add blars still single rule

[spamassassin_config.git] / common / misc_spam

# This seems to catch a lot of spam, but not sure about false positive (from airmax.cf)
# pasc couldn't find any false positives on the lists he's on
header   X_MESSAGE_INFO exists:X-Message-Info
score    X_MESSAGE_INFO 4.0

# Added by pasc 2004/07/08 (sent by abuse@outblaze via karsten)
# host no longer exists according to administrator
header FAKE_OUTBLAZE_RCVD       Received =~ /\.mr\.outblaze\.com/
describe FAKE_OUTBLAZE_RCVD     Received header contains faked 'mr.outblaze.com'
score FAKE_OUTBLAZE_RCVD        3.0

# blarson 2005-01-19 (--pasc 2005-01-30)
header TRACKING         subject =~ /\b(?:tracking|package|shipping|shipment|delivery) number :/i
describe TRACKING       tracking number
score TRACKING          2

# Sent in by blars (20050220) -- applied by pasc
body GUEBDE     /http\:\/\/www\.gueb\.de\//
describe GUEBDE www.geub.de
score GUEBDE    5


# TODO: The rules below seem to be very similar; possibly fix them.

# These might trip up on non-english lists. We'll see.
# They're fucking up on GPG signatures
body MURPHY_WRONG_WORD1 /[bcdfghjklmnpqrstvwxz]{7,}/i
score MURPHY_WRONG_WORD1 0.1

body MURPHY_WRONG_WORD2 /[bcdfghjklmnpqrstvwxz]{6,}/i
score MURPHY_WRONG_WORD2 0.2

#Impronounceable. Need to check this one for accuracy (from airmax.cf)
body IMPRONONCABLE_1                            /([bcdfghjklmnpqrstvwxz]){6,20}/
describe IMPRONONCABLE_1                        Some words aren't easy to pronounce (too much vowels)
body IMPRONONCABLE_2                            /(([abcdefghijklmnopqrstvwxyz]){1,9}\d{1,4}){2,9}/
describe IMPRONONCABLE_2                        Some words aren't easy to pronounce (mixed numbers and lower-case letters)

# From http://www.exit0.us/index.php/FredsRules
# Added by pasc 2004/06/20

body      __FVGT_b_OBFU_J      /j(b|c|f|g|w)/i
body      __FVGT_b_OBFU_OTHER  /(vj|vk|xj|xk|yy|zf|zj)/i
body      __FVGT_b_OBFU_Q0     /(j|k|p|q|t|v|w|z)q/i
body      __FVGT_b_OBFU_Q1     /q(a|f|h|j|k|m|n|s|y)/i
body      __FVGT_b_OBFU_V      /(f|g|q|w)v/i
body      __FVGT_b_OBFU_X      /(c|g|j|k|q|s|v|z)x/i
body      __FVGT_b_OBFU_Z      /(f|j|k|p|q|x)z/i
meta      FVGT_m_MULTI_ODD     ((__FVGT_b_OBFU_J + __FVGT_b_OBFU_OTHER + __FVGT_b_OBFU_Q0 + __FVGT_b_OBFU_Q1 + __FVGT_b_OBFU_V + __FVGT_b_OBFU_X + __FVGT_b_OBFU_Z) > 1)
describe  FVGT_m_MULTI_ODD      FVGT - contains multiple odd letter combinations
score     FVGT_m_MULTI_ODD      0.02

# joy, 2003-07-20
header NEPEYO                   From =~ /nepeyo\@catlover/
describe NEPEYO                 spamvertizers
score NEPEYO                    4

# cjwatson, 2003/07/28
header MP3_PLAYERS              Subject =~ /New mp3 player,usb flash drive/
describe MP3_PLAYERS            Spam from "HY Tech"
score MP3_PLAYERS               4

# joy, 2003-08-15
header UOSJUNK                  Subject =~ /UOS online Degree Programme/i
describe UOSJUNK                Spam from UOS
score UOSJUNK                   4

# cjwatson, 2004-02-27
body GAS_MILEAGE        /This amazing, revolutionary device|www\.mrev\.biz/
describe GAS_MILEAGE    Fuel-saving snake oil
score GAS_MILEAGE       3

# blarson, 2004-03-31
body FUELSAVER          /fuel.?saver/i
describe FUELSAVER      Fuel Saver spam
score FUELSAVER         3

# blarson, 2004-04-03
body CABLEFILTERZ       /cablefilterz/
describe CABLEFILTERZ   cablefilterz spam
score CABLEFILTERZ      4

# blarson 2004-04-15
header PARENNUM         subject =~ /^\(\s*([0-9\/]+\)|\%RND)/
describe PARENNUM       paren number in subject
score PARENNUM          3

# blarson 2004-04-25
# bounces our bounces.... (had negitive score)
header COVADRT          X-RT-Loop-Prevention =~ /^Covad$/
describe COVADRT        Covad request tracker bounces
score COVADRT           8

# blarson 2005-03-02
header ROBERTOJIMENOCA  from =~ /ROBERTOJIMENOCA\@terra\.es/
describe ROBERTOJIMENOCA ROBERTOJIMENOCA sends spammy looking messages
score ROBERTOJIMENOCA   -2

# blarson 2005-07-10
header TURBOPRO         subject =~ /\bturbonet pro\b/i
describe TURBOPRO       dialup accelerator spam
score TURBOPRO          3

# blarson 2006-04-28
header RESUBJECT        subject =~ /\sRe(?:\[\d+\])?:\s*$/i
describe RESUBJECT      re nothing
score RESUBJECT         2

# blarson 2004-10-22 2007-07-18 up score
header NOSUBJECT        subject =~ /^\s*$/
describe NOSUBJECT      No subject
score NOSUBJECT         2.5

# blarson 2006-10-17
full NEXTPART   /\-\=\_NextPart\_000\_/
describe NEXTPART       spammer mime separator
score NEXTPART          2.5

# blarson 2006-10-17
full CT_IMAGE           /Content\-Type\:\s*image/i
describe CT_IMAGE       Picture attached
score CT_IMAGE          1

# blarson 2006-12-01 (score so low since it will also hit CT_IMAGE)
header CT_IMAGE_HEAD    content-type =~ /image/
describe CT_IMAGE_HEAD  entire message is image
score CT_IMAGE_HEAD     2.5


# don 2006-10-25
header THREADINDEX      Thread-Index =~ /A-Z/
describe THREADINDEX    thread-index header on spam
score    THREADINDEX    1.5

# blarson 2006-10-30
header FORDASH          subject =~ /\bFor \- \d+/
describe FORDASH        for dash
score FORDASH           3

# blarson 2006-11-01
header KOREAN           subject =~ /\=\?koi8\-r/
describe KOREAN         Korean Character set spam
score KOREAN            2

# blarson 2006-12-04
header FWDNAME          subject =~ /fwd\: \w+\s*$/
describe FWDNAME        fwd: name spam
score FWDNAME           3

# blarson 2006-12-06
body NUMONLY            /^\s*\d+\s*$/
describe NUMONLY        number only body
score NUMONLY           1

# blarson 2007-04-24
header THUNDERB         User-Agent =~ /^Thunderbird 1\.5\.0\.10/
describe THUNDERB       spam missing content
score THUNDERB          2


# blarson 2007-06-15
header FAILNOTE         subject =~ /Failure notice\:/
describe FAILNOTE       bounced spam
score FAILNOTE          2

# blarson 2007-06-28
rawbody CTINLINE        /^Content\-Disposition\: inline\;\b/
describe CTINLINE       Inline attachment
score CTINLINE          1

# blarson 2007-07-07
body BOXTRAPPER         /^This message is a reply to a boxtrapper verifcation message\./
describe BOXTRAPPER     boxtrapper spam
score BOXTRAPPER        9

# blarson 2007-07-09
body PROMOCODE          /^promo code\:/i
describe PROMOCODE      promo code
score PROMOCODE         3

# blarson 2007-07-11
body XLMAN              /\bwww\.xl\-man\.net\b/
describe XLMAN          xl-man spam
score XLMAN             3

# blarson 2007-07-12
body COSTUMER           /^Dear costumer\b/
describe COSTUMER       paypal scam
score COSTUMER          3

# blarson 2007-07-13
body PRIVATE            /^Your private and confidential message is attached\./
describe PRIVATE        private message
score PRIVATE           4

# don 2007-07-15
header AUTOGENERATE     auto-submitted =~ /auto/i
describe AUTOGENERATE   auto generated crap
score AUTOGENERATE      3

# blarson 2007-07-15
body PRIVPDF            /^All our private messages are in pdf format/
describe PRIVPDF        private pdf
score PRIVPDF           4

# don 2007-07-19
header AUTORESPOND      X-Autorespond =~ /./
describe AUTORESPOND    Automatic response
score   AUTORESPOND     4

header AUTOMAILER       X-Mailer =~ /autors/
describe AUTOMAILER     Auto response mailer
score AUTOMAILER        3       

# blarson 2007-07-22
header OUTOFOFFICE_SUB  subject =~ /Out_of_Office/
describe OUTOFOFFICE_SUB        broken autoresponder
score OUTOFOFFICE_SUB   6

body OUTOFOFFICE        /out of the office/i
describe OUTOFOFFICE    Out of the office
score OUTOFOFFICE       3

# blarson 2007-08-01 \w was too broad 2007-08-12 add dash, at least 3 digits
header SUBENDNUM        subject =~ /[a-zA-Z!]-?\d{3,}$/
describe SUBENDNUM      Subject ends in word989
score SUBENDNUM         2

# blarson 2007-07-27
body PRIVMES            /^You have been sent a private message/
describe PRIVMES        more pdf spam
score PRIVMES           3

# blarson 2007-07-27
header MIXEDBDN         Content-Type =~ /multipart\/mixed\;.*boundary\=\"\-{4,}\d{4,}\"/
describe MIXEDBDN       more pdf spam
score MIXEDBDN          1

# blarson 2007-07-28
header DOTZIP           subject =~ /\d\.zip\b/
describe DOTZIP         zip spam
score DOTZIP            3

# blarson 2007-07-30
header MIXED2           Content-Type =~ /multipart\/mixed\;charset\=iso\-8859\-1\;.*boundary\=\"\-\-\-\-\=\_\d{8,}\_\d{4,}\"/
describe MIXED2         more pdf spam
score MIXED2            2.5

# blarson 2007-07-31
header KEYENCE          From =~ /KEYENCE CORPORATION/
describe KEYENCE        opt out spam
score KEYENCE           10

# blarson 2007-08-02
header NOSUB            subject =~ /\(No Subject\)$/i
describe NOSUB          explicity no subject
score NOSUB             1

# blarson 2007-08-07
header CTPDF            Content-Type =~ /\bapplication\/pdf\;/i
describe CTPDF          more pdf spam
score CTPDF             4

# blarson 2007-06-12
header JAPSUB           subject =~ /\=\?iso\-2022\-jp/i
describe JAPSUB         subject in japanese
score JAPSUB            3

# blarson 2007-08-24
header XMSATT           X-MS-Has-Attach =~ /yes/i
describe XMSATT         more pdf spam
score XMSATT            2