| # Please don't modify this file as your changes will be overwritten with |
| # the next update. |
| # |
| # <@LICENSE> |
| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to you under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at: |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # </@LICENSE> |
| # |
| ########################################################################### |
| |
| # 2007/07/10 |
| # 0.269 0.3293 0.0000 1.000 0.76 0.00 TVD_PDF_FINGER01 |
| # TVD_PDF_FINGER01: multipart/mixed message with a text/plain part and a PDF |
| # part whose raw body never contains four consecutive non-whitespace chars. |
| # The numeric line above looks like a rule-QA frequency record - TODO confirm. |
| # NOTE(review): no score line for this rule is visible in this section; the |
| # effective score comes from another file or the engine default - confirm. |
| # __TVD_BODY: true as soon as the raw body holds any 4-char non-space run. |
| rawbody __TVD_BODY /\S{4}/ |
| # __TVD_MIME_CT_MM: top-level Content-Type starts with multipart/mixed. |
| header __TVD_MIME_CT_MM Content-Type =~ /^multipart\/mixed/i |
| # __TVD_MIME_ATT: some MIME part is declared as PDF (either form below). |
| meta __TVD_MIME_ATT __TVD_MIME_ATT_AP || __TVD_MIME_ATT_AOPDF |
| # NOTE(review): this meta sits outside the ifplugin guard but depends on |
| # sub-rules defined only inside it; without MIMEHeader it presumably can |
| # never fire - confirm with `spamassassin --lint`. |
| meta TVD_PDF_FINGER01 __TVD_MIME_CT_MM && __TVD_MIME_ATT_TP && __TVD_MIME_ATT && !__TVD_BODY |
| describe TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint |
| |
| ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
| |
| # Per-part Content-Type checks: text/plain, application/pdf, and |
| # application/octet-stream followed later in the header value by ".pdf". |
| mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i |
| mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i |
| mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i |
| |
| endif # Mail::SpamAssassin::Plugin::MIMEHeader |
| |
| |
| # 2007/09/20 |
| # CARD_DIRECT_WWW_ADDRESS: body contains the greeting-card lure phrase and |
| # does not contain the __LEGIT_MARLO_CARD phrase used as an exclusion. |
| # Both sub-rules are case-sensitive literal phrase matches. |
| # NOTE(review): no describe line is present, so reports show only the name. |
| meta CARD_DIRECT_WWW_ADDRESS (__CARD_DIRECT_WWW_ADDRESS && !__LEGIT_MARLO_CARD) |
| body __CARD_DIRECT_WWW_ADDRESS /card's direct www address below while you are connected to the Internet/ |
| body __LEGIT_MARLO_CARD /At our Card Pick Up site, enter BOTH the Directory/ |
| score CARD_DIRECT_WWW_ADDRESS 1.577 |
| |
| # DOS_ANAL_SPAM_MAILER: the whole X-mailer value is one capital letter, six |
| # lowercase letters, a literal "e", a space, then a version shaped d.dd. |
| # The pattern is fully anchored (^...$), so any extra text prevents a match. |
| header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/ |
| describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam |
| score DOS_ANAL_SPAM_MAILER 2.0 |
| |
| # __DOS_DIRECT_TO_MX: single external relay, no mailing-list headers, and no |
| # second external Received header. __DOS_SINGLE_EXT_RELAY is not defined in |
| # this section - presumably it comes from another rules file; confirm. |
| meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT |
| # The three exists: checks read headers set by the sender; they serve as |
| # false-positive exclusions, not as proof that a real list handled the mail. |
| header __DOS_HAS_LIST_ID exists:List-ID |
| header __DOS_HAS_LIST_UNSUB exists:List-Unsubscribe |
| header __DOS_HAS_MAILING_LIST exists:Mailing-List |
| # __DOS_RELAYED_EXT: two Received: lines within ALL-EXTERNAL. The header name |
| # is matched case-insensitively via character classes; /s lets .+ span lines. |
| header __DOS_RELAYED_EXT ALL-EXTERNAL =~ /(?:^|\n)[Rr][eE][cC][eE][iI][vV][eE][dD]:\s.+\n[Rr][eE][cC][eE][iI][vV][eE][dD]:\s/s |
| |
| # Image variants of the direct-to-MX rules; they need MIMEHeader for the |
| # per-part Content-Type test, so the whole group is guarded by ifplugin. |
| ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
| |
| # __ANY_IMAGE_ATTACH: a part's Content-Type contains image/gif, jpeg or png. |
| # NOTE(review): unlike the __TVD_MIME_ATT_* patterns in this file, this one |
| # has no /i and no ^ anchor; an upper-case type such as IMAGE/GIF would |
| # presumably not match - confirm whether that is intended. |
| mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /image\/(?:gif|jpeg|png)/ |
| |
| # __OE_MUA and __ANY_OUTLOOK_MUA are not defined in this section - |
| # presumably they come from another rules file; confirm. |
| meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH |
| describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image |
| score DOS_OE_TO_MX_IMAGE 3.0 |
| |
| # Same test for Outlook headers that are not Outlook Express (!__OE_MUA). |
| meta DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH |
| describe DOS_OUTLOOK_TO_MX_IMAGE Direct to MX with Outlook headers and an image |
| score DOS_OUTLOOK_TO_MX_IMAGE 1.059 |
| |
| endif # Mail::SpamAssassin::Plugin::MIMEHeader |
| |
| # Non-image variants: each excludes its *_IMAGE sibling so that one message |
| # is not scored by both rules of a pair. |
| # NOTE(review): the *_IMAGE rules exist only when MIMEHeader is loaded, yet |
| # these metas sit outside the ifplugin guard; without the plugin the negated |
| # term presumably counts as "not hit" - confirm with `spamassassin --lint`. |
| meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE |
| describe DOS_OE_TO_MX Delivered direct to MX with OE headers |
| score DOS_OE_TO_MX 2.75 |
| |
| meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OUTLOOK_TO_MX_IMAGE |
| describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers |
| score DOS_OUTLOOK_TO_MX 1.0 |
| |
| # FB_CASINO: obfuscated spellings of "casino" ($ or 5 for s, 1 or | for i, |
| # 0 for o). The (?!casino) lookahead, evaluated under /i, rejects the plain |
| # word in any letter case so that only substituted forms hit. |
| # There is no \b, so the pattern can also match inside a longer token. |
| body FB_CASINO /(?!casino)Ca[\$s5][i1\|]n[o0]/i |
| describe FB_CASINO Phrase: ca$ino |
| score FB_CASINO 1.075 |
| |
| # FRT_BEFORE: obfuscated spellings of the word "before", built from |
| # ReplaceTags placeholders (<B>, <E>, ... plus the <inter>/<post> modifiers). |
| # The tag definitions are not in this section. |
| ifplugin Mail::SpamAssassin::Plugin::ReplaceTags |
| |
| # \b(?!before) excludes the plain word, evaluated under /i. |
| # NOTE(review): the tags are expanded only for rules listed in a |
| # replace_rules line; none is visible here - presumably declared in another |
| # file. Confirm, otherwise the pattern is matched as literal text. |
| body FRT_BEFORE /<inter SP2><post P2>\b(?!before)<B><E><F><O><R><E>\b/i |
| describe FRT_BEFORE ReplaceTags: Before |
| score FRT_BEFORE 2.381 |
| |
| endif # Mail::SpamAssassin::Plugin::ReplaceTags |
| |
| # LOTTERY_PH_004470: body mentions "lottery" or "winner" and also contains a |
| # phone number with an international prefix followed by 44, optional 0, 70. |
| # NOTE(review): no describe line is present, so reports show only the name. |
| meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY) |
| # Prefix is +, 00 or 011; up to three non-word chars may separate groups. |
| # There is no leading boundary, so "00" inside a longer digit run can start |
| # a match. |
| body __AFF_004470_NUMBER /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/ |
| # Case-insensitive substring match without word boundaries. |
| body __AFF_LOTTERY /(?:lottery|winner)/i |
| score LOTTERY_PH_004470 2.015 |
| |
| # The ##{ NAME / ##} NAME pairs look like rule-build markers - TODO confirm. |
| # HS_BOBAX_MID_1: Message-Id of the form <ddddDddd.dddddd.ddddd@AAAA>, where |
| # the part after @ is four upper-case letters with no dot. Anchored at the |
| # start only. The describe text marks the Bobax attribution as tentative. |
| # NOTE(review): no score line for this rule is visible in this section. |
| ##{ HS_BOBAX_MID_1 |
| header HS_BOBAX_MID_1 Message-Id =~ /^<\d{4}D\d{3}\.\d{6}\.\d{5}\@[A-Z]{4}>/ |
| describe HS_BOBAX_MID_1 Bobax? Message-Id: <0000D000.000000.00000@AAAA> |
| ##} HS_BOBAX_MID_1 |
| |
| # HS_BOBAX_MID_2: Message-Id with the fixed tokens "IX" and "EJXVWDA" between |
| # digit groups, followed by @ and a lower-case two-label host (name.tld). |
| # Anchored at the start only. The describe text marks the Bobax attribution |
| # as tentative. |
| # NOTE(review): no score line for this rule is visible in this section. |
| ##{ HS_BOBAX_MID_2 |
| header HS_BOBAX_MID_2 Message-Id =~ /^<\dIX\d{3}EJXVWDA\d{3}\@[a-z\-]+\.[a-z]+>/ |
| describe HS_BOBAX_MID_2 Bobax? Message-Id: <0IX000EJXVWDA000@example.com> |
| ##} HS_BOBAX_MID_2 |
| |
| # HS_OUTLOOK_MID_NOBRK: Message-ID with no angle brackets: 12-13 lower-case |
| # hex digits, two "$" + 8-hex groups, then @ and an alphanumeric host with |
| # no dot. Anchored at both ends, so a bracketed ID cannot match. |
| # NOTE(review): no score line for this rule is visible in this section. |
| ##{ HS_OUTLOOK_MID_NOBRK |
| header HS_OUTLOOK_MID_NOBRK Message-ID =~ /^[a-f0-9]{12,13}(?:\$[a-f0-9]{8}){2}\@[A-Za-z0-9]+$/ |
| describe HS_OUTLOOK_MID_NOBRK Outlook-esque message ID with no brackets. |
| ##} HS_OUTLOOK_MID_NOBRK |
| |
| # JM_REACTOR_MAILER: all four header fingerprints below must hit together. |
| # NOTE(review): no score line for this rule is visible in this section. |
| ##{ JM_REACTOR_MAILER |
| meta JM_REACTOR_MAILER (__JM_REACTOR_MID && __JM_REACTOR_DATE && __JM_REACTOR_XM2900 && __JM_REACTOR_XMOLE) |
| describe JM_REACTOR_MAILER Header patterns indicative of "Reactor Mailer" ratware |
| ##} JM_REACTOR_MAILER |
| # Date header ends in a " +0000" zone offset. |
| header __JM_REACTOR_DATE Date =~ / \+0000$/ |
| # Message-ID starts with "<000" and has a dot-less lower-case host part. |
| header __JM_REACTOR_MID Message-ID =~ /^<000\S+\@[a-z0-9]+>$/ |
| # Exact X-Mailer and X-MimeOLE strings. The two build numbers differ |
| # (3138 vs 3198); presumably that pairing is part of the fingerprint. |
| # NOTE(review): the dots in both version patterns are unescaped, so each |
| # matches any character; "\." would pin them to literal dots. |
| header __JM_REACTOR_XM2900 X-Mailer =~ /^Microsoft Outlook Express 6.00.2900.3138$/ |
| header __JM_REACTOR_XMOLE X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2900.3198$/ |
| |