1 # SARE Spoof Ruleset for SpamAssassin
5 # Changes: Various Updates
6 # License: Artistic - see http://www.rulesemporium.com/license.txt
7 # Current Maintainer: Fred Tarasevicius - tech2@i-is.com
8 # Current Home: http://www.rulesemporium.com/rules/70_sare_spoof.cf
9 # Comments: To counter whitelists, some rules have extra meta rules to score 100 to override whitelist_from's.
# META RULES USED BY MULTIPLE RULES:
# __URI_IS_IP: a dotted-quad followed by "/" anywhere in a URI. There is no
# range check on the octets (999.999.999.999/ also matches) and the quad may
# sit in the path or query rather than the host. IPv6 literals are not
# covered, and a host with no trailing "/" (e.g. followed by ":port") may
# not match depending on how SpamAssassin canonicalizes the URI - confirm.
uri __URI_IS_IP /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\//
# The following NICE rules can be enabled if you choose; they work for me, adjust scores as needed.
# SARE_LEGIT_PAYPAL gives a tiny negative score to mail that carries all three
# PayPal signals (From, URI and a matching Received header). The sub-rules it
# references are defined further down in this file; SpamAssassin resolves
# meta dependencies file-wide, so definition order does not matter.
meta SARE_LEGIT_PAYPAL (__FROM_PAYPAL && __URI_PAYPAL && __RCVD_PAYPAL)
describe SARE_LEGIT_PAYPAL Has signs it's from paypal, from, headers, uri
score SARE_LEGIT_PAYPAL -0.01

# eBay equivalent, shipped disabled; uncomment all three lines to enable it.
#meta SARE_LEGIT_EBAY (__FROM_EBAY && __URI_EBAY && __RCVD_EBAY)
#describe SARE_LEGIT_EBAY Has signs it's from ebay, from, headers, uri
#score SARE_LEGIT_EBAY -0.01
# Simple test recommended by jdow from SA-users list.
# Fires when the From: display name says "ebay" but the address is not at one
# of the eBay country domains listed in __EBAY_ADDRESS. That list is a
# positive allow-list: a genuine eBay sender using a domain not listed here
# will trigger the rule, so extend the list rather than lowering the score
# if you see false positives.
header __EBAY_FRM_NAME From:name =~ /\bebay\b/i
header __EBAY_ADDRESS From:addr =~ /[\@\.]ebay\.(?:com(?:\.au|\.cn|\.hk|\.my|\.sg)?|co\.uk|at|be|ca|fr|de|in|ie|it|nl|ph|pl|es|se|ch)/i
meta SARE_EBAY_SPOOF_NAME (__EBAY_FRM_NAME && !__EBAY_ADDRESS)
score SARE_EBAY_SPOOF_NAME 0.94
# Display name mentions Visa while the address part does not.
# /visa/i carries no word boundary, so names such as "Advisa" or "Visalia"
# also match; the low score reflects that. The #counts lines below appear to
# refer to an earlier name of this rule (FM_NAME_VISA_FORGE).
header __SARE_NAME_VISA From:name =~ /visa/i
header __SARE_ADDR_VISA From:addr =~ /visa/i
meta SARE_FORGE_NAME_VISA (__SARE_NAME_VISA && !__SARE_ADDR_VISA)
score SARE_FORGE_NAME_VISA 0.399
#counts FM_NAME_VISA_FORGE 1s/0h of 12260 corpus (6588s/5672h CT) 03/17/06
#counts FM_NAME_VISA_FORGE 18s/0h of 22976 corpus (17263s/5713h MY) 03/17/06
#counts FM_NAME_VISA_FORGE 3s/0h of 103688 corpus (96287s/7401h FVGT) 03/17/06
#counts FM_NAME_VISA_FORGE 43s/0h of 108996 corpus (71372s/37624h DOC) 03/17/06
# Flagstar: From and a flagstar.com URI present, but no Received header
# mentions flagstar.com. __FROM_FLAGSTAR is tested against the whole From:
# header, so the display name counts as well as the address.
uri __SPOOF_FLAGS /flagstar\.com/i
header __FROM_FLAGSTAR From =~ /\bflagstar\.com/i
header __RCVD_FLAGSTAR Received =~ /\bflagstar\.com/i
meta SARE_SPOOF_FLAGSTAR (__SPOOF_FLAGS && __FROM_FLAGSTAR && !__RCVD_FLAGSTAR)
score SARE_SPOOF_FLAGSTAR 3.667
#counts SARE_SPOOF_FLAGSTAR 1s/0h of 42564 corpus (34322s/8242h FVGT) 05/26/06
# Try to identify USBank.com e-mail
# Same From + URI + no-matching-Received shape as the rules below. Note the
# Received pattern has no leading "\." or "\b", so any host name that merely
# ends in "usbank.com" satisfies it.
header __RCVD_USBANK Received =~ /usbank\.com/i
header __FROM_USBANK From =~ /usbank\.com/i
uri __URI_USBANK /usbank\.com/i
meta SARE_FORGED_USBANK (__FROM_USBANK && __URI_USBANK && !__RCVD_USBANK)
score SARE_FORGED_USBANK 4.4
#--------------------------------------------------------------------------------------------------#
## THESE RULES HAVE VERY LARGE SCORES, PLEASE ADJUST TO YOUR NEEDS, I NEED TO OVERRIDE WHITELIST. ##
#--------------------------------------------------------------------------------------------------#

# Try to identify PAYPAL spoofs by looking for elements which should always appear.
# If we have a From and an URL of one of these guys, we should also have a received line to match!
#
# Caveat for this and every SARE_FORGED_* rule in this file: "Received =~"
# is tested against every Received header in the message, including those
# that were already present before the mail reached your trusted MTAs. These
# rules are therefore heuristics that complement SPF/DKIM/DMARC results, not
# a substitute for sender authentication.
# __RCVD_PAYPAL also accepts postdirect.com - presumably a third-party
# sender PayPal used when this was written; confirm it is still current.
# __FROM_PAYPAL deliberately matches look-alikes (paypa1, paypai, .con) so the
# forged-mail rule also fires on typo-squatted sender domains.
# __URI_PAYPAL requires a non-"@" character before "paypa", presumably so that
# mailto:-style addresses are not counted as a PayPal URI - confirm.
header __RCVD_PAYPAL Received =~ /\.(?:paypal|postdirect)\.com/i
header __FROM_PAYPAL From =~ /[\@\.]paypa[l1i]\.co[mn]/i
uri __URI_PAYPAL /[^\@]paypa[lI1]\.com/i

meta SARE_FORGED_PAYPAL (__FROM_PAYPAL && __URI_PAYPAL && !__RCVD_PAYPAL)
describe SARE_FORGED_PAYPAL Message appears to be forged, (paypal.com)
score SARE_FORGED_PAYPAL 4.0

# If the message is whitelisted, add 100 points to over-ride whitelist.
# USER_IN_WHITELIST is the stock SpamAssassin rule for whitelist_from hits;
# its large negative score is what the +100 here is meant to cancel.
meta SARE_FPP_BLOCKER (SARE_FORGED_PAYPAL && USER_IN_WHITELIST)
score SARE_FPP_BLOCKER 100
# Try to identify EBAY spoofs by looking for elements which should always appear.
# If we have a From and an URL of one of these guys, we should also have a received line to match!
# __RCVD_EBAY1 needs a character that is neither whitespace nor "@" right
# before "ebay.", so "mail.ebay.com" counts but a bare "ebay.com" at the start
# of a token does not. __RCVD_EBAY2/3 accept easynet.de, emarsys.net and
# liveworld.com hosts - presumably third-party senders eBay used; confirm.
# __FROM_EBAY ends in "\.c", so any TLD starting with "c" (.com, .ca, .cn,
# .co.uk, ...) is accepted. __URI_EBAY also accepts ebaystatic.com.
header __RCVD_EBAY1 Received =~ /(?:email)?[^\s@]ebay\.(?:com(?:\.au|\.cn|\.hk|\.my|\.sg)?|co\.uk|at|be|ca|fr|de|in|ie|it|nl|ph|pl|es|se|ch)/i
header __RCVD_EBAY2 Received =~ /ebay\.(?:easynet\.de|emarsys\.net)/
header __RCVD_EBAY3 Received =~ /sjc\.liveworld\.com/
meta __RCVD_EBAY (__RCVD_EBAY1 || __RCVD_EBAY2 || __RCVD_EBAY3)
header __FROM_EBAY From =~ /\@(?:e?mail.?)?ebay\.c/i
uri __URI_EBAY /\.ebay(?:static)?\.com/i

meta SARE_FORGED_EBAY (__FROM_EBAY && __URI_EBAY && !__RCVD_EBAY)
describe SARE_FORGED_EBAY Message appears to be forged, (ebay.com)
score SARE_FORGED_EBAY 4.0

# Whitelist override, see SARE_FPP_BLOCKER above.
meta SARE_FEB_BLOCKER (SARE_FORGED_EBAY && USER_IN_WHITELIST)
score SARE_FEB_BLOCKER 100
# Try to identify SUNTRUST spoofs by looking for elements which should always appear.
# If we have a From and an URL of one of these guys, we should also have a received line to match!
# __URI_SUNTRUST allows up to 25 extra [a-z0-9-] characters between "suntrust"
# and ".com", so look-alike domains (a constructed "suntrust-secure.com") are
# treated as SunTrust URIs on purpose.
header __RCVD_SUNTRUST Received =~ /\.suntrust\.com/i
header __FROM_SUNTRUST From =~ /[\@\.]suntrust\.com/i
uri __URI_SUNTRUST /suntrust[a-z0-9-]{0,25}\.com/i
meta SARE_FORGED_SUNTRUST (__FROM_SUNTRUST && __URI_SUNTRUST && !__RCVD_SUNTRUST)
describe SARE_FORGED_SUNTRUST Message appears to be forged, (suntrust.com)
score SARE_FORGED_SUNTRUST 4.0

# Whitelist override, see SARE_FPP_BLOCKER above.
meta SARE_SUN_BLOCKER (SARE_FORGED_SUNTRUST && USER_IN_WHITELIST)
score SARE_SUN_BLOCKER 100
# Wachovia: From + URI with no matching Received header.
# __RCVD_WACHOVIA requires the character after "wachovia.com" to be something
# other than ")" - presumably to ignore a HELO name quoted in parentheses by
# the receiving MTA; confirm against your Received header format.
header __RCVD_WACHOVIA Received =~ /wachovia\.com[^\)]/i
header __FROM_WACHOVIA From =~ /\@wachovia\.com/i
uri __URI_WACHOVIA /\bwachovia\.com/i
meta SARE_FORGED_WACHOVIA (__FROM_WACHOVIA && __URI_WACHOVIA && !__RCVD_WACHOVIA)
score SARE_FORGED_WACHOVIA 3.0
#counts SARE_FORGED_WACHOVIA 0s/0h of 82118 corpus (57948s/24170h ML) 04/03/06
#counts SARE_FORGED_WACHOVIA 0s/0h of 12246 corpus (6574s/5672h CT) 04/03/06
#counts SARE_FORGED_WACHOVIA 0s/0h of 10377 corpus (7302s/3075h ) 04/03/06
#counts SARE_FORGED_WACHOVIA 0s/0h of 22951 corpus (17237s/5714h MY) 04/03/06
#counts SARE_FORGED_WACHOVIA 2s/0h of 41810 corpus (34135s/7675h FVGT) 04/03/06
# Try to identify CHASEBANK spoofs by looking for elements which should always appear.
# If we have a From and an URL of one of these guys, we should also have a received line to match!
# __RCVD_CHASE_A needs a non-"@" character before "chase.com", so an address
# such as "for user@chase.com" inside a Received header does not count.
# __RCVD_CHASE_B accepts bigfootinteractive.com (presumably a third-party
# sender; it is also reused by __RCVD_CITIBNK below). __URI_CHASE uses m''
# delimiters and only covers "http://chase", not https.
# Chase and Bank One are treated as one family: both forged rules require
# that neither bank appears in any Received header. __RCVD_BANKONE is
# defined a few lines further down; meta rules may reference it before that.
header __RCVD_CHASE_A Received =~ /[^@]\bchase\.com/i
header __RCVD_CHASE_B Received =~ /\bbigfootinteractive\.com/i
meta __RCVD_CHASE (__RCVD_CHASE_A || __RCVD_CHASE_B)
header __FROM_CHASE From =~ /\bchase\.com/i
uri __URI_CHASE m'(?:\.chase\.com|http://chase)'i
meta SARE_FORGED_CHASE (__FROM_CHASE && __URI_CHASE && (!__RCVD_CHASE && !__RCVD_BANKONE))
describe SARE_FORGED_CHASE Message appears to be forged, (chase.com)
score SARE_FORGED_CHASE 3.4

header __RCVD_BANKONE Received =~ /\bbankone\.com/i
header __FROM_BANKONE From =~ /\bbankone\.com/i
uri __URI_BANKONE /\.bankone\.com/i
meta SARE_FORGED_BANK1 (__FROM_BANKONE && __URI_BANKONE && (!__RCVD_CHASE && !__RCVD_BANKONE))
score SARE_FORGED_BANK1 3.0
# Try to identify CITIBANK spoofs by looking for elements which should always appear.
# If we have a From and an URL of one of these guys, we should also have a received line to match!
# __RCVD_CITIBNK_A also accepts acxiom.com and c2it.com, __RCVD_CITIBNK_B
# bridgetrack.com, and __RCVD_CHASE_B (bigfootinteractive.com) is reused -
# presumably third-party senders Citi used at the time; confirm.
# Note the asymmetry: __FROM_CITIBNK accepts citicards.com / citibankcards.com
# but __URI_CITIBNK does not, so a citicards.com message whose links all point
# at citicards.com never satisfies the URI condition and will not fire here.
header __RCVD_CITIBNK_A Received =~ /(?:citi(?:bank(?:cards)?|cards|corp|bankcards)|acxiom|c2it)\.com/i
header __RCVD_CITIBNK_B Received =~ /bridgetrack\.com/i
meta __RCVD_CITIBNK (__RCVD_CITIBNK_A || __RCVD_CITIBNK_B || __RCVD_CHASE_B)
header __FROM_CITIBNK From =~ /\bciti(?:bank)?(?:cards)?\.com/i
uri __URI_CITIBNK /\bciti(?:bank)?\.com/i
meta SARE_FORGED_CITI (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)
describe SARE_FORGED_CITI Message appears to be forged, (citibank.com)
score SARE_FORGED_CITI 4.0

# Whitelist override, see SARE_FPP_BLOCKER above.
meta SARE_CIT_BLOCKER (SARE_FORGED_CITI && USER_IN_WHITELIST)
score SARE_CIT_BLOCKER 100
# I'm testing a few new variations of these rules, trying to find people just spoofing the from headers.
# From-only variant: no URI condition, so it also fires on legitimate PayPal
# mail that arrived without a paypal.com/postdirect.com Received line
# (e.g. forwarded copies), hence the modest score. Inherits the look-alike
# matching of __FROM_PAYPAL.
meta SARE_FORGED_PAYPAL_C (__FROM_PAYPAL && !__RCVD_PAYPAL)
describe SARE_FORGED_PAYPAL_C Has Paypal from, no Paypal received header.
score SARE_FORGED_PAYPAL_C 1.3
# About.com has plenty of spams which spoof their address. Here's a set of rules just for them ;)
# Unlike the other SARE_FORGED_* rules, the URI condition here is NEGATED:
# the rule fires when the From claims about.com but the message neither
# passed through about.com nor links to it - i.e. the address was borrowed
# without the content having anything to do with about.com.
header __RCVD_ABOUT_COM Received =~ /\.about\.com/i
header __FROM_ABOUT_COM From =~ /\babout\.com/i
uri __URI_ABOUT_COM /\.about\.com/i
meta SARE_FORGED_ABOUT (!__RCVD_ABOUT_COM && __FROM_ABOUT_COM && !__URI_ABOUT_COM)
describe SARE_FORGED_ABOUT Message appears to be forged, (about.com)
score SARE_FORGED_ABOUT 2.879
# another spoof using forms
# An HTML <form> in a message with an eBay From whose action does not point at
# ebay.com. __FHAS_EBAY_FORM only recognises "http://" actions with a single
# 3-7 character label before ".ebay.com", so a genuine eBay form posting over
# https or to a deeper subdomain is classed as "not eBay" and scores here.
# These are rawbody rules: they see the raw HTML, not the rendered text.
rawbody __FHAS_HTML_FORM /<form/i
rawbody __FHAS_EBAY_FORM /<form (?:name="\w{4,20}"\s)?(?:method="?post"?\s)?action="?http:\/\/[^.]{3,7}\.ebay\.com[^>]{4,125}>/i
meta __HASFORM_NOT_EBAY (__FHAS_HTML_FORM && !__FHAS_EBAY_FORM)
meta SARE_SPOOF_EBAYFORM (__FROM_EBAY && __HASFORM_NOT_EBAY)
score SARE_SPOOF_EBAYFORM 1.495
# Template used by the bank rules below: From: carries "@domain", a URI
# contains "domain", but no Received header mentions "<something>.domain".
# The Received patterns require a leading "\." (a host under the domain);
# a bare apex domain in a Received line does not satisfy them. The same
# caveat as for SARE_FORGED_PAYPAL applies: every Received header is
# checked, not only the trusted ones, so treat these as heuristics.
header __RCVD_2CHECKOUT Received =~ /\.2checkout\.com/i
header __FROM_2CHECKOUT From =~ /\@2checkout\.com/i
uri __URI_2CHECKOUT /\b2checkout\.com/i
meta SARE_FORGED_2CHK (__FROM_2CHECKOUT && __URI_2CHECKOUT && !__RCVD_2CHECKOUT)
score SARE_FORGED_2CHK 3.0

header __RCVD_2CO Received =~ /\.2co\.com/i
header __FROM_2CO From =~ /\@2co\.com/i
uri __URI_2CO /\b2co\.com/i
meta SARE_FORGED_2CO (__FROM_2CO && __URI_2CO && !__RCVD_2CO)
score SARE_FORGED_2CO 3.0

header __RCVD_53 Received =~ /\.53\.com/i
header __FROM_53 From =~ /\@53\.com/i
uri __URI_53 /\b53\.com/i
meta SARE_FORGED_53 (__FROM_53 && __URI_53 && !__RCVD_53)
score SARE_FORGED_53 3.0

header __RCVD_AMAZON Received =~ /\.amazon\.com/i
header __FROM_AMAZON From =~ /\@amazon\.com/i
uri __URI_AMAZON /\bamazon\.com/i
meta SARE_FORGED_AMAZON (__FROM_AMAZON && __URI_AMAZON && !__RCVD_AMAZON)
score SARE_FORGED_AMAZON 3.0

header __RCVD_AMERITR Received =~ /\.ameritrade\.com/i
header __FROM_AMERITR From =~ /\@ameritrade\.com/i
uri __URI_AMERITR /\bameritrade\.com/i
meta SARE_FORGED_AMERIT (__FROM_AMERITR && __URI_AMERITR && !__RCVD_AMERITR)
score SARE_FORGED_AMERIT 3.0

header __RCVD_AMEX Received =~ /\.americanexpress\.com/i
header __FROM_AMEX From =~ /\@americanexpress\.com/i
uri __URI_AMEX /\bamericanexpress\.com/i
meta SARE_FORGED_AMEX (__FROM_AMEX && __URI_AMEX && !__RCVD_AMEX)
score SARE_FORGED_AMEX 3.0

header __RCVD_BANKNORTH Received =~ /\.banknorth\.com/i
header __FROM_BANKNORTH From =~ /\@banknorth\.com/i
uri __URI_BANKNORTH /\bbanknorth\.com/i
meta SARE_FORGED_BANK_N (__FROM_BANKNORTH && __URI_BANKNORTH && !__RCVD_BANKNORTH)
score SARE_FORGED_BANK_N 3.0

# Bank of America: Received also accepts customercenter.net (presumably a
# third-party sender; confirm). __FROM_BANKOFA accepts "@" or "." before the
# domain, so subdomain senders count too.
header __RCVD_BANKOFA1 Received =~ /\.bankofamerica\.com/i
header __RCVD_BANKOFA2 Received =~ /\.customercenter\.net/i
meta __RCVD_BANKOFA (__RCVD_BANKOFA1 || __RCVD_BANKOFA2)
header __FROM_BANKOFA From =~ /[\@\.]bankofamerica\.com/i
uri __URI_BANKOFA /\bbankofamerica\.com/i
meta SARE_FORGED_BANKOFA (__FROM_BANKOFA && __URI_BANKOFA && !__RCVD_BANKOFA)
score SARE_FORGED_BANKOFA 3.0

header __RCVD_BANKOFO Received =~ /\.bankofoklahoma\.com/i
header __FROM_BANKOFO From =~ /\@bankofoklahoma\.com/i
uri __URI_BANKOFO /\bbankofoklahoma\.com/i
meta SARE_FORGED_BANKOFO (__FROM_BANKOFO && __URI_BANKOFO && !__RCVD_BANKOFO)
score SARE_FORGED_BANKOFO 3.0

header __RCVD_BANKOFW Received =~ /\.bankofthewest\.com/i
header __FROM_BANKOFW From =~ /\@bankofthewest\.com/i
uri __URI_BANKOFW /\bbankofthewest\.com/i
meta SARE_FORGED_BANKOFW (__FROM_BANKOFW && __URI_BANKOFW && !__RCVD_BANKOFW)
score SARE_FORGED_BANKOFW 3.0

header __RCVD_CAPITAL1 Received =~ /\.capitalone\.com/i
header __FROM_CAPITAL1 From =~ /\@capitalone\.com/i
uri __URI_CAPITAL1 /\bcapitalone\.com/i
meta SARE_FORGED_CAPITAL (__FROM_CAPITAL1 && __URI_CAPITAL1 && !__RCVD_CAPITAL1)
score SARE_FORGED_CAPITAL 3.0

header __RCVD_CFSBANK Received =~ /\.citizensfirstbank\.com/i
header __FROM_CFSBANK From =~ /\@citizensfirstbank\.com/i
uri __URI_CFSBANK /\bcitizensfirstbank\.com/i
meta SARE_FORGED_CFSBANK (__FROM_CFSBANK && __URI_CFSBANK && !__RCVD_CFSBANK)
score SARE_FORGED_CFSBANK 3.0

# charterone.com and charteronebank.com are both accepted in all three places.
header __RCVD_CHARTER1 Received =~ /\.charterone(?:bank)?\.com/i
header __FROM_CHARTER1 From =~ /\@charterone(?:bank)?\.com/i
uri __URI_CHARTER1 /\bcharterone(?:bank)?\.com/i
meta SARE_FORGED_CHARTER (__FROM_CHARTER1 && __URI_CHARTER1 && !__RCVD_CHARTER1)
score SARE_FORGED_CHARTER 3.0

header __RCVD_CITIZENS Received =~ /\.citizensbank\.com/i
header __FROM_CITIZENS From =~ /\@citizensbank\.com/i
uri __URI_CITIZENS /\bcitizensbank\.com/i
meta SARE_FORGED_CITIZEN (__FROM_CITIZENS && __URI_CITIZENS && !__RCVD_CITIZENS)
score SARE_FORGED_CITIZEN 3.0

header __RCVD_COMFED Received =~ /\.comfedbank\.com/i
header __FROM_COMFED From =~ /\@comfedbank\.com/i
uri __URI_COMFED /\bcomfedbank\.com/i
meta SARE_FORGED_COMFED (__FROM_COMFED && __URI_COMFED && !__RCVD_COMFED)
score SARE_FORGED_COMFED 3.0

header __RCVD_COMMERCE Received =~ /\.commercebank\.com/i
header __FROM_COMMERCE From =~ /\@commercebank\.com/i
uri __URI_COMMERCE /\bcommercebank\.com/i
meta SARE_FORGED_COMMERCE (__FROM_COMMERCE && __URI_COMMERCE && !__RCVD_COMMERCE)
score SARE_FORGED_COMMERCE 3.0

header __RCVD_DISCOVER Received =~ /\.discovercard\.com/i
header __FROM_DISCOVER From =~ /\@discovercard\.com/i
uri __URI_DISCOVER /\bdiscovercard\.com/i
meta SARE_FORGED_DISCOVER (__FROM_DISCOVER && __URI_DISCOVER && !__RCVD_DISCOVER)
score SARE_FORGED_DISCOVER 3.0
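# e-gold: same From + URI + no-matching-Received shape as the other banks.
# The Received pattern previously read "e-goldk\.com" (a typo that no real
# e-gold relay would ever satisfy), so the negated condition was always true
# and every message with an e-gold From and URI - legitimate or not - scored
# the full 3.0. It now matches the same domain as the From and URI rules.
header __RCVD_EGOLD Received =~ /\.e-gold\.com/i
header __FROM_EGOLD From =~ /\@e-gold\.com/i
uri __URI_EGOLD /\be-gold\.com/i
meta SARE_FORGED_EGOLD (__FROM_EGOLD && __URI_EGOLD && !__RCVD_EGOLD)
score SARE_FORGED_EGOLD 3.0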
# Same From + URI + no-matching-Received template as above; see the note at
# SARE_FORGED_2CHK for how the Received patterns behave. FDIC and NCUA are
# .gov domains; the remaining entries are .com.
header __RCVD_FDIC Received =~ /\.fdic\.gov/i
header __FROM_FDIC From =~ /\@fdic\.gov/i
uri __URI_FDIC /\bfdic\.gov/i
meta SARE_FORGED_FDIC (__FROM_FDIC && __URI_FDIC && !__RCVD_FDIC)
score SARE_FORGED_FDIC 3.0

# fleet.com and fleetbank.com are both accepted in all three places.
header __RCVD_FLEET Received =~ /\.fleet(?:bank)?\.com/i
header __FROM_FLEET From =~ /\@fleet(?:bank)?\.com/i
uri __URI_FLEET /\bfleet(?:bank)?\.com/i
meta SARE_FORGED_FLEET (__FROM_FLEET && __URI_FLEET && !__RCVD_FLEET)
score SARE_FORGED_FLEET 3.0

# Huntington: Received also accepts exacttarget.com (presumably a third-party
# sender used by the bank; confirm it is still current).
header __RCVD_HUNTINGTON Received =~ /\.(?:exacttarget|huntington)\.com/i
header __FROM_HUNTINGTON From =~ /\@huntington\.com/i
uri __URI_HUNTINGTON /\bhuntington\.com/i
meta SARE_FORGED_HUNTIN (__FROM_HUNTINGTON && __URI_HUNTINGTON && !__RCVD_HUNTINGTON)
score SARE_FORGED_HUNTIN 3.0

header __RCVD_KEYBANK Received =~ /\.keybank\.com/i
header __FROM_KEYBANK From =~ /\@keybank\.com/i
uri __URI_KEYBANK /\bkeybank\.com/i
meta SARE_FORGED_KEY (__FROM_KEYBANK && __URI_KEYBANK && !__RCVD_KEYBANK)
score SARE_FORGED_KEY 3.0

header __RCVD_LASALLE Received =~ /\.lasallebank\.com/i
header __FROM_LASALLE From =~ /\@lasallebank\.com/i
uri __URI_LASALLE /\blasallebank\.com/i
meta SARE_FORGED_LASAL (__FROM_LASALLE && __URI_LASALLE && !__RCVD_LASALLE)
score SARE_FORGED_LASAL 3.0

header __RCVD_MIBANK Received =~ /\.mibank\.com/i
header __FROM_MIBANK From =~ /\@mibank\.com/i
uri __URI_MIBANK /\bmibank\.com/i
meta SARE_FORGED_MIBANK (__FROM_MIBANK && __URI_MIBANK && !__RCVD_MIBANK)
score SARE_FORGED_MIBANK 3.0

header __RCVD_MBNA Received =~ /\.mbna\.com/i
header __FROM_MBNA From =~ /\@mbna\.com/i
uri __URI_MBNA /\bmbna\.com/i
meta SARE_FORGED_MBNA (__FROM_MBNA && __URI_MBNA && !__RCVD_MBNA)
score SARE_FORGED_MBNA 3.0

header __RCVD_NCUA Received =~ /\.ncua\.gov/i
header __FROM_NCUA From =~ /\@ncua\.gov/i
uri __URI_NCUA /\bncua\.gov/i
meta SARE_FORGED_NCUA (__FROM_NCUA && __URI_NCUA && !__RCVD_NCUA)
score SARE_FORGED_NCUA 3.0

header __RCVD_REGIONS Received =~ /\.regionsbank\.com/i
header __FROM_REGIONS From =~ /\@regionsbank\.com/i
uri __URI_REGIONS /\bregionsbank\.com/i
meta SARE_FORGED_REGION (__FROM_REGIONS && __URI_REGIONS && !__RCVD_REGIONS)
score SARE_FORGED_REGION 3.0

# Sky Bank: sky-bank.com and skyfi.com are both accepted in all three places.
header __RCVD_SKYBANK Received =~ /\.sky(?:-bank|fi)\.com/i
header __FROM_SKYBANK From =~ /\@sky(?:-bank|fi)\.com/i
uri __URI_SKYBANK /\bsky(?:-bank|fi)\.com/i
meta SARE_FORGED_SKY (__FROM_SKYBANK && __URI_SKYBANK && !__RCVD_SKYBANK)
score SARE_FORGED_SKY 3.0

header __RCVD_STRUST Received =~ /\.southtrust\.com/i
header __FROM_STRUST From =~ /\@southtrust\.com/i
uri __URI_STRUST /\bsouthtrust\.com/i
meta SARE_FORGED_STRUST (__FROM_STRUST && __URI_STRUST && !__RCVD_STRUST)
score SARE_FORGED_STRUST 3.0

header __RCVD_TCFBANK Received =~ /\.tcfbank\.com/i
header __FROM_TCFBANK From =~ /\@tcfbank\.com/i
uri __URI_TCFBANK /\btcfbank\.com/i
meta SARE_FORGED_TCF (__FROM_TCFBANK && __URI_TCFBANK && !__RCVD_TCFBANK)
score SARE_FORGED_TCF 3.0
# Visa. Unlike every other __URI_* rule in this file, __URI_VISA is the bare
# string "visa" with no word boundary and no TLD: any URI containing "visa"
# anywhere (host, path or query, including unrelated names such as a
# constructed "advisa.example") satisfies it. Here that is tempered by the
# @visa.com From requirement, but __URI_VISA also feeds __POPULAR_BANKS
# below, where no such constraint exists.
header __RCVD_VISA Received =~ /\.visa\.com/i
header __FROM_VISA From =~ /\@visa\.com/i
uri __URI_VISA /visa/i
meta SARE_FORGED_VISA (__FROM_VISA && __URI_VISA && !__RCVD_VISA)
score SARE_FORGED_VISA 3.0
# Wells Fargo and Western Union, same template as above (see SARE_FORGED_2CHK).
# Wells Fargo carries a higher score than the 3.0 used for the other banks.
header __RCVD_WELLS Received =~ /\.wellsfargo\.com/i
header __FROM_WELLS From =~ /\@wellsfargo\.com/i
uri __URI_WELLS /\bwellsfargo\.com/i
meta SARE_FORGED_WELLS (__FROM_WELLS && __URI_WELLS && !__RCVD_WELLS)
score SARE_FORGED_WELLS 4.209

header __RCVD_WESTERN Received =~ /\.westernunion\.com/i
header __FROM_WESTERN From =~ /\@westernunion\.com/i
uri __URI_WESTERN /\bwesternunion\.com/i
meta SARE_FORGED_WESTERN (__FROM_WESTERN && __URI_WESTERN && !__RCVD_WESTERN)
score SARE_FORGED_WESTERN 3.0
# Catch Common banks with IP address for URL.
# Note that meta rules combine whole-message results: __POPULAR_BANKS and
# __URI_IS_IP may be satisfied by two different URIs in the same message
# (a bank link plus an unrelated dotted-quad link), not necessarily one URI
# that is both. Because __URI_VISA matches the bare string "visa" anywhere,
# it is the loosest member of this list. The small score reflects both.
meta __POPULAR_BANKS (__URI_PAYPAL || __URI_EBAY || __URI_CITIBNK || __URI_SUNTRUST || __URI_CHASE || __URI_BANKONE || __URI_ABOUT_COM || __URI_2CHECKOUT || __URI_2CO || __URI_53 || __URI_AMAZON || __URI_AMERITR || __URI_AMEX || __URI_BANKNORTH || __URI_BANKOFA || __URI_BANKOFO || __URI_BANKOFW || __URI_CAPITAL1 || __URI_CFSBANK || __URI_CHARTER1 || __URI_CITIZENS || __URI_COMFED || __URI_COMMERCE || __URI_DISCOVER || __URI_EGOLD || __URI_FDIC || __URI_FLEET || __URI_HUNTINGTON || __URI_KEYBANK || __URI_LASALLE || __URI_MIBANK || __URI_MBNA || __URI_NCUA || __URI_REGIONS || __URI_SKYBANK || __URI_STRUST || __URI_TCFBANK || __URI_VISA || __URI_WELLS || __URI_WESTERN)
meta SARE_BANK_URI_IP (__POPULAR_BANKS && __URI_IS_IP)
score SARE_BANK_URI_IP 0.653
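# Added 22-4-2004 by Jesse Houwing
# Hosts that embed "com." in the middle of the name to look like a well-known
# site, e.g. "www.bank.com.attacker-host" - the real domain is whatever comes
# after the embedded "com.".
#
# The two patterns were previously attached to the wrong rule names: the
# pattern requiring a second "com" (the a.com.b.com shape) sat under
# SARE_SPOOF_COM2OTH and the pattern that only requires two more labels
# (a.com.b.c) under SARE_SPOOF_COM2COM, contradicting both the names and the
# describe lines. They are swapped here so name, describe and pattern agree.
# Both rules score the same, so totals are unaffected; only the reported
# rule name changes.
#
# SARE_SPOOF_COM2COM: ".com." followed by one or more labels and then "com"
# again, i.e. a.com.b.com.
uri SARE_SPOOF_COM2COM m{^https?://(?:\w+\.)+?com\.(?:\w+\.)+?com}i
describe SARE_SPOOF_COM2COM a.com.b.com
score SARE_SPOOF_COM2COM 2.536

# SARE_SPOOF_COM2OTH: ".com." followed by at least two more labels, whatever
# the final TLD, i.e. a.com.b.c. A URI of the a.com.b.com.x.y shape satisfies
# both rules.
uri SARE_SPOOF_COM2OTH m{^https?://(?:\w+\.)+?com\.(?:\w+\.){2,}}i
describe SARE_SPOOF_COM2OTH a.com.b.c
score SARE_SPOOF_COM2OTH 2.536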
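# URL whose scheme, separators and labels may be percent-encoded, with
# optional userinfo ("user@") before the host, and "org", "com" or "www"
# appearing as an inner label followed by at least two more labels - the
# same a.com.b.c idea as above, but resistant to %-encoding tricks. Hosts
# under edgesuite.net are exempted after the inner label.
#
# The first label group previously read "(?:a-z0-9_%-]+?" - the opening "["
# was missing, so Perl treated it as the literal text "a-z0-9_%-]" and the
# rule could not match any real URL. The character class is restored to
# match the second one used later in the same pattern.
uri SARE_SPOOF_OURI m{^(?:h|%68|%48)(?:t|%74|%54)(?:t|%74|%54)(?:p|%70|%50)(?:s|%73|%53)?(?::|%3a)(?:/|%2f){0,2}(?:[^@]+@)*?(?:[a-z0-9_%-]+?(?:\.|%2e)){2,}(?:org|com|www)(?!\.edgesuite\.net)(?:(?:\.|%2e)[a-z0-9_%-]+?){2,}(?:(?::|%3a)\d+)?}i
describe SARE_SPOOF_OURI URL has items in odd places
score SARE_SPOOF_OURI 2.536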
# Added 07/28/2005 submitted by e-mail
# Phish-wording rules: typical "confirm/update your account" subject and body
# phrases, the PayPal webscr CGI URL, and a URI that is NOT under paypal.com
# or ebay.com.
# SARE_SPOOF_BADURL: From: is at paypal.com/ebay.com, phish wording or the
# webscr URL is present, and a non-PayPal/eBay URI is also present.
# SARE_SPOOF_BADADDR: From: is NOT at paypal.com/ebay.com, but phish wording
# and the webscr URL are both present.
#
# NOTE(review): __LOCAL_PP_NONPPURL only applies its negative lookahead to
# the text after the FIRST host label. "https://www.paypal.com/..." is
# correctly rejected, but "https://paypal.com/..." (no "www.") and deeper
# hosts such as "https://x.www.paypal.com/..." satisfy it, because the
# lookahead then sees "com/..." or "www.paypal.com" rather than
# "paypal.com". A legitimate message with such a link will therefore count
# as having a non-PayPal URI. Confirm against your corpus before tightening.
header __LOCAL_PP_ISFROMPP From:addr =~ /\@(?:paypal|ebay)\.com$/i
header __LOCAL_PP_S_UPD Subject: =~ m'(?:confirm|update) (?:your|the) (?:billing)?(?:records?|information|account)'i
header __LOCAL_PP_S_AUT Subject: =~ m'unauthori[sz]ed access'i
body __LOCAL_PP_B_UPD m'(?:confirm|updated?|verify|restore) (?:your|the) (?:account|current|billing|personal)? ?(?:records?|information|account|identity|access|data)'i
body __LOCAL_PP_B_ATT m'one or more attempts'i
body __LOCAL_PP_B_ACT m'unusual activity'i
uri __LOCAL_PP_PPCGIURL m'https?://www\.paypal\.com/([A-Za-z0-9-_]+/)?cgi-bin/webscr\?'i
uri __LOCAL_PP_NONPPURL m'https?://(?:[A-Za-z0-9-_]+)\.(?!(paypal|ebay)\.com)(?:[A-Za-z0-9-_\.]+)'i

meta SARE_SPOOF_BADURL (__LOCAL_PP_ISFROMPP && ((__LOCAL_PP_S_AUT || __LOCAL_PP_B_ATT || __LOCAL_PP_B_ACT || __LOCAL_PP_B_UPD || __LOCAL_PP_S_UPD) || __LOCAL_PP_PPCGIURL) && __LOCAL_PP_NONPPURL)
meta SARE_SPOOF_BADADDR (!__LOCAL_PP_ISFROMPP && ((__LOCAL_PP_S_AUT || __LOCAL_PP_B_ATT || __LOCAL_PP_B_ACT || __LOCAL_PP_B_UPD || __LOCAL_PP_S_UPD) && __LOCAL_PP_PPCGIURL))

score SARE_SPOOF_BADURL 1.059
score SARE_SPOOF_BADADDR 1.059
455 # Describe length test for 3.0 requirements:
456 # 12345678901234567890123456789012345678901234567890