1 | #FROM SA/MD/SARE LISTS - All considered public domain or fair use. |
2 | ||
3 | #BY "Warren Sallade" <warren.sallade@ewgateway.org> for Drug Spams | |
4 | ||
5 | #DISABLING DUE TO FALSE POSITIVES 2021-09-14 | |
# NOTE(review): despite the line above, every rule in this section is still
# active -- nothing is commented out and each meta carries a score of 1.0.
# To actually disable them, comment the rules out or set each score to 0.
# Confirm which was intended before relying on the "disabled" note.
#
# Each __EWG_BAD* subrule matches one letter standing alone between two HTML
# tags (e.g. "<td>V</td>"), the one-letter-per-cell drug-name obfuscation.
# A meta adds the subrule hits and fires when the sum exceeds 5, i.e. when
# all six letters appear somewhere in the raw body, in any order.
6 | rawbody __EWG_BAD34 />\s{0,3}V\s{0,3}</i | |
7 | rawbody __EWG_BAD35 />\s{0,3}I\s{0,3}</i | |
8 | rawbody __EWG_BAD36 />\s{0,3}A\s{0,3}</i | |
9 | rawbody __EWG_BAD37 />\s{0,3}G\s{0,3}</i | |
10 | rawbody __EWG_BAD38 />\s{0,3}R\s{0,3}</i | |
# __EWG_BAD39 is the identical pattern to __EWG_BAD36 (both "A"), so it hits
# whenever BAD36 does and the "> 5" threshold really needs only five distinct
# letters (V, I, A, G, R). The same applies to __EWG_BAD42/__EWG_BAD45 ("I")
# in the CIALIS block below.
11 | rawbody __EWG_BAD39 />\s{0,3}A\s{0,3}</i | |
12 | meta EWG_VIAGRA ((__EWG_BAD34 + __EWG_BAD35 + __EWG_BAD36 + __EWG_BAD37 + __EWG_BAD38 + __EWG_BAD39) > 5) | |
13 | describe EWG_VIAGRA Viagra Obfuscation SPAM | |
14 | score EWG_VIAGRA 1.0 | |
15 | ||
16 | rawbody __EWG_BAD41 />\s{0,3}C\s{0,3}</i | |
17 | rawbody __EWG_BAD42 />\s{0,3}I\s{0,3}</i | |
18 | rawbody __EWG_BAD43 />\s{0,3}A\s{0,3}</i | |
19 | rawbody __EWG_BAD44 />\s{0,3}L\s{0,3}</i | |
20 | rawbody __EWG_BAD45 />\s{0,3}I\s{0,3}</i | |
21 | rawbody __EWG_BAD46 />\s{0,3}S\s{0,3}</i | |
22 | meta EWG_CIALIS ((__EWG_BAD41 + __EWG_BAD42 + __EWG_BAD43 + __EWG_BAD44 + __EWG_BAD45 + __EWG_BAD46) > 5) | |
23 | describe EWG_CIALIS Cialis Obfuscation spam | |
24 | score EWG_CIALIS 1.0 | |
25 | ||
# VALIUM: all six letters are distinct, so this one genuinely needs six.
26 | rawbody __EWG_BAD48 />\s{0,3}V\s{0,3}</i | |
27 | rawbody __EWG_BAD49 />\s{0,3}A\s{0,3}</i | |
28 | rawbody __EWG_BAD50 />\s{0,3}L\s{0,3}</i | |
29 | rawbody __EWG_BAD51 />\s{0,3}I\s{0,3}</i | |
30 | rawbody __EWG_BAD52 />\s{0,3}U\s{0,3}</i | |
31 | rawbody __EWG_BAD53 />\s{0,3}M\s{0,3}</i | |
32 | meta EWG_VALIUM ((__EWG_BAD48 + __EWG_BAD49 + __EWG_BAD50 + __EWG_BAD51 + __EWG_BAD52 + __EWG_BAD53) > 5) | |
33 | describe EWG_VALIUM Valium Obfuscation Spam | |
34 | score EWG_VALIUM 1.000 | |
35 | ||
36 | #FOR CURRENT RND_UC_CHAR SPAMS | |
# Spam-tool template macro "%RND_UC_CHAR" that failed to expand, leaving the
# literal tag in the Subject. A legitimate mailer should never emit this
# token, hence the high score.
37 | header SUBJ_RND_UC_CHAR_L Subject =~ /\%RND_UC_CHAR/ | |
38 | describe SUBJ_RND_UC_CHAR_L Subject contains literal RND_UC_CHAR tag | |
39 | score SUBJ_RND_UC_CHAR_L 5.0 | |
40 | ||
# The expanded form: "Re: <2-8 upper-case letters>, word word word" and
# nothing else. Kept at a low score because a real reply can occasionally
# have this shape.
41 | header SUBJ_RND_UC_CHAR Subject =~ /^Re:\s[A-Z]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$/ | |
42 | describe SUBJ_RND_UC_CHAR Subject fits RND_UC_CHAR pattern | |
43 | score SUBJ_RND_UC_CHAR 1.0 | |
44 | ||
# Known pharmacy-spam domains. NOTE(review): the regex covers three .biz
# domains but the describe text names only pharmacourt.biz; keep the
# description in step with the list so reports stay accurate.
45 | uri PHARMACOURT_BIZ /\b(?:pharmacourt|pharmawarehouse|valuepointmeds)\.biz\b/i | |
46 | describe PHARMACOURT_BIZ Includes a link to spammer www.pharmacourt.biz | |
47 | score PHARMACOURT_BIZ 3.0 | |
48 | ||
49 | #meta HABEAS_VIOLATOR_LOCAL (!HABEAS_VIOLATOR && PHARMACOURT_BIZ && HABEAS_SWE) | |
50 | #describe HABEAS_VIOLATOR_LOCAL Spammer known to abuse Habeas mark | |
51 | #score HABEAS_VIOLATOR_LOCAL 16.0 | |
52 | ||
# Whole-line match (^...$, case-insensitive) for a centred image link: a
# random 10-20 char alphanumeric HTML comment (presumably hash-busting), then
# an <a href> wrapping an <img> whose file name is one letter plus a digit
# 1-9 and ends in .gif", with border=0.
53 | rawbody UAH_VIAGRA_IMAGE /^<center><\!--[a-zA-Z0-9]{10,20}--><a href=.+><img src=.+\/[a-z][1-9]\.gif\" border=0><\/a><\/center>$/i | |
54 | describe UAH_VIAGRA_IMAGE Viagra Image | |
55 | score UAH_VIAGRA_IMAGE 3.0 | |
56 | ||
57 | ||
58 | #INVALID QMAIL | |
# MESSAGEID is SpamAssassin's pseudo-header for the message-ID headers.
# Flags an ID whose left-hand side contains a lower-case letter and ends in
# ".qmail" -- a malformed ID seen from one spam run. "German" is historical
# naming; the rule does not inspect language. Case-sensitive by design
# (no /i), so "QMAIL" would not match.
59 | header GERMANSPAM MESSAGEID =~ /^<.*[a-z].*\.qmail\@.*>/ | |
60 | describe GERMANSPAM Contains German Spam / Invalid Qmail Message ID | |
61 | score GERMANSPAM 3.0 | |
62 | ||
63 | #GOOGLE Who really uses the "I'm Feeling Lucky" button anyway? by John Wilcock | |
# A Google search URL carrying btnI= ("I'm Feeling Lucky") sends the visitor
# straight to the first result, which spammers use as a free open redirect
# to hide the real landing page. Unanchored: \bgoogle\b anywhere in the URI
# text, followed somewhere later by "&btnI=".
64 | uri local_GOOGLE_LUCKY /(?:\bgoogle\b).+(?:&btnI=)/i | |
65 | describe local_GOOGLE_LUCKY Redirect through Google Feeling Lucky | |
66 | score local_GOOGLE_LUCKY 2.0 | |
67 | ||
68 | #ZD.NET's OPEN REDIR by Raymond Dijkxhoorn | |
# Open redirector on chkpt.zdnet.com. NOTE(review): the dots in the host name
# are unescaped (they match any character) and the leading ".*" lets the
# host appear anywhere after "http://" -- including inside another site's
# query string; https:// links are not covered. Escaping the dots
# (chkpt\.zdnet\.com) would tighten the rule at no cost.
69 | uri PROLO_REDIR_ZDNET_CHECK_1 /http:\/\/.*chkpt.zdnet.com\/chkpt/ | |
70 | score PROLO_REDIR_ZDNET_CHECK_1 8.0 | |
71 | describe PROLO_REDIR_ZDNET_CHECK_1 PROLO_REDIR-ZDNET CHECK_1_2_3, Body | |
72 | ||
73 | #TINYTEXT by Jonathan Maliepaard <jon@enetworks.co.za> | |
74 | #describe TINY_TEXT_1 Body includes very small html text | |
75 | #rawbody TINY_TEXT_1 /FONT-SIZE: (?:1|1.5|2|2.5|3)px/i | |
76 | #score TINY_TEXT_1 1.5 | |
77 | ||
78 | #describe TINY_TEXT_2 Body includes very small html text | |
79 | #rawbody TINY_TEXT_2 /FONT-SIZE: (?:1|1.5|2|2.5|3)\;/i | |
80 | #score TINY_TEXT_2 1.5 | |
81 | ||
82 | ||
83 | #HABEAS MARK TOO OFTEN FORGED | |
84 | #REMOVED FOR 3.0SA #score HABEAS_SWE 0.0 | |
85 | ||
86 | #patch to MS Outlook 2003 has changed the headers | |
87 | #REMOVED FOR 3.0SA #score FORGED_MUA_OUTLOOK 0.00 | |
88 | ||
89 | #SCORE ADJUSTMENTS | |
90 | #REMOVED FOR 3.0SA #score RCVD_IN_NJABL_DIALUP 1.5 | |
91 | #REMOVED FOR 3.0SA #score RCVD_IN_DYNABLOCK 1.0 | |
92 | #REMOVED FROM RULES score DNS_FROM_OPENWHOIS 2.0 | |
93 | ||
94 | # | |
95 | # Abusive public hosting Raymond Dijkxhoorn | |
96 | # | |
97 | ||
# Free / abusable web hosts used to park spam landing pages. Every pattern is
# "^http://<anything><host>/", so the host may sit anywhere after the scheme
# (also inside another site's path or query) and only http:// URIs are
# checked, never https://. NOTE(review): some of these hosts may be long
# gone; prune if the rules never fire.
98 | uri PROLO_PUBWEB_UKGEO_CHECK1 /^http:\/\/.*uk\.geocities\.com\// | |
99 | score PROLO_PUBWEB_UKGEO_CHECK1 5.0 | |
100 | describe PROLO_PUBWEB_UKGEO_CHECK1 PROLO_PUBWEB_UKGEO_CHECK1, Body | |
101 | ||
102 | uri PROLO_PUBWEB_ITGEO_CHECK1 /^http:\/\/.*it\.geocities\.com\// | |
103 | score PROLO_PUBWEB_ITGEO_CHECK1 5.0 | |
104 | describe PROLO_PUBWEB_ITGEO_CHECK1 PROLO_PUBWEB_ITGEO_CHECK1, Body | |
105 | ||
106 | uri PROLO_PUBWEB_WWWGEO_CHECK1 /^http:\/\/.*www\.geocities\.com\// | |
107 | score PROLO_PUBWEB_WWWGEO_CHECK1 5.0 | |
108 | describe PROLO_PUBWEB_WWWGEO_CHECK1 PROLO_PUBWEB_WWWGEO_CHECK1, Body | |
109 | ||
110 | uri PROLO_HOSTING_PROHOSTING_CHK1 /^http:\/\/.*prohosting\.com\// | |
111 | score PROLO_HOSTING_PROHOSTING_CHK1 5.0 | |
112 | describe PROLO_HOSTING_PROHOSTING_CHK1 PROLO_HOSTING_PROHOSTING_CHK1, Body | |
113 | ||
114 | uri PROLO_HOSTING_XTHOST_CHK1 /^http:\/\/.*xthost\.info\// | |
115 | score PROLO_HOSTING_XTHOST_CHK1 5.0 | |
116 | describe PROLO_HOSTING_XTHOST_CHK1 PROLO_HOSTING_XTHOST_CHK1, Body | |
117 | ||
118 | uri PROLO_HOSTING_NET4FREE_CHK1 /^http:\/\/.*net4free\.org\// | |
119 | score PROLO_HOSTING_NET4FREE_CHK1 5.0 | |
120 | describe PROLO_HOSTING_NET4FREE_CHK1 PROLO_HOSTING_NET4FREE_CHK1, Body | |
121 | ||
122 | #Raymond's SA Rules for Tripod Spams from Leo | |
# "Leo" pill spam: three price pairs written with a decimal comma, plus a
# tripod.com link. The four parts are scored 0.1 each (kept visible in
# reports rather than as __ subrules); the meta needs all four and carries
# the real weight. The price regexes are unanchored, so e.g. "1,21" also
# matches inside a longer number -- harmless at 0.1 since the meta demands
# all four together.
123 | body PROLO_LEO1 /85\,45|1\,21/ | |
124 | body PROLO_LEO2 /69\,95|3\,33/ | |
125 | body PROLO_LEO3 /99\,95|3\,75/ | |
126 | uri PROLO_LEO4 /http:\/\/.*\.tripod\.com/ | |
127 | meta PROLO_LEO_M1 (PROLO_LEO1 && PROLO_LEO2 && PROLO_LEO3 && PROLO_LEO4) | |
128 | ||
129 | score PROLO_LEO1 0.1 | |
130 | score PROLO_LEO2 0.1 | |
131 | score PROLO_LEO3 0.1 | |
132 | score PROLO_LEO4 0.1 | |
133 | score PROLO_LEO_M1 8 | |
134 | ||
135 | describe PROLO_LEO1 Meta Catches all Leo drug variations so far | |
136 | describe PROLO_LEO2 Meta Catches all Leo drug variations so far | |
137 | describe PROLO_LEO3 Meta Catches all Leo drug variations so far | |
138 | describe PROLO_LEO4 Meta to catch Leo now using Tripod | |
139 | describe PROLO_LEO_M1 Catches all Leo drug variations so far | |
140 | ||
141 | #JUNK SCORES TO RECREATE ROUNDING BUG | |
142 | #score RDNS_NONE 0.0 | |
143 | #header TEMP Received =~ /64.18.1.27/ | |
144 | #score TEMP -0.5 | |
145 | #score KAM_LIVE 0.0 | |
146 | ||
147 | #DFS Rule for Warning: Malformed MIME virus in the wild 10-10-2013 | |
# "full" rules run over the complete raw message (headers and body).
# Fires when some MIME part names a .zip file AND some Content-Type: header
# has an empty value before the ";" -- the malformed-MIME trick from the
# 2013 virus run noted above. Score 15 is a hard spam verdict.
148 | full __RP_ZIP_TYPE /name\s{0,2}=\s{0,2}.{0,80}\.zip/i | |
149 | full __RP_EMPTY_CTYPE /Content-Type:\s{0,4};/i | |
150 | meta RP_ZIP_ECTYP __RP_EMPTY_CTYPE && __RP_ZIP_TYPE | |
151 | describe RP_ZIP_ECTYP Zip file attachment with bogus Content-Type: header | |
152 | score RP_ZIP_ECTYP 15 | |
153 | ||
154 | #AXB TEXTAREA | |
# Read-only <textarea name="textmain"> with an inline width style, in either
# attribute order. NOTE(review): the meta adds the two subrules and requires
# ">= 2", so BOTH attribute orderings must occur in the same message. If the
# intent is "either ordering" (which the two near-identical patterns
# suggest), the threshold should be ">= 1" or the meta should use "||".
# Confirm against the original spam sample before changing.
155 | rawbody __AXB_RAW_TXTRO1 /\<textarea name\=\"textmain\" readonly\=\"readonly\" style\=\"width\:/ | |
156 | rawbody __AXB_RAW_TXTRO2 /\<textarea readonly\=\"readonly\" name\=\"textmain\" style\=\"width\:/ | |
157 | meta AXB_RAW_TXTRO (__AXB_RAW_TXTRO1 + __AXB_RAW_TXTRO2 >= 2) | |
158 | describe AXB_RAW_TXTRO R/O Textarea | |
159 | score AXB_RAW_TXTRO 5.0 | |
160 | ||
161 | ########################################################################## | |
162 | # - Find messages with eight or more html break characters in it. | |
163 | # - From: Kevin Miller <Kevin_Miller@ci.juneau.ak.us> | |
164 | ########################################################################## | |
165 | ||
166 | # HTML <BR>: eight consecutive break tags, optional whitespace between them | |
167 | rawbody __CBJ_GiveMeABreak1 /(?:<\/?br ?\/?>[\s\r\n]{0,4}){8}/mi | |
168 | ||
169 | # NEWLINES - DISABLED: still defined, but deliberately not referenced by the meta below | |
170 | rawbody __CBJ_GiveMeABreak2 /(?:[\r\n]){8}/mi | |
171 | ||
172 | # EMPTY TABLE ROWS: four empty <tr><td></td></tr> in a row | |
173 | rawbody __CBJ_GiveMeABreak3 /(?:<tr><td><\/td><\/tr>[\r\n]{0,4}){4}/mi | |
174 | ||
175 | # EMPTY PARAGRAPHS: four empty <p> or four empty <div> blocks in a row | |
176 | rawbody __CBJ_GiveMeABreak4 /(?:<p[^>]*> <\/p>\s*){4}|(?:<div[^>]*> <\/div>\s*){4}/mi | |
177 | ||
# Fires when any one of the three active subrules hits (sum >= 1).
178 | meta CBJ_GiveMeABreak (__CBJ_GiveMeABreak1 + __CBJ_GiveMeABreak3 + __CBJ_GiveMeABreak4 >= 1) | |
179 | describe CBJ_GiveMeABreak Messages with consecutive break characters | |
180 | score CBJ_GiveMeABreak 1.75 | |
181 | ||
182 | # FIX FOR THE FAILURE THAT IS OUTLOOK | |
# Cancels the stock MSGID_MULTIPLE_AT hit (-1.0) when an Outlook MUA is
# detected and the Message-ID is not otherwise flagged as invalid, because
# some Outlook versions legitimately produce such IDs. Depends on the stock
# rules MSGID_MULTIPLE_AT, __ANY_OUTLOOK_MUA and MSGID_OUTLOOK_INVALID.
183 | meta MSGID_MULTIPLE_AT_OUTLOOK (MSGID_MULTIPLE_AT && __ANY_OUTLOOK_MUA && !MSGID_OUTLOOK_INVALID) | |
184 | score MSGID_MULTIPLE_AT_OUTLOOK -1.00 | |
185 | describe MSGID_MULTIPLE_AT_OUTLOOK Undo MSGID_MULTIPLE_AT for Outlook MUAs that fail at standards | |
186 | ||
187 | # SPAM THAT SAYS IT IS SPAM | |
# Upstream Exchange/Forefront verdict header: a value starting with SFV:SPM
# means that filter already classified the message as spam. The header is
# not authenticated and anyone can insert it, but a forger gains nothing by
# adding a spam verdict to their own mail, so the exposure is limited to
# someone trying to get third-party mail blocked -- keep the score modest.
188 | header AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~ /^SFV\:SPM/ | |
189 | describe AXB_X_FF_SEZ_S Forefront says this is spam | |
190 | score AXB_X_FF_SEZ_S 1.5 | |
191 | ||
192 | # HACKED WORDPRESS SITES | |
# Links into WordPress plugin/theme/include directories that reach a .php
# script -- the usual footprint of a compromised WordPress site hosting a
# redirect or phishing kit. ".*" with /s is greedy and the pattern is not
# anchored at the end, so ".php" may also appear in the query string.
193 | uri __RP_D_00069_1 /\/wp-content\/(?:plugins|themes)\/.*\.php/is | |
194 | uri __RP_D_00069_2 /\/wp-includes\/.*\.php/is | |
195 | meta RP_D_00069 __RP_D_00069_1 || __RP_D_00069_2 | |
196 | describe RP_D_00069 Contains URL that may point to hacked WordPress site | |
197 | score RP_D_00069 1.2 | |
198 | ||
199 | #lowering score on this rule from 1.5 to 1.2 and the stock URI_WP_HACKED_2 to 2.1 | |
# Overrides the stock URI_WP_HACKED_2 score so the two overlapping rules do
# not double-count too heavily.
200 | score URI_WP_HACKED_2 2.1 | |
201 | ||
202 | # from John Hardin <jhardin@impsec.org> | |
203 | # reported on users list 09/2014 George Johnson <georgejohnson@talaya.net> | |
# Gibberish headers: a hyphenated header name NOT in the allow-list (the
# negative lookahead) whose entire value is a machine-looking token --
# digits + separator + 6 hex chars, a 6+ digit number with optional short
# suffix, or 30+ hex chars. Runs over ALL headers with /m. NOTE(review): the
# allow-list is the FP control; extend it rather than loosening the value
# pattern when a legitimate header gets caught.
204 | header __RAND_HEADER ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{5,}):\s+(?:\d{3,}[-\.][0-9a-f]{6,}|\d{6,}(?:[-\.]\d{2,5})?|[0-9a-f]{30,})$/ism | |
# Counts up to 5 hits; the meta fires on "> 4", i.e. exactly when the cap
# of 5 is reached.
205 | tflags __RAND_HEADER multiple maxhits=5 | |
206 | meta RAND_HEADER_MANY __RAND_HEADER > 4 | |
207 | describe RAND_HEADER_MANY Many random gibberish message headers | |
208 | score RAND_HEADER_MANY 1.500 # limit | |
209 | ||
210 | ||
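# Malware lure URIs: a fake "dropbox" or "googlebox" share path ending in
# document.php, doc.php or invoice.php. Score 100 is a hard spam verdict,
# so the rule now carries a describe line so the hit is self-explanatory in
# reports and lint output. Case-sensitive (no /i) -- mixed-case paths such
# as /DropBox/Invoice.php are not matched; left that way on purpose to keep
# the hard score narrow.
211 | uri AXB_URI_MLW_DROPBOX /\/(dropbox|googlebox)\/(document|doc|invoice)\.php$/ | |
describe AXB_URI_MLW_DROPBOX Link to fake Dropbox/Google doc/invoice script
212 | score AXB_URI_MLW_DROPBOX 100 | |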
213 | ||
214 | # from axb - the .link tld is completely useless and spam-ridden | |
215 | # FP from 2017-09-12 removed | |
# Version-guarded site-wide host blocklist for the .link TLD. The directive
# itself stays commented out after the 2017-09-12 false positive, so this
# block is currently a no-op kept for history.
216 | if (version >= 3.004000) | |
217 | #blacklist_uri_host link | |
218 | endif | |
219 | ||
220 | # COSTCO SPAM RULE FROM DIANNE F SKOLL | |
# Malware link: ".php?" followed by one of the short parameter names
# dp/k/c/t and a 25-character base64-like token, combined with an
# "order"/"buying" word in the Subject. Both parts are required (meta &&)
# to keep false positives down.
221 | uri __RP_D_00081_1 /\.php\?(?:dp|k|c|t)=[\/A-Za-z0-9=+]{25}/ | |
222 | header __RP_D_00081_2 Subject =~ /\b(?:order|buying)\b/i | |
223 | meta RP_D_00081 __RP_D_00081_1 && __RP_D_00081_2 | |
224 | describe RP_D_00081 Link to malware | |
225 | score RP_D_00081 3.5 | |
226 | ||
227 | # MORE AXB - PENDING BUG 4691 | |
228 | #rawbody MINIMAL_PAGE_128 /\<HTML\>\<BODY\>\<\/BODY\>\<\/HTML\>/ | |
229 | #range MINIMAL_PAGE_128 byte 0:128 | |
230 | #score MINIMAL_PAGE_128 5.0 | |
231 | ||
232 | #fast_body PILLS_VIAGRA /Blue pill and all popular Meds/ | |
233 | #score PILLS_VIAGRA 5.0 | |
234 | ||
235 | #NOTE 53548 - TESTING JUNKEMAIL FILTER CHECK - TESTING WITH RULES 1/2 OF DOCUMENTED | |
# HostKarma (junkemailfilter.com) DNSBL, queried for the last external relay
# ("-lastexternal"). That relies on trusted_networks / internal_networks
# being correct: if they are wrong, the IP looked up can be your own MX or a
# forwarder, and the whitelist entry below would then hand every message
# -2.5. Scores are deliberately half the list's documented values (see the
# NOTE above). Return codes per the describe lines: 127.0.0.1 white,
# 127.0.0.2 black, 127.0.0.4 brown.
236 | header __RCVD_IN_HOSTKARMA eval:check_rbl('HOSTKARMA-lastexternal','hostkarma.junkemailfilter.com.') | |
237 | describe __RCVD_IN_HOSTKARMA Sender listed in JunkEmailFilter | |
238 | tflags __RCVD_IN_HOSTKARMA net | |
239 | ||
# "nice" marks a ham-favouring rule; "net" means it only runs with network
# tests enabled.
240 | header RCVD_IN_HOSTKARMA_W eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.1') | |
241 | describe RCVD_IN_HOSTKARMA_W Sender listed in HOSTKARMA-WHITE | |
242 | tflags RCVD_IN_HOSTKARMA_W net nice | |
243 | score RCVD_IN_HOSTKARMA_W -2.5 | |
244 | ||
245 | header RCVD_IN_HOSTKARMA_BL eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.2') | |
246 | describe RCVD_IN_HOSTKARMA_BL Sender listed in HOSTKARMA-BLACK | |
247 | tflags RCVD_IN_HOSTKARMA_BL net | |
248 | score RCVD_IN_HOSTKARMA_BL 1.5 | |
249 | ||
250 | header RCVD_IN_HOSTKARMA_BR eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.4') | |
251 | describe RCVD_IN_HOSTKARMA_BR Sender listed in HOSTKARMA-BROWN | |
252 | tflags RCVD_IN_HOSTKARMA_BR net | |
253 | score RCVD_IN_HOSTKARMA_BR 0.5 | |
254 | ||
255 | #Steadramon's bogus SPF rules - https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7099 | |
# askdns fetches the TXT record of the sender domain tag (_SENDERDOMAIN_ --
# presumably the envelope-sender domain; confirm) and matches the SPF record
# text directly, independent of the normal SPF plugin verdict:
#   "+all" at the end : anyone may send for the domain, so SPF is worthless.
#   exactly "-all"    : the domain declares it sends no mail at all, so this
#                       message is almost certainly forged.
#   exactly "+all"    : the degenerate form of the first case.
# The two +all rules are mutually exclusive (".+" vs nothing before +all),
# so a domain collects 4.5 at most from them. All three patterns are anchored
# with ^...$, so any extra whitespace in the record defeats the match.
256 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
257 | askdns PDS_SPF_ALL _SENDERDOMAIN_ TXT /^v=spf1 .+\+all$/ | |
258 | describe PDS_SPF_ALL SPF set to +all! | |
259 | score PDS_SPF_ALL 4.5 | |
260 | ||
261 | askdns PDS_SPF_NONE _SENDERDOMAIN_ TXT /^v=spf1 \-all$/ | |
262 | describe PDS_SPF_NONE No IP is supposed to send email for this domain! | |
263 | score PDS_SPF_NONE 3.5 | |
264 | ||
265 | askdns PDS_SPF_ONLYALL _SENDERDOMAIN_ TXT /^v=spf1 \+all$/ | |
266 | describe PDS_SPF_ONLYALL SPF only +all - very lazy | |
267 | score PDS_SPF_ONLYALL 4.5 | |
268 | endif | |
269 | ||
270 | # FROM DFS | |
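# Malware attachment identified by file name in Content-Disposition. The
# match is now case-insensitive (/i): Windows treats file names
# case-insensitively, so "SecureMessage.CHM" or "securemessage.chm" is the
# same payload and previously slipped past this case-sensitive pattern. The
# string is specific enough that the hard score (50) remains justified.
271 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
272 | mimeheader RP_D_00086 Content-Disposition =~ /SecureMessage\.chm/i | |
273 | score RP_D_00086 50 | |
274 | describe RP_D_00086 SecureMessage.chm malware | |
275 | endif | |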
276 | ||
277 | # FROM BENNY PEDERSEN | |
278 | # Signature of filler inserted to push the real content past the (possibly | |
279 | # small) portion of a message that some clients hand to SpamAssassin for scanning. | |
280 | ||
# Rules 1/2 look in the raw body for " /" (or " //") followed by exactly 5
# alphanumerics. "multiple maxhits=1" is equivalent to a plain single match
# and is left as-is. The four-value score lines set 0.1 for all four score
# sets; the point is to feed Bayes (see describe), not to score the message.
281 | rawbody POISEN_SPAM_PILL_1 /\ \/[a-zA-Z0-9]{5}/i | |
282 | tflags POISEN_SPAM_PILL_1 multiple maxhits=1 | |
283 | describe POISEN_SPAM_PILL_1 random spam to be learned in bayes | |
284 | score POISEN_SPAM_PILL_1 0.1 0.1 0.1 0.1 | |
285 | ||
286 | rawbody POISEN_SPAM_PILL_2 /\ \/\/[a-zA-Z0-9]{5}/i | |
287 | tflags POISEN_SPAM_PILL_2 multiple maxhits=1 | |
288 | describe POISEN_SPAM_PILL_2 random spam to be learned in bayes | |
289 | score POISEN_SPAM_PILL_2 0.1 0.1 0.1 0.1 | |
290 | ||
291 | # Rules 3/4 repeat the same two patterns against the rendered (text) body. | |
292 | ||
293 | body POISEN_SPAM_PILL_3 /\ \/[a-zA-Z0-9]{5}/i | |
294 | tflags POISEN_SPAM_PILL_3 multiple maxhits=1 | |
295 | describe POISEN_SPAM_PILL_3 random spam to be learned in bayes | |
296 | score POISEN_SPAM_PILL_3 0.1 0.1 0.1 0.1 | |
297 | ||
298 | body POISEN_SPAM_PILL_4 /\ \/\/[a-zA-Z0-9]{5}/i | |
299 | tflags POISEN_SPAM_PILL_4 multiple maxhits=1 | |
300 | describe POISEN_SPAM_PILL_4 random spam to be learned in bayes | |
301 | score POISEN_SPAM_PILL_4 0.1 0.1 0.1 0.1 | |
302 | ||
303 | # Combining meta: a raw-body hit that is missing from at least one of the rendered-body checks, | |
# i.e. the filler presumably lives in non-rendered content (markup, hidden
# parts) rather than in text the reader sees.
304 | ||
305 | meta POISEN_SPAM_PILL ((POISEN_SPAM_PILL_1 || POISEN_SPAM_PILL_2) && (!POISEN_SPAM_PILL_3 || !POISEN_SPAM_PILL_4)) | |
306 | describe POISEN_SPAM_PILL Meta: its spam | |
307 | score POISEN_SPAM_PILL 0.1 0.1 0.1 0.1 | |
308 | ||
309 | #HENRIK KROHNS DEPENDENCY ISSUES FROM OLD SANDBOX | |
# Attachment file name (name= in Content-Type or Content-Disposition)
# carrying lottery / prize / winner / microsoft / congrat / urgent wording --
# typical 419 and lottery bait. Either header suffices (meta ||); low score.
310 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
311 | mimeheader __HK_SPAMMY_CTFN Content-Type =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi | |
312 | mimeheader __HK_SPAMMY_CDFN Content-Disposition =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi | |
313 | meta HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN | |
314 | score HK_SPAMMY_FILENAME 0.5 | |
315 | describe HK_SPAMMY_FILENAME Content Type or Disposition is Spammy | |
316 | endif | |
317 | ||
318 | #KHOPESH DEPENDENCY ISSUES FROM OLD SANDBOX | |
# Free-mail sender combined with missing headers or all-lower-case header
# names. Relies on the stock rules MISSING_HEADERS, __HDRS_LCASE and
# FREEMAIL_FROM (FreeMail plugin) being available.
319 | meta MALFORMED_FREEMAIL (MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM | |
320 | describe MALFORMED_FREEMAIL Bad headers on message from free email service | |
321 | score MALFORMED_FREEMAIL 0.1 | |
322 | ||
323 | #DAVE JONES / ENA OK TO ADD TO SA DEFAULT IF PROVEN WORTHY | |
# Subject is exactly one space. The next rule handles two or more whitespace
# characters, so the two never overlap.
324 | header ENA_SUBJ_IS_SPACE Subject =~ /^ $/ | |
325 | describe ENA_SUBJ_IS_SPACE Subject is a space | |
326 | score ENA_SUBJ_IS_SPACE 1.2 | |
327 | #Lowered score from 3.2 for testing 9/19 | |
328 | ||
329 | header ENA_SUBJ_ONLY_SPACES Subject =~ /^\s\s+$/ | |
330 | describe ENA_SUBJ_ONLY_SPACES Subject is only spaces commonly used by spammers to get around subject checks | |
331 | score ENA_SUBJ_ONLY_SPACES 0.2 | |
332 | #Lowered score from 2.2 for testing 9/19 | |
333 | ||
# Only "Fw"/"Fwd" (with or without colon), optionally followed by a single
# bracketed digit, and nothing else. NOTE(review): the first four
# alternatives use "\s+", so they need at least one trailing whitespace
# character -- a bare "Fwd:" with nothing after it does not match; the same
# holds for "Re:" below. Probably unintended; "\s*" would cover both.
334 | header ENA_SUBJ_ONLY_FWD Subject =~ /(^Fw:\s+$|^Fw\s+$|^Fwd:\s+$|^Fwd\s+$|^Fwd: \(\d\)$|^Fwd: \[\d\]$)/i | |
335 | describe ENA_SUBJ_ONLY_FWD Subject is only "Fwd:" | |
336 | score ENA_SUBJ_ONLY_FWD 2.2 | |
337 | ||
338 | header ENA_SUBJ_ONLY_RE Subject =~ /(^Re:\s+$|^Re\s+$|^Re: \(\d\)$|^Re: \[\d\]$)/i | |
339 | describe ENA_SUBJ_ONLY_RE Subject is only "Re:" | |
340 | score ENA_SUBJ_ONLY_RE 2.2 | |
341 | ||
# A run of 30 characters with no whitespace or punctuation inside it.
342 | header ENA_SUBJ_LONG_WORD Subject =~ /\b[^[:space:][:punct:]]{30}/ | |
343 | describe ENA_SUBJ_LONG_WORD Subject has a very long word | |
344 | score ENA_SUBJ_LONG_WORD 2.2 | |
345 | ||
# Three lower->upper case flips, each within 15 characters of the previous
# one. NOTE(review): CamelCase product or project names can accumulate
# these, and 2.6 is steep for a purely stylistic signal -- watch for FPs.
346 | header ENA_SUBJ_ODD_CASE Subject =~ /(?:[[:lower:]][[:upper:]].{0,15}){3}/ | |
347 | describe ENA_SUBJ_ODD_CASE Subject has odd case | |
348 | score ENA_SUBJ_ODD_CASE 2.6 | |
349 | ||
350 | ||
351 | # David Jones <djones@ena.com>, SA users list, 2 Oct 2017 | |
352 | ||
353 | #header USERS_FROM_SPOOF_EMAIL_DISPLAY From =~ /\@[a-z_]+?\.[a-z]{2,3} \</i | |
354 | #score USERS_FROM_SPOOF_EMAIL_DISPLAY 0.1 | |
355 | ||
356 | #describe USERS_FROM_SPOOF_EMAIL_DISPLAY From trying to spoof an email address in the display name | |
357 | ||
358 | # RW <rwmaillists@googlemail.com>, SA users list, 5 Oct 2017 | |
359 | ||
360 | #header USERS_FROM_ADDR_SPACE From:addr =~ /\s/ | |
361 | #score USERS_FROM_ADDR_SPACE 0.1 | |
362 | ||
363 | ||
364 | # Note 56133, SA bug 5561 | |
365 | #score FORGED_YAHOO_RCVD 0 | |
366 | ||
367 | ||
368 | # RW <rwmaillists@googlemail.com>, SA users list, 26 Apr 2019 | |
# Any MIME-Version value that does not contain "1.0" as a whole token (the
# only version ever defined). ".+" requires a non-empty value, so a missing
# header does not fire this rule.
369 | header BOGUS_MIME_VERSION MIME-Version =~ /^(?!.*\b1\.0\b).+/ | |
370 | score BOGUS_MIME_VERSION 0.5 | |
371 | describe BOGUS_MIME_VERSION bogus MIME-Version header | |
372 | ||
373 | # by Paul Stead <paul.stead@zeninternet.co.uk> | |
# FromNameSpoof plugin configuration (SpamAssassin 3.4+): flags mail whose
# From: display name carries an address that does not match the real From:
# address. Mailing lists, groups and forwarders legitimately rewrite From:,
# hence the DKIM-signer and header exclusions below.
374 | if (version >= 3.004000) | |
375 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
376 | # skip message signed by these DKIM senders | |
377 | fns_ignore_dkim linkedin.com googlegroups.com yahoogroups.com yahoogroups.de | |
378 | ||
379 | # skip messages with one or more of these headers | |
380 | fns_ignore_headers List-Id List-Post Mailing-List X-Forwarded-For | |
381 | ||
382 | # group similar domains to one name: gmail.com and googlemail.com are the same owner, so a mismatch between them is not a spoof | |
383 | fns_add_addrlist (GMAIL) *@gmail.com *@googlemail.com | |
384 | ||
385 | # From:name and From:address don't match and owners differ | |
386 | header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof() | |
387 | ||
388 | # From:name address matches To:address (defined for future use; not referenced by any meta in this file) | |
389 | header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to() | |
390 | ||
# Excludes mail that arrived via a mailing list or a re-signing relay, or
# whose sender domain matches the handover relay (__VIA_ML, __VIA_RESIGNER,
# __RP_MATCHES_RCVD are stock subrules). Deliberately low score while the
# plugin is being evaluated.
391 | meta PDS_FROMNAME_SPOOFED_EMAIL (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD) | |
392 | describe PDS_FROMNAME_SPOOFED_EMAIL From:name doesn't match From:address | |
393 | score PDS_FROMNAME_SPOOFED_EMAIL 0.2 | |
394 | ||
395 | endif | |
396 | endif | |
397 | ||
398 | # by Pedro David Marcos | |
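# Phishing lure hosted on a googleapis hostname (Google Cloud Storage etc.):
# the link text says check/click/update/renew/preview while the cleaned URI
# points at *.googleapis.*. "uri_detail" is provided by the URIDetail plugin,
# not AskDNS, so the guard now names the right plugin. With the old AskDNS
# guard the rule silently vanished whenever URIDetail was loaded without
# AskDNS, and lint complained about an unknown directive in the opposite
# case.
399 | ifplugin Mail::SpamAssassin::Plugin::URIDetail | |
400 | uri_detail PDM_URI_GOOGLEAPIS text =~ /check|click|update|renew|preview/i cleaned =~ /\.googleapis\./i | |
401 | describe PDM_URI_GOOGLEAPIS Rule to look for spammy Google API usage | |
402 | score PDM_URI_GOOGLEAPIS 3.0 | |
403 | endif | |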
404 | ||
405 | # by Bill Cole |
# A "/" glued directly in front of a src= or href= attribute name inside a
# tag ("<a foo/href=..."), which browsers tolerate but normal HTML
# generators do not emit -- a sign of hand-obfuscated markup.
# NOTE(review): case-sensitive, so upper-case SRC=/HREF= (valid HTML) is not
# caught; adding /i would widen coverage. Left unchanged here.
406 | describe HTML_BADATTR Illegal char in HTML attribute name | |
407 | rawbody HTML_BADATTR /<[a-z]{1,10}\s[^>]{1,80}\/(src|href)\s*\=/ | |
408 | score HTML_BADATTR 1.0 | |
409 | ||
410 | #RECOMMENDED BY Raymond Dijkxhoorn for SURBL to block abuses on these pages |
# Tell the URIDNSBL plugin to treat these as registrar-boundary-like
# domains, so URIBL/SURBL lookups are made for the customer subdomain (e.g.
# xxx.page.link) rather than the shared parent. That lets an abused
# subdomain be listed without blocking the whole service.
411 | util_rb_3tld ct.sendgrid.net | |
412 | util_rb_2tld page.link | |
413 |