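# A1R: header tests for mail that is (almost) always spam.
#
# Every recipe in this file has the same shape: when its conditions match
# it sets SBLOG, logs through ${SBDIR}/functions/loglevel.rc and then adds
# a fixed weight to SBSCORE with the "${SBSCORE}^0 / w^0 / $=" scoring
# idiom.  Nothing here delivers, bounces or discards mail; the including
# rc file acts on the accumulated score.  The weight is 8 for the hard
# rules and 5 for the two heuristic ones (HELO-IP mismatch, YahooGroups
# relay check).
#
# Variables referenced but not defined here, expected to be set by the
# including rc before this file is read:
#   SBDIR, SBSCORE, FIRSTEXHELO, FIRSTEXIP, FIRSTEXHELOIPREGEXP,
#   LOCALHELOCHECKING, LOCALHOSTFILE, TOLOGON, TEST, GREP
#
# procmail facts that shape the patterns below:
#   - regexps are case-insensitive unless the recipe carries the D flag;
#   - there is no {n} repetition operator, so length checks spell out
#     runs of dots;
#   - a trailing backslash continues a regexp on the next line, and the
#     continuation lines start in column 0 so that no indentation leaks
#     into the pattern.

# SMTP overflow bug exploit: a Received: header of 510 or more characters
# (20 + 7*70 dots).  No legitimate MTA writes a single header that long.
:0
* ^Received:....................\
......................................................................\
......................................................................\
......................................................................\
......................................................................\
......................................................................\
......................................................................\
......................................................................
{
  SBLOG="A1R-SMTP overflow bug exploit"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Missing From: header (RFC 2822 requires one).
:0
* !^From:
{
  SBLOG="A1R-Missing From:"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Empty From: header -- nothing but whitespace, or an empty "<>" angle
# address (the null sender is only valid as an envelope sender).
:0
* ^From:([ ]$|<[ ]?>$)
{
  SBLOG="A1R-Empty From:"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Ridiculously overlong Message-ID: more than 200 characters between the
# angle brackets (69 dots + .* on the last line, after two lines of 70).
:0
* ^Message-ID:.*<......................................................................\
......................................................................\
......................................................................*>$
{
  SBLOG="A1R-Ridiculously Overlong Message-ID:"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Ridiculously overlong Subject: 210 or more characters on the first line
# of the header (69 dots + .+ on the last line, after two lines of 70).
:0
* ^Subject: ......................................................................\
......................................................................\
......................................................................+$
{
  SBLOG="A1R-Ridiculously Overlong Subject:"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Fake Pegasus Mail headers.  Two independent tells set BOGUSPEGASUS, a
# third recipe scores it:
#   1. Pegasus-specific headers (Comments: ... Authenticated Sender, or
#      X-PMFLAGS:) without the Pegasus X-Mailer: line;
#   2. the spamware signature "Pegasus Mail for Win32 (v3.11)" in
#      Errors-To: or Return-Path:, where real Pegasus never puts it.
#      The parentheses and the dot are escaped so that the literal text
#      is matched; unescaped, "(v3.11)" would be a regexp group and the
#      condition could never match the string it is looking for.
:0
* ^(Comments:.*Authenticated Sender|\
X-PMFLAGS:.*)
* !^X-Mailer: Pegasus
{ BOGUSPEGASUS=yes }

:0
* (Errors-To|Return-Path): Pegasus Mail for Win32 \(v3\.11\)
{ BOGUSPEGASUS=yes }

:0
* BOGUSPEGASUS ?? yes
{
  SBLOG="A1R-Bogus Pegasus Headers"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Misspelled Message-ID: header names emitted by known spamware.
:0
* ^(Messege-ID|\
Messxge-ID):
{
  SBLOG="A1R-Bogus Message-ID header"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Spammy From: header shapes.  Scored recipe: starts at -1000, each
# spam tell adds 1100 (so one tell is enough), and reply / forward /
# EOM subjects subtract 500 because forwarded spam is not the sender's
# fault.  The recipe fires when the total is positive.
#   - display name glued to the angle address with no space
#     ("name<user@host>");
#   - From: at localhost.localdomain.
:0
* -1000^0
* -500^0 ^Subject: Re:
* -500^0 ^Subject:.*\(fwd\)$
* -500^0 ^Subject:.*\(EOM\)$
* 1100^0 ^From: .*[0-9a-z][-_0-9a-z]*<[0-9a-z][-_0-9a-z]*@[0-9a-z][-_0-9a-z\.]*>
* 1100^0 ^From: .*localhost\.localdomain(^|[^-_0-9a-z])
{
  SBLOG="A1R-Spammy From Header Tag"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Spam Subject: tags, same -1000 / +1100 / -500 scheme as above:
#   - subject ending in "(NNN...)" or " -NNN..." (mailer-merge counters);
#   - the "ADV:" / "(ADV)" / "[ADV]" advertising labels, plus a loose
#     spelling with optional separators between the letters.
# The "(ADV)" form is escaped: as a bare group it would match any subject
# starting with "adv" (procmail is case-insensitive here), e.g. "Advice".
:0
* -1000^0
* -500^0 ^Subject: Re:
* -500^0 ^Subject:.*\(fwd\)$
* -500^0 ^Subject:.*\(EOM\)$
* 1100^0 ^Subject:.*\([0-9][0-9][0-9]?[0-9]?[0-9]?[0-9]?[0-9]?\)$
* 1100^0 ^Subject:.*[ ]\-[0-9][0-9][0-9]?[0-9]?[0-9]?[0-9]?[0-9]?$
* 1100^0 ^Subject: ADV:
* 1100^0 ^Subject: \(ADV\)
* 1100^0 ^Subject: \[ADV\]
* 1100^0 ^Subject: [^0-9a-z]?A[^0-9a-z]?D[^0-9a-z]?V[^0-9a-z]
{
  SBLOG="A1R-Spam Subject Header Tag"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Spammy To: header tags.  B and H flags: the regexps are tried against
# body and header, so that a forwarded copy of the original headers is
# seen too.  Tells: a bare To: of "NNN", "friend", "hk-...", "user" or
# "you", or a To: at a placeholder domain.  A To: containing "@" and the
# forwarded-message markers subtract 500.
:0 BH
* -1000^0
* -500^0 ^Subject: Re:
* -500^0 ^Subject:.*\(fwd\)$
* -500^0 ^Subject:.*\(EOM\)$
* -500^0 --.*forwarded message --
* -500^0 ^forwarded message:$
* -500^0 ^To:.*@
* 1100^0 ^To:.*(^|[^-_0-9a-z])([1-9][0-9][0-9]|\
friend|\
hk[-0-9][-0-9]*|\
user|\
you)$
* 1100^0 ^To:.*(^|[^-_0-9a-z])(friend@public\.com|\
localhost\.localdomain|\
user@[a-z][-_a-z0-9]*\.?(com|net|org)?)([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Spammy To/CC Header Tag"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Forged HELO: HELO strings that have only ever been seen from spamware.
#
# D flag: case-sensitive, because several entries are deliberately
# mixed-case.  Each condition looks for the HELO name as recorded in a
# Received: line -- "(HELO name)" / "(EHLO name)" (qmail style) or
# "from name" (sendmail/Postfix style) -- delimited by a space or a
# parenthesis on both sides.  Scoring: -1000 base, +1100 per hit, so a
# single hit fires the recipe.  Keep the list alphabetical; every dot in
# a domain name must be escaped.
:0 D
* -1000^0
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) \.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) \.\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) 12\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) 126[0-9][0-9][0-9]\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) 80g( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) 9oiyg( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) [a-z]dm10[0-9]( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) aa-9f460272f1fe( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) aaa\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) aaa\.asn\.au( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) aasdf-jtkv84tqb( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) abnersip3v93ue( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) acb( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) addr\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) ADDWEWEXDSDF3( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) Adolfo( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) allegro\.no( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) amity-f3ztot0ep( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) antrhax( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) aoaoman( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) APEXY( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) aport\.ru( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) ase\.md( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) astarte\.ch( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) asus( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) atd-clan\.de( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) Audi( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) aysun( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) baby( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) badd?y( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) bbcc-2e3e466109( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) benq-[0-9a-z]+( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) bigo-a8bpl8jpxl( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) billgates( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) BINNAZ( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) biz1368\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) boda( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) bodaying-[0-9a-z]+( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) boss( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) Brutus( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) bt-teg-01( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) bundesregierung\.de( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) C23236_26040( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) cab\.de( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) capivara( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) CatholicSpank( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) cbsnkjwgxfqe( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) CDI_INTERNET( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) cel2000( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) chinagrafix\.de( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) claro( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) clergynet( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) cliente(-[0-9a-z]+)?( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) comp( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) company\.mail( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) compu[0-9]\.( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) compuserve\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) computer-[0-9]+( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) computerdr( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) conceptkauf( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) corbett-rs3mglj( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) crm004( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) cvc-[0-9a-z]+( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) c-zjef8tc8udr79( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) DABAO( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) dado( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) daimaru-2000( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) daytona( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) dfllly( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) dginfo22( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) dina( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) dm14( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) domilibros( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) DOUG( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) DumeCasa( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) DVD1( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) dwng( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) e[a-z]m11[0-9]( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) EDUARDO( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) efly( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) elbacristianpro( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) elsevier\.nl( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) EnterComputerNameHere( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) EXFHM-HB68( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) eyyjbn( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) fff510qiz( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) friend( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) FRONTSTORE( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) fss( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) g1( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) gavin( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) gbh( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) gco( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) GHONORATO( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) gigabyte\.com\.tw( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) gina( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) goodpeter( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) gris( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) guardian9( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) guto( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) gws8852( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) hai-truapbea2p7( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) hcaaopenpc( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) here( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) herpcx( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) hoge( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) HOME-XP( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) home1( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) hp-[0-9a-z]+( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) ibmfk01gn6----( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) ibm-qux6osig6zd( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) IMGYP83( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) i-Talk( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) izvestia\.ru( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) jacoby-ou1eu0ru( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) JIMMY( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) [jk]m1[0-9]( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) jonholl( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) JuanCarlos( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) K6-300( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) kdgl_wei( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) kenny-mail( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) kimo( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) kmomzydj( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) KNKN( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) KOZA-22( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) KPD9NK8OSVCKJOD( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) legend( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) linux-[0-9a-z]+( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) longxiao( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) LOVER( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) lpwsa( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) lungtrax-hkqjda( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) mail-01( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) mail\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) mail2[a-z]+\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) mail\.[M-O]......[KQ]\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) mang( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) masikad( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) matrox-2( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) MJ5( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) MJKIM( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) mm( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) mms22( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) moonlight( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) morado( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) msn\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) mychat-25053e12( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) mydomain\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) nathan-535beff7( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) new( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) newtonpost1( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) NFBEC-WZ33( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) nhorsley( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) nirvana( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) nm1[0-9]( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) NOMBRE-VJ3MHWCC( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) ns-alibi( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) ntfs4( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) nullpmws4esytf( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) NUUWR-WO79( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) oinke[0-9]?(\.oinke)?( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) oku-je\.cz(\.oinke)?( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) ommo\.net( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) omya\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) oom1( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) ooxx6688-xuujc6( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) ossama( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) OXFA32( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) particul-6b2e27( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) partyyy( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) paziu( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) pc( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) pchome( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) piripipi( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) prodigy( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) protovision( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) pt800( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) puripe( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) qjwlddn( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) qpe8441( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) qs2( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) ri[ck]ardo( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) RICARDO( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) Ricardo( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) riston( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) rjs1( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) s1( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) SALES-[a-z]( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) se03( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) senect-gp3vx3pi( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) shawohwa-mg64x8( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) sina688\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) SMTP0( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) softdnserror( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) sohu[0-9]+\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) spam( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) srau\.net( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) ss\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) sss-ftqx5sp9ay0( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) stc[0-9]+( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) strana\.ru( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) subdomains( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) sw-0206( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) SYS( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) tamar-hanuka( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) testpc( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) tgttvrvln( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) TmpStr( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) TOM( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) tom\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) tpts7( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) U-203( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) [uv]m1[0-9]( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) user( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) user-[0-9a-z]+( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) usuario-hyhaya5( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) utro\.ru( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) UWPF13( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) vip1264\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) vlm[0-9]+(\.[a-z][a-z][a-z]?[a-z]?)?( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) vxcbf2143hjk( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) wl0f( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) w544k5pnv1hqn4q( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) Wade20( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) web( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) well( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) wendel( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) WHWHSTREM( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) winai( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) wm17( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) wonder-super( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) worldtel-fpulam( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) wu( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) www( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) wwwomen\.ru( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) x6r0j1( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) xmxpita( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) xoat( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) xx( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) xyz-[0-9a-z]+( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) yahoo( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) yahoo[0-9]+\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) yorkies( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) your-ytekyfc6hg( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) ypwin888-58888( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) yy0( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) zdld-dx( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) ZHANGCHUNYONG( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) zmryqyblib\.com( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) zsvzxd( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) zx640wfe( |[)])
* 1100^0 ( |[(])(EHLO|ehlo|HELO|helo|from) zzgjj\.net( |[)])
{
  SBLOG="A1R-Forged HELO (known spam string)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Forged HELO for specific well-known domains.
#
# Two families of check.  The first three compare the HELO against the
# IP ranges the provider was using when the rule was written; the rest
# treat a HELO of <domain> as forged when no From: address is at that
# domain.  The hard-coded address ranges (202.108.x.x, 61.140.60.x, the
# Hotmail and YahooGroups blocks further down) are a snapshot and will
# drift -- review them against current allocations before relying on
# them.  These recipes have no D flag, so matching is case-insensitive.

# 126.com: HELO 126.com from outside 202.108.0.0/16.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) 126\.com( |[)])
* ! ^Received:.*[^0-9a-z]202\.108\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?([^a-z0-9.]|$)
{
  SBLOG="A1R-Forged HELO (126.com)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# 163.com: HELO 163.com from outside 202.108.0.0/16.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) 163\.com( |[)])
* ! ^Received:.*[^0-9a-z]202\.108\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?([^a-z0-9.]|$)
{
  SBLOG="A1R-Forged HELO (163.com)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# 21cn.com: HELO 21cn.com from outside 61.140.60.0/24.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) 21cn\.com( |[)])
* ! ^Received:.*[^0-9a-z]61\.140\.60\.[0-9][0-9]?[0-9]?([^a-z0-9.]|$)
{
  SBLOG="A1R-Forged HELO (21cn.com)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# AOL: HELO aol.com without an aol.com From: address.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) aol\.com( |[)])
* ! ^From:.*[^0-9a-z]aol\.com([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Forged HELO (aol.com)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Amazon: HELO amazon.com without an amazon.com From: address.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) amazon\.com( |[)])
* ! ^From:.*[^0-9a-z]amazon\.com([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Forged HELO (amazon.com)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# apl.no: HELO apl.no without an apl.no From: address.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) apl\.no( |[)])
* ! ^From:.*[^0-9a-z]apl\.no([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Forged HELO (apl.no)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# asbjerg.dk: HELO asbjerg.dk without an asbjerg.dk From: address.
# The From: test must use the same domain as the HELO test; with a
# different TLD here every genuine asbjerg.dk message would be scored.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) asbjerg\.dk( |[)])
* ! ^From:.*[^0-9a-z]asbjerg\.dk([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Forged HELO (asbjerg.dk)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# barmaton.nl: HELO barmaton.nl without a barmaton.nl From: address.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) barmaton\.nl( |[)])
* ! ^From:.*[^0-9a-z]barmaton\.nl([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Forged HELO (barmaton.nl)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# BEA: HELO bea.com without a bea.com From: address.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) bea\.com( |[)])
* ! ^From:.*[^0-9a-z]bea\.com([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Forged HELO (bea.com)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# bifrost.is: HELO bifrost.is without a bifrost.is From: address.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) bifrost\.is( |[)])
* ! ^From:.*[^0-9a-z]bifrost\.is([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Forged HELO (bifrost.is)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Borland: HELO borland.com without a borland.com From: address.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) borland\.com( |[)])
* ! ^From:.*[^0-9a-z]borland\.com([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Forged HELO (borland.com)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# coldcathode.com.hk: HELO without a matching From: address.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) coldcathode\.com\.hk( |[)])
* ! ^From:.*[^0-9a-z]coldcathode\.com\.hk([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Forged HELO (coldcathode.com.hk)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Excite: HELO excite.com without an excite.com From: address.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) excite\.com( |[)])
* ! ^From:.*[^0-9a-z]excite\.com([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Forged HELO (excite.com)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Google: HELO google.com without a google.com From: address.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) google\.com( |[)])
* ! ^From:.*[^0-9a-z]google\.com([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Forged HELO (google.com)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Hotmail: HELO hotmail.com with no Received: (or X-Received:) line from
# the Hotmail address blocks known at the time (64.4.0.0/18, 65.52.0.0/14).
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) hotmail\.com( |[)])
* ! ^(X-)?Received: from .*([(]|\[)(64\.4\.[0-9]\.[0-9][0-9]?[0-9]?|\
64\.4\.[1-5][0-9]\.[0-9][0-9]?[0-9]?|\
64\.4\.6[0-3]\.[0-9][0-9]?[0-9]?|\
65\.5[2-5]\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?)([^a-z0-9.]|$)
{
  SBLOG="A1R-Forged HELO (hotmail.com)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Microsoft: HELO [host.]microsoft.com without a From: at hotmail.com,
# microsoft.com or msn.com.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) ([0-9a-z]+\.)?microsoft\.com( |[)])
* ! ^From:.*[^0-9a-z](hotmail|microsoft|msn)\.com([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Forged HELO (microsoft.com)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Monster: HELO monster.com without a monster.com From: address.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) monster\.com( |[)])
* ! ^From:.*[^0-9a-z]monster\.com([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Forged HELO (monster.com)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# namoweb.net: HELO namoweb.net without a namoweb.net From: address.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) namoweb\.net( |[)])
* ! ^From:.*[^0-9a-z]namoweb\.net([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Forged HELO (namoweb.net)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Sun: HELO sun.com without a sun.com From: address.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) sun\.com( |[)])
* ! ^From:.*[^0-9a-z]sun\.com([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Forged HELO (sun.com)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Yahoo: HELO yahoo, yahoo.com, yahoo.com.cc or yahoo.cc without a
# From: address at one of the yahoo domains.
:0
* ( |[(])(EHLO|ehlo|HELO|helo|from) yahoo(\.com(\.[a-z][a-z])?|\.[a-z][a-z])?( |[)])
* ! ^From:.*[^0-9a-z]yahoo(\.com(\.[a-z][a-z])?|\.[a-z][a-z])([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Forged HELO (Yahoo)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# HELO is a dotted-quad that is not the connecting IP.
#
# FIRSTEXHELO / FIRSTEXIP are the HELO string and the peer address of the
# first external hop, as extracted by the including rc; 000.000.000.000
# is its "unknown" sentinel.  check-cidr.rc is run with the HELO IP as
# LOCALIPREGEXP against the ICANN non-routable list; the inner recipe
# scores only while LT2 is still "no", which (presumably -- confirm in
# check-cidr.rc) means the HELO IP is not a private/non-routable address,
# so NAT'd clients announcing their inside address are not penalised.
# Weight 5: this is a heuristic, not a hard rule.
:0
* FIRSTEXHELO ?? ^[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?$
* ! FIRSTEXHELO ?? ^000\.000\.000\.000$
* $ ! FIRSTEXHELO ?? ^${FIRSTEXIP}$
{
  LOCALIPREGEXP=${FIRSTEXHELOIPREGEXP}
  TESTCIDR=${SBDIR}/info/icann-nonroutable-ips.cidr
  LT2=no
  INCLUDERC=${SBDIR}/functions/check-cidr.rc

  :0
  * LT2 ?? no
  {
    SBLOG="A1R-Forged HELO (HELO IP does not match actual IP)"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    :0
    * $ ${SBSCORE}^0
    * 5^0
    { SBSCORE=$= }
  }
}

# Non-local mail HELOing as one of our own hosts or IPs.
#
# E flag: only tried when the previous (HELO-IP) recipe did not match.
# Only active when the site sets LOCALHELOCHECKING=yes and LOCALHOSTFILE
# exists; host.example.com is the unconfigured default HELO.
#
# SECURITY: FIRSTEXHELO is taken from the message and is interpolated
# into a shell command line below.  A HELO containing shell metacharacters
# (";", "|", backquotes, a closing double quote) would be handed to
# ${SHELL} with those characters intact.  The extra condition therefore
# only lets through plain hostname-like strings -- leading alphanumeric,
# then letters, digits, "-", "_" and "." -- before grep is invoked; the
# leading-character rule also stops a HELO of "-x" being read as an
# option.  grep -x anchors the whole line, so "." is the only regexp
# metacharacter that can survive.
:0 E
* LOCALHELOCHECKING ?? yes
* ! FIRSTEXIP ?? ^000\.000\.000\.000$
* ! FIRSTEXHELO ?? ^host\.example\.com$
* FIRSTEXHELO ?? ^[a-z0-9][-_.a-z0-9]*$
* ? ${TEST} -f ${LOCALHOSTFILE}
{
  :0
  * ? ${GREP} -i -x "${FIRSTEXHELO}" ${LOCALHOSTFILE}
  {
    SBLOG="A1R-Forged HELO (Non-local email HELOing as local IP or host)"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    :0
    * $ ${SBSCORE}^0
    * 8^0
    { SBSCORE=$= }
  }
}

# Non-local mail HELOing as the local logon (TOLOGON is a site-supplied
# regexp).  The "TOLOGON ?? ." guard ensures it is non-empty: an empty
# regexp in a $-expanded condition matches every message.
:0
* LOCALHELOCHECKING ?? yes
* ! FIRSTEXIP ?? ^000\.000\.000\.000$
* TOLOGON ?? .
* $ FIRSTEXHELO ?? ${TOLOGON}
{
  SBLOG="A1R-Forged HELO (Non-local email HELOing as local logon)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Bogus Received: header with both host names missing ("from by ;").
# Reply / forward subjects subtract 500 as in the tag recipes above.
:0
* -1000^0
* -500^0 ^Subject: Re:
* -500^0 ^Subject:.*\(fwd\)$
* -500^0 ^Subject:.*\(EOM\)$
* 1100^0 ^Received: from by ;
{
  SBLOG="A1R-Bogus Received Headers"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Invalid IP in a bracketed Received: address: last octet above 255, or
# a three-digit octet with a leading zero.  The second condition exempts
# a specific malformed-but-legitimate "[a.b.c.NNN.4xxxx] ident=root"
# form that some relay emits.
:0
* ^Received.*\[[0-9\.]*([03-9][0-9][0-9]|2[6-9][0-9]|25[6-9])\]([^a-z0-9.]|\. |\.$|$)
* ! ^Received.*\[[0-9\.]*([03-9][0-9][0-9]|2[6-9][0-9]|25[6-9])\.4[0-9][0-9][0-9][0-9]\] ident=root
{
  SBLOG="A1R-Invalid IP"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Unexpanded mail-merge placeholders left behind by bulk mailers
# (%RND_UC_CHAR, %CUSTOM_MIMEOLE, %CURRENT_DATE_TIME).  Forwarded-message
# markers subtract 500 so that reports of spam are not themselves scored.
:0
* -1000^0
* -500^0 --.*forwarded message --
* -500^0 ^forwarded message:$
* 1100^0 ^Subject:.*[^0-9a-z]%RND_UC_CHAR([^a-z0-9.]|\. |\.$|$)
* 1100^0 ^X-MimeOLE: %CUSTOM_MIMEOLE$
* 1100^0 %CURRENT_DATE_TIME([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Broken Mail-Merge Codes"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 8^0
  { SBSCORE=$= }
}

# Bogus YahooGroups mail: list headers pointing at yahoogroups.com, but
# no Received: line from a Yahoo address block.  The block list is a
# snapshot of Yahoo's ranges at the time of writing and must be kept up
# to date, which is why this is weighted 5 rather than 8.
:0
* ^(Delivered-To|List-Unsubscribe|Mailing-List):.*[^0-9a-z]yahoogroups\.com([^a-z0-9.]|\. |\.$|$)
* ! ^Received: from .*([(]|\[)(66\.94\.22[4-9]\.[0-9][0-9]?[0-9]?|\
66\.94\.23[0-9]\.[0-9][0-9]?[0-9]?|\
66\.163\.1[6-8][0-9]\.[0-9][0-9]?[0-9]?|\
66\.163\.19[0-1]\.[0-9][0-9]?[0-9]?|\
66\.218\.6[4-9]\.[0-9][0-9]?[0-9]?|\
66\.218\.[7-8][0-9]\.[0-9][0-9]?[0-9]?|\
66\.218\.9[0-5]\.[0-9][0-9]?[0-9]?|\
68\.142\.19[2-9]\.[0-9][0-9]?[0-9]?|\
68\.142\.2[0-4][0-9]\.[0-9][0-9]?[0-9]?|\
68\.142\.25[0-5]\.[0-9][0-9]?[0-9]?|\
206\.190\.3[2-9]\.[0-9][0-9]?[0-9]?|\
206\.190\.[4-5][0-9]\.[0-9][0-9]?[0-9]?|\
206\.190\.6[0-3]\.[0-9][0-9]?[0-9]?|\
209\.73\.1[6-8][0-9]\.[0-9][0-9]?[0-9]?|\
209\.73\.19[0-1]\.[0-9][0-9]?[0-9]?|\
216\.109\.11[2-9]\.[0-9][0-9]?[0-9]?|\
216\.109\.12[0-7]\.[0-9][0-9]?[0-9]?|\
216\.136\.17[2-5]\.[0-9][0-9]?[0-9]?|\
216\.136\.22[4-7]\.[0-9][0-9]?[0-9]?|\
216\.155\.19[2-9]\.[0-9][0-9]?[0-9]?|\
216\.155\.20[0-7]\.[0-9][0-9]?[0-9]?|\
217\.12\.1[0-2]\.[0-9][0-9]?[0-9]?)(\]|[)])([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-Bogus YahooGroups Headers"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 5^0
  { SBSCORE=$= }
}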