#
# 'Ratware' -- i.e. bulk-mailers commonly used by spammers.
#
# Sometimes these leave 'sent by mailername' fingerprints in the
# headers, which provide a nice way for us to catch them.
#
# Note that the tests which look at the "ALL" pseudoheader are quite
# the specific header, as that's much quicker.

# We should not be seeing X-Mailer headers from news gateways, in email messages.
# TODO: check to see if legit mails, gatewayed from USENET to mail, might contain
# this header!

header RATWARE_V3161            ALL =~ /V3,1,6,1/
describe RATWARE_V3161          Bulk email software fingerprint (V3161) found in headers

#   0.614   1.480   0.090    0.94    2.00  RATWARE_EGROUPS
#   0.347   0.904   0.010    0.99    2.00  RATWARE_HASH_2
#   0.129   0.342   0.000    1.00    2.00  RATWARE_MBOMBER
#   0.141   0.366   0.004    0.99    2.00  RATWARE_JPFREE
#   0.149   0.366   0.018    0.95    2.00  RATWARE_GROUPMAIL
#   0.074   0.197   0.000    1.00    2.00  RATWARE_VC_IPA
#   0.064   0.168   0.001    0.99    2.00  RATWARE_GR
#   0.059   0.156   0.000    1.00    3.00  RATWARE_OE_PI
#   0.056   0.148   0.000    1.00    2.00  RATWARE_STORM
#   0.055   0.147   0.000    1.00    2.00  RATWARE_JIXING
#   0.054   0.143   0.000    1.00    2.00  RATWARE_SCREWUP_1
#   0.048   0.126   0.000    1.00    2.00  RATWARE_CURMAIL
#   0.041   0.109   0.000    1.00    2.00  RATWARE_MMAILER
#   0.045   0.117   0.001    0.99    1.00  RATWARE_OE_MALFORMED
#   0.038   0.102   0.000    1.00    2.00  RATWARE_EVAMAIL
#   0.041   0.107   0.001    0.99    2.00  RATWARE_SCREWUP_2
#   0.034   0.092   0.000    1.00    2.00  RATWARE_YAM
#   0.032   0.086   0.000    1.00    2.00  RATWARE_PASCUAL
#   0.026   0.070   0.000    1.00    2.00  RATWARE_IMKTG
#   0.025   0.067   0.000    1.00    2.00  RATWARE_XMAILER
#   0.021   0.056   0.000    1.00    2.00  RATWARE_EPAPER
#   0.020   0.052   0.000    1.00    2.00  RATWARE_SEEDNET
#   0.013   0.035   0.000    1.00    2.00  RATWARE_POWERC
#   0.008   0.022   0.000    1.00    2.00  RATWARE_DIFFOND
#   0.005   0.014   0.000    1.00    2.00  RATWARE_HSU
#   0.005   0.012   0.000    1.00    2.00  RATWARE_CHARSET
#   0.004   0.010   0.000    1.00    2.00  RATWARE_CARETOP
#   0.004   0.010   0.000    1.00    2.00  RATWARE_OPTIN
#   0.003   0.008   0.000    1.00    2.00  RATWARE_EBIZ
#   0.003   0.007   0.000    1.00    2.00  RATWARE_CBLAST
#   0.003   0.007   0.000    1.00    2.00  RATWARE_MATCHMAKER
#   0.002   0.006   0.000    1.00    2.00  RATWARE_LC_OUTLOOK
#   0.001   0.003   0.000    1.00    1.00  RATWARE_39
#   0.001   0.002   0.000    1.00    2.00  RATWARE_UPROAR

header RATWARE_EGROUPS          X-Mailer =~ /eGroups Message Poster/
describe RATWARE_EGROUPS        Bulk email software fingerprint (eGroups) found in headers

header RATWARE_HASH_2           X-Mailer =~ /^[A-Za-z0-9\._]{16,}$/
describe RATWARE_HASH_2         Bulk email software fingerprint (hash 2) found in headers

header RATWARE_MBOMBER          X-Mailer =~ /Mail Bomber/
describe RATWARE_MBOMBER        Bulk email software fingerprint (Mail Bomber) found in headers

header RATWARE_JPFREE           X-Mailer =~ /jpfree Group Mail Express/
describe RATWARE_JPFREE         Bulk email software fingerprint (jpfree) found in headers

header RATWARE_GROUPMAIL        ALL =~ /Group Mail/
describe RATWARE_GROUPMAIL      Bulk email software fingerprint (Group Mail) found in headers

header RATWARE_VC_IPA           X-Mailer =~ /2\.0-b55-VC_IPA/
describe RATWARE_VC_IPA         Bulk email software fingerprint (VC_IPA) found in headers

header RATWARE_GR               X-Mailer =~ /GRMessageQueue/
describe RATWARE_GR             Bulk email software fingerprint (GRMessageQueue) found in headers

header RATWARE_OE_PI            X-Mailer =~ /Out[Ll]ook Express 3\.14159/
describe RATWARE_OE_PI          X-Mailer contains "OutLook Express 3.14159"

header RATWARE_STORM            X-Mailer =~ /StormPost/
describe RATWARE_STORM          Bulk email software fingerprint (StormPost) found in headers

header RATWARE_JIXING           X-Mailer =~ /JiXing .{0,30}Design By JohnnieHuang/
describe RATWARE_JIXING         Bulk email software fingerprint (JiXing) found in headers

header RATWARE_SCREWUP_1        X-Mailer =~ /^X-Mailer: /
describe RATWARE_SCREWUP_1      Bulk email software fingerprint (screwup 1) found in headers

header RATWARE_CURMAIL          X-Mailer =~ /CurrentMailer\~/
describe RATWARE_CURMAIL        Bulk email software fingerprint (CurrentMailer) found in headers

header RATWARE_MMAILER          X-Mailer =~ /MMailer v3\.0/
describe RATWARE_MMAILER        Bulk email software fingerprint (MMailer) found in headers

header RATWARE_OE_MALFORMED     X-Mailer =~ /^Microsoft Outlook Express \d(?:\.\d+){3} \w+$/
describe RATWARE_OE_MALFORMED   X-Mailer contains malformed Outlook Express version

header RATWARE_EVAMAIL          X-Mailer =~ /EVAMAIL/
describe RATWARE_EVAMAIL        Bulk email software fingerprint (EVAMAIL) found in headers

header RATWARE_SCREWUP_2        X-Mailer =~ /^: /
describe RATWARE_SCREWUP_2      Bulk email software fingerprint (screwup 2) found in headers

header RATWARE_YAM              X-Mailer =~ /Yam Mailer v1\.0/
describe RATWARE_YAM            Bulk email software fingerprint (Yam) found in headers

header RATWARE_PASCUAL          X-Mailer =~ /made from pascual/
describe RATWARE_PASCUAL        Bulk email software fingerprint (pascual) found in headers

header RATWARE_IMKTG            ALL =~ /Internet Marketing/
describe RATWARE_IMKTG          Bulk email software fingerprint (IMktg) found in headers

header RATWARE_XMAILER          X-Mailer =~ /{%xmailer%}/
describe RATWARE_XMAILER        Bulk email software fingerprint (xmailer tag) found in headers

header RATWARE_EPAPER           X-Mailer =~ /EPaper Boy/
describe RATWARE_EPAPER         Bulk email software fingerprint (EPaper) found in headers

header RATWARE_SEEDNET          X-Mailer =~ /Seednet custom enewsletter/
describe RATWARE_SEEDNET        Bulk email software fingerprint (Seednet) found in headers

header RATWARE_POWERC           X-Mailer =~ /PowerCampaign/
describe RATWARE_POWERC         Bulk email software fingerprint (PowerCampaign) found in headers

header RATWARE_DIFFOND          ALL =~ /DiffondiCool/
describe RATWARE_DIFFOND        Bulk email software fingerprint (DiffondiCool) found in headers

header RATWARE_HSU              X-Mailer =~ /Mailer by Henry Su/
describe RATWARE_HSU            Bulk email software fingerprint (Henry Su) found in headers

header RATWARE_CHARSET          X-Mailer =~ /\Qcharset(89)\E/
describe RATWARE_CHARSET        Bulk email software fingerprint (charset) found in headers

header RATWARE_CARETOP          X-Mailer =~ /Caretop 2604/
describe RATWARE_CARETOP        Bulk email software fingerprint (Caretop) found in headers

header RATWARE_OPTIN            X-Mailer =~ /Opt-In Lightning By Garvinweb/
describe RATWARE_OPTIN          Bulk email software fingerprint (Opt-In Lightning) found in headers

header RATWARE_EBIZ             X-Mailer =~ /eBizmailer3\.0/
describe RATWARE_EBIZ           Bulk email software fingerprint (eBizmailer) found in headers

header RATWARE_CBLAST           X-Mailer =~ /Campaign Blaster/
describe RATWARE_CBLAST         Bulk email software fingerprint (Campaign Blaster) found in headers

header RATWARE_MATCHMAKER       ALL =~ /Matchmaker/
describe RATWARE_MATCHMAKER     Bulk email software fingerprint (Matchmaker) found in headers

header RATWARE_LC_OUTLOOK       X-Mailer =~ /^outlook$/
describe RATWARE_LC_OUTLOOK     Bulk email software fingerprint ("outlook") found in headers

header RATWARE_UPROAR           X-Mailer =~ /Uproar Mass Mailer/
describe RATWARE_UPROAR         Bulk email software fingerprint (Uproar) found in headers