+# -*- mode: spamassassin -*-
+
# This seems to catch a lot of spam, but not sure about false positive (from airmax.cf)
# pasc couldn't find any false positives on the lists he's on
header X_MESSAGE_INFO exists:X-Message-Info
describe GUEBDE www.geub.de
score GUEBDE 5
+# Don 2008-06-27
+full PGPSIGNATURE /-----BEGIN PGP SIGNATURE-----/
+describe PGPSIGNATURE Has a pgp signature (may not be valid, but who cares?)
+score PGPSIGNATURE -5
-# TODO: The rules below seem to be very similar; possibly fix them.
-
-# These might trip up on non-english lists. We'll see.
-# They're fucking up on GPG signatures
-body MURPHY_WRONG_WORD1 /[bcdfghjklmnpqrstvwxz]{7,}/i
-score MURPHY_WRONG_WORD1 0.1
-body MURPHY_WRONG_WORD2 /[bcdfghjklmnpqrstvwxz]{6,}/i
-score MURPHY_WRONG_WORD2 0.2
+body WORD_WITHOUT_VOWELS /\b[bcdfghjklmnpqrstvwxz]{6,20}\b/
+describe WORD_WITHOUT_VOWELS Long word without any vowels
+score WORD_WITHOUT_VOWELS 1
-#Impronounceable. Need to check this one for accuracy (from airmax.cf)
-body IMPRONONCABLE_1 /([bcdfghjklmnpqrstvwxz]){6,20}/
-describe IMPRONONCABLE_1 Some words aren't easy to pronounce (too much vowels)
-body IMPRONONCABLE_2 /(([abcdefghijklmnopqrstvwxyz]){1,9}\d{1,4}){2,9}/
-describe IMPRONONCABLE_2 Some words aren't easy to pronounce (mixed numbers and lower-case letters)
+body DIGITS_LETTERS /(([abcdefghijklmnopqrstvwxyz]){1,9}\d{1,4}){2,9}/
+describe DIGITS_LETTERS Mixed groups of letters followed by numbers
+score DIGITS_LETTERS 1
# From http://www.exit0.us/index.php/FredsRules
# Added by pasc 2004/06/20
describe NEXTPART spammer mime separator
score NEXTPART 2.5
-# blarson 2006-10-17
+# blarson 2006-10-17 2009-04-30
full CT_IMAGE /Content\-Type\:\s*image/i
describe CT_IMAGE Picture attached
-score CT_IMAGE 1
+score CT_IMAGE 1.5
# blarson 2006-12-01 (score so low since it will also hit CT_IMAGE)
header CT_IMAGE_HEAD content-type =~ /image/
score FAILNOTE 2
# blarson 2007-06-28
-rawbody CTINLINE /^Content\-Disposition\: inline\;\b/
+full CTINLINE /^Content\-Disposition\: inline\;\b/
describe CTINLINE Inline attachment
score CTINLINE 1
describe OUTOFOFFICE Out of the office
score OUTOFOFFICE 3
+body OUTOFOFFICE_BACK /will be back/i
+describe OUTOFOFFICE_BACK Out of the office
+score OUTOFOFFICE_BACK 3
+
# blarson 2007-08-01 \w was too broad 2007-08-12 add dash, at least 3 digits
header SUBENDNUM subject =~ /[a-zA-Z!]-?\d{3,}$/
describe SUBENDNUM Subject ends in word989
describe XMSATT more pdf spam
score XMSATT 2
+# blarson 2007-10-27
+body ICQ /^icq\:/i
+describe ICQ icq:
+score ICQ 2
+
+# blarson 2007-11-02
+header XJ2ID X-J2Id =~ /\d+/
+describe XJ2ID fax bounce
+score XJ2ID 4
+
+# blarson 2007-11-15
+header LONGWORD subject =~ /\b[\w\d]{30,}/i
+describe LONGWORD long word in subject
+score LONGWORD 2
+
+# blarson 2007-11-23
+header TESTIMONIAL subject =~ /\btestimonial/i
+describe TESTIMONIAL testimonials
+score TESTIMONIAL 2
+
+# blarson 2007-12-13
+header ITXS subject =~ /\bit\`s\b/i
+describe ITXS it`s
+score ITXS 4
+
+# blarson 2007-12-18
+rawbody TINYFONT /\bFONT-SIZE\:\s+[123]px\;/i
+describe TINYFONT tiny font specified
+score TINYFONT 3
+
+# blarson 2008-04-03
+full ZIPFILE /\bfilename\=.*\.zip\b/i
+describe ZIPFILE zipfile attachment
+score ZIPFILE 0.5
+
+# blarson 2008-04-19
+header SPACESUB subject =~ /^\s\w/
+describe SPACESUB extra space before subject
+score SPACESUB 0.5
+
+# don 2008-05-04
+header YAHOOCALENDAR X-Yahoo-Newman-Property: =~ /calendar-invite/i
+describe YAHOOCALENDAR Calendar invite from yahoo; broken captcha
+score YAHOOCALENDAR 4
+
+# blarson 2008-06-03
+header BOUNDARYID content-type =~ /\bboundary\=\"Boundary_\(ID_/
+describe BOUNDARYID spamware boundary
+score BOUNDARYID 0.6
+
+# blarson 2008-07-02
+body GBKXWFLXF /\bgbkxwflxf\b/
+describe GBKXWFLXF gbkxwflxf
+score GBKXWFLXF 5
+
+# blarson 2008-09-07
+body LUKSUS /\bluksus\b/i
+score LUKSUS 4
+describe LUKSUS Luksus
+
+# disabled by don; was causing false positives
+# probably needs to be modified to check if it really is ironport
+# blarson 2008-09-22
+# header XIRONPORT X-IronPort-Anti-Spam-Filtered =~ /true/
+# describe XIRONPORT claims to be ironport filtered
+# score XIRONPORT 2.5
+
+# blarson 2008-10-13
+header AUTORESPON subject =~ /Auto_response/
+describe AUTORESPON Auto_response
+score AUTORESPON 3
+
+# blarson 2008-10-28
+header XWUM x-wum-to =~ /./
+describe XWUM X-WUM-TO
+score XWUM 2
+
+# cord 2008-10-31
+# compensate false-positives for 140.Red-80-25-20.staticIP.rima-tde.net and stuff
+header STATIC_RIMA_TDE received =~ /staticIP\.rima-tde\.net/
+describe STATIC_RIMA_TDE static IP from rima-tde.net
+score STATIC_RIMA_TDE -5
+
+# cord 2008-11-30 # compensate LDO_SUBSCRIBER bonus for Forum2Mail-Gw
+full NABBLE /lists\@nabble\.com/
+describe NABBLE sent through nabble.com
+score NABBLE 5
+
+# don 2009-02-04
+full HTML_NBSP /(\ ){3,}/
+describe HTML_NBSP Lots of
+score HTML_NBSP 2
+
+# blarson 2009-02-19
+header ENTIST subject =~ /(?:e.?entist|o.?ctor)/i
+describe ENTIST (D)entit/(D)octor
+score ENTIST 2
+
+header THREADTOPIC thread-topic =~ /./i
+describe THREADTOPIC Has a thread topic header
+score THREADTOPIC 2
+
+# [2009-04-14 cord]
+# replacing old aol-rules from rc.spam
+
+header AOL_SPAM1 from =~ /[0-9].*\@([^\@]+\.)?aol\.com/i
+describe AOL_SPAM1 possible AOL-pretending spam, matching rule 1
+score AOL_SPAM1 1
+
+header AOL_SPAM2 from =~ /...........*\@([^\@]+\.)?aol\.com/i
+describe AOL_SPAM2 possible AOL-pretending spam, matching rule 2
+score AOL_SPAM2 1
+
+header AOL_SPAM3 from =~ /.?.?\@([^\@]+\.)?aol\.com/i
+describe AOL_SPAM3 possible AOL-pretending spam, matching rule 3
+score AOL_SPAM3 1
+
+header AOL_SPAM4 from =~ /[^a-zA-Z0-9]+.*\@([^\@]+\.)?aol\.com/i
+describe AOL_SPAM4 possible AOL-pretending spam, matching rule 4
+score AOL_SPAM4 1
+
+# blarson 2009-04-15
+body WEBMAIL /\bwebmail\b/i
+describe WEBMAIL webmail
+score WEBMAIL 1
+
+# blarson 2009-04-17
+header REFNO subject =~ /\bref no\b/i
+describe REFNO Ref No
+score REFNO 2
+
+# blarson 2009-05-26
+header INFOCOUK to =~ /\b(?:info|winner|loan|lotto|grant|win)\@(?:info\.|winner\.|loan\.|lotto\.|hotmail\.|grant\.|win\.|yahoo\.|)(?:co\.uk|net|com|org)\b/
+describe INFOCOUK to info@co.uk
+score INFOCOUK 3
+
+# blarson 2009-05-27
+body EXITAT /\b(?:exit|rembox)\@(?:datalistsource|listsourcesworld|BestAccurateReliable|expertdatasystems|bestbizlists)\.\b/i
+describe EXITAT exit@datalistsource.com
+score EXITAT 3
+
+# blarson 2009-06-05
+header TOINFO to =~ /\binfo\@/
+describe TOINFO to info@
+score TOINFO 1
+
+# don 2009-07-06
+header CONSTCONTACT X-Mailer =~ /Constant Contact/i
+describe CONSTCONTACT Mail comming from constant contact, which doesn't require double opt-in
+score CONSTCONTACT 5
+
+# blarson 2009-08-16
+meta CTBDN (CT_IMAGE && MIXEDBDN)
+describe CTBDN CT_IMAGE && MIXEDBDN
+score CTBDN 0.5
+
+# don 2009-09-22
+body NUMEMAIL /\d{3,}\s+emails?/i
+describe NUMEMAIL Mail which mentions some number of e-mail addresses
+score NUMEMAIL 2
+
+# don 2009-11-25
+header YAHOOCALENDAR X-Yahoo-Calendar-IId: =~ /./
+describe YAHOOCALENDAR Mail comming from yahoo calendar, which spams us with updates
+score YAHOOCALENDAR 5
+
+# alex 2009-12-05
+header TLOTTERY subject =~ /Ticket no: [0-9]+/i
+describe TLOTTERY Lottery spam
+score TLOTTERY 3
+
+# alex 2009-12-05
+header GLOTTERY subject =~ /Google_L_o_t_t_e_r_y_W_i_n_n_e_r_s/i
+describe GLOTTERY Google Lottery spam
+score GLOTTERY 3
+
+# alex 2009-12-16
+header DOTNET subject =~ /Planning a Website Design\? Updates/
+describe DOTNET .NET Spam
+score DOTNET 3
+
+# blarson 2010-02-02
+body REMBOX /\b(?:rembo[xt]|disappear|stopping|delrem|remfiles?|exit|takemeoff|offthelist|purgefile)\s?\@/
+describe REMBOX rembox
+score REMBOX 3
+
+# formorer 2010-01-23
+header LONGTO to =~ /([\S]+, ){15,}/
+describe LONGTO very long To line
+score LONGTO 3
+
+# formorer 2010-01-25
+header VAULAS subject =~ /cursos video aulas video/i
+describe VAULAS some spanish video spam
+score VAULAS 3
+
+# blarson 2010-01-28
+header FROMWWW from =~ /\bwww\./i
+describe FROMWWW from www.whatever
+score FROMWWW 3
+
+# blarson 2010-02-16
+header FROMCASINO from =~ /\bcasino/i
+describe FROMCASINO from casino
+score FROMCASINO 3
+
+# don 2010-06-10
+header CTOCTET_STREAM Content-Type =~ /octet-stream/i
+describe CTOCTET_STREAM Content type is octet-stream
+score CTOCTET_STREAM 0.5
+
+full RTF_ATTACH /^Content-Disposition:.+name=.+\.(rtf|doc)/i
+describe RTF_ATTACH Contains an RTF or DOC Attachment
+score RTF_ATTACH 2
+
+meta RTF_SPAM CTOCTET_STREAM && RTF_ATTACH
+describe RTF_SPAM Content type is octet-stream and has an RTF Attachment
+score RTF_SPAM 3
+
+# blarson 2010-10-11
+header WORDDIGDIG subject =~ /^\w{3,}\s+\d\s\d\s*$/
+describe WORDDIGDIG Word digit digit subject
+score WORDDIGDIG 3
+
+# don 2011-06-06
+header BRACE_SUBJECT Subject =~ /^\[\ [a-z0-9]{16}]\ /
+describe BRACE_SUBJECT 16 length word in braces in the subject
+score BRACE_SUBJECT 4
+
+# formorer 2011-08-12
+header COMPTESFR subject =~ /concernant Compte SFR/i
+describe COMPTESFR concernant Compte SFR
+score COMPTESFR 3
+
+# formorer 2012-02-02
+header BACKTOME subject =~ /Please get back to me/i
+describe BACKTOME Phrase get back to me
+score BACKTOME 4
+
+# formorer 2012-12-10
+header STEEL subject =~ /stainless steel cookware/i
+describe STEEL who need steel cookware?
+score STEEL 4
+
+# blarson 2012-02-23
+header SINGLES subject =~ /\bsingles\b/i
+describe SINGLES singles
+score SINGLES 4
+
+header CMAEOUT X-CMAE-OUT-Score =~ /.+/
+describe CMAEOUT Cmae out
+score CMAEOUT 3.5
+
+# blarson 2012-05-05
+body FBPHOTO /\b(photo|pict?|image)\s+on\s+(fb|facebook)\b/i
+describe FBPHOTO facebook photo
+score FBPHOTO 4
+
+header TRADEME subject =~ /Can you afford not to trade/
+describe TRADEME we don't trade
+score TRADEME 4
+
+# cord 2013-11-09
+header PHPMAILER X-Mailer =~ /PHPMailer/
+describe PHPMAILER X-Mailer: PHPMailer
+score PHPMAILER 2
+
+# formorer 2013-11-24
+header FROMTWOO from =~ /twoomail\.com/i
+describe FROMTWOO from twoomail
+score FROMTWOO 3
+
+# formorer 2014-07-31
+header FROMCHICEXECS from =~ /ChicExecs/i
+describe FROMCHICEXECS from ChicExecs
+score FROMCHICEXECS 3
+
+# formorer 2014-08-06
+header LHELMOND from =~ /Luke Helmond/i
+describe LHELMOND from Luke Helmond
+score LHELMOND 4
+
+# formorer 2014-08-06
+header MAILCHIMP X-Mailer =~ /MailChimp Mailer/i
+describe MAILCHIMP X-Mailer: MailChimp Mailer
+score MAILCHIMP 3
+
+# formorer 2014-08-29
+body AVERMITTLUNG /Arbeitsvermittlungsagentur/i
+describe AVERMITTLUNG Arbeitsvermittlungsagentur
+score AVERMITTLUNG 4
+
+# formorer 2014-08-29
+body BEWSCHREIBEN /Bewerbungsschreiben/i
+describe BEWSCHREIBEN Bewerbungsschreiben
+score BEWSCHREIBEN 4
+
+# formorer 2014-08-30
+header FREELNCMR subject =~ /Freelancer Online Marketing/
+describe FREELNCMR Freelancer Online Marketing
+score FREELNCMR 4
+
+# formorer 2014-09-03
+header SOLUCIONESAMB subject =~ /SOLUCIONES AMBIENTALES: FIN AL MAL OLOR CON ENZILIMP/
+describe SOLUCIONESAMB SOLUCIONES AMBIENTALES: FIN AL MAL OLOR CON ENZILIMP
+score SOLUCIONESAMB 5
+
+# formorer 2014-11-17
+header LYMBOO from =~ /\@lymboomail/
+describe LYMBOO lymboomail learning spam
+score LYMBOO 5
+
+# formorer 2015-05-14
+header LEARDINI from =~ /\@leardinigroup.com/
+describe LEARDINI Microbiologia (SIM) spam
+score LEARDINI 5
projects / spamassassin_config.git / blobdiff