Posted to commits@spamassassin.apache.org by ma...@apache.org on 2009/06/02 22:29:58 UTC

svn commit: r781152 - /spamassassin/rules/trunk/sandbox/maddoc/99_ach_rules.cf

Author: maddoc
Date: Tue Jun  2 20:29:57 2009
New Revision: 781152

URL: http://svn.apache.org/viewvc?rev=781152&view=rev
Log:
New Testing Rules

Added:
    spamassassin/rules/trunk/sandbox/maddoc/99_ach_rules.cf

Added: spamassassin/rules/trunk/sandbox/maddoc/99_ach_rules.cf
URL: http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/maddoc/99_ach_rules.cf?rev=781152&view=auto
==============================================================================
--- spamassassin/rules/trunk/sandbox/maddoc/99_ach_rules.cf (added)
+++ spamassassin/rules/trunk/sandbox/maddoc/99_ach_rules.cf Tue Jun  2 20:29:57 2009
@@ -0,0 +1,356 @@
+rawbody ACH_MSWORD_DROPPINGS		/<o:p><\/o:p>/i
+describe ACH_MSWORD_DROPPINGS		Invalid HTML tags in message.
+score ACH_MSWORD_DROPPINGS		1.5
+
+rawbody ACH_RIGHT_TO_LEFT_TEXT		/dir=(?:3D)?rtl/i
+describe ACH_RIGHT_TO_LEFT_TEXT		Message containes right to left text. No comprendi.
+score ACH_RIGHT_TO_LEFT_TEXT		10.0
+
+full ACH_PRICE_ZIP			/price.+\.zip/i
+describe ACH_PRICE_ZIP			Message contains bogus .zip file attachment.
+score ACH_PRICE_ZIP			10.0
+
+full ACH_EMAIL_PDF			/=(?:3D)?["']Email.*pdf/i
+describe ACH_EMAIL_PDF			Spam or virus infected .pdf
+score ACH_EMAIL_PDF			10.0
+
+header __ACH_LOTO_SUBJ			Subject =~ /CONGRAT|WINN|LOTT?O|LOTTERY|LOOTERY|JACKPOT|NOTICE|PRIZE|AWARD|YOU.* WON|SWEEP/i
+header __ACH_LOTO_FROM			From =~ /CONGRAT|WINN|LOTT?O|LOTTERY|PAY|NOTICE|PRIZE|AWARD|YOU.* WON|SWEEP/i
+header __ACH_LOTO_SUBJ_2		Subject =~ /Ref\sNo:\w+\/.+\/\d+\/.+/i
+meta ACH_LOTO_0				__ACH_LOTO_SUBJ || __ACH_LOTO_FROM || __ACH_LOTO_SUBJ_2 
+describe ACH_LOTO_0			Lottery advance fee fraud
+score ACH_LOTO_0			10.0
+
+body ACH_LOTO_1				/CONGRAT/i
+describe ACH_LOTO_1			Words common to advance fee scam.
+body ACH_LOTO_2				/WINN|YOU.* WON/i
+describe ACH_LOTO_2			Words common to advance fee scam.
+body ACH_LOTO_3				/LOTT?O|LOTTERY|LOOTERY|SWEEP/i
+describe ACH_LOTO_3			Words common to advance fee scam.
+body ACH_LOTO_4				/JACKPOT|PRIZE|AWARD/i
+describe ACH_LOTO_4			Words common to advance fee scam.
+
+header ACH_SUBJ_FROM_SOMEONE		Subject =~ /FROM\s+(MR|MS|MRS|MISS|M\.|MME|MLLE|DR|THE|SIR|MAMA|PROF|GRANDMA)/i
+describe ACH_SUBJ_FROM_SOMEONE		Subject used like From header.
+score ACH_SUBJ_FROM_SOMEONE		10.0
+
+header ACH_FROM_IN_SUBJ			Subject =~ /\sFROM\s/i
+score ACH_FROM_IN_SUBJ			0.8
+
+rawbody ACH_CONTENT_ID			/src=(?:3D)?["']?cid:/i
+describe ACH_CONTENT_ID			Message contains inline content.
+score ACH_CONTENT_ID			1.1
+
+rawbody ACH_REMOTE_IMG			/src=(?:3D)?["']http\:.+(?:jpg|gif)/i
+describe ACH_REMOTE_IMG			Reference to remote web server images.
+score ACH_REMOTE_IMG			0.8
+
+header __ACH_SUBJ_419_1			Subject =~ /(?:BU[SZ]INESS?|CONFIDENTIAL|GRANT|STOCK|INVESTMENT|JOB|URGENT|PRIVATE|PARTNERSHIP|REPRESENTATIVES?|REQUEST|ENQUIRY|YOUR|VOTRE|PAYMENT|Grant)\s.*(?:AGENT|ASSISTANCE|CONFIDENTIAL|PROMOTION|BU[SZ]INESS?|PARTNER|PROPOSAL|ATTENTION|HELP|INVESTMENT|RESPONSE|REQUIRED|NEEDED|OFFER|Notification)/i 
+header __ACH_SUBJ_419_2			Subject =~ /ACT ON OUR BEHALF|REPRESENTATIVES? NEEDED|PLEASE HELP|IMMEDIATE RESPONSE|ATTENTION: PLEASE|represent us|I AWAIT YOUR URGENT RESPONSE|searching for representatives|Treat\s.*Confidential|Dear Beneficiary/i
+header __ACH_SUBJ_419_3			Subject =~ /Part Time Job Offer|EQUITY LOAN OFFER/i
+header __ACH_SUBJ_419_FR		Subject =~ /Proposition pour l'association/i
+meta ACH_SUBJ_419			__ACH_SUBJ_419_1 || __ACH_SUBJ_419_2 || __ACH_SUBJ_419_3 || __ACH_SUBJ_419_FR 
+describe ACH_SUBJ_419			Subject contains common 419 scam phrasing.
+score ACH_SUBJ_419			10.0
+
+header __ACH_SUBJ_419_4			Subject =~ /Barrister|lawyer|minister/i
+body __ACH_BODY_419_1			/proposition|partnership/i
+body __ACH_BODY_419_2			/investment|million|thousand/i
+body __ACH_BODY_419_3			/died|death/i
+meta ACH_BODY_419			__ACH_SUBJ_419_4 || __ACH_BODY_419_1 || __ACH_BODY_419_2 || __ACH_BODY_419_3
+describe ACH_BODY_419			Message contains 419 related words or phrases.
+score ACH_BODY_419			2.0
+
+header ACH_MSGID_NOT_FQDN		Message-ID =~ /@[-a-z]+>/i
+describe ACH_MSGID_NOT_FQDN		The Message-ID is not full qualified.
+score ACH_MSGID_NOT_FQDN		1.5
+
+#header __ACH_MPART_TYPE_PARAM_1		 Content-Type =~ /\s*multipart\/related.* type="?multipart\/alternative/i
+#header __ACH_MPART_TYPE_PARAM_2		 Content-Type =~ /\s*multipart\/alternative.* type="?multipart\/related/i
+#meta ACH_MPART_TYPE_PARAM		__ACH_MPART_TYPE_PARAM_1 || __ACH_MPART_TYPE_PARAM_2
+#describe ACH_MPART_TYPE_PARAM		Mismatched and invalid type parameter.
+#score ACH_MPART_TYPE_PARAM		10.0
+
+header ACH_SUBJ_NOW			Subject =~ /Order Now|Apply Now/i
+score ACH_SUBJ_NOW			10.0
+
+body ACH_ORDER_NOW			/[O0]rder Now|Apply Now|Personal Loans|Business Loans/i
+describe ACH_ORDER_NOW			Pushy sales pitch.
+score ACH_ORDER_NOW			3.7
+
+header ACH_SUBJ_KNOCKOFFS		Subject =~ /replica\s|rolex/i
+describe ACH_SUBJ_KNOCKOFFS		Subject refers to knock-offs.
+score ACH_SUBJ_KNOCKOFFS		10.0
+
+header ACH_SUBJ_OTC_MEDS		Subject =~ /OTC\s.*meds/
+describe ACH_SUBJ_OTC_MEDS		Subject mentions over-the-counter medication.
+score ACH_SUBJ_OTC_MEDS			10.0
+
+body ACH_CHECK_OUT			/Check this out.* achowe/i
+describe ACH_CHECK_OUT			Inane attempts to engage my interest in tripe.
+score ACH_CHECK_OUT			10.0
+
+header ACH_RECEIVED_ID			Received =~ /\sid\s\S*([\][)(}{\#*\\\/,'"?!]+\S*)+/i
+describe ACH_RECEIVED_ID		Received header contains garbage id.
+score ACH_RECEIVED_ID			2.5
+
+# Thread-Index: appears to specify a Base64 encoded value
+header ACH_THREAD_INDEX_B64		Thread-Index =~ /[^\w\d\s+\/=]/
+describe ACH_THREAD_INDEX_B64		Bogus MS Outlook Thread-Index header.
+score ACH_THREAD_INDEX_B64		1.2
+
+# HTML_TINY_FONT matches 0.8em which is readable. This version should be better.
+rawbody ACH_HTML_TINY_FONT		/\<.*font\-size\:[ \"]*(?:1pt|0(?:\.[01][0-9]*)?[^.0-9]+).*\>/i
+describe ACH_HTML_TINY_FONT		HTML message contains unreadable text.
+score ACH_HTML_TINY_FONT		3.4
+score HTML_TINY_FONT			0
+
+header ACH_FROM_USERID_NAME		From =~ /"([^"]+)"\s+<\1@/i
+describe ACH_FROM_USERID_NAME		Part of mail address appears as real name.
+score ACH_FROM_USERID_NAME		1.0
+header ACH_SUBJ_CHEAP			Subject =~ /\scheap|replica |rolex/i
+describe ACH_SUBJ_CHEAP			Subject claims cheap goods.
+score ACH_SUBJ_CHEAP			3.7
+
+header ACH_SUBJ_OTC_MEDS		Subject =~ /OTC\s.*meds/
+describe ACH_SUBJ_OTC_MEDS		Subject mentions over-the-counter medication.
+score ACH_SUBJ_OTC_MEDS			10.0
+
+body ACH_CHECK_OUT			/Check this out.* achowe/i
+describe ACH_CHECK_OUT			Inane attempts to engage my interest in tripe.
+score ACH_CHECK_OUT			10.0
+
+header ACH_RECEIVED_ID			Received =~ /\sid\s\S*([\][)(}{\#*\\\/,'"?!]+\S*)+/i
+describe ACH_RECEIVED_ID		Received header contains garbage id.
+score ACH_RECEIVED_ID			2.5
+
+header ACH_RECEIVED_DEC_IP		Received =~ /\sfrom\s[^(]+\(-?[0-9]+\s\[-?[0-9]+\]\)/i
+describe ACH_RECEIVED_DEC_IP		Received header contains decimal numbers for IP address
+score ACH_RECEIVED_DEC_IP		10.0
+
+# Thread-Index: appears to specify a Base64 encoded value
+header ACH_THREAD_INDEX_B64		Thread-Index =~ /[^\w\d\s+\/=]/
+describe ACH_THREAD_INDEX_B64		Bogus MS Outlook Thread-Index header.
+score ACH_THREAD_INDEX_B64		1.2
+
+# HTML_TINY_FONT matches 0.8em which is readable. This version should be better.
+rawbody ACH_HTML_TINY_FONT		/\<.*font\-size\:[ \"]*(?:1pt|0(?:\.[01][0-9]*)?[^.0-9]+).*\>/i
+describe ACH_HTML_TINY_FONT		HTML message contains unreadable text.
+score ACH_HTML_TINY_FONT		3.4
+score HTML_TINY_FONT			0
+
+body ACH_PENNY_STOCK			/(?:current|price|expected|projected):?.*(?:\$|USD)?\s*0*\.\d{2,}/i
+describe ACH_PENNY_STOCK		Penny stock price quoted.
+score ACH_PENNY_STOCK			3.5
+
+body ACH_PENNY_STOCK_2			/(?:Cannot go wrong.*)\d+\s+cents(?:.+cheap|steal)?/i
+describe ACH_PENNY_STOCK_2		Penny stock price quoted.
+score ACH_PENNY_STOCK_2			3.5
+
+body ACH_PENNY_STOCK_3			/GURANTEED to Double|Remember Snapple/i
+describe ACH_PENNY_STOCK_3		Penny stock price quoted.
+score ACH_PENNY_STOCK_3			3.5
+
+body ACH_PENNY_STOCK_4			/S\W?Y\W?M\W?.?\s*[-:_] (?:\w\W?){3,}/i
+describe ACH_PENNY_STOCK_4		Penny stock price quoted.
+score ACH_PENNY_STOCK_4			3.5
+
+header ACH_FROM_USERID_NAME		From =~ /"([^"]+)"\s+<\1@/i
+describe ACH_FROM_USERID_NAME		Part of mail address appears as real name.
+score ACH_FROM_USERID_NAME		1.0
+
+header ACH_FROM_DOMAIN_NAME		From =~ /"([^"]+)".+@\1>/i
+describe ACH_FROM_DOMAIN_NAME		Part of mail address appears as real name.
+score ACH_FROM_DOMAIN_NAME		1.7
+
+header ACH_TO_USERID_NAME		To =~ /"([^"]+)"\s+<\1@/i
+describe ACH_TO_USERID_NAME		Part of mail address appears as real name.
+score ACH_TO_USERID_NAME		2.0
+
+#header ACH_TO_BARE_ADDR			To =~ /^[^<]+@[^>]+$/
+#describe ACH_TO_BARE_ADDR		Destination address not in angle brackets.
+#score ACH_TO_BARE_ADDR			0.0
+
+rawbody ACH_IMG_H300_W300		/\s*height=(?:3D)?"3\d\d"\s+width=(?:3D)?"3\d\d"/i
+describe ACH_IMG_H300_W300		Image dimensons 300-399 x 300-399
+score ACH_IMG_H300_W300			2.0
+
+rawbody ACH_IMG_H500_W200		/\s*height=(?:3D)?"1\d\d"\s+width=(?:3D)?"5\d\d"/i
+describe ACH_IMG_H500_W200		Image dimensons 500-599 x 100-199
+score ACH_IMG_H500_W200			2.0
+
+rawbody ACH_BR_STYLE			/<br\s+style\=/i
+describe ACH_BR_STYLE			BR with suspicious style attribute.
+score ACH_BR_STYLE			1.5
+
+rawbody ACH_JS_EVENTS			/(?:onclick|onsubmit|onmouseover|onmouseout)=(?:3D)?"/i
+describe ACH_JS_EVENTS			Contains references to JavaScript events.
+score ACH_JS_EVENTS			2.0
+
+rawbody ACH_JS_SCHEME			/href=(?:3D)?"javascript:/i
+describe ACH_JS_SCHEME			Contains reference to JavaScript URL scheme.
+score ACH_JS_SCHEME			10.0
+
+rawbody ACH_SRC_BASELINE		/src=(?:3D)?"?cid:[^>]+align=(?:3D)?"?baseline/i
+describe ACH_SRC_BASELINE		an inline img tag that uses an incorrect align=baseline
+score ACH_SRC_BASELINE			10.0
+
+full __ZIP_FILE				/name(\*[0-9]+)?=(3D)?.[^\\\/:*?"<>|]*\.(zip|rar)\b/i
+describe __ZIP_FILE			A .zip or .rar file attachment found.
+
+header __ACH_MAIL_REPORT_1		Subject =~ /^Mail server report/i
+meta ACH_MAIL_REPORT			__ACH_MAIL_REPORT_1 && __ZIP_FILE
+describe ACH_MAIL_REPORT		Bogus mail server report with suspicious attachment.
+score ACH_MAIL_REPORT			10.0
+
+header ACH_TEENS_1			Subject =~ /\steens|Eighteen/i
+describe ACH_TEENS_1			Subject refers to teens.
+score ACH_TEENS_1			1.0
+
+header ACH_FUCK				Subject =~ /fuu?ck|foo?ck/i
+describe ACH_FUCK			Swearing in subject.
+score ACH_FUCK				3.0
+
+header ACH_PENIS_1			Subject =~ /p[e3]nn?[i1][sz]/i
+describe ACH_PENIS_1			Subject refers to body parts.
+score ACH_PENIS_1			2.0
+
+body ACH_TEENS_2			/\steens|Eighteen/i
+describe ACH_TEENS_2			Message refers to teens.
+score ACH_TEENS_2			1.0
+
+body ACH_PENIS_2			/p[e3]nn?[i1][sz]/i
+describe ACH_PENIS_2			Message refers to body parts.
+score ACH_PENIS_2			3.0
+
+meta ACH_PORN				(ACH_TEENS_1 || ACH_TEENS_2) && (ACH_FUCK || ACH_PENIS_1 || ACH_PENIS_2)
+describe ACH_PORN			Porn
+score ACH_PORN				10.0
+
+header ACH_X_AUTH_WARN			exists:X-Authentication-Warning
+describe ACH_X_AUTH_WARN		Unapproved user used sendmail -f option to change sender address.
+score ACH_X_AUTH_WARN			1.0
+
+header ACH_X_SPAM_CHECK			exists:X-Spam-Check
+describe ACH_X_SPAM_CHECK		Unknown spam scanner headers.
+score ACH_X_SPAM_CHECK			1.0
+
+header __ACH_CADEAUX_1			Subject =~ /cadeaux/i
+body __ACH_CADEAUX_2			/cadeaux/i
+describe ACH_CADEAUX			French offers of gifts.
+meta ACH_CADEAUX			__ACH_CADEAUX_1 || __ACH_CADEAUX_2
+score ACH_CADEAUX			10.0
+
+body ACH_OPTOUT_FR			/inscrit dans notre base/
+describe ACH_OPTOUT_FR			French claims that you subscribed to their list.
+score ACH_OPTOUT_FR			10.0
+
+full ACH_RUSSIAN			/charset=koi8-r/i
+describe ACH_RUSSIAN			We don't read Russian.
+score ACH_RUSSIAN			10.0
+
+full ACH_BOGUS_DATE			/DATE:\s*\[\[.+\]\]/i
+describe ACH_BOGUS_DATE			Has incorrectly formatted Date header.
+score ACH_BOGUS_DATE			10.0
+
+full ACH_VIRUS_BOUNDARY1		/boundary="--------bound--"/i
+describe ACH_VIRUS_BOUNDARY1		Contains virus / spam signature.
+score ACH_VIRUS_BOUNDARY1		10.0
+
+header __ACH_FR_OFFERS_1		Subject =~ /De nombreuses offres exceptionnelles pour vous/i
+body __ACH_FR_OFFERS_2			/De nombreuses offres exceptionnelles pour vous/i
+body __ACH_FR_OFFERS_3			/DISCOUNT AUX ENTREPRISES/i
+meta ACH_FR_OFFERS			__ACH_FR_OFFERS_1 || __ACH_FR_OFFERS_2 || __ACH_FR_OFFERS_3
+describe ACH_FR_OFFERS			Offers in french.
+score ACH_FR_OFFERS			10.0
+
+body ACH_FR_REMISE			/une remise de .+% sur votre prochaine commande en indiquant/i
+describe ACH_FR_REMISE			Disount offer in french.
+score ACH_FR_REMISE			2.5
+
+body ACH_VIRUS_1			/Here is the video of this patient interrogation . cross-examination./ 
+describe ACH_VIRUS_1			Worm.Stration.pac-1 
+score ACH_VIRUS_1			10.0
+
+header ACH_LONG_SUBJ_80			Subject =~ /^.{80,}/
+describe ACH_LONG_SUBJ_80		Subject is unusually long, 80+
+score ACH_LONG_SUBJ_80			10.0
+
+header ACH_LONG_SUBJ_70			Subject =~ /^.{70,79}$/
+describe ACH_LONG_SUBJ_70		Subject is long. 70..79
+score ACH_LONG_SUBJ_70			1.5
+
+header ACH_LONG_SUBJ_60			Subject =~ /^.{60,69}$/
+describe ACH_LONG_SUBJ_60		Subject is long, 60..69
+score ACH_LONG_SUBJ_60			1.0
+
+header ACH_LONG_SUBJ_50			Subject =~ /^.{50,59}$/
+describe ACH_LONG_SUBJ_50		Subject is long, 50..59
+score ACH_LONG_SUBJ_50			0.5
+
+full ACH_PND_PDF_1			/JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCj|JVBERi0xLjEKJeLjz9MKMSAwIG9iaiAKPDwKL/
+describe ACH_PND_PDF_1			Pump-n-dump PDF spam from Storm botnet
+score ACH_PND_PDF_1			10.0
+
+body ACH_SPAMWARE		/\{, MAILTO_USERNAME\}/i
+describe ACH_SPAMWARE		This is spam.
+score ACH_SPAMWARE		10.0
+
+header __ACH_BOGUS_ECARD_1	Subject =~ /Animated postcard/
+body __ACH_BOGUS_ECARD_2	/School-mate\(.*\) has created Animated postcard for you/i
+meta ACH_BOGUS_ECARD		__ACH_BOGUS_ECARD_1 || __ACH_BOGUS_ECARD_2
+describe ACH_BOGUS_ECARD	False online greeting card
+score ACH_BOGUS_ECARD		10.0
+
+body __ACH_ECARD			/(?:e|online|greeting|post|virtual)[-\s]*card/i
+meta ACH_BOGUS_ECARD_1		NORMAL_HTTP_TO_IP && __ACH_ECARD
+describe ACH_BOGUS_ECARD	Online greeting card with IP based URL.
+score ACH_BOGUS_ECARD_1		10.0
+
+full ACH_RUSSIAN		/charset="koi8-r"/
+describe ACH_RUSSIAN		spam written in Russian
+score ACH_RUSSIAN		10.0
+
+body ACH_DOMAIN_SCAM		/A couple of days ago I emailed you about the domain name/
+describe ACH_DOMAIN_SCAM	Domain name scam.
+score ACH_DOMAIN_SCAM		3.0	
+header ACH_DOMAIN_SCAM_1	From =~ /Ken Palm/i
+score ACH_DOMAIN_SCAM_1		3.0
+rawbody ACH_DOMAIN_SCAM_2	/buy\.php\?domain=/i
+score ACH_DOMAIN_SCAM_2		3.0
+
+header ACH_NO_REPLY		Reply_To =~ /no-?reply|no-?return|discard/i
+describe ACH_NO_REPLY		Message has no reply address.
+score ACH_NO_REPLY		3.0
+
+header ACH_FROM_STOCK		From =~ /stock/i
+header ACH_FROM_MARKET		From =~ /market/i
+header ACH_FROM_DEAL		From =~ /deal/i
+header ACH_FROM_DEBT		From =~ /debt/i
+header ACH_FROM_LOAN		From =~ /loan/i
+header ACH_FROM_MORTGAGE	From =~ /Mortgage/i
+
+header ACH_SUBJ_WATCH		Subject =~ /Submariner.*watch/i
+score ACH_SUBJ_WATCH		10.0
+
+rawbody ACH_HTML_FORM		/<FORM/i
+describe ACH_HTML_FORM		HTML <FORM> in email rejected; possible 419 abuse
+score ACH_HTML_FORM		10.0
+
+header ACH_SUBJ_DEGREE_0	Subject =~ /Bachelor/i
+header ACH_SUBJ_DEGREE_1	Subject =~ /diploma|degree/i
+body ACH_SUBJ_DEGREE_2		/Bachelor|Masters/i
+body ACH_SUBJ_DEGREE_3		/diploma/i
+body ACH_SUBJ_DEGREE_4		/degree/i
+
+body __ACH_419_NAME		/FULL NAME:/
+body __ACH_419_ADRRESS		/CONTACT ADDRESS:/
+body __ACH_419_CITY		/CITY:/
+body __ACH_419_STATE		/STATE:/
+body __ACH_419_ZIP		/ZIP-CODE:/
+body __ACH_419_TEL		/TELEPHONE NUMBER:/
+body __ACH_419_CELL		/MOBILE NUMBER:/
+body __ACH_419_AGE		/AGE:/
+body __ACH_419_OCCUPATION	/OCCUPATION:/
+meta ACH_419_CONTACT_DETAILS	(__ACH_419_NAME && __ACH_419_ADRRESS && __ACH_419_CITY && __ACH_419_STATE && __ACH_419_ZIP && __ACH_419_TEL && __ACH_419_CELL && __ACH_419_AGE && __ACH_419_OCCUPATION)
+score ACH_419_CONTACT_DETAILS	10.0
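Review bot: Several rule names are defined twice in this hunk, and since a later definition of the same name appears to replace the earlier one, the duplicates are not harmless: ACH_RUSSIAN is first written as `/charset=koi8-r/i` and later redefined as `/charset="koi8-r"/`, which silently drops the case-insensitive match and now requires the quoted form, while ACH_SUBJ_OTC_MEDS, ACH_CHECK_OUT, ACH_RECEIVED_ID, ACH_THREAD_INDEX_B64, ACH_HTML_TINY_FONT and ACH_FROM_USERID_NAME (with their describe/score lines, plus `score HTML_TINY_FONT 0`) are repeated verbatim and should be collapsed to one copy each. In the same way the second `describe ACH_BOGUS_ECARD` overwrites the first and leaves ACH_BOGUS_ECARD_1 without a description; `describe ACH_BOGUS_ECARD_1	Online greeting card with IP based URL.` fixes both. ACH_NO_REPLY tests a header named `Reply_To`, but the real header is Reply-To, so the rule as written can never fire and should read `header ACH_NO_REPLY		Reply-To =~ /no-?reply|no-?return|discard/i`. Beyond these, a number of very broad patterns carry a 10.0 score (any dir=rtl attribute, any koi8-r charset, an 80+ character Subject, any <FORM> tag, "Order Now" in the Subject), each of which would on its own push legitimate mail from those populations over a typical threshold; lower initial scores or masscheck results would be worth having before these leave the sandbox.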