACH_CANCELLED_EXE "ACH cancelled" probable malware |
| else |
| meta __EXE_ATTACH 0 |
| endif |
| |
| meta __ACH_CANCELLED (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && (__HAS_ANY_URI || LOTS_OF_MONEY) |
| meta ACH_CANCELLED __ACH_CANCELLED |
| describe ACH_CANCELLED "ACH cancelled" fraud / phish |
| |
| # spams from users list query 03/2012 |
| # Not useful as scored rules, may be useful meta'd with something else |
| uri __URI_DBL_SUBDOM m,^https?://(?!www\.amazon\.com)([^/]+)/.*https?://(?:[^.]+\.)?\1/,i |
| #meta URI_DBL_SUBDOM __URI_DBL_SUBDOM && !__RP_MATCHES_RCVD && !__FROM_LOWER && !__HAS_ERRORS_TO && !__TO_EQ_FROM_DOM |
| #score URI_DBL_SUBDOM 1.00 # limit |
| |
| uri __URI_DBL_DOM m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i |
| |
| uri __URI_DBL_INDIR m,(?:=https?://(?!www\.amazon\.com).*?){2},i |
| meta URI_DBL_INDIR __URI_DBL_INDIR && !__URI_TRPL_INDIR |
| describe URI_DBL_INDIR A URI with two levels of indirection |
| uri __URI_TRPL_INDIR m,(?:=https?://(?!www\.amazon\.com).*?){3},i |
| meta URI_TRPL_INDIR __URI_TRPL_INDIR |
| describe URI_TRPL_INDIR A URI with at least three levels of indirection |
| |
| # suggestion on users list 04/2012 |
| header SUBJ_ODD_CASE ALL =~ /\n(?!(?:Subject:|SUBJECT:|subject:))(?i:subject:)/sm |
| describe SUBJ_ODD_CASE Oddly mixed-case Subject: header |
| |
| |
| # Somebody's resurrecting the dead 07/1012 |
| body BILL_1618 /\bUnder Bills?.1618(?: Title III)? passed by the 105th U\.S\. Congress\b/i |
| describe BILL_1618 Mentions proposed US law supposedly permitting spamming |
| body NOT_SPAM /\b(?:this mail cannot be considered Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)\b/i |
| describe NOT_SPAM I'm not spam! Really! I'm not, I'm not, I'm not! |
| |
| |
| # suggested by http://isc.sans.edu/diary.html?storyid=13921 |
| uri URI_MALWARE_BH /\.\w{2,4}\/[\d\w]{8}\/index\.html/i |
| describe URI_MALWARE_BH Possible BlackHole malware links / phishing |
| score URI_MALWARE_BH 1.0 # limit |
| |
| # suggested by https://isc.sans.edu/diary.html?storyid=13996 |
| uri __URI_DATA /^data:[a-z]/i |
| meta URI_DATA __URI_DATA && !ALL_TRUSTED |
| describe URI_DATA "data:" URI - possible malware or phish |
| score URI_DATA 1.0 # limit |
| |
| |
| header __SUBJ_ATTENTION Subject =~ /ATTENTION/ |
| meta SUBJ_ATTENTION __SUBJ_ATTENTION && !ALL_TRUSTED |
| describe SUBJ_ATTENTION ATTENTION in Subject |
| score SUBJ_ATTENTION 0.500 # limit |
| |
| header __IRS_FM_NAME From:name =~ /internal\srevenue\sservice/i |
| header __IRS_FM_DOM From:addr =~ /\birs\.gov$/ |
| header __IRS_RCVD_DOM X-Spam-Relays-External =~ / rdns=\S+\birs\.gov / |
| meta __IRS_SPOOF (__IRS_FM_NAME || __IRS_FM_DOM) && !__IRS_RCVD_DOM && __REPLYTO_EXISTS |
| meta IRS_SPOOF __IRS_SPOOF |
| describe IRS_SPOOF Claims to be IRS, but not from IRS domain |
| score IRS_SPOOF 2.00 # limit |
| |
| |
| header __FBI_FM_NAME From:name =~ /federal\sbureau\sof\sinvestigation/i |
| header __FBI_FM_DOM From:addr =~ /\bfbi\.gov$/ |
| header __FBI_RCVD_DOM X-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov / |
| body __FBI_BODY_SHOUT_1 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/ |
| rawbody __FBI_BODY_SHOUT_2 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/m |
| meta __FBI_SPOOF (__FBI_FM_NAME || __FBI_FM_DOM || __FBI_BODY_SHOUT_1 || __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __REPLYTO_EXISTS |
| meta FBI_SPOOF __FBI_SPOOF |
| describe FBI_SPOOF Claims to be FBI, but not from FBI domain |
| score FBI_SPOOF 2.00 # limit |
| tflags FBI_SPOOF publish |
| |
| meta FBI_MONEY __FBI_SPOOF && LOTS_OF_MONEY |
| describe FBI_MONEY The FBI wants to give you lots of money? |
| score FBI_MONEY 2.00 # limit |
| tflags FBI_MONEY publish |
| |
| |
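| # Financial-brand sender subrules feeding FROM_MISSP_PHISH.  The *_LOOSE |
| # ones match anywhere in the full From: header; the rest anchor on the |
| # end of the From: address (domain). |
| header __FROM_ASB_BANK From:addr =~ /\basb\.co\.nz$/i |
| header __FROM_AMEX From =~ /american\s?express/i |
| header __FROM_BANK_LOOSE From =~ /ban(?:k|co)/i |
| # The "paymentech" group had no quantifier, so the bare chase.com domain |
| # the rule name implies never matched; it is now optional. |
| header __FROM_CHASE From:addr =~ /chase(?:2?-?paymentech)?\.com$/i |
| header __FROM_CMNWLTH_BANK From:addr =~ /\bcommonwealth\.com\.au$/i |
| header __FROM_EBAY_LOOSE From =~ /\be-?bay\b/i |
| header __FROM_HSBC From:addr =~ /\bhsbc\.co\.uk$/i |
| # Same fix: "tsb" was a mandatory group, so lloyds.com / lloyds.co.uk |
| # never matched; it is now optional. |
| header __FROM_LLOYDSTSB From:addr =~ /\blloyds(?:tsb)?\.(?:co\.uk|com)$/i |
| header __FROM_PAYPAL_LOOSE From =~ /paypal/i |
| header __FROM_WELLSFARGO From:addr =~ /wellsfargo\.com$/i |
| header __FROM_WESTERNUNION From:addr =~ /westernunion\.com$/i |
| |
| # A malformed From: header (__FROM_MISSPACED, defined elsewhere) that |
| # also names one of the brands above. |
| meta __FROM_MISSP_PHISH __FROM_MISSPACED && (__FROM_ASB_BANK || __FROM_AMEX || __FROM_BANK_LOOSE || __FROM_CHASE || __FROM_CMNWLTH_BANK || __FROM_EBAY_LOOSE || __FROM_HSBC || __FROM_LLOYDSTSB || __FROM_PAYPAL_LOOSE || __FROM_WELLSFARGO || __FROM_WESTERNUNION) |
| meta FROM_MISSP_PHISH __FROM_MISSP_PHISH |
| describe FROM_MISSP_PHISH Malformed, claims to be from financial organization - possible phish |
| score FROM_MISSP_PHISH 3.500 # limit |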
| |
| # another upload-a-document-for-public-access site |
| uri __URI_YOUSENDIT m,^https?://www\.yousendit\.com/directdownload,i |
| |
| # see also DOS_GOOGLE_DOCS |
| # Google Docs form/view URIs and Google Drive links; __URI_GOOGLE_DOC is |
| # used below by GOOGLE_DOCS_PHISH*, URI_GOOGLE_DOCS and, negated, by __URI_PHISH. |
| uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*view(?:form)?\?(?:id|formkey)=,i |
| uri __URI_GOOGLE_DRV m,^https?://googledrive\.com/,i |
| |
| # Webmail / mailbox-quota phish phrase subrules.  Several alternatives accept |
| # the same accented letter three ways - quoted-printable (=E1), Latin-1 |
| # (\xe1) and UTF-8 (\xc3\xa1) - so they also hit undecoded body text.  The |
| # non-English alternatives appear to be Portuguese, Polish and Swedish. |
| body __WEBMAIL_ACCT /\byour web ?mail account/i |
| body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i |
| body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here)\b/i |
| body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta)\b/i |
| # NOTE(review): "request (?:for )additional storage" has an unquantified group, |
| # so "request additional storage" does not match - probably a missing "?". |
| body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:[hw]as\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage)\b/i |
| body __LOCK_MAILBOX /\b(?:(?:deactivate|lock|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server))/i |
| # NOTE(review): "admin(?:istrator)" is likewise unquantified, so a bare |
| # "mail admin" / "sysadmin" does not match; only the longer form does. |
| # __SYSADMIN is also promoted to the scored SYSADMIN rule further down. |
| body __SYSADMIN /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i |
| body __ATTN_MAIL_USER /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i |
| body __MAIL_ACCT_ACCESS1 /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i |
| body __MAIL_ACCT_ACCESS2 /\blo+se ac+es+ to your (?:web|e-?)?mail (?:account|log-?in|box|address)\b/i |
| |
| # Swedish variants of the "mailbox full" / "reset your account" phrases. |
| body __MAILBOX_FULL_SE /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i |
| body __VALIDATE_MBOX_SE /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i |
| |
| # Phrase-hit counters: __EMAIL_PHISH needs more than one hit, _MANY more |
| # than three (the two are not mutually exclusive, unlike __ACCT_PHISH below). |
| # __ACCESS_REVOKE is defined further down and the __TVD_PH_* subrules |
| # elsewhere; SpamAssassin resolves meta dependencies after loading, so |
| # forward references are fine. |
| meta __EMAIL_PHISH (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) > 1) |
| meta __EMAIL_PHISH_MANY (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) > 3) |
| |
| # Upgrade phrase combined with hidden (low-contrast) HTML text. |
| # No score line, so this rule carries SpamAssassin's default score of 1.0. |
| meta UPGRADE_MAILBOX __UPGR_MAILBOX && __HTML_FONT_LOW_CONTRAST_MINFP |
| describe UPGRADE_MAILBOX Upgrade your mailbox! (phishing?) |
| |
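| # Account-suspension phish phrase subrules. |
| # Fixed: the pattern began "\b?(:" - an optional word boundary followed by a |
| # capturing group opening with a literal colon - so it only matched text |
| # such as ":account has been ..." and effectively never fired.  Now "\b(?:". |
| # NOTE(review): "(?:temporar(?:il)?y )" is still unquantified, so a plain |
| # "account has been suspended" does not match - confirm whether a "?" is wanted. |
| body __ACCESS_SUSPENDED /\b(?:(?:access|account) has been (?:temporar(?:il)?y )(?:suspended|blocked|locked)|suspend (?:you from|your) access(?:ing)?)\b/i |
| body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online))/i |
| # Also counted by __EMAIL_PHISH above. |
| body __ACCESS_REVOKE /(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)/i |
| body __VERIFY_ACCOUNT /(?:confirm|updated?|verify) (?:your|the) (?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)/i |
| body __FAILED_LOGINS /unsuc+es+ful log-?[io]n at+empts/i |
| body __ACCOUNT_REACTIV /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i |
| body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i |
| body __ACCOUNT_ERROR /your account (?:is|appears to be) (?:incorrect|missing|in error|invalid)/i |
| body __ACCOUNT_DISRUPT /ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)/i |
| # NOTE(review): "upgrade (?:of )your" is unquantified too, so "upgrade your |
| # account" only matches via the second alternative. |
| body __ACCOUNT_UPGRADE /(?:upgrade (?:of )your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded)/i |
| |
| # Two tiers that are mutually exclusive: 2-3 phrase hits -> __ACCT_PHISH, |
| # 4 or more -> __ACCT_PHISH_MANY. |
| meta __ACCT_PHISH (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE) > 1 && !__ACCT_PHISH_MANY |
| meta __ACCT_PHISH_MANY (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE) > 3 |
| meta ACCT_PHISHING __ACCT_PHISH |
| describe ACCT_PHISHING Possible phishing for account information |
| score ACCT_PHISHING 1.500 # limit |
| meta ACCT_PHISHING_MANY __ACCT_PHISH_MANY |
| describe ACCT_PHISHING_MANY Phishing for account information |
| score ACCT_PHISHING_MANY 3.000 # limit |
| |
| # Any phish tier plus a forged freemail Reply-To: (FREEMAIL_FORGED_REPLYTO |
| # is defined outside this file).  No score line: default 1.0 applies. |
| meta PHISHING_FREEMAIL (__EMAIL_PHISH || __EMAIL_PHISH_MANY || __ACCT_PHISH || __ACCT_PHISH_MANY) && FREEMAIL_FORGED_REPLYTO |
| describe PHISHING_FREEMAIL Send your login credentials to some random freemail account |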
| |
| |
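| # Google Docs observed on LOTS of phishes 2012 |
| # Google Docs form URI plus either a TVD phish subrule or one of the |
| # phish-phrase tiers defined above. |
| meta __GOOGLE_DOCS_PHISH_1 __URI_GOOGLE_DOC && (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) |
| meta __GOOGLE_DOCS_PHISH_2 __URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH) |
| meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2) |
| describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form |
| score GOOGLE_DOCS_PHISH 3.00 # limit |
| tflags GOOGLE_DOCS_PHISH publish |
| |
| meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY) |
| describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form |
| score GOOGLE_DOCS_PHISH_MANY 4.00 # limit |
| tflags GOOGLE_DOCS_PHISH_MANY publish |
| |
| # Bare Google Docs URI with FP-avoidance exclusions (all defined elsewhere). |
| # The duplicated "!__TO_EQ_FROM_DOM" term has been removed; the result is |
| # unchanged. |
| meta URI_GOOGLE_DOCS __URI_GOOGLE_DOC && !__DKIM_EXISTS && !__TO_EQ_FROM_DOM && !__DOS_REF_TODAY && !__DOS_BODY_FRI && !__DOS_BODY_WED && !__freemail_safe_fwd && !__HAS_ERRORS_TO |
| describe URI_GOOGLE_DOCS URI for Google Docs, common in phishing |
| score URI_GOOGLE_DOCS 1.00 # limit |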
| |
| # Any URI except a Google Docs one (covered by GOOGLE_DOCS_PHISH) together |
| # with a phish-phrase tier. |
| meta __URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH) |
| # The two URI_PHISH definitions differ only in the trailing "!__REMOTE_IMAGE" |
| # term, which needs the MIMEHeader plugin; everything else is identical. |
| ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
| meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE |
| else |
| meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney |
| endif |
| describe URI_PHISH Phishing using web form |
| score URI_PHISH 4.00 # limit |
| tflags URI_PHISH publish |
| |
| # Scored version of the __SYSADMIN body subrule defined above.  Uses the |
| # __LCL__ENV_AND_HDR_FROM_MATCH shim from the top of this file so the meta |
| # stays defined when the HeaderEval plugin is not loaded. |
| meta SYSADMIN __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS |
| describe SYSADMIN Supposedly from your IT department |
| score SYSADMIN 3.500 # limit |
| tflags SYSADMIN publish |
| |
| # suggested by MPerkel on the users list 11/10/2012 |
| # Mixed-case URI components ("MC").  Each negative lookahead is evaluated |
| # case-sensitively ((?-i:...)) and rejects the conventional spellings; the |
| # case-insensitive match that follows can then only succeed on odd casing |
| # such as "hTTp", "wWw" or "gOOgle".  Not scored here; used elsewhere. |
| uri __URI_PROTO_MC /^(?!(?-i:(?:[Hh]ttps?|HTTPS?):))https?:/i |
| uri __URI_WWW_MC m,://(?!(?-i:www|WWW))www\.,i |
| uri __URI_TLD_MC /\.(?!(?-i:com|net|org|biz|info|COM|NET|ORG))(?:com|net|org|biz|info)\b/i |
| uri __URI_GOOG_MC /(?!(?-i:[Gg]oogle))google/i |
| |
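| # CSS font-size of 0-4px in the raw HTML; the meta requires a <body> tag and |
| # applies the usual FP-avoidance exclusions (all defined elsewhere). |
| # The duplicated "!__FROM_LOWER" term has been removed; the result is unchanged. |
| rawbody __HTML_FONT_TINY_01 /font-size:\s{0,5}[0-4]px;/i |
| meta HTML_FONT_TINY __HTML_FONT_TINY_01 && __TAG_EXISTS_BODY && !__DKIM_EXISTS && !__BUGGED_IMG && !__VIA_ML && !__RP_MATCHES_RCVD && !__THREADED && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_JAVAMAIL && !__FROM_LOWER && !__HAS_THREAD_INDEX |
| describe HTML_FONT_TINY Font too small to read |
| score HTML_FONT_TINY 1.500 # limit |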
| |
| # Counts non-blank body lines, capped at 3 by maxhits, so the metas below can |
| # test for "fewer than 2" / "fewer than 3" lines of text. |
| body __BODY_TEXT_LINE /^\s*\S/ |
| tflags __BODY_TEXT_LINE multiple maxhits=3 |
| # At most one non-blank line and not an S/MIME message (__SMIME_MESSAGE is |
| # defined further down in this file). |
| meta __EMPTY_BODY __BODY_TEXT_LINE < 2 && !__SMIME_MESSAGE |
| # this hits 13% of masscheck corpus spam, 50% of that only scores 2 points |
| meta BODY_EMPTY __EMPTY_BODY && !__NUMBERS_IN_SUBJ && !__CTE && !__RP_MATCHES_RCVD && !__VIA_ML && !__MIME_ATTACHMENT && !__HAS_THREAD_INDEX && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__FROM_LOWER && !__NOT_SPOOFED && !__MSGID_APPLEMAIL && !__RCD_RDNS_MAIL_MESSY && !NO_RELAYS && !__NOT_A_PERSON |
| describe BODY_EMPTY No body text in message |
| score BODY_EMPTY 3.00 # limit |
| |
| |
| # Fewer than three non-blank lines, at least one URI, not S/MIME.  Also |
| # reused by URI_ONLY_LOW_CONTRAST below. |
| meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE |
| meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH && !__TO_EQ_FROM_DOM && !__X_CRON_ENV |
| describe BODY_URI_ONLY Message body is only a URI in one line of text or for an image |
| score BODY_URI_ONLY 1.000 # limit |
| tflags BODY_URI_ONLY publish |
| |
| |
| # A body line holding a single run of up to 60 non-space characters; counted |
| # up to 2.  The Subject variant lets the meta ignore a lone body word when the |
| # Subject is also a single word (presumably an echoed subject - verify). |
| body __SINGLE_WORD_LINE /^\s?\S{1,60}\s?$/ |
| tflags __SINGLE_WORD_LINE multiple maxhits=2 |
| header __SINGLE_WORD_SUBJ Subject =~ /^\s*\S{1,60}\s*$/ |
| # Fewer than three text lines but not empty, not S/MIME, and either one |
| # single-word line with a multi-word Subject or two single-word lines. |
| meta __BODY_SINGLE_WORD __BODY_TEXT_LINE < 3 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1) |
| meta BODY_SINGLE_WORD __BODY_SINGLE_WORD && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP |
| describe BODY_SINGLE_WORD Message body is only one word (no spaces) |
| score BODY_SINGLE_WORD 2.500 # limit |
| |
| # Same exclusions as BODY_SINGLE_WORD, restricted to the case where that |
| # single word is a URI; both rules can fire on the same message. |
| meta BODY_SINGLE_URI (__BODY_SINGLE_WORD && __HAS_ANY_URI) && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP |
| describe BODY_SINGLE_URI Message body is only a URI |
| score BODY_SINGLE_URI 2.500 # limit |
| |
| #ifplugin Mail::SpamAssassin::Plugin::DKIM |
| # # malformed DKIM signatures seen in the wild - see bug#6895 |
| # # see how well this performs |
| # meta __DKIM_MALFORMED DKIM_SIGNED && !DKIM_VALID |
| #endif |
| |
| #body __YOUR_PHOTOS /\byour photos (?:as p[rw]omised )?(?:here )?(?:- )?https?:/i |
| #meta YOUR_PHOTOS __YOUR_PHOTOS && !__HAS_ANY_EMAIL && !__HAS_REPLY_TO && !__DOS_HAS_LIST_UNSUB |
| #describe YOUR_PHOTOS "Your Photos" phishing or malware |
| #score YOUR_PHOTOS 4.00 # limit |
| |
| # Spanish and Portuguese unsubscribe boilerplate.  Accented letters are |
| # accepted as quoted-printable, Latin-1 or UTF-8 bytes.  Neither scored rule |
| # has a describe line.  __UNSUBSCRIBE_ES is also used by ES_LIC_FROM_INFO below. |
| body __UNSUBSCRIBE_ES /\b(?:Para darte de baja y no recibir ning(?:=FA|[\xfa]|[\xc3][\xba])n|Si no desea que le enviemos publicidad|Si desea eliminar su correo [^\s@]{1,64}@[^\s@]{1,64} de nuestra lista|no recibir estos boletines a: [^\s@]{1,64}@[^\s@]{1,64} simplemente|Si no desea recibir m(?:=E1|[\xe1]|[\xc3][\xa1]|a)s notificaciones)\b/i |
| meta UNSUBSCRIBE_ES __UNSUBSCRIBE_ES |
| score UNSUBSCRIBE_ES 2.500 # limit |
| |
| body __UNSUBSCRIBE_PT /\bSe n(?:a|=E3|[\xe3]|[\xc3][\xa3])o desejar mais receber nossos e-?mails?\b/i |
| meta UNSUBSCRIBE_PT __UNSUBSCRIBE_PT |
| score UNSUBSCRIBE_PT 2.500 # limit |
| |
| # Two consecutive scheme prefixes ("http://http://") in body text. |
| body __URI_DBL_PROTO m,\b(?:https?:/+){2},i |
| |
| # URI that is a Windows drive path ("C:\..."). Not scored here. |
| uri __URI_DOS_FILE /^[A-Z]:\\/i |
| |
| # Fill-in-this-form phrase plus hidden (low-contrast) text. |
| # NOTE(review): both sides of the "||" are the same subrule, |
| # __FILL_THIS_FORM_SHORT2, so the disjunction is a no-op; one of them was |
| # probably meant to be a different __FILL_THIS_FORM_* subrule - check the |
| # original intent before simplifying. |
| meta __FORM_LOW_CONTRAST (__FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_SHORT2) && __HTML_FONT_LOW_CONTRAST_MINFP |
| meta FORM_LOW_CONTRAST __FORM_LOW_CONTRAST && !__BUGGED_IMG && !__HAS_REPLY_TO && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__MSGID_JAVAMAIL |
| describe FORM_LOW_CONTRAST Fill in a form with hidden text |
| score FORM_LOW_CONTRAST 2.500 # Limit |
| tflags FORM_LOW_CONTRAST publish |
| |
| |
| # try to FP-reduce HTML_FONT_LOW_CONTRAST |
| # Shared "minimum false positive" wrapper: the stock HTML_FONT_LOW_CONTRAST |
| # rule gated by the header/relay exclusions used throughout this file.  Used |
| # by UPGRADE_MAILBOX, FORM_LOW_CONTRAST and STOCK_LOW_CONTRAST. |
| meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__VIA_ML && !__RP_MATCHES_RCVD && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN && !__DKIM_EXISTS && !__SENDER_BOT |
| |
| # some no-ham combinations |
| # Hidden text paired with one other spam sign each.  Note these use the raw |
| # HTML_FONT_LOW_CONTRAST, not the _MINFP wrapper, except STOCK_LOW_CONTRAST. |
| meta GAPPY_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __GAPPY_SUBJECT |
| describe GAPPY_LOW_CONTRAST Gappy subject + hidden text |
| score GAPPY_LOW_CONTRAST 2.500 # limit |
| |
| # No describe line for this rule. |
| meta URI_ONLY_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __BODY_URI_ONLY |
| score URI_ONLY_LOW_CONTRAST 2.500 # limit |
| |
| meta SUBJ_OBFU_LOW_CNTRST (HTML_FONT_LOW_CONTRAST && __SUBJ_OBFU_PUNCT) && !ALL_TRUSTED && !__NOT_A_PERSON && !__THREADED |
| describe SUBJ_OBFU_LOW_CNTRST Subject obfuscation + hidden text |
| score SUBJ_OBFU_LOW_CNTRST 2.500 # limit |
| |
| meta URI_DOTDOT_LOW_CNTRST HTML_FONT_LOW_CONTRAST && __URI_DOM_DOTDOT |
| describe URI_DOTDOT_LOW_CNTRST Suspicious URI + hidden text |
| score URI_DOTDOT_LOW_CNTRST 2.500 # limit |
| |
| meta STOCK_LOW_CONTRAST (__HTML_FONT_LOW_CONTRAST_MINFP && __FB_S_STOCK) && !__BUGGED_IMG |
| describe STOCK_LOW_CONTRAST Stocks + hidden text |
| score STOCK_LOW_CONTRAST 2.500 # limit |
| tflags STOCK_LOW_CONTRAST publish |
| |
| # Host part containing a doubled dot ("example..com"), used by |
| # URI_DOTDOT_LOW_CNTRST above. |
| uri __URI_DOM_DOTDOT m,://[^/]+\.\., |
| |
| # __FOUND_YOU is defined elsewhere; this adds the reply/threading and |
| # signature exclusions.  The score line precedes describe here, which is |
| # harmless in SpamAssassin config. |
| meta FOUND_YOU __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO |
| score FOUND_YOU 3.25 # limit |
| describe FOUND_YOU I found you... |
| tflags FOUND_YOU publish |
| |
| |
| #rawbody __HTML_FONT_ONE_WORD_01 />\s{0,5}\S{1,15}\s{0,5}<\/font>/i |
| #tflags __HTML_FONT_ONE_WORD_01 multiple maxhits=26 |
| #meta HTML_FONT_ONE_WORD_MANY __HTML_FONT_ONE_WORD_01 > 25 |
| #describe HTML_FONT_ONE_WORD_MANY Many one-word font changes |
| #score HTML_FONT_ONE_WORD_MANY 0.50 # limit (initial) |
| |
| |
| #body __ADMITS_CANSPAM /\bThis is a CANSPAM ACT compliant advertising broadcast\b/i |
| #body __ADMITS_CANSPAM /\bThis is a CANSPAM ACT compliant\b/i |
| #meta ADMITS_CANSPAM __ADMITS_CANSPAM && !__VIA_ML |
| #describe ADMITS_CANSPAM Admits to being spam |
| |
| # "this is an advertisement" and obfuscated variants ([a@]dvert[i1l]sement, |
| # hyphen/space runs between words).  __TO___LOWER is the lowercase-header |
| # subrule defined further down.  No score line: default 1.0 applies. |
| body __ADMITS_SPAM /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:email[- ]+)?[a@]dvert[i1l]sement\b/i |
| meta ADMITS_SPAM __ADMITS_SPAM && !__TO___LOWER && !__MSOE_MID_WRONG_CASE && !__RP_MATCHES_RCVD |
| describe ADMITS_SPAM Admits this is an ad |
| |
| #body __OBFU_ADVERT /\badvert[1l]sement\b/i |
| #meta OBFU_ADVERT __OBFU_ADVERT |
| #describe OBFU_ADVERT Misspelled "advertisement" |
| #tflags OBFU_ADVERT publish |
| |
| |
| #body __SEO_REGISTER /\bsearch engine (?:registration|subscription|submission)\b/i |
| #tflags __SEO_REGISTER multiple maxhits=5 |
| #meta SEO_REGISTER __SEO_REGISTER > 4 |
| #score SEO_REGISTER 2.50 # limit |
| |
| |
| #uri REMOVE_YEAHNET /imremove\@yeah\.net/i |
| #describe REMOVE_YEAHNET Opt-out address used by CN spammers |
| |
| |
| # From: display name starting with the Spanish title "Lic." (case-sensitive), |
| # a .info sender domain, and the Spanish unsubscribe text from above. |
| # No score line: default 1.0 applies. |
| header __FROM_LIC From:name =~ /^Lic\./ |
| header __FROM_DOM_INFO From:addr =~ /\.info$/i |
| meta ES_LIC_FROM_INFO __FROM_LIC && __FROM_DOM_INFO && __UNSUBSCRIBE_ES |
| describe ES_LIC_FROM_INFO Spanish-language spam from .info domain |
| |
| |
| # S/MIME message, used above to exempt signed/encrypted mail from the |
| # empty-body rules.  NOTE(review): the trailing ";" requires a parameter |
| # after the media type; a bare "application/pkcs7-mime" would not match. |
| header __SMIME_MESSAGE Content-Type =~ /application\/pkcs7-mime;/i |
| |
| |
| #uri __JIMDO_PHISH /(?:microsoft|outlook|access|helpdesk|upd?ates|newaccount)\w+\.jimdo\.com/i |
| # Generic "click here"; its only visible consumer (JIMDO_PHISH) is commented out. |
| body __CLICK_HERE /\bclick\shere\b/i |
| |
| #meta JIMDO_PHISH __JIMDO_PHISH && __CLICK_HERE |
| #describe JIMDO_PHISH Apparent phishing via webform hosted at jimdo.com |
| #score JIMDO_PHISH 3.00 # limit |
| |
| # Travel-industry vocabulary; __TRAVEL_MANY is true when at least three of |
| # the four phrases appear.  Not scored here. |
| body __TRAVEL_PROFILE /\btravel+er\sprofile\b/i |
| body __TRAVEL_RESERV /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i |
| body __TRAVEL_BUSINESS /\bbusiness\stravel\b/i |
| body __TRAVEL_AGENT /\btravel\sagen(?:t|cy)\b/i |
| meta __TRAVEL_MANY (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2 |
| |
| # Link into a WordPress admin path with at least one further component. |
| # No score line: default 1.0 applies. |
| uri __URI_WPADMIN m,/wp-admin/\w+/,i |
| meta URI_WPADMIN __URI_WPADMIN |
| describe URI_WPADMIN WordPress login/admin URI, possible phishing |
| tflags URI_WPADMIN publish |
| |
| # Script or HTML file served from WordPress content/include directories, |
| # typical of a compromised install.  The _L ("loose") variants accept any |
| # 3-letter extension other than the listed image/font/pdf ones, or any |
| # 4-letter extension other than jpeg; they are defined here but not used by |
| # URI_WP_HACKED. |
| uri __URI_WPCONTENT m,/wp-content/.*\.(?:php|html?)\b,i |
| uri __URI_WPCONTENT_L m,/wp-content/.*\.(?:(?!gif|jpg|png|bmp|ico|eot|pdf)[a-z]{3}|(?!jpeg)[a-z]{4})\b,i |
| uri __URI_WPINCLUDES m,/wp-includes/.*\.(?:php|html?)\b,i |
| uri __URI_WPINCLUDES_L m,/wp-includes/.*\.(?:(?!gif|jpg|png|bmp|ico|eot|pdf)[a-z]{3}|(?!jpeg)[a-z]{4})\b,i |
| #uri __URI_WP_WHITELIST m,/wp-content/plugins/civicrm/,i |
| meta URI_WP_HACKED (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED |
| describe URI_WP_HACKED URI for compromised WordPress site, possible malware |
| score URI_WP_HACKED 3.000 # limit |
| tflags URI_WP_HACKED publish |
| |
| # Link to a bare directory (trailing slash) under wp-content or wp-includes, |
| # i.e. a directory listing rather than a file. |
| uri __URI_WPDIRINDEX m,/wp-(?:content|includes)/.*/$,i |
| meta URI_WP_DIRINDEX __URI_WPDIRINDEX |
| describe URI_WP_DIRINDEX URI for compromised WordPress site, possible malware |
| score URI_WP_DIRINDEX 3.000 # limit |
| tflags URI_WP_DIRINDEX publish |
| |
| # this has some overlap with URI_WP_HACKED |
| # Paths under common CMS plugin/theme/include directories whose last four |
| # characters are not one of the listed image or pdf extensions.  The "&& |
| # !URI_WP_HACKED" keeps the two rules from stacking on the same message. |
| uri __PS_TEST_LOC_WP m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,64}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf).{4}$;i |
| meta URI_WP_HACKED_2 (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__TO_EQ_FROM && !__THREADED |
| describe URI_WP_HACKED_2 URI for compromised WordPress site, possible malware |
| score URI_WP_HACKED_2 2.000 # limit |
| tflags URI_WP_HACKED_2 publish |
| |
| |
| # subrules migrated from 00_FVGT_File001.cf |
| |
| # Lower-case header field names in the raw header block (the ALL pseudo- |
| # header, matched case-sensitively).  __FROM_LOWER and __TO___LOWER are used |
| # as FP-avoidance terms above; the other two are for use elsewhere. |
| # NOTE(review): the patterns are unanchored, so e.g. "from: " inside another |
| # header's value would also count - confirm that is acceptable. |
| header __SUBJ_LOWER ALL =~ /subject:\s\S{5}/ |
| header __FROM_LOWER ALL =~ /from:\s\S{5}/ |
| header __TO___LOWER ALL =~ /to:\s\S{5}/ |
| header __DATE_LOWER ALL =~ /date:\s\S{5}/ |
| |
| |
| # duplicates __XPRIO |
| #header __FH_HAS_XPRIORITY exists:X-Priority |
| # __XPRIO (defined elsewhere) with the usual header/relay exclusions. |
| meta __XPRIO_MINFP __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__THREADED && !__RP_MATCHES_RCVD && !__LONGLINE && !__MAIL_LINK && !__RCD_RDNS_SMTP && !__PDF_ATTACH && !__USING_VERP1 && !__HAS_DOMAINKEY_SIG && !__LIST_PARTIAL |
| |
| # With the DKIM plugin loaded, XPRIO additionally excludes DKIM-signed / |
| # DKIM-valid mail and RCVD_IN_DNSWL_NONE, and - only if the SPF plugin is |
| # also loaded - SPF_PASS; the inner else pairs with the SPF ifplugin. |
| # Without DKIM the rule is just __XPRIO_MINFP and is not flagged "net". |
| ifplugin Mail::SpamAssassin::Plugin::DKIM |
| ifplugin Mail::SpamAssassin::Plugin::SPF |
| meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS |
| else |
| meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE |
| endif |
| tflags XPRIO net |
| score XPRIO 2.000 # limit |
| else |
| meta XPRIO __XPRIO_MINFP |
| score XPRIO 2.000 # limit |
| endif |
| describe XPRIO Has X-Priority header |
| # NOTE(review): "tflags XPRIO net" above and "tflags XPRIO publish" here are |
| # separate lines - confirm they accumulate rather than the later one |
| # replacing the earlier. |
| tflags XPRIO publish |
| |
| # some no-ham combinations |
| |
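| # X-Priority header plus a short Subject (__SUBJ_SHORT defined elsewhere). |
| # Now uses the __LCL__ENV_AND_HDR_FROM_MATCH shim from the top of this file, |
| # as the other rules here do, instead of referencing the HeaderEval rule |
| # directly; the result is identical when that plugin is loaded and the meta |
| # stays defined when it is not. |
| meta __XPRIO_SHORT_SUBJ __XPRIO && __SUBJ_SHORT |
| meta XPRIO_SHORT_SUBJ __XPRIO_SHORT_SUBJ && !__HAS_ANY_URI && !__TO_NO_ARROWS_R && !__LCL__ENV_AND_HDR_FROM_MATCH && !__VISTA_MSGID |
| describe XPRIO_SHORT_SUBJ Has X-Priority header + short subject |
| score XPRIO_SHORT_SUBJ 2.500 # limit |
| tflags XPRIO_SHORT_SUBJ publish |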
| |
| # X-Priority plus a malformed From: (__FROM_MISSPACED defined elsewhere). |
| meta FROM_MISSP_XPRIO __XPRIO && __FROM_MISSPACED |
| describe FROM_MISSP_XPRIO Misspaced FROM + X-Priority |
| score FROM_MISSP_XPRIO 2.500 # limit |
| |
| # X-Priority from a host with static-looking rDNS and an X-MimeOLE header |
| # (__RDNS_STATIC and __HAS_MIMEOLE defined elsewhere). |
| meta __STATIC_XPRIO_OLE __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE |
| meta STATIC_XPRIO_OLE __STATIC_XPRIO_OLE |
| describe STATIC_XPRIO_OLE Static RDNS + X-Priority + MIMEOLE |
| score STATIC_XPRIO_OLE 2.000 # limit |
| tflags STATIC_XPRIO_OLE publish |
| |
| # Apparent good performance is an artifact of certain corpora's collection mechanism |
| #meta XPRIO_RPATH_NULL (__XPRIO && __BOUNCE_RPATH_NULL) && !__HAS_ERRORS_TO && !__VIA_ML && !ANY_BOUNCE_MESSAGE && !__HAS_ORGANIZATION && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED |
| #score XPRIO_RPATH_NULL 2.500 # limit |
| # |
| #meta TO_EQ_FM_NN_RPATH_NULL (__TO_EQ_FROM_USR_NN && __BOUNCE_RPATH_NULL) && !__TO_EQ_FROM_USR |
| #score TO_EQ_FM_NN_RPATH_NULL 2.000 # limit |
| #tflags TO_EQ_FM_NN_RPATH_NULL publish |
| |
| |
| # Simple header/word-presence subrules.  Most are used as FP-avoidance terms |
| # above (__NUMBERS_IN_SUBJ, __CAN_HELP and __FB_COST in URI_PHISH; |
| # __FB_S_STOCK in STOCK_LOW_CONTRAST); the rest are for use elsewhere. |
| header __FS_SUBJ_RE Subject =~ /^Re: / |
| header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/ |
| |
| body __CAN_HELP /\bcan help\b/i |
| body __FB_COST /\bcost\b/i |
| body __FB_NATIONAL /national/i |
| body __FB_NUM_PERCNT /\d\s?\%/ |
| body __FB_S_STOCK /\bstock/i |
| body __FB_TOUR /\btour/i |
| body __SURVEY /\bsurvey\b/i |
| |
| # "price" with a doubled i or one stray letter before the final e. |
| body __FB_S_PRICE /pri{1,2}c[a-z]?e/i |
| |
| # Obfuscated "price" via ReplaceTags (the <P><R><IX><C><E> character-class |
| # tags and the <inter>/<post> modifiers are defined elsewhere - verify). |
| # The else branch pins __FRT_PRICE to 0 so __FM_MY_PRICE is always defined. |
| ifplugin Mail::SpamAssassin::Plugin::ReplaceTags |
| body __FRT_PRICE /<inter SP2><post P2>\b(?!price)<P><R><IX><C><E>\b/i |
| replace_rules __FRT_PRICE |
| |
| meta __FM_MY_PRICE (__FB_S_PRICE || __FRT_PRICE) |
| else |
| meta __FRT_PRICE 0 |
| meta __FM_MY_PRICE __FB_S_PRICE |
| endif |
| |
| # Exactly N whitespace characters between two alphanumeric runs in the raw |
| # body (the surrounding [a-z0-9] classes bound the run).  Not scored here. |
| rawbody __FR_SPACING_8 /[a-z0-9]{6}\s{8}[a-z0-9]{5}/i |
| rawbody __FR_SPACING_9 /[a-z0-9]{6}\s{9}[a-z0-9]{5}/i |
| rawbody __FR_SPACING_15 /[a-z0-9]{6}\s{15}[a-z0-9]{5}/i |
| rawbody __FR_SPACING_17 /[a-z0-9]{6}\s{17}[a-z0-9]{5}/i |
| rawbody __FR_SPACING_22 /[a-z0-9]{6}\s{22}[a-z0-9]{5}/i |
| |
| |
| # per users mailing list question from Joe Quinn |
| #body __HEXHASHWORD_S /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{18})[0-9a-f]{18}/ |
| #tflags __HEXHASHWORD_S multiple maxhits=4 |
| # "word <hex-ish token> word": a 10-64 char run of hex digits and hyphens |
| # between two short words, with lookaheads rejecting plain words, short |
| # hyphenated numbers, 10-digit numbers and doubled hyphens.  Counted up to 4. |
| body __HEXHASHWORD_S2EU /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}(?!-?\d{1,5}-)(?!\d{10}\s)(?:(?!--)[-0-9a-f]){10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/ |
| tflags __HEXHASHWORD_S2EU multiple maxhits=4 |
| #body __HEXHASHWORD_S2E /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}[0-9a-f]{10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/ |
| #tflags __HEXHASHWORD_S2E multiple maxhits=4 |
| #body __HEXHASHWORD_S2 /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[0-9a-f]{10,64}\s[A-Z]?[a-z]{1,15}\b/ |
| #tflags __HEXHASHWORD_S2 multiple maxhits=4 |
| #body __HEXHASHWORD /\s[A-Z]?[a-z]{1,15}\s[0-9a-f]{30}/ |
| #tflags __HEXHASHWORD multiple maxhits=4 |
| # Count thresholds; __HEXHASH_2 is the same test HEXHASH_WORD repeats inline. |
| # __HEXHASH_5 stays commented out: with maxhits=4 a count above 4 cannot occur. |
| meta __HEXHASH_2 __HEXHASHWORD_S2EU > 1 |
| meta __HEXHASH_3 __HEXHASHWORD_S2EU > 2 |
| meta __HEXHASH_4 __HEXHASHWORD_S2EU > 3 |
| #meta __HEXHASH_5 __HEXHASHWORD_S2EU > 4 |
| meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__LCL__ENV_AND_HDR_FROM_MATCH && !__LYRIS_EZLM_REMAILER && !__THREADED && !__HDRS_LCASE && !__MSGID_HEXISH && !__RDNS_SHORT |
| describe HEXHASH_WORD Multiple instances of word + hexadecimal hash |
| score HEXHASH_WORD 3.000 # limit |
| tflags HEXHASH_WORD publish |
| |
| # from users list spample provided by Larry Starr |
| # "word VERYLONGGIBBERISH word": a run of 16+ capitals between two ordinary |
| # words.  Counted up to 2, so "> 1" below means both hits occurred; the |
| # commented-out higher thresholds could never be reached with maxhits=2. |
| body __UC_GIBB_OBFU /\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/ |
| tflags __UC_GIBB_OBFU multiple maxhits=2 |
| #meta __UC_GIBB_2 __UC_GIBB_OBFU > 1 |
| #meta __UC_GIBB_3 __UC_GIBB_OBFU > 2 |
| #meta __UC_GIBB_4 __UC_GIBB_OBFU > 3 |
| #meta __UC_GIBB_5 __UC_GIBB_OBFU > 4 |
| #meta __UC_GIBB_6 __UC_GIBB_OBFU > 5 |
| #meta __UC_GIBB_7 __UC_GIBB_OBFU > 6 |
| meta UC_GIBBERISH_OBFU (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED |
| describe UC_GIBBERISH_OBFU Multiple instances of "word VERYLONGGIBBERISH word" |
| score UC_GIBBERISH_OBFU 3.000 # Limit |
| tflags UC_GIBBERISH_OBFU publish |
| |
| |
| #body __B2B_HELP /\bhelp(?:ing)? (?:businesses like yours|your business)\b/i |
| #body __YOUR_BIZ /\bbusiness(?:es) like yours|(?<!of )your b(?:usiness|rand)\b/i |
| |
| |
| # will be removed with immediate effect from any further mailing list |
| # wish to receive information from us in the future |
| # This-link http://www.nowyehue.com/bon/dds/ will end messages. |
| # stop receiving these emails |
| # Unsubscribe me from this list |
| # We are not promoting any kind of SPAM. |
| # recieve any kind promotional email form us |
| # To stop receiving these emails |
| # exclude yourself from further ad-messages |
| # removal options |
| # Stop PSA alert |
| |
| #body __UNSUB_PSA /\bstop PSA alert\b/i |
| |
| #body __UNSUB_EXCL /\bexclude yourself from further ad\b/i |
| #meta UNSUB_EXCL __UNSUB_EXCL |
| #score UNSUB_EXCL 2.000 # limit |
| |
| #body __UNSUB_OPT /\bremoval options?\b/i |
| #meta UNSUB_OPT __UNSUB_OPT |
| #score UNSUB_OPT 2.000 # limit |
| |
| # True when the trusted-relays pseudo-header contains no "ip=" entry at all, |
| # i.e. no trusted relay was recorded.  Not scored here. |
| header __NO_TRUSTED_RELAY X-Spam-Relays-Trusted !~ /ip=/i |
| |
| #body CANT_SEE_AD /\b(?:can(?:no|')?t|(?:aren'?t |not |un)able to) (?:view|read|see|scan|witness|consider|look at|participate in|take in|(?:make|check|scope) out|eye|scrutinize|watch|display|observe) (?:our|this|the) (?:commercial[-. ]|ad(?:v[-.]?ert[i1l]se-?ment)? |images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?images)\b/i |
| # "Can't see this ad? click here" boilerplate.  _1 is the obfuscation-tolerant |
| # rewrite of the commented-out CANT_SEE_AD above (punctuation runs between |
| # words, up to two filler words before our/this/the); _2 is the |
| # "problem viewing ... please click" variant. |
| body __CANT_SEE_AD_1 /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i |
| body __CANT_SEE_AD_2 /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i |
| meta CANT_SEE_AD __CANT_SEE_AD_1 || __CANT_SEE_AD_2 |
| describe CANT_SEE_AD You really want to see our spam. |
| score CANT_SEE_AD 3.000 # limit |
| tflags CANT_SEE_AD publish |
| |
| # A path segment of 128 or more lowercase hex digits (case-sensitive). |
| uri __128_HEX_URI m,/[0-9a-f]{128}, |
| #tflags __128_HEX_URI multiple maxhits=2 |
| #uri __192_HEX_URI m,/[0-9a-f]{192}, |
| #uri __256_HEX_URI m,/[0-9a-f]{256}, |
| #uri __384_HEX_URI m,/[0-9a-f]{384}, |
| #meta __128_HEX_URI_SGL __128_HEX_URI == 1 |
| #meta __128_HEX_URI_MLT __128_HEX_URI > 1 |
| # Skipped for very short bodies via the __LCL__KAM_BODY_LENGTH_LT_1024 shim |
| # defined at the top of this file (0 when the BodyEval check is unavailable). |
| meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024 |
| describe LONG_HEX_URI Very long purely hexadecimal URI |
| score LONG_HEX_URI 3.000 # limit |
| tflags LONG_HEX_URI publish |
| |
| # Long opaque path components, in tiers: 128+ lowercase letters |
| # (case-sensitive), 128+ alphanumerics, 64+ word chars, 45+ alphanumerics. |
| # _URI variants require the run to end the URI; _IMG variants require it to |
| # be a directory followed by an image file name. |
| uri __128_LC_URI m;[/?][a-z]{128,}$; |
| uri __128_LC_IMG m;/[a-z]{128,}/\w+\.(?:png|gif|jpe?g)$; |
| uri __128_ALNUM_URI m;[/?][0-9a-z]{128,}$;i |
| uri __128_ALNUM_IMG m;/[0-9a-z]{128,}/\w+\.(?:png|gif|jpe?g)$;i |
| uri __64_ANY_URI m;[/?]\w{64,}$;i |
| uri __64_ANY_IMG m;/\w{64,}/\w+\.(?:png|gif|jpe?g)$;i |
| uri __45_ALNUM_URI m;[/?][0-9a-z]{45,}$;i |
| uri __45_ALNUM_IMG m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g)$;i |
| # The _O ("only") metas make the tiers disjoint by excluding every stricter |
| # tier; none of these metas is used by the scored rule below, which tests |
| # __45_ALNUM_IMG directly.  They are defined for use elsewhere. |
| meta __128_LC_URI_IMG __128_LC_URI && __128_LC_IMG |
| meta __128_ALNUM_URI_O __128_ALNUM_URI && !__128_LC_URI |
| meta __128_ALNUM_IMG_O __128_ALNUM_IMG && !__128_LC_IMG |
| meta __128_ALNUM_URI_IMG __128_ALNUM_URI_O && __128_ALNUM_IMG_O |
| meta __64_ANY_URI_O __64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI |
| meta __64_ANY_IMG_O __64_ANY_IMG && !__128_ALNUM_IMG && !__128_LC_IMG |
| meta __64_ALNUM_URI_IMG __64_ANY_URI_O && __64_ANY_IMG_O |
| meta __45_ALNUM_URI_O __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI |
| meta __45_ALNUM_IMG_O __45_ALNUM_IMG && !__64_ANY_IMG && !__128_ALNUM_IMG && !__128_LC_IMG |
| meta __45_ALNUM_URI_IMG __45_ALNUM_URI_O && __45_ALNUM_IMG_O |
| |
| # Image with a 45+ character alphanumeric directory component (tracking pixel?). |
| meta LONG_IMG_URI __45_ALNUM_IMG && !ALL_TRUSTED && !__HAS_ERRORS_TO |
| describe LONG_IMG_URI Image URI with very long path component - web bug? |
| score LONG_IMG_URI 3.000 # limit |
| tflags LONG_IMG_URI publish |
| |
| |
| # Inline CSS positioning an element hundreds to billions of pixels off the |
| # top or left edge (3-9 digit negative offset) - text hidden from the reader. |
| rawbody __HTML_OFF_PAGE /;(?:top|left):-\d{3,9}px;/i |
| meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS |
| describe HTML_OFF_PAGE HTML element rendered well off the displayed page |
| score HTML_OFF_PAGE 2.000 # limit |
| tflags HTML_OFF_PAGE publish |
| |
| |
| body __PUMPDUMP_01 /\b(?:times|multiply|tripl(?:e|ing)|quadrupl(?:e|ing)|quintupl(?:e|ing)) (?:your|an) (?:princip(?:al|le)|investment)\b/i |
| body __PUMPDUMP_02 /\b(?:sto[ck]{2}|share price) (?:will |may |is (?:(?:about|poised|positioned|ready) to |gonna ))?(?:triple|quadruple|quintuple|soar|go(?:es?) (?:nuts|crazy|sky high|way up))\b/i |
| body __PUMPDUMP_03 /\bbuy (?:[^.!]{1,30} )?(?:(?:(?:mon|tues|wednes|thurs|fri)day|tomorrow) (?:first thing|open|morning)|(?:first thing|opens|before) (?:(?:mon|tues|wednes|thurs|fri)day|tomorrow))/i |
| body __PUMPDUMP_04 /\bmake you (?:big bucks|hundreds|thousands)\b/i |
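| # Pump-and-dump stock scam phrases.  __PUMPDUMP_01..04 are defined above
| # this section; 05..10 are below.  Each is a body subrule; the __PD_CNT_*
| # and PUMPDUMP* metas count how many distinct phrases matched.
| body __PUMPDUMP_05 /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i
| body __PUMPDUMP_06 /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i
| body __PUMPDUMP_07 /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i
| # Fixed: this was /\b?(:sto[ck]{2}|sotk) of the year/i.  "(:" opens a
| # *capturing* group whose first character is a literal colon (not a "(?:"
| # non-capturing group), so the old pattern could only match ":stock of the
| # year"; "\b?" was also a quantified zero-width assertion that made the
| # word boundary optional.  The rule now matches the intended phrase.
| # sto[ck]{2} catches "stock" plus letter-swap typos; "sotk" is a known one.
| body __PUMPDUMP_08 /\b(?:sto[ck]{2}|sotk) of the year/i
| body __PUMPDUMP_09 /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i
| body __PUMPDUMP_10 /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i
| # __PD_CNT_N fires when at least N of the ten phrases matched.
| meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0
| meta __PD_CNT_2 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
| meta __PD_CNT_3 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 2
| meta __PD_CNT_4 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 3
| meta __PD_CNT_5 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 4
| meta __PD_CNT_6 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 5
| meta __PD_CNT_7 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 6
| # PUMPDUMP fires on exactly one phrase: any phrase hit, but not
| # PUMPDUMP_MULTI (two or more).  The two rules are mutually exclusive.
| meta PUMPDUMP (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI
| describe PUMPDUMP Pump-and-dump stock scam phrase
| score PUMPDUMP 1.000 # limit
| tflags PUMPDUMP publish
| # Same expression as __PD_CNT_2; kept as a separate scored rule.
| meta PUMPDUMP_MULTI (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
| describe PUMPDUMP_MULTI Pump-and-dump stock scam phrases
| score PUMPDUMP_MULTI 3.500 # limit
| tflags PUMPDUMP_MULTI publish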
| |
| # "stock tip" (sto[ck]{2} also catches letter-swap typos); STOCK_TIP is
| # suppressed when the message carries a DKIM signature (__DKIM_EXISTS).
| body __STOCK_TIP /\bsto[ck]{2}\s?tip\b/i
| meta STOCK_TIP __STOCK_TIP && !__DKIM_EXISTS
| describe STOCK_TIP Stock tips
| score STOCK_TIP 3.000 # limit
| tflags STOCK_TIP publish
| 
| # Stock tip plus at least one pump-and-dump phrase (__PD_CNT_1, above).
| # No score line in this section, so the default rule score applies.
| meta PUMPDUMP_TIP __PD_CNT_1 && __STOCK_TIP
| describe PUMPDUMP_TIP Pump-and-dump stock tip
| tflags PUMPDUMP_TIP publish
| |
| |
| #body DR_OZ_OBFU /\bD(?:r\.|oc(?:tor)?) ?0z\b/i |
| #describe DR_OZ_OBFU Obfuscated Doctor Oz |
| # |
| #body DOC_OZ /\b(?:doc oz|Dr\.?Oz)\b/ |
| #describe DOC_OZ Doctor Oz |
| |
| |
| # "admail", "ad-mail", "ad-message(s)"; an underscore is accepted as a
| # word delimiter on either side.  ADMAIL is suppressed by a DKIM signature
| # and by __COMMENT_EXISTS (presumably an HTML comment in the body).
| body __ADMAIL /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i
| meta ADMAIL __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS
| describe ADMAIL "admail" and variants
| tflags ADMAIL publish
| 
| # Literal product phrase, scored directly (no meta, no FP exclusions).
| body ORS /\bOn-?line Rate Saver\b/i
| describe ORS "Online Rate Saver"
| |
| |
| # subrule version of MMartinec CR_IN_SUBJ
| # Raw (undecoded) Subject: containing a bare carriage return (octal 015).
| # Used below as an FP guard in THIS_AD.
| header __CR_IN_SUBJ Subject:raw =~ /\015/
| |
| |
| # "this ad" / "this advertisement" / "this promotion", with 1 or l
| # substituted for i; separators may be space, dash or underscore.
| body __THIS_AD /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i
| # FP guards: Mozilla message-id, QP-encoded From:, CR in Subject:,
| # Return-Path domain matching a Received: host.
| meta THIS_AD __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD
| describe THIS_AD "This ad" and variants
| tflags THIS_AD publish
| 
| # "advertising preferences", "marketing settings", etc., with the same
| # 1/l-for-i substitutions.  Scored directly, so no FP exclusions apply.
| body AD_PREFS /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i
| describe AD_PREFS Advertising preferences
| tflags AD_PREFS publish
| |
| #body OPT_OUT /\bOpt-Out Here\b/i |
| #score OPT_OUT 2.000 |
| |
| # Opt-out hostnames shaped like "quit123.<domain>.us": an unsubscribe-ish
| # first label, optional digits, then any domain under an unusual TLD.
| # Note [^/]+ is greedy and may span several labels before the TLD.
| uri URI_OPTOUT_USME m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i
| describe URI_OPTOUT_USME Opt-out URI, unusual TLD
| tflags URI_OPTOUT_USME publish
| 
| # Same host shape under .com/.net ("3LD": presumably because the verb is
| # the third-level label).
| uri URI_OPTOUT_3LD m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i
| describe URI_OPTOUT_3LD Opt-out URI, suspicious hostname
| score URI_OPTOUT_3LD 2.000 # limit
| tflags URI_OPTOUT_3LD publish
| 
| # "try"/"get"/"join"... first label under unusual TLDs; the label may
| # continue with any non-dot chars.  Only fires without a DKIM signature.
| uri __URI_TRY_USME m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i
| meta URI_TRY_USME __URI_TRY_USME && !__DKIM_EXISTS
| describe URI_TRY_USME "Try it" URI, unusual TLD
| tflags URI_TRY_USME publish
| 
| # .com/.net variant.  Negative lookaheads skip common legitimate labels
| # (checkout, visitor, mysub...); "my" must be followed by a word char.
| uri URI_TRY_3LD m,^https?://(?:try|start|get|save|check(?!out)|act|compare|join|learn|request|visit(?!or)|my(?!sub)\w)[^.]*\.[^/]+\.(?:com|net)\b,i
| describe URI_TRY_3LD "Try it" URI, suspicious hostname
| score URI_TRY_3LD 2.000 # limit
| tflags URI_TRY_3LD publish
| |
| |
| |
| ## REFINE THIS |
| #body __INCOMING_FAX /\bincoming fax\b/i |
| #body __BANK /\bbank\b/i |
| #body __ACCT_STMT /\bac(?:count|tivity) statement\b/i |
| #uri __URI_DROPBOX m,[/.]dropbox\.com\/,i |
| #meta DROPBOX_MALW (__INCOMING_FAX || (__BANK && __ACCT_STMT)) && __URI_DROPBOX && !ALL_TRUSTED |
| #describe DROPBOX_MALW Spoofed FAX or bank statement with Dropbox link: PROBABLE MALWARE |
| #score DROPBOX_MALW 10.00 |
| |
| |
| # Obfuscated keywords via ReplaceTags.  Each <X> tag is expanded by
| # replace_rules into the look-alike character class for letter X (the
| # replace_tag definitions live outside this section).  The (?!...)
| # lookahead right after the first letter excludes the plain, correctly
| # spelled word, so only obfuscated spellings score.
| ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
| body FUZZY_UNSUBSCRIBE /<U>(?!nsubscribe)<N><S><U><B><S><C><R><I><B><E>/i
| replace_rules FUZZY_UNSUBSCRIBE
| describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe"
| tflags FUZZY_UNSUBSCRIBE publish
| 
| body FUZZY_ANDROID /<A>(?!ndroid)<N><D><R><O><I><D>/i
| replace_rules FUZZY_ANDROID
| describe FUZZY_ANDROID Obfuscated "android"
| tflags FUZZY_ANDROID publish
| 
| body FUZZY_PROMOTION /<P>(?!romotion)<R><O><M><O><T><I><O><N>/i
| replace_rules FUZZY_PROMOTION
| describe FUZZY_PROMOTION Obfuscated "promotion"
| tflags FUZZY_PROMOTION publish
| 
| body FUZZY_PRIVACY /<P>(?!rivacy)<R><I><V><A><C><Y>/i
| replace_rules FUZZY_PRIVACY
| describe FUZZY_PRIVACY Obfuscated "privacy"
| tflags FUZZY_PRIVACY publish
| 
| body FUZZY_BROWSER /<B>(?!rowser)<R><O><W><S><E><R>/i
| replace_rules FUZZY_BROWSER
| describe FUZZY_BROWSER Obfuscated "browser"
| tflags FUZZY_BROWSER publish
| 
| body FUZZY_SAVINGS /<S>(?!avings)<A><V><I><N><G><S>/i
| replace_rules FUZZY_SAVINGS
| describe FUZZY_SAVINGS Obfuscated "savings"
| tflags FUZZY_SAVINGS publish
| 
| body FUZZY_IMPORTANT /<I>(?!mportant)<M><P><O><R><T><A><N><T>/i
| replace_rules FUZZY_IMPORTANT
| describe FUZZY_IMPORTANT Obfuscated "important"
| tflags FUZZY_IMPORTANT publish
| 
| # Also covers Spanish "seguridad"; both plain spellings are excluded.
| body FUZZY_SECURITY /<S>(?!ecurity)(?!eguridad)<E>(?:<C>|<G>)<U><R><I>(?:<T><Y>|<D><A><D>)/i
| replace_rules FUZZY_SECURITY
| describe FUZZY_SECURITY Obfuscated "security"
| tflags FUZZY_SECURITY publish
| 
| # "Dr Oz" / "Doc Oz" / "Doctor Oz" with look-alike letters.  The inner
| # (?-i:...) lookahead is case-sensitive so the properly cased forms are
| # excluded; note "r." there is an unescaped dot (any character after r).
| # Wrapped in a meta with mailing-list, DKIM and Return-Path FP guards.
| body __FUZZY_DR_OZ /\bD(?!(?-i:(?:r.|octor)(?:\s| )Oz))(?:<R>|<O><C>(?:<T><O><R>)?)\.?<WS>*<O><Z>(?:$|\W)/i
| replace_rules __FUZZY_DR_OZ
| meta FUZZY_DR_OZ __FUZZY_DR_OZ && !__VIA_ML && !__DKIM_EXISTS && !__RP_MATCHES_RCVD
| describe FUZZY_DR_OZ Obfuscated Doctor Oz
| tflags FUZZY_DR_OZ publish
| 
| # <WS> (whitespace look-alikes) may appear between every letter; at least
| # one is required between "click" and "here".
| body FUZZY_CLICK_HERE /<C>(?!lick(?:\s| )here)<WS>*<L><WS>*<I><WS>*<C><WS>*<K><WS>+<H><WS>*<E><WS>*<R><WS>*<E>/i
| replace_rules FUZZY_CLICK_HERE
| describe FUZZY_CLICK_HERE Obfuscated "click here"
| tflags FUZZY_CLICK_HERE publish
| 
| endif
| |
| |
| #body NUM_FREE /\b\d+free/i |
| #describe NUM_FREE Number + free |
| |
| # seen in spam (malware?) 07/2014 |
| #header __DATE_SPACEY ALL =~ /\nDate:\s{8}/ism |
| |
| #uri __FSL_LINK_AWS_S3_WEB_LOOSE m,^https?://(?:[^./]+\.)*s3[^./]+\.amazonaws\.com,i |
| |
| |
| # Unsubscribe URI whose host is a bare dotted-quad IP address.
| uri URI_DQ_UNSUB m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i
| describe URI_DQ_UNSUB IP-address unsubscribe URI
| tflags URI_DQ_UNSUB publish
| 
| # googleusercontent.com/proxy/ URIs can be used to fetch a blacklisted
| # target, or to hide the real origin of a phish, behind Google's host.
| # Several FP guards: long lines, mailing-list marker, Google relay,
| # lowercase From:, rDNS of a "mail" host.
| uri __URI_GOOGLE_PROXY m;^https?://[^.]+\.googleusercontent\.com/proxy/;i
| meta URI_GOOGLE_PROXY __URI_GOOGLE_PROXY && !__LONGLINE && !__ML1 && !__FSL_RELAY_GOOGLE && !__FROM_LOWER && !__RCD_RDNS_MAIL
| describe URI_GOOGLE_PROXY Accessing a blacklisted URI or obscuring source of phish via Google proxy?
| tflags URI_GOOGLE_PROXY publish
| |
| |
| # Apparent good performance is an artifact of certain corpora's collection mechanism |
| #meta RPATH_NULL_CTCQ __BOUNCE_RPATH_NULL && __CTYPE_CHARSET_QUOTED && !__VIA_ML && !__SUBJECT_ENCODED_QP && !ANY_BOUNCE_MESSAGE && !__DOS_HAS_LIST_UNSUB && !__TAG_EXISTS_STYLE && !__TAG_EXISTS_STYLE && !__HAS_THREAD_INDEX |
| #score RPATH_NULL_CTCQ 2.000 # limit |
| |
| # A raw-body line of exactly ten lowercase words followed by a lone "."
| # (word-salad padding; no /i, so capitalised words do not count).
| # Hits are counted up to 21; the meta needs more than 20 such lines.
| rawbody __TENWORD_GIBBERISH /^\s*(?:[a-z]+\s+){10}\.$/m
| tflags __TENWORD_GIBBERISH multiple maxhits=21
| meta TW_GIBBERISH_MANY __TENWORD_GIBBERISH > 20
| describe TW_GIBBERISH_MANY Lots of gibberish text to spoof pattern matching filters
| score TW_GIBBERISH_MANY 2.000 # limit
| tflags TW_GIBBERISH_MANY publish
| |
| #body __OPTOUT_BRKT /\[(?:unsub(?:scribe)|remove(?: me)|leave)\]/i |
| #tflags __OPTOUT_BRKT multiple maxhits=2 |
| #meta OPTOUT_BRKT_MANY __OPTOUT_BRKT > 1 |
| #describe OPTOUT_BRKT_MANY Repetitive opt-outs |
| #score OPTOUT_BRKT_MANY 2.000 # limit |
| |
| |
| # Oh, the humanity! Is there no better way? |
| #full __RECIP_IN_URL_DOM m;^Received:[^:]{1,400}?\sfor\s<(\w+)\@.+?https?://\1\d*\.;ism |
| #describe __RECIP_IN_URL_DOM Recipient in body URL |
| #tflags __RECIP_IN_URL_DOM nopublish |
| |
| |
| |
| # reported on users list 09/2014 jdebert <jdebert@garlic.com>
| # Two bracketed dotted-quads back to back in one Received: header.
| header RCVD_DBL_DQ Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/
| describe RCVD_DBL_DQ Malformatted message header
| tflags RCVD_DBL_DQ publish
| 
| # reported on users list 09/2014 George Johnson <georgejohnson@talaya.net>
| # Random-looking headers: a hyphenated two-part name (4+3 or 3+4 letters,
| # case-insensitive) not in the leading exclusion list, whose value starts
| # with a digit, is at least 7 non-space characters long, and consists of
| # hex digits optionally followed by "-"/"." separated word chunks.
| # Counted up to 4; the scored meta needs more than 3 such headers.
| header __RAND_HEADER ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism
| tflags __RAND_HEADER multiple, maxhits=4
| meta RAND_HEADER_MANY __RAND_HEADER > 3
| describe RAND_HEADER_MANY Many random gibberish message headers
| score RAND_HEADER_MANY 3.000 # limit
| tflags RAND_HEADER_MANY publish
| |
| |
| #body FR_SPAM_LAW /article 34 de la loi 78-17\b/i |
| #describe FR_SPAM_LAW References French privacy law |
| #score FR_SPAM_LAW 1.000 # limit |
| |
| # Subrules with no scored rule in this section (consumed elsewhere).
| body __EDGER_HOOVER /\bedger hoover\b/i
| header __FM_EDGER_HOOVER From =~ /\bedger hoover\b/i
| 
| body __MYSTERY_SHOPPER /\bmystery shoppers?\b/i
| 
| header __HAS_NO_RELAY X-No-Relay =~ /./
| 
| # The same header name (captured as \1) on two consecutive header lines,
| # the first with a value of 1-100 characters.  Only X-No-Relay is in the
| # alternation today; add further names inside the parentheses.
| header __DUP_SUSP_HDR ALL =~ /\n(X-No-Relay)\s*:[ ][^\n]{1,100}\n\1\s*:[ ]/ism
| meta DUP_SUSP_HDR __DUP_SUSP_HDR
| describe DUP_SUSP_HDR Duplicate suspicious message headers
| score DUP_SUSP_HDR 2.500 # limit
| |
| # seen 10/2014: "https://www.google.com/url?q=https://copy.com/ApbFn2848pQm/ShippingInvoice_6974.PDF.scr?download=1&sa=D&sntz=1&usg=AFQjCNGhvWhljnujQlP85tA6YUsddfuJow"
| # google.com "url?" redirect whose remaining query contains "download"
| # after "?", "&" or "/".  As the sample shows, the redirect wraps an
| # arbitrary third-party file, so the Google host lends no trust; hence
| # the high score.  Any *.google.com subdomain is accepted as the host.
| uri __GOOG_MALWARE_DNLD m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&/]download;i
| meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD
| describe GOOG_MALWARE_DNLD File download via Google - Malware?
| score GOOG_MALWARE_DNLD 5.000 # limit
| tflags GOOG_MALWARE_DNLD publish
| 
| # Any google.com/url? redirect; feeds the GOOG_REDIR_* metas below.
| uri __GOOG_REDIR m;^https?://[^/]*\.google\.com/url\?;i
| |
| # Literal phrases, scored directly with no score line (default score).
| body ONLINE_MKTG_CNSLT /\bonline marketing consultant\b/i
| 
| body SOLICIT_BIZ /\bbusiness solicitation messag/i
| 
| # Four or more spelled-out digits in a row ("one two three four"),
| # optionally separated by space, underscore or dash.  DKIM-signed mail
| # is excluded.
| body __SPELLED_OUT_NUM /\b(?:(?:one|two|three|four|five|six|seven|eight|nine|zero)[\s_-]?){4,}/i
| meta SPELLED_OUT_NUMBER __SPELLED_OUT_NUM && !__DKIM_EXISTS
| describe SPELLED_OUT_NUMBER Spelled out a number (one two three)
| score SPELLED_OUT_NUMBER 3.000 # limit
| 
| # Four digits followed by five single spaced letters; subrule only.
| body __NUM_SPCD_LTRS /\d{4}\s(?:[a-z]\s){5}/i
| |
| |
| # A percent-encoded byte (%xx) in the Subject:.  Despite the rule name
| # and describe text this is URL-style escaping rather than HTML markup.
| # Hits are counted up to 3; the _MANY meta (more than one) is defined
| # here but not consumed in this section.
| header __SUBJ_UNNEEDED_HTML Subject =~ /%[0-9a-f][0-9a-f]/i
| tflags __SUBJ_UNNEEDED_HTML multiple, maxhits=3
| meta __SUBJ_UNNEEDED_HTML_MANY __SUBJ_UNNEEDED_HTML > 1
| # FP guards: not-spoofed sender, Return-Path matching Received, mailing list.
| meta SUBJ_UNNEEDED_HTML __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML
| describe SUBJ_UNNEEDED_HTML Unneeded HTML formatting in Subject:
| |
| # Subrules only; consumed elsewhere.
| body __HELP_YOU_SUCCEED /\bhelp you succeed\b/i
| 
| body __WANT_BIZ /\b(?:I|we) want your business\b/i
| 
| # TEQF_* = To: and From: local parts nearly the same (__TO_EQ_FROM_USR_NN*),
| # combined with one secondary signal each.  The _MINFP variant of the
| # subrule is used where FP pressure is higher.
| meta TEQF_USR_MSGID_MALF __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2
| describe TEQF_USR_MSGID_MALF To and from user nearly same + malformed message ID
| tflags TEQF_USR_MSGID_MALF publish
| 
| # Hex-only Message-ID that is otherwise well formed (not the malformed case).
| meta TEQF_USR_MSGID_HEX __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2
| describe TEQF_USR_MSGID_HEX To and from user nearly same + unusual message ID
| tflags TEQF_USR_MSGID_HEX publish
| 
| meta TEQF_USR_IMAGE __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH
| describe TEQF_USR_IMAGE To and from user nearly same + image
| tflags TEQF_USR_IMAGE publish
| 
| # Uses the non-MINFP subrule; __FRAUD_IRT is the "polite greeting" signal.
| meta TEQF_USR_POLITE __TO_EQ_FROM_USR_NN && __FRAUD_IRT
| describe TEQF_USR_POLITE To and from user nearly same + polite greeting
| score TEQF_USR_POLITE 2.000 # limit
| 
| meta __MSGID_HEX_MALF __MSGID_NOFQDN2 && __MSGID_OK_HEX
| 
| # Body that is nothing but a URI, plus a Message-ID without an FQDN.
| # Many FP guards: Return-Path match, mailto: URI, not-spoofed sender,
| # DKIM, JavaMail message-id, presence of Reply-To.
| meta __URI_ONLY_MSGID_MALF __BODY_URI_ONLY && __MSGID_NOFQDN2
| meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO
| describe URI_ONLY_MSGID_MALF URI only + malformed message ID
| tflags URI_ONLY_MSGID_MALF publish
| |
| # These may be a bit risky, the masscheck ham corpus may not
| # reflect how often these are legit in Real Life...
| # __LCL__KAM_BODY_LENGTH_LT_512 is the plugin-guarded wrapper defined at
| # the top of this file (always 0 when BodyEval lacks the check).
| meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512
| describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message
| tflags GOOG_REDIR_SHORT publish
| 
| meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE
| describe GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website + no rDNS
| 
| # Disjoint from the two rules above: excludes no-rDNS and short messages.
| meta GOOG_REDIR_HTML_ONLY (__GOOG_REDIR && MIME_HTML_ONLY) && !RDNS_NONE && !__LCL__KAM_BODY_LENGTH_LT_512
| describe GOOG_REDIR_HTML_ONLY Google redirect to obscure spamvertised website + HTML only
| score GOOG_REDIR_HTML_ONLY 2.000 # limit
| |
| |
| |
| # low S/O, apparently lots of invisible ham...
| # Inline style attributes that hide content (visibility:hidden,
| # display:none) or set a background.  "(?:3d)?" absorbs the "=3D" of a
| # quoted-printable-encoded "=".  Counted up to 6; _MANY needs more than 5.
| rawbody __STY_INVIS /\bstyle\s*=(?:3d)?\s*"\s*(?:visibility\s*:\s*hidden\s*;|display\s*:\s*none\s*;|background\s*:)/i
| tflags __STY_INVIS multiple, maxhits=6
| meta __STY_INVIS_MANY __STY_INVIS > 5
| #meta HTML_TEXT_INVISIBLE __STY_INVIS_MANY
| #describe HTML_TEXT_INVISIBLE Hidden text
| #score HTML_TEXT_INVISIBLE 2.000 # limit
| # try it on span tags only...
| # Same style test, restricted to a <span ...> opening tag (subrule only).
| rawbody __SPAN_INVIS /<span\s[^>]{0,80}style\s*=(?:3d)?\s*"\s*(?:visibility\s*:\s*hidden\s*;|display\s*:\s*none\s*;|background\s*:)/i
| 
| # Adapted from SARE rules __SARE_HTML_SINGLET*
| # A single letter, quote or numeric entity alone between two tags
| # (">x<").  Counted up to 21; _MANY needs more than 20.
| rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i
| tflags __HTML_SINGLET multiple, maxhits=21
| meta __HTML_SINGLET_MANY __HTML_SINGLET > 20
| #meta HTML_SINGLET_MANY __HTML_SINGLET_MANY
| #describe HTML_SINGLET_MANY Many single-letter HTML format blocks
| #score HTML_SINGLET_MANY 1.000 # limit
| 
| # Many singlets combined with low-contrast font colouring.
| meta SINGLETS_LOW_CONTRAST __HTML_SINGLET_MANY && __HTML_FONT_LOW_CONTRAST_MINFP
| describe SINGLETS_LOW_CONTRAST Single-letter formatted HTML + hidden text
| tflags SINGLETS_LOW_CONTRAST publish
| |
| # per users list, 10-11 2014
| # URI path ending in /<dropbox|googlebox|bank...|newgdoc>/<doc|document|
| # invoice|message|index>.php -- the hosted-file lure dropped on a
| # compromised webserver.  Case-sensitive (no /i); no score line here.
| uri MALWARE_HACKED_URI m;/(?:dropbox|googlebox|bank\w+|newgdoc)/(?:doc(?:ument)?|invoice|message|index)\.php$;
| describe MALWARE_HACKED_URI Malware or phishing hosted-file URI at hacked webserver
| 
| # Looser generalisation: any single directory before doc/invoice/message.php
| # (index.php deliberately omitted).  Scored lower than the rule above.
| uri __HACKED_PHP_URI m;/\w+/(?:doc(?:ument)?|invoice|message)\.php$;
| meta HACKED_PHP_URI __HACKED_PHP_URI
| describe HACKED_PHP_URI Possible phishing/malware URI
| score HACKED_PHP_URI 2.000 # limit
| |
| # very poor S/O - this appears a lot more in ham than in spam?? |
| #body __PUNCT_ODD_SPACING /[a-z]{3}\s+[.,][a-z]{3}/ |
| #tflags __PUNCT_ODD_SPACING multiple, maxhits=3 |
| #meta __PUNCT_ODD_SPACING_MANY __PUNCT_ODD_SPACING > 2 |
| |
| # poor S/O - how is this in ham? |
| #header XMAILER_MANY ALL =~ /\nX-Mailer:(?:[^\n]+\n)+X-Mailer:/ism |
| #describe XMAILER_MANY Has multiple X-Mailer: headers |
| |
| # Unexpanded mail-merge placeholders such as #FirstName# or #Email#
| # left in the body (subrule only).
| body __RAW_TOKEN_BODY /\#(?:(?:First|Last)Name|Email)\#/i
| #header __RAW_TOKEN_HDR ALL =~ /\$(?:rand[^$]{0,10})\$/i
| #tflags __RAW_TOKEN multiple maxhits=3
| #meta RAW_TOKENS __RAW_TOKEN > 2
| #describe RAW_TOKENS Raw mail merge tokens in body
| 
| # Reply-To at a Chinese freemail provider.  Not anchored at the end, so
| # "@sina.com.cn" and any longer "@sina.com..." domain also match.
| header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i
| 
| # Forged freemail sender (From: claims freemail but the path says
| # otherwise) combined with a freemail Reply-To.
| meta __SPOOFED_FREEM_REPTO __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO
| 
| meta SPOOFED_FREEM_REPTO_CHN (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM
| describe SPOOFED_FREEM_REPTO_CHN Forged freemail sender with Chinese freemail reply-to
| score SPOOFED_FREEM_REPTO_CHN 3.500
| tflags SPOOFED_FREEM_REPTO_CHN publish
| 
| # Generic variant; skipped for messages that are part of a thread.
| meta SPOOFED_FREEM_REPTO __SPOOFED_FREEM_REPTO && !__THREADED
| describe SPOOFED_FREEM_REPTO Forged freemail sender with freemail reply-to
| score SPOOFED_FREEM_REPTO 2.500
| tflags SPOOFED_FREEM_REPTO publish
| |
| |
| #header __VERY_LONG_REPTO Reply-To =~ /[^<\s\@]{25,}\@/ |
| #meta __VERY_LONG_REPTO_SHORT_MSG __VERY_LONG_REPTO && __HTML_LENGTH_0000_1024 |
| #meta VERY_LONG_REPTO_SHORT_MSG __VERY_LONG_REPTO_SHORT_MSG && !__VIA_ML && !__TO_EQ_FROM_DOM && !__THREAD_INDEX_GOOD |
| #describe VERY_LONG_REPTO_SHORT_MSG Very long Reply-To username + short message |
| #score VERY_LONG_REPTO_SHORT_MSG 2.500 # limit |
| #tflags VERY_LONG_REPTO_SHORT_MSG publish |
| # |
| #ifplugin Mail::SpamAssassin::Plugin::FreeMail |
| # meta __VERY_LONG_FREEM_REPTO __VERY_LONG_REPTO && FREEMAIL_REPLYTO |
| # meta VERY_LONG_FREEM_REPTO __VERY_LONG_FREEM_REPTO |
| # describe VERY_LONG_FREEM_REPTO Very long freemail Reply-To username |
| # score VERY_LONG_FREEM_REPTO 2.500 # limit |
| # tflags VERY_LONG_FREEM_REPTO publish |
| #endif |
| |
| # for <steve.stewart@fastnet.co.uk>; Mon, 2 Nov 2015 14:27:08 GMT |
| # (envelope-from fastnet.co.uk.12056010.steve.stewart@vmta27.topreasonstovisit.com) |
| # S/O low, seems to be common in legit mailing lists |
| # Maybe in meta with "not a mailing list" rules? |
| #header __RECIP_IN_ENV_FM_01 Received =~ /for\s+<([^\@]+)\@([^>]+)>.*envelope-from\s+\2\.\d+\.\1\@/i |
| #header __RECIP_IN_ENV_FM_02 Received =~ /for\s+<([^\@]+)\@([^>]+)>.*envelope-from\s+[^@]*\2[^@]*\@/i |
| |
| |
| # abuse_report.php?<token>. where the query does not start with
| # "username=" and the token (1-100 chars, no "&", space or dot) is
| # followed by a dot -- CryptoWall-era landing URL shape.  No score line.
| uri URI_MALWARE_CWALL /\/abuse_report\.php\?(?!username=)[^&\s.]{1,100}\./i
| describe URI_MALWARE_CWALL Potential CryptoWall malware URL
| 
| 
| # Incomplete set of List-* headers on a short (HTML length < 1024)
| # message; DKIM-signed mail is excluded.
| meta __LIST_PARTIAL_SHORT_MSG __HTML_LENGTH_0000_1024 && __LIST_PARTIAL
| meta LIST_PARTIAL_SHORT_MSG __LIST_PARTIAL_SHORT_MSG && !__DKIM_EXISTS
| describe LIST_PARTIAL_SHORT_MSG Incomplete mailing list headers + short message
| score LIST_PARTIAL_SHORT_MSG 2.500 # limit
| |
| # duplicates __HAS_MSMAIL_PRI |
| #header __FH_HAS_XMSMAIL exists:X-MSMail-Priority |
| |
| # X-MSMail-Priority present, Outlook Express style Message-ID in the
| # wrong case, and the From/To/Subject/Date/... header order that real
| # Microsoft MUAs emit -- together, forged Microsoft headers.
| meta __BOGUS_MSM_HDRS __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX
| meta BOGUS_MSM_HDRS __BOGUS_MSM_HDRS
| describe BOGUS_MSM_HDRS Apparently bogus Microsoft email headers
| score BOGUS_MSM_HDRS 3.000 # limit
| tflags BOGUS_MSM_HDRS publish
| 
| #meta __BOGUS_MSM_PRIO __HAS_MSMAIL_PRI && __HDR_ORDER_FTSDMCXXXX
| #meta __BOGUS_MSM_PRIO_MINFP __BOGUS_MSM_PRIO && !__BOGUS_MSM_HDRS && !__MSGID_NOFQDN2 && !__ANY_OUTLOOK_MUA && !__RCD_RDNS_MAIL_MESSY
| 
| # X-MSMail-Priority + Reply-To + short Subject; excluded when envelope
| # and header From match (__ENV_AND_HDR_FROM_MATCH; the plugin-guarded
| # __LCL__ wrapper from the top of the file is not used here).
| meta __MSM_PRIO_REPTO __HAS_MSMAIL_PRI && __REPLYTO_EXISTS && __SUBJ_SHORT
| meta MSM_PRIO_REPTO __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH
| describe MSM_PRIO_REPTO MSMail priority header + Reply-to + short subject
| score MSM_PRIO_REPTO 2.500 # limit
| tflags MSM_PRIO_REPTO publish
| 
| # X-Mailer starting with "Yamail" (subrule only).
| header __XM_YAMAIL X-Mailer =~ /^Yamail/
| |
| |
| # __GATED_THROUGH_RCVD_REMOVER includes messages with no Received headers *at all*.
| # Don't consider those, only consider the ones where *some* Received headers may have been removed
| meta __RCVD_RMV_PARTIAL __GATED_THROUGH_RCVD_REMOVER && __HAS_RCVD
| 
| # Compare __GATED_THROUGH_RCVD_REMOVER and "via ezmlm"
| # Mailing-List: header naming ezmlm (subrule only).
| header __ML_EZMLM Mailing-List =~ /\bezmlm\b/
| |
| |
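| # easy for spammers to forge a signed message and still have it displayed to the recipient?
| #header KHOP_ENCRYPTED_CONTENT Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/
| # Message whose top-level Content-Type declares PGP/MIME or S/MIME
| # encryption.  Caveat: only the header is inspected, and the sender fully
| # controls it; nothing here verifies that an encrypted body or a valid
| # signature is present, so the negative score is trivially claimable by
| # a spammer.  Keep the score small and never use this rule for
| # whitelisting.
| # The alternation is now grouped so that "^" anchors both branches;
| # previously it bound only to "multipart/...", letting
| # "application/(x-)pkcs7-mime" match anywhere in the header value
| # instead of as the media type.
| header __CT_ENCRYPTED Content-Type =~ /^(?:multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime)/
| meta ENCRYPTED_MESSAGE __CT_ENCRYPTED
| describe ENCRYPTED_MESSAGE Message is encrypted, not likely to be spam
| score ENCRYPTED_MESSAGE -1.000
| tflags ENCRYPTED_MESSAGE nice,publish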
| |
| |
| #body __PHONE_GIBBERISH_01 /(?:\b\d\d\d-\d\d\d-\d\d\d\d\s+[a-z][^\d\s:.]+\s+){15}/ |
| |
| # Presence of an X-Gmx-Bulk header (subrule only).
| header __HAS_GMX_BULK exists:X-Gmx-Bulk
| 
| # Unbalanced <center> tags via the HTMLEval plugin's html_tag_balance.
| # Excluded when the relay's rDNS looks like a messy "mail"/"smtp" host.
| ifplugin Mail::SpamAssassin::Plugin::HTMLEval
| body __HTML_TAG_BALANCE_CENTER eval:html_tag_balance('center', '!= 0')
| meta HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY
| describe HTML_TAG_BALANCE_CENTER Malformatted HTML
| endif
| |
| |
| # more random garbage message headers 01/2016
| # A header name (the run before the first "-", ":" or whitespace) with a
| # lowercase letter immediately followed by an uppercase one, e.g.
| # "messageId".  DomainKey-Signature is the known legitimate exception.
| # With /m, "^" matches at each header line; continuation lines (leading
| # whitespace) cannot match.  Counted up to 4; _MANY needs more than 3.
| header __HDR_CASE_REVERSED ALL =~ /^(?!DomainKey)[^-:\s]*[a-z][A-Z]/m
| tflags __HDR_CASE_REVERSED multiple maxhits=4
| meta __HDR_CASE_REV_MANY (__HDR_CASE_REVERSED > 3)
| 
| meta HDR_CASE_REV_MANY __HDR_CASE_REV_MANY
| describe HDR_CASE_REV_MANY Multiple malformed (possibly random gibberish) message headers
| score HDR_CASE_REV_MANY 2.000 # limit
| 
| # A single such header is enough when paired with a second signal:
| # base64-encoded From: / encoded whitespace, or an IP address in HELO.
| meta HDR_CASE_REV_ENC __HDR_CASE_REVERSED && (__FROM_ENCODED_B64 || __TVD_SPACE_ENCODED )
| describe HDR_CASE_REV_ENC Malformed (possibly random gibberish) message header + suspicious encoding
| score HDR_CASE_REV_ENC 2.000 # limit
| 
| meta HDR_CASE_REV_HELO_IP __HDR_CASE_REVERSED && __HELO_MISC_IP
| describe HDR_CASE_REV_HELO_IP Malformed (possibly random gibberish) message header + IP in HELO
| score HDR_CASE_REV_HELO_IP 2.000 # limit
| |
| |
| |
| # Header-existence subrules for bulk-mailer and PHP-originated markers.
| header __HAS_CAMPAIGN exists:X-Campaign
| header __HAS_CAMPAIGNID exists:X-Campaignid
| header __HAS_CID exists:X-CID
| header __HAS_XM_LID exists:X-Mailer-LID
| header __HAS_XM_RECPTID exists:X-Mailer-RecptId
| header __HAS_XM_SID exists:X-Mailer-SID
| header __HAS_XM_SENTBY exists:X-Mailer-Sent-By
| header __HAS_DOMAINKEY_SIG exists:DomainKey-Signature
| header __HAS_PHP_SCRIPT exists:X-PHP-Script
| header __HAS_PHP_ORIG_SCRIPT exists:X-PHP-Originating-Script
| 
| # From: address whose local part reads like a sentence: one or more
| # dot-separated Capitalised words (or "or"/"&") before a final word and
| # the "@".  Case-sensitive by design.
| header __FROM_WORDY From:addr =~ /(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/
| #header __FROM_WORDY_3 From:addr =~ /(?:(?:[A-Z][A-Za-z]+|or|&)\.){2,}[A-Z][A-Za-z]+\@/
| 
| # Wordy From: plus at least one spam-leaning companion signal.
| meta __FROM_WORDY_SONLY __FROM_WORDY && (__KHOP_NO_FULL_NAME || __CTYPE_HTML || __TO_EQ_FROM_DOM_2 || __HTML_IMG_ONLY || FREEMAIL_FORGED_REPLYTO )
| # Split by message length (HTML length < 1024 vs. not).  Shared FP guards:
| # envelope/header From match (__LCL__ wrapper from the top of the file),
| # TNEF attachment, VERP.  Only the long variant also excludes
| # __HDRS_LCASE_KNOWN -- unclear whether that asymmetry is intentional.
| meta FROM_WORDY (__FROM_WORDY_SONLY && !__HTML_LENGTH_0000_1024) && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_TNEF && !__USING_VERP1 && !__HDRS_LCASE_KNOWN
| describe FROM_WORDY From address looks like a sentence
| tflags FROM_WORDY publish
| 
| meta FROM_WORDY_SHORT (__FROM_WORDY_SONLY && __HTML_LENGTH_0000_1024) && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_TNEF && !__USING_VERP1
| describe FROM_WORDY_SHORT From address looks like a sentence + short message
| tflags FROM_WORDY_SHORT publish
| 
| # X-PHP-Script present and the MUA is PHP without a version number.
| meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA
| describe PHP_SCRIPT_MUA Sent by PHP script, no version number
| score PHP_SCRIPT_MUA 2.000 # limit
| tflags PHP_SCRIPT_MUA publish
| 
| meta __PHP_SCRIPT_MIMENEEDED __HAS_PHP_SCRIPT && __FROM_NEEDS_MIME
| 
| # X-PHP-Originating-Script plus one bot-like signal (__TVD_SPACE_RATIO is
| # the plugin-guarded name from the top of the file); excluded for
| # all-trusted relays and messages with subscription info.
| meta __PHP_ORIG_SCRIPT_SONLY __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B)
| meta PHP_ORIG_SCRIPT __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO
| describe PHP_ORIG_SCRIPT Sent by bot & other signs
| score PHP_ORIG_SCRIPT 2.500 # limit
| tflags PHP_ORIG_SCRIPT publish
| 
| # noted 5/26/2016 on list by RW
| # Originating script reported as "eval()'d code" -- the PHP mailer was
| # itself run through eval(), a sign of an injected web shell (subrule only).
| header __PHP_ORIG_SCRIPT_EVAL X-PHP-Originating-Script =~ /\beval\b.*\bcode\b/i
| 
| 
| #header __FROM_AUTHORITY_COMPANY From:name =~ /\b(?:court|fed-?ex|dhl|e-?zpass|invoice)\b/
| #meta __PHP_MALWARE_ATTACH __HAS_PHP_SCRIPT && __FROM_AUTHORITY_COMPANY && __ZIP_ATTACH_MT
| 
| # X-Mailer-SID subrules: without a multipart/mixed body, or with an
| # invalid Message-ID / X-Priority / X-Mailer companion.
| meta __XMSID __HAS_XM_SID && !__CTYPE_MULTIPART_MIXED
| meta __XMSID_SONLY __HAS_XM_SID && (INVALID_MSGID || __XPRIO || __HAS_X_MAILER)
| 
| # List-Unsubscribe mailto: whose mailbox ends (whitespace, "?", quote or
| # ">") before any "@" appears, i.e. no usable address (subrule only).
| header __UNSUB_MAILTO_BOGUS List-Unsubscribe =~ /mailto:[^@\s">]*[\s?">]/
| |