1 # Added some rules from Rule du Jour that I've been testing for a while
3 #Monotone (from airmax.cf)
# MONOTONE_WORDS_<min>_<count>: each pattern is anchored with ^ and requires
# <count> consecutive tokens of <min>..20 lowercase ASCII letters, each token
# followed by one or more whitespace or period characters.
# There is no /i modifier, so a capital letter, digit, comma or apostrophe
# ends the run.
# The tiers overlap: a run that satisfies 5_20 also satisfies 5_12, 5_8, 3_20
# and 2_15, so one long lowercase run can hit several rules and their scores add.
# NOTE(review): no `score` lines for these rules are visible here; unless one is
# set elsewhere, SpamAssassin's default score applies -- confirm before deploying.
# NOTE(review): the parentheses are used only for repetition; `(?:...)` would
# express the same match without a capture.
4 body MONOTONE_WORDS_2_15 /^([a-z]{2,20}[\s\.]+){15}/
5 describe MONOTONE_WORDS_2_15 Lines with many (long) lowercase words (15+ words, 2+ letters)
6 body MONOTONE_WORDS_2_30 /^([a-z]{2,20}[\s\.]+){30}/
7 describe MONOTONE_WORDS_2_30 Lines with many (long) lowercase words (30+ words, 2+ letters)
8 body MONOTONE_WORDS_3_20 /^([a-z]{3,20}[\s\.]+){20}/
9 describe MONOTONE_WORDS_3_20 Lines with many (long) lowercase words (20+ words, 3+ letters)
10 body MONOTONE_WORDS_5_8 /^([a-z]{5,20}[\s\.]+){8}/
11 describe MONOTONE_WORDS_5_8 Lines with many (long) lowercase words (8+ words, 5+ letters)
12 body MONOTONE_WORDS_5_12 /^([a-z]{5,20}[\s\.]+){12}/
13 describe MONOTONE_WORDS_5_12 Lines with many (long) lowercase words (12+ words, 5+ letters)
14 body MONOTONE_WORDS_5_20 /^([a-z]{5,20}[\s\.]+){20}/
15 describe MONOTONE_WORDS_5_20 Lines with many (long) lowercase words (20+ words, 5+ letters)
17 # Lots of auto-responders seem to have this
# Seven case-insensitive phrase fragments, each scored 0.1 on its own so that a
# single hit is close to neutral. None of them carries a `describe` line here.
# The phrases are unanchored substrings; "online form" in particular is ordinary
# wording, which is why the individual scores are kept low.
18 body MDO_AUTORESP1 /online form/i
19 score MDO_AUTORESP1 0.1
21 body MDO_AUTORESP2 /large amount of (spam|virus)/i
22 score MDO_AUTORESP2 0.1
24 body MDO_AUTORESP3 /(electronically|automatically) (generated|created) (email|ack)/i
25 score MDO_AUTORESP3 0.1
27 body MDO_AUTORESP4 /(respond|answer) your enquiry/i
28 score MDO_AUTORESP4 0.1
30 body MDO_AUTORESP5 /(email|enquiry) has been received/i
31 score MDO_AUTORESP5 0.1
33 body MDO_AUTORESP6 /will be answered within/i
34 score MDO_AUTORESP6 0.1
36 body MDO_AUTORESP7 /the e-mail address to which you have written does not support incoming messages/i
37 score MDO_AUTORESP7 0.1
# The meta rule sums the seven sub-rules and fires when the sum exceeds 1, i.e.
# when at least two different phrases are present. It adds 2.0 on top of the
# 0.1 contributed by each sub-rule that hit.
# NOTE(review): genuine acknowledgement mail from help desks will often contain
# two of these phrases -- confirm that scoring such mail is the intent.
39 meta MDO_AUTORESP_META1 (MDO_AUTORESP1 + MDO_AUTORESP2 + MDO_AUTORESP3 + MDO_AUTORESP4 + MDO_AUTORESP5 + MDO_AUTORESP6 + MDO_AUTORESP7) > 1
40 score MDO_AUTORESP_META1 2.0
# Case-sensitive substring: only "Diploma" with a capital D matches, and it also
# matches inside longer words such as "Diplomatic". Score 1.
42 body MURPHY_DIPLOMA /Diploma/
43 describe MURPHY_DIPLOMA No Diploma
44 score MURPHY_DIPLOMA 1
# Case-sensitive substring: only the all-lowercase spelling matches. Score 1.
46 body MURPHY_CALORIES /calories/
47 describe MURPHY_CALORIES No Calories
48 score MURPHY_CALORIES 1
# This is a `header` rule, so it tests the message's Content-Type header.
# NOTE(review): a GIF attached to a multipart message is declared on its MIME
# part, not in the message header, so this rule would only see a message whose
# own Content-Type is image/gif. If attached images are the target, a MIME-part
# check (e.g. `mimeheader` from the MIMEHeader plugin) is needed -- confirm intent.
50 header MURPHY_CONTENT_GIF Content-Type =~ /image\/gif/
51 describe MURPHY_CONTENT_GIF Content contains image/gif
52 score MURPHY_CONTENT_GIF 1
54 # cable tv spam -- pasc 04/05/11-12
# Four case-insensitive sub-rules at 0.5 each. `.?` allows zero or one arbitrary
# character between the two words ("pay-per-view", "payperview", ...).
55 body MDO_CABLE_TV1 /pay.?per.?view/i
56 score MDO_CABLE_TV1 0.5
58 body MDO_CABLE_TV2 /mature.?channel/i
59 score MDO_CABLE_TV2 0.5
# Matches "cable" or "c@ble" as a substring. There is no word boundary, so it
# also matches inside words such as "applicable".
# NOTE(review): a leading \b would limit this to the word itself -- confirm.
61 body MDO_CABLE_TV3 /c(\@|a)ble/i
62 score MDO_CABLE_TV3 0.5
# Accepts "remote" or "rem0te", then at most one character, then "control".
64 body MDO_CABLE_TV4 /rem(o|0)te.?control/i
65 score MDO_CABLE_TV4 0.5
# Fires when the "cable" sub-rule hits together with at least one of the other
# three, and adds 3 on top of the 0.5 from each sub-rule that hit.
67 meta MDO_CABLE_META1 (MDO_CABLE_TV1 || MDO_CABLE_TV2 || MDO_CABLE_TV4) && (MDO_CABLE_TV3)
68 describe MDO_CABLE_META1 Too much cable stuff
69 score MDO_CABLE_META1 3
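# Matches the subject text "Unknown Tag *free* Please Fix". The asterisks are
# escaped here: left bare, `*` is a regex quantifier (" *" = any number of
# spaces, "e*" = any number of e's), so the pattern could never match a subject
# that really contains the asterisks. `\*?` makes each asterisk optional, so the
# asterisk-free spelling "Unknown Tag free Please Fix" still matches.
# Case-sensitive. No `score` or `describe` line is visible for this rule here.
71 header MDO_TAGSPAM1 Subject =~ /Unknown Tag \*?free\*? Please Fix/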
# A single common word, matched case-insensitively as a substring, scored 2.8.
# NOTE(review): this is a high score for one ordinary word; any mail that
# mentions a portfolio takes it -- confirm the false-positive rate.
74 body MDO_BAD_WORD1 /PORTFOLIO/i
75 score MDO_BAD_WORD1 2.8
77 # blarson, 2004-04-30 -> lists --pasc 04/05/11
# "affiliate" and "id" with at most one arbitrary character between them.
78 body AFFILIATEID /affiliate.?id/i
79 describe AFFILIATEID affiliate id
82 # joy, 2003-08-30, 2003-09-21
# Case-sensitive: only the exact prefix "Fw: " at the start of the subject.
# Mail clients that use this prefix for ordinary forwards will also hit.
83 header FW Subject =~ /^Fw: /
84 describe FW Sounds like a Fw: spam
# Subject that ends in "RE:" or "FWD:" with nothing but whitespace after it.
88 header REFWD subject =~ /\b(?:RE|FWD)\:\s*$/i
89 describe REFWD re or fwd nothing
# Whole subject is a single \w+ token, optionally preceded by "Fw:" or "re:".
93 header ONEWORD subject =~ /^(?:Fw:|re:)?\s*\w+\s*$/i
94 describe ONEWORD one word subject
# NOTE(review): no `score` lines are visible for AFFILIATEID, FW, REFWD and
# ONEWORD; unless set elsewhere, SpamAssassin's default score applies.
97 # robot101, 2003-09-22
# Tests the X-UnityUser header for a value starting "Crosswalk.com, Inc".
# The `.` is unescaped and therefore matches any single character.
98 header CROSSWALK X-UnityUser =~ /^Crosswalk.com, Inc/
99 describe CROSSWALK Crosswalk bible mailing list
# Case-sensitive substring match on the From header. Score 1.
102 header CROSSWALK_SPAM From =~ /Crosswalk/
103 describe CROSSWALK_SPAM Crosswalk Spam
104 score CROSSWALK_SPAM 1
# Case-sensitive; requires the trailing space after "dia".
107 header BOMDIA Subject =~ /Bom dia /
108 describe BOMDIA Bom dia, usually some Romanic language spam
# Matches a Received value that begins "from localhost.localdomain" (the `.` is
# unescaped and matches any character). Score 2.
# NOTE(review): hosts that hand off locally generated mail can present this name
# legitimately -- confirm the false-positive rate before relying on the score.
111 header RCVD_FROM_UNCONF_HOST Received =~ /^from localhost.localdomain/
112 describe RCVD_FROM_UNCONF_HOST Mail comes from a host with unconfigured mailer daemon
113 score RCVD_FROM_UNCONF_HOST 2
# Exact, case-sensitive phrase from one specific campaign.
116 body ECOSPAM /Corridas de Toros para los turistas Ingleses en Barcelona/
117 describe ECOSPAM Eco-spam all right
120 # cjwatson, 2003/02/24
# Exact, case-sensitive phrase. Score 4.0.
121 body SPANISH_FORM_CGI /Este formulario fue enviado por/
122 describe SPANISH_FORM_CGI "Below is the result of your feedback form", eh?
123 score SPANISH_FORM_CGI 4.0
# Exact, case-sensitive phrase. Score 4.
126 body TRAFFICMAGNET /Become a TrafficMagnet Reseller/
127 describe TRAFFICMAGNET SpamMagnet
128 score TRAFFICMAGNET 4
# Case-sensitive: subject starting with lowercase "bkr".
131 header BKR Subject =~ /^bkr/
132 describe BKR bkr spam
136 header RISEANDSHINE Subject =~ /^Rise and Shine in 15 minutes/
137 describe RISEANDSHINE Rise and Shine in 15 minutes spam
# Letter-spaced wording; the `.` between the two words matches any one character.
141 header UNIVDIP Subject =~ /U N I V E R S I T Y . D I P L O M A S/i
142 describe UNIVDIP university diplomas spam
# Matches every subject that begins with "You" (optionally after "Re: "), in any
# letter case -- including "Your ..." and "YouTube ...".
# NOTE(review): very broad; confirm the score assigned to it elsewhere is small.
146 header YOUTHERE Subject =~ /^(Re: )?You/i
147 describe YOUTHERE Who, me? Likely spam
150 # cjwatson, 2003-11-20
151 header HOUSECLEANING Subject =~ /^Affordable Housecleaning Service/
152 describe HOUSECLEANING let's clean out the spam instead
153 score HOUSECLEANING 3
155 # cjwatson, 2003-12-11
# Case-sensitive, unanchored.
156 header OTC_FIRST Subject =~ /OTC FIRST ALERT/
157 describe OTC_FIRST OTC spam
# Two ordinary words, case-insensitive, anywhere in the body text.
161 body AVAILABLENOW /available now/i
162 describe AVAILABLENOW must be selling some shit
# NOTE(review): BKR, RISEANDSHINE, UNIVDIP, YOUTHERE, OTC_FIRST and AVAILABLENOW
# have no visible `score` line; unless set elsewhere, the default score applies.
165 # cjwatson, 2004-01-16
# Exact, case-sensitive sentence fragment (lowercase "i" included). Score 2.
166 body TEDIOUS_WITTER /If not i included it below so let me know if you like it/
167 describe TEDIOUS_WITTER annoying wittering spam, mypillsource.com I think
168 score TEDIOUS_WITTER 2
170 # cjwatson, 2004-03-12
# "university" or "college", whitespace, then a word starting with "diploma",
# "cert" or "degree". The second word has no trailing boundary, so "cert" also
# covers "certificate".
172 header UNI_DIPLOMA Subject =~ /\b(university|college)\s+(diploma|cert|degree)/i
173 describe UNI_DIPLOMA Got one, thanks
# Body counterpart of UNI_DIPLOMA: "university" only, and no leading \b.
177 body UNI2 /university\s+(diploma|cert|degree)/i
178 describe UNI2 Got one, thanks
181 # cjwatson, 2004-03-12
# Case-sensitive, unanchored.
182 header JOB_CONFIRM Subject =~ /Job confirmation/
183 describe JOB_CONFIRM Got one of these too, thanks
# Whole subject is "message" or "message subject", optionally in parentheses.
187 header MESSAGESUB subject =~ /^\s*\(?message\s*(subject)?\)?$/i
188 describe MESSAGESUB really descriptive subject
# NOTE(review): UNI_DIPLOMA, UNI2, JOB_CONFIRM and MESSAGESUB have no visible
# `score` line; unless set elsewhere, the default score applies.
191 # blarson 2006-03-16 2007-09-11
# A greeting at the start of the tested text (optionally preceded by "well"),
# then an optional comma, whitespace, an optional "Account #" / "=3d" / "bro"
# filler, and finally a run of three or more digits -- i.e. a salutation
# addressed to a number instead of a name.
# `(Mail|News)` is the only capturing group; everything else uses (?:...).
# NOTE(review): `\=?3d` presumably covers leftover quoted-printable "=3D" -- confirm.
192 body DEARDIGIT /^(?:well\s+)?(?:Dear|Hey|H[ea]y?ll?.?o|To|Attention|Hi+|Hey+a?|Bonjorno|Yo|(?:g[o0]+d\s*)?(?:d?ay|morning|evening?|afternoon|night)|what.?i?s\s+up|wa(?:s|z)+up|greetings?|Salutations|(Mail|News)\s+to|how(?:.?s|\s+is)?\s*(?:(?:it)?(?:\s+is)??\s*going|have\s+you\s+been|are you).?\s*(?:there|to\s+you)?)\,?\s+(?:Account\s+\#?|\=?3d|)(?:bro\s+)?\d{3,}/i
193 describe DEARDIGIT Dear number
# Whole subject; the `.` stands for any character in place of the "i".
197 header SIZEMATTERS subject =~ /^S.ze matters$/i
198 describe SIZEMATTERS Size matters spammer
201 # cjwatson 2005-01-02
# Subject starting with the literal text "<rndmx" (case-sensitive).
202 header RNDMX subject =~ /^<rndmx/
203 describe RNDMX weird empty spam
# Keyed on the misspelling "verifycation" (case-sensitive).
207 header VERIFYCAT subject =~ /verifycation mail/
208 describe VERIFYCAT verifycation spam
# "download" with o/0 and l/1 substitutions, followed anywhere later in the
# subject by movie / mp3 / tune / music.
212 header D0WNLOAD subject =~ /\bd[o0]wn[l1][o0]ad.*(?:m[o0]v[i1]e|mp3|tune|music)/i
213 describe D0WNLOAD download spam
217 header REDUCESPAM subject =~ /Reduce Spam\b/i
218 describe REDUCESPAM reduce spam spam
# URL fragment: ".dirt" (optionally preceded by "the" or one digit, optionally
# followed by "y"), digits, then ".info/". Case-sensitive.
222 body DIRT /\.(?:the|\d|)dirty?\d+\.info\//
223 describe DIRT dirty spammer
# Tested text consisting only of the literal token RND_WORD.
# NOTE(review): looks like an unexpanded template placeholder -- confirm.
227 body RNDWORD /^RND_WORD\s*$/
228 describe RNDWORD RND_WORD
# The alternation lists scrambled spellings only; the correct spelling "degree"
# does not match this pattern.
232 header D3GREE subject =~ /\bd(?:3gres?|esgre|eerge|eeerg|reege|egres)e?s?\b/i
233 describe D3GREE Want a used paper from someone who can't spell
# "final" followed by a word beginning "notif" (notification, notify, ...).
237 body FINALNOTE /\bfinal\s+notif/i
238 describe FINALNOTE yet another final notification
242 header HIITS subject =~ /\bHi\! It\'s\b/i
243 describe HIITS hi its
# Subject that ends with the words "got one".
247 header GOTONE subject =~ /\bgot one$/i
248 describe GOTONE got this spam already
# Case-sensitive, anchored at the start of the tested text.
252 body IMMEDIATEREV /^ATTENTION- For your immediate review:/
253 describe IMMEDIATEREV immediate discard
257 body CLIENTALERT /^(?:CLIENT ALERT|ATTENTION CLIENT)/i
258 describe CLIENTALERT client alert
# NOTE(review): none of the rules in this run has a visible `score` line; unless
# set elsewhere, SpamAssassin's default score applies to each.
261 # cjwatson 2005-10-20
# Case-insensitive substring match on the From header for two sender names.
262 header DEBIANTUX23 From =~ /DebianTux23|wieseltux23/i
263 describe DEBIANTUX23 Linux spammer, sigh
# Anchored at the start of the tested text; accepts i/1 substitution.
267 body SHITBRO /^\s*sh[i1]+t\s+bro/i
268 describe SHITBRO shitty spam
272 header POPPROG subject =~ /popular programs for everyday use/i
273 describe POPPROG unpopular spam
# Text starting with the literal token %GREET or %EXIT (case-sensitive).
# NOTE(review): looks like an unexpanded template variable -- confirm.
277 body GREET /^\%(?:GREET|EXIT)/
278 describe GREET broken spamware
# Subject that ends with "wrote:" and nothing after it.
282 header WROTE subject =~ /\bwrote\:\s*$/i
283 describe WROTE stock scam
# "earn", "degree" and "transcripts" in that order, with any amount of text
# between them (`.+` is unbounded). Score 2.5.
286 body DEGREE_SPAM /earn.+degree.+transcripts/i
287 describe DEGREE_SPAM earn a degree with transcripts spam
288 score DEGREE_SPAM 2.5
291 body BLUEPILL /blue pill/i
292 describe BLUEPILL Blue pill spam
296 header PHOTOQUEST subject =~ /question about your photo/i
297 describe PHOTOQUEST questioning photo
301 body KBDP /Knowledge Based Degree Program/i
302 describe KBDP degree spam
# Keyed on the grammatical slip "criteria has".
306 body CRITERIAHAS /\bOur criteria has changed\b/i
307 describe CRITERIAHAS Diploma salesman with bad english
# Six space-separated digit groups of length 6, 7, 6, 1, 7 and 7.
311 body TORA08 /\b\d{6} \d{7} \d{6} \d \d{7} \d{7}/
312 describe TORA08 TORA.08 spam
316 body SERIOUSBRO /^Seriously bro\b/i
317 describe SERIOUSBRO Seriously bro
# Matches one specific e-mail address in the body (case-sensitive).
321 body INSETET /\bwilson\@insitetcnologia\.com\.br\b/
322 describe INSETET please send spammer
# Per the describe text this targets a "no such user" notice that looped.
326 body USUARIO /\bEl usuario destinatario no es un usuario valido/
327 describe USUARIO No such user -- sent in infinite loop
331 body NOMAILRECBI /no recibi tu mail/i
332 describe NOMAILRECBI No recbi of mail -- was closing way to many bugs
# Case-sensitive: lowercase spelling only.
336 header URHELP subject =~ /\bi need ur help\b/
337 describe URHELP blank spam
# "Acrobat"/"Acr0bat", optional space, 7 or 8, whitespace, then either
# "PRO"/"PR0" or a number with an optional "$" before or after it.
341 header ACRO8PR0 subject =~ /\bAcr[0o]bat\s*[78]\s+(?:PR[0O]\b|\$?\d+\$?)/i
342 describe ACRO8PR0 sales spam
# Case-sensitive, word-bounded list of ticker-style tokens, some with
# separator characters between the letters (\W, \s).
# NOTE(review): the list includes HSBC, which also appears in ordinary banking
# correspondence -- confirm the false-positive rate for that entry.
346 body WBRS /\b(WBRS|FPMC|ADYN|AFML|MISJ|HXPN|WHKA|CBFE|HSBC|PCAI|MPRG|HPRS|AUNI|TGVI|MHII|TAMG|GDKI|ACEN|CDYV|G7Q\.F|mbwc|CHFR|CDPN|DSDI|UTEV|P-S-U-D|GPSI|SGXI|CAON|SREA|ERMX|VPSN|SZSN|PAYI\.OB|LTDI|C\W\W?Y\W\W?T\W\W?V|E\WX\WM\WT|CYTV|VGPM|V\s?G\s?P\s?M(\.PK)?|wwng|WWNG)\b/
347 describe WBRS stock spam
# NOTE(review): apart from DEGREE_SPAM, no rule in this run has a visible
# `score` line; unless set elsewhere, SpamAssassin's default score applies.
351 header ACROBAT8 subject =~ /\badobe acr[o0]bat 8\b/i
352 describe ACROBAT8 more sales spam
# Look-alike spellings: letter "l" in place of "I", digit "0" in place of "O",
# digit "8" in place of "A". With /i the letter case of the rest is ignored.
356 header VLSTA subject =~ /VlSTA|0FFlCE|ACR0B8T/i
357 describe VLSTA misspelled microshit software
# Case-sensitive phrase.
361 header ANGEKUEN subject =~ /\bTrauer angekuendigt\b/
362 describe ANGEKUEN german spam
# "internet cafe" or "internet caffe".
366 body INTCAFE /\binternet caff?e\b/i
367 describe INTCAFE internet cafe spam
# Case-sensitive, unanchored.
371 header VERIFIC subject =~ /Your email requires verification/
372 describe VERIFIC some people prefer you get their spam
# `.*` allows any text between "added to" and "whitelist".
376 header WHITELIST subject =~ /You have been added to .* whitelist/
377 describe WHITELIST whitelist spam
# Keyed on the misspelling "casnio"; anchored and case-sensitive.
381 body CASNIO /^Please be advised that your casnio account is still inactive/
382 describe CASNIO casnio account
# "auto", "automated" or "automatic", then whitespace or hyphens, then
# "response", "responce" or "reply".
# NOTE(review): this also matches genuine out-of-office replies -- confirm intent.
386 header AUTOREPLY subject =~ /\bauto(?:mated|matic|)[\s-]+re(?:spon[cs]e|ply)\b/i
387 describe AUTOREPLY Automatic reply
391 body CONFSERV /^Thanks for using our confidential service/
392 describe CONFSERV confidential service
396 body CONTENC /^Confirmation has been enclosed/
397 describe CONTENC more pdf spam
# Matches any subject that contains the word "phone" or "telephone".
# NOTE(review): very broad; confirm the score assigned to it elsewhere is small.
401 header PHONE subject =~ /\b(tele)?phone\b/i
402 describe PHONE phone spam
406 body ASPDF /^We send our messages as Portable Document Format/
407 describe ASPDF more pdf spam
# Unanchored, case-sensitive.
411 body DELAFT /Please delete your private message after reading/
412 describe DELAFT more pdf spam
# NOTE(review): no rule in this run has a visible `score` line; unless set
# elsewhere, SpamAssassin's default score applies to each.