Posted to commits@spamassassin.apache.org by ma...@apache.org on 2009/06/02 22:29:58 UTC
svn commit: r781152 -
/spamassassin/rules/trunk/sandbox/maddoc/99_ach_rules.cf
Author: maddoc
Date: Tue Jun 2 20:29:57 2009
New Revision: 781152
URL: http://svn.apache.org/viewvc?rev=781152&view=rev
Log:
New Testing Rules
Added:
spamassassin/rules/trunk/sandbox/maddoc/99_ach_rules.cf
Added: spamassassin/rules/trunk/sandbox/maddoc/99_ach_rules.cf
URL: http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/maddoc/99_ach_rules.cf?rev=781152&view=auto
==============================================================================
--- spamassassin/rules/trunk/sandbox/maddoc/99_ach_rules.cf (added)
+++ spamassassin/rules/trunk/sandbox/maddoc/99_ach_rules.cf Tue Jun 2 20:29:57 2009
@@ -0,0 +1,356 @@
+rawbody ACH_MSWORD_DROPPINGS /<o:p><\/o:p>/i
+describe ACH_MSWORD_DROPPINGS Invalid HTML tags in message.
+score ACH_MSWORD_DROPPINGS 1.5
+
+rawbody ACH_RIGHT_TO_LEFT_TEXT /dir=(?:3D)?rtl/i
+describe ACH_RIGHT_TO_LEFT_TEXT Message containes right to left text. No comprendi.
+score ACH_RIGHT_TO_LEFT_TEXT 10.0
+
+full ACH_PRICE_ZIP /price.+\.zip/i
+describe ACH_PRICE_ZIP Message contains bogus .zip file attachment.
+score ACH_PRICE_ZIP 10.0
+
+full ACH_EMAIL_PDF /=(?:3D)?["']Email.*pdf/i
+describe ACH_EMAIL_PDF Spam or virus infected .pdf
+score ACH_EMAIL_PDF 10.0
+
+header __ACH_LOTO_SUBJ Subject =~ /CONGRAT|WINN|LOTT?O|LOTTERY|LOOTERY|JACKPOT|NOTICE|PRIZE|AWARD|YOU.* WON|SWEEP/i
+header __ACH_LOTO_FROM From =~ /CONGRAT|WINN|LOTT?O|LOTTERY|PAY|NOTICE|PRIZE|AWARD|YOU.* WON|SWEEP/i
+header __ACH_LOTO_SUBJ_2 Subject =~ /Ref\sNo:\w+\/.+\/\d+\/.+/i
+meta ACH_LOTO_0 __ACH_LOTO_SUBJ || __ACH_LOTO_FROM || __ACH_LOTO_SUBJ_2
+describe ACH_LOTO_0 Lottery advance fee fraud
+score ACH_LOTO_0 10.0
+
+body ACH_LOTO_1 /CONGRAT/i
+describe ACH_LOTO_1 Words common to advance fee scam.
+body ACH_LOTO_2 /WINN|YOU.* WON/i
+describe ACH_LOTO_2 Words common to advance fee scam.
+body ACH_LOTO_3 /LOTT?O|LOTTERY|LOOTERY|SWEEP/i
+describe ACH_LOTO_3 Words common to advance fee scam.
+body ACH_LOTO_4 /JACKPOT|PRIZE|AWARD/i
+describe ACH_LOTO_4 Words common to advance fee scam.
+
+header ACH_SUBJ_FROM_SOMEONE Subject =~ /FROM\s+(MR|MS|MRS|MISS|M\.|MME|MLLE|DR|THE|SIR|MAMA|PROF|GRANDMA)/i
+describe ACH_SUBJ_FROM_SOMEONE Subject used like From header.
+score ACH_SUBJ_FROM_SOMEONE 10.0
+
+header ACH_FROM_IN_SUBJ Subject =~ /\sFROM\s/i
+score ACH_FROM_IN_SUBJ 0.8
+
+rawbody ACH_CONTENT_ID /src=(?:3D)?["']?cid:/i
+describe ACH_CONTENT_ID Message contains inline content.
+score ACH_CONTENT_ID 1.1
+
+rawbody ACH_REMOTE_IMG /src=(?:3D)?["']http\:.+(?:jpg|gif)/i
+describe ACH_REMOTE_IMG Reference to remote web server images.
+score ACH_REMOTE_IMG 0.8
+
+header __ACH_SUBJ_419_1 Subject =~ /(?:BU[SZ]INESS?|CONFIDENTIAL|GRANT|STOCK|INVESTMENT|JOB|URGENT|PRIVATE|PARTNERSHIP|REPRESENTATIVES?|REQUEST|ENQUIRY|YOUR|VOTRE|PAYMENT|Grant)\s.*(?:AGENT|ASSISTANCE|CONFIDENTIAL|PROMOTION|BU[SZ]INESS?|PARTNER|PROPOSAL|ATTENTION|HELP|INVESTMENT|RESPONSE|REQUIRED|NEEDED|OFFER|Notification)/i
+header __ACH_SUBJ_419_2 Subject =~ /ACT ON OUR BEHALF|REPRESENTATIVES? NEEDED|PLEASE HELP|IMMEDIATE RESPONSE|ATTENTION: PLEASE|represent us|I AWAIT YOUR URGENT RESPONSE|searching for representatives|Treat\s.*Confidential|Dear Beneficiary/i
+header __ACH_SUBJ_419_3 Subject =~ /Part Time Job Offer|EQUITY LOAN OFFER/i
+header __ACH_SUBJ_419_FR Subject =~ /Proposition pour l'association/i
+meta ACH_SUBJ_419 __ACH_SUBJ_419_1 || __ACH_SUBJ_419_2 || __ACH_SUBJ_419_3 || __ACH_SUBJ_419_FR
+describe ACH_SUBJ_419 Subject contains common 419 scam phrasing.
+score ACH_SUBJ_419 10.0
+
+header __ACH_SUBJ_419_4 Subject =~ /Barrister|lawyer|minister/i
+body __ACH_BODY_419_1 /proposition|partnership/i
+body __ACH_BODY_419_2 /investment|million|thousand/i
+body __ACH_BODY_419_3 /died|death/i
+meta ACH_BODY_419 __ACH_SUBJ_419_4 || __ACH_BODY_419_1 || __ACH_BODY_419_2 || __ACH_BODY_419_3
+describe ACH_BODY_419 Message contains 419 related words or phrases.
+score ACH_BODY_419 2.0
+
+header ACH_MSGID_NOT_FQDN Message-ID =~ /@[-a-z]+>/i
+describe ACH_MSGID_NOT_FQDN The Message-ID is not full qualified.
+score ACH_MSGID_NOT_FQDN 1.5
+
+#header __ACH_MPART_TYPE_PARAM_1 Content-Type =~ /\s*multipart\/related.* type="?multipart\/alternative/i
+#header __ACH_MPART_TYPE_PARAM_2 Content-Type =~ /\s*multipart\/alternative.* type="?multipart\/related/i
+#meta ACH_MPART_TYPE_PARAM __ACH_MPART_TYPE_PARAM_1 || __ACH_MPART_TYPE_PARAM_2
+#describe ACH_MPART_TYPE_PARAM Mismatched and invalid type parameter.
+#score ACH_MPART_TYPE_PARAM 10.0
+
+header ACH_SUBJ_NOW Subject =~ /Order Now|Apply Now/i
+score ACH_SUBJ_NOW 10.0
+
+body ACH_ORDER_NOW /[O0]rder Now|Apply Now|Personal Loans|Business Loans/i
+describe ACH_ORDER_NOW Pushy sales pitch.
+score ACH_ORDER_NOW 3.7
+
+header ACH_SUBJ_KNOCKOFFS Subject =~ /replica\s|rolex/i
+describe ACH_SUBJ_KNOCKOFFS Subject refers to knock-offs.
+score ACH_SUBJ_KNOCKOFFS 10.0
+
+header ACH_SUBJ_OTC_MEDS Subject =~ /OTC\s.*meds/
+describe ACH_SUBJ_OTC_MEDS Subject mentions over-the-counter medication.
+score ACH_SUBJ_OTC_MEDS 10.0
+
+body ACH_CHECK_OUT /Check this out.* achowe/i
+describe ACH_CHECK_OUT Inane attempts to engage my interest in tripe.
+score ACH_CHECK_OUT 10.0
+
+header ACH_RECEIVED_ID Received =~ /\sid\s\S*([\][)(}{\#*\\\/,'"?!]+\S*)+/i
+describe ACH_RECEIVED_ID Received header contains garbage id.
+score ACH_RECEIVED_ID 2.5
+
+# Thread-Index: appears to specify a Base64 encoded value
+header ACH_THREAD_INDEX_B64 Thread-Index =~ /[^\w\d\s+\/=]/
+describe ACH_THREAD_INDEX_B64 Bogus MS Outlook Thread-Index header.
+score ACH_THREAD_INDEX_B64 1.2
+
+# HTML_TINY_FONT matches 0.8em which is readable. This version should be better.
+rawbody ACH_HTML_TINY_FONT /\<.*font\-size\:[ \"]*(?:1pt|0(?:\.[01][0-9]*)?[^.0-9]+).*\>/i
+describe ACH_HTML_TINY_FONT HTML message contains unreadable text.
+score ACH_HTML_TINY_FONT 3.4
+score HTML_TINY_FONT 0
+
+header ACH_FROM_USERID_NAME From =~ /"([^"]+)"\s+<\1@/i
+describe ACH_FROM_USERID_NAME Part of mail address appears as real name.
+score ACH_FROM_USERID_NAME 1.0
+header ACH_SUBJ_CHEAP Subject =~ /\scheap|replica |rolex/i
+describe ACH_SUBJ_CHEAP Subject claims cheap goods.
+score ACH_SUBJ_CHEAP 3.7
+
+header ACH_SUBJ_OTC_MEDS Subject =~ /OTC\s.*meds/
+describe ACH_SUBJ_OTC_MEDS Subject mentions over-the-counter medication.
+score ACH_SUBJ_OTC_MEDS 10.0
+
+body ACH_CHECK_OUT /Check this out.* achowe/i
+describe ACH_CHECK_OUT Inane attempts to engage my interest in tripe.
+score ACH_CHECK_OUT 10.0
+
+header ACH_RECEIVED_ID Received =~ /\sid\s\S*([\][)(}{\#*\\\/,'"?!]+\S*)+/i
+describe ACH_RECEIVED_ID Received header contains garbage id.
+score ACH_RECEIVED_ID 2.5
+
+header ACH_RECEIVED_DEC_IP Received =~ /\sfrom\s[^(]+\(-?[0-9]+\s\[-?[0-9]+\]\)/i
+describe ACH_RECEIVED_DEC_IP Received header contains decimal numbers for IP address
+score ACH_RECEIVED_DEC_IP 10.0
+
+# Thread-Index: appears to specify a Base64 encoded value
+header ACH_THREAD_INDEX_B64 Thread-Index =~ /[^\w\d\s+\/=]/
+describe ACH_THREAD_INDEX_B64 Bogus MS Outlook Thread-Index header.
+score ACH_THREAD_INDEX_B64 1.2
+
+# HTML_TINY_FONT matches 0.8em which is readable. This version should be better.
+rawbody ACH_HTML_TINY_FONT /\<.*font\-size\:[ \"]*(?:1pt|0(?:\.[01][0-9]*)?[^.0-9]+).*\>/i
+describe ACH_HTML_TINY_FONT HTML message contains unreadable text.
+score ACH_HTML_TINY_FONT 3.4
+score HTML_TINY_FONT 0
+
+body ACH_PENNY_STOCK /(?:current|price|expected|projected):?.*(?:\$|USD)?\s*0*\.\d{2,}/i
+describe ACH_PENNY_STOCK Penny stock price quoted.
+score ACH_PENNY_STOCK 3.5
+
+body ACH_PENNY_STOCK_2 /(?:Cannot go wrong.*)\d+\s+cents(?:.+cheap|steal)?/i
+describe ACH_PENNY_STOCK_2 Penny stock price quoted.
+score ACH_PENNY_STOCK_2 3.5
+
+body ACH_PENNY_STOCK_3 /GURANTEED to Double|Remember Snapple/i
+describe ACH_PENNY_STOCK_3 Penny stock price quoted.
+score ACH_PENNY_STOCK_3 3.5
+
+body ACH_PENNY_STOCK_4 /S\W?Y\W?M\W?.?\s*[-:_] (?:\w\W?){3,}/i
+describe ACH_PENNY_STOCK_4 Penny stock price quoted.
+score ACH_PENNY_STOCK_4 3.5
+
+header ACH_FROM_USERID_NAME From =~ /"([^"]+)"\s+<\1@/i
+describe ACH_FROM_USERID_NAME Part of mail address appears as real name.
+score ACH_FROM_USERID_NAME 1.0
+
+header ACH_FROM_DOMAIN_NAME From =~ /"([^"]+)".+@\1>/i
+describe ACH_FROM_DOMAIN_NAME Part of mail address appears as real name.
+score ACH_FROM_DOMAIN_NAME 1.7
+
+header ACH_TO_USERID_NAME To =~ /"([^"]+)"\s+<\1@/i
+describe ACH_TO_USERID_NAME Part of mail address appears as real name.
+score ACH_TO_USERID_NAME 2.0
+
+#header ACH_TO_BARE_ADDR To =~ /^[^<]+@[^>]+$/
+#describe ACH_TO_BARE_ADDR Destination address not in angle brackets.
+#score ACH_TO_BARE_ADDR 0.0
+
+rawbody ACH_IMG_H300_W300 /\s*height=(?:3D)?"3\d\d"\s+width=(?:3D)?"3\d\d"/i
+describe ACH_IMG_H300_W300 Image dimensons 300-399 x 300-399
+score ACH_IMG_H300_W300 2.0
+
+rawbody ACH_IMG_H500_W200 /\s*height=(?:3D)?"1\d\d"\s+width=(?:3D)?"5\d\d"/i
+describe ACH_IMG_H500_W200 Image dimensons 500-599 x 100-199
+score ACH_IMG_H500_W200 2.0
+
+rawbody ACH_BR_STYLE /<br\s+style\=/i
+describe ACH_BR_STYLE BR with suspicious style attribute.
+score ACH_BR_STYLE 1.5
+
+rawbody ACH_JS_EVENTS /(?:onclick|onsubmit|onmouseover|onmouseout)=(?:3D)?"/i
+describe ACH_JS_EVENTS Contains references to JavaScript events.
+score ACH_JS_EVENTS 2.0
+
+rawbody ACH_JS_SCHEME /href=(?:3D)?"javascript:/i
+describe ACH_JS_SCHEME Contains reference to JavaScript URL scheme.
+score ACH_JS_SCHEME 10.0
+
+rawbody ACH_SRC_BASELINE /src=(?:3D)?"?cid:[^>]+align=(?:3D)?"?baseline/i
+describe ACH_SRC_BASELINE an inline img tag that uses an incorrect align=baseline
+score ACH_SRC_BASELINE 10.0
+
+full __ZIP_FILE /name(\*[0-9]+)?=(3D)?.[^\\\/:*?"<>|]*\.(zip|rar)\b/i
+describe __ZIP_FILE A .zip or .rar file attachment found.
+
+header __ACH_MAIL_REPORT_1 Subject =~ /^Mail server report/i
+meta ACH_MAIL_REPORT __ACH_MAIL_REPORT_1 && __ZIP_FILE
+describe ACH_MAIL_REPORT Bogus mail server report with suspicious attachment.
+score ACH_MAIL_REPORT 10.0
+
+header ACH_TEENS_1 Subject =~ /\steens|Eighteen/i
+describe ACH_TEENS_1 Subject refers to teens.
+score ACH_TEENS_1 1.0
+
+header ACH_FUCK Subject =~ /fuu?ck|foo?ck/i
+describe ACH_FUCK Swearing in subject.
+score ACH_FUCK 3.0
+
+header ACH_PENIS_1 Subject =~ /p[e3]nn?[i1][sz]/i
+describe ACH_PENIS_1 Subject refers to body parts.
+score ACH_PENIS_1 2.0
+
+body ACH_TEENS_2 /\steens|Eighteen/i
+describe ACH_TEENS_2 Message refers to teens.
+score ACH_TEENS_2 1.0
+
+body ACH_PENIS_2 /p[e3]nn?[i1][sz]/i
+describe ACH_PENIS_2 Message refers to body parts.
+score ACH_PENIS_2 3.0
+
+meta ACH_PORN (ACH_TEENS_1 || ACH_TEENS_2) && (ACH_FUCK || ACH_PENIS_1 || ACH_PENIS_2)
+describe ACH_PORN Porn
+score ACH_PORN 10.0
+
+header ACH_X_AUTH_WARN exists:X-Authentication-Warning
+describe ACH_X_AUTH_WARN Unapproved user used sendmail -f option to change sender address.
+score ACH_X_AUTH_WARN 1.0
+
+header ACH_X_SPAM_CHECK exists:X-Spam-Check
+describe ACH_X_SPAM_CHECK Unknown spam scanner headers.
+score ACH_X_SPAM_CHECK 1.0
+
+header __ACH_CADEAUX_1 Subject =~ /cadeaux/i
+body __ACH_CADEAUX_2 /cadeaux/i
+describe ACH_CADEAUX French offers of gifts.
+meta ACH_CADEAUX __ACH_CADEAUX_1 || __ACH_CADEAUX_2
+score ACH_CADEAUX 10.0
+
+body ACH_OPTOUT_FR /inscrit dans notre base/
+describe ACH_OPTOUT_FR French claims that you subscribed to their list.
+score ACH_OPTOUT_FR 10.0
+
+full ACH_RUSSIAN /charset=koi8-r/i
+describe ACH_RUSSIAN We don't read Russian.
+score ACH_RUSSIAN 10.0
+
+full ACH_BOGUS_DATE /DATE:\s*\[\[.+\]\]/i
+describe ACH_BOGUS_DATE Has incorrectly formatted Date header.
+score ACH_BOGUS_DATE 10.0
+
+full ACH_VIRUS_BOUNDARY1 /boundary="--------bound--"/i
+describe ACH_VIRUS_BOUNDARY1 Contains virus / spam signature.
+score ACH_VIRUS_BOUNDARY1 10.0
+
+header __ACH_FR_OFFERS_1 Subject =~ /De nombreuses offres exceptionnelles pour vous/i
+body __ACH_FR_OFFERS_2 /De nombreuses offres exceptionnelles pour vous/i
+body __ACH_FR_OFFERS_3 /DISCOUNT AUX ENTREPRISES/i
+meta ACH_FR_OFFERS __ACH_FR_OFFERS_1 || __ACH_FR_OFFERS_2 || __ACH_FR_OFFERS_3
+describe ACH_FR_OFFERS Offers in french.
+score ACH_FR_OFFERS 10.0
+
+body ACH_FR_REMISE /une remise de .+% sur votre prochaine commande en indiquant/i
+describe ACH_FR_REMISE Disount offer in french.
+score ACH_FR_REMISE 2.5
+
+body ACH_VIRUS_1 /Here is the video of this patient interrogation . cross-examination./
+describe ACH_VIRUS_1 Worm.Stration.pac-1
+score ACH_VIRUS_1 10.0
+
+header ACH_LONG_SUBJ_80 Subject =~ /^.{80,}/
+describe ACH_LONG_SUBJ_80 Subject is unusually long, 80+
+score ACH_LONG_SUBJ_80 10.0
+
+header ACH_LONG_SUBJ_70 Subject =~ /^.{70,79}$/
+describe ACH_LONG_SUBJ_70 Subject is long. 70..79
+score ACH_LONG_SUBJ_70 1.5
+
+header ACH_LONG_SUBJ_60 Subject =~ /^.{60,69}$/
+describe ACH_LONG_SUBJ_60 Subject is long, 60..69
+score ACH_LONG_SUBJ_60 1.0
+
+header ACH_LONG_SUBJ_50 Subject =~ /^.{50,59}$/
+describe ACH_LONG_SUBJ_50 Subject is long, 50..59
+score ACH_LONG_SUBJ_50 0.5
+
+full ACH_PND_PDF_1 /JVBERi0xLjMgCjEgMCBvYmoKPDwKPj4KZW5kb2JqCj|JVBERi0xLjEKJeLjz9MKMSAwIG9iaiAKPDwKL/
+describe ACH_PND_PDF_1 Pump-n-dump PDF spam from Storm botnet
+score ACH_PND_PDF_1 10.0
+
+body ACH_SPAMWARE /\{, MAILTO_USERNAME\}/i
+describe ACH_SPAMWARE This is spam.
+score ACH_SPAMWARE 10.0
+
+header __ACH_BOGUS_ECARD_1 Subject =~ /Animated postcard/
+body __ACH_BOGUS_ECARD_2 /School-mate\(.*\) has created Animated postcard for you/i
+meta ACH_BOGUS_ECARD __ACH_BOGUS_ECARD_1 || __ACH_BOGUS_ECARD_2
+describe ACH_BOGUS_ECARD False online greeting card
+score ACH_BOGUS_ECARD 10.0
+
+body __ACH_ECARD /(?:e|online|greeting|post|virtual)[-\s]*card/i
+meta ACH_BOGUS_ECARD_1 NORMAL_HTTP_TO_IP && __ACH_ECARD
+describe ACH_BOGUS_ECARD Online greeting card with IP based URL.
+score ACH_BOGUS_ECARD_1 10.0
+
+full ACH_RUSSIAN /charset="koi8-r"/
+describe ACH_RUSSIAN spam written in Russian
+score ACH_RUSSIAN 10.0
+
+body ACH_DOMAIN_SCAM /A couple of days ago I emailed you about the domain name/
+describe ACH_DOMAIN_SCAM Domain name scam.
+score ACH_DOMAIN_SCAM 3.0
+header ACH_DOMAIN_SCAM_1 From =~ /Ken Palm/i
+score ACH_DOMAIN_SCAM_1 3.0
+rawbody ACH_DOMAIN_SCAM_2 /buy\.php\?domain=/i
+score ACH_DOMAIN_SCAM_2 3.0
+
+header ACH_NO_REPLY Reply_To =~ /no-?reply|no-?return|discard/i
+describe ACH_NO_REPLY Message has no reply address.
+score ACH_NO_REPLY 3.0
+
+header ACH_FROM_STOCK From =~ /stock/i
+header ACH_FROM_MARKET From =~ /market/i
+header ACH_FROM_DEAL From =~ /deal/i
+header ACH_FROM_DEBT From =~ /debt/i
+header ACH_FROM_LOAN From =~ /loan/i
+header ACH_FROM_MORTGAGE From =~ /Mortgage/i
+
+header ACH_SUBJ_WATCH Subject =~ /Submariner.*watch/i
+score ACH_SUBJ_WATCH 10.0
+
+rawbody ACH_HTML_FORM /<FORM/i
+describe ACH_HTML_FORM HTML <FORM> in email rejected; possible 419 abuse
+score ACH_HTML_FORM 10.0
+
+header ACH_SUBJ_DEGREE_0 Subject =~ /Bachelor/i
+header ACH_SUBJ_DEGREE_1 Subject =~ /diploma|degree/i
+body ACH_SUBJ_DEGREE_2 /Bachelor|Masters/i
+body ACH_SUBJ_DEGREE_3 /diploma/i
+body ACH_SUBJ_DEGREE_4 /degree/i
+
+body __ACH_419_NAME /FULL NAME:/
+body __ACH_419_ADRRESS /CONTACT ADDRESS:/
+body __ACH_419_CITY /CITY:/
+body __ACH_419_STATE /STATE:/
+body __ACH_419_ZIP /ZIP-CODE:/
+body __ACH_419_TEL /TELEPHONE NUMBER:/
+body __ACH_419_CELL /MOBILE NUMBER:/
+body __ACH_419_AGE /AGE:/
+body __ACH_419_OCCUPATION /OCCUPATION:/
+meta ACH_419_CONTACT_DETAILS (__ACH_419_NAME && __ACH_419_ADRRESS && __ACH_419_CITY && __ACH_419_STATE && __ACH_419_ZIP && __ACH_419_TEL && __ACH_419_CELL && __ACH_419_AGE && __ACH_419_OCCUPATION)
+score ACH_419_CONTACT_DETAILS 10.0
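Review bot: Several rules in this hunk are defined twice and the later definition silently replaces the earlier one: ACH_SUBJ_OTC_MEDS, ACH_CHECK_OUT, ACH_RECEIVED_ID, ACH_THREAD_INDEX_B64, ACH_HTML_TINY_FONT and ACH_FROM_USERID_NAME are verbatim repeats, the second ACH_RUSSIAN (`/charset="koi8-r"/`, no `/i`) narrows the first (`/charset=koi8-r/i`) to quoted lower-case charsets only, and the second `describe ACH_BOGUS_ECARD` overwrites the first description instead of documenting ACH_BOGUS_ECARD_1 — drop the repeats and change that line to `describe ACH_BOGUS_ECARD_1 Online greeting card with IP based URL.`. ACH_NO_REPLY tests a header named `Reply_To`, which does not occur in mail, so the rule can never fire; it should read `header ACH_NO_REPLY Reply-To =~ /no-?reply|no-?return|discard/i`. ACH_RECEIVED_ID's pattern `(...]+\S*)+` nests a quantified group inside another quantifier while `\S*` can also consume the inner characters, so a long non-matching Received line can trigger heavy backtracking on every scanned message; a single `\S*` after the punctuation class, without the repeated group, keeps the intent without that cost. `score HTML_TINY_FONT 0` disables a stock rule for any installation that loads this file, and broad patterns such as `dir=rtl`, `NOTICE`/`PAY` in From, `Apply Now` and `<FORM` all carry 10.0, which is a false-positive risk for legitimate Hebrew/Arabic, billing or job mail and probably deserves a lower score until corpus data supports it. ACH_FROM_IN_SUBJ, ACH_SUBJ_NOW, ACH_SUBJ_WATCH, ACH_DOMAIN_SCAM_1/_2 and the ACH_FROM_* and ACH_SUBJ_DEGREE_* rules also lack a `describe`, and the last two groups lack a `score`, so they fire at the default 1.0, which `--lint` may flag.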