# Headers which usually indicate spam, but not always.
#
# Layout of every rule below: an outer recipe tests the message, and on a
# match sets SBLOG to the rule's label, includes
# ${SBDIR}/functions/loglevel.rc (not shown here; presumably it logs SBLOG
# according to the configured log level), then runs a nested scoring recipe.
# In that nested recipe `* $ ${SBSCORE}^0` and `* N^0` are procmail
# weighted-scoring conditions, and `SBSCORE=$=` stores the resulting total,
# so each hit adds N (2, 3 or 5 in this file) to the running SBSCORE.
#
# NOTE(review): apart from Received: lines added by your own MTA, every
# header tested here is written by the sender. The rules are additive
# heuristics; none is evidence of origin on its own.
#
# NOTE(review): the `[ ]` classes in this copy hold a single space. Procmail
# recipes often use space+tab in that position, and the tab may have been
# lost when this listing was extracted; confirm against the upstream file.

# Empty Message-ID:
:0
* ^Message-ID: ([ ]|<>|< >)$
{
  SBLOG="A1R-Empty Message-ID:"

  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 3^0
  { SBSCORE=$= }
}

# Missing To:
# Skipped when the Subject: contains "(fwd)". That exemption is keyed on
# sender-supplied text, so it reduces false positives but is not a trust signal.
:0
* !^To:
* !^Subject: .*\(fwd\)
{
  SBLOG="A1R-Missing To:"

  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 2^0
  { SBSCORE=$= }
}

# Empty To:
# Same "(fwd)" Subject: exemption as the Missing To: rule.
:0
* ^To:[ ]??$
* !^Subject: .*\(fwd\)
{
  SBLOG="A1R-Empty To:"

  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 5^0
  { SBSCORE=$= }
}

# Ridiculously overlong To: or Cc: headers
# The pattern is one long run of "address, " units; `,$?` lets each comma be
# followed by a line break between addresses.
:0
* ^(To|Cc):.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?\
        .*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?\
        .*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?\
        .*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?\
        .*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?\
        .*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?\
        .*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?\
        .*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?\
        .*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?\
        .*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?\
        .*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?\
        .*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?.*@.*,$?\
        .*@.*,$?.*@.*
{
  SBLOG="A1R-Overlong To: or Cc:"

  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 3^0
  { SBSCORE=$= }
}

# Multiple To: headers
# `(.*$)+` consumes one or more whole lines, so the second `To:` has to start
# a later header line.
:0
* ^To:(.*$)+To:
{
  SBLOG="A1R-Multiple To: Headers"

  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 5^0
  { SBSCORE=$= }
}

# TO: Headers which almost always indicate spam.
# `^TO` is procmail's built-in macro for destination headers, not a literal
# header name. The `([^a-z0-9.]|\. |\.$|$)` tail used throughout this file
# requires the preceding text to end there (no further hostname characters).
:0
* ^TO(friends?@([^a-z0-9.]|\. |\.$|$)|\
        fulldatabase@([^a-z0-9.]|\. |\.$|$)|\
        nobody@.*([^a-z0-9.]|\. |\.$|$)|\
        one@time\.com([^a-z0-9.]|\. |\.$|$)|\
        outmail@([^a-z0-9.]|\. |\.$|$))
{
  SBLOG="A1R-Spammy To: Header"

  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 5^0
  { SBSCORE=$= }
}

# Received: headers after Subject
# Exempts messages carrying a "received: by Apple.Mailer" line.
:0
* ^Subject:(.*$)+Received:
* ! ^received: by Apple\.Mailer
{
  SBLOG="A1R-Received after Subject"

  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 3^0
  { SBSCORE=$= }
}

# Multiple Received: headers after Date
#
# Listservs resend bounced emails to email-list admins and retain the old
# Received: headers, so the program must ignore this rule if there is an
# X-Diagnostic: header, which indicates that this happened.
#
# NOTE(review): X-Diagnostic: is an ordinary sender-settable header, so its
# presence only suppresses this one rule; it does not authenticate a listserv.
:0
* ^Date:(.*$)+Received:(.*$)+Received:
* ! ^X-Diagnostic:
{
  SBLOG="A1R-Multiple Received after Date"

  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 3^0
  { SBSCORE=$= }
}

# Subject: line with too many blank spaces
# Matches five bracketed whitespace classes in a row anywhere in the Subject:.
:0
* ^Subject:.*[ ][ ][ ][ ][ ]
{
  SBLOG="A1R-Subject w/too many blanks"

  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 3^0
  { SBSCORE=$= }
}

# Subject: line with too many periods in a row
# Ten periods, each optionally followed by one blank.
:0
* ^Subject:.*\.[ ]?\.[ ]?\.[ ]?\.[ ]?\.[ ]?\.[ ]?\.[ ]?\.[ ]?\.[ ]?\.[ ]?
{
  SBLOG="A1R-Subject w/too many periods"

  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 3^0
  { SBSCORE=$= }
}

# Subject: line with too many underscores in a row
# Six consecutive underscores.
:0
* ^Subject:.*______
{
  SBLOG="A1R-Subject w/too many underscores"

  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 3^0
  { SBSCORE=$= }
}

# Subject: line with SUBJECT=
# The D flag makes this match case-sensitive, so only upper-case "SUBJECT=" hits.
:0 D
* ^Subject: SUBJECT=
{
  SBLOG="A1R-SUBJECT="

  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 5^0
  { SBSCORE=$= }
}

# Bogus Content-Type: header
# The BH flags search both body and header, so a Content-Type: line at the
# start of a body line (e.g. a MIME part header) is tested as well.
:0 BH
* ^Content-Type:[ ]unknown/unknown;?( |$)
{
  SBLOG="A1R-Bogus Content-Type: header"

  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 5^0
  { SBSCORE=$= }
}

# Malformed Content-Type: header
# Either six or more ';' separators, or multipart/related declaring
# type="multipart/alternative" on the following line.
:0
* ^Content-Type:[ ](.*;.*;.*;.*;.*;.*;|\
        multipart/related;$[^0-9a-z]*type=\"multipart/alternative\";)
{
  SBLOG="A1R-Malformed Content-Type: header"

  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 5^0
  { SBSCORE=$= }
}

# Spammy From:/Reply-To:
# `From.` matches both the "From:" header and the "From " envelope line.
#
# NOTE(review): `make@.*money.com` leaves the last dot unescaped (any
# character matches), and the `noreply@` alternative is listed twice; neither
# changes which mail the intended cases hit, but both look unintentional.
# NOTE(review): several alternatives are broad (`.*@.*friend`, `.*offer.*@`,
# customer-pool hostnames under earthlink.net and uu.net); check them against
# current legitimate mail before raising the weight.
:0
* ^(From.|Reply-To:).*[^0-9a-z](255\.255\.255\.|\
        @(email)?[0-9]+\.cc|\
        ad(vertise)?(r|ment)?(s)?@|\
        anon(ymous)?@|\
        x[0-9][0-9]x@|\
        [^a-z]friend.*@|\
        .*@.*friend|\
        ()\"[a-z\']*\"<|\
        InternetEx@Picture\.scan\.com|\
        make@.*money.com|\
        no@reply([^a-z0-9.]|\. |\.$|$)|\
        noreply@([^a-z0-9.]|\. |\.$|$)|\
        noone@nowhere\.net([^a-z0-9.]|\. |\.$|$)|\
        noreply@([^a-z0-9.]|\. |\.$|$)|\
        .*offer.*@([^a-z0-9.]|\. |\.$|$)|\
        .*@proxy?.\.ba\.best\.com([^a-z0-9.]|\. |\.$|$)|\
        info(rmation)?@.*internet\.net([^a-z0-9.]|\. |\.$|$)|\
        Reply@By\.Mail([^a-z0-9.]|\. |\.$|$)|\
        usethe800number@|\
        waiting@thephone\.now([^a-z0-9.]|\. |\.$|$)|\
        Weight Loss|\
        Worldwide\.Network\.Association([^a-z0-9.]|\. |\.$|$)|\
        yourdomain\.com([^a-z0-9.]|\. |\.$|$)|\
        .*@[a-z]*\.[a-z]*\.earthlink\.net([^a-z0-9.]|\. |\.$|$)|\
        .*@.Cust..?\.[0-9a-z]*\.[0-9a-z]*\.[0-9a-z][0-9a-z]\.uu\.net([^a-z0-9.]|\. |\.$|$))
{
  SBLOG="A1R-Spammy From/Reply-To"

  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 3^0
  { SBSCORE=$= }
}

# Unqualified recipient (no @ sign in To: field) from outside sender
# LOCALTAG starts as "no" and is set to "yes" when the message has no To:
# header at all, or when FIRSTEXIP equals 000.000.000.000. FIRSTEXIP is set
# outside this file; presumably that value marks mail with no external relay
# -- confirm where it is assigned.
LOCALTAG=no

:0
* ! ^To:
{ LOCALTAG=yes }

:0
* FIRSTEXIP ?? ^000\.000\.000\.000$
{ LOCALTAG=yes }

# Score only when LOCALTAG is still "no", To: has no '@', and To: is not an
# "undisclosed recipients" placeholder.
:0
* LOCALTAG ?? no
* ! ^To:.*@
* ! ^To:.*undisclosed.*recipients?
{
  SBLOG="A1R-Unqualified Recipient Address/Outside Sender"

  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 3^0
  { SBSCORE=$= }
}

# Numeric MIME boundary header
# Not anchored to a header name: any header line ending in a quoted boundary
# of "--" followed only by digits matches.
:0
* boundary=\"\-\-[0-9]+" *$
{
  SBLOG="A1R-Numeric MIME boundary"

  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 5^0
  { SBSCORE=$= }
}

# Other headers typical of spam
# The two negated conditions exempt mail From: user@unknown.nu and mail with
# a Received: line naming stealth.net; the third is a list of individual
# header fingerprints, any one of which triggers the rule.
:0
* ! ^From:.*user@unknown\.nu([^a-z0-9.]|\. |\.$|$)
* ! ^Received.*stealth\.net([^a-z0-9.]|\. |\.$|$)
* (^Content-type: .*boundary=.?\#MYBOUNDARY\#|\
        ^Date:.*____|\
        ^Received:.*xmxpita\.|\
        ^Status: MC|\
        ^Subject:.*% (discount|off)|\
        ^Subject: \[ a d v \]|\
        ^To: @|\
        ^To: \"\" <|\
        ^To: you$|\
        ^To.*(any|no|some)(one|body)@|\
        ^X-#:|\
        ^X-INFO_[a-c]Z:|\
        ^X-Set:|\
        ^X-SP-Track-ID:)
{
  SBLOG="A1R-Other Spammy Headers"

  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  * $ ${SBSCORE}^0
  * 3^0
  { SBSCORE=$= }
}