# NOTE(review): this copy of the rules file arrived collapsed onto a few very long
# lines, and some tag-like angle-bracket spans appear to have been stripped from it.
# Statements are restored one per line below; spots that look truncated are flagged
# inline and should be checked against the upstream file rather than trusted as-is.

# Ensure plugin-based rules used for FP avoidance exist
# even if the plugin is not loaded, or an older version is loaded
#
# Pattern: a __LCL__ alias is defined for each plugin-provided rule. When the plugin
# (or the eval function it needs) is present the alias mirrors the real rule; otherwise
# it is defined as 0, so metas further down can reference the alias without tripping
# over an undefined rule name.
# __KAM_BODY_LENGTH_LT_128
ifplugin Mail::SpamAssassin::Plugin::BodyEval
  if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
    meta __LCL__KAM_BODY_LENGTH_LT_128 __KAM_BODY_LENGTH_LT_128
  else
    meta __LCL__KAM_BODY_LENGTH_LT_128 0
  endif
else
  meta __LCL__KAM_BODY_LENGTH_LT_128 0
endif
# __KAM_BODY_LENGTH_LT_512
ifplugin Mail::SpamAssassin::Plugin::BodyEval
  if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
    meta __LCL__KAM_BODY_LENGTH_LT_512 __KAM_BODY_LENGTH_LT_512
  else
    meta __LCL__KAM_BODY_LENGTH_LT_512 0
  endif
else
  meta __LCL__KAM_BODY_LENGTH_LT_512 0
endif
# __KAM_BODY_LENGTH_LT_1024
ifplugin Mail::SpamAssassin::Plugin::BodyEval
  if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
    meta __LCL__KAM_BODY_LENGTH_LT_1024 __KAM_BODY_LENGTH_LT_1024
  else
    meta __LCL__KAM_BODY_LENGTH_LT_1024 0
  endif
else
  meta __LCL__KAM_BODY_LENGTH_LT_1024 0
endif
# __ENV_AND_HDR_FROM_MATCH
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
  meta __LCL__ENV_AND_HDR_FROM_MATCH __ENV_AND_HDR_FROM_MATCH
else
  meta __LCL__ENV_AND_HDR_FROM_MATCH 0
endif
# __TVD_SPACE_RATIO
# NOTE(review): the plugin-present branch below is empty in this copy; the real
# __TVD_SPACE_RATIO rule is presumably defined in another file — confirm.
ifplugin Mail::SpamAssassin::Plugin::BodyEval
#
else
  meta __TVD_SPACE_RATIO 0
endif
#
#header REPLYTO_MANY_AT Reply-To =~ /\@.+\@/
#describe REPLYTO_MANY_AT More than one @ in Reply-To:
#
#header SENDER_MANY_AT Sender =~ /\@.+\@/
#describe SENDER_MANY_AT More than one @ in Sender:
#
#header FROM_MANY_AT From =~ /\@.+\@/
#describe FROM_MANY_AT More than one @ in From:
#
# Last external relay is a non-loopback IP whose rDNS claims to be "localhost".
# NOTE(review): the tail of this regex may have been lost in this copy — confirm upstream.
header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
describe RDNS_LOCALHOST Sender's public rDNS is "localhost"
#body EU_SPAM_LAW m,Directive 2000/31/EC of the European Parliament,i
#describe EU_SPAM_LAW Quoting "European Parliament" spam law
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# Attachment whose declared MIME type and filename extension disagree: a text/html
# part or a filename ending in .htm/.html, or a generic application/octet-stream
# part carrying an .html/.txt/.doc/.rtf/.pdf/.jpg/.gif filename.
mimeheader __HTML_ATTACH_01 Content-Type =~ m,\btext/html\b.+\.[a-z]?html?\b,i
mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.[a-z]?html?\b,i
meta HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02
describe HTML_ATTACH HTML attachment to bypass scanning?
mimeheader OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.[a-z]?html?\b,i
describe OBFU_HTML_ATTACH HTML attachment with non-text MIME type
mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i
describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type
#score OBFU_TEXT_ATTACH 2.5
tflags OBFU_TEXT_ATTACH publish
mimeheader OBFU_DOC_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i
describe OBFU_DOC_ATTACH MS Document attachment with generic MIME type
#score OBFU_DOC_ATTACH 0.25
mimeheader OBFU_PDF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i
describe OBFU_PDF_ATTACH PDF attachment with generic MIME type
#score OBFU_PDF_ATTACH 0.25
mimeheader OBFU_JPG_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i
describe OBFU_JPG_ATTACH JPG attachment with generic MIME type
#score OBFU_JPG_ATTACH 1.50
mimeheader OBFU_GIF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i
describe OBFU_GIF_ATTACH GIF attachment with generic MIME type
#score OBFU_GIF_ATTACH 1.50
meta OBFU_ATTACH_MISSP __FROM_RUNON && (OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || OBFU_DOC_ATTACH || OBFU_PDF_ATTACH || OBFU_JPG_ATTACH || OBFU_GIF_ATTACH)
describe OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From
# mimeheader ECMSNGR_MH X-ecm-part-format =~ /./
# describe ECMSNGR_MH eC-Messenger header
# Content-Type whose value starts with the parameter separator, i.e. no media type at all.
mimeheader __CTYPE_NULL Content-Type =~ /^\s*;/
meta CTYPE_NULL __CTYPE_NULL
describe CTYPE_NULL Malformed Content-Type header
# zip/compress MIME type with no filename parameter following it
mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i
meta OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02
describe OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware
# quoted name= parameter with no dot (no extension) that is not an RFC 2047 encoded-word
mimeheader __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i
meta DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH_MT || __DOC_ATTACH_MT)
describe DOC_ATTACH_NO_EXT Document attachment with suspicious name
mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i
# see https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39?gi=7ec45f2481ce
# Both plain (filename="...") and RFC 2231 (filename*=UTF-8''...) parameter forms are covered.
mimeheader __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]+|\*(?:\d+\*)?=(?:UTF-8'')?\S+)\.SettingContent-ms\b/i
mimeheader __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i
# others
# Archive/disk-image attachment (ace, zip, rar, r17, 7z, gz, z, iso) whose name contains an
# invoice/statement/payment lure, or a fake inner extension (pdf/img/png/gif/jpg) separated
# by a dot, comma, underscore or middle dot (given both URL-encoded %C2%B7 and raw UTF-8 bytes).
mimeheader __MALW_ATTACH_02_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:invoice|statement|payment(?: advice)?|(?:[.,_]|%C2%B7|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i
mimeheader __MALW_ATTACH_02_02 Content-Type =~ /\bname="?[^"]*(?:invoice|statement|payment(?: advice)?|(?:[.,_]|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i
meta __MALW_ATTACH __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02 || __MALW_ATTACH_02_01 || __MALW_ATTACH_02_02
meta MALW_ATTACH __MALW_ATTACH && !__HAS_THREAD_INDEX
describe MALW_ATTACH Attachment filename suspicious, probable malware exploit
tflags MALW_ATTACH publish
mimeheader __ISO_ATTACH Content-Disposition =~ m,\bfilename="?[^"]+\.iso[";$],i
mimeheader __ISO_ATTACH_MT Content-Type =~ m,\bapplication/x-iso9660-image\b,i
meta ISO_ATTACH __ISO_ATTACH || __ISO_ATTACH_MT
describe ISO_ATTACH ISO attachment - possible malware delivery
score ISO_ATTACH 3.000 # limit
# Double extension: a name like something.pdf.html (or .docx.htm), i.e. an HTML file
# dressed up as a document. Separator may be dot, underscore or middle dot.
mimeheader __PHISH_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:\.|%C2%B7|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i
mimeheader __PHISH_ATTACH_01_02 Content-Type =~ /\bname="?[^"]*(?:\.|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i
meta PHISH_ATTACH (__PHISH_ATTACH_01_01 || __PHISH_ATTACH_01_02) && !__HAS_SENDER
describe PHISH_ATTACH Attachment filename suspicious, probable phishing
tflags PHISH_ATTACH publish
mimeheader __TEXT_XML_MT Content-Type =~ m,\btext/xml\b,i
mimeheader __MSO_THEME_MT Content-Type =~ m,\bapplication/vnd.ms-officetheme\b,i
mimeheader __X_MSO_MT Content-Type =~ m,\bapplication/x-mso\b,i
meta __ATTACH_MSO_MHTML __TEXT_XML_MT && __MSO_THEME_MT && __X_MSO_MT
# Misspelled transfer encoding ("bas64" rather than "base64").
mimeheader __CTE_BAS64 Content-Transfer-Encoding =~ /\bbas64\b/i
meta CTE_BAS64 __CTE_BAS64
# NOTE(review): the describe text says "Content-Type-Encoding", but the rule above
# matches the Content-Transfer-Encoding header ("Malformated" is also a typo).
describe CTE_BAS64 Malformated Content-Type-Encoding
score CTE_BAS64 2.000 # limit
tflags CTE_BAS64 publish
else
# Plugin absent: define the sub-rules as 0 so the metas that reference them stay valid.
meta __HTML_ATTACH_01 0
meta __HTML_ATTACH_02 0
meta __CTYPE_NULL 0
meta __ZIP_ATTACH_NOFN 0
meta __ATTACH_NAME_NO_EXT 0
meta __ZIP_ATTACH_MT 0
meta __MALW_ATTACH_01_01 0
meta __MALW_ATTACH_01_02 0
meta __MALW_ATTACH_02_01 0
meta __MALW_ATTACH_02_02 0
meta __ISO_ATTACH 0
meta __ISO_ATTACH_MT 0
meta __CTE_BAS64 0
endif
# general case of spample observation
#header MUA_ONE_WORD X-Mailer =~ /^[A-Za-z][a-z]*$/
#describe MUA_ONE_WORD Single word X-Mailer: not CamelCase
body DEAR_EMAIL_USER /^\s?(?:Dear\s|Attention:?\s?)(?:E|Web)-?mail\s(?:account\s)?User\b/i
describe DEAR_EMAIL_USER Dear Email User:
#score DEAR_EMAIL_USER 3.0
# from users list spamples 8/2009
uri URI_NUMERIC_CCTLD m;^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/;i
describe URI_NUMERIC_CCTLD CCTLD URI with multiple numeric subdomains
# various MUAs
header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/
header __PHPMAILER_MUA X-Mailer =~ /^PHPMailer\b/
# Two variants of the same meta: the DKIM one adds a !__DKIM_DEPENDABLE exclusion.
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
else
meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
endif
describe PHP_NOVER_MUA Mail from PHP with no version number
score PHP_NOVER_MUA 3.000 # limit
tflags PHP_NOVER_MUA publish
# From should have whitespace between the comment and the address
# Better S/O, good enough for standalone rule
# NOTE(review): the next line is truncated in this copy (the regex is never closed and
# ends in a stray "10 points already" remnant); some rules between here and the
# commented FROM_MISSP_URI meta, including __FROM_RUNON, are probably missing — confirm upstream.
header __FROM_MISSPACED From =~ /^\s*"[^"]*" 10 points already
#meta __FROM_MISSP_URI __FROM_RUNON_UNCODED && __HAS_ANY_URI
#meta FROM_MISSP_URI __FROM_MISSP_URI && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !MISSING_MIMEOLE && !__REPTO_QUOTE && !__UNSUB_LINK && !__MSGID_OK_HEX && !__MAIL_LINK && !__MIME_QP && !__BUGGED_IMG && !MIME_BASE64_TEXT && !__CTYPE_MULTIPART_ALT && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__THREADED && !__TAG_EXISTS_META
#describe FROM_MISSP_URI From misspaced, has URI
#score FROM_MISSP_URI 2.00 # max
meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER)
describe FROM_MISSP_USER From misspaced, from "User"
# all hits > 10 points already
#meta FROM_MISSP_NO_TO (__FROM_RUNON && MISSING_HEADERS)
#describe FROM_MISSP_NO_TO From misspaced, To missing
meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED)
describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed
# 0 hits 8/2016
#ifplugin Mail::SpamAssassin::Plugin::DKIM
# meta __FROM_MISSP_DKIM (__FROM_RUNON_UNCODED && __DKIM_DEPENDABLE)
# tflags __FROM_MISSP_DKIM net
# meta FROM_MISSP_DKIM __FROM_MISSP_DKIM && !__CTYPE_MULTIPART_ALT && !__MIME_QP && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__MIME_BASE64 && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
# describe FROM_MISSP_DKIM From misspaced, DKIM dependable
#else
# meta __FROM_MISSP_DKIM 0
#endif
meta __FROM_MISSP_REPLYTO __FROM_RUNON && __HAS_REPLY_TO
meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY && !__DOS_HAS_LIST_UNSUB
describe FROM_MISSP_REPLYTO From misspaced, has Reply-To
score FROM_MISSP_REPLYTO 2.500 # limit
## To the same
# NOTE(review): the next comment line is garbled in this copy; __FROM_EQ_ORG_1, referenced
# by the commented FROM_EQ_ORG meta below, is not defined anywhere visible here — confirm upstream.
#header TO_MISSPACED To =~ /^\s*"[^"]*"]+>\n.*Organization: \1\n/ism
header __FROM_EQ_ORG_2 ALL =~ /\nOrganization: ([^\n]+)\n.*From: "?\1"?/ism
#meta FROM_EQ_ORG __FROM_EQ_ORG_1 || __FROM_EQ_ORG_2
#describe FROM_EQ_ORG From: same as Organization:
#tflags FROM_EQ_ORG publish
# observed in UCE 9/2009
#header __HDRS_LCASE ALL =~ /\n(?:Reply-to|Message-id|Content-type|X-MSMail-priority|from|subject|to|Disposition-notification-to):/sm
# Counts header names written with non-standard capitalization (up to 3 hits).
header __HDRS_LCASE ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm
tflags __HDRS_LCASE multiple maxhits=3
# __MSGID_APPLEMAIL is uppercase-only GUID message_id. This may be redundant.
# NOTE(review): the next line is truncated in this copy (regex never closed, stray " 1"
# remnant). The __MANY_HDRS_LCASE sub-rule that MANY_HDRS_LCASE references below is
# not defined anywhere visible here and was probably lost at this spot — confirm upstream.
header __MSGID_GUID Message-ID =~ /^ 1
meta __TOOMANY_HDRS_LCASE __HDRS_LCASE > 2
# Two variants of the same meta: the FreeMail one adds a !__freemail_safe exclusion.
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
else
meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
endif
describe MANY_HDRS_LCASE Odd capitalization of multiple message headers
score MANY_HDRS_LCASE 0.10 # limit
# Some metas that appear to perform well in masscheck
#meta __HDRS_LCASE_1K __HDRS_LCASE && __SINGLE_HEADER_1K
#meta HDRS_LCASE_1K __HDRS_LCASE_1K && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__MIME_QP && !__BUGGED_IMG && !__BOUNCE_RPATH_NULL && !__NOT_SPOOFED && !__DKIM_EXISTS && !__RDNS_NONE
#describe HDRS_LCASE_1K Odd capitalization of message headers + long header
#score HDRS_LCASE_1K 0.50 # limit
meta HDRS_LCASE_IMGONLY __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN
describe HDRS_LCASE_IMGONLY Odd capitalization of message headers + image-only HTML
score HDRS_LCASE_IMGONLY 0.10 # limit
# observed in UCE from India, 9/2009
# Empty angle-bracket address in the return-receipt header.
header MDN_BOTCHED Disposition-notification-to =~ /<>/
describe MDN_BOTCHED Malformed return receipt header
# observed in spam 9/2009
# Raw headers where Subject/From/To/Reply-To has no space after the colon.
header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism
meta HDRS_MISSP __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY)
describe HDRS_MISSP Misspaced headers
score HDRS_MISSP 2.500 # limit
tflags HDRS_MISSP publish
header SPAMMY_MIME_BDRY_01 Content-Type =~ /boundary="\@\@BOUNDARY"/
describe SPAMMY_MIME_BDRY_01 Spammy MIME boundary string
#score SPAMMY_MIME_BDRY_01 0.10 # testing
# Thunderbird-style boundary (8+ dashes then 16 digits) that contains no zero digit.
header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/
meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary
# too dangerous even if it has a good S/O and hits >20% of spam in masschecks
#meta TBIRD_SPOOF __MUA_TBIRD && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__THREADED && !__VIA_ML && !__NOT_SPOOFED && !__HAS_SENDER && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__RP_MATCHES_RCVD && !ALL_TRUSTED && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL_MESSY && !__MIME_BASE64 && !__S25R_1
#describe TBIRD_SPOOF Claims Thunderbird mail client but looks suspicious
#score TBIRD_SPOOF 2.00 # limit
# seen in a few HTML fraud spams
# The escaped character in this regex is a literal U+00AD soft hyphen (invisible in most editors).
rawbody RUNON_SHY /(?:\­){3}/i
describe RUNON_SHY Repeating soft hyphens
#score RUNON_SHY 0.1
tflags RUNON_SHY nopublish
# Seen all too often
header LAZY_LISTWASHING To =~ /\@(?:example\.com|example\.domain|your\.domain|some\.domain|domain\.dom|somewhere\.tld|somewhere\.com|your\.?domain\.com|your\.favorite\.machine)\b/i
describe LAZY_LISTWASHING Lazy spammer, painfully obvious bogus addresses
#score LAZY_LISTWASHING 0.25
# Little to work with
body __PLS_REVIEW /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i
body __DLND_ATTACH /\bdownload\sthe\sattach(?:ed|ment)\b/i
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# Word-processor / PDF attachments, detected either by MIME type or by filename extension.
mimeheader __DOC_ATTACH_MT Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i
mimeheader __DOC_ATTACH_FN1 Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i
mimeheader __DOC_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i
meta __DOC_ATTACH (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2)
mimeheader __PDF_ATTACH_MT Content-Type =~ m,\bapplication/pdf\b,i
mimeheader __PDF_ATTACH_FN1 Content-Type =~ /="[^"]+\.pdf"/i
mimeheader __PDF_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.pdf"/i
meta __PDF_ATTACH (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2)
# observed in 419 spam
# Two size= parameters in one Content-Disposition header.
mimeheader CDISP_SZ_MANY Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/
describe CDISP_SZ_MANY Suspicious MIME header
score CDISP_SZ_MANY 2.0 # limit
else
# Plugin absent: define the sub-rules as 0 so the metas that reference them stay valid.
meta __DOC_ATTACH_MT 0
meta __DOC_ATTACH_FN1 0
meta __DOC_ATTACH_FN2 0
meta __DOC_ATTACH 0
meta __PDF_ATTACH_MT 0
meta __PDF_ATTACH_FN1 0
meta __PDF_ATTACH_FN2 0
meta __PDF_ATTACH 0
endif
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta __FREEMAIL_DOC_PDF (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
meta FREEMAIL_DOC_PDF __FREEMAIL_DOC_PDF
describe FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail
meta FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED
describe FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden
meta FREEMAIL_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF
describe FREEMAIL_RVW_ATTCH Please review attached document, from freemail
endif
meta EMPTY_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __EMPTY_BODY
describe EMPTY_RVW_ATTCH Please review attached document, empty message body
# NOTE(review): the rule-type keyword (presumably "body") is missing before
# __END_FUTURE_EMAILS in this copy — confirm upstream.
# NOTE(review): "(?:a-z{1,30} )" inside this regex matches the literal text "a-" followed
# by 1-30 "z" characters, not a run of letters; "[a-z]{1,30}" looks like what was intended —
# confirm before changing, since the pattern is published with this wording.
__END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:a-z{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i
# Two variants of the same meta: the DKIM one also excludes DKIM-dependable/signed mail.
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED
else
meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER
endif
describe END_FUTURE_EMAILS Spammy unsubscribe
score END_FUTURE_EMAILS 2.500 # limit
body AD_COMPLAINTS /\bcomplaints about this ad+\b/i
describe AD_COMPLAINTS Complain about this spam
# observed in bank phishing 09/2009
#rawbody MISQ_HTML /<\w{2,20}[^>=]{1,30}=[^"][^">]{1,30}[^=]"[\s>]/
#describe MISQ_HTML Unbalanced quotes in HTML tag
#tflags MISQ_HTML nopublish
# observed in bank phishing 09/2009
uri WIKI_IMG m,^https?://[^/]+wiki[mp]edia\.org/.+\.(?:png|gif|jpe?g),i
describe WIKI_IMG Image from wikipedia
# observed in spam 09/2009
header SUBJ_RE_CLNCLN Subject =~ /^\s*RE::/
describe SUBJ_RE_CLNCLN Subject RE::
# observed in spam 02/2011
header TO_SEM_SEM To =~ /;;/
describe TO_SEM_SEM To has ";;"
tflags TO_SEM_SEM nopublish
# Six or more dot-separated labels in the host part of a URI.
uri __MANY_SUBDOM m;^https?://(?:[^\./]{1,30}\.){6};i
meta MANY_SUBDOM __MANY_SUBDOM && !__JM_REACTOR_DATE && !__UNSUB_LINK && !__VIA_ML && !NO_RELAYS && !__UPPERCASE_URI && !__MIME_QP
describe MANY_SUBDOM Lots and lots of subdomain parts in a URI
# by request of Benny Pedersen on the users list 10/9/2009
#meta RFC_ABUSE_POST (__DNS_FROM_RFC_ABUSE && __DNS_FROM_RFC_POST)
#describe RFC_ABUSE_POST Both abuse and postmaster missing on sender domain
#score RFC_ABUSE_POST 0.01
#tflags RFC_ABUSE_POST net
body CALL_SKYPE /\bCall this phone number [\w\s]{0,30}with Skype\b/
# tags shouldn't appear in the midst of text
# <span> opening/closing tags butted directly against letters; 5+ of each (counted
# separately, up to maxhits) is treated as text chopped up to defeat word matching.
rawbody __SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/
tflags __SPAN_BEG_TEXT multiple maxhits=5
rawbody __SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/
tflags __SPAN_END_TEXT multiple maxhits=5
meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4)
meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML
describe MANY_SPAN_IN_TEXT Many tags embedded within text
tflags MANY_SPAN_IN_TEXT publish
#score MANY_SPAN_IN_TEXT 2.50
#uri __FEEDPROXY_URI m;http://feedproxy\.google\.com/;i
#rawbody __FEEDPROXY m;http://feedproxy\.google\.com/;i
#tflags __FEEDPROXY multiple maxhits=5
#meta MANY_GOOG_FDPROXY __FEEDPROXY > 4
#describe MANY_GOOG_FDPROXY Many Google feedproxy URIs
# Inline style with both a single-digit px FONT-SIZE and a FLOAT, in either order.
rawbody TINY_FLOAT /\bstyle\s*=\s*"[^"]{0,40}?(?:(?:FONT-SIZE\s*:\s+\dpx|FLOAT\s*:\s+(?:right|left))(?:;\s+)?(?:(?!(?:FONT-SIZE|FLOAT))\w+:\s+\w+;?\s*)*){2}/i
describe TINY_FLOAT Has small-font floating HTML - text obfuscation?
#score TINY_FLOAT 2.00
# endless requests on the users list...
# Same address in From: and To:, written twice so it matches regardless of which header comes first.
header __TO_EQ_FROM_1 ALL =~ /\nFrom: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To: (?:[^\n]{0,80}<)?\1[>,\s\n]/ism
header __TO_EQ_FROM_2 ALL =~ /\nTo: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From: (?:[^\n]{0,80}<)?\1[>,\s\n]/ism
meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2)
describe __TO_EQ_FROM To: same as From:
#tflags __TO_EQ_FROM publish
# Suggested by Hans-Werner Friedemann on users list 09/30/2010
# improvement for 4.x+ from GBechis
# capture-rules version never hits in Masscheck, ALL version does
# NOTE(review): the named-capture group in the commented __GB_FROM_ADDR rule reads "(?.*)" in
# this copy; its group name appears to have been stripped — confirm upstream before reviving it.
#if can(Mail::SpamAssassin::Conf::feature_capture_rules)
# header __GB_FROM_ADDR From:addr =~ /(?.*)/
# header __SUBJ_HAS_FROM_1 Subject =~ /%{GB_FROM_ADDR}/i
#else
header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*Subject: [^\n]{0,100}\1[>,:\s\n]/ism
#endif
meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID
describe FROM_IN_TO_AND_SUBJ From address is in To and Subject
tflags FROM_IN_TO_AND_SUBJ publish
# Recipient address echoed in the Subject: taken from To:, from a Received: "for <addr>"
# clause, or matched the other way round (address in Subject, then found in To:).
header __SUBJ_HAS_TO_1 ALL =~ /\nTo: (?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n+(?:[^\n]{1,200}\n+)*Subject: [^\n]{0,100}\1[^a-z0-9]/ism
# NOTE(review): the capture group after "for " in this regex (and in __SUBJ_HAS_TOUSR_2
# below) reads " for ;]+)" in this copy — its opening part appears to have been stripped;
# confirm upstream.
header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for ;]+)>?;(?:[^\n]+\n+)*Subject: [^\n]{0,100}\1[^a-z0-9]/ism
header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n+)*To: [^\n]{0,100}\1[^a-z0-9.]/ism
meta __TO_IN_SUBJ (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3)
# Uses the __LCL__ENV_AND_HDR_FROM_MATCH alias defined at the top of the file, so this
# meta is valid whether or not the HeaderEval plugin is loaded.
meta TO_IN_SUBJ __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW
describe TO_IN_SUBJ To address is in Subject
tflags TO_IN_SUBJ publish
score TO_IN_SUBJ 0.1
# Same idea with only the local part (text before @) of the recipient address.
header __SUBJ_HAS_TOUSR_1 ALL =~ /\nTo: (?:[^\n<]{0,80}<)?([^@\n\s>,]+)@[^\n\s>;]+>?\n+(?:[^\n]{1,200}\n+)*Subject: [^\n]{0,100}\1[^a-z0-9]/ism
header __SUBJ_HAS_TOUSR_2 ALL =~ /\nReceived:[^\n]{0,200} for ;]+)@[^\n\s>;]+>?;(?:[^\n]+\n+)*Subject: [^\n]{0,100}\1[^a-z0-9]/ism
meta __TOUSR_IN_SUBJ (__SUBJ_HAS_TOUSR_1 || __SUBJ_HAS_TOUSR_2) && !__TO_IN_SUBJ
header __SUBJ_HAS_ANY_EMAIL Subject =~ /\b[a-z][a-z0-9_.+]+@(?:[a-z][-a-z0-9]+\.)+[a-z]{2,8}\b/i
meta __TO_EQ_FM_HTML_ONLY __TO_EQ_FROM && MIME_HTML_ONLY
meta TO_EQ_FM_HTML_ONLY __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTER
describe TO_EQ_FM_HTML_ONLY To == From and HTML only
#tflags TO_EQ_FM_HTML_ONLY publish
meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX
meta TO_EQ_FM_DIRECT_MX __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED
describe TO_EQ_FM_DIRECT_MX To == From and direct-to-MX
score TO_EQ_FM_DIRECT_MX 2.500 # limit
tflags TO_EQ_FM_DIRECT_MX publish
# Why __HUSH_HUSH hits ham on this in masscheck I don't know. Legit bank emails maybe?
meta __TO_EQ_FM_HTML_DIRECT __TO_EQ_FM_DIRECT_MX && MIME_HTML_ONLY
meta TO_EQ_FM_HTML_DIRECT __TO_EQ_FM_HTML_DIRECT && !__HUSH_HUSH
describe TO_EQ_FM_HTML_DIRECT To == From and HTML only, direct-to-MX
#tflags TO_EQ_FM_HTML_DIRECT publish
ifplugin Mail::SpamAssassin::Plugin::SPF
meta __TO_EQ_FM_SPF_FAIL __TO_EQ_FROM && SPF_FAIL
tflags __TO_EQ_FM_SPF_FAIL net
meta TO_EQ_FM_SPF_FAIL __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
describe TO_EQ_FM_SPF_FAIL To == From and external SPF failed
tflags TO_EQ_FM_SPF_FAIL net
else
meta __TO_EQ_FM_SPF_FAIL 0
endif
# Paul Stead on SA list 11/2014
# ++ not liked by perl 5.8.x
# The possessive quantifiers (++) in these regexes are why the block is guarded on perl >= 5.10.
if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
# From: display name is the To: address while the actual From: address is different.
header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism
header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n+(?:[^\n]{1,100}\n+)*To: (?:[^\n<]{0,80}<)?(\1)>?/ism
meta PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER
describe PDS_TO_EQ_FROM_NAME From: name same as To: address
# An email address in the From: display-name part followed by a different address in <...>.
header __PDS_FROM_2_EMAILS From =~ /(?:^|<|"| )([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i
meta PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__MSGID_JAVAMAIL && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__DKIM_EXISTS
describe PDS_FROM_2_EMAILS From header has multiple different addresses
score PDS_FROM_2_EMAILS 3.500 # limit
meta __FROM_MULTI_NORDNS __PDS_FROM_2_EMAILS && __RDNS_NONE
meta FROM_MULTI_NORDNS __FROM_MULTI_NORDNS
describe FROM_MULTI_NORDNS Multiple From addresses + no rDNS
meta __FROM_MULTI_SHORT_IMG __PDS_FROM_2_EMAILS && (HTML_IMAGE_ONLY_16 || HTML_SHORT_LINK_IMG_2 || __HTML_IMG_ONLY)
meta FROM_MULTI_SHORT_IMG __FROM_MULTI_SHORT_IMG && !__RCD_RDNS_MX_MESSY
describe FROM_MULTI_SHORT_IMG Multiple From addresses + short message with image
endif
# A file under wp-includes/pomo/ that is not one of the five PHP files that directory normally holds.
uri __PDS_LOC_WP_POMO m;/wp-includes/pomo/(?!(?:entry|po|mo|streams|translations)\.php).*;i
header __FROM_ALL_NUMS From:addr =~ /^\d+@/
header __TO_ALL_NUMS To:addr =~ /^\d+@/
meta __FM_TO_ALL_NUMS __FROM_ALL_NUMS && __TO_ALL_NUMS
# Same domain in From: and To:, again in both header orders.
header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom: [^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To: [^\n]+@\1[>,\s\n]/ism
header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo: [^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From: [^\n]+@\1[>,\s\n]/ism
meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2)
describe __TO_EQ_FROM_DOM To: domain same as From: domain
meta __TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FROM_DOM && MIME_HTML_ONLY
meta TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FM_DOM_HTML_ONLY && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__FM_TO_ALL_NUMS && !__FROM_LOWER && !__HAS_IN_REPLY_TO && !__BUGGED_IMG && !__FROM_ENCODED_QP && !__MSGID_OK_HEX
describe TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only
meta __TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE
meta TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD
describe TO_EQ_FM_DOM_HTML_IMG To domain == From domain and HTML image link
ifplugin Mail::SpamAssassin::Plugin::SPF
meta __TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FROM_DOM && SPF_FAIL
tflags __TO_EQ_FM_DOM_SPF_FAIL net
meta TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
describe TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed
tflags TO_EQ_FM_DOM_SPF_FAIL net
else
meta __TO_EQ_FM_DOM_SPF_FAIL 0
endif
# Evaluate Validity (née ReturnPath) and blacklist collisions
# These are unscored, unpublished (nopublish) probes: a sender on a Validity safe/certified
# list that is simultaneously on a blocklist. Useful for masscheck data, not for scoring.
#meta __VALIDITY_SAFE_BRBL RCVD_IN_VALIDITY_SAFE && RCVD_IN_BRBL_LASTEXT
#meta __VALIDITY_CERTIFIED_BRBL RCVD_IN_VALIDITY_CERTIFIED && RCVD_IN_BRBL_LASTEXT
#tflags __VALIDITY_SAFE_BRBL net nopublish
#tflags __VALIDITY_CERTIFIED_BRBL net nopublish
meta __VALIDITY_SAFE_ZEN RCVD_IN_VALIDITY_SAFE && __RCVD_IN_ZEN
meta __VALIDITY_CERTIFIED_ZEN RCVD_IN_VALIDITY_CERTIFIED && __RCVD_IN_ZEN
tflags __VALIDITY_SAFE_ZEN net nopublish
tflags __VALIDITY_CERTIFIED_ZEN net nopublish
meta __VALIDITY_SAFE_SORBS RCVD_IN_VALIDITY_SAFE && __RCVD_IN_SORBS
meta __VALIDITY_CERTIFIED_SORBS RCVD_IN_VALIDITY_CERTIFIED && __RCVD_IN_SORBS
tflags __VALIDITY_SAFE_SORBS net nopublish
tflags __VALIDITY_CERTIFIED_SORBS net nopublish
meta __VALIDITY_SAFE_XBL RCVD_IN_VALIDITY_SAFE && RCVD_IN_XBL
meta __VALIDITY_CERTIFIED_XBL RCVD_IN_VALIDITY_CERTIFIED && RCVD_IN_XBL
tflags __VALIDITY_SAFE_XBL net nopublish
tflags __VALIDITY_CERTIFIED_XBL net nopublish
meta __VALIDITY_SAFE_PSBL RCVD_IN_VALIDITY_SAFE && RCVD_IN_PSBL
meta __VALIDITY_CERTIFIED_PSBL RCVD_IN_VALIDITY_CERTIFIED && RCVD_IN_PSBL
tflags __VALIDITY_SAFE_PSBL net nopublish
tflags __VALIDITY_CERTIFIED_PSBL net nopublish
#meta __VALIDITY_SAFE_ANBREP_L3 RCVD_IN_VALIDITY_SAFE && RCVD_IN_ANBREP_L3
#meta __VALIDITY_CERTIFIED_ANBREP_L3 RCVD_IN_VALIDITY_CERTIFIED && RCVD_IN_ANBREP_L3
#tflags __VALIDITY_SAFE_ANBREP_L3 net nopublish
#tflags __VALIDITY_CERTIFIED_ANBREP_L3 net nopublish
# a URI in the From comment text, to bypass URIBL checks
# simplistic URI format for now
header __FROM_URI_1 From =~ /[^\@]www[.\s][^\s"<\@]+[.\s](?:com|net|info|biz|org|\w\w)\b.*["<]/i
header __FROM_URI_2 From =~ m;http://(?:[^.\s]+\.){1,3}(?:com|net|info|biz|org|\w\w)\b;i
meta FROM_URI __FROM_URI_1 || __FROM_URI_2
describe FROM_URI URI or www. in From
# observed in spam feb 2010
# Apparently-To per RFC2821 SHOULD NOT be used
header __APPARENTLY_TO Apparently-To =~ /<.*>/
tflags __APPARENTLY_TO multiple maxhits=21 nopublish
meta HAS_APPARENTLY_TO __APPARENTLY_TO > 0
describe HAS_APPARENTLY_TO Has deprecated Apparently-To header
#score HAS_APPARENTLY_TO 0.50
tflags HAS_APPARENTLY_TO nopublish
meta MANY_APPARENTLY_TO __APPARENTLY_TO > 20
describe MANY_APPARENTLY_TO Has many Apparently-To headers
#score MANY_APPARENTLY_TO 2.00
tflags MANY_APPARENTLY_TO nopublish
# obfuscation of "opt out"
# NOTE(review): the replace-tag placeholders that this rule relies on (replace_rules is
# applied to it below) appear to have been stripped from this copy — the empty "(?=)"
# and the break in the middle of the regex are where they stood. Confirm upstream.
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_OPTOUT /(?:$|\W)(?=)(?!opt[-\s]?out)

[-\s]?(?:$|\W)/i
replace_rules FUZZY_OPTOUT
describe FUZZY_OPTOUT Obfuscated opt-out text
endif
# stock spam disclaimer obfuscation
# body GAPPY_TRADING /\b(?!trading)t[^a-z\s]?r[^a-z\s]?a[^a-z\s]?d[^a-z\s]?i[^a-z\s]?n[^a-z\s]?g/i
# body GAPPY_SECURITIES /\b(?!securities)s[^a-z\s]?e[^a-z\s]?c[^a-z\s]?u[^a-z\s]?r[^a-z\s]?i[^a-z\s]?t[^a-z\s]?i[^a-z\s]?e[^a-z\s]?s/i
# body GAPPY_RISK /\b(?!risky?)r[^a-z\s]?i[^a-z\s]?s[^a-z\s]?k(?:[^a-z\s]?y)?/i
# body GAPPY_SELLING /\b(?!selling)s[^a-z\s]?e[^a-z\s]?l[^a-z\s]?l[^a-z\s]?i[^a-z\s]?n[^a-z\s]?g/i
# body GAPPY_HUNDRED /\b(?!hundred)h[^a-z\s]?u[^a-z\s]?n[^a-z\s]?d[^a-z\s]?r[^a-z\s]?e[^a-z\s]?d/i
# body GAPPY_THOUSAND /\b(?!thousand)t[^a-z\s]?h[^a-z\s]?o[^a-z\s]?u[^a-z\s]?s[^a-z\s]?a[^a-z\s]?n[^a-z\s]?d/i
# body GAPPY_EXPENSES /\b(?!expenses)e[^a-z\s]?x[^a-z\s]?p[^a-z\s]?e[^a-z\s]?n[^a-z\s]?s[^a-z\s]?e[^a-z\s]?s/i
# body GAPPY_DOLLARS /\b(?!dollars)d[^a-z\s]?o[^a-z\s]?l[^a-z\s]?l[^a-z\s]?a[^a-z\s]?r[^a-z\s]?s/i
#
# describe GAPPY_TRADING Possible obfuscated stock disclaimer
# describe GAPPY_SECURITIES Possible obfuscated stock disclaimer
# describe GAPPY_RISK Possible obfuscated stock disclaimer
# describe GAPPY_SELLING Possible obfuscated stock disclaimer
# describe GAPPY_HUNDRED Possible obfuscated stock disclaimer
# describe GAPPY_THOUSAND Possible obfuscated stock disclaimer
# describe GAPPY_EXPENSES Possible obfuscated stock disclaimer
# describe GAPPY_DOLLARS Possible obfuscated stock disclaimer
# "Gappy" words: the letters of the word with at most one non-letter between each pair;
# the negative lookahead excludes the word spelled normally.
body GAPPY_GENITALIA /\bp(?!enis)(?!en is)[^a-z]?e[^a-z]?n[^a-z]?i[^a-z]?s(?:\b|_)/i
describe GAPPY_GENITALIA G.a.p.p.y male body parts
body GAPPY_PILLS /\bp(?!ills)[^a-z]?i[^a-z]?l[^a-z]?l[^a-z]?s(?:\b|_)/i
describe GAPPY_PILLS G.a.p.p.y pills
# NOTE(review): the two regexes below are incomplete in this copy (the opening tag pattern
# appears to have been stripped), and the __HTML_SHRT_CMNT_OBFU rawbody that the tflags
# line further down refers to is missing entirely, leaving a stray "endif" with no visible
# opening "if". Confirm against upstream before using this section.
body __STYLE_TAG_IN_BODY /]{0,30})?>/i
body __BODY_XHTML //i
#if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
# # possessive {0,4}+ requires perl 5.10 or better
# rawbody __STYLE_GIBBERISH_1 
/]{0,40})?>(?:\s{0,100}(?!<\/style>)(?:(?:\/\*(?:\s|[^*<]|\*(?!\/)|<(?!\/style>|!--)){0,200}\*\/)|\#[^{<]{1,50}\{[^}<]{4,100}\})){0,4}+(?:\s{0,100}(?!<\/style>|\/\*|\w/
tflags __HTML_SHRT_CMNT_OBFU multiple maxhits=10
meta __HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU > 5 && HTML_MESSAGE
meta HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU_MANY
describe HTML_SHRT_CMNT_OBFU_MANY Obfuscation with many short HTML comments
score HTML_SHRT_CMNT_OBFU_MANY 2.500 # limit
tflags HTML_SHRT_CMNT_OBFU_MANY publish
endif
# Whitespace inside the parsed From: address itself.
header __FROM_ADDR_WS From:addr =~ /\s/
meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL
describe FROM_ADDR_WS Malformed From address
score FROM_ADDR_WS 3.000 # limit
tflags FROM_ADDR_WS publish
header __XM_MSWINLIVE X-Mailer =~ /^Microsoft Windows Live Mail \d+\.\d+\.\d+\.\d+/
header __XM_IPADMAIL X-Mailer =~ /^iPad Mail \([0-9A-F]{4,8}\)/
header __XM_IPHONEMAIL X-Mailer =~ /^iPhone Mail \([0-9A-F]{4,8}\)/
meta __ANY_EXTERNAL __FSL_COUNT_EXTERN > 0
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
# "s a l e s" / "l e a d s" / "c a m p a i g n" spaced out letter by letter; 3+ hits required.
body __GAPPY_SALES_LEADS /\b(?:business|e?-?mail|your|marketing|advertising)\s(?!sales|leads|campaign)(?:s\s?a\s?l\s?e\s?s|l\s?e\s?a\s?d\s?s|c\s?a\s?m\s?p\s?a\s?i\s?g\s?n)\b/i
tflags __GAPPY_SALES_LEADS multiple maxhits=3
meta __GAPPY_SALES_LEADS_MANY __GAPPY_SALES_LEADS > 2
meta GAPPY_SALES_LEADS_FREEM __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
describe GAPPY_SALES_LEADS_FREEM Obfuscated marketing text, freemail or CHN replyto
score GAPPY_SALES_LEADS_FREEM 3.500 # limit
tflags GAPPY_SALES_LEADS_FREEM publish
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __APP_DEVELOPMENT /\b(?:mobile apps|(?:apps?|portal) (?:dev(?:elop(?:ment|ed))?|design|test(?:ing)?|U[IX]|maintenance|support)|(?:we |can |have )+(?:design(?:ed)?|buil[dt]|maintain(?:ed)?|created?)(?: over| more than)?[\s0-9]+apps|different platforms|we are (?:[-a-z]+ ){1,4}(?:software|apps?) (?:company|develop(?:ers|ment)))\b/i
tflags __APP_DEVELOPMENT multiple maxhits=6
meta __APP_DEVELOPMENT_MANY __APP_DEVELOPMENT > 5
meta APP_DEVELOPMENT_FREEM __APP_DEVELOPMENT_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
describe APP_DEVELOPMENT_FREEM App development pitch, freemail or CHN replyto
score APP_DEVELOPMENT_FREEM 3.500 # limit
tflags APP_DEVELOPMENT_FREEM publish
meta APP_DEVELOPMENT_NORDNS __APP_DEVELOPMENT && __RDNS_NONE
describe APP_DEVELOPMENT_NORDNS App development pitch, no rDNS
score APP_DEVELOPMENT_NORDNS 2.000 # limit
tflags APP_DEVELOPMENT_NORDNS publish
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
# Invisible characters wedged between runs of ordinary text. The byte sequences are the
# UTF-8 encodings of U+200B/U+200C/U+200D (zero-width space/non-joiner/joiner) and U+FEFF,
# plus a bare 0x9D byte. Two or more such spots are needed before UNICODE_OBFU_ZW fires.
body __UNICODE_OBFU_ZW /[a-z0-9\s](?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+[a-z0-9\s]/i
tflags __UNICODE_OBFU_ZW multiple maxhits=10
meta __UNICODE_OBFU_ZW_2 __UNICODE_OBFU_ZW > 1
meta __UNICODE_OBFU_ZW_3 __UNICODE_OBFU_ZW > 2
meta __UNICODE_OBFU_ZW_5 __UNICODE_OBFU_ZW > 4
meta __UNICODE_OBFU_ZW_10 __UNICODE_OBFU_ZW > 9
meta UNICODE_OBFU_ZW __UNICODE_OBFU_ZW_2 && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL_MESSY && !__DOS_HAS_LIST_ID && !__USING_VERP1 && !__DOS_HAS_LIST_UNSUB && !__RCD_RDNS_SMTP && !__DKIM_EXISTS
describe UNICODE_OBFU_ZW Obfuscating text with hidden characters
score UNICODE_OBFU_ZW 3.500 # limit
tflags UNICODE_OBFU_ZW publish
meta UNICODE_OBFU_ZW_MANY __UNICODE_OBFU_ZW_10 && !__RCD_RDNS_MAIL_MESSY
describe UNICODE_OBFU_ZW_MANY Heavily obfuscating text with hidden characters
score UNICODE_OBFU_ZW_MANY 3.000 # limit
tflags UNICODE_OBFU_ZW_MANY publish
# Cyrillic look-alike letters (UTF-8 bytes for а, е, о, р, с) mixed into Latin text on
# both sides of a short run of ASCII.
body __UNICODE_OBFU_ASC /[a-z0-9\s](?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9]{1,8}(?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9\s]/i
tflags __UNICODE_OBFU_ASC multiple maxhits=10
meta __UNICODE_OBFU_ASC_MANY __UNICODE_OBFU_ASC > 9
meta UNICODE_OBFU_ASC __UNICODE_OBFU_ASC && !__SPAN_BEG_TEXT && !HTML_IMAGE_ONLY_32
describe UNICODE_OBFU_ASC Obfuscating text with unicode
score UNICODE_OBFU_ASC 2.500 # limit
tflags UNICODE_OBFU_ASC publish
# Zero-width obfuscation combined with a second signal (bitcoin address, recipient
# address echoed in To/Subject, freemail Reply-To).
meta ZW_OBFU_BITCOIN __UNICODE_OBFU_ZW && __BITCOIN_ID
describe ZW_OBFU_BITCOIN Obfuscated text + bitcoin ID - possible extortion
score ZW_OBFU_BITCOIN 2.500 # limit
meta ZW_OBFU_FROMTOSUBJ __UNICODE_OBFU_ZW && FROM_IN_TO_AND_SUBJ
describe ZW_OBFU_FROMTOSUBJ Obfuscated text + from in to and subject
score ZW_OBFU_FROMTOSUBJ 2.000 # limit
meta ZW_OBFU_FREEM __UNICODE_OBFU_ZW && __freemail_hdr_replyto
describe ZW_OBFU_FREEM Obfuscated text + freemail
score ZW_OBFU_FREEM 2.000 # limit
# Made-up "Content-X-..." style headers anywhere in the full message; 8+ of them
# sets __BOGUS_MIME_HDR_MANY (no scored rule references it in this section).
full __BOGUS_MIME_HDR /\bContent-[XYZ]-[a-z]{6,15}:\s+[a-z]{6,15}\b/
tflags __BOGUS_MIME_HDR multiple maxhits=8
meta __BOGUS_MIME_HDR_MANY __BOGUS_MIME_HDR > 7
endif
# HTML entity obfuscation per list discussion 11/2018 (thanks AC and RW)
# Broad non-ASCII didn't pan out
# body __AC_HTML_ENTITY_BONANZA_BODY /(?:&(?:[A-Z0-9]{2,}|\#(?:[0-9]{2,5}|x[0-9A-F]{2,4}));\s{0,64}){20}/i
# rawbody __AC_HTML_ENTITY_BONANZA_RAW /(?:&(?:[A-Z0-9]{2,}|\#(?:[0-9]{2,5}|x[0-9A-F]{2,4}));\s{0,64}){20}/i
# body __AC_HTML_ENTITY_BONANZA_SHRT_BODY /(?:&[A-Z0-9\#]{2,};\s{0,64}){20}/i
# Runs of 20 (or 10) consecutive HTML entities in the raw body.
rawbody __AC_HTML_ENTITY_BONANZA_SHRT_RAW_MANY /(?:&[A-Z0-9\#]{2,};\s{0,64}){20}/i
rawbody __AC_HTML_ENTITY_BONANZA_SHRT_RAW /(?:&[A-Z0-9\#]{2,};\s{0,64}){10}/i
# meta __AC_HTML_ENTITY_BONANZA_MINFP __AC_HTML_ENTITY_BONANZA_SHRT_RAW_MANY && !__RCD_RDNS_MTA_MESSY && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA
# runaway backtracking?
#rawbody __AC_HTML_ENTITY_BONANZA_NEW /(?:(?:\w|\s|[.,!?:'"()\$]){0,32}(?:&(?:[A-Za-z0-9]{2,64}|\#(?:[0-9]{2,5}|x[0-9A-F]{2,4}));\s*){1,64}){10}/i
# rawbody __RW_HTML_ENTITY_ASCII_MANY /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){20}/i
# meta __RW_HTML_ENTITY_ASCII_MANY_MINFP __HTML_ENTITY_ASCII_MANY && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY
# Ten numeric entities in a row whose values stay inside the ASCII range
# (decimal 0-127 or hex x00-x7f), i.e. plain characters written as entities.
rawbody __HTML_ENTITY_ASCII /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){10}/i
# FP reduction: drop DKIM-signed, clean-rDNS, Errors-To, 8-bit and list mail.
meta __HTML_ENTITY_ASCII_MINFP __HTML_ENTITY_ASCII && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML
meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP
describe HTML_ENTITY_ASCII Obfuscated ASCII
score HTML_ENTITY_ASCII 3.000 # limit
tflags HTML_ENTITY_ASCII publish
meta __HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII && (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT)
meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_TINY && !__HAS_IN_REPLY_TO
describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts
score HTML_ENTITY_ASCII_TINY 3.000 # limit
tflags HTML_ENTITY_ASCII_TINY publish
# NOTE(review): the text between "__HTML_URI_NO_PROTOCOL /" and "1" is missing
# in this copy (the regex, the uri sub-rules and the __HOSTED_IMG_MULTI meta
# that HOSTED_IMG_MULTI depends on, most likely stripped as HTML by
# extraction); restore from upstream.
rawbody __HTML_URI_NO_PROTOCOL / 1
meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS && !__RCD_RDNS_MAIL
score HOSTED_IMG_MULTI 3.000 # limit
describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirected
tflags HOSTED_IMG_MULTI publish
# WordPress "image accelerator" - abused for obfuscating hosted spamvertised product images
uri __URI_IMG_WP_REDIR m;://i[02]\.wp\.com/.*\.(?:jpe?g|gif|png)$;i
meta URI_IMG_WP_REDIR __URI_IMG_WP_REDIR
score URI_IMG_WP_REDIR 3.000 # limit
describe URI_IMG_WP_REDIR Image via WordPress "accelerator" proxy
tflags URI_IMG_WP_REDIR publish
# __URI_IMG_CWINDOWSNET is not defined in this section.
meta URI_IMG_CWINDOWSNET __URI_IMG_CWINDOWSNET && !__RCD_RDNS_SMTP && !__REPTO_QUOTE && !__URI_DOTEDU
score URI_IMG_CWINDOWSNET 3.500 # limit
describe URI_IMG_CWINDOWSNET Non-MSFT image hosted by Microsoft Azure infra, possible phishing
tflags URI_IMG_CWINDOWSNET publish
# MIME-Version sanity: no "1.0" token at all, or "1.0" glued to a
# non-space character.
#header __BOGUS_MIME_VER_01 MIME-Version =~ /^(?!\s*1\.0).+/
header __BOGUS_MIME_VER_02 MIME-Version =~ /^(?!.*\b1\.0\b).+/
header __MALF_MIME_VER MIME-Version =~ /^1\.0\S/
meta BOGUS_MIME_VERSION __BOGUS_MIME_VER_02 || __MALF_MIME_VER
score BOGUS_MIME_VERSION 3.500 # limit
describe BOGUS_MIME_VERSION Mime version header is bogus
tflags BOGUS_MIME_VERSION publish
# "1.0 (comment)" form; sub-rule only.
header __VERBOSE_MIME_VER MIME-Version =~ /^1\.0\s+\(\S[^)]*\)/
# also hits NORMAL_HTTP_TO_IP but should be punished harder
# Host written as a hex literal (0x followed by 8+ hex digits).
uri __URI_HEX_IP m;://0x[0-9A-F]{8,}[:/];i
meta URI_HEX_IP __URI_HEX_IP
score URI_HEX_IP 2.500 # limit
describe URI_HEX_IP URI with hex-encoded IP-address host
tflags URI_HEX_IP publish
uri __URI_PHP_REDIR m;/redirect\.php\?;i
meta URI_PHP_REDIR __URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTA
score URI_PHP_REDIR 3.500 # limit
describe URI_PHP_REDIR PHP redirect to different URL (link obfuscation)
tflags URI_PHP_REDIR publish
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
# "...day I earned $NNN" phrasing; three or more hits needed (cap is 4).
body __DAY_I_EARNED /day,?\sI\s(?:earned|got|received|made|brought\sin)\s\$\s?\d{3}/i
tflags __DAY_I_EARNED multiple maxhits=4
#meta __DAY_I_EARNED_1 __DAY_I_EARNED >= 1
#meta __DAY_I_EARNED_2 __DAY_I_EARNED >= 2
#meta __DAY_I_EARNED_3 __DAY_I_EARNED >= 3
meta DAY_I_EARNED __DAY_I_EARNED >= 3
score DAY_I_EARNED 3.000 # limit
describe DAY_I_EARNED Work-at-home spam
tflags DAY_I_EARNED publish
endif
# test rule suggested by list discussion
meta __NORDNS_SPOOFED __RDNS_NONE && !__NOT_SPOOFED
# potential bitcoin extortion obfuscation
# "password" with optional separators between the letters (p-a-s-s-w-o-r-d).
body __PASSWORD /\bp[-\s_]?a[-\s_]?s[-\s_]?s[-\s_]?w[-\s_]?o[-\s_]?r[-\s_]?d\b/i
meta __UNAME_PASSWD_PDF ( __PASSWORD || __YOUR_PASSWORD ) && LOCALPART_IN_SUBJECT && __PDF_ATTACH
# .gov and .edu URIs appearing in spams, attempts to leverage whitelisting?
# Sub-rules: a .gov/.edu host in a URI, or a .gov/.edu rDNS on any external
# relay (taken from the X-Spam-Relays-External pseudo-header).
uri __URI_DOTGOV m;^https?://(?:[^./]+\.)+gov/;i
uri __URI_DOTEDU m;^https?://(?:[^./]+\.)+edu/;i
header __RCVD_DOTGOV_EXT X-Spam-Relays-External =~ /\srdns=\S+\.gov\s/i
header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\srdns=\S+\.edu\s/i
meta __DOTGOV_FREEMAIL __URI_DOTGOV && __freemail_hdr_replyto
#meta __DOTGOV_MONEY __URI_DOTGOV && ( __XFER_MONEY || __MONEY_FRAUD || __YOUR_FUND || __BENEFICIARY || __COMPENSATION || __LOTSA_MONEY_01 || __LOTSA_MONEY_04 )
meta __DOTGOV_MONEY __URI_DOTGOV && ( __YOUR_FUND )
meta __DOTGOV_IMAGE __URI_DOTGOV && __REMOTE_IMAGE
meta DOTGOV_IMAGE __DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYS
describe DOTGOV_IMAGE .gov URI + hosted image
score DOTGOV_IMAGE 3.000 # limit
tflags DOTGOV_IMAGE publish
# Depends on a DNS-based rule (DKIM ADSP), hence the "net" flag.
meta __DOTGOV_NXDKIM __URI_DOTGOV && DKIM_ADSP_NXDOMAIN
tflags __DOTGOV_NXDKIM net
# .edu URI in mail that did not come through a .edu relay, minus list/MUA signals.
meta URI_DOTEDU __URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINK
describe URI_DOTEDU Has .edu URI
score URI_DOTEDU 2.000 # limit
tflags URI_DOTEDU publish
meta __URI_DOTEDU_LONG __URI_DOTEDU && __LONGLINE
meta URI_DOTEDU_LONG __URI_DOTEDU_LONG && !ALL_TRUSTED && !__RDNS_LONG && !__DOS_RELAYED_EXT && !__URI_MAILTO && !__CTE
describe URI_DOTEDU_LONG Has .edu URI + excessively long line
score URI_DOTEDU_LONG 3.000 # limit
meta __URI_DOTEDU_ENTITY __URI_DOTEDU && __AC_HTML_ENTITY_BONANZA_SHRT_RAW
meta URI_DOTEDU_ENTITY __URI_DOTEDU_ENTITY && !__SUBSCRIPTION_INFO
# NOTE(review): the description says "Via .edu MTA" but the rule keys on
# __URI_DOTEDU (a .edu URI in the body), not on __RCVD_DOTEDU_EXT.
describe URI_DOTEDU_ENTITY Via .edu MTA + suspicious HTML content
score URI_DOTEDU_ENTITY 3.000 # limit
tflags URI_DOTEDU_ENTITY publish
# Mail relayed through a .edu host plus URI oddities, a very short body,
# or other content oddities.
meta __RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI )
meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI
describe RCVD_DOTEDU_SUSP_URI Via .edu MTA + suspicious URI
score RCVD_DOTEDU_SUSP_URI 3.000 # limit
tflags RCVD_DOTEDU_SUSP_URI publish
meta __RCVD_DOTEDU_SHORT __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 )
meta RCVD_DOTEDU_SHORT __RCVD_DOTEDU_SHORT && !ALL_TRUSTED && !__FS_SUBJ_RE && !__HAS_LIST_ID
describe RCVD_DOTEDU_SHORT Via .edu MTA + short message
score RCVD_DOTEDU_SHORT 1.500 # limit
tflags RCVD_DOTEDU_SHORT publish
meta __RCVD_DOTEDU_SUSP __RCVD_DOTEDU_EXT && ( MIME_QP_LONG_LINE || __TVD_SPACE_RATIO || __FROM_RUNON || __USING_VERP1 )
meta RCVD_DOTEDU_SUSP __RCVD_DOTEDU_SUSP && !__HAS_X_LOOP && !__HAS_X_REF
describe RCVD_DOTEDU_SUSP Via .edu MTA + suspicious content
score RCVD_DOTEDU_SUSP 2.000 # limit
# bitcoin work-at-home spams 04/2020
# Phrase sub-rules; __WFH_01 (further down) needs three or more of them.
body __PERFECT_BINARY /\bperfect binary option\b/i
body __WE_PAID /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i
body __MAKE_XTRA_DOLLAR /\bmake an extra dollar\b/i
body __BONUS_LAST_DAY /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i
body __PASSIVE_INCOME /\bpassive income\b/i
body __WITHOUT_EFFORT /\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great| special| extra)? effort\b/i
body __TRANSFORM_LIFE /\b(?:transform|change) your (?:daily )?life(?:style)?\b/i
body __STAY_HOME /\b(?:going out of|leaving)(?: your)? (?:home|house|residence)\b/i
body __RECEIVE_BONUS /\byou(?:'ll)?(?: also| will)* (?:rec[ei]*ve|get|earn|collect|be (?:awarded|handed|remitted|given|paid|(?:greeted|welcomed|started) with)) (?:an? )?(?:gift|bonus|extra)(?: of|:)? \$[\d,]+/i
# The one phrase that scores on its own, minus campaign/sender/MUA/list signals.
meta TRANSFORM_LIFE __TRANSFORM_LIFE && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_X_MAILER && !__VIA_ML
describe TRANSFORM_LIFE Transform your life!
score TRANSFORM_LIFE 2.500 # limit
# Three or more of the work-from-home phrase sub-rules.
meta __WFH_01 ( __PERFECT_BINARY + __WE_PAID + __MAKE_XTRA_DOLLAR + __BONUS_LAST_DAY + __PASSIVE_INCOME + __WITHOUT_EFFORT + __TRANSFORM_LIFE + __STAY_HOME + __RECEIVE_BONUS ) > 2
# Combination rules; none has a score line here, so the default score applies.
meta __BITCOIN_WFH_01 __BITCOIN && __WFH_01
meta BITCOIN_WFH_01 __BITCOIN_WFH_01
describe BITCOIN_WFH_01 Work-from-Home + bitcoin
tflags BITCOIN_WFH_01 publish
meta __TO_TOO_MANY_WFH_01 __TO_WAY_TOO_MANY && __WFH_01
meta TO_TOO_MANY_WFH_01 __TO_TOO_MANY_WFH_01
describe TO_TOO_MANY_WFH_01 Work-from-Home + many recipients
tflags TO_TOO_MANY_WFH_01 publish
meta __FREEMAIL_WFH_01 (FREEMAIL_FROM || FREEMAIL_REPLYTO) && __WFH_01
meta FREEMAIL_WFH_01 __FREEMAIL_WFH_01
describe FREEMAIL_WFH_01 Work-from-Home + freemail
tflags FREEMAIL_WFH_01 publish
# Runs of 3-10 code points from U+1D400-U+1D7FF (Mathematical Alphanumeric
# Symbols: bold/italic/script look-alikes of Latin letters), counted up to 10.
body __4BYTE_UTF8_WORD /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
tflags __4BYTE_UTF8_WORD multiple maxhits=10
meta __4BYTE_UTF8_WORD_3 __4BYTE_UTF8_WORD > 3
meta __4BYTE_UTF8_WORD_5 __4BYTE_UTF8_WORD > 5
meta __4BYTE_UTF8_WORD_9 __4BYTE_UTF8_WORD > 9
meta SUSP_UTF8_WORD_MANY __4BYTE_UTF8_WORD_9
describe SUSP_UTF8_WORD_MANY Many words using only suspicious UTF-8 characters
score SUSP_UTF8_WORD_MANY 3.000 # limit
meta SUSP_UTF8_WORD_COMBO __4BYTE_UTF8_WORD && ( __LIST_PARTIAL || __RDNS_NONE || __CLICK_HERE || __PHPMAILER_MUA || __STY_INVIS_3 || __TO___LOWER || __MSGID_OK_DIGITS || __HTML_IMG_ONLY )
describe SUSP_UTF8_WORD_COMBO Words using only suspicious UTF-8 characters + other signs
score SUSP_UTF8_WORD_COMBO 3.000 # limit
# Same character range in the Subject and in the From display name.
header __4BYTE_UTF8_WORD_SUBJ Subject =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
meta SUSP_UTF8_WORD_SUBJ __4BYTE_UTF8_WORD_SUBJ
describe SUSP_UTF8_WORD_SUBJ Word in Subject using only suspicious UTF-8 characters
score SUSP_UTF8_WORD_SUBJ 2.000 # limit
header __4BYTE_UTF8_WORD_FROM From:name =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
meta SUSP_UTF8_WORD_FROM __4BYTE_UTF8_WORD_FROM
describe SUSP_UTF8_WORD_FROM Word in From name using only suspicious UTF-8 characters
score SUSP_UTF8_WORD_FROM 2.000 # limit
# observed by AC
# Five or more consecutive closing cell tags (an empty-cell table); three
# such runs (the cap) are required to score.
rawbody __HTML_EMPTY_CELLS /(?:<\/td>){5,}/i
tflags __HTML_EMPTY_CELLS multiple maxhits=3
meta __HTML_EMPTY_CELLS_MANY __HTML_EMPTY_CELLS > 2
meta HTML_EMPTY_CELLS_MANY __HTML_EMPTY_CELLS_MANY
describe HTML_EMPTY_CELLS_MANY HTML table with lots of empty cells
score HTML_EMPTY_CELLS_MANY 1.500 # limit
# Sendgrid click-tracking redirector; the plain rule is retired below and
# only the phishing combination still scores.
uri __SENDGRID_REDIR m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=,
meta __SENDGRID_REDIR_NOPHISH __SENDGRID_REDIR && !__SENDGRID_REDIR_PHISH
# 03-2024 - S/O = 0.55, little better than flipping a coin. Retire for now.
#meta SENDGRID_REDIR __SENDGRID_REDIR_NOPHISH && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION && !__STY_INVIS_MANY && !__HTML_SINGLET_10 && !__HAVE_BOUNCE_RELAYS
#describe SENDGRID_REDIR Redirect URI via Sendgrid
#score SENDGRID_REDIR 1.500 # limit
#tflags SENDGRID_REDIR publish
meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || __FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ )
meta SENDGRID_REDIR_PHISH __SENDGRID_REDIR_PHISH
describe SENDGRID_REDIR_PHISH Redirect URI via Sendgrid + phishing signs
score SENDGRID_REDIR_PHISH 3.500 # limit
tflags SENDGRID_REDIR_PHISH publish
meta __MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_MAYBE && __HAS_ANY_URI && __HTML_LINK_IMAGE
meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW
describe MSGID_DOLLARS_URI_IMG Suspicious Message-ID and image
score MSGID_DOLLARS_URI_IMG 3.000 # limit
tflags MSGID_DOLLARS_URI_IMG publish
# Hostnames like "something-gov.com" / "something-edu.com" imitating a TLD.
uri __URI_DASHGOVEDU m,://[^/]*-(?:gov|edu)\.com/,i
meta URI_DASHGOVEDU __URI_DASHGOVEDU
describe URI_DASHGOVEDU Suspicious domain name
score URI_DASHGOVEDU 3.500 # limit
tflags URI_DASHGOVEDU publish
# all have good S/O but are already scored very highly
#meta __NOINR_MSOE_FORG __NO_INR_YES_REF && __MSOE_MID_WRONG_CASE
#meta __NOINR_MONEY __NO_INR_YES_REF && __LOTSA_MONEY_01
#meta __NOINR_FRAUD __NO_INR_YES_REF && (__AFRICAN_STATE || __BENEFICIARY || __COMPENSATION || __FILL_THIS_FORM_PARTIAL || __LOTTO_DEPT || __WIRE_XFR || __TRANSFORM_LIFE )
# Apparent use of content hosted at storage.googleapis.com
# (mapped images and HTML landing pages for the imagemap URIs)
# to avoid URIBL hits
# Image and HTML objects on (firebase)storage.googleapis.com, each counted up to 5.
uri __URI_GOOG_STO_IMG m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.(?:png|jpe?g|gif)$,i
tflags __URI_GOOG_STO_IMG multiple maxhits=5
uri __URI_GOOG_STO_HTML m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.html?(?:$|\?),i
tflags __URI_GOOG_STO_HTML multiple maxhits=5
# Image-only, HTML-only, and both-present combinations (_2 is unused in this section).
meta __GOOG_STO_IMG_NOHTML __URI_GOOG_STO_IMG && !__URI_GOOG_STO_HTML
meta __GOOG_STO_NOIMG_HTML !__URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML
meta __GOOG_STO_IMG_HTML_2 __URI_GOOG_STO_IMG && (__URI_GOOG_STO_HTML > 1)
meta __GOOG_STO_IMG_HTML_1 __URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML
# URI_GOOG_STO_SPAMMY is excluded from each scoring rule, presumably so the
# two do not stack.
meta GOOG_STO_IMG_HTML __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY
describe GOOG_STO_IMG_HTML Apparently using google content hosting to avoid URIBL
score GOOG_STO_IMG_HTML 3.000 # limit
tflags GOOG_STO_IMG_HTML publish
meta GOOG_STO_NOIMG_HTML __GOOG_STO_NOIMG_HTML && !URI_GOOG_STO_SPAMMY
describe GOOG_STO_NOIMG_HTML Apparently using google content hosting to avoid URIBL
score GOOG_STO_NOIMG_HTML 3.000 # limit
tflags GOOG_STO_NOIMG_HTML publish
# S/O not great, try salvage what's possible
meta GOOG_STO_IMG_NOHTML __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !URI_GOOG_STO_SPAMMY
describe GOOG_STO_IMG_NOHTML Apparently using google content hosting to avoid URIBL
score GOOG_STO_IMG_NOHTML 2.500 # limit
tflags GOOG_STO_IMG_NOHTML publish
# Hosted HTML plus a single phishing indicator; the _MANY variants are handled
# by GOOG_STO_HTML_PHISH_MANY further down.
meta __GOOG_STO_HTML_PHISH __URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY
meta GOOG_STO_HTML_PHISH __GOOG_STO_HTML_PHISH
describe GOOG_STO_HTML_PHISH Possible phishing with google content hosting to avoid URIBL
score GOOG_STO_HTML_PHISH 3.00 # limit
tflags GOOG_STO_HTML_PHISH publish
meta GOOG_STO_HTML_PHISH_MANY __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
describe GOOG_STO_HTML_PHISH_MANY Phishing with google content hosting to avoid URIBL
score GOOG_STO_HTML_PHISH_MANY 4.00 # limit
tflags GOOG_STO_HTML_PHISH_MANY publish
# Google-storage URI ending in an email address (only 2-3 letter TLDs match);
# scores only together with a phishing sign.
uri __URI_GOOG_STO_EMAIL m;^https?://(?:firebase)?storage\.googleapis\.com/.*[a-z0-9]@(?:[a-z0-9]{2,20}\.){1,3}[a-z]{2,3}$;i
meta GOOG_STO_EMAIL_PHISH __URI_GOOG_STO_EMAIL && (__PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ || __FROM_ADMIN || __VERIFY_ACCOUNT)
describe GOOG_STO_EMAIL_PHISH Possible phishing with google hosted content URI having email address
score GOOG_STO_EMAIL_PHISH 3.00 # limit
tflags GOOG_STO_EMAIL_PHISH publish
# download-a-file pitch, malware? 11/2020
#header CRAIGSLIST_DATING Subject =~ /Sexy \w+ From Craigs?list/i
#describe CRAIGSLIST_DATING Possible malware
#score CRAIGSLIST_DATING 4.000 # limit
# Tenant-specific sharepoint.com host (not www. or staticN.); sub-rule only.
uri __URI_PVT_SHAREPOINT m,^https?://(?!www\.)(?!static\d+\.)(?:[^/.]+\.)+sharepoint\.com/,i
# suspicious HTML observed in the wild
# Rotten S/O. Why do this in ham?
#rawbody __QUOTQUOTQUOT /(?:"){5,}/
#tflags __QUOTQUOTQUOT multiple maxhits=16
#meta __QUOTQUOTQUOT_MANY __QUOTQUOTQUOT > 15
# Abysmal S/O. Why do this in ham?
#body __OBFU_SHY /\b(?:[a-z]{1,3}[\xc2][\xad][a-z]{1,2}|\w+(?:[\xc2][\xad]\w+){2,6})\b(?![\xc2])/i
#tflags __OBFU_SHY multiple maxhits=11
#meta __OBFU_SHY_MANY __OBFU_SHY > 10
# For masscheck eval, by request
header __LW_TEST_01 From:addr =~ /^store-news\@amazon\.com$/
header __LW_TEST_02 From:addr =~ /^newsletters\@hohiko\.co\.uk$/
header __LW_TEST_03 From:addr =~ /\@hohiko\.co\.uk$/
# NOTE(review): __DKIM_EXISTS (by its name) checks that a DKIM-Signature
# header is present, not that it verifies, and the premise in the description
# ("t-online.de doesn't do DKIM") is time-bound; re-check it against
# masscheck data periodically.
header __HDR_RCVD_TONLINEDE X-Spam-Relays-External =~ /\srdns=\S+\.t-online\.de\s/
meta TONLINE_FAKE_DKIM __HDR_RCVD_TONLINEDE && __DKIM_EXISTS
describe TONLINE_FAKE_DKIM t-online.de doesn't do DKIM
score TONLINE_FAKE_DKIM 3.000 # limit
tflags TONLINE_FAKE_DKIM publish
# X-MSMail-Priority value classes; __HAS_MSMAIL_PRI is not defined in this section.
header __MSMAIL_PRI_NORMAL X-MSMail-Priority =~ /^normal$/i
header __MSMAIL_PRI_HIGH X-MSMail-Priority =~ /^(?:high|urgent)$/i
header __MSMAIL_PRI_LOW X-MSMail-Priority =~ /^(?:low|non-urgent)$/i
meta __MSMAIL_PRI_ABNORMAL __HAS_MSMAIL_PRI && !__MSMAIL_PRI_NORMAL
# This is counterintuitive - exclude __MSMAIL_PRI_HIGH ?
# It seems that 99% of the spam using X-MSMail-Priority other than "normal" is using *invalid values*
# score "high" separately if justified
meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER && !__HAS_UA && !__MSMAIL_PRI_HIGH
describe MSMAIL_PRI_ABNORMAL Email priority often abused
score MSMAIL_PRI_ABNORMAL 1.500 # limit
#meta MSMAIL_PRI_HIGH __MSMAIL_PRI_HIGH && !ALL_TRUSTED && !__FROM_LOWER && !__RDNS_SHORT
#describe MSMAIL_PRI_HIGH Email priority often abused
#score MSMAIL_PRI_HIGH 1.500 # limit
# Phishing? 11/2020
# NOTE(review): this regex is damaged in this copy (the capture groups that
# \1 and \2 refer back to are missing, probably stripped as HTML by
# extraction); restore from upstream before relying on it.
full __TO_ADDR_BODY_DOC /^To:\s+(?:"[^"\n]{0,80}"\s*)?]{1,40})>?\s(?=.{1,2048}\b\1(?:@\2)?\s+(?:sharepoint|document))/ism
# ISBN-13 shaped number (978-/979- prefix); sub-rule only.
body __BODY_HAS_ISBN /(?:^|[^-\d])97[89]-\d(?:(?!--)[-\d]){10,14}(?:$|[^-\d])/
header __REPLYTO_NOREPLY Reply-To =~ /\bno-?reply@/i
#meta __REPLYTO_NOREPLY_SUSP __REPLYTO_NOREPLY && (__HAS_DOMAINKEY_SIG || FORGED_RELAY_MUA_TO_MX || __MSGID_NOFQDN2 || __URI_DBL_SUBDOM)
# S/O good but bulk already scoring >6 points
body __ORDER_TODAY /\border (?:it|one|yours|this) (?:today|now|right\saway)\b/i
#tflags __ORDER_TODAY multiple maxhits=4
#meta __ORDER_TODAY_2 __ORDER_TODAY > 1
#meta __ORDER_TODAY_3 __ORDER_TODAY > 2
#meta __ORDER_TODAY_4 __ORDER_TODAY > 3
#meta __ORDER_TODAY_IMG __ORDER_TODAY && __HTML_IMG_ONLY
#meta __ORDER_TODAY_ALI __ORDER_TODAY && __ALIBABA_IMG_NOT_RCVD_ALI
meta ORDER_TODAY __ORDER_TODAY && (__HTML_IMG_ONLY || __ALIBABA_IMG_NOT_RCVD_ALI || __TO_NO_BRKTS_NORDNS_HTML)
describe ORDER_TODAY Get your order in now!
score ORDER_TODAY 2.500 # limit
meta __SHORTENER_SHORT_SUBJ __URL_SHORTENER && __SUBJ_SHORT
meta SHORTENER_SHORT_SUBJ __SHORTENER_SHORT_SUBJ && !__DOS_HAS_LIST_UNSUB && !__HAS_LIST_ID && !__HDR_RCVD_GOOGLE && !__XPRIO
describe SHORTENER_SHORT_SUBJ URL shortener (avoiding URIBL?) + short subject
score SHORTENER_SHORT_SUBJ 3.000 # limit
#meta __URL_SHORTENER_MINFP __URL_SHORTENER && !__URI_DOTGOV && __HAS_ERRORS_TO && !__URI_DBL_DOM
# 30 consecutive ".xx" hex pairs in a URI. No score line, so the default applies.
uri __URI_DOTTY_HEX /(?:\.[0-9a-f]{2}){30}/
meta URI_DOTTY_HEX __URI_DOTTY_HEX
describe URI_DOTTY_HEX Suspicious URI format
tflags URI_DOTTY_HEX publish
uri __URI_MYSP_AC m;://mysp\.ac/;i
meta URI_MYSP_AC __URI_MYSP_AC
describe URI_MYSP_AC Uses unusual redirector to avoid URIBL
# evaluate different options before finalizing
# Envelope sender at trix.bounces.google.com; the (?:@|=) / (?:$|=)
# alternatives also catch forms where the address is embedded with "="
# separators. Scores only alongside other fraud/phish signals.
header __ENVFROM_GOOG_TRIX EnvelopeFrom =~ /(?:@|=)trix\.bounces\.google\.com(?:$|=)/
meta __ENVFROM_GOOG_TRIX_SPAMMY __ENVFROM_GOOG_TRIX && (__GOOGLE_DOC_SUSP || FREEMAIL_REPLYTO_END_DIGIT || __ADVANCE_FEE_2_NEW || FORGED_GMAIL_RCVD || LOTS_OF_MONEY || __HAS_X_SOURCE_DIR )
meta ENVFROM_GOOG_TRIX __ENVFROM_GOOG_TRIX_SPAMMY
describe ENVFROM_GOOG_TRIX From suspicious Google subdomain
score ENVFROM_GOOG_TRIX 3.000 # limit
tflags ENVFROM_GOOG_TRIX publish
header __ENVFROM_AMAZONSES EnvelopeFrom =~ /\@amazonses\.com$/
# evaluate before altering __FSL_ENVFROM_*
# Envelope-sender provider sub-rules.
header __JH_ENVFROM_GOOGLE EnvelopeFrom =~ /\@g(?:mail|oogle)\.com$/i
header __JH_ENVFROM_YAHOO EnvelopeFrom =~ /\@yahoo(?:groups)?\./i
header __JH_ENVFROM_YMAIL EnvelopeFrom =~ /\@ymail\.com$/i
header __JH_ENVFROM_ROCKET EnvelopeFrom =~ /\@rocketmail\.com$/i
header __JH_ENVFROM_HOTMAIL EnvelopeFrom =~ /\@hotmail\./i
header __JH_ENVFROM_LIVE EnvelopeFrom =~ /\@live\./i
header __JH_ENVFROM_AOL EnvelopeFrom =~ /\@aol\./i
# observed in Netflix phish 12/2020
# NOTE(review): "::/www" looks like a typo for "://www"; as written the
# pattern only matches a URI literally containing "::/www.freepnglogos.com",
# not "http://www.freepnglogos.com", so the rule is effectively dead.
# No score line either.
uri URI_FREELOGO m;::/www\.freepnglogos\.com/uploads;i
describe URI_FREELOGO Free logo image, possible phishing
# observed in tons of spam 12/2020
# NOTE(review): damaged in this copy - the pattern opens with "m;" but ends
# with "/", and the describe/score for JH_SPAMMY_PATTERN01 plus the head of
# the __MIXED_CENTER_CASE rawbody rule are missing; restore from upstream.
rawbody JH_SPAMMY_PATTERN01 m;.{0,200}]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200}/
meta MIXED_CENTER_CASE __MIXED_CENTER_CASE
describe MIXED_CENTER_CASE Has center tag in mixed case
score MIXED_CENTER_CASE 2.500 # limit
tflags MIXED_CENTER_CASE publish
# HTML tag names / attributes written in mixed case (neither all-upper nor all-lower).
rawbody __MIXED_AREA_CASE /<(?!AREA|area)[Aa][Rr][Ee][Aa]\s/
meta MIXED_AREA_CASE __MIXED_AREA_CASE
describe MIXED_AREA_CASE Has area tag in mixed case
score MIXED_AREA_CASE 2.500 # limit
tflags MIXED_AREA_CASE publish
# BC's similar mixed-case rules use more-indirect logic and have a poorer S/O
rawbody __MIXED_IMG_CASE_JH /<(?!IMG|img)[Ii][Mm][Gg]\s/
meta MIXED_IMG_CASE __MIXED_IMG_CASE_JH && !__MSGID_JAVAMAIL
describe MIXED_IMG_CASE Has img tag in mixed case
score MIXED_IMG_CASE 3.000 # limit
tflags MIXED_IMG_CASE publish
rawbody __MIXED_HREF_CASE_JH /<(?i:a(?:rea)?|img)\s+(?!HREF|href)[Hh][Rr][Ee][Ff]\s*=/
# NOTE(review): this meta uses __MIXED_HREF_CASE, not the __MIXED_HREF_CASE_JH
# sub-rule defined just above (which __LOTSA_MIXED_CASE_TAGS does use);
# confirm that is intentional rather than a typo.
meta MIXED_HREF_CASE __MIXED_HREF_CASE && !__LYRIS_EZLM_REMAILER && !__HAS_LIST_ID
describe MIXED_HREF_CASE Has href in mixed case
score MIXED_HREF_CASE 2.000 # limit
tflags MIXED_HREF_CASE publish
meta __LOTSA_MIXED_CASE_TAGS (__MIXED_FONT_CASE + __MIXED_CENTER_CASE + __MIXED_AREA_CASE + __MIXED_IMG_CASE_JH + __MIXED_HREF_CASE_JH) > 1
# phishing content for now, may go primarly legit at some point
# Links into per-project subdomains of Firebase / web.app / Azure cloudapp hosting.
uri __URI_FIREBASEAPP m,://[^./]+\.firebaseapp\.com/,
uri __URI_WEBAPP m,://[^./]+\.web\.app/,
meta URI_FIREBASEAPP __URI_FIREBASEAPP || __URI_WEBAPP
describe URI_FIREBASEAPP Link to hosted firebase web application, possible phishing
score URI_FIREBASEAPP 3.000 # limit
tflags URI_FIREBASEAPP publish
uri __URI_AZURE_CLOUDAPP m,://(?:[^./]+\.)+cloudapp\.azure\.com/,
meta URI_AZURE_CLOUDAPP __URI_AZURE_CLOUDAPP && __NAKED_TO && !__HDR_RCVD_GOOGLE
describe URI_AZURE_CLOUDAPP Link to hosted azure web application, possible phishing
score URI_AZURE_CLOUDAPP 3.000 # limit
tflags URI_AZURE_CLOUDAPP publish
# No describe line for URI_ADOBESPARK.
uri __URI_ADOBESPARK m,https?://branchlink\.adobespark\.com/,i
meta URI_ADOBESPARK __URI_ADOBESPARK
score URI_ADOBESPARK 3.500 # limit
tflags URI_ADOBESPARK publish
# seen in a few spams
body __BTC_MLM /Block[-\s]?chain network marketing/i
# phishing
meta __PHISH_FBASE_01 (__URI_FIREBASEAPP || __URI_WEBAPP) && __PDS_FROM_NAME_TO_DOMAIN && __MAIL_LINK
meta PHISH_FBASEAPP __PHISH_FBASE_01
describe PHISH_FBASEAPP Probable phishing via hosted web app
score PHISH_FBASEAPP 3.000 # limit
tflags PHISH_FBASEAPP publish
# Undisclosed recipients combined with money/fraud text or a freemail
# reply-to; no score lines, so the default applies.
meta __UNDISC_MONEY __TO_UNDISCLOSED && (__ADVANCE_FEE_2_NEW || LOTS_OF_MONEY)
meta UNDISC_MONEY __UNDISC_MONEY && !__VIA_ML && !__MSGID_HEXISH
describe UNDISC_MONEY Undisclosed recipients + money/fraud signs
tflags UNDISC_MONEY publish
meta __UNDISC_FREEM __TO_UNDISCLOSED && __freemail_replyto
meta UNDISC_FREEM __UNDISC_FREEM
describe UNDISC_FREEM Undisclosed recipients + freemail reply-to
tflags UNDISC_FREEM publish
# Reply-To local part of 25+ letters (optionally followed by digits), and a
# raw "Reply-To:" header with no space after the colon.
header __REPTO_LONG Reply-To:addr =~ /[a-z]{25,}\d*@/i
header __REPTO_MISSPACED ALL:raw =~ /^Reply-To:\S/ism
# content+respond+unsub texts as free hosted images
# spammer response: now only two hosted images
# Counted up to 4; the scoring rule fires on exactly 2 or 3 hits, so 4 or
# more imgur images do not trigger it.
uri __IMGUR_IMG m,^https?://(?:[^.]+\.)?imgur\.com/[a-z0-9]{7}\.(?:png|gif|jpe?g)$,i
tflags __IMGUR_IMG multiple maxhits=4
meta __IMGUR_IMG_2 __IMGUR_IMG == 2
meta __IMGUR_IMG_3 __IMGUR_IMG == 3
meta HOSTED_IMG_MULTI_PUB_01 (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF && !__HAS_IN_REPLY_TO
describe HOSTED_IMG_MULTI_PUB_01 Multiple hosted images at public site
score HOSTED_IMG_MULTI_PUB_01 3.000 # limit
tflags HOSTED_IMG_MULTI_PUB_01 publish
meta __BITCOIN_IMGUR __IMGUR_IMG && __BITCOIN
meta BITCOIN_IMGUR __BITCOIN_IMGUR
describe BITCOIN_IMGUR Bitcoin + hosted image
score BITCOIN_IMGUR 3.500 # limit
tflags BITCOIN_IMGUR publish
meta __DYNAMIC_IMGUR __IMGUR_IMG && __RDNS_DYNAMIC_IPADDR
meta DYNAMIC_IMGUR __DYNAMIC_IMGUR
describe DYNAMIC_IMGUR dynamic IP + hosted image
score DYNAMIC_IMGUR 4.000 # limit
tflags DYNAMIC_IMGUR publish
# Unsubscribe boilerplate with underscores in place of spaces.
body __OBFU_UNSUB_UL /(?:click_here|remove_your|our_e?mail|this_list|to_unsubscribe|future_e?mail|our_list)/
meta OBFU_UNSUB_UL __OBFU_UNSUB_UL && !MAILING_LIST_MULTI
describe OBFU_UNSUB_UL Obfuscated unsubscribe text
tflags OBFU_UNSUB_UL publish
# Header-presence sub-rules used by metas below and elsewhere in the file.
header __HAS_X_GOOGLE_DKIM_SIG exists:X-Google-DKIM-Signature
header __HAS_X_SENDER exists:X-Sender
header __HAS_X_RECEIVER exists:X-Receiver
header __HAS_X_CONTACTID exists:X-ContactID
header __HAS_X_LETTER exists:X-Letter
header __HAS_X_PROCINFO exists:X-ProcInfo
header __HAS_X_MAILGUN_SID exists:X-Mailgun-Sid
header __HAS_X_MAILGUN_TRACK_OPN exists:X-Mailgun-Track-Opens
header __HAS_X_EBSERVER exists:X-EBSERVER
header __HAS_X_SOURCE_DIR exists:X-Source-Dir
header __HAS_X_OUTGOING_SPAM_STAT exists:X-OutGoing-Spam-Status
header __HAS_X_ENTITY_ID exists:X-Entity-ID
header __HAS_X_ANTIABUSE exists:X-AntiAbuse
header __HAS_X_AUTHED_SENDER exists:X-Authenticated-Sender
# Any header whose name starts with a digit.
header __HAS_HEADER_STARTS_NUM ALL =~ /^\d[-a-z0-9]*:/ism
# A sender-added "we scanned this for spam" header is an unverifiable claim;
# list, autoreply, threaded mail and messages with document attachments are excluded.
meta HAS_X_OUTGOING_SPAM_STAT __HAS_X_OUTGOING_SPAM_STAT && !MAILING_LIST_MULTI && !__HAS_X_MAILMAN_VERSION && !__AUTOREPLY_ASU && !__THREAD_INDEX_GOOD && !__HAS_X_LOOP && !__DOC_ATTACH && !__PDF_ATTACH && !__FROM_EQ_ORG_1 && !__HAS_IN_REPLY_TO
describe HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - why trust the results?
score HAS_X_OUTGOING_SPAM_STAT 2.000 # limit
tflags HAS_X_OUTGOING_SPAM_STAT publish
# note: *NOT* "Message-ID" !
# "MessageID" (no hyphen) is not the standard Message-ID header.
header __HAS_MESSAGEID exists:MessageID
meta MSGID_HDR_MALF __HAS_MESSAGEID
describe MSGID_HDR_MALF Has invalid message ID header
score MSGID_HDR_MALF 3.500 # limit
tflags MSGID_HDR_MALF publish
# perfect S/O, but MTAs are supposed to add Message-ID if missing so very low overall hit rate
# more a detection of broken MTA
meta __HAS_MESSAGEID_ONLY __HAS_MESSAGEID && !__HAS_MESSAGE_ID
header __HAS_LIST_OPEN exists:List-Open
header __HAS_LIST_POST exists:List-Post
header __HAS_COMPLAINT_TO exists:Complaint-To
header __HAS_TRACKING_CODE exists:Tracking-Code
header __HAS_LOGID exists:logid
# Any one of these non-standard headers scores; __HAS_X_LETTER and
# __HAS_X_EBSERVER are defined earlier in the file.
meta JH_SPAMMY_HEADERS __HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGID || __HAS_X_LETTER || __HAS_X_EBSERVER || __HAS_LIST_OPEN
describe JH_SPAMMY_HEADERS Has unusual message header(s) seen primarily in spam
score JH_SPAMMY_HEADERS 3.500 # limit
tflags JH_SPAMMY_HEADERS publish
# observed in some phish/419 spams
header __HAS_MAIL_REPLY_TO exists:Mail-Reply-To
# Freemail check on the non-standard Mail-Reply-To header; needs the FreeMail plugin.
ifplugin Mail::SpamAssassin::Plugin::FreeMail
header __freemail_mailreplyto eval:check_freemail_header('Mail-Reply-To')
meta ODD_FREEM_REPTO __freemail_mailreplyto
describe ODD_FREEM_REPTO Has unusual reply-to header
score ODD_FREEM_REPTO 3.000 # limit
tflags ODD_FREEM_REPTO publish
endif
# Alphanumeric text after the closing </html> tag.
rawbody __CONTENT_AFTER_HTML /<\/html>\s*[a-z0-9]/i
meta CONTENT_AFTER_HTML __CONTENT_AFTER_HTML && (__L_CTE_8BIT || __RDNS_NUMERIC_TLD || __HTML_TAG_BALANCE_CENTER || __STY_INVIS_MANY || __TO_EQ_FROM_USR || __TO_EQ_FROM_USR_2 || __KAM_HTML_FONT_INVALID || __SUBJECT_ENCODED_B64 )
describe CONTENT_AFTER_HTML More content after HTML close tag + other spam signs
score CONTENT_AFTER_HTML 2.500 # limit
tflags CONTENT_AFTER_HTML publish
# Weaker fallback; the !CONTENT_AFTER_HTML term keeps the two mutually exclusive.
meta CONTENT_AFTER_HTML_WEAK __CONTENT_AFTER_HTML && !CONTENT_AFTER_HTML && !__CT_TEXT_PLAIN && !__BOUNCE_FROM_DAEMON && !__MSGID_OK_HEX && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER && !MAILING_LIST_MULTI && !__HAS_CID && !__URI_DOTGOV
describe CONTENT_AFTER_HTML_WEAK More content after HTML close tag
score CONTENT_AFTER_HTML_WEAK 1.500 # limit
tflags CONTENT_AFTER_HTML_WEAK publish
# High S/O but rare - ahead of the curve?
# docusign.com link wrapped in Google's /url?q= redirector. No score line.
uri GOOG_REDIR_DOCUSIGN m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i
describe GOOG_REDIR_DOCUSIGN Indirect docusign link, probable phishing
tflags GOOG_REDIR_DOCUSIGN publish
# List-Unsubscribe appearing before Subject/Date (within 40 header lines),
# and an unterminated "<" in List-Unsubscribe.
header __LUNSUB_BEFORE_SUBJDT ALL =~ /^List-unsubscribe: (?:[^\n]+\n+){1,40}^(?:Subject|Date): /ism
header __LUNSUB_BRKT_MALF List-Unsubscribe =~ /<[^>]*$/
# NOTE(review): REPTO_SPOTTY and MIXED_CTYPE_CASE are scoring rules (no "__"
# prefix) but have neither a describe nor a score line.
header REPTO_SPOTTY Reply-To:addr =~ /^(?:[a-z]{1,3}\.){4,}[a-z]+\d+\@/i
header MIXED_CTYPE_CASE Content-Type =~ m;^(?i:text/)(?!html|HTML)[Hh][Tt][Mm][Ll];
# X-Mailer shape heuristics; the _UNKNOWN variants exclude known products.
header __XM_ONE_WORD X-Mailer =~ /^\s*\w+\s*$/
header __XM_ONE_WORD_UNKNOWN X-Mailer =~ /^\s*(?!php|msgsend|send(?:html|inblue|mail)|liveagent|(?:cheetah|xyz|swift|power)mailer|dmdroid|codeigniter|peppered|host(?:odo|edsimply)|smart_send_\d|postfix|contactlab|communigator|magnews|(?:as2|manta|be|mikatiminge|web)mail|edelivery|sellware|WHMCS$|CR$|EMS$|SM[EF]$|ACEM$|RMM\d?|EOW\d|FM$|ZIMACS$|oempro\d|typo\d|drupal|mail(?:eon|ingwork|er|spring|force)|onlineoffice|oscommerce|redmine|m1mailmessage_v\d)\w+\s*$/i
header __XM_ALNUM_STARTS_DIGIT X-Mailer =~ /^\s*\d+[\s\d]*[^\s\d]/
header __XM_DIGITS_ONLY X-Mailer =~ /^\s*\d+\s*$/
header __XM_UC_ONLY X-Mailer =~ /^[^a-z]+$/
header __XM_UC_ONLY_UNKNOWN X-Mailer =~ /^(?!SM[EF]$|ACEM$|CR$|PHP(?:BB)?[\/\d.]*$|EMS$|TYPO\d$|WHMCS$|RMM\d?$|GURU$|SMTP(?:\sCLIENT)?$|ZIMACS$|EOW\d|FM$|EDMAIL\sR[\d.]+$|HPPWS)[^a-z]+$/
header __XM_LC_ONLY X-Mailer =~ /^[^A-Z]+$/
header __XM_LC_ONLY_UNKNOWN X-Mailer =~ /^(?!php|mailer$|sendhtml$)[^A-Z]+$/
header __XM_RANDOM X-Mailer =~ /q(?!(?:q|box|i\s)?mail|\d|[-\w]*=+;)[^u]/i
# NOTE(review): damaged in this copy - the alternation after "light|" is
# truncated to "(??$"; restore from upstream.
header __XM_LIGHT_HEAVY X-Mailer =~ /\b(?:light|(??$/i
# No score line for POSSIBLE_GMAIL_PHISHER.
meta POSSIBLE_GMAIL_PHISHER (__FROM_ADDR_GMAIL && __NAME_EMAIL_DIFF)
describe POSSIBLE_GMAIL_PHISHER Apparent phishing email sent from a gmail account
# Reply-To of the form info@NNNNN.com (5+ digits as the domain label).
header __REPTO_INFONUMSCOM Reply-To:addr =~ /^info@\d{5,}\.com$/i
meta REPTO_INFONUMSCOM __REPTO_INFONUMSCOM
score REPTO_INFONUMSCOM 3.000 # limit
tflags REPTO_INFONUMSCOM publish
# testing a recommendation from benny on the users list
rawbody __HREF_EMPTY /href=""/
rawbody __SRC_EMPTY /src=""/
# These don't match a lot of spam but it is all low-scoring
meta __HREF_EMPTY_XAUTHED __HREF_EMPTY && __HAS_X_AUTHED_SENDER
meta HREF_EMPTY_XAUTHED __HREF_EMPTY_XAUTHED
describe HREF_EMPTY_XAUTHED Empty href + X-Authenticated-Sender
score HREF_EMPTY_XAUTHED 2.500 # limit
tflags HREF_EMPTY_XAUTHED publish
meta __HREF_EMPTY_XANTIABUSE __HREF_EMPTY && __HAS_X_ANTIABUSE
meta HREF_EMPTY_XANTIABUSE __HREF_EMPTY_XANTIABUSE
describe HREF_EMPTY_XANTIABUSE Empty href + X-AntiAbuse
score HREF_EMPTY_XANTIABUSE 2.500 # limit
tflags HREF_EMPTY_XANTIABUSE publish
meta __HREF_EMPTY_NORDNS __HREF_EMPTY && __RDNS_NONE
meta HREF_EMPTY_NORDNS __HREF_EMPTY_NORDNS
describe HREF_EMPTY_NORDNS Empty href + no rDNS
score HREF_EMPTY_NORDNS 2.500 # limit
tflags HREF_EMPTY_NORDNS publish
meta __HREF_EMPTY_PHPMAIL __HREF_EMPTY && (__PHPMAILER_MUA || __XMAIL_PHPMAIL)
meta HREF_EMPTY_PHPMAIL __HREF_EMPTY_PHPMAIL
describe HREF_EMPTY_PHPMAIL Empty href + PHP Mailer
score HREF_EMPTY_PHPMAIL 2.500 # limit
tflags HREF_EMPTY_PHPMAIL publish
# not a lot of spam but most of it low-scoring
meta __SRC_EMPTY_FILENM_ATT __SRC_EMPTY && __PART_STOCK_CD_F
# obsolete MSFT message-ID format
# __VISTA_MSGID is not defined in this section; only VISTA_COST and
# VISTA_TONOM_EQ_TOLOC are active scoring rules in this group.
meta __VISTA_HELO_MISCIP __VISTA_MSGID && __HELO_MISC_IP
#meta VISTA_HELO_MISCIP __VISTA_HELO_MISCIP
#describe VISTA_HELO_MISCIP Old MSFT msgid format + IP in HELO
#score VISTA_HELO_MISCIP 2.000 # limit
meta __VISTA_RELAY_IP __VISTA_MSGID && __IP_IN_RELAY
#meta VISTA_RELAY_IP __VISTA_RELAY_IP
#describe VISTA_RELAY_IP Old MSFT msgid format + IP in relay hostname
#score VISTA_RELAY_IP 2.000 # limit
meta __VISTA_COST __VISTA_MSGID && __FB_COST
meta VISTA_COST __VISTA_COST && !__DOS_HAS_LIST_UNSUB
describe VISTA_COST Old MSFT msgid format + "cost"
score VISTA_COST 2.500 # limit
tflags VISTA_COST publish
meta __VISTA_RDNS_SHRT __VISTA_MSGID && __RDNS_SHORT
#meta VISTA_RDNS_SHRT __VISTA_RDNS_SHRT
#describe VISTA_RDNS_SHRT Old MSFT msgid format + short RDNS
#score VISTA_RDNS_SHRT 2.000 # limit
meta __VISTA_TONOM_EQ_TOLOC __VISTA_MSGID && __PDS_TONAME_EQ_TOLOCAL
meta VISTA_TONOM_EQ_TOLOC __VISTA_TONOM_EQ_TOLOC && !__MSOE_MID_WRONG_CASE
describe VISTA_TONOM_EQ_TOLOC Old MSFT msgid format + To display name = username
score VISTA_TONOM_EQ_TOLOC 2.500 # limit
tflags VISTA_TONOM_EQ_TOLOC publish
# Soft-hyphen (U+00AD) obfuscation of key phishing words. The SHY tag covers
# the QP form "=ad", the UTF-8 bytes \xc2\xad, a bare \xad, the two HTML
# entity spellings, and the raw character.
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
replace_tag SHY (?:=ad|[\xc2][\xad]|[\xad]|&\#xad;|&\#173;|­)
# NOTE(review): the {0,3} quantifiers below follow no atom, which suggests the
# SHY tag references were stripped from this copy; verify against upstream.
rawbody __SHY_OBFU_PASSWORD /p(?!assword){0,3}a{0,3}s{0,3}s{0,3}w{0,3}o{0,3}r{0,3}d/i
replace_rules __SHY_OBFU_PASSWORD
meta SHY_OBFU_PASSWORD __SHY_OBFU_PASSWORD
describe SHY_OBFU_PASSWORD Obfuscation, probable phishing
score SHY_OBFU_PASSWORD 4.000 # limit
tflags SHY_OBFU_PASSWORD publish
rawbody __SHY_OBFU_EXPIRE /e(?!xpire){0,3}x{0,3}p{0,3}i{0,3}r{0,3}e/i
replace_rules __SHY_OBFU_EXPIRE
meta SHY_OBFU_EXPIRE __SHY_OBFU_EXPIRE
describe SHY_OBFU_EXPIRE Obfuscation, probable phishing
score SHY_OBFU_EXPIRE 4.000 # limit
tflags SHY_OBFU_EXPIRE publish
endif
# Attempt to bypass URL parsing? Or just sloppy? See bug #8190
# href value starting with one or more byte-order marks (UTF-8 EF BB BF or
# UTF-16 FE FF) before the scheme; sub-rule only.
rawbody __HREF_BOM m,href\s*=\s*"(?:[\xef][\xbb][\xbf]|[\xfe][\xff])+https?://,i
#uri __URI_WEBMDSERVICE m,/webmdservice/,i
#tflags __URI_WEBMDSERVICE multiple maxhits=6
#meta __URI_WEBMDSERVICE_MANY __URI_WEBMDSERVICE > 5
uri __URI_CLOUDFLAREIPFS m,://cloudflare-ipfs\.com/ipfs/,i
meta URI_CLOUDFLAREIPFS __URI_CLOUDFLAREIPFS
describe URI_CLOUDFLAREIPFS References Interplanetary File System PtP content via CloudFlare, likely phishing
score URI_CLOUDFLAREIPFS 2.500 # limit
tflags URI_CLOUDFLAREIPFS publish