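# SpamAssassin rules file: known spam mailers
#
# Sometimes these leave 'sent by mailername' fingerprints in the
# headers, which provide a nice way for us to catch them.
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
###########################################################################

# Each rule below is a "header" line (the test) followed by a "describe"
# line (the text shown in reports). Most tests match the X-Mailer header,
# which is written by the sending software: a hit is a useful signal, but
# the absence of a hit says nothing about the message.

header   RATWARE_EGROUPS        X-Mailer =~ /eGroups Message Poster/
describe RATWARE_EGROUPS        Bulk email software fingerprint (eGroups) found in headers

# The whole X-Mailer value is one run of 16 or more letters, digits, dots or
# underscores.
header   RATWARE_HASH_2         X-Mailer =~ /^[A-Za-z0-9\._]{16,}$/
describe RATWARE_HASH_2         Bulk email software fingerprint (hash 2) found in headers

# Same test with a lower bound of 14. Every value that hits RATWARE_HASH_2
# also hits this rule, so both scores apply to such a message.
header   RATWARE_HASH_2_V2      X-Mailer =~ /^[A-Za-z0-9\._]{14,}$/
describe RATWARE_HASH_2_V2      Bulk email software fingerprint (hash 2 v2) found in headers

header   RATWARE_JPFREE         X-Mailer =~ /jpfree Group Mail Express/
describe RATWARE_JPFREE         Bulk email software fingerprint (jpfree) found in headers

header   RATWARE_VC_IPA         X-Mailer =~ /2\.0-b55-VC_IPA/
describe RATWARE_VC_IPA         Bulk email software fingerprint (VC_IPA) found in headers

# Note that the tests which look at the "ALL" pseudoheader are slower than
# the specific header.
# An ALL test is not limited to X-Mailer: the phrase matches wherever it
# appears in the headers, so short phrases such as the one below are more
# prone to false positives than the X-Mailer tests.
header   RATWARE_GROUPMAIL      ALL =~ /Group Mail/
describe RATWARE_GROUPMAIL      Bulk email software fingerprint (Group Mail) found in headers

header   RATWARE_GR             X-Mailer =~ /GRMessageQueue/
describe RATWARE_GR             Bulk email software fingerprint (GRMessageQueue) found in headers

# Accepts both "Outlook" and "OutLook" spellings with the version 3.14159.
header   RATWARE_OE_PI          X-Mailer =~ /Out[Ll]ook Express 3\.14159/
describe RATWARE_OE_PI          X-Mailer contains "OutLook Express 3.14159"

header   RATWARE_STORM          X-Mailer =~ /StormPost/
describe RATWARE_STORM          Bulk email software fingerprint (StormPost) found in headers

header   RATWARE_JIXING         X-Mailer =~ /JiXing .{0,30}Design By JohnnieHuang/
describe RATWARE_JIXING         Bulk email software fingerprint (JiXing) found in headers

# The header *value* starts with the header name, i.e. the raw header reads
# "X-Mailer: X-Mailer: ...".
header   RATWARE_SCREWUP_1      X-Mailer =~ /^X-Mailer: /
describe RATWARE_SCREWUP_1      Bulk email software fingerprint (screwup 1) found in headers

header   RATWARE_MMAILER        X-Mailer =~ /MMailer v3\.0/
describe RATWARE_MMAILER        Bulk email software fingerprint (MMailer) found in headers

# Anchored at both ends: "Microsoft Outlook Express", a four-part version
# whose first part is a single digit, one word, and nothing else.
header   RATWARE_OE_MALFORMED   X-Mailer =~ /^Microsoft Outlook Express \d(?:\.\d+){3} \w+$/
describe RATWARE_OE_MALFORMED   X-Mailer contains malformed Outlook Express version

header   RATWARE_EVAMAIL        X-Mailer =~ /EVAMAIL/
describe RATWARE_EVAMAIL        Bulk email software fingerprint (EVAMAIL) found in headers

# The header value starts with ": ", i.e. a doubled separator after the name.
header   RATWARE_SCREWUP_2      X-Mailer =~ /^: /
describe RATWARE_SCREWUP_2      Bulk email software fingerprint (screwup 2) found in headers

header   RATWARE_IMKTG          ALL =~ /Internet Marketing/
describe RATWARE_IMKTG          Bulk email software fingerprint (IMktg) found in headers

# Matches the literal text "{%xmailer%}" (presumably a template tag the
# sending tool never filled in). The braces are escaped so the pattern is a
# plain literal on every Perl version; the set of matching strings is the
# same as for the unescaped form.
header   RATWARE_XMAILER        X-Mailer =~ /\{%xmailer%\}/
describe RATWARE_XMAILER        Bulk email software fingerprint (xmailer tag) found in headers

header   RATWARE_POWERC         X-Mailer =~ /PowerCampaign/
describe RATWARE_POWERC         Bulk email software fingerprint (PowerCampaign) found in headers

header   RATWARE_DIFFOND        ALL =~ /DiffondiCool/
describe RATWARE_DIFFOND        Bulk email software fingerprint (DiffondiCool) found in headers

# \Q...\E quotes the parentheses, so this is the literal text "charset(89)".
header   RATWARE_CHARSET        X-Mailer =~ /\Qcharset(89)\E/
describe RATWARE_CHARSET        Bulk email software fingerprint (charset) found in headers

header   RATWARE_CHARSET_V2     X-Mailer =~ /^normal \W \W\s*charset.*=\"/
describe RATWARE_CHARSET_V2     Bulk email software fingerprint (charset 2) found in headers

header   RATWARE_CARETOP        X-Mailer =~ /Caretop 2604/
describe RATWARE_CARETOP        Bulk email software fingerprint (Caretop) found in headers

# The entire value is the lower-case word "outlook" (case-sensitive match).
header   RATWARE_LC_OUTLOOK     X-Mailer =~ /^outlook$/
describe RATWARE_LC_OUTLOOK     Bulk email software fingerprint ("outlook") found in headers

header   RATWARE_V3161          ALL =~ /V3,1,6,1/
describe RATWARE_V3161          Bulk email software fingerprint (V3161) found in headers

# This one inspects Received headers rather than X-Mailer.
header   RATWARE_EMWAC          Received =~ /EMWAC SMTPRS/
describe RATWARE_EMWAC          Bulk email software fingerprint ("EMWAC SMTPRS") found in headers

# "!" ... "#" ... "*" in that order. The "#" stays escaped: an unescaped "#"
# starts a comment in a rules file.
header   RATWARE_BANG_HASH      X-Mailer =~ /!.*\#.*\*/
describe RATWARE_BANG_HASH      Bulk email software fingerprint (bang-hash) found in headers

# Value starts with digit, dot, two digits. Only the start is anchored, so
# anything may follow.
header   RATWARE_FLOAT          X-Mailer =~ /^\d\.\d\d/
describe RATWARE_FLOAT          Bulk email software fingerprint (float) found in headers

# The only case-insensitive test in this file (/i).
header   RATWARE_DIRECT_EMAIL   X-Mailer =~ /Direct Email/i
describe RATWARE_DIRECT_EMAIL   Bulk email software fingerprint (Direct Email) found in headers

###########################################################################
# Now, detect forgeries of real MUAs
#
# Pattern used below: one subrule recognises the claimed mail client in
# X-Mailer, another recognises the Message-ID layout that client generates,
# and the meta rule fires when the client is claimed but the Message-ID does
# not fit. Names starting with "__" are subrules; none of them has a
# "describe" line here and they are only used inside the meta expressions.
# All Message-ID patterns use /m, so ^ and $ anchor at line boundaries
# inside the MESSAGEID value.

# Dec 17 2002 jm: this means "message ID is either too old or has been
# rewritten by a gateway". Made into an eval test since meta tests cannot
# (yet) chain from other meta tests.
header   __UNUSABLE_MSGID       eval:check_messageid_not_usable()

# The Bat! forgeries
# NOTE(review): unlike the AOL, IMS, Outlook, Outlook IMO and Eudora metas
# below, this meta does not exclude __UNUSABLE_MSGID, so a Message-ID that a
# gateway rewrote can trigger it on genuine The Bat! mail. Confirm whether
# that is intended before relying on its score.
header   __THEBAT_MUA           X-Mailer =~ /The Bat!/
header   __THEBAT_MSGID         MESSAGEID =~ /^<\d+\.\d+\@\S+>$/m
meta     FORGED_MUA_THEBAT      (__THEBAT_MUA && !__THEBAT_MSGID)
describe FORGED_MUA_THEBAT      Forged mail pretending to be from The Bat!

# forgeries of MSN Explorer. See "20_anti_ratware.cf" for the meta subrules
# (__USER_AGENT_MSN, __HAS_XOAT and __HAS_XOIP are not defined in this file.)
meta     FORGED_MUA_MSN         (__USER_AGENT_MSN && (!__HAS_XOAT || !__HAS_XOIP))
describe FORGED_MUA_MSN         Forged mail pretending to be from MSN

# AOL
# The dot in "aol\.com" is escaped. Left bare it matches any character, so a
# Message-ID ending in e.g. "@aolxcom" would have been accepted as a genuine
# AOL id and the forgery rule would not have fired for it.
header   __AOL_MUA              X-Mailer =~ /\bAOL\b/
header   __AOL_MSGID            MESSAGEID =~ /^<[0-9a-f]{1,3}\.[0-9a-f]{6,8}\.[0-9a-f]{8}\@aol\.com>$/m
meta     FORGED_MUA_AOL         (__AOL_MUA && !__UNUSABLE_MSGID && !__AOL_MSGID)
describe FORGED_MUA_AOL         Forged mail pretending to be from AOL

# Internet Mail Service
header   __IMS_MUA              X-Mailer =~ /Internet Mail Service/
header   __IMS_MSGID            MESSAGEID =~ /^<[A-F\d]{36,40}\@\S+>$/m
meta     FORGED_MUA_IMS         (__IMS_MUA && !__UNUSABLE_MSGID && !__IMS_MSGID)
describe FORGED_MUA_IMS         Forged mail pretending to be from IMS

# Outlook
# Note: this uses __IMS_MSGID from above
# The negative lookahead keeps "Outlook IMO" and "Outlook Express Mac" out of
# this rule; Outlook IMO has its own rule below. Three Message-ID layouts are
# accepted as genuine: the two defined here and the IMS one.
header   __OUTLOOK_MUA          X-Mailer =~ /\bOutlook\b(?! IMO| Express Mac)/
header   __OUTLOOK_MSGID_1      MESSAGEID =~ /^<[0-9a-f]{12}\$[0-9a-f]{8}\$[0-9a-f]{8}\@\S+>$/m
header   __OUTLOOK_MSGID_2      MESSAGEID =~ /^<(?:OE[0-9A-Za-z]{25}|DAV[0-9A-Za-z]{24})\@hotmail\.com>$/m
meta     FORGED_MUA_OUTLOOK     (__OUTLOOK_MUA && !__UNUSABLE_MSGID && !(__OUTLOOK_MSGID_1 || __OUTLOOK_MSGID_2 || __IMS_MSGID))
describe FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook

# Outlook IMO (Internet Mail Only)
header   __OIMO_MUA             X-Mailer =~ /Outlook IMO/
header   __OIMO_MSGID           MESSAGEID =~ /^<[A-P]{26}A[AB]\.[-_\w.]+\@\S+>$/m
meta     FORGED_MUA_OIMO        (__OIMO_MUA && !__OIMO_MSGID && !__UNUSABLE_MSGID)
describe FORGED_MUA_OIMO        Forged mail pretending to be from MS Outlook IMO

# QUALCOMM Eudora
# The meta below skips Eudora for Macintosh, "Eudora Pro Version 1-4", and
# "Eudora [Pro|Light] Version 1-4" when the X-Mailer does not also contain
# "QUALCOMM"; it also skips mail that hits X_LOOP or X_MAILING_LIST.
header   __EUDORA_MUA           X-Mailer =~ /\b(?:QUALCOMM|Eudora)\b/
header   __MAC_EUDORA_MUA       X-Mailer =~ /Eudora for Macintosh/
header   __OLD_EUDORA1          X-Mailer =~ /Eudora\s+Pro\s+Version\s+[1-4]\.\b/
header   __OLD_EUDORA2          X-Mailer =~ /\bEudora\s+(?:(?:Pro|Light)\s+)?Version\s+[1-4]\.\b/
header   __QUALCOMM             X-Mailer =~ /\bQUALCOMM\b/
header   __EUDORA_MSGID         MESSAGEID =~ /^<(?:\d\d?\.){4,5}\d{14}\.[a-f0-9]{8}\@\S+>$/m
# Note: uses X_LOOP and X_MAILING_LIST as subrules
meta     FORGED_MUA_EUDORA      (__EUDORA_MUA && !__EUDORA_MSGID && !__UNUSABLE_MSGID && !X_LOOP && !X_MAILING_LIST && !__MAC_EUDORA_MUA && !__OLD_EUDORA1 && !(__OLD_EUDORA2 && !__QUALCOMM))
describe FORGED_MUA_EUDORA      Forged mail pretending to be from Eudora

# Mutt
# __USER_AGENT_MUTT and __VALID_MUTT_MSGID are not defined in this file.
# NOTE(review): this meta has no __UNUSABLE_MSGID term; whether the subrules
# already cover rewritten Message-IDs cannot be told from here.
meta     FORGED_MUA_MUTT        __USER_AGENT_MUTT && !__VALID_MUTT_MSGID
describe FORGED_MUA_MUTT        Forged mail pretending to be sent from Mutt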