+# -*- mode: spamassassin -*-
+
# This seems to catch a lot of spam, but not sure about false positive (from airmax.cf)
# pasc couldn't find any false positives on the lists he's on
header X_MESSAGE_INFO exists:X-Message-Info
score GUEBDE 5
# Don 2008-06-27
-rawbody PGPSIGNATURE /-----BEGIN PGP SIGNATURE-----/
+full PGPSIGNATURE /-----BEGIN PGP SIGNATURE-----/
describe PGPSIGNATURE Has a pgp signature (may not be valid, but who cares?)
score PGPSIGNATURE -5
describe NEXTPART spammer mime separator
score NEXTPART 2.5
-# blarson 2006-10-17
+# blarson 2006-10-17 2009-04-30
full CT_IMAGE /Content\-Type\:\s*image/i
describe CT_IMAGE Picture attached
-score CT_IMAGE 1
+score CT_IMAGE 1.5
# blarson 2006-12-01 (score so low since it will also hit CT_IMAGE)
header CT_IMAGE_HEAD content-type =~ /image/
score LUKSUS 4
describe LUKSUS Luksus
+# disabled by don; was causing false positives
+# probably needs to be modified to check if it really is ironport
# blarson 2008-09-22
-header XIRONPORT X-IronPort-Anti-Spam-Filtered =~ /true/
-describe XIRONPORT claims to be ironport filtered
-score XIRONPORT 2.5
+# header XIRONPORT X-IronPort-Anti-Spam-Filtered =~ /true/
+# describe XIRONPORT claims to be ironport filtered
+# score XIRONPORT 2.5
# blarson 2008-10-13
header AUTORESPON subject =~ /Auto_response/
describe HTML_NBSP Lots of
score HTML_NBSP 2
-# don 2009-02-05
-body QMAILBOUNCE /This\s*is\s*the\s*qmail-send\s*program/i
-describe QMAILBOUNCE Stupid qmail bounces; we don't want them
-score QMAILBOUNCE 2
+# blarson 2009-02-19
+header ENTIST subject =~ /(?:e.?entist|o.?ctor)/i
+describe ENTIST (D)entit/(D)octor
+score ENTIST 2
+
+header THREADTOPIC thread-topic =~ /./i
+describe THREADTOPIC Has a thread topic header
+score THREADTOPIC 2
+
+# [2009-04-14 cord]
+# replacing old aol-rules from rc.spam
+
+header AOL_SPAM1 from =~ /[0-9].*\@([^\@]+\.)?aol\.com/i
+describe AOL_SPAM1 possible AOL-pretending spam, matching rule 1
+score AOL_SPAM1 1
+
+header AOL_SPAM2 from =~ /...........*\@([^\@]+\.)?aol\.com/i
+describe AOL_SPAM2 possible AOL-pretending spam, matching rule 2
+score AOL_SPAM2 1
+
+header AOL_SPAM3 from =~ /.?.?\@([^\@]+\.)?aol\.com/i
+describe AOL_SPAM3 possible AOL-pretending spam, matching rule 3
+score AOL_SPAM3 1
+
+header AOL_SPAM4 from =~ /[^a-zA-Z0-9]+.*\@([^\@]+\.)?aol\.com/i
+describe AOL_SPAM4 possible AOL-pretending spam, matching rule 4
+score AOL_SPAM4 1
+
+# blarson 2009-04-15
+body WEBMAIL /\bwebmail\b/i
+describe WEBMAIL webmail
+score WEBMAIL 1
+
+# blarson 2009-04-17
+header REFNO subject =~ /\bref no\b/i
+describe REFNO Ref No
+score REFNO 2
+
+# blarson 2009-05-26
+header INFOCOUK to =~ /\b(?:info|winner|loan|lotto|grant|win)\@(?:info\.|winner\.|loan\.|lotto\.|hotmail\.|grant\.|win\.|yahoo\.|)(?:co\.uk|net|com|org)\b/
+describe INFOCOUK to info@co.uk
+score INFOCOUK 3
+
+# blarson 2009-05-27
+body EXITAT /\b(?:exit|rembox)\@(?:datalistsource|listsourcesworld|BestAccurateReliable|expertdatasystems|bestbizlists)\.\b/i
+describe EXITAT exit@datalistsource.com
+score EXITAT 3
+
+# blarson 2009-06-05
+header TOINFO to =~ /\binfo\@/
+describe TOINFO to info@
+score TOINFO 1
+
+# don 2009-07-06
+header CONSTCONTACT X-Mailer =~ /Constant Contact/i
+describe CONSTCONTACT Mail comming from constant contact, which doesn't require double opt-in
+score CONSTCONTACT 5
+
+# blarson 2009-08-16
+meta CTBDN (CT_IMAGE && MIXEDBDN)
+describe CTBDN CT_IMAGE && MIXEDBDN
+score CTBDN 0.5
+
+# don 2009-09-22
+body NUMEMAIL /\d{3,}\s+emails?/i
+describe NUMEMAIL Mail which mentions some number of e-mail addresses
+score NUMEMAIL 2
+
+# don 2009-11-25
+header YAHOOCALENDAR X-Yahoo-Calendar-IId: =~ /./
+describe YAHOOCALENDAR Mail comming from yahoo calendar, which spams us with updates
+score YAHOOCALENDAR 5
+
+# alex 2009-12-05
+header TLOTTERY subject =~ /Ticket no: [0-9]+/i
+describe TLOTTERY Lottery spam
+score TLOTTERY 3
+
+# alex 2009-12-05
+header GLOTTERY subject =~ /Google_L_o_t_t_e_r_y_W_i_n_n_e_r_s/i
+describe GLOTTERY Google Lottery spam
+score GLOTTERY 3
+
+# alex 2009-12-16
+header DOTNET subject =~ /Planning a Website Design\? Updates/
+describe DOTNET .NET Spam
+score DOTNET 3
+
+# blarson 2010-02-02
+body REMBOX /\b(?:rembox|disappear|stopping|delrem|remfiles?|exit)\s?\@/
+describe REMBOX rembox
+score REMBOX 3
+
+# formorer 2010-01-23
+header LONGTO to =~ /([\S]+, ){15,}/
+describe LONGTO very long To line
+score LONGTO 3
+
+# formorer 2010-01-25
+header VAULAS subject =~ /cursos video aulas video/i
+describe VAULAS some spanish video spam
+score VAULAS 3
+
+# blarson 2010-01-28
+header FROMWWW from =~ /\bwww\./i
+describe FROMWWW from www.whatever
+score FROMWWW 3
+
+# blarson 2010-02-16
+header FROMCASINO from =~ /\bcasino/i
+describe FROMCASINO from casino
+score FROMCASINO 3
+
+# don 2010-06-10
+header CTOCTET_STREAM Content-Type =~ /octet-stream/i
+describe CTOCTET_STREAM Content type is octet-stream
+score CTOCTET_STREAM 0.5
+
+header RTF_ATTACH Content-Type =~ /name=.+\.rtf/i
+describe RTF_ATTACH Contains an RTF Attachment
+score RTF_ATTACH 0.5
+
+meta RTF_SPAM CTOCTET_STREAM && RTF_ATTACH
+describe RTF_SPAM Content type is octet-stream and has an RTF Attachment
+score RTF_SPAM 3
\ No newline at end of file
projects / spamassassin_config.git / blobdiff