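# 08/2009 image spams using specific pattern indicating tbird MUA forgery?
# FP rate is _UNKNOWN_ so do NOT score this rule very high without testing!
# Originally by John Hardin
# with input from Alex Broens and Karsten Bräckelmann
#
# Plugin dependencies: __JPEG_ATTACH needs the MIMEHeader plugin,
# __ONE_IMG / __IMG_LE_300K need the ImageInfo plugin.  Every meta that
# references one of those subrules is kept inside a matching ifplugin/if
# guard so that a setup without the plugin does not end up with metas that
# have undefined dependencies (and lint warnings about them).

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# Any MIME part declaring a JPEG content type.
mimeheader __JPEG_ATTACH Content-Type =~ /image\/jpeg/i

# Thunderbird advertises itself in User-Agent.
header __MUA_TBIRD User-Agent =~ /Thunderbird/
# Boundary of exactly twelve dashes followed by twelve "0[1-9]" digit pairs;
# the pattern observed in the 08/2009 samples, not what Thunderbird generates.
header __MIME_BDRY_0D0D Content-Type =~ /boundary="-{12}(?:0[1-9]){12}/
meta __FORGED_TBIRD_IMG __MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0D
describe __FORGED_TBIRD_IMG Possibly forged Thunderbird image spam
endif

# Additional meta spotted by Alex Broens. Still might FP on legit mail with
# manually typed addresses or undisclosed recipients.
# English and French "undisclosed recipients" placeholders, followed by a colon.
header __TO_UNDISCLOSED To =~ /(?:undisclosed-recipients|destinataires inconnus):/i
# To: contains no "<addr>" form at all: no ">" at the end of the header and
# no ">," between recipients.
# NOTE(review): what this rule does for a message with no To: header at all
# depends on SA's handling of unset headers for "!~"; confirm with lint and
# masscheck before trusting the FP rate.
header __TO_NO_ARROWS_R To !~ /(?:>$|>,)/

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta FORGED_TBIRD_IMG_ARROW __FORGED_TBIRD_IMG && __TO_NO_ARROWS_R && !__TO_UNDISCLOSED
describe FORGED_TBIRD_IMG_ARROW Likely forged Thunderbird image spam
score FORGED_TBIRD_IMG_ARROW 0.8
endif

# Try it against other stuff, too,
# "To without <>" might be useful outside the context of image spam
ifplugin Mail::SpamAssassin::Plugin::ImageInfo
meta TO_NO_BRKTS_HTML_IMG __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMG
score TO_NO_BRKTS_HTML_IMG 0.20
describe TO_NO_BRKTS_HTML_IMG To: misformatted and HTML and one image
endif

meta TO_NO_BRKTS_HTML_ONLY __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLY && !__MIME_QP && !__MSGID_JAVAMAIL && !__HAS_X_MAILER && !__HAS_REPLY_TO && !__CTYPE_CHARSET_QUOTED && !__SUBJECT_ENCODED_B64
score TO_NO_BRKTS_HTML_ONLY 0.20
describe TO_NO_BRKTS_HTML_ONLY To: misformatted and HTML only

# No score here: sandbox rule, left for masscheck to evaluate.
meta TO_NO_BRKTS_DYNIP __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && RDNS_DYNAMIC && !__NAME_IS_EMAIL && !__MSGID_OK_HEX && !__HAS_X_MAILER && !__MIME_QP && !__UNSUB_LINK && !__THREADED && !__HAVE_BOUNCE_RELAYS && !__VIA_ML && !__DOS_RELAYED_EXT
describe TO_NO_BRKTS_DYNIP To: misformatted and dynamic rDNS
tflags TO_NO_BRKTS_DYNIP publish

meta TO_NO_BRKTS_NORDNS __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && RDNS_NONE && !__MANY_RECIPS && !__FROM_RUNON && !__VIA_ML && !__TO___LOWER && !ALL_TRUSTED && !__TO_EQ_FROM_DOM && !__DOS_REF_TODAY
score TO_NO_BRKTS_NORDNS 0.20
describe TO_NO_BRKTS_NORDNS To: misformatted and no rDNS

meta TO_NO_BRKTS_NORDNS_HTML __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && RDNS_NONE && MIME_HTML_ONLY && !__MIME_QP && !__MSGID_JAVAMAIL && !__REPLYTO_EXISTS && !__MSGID_BEFORE_RECEIVED && !__VIA_ML && !__UA_MUTT && !__FROM_FREEMAIL && !__HAS_X_MAILER && !__COMMENT_EXISTS && !__HTML_LENGTH_384
score TO_NO_BRKTS_NORDNS_HTML 0.20
describe TO_NO_BRKTS_NORDNS_HTML To: misformatted and no rDNS and HTML only

meta TO_NO_BRKTS_MSFT __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __HAS_MIMEOLE || __MIMEOLE_MS)
describe TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
score TO_NO_BRKTS_MSFT 0.20

# Note: unlike its siblings this one does not exclude __TO_UNDISCLOSED.
meta TO_NO_BRKTS_PCNT __TO_NO_ARROWS_R && __FB_NUM_PERCNT && !__REPLYTO_EXISTS && !__CTYPE_MULTIPART_ANY && !__SUBJECT_ENCODED_B64 && !__COMMENT_EXISTS && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__MIME_QP && !__ISO_2022_JP_DELIM && !__IMS_MSGID && !__THREAD_INDEX_GOOD && !__RCD_RDNS_MAIL_MESSY && !__TVD_MIME_ATT_TP && !__HAS_X_MAILER && !__DOS_RELAYED_EXT
describe TO_NO_BRKTS_PCNT To: misformatted + percentage
score TO_NO_BRKTS_PCNT 0.20

# No score here: sandbox rule, left for masscheck to evaluate.
meta TO_NO_BRKTS_DIRECT __TO_NO_ARROWS_R && __DOS_DIRECT_TO_MX && !__MIME_QP && !__IS_EXCH && !__THREAD_INDEX_GOOD && !__COMMENT_EXISTS && !__RCD_RDNS_MTA_MESSY && !__CTYPE_HAS_BOUNDARY && !__TVD_SPACE_RATIO && !__THREADED && !__HAVE_BOUNCE_RELAYS && !__FB_DO_NOT_REPLY && !__VBOUNCE_MAILSWEEP3 && !__DEAL && !__RCD_RDNS_MAIL_MESSY && !__UNSUB_LINK
describe TO_NO_BRKTS_DIRECT To: misformatted and direct-to-MX
tflags TO_NO_BRKTS_DIRECT publish

# No score here: sandbox rule, left for masscheck to evaluate.
meta TO_NO_BRKTS_NOTLIST __TO_NO_ARROWS_R && !__VIA_ML && !__UNUSABLE_MSGID && !__THREADED && !__SUBJ_RE && !__MIME_QP && !__COMMENT_EXISTS && !__RCD_RDNS_MAIL_MESSY && !__CTYPE_MULTIPART_ALT && !__MANY_RECIPS && !__DOS_RELAYED_EXT && !__HAS_MIMEOLE && !__THREAD_INDEX_GOOD && !__IMS_MSGID && !__RCD_RDNS_MTA_MESSY && !__MSGID_OK_HOST && !__BOUNCE_RPATH_NULL && !__BOUNCE_STAT_FAIL && !__BOUNCE_CTYPE && !ALL_TRUSTED && !__FB_DO_NOT_REPLY && !__NOT_SPOOFED && !__DEAL
describe TO_NO_BRKTS_NOTLIST To: misformatted and not a mailing list

ifplugin Mail::SpamAssassin::Plugin::FreeMail
# meta TO_NO_BRKTS_FREEMAIL __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
meta TO_NO_BRKTS_FREEMAIL __TO_NO_ARROWS_R && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
score TO_NO_BRKTS_FREEMAIL 0.20
endif

# No describe and no score: sandbox rule, left for masscheck to evaluate.
meta TO_NO_BRKTS_FROM_RUNON __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && __FROM_RUNON && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP

meta TO_NO_BRKTS_FROM_MSSP __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP
score TO_NO_BRKTS_FROM_MSSP 1.00
describe TO_NO_BRKTS_FROM_MSSP Multiple formatting errors

# The boundary *does* FP on legit mail. However, all of KB's recent samples
# have another thing in common -- direct MUA to MX spam! Most unlikely with
# an MUA like Thunderbird.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta FORGED_TBIRD_IMG_TO_MX __FORGED_TBIRD_IMG && __DOS_DIRECT_TO_MX
describe FORGED_TBIRD_IMG_TO_MX Likely forged Thunderbird image spam
score FORGED_TBIRD_IMG_TO_MX 2.5
endif

# Another constraint. No tiny images, and larger ones up to "less than
# 640x480", as observed in the wild.
ifplugin Mail::SpamAssassin::Plugin::ImageInfo
# Exactly one image in the message (min 1, max 1).
body __ONE_IMG eval:image_count('all',1,1)
# Total pixel coverage between the eval's min/max of 62500 and 300000
# (640x480 would be 307200, hence "less than 640x480").
body __IMG_LE_300K eval:pixel_coverage('all',62500,300000)
endif

# Needs both plugins: __FORGED_TBIRD_IMG / __JPEG_ATTACH come from MIMEHeader,
# __ONE_IMG / __IMG_LE_300K from ImageInfo.
if plugin(Mail::SpamAssassin::Plugin::ImageInfo) && plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
meta FORGED_TBIRD_IMG_SIZE __FORGED_TBIRD_IMG && __ONE_IMG && __IMG_LE_300K
describe FORGED_TBIRD_IMG_SIZE Likely forged Thunderbird image spam
score FORGED_TBIRD_IMG_SIZE 0.8

# Try some combinations not related to tbird forgery
meta IMG_DIRECT_TO_MX __DOS_DIRECT_TO_MX && __JPEG_ATTACH && __ONE_IMG && __IMG_LE_300K
score IMG_DIRECT_TO_MX 0.20
endif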