add blars patches
[spamassassin_config.git] / common / sare / 70_sare_spoof.cf
1 # SARE Spoof Ruleset for SpamAssassin
2 # Version: 1.09.21
3 # Created: 2004-03-01
4 # Modified: 2007-01-15
5 # Changes:  Various Updates
6 # License:  Artistic - see http://www.rulesemporium.com/license.txt
7 # Current Maintainer: Fred Tarasevicius - tech2@i-is.com
8 # Current Home: http://www.rulesemporium.com/rules/70_sare_spoof.cf
9 # Comments: To counter whitelists, some rules have extra meta rules to score 100 to override whitelist_from's.
10
11 # META RULES USED BY MULTIPLE RULES:
12 uri      __URI_IS_IP            /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\//
13
14
15 # The following NICE rules can be enabled if you choose, it works for me, adjust scores as needed.
16 meta     SARE_LEGIT_PAYPAL      (__FROM_PAYPAL && __URI_PAYPAL && __RCVD_PAYPAL)
17 describe SARE_LEGIT_PAYPAL      Has signs it's from paypal, from, headers, uri
18 score    SARE_LEGIT_PAYPAL      -0.01
19
20
21 #meta     SARE_LEGIT_EBAY       (__FROM_EBAY && __URI_EBAY && __RCVD_EBAY)
22 #describe SARE_LEGIT_EBAY       Has signs it's from ebay, from, headers, uri
23 #score    SARE_LEGIT_EBAY       -0.01
24
25
26 # Simple test recommended by jdow from SA-users list.
27 header __EBAY_FRM_NAME    From:name =~ /\bebay\b/i
28 header __EBAY_ADDRESS     From:addr =~ /[\@\.]ebay\.(?:com(?:\.au|\.cn|\.hk|\.my|\.sg)?|co\.uk|at|be|ca|fr|de|in|ie|it|nl|ph|pl|es|se|ch)/i
29 meta   SARE_EBAY_SPOOF_NAME (__EBAY_FRM_NAME && !__EBAY_ADDRESS)
30 score  SARE_EBAY_SPOOF_NAME 0.94
31 # NEEDS MORE TESTING
32
33
34
35
36
37 header  __SARE_NAME_VISA        From:name =~ /visa/i
38 header  __SARE_ADDR_VISA        From:addr =~ /visa/i
39 meta   SARE_FORGE_NAME_VISA     (__SARE_NAME_VISA && !__SARE_ADDR_VISA)
40 score  SARE_FORGE_NAME_VISA     0.399
41 #counts   FM_NAME_VISA_FORGE       1s/0h of 12260 corpus (6588s/5672h CT) 03/17/06
42 #counts   FM_NAME_VISA_FORGE       18s/0h of 22976 corpus (17263s/5713h MY) 03/17/06
43 #counts   FM_NAME_VISA_FORGE       3s/0h of 103688 corpus (96287s/7401h FVGT) 03/17/06
44 #counts   FM_NAME_VISA_FORGE       43s/0h of 108996 corpus (71372s/37624h DOC) 03/17/06
45
46
47
48
49
50
51
52
53 uri     __SPOOF_FLAGS           /flagstar\.com/i
54 header  __FROM_FLAGSTAR         From =~ /\bflagstar\.com/i
55 header  __RCVD_FLAGSTAR         Received =~ /\bflagstar\.com/i
56 meta    SARE_SPOOF_FLAGSTAR     (__SPOOF_FLAGS && __FROM_FLAGSTAR && !__RCVD_FLAGSTAR)
57 score   SARE_SPOOF_FLAGSTAR     3.667
58 #counts   SARE_SPOOF_FLAGSTAR      1s/0h of 42564 corpus (34322s/8242h FVGT) 05/26/06
59
60
61
62
63
64 # Try to identify USBank.com e-mail
65 header   __RCVD_USBANK          Received =~ /usbank\.com/i
66 header   __FROM_USBANK          From =~ /usbank\.com/i
67 uri      __URI_USBANK           /usbank\.com/i
68 meta     SARE_FORGED_USBANK     (__FROM_USBANK && __URI_USBANK && !__RCVD_USBANK)
69 score    SARE_FORGED_USBANK     4.4
70
71 #--------------------------------------------------------------------------------------------------#
72 ## THESE RULES HAVE VERY LARGE SCORES, PLEASE ADJUST TO YOUR NEEDS, I NEED TO OVERRIDE WHITELIST. ##
73 #--------------------------------------------------------------------------------------------------#
74
75 # Try to identify PAYPAL spoofs by looking for elements which should always appear.
76 # If we have a From and an URL of one of these guys, we should also have a received line to match!
77 header   __RCVD_PAYPAL          Received =~ /\.(?:paypal|postdirect)\.com/i
78 header   __FROM_PAYPAL          From =~ /[\@\.]paypa[l1i]\.co[mn]/i
79 uri      __URI_PAYPAL           /[^\@]paypa[lI1]\.com/i
80
81 meta     SARE_FORGED_PAYPAL     (__FROM_PAYPAL && __URI_PAYPAL && !__RCVD_PAYPAL)
82 describe SARE_FORGED_PAYPAL     Message appears to be forged, (paypal.com)
83 score    SARE_FORGED_PAYPAL     4.0
84
85 # If the message is whitelisted, add 100 points to over-ride whitelist.
86 meta     SARE_FPP_BLOCKER       (SARE_FORGED_PAYPAL && USER_IN_WHITELIST)
87 score    SARE_FPP_BLOCKER       100
88
89
90
91 # Try to identify EBAY spoofs by looking for elements which should always appear.
92 # If we have a From and an URL of one of these guys, we should also have a received line to match!
93 header   __RCVD_EBAY1           Received =~ /(?:email)?[^\s@]ebay\.(?:com(?:\.au|\.cn|\.hk|\.my|\.sg)?|co\.uk|at|be|ca|fr|de|in|ie|it|nl|ph|pl|es|se|ch)/i
94 header   __RCVD_EBAY2           Received =~ /ebay\.(?:easynet\.de|emarsys\.net)/
95 header   __RCVD_EBAY3           Received =~ /sjc\.liveworld\.com/
96 meta     __RCVD_EBAY            (__RCVD_EBAY1 || __RCVD_EBAY2 || __RCVD_EBAY3)
97 header   __FROM_EBAY            From =~ /\@(?:e?mail.?)?ebay\.c/i
98 uri      __URI_EBAY             /\.ebay(?:static)?\.com/i
99
100 meta     SARE_FORGED_EBAY       (__FROM_EBAY && __URI_EBAY && !__RCVD_EBAY)
101 describe SARE_FORGED_EBAY       Message appears to be forged, (ebay.com)
102 score    SARE_FORGED_EBAY       4.0
103
104 meta     SARE_FEB_BLOCKER       (SARE_FORGED_EBAY && USER_IN_WHITELIST)
105 score    SARE_FEB_BLOCKER       100
106
107
108
109 # Try to identify SUNTRUST spoofs by looking for elements which should always appear.
110 # If we have a From and an URL of one of these guys, we should also have a received line to match!
111 header   __RCVD_SUNTRUST        Received =~ /\.suntrust\.com/i
112 header   __FROM_SUNTRUST        From =~ /[\@\.]suntrust\.com/i
113 uri      __URI_SUNTRUST         /suntrust[a-z0-9-]{0,25}\.com/i
114 meta     SARE_FORGED_SUNTRUST   (__FROM_SUNTRUST && __URI_SUNTRUST && !__RCVD_SUNTRUST)
115 describe SARE_FORGED_SUNTRUST   Message appears to be forged, (suntrust.com)
116 score    SARE_FORGED_SUNTRUST   4.0
117
118 meta     SARE_SUN_BLOCKER       (SARE_FORGED_SUNTRUST && USER_IN_WHITELIST)
119 score    SARE_SUN_BLOCKER       100
120
121
122
123
124 header   __RCVD_WACHOVIA        Received =~ /wachovia\.com[^\)]/i
125 header   __FROM_WACHOVIA        From =~ /\@wachovia\.com/i
126 uri      __URI_WACHOVIA         /\bwachovia\.com/i
127 meta     SARE_FORGED_WACHOVIA   (__FROM_WACHOVIA && __URI_WACHOVIA && !__RCVD_WACHOVIA)
128 score    SARE_FORGED_WACHOVIA   3.0
129 #counts   SARE_FORGED_WACHOVIA     0s/0h of 82118 corpus (57948s/24170h ML) 04/03/06
130 #counts   SARE_FORGED_WACHOVIA     0s/0h of 12246 corpus (6574s/5672h CT) 04/03/06
131 #counts   SARE_FORGED_WACHOVIA     0s/0h of 10377 corpus (7302s/3075h ) 04/03/06
132 #counts   SARE_FORGED_WACHOVIA     0s/0h of 22951 corpus (17237s/5714h MY) 04/03/06
133 #counts   SARE_FORGED_WACHOVIA     2s/0h of 41810 corpus (34135s/7675h FVGT) 04/03/06
134
135
136
137
138
139 # Try to identify CHASEBANK spoofs by looking for elements which should always appear.
140 # If we have a From and an URL of one of these guys, we should also have a received line to match!
141 header   __RCVD_CHASE_A         Received =~ /[^@]\bchase\.com/i
142 header   __RCVD_CHASE_B         Received =~ /\bbigfootinteractive\.com/i
143 meta     __RCVD_CHASE           (__RCVD_CHASE_A || __RCVD_CHASE_B)
144 header   __FROM_CHASE           From =~ /\bchase\.com/i
145 uri      __URI_CHASE            m'(?:\.chase\.com|http://chase)'i
146 meta     SARE_FORGED_CHASE      (__FROM_CHASE && __URI_CHASE && (!__RCVD_CHASE && !__RCVD_BANKONE))
147 describe SARE_FORGED_CHASE      Message appears to be forged, (chase.com)
148 score    SARE_FORGED_CHASE      3.4
149
150 header   __RCVD_BANKONE         Received =~ /\bbankone\.com/i
151 header   __FROM_BANKONE         From =~ /\bbankone\.com/i
152 uri      __URI_BANKONE          /\.bankone\.com/i
153 meta     SARE_FORGED_BANK1      (__FROM_BANKONE && __URI_BANKONE && (!__RCVD_CHASE && !__RCVD_BANKONE))
154 score    SARE_FORGED_BANK1      3.0
155
156
157
158
159 # Try to identify CITIBANK spoofs by looking for elements which should always appear.
160 # If we have a From and an URL of one of these guys, we should also have a received line to match!
161 header   __RCVD_CITIBNK_A       Received =~ /(?:citi(?:bank(?:cards)?|cards|corp|bankcards)|acxiom|c2it)\.com/i
162 header   __RCVD_CITIBNK_B       Received =~ /bridgetrack\.com/i
163 meta     __RCVD_CITIBNK         (__RCVD_CITIBNK_A || __RCVD_CITIBNK_B || __RCVD_CHASE_B)
164 header   __FROM_CITIBNK         From =~ /\bciti(?:bank)?(?:cards)?\.com/i
165 uri      __URI_CITIBNK          /\bciti(?:bank)?\.com/i
166 meta     SARE_FORGED_CITI       (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)
167 describe SARE_FORGED_CITI       Message appears to be forged, (citibank.com)
168 score    SARE_FORGED_CITI       4.0
169
170 meta     SARE_CIT_BLOCKER       (SARE_FORGED_CITI && USER_IN_WHITELIST)
171 score    SARE_CIT_BLOCKER       100
172
173
174
175
176
177
178
179
180 # I'm testing a few new variations of these rules, trying to find people just spoofing the from headers.
181 meta     SARE_FORGED_PAYPAL_C   (__FROM_PAYPAL && !__RCVD_PAYPAL)
182 describe SARE_FORGED_PAYPAL_C   Has Paypal from, no Paypal received header.
183 score    SARE_FORGED_PAYPAL_C   1.3
184
185 # About.com has plenty of spams which spoof their address.  Here's a set of rules just for them ;)
186 header   __RCVD_ABOUT_COM       Received =~ /\.about\.com/i
187 header   __FROM_ABOUT_COM       From =~ /\babout\.com/i
188 uri      __URI_ABOUT_COM        /\.about\.com/i
189 meta     SARE_FORGED_ABOUT      (!__RCVD_ABOUT_COM && __FROM_ABOUT_COM && !__URI_ABOUT_COM)
190 describe SARE_FORGED_ABOUT      Message appears to be forged, (about.com)
191 score    SARE_FORGED_ABOUT      2.879
192
193
194 # another spoof using forms
195 rawbody  __FHAS_HTML_FORM     /<form/i
196 rawbody  __FHAS_EBAY_FORM     /<form (?:name="\w{4,20}"\s)?(?:method="?post"?\s)?action="?http:\/\/[^.]{3,7}\.ebay\.com[^>]{4,125}>/i
197 meta     __HASFORM_NOT_EBAY   (__FHAS_HTML_FORM && !__FHAS_EBAY_FORM)
198 meta     SARE_SPOOF_EBAYFORM  (__FROM_EBAY && __HASFORM_NOT_EBAY)
199 score    SARE_SPOOF_EBAYFORM  1.495
200
201
202 # New set for spoofs
203
204 header   __RCVD_2CHECKOUT       Received =~ /\.2checkout\.com/i
205 header   __FROM_2CHECKOUT       From =~ /\@2checkout\.com/i
206 uri      __URI_2CHECKOUT        /\b2checkout\.com/i
207 meta     SARE_FORGED_2CHK       (__FROM_2CHECKOUT && __URI_2CHECKOUT && !__RCVD_2CHECKOUT)
208 score    SARE_FORGED_2CHK       3.0
209
210 header   __RCVD_2CO             Received =~ /\.2co\.com/i
211 header   __FROM_2CO             From =~ /\@2co\.com/i
212 uri      __URI_2CO              /\b2co\.com/i
213 meta     SARE_FORGED_2CO        (__FROM_2CO && __URI_2CO && !__RCVD_2CO)
214 score    SARE_FORGED_2CO        3.0
215
216 header   __RCVD_53              Received =~ /\.53\.com/i
217 header   __FROM_53              From =~ /\@53\.com/i
218 uri      __URI_53               /\b53\.com/i
219 meta     SARE_FORGED_53         (__FROM_53 && __URI_53 && !__RCVD_53)
220 score    SARE_FORGED_53         3.0
221
222 header   __RCVD_AMAZON          Received =~ /\.amazon\.com/i
223 header   __FROM_AMAZON          From =~ /\@amazon\.com/i
224 uri      __URI_AMAZON           /\bamazon\.com/i
225 meta     SARE_FORGED_AMAZON     (__FROM_AMAZON && __URI_AMAZON && !__RCVD_AMAZON)
226 score    SARE_FORGED_AMAZON     3.0
227
228 header   __RCVD_AMERITR         Received =~ /\.ameritrade\.com/i
229 header   __FROM_AMERITR         From =~ /\@ameritrade\.com/i
230 uri      __URI_AMERITR          /\bameritrade\.com/i
231 meta     SARE_FORGED_AMERIT     (__FROM_AMERITR && __URI_AMERITR && !__RCVD_AMERITR)
232 score    SARE_FORGED_AMERIT     3.0
233
234 header   __RCVD_AMEX            Received =~ /\.americanexpress\.com/i
235 header   __FROM_AMEX            From =~ /\@americanexpress\.com/i
236 uri      __URI_AMEX             /\bamericanexpress\.com/i
237 meta     SARE_FORGED_AMEX       (__FROM_AMEX && __URI_AMEX && !__RCVD_AMEX)
238 score    SARE_FORGED_AMEX       3.0
239
240 header   __RCVD_BANKNORTH       Received =~ /\.banknorth\.com/i
241 header   __FROM_BANKNORTH       From =~ /\@banknorth\.com/i
242 uri      __URI_BANKNORTH        /\bbanknorth\.com/i
243 meta     SARE_FORGED_BANK_N     (__FROM_BANKNORTH && __URI_BANKNORTH && !__RCVD_BANKNORTH)
244 score    SARE_FORGED_BANK_N     3.0
245
246 header   __RCVD_BANKOFA1        Received =~ /\.bankofamerica\.com/i
247 header   __RCVD_BANKOFA2        Received =~ /\.customercenter\.net/i
248 meta     __RCVD_BANKOFA         (__RCVD_BANKOFA1 || __RCVD_BANKOFA2)
249 header   __FROM_BANKOFA         From =~ /[\@\.]bankofamerica\.com/i
250 uri      __URI_BANKOFA          /\bbankofamerica\.com/i
251 meta     SARE_FORGED_BANKOFA    (__FROM_BANKOFA && __URI_BANKOFA && !__RCVD_BANKOFA)
252 score    SARE_FORGED_BANKOFA    3.0
253
254
255 header   __RCVD_BANKOFO         Received =~ /\.bankofoklahoma\.com/i
256 header   __FROM_BANKOFO         From =~ /\@bankofoklahoma\.com/i
257 uri      __URI_BANKOFO          /\bbankofoklahoma\.com/i
258 meta     SARE_FORGED_BANKOFO    (__FROM_BANKOFO && __URI_BANKOFO && !__RCVD_BANKOFO)
259 score    SARE_FORGED_BANKOFO    3.0
260
261 header   __RCVD_BANKOFW         Received =~ /\.bankofthewest\.com/i
262 header   __FROM_BANKOFW         From =~ /\@bankofthewest\.com/i
263 uri      __URI_BANKOFW          /\bbankofthewest\.com/i
264 meta     SARE_FORGED_BANKOFW    (__FROM_BANKOFW && __URI_BANKOFW && !__RCVD_BANKOFW)
265 score    SARE_FORGED_BANKOFW    3.0
266
267 header   __RCVD_CAPITAL1        Received =~ /\.capitalone\.com/i
268 header   __FROM_CAPITAL1        From =~ /\@capitalone\.com/i
269 uri      __URI_CAPITAL1         /\bcapitalone\.com/i
270 meta     SARE_FORGED_CAPITAL    (__FROM_CAPITAL1 && __URI_CAPITAL1 && !__RCVD_CAPITAL1)
271 score    SARE_FORGED_CAPITAL    3.0
272
273 header   __RCVD_CFSBANK         Received =~ /\.citizensfirstbank\.com/i
274 header   __FROM_CFSBANK         From =~ /\@citizensfirstbank\.com/i
275 uri      __URI_CFSBANK          /\bcitizensfirstbank\.com/i
276 meta     SARE_FORGED_CFSBANK    (__FROM_CFSBANK && __URI_CFSBANK && !__RCVD_CFSBANK)
277 score    SARE_FORGED_CFSBANK    3.0
278
279 header   __RCVD_CHARTER1        Received =~ /\.charterone(?:bank)?\.com/i
280 header   __FROM_CHARTER1        From =~ /\@charterone(?:bank)?\.com/i
281 uri      __URI_CHARTER1         /\bcharterone(?:bank)?\.com/i
282 meta     SARE_FORGED_CHARTER    (__FROM_CHARTER1 && __URI_CHARTER1 && !__RCVD_CHARTER1)
283 score    SARE_FORGED_CHARTER    3.0
284
285 header   __RCVD_CITIZENS        Received =~ /\.citizensbank\.com/i
286 header   __FROM_CITIZENS        From =~ /\@citizensbank\.com/i
287 uri      __URI_CITIZENS         /\bcitizensbank\.com/i
288 meta     SARE_FORGED_CITIZEN    (__FROM_CITIZENS && __URI_CITIZENS && !__RCVD_CITIZENS)
289 score    SARE_FORGED_CITIZEN    3.0
290
291 header   __RCVD_COMFED          Received =~ /\.comfedbank\.com/i
292 header   __FROM_COMFED          From =~ /\@comfedbank\.com/i
293 uri      __URI_COMFED           /\bcomfedbank\.com/i
294 meta     SARE_FORGED_COMFED     (__FROM_COMFED && __URI_COMFED && !__RCVD_COMFED)
295 score    SARE_FORGED_COMFED     3.0
296
297 header   __RCVD_COMMERCE        Received =~ /\.commercebank\.com/i
298 header   __FROM_COMMERCE        From =~ /\@commercebank\.com/i
299 uri      __URI_COMMERCE         /\bcommercebank\.com/i
300 meta     SARE_FORGED_COMMERCE   (__FROM_COMMERCE && __URI_COMMERCE && !__RCVD_COMMERCE)
301 score    SARE_FORGED_COMMERCE   3.0
302
303 header   __RCVD_DISCOVER        Received =~ /\.discovercard\.com/i
304 header   __FROM_DISCOVER        From =~ /\@discovercard\.com/i
305 uri      __URI_DISCOVER         /\bdiscovercard\.com/i
306 meta     SARE_FORGED_DISCOVER   (__FROM_DISCOVER && __URI_DISCOVER && !__RCVD_DISCOVER)
307 score    SARE_FORGED_DISCOVER   3.0
308
309 header   __RCVD_EGOLD           Received =~ /\.e-goldk\.com/i
310 header   __FROM_EGOLD           From =~ /\@e-gold\.com/i
311 uri      __URI_EGOLD            /\be-gold\.com/i
312 meta     SARE_FORGED_EGOLD      (__FROM_EGOLD && __URI_EGOLD && !__RCVD_EGOLD)
313 score    SARE_FORGED_EGOLD      3.0
314
315 header   __RCVD_FDIC            Received =~ /\.fdic\.gov/i
316 header   __FROM_FDIC            From =~ /\@fdic\.gov/i
317 uri      __URI_FDIC             /\bfdic\.gov/i
318 meta     SARE_FORGED_FDIC       (__FROM_FDIC && __URI_FDIC && !__RCVD_FDIC)
319 score    SARE_FORGED_FDIC       3.0
320
321 header   __RCVD_FLEET           Received =~ /\.fleet(?:bank)?\.com/i
322 header   __FROM_FLEET           From =~ /\@fleet(?:bank)?\.com/i
323 uri      __URI_FLEET            /\bfleet(?:bank)?\.com/i
324 meta     SARE_FORGED_FLEET      (__FROM_FLEET && __URI_FLEET && !__RCVD_FLEET)
325 score    SARE_FORGED_FLEET      3.0
326
327 header   __RCVD_HUNTINGTON      Received =~ /\.(?:exacttarget|huntington)\.com/i
328 header   __FROM_HUNTINGTON      From =~ /\@huntington\.com/i
329 uri      __URI_HUNTINGTON       /\bhuntington\.com/i
330 meta     SARE_FORGED_HUNTIN     (__FROM_HUNTINGTON && __URI_HUNTINGTON && !__RCVD_HUNTINGTON)
331 score    SARE_FORGED_HUNTIN     3.0
332
333 header   __RCVD_KEYBANK         Received =~ /\.keybank\.com/i
334 header   __FROM_KEYBANK         From =~ /\@keybank\.com/i
335 uri      __URI_KEYBANK          /\bkeybank\.com/i
336 meta     SARE_FORGED_KEY        (__FROM_KEYBANK && __URI_KEYBANK && !__RCVD_KEYBANK)
337 score    SARE_FORGED_KEY        3.0
338
339 header   __RCVD_LASALLE         Received =~ /\.lasallebank\.com/i
340 header   __FROM_LASALLE         From =~ /\@lasallebank\.com/i
341 uri      __URI_LASALLE          /\blasallebank\.com/i
342 meta     SARE_FORGED_LASAL      (__FROM_LASALLE && __URI_LASALLE && !__RCVD_LASALLE)
343 score    SARE_FORGED_LASAL      3.0
344
345 header   __RCVD_MIBANK          Received =~ /\.mibank\.com/i
346 header   __FROM_MIBANK          From =~ /\@mibank\.com/i
347 uri      __URI_MIBANK           /\bmibank\.com/i
348 meta     SARE_FORGED_MIBANK     (__FROM_MIBANK && __URI_MIBANK && !__RCVD_MIBANK)
349 score    SARE_FORGED_MIBANK     3.0
350
351 header   __RCVD_MBNA            Received =~ /\.mbna\.com/i
352 header   __FROM_MBNA            From =~ /\@mbna\.com/i
353 uri      __URI_MBNA             /\bmbna\.com/i
354 meta     SARE_FORGED_MBNA       (__FROM_MBNA && __URI_MBNA && !__RCVD_MBNA)
355 score    SARE_FORGED_MBNA       3.0
356
357 header   __RCVD_NCUA            Received =~ /\.ncua\.gov/i
358 header   __FROM_NCUA            From =~ /\@ncua\.gov/i
359 uri      __URI_NCUA             /\bncua\.gov/i
360 meta     SARE_FORGED_NCUA       (__FROM_NCUA && __URI_NCUA && !__RCVD_NCUA)
361 score    SARE_FORGED_NCUA       3.0
362
363 header   __RCVD_REGIONS         Received =~ /\.regionsbank\.com/i
364 header   __FROM_REGIONS         From =~ /\@regionsbank\.com/i
365 uri      __URI_REGIONS          /\bregionsbank\.com/i
366 meta     SARE_FORGED_REGION     (__FROM_REGIONS && __URI_REGIONS && !__RCVD_REGIONS)
367 score    SARE_FORGED_REGION     3.0
368
369 header   __RCVD_SKYBANK         Received =~ /\.sky(?:-bank|fi)\.com/i
370 header   __FROM_SKYBANK         From =~ /\@sky(?:-bank|fi)\.com/i
371 uri      __URI_SKYBANK          /\bsky(?:-bank|fi)\.com/i
372 meta     SARE_FORGED_SKY        (__FROM_SKYBANK && __URI_SKYBANK && !__RCVD_SKYBANK)
373 score    SARE_FORGED_SKY        3.0
374
375 header   __RCVD_STRUST          Received =~ /\.southtrust\.com/i
376 header   __FROM_STRUST          From =~ /\@southtrust\.com/i
377 uri      __URI_STRUST           /\bsouthtrust\.com/i
378 meta     SARE_FORGED_STRUST     (__FROM_STRUST && __URI_STRUST && !__RCVD_STRUST)
379 score    SARE_FORGED_STRUST     3.0
380
381 header   __RCVD_TCFBANK         Received =~ /\.tcfbank\.com/i
382 header   __FROM_TCFBANK         From =~ /\@tcfbank\.com/i
383 uri      __URI_TCFBANK          /\btcfbank\.com/i
384 meta     SARE_FORGED_TCF        (__FROM_TCFBANK && __URI_TCFBANK && !__RCVD_TCFBANK)
385 score    SARE_FORGED_TCF        3.0
386
387 header   __RCVD_VISA            Received =~ /\.visa\.com/i
388 header   __FROM_VISA            From =~ /\@visa\.com/i
389 uri      __URI_VISA             /visa/i
390 meta     SARE_FORGED_VISA       (__FROM_VISA && __URI_VISA && !__RCVD_VISA)
391 score    SARE_FORGED_VISA       3.0
392
393 header   __RCVD_WELLS           Received =~ /\.wellsfargo\.com/i
394 header   __FROM_WELLS           From =~ /\@wellsfargo\.com/i
395 uri      __URI_WELLS            /\bwellsfargo\.com/i
396 meta     SARE_FORGED_WELLS      (__FROM_WELLS && __URI_WELLS && !__RCVD_WELLS)
397 score    SARE_FORGED_WELLS      4.209
398
399 header   __RCVD_WESTERN         Received =~ /\.westernunion\.com/i
400 header   __FROM_WESTERN         From =~ /\@westernunion\.com/i
401 uri      __URI_WESTERN          /\bwesternunion\.com/i
402 meta     SARE_FORGED_WESTERN    (__FROM_WESTERN && __URI_WESTERN && !__RCVD_WESTERN)
403 score    SARE_FORGED_WESTERN    3.0
404
405
406
407
408
409
410
411
412 # Catch Common banks with IP address for URL.
413 meta     __POPULAR_BANKS        (__URI_PAYPAL || __URI_EBAY || __URI_CITIBNK || __URI_SUNTRUST || __URI_CHASE || __URI_BANKONE || __URI_ABOUT_COM || __URI_2CHECKOUT || __URI_2CO || __URI_53 || __URI_AMAZON || __URI_AMERITR || __URI_AMEX || __URI_BANKNORTH || __URI_BANKOFA || __URI_BANKOFO || __URI_BANKOFW || __URI_CAPITAL1 || __URI_CFSBANK || __URI_CHARTER1 || __URI_CITIZENS || __URI_COMFED || __URI_COMMERCE || __URI_DISCOVER || __URI_EGOLD || __URI_FDIC || __URI_FLEET || __URI_HUNTINGTON || __URI_KEYBANK || __URI_LASALLE || __URI_MIBANK || __URI_MBNA || __URI_NCUA || __URI_REGIONS || __URI_SKYBANK || __URI_STRUST || __URI_TCFBANK || __URI_VISA || __URI_WELLS || __URI_WESTERN)
414 meta     SARE_BANK_URI_IP       (__POPULAR_BANKS && __URI_IS_IP)
415 score    SARE_BANK_URI_IP       0.653
416
417
418
419
420
421
422
423
424 # Added 22-4-2004 by Jesse Houwing
425 uri      SARE_SPOOF_COM2COM     m{^https?://(?:\w+\.)+?com\.(?:\w+\.){2,}}i
426 describe SARE_SPOOF_COM2COM     a.com.b.com
427 score    SARE_SPOOF_COM2COM     2.536
428
429 uri      SARE_SPOOF_COM2OTH      m{^https?://(?:\w+\.)+?com\.(?:\w+\.)+?com}i
430 describe SARE_SPOOF_COM2OTH      a.com.b.c
431 score    SARE_SPOOF_COM2OTH      2.536
432
433 uri      SARE_SPOOF_OURI         m{^(?:h|%68|%48)(?:t|%74|%54)(?:t|%74|%54)(?:p|%70|%50)(?:s|%73|%53)?(?::|%3a)(?:/|%2f){0,2}(?:[^@]+@)*?(?:a-z0-9_%-]+?(?:\.|%2e)){2,}(?:org|com|www)(?!\.edgesuite\.net)(?:(?:\.|%2e)[a-z0-9_%-]+?){2,}(?:(?::|%3a)\d+)?}i
434 describe SARE_SPOOF_OURI         URL has items in odd places
435 score    SARE_SPOOF_OURI         2.536
436
437
438 # Added 07/28/2005 submitted by e-mail
439 header __LOCAL_PP_ISFROMPP      From:addr =~ /\@(?:paypal|ebay)\.com$/i
440 header __LOCAL_PP_S_UPD Subject: =~ m'(?:confirm|update) (?:your|the) (?:billing)?(?:records?|information|account)'i
441 header __LOCAL_PP_S_AUT Subject: =~ m'unauthori[sz]ed access'i
442 body __LOCAL_PP_B_UPD  m'(?:confirm|updated?|verify|restore) (?:your|the) (?:account|current|billing|personal)? ?(?:records?|information|account|identity|access|data)'i
443 body __LOCAL_PP_B_ATT  m'one or more attempts'i
444 body __LOCAL_PP_B_ACT  m'unusual activity'i
445 uri __LOCAL_PP_PPCGIURL m'https?://www\.paypal\.com/([A-Za-z0-9-_]+/)?cgi-bin/webscr\?'i
446 uri __LOCAL_PP_NONPPURL m'https?://(?:[A-Za-z0-9-_]+)\.(?!(paypal|ebay)\.com)(?:[A-Za-z0-9-_\.]+)'i
447
448 meta SARE_SPOOF_BADURL (__LOCAL_PP_ISFROMPP && ((__LOCAL_PP_S_AUT || __LOCAL_PP_B_ATT || __LOCAL_PP_B_ACT || __LOCAL_PP_B_UPD || __LOCAL_PP_S_UPD) || __LOCAL_PP_PPCGIURL) && __LOCAL_PP_NONPPURL)
449 meta SARE_SPOOF_BADADDR (!__LOCAL_PP_ISFROMPP && ((__LOCAL_PP_S_AUT || __LOCAL_PP_B_ATT || __LOCAL_PP_B_ACT || __LOCAL_PP_B_UPD || __LOCAL_PP_S_UPD) && __LOCAL_PP_PPCGIURL))
450
451 score SARE_SPOOF_BADURL  1.059
452 score SARE_SPOOF_BADADDR 1.059
453
454
455 # Describe length test for 3.0 requirements:
456 # 12345678901234567890123456789012345678901234567890
457 #          1         2         3         4         5
458
459
460 # EOF