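# SpamAssassin rules file: known spam mailers
#
# Sometimes these leave 'sent by mailername' fingerprints in the
# headers, which provide a nice way for us to catch them.
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of either the Artistic License or the GNU General
# Public License as published by the Free Software Foundation; either
# version 1 of the License, or (at your option) any later version.
#
# See the file "License" in the top level of the SpamAssassin source
# distribution for more details.
#
###########################################################################

# Layout: one directive per line. A line that begins with '#' is a comment
# to its end, so rules must not share a line with the header text above.
#
# Every rule in this section matches a sender-supplied header value. A hit
# is evidence that a known bulk tool wrote the message; a miss says nothing,
# since the sender chooses what goes into X-Mailer.

header RATWARE_EGROUPS          X-Mailer =~ /eGroups Message Poster/
describe RATWARE_EGROUPS        Bulk email fingerprint (eGroups) found

# X-Mailer consisting only of 16 or more letters, digits, dots and
# underscores.
header RATWARE_HASH_2           X-Mailer =~ /^[A-Za-z0-9\._]{16,}$/
describe RATWARE_HASH_2         Bulk email fingerprint (hash 2) found

# Same character class with the minimum length lowered to 14. Any value that
# hits RATWARE_HASH_2 also hits this rule, so the two scores add up on the
# same evidence.
header RATWARE_HASH_2_V2        X-Mailer =~ /^[A-Za-z0-9\._]{14,}$/
describe RATWARE_HASH_2_V2      Bulk email fingerprint (hash 2 v2) found

header RATWARE_JPFREE           X-Mailer =~ /jpfree Group Mail Express/
describe RATWARE_JPFREE         Bulk email fingerprint (jpfree) found

header RATWARE_VC_IPA           X-Mailer =~ /2\.0-b55-VC_IPA/
describe RATWARE_VC_IPA         Bulk email fingerprint (VC_IPA) found

# Note that the tests which look at the "ALL" pseudoheader are slower than
# the specific header.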
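# Bulk-mailer fingerprints, one directive per line. Each "header" rule tests
# a single sender-supplied header (or the ALL pseudoheader) against a regex;
# the "describe" line is the text shown in the report when the rule hits.

header RATWARE_GR               X-Mailer =~ /GRMessageQueue/
describe RATWARE_GR             Bulk email fingerprint (GRMessageQueue) found

# Accepts both "Outlook" and "OutLook" followed by the pi-like version.
header RATWARE_OE_PI            X-Mailer =~ /Out[Ll]ook Express 3\.14159/
describe RATWARE_OE_PI          X-Mailer contains "OutLook Express 3.14159"

# 100% overlap with X-Stormpost-To: header, but seems wise to leave it in
header RATWARE_STORM            X-Mailer =~ /StormPost/
describe RATWARE_STORM          Bulk email fingerprint (StormPost) found

# URI form of the same fingerprint: a /sp/t.pl tracking link with a
# numeric "id=N:N" query. Matched case-insensitively; http:// only.
uri RATWARE_STORM_URI           m{http://\S+/sp/t\.pl\?id=\d+:\d+}i
describe RATWARE_STORM_URI      Bulk email fingerprint (StormPost) found

header RATWARE_JIXING           X-Mailer =~ /JiXing .{0,30}Design By JohnnieHuang/
describe RATWARE_JIXING         Bulk email fingerprint (JiXing) found

# The header *value* itself starts with "X-Mailer: ", i.e. the tool wrote
# the field name twice.
header RATWARE_SCREWUP_1        X-Mailer =~ /^X-Mailer: /
describe RATWARE_SCREWUP_1      Bulk email fingerprint (screwup 1) found

header RATWARE_MMAILER          X-Mailer =~ /MMailer v3\.0/
describe RATWARE_MMAILER        Bulk email fingerprint (MMailer) found in headers

# Four-part dotted version followed by a trailing word, anchored at both
# ends.
header RATWARE_OE_MALFORMED     X-Mailer =~ /^Microsoft Outlook Express \d(?:\.\d+){3} \w+$/
describe RATWARE_OE_MALFORMED   X-Mailer has malformed Outlook Express version

header RATWARE_EVAMAIL          X-Mailer =~ /EVAMAIL/
describe RATWARE_EVAMAIL        Bulk email fingerprint (EVAMAIL) found

# Header value begins with a stray ": ".
header RATWARE_SCREWUP_2        X-Mailer =~ /^: /
describe RATWARE_SCREWUP_2      Bulk email fingerprint (screwup 2) found

# NOTE(review): ALL is tested against every header, so this plain phrase
# also hits when it appears in e.g. Subject or an organisation header of
# legitimate mail. Check the false-positive rate before scoring it high.
header RATWARE_IMKTG            ALL =~ /Internet Marketing/
describe RATWARE_IMKTG          Bulk email fingerprint (IMktg) found

# Unexpanded template placeholder left in the header.
header RATWARE_XMAILER          X-Mailer =~ /{%xmailer%}/
describe RATWARE_XMAILER        Bulk email fingerprint (xmailer tag) found

header RATWARE_POWERC           X-Mailer =~ /PowerCampaign/
describe RATWARE_POWERC         Bulk email fingerprint (PowerCampaign) found

# ALL pseudoheader again: the token may appear in any header.
header RATWARE_DIFFOND          ALL =~ /DiffondiCool/
describe RATWARE_DIFFOND        Bulk email fingerprint (DiffondiCool) found

# \Q...\E quotes the parentheses, so this matches the literal text
# "charset(89)".
header RATWARE_CHARSET          X-Mailer =~ /\Qcharset(89)\E/
describe RATWARE_CHARSET        Bulk email fingerprint (charset) found

header RATWARE_CHARSET_V2       X-Mailer =~ /^normal \W \W\s*charset.*=\"/
describe RATWARE_CHARSET_V2     Bulk email fingerprint (charset 2) found

header RATWARE_CARETOP          X-Mailer =~ /Caretop 2604/
describe RATWARE_CARETOP        Bulk email fingerprint (Caretop) found

# Exactly the lowercase word, nothing else. No /i on purpose: the
# fingerprint is the lowercase spelling.
header RATWARE_LC_OUTLOOK       X-Mailer =~ /^outlook$/
describe RATWARE_LC_OUTLOOK     Bulk email fingerprint ("outlook") found

header RATWARE_EMWAC            Received =~ /EMWAC SMTPRS/
describe RATWARE_EMWAC          Bulk email fingerprint ("EMWAC SMTPRS") found

# '!' ... '#' ... '*' in that order anywhere in the value.
header RATWARE_BANG_HASH        X-Mailer =~ /!.*\#.*\*/
describe RATWARE_BANG_HASH      Bulk email fingerprint (bang-hash) found

# Value starts with a bare "d.dd" number.
header RATWARE_FLOAT            X-Mailer =~ /^\d\.\d\d/
describe RATWARE_FLOAT          Bulk email fingerprint (float) found

header RATWARE_DIRECT_EMAIL     X-Mailer =~ /Direct Email/i
describe RATWARE_DIRECT_EMAIL   Bulk email fingerprint (Direct Email) found

# /m lets ^ match at the start of any Received line. The fingerprint is the
# lowercase protocol keyword after "with".
header RATWARE_RCVD_LC_ESMTP    Received =~ /^from (?:(?:unknown|\d+\.\d+\.\d+\.\d+) \(\S+\)|\[\d+\.\d+\.\d+\.\d+\]) by \S+ with (?:esmtp|local|smtp); /m
describe RATWARE_RCVD_LC_ESMTP  Bulk email fingerprint ('esmtp' Received) found

# NOTE(review): the rule name and description say "bonus space", but the
# pattern as it stands has a single space between ")" and "by", which is
# the ordinary shape of a Received line. Compare against the distributed
# copy of this file before relying on it; run-length of whitespace may have
# been lost in this copy.
header RATWARE_RCVD_BONUS_SPC   Received =~ /\) by [a-zA-Z0-9]/
describe RATWARE_RCVD_BONUS_SPC Bulk email fingerprint (bonus space) found

###########################################################################
# Now, detect forgeries of real MUAs

# Dec 17 2002 jm: this means "message ID is either too old or has been
# rewritten by a gateway". Made into an eval test since meta tests cannot
# (yet) chain from other meta tests.
# The FORGED_MUA_* metas that compare Message-ID shape against a claimed
# mailer require this subrule to be false, so a rewritten Message-ID does
# not count as a forgery.
header __UNUSABLE_MSGID         eval:check_messageid_not_usable()

# forgeries of MSN Explorer.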
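# Forged-MUA checks, one directive per line. Pattern throughout: a subrule
# recognises the mailer named in X-Mailer, further subrules recognise what
# that mailer really emits (Message-ID shape, extra headers, MIME layout),
# and a meta fires when the claim is present but the corroborating trait is
# not. Names starting with "__" are subrules used only inside metas.
# __UNUSABLE_MSGID is defined earlier in this file; __USER_AGENT_MSN,
# MIME_HTML_ONLY and __HAS_MSMAIL_PRI are not defined in this section and
# must come from other rules files.

# MSN Explorer: a message claiming MSN must carry both of these headers.
# __HAS_XOIP only checks that the value starts with '['.
header __HAS_XOAT               X-Originalarrivaltime =~ /FILETIME/
header __HAS_XOIP               X-Originating-Ip =~ /^\[/
meta FORGED_MUA_MSN             (__USER_AGENT_MSN && (!__HAS_XOAT || !__HAS_XOIP))
describe FORGED_MUA_MSN         Forged mail pretending to be from MSN

# AOL
header __AOL_MUA                X-Mailer =~ /\bAOL\b/

# Internet Mail Service
header __IMS_MUA                X-Mailer =~ /Internet Mail Service/
header __IMS_MSGID              MESSAGEID =~ /^<[A-F\d]{36,40}\@\S+>$/m
meta FORGED_MUA_IMS             (__IMS_MUA && !__UNUSABLE_MSGID && !__IMS_MSGID)
describe FORGED_MUA_IMS         Forged mail pretending to be from IMS

# Outlook
# Note: this uses __IMS_MSGID from above
# The negative lookahead excludes "Outlook IMO", "Outlook Express [for] Mac"
# and ", Build 11.0." so those are not held to the Message-ID shapes below.
header __OUTLOOK_MUA            X-Mailer =~ /\bOutlook\b(?! IMO| Express (?:for )?Mac|, Build 11\.0\.)/
header __OUTLOOK_MSGID_1        MESSAGEID =~ /^<[0-9a-f]{12}\$[0-9a-f]{8}\$[0-9a-f]{8}\@\S+>$/m
# See bug 1488 for details
header __OUTLOOK_MSGID_2        MESSAGEID =~ /^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}\@hotmail\.com>$/m
header __OUTLOOK_MSGID_3        MESSAGEID =~ /^<\!\~\!/m
meta FORGED_MUA_OUTLOOK         (__OUTLOOK_MUA && !__UNUSABLE_MSGID && !(__OUTLOOK_MSGID_1 || __OUTLOOK_MSGID_2 || __OUTLOOK_MSGID_3 || __IMS_MSGID))
describe FORGED_MUA_OUTLOOK     Forged mail pretending to be from MS Outlook

# Outlook IMO (Internet Mail Only)
header __OIMO_MUA               X-Mailer =~ /Outlook IMO/
header __OIMO_MSGID             MESSAGEID =~ /^<[A-P]{26}A[AB]\.[-_\w.]+\@\S+>$/m
meta FORGED_MUA_OIMO            (__OIMO_MUA && !__OIMO_MSGID && !__UNUSABLE_MSGID)
describe FORGED_MUA_OIMO        Forged mail pretending to be from MS Outlook IMO

# QUALCOMM Eudora
# Note: uses __HAS_X_LOOP and __HAS_X_MAILING_LIST as subrules
# The __MAC_, __PALM_ and __OLD_ subrules are exemptions: when one matches,
# FORGED_MUA_EUDORA does not fire. An exemption that matches too much
# switches the check off, so keep these patterns tight.
header __EUDORA_MUA             X-Mailer =~ /\b(?:QUALCOMM|Eudora)\b/
header __MAC_EUDORA_MUA         X-Mailer =~ /Eudora for (?:Macintosh|Mac OS X)/
# Version separator is a literal dot; it was an unescaped '.' that accepted
# any character between the two numbers.
header __PALM_EUDORA_MUA        X-Mailer =~ /^Eudora \d+\.\d+ for PalmOS\b/
header __OLD_EUDORA1            X-Mailer =~ /Eudora\s+Pro\s+Version\s+[1-4]\.\b/
header __OLD_EUDORA2            X-Mailer =~ /\bEudora\s+(?:(?:Pro|Light)\s+)?Version\s+[1-4]\.\b/
header __ANY_QUALCOMM_MUA       X-Mailer =~ /\bQUALCOMM\b/
header __EUDORA_MSGID           MESSAGEID =~ /^<(?:\d\d?\.){4,5}\d{14}\.[a-f0-9]{8}\@\S+>$/m
header __HAS_X_LOOP             exists:X-Loop
header __HAS_X_MAILING_LIST     exists:X-Mailing-List
meta FORGED_MUA_EUDORA          (__EUDORA_MUA && !__EUDORA_MSGID && !__UNUSABLE_MSGID && !__HAS_X_LOOP && !__HAS_X_MAILING_LIST && !__MAC_EUDORA_MUA && !__PALM_EUDORA_MUA && !__OLD_EUDORA1 && !(__OLD_EUDORA2 && !__ANY_QUALCOMM_MUA))
describe FORGED_MUA_EUDORA      Forged mail pretending to be from Eudora

# Mar 26 2003 jm: AOL MUAs add a Received line, and do not use "real names" in
# From or To headers, as far as I can see, quinlan: also see bug 1426
# __AOL_MUA is the unanchored /\bAOL\b/ above, so any X-Mailer that mentions
# AOL as a word is held to an @aol.com From address.
header __AOL_FROM               From:addr =~ /\@aol\.com$/i
meta FORGED_MUA_AOL_FROM        (__AOL_MUA && !__AOL_FROM)
describe FORGED_MUA_AOL_FROM    Forged mail pretending to be from AOL (by From)

# From private mail with developers. Some top tips here!
# Three independent checks on a "The Bat!" claim: Message-ID shape, a quoted
# charset in Content-Type, and a boundary that does not start with ten
# dashes.
header __THEBAT_MUA             X-Mailer =~ /The Bat!/
header __BAT_MSGID              MESSAGEID =~ /^<\d{2,12}\.\d{14}\@\S+>$/m
header __CTYPE_CHARSET_QUOTED   Content-Type =~ /charset=\"/i
header __CTYPE_HAS_BOUNDARY     Content-Type =~ /boundary/i
header __BAT_BOUNDARY           Content-Type =~ /boundary=\"?-{10}/
meta FORGED_MUA_THEBAT          (__THEBAT_MUA && !__UNUSABLE_MSGID && !__BAT_MSGID)
meta FORGED_MUA_THEBAT_CS       (__THEBAT_MUA && __CTYPE_CHARSET_QUOTED)
meta FORGED_MUA_THEBAT_BOUN     (__THEBAT_MUA && __CTYPE_HAS_BOUNDARY && !__BAT_BOUNDARY)
describe FORGED_MUA_THEBAT      Mail pretending to be from The Bat! (mid)
describe FORGED_MUA_THEBAT_CS   Mail pretending to be from The Bat! (charset)
describe FORGED_MUA_THEBAT_BOUN Mail pretending to be from The Bat! (boundary)

# Claimed mailer combined with an HTML-only message.
meta FORGED_OUTLOOK_HTML        (__OUTLOOK_MUA && MIME_HTML_ONLY)
describe FORGED_OUTLOOK_HTML    Outlook can't send HTML message only

meta FORGED_AOL_HTML            (__AOL_MUA && MIME_HTML_ONLY)
describe FORGED_AOL_HTML        AOL can't send HTML message only

meta FORGED_IMS_HTML            (__IMS_MUA && MIME_HTML_ONLY)
describe FORGED_IMS_HTML        IMS can't send HTML message only

meta FORGED_THEBAT_HTML         (__THEBAT_MUA && MIME_HTML_ONLY)
describe FORGED_THEBAT_HTML     The Bat! can't send HTML message only

# bug 1561
# stronger version of USER_AGENT_APPLEMAIL
# Apple Mail doesn't send text/html at all (unless it's an attachment)
# It'll send text/plain, or multipart/alternative with text/plain and
# text/enriched parts (boundary of "Apple-Mail-\d--\d+"). It can, however,
# send a multipart/mixed with a single text/html attachment, so don't use
# MIME_HTML_ONLY.
# perhaps limit CTYPE to "text/plain", "multipart/alternative" with
# "text/plain" and "text/enriched", or "multipart/mixed"?
# NOTE(review): __MSGID_APPLEMAIL tests the Message-Id header directly,
# while the other Message-ID subrules in this section use the MESSAGEID
# pseudoheader with /m; confirm the difference is intended.
header __X_MAILER_APPLEMAIL     X-Mailer =~ /^Apple Mail \(\d\.\d+\)$/
header __MSGID_APPLEMAIL        Message-Id =~ /^<[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\@\S+>$/
header __MIME_VERSION_APPLEMAIL Mime-Version =~ /^1\.0 \(Apple Message framework v\d+\)$/
meta __USER_AGENT_APPLEMAIL     !__CTYPE_HTML && __X_MAILER_APPLEMAIL && (__MSGID_APPLEMAIL || __MIME_VERSION_APPLEMAIL)
# Fires on an Apple Mail X-Mailer when the message is not confirmed as
# Apple Mail by the meta above, i.e. the top-level Content-Type is
# text/html, or neither the Message-Id nor the Mime-Version shape matches.
# The description text only mentions the HTML case.
meta FORGED_MUA_APPLEMAIL       (__X_MAILER_APPLEMAIL && !__UNUSABLE_MSGID && !__USER_AGENT_APPLEMAIL)
describe FORGED_MUA_APPLEMAIL   AppleMail can't send HTML message only

# 2003-02-23: quinlan
# some useful meta rule sub-elements
# The __ANY_*_MUA subrules are anchored at the start of X-Mailer, unlike the
# __AOL_MUA / __IMS_MUA / __OUTLOOK_MUA subrules above.
body __MIME_HTML                eval:check_for_mime_html()
header __CTYPE_HTML             Content-Type =~ /text\/html/i
header __ANY_AOL_MUA            X-Mailer =~ /^AOL\b/
header __ANY_IMS_MUA            X-Mailer =~ /^Internet Mail Service\b/
header __ANY_OUTLOOK_MUA        X-Mailer =~ /^Microsoft Outlook\b/
body __TAG_EXISTS_BODY          eval:html_tag_exists('body')
body __TAG_EXISTS_HEAD          eval:html_tag_exists('head')
body __TAG_EXISTS_HTML          eval:html_tag_exists('html')
body __TAG_EXISTS_META          eval:html_tag_exists('meta')

# HTML mail from these mailers is expected to contain certain tags:
# QUALCOMM and AOL need <html>; IMS and Outlook need all of <html>, <head>,
# <meta> and <body>.
meta FORGED_QUALCOMM_TAGS       (__ANY_QUALCOMM_MUA && __MIME_HTML && !__TAG_EXISTS_HTML)
describe FORGED_QUALCOMM_TAGS   QUALCOMM mailers can't send HTML in this format

meta FORGED_AOL_TAGS            (__ANY_AOL_MUA && __MIME_HTML && !__TAG_EXISTS_HTML)
describe FORGED_AOL_TAGS        AOL mailers can't send HTML in this format

meta FORGED_IMS_TAGS            (__ANY_IMS_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY))
describe FORGED_IMS_TAGS        IMS mailers can't send HTML in this format

meta FORGED_OUTLOOK_TAGS        (__ANY_OUTLOOK_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY))
describe FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format

# References value that contains "$...@" but is not wrapped in <...>.
header RATWARE_BAD_REFS         References =~ /^[^<]\S+\$\S+\@\S+[^>]$/
describe RATWARE_BAD_REFS       References header has bad format

# http://marc.theaimsgroup.com/?l=spamassassin-talk&m=105203882531351&w=2
# Hits only when the X-Scanner value starts with a stray ": "; the
# description is broader than the test.
header RATWARE_X_SCANNER        X-Scanner =~ /^: /
describe RATWARE_X_SCANNER      Has X-Scanner header

# In the X-AntiAbuse pattern the '.' between "Originator", "Caller UID" and
# "GID" is unescaped and matches any single character.
header __RATWARE_EXISCAN        X-Scanner =~ /exiscan/
header __RATWARE_ANTIABUSE      X-AntiAbuse =~ /Originator.Caller UID.GID - \[\d \d\] \/ \[\d \d\]/
meta RATWARE_EXISCAN_FORGED     (__RATWARE_EXISCAN && __RATWARE_ANTIABUSE && __HAS_MSMAIL_PRI)
describe RATWARE_EXISCAN_FORGED Headers indicate forged Exiscan message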