| |
| # Ensure plugin-based rules used for FP avoidance exist |
| # even if the plugin is not loaded, or an older version is loaded. |
| # Each __LCL__ alias resolves to the real rule when its plugin (and, where |
| # tested with can(), its eval function) is available, and to the constant 0 |
| # otherwise. Metas that negate the alias (e.g. !__LCL__ENV_AND_HDR_FROM_MATCH) |
| # therefore keep loading on a minimal install and merely lose that FP exclusion. |
| # __KAM_BODY_LENGTH_LT_128 |
| ifplugin Mail::SpamAssassin::Plugin::BodyEval |
| # the eval is only probed, not called, here; presumably absent in older BodyEval |
| if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) |
| meta __LCL__KAM_BODY_LENGTH_LT_128 __KAM_BODY_LENGTH_LT_128 |
| else |
| meta __LCL__KAM_BODY_LENGTH_LT_128 0 |
| endif |
| else |
| meta __LCL__KAM_BODY_LENGTH_LT_128 0 |
| endif |
| |
| # __KAM_BODY_LENGTH_LT_512 -- same plugin/eval shim as the LT_128 alias above |
| ifplugin Mail::SpamAssassin::Plugin::BodyEval |
| if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) |
| meta __LCL__KAM_BODY_LENGTH_LT_512 __KAM_BODY_LENGTH_LT_512 |
| else |
| meta __LCL__KAM_BODY_LENGTH_LT_512 0 |
| endif |
| else |
| meta __LCL__KAM_BODY_LENGTH_LT_512 0 |
| endif |
| |
| # __KAM_BODY_LENGTH_LT_1024 -- same plugin/eval shim as the LT_128 alias above |
| ifplugin Mail::SpamAssassin::Plugin::BodyEval |
| if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) |
| meta __LCL__KAM_BODY_LENGTH_LT_1024 __KAM_BODY_LENGTH_LT_1024 |
| else |
| meta __LCL__KAM_BODY_LENGTH_LT_1024 0 |
| endif |
| else |
| meta __LCL__KAM_BODY_LENGTH_LT_1024 0 |
| endif |
| |
| # __ENV_AND_HDR_FROM_MATCH -- only the plugin's presence is checked here, |
| # no can() probe of a specific eval. The alias is used as an FP exclusion |
| # by HDRS_MISSP and TO_IN_SUBJ and as a requirement by __FROM_MISSP_EH_MATCH. |
| ifplugin Mail::SpamAssassin::Plugin::HeaderEval |
| meta __LCL__ENV_AND_HDR_FROM_MATCH __ENV_AND_HDR_FROM_MATCH |
| else |
| meta __LCL__ENV_AND_HDR_FROM_MATCH 0 |
| endif |
| |
| # __TVD_SPACE_RATIO -- no __LCL__ alias: when BodyEval is loaded nothing is |
| # declared here (the rule presumably comes with the plugin's own config); |
| # without the plugin the name is stubbed to 0 so metas referencing it parse. |
| ifplugin Mail::SpamAssassin::Plugin::BodyEval |
| # |
| else |
| meta __TVD_SPACE_RATIO 0 |
| endif |
| |
| |
| |
| # |
| #header REPLYTO_MANY_AT Reply-To =~ /\@.+\@/ |
| #describe REPLYTO_MANY_AT More than one @ in Reply-To: |
| # |
| #header SENDER_MANY_AT Sender =~ /\@.+\@/ |
| #describe SENDER_MANY_AT More than one @ in Sender: |
| # |
| #header FROM_MANY_AT From =~ /\@.+\@/ |
| #describe FROM_MANY_AT More than one @ in From: |
| # |
| |
| # First external relay whose ip= field is not in 127.x (the lookahead skips |
| # loopback) but whose rdns= is "localhost" or "localhost.localdomain" -- a |
| # public host should never have a loopback name as reverse DNS. |
| header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i |
| describe RDNS_LOCALHOST Sender's public rDNS is "localhost" |
| |
| #body EU_SPAM_LAW m,Directive 2000/31/EC of the European Parliament,i |
| #describe EU_SPAM_LAW Quoting "European Parliament" spam law |
| |
| # Attachment-type rules; all need the MIMEHeader plugin. The else branch |
| # stubs every __ sub-rule to 0 so metas built on them elsewhere keep parsing |
| # when the plugin is absent. |
| ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
| # HTML part carrying an explicit .htm/.html filename, in either header |
| mimeheader __HTML_ATTACH_01 Content-Type =~ m,\btext/html\b.+\.html?\b,i |
| mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.html?\b,i |
| meta HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02 |
| describe HTML_ATTACH HTML attachment to bypass scanning? |
| |
| # OBFU_*_ATTACH: generic application/octet-stream type paired with a |
| # filename extension that has a well-known specific MIME type |
| mimeheader OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.html?\b,i |
| describe OBFU_HTML_ATTACH HTML attachment with non-text MIME type |
| |
| mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i |
| describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type |
| #score OBFU_TEXT_ATTACH 2.5 |
| tflags OBFU_TEXT_ATTACH publish |
| |
| mimeheader OBFU_DOC_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i |
| describe OBFU_DOC_ATTACH MS Document attachment with generic MIME type |
| #score OBFU_DOC_ATTACH 0.25 |
| |
| mimeheader OBFU_PDF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i |
| describe OBFU_PDF_ATTACH PDF attachment with generic MIME type |
| #score OBFU_PDF_ATTACH 0.25 |
| |
| mimeheader OBFU_JPG_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i |
| describe OBFU_JPG_ATTACH JPG attachment with generic MIME type |
| #score OBFU_JPG_ATTACH 1.50 |
| |
| mimeheader OBFU_GIF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i |
| describe OBFU_GIF_ATTACH GIF attachment with generic MIME type |
| #score OBFU_GIF_ATTACH 1.50 |
| |
| # __FROM_RUNON (From address run on to the "<") is defined further down |
| meta OBFU_ATTACH_MISSP __FROM_RUNON && (OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || OBFU_DOC_ATTACH || OBFU_PDF_ATTACH || OBFU_JPG_ATTACH || OBFU_GIF_ATTACH) |
| describe OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From |
| |
| # mimeheader ECMSNGR_MH X-ecm-part-format =~ /./ |
| # describe ECMSNGR_MH eC-Messenger header |
| |
| # Content-Type whose value starts with a parameter separator, i.e. no media type at all |
| mimeheader __CTYPE_NULL Content-Type =~ /^\s*;/ |
| meta CTYPE_NULL __CTYPE_NULL |
| describe CTYPE_NULL Malformed Content-Type header |
| |
| # zip-ish Content-Type with nothing after the type (no name= parameter), |
| # while Content-Disposition names an .htm/.html file |
| mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i |
| meta OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02 |
| describe OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware |
| |
| # quoted name= parameter containing no dot (no extension); the (?!=\?) |
| # lookahead skips names that are RFC 2047 encoded words |
| mimeheader __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i |
| meta DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH_MT || __DOC_ATTACH_MT) |
| describe DOC_ATTACH_NO_EXT Document attachment with suspicious name |
| |
| mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i |
| |
| # see https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39?gi=7ec45f2481ce |
| # the extension is checked in both Content-Disposition filename= and |
| # Content-Type name= so it is caught whichever header carries it |
| mimeheader __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename="?[^"]+\.SettingContent-ms\b/i |
| mimeheader __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i |
| meta MALW_ATTACH __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02 |
| describe MALW_ATTACH Attachment filename suspicious, probable malware exploit |
| |
| # FIXME: inside a character class "$" is a literal dollar sign, so [";$] does |
| # not match end-of-header. An unquoted filename=foo.iso with nothing after it |
| # is missed by __ISO_ATTACH and only the MIME-type sub-rule below can catch |
| # it. If end-of-value was intended, \.iso(?:[";\s]|$) expresses that; any |
| # change widens the match and should be re-masschecked. |
| mimeheader __ISO_ATTACH Content-Disposition =~ m,\bfilename="?[^"]+\.iso[";$],i |
| mimeheader __ISO_ATTACH_MT Content-Type =~ m,\bapplication/x-iso9660-image\b,i |
| meta ISO_ATTACH __ISO_ATTACH || __ISO_ATTACH_MT |
| describe ISO_ATTACH ISO attachment - possible malware delivery |
| score ISO_ATTACH 3.000 # limit |
| else |
| meta __HTML_ATTACH_01 0 |
| meta __HTML_ATTACH_02 0 |
| meta __CTYPE_NULL 0 |
| meta __ZIP_ATTACH_NOFN 0 |
| meta __ATTACH_NAME_NO_EXT 0 |
| meta __ZIP_ATTACH_MT 0 |
| meta __MALW_ATTACH_01_01 0 |
| meta __MALW_ATTACH_01_02 0 |
| meta __ISO_ATTACH 0 |
| meta __ISO_ATTACH_MT 0 |
| endif |
| |
| # general case of spample observation |
| #header MUA_ONE_WORD X-Mailer =~ /^[A-Za-z][a-z]*$/ |
| #describe MUA_ONE_WORD Single word X-Mailer: not CamelCase |
| |
| # generic salutation of the "Dear Email User" / "Attention: Webmail account User" |
| # family, at the start of a line, case-insensitive |
| body DEAR_EMAIL_USER /^\s?(?:Dear\s|Attention:?\s?)(?:E|Web)-?mail\s(?:account\s)?User\b/i |
| describe DEAR_EMAIL_USER Dear Email User: |
| #score DEAR_EMAIL_USER 3.0 |
| |
| |
| # from users list spamples 8/2009 |
| # host made of two or more all-digit labels followed by a two-letter ccTLD |
| uri URI_NUMERIC_CCTLD m;^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/;i |
| describe URI_NUMERIC_CCTLD CCTLD URI with multiple numeric subdomains |
| |
| # various MUAs |
| header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/ |
| header __PHPMAILER_MUA X-Mailer =~ /^PHPMailer\b/ |
| |
| # the two branches differ only in the extra !__DKIM_DEPENDABLE exclusion, |
| # which is only defined when the DKIM plugin is loaded |
| ifplugin Mail::SpamAssassin::Plugin::DKIM |
| meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH |
| else |
| meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH |
| endif |
| describe PHP_NOVER_MUA Mail from PHP with no version number |
| score PHP_NOVER_MUA 3.000 # limit |
| tflags PHP_NOVER_MUA publish |
| |
| |
| # From should have whitespace between the comment and the address |
| # Better S/O, good enough for standalone rule |
| # quoted display name immediately followed by "<", with no space between |
| header __FROM_MISSPACED From =~ /^\s*"[^"]*"</ |
| |
| # legit mailers known to misspace from |
| header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/ |
| header __XEROXWORKCTR_MUA X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/ |
| header __AMADEUSMS_MUA X-Mailer =~ /^Amadeus Messaging Server/ |
| header __FLASHMAIL_MUA X-Mailer =~ /^NetEase Flash Mail \d/ |
| |
| |
| # meta with some stuff to reduce FPs; the four MUA sub-rules above are among |
| # the exclusions, as are several structural "looks legit" sub-rules |
| meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA |
| describe FROM_MISSPACED From: missing whitespace |
| score FROM_MISSPACED 2.00 |
| |
| # Encrypted mail provider unable to properly format their headers (as of 07/2011) |
| # matched on the untrusted relay's HELO; used as an FP exclusion below |
| header __RCVD_ZIXMAIL X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net / |
| |
| # Poorer S/O than FROM_MISSPACED but better performance in metas |
| # any non-space character directly before "<" (decoded header) |
| header __FROM_RUNON From =~ /\S+<\w+/ |
| # same test on the raw header; the lookbehind excludes "?=<" so an RFC 2047 |
| # encoded word ending right before the address is not counted |
| header __FROM_RUNON_UNCODED From:raw =~ /\S+(?<!\?=)<\w+/ |
| |
| ifplugin Mail::SpamAssassin::Plugin::SPF |
| #meta FROM_MISSP_SPF_FAIL1 (__FROM_RUNON && !SPF_PASS) |
| #tflags FROM_MISSP_SPF_FAIL1 net |
| meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL) |
| tflags FROM_MISSP_SPF_FAIL net |
| score FROM_MISSP_SPF_FAIL 2.00 # limit |
| endif |
| |
| # run-on raw From whose address also matches the envelope sender; the |
| # __LCL__ alias makes this safe to load without HeaderEval |
| meta __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __LCL__ENV_AND_HDR_FROM_MATCH |
| meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA |
| describe FROM_MISSP_EH_MATCH From misspaced, matches envelope |
| score FROM_MISSP_EH_MATCH 2.00 # max |
| |
| # most hits > 10 points already |
| #meta __FROM_MISSP_URI __FROM_RUNON_UNCODED && __HAS_ANY_URI |
| #meta FROM_MISSP_URI __FROM_MISSP_URI && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !MISSING_MIMEOLE && !__REPTO_QUOTE && !__UNSUB_LINK && !__MSGID_OK_HEX && !__MAIL_LINK && !__MIME_QP && !__BUGGED_IMG && !MIME_BASE64_TEXT && !__CTYPE_MULTIPART_ALT && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__THREADED && !__TAG_EXISTS_META |
| #describe FROM_MISSP_URI From misspaced, has URI |
| #score FROM_MISSP_URI 2.00 # max |
| |
| # run-on From combined with other rules defined outside this file |
| meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER) |
| describe FROM_MISSP_USER From misspaced, from "User" |
| |
| # all hits > 10 points already |
| #meta FROM_MISSP_NO_TO (__FROM_RUNON && MISSING_HEADERS) |
| #describe FROM_MISSP_NO_TO From misspaced, To missing |
| |
| meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED) |
| describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed |
| |
| # 0 hits 8/2016 |
| #ifplugin Mail::SpamAssassin::Plugin::DKIM |
| # meta __FROM_MISSP_DKIM (__FROM_RUNON_UNCODED && __DKIM_DEPENDABLE) |
| # tflags __FROM_MISSP_DKIM net |
| # meta FROM_MISSP_DKIM __FROM_MISSP_DKIM && !__CTYPE_MULTIPART_ALT && !__MIME_QP && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__MIME_BASE64 && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA |
| # describe FROM_MISSP_DKIM From misspaced, DKIM dependable |
| #else |
| # meta __FROM_MISSP_DKIM 0 |
| #endif |
| |
| # run-on From plus a Reply-To header, minus the usual "looks legit" exclusions |
| meta __FROM_MISSP_REPLYTO __FROM_RUNON && __HAS_REPLY_TO |
| meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY |
| describe FROM_MISSP_REPLYTO From misspaced, has Reply-To |
| score FROM_MISSP_REPLYTO 2.500 # limit |
| |
| ## To the same |
| #header TO_MISSPACED To =~ /^\s*"[^"]*"</ |
| #describe TO_MISSPACED To: missing whitespace |
| #score TO_MISSPACED 0.25 |
| |
| ifplugin Mail::SpamAssassin::Plugin::FreeMail |
| # FREEMAIL_FROM / FREEMAIL_REPLYTO come from the FreeMail plugin, hence the guard |
| meta __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO) |
| meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA |
| describe FROM_MISSP_FREEMAIL From misspaced + freemail provider |
| #score FROM_MISSP_FREEMAIL 2.0 |
| else |
| # only the sub-rule is stubbed; the scoring rule simply does not exist without the plugin |
| meta __FROM_MISSP_FREEMAIL 0 |
| endif |
| |
| # run-on From combined with a claimed Microsoft mailer / MIMEOLE stamp |
| meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS) |
| describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool |
| #score FROM_MISSP_MSFT 3.5 |
| |
| # run-on From combined with dynamic-looking reverse DNS on the relay |
| meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC |
| describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS |
| #score FROM_MISSP_DYNIP 2.0 |
| |
| |
| # observed in spam 8/2009 |
| # \1 backreference: the X-Mailer value reappears verbatim as the Organization |
| # value (or vice versa) somewhere later in the full header block |
| header __MUA_EQ_ORG_1 ALL =~ /\nX-Mailer: ([^\n]+)\n.*Organization: \1\n/ism |
| header __MUA_EQ_ORG_2 ALL =~ /\nOrganization: ([^\n]+)\n.*X-Mailer: \1\n/ism |
| meta MAILER_EQ_ORG __MUA_EQ_ORG_1 || __MUA_EQ_ORG_2 |
| describe MAILER_EQ_ORG X-Mailer: same as Organization: |
| #tflags MAILER_EQ_ORG publish |
| |
| # same idea for the From display name vs. Organization; the meta is currently disabled |
| header __FROM_EQ_ORG_1 ALL =~ /\nFrom: "?([^\n]+)"? <[^>]+>\n.*Organization: \1\n/ism |
| header __FROM_EQ_ORG_2 ALL =~ /\nOrganization: ([^\n]+)\n.*From: "?\1"?/ism |
| #meta FROM_EQ_ORG __FROM_EQ_ORG_1 || __FROM_EQ_ORG_2 |
| #describe FROM_EQ_ORG From: same as Organization: |
| #tflags FROM_EQ_ORG publish |
| |
| |
| # observed in UCE 9/2009 |
| #header __HDRS_LCASE ALL =~ /\n(?:Reply-to|Message-id|Content-type|X-MSMail-priority|from|subject|to|Disposition-notification-to):/sm |
| # header names in non-canonical capitalization (note: no /i flag, the listed |
| # spellings are matched exactly); counted up to 3 times so the |
| # __HDRS_LCASE > 1 / > 2 metas further down can fire |
| header __HDRS_LCASE ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm |
| tflags __HDRS_LCASE multiple maxhits=3 |
| |
| # __MSGID_APPLEMAIL is uppercase-only GUID message_id. This may be redundant. |
| # well-formed 8-4-4-4-12 hex GUID, any case |
| header __MSGID_GUID Message-ID =~ /^<?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\@/i |
| # upper-case only, and tolerant of groups one character short |
| header __MSGID_GUID_LOOSE Message-ID =~ /^<?[0-9A-Z]{8}-(?:[0-9A-Z]{3,4}-){3}[0-9A-Z]{11,12}\@/ |
| # GUID-shaped but not a valid GUID |
| meta __MSGID_GUID_FAKE __MSGID_GUID_LOOSE && !__MSGID_GUID |
| # It would be nice if somebody could identify the MUA/MTA that generates this: |
| header __MSGID_HEX_UID Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/ |
| # It would be nice if somebody could identify the MUA/MTA that generates this: |
| header __MSGID_HEXISH Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/ |
| |
| # MUAs and MTAs known or suspected to do this |
| header __UA_MSOMAC User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/ |
| # __MSGID_JAVAMAIL, __UA_MSOEMAC and __MSGID_APPLEMAIL are defined outside this file |
| meta __HDRS_LCASE_KNOWN __MSGID_JAVAMAIL || __UA_MSOEMAC || __UA_MSOMAC || __MSGID_APPLEMAIL || __MSGID_HEX_UID || __MSGID_HEXISH |
| |
| # The FreeMail and non-FreeMail branches are identical except for the extra |
| # !__freemail_safe exclusion, which only exists with that plugin loaded. |
| ifplugin Mail::SpamAssassin::Plugin::FreeMail |
| meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO |
| else |
| meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO |
| endif |
| describe HDRS_LCASE Odd capitalization of message header |
| score HDRS_LCASE 0.10 # limit |
| # hit counts come from "tflags __HDRS_LCASE multiple maxhits=3" |
| meta __MANY_HDRS_LCASE __HDRS_LCASE > 1 |
| meta __TOOMANY_HDRS_LCASE __HDRS_LCASE > 2 |
| ifplugin Mail::SpamAssassin::Plugin::FreeMail |
| meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE |
| else |
| meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE |
| endif |
| describe MANY_HDRS_LCASE Odd capitalization of multiple message headers |
| score MANY_HDRS_LCASE 0.10 # limit |
| |
| # Some metas that appear to perform well in masscheck |
| #meta __HDRS_LCASE_1K __HDRS_LCASE && __SINGLE_HEADER_1K |
| #meta HDRS_LCASE_1K __HDRS_LCASE_1K && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__MIME_QP && !__BUGGED_IMG && !__BOUNCE_RPATH_NULL && !__NOT_SPOOFED && !__DKIM_EXISTS && !__RDNS_NONE |
| #describe HDRS_LCASE_1K Odd capitalization of message headers + long header |
| #score HDRS_LCASE_1K 0.50 # limit |
| meta HDRS_LCASE_IMGONLY __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN |
| describe HDRS_LCASE_IMGONLY Odd capitalization of message headers + image-only HTML |
| score HDRS_LCASE_IMGONLY 0.10 # limit |
| |
| |
| |
| |
| # observed in UCE from India, 9/2009 |
| # empty angle-address "<>" in the return-receipt header |
| header MDN_BOTCHED Disposition-notification-to =~ /<>/ |
| describe MDN_BOTCHED Malformed return receipt header |
| |
| # observed in spam 9/2009 |
| # Subject:, From: or To: whose colon is immediately followed by a non-space |
| header __HDRS_MISSP ALL =~ /\n(?:Subject|From|To):\S/ism |
| meta HDRS_MISSP __HDRS_MISSP && !__TAG_EXISTS_HEAD && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH |
| describe HDRS_MISSP Misspaced headers |
| score HDRS_MISSP 2.000 # limit |
| |
| # literal placeholder boundary string left in by a spam tool |
| header SPAMMY_MIME_BDRY_01 Content-Type =~ /boundary="\@\@BOUNDARY"/ |
| describe SPAMMY_MIME_BDRY_01 Spammy MIME boundary string |
| #score SPAMMY_MIME_BDRY_01 0.10 |
| |
| # testing |
| # boundary of 8+ dashes followed by 16 digits with no zero among them |
| header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/ |
| meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z |
| describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary |
| |
| # too dangerous even if it has a good S/O and hits >20% of spam in masschecks |
| #meta TBIRD_SPOOF __MUA_TBIRD && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__THREADED && !__VIA_ML && !__NOT_SPOOFED && !__HAS_SENDER && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__RP_MATCHES_RCVD && !ALL_TRUSTED && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL_MESSY && !__MIME_BASE64 && !__S25R_1 |
| #describe TBIRD_SPOOF Claims Thunderbird mail client but looks suspicious |
| #score TBIRD_SPOOF 2.00 # limit |
| |
| # seen in a few HTML fraud spams |
| # NOTE(review): the escaped character inside the group appears to be a literal |
| # U+00AD soft hyphen, invisible in most editors -- confirm the byte survives |
| # copying; three in a row are required |
| rawbody RUNON_SHY /(?:\­){3}/i |
| describe RUNON_SHY Repeating soft hyphens |
| #score RUNON_SHY 0.1 |
| tflags RUNON_SHY nopublish |
| |
| # Seen all too often |
| # well-known placeholder / example domains left in the To: header |
| header LAZY_LISTWASHING To =~ /\@(?:example\.com|example\.domain|your\.domain|some\.domain|domain\.dom|somewhere\.tld|somewhere\.com|your\.?domain\.com|your\.favorite\.machine)\b/i |
| describe LAZY_LISTWASHING Lazy spammer, painfully obvious bogus addresses |
| #score LAZY_LISTWASHING 0.25 |
| |
| # Little to work with |
| # "please/kindly review|see [word] attached|attachment" and "download the attachment"; |
| # both feed the *_RVW_ATTCH metas below |
| body __PLS_REVIEW /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i |
| body __DLND_ATTACH /\bdownload\sthe\sattach(?:ed|ment)\b/i |
| |
| ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
| # Word/RTF attachment detected either by MIME type or by a quoted filename |
| # ending in .doc/.docx/.rtf in Content-Type or Content-Disposition |
| mimeheader __DOC_ATTACH_MT Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i |
| mimeheader __DOC_ATTACH_FN1 Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i |
| mimeheader __DOC_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i |
| meta __DOC_ATTACH (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2) |
| # same three-way detection for PDF |
| mimeheader __PDF_ATTACH_MT Content-Type =~ m,\bapplication/pdf\b,i |
| mimeheader __PDF_ATTACH_FN1 Content-Type =~ /="[^"]+\.pdf"/i |
| mimeheader __PDF_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.pdf"/i |
| meta __PDF_ATTACH (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2) |
| |
| # observed in 419 spam |
| # two size= parameters in a single Content-Disposition value |
| mimeheader CDISP_SZ_MANY Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/ |
| describe CDISP_SZ_MANY Suspicious MIME header |
| score CDISP_SZ_MANY 2.0 # limit |
| else |
| # stubs so the FREEMAIL_DOC_PDF / DOC_ATTACH_NO_EXT metas still parse |
| meta __DOC_ATTACH_MT 0 |
| meta __DOC_ATTACH_FN1 0 |
| meta __DOC_ATTACH_FN2 0 |
| meta __DOC_ATTACH 0 |
| meta __PDF_ATTACH_MT 0 |
| meta __PDF_ATTACH_FN1 0 |
| meta __PDF_ATTACH_FN2 0 |
| meta __PDF_ATTACH 0 |
| endif |
| |
| ifplugin Mail::SpamAssassin::Plugin::FreeMail |
| # document or PDF attachment from a freemail From or Reply-To |
| meta __FREEMAIL_DOC_PDF (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) |
| meta FREEMAIL_DOC_PDF __FREEMAIL_DOC_PDF |
| describe FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail |
| |
| meta FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED |
| describe FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden |
| |
| meta FREEMAIL_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF |
| describe FREEMAIL_RVW_ATTCH Please review attached document, from freemail |
| endif |
| |
| # "please review the attachment" body text with an otherwise empty body; |
| # not plugin-gated, so it loads even without FreeMail |
| meta EMPTY_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __EMPTY_BODY |
| describe EMPTY_RVW_ATTCH Please review attached document, empty message |
| |
| # spammy "to stop receiving these emails ..." phrasing with many verb variants. |
| # FIXME: "(?:a-z{1,30} ){0,4}" has no brackets, so it matches the literal |
| # characters "a-" followed by 1-30 "z", not a word as "[a-z]{1,30}" would; that |
| # optional alternative effectively never matches and the rule is narrower than |
| # its shape suggests. Fixing it widens the match, so re-masscheck before changing. |
| body __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:a-z{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i |
| # the DKIM branch additionally excludes dependable / signed messages |
| ifplugin Mail::SpamAssassin::Plugin::DKIM |
| meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED |
| else |
| meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER |
| endif |
| describe END_FUTURE_EMAILS Spammy unsubscribe |
| score END_FUTURE_EMAILS 2.500 # limit |
| |
| |
| # "complaints about this ad" (with any number of trailing d's) in the body |
| body AD_COMPLAINTS /\bcomplaints about this ad+\b/i |
| describe AD_COMPLAINTS Complain about this spam |
| |
| # observed in bank phishing 09/2009 |
| #rawbody MISQ_HTML /<\w{2,20}[^>=]{1,30}=[^"][^">]{1,30}[^=]"[\s>]/ |
| #describe MISQ_HTML Unbalanced quotes in HTML tag |
| #tflags MISQ_HTML nopublish |
| |
| # observed in bank phishing 09/2009 |
| # image file hot-linked from a wikimedia/wikipedia host |
| uri WIKI_IMG m,^https?://[^/]+wiki[mp]edia\.org/.+\.(?:png|gif|jpe?g),i |
| describe WIKI_IMG Image from wikipedia |
| |
| # observed in spam 09/2009 |
| # Subject starting with a doubled colon after RE |
| header SUBJ_RE_CLNCLN Subject =~ /^\s*RE::/ |
| describe SUBJ_RE_CLNCLN Subject RE:: |
| |
| # observed in spam 02/2011 |
| header TO_SEM_SEM To =~ /;;/ |
| describe TO_SEM_SEM To has ";;" |
| # nopublish: kept out of the published rule updates |
| tflags TO_SEM_SEM nopublish |
| |
| # at least six dot-separated host labels (each 1-30 chars) in one URI |
| uri __MANY_SUBDOM m;^https?://(?:[^\./]{1,30}\.){6};i |
| meta MANY_SUBDOM __MANY_SUBDOM && !__JM_REACTOR_DATE && !__UNSUB_LINK && !__VIA_ML && !NO_RELAYS && !__UPPERCASE_URI && !__MIME_QP |
| describe MANY_SUBDOM Lots and lots of subdomain parts in a URI |
| |
| # by request of Benny Pedersen <me@junc.org> on the users list 10/9/2009 |
| #meta RFC_ABUSE_POST (__DNS_FROM_RFC_ABUSE && __DNS_FROM_RFC_POST) |
| #describe RFC_ABUSE_POST Both abuse and postmaster missing on sender domain |
| #score RFC_ABUSE_POST 0.01 |
| #tflags RFC_ABUSE_POST net |
| |
| # Skype click-to-call boilerplate in the body; no describe line is given for this rule |
| body CALL_SKYPE /\bCall this phone number [\w\s]{0,30}with Skype\b/ |
| |
| # <SPAN> tags shouldn't appear in the midst of text |
| # opening <span directly after two letters; (?i:span) makes only the tag name |
| # case-insensitive. Counted up to 5 hits so the "> 4" test below works. |
| rawbody __SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/ |
| tflags __SPAN_BEG_TEXT multiple maxhits=5 |
| # closing </span> directly followed by three letters |
| rawbody __SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/ |
| tflags __SPAN_END_TEXT multiple maxhits=5 |
| meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4) |
| meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML |
| describe MANY_SPAN_IN_TEXT Many <SPAN> tags embedded within text |
| tflags MANY_SPAN_IN_TEXT publish |
| #score MANY_SPAN_IN_TEXT 2.50 |
| |
| #uri __FEEDPROXY_URI m;http://feedproxy\.google\.com/;i |
| #rawbody __FEEDPROXY m;http://feedproxy\.google\.com/;i |
| #tflags __FEEDPROXY multiple maxhits=5 |
| #meta MANY_GOOG_PROXY __FEEDPROXY > 4 |
| #describe MANY_GOOG_PROXY Many Google feedproxy URIs |
| |
| # inline style attribute containing, twice, either a single-digit-pixel |
| # FONT-SIZE or a FLOAT: left/right, with other properties allowed in between |
| rawbody TINY_FLOAT /\bstyle\s*=\s*"[^"]{0,40}?(?:(?:FONT-SIZE\s*:\s+\dpx|FLOAT\s*:\s+(?:right|left))(?:;\s+)?(?:(?!(?:FONT-SIZE|FLOAT))\w+:\s+\w+;?\s*)*){2}/i |
| describe TINY_FLOAT Has small-font floating HTML - text obfuscation? |
| #score TINY_FLOAT 2.00 |
| |
| |
| # endless requests on the users list... |
| # the address captured from From: (\1) reappears on a To: line that follows |
| # within lines of at most 100 chars; second rule handles To: before From: |
| header __TO_EQ_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism |
| header __TO_EQ_FROM_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism |
| meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2) |
| describe __TO_EQ_FROM To: same as From: |
| #tflags __TO_EQ_FROM publish |
| |
| # Suggested by Hans-Werner Friedemann on users list 09/30/2010 |
| # From: address also appears in a later Subject: line |
| header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,\s\n]/ism |
| meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID |
| describe FROM_IN_TO_AND_SUBJ From address is in To and Subject |
| tflags FROM_IN_TO_AND_SUBJ publish |
| |
| # recipient address in the Subject, found three ways: from To: (1), from the |
| # "for <addr>" clause of a Received: line (2), or an address spotted in the |
| # Subject that is then found in a later To: (3) |
| header __SUBJ_HAS_TO_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism |
| header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism |
| header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism |
| meta __TO_IN_SUBJ (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3) |
| meta TO_IN_SUBJ __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW |
| describe TO_IN_SUBJ To address is in Subject |
| tflags TO_IN_SUBJ publish |
| score TO_IN_SUBJ 0.1 |
| |
| # To == From refinements; each pairs __TO_EQ_FROM with one more signal and |
| # strips the usual "looks legit" sub-rules |
| meta __TO_EQ_FM_HTML_ONLY __TO_EQ_FROM && MIME_HTML_ONLY |
| meta TO_EQ_FM_HTML_ONLY __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTER |
| describe TO_EQ_FM_HTML_ONLY To == From and HTML only |
| #tflags TO_EQ_FM_HTML_ONLY publish |
| |
| meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX |
| meta TO_EQ_FM_DIRECT_MX __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED |
| describe TO_EQ_FM_DIRECT_MX To == From and direct-to-MX |
| score TO_EQ_FM_DIRECT_MX 2.500 # limit |
| tflags TO_EQ_FM_DIRECT_MX publish |
| |
| # Why __HUSH_HUSH hits ham on this in masscheck I don't know. Legit bank emails maybe? |
| meta __TO_EQ_FM_HTML_DIRECT __TO_EQ_FM_DIRECT_MX && MIME_HTML_ONLY |
| meta TO_EQ_FM_HTML_DIRECT __TO_EQ_FM_HTML_DIRECT && !__HUSH_HUSH |
| describe TO_EQ_FM_HTML_DIRECT To == From and HTML only, direct-to-MX |
| #tflags TO_EQ_FM_HTML_DIRECT publish |
| |
| ifplugin Mail::SpamAssassin::Plugin::SPF |
| # To == From with an SPF failure; tflags net because SPF_FAIL needs DNS |
| meta __TO_EQ_FM_SPF_FAIL __TO_EQ_FROM && SPF_FAIL |
| tflags __TO_EQ_FM_SPF_FAIL net |
| meta TO_EQ_FM_SPF_FAIL __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED |
| describe TO_EQ_FM_SPF_FAIL To == From and external SPF failed |
| tflags TO_EQ_FM_SPF_FAIL net |
| else |
| meta __TO_EQ_FM_SPF_FAIL 0 |
| endif |
| |
| # Paul Stead on SA list 11/2014 |
| # The possessive quantifiers (++) used below are not supported by perl 5.8.x, |
| # hence the perl-version guard. No else branch: every rule in the block, |
| # including the scoring metas, is simply absent on older perls. |
| if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) |
| # To: address (\1) reused as the From: display name while the From: angle |
| # address ((?!\1)...) is something else; second rule covers the other header order |
| header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism |
| header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism |
| |
| meta PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER |
| describe PDS_TO_EQ_FROM_NAME From: name same as To: address |
| |
| # From: display name that is itself an email address, differing from the |
| # angle address that follows it. NOTE(review): unlike its sibling, |
| # PDS_FROM_2_EMAILS has no describe line. |
| header __PDS_FROM_2_EMAILS From =~ /^\W+([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i |
| meta PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__CLICK_HERE && !__BUGGED_IMG && !__RP_MATCHES_RCVD |
| endif |
| |
| # URI under WordPress' wp-includes/pomo/ pointing at anything other than the |
| # listed PHP files that ship there; presumably a sub-rule for spotting files |
| # dropped into compromised WordPress installs -- the consuming meta is outside this file |
| uri __PDS_LOC_WP_POMO m;/wp-includes/pomo/(?!(?:entry|po|mo|streams|translations)\.php).*;i |
| |
| |
| # all-digit local parts in the From and To addresses (used as an FP exclusion below) |
| header __FROM_ALL_NUMS From:addr =~ /^\d+@/ |
| header __TO_ALL_NUMS To:addr =~ /^\d+@/ |
| meta __FM_TO_ALL_NUMS __FROM_ALL_NUMS && __TO_ALL_NUMS |
| |
| # domain captured after the "@" of From: reappears after the "@" of a later |
| # To: line, and the reverse header order |
| header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+[^\n]+@\1[>,\s\n]/ism |
| header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+[^\n]+@\1[>,\s\n]/ism |
| meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2) |
| describe __TO_EQ_FROM_DOM To: domain same as From: domain |
| |
| meta __TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FROM_DOM && MIME_HTML_ONLY |
| meta TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FM_DOM_HTML_ONLY && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__FM_TO_ALL_NUMS && !__FROM_LOWER && !__HAS_IN_REPLY_TO && !__BUGGED_IMG && !__FROM_ENCODED_QP && !__MSGID_OK_HEX |
| describe TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only |
| |
| meta __TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE |
| meta TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD |
| describe TO_EQ_FM_DOM_HTML_IMG To domain == From domain and HTML image link |
| |
| ifplugin Mail::SpamAssassin::Plugin::SPF |
| # same-domain To/From with an SPF failure; mirrors TO_EQ_FM_SPF_FAIL above |
| meta __TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FROM_DOM && SPF_FAIL |
| tflags __TO_EQ_FM_DOM_SPF_FAIL net |
| meta TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED |
| describe TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed |
| tflags TO_EQ_FM_DOM_SPF_FAIL net |
| else |
| meta __TO_EQ_FM_DOM_SPF_FAIL 0 |
| endif |
| |
| |
| # Evaluate ReturnPath and blacklist collisions |
| # Each pair flags a sender that is on a ReturnPath Safe/Certified list and |
| # simultaneously on a blocklist. All are "net" (DNS-based inputs) and |
| # "nopublish" (masscheck measurement only, never shipped in rule updates). |
| meta __RP_SAFE_BRBL RCVD_IN_RP_SAFE && RCVD_IN_BRBL_LASTEXT |
| meta __RP_CERTIFIED_BRBL RCVD_IN_RP_CERTIFIED && RCVD_IN_BRBL_LASTEXT |
| tflags __RP_SAFE_BRBL net nopublish |
| tflags __RP_CERTIFIED_BRBL net nopublish |
| meta __RP_SAFE_ZEN RCVD_IN_RP_SAFE && __RCVD_IN_ZEN |
| meta __RP_CERTIFIED_ZEN RCVD_IN_RP_CERTIFIED && __RCVD_IN_ZEN |
| tflags __RP_SAFE_ZEN net nopublish |
| tflags __RP_CERTIFIED_ZEN net nopublish |
| meta __RP_SAFE_SORBS RCVD_IN_RP_SAFE && __RCVD_IN_SORBS |
| meta __RP_CERTIFIED_SORBS RCVD_IN_RP_CERTIFIED && __RCVD_IN_SORBS |
| tflags __RP_SAFE_SORBS net nopublish |
| tflags __RP_CERTIFIED_SORBS net nopublish |
| meta __RP_SAFE_XBL RCVD_IN_RP_SAFE && RCVD_IN_XBL |
| meta __RP_CERTIFIED_XBL RCVD_IN_RP_CERTIFIED && RCVD_IN_XBL |
| tflags __RP_SAFE_XBL net nopublish |
| tflags __RP_CERTIFIED_XBL net nopublish |
| meta __RP_SAFE_PSBL RCVD_IN_RP_SAFE && RCVD_IN_PSBL |
| meta __RP_CERTIFIED_PSBL RCVD_IN_RP_CERTIFIED && RCVD_IN_PSBL |
| tflags __RP_SAFE_PSBL net nopublish |
| tflags __RP_CERTIFIED_PSBL net nopublish |
| #meta __RP_SAFE_ANBREP_L3 RCVD_IN_RP_SAFE && RCVD_IN_ANBREP_L3 |
| #meta __RP_CERTIFIED_ANBREP_L3 RCVD_IN_RP_CERTIFIED && RCVD_IN_ANBREP_L3 |
| #tflags __RP_SAFE_ANBREP_L3 net nopublish |
| #tflags __RP_CERTIFIED_ANBREP_L3 net nopublish |
| |
| # a URI in the From comment text, to bypass URIBL checks |
| # simplistic URI format for now |
| # (1) "www" + separator + host + TLD, followed later by a quote or "<", i.e. in |
| # the display-name part; (2) a bare http:// URL anywhere in the header |
| header __FROM_URI_1 From =~ /[^\@]www[.\s][^\s"<\@]+[.\s](?:com|net|info|biz|org|\w\w)\b.*["<]/i |
| header __FROM_URI_2 From =~ m;http://(?:[^.\s]+\.){1,3}(?:com|net|info|biz|org|\w\w)\b;i |
| meta FROM_URI __FROM_URI_1 || __FROM_URI_2 |
| describe FROM_URI URI or www. in From |
| |
| # observed in spam feb 2010 |
| # Apparently-To per RFC2821 SHOULD NOT be used |
| # counted up to 21 times so the "> 20" threshold below is reachable |
| header __APPARENTLY_TO Apparently-To =~ /<.*>/ |
| tflags __APPARENTLY_TO multiple maxhits=21 nopublish |
| meta HAS_APPARENTLY_TO __APPARENTLY_TO > 0 |
| describe HAS_APPARENTLY_TO Has deprecated Apparently-To header |
| #score HAS_APPARENTLY_TO 0.50 |
| tflags HAS_APPARENTLY_TO nopublish |
| meta MANY_APPARENTLY_TO __APPARENTLY_TO > 20 |
| describe MANY_APPARENTLY_TO Has many Apparently-To headers |
| #score MANY_APPARENTLY_TO 2.00 |
| tflags MANY_APPARENTLY_TO nopublish |
| |
| # obfuscation of "opt out" |
| # Uses ReplaceTags (<O><P><T>...) so each letter may be a look-alike; the |
| # negative lookahead excludes the plainly spelled "opt out"/"optout" so only |
| # obfuscated forms hit. Guarded by ifplugin since replace_rules needs the plugin. |
| ifplugin Mail::SpamAssassin::Plugin::ReplaceTags |
| body FUZZY_OPTOUT /\s(?!opt.?out)<O><P><T>.?<O><U><T>/i |
| replace_rules FUZZY_OPTOUT |
| describe FUZZY_OPTOUT Obfuscated opt-out text |
| endif |
| |
| # stock spam disclaimer obfuscation |
| # body GAPPY_TRADING /\b(?!trading)t[^a-z\s]?r[^a-z\s]?a[^a-z\s]?d[^a-z\s]?i[^a-z\s]?n[^a-z\s]?g/i |
| # body GAPPY_SECURITIES /\b(?!securities)s[^a-z\s]?e[^a-z\s]?c[^a-z\s]?u[^a-z\s]?r[^a-z\s]?i[^a-z\s]?t[^a-z\s]?i[^a-z\s]?e[^a-z\s]?s/i |
| # body GAPPY_RISK /\b(?!risky?)r[^a-z\s]?i[^a-z\s]?s[^a-z\s]?k(?:[^a-z\s]?y)?/i |
| # body GAPPY_SELLING /\b(?!selling)s[^a-z\s]?e[^a-z\s]?l[^a-z\s]?l[^a-z\s]?i[^a-z\s]?n[^a-z\s]?g/i |
| # body GAPPY_HUNDRED /\b(?!hundred)h[^a-z\s]?u[^a-z\s]?n[^a-z\s]?d[^a-z\s]?r[^a-z\s]?e[^a-z\s]?d/i |
| # body GAPPY_THOUSAND /\b(?!thousand)t[^a-z\s]?h[^a-z\s]?o[^a-z\s]?u[^a-z\s]?s[^a-z\s]?a[^a-z\s]?n[^a-z\s]?d/i |
| # body GAPPY_EXPENSES /\b(?!expenses)e[^a-z\s]?x[^a-z\s]?p[^a-z\s]?e[^a-z\s]?n[^a-z\s]?s[^a-z\s]?e[^a-z\s]?s/i |
| # body GAPPY_DOLLARS /\b(?!dollars)d[^a-z\s]?o[^a-z\s]?l[^a-z\s]?l[^a-z\s]?a[^a-z\s]?r[^a-z\s]?s/i |
| # |
| # describe GAPPY_TRADING Possible obfuscated stock disclaimer |
| # describe GAPPY_SECURITIES Possible obfuscated stock disclaimer |
| # describe GAPPY_RISK Possible obfuscated stock disclaimer |
| # describe GAPPY_SELLING Possible obfuscated stock disclaimer |
| # describe GAPPY_HUNDRED Possible obfuscated stock disclaimer |
| # describe GAPPY_THOUSAND Possible obfuscated stock disclaimer |
| # describe GAPPY_EXPENSES Possible obfuscated stock disclaimer |
| # describe GAPPY_DOLLARS Possible obfuscated stock disclaimer |
| |
| # "Gappy" words: letters separated by single non-letter characters. The |
| # lookaheads exclude the correctly spelled word so only obfuscated forms hit. |
| body GAPPY_GENITALIA /\bp(?!enis)(?!en is)[^a-z]?e[^a-z]?n[^a-z]?i[^a-z]?s(?:\b|_)/i |
| describe GAPPY_GENITALIA G.a.p.p.y male body parts |
| |
| body GAPPY_PILLS /\bp(?!ills)[^a-z]?i[^a-z]?l[^a-z]?l[^a-z]?s(?:\b|_)/i |
| describe GAPPY_PILLS G.a.p.p.y pills |
| |
| # HTML markers used by the gibberish metas below: a <style> tag with up to |
| # 30 characters of attributes, and the <x-html> wrapper. |
| body __STYLE_TAG_IN_BODY /<style(?:[^>]{0,30})?>/i |
| body __BODY_XHTML /<x-html>/i |
| |
| #if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) |
| # # possessive {0,4}+ requires perl 5.10 or better |
| # rawbody __STYLE_GIBBERISH_1 /<style(?:\s[^>]{0,40})?>(?:\s{0,100}(?!<\/style>)(?:(?:\/\*(?:\s|[^*<]|\*(?!\/)|<(?!\/style>|!--)){0,200}\*\/)|\#[^{<]{1,50}\{[^}<]{4,100}\})){0,4}+(?:\s{0,100}(?!<\/style>|\/\*|<!--)(?:\/{3,}?\*|,,?+|;;?+|::?+|\|\|?+|[^\s:;,\|]|[:;,\|\/]{2})){150}/im |
| #else |
| # # older perl, can't deal with style comments properly |
| # rawbody __STYLE_GIBBERISH_1 /<style(?:\s[^>]{0,40})?>(?:\s{0,100}(?!<\/style>|\/\*)[^\s:;,]){150}/im |
| #endif |
| #rawbody __STYLE_GIBBERISH_2 /\.style\w{0,20}\s{1,10}\{[^:;]{200}/im |
| #rawbody __STYLE_GIBBERISH_3 /<style(?:\s[^>]{0,40})?>\s{0,80}(?:[\w:]{1,30}\s{0,10}\{[^}]{1,50}\}\s{0,80}){1,5}(?:[\w,.']{1,30}\s{1,10}){40}/im |
| #meta __STYLE_GIBBERISH (__STYLE_GIBBERISH_1 || __STYLE_GIBBERISH_2 || __STYLE_GIBBERISH_3) |
| #meta STYLE_GIBBERISH __STYLE_GIBBERISH && (__BODY_XHTML || !__STYLE_TAG_IN_BODY) && !__RCD_RDNS_MX_MESSY && !__HAS_THREAD_INDEX && !__ANY_OUTLOOK_MUA && !__MIME_QP && !ALL_TRUSTED |
| #describe STYLE_GIBBERISH Nonsense in HTML <STYLE> tag |
| #score STYLE_GIBBERISH 3.50 # limit |
| #tflags STYLE_GIBBERISH publish |
| |
| # Junk text inside <script>: 100 characters with no ";" and no "<" right after |
| # the opening tag. Both subrules match only a bare "<script>" with no |
| # attributes, so "<script type=...>" is seen by neither (NOTE(review): confirm |
| # that is intended). SCRIPT_GIBBERISH additionally requires no <meta> tag. |
| body __SCRIPT_TAG_IN_BODY /<script>/i |
| rawbody __SCRIPT_GIBBERISH /<script>[^;<]{100}/im |
| meta SCRIPT_GIBBERISH __SCRIPT_GIBBERISH && (__BODY_XHTML || !__SCRIPT_TAG_IN_BODY) && !__TAG_EXISTS_META |
| describe SCRIPT_GIBBERISH Nonsense in HTML <SCRIPT> tag |
| |
| # An HTML comment holding 100 short whitespace-separated words; the meta |
| # excludes a few known legitimate senders/MTAs to limit false positives. |
| rawbody __COMMENT_GIBBERISH /<!--(?:\s{1,10}[-\w'"]{1,40}){100}/im |
| meta COMMENT_GIBBERISH __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT |
| describe COMMENT_GIBBERISH Nonsense in long HTML comment |
| score COMMENT_GIBBERISH 1.50 # limit |
| tflags COMMENT_GIBBERISH publish |
| |
| #rawbody MANY_DIV_5 /(?:<div[^>]{0,30}>\s{0,80}){5}/im |
| #tflags MANY_DIV_5 nopublish |
| #rawbody MANY_DIV_6 /(?:<div[^>]{0,30}>\s{0,80}){6}/im |
| #tflags MANY_DIV_6 nopublish |
| #rawbody MANY_DIV_7 /(?:<div[^>]{0,30}>\s{0,80}){7}/im |
| #tflags MANY_DIV_7 nopublish |
| #rawbody MANY_DIV_8 /(?:<div[^>]{0,30}>\s{0,80}){8}/im |
| #tflags MANY_DIV_8 nopublish |
| #rawbody MANY_DIV_9 /(?:<div[^>]{0,30}>\s{0,80}){9}/im |
| #tflags MANY_DIV_9 nopublish |
| #rawbody MANY_DIV_10 /(?:<div[^>]{0,30}>\s{0,80}){10}/im |
| #tflags MANY_DIV_10 nopublish |
| |
| #header FROM_TRL_UNDR From =~ /_\@/ |
| #tflags FROM_TRL_UNDR nopublish |
| |
| #body LOTSA_EMAILS /\b(?:thousand|million)\se-?mail(?:\saddresse)?s?\b/i |
| #tflags LOTSA_EMAILS nopublish |
| |
| # Bulk-list sales pitch: a large number (word or 5+ digits with separators) |
| # followed by "email addresses", "leads" or "names", with at most one |
| # intervening word that is not a common connector. |
| body __BIGNUM_EMAILS /\b(?:thousand|million|\d[,\d]{4,})\s(?:(?!and|or|your|place|baby)\w+\s)?(?:e-?mail\saddresses|leads|names)\b/i |
| meta BIGNUM_EMAILS __BIGNUM_EMAILS && !__SPOOFED_URL && !__BUGGED_IMG |
| describe BIGNUM_EMAILS Lots of email addresses/leads |
| score BIGNUM_EMAILS 3.00 # limit |
| #tflags BIGNUM_EMAILS nopublish |
| |
| #rawbody __HTML_ELEM_OBFU /[a-z\s]&\#[91]\d\d?[a-z]/ |
| #tflags __HTML_ELEM_OBFU multiple nopublish |
| #meta HTML_ELEM_OBFU_25 __HTML_ELEM_OBFU > 25 |
| #tflags HTML_ELEM_OBFU_25 nopublish |
| #meta HTML_ELEM_OBFU_50 __HTML_ELEM_OBFU > 50 |
| #tflags HTML_ELEM_OBFU_50 nopublish |
| #meta HTML_ELEM_OBFU_100 __HTML_ELEM_OBFU > 100 |
| #tflags HTML_ELEM_OBFU_100 nopublish |
| #meta HTML_ELEM_OBFU_150 __HTML_ELEM_OBFU > 150 |
| #tflags HTML_ELEM_OBFU_150 nopublish |
| |
| #header PPMC_FROM_1 From =~ /\bPayPa[IL](?:\.Com)?\b/ |
| #describe PPMC_FROM_1 Paypal phishing sign |
| |
| # A path segment that starts with a dot (a "hidden" file or directory), at |
| # least 8 characters into the URI. The separator may be "/", "\" or their |
| # percent-encoded forms %2f/%5c; "." and ".." segments are excluded. |
| uri URI_HIDDEN_2 m;.{8}(?:[/\\]|%(?i:5c|2f))(?!\.\.?[/%\\])\..; |
| describe URI_HIDDEN_2 URI contains a hidden file or directory |
| |
| |
| |
| # Catch spam originating from 41.0.0.0/8 (Africa, incl S.Africa) |
| # Ned Slider, SAU list, 3/11/2010 |
| # Matches "41." at the start of X-Originating-IP, optionally after text and "[". |
| header __NSL_ORIG_FROM_41 X-Originating-IP =~ /^(?:.+\[)?41\./ |
| describe __NSL_ORIG_FROM_41 Originates from 41.0.0.0/8 |
| |
| # Catch spam injected from 41.0.0.0/8 (Africa, incl S.Africa) |
| # Ned Slider, SAU list, 3/11/2010 |
| # consider using khop __RCVD_VIA_AFRINIC_E instead |
| # Uses the parsed X-Spam-Relays-External pseudo-header rather than raw |
| # Received lines (the older raw form is kept commented out below). |
| #header __NSL_RCVD_FROM_41 Received =~ /[([]41\./ |
| header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./ |
| describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8 |
| |
| # Only the external-relay form is combined with LOTS_OF_MONEY here. |
| meta __MONEY_FROM_41 __NSL_RCVD_FROM_41 && LOTS_OF_MONEY |
| meta MONEY_FROM_41 __MONEY_FROM_41 |
| describe MONEY_FROM_41 Lots of money from Africa |
| score MONEY_FROM_41 2.00 # limit |
| |
| |
| # some metas with the above, maybe reduce FPs |
| # Either 41/8 indicator plus a freemail From/Reply-To, excluding threaded |
| # replies. The else branch defines the subrule as 0 so metas that reference |
| # it still lint when the FreeMail plugin is not loaded. |
| ifplugin Mail::SpamAssassin::Plugin::FreeMail |
| meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED |
| describe __FROM_41_FREEMAIL Sent from Africa + freemail provider |
| |
| # meta __FROM_AFR_FREEMAIL __RCVD_VIA_AFRINIC_E && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED |
| # describe __FROM_AFR_FREEMAIL Sent from Africa + freemail provider |
| else |
| meta __FROM_41_FREEMAIL 0 |
| endif |
| |
| # More from Ned |
| # Received lines showing a generic "User" host name, as left by some |
| # compromised Windows machines. |
| header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i |
| describe NSL_RCVD_HELO_USER Received from HELO User |
| |
| header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/ |
| describe NSL_RCVD_FROM_USER Received from User |
| |
| |
| # observed in spam 3/11/2010 |
| # Any dd.dd.dd sequence in the Date header (dots instead of the RFC form). |
| header DATE_DOTS Date =~ /\d\d\.\d\d\.\d\d/ |
| describe DATE_DOTS Periods in date header |
| |
| uri IMAGESHACK_URI /\.imageshack\.us\//i |
| describe IMAGESHACK_URI URI contains imageshack.us |
| |
| #uri __DYNDNS_URI /\.dyndns\.org(?:\/.*)?/i |
| #tflags __DYNDNS_URI multiple maxhits=2 |
| #meta DYNDNS_URIS __DYNDNS_URI > 1 |
| #describe DYNDNS_URIS Has multiple dyndns.org URIs |
| |
| |
| ## Does not perform better than URL_SHORTENER family |
| ## the ones that miss are already scoring 7+ points |
| #uri __BITLY_URI /\/\/bit\.ly\//i |
| #meta BITLY_URI __BITLY_URI && !__HDR_CASE_REVERSED && !__HAS_SENDER && !__HAS_CAMPAIGNID && !__DOS_HAS_LIST_UNSUB && !__HAS_ERRORS_TO && !__MAIL_LINK && !__MSGID_JAVAMAIL && !__ENV_AND_HDR_FROM_MATCH && !__THREADED && !__USING_VERP1 && !__IMG_VIA_BITLY && !__URL_SHORTENER |
| #describe BITLY_URI URI contains bit.ly |
| #score BITLY_URI 3.000 # limit |
| #tflags BITLY_URI publish |
| # |
| ## HTML image sourced via URL shortening service: |
| ## <IMG border=0 hspace=0 alt="" src="http://bit.ly/1OiuN0y" width=26 height=25> |
| #rawbody __IMG_VIA_BITLY m;<img\s[^>]+\ssrc\s*=\s*"?https?://(?:www\.)?bit\.ly/;i |
| #meta IMG_VIA_BITLY __IMG_VIA_BITLY && !SHORTENED_URL_SRC |
| #describe IMG_VIA_BITLY HTML image via URL shortener - URIBL avoidance? |
| #score IMG_VIA_BITLY 2.500 # limit |
| |
| # Host whose first labels end in a well-known TLD but continue with three or |
| # more further labels (e.g. brand.com.x.y.z/), so the visible prefix is not |
| # the registered domain. |
| uri __URI_OBFU_DOM /:\/\/(?:\w+\.)+(?:com|gov|net|org)(?:\.\w+){3,}\//i |
| meta URI_OBFU_DOM __URI_OBFU_DOM && !__VIA_ML |
| describe URI_OBFU_DOM URI pretending to be different domain |
| |
| # Dotted-quad host with a domain-looking token in the path part. |
| uri DQ_URI_DOM_IN_PATH /:\/\/[\d\.]+\/[^\/]+\/[^\@]+[a-z0-9]\w{3,}\.(?:com|gov|net)/i |
| describe DQ_URI_DOM_IN_PATH DQ URI having a domain name in the path part |
| |
| # Same shape, but with a host of 25 or more characters. |
| uri LH_URI_DOM_IN_PATH /:\/\/[^\/]{25,}\/[^\/]+\/[^\@]+[a-z0-9]\w{3,}\.(?:com|gov|net)/i |
| describe LH_URI_DOM_IN_PATH Long-host URI having a domain name in the path part |
| |
| # observed in phish 4/10/10 |
| # No describe or score is given for this rule here. |
| uri URI_1234 m,//1\.2\.3\.4/, |
| |
| # requested by Benny Pedersen 17 Apr 2010, 10 Aug 2011 |
| # __SPF_FULL_PASS: both envelope-sender and HELO SPF checks pass. |
| # __SPF_RANDOM_SENDER: HELO passes but the envelope sender does not. |
| # Both are defined as 0 when the SPF plugin is absent so dependent metas lint. |
| ifplugin Mail::SpamAssassin::Plugin::SPF |
| meta __SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS) |
| tflags __SPF_FULL_PASS net |
| meta __SPF_RANDOM_SENDER (SPF_HELO_PASS && !SPF_PASS) |
| tflags __SPF_RANDOM_SENDER net |
| else |
| meta __SPF_FULL_PASS 0 |
| meta __SPF_RANDOM_SENDER 0 |
| endif |
| |
| # Spam from ZA |
| # Presence of these non-standard headers with any content (/./). |
| header CAN_SPAM_HDR CAN-SPAM_Compliant =~ /./ |
| header RPT_SPAM_HDR Report-SPAM =~ /./ |
| |
| |
| #header LONG_FROM From =~ /<[^<@]{40,}\w\@/ |
| |
| |
| #if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
| # body __MANY_RECORDS_1 /\s[A-Z][a-z]{1,30}s(?:\sDatabase)?[-:\s]{2,5}(?i:1\smillion\s|\d[\d,.]{1,8}[Kk]?\s(?i:thousand\s|million\s)?)(?i:total\s|full\sdata\s)?(?i:email|record)s/ |
| # tflags __MANY_RECORDS_1 multiple maxhits=16 |
| # body __MANY_RECORDS_2 /\W{1,4}\s(?:[a-z\/]{1,20}\s){0,4}(?:doctor|physician|provider|therapist|counselor|dentist|veterinarian|clinic|hospital|agent|chiropractor|psychologist|companie|supplier)s/i |
| # tflags __MANY_RECORDS_2 multiple maxhits=16 |
| # body __MANY_RECORDS_3 /\W{1,4}\s(?:(?:[A-Z]{1,2}[a-z\/]{0,20}|and)\s){0,4}[A-Z][a-z]{1,20}s Database/ |
| # tflags __MANY_RECORDS_3 multiple maxhits=16 |
| # #meta BIG_LISTS (__MANY_RECORDS_1 + __MANY_RECORDS_2 + __MANY_RECORDS_3) > 5 |
| # meta __MANY_BIG_LISTS (__MANY_RECORDS_1 + __MANY_RECORDS_2 + __MANY_RECORDS_3) > 15 |
| # meta MANY_BIG_LISTS __MANY_BIG_LISTS && !HTML_MESSAGE && !__CTYPE_MULTIPART_ANY && !__HS_SUBJ_RE_FW && !__HAS_THREAD_INDEX |
| # describe MANY_BIG_LISTS Lots of mailing lists / databases available! |
| #endif |
| |
| |
| # Suggested by Gerard Z 2010-08-15 |
| #uri __GZ_PILL_SQUAT1 /\/[a-z]{3,8}\d{2}\.html/i |
| #uri __GZ_PILL_SQUAT2 /\/[a-z]{3,8}\d{2}\.jpg/i |
| #meta __GZ_PILL_SQUATTERS __GZ_PILL_SQUAT1 && __GZ_PILL_SQUAT2 |
| #meta GZ_PILL_SQUATTERS __GZ_PILL_SQUATTERS && !__DOS_RELAYED_EXT && !__FROM_ISO_2022_JP && !__RCD_RDNS_MX_MESSY |
| #describe GZ_PILL_SQUATTERS Found a link to rogue pill pusher content |
| |
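| # observed in multiple spam |
| # Header name is written "TO" here while the rest of the file uses "To"; |
| # presumably header names are matched case-insensitively - confirm with lint. |
| header TO_JOHNZY TO =~ /johnzy_the_king\@hotmail\.com/i |
| describe TO_JOHNZY To a spammy recipient |
| #score TO_JOHNZY 3.00 |
| |
| # Discussed on list and observed in spam 10/15/2010 |
| # Display name is literally "<" (quoted) in front of the address. |
| header TO_ONE_CHAR To =~ /^\s*"<"\s*</ |
| describe TO_ONE_CHAR Bogus TO name |
| # Check From: as well... |
| # Any single-character quoted display name in From. |
| header FROM_ONE_CHAR From =~ /^\s*"[^"]"\s*</ |
| describe FROM_ONE_CHAR Bogus FROM name |
| |
| # __ version of khop rule for FP filtering |
| # Display name looks like an email address but is not the same as the address. |
| meta __NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL |
| |
| # 12-letter domain names, suggested by Len Conrad on the users list |
| # Exactly 12 lowercase letters as a label followed by a dot, in Received, |
| # Return-Path and URI hosts respectively. |
| header __RCVD_12LTRDOM Received =~ /[(\s.][a-z]{12}\./ |
| header __RPATH_12LTRDOM Return-Path =~ /\@[a-z]{12}\./ |
| uri __URI_12LTRDOM m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i |
| |
| # Same for the From domain, excluding "facebookmail" (itself 12 letters). |
| header __FROM_12LTRDOM_1 From =~ /\@(?!facebookmail)[a-z]{12}\./ |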
| ## suppress this, masscheck is publishing it as a T_ rule and ignoring the score limit, so hits get 1 point |
| #ifplugin Mail::SpamAssassin::Plugin::FreeMail |
| # meta FROM_12LTRDOM __FROM_12LTRDOM_1 && !__VIA_ML && !__TO___LOWER && !__FS_SUBJ_RE && !__RCD_RDNS_MAIL_MESSY && !__freemail_safe && !__UNSUB_LINK && !NO_RELAYS && !__UNUSABLE_MSGID && !DATE_IN_PAST_96_XX && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__RCD_RDNS_SMTP_MESSY && !__FB_NATIONAL && !__MAIL_LINK && !__NAME_EMAIL_DIFF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__SENDER_BOT && !__IMS_MSGID && !__HS_SUBJ_RE_FW && !__DOS_HAS_LIST_UNSUB && !__THREAD_INDEX_GOOD && !__TO_EQ_FROM_DOM && !__URI_MAILTO && !__SUBSCRIPTION_INFO |
| #else |
| # meta FROM_12LTRDOM __FROM_12LTRDOM_1 && !__VIA_ML && !__TO___LOWER && !__FS_SUBJ_RE && !__RCD_RDNS_MAIL_MESSY && !__UNSUB_LINK && !NO_RELAYS && !__UNUSABLE_MSGID && !DATE_IN_PAST_96_XX && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__RCD_RDNS_SMTP_MESSY && !__FB_NATIONAL && !__MAIL_LINK && !__NAME_EMAIL_DIFF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__SENDER_BOT && !__IMS_MSGID && !__HS_SUBJ_RE_FW && !__DOS_HAS_LIST_UNSUB && !__THREAD_INDEX_GOOD && !__TO_EQ_FROM_DOM && !__URI_MAILTO && !__SUBSCRIPTION_INFO |
| #endif |
| #describe FROM_12LTRDOM From a 12-letter domain |
| ##tflags FROM_12LTRDOM nopublish |
| #score FROM_12LTRDOM 0.10 # limit |
| |
| # promising masscheck results |
| meta __MONEY_12LTRDOM __FROM_12LTRDOM_1 && __LOTSA_MONEY_00 |
| meta MONEY_12LTRDOM __MONEY_12LTRDOM |
| score MONEY_12LTRDOM 0.10 # limit |
| describe MONEY_12LTRDOM Mentions lots of money and from a 12-letter domain |
| |
| # spammer email addresses noted by D. German on users list 9/2010 |
| # Shape first.last@sub.domain.tld with fixed length ranges per part; note the |
| # patterns are case-sensitive (no /i), so only all-lowercase addresses hit. |
| body DG_SPAMMER_EMAIL_B /\b[a-z]{10,30}\.[a-z]{3,10}\@[a-z]{3,10}\.[a-z]{6,30}\.[a-z]{2,4}\b/ |
| header DG_SPAMMER_EMAIL_F From =~ /\b[a-z]{10,30}\.[a-z]{3,10}\@[a-z]{3,10}\.[a-z]{6,30}\.[a-z]{2,4}\b/ |
| describe DG_SPAMMER_EMAIL_B Recognized spammer email address in body |
| describe DG_SPAMMER_EMAIL_F Recognized spammer email address in From: header |
| |
| # Spammers can't include the real name successfully... |
| # Facebook notification template with the recipient name left out. |
| body __FORGED_FB_USERCP_01 /This message was intended for Want to control which emails you receive from Facebook\?/i |
| |
| # Javascript obfuscation noted by J. Brennan on the Users list 09/2010 |
| # document.write(unescape("...")) whose argument starts with at least ten |
| # consecutive %XX escapes. |
| rawbody OBFU_JVSCR_ESC /document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i |
| describe OBFU_JVSCR_ESC Injects content using obfuscated javascript |
| #score OBFU_JVSCR_ESC 2.75 |
| tflags OBFU_JVSCR_ESC publish |
| |
| # Starting to observe in spam |
| # List-Unsubscribe present without a List-Id; the scored metas exclude |
| # signed/bugged/otherwise well-formed list mail to limit false positives. |
| meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID |
| meta LIST_PARTIAL __LIST_PARTIAL && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_SENDER && !__HAS_ERRORS_TO |
| describe LIST_PARTIAL Has incomplete List-* header set |
| score LIST_PARTIAL 1.000 # limit |
| |
| # Same, plus the From and To local parts are identical. |
| meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR |
| meta LIST_PRTL_SAME_USER __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO |
| describe LIST_PRTL_SAME_USER Incomplete List-* headers and from+to user the same |
| score LIST_PRTL_SAME_USER 3.000 # limit |
| tflags LIST_PRTL_SAME_USER publish |
| |
| # Same, plus a pump-and-dump indicator. |
| meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1 |
| meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS |
| describe LIST_PRTL_PUMPDUMP Incomplete List-* headers and stock pump-and-dump |
| score LIST_PRTL_PUMPDUMP 2.000 # limit |
| tflags LIST_PRTL_PUMPDUMP publish |
| |
| |
| |
| # in lots of phishing |
| # Subrule only (no score); intended for use in metas. |
| uri __UCOZ_URI /\.ucoz\.org\//i |
| describe __UCOZ_URI URI contains ucoz.org |
| |
| # Intrust Domains is a persistent domain registration spammer |
| # recent sign, will likely change |
| #body __ARTHUR_SIMMONS /Arthur Simmons/ |
| #body __INTRUST_DOMS /In[Tt]rust Domains/ |
| #meta ARTHUR_INTRUST __ARTHUR_SIMMONS && __INTRUST_DOMS |
| #describe ARTHUR_INTRUST Arthur Simmons - registrar spammer extraordinaire |
| |
| #header ART_NAMES_ORG Received =~ /\bart\.names\.org\b/i |
| #describe ART_NAMES_ORG Arthur Simmons - registrar spammer extraordinaire |
| |
| # Pill price mentions, e.g. "free pills" / "1.23 per tablet" / "pills: $1.23". |
| # Each subrule counts up to 3 hits; ANY_ needs one hit and a personal sender, |
| # MANY_ needs a combined count above 2. Only the subrules get a 0 fallback; |
| # ANY_/MANY_ are not defined in the else branch (none of the visible metas |
| # reference them, so this appears harmless). |
| if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
| body __PILL_PRICE_01 m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i |
| body __PILL_PRICE_02 /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i |
| tflags __PILL_PRICE_01 multiple maxhits=3 |
| tflags __PILL_PRICE_02 multiple maxhits=3 |
| meta ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON |
| describe ANY_PILL_PRICE Prices for pills |
| meta MANY_PILL_PRICE (__PILL_PRICE_01 + __PILL_PRICE_02) > 2 |
| describe MANY_PILL_PRICE Prices for many pills |
| else |
| meta __PILL_PRICE_01 0 |
| meta __PILL_PRICE_02 0 |
| endif |
| |
| # More from Ned Slider |
| # Freemail combinations; all unpublished and unscored. Wrapped in ifplugin |
| # because they reference FREEMAIL_FROM, with no else-branch fallbacks. |
| ifplugin Mail::SpamAssassin::Plugin::FreeMail |
| meta NSL_FREEMAIL_SUBJ (FREEMAIL_FROM && MISSING_SUBJECT) |
| describe NSL_FREEMAIL_SUBJ From freemail with missing subject |
| # score NSL_FREEMAIL_SUBJ 1.0 |
| tflags NSL_FREEMAIL_SUBJ nopublish |
| |
| meta NSL_FREEMAIL_M1 (NSL_FREEMAIL_SUBJ && (__HAS_ANY_URI || __MANY_RECIPS)) |
| describe NSL_FREEMAIL_M1 From freemail, missing subject and uri or many recips |
| # score NSL_FREEMAIL_M1 1.0 |
| tflags NSL_FREEMAIL_M1 nopublish |
| |
| meta NSL_FREEMAIL_M2 (FREEMAIL_FROM && __HAS_ANY_URI && __MANY_RECIPS) |
| describe NSL_FREEMAIL_M2 From freemail with uri and many recips |
| # score NSL_FREEMAIL_M2 1.0 |
| tflags NSL_FREEMAIL_M2 nopublish |
| endif |
| |
| # To: header ends in a trailing comma (truncated or sloppily generated list). |
| header NSL_TO_ENDS_COMMA To =~ /,$/ |
| describe NSL_TO_ENDS_COMMA To: ends with a comma |
| #score NSL_TO_ENDS_COMMA 0.001 |
| tflags NSL_TO_ENDS_COMMA nopublish |
| |
| |
| # "We are a China/Taiwan-based ..." / "We are one of the best ... in China" |
| # self-introductions typical of B2B cold mail. |
| body CN_B2B_SPAMMER /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i |
| describe CN_B2B_SPAMMER Chinese company introducing itself |
| tflags CN_B2B_SPAMMER publish |
| |
| # Two specific opt-out addresses seen in that campaign. |
| body CN_OPTOUT_EML /\b(?:pasamenzi|arinayuma)\@sina\.com\b/i |
| describe CN_OPTOUT_EML Opt-out email address in CN B2B spams |
| |
| # __ version of khopesh UPPERCASE_URI, for use in metas |
| # An uppercase letter appearing before the first colon of the URI. |
| uri __UPPERCASE_URI /^[^:A-Z]+[A-Z]/ |
| |
| # __ version of khopesh SINGLE_HEADER_1K, for use in metas |
| #header __SINGLE_HEADER_1K ALL:raw =~ /(?-xim:(?=(?!X-Spam|X-MailScan)(?:^|\n)[^\s\n]+:(?:.(?!\n\S)){1024,2047}.(?:\n\S|$)))/s |
| |
| # for sale newsletters |
| # Each subrule counts repeated price/offer phrases (capped by maxhits) and a |
| # _MANY meta fires above a threshold. NOTE(review): __FOR_SALE_PRC_100K_MANY |
| # uses "> 5" while its siblings use "> 10" - confirm that is intentional. |
| if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
| body __FOR_SALE_OBO /\bor best offer\b/i |
| tflags __FOR_SALE_OBO multiple maxhits=6 |
| meta __FOR_SALE_OBO_MANY __FOR_SALE_OBO > 5 |
| |
| body __FOR_SALE_PRC_1K /\bprice:? \$\d,?\d\d\d[.\s]/i |
| tflags __FOR_SALE_PRC_1K multiple maxhits=11 |
| meta __FOR_SALE_PRC_1K_MANY __FOR_SALE_PRC_1K > 10 |
| |
| body __FOR_SALE_PRC_10K /\bprice:? \$\d\d,\d\d\d/i |
| tflags __FOR_SALE_PRC_10K multiple maxhits=11 |
| meta __FOR_SALE_PRC_10K_MANY __FOR_SALE_PRC_10K > 10 |
| |
| body __FOR_SALE_PRC_100K /\bprice:? \$\d\d\d,\d\d\d/i |
| tflags __FOR_SALE_PRC_100K multiple maxhits=11 |
| meta __FOR_SALE_PRC_100K_MANY __FOR_SALE_PRC_100K > 5 |
| |
| meta __FOR_SALE_PRC_MANY (__FOR_SALE_PRC_1K + __FOR_SALE_PRC_10K + __FOR_SALE_PRC_100K) > 20 |
| |
| body __FOR_SALE_LTP /00\.? (?:less 10%|LTP)/i |
| tflags __FOR_SALE_LTP multiple maxhits=11 |
| meta __FOR_SALE_LTP_MANY __FOR_SALE_LTP > 10 |
| |
| body __FOR_SALE_NET /00\.? NET/i |
| tflags __FOR_SALE_NET multiple maxhits=11 |
| meta __FOR_SALE_NET_MANY __FOR_SALE_NET > 10 |
| |
| # Raw body lines ending in a round dollar amount such as "$1,500" or "$12,000.00". |
| rawbody __FOR_SALE_PRC_EOL /\s\$\d{1,3},\d00(?:\.00)?$/m |
| tflags __FOR_SALE_PRC_EOL multiple maxhits=11 |
| meta __FOR_SALE_PRC_EOL_MANY __FOR_SALE_PRC_EOL > 10 |
| endif |
| |
| # Count mailto: URIs (up to 16); _MANY fires above 15. |
| uri __URI_MAILTO /^mailto:/i |
| tflags __URI_MAILTO multiple maxhits=16 |
| meta __URI_MAILTO_MANY __URI_MAILTO > 15 |
| |
| |
| # Reply-To carries an empty address "<>". |
| header REPLYTO_EMPTY Reply-To =~ /<>/ |
| describe REPLYTO_EMPTY Reply-To undeliverable |
| |
| # Recipient-count subrules: N comma-separated entries of up to 90 chars each. |
| header __TO_MANY To =~ /(?:,[^,]{1,90}){10}/ |
| header __CC_MANY Cc =~ /(?:,[^,]{1,90}){10}/ |
| |
| header __TO_TOO_MANY To =~ /(?:,[^,]{1,90}){30}/ |
| header __CC_TOO_MANY Cc =~ /(?:,[^,]{1,90}){30}/ |
| |
| # 50+ entries across the combined To and Cc pseudo-header. |
| header __TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,90}){50}/ |
| |
| # NOTE(review): references FREEMAIL_FROM without an ifplugin FreeMail guard, |
| # unlike the other FreeMail metas in this file - confirm lint passes without |
| # the plugin loaded. |
| meta FREEMAIL_MANY_TO __TO_WAY_TOO_MANY && FREEMAIL_FROM |
| describe FREEMAIL_MANY_TO Freemail sender, 50+ exposed recipients |
| score FREEMAIL_MANY_TO 2.000 # limit |
| |
| |
| # North-American phone number written with a space between every digit. |
| body __GAPPY_PHONE_NA /1 ?- \d \d \d ?- \d \d \d ?- \d \d \d \d/ |
| meta GAPPY_PHONE_NA __GAPPY_PHONE_NA |
| describe GAPPY_PHONE_NA Phone number with lots of spaces |
| |
| # Runs of seven short words each separated by 4-80 whitespace/=09 (QP tab) |
| # sequences, adjacent to an HTML tag: vertical-text style padding. |
| full __GAPPY_HTML_01 m;</?[a-z]{1,6}(?:\s[^>]{0,40})?>(?:\s|=09){0,80}(?:(?!\d)[\w'()\#,.:!]{1,15}(?:\s|=09){4,80}){7}\S; |
| full __GAPPY_HTML_02 m;\S(?:(?:\s|=09){4,80}(?!\d)[\w'()\#,.:!]{1,15}){7}(?:\s|=09){0,5}</?[a-z]{1,6}/?>; |
| #full __GAPPY_HTML_03 /^(?:=09){5,20}</m |
| #tflags __GAPPY_HTML_03 multiple maxhits=11 |
| #full __GAPPY_HTML_04 /^(?:=0A){5,20}/m |
| #tflags __GAPPY_HTML_04 multiple maxhits=11 |
| #meta __GAPPY_HTML __MIME_HTML && (__GAPPY_HTML_01 || __GAPPY_HTML_02 || (__GAPPY_HTML_03 > 10) || (__GAPPY_HTML_04 > 10)) |
| meta __GAPPY_HTML __MIME_HTML && (__GAPPY_HTML_01 || __GAPPY_HTML_02) |
| meta GAPPY_HTML __GAPPY_HTML && !__UNSUB_LINK && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY |
| describe GAPPY_HTML HTML body with much useless whitespace |
| |
| # Try to improve S/O per bug 6119 |
| # __TVD_SPACE_RATIO with a long list of exclusions (encrypted mail, cron |
| # output, JP encodings, trusted/signed/list mail, empty bodies, ...). |
| meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY |
| #tflags TVD_SPACE_RATIO_MINFP nopublish |
| score TVD_SPACE_RATIO_MINFP 2.500 # limit |
| describe TVD_SPACE_RATIO_MINFP Space ratio (vertical text obfuscation?) |
| |
| # Only useful for English-language email |
| #meta SUBJECT_UNNEEDED_ENCODING (__SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED) && !__RCD_RDNS_MAIL && !__LCL__ENV_AND_HDR_FROM_MATCH && !__SUBSCRIPTION_INFO && !__THREADED && !__NONBOUNCE_READ_RECEIPT |
| #describe SUBJECT_UNNEEDED_ENCODING Subject encoded but not non-ANSI? |
| #score SUBJECT_UNNEEDED_ENCODING 1.000 # limit |
| #tflags SUBJECT_UNNEEDED_ENCODING publish |
| |
| # Be sensitive to FP on legit japanese- and chinese-language mailing lists (09/2014) |
| # Space-ratio hit plus a base64-encoded Subject that is not UTF-8 encoded. |
| meta __TVD_SPACE_ENCODED (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED) |
| meta TVD_SPACE_ENCODED __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM |
| score TVD_SPACE_ENCODED 2.500 # limit |
| describe TVD_SPACE_ENCODED Space ratio & encoded subject |
| |
| # Same base, plus a From header that itself needs MIME encoding. |
| meta TVD_SPACE_ENC_FM_MIME __TVD_SPACE_ENCODED && __FROM_NEEDS_MIME && !__ISO_2022_JP_DELIM |
| score TVD_SPACE_ENC_FM_MIME 2.000 # limit |
| describe TVD_SPACE_ENC_FM_MIME Space ratio & encoded subject & MIME needed |
| |
| |
| # sample from users list: Subject: Sta ffWork sFastToSen dTab le tsGood s |
| # A capital letter 1-3 letters into a word; the lookahead skips a few |
| # product-name capitalizations (iPad/iPod/iMac-, eMail/ePass-style). Counts |
| # up to 2 hits; the _WORDS meta fires on the second. |
| header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/ |
| tflags __SUBJ_BROKEN_WORD multiple maxhits=2 |
| meta SUBJ_BROKEN_WORD __SUBJ_BROKEN_WORD && !ALL_TRUSTED && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__MIME_QP && !__DOS_HAS_LIST_UNSUB && !__HAS_IN_REPLY_TO && !__THREADED && !__MSGID_JAVAMAIL && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY && !__MSGID_OK_DIGITS && !__NOT_A_PERSON && !__LCL__ENV_AND_HDR_FROM_MATCH |
| describe SUBJ_BROKEN_WORD Subject contains odd word break |
| meta SUBJ_BROKEN_WORDS __SUBJ_BROKEN_WORD > 1 && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__MIME_QP && !__DOS_HAS_LIST_UNSUB && !__HAS_IN_REPLY_TO && !__THREADED && !__MSGID_JAVAMAIL && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY && !__MSGID_OK_DIGITS |
| describe SUBJ_BROKEN_WORDS Subject contains multiple odd word breaks |
| |
| # felicity TVD_SUBJ_NUM_OBFU as subrule |
| # Digits embedded inside a word in the Subject. |
| header __TVD_SUBJ_NUM_OBFU Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i |
| meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU |
| # Scored form only exists when the DKIM plugin is loaded (no else fallback). |
| ifplugin Mail::SpamAssassin::Plugin::DKIM |
| meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER |
| describe SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers |
| endif |
| |
| meta TVD_SUBJ_NUM_OBFU_MINFP __TVD_SUBJ_NUM_OBFU && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !__X_CRON_ENV && !__NOT_A_PERSON && !__HAS_THREAD_INDEX && !__THREADED && !__NUMBERS_IN_SUBJ && !__URI_MAILTO |
| |
| # from spample on users list 7/20/2011 |
| # X-Mailer claims PHPMailer but the "version" token is followed by no digits |
| # up to end of line, i.e. an unfilled template. |
| header __XM_PHPMAILER_FORGED X-Mailer =~ /PHPMailer\s.*version\D+$/ |
| meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED |
| describe XM_PHPMAILER_FORGED Apparently forged header |
| tflags XM_PHPMAILER_FORGED publish |
| |
| # from spample on users list 7/24/2011 |
| # Subrule only; the scored rule stays commented out. |
| header __XM_EC_MESSENGER X-Mailer =~ /\beC-Messenger\b/ |
| #meta XM_EC_MESSENGER __XM_EC_MESSENGER |
| #describe XM_EC_MESSENGER eC-Messenger bulk mail service |
| |
| # Single letters surrounded by punctuation in the Subject (counted up to 4); |
| # the first alternative skips HTML-tag-like "<xx" sequences. |
| header __SUBJ_OBFU_PUNCT Subject =~ /(?:(?!<[a-z][a-z])[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z])/i |
| tflags __SUBJ_OBFU_PUNCT multiple maxhits=4 |
| meta SUBJ_OBFU_PUNCT_FEW __SUBJ_OBFU_PUNCT > 1 && !__THREADED && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH |
| describe SUBJ_OBFU_PUNCT_FEW Possible punctuation-obfuscated Subject: header |
| score SUBJ_OBFU_PUNCT_FEW 0.750 |
| meta SUBJ_OBFU_PUNCT_MANY __SUBJ_OBFU_PUNCT > 2 && !__THREADED && !__RP_MATCHES_RCVD && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH |
| describe SUBJ_OBFU_PUNCT_MANY Punctuation-obfuscated Subject: header |
| score SUBJ_OBFU_PUNCT_MANY 1.750 |
| |
| #meta SUBJ_MANGLED __SUBJ_OBFU_PUNCT && __GAPPY_SUBJECT && !__RP_MATCHES_RCVD && !__HAS_X_MAILER && !__DOS_HAS_LIST_UNSUB |
| #score SUBJ_MANGLED 2.000 # limit |
| |
| # A document was scanned and sentto you using a Hewlett-Packard HP Officejet |
| # A document was scanned and sent to you using a Hewlett-Packard HP Officejet |
| # Scan from Hewlet-Packard Officejet |
| # Scan from a HP Officejet |
| # Hewlett-Packard Officejet Location: machine location not set |
| # Xerox WorkCentre |
| # See http://isc.sans.edu/diary.html?storyid=11848#comment |
| # Fake "scanned document" notifications (samples above); the regex tolerates |
| # the misspellings seen in the wild. Scored only when the message did not |
| # come from a trusted relay and does not carry the Xerox MUA signature. |
| body __SCANNED /\b(?:(?:document was scan+ed and sent ?to you using|Scan from)(?: an?)? (?:(?:Hewlet+-Packard |HP ){1,2}Officejet|Hewlet+-Packard Officejet Location: machine location not set)|Xerox\b)/i |
| meta SCANNED_EXTERNAL __SCANNED && !ALL_TRUSTED && !__XEROXWORKCTR_MUA |
| describe SCANNED_EXTERNAL "Scanned Document" email from external source - malware? |
| score SCANNED_EXTERNAL 3.00 # limit |
| |
| if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
| # real estate / stock scam spams 11/2011 |
| # roughly similar to FS_LARGE_PERCENT2, better S/O? |
| # Three-digit percentages followed by "after", counted up to 4; fires above 3. |
| body __LARGE_PERCENT_AFTER /\d{3}% after/i |
| tflags __LARGE_PERCENT_AFTER multiple maxhits=4 |
| meta LARGE_PCT_AFTER_MANY __LARGE_PERCENT_AFTER > 3 |
| describe LARGE_PCT_AFTER_MANY Many large percentages after... |
| else |
| meta __LARGE_PERCENT_AFTER 0 |
| endif |
| |
| # phish/malware 11/2011 |
| # "ACH"/"wire"/"direct deposit" payment rejected/cancelled phrasings. "ACH" is |
| # matched case-sensitively ((?-i:ACH)) even though the rest is /i. |
| body __ACH_CANCELLED_01 /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i |
| body __ACH_CANCELLED_02 /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i |
| body __ACH_CANCELLED_03 /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i |
| body __ACH_CANCELLED_04 /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i |
| |
| # __EXE_ATTACH inspects only the Content-Type of MIME parts: ".exe" followed by |
| # a word boundary anywhere in it, so "x.exe.txt" also hits. NOTE(review): a |
| # filename carried only in Content-Disposition is not seen by this subrule - |
| # confirm that is acceptable. |
| ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
| mimeheader __EXE_ATTACH Content-Type =~ /\.exe\b/i |
| meta __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH |
| meta ACH_CANCELLED_EXE __ACH_CANCELLED_EXE |
| describe ACH_CANCELLED_EXE "ACH cancelled" probable malware |
| else |
| meta __EXE_ATTACH 0 |
| endif |
| |
| # Same phrasing with a URI or money mention instead of an attachment. |
| meta __ACH_CANCELLED (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && (__HAS_ANY_URI || LOTS_OF_MONEY) |
| meta ACH_CANCELLED __ACH_CANCELLED |
| describe ACH_CANCELLED "ACH cancelled" fraud / phish |
| |
| # spams from users list query 03/2012 |
| # Not useful as scored rules, may be useful meta'd with something else |
| # The URI's host (backreference \1) appears a second time later in the same |
| # URI as another http(s) URL - a self-redirector. www.amazon.com is exempted. |
| uri __URI_DBL_SUBDOM m,^https?://(?!www\.amazon\.com)([^/]+)/.*https?://(?:[^.]+\.)?\1/,i |
| #meta URI_DBL_SUBDOM __URI_DBL_SUBDOM && !__RP_MATCHES_RCVD && !__FROM_LOWER && !__HAS_ERRORS_TO && !__TO_EQ_FROM_DOM |
| #score URI_DBL_SUBDOM 1.00 # limit |
| |
| # Same idea keyed on the parent domain (first label stripped). |
| uri __URI_DBL_DOM m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i |
| |
| # Two or three "=http(s)://" parameters in one URI: chained redirects. The |
| # double meta excludes the triple so each level is scored once. |
| uri __URI_DBL_INDIR m,(?:=https?://(?!www\.amazon\.com).*?){2},i |
| meta URI_DBL_INDIR __URI_DBL_INDIR && !__URI_TRPL_INDIR |
| describe URI_DBL_INDIR A URI with two levels of indirection |
| uri __URI_TRPL_INDIR m,(?:=https?://(?!www\.amazon\.com).*?){3},i |
| meta URI_TRPL_INDIR __URI_TRPL_INDIR |
| describe URI_TRPL_INDIR A URI with at least three levels of indirection |
| |
| # suggestion on users list 04/2012 |
| # A "subject:" header whose capitalization is none of the three common forms. |
| header SUBJ_ODD_CASE ALL =~ /\n(?!(?:Subject:|SUBJECT:|subject:))(?i:subject:)/sm |
| describe SUBJ_ODD_CASE Oddly mixed-case Subject: header |
| |
| |
| # Somebody's resurrecting the dead 07/1012 |
| # The long-dead "Bill S.1618 / 105th Congress" spam disclaimer. |
| body BILL_1618 /\bUnder Bills?.1618(?: Title III)? passed by the 105th U\.S\. Congress\b/i |
| describe BILL_1618 Mentions proposed US law supposedly permitting spamming |
| # "This is not spam" disclaimers in English, Spanish and German. |
| body NOT_SPAM /\b(?:this mail cannot be considered Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)\b/i |
| describe NOT_SPAM I'm not spam! Really! I'm not, I'm not, I'm not! |
| |
| |
| # see https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39?gi=7ec45f2481ce |
| # Links to .SettingContent-ms files; no score is set here, only publish. |
| uri URI_MALWARE_SCMS /\.SettingContent-ms\b/i |
| describe URI_MALWARE_SCMS Link to malware exploit download (.SettingContent-ms file) |
| tflags URI_MALWARE_SCMS publish |
| |
| # suggested by http://isc.sans.edu/diary.html?storyid=13921 |
| # Path shape "/<tld>/<8 alphanumerics>/index.html". |
| uri URI_MALWARE_BH /\.\w{2,4}\/[\d\w]{8}\/index\.html/i |
| describe URI_MALWARE_BH Possible BlackHole malware links / phishing |
| score URI_MALWARE_BH 1.0 # limit |
| |
| # suggested by https://isc.sans.edu/diary.html?storyid=13996 |
| # "data:" URI whose media type is anything other than image/ (e.g. text/html). |
| # The scored meta excludes trusted, list and known-sender mail. |
| uri __URI_DATA /^data:(?!image\/)[a-z]/i |
| meta URI_DATA __URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH && !__DOS_HAS_LIST_UNSUB |
| describe URI_DATA "data:" URI - possible malware or phish |
| score URI_DATA 3.250 # limit |
| tflags URI_DATA publish |
| |
| |
| # Literal upper-case ATTENTION in the Subject (case-sensitive, no /i). |
| header __SUBJ_ATTENTION Subject =~ /ATTENTION/ |
| meta SUBJ_ATTENTION __SUBJ_ATTENTION && !ALL_TRUSTED |
| describe SUBJ_ATTENTION ATTENTION in Subject |
| score SUBJ_ATTENTION 0.500 # limit |
| |
| # IRS brand spoof: name or address claims irs.gov, but no external relay has |
| # an rdns under irs.gov, and a Reply-To is present. The address check is |
| # case-sensitive (no /i) unlike the name check. NOTE(review): __IRS_RCVD_DOM |
| # needs at least one character (\S+) before "irs.gov", so an rdns of exactly |
| # "irs.gov" would not be excluded - confirm whether that is intended. |
| header __IRS_FM_NAME From:name =~ /internal\srevenue\sservice/i |
| header __IRS_FM_DOM From:addr =~ /\birs\.gov$/ |
| header __IRS_RCVD_DOM X-Spam-Relays-External =~ / rdns=\S+\birs\.gov / |
| meta __IRS_SPOOF (__IRS_FM_NAME || __IRS_FM_DOM) && !__IRS_RCVD_DOM && __HAS_REPLY_TO |
| meta IRS_SPOOF __IRS_SPOOF |
| describe IRS_SPOOF Claims to be IRS, but not from IRS domain |
| score IRS_SPOOF 2.00 # limit |
| |
| |
| # FBI spoof, same structure, plus an all-caps "FEDERAL BUREAU OF INVESTIGATION" |
| # at the start of the body (plain and raw). Same \S+ caveat as the IRS rule. |
| header __FBI_FM_NAME From:name =~ /federal\sbureau\sof\sinvestigation/i |
| header __FBI_FM_DOM From:addr =~ /\bfbi\.gov$/ |
| header __FBI_RCVD_DOM X-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov / |
| body __FBI_BODY_SHOUT_1 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/ |
| rawbody __FBI_BODY_SHOUT_2 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/m |
| meta __FBI_SPOOF (__FBI_FM_NAME || __FBI_FM_DOM || __FBI_BODY_SHOUT_1 || __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __HAS_REPLY_TO |
| meta FBI_SPOOF __FBI_SPOOF |
| describe FBI_SPOOF Claims to be FBI, but not from FBI domain |
| score FBI_SPOOF 2.00 # limit |
| tflags FBI_SPOOF publish |
| |
| meta FBI_MONEY __FBI_SPOOF && LOTS_OF_MONEY |
| describe FBI_MONEY The FBI wants to give you lots of money? |
| score FBI_MONEY 2.00 # limit |
| tflags FBI_MONEY publish |
| |
| |
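| # Financial-institution From: subrules.  The From:addr ones match the domain
| # at the end of the address; the "_LOOSE" ones match anywhere in the From
| # header (name or address).
| header __FROM_ASB_BANK From:addr =~ /\basb\.co\.nz$/i
| header __FROM_AMEX From =~ /american\s?express/i
| header __FROM_BANK_LOOSE From =~ /ban(?:k|co)/i
| # chase.com and the chase[2][-]paymentech.com variants.  The group was written
| # without a trailing "?", which made the "paymentech" part mandatory and
| # silently excluded plain chase.com; a non-optional (?:...) group has no other
| # purpose here, so the "?" is restored.
| header __FROM_CHASE From:addr =~ /chase(?:2?-?paymentech)?\.com$/i
| header __FROM_CMNWLTH_BANK From:addr =~ /\bcommonwealth\.com\.au$/i
| header __FROM_EBAY_LOOSE From =~ /\be-?bay\b/i
| header __FROM_HSBC From:addr =~ /\bhsbc\.co\.uk$/i
| # lloyds.co.uk / lloyds.com and the lloydstsb.* forms; same missing-"?" fix as
| # __FROM_CHASE (the (?:tsb) group was mandatory, i.e. a no-op grouping).
| header __FROM_LLOYDSTSB From:addr =~ /\blloyds(?:tsb)?\.(?:co\.uk|com)$/i
| header __FROM_PAYPAL_LOOSE From =~ /paypal/i
| header __FROM_WELLSFARGO From:addr =~ /wellsfargo\.com$/i
| header __FROM_WESTERNUNION From:addr =~ /westernunion\.com$/i
| 
| # Malformed From: header (__FROM_MISSPACED, defined elsewhere) that also
| # claims one of the institutions above.
| meta __FROM_MISSP_PHISH __FROM_MISSPACED && (__FROM_ASB_BANK || __FROM_AMEX || __FROM_BANK_LOOSE || __FROM_CHASE || __FROM_CMNWLTH_BANK || __FROM_EBAY_LOOSE || __FROM_HSBC || __FROM_LLOYDSTSB || __FROM_PAYPAL_LOOSE || __FROM_WELLSFARGO || __FROM_WESTERNUNION)
| # Excluded when a List-Unsubscribe header is present (bulk mail, not phish).
| meta FROM_MISSP_PHISH __FROM_MISSP_PHISH && !__DOS_HAS_LIST_UNSUB
| describe FROM_MISSP_PHISH Malformed, claims to be from financial organization - possible phish
| score FROM_MISSP_PHISH 3.500 # limit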
| |
| # another upload-a-document-for-public-access site
| uri __URI_YOUSENDIT m,^https?://www\.yousendit\.com/directdownload,i
| 
| # see also DOS_GOOGLE_DOCS
| # Google Docs "view"/"viewform" links carrying an id/formkey/usp query
| # parameter, or /document/ paths; feeds the GOOGLE_DOCS_PHISH rules below.
| uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:[^&]+&)*(?:id|formkey|usp)=|document/),i
| # Google Drive links, including the older googledrive.com host.
| uri __URI_GOOGLE_DRV m,^https?://(?:drive\.google|googledrive)\.com/,i
| |
| |
| # Webmail-phish phrase subrules, summed by __EMAIL_PHISH / __EMAIL_PHISH_MANY
| # below.  Subrules tagged "multiple maxhits=2" count up to two hits each, so a
| # repeated phrase weighs double in those sums.  Alternations of the form
| # (?:=E1|[\xe1]|[\xc3][\xa1]) accept the quoted-printable, Latin-1 and UTF-8
| # spellings of one accented letter (here "a-acute").
| body __WEBMAIL_ACCT /\byour web ?mail account/i
| # English and Portuguese "your mailbox is full / over quota" wording.
| body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|quota is running low|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i
| # "clean up your mailbox"; (?-i:CLICK) forces that one word to be upper-case.
| body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here|(?:please|automatically) reduce (?:your|the) e?-?mail ?box size|reduce (?:your |the )?(?:e?-?mail(?: ?box)? )?size automatically)\b/i
| tflags __CLEAN_MAILBOX multiple maxhits=2
| # "validate/confirm your mailbox" in English, Portuguese and Polish.
| body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails))\b/i
| tflags __VALIDATE_MAILBOX multiple maxhits=2
| # "upgrade your mailbox", including "click here ... to upgrade" forms.
| body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:(?:[hw]as|and)\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage|you (?:have )?(?:failed|refused) to up(?:date|grade))\b/i
| # Threats to lock, deactivate or delete the mailbox; English, Swedish,
| # Portuguese and Polish variants.
| body __LOCK_MAILBOX /\b(?:(?:deactivate|lock(?: up)?|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server)|you will be deactivated|(?:account|e?-?mail(?: ?box)?) (?:will (?:be )?)?(?:shut ?down|expire|deactivate)|we have (?:stopped|suspended) (?:processing|accepting) (?:any )?(?:incoming|new|fresh) email)/i
| tflags __LOCK_MAILBOX multiple maxhits=2
| # Sender poses as helpdesk / sysadmin / support team.
| body __SYSADMIN /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management|security|admin(?:istrat(?:or|ion))?) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i
| # Admin-ish word in Subject / From, combined with __PDS_FROM_NAME_TO_DOMAIN
| # (defined elsewhere) for the "_DOM_ADMIN" forms.
| header __SUBJ_ADMIN Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i
| meta __SUBJ_DOM_ADMIN __SUBJ_ADMIN && __PDS_FROM_NAME_TO_DOMAIN
| header __FROM_ADMIN From =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i
| meta __FROM_DOM_ADMIN __FROM_ADMIN && __PDS_FROM_NAME_TO_DOMAIN
| # "Attention/Dear (web)mail user:" salutation, English and Portuguese.
| body __ATTN_MAIL_USER /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i
| # "your account has been accessed" / "you will lose access" pretexts.
| body __MAIL_ACCT_ACCESS1 /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i
| body __MAIL_ACCT_ACCESS2 /\blo+se ac+es+ to your (?:web|e-?)?mail ?(?:account|log-?in|box|address)\b/i
| |
| # Swedish "exceeded your mailbox limit" / "reset your account" phrasing; the
| # (?:=F6|[\xf6]|[\xc3][\xb6]) style groups accept quoted-printable, Latin-1 and
| # UTF-8 spellings of each accented letter.
| body __MAILBOX_FULL_SE /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i
| body __VALIDATE_MBOX_SE /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i
| body __PASSWORD_UPGRADE /\bpassword upgrade\b/i
| # "pending/undelivered messages" lures; these two only count toward
| # __EMAIL_PHISH_MANY, not __EMAIL_PHISH.
| body __PENDING_MESSAGES /\b(?:messages pending|pending messages|undelivered (?:messages|e?-?mails)|(?:your|\d+) undelivered e?-?mails)\b/i
| body __RELEASE_MESSAGES /\b(?:release messages|(?:retrieve|release|download) your(?: undelivered|held|pending)? e?-?mails|(?:e?-?mails|messages).{1,20}download them now)\b/i
| # Deliberately ungrammatical phrase observed verbatim in phish.
| body __PASSWORD_EXP_CLUMSY /\bpassword is due for expiration yesterday\b/i
| |
| # Webmail-phish tally: sum of the subrule hit counts (maxhits=2 subrules may add
| # 2) plus 1 if any __TVD_PH_* rule fires.  __EMAIL_PHISH needs a total > 1 and
| # is suppressed when __EMAIL_PHISH_MANY (total > 3, with the extra
| # __PENDING/__RELEASE/__TO_IN_SUBJ/__*_DOM_ADMIN terms) hits, so the two never
| # fire together.  __ACCESS_REVOKE is defined further down in this file.
| meta __EMAIL_PHISH (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PASSWORD_EXP_CLUMSY + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) > 1) && !__EMAIL_PHISH_MANY
| meta __EMAIL_PHISH_MANY (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) > 3)
| |
| # "Upgrade your mailbox" text hidden in low-contrast HTML; no score set here,
| # so the default applies unless one is given elsewhere.
| meta UPGRADE_MAILBOX __UPGR_MAILBOX && __HTML_FONT_LOW_CONTRAST_MINFP
| describe UPGRADE_MAILBOX Upgrade your mailbox! (phishing?)
| |
| # Generic account-phish phrase subrules (suspension, restore, verify, ...),
| # summed by __ACCT_PHISH / __ACCT_PHISH_MANY below.  Several include a German
| # alternative.  "multiple maxhits=2" lets a repeated phrase count twice.
| body __ACCESS_SUSPENDED /\b(?:(?:access|account) (?:suspension|has been (?:temporar(?:il)?y )(?:suspended|blocked|locked))|suspend (?:you from|your) access(?:ing)?|suspen(?:sion|se|ded) notice)\b/i
| tflags __ACCESS_SUSPENDED multiple maxhits=2
| body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i
| # Also used by __EMAIL_PHISH above.
| body __ACCESS_REVOKE /(?:(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)|Ihre Kreditkarte wird gesperrt)/i
| # "confirm/verify your account/identity", optionally naming an address.
| body __VERIFY_ACCOUNT /(?:confirm|updated?|verify) (?:your|the) (?:(?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)|"?[^\@\s]+\@\S+"? (?:account|mail ?box)|confirm verification|verify k?now|Ihre Angaben .berpr.ft und best.tigt)/i
| # Tolerates the misspellings seen in the wild (ac+es+, at+empts).
| body __FAILED_LOGINS /unsuc+es+ful log-?[io]n at+empts/i
| body __ACCOUNT_REACTIV /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i
| body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i
| body __ACCOUNT_ERROR /\b(?:your account (?:is|appears to be) (?:incorrect|missing|in error|invalid))\b/i
| body __ACCOUNT_DISRUPT /\b(?:ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)|(?:avoid|incoming) (?:[a-z]+ ){0,5}e?-?mails? (?:from )?being rejected|avoid (?:account|e?-?mail(?: ?box)?) (?:shut ?down|suspension|locking|termination|expiration))\b/i
| tflags __ACCOUNT_DISRUPT multiple maxhits=2
| body __ACCOUNT_UPGRADE /\b(?:upgrade (?:of )your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded|Weiter zur Aktualisierung)\b/i
| body __ACCOUNT_SECURE /\b(?:make your (?:"?[^\@\s]+\@\S+"? |e-?mail )?account more secure|Ihre Kreditkarte weist einige Sicherheitsprobleme)\b/i
| # Non-native phrasing observed verbatim.
| body __SUSPICION_LOGIN /\bsuspicion login\b/i
| |
| # Account-phish tally, same shape as __EMAIL_PHISH: > 1 for __ACCT_PHISH
| # (suppressed by _MANY), > 3 for __ACCT_PHISH_MANY which also counts the
| # Subject/From admin subrules.
| meta __ACCT_PHISH (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN) > 1 && !__ACCT_PHISH_MANY
| meta __ACCT_PHISH_MANY (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN) > 3
| # Scoring rules.  The _MANY form steps aside for the Google-hosted variants
| # (GOOGLE_DOCS_PHISH_MANY below; GOOG_STO_HTML_PHISH_MANY is defined elsewhere)
| # so the same message is not scored twice for the same evidence.
| meta ACCT_PHISHING (__ACCT_PHISH || __EMAIL_PHISH) && !__RCD_RDNS_SMTP_MESSY
| describe ACCT_PHISHING Possible phishing for account information
| score ACCT_PHISHING 1.500 # limit
| meta ACCT_PHISHING_MANY (__ACCT_PHISH_MANY || __EMAIL_PHISH_MANY) && !GOOGLE_DOCS_PHISH_MANY && !GOOG_STO_HTML_PHISH_MANY
| describe ACCT_PHISHING_MANY Phishing for account information
| score ACCT_PHISHING_MANY 3.000 # limit
| 
| # Any phish tally plus a Reply-To pointing at a freemail account that differs
| # from the From (FREEMAIL_FORGED_REPLYTO is a FreeMail-plugin rule defined
| # elsewhere).  No score set here.
| meta PHISHING_FREEMAIL (__EMAIL_PHISH || __EMAIL_PHISH_MANY || __ACCT_PHISH || __ACCT_PHISH_MANY) && FREEMAIL_FORGED_REPLYTO
| describe PHISHING_FREEMAIL Send your login credentials to some random freemail account
| |
| |
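| # Google Docs observed on LOTS of phishes 2012
| # Google Docs link plus either a __TVD_PH_* phish indicator (_1) or a low
| # phish tally (_2; the _MANY tallies go to GOOGLE_DOCS_PHISH_MANY instead).
| meta __GOOGLE_DOCS_PHISH_1 __URI_GOOGLE_DOC && (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST)
| meta __GOOGLE_DOCS_PHISH_2 __URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY
| meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2)
| describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form
| score GOOGLE_DOCS_PHISH 3.00 # limit
| tflags GOOGLE_DOCS_PHISH publish
| 
| meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
| describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form
| score GOOGLE_DOCS_PHISH_MANY 4.00 # limit
| tflags GOOGLE_DOCS_PHISH_MANY publish
| 
| # Google Docs link from an untrusted path with one weak suspicion signal
| # (DomainKeys signature, no rDNS, sysadmin wording, invisible styling, or
| # money talk).
| meta __GOOGLE_DOC_SUSP __URI_GOOGLE_DOC && (__HAS_DOMAINKEY_SIG || __RDNS_NONE || __SYSADMIN || __STY_INVIS || LOTS_OF_MONEY || __XFER_MONEY) && !ALL_TRUSTED
| # FP guards: list / remailer / VERP traffic, threaded mail, sane rDNS.
| # The original listed !__RCD_RDNS_SMTP twice; the duplicate is dropped
| # (same boolean result).
| meta GOOGLE_DOC_SUSP __GOOGLE_DOC_SUSP && !GOOGLE_DOCS_PHISH_MANY && !__HAS_SENDER && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__USING_VERP1 && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__HAS_LIST_ID
| describe GOOGLE_DOC_SUSP Suspicious use of Google Docs
| score GOOGLE_DOC_SUSP 2.500 # limit
| tflags GOOGLE_DOC_SUSP publish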
| |
| #meta URI_GOOGLE_DOCS __URI_GOOGLE_DOC && !__DKIM_EXISTS && !__TO_EQ_FROM_DOM && !__DOS_REF_TODAY && !__DOS_BODY_FRI && !__DOS_BODY_WED && !__freemail_safe_fwd && !__TO_EQ_FROM_DOM && !__HAS_ERRORS_TO |
| #describe URI_GOOGLE_DOCS URI for Google Docs, common in phishing |
| #score URI_GOOGLE_DOCS 1.00 # limit |
| |
| # Phish tally plus some URI that is not one of the Google-hosted forms handled
| # by their own rules (__URI_GOOG_STO_HTML is defined elsewhere).
| meta __URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH)
| # The two branches differ only in !__REMOTE_IMAGE, which is presumably
| # provided by the MIMEHeader plugin (defined elsewhere) and so is only
| # referenced when that plugin is loaded.
| ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
| meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY
| else
| meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY
| endif
| describe URI_PHISH Phishing using web form
| score URI_PHISH 4.00 # limit
| tflags URI_PHISH publish
| |
| # Sysadmin/helpdesk wording with no sign of legitimacy: untrusted path, no
| # text attachment, no DKIM, envelope and header From differ (via the
| # plugin-guarded __LCL__ alias), Message-ID digits not in the usual form.
| meta SYSADMIN __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS
| describe SYSADMIN Supposedly from your IT department
| score SYSADMIN 3.500 # limit
| tflags SYSADMIN publish
| |
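| # suggested by MPerkel on the users list 11/10/2012
| # Mixed-case URI components.  Each rule matches the token case-insensitively
| # but first rejects, via a case-sensitive (?-i:...) lookahead, the spellings a
| # normal writer would use, so only odd casings such as "hTTp:" or "CoM" hit.
| uri __URI_PROTO_MC /^(?!(?-i:(?:[Hh]ttps?|HTTPS?):))https?:/i
| uri __URI_WWW_MC m,://(?!(?-i:www|WWW))www\.,i
| # The all-caps exclusions now cover every TLD in the positive list; BIZ and
| # INFO were missing, so ".BIZ" / ".INFO" were flagged as mixed case while
| # ".COM" was not.
| uri __URI_TLD_MC /\.(?!(?-i:com|net|org|biz|info|COM|NET|ORG|BIZ|INFO))(?:com|net|org|biz|info)\b/i
| uri __URI_GOOG_MC /(?!(?-i:[Gg]oogle))google/i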
| |
| # Inline CSS font-size of 0-4px.  Requires the trailing semicolon, so a
| # declaration ending the style block without one is not matched.
| rawbody __HTML_FONT_TINY_01 /font-size:\s{0,5}[0-4]px;/i
| meta HTML_FONT_TINY_NORDNS __HTML_FONT_TINY_01 && __RDNS_NONE
| describe HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
| score HTML_FONT_TINY_NORDNS 1.500 # limit
| |
| # Counts non-blank body lines, capped at 3; the < 2 / < 3 metas below turn
| # that into "empty" and "one line" tests.  S/MIME bodies are excluded since
| # their text is not visible to the body rules.
| body __BODY_TEXT_LINE /^\s*\S/
| tflags __BODY_TEXT_LINE multiple maxhits=3
| meta __EMPTY_BODY __BODY_TEXT_LINE < 2 && !__SMIME_MESSAGE
| # this hits 13% of masscheck corpus spam, 50% of that only scores 2 points
| # FP guards cover attachment-only mail, threaded mail, self-addressed mail,
| # local delivery, PDF attachments, Google and Apple/iPhone mailers.
| meta BODY_EMPTY __EMPTY_BODY && !ALL_TRUSTED && !__MIME_ATTACHMENT && !__HAS_THREAD_INDEX && !__TO_EQ_FROM_DOM && !NO_RELAYS && !__PDF_ATTACH && !__HDR_RCVD_GOOGLE && !__MSGID_APPLEMAIL && !__XM_IPHONEMAIL
| describe BODY_EMPTY No body text in message
| score BODY_EMPTY 2.00 # limit
| |
| |
| # At most two non-blank lines and at least one URI.
| meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE
| # FP guards: known-good sender checks, matching envelope/header From (via the
| # plugin-guarded __LCL__ alias), cron output, DKIM, lists, sane rDNS.
| meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__LCL__ENV_AND_HDR_FROM_MATCH && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY
| describe BODY_URI_ONLY Message body is only a URI in one line of text or for an image
| score BODY_URI_ONLY 1.500 # limit
| tflags BODY_URI_ONLY publish
| |
| |
| # A body line holding a single token of up to 60 non-space characters
| # (optionally one space either side); counted up to 2.
| body __SINGLE_WORD_LINE /^\s?\S{1,60}\s?$/
| tflags __SINGLE_WORD_LINE multiple maxhits=2
| header __SINGLE_WORD_SUBJ Subject =~ /^\s*\S{1,60}\s*$/
| # Short, non-empty body whose text is a lone word; a single-word line is
| # ignored when the Subject is also a single word (the body may just repeat
| # it), unless there are two such lines.
| meta __BODY_SINGLE_WORD __BODY_TEXT_LINE < 3 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1)
| meta BODY_SINGLE_WORD __BODY_SINGLE_WORD && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP
| describe BODY_SINGLE_WORD Message body is only one word (no spaces)
| score BODY_SINGLE_WORD 2.500 # limit
| 
| # Same, where the lone word is a URI; additionally excludes list traffic.
| meta __BODY_SINGLE_URI (__BODY_SINGLE_WORD && __HAS_ANY_URI)
| meta BODY_SINGLE_URI __BODY_SINGLE_URI && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP && !__VIA_ML
| describe BODY_SINGLE_URI Message body is only a URI
| score BODY_SINGLE_URI 2.500 # limit
| |
| #ifplugin Mail::SpamAssassin::Plugin::DKIM |
| # # malformed DKIM signatures seen in the wild - see bug#6895 |
| # # see how well this performs |
| # meta __DKIM_MALFORMED DKIM_SIGNED && !DKIM_VALID |
| #endif |
| |
| #body __YOUR_PHOTOS /\byour photos (?:as p[rw]omised )?(?:here )?(?:- )?https?:/i |
| #meta YOUR_PHOTOS __YOUR_PHOTOS && !__HAS_ANY_EMAIL && !__HAS_REPLY_TO && !__DOS_HAS_LIST_UNSUB |
| #describe YOUR_PHOTOS "Your Photos" phishing or malware |
| #score YOUR_PHOTOS 4.00 # limit |
| |
| # Spanish opt-out boilerplate; the [^\s@]{1,64}@[^\s@]{1,64} parts stand for an
| # embedded e-mail address.  Scored directly, no FP guards.
| body __UNSUBSCRIBE_ES /\b(?:Para darte de baja y no recibir ning(?:=FA|[\xfa]|[\xc3][\xba])n|Si no desea que le enviemos publicidad|Si desea eliminar su correo [^\s@]{1,64}@[^\s@]{1,64} de nuestra lista|no recibir estos boletines a: [^\s@]{1,64}@[^\s@]{1,64} simplemente|Si no desea recibir m(?:=E1|[\xe1]|[\xc3][\xa1]|a)s notificaciones)\b/i
| meta UNSUBSCRIBE_ES __UNSUBSCRIBE_ES
| score UNSUBSCRIBE_ES 2.500 # limit
| 
| # Portuguese equivalent.
| body __UNSUBSCRIBE_PT /\bSe n(?:a|=E3|[\xe3]|[\xc3][\xa3])o desejar mais receber nossos e-?mails?\b/i
| meta UNSUBSCRIBE_PT __UNSUBSCRIBE_PT
| score UNSUBSCRIBE_PT 2.500 # limit
| |
| # Doubled scheme such as "http://http://" in body text.
| body __URI_DBL_PROTO m,\b(?:https?:/+){2},i
| 
| # URI that is a DOS/Windows drive path ("C:\...").
| uri __URI_DOS_FILE /^[A-Z]:\\/i
| |
| # "Fill this form" wording (__FILL_THIS_FORM_SHORT2, defined elsewhere) hidden
| # in low-contrast HTML.
| # NOTE(review): both operands of the || are the same subrule, so the
| # parenthesised part is just __FILL_THIS_FORM_SHORT2; a second subrule was
| # probably intended but cannot be determined from this file.
| meta __FORM_LOW_CONTRAST (__FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_SHORT2) && __HTML_FONT_LOW_CONTRAST_MINFP
| meta FORM_LOW_CONTRAST __FORM_LOW_CONTRAST && !__BUGGED_IMG && !__HAS_REPLY_TO && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__MSGID_JAVAMAIL
| describe FORM_LOW_CONTRAST Fill in a form with hidden text
| score FORM_LOW_CONTRAST 2.500 # Limit
| tflags FORM_LOW_CONTRAST publish
| |
| |
| # try to FP-reduce HTML_FONT_LOW_CONTRAST
| # Low-contrast text minus the usual legit signals (Sender header, threading,
| # trusted path, known-good headers).  When the DKIM plugin is loaded a valid
| # DKIM signature also exempts the message; the two branches are otherwise
| # identical.
| ifplugin Mail::SpamAssassin::Plugin::DKIM
| meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN && !DKIM_VALID
| else
| meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN
| endif
| |
| # some no-ham (at the time) combinations
| # Hidden (low-contrast) text paired with one other spam signal.  The first
| # four use the raw HTML_FONT_LOW_CONTRAST; the last two use the FP-reduced
| # __HTML_FONT_LOW_CONTRAST_MINFP form above.
| meta GAPPY_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __GAPPY_SUBJECT
| describe GAPPY_LOW_CONTRAST Gappy subject + hidden text
| score GAPPY_LOW_CONTRAST 2.500 # limit
| 
| # No describe line here.
| meta URI_ONLY_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __BODY_URI_ONLY
| score URI_ONLY_LOW_CONTRAST 2.500 # limit
| 
| meta SUBJ_OBFU_LOW_CNTRST (HTML_FONT_LOW_CONTRAST && __SUBJ_OBFU_PUNCT) && !ALL_TRUSTED && !__NOT_A_PERSON && !__THREADED
| describe SUBJ_OBFU_LOW_CNTRST Subject obfuscation + hidden text
| score SUBJ_OBFU_LOW_CNTRST 2.500 # limit
| 
| # __URI_DOM_DOTDOT (".." in a URI host) is defined a few lines below.
| meta URI_DOTDOT_LOW_CNTRST HTML_FONT_LOW_CONTRAST && __URI_DOM_DOTDOT
| describe URI_DOTDOT_LOW_CNTRST Suspicious URI + hidden text
| score URI_DOTDOT_LOW_CNTRST 2.500 # limit
| 
| meta STOCK_LOW_CONTRAST (__HTML_FONT_LOW_CONTRAST_MINFP && __FB_S_STOCK) && !__BUGGED_IMG
| describe STOCK_LOW_CONTRAST Stocks + hidden text
| score STOCK_LOW_CONTRAST 2.500 # limit
| tflags STOCK_LOW_CONTRAST publish
| 
| meta NORDNS_LOW_CONTRAST (__HTML_FONT_LOW_CONTRAST_MINFP && __RDNS_NONE) && !ALL_TRUSTED && !__HAS_CID
| describe NORDNS_LOW_CONTRAST No rDNS + hidden text
| score NORDNS_LOW_CONTRAST 2.500 # limit
| |
| |
| # Two consecutive dots in the host part of a URI (case-sensitive is
| # irrelevant here; there are no letters in the pattern).
| uri __URI_DOM_DOTDOT m,://[^/]+\.\.,
| 
| # "I found you" lures (__FOUND_YOU is defined elsewhere) with no sign of a real
| # conversation: no DKIM, not a reply, no References/In-Reply-To, no Comment or
| # Errors-To, relay does not match Return-Path.
| meta FOUND_YOU __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO
| score FOUND_YOU 3.25 # limit
| describe FOUND_YOU I found you...
| tflags FOUND_YOU publish
| |
| |
| #rawbody __HTML_FONT_ONE_WORD_01 />\s{0,5}\S{1,15}\s{0,5}<\/font>/i |
| #tflags __HTML_FONT_ONE_WORD_01 multiple maxhits=26 |
| #meta HTML_FONT_ONE_WORD_MANY __HTML_FONT_ONE_WORD_01 > 25 |
| #describe HTML_FONT_ONE_WORD_MANY Many one-word font changes |
| #score HTML_FONT_ONE_WORD_MANY 0.50 # limit (initial) |
| |
| |
| #body __ADMITS_CANSPAM /\bThis is a CANSPAM ACT compliant advertising broadcast\b/i |
| #body __ADMITS_CANSPAM /\bThis is a CANSPAM ACT compliant\b/i |
| #meta ADMITS_CANSPAM __ADMITS_CANSPAM && !__VIA_ML |
| #describe ADMITS_CANSPAM Admits to being spam |
| |
| # "This is an advertisement" disclaimers, tolerating the usual obfuscations
| # (extra dashes/spaces, "@dvertisement", "advert1sement", "advertlsement").
| # No score set here.
| body __ADMITS_SPAM /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:email[- ]+)?[a@]dvert[i1l]sement\b/i
| meta ADMITS_SPAM __ADMITS_SPAM && !__TO___LOWER && !__MSOE_MID_WRONG_CASE && !__RP_MATCHES_RCVD
| describe ADMITS_SPAM Admits this is an ad
| |
| #body __OBFU_ADVERT /\badvert[1l]sement\b/i |
| #meta OBFU_ADVERT __OBFU_ADVERT |
| #describe OBFU_ADVERT Misspelled "advertisement" |
| #tflags OBFU_ADVERT publish |
| |
| |
| #body __SEO_REGISTER /\bsearch engine (?:registration|subscription|submission)\b/i |
| #tflags __SEO_REGISTER multiple maxhits=5 |
| #meta SEO_REGISTER __SEO_REGISTER > 4 |
| #score SEO_REGISTER 2.50 # limit |
| |
| |
| #uri REMOVE_YEAHNET /imremove\@yeah\.net/i |
| #describe REMOVE_YEAHNET Opt-out address used by CN spammers |
| |
| |
| # Spanish "Lic." (licenciado) honorific at the start of the From name, a .info
| # sender domain, and the Spanish opt-out boilerplate above.  No score set here.
| header __FROM_LIC From:name =~ /^Lic\./
| header __FROM_DOM_INFO From:addr =~ /\.info$/i
| meta ES_LIC_FROM_INFO __FROM_LIC && __FROM_DOM_INFO && __UNSUBSCRIBE_ES
| describe ES_LIC_FROM_INFO Spanish-language spam from .info domain
| |
| |
| # S/MIME envelope; used above to exempt such messages from the empty/short
| # body rules, whose text the body rules cannot see.
| header __SMIME_MESSAGE Content-Type =~ /application\/pkcs7-mime;/i
| |
| |
| #uri __JIMDO_PHISH /(?:microsoft|outlook|access|helpdesk|upd?ates|newaccount)\w+\.jimdo\.com/i |
| # Generic "click here" call to action; only the commented-out JIMDO_PHISH rule
| # around it references this subrule within this file.
| body __CLICK_HERE /\bclick\shere\b/i
| |
| #meta JIMDO_PHISH __JIMDO_PHISH && __CLICK_HERE |
| #describe JIMDO_PHISH Apparent phishing via webform hosted at jimdo.com |
| #score JIMDO_PHISH 3.00 # limit |
| |
| # Travel-industry vocabulary; __TRAVEL_MANY needs at least three of the four
| # subrules.  Not scored in this file.
| body __TRAVEL_PROFILE /\btravel+er\sprofile\b/i
| body __TRAVEL_RESERV /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i
| body __TRAVEL_BUSINESS /\bbusiness\stravel\b/i
| body __TRAVEL_AGENT /\btravel\sagen(?:t|cy)\b/i
| meta __TRAVEL_MANY (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2
| |
| # Any link into a wp-admin subdirectory.  Scored directly with no FP guards
| # and no explicit score (default applies), so legitimate WordPress
| # notification mail that links into wp-admin will hit it too.
| uri __URI_WPADMIN m,/wp-admin/\w+/,i
| meta URI_WPADMIN __URI_WPADMIN
| describe URI_WPADMIN WordPress login/admin URI, possible phishing
| tflags URI_WPADMIN publish
| 
| # Script or HTML served from the upload/theme (wp-content) or core
| # (wp-includes) trees - the usual drop location on a compromised install.
| # The ".*" spans the rest of the URI, so the extension may appear anywhere
| # after the directory.  The "_L" variants are looser: any 3-letter extension
| # other than the listed image/font/pdf types, or any 4-letter one but jpeg;
| # they are not referenced by the metas in this file.
| uri __URI_WPCONTENT m,/wp-content/.*\.(?:php|html?)\b,i
| uri __URI_WPCONTENT_L m,/wp-content/.*\.(?:(?!gif|jpg|png|bmp|ico|eot|pdf)[a-z]{3}|(?!jpeg)[a-z]{4})\b,i
| uri __URI_WPINCLUDES m,/wp-includes/.*\.(?:php|html?)\b,i
| uri __URI_WPINCLUDES_L m,/wp-includes/.*\.(?:(?!gif|jpg|png|bmp|ico|eot|pdf)[a-z]{3}|(?!jpeg)[a-z]{4})\b,i
| #uri __URI_WP_WHITELIST m,/wp-content/plugins/civicrm/,i
| # FP guards: list mail, Errors-To, sane rDNS, threaded, trusted, known-good.
| meta URI_WP_HACKED (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED
| describe URI_WP_HACKED URI for compromised WordPress site, possible malware
| score URI_WP_HACKED 3.500 # limit
| tflags URI_WP_HACKED publish
| 
| # Link to a directory (trailing slash) under wp-content/wp-includes, i.e. a
| # directory listing or index script.  No FP guards.
| uri __URI_WPDIRINDEX m,/wp-(?:content|includes)/.*/$,i
| meta URI_WP_DIRINDEX __URI_WPDIRINDEX
| describe URI_WP_DIRINDEX URI for compromised WordPress site, possible malware
| score URI_WP_DIRINDEX 3.500 # limit
| tflags URI_WP_DIRINDEX publish
| 
| # this has some overlap with URI_WP_HACKED
| # Broader CMS-path check (WordPress, Joomla mod_wdbanners, Movable Type
| # mt-static, ...) ending in something that is not an image/pdf, with an
| # optional short query string.  Only fires when URI_WP_HACKED did not, and
| # never on list/VERP/threaded mail.
| uri __PS_TEST_LOC_WP m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,128}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf)[^?]{4}(?:\?[^?]{1,5})?$;i
| meta URI_WP_HACKED_2 (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__HAS_LIST_ID && !__THREADED && !__USING_VERP1
| describe URI_WP_HACKED_2 URI for compromised WordPress site, possible malware
| score URI_WP_HACKED_2 2.500 # limit
| tflags URI_WP_HACKED_2 publish
| |
| |
| # subrules migrated from 00_FVGT_File001.cf
| # Lower-case header names ("subject:", "from:", ...) followed by a space and
| # at least five non-space characters, searched across the whole raw header
| # block (ALL).  Deliberately case-sensitive (no /i) so the normally
| # capitalised names do not match; the lower-case token can in principle also
| # occur inside another header's value.
| header __SUBJ_LOWER ALL =~ /subject:\s\S{5}/
| header __FROM_LOWER ALL =~ /from:\s\S{5}/
| header __TO___LOWER ALL =~ /to:\s\S{5}/
| header __DATE_LOWER ALL =~ /date:\s\S{5}/
| |
| |
| # duplicates __XPRIO
| #header __FH_HAS_XPRIORITY exists:X-Priority
| # X-Priority present (__XPRIO, defined elsewhere) minus a long list of signals
| # that legitimate mailers and lists tend to carry.
| meta __XPRIO_MINFP __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT
| 
| # With the DKIM plugin loaded, any DKIM signing/validation or a DNSWL listing
| # exempts the message, and SPF_PASS does too when the SPF plugin is also
| # loaded; the rule is then network-dependent ("net").  Without DKIM the rule
| # is just __XPRIO_MINFP and carries no net flag.
| ifplugin Mail::SpamAssassin::Plugin::DKIM
| ifplugin Mail::SpamAssassin::Plugin::SPF
| meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS
| else
| meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE
| endif
| tflags XPRIO net
| else
| meta XPRIO __XPRIO_MINFP
| endif
| describe XPRIO Has X-Priority header
| score XPRIO 2.250 # limit
| tflags XPRIO publish
| |
| # some high-S/O combinations
| # X-Priority (FP-reduced form) plus a short Subject, with further guards
| # (__MSM_PRIO_REPTO etc. are defined elsewhere).
| meta __XPRIO_SHORT_SUBJ __XPRIO_MINFP && __SUBJ_SHORT
| meta XPRIO_SHORT_SUBJ __XPRIO_SHORT_SUBJ && !__MSM_PRIO_REPTO && !ALL_TRUSTED && !__DKIM_EXISTS && !__RELAY_THRU_WWW && !__CTYPE_HAS_BOUNDARY && !__RCD_RDNS_MTA && !__HAS_HREF
| describe XPRIO_SHORT_SUBJ Has X Priority header + short subject
| score XPRIO_SHORT_SUBJ 2.500 # limit
| tflags XPRIO_SHORT_SUBJ publish
| 
| # Raw __XPRIO (not the FP-reduced form) plus a malformed From header.
| meta FROM_MISSP_XPRIO (__XPRIO && __FROM_MISSPACED) && !__LYRIS_EZLM_REMAILER
| describe FROM_MISSP_XPRIO Misspaced FROM + X-Priority
| score FROM_MISSP_XPRIO 2.500 # limit
| 
| # Raw __XPRIO plus a "static"-looking rDNS name and an X-MimeOLE header.
| meta __STATIC_XPRIO_OLE __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE
| meta STATIC_XPRIO_OLE __STATIC_XPRIO_OLE
| describe STATIC_XPRIO_OLE Static RDNS + X-Priority + MIMEOLE
| score STATIC_XPRIO_OLE 2.000 # limit
| tflags STATIC_XPRIO_OLE publish
| |
| # Apparent good performance is an artifact of certain corpora's collection mechanism |
| #meta XPRIO_RPATH_NULL (__XPRIO && __BOUNCE_RPATH_NULL) && !__HAS_ERRORS_TO && !__VIA_ML && !ANY_BOUNCE_MESSAGE && !__HAS_ORGANIZATION && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED |
| #score XPRIO_RPATH_NULL 2.500 # limit |
| # |
| #meta TO_EQ_FM_NN_RPATH_NULL (__TO_EQ_FROM_USR_NN && __BOUNCE_RPATH_NULL) && !__TO_EQ_FROM_USR |
| #score TO_EQ_FM_NN_RPATH_NULL 2.000 # limit |
| #tflags TO_EQ_FM_NN_RPATH_NULL publish |
| |
| |
| # Small vocabulary subrules used as FP guards / components elsewhere.
| # __FS_SUBJ_RE is case-sensitive: only "Re: " exactly, at the start.
| header __FS_SUBJ_RE Subject =~ /^Re: /
| # Three consecutive digits anywhere in the Subject.
| header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/
| 
| body __CAN_HELP /\bcan help\b/i
| body __FB_COST /\bcost\b/i
| body __FB_NATIONAL /national/i
| # A digit, optional space, percent sign.
| body __FB_NUM_PERCNT /\d\s?\%/
| body __FB_S_STOCK /\bstock/i
| body __FB_TOUR /\btour/i
| body __SURVEY /\bsurvey\b/i
| 
| # "price" with a doubled i and/or an extra letter before the final e.
| body __FB_S_PRICE /pri{1,2}c[a-z]?e/i
| |
| # Obfuscated "price" via ReplaceTags: the <P><R><IX><C><E> tags and the
| # <inter>/<post> modifiers are presumably replace_tag definitions made
| # elsewhere; replace_rules expands them in this rule before it is compiled.
| # The (?!price) lookahead keeps the plain spelling to __FB_S_PRICE.
| ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
| body __FRT_PRICE /<inter SP2><post P2>\b(?!price)<P><R><IX><C><E>\b/i
| replace_rules __FRT_PRICE
| 
| meta __FM_MY_PRICE (__FB_S_PRICE || __FRT_PRICE)
| else
| # Without the plugin the obfuscated form is defined as a constant 0 so metas
| # referencing it still resolve.
| meta __FRT_PRICE 0
| meta __FM_MY_PRICE __FB_S_PRICE
| endif
| |
| # Six alphanumerics, an exact run of N whitespace characters, five
| # alphanumerics - fixed-width padding patterns in the raw body.  Not scored in
| # this file.
| rawbody __FR_SPACING_8 /[a-z0-9]{6}\s{8}[a-z0-9]{5}/i
| rawbody __FR_SPACING_9 /[a-z0-9]{6}\s{9}[a-z0-9]{5}/i
| rawbody __FR_SPACING_15 /[a-z0-9]{6}\s{15}[a-z0-9]{5}/i
| rawbody __FR_SPACING_17 /[a-z0-9]{6}\s{17}[a-z0-9]{5}/i
| rawbody __FR_SPACING_22 /[a-z0-9]{6}\s{22}[a-z0-9]{5}/i
| |
| |
| # per users mailing list question from Joe Quinn
| #body __HEXHASHWORD_S /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{18})[0-9a-f]{18}/
| #tflags __HEXHASHWORD_S multiple maxhits=4
| # "word <10-64 hex/dash chars> word": a hash-like token between two ordinary
| # words.  The lookaheads reject a plain 10-20 letter word, a short dashed
| # number and a 10-digit number; "--" is not allowed inside the token.
| # Counted up to 4 per message.
| body __HEXHASHWORD_S2EU /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}(?!-?\d{1,5}-)(?!\d{10}\s)(?:(?!--)[-0-9a-f]){10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/
| tflags __HEXHASHWORD_S2EU multiple maxhits=4
| #body __HEXHASHWORD_S2E /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}[0-9a-f]{10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/
| #tflags __HEXHASHWORD_S2E multiple maxhits=4
| #body __HEXHASHWORD_S2 /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[0-9a-f]{10,64}\s[A-Z]?[a-z]{1,15}\b/
| #tflags __HEXHASHWORD_S2 multiple maxhits=4
| #body __HEXHASHWORD /\s[A-Z]?[a-z]{1,15}\s[0-9a-f]{30}/
| #tflags __HEXHASHWORD multiple maxhits=4
| # Threshold subrules (2, 3, 4 hits); not referenced in this file.
| meta __HEXHASH_2 __HEXHASHWORD_S2EU > 1
| meta __HEXHASH_3 __HEXHASHWORD_S2EU > 2
| meta __HEXHASH_4 __HEXHASHWORD_S2EU > 3
| #meta __HEXHASH_5 __HEXHASHWORD_S2EU > 4
| # Two or more hash-words, minus remailer/list traffic, hex-looking Message-IDs,
| # short rDNS, multipart/mixed and other legit signals.
| meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER
| describe HEXHASH_WORD Multiple instances of word + hexadecimal hash
| score HEXHASH_WORD 3.000 # limit
| tflags HEXHASH_WORD publish
| |
| # from users list spample provided by Larry Starr
| # "word UPPERCASEGIBBERISH word": a run of 16+ capitals (optionally one
| # trailing lower-case letter) between two ordinary words; counted up to 2.
| body __UC_GIBB_OBFU /\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/
| tflags __UC_GIBB_OBFU multiple maxhits=2
| #meta __UC_GIBB_2 __UC_GIBB_OBFU > 1
| #meta __UC_GIBB_3 __UC_GIBB_OBFU > 2
| #meta __UC_GIBB_4 __UC_GIBB_OBFU > 3
| #meta __UC_GIBB_5 __UC_GIBB_OBFU > 4
| #meta __UC_GIBB_6 __UC_GIBB_OBFU > 5
| #meta __UC_GIBB_7 __UC_GIBB_OBFU > 6
| # Two or more such runs, minus Return-Path/relay agreement, lists, DKIM and
| # trusted mail.
| meta UC_GIBBERISH_OBFU (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED
| describe UC_GIBBERISH_OBFU Multiple instances of "word VERYLONGGIBBERISH word"
| score UC_GIBBERISH_OBFU 3.000 # Limit
| tflags UC_GIBBERISH_OBFU publish
| |
| |
| #body __B2B_HELP /\bhelp(?:ing)? (?:businesses like yours|your business)\b/i |
| #body __YOUR_BIZ /\bbusiness(?:es) like yours|(?<!of )your b(?:usiness|rand)\b/i |
| |
| |
| # will be removed with immediate effect from any further mailing list |
| # wish to receive information from us in the future |
| # This-link http://www.nowyehue.com/bon/dds/ will end messages. |
| # stop receiving these emails |
| # Unsubscribe me from this list |
| # We are not promoting any kind of SPAM. |
| # recieve any kind promotional email form us |
| # To stop receiving these emails |
| # exclude yourself from further ad-messages |
| # removal options |
| # Stop PSA alert |
| |
| #body __UNSUB_PSA /\bstop PSA alert\b/i |
| |
| #body __UNSUB_EXCL /\bexclude yourself from further ad\b/i |
| #meta UNSUB_EXCL __UNSUB_EXCL |
| #score UNSUB_EXCL 2.000 # limit |
| |
| #body __UNSUB_OPT /\bremoval options?\b/i |
| #meta UNSUB_OPT __UNSUB_OPT |
| #score UNSUB_OPT 2.000 # limit |
| |
| # True when the trusted-relay pseudo-header contains no "ip=" entry, i.e. no
| # trusted relay was identified.  Not referenced elsewhere in this file.
| header __NO_TRUSTED_RELAY X-Spam-Relays-Trusted !~ /ip=/i
| |
| #body CANT_SEE_AD /\b(?:can(?:no|')?t|(?:aren'?t |not |un)able to) (?:view|read|see|scan|witness|consider|look at|participate in|take in|(?:make|check|scope) out|eye|scrutinize|watch|display|observe) (?:our|this|the) (?:commercial[-. ]|ad(?:v[-.]?ert[i1l]se-?ment)? |images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?images)\b/i |
| # "Can't see this ad/newsletter? ..." preamble.  _1 allows up to two filler
| # words (but not our/this/the) between the verb phrase and the article, and
| # tolerates dashes/commas as separators; _2 is the "trouble viewing ... click"
| # form.
| body __CANT_SEE_AD_1 /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i
| body __CANT_SEE_AD_2 /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i
| # Excluded when a List-Unsubscribe header is present (opted-in newsletters
| # use the same preamble).
| meta CANT_SEE_AD (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB
| describe CANT_SEE_AD You really want to see our spam.
| score CANT_SEE_AD 2.500 # limit
| tflags CANT_SEE_AD publish
| |
<doc_update>
| # LONG_HEX_URI: a URI path segment of 128 consecutive lowercase hex digits (no /i |
| # flag, so uppercase hex is deliberately or accidentally not matched - verify). The |
| # commented lines are abandoned longer tiers and a hit-count split. |
| uri __128_HEX_URI m,/[0-9a-f]{128}, |
| #tflags __128_HEX_URI multiple maxhits=2 |
| #uri __192_HEX_URI m,/[0-9a-f]{192}, |
| #uri __256_HEX_URI m,/[0-9a-f]{256}, |
| #uri __384_HEX_URI m,/[0-9a-f]{384}, |
| #meta __128_HEX_URI_SGL __128_HEX_URI == 1 |
| #meta __128_HEX_URI_MLT __128_HEX_URI > 1 |
| # The __LCL__ wrapper resolves to 0 when the BodyEval plugin cannot supply the body |
| # length check, so the short-body exclusion silently drops out rather than breaking |
| # the rule. |
| meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024 |
| describe LONG_HEX_URI Very long purely hexadecimal URI |
| score LONG_HEX_URI 3.000 # limit |
| tflags LONG_HEX_URI publish |
| |
| # Long random-looking path components, tiered by minimum length (128 / 64 / 45) and |
| # character set (lowercase letters, alphanumerics, \w). The *_URI forms match a final |
| # path or query component; the *_IMG forms match a long directory followed by an |
| # image filename (web-bug / tracking pixel shape). |
| uri __128_LC_URI m;[/?][a-z]{128,}$; |
| uri __128_LC_IMG m;/[a-z]{128,}/\w+\.(?:png|gif|jpe?g)$; |
| uri __128_ALNUM_URI m;[/?][0-9a-z]{128,}$;i |
| uri __128_ALNUM_IMG m;/[0-9a-z]{128,}/\w+\.(?:png|gif|jpe?g)$;i |
| uri __64_ANY_URI m;[/?]\w{64,}$;i |
| uri __64_ANY_IMG m;/\w{64,}/\w+\.(?:png|gif|jpe?g)$;i |
| uri __45_ALNUM_URI m;[/?][0-9a-z]{45,}$;i |
| uri __45_ALNUM_IMG m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g)$;i |
| # "_O" (only) metas make each tier exclusive of the stricter tiers above it, so a |
| # 128-char lowercase path does not also count as a 64- or 45-char hit. None of the |
| # tiered metas are consumed in this section; consumers, if any, are elsewhere. |
| meta __128_LC_URI_IMG __128_LC_URI && __128_LC_IMG |
| meta __128_ALNUM_URI_O __128_ALNUM_URI && !__128_LC_URI |
| meta __128_ALNUM_IMG_O __128_ALNUM_IMG && !__128_LC_IMG |
| meta __128_ALNUM_URI_IMG __128_ALNUM_URI_O && __128_ALNUM_IMG_O |
| meta __64_ANY_URI_O __64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI |
| meta __64_ANY_IMG_O __64_ANY_IMG && !__128_ALNUM_IMG && !__128_LC_IMG |
| meta __64_ALNUM_URI_IMG __64_ANY_URI_O && __64_ANY_IMG_O |
| meta __45_ALNUM_URI_O __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI |
| meta __45_ALNUM_IMG_O __45_ALNUM_IMG && !__64_ANY_IMG && !__128_ALNUM_IMG && !__128_LC_IMG |
| meta __45_ALNUM_URI_IMG __45_ALNUM_URI_O && __45_ALNUM_IMG_O |
| |
| # Scoring rule uses the broadest image tier directly (45+ alphanumerics), guarded by |
| # ALL_TRUSTED and an Errors-To: header check defined elsewhere. |
| meta LONG_IMG_URI __45_ALNUM_IMG && !ALL_TRUSTED && !__HAS_ERRORS_TO |
| describe LONG_IMG_URI Image URI with very long path component - web bug? |
| score LONG_IMG_URI 3.000 # limit |
| tflags LONG_IMG_URI publish |
| |
| |
| # HTML_OFF_PAGE: inline CSS "top:" or "left:" with a negative offset of 3-9 digits of |
| # pixels, which positions an element far outside the viewport - a hidden-content |
| # technique. rawbody is used so the markup itself is inspected. Guards (all defined |
| # elsewhere): Return-Path matching a Received host, over-long lines, DKIM present. |
| rawbody __HTML_OFF_PAGE /;(?:top|left):-\d{3,9}px;/i |
| meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS |
| describe HTML_OFF_PAGE HTML element rendered well off the displayed page |
| score HTML_OFF_PAGE 3.000 # limit |
| tflags HTML_OFF_PAGE publish |
| |
| |
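| # PUMPDUMP: pump-and-dump stock promotion phrases. Ten body subrules are summed into |
| # the __PD_CNT_N thresholds (more than N-1 distinct phrases). PUMPDUMP fires on a |
| # single phrase and is suppressed once PUMPDUMP_MULTI (two or more) takes over. |
| body __PUMPDUMP_01 /\b(?:times|multiply|tripl(?:e|ing)|quadrupl(?:e|ing)|quintupl(?:e|ing)) (?:your|an) (?:princip(?:al|le)|investment)\b/i |
| body __PUMPDUMP_02 /\b(?:sto[ck]{2}|share price) (?:will |may |is (?:(?:about|poised|positioned|ready) to |gonna ))?(?:triple|quadruple|quintuple|soar|go(?:es?) (?:nuts|crazy|sky high|way up))\b/i |
| body __PUMPDUMP_03 /\bbuy (?:[^.!]{1,30} )?(?:(?:(?:mon|tues|wednes|thurs|fri)day|tomorrow) (?:first thing|open|morning)|(?:first thing|opens|before) (?:(?:mon|tues|wednes|thurs|fri)day|tomorrow))/i |
| body __PUMPDUMP_04 /\bmake you (?:big bucks|hundreds|thousands)\b/i |
| body __PUMPDUMP_05 /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i |
| body __PUMPDUMP_06 /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i |
| body __PUMPDUMP_07 /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i |
| # Fixed: this previously read /\b?(:sto[ck]{2}|sotk) of the year/i - the "?" had been |
| # transposed out of the group opener, so the pattern required a literal ":" before |
| # "stock" and made the word boundary optional. Now anchored "stock|sotk of the year", |
| # consistent with the sto[ck]{2} spelling-swap idiom used by __PUMPDUMP_02 / __STOCK_TIP. |
| body __PUMPDUMP_08 /\b(?:sto[ck]{2}|sotk) of the year/i |
| body __PUMPDUMP_09 /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i |
| body __PUMPDUMP_10 /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i |
| # Only __PD_CNT_1 is consumed in this section (PUMPDUMP_TIP); __PD_CNT_2 duplicates |
| # the PUMPDUMP_MULTI expression. The remaining tiers may be consumed elsewhere. |
| meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0 |
| meta __PD_CNT_2 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1 |
| meta __PD_CNT_3 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 2 |
| meta __PD_CNT_4 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 3 |
| meta __PD_CNT_5 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 4 |
| meta __PD_CNT_6 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 5 |
| meta __PD_CNT_7 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 6 |
| # Single-phrase hit; PUMPDUMP_MULTI is referenced before its definition, which meta |
| # rules permit. |
| meta PUMPDUMP (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI |
| describe PUMPDUMP Pump-and-dump stock scam phrase |
| score PUMPDUMP 1.000 # limit |
| tflags PUMPDUMP publish |
| meta PUMPDUMP_MULTI (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1 |
| describe PUMPDUMP_MULTI Pump-and-dump stock scam phrases |
| score PUMPDUMP_MULTI 3.500 # limit |
| tflags PUMPDUMP_MULTI publish |
| |
| # "stock tip" / "stok tip" with optional space; no DKIM as the FP guard. |
| body __STOCK_TIP /\bsto[ck]{2}\s?tip\b/i |
| meta STOCK_TIP __STOCK_TIP && !__DKIM_EXISTS |
| describe STOCK_TIP Stock tips |
| score STOCK_TIP 3.000 # limit |
| tflags STOCK_TIP publish |
| |
| # Any pump-and-dump phrase together with a stock tip; no score line, so it takes the |
| # default score. |
| meta PUMPDUMP_TIP __PD_CNT_1 && __STOCK_TIP |
| describe PUMPDUMP_TIP Pump-and-dump stock tip |
| tflags PUMPDUMP_TIP publish |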
| |
| |
| #body DR_OZ_OBFU /\bD(?:r\.|oc(?:tor)?) ?0z\b/i |
| #describe DR_OZ_OBFU Obfuscated Doctor Oz |
| # |
| #body DOC_OZ /\b(?:doc oz|Dr\.?Oz)\b/ |
| #describe DOC_OZ Doctor Oz |
| |
| |
| # ADMAIL: "admail", "ad-message(s)" and variants; (?:\b|_) allows the token to be |
| # delimited by underscores as well as word boundaries. Guards: DKIM present, and a |
| # Comments: header check (__COMMENT_EXISTS, defined elsewhere). |
| body __ADMAIL /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i |
| meta ADMAIL __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS |
| describe ADMAIL "admail" and variants |
| tflags ADMAIL publish |
| |
| # ORS: literal product phrase; no score or tflags line, so default scoring applies. |
| body ORS /\bOn-?line Rate Saver\b/i |
| describe ORS "Online Rate Saver" |
| |
| |
| # subrule version of MMartinec CR_IN_SUBJ |
| # A bare carriage return (\015) in the raw, undecoded Subject: header. |
| header __CR_IN_SUBJ Subject:raw =~ /\015/ |
| |
| |
| # THIS_AD: "this ad" / "this advertisement" / "this promotion", with [-_ ] separators |
| # and an [i1l] homoglyph class in "advertisement". Guards exclude Mozilla-style |
| # Message-IDs, QP-encoded From:, CR-in-subject, and Return-Path matching a Received |
| # host (all defined elsewhere). |
| body __THIS_AD /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i |
| meta THIS_AD __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD |
| describe THIS_AD "This ad" and variants |
| tflags THIS_AD publish |
| |
| # low S/O, legit subscribed marketing in masscheck corpus? |
| # "ad(vertising)/promo(tion)/marketing preferences|settings"; scored low for the |
| # reason above. |
| body AD_PREFS /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i |
| describe AD_PREFS Advertising preferences |
| score AD_PREFS 0.500 # limit |
| tflags AD_PREFS publish |
| |
| #body OPT_OUT /\bOpt-Out Here\b/i |
| #score OPT_OUT 2.000 |
| |
| # Opt-out / "try it" hostnames: the leftmost DNS label is a verb (optionally followed |
| # by digits), then at least one more label ([^/]+ must contain the intervening dot), |
| # then the TLD - hence "3LD". The USME variants match the .us/.me/.mobi/.club TLDs, |
| # the 3LD variants .com/.net. |
| uri URI_OPTOUT_USME m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i |
| describe URI_OPTOUT_USME Opt-out URI, unusual TLD |
| tflags URI_OPTOUT_USME publish |
| |
| uri URI_OPTOUT_3LD m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i |
| describe URI_OPTOUT_3LD Opt-out URI, suspicious hostname |
| score URI_OPTOUT_3LD 2.000 # limit |
| tflags URI_OPTOUT_3LD publish |
| |
| # The .us/.me variant is DKIM-guarded via a meta; the .com/.net variant below scores |
| # directly and instead carves out known-legitimate prefixes with negative lookaheads |
| # (get.adobe, checkout, visitor, mysub*, myturbotax). |
| uri __URI_TRY_USME m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i |
| meta URI_TRY_USME __URI_TRY_USME && !__DKIM_EXISTS |
| describe URI_TRY_USME "Try it" URI, unusual TLD |
| tflags URI_TRY_USME publish |
| |
| uri URI_TRY_3LD m,^https?://(?:try|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn|request|visit(?!or)|my(?!sub|turbotax)\w)[^.]*\.[^/]+\.(?:com|net)\b,i |
| describe URI_TRY_3LD "Try it" URI, suspicious hostname |
| score URI_TRY_3LD 2.000 # limit |
| tflags URI_TRY_3LD publish |
| |
| |
| |
| ## REFINE THIS |
| #body __INCOMING_FAX /\bincoming fax\b/i |
| #body __BANK /\bbank\b/i |
| #body __ACCT_STMT /\bac(?:count|tivity) statement\b/i |
| #uri __URI_DROPBOX m,[/.]dropbox\.com\/,i |
| #meta DROPBOX_MALW (__INCOMING_FAX || (__BANK && __ACCT_STMT)) && __URI_DROPBOX && !ALL_TRUSTED |
| #describe DROPBOX_MALW Spoofed FAX or bank statement with Dropbox link: PROBABLE MALWARE |
| #score DROPBOX_MALW 10.00 |
| |
| |
| # FUZZY_* rules: each <X> is a ReplaceTags tag (defined elsewhere via replace_tag, |
| # presumably expanding to the letter plus its look-alikes), and the negative lookahead |
| # right after the first letter excludes the correctly spelled word, so only obfuscated |
| # spellings fire. replace_rules must list every rule that uses tags. The "else" |
| # branch provides plain fallbacks only for the subrules consumed outside this block. |
| ifplugin Mail::SpamAssassin::Plugin::ReplaceTags |
| body FUZZY_UNSUBSCRIBE /<U>(?!nsubscribe)<N><S><U><B><S><C><R><I><B><E>/i |
| replace_rules FUZZY_UNSUBSCRIBE |
| describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe" |
| tflags FUZZY_UNSUBSCRIBE publish |
| |
| body FUZZY_ANDROID /<A>(?!ndroid)<N><D><R><O><I><D>/i |
| replace_rules FUZZY_ANDROID |
| describe FUZZY_ANDROID Obfuscated "android" |
| tflags FUZZY_ANDROID publish |
| |
| body FUZZY_PROMOTION /<P>(?!romotion)<R><O><M><O><T><I><O><N>/i |
| replace_rules FUZZY_PROMOTION |
| describe FUZZY_PROMOTION Obfuscated "promotion" |
| tflags FUZZY_PROMOTION publish |
| |
| body FUZZY_PRIVACY /<P>(?!rivacy)<R><I><V><A><C><Y>/i |
| replace_rules FUZZY_PRIVACY |
| describe FUZZY_PRIVACY Obfuscated "privacy" |
| tflags FUZZY_PRIVACY publish |
| |
| body FUZZY_BROWSER /<B>(?!rowser)<R><O><W><S><E><R>/i |
| replace_rules FUZZY_BROWSER |
| describe FUZZY_BROWSER Obfuscated "browser" |
| tflags FUZZY_BROWSER publish |
| |
| body FUZZY_SAVINGS /<S>(?!avings)<A><V><I><N><G><S>/i |
| replace_rules FUZZY_SAVINGS |
| describe FUZZY_SAVINGS Obfuscated "savings" |
| tflags FUZZY_SAVINGS publish |
| |
| # Also accepts the "inportant" misspelling (<M>|<N>). |
| body FUZZY_IMPORTANT /<I>(?!mportant)(?:<M>|<N>)<P><O><R><T><A><N><T>/i |
| replace_rules FUZZY_IMPORTANT |
| describe FUZZY_IMPORTANT Obfuscated "important" |
| tflags FUZZY_IMPORTANT publish |
| |
| # Excludes the plain English, Spanish ("seguridad") and UTF-8 French ("sécurité") |
| # spellings; the tagged part accepts either the English or the Spanish letter shape. |
| body FUZZY_SECURITY /<S>(?!ecurity)(?!eguridad)(?!\xc3\xa9curit\xc3\xa9)<E>(?:<C>|<G>)<U><R><I>(?:<T><Y>|<D><A><D>)/i |
| replace_rules FUZZY_SECURITY |
| describe FUZZY_SECURITY Obfuscated "security" |
| tflags FUZZY_SECURITY publish |
| |
| # (?-i:...) makes only the lookahead case-sensitive, so the plain "Dr. Oz"/"Doctor Oz" |
| # is excluded while the obfuscated match stays case-insensitive. <WS> is presumably |
| # a whitespace tag. |
| body __FUZZY_DR_OZ /\bD(?!(?-i:(?:r.|octor)(?:\s| )Oz))(?:<R>|<O><C>(?:<T><O><R>)?)\.?<WS>*<O><Z>(?:$|\W)/i |
| replace_rules __FUZZY_DR_OZ |
| meta FUZZY_DR_OZ __FUZZY_DR_OZ && !__VIA_ML && !__DKIM_EXISTS && !__RP_MATCHES_RCVD |
| describe FUZZY_DR_OZ Obfuscated Doctor Oz |
| tflags FUZZY_DR_OZ publish |
| |
| body FUZZY_CLICK_HERE /<C>(?!lick(?:\s| )here)<WS>*<L><WS>*<I><WS>*<C><WS>*<K><WS>+<H><WS>*<E><WS>*<R><WS>*<E>/i |
| replace_rules FUZZY_CLICK_HERE |
| describe FUZZY_CLICK_HERE Obfuscated "click here" |
| tflags FUZZY_CLICK_HERE publish |
| |
| body FUZZY_BITCOIN /<B>(?!itcoin)<I><T>-?<C><O><I><N>/i |
| replace_rules FUZZY_BITCOIN |
| describe FUZZY_BITCOIN Obfuscated "Bitcoin" |
| tflags FUZZY_BITCOIN publish |
| |
| |
| # Unlike FUZZY_BITCOIN this has no lookahead, so it matches plain and obfuscated |
| # spellings alike; it is the "any mention of bitcoin" subrule for the metas below. |
| body __BITCOIN /<B><I><T>-?<C><O><I><N>/i |
| replace_rules __BITCOIN |
| |
| body FUZZY_WALLET /<W>(?!allet)<A><L><L><E><T>/i |
| replace_rules FUZZY_WALLET |
| describe FUZZY_WALLET Obfuscated "Wallet" |
| tflags FUZZY_WALLET publish |
| |
| meta FUZZY_BTC_WALLET FUZZY_BITCOIN && FUZZY_WALLET |
| describe FUZZY_BTC_WALLET Heavily obfuscated "bitcoin wallet" |
| tflags FUZZY_BTC_WALLET publish |
| |
| body __FUZZY_MONERO /<M>(?!onero)<O><N><E><R><O>/i |
| replace_rules __FUZZY_MONERO |
| |
| # Brand obfuscation checked in both the body and the From: display name. No score or |
| # tflags line here, so the rule takes the default score. |
| body __FUZZY_WELLSFARGO_BODY /<W>(?!ells[-\s]?Fargo)<E><L><L><S>[-\s]?<F><A><R><G><O>/i |
| replace_rules __FUZZY_WELLSFARGO_BODY |
| header __FUZZY_WELLSFARGO_FROM From:name =~ /<W>(?!ells[-\s]?Fargo)<E><L><L><S>[-\s]?<F><A><R><G><O>/i |
| replace_rules __FUZZY_WELLSFARGO_FROM |
| meta FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM |
| describe FUZZY_WELLSFARGO Obfuscated "Wells Fargo" |
| |
| else |
| # Without ReplaceTags: __FUZZY_MONERO is pinned to 0 so FUZZY_MONERO below never |
| # fires, and __BITCOIN falls back to the literal spelling. The other FUZZY_* names |
| # are simply undefined in this branch. |
| meta __FUZZY_MONERO 0 |
| body __BITCOIN /\bBit-?coin\b/i |
| endif |
| |
| # Bitcoin address shapes: a Base58 token starting with 1 or 3 (25-34 chars, the |
| # class omits 0/O/I/l) or a "bc1" prefix followed by 30-90 chars from the 32-symbol |
| # bech32 alphabet (no 1, b, i, o). __URL_BTC_ID catches the same shape embedded as |
| # a URI path element; __BITCOIN_ID catches it as a body token, and the (?<!=) lookbehind |
| # skips "=..." tokens (presumably to avoid parameter values and encoded text). |
| uri __URL_BTC_ID m;[/.](?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})(?:/|$); |
| body __BITCOIN_ID /\b(?<!=)(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})\b/ |
| |
| # Scored wrapper for the ReplaceTags subrule above; it is 0 without that plugin. |
| meta FUZZY_MONERO __FUZZY_MONERO |
| describe FUZZY_MONERO Obfuscated "Monero" |
| tflags FUZZY_MONERO publish |
| |
| # Monero indicators: an address-shaped token (leading 4, then 94-105 Base58 chars), |
| # the "Monero (XMR)" currency label (case-sensitive, no boundaries), a buy-monero URI, |
| # or an obfuscated spelling. __MONERO is the union used by the MONERO_* rules. |
| body __MONERO_ID /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93,104}\b/ |
| body __MONERO_CURNCY /Monero \(XMR\)/ |
| uri __URI_MONERO /buy-monero/i |
| meta __MONERO (__MONERO_ID || __MONERO_CURNCY || __URI_MONERO || __FUZZY_MONERO) |
| |
| # BTC_ORG: a bitcoin address plus an Organization: header on mailing-list-style mail |
| # from untrusted relays. When the DKIM plugin is loaded a valid-looking signature is |
| # an additional exclusion; otherwise the same rule without it. |
| ifplugin Mail::SpamAssassin::Plugin::DKIM |
| meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED |
| else |
| meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST |
| endif |
| describe BTC_ORG Bitcoin wallet ID + unusual header |
| score BTC_ORG 2.500 # limit |
| |
| # Any "bitcoin" mention (plain or obfuscated, per __BITCOIN) with a PDF attachment. |
| meta BITCOIN_PDF __BITCOIN && __PDF_ATTACH |
| describe BITCOIN_PDF "Bitcoin" + PDF attachment |
| score BITCOIN_PDF 2.500 # limit |
| |
| # Bitcoin mention or address together with extra HTML close tags. |
| meta BITCOIN_MALF_HTML HTML_EXTRA_CLOSE && (__BITCOIN || __BITCOIN_ID) |
| describe BITCOIN_MALF_HTML Bitcoin + malformed HTML |
| score BITCOIN_MALF_HTML 3.500 # limit |
| |
| # Bitcoin + a priority header (__XPRIO, defined elsewhere), excluding list mail, mail |
| # with a Sender: header, DKIM, and a messy mail-host rDNS pattern. |
| meta __BITCOIN_XPRIO __XPRIO && (__BITCOIN || __BITCOIN_ID) |
| meta BITCOIN_XPRIO __BITCOIN_XPRIO && !__ML1 && !__HAS_SENDER && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY |
| describe BITCOIN_XPRIO Bitcoin + priority |
| score BITCOIN_XPRIO 2.500 # limit |
| |
| # bitcoin obfuscation - tip o' the hat to Steve Zinski on the users list, with a little cleanup |
| # __BTC_OBFU_2: the letters of "bitcoin" separated by up to ten non-word characters |
| # each (e.g. "b.i.t.c.o.i.n"); the lookahead after "b" excludes the plain word. |
| # __BTC_OBFU_3: the same for "btc". |
| body __BTC_OBFU_2 /\b\W{0,10}b(?!itcoin)\W{0,10}i\W{0,10}t\W{0,10}c\W{0,10}o\W{0,10}i\W{0,10}n\W{0,10}\b/i |
| body __BTC_OBFU_3 /\b\W{0,10}b(?!tc\b)\W{0,10}t\W{0,10}c\W{0,10}\b/i |
| |
| # seen in sloppy spam |
| # HTML hex character entities spelling b-i-t-c-o-i-n (0x62 0x69 0x74 0x63 0x6F 0x69 0x6E). |
| body __BTC_OBFU_5 /&\#x62;&\#x69;&\#x74;&\#x63;&\#x6F;&\#x69;&\#x6E;/i |
| |
| # __BTC_OBFU_4 duplicates (to a degree) FUZZY_BITCOIN |
| # Use FUZZY_BITCOIN (more hits) if possible |
| # __BTC_OBFU_4 (fallback only) accepts Cyrillic homoglyphs for i (U+0456), c (U+0441) |
| # and o (U+043E) in "bitcoin". The _NOID variant is the obfuscation without any |
| # address present, used by BITCOIN_EXTORT_02. |
| ifplugin Mail::SpamAssassin::Plugin::ReplaceTags |
| meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) ) |
| meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) ) |
| else |
| body __BTC_OBFU_4 /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i |
| meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) ) |
| meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) ) |
| endif |
| |
| # Scored form: obfuscated spelling AND an address-shaped token. |
| meta OBFU_BITCOIN __OBFU_BITCOIN |
| describe OBFU_BITCOIN Obfuscated BitCoin references |
| score OBFU_BITCOIN 3.000 # limit |
| tflags OBFU_BITCOIN publish |
| |
| # BITCOIN_SPAM_NN: a bitcoin address (__BITCOIN_ID) combined with one structural |
| # oddity each. The partner subrules are defined elsewhere unless noted. |
| meta BITCOIN_SPAM_01 __BITCOIN_ID && HTML_MIME_NO_HTML_TAG |
| describe BITCOIN_SPAM_01 BitCoin spam pattern 01 |
| score BITCOIN_SPAM_01 2.500 # limit |
| tflags BITCOIN_SPAM_01 publish |
| |
| # 02 requires the address in the body text but not inside a URL (!__URL_BTC_ID). |
| meta __BITCOIN_SPAM_02 __BITCOIN_ID && __BOTH_INR_AND_REF |
| meta BITCOIN_SPAM_02 __BITCOIN_SPAM_02 && !__URL_BTC_ID |
| describe BITCOIN_SPAM_02 BitCoin spam pattern 02 |
| score BITCOIN_SPAM_02 2.500 # limit |
| tflags BITCOIN_SPAM_02 publish |
| |
| meta BITCOIN_SPAM_03 __BITCOIN_ID && __SINGLE_WORD_SUBJ |
| describe BITCOIN_SPAM_03 BitCoin spam pattern 03 |
| score BITCOIN_SPAM_03 2.500 # limit |
| tflags BITCOIN_SPAM_03 publish |
| |
| meta BITCOIN_SPAM_04 __BITCOIN_ID && __freemail_hdr_replyto |
| describe BITCOIN_SPAM_04 BitCoin spam pattern 04 |
| score BITCOIN_SPAM_04 1.500 # limit |
| tflags BITCOIN_SPAM_04 publish |
| |
| # 05 is tagged "net" - presumably because __SPOOFED_FREEMAIL depends on a network test. |
| meta __BITCOIN_SPAM_05 __BITCOIN_ID && __SPOOFED_FREEMAIL |
| meta BITCOIN_SPAM_05 __BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TO |
| describe BITCOIN_SPAM_05 BitCoin spam pattern 05 |
| score BITCOIN_SPAM_05 2.500 # limit |
| tflags BITCOIN_SPAM_05 net publish |
| |
| meta BITCOIN_SPAM_06 __BITCOIN_ID && TVD_RCVD_SPACE_BRACKET |
| describe BITCOIN_SPAM_06 BitCoin spam pattern 06 |
| score BITCOIN_SPAM_06 1.500 # limit |
| tflags BITCOIN_SPAM_06 publish |
| |
| # 07: To: equals From: (a common spoof shape in extortion mail), no DKIM. |
| meta __BITCOIN_SPAM_07 __BITCOIN_ID && __TO_EQ_FROM |
| meta BITCOIN_SPAM_07 __BITCOIN_SPAM_07 && !__DKIM_EXISTS |
| describe BITCOIN_SPAM_07 BitCoin spam pattern 07 |
| score BITCOIN_SPAM_07 3.500 # limit |
| tflags BITCOIN_SPAM_07 publish |
| |
| meta BITCOIN_SPAM_08 __BITCOIN_ID && __TO_IN_SUBJ |
| describe BITCOIN_SPAM_08 BitCoin spam pattern 08 |
| score BITCOIN_SPAM_08 2.500 # limit |
| tflags BITCOIN_SPAM_08 publish |
| |
| # English "destroy you" or German "deine Zukunft zerstören"; \S{1,3} stands in for |
| # the "ö" so that different encodings of it still match. |
| body __DESTROY_YOU /\b(?:destroy\syou|deine Zukunft zerst\S{1,3}ren)/i |
| |
| meta BITCOIN_SPAM_09 __BITCOIN_ID && ( __DESTROY_ME || __DESTROY_YOU ) |
| describe BITCOIN_SPAM_09 BitCoin spam pattern 09 |
| score BITCOIN_SPAM_09 1.500 # limit |
| tflags BITCOIN_SPAM_09 publish |
| |
| meta BITCOIN_SPAM_10 __BITCOIN_ID && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 ) |
| describe BITCOIN_SPAM_10 BitCoin spam pattern 10 |
| score BITCOIN_SPAM_10 2.500 # limit |
| tflags BITCOIN_SPAM_10 publish |
| |
| meta BITCOIN_SPAM_11 __BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFU |
| describe BITCOIN_SPAM_11 BitCoin spam pattern 11 |
| score BITCOIN_SPAM_11 2.500 # limit |
| tflags BITCOIN_SPAM_11 publish |
| |
| meta BITCOIN_SPAM_12 __BITCOIN_ID && __BOGUS_MIME_HDR_MANY |
| describe BITCOIN_SPAM_12 BitCoin spam pattern 12 |
| score BITCOIN_SPAM_12 2.500 # limit |
| tflags BITCOIN_SPAM_12 publish |
| |
| |
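| # Sextortion / extortion phrase subrules. With ReplaceTags each letter is a <X> tag |
| # (look-alike expansion, tags defined elsewhere) and (?:^|\s) replaces \b because the |
| # expansions may not be word characters; the "else" branch carries the literal |
| # equivalents so every name exists either way. German phrases are included verbatim. |
| ifplugin Mail::SpamAssassin::Plugin::ReplaceTags |
| body __MY_VICTIM /(?:<H><I>|<H><E><L><L><O>),?(?:\s<M><Y>)?\s(?:<V><I><C><T><I><M>|<P><R><E><Y>)/i |
| replace_rules __MY_VICTIM |
| # Fixed: the first alternation previously read <P><U><T><|><S><E><T>; "<|>" is not a |
| # replace tag, so it stayed literal and the "put" / "set up" branches could only match |
| # the text "put<|>set up". The literal fallback below has the intended "put|set\s?up". |
| body __MY_MALWARE /(?:^|\s)(?:(?:<I>(?:'<V><E>|\s<H><A><V><E>)?\s(?:<P><U><T>|<S><E><T>\s?<U><P>|<I><N><S><T><A><L><L><E><D>|<B><U><I><L>(?:<T>|<D>)\s<I><N>|<P><L><A><C><E><D>)\s(?:<A>\s)?|<M><Y>\s(?:<P><E><R><S><O><N><A><L>\s)?)(?:<M><A><L><W><A><R><E>|<V><I><R><U><S>|<S><P><Y>\s?<W><A><R><E>|<T><R><O><J><A><N>|<P><R><O><G><R><A><M>\s<R><E><C><O><R><D><E><D>|<E><X><P><L>(?:<O>|0)<I><T>)|<A><P><P><L><I><C><A><T><I><O><N>[^\.]{1,30}(?:<E><N><A><B><L><E>(?:<D>|<S>)|<A><L><L><O><W>)\s<M><E>\s<T><O>\s(?:<A><C><C><E><S><S>|<C><O><N><T><R><O><L>)|<I>\s(?:<C><O><N><T><A><M><I><N><A><T><E><D>|<I><N><F><E><C><T><E><D>|<H><A><C><K><E><D>|<T><O><X><I><F><I><E><D>|<P><O><I><S><O><N><E><D>)\s(?:<Y><O><U><R>|<T><H><I><S>)\s(?:<M><A><C><H><I><N><E>|<C><O><M><P><U><T><E><R>|<G><A><D><G><E><T>|(?:<S><M><A><R><T>\s?)?<P><H><O><N><E>|<D><E><V><I><C><E>|<E><M><A><I><L>)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|<M><E><I><N>\s<H><I><N><T><E><R><H><A><L><T><I><G><E><S>\s<P><R><O><G><R><A><M>+|<I>\s?<A><M>\s?<A>\s?<H><A><C><K><E><R>|(?:(?:<T><R><O><J><A><N>|<V><I><R><U><S>|<S><P><Y><W><A><R><E>|<M><A><L><W><A><R><E>)\s)+<G><I><V>(?:<E><S>|<I><N><G>)\s<M><E>)[\s\.,]/i |
| replace_rules __MY_MALWARE |
| # Payment demand: "pay/send/transfer me <amount> <currency>" or "pay this bitcoin/monero address". |
| body __PAY_ME /(?:^|\s)(?:<P><A><Y>\s<M><E>|(?:(?:<S><E><N><D>|<T><R><A><N><S><M><I><T>|<G><I><V><E>)\s<M><E>|(?:<S><E><N><D>(?:<E><N>\s<S><I><E>)?|<T><R><A><N><S><F><E><R>)\s(?:<T><H><E>\s<A><M><O><U><N><T>\s<O><F>|<E><X><A><C><T><L><Y>|<G><E><N><A><U>)|<I>\s<W><A><N><T>|<D><E><N>\s<B><E><T><R><A><G>\s<V><O><N>|<P><A><Y><M><E><N><T>\s<O><F>)\s(?:[\d,'.\$£]+\s?(?:<U><S><D>?|<E><U><R>?(?:<O><S>)?|<G><B><P>|<B><T><C>)?|<B><I><T><C><O><I><N>|<B><T><C>)|(?:<M><A><K><E>|<P><E><R><F><O><R><M>|<S><E><N><D>|<T><R><A><N><S><M><I><T>)\s<T><H><E>\s<P><A><Y><M><E><N><T>|<A><M><O><U><N><T>\s<F><O><R>\s<M><Y>\s<S><I><L><E><N><C><E>|(?:<P><A><Y>|<F><U><N><D>)\s<T><H><I><S>\s(?:<B><I><T><C><O><I><N>|<M><O><N><E><R><O>)[-\s](?:<A><D><D><R><E><S><S>|<W><A><L><L><E><T>|<B><R><I><E><F><T><A><S><C><H><E>))[\s\.,]/i |
| replace_rules __PAY_ME |
| body __YOUR_PASSWORD /(?:^|\s)(?:<Y><O><U><R>|(?:<C><H><A><N><G><E>|<M><O><D><I><F><Y>|<U><P><D><A><T><E>|<R><E><S><E><T>|<A><L><T><E><R>|<F><I><X>)\s<T><H><E>)\s(?:<A><C><C><O><U><N><T>\s|<E>-?<M><A><I><L>\s)?(?:<P><A><S><S>[-\s_]?<W><O><R><D>|<P><S><W><D>\s)/i |
| replace_rules __YOUR_PASSWORD |
| body __YOUR_WEBCAM /(?:^|\s)(?:<F><R><O><M>|<Y><O><U><R>|<W><I><T><H>)\s(?:(?:<S><C><R><E><E><N>|<D><E><S><K><T><O><P>)\s<A><N><D>\s|<O><W><N>\s)?(?:<W><E><B>[-\s]?|<F><R><O><N><T>[-\s]?|<N><E><T><W><O><R><K>\s)<C><A><M>/i |
| replace_rules __YOUR_WEBCAM |
| body __YOUR_ONAN /(?:^|\s)(?:<Y><O><U><R>?|<I><H><R><E><R>)\s(?:<M><A><S><T>(?:<U>|<R>){2}<B><A><T><I>(?:<O><N>|<N><G>)(?:<S><V><I><D><E><O>)?|<O><N><A><N><I><S><M>|<S><O><L><I><T><A><R><Y>\s<S><E><X>|<H><A><N><D>\s<F><U><C><K><I><N><G>|<S><E><L><B><S><T><B><E><F><R><I><E><D><I><G><U><N><G>|(?:<P><L><E><A><S><U><R>(?:<E>|<I><N><G>)|<S><A><T><I><S><F><Y>(?:<I><N><G>)?)\s<Y><O><U><R><S><E><L><F>)/i |
| replace_rules __YOUR_ONAN |
| body __YOUR_PERSONAL /(?:^|\s)(?:<Y><O><U><R>\s(?:<P><E><R><S><O><N><A><L>|<P><R><I><V><A><T><E>|<S><O><C><I><A><L>\s<C><O><N><T><A><C><T>|<A><D><D><R><E><S><S>|<F><R><I><E><N><D><S>)\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>|<D><E><T><A><I><L><S>|<B><O><O><K>|<S><E><C><R><E><T><S>)|<A><L><L>\s(?:<O><F>\s)?<Y><O><U><R>\s(?:<F><I><L><E><S>|<C><O><N><T><A><C><T><S>|<S><E><C><R><E><T><S>|<C><O><R><R><E><S><P><O><N><D><E><N><C><E>))[\s\.,]/i |
| replace_rules __YOUR_PERSONAL |
| # Deadline phrasing: "give you / you have (only) N hours|days", "by the end of the day", |
| # "N hours before sending/releasing", "your deadline is". |
| body __HOURS_DEADLINE /(?:^|\s)(?:(?:<G><I><V><E>\s<Y><O><U>|<G><E><B><E>\s<I><H><N><E><N>(?:\s<N><U><R>)?|<Y><O><U>\s(?:<W><I><L><L>\s)?<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?|<W><I><T><H><I><N>)(?:(\s<T><H><E>)?\s(?:<L><A><S><T>|<N><E><X><T>))?\s(?:\d+|<O><N><E>|<T><W><O>|<T><H><R><E><E>)\s?(?:<H><O><U><R><S>?|<H><R>\s?<S>?|<D><A><Y><S>?|<S><T><U><N><D><E><N>)|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\s<H><O><U><R><S>?\s<B><E><F><O><R><E>\s(?:<S><E><N><D><I><N><G>|<R><E><L><E><A><S><I><N><G>|<E><X><P><O><S><I><N><G>|<P><U><B><L><I><S><H><I><N><G>)|(?:<T><H><E>|<Y><O><U><R>)\s<D><E><A><D><L><I><N><E>\s(?:<I><S>|<W><I><L><L>\s<B><E>))/i |
| replace_rules __HOURS_DEADLINE |
| body __EXPLOSIVE_DEVICE /(?:^|\s)(?:<E><X><P><L><O><S><I><V><E>\s<D><E><V><I><C><E>|<B><O><M><B>)\s/i |
| replace_rules __EXPLOSIVE_DEVICE |
| else |
| body __MY_VICTIM /\b(?:hi|hello),?(?:\smy)?\s(?:victim|prey)\b/i |
| body __MY_MALWARE /\b(?:(?:I(?:'ve|\shave)?\s(?:put|set\s?up|installed|buil[td]\sin|placed)\s(?:a\s)?|my\s(?:personal\s)?)(?:malware|virus|spy\s?ware|trojan|program\srecorded|expl[o0]it)|application[^\.]{1,30}(?:enable[sd]|allows)\sme\sto\s(?:access|control)|I\s(?:contaminated|infected|hacked|toxified|poisoned)\s(?:your|this)\s(?:machine|computer|gadget|(?:smart\s?)?phone|device|email)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|mein\shinterhältiges\sProgramm|I\s?am\s?a\s?hacker|(?:(?:trojan|virus|spyware|malware)\s)+giv(?:es|ing)\sme)\b/i |
| body __PAY_ME /\b(?:pay\sme|(?:(?:send|transmit|give)\sme|(?:send(?:en\ssie)?|transfer)\s(?:the\samount\sof|exactly|genau)|I\swant|den\sbetrag\svon|payment\sof)\s(?:[\d,'.\$£]+\s?(?:usd?|eur?(?:os)?|gbp|BTC)?|bitcoin|BTC)|(?:make|perform|send|transmit)\sthe\spayment|amount\sfor\smy\ssilence|(?:pay|fund)\sthis\s(?:bitcoin|monero)[-\s](?:address|wallet|brieftasche))\b/i |
| body __YOUR_PASSWORD /\b(?:your|(?:change|modify|update|reset|alter|fix)\sthe)\s(?:account\s|e-?mail\s)?(?:pass[-\s_]?word|pswd)\b/i |
| body __YOUR_WEBCAM /\b(?:from|your|with)\s(?:(?:screen|desktop)\sand\s|own\s)?(?:web[-\s]?|front[-\s]?|network\s)cam\b/i |
| body __YOUR_ONAN /\b(?:your?|ihrer)\s(?:mast[ur]{2}bati(?:on|ng)(?:svideo)?|onanism|solitary\ssex|hand\sfucking|Selbstbefriedigung|(?:pleasur(?:e|ing)|satisfy(?:ing)?)\syourself)\b/i |
| body __YOUR_PERSONAL /\b(?:your\s(?:personal|private|social\scontact|address|friends)\s(?:info(?:rmation)?|data|details|book|secrets)|all\s(?:of\s)?your\s(?:files|contacts|secrets|correspondence))\b/i |
| body __HOURS_DEADLINE /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i |
| body __EXPLOSIVE_DEVICE /\b(?:explosive\sdevice|bomb)\b/i |
| endif |
| # Three or more distinct extortion indicators (the sum counts each subrule once). |
| # LOCALPART_IN_SUBJECT and __DESTROY_ME are defined elsewhere. |
| meta __EXTORT_MANY (__MY_MALWARE + __PAY_ME + __MY_VICTIM + __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE + __YOUR_PASSWORD + LOCALPART_IN_SUBJECT + __DESTROY_ME + __DESTROY_YOU + __EXPLOSIVE_DEVICE) > 2 |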
| |
| # BITCOIN_EXTORT_01: an address plus three or more extortion indicators. |
| # BITCOIN_EXTORT_02: the same when the address is absent but "bitcoin" is obfuscated. |
| meta BITCOIN_EXTORT_01 __BITCOIN_ID && __EXTORT_MANY |
| describe BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin |
| score BITCOIN_EXTORT_01 5.000 # limit |
| tflags BITCOIN_EXTORT_01 publish |
| |
| meta BITCOIN_EXTORT_02 __OBFU_BITCOIN_NOID && __EXTORT_MANY |
| describe BITCOIN_EXTORT_02 Extortion spam, pay via BitCoin |
| score BITCOIN_EXTORT_02 5.000 # limit |
| tflags BITCOIN_EXTORT_02 publish |
| |
| # Single-indicator rules below exclude BITCOIN_EXTORT_01 so they do not stack on top |
| # of the 5-point rule for the same message. |
| meta BITCOIN_PAY_ME __BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01 |
| describe BITCOIN_PAY_ME Pay me via BitCoin |
| score BITCOIN_PAY_ME 3.000 # limit |
| tflags BITCOIN_PAY_ME publish |
| |
| meta BITCOIN_DEADLINE __BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01 |
| describe BITCOIN_DEADLINE BitCoin with a deadline |
| score BITCOIN_DEADLINE 3.000 # limit |
| tflags BITCOIN_DEADLINE publish |
| |
| meta BITCOIN_YOUR_INFO __BITCOIN_ID && __YOUR_PERSONAL && !BITCOIN_EXTORT_01 |
| describe BITCOIN_YOUR_INFO BitCoin with your personal info |
| score BITCOIN_YOUR_INFO 3.000 # limit |
| tflags BITCOIN_YOUR_INFO publish |
| |
| # Additionally requires the sender not to pass the spoof checks (__NOT_SPOOFED, |
| # defined elsewhere). |
| meta BITCOIN_MALWARE __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED |
| describe BITCOIN_MALWARE BitCoin + malware bragging |
| score BITCOIN_MALWARE 3.500 # limit |
| tflags BITCOIN_MALWARE publish |
| |
| meta BITCOIN_BOMB __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01 |
| describe BITCOIN_BOMB BitCoin + bomb |
| score BITCOIN_BOMB 3.000 # limit |
| tflags BITCOIN_BOMB publish |
| |
| # Monero counterparts of the BITCOIN_* extortion rules; __MONERO is the union of |
| # address, currency label, URI and obfuscated-spelling indicators. |
| meta MONERO_EXTORT_01 __MONERO && __EXTORT_MANY |
| describe MONERO_EXTORT_01 Extortion spam, pay via Monero cryptocurrency |
| score MONERO_EXTORT_01 5.000 # limit |
| tflags MONERO_EXTORT_01 publish |
| |
| meta MONERO_PAY_ME __MONERO && __PAY_ME && !MONERO_EXTORT_01 |
| describe MONERO_PAY_ME Pay me via Monero cryptocurrency |
| score MONERO_PAY_ME 3.000 # limit |
| tflags MONERO_PAY_ME publish |
| |
| meta MONERO_DEADLINE __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01 |
| describe MONERO_DEADLINE Monero cryptocurrency with a deadline |
| score MONERO_DEADLINE 3.000 # limit |
| tflags MONERO_DEADLINE publish |
| |
| meta MONERO_MALWARE __MONERO && __MY_MALWARE && !MONERO_EXTORT_01 |
| describe MONERO_MALWARE Monero cryptocurrency + malware bragging |
| score MONERO_MALWARE 3.500 # limit |
| tflags MONERO_MALWARE publish |
| |
| # Bomb-threat shapes: explosive-device wording plus a freemail Reply-To, or plus an |
| # advance-fee money phrase (__ADVANCE_FEE_*_NEW, defined elsewhere). |
| meta BOMB_FREEM __EXPLOSIVE_DEVICE && __freemail_hdr_replyto |
| describe BOMB_FREEM Bomb + freemail |
| score BOMB_FREEM 2.000 # limit |
| tflags BOMB_FREEM publish |
| |
| meta BOMB_MONEY __EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW || __ADVANCE_FEE_4_NEW || __ADVANCE_FEE_5_NEW ) |
| describe BOMB_MONEY Bomb + money: bomb threat? |
| score BOMB_MONEY 2.500 # limit |
| tflags BOMB_MONEY publish |
| |
| # Malware bragging without a currency indicator; excluded when either extortion |
| # rule already fires. |
| meta __MALWARE_NORDNS __MY_MALWARE && __RDNS_NONE |
| meta MALWARE_NORDNS __MALWARE_NORDNS && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01 |
| describe MALWARE_NORDNS Malware bragging + no rDNS |
| score MALWARE_NORDNS 3.500 # limit |
| tflags MALWARE_NORDNS publish |
| |
| # 100% overlap with __MALWARE_NORDNS |
| #meta __MALWARE_IP_NORDNS __MY_MALWARE && __HELO_MISC_IP && __RDNS_NONE |
| |
| meta __MALWARE_PASSWORD __MY_MALWARE && __PASSWORD |
| meta MALWARE_PASSWORD __MALWARE_PASSWORD && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01 |
| describe MALWARE_PASSWORD Malware bragging + "password" |
| score MALWARE_PASSWORD 3.500 # limit |
| tflags MALWARE_PASSWORD publish |
| |
| |
| |
| #body NUM_FREE /\b\d+free/i |
| #describe NUM_FREE Number + free |
| |
| # seen in spam (malware?) 07/2014 |
| #header __DATE_SPACEY ALL =~ /\nDate:\s{8}/ism |
| |
| #uri __FSL_LINK_AWS_S3_WEB_LOOSE m,^https?://(?:[^./]+\.)*s3[^./]+\.amazonaws\.com,i |
| |
| |
| # URI_DQ_UNSUB: an unsubscribe link whose host is a bare dotted-quad IP address |
| # (any scheme), rather than a hostname. |
| uri __URI_DQ_UNSUB m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i |
| meta URI_DQ_UNSUB __URI_DQ_UNSUB |
| describe URI_DQ_UNSUB IP-address unsubscribe URI |
| tflags URI_DQ_UNSUB publish |
| |
| # URI_GOOGLE_PROXY: content fetched through a googleusercontent.com/proxy/ URL, which |
| # hides the origin host from reputation checks. Guards (defined elsewhere): long |
| # lines, list mail, mail relayed by Google, lowercase From:, mail-host rDNS. |
| uri __URI_GOOGLE_PROXY m;^https?://[^.]+\.googleusercontent\.com/proxy/;i |
| meta URI_GOOGLE_PROXY __URI_GOOGLE_PROXY && !__LONGLINE && !__ML1 && !__FSL_RELAY_GOOGLE && !__FROM_LOWER && !__RCD_RDNS_MAIL |
| describe URI_GOOGLE_PROXY Accessing a blacklisted URI or obscuring source of phish via Google proxy? |
| tflags URI_GOOGLE_PROXY publish |
| |
| |
| # Apparent good performance is an artifact of certain corpora's collection mechanism |
| #meta RPATH_NULL_CTCQ __BOUNCE_RPATH_NULL && __CTYPE_CHARSET_QUOTED && !__VIA_ML && !__SUBJECT_ENCODED_QP && !ANY_BOUNCE_MESSAGE && !__DOS_HAS_LIST_UNSUB && !__TAG_EXISTS_STYLE && !__TAG_EXISTS_STYLE && !__HAS_THREAD_INDEX |
| #score RPATH_NULL_CTCQ 2.000 # limit |
| |
| # TW_GIBBERISH_MANY: raw-body lines made of exactly ten lowercase words and a final |
| # period (no /i, so capitalised words do not count). Hits are counted up to 21 and |
| # the rule needs more than 20, i.e. the cap must be reached. |
| rawbody __TENWORD_GIBBERISH /^\s*(?:[a-z]+\s+){10}\.$/m |
| tflags __TENWORD_GIBBERISH multiple maxhits=21 |
| meta TW_GIBBERISH_MANY __TENWORD_GIBBERISH > 20 |
| describe TW_GIBBERISH_MANY Lots of gibberish text to spoof pattern matching filters |
| score TW_GIBBERISH_MANY 2.000 # limit |
| tflags TW_GIBBERISH_MANY publish |
| |
| #body __OPTOUT_BRKT /\[(?:unsub(?:scribe)|remove(?: me)|leave)\]/i |
| #tflags __OPTOUT_BRKT multiple maxhits=2 |
| #meta OPTOUT_BRKT_MANY __OPTOUT_BRKT > 1 |
| #describe OPTOUT_BRKT_MANY Repetitive opt-outs |
| #score OPTOUT_BRKT_MANY 2.000 # limit |
| |
| |
| # Oh, the humanity! Is there no better way? |
| #full __RECIP_IN_URL_DOM m;^Received:[^:]{1,400}?\sfor\s<(\w+)\@.+?https?://\1\d*\.;ism |
| #describe __RECIP_IN_URL_DOM Recipient in body URL |
| #tflags __RECIP_IN_URL_DOM nopublish |
| |
| |
| |
| # reported on users list 09/2014 jdebert <jdebert@garlic.com> |
| # Two bracketed dotted-quads back to back in a Received: header. |
| header RCVD_DBL_DQ Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/ |
| describe RCVD_DBL_DQ Malformatted message header |
| tflags RCVD_DBL_DQ publish |
| |
| # reported on users list 09/2014 George Johnson <georgejohnson@talaya.net> |
| # Random-looking headers: a hyphenated name (4+3 or 3+4 letters) whose value starts |
| # with a digit, is at least 6 non-space characters, and is hex with optional -/. |
| # separated segments. The leading lookahead excludes well-known header families. |
| # Counted across all headers (maxhits=4); fires on more than three. |
| header __RAND_HEADER ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism |
| tflags __RAND_HEADER multiple maxhits=4 |
| meta RAND_HEADER_MANY __RAND_HEADER > 3 |
| describe RAND_HEADER_MANY Many random gibberish message headers |
| score RAND_HEADER_MANY 3.000 # limit |
| tflags RAND_HEADER_MANY publish |
| |
| |
| #body FR_SPAM_LAW /article 34 de la loi 78-17\b/i |
| #describe FR_SPAM_LAW References French privacy law |
| #score FR_SPAM_LAW 1.000 # limit |
| |
| # Name / phrase subrules consumed outside this section. |
| body __EDGER_HOOVER /\bedger hoover\b/i |
| header __FM_EDGER_HOOVER From =~ /\bedger hoover\b/i |
| |
| body __MYSTERY_SHOPPER /\bmystery shoppers?\b/i |
| |
| header __HAS_NO_RELAY X-No-Relay =~ /./ |
| |
| # DUP_SUSP_HDR: the same suspicious header name appearing twice; the capture group |
| # currently lists only X-No-Relay and the \1 back-reference requires a repeat of it. |
| # No tflags line, so the rule is not published. |
| header __DUP_SUSP_HDR ALL =~ /\n(X-No-Relay)\s*:[ ][^\n]{1,100}\n\1\s*:[ ]/ism |
| meta DUP_SUSP_HDR __DUP_SUSP_HDR |
| describe DUP_SUSP_HDR Duplicate suspicious message headers |
| score DUP_SUSP_HDR 2.500 # limit |
| |
| # seen 10/2014: "https://www.google.com/url?q=https://copy.com/ApbFn2848pQm/ShippingInvoice_6974.PDF.scr?download=1&sa=D&sntz=1&usg=AFQjCNGhvWhljnujQlP85tA6YUsddfuJow" |
| # GOOG_MALWARE_DNLD: a google.com/url redirector whose wrapped target carries a |
| # "download" parameter or path element (the sample above points at a double-extension |
| # .PDF.scr file). Only the download case is scored here. |
| uri __GOOG_MALWARE_DNLD m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&/]download;i |
| meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD |
| describe GOOG_MALWARE_DNLD File download via Google - Malware? |
| score GOOG_MALWARE_DNLD 5.000 # limit |
| tflags GOOG_MALWARE_DNLD publish |
| |
| # Any google.com/url? redirector; subrule for use elsewhere. |
| uri __GOOG_REDIR m;^https?://[^/]*\.google\.com/url\?;i |
| |
| body ONLINE_MKTG_CNSLT /\bonline marketing consultant\b/i |
| |
| body SOLICIT_BIZ /\bbusiness solicitation messag/i |
| |
| body __SPELLED_OUT_NUM /\b(?:(?:one|two|three|four|five|six|seven|eight|nine|zero)[\s_-]?){4,}/i |
| meta SPELLED_OUT_NUMBER __SPELLED_OUT_NUM && !__DKIM_EXISTS |
| describe SPELLED_OUT_NUMBER Spelled out a number (one two three) |
| score SPELLED_OUT_NUMBER 3.000 # limit |
| |
| body __NUM_SPCD_LTRS /\d{4}\s(?:[a-z]\s){5}/i |
| |
| |
| header __SUBJ_UNNEEDED_HTML Subject =~ /%[0-9a-f][0-9a-f]/i |
| tflags __SUBJ_UNNEEDED_HTML multiple maxhits=3 |
| meta __SUBJ_UNNEEDED_HTML_MANY __SUBJ_UNNEEDED_HTML > 1 |
| meta SUBJ_UNNEEDED_HTML __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML |
| describe SUBJ_UNNEEDED_HTML Unneeded HTML formatting in Subject: |
| |
| body __HELP_YOU_SUCCEED /\bhelp you succeed\b/i |
| |
| body __WANT_BIZ /\b(?:I|we) want your business\b/i |
| |
| meta TEQF_USR_MSGID_MALF __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2 |
| describe TEQF_USR_MSGID_MALF To and from user nearly same + malformed message ID |
| tflags TEQF_USR_MSGID_MALF publish |
| |
| meta TEQF_USR_MSGID_HEX __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2 |
| describe TEQF_USR_MSGID_HEX To and from user nearly same + unusual message ID |
| tflags TEQF_USR_MSGID_HEX publish |
| |
| meta TEQF_USR_IMAGE __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH |
| describe TEQF_USR_IMAGE To and from user nearly same + image |
| tflags TEQF_USR_IMAGE publish |
| |
| meta TEQF_USR_POLITE __TO_EQ_FROM_USR_NN && __FRAUD_IRT |
| describe TEQF_USR_POLITE To and from user nearly same + polite greeting |
| score TEQF_USR_POLITE 2.000 # limit |
| |
| meta __MSGID_HEX_MALF __MSGID_NOFQDN2 && __MSGID_OK_HEX |
| |
| meta __URI_ONLY_MSGID_MALF __BODY_URI_ONLY && __MSGID_NOFQDN2 |
| # NOTE(review): the ifplugin/else/endif guards below are commented out, so BOTH |
| # URI_ONLY_MSGID_MALF definitions are read unconditionally. If the later definition |
| # replaces the earlier one (as a rule redefinition normally does), the live rule no |
| # longer references RCVD_IN_DNSWL_LOW and the "tflags ... net" line is stale - confirm |
| # which definition is intended before relying on the net flag. |
| #ifplugin Mail::SpamAssassin::Plugin::DNSEval |
| meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO && !RCVD_IN_DNSWL_LOW |
| tflags URI_ONLY_MSGID_MALF net |
| #else |
| meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO |
| #endif |
| describe URI_ONLY_MSGID_MALF URI only + malformed message ID |
| score URI_ONLY_MSGID_MALF 2.000 # limit |
| tflags URI_ONLY_MSGID_MALF publish |
| |
| # These may be a bit risky: the masscheck ham corpus may not |
| # reflect how often these redirects are legitimate in real life... |
| meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512 |
| describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message |
| tflags GOOG_REDIR_SHORT publish |
| |
| meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE |
| describe GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website + no rDNS |
| |
| meta GOOG_REDIR_HTML_ONLY (__GOOG_REDIR && MIME_HTML_ONLY) && !RDNS_NONE && !__LCL__KAM_BODY_LENGTH_LT_512 |
| describe GOOG_REDIR_HTML_ONLY Google redirect to obscure spamvertised website + HTML only |
| score GOOG_REDIR_HTML_ONLY 2.000 # limit |
| |
| rawbody __LONG_INVIS_DIV /<div\s+style\s*=\s*"(?:visibility\s*:\s*hidden|display\s*:\s*none)\s*">[^<\s]{1400}/i |
| |
| # low S/O, apparently lots of invisible ham... |
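| if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
| rawbody __STY_INVIS /\bstyle\s*=\s*"[^">]{0,80}(?:visibility\s*:\s*hidden\s*;|display\s*:\s*none\s*;)/i |
| tflags __STY_INVIS multiple maxhits=6 |
| meta __STY_INVIS_2 __STY_INVIS > 1 |
| meta __STY_INVIS_3 __STY_INVIS > 2 |
| meta __STY_INVIS_MANY __STY_INVIS > 5 |
| meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX |
| describe HTML_TEXT_INVISIBLE_STYLE HTML hidden text + other spam signs |
| score HTML_TEXT_INVISIBLE_STYLE 3.500 # limit |
| tflags HTML_TEXT_INVISIBLE_STYLE publish |
| |
| meta __LONG_STY_INVIS __STY_INVIS && __LONGLINE |
| # !__RCD_RDNS_MTA_MESSY and !__USING_VERP1 each appeared twice in this expression; |
| # a repeated AND term is a no-op, so the duplicates were dropped (same result). |
| meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV || (__LONG_STY_INVIS && !__UNSUB_LINK && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__RCD_RDNS_MTA && !__MIME_QP && !__HAS_X_MAILER && !__REPTO_QUOTE ) |
| |
| meta __STY_INVIS_DIRECT __STY_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED |
| meta STY_INVIS_DIRECT __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK |
| describe STY_INVIS_DIRECT HTML hidden text + direct-to-MX |
| score STY_INVIS_DIRECT 2.500 # limit |
| |
| else |
| meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV |
| endif |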
| # try it on span tags only... |
| # rawbody __SPAN_INVIS /<span\s[^>]{0,200}style\s*=\s*"[^">]{0,80}(?:visibility\s*:\s*hidden\s*;|display\s*:\s*none\s*;)[^>]{1,200}>\w/i |
| |
| describe LONG_INVISIBLE_TEXT Long block of hidden text - spam scan evasion? |
| score LONG_INVISIBLE_TEXT 3.000 # limit |
| tflags LONG_INVISIBLE_TEXT publish |
| |
| |
| if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
| # Lots of ham uses invisible fonts - WHY? |
| rawbody __FONT_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])|color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w/i |
| tflags __FONT_INVIS multiple maxhits=11 |
| meta __FONT_INVIS_2 __FONT_INVIS > 2 |
| meta __FONT_INVIS_5 __FONT_INVIS > 5 |
| meta __FONT_INVIS_10 __FONT_INVIS > 10 |
| meta __FONT_INVIS_MANY __FONT_INVIS_2 |
| meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID |
| describe HTML_TEXT_INVISIBLE_FONT HTML hidden text - word obfuscation? |
| score HTML_TEXT_INVISIBLE_FONT 2.000 # limit |
| tflags HTML_TEXT_INVISIBLE_FONT publish |
| |
| # Does this hit less ham while still hitting spam? |
| rawbody __WORD_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|in|pc|em|ex|ch|rem|lh|vmax))\s*[;'a-z]|color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w{1,20}</i |
| tflags __WORD_INVIS multiple maxhits=6 |
| meta __WORD_INVIS_5 __WORD_INVIS > 5 |
| |
| meta __FONT_INVIS_LONG_LINE __FONT_INVIS && __LONGLINE |
| meta FONT_INVIS_LONG_LINE __FONT_INVIS_LONG_LINE && !__HTML_SINGLET |
| describe FONT_INVIS_LONG_LINE Invisible text + long lines |
| score FONT_INVIS_LONG_LINE 3.000 # limit |
| tflags FONT_INVIS_LONG_LINE publish |
| |
| meta __FONT_INVIS_NORDNS __FONT_INVIS && __RDNS_NONE |
| meta FONT_INVIS_NORDNS __FONT_INVIS_NORDNS && !__HTML_SINGLET |
| describe FONT_INVIS_NORDNS Invisible text + no rDNS |
| score FONT_INVIS_NORDNS 2.500 # limit |
| tflags FONT_INVIS_NORDNS publish |
| |
| meta FONT_INVIS_POSTEXTRAS (__FONT_INVIS || __STY_INVIS) && __AC_POST_EXTRAS |
| describe FONT_INVIS_POSTEXTRAS Invisible text + suspicious URI |
| score FONT_INVIS_POSTEXTRAS 3.500 # limit |
| tflags FONT_INVIS_POSTEXTRAS publish |
| |
| meta __FONT_INVIS_MSGID __FONT_INVIS && __MSGID_OK_HOST |
| meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP |
| describe FONT_INVIS_MSGID Invisible text + suspicious message ID |
| score FONT_INVIS_MSGID 2.500 # limit |
| tflags FONT_INVIS_MSGID publish |
| |
| # meta __FONT_INVIS_NAKED_TO __FONT_INVIS && __NAKED_TO |
| # meta FONT_INVIS_NAKED_TO __FONT_INVIS_NAKED_TO && !__ML3 && !__HAS_ERRORS_TO |
| # describe FONT_INVIS_NAKED_TO Invisible text + suspicious To |
| # score FONT_INVIS_NAKED_TO 2.500 # limit |
| |
| meta __FONT_INVIS_CENTER __FONT_INVIS && __TAG_EXISTS_CENTER |
| meta __FONT_INVIS_SINGLET __FONT_INVIS && __HTML_SINGLET |
| |
| meta __FONT_INVIS_DIRECT __FONT_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED |
| meta FONT_INVIS_DIRECT __FONT_INVIS_DIRECT && !__UNSUB_LINK && !__HAS_ERRORS_TO && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__URI_DOTGOV && !__NAKED_TO && !__MSGID_OK_HEX |
| describe FONT_INVIS_DIRECT Invisible text + direct-to-MX |
| score FONT_INVIS_DIRECT 3.500 # limit |
| tflags FONT_INVIS_DIRECT publish |
| |
| meta __FONT_INVIS_DOTGOV __FONT_INVIS && __URI_DOTGOV |
| meta FONT_INVIS_DOTGOV __FONT_INVIS_DOTGOV && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__HAS_LIST_ID |
| describe FONT_INVIS_DOTGOV Invisible text + .gov URI |
| score FONT_INVIS_DOTGOV 3.500 # limit |
| tflags FONT_INVIS_DOTGOV publish |
| |
| endif |
| |
| # Adapted from the SARE rule __SARE_HTML_SINGLET |
| rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i |
| tflags __HTML_SINGLET multiple maxhits=21 |
| meta __HTML_SINGLET_10 __HTML_SINGLET > 10 |
| meta __HTML_SINGLET_MANY __HTML_SINGLET > 20 |
| meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP |
| describe HTML_SINGLET_MANY Many single-letter HTML format blocks |
| score HTML_SINGLET_MANY 2.500 # limit |
| tflags HTML_SINGLET_MANY publish |
| |
| meta SINGLETS_LOW_CONTRAST __HTML_SINGLET_MANY && __HTML_FONT_LOW_CONTRAST_MINFP |
| describe SINGLETS_LOW_CONTRAST Single-letter formatted HTML + hidden text |
| tflags SINGLETS_LOW_CONTRAST publish |
| |
| # per users list, 10-11 2014 |
| uri MALWARE_HACKED_URI m;/(?:dropbox|googlebox|bank\w+|newgdoc)/(?:doc(?:ument)?|invoice|message|index)\.php$; |
| describe MALWARE_HACKED_URI Malware or phishing hosted-file URI at hacked webserver |
| |
| uri __HACKED_PHP_URI m;/\w+/(?:doc(?:ument)?|invoice|message)\.php$; |
| meta HACKED_PHP_URI __HACKED_PHP_URI |
| describe HACKED_PHP_URI Possible phishing/malware URI |
| score HACKED_PHP_URI 2.000 # limit |
| |
| # very poor S/O - this appears a lot more in ham than in spam?? |
| #body __PUNCT_ODD_SPACING /[a-z]{3}\s+[.,][a-z]{3}/ |
| #tflags __PUNCT_ODD_SPACING multiple maxhits=3 |
| #meta __PUNCT_ODD_SPACING_MANY __PUNCT_ODD_SPACING > 2 |
| |
| # poor S/O - how is this in ham? |
| #header XMAILER_MANY ALL =~ /\nX-Mailer:(?:[^\n]+\n)+X-Mailer:/ism |
| #describe XMAILER_MANY Has multiple X-Mailer: headers |
| |
| body __RAW_TOKEN_BODY /\#(?:(?:First|Last)Name|Email)\#/i |
| #header __RAW_TOKEN_HDR ALL =~ /\$(?:rand[^$]{0,10})\$/i |
| #tflags __RAW_TOKEN multiple maxhits=3 |
| #meta RAW_TOKENS __RAW_TOKEN > 2 |
| #describe RAW_TOKENS Raw mail merge tokens in body |
| |
| header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i |
| |
| meta __SPOOFED_FREEM_REPTO __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO |
| tflags __SPOOFED_FREEM_REPTO net |
| |
| meta SPOOFED_FREEM_REPTO_CHN (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM |
| describe SPOOFED_FREEM_REPTO_CHN Forged freemail sender with Chinese freemail reply-to |
| score SPOOFED_FREEM_REPTO_CHN 3.500 |
| tflags SPOOFED_FREEM_REPTO_CHN net publish |
| |
| header __REPTO_RUS_FREEM Reply-To =~ /\@mail\.ru/i |
| |
| meta SPOOFED_FREEM_REPTO_RUS (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_RUS_FREEM |
| describe SPOOFED_FREEM_REPTO_RUS Forged freemail sender with Russian freemail reply-to |
| score SPOOFED_FREEM_REPTO_RUS 3.500 |
| tflags SPOOFED_FREEM_REPTO_RUS net publish |
| |
| meta SPOOFED_FREEM_REPTO __SPOOFED_FREEM_REPTO && !__AC_TINY_FONT && !__HAS_IN_REPLY_TO && !__HAS_THREAD_INDEX |
| describe SPOOFED_FREEM_REPTO Forged freemail sender with freemail reply-to |
| score SPOOFED_FREEM_REPTO 2.500 |
| tflags SPOOFED_FREEM_REPTO net publish |
| |
| |
| #header __VERY_LONG_REPTO Reply-To =~ /[^<\s\@]{25,}\@/ |
| #meta __VERY_LONG_REPTO_SHORT_MSG __VERY_LONG_REPTO && __HTML_LENGTH_0000_1024 |
| #meta VERY_LONG_REPTO_SHORT_MSG __VERY_LONG_REPTO_SHORT_MSG && !__VIA_ML && !__TO_EQ_FROM_DOM && !__THREAD_INDEX_GOOD |
| #describe VERY_LONG_REPTO_SHORT_MSG Very long Reply-To username + short message |
| #score VERY_LONG_REPTO_SHORT_MSG 2.500 # limit |
| #tflags VERY_LONG_REPTO_SHORT_MSG publish |
| # |
| #ifplugin Mail::SpamAssassin::Plugin::FreeMail |
| # meta __VERY_LONG_FREEM_REPTO __VERY_LONG_REPTO && FREEMAIL_REPLYTO |
| # meta VERY_LONG_FREEM_REPTO __VERY_LONG_FREEM_REPTO |
| # describe VERY_LONG_FREEM_REPTO Very long freemail Reply-To username |
| # score VERY_LONG_FREEM_REPTO 2.500 # limit |
| # tflags VERY_LONG_FREEM_REPTO publish |
| #endif |
| |
| # for <steve.stewart@fastnet.co.uk>; Mon, 2 Nov 2015 14:27:08 GMT |
| # (envelope-from fastnet.co.uk.12056010.steve.stewart@vmta27.topreasonstovisit.com) |
| # S/O is low; this seems to be common in legitimate mailing lists. |
| # Maybe combine it in a meta rule with the "not a mailing list" rules? |
| #header __RECIP_IN_ENV_FM_01 Received =~ /for\s+<([^\@]+)\@([^>]+)>.*envelope-from\s+\2\.\d+\.\1\@/i |
| #header __RECIP_IN_ENV_FM_02 Received =~ /for\s+<([^\@]+)\@([^>]+)>.*envelope-from\s+[^@]*\2[^@]*\@/i |
| |
| |
| uri URI_MALWARE_CWALL /\/abuse_report\.php\?(?!username=)[^&\s.]{1,100}\./i |
| describe URI_MALWARE_CWALL Potential CryptoWall malware URL |
| |
| |
| meta __LIST_PARTIAL_SHORT_MSG __HTML_LENGTH_0000_1024 && __LIST_PARTIAL |
| meta LIST_PARTIAL_SHORT_MSG __LIST_PARTIAL_SHORT_MSG && !__DKIM_EXISTS |
| describe LIST_PARTIAL_SHORT_MSG Incomplete mailing list headers + short message |
| score LIST_PARTIAL_SHORT_MSG 2.500 # limit |
| |
| # duplicates __HAS_MSMAIL_PRI |
| #header __FH_HAS_XMSMAIL exists:X-MSMail-Priority |
| |
| meta __BOGUS_MSM_HDRS __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX |
| meta BOGUS_MSM_HDRS __BOGUS_MSM_HDRS |
| describe BOGUS_MSM_HDRS Apparently bogus Microsoft email headers |
| score BOGUS_MSM_HDRS 3.000 # limit |
| tflags BOGUS_MSM_HDRS publish |
| |
| #meta __BOGUS_MSM_PRIO __HAS_MSMAIL_PRI && __HDR_ORDER_FTSDMCXXXX |
| #meta __BOGUS_MSM_PRIO_MINFP __BOGUS_MSM_PRIO && !__BOGUS_MSM_HDRS && !__MSGID_NOFQDN2 && !__ANY_OUTLOOK_MUA && !__RCD_RDNS_MAIL_MESSY |
| |
| meta __MSM_PRIO_REPTO __HAS_MSMAIL_PRI && __HAS_REPLY_TO && __SUBJ_SHORT |
| meta MSM_PRIO_REPTO __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH |
| describe MSM_PRIO_REPTO MSMail priority header + Reply-to + short subject |
| score MSM_PRIO_REPTO 2.500 # limit |
| tflags MSM_PRIO_REPTO publish |
| |
| header __XM_YAMAIL X-Mailer =~ /^Yamail/ |
| |
| |
| # __GATED_THROUGH_RCVD_REMOVER includes messages with no Received headers *at all*. |
| # Don't consider those; only consider the ones where *some* Received headers may have been removed. |
| meta __RCVD_RMV_PARTIAL __GATED_THROUGH_RCVD_REMOVER && __HAS_RCVD |
| |
| # Compare __GATED_THROUGH_RCVD_REMOVER and "via ezmlm" |
| header __ML_EZMLM Mailing-List =~ /\bezmlm\b/ |
| |
| |
| # NOTE(review): this is a header-only test - Content-Type is set by the sender, so any |
| # message can claim to be encrypted and collect the negative score below without the |
| # body actually being encrypted. Original open question: easy for spammers to forge an |
| # encrypted/signed-looking message and still have it displayed to the recipient? |
| #header KHOP_ENCRYPTED_CONTENT Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/ |
| header __CT_ENCRYPTED Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/ |
| meta ENCRYPTED_MESSAGE __CT_ENCRYPTED |
| describe ENCRYPTED_MESSAGE Message is encrypted, not likely to be spam |
| score ENCRYPTED_MESSAGE -1.000 |
| tflags ENCRYPTED_MESSAGE nice publish |
| |
| |
| #body __PHONE_GIBBERISH_01 /(?:\b\d\d\d-\d\d\d-\d\d\d\d\s+[a-z][^\d\s:.]+\s+){15}/ |
| |
| header __HAS_GMX_BULK exists:X-Gmx-Bulk |
| |
| ifplugin Mail::SpamAssassin::Plugin::HTMLEval |
| body __HTML_TAG_BALANCE_CENTER eval:html_tag_balance('center', '!= 0') |
| meta HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY |
| describe HTML_TAG_BALANCE_CENTER Malformatted HTML |
| endif |
| |
| |
| # more random garbage message headers 01/2016 |
| header __HDR_CASE_REVERSED ALL =~ /^(?!DomainKey)[^-:\s]*[a-z][A-Z]/m |
| tflags __HDR_CASE_REVERSED multiple maxhits=4 |
| meta __HDR_CASE_REV_MANY (__HDR_CASE_REVERSED > 3) |
| |
| meta HDR_CASE_REV_MANY __HDR_CASE_REV_MANY |
| describe HDR_CASE_REV_MANY Multiple malformed (possibly random gibberish) message headers |
| score HDR_CASE_REV_MANY 2.000 # limit |
| |
| meta HDR_CASE_REV_ENC __HDR_CASE_REVERSED && (__FROM_ENCODED_B64 || __TVD_SPACE_ENCODED ) |
| describe HDR_CASE_REV_ENC Malformed (possibly random gibberish) message header + suspicious encoding |
| score HDR_CASE_REV_ENC 2.000 # limit |
| |
| meta HDR_CASE_REV_HELO_IP __HDR_CASE_REVERSED && __HELO_MISC_IP |
| describe HDR_CASE_REV_HELO_IP Malformed (possibly random gibberish) message header + IP in HELO |
| score HDR_CASE_REV_HELO_IP 2.000 # limit |
| |
| |
| |
| header __HAS_CAMPAIGN exists:X-Campaign |
| header __HAS_CAMPAIGNID exists:X-Campaignid |
| header __HAS_CID exists:X-CID |
| header __HAS_XM_LID exists:X-Mailer-LID |
| header __HAS_XM_RECPTID exists:X-Mailer-RecptId |
| header __HAS_XM_SID exists:X-Mailer-SID |
| header __HAS_XM_SENTBY exists:X-Mailer-Sent-By |
| header __HAS_DOMAINKEY_SIG exists:DomainKey-Signature |
| header __HAS_PHP_SCRIPT exists:X-PHP-Script |
| header __HAS_PHP_ORIG_SCRIPT exists:X-PHP-Originating-Script |
| |
| header __FROM_WORDY From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/ |
| #header __FROM_WORDY From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+(?<!Customer\.S(?:ervice|upport))\@/ |
| header __FROM_WORDY_3 From:addr =~ /(?:(?:[A-Z][A-Za-z]+|or|&)\.){2,}[A-Z][A-Za-z]+\@/ |
| |
| # __FROM_WORDY's S/O is now very poor (a ham sign? :) ); don't score it even with FP avoidance |
| #meta __FROM_WORDY_SONLY __FROM_WORDY && (__XPRIO_MINFP || __TO_NO_BRKTS_MSFT || __FILL_THIS_FORM_SHORT || __HAS_MSMAIL_PRI || DEAR_FRIEND || __TO_NO_BRKTS_FROM_MSSP || FREEMAIL_REPLYTO ) |
| #meta FROM_WORDY ((__FROM_WORDY_SONLY && !__DKIM_EXISTS) || __FROM_WORDY_3) && !__HAS_TNEF && !__USING_VERP1 && !__HAS_THREAD_INDEX && !__HAS_LIST_ID && !__RCD_RDNS_MTA && !__RCD_RDNS_MX |
| #describe FROM_WORDY From address looks like a sentence |
| #score FROM_WORDY 2.500 # limit |
| #tflags FROM_WORDY publish |
| # |
| #meta FROM_WORDY_SHORT ((__FROM_WORDY_SONLY || __FROM_WORDY_3) && __HTML_LENGTH_0000_1024) && !__HAS_TNEF && !__USING_VERP1 |
| #describe FROM_WORDY_SHORT From address looks like a sentence + short message |
| #score FROM_WORDY_SHORT 2.500 # limit |
| #tflags FROM_WORDY_SHORT publish |
| |
| meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT |
| describe PHP_SCRIPT Sent by PHP script |
| score PHP_SCRIPT 2.500 # limit |
| tflags PHP_SCRIPT publish |
| |
| meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA |
| describe PHP_SCRIPT_MUA Sent by PHP script, no version number |
| score PHP_SCRIPT_MUA 2.000 # limit |
| tflags PHP_SCRIPT_MUA publish |
| |
| meta __PHP_SCRIPT_MIMENEEDED __HAS_PHP_SCRIPT && __FROM_NEEDS_MIME |
| |
| meta __PHP_ORIG_SCRIPT_SONLY __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B) |
| meta PHP_ORIG_SCRIPT __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO && !__MSGID_BEFORE_RECEIVED && !MSGID_FROM_MTA_HEADER |
| describe PHP_ORIG_SCRIPT Sent by bot & other signs |
| score PHP_ORIG_SCRIPT 2.500 # limit |
| tflags PHP_ORIG_SCRIPT publish |
| |
| # noted 5/26/2016 on list by RW |
| header __PHP_ORIG_SCRIPT_EVAL X-PHP-Originating-Script =~ /\beval\b.*\bcode\b/i |
| meta PHP_ORIG_SCRIPT_EVAL __PHP_ORIG_SCRIPT_EVAL |
| describe PHP_ORIG_SCRIPT_EVAL From suspicious PHP source |
| score PHP_ORIG_SCRIPT_EVAL 3.000 # limit |
| |
| |
| #header __FROM_AUTHORITY_COMPANY From:name =~ /\b(?:court|fed-?ex|dhl|e-?zpass|invoice)\b/i |
| #meta __PHP_MALWARE_ATTACH __HAS_PHP_SCRIPT && __FROM_AUTHORITY_COMPANY && __ZIP_ATTACH_MT |
| |
| meta __XMSID __HAS_XM_SID && !__CTYPE_MULTIPART_MIXED |
| meta __XMSID_SONLY __HAS_XM_SID && (INVALID_MSGID || __XPRIO || __HAS_X_MAILER) |
| |
| header __UNSUB_MAILTO_BOGUS List-Unsubscribe =~ /mailto:[^@">]*[?">]/i |
| |
| meta __MIMEOLE_DIRECT_TO_MX __HAS_MIMEOLE && __DOS_DIRECT_TO_MX |
| meta MIMEOLE_DIRECT_TO_MX __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS |
| describe MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX |
| score MIMEOLE_DIRECT_TO_MX 2.000 # limit |
| tflags MIMEOLE_DIRECT_TO_MX publish |
| |
| |
| # suggested 9/2016 by ChipM in personal email |
| # would be a LOT nicer if rules could use other rules' captures |
| # terrible S/O |
| #full __FROM_FULLN_URL m;^From:\s+"?([a-z]+)\s([a-z]+)\b.*?https?://[^/]+/\1[_.]\2\b;ism |
| #meta FROM_FULLN_URL __FROM_FULLN_URL && !__THREADED |
| #describe FROM_FULLN_URL From address full name is in body URL - possible phishing |
| #score FROM_FULLN_URL 2.000 # limit |
| |
| # warning: __SUBJECT_EMPTY is also true if the Subject header is entirely missing... |
| header __SUBJECT_EMPTY Subject:raw =~ /^\s*$/ |
| meta __SUBJECT_PRESENT_EMPTY __HAS_SUBJECT && __SUBJECT_EMPTY |
| |
| body __BAYES_POISON_NUMS_01 /\s([0-9]{6,})\s(?:.{15,}?\s\1\s){10}/ |
| |
| |
| rawbody __SPAMTOOL_GOOF_01 /^: SMTPHEADER_REPLYTO\#$/m |
| |
| |
| if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
| body __PHOTO_RETOUCHING /\b(?:(?:retouching|(?:image|photo|pic)s? (?:[a-z]{1,15} ){0,3}(?:edit(?:ing|ors)|team|(?:cut+|mask|clip+|clean|crop+|resiz|enhanc|etch)ing|cut+(?:ing)?[-\s]?out|enhancement|manipulation|restoration|compositing|working|(?:color|contrast|brightnes+|background|make-?up) (?:cor+ection|change)|solution|work|services?)|(?<!that\s)(?<!\.\s)your (?:imag(?:es|ing)|pics)|photo\s?shop (?:expert|service)s?|(?:deliver (?:the|your) |(?:(?:send|throw|ship|drop|deliver|give|provide|e-?mail) us|(?:cut+(?:ing)?[-\s]?out|masking|(?:test|edit)(?:ing)?) (?:for|of|on|with)) (?:(?:an?|one|your|some|sample|test|example|the) )+)(?:image|photo|pic)s?|(?:proces+|edit)(?:\sover|\smore th[ae]n)? \d{2,5}\D? (?:image|photo|pic)s|improv(?:e|ing) (?:(?:image|photo|picture|pic) (?:quality|lighting)|(?:(?:image|photo|picture|pic) )?(?:resolution|contrast|background|color))|cor+ecting (?:color|contrast|brightnes+|background))\b|(?:e-?com+erce|website|jew[el]+r(?:[y's]+|ies)|model+(?:s|ing)?|products?|portraits?|graduation['s]*|school['s]*|bab(?:[y's]+|ies)|famil(?:[y's]+|ies)|kids|wedding|beauty|glamou?r|catalog['s]*|store['s]*|shop['s]*|(?:cut+(?:ing)?[-\s]?out|clip+ing\spath|(?:all|any) kinds? of|enhance|retouch|edit(?:ing)?)[,;]?(?:\s[a-z]{1,15}){0,4})\s(?:image|photo|pic)s?(?:[.,?]|$|\sand\b|\sor\b|\setc\b)|\b(?:imag(?:es|ing)|photos)\s\d+$)/i |
| tflags __PHOTO_RETOUCHING multiple maxhits=5 |
| meta PHOTO_EDITING_FREEM __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) |
| describe PHOTO_EDITING_FREEM Image editing service, freemail or CHN replyto |
| score PHOTO_EDITING_FREEM 3.750 # limit |
| |
| meta PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF |
| describe PHOTO_EDITING_DIRECT Image editing service, direct to MX |
| score PHOTO_EDITING_DIRECT 3.000 # limit |
| endif |
| |
| ## not performing well in masscheck |
| #if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
| # body __GENERATE_LEADS /\b(?:new (?:customer|client)s|(?:customer|client|business|new) leads|y?our marketing|(?:marketing|ad(?:vertising)) services?)\b/i |
| # tflags __GENERATE_LEADS multiple maxhits=5 |
| # meta __GENERATE_LEADS_1 __GENERATE_LEADS > 1 # for masscheck analysis |
| # meta __GENERATE_LEADS_2 __GENERATE_LEADS > 2 # for masscheck analysis |
| # meta __GENERATE_LEADS_3 __GENERATE_LEADS > 3 # for masscheck analysis |
| # meta __GENERATE_LEADS_4 __GENERATE_LEADS > 4 # for masscheck analysis |
| # meta __GENERATE_LEADS_MINFP __GENERATE_LEADS && !__RCD_RDNS_MTA && !__RCD_RDNS_MTA_MESSY && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY |
| # |
| # meta MARKETING_FREEM __GENERATE_LEADS_MINFP && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) |
| # describe MARKETING_FREEM Marketing service, freemail or CHN replyto |
| # score MARKETING_FREEM 3.500 # limit |
| # |
| # meta MARKETING_SHORT __GENERATE_LEADS_MINFP && __LCL__KAM_BODY_LENGTH_LT_1024 |
| # describe MARKETING_SHORT Marketing service, short message |
| # score MARKETING_SHORT 3.500 # limit |
| # |
| # meta MARKETING_NO_RDNS __GENERATE_LEADS_MINFP && __RDNS_NONE |
| # describe MARKETING_NO_RDNS Marketing service, no RDNS |
| # score MARKETING_NO_RDNS 3.500 # limit |
| #endif |
| |
| meta HDR_ORDER_FTSDMCXX_DIRECT (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML |
| describe HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX |
| score HDR_ORDER_FTSDMCXX_DIRECT 2.000 # limit |
| tflags HDR_ORDER_FTSDMCXX_DIRECT publish |
| |
| meta HDR_ORDER_FTSDMCXX_NORDNS (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED |
| describe HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS |
| score HDR_ORDER_FTSDMCXX_NORDNS 3.500 # limit |
| tflags HDR_ORDER_FTSDMCXX_NORDNS publish |
| |
| body __UNICODE_OBFU_URI_DOM /[0-9a-z]{3,10}(?:\xe3\x80\x82|\xe7\x82\xb9)(?:c[o0]m|net|inf[o0]|biz|cn)\b/i |
| meta UNICODE_OBFU_DOM_NO_BODY __UNICODE_OBFU_URI_DOM && __EMPTY_BODY |
| score UNICODE_OBFU_DOM_NO_BODY 3.750 # limit |
| describe UNICODE_OBFU_DOM_NO_BODY Unicode/chinese obfuscated domain + no body |
| |
| #header __REPTO_MULTI_ADDR Reply-To:addr =~ /,/ |
| #meta MULTI_REPTO_NO_RDNS __REPTO_MULTI_ADDR && __RDNS_NONE && !__DOS_HAS_LIST_UNSUB |
| #score MULTI_REPTO_NO_RDNS 2.500 # limit |
| #describe MULTI_REPTO_NO_RDNS Multiple Reply-to addresses + no RDNS |
| |
| #uri __URI_PHP_LOGIN /\blogin\.php/i |
| |
| meta __FREEM_FRNUM_UNICD_EMPTY FREEMAIL_FROM && __FROM_ALL_NUMS && __FROM_ENCODED_B64 && __SUBJECT_ENCODED_B64 && __EMPTY_BODY |
| header __SUB_END_NUMSCOM Subject =~ /[0-9]{6,}[-\s]?c[-\s]?[o0][-\s]?m$/i |
| |
| #meta FREEM_FRNUM_UNICD_EMPTY __FREEM_FRNUM_UNICD_EMPTY && !__SUB_END_NUMSCOM |
| meta FREEM_FRNUM_UNICD_EMPTY __FREEM_FRNUM_UNICD_EMPTY |
| describe FREEM_FRNUM_UNICD_EMPTY Numeric freemail From address, unicode From name and Subject, empty body |
| score FREEM_FRNUM_UNICD_EMPTY 3.750 # limit |
| tflags FREEM_FRNUM_UNICD_EMPTY publish |
| |
| #meta FREEM_FRNUM_EMPTY_NUMSCOM __FREEM_FRNUM_UNICD_EMPTY && __SUB_END_NUMSCOM |
| #describe FREEM_FRNUM_EMPTY_NUMSCOM Numeric freemail From address, unicode From name and Subject, empty body, obfuscated domain name |
| #score FREEM_FRNUM_EMPTY_NUMSCOM 2.500 # limit |
| |
| |
| # masscheck just doesn't see this one for some reason |
| #rawbody __JS_HTML_OBFU_01 /\bdocument\.write\('(?:\\u00[0-9a-f]{2}){30}/i |
| |
| |
| # very little spam in corpus even though they are bombarding *me* with it |
| header __SUBJ_USB_DRIVES Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/ |
| meta USB_DRIVES __SUBJ_USB_DRIVES |
| describe USB_DRIVES Trying to sell custom USB flash drives |
| score USB_DRIVES 2.000 # limit |
| tflags USB_DRIVES publish |
| |
| #header __SUBJ_YOUR_LOGO Subject =~ /\b(?:with|having) your logos?\b/i |
| #header __SUBJ_CUSTOM_WITH_LOGO Subject =~ /^(?=.*\bcustom\b).*(?:printed |with )+(?:your )?logos?\b/i |
| |
| full __FROM_NAME_IN_MSG /^From:\s+([^<]\S+\s\S+)\s(?=.{1,2048}^\1\r?$)/sm |
| meta FRNAME_IN_MSG_XPRIO_NO_SUB (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS && !__SUBJ_NOT_SHORT && !ALL_TRUSTED |
| describe FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short or no subject |
| score FRNAME_IN_MSG_XPRIO_NO_SUB 2.500 # limit |
| tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish |
| |
| meta __FRNAME_IN_MSG_XPRIO (__FROM_NAME_IN_MSG && __XPRIO && !(__SUBJECT_EMPTY || __SUBJ_SHORT)) |
| #describe FRNAME_IN_MSG_XPRIO From name in message + X-Priority |
| #score FRNAME_IN_MSG_XPRIO 2.500 # limit |
| #tflags FRNAME_IN_MSG_XPRIO publish |
| |
| meta __FRNAME_IN_MSG_NO_SUBJ (__FROM_NAME_IN_MSG && (__SUBJECT_EMPTY || __SUBJ_SHORT) && !__XPRIO) |
| #describe FRNAME_IN_MSG_NO_SUBJ From name in message + short or no subject |
| #score FRNAME_IN_MSG_NO_SUBJ 2.500 # limit |
| #tflags FRNAME_IN_MSG_NO_SUBJ publish |
| |
| |
| rawbody __HTTP_REFRESH /<meta\s[^>]{0,200}"refresh"/ism |
| tflags __HTTP_REFRESH publish |
| |
| meta RATWARE_NO_RDNS __RATWARE_BOUND_A && __RDNS_NONE && __MIME_HTML && __MISSING_REF |
| describe RATWARE_NO_RDNS Suspicious MsgID and MIME boundary + no rDNS |
| score RATWARE_NO_RDNS 3.000 # limit |
| |
| meta BAT_BDRY_TO_MALF __BAT_BOUNDARY && __TO_NO_ARROWS_R |
| describe BAT_BDRY_TO_MALF Bat boundary + misformatted To: address |
| score BAT_BDRY_TO_MALF 2.500 # limit |
| |
| meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO |
| describe IMG_ONLY_FM_DOM_INFO HTML image-only message from .info domain |
| score IMG_ONLY_FM_DOM_INFO 2.500 # limit |
| tflags IMG_ONLY_FM_DOM_INFO publish |
| |
| meta NO_FM_NAME_IP_HOSTN (__KHOP_NO_FULL_NAME && __IP_IN_RELAY) && !__DOS_RELAYED_EXT |
| describe NO_FM_NAME_IP_HOSTN No From name + hostname using IP address |
| score NO_FM_NAME_IP_HOSTN 2.500 # limit |
| tflags NO_FM_NAME_IP_HOSTN publish |
| |
| header FROM_NUMERIC_TLD From:addr =~ /\.\d+$/ |
| describe FROM_NUMERIC_TLD From: address has numeric TLD |
| score FROM_NUMERIC_TLD 3.000 # limit |
| |
| header __RDNS_NUMERIC_TLD X-Spam-Relays-External =~ /\srdns=\S+\.\d+\s/ |
| header __RDNS_NUMERIC_TLD_NODQ X-Spam-Relays-External =~ /\srdns=(?!\d+\.\d+\.\d+\.\d+\s)\S+\.\d+\s/ |
| |
| meta RDNS_NUM_TLD_XM __RDNS_NUMERIC_TLD && (__HAS_XM_SID || __HAS_XM_LID || __HAS_XM_RECPTID || __HAS_XM_SENTBY) |
| describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious headers |
| score RDNS_NUM_TLD_XM 3.000 # limit |
| tflags RDNS_NUM_TLD_XM publish |
| |
| meta RDNS_NUM_TLD_ATCHNX __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT |
| describe RDNS_NUM_TLD_ATCHNX Relay rDNS has numeric TLD + suspicious attachment |
| score RDNS_NUM_TLD_ATCHNX 3.000 # limit |
| tflags RDNS_NUM_TLD_ATCHNX publish |
| |
| meta MALF_HTML_B64 MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG |
| describe MALF_HTML_B64 Malformatted base64-encoded HTML content |
| score MALF_HTML_B64 3.500 # limit |
| tflags MALF_HTML_B64 publish |
| |
| meta TO_NAME_SUBJ_NO_RDNS LOCALPART_IN_SUBJECT && __RDNS_NONE |
| describe TO_NAME_SUBJ_NO_RDNS Recipient username in subject + no rDNS |
| score TO_NAME_SUBJ_NO_RDNS 3.000 # limit |
| tflags TO_NAME_SUBJ_NO_RDNS publish |
| |
| if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
| # more-precise version of __OBFUSCATING_COMMENT_A |
| rawbody __HTML_SHRT_CMNT_OBFU /\w<!--\s*\w+\s*-->\w/ |
| tflags __HTML_SHRT_CMNT_OBFU multiple maxhits=10 |
| meta __HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU > 5 && HTML_MESSAGE |
| meta HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU_MANY |
| describe HTML_SHRT_CMNT_OBFU_MANY Obfuscation with many short HTML comments |
| score HTML_SHRT_CMNT_OBFU_MANY 2.500 # limit |
| tflags HTML_SHRT_CMNT_OBFU_MANY publish |
| endif |
| |
| header __FROM_ADDR_WS From:addr =~ /\s/ |
| meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL |
| describe FROM_ADDR_WS Malformed From address |
| score FROM_ADDR_WS 3.000 # limit |
| tflags FROM_ADDR_WS publish |
| |
| header __XM_MSWINLIVE X-Mailer =~ /^Microsoft Windows Live Mail \d+\.\d+\.\d+\.\d+/ |
| header __XM_IPADMAIL X-Mailer =~ /^iPad Mail \([0-9A-F]{4,8}\)/ |
| header __XM_IPHONEMAIL X-Mailer =~ /^iPhone Mail \([0-9A-F]{4,8}\)/ |
| |
| meta __ANY_EXTERNAL __FSL_COUNT_EXTERN > 0 |
| |
| |
| # Guarded by feature_bug6558_free; presumably because of the ">" count comparison below. |
| if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
| # "business/e-mail/your/marketing/advertising" followed by "s a l e s", "l e a d s" or |
| # "c a m p a i g n" with optional single spaces between the letters.  The negative |
| # lookahead drops the normally spelled words so only the gapped spelling hits. |
| body __GAPPY_SALES_LEADS /\b(?:business|e?-?mail|your|marketing|advertising)\s(?!sales|leads|campaign)(?:s\s?a\s?l\s?e\s?s|l\s?e\s?a\s?d\s?s|c\s?a\s?m\s?p\s?a\s?i\s?g\s?n)\b/i |
| tflags __GAPPY_SALES_LEADS multiple maxhits=3 |
| # three or more gapped phrases (cap is 3, so this means "hit the cap") |
| meta __GAPPY_SALES_LEADS_MANY __GAPPY_SALES_LEADS > 2 |
| # ... combined with a freemail or CHN reply-to (both subrules defined elsewhere) |
| meta GAPPY_SALES_LEADS_FREEM __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) |
| describe GAPPY_SALES_LEADS_FREEM Obfuscated marketing text, freemail or CHN replyto |
| score GAPPY_SALES_LEADS_FREEM 3.500 # limit |
| tflags GAPPY_SALES_LEADS_FREEM publish |
| endif |
| |
| |
| # Guarded by feature_bug6558_free; presumably because of the ">" count comparison below. |
| if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
| # Phrases typical of unsolicited app-development pitches ("app development", |
| # "we have built over 200 apps", "we are a leading software company", ...). |
| # NOTE(review): the `(?:we |can |have )+` and `[\s0-9]+` quantifiers can backtrack on |
| # long runs of digits/whitespace; confirm scan time is acceptable on large bodies. |
| body __APP_DEVELOPMENT /\b(?:mobile apps|(?:apps?|portal) (?:dev(?:elop(?:ment|ed))?|design|test(?:ing)?|U[IX]|maintenance|support)|(?:we |can |have )+(?:design(?:ed)?|buil[dt]|maintain(?:ed)?|created?)(?: over| more than)?[\s0-9]+apps|different platforms|we are (?:[-a-z]+ ){1,4}(?:software|apps?) (?:company|develop(?:ers|ment)))\b/i |
| tflags __APP_DEVELOPMENT multiple maxhits=6 |
| # six or more distinct phrases (the cap) |
| meta __APP_DEVELOPMENT_MANY __APP_DEVELOPMENT > 5 |
| |
| # many phrases + freemail or CHN reply-to (subrules defined elsewhere) |
| meta APP_DEVELOPMENT_FREEM __APP_DEVELOPMENT_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) |
| describe APP_DEVELOPMENT_FREEM App development pitch, freemail or CHN replyto |
| score APP_DEVELOPMENT_FREEM 3.500 # limit |
| tflags APP_DEVELOPMENT_FREEM publish |
| |
| # a single phrase is enough here, but only when the relay has no rDNS |
| meta APP_DEVELOPMENT_NORDNS __APP_DEVELOPMENT && __RDNS_NONE |
| describe APP_DEVELOPMENT_NORDNS App development pitch, no rDNS |
| score APP_DEVELOPMENT_NORDNS 2.000 # limit |
| tflags APP_DEVELOPMENT_NORDNS publish |
| endif |
| |
| # Guarded by feature_bug6558_free; presumably because of the ">" count comparisons below. |
| if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
| # Zero-width characters spliced into otherwise ordinary text, matched as raw UTF-8 |
| # bytes: \xe2\x80\x8b/\x8c/\x8d are U+200B/U+200C/U+200D (zero-width space / |
| # non-joiner / joiner) and \xef\xbb\xbf is U+FEFF (BOM / zero-width no-break space); |
| # the lone \x9d byte is presumably a mis-decoded form of one of those.  Two such |
| # runs within a short span of alphanumerics are required. |
| body __UNICODE_OBFU_ZW /[a-z0-9\s](?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+[a-z0-9\s]/i |
| tflags __UNICODE_OBFU_ZW multiple maxhits=10 |
| # count thresholds used by the rules below and possibly elsewhere |
| meta __UNICODE_OBFU_ZW_2 __UNICODE_OBFU_ZW > 1 |
| meta __UNICODE_OBFU_ZW_3 __UNICODE_OBFU_ZW > 2 |
| meta __UNICODE_OBFU_ZW_5 __UNICODE_OBFU_ZW > 4 |
| meta __UNICODE_OBFU_ZW_10 __UNICODE_OBFU_ZW > 9 |
| # two or more hits, minus the usual legitimate-bulk-mail markers (list-id, VERP, |
| # unsubscribe headers, DKIM signature, known relay rDNS patterns; defined elsewhere) |
| meta UNICODE_OBFU_ZW __UNICODE_OBFU_ZW_2 && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL_MESSY && !__DOS_HAS_LIST_ID && !__USING_VERP1 && !__DOS_HAS_LIST_UNSUB && !__RCD_RDNS_SMTP && !__DKIM_EXISTS |
| describe UNICODE_OBFU_ZW Obfuscating text with hidden characters |
| score UNICODE_OBFU_ZW 3.500 # limit |
| tflags UNICODE_OBFU_ZW publish |
| |
| # Cyrillic look-alikes of Latin letters mixed into ASCII words: \xd0\xb0 = U+0430 (а), |
| # \xd0\xb5 = U+0435 (е), \xd0\xbe = U+043E (о), \xd1\x80 = U+0440 (р), \xd1\x81 = U+0441 (с). |
| body __UNICODE_OBFU_ASC /[a-z0-9\s](?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9]{1,8}(?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9\s]/i |
| tflags __UNICODE_OBFU_ASC multiple maxhits=10 |
| # ten hits (the cap); not used by the published rule below, so presumably elsewhere |
| meta __UNICODE_OBFU_ASC_MANY __UNICODE_OBFU_ASC > 9 |
| # a single hit is enough here; __SPAN_BEG_TEXT and HTML_IMAGE_ONLY_32 are defined elsewhere |
| meta UNICODE_OBFU_ASC __UNICODE_OBFU_ASC && !__SPAN_BEG_TEXT && !HTML_IMAGE_ONLY_32 |
| describe UNICODE_OBFU_ASC Obfuscating text with unicode |
| score UNICODE_OBFU_ASC 2.500 # limit |
| tflags UNICODE_OBFU_ASC publish |
| |
| # Zero-width obfuscation combined with other signals (subrules defined elsewhere). |
| # These three carry no "tflags publish" line; presumably deliberate. |
| meta ZW_OBFU_BITCOIN __UNICODE_OBFU_ZW && __BITCOIN_ID |
| describe ZW_OBFU_BITCOIN Obfuscated text + bitcoin ID - possible extortion |
| score ZW_OBFU_BITCOIN 2.500 # limit |
| |
| meta ZW_OBFU_FROMTOSUBJ __UNICODE_OBFU_ZW && FROM_IN_TO_AND_SUBJ |
| describe ZW_OBFU_FROMTOSUBJ Obfuscated text + from in to and subject |
| score ZW_OBFU_FROMTOSUBJ 2.000 # limit |
| |
| meta ZW_OBFU_FREEM __UNICODE_OBFU_ZW && __freemail_hdr_replyto |
| describe ZW_OBFU_FREEM Obfuscated text + freemail |
| score ZW_OBFU_FREEM 2.000 # limit |
| |
| # Made-up "Content-X-something: value" header lines anywhere in the raw message |
| # (full = headers and body).  Case-sensitive: only lowercase names/values match. |
| full __BOGUS_MIME_HDR /\bContent-[XYZ]-[a-z]{6,15}:\s+[a-z]{6,15}\b/ |
| tflags __BOGUS_MIME_HDR multiple maxhits=8 |
| # eight such lines (the cap); consumer not visible in this section |
| meta __BOGUS_MIME_HDR_MANY __BOGUS_MIME_HDR > 7 |
| endif |
| |
| |
| # HTML entity obfuscation per list discussion 11/2018 (thanks AC and RW) |
| # Broad non-ASCII didn't pan out |
| # body __AC_HTML_ENTITY_BONANZA_BODY /(?:&(?:[A-Z0-9]{2,}|\#(?:[0-9]{2,5}|x[0-9A-F]{2,4}));\s{0,64}){20}/i |
| # rawbody __AC_HTML_ENTITY_BONANZA_RAW /(?:&(?:[A-Z0-9]{2,}|\#(?:[0-9]{2,5}|x[0-9A-F]{2,4}));\s{0,64}){20}/i |
| # body __AC_HTML_ENTITY_BONANZA_SHRT_BODY /(?:&[A-Z0-9\#]{2,};\s{0,64}){20}/i |
| # Runs of 20 (resp. 10) consecutive HTML entities ("&name;" or "&#num;") separated by |
| # at most 64 whitespace characters: text that is entirely entity-encoded. |
| rawbody __AC_HTML_ENTITY_BONANZA_SHRT_RAW_MANY /(?:&[A-Z0-9\#]{2,};\s{0,64}){20}/i |
| rawbody __AC_HTML_ENTITY_BONANZA_SHRT_RAW /(?:&[A-Z0-9\#]{2,};\s{0,64}){10}/i |
| # meta __AC_HTML_ENTITY_BONANZA_MINFP __AC_HTML_ENTITY_BONANZA_SHRT_RAW_MANY && !__RCD_RDNS_MTA_MESSY && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA |
| # runaway backtracking? |
| #rawbody __AC_HTML_ENTITY_BONANZA_NEW /(?:(?:\w|\s|[.,!?:'"()\$]){0,32}(?:&(?:[A-Za-z0-9]{2,64}|\#(?:[0-9]{2,5}|x[0-9A-F]{2,4}));\s*){1,64}){10}/i |
| |
| # rawbody __RW_HTML_ENTITY_ASCII_MANY /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){20}/i |
| # meta __RW_HTML_ENTITY_ASCII_MANY_MINFP __HTML_ENTITY_ASCII_MANY && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY |
| |
| # Ten consecutive numeric entities whose value is in the plain-ASCII range (decimal |
| # 0-127 or hex 00-7f): ordinary text encoded character by character, which a |
| # browser renders normally but which defeats word-based body rules. |
| rawbody __HTML_ENTITY_ASCII /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){10}/i |
| # FP guards: DKIM-signed mail, known relay rDNS patterns, mailing-list traffic and |
| # 8-bit bodies are excluded (all subrules defined elsewhere). |
| meta __HTML_ENTITY_ASCII_MINFP __HTML_ENTITY_ASCII && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML |
| |
| meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP |
| describe HTML_ENTITY_ASCII Obfuscated ASCII |
| score HTML_ENTITY_ASCII 3.000 # limit |
| tflags HTML_ENTITY_ASCII publish |
| |
| # same, combined with a tiny-font style (__HTML_FONT_TINY_01 defined elsewhere) |
| meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_MINFP && __HTML_FONT_TINY_01 |
| describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts |
| score HTML_ENTITY_ASCII_TINY 3.000 # limit |
| tflags HTML_ENTITY_ASCII_TINY publish |
| |
| |
| # An <a href="..."> whose value is a bare host name (2-6 dot-separated labels) with |
| # no scheme.  The optional "3d" after "=" tolerates quoted-printable encoding of "=". |
| rawbody __HTML_URI_NO_PROTOCOL /<a\s+href\s*=(?:3d)?\s*"[a-z0-9][-a-z0-9_]{1,64}(?:\.[a-z0-9][-a-z0-9_]{1,64}){1,5}\s*"/i |
| |
| # ... together with __128_ALNUM_URI (defined elsewhere; presumably a very long |
| # alphanumeric URI) |
| meta URI_GIBB_NO_PROTO __HTML_URI_NO_PROTOCOL && __128_ALNUM_URI |
| score URI_GIBB_NO_PROTO 3.000 # limit |
| describe URI_GIBB_NO_PROTO Long, gibberish, no-protocol URI |
| |
| # test rules suggested by Amir Caspi |
| # From address (inside angle brackets) whose localpart has two or more dot-separated |
| # tokens of 2+ word characters before the "@", e.g. <aa.bb.cc@...>. |
| header __AC_FROM_MANY_DOTS From =~ /<(?:\w{2,}\.){2,}\w+/ |
| # Long FP guard list (trusted path, freemail forgery rules, Google relays, threaded |
| # replies, mailing lists, multipart/mixed, ...); all subrules are defined elsewhere. |
| meta __AC_FROM_MANY_DOTS_MINFP __AC_FROM_MANY_DOTS && !ALL_TRUSTED && !FREEMAIL_FORGED_FROMDOMAIN && !FORGED_GMAIL_RCVD && !__UNSUB_LINK && !__XM_VBULLETIN && !__RDNS_SHORT && !__REPTO_QUOTE && !__FSL_RELAY_GOOGLE && !__HAS_IN_REPLY_TO && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_MX_MESSY && !__CTYPE_MULTIPART_MIXED && !__RCD_RDNS_MTA && !__VIA_ML && !__HAS_ERRORS_TO |
| meta AC_FROM_MANY_DOTS __AC_FROM_MANY_DOTS_MINFP |
| score AC_FROM_MANY_DOTS 3.000 # limit |
| describe AC_FROM_MANY_DOTS Multiple periods in From user name |
| tflags AC_FROM_MANY_DOTS publish |
| |
| # CSS text-indent with a 3+ digit magnitude (optionally negative): a common way to |
| # push text out of the visible area. |
| rawbody __AC_LARGE_INDENT /text-indent\s*:\s*[-]?[0-9]{3,}(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i |
| |
| # URI path where a page-like file name ("index.html", "main.htm", "sitesource2.html", |
| # ...) is followed by a further path segment, i.e. the "file" is really a directory. |
| uri __AC_POSTHTMLEXTRAS /(?:main[0-9]?|mian|start(?:page)?|info(?:page|source|center)?|(?:one|view)?(?:site|source)(?:view|[0-9])?|(?:hub|file)one|index(?:[0-9]|page)?|mediafile|userlink|faction1)[.,]html?\/\w{2,}\b/i |
| |
| # Same idea for image-like names: "image.jpg/xyz", "mainfile-2.png/abc", ... |
| uri __AC_POSTIMGEXTRAS /(?:(?:main|external|hosted|new|file)?(?:im(?:g|age)?|user|one)s?-?(?:view(?:er)?|file|map|finder|portal|hub|online)?s?|library|media(?:source|-?files?)?|main|png|view|begin|file|port|space|webpics|host)(?:[-]?(?:[0-9]|one|two|three|four|five|six|seven|eight|nine))?[.,](?:jpe?g|png|gif)\/\w{2,}\b/i |
| |
| meta __AC_POST_EXTRAS (__AC_POSTHTMLEXTRAS || __AC_POSTIMGEXTRAS) |
| # mailto: URIs and list mail are excluded (subrules defined elsewhere) |
| meta AC_POST_EXTRAS __AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_ID |
| describe AC_POST_EXTRAS Suspicious URL |
| score AC_POST_EXTRAS 2.500 # limit |
| tflags AC_POST_EXTRAS publish |
| |
| # font-size of 1, 2 or 3 with an optional unit.  NOTE(review): because the unit is |
| # optional, "font-size: 1em" .. "3em" (not tiny) also match; confirm that is intended |
| # or anchor the unit to px/pt. |
| rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i |
| |
| |
| |
| # buff.ly link shortener; "m,...," delimiters are used because the pattern contains "/" |
| uri __URI_BUFFLY m,//buff\.ly/,i |
| # excluded when a List-Unsubscribe header is present (__DOS_HAS_LIST_UNSUB, defined elsewhere) |
| meta URI_BUFFLY __URI_BUFFLY && !__DOS_HAS_LIST_UNSUB |
| describe URI_BUFFLY buff.ly redirector URI |
| score URI_BUFFLY 2.000 # limit |
| |
| # any URL shortener + an HTML message that is little more than a linked image |
| # (__URL_SHORTENER and HTML_SHORT_LINK_IMG_1 are defined elsewhere) |
| meta SHORTENER_SHORT_IMG __URL_SHORTENER && HTML_SHORT_LINK_IMG_1 |
| describe SHORTENER_SHORT_IMG Short HTML + image + URL shortener |
| score SHORTENER_SHORT_IMG 2.500 # limit |
| tflags SHORTENER_SHORT_IMG publish |
| |
| # "data entry service(s)" in the Subject, sent with a freemail Reply-To |
| header __DATA_ENTRY_SERVICE Subject =~ /\bdata entry services?\b/i |
| meta FREEM_DATA_ENTRY __DATA_ENTRY_SERVICE && __freemail_hdr_replyto |
| describe FREEM_DATA_ENTRY Data entry services too cheap to buy a real domain |
| score FREEM_DATA_ENTRY 2.500 # limit |
| |
| |
| |
| # "Image hosted at a big retailer but mail did not come through that retailer's |
| # relays" family.  The relay check looks for an "rdns=...ebay.com" entry in the |
| # X-Spam-Relays-External pseudo-header. |
| # NOTE(review): the pattern matches that entry anywhere in the relay list, not only |
| # in the first (most recent) hop recorded by a trusted MTA; later entries are derived |
| # from sender-supplied Received headers, so the FP guard can presumably be satisfied by |
| # a forged Received line.  The same applies to the Amazon/Alibaba/Walmart/Newegg/ |
| # Shopify/t-online relay checks that follow.  Confirm this is acceptable. |
| header __HDR_RCVD_EBAY X-Spam-Relays-External =~ /\srdns=\S+\.ebay\.com\s/ |
| uri __URI_IMG_EBAY m,://[^/?]+\.ebayimg\.com/,i |
| |
| meta __EBAY_IMG_NOT_RCVD_EBAY __URI_IMG_EBAY && !__HDR_RCVD_EBAY |
| # mailto: URIs, "mail"-style relay rDNS and DKIM-signed mail excluded (defined elsewhere) |
| meta EBAY_IMG_NOT_RCVD_EBAY __EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTS |
| score EBAY_IMG_NOT_RCVD_EBAY 3.000 # limit |
| describe EBAY_IMG_NOT_RCVD_EBAY E-bay hosted image but message not from E-bay |
| tflags EBAY_IMG_NOT_RCVD_EBAY publish |
| |
| # relay rDNS under amazon.com or amazonses.com (Amazon SES) |
| header __HDR_RCVD_AMAZON X-Spam-Relays-External =~ /\srdns=\S+\.amazon(?:ses)?\.com\s/ |
| # images-amazon.com or ssl-images-amazon.com hosted image |
| uri __URI_IMG_AMAZON m,://[^/?]+\.(?:ssl-)?images-amazon\.com/,i |
| |
| # price alert site that leverages Amazon, avoid FPs |
| header __HDR_RCVD_KEEPA X-Spam-Relays-External =~ /\srdns=\S+\.keepa\.com\s/ |
| |
| meta __AMAZON_IMG_NOT_RCVD_AMZN __URI_IMG_AMAZON && !__HDR_RCVD_AMAZON |
| # further FP guards (Keepa relays, double-domain URIs, smtp/mta relay rDNS, |
| # lower-case Date header, list-style Message-ID) are all defined elsewhere |
| meta AMAZON_IMG_NOT_RCVD_AMZN __AMAZON_IMG_NOT_RCVD_AMZN && !__HDR_RCVD_KEEPA && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST |
| score AMAZON_IMG_NOT_RCVD_AMZN 2.500 # limit |
| describe AMAZON_IMG_NOT_RCVD_AMZN Amazon hosted image but message not from Amazon |
| tflags AMAZON_IMG_NOT_RCVD_AMZN publish |
| |
| # Alibaba: image on any alicdn.com host with an image extension somewhere in the path |
| header __HDR_RCVD_ALIBABA X-Spam-Relays-External =~ /\srdns=\S+\.alibaba\.com\s/ |
| uri __URI_IMG_ALICDN m,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g|gif|png),i |
| |
| meta __ALIBABA_IMG_NOT_RCVD_ALI __URI_IMG_ALICDN && !__HDR_RCVD_ALIBABA |
| # FP guards defined elsewhere (password-change notices, unsubscribe links, ...) |
| meta ALIBABA_IMG_NOT_RCVD_ALI __ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASE |
| score ALIBABA_IMG_NOT_RCVD_ALI 2.500 # limit |
| describe ALIBABA_IMG_NOT_RCVD_ALI Alibaba hosted image but message not from Alibaba |
| tflags ALIBABA_IMG_NOT_RCVD_ALI publish |
| |
| # Walmart: walmartimages.com hosted image; DKIM-signed mail excluded |
| header __HDR_RCVD_WALMART X-Spam-Relays-External =~ /\srdns=\S+\.walmart\.com\s/ |
| uri __URI_IMG_WALMART m,://[^/?]+\.walmartimages\.com/,i |
| |
| meta __WALMART_IMG_NOT_RCVD_WAL __URI_IMG_WALMART && !__HDR_RCVD_WALMART |
| meta WALMART_IMG_NOT_RCVD_WAL __WALMART_IMG_NOT_RCVD_WAL && !__DKIM_EXISTS |
| score WALMART_IMG_NOT_RCVD_WAL 2.500 # limit |
| describe WALMART_IMG_NOT_RCVD_WAL Walmart hosted image but message not from Walmart |
| tflags WALMART_IMG_NOT_RCVD_WAL publish |
| |
| # Newegg: neweggimages.com hosted image; no additional FP guards on the published rule |
| header __HDR_RCVD_NEWEGG X-Spam-Relays-External =~ /\srdns=\S+\.newegg\.com\s/ |
| uri __URI_IMG_NEWEGG m,://[^/?]+\.neweggimages\.com/,i |
| |
| meta __NEWEGG_IMG_NOT_RCVD_NEGG __URI_IMG_NEWEGG && !__HDR_RCVD_NEWEGG |
| meta NEWEGG_IMG_NOT_RCVD_NEGG __NEWEGG_IMG_NOT_RCVD_NEGG |
| score NEWEGG_IMG_NOT_RCVD_NEGG 2.500 # limit |
| describe NEWEGG_IMG_NOT_RCVD_NEGG Newegg hosted image but message not from Newegg |
| tflags NEWEGG_IMG_NOT_RCVD_NEGG publish |
| |
| # Shopify: image under cdn.shopify.com with an image extension in the path |
| header __HDR_RCVD_SHOPIFY X-Spam-Relays-External =~ /\srdns=\S+\.shopify\.com\s/ |
| uri __URI_IMG_SHOPIFY m,://cdn\.shopify\.com/.+\.(?:jpe?g|gif|png),i |
| |
| meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY |
| # many Shopify stores send through ESPs rather than shopify.com relays, hence the |
| # long guard list (campaign headers, VERP, unsubscribe URIs, Sender:; defined elsewhere) |
| meta SHOPIFY_IMG_NOT_RCVD_SFY __SHOPIFY_IMG_NOT_RCVD_SFY && !__HAS_CAMPAIGN && !MIME_QP_LONG_LINE && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER |
| score SHOPIFY_IMG_NOT_RCVD_SFY 2.500 # limit |
| describe SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not from Shopify |
| tflags SHOPIFY_IMG_NOT_RCVD_SFY publish |
| |
| # Further third-party image hosts with no matching relay check; only used in the |
| # combined HOSTED_IMG_* rules below. |
| uri __URI_IMG_YTIMG m,://[^/?]+\.ytimg\.com/,i |
| uri __URI_IMG_JOOMCDN m,://img\.joomcdn\.net/,i |
| uri __URI_IMG_WISH m,://contestimg\.wish\.com/,i |
| uri __URI_IMG_STATICBG m,://imgaz\.staticbg\.com/images/,i |
| |
| |
| # Any of the hosted-image URIs + an unsubscribe link pointing at a bare IP address |
| # (__URI_DQ_UNSUB, defined elsewhere). |
| # NOTE(review): this list and the DIRECT_MX one below omit __URI_IMG_WP_REDIR, which |
| # the FREEM and MULTI lists include; presumably deliberate (their describe text does |
| # not mention "redirected"), but worth confirming. |
| meta __HOSTED_IMG_DQ_UNSUB __URI_DQ_UNSUB && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG ) |
| meta HOSTED_IMG_DQ_UNSUB __HOSTED_IMG_DQ_UNSUB |
| score HOSTED_IMG_DQ_UNSUB 3.500 # limit |
| describe HOSTED_IMG_DQ_UNSUB Image hosted at large ecomm site, IP addr unsub link |
| tflags HOSTED_IMG_DQ_UNSUB publish |
| |
| # Any of the hosted-image URIs + message delivered directly to our MX |
| # (__DOS_DIRECT_TO_MX, defined elsewhere); DKIM-signed mail excluded. |
| meta __HOSTED_IMG_DIRECT_MX __DOS_DIRECT_TO_MX && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG ) |
| meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS |
| score HOSTED_IMG_DIRECT_MX 3.500 # limit |
| describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm site, message direct-to-mx |
| tflags HOSTED_IMG_DIRECT_MX publish |
| |
| # Hosted or WordPress-proxied image + freemail From or Reply-To; threaded replies |
| # (__THREADED, defined elsewhere) excluded.  __URI_IMG_WP_REDIR is defined further |
| # down in this file; meta dependencies are resolved after the whole config is read. |
| meta __HOSTED_IMG_FREEM ( FREEMAIL_REPLYTO || FREEMAIL_FROM ) && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_WP_REDIR || __URI_IMG_STATICBG ) |
| meta HOSTED_IMG_FREEM __HOSTED_IMG_FREEM && !__THREADED |
| score HOSTED_IMG_FREEM 3.500 # limit |
| describe HOSTED_IMG_FREEM Image hosted at large ecomm site or redirected, freemail from or reply-to |
| tflags HOSTED_IMG_FREEM publish |
| |
| # The uri subrules above carry no "multiple" flag, so each contributes 0 or 1 and the |
| # sum counts distinct hosts: images from two or more different hosts/proxies. |
| meta __HOSTED_IMG_MULTI ( __URI_IMG_EBAY + __URI_IMG_AMAZON + __URI_IMG_ALICDN + __URI_IMG_WALMART + __URI_IMG_NEWEGG + __URI_IMG_SHOPIFY + __URI_IMG_YTIMG + __URI_IMG_JOOMCDN + __URI_IMG_WISH + __URI_IMG_WP_REDIR + __URI_IMG_STATICBG ) > 1 |
| meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS |
| score HOSTED_IMG_MULTI 3.000 # limit |
| describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm sites or redirected |
| tflags HOSTED_IMG_MULTI publish |
| |
| |
| # WordPress "image accelerator" - abused for obfuscating hosted spamvertised product images |
| # i0.wp.com / i2.wp.com proxy URI ending in an image extension; ";" delimiters because |
| # the pattern contains "/".  Also referenced by the HOSTED_IMG_FREEM/MULTI rules above. |
| uri __URI_IMG_WP_REDIR m;://i[02]\.wp\.com/.*\.(?:jpe?g|gif|png)$;i |
| meta URI_IMG_WP_REDIR __URI_IMG_WP_REDIR |
| score URI_IMG_WP_REDIR 3.000 # limit |
| describe URI_IMG_WP_REDIR Image via WordPress "accelerator" proxy |
| tflags URI_IMG_WP_REDIR publish |
| |
| #header __BOGUS_MIME_VER_01 MIME-Version =~ /^(?!\s*1\.0).+/ |
| # MIME-Version header is present but nowhere contains the token "1.0" (the only |
| # value the MIME standard defines).  Absent headers do not match header rules, so |
| # this does not fire on mail without MIME-Version. |
| header __BOGUS_MIME_VER_02 MIME-Version =~ /^(?!.*\b1\.0\b).+/ |
| meta BOGUS_MIME_VERSION __BOGUS_MIME_VER_02 |
| score BOGUS_MIME_VERSION 3.500 # limit |
| describe BOGUS_MIME_VERSION Mime version header is bogus |
| tflags BOGUS_MIME_VERSION publish |
| |
| # also hits NORMAL_HTTP_TO_IP but should be punished harder |
| # URI host written as a hex literal (0x followed by 8+ hex digits), a classic way |
| # to disguise a numeric IP address. |
| uri __URI_HEX_IP m;://0x[0-9A-F]{8,}[:/];i |
| meta URI_HEX_IP __URI_HEX_IP |
| score URI_HEX_IP 2.500 # limit |
| describe URI_HEX_IP URI with hex-encoded IP-address host |
| tflags URI_HEX_IP publish |
| |
| # "/redirect.php?..." open-redirect style links; VERP senders and "mta"-style relay |
| # rDNS (defined elsewhere) are excluded |
| uri __URI_PHP_REDIR m;/redirect\.php\?;i |
| meta URI_PHP_REDIR __URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTA |
| score URI_PHP_REDIR 3.500 # limit |
| describe URI_PHP_REDIR PHP redirect to different URL (link obfuscation) |
| tflags URI_PHP_REDIR publish |
| |
| |
| # Guarded by feature_bug6558_free; presumably because of the ">=" count comparison below. |
| if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
| # "...day I earned $500"-style testimonials; counted up to 4 times |
| body __DAY_I_EARNED /day,?\sI\s(?:earned|got|received|made|brought\sin)\s\$\s?\d{3}/i |
| tflags __DAY_I_EARNED multiple maxhits=4 |
| #meta __DAY_I_EARNED_1 __DAY_I_EARNED >= 1 |
| #meta __DAY_I_EARNED_2 __DAY_I_EARNED >= 2 |
| #meta __DAY_I_EARNED_3 __DAY_I_EARNED >= 3 |
| # three or more such testimonials in one message |
| meta DAY_I_EARNED __DAY_I_EARNED >= 3 |
| score DAY_I_EARNED 3.000 # limit |
| describe DAY_I_EARNED Work-at-home spam |
| tflags DAY_I_EARNED publish |
| endif |
| |
| |
| # test rule suggested by list discussion |
| # relay without rDNS and no positive "not spoofed" signal (__NOT_SPOOFED, defined elsewhere) |
| meta __NORDNS_SPOOFED __RDNS_NONE && !__NOT_SPOOFED |
| |
| |
| |
| # potential bitcoin extortion obfuscation |
| # "password" with optional single separators (-, whitespace, _) between the letters, |
| # so "p-a-s-s-w-o-r-d" and "p a s s w o r d" also match |
| body __PASSWORD /\bp[-\s_]?a[-\s_]?s[-\s_]?s[-\s_]?w[-\s_]?o[-\s_]?r[-\s_]?d\b/i |
| # password mention + recipient's localpart in the Subject + PDF attachment |
| # (__YOUR_PASSWORD, LOCALPART_IN_SUBJECT and __PDF_ATTACH are defined elsewhere) |
| meta __UNAME_PASSWD_PDF ( __PASSWORD || __YOUR_PASSWORD ) && LOCALPART_IN_SUBJECT && __PDF_ATTACH |
| |
| |
| # .gov and .edu URIs appearing in spams, attempts to leverage whitelisting? |
| # http(s) URI whose host ends in .gov / .edu; a "/" must follow the TLD. |
| uri __URI_DOTGOV m;^https?://(?:[^./]+\.)+gov/;i |
| uri __URI_DOTEDU m;^https?://(?:[^./]+\.)+edu/;i |
| # ".gov"/".edu" followed by whitespace anywhere in the external-relay pseudo-header. |
| # NOTE(review): this is not restricted to the rdns= field, so helo= or by= values |
| # (and relay entries derived from sender-supplied Received headers) also satisfy it; |
| # confirm the intended scope. |
| header __RCVD_DOTGOV_EXT X-Spam-Relays-External =~ /\.gov\s/i |
| header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\.edu\s/i |
| |
| meta __DOTGOV_FREEMAIL __URI_DOTGOV && __freemail_hdr_replyto |
| #meta __DOTGOV_MONEY __URI_DOTGOV && ( __XFER_MONEY || __MONEY_FRAUD || __YOUR_FUND || __BENEFICIARY || __COMPENSATION || __LOTSA_MONEY_01 || __LOTSA_MONEY_04 ) |
| # narrowed from the commented-out version above to the single __YOUR_FUND subrule |
| meta __DOTGOV_MONEY __URI_DOTGOV && ( __YOUR_FUND ) |
| |
| # .gov link + remotely hosted image (__REMOTE_IMAGE); bounce relays excluded |
| meta __DOTGOV_IMAGE __URI_DOTGOV && __REMOTE_IMAGE |
| meta DOTGOV_IMAGE __DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYS |
| describe DOTGOV_IMAGE .gov URI + hosted image |
| score DOTGOV_IMAGE 3.000 # limit |
| tflags DOTGOV_IMAGE publish |
| |
| # .gov link from a sender whose DKIM ADSP lookup returned NXDOMAIN; "net" because |
| # DKIM_ADSP_NXDOMAIN requires a DNS lookup |
| meta __DOTGOV_NXDKIM __URI_DOTGOV && DKIM_ADSP_NXDOMAIN |
| tflags __DOTGOV_NXDKIM net |
| |
| # Any .edu URI, minus mail that itself came via a .edu relay, list mail, mail with |
| # an X-Mailer, trusted-path mail and unsubscribe/"mail" links (subrules elsewhere). |
| meta URI_DOTEDU __URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINK |
| describe URI_DOTEDU Has .edu URI |
| score URI_DOTEDU 2.000 # limit |
| tflags URI_DOTEDU publish |
| |
| # .edu URI + an over-long line (__LONGLINE, defined elsewhere); no publish flag |
| meta __URI_DOTEDU_LONG __URI_DOTEDU && __LONGLINE |
| meta URI_DOTEDU_LONG __URI_DOTEDU_LONG && !ALL_TRUSTED && !__RDNS_LONG && !__DOS_RELAYED_EXT && !__URI_MAILTO && !__CTE |
| describe URI_DOTEDU_LONG Has .edu URI + excessively long line |
| score URI_DOTEDU_LONG 3.000 # limit |
| |
| # .edu URI + a run of 10 HTML entities (__AC_HTML_ENTITY_BONANZA_SHRT_RAW, above). |
| # NOTE(review): the describe text below says "Via .edu MTA", but this meta is built on |
| # __URI_DOTEDU (a URI rule), not on __RCVD_DOTEDU_EXT; it looks copied from the |
| # RCVD_DOTEDU_* rules and should presumably read ".edu URI + suspicious HTML content". |
| meta __URI_DOTEDU_ENTITY __URI_DOTEDU && __AC_HTML_ENTITY_BONANZA_SHRT_RAW |
| meta URI_DOTEDU_ENTITY __URI_DOTEDU_ENTITY && !__SUBSCRIPTION_INFO |
| describe URI_DOTEDU_ENTITY Via .edu MTA + suspicious HTML content |
| score URI_DOTEDU_ENTITY 3.000 # limit |
| tflags URI_DOTEDU_ENTITY publish |
| |
| # The remaining rules key on the relay pseudo-header (__RCVD_DOTEDU_EXT) rather than |
| # on a URI: compromised/abused .edu accounts relaying spam. |
| # long alphanumeric or otherwise odd URIs (__45_ALNUM_URI etc., defined elsewhere) |
| meta __RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI ) |
| meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI |
| describe RCVD_DOTEDU_SUSP_URI Via .edu MTA + suspicious URI |
| score RCVD_DOTEDU_SUSP_URI 3.000 # limit |
| tflags RCVD_DOTEDU_SUSP_URI publish |
| |
| # image-only / URI-only / short HTML bodies; "Re:" subjects and list mail excluded |
| meta __RCVD_DOTEDU_SHORT __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 ) |
| meta RCVD_DOTEDU_SHORT __RCVD_DOTEDU_SHORT && !__FS_SUBJ_RE && !__HAS_LIST_ID |
| describe RCVD_DOTEDU_SHORT Via .edu MTA + short message |
| score RCVD_DOTEDU_SHORT 2.500 # limit |
| tflags RCVD_DOTEDU_SHORT publish |
| |
| # other content oddities (long QP lines, whitespace ratio, run-on From, VERP); |
| # X-Loop / X-Ref headers (list and news software) excluded; no publish flag |
| meta __RCVD_DOTEDU_SUSP __RCVD_DOTEDU_EXT && ( MIME_QP_LONG_LINE || __TVD_SPACE_RATIO || __FROM_RUNON || __USING_VERP1 ) |
| meta RCVD_DOTEDU_SUSP __RCVD_DOTEDU_SUSP && !__HAS_X_LOOP && !__HAS_X_REF |
| describe RCVD_DOTEDU_SUSP Via .edu MTA + suspicious content |
| score RCVD_DOTEDU_SUSP 2.000 # limit |
| |
| |
| # bitcoin work-at-home spams 04/2020 |
| # Individual work-from-home / binary-options pitch phrases; each is a plain 0/1 hit |
| # and they are summed in __WFH_01 below. |
| body __PERFECT_BINARY /\bperfect binary option\b/i |
| # "we have already paid $1,234,567 thousand dollars to our members" and variants |
| body __WE_PAID /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i |
| body __MAKE_XTRA_DOLLAR /\bmake an extra dollar\b/i |
| # "last/final day of the $50 bonus offer" |
| body __BONUS_LAST_DAY /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i |
| body __PASSIVE_INCOME /\bpassive income\b/i |
| # "without any effort", "with no special effort", ... |
| body __WITHOUT_EFFORT /\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great| special| extra)? effort\b/i |
| body __TRANSFORM_LIFE /\b(transform|change) your (?:daily )?life(?:style)?\b/i |
| # "without leaving your home", "going out of the house", ... |
| body __STAY_HOME /\b(?:going out of|leaving)(?: your)? (?:home|house|residence)\b/i |
| # "you will receive a bonus of $100", "you'll be greeted with a gift: $50", ... |
| body __RECEIVE_BONUS /\byou(?:'ll)?(?: also| will)* (?:rec[ei]*ve|get|earn|collect|be (?:awarded|handed|remitted|given|paid|(?:greeted|welcomed|started) with)) (?:an? )?(?:gift|bonus|extra)(?: of|:)? \$[\d,]+/i |
| |
| # standalone rule for the "transform your life" phrase; campaign/Sender/X-Mailer |
| # headers and list mail (defined elsewhere) excluded |
| meta TRANSFORM_LIFE __TRANSFORM_LIFE && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_X_MAILER && !__VIA_ML |
| describe TRANSFORM_LIFE Transform your life! |
| score TRANSFORM_LIFE 2.500 # limit |
| |
| |
| # three or more of the nine distinct WFH phrases above (none carry "multiple", so |
| # the sum is a count of distinct phrases) |
| meta __WFH_01 ( __PERFECT_BINARY + __WE_PAID + __MAKE_XTRA_DOLLAR + __BONUS_LAST_DAY + __PASSIVE_INCOME + __WITHOUT_EFFORT + __TRANSFORM_LIFE + __STAY_HOME + __RECEIVE_BONUS ) > 2 |
| |
| # WFH pitch + bitcoin mention (__BITCOIN, defined elsewhere).  These three published |
| # rules have no score line here, so they presumably pick one up elsewhere or default. |
| meta __BITCOIN_WFH_01 __BITCOIN && __WFH_01 |
| meta BITCOIN_WFH_01 __BITCOIN_WFH_01 |
| describe BITCOIN_WFH_01 Work-from-Home + bitcoin |
| tflags BITCOIN_WFH_01 publish |
| |
| # WFH pitch + very many recipients (__TO_WAY_TOO_MANY, defined elsewhere) |
| meta __TO_TOO_MANY_WFH_01 __TO_WAY_TOO_MANY && __WFH_01 |
| meta TO_TOO_MANY_WFH_01 __TO_TOO_MANY_WFH_01 |
| describe TO_TOO_MANY_WFH_01 Work-from-Home + many recipients |
| tflags TO_TOO_MANY_WFH_01 publish |
| |
| # WFH pitch + freemail From or Reply-To |
| meta __FREEMAIL_WFH_01 (FREEMAIL_FROM || FREEMAIL_REPLYTO) && __WFH_01 |
| meta FREEMAIL_WFH_01 __FREEMAIL_WFH_01 |
| describe FREEMAIL_WFH_01 Work-from-Home + freemail |
| tflags FREEMAIL_WFH_01 publish |
| |
| |
| # 3-10 consecutive characters from the 4-byte UTF-8 range \xf0\x9d\x90..\x9f\x80..\xbf, |
| # i.e. U+1D400..U+1D7FF, the Mathematical Alphanumeric Symbols block (bold, italic, |
| # script, double-struck ... look-alikes of Latin letters) used to spell ordinary words |
| # so that they display normally but do not match text rules. |
| body __4BYTE_UTF8_WORD /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/ |
| tflags __4BYTE_UTF8_WORD multiple maxhits=10 |
| meta __4BYTE_UTF8_WORD_3 __4BYTE_UTF8_WORD > 3 |
| meta __4BYTE_UTF8_WORD_5 __4BYTE_UTF8_WORD > 5 |
| meta __4BYTE_UTF8_WORD_9 __4BYTE_UTF8_WORD > 9 |
| # ten such words (the cap) |
| meta SUSP_UTF8_WORD_MANY __4BYTE_UTF8_WORD_9 |
| describe SUSP_UTF8_WORD_MANY Many words using only suspicious UTF-8 characters |
| score SUSP_UTF8_WORD_MANY 3.000 # limit |
| |
| # a single such word is enough when combined with another spam sign (all defined elsewhere) |
| meta SUSP_UTF8_WORD_COMBO __4BYTE_UTF8_WORD && ( __LIST_PARTIAL || __RDNS_NONE || __CLICK_HERE || __PHPMAILER_MUA || __STY_INVIS_3 || __TO___LOWER || __MSGID_OK_DIGITS || __HTML_IMG_ONLY ) |
| describe SUSP_UTF8_WORD_COMBO Words using only suspicious UTF-8 characters + other signs |
| score SUSP_UTF8_WORD_COMBO 3.000 # limit |
| |
| # same character class in the (decoded) Subject |
| header __4BYTE_UTF8_WORD_SUBJ Subject =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/ |
| meta SUSP_UTF8_WORD_SUBJ __4BYTE_UTF8_WORD_SUBJ |
| describe SUSP_UTF8_WORD_SUBJ Word in Subject using only suspicious UTF-8 characters |
| score SUSP_UTF8_WORD_SUBJ 2.000 # limit |
| |
| # same character class in the From display name |
| header __4BYTE_UTF8_WORD_FROM From:name =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/ |
| meta SUSP_UTF8_WORD_FROM __4BYTE_UTF8_WORD_FROM |
| describe SUSP_UTF8_WORD_FROM Word in From name using only suspicious UTF-8 characters |
| score SUSP_UTF8_WORD_FROM 2.000 # limit |
| |
| # observed by AC |
| # a <td> followed by five or more "</td><td>" pairs with nothing in between, i.e. a |
| # row of six or more empty table cells; three such rows (the cap) are required |
| rawbody __HTML_EMPTY_CELLS /<td>(?:<\/td><td>){5,}/i |
| tflags __HTML_EMPTY_CELLS multiple maxhits=3 |
| meta __HTML_EMPTY_CELLS_MANY __HTML_EMPTY_CELLS > 2 |
| meta HTML_EMPTY_CELLS_MANY __HTML_EMPTY_CELLS_MANY |
| describe HTML_EMPTY_CELLS_MANY HTML table with lots of empty cells |
| score HTML_EMPTY_CELLS_MANY 1.500 # limit |
| |
| |
| # Sendgrid click-tracking redirect (uNNN.ct.sendgrid.net/ls/click?upn=...); |
| # case-sensitive, no "i" flag. |
| uri __SENDGRID_REDIR m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=, |
| # split into a "phishing signs present" and a "no phishing signs" variant so the two |
| # published rules below are mutually exclusive; __SENDGRID_REDIR_PHISH is defined |
| # just below (meta dependencies are resolved after the whole config is read) |
| meta __SENDGRID_REDIR_NOPHISH __SENDGRID_REDIR && !__SENDGRID_REDIR_PHISH |
| # low-scoring generic variant; mailing-list software headers, invisible styling and |
| # bounce relays (defined elsewhere) excluded |
| meta SENDGRID_REDIR __SENDGRID_REDIR_NOPHISH && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION && !__STY_INVIS_MANY && !__HTML_SINGLET_10 && !__HAVE_BOUNCE_RELAYS |
| describe SENDGRID_REDIR Redirect URI via Sendgrid |
| score SENDGRID_REDIR 1.500 # limit |
| tflags SENDGRID_REDIR publish |
| |
| # redirect + From-name/To-domain mismatch, forged MUA-to-MX relay, or recipient in |
| # Subject (all defined elsewhere): typical credential-phishing shape |
| meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ ) |
| meta SENDGRID_REDIR_PHISH __SENDGRID_REDIR_PHISH |
| describe SENDGRID_REDIR_PHISH Redirect URI via Sendgrid + phishing signs |
| score SENDGRID_REDIR_PHISH 3.500 # limit |
| tflags SENDGRID_REDIR_PHISH publish |
| |
| # suspicious Message-ID shape (__MSGID_DOLLARS_MAYBE) + any URI + a linked image |
| # (__HTML_LINK_IMAGE); threaded replies and Re:/Fw: subjects excluded (all elsewhere) |
| meta __MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_MAYBE && __HAS_ANY_URI && __HTML_LINK_IMAGE |
| meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW |
| describe MSGID_DOLLARS_URI_IMG Suspicious Message-ID and image |
| score MSGID_DOLLARS_URI_IMG 3.000 # limit |
| tflags MSGID_DOLLARS_URI_IMG publish |
| |
| # host names like "something-gov.com" / "something-edu.com" that imitate a .gov or |
| # .edu domain under a commercial TLD |
| uri __URI_DASHGOVEDU m,://[^/]*-(?:gov|edu)\.com/,i |
| meta URI_DASHGOVEDU __URI_DASHGOVEDU |
| describe URI_DASHGOVEDU Suspicious domain name |
| score URI_DASHGOVEDU 3.500 # limit |
| tflags URI_DASHGOVEDU publish |
| |
| # all have good S/O but are already scored very highly |
| #meta __NOINR_MSOE_FORG __NO_INR_YES_REF && __MSOE_MID_WRONG_CASE |
| #meta __NOINR_MONEY __NO_INR_YES_REF && __LOTSA_MONEY_01 |
| #meta __NOINR_FRAUD __NO_INR_YES_REF && (__AFRICAN_STATE || __BENEFICIARY || __COMPENSATION || __FILL_THIS_FORM_PARTIAL || __LOTTO_DEPT || __WIRE_XFR || __TRANSFORM_LIFE ) |
| |
| # Apparent use of content hosted at storage.googleapis.com |
| # (mapped images and HTML landing pages for the imagemap URIs) |
| # to avoid URIBL hits |
| # image object in a Google Cloud Storage bucket (URI anchored at both ends) |
| uri __URI_GOOG_STO_IMG m,^https?://storage\.googleapis\.com/.*\.(?:png|jpe?g|gif)$,i |
| tflags __URI_GOOG_STO_IMG multiple maxhits=5 |
| |
| # HTML landing page in Cloud Storage or Firebase Storage, optionally with a query string |
| uri __URI_GOOG_STO_HTML m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.html?(?:$|\?),i |
| tflags __URI_GOOG_STO_HTML multiple maxhits=5 |
| |
| # the four image/HTML combinations |
| meta __GOOG_STO_IMG_NOHTML __URI_GOOG_STO_IMG && !__URI_GOOG_STO_HTML |
| meta __GOOG_STO_NOIMG_HTML !__URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML |
| |
| # _2 (two or more HTML pages) is not used by the published rules in this section |
| meta __GOOG_STO_IMG_HTML_2 __URI_GOOG_STO_IMG && (__URI_GOOG_STO_HTML > 1) |
| meta __GOOG_STO_IMG_HTML_1 __URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML |
| |
| meta GOOG_STO_IMG_HTML __GOOG_STO_IMG_HTML_1 |
| describe GOOG_STO_IMG_HTML Apparently using google content hosting to avoid URIBL |
| score GOOG_STO_IMG_HTML 3.000 # limit |
| tflags GOOG_STO_IMG_HTML publish |
| |
| # HTML page only; list mail excluded |
| meta GOOG_STO_NOIMG_HTML __GOOG_STO_NOIMG_HTML && !__HAS_LIST_ID |
| describe GOOG_STO_NOIMG_HTML Apparently using google content hosting to avoid URIBL |
| score GOOG_STO_NOIMG_HTML 3.000 # limit |
| tflags GOOG_STO_NOIMG_HTML publish |
| |
| # S/O not great, try salvage what's possible |
| # image only, so it needs one extra spam sign and a long FP guard list (all subrules |
| # defined elsewhere) |
| meta GOOG_STO_IMG_NOHTML __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID |
| describe GOOG_STO_IMG_NOHTML Apparently using google content hosting to avoid URIBL |
| score GOOG_STO_IMG_NOHTML 2.500 # limit |
| tflags GOOG_STO_IMG_NOHTML publish |
| |
| # HTML page + e-mail/account phishing wording (single hit); the _MANY variants are |
| # excluded here so that the stronger rule below fires instead |
| meta __GOOG_STO_HTML_PHISH __URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY |
| meta GOOG_STO_HTML_PHISH __GOOG_STO_HTML_PHISH |
| describe GOOG_STO_HTML_PHISH Possible phishing with google content hosting to avoid URIBL |
| score GOOG_STO_HTML_PHISH 3.00 # limit |
| tflags GOOG_STO_HTML_PHISH publish |
| |
| # HTML page + many phishing phrases |
| meta GOOG_STO_HTML_PHISH_MANY __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY) |
| describe GOOG_STO_HTML_PHISH_MANY Phishing with google content hosting to avoid URIBL |
| score GOOG_STO_HTML_PHISH_MANY 4.00 # limit |
| tflags GOOG_STO_HTML_PHISH_MANY publish |
| |
| |
| # download-a-file pitch, malware? 11/2020 |
| #header CRAIGSLIST_DATING Subject =~ /Sexy \w+ From Craigs?list/i |
| #describe CRAIGSLIST_DATING Possible malware |
| #score CRAIGSLIST_DATING 4.000 # limit |
| |
| # tenant-specific SharePoint host (anything.sharepoint.com except www.); consumer |
| # not visible in this section |
| uri __URI_PVT_SHAREPOINT m,^https?://(?!www\.)(?:[^/.]+\.)+sharepoint\.com/,i |
| |
| # suspicious HTML observed in the wild |
| #rawbody __QUOTQUOTQUOT /(?:"){5,}/ |
| #tflags __QUOTQUOTQUOT multiple maxhits=16 |
| #meta __QUOTQUOTQUOT_MANY __QUOTQUOTQUOT > 15 |
| |
| |
| # soft hyphens (U+00AD, UTF-8 \xc2\xad) inside words: either a 1-3 letter fragment + |
| # SHY + 1-2 letters, or a word containing 2-6 SHY-separated pieces; invisible when |
| # rendered but breaks word matching.  Eleven hits (the cap) needed for _MANY. |
| body __OBFU_SHY /\b(?:[a-z]{1,3}[\xc2][\xad][a-z]{1,2}|\w+(?:[\xc2][\xad]\w+){2,6})\b(?![\xc2])/i |
| tflags __OBFU_SHY multiple maxhits=11 |
| meta __OBFU_SHY_MANY __OBFU_SHY > 10 |
| |
| # For masscheck eval, by request |
| # exact-sender subrules for mass-check statistics only; no scoring rule uses them here |
| header __LW_TEST_01 From:addr =~ /^store-news\@amazon\.com$/ |
| header __LW_TEST_02 From:addr =~ /^newsletters\@hohiko\.co\.uk$/ |
| header __LW_TEST_03 From:addr =~ /\@hohiko\.co\.uk$/ |
| |
| # relay rDNS under t-online.de (same any-entry caveat as the retailer relay checks above) |
| header __HDR_RCVD_TONLINEDE X-Spam-Relays-External =~ /\srdns=\S+\.t-online\.de\s/ |
| |
| # A DKIM signature on mail relayed via t-online.de is treated as a forgery sign. |
| # NOTE(review): this encodes an assumption about a third party's signing practice |
| # that can change without notice; re-verify periodically or the rule turns into an FP. |
| meta TONLINE_FAKE_DKIM __HDR_RCVD_TONLINEDE && __DKIM_EXISTS |
| describe TONLINE_FAKE_DKIM t-online.de doesn't do DKIM |
| score TONLINE_FAKE_DKIM 2.500 # limit |
| |
| |
| # X-MSMail-Priority values; "abnormal" = header present (__HAS_MSMAIL_PRI, defined |
| # elsewhere) but not exactly "normal".  __MSMAIL_PRI_HIGH is not used in this section. |
| header __MSMAIL_PRI_NORMAL X-MSMail-Priority =~ /^normal$/i |
| header __MSMAIL_PRI_HIGH X-MSMail-Priority =~ /^(?:high|urgent)$/i |
| meta __MSMAIL_PRI_ABNORMAL __HAS_MSMAIL_PRI && !__MSMAIL_PRI_NORMAL |
| |
| # genuine Outlook/OE mail (MUA fingerprint, Thread-Index, OE Message-ID casing) and |
| # DKIM-signed mail excluded, since those legitimately set this header |
| meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE |
| describe MSMAIL_PRI_ABNORMAL Email priority often abused |
| score MSMAIL_PRI_ABNORMAL 1.500 # limit |
| |
| |
| # Phishing? 11/2020 |
| # Whole-message regex: captures the To: localpart (\1) and domain (\2), then requires |
| # the same localpart (optionally with @domain) to reappear within the next 2048 bytes |
| # followed by "sharepoint" or "document" - the "<you>, a document was shared with you" |
| # lure.  Flags: i (case-insensitive), s (dot spans newlines), m (^ matches at each |
| # line start).  The bounded {1,2048} lookahead keeps backtracking in check. |
| full __TO_ADDR_BODY_DOC /^To:\s+(?:"[^"\n]{0,80}"\s*)?<?([^@\s]{1,40})@([^\s>]{1,40})>?\s(?=.{1,2048}\b\1(?:@\2)?\s+(?:sharepoint|document))/ism |
| |
| |
| # ISBN-13 shape: 978- or 979- prefix, then 11-15 digits/hyphens with no double hyphen, |
| # bounded on both sides by non-digit/non-hyphen; consumer not visible in this section |
| body __BODY_HAS_ISBN /(?:^|[^-\d])97[89]-\d(?:(?!--)[-\d]){10,14}(?:$|[^-\d])/ |
| |
| |