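# -*- mode: spamassassin -*-
#
# Site-local SpamAssassin rules. Each rule is a test line (header / body /
# rawbody / full / meta), usually followed by a `describe` and a `score`.
# Positive scores push a message towards spam, negative scores away from it.
#
# Review notes that apply to the whole file:
#  - Header, body and Received content is supplied by the sender unless a
#    trusted relay added it. Rules with a negative score that key on such
#    content (PGPSIGNATURE, ROBERTOJIMENOCA, STATIC_RIMA_TDE) act as an
#    allow-list anyone can satisfy; see the notes on those rules.
#  - Several rules carry a score at or above SpamAssassin's default threshold
#    (5.0 unless required_score is changed), so a single hit decides the
#    verdict: GUEBDE, OUTOFOFFICE_SUB, COVADRT, BOXTRAPPER, KEYENCE, GBKXWFLXF,
#    NABBLE. Worth re-checking them against current legitimate traffic.

# This seems to catch a lot of spam, but not sure about false positive (from airmax.cf)
# pasc couldn't find any false positives on the lists he's on
header X_MESSAGE_INFO exists:X-Message-Info
score X_MESSAGE_INFO 4.0

# Added by pasc 2004/07/08 (sent by abuse@outblaze via karsten)
# host no longer exists according to administrator
header FAKE_OUTBLAZE_RCVD Received =~ /\.mr\.outblaze\.com/
describe FAKE_OUTBLAZE_RCVD Received header contains faked 'mr.outblaze.com'
score FAKE_OUTBLAZE_RCVD 3.0

# blarson 2005-01-19 (--pasc 2005-01-30)
header TRACKING subject =~ /\b(?:tracking|package|shipping|shipment|delivery) number :/i
describe TRACKING tracking number
score TRACKING 2

# Sent in by blars (20050220) -- applied by pasc
# The description used to read "www.geub.de"; it now names the domain the
# pattern actually matches.
body GUEBDE /http\:\/\/www\.gueb\.de\//
describe GUEBDE www.gueb.de
score GUEBDE 5

# Don 2008-06-27
# NOTE(review): this matches the ASCII-armor marker only; nothing here checks
# that a signature verifies. The marker is ordinary message content, so the -5
# is available to any sender and can cancel several positive rules in this
# file. Consider a much smaller magnitude, or granting the bonus only together
# with a condition the sender does not control.
rawbody PGPSIGNATURE /-----BEGIN PGP SIGNATURE-----/
describe PGPSIGNATURE Has a pgp signature (may not be valid, but who cares?)
score PGPSIGNATURE -5

# TODO: The rules below seem to be very similar; possibly fix them.

# These might trip up on non-english lists. We'll see.
# They're fucking up on GPG signatures
# NOTE(review): neither MURPHY rule has a `describe`, so reports show only the
# rule name. Any run of 7+ consonants also satisfies the 6+ rule, so such a
# message collects both scores.
body MURPHY_WRONG_WORD1 /[bcdfghjklmnpqrstvwxz]{7,}/i
score MURPHY_WRONG_WORD1 0.1
body MURPHY_WRONG_WORD2 /[bcdfghjklmnpqrstvwxz]{6,}/i
score MURPHY_WRONG_WORD2 0.2

#Impronounceable. Need to check this one for accuracy (from airmax.cf)
# NOTE(review): neither IMPRONONCABLE rule has a `score` line in this file, so
# SpamAssassin's default score applies (1.0 per the Conf documentation) unless
# another file sets one. That is far more weight than the similar MURPHY rules
# above; set the score deliberately.
# IMPRONONCABLE_1 matches a run of consonants; its description previously said
# "too much vowels".
body IMPRONONCABLE_1 /([bcdfghjklmnpqrstvwxz]){6,20}/
describe IMPRONONCABLE_1 Some words aren't easy to pronounce (too many consonants)
# NOTE(review): the letter class below omits "u"; confirm whether that is intended.
body IMPRONONCABLE_2 /(([abcdefghijklmnopqrstvwxyz]){1,9}\d{1,4}){2,9}/
describe IMPRONONCABLE_2 Some words aren't easy to pronounce (mixed numbers and lower-case letters)

# From http://www.exit0.us/index.php/FredsRules
# Added by pasc 2004/06/20
# The __-prefixed sub-rules carry no score of their own; the meta rule fires
# when more than one of them matches.
body __FVGT_b_OBFU_J /j(b|c|f|g|w)/i
body __FVGT_b_OBFU_OTHER /(vj|vk|xj|xk|yy|zf|zj)/i
body __FVGT_b_OBFU_Q0 /(j|k|p|q|t|v|w|z)q/i
body __FVGT_b_OBFU_Q1 /q(a|f|h|j|k|m|n|s|y)/i
body __FVGT_b_OBFU_V /(f|g|q|w)v/i
body __FVGT_b_OBFU_X /(c|g|j|k|q|s|v|z)x/i
body __FVGT_b_OBFU_Z /(f|j|k|p|q|x)z/i
meta FVGT_m_MULTI_ODD ((__FVGT_b_OBFU_J + __FVGT_b_OBFU_OTHER + __FVGT_b_OBFU_Q0 + __FVGT_b_OBFU_Q1 + __FVGT_b_OBFU_V + __FVGT_b_OBFU_X + __FVGT_b_OBFU_Z) > 1)
describe FVGT_m_MULTI_ODD FVGT - contains multiple odd letter combinations
score FVGT_m_MULTI_ODD 0.02

# joy, 2003-07-20
header NEPEYO From =~ /nepeyo\@catlover/
describe NEPEYO spamvertizers
score NEPEYO 4

# cjwatson, 2003/07/28
header MP3_PLAYERS Subject =~ /New mp3 player,usb flash drive/
describe MP3_PLAYERS Spam from "HY Tech"
score MP3_PLAYERS 4

# joy, 2003-08-15
header UOSJUNK Subject =~ /UOS online Degree Programme/i
describe UOSJUNK Spam from UOS
score UOSJUNK 4

# cjwatson, 2004-02-27
body GAS_MILEAGE /This amazing, revolutionary device|www\.mrev\.biz/
describe GAS_MILEAGE Fuel-saving snake oil
score GAS_MILEAGE 3

# blarson, 2004-03-31
body FUELSAVER /fuel.?saver/i
describe FUELSAVER Fuel Saver spam
score FUELSAVER 3

# blarson, 2004-04-03
body CABLEFILTERZ /cablefilterz/
describe CABLEFILTERZ cablefilterz spam
score CABLEFILTERZ 4

# blarson 2004-04-15
header PARENNUM subject =~ /^\(\s*([0-9\/]+\)|\%RND)/
describe PARENNUM paren number in subject
score PARENNUM 3

# blarson 2004-04-25
# bounces our bounces.... (had negative score)
header COVADRT X-RT-Loop-Prevention =~ /^Covad$/
describe COVADRT Covad request tracker bounces
score COVADRT 8

# blarson 2005-03-02
# NOTE(review): the From header is not authenticated by this rule, so the
# bonus goes to any message that carries this address in From.
header ROBERTOJIMENOCA from =~ /ROBERTOJIMENOCA\@terra\.es/
describe ROBERTOJIMENOCA ROBERTOJIMENOCA sends spammy looking messages
score ROBERTOJIMENOCA -2

# blarson 2005-07-10
header TURBOPRO subject =~ /\bturbonet pro\b/i
describe TURBOPRO dialup accelerator spam
score TURBOPRO 3

# blarson 2006-04-28
header RESUBJECT subject =~ /\sRe(?:\[\d+\])?:\s*$/i
describe RESUBJECT re nothing
score RESUBJECT 2

# blarson 2004-10-22 2007-07-18 up score
header NOSUBJECT subject =~ /^\s*$/
describe NOSUBJECT No subject
score NOSUBJECT 2.5

# blarson 2006-10-17
full NEXTPART /\-\=\_NextPart\_000\_/
describe NEXTPART spammer mime separator
score NEXTPART 2.5

# blarson 2006-10-17
full CT_IMAGE /Content\-Type\:\s*image/i
describe CT_IMAGE Picture attached
score CT_IMAGE 1

# blarson 2006-12-01 (score so low since it will also hit CT_IMAGE)
header CT_IMAGE_HEAD content-type =~ /image/
describe CT_IMAGE_HEAD entire message is image
score CT_IMAGE_HEAD 2.5

# don 2006-10-25
# NOTE(review): /A-Z/ matches the literal three characters "A-Z", not an
# upper-case letter. If a character class ([A-Z]) was intended the rule would
# behave very differently, so confirm the intent before changing it.
header THREADINDEX Thread-Index =~ /A-Z/
describe THREADINDEX thread-index header on spam
score THREADINDEX 1.5

# blarson 2006-10-30
header FORDASH subject =~ /\bFor \- \d+/
describe FORDASH for dash
score FORDASH 3

# blarson 2006-11-01
# The pattern matches a KOI8-R encoded-word in the subject. KOI8-R is a
# Cyrillic encoding, so the description now says so; the rule name is kept
# because scores and reports refer to it.
header KOREAN subject =~ /\=\?koi8\-r/
describe KOREAN KOI8-R (Cyrillic) character set spam
score KOREAN 2

# blarson 2006-12-04
header FWDNAME subject =~ /fwd\: \w+\s*$/
describe FWDNAME fwd: name spam
score FWDNAME 3

# blarson 2006-12-06
body NUMONLY /^\s*\d+\s*$/
describe NUMONLY number only body
score NUMONLY 1

# blarson 2007-04-24
header THUNDERB User-Agent =~ /^Thunderbird 1\.5\.0\.10/
describe THUNDERB spam missing content
score THUNDERB 2

# blarson 2007-06-15
header FAILNOTE subject =~ /Failure notice\:/
describe FAILNOTE bounced spam
score FAILNOTE 2

# blarson 2007-06-28
# NOTE(review): "\;\b" needs a word character directly after the semicolon,
# so "inline; filename=..." (space after the semicolon) does not match.
# Confirm that is the intended form.
rawbody CTINLINE /^Content\-Disposition\: inline\;\b/
describe CTINLINE Inline attachment
score CTINLINE 1

# blarson 2007-07-07
body BOXTRAPPER /^This message is a reply to a boxtrapper verifcation message\./
describe BOXTRAPPER boxtrapper spam
score BOXTRAPPER 9

# blarson 2007-07-09
body PROMOCODE /^promo code\:/i
describe PROMOCODE promo code
score PROMOCODE 3

# blarson 2007-07-11
body XLMAN /\bwww\.xl\-man\.net\b/
describe XLMAN xl-man spam
score XLMAN 3

# blarson 2007-07-12
body COSTUMER /^Dear costumer\b/
describe COSTUMER paypal scam
score COSTUMER 3

# blarson 2007-07-13
body PRIVATE /^Your private and confidential message is attached\./
describe PRIVATE private message
score PRIVATE 4

# don 2007-07-15
header AUTOGENERATE auto-submitted =~ /auto/i
describe AUTOGENERATE auto generated crap
score AUTOGENERATE 3

# blarson 2007-07-15
body PRIVPDF /^All our private messages are in pdf format/
describe PRIVPDF private pdf
score PRIVPDF 4

# don 2007-07-19
header AUTORESPOND X-Autorespond =~ /./
describe AUTORESPOND Automatic response
score AUTORESPOND 4
header AUTOMAILER X-Mailer =~ /autors/
describe AUTOMAILER Auto response mailer
score AUTOMAILER 3

# blarson 2007-07-22
header OUTOFOFFICE_SUB subject =~ /Out_of_Office/
describe OUTOFOFFICE_SUB broken autoresponder
score OUTOFOFFICE_SUB 6
body OUTOFOFFICE /out of the office/i
describe OUTOFOFFICE Out of the office
score OUTOFOFFICE 3

# blarson 2007-08-01 \w was too broad 2007-08-12 add dash, at least 3 digits
header SUBENDNUM subject =~ /[a-zA-Z!]-?\d{3,}$/
describe SUBENDNUM Subject ends in word989
score SUBENDNUM 2

# blarson 2007-07-27
body PRIVMES /^You have been sent a private message/
describe PRIVMES more pdf spam
score PRIVMES 3

# blarson 2007-07-27
header MIXEDBDN Content-Type =~ /multipart\/mixed\;.*boundary\=\"\-{4,}\d{4,}\"/
describe MIXEDBDN more pdf spam
score MIXEDBDN 1

# blarson 2007-07-28
header DOTZIP subject =~ /\d\.zip\b/
describe DOTZIP zip spam
score DOTZIP 3

# blarson 2007-07-30
header MIXED2 Content-Type =~ /multipart\/mixed\;charset\=iso\-8859\-1\;.*boundary\=\"\-\-\-\-\=\_\d{8,}\_\d{4,}\"/
describe MIXED2 more pdf spam
score MIXED2 2.5

# blarson 2007-07-31
header KEYENCE From =~ /KEYENCE CORPORATION/
describe KEYENCE opt out spam
score KEYENCE 10

# blarson 2007-08-02
header NOSUB subject =~ /\(No Subject\)$/i
describe NOSUB explicity no subject
score NOSUB 1

# blarson 2007-08-07
header CTPDF Content-Type =~ /\bapplication\/pdf\;/i
describe CTPDF more pdf spam
score CTPDF 4

# blarson 2007-06-12
header JAPSUB subject =~ /\=\?iso\-2022\-jp/i
describe JAPSUB subject in japanese
score JAPSUB 3

# blarson 2007-08-24
header XMSATT X-MS-Has-Attach =~ /yes/i
describe XMSATT more pdf spam
score XMSATT 2

# blarson 2007-10-27
body ICQ /^icq\:/i
describe ICQ icq:
score ICQ 2

# blarson 2007-11-02
header XJ2ID X-J2Id =~ /\d+/
describe XJ2ID fax bounce
score XJ2ID 4

# blarson 2007-11-15
header LONGWORD subject =~ /\b[\w\d]{30,}/i
describe LONGWORD long word in subject
score LONGWORD 2

# blarson 2007-11-23
header TESTIMONIAL subject =~ /\btestimonial/i
describe TESTIMONIAL testimonials
score TESTIMONIAL 2

# blarson 2007-12-13
header ITXS subject =~ /\bit\`s\b/i
describe ITXS it`s
score ITXS 4

# blarson 2007-12-18
rawbody TINYFONT /\bFONT-SIZE\:\s+[123]px\;/i
describe TINYFONT tiny font specified
score TINYFONT 3

# blarson 2008-04-03
rawbody ZIPFILE /\bfilename\=.*\.zip\b/i
describe ZIPFILE zipfile attachment
score ZIPFILE 0.5

# blarson 2008-04-19
header SPACESUB subject =~ /^\s\w/
describe SPACESUB extra space before subject
score SPACESUB 0.5

# don 2008-05-04
# NOTE(review): the header name is written with a trailing colon. Confirm with
# `spamassassin --lint` that the rule parses and still matches the
# X-Yahoo-Newman-Property header.
header YAHOOCALENDAR X-Yahoo-Newman-Property: =~ /calendar-invite/i
describe YAHOOCALENDAR Calendar invite from yahoo; broken captcha
score YAHOOCALENDAR 4

# blarson 2008-06-03
header BOUNDARYID content-type =~ /\bboundary\=\"Boundary_\(ID_/
describe BOUNDARYID spamware boundary
score BOUNDARYID 0.6

# blarson 2008-07-02
body GBKXWFLXF /\bgbkxwflxf\b/
describe GBKXWFLXF gbkxwflxf
score GBKXWFLXF 5

# blarson 2008-09-07
body LUKSUS /\bluksus\b/i
score LUKSUS 4
describe LUKSUS Luksus

# disabled by don; was causing false positives
# probably needs to be modified to check if it really is ironport
# blarson 2008-09-22
# header XIRONPORT X-IronPort-Anti-Spam-Filtered =~ /true/
# describe XIRONPORT claims to be ironport filtered
# score XIRONPORT 2.5

# blarson 2008-10-13
header AUTORESPON subject =~ /Auto_response/
describe AUTORESPON Auto_response
score AUTORESPON 3

# blarson 2008-10-28
header XWUM x-wum-to =~ /./
describe XWUM X-WUM-TO
score XWUM 2

# cord 2008-10-31
# compensate false-positives for 140.Red-80-25-20.staticIP.rima-tde.net and stuff
# NOTE(review): `received` is tested against every Received header in the
# message, including ones that no trusted relay added, so the -5 does not
# depend on where the message really came from. If the compensation is still
# needed, tie it to relay data SpamAssassin has validated (for example a test
# on the X-Spam-Relays-Untrusted pseudo-header) and keep the magnitude as
# small as the false-positive case requires.
header STATIC_RIMA_TDE received =~ /staticIP\.rima-tde\.net/
describe STATIC_RIMA_TDE static IP from rima-tde.net
score STATIC_RIMA_TDE -5

# cord 2008-11-30
# compensate LDO_SUBSCRIBER bonus for Forum2Mail-Gw
full NABBLE /lists\@nabble\.com/
describe NABBLE sent through nabble.com
score NABBLE 5

# don 2009-02-04
# NOTE(review): the pattern and description are written with the literal
# entity text "&nbsp;", which is what the rule name and the `full` rule type
# point to. A copy of this file that has passed through an HTML renderer shows
# a bare space here instead, and that would match any three consecutive
# spaces. Confirm against the deployed file.
full HTML_NBSP /(\&nbsp;){3,}/
describe HTML_NBSP Lots of &nbsp;
score HTML_NBSP 2

# blarson 2009-02-19
header ENTIST subject =~ /(?:e.?entist|o.?ctor)/i
describe ENTIST (D)entit/(D)octor
score ENTIST 2
header THREADTOPIC thread-topic =~ /./i
describe THREADTOPIC Has a thread topic header
score THREADTOPIC 2

# [2009-04-14 cord]
# replacing old aol-rules from rc.spam
# NOTE(review): these four patterns are tested against the whole From header
# (display name included) and none is anchored, so they overlap heavily:
#  - AOL_SPAM3: ".?.?" can match nothing at all, so the rule hits every From
#    that contains an aol.com address, not only very short local parts.
#  - AOL_SPAM4: the space or "<" of an ordinary "Name <user@aol.com>" header
#    already satisfies "[^a-zA-Z0-9]+".
# Ordinary AOL senders can therefore collect several of these points. If the
# intent is to judge the local part only, test the address alone (From:addr)
# with anchored patterns, and re-check the scores afterwards.
header AOL_SPAM1 from =~ /[0-9].*\@([^\@]+\.)?aol\.com/i
describe AOL_SPAM1 possible AOL-pretending spam, matching rule 1
score AOL_SPAM1 1
header AOL_SPAM2 from =~ /...........*\@([^\@]+\.)?aol\.com/i
describe AOL_SPAM2 possible AOL-pretending spam, matching rule 2
score AOL_SPAM2 1
header AOL_SPAM3 from =~ /.?.?\@([^\@]+\.)?aol\.com/i
describe AOL_SPAM3 possible AOL-pretending spam, matching rule 3
score AOL_SPAM3 1
header AOL_SPAM4 from =~ /[^a-zA-Z0-9]+.*\@([^\@]+\.)?aol\.com/i
describe AOL_SPAM4 possible AOL-pretending spam, matching rule 4
score AOL_SPAM4 1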