#
# Ruleset to match fill-in-this-form body text
# common in scams and loan spams
# occasional in phishing
#
# Requires multipass ReplaceTags plugin
#
# If you are using this with 3.2.5, make sure you get this as well:
# http://svn.apache.org/viewvc/spamassassin/branches/3.2/lib/Mail/SpamAssassin/Plugin/ReplaceTags.pm
#
# <jhardin@impsec.org>
# $Id$
#

ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

  # Repetitive syntactic bits
  replace_tag FF_LNNO   (?:(?:\d+[)}\]:.,]+|\W?\(\d+\)|\W?\{\d+\}|\[\d+\]|\*{1,5}|\#{1,5}|[A-K][)}\]:.,])\s?)
  replace_tag FF_YOUR   (?:a?\s?copy\sof\s)?(?:your[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full\s?|complete\s|direct\s|private\s|valid\s|personal\s){0,3}
  replace_tag ANDOR     (?:\s?[\/&+,]\s?|\sor\s|\sand\s)
  replace_tag NUMBER    (?:num(?:ber)?s?|nos?\.|no\b|\#s?|nbrs?\.?)
  replace_tag FF_SUFFIX (?:\sin\s(?:full|words))?:?(?:\s?[({][^)}]{1,30}[)}])?
  replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*]|&\#\d+;){3,80}\s?){1,})
  replace_tag FF_BLANK2 (?:[\s\W]{0,3}(?:[-=_.,:;*]|&\#\d+;){1,80}\s?)

  # Address variations
  replace_tag FF_A1 (?:(?:ad+res+e?|countr?y|st?ates?|city|province|ter+itory|(?:zip|postal)(?:\s?code)?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))?
  replace_tag FF_A2 (?:(?:contact|e-?mail|full|house|home|resident[ia]+l|business|mailing|work|office|delivery|ship+ing|post(?:al)?)<ANDOR>?){0,3}\s?(?:ad+res+(?:es)?|location)(?:\sline)?(?:\s[0-9])?

  # Name variations
  replace_tag FF_N1 (?:company|first|last|all|business|legal|ben[ei]ficiary)?\s?names?(?:<ANDOR>ad+res+)?

  # Telephone variations
  replace_tag FF_P1 (?:(?:(?:business|contact|fax|voice|cel+(?:ular)?|house|home|mobile|office|tel+e?(?:\s?phone)?|phone)(?:\sphone)?<ANDOR>?){1,3}(?:\s<NUMBER>)?<ANDOR>?){1,3}

  # Misc personal data
  replace_tag FF_M1 (?:(?:age|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\sof\s)?birth|religion|nationality|email|next\sof\skin)<ANDOR>?){1,3}

  # Loan application details
  replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profession|occup[ae]tion(?:\/position)?|(?:monthly|annual)?\s?income|annual\sturn\s?over|purpose\sof\sl(?:oa|ao)n|l(?:oa|ao)n\sduration|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?)

  # Financial/ID details (scams and phishing)
  replace_tag FF_F1 (?:(?:bank|beneficiary|billing|acc(?:oun)?t|a\/c|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|<NUMBER>)<ANDOR>?){1,3}
  replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(:?en[sc]e)?|pass\s?port|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?|id\scard)<ANDOR>?){1,3}(?:\s<NUMBER>)?
  replace_tag FF_F3 (?:picture|(?:e-?mail\s)?password|e-?mai?l\sid|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|amount\s[\w\s]{0,30}lost[\w\s]{0,15})
  replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names?
  replace_tag FF_F5 (?:reference|batch|winning)\s?<NUMBER>

  # All variations together
  replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_L1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)

  # 5+ fields (high reliability)
  # Leave this exposed, it's a fairly good spam sign by itself
  body     FILL_THIS_FORM_LONG /(?:<FF_LNNO>?<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){5,}/i
  replace_rules   FILL_THIS_FORM_LONG
  describe FILL_THIS_FORM_LONG    Fill in a form with personal information
  score    FILL_THIS_FORM_LONG    1.00

  # 5+ fields that body paragraph processing didn't paste together
  body     __FILL_THIS_FORM_PARTIAL /^\s*<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20){1,4}$)/im
  replace_rules   __FILL_THIS_FORM_PARTIAL
  tflags   __FILL_THIS_FORM_PARTIAL multiple
  rawbody  __FILL_THIS_FORM_PARTIAL_RAW /^\s*<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20|&nbsp;|<\/\w+>){0,4}$)/im
  replace_rules   __FILL_THIS_FORM_PARTIAL_RAW
  tflags   __FILL_THIS_FORM_PARTIAL_RAW multiple

  # 5+ fields in either format
  # For easy use in metas
  meta     FILL_THIS_FORM    (FILL_THIS_FORM_LONG || __FILL_THIS_FORM_PARTIAL > 4 || __FILL_THIS_FORM_PARTIAL_RAW > 4)
  describe FILL_THIS_FORM    Fill in a form with personal information
  score    FILL_THIS_FORM    1.00

  # 3 or 4 fields (low reliability, but still useful in metas
  body     __FILL_THIS_FORM_SHORT /(?:<FF_LNNO>?<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3,}/i
  replace_rules   __FILL_THIS_FORM_SHORT
  meta     FILL_THIS_FORM_SHORT !FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT || __FILL_THIS_FORM_PARTIAL > 2 || __FILL_THIS_FORM_PARTIAL_RAW > 2)
  describe FILL_THIS_FORM_SHORT Fill in a short form with personal information
  score    FILL_THIS_FORM_SHORT 0.25

  # Add to score if loan question is present
  body     __FILL_THIS_FORM_LOAN /<FF_YOUR><FF_L1><FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
  replace_rules   __FILL_THIS_FORM_LOAN
  describe FILL_THIS_FORM_LOAN Answer loan question(s)
  meta     FILL_THIS_FORM_LOAN FILL_THIS_FORM && __FILL_THIS_FORM_LOAN
  score    FILL_THIS_FORM_LOAN 0.50

  # Add to score if fraud/phishing question is present
  body     __FILL_THIS_FORM_FRAUD_PHISH /<FF_YOUR>(?:<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
  replace_rules   __FILL_THIS_FORM_FRAUD_PHISH
  describe FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
  meta     FILL_THIS_FORM_FRAUD_PHISH (FILL_THIS_FORM || FILL_THIS_FORM_SHORT) && __FILL_THIS_FORM_FRAUD_PHISH
  score    FILL_THIS_FORM_FRAUD_PHISH 1.50

endif   # Mail::SpamAssassin::Plugin::ReplaceTags