# *******************************************************************
# Personnal rules. Do whatever you want with them...
# by Maxime Ritter : airmax AT netlibre DOT info
#
# $Id: airmax.cf,v 1.65 2006/07/13 09:55:35 airmax Exp airmax $
#
# Some of them are rejected rules from the SA distribution, some were
# written by other people, some are mine, etc...
# Some might even be found in the SA distribution (I will clean them...
# when I have time). Some may give you bad results also...
#
# Use with care, and try to understand them.
# *******************************************************************
#
# NOTE(review): this is a SpamAssassin local rule file. Every pattern below
# runs against attacker-supplied mail (headers, body, raw body, full message),
# so two things matter besides hit rate: a pattern's worst-case cost on a
# large message, and which rules carry negative scores (anything that lowers
# the score on a header the sender controls is a bypass). Several patterns in
# this copy look truncated (HTML-looking text stripped on extraction); those
# are flagged inline and should be checked against the original airmax.cf.

# Fake X-authentification Warning (spams which weren't detected at my school)
# Fires when the header is present but does not look like one sendmail writes.
header __XAUTH exists:X-Authentication-Warning
header __FAKE_XAUTH X-Authentication-Warning !~ /(set sender to .{5,80} using -f)|(owned process doing)|(claimed to be)/
meta FAKE_XAUTH (__FAKE_XAUTH && __XAUTH)
describe FAKE_XAUTH Using Fake X-Authentication-Warning header
lang fr describe FAKE_XAUTH L'en-tête X-Authentication-Warning est suspecte
score FAKE_XAUTH 0.5
# One might give a little bonus to XAUTH, since spammers avoid hosts
# which put those warnings... That's also what SA did before 2.60

# Ok, no XMAILERBOGUS in SA 3.0. But appeared in three different rules in SARE
header SARE_XMAIL_SUSP1 X-Mailer =~ /^[a-z][^A-Z0-9.]*$/
describe SARE_XMAIL_SUSP1 X-Mailer suggests spam (variant 1)
score SARE_XMAIL_SUSP1 1.274
# The space before "){2,8}" is part of the pattern (see the author's remark).
header SARE_XMAIL_SUSP2 X-Mailer =~ /^(?:[a-z]{4,20}[\-\.\,]? ){2,8}/ # no /i, trailing space
describe SARE_XMAIL_SUSP2 X-Mailer suggests spam (variant 2)
score SARE_XMAIL_SUSP2 1.666
header SARE_XMAIL_SUSP3 X-Mailer=~ /^(?:[a-z\-]+\s+[a-z\-]+(?:,\s+[a-z\-]+)?|[a-z\-]+ \d\.\d)$/
describe SARE_XMAIL_SUSP3 Contains a suspicious X-Mailer header
score SARE_XMAIL_SUSP3 1.666
meta __XMAILERBOGUS (SARE_XMAIL_SUSP3 ||SARE_XMAIL_SUSP2 || SARE_XMAIL_SUSP1 )

# Fucking In-Reply-To
# In-Reply-To present but not shaped like a <...@...> message id.
# __EXIST_REFERENCES is defined here but not referenced in this part of the file.
header __EXIST_REPLYTO exists:In-Reply-To
header __EXIST_REFERENCES exists:References
header __REPLYTO_BOGUS In-Reply-To !~ /<.*\@.*>/
meta REPLYTO_BOGUS (__EXIST_REPLYTO && __REPLYTO_BOGUS )
describe REPLYTO_BOGUS In-Reply-To header seems not to be valid
lang fr describe REPLYTO_BOGUS Le champ In-Reply-To ne semble pas valide.
# No score line here: SA applies its default score to REPLYTO_BOGUS.

# Detect IE urlspoof.
# From: Lucas Albers
# Date: Thursday 22 January 2004 23:42:00
# Groups: gmane.mail.spam.spamassassin.general
# "[1|0]" is a character class, so the "|" is a literal and "%0|@" also
# matches; "[01]" was probably meant. Harmless, left as-is.
uri IE_ADDRESS_SPOOF /^https?\:\/\/[^\/\s].*%0[1|0]@/
describe IE_ADDRESS_SPOOF Message contains IE address spoof
score IE_ADDRESS_SPOOF 1.5

# 1st Feb 2004 : Bug 2992
# These messages have a header:
# Received: from [numeric_ip] by numeric_ip with HTTP; ...
header L_SPAMMY_RCVD Received =~ /from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} with HTTP;/
describe L_SPAMMY_RCVD Received header has Ratware traces
score L_SPAMMY_RCVD 1.0

# Now part of SA 3.0.0
header MIME_BOUND_DIGITS_15 Content-Type =~ /boundary=\"\d{15,}\"/
describe MIME_BOUND_DIGITS_15 MIME boundary contains all digits
score MIME_BOUND_DIGITS_15 3.3

header L_MSGID_SPAM1 Message-Id =~ /<[A-Z]{7}-000[0-9]{10}\@[a-z]*>/
describe L_MSGID_SPAM1 Message-ID has known spammer pattern
score L_MSGID_SPAM1 1.0

# NOTE(review): as written this matches the bare word "Message" anywhere in the
# raw body, which is far broader than the describe text suggests. The TITLE tag
# around it has probably been stripped from this copy — confirm against the
# original file before enabling.
rawbody L_TITLE_MESSAGE m{Message}
describe L_TITLE_MESSAGE Mail has an HMTL TITLE tag of "Message"
score L_TITLE_MESSAGE 1.0

# NOTE(review): the pattern body is missing in this copy (only the m{ } delimiters
# survive), so this rule cannot load as-is — restore it from the original file.
rawbody L_CONVERTED m{}
describe L_CONVERTED Converted from text/plain
score L_CONVERTED 1.0

# Mailing-list traffic (List-Post header plus a quoted Message-ID in the body)
# is exempted from the "unpronounceable" rules below.
header __EXISTS_LISTPOST exists:List-Post
rawbody __IMPRONONCABLE_MSGID /\bMessage-ID:/i
meta __IMPRONONCABLE_IS_LIST ( __EXISTS_LISTPOST && __IMPRONONCABLE_MSGID )

# Something that looks like an MD5 hash.
# Note the class is [a-z0-9], not hex, so any 32-char lowercase token matches.
body MD5_CONTENT /\W([a-z0-9]){32}\W/
score MD5_CONTENT -0.1
describe MD5_CONTENT Contains MD5 hash.
# NOTE(review): "(^:)" is a start-of-string anchor placed after seven characters;
# without /m it can never match, so __IMPRONONCABLE_1, _MIDDLE and _LIGHT look
# unmatchable as written. The original pattern was probably different — check it.
body __IMPRONONCABLE_1 /[bcdfghjklmnpqrstvwxz]{7}(^:)/
meta IMPRONONCABLE_1 (__IMPRONONCABLE_1 && ! __IMPRONONCABLE_IS_LIST)
describe IMPRONONCABLE_1 Word with not enough vowels
score IMPRONONCABLE_1 1.8
body __IMPRONONCABLE_1_MIDDLE /\b[bcdfghjklmnpqrstvwxz]{6}(^:)/
meta IMPRONONCABLE_1_MIDDLE ( __IMPRONONCABLE_1_MIDDLE && ! __IMPRONONCABLE_1 )
describe IMPRONONCABLE_1_MIDDLE Word with not enough vowels
score IMPRONONCABLE_1_MIDDLE 1.35
body __IMPRONONCABLE_1_LIGHT /\b[bcdfghjklmnpqrstvwxz]{5}(^:)/
meta IMPRONONCABLE_1_LIGHT ( __IMPRONONCABLE_1_LIGHT && ! __IMPRONONCABLE_1_MIDDLE )
describe IMPRONONCABLE_1_LIGHT Word with not enough vowels (Light variant)
score IMPRONONCABLE_1_LIGHT 0.9
body __IMPRONONCABLE_2 /([a-z]{2,12}\d{1,5}){2}/
meta IMPRONONCABLE_2 ( __IMPRONONCABLE_2 && ! __IMPRONONCABLE_IS_LIST && !MD5_CONTENT )
describe IMPRONONCABLE_2 Too much mixed numbers and lower-case letters
score IMPRONONCABLE_2 1.5
# NOTE(review): any text matching the {3} pattern also matches the {2} pattern
# above, so "__IMPRONONCABLE_2_LIGHT && ! __IMPRONONCABLE_2" can never be true and
# IMPRONONCABLE_2_LIGHT never fires. The thresholds look swapped.
body __IMPRONONCABLE_2_LIGHT /([a-z]{2,12}\d{1,5}){3}/
meta IMPRONONCABLE_2_LIGHT ( __IMPRONONCABLE_2_LIGHT && ! __IMPRONONCABLE_2 && !MD5_CONTENT)
describe IMPRONONCABLE_2_LIGHT Too much mixed numbers and lower-case letters
score IMPRONONCABLE_2_LIGHT 1.0
meta __IMPRO ( __IMPRONONCABLE_1_LIGHT || __IMPRONONCABLE_2_LIGHT )

# Others way to fake the bayesian filter
# Long runs of word-only tokens on one raw line.
rawbody ILLEGALSTR01 /^([a-z]{80,}, ){3,}[a-z]{80,}$/
describe ILLEGALSTR01 Illegal strings obfuscating bayesian filter ?
score ILLEGALSTR01 2.0
rawbody ILLEGALSTR02 /^([a-zA-Z0-9]{50,} +){3,}[a-zA-Z0-9]{20,}$/
describe ILLEGALSTR02 Illegal strings obfuscating bayesian filter ?
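score ILLEGALSTR02 2.0
# "full" runs over the whole raw message; {30,} repetitions of a 12-token group
# is fine on normal mail, but worth timing on very large bodies since each
# [a-z]+ is only bounded by the literal that follows it.
full ILLEGALSTR03 /([a-z]+ [a-z]+, [a-z]+, [a-z]+ \. [a-z]+ [a-z]+ [a-z]+, [a-z]+, [a-z]+ \. [a-z]+[\r\n]){30,}/
describe ILLEGALSTR03 Illegal strings obfuscating bayesian filter ?
score ILLEGALSTR03 2.0

# Same thing now applies to uri (and IMG tags, so rawbody)...
# hope scores aren't too high
# TODO: improve this bordel (of course)
# The character class is consonants (no vowels), despite the rule names and
# describe texts saying "vowels". Each tier excludes the tier above so the
# scores do not stack.
rawbody VOWEL_URI_7 m%https?://[^/\s]*[bcdfghjklmnpqrstvwxz]{7}%i
rawbody __VOWEL_URI_6 m%https?://[^/\s]*[bcdfghjklmnpqrstvwxz]{6}%i
meta VOWEL_URI_6 (__VOWEL_URI_6 && ! VOWEL_URI_7)
rawbody __VOWEL_URI_5 m%https?://[^/\s]*[bcdfghjklmnpqrstvwxz]{5}%i
meta VOWEL_URI_5 (__VOWEL_URI_5 && ! __VOWEL_URI_6)
score VOWEL_URI_7 3.0
score VOWEL_URI_6 2.0
score VOWEL_URI_5 1.0
describe VOWEL_URI_7 URI hostname with 7+ consecutive vowels
describe VOWEL_URI_6 URI hostname with 6 consecutive vowels
describe VOWEL_URI_5 URI hostname with 5 consecutive vowels
# No score lines for IMPRO_URI_2/3: SA applies its default score to each, and a
# {3} hit also satisfies {2}, so both fire together on the same hostname.
rawbody __IMPRO_URI_2 m%https?://[^/\s]*([a-z]{2,12}\d{1,5}){2}%i
meta IMPRO_URI_2 ( __IMPRO_URI_2 && !MD5_CONTENT )
rawbody __IMPRO_URI_3 m%https?://[^/\s]*([a-z]{2,12}\d{1,5}){3}%i
meta IMPRO_URI_3 ( __IMPRO_URI_3 && !MD5_CONTENT )

# And for From headers
# Unlike the URI rules these have no /i, so an upper-case run is not caught.
header VOWEL_FROM_7 From =~ /[bcdfghjklmnpqrstvwxz]{7}/
header __VOWEL_FROM_6 From =~ /[bcdfghjklmnpqrstvwxz]{6}/
meta VOWEL_FROM_6 ( __VOWEL_FROM_6 && ! VOWEL_FROM_7)
header __VOWEL_FROM_5 From =~ /[bcdfghjklmnpqrstvwxz]{5}/
meta VOWEL_FROM_5 ( __VOWEL_FROM_5 && ! __VOWEL_FROM_6)
score VOWEL_FROM_7 3.5
score VOWEL_FROM_6 1.5
score VOWEL_FROM_5 0.5
describe VOWEL_FROM_7 Impronouncable from header (7+ consecutive vowels)
describe VOWEL_FROM_6 Impronouncable from header (6 consecutive vowels)
# Fixed: the describe for the 5-run rule said "6".
describe VOWEL_FROM_5 Impronouncable from header (5 consecutive vowels)
# Same thing for To and CC headers (seens less often)
header VOWEL_TOCC_7 ToCc =~ /[bcdfghjklmnpqrstvwxz]{7}/
header __VOWEL_TOCC_6 ToCc =~ /[bcdfghjklmnpqrstvwxz]{6}/
meta VOWEL_TOCC_6 ( __VOWEL_TOCC_6 && ! VOWEL_TOCC_7)
header __VOWEL_TOCC_5 ToCc =~ /[bcdfghjklmnpqrstvwxz]{5}/
meta VOWEL_TOCC_5 ( __VOWEL_TOCC_5 && ! __VOWEL_TOCC_6)
score VOWEL_TOCC_7 3.5
score VOWEL_TOCC_6 1.5
score VOWEL_TOCC_5 0.5
describe VOWEL_TOCC_7 To or Cc header with 7+ consecutive vowels
describe VOWEL_TOCC_6 To or Cc header with 6 consecutive vowels
describe VOWEL_TOCC_5 To or Cc header with 5 consecutive vowels

####
# Some obfuscation
# No score line: default score applies.
body OBFUSCAT_ZERO /\b(p0rn|rem0ve|bel0w)\b/i
describe OBFUSCAT_ZERO Common obfuscation with a zero
lang fr describe OBFUSCAT_ZERO Cache des mots avec des zéros.

##########
# Apr 2004
# Base rule : yahoo changed theirs URL ?
# Ok, now part of SA 3.0
uri YAHOO_RD_REDIR m{^https?://rd\.yahoo\.com/}i

# Case-sensitive on purpose: catches "Text/HTML" rather than "text/html".
header UPPER_CASE_CONTENT Content-type =~ /Text\/HTML/
describe UPPER_CASE_CONTENT Content-type is written in uppercase
lang fr describe UPPER_CASE_CONTENT L'en-tête Content-type est écrit en majuscules

# FIXME: needs improvement
header X_IP exists:X-IP
score X_IP 0.5
# Thanks to Fred for confirmation. Now also uses his name for compatibility.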
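# http://www.rulesemporium.com/rules/88_FVGT_headers.cf
header FH_HAS_CS_IP exists:X-CS-IP
score FH_HAS_CS_IP 3.5
# And now, stupid values
# X-IP is a sender-written header; these catch values no real host would have.
header X_IP_ZERO X-IP =~ /\D0\.\d{1,3}\.\d{1,3}\.\d{1,3}/
score X_IP_ZERO 1.5
# Fixed: the first octet was written "d{1,3}" (literal letter d), so the rule
# could only match text like "d.1.2.0" and never a real address ending in .0/.255.
# There is still no trailing boundary, so "x.y.z.0" inside "x.y.z.01" also matches.
header X_IP_END X-IP =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.(0|255)/
score X_IP_END 1.0
# 224-255 first octet (multicast / reserved). No leading boundary.
header X_IP_MULTICAST X-IP =~ /2(2[4-9]|[345]\d)\.\d{1,3}\.\d{1,3}\.\d{1,3}/
score X_IP_MULTICAST 2.5
# Thanks again to Fred for confirmation
# Now part of SA 3.0
header X_MESSAGE_INFO exists:X-Message-Info
lang fr describe X_MESSAGE_INFO Possède une en-tête X-Message-Info
score X_MESSAGE_INFO 4.0

# Fucking spamware, which won't disturb us longer
# Fingerprint of one specific ratware seen at the author's site; the Received
# pattern pins a private address (10.2.202.25) that is site-specific and will
# need changing anywhere else. NO_REAL_NAME is not defined in this file.
header __NORTON X-Virus-Status =~ /Scanned by norton/
header __CDO_MAILER X-Mailer =~ /Microsoft CDO for Windows 2000/
header __THREAD_INDEX exists:Thread-Index
header __CONTENT_CLASS exists:Content-Class
meta __CONFIRM_CDO (__CDO_MAILER && __THREAD_INDEX && __CONTENT_CLASS)
header __RECEIVED_BOULET Received =~ /from ([A-Z]{2}\d{2}){2} \(\[10\.2\.202\.25\]\)/
meta BOULET_REPERE (__CONFIRM_CDO && __NORTON && X_MESSAGE_INFO && __RECEIVED_BOULET && NO_REAL_NAME)
score BOULET_REPERE 10.0
describe BOULET_REPERE Detected a fucking spamware
lang fr describe BOULET_REPERE Ca fait un moment que je l'ai capté ton spamware.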
# MIME-Version verbose
# A "(produced by ...)" comment in MIME-Version.
header VERBOSE_MIME_VERSION MIME-Version =~ /\(produced/
score VERBOSE_MIME_VERSION 1.5
describe VERBOSE_MIME_VERSION MIME-Version is too much verbose
lang fr describe VERBOSE_MIME_VERSION L'en-tête MIME-Version est trop bavarde
meta MESSAGE_BADMIME (VERBOSE_MIME_VERSION && X_MESSAGE_INFO)
score MESSAGE_BADMIME 1.5
describe MESSAGE_BADMIME VERBOSE_MIME_VERSION + X_MESSAGE_INFO

# Too much long words (could be improved, but already working well)
# None of these has a score line, so each gets SA's default, and they are not
# mutually exclusive (a 30-word run also fires 15_2, 20_3, ...), so they stack.
body MONOTONE_WORDS_15_2 /^([a-z]{2,20}[\s\.]+){15}/
describe MONOTONE_WORDS_15_2 Many lowercase words (15+ words, 2+ letters)
body MONOTONE_WORDS_30_2 /^([a-z]{2,20}[\s\.]+){30}/
describe MONOTONE_WORDS_30_2 Many lowercase words (30+ words, 2+ letters)
body MONOTONE_WORDS_20_3 /^([a-z]{3,20}[\s\.]+){20}/
describe MONOTONE_WORDS_20_3 Many lowercase words (20+ words, 3+ letters)
body MONOTONE_WORDS_8_5 /^([a-z]{5,20}[\s\.]+){8}/
describe MONOTONE_WORDS_8_5 Many lowercase words (8+ words, 5+ letters)
body MONOTONE_WORDS_12_5 /^([a-z]{5,20}[\s\.]+){12}/
describe MONOTONE_WORDS_12_5 Many lowercase words (12+ words, 5+ letters)
body MONOTONE_WORDS_20_5 /^([a-z]{5,20}[\s\.]+){20}/
describe MONOTONE_WORDS_20_5 Many lowercase words (20+ words, 5+ letters)
# also interested to bayesian poisonning are SARE_BAYES_* rules
# found in 70_sare_bayes_poison_nxm.cf

# Stupid thing
# Quoted string inside the <...> part of From. No score/describe: default score.
header FROM_INVALID From =~ /<[^>]*\"[^>]*\"[^>]*>/

# Space in a in id
header RECEIVED_SPACE_ID Received =~ /id <[^>]* [^>]*>/
score RECEIVED_SPACE_ID 2.0
describe RECEIVED_SPACE_ID Found a space in a id of a Received header
lang fr describe RECEIVED_SPACE_ID Il y a un espace dans un id d'une en-tête Received
meta SPACE_ID_MESSAGE (RECEIVED_SPACE_ID && X_MESSAGE_INFO)
score SPACE_ID_MESSAGE 1.5

# New spamming user-agent
# MIPOP_AGENT has no score line (default score).
header MIPOP_AGENT X-Mailer =~ /miPOP Web[mM]ail/
header RECEIVED_CROCHET Received =~ /by [a-z]{5,12} \([a-z]{5,12} SMTP Server\) with SMTP id [A-Z]+(\-\d{4})?\[\d/
score RECEIVED_CROCHET 2.0
meta MIPOP_RECEIVED ( RECEIVED_CROCHET && MIPOP_AGENT )
score MIPOP_RECEIVED 1.5
header __UNDISCLOSED To =~ /undisclosed-recipients/
# NO_REAL_NAME is not defined in this file.
meta UNDISCLOSED_RECEIVED ( __UNDISCLOSED && RECEIVED_CROCHET && NO_REAL_NAME)
score UNDISCLOSED_RECEIVED 3.0
# RECEIVED_CROCHET + UNDISCLOSED_RECEIVED + NO_REAL_NAME = 5.2

# Received from a multicast IP !
# First octet 224-259 as written (256-259 cannot occur, harmless). No boundary
# before the "2", so it also matches inside a longer digit run.
header RECEIVED_MULTICAST Received =~ /2(2[4-9]|[345]\d)\.\d{1,3}\.\d{1,3}\.\d{1,3}/
score RECEIVED_MULTICAST 3.0
describe RECEIVED_MULTICAST A multicast IP adress appears in Received header
lang fr describe RECEIVED_MULTICAST Une adresse IP multicast apparait dans un en-tête Received

# Spammers should read this document before using fake headers
# http://www.iana.org/assignments/ipv4-address-space
# NOTE(review): this first-octet list is a snapshot of the IANA unallocated /8s
# at the time the file was written. IANA's free pool was exhausted in 2011, so
# nearly all of these blocks are now in ordinary use; only the 224-255 tail is
# still correct. Left at 0.2 as the author did, but do not raise it.
header MR_NOT_ATTRIBUTED_IP ALL =~ /[^\w\/](0|1|2|5|7|23|27|36|37|39|41|42|7[3-9]|89|9\d|1[01]\d|12[0-6]|17[3-9]|18[0-79]|190|197|198|223|2(2[4-9]|[345]\d))\.\d{1,3}\.\d{1,3}\.\d{1,3}\W/
describe MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in headers
score MR_NOT_ATTRIBUTED_IP 0.2

# Thanks again to Fred (improved version for buggish ratware; lower score)
## Received: from 80.156.168.175 by 80.46.170.77; Sun, 28 Mar 2004 01:00:01 +0400
# "%CURRENT_DATE_TIME" is matched literally: an unexpanded ratware template token.
header FH_FAKE_RCVD_LINE Received =~ /from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} by \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}; ([SMTWF].{2}, \d{1,2} [JFMASOND].{2,5} \d{4} \d{2}:\d{2}:\d{2} [-+]\d{4}|%CURRENT_DATE_TIME)/
score FH_FAKE_RCVD_LINE 3.0
## Received: from 2.19.230.24 by web9DKKRb8QDIGIT.mail.yahoo.com; Sun, 28 Mar 2004 22:08:01 -0500
header FH_FAKE_RCVD_LINE_B ALL =~ /Received: from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} by [a-z0-9.]{4,24}\.[a-z0-9.]{4,36}\.(?:com|net|org|biz); [SMTWF].{2}, \d{1,2} [JFMASOND].{2,5} \d{4} \d{2}:\d{2}:\d{2} [-+]\d{4}/i
score FH_FAKE_RCVD_LINE_B 3.0
## He should learn to fake header
# The misspelling "Refrences" is deliberate: it is the forged header name.
header REFRENCES exists:Refrences
score REFRENCES 2.0
## This seems to work.
## Let me know about any FP
# "ascii-us" is not a registered charset name (us-ascii is).
header SPAMMY_CONTENT Content-Type =~ /text\/html; charset=ascii-us/
score SPAMMY_CONTENT 0.5

# May 2004
# Adapt it to your mail server(s) IP address(es). Not dangerous
# if you don't adapt it, but not very usefull un that case
# Site-specific: positive score when the local MTA's own address appears in a
# Received header (presumably a forged hop naming our server — confirm intent).
# The dots are unescaped, so they also match any single character.
header OUR_MTA_IP Received =~ /(from|by) (194.2.204.37|80.65.225.147)/
score OUR_MTA_IP 2.0
describe OUR_MTA_IP Our mail server IP adress appears in headers
lang fr describe OUR_MTA_IP L'adresse IP de notre serveur de mail apparait

# No score/describe: default score applies.
uri AFFILIATE /affiliate(_?id)?/

###
# Catching this kind of User-Agent rules
# User-Agent: Mozilla/5.016 (X11; U; solaris; U; NT4.0; en-us) Gecko/25250101
# note: should be fixed with 2.70, but these kind of forgery isn't as common as it used to
header BAD_MOZILLA_VERSION User-Agent =~ /Mozilla\/5\.0\d\d/
describe BAD_MOZILLA_VERSION User-Agent from a unexistant Mozilla version
lang fr describe BAD_MOZILLA_VERSION User-Agent d'une version de Mozilla inexistante
score BAD_MOZILLA_VERSION 2.4
# and some improvement to base rule (not to catch those forgery)
# header USER_AGENT_MOZILLA_UA User-Agent =~ /^Mozilla\/5\.0 \(.*\) Gecko\/20\d{6}(?: |$)/
# this rule doe not longer exist in SA...

####
# Some usefull spams signs. I didn't open any new bug for them.
header RCVD_POWERMTA Received =~ /PowerMTA/
describe RCVD_POWERMTA PowerMTA found in Received field
lang fr describe RCVD_POWERMTA Contient 'PowerMTA' dans le champ Received
score RCVD_POWERMTA 1.0

####
# RBL maintened by french people.
# Isn't down as I thought : http://www.rfc1149.net/wsff
# NOTE(review): "rbleval:" is not the spelling used for the other RBL checks in
# this file (they use "eval:check_rbl"); confirm which one the installed SA
# version accepts. Also re-check that the zone is still operated before use: a
# DNSBL that has been retired can answer (or time out) for every query, and
# with no score line this rule gets the default score.
header RCVD_IN_WSFF rbleval:check_rbl('relay','will-spam-for-food.eu.org')
describe RCVD_IN_WSFF Received via a relay in will-spam-for-food.eu.org
tflags RCVD_IN_WSFF net

header MAIL_BOMB_1 X-UIDL =~ /KicKaSSmSgID/
describe MAIL_BOMB_1 Mail bomb Ratware.
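score MAIL_BOMB_1 3.0
lang fr describe MAIL_BOMB_1 Entêtes de Mail Bomber

####
# Fucking X-Mailer
# Unanchored and the dot is unescaped: any X-Mailer containing "Version 5.0"
# (or "Version 5x0") matches. No score line: default score.
header MAILER_VERSION X-Mailer =~ /Version 5.0/
describe MAILER_VERSION X-Mailer header shows some ratware (Version 5.0)
lang fr describe MAILER_VERSION Entête X-Mailer provenant d'un logiciel à spams (Version 5.0)

# Some rules used by alussinan.org (see : http://www.alussinan.org/filtres.html)
# some of these rule may be duplicate of SA ones...
# None of the ALUSSINAN_* rules has a score line (default score each).
header ALUSSINAN_1 Comments =~ /Mailociraptor/
describe ALUSSINAN_1 alussinan.org rule 1
lang fr describe ALUSSINAN_1 Rejet spam sur presence du champ Comments:
header ALUSSINAN_3 exists:xAddress-Sent
describe ALUSSINAN_3 alussinan.org rule 3
lang fr describe ALUSSINAN_3 Rejet spam sur presence du champ "xAddress-Sent:"
header ALUSSINAN_4 X-Info =~ /Mindshare/
describe ALUSSINAN_4 alussinan.org rule 4
lang fr describe ALUSSINAN_4 Rejet de courrier envoye via spammailer (X-Info)
# The alternation is unanchored and case-sensitive; generic words in it
# ("Signature", "Fusion", "Unity", "MAGIC") will hit legitimate mailers too.
header ALUSSINAN_5 X-Mailer =~ /Vop Mail|Signature|Juno|Rafale|Mass Sender|MailCity| mailer$|Marketing|MMailer|K-ML|GoldMine|MAGIC|bomber|expeditor|Brooklyn North|Broadcast|DMailer|Extractor|EMailing List Pro|Fusion|News Breaker|dbMail|Unity|PG-MAILINGLIST PRO|Dynamic| Splio|Sarbacane|sMailing|JMail|Broadc\@st|WorkZ|SuperMail/
describe ALUSSINAN_5 alussinan.org rule 5
# Fixed: this French describe was attached to "ALLUSSINAN_5" (typo), i.e. to a
# rule that does not exist, so the translation was never shown.
lang fr describe ALUSSINAN_5 Rejet de courrier envoye via spammailer (X-Mailer)
header ALUSSINAN_6 X-Sender =~ /Rafale|Mass Sender|MailCity|\ mailer$|Marketing|MMailer|K-ML|GoldMine|MAGIC|bomber|expeditor|Brooklyn North|Broadcast|DMailer|Extractor|EMailing List Pro|Group|Fusion|News Breaker|dbMail|Unity|PG-MAILINGLIST PRO|Dynamic| Splio|Sarbacane|sMailing|JMail|Broadc\@st|WorkZ|SuperMail/
describe ALUSSINAN_6 alussinan rule 6
lang fr describe ALUSSINAN_6 Rejet de courrier envoye via spammailer (X-Sender)
header ALUSSINAN_7 X-Attention =~ /opt-in/
describe ALUSSINAN_7 alussinan rule 7
lang fr describe ALUSSINAN_7 Rejet X-Attention

#####
# Targeting some common geeky headers :
# Only geeks use them, and those geeks dont send HTML stuff which might match
# any positive rule. And they are also easy to forge. Not a good idea to add
# it to SA distribution
# NOTE(review): five independent -1 rules on headers the sender writes freely
# add up to -5 for a message that carries all of them. Keep these local, and
# consider a single meta rule capped at -1 instead of five separate ones.
header X_URL exists:X-URL
describe X_URL Message contains X-URL header
lang fr describe X_URL En-tête X-URL trouvée
score X_URL -1
tflags X_URL nice
# Ten groups of four upper-case hex digits (a PGP fingerprint), optional spaces.
header X_GPG X-GPG-Fingerprint =~ /^([0-9A-F]{4} ?){10}/
describe X_GPG Message contains X-GPG-Fingerprint header
# Fixed: the French describe named the header "X-UGPG-Fingerprint".
lang fr describe X_GPG En-tête X-GPG-Fingerprint trouvée
score X_GPG -1
tflags X_GPG nice
header X_OS exists:X-Operating-System
describe X_OS Message contains X-Operating-System header
lang fr describe X_OS En-tête X-Operating-System trouvée
score X_OS -1
tflags X_OS nice
header X_EDITOR exists:X-Editor
describe X_EDITOR Message contains X-Editor header
lang fr describe X_EDITOR En-tête X-Editor trouvée
score X_EDITOR -1
tflags X_EDITOR nice
header X_KERNEL exists:X-Kernel
describe X_KERNEL Message contains X-Kernel header
lang fr describe X_KERNEL En-tête X-Kernel trouvée
score X_KERNEL -1
tflags X_KERNEL nice

######
# hello somebody@mailaddress.com
# http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1757
# original author : Martin Radford
# refused : low s/o (for most people), low spam. But very
# interesting for me....
body L_HELLO_ADDRESS /\b(?:Hi|Hello|Dear)\b.{0,30}@\S/i
describe L_HELLO_ADDRESS Greets you by address, not by name
score L_HELLO_ADDRESS 0.5

#####
# Outlook can't send HTML message only (thanks to DaScritch http://www.dascritch.net/ )
# Immediately flags any mail written with Outlook that is HTML-only, with no
# plain-text part. Never seen outside spam.
# (spoke about it in SAtalk ML, might be added in future version of SA)
# __OUTLOOK_MUA and __MIME_HTML_ONLY are not defined in this file.
meta OUTLOOK_FAKED ( __OUTLOOK_MUA && __MIME_HTML_ONLY )
describe OUTLOOK_FAKED Outlook can't send HTML message only
lang fr describe OUTLOOK_FAKED Outlook ne sait pas envoyer de mail en HTML pur sans texte brut.
score OUTLOOK_FAKED 3

#####
# Saving some percent
# "Save 50%", "Saves 5 %" etc. No score line: default score.
body SAVE_PERCENT /Saves? [1-9][0-9]? ?%/i
describe SAVE_PERCENT Save some percentage
lang fr describe SAVE_PERCENT Economisez un certain pourcentage (en anglais)

#####
# bug 1415 : Smileys !
# refused : low ratings, too easy to forge... but remaining in my own rules...
body SMILEY /\s[:;][-^o]?[][)(><}{|\/DPp]/
describe SMILEY Contains one or more Smileys
lang fr describe SMILEY Contient un ou plusieurs Smileys
score SMILEY -0.5
tflags SMILEY nice

#body SEE_FOR_YOURSELF /See (?:for|it) yourself\b/i
body SEE_FOR_YOURSELF /See (?:for|it|it for) yourself\b/i
#--> Catches "See it for yourself", which is missed by the original

# More Nigerian Scum
# Counts how many of the __NIGERIAN_BODY_* sub-rules (defined elsewhere) hit.
# NIGERIAN_BODY_3 (> 5) implies NIGERIAN_BODY_2 (> 3), so both fire together
# for a total of 8.0.
meta NIGERIAN_BODY_2 ( __NIGERIAN_BODY_1 + __NIGERIAN_BODY_2 + __NIGERIAN_BODY_3 + __NIGERIAN_BODY_5 + __NIGERIAN_BODY_6 + __NIGERIAN_BODY_7 + __NIGERIAN_BODY_8 + __NIGERIAN_BODY_9 + __NIGERIAN_BODY_10 + __NIGERIAN_BODY_11 + __NIGERIAN_BODY_12 + __NIGERIAN_BODY_13 + __NIGERIAN_BODY_14 + __NIGERIAN_BODY_15 + __NIGERIAN_BODY_16 + __NIGERIAN_BODY_17 + __NIGERIAN_BODY_18 + __NIGERIAN_BODY_19 + __NIGERIAN_BODY_20 + __NIGERIAN_BODY_21 + __NIGERIAN_BODY_22 + __NIGERIAN_BODY_25 + __NIGERIAN_BODY_26 + __NIGERIAN_BODY_27 + __NIGERIAN_BODY_28 + __NIGERIAN_BODY_29 + __NIGERIAN_BODY_30 + __NIGERIAN_BODY_31 + __NIGERIAN_BODY_32 + __NIGERIAN_BODY_33 + __NIGERIAN_BODY_34 + __NIGERIAN_BODY_35 + __NIGERIAN_BODY_36 + __NIGERIAN_BODY_37 + __NIGERIAN_BODY_38 + __NIGERIAN_BODY_39 + __NIGERIAN_BODY_40 + __NIGERIAN_BODY_41 + __NIGERIAN_BODY_42 ) > 3
score NIGERIAN_BODY_2 3.0
describe NIGERIAN_BODY_2 More Nigerian scum body content
lang fr describe NIGERIAN_BODY_2 Contenu du message ressemblant de manière vraiment douteuse à la combine nigérienne
meta NIGERIAN_BODY_3 ( __NIGERIAN_BODY_1 + __NIGERIAN_BODY_2 + __NIGERIAN_BODY_3 + __NIGERIAN_BODY_5 + __NIGERIAN_BODY_6 + __NIGERIAN_BODY_7 + __NIGERIAN_BODY_8 + __NIGERIAN_BODY_9 + __NIGERIAN_BODY_10 + __NIGERIAN_BODY_11 + __NIGERIAN_BODY_12 + __NIGERIAN_BODY_13 + __NIGERIAN_BODY_14 + __NIGERIAN_BODY_15 + __NIGERIAN_BODY_16 + __NIGERIAN_BODY_17 + __NIGERIAN_BODY_18 + __NIGERIAN_BODY_19 + __NIGERIAN_BODY_20 + __NIGERIAN_BODY_21 + __NIGERIAN_BODY_22 + __NIGERIAN_BODY_25 + __NIGERIAN_BODY_26 + __NIGERIAN_BODY_27 + __NIGERIAN_BODY_28 + __NIGERIAN_BODY_29 + __NIGERIAN_BODY_30 + __NIGERIAN_BODY_31 + __NIGERIAN_BODY_32 + __NIGERIAN_BODY_33 + __NIGERIAN_BODY_34 + __NIGERIAN_BODY_35 + __NIGERIAN_BODY_36 + __NIGERIAN_BODY_37 + __NIGERIAN_BODY_38 + __NIGERIAN_BODY_39 + __NIGERIAN_BODY_40 + __NIGERIAN_BODY_41 + __NIGERIAN_BODY_42 ) > 5
score NIGERIAN_BODY_3 5.0
describe NIGERIAN_BODY_3 A lot of Nigerian scum body content
lang fr describe NIGERIAN_BODY_3 Contenu du message ressemblant de manière vraiment trop douteuse à la combine nigérienne

#####################################################################
# Chris Santerre's rules
#
#####################################################################
#(This has been recent. Dumb spammers. this may go away after a while)
#raw RND_WORD /\%RANDOM_WORD/
#describe RND_WORD Spammers can't use their own software!
#score RND_WORD 1.11
# --> syntax error

# (This has been working great so far. There are more I can|will add.)
# Maxime Ritter notes : creates errors. But still ok for me.
# Unanchored "dsl"/"adsl" match any Received line containing those letters.
header MY_DSL Received =~ /dyn\.optonline\.net|adsl|dsl|tampabay\.rr\.com|vc\.shawcable\.net|se\.client..?\.attbi\.com|\.(east|west)\.verizon\.net/i
describe MY_DSL I could use a BL for this.
score MY_DSL 0.85

# (The following 2 are to try to catch some of these dynamic IP users faking
# legit Froms like, AOL, MSN, Hotmail, excite.... I'm working on this theory a
# little more. But this gives you an idea. I wanted to increase the score when
# the email hit both rules. I'll most likely change this to more generic and
# include all the other domains. score is low for testing.)
# "_AOL_FAKE_MAIL" (single underscore) is not defined in this file; this is
# presumably the "creates errors" the note above refers to — confirm.
meta AOL_DSL (_AOL_FAKE_MAIL && MY_DSL)
describe AOL_DSL AOL email sent from dsl line.
score AOL_DSL 0.25

# Improved via SARE !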
# free.fr addresses are exempted because "free" is in the word list below.
# The dot in "free.fr" is unescaped.
header __FREE_MAIL From =~ /\@free.fr/i
# No word boundaries: "auto" in "automation", "info" in "info@", "free" in
# "freeman" all hit. Expect false positives on ordinary role addresses.
header __FROM_LIGHT From =~ /(?:sales?|funpages?|discounts|auto|daily|deal|direct|dr\.|free|guaranteeds|health|info|platinum|promo|promotion|reward|single|special|training)/i
meta SARE_FROM_SPAM_WORD3 (__FROM_LIGHT && ! __FREE_MAIL)
describe SARE_FROM_SPAM_WORD3 I don't know people named this!
score SARE_FROM_SPAM_WORD3 0.75
header SALES_REPLY Reply-To =~ /sales?|deals?|specials?|offers?|rewards?|direct|funny|discounts?/i
describe SALES_REPLY Your parents named you sales?
score SALES_REPLY 0.43

#####################################################################
# Matt Ketler's rulez
#
#####################################################################
# Generalize this to cover "special xxx offer"
# Plus, needs a bit more weight -- my friends don't normally say these things.
#body OFFER /\b(?:free|special|trial)\s+(?:|[a-z]+\s+)offer/i
#score OFFER 0.5

# Generalize this a bit to cover "CATV xxx descrambler"
# No score line: default score.
body CABLE_CONVERTER /\b(?:cable|catv).{0,9}(?:converter|descrambler)/i

# Generalize this to allow for a number between "call" and "now"
# No score line: default score.
body CALL_NOW /\bCALL (?:|[-0-9]+\s+)NOW/i

# Extended, more evil version of ONLY_COST
body ONLY_COST_BANG /\bonly .{0,9}\$\s*[0-9.]+\s*!{2,9}/i
describe ONLY_COST_BANG Only $$$ !!!
score ONLY_COST_BANG 1.0

# Generalize this to cover "opt-out" and "optout", all cases
body OPT_OUT /\bopt.?out\b/i
score OPT_OUT 1.0

#####################################################################
# Marc Perkel rules
#
#####################################################################
# Offer : bug 1849 (waiting for 2.70).
# not very usefull with bayes & high risk of false positive
# "ALL" is the whole header block. No score line: default score.
header ADDR_OFFER ALL =~ /(?:to|from|reply-to):.*<.*offer.*\n/i
describe ADDR_OFFER From address contains OFFER
uri OFFER_URI /^https?:\/\/.*?(?:offer[sz]?\.\w|[.\/]offer|offer=)/i
describe OFFER_URI Offer in link address
uri MR_DEPOT_URI /depot/
describe MR_DEPOT_URI Depot in link address
score MR_DEPOT_URI 0.3
body OFFER /\b(?:free|trial|full|phone|points?|hottest|internet|great|of this|about this|dealer|responded|not an|pay|are able to|future|valuable|partner|receiv(?:e|ed|ing)|introductory|exclusive|promotional|coupon|bonus|further|following|product|proud to|additional|website|amazing|discounts?).{0,9}(?:this|these|)\boffer(?:s|ings?|ed|)\b/i
describe OFFER Offers you Something
score OFFER 0.3
# The trailing "\b" after the "!" alternative needs a word character to follow,
# so "offer !" at end of sentence does not hit via that branch.
body OFFER_2 /\boffer(?:s|ings?|) .{0,9}\b(?:expires|subject|limited|ends|mailed|originator|contained|discounts?|confidential|is good|available|valid|in error|!)\b/i
describe OFFER_2 Offers you Something (2)
score OFFER_2 0.3
body SPECIAL_OFFER /\bspecial .{0,15}\boffer(?:s|ings?|ed|)/i
describe SPECIAL_OFFER Special Offer
score SPECIAL_OFFER 0.3

# Bug 1924 : mispelled penis
# http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1924
# better version for french spams (pénis)
# Each letter may be repeated and separated by one non-word char; accented
# vowels and digit look-alikes are accepted. No score lines: default score.
body DISGUISE_PENIS /\bp+\W?[eéèêë]+\W?n+\W?[1líîìï]+\W?[sz]+\b/i
describe DISGUISE_PENIS Disguised word "penis"
lang fr describe DISGUISE_PENIS Contient le mot "pénis" déguisé.
body DISGUISE_VIAGRA /\b(v+)\W?(i+|[1líîìï])\W?(a+|[4âäà@])\W?(g+)\W?(r+)\W?(a+|[4âäà@])\b/i
describe DISGUISE_VIAGRA Disguised word "viagra"
lang fr describe DISGUISE_VIAGRA Contient le mot "viagra" déguisé.

# ABC Tracking
# not quite sure it is very efficient...
# NOTE(review): "/\/" is not a terminated pattern (the backslash escapes the
# closing delimiter), so this line will not load as written; it looks truncated
# in this copy. Given the describe text, "exists:ABC-Tracking" may be what was
# meant — confirm against the original file.
header ABC_TRACKING ABC-Tracking=~ /\/
describe ABC_TRACKING Has an ABC-Tracking header
score ABC_TRACKING 2.5

# A Nice rule (Gmane)
####
# NOTE(review): X-Injected-Via-Gmane is a plain header anyone can set. Besides
# the -1.5 here, GMANE_INJECTED is used as an exemption in FORGED_YAHOO_RCVD,
# RCVD_IN_SORBS, RCVD_IN_DYNABLOCK and NO_RDNS2 further down, so one forged
# header both lowers the score and switches off several checks. Consider
# keeping the exemptions only where the Received chain confirms the Gmane hop,
# and dropping the negative score.
header GMANE_INJECTED X-Injected-Via-Gmane =~ /http:\/\/gmane.org\//
describe GMANE_INJECTED Header : Injected Via Gmane
score GMANE_INJECTED -1.5
tflags GMANE_INJECTED nice
header __GMANE_LOOM User-Agent =~ /^Loom/
header __FORGED_YAHOO_RCVD eval:check_for_forged_yahoo_received_headers()
meta FORGED_YAHOO_RCVD (__FORGED_YAHOO_RCVD && ! GMANE_INJECTED && ! __GMANE_LOOM)

#
# Some improvement to base rules
#
# These reuse stock SA rule names; redefining a name here replaces its pattern
# (the stock score, if any, is kept).
body REMOVE_FROM_LIST /to be r[e3]mov[e3]d from (?:the|my|our) (?:ma[i1]l[i1]ng|e.?ma[i1]l|opt[ -]?[i1]in)? ?l[i1]st/i
body CLICK_TO_REMOVE_1 /click here to be (?:permanently )?(?:r[e3]mov[e3]d|d[e3]l[e3]t[e3]d)/i
body EXCUSE_3 /to (?:be removed|be deleted|no longer receive th(?:is|ese) messages?) (?:from|send|reply|[e-]*mail)/i
body EXCUSE_7 /you (?:wish|want|would like|desire) to be removed/i
body EXCUSE_REMOVE /to be removed from.{0,20}(?:mailings|offers)/i

# Base rule with webmails & RBLs
# Ok, I known clean test to avoid those FP is to rewrite a new RBL
# check with Perl, not to disable them. Don't have time for Perl version.
# A webmail is only "known" when both its User-Agent and its Received
# signature are present; the Received part is the harder one to forge.
header __IMP_UA User-Agent =~ /^Internet Messaging Program \(IMP\) \d/
header __IMP_RECEIVED Received =~ /\(IMP\) with HTTP/
meta __IMP (__IMP_UA && __IMP_RECEIVED)
header __SQUIRREL_UA User-Agent =~ /SquirrelMail\/\d/
header __SQUIRREL_RECEIVED Received =~ /\(SquirrelMail authenticated user/
meta __SQUIRREL (__SQUIRREL_UA && __SQUIRREL_RECEIVED)
# Fake Squirrel are now common (only version 1.4.2 affected)
# Claims SquirrelMail 1.4.2 in User-Agent without the matching Received line.
header __SUS_SQUIRREL User-Agent =~ /SquirrelMail\/1.4.2/
meta MR_FAKE_SQUIRREL ( __SUS_SQUIRREL && ! __SQUIRREL_RECEIVED )
score MR_FAKE_SQUIRREL 2.0
# for beta, but why not keeping it ?
# Sorry, as of nov 2004, there are too much IMP fakes
# Only SquirrelMail counts as "known" now (IMP dropped, see above).
meta RM_KNOWN_WEBMAIL ( __SQUIRREL )
score RM_KNOWN_WEBMAIL -1.5
tflags RM_KNOWN_WEBMAIL nice
describe RM_KNOWN_WEBMAIL Header show use of a known webmail
lang fr describe RM_KNOWN_WEBMAIL Signature d'un webmail connu dans les headers
# SORBS lookups, with webmail / Gmane exemptions. Note the "eval:" spelling here
# versus "rbleval:" used for RCVD_IN_WSFF earlier in this file; both cannot be
# right for the same SA version.
header __RCVD_IN_SORBS eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
header __RCVD_IN_DYNABLOCK eval:check_rbl('sorbs-notfirsthop', 'dnsbl.sorbs.net.', '127.0.0.10')
meta RCVD_IN_SORBS (__RCVD_IN_SORBS && ! (RM_KNOWN_WEBMAIL || GMANE_INJECTED) )
meta RCVD_IN_DYNABLOCK (__RCVD_IN_DYNABLOCK && ! (RM_KNOWN_WEBMAIL || GMANE_INJECTED) )
#
# Chris Convington (no reverse DNS rules).
#
# Maxime is waiting for SA 3.0 to rewrite them
#
# This is what I'm now using w/Postfix (should work for any MTA):
# NOTE(review): these match on Received text from any hop, including hops the
# sender wrote. Only lines added by your own MTAs are trustworthy; the
# trusted_networks-based rdns checks in SA 3.x are the safer replacement the
# note above anticipates.
header NO_RDNS Received=~ /\(unknown[ ]\[/
describe NO_RDNS Sending MTA has no reverse DNS (Postfix variant)
lang fr describe NO_RDNS Un relai ne possedait pas de reverse-DNS (Postfix).
score NO_RDNS 0.5
# Improved by Maxime Ritter, 5 May 2004 and 02 June 2004
# Should be done with Perl, for better efficiency with Exim (there are lot of FP, only blacklisting
# Sourceforge & Debian avoids lots, but that's not the good way)
header __SOURCEFORGE Received =~ /(sourceforge\.net|debian\.org) with .{4,12} \(Exim/
header __AMAVISD Received =~ / \[127.0.0.1\]\) \(amavisd-new, port 10024\) with ESMTP/
# Exim-style "([1.2.3.4])" with no host name before the bracket.
header __NO_RDNS2 Received =~ /\(\[(\d{1,3}\.){3}\d{1,3}]\)/
meta NO_RDNS2 (__NO_RDNS2 && ! GMANE_INJECTED && ! __SOURCEFORGE && ! __AMAVISD)
describe NO_RDNS2 Sending MTA has no reverse DNS
lang fr describe NO_RDNS2 Un relai ne possedait pas de reverse-DNS.
score NO_RDNS2 0.01
meta __NO_RDNS (NO_RDNS || NO_RDNS2)
# __IMPRO is defined earlier in this file (the "unpronounceable" rules).
meta RDNS_IMPRO (__NO_RDNS && __IMPRO)
score RDNS_IMPRO 1.0

# 02 June 2004
# Body EMPTY !!
# These fucking new spams are... fucking !
# Thanks to SARE (coding_html.cf)
# Not a single non-whitespace character in the raw body.
rawbody __SOMETHING /\S/
meta BODY_EMPTY !__SOMETHING
score BODY_EMPTY 1.291
describe BODY_EMPTY Empty message body !
lang fr describe BODY_EMPTY Corps du message vide !

# And Improvements !!
header __HAS_SUBJECT exists:Subject
# This comes out ot 3.0.0
meta MISSING_SUBJECT !__HAS_SUBJECT
describe MISSING_SUBJECT Missing Subject: header
# Four values = SA's per-configuration score set (see the "score" documentation
# for which slot is which).
score MISSING_SUBJECT 1.109 1.570 1.282 1.226
# NO_REAL_NAME is not defined in this file; __UNDISCLOSED is defined above.
meta PLANTAGE_SPAMWARE (BODY_EMPTY && ! __HAS_SUBJECT && NO_REAL_NAME && __UNDISCLOSED)
score PLANTAGE_SPAMWARE 3.0
describe PLANTAGE_SPAMWARE Really empty Message
lang fr describe PLANTAGE_SPAMWARE Message vraiment vide
#
# These clowns are a pain, so here is one rule just for them!
# Subject is exactly one lower-case word of 3 to 10 letters.
header ONE_WORD_SUBJECT Subject =~ /^[a-z]{3,10}$/
score ONE_WORD_SUBJECT 0.5
describe ONE_WORD_SUBJECT Subject with only one lower-case word
lang fr describe ONE_WORD_SUBJECT Sujet formé d'un seul mot en minuscule
#
# Seems like spammers never learned what is a charset. But I did.
# "full" matches anywhere in the raw message, headers and all parts included.
# Case-sensitive: "ISO-8859-1" (upper case) does not match either pattern.
full __ISO_8859 /charset=\"?iso-8859-\d{1,2}\"?/
full __ISO_CHARSET /charset=\"?iso-\d{4}-\d{1,2}\"?/
meta BAD_ISO_CHARSET (__ISO_CHARSET && ! __ISO_8859 )
describe BAD_ISO_CHARSET Announced ISO charset might not exist.
lang fr describe BAD_ISO_CHARSET Le jeu de caractère annoncé n'existe probablement pas.
score BAD_ISO_CHARSET 2.5
# Any iso-8859-x part declared 7bit. Pure-ASCII text in a latin-1 part is
# common in legitimate mail, hence the author's low score.
full __7BITS /Content-Transfer-Encoding: 7[bB]it/
meta ISO_7BITS (__ISO_CHARSET && __7BITS)
describe ISO_7BITS ISO charset announced as 7 bit (or bad rule ?)
#score ISO_7BITS 2.0
#jl - also in a bunch of lists, alas.
score ISO_7BITS 0.5
full __WINDOWS_CHARSET /charset=\"?[Ww]indows-\d{3,4}\"?/
meta WINDOWS_7BITS ( __WINDOWS_CHARSET && __7BITS )
describe WINDOWS_7BITS Windows charset announced as 7 bit
score WINDOWS_7BITS 2.0
# I'm not korean, so if some korean people think it is harmfull, mail me.
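# koi8-r is a Russian (Cyrillic) charset, not a Korean one, despite the comment
# above and the "Asian" wording in the describe.
full __ASIA_CHARSET /charset=\"?koi8-r\"?/i
meta MR_ASIA_7BITS ( __ASIA_CHARSET && __7BITS )
describe MR_ASIA_7BITS Asian charset announced as 7 bit
score MR_ASIA_7BITS 2.0
# "full" patterns match anywhere in the raw message, so a us-ascii part and an
# 8bit encoding in a different MIME part (or in quoted headers of a forwarded
# message) also fire this.
full __US_ASCII /charset=\"?us-ascii\"?/i
full __8BIT /Content-Transfer-Encoding: 8[bB]it/
meta US_8BIT (__US_ASCII && __8BIT)
score US_8BIT 2.0
describe US_8BIT US-ASCII isn't an eight bit charset
# Fixed: the French describe was attached to "8BIT_US", a rule that does not
# exist, so it never applied to US_8BIT.
lang fr describe US_8BIT US-ASCII n'est pas un jeu de caractères 8 bits

# Ok, this recovers a little bit 70_sare_html.cf's SARE_HTML_USL_A
# SARE_HTML_USL_A has a very low score and we don't catch the same things
# disappeared week 42 in my corpus.
# NOTE(review): as written this matches any closing </a>, i.e. practically every
# HTML mail with a link, for 1.5 points; the describe text says "empty href and
# empty linked element", so the opening-tag part of the pattern appears to have
# been stripped from this copy. Restore from the original file before enabling.
rawbody A_HREF_NOTHING /<\/a>/i
describe A_HREF_NOTHING Link tag with empty href and empty linked element
lang fr describe A_HREF_NOTHING Lien HTML vide de chez vide
score A_HREF_NOTHING 1.5
# Empty "A HREF" tags
# disappeaed week 43 in my corpus
# NOTE(review): the pattern is empty (//i) in this copy — the tag it should
# match has been stripped. Do not load as-is.
rawbody __A_HREF_NOWHERE //i
meta A_HREF_NOWHERE ( __A_HREF_NOWHERE && ! A_HREF_NOTHING )
describe A_HREF_NOWHERE A link tag with empty href
lang fr describe A_HREF_NOWHERE Un lien HTML pointe sur rien du tout
score A_HREF_NOWHERE 0.8

########################
# 70_sare_header.cf
# Undisclosed Recipients are too much common, it creates to much False Positive IMHO
# and even Medical Insurance, not sure its a good idea
header SARE_TOCC_COMBO1 ToCc =~ /(?:Consumer|Medical|Insurance)/i
describe SARE_TOCC_COMBO1 Destination email address suggests this is spam
score SARE_TOCC_COMBO1 1.067
# removed from SARE, keeping it here
header __SARE_FROM_SPAM_WORD4 From =~ /(?:bounce|moshe|reply)/i
header __FROM_SF_BUGZILLA From =~ /noreply\@sourceforge\.net/
meta SARE_FROM_SPAM_WORD4 (__SARE_FROM_SPAM_WORD4 && ! __FROM_SF_BUGZILLA)
describe SARE_FROM_SPAM_WORD4 From address suggests this may be spam
score SARE_FROM_SPAM_WORD4 0.043
# Removing Foxmail, which isn't a bulk mailer
# UnityMail has been removed from SARE, but keeping it here
header SARE_XMAIL_BULK3 X-Mailer =~ /UnityMail/i
describe SARE_XMAIL_BULK3 Uses bulk mailer used by spammers
score SARE_XMAIL_BULK3 0.117
# Free webmail ? And why not blacklisting all people using yahoo ?
# Local overrides that zero out the SARE free-webmail rules.
score SARE_HEAD_HDR_XWEBMTM 0
score SARE_FREE_WEBM_CZSEZNA 0
score SARE_FREE_WEBM_Dora 0
score SARE_FREE_WEBM_EsTerra 0
score SARE_FREE_WEBM_FrVoila 0
score SARE_FREE_WEBM_NetSafe 0
score SARE_FREE_WEBM_Netster 0
score SARE_FREE_WEBM_OwnEm1 0
score SARE_FREE_WEBM_OwnEm2 0
score SARE_FREE_WEBM_PlTenbi 0
score SARE_FREE_WEBM_RuMail 0
score SARE_FREE_WEBM_Whoever 0
score SARE_FREE_WEBM_WOWMAIL 0
score SARE_FREE_WEBM_Zwallet 0
score SARE_FREE_WEBM_ZCom03 0
score SARE_FREE_WEBM_ZCom05 0
score SARE_FREE_WEBM_EsYahoo 0
score SARE_FREE_WEBM_Excite 0
score SARE_FREE_WEBM_Jpop 0
score SARE_FREE_WEBM_Kero 0
score SARE_FREE_WEBM_MailD 0
score SARE_FREE_WEBM_Mailexc 0
score SARE_FREE_WEBM_MYWAY 0
score SARE_FREE_WEBM_NetFs 0
score SARE_FREE_WEBM_Uymail 0
score SARE_FREE_WEBM_ZCom01 0
score SARE_FREE_WEBM_ZCom02 0
score SARE_FREE_WEBM_ZCom04 0
score SARE_FREE_WEBM_ZCom06 0
score SARE_FREE_WEBM_ZCom07 0
score SARE_FREE_WEBM_ZZa001 0
score SARE_FREE_WEBM_123 0
score SARE_FREE_WEBM_FrYahoo 0
score SARE_FREE_WEBM_Iamfi 0
score SARE_FREE_WEBM_Purin 0
score SARE_FREE_WEBM_Smapxsm 0
score SARE_FREE_WEBM_Softhom 0
score SARE_FREE_WEBM_SURIML 0

########################
# 70_sare_html.cf
# HTML_MESSAGE is a stock SA rule, not defined in this file.
rawbody __SARE_HTML_INV_TAG2 /\<\/?(?!(?:blockquote|optiongroup|plaintext|fontfamily|underline|cf.+))[a-z]{9,17}\>/
meta SARE_HTML_INV_TAG2 ( HTML_MESSAGE && __SARE_HTML_INV_TAG2)
describe SARE_HTML_INV_TAG2 Message contains invalid HTML tag
score SARE_HTML_INV_TAG2 1.666
# No score line for SARE_HTML_INV_TAG3: default score.
rawbody __SARE_HTML_INV_TAG3 /\<[\/!]?(?!cf.+)[a-z_0-9]{11,20}\>/i
meta SARE_HTML_INV_TAG3 ( HTML_MESSAGE && __SARE_HTML_INV_TAG3)
describe SARE_HTML_INV_TAG3 Message contains invalid HTML tag

########################
# 70_sare_ratware.cf
# Removed from SARE, but at least RATWR10_MESSID is very usefull
# (once corrected)
header __MOZILLA_BASED User-Agent =~ /^Mozilla/
# Eight upper-case hex digits, a dot, seven more, then "@".
header __RATWR10_MESSID Message-ID =~ /<[0-9A-F]{8}\.[0-9A-F]{7}\@/
describe RATWR10_MESSID Message-ID has ratware pattern (HEXHEX.HEXHEX@)
meta RATWR10_MESSID ( __RATWR10_MESSID && ! __MOZILLA_BASED )
score RATWR10_MESSID 2.0
header __APPLE_MAIL X-Mailer =~ /^Apple Mail/
# [a-z0-9]* may be empty, so four consecutive dashes/dollars also match.
header __RATWR8_MESSID Message-ID =~ /<([a-z0-9]*[-\$]){4}/i
describe RATWR8_MESSID Message-ID with excessive dashes and dollars
meta RATWR8_MESSID ( __RATWR8_MESSID && ! __APPLE_MAIL )
score RATWR8_MESSID 2.0

########################
# 72_sare_bml_post25x.cf
score SARE_WEOFFER 0
#
#
#
#---------------------------------------------------------------------------
# Racist e-mails
#---------------------------------------------------------------------------
# NOTE(review): the pattern below is cut off at the end of this copy of the
# file; the remainder of the rule (and its score/describe) is not visible here.
header SOBER_H_SPAM_1 Subject =~ /(?:Bankrott des Gesundheitswesens durch Auslaender!|Wer an ein Tabu ruehrt, muss und darf vernichtet werden|EU Beitritt der Tuerkei \?|Bin ich zu weltfremd\? Ich glaube wohl kaum|Geschrieben von Margrit am 07. April 2004|Die Deform der sozialen Ordnung|Moschee-Bau in Deutschland|Augen auf!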
\(So sieht es aus!\)|Paradies Bundesrepublik - Rente fuer die Welt -|Libanesen in Berlin|Garather klagen ueber eskalierende Gewalt im Stadtteil!|Auslaender erschleichen sich zunehmend Sozialleistungen|Auslaenderkriminalitaet steigt weiter!|Das kann unmoeglich sein -Leserbrief-|Nein zum Zuwanderungsgesetz !|Skandalurteil in Darmstadt|Auf Kosten der deutschen Beitragszahler und Rentner!|Wir haben die Auslaender doch geholt\?!|TUERKEN-TERROR AM HIMMELFAHRTSTAG|MULTI-KULTI-BANDE TYRANNISIERTE MITSCHUELER|ASYLANTEN BEGRABSCHTEN DEUTSCHES MAEDCHEN|Was Deutschland braucht, sind deutsche Kinder!|Diplomatische Zensur|EU gibt Erwerbslosen volle Freizuegigkeit|Richter unterstuetzt kriminelle Auslaenderin|Auslaenderanteile in Schweizer Gefaengnissen|Neue Voelkerwanderung droht!|Polizei traute sich nicht, kriminellen Auslaender festzunehmen|AUSLAENDERGEWALT BEIM HAFENGEBURTSTAG|Auslaendergewalt: Herr Rau, wo waren Sie\?|So sieht die Wahrheit aus!|ASYLANT QUAELTE TIERE BRUTAL ZU TODE|DEUTSCHES MAEDCHEN FAST VERGEWALTIGT|Medienzensur|Mehr fuer Auslaender als fuer Deutsche tun!|Skandal in Berlin|SEHBEHINDERTER VON AUSLAENDERN VERPRUEGELT|Marokkanischer Wiederholungstaeter vergewaltigte 17-jaehriges Maedel)/i body __SOBER_BD /(?:Lese selbst:|aber auch meine Meinung:|Heil Hitler|Habe eben im Fernsehen einen Bericht gesehen|Kommentar des Sober Autors|dass die traditionell weisse, christliche|Auslaenderanteil in den Schweizer Gefaengnissen|Das ist ja wie zu Adolfs Zeiten|auslaendischer 'Gesundheitstouristen'|Auslaenderkriminalitaet|reichte zwei Tuerken|der Auslaender - obwohl als gewalttaetig|Armutswanderung aus Osteuropa|Eingliederung tuerkischer Kinder|Sie hatten einen osteuropaeischen Akzent|Knastaufenthalt des Asylanten|auslaendische Wiederholungstaeter|Scheinvaterschaft|Tuerken am Vatertag)/i header __SOBER_HD_1 Subject =~ /(?:-[0-9]{1,4}-|Key:[0-9]{1,4}|Id:[0-9]{1,4})/i header __SOBER_HD_2 Message-ID =~ /\.[0-9a-z]{0,5}[a-z]{1,5}[0-9a-z]{0,5}\.qmail\@/i meta SOBER_H_SPAM_2 
(SOBER_H_SPAM_1 + __SOBER_BD == 2) meta SOBER_H_SPAM_3 (SOBER_H_SPAM_1 + __SOBER_HD_1 + __SOBER_HD_2 == 2) meta SOBER_H_SPAM_4 (SOBER_H_SPAM_1 + __SOBER_HD_1 + __SOBER_HD_2 == 3) score SOBER_H_SPAM_1 3.000 score SOBER_H_SPAM_2 4.000 score SOBER_H_SPAM_3 5.000 score SOBER_H_SPAM_4 10.000 describe SOBER_H_SPAM_1 Rassistische E-Mails, Titel describe SOBER_H_SPAM_2 Rassistische E-Mails, Inhalt + Titel describe SOBER_H_SPAM_3 Rassistische E-Mails, Inhalt + Header1 describe SOBER_H_SPAM_4 Rassistische E-Mails, Inhalt + Header2 # # Ruleset to filter university SPAM for bachelors, masters, MBA's # body __DOCTORATE_1 /[b][\*\~_\:.^'\/\+\s\-]{0,1}[\@a84ãâàáä][\*\~_\:.^'\/\+\s\-]{0,1}[ccç\(\[\{][\*\~_\:.^'\/\+\s\-]{0,1}[h][\*\~_\:.^'\/\+\s\-]{0,1}[e3êèéë][\*\~_\:.^'\/\+\s\-]{0,1}[1ljiy\|][\*\~_\:.^'\/\+\s\-]{0,1}[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}[r][\*\~_\:.^'\/\+\s\-]{0,1}[s]/i body __DOCTORATE_2 /[m][\*\~_\:.^'\/\+\s\-]{0,1}[\@a84ãâàáä][\*\~_\:.^'\/\+\s\-]{0,1}[s][\*\~_\:.^'\/\+\s\-]{0,1}[t][\*\~_\:.^'\/\+\s\-]{0,1}[e3êèéë][\*\~_\:.^'\/\+\s\-]{0,1}[r][\*\~_\:.^'\/\+\s\-]{0,1}[s](?![a-z])/i body __DOCTORATE_3 /[m][\*\~_\:.^'\/\+\s\-]{0,1}[b][\*\~_\:.^'\/\+\s\-]{0,1}[\@a84ãâàáä](?![a-z])/i body __DOCTORATE_4 /[dt][\*\~_\:.^'\/\+\s\-]{0,1}[1ljiyîìíï\|][\*\~_\:.^'\/\+\s\-]{0,1}[p][\*\~_\:.^'\/\+\s\-]{0,1}[1ljiy\|][\*\~_\:.^'\/\+\s\-]{0,1}[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}[m][\*\~_\:.^'\/\+\s\-]{0,1}[\@a84ãâàáä](?![a-z])/i body __DOCTORATE_5 /[dt][\*\~_\:.^'\/\+\s\-]{0,1}[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}[ccç\(\[\{][\*\~_\:.^'\/\+\s\-]{0,1}[t][\*\~_\:.^'\/\+\s\-]{0,1}[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}[r][\*\~_\:.^'\/\+\s\-]{0,1}[\@a84ãâàáä][\*\~_\:.^'\/\+\s\-]{0,1}[t][\*\~_\:.^'\/\+\s\-]{0,1}[e3êèéë]/i body __DOCTORATE_6 
/[uvüùú][\*\~_\:.^'\/\+\s\-]{0,1}[n][\*\~_\:.^'\/\+\s\-]{0,1}[1ljiyîìíï\|][\*\~_\:.^'\/\+\s\-]{0,1}(?:[vuüùú\\]|[\\][\/])[\*\~_\:.^'\/\+\s\-]{0,1}[e3êèéë][\*\~_\:.^'\/\+\s\-]{0,1}[r][\*\~_\:.^'\/\+\s\-]{0,1}[s][\*\~_\:.^'\/\+\s\-]{0,1}[1ljiyîìíï\|][\*\~_\:.^'\/\+\s\-]{0,1}[t][\*\~_\:.^'\/\+\s\-]{0,1}[1ljiy\|]/i meta BUY_DIPLOMA_3 (__DOCTORATE_1 + __DOCTORATE_2 + __DOCTORATE_3 + __DOCTORATE_4 + __DOCTORATE_5 + __DOCTORATE_6 == 3) meta BUY_DIPLOMA_4 (__DOCTORATE_1 + __DOCTORATE_2 + __DOCTORATE_3 + __DOCTORATE_4 + __DOCTORATE_5 + __DOCTORATE_6 == 4) meta BUY_DIPLOMA_5 (__DOCTORATE_1 + __DOCTORATE_2 + __DOCTORATE_3 + __DOCTORATE_4 + __DOCTORATE_5 + __DOCTORATE_6 == 5) meta BUY_DIPLOMA_6 (__DOCTORATE_1 + __DOCTORATE_2 + __DOCTORATE_3 + __DOCTORATE_4 + __DOCTORATE_5 + __DOCTORATE_6 == 6) score BUY_DIPLOMA_3 1.5 score BUY_DIPLOMA_4 2.0 score BUY_DIPLOMA_5 3.0 score BUY_DIPLOMA_6 4.0 describe BUY_DIPLOMA_3 Faked university grade SPAM (3) describe BUY_DIPLOMA_4 Faked university grade SPAM (4) describe BUY_DIPLOMA_5 Faked university grade SPAM (5) describe BUY_DIPLOMA_6 Faked university grade SPAM (6+) # # Catch financial report advisorys. 
# body __FIDEX1 /(?:compensated|paid|received)/i body __FIDEX2 /paid (?:advertisements|advertisments)/i body __FIDEX3 /(?:send|prepare|create|deliver|distribute|preparation|dissemination)/i body __FIDEX4 /this (?:report|email|newsletter|profile|is an independent electronic publication)/i body __FIDEX5 /third party/i body __FIDEX6 /thousand dollars/i body __FIDEX7 /not be used as investment advice/i body __FIDEX8 /not a registered financial advisory/i body __FIDEX9 /forward-looking statements/i body __FIDEX10 /not for purchasing or selling securities/i body __FIDAS1 /may buy or sell shares/i body __FIDAS2 /huge profits/i body __FIDAS3 /incredible gains/i body __FIDAS4 /significant risks/i body __FIDAS5 /watch this stock trade/i body __FIDAS6 /stockmarket watch/i body __FIDAS7 /we are alerting/i body __FIDAS8 /our last pick/i body __FIDAS9 /tech ticker/i body __FIDAS10 /earnings report/i body __FIDAS11 /first edition/i body __FIDAS12 /strong demand for this stock/i body __FIDAS13 /now getting its legs/i body __FIDAS14 /urgent buy/i body __FIDAS15 /NASDAQ timer/i body __FIDAS16 /investors/i body __FIDAS17 /high gains expected/i body __FIDAS18 /recent news will add millions/i body __FIDAS19 /resulting in gross revenues exceeding/i meta __FREPORT1A (__FIDEX1 + __FIDEX2 + __FIDEX3 + __FIDEX4 + __FIDEX5 + __FIDEX6 +__FIDEX7 + __FIDEX8 + __FIDEX9 + __FIDEX10 == 3) meta __FREPORT1B (__FIDEX1 + __FIDEX2 + __FIDEX3 + __FIDEX4 + __FIDEX5 + __FIDEX6 +__FIDEX7 + __FIDEX8 + __FIDEX9 + __FIDEX10 == 4) meta __FREPORT1C (__FIDEX1 + __FIDEX2 + __FIDEX3 + __FIDEX4 + __FIDEX5 + __FIDEX6 +__FIDEX7 + __FIDEX8 + __FIDEX9 + __FIDEX10 >= 5) meta __FREPORT2 (__FIDAS1 + __FIDAS2 + __FIDAS3 + __FIDAS4 + __FIDAS5 + __FIDAS6 + __FIDAS7 + __FIDAS8 + __FIDAS9 + __FIDAS10 + __FIDAS11 + __FIDAS12 + __FIDAS13 + __FIDAS14 + __FIDAS15 + __FIDAS16 + __FIDAS17 + __FIDAS18 + __FIDAS19 >= 2) meta STOCKREPORT_3 (__FREPORT1A + __FREPORT2 == 2) meta STOCKREPORT_4 (__FREPORT1B + __FREPORT2 == 2) meta 
STOCKREPORT_5 (__FREPORT1C + __FREPORT2 == 2) describe STOCKREPORT_3 Financial advisory paid by third party (3) describe STOCKREPORT_4 Financial advisory paid by third party (4) describe STOCKREPORT_5 Financial advisory paid by third party (5+) score STOCKREPORT_3 1.5 score STOCKREPORT_4 2.5 score STOCKREPORT_5 3.5 # # Ruleset to filter cheap software advertising (OEM mostly). # body __OEM_1 /l[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}west p[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}ss[1ljiyîìíï\|][\*\~_\:.^'\/\+\s\-]{0,1}ble pr[1ljiyîìíï\|][\*\~_\:.^'\/\+\s\-]{0,1}ce/i body __OEM_2 /l[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}west pr[1ljiyîìíï\|][\*\~_\:.^'\/\+\s\-]{0,1}ce p[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}ss[1ljiyîìíï\|][\*\~_\:.^'\/\+\s\-]{0,1}ble/i body __OEM_3 /w[1ljiyîìíï\|][\*\~_\:.^'\/\+\s\-]{0,1}nd[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}w[s]{0,1}[\*\~_\:.^'\/\+\s\-]{0,1}(?:xp|2003)/i body __OEM_4 /[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}ff[1ljiyîìíï\|][\*\~_\:.^'\/\+\s\-]{0,1}c[e3êèéë]{0,1}[\*\~_\:.^'\/\+\s\-]{0,1}xp/i body __OEM_5 /Ph[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}t[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}sh[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}p/i body __OEM_6 /[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}[e3êèéë][\*\~_\:.^'\/\+\s\-]{0,1}[m][\*\~_\:.^'\/\+\s\-]{0,1}[s][\*\~_\:.^'\/\+\s\-]{0,1}[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}[f][\*\~_\:.^'\/\+\s\-]{0,1}[t][\*\~_\:.^'\/\+\s\-]{0,1}[w][\*\~_\:.^'\/\+\s\-]{0,1}[\@a84ãâàáä][\*\~_\:.^'\/\+\s\-]{0,1}[r][\*\~_\:.^'\/\+\s\-]{0,1}[e3êèéë]/i body __OEM_7 /[g][\*\~_\:.^'\/\+\s\-]{0,1}[uvüùú][\*\~_\:.^'\/\+\s\-]{0,1}[\@a84ãâàáä][\*\~_\:.^'\/\+\s\-]{0,1}[r][\*\~_\:.^'\/\+\s\-]{0,1}[\@a84ãâàáä][\*\~_\:.^'\/\+\s\-]{0,1}[n][\*\~_\:.^'\/\+\s\-]{0,1}[t][\*\~_\:.^'\/\+\s\-]{0,1}[e3êèéë][\*\~_\:.^'\/\+\s\-]{0,1}[dt]/i body __OEM_8 /[b][\*\~_\:.^'\/\+\s\-]{0,1}[uvüùú][\*\~_\:.^'\/\+\s\-]{0,1}[1ljiy\|][\*\~_\:.^'\/\+\s\-]{0,1}[h][\*\~_\:.^'\/\+\s\-]{0,1}[e3êèéë][\*\~_\:.^'\/\+\s\-]{0,1}[r][\*\~_\:.^'\/\+\s\-]{0,1}[e3êèéë]/i body __OEM_9 /t[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}p 
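quality s[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}ftware/i
body __OEM_10 /(?:new|all) s[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}ftwares/i
body __OEM_11 /[0-9]{1,2}\%[\s ]{0,1}[o0õòóôö][\*\~_\:.^'\/\+\s\-]{0,1}ff/i
# Tiered score on how many of the eleven __OEM_* sub-rules hit. The tiers
# must leave no gap: OEM_7 used to be "> 7", so a message with exactly seven
# hits got nothing from this family (OEM_6 only fires on "== 6"). It is now
# ">= 7", which is also what its "(7+)" description claims.
meta OEM_4 (__OEM_1 + __OEM_2 + __OEM_3 + __OEM_4 + __OEM_5 + __OEM_6 + __OEM_7 + __OEM_8 + __OEM_9 + __OEM_10 + __OEM_11 == 4)
meta OEM_5 (__OEM_1 + __OEM_2 + __OEM_3 + __OEM_4 + __OEM_5 + __OEM_6 + __OEM_7 + __OEM_8 + __OEM_9 + __OEM_10 + __OEM_11 == 5)
meta OEM_6 (__OEM_1 + __OEM_2 + __OEM_3 + __OEM_4 + __OEM_5 + __OEM_6 + __OEM_7 + __OEM_8 + __OEM_9 + __OEM_10 + __OEM_11 == 6)
meta OEM_7 (__OEM_1 + __OEM_2 + __OEM_3 + __OEM_4 + __OEM_5 + __OEM_6 + __OEM_7 + __OEM_8 + __OEM_9 + __OEM_10 + __OEM_11 >= 7)
score OEM_4 1.5
score OEM_5 2.0
score OEM_6 3.0
score OEM_7 4.0
describe OEM_4 Sells illegal OEM software (4)
describe OEM_5 Sells illegal OEM software (5)
describe OEM_6 Sells illegal OEM software (6)
describe OEM_7 Sells illegal OEM software (7+)
#
# Detect zero font size.
#
# Only "font-size: 0px/0pt/1px/1pt" hit: the digit must be followed directly
# by the unit, so "10px" does not match. A unit-less "font-size: 0" (valid
# CSS) is not caught either.
# NOTE(review): this is a "body" rule, i.e. it runs on the rendered text with
# HTML tags removed, so CSS living in a style="..." attribute is not visible
# to it - confirm against your SA version whether rawbody was intended.
body FONT_ZERO /font-size:[\s ]*(?:0|1)(?:px|pt)/i
describe FONT_ZERO Nobody likes invisible fonts in emails
score FONT_ZERO 2.535 2.816 4.095 4.100
#
# Find long words.
# \w can't be used because it also matches URIs. We use [a-z] instead.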
# body LONGWORD /[a-z0-9]{33,}/i describe LONGWORD Uses overlong words body MEGALONGWORD /[a-z0-9]{65,}/i describe MEGALONGWORD Uses really overlong words score LONGWORD 0.3 score MEGALONGWORD 0.6 header CHEAP_GENERICS Subject =~ /[ccç\(\[\{][\*\~_\:.^'\/\+\s\-]{0,1}[h][\*\~_\:.^'\/\+\s\-]{0,1}[e3êèéë][\*\~_\:.^'\/\+\s\-]{0,1}[\@a84ãâàáä][\*\~_\:.^'\/\+\s\-]{0,1}[p][\*\~_\:.^'\/\+\s\-]{0,1}[e3êèéë][\*\~_\:.^'\/\+\s\-]{0,1}[s][\*\~_\:.^'\/\+\s\-]{0,1}[t][\*\~_\:.^'\/\+\s\-]{0,1}[g][\*\~_\:.^'\/\+\s\-]{0,1}[e3êèéë][\*\~_\:.^'\/\+\s\-]{0,1}[n][\*\~_\:.^'\/\+\s\-]{0,1}[e3êèéë][\*\~_\:.^'\/\+\s\-]{0,1}[r][\*\~_\:.^'\/\+\s\-]{0,1}[1ljiyîìíï\|][\*\~_\:.^'\/\+\s\-]{0,1}[ccç\(\[\{][\*\~_\:.^'\/\+\s\-]{0,1}[s][\*\~_\:.^'\/\+\s\-]{0,1}/i describe CHEAP_GENERICS Advertizes the cheapest generics available. score CHEAP_GENERICS 1.536 1.890 0.500 4.099 # # FIXES---------------------------------------------------------------------------------------------------- # # # Bugzilla 2619/2554. Do not mark Virgina as Spam. 
# body BEST_PORN /\b(?:best|biggest|largest|most|free|ultimate)\b.{0,9}\b(?:virgins?\b|anal\b|lesbians?|incest|porno?|h[a\@]rdcore|sluts?|xxx+)/i body HOT_NASTY /\b(?=[dehklnswxy])(?:horny|nasty|hot|wild|young(?!\s+adult)|horniest|nastiest|hottest|wildest|youngest|naughty|dirtiest|slutty|kinky|lusty|extreme|xxx+)\b.{0,9}\b(?=[acfghilmpsvx])(?:virgins?\b|asian|cheerleader|sex|selection|fuck|fucking|anal\b|lesb(?:ian|o)|incest|chicks?|pics|movies|video|gay\b|porn|h[a\@]rdcore|schoolgirls|amateur|slut|adult\b|cum\b|xxx|sites?|hotties|shit)/i # # Bugzilla 3201 (current Mailman lists not detected as __KNOWN_MAILING_LIST) # # Fixed in MailingList.pm # # Bugzilla 2563 # body PENIS_ENLARGE /\b(?:enlarge|increase|grow|lengthen|larger\b|bigger\b|longer\b|thicker\b|\binches\b).{0,50}\b(?:penis|male organ|pee[ -]?pee|dick|sc?hlong|wh?anger|breast(?!\s+cancer))/i body PENIS_ENLARGE2 /\b(?:penis|male organ|pee[ -]?pee|dick|sc?hlong|wh?anger|breast(?!\s+cancer)).{0,50}\b(?:enlarge|increase|grow|lengthen|larger\b|bigger\b|longer\b|thicker\b|\binches\b)/i # # Bugzilla 3160, Very light fonts on a white background are unreadable # rawbody __TM2_MISC_INVISI_COLOR /\#(?:[e-f]{3}['">]?|(?:[e-f][0-9a-f]){3})/i meta TM2_MISC_INVISI_FONT (__TM2_MISC_INVISI_COLOR && HTML_FONTCOLOR_UNKNOWN) describe TM2_MISC_INVISI_FONT Very light text color score TM2_MISC_INVISI_FONT 1.2 # # Bugzilla 2999, Find text after closing # full BODY_TEXTAFTERHTML /<\/HTML>[a-z\s']+\s
[a-z\s']+\s
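/si
# (the "</HTML>" in this description was lost when the file was rendered as HTML)
describe BODY_TEXTAFTERHTML Body contains text after closing </HTML> tag
score BODY_TEXTAFTERHTML 1.2
#
# Bugzilla 3007, Find image only messages
#
# Fires when at least two of the three stock image/HTML-only indicators hit.
meta COMBO_IMAGEONLY1 ((HTML_IMAGE_ONLY_02 + MIME_HTML_ONLY + MIME_HTML_ONLY_MULTI) > 1)
describe COMBO_IMAGEONLY1 Appears to be an image only message
score COMBO_IMAGEONLY1 1.8
# From 70_sare_html (this one is better)
###################################################################
# Image tag tests
###################################################################
# DISABLED: the pattern as printed, m'<(?:html|body).{1,200}'is, no longer
# contains the <img>/<a href> part that the description and the #hist notes
# refer to (most likely stripped when this file was rendered as HTML). As it
# stands it matches any message containing "<html" or "<body" followed by at
# least one character - practically every HTML mail - for 2.222 points.
# Restore the regex from 70_sare_html.cf before re-enabling.
#full SARE_HTML_IMG_ONLY m'<(?:html|body).{1,200}'is
#describe SARE_HTML_IMG_ONLY Short HTML msg, IMG and A HREF, maybe naught else
#score SARE_HTML_IMG_ONLY 2.222
#counts SARE_HTML_IMG_ONLY 6443s/5h of 85088 corpus (62493s/22595h RM) 06/10/04
#hist SARE_HTML_IMG_ONLY Originally Fred T: FVGT_m_IMAGE_ONLY
#hist SARE_HTML_IMG_ONLY Enhanced May 29 2004 by Bob Menschel, incorporate all tests in one regex
#ham SARE_HTML_IMG_ONLY 5: Oct 2002 Yahoo webmail with automatically inserted FAULTY flamingtext.com advertisement
#note SARE_HTML_IMG_ONLY Though normally file 0 contains only rules that hit NO ham, because of the specific pattern, this rule is kept in file 0.
#overlap SARE_HTML_IMG_ONLY Rules that completely overlap this one: SARE_HTML_PILL3, SARE_HTML_PILL4
#
# Bugzilla 2618, Boundary fix, don't mark words with included opt?in as spam.
#
# Only the capitalised "Opt In"/"Opt-In" form hits: the (?-i:...) groups turn
# case-insensitivity back off for the O and the I. No score is set here, so
# whatever score the stock rules give OPT_IN_CAPS applies (1.0 if none).
body OPT_IN_CAPS /\b(?-i:O)pt.?(?-i:I)n\b/i
# X-Mailer / X-Mail-Agent are sender-supplied strings and trivially changed,
# which is why these only get 1.0 each.
header X_JPMAILER X-Mailer =~ /(GpsMailer|SpireMail|IM2000 Version|Pinta Magazine|MultiMail|BSMTP DLL|E-Magazine|Direct Email|Achi-Kochi Mail|MagicalMail|InternetPost for Active Platform|Web Based Pronto)/
describe X_JPMAILER Japan spammer's choice of X-Mailer
score X_JPMAILER 1.0
header X_JPMAIL_AGENT X-Mail-Agent =~ /(Extra Japan)/
describe X_JPMAIL_AGENT Japan spammer's choice of X-Mail-Agent
score X_JPMAIL_AGENT 1.0
#
#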
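#
#
# Jul 04 : Difficult to catch spams without Bayes
#
# "bitbitNUM" looks like an unexpanded template placeholder left by a
# ratware generator.
rawbody MR_BAD_ENCOODING /Content-Encoding: bitbitNUM/
score MR_BAD_ENCOODING 2.0
# "Name" <word@word.tld> made of nothing but short lower-case words.
header MR_FROM_SHORT From =~ /\"[A-Z][a-z]{3,7}\" <[a-z]{3,8}@[a-z]{3,8}\.[a-z]{2,3}>/
score MR_FROM_SHORT 0.2
# Oct 04 : not as efficient as used to be
# Sendmail "(x.yy.z/x.yy.z)" version stamps whose major digit is anything but
# 8: the [012345679] class leaves 8 out on purpose (8.x is the real one).
header MR_BAD_SENDMAIL Received =~ /by [a-z]{3,20}\.[a-z]{3,20}\.com \([012345679]\.\d{2}\.\d{1,2}\/[012345679]\.\d{2}\.\d{1,2}\) with ESMTP id/
describe MR_BAD_SENDMAIL Sorry, this sendmail version is unknown
score MR_BAD_SENDMAIL 3.0
# Sorry, not interested. (no score given: SpamAssassin's default of 1.0 applies)
body MR_HOUSE_WIFE /Date a.{0,35} house ?wife/i
body MR_MARRIED_LADY /Date a.{0,35} married (?:lady|women)/i
# Oct 04 : not seen any longer, but keeping it here
# (the dot in "-home.com" is now escaped so it only matches a literal dot)
uri MR_NO_LENDING /(?:lend(?:ing|er)-home\.com|bigbonus-casino)/
score MR_NO_LENDING 2.5
#
# 15 aout 2004 : the pests of the last few days
# NB: MR_ADIPREN_URI and MR_ADIPREN_BODY have no leading "__", so each of them
# also scores 1.0 on its own, on top of MR_ADIPREN. LOSE_POUNDS is a stock rule.
uri MR_ADIPREN_URI /adipren/
body MR_ADIPREN_BODY /Adipren/i
meta MR_ADIPREN ( MR_ADIPREN_URI && MR_ADIPREN_BODY && LOSE_POUNDS )
score MR_ADIPREN 2.0
uri MR_CANDYPERSONNAL /candypersonal/
score MR_CANDYPERSONNAL 2.9
#
# Stupid Spammers using fake quotes
# A body that looks like a forwarded/quoted mail (From:/To:/Sent:/Subject:
# lines) while neither the Subject nor the threading headers say so.
header __MR_SUBJ_REPLY Subject =~ /^re:/i
header __MR_SUBJ_FORWARD Subject =~ /^((fw:)|(\[.{1,20}@.{3,30}: .*\]$))/i
header __MR_REFERENCES exists:References
header __MR_REPLY_TO exists:In-Reply-To
header __MR_MS_THREAD exists:Thread-Index
meta __MR_REPLY_HEAD ( __MR_REFERENCES || __MR_REPLY_TO || __MR_MS_THREAD )
# (__MR_Quote_From used to be defined twice; the duplicate is dropped)
rawbody __MR_Quote_From /^From:/
rawbody __MR_Quote_To /^To:/
rawbody __MR_Quote_Sent /^Sent:/
rawbody __MR_Quote_Subject /^Subject:/
meta __MR_Quote ( __MR_Quote_From && __MR_Quote_To && __MR_Quote_Sent && __MR_Quote_Subject )
# __EXISTS_LISTPOST is not defined in this section and is assumed to come
# from another rule file - TODO confirm with "spamassassin --lint", which
# reports undefined meta dependencies. No score is set: 1.0 default.
meta MR_BAD_QUOTE_1 ( __MR_Quote && ! ( __MR_SUBJ_REPLY || __MR_SUBJ_FORWARD || __EXISTS_LISTPOST ) )
describe MR_BAD_QUOTE_1 Quoted mail ? No indication in Subject ?
meta MR_BAD_QUOTE_2 ( __MR_Quote && ! ( __MR_SUBJ_FORWARD || __MR_REPLY_HEAD || __EXISTS_LISTPOST ) )
describe MR_BAD_QUOTE_2 Quoted mail ? 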
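describe MR_BAD_QUOTE_2 Quoted mail ? No indication in headers ?
#
# Strange URI Formation
# A URI whose path is nothing but an optional "/" followed by a query string
# (http://host/?... or http://host?...). Legitimate tracking links do this
# too, hence only a moderate score.
uri MR_STRANGE_QUESTION m{https?://[a-z0-9\-_\.]*/?\?}
score MR_STRANGE_QUESTION 1.5
# Rolex spammers
body MR_WANA_ROLEX /(?:Want a (cheap )?(Rolex )?Watch|Genuine Replicas Watches|Get him a finest replica Rolex)/i
score MR_WANA_ROLEX 1.8
describe MR_WANA_ROLEX Asks if you want a Rolex
lang fr describe MR_WANA_ROLEX Vous demande si vous voulez une Rolex
# This rolex spammer uses the same Content-Type boundary format as yahoo...
# SECURITY NOTE: the Yahoo exemption is an unanchored substring match over
# *all* Received headers, including the ones the sender wrote himself. A
# spammer only has to add a forged "Received: ... yahoo.com ..." line to
# switch the 3.0 points off. It is kept because genuine Yahoo mail would
# otherwise be hit, but do not treat it as a control.
header __MR_MIME_ROLEX_1 Content-Type =~ /boundary=\"0-[0-9]{10}-[0-9]{10}=:[0-9]{5}\"/
header __YAHOO_SERVER Received =~ /yahoo\.com/
meta MR_MIME_ROLEX_1 ( __MR_MIME_ROLEX_1 && ! __YAHOO_SERVER )
score MR_MIME_ROLEX_1 3.0
describe MR_MIME_ROLEX_1 MIME boundary like in some Rolex Spams
lang fr describe MR_MIME_ROLEX_1 Frontières MIME ressemblant a celles de Spams à Rolex
# From /etc/spamassassin/70_sare_header.cf (rolex spammers)
# __RATWARE_0_TZ_DATE (Date header ending in " +0000") is defined in the
# RATWARE_ZERO_TZ block further down; the copy that used to sit here was a
# duplicate definition and has been dropped.
# Message-ID of 28 capitals + "." + the From address, in either header order.
header __SARE_MULT_RATW_02A ALL =~ m'\bMessage-ID: <[A-Z]{28}\.([^>]+)>\n.*\bFrom: \"[^\"]+\" <\1>\n's
header __SARE_MULT_RATW_02B ALL =~ m'\bFrom: \"[^\"]+\" <([^>]+)>\n.*\bMessage-ID: <[A-Z]{28}\.\1>\n's
meta SARE_MULT_RATW_02 (__RATWARE_0_TZ_DATE && (__SARE_MULT_RATW_02A || __SARE_MULT_RATW_02B))
describe SARE_MULT_RATW_02 Spammer sign in headers
score SARE_MULT_RATW_02 4.0
# From SA 3.0.0 (rolex spammers)
header __CTYPE_HTML Content-Type =~ /text\/html/i
########################################################################
# This ratware always uses a +0000 TZ in the Date header, and has a multiplicity
# of From: header formats. ("From" header samples from Steven Champeon
# via the spamtools.lists.abuse.net and SPAM-L lists).
# (The sample address that followed each name below was lost when this file
# was rendered as HTML; the trailing digit is the __0_TZ_n sub-rule the
# sample matches.)
#
# "First Last" 1
# "First Last" 1
# "First Last" 1
# "First Last" 1
# "First Last" 1
# "First Last" 2
# "First Last" 2
# "First Last" 2
# "First Last" 2
# "First Last" 2
# "First Last" 3
# "First M. Last" 4
# "First M. Last" 4
# "First M. Last" 5
# "First M. Last" 5
# "First M. Last" 5
# "First M. 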
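# "First M. Last" 6
# "First M. Last" 7
# "First M. Last" 7
header __0_TZ_1 From =~ /^\"(\w)(\w+) (\w+)\" <\1\2[\._]?\3_?[a-z][a-z]\@/i
header __0_TZ_2 From =~ /^\"(\w)(\w+) (\w+)\" <\1[\._]?\3_?[a-z][a-z]\@/i
header __0_TZ_3 From =~ /^\"(\w)(\w+) (\w+)\" <\3_?[a-z][a-z]\@/i
header __0_TZ_4 From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\1\2[\._]?\4_?[a-z][a-z]\@/i
header __0_TZ_5 From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\1\2[\._]?\3[\._]?\4_?[a-z][a-z]\@/i
header __0_TZ_6 From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\1\3\4_?[a-z][a-z]\@/i
header __0_TZ_7 From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\3[\._]?\4_?[a-z][a-z]\@/i
# Date header in UTC ("+0000"); also used by SARE_MULT_RATW_02 above.
header __RATWARE_0_TZ_DATE Date =~ / \+0000$/
meta RATWARE_ZERO_TZ (__RATWARE_0_TZ_DATE && __CTYPE_HTML && (__0_TZ_1 || __0_TZ_2 || __0_TZ_3 || __0_TZ_4 || __0_TZ_5 || __0_TZ_6 || __0_TZ_7))
describe RATWARE_ZERO_TZ Bulk email fingerprint (+0000) found
score RATWARE_ZERO_TZ 3.200 2.372 3.875 4.100

##################
# Some RBL tests
#
# General caveat for every "net" rule below: the IP that gets looked up is
# taken from the Received chain, so trusted_networks/internal_networks must
# be set correctly or the query is done on the wrong hop (possibly a forged
# Received line).
#
# SpamAssassin local.cf for AHBL BlackList / BlockList
# "Old blackholes.2mbit.com resurrected as AHBL (dnsbl.ahbl.org)"
# URL: http://www.ahbl.org
#
# DISABLED: AHBL shut its DNSBL down in 2015 and, as is usual for a retired
# list, the zone was reportedly switched to answer positively for every query
# so that remaining users would notice. With the lookup left in place every
# message would collect RCVD_IN_AHBL plus one of the sub-rules below (and pay
# a DNS round-trip). A retired zone is also a take-over risk: whoever ends up
# holding ahbl.org decides what these rules score. Re-enable only after
# confirming the list is operated again.
#header RCVD_IN_AHBL eval:check_rbl('AHBL', 'dnsbl.ahbl.org.')
#describe RCVD_IN_AHBL AHBL: sender is listed in dnsbl.ahbl.org
#score RCVD_IN_AHBL 1.5
#tflags RCVD_IN_AHBL net
#header RCVD_IN_AHBL_UNKNOWN_1 eval:check_rbl_sub('AHBL', '127.0.0.1')
#describe RCVD_IN_AHBL_UNKNOWN_1 AHBL: Unknown Category 1 in dnsbl.ahbl.org
#score RCVD_IN_AHBL_UNKNOWN_1 0.01
#tflags RCVD_IN_AHBL_UNKNOWN_1 net
#header RCVD_IN_AHBL_SMTP eval:check_rbl_sub('AHBL', '127.0.0.2')
#describe RCVD_IN_AHBL_SMTP AHBL: Open SMTP relay in dnsbl.ahbl.org
#score RCVD_IN_AHBL_SMTP 0.5
#tflags RCVD_IN_AHBL_SMTP net
#header RCVD_IN_AHBL_PROXY eval:check_rbl_sub('AHBL', '127.0.0.3')
#describe RCVD_IN_AHBL_PROXY AHBL: Open Proxy server in dnsbl.ahbl.org
#score RCVD_IN_AHBL_PROXY 0.5
#tflags RCVD_IN_AHBL_PROXY net
#header RCVD_IN_AHBL_SPAM eval:check_rbl_sub('AHBL', '127.0.0.4')
#describe RCVD_IN_AHBL_SPAM AHBL: Spam Source in dnsbl.ahbl.org
#score RCVD_IN_AHBL_SPAM 1.5
#tflags RCVD_IN_AHBL_SPAM net
#header RCVD_IN_AHBL_RTB eval:check_rbl_sub('AHBL', '127.0.0.5')
#describe RCVD_IN_AHBL_RTB AHBL: Real-Time Blocked in dnsbl.ahbl.org
#score RCVD_IN_AHBL_RTB 0.01
#tflags RCVD_IN_AHBL_RTB net
#header RCVD_IN_AHBL_FORMMAIL eval:check_rbl_sub('AHBL', '127.0.0.6')
#describe RCVD_IN_AHBL_FORMMAIL AHBL: Abuseable Form Mail in dnsbl.ahbl.org
#score RCVD_IN_AHBL_FORMMAIL 0.5
#tflags RCVD_IN_AHBL_FORMMAIL net
#header AHBL_SPAM_SUPPORT eval:check_rbl_sub('AHBL', '127.0.0.7')
#describe AHBL_SPAM_SUPPORT AHBL: Spam Supporter in dnsbl.ahbl.org
#score AHBL_SPAM_SUPPORT 1.0
#tflags AHBL_SPAM_SUPPORT net
#header AHBL_INDIRECT_SPAM eval:check_rbl_sub('AHBL', '127.0.0.8')
#describe AHBL_INDIRECT_SPAM AHBL: Indirect Spam supporter in dnsbl.ahbl.org
#score AHBL_INDIRECT_SPAM 0.5
#tflags AHBL_INDIRECT_SPAM net
#header RCVD_IN_AHBL_ENDUSER eval:check_rbl_sub('AHBL', '127.0.0.9')
#describe RCVD_IN_AHBL_ENDUSER AHBL: End User (non mail system) in dnsbl.ahbl.org
#score RCVD_IN_AHBL_ENDUSER 0.5
#tflags RCVD_IN_AHBL_ENDUSER net
#header RCVD_IN_AHBL_SOS eval:check_rbl_sub('AHBL-notfirsthop', '127.0.0.10')
#describe RCVD_IN_AHBL_SOS AHBL: Shoot On Sight in dnsbl.ahbl.org
#score RCVD_IN_AHBL_SOS 0.5
#tflags RCVD_IN_AHBL_SOS net
#header RCVD_IN_AHBL_RFCI_PA eval:check_rbl_sub('AHBL', '127.0.0.11')
#describe RCVD_IN_AHBL_RFCI_PA AHBL: Missing Postmaster or Abuse Address
#score RCVD_IN_AHBL_RFCI_PA 0.5
#tflags RCVD_IN_AHBL_RFCI_PA net
#header RCVD_IN_AHBL_5XXI eval:check_rbl_sub('AHBL', '127.0.0.12')
#describe RCVD_IN_AHBL_5XXI AHBL: Does not properly handle 5xx errors
#score RCVD_IN_AHBL_5XXI 0.5
#tflags RCVD_IN_AHBL_5XXI net
#header RCVD_IN_AH
BL_RFCI_MISC eval:check_rbl_sub('AHBL', '127.0.0.13')
#describe RCVD_IN_AHBL_RFCI_MISC AHBL: Other Non-RFC Compliant in dnsbl.ahbl.org
#score RCVD_IN_AHBL_RFCI_MISC 0.5
#tflags RCVD_IN_AHBL_RFCI_MISC net
#header RCVD_IN_AHBL_MISC eval:check_rbl_sub('AHBL', '127.0.0.127')
#describe RCVD_IN_AHBL_MISC AHBL: Misc (other) in dnsbl.ahbl.org
#score RCVD_IN_AHBL_MISC 0.5
#tflags RCVD_IN_AHBL_MISC net

# Spamhaus XBL+SBL
# NOTE(review): sbl-xbl.spamhaus.org has been superseded by zen.spamhaus.org,
# and the stock SA rule set already queries Spamhaus; check that this zone
# still answers and that one listing is not being scored twice.
header RCVD_IN_SBL_XBL eval:check_rbl('sblxbl', 'sbl-xbl.spamhaus.org.')
describe RCVD_IN_SBL_XBL Received via a relay in Spamhaus SBL+XBL
tflags RCVD_IN_SBL_XBL net
score RCVD_IN_SBL_XBL 1.5
# Listed in cbl.abuseat.org http://cbl.abuseat.org/
# NOTE(review): CBL data feeds the Spamhaus XBL, so a CBL-listed relay scores
# 1.5 here and 1.5 above - 3.0 for a single listing.
header RCVD_IN_CBL eval:check_rbl_txt('cbl', 'cbl.abuseat.org.')
describe RCVD_IN_CBL Received via a relay in cbl.abuseat.org
tflags RCVD_IN_CBL net
score RCVD_IN_CBL 1.5

# 22 nov. 2004
# Ratware signature: a header claiming the sender has been "authenticated".
full MR_AUTH_FLAG /X-Message-flag: Authentic Sender, Hash:/i
describe MR_AUTH_FLAG Fake X-Message-flag
score MR_AUTH_FLAG 4.0

# 22 nov. 2004 whitelist of a webmail provider that kept tripping other rules
# SECURITY NOTE: -5.0 is a large allow-list bonus and *every* input to it is
# chosen by the sender: Received lines below the first trusted hop, X-Sender,
# X-Originating-Email and Content-Type are all forgeable, and nothing here
# checks the connecting relay. Anyone can add these four headers to a spam
# and buy 5 points. Prefer whitelist_from_rcvd (which checks the reverse DNS
# of the last external relay) and drop this meta. Dots in the domains are
# now escaped so they match literally.
header __WALLA_RCVD Received =~ /walla\.co\.il/
header __WALLA_SENDER X-Sender =~ /\@walla\.com/
header __WALLA_XOE X-Originating-Email =~ /\@walla\.com/
header __WALLA_MPART Content-Type =~ /WallaMail/
meta MR_WALLA_MAIL ( __WALLA_RCVD && __WALLA_SENDER && __WALLA_XOE && __WALLA_MPART )
describe MR_WALLA_MAIL Looks like walla.com webmail (forgeable headers)
score MR_WALLA_MAIL -5.0

# 22 nov. 2004 improved 26 nov.
# I hate 50 characters rule description !
# A host calling itself smtp*.domain.tld that delivers "with HTTP": a webmail
# submission dressed up as an SMTP hop.
header MR_SMTP_HTTP Received =~ /^[fF]rom smtp.?\.\w*\.[a-z]{1,4} .*with HTTP/
score MR_SMTP_HTTP 2.0
# 23 nov. 2004 (no score given: default 1.0)
header FAKE_GOOGLE Subject =~ /^Google Search/
# 24. nov 2004
header MR_BAD_THREAD thread-index =~ /\d{5}-\d+-\d{3}/
score MR_BAD_THREAD 1.9
header MR_DBL_EGAL Content-Type =~ /charset==/
score MR_DBL_EGAL 2.4
# 24. nov 2004
# They could at least start their Organization with a capital letter!
header MR_BAD_ORGA_1 Organization =~ /^[a-z]{2,20}\.[a-z]{2,20}/
score MR_BAD_ORGA_1 2.0
# Was "[a-z]{{2,15}": the doubled brace is not a quantifier, so the rule
# required a literal "{" and could never match its intended input (recent
# Perl versions reject an unescaped "{" in that position outright).
header MR_BAD_ORGA_2 Organization =~ /^[a-z]{2,15}[A-Z][a-z]{2,15} \d\.\d/
score MR_BAD_ORGA_2 2.0
# New Ratware (25 nov. 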
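# New Ratware (25 nov. 2004)
# Ratware fingerprint: these three headers in this exact order and spelling.
header MR_RATWARE_NORTON ALL =~ m'\bMIME-Version: 1.0\nX-Virus-Status: Scanned by norton\nContent-Type: text/plain; charset=us-ascii\n'
score MR_RATWARE_NORTON 4.0
# 25 nov 2004 (this one is more or less a beta rule)
# References and In-Reply-To are both present but share no message-id.
# (no score given: default 1.0)
header __REF_IRT_SAME_1 ALL =~ m'References:.*<([^>]+)>\n.*In-Reply-To:.*<\1>'s
header __REF_IRT_SAME_2 ALL =~ m'In-Reply-To:.*<([^>]+)>\n.*References:.*<\1>\n's
meta MR_DIFF_MID ( __MR_REFERENCES && __MR_REPLY_TO && ! ( __REF_IRT_SAME_1 || __REF_IRT_SAME_2 ) )
# 25 nov 2004... a nice rule (that's not very common :-) )
# Two or more message-ids in References. This used to be followed by
# "meta MR_MULT_REF nice", which re-declared the rule as a meta test on an
# undefined symbol "nice" - a later definition with the same name replaces
# the earlier one, so the header test was lost and the -0.8 never applied.
# "nice" is a tflags setting. Note that References is sender-controlled, so
# this is a bonus a spammer can claim at will; keep it small.
header MR_MULT_REF References =~ m'<[^>]+>.*<[^>]+>'s
score MR_MULT_REF -0.8
tflags MR_MULT_REF nice
# 27 nov 2004
# A space before ".homelinux.net" in the "from" part of a Received line.
header MR_SPACE_RCVD Received =~ /from [a-z]{2,15} \.homelinux\.net/
score MR_SPACE_RCVD 2.0
#################
# HOTMAIL rules
# Ok, needed improvements, but now OK (30/06/04)
# SECURITY NOTE: __HOTMAIL_LOOKLIKE switches RECEIVED_DAV (2.5) off when the
# mail merely *looks* like Hotmail, and every one of its inputs (From,
# Received, X-Originating-IP) is written by the sender; a forger who copies
# Hotmail's headers is exempted. Only the MR_FAKE_HOTMAIL_* rules below
# cross-check anything.
header __HOTMAIL_FROM From =~ /hotmail\.com/
header __HOTMAIL_RCVD Received =~ /hotmail\.com/
header __HOTMAIL_SMTPSVC Received =~ / with Microsoft SMTPSVC;/
# Was /[(\d{1,3}\.){3}\d{1,3}]/ : the outer brackets made the whole thing a
# character class matching any single digit, dot, comma, brace or
# parenthesis, so the sub-rule hit on practically any X-Originating-IP
# header. Now matches the bracketed dotted-quad form ("[1.2.3.4]"), which is
# also what __MR_HOTMAIL_OK below expects.
header __HOTMAIL_OIP X-Originating-IP =~ /\[(?:\d{1,3}\.){3}\d{1,3}\]/
meta __HOTMAIL_LOOKLIKE __RECEIVED_DAV && __HOTMAIL_FROM && __HOTMAIL_RCVD && __HOTMAIL_SMTPSVC && __HOTMAIL_OIP
header __RECEIVED_DAV Received =~ / with DAV;/
meta RECEIVED_DAV __RECEIVED_DAV && (! __HOTMAIL_LOOKLIKE)
score RECEIVED_DAV 2.5
meta CABLETV_SUCKS (ONE_WORD_SUBJECT && RECEIVED_DAV)
score CABLETV_SUCKS 2.0
describe CABLETV_SUCKS Known Cable TV spammer
lang fr describe CABLETV_SUCKS Spammeur connu vendant des décodeurs télé par cable.
# 26 nov 2004
# A genuine Hotmail web submission carries the same IP in its "Received: from"
# line and in X-Originating-IP; a mismatch is a forgery sign. Dots in the
# host name are now escaped so they match literally. (no scores given for
# MR_FAKE_HOTMAIL_1/2: default 1.0 each)
header __MR_HOTMAIL_OK ALL =~ m'Received: from ([0-9\.]+) by \S+\.hotmail\.msn\.com with HTTP.*X-Originating-IP: \[\1\]'s
header __MR_HOTMAIL_HTTP Received =~ /from [0-9\.]+ by \S+\.hotmail\.msn\.com with HTTP/
meta MR_FAKE_HOTMAIL_1 ( __HOTMAIL_OIP && __MR_HOTMAIL_HTTP && ! __MR_HOTMAIL_OK )
meta MR_FAKE_HOTMAIL_2 ( __HOTMAIL_OIP && __MR_HOTMAIL_HTTP && ! 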
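__HOTMAIL_FROM )

##############
# Copy/paste
# From SARE Specific (for people who didn't install this ruleset)
##########################################################################
# Spammer identifying his spam with POB 1200B, Orangestad, Aruba
##########################################################################
# The five __SARE_SPEC_* sub-rules each match one fragment of that postal
# address, tolerating dots/whitespace between the letters; "__" rules never
# score on their own.  Only the meta SARE_SPEC_ARUBA below scores, and it
# needs the "Aruba" fragment, the "Orangestad" fragment and one of the three
# "1200B" fragments in the same body.
body __SARE_SPEC_ARUBA /A[.\s]*r[.\s]*u[.\s]*b[.\s]*a/i
describe __SARE_SPEC_ARUBA contains part of the address of a known spammer
#counts __SARE_SPEC_ARUBA 590s/7h of 89433 corpus (67436s/21997h RM) 05/23/04
body __SARE_SPEC_ORGST /O[.\s]*r[.\s]*a*[.\s]*n?[.\s]*[gj][.\s]*e[.\s]*s[.\s]*t[.\s]*a?[.\s]*d?/ims
describe __SARE_SPEC_ORGST contains part of the address of a known spammer
#counts __SARE_SPEC_ORGST 409s/16h of 89433 corpus (67436s/21997h RM) 05/23/04
body __SARE_SPEC_1200B1 /\b1.?2.?0.?0.?b/im
describe __SARE_SPEC_1200B1 contains part of the address of a known spammer
#counts __SARE_SPEC_1200B1 265s/4h of 89433 corpus (67436s/21997h RM) 05/23/04
body __SARE_SPEC_1200B2 /(?:P\.?\s*O\.?\s*(?:B\.*)?|slot|box|post office)\s*1[.\s]*2[.\s]*0[.\s]*0/ims
describe __SARE_SPEC_1200B2 contains part of the address of a known spammer
#counts __SARE_SPEC_1200B2 360s/0h of 89433 corpus (67436s/21997h RM) 05/23/04
body __SARE_SPEC_1200B3 /1[.\s]*2[.\s]*0[.\s]*0[.\s]*-?B/ims
describe __SARE_SPEC_1200B3 contains part of the address of a known spammer
#counts __SARE_SPEC_1200B3 279s/3h of 89433 corpus (67436s/21997h RM) 05/23/04
meta SARE_SPEC_ARUBA ( __SARE_SPEC_1200B1 || __SARE_SPEC_1200B2 || __SARE_SPEC_1200B3 ) && __SARE_SPEC_ARUBA && __SARE_SPEC_ORGST
describe SARE_SPEC_ARUBA contains postal address of spammer
score SARE_SPEC_ARUBA 4.000
#stype SARE_SPEC_ARUBA spamgg
#counts SARE_SPEC_ARUBA 389s/0h of 89433 corpus (67436s/21997h RM) 05/28/04
#counts SARE_SPEC_ARUBA 26s/0h of 32896 corpus ( 9653s/23243h JH) 05/24/04
#counts SARE_SPEC_ARUBA 110s/0h of 18153 corpus (15872s/ 2281h MY) 05/24/04

# From SARE Header (for people who didn't...)
# SARE_SUB_CASINO_OB2 only fires on obfuscated spellings: the (?!\bcasino)
# lookahead rejects the plain word, which SARE_SUB_CASINO below handles
# (with the a/@ and o/0 substitutions).
header SARE_SUB_CASINO_OB2 Subject =~ /(?!\bcasino)\bc.?a.?s.?i.?n.?o/i
describe SARE_SUB_CASINO_OB2 Subject contains obfuscated spammer topic
score SARE_SUB_CASINO_OB2 1.666
# type=obfu
#stype SARE_SUB_CASINO_OB2 obfu
#counts SARE_SUB_CASINO_OB2 3s/0h of 115478 corpus (94289s/21189h RM) 04/24/04
header SARE_SUB_CASINO Subject =~ /\bc[a\@]sin[o0]/i
describe SARE_SUB_CASINO Subject contains spammer subject - gambling
score SARE_SUB_CASINO 0.500
# type=max:0.5
#stype SARE_SUB_CASINO max:0.5
#hist SARE_SUB_CASINO score max set to 0.5 to keep in line with other rules with similar hit rates
#counts SARE_SUB_CASINO 290s/15h of 88920 corpus (66325s/22595h RM) 06/06/04
#max SARE_SUB_CASINO 397s/15h of 115478 corpus (94289s/21189h) 04/24/04

# From 70_sare_header.cf
# Presence test only: any Error-path header hits, whatever its value.
header SARE_HEAD_HDR_EPATH exists:Error-path
describe SARE_HEAD_HDR_EPATH Message headers used which identify spam
score SARE_HEAD_HDR_EPATH 0.555
#stype SARE_HEAD_HDR_EPATH spamp
#counts SARE_HEAD_HDR_EPATH 2s/0h of 71334 corpus (43633s/27701h RM) 10/03/04
#max SARE_HEAD_HDR_EPATH 4s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts SARE_HEAD_HDR_EPATH 0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04

# From 71_sare_redirect_pre3.0.0.cf
# The redundant leading/trailing .* of the original /.*(?:\.|%2e)jpegg\?.*/i
# were dropped: they did not change which URIs hit an unanchored match, but
# made the engine retry the pattern from every position of long,
# sender-controlled URIs.
uri SARE_RD_GEN_B /(?:\.|%2e)jpegg\?/i
describe SARE_RD_GEN_B Generic redirect spam uri
score SARE_RD_GEN_B 2.0

# From SA 3.0 (better version in SA 3.0)
# Fires when the Message-ID has the Outlook "$"-separated shape but X-Mailer
# does not claim Outlook/CDO.  Four score values = SA score sets 0-3.
header __OUTLOOK_DOLLARS_MSGID MESSAGEID =~ /^<[0-9a-f]{12}\$[0-9a-f]{8}\$[0-9a-f]{8}\@\S+>$/m
header __HAS_OUTLOOK_IN_MAILER X-Mailer =~ /Microsoft (CDO|Outlook|Office Outlook)\b/
meta MSGID_DOLLARS (__OUTLOOK_DOLLARS_MSGID && !__HAS_OUTLOOK_IN_MAILER )
describe MSGID_DOLLARS Message-Id has pattern used in spam
lang de describe MSGID_DOLLARS Muster in Kopfzeile "Message-ID" typisch für Spam
lang nl describe MSGID_DOLLARS Message-Id bevat een patroon dat wordt gebruikt in SPAM
score MSGID_DOLLARS 3.040 3.076 3.608 2.661

# From SA 3.0
# Each character class accepts leet digits/punctuation and Latin-1 accented
# letters (\xE8-\xEB etc.) as stand-ins for a letter of "sexually explicit".
header SUBJECT_SEXUAL Subject =~ /[s5][e3\xE8-\xEB]x[u\xB5\xF9-\xFC][a4\xE0-\xE6@][l!|1](?:[l!|1]y)?.{0,2}[e3\xE8-\xEB]xp[l!|1][i1!|l\xEC-\xEF]c[i1!|l\xEC-\xEF]t/i
describe SUBJECT_SEXUAL Subject indicates sexually-explicit content
lang de describe SUBJECT_SEXUAL Betreff weist auf sexuellen Nachrichtentext hin
score SUBJECT_SEXUAL 2.160 2.538 2.775 2.900

# From SA 3.0
# A Received line claiming "(Postfix)" whose trailing timestamp has exactly the
# shape "\S+ \d+ \S+ \d+ hh:mm:ss \S+" at end of string (/s); presumably a
# layout real Postfix does not write -- confirm against a real header before
# retuning.
header RATWARE_RCVD_PF Received =~ / \(Postfix\) with ESMTP id [^;]+\; \S+ \d+ \S+ \d+ \d+:\d+:\d+ \S+$/s
describe RATWARE_RCVD_PF Bulk email fingerprint (Received PF) found
lang de describe RATWARE_RCVD_PF Gefälschte "Received"-Kopfzeile von Postfix
lang fr describe RATWARE_RCVD_PF Fausse en-tete Received imitant Postfix
score RATWARE_RCVD_PF 2.880 3.384 3.608 3.867

# Yahoo suspect Message-ID are now in SA 3.0
# The "." in yahoo\.com is now escaped; unescaped it matched any character, so
# a Message-ID such as <ABC@yahooXcom> (constructed) hit as well.  The local
# part must still be uppercase letters only.
header MSGID_YAHOO_CAPS Message-ID =~ /<[A-Z]+\@yahoo\.com>/
describe MSGID_YAHOO_CAPS Message-ID has ALLCAPS@yahoo.com
score MSGID_YAHOO_CAPS 2.425 0.702 2.442 3.800

# Found in SA 3.0.1
# Case-sensitive on purpose (no /i): the local part must be 5+ lowercase letters.
header MSGID_SPAM_LETTERS Message-Id =~ /<[a-z]{5,}\@(\S+\.)+\S+>/
describe MSGID_SPAM_LETTERS Spam tool Message-Id: (letters variant)
lang de describe MSGID_SPAM_LETTERS Kopfzeile "Message-ID" von Spam-Software erzeugt (Buchstaben)
lang nl describe MSGID_SPAM_LETTERS Spam tool Message-Id: (letters variant)
score MSGID_SPAM_LETTERS 2.960 3.151 3.052 2.709

# From /etc/spamassassin/70_sare_header.cf
# "(?!ffff)" exempts the all-lowercase boundary of the ham senders named in the
# #ham line below.
header SARE_BOUNDARY_LC Content-Type =~ /boundary="(?!ffff)[a-z]+"/
describe SARE_BOUNDARY_LC Content type boundary used in spam
score SARE_BOUNDARY_LC 1.494
#hist SARE_BOUNDARY_LC Created by Bob Menschel May 31 2004
#ham SARE_BOUNDARY_LC "ffff": Game Rival , ThePerfectGreeting
#counts SARE_BOUNDARY_LC 138s/0h of 69632 corpus (42598s/27034h RM) 09/26/04
#counts SARE_BOUNDARY_LC 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts SARE_BOUNDARY_LC 33s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2

# From SA 3.0.1
# Gappy drug names: each .{0,2} (.{0,1} for soma, .{0,6} in phentermine)
# allows that many filler characters between letters.  Only the 'cialis' and
# 'soma' variants are \b-anchored; the others also hit inside longer words.
header SUBJECT_DRUG_GAP_C Subject =~ /\bc.{0,2}i.{0,2}a.{0,2}l.{0,2}i.{0,2}s\b/i
describe SUBJECT_DRUG_GAP_C Subject contains a gappy version of 'cialis'
header SUBJECT_DRUG_GAP_L Subject =~ /l.{0,2}e.{0,2}v.{0,2}i.{0,2}t.{0,2}r.{0,2}a/i
describe SUBJECT_DRUG_GAP_L Subject contains a gappy version of 'levitra'
header SUBJECT_DRUG_GAP_P Subject =~ /p.{0,2}h.{0,6}t.{0,2}e.{0,2}r.{0,2}m/i
describe SUBJECT_DRUG_GAP_P Subject contains a gappy version of 'phentermine'
header SUBJECT_DRUG_GAP_S Subject =~ /\bs.{0,1}o.{0,1}m.{0,1}a\b/i
describe SUBJECT_DRUG_GAP_S Subject contains a gappy version of 'soma'
header SUBJECT_DRUG_GAP_VA Subject =~ /v.{0,2}a.{0,2}l.{0,2}i.{0,2}u.{0,2}m/i
describe SUBJECT_DRUG_GAP_VA Subject contains a gappy version of 'valium'
header SUBJECT_DRUG_GAP_VIA Subject =~ /v.{0,2}i.{0,2}a.{0,2}g.{0,2}r.{0,2}a/i
describe SUBJECT_DRUG_GAP_VIA Subject contains a gappy version of 'viagra'
header SUBJECT_DRUG_GAP_VIC Subject =~ /v.{0,2}i.{0,2}c.{0,2}[0o].{0,2}d.{0,2}i.{0,2}n/i
describe SUBJECT_DRUG_GAP_VIC Subject contains a gappy version of 'vicodin'
header SUBJECT_DRUG_GAP_X Subject =~ /x.{0,2}a.{0,2}n.{0,2}a.{0,2}x/i
describe SUBJECT_DRUG_GAP_X Subject contains a gappy version of 'xanax'
lang de describe SUBJECT_DRUG_GAP_C Betreff enthält 'cialis' mit L.ü.c.k.e.n
lang de describe SUBJECT_DRUG_GAP_L Betreff enthält 'levitra' mit L.ü.c.k.e.n
lang de describe SUBJECT_DRUG_GAP_P Betreff enthält 'phentermine' mit L.ü.c.k.e.n
lang de describe SUBJECT_DRUG_GAP_S Betreff enthält 'soma' mit L.ü.c.k.e.n
lang de describe SUBJECT_DRUG_GAP_VA Betreff enthält 'valium' mit L.ü.c.k.e.n
lang de describe SUBJECT_DRUG_GAP_VIA Betreff enthält 'viagra' mit L.ü.c.k.e.n
lang de describe SUBJECT_DRUG_GAP_VIC Betreff enthält 'vicodin' mit L.ü.c.k.e.n
lang de describe SUBJECT_DRUG_GAP_X Betreff enthält 'xanax' mit L.ü.c.k.e.n
score SUBJECT_DRUG_GAP_C 1.993 1.917 2.501 1.325
score SUBJECT_DRUG_GAP_L 2.117 2.726 2.181 2.456
score SUBJECT_DRUG_GAP_P 0.621 0.765 0.698 1.425
score SUBJECT_DRUG_GAP_S 2.005 0.277 2.920 2.041
score SUBJECT_DRUG_GAP_VA 2.005 1.922 2.934 3.680
score SUBJECT_DRUG_GAP_VIA 2.659 1.770 3.158 0.253
score SUBJECT_DRUG_GAP_VIC 2.560 2.961 2.691 2.868
score SUBJECT_DRUG_GAP_X 2.538 2.282 2.945 2.512

# From 70_sare_oem.cf
body RM_bpoem_InstantDL /instant download/i
describe RM_bpoem_InstantDL Contains spammer phrasing - oem s/w
score RM_bpoem_InstantDL 1.820
#hist RM_bpoem_InstantDL Created by Bob Menschel Sep 10 2004
#counts RM_bpoem_InstantDL 82s/0h of 66096 corpus (40118s/25978h RM) 09/12/04

# From 70_sare_oem.cf
# A four-character "year" starting with 2 in which at least one of the next two
# characters is the letter O rather than zero: (?!00) excludes the all-digit
# case, e.g. "2OO4" hits, "2004" does not (constructed examples).  The rule
# originally shipped without a describe line; one is added here.
body SARE_OEM_FAKE_YEAR /\b2(?!00)[O0]{2}\d\b/
describe SARE_OEM_FAKE_YEAR Year written with letter O in place of zero
score SARE_OEM_FAKE_YEAR 1.70

# From 70_sare_adult.cf
# "inter+acial" deliberately accepts one or more r's (interracial / interacial).
header SARE_ADLTSUB2 Subject =~ /\b(?:blow|climax|enlarg(e|ment)|fuck|inter+acial|lick|porn|penis|pervert|pussy|tits|tight|vagina|virgins?)\b/i
describe SARE_ADLTSUB2 Contains possible adult words
score SARE_ADLTSUB2 1.666

# From 70_sare_header.cf
# Two "@" in the Message-ID, except the TLZ shape (see the #ham lines) and the
# comcast.net shape excluded by the two lookaheads.  The "." in comcast\.net is
# now escaped; unescaped it widened that exclusion to any character in that
# position.
header SARE_MSGID_DBL_AT MESSAGEID =~ /(?!\@.+\@TLZ>)(?!(\@A)?\@0+\@comcast\.net>)\@\S+\@.+>/
describe SARE_MSGID_DBL_AT Message ID has two at signs
score SARE_MSGID_DBL_AT 1.000
#stype SARE_MSGID_DBL_AT max:1.0 # due to ham
#hist SARE_MSGID_DBL_AT Created by Bob Menschel May 3 2004, enhanced June 1 2004
#ham SARE_MSGID_DBL_AT HGTV : <2002110_@TLZ27645874_@TLZ>
#ham SARE_MSGID_DBL_AT Web Response Help : <200336_@TLZ1365381_@TLZ>
#counts SARE_MSGID_DBL_AT 781s/0h of 71334 corpus (43633s/27701h RM) 10/03/04
#max SARE_MSGID_DBL_AT 991s/0h of 66970 corpus (41750s/25220h RM) 09/04/04
#counts SARE_MSGID_DBL_AT 317s/8h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts SARE_MSGID_DBL_AT 432s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2

# From SA 3.0.1
header INVALID_TZ_GMT ALL =~ /[+-]\d\d[30]0(?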