# SpamAssassin rules file: broken rules
#
# This file isn't installed with SpamAssassin. Rules which appear broken
# but might be worth another try are moved onto this pile. Normally every
# line in this file should be commented out.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of either the Artistic License or the GNU General
# Public License as published by the Free Software Foundation; either
# version 1 of the License, or (at your option) any later version.
#
# See the file "License" in the top level of the SpamAssassin source
# distribution for more details.
#
###########################################################################
#
# tvd - 2003.06.14
# bug 1760 -- this now FPs a lot due to AOL's changing mail system
# we need to explore that and see if we can't come up with something better.
#header __AOL_MSGID MESSAGEID =~ /^<[0-9a-f]{1,3}\.[0-9a-f]{6,8}\.[0-9a-f]{8}\@aol.com>$/m
#meta FORGED_MUA_AOL (__AOL_MUA && !__UNUSABLE_MSGID && !__AOL_MSGID)
#describe FORGED_MUA_AOL Forged mail pretending to be from AOL

## these rules may need to factor in ok_languages or ok_locales
## Dec 18 2002 jm: but how? ;) They are ready to be promoted otherwise
##freqs: 0.084 0.2047 0.0095 0.956 0.84 0.01 T_BODY_UNPRINTABLE
#body T_BODY_UNPRINTABLE /[\x00-\x07\x0b\x0c\x0e-\x1f\x7f]{3,}/
#describe T_BODY_UNPRINTABLE Body includes 3 consecutive unprintable characters
#
## Nov 12 2002 jm: not keen on this. many ISPs do not provide rDNS these
## days as policy. stupid policy, but there we are. and SpamAssassin policy
## is not to punish users with stupid ISPs...
##
## Dec 20 2002 jm: should make fantastic meta-fodder though. ;)
##
##freqs: 11.817 22.1680 5.3554 0.805 0.53 0.01 T_SENDER_NO_REVERSE
#header T_SENDER_NO_REVERSE eval:check_for_sender_no_reverse()
#describe T_SENDER_NO_REVERSE No reverse lookup for sender's IP

# bug 1310: these four rules are pretty slow and not that great
# they need to work better before being added back into SA proper
#body SALE /\bsales? (?:price|system|department|technology|ends|today)|\b(?:on|summer|movie|clearance|for|your|increase|super|losing|return|business|airfare) (?-i:S)ales?/i
#describe SALE Stuff on Sale
#body WINNER /\byou.{0,4} a winner|\bregister to win/i
#describe WINNER Claims you are a winner
#body MONTH_TRIAL /(?:month|day) .{0,9}trial/i
#describe MONTH_TRIAL Month Trial Offer
#body MEMBER_2 /\b(?:free|special|paid|dear|gold|opt.in|valued|because you are an?|be a|becoming a|sent to) .{0,9}members?\b/i
#describe MEMBER_2 Being a Member

# These were all removed for the 2.50 GA run. Low scoring, etc.
#body NAME_BRAND /\b(?:famous name|major) brand/i
#describe NAME_BRAND Name Brand
#
#body SIGN_UP /\b(?:free sign up|sign up today)\b/i
#describe SIGN_UP Sign up Free Today
#
#body CANCEL /\bcancel at any time\b/i
#describe CANCEL Cancel at any time!
#
#body NO_COMBINE /\bwith any other offer/i
#describe NO_COMBINE Can not be combined with any other offer
#
#header X_SMTPEXP_REGISTRATION exists:X-SMTPExp-Registration
#header X_SMTPEXP_VERSION exists:X-SMTPExp-Version
#describe X_SMTPEXP_REGISTRATION Message has X-SMTPExp-Registration header
#describe X_SMTPEXP_VERSION Message has X-SMTPExp-Version header
#
#body MEMBER /\bmember (?:number|reward|value|benefit|rate|report|card|information)s?\b/i
#describe MEMBER Member Stuff
#
#header EXCHANGE_SERVER X-Mailer =~ /Internet Mail Service \([\d\.]+\)/
#describe EXCHANGE_SERVER Came via Internet Mail Service plugin
#tflags EXCHANGE_SERVER nice
#
#body REG_THANKS /\bThank you for registering\b/i
#describe REG_THANKS Something about registration
#tflags REG_THANKS nice
#
#header SUBJ_ENDS_IN_SPACE Subject =~ /(?:\s{6}|\t\s|\s\t)$/
#describe SUBJ_ENDS_IN_SPACE Subject ends with lots of white space
#
#header MSGID_CHARS_WEIRD MESSAGEID =~ /["=\\~]/
#describe MSGID_CHARS_WEIRD Message-Id has characters often found in spam
#
#header ALL_CAPS_HEADER ALL =~ /\n(?:TO|FROM|SUBJECT|DATE):/s
#describe ALL_CAPS_HEADER Header with all capitals found
#
#header MSGID_ADDED_BY_MTA Message-Id =~ / \(added by (?!postmaster\@wanadoo\.fr)/
#describe MSGID_ADDED_BY_MTA 'Message-Id' was added by a relay
#
#header FROM_MALFORMED From !~ /(?:\"[^\"]+\"|\S+)\@\S+\.\S+|<\S+(?:\!\S+)+>/ [if-unset: unset@unset.unset]
#describe FROM_MALFORMED From: has a malformed address
#
#header SHORT_RECEIVED_LINE Received =~ /\S{120,}/s
#describe SHORT_RECEIVED_LINE 'Received:' contains huge hostname
#
#header YR_MEMBERSHIP_EXCH Subject =~ /Your Membership Exchange/
#describe YR_MEMBERSHIP_EXCH Subject contains 'Your Membership Exchange'
#
#body PARA_A_2_C_OF_1618 /Paragraph *.a.{0,10}2.{0,10}C\. of S\. 1618/i
#describe PARA_A_2_C_OF_1618 Claims compliance with Senate Bill 1618
#
#body CHECK_OR_MONEY_ORDER /check or money order/i
#describe CHECK_OR_MONEY_ORDER Talk about a check or money order
#
#body DEAR_EMAIL /\bDear [A-Za-z0-9_-]+\@/
#describe DEAR_EMAIL Dear you@you.com?
#test DEAR_EMAIL ok Dear duncf@rogers.com,
#test DEAR_EMAIL fail Dear Duncan!
#
## this one gets a few false positives
#body SOCIAL_SEC_NUMBER /social security (?:number|record)/i
#describe SOCIAL_SEC_NUMBER Talks about social security numbers
#
#body EXCUSE_5 /that your email address is removed/i
#describe EXCUSE_5 Claims you can be removed from the list
#
#body INVESTOR_SPEC_SHEET /Investor Spec Sheet/i
#describe INVESTOR_SPEC_SHEET Standard investment opportunity spam
#
## detect "mort$age", but not "mortgage"
#body MORTGAGE_OBFU /mor[tga\$]*\$[ga\$]*e/i
#describe MORTGAGE_OBFU Attempt at obfuscating the word "mortgage"
#test MORTGAGE_OBFU ok Mort$a$e
#test MORTGAGE_OBFU ok Mor$gage
#test MORTGAGE_OBFU ok Mort$age
#test MORTGAGE_OBFU ok Mortga$e
#test MORTGAGE_OBFU fail Mortsa$e
#test MORTGAGE_OBFU fail Morlage
#test MORTGAGE_OBFU fail mortgage
#test MORTGAGE_OBFU fail mortgage$
#test MORTGAGE_OBFU fail mortgage$
#
#body INTERNET_TERROR_RANT /At the time of this mailing.{9,50}legitimate return email address.{100,299}internet terrorists/i
#describe INTERNET_TERROR_RANT Cyber FirePower! rant about losing dropboxes
#
## jm: use {2,3} to avoid matching iso-2022-jp charset items. split into US_DOLLARS_4
#body US_DOLLARS_4 /\s(?:\$|US\$|usd?).?\d{1,3}\.\d+.?(?:m|millions?)\b/i
#describe US_DOLLARS_4 Nigerian scam key phrase ($NNN.N m/USDNNN.N m/US$NN.N m)
#test US_DOLLARS_4 fail JP charset test: this should not match: $1 $
#test US_DOLLARS_4 fail JP charset test: this should not match: $1$
#test US_DOLLARS_4 fail $-$NFbMF$K!"A49q$+$iLd$$9g$o$;$,;&E~$7$F$$$^$9!#
#test US_DOLLARS_4 ok of US$8.5 million (Eight
#test US_DOLLARS_4 ok of US8.5 millions (Eight
#
#body OFFER_EXPIRE /\boffer expires\b/i
#describe OFFER_EXPIRE Offer Expires
#
#body INVESTMENT /\binvestment decision/i
#describe INVESTMENT Investment Decision
#
#body COUPON /\boff coupon/i
#describe COUPON Offers Coupon
#
#body CANT_LIVE_WITHOUT /\bcan.{0,4} live without\b/i
#describe CANT_LIVE_WITHOUT Can't live without?
#
#body GETAWAY /\bweekend getaway/i
#describe GETAWAY Weekend Getaway
#
#body GIVING_AWAY /\bgiving away\b/i
#describe GIVING_AWAY They're just giving it away!
#
#body CYBER_FIRE_POWER /\b(?:by|for) Cyber FirePower\!/
#describe CYBER_FIRE_POWER mentions Cyber FirePower!, a spam-tool
#
#body ANOTHER_NET_AD /Another Internet Ad campaign produced/
#describe ANOTHER_NET_AD Tells you it's an ad
#
#body EU_200_32_CE /Directive 200.32.CE/i
#describe EU_200_32_CE Claims compliance with European spam regulations
#
#body FILTERED_BY_WORLDREMOVE /filtered by WorldRemove/
#describe FILTERED_BY_WORLDREMOVE Claims to listen to some removal request list
#
#body FREE_HOSTING /\bfree hosting\b/i
#describe FREE_HOSTING Free Hosting
#
#body GREEN_EXCUSE_1 /using email instead can significantly reduce this/i
#describe GREEN_EXCUSE_1 Claims spam helps the environment
#
#body GREEN_EXCUSE_2 /the trees, save the planet, use email!/i
#describe GREEN_EXCUSE_2 Claims spam helps the environment
#
#body POPLAUNCH /StealthLaunch PopLaunch\b/
#describe POPLAUNCH spam software: PopLaunch
#
#body SIGNIFICANT /\bsignificant savings\b/i
#describe SIGNIFICANT Significant Savings
#
#body SLASH_PRICE /\bslash.{0,2} price/i
#describe SLASH_PRICE Slashed Price
#
#body THIS_AINT_JUNK /This.{0,30}is not (?:a )?junk(?: email)?/is
#describe THIS_AINT_JUNK Claims "This is not junk email"
#
#body OUR_POLICY_ON_SELLING /our policy on selling/i
#describe OUR_POLICY_ON_SELLING Mentions their policy on selling
#
#body BANG_CARTOONS /\bcartoons!/i
#describe BANG_CARTOONS Talks about cartoons with an exclamation!
#
#body BANG_CYBERANALYSTS /\bcyberanalysts!/i
#describe BANG_CYBERANALYSTS Talks about cyberanalysts with an exclamation!
#
#header RATWARE_V3161 ALL =~ /V3,1,6,1/
#describe RATWARE_V3161 Bulk email software fingerprint (V3161) found in headers
#
#uri LONG_NUMERIC_HTTP_ADDR /^https?\:\/\/000\d+/is
#describe LONG_NUMERIC_HTTP_ADDR Uses a long numeric IP address in URL
#
## one spamhaus uses servers numbered like this:
#uri HTTP_NUMBER_WORD /^https?:\/\/(?:zero|one|two|three|four|five|six|seven|eight|nine|ten|eleven|twelve|thirteen|fourteen|fifteen|sixteen|seventeen|eighteen|nineteen|twenty)\./i
#describe HTTP_NUMBER_WORD URL contains spamhaus signature: numbered servers
#
#uri E_WEBHOSTCENTRAL_URL /e-webhostcentral\.com/i
#describe E_WEBHOSTCENTRAL_URL Frequent SPAM content
#
#uri FREEMEGS_URL /25freemegs\.com/i
#describe FREEMEGS_URL Frequent SPAM content
#
#uri FREEWEBCO_NET_URL /freewebco\.net/i
#describe FREEWEBCO_NET_URL Frequent SPAM content
#
#uri FREEWEBHOSTINGCENTRAL /freewebhostingcentral/i
#describe FREEWEBHOSTINGCENTRAL Frequent SPAM content
#
#uri WEB4PORNO_URL /web4porno\.com/i
#describe WEB4PORNO_URL Frequent SPAM content
#
#uri WWW_NETSITESFORFREE_NET /netsitesforfree\.net/i
#describe WWW_NETSITESFORFREE_NET Frequent SPAM content
#
#uri WWW_REMOVEYOU_COM /removeyou\.com/i
#describe WWW_REMOVEYOU_COM Frequent SPAM content
#
#uri YELLOWSUN /yellowsun01\.com/i
#describe YELLOWSUN Frequent SPAM content
#
#rawbody CARRIAGE_RETURNS eval:check_carriage_returns()
#describe CARRIAGE_RETURNS Message contains a lot of ^M characters
#lang fr describe CARRIAGE_RETURNS Message contennant plein de caractères ^M (retour chariot)
#
#header NIGERIAN_SUBJECT3 Subject =~ /^(?:Re:|\[.{1,10}\])?\s*your assistance\b/i
#describe NIGERIAN_SUBJECT3 Subject is indicative of a Nigerian spam
#header NIGERIAN_SUBJECT4 Subject =~ /^(?:Re:|\[.{1,10}\])?\s*i need your urgent\b/i
#describe NIGERIAN_SUBJECT4 Subject is indicative of a Nigerian spam
#header NIGERIAN_SUBJECT5 Subject =~ /^(?:Re:|\[.{1,10}\])?\s*treat as urgent\b/i
#describe NIGERIAN_SUBJECT5 Subject is indicative of a Nigerian spam
#header NIGERIAN_SUBJECT7 Subject =~ /^(?:Re:|\[.{1,10}\])?\s*[!*_-]+\s*(?:business|urgent)/i
#describe NIGERIAN_SUBJECT7 Subject is indicative of a Nigerian spam
#header NIGERIAN_SUBJECT8 Subject =~ /^(?:Re:|\[.{1,10}\])?\s*(?:appeal|request) for urgent assistance$/i
#describe NIGERIAN_SUBJECT8 Subject is indicative of a Nigerian spam
#
#meta FORGED_MUA_MUTT __USER_AGENT_MUTT && !__VALID_MUTT_MSGID
#describe FORGED_MUA_MUTT Forged mail pretending to be sent from Mutt
#
#body EU_EMAIL_OPTOUT /EU (?:e-?mail opt.?out|e.?commerce) directive/i
#describe EU_EMAIL_OPTOUT Claims compliance with European spam regulations

#header APPROVED_BY exists:Approved-By
#describe APPROVED_BY Has an Approved-By moderated list header
#tflags APPROVED_BY nice
#score APPROVED_BY -1.434 -0.534 -0.344 -0.275

# This is a Bugzilla bug status report e-mail and probably OK
#header BUGZILLA_BUG eval:message_from_bugzilla()
#describe BUGZILLA_BUG Looks like a Bugzilla bug
#tflags BUGZILLA_BUG nice
#lang fr describe BUGZILLA_BUG L'entête Subject ressemble à un bug publié dans Bugzilla
#lang it describe BUGZILLA_BUG Sembrerebbe un bug di Bugzilla
#score BUGZILLA_BUG -6.400 -6.300 -2.900 -6.300

#header CRON_ENV exists:X-Cron-Env
#describe CRON_ENV Has a X-Cron-Env header
#tflags CRON_ENV nice
#score CRON_ENV -6.400 -6.300 -5.701 -5.701

#header DEBIAN_BTS_BUG eval:message_from_debian_bts()
#describe DEBIAN_BTS_BUG Looks like a Debian BTS bug
#tflags DEBIAN_BTS_BUG nice
#score DEBIAN_BTS_BUG -5.701 -5.801 0 -2.900

#body DISCLAIMER_LEGALESE /This e?-?mail.{1,20}confidential.{1,20}legally privileged/i
#describe DISCLAIMER_LEGALESE Contains what looks like an 'E-Mail Disclaimer'
#tflags DISCLAIMER_LEGALESE nice
#score DISCLAIMER_LEGALESE 0 0 -2.601 0

# The regexp begins with "(?:\"|--- )?" because, in addition to
# possibly beginning with a double quote, it might also begin with
# "--- ", which is used by the Yahoo! groups web form when
# doing attribution.
#
# The regexp ends with "\s*(?:$|>)" rather than "$" because, by
# the time the "body" tests are done, this:
#
#   foo@bar.com writes:
#   > blah blah blah
#
# becomes
#
#   foo@bar.com writes: > blah blah blah
#
#body EMAIL_ATTRIBUTION /^(?:\"|--- )?\w.{4,80} (?:wrote|writes):\s*(?:$|>)/
#describe EMAIL_ATTRIBUTION Contains what looks like an email attribution
#tflags EMAIL_ATTRIBUTION nice
#score EMAIL_ATTRIBUTION -6.600 -6.500 -6.500 -6.500
#test EMAIL_ATTRIBUTION ok At 15:43 2/26/2002 +0000, Rich Webster wrote:
#test EMAIL_ATTRIBUTION ok On Tue, 2001-12-04 at 04:45, Matthew Cline wrote:
#test EMAIL_ATTRIBUTION ok foo@bar.com writes:
#test EMAIL_ATTRIBUTION ok --- In FruityGroup@y..., hopefuldreamer13@a... wrote:
#test EMAIL_ATTRIBUTION fail foo@bar.com writed:
#test EMAIL_ATTRIBUTION fail wrote:

#header __EVITE_CTYPE Content-Type =~ /(?:multipart\/alternative|text\/(?:plain|html));/
#header __EVITE_RCVD Received =~ /\b(?:evite|evt\S*\.citysearch)\.com/
#uri __EVITE_URI /\bevite(?:\.citysearch)?\.com\/.*iid=[A-Z]{20}/
#meta EVITE ((__EVITE_RCVD && __EVITE_URI) || (__EVITE_CTYPE && (__EVITE_RCVD || __EVITE_URI)))
#describe EVITE Message looks like an Evite
#tflags EVITE nice
#lang fr describe EVITE Contient une référence à evite.citysearch.com
#lang it describe EVITE Contiene un riferimento a 'evite.citysearch.com'
# Message from evite.com
#score EVITE -2.900 -0.488 -2.696 -2.796

#header FAILURE_NOTICE_1 Subject =~ /^(?:failure notice|returned mail:|Delivery Status Notification|Undeliverable:)/i
#describe FAILURE_NOTICE_1 Mailer daemon failure notice (1)
#tflags FAILURE_NOTICE_1 nice
#score FAILURE_NOTICE_1 0 -0.018 0 0

#body FAILURE_NOTICE_2 /\b(?:Delivery to the following recipients failed|This Message was undeliverable|The following addresses had permanent fatal errors|did not reach the following recipient)\b/i
#describe FAILURE_NOTICE_2 Mailer daemon failure notice (2)
#tflags FAILURE_NOTICE_2 nice
#score FAILURE_NOTICE_2 0 -1.559 0 0

# spamassassin@davidgreenaway.com (David Greenaway)
#body FORGOTTEN_PASSWORD /[fF]org[oe]t.{0,25}[pP]assword/
#describe FORGOTTEN_PASSWORD Contains a password retrieval system
#tflags FORGOTTEN_PASSWORD nice
#score FORGOTTEN_PASSWORD -0.620 -0.981 -0.217 -0.563

#header FROM_EGROUPS X-eGroups-Return =~ /^sentto-.*\@returns\.groups\.yahoo\.com$/
#describe FROM_EGROUPS Appears to be from yahoo groups
#tflags FROM_EGROUPS nice
#score FROM_EGROUPS -0.614 -3.100 -0.600 -0.600
#test FROM_EGROUPS ok sentto-2537484-52529-1020428367-Sxm=olswang.com@returns.groups.yahoo.com
#test FROM_EGROUPS fail spammer@returns.groups.yahoo.com

#header FWD_MSG Subject =~ /Fwd:\s/
#describe FWD_MSG Forwarded email
#tflags FWD_MSG nice
#test FWD_MSG ok Subject: Fwd: Dracula
#test FWD_MSG ok Subject: [landho] Fwd: tell rod
#test FWD_MSG fail Subject: Fwd:Pure Opt-In for half the price
#test FWD_MSG fail Subject: Re: RE: FWD: search results . . .
#score FWD_MSG 0 -0.145 0 0

#header GENUINE_EBAY_RCVD eval:check_for_from_domain_in_received_headers('ebay.com', 'true')
#describe GENUINE_EBAY_RCVD Message from eBay
#tflags GENUINE_EBAY_RCVD nice
#score GENUINE_EBAY_RCVD -2.600 -2.900 -1.401 -2.900

#body GROUPS_YAHOO_1 /^Your use of Yahoo! Groups is subject to http:\/\/\Qdocs.yahoo.com\E\/info\/terms\//
#describe GROUPS_YAHOO_1 Yahoo! Groups message
#tflags GROUPS_YAHOO_1 nice
#score GROUPS_YAHOO_1 -5.801

# Till now no spammer told me where he's working at :o)
# -- Malte
# freqs: 2.273 0.383 3.416 0.10 1.00 HAS_ORGANIZATION
#header HAS_ORGANIZATION exists:Organization
#describe HAS_ORGANIZATION Where are you working at?
#tflags HAS_ORGANIZATION nice

#body HOTMAIL_FOOTER1 /Send and receive Hotmail on your mobile device\b/
#describe HOTMAIL_FOOTER1 Common footer for Hotmail
#tflags HOTMAIL_FOOTER1 nice
#score HOTMAIL_FOOTER1 0 0 0 -1.401

#body HOTMAIL_FOOTER2 /Get your FREE download of MSN Explorer at\b/
#describe HOTMAIL_FOOTER2 Common footer for Hotmail
#tflags HOTMAIL_FOOTER2 nice

#body HOTMAIL_FOOTER3 /Get Your Private, Free E-mail from MSN Hotmail at http:\/\/www\.hotmail\.com\./
#describe HOTMAIL_FOOTER3 Common footer for Hotmail
#tflags HOTMAIL_FOOTER3 nice

#body HOTMAIL_FOOTER4 /Join the world's largest e-mail service with MSN Hotmail\./
#describe HOTMAIL_FOOTER4 Common footer for Hotmail
#tflags HOTMAIL_FOOTER4 nice
#score HOTMAIL_FOOTER4 -2.900 -2.900 0 0

#body HOTMAIL_FOOTER5 /Chat with friends online, try MSN Messenger\b/
#describe HOTMAIL_FOOTER5 Common footer for Hotmail
#tflags HOTMAIL_FOOTER5 nice
#score HOTMAIL_FOOTER5 -0.122 0 0 0

#body HTML_COMMENT_EGP eval:html_test('comment_egp')
#describe HTML_COMMENT_EGP HTML comment contains non-spam Yahoo! Groups banner
#tflags HTML_COMMENT_EGP nice

#header IN_REP_TO exists:In-Reply-To
#describe IN_REP_TO Has a In-Reply-To header
#tflags IN_REP_TO nice
#lang de describe IN_REP_TO 'In-Reply-To' Zeile gefunden
#lang fr describe IN_REP_TO Contient l'entête In-Reply-To:
#lang it describe IN_REP_TO Presente l'header In-Reply-To:
#score IN_REP_TO -3.300 -3.301 -0.600 -3.201

# came from a known mailing list system -- but one which does *not* have
# built-in (or working!) spam filtering.
#header KNOWN_MAILING_LIST eval:detect_mailing_list()
#describe KNOWN_MAILING_LIST Email came from some known mailing list software
#tflags KNOWN_MAILING_LIST nice
#score KNOWN_MAILING_LIST -0.600 -0.912 -0.017 -0.601

#header MAILER_DAEMON From =~ /^(?:Mail Delivery \w+ )??(?: \(Mail Delivery \w+\))?$/i
#describe MAILER_DAEMON From the Mailer-Daemon
#tflags MAILER_DAEMON nice
#score MAILER_DAEMON -0.189 0 0 -2.596

#body MAILMAN_CONFIRM /^We have received a request from \S+ for subscription of your email address, \S+, to the \S+ mailing list\./
#describe MAILMAN_CONFIRM A MailMan confirm-your-address message
#tflags MAILMAN_CONFIRM nice

# mailman list reminder mails are getting tagged in 2.41, adding a rule to check for these
#header __FROM_MAILMAN_OWNER From:addr =~ /^mailman-owner@/
#header __SUBJECT_MAILMAN_REMIND Subject =~ /\bmailing list memberships reminder\b/
#meta MAILMAN_REMINDER (__FROM_MAILMAN_OWNER && __SUBJECT_MAILMAN_REMIND)
#describe MAILMAN_REMINDER Mail headers indicate a mailman membership reminder
#tflags MAILMAN_REMINDER nice
#score MAILMAN_REMINDER -1.505 0 0 -2.900

# give a negative score to Majordomo results.
#header MAJORDOMO Subject =~ /Majordomo (?:request )?results/
#describe MAJORDOMO From Majordomo
#tflags MAJORDOMO nice
#lang fr describe MAJORDOMO L'entête Subject: semble venir du gestionaire de listes Majordomo
#lang it describe MAJORDOMO Mail generata da Majordomo (gestore mailing-list)
#score MAJORDOMO -2.900 0 -2.900 0

# 3.351 0.0060 4.5117 0.001 0.97 -1.00 T_MSGID_GOOD_EXCHANGE
#header MSGID_GOOD_EXCHANGE Message-Id =~ /^<[A-Z]{28}\.\S+\@\S+>$/
#describe MSGID_GOOD_EXCHANGE Message-Id indicates the message was sent from MS Exchange
#tflags MSGID_GOOD_EXCHANGE nice
#score MSGID_GOOD_EXCHANGE -5.801 -5.701 -5.701 -5.701

# from Theo Van Dinter, see http://www.hughes-family.org/bugzilla/show_bug.cgi?id=591
#body MSN_GROUPS eval:check_for_msn_groups_headers()
#describe MSN_GROUPS Came from MSN Communities
#tflags MSN_GROUPS nice

#body MSN_FOOTER1 /MSN Photos is the easiest way to share and print your photos\b/
#describe MSN_FOOTER1 Common footer for MSN
#tflags MSN_FOOTER1 nice
#score MSN_FOOTER1 0 0 0 -1.401

#header __ORIG_MESSAGE_AGENT X-Mailer =~ /\b(?:Microsoft Outlook|Internet Mail Service|Mozilla|AOL)\b/
#rawbody __ORIG_MESSAGE_LINE /^-{5,8} ?Original Message ?-{5,8}$/
#meta ORIGINAL_MESSAGE (__ORIG_MESSAGE_AGENT && __ORIG_MESSAGE_LINE)
#describe ORIGINAL_MESSAGE Looks like a reply to a message
#tflags ORIGINAL_MESSAGE nice
#score ORIGINAL_MESSAGE -3.101 -3.101 -6.300 -6.300

#rawbody PATCH_CONTEXT_DIFF /^\*{3} \S+\s+.{10,}\b\d{2}:\d{2}:\d{2}\s/
#describe PATCH_CONTEXT_DIFF Contains what looks like a patch from diff -c
#tflags PATCH_CONTEXT_DIFF nice
#score PATCH_CONTEXT_DIFF -2.900 -2.900 0 0

#rawbody PATCH_UNIFIED_DIFF /^\@\@ [-+0-9]+,[0-9]+ [-+0-9]+,[0-9]+ \@\@$/
#describe PATCH_UNIFIED_DIFF Contains what looks like a patch from diff -u
#tflags PATCH_UNIFIED_DIFF nice
#score PATCH_UNIFIED_DIFF -6.027 -6.027 -2.900 -6.300

#rawbody __PGP_BEGIN /^-----BEGIN PGP SIGNATURE-----$/
#rawbody __PGP_MIDDLE /^[0-9A-Za-z+\/]{64}$/
#rawbody __PGP_END /^-----END PGP SIGNATURE-----$/
#meta PGP_SIGNATURE (__PGP_BEGIN && __PGP_MIDDLE && __PGP_END)
#describe PGP_SIGNATURE Contains a PGP-signed message
#tflags PGP_SIGNATURE nice
#lang fr describe PGP_SIGNATURE Contient un message avec une signature PGP
#lang it describe PGP_SIGNATURE Contiene un messaggio con firma PGP
#score PGP_SIGNATURE -6.400 -6.300 -5.701 -5.701

#header PGP_SIGNATURE_2 Content-Type =~ /protocol=.?application\/pgp-signature.?;/i
#describe PGP_SIGNATURE_2 Contains a PGP-signed message (signature attached)
#tflags PGP_SIGNATURE_2 nice
#lang fr describe PGP_SIGNATURE_2 Contient une signature PGP attachée au message
#lang it describe PGP_SIGNATURE_2 Contiene un messaggio con firma PGP
#score PGP_SIGNATURE_2 -6.400 -6.300 -6.300 -6.300
#test PGP_SIGNATURE_2 ok Content-Type: multipart/signed; micalg=pgp-sha1;protocol="application/pgp-signature"; boundary="n8g4imXOkfNTN/H1"
#test PGP_SIGNATURE_2 fail Content-Type: text/plain; charset=us-ascii

#rawbody QUOTED_EMAIL_TEXT /^>+\s+.{60,72}$/
#describe QUOTED_EMAIL_TEXT Contains what looks like a quoted email text
#tflags QUOTED_EMAIL_TEXT nice
#score QUOTED_EMAIL_TEXT -3.301 -3.201 -3.201 -3.201

#body QUOTE_TWICE_1 /^> >\s/
#describe QUOTE_TWICE_1 Contains twice quoted reply
#tflags QUOTE_TWICE_1 nice
#score QUOTE_TWICE_1 -0.600 -0.600 -0.601 -0.600

# some non-spam rules from http://www.darkmere.gen.nz/2002/0628.html
#header Q_FOR_SELLER Subject =~ /Question.*(?:for|to|from eBay).*(?:seller|Member)/
#describe Q_FOR_SELLER Subject is an eBay question
#tflags Q_FOR_SELLER nice
#lang de describe Q_FOR_SELLER Betreff ist eine eBay Frage
#lang fr describe Q_FOR_SELLER L'entête Subject: est une question issue d'eBay
#lang it describe Q_FOR_SELLER Il soggetto contiene una domanda di eBay
#score Q_FOR_SELLER -1.124 -0.176 -1.643 -2.275

#header REFERENCES References =~ /^(<(?:[a-zA-Z0-9.!\#\$%&'*\+\/=?\^_{}|~-]+|\".+\")\@(?:[a-zA-Z0-9.-]+|\[\d{1,3}(?:\.\d{1,3}){3}\])>\s*)+$/
#describe REFERENCES Has a valid-looking References header
#tflags REFERENCES nice
#score REFERENCES -6.600 -6.600 -6.500 -6.500

#meta REPLY_WITH_QUOTES ((IN_REP_TO + REFERENCES + EMAIL_ATTRIBUTION + QUOTED_EMAIL_TEXT) > 2)
#describe REPLY_WITH_QUOTES Reply with quoted text
#tflags REPLY_WITH_QUOTES nice
#score REPLY_WITH_QUOTES -6.600 -6.500 -6.400 -6.500

#header RESENT_TO exists:Resent-To
#describe RESENT_TO Has a Resent-To header
#tflags RESENT_TO nice
#score RESENT_TO -2.444 -0.753 -1.683 0

#header __SMIME_SIGNED_HDR Content-Type =~ /multipart\/signed;.*protocol=/i
#full __SMIME_SIGNED_BODY /\nContent-Type: application\/x-pkcs7-signature;/
#meta SMIME_SIGNATURE (__SMIME_SIGNED_HDR && __SMIME_SIGNED_BODY)
#describe SMIME_SIGNATURE Contains an S/MIME-signed message
#tflags SMIME_SIGNATURE nice

# signature tests
#full SIGNATURE_SHORT_DENSE eval:check_signature('1', '7', '0')
#describe SIGNATURE_SHORT_DENSE Short signature present (no empty lines)
#tflags SIGNATURE_SHORT_DENSE nice

#full SIGNATURE_LONG_DENSE eval:check_signature('8', '15', '0')
#describe SIGNATURE_LONG_DENSE Long signature present (no empty lines)
#tflags SIGNATURE_LONG_DENSE nice
#score SIGNATURE_LONG_DENSE -6.400 -6.300 -6.300 -6.300

#full SIGNATURE_LONG_SPARSE eval:check_signature('8', '15', '1')
#describe SIGNATURE_LONG_SPARSE Long signature present (empty lines)
#tflags SIGNATURE_LONG_SPARSE nice
#score SIGNATURE_LONG_SPARSE -5.801 -5.801 -3.101 -5.801

#full SIGNATURE_SHORT_SPARSE eval:check_signature('1', '7', '1')
#describe SIGNATURE_SHORT_SPARSE Short signature present (empty lines)
#tflags SIGNATURE_SHORT_SPARSE nice
#score SIGNATURE_SHORT_SPARSE 0 0 0 -0.601

#header SUBJECT_IS_IN_REVIEW Subject =~ /\bin review\b/i
#describe SUBJECT_IS_IN_REVIEW Subject contains newsletter header (in review)
#tflags SUBJECT_IS_IN_REVIEW nice

## If a USER_AGENT rule is added, make sure to modify the USER_AGENT
## rule to counter.
# User-Agent isn't usually found with spam, but ignore it if we already
# account with a compensate rule
#header __USER_AGENT exists:User-Agent
#meta USER_AGENT ( __USER_AGENT && !USER_AGENT_PINE && !USER_AGENT_MUTT && !USER_AGENT_MOZILLA_UA && !USER_AGENT_MOZILLA_XM && !USER_AGENT_MACOE && !USER_AGENT_ENTOURAGE && !USER_AGENT_KMAIL && !USER_AGENT_IMP && !USER_AGENT_TONLINE && !USER_AGENT_APPLEMAIL && !USER_AGENT_GNUS_UA && !USER_AGENT_GNUS_XM && !USER_AGENT_VM && !USER_AGENT_MSN && !USER_AGENT_FORTE && !USER_AGENT_XIMIAN )
#describe USER_AGENT Has a User-Agent header
#tflags USER_AGENT nice

# NOTE: uses rules from 20_ratware.cf
#meta USER_AGENT_AOL8 (__AOL8_MUA && __AOL8_FROM && __AOL8_RCVD && __AOL8_TO)
#describe USER_AGENT_AOL8 Headers indicates a non-spam MUA (AOL 7 or 8)
#tflags USER_AGENT_AOL8 nice

#header USER_AGENT_APPLEMAIL X-Mailer =~ /^Apple Mail \(\d\.\d+\)$/
#describe USER_AGENT_APPLEMAIL X-Mailer header indicates a non-spam MUA (Apple Mail)
#tflags USER_AGENT_APPLEMAIL nice
#lang fr describe USER_AGENT_APPLEMAIL En-tête X-Mailer provennant d'un MUA non-spammeur (Apple Mail)
#score USER_AGENT_APPLEMAIL 0 -2.092 0 -3.101

#header USER_AGENT_ENTOURAGE User-Agent =~ /^Microsoft-Entourage\/\d{1,2}(?:\.\d){1,2}\.\d{4}$/
#describe USER_AGENT_ENTOURAGE User-Agent header indicates a non-spam MUA (Entourage)
#tflags USER_AGENT_ENTOURAGE nice
#lang fr describe USER_AGENT_ENTOURAGE En-tête User-Agent provennant d'un MUA non-spammeur (Entourage)
#score USER_AGENT_ENTOURAGE 0 0 0 -5.701

#header USER_AGENT_FORTE X-Mailer =~ /^Forte Agent \d\.\d+\/\d+\.\d+$/
#describe USER_AGENT_FORTE X-Mailer header indicates a non-spam MUA (Forte)
#tflags USER_AGENT_FORTE nice
#lang fr describe USER_AGENT_FORTE En-tête X-Mailer provennant d'un MUA non spammeur MUA (Forte)
#score USER_AGENT_FORTE -2.900

#header USER_AGENT_GNUS_UA User-Agent =~ /^Gnus\/\d\.\d+ /
#describe USER_AGENT_GNUS_UA User-Agent header indicates a non-spam MUA (Gnus)
#tflags USER_AGENT_GNUS_UA nice
#lang fr describe USER_AGENT_GNUS_UA En-tête User-Agent provennant d'un MUA non-spammeur (Gnus)
#score USER_AGENT_GNUS_UA -6.400 -6.300 -2.900 -6.300

#header USER_AGENT_GNUS_XM X-Mailer =~ /^Gnus v\d(?:\.\d+){1,2}\/X?Emacs \d+\.\d+/
#describe USER_AGENT_GNUS_XM X-Mailer header indicates a non-spam MUA (Gnus)
#tflags USER_AGENT_GNUS_XM nice
#lang fr describe USER_AGENT_GNUS_XM En-tête X-Mailer provennant d'un MUA non-spammeur (Gnus)
#score USER_AGENT_GNUS_XM -1.897 -1.997 -1.240 -1.808

#header USER_AGENT_IMP User-Agent =~ /^Internet Messaging Program \(IMP\) [34]\.\d/
#describe USER_AGENT_IMP User-Agent header indicates a non-spam MUA (IMP)
#tflags USER_AGENT_IMP nice
#lang fr describe USER_AGENT_IMP En-tête User-Agent provennant d'un MUA non-spammeur (IMP)
#score USER_AGENT_IMP 0 -1.401 0 -0.475

#header USER_AGENT_KMAIL User-Agent =~ /^KMail\/1\.\d\.\d+$/
#describe USER_AGENT_KMAIL User-Agent header indicates a non-spam MUA (KMail)
#tflags USER_AGENT_KMAIL nice
#lang fr describe USER_AGENT_KMAIL En-tête User-Agent provennant d'un MUA non-spammeur (KMail)
#score USER_AGENT_KMAIL -5.800 -5.801 -6.300 -6.400

#header USER_AGENT_MACOE User-Agent =~ /^Microsoft[ -]Outlook[ -]Express[ -]Macintosh[ -]Edition/
#describe USER_AGENT_MACOE User-Agent header indicates a non-spam MUA (Outlook Express)
#tflags USER_AGENT_MACOE nice
#lang fr describe USER_AGENT_MACOE En-tête User-Agent provennant d'un MUA non-spammeur Outlook Express)
#score USER_AGENT_MACOE -3.101 -3.101 0 -3.101

#header USER_AGENT_MOZILLA_UA User-Agent =~ /^Mozilla\/5\.\d+ \(.*\) Gecko\/\d{8}(?: |$)/
#describe USER_AGENT_MOZILLA_UA User-Agent header indicates a non-spam MUA (Mozilla)
#tflags USER_AGENT_MOZILLA_UA nice
#lang fr describe USER_AGENT_MOZILLA_UA En-tête User-Agent provennant d'un MUA non-spammeur (Mozilla)
#score USER_AGENT_MOZILLA_UA -5.801 -5.800 -5.701 -6.300

#header USER_AGENT_MOZILLA_XM X-Mailer =~ /^Mozilla 4\.\d{2} \[[a-z]{2}\]/
#describe USER_AGENT_MOZILLA_XM X-Mailer header indicates a non-spam MUA (Netscape)
#tflags USER_AGENT_MOZILLA_XM nice
#lang fr describe USER_AGENT_MOZILLA_XM En-tête X-Mailer provennant d'un MUA non-spammeur Netscape)
#score USER_AGENT_MOZILLA_XM -0.236 0 0 0

# frequently forged, needs some correlation meta checks with other headers.
#header __USER_AGENT_MSN X-Mailer =~ /^MSN Explorer /
#header __HAS_XOAT X-Originalarrivaltime =~ /FILETIME/
#header __HAS_XOIP X-Originating-Ip =~ /^\[/
#meta USER_AGENT_MSN (__USER_AGENT_MSN && __HAS_XOAT && __HAS_XOIP)
#describe USER_AGENT_MSN Headers indicate valid mail from MSN
#tflags USER_AGENT_MSN nice
#lang fr describe USER_AGENT_MSN En-têtes indiquants un mail valide provenant de MSN
#score USER_AGENT_MSN -2.900

# From 0.93.2 - 1.2.5.1, message-id is:
# snprintf (buf, sizeof (buf), "<%d%02d%02d%02d%02d%02d.%c%d@%s>",
#   tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, tm->tm_hour,
#   tm->tm_min, tm->tm_sec, MsgIdPfx, getpid (), fqdn);
# MsgIdPfx = (MsgIdPfx == 'Z') ? 'A' : MsgIdPfx + 1;
# The code from mutt 1.4 adds a 'G' for some reason:
# snprintf (buf, sizeof (buf), "<%d%02d%02d%02d%02d%02d.G%c%d@%s>",
#header __VALID_MUTT_MSGID Message-Id =~ /^<[1-9]\d{3}[01]\d[0-3]\d[0-2]\d(?:[0-5]\d){2}\.G?[A-Z]\d+\@[a-zA-Z0-9._-]+>$/
#header __USER_AGENT_MUTT User-Agent =~ m@^Mutt/\d(?:\.\d+){1,4}@
#meta USER_AGENT_MUTT __USER_AGENT_MUTT && __VALID_MUTT_MSGID
#describe USER_AGENT_MUTT User-Agent header indicates a non-spam MUA (Mutt)
#tflags USER_AGENT_MUTT nice
#lang fr describe USER_AGENT_MUTT En-tête User-Agent provennant d'un MUA non-spammeur (Mutt)
#score USER_AGENT_MUTT -6.400 -6.400 -6.300 -6.300

#header USER_AGENT_PINE Message-Id =~ /^\nReceived: .*by \S+mail\.yahoo\.com via HTTP;/s
#describe YAHOO_MSGID_ADDED 'Message-Id' was added by yahoo.com, that's OK
#tflags YAHOO_MSGID_ADDED nice

#header X_ACCEPT_LANG exists:X-Accept-Language
#describe X_ACCEPT_LANG Has a X-Accept-Language header
#tflags X_ACCEPT_LANG nice

#header X_AUTH_WARNING exists:X-Authentication-Warning
#describe X_AUTH_WARNING Has a X-Authentication-Warning header
#tflags X_AUTH_WARNING nice
#lang fr describe X_AUTH_WARNING L'entête X-Authentication-Warning: est présent
#lang it describe X_AUTH_WARNING Presente header X-Authentication-Warning:
#score X_AUTH_WARNING -1.008 -1.513 -0.137 -1.409

#header X_LOOP exists:X-Loop
#describe X_LOOP Has a X-Loop header
#tflags X_LOOP nice

#header X_MAILING_LIST exists:X-Mailing-List
#describe X_MAILING_LIST Has a X-Mailing-List header
#tflags X_MAILING_LIST nice
#score X_MAILING_LIST -0.001 -0.001 -0.001 -3.101

# new "-notfirsthop" logic
#header T_RCVD_IN_PDL rbleval:check_rbl('pdl-notfirsthop', 'dialups.visi.com.')
#tflags T_RCVD_IN_PDL net

#header T_RCVD_IN_DUINV rbleval:check_rbl('duinv', 'duinv.aupads.org.')
#tflags T_RCVD_IN_DUINV net

# Warning, several big ISP's mail relays (not open to outside people)
# are listed on multihop. Do not set a high score on this. Note too
# that those IPs often are listed in unconfirmed.dsbl.org at the same
# time.
#header RCVD_IN_MULTIHOP_DSBL rbleval:check_rbl_txt('multihop', 'multihop.dsbl.org.')
#describe RCVD_IN_MULTIHOP_DSBL Received via a relay in multihop.dsbl.org
#tflags RCVD_IN_MULTIHOP_DSBL net

# tvd - 2003.02.26, trying to strengthen the anti-ratware rules
#meta T_FORGED_USER_AGENT ( __USER_AGENT_PINE + __T_USER_AGENT_MUTT + __T_USER_AGENT_MOZILLA_UA + __T_USER_AGENT_MOZILLA_XM + __T_USER_AGENT_MACOE + __T_USER_AGENT_ENTOURAGE + __T_USER_AGENT_KMAIL + __T_USER_AGENT_IMP + __USER_AGENT_TONLINE + __USER_AGENT_APPLEMAIL + __USER_AGENT_GNUS_UA + __USER_AGENT_GNUS_XM + __USER_AGENT_VM + __T_USER_AGENT_MSN + __T_USER_AGENT_FORTE + __USER_AGENT_XIMIAN > 1 )
#meta T_USER_AGENT ( __USER_AGENT && !T_FORGED_USER_AGENT && !__USER_AGENT_PINE && !__T_USER_AGENT_MUTT && !__T_USER_AGENT_MOZILLA_UA && !__T_USER_AGENT_MOZILLA_XM && !__T_USER_AGENT_MACOE && !__T_USER_AGENT_ENTOURAGE && !__T_USER_AGENT_KMAIL && !__T_USER_AGENT_IMP && !__USER_AGENT_TONLINE && !__USER_AGENT_APPLEMAIL && !__USER_AGENT_GNUS_UA && !__USER_AGENT_GNUS_XM && !__USER_AGENT_VM && !__T_USER_AGENT_MSN && !__T_USER_AGENT_FORTE && !__USER_AGENT_XIMIAN )

#header __MSGID_PINE Message-Id =~ /^",
#   tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, tm->tm_hour,
#   tm->tm_min, tm->tm_sec, MsgIdPfx, getpid (), fqdn);
# MsgIdPfx = (MsgIdPfx == 'Z') ? 'A' : MsgIdPfx + 1;
# The code from mutt 1.4 adds a 'G' for some reason:
# snprintf (buf, sizeof (buf), "<%d%02d%02d%02d%02d%02d.G%c%d@%s>",
#meta __T_USER_AGENT_MUTT __USER_AGENT_MUTT && __VALID_MUTT_MSGID && !MIME_HTML_ONLY
#meta T_USER_AGENT_MUTT __T_USER_AGENT_MUTT && !T_FORGED_USER_AGENT
#meta T_FORGED_MUA_MUTT __USER_AGENT_MUTT && !__UNUSABLE_MSGID && !__T_USER_AGENT_MUTT

#header __USER_AGENT_MOZILLA_UA User-Agent =~ /^Mozilla\/5\.\d+ \(.*\) Gecko\/\d{8}(?: |$)/
#header __MSGID_MOZILLA_UA Message-Id =~ /^<[0-9A-F]{8}\.\d+\@\S+>$/
#meta __T_USER_AGENT_MOZILLA_UA __USER_AGENT_MOZILLA_UA && __MSGID_MOZILLA_UA
#meta T_USER_AGENT_MOZILLA_UA __T_USER_AGENT_MOZILLA_UA && !T_FORGED_USER_AGENT

#header __USER_AGENT_MOZILLA_XM X-Mailer =~ /^Mozilla 4\.\d{2} \[[a-z]{2}\]/
#header __MSGID_MOZILLA_XM Message-Id =~ /^<[0-9A-F]{8}\.[0-9A-F]{8}\@\S+>$/
#meta __T_USER_AGENT_MOZILLA_XM __USER_AGENT_MOZILLA_XM && __MSGID_MOZILLA_XM
#meta T_USER_AGENT_MOZILLA_XM __T_USER_AGENT_MOZILLA_XM && !T_FORGED_USER_AGENT

#header __USER_AGENT_MACOE User-Agent =~ /^Microsoft[ -]Outlook[ -]Express[ -]Macintosh[ -]Edition/
#meta __T_USER_AGENT_MACOE __USER_AGENT_MACOE && __MSGID_ENTOURAGE
#meta T_USER_AGENT_MACOE __T_USER_AGENT_MACOE && !T_FORGED_USER_AGENT

#header __USER_AGENT_ENTOURAGE User-Agent =~ /^Microsoft-Entourage\/\d{1,2}(?:\.\d){1,2}\.\d{4}$/
#header __MSGID_ENTOURAGE Message-ID =~ /^<[0-9A-F]{8}\.[0-9A-F]+\%\S+\@\S+>$/
#meta __T_USER_AGENT_ENTOURAGE __USER_AGENT_ENTOURAGE && __MSGID_ENTOURAGE && !MIME_HTML_ONLY
#meta T_USER_AGENT_ENTOURAGE __T_USER_AGENT_ENTOURAGE && !T_FORGED_USER_AGENT

#header __USER_AGENT_KMAIL User-Agent =~ /^KMail\/1\.\d\.\d+$/
#header __MSGID_KMAIL Message-Id =~ /^<[12]\d{3}[01]\d[0-3]\d[0-2]\d[0-5]\d\.\d+\.\S+@\S+>$/
#meta __T_USER_AGENT_KMAIL __USER_AGENT_KMAIL && __MSGID_KMAIL
#meta T_USER_AGENT_KMAIL __T_USER_AGENT_KMAIL && !T_FORGED_USER_AGENT

#header __USER_AGENT_IMP User-Agent =~ /^Internet Messaging Program \(IMP\) [34]\.\d/
#header __MSGID_IMP Message-Id =~ /^<\d{9,10}\.[0-9a-f]{13}\@\S+>$/
#meta __T_USER_AGENT_IMP __USER_AGENT_IMP && __MSGID_IMP
#meta T_USER_AGENT_IMP __T_USER_AGENT_IMP && !T_FORGED_USER_AGENT
#meta T_FORGED_MUA_IMP __USER_AGENT_IMP && !__UNUSABLE_MSGID && !__T_USER_AGENT_IMP

#header __USER_AGENT_TONLINE X-Mailer =~ /^T-Online (?:e|Web)Mail \d\.\d+$/
#meta T_USER_AGENT_TONLINE __USER_AGENT_TONLINE && !T_FORGED_USER_AGENT

#header __USER_AGENT_GNUS_UA User-Agent =~ /^Gnus\/\d\.\d+ /
#meta T_USER_AGENT_GNUS_UA __USER_AGENT_GNUS_UA && !T_FORGED_USER_AGENT

#header __USER_AGENT_GNUS_XM X-Mailer =~ /^Gnus v\d(?:\.\d+){1,2}\/X?Emacs \d+\.\d+/
#meta T_USER_AGENT_GNUS_XM __USER_AGENT_GNUS_XM && !T_FORGED_USER_AGENT

#header __USER_AGENT_VM X-Mailer =~ /^\s*VM\s+\d+\.\d+\s+under\s+.{0,30}?[Ee]macs\b/
#meta T_USER_AGENT_VM __USER_AGENT_VM && !T_FORGED_USER_AGENT

# frequently forged, needs some correlation meta checks with other headers.
#meta __T_USER_AGENT_MSN (__USER_AGENT_MSN && __HAS_XOAT && __HAS_XOIP) #meta T_USER_AGENT_MSN __T_USER_AGENT_MSN && !T_FORGED_USER_AGENT #meta T_FORGED_MUA_MSN __USER_AGENT_MSN && !T_USER_AGENT_MSN #header __USER_AGENT_FORTE X-Mailer =~ /^Forte Agent \d\.\d+\/\d+\.\d+$/ #header __MSGID_FORTE Message-Id =~ /^<[0-9a-f]{8}\.\d+\@\S+>$/ #meta __T_USER_AGENT_FORTE __USER_AGENT_FORTE && __MSGID_FORTE #meta T_USER_AGENT_FORTE __T_USER_AGENT_FORTE && !T_FORGED_USER_AGENT #meta __USER_AGENT_XIMIAN (__XIMIAN_MSGID && __XIMIAN_MUA) #meta T_USER_AGENT_XIMIAN __USER_AGENT_XIMIAN && !T_FORGED_USER_AGENT #meta T_FORGED_MUA_XIMIAN __XIMIAN_MUA && !__UNUSABLE_MSGID && !__USER_AGENT_XIMIAN # low score after running mini-GA, not very high hit rate #header T_RCVD_IN_RELAYS_ORDB_ORG rbleval:check_rbl('ordb', 'relays.ordb.org.') #describe T_RCVD_IN_RELAYS_ORDB_ORG Received via a relay in relays.ordb.org #tflags T_RCVD_IN_RELAYS_ORDB_ORG net # \# is used by quite a few legit mailers; lockergnome for one #header MSGID_CHARS_SPAM MESSAGEID =~ /[:}{,!\/]/ #describe MSGID_CHARS_SPAM Message-Id has characters indicating spam #score MSGID_CHARS_SPAM 0.275 0.439 0.691 0.399 #lang sk describe MSGID_CHARS_SPAM Pole "Message-Id" obsahuje znaky indikujúce spam #lang it describe MSGID_CHARS_SPAM L'header Message-Id: contiene caratteri che indicano spam #lang fr describe MSGID_CHARS_SPAM L'entête Message-Id: contient des caractères qui indiquent un spam # tvd - 2003/05/21 - looks like orbs is down permanently :( #header RCVD_IN_ORBS rbleval:check_rbl('orbs', 'orbs.dorkslayers.com.') #describe RCVD_IN_ORBS Received via a relay in orbs.dorkslayers.com #tflags RCVD_IN_ORBS net #score RCVD_IN_ORBS 0 0.458 0 0.121 # quinlan - 2003-06-17 - decent for a dial-up RBL, but it's down right now # test again later? 
#header T_RCVD_IN_DUL_AUPADS rbleval:check_rbl('duinv-notfirsthop', 'duinv.aupads.org.') #tflags T_RCVD_IN_DUL_AUPADS net # quinlan - 2003-06-17 - good results, no documentation that I could find # test again later? #header T_RCVD_IN_INTERSIL rbleval:check_rbl('intersil', 'blackholes.intersil.net.') #tflags T_RCVD_IN_INTERSIL net # quinlan - 2003-06-18 - slow response, often slow # test again later? # still need to check for cost, policies, etc. # URL: http://vox.schpider.com/ #header T_RCVD_IN_VOX_SCHPIDER_COM rbleval:check_rbl('schpider', 'vox.schpider.com.') #tflags T_RCVD_IN_VOX_SCHPIDER_COM net # quinlan - 2003-06-18 - not getting any hits # test again later? # DNSRBL is a multi-RBL #header T_RCVD_IN_DNSRBL rbleval:check_rbl('dnsrbl', 'spam.dnsrbl.net.') #header T_RCVD_IN_DNSRBL_RELAY rbleval:check_rbl_sub('dnsrbl', '127.0.0.2') #header T_RCVD_IN_DNSRBL_DIALUP rbleval:check_rbl('dnsrbl-notfirsthop', 'spam.dnsrbl.net.', '127.0.0.3') #header T_RCVD_IN_DNSRBL_CONFIRM rbleval:check_rbl_sub('dnsrbl', '127.0.0.4') #header T_RCVD_IN_DNSRBL_SMART rbleval:check_rbl_sub('dnsrbl', '127.0.0.5') #header T_RCVD_IN_DNSRBL_SW rbleval:check_rbl_sub('dnsrbl', '127.0.0.6') #header T_RCVD_IN_DNSRBL_OPTIN rbleval:check_rbl_sub('dnsrbl', '127.0.0.7') #header T_RCVD_IN_DNSRBL_CGI rbleval:check_rbl_sub('dnsrbl', '127.0.0.8') #header T_RCVD_IN_DNSRBL_PROXY rbleval:check_rbl_sub('dnsrbl', '127.0.0.9') #tflags T_RCVD_IN_DNSRBL net #tflags T_RCVD_IN_DNSRBL_RELAY net #tflags T_RCVD_IN_DNSRBL_DIALUP net #tflags T_RCVD_IN_DNSRBL_CONFIRM net #tflags T_RCVD_IN_DNSRBL_SMART net #tflags T_RCVD_IN_DNSRBL_SW net #tflags T_RCVD_IN_DNSRBL_OPTIN net #tflags T_RCVD_IN_DNSRBL_CGI net #tflags T_RCVD_IN_DNSRBL_PROXY net # quinlan - 2003-06-20 - unresponsive to email, other blacklist of theirs # has no hits, makes me nervous about using this, but still seems like a good # list # test again later? 
#header T_RCVD_IN_DUN_DNSRBL rbleval:check_rbl('dun-notfirsthop', 'dun.dnsrbl.net.') #tflags T_RCVD_IN_DUN_DNSRBL net # quinlan - 2003-06-18 - too much stuff in one result # might revisit later if they split it up a bit # easynet.nl (formerly wirehub.net) #header T_RCVD_IN_EASYNET_BLACKHOLES rbleval:check_rbl('easynet', 'blackholes.easynet.nl.') #tflags T_RCVD_IN_EASYNET_BLACKHOLES net # quinlan - 2003-06-18 - too many FPs across the board, just asking for trouble # fiveten - many blacklists, the bulk one performs well # transfers: yes, most of the slave servers allow zone transfers # url: http://blackholes.five-ten-sg.com/ # pay-to-use: no # delist: email address contact provided #header T_RCVD_IN_FIVETEN rbleval:check_rbl('fiveten', 'blackholes.five-ten-sg.com.') #tflags T_RCVD_IN_FIVETEN net # bulk mailers that don't require confirmed opt-in from their customers, # or that have have allowed known spammers to become clients. #header T_RCVD_IN_FIVETEN_BULK rbleval:check_rbl_sub('fiveten', '127.0.0.4') #tflags T_RCVD_IN_FIVETEN_BULK net # retest all of the rest (since check_rbl_sub wasn't used before) #header T_RCVD_IN_FIVETEN_SPAM rbleval:check_rbl_sub('fiveten', '127.0.0.2') #tflags T_RCVD_IN_FIVETEN_SPAM net #header T_RCVD_IN_FIVETEN_DIALUP rbleval:check_rbl('fiveten-notfirsthop', 'blackholes.five-ten-sg.com.', '127.0.0.3') #tflags T_RCVD_IN_FIVETEN_DIALUP net #header T_RCVD_IN_FIVETEN_MULTISTAGE rbleval:check_rbl_sub('fiveten', '127.0.0.5') #tflags T_RCVD_IN_FIVETEN_MULTISTAGE net #header T_RCVD_IN_FIVETEN_SINGLESTAGE rbleval:check_rbl_sub('fiveten', '127.0.0.6') #tflags T_RCVD_IN_FIVETEN_SINGLESTAGE net #header T_RCVD_IN_FIVETEN_SPAMSUPPORT rbleval:check_rbl_sub('fiveten', '127.0.0.7') #tflags T_RCVD_IN_FIVETEN_SPAMSUPPORT net #header T_RCVD_IN_FIVETEN_WEBFORM rbleval:check_rbl_sub('fiveten', '127.0.0.8') #tflags T_RCVD_IN_FIVETEN_WEBFORM net #header T_RCVD_IN_FIVETEN_MISC rbleval:check_rbl_sub('fiveten', '127.0.0.9') #tflags T_RCVD_IN_FIVETEN_MISC net #header 
T_RCVD_IN_FIVETEN_KLEZ rbleval:check_rbl_sub('fiveten', '127.0.0.10') #tflags T_RCVD_IN_FIVETEN_KLEZ net #header T_RCVD_IN_FIVETEN_TCPA rbleval:check_rbl_sub('fiveten', '127.0.0.11') #tflags T_RCVD_IN_FIVETEN_TCPA net #header T_RCVD_IN_FIVETEN_FREE rbleval:check_rbl_sub('fiveten', '127.0.0.12') #tflags T_RCVD_IN_FIVETEN_FREE net # quinlan - 2003-06-18 - too few hits # 0.001 0.0014 0.0000 1.000 0.96 0.01 T_FAKE_HELO_DELPHI # 0.000 0.0000 0.0000 0.500 0.12 0.01 T_FAKE_HELO_DELPHI:lan # 0.003 0.0083 0.0000 1.000 0.93 0.01 T_FAKE_HELO_DELPHI:quinlan # 0.000 0.0000 0.0000 0.500 0.12 0.01 T_FAKE_HELO_DELPHI:rODbegbie # 0.000 0.0000 0.0000 0.500 0.11 0.01 T_FAKE_HELO_DELPHI:theo # This is not necessarily intended for the 2.60 release; if it's not # 1.0 S/O, just leave it in here for 2.61cvs. # #header T_FAKE_HELO_DELPHI eval:check_for_rdns_helo_mismatch("delphi\.com", "delphi\.com") #describe T_FAKE_HELO_DELPHI Host HELO did not match rDNS: delphi.com # quinlan - 2003-06-18 - too few hits (note: theo's ham hits are # probably not FPs because he has ANCIENT mail in his corpus) # 0.038 0.0602 0.0104 0.853 0.60 0.01 T_HAS_NUM_AT_DELPHI # 0.068 0.1263 0.0000 1.000 0.95 0.01 T_HAS_NUM_AT_DELPHI:lan # 0.024 0.0582 0.0000 1.000 0.93 0.01 T_HAS_NUM_AT_DELPHI:quinlan # 0.019 0.0404 0.0000 1.000 0.97 0.01 T_HAS_NUM_AT_DELPHI:rODbegbie # 0.049 0.0639 0.0240 0.727 0.35 0.01 T_HAS_NUM_AT_DELPHI:theo # delphi.com is frequently forged. but it's no longer an ISP ;) #header T_HAS_NUM_AT_DELPHI ALL =~ /\d\S+\@delphi\.com\b/ #describe T_HAS_NUM_AT_DELPHI Contains a Delphi address with a number # quinlan - 2003-06-20 - looks excellent, but no response from # maintainer about policies, load handling, and cost # test again later, probably # URL: http://www.fabel.dk/relay/ #header T_RCVD_IN_FABEL rbleval:check_rbl('fabel', 'spamsources.fabel.dk.') #describe T_RCVD_IN_FABEL Received via a relay in spamsources.fabel.dk #tflags T_RCVD_IN_FABEL net
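
# Added example (not part of the SpamAssassin rules file or its code): the Mutt
# User-Agent / Message-Id correlation from the rules above, run over constructed headers.
# The function names and the unusable_msgid / html_only flags (standing in for
# __UNUSABLE_MSGID and MIME_HTML_ONLY, which are defined outside this file) are assumptions.

```python
import re
from datetime import datetime

# Patterns transcribed from the commented-out rules on this page.
USER_AGENT_MUTT = re.compile(r"^Mutt/\d(?:\.\d+){1,4}")
VALID_MUTT_MSGID = re.compile(
    r"^<[1-9]\d{3}[01]\d[0-3]\d[0-2]\d(?:[0-5]\d){2}\.G?[A-Z]\d+@[a-zA-Z0-9._-]+>$")


def next_prefix(prefix):
    """MsgIdPfx cycles A..Z, as in the quoted Mutt source comment."""
    return "A" if prefix == "Z" else chr(ord(prefix) + 1)


def mutt_msgid(ts, prefix, pid, fqdn, with_g=False):
    """Build a Message-Id following the two snprintf() formats quoted above."""
    g = "G" if with_g else ""  # mutt 1.4 variant inserts a literal 'G'
    return f"<{ts:%Y%m%d%H%M%S}.{g}{prefix}{pid}@{fqdn}>"


def evaluate(headers, unusable_msgid=False, html_only=False):
    """Combine the header tests the way the page's meta rules do.

    unusable_msgid and html_only are assumed inputs; the rules that set
    them are not defined in this file.
    """
    ua = bool(USER_AGENT_MUTT.search(headers.get("User-Agent", "")))
    msgid = bool(VALID_MUTT_MSGID.search(headers.get("Message-Id", "")))
    t_ua = ua and msgid and not html_only
    return {
        "USER_AGENT_MUTT": ua and msgid,
        "__T_USER_AGENT_MUTT": t_ua,
        "T_FORGED_MUA_MUTT": ua and not unusable_msgid and not t_ua,
    }


# Constructed sample headers (not taken from real mail).
GENUINE = {"User-Agent": "Mutt/1.4i",
           "Message-Id": mutt_msgid(datetime(2003, 6, 18, 14, 5, 9), "A", 4242,
                                    "mail.example.org", with_g=True)}
FORGED = {"User-Agent": "Mutt/1.4i",
          "Message-Id": "<0123456789abcdef@bulk.example.net>"}

if __name__ == "__main__":
    for name, hdrs in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, hdrs["Message-Id"], evaluate(hdrs))
```

# As the T_FORGED_MUA_MUTT meta is written, a message with a valid Mutt Message-Id
# that is HTML-only is also flagged, because !MIME_HTML_ONLY is part of __T_USER_AGENT_MUTT.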