##
## SpamAssassin rule file (AXB_* fingerprint rules), restored to one directive
## per line. "header", "body", "rawbody" and "uri" test the named part of the
## message against a regex; "meta" combines other rules; "describe" only sets
## the text shown in reports. Names that begin with "__" are subrules: they
## carry no score of their own and exist solely to feed a meta rule. No active
## "score" line appears in this file (the two present are commented out), so
## every scored rule here takes SpamAssassin's default score unless a scores
## file elsewhere overrides it. Entries are in reverse chronological order and
## a leading "#" disables a rule.
##
# 2012-08-29
# X-Mailer contains "TurboMailer" anywhere in the value (unanchored).
header AXB_XM_TURBOM X-Mailer =~ /TurboMailer/
describe AXB_XM_TURBOM Mailer fingerprint
# 2012-08-22
# X-Mailer starts with "Achi-KochiMail".
header AXB_XM_ACHIK X-Mailer =~ /^Achi-KochiMail/
describe AXB_XM_ACHIK Mailer fingerprint
#
# 2012-08-16 - Patternity pattern
# Message-ID begins with a lowercase-hex 6-4-4-4-12 token followed by "@".
# Note the first group is 6 hex digits, not the 8 of a standard UUID, so this
# deliberately does not match ordinary UUID-style IDs.
header AXB_XMID_PATTERNITY1 Message-ID =~ /^[0-9a-f]{6}\-[0-9a-f]{4}\-[0-9a-f]{4}\-[0-9a-f]{4}\-[0-9a-f]{12}\@/
describe AXB_XMID_PATTERNITY1 Possible bulkware fingerprint
#
# 2012-08-15 SA user case
# Subrule: some external relay in the X-Spam-Relays-External pseudo-header has
# reverse DNS ending in ".authorize.net".
header __RDNS_AUTHORIZE_NET X-Spam-Relays-External =~ /rdns=\S+\.authorize\.net/
# Subrule: From contains "authorize.net" anywhere (unanchored, so a longer
# domain that merely contains that string also matches).
# NOTE(review): this line has no space before "=~", unlike every other header
# rule in the file; the parser appears to tolerate it, but confirm it is
# actually compiled rather than silently skipped.
header __FROM_AUTHORIZE_NET From=~ /authorize\.net/
# Fires on a From mentioning authorize.net that did not arrive through a relay
# with authorize.net reverse DNS. Mail the domain legitimately sends through a
# third-party relay also satisfies this, so treat it as a hint, not proof of
# forgery.
meta AXB_M_FORGE_AUTHORIZE_NET (__FROM_AUTHORIZE_NET && !__RDNS_AUTHORIZE_NET)
describe AXB_M_FORGE_AUTHORIZE_NET Possible authorize.net forgery
# 2012-08-15
# X-Mailer contains the word "MailMagic" at a word boundary.
header AXB_X_XM_MMAGIC X-Mailer =~ /\bMailMagic/
describe AXB_X_XM_MMAGIC Mailer fingerprint
# 2012-07-24
# X-MS-Exchange-Organization-AuthAs is exactly "Anonymous".
# NOTE(review): presumably Exchange stamps this value on any unauthenticated
# submission, not only abused ones — verify the false-positive rate before
# giving this more than the default score.
header AXB_X_MSEX_ANONYMOUS X-MS-Exchange-Organization-AuthAs =~ /^Anonymous$/
describe AXB_X_MSEX_ANONYMOUS Seen in exploited MTA msgs
# 2012-06-28
# X-Mailer starts with the word "RAINBOW".
header AXB_XM_RAINBOW X-Mailer =~ /^RAINBOW\b/
describe AXB_XM_RAINBOW Mailer fingerprint
# 2012-04-24
# Any URI whose host is a 4-30 character alphanumeric subdomain of tumblr.com.
# This is the shape of every tumblr blog URL; the regex alone cannot tell an
# abused subdomain from a legitimate one.
uri AXB_ABUSE_TUMBLR /[a-z0-9]{4,30}\.tumblr\.com/
describe AXB_ABUSE_TUMBLR Abused subdomain
# 2012-03-19
# X-Mailer starts with the word "GetResponse".
header AXB_XM_GETRSP X-Mailer =~ /^GetResponse\b/
describe AXB_XM_GETRSP ESP Bulkware
# 2012-03-17
# Subrules: List-Unsubscribe points at em.linkedin.com, and presence/absence
# of the two LinkedIn-specific headers.
header __AXB_LI_U List-Unsubscribe =~ /\@em\.linkedin\.com\b/
header __AXB_LI_CLASS exists:X-LinkedIn-Class
header __AXB_LI_FBL exists:X-LinkedIn-fbl
# Fires when the unsubscribe address claims LinkedIn but both LinkedIn headers
# are missing, i.e. the message carries the link without the usual envelope.
meta AXB_OBFU_MULE (__AXB_LI_U && !__AXB_LI_CLASS && !__AXB_LI_FBL)
describe AXB_OBFU_MULE spacey mules
# 2012-02-16
# Rendered body text contains "@yeah.net" followed by a word boundary.
body AXB_BODYMAIL_SBL112884 /\@yeah\.net\b/
describe AXB_BODYMAIL_SBL112884 Spammer dropbox SBL112884
# 2012-01-07
# X-Mail-Agent starts with "BASP21".
header AXB_XMA_BASP X-Mail-Agent =~ /^BASP21/
describe AXB_XMA_BASP Mailer fingerprint
# 2012-01-04
# x-aol-global-disposition value is exactly "S".
header AXB_X_AOL_SEZ_S x-aol-global-disposition =~ /^S$/
describe AXB_X_AOL_SEZ_S AOL said this is S
# 2012-01-01
# Disabled. The non-ASCII byte in the pattern looks like an encoding artefact
# of the original rule; left untouched because the rule is not active.
# uri AXB_URI_BIG5 /\¡[CDO]/
# describe AXB_URI_BIG5 Uri contains big5 encoding
# 2011-12-08
# X-Mailer contains "SendBlaster" anywhere (unanchored).
header AXB_XM_BULK_SB X-Mailer =~ /SendBlaster/
describe AXB_XM_BULK_SB Bulk mail tool
# 2011-11-16
# Any Received header contains the token "my.firewall".
header AXB_XRCVD_OWN3D_FW Received =~ /\bmy\.firewall\b/
describe AXB_XRCVD_OWN3D_FW Possibly abused consumer device
# 2011-11-01
# X-AOL-IP is 7-25 characters drawn only from [a-z0-9-]; the class has no "."
# or ":", so a dotted IPv4 or colon-separated IPv6 literal never matches and
# only a hostname-like value does.
header AXB_AOLIP_CONFUSED X-AOL-IP =~ /^[a-z0-9\-]{7,25}$/
describe AXB_AOLIP_CONFUSED Confused IP
# 2011-09-26
# Disabled raw-body fingerprint.
# rawbody AXB_B_RAW_CTRLCLICK /\bControl\.invoke\(\'MessagePartBody\'\,\'_onBodyClick\'\,event\)\;\"\>/
# describe AXB_B_RAW_CTRLCLICK Suspicious fingerprint
# 2011-09-14 - Suggested by rfg / patternity
# Fires on mere presence of an X-Mailer-Sent-By header, whatever its value.
header AXB_XM_SENTBY exists:X-Mailer-Sent-By
describe AXB_XM_SENTBY Ratware fingerprint
# 2011-07-27
# Disabled.
# header AXB_XRCVD_XYZCRP Received =~ /\(envelope\-sender \<\#\@\[\]\>\)/
# describe AXB_XRCVD_XYZCRP sender fingerprint
# 2011-07-08
# ctrip.com sender checks; two of the four are active.
#header AXB_XRCVD_APACHE_CTRIP Received =~ /\bfrom apache by ctrip\.com\b/i
#describe AXB_XRCVD_APACHE_CTRIP possibly forged ctrip sender - apache
# Message-ID of the form <8-uppercase-hex><any char><6 digits>@ctrip.com.
# NOTE(review): the "." between the two groups is unescaped and so matches any
# single character; if a literal dot was intended it should be "\.". Left
# as-is since the intended separator is not documented.
header AXB_XMID_PFIX_CTRIP Message-ID =~ /\<[A-F0-9]{8}.[0-9]{6}\@ctrip\.com\>/
describe AXB_XMID_PFIX_CTRIP possibly forged ctrip sender - postfix
#header AXB_XMID_EXIM_CTRIP Message-ID =~ /\<[A-F0-9]{32}\@ctrip\.com\>/
#describe AXB_XMID_EXIM_CTRIP possibly forged ctrip sender - exim
# X-PHP-Script names ctrip.com/sendmail.php.
header AXB_X_PHPS_CTRIP X-PHP-Script =~ /\bctrip\.com\/sendmail\.php\b/
describe AXB_X_PHPS_CTRIP possibly forged ctrip sender - php
#header AXB_XRCVD_FRMCTRIP Received =~ /from ctrip\.com\b/
#describe AXB_XRCVD_FRMCTRIP possibly forged ctrip sender - rcvd
#
# 2011-07-05
# Raw (undecoded) body contains the two-word token exactly as written.
rawbody AXB_SSCECCF /\bSandboxScopeClass ExternalClass\b/
describe AXB_SSCECCF unidentified fingerprint
#2011-06-05
# Any Received header contains the literal "(eyou send program)".
header AXB_XRCVD_EYOU_SEND Received =~ /\(eyou send program\)/
describe AXB_XRCVD_EYOU_SEND fingerprint
# Score line disabled, so the default score applies.
#score AXB_XRCVD_EYOU_SEND 1.0
# Untrusted relay whose HELO is a single label under .lan or .home, followed
# by a space (case-insensitive). Anchored at "^" and unable to cross a "]",
# so in practice only the first listed untrusted relay is examined.
header AXB_HELO_HOME_UN X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\w+\.(lan|home) /i
describe AXB_HELO_HOME_UN HELO from home - untrusted
# Score line disabled, so the default score applies.
#score AXB_HELO_HOME_UN 1.0