1 # -*- mode: spamassassin -*-
# Local SpamAssassin rule set. Rules below that have no `score` line get
# SpamAssassin's default score (1.0); `__`-prefixed rules are sub-rules that
# only feed `meta` rules and add nothing on their own.
3 # This seems to catch a lot of spam, but not sure about false positives (from airmax.cf)
4 # pasc couldn't find any false positives on the lists he's on
# Fires on the mere presence of an X-Message-Info header, whatever its value.
5 header X_MESSAGE_INFO exists:X-Message-Info
6 score X_MESSAGE_INFO 4.0
8 # Added by pasc 2004/07/08 (sent by abuse@outblaze via karsten)
9 # host no longer exists according to administrator
# Unanchored substring match over the Received: headers (a sender can add
# Received: lines of its own, but this rule only ever adds points).
10 header FAKE_OUTBLAZE_RCVD Received =~ /\.mr\.outblaze\.com/
11 describe FAKE_OUTBLAZE_RCVD Received header contains faked 'mr.outblaze.com'
12 score FAKE_OUTBLAZE_RCVD 3.0
14 # blarson 2005-01-19 (--pasc 2005-01-30)
# Case-insensitive; the pattern requires a space before the colon
# ("tracking number :"), so "tracking number:" does not match.
15 header TRACKING subject =~ /\b(?:tracking|package|shipping|shipment|delivery) number :/i
16 describe TRACKING tracking number
19 # Sent in by blars (20050220) -- applied by pasc
# NOTE(review): the describe text says "geub.de" while the pattern matches
# "gueb.de"; the description looks like a typo (it is shown in reports, so
# correct it deliberately rather than silently).
20 body GUEBDE /http\:\/\/www\.gueb\.de\//
21 describe GUEBDE www.geub.de
# `full` matches the raw message, so quoted/forwarded signature blocks hit
# too. No score line, so the default positive score applies --
# NOTE(review): confirm a PGP-signed message is really meant to gain a point.
25 full PGPSIGNATURE /-----BEGIN PGP SIGNATURE-----/
26 describe PGPSIGNATURE Has a pgp signature (may not be valid, but who cares?)
# Case-sensitive (no /i): only lowercase runs of 6-20 consonants match; 'y'
# is not in the class, so it breaks a run.
30 body WORD_WITHOUT_VOWELS /\b[bcdfghjklmnpqrstvwxz]{6,20}\b/
31 describe WORD_WITHOUT_VOWELS Long word without any vowels
32 score WORD_WITHOUT_VOWELS 1
# NOTE(review): the letter class is a..t then v..z -- 'u' is missing, which
# looks like an omission rather than intent; verify against the source rule
# before changing it.
34 body DIGITS_LETTERS /(([abcdefghijklmnopqrstvwxyz]){1,9}\d{1,4}){2,9}/
35 describe DIGITS_LETTERS Mixed groups of letters followed by numbers
36 score DIGITS_LETTERS 1
38 # From http://www.exit0.us/index.php/FredsRules
39 # Added by pasc 2004/06/20
# Seven `__` sub-rules, each a two-letter combination that is rare in normal
# English text (case-insensitive); they carry no score of their own.
41 body __FVGT_b_OBFU_J /j(b|c|f|g|w)/i
42 body __FVGT_b_OBFU_OTHER /(vj|vk|xj|xk|yy|zf|zj)/i
43 body __FVGT_b_OBFU_Q0 /(j|k|p|q|t|v|w|z)q/i
44 body __FVGT_b_OBFU_Q1 /q(a|f|h|j|k|m|n|s|y)/i
45 body __FVGT_b_OBFU_V /(f|g|q|w)v/i
46 body __FVGT_b_OBFU_X /(c|g|j|k|q|s|v|z)x/i
47 body __FVGT_b_OBFU_Z /(f|j|k|p|q|x)z/i
# Fires when more than one of the seven sub-rules hit. The 0.02 score makes
# this informational (visible in the report) rather than decisive.
48 meta FVGT_m_MULTI_ODD ((__FVGT_b_OBFU_J + __FVGT_b_OBFU_OTHER + __FVGT_b_OBFU_Q0 + __FVGT_b_OBFU_Q1 + __FVGT_b_OBFU_V + __FVGT_b_OBFU_X + __FVGT_b_OBFU_Z) > 1)
49 describe FVGT_m_MULTI_ODD FVGT - contains multiple odd letter combinations
50 score FVGT_m_MULTI_ODD 0.02
# Unanchored, case-sensitive substring of the full From: value (display
# name included); default score.
53 header NEPEYO From =~ /nepeyo\@catlover/
54 describe NEPEYO spamvertizers
57 # cjwatson, 2003/07/28
# Exact (case-sensitive) subject phrase, including the missing space after
# the comma.
58 header MP3_PLAYERS Subject =~ /New mp3 player,usb flash drive/
59 describe MP3_PLAYERS Spam from "HY Tech"
63 header UOSJUNK Subject =~ /UOS online Degree Programme/i
64 describe UOSJUNK Spam from UOS
67 # cjwatson, 2004-02-27
# Either the sales phrase or the domain anywhere in the rendered body.
68 body GAS_MILEAGE /This amazing, revolutionary device|www\.mrev\.biz/
69 describe GAS_MILEAGE Fuel-saving snake oil
# `.?` allows "fuelsaver", "fuel saver", "fuel-saver" etc.
73 body FUELSAVER /fuel.?saver/i
74 describe FUELSAVER Fuel Saver spam
# Case-sensitive: "CableFilterz" would not match.
78 body CABLEFILTERZ /cablefilterz/
79 describe CABLEFILTERZ cablefilterz spam
# Subject starting with "(" followed by digits/slashes and ")", or by "%RND"
# (presumably an unexpanded mailer template placeholder).
83 header PARENNUM subject =~ /^\(\s*([0-9\/]+\)|\%RND)/
84 describe PARENNUM paren number in subject
88 # bounces our bounces.... (had negative score)
# NOTE(review): there is no score line here any more, so the default
# positive score applies; the comment above suggests it was once negative --
# confirm which is intended.
89 header COVADRT X-RT-Loop-Prevention =~ /^Covad$/
90 describe COVADRT Covad request tracker bounces
# NOTE(review): a negative score keyed on a From: address is effectively a
# per-sender allowlist, and From: is trivially forgeable -- anything claiming
# this address gets -2. The unescaped dot in "terra.es" is harmless here.
94 header ROBERTOJIMENOCA from =~ /ROBERTOJIMENOCA\@terra\.es/
95 describe ROBERTOJIMENOCA ROBERTOJIMENOCA sends spammy looking messages
96 score ROBERTOJIMENOCA -2
99 header TURBOPRO subject =~ /\bturbonet pro\b/i
100 describe TURBOPRO dialup accelerator spam
# Subject that ends in "Re:" / "Re[3]:" with nothing after it. The leading
# \s means a subject consisting only of "Re:" needs whitespace before it --
# NOTE(review): check how SA presents leading whitespace of header values.
104 header RESUBJECT subject =~ /\sRe(?:\[\d+\])?:\s*$/i
105 describe RESUBJECT re nothing
108 # blarson 2004-10-22 2007-07-18 up score
# Subject present but empty or whitespace-only. No score line, so the
# "up score" above is not reflected here -- NOTE(review): confirm. Whether a
# *missing* Subject header also fires depends on SA's unset-header handling.
109 header NOSUBJECT subject =~ /^\s*$/
110 describe NOSUBJECT No subject
# MIME boundary prefix anywhere in the raw message.
# NOTE(review): this boundary style is also emitted by some widely used mail
# clients -- verify the false-positive rate before relying on it.
114 full NEXTPART /\-\=\_NextPart\_000\_/
115 describe NEXTPART spammer mime separator
118 # blarson 2006-10-17 2009-04-30
# Any "Content-Type: image..." line anywhere in the raw message, so a single
# inline picture (or a quoted one) is enough.
119 full CT_IMAGE /Content\-Type\:\s*image/i
120 describe CT_IMAGE Picture attached
123 # blarson 2006-12-01 (score so low since it will also hit CT_IMAGE)
124 header CT_IMAGE_HEAD content-type =~ /image/
125 describe CT_IMAGE_HEAD entire message is image
126 score CT_IMAGE_HEAD 2.5
# NOTE(review): /A-Z/ is the literal three characters "A-Z", not a character
# class -- as written this rule almost never fires. The intent was probably
# /[A-Z]/ (Thread-Index values are base64-like), but that would hit most
# Outlook/Exchange mail at 1.5 points, so decide deliberately before fixing.
130 header THREADINDEX Thread-Index =~ /A-Z/
131 describe THREADINDEX thread-index header on spam
132 score THREADINDEX 1.5
# Case-sensitive "For - 123" style subjects.
135 header FORDASH subject =~ /\bFor \- \d+/
136 describe FORDASH for dash
# Raw RFC 2047 encoded-word prefix for KOI8-R.
# NOTE(review): KOI8-R is a Russian/Cyrillic charset, not Korean -- the rule
# name and description are misleading (renaming changes the rule identity,
# so update the describe text at least).
140 header KOREAN subject =~ /\=\?koi8\-r/
141 describe KOREAN Korean Character set spam
# "fwd: <single word>" and nothing else; case-sensitive.
145 header FWDNAME subject =~ /fwd\: \w+\s*$/
146 describe FWDNAME fwd: name spam
# Rendered body that is nothing but a number.
150 body NUMONLY /^\s*\d+\s*$/
151 describe NUMONLY number only body
# One specific (forgeable) User-Agent version string.
155 header THUNDERB User-Agent =~ /^Thunderbird 1\.5\.0\.10/
156 describe THUNDERB spam missing content
161 header FAILNOTE subject =~ /Failure notice\:/
162 describe FAILNOTE bounced spam
# NOTE(review): two things limit this `full` rule: `^` without /m anchors at
# the start of the whole raw message (unless SA applies /m here), and `\b`
# right after ";" needs a word character next, so "inline; filename=" with
# a space does not match. Verify it fires on real samples.
166 full CTINLINE /^Content\-Disposition\: inline\;\b/
167 describe CTINLINE Inline attachment
# The misspelling "verifcation" is part of the pattern and matches only
# that spelling -- leave it unless the spam sample says otherwise.
171 body BOXTRAPPER /^This message is a reply to a boxtrapper verifcation message\./
172 describe BOXTRAPPER boxtrapper spam
176 body PROMOCODE /^promo code\:/i
177 describe PROMOCODE promo code
181 body XLMAN /\bwww\.xl\-man\.net\b/
182 describe XLMAN xl-man spam
# Deliberately matches the "costumer" misspelling (phishing text), case-
# sensitive.
186 body COSTUMER /^Dear costumer\b/
187 describe COSTUMER paypal scam
191 body PRIVATE /^Your private and confidential message is attached\./
192 describe PRIVATE private message
# Matches the RFC 3834 values "auto-generated" / "auto-replied" but not
# "no"; default score.
196 header AUTOGENERATE auto-submitted =~ /auto/i
197 describe AUTOGENERATE auto generated crap
201 body PRIVPDF /^All our private messages are in pdf format/
202 describe PRIVPDF private pdf
# Any non-empty X-Autorespond header.
206 header AUTORESPOND X-Autorespond =~ /./
207 describe AUTORESPOND Automatic response
# Case-sensitive substring "autors" of X-Mailer.
210 header AUTOMAILER X-Mailer =~ /autors/
211 describe AUTOMAILER Auto response mailer
215 header OUTOFOFFICE_SUB subject =~ /Out_of_Office/
216 describe OUTOFOFFICE_SUB broken autoresponder
217 score OUTOFOFFICE_SUB 6
219 body OUTOFOFFICE /out of the office/i
220 describe OUTOFOFFICE Out of the office
# NOTE(review): "will be back" is an ordinary phrase ("I will be back on
# Monday"), and this scores 3 on any body containing it, not only on
# autoresponders -- verify the false-positive rate.
223 body OUTOFOFFICE_BACK /will be back/i
224 describe OUTOFOFFICE_BACK Out of the office
225 score OUTOFOFFICE_BACK 3
227 # blarson 2007-08-01 \w was too broad 2007-08-12 add dash, at least 3 digits
# Letter or "!" (optionally a dash) immediately followed by 3+ digits at
# the end of the subject.
228 header SUBENDNUM subject =~ /[a-zA-Z!]-?\d{3,}$/
229 describe SUBENDNUM Subject ends in word989
233 body PRIVMES /^You have been sent a private message/
234 describe PRIVMES more pdf spam
# Requires "mixed;" with no space before the boundary parameter, and a
# boundary of 4+ dashes followed by 4+ digits.
238 header MIXEDBDN Content-Type =~ /multipart\/mixed\;.*boundary\=\"\-{4,}\d{4,}\"/
239 describe MIXEDBDN more pdf spam
# "<digit>.zip" anywhere in the subject.
243 header DOTZIP subject =~ /\d\.zip\b/
244 describe DOTZIP zip spam
# Very specific header layout: ";charset=iso-8859-1;" with no spaces and a
# "----=_<8+ digits>_<4+ digits>" boundary.
248 header MIXED2 Content-Type =~ /multipart\/mixed\;charset\=iso\-8859\-1\;.*boundary\=\"\-\-\-\-\=\_\d{8,}\_\d{4,}\"/
249 describe MIXED2 more pdf spam
253 header KEYENCE From =~ /KEYENCE CORPORATION/
254 describe KEYENCE opt out spam
258 header NOSUB subject =~ /\(No Subject\)$/i
259 describe NOSUB explicity no subject
# Needs a ";" directly after "application/pdf" (i.e. a parameter follows).
263 header CTPDF Content-Type =~ /\bapplication\/pdf\;/i
264 describe CTPDF more pdf spam
268 header JAPSUB subject =~ /\=\?iso\-2022\-jp/i
269 describe JAPSUB subject in japanese
# NOTE(review): X-MS-Has-Attach: yes is set by ordinary Outlook/Exchange
# mail with attachments -- this adds a default point to all of it; verify.
273 header XMSATT X-MS-Has-Attach =~ /yes/i
274 describe XMSATT more pdf spam
283 header XJ2ID X-J2Id =~ /\d+/
284 describe XJ2ID fax bounce
# 30+ word characters in a row (\d is already inside \w).
288 header LONGWORD subject =~ /\b[\w\d]{30,}/i
289 describe LONGWORD long word in subject
293 header TESTIMONIAL subject =~ /\btestimonial/i
294 describe TESTIMONIAL testimonials
# "it`s" with a backtick instead of an apostrophe.
# NOTE(review): no describe line for ITXS; add one (spamassassin --lint
# reports rules without a description).
298 header ITXS subject =~ /\bit\`s\b/i
# `\s+` requires whitespace after the colon, so "font-size:1px" (no space)
# is not caught.
303 rawbody TINYFONT /\bFONT-SIZE\:\s+[123]px\;/i
304 describe TINYFONT tiny font specified
# Any "filename=...zip" in the raw message; no score line, so it also adds
# a default point on its own when used by the FAX_ATTACHMENT meta rule.
308 full ZIPFILE /\bfilename\=.*\.zip\b/i
309 describe ZIPFILE zipfile attachment
# NOTE(review): depends on SA keeping leading whitespace of the header value
# when matching -- verify this can fire at all.
313 header SPACESUB subject =~ /^\s\w/
314 describe SPACESUB extra space before subject
# NOTE(review): two problems. (1) The header name carries a trailing colon
# ("X-Yahoo-Newman-Property:"), which is probably not what SA expects for a
# header rule -- verify it matches anything. (2) A second rule named
# YAHOOCALENDAR is defined further down in this file (X-Yahoo-Calendar-IId,
# score 5); SA keeps one definition per name, so one of the two is silently
# discarded. Rename one of them (e.g. the later one to YAHOOCALENDAR_IID).
318 header YAHOOCALENDAR X-Yahoo-Newman-Property: =~ /calendar-invite/i
319 describe YAHOOCALENDAR Calendar invite from yahoo; broken captcha
320 score YAHOOCALENDAR 4
323 header BOUNDARYID content-type =~ /\bboundary\=\"Boundary_\(ID_/
324 describe BOUNDARYID spamware boundary
# Bare token rules, default score.
328 body GBKXWFLXF /\bgbkxwflxf\b/
329 describe GBKXWFLXF gbkxwflxf
333 body LUKSUS /\bluksus\b/i
335 describe LUKSUS Luksus
337 # disabled by don; was causing false positives
338 # probably needs to be modified to check if it really is ironport
340 # header XIRONPORT X-IronPort-Anti-Spam-Filtered =~ /true/
341 # describe XIRONPORT claims to be ironport filtered
342 # score XIRONPORT 2.5
345 header AUTORESPON subject =~ /Auto_response/
346 describe AUTORESPON Auto_response
# Any non-empty X-WUM-TO header.
350 header XWUM x-wum-to =~ /./
351 describe XWUM X-WUM-TO
355 # compensate false-positives for 140.Red-80-25-20.staticIP.rima-tde.net and stuff
# NOTE(review): -5 on an unanchored Received: substring is a bypass: any
# sender can add a Received: line containing "staticIP.rima-tde.net" before
# handing the message to our relays. Restrict this to the Received: line
# added by a trusted relay (SA's trusted_networks / the last-external hop)
# or drop the rule.
356 header STATIC_RIMA_TDE received =~ /staticIP\.rima-tde\.net/
357 describe STATIC_RIMA_TDE static IP from rima-tde.net
358 score STATIC_RIMA_TDE -5
360 # cord 2008-11-30 # compensate LDO_SUBSCRIBER bonus for Forum2Mail-Gw
# Positive (default) score: cancels part of a bonus granted elsewhere.
361 full NABBLE /lists\@nabble\.com/
362 describe NABBLE sent through nabble.com
# NOTE(review): the character after the backslash in this pattern, and the
# truncated describe text, look like an "&nbsp;" entity that was decoded
# during rendering (pattern "(&nbsp;){3,}", describe "Lots of &nbsp;").
# As shown here the rule matches three or more plain spaces anywhere in the
# raw message -- check the repository copy before using this listing.
366 full HTML_NBSP /(\ ){3,}/
367 describe HTML_NBSP Lots of
# Obfuscated "dentist" / "doctor" with an optional filler character.
# NOTE(review): also matches e.g. "Doctorate"/"Proctor" -- check FP rate.
371 header ENTIST subject =~ /(?:e.?entist|o.?ctor)/i
372 describe ENTIST (D)entit/(D)octor
# NOTE(review): any non-empty Thread-Topic header, which Outlook/Exchange
# set on ordinary mail -- a default point on a lot of legitimate traffic.
375 header THREADTOPIC thread-topic =~ /./i
376 describe THREADTOPIC Has a thread topic header
380 # replacing old aol-rules from rc.spam
# NOTE(review): all four AOL rules are unanchored and match the whole From:
# value, display name included. Read literally: rule 1 needs any digit
# before the "@"; rule 2 needs 10+ characters before it; rule 3's ".?.?" is
# optional, so it matches *every* aol.com sender; rule 4 needs any
# non-alphanumeric character (a space or quote in the display name will
# do). Together they add roughly 4 default points to almost any mail from
# aol.com. Anchor them and match `from:addr` (address only) if the intent
# is to look at the local part.
382 header AOL_SPAM1 from =~ /[0-9].*\@([^\@]+\.)?aol\.com/i
383 describe AOL_SPAM1 possible AOL-pretending spam, matching rule 1
386 header AOL_SPAM2 from =~ /...........*\@([^\@]+\.)?aol\.com/i
387 describe AOL_SPAM2 possible AOL-pretending spam, matching rule 2
390 header AOL_SPAM3 from =~ /.?.?\@([^\@]+\.)?aol\.com/i
391 describe AOL_SPAM3 possible AOL-pretending spam, matching rule 3
394 header AOL_SPAM4 from =~ /[^a-zA-Z0-9]+.*\@([^\@]+\.)?aol\.com/i
395 describe AOL_SPAM4 possible AOL-pretending spam, matching rule 4
# NOTE(review): the bare word "webmail" in any body is common in legitimate
# mail (signatures, support replies) -- verify FP rate.
399 body WEBMAIL /\bwebmail\b/i
400 describe WEBMAIL webmail
404 header REFNO subject =~ /\bref no\b/i
405 describe REFNO Ref No
# The empty alternative in the second group makes the sub-domain optional,
# so plain "info@co.uk" style addresses match as well as "lotto@yahoo.com".
409 header INFOCOUK to =~ /\b(?:info|winner|loan|lotto|grant|win)\@(?:info\.|winner\.|loan\.|lotto\.|hotmail\.|grant\.|win\.|yahoo\.|)(?:co\.uk|net|com|org)\b/
410 describe INFOCOUK to info@co.uk
# Unsubscribe addresses at known list-seller domains; the trailing "\.\b"
# needs a word character after the dot (the TLD).
414 body EXITAT /\b(?:exit|rembox)\@(?:datalistsource|listsourcesworld|BestAccurateReliable|expertdatasystems|bestbizlists)\.\b/i
415 describe EXITAT exit@datalistsource.com
# NOTE(review): any recipient "info@<anything>" gets a point; if this site
# legitimately receives mail at an info@ address this is a constant FP.
419 header TOINFO to =~ /\binfo\@/
420 describe TOINFO to info@
424 header CONSTCONTACT X-Mailer =~ /Constant Contact/i
425 describe CONSTCONTACT Mail comming from constant contact, which doesn't require double opt-in
# Both components keep their own default points, so this meta adds a third.
429 meta CTBDN (CT_IMAGE && MIXEDBDN)
430 describe CTBDN CT_IMAGE && MIXEDBDN
434 body NUMEMAIL /\d{3,}\s+emails?/i
435 describe NUMEMAIL Mail which mentions some number of e-mail addresses
# NOTE(review): duplicate rule name -- YAHOOCALENDAR is already defined
# earlier in this file (X-Yahoo-Newman-Property, score 4). SA keeps a single
# definition per name, so one of the two is silently dropped; rename this
# one (e.g. YAHOOCALENDAR_IID) and its describe/score lines. The header name
# also carries a trailing colon, as the earlier one does -- verify it matches.
439 header YAHOOCALENDAR X-Yahoo-Calendar-IId: =~ /./
440 describe YAHOOCALENDAR Mail comming from yahoo calendar, which spams us with updates
441 score YAHOOCALENDAR 5
444 header TLOTTERY subject =~ /Ticket no: [0-9]+/i
445 describe TLOTTERY Lottery spam
449 header GLOTTERY subject =~ /Google_L_o_t_t_e_r_y_W_i_n_n_e_r_s/i
450 describe GLOTTERY Google Lottery spam
454 header DOTNET subject =~ /Planning a Website Design\? Updates/
455 describe DOTNET .NET Spam
# Typical unsubscribe local-parts followed by an optional space and "@";
# case-sensitive.
459 body REMBOX /\b(?:rembo[xt]|disappear|stopping|delrem|remfiles?|exit|takemeoff|offthelist|purgefile)\s?\@/
460 describe REMBOX rembox
463 # formorer 2010-01-23
# 15 or more comma-separated recipients (each token followed by ", ").
464 header LONGTO to =~ /([\S]+, ){15,}/
465 describe LONGTO very long To line
468 # formorer 2010-01-25
469 header VAULAS subject =~ /cursos video aulas video/i
470 describe VAULAS some spanish video spam
# "www." anywhere in the From: value (display name included).
474 header FROMWWW from =~ /\bwww\./i
475 describe FROMWWW from www.whatever
479 header FROMCASINO from =~ /\bcasino/i
480 describe FROMCASINO from casino
# Low-weight building block for RTF_SPAM below.
484 header CTOCTET_STREAM Content-Type =~ /octet-stream/i
485 describe CTOCTET_STREAM Content type is octet-stream
486 score CTOCTET_STREAM 0.5
# NOTE(review): `^` in a `full` rule anchors at the start of the whole raw
# message unless SA applies /m, so this would only see a Content-Disposition
# line that is the very first line -- verify it fires on real samples
# (RTF_SPAM depends on it).
488 full RTF_ATTACH /^Content-Disposition:.+name=.+\.(rtf|doc)/i
489 describe RTF_ATTACH Contains an RTF or DOC Attachment
# Both components also score on their own (0.5 + default 1.0).
492 meta RTF_SPAM CTOCTET_STREAM && RTF_ATTACH
493 describe RTF_SPAM Content type is octet-stream and has an RTF Attachment
# Subject of the form "word 1 2" (word of 3+ chars, then two single digits).
497 header WORDDIGDIG subject =~ /^\w{3,}\s+\d\s\d\s*$/
498 describe WORDDIGDIG Word digit digit subject
# "[ <16 lowercase alnum chars>] " at the start of the subject; no /i, so an
# uppercase token does not match.
502 header BRACE_SUBJECT Subject =~ /^\[\ [a-z0-9]{16}]\ /
503 describe BRACE_SUBJECT 16 length word in braces in the subject
504 score BRACE_SUBJECT 4
506 # formorer 2011-08-12
507 header COMPTESFR subject =~ /concernant Compte SFR/i
508 describe COMPTESFR concernant Compte SFR
511 # formorer 2012-02-02
512 header BACKTOME subject =~ /Please get back to me/i
513 describe BACKTOME Phrase get back to me
516 # formorer 2012-12-10
517 header STEEL subject =~ /stainless steel cookware/i
518 describe STEEL who need steel cookware?
# NOTE(review): the bare word "singles" also appears in legitimate subjects
# (sports, music, spreadsheets) -- check FP rate.
522 header SINGLES subject =~ /\bsingles\b/i
523 describe SINGLES singles
# Any non-empty X-CMAE-OUT-Score header.
526 header CMAEOUT X-CMAE-OUT-Score =~ /.+/
527 describe CMAEOUT Cmae out
531 body FBPHOTO /\b(photo|pict?|image)\s+on\s+(fb|facebook)\b/i
532 describe FBPHOTO facebook photo
535 header TRADEME subject =~ /Can you afford not to trade/
536 describe TRADEME we don't trade
# NOTE(review): PHPMailer is used by many legitimate web applications
# (notifications, password resets); a default point on every such mail is
# worth re-checking.
540 header PHPMAILER X-Mailer =~ /PHPMailer/
541 describe PHPMAILER X-Mailer: PHPMailer
544 # formorer 2013-11-24
545 header FROMTWOO from =~ /twoomail\.com/i
546 describe FROMTWOO from twoomail
549 # formorer 2014-07-31
550 header FROMCHICEXECS from =~ /ChicExecs/i
551 describe FROMCHICEXECS from ChicExecs
552 score FROMCHICEXECS 3
554 # formorer 2014-08-06
# Display-name match (From: is forgeable, but this only adds points).
555 header LHELMOND from =~ /Luke Helmond/i
556 describe LHELMOND from Luke Helmond
559 # formorer 2014-08-06
# NOTE(review): MailChimp carries a lot of opted-in newsletters; a default
# point on all of it may be more than intended.
560 header MAILCHIMP X-Mailer =~ /MailChimp Mailer/i
561 describe MAILCHIMP X-Mailer: MailChimp Mailer
564 # formorer 2014-08-29
565 body AVERMITTLUNG /Arbeitsvermittlungsagentur/i
566 describe AVERMITTLUNG Arbeitsvermittlungsagentur
569 # formorer 2014-08-29
570 body BEWSCHREIBEN /Bewerbungsschreiben/i
571 describe BEWSCHREIBEN Bewerbungsschreiben
574 # formorer 2014-08-30
575 header FREELNCMR subject =~ /Freelancer Online Marketing/
576 describe FREELNCMR Freelancer Online Marketing
579 # formorer 2014-09-03
580 header SOLUCIONESAMB subject =~ /SOLUCIONES AMBIENTALES: FIN AL MAL OLOR CON ENZILIMP/
581 describe SOLUCIONESAMB SOLUCIONES AMBIENTALES: FIN AL MAL OLOR CON ENZILIMP
582 score SOLUCIONESAMB 5
584 # formorer 2014-11-17
585 header LYMBOO from =~ /\@lymboomail/
586 describe LYMBOO lymboomail learning spam
589 # formorer 2015-05-14
# Unescaped dots in the next two domain patterns match any character;
# harmless, but escape them if the rules are ever tightened.
590 header LEARDINI from =~ /\@leardinigroup.com/
591 describe LEARDINI Microbiologia (SIM) spam
# Building block for FAX_ATTACHMENT; keeps its own default point.
595 header INTERFAX from =~ /\@interfax.net/
596 describe INTERFAX Interfax spam
# Building block for FAX_ATTACHMENT; "fax" anywhere in the subject also
# scores a default point on its own (e.g. genuine fax notifications).
600 header FAX_SUBJECT subject =~ /fax/i
601 describe FAX_SUBJECT Interfax spam subject
# Zip attachment + "fax" subject + interfax.net sender. ZIPFILE (defined
# earlier in this file), FAX_SUBJECT and INTERFAX have no score lines, so
# a hit totals 10 + 3 default points, i.e. effectively a block.
604 meta FAX_ATTACHMENT ZIPFILE && FAX_SUBJECT && INTERFAX
605 describe FAX_ATTACHMENT Interfax fax attachment
606 score FAX_ATTACHMENT 10