| # Rules that have tested OK in mass-checks |
| # and can be considered for promotion. |
| |
| # DISABLED - VERY, VERY PRONE TO FPs |
| #body FSL_MY_NAME_IS /\bmy name is\b/i |
| #describe FSL_MY_NAME_IS My name is ... |
| |
| # Performing well in masschecks 10/2018, lots of hits on low-scoring spam |
| # do some FP avoidance to improve it |
| # exclude very short messages, checksum may be bogus (e.g. on just "Sent from my Apple iPhone" in an attachments-only message) |
| header __FSL_HAS_LIST_UNSUB exists:List-Unsubscribe |
| meta FSL_BULK_SIG (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__USING_VERP1 && !__KAM_BODY_LENGTH_LT_128 && !__RCVD_IN_DNSWL |
| describe FSL_BULK_SIG Bulk signature with no Unsubscribe |
| score FSL_BULK_SIG 2.500 # limit |
| tflags FSL_BULK_SIG net publish |
| |
| uri FSL_LINK_AWS_S3_WEB /http:\/\/[^. ]+\.s3-website-[^. ]+\.amazonaws\.com/i |
| describe FSL_LINK_AWS_S3_WEB Contains a link to Amazon S3 website |
| |
| meta FSL_LINK_AWS_S3_WEB_FM (FREEMAIL_FROM && FSL_LINK_AWS_S3_WEB) |
| describe FSL_LINK_AWS_S3_WEB_FM Contains a link to Amazon S3 website and from a Freemail address |
| |
| header FSL_PHP_EXPLOIT_41 X-PHP-Script =~ / 41\.\d+\.\d+\.\d+\b/ |
| describe FSL_PHP_EXPLOIT_41 PHP Script being run by someone in Africa |
| |
