/[pkg-listmaster]/trunk/spamassassin_config/common/misc_spam
ViewVC logotype

Contents of /trunk/spamassassin_config/common/misc_spam

Parent Directory Parent Directory | Revision Log Revision Log

Revision 260 - (show annotations) (download)
Sat Dec 13 13:45:07 2008 UTC (4 years, 5 months ago) by don
File size: 10406 byte(s) 
add blars patches
1 # This seems to catch a lot of spam, but not sure about false positive (from airmax.cf)
2 # pasc couldn't find any false positives on the lists he's on
3 header X_MESSAGE_INFO exists:X-Message-Info
4 score X_MESSAGE_INFO 4.0
5
6 # Added by pasc 2004/07/08 (sent by abuse@outblaze via karsten)
7 # host no longer exists according to administrator
8 header FAKE_OUTBLAZE_RCVD Received =~ /\.mr\.outblaze\.com/
9 describe FAKE_OUTBLAZE_RCVD Received header contains faked 'mr.outblaze.com'
10 score FAKE_OUTBLAZE_RCVD 3.0
11
12 # blarson 2005-01-19 (--pasc 2005-01-30)
13 header TRACKING subject =~ /\b(?:tracking|package|shipping|shipment|delivery) number :/i
14 describe TRACKING tracking number
15 score TRACKING 2
16
17 # Sent in by blars (20050220) -- applied by pasc
18 body GUEBDE /http\:\/\/www\.gueb\.de\//
19 describe GUEBDE www.geub.de
20 score GUEBDE 5
21
22 # Don 2008-06-27
23 rawbody PGPSIGNATURE /-----BEGIN PGP SIGNATURE-----/
24 describe PGPSIGNATURE Has a pgp signature (may not be valid, but who cares?)
25 score PGPSIGNATURE -5
26
27
28 # TODO: The rules below seem to be very similar; possibly fix them.
29
30 # These might trip up on non-english lists. We'll see.
31 # They're fucking up on GPG signatures
32 body MURPHY_WRONG_WORD1 /[bcdfghjklmnpqrstvwxz]{7,}/i
33 score MURPHY_WRONG_WORD1 0.1
34
35 body MURPHY_WRONG_WORD2 /[bcdfghjklmnpqrstvwxz]{6,}/i
36 score MURPHY_WRONG_WORD2 0.2
37
38 #Impronounceable. Need to check this one for accuracy (from airmax.cf)
39 body IMPRONONCABLE_1 /([bcdfghjklmnpqrstvwxz]){6,20}/
40 describe IMPRONONCABLE_1 Some words aren't easy to pronounce (too much vowels)
41 body IMPRONONCABLE_2 /(([abcdefghijklmnopqrstvwxyz]){1,9}\d{1,4}){2,9}/
42 describe IMPRONONCABLE_2 Some words aren't easy to pronounce (mixed numbers and lower-case letters)
43
44 # From http://www.exit0.us/index.php/FredsRules
45 # Added by pasc 2004/06/20
46
47 body __FVGT_b_OBFU_J /j(b|c|f|g|w)/i
48 body __FVGT_b_OBFU_OTHER /(vj|vk|xj|xk|yy|zf|zj)/i
49 body __FVGT_b_OBFU_Q0 /(j|k|p|q|t|v|w|z)q/i
50 body __FVGT_b_OBFU_Q1 /q(a|f|h|j|k|m|n|s|y)/i
51 body __FVGT_b_OBFU_V /(f|g|q|w)v/i
52 body __FVGT_b_OBFU_X /(c|g|j|k|q|s|v|z)x/i
53 body __FVGT_b_OBFU_Z /(f|j|k|p|q|x)z/i
54 meta FVGT_m_MULTI_ODD ((__FVGT_b_OBFU_J + __FVGT_b_OBFU_OTHER + __FVGT_b_OBFU_Q0 + __FVGT_b_OBFU_Q1 + __FVGT_b_OBFU_V + __FVGT_b_OBFU_X + __FVGT_b_OBFU_Z) > 1)
55 describe FVGT_m_MULTI_ODD FVGT - contains multiple odd letter combinations
56 score FVGT_m_MULTI_ODD 0.02
57
58 # joy, 2003-07-20
59 header NEPEYO From =~ /nepeyo\@catlover/
60 describe NEPEYO spamvertizers
61 score NEPEYO 4
62
63 # cjwatson, 2003/07/28
64 header MP3_PLAYERS Subject =~ /New mp3 player,usb flash drive/
65 describe MP3_PLAYERS Spam from "HY Tech"
66 score MP3_PLAYERS 4
67
68 # joy, 2003-08-15
69 header UOSJUNK Subject =~ /UOS online Degree Programme/i
70 describe UOSJUNK Spam from UOS
71 score UOSJUNK 4
72
73 # cjwatson, 2004-02-27
74 body GAS_MILEAGE /This amazing, revolutionary device|www\.mrev\.biz/
75 describe GAS_MILEAGE Fuel-saving snake oil
76 score GAS_MILEAGE 3
77
78 # blarson, 2004-03-31
79 body FUELSAVER /fuel.?saver/i
80 describe FUELSAVER Fuel Saver spam
81 score FUELSAVER 3
82
83 # blarson, 2004-04-03
84 body CABLEFILTERZ /cablefilterz/
85 describe CABLEFILTERZ cablefilterz spam
86 score CABLEFILTERZ 4
87
88 # blarson 2004-04-15
89 header PARENNUM subject =~ /^\(\s*([0-9\/]+\)|\%RND)/
90 describe PARENNUM paren number in subject
91 score PARENNUM 3
92
93 # blarson 2004-04-25
94 # bounces our bounces.... (had negitive score)
95 header COVADRT X-RT-Loop-Prevention =~ /^Covad$/
96 describe COVADRT Covad request tracker bounces
97 score COVADRT 8
98
99 # blarson 2005-03-02
100 header ROBERTOJIMENOCA from =~ /ROBERTOJIMENOCA\@terra\.es/
101 describe ROBERTOJIMENOCA ROBERTOJIMENOCA sends spammy looking messages
102 score ROBERTOJIMENOCA -2
103
104 # blarson 2005-07-10
105 header TURBOPRO subject =~ /\bturbonet pro\b/i
106 describe TURBOPRO dialup accelerator spam
107 score TURBOPRO 3
108
109 # blarson 2006-04-28
110 header RESUBJECT subject =~ /\sRe(?:\[\d+\])?:\s*$/i
111 describe RESUBJECT re nothing
112 score RESUBJECT 2
113
114 # blarson 2004-10-22 2007-07-18 up score
115 header NOSUBJECT subject =~ /^\s*$/
116 describe NOSUBJECT No subject
117 score NOSUBJECT 2.5
118
119 # blarson 2006-10-17
120 full NEXTPART /\-\=\_NextPart\_000\_/
121 describe NEXTPART spammer mime separator
122 score NEXTPART 2.5
123
124 # blarson 2006-10-17
125 full CT_IMAGE /Content\-Type\:\s*image/i
126 describe CT_IMAGE Picture attached
127 score CT_IMAGE 1
128
129 # blarson 2006-12-01 (score so low since it will also hit CT_IMAGE)
130 header CT_IMAGE_HEAD content-type =~ /image/
131 describe CT_IMAGE_HEAD entire message is image
132 score CT_IMAGE_HEAD 2.5
133
134
135 # don 2006-10-25
136 header THREADINDEX Thread-Index =~ /A-Z/
137 describe THREADINDEX thread-index header on spam
138 score THREADINDEX 1.5
139
140 # blarson 2006-10-30
141 header FORDASH subject =~ /\bFor \- \d+/
142 describe FORDASH for dash
143 score FORDASH 3
144
145 # blarson 2006-11-01
146 header KOREAN subject =~ /\=\?koi8\-r/
147 describe KOREAN Korean Character set spam
148 score KOREAN 2
149
150 # blarson 2006-12-04
151 header FWDNAME subject =~ /fwd\: \w+\s*$/
152 describe FWDNAME fwd: name spam
153 score FWDNAME 3
154
155 # blarson 2006-12-06
156 body NUMONLY /^\s*\d+\s*$/
157 describe NUMONLY number only body
158 score NUMONLY 1
159
160 # blarson 2007-04-24
161 header THUNDERB User-Agent =~ /^Thunderbird 1\.5\.0\.10/
162 describe THUNDERB spam missing content
163 score THUNDERB 2
164
165
166 # blarson 2007-06-15
167 header FAILNOTE subject =~ /Failure notice\:/
168 describe FAILNOTE bounced spam
169 score FAILNOTE 2
170
171 # blarson 2007-06-28
172 rawbody CTINLINE /^Content\-Disposition\: inline\;\b/
173 describe CTINLINE Inline attachment
174 score CTINLINE 1
175
176 # blarson 2007-07-07
177 body BOXTRAPPER /^This message is a reply to a boxtrapper verifcation message\./
178 describe BOXTRAPPER boxtrapper spam
179 score BOXTRAPPER 9
180
181 # blarson 2007-07-09
182 body PROMOCODE /^promo code\:/i
183 describe PROMOCODE promo code
184 score PROMOCODE 3
185
186 # blarson 2007-07-11
187 body XLMAN /\bwww\.xl\-man\.net\b/
188 describe XLMAN xl-man spam
189 score XLMAN 3
190
191 # blarson 2007-07-12
192 body COSTUMER /^Dear costumer\b/
193 describe COSTUMER paypal scam
194 score COSTUMER 3
195
196 # blarson 2007-07-13
197 body PRIVATE /^Your private and confidential message is attached\./
198 describe PRIVATE private message
199 score PRIVATE 4
200
201 # don 2007-07-15
202 header AUTOGENERATE auto-submitted =~ /auto/i
203 describe AUTOGENERATE auto generated crap
204 score AUTOGENERATE 3
205
206 # blarson 2007-07-15
207 body PRIVPDF /^All our private messages are in pdf format/
208 describe PRIVPDF private pdf
209 score PRIVPDF 4
210
211 # don 2007-07-19
212 header AUTORESPOND X-Autorespond =~ /./
213 describe AUTORESPOND Automatic response
214 score AUTORESPOND 4
215
216 header AUTOMAILER X-Mailer =~ /autors/
217 describe AUTOMAILER Auto response mailer
218 score AUTOMAILER 3
219
220 # blarson 2007-07-22
221 header OUTOFOFFICE_SUB subject =~ /Out_of_Office/
222 describe OUTOFOFFICE_SUB broken autoresponder
223 score OUTOFOFFICE_SUB 6
224
225 body OUTOFOFFICE /out of the office/i
226 describe OUTOFOFFICE Out of the office
227 score OUTOFOFFICE 3
228
229 # blarson 2007-08-01 \w was too broad 2007-08-12 add dash, at least 3 digits
230 header SUBENDNUM subject =~ /[a-zA-Z!]-?\d{3,}$/
231 describe SUBENDNUM Subject ends in word989
232 score SUBENDNUM 2
233
234 # blarson 2007-07-27
235 body PRIVMES /^You have been sent a private message/
236 describe PRIVMES more pdf spam
237 score PRIVMES 3
238
239 # blarson 2007-07-27
240 header MIXEDBDN Content-Type =~ /multipart\/mixed\;.*boundary\=\"\-{4,}\d{4,}\"/
241 describe MIXEDBDN more pdf spam
242 score MIXEDBDN 1
243
244 # blarson 2007-07-28
245 header DOTZIP subject =~ /\d\.zip\b/
246 describe DOTZIP zip spam
247 score DOTZIP 3
248
249 # blarson 2007-07-30
250 header MIXED2 Content-Type =~ /multipart\/mixed\;charset\=iso\-8859\-1\;.*boundary\=\"\-\-\-\-\=\_\d{8,}\_\d{4,}\"/
251 describe MIXED2 more pdf spam
252 score MIXED2 2.5
253
254 # blarson 2007-07-31
255 header KEYENCE From =~ /KEYENCE CORPORATION/
256 describe KEYENCE opt out spam
257 score KEYENCE 10
258
259 # blarson 2007-08-02
260 header NOSUB subject =~ /\(No Subject\)$/i
261 describe NOSUB explicity no subject
262 score NOSUB 1
263
264 # blarson 2007-08-07
265 header CTPDF Content-Type =~ /\bapplication\/pdf\;/i
266 describe CTPDF more pdf spam
267 score CTPDF 4
268
269 # blarson 2007-06-12
270 header JAPSUB subject =~ /\=\?iso\-2022\-jp/i
271 describe JAPSUB subject in japanese
272 score JAPSUB 3
273
274 # blarson 2007-08-24
275 header XMSATT X-MS-Has-Attach =~ /yes/i
276 describe XMSATT more pdf spam
277 score XMSATT 2
278
279 # blarson 2007-10-27
280 body ICQ /^icq\:/i
281 describe ICQ icq:
282 score ICQ 2
283
284 # blarson 2007-11-02
285 header XJ2ID X-J2Id =~ /\d+/
286 describe XJ2ID fax bounce
287 score XJ2ID 4
288
289 # blarson 2007-11-15
290 header LONGWORD subject =~ /\b[\w\d]{30,}/i
291 describe LONGWORD long word in subject
292 score LONGWORD 2
293
294 # blarson 2007-11-23
295 header TESTIMONIAL subject =~ /\btestimonial/i
296 describe TESTIMONIAL testimonials
297 score TESTIMONIAL 2
298
299 # blarson 2007-12-13
300 header ITXS subject =~ /\bit\`s\b/i
301 describe ITXS it`s
302 score ITXS 4
303
304 # blarson 2007-12-18
305 rawbody TINYFONT /\bFONT-SIZE\:\s+[123]px\;/i
306 describe TINYFONT tiny font specified
307 score TINYFONT 3
308
309 # blarson 2008-04-03
310 rawbody ZIPFILE /\bfilename\=.*\.zip\b/i
311 describe ZIPFILE zipfile attachment
312 score ZIPFILE 0.5
313
314 # blarson 2008-04-19
315 header SPACESUB subject =~ /^\s\w/
316 describe SPACESUB extra space before subject
317 score SPACESUB 0.5
318
319 # don 2008-05-04
320 header YAHOOCALENDAR X-Yahoo-Newman-Property: =~ /calendar-invite/i
321 describe YAHOOCALENDAR Calendar invite from yahoo; broken captcha
322 score YAHOOCALENDAR 4
323
324 # blarson 2008-06-03
325 header BOUNDARYID content-type =~ /\bboundary\=\"Boundary_\(ID_/
326 describe BOUNDARYID spamware boundary
327 score BOUNDARYID 0.6
328
329 # blarson 2008-07-02
330 body GBKXWFLXF /\bgbkxwflxf\b/
331 describe GBKXWFLXF gbkxwflxf
332 score GBKXWFLXF 5
333
334 # blarson 2008-09-07
335 body LUKSUS /\bluksus\b/i
336 score LUKSUS 4
337 describe LUKSUS Luksus
338
339 # blarson 2008-09-22
340 header XIRONPORT X-IronPort-Anti-Spam-Filtered =~ /true/
341 describe XIRONPORT claims to be ironport filtered
342 score XIRONPORT 2.5
343
344 # blarson 2008-10-13
345 header AUTORESPON subject =~ /Auto_response/
346 describe AUTORESPON Auto_response
347 score AUTORESPON 3
348
349 # blarson 2008-10-28
350 header XWUM x-wum-to =~ /./
351 describe XWUM X-WUM-TO
352 score XWUM 2
353
354 # cord 2008-10-31
355 # compensate false-positives for 140.Red-80-25-20.staticIP.rima-tde.net and stuff
356 header STATIC_RIMA_TDE received =~ /staticIP\.rima-tde\.net/
357 describe STATIC_RIMA_TDE static IP from rima-tde.net
358 score STATIC_RIMA_TDE -5
359
360 # cord 2008-11-30 # compensate LDO_SUBSCRIBER bonus for Forum2Mail-Gw
361 full NABBLE /lists\@nabble\.com/
362 describe NABBLE sent through nabble.com
363 score NABBLE 5
  ViewVC Help
Powered by ViewVC 1.1.5