# Postcard spam rules
# $Id: postcards.cf,v 1.23 2009-05-17 12:41:29-07 jhardin Exp jhardin $
# originally http://www.impsec.org/~jhardin/antispam/

header     POSTCARD_01   Subject =~ /You(?:'ve| have) (?:just )?(?:rec[ei]{2}ved )?an? (?:new )?(?:greeting |anonymous |virtual )?(?:post|e-?)?card (?:sen[dt] )?(?:from|by) an? (?:admirer|colleague|family member|friend|mate|neighbou?r|partner|(?:class|school).?(?:friend|mate)|worshipper|anonymous|buddy)/i
describe   POSTCARD_01   You got a postcard!
#score      POSTCARD_01   2.50

header     POSTCARD_02   Subject =~ /you have a new greeting/i
describe   POSTCARD_02   You got a postcard!

header     POSTCARD_03   From =~ /\b(?:[a-z]{0,10}greeting[a-z]{0,10}|(?:[a-z]{0,10}post|netfun)card[a-z]{0,10})\.[a-z]{2,5}/i
describe   POSTCARD_03   From a postcard domain

header     POSTCARD_04   Subject =~ /You(?:'ve| have) (?:just )?(?:rec[ei]{2}ved )?an? (?:new )?(?:greeting |anonymous |virtual )?Hallmark (?:post|love-|e-?)?card(?: (?:sen[dt] )?(?:from|by) an? (?:admirer|colleague|family member|friend|mate|neighbou?r|partner|(?:class|school).?(?:friend|mate)|worshipper|anonymous|buddy))?/i
describe   POSTCARD_04   You got a forged Hallmark postcard!
#score      POSTCARD_04   2.50

header     POSTCARD_05   Subject =~ /(?:[-\w]{3,20}\s+)+(?:has\s+)?sen[dt]\s+you\s+an?\s+(?:[-\w]{3,20}\s+)*"?(?:post|e-?)?card"?/i
describe   POSTCARD_05   You got a postcard!
#score      POSTCARD_05   2.50

# based on a rule by Jared Hall
header     POSTCARD_06   Subject =~ /^(?:an?\s+)?(?:Animated|Digital|Funny|Greeting|Holiday|Thank[-\s]you|Musical|Love|Birthday|Movie[-\s]quality)\s+(?:e-?|post)?card/i
describe   POSTCARD_06   You got a postcard!
#score      POSTCARD_06   2.50

header     POSTCARD_07   Subject =~ /^You(?:'ve| have) an? (?:new )?(?:greeting |anonymous |virtual )?(?:post|e-?)?card (?:.{0,30}\s)?waiting for you/i
describe   POSTCARD_07   You got a postcard!

header     POSTCARD_08   Subject =~ /You(?:'ve| have) (?:just )?(?:rec[ei]{2}ved )?an? (?:new )?(?:greeting |anonymous |virtual )?(?:post|e-?)?card/i
describe   POSTCARD_08   You got a postcard!
#score      POSTCARD_08   0.25

body       POSTCARD_09   /(?:rec[ie]{2}ve|view|enjoy|download|open|pick\sup)\syour\s(?:post|e-?)?card/i
describe   POSTCARD_09   You got a postcard!
#score      POSTCARD_09   0.25

body       __POSTCARD_HALLMARK_01   /\bYou(?:'ve| have) (?:just )?(?:rec[ei]{2}ved )?an? (?:new )?(?:greeting |anonymous |virtual )?Hallmark (?:post|e-?)?card\b/i
body       __POSTCARD_HALLMARK_02   /\bA (?:friend) has (?:just )?sent you an? (?:new )?(?:greeting |anonymous |virtual )?Hallmark (?:post|e-?)?card\b/i

# based on rule by Michael Schout
uri        __DQ_URI_ONLY_ARGS       m'^https?://\d+\.\d+\.\d+\.\d+/\?[0-9a-f]{8,}'
#describe   __DQ_URI_ONLY_ARGS       Dotted-Quad URI with only CGI arguments

meta       POSTCARD_DQ   NORMAL_HTTP_TO_IP && (POSTCARD_01 || POSTCARD_02 || POSTCARD_03 || POSTCARD_04 || POSTCARD_05 || POSTCARD_06 || POSTCARD_07 || POSTCARD_08 || POSTCARD_09 || __POSTCARD_HALLMARK_01 || __POSTCARD_HALLMARK_02)
describe   POSTCARD_DQ   Postcard + DQ URI
#score      POSTCARD_DQ   2.00

# EXECUTABLE_URI is a generally-useful rule.
# It appears here so a meta with the postcard rules can be made
uri        __EXECUTABLE_URI         /\.(?:exe|scr|dll|pif|vbs|wsh|cmd|bat|cpl)$/i
meta       EXECUTABLE_URI   __EXECUTABLE_URI
describe   EXECUTABLE_URI   Link to an executable file
#score      EXECUTABLE_URI   2.00

meta       POSTCARD_EXE   __EXECUTABLE_URI && (POSTCARD_01 || POSTCARD_02 || POSTCARD_03 || POSTCARD_04 || POSTCARD_05 || POSTCARD_06 || POSTCARD_07 || POSTCARD_08 || POSTCARD_09 || __POSTCARD_HALLMARK_01 || __POSTCARD_HALLMARK_02)
describe   POSTCARD_EXE   Postcard + Executable URI
#score      POSTCARD_EXE   2.00