/[pkg-listmaster]/trunk/spamassassin_config/common/misc_spam

Contents of /trunk/spamassassin_config/common/misc_spam



Revision 334 - (hide annotations) (download)
Mon Jan 25 20:00:42 2010 UTC (3 years, 4 months ago) by formorer
File size: 13714 byte(s)
Catch some spanish videospam
1 don 285 # -*- mode: spamassassin -*-
2    
3 don 2 # This seems to catch a lot of spam, but not sure about false positive (from airmax.cf)
4     # pasc couldn't find any false positives on the lists he's on
5     header X_MESSAGE_INFO exists:X-Message-Info
6     score X_MESSAGE_INFO 4.0
7    
8     # Added by pasc 2004/07/08 (sent by abuse@outblaze via karsten)
9     # host no longer exists according to administrator
10     header FAKE_OUTBLAZE_RCVD Received =~ /\.mr\.outblaze\.com/
11     describe FAKE_OUTBLAZE_RCVD Received header contains faked 'mr.outblaze.com'
12     score FAKE_OUTBLAZE_RCVD 3.0
13    
14     # blarson 2005-01-19 (--pasc 2005-01-30)
15     header TRACKING subject =~ /\b(?:tracking|package|shipping|shipment|delivery) number :/i
16     describe TRACKING tracking number
17     score TRACKING 2
18    
19     # Sent in by blars (20050220) -- applied by pasc
        # NOTE(review): the describe text below spells the host "geub" while the
        # pattern matches "gueb". The pattern is what is enforced; only the text
        # shown in reports is misspelled.
20     body GUEBDE /http\:\/\/www\.gueb\.de\//
21     describe GUEBDE www.geub.de
22     score GUEBDE 5
23    
24 don 226 # Don 2008-06-27
        # NOTE(review): this rule subtracts 5 points for the armor header text
        # alone. Nothing here verifies the signature, and the text is chosen by
        # the sender, so the bonus is available to any message, wanted or not.
        # Consider a smaller magnitude, or a meta rule that grants the bonus
        # only together with a signal the sender cannot set.
25 don 315 full PGPSIGNATURE /-----BEGIN PGP SIGNATURE-----/
26 don 227 describe PGPSIGNATURE Has a pgp signature (may not be valid, but who cares?)
27     score PGPSIGNATURE -5
28 don 2
29 don 226
30 don 2 # TODO: The rules below seem to be very similar; possibly fix them.
31    
32     # These might trip up on non-english lists. We'll see.
33     # They're fucking up on GPG signatures
34     body MURPHY_WRONG_WORD1 /[bcdfghjklmnpqrstvwxz]{7,}/i
35     score MURPHY_WRONG_WORD1 0.1
36    
37     body MURPHY_WRONG_WORD2 /[bcdfghjklmnpqrstvwxz]{6,}/i
38     score MURPHY_WRONG_WORD2 0.2
39    
40     #Impronounceable. Need to check this one for accuracy (from airmax.cf)
        # NOTE(review): IMPRONONCABLE_1 matches a run of 6 to 20 lower-case
        # consonants, so its describe text ("too much vowels") states the
        # opposite of what is tested. It is the case-sensitive subset of
        # MURPHY_WRONG_WORD2 (6+ consonants, /i), so both fire on the same text.
        # NOTE(review): the letter class in IMPRONONCABLE_2 omits "u"; this
        # looks like a typo in an a-z list -- confirm before relying on it.
        # NOTE(review): no score line for either rule is visible in this
        # section; unless one is set elsewhere, SpamAssassin's default score
        # applies.
41 cord 18 body IMPRONONCABLE_1 /([bcdfghjklmnpqrstvwxz]){6,20}/
42 don 2 describe IMPRONONCABLE_1 Some words aren't easy to pronounce (too much vowels)
43     body IMPRONONCABLE_2 /(([abcdefghijklmnopqrstvwxyz]){1,9}\d{1,4}){2,9}/
44     describe IMPRONONCABLE_2 Some words aren't easy to pronounce (mixed numbers and lower-case letters)
45    
46     # From http://www.exit0.us/index.php/FredsRules
47     # Added by pasc 2004/06/20
48    
49     body __FVGT_b_OBFU_J /j(b|c|f|g|w)/i
50     body __FVGT_b_OBFU_OTHER /(vj|vk|xj|xk|yy|zf|zj)/i
51     body __FVGT_b_OBFU_Q0 /(j|k|p|q|t|v|w|z)q/i
52     body __FVGT_b_OBFU_Q1 /q(a|f|h|j|k|m|n|s|y)/i
53     body __FVGT_b_OBFU_V /(f|g|q|w)v/i
54     body __FVGT_b_OBFU_X /(c|g|j|k|q|s|v|z)x/i
55     body __FVGT_b_OBFU_Z /(f|j|k|p|q|x)z/i
56     meta FVGT_m_MULTI_ODD ((__FVGT_b_OBFU_J + __FVGT_b_OBFU_OTHER + __FVGT_b_OBFU_Q0 + __FVGT_b_OBFU_Q1 + __FVGT_b_OBFU_V + __FVGT_b_OBFU_X + __FVGT_b_OBFU_Z) > 1)
57     describe FVGT_m_MULTI_ODD FVGT - contains multiple odd letter combinations
58     score FVGT_m_MULTI_ODD 0.02
59    
60     # joy, 2003-07-20
61     header NEPEYO From =~ /nepeyo\@catlover/
62     describe NEPEYO spamvertizers
63     score NEPEYO 4
64    
65     # cjwatson, 2003/07/28
66     header MP3_PLAYERS Subject =~ /New mp3 player,usb flash drive/
67     describe MP3_PLAYERS Spam from "HY Tech"
68     score MP3_PLAYERS 4
69    
70     # joy, 2003-08-15
71     header UOSJUNK Subject =~ /UOS online Degree Programme/i
72     describe UOSJUNK Spam from UOS
73     score UOSJUNK 4
74    
75     # cjwatson, 2004-02-27
76     body GAS_MILEAGE /This amazing, revolutionary device|www\.mrev\.biz/
77     describe GAS_MILEAGE Fuel-saving snake oil
78     score GAS_MILEAGE 3
79    
80     # blarson, 2004-03-31
81     body FUELSAVER /fuel.?saver/i
82     describe FUELSAVER Fuel Saver spam
83     score FUELSAVER 3
84    
85     # blarson, 2004-04-03
86     body CABLEFILTERZ /cablefilterz/
87     describe CABLEFILTERZ cablefilterz spam
88     score CABLEFILTERZ 4
89    
90     # blarson 2004-04-15
91     header PARENNUM subject =~ /^\(\s*([0-9\/]+\)|\%RND)/
92     describe PARENNUM paren number in subject
93     score PARENNUM 3
94    
95     # blarson 2004-04-25
96     # bounces our bounces.... (had negitive score)
97     header COVADRT X-RT-Loop-Prevention =~ /^Covad$/
98     describe COVADRT Covad request tracker bounces
99     score COVADRT 8
100    
101     # blarson 2005-03-02
102     header ROBERTOJIMENOCA from =~ /ROBERTOJIMENOCA\@terra\.es/
103     describe ROBERTOJIMENOCA ROBERTOJIMENOCA sends spammy looking messages
104     score ROBERTOJIMENOCA -2
105    
106     # blarson 2005-07-10
107     header TURBOPRO subject =~ /\bturbonet pro\b/i
108     describe TURBOPRO dialup accelerator spam
109     score TURBOPRO 3
110    
111     # blarson 2006-04-28
112     header RESUBJECT subject =~ /\sRe(?:\[\d+\])?:\s*$/i
113     describe RESUBJECT re nothing
114     score RESUBJECT 2
115    
116     # blarson 2004-10-22 2007-07-18 up score
117     header NOSUBJECT subject =~ /^\s*$/
118     describe NOSUBJECT No subject
119     score NOSUBJECT 2.5
120    
121     # blarson 2006-10-17
122     full NEXTPART /\-\=\_NextPart\_000\_/
123     describe NEXTPART spammer mime separator
124     score NEXTPART 2.5
125    
126 don 312 # blarson 2006-10-17 2009-04-30
127 don 2 full CT_IMAGE /Content\-Type\:\s*image/i
128     describe CT_IMAGE Picture attached
129 don 312 score CT_IMAGE 1.5
130 don 2
131     # blarson 2006-12-01 (score so low since it will also hit CT_IMAGE)
        # NOTE(review): as listed in this file, CT_IMAGE scores 1.5 and this
        # rule scores 2.5, so the "so low" remark no longer describes the
        # values; a message hitting both gains 4.0 from the pair.
        # NOTE(review): /image/ is an unanchored substring test on the whole
        # Content-Type header value, not a test for a top-level image/* type.
132     header CT_IMAGE_HEAD content-type =~ /image/
133     describe CT_IMAGE_HEAD entire message is image
134     score CT_IMAGE_HEAD 2.5
135    
136    
137     # don 2006-10-25
        # NOTE(review): /A-Z/ matches the three literal characters "A-Z", not a
        # letter range, so this rule fires only when the Thread-Index value
        # contains that exact text. If a presence test was intended (as
        # THREADTOPIC does with /./i), measure the hit rate on wanted mail
        # before changing the pattern, since mail clients that emit
        # Thread-Index would then all score 1.5.
138     header THREADINDEX Thread-Index =~ /A-Z/
139     describe THREADINDEX thread-index header on spam
140     score THREADINDEX 1.5
141    
142     # blarson 2006-10-30
143     header FORDASH subject =~ /\bFor \- \d+/
144     describe FORDASH for dash
145     score FORDASH 3
146    
147     # blarson 2006-11-01
        # NOTE(review): KOI8-R is a Cyrillic (Russian) encoding, not a Korean
        # one, so the rule name and describe text mislabel what is matched.
        # NOTE(review): header rules normally see the decoded header unless
        # ":raw" is appended to the header name, so this pattern presumably
        # hits only subjects whose encoded-word was left undecoded -- confirm
        # against real samples.
148     header KOREAN subject =~ /\=\?koi8\-r/
149     describe KOREAN Korean Character set spam
150     score KOREAN 2
151    
152     # blarson 2006-12-04
153     header FWDNAME subject =~ /fwd\: \w+\s*$/
154     describe FWDNAME fwd: name spam
155     score FWDNAME 3
156    
157     # blarson 2006-12-06
158     body NUMONLY /^\s*\d+\s*$/
159     describe NUMONLY number only body
160     score NUMONLY 1
161    
162     # blarson 2007-04-24
163     header THUNDERB User-Agent =~ /^Thunderbird 1\.5\.0\.10/
164     describe THUNDERB spam missing content
165     score THUNDERB 2
166    
167    
168     # blarson 2007-06-15
169     header FAILNOTE subject =~ /Failure notice\:/
170     describe FAILNOTE bounced spam
171     score FAILNOTE 2
172    
173     # blarson 2007-06-28
174     rawbody CTINLINE /^Content\-Disposition\: inline\;\b/
175     describe CTINLINE Inline attachment
176     score CTINLINE 1
177    
178     # blarson 2007-07-07
179     body BOXTRAPPER /^This message is a reply to a boxtrapper verifcation message\./
180     describe BOXTRAPPER boxtrapper spam
181     score BOXTRAPPER 9
182    
183     # blarson 2007-07-09
184     body PROMOCODE /^promo code\:/i
185     describe PROMOCODE promo code
186     score PROMOCODE 3
187    
188     # blarson 2007-07-11
189     body XLMAN /\bwww\.xl\-man\.net\b/
190     describe XLMAN xl-man spam
191     score XLMAN 3
192    
193     # blarson 2007-07-12
194     body COSTUMER /^Dear costumer\b/
195     describe COSTUMER paypal scam
196     score COSTUMER 3
197    
198     # blarson 2007-07-13
199     body PRIVATE /^Your private and confidential message is attached\./
200     describe PRIVATE private message
201     score PRIVATE 4
202    
203     # don 2007-07-15
204     header AUTOGENERATE auto-submitted =~ /auto/i
205     describe AUTOGENERATE auto generated crap
206     score AUTOGENERATE 3
207    
208     # blarson 2007-07-15
209     body PRIVPDF /^All our private messages are in pdf format/
210     describe PRIVPDF private pdf
211     score PRIVPDF 4
212    
213     # don 2007-07-19
214     header AUTORESPOND X-Autorespond =~ /./
215     describe AUTORESPOND Automatic response
216     score AUTORESPOND 4
217    
218     header AUTOMAILER X-Mailer =~ /autors/
219     describe AUTOMAILER Auto response mailer
220     score AUTOMAILER 3
221    
222     # blarson 2007-07-22
223     header OUTOFOFFICE_SUB subject =~ /Out_of_Office/
224     describe OUTOFOFFICE_SUB broken autoresponder
225     score OUTOFOFFICE_SUB 6
226    
227     body OUTOFOFFICE /out of the office/i
228     describe OUTOFOFFICE Out of the office
229     score OUTOFOFFICE 3
230    
231     # blarson 2007-08-01 \w was too broad 2007-08-12 add dash, at least 3 digits
232     header SUBENDNUM subject =~ /[a-zA-Z!]-?\d{3,}$/
233     describe SUBENDNUM Subject ends in word989
234     score SUBENDNUM 2
235    
236     # blarson 2007-07-27
237     body PRIVMES /^You have been sent a private message/
238     describe PRIVMES more pdf spam
239     score PRIVMES 3
240    
241     # blarson 2007-07-27
242     header MIXEDBDN Content-Type =~ /multipart\/mixed\;.*boundary\=\"\-{4,}\d{4,}\"/
243     describe MIXEDBDN more pdf spam
244 cord 19 score MIXEDBDN 1
245 don 2
246     # blarson 2007-07-28
247     header DOTZIP subject =~ /\d\.zip\b/
248     describe DOTZIP zip spam
249     score DOTZIP 3
250    
251     # blarson 2007-07-30
252     header MIXED2 Content-Type =~ /multipart\/mixed\;charset\=iso\-8859\-1\;.*boundary\=\"\-\-\-\-\=\_\d{8,}\_\d{4,}\"/
253     describe MIXED2 more pdf spam
254     score MIXED2 2.5
255    
256     # blarson 2007-07-31
257     header KEYENCE From =~ /KEYENCE CORPORATION/
258     describe KEYENCE opt out spam
259     score KEYENCE 10
260    
261     # blarson 2007-08-02
262     header NOSUB subject =~ /\(No Subject\)$/i
263     describe NOSUB explicity no subject
264     score NOSUB 1
265    
266     # blarson 2007-08-07
267     header CTPDF Content-Type =~ /\bapplication\/pdf\;/i
268     describe CTPDF more pdf spam
269     score CTPDF 4
270    
271     # blarson 2007-06-12
272     header JAPSUB subject =~ /\=\?iso\-2022\-jp/i
273     describe JAPSUB subject in japanese
274     score JAPSUB 3
275    
276     # blarson 2007-08-24
277     header XMSATT X-MS-Has-Attach =~ /yes/i
278     describe XMSATT more pdf spam
279     score XMSATT 2
280    
281 don 87 # blarson 2007-10-27
282     body ICQ /^icq\:/i
283     describe ICQ icq:
284     score ICQ 2
285 don 2
286 don 91 # blarson 2007-11-02
287     header XJ2ID X-J2Id =~ /\d+/
288     describe XJ2ID fax bounce
289     score XJ2ID 4
290 don 103
291     # blarson 2007-11-15
292 don 105 header LONGWORD subject =~ /\b[\w\d]{30,}/i
293 don 103 describe LONGWORD long word in subject
294     score LONGWORD 2
295 don 121
296     # blarson 2007-11-23
297     header TESTIMONIAL subject =~ /\btestimonial/i
298     describe TESTIMONIAL testimonials
299     score TESTIMONIAL 2
300    
301 don 125 # blarson 2007-12-13
302     header ITXS subject =~ /\bit\`s\b/i
303     describe ITXS it`s
304     score ITXS 4
305    
306     # blarson 2007-12-18
307     rawbody TINYFONT /\bFONT-SIZE\:\s+[123]px\;/i
308     describe TINYFONT tiny font specified
309     score TINYFONT 3
310 don 185
311     # blarson 2008-04-03
312     rawbody ZIPFILE /\bfilename\=.*\.zip\b/i
313     describe ZIPFILE zipfile attachment
314     score ZIPFILE 0.5
315 don 194
316     # blarson 2008-04-19
317     header SPACESUB subject =~ /^\s\w/
318     describe SPACESUB extra space before subject
319     score SPACESUB 0.5
320 don 202
321     # don 2008-05-04
        # NOTE(review): the name YAHOOCALENDAR is defined a second time further
        # down this file (X-Yahoo-Calendar-IId, score 5). A rule name holds one
        # definition, so presumably the later one replaces this header test and
        # score and the X-Yahoo-Newman-Property check never runs -- confirm with
        # "spamassassin --lint" and rename one of the two rules to keep both.
        # NOTE(review): the header name ends in ":" with no modifier after it;
        # verify that it is parsed as intended.
322     header YAHOOCALENDAR X-Yahoo-Newman-Property: =~ /calendar-invite/i
323     describe YAHOOCALENDAR Calendar invite from yahoo; broken captcha
324     score YAHOOCALENDAR 4
325 don 217
326     # blarson 2008-06-03
327     header BOUNDARYID content-type =~ /\bboundary\=\"Boundary_\(ID_/
328     describe BOUNDARYID spamware boundary
329     score BOUNDARYID 0.6
330 don 231
331     # blarson 2008-07-02
332     body GBKXWFLXF /\bgbkxwflxf\b/
333     describe GBKXWFLXF gbkxwflxf
334     score GBKXWFLXF 5
335 cord 249
336 don 260 # blarson 2008-09-07
337     body LUKSUS /\bluksus\b/i
338     score LUKSUS 4
339     describe LUKSUS Luksus
340    
341 don 285 # disabled by don; was causing false positives
342     # probably needs to be modified to check if it really is ironport
343 don 260 # blarson 2008-09-22
344 don 285 # header XIRONPORT X-IronPort-Anti-Spam-Filtered =~ /true/
345     # describe XIRONPORT claims to be ironport filtered
346     # score XIRONPORT 2.5
347 don 260
348     # blarson 2008-10-13
349     header AUTORESPON subject =~ /Auto_response/
350     describe AUTORESPON Auto_response
351     score AUTORESPON 3
352    
353     # blarson 2008-10-28
354     header XWUM x-wum-to =~ /./
355     describe XWUM X-WUM-TO
356     score XWUM 2
357    
358 cord 249 # cord 2008-10-31
359     # compensate false-positives for 140.Red-80-25-20.staticIP.rima-tde.net and stuff
        # NOTE(review): this grants -5 for a substring found in any Received
        # header, including headers that were already on the message before it
        # reached a trusted relay, and those are written by the sending side.
        # Consider testing only relay data recorded by trusted hosts (for
        # example the X-Spam-Relays-Untrusted pseudo-header) or lowering the
        # magnitude.
360     header STATIC_RIMA_TDE received =~ /staticIP\.rima-tde\.net/
361     describe STATIC_RIMA_TDE static IP from rima-tde.net
362     score STATIC_RIMA_TDE -5
363 cord 251
364     # cord 2008-11-30 # compensate LDO_SUBSCRIBER bonus for Forum2Mail-Gw
365 cord 252 full NABBLE /lists\@nabble\.com/
366 cord 251 describe NABBLE sent through nabble.com
367     score NABBLE 5
368 don 271
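369     # don 2009-02-04
        # NOTE(review): the pattern and describe text below appear to have lost an HTML entity (presumably the non-breaking-space entity) when this page was rendered; as displayed, the pattern would match three or more plain spaces. Take the rule from the repository file, not from this listing.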
370     full HTML_NBSP /(\ ){3,}/
371     describe HTML_NBSP Lots of  
372     score HTML_NBSP 2
373 don 273
374 don 292 # blarson 2009-02-19
375     header ENTIST subject =~ /(?:e.?entist|o.?ctor)/i
376     describe ENTIST (D)entit/(D)octor
377     score ENTIST 2
378 don 299
379     header THREADTOPIC thread-topic =~ /./i
380     describe THREADTOPIC Has a thread topic header
381 cord 304 score THREADTOPIC 2
382 cord 305
383     # [2009-04-14 cord]
384     # replacing old aol-rules from rc.spam
385    
386     header AOL_SPAM1 from =~ /[0-9].*\@([^\@]+\.)?aol\.com/i
387     describe AOL_SPAM1 possible AOL-pretending spam, matching rule 1
388     score AOL_SPAM1 1
389    
390     header AOL_SPAM2 from =~ /...........*\@([^\@]+\.)?aol\.com/i
391     describe AOL_SPAM2 possible AOL-pretending spam, matching rule 2
392     score AOL_SPAM2 1
393    
394     header AOL_SPAM3 from =~ /.?.?\@([^\@]+\.)?aol\.com/i
        # NOTE(review): ".?.?" may match nothing and the pattern is unanchored,
        # so this rule fires on every From header containing an aol.com (or
        # subdomain) address, not only on local parts of two characters or
        # fewer. AOL_SPAM1, AOL_SPAM2 and AOL_SPAM4 in this file are likewise
        # unanchored and run against the whole From header, display name
        # included, so one ordinary AOL sender can collect several of these
        # points. Presumably the address alone was meant; matching "From:addr"
        # with a leading "^" would express that -- confirm the intent first.
395     describe AOL_SPAM3 possible AOL-pretending spam, matching rule 3
396     score AOL_SPAM3 1
397    
398     header AOL_SPAM4 from =~ /[^a-zA-Z0-9]+.*\@([^\@]+\.)?aol\.com/i
399     describe AOL_SPAM4 possible AOL-pretending spam, matching rule 4
400     score AOL_SPAM4 1
401 don 311
402 don 312 # blarson 2009-04-15
403     body WEBMAIL /\bwebmail\b/i
404     describe WEBMAIL webmail
405     score WEBMAIL 1
406    
407     # blarson 2009-04-17
408     header REFNO subject =~ /\bref no\b/i
409     describe REFNO Ref No
410     score REFNO 2
411    
412     # blarson 2009-05-26
413     header INFOCOUK to =~ /\b(?:info|winner|loan|lotto|grant|win)\@(?:info\.|winner\.|loan\.|lotto\.|hotmail\.|grant\.|win\.|yahoo\.|)(?:co\.uk|net|com|org)\b/
414     describe INFOCOUK to info@co.uk
415     score INFOCOUK 3
416    
417     # blarson 2009-05-27
418 don 326 body EXITAT /\b(?:exit|rembox)\@(?:datalistsource|listsourcesworld|BestAccurateReliable|expertdatasystems|bestbizlists)\.\b/i
419 don 312 describe EXITAT exit@datalistsource.com
420     score EXITAT 3
421    
422     # blarson 2009-06-05
423     header TOINFO to =~ /\binfo\@/
424     describe TOINFO to info@
425     score TOINFO 1
426    
427 don 311 # don 2009-07-06
428     header CONSTCONTACT X-Mailer =~ /Constant Contact/i
429     describe CONSTCONTACT Mail comming from constant contact, which doesn't require double opt-in
430     score CONSTCONTACT 5
431 don 317
432 don 318 # blarson 2009-08-16
433     meta CTBDN (CT_IMAGE && MIXEDBDN)
434     describe CTBDN CT_IMAGE && MIXEDBDN
435     score CTBDN 0.5
436    
437 don 317 # don 2009-09-22
438     body NUMEMAIL /\d{3,}\s+emails?/i
439     describe NUMEMAIL Mail which mentions some number of e-mail addresses
440     score NUMEMAIL 2
441 don 320
442     # don 2009-11-25
        # NOTE(review): YAHOOCALENDAR is already defined earlier in this file
        # (X-Yahoo-Newman-Property =~ /calendar-invite/i, score 4). Reusing the
        # name presumably replaces that earlier test, so only this header is
        # checked -- confirm with "spamassassin --lint" and give this rule its
        # own name if both checks are wanted.
        # NOTE(review): /./ scores any non-empty value of the header; the
        # header name also ends in ":" with no modifier, verify it parses as
        # intended.
443     header YAHOOCALENDAR X-Yahoo-Calendar-IId: =~ /./
444 don 321 describe YAHOOCALENDAR Mail comming from yahoo calendar, which spams us with updates
445 don 320 score YAHOOCALENDAR 5
446 formorer 323
447     # alex 2009-12-05
448     header TLOTTERY subject =~ /Ticket no: [0-9]+/i
449     describe TLOTTERY Lottery spam
450     score TLOTTERY 3
451    
452     # alex 2009-12-05
453     header GLOTTERY subject =~ /Google_L_o_t_t_e_r_y_W_i_n_n_e_r_s/i
454     describe GLOTTERY Google Lottery spam
455     score GLOTTERY 3
456    
457 formorer 325 # alex 2009-12-16
458     header DOTNET subject =~ /Planning a Website Design\? Updates/
459     describe DOTNET .NET Spam
460     score DOTNET 3
461 formorer 323
462 don 326 # blarson 2009-12-08
463     body REMBOX /\brembox\@/
464     describe REMBOX rembox
465     score REMBOX 3
466 formorer 333
467     # formorer 2010-01-23
468     header LONGTO to =~ /([\S]+, ){15,}/
469     describe LONGTO very long To line
470     score LONGTO 3
471 formorer 334
472     # formorer 2010-01-25
473     header VAULAS subject =~ /cursos video aulas video/i
474     describe VAULAS some spanish video spam
475     score VAULAS 3
476    
