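# Bulk-mail-software signatures (procmail recipes).
#
# Conventions used by every recipe below, as visible in this file:
#   * "VAR ?? regex" tests the value of a variable rather than the message.
#   * "w^x regex" is a weighted condition; a recipe that uses weighted
#     conditions matches only when its final score is positive.  A bare
#     "-1000^0" is a fixed offset, so a single 1100-point signature is
#     needed to get above zero.
#   * Each hit sets SBLOG, includes ${SBDIR}/functions/loglevel.rc, and then
#     adds N to SBSCORE through the nested "SBSCORE^0 / N^0 / SBSCORE=$="
#     recipe.
#   * Lines ending in a backslash continue the regular expression; leading
#     whitespace on the continuation line is ignored by procmail.
# SBDIR, SBSCORE and LEANTAG are not defined here; they are expected to be
# set before this file is included.

# Aureate Group Mail (Free Edition)
#
# This software appears to be intended for legitimate purposes, but so many
# spammers are using the free edition, which is clearly too easy to get
# and abuse, that I am treating the free edition as a spam mail program.
#
# NOTE(review): no recipe for this mailer follows the description in this
# file; only LOCALTAG is reset.  Confirm whether a rule was dropped.
LOCALTAG=no

# formmail.pl script
#
# Several versions of the formmail.pl script are highly insecure, and
# spammers use them to send spam.
#
# Scoring: starts at -1000; replies, quoted lines and a Subject containing
# "spam" subtract further; each form boilerplate signature adds 1100 (the
# two secondary phrases add 400 and 600).
#
# Review changes in this recipe:
#   - the ordinal suffix accepted after the day number was only "nd" or
#     "th", so days ending in "st"/"rd" (1st, 3rd, 21st, ...) never matched;
#   - the year literals stopped at 2019 (German form) and 2009 (Contact
#     Form), so those signatures could no longer match current mail;
#   - the Contact Form day accepted only 10-39, never a one-digit or
#     zero-padded day.
# NOTE(review): in the German "Folgendes wurde am ..." pattern the "|" after
# "[ ]" is a top-level alternation, so either half of the sentence scores
# 1100 on its own.  Left unchanged; confirm that this is intended.
:0 BH
* LEANTAG ?? no
* !^Subject: .*\(fwd\)
* !--.*forwarded message --
* !^forwarded message:
* !^-----BEGIN PGP SIGNED MESSAGE-----
* -1000^0
* -500^0 ^Subject: Re:
* -200^1 ^[:;#>]
* -600^1 ^Subject:.*spam
* 1100^0 Below is the result of your (feedback|Internet) form\.
* 400^0 It was submitted (by|on)
* 1100^0 Hieronder het resultaat van het Strafschop-boek-bestel formulier\.
* 600^0 Het is opgestuurd
* 1100^0 Folgendes wurde am (Montag|\
        Dienstag|\
        Mittwoch|\
        Donnerstag|\
        Freitag|\
        Samstag|\
        Sonntag), [0-9]+\. (Januar|\
        Februar|\
        März|\
        April|\
        Mai|\
        Juni|\
        Juli|\
        August|\
        September|\
        Oktober|\
        November|\
        Dezember)[ ]|\
        20[0-9][0-9] um [1-2]?[0-9]:[0-6][0-9] Uhr von [ ]?\(.*@.*\.[a-z]+\) \
        per Formular an Sie geschickt:
* 1100^0 ^The following form contents were entered on ([0-9]|[1-2][0-9]|3[0-1])(st|nd|rd|th) \
        (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [0-9]+$
* 1100^0 Date = (.*$)+subject = (.*$)+email = (.*$)+message = (.*$)+
* 1100^0 Az alabbi Ajanlatkero nyomtatvany erkezett\:
* 1100^0 Jemand hat das Feedback-Formular Ihrer Website benutzt
* 1100^0 Das Ergebnis der eMail Abfrage\.( )*Es wurde gesendet am:
* 1100^0 ^Form Results:$^$^=============================================================$^Referring URL:$
* 1100^0 ^Contact Form Submitted By$[(][^)]*[)] on (Monday|\
        Tuesday|\
        Wednesday|\
        Thursday|\
        Friday|\
        Saturday|\
        Sunday), \
        (January|\
        February|\
        March|\
        April|\
        May|\
        June|\
        July|\
        August|\
        September|\
        October|\
        November|\
        December) [0-3]?[0-9], 20[0-9][0-9] at [0-9][0-9]:[0-9][0-9]:[0-9][0-9]$\
        ---------------------------------------------------------------------------$
{
  SBLOG="A1R-Bulk Mail Software (formmail.pl)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # Add 5 to the running spam score.
  :0
  * $ ${SBSCORE}^0
  * 5^0
  { SBSCORE=$= }
}

# Other Blocked eMail Programs
#
# Stage 1 flags known bulk mailers by X-Mailer, stage 2 by signatures in
# the body, stage 3 scores the message if either stage set LOCALTAG.
LOCALTAG=no

# Stage 1: X-Mailer names, skipped for forwarded mail.
:0
* ^X-Mailer: (.*Allaire Cold[ ]?Fusion([^a-z0-9.]|\. |\.$|$)|\
        .*Msend([^a-z0-9.]|\. |\.$|$)|\
        .*Netmailer([^a-z0-9.]|\. |\.$|$)|\
        .*PHPBulkEmailer([^a-z0-9.]|\. |\.$|$)|\
        .*Worldmerge([^a-z0-9.]|\. |\.$|$))
* !^Subject: .*\(fwd\)
{ LOCALTAG=yes }

# Stage 2: body signatures, skipped for replies and forwarded mail.
#
# Review change: the reply exclusion was written as the only weighted
# condition of the outer recipe ("-1000^0 ^Subject: Re:").  Its score could
# only be 0 or -1000, never positive, so the outer recipe never matched and
# none of the body signatures below were ever evaluated.  A plain negated
# condition expresses the same exclusion and lets the block run.
# NOTE(review): the literal "ÿ" alternative in the URL patterns depends on
# the byte encoding this file is stored in -- confirm it survives edits.
# NOTE(review): "[0-9a-e.]" in the cid: pattern stops at "e"; if the value
# is hexadecimal this probably wants "a-f".  Left unchanged.
:0
* LOCALTAG ?? no
* ! ^Subject: Re:
{
  :0 B
  * !--.*forwarded message --
  * !^forwarded message:
  * -1000^0
  * -200^1 ^[:;#>]
  * 1100^0 (^|[^0-9a-z])http://www(ÿ|\.|[=%]2E)coloradosoft(ÿ|\.|[=%]2E)com([^a-z0-9.]|\. |\.$|$)
  * 1100^0 (^|[^0-9a-z])http://www(ÿ|\.|[=%]2E)phplist(ÿ|\.|[=%]2E)com([^a-z0-9.]|\. |\.$|$)
  * 1100^0 (^|[^0-9a-z])boundary=\"qzsoft_directmail_seperator\"
  * 1100^0 (^|[^0-9a-z])cid:[0-9a-e.]+_csseditor([^a-z0-9.]|\. |\.$|$)
  * 1100^0 (^|[^0-9a-z])http://www(ÿ|\.|[=%]2E)mach5-mailer(ÿ|\.|[=%]2E)com/
  { LOCALTAG=yes }
}

# Stage 3: score the message if either stage above flagged it.
:0
* LOCALTAG ?? yes
{
  SBLOG="A1R-Bulk Mail Software (Other)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # Add 5 to the running spam score.
  :0
  * $ ${SBSCORE}^0
  * 5^0
  { SBSCORE=$= }
}

# MIME encoded email with empty Text/Plain section
#
# A lot of spamware uses a dual-part Text/HTML format, but puts
# nothing in the text section at all. Legitimate email software
# doesn't do this.
#
# The body patterns match a boundary line, the text/plain part headers
# (with or without a charset), one or more empty lines, and then the next
# boundary line.
:0
* LEANTAG ?? no
* ^Content-Type: multipart/(alternative|mixed|related)
{
  :0 B
  * !--.*forwarded message --
  * !^forwarded message:
  * -1000^0
  * 1100^0 ^(- )?--[-_0-9a-z.=+/$]+$Content-Type: text/plain;?$?[^-_0-9a-z]*charset=.?[-0-9a-z]+.?$Content-Transfer-Encoding: [-_0-9a-z\.]+$($)+(- )?--[-_0-9a-z.=+/$]+$
  * 1100^0 ^(- )?--[-_0-9a-z.=+/$]+$Content-Type: text/plain;?$Content-Transfer-Encoding: [-_0-9a-z\.]+$($)+(- )?--[-_0-9a-z.=+/$]+$
  {
    SBLOG="A1R-Bulk Mail Software (text/plain Content-Type: section is empty)"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    # Add 5 to the running spam score.
    :0
    * $ ${SBSCORE}^0
    * 5^0
    { SBSCORE=$= }
  }
}

# MIME encoded email with empty multipart/alternative section
#
# The Dmailer program and some other spamware are now creating
# email with empty multipart/alternative content type sections
# in the message body -- *really* weird stuff.
#
# Two boundary styles are covered ("--Boundary_(...)" and "=_xxxxxxxx_..."
# followed by "------=_NextPart_"), each in three header layouts.  This
# signature adds only 2 to the score, less than the other rules here.
:0
* LEANTAG ?? no
* ^Content-Type: multipart/(alternative|mixed|related)
{
  :0 B
  * !--.*forwarded message --
  * !^forwarded message:
  * !^-----BEGIN PGP SIGNED MESSAGE-----
  * -1000^0
  * -200^1 ^[:;#>]
  * 1100^0 ^--Boundary_\([_0-9a-z\.]+\)$Content-Type: multipart/alternative;?$[^-_0-9a-z]*charset=.?[-0-9a-z]+.?$Content-Transfer-Encoding: [-_0-9a-z\.]+$($)+--Boundary_\(
  * 1100^0 ^--Boundary_\([_0-9a-z\.]+\)$Content-Type: multipart/alternative;[^-_0-9a-z]*charset=.?[-0-9a-z]+.?$Content-Transfer-Encoding: [-_0-9a-z\.]+$($)+--Boundary_\(
  * 1100^0 ^--Boundary_\([_0-9a-z\.]+\)$Content-Type: multipart/alternative;?$Content-Transfer-Encoding: [-_0-9a-z\.]+$($)+--Boundary_\(
  * 1100^0 ^--(----)?=_[0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z]_[_0-9a-z\.]+$Content-Type: multipart/alternative;?$[^-_0-9a-z]*charset=.?[-0-9a-z]+.?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$+------=_NextPart_
  * 1100^0 ^--(----)?=_[0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z]_[_0-9a-z\.]+$Content-Type: multipart/alternative;[^-_0-9a-z]*charset=.?[-0-9a-z]+.?$Content-Transfer-Encoding: [-_0-9a-z\.]+$($)+------=_NextPart_
  * 1100^0 ^--(----)?=_[0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z]_[_0-9a-z\.]+$Content-Type: multipart/alternative;?$Content-Transfer-Encoding: [-_0-9a-z\.]+$($)+------=_NextPart_
  {
    SBLOG="A1R-Bulk Mail Software (multipart/alternative Content-Type: section is empty)"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    # Add 2 to the running spam score.
    :0
    * $ ${SBSCORE}^0
    * 2^0
    { SBSCORE=$= }
  }
}

# Random lower-case words in X-Mailer (four or more words, each followed
# by a space)
#
# NOTE(review): this section was headed "Random lower-case words in
# Subject", but the condition and the log text both test X-Mailer.  Confirm
# which header was intended; the condition is left as written.
# The D flag makes the match case-sensitive; the rule is skipped when an
# "X-SBRule: Spam Software (" header is already present.
:0 D
* ! ^X-SBRule: Spam Software \(
* ^X-Mailer: [a-z]+ [a-z]+ [a-z]+ ([a-z]+ )+$
{
  SBLOG="A1R-Bulk Mail Software (Random X-Mailer word string)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # Add 3 to the running spam score.
  :0
  * $ ${SBSCORE}^0
  * 3^0
  { SBSCORE=$= }
}

# Random lower-case words in X-Mailer
#
# NOTE(review): this pattern also matches an X-Mailer made of a single
# all-lower-case word, and a message matching the previous rule as well
# gets both +3 scores.  Worth checking against legitimate mailers that
# identify themselves in lower case.
:0 D
* ! ^X-SBRule: Spam Software \(
* ^X-Mailer: [a-z]+[^0-9a-z]?( [a-z]+[^0-9a-z]?)*$
{
  SBLOG="A1R-Bulk Mail Software (Random X-Mailer word string)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # Add 3 to the running spam score.
  :0
  * $ ${SBSCORE}^0
  * 3^0
  { SBSCORE=$= }
}

# MIME "Multipart Boundary" Multipart-Boundary :)
#
# Matches a multipart/alternative header whose boundary parameter is the
# literal text "= Multipart Boundary <digits>" (case-sensitive).
:0 HD
* ! ^X-SBRule: Spam Software \(
* ^Content-Type: multipart/alternative;?$?[^0-9a-z]*boundary=\"= Multipart Boundary [0-9]+\"$
{
  SBLOG="A1R-Bulk Mail Software (Multipart Boundary string in MIME boundary)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # Add 5 to the running spam score.
  :0
  * $ ${SBSCORE}^0
  * 5^0
  { SBSCORE=$= }
}

# Weird new X-headers -- possibly a sure spam sign; for now they only add
# to the score.
#
# NOTE(review): "X-IP:" is a short, generic header name; confirm that no
# legitimate system feeding this filter adds it.
:0
* ^(X-IdiRosUtu:|\
        X-IdiBasRos:|\
        X-IP:|\
        X-BasTeg:)
{
  SBLOG="A1R-Bulk Mail Software (Spam X-headers)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # Add 5 to the running spam score.
  :0
  * $ ${SBSCORE}^0
  * 5^0
  { SBSCORE=$= }
}

# Random lower-case words in body MIME section
#
# Matches a text/plain part whose whole content, between two boundary
# lines, is one or more lines of space-separated lower-case words of at
# least two letters each (case-sensitive, body only).
:0 BD
* ^(- )?--[-_0-9a-z.=+/$]+$Content-Type: text/plain;?$?[^-_0-9a-z]*charset=(\")?[-0-9a-z]+(\")?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$(([a-z][a-z]+ )+[a-z][a-z]+$)+(- )?--[-_0-9a-z.=+/$]+$
{
  SBLOG="A1R-Bulk Mail Software (Random hashbuster words)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # Add 5 to the running spam score.
  :0
  * $ ${SBSCORE}^0
  * 5^0
  { SBSCORE=$= }
}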