1 # -*- mode: spamassassin -*-
# X_MESSAGE_INFO: fires on the mere presence of an X-Message-Info header
# (an `exists:` test; the header's value is never inspected) and adds 4.0 points.
# NOTE(review): 4.0 is most of SpamAssassin's default 5.0 threshold, and the
# notes below record only an informal false-positive check; re-test against
# current ham before relying on this score.
3 # This seems to catch a lot of spam, but not sure about false positive (from airmax.cf)
4 # pasc couldn't find any false positives on the lists he's on
5 header X_MESSAGE_INFO exists:X-Message-Info
6 score X_MESSAGE_INFO 4.0
# FAKE_OUTBLAZE_RCVD: adds 3.0 points when Received header text contains
# ".mr.outblaze.com". Rationale recorded below: the administrator reported the
# host no longer exists, so a Received line naming it is treated as forged.
# NOTE(review): this is a plain substring test; the premise dates from 2004 and
# should be re-confirmed before the rule is kept at this score.
8 # Added by pasc 2004/07/08 (sent by abuse@outblaze via karsten)
9 # host no longer exists according to administrator
10 header FAKE_OUTBLAZE_RCVD Received =~ /\.mr\.outblaze\.com/
11 describe FAKE_OUTBLAZE_RCVD Received header contains faked 'mr.outblaze.com'
12 score FAKE_OUTBLAZE_RCVD 3.0
# TRACKING: Subject contains one of tracking/package/shipping/shipment/delivery
# followed by " number :" (case-insensitive). The space before the colon is part
# of the pattern, so the conventional "tracking number:" does not match.
# No score line is visible here; the listing's own numbering skips lines after
# this rule, so the effective score cannot be read from this page.
14 # blarson 2005-01-19 (--pasc 2005-01-30)
15 header TRACKING subject =~ /\b(?:tracking|package|shipping|shipment|delivery) number :/i
16 describe TRACKING tracking number
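# GUEBDE: body contains the literal URL prefix "http://www.gueb.de/".
# The match is case-sensitive and scheme-specific: "https://", a bare hostname
# or different letter case will not hit.
# The description is spelled to match the pattern (it read "www.geub.de").
# NOTE(review): confirm that "gueb", as in the pattern, is the intended domain.
19 # Sent in by blars (20050220) -- applied by pasc
20 body GUEBDE /http\:\/\/www\.gueb\.de\//
21 describe GUEBDE www.gueb.de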
# PGPSIGNATURE: `full` rule; hits when the ASCII-armor marker
# "-----BEGIN PGP SIGNATURE-----" appears anywhere in the raw message.
# Only the marker is matched; as the description says, the signature is not
# verified. No score is visible here. If a negative score is attached elsewhere,
# note that any sender can include this marker, so it is not evidence of a
# trustworthy message.
25 full PGPSIGNATURE /-----BEGIN PGP SIGNATURE-----/
26 describe PGPSIGNATURE Has a pgp signature (may not be valid, but who cares?)
# Consonant-run heuristics. All four rules test the rendered body.
# The shared class [bcdfghjklmnpqrstvwxz] is the alphabet minus a, e, i, o, u, y.
30 # TODO: The rules below seem to be very similar; possibly fix them.
32 # These might trip up on non-english lists. We'll see.
33 # They're fucking up on GPG signatures
# MURPHY_WRONG_WORD1: seven or more consecutive consonants, either case.
34 body MURPHY_WRONG_WORD1 /[bcdfghjklmnpqrstvwxz]{7,}/i
35 score MURPHY_WRONG_WORD1 0.1
# MURPHY_WRONG_WORD2: six or more. Any text that hits WORD1 also hits WORD2,
# so a run of seven consonants scores 0.1 + 0.2 from this pair.
37 body MURPHY_WRONG_WORD2 /[bcdfghjklmnpqrstvwxz]{6,}/i
38 score MURPHY_WRONG_WORD2 0.2
40 #Impronounceable. Need to check this one for accuracy (from airmax.cf)
# IMPRONONCABLE_1: same class without /i, so lower-case runs only. The upper
# bound of 20 does not narrow the match, because the pattern is unanchored and a
# longer run still contains a run of six. The pattern looks for runs WITHOUT
# vowels, although the description says "too much vowels".
41 body IMPRONONCABLE_1 /([bcdfghjklmnpqrstvwxz]){6,20}/
42 describe IMPRONONCABLE_1 Some words aren't easy to pronounce (too much vowels)
# IMPRONONCABLE_2: two to nine repetitions of (1-9 lower-case letters followed
# by 1-4 digits), e.g. "ab12cd3".
# NOTE(review): the letter class lists a-z but omits "u"; confirm whether that
# is intended or a typo.
43 body IMPRONONCABLE_2 /(([abcdefghijklmnopqrstvwxyz]){1,9}\d{1,4}){2,9}/
44 describe IMPRONONCABLE_2 Some words aren't easy to pronounce (mixed numbers and lower-case letters)
# FVGT "odd letter combination" rules.
# The seven __FVGT_b_OBFU_* entries are sub-rules (the "__" prefix), each a
# case-insensitive body test for letter pairs that are uncommon in English.
# NOTE(review): such pairs are likely to occur in non-English text, encoded
# blobs and random identifiers as well; check ham hit rates.
46 # From http://www.exit0.us/index.php/FredsRules
47 # Added by pasc 2004/06/20
49 body __FVGT_b_OBFU_J /j(b|c|f|g|w)/i
50 body __FVGT_b_OBFU_OTHER /(vj|vk|xj|xk|yy|zf|zj)/i
51 body __FVGT_b_OBFU_Q0 /(j|k|p|q|t|v|w|z)q/i
52 body __FVGT_b_OBFU_Q1 /q(a|f|h|j|k|m|n|s|y)/i
53 body __FVGT_b_OBFU_V /(f|g|q|w)v/i
54 body __FVGT_b_OBFU_X /(c|g|j|k|q|s|v|z)x/i
55 body __FVGT_b_OBFU_Z /(f|j|k|p|q|x)z/i
# The meta adds the sub-rule results and fires when the sum exceeds 1, i.e. when
# at least two different sub-rules hit (assuming no `tflags multiple` is set for
# them elsewhere). It contributes only 0.02 points.
56 meta FVGT_m_MULTI_ODD ((__FVGT_b_OBFU_J + __FVGT_b_OBFU_OTHER + __FVGT_b_OBFU_Q0 + __FVGT_b_OBFU_Q1 + __FVGT_b_OBFU_V + __FVGT_b_OBFU_X + __FVGT_b_OBFU_Z) > 1)
57 describe FVGT_m_MULTI_ODD FVGT - contains multiple odd letter combinations
58 score FVGT_m_MULTI_ODD 0.02
# Single-campaign rules keyed on one literal string each. No score lines are
# visible for any of them in this listing.
# NEPEYO: From contains "nepeyo@catlover" (substring; the rest of the domain is
# not constrained).
61 header NEPEYO From =~ /nepeyo\@catlover/
62 describe NEPEYO spamvertizers
65 # cjwatson, 2003/07/28
# MP3_PLAYERS: exact, case-sensitive Subject phrase.
66 header MP3_PLAYERS Subject =~ /New mp3 player,usb flash drive/
67 describe MP3_PLAYERS Spam from "HY Tech"
# UOSJUNK: Subject phrase, case-insensitive.
71 header UOSJUNK Subject =~ /UOS online Degree Programme/i
72 describe UOSJUNK Spam from UOS
75 # cjwatson, 2004-02-27
# GAS_MILEAGE: either the sales phrase or the advertised host name in the body.
76 body GAS_MILEAGE /This amazing, revolutionary device|www\.mrev\.biz/
77 describe GAS_MILEAGE Fuel-saving snake oil
# FUELSAVER: "fuel" and "saver" with at most one arbitrary character between.
81 body FUELSAVER /fuel.?saver/i
82 describe FUELSAVER Fuel Saver spam
# CABLEFILTERZ: lower-case literal only.
86 body CABLEFILTERZ /cablefilterz/
87 describe CABLEFILTERZ cablefilterz spam
# PARENNUM: Subject starts with "(" and optional whitespace, followed either by
# digits/slashes and ")" or by the literal token "%RND".
91 header PARENNUM subject =~ /^\(\s*([0-9\/]+\)|\%RND)/
92 describe PARENNUM paren number in subject
# COVADRT: X-RT-Loop-Prevention is exactly "Covad" (anchored at both ends).
# The note below says the rule once had a negative score; its current score is
# not visible in this listing.
96 # bounces our bounces.... (had negitive score)
97 header COVADRT X-RT-Loop-Prevention =~ /^Covad$/
98 describe COVADRT Covad request tracker bounces
# ROBERTOJIMENOCA: From contains the upper-case address shown; the score is
# negative, so the rule is an allowance for this sender rather than a penalty.
# NOTE(review): the From header is chosen by whoever sends the message, so this
# -2 applies to any mail that carries the address. An authenticated allow-list
# entry (e.g. whitelist_auth or whitelist_from_rcvd) would tie the allowance to
# the real sender.
102 header ROBERTOJIMENOCA from =~ /ROBERTOJIMENOCA\@terra\.es/
103 describe ROBERTOJIMENOCA ROBERTOJIMENOCA sends spammy looking messages
104 score ROBERTOJIMENOCA -2
# TURBOPRO: Subject contains the words "turbonet pro", case-insensitive.
107 header TURBOPRO subject =~ /\bturbonet pro\b/i
108 describe TURBOPRO dialup accelerator spam
# RESUBJECT: Subject ends with whitespace + "Re:" (optionally "Re[N]:") and
# nothing but whitespace after it, i.e. a reply marker with no text following.
112 header RESUBJECT subject =~ /\sRe(?:\[\d+\])?:\s*$/i
113 describe RESUBJECT re nothing
116 # blarson 2004-10-22 2007-07-18 up score
# NOSUBJECT: Subject is empty or whitespace only. The score the note above
# refers to is not visible in this listing.
# NOTE(review): presumably this does not cover a message with no Subject header
# at all; verify if that case matters.
117 header NOSUBJECT subject =~ /^\s*$/
118 describe NOSUBJECT No subject
# NEXTPART: `full` rule; the literal "-=_NextPart_000_" anywhere in the raw
# message.
# NOTE(review): this boundary prefix is, as far as I know, also generated by
# mainstream Microsoft mail clients, so ham hits are to be expected; verify.
122 full NEXTPART /\-\=\_NextPart\_000\_/
123 describe NEXTPART spammer mime separator
126 # blarson 2006-10-17 2009-04-30
# CT_IMAGE: `full` rule; "Content-Type: image" anywhere in the raw message, so
# any image MIME part (or that text quoted in a body) hits. Score not visible.
127 full CT_IMAGE /Content\-Type\:\s*image/i
128 describe CT_IMAGE Picture attached
131 # blarson 2006-12-01 (score so low since it will also hit CT_IMAGE)
# CT_IMAGE_HEAD: the message's own Content-Type header contains lower-case
# "image" (no /i here, unlike CT_IMAGE).
# NOTE(review): the note above calls the score low, but the visible score is
# 2.5, and it stacks with whatever CT_IMAGE scores; confirm the intended total.
132 header CT_IMAGE_HEAD content-type =~ /image/
133 describe CT_IMAGE_HEAD entire message is image
134 score CT_IMAGE_HEAD 2.5
# THREADINDEX: 1.5 points when Thread-Index contains the pattern below.
# NOTE(review): /A-Z/ is not a character class; it matches only the literal
# three characters "A-Z". If "any upper-case letter" was meant, the pattern
# would be /[A-Z]/, which would match most Thread-Index values. Decide which
# behaviour is wanted before changing it.
138 header THREADINDEX Thread-Index =~ /A-Z/
139 describe THREADINDEX thread-index header on spam
140 score THREADINDEX 1.5
# FORDASH: Subject contains "For - " followed by at least one digit
# (case-sensitive, word boundary before "For").
143 header FORDASH subject =~ /\bFor \- \d+/
144 describe FORDASH for dash
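# KOREAN: Subject contains the MIME encoded-word prefix "=?koi8-r".
# KOI8-R is a Cyrillic (Russian) encoding, not a Korean one, so the description
# now names the charset. The rule name is unchanged because scores and reports
# refer to it.
# NOTE(review): the match is case-sensitive, so "=?KOI8-R" will not hit. Header
# rules normally see the decoded header text, so the `Subject:raw` form may be
# needed for the encoded-word prefix to be visible at all; verify.
148 header KOREAN subject =~ /\=\?koi8\-r/
149 describe KOREAN KOI8-R (Cyrillic) character set spam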
# Literal-phrase rules. No score lines are visible for any of them here.
# FWDNAME: Subject ends with lower-case "fwd: " plus a single word.
153 header FWDNAME subject =~ /fwd\: \w+\s*$/
154 describe FWDNAME fwd: name spam
# NUMONLY: text consisting only of digits and surrounding whitespace.
# NOTE(review): body rules are presumably applied per paragraph, so one
# digits-only paragraph in a longer message may be enough to hit; verify.
158 body NUMONLY /^\s*\d+\s*$/
159 describe NUMONLY number only body
# THUNDERB: User-Agent begins with "Thunderbird 1.5.0.10". The header is
# sender-supplied and this also matches genuine users of that client version.
163 header THUNDERB User-Agent =~ /^Thunderbird 1\.5\.0\.10/
164 describe THUNDERB spam missing content
# FAILNOTE: Subject contains "Failure notice:" (case-sensitive).
169 header FAILNOTE subject =~ /Failure notice\:/
170 describe FAILNOTE bounced spam
# CTINLINE: rawbody line starting "Content-Disposition: inline;". The trailing
# \b requires a word character directly after the semicolon (no space).
# NOTE(review): verify that MIME part headers are visible to rawbody at all; a
# `full` or `mimeheader` rule may have been intended.
174 rawbody CTINLINE /^Content\-Disposition\: inline\;\b/
175 describe CTINLINE Inline attachment
# BOXTRAPPER: the misspelling "verifcation" is part of the pattern; presumably
# it mirrors the text being matched, so do not "correct" it without checking.
179 body BOXTRAPPER /^This message is a reply to a boxtrapper verifcation message\./
180 describe BOXTRAPPER boxtrapper spam
184 body PROMOCODE /^promo code\:/i
185 describe PROMOCODE promo code
189 body XLMAN /\bwww\.xl\-man\.net\b/
190 describe XLMAN xl-man spam
# COSTUMER: keyed on the misspelling "costumer"; case-sensitive.
194 body COSTUMER /^Dear costumer\b/
195 describe COSTUMER paypal scam
199 body PRIVATE /^Your private and confidential message is attached\./
200 describe PRIVATE private message
# AUTOGENERATE: Auto-Submitted contains "auto". Legitimate auto-replies and
# system notifications also carry this header.
204 header AUTOGENERATE auto-submitted =~ /auto/i
205 describe AUTOGENERATE auto generated crap
209 body PRIVPDF /^All our private messages are in pdf format/
210 describe PRIVPDF private pdf
# Autoresponder rules.
# AUTORESPOND: X-Autorespond is present with at least one character (/./).
214 header AUTORESPOND X-Autorespond =~ /./
215 describe AUTORESPOND Automatic response
# AUTOMAILER: X-Mailer contains lower-case "autors".
218 header AUTOMAILER X-Mailer =~ /autors/
219 describe AUTOMAILER Auto response mailer
# OUTOFOFFICE_SUB: Subject contains "Out_of_Office" with literal underscores
# (case-sensitive). At 6 points this rule alone exceeds SpamAssassin's default
# threshold of 5.0.
223 header OUTOFOFFICE_SUB subject =~ /Out_of_Office/
224 describe OUTOFOFFICE_SUB broken autoresponder
225 score OUTOFOFFICE_SUB 6
# OUTOFOFFICE: the phrase anywhere in the body, case-insensitive. Score not
# visible here.
227 body OUTOFOFFICE /out of the office/i
228 describe OUTOFOFFICE Out of the office
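# OUTOFOFFICE_BACK: 3 points when the body contains "will be back"
# (case-insensitive).
# The second line is a `describe`. It was written as
# `body OUTOFOFFICE_BACK Out of the office`, which redefines the rule with text
# that is not a delimited regex and leaves the rule without a description.
# NOTE(review): "will be back" is ordinary phrasing in legitimate mail; confirm
# that 3 points is acceptable for the lists this file protects.
231 body OUTOFOFFICE_BACK /will be back/i
232 describe OUTOFOFFICE_BACK Out of the office
233 score OUTOFOFFICE_BACK 3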
# No score lines are visible for the rules in this group.
235 # blarson 2007-08-01 \w was too broad 2007-08-12 add dash, at least 3 digits
# SUBENDNUM: Subject ends with a letter or "!", an optional "-", and three or
# more digits.
236 header SUBENDNUM subject =~ /[a-zA-Z!]-?\d{3,}$/
237 describe SUBENDNUM Subject ends in word989
# PRIVMES, MIXEDBDN, MIXED2 (and CTPDF, XMSATT further down) share the
# description "more pdf spam", so reports cannot tell them apart by description.
241 body PRIVMES /^You have been sent a private message/
242 describe PRIVMES more pdf spam
# MIXEDBDN: multipart/mixed whose quoted boundary is four or more dashes
# followed by four or more digits.
246 header MIXEDBDN Content-Type =~ /multipart\/mixed\;.*boundary\=\"\-{4,}\d{4,}\"/
247 describe MIXEDBDN more pdf spam
# DOTZIP: Subject contains a digit followed by ".zip".
251 header DOTZIP subject =~ /\d\.zip\b/
252 describe DOTZIP zip spam
# MIXED2: multipart/mixed with "charset=iso-8859-1;" directly after the first
# semicolon (no space) and a boundary of the form "----=_<8+ digits>_<4+ digits>".
256 header MIXED2 Content-Type =~ /multipart\/mixed\;charset\=iso\-8859\-1\;.*boundary\=\"\-\-\-\-\=\_\d{8,}\_\d{4,}\"/
257 describe MIXED2 more pdf spam
# KEYENCE: From contains the upper-case display text shown.
261 header KEYENCE From =~ /KEYENCE CORPORATION/
262 describe KEYENCE opt out spam
# No score lines are visible for the rules in this group.
# NOSUB: Subject ends with the literal text "(No Subject)", case-insensitive.
266 header NOSUB subject =~ /\(No Subject\)$/i
267 describe NOSUB explicity no subject
# CTPDF: the message's own Content-Type is application/pdf followed by ";".
271 header CTPDF Content-Type =~ /\bapplication\/pdf\;/i
272 describe CTPDF more pdf spam
# JAPSUB: Subject contains the encoded-word prefix "=?iso-2022-jp".
# NOTE(review): header rules normally see the decoded header text; the
# `Subject:raw` form may be needed for this prefix to be visible. Verify.
276 header JAPSUB subject =~ /\=\?iso\-2022\-jp/i
277 describe JAPSUB subject in japanese
# XMSATT: X-MS-Has-Attach contains "yes". The header only says that an
# attachment exists; nothing here checks that it is a PDF.
281 header XMSATT X-MS-Has-Attach =~ /yes/i
282 describe XMSATT more pdf spam
# XJ2ID: X-J2Id contains at least one digit.
291 header XJ2ID X-J2Id =~ /\d+/
292 describe XJ2ID fax bounce
# LONGWORD: a run of 30 or more word characters in the Subject. \d is already
# covered by \w, and /i has no effect on this pattern.
296 header LONGWORD subject =~ /\b[\w\d]{30,}/i
297 describe LONGWORD long word in subject
# TESTIMONIAL: any Subject word starting with "testimonial".
301 header TESTIMONIAL subject =~ /\btestimonial/i
302 describe TESTIMONIAL testimonials
# ITXS: Subject contains "it`s" written with a backtick instead of an
# apostrophe. No describe or score line is visible for it in this listing (the
# listing's numbering skips lines after the rule).
306 header ITXS subject =~ /\bit\`s\b/i
# TINYFONT: raw body contains "FONT-SIZE:" followed by at least one whitespace
# character and 1px, 2px or 3px. "font-size:1px" with no space does not match.
311 rawbody TINYFONT /\bFONT-SIZE\:\s+[123]px\;/i
312 describe TINYFONT tiny font specified
# ZIPFILE: "filename=" followed later on the same line by ".zip".
# NOTE(review): verify that MIME part headers are visible to rawbody; if they
# are not, this only hits when the text appears inside a textual part.
316 rawbody ZIPFILE /\bfilename\=.*\.zip\b/i
317 describe ZIPFILE zipfile attachment
# SPACESUB: Subject begins with exactly one whitespace character followed by a
# word character.
321 header SPACESUB subject =~ /^\s\w/
322 describe SPACESUB extra space before subject
# YAHOOCALENDAR (first definition): X-Yahoo-Newman-Property contains
# "calendar-invite"; 4 points.
# NOTE(review): the name YAHOOCALENDAR is defined a second time further down
# this file, against X-Yahoo-Calendar-IId and with score 5. A later definition
# of the same name replaces the earlier one, so this header test, description
# and score are presumably dead. Give one of the two rules a distinct name if
# both tests are wanted.
# NOTE(review): the header name is written with a trailing colon; check with
# `spamassassin --lint` that it is parsed as intended.
326 header YAHOOCALENDAR X-Yahoo-Newman-Property: =~ /calendar-invite/i
327 describe YAHOOCALENDAR Calendar invite from yahoo; broken captcha
328 score YAHOOCALENDAR 4
# BOUNDARYID: Content-Type boundary begins with "Boundary_(ID_".
# NOTE(review): the description attributes this format to spamware; confirm no
# legitimate mail system in use on these lists produces it.
331 header BOUNDARYID content-type =~ /\bboundary\=\"Boundary_\(ID_/
332 describe BOUNDARYID spamware boundary
# GBKXWFLXF: one literal lower-case token as a whole word.
336 body GBKXWFLXF /\bgbkxwflxf\b/
337 describe GBKXWFLXF gbkxwflxf
# LUKSUS: the word "luksus" in any letter case.
341 body LUKSUS /\bluksus\b/i
343 describe LUKSUS Luksus
# XIRONPORT is kept disabled. The header value is whatever the message carries,
# which fits the authors' note that the rule needs a check that the mail really
# passed through an IronPort system.
345 # disabled by don; was causing false positives
346 # probably needs to be modified to check if it really is ironport
348 # header XIRONPORT X-IronPort-Anti-Spam-Filtered =~ /true/
349 # describe XIRONPORT claims to be ironport filtered
350 # score XIRONPORT 2.5
# AUTORESPON: Subject contains "Auto_response" with a literal underscore.
353 header AUTORESPON subject =~ /Auto_response/
354 describe AUTORESPON Auto_response
# XWUM: X-WUM-To is present with at least one character.
358 header XWUM x-wum-to =~ /./
359 describe XWUM X-WUM-TO
# STATIC_RIMA_TDE: subtracts 5 points when Received header text contains
# "staticIP.rima-tde.net".
# NOTE(review): the test runs over Received text in general, and Received lines
# below the first trusted relay are written by the sending side. Any message
# that carries this string in such a line receives the -5. Restricting the match
# to relay data recorded by trusted hosts (e.g. the X-Spam-Relays-Untrusted
# pseudo-header) or lowering the bonus would limit that exposure.
363 # compensate false-positives for 140.Red-80-25-20.staticIP.rima-tde.net and stuff
364 header STATIC_RIMA_TDE received =~ /staticIP\.rima-tde\.net/
365 describe STATIC_RIMA_TDE static IP from rima-tde.net
366 score STATIC_RIMA_TDE -5
# No score lines are visible for the rules in this group.
368 # cord 2008-11-30 # compensate LDO_SUBSCRIBER bonus for Forum2Mail-Gw
# NABBLE: `full` rule; "lists@nabble.com" anywhere in the raw message, headers
# or body.
369 full NABBLE /lists\@nabble\.com/
370 describe NABBLE sent through nabble.com
# HTML_NBSP: as shown, this matches three or more consecutive spaces.
# NOTE(review): the rule name and the cut-off description suggest the original
# pattern and description contained an HTML non-breaking-space entity that was
# decoded when this page was rendered; check against the original file.
374 full HTML_NBSP /(\ ){3,}/
375 describe HTML_NBSP Lots of
# ENTIST: Subject contains "e" + at most one character + "entist", or "o" + at
# most one character + "ctor". Plain "doctor" matches the second branch (the
# optional character may be absent); plain "dentist" does not match the first.
379 header ENTIST subject =~ /(?:e.?entist|o.?ctor)/i
380 describe ENTIST (D)entit/(D)octor
# THREADTOPIC: Thread-Topic is present with at least one character.
383 header THREADTOPIC thread-topic =~ /./i
384 describe THREADTOPIC Has a thread topic header
# AOL rules. All four test the whole From header value (display name and
# address), since no `:addr` modifier is used, and all are unanchored. The
# domain part accepts "aol.com" or any subdomain, with nothing required after
# it. No score lines are visible here.
# NOTE(review): none of these checks whether the mail really came from AOL;
# they only look at what the From header says. As written they are broad:
388 # replacing old aol-rules from rc.spam
# AOL_SPAM1: a digit anywhere before the "@", including in the display name.
390 header AOL_SPAM1 from =~ /[0-9].*\@([^\@]+\.)?aol\.com/i
391 describe AOL_SPAM1 possible AOL-pretending spam, matching rule 1
# AOL_SPAM2: at least ten characters of any kind before the "@".
394 header AOL_SPAM2 from =~ /...........*\@([^\@]+\.)?aol\.com/i
395 describe AOL_SPAM2 possible AOL-pretending spam, matching rule 2
# AOL_SPAM3: both `.?` may match nothing, so every From containing an
# aol.com address matches. If "local part of at most two characters" was meant,
# the pattern needs a start anchor on the address; confirm intent.
398 header AOL_SPAM3 from =~ /.?.?\@([^\@]+\.)?aol\.com/i
399 describe AOL_SPAM3 possible AOL-pretending spam, matching rule 3
# AOL_SPAM4: any non-alphanumeric character before the "@"; the space, quotes
# or "<" of an ordinary "Name <user@aol.com>" header are enough.
402 header AOL_SPAM4 from =~ /[^a-zA-Z0-9]+.*\@([^\@]+\.)?aol\.com/i
403 describe AOL_SPAM4 possible AOL-pretending spam, matching rule 4
# No score lines are visible for the rules in this group.
# WEBMAIL: the word "webmail" anywhere in the body, any letter case.
407 body WEBMAIL /\bwebmail\b/i
408 describe WEBMAIL webmail
# REFNO: "ref no" as whole words in the Subject.
412 header REFNO subject =~ /\bref no\b/i
413 describe REFNO Ref No
# INFOCOUK: To contains one of six local parts at an optional listed prefix
# label plus co.uk/net/com/org. The empty alternative at the end of the second
# group lets "info@com" or "win@co.uk" match. Case-sensitive.
417 header INFOCOUK to =~ /\b(?:info|winner|loan|lotto|grant|win)\@(?:info\.|winner\.|loan\.|lotto\.|hotmail\.|grant\.|win\.|yahoo\.|)(?:co\.uk|net|com|org)\b/
418 describe INFOCOUK to info@co.uk
# EXITAT: "exit@" or "rembox@" at one of five listed names followed by "." and
# a word character. The description names only the first of the five.
422 body EXITAT /\b(?:exit|rembox)\@(?:datalistsource|listsourcesworld|BestAccurateReliable|expertdatasystems|bestbizlists)\.\b/i
423 describe EXITAT exit@datalistsource.com
# TOINFO: To contains "info@" at a word boundary. Every info@ hit of INFOCOUK
# also hits this rule, so the two scores add up.
427 header TOINFO to =~ /\binfo\@/
428 describe TOINFO to info@
# CONSTCONTACT: X-Mailer names Constant Contact; the header is sender-supplied.
432 header CONSTCONTACT X-Mailer =~ /Constant Contact/i
433 describe CONSTCONTACT Mail comming from constant contact, which doesn't require double opt-in
# CTBDN: fires only when both CT_IMAGE and MIXEDBDN hit; its score is added on
# top of theirs.
437 meta CTBDN (CT_IMAGE && MIXEDBDN)
438 describe CTBDN CT_IMAGE && MIXEDBDN
# NUMEMAIL: three or more digits, whitespace, then "email" or "emails".
442 body NUMEMAIL /\d{3,}\s+emails?/i
443 describe NUMEMAIL Mail which mentions some number of e-mail addresses
# YAHOOCALENDAR (second definition): X-Yahoo-Calendar-IId present with at least
# one character; 5 points, which equals SpamAssassin's default threshold.
# NOTE(review): this reuses the name of an earlier rule in this file that tests
# X-Yahoo-Newman-Property with score 4. The later definition replaces the
# earlier one, so only this test is presumably active. Rename one of them if
# both are wanted.
# NOTE(review): the header name is written with a trailing colon; check with
# `spamassassin --lint` that it is parsed as intended.
447 header YAHOOCALENDAR X-Yahoo-Calendar-IId: =~ /./
448 describe YAHOOCALENDAR Mail comming from yahoo calendar, which spams us with updates
449 score YAHOOCALENDAR 5
# No score lines are visible for the rules in this group.
# TLOTTERY: Subject contains "Ticket no: " followed by digits.
452 header TLOTTERY subject =~ /Ticket no: [0-9]+/i
453 describe TLOTTERY Lottery spam
# GLOTTERY: one literal underscore-separated Subject string.
457 header GLOTTERY subject =~ /Google_L_o_t_t_e_r_y_W_i_n_n_e_r_s/i
458 describe GLOTTERY Google Lottery spam
# DOTNET: exact, case-sensitive Subject phrase.
462 header DOTNET subject =~ /Planning a Website Design\? Updates/
463 describe DOTNET .NET Spam
# REMBOX: one of the listed opt-out mailbox names, optional whitespace, then
# "@". It overlaps EXITAT on "exit@" and "rembox@". Case-sensitive.
467 body REMBOX /\b(?:rembo[xt]|disappear|stopping|delrem|remfiles?|exit|takemeoff|offthelist|purgefile)\s?\@/
468 describe REMBOX rembox
471 # formorer 2010-01-23
# LONGTO: fifteen or more consecutive "token, " items in To, i.e. at least
# sixteen recipients written as a comma-and-space separated list.
472 header LONGTO to =~ /([\S]+, ){15,}/
473 describe LONGTO very long To line
476 # formorer 2010-01-25
477 header VAULAS subject =~ /cursos video aulas video/i
478 describe VAULAS some spanish video spam
# FROMWWW / FROMCASINO: tested against the whole From header value, so a
# display name can trigger them as well as the address.
482 header FROMWWW from =~ /\bwww\./i
483 describe FROMWWW from www.whatever
487 header FROMCASINO from =~ /\bcasino/i
488 describe FROMCASINO from casino
# RTF attachment rules.
# CTOCTET_STREAM: the Content-Type header contains "octet-stream"; 0.5 points.
492 header CTOCTET_STREAM Content-Type =~ /octet-stream/i
493 describe CTOCTET_STREAM Content type is octet-stream
494 score CTOCTET_STREAM 0.5
# RTF_ATTACH: the Content-Type header has a name= parameter containing ".rtf"
# (unanchored, so ".rtfx" would also match). Score not visible here.
# NOTE(review): both rules are `header` tests on Content-Type; verify whether
# they see the Content-Type of an attachment inside a multipart message or only
# the message's own header. A `mimeheader` rule may be needed for the former.
496 header RTF_ATTACH Content-Type =~ /name=.+\.rtf/i
497 describe RTF_ATTACH Contains an RTF Attachment
# RTF_SPAM: fires when both rules above hit; its score adds to theirs.
500 meta RTF_SPAM CTOCTET_STREAM && RTF_ATTACH
501 describe RTF_SPAM Content type is octet-stream and has an RTF Attachment