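# SpamAssassin-style rule definitions: header / uri / rawbody tests, each
# followed by its describe line and preceded by the date it was added.
#
# Layout: one directive per line. An unescaped '#' starts a comment that runs
# to the end of the line, so a directive that shares a line with a date
# comment is never parsed as a rule.
#
# Scoring: the only score lines here are commented out, so every active rule
# falls back to the engine's default score unless one is assigned elsewhere.
# NOTE(review): confirm where scores for these rules are set.
#
# Trust: most tests below read headers written by the sending side
# (X-Mailer, X-Mail-Agent, From, Message-ID, X-PHP-*, x-aol-*). They are
# fingerprints of particular tools or forgeries, not authenticated facts;
# a sender can add or omit any of them.
#
# Check syntax after editing with: spamassassin --lint

# 2012-01-07
header AXB_XMA_BASP X-Mail-Agent =~ /^BASP21/
describe AXB_XMA_BASP Mailer fingerprint

# 2012-01-05
# NOTE(review): nothing in this rule verifies that the disposition header was
# added by AOL rather than by the sender; same for AXB_X_AOL_SEZ_S below.
header AXB_X_AOL_SEZ_G x-aol-global-disposition =~ /^G$/
describe AXB_X_AOL_SEZ_G AOL said this is G

# 2012-01-04
header AXB_X_AOL_SEZ_S x-aol-global-disposition =~ /^S$/
describe AXB_X_AOL_SEZ_S AOL said this is S

# 2012-01-01
# NOTE(review): the character after the backslash looks like a high byte
# (0xA1) that may have been re-encoded in transit; confirm the file encoding,
# or spell the byte as an explicit \x escape so the pattern survives copying.
uri AXB_URI_BIG5 /\¡[CDO]/
describe AXB_URI_BIG5 Uri contains big5 encoding

# 2011-12-27
header AXB_XM_BULK_SECTRANS X-Mailer =~ /\bSecure\-Transmitter\b/
describe AXB_XM_BULK_SECTRANS Bulk mail tool

# 2011-12-08
header AXB_XM_BULK_SB X-Mailer =~ /SendBlaster/
describe AXB_XM_BULK_SB Bulk mail tool

# 2011-11-16
header AXB_XRCVD_OWN3D_FW Received =~ /\bmy\.firewall\b/
describe AXB_XRCVD_OWN3D_FW Possibly abused consumer device

# 2011-11-01
header AXB_AOLIP_CONFUSED X-AOL-IP =~ /^[a-z0-9\-]{7,25}$/
describe AXB_AOLIP_CONFUSED Confused IP

# 2011-11-01
header AXB_XFR_FKTWT From =~ /\@postmaster\.twit-\w+\.com\>/
describe AXB_XFR_FKTWT Suspicious bird

# 2011-10-28
header AXB_XF_34X_BLAH From =~ /\@(?:[a-z]{3,15}[0-9]{1,4}\.){3,4}/
describe AXB_XF_34X_BLAH Dicey From

# 2011-10-18
# Matches a ".c0m" (digit zero) address inside the From display name.
header AXB_FR0M_FAKE From:name =~ /\@\w+\.c0m/
describe AXB_FR0M_FAKE Forged domain in name

# 2011-09-26
rawbody AXB_B_RAW_CTRLCLICK /\bControl\.invoke\(\'MessagePartBody\'\,\'_onBodyClick\'\,event\)\;\"\>/
describe AXB_B_RAW_CTRLCLICK Suspicious fingerprint

# 2011-09-14 - Suggested by rfg / patternity
header AXB_XM_SENTBY exists:X-Mailer-Sent-By
describe AXB_XM_SENTBY Ratware fingerprint

# 2011-09-14
header AXB_XPHP_ORISCRIPT_RC X-PHP-Originating-Script =~ /0\:func\.inc/
describe AXB_XPHP_ORISCRIPT_RC Possibly hacked webmail

# 2011-08-02
header AXB_XM_QCVR X-Mailer =~ /\bQuickConveyor\b/
describe AXB_XM_QCVR Bulk fingerprint

# 2011-07-27
# header AXB_XRCVD_XYZCRP Received =~ /\(envelope\-sender \<\#\@\[\]\>\)/
# describe AXB_XRCVD_XYZCRP sender fingerprint

# 2011-07-08
# Five fingerprints of mail claiming a ctrip.com origin, one per sending path
# named in the describe text (apache, postfix, exim, php, rcvd).
header AXB_XRCVD_APACHE_CTRIP Received =~ /\bfrom apache by ctrip\.com\b/i
describe AXB_XRCVD_APACHE_CTRIP possibly forged ctrip sender - apache

# NOTE(review): the '.' between the two character groups is unescaped and so
# matches any character; confirm whether a literal '.' was intended.
header AXB_XMID_PFIX_CTRIP Message-ID =~ /\<[A-F0-9]{8}.[0-9]{6}\@ctrip\.com\>/
describe AXB_XMID_PFIX_CTRIP possibly forged ctrip sender - postfix

header AXB_XMID_EXIM_CTRIP Message-ID =~ /\<[A-F0-9]{32}\@ctrip\.com\>/
describe AXB_XMID_EXIM_CTRIP possibly forged ctrip sender - exim

header AXB_X_PHPS_CTRIP X-PHP-Script =~ /\bctrip\.com\/sendmail\.php\b/
describe AXB_X_PHPS_CTRIP possibly forged ctrip sender - php

header AXB_XRCVD_FRMCTRIP Received =~ /from ctrip\.com\b/
describe AXB_XRCVD_FRMCTRIP possibly forged ctrip sender - rcvd
#

# 2011-07-05
rawbody AXB_SSCECCF /\bSandboxScopeClass ExternalClass\b/
describe AXB_SSCECCF unidentified fingerprint

# 2011-06-28
header AXB_X_GOOGRP_DIRADD X-Google-Loop =~ /^sub_directadd$/
describe AXB_X_GOOGRP_DIRADD Google Groups: You've been added to spammy group?

#2011-06-05
header AXB_XRCVD_EYOU_SEND Received =~ /\(eyou send program\)/
describe AXB_XRCVD_EYOU_SEND fingerprint
#score AXB_XRCVD_EYOU_SEND 1.0

# 2011-06-02
# Matches a MimeOLE header whose version string is cut off right after "V".
header AXB_XMIME_OLEV X-MimeOLE =~ /Produced By Microsoft MimeOLE V$/
describe AXB_XMIME_OLEV fingerprint
#score AXB_XMIME_OLEV 0.1

# 2011-06-01
header AXB_XM_RCVD_ZERO Received =~ /^from 0\./
describe AXB_XM_RCVD_ZERO fingerprint
#score AXB_XM_RCVD_ZERO 1.5

# Tests the relay metadata pseudo-header rather than a raw message header;
# the helo= value it carries is still whatever the connecting host announced.
# The alternation is non-capturing, matching the (?:...) style used in
# AXB_XF_34X_BLAH; the set of strings matched is unchanged.
header AXB_HELO_HOME_UN X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\w+\.(?:lan|home) /i
describe AXB_HELO_HOME_UN HELO from home - untrusted
#score AXB_HELO_HOME_UN 1.0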