rulesrc/sandbox/gbechis/20_misc.cf - spamassassin - Git at Google

 # uri         __MALWARE_DROPBOX_JAR_URI   m;^https?://[^.]+\.dropbox\.com/(\w+)/(\w+)/(\w+)\.jar\?dl\=1;i
 # meta        GB_MALWARE_DROPBOX_JAR_URI	( __MALWARE_DROPBOX_JAR_URI && (HTML_SHORT_LINK_IMG_1 || HTML_SHORT_LINK_IMG_2 || HTML_SHORT_LINK_IMG_3) )
 # describe    GB_MALWARE_DROPBOX_JAR_URI Dropbox that forces user to download jar file

 uri         GB_GOOGLE_OBFUR	/^https:\/\/www\.google\.([a-z]{2,3})\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=([0-9])*\&(cad=rja\&uact=([0-9]+)\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(&usg=.{1,50})?/
 describe    GB_GOOGLE_OBFUR	Obfuscate url through Google redirect
 score       GB_GOOGLE_OBFUR     0.75 # limit
 tflags      GB_GOOGLE_OBFUR     publish

 uri         GB_GOOGLE_OBFUS	/^https:\/\/www\.google\.([a-z]{2,3})\/search\?ei=.{1,50}\&gs_l=.{1,20}/
 describe    GB_GOOGLE_OBFUS	Obfuscate url through Google search
 score       GB_GOOGLE_OBFUS     0.75 # limit
 #tflags      GB_GOOGLE_OBFUS     publish

 uri         GB_GOOGLE_OBFUQ	/^https:\/\/www\.google\.([a-z]{2,3})\/url\?q=.{1,50}\&sa=D&Xh=Gd&usg=/
 describe    GB_GOOGLE_OBFUQ	Obfuscate url through Google search
 score       GB_GOOGLE_OBFUQ     0.75 # limit
 #tflags      GB_GOOGLE_OBFUQ     publish

 header      __COPY_OF       Subject =~ /Copy of:|offers for you/
 meta        GB_COPY_OF_SHORT   ( __URL_SHORTENER && __COPY_OF && __KAM_BODY_LENGTH_LT_1024 )
 describe    GB_COPY_OF_SHORT   Url shortnener spam

 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
   meta      GB_FROMNAME_SPOOFED_EMAIL_IP  ( FROMNAME_SPOOFED_EMAIL && !__NOT_SPOOFED )
   describe  GB_FROMNAME_SPOOFED_EMAIL_IP  From:name looks like a spoofed email from a spoofed ip
   score     GB_FROMNAME_SPOOFED_EMAIL_IP  0.50 # limit
   tflags    GB_FROMNAME_SPOOFED_EMAIL_IP  publish
 endif

 header     __HDR_RCVD_GOOGLE           X-Spam-Relays-External =~ / rdns=mail-\S+\.google\.com\.?\s/
 uri        __URI_IMG_GDRIVE            /^https:\/\/www\.google\.com\/drive\/static\/images\/drive\/logo-drive\.png/
 uri        __URI_IMG_GPHOTO            /^https:\/\/www\.google\.com\/photos\/about\/static\/images\/logo_photos_64dp\.svg/

 meta       __GDRIVE_IMG_NOT_RCVD_GOOG  __URI_IMG_GDRIVE && !__HDR_RCVD_GOOGLE
 meta       __GPHOTO_IMG_NOT_RCVD_GOOG  __URI_IMG_GPHOTO && !__HDR_RCVD_GOOGLE
 meta       GB_GOOG_IMG_NOT_RCVD_GOOG   ( __GDRIVE_IMG_NOT_RCVD_GOOG || __GPHOTO_IMG_NOT_RCVD_GOOG ) && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP
 describe   GB_GOOG_IMG_NOT_RCVD_GOOG   Google hosted image but message not from Google
 score      GB_GOOG_IMG_NOT_RCVD_GOOG   2.500    # limit
 # tflags     GB_GOOG_IMG_NOT_RCVD_GOOG   publish

 # header     __HDR_RCVD_LINKEDIN           X-Spam-Relays-External =~ /rdns=mail\S+\-\S+\.linkedin\.com\s/
 # uri        __URI_IMG_LINKEDIN            /^https:\/\/static\.licdn\.com\/scds\/common\/u\/images\/email\/artdeco\/illustrations\/56\/magnifying-glass\.png/

 # meta       __LINKED_IMG_NOT_RCVD_LINK    __URI_IMG_LINKEDIN && !__HDR_RCVD_LINKEDIN
 # meta       GB_LINKED_IMG_NOT_RCVD_LINK   __LINKED_IMG_NOT_RCVD_LINK && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP
 # describe   GB_LINKED_IMG_NOT_RCVD_LINK   Linkedin hosted image but message not from Linkedin
 # score      GB_LINKED_IMG_NOT_RCVD_LINK   2.500    # limit
 # tflags     GB_LINKED_IMG_NOT_RCVD_LINK   publish

 uri        __SENDINBLUE_REDIR            m~://.{4,5}\.r\.a[a-z]?\.d\.sendibm[0-9]\.com/mk/([a-z]){2}/~
 meta       SENDINBLUE_REDIR              __SENDINBLUE_REDIR && !MIME_HTML_MOSTLY && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION
 describe   SENDINBLUE_REDIR              Redirect URI via Sendinblue
 score      SENDINBLUE_REDIR              2.000    # limit
 # tflags     SENDINBLUE_REDIR            publish

 meta       __SENDINBLUE_REDIR_PHISH      __SENDINBLUE_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || __FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ )
 meta       SENDINBLUE_REDIR_PHISH        __SENDINBLUE_REDIR_PHISH
 describe   SENDINBLUE_REDIR_PHISH        Redirect URI via Sendinblue + phishing signs
 score      SENDINBLUE_REDIR_PHISH        3.500    # limit
 # tflags     SENDINBLUE_REDIR_PHISH        publish

 header     __GB_FAKE_RF                  Subject =~ /(Fw|Re)\:{1,2}[\W+]/i
 meta       GB_FAKE_RF                    ( ! __THREADED && __GB_FAKE_RF )
 describe   GB_FAKE_RF                    Fake reply
 score      GB_FAKE_RF                    1.000 # limit

 meta       GB_FAKE_RF_SHORT              ( ! __THREADED && __GB_FAKE_RF && __PDS_URISHORTENER )
 describe   GB_FAKE_RF_SHORT              Fake reply or forward with url shortener
 score      GB_FAKE_RF_SHORT              2.000 # limit
 tflags     GB_FAKE_RF_SHORT              publish
	# uri __MALWARE_DROPBOX_JAR_URI m;^https?://[^.]+\.dropbox\.com/(\w+)/(\w+)/(\w+)\.jar\?dl\=1;i
	# meta GB_MALWARE_DROPBOX_JAR_URI ( __MALWARE_DROPBOX_JAR_URI && (HTML_SHORT_LINK_IMG_1 \|\| HTML_SHORT_LINK_IMG_2 \|\| HTML_SHORT_LINK_IMG_3) )
	# describe GB_MALWARE_DROPBOX_JAR_URI Dropbox that forces user to download jar file

	uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.([a-z]{2,3})\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=([0-9])*\&(cad=rja\&uact=([0-9]+)\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(&usg=.{1,50})?/
	describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect
	score GB_GOOGLE_OBFUR 0.75 # limit
	tflags GB_GOOGLE_OBFUR publish

	uri GB_GOOGLE_OBFUS /^https:\/\/www\.google\.([a-z]{2,3})\/search\?ei=.{1,50}\&gs_l=.{1,20}/
	describe GB_GOOGLE_OBFUS Obfuscate url through Google search
	score GB_GOOGLE_OBFUS 0.75 # limit
	#tflags GB_GOOGLE_OBFUS publish

	uri GB_GOOGLE_OBFUQ /^https:\/\/www\.google\.([a-z]{2,3})\/url\?q=.{1,50}\&sa=D&Xh=Gd&usg=/
	describe GB_GOOGLE_OBFUQ Obfuscate url through Google search
	score GB_GOOGLE_OBFUQ 0.75 # limit
	#tflags GB_GOOGLE_OBFUQ publish

	header __COPY_OF Subject =~ /Copy of:\|offers for you/
	meta GB_COPY_OF_SHORT ( __URL_SHORTENER && __COPY_OF && __KAM_BODY_LENGTH_LT_1024 )
	describe GB_COPY_OF_SHORT Url shortnener spam

	ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
	meta GB_FROMNAME_SPOOFED_EMAIL_IP ( FROMNAME_SPOOFED_EMAIL && !__NOT_SPOOFED )
	describe GB_FROMNAME_SPOOFED_EMAIL_IP From:name looks like a spoofed email from a spoofed ip
	score GB_FROMNAME_SPOOFED_EMAIL_IP 0.50 # limit
	tflags GB_FROMNAME_SPOOFED_EMAIL_IP publish
	endif

	header __HDR_RCVD_GOOGLE X-Spam-Relays-External =~ / rdns=mail-\S+\.google\.com\.?\s/
	uri __URI_IMG_GDRIVE /^https:\/\/www\.google\.com\/drive\/static\/images\/drive\/logo-drive\.png/
	uri __URI_IMG_GPHOTO /^https:\/\/www\.google\.com\/photos\/about\/static\/images\/logo_photos_64dp\.svg/

	meta __GDRIVE_IMG_NOT_RCVD_GOOG __URI_IMG_GDRIVE && !__HDR_RCVD_GOOGLE
	meta __GPHOTO_IMG_NOT_RCVD_GOOG __URI_IMG_GPHOTO && !__HDR_RCVD_GOOGLE
	meta GB_GOOG_IMG_NOT_RCVD_GOOG ( __GDRIVE_IMG_NOT_RCVD_GOOG \|\| __GPHOTO_IMG_NOT_RCVD_GOOG ) && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP
	describe GB_GOOG_IMG_NOT_RCVD_GOOG Google hosted image but message not from Google
	score GB_GOOG_IMG_NOT_RCVD_GOOG 2.500 # limit
	# tflags GB_GOOG_IMG_NOT_RCVD_GOOG publish

	# header __HDR_RCVD_LINKEDIN X-Spam-Relays-External =~ /rdns=mail\S+\-\S+\.linkedin\.com\s/
	# uri __URI_IMG_LINKEDIN /^https:\/\/static\.licdn\.com\/scds\/common\/u\/images\/email\/artdeco\/illustrations\/56\/magnifying-glass\.png/

	# meta __LINKED_IMG_NOT_RCVD_LINK __URI_IMG_LINKEDIN && !__HDR_RCVD_LINKEDIN
	# meta GB_LINKED_IMG_NOT_RCVD_LINK __LINKED_IMG_NOT_RCVD_LINK && !__HAS_ERRORS_TO && !__MSGID_LIST && !__MSGID_GUID && !__RCD_RDNS_SMTP
	# describe GB_LINKED_IMG_NOT_RCVD_LINK Linkedin hosted image but message not from Linkedin
	# score GB_LINKED_IMG_NOT_RCVD_LINK 2.500 # limit
	# tflags GB_LINKED_IMG_NOT_RCVD_LINK publish

	uri __SENDINBLUE_REDIR m~://.{4,5}\.r\.a[a-z]?\.d\.sendibm[0-9]\.com/mk/([a-z]){2}/~
	meta SENDINBLUE_REDIR __SENDINBLUE_REDIR && !MIME_HTML_MOSTLY && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION
	describe SENDINBLUE_REDIR Redirect URI via Sendinblue
	score SENDINBLUE_REDIR 2.000 # limit
	# tflags SENDINBLUE_REDIR publish

	meta __SENDINBLUE_REDIR_PHISH __SENDINBLUE_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN \|\| __FORGED_RELAY_MUA_TO_MX \|\| __TO_IN_SUBJ )
	meta SENDINBLUE_REDIR_PHISH __SENDINBLUE_REDIR_PHISH
	describe SENDINBLUE_REDIR_PHISH Redirect URI via Sendinblue + phishing signs
	score SENDINBLUE_REDIR_PHISH 3.500 # limit
	# tflags SENDINBLUE_REDIR_PHISH publish

	header __GB_FAKE_RF Subject =~ /(Fw\|Re)\:{1,2}[\W+]/i
	meta GB_FAKE_RF ( ! __THREADED && __GB_FAKE_RF )
	describe GB_FAKE_RF Fake reply
	score GB_FAKE_RF 1.000 # limit

	meta GB_FAKE_RF_SHORT ( ! __THREADED && __GB_FAKE_RF && __PDS_URISHORTENER )
	describe GB_FAKE_RF_SHORT Fake reply or forward with url shortener
	score GB_FAKE_RF_SHORT 2.000 # limit
	tflags GB_FAKE_RF_SHORT publish