# ---------------------------------------------------------------------------
# The good rules! These all had good freqs last time I checked. Keeping them
# here in this file anyway (a) to preserve SVN history and (b) since the rules
# compiler will take care of the hard work of copying them around for me, while
# they're still working well.
# Message-ID of exactly 14 digits, a dot, 10 uppercase hex chars, then "@"
# and a host part made only of uppercase letters/digits (no dots allowed).
header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
## score MID_DEGREES 3
# from Clifton
# Been seeing broken message IDs for a long time, e.g. Message-Id<KKdj[20
# usually/always? associated with an empty message. Suspect broken spamware.
# Optional leading "<", a run of non-bracket/non-space chars, then "[" and
# digits at end of header -- i.e. the ID was cut off right after "[" + digits.
header TT_MSGID_TRUNC Message-Id =~ /^\s*<?[^<>\s]+\[\d+$/
describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits
# testing for Dave Funk (mail of 11/16); compare with AXB_FAKETZ, GMD_FAKETZ.
# pretty good; fewer FPs than AXB_FAKETZ; same FP level as GMD_FAKETZ but
# 0.01% fewer hits, so that's still better
# Looks at the trailing "+hhmm"/"-hhmm" zone offset of Date: the negative
# lookahead rejects offsets ending in 245/345/545/845, and the first minute
# digit must not be 0 or 3, so the usual :00/:30/:45 offsets never match --
# presumably only implausible ("fake") time zones get through.
header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/
## score L_SPAM_TOOL_13 3.0
# Received line naming "(Qmailv1)" as the receiving MTA; presumably a forged
# ratware Received header rather than a real qmail banner.
header JM_RCVD_QMAILV1 Received =~ /by \S+ \(Qmailv1\) with ESMTP/
# ---------------------------------------------------------------------------
# Informational rules
# define an informational rule, which detects when a message has become
# corrupt with a header prepended before the From line:
#
# Header: blah
# From address@example.com Mon Jun 19 14:15:23 2006
# Header2: blah
# Body begins with an mbox-style "From " separator (sender, weekday, month,
# day, hh:mm:ss, year) followed by something header-shaped ("Name: ") --
# i.e. the real header block has ended up in the body.
body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s
# MISSING_HEADERS, MISSING_DATE and NO_RELAYS are not defined in this file;
# all four conditions must hold, so this only fires when the message has
# effectively lost its entire header block.
meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS)
describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers
# informational rules don't have to hit spam
# near-zero score: this is a diagnostic, not a spam indicator
tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish
score CORRUPT_FROM_LINE_IN_HDRS 0.001
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# more general, hits massive amounts of GIF spam
# Content-ID shaped <12hex$8hex$8hex@host> (lowercase hex only); the host
# part may contain neither whitespace nor dots.
mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/
# any MIME part declared as a GIF, JPEG or PNG image. Reused by several meta
# rules further down this file, some of them outside any ifplugin block.
mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /image\/(?:gif|jpeg|png)/
# "any Content-Location at all" / "Content-Disposition mentions filename";
# both are used negated below, so the hit requires neither to be present.
mimeheader __PART_STOCK_CL Content-Location =~ /./
mimeheader __PART_STOCK_CD_F Content-Disposition =~ /filename/
meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F)
describe PART_CID_STOCK Has a spammy image attachment (by Content-ID)
## score PART_CID_STOCK 2.0
# more specific, 0 ham hits
# tighter variant: the ID must start with "00" and the host part is letters only
mimeheader __PART_CID_STOCK_LESS Content-ID =~ /^<00[a-f0-9]{10}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[A-Za-z]+>$/
meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS)
describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific)
## score PART_CID_STOCK_LESS 2.0
endif # Mail::SpamAssassin::Plugin::MIMEHeader
# catches "by jmason.org with esmtp (;4OZ*/H/)>7. 4.2-+*)" gibberish
# two runs (6+ and 3+ chars) with no lowercase letters or spaces, sitting
# where a real MTA puts its name/version in parentheses
header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/
describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
## score RCVD_FORGED_WROTE 2.8
# NOTE(review): the dots in these version strings are unescaped (regex
# "any character"), which slightly widens the match beyond the literal
# build string; the anchors keep the overmatch small. Compare the escaped
# form used for __MAILER_OL_6626 / __MOLE_2962 below.
header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/
header __MAILER_OL_5510 X-Mailer =~ /^Microsoft Office Outlook, Build 11.0.5510$/
# both MUA fingerprint headers present together
meta DRUGS_STOCK_MIMEOLE (__MIMEOLE_1106 && __MAILER_OL_5510)
describe DRUGS_STOCK_MIMEOLE Stock-spam forged headers found (5510)
## score DRUGS_STOCK_MIMEOLE 2.0
# Suresh: 'Finding "mail.com", "post.com" etc in a received header is ALWAYS bogus'
# case-insensitive; "post.com"/"mail.com" must be delimited on both sides by
# whitespace, parentheses or brackets, so e.g. "hotmail.com" does not match
header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is
describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com)
## score RCVD_MAIL_COM 3.0
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# raw header (folding preserved): "image/gif;" then a newline and exactly
# eight spaces before name="..." -- a folding style specific to one spam
# template. Compare __CTYPE_ONETAB_GIF (single-tab variant) further down.
mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s
describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc)
## score CTYPE_8SPACE_GIF 2.0
endif
# HELO name containing no dot (a bare, unqualified hostname); anchored at
# the start, so it must appear within the first bracketed relay entry of
# the X-Spam-Relays-External pseudo-header
header __HELO_NO_DOMAIN X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ /
# NOTE(review): these metas use __ANY_IMAGE_ATTACH and __PART_STOCK_CID,
# which are defined inside an ifplugin MIMEHeader block above, plus
# __ENV_AND_HDR_FROM_MATCH, __TVD_FW_GRAPHIC_ID1, __HTML_IMG_ONLY and
# __HTML_LENGTH_1536_2048 from elsewhere in the ruleset. They are
# unconditional here, so they depend on that plugin being loaded.
meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)
describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line
meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY)
describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML
# any Microsoft MUA/CRM X-Mailer string (MSCRM, CDO, Outlook, Office Outlook)
header __XM_MS_IN_GENERAL X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/
meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048)
describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features
# Spammy X-Mailer version strings; no longer seen in ham, due to MS'
# auto-updates, but still appearing in plenty of spam template text
# (anchored exact build strings; the dots are unescaped and so match any
# character, a slightly wider match than the literal string)
header __XM_OL_28001441 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/
header __XM_OL_48072300 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/
header __XM_OL_28004682 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/
header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/
header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/
# any one of the five build strings above
meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4)
describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham
meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)
describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
# backported to here
# ---------------------------------------------------------------------------
# RDNS_DYNAMIC and HTML_MESSAGE are not defined in this file;
# __HELO_NO_DOMAIN and __ANY_IMAGE_ATTACH are defined above.
meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS
meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE)
describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image
# exact header order From/To/Subject/Date/MIME-Version/Content-Type/
# X-Priority/X-MSMail-Priority/X-Mailer/X-MimeOLE, each header bounded in
# length, matched across the whole header block (ALL)
header __HDR_ORDER_FTSDMCXXXX ALL =~ /\nFrom: .{1,80}?\nTo: .{1,80}?\nSubject: .{1,200}?\nDate: .{1,40}?\nMIME-Version: .{1,40}?\nContent-Type: .{1,120}?\nX-Priority: .{1,40}?\nX-MSMail-Priority: .{1,40}?\nX-Mailer: .{1,80}?\nX-MimeOLE:/s
# Message-ID beginning "<000001c" (presumably an Outlook-style hex prefix)
header __MID_START_001C Message-ID =~ /^<000001c/
# __BAT_BOUNDARY is not defined in this file
meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY)
describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant)
meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C)
describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant)
# "Tora" spam
# dots (and, in __MOLE_2962, spaces) are escaped here: exact literal match
header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/
header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/
# To: is a single bare address with no display name or angle brackets
header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/
meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
# HELO as localhost. we should really be rejecting this at MTA, but hey.
# it seems most of us let these slip through our MTA configs; 3% of spam, no FPs
# HELO claims to be "localhost", "pc"/"oem...", or "friend"; case-insensitive,
# and anchored to the first bracketed relay entry like __HELO_NO_DOMAIN
header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i
header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i
# MIME boundary of the form "=====================_<digits>==.REL"
header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s
# both lottery-scam phrases must appear in the body
body __DBLCLAIM /avoid double claiming/
body __CASHPRZ /cash prize of/
meta LOTTERY_1 (__DBLCLAIM && __CASHPRZ)
# ---------------------------------------------------------------------------
# Testing bit
# quite a few FPs for this one:
# 9.1138 39580 of 434286 messages 0.0842 84 of 99747 messages
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# like CTYPE_8SPACE_GIF above, but the folded continuation line is indented
# with a single tab instead of eight spaces (raw header, folding preserved)
mimeheader __CTYPE_ONETAB_GIF Content-Type:raw =~ /^image\/gif;\n\tname=\".+?\"$/s
# mimeheader __CONT_LOC_GIF Content-Location =~ /\.gif$/
# meta __CTYPE_ONETAB_GIF2 (__CTYPE_ONETAB_GIF && !__CONT_LOC_GIF)
endif
# NOTE(review): __CTYPE_ONETAB_GIF and __ANY_IMAGE_ATTACH are only defined
# when the MIMEHeader plugin is loaded, but this meta sits outside the
# ifplugin block; __ENV_AND_HDR_FROM_MATCH and __HTML_IMG_ONLY are not
# defined in this file.
meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY)
describe STOCK_IMG_CTYPE Stock spam image part, with distinctive Content-Type header
# this is a trick from Spambouncer -- thx Catherine!
# GIF attached, but the message carries no URI and no e-mail address at all:
# nothing for the recipient to click or reply to, so the image itself is the
# payload. __GIF_ATTACH is not defined in this file.
uri __HAS_ANY_URI /./
body __HAS_ANY_EMAIL /\w@\S+\.\w/
meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL)
# "(0)" never fires; presumably kept so the rule name stays defined
meta CTYPE_001C_A (0) # obsolete
# Outlook-Express-style NextPart boundary, "01C" + 5 hex, ".", 7 hex and a
# trailing "0", within 200 chars of "multipart"
header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
# case-sensitive match on the header *name* in the raw header block (ALL):
# "Message-Id:" with a lowercase "d". The rule name suggests genuine Outlook
# Express writes "Message-ID:", so this spelling plus an OE X-Mailer (and not
# the __MIMEOLE_1106 build) points at a template -- confirm against samples.
header __MSOE_MID_WRONG_CASE ALL =~ /\nMessage-Id: /
header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/
meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)
# text/plain Content-Type carrying "reply-type=original"; reused negated by
# STOX_REPLY_TYPE_WITHOUT_QUOTES further down
header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/
body CURR_PRICE /\bCurrent Price:/
meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE
# bug 5224: basic OE multipart/related check. see what the overlaps
# are like
# __OE_MUA is not defined in this file
header __MULTIPART_RELATED Content-Type =~ /multipart\/related/
meta OE_MULTIPART_RELATED (__OE_MUA && __MULTIPART_RELATED)
tflags OE_MULTIPART_RELATED nopublish
# more trials of bad HELO strings
# HELO "localhost.localdomain", or any name ending ".home"/".lan" (internal
# names leaking out through an external relay); case-insensitive
header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i
header HELO_LH_HOME X-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
# requested experiment: PBL hitrates on URIs
# reasonably useful:
# 0.00000 4.9436 0.1641 0.968 0.82 0.00 T_URIBL_PBL
# however this is NOT a good idea, since the stated aim of PBL and the
# criteria used for listing are NOT incompatible with running http servers.
# Disabled.
#
## ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
## uridnsbl URIBL_PBL pbl.spamhaus.org. TXT
## body URIBL_PBL eval:check_uridnsbl('URIBL_PBL')
## describe URIBL_PBL Contains an URL listed in the PBL blocklist
## tflags URIBL_PBL net nopublish
## endif
# interesting template, thanks Jeff
# private-address "from" followed by a "(203-219-" rDNS-style name.
# NOTE(review): the dots in "192.168.0." are unescaped and match any
# character, so e.g. "192x168x0x1" also hits; "\." would pin it to the
# literal address prefix.
header TEMPLATE_203_RCVD Received =~ /from 192.168.0.\d+ \(203-219-/
# Pointless - obsolete - slow - AXB-2012-01-11
#full AB_TEST_PDF4 /JVBERi0xLjMKJeLjz9MKMiAwIG9iago8PAovQ3JlYXR/
# good Message-ID pattern for recent stock spam
# (despite the comment above this matches the raw Content-Type: a folded
# boundary line of "------------" followed by twelve "0<digit>" pairs)
header STOX_BOUND_090909_B Content-Type:raw =~ /;\n boundary=\"------------0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]\"$/s
# NOTE(review): dots in "1.5.0.12" are unescaped (match any character)
header STOX_UA User-Agent =~ /^Thunderbird 1.5.0.12 \(Windows\/20070509\)/
# EMPTY_MESSAGE is not defined in this file
meta STOX_META_5 (STOX_BOUND_090909_B && EMPTY_MESSAGE)
# greeting-card "pick up" wording, minus the phrase a legitimate card
# service uses so its genuine notifications are excluded
body __CARD_DIRECT_WWW_ADDRESS /card's direct www address below while you are connected to the Internet/
body __LEGIT_MARLO_CARD /At our Card Pick Up site, enter BOTH the Directory/
meta CARD_DIRECT_WWW_ADDRESS (__CARD_DIRECT_WWW_ADDRESS && !__LEGIT_MARLO_CARD)
# thanks to Martin Lee for this tip
# international prefix ("+", "00" or "011"), country code 44, optional
# trunk "0", then "70", with up to three non-word chars between groups;
# only scored when combined with lottery/winner wording
body __AFF_004470_NUMBER /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/
body __AFF_LOTTERY /(?:lottery|winner)/i
meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY)
# Jo Rhett wants this tested
# the __TVD_* sub-rules are not defined in this file
meta TVD_PDF_FINGER01_JO (__TVD_MIME_CT_MM && __TVD_MIME_ATT && !__TVD_BODY)
# Received: from [84.255.156.27] by northpro.net.amerion.mail5.psmtp.com; Thu, 34 Sep 2007 10:00:46 +0300
# Received: from [189.191.12.17] by aon.co.uk.s7a1.psmtp.com; Fri, 5 Oct 2007 05:30:09 +0100
# (I expect they'll notice "34 Sep" and fix that soon ;)
# start of a Received line (/m): bare bracketed IPv4, "by" a multi-label
# host under psmtp.com, then "; " -- exactly the template quoted above
header JM_FAKE_PSMTP_RCVD Received =~ /^from \[\d+\.\d+\.\d+\.\d+\] by \S+\.\S+\.psmtp\.com; /m
# use of the "I Feel Lucky" button in Google, thanks LR
# "btnI=ec" query parameter, preceded by "&" or "?" and followed by end or "&"
uri JM_I_FEEL_LUCKY /(?:\&|\?)btnI=ec(?:$|\&)/
tflags JM_I_FEEL_LUCKY publish # low hitrate, but always a good sign
# some auto-discovered header rules
# "+0800 (GMT)" -- the numeric offset and the zone name contradict each other
header JM_0800_GMT Received =~ / \+0800 \(GMT\)$/
# a "(GMT)" date immediately followed by a Received line "by" a private
# 192.168.x address
header JM_GMT_RCVD ALL =~ /0 \(GMT\)\nReceived: by 192\.168\./s
# NOTE(review): dot in "4.62" unescaped (matches any character)
header JM_EXIM_462 Received =~ /with smtp \(Exim 4.62 \(FreeBSD\)\)/
body JM_REMOVE_FROM_URL /\.com\/ \(remove \"\S+\" from /i
body JM_NICE_GIRL /I am nice girl that would like to chat with you\. /
# http://dvlabs.tippingpoint.com/blog/2007/10/26/stopgap-detection-for-the-gozi-pdf-dropper
# base64 fragment matched over the raw message (full); it decodes to
# "mailto:%/../../../../../../", the traversal-looking mailto URI the
# write-up above describes in the dropper PDF
full DVLABS_GOZI_PDF /bWFpbHRvOiUvLi4vLi4vLi4vLi4vLi4vLi4v/
# Subject starts "Re:"/"Fw:" (case-insensitive) / raw body has a "> " quoted line
header __HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/
rawbody __HS_QUOTE /^> /
# Outlook "reply-type=original" Content-Type, yet no sign of an actual reply
meta STOX_REPLY_TYPE_WITHOUT_QUOTES (STOX_REPLY_TYPE && !(__HS_SUBJ_RE_FW || __HS_QUOTE))
# raw HTML: inline image referenced as cid:part1.<digit>, and the uppercase
# IMG/hspace=0/align=baseline variant
rawbody IMG_CID_PART1 /<img alt=\"\S*\" src=\"cid:part1\.\d/
rawbody IMG_ALT_HSPACE_CID_ALIGN /<IMG alt="\S*" hspace=0 src=.cid:\S+ align=baseline/
# Joe Stewart at Secureworks identified this pattern last year, in
# http://www.secureworks.com/research/threats/ronpaul/?threat=ronpaul ;
# surprisingly, it still seems to catch Reactor Mailer/Trojan.Srizbi output. We
# catch almost all this output with high scores anyway, esp from network tests,
# but no harm to add a set0 rule too.
#
# - The initial "Received" header is always of the format "from [bot ip] by
# [nameserver of alleged sender domain]" (this seems to be obsolete)
#
# - The Message-ID always begins with three zeros and ends with a random string
# of lowercase letters (now includes numbers)
#
# "<000", any non-space run, "@", then lowercase letters/digits only (no dots)
header __JM_REACTOR_MID Message-ID =~ /^<000\S+\@[a-z0-9]+>$/
#
# - The dates in the headers are always shown in GMT time, regardless of the
# local time zone of the bot
#
# "+0000" alone is common in legitimate mail, so this is only a sub-rule
header __JM_REACTOR_DATE Date =~ / \+0000$/
#
# - The X-Mailer is always Microsoft Outlook Express 6.00.3790.2663 (this doesn't
# seem to be the case anymore, now 2900.3138)
#
header __JM_REACTOR_XM2900 X-Mailer =~ /^Microsoft Outlook Express 6.00.2900.3138$/
#
# - The X-MimeOLE version is always Microsoft MimeOLE V6.00.3790.2757 (ditto)
#
header __JM_REACTOR_XMOLE X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2900.3198$/
#
# all four fingerprint sub-rules must hit together
meta JM_REACTOR_MAILER (__JM_REACTOR_MID && __JM_REACTOR_DATE && __JM_REACTOR_XM2900 && __JM_REACTOR_XMOLE)
describe JM_REACTOR_MAILER Header patterns indicative of "Reactor Mailer" ratware
# spotted in the SOUGHT rules
# body MSHTML_6_00_2900_3199_A /> <META content=3D\"MSHTML 6\.00\.2900\.3199\" name=3DGENERATOR> /
# body MSHTML_6_00_2900_3199_B /> <META content=3D\"MSHTML 6\.00\.2900\.3199\" name=3DGENERATOR> /
# body MSHTML_6_00_2900_3199_C /<META content=3?D?\"MSHTML 6\.00\.2900\.3199\" name=3?D?GENERATOR>/
# quick tip from Peter Gervai on the users list:
# 'Just got a report about a false negative, which was caught by
# ACommercialSpamFilter by using a rule which had high "points" given to the
# mail because it has contained a reply-to but neither To nor Cc.'
# "exists:" tests header presence only, not its value;
# __TOCC_EXISTS is not defined in this file
header __REPLYTO_EXISTS exists:Reply-To
meta REPLYTO_WITHOUT_TO_CC (__REPLYTO_EXISTS && !__TOCC_EXISTS)
# thanks to Suresh for these tips
# header FAKE_OUTBLAZE_RCVD_168 X-Spam-Relays-External =~ /^[^\]]+168city\./
# header FAKE_OUTBLAZE_RCVD_PURIN X-Spam-Relays-External =~ /^[^\]]+purinmail\./
# header FAKE_OUTBLAZE_RCVD_168_2 X-Spam-Relays-External =~ /168city\./
# header FAKE_OUTBLAZE_RCVD_PURIN_2 X-Spam-Relays-External =~ /purinmail\./
# some rules from the MSNBC spam run (Rustock trojan)
# all-lowercase "thread-index:" header name in the raw header block, unless
# X-MimeOLE says Exchange produced the message (presumably the genuine
# Exchange header is capitalised -- confirm against samples)
header __MSNBC_THREAD_INDEX ALL =~ /\nthread-index: /s
header __MSNBC_NOT_EXCH X-MimeOLE =~ /^Produced By Microsoft Exchange/
meta MSNBC_THREAD_INDEX (__MSNBC_THREAD_INDEX && !__MSNBC_NOT_EXCH)
# exact fixed header sequence from the template, including the MimeOLE
# 6.00.3790.3119 build string (dots unescaped)
header MSNBC_HDR_ORDER ALL =~ /\nContent-Transfer-Encoding: 7bit\nX-Mailer: Microsoft CDO for Windows 2000\nContent-Class: urn:content-classes:message\nImportance: normal\nPriority: normal\nX-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3119\n/s
# a "messageGUID" header present at all
header MSNBC_MESSAGEGUID exists:messageGUID
body JM_HOODIA /Hoodia has been showned on/
# "BBC news headlines" botnet uses this broken template
# unexpanded template placeholders "{nChar[8-12]} {nChar[4-6]}" left in the
# Received line where the MTA name/version should be
header BBC_RCVD_NCHAR_RAW Received =~ / with (?:esmtp|ESMTP) \(\{nChar\[8-12\]} \{nChar\[4-6\]}\)/
# thanks to Ray for this tip
# HELO literally "DM" (case-sensitive); unlike the HELO_* rules above this is
# not anchored, so it matches in any relay entry, not just the first
header RATWARE_HELO_DM X-Spam-Relays-External =~ / helo=DM /
describe RATWARE_HELO_DM External host used 'DM' as the HELO name, DarkMailer signature
# thanks to Phil Randal on the users list for this tip
# __THEBAT_MUA is not defined in this file
rawbody __PR_TD_NOWRAP /<td nowrap>/
meta PR_TD_NOWRAP_BAT (__THEBAT_MUA && __PR_TD_NOWRAP)
body LOLLY_419 /\bLolly Stevens\b/
describe LOLLY_419 Your name is "Lolly"? _sure_ it is
# literal "$DIKSBJ" template variable left unexpanded at the start of Subject
header DUH_DIKSBJ Subject =~ /^\$DIKSBJ/
describe DUH_DIKSBJ Idiot spammer screwed up his templates (DIK variant)
# a test rule for Jeff
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
# any of the five SURBL sub-lists; the URIBL_*_SURBL rules themselves are not
# defined in this file. Flagged "net" since it depends on DNS lookups.
meta URIBL_META_SURBL_ANY (URIBL_AB_SURBL || URIBL_JP_SURBL || URIBL_PH_SURBL || URIBL_SC_SURBL || URIBL_WS_SURBL)
tflags URIBL_META_SURBL_ANY net nopublish
endif
# NOTE(review): "[^\/]+\.cn" is not tied to the host part of the URI, so any
# path segment ending in ".cn" (followed by end, "/" or "?") also hits;
# case-insensitive. Nominal 0.01 score, effectively informational.
uri T_CN_URL /[^\/]+\.cn(?:$|\/|\?)/i
describe T_CN_URL Contains a URL in the .cn domain
score T_CN_URL 0.01