1 # This seems to catch a lot of spam, but not sure about false positive (from airmax.cf)
2 # pasc couldn't find any false positives on the lists he's on
3 header X_MESSAGE_INFO exists:X-Message-Info
4 score X_MESSAGE_INFO 4.0
6 # Added by pasc 2004/07/08 (sent by abuse@outblaze via karsten)
7 # host no longer exists according to administrator
8 header FAKE_OUTBLAZE_RCVD Received =~ /\.mr\.outblaze\.com/
9 describe FAKE_OUTBLAZE_RCVD Received header contains faked 'mr.outblaze.com'
10 score FAKE_OUTBLAZE_RCVD 3.0
12 # blarson 2005-01-19 (--pasc 2005-01-30)
13 header TRACKING subject =~ /\b(?:tracking|package|shipping|shipment|delivery) number :/i
14 describe TRACKING tracking number
17 # Sent in by blars (20050220) -- applied by pasc
18 body GUEBDE /http\:\/\/www\.gueb\.de\//
19 describe GUEBDE www.geub.de
23 # TODO: The rules below seem to be very similar; possibly fix them.
25 # These might trip up on non-english lists. We'll see.
26 # They're fucking up on GPG signatures
27 body MURPHY_WRONG_WORD1 /[bcdfghjklmnpqrstvwxz]{7,}/i
28 score MURPHY_WRONG_WORD1 0.1
30 body MURPHY_WRONG_WORD2 /[bcdfghjklmnpqrstvwxz]{6,}/i
31 score MURPHY_WRONG_WORD2 0.2
33 #Impronounceable. Need to check this one for accuracy (from airmax.cf)
34 body IMPRONONCABLE_1 /([bcdfghjklmnpqrstvwxz]){6,20}/
35 describe IMPRONONCABLE_1 Some words aren't easy to pronounce (too much vowels)
36 body IMPRONONCABLE_2 /(([abcdefghijklmnopqrstvwxyz]){1,9}\d{1,4}){2,9}/
37 describe IMPRONONCABLE_2 Some words aren't easy to pronounce (mixed numbers and lower-case letters)
39 # From http://www.exit0.us/index.php/FredsRules
40 # Added by pasc 2004/06/20
42 body __FVGT_b_OBFU_J /j(b|c|f|g|w)/i
43 body __FVGT_b_OBFU_OTHER /(vj|vk|xj|xk|yy|zf|zj)/i
44 body __FVGT_b_OBFU_Q0 /(j|k|p|q|t|v|w|z)q/i
45 body __FVGT_b_OBFU_Q1 /q(a|f|h|j|k|m|n|s|y)/i
46 body __FVGT_b_OBFU_V /(f|g|q|w)v/i
47 body __FVGT_b_OBFU_X /(c|g|j|k|q|s|v|z)x/i
48 body __FVGT_b_OBFU_Z /(f|j|k|p|q|x)z/i
49 meta FVGT_m_MULTI_ODD ((__FVGT_b_OBFU_J + __FVGT_b_OBFU_OTHER + __FVGT_b_OBFU_Q0 + __FVGT_b_OBFU_Q1 + __FVGT_b_OBFU_V + __FVGT_b_OBFU_X + __FVGT_b_OBFU_Z) > 1)
50 describe FVGT_m_MULTI_ODD FVGT - contains multiple odd letter combinations
51 score FVGT_m_MULTI_ODD 0.02
54 header NEPEYO From =~ /nepeyo\@catlover/
55 describe NEPEYO spamvertizers
58 # cjwatson, 2003/07/28
59 header MP3_PLAYERS Subject =~ /New mp3 player,usb flash drive/
60 describe MP3_PLAYERS Spam from "HY Tech"
64 header UOSJUNK Subject =~ /UOS online Degree Programme/i
65 describe UOSJUNK Spam from UOS
68 # cjwatson, 2004-02-27
69 body GAS_MILEAGE /This amazing, revolutionary device|www\.mrev\.biz/
70 describe GAS_MILEAGE Fuel-saving snake oil
74 body FUELSAVER /fuel.?saver/i
75 describe FUELSAVER Fuel Saver spam
79 body CABLEFILTERZ /cablefilterz/
80 describe CABLEFILTERZ cablefilterz spam
84 header PARENNUM subject =~ /^\(\s*([0-9\/]+\)|\%RND)/
85 describe PARENNUM paren number in subject
89 # bounces our bounces.... (had negitive score)
90 header COVADRT X-RT-Loop-Prevention =~ /^Covad$/
91 describe COVADRT Covad request tracker bounces
95 header ROBERTOJIMENOCA from =~ /ROBERTOJIMENOCA\@terra\.es/
96 describe ROBERTOJIMENOCA ROBERTOJIMENOCA sends spammy looking messages
97 score ROBERTOJIMENOCA -2
100 header TURBOPRO subject =~ /\bturbonet pro\b/i
101 describe TURBOPRO dialup accelerator spam
105 header RESUBJECT subject =~ /\sRe(?:\[\d+\])?:\s*$/i
106 describe RESUBJECT re nothing
109 # blarson 2004-10-22 2007-07-18 up score
110 header NOSUBJECT subject =~ /^\s*$/
111 describe NOSUBJECT No subject
115 full NEXTPART /\-\=\_NextPart\_000\_/
116 describe NEXTPART spammer mime separator
120 full CT_IMAGE /Content\-Type\:\s*image/i
121 describe CT_IMAGE Picture attached
124 # blarson 2006-12-01 (score so low since it will also hit CT_IMAGE)
125 header CT_IMAGE_HEAD content-type =~ /image/
126 describe CT_IMAGE_HEAD entire message is image
127 score CT_IMAGE_HEAD 2.5
131 header THREADINDEX Thread-Index =~ /A-Z/
132 describe THREADINDEX thread-index header on spam
133 score THREADINDEX 1.5
136 header FORDASH subject =~ /\bFor \- \d+/
137 describe FORDASH for dash
141 header KOREAN subject =~ /\=\?koi8\-r/
142 describe KOREAN Korean Character set spam
146 header FWDNAME subject =~ /fwd\: \w+\s*$/
147 describe FWDNAME fwd: name spam
151 body NUMONLY /^\s*\d+\s*$/
152 describe NUMONLY number only body
156 header THUNDERB User-Agent =~ /^Thunderbird 1\.5\.0\.10/
157 describe THUNDERB spam missing content
162 header FAILNOTE subject =~ /Failure notice\:/
163 describe FAILNOTE bounced spam
167 rawbody CTINLINE /^Content\-Disposition\: inline\;\b/
168 describe CTINLINE Inline attachment
172 body BOXTRAPPER /^This message is a reply to a boxtrapper verifcation message\./
173 describe BOXTRAPPER boxtrapper spam
177 body PROMOCODE /^promo code\:/i
178 describe PROMOCODE promo code
182 body XLMAN /\bwww\.xl\-man\.net\b/
183 describe XLMAN xl-man spam
187 body COSTUMER /^Dear costumer\b/
188 describe COSTUMER paypal scam
192 body PRIVATE /^Your private and confidential message is attached\./
193 describe PRIVATE private message
197 header AUTOGENERATE auto-submitted =~ /auto/i
198 describe AUTOGENERATE auto generated crap
202 body PRIVPDF /^All our private messages are in pdf format/
203 describe PRIVPDF private pdf
207 header AUTORESPOND X-Autorespond =~ /./
208 describe AUTORESPOND Automatic response
211 header AUTOMAILER X-Mailer =~ /autors/
212 describe AUTOMAILER Auto response mailer
216 header OUTOFOFFICE_SUB subject =~ /Out_of_Office/
217 describe OUTOFOFFICE_SUB broken autoresponder
218 score OUTOFOFFICE_SUB 6
220 body OUTOFOFFICE /out of the office/i
221 describe OUTOFOFFICE Out of the office
224 # blarson 2007-08-01 \w was too broad 2007-08-12 add dash, at least 3 digits
225 header SUBENDNUM subject =~ /[a-zA-Z!]-?\d{3,}$/
226 describe SUBENDNUM Subject ends in word989
230 body PRIVMES /^You have been sent a private message/
231 describe PRIVMES more pdf spam
235 header MIXEDBDN Content-Type =~ /multipart\/mixed\;.*boundary\=\"\-{4,}\d{4,}\"/
236 describe MIXEDBDN more pdf spam
240 header DOTZIP subject =~ /\d\.zip\b/
241 describe DOTZIP zip spam
245 header MIXED2 Content-Type =~ /multipart\/mixed\;charset\=iso\-8859\-1\;.*boundary\=\"\-\-\-\-\=\_\d{8,}\_\d{4,}\"/
246 describe MIXED2 more pdf spam
250 header KEYENCE From =~ /KEYENCE CORPORATION/
251 describe KEYENCE opt out spam
255 header NOSUB subject =~ /\(No Subject\)$/i
256 describe NOSUB explicity no subject
260 header CTPDF Content-Type =~ /\bapplication\/pdf\;/i
261 describe CTPDF more pdf spam
265 header JAPSUB subject =~ /\=\?iso\-2022\-jp/i
266 describe JAPSUB subject in japanese
270 header XMSATT X-MS-Has-Attach =~ /yes/i
271 describe XMSATT more pdf spam
280 header XJ2ID X-J2Id =~ /\d+/
281 describe XJ2ID fax bounce
285 header LONGWORD subject =~ /\b[\w\d]{30,}/i
286 describe LONGWORD long word in subject
290 header TESTIMONIAL subject =~ /\btestimonial/i
291 describe TESTIMONIAL testimonials
295 header ITXS subject =~ /\bit\`s\b/i
300 rawbody TINYFONT /\bFONT-SIZE\:\s+[123]px\;/i
301 describe TINYFONT tiny font specified
305 rawbody ZIPFILE /\bfilename\=.*\.zip\b/i
306 describe ZIPFILE zipfile attachment
310 header SPACESUB subject =~ /^\s\w/
311 describe SPACESUB extra space before subject
315 header YAHOOCALENDAR X-Yahoo-Newman-Property: =~ /calendar-invite/i
316 describe YAHOOCALENDAR Calendar invite from yahoo; broken captcha
317 score YAHOOCALENDAR 4
320 header BOUNDARYID content-type =~ /\bboundary\=\"Boundary_\(ID_/
321 describe BOUNDARYID spamware boundary