# SARE Spoof Ruleset for SpamAssassin
# Version: 1.09.21
# Created: 2004-03-01
# Modified: 2007-01-15
# Changes: Various Updates
# License: Artistic - see http://www.rulesemporium.com/license.txt
# Current Maintainer: Fred Tarasevicius - tech2@i-is.com
# Current Home: http://www.rulesemporium.com/rules/70_sare_spoof.cf
# Comments: To counter whitelists, some rules have extra meta rules to score 100 to override whitelist_from's.
#
# Layout used throughout this file: for each brand, a "__FROM_*" header test, a "__URI_*" body-URI
# test and a "__RCVD_*" Received-header test are combined by a "meta" rule that fires when the
# From and URI look like the brand but no Received line mentions it.  Names starting with "__"
# are sub-rules (score 0, never reported on their own); only the SARE_* meta rules carry scores.

# META RULES USED BY MULTIPLE RULES:
# Any URI whose host part is a dotted quad followed by "/".  \d{1,3} also admits octets above
# 255, which is fine for a helper that only wants "looks like a raw IP" rather than a valid one.
uri __URI_IS_IP /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\//

# The following NICE rules can be enabled if you choose, it works for me, adjust scores as needed.
# "Legit" = all three indicators (From, URI and Received) agree on paypal.  The three sub-rules
# are defined in the PAYPAL section further down; the small negative score is a token bonus.
meta SARE_LEGIT_PAYPAL (__FROM_PAYPAL && __URI_PAYPAL && __RCVD_PAYPAL)
describe SARE_LEGIT_PAYPAL Has signs it's from paypal, from, headers, uri
score SARE_LEGIT_PAYPAL -0.01
# Same idea for eBay, left disabled by the author.
#meta SARE_LEGIT_EBAY (__FROM_EBAY && __URI_EBAY && __RCVD_EBAY)
#describe SARE_LEGIT_EBAY Has signs it's from ebay, from, headers, uri
#score SARE_LEGIT_EBAY -0.01

# Simple test recommended by jdow from SA-users list.
# Display name claims "ebay" (whole word) ...
header __EBAY_FRM_NAME From:name =~ /\bebay\b/i
# ... but the address part is not at one of the listed ebay.<tld> domains (preceded by "@" or ".",
# so sub-domains such as something.ebay.com are accepted too).
header __EBAY_ADDRESS From:addr =~ /[\@\.]ebay\.(?:com(?:\.au|\.cn|\.hk|\.my|\.sg)?|co\.uk|at|be|ca|fr|de|in|ie|it|nl|ph|pl|es|se|ch)/i
# Name/address mismatch only; no URI or Received evidence is consulted, hence the modest score.
meta SARE_EBAY_SPOOF_NAME (__EBAY_FRM_NAME && !__EBAY_ADDRESS)
score SARE_EBAY_SPOOF_NAME 0.94

# NEEDS MORE TESTING
# Unanchored substring match: "visa" also occurs inside ordinary words (e.g. "advisable"), which is
# presumably why the author flags this pair as needing more testing.
header __SARE_NAME_VISA From:name =~ /visa/i
header __SARE_ADDR_VISA From:addr =~ /visa/i
# Display name mentions visa but the address does not.
meta SARE_FORGE_NAME_VISA (__SARE_NAME_VISA && !__SARE_ADDR_VISA)
score SARE_FORGE_NAME_VISA 0.399
#counts FM_NAME_VISA_FORGE 1s/0h of 12260 corpus (6588s/5672h CT) 03/17/06
#counts FM_NAME_VISA_FORGE 18s/0h of 22976 corpus (17263s/5713h MY) 03/17/06
#counts FM_NAME_VISA_FORGE 3s/0h of 103688 corpus (96287s/7401h FVGT) 03/17/06
#counts FM_NAME_VISA_FORGE 43s/0h of 108996 corpus (71372s/37624h DOC) 03/17/06

# Flagstar: From header and a body URI mention flagstar.com, but no Received line does.
uri __SPOOF_FLAGS /flagstar\.com/i
header __FROM_FLAGSTAR From =~ /\bflagstar\.com/i
header __RCVD_FLAGSTAR Received =~ /\bflagstar\.com/i
meta SARE_SPOOF_FLAGSTAR (__SPOOF_FLAGS && __FROM_FLAGSTAR && !__RCVD_FLAGSTAR)
score SARE_SPOOF_FLAGSTAR 3.667
#counts SARE_SPOOF_FLAGSTAR 1s/0h of 42564 corpus (34322s/8242h FVGT) 05/26/06

# Try to identify USBank.com e-mail
# Same From + URI - Received pattern as above; these three patterns have no \b or "@" anchor, so
# any string containing "usbank.com" satisfies them.
header __RCVD_USBANK Received =~ /usbank\.com/i
header __FROM_USBANK From =~ /usbank\.com/i
uri __URI_USBANK /usbank\.com/i
meta SARE_FORGED_USBANK (__FROM_USBANK && __URI_USBANK && !__RCVD_USBANK)
score SARE_FORGED_USBANK 4.4

#--------------------------------------------------------------------------------------------------#
## THESE RULES HAVE VERY LARGE SCORES, PLEASE ADJUST TO YOUR NEEDS, I NEED TO OVERRIDE WHITELIST. ##
#--------------------------------------------------------------------------------------------------#
# Try to identify PAYPAL spoofs by looking for elements which should always appear.
# If we have a From and an URL of one of these guys, we should also have a received line to match!
#
# NOTE(review): the "__RCVD_*" tests below only check that the brand's domain appears somewhere in
# a Received header.  Received headers added before the message reached a trusted relay are under
# the sender's control, so a message that mentions the brand domain in such a header will satisfy
# the test and the forged-* meta rule will not fire.  Treat these rules as heuristics and combine
# them with sender-authentication results (SPF/DKIM) where available.
# PAYPAL
# Received line mentions paypal.com or postdirect.com (the latter is presumably a mailer sending
# on PayPal's behalf - confirm before changing).
header __RCVD_PAYPAL Received =~ /\.(?:paypal|postdirect)\.com/i
# From header at paypal.com or a lookalike: "paypa" followed by l, 1 or i, then ".com" or ".con".
header __FROM_PAYPAL From =~ /[\@\.]paypa[l1i]\.co[mn]/i
# Body URI with the same lookalike set ([lI1] equals [l1i] under /i).  The leading [^\@] means the
# domain must not directly follow "@", presumably so a mailto: address alone does not count.
uri __URI_PAYPAL /[^\@]paypa[lI1]\.com/i
meta SARE_FORGED_PAYPAL (__FROM_PAYPAL && __URI_PAYPAL && !__RCVD_PAYPAL)
describe SARE_FORGED_PAYPAL Message appears to be forged, (paypal.com)
score SARE_FORGED_PAYPAL 4.0
# If the message is whitelisted, add 100 points to over-ride whitelist.
# USER_IN_WHITELIST is SpamAssassin's own rule for a whitelist_from match; the +100 here is meant to
# cancel the large negative score that rule contributes.
meta SARE_FPP_BLOCKER (SARE_FORGED_PAYPAL && USER_IN_WHITELIST)
score SARE_FPP_BLOCKER 100

# Try to identify EBAY spoofs by looking for elements which should always appear.
# If we have a From and an URL of one of these guys, we should also have a received line to match!
# Three Received variants: the ebay.<tld> domains themselves, two third-party hosts under ebay.,
# and sjc.liveworld.com (presumably outsourced senders - confirm).  Note only the first is /i.
header __RCVD_EBAY1 Received =~ /(?:email)?[^\s@]ebay\.(?:com(?:\.au|\.cn|\.hk|\.my|\.sg)?|co\.uk|at|be|ca|fr|de|in|ie|it|nl|ph|pl|es|se|ch)/i
header __RCVD_EBAY2 Received =~ /ebay\.(?:easynet\.de|emarsys\.net)/
header __RCVD_EBAY3 Received =~ /sjc\.liveworld\.com/
meta __RCVD_EBAY (__RCVD_EBAY1 || __RCVD_EBAY2 || __RCVD_EBAY3)
# "@ebay.c", "@mail.ebay.c" or "@email.ebay.c" - the unescaped "." after "mail" matches any one
# character, and "ebay\.c" is a prefix shared by .com, .co.uk, .ca, .ch, .cn, ...
header __FROM_EBAY From =~ /\@(?:e?mail.?)?ebay\.c/i
# Body URI under ebay.com or ebaystatic.com.
uri __URI_EBAY /\.ebay(?:static)?\.com/i
meta SARE_FORGED_EBAY (__FROM_EBAY && __URI_EBAY && !__RCVD_EBAY)
describe SARE_FORGED_EBAY Message appears to be forged, (ebay.com)
score SARE_FORGED_EBAY 4.0
# Whitelist override, as for PayPal above.
meta SARE_FEB_BLOCKER (SARE_FORGED_EBAY && USER_IN_WHITELIST)
score SARE_FEB_BLOCKER 100

# Try to identify SUNTRUST spoofs by looking for elements which should always appear.
# If we have a From and an URL of one of these guys, we should also have a received line to match!
# SUNTRUST
header __RCVD_SUNTRUST Received =~ /\.suntrust\.com/i
header __FROM_SUNTRUST From =~ /[\@\.]suntrust\.com/i
# Up to 25 extra letters/digits/hyphens are allowed between "suntrust" and ".com", so lookalike
# domains of the form suntrust<suffix>.com are caught as well as suntrust.com itself.
uri __URI_SUNTRUST /suntrust[a-z0-9-]{0,25}\.com/i
meta SARE_FORGED_SUNTRUST (__FROM_SUNTRUST && __URI_SUNTRUST && !__RCVD_SUNTRUST)
describe SARE_FORGED_SUNTRUST Message appears to be forged, (suntrust.com)
score SARE_FORGED_SUNTRUST 4.0
# Whitelist override (USER_IN_WHITELIST is SpamAssassin's whitelist_from rule).
meta SARE_SUN_BLOCKER (SARE_FORGED_SUNTRUST && USER_IN_WHITELIST)
score SARE_SUN_BLOCKER 100

# WACHOVIA
# Requires one character after "wachovia.com" that is not ")"; presumably intended to skip the
# parenthesised comment part of a Received line - confirm against real headers before changing.
header __RCVD_WACHOVIA Received =~ /wachovia\.com[^\)]/i
header __FROM_WACHOVIA From =~ /\@wachovia\.com/i
uri __URI_WACHOVIA /\bwachovia\.com/i
# No describe line and no whitelist-override meta for this one, unlike the sections above.
meta SARE_FORGED_WACHOVIA (__FROM_WACHOVIA && __URI_WACHOVIA && !__RCVD_WACHOVIA)
score SARE_FORGED_WACHOVIA 3.0
#counts SARE_FORGED_WACHOVIA 0s/0h of 82118 corpus (57948s/24170h ML) 04/03/06
#counts SARE_FORGED_WACHOVIA 0s/0h of 12246 corpus (6574s/5672h CT) 04/03/06
#counts SARE_FORGED_WACHOVIA 0s/0h of 10377 corpus (7302s/3075h ) 04/03/06
#counts SARE_FORGED_WACHOVIA 0s/0h of 22951 corpus (17237s/5714h MY) 04/03/06
#counts SARE_FORGED_WACHOVIA 2s/0h of 41810 corpus (34135s/7675h FVGT) 04/03/06

# Try to identify CHASEBANK spoofs by looking for elements which should always appear.
# If we have a From and an URL of one of these guys, we should also have a received line to match!
# CHASE
# chase.com as a word, not directly after "@" (so an address local-part@chase.com does not count).
header __RCVD_CHASE_A Received =~ /[^@]\bchase\.com/i
# bigfootinteractive.com is presumably a third-party mailer used by Chase (and Citi, see below).
header __RCVD_CHASE_B Received =~ /\bbigfootinteractive\.com/i
meta __RCVD_CHASE (__RCVD_CHASE_A || __RCVD_CHASE_B)
header __FROM_CHASE From =~ /\bchase\.com/i
# m'...' delimiters so the "//" in "http://chase" needs no escaping.
uri __URI_CHASE m'(?:\.chase\.com|http://chase)'i
# Also accepts a bankone.com Received line as legitimate; __RCVD_BANKONE is defined just below
# (SpamAssassin resolves meta dependencies by name, not by file order).
meta SARE_FORGED_CHASE (__FROM_CHASE && __URI_CHASE && (!__RCVD_CHASE && !__RCVD_BANKONE))
describe SARE_FORGED_CHASE Message appears to be forged, (chase.com)
score SARE_FORGED_CHASE 3.4

# BANK ONE - mirror of the Chase rule; either brand's Received line is accepted.
header __RCVD_BANKONE Received =~ /\bbankone\.com/i
header __FROM_BANKONE From =~ /\bbankone\.com/i
uri __URI_BANKONE /\.bankone\.com/i
meta SARE_FORGED_BANK1 (__FROM_BANKONE && __URI_BANKONE && (!__RCVD_CHASE && !__RCVD_BANKONE))
score SARE_FORGED_BANK1 3.0

# Try to identify CITIBANK spoofs by looking for elements which should always appear.
# If we have a From and an URL of one of these guys, we should also have a received line to match!
# citi.com, citibank.com, citibankcards.com, citicards.com, citicorp.com, plus acxiom.com and
# c2it.com.  The "bankcards" alternative is already covered by "bank(?:cards)?" and is redundant.
header __RCVD_CITIBNK_A Received =~ /(?:citi(?:bank(?:cards)?|cards|corp|bankcards)|acxiom|c2it)\.com/i
header __RCVD_CITIBNK_B Received =~ /bridgetrack\.com/i
# Shares the bigfootinteractive.com test (__RCVD_CHASE_B) with the Chase section.
meta __RCVD_CITIBNK (__RCVD_CITIBNK_A || __RCVD_CITIBNK_B || __RCVD_CHASE_B)
# citi.com, citibank.com, citicards.com or citibankcards.com in From; the URI test is narrower
# (citi.com / citibank.com only).
header __FROM_CITIBNK From =~ /\bciti(?:bank)?(?:cards)?\.com/i
uri __URI_CITIBNK /\bciti(?:bank)?\.com/i
meta SARE_FORGED_CITI (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)
describe SARE_FORGED_CITI Message appears to be forged, (citibank.com)
score SARE_FORGED_CITI 4.0
# Whitelist override (USER_IN_WHITELIST is SpamAssassin's whitelist_from rule).
meta SARE_CIT_BLOCKER (SARE_FORGED_CITI && USER_IN_WHITELIST)
score SARE_CIT_BLOCKER 100

# I'm testing a few new variations of these rules, trying to find people just spoofing the from headers.
# From-only variant of SARE_FORGED_PAYPAL: no body-URI requirement, so a much lower score.
meta SARE_FORGED_PAYPAL_C (__FROM_PAYPAL && !__RCVD_PAYPAL)
describe SARE_FORGED_PAYPAL_C Has Paypal from, no Paypal received header.
score SARE_FORGED_PAYPAL_C 1.3

# About.com has plenty of spams which spoof their address. Here's a set of rules just for them ;)
header __RCVD_ABOUT_COM Received =~ /\.about\.com/i
header __FROM_ABOUT_COM From =~ /\babout\.com/i
uri __URI_ABOUT_COM /\.about\.com/i
# Unlike every other section, this fires when there is NO about.com URI in the body: the From is
# about.com, nothing was received from about.com, and the links point elsewhere.
meta SARE_FORGED_ABOUT (!__RCVD_ABOUT_COM && __FROM_ABOUT_COM && !__URI_ABOUT_COM)
describe SARE_FORGED_ABOUT Message appears to be forged, (about.com)
score SARE_FORGED_ABOUT 2.879

# another spoof using forms
rawbody __FHAS_HTML_FORM /