X-Git-Url: https://git.donarmstrong.com/?p=spamassassin_config.git;a=blobdiff_plain;f=common%2Fmisc_spam;h=83da7da82c22f94bce26c572ba8d0a01f1bc3315;hp=eca1f014065bff1d35b6d0d3a54213597012a53b;hb=77ebe19d25a9c4c105e40d0783f71779f562cee4;hpb=6beb7f3ceb6bd317cf8c506dd24ecba989c4e8d9 diff --git a/common/misc_spam b/common/misc_spam index eca1f01..83da7da 100644 --- a/common/misc_spam +++ b/common/misc_spam @@ -1,3 +1,5 @@ +# -*- mode: spamassassin -*- + # This seems to catch a lot of spam, but not sure about false positive (from airmax.cf) # pasc couldn't find any false positives on the lists he's on header X_MESSAGE_INFO exists:X-Message-Info 
@@ -20,26 +22,18 @@ describe GUEBDE www.geub.de score GUEBDE 5 # Don 2008-06-27 -rawbody PGPSIGNATURE /-----BEGIN PGP SIGNATURE-----/ +full PGPSIGNATURE /-----BEGIN PGP SIGNATURE-----/ describe PGPSIGNATURE Has a pgp signature (may not be valid, but who cares?) score PGPSIGNATURE -5 -# TODO: The rules below seem to be very similar; possibly fix them. - -# These might trip up on non-english lists. We'll see. -# They're fucking up on GPG signatures -body MURPHY_WRONG_WORD1 /[bcdfghjklmnpqrstvwxz]{7,}/i -score MURPHY_WRONG_WORD1 0.1 - -body MURPHY_WRONG_WORD2 /[bcdfghjklmnpqrstvwxz]{6,}/i -score MURPHY_WRONG_WORD2 0.2 +body WORD_WITHOUT_VOWELS /\b[bcdfghjklmnpqrstvwxz]{6,20}\b/ +describe WORD_WITHOUT_VOWELS Long word without any vowels +score WORD_WITHOUT_VOWELS 1 -#Impronounceable. Need to check this one for accuracy (from airmax.cf) -body IMPRONONCABLE_1 /([bcdfghjklmnpqrstvwxz]){6,20}/ -describe IMPRONONCABLE_1 Some words aren't easy to pronounce (too much vowels) -body IMPRONONCABLE_2 /(([abcdefghijklmnopqrstvwxyz]){1,9}\d{1,4}){2,9}/ -describe IMPRONONCABLE_2 Some words aren't easy to pronounce (mixed numbers and lower-case letters) +body DIGITS_LETTERS /(([abcdefghijklmnopqrstvwxyz]){1,9}\d{1,4}){2,9}/ +describe DIGITS_LETTERS Mixed groups of letters followed by numbers +score DIGITS_LETTERS 1 # From http://www.exit0.us/index.php/FredsRules # Added by pasc 2004/06/20 @@ -121,10 +115,10 @@ full NEXTPART /\-\=\_NextPart\_000\_/ describe NEXTPART spammer mime separator score NEXTPART 2.5 -# blarson 2006-10-17 +# blarson 2006-10-17 2009-04-30 full CT_IMAGE /Content\-Type\:\s*image/i describe CT_IMAGE Picture attached -score CT_IMAGE 1 +score CT_IMAGE 1.5 # blarson 2006-12-01 (score so low since it will also hit CT_IMAGE) header CT_IMAGE_HEAD content-type =~ /image/ 
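Review bot: PGPSIGNATURE gives -5 for the bare armor string, and moving it from `rawbody` to `full` widens the places that string can appear to the whole pristine message, headers and encoded parts included. The marker is sender-controlled text and the signature is never verified (the description says as much), so any message can claim the negative score and cancel several of the positive rules in this file. Consider a much smaller magnitude, e.g. `score PGPSIGNATURE -1`, or combining it in a `meta` with a rule that checks the message really has a signed MIME structure. Separately, the DIGITS_LETTERS class `[abcdefghijklmnopqrstvwxyz]` lacks `u` and the pattern has no `\b` anchors, which looks like a typo carried over unchanged from IMPRONONCABLE_2.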
@@ -169,7 +163,7 @@ describe FAILNOTE bounced spam score FAILNOTE 2 # blarson 2007-06-28 -rawbody CTINLINE /^Content\-Disposition\: inline\;\b/ +full CTINLINE /^Content\-Disposition\: inline\;\b/ describe CTINLINE Inline attachment score CTINLINE 1 @@ -226,6 +220,10 @@ body OUTOFOFFICE /out of the office/i describe OUTOFOFFICE Out of the office score OUTOFOFFICE 3 +body OUTOFOFFICE_BACK /will be back/i +describe OUTOFOFFICE_BACK Out of the office +score OUTOFOFFICE_BACK 3 + # blarson 2007-08-01 \w was too broad 2007-08-12 add dash, at least 3 digits header SUBENDNUM subject =~ /[a-zA-Z!]-?\d{3,}$/ describe SUBENDNUM Subject ends in word989 @@ -307,7 +305,7 @@ describe TINYFONT tiny font specified score TINYFONT 3 # blarson 2008-04-03 -rawbody ZIPFILE /\bfilename\=.*\.zip\b/i +full ZIPFILE /\bfilename\=.*\.zip\b/i describe ZIPFILE zipfile attachment score ZIPFILE 0.5 @@ -336,10 +334,12 @@ body LUKSUS /\bluksus\b/i score LUKSUS 4 describe LUKSUS Luksus +# disabled by don; was causing false positives +# probably needs to be modified to check if it really is ironport # blarson 2008-09-22 -header XIRONPORT X-IronPort-Anti-Spam-Filtered =~ /true/ -describe XIRONPORT claims to be ironport filtered -score XIRONPORT 2.5 +# header XIRONPORT X-IronPort-Anti-Spam-Filtered =~ /true/ +# describe XIRONPORT claims to be ironport filtered +# score XIRONPORT 2.5 # blarson 2008-10-13 header AUTORESPON subject =~ /Auto_response/ 
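Review bot: CTINLINE will most likely stop matching after the move to `full`, because `^` without the `/m` modifier anchors only at the start of the whole message, whereas the `rawbody` pattern was applied to much shorter pieces of text. The same applies to `full RTF_ATTACH /^Content-Disposition:.+name=.+\.(rtf|doc)/i` in the last hunk, which would also leave the RTF_SPAM meta unable to fire. Add the modifier, e.g. `full CTINLINE /^Content\-Disposition\: inline\;/m`. The trailing `\b` after `\;` also looks unintended, since it requires a word character directly after the semicolon and so misses `inline; filename=...`. Running `spamassassin --lint` and testing against a sample message with an inline part would confirm both rules.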
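Review bot: OUTOFOFFICE_BACK scores 3 on the unanchored phrase `will be back` anywhere in the body, which ordinary correspondence will hit, and it reuses the description of OUTOFOFFICE so the two are indistinguishable in a report. A genuine auto-reply containing both phrases now collects 6 from what is effectively one signal. Give the rule its own description, e.g. `describe OUTOFOFFICE_BACK Auto-reply phrase: will be back`. Then either lower its score or keep the phrase as a low-scoring sub-rule and combine it with OUTOFOFFICE in a `meta`.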
@@ -367,7 +367,227 @@ full HTML_NBSP /(\ ){3,}/ describe HTML_NBSP Lots of   score HTML_NBSP 2 -# don 2009-02-05 -body QMAILBOUNCE /This\s*is\s*the\s*qmail-send\s*program/i -describe QMAILBOUNCE Stupid qmail bounces; we don't want them -score QMAILBOUNCE 2 +# blarson 2009-02-19 +header ENTIST subject =~ /(?:e.?entist|o.?ctor)/i +describe ENTIST (D)entit/(D)octor +score ENTIST 2 + +header THREADTOPIC thread-topic =~ /./i +describe THREADTOPIC Has a thread topic header +score THREADTOPIC 2 + +# [2009-04-14 cord] +# replacing old aol-rules from rc.spam + +header AOL_SPAM1 from =~ /[0-9].*\@([^\@]+\.)?aol\.com/i +describe AOL_SPAM1 possible AOL-pretending spam, matching rule 1 +score AOL_SPAM1 1 + +header AOL_SPAM2 from =~ /...........*\@([^\@]+\.)?aol\.com/i +describe AOL_SPAM2 possible AOL-pretending spam, matching rule 2 +score AOL_SPAM2 1 + +header AOL_SPAM3 from =~ /.?.?\@([^\@]+\.)?aol\.com/i +describe AOL_SPAM3 possible AOL-pretending spam, matching rule 3 +score AOL_SPAM3 1 + +header AOL_SPAM4 from =~ /[^a-zA-Z0-9]+.*\@([^\@]+\.)?aol\.com/i +describe AOL_SPAM4 possible AOL-pretending spam, matching rule 4 +score AOL_SPAM4 1 + +# blarson 2009-04-15 +body WEBMAIL /\bwebmail\b/i +describe WEBMAIL webmail +score WEBMAIL 1 + +# blarson 2009-04-17 +header REFNO subject =~ /\bref no\b/i +describe REFNO Ref No +score REFNO 2 + +# blarson 2009-05-26 +header INFOCOUK to =~ /\b(?:info|winner|loan|lotto|grant|win)\@(?:info\.|winner\.|loan\.|lotto\.|hotmail\.|grant\.|win\.|yahoo\.|)(?:co\.uk|net|com|org)\b/ +describe INFOCOUK to info@co.uk +score INFOCOUK 3 + +# blarson 2009-05-27 +body EXITAT /\b(?:exit|rembox)\@(?:datalistsource|listsourcesworld|BestAccurateReliable|expertdatasystems|bestbizlists)\.\b/i +describe EXITAT exit@datalistsource.com +score EXITAT 3 + +# blarson 2009-06-05 +header TOINFO to =~ /\binfo\@/ +describe TOINFO to info@ +score TOINFO 1 + +# don 2009-07-06 +header CONSTCONTACT X-Mailer =~ /Constant Contact/i +describe CONSTCONTACT Mail comming from 
constant contact, which doesn't require double opt-in +score CONSTCONTACT 5 + +# blarson 2009-08-16 +meta CTBDN (CT_IMAGE && MIXEDBDN) +describe CTBDN CT_IMAGE && MIXEDBDN +score CTBDN 0.5 + +# don 2009-09-22 +body NUMEMAIL /\d{3,}\s+emails?/i +describe NUMEMAIL Mail which mentions some number of e-mail addresses +score NUMEMAIL 2 + +# don 2009-11-25 +header YAHOOCALENDAR X-Yahoo-Calendar-IId: =~ /./ +describe YAHOOCALENDAR Mail comming from yahoo calendar, which spams us with updates +score YAHOOCALENDAR 5 + +# alex 2009-12-05 +header TLOTTERY subject =~ /Ticket no: [0-9]+/i +describe TLOTTERY Lottery spam +score TLOTTERY 3 + +# alex 2009-12-05 +header GLOTTERY subject =~ /Google_L_o_t_t_e_r_y_W_i_n_n_e_r_s/i +describe GLOTTERY Google Lottery spam +score GLOTTERY 3 + +# alex 2009-12-16 +header DOTNET subject =~ /Planning a Website Design\? Updates/ +describe DOTNET .NET Spam +score DOTNET 3 + +# blarson 2010-02-02 +body REMBOX /\b(?:rembo[xt]|disappear|stopping|delrem|remfiles?|exit|takemeoff|offthelist|purgefile)\s?\@/ +describe REMBOX rembox +score REMBOX 3 + +# formorer 2010-01-23 +header LONGTO to =~ /([\S]+, ){15,}/ +describe LONGTO very long To line +score LONGTO 3 + +# formorer 2010-01-25 +header VAULAS subject =~ /cursos video aulas video/i +describe VAULAS some spanish video spam +score VAULAS 3 + +# blarson 2010-01-28 +header FROMWWW from =~ /\bwww\./i +describe FROMWWW from www.whatever +score FROMWWW 3 + +# blarson 2010-02-16 +header FROMCASINO from =~ /\bcasino/i +describe FROMCASINO from casino +score FROMCASINO 3 + +# don 2010-06-10 +header CTOCTET_STREAM Content-Type =~ /octet-stream/i +describe CTOCTET_STREAM Content type is octet-stream +score CTOCTET_STREAM 0.5 + +full RTF_ATTACH /^Content-Disposition:.+name=.+\.(rtf|doc)/i +describe RTF_ATTACH Contains an RTF or DOC Attachment +score RTF_ATTACH 2 + +meta RTF_SPAM CTOCTET_STREAM && RTF_ATTACH +describe RTF_SPAM Content type is octet-stream and has an RTF Attachment +score RTF_SPAM 3 + +# blarson 
2010-10-11 +header WORDDIGDIG subject =~ /^\w{3,}\s+\d\s\d\s*$/ +describe WORDDIGDIG Word digit digit subject +score WORDDIGDIG 3 + +# don 2011-06-06 +header BRACE_SUBJECT Subject =~ /^\[\ [a-z0-9]{16}]\ / +describe BRACE_SUBJECT 16 length word in braces in the subject +score BRACE_SUBJECT 4 + +# formorer 2011-08-12 +header COMPTESFR subject =~ /concernant Compte SFR/i +describe COMPTESFR concernant Compte SFR +score COMPTESFR 3 + +# formorer 2012-02-02 +header BACKTOME subject =~ /Please get back to me/i +describe BACKTOME Phrase get back to me +score BACKTOME 4 + +# formorer 2012-12-10 +header STEEL subject =~ /stainless steel cookware/i +describe STEEL who need steel cookware? +score STEEL 4 + +# blarson 2012-02-23 +header SINGLES subject =~ /\bsingles\b/i +describe SINGLES singles +score SINGLES 4 + +header CMAEOUT X-CMAE-OUT-Score =~ /.+/ +describe CMAEOUT Cmae out +score CMAEOUT 3.5 + +# blarson 2012-05-05 +body FBPHOTO /\b(photo|pict?|image)\s+on\s+(fb|facebook)\b/i +describe FBPHOTO facebook photo +score FBPHOTO 4 + +header TRADEME subject =~ /Can you afford not to trade/ +describe TRADEME we don't trade +score TRADEME 4 + +# cord 2013-11-09 +header PHPMAILER X-Mailer =~ /PHPMailer/ +describe PHPMAILER X-Mailer: PHPMailer +score PHPMAILER 2 + +# formorer 2013-11-24 +header FROMTWOO from =~ /twoomail\.com/i +describe FROMTWOO from twoomail +score FROMTWOO 3 + +# formorer 2014-07-31 +header FROMCHICEXECS from =~ /ChicExecs/i +describe FROMCHICEXECS from ChicExecs +score FROMCHICEXECS 3 + +# formorer 2014-08-06 +header LHELMOND from =~ /Luke Helmond/i +describe LHELMOND from Luke Helmond +score LHELMOND 4 + +# formorer 2014-08-06 +header MAILCHIMP X-Mailer =~ /MailChimp Mailer/i +describe MAILCHIMP X-Mailer: MailChimp Mailer +score MAILCHIMP 3 + +# formorer 2014-08-29 +body AVERMITTLUNG /Arbeitsvermittlungsagentur/i +describe AVERMITTLUNG Arbeitsvermittlungsagentur +score AVERMITTLUNG 4 + +# formorer 2014-08-29 +body BEWSCHREIBEN /Bewerbungsschreiben/i 
+describe BEWSCHREIBEN Bewerbungsschreiben +score BEWSCHREIBEN 4 + +# formorer 2014-08-30 +header FREELNCMR subject =~ /Freelancer Online Marketing/ +describe FREELNCMR Freelancer Online Marketing +score FREELNCMR 4 + +# formorer 2014-09-03 +header SOLUCIONESAMB subject =~ /SOLUCIONES AMBIENTALES: FIN AL MAL OLOR CON ENZILIMP/ +describe SOLUCIONESAMB SOLUCIONES AMBIENTALES: FIN AL MAL OLOR CON ENZILIMP +score SOLUCIONESAMB 5 + +# formorer 2014-11-17 +header LYMBOO from =~ /\@lymboomail/ +describe LYMBOO lymboomail learning spam +score LYMBOO 5 + +# formorer 2015-05-14 +header LEARDINI from =~ /\@leardinigroup.com/ +describe LEARDINI Microbiologia (SIM) spam +score LEARDINI 5 +
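Review bot: The four AOL_SPAM rules match nearly every aol.com sender rather than suspicious local parts, because they run unanchored against the whole From header. In AOL_SPAM3 `.?.?` can match nothing, so the rule reduces to `\@([^\@]+\.)?aol\.com`; AOL_SPAM1 and AOL_SPAM2 count display-name characters, and AOL_SPAM4 is satisfied by the space, quote or `<` that precedes most addresses. `aol\.com` is also unanchored on the right, so unrelated domains such as `aol.com.example.org` are flagged too. Matching on the address alone with both anchors expresses the stated intent, e.g. `header AOL_SPAM3 From:addr =~ /^.{1,2}\@(?:[^\@]+\.)?aol\.com$/i`, and likewise for the other three.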