# Please don't modify this file as your changes will be overwritten with
# the next update.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
# 2007/07/10
# 0.269 0.3293 0.0000 1.000 0.76 0.00 TVD_PDF_FINGER01
# TVD_PDF_FINGER01: multipart/mixed message with a text/plain part and a PDF
# part, whose rawbody text has no run of four non-whitespace characters.
# Names starting with "__" are sub-rules: they feed metas and carry no score
# of their own. No score line for TVD_PDF_FINGER01 appears in this section.
#
# True when the rawbody text contains four consecutive non-whitespace chars.
rawbody __TVD_BODY /\S{4}/
# Top-level Content-Type starts with multipart/mixed (case-insensitive).
header __TVD_MIME_CT_MM Content-Type =~ /^multipart\/mixed/i
# A PDF part, declared either as application/pdf or as octet-stream with
# ".pdf" later in the same Content-Type header.
meta __TVD_MIME_ATT __TVD_MIME_ATT_AP || __TVD_MIME_ATT_AOPDF
# Final fingerprint: container type + text part + PDF part + near-empty body.
meta TVD_PDF_FINGER01 __TVD_MIME_CT_MM && __TVD_MIME_ATT_TP && __TVD_MIME_ATT && !__TVD_BODY
describe TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint
# NOTE(review): the two metas above sit outside this ifplugin guard, while the
# mimeheader sub-rules they read exist only when MIMEHeader is loaded.
# Confirm how the metas evaluate (and lint) when the plugin is absent.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# Per-MIME-part Content-Type tests, anchored at the start of the header value.
mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i
mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i
mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i
endif # Mail::SpamAssassin::Plugin::MIMEHeader
# 2007/09/20
# CARD_DIRECT_WWW_ADDRESS: fires on a fixed e-card lure sentence unless the
# message also contains the phrase matched by __LEGIT_MARLO_CARD.
# Both body patterns are literal and case-sensitive (no /i).
# NOTE(review): the exclusion is keyed on body text alone, so any message
# containing that phrase is exempt. Confirm this false-negative trade-off is
# still wanted, or pair the exclusion with a sender-side check.
meta CARD_DIRECT_WWW_ADDRESS (__CARD_DIRECT_WWW_ADDRESS && !__LEGIT_MARLO_CARD)
# Lure sentence.
body __CARD_DIRECT_WWW_ADDRESS /card's direct www address below while you are connected to the Internet/
# Phrase treated as marking a legitimate card notice.
body __LEGIT_MARLO_CARD /At our Card Pick Up site, enter BOTH the Directory/
score CARD_DIRECT_WWW_ADDRESS 1.577
# DOS_ANAL_SPAM_MAILER: the whole X-mailer value must be one capital letter,
# six lowercase letters and a literal "e" (an eight-letter word), then a space
# and a version of the form N.NN. Anchored at both ends and case-sensitive.
header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/
describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam
score DOS_ANAL_SPAM_MAILER 2.0
# __DOS_DIRECT_TO_MX: sub-rule that is true when the message arrived through a
# single external relay, has none of the three mailing-list headers below, and
# does not show two external Received headers.
# __DOS_SINGLE_EXT_RELAY is not defined in this section (presumably it is
# defined elsewhere in the ruleset).
# NOTE(review): the result depends on how the installation separates internal
# from external relays (trusted_networks / internal_networks). A wrong trust
# path makes relayed mail look direct-to-MX, or the reverse. Verify it before
# relying on the DOS_*_TO_MX scores.
meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT
# Header-presence tests for common mailing-list markers.
header __DOS_HAS_LIST_ID exists:List-ID
header __DOS_HAS_LIST_UNSUB exists:List-Unsubscribe
header __DOS_HAS_MAILING_LIST exists:Mailing-List
# True when the ALL-EXTERNAL pseudo-header holds at least two Received: lines.
# The per-letter classes accept mixed case. /s lets ".+" run across newlines,
# so the two Received: lines need not be adjacent.
header __DOS_RELAYED_EXT ALL-EXTERNAL =~ /(?:^|\n)[Rr][eE][cC][eE][iI][vV][eE][dD]:\s.+\n[Rr][eE][cC][eE][iI][vV][eE][dD]:\s/s
# Image variants of the direct-to-MX rules. They need MIMEHeader because they
# inspect per-part Content-Type headers.
# __OE_MUA and __ANY_OUTLOOK_MUA are not defined in this section (presumably
# they are the ruleset's Outlook Express / Outlook client sub-rules).
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# Any MIME part whose Content-Type contains image/gif, image/jpeg or image/png.
# NOTE(review): this pattern is unanchored and has no /i, unlike the other
# mimeheader tests in this file. MIME type names are case-insensitive, so
# confirm whether mixed-case types are meant to be missed.
mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /image\/(?:gif|jpeg|png)/
# OE client headers + direct-to-MX delivery + an image part.
meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image
score DOS_OE_TO_MX_IMAGE 3.0
# Same shape for Outlook headers that are not OE.
meta DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
describe DOS_OUTLOOK_TO_MX_IMAGE Direct to MX with Outlook headers and an image
score DOS_OUTLOOK_TO_MX_IMAGE 1.059
endif # Mail::SpamAssassin::Plugin::MIMEHeader
# Non-image direct-to-MX rules. Each one excludes its *_IMAGE counterpart, so a
# message is scored by the plain rule or the image rule, never both.
# The *_IMAGE rules are defined only inside the MIMEHeader ifplugin block.
# NOTE(review): confirm the negated terms evaluate as intended when that
# plugin is not loaded.
meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE
describe DOS_OE_TO_MX Delivered direct to MX with OE headers
score DOS_OE_TO_MX 2.75
# Outlook (non-OE) counterpart.
meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OUTLOOK_TO_MX_IMAGE
describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers
score DOS_OUTLOOK_TO_MX 1.0
# FB_CASINO: obfuscated spellings of "casino". The character classes accept
# $/s/5, i/1/| and o/0 in the third, fourth and last positions.
# The (?!casino) lookahead, together with /i, rejects the plain word in any
# letter case, so only substituted spellings hit.
# The pattern has no word boundaries, so it also matches inside longer strings.
body FB_CASINO /(?!casino)Ca[\$s5][i1\|]n[o0]/i
describe FB_CASINO Phrase: ca$ino
score FB_CASINO 1.075
# FRT_BEFORE: obfuscated spellings of the word "before", built with the
# ReplaceTags plugin. The <B> <E> <F> <O> <R> tags and the <inter SP2> and
# <post P2> modifiers are placeholders that the plugin expands into character
# classes. (?!before) with /i excludes the plain spelling.
# NOTE(review): neither the tag definitions nor a replace_rules entry naming
# FRT_BEFORE is visible in this section. Without both, the tags are matched as
# literal text and the rule cannot fire. Confirm they exist elsewhere.
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FRT_BEFORE /<inter SP2><post P2>\b(?!before)<B><E><F><O><R><E>\b/i
describe FRT_BEFORE ReplaceTags: Before
score FRT_BEFORE 2.381
endif # Mail::SpamAssassin::Plugin::ReplaceTags
# LOTTERY_PH_004470: the body contains both a phone-number prefix of the form
# (+ | 00 | 011) 44 [0] 70 and the word "lottery" or "winner".
# Presumably this targets UK +44 (0)70 numbers in lottery-scam mail (inferred
# from the rule name; verify against the rule's history).
# NOTE(review): neither sub-rule has word boundaries, so the number pattern can
# match inside a longer digit string and "winner" matches inside other words.
# No describe line is present for this rule.
meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY)
# International prefix, then 44, an optional 0, then 70. Up to three non-word
# characters are tolerated between the groups.
body __AFF_004470_NUMBER /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/
body __AFF_LOTTERY /(?:lottery|winner)/i
score LOTTERY_PH_004470 2.015
##{ HS_BOBAX_MID_1
# Message-Id shape: "<", four digits, a literal "D", three digits, ".", six
# digits, ".", five digits, "@", four capital letters, ">". Case-sensitive,
# and anchored at the start only.
# The "?" in the description marks the Bobax attribution as the author's guess.
# No score line for this rule appears in this section.
header HS_BOBAX_MID_1 Message-Id =~ /^<\d{4}D\d{3}\.\d{6}\.\d{5}\@[A-Z]{4}>/
describe HS_BOBAX_MID_1 Bobax? Message-Id: <0000D000.000000.00000@AAAA>
##} HS_BOBAX_MID_1
##{ HS_BOBAX_MID_2
# Message-Id shape: "<", one digit, "IX", three digits, the fixed string
# "EJXVWDA", three digits, "@", then a two-label lowercase host (letters and
# hyphens, a dot, letters), ">". Case-sensitive, and anchored at the start only.
# The fixed "EJXVWDA" token makes this a narrow signature. Expect it to go
# stale if the generator changes.
# No score line for this rule appears in this section.
header HS_BOBAX_MID_2 Message-Id =~ /^<\dIX\d{3}EJXVWDA\d{3}\@[a-z\-]+\.[a-z]+>/
describe HS_BOBAX_MID_2 Bobax? Message-Id: <0IX000EJXVWDA000@example.com>
##} HS_BOBAX_MID_2
##{ HS_OUTLOOK_MID_NOBRK
# Message-ID that looks like an Outlook-generated id but has no enclosing
# angle brackets: 12-13 lowercase hex characters, then two "$"-prefixed groups
# of 8 hex characters, "@", and an alphanumeric host with no dot.
# Anchored at both ends, so a bracketed id never matches.
# No score line for this rule appears in this section.
header HS_OUTLOOK_MID_NOBRK Message-ID =~ /^[a-f0-9]{12,13}(?:\$[a-f0-9]{8}){2}\@[A-Za-z0-9]+$/
describe HS_OUTLOOK_MID_NOBRK Outlook-esque message ID with no brackets.
##} HS_OUTLOOK_MID_NOBRK
##{ JM_REACTOR_MAILER
# JM_REACTOR_MAILER: all four header sub-rules below must match at once.
# Requiring the combination keeps each weak signal from firing alone.
# No score line for this rule appears in this section.
meta JM_REACTOR_MAILER (__JM_REACTOR_MID && __JM_REACTOR_DATE && __JM_REACTOR_XM2900 && __JM_REACTOR_XMOLE)
describe JM_REACTOR_MAILER Header patterns indicative of "Reactor Mailer" ratware
##} JM_REACTOR_MAILER
# Date header ends in a " +0000" timezone offset.
header __JM_REACTOR_DATE Date =~ / \+0000$/
# Message-ID starts with "<000" and has a lowercase alphanumeric right-hand
# side with no dot.
header __JM_REACTOR_MID Message-ID =~ /^<000\S+\@[a-z0-9]+>$/
# Exact client version strings, anchored at both ends.
# NOTE(review): the dots in both version strings are unescaped, so each one
# matches any single character. Writing them as "\." would pin the literal
# versions.
header __JM_REACTOR_XM2900 X-Mailer =~ /^Microsoft Outlook Express 6.00.2900.3138$/
header __JM_REACTOR_XMOLE X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2900.3198$/