
Contents of /trunk/spamassassin_config/common/misc_spam



Revision 427 - (hide annotations) (download)
Tue Apr 9 20:58:49 2013 UTC (6 weeks, 2 days ago) by don
File size: 15111 byte(s)
update rules for blars changes
1 don 285 # -*- mode: spamassassin -*-
2    
      # Site-local SpamAssassin rules. Each rule is a test line (header/body/rawbody/full/meta),
      # usually a describe line, and a score that is added to the message total when the test hits.
3 don 2 # This seems to catch a lot of spam, but not sure about false positive (from airmax.cf)
4     # pasc couldn't find any false positives on the lists he's on
5     header X_MESSAGE_INFO exists:X-Message-Info
6     score X_MESSAGE_INFO 4.0
7    
8     # Added by pasc 2004/07/08 (sent by abuse@outblaze via karsten)
9     # host no longer exists according to administrator
10     header FAKE_OUTBLAZE_RCVD Received =~ /\.mr\.outblaze\.com/
11     describe FAKE_OUTBLAZE_RCVD Received header contains faked 'mr.outblaze.com'
12     score FAKE_OUTBLAZE_RCVD 3.0
13    
14     # blarson 2005-01-19 (--pasc 2005-01-30)
15     header TRACKING subject =~ /\b(?:tracking|package|shipping|shipment|delivery) number :/i
16     describe TRACKING tracking number
17     score TRACKING 2
18    
19     # Sent in by blars (20050220) -- applied by pasc
      # NOTE(review): the describe text spells the host 'geub' while the pattern matches 'gueb';
      # the describe line looks like a typo and would mislead anyone reading a report.
20     body GUEBDE /http\:\/\/www\.gueb\.de\//
21     describe GUEBDE www.geub.de
22     score GUEBDE 5
23    
24 don 226 # Don 2008-06-27
      # NOTE(review): this is a plain string match on the armor line, not a signature check, so
      # any message containing that line receives -5. Confirm a bonus of this size is still wanted
      # for an unverified, sender-supplied marker.
25 don 315 full PGPSIGNATURE /-----BEGIN PGP SIGNATURE-----/
26 don 227 describe PGPSIGNATURE Has a pgp signature (may not be valid, but who cares?)
27     score PGPSIGNATURE -5
28 don 2
29 don 226
      # Lower-case only (no /i); 'y' is not in the consonant class.
30 don 408 body WORD_WITHOUT_VOWELS /\b[bcdfghjklmnpqrstvwxz]{6,20}\b/
31     describe WORD_WITHOUT_VOWELS Long word without any vowels
32     score WORD_WITHOUT_VOWELS 1
33 don 2
      # NOTE(review): the letter class below lists a-z without 'u' and has no /i flag --
      # presumably unintended; confirm. The pattern is unanchored, so it can also hit inside
      # longer tokens such as URLs or identifiers.
34 don 408 body DIGITS_LETTERS /(([abcdefghijklmnopqrstvwxyz]){1,9}\d{1,4}){2,9}/
35     describe DIGITS_LETTERS Mixed groups of letters followed by numbers
36     score DIGITS_LETTERS 1
37 don 2
38     # From http://www.exit0.us/index.php/FredsRules
39     # Added by pasc 2004/06/20
40    
      # The seven __FVGT_b_OBFU_* tests are sub-rules (double-underscore prefix, no score of
      # their own); the meta rule below fires when at least two of them hit.
41     body __FVGT_b_OBFU_J /j(b|c|f|g|w)/i
42     body __FVGT_b_OBFU_OTHER /(vj|vk|xj|xk|yy|zf|zj)/i
43     body __FVGT_b_OBFU_Q0 /(j|k|p|q|t|v|w|z)q/i
44     body __FVGT_b_OBFU_Q1 /q(a|f|h|j|k|m|n|s|y)/i
45     body __FVGT_b_OBFU_V /(f|g|q|w)v/i
46     body __FVGT_b_OBFU_X /(c|g|j|k|q|s|v|z)x/i
47     body __FVGT_b_OBFU_Z /(f|j|k|p|q|x)z/i
48     meta FVGT_m_MULTI_ODD ((__FVGT_b_OBFU_J + __FVGT_b_OBFU_OTHER + __FVGT_b_OBFU_Q0 + __FVGT_b_OBFU_Q1 + __FVGT_b_OBFU_V + __FVGT_b_OBFU_X + __FVGT_b_OBFU_Z) > 1)
49     describe FVGT_m_MULTI_ODD FVGT - contains multiple odd letter combinations
      # Score is deliberately tiny: the patterns are unanchored letter pairs and hit easily.
50     score FVGT_m_MULTI_ODD 0.02
51    
      # Sender-, subject- and phrase-specific rules added between 2003 and 2007.
52     # joy, 2003-07-20
53     header NEPEYO From =~ /nepeyo\@catlover/
54     describe NEPEYO spamvertizers
55     score NEPEYO 4
56    
57     # cjwatson, 2003/07/28
58     header MP3_PLAYERS Subject =~ /New mp3 player,usb flash drive/
59     describe MP3_PLAYERS Spam from "HY Tech"
60     score MP3_PLAYERS 4
61    
62     # joy, 2003-08-15
63     header UOSJUNK Subject =~ /UOS online Degree Programme/i
64     describe UOSJUNK Spam from UOS
65     score UOSJUNK 4
66    
67     # cjwatson, 2004-02-27
68     body GAS_MILEAGE /This amazing, revolutionary device|www\.mrev\.biz/
69     describe GAS_MILEAGE Fuel-saving snake oil
70     score GAS_MILEAGE 3
71    
72     # blarson, 2004-03-31
73     body FUELSAVER /fuel.?saver/i
74     describe FUELSAVER Fuel Saver spam
75     score FUELSAVER 3
76    
77     # blarson, 2004-04-03
78     body CABLEFILTERZ /cablefilterz/
79     describe CABLEFILTERZ cablefilterz spam
80     score CABLEFILTERZ 4
81    
82     # blarson 2004-04-15
      # Matches a subject that opens with '(' followed by digits/slashes and ')', or by the
      # literal template token %RND.
83     header PARENNUM subject =~ /^\(\s*([0-9\/]+\)|\%RND)/
84     describe PARENNUM paren number in subject
85     score PARENNUM 3
86    
87     # blarson 2004-04-25
88     # bounces our bounces.... (had negitive score)
89     header COVADRT X-RT-Loop-Prevention =~ /^Covad$/
90     describe COVADRT Covad request tracker bounces
91     score COVADRT 8
92    
93     # blarson 2005-03-02
      # NOTE(review): negative score keyed only on the From header, which the sender sets;
      # nothing here ties the bonus to an authenticated sender.
94     header ROBERTOJIMENOCA from =~ /ROBERTOJIMENOCA\@terra\.es/
95     describe ROBERTOJIMENOCA ROBERTOJIMENOCA sends spammy looking messages
96     score ROBERTOJIMENOCA -2
97    
98     # blarson 2005-07-10
99     header TURBOPRO subject =~ /\bturbonet pro\b/i
100     describe TURBOPRO dialup accelerator spam
101     score TURBOPRO 3
102    
103     # blarson 2006-04-28
      # Requires whitespace before the trailing "Re:", so a subject that is only "Re:" is not
      # covered by this rule.
104     header RESUBJECT subject =~ /\sRe(?:\[\d+\])?:\s*$/i
105     describe RESUBJECT re nothing
106     score RESUBJECT 2
107    
108     # blarson 2004-10-22 2007-07-18 up score
109     header NOSUBJECT subject =~ /^\s*$/
110     describe NOSUBJECT No subject
111     score NOSUBJECT 2.5
112    
113     # blarson 2006-10-17
114     full NEXTPART /\-\=\_NextPart\_000\_/
115     describe NEXTPART spammer mime separator
116     score NEXTPART 2.5
117    
      # Image-attachment, header-shape and subject-shape rules from 2006-2007.
118 don 312 # blarson 2006-10-17 2009-04-30
119 don 2 full CT_IMAGE /Content\-Type\:\s*image/i
120     describe CT_IMAGE Picture attached
121 don 312 score CT_IMAGE 1.5
122 don 2
123     # blarson 2006-12-01 (score so low since it will also hit CT_IMAGE)
      # NOTE(review): the comment above no longer matches the numbers: this rule scores 2.5,
      # higher than CT_IMAGE at 1.5, so a message whose top-level type is an image gets 4.0
      # from the pair.
124     header CT_IMAGE_HEAD content-type =~ /image/
125     describe CT_IMAGE_HEAD entire message is image
126     score CT_IMAGE_HEAD 2.5
127    
128    
129     # don 2006-10-25
      # NOTE(review): /A-Z/ is the literal three-character string "A-Z", not a character class.
      # If a class or a simple existence test was intended the rule currently does something
      # else; decide on the intent before changing it, since a header-exists test would hit far
      # more mail.
130     header THREADINDEX Thread-Index =~ /A-Z/
131     describe THREADINDEX thread-index header on spam
132     score THREADINDEX 1.5
133    
134     # blarson 2006-10-30
135     header FORDASH subject =~ /\bFor \- \d+/
136     describe FORDASH for dash
137     score FORDASH 3
138    
139     # blarson 2006-11-01
      # NOTE(review): KOI8-R is a Cyrillic encoding, so the 'Korean' label looks wrong. Header
      # tests normally see the decoded Subject; matching the raw "=?koi8-r" encoded-word marker
      # presumably needs the :raw modifier (Subject:raw) -- confirm against sample mail.
140     header KOREAN subject =~ /\=\?koi8\-r/
141     describe KOREAN Korean Character set spam
142     score KOREAN 2
143    
144     # blarson 2006-12-04
145     header FWDNAME subject =~ /fwd\: \w+\s*$/
146     describe FWDNAME fwd: name spam
147     score FWDNAME 3
148    
149     # blarson 2006-12-06
150     body NUMONLY /^\s*\d+\s*$/
151     describe NUMONLY number only body
152     score NUMONLY 1
153    
154     # blarson 2007-04-24
155     header THUNDERB User-Agent =~ /^Thunderbird 1\.5\.0\.10/
156     describe THUNDERB spam missing content
157     score THUNDERB 2
158    
159    
160     # blarson 2007-06-15
161     header FAILNOTE subject =~ /Failure notice\:/
162     describe FAILNOTE bounced spam
163     score FAILNOTE 2
164    
      # Attachment-disposition, scam-phrase and auto-responder rules from mid-2007.
165     # blarson 2007-06-28
      # NOTE(review): a 'full' test runs against the raw message as one string; without /m the
      # '^' anchors only at the very start of that string, and '\;\b' needs a word character
      # directly after the semicolon. As written this rule may never hit -- verify against
      # sample mail.
166 don 376 full CTINLINE /^Content\-Disposition\: inline\;\b/
167 don 2 describe CTINLINE Inline attachment
168     score CTINLINE 1
169    
170     # blarson 2007-07-07
      # The misspelling 'verifcation' is part of the pattern as written.
171     body BOXTRAPPER /^This message is a reply to a boxtrapper verifcation message\./
172     describe BOXTRAPPER boxtrapper spam
173     score BOXTRAPPER 9
174    
175     # blarson 2007-07-09
176     body PROMOCODE /^promo code\:/i
177     describe PROMOCODE promo code
178     score PROMOCODE 3
179    
180     # blarson 2007-07-11
181     body XLMAN /\bwww\.xl\-man\.net\b/
182     describe XLMAN xl-man spam
183     score XLMAN 3
184    
185     # blarson 2007-07-12
186     body COSTUMER /^Dear costumer\b/
187     describe COSTUMER paypal scam
188     score COSTUMER 3
189    
190     # blarson 2007-07-13
191     body PRIVATE /^Your private and confidential message is attached\./
192     describe PRIVATE private message
193     score PRIVATE 4
194    
195     # don 2007-07-15
196     header AUTOGENERATE auto-submitted =~ /auto/i
197     describe AUTOGENERATE auto generated crap
198     score AUTOGENERATE 3
199    
200     # blarson 2007-07-15
201     body PRIVPDF /^All our private messages are in pdf format/
202     describe PRIVPDF private pdf
203     score PRIVPDF 4
204    
205     # don 2007-07-19
      # /./ matches any non-empty value, so this is in effect a header-present test.
206     header AUTORESPOND X-Autorespond =~ /./
207     describe AUTORESPOND Automatic response
208     score AUTORESPOND 4
209    
210     header AUTOMAILER X-Mailer =~ /autors/
211     describe AUTOMAILER Auto response mailer
212     score AUTOMAILER 3
213    
214     # blarson 2007-07-22
215     header OUTOFOFFICE_SUB subject =~ /Out_of_Office/
216     describe OUTOFOFFICE_SUB broken autoresponder
217     score OUTOFOFFICE_SUB 6
218    
219     body OUTOFOFFICE /out of the office/i
220     describe OUTOFOFFICE Out of the office
221     score OUTOFOFFICE 3
222    
      # NOTE(review): shares its describe text with OUTOFOFFICE, so the two cannot be told
      # apart in a report; "will be back" is also a common phrase in ordinary list mail.
223 formorer 364 body OUTOFOFFICE_BACK /will be back/i
224     describe OUTOFOFFICE_BACK Out of the office
225     score OUTOFOFFICE_BACK 3
226 formorer 363
227 don 2 # blarson 2007-08-01 \w was too broad 2007-08-12 add dash, at least 3 digits
228     header SUBENDNUM subject =~ /[a-zA-Z!]-?\d{3,}$/
229     describe SUBENDNUM Subject ends in word989
230     score SUBENDNUM 2
231    
      # PDF/zip attachment-wave rules and assorted subject/header tests from 2007.
232     # blarson 2007-07-27
233     body PRIVMES /^You have been sent a private message/
234     describe PRIVMES more pdf spam
235     score PRIVMES 3
236    
237     # blarson 2007-07-27
238     header MIXEDBDN Content-Type =~ /multipart\/mixed\;.*boundary\=\"\-{4,}\d{4,}\"/
239     describe MIXEDBDN more pdf spam
240 cord 19 score MIXEDBDN 1
241 don 2
242     # blarson 2007-07-28
243     header DOTZIP subject =~ /\d\.zip\b/
244     describe DOTZIP zip spam
245     score DOTZIP 3
246    
247     # blarson 2007-07-30
248     header MIXED2 Content-Type =~ /multipart\/mixed\;charset\=iso\-8859\-1\;.*boundary\=\"\-\-\-\-\=\_\d{8,}\_\d{4,}\"/
249     describe MIXED2 more pdf spam
250     score MIXED2 2.5
251    
252     # blarson 2007-07-31
      # NOTE(review): score 10 on a display-name match alone; a single hit on this rule
      # contributes more than any other rule in this file.
253     header KEYENCE From =~ /KEYENCE CORPORATION/
254     describe KEYENCE opt out spam
255     score KEYENCE 10
256    
257     # blarson 2007-08-02
258     header NOSUB subject =~ /\(No Subject\)$/i
259     describe NOSUB explicity no subject
260     score NOSUB 1
261    
262     # blarson 2007-08-07
263     header CTPDF Content-Type =~ /\bapplication\/pdf\;/i
264     describe CTPDF more pdf spam
265     score CTPDF 4
266    
267     # blarson 2007-06-12
      # NOTE(review): header tests normally see the decoded Subject; matching the raw
      # "=?iso-2022-jp" encoded-word marker presumably needs Subject:raw -- confirm against
      # sample mail.
268     header JAPSUB subject =~ /\=\?iso\-2022\-jp/i
269     describe JAPSUB subject in japanese
270     score JAPSUB 3
271    
272     # blarson 2007-08-24
273     header XMSATT X-MS-Has-Attach =~ /yes/i
274     describe XMSATT more pdf spam
275     score XMSATT 2
276    
277 don 87 # blarson 2007-10-27
278     body ICQ /^icq\:/i
279     describe ICQ icq:
280     score ICQ 2
281 don 2
282 don 91 # blarson 2007-11-02
283     header XJ2ID X-J2Id =~ /\d+/
284     describe XJ2ID fax bounce
285     score XJ2ID 4
286 don 103
287     # blarson 2007-11-15
      # \d is already contained in \w and /i has no effect on this class.
288 don 105 header LONGWORD subject =~ /\b[\w\d]{30,}/i
289 don 103 describe LONGWORD long word in subject
290     score LONGWORD 2
291 don 121
292     # blarson 2007-11-23
293     header TESTIMONIAL subject =~ /\btestimonial/i
294     describe TESTIMONIAL testimonials
295     score TESTIMONIAL 2
296    
297 don 125 # blarson 2007-12-13
298     header ITXS subject =~ /\bit\`s\b/i
299     describe ITXS it`s
300     score ITXS 4
301    
302     # blarson 2007-12-18
      # NOTE(review): '\s+' requires at least one whitespace character after the colon, so the
      # compact form without a space is not covered; '\s*' may have been intended -- confirm.
303     rawbody TINYFONT /\bFONT-SIZE\:\s+[123]px\;/i
304     describe TINYFONT tiny font specified
305     score TINYFONT 3
306 don 185
      # Rules from 2008 through early 2009, including two score compensations (negative or
      # offsetting scores) added by cord.
307     # blarson 2008-04-03
308 don 376 full ZIPFILE /\bfilename\=.*\.zip\b/i
309 don 185 describe ZIPFILE zipfile attachment
310     score ZIPFILE 0.5
311 don 194
312     # blarson 2008-04-19
313     header SPACESUB subject =~ /^\s\w/
314     describe SPACESUB extra space before subject
315     score SPACESUB 0.5
316 don 202
317     # don 2008-05-04
      # NOTE(review): the name YAHOOCALENDAR is defined a second time later in this file
      # (X-Yahoo-Calendar-IId, score 5). A later definition of the same rule name normally
      # replaces the earlier one, which would leave this test and its score of 4 unused. The
      # header name also carries a trailing ':' that the other header rules here do not have;
      # check both with `spamassassin --lint`.
318     header YAHOOCALENDAR X-Yahoo-Newman-Property: =~ /calendar-invite/i
319     describe YAHOOCALENDAR Calendar invite from yahoo; broken captcha
320     score YAHOOCALENDAR 4
321 don 217
322     # blarson 2008-06-03
323     header BOUNDARYID content-type =~ /\bboundary\=\"Boundary_\(ID_/
324     describe BOUNDARYID spamware boundary
325     score BOUNDARYID 0.6
326 don 231
327     # blarson 2008-07-02
328     body GBKXWFLXF /\bgbkxwflxf\b/
329     describe GBKXWFLXF gbkxwflxf
330     score GBKXWFLXF 5
331 cord 249
332 don 260 # blarson 2008-09-07
333     body LUKSUS /\bluksus\b/i
334     score LUKSUS 4
335     describe LUKSUS Luksus
336    
337 don 285 # disabled by don; was causing false positives
338     # probably needs to be modified to check if it really is ironport
339 don 260 # blarson 2008-09-22
340 don 285 # header XIRONPORT X-IronPort-Anti-Spam-Filtered =~ /true/
341     # describe XIRONPORT claims to be ironport filtered
342     # score XIRONPORT 2.5
343 don 260
344     # blarson 2008-10-13
345     header AUTORESPON subject =~ /Auto_response/
346     describe AUTORESPON Auto_response
347     score AUTORESPON 3
348    
349     # blarson 2008-10-28
350     header XWUM x-wum-to =~ /./
351     describe XWUM X-WUM-TO
352     score XWUM 2
353    
354 cord 249 # cord 2008-10-31
355     # compensate false-positives for 140.Red-80-25-20.staticIP.rima-tde.net and stuff
      # NOTE(review): the test is applied to Received headers in general, not only to the hop
      # added by a trusted relay, so the -5 is granted on text that an upstream sender can
      # write into a header. Consider limiting it to trusted hops or reducing the bonus.
356     header STATIC_RIMA_TDE received =~ /staticIP\.rima-tde\.net/
357     describe STATIC_RIMA_TDE static IP from rima-tde.net
358     score STATIC_RIMA_TDE -5
359 cord 251
360     # cord 2008-11-30 # compensate LDO_SUBSCRIBER bonus for Forum2Mail-Gw
      # LDO_SUBSCRIBER is not defined in this file; the +5 here offsets a bonus given elsewhere.
361 cord 252 full NABBLE /lists\@nabble\.com/
362 cord 251 describe NABBLE sent through nabble.com
363     score NABBLE 5
364 don 271
365     # don 2009-02-04
      # NOTE(review): in this rendering the HTML_NBSP pattern and describe text that follow
      # show only whitespace where the rule name suggests an HTML entity was written; the
      # entity was probably lost when the page was converted to text. Check the repository
      # copy before relying on the pattern as displayed.
366     full HTML_NBSP /(\ ){3,}/
367     describe HTML_NBSP Lots of  
368     score HTML_NBSP 2
369 don 273
370 don 292 # blarson 2009-02-19
371     header ENTIST subject =~ /(?:e.?entist|o.?ctor)/i
372     describe ENTIST (D)entit/(D)octor
373     score ENTIST 2
374 don 299
      # /./ matches any non-empty value, so this is in effect a header-present test.
375     header THREADTOPIC thread-topic =~ /./i
376     describe THREADTOPIC Has a thread topic header
377 cord 304 score THREADTOPIC 2
378 cord 305
379     # [2009-04-14 cord]
380     # replacing old aol-rules from rc.spam
      # NOTE(review): all four AOL patterns are unanchored and run against the whole From
      # header (display name included), so they are much broader than their shapes suggest:
      #   AOL_SPAM1 - a digit anywhere before the '@', not only in the local part.
      #   AOL_SPAM2 - any ten characters before the '@', which a display name usually supplies.
      #   AOL_SPAM3 - '.?.?' can match nothing, so every aol.com address hits.
      #   AOL_SPAM4 - any non-alphanumeric before the '@', e.g. the space or '<' of
      #               "Name <user@aol.com>".
      # If the intent was to judge the local part only, the :addr modifier (From:addr) with a
      # leading '^' would express that; confirm the intent before changing the scores' reach.
381    
382     header AOL_SPAM1 from =~ /[0-9].*\@([^\@]+\.)?aol\.com/i
383     describe AOL_SPAM1 possible AOL-pretending spam, matching rule 1
384     score AOL_SPAM1 1
385    
386     header AOL_SPAM2 from =~ /...........*\@([^\@]+\.)?aol\.com/i
387     describe AOL_SPAM2 possible AOL-pretending spam, matching rule 2
388     score AOL_SPAM2 1
389    
390     header AOL_SPAM3 from =~ /.?.?\@([^\@]+\.)?aol\.com/i
391     describe AOL_SPAM3 possible AOL-pretending spam, matching rule 3
392     score AOL_SPAM3 1
393    
394     header AOL_SPAM4 from =~ /[^a-zA-Z0-9]+.*\@([^\@]+\.)?aol\.com/i
395     describe AOL_SPAM4 possible AOL-pretending spam, matching rule 4
396     score AOL_SPAM4 1
397 don 311
      # Rules added during 2009: recipient-shape tests, list-broker addresses, bulk mailers.
398 don 312 # blarson 2009-04-15
399     body WEBMAIL /\bwebmail\b/i
400     describe WEBMAIL webmail
401     score WEBMAIL 1
402    
403     # blarson 2009-04-17
404     header REFNO subject =~ /\bref no\b/i
405     describe REFNO Ref No
406     score REFNO 2
407    
408     # blarson 2009-05-26
      # The empty alternative at the end of the second group lets the host part be absent,
      # so addresses such as info@co.uk match as well as info@yahoo.co.uk.
409     header INFOCOUK to =~ /\b(?:info|winner|loan|lotto|grant|win)\@(?:info\.|winner\.|loan\.|lotto\.|hotmail\.|grant\.|win\.|yahoo\.|)(?:co\.uk|net|com|org)\b/
410     describe INFOCOUK to info@co.uk
411     score INFOCOUK 3
412    
413     # blarson 2009-05-27
414 don 326 body EXITAT /\b(?:exit|rembox)\@(?:datalistsource|listsourcesworld|BestAccurateReliable|expertdatasystems|bestbizlists)\.\b/i
415 don 312 describe EXITAT exit@datalistsource.com
416     score EXITAT 3
417    
418     # blarson 2009-06-05
      # Any To header containing "info@" hits; INFOCOUK above can hit the same message.
419     header TOINFO to =~ /\binfo\@/
420     describe TOINFO to info@
421     score TOINFO 1
422    
423 don 311 # don 2009-07-06
424     header CONSTCONTACT X-Mailer =~ /Constant Contact/i
425     describe CONSTCONTACT Mail comming from constant contact, which doesn't require double opt-in
426     score CONSTCONTACT 5
427 don 317
428 don 318 # blarson 2009-08-16
      # Extra 0.5 when both CT_IMAGE and MIXEDBDN (defined earlier in this file) hit.
429     meta CTBDN (CT_IMAGE && MIXEDBDN)
430     describe CTBDN CT_IMAGE && MIXEDBDN
431     score CTBDN 0.5
432    
433 don 317 # don 2009-09-22
434     body NUMEMAIL /\d{3,}\s+emails?/i
435     describe NUMEMAIL Mail which mentions some number of e-mail addresses
436     score NUMEMAIL 2
437 don 320
438     # don 2009-11-25
      # NOTE(review): second definition of YAHOOCALENDAR; the 2008-05-04 rule earlier in this
      # file uses the same name with X-Yahoo-Newman-Property and score 4. A later definition
      # normally replaces the earlier one, so only one of the two tests can be in effect --
      # give them distinct names if both are wanted. The trailing ':' on the header name
      # differs from the other header rules here; check with `spamassassin --lint`.
439     header YAHOOCALENDAR X-Yahoo-Calendar-IId: =~ /./
440 don 321 describe YAHOOCALENDAR Mail comming from yahoo calendar, which spams us with updates
441 don 320 score YAHOOCALENDAR 5
442 formorer 323
      # Rules from late 2009 and 2010, ending with the RTF/DOC attachment combination.
443     # alex 2009-12-05
444     header TLOTTERY subject =~ /Ticket no: [0-9]+/i
445     describe TLOTTERY Lottery spam
446     score TLOTTERY 3
447    
448     # alex 2009-12-05
449     header GLOTTERY subject =~ /Google_L_o_t_t_e_r_y_W_i_n_n_e_r_s/i
450     describe GLOTTERY Google Lottery spam
451     score GLOTTERY 3
452    
453 formorer 325 # alex 2009-12-16
454     header DOTNET subject =~ /Planning a Website Design\? Updates/
455     describe DOTNET .NET Spam
456     score DOTNET 3
457 formorer 323
458 don 340 # blarson 2010-02-02
459 don 346 body REMBOX /\b(?:rembo[xt]|disappear|stopping|delrem|remfiles?|exit|takemeoff|offthelist|purgefile)\s?\@/
460 don 326 describe REMBOX rembox
461     score REMBOX 3
462 formorer 333
463     # formorer 2010-01-23
      # Hits when the To header holds at least 15 comma-and-space separated entries in a row.
464     header LONGTO to =~ /([\S]+, ){15,}/
465     describe LONGTO very long To line
466     score LONGTO 3
467 formorer 334
468     # formorer 2010-01-25
469     header VAULAS subject =~ /cursos video aulas video/i
470     describe VAULAS some spanish video spam
471     score VAULAS 3
472    
473 don 340 # blarson 2010-01-28
474     header FROMWWW from =~ /\bwww\./i
475     describe FROMWWW from www.whatever
476     score FROMWWW 3
477    
478     # blarson 2010-02-16
479     header FROMCASINO from =~ /\bcasino/i
480     describe FROMCASINO from casino
481     score FROMCASINO 3
482    
483     # don 2010-06-10
484 don 342 header CTOCTET_STREAM Content-Type =~ /octet-stream/i
485 don 340 describe CTOCTET_STREAM Content type is octet-stream
486     score CTOCTET_STREAM 0.5
487    
      # NOTE(review): a 'full' test runs against the raw message as one string; without /m the
      # '^' anchors only at the very start of that string, so a Content-Disposition line inside
      # a MIME part is presumably never reached. If so, RTF_ATTACH and the RTF_SPAM meta that
      # depends on it do not fire -- verify against a sample with an .rtf/.doc attachment.
488 don 376 full RTF_ATTACH /^Content-Disposition:.+name=.+\.(rtf|doc)/i
489     describe RTF_ATTACH Contains an RTF or DOC Attachment
490     score RTF_ATTACH 2
491 don 340
492 don 341 meta RTF_SPAM CTOCTET_STREAM && RTF_ATTACH
493 don 340 describe RTF_SPAM Content type is octet-stream and has an RTF Attachment
494 don 346 score RTF_SPAM 3
495 formorer 367
      # Most recent additions (2010-2012): subject-phrase and header-present tests.
496 don 370 # blarson 2010-10-11
497     header WORDDIGDIG subject =~ /^\w{3,}\s+\d\s\d\s*$/
498     describe WORDDIGDIG Word digit digit subject
499     score WORDDIGDIG 3
500    
501 don 369 # don 2011-06-06
      # The pattern matches square brackets ("[ " + 16 lower-case letters/digits + "] ") at the
      # start of the subject; the describe text calls them braces.
502     header BRACE_SUBJECT Subject =~ /^\[\ [a-z0-9]{16}]\ /
503     describe BRACE_SUBJECT 16 length word in braces in the subject
504     score BRACE_SUBJECT 4
505    
506 formorer 367 # formorer 2011-08-12
507     header COMPTESFR subject =~ /concernant Compte SFR/i
508     describe COMPTESFR concernant Compte SFR
509     score COMPTESFR 3
510    
511 formorer 392 # formorer 2012-02-02
512     header BACKTOME subject =~ /Please get back to me/i
513     describe BACKTOME Phrase get back to me
514     score BACKTOME 4
515 formorer 426
516     # formorer 2012-12-10
517     header STEEL subject =~ /stainless steel cookware/i
518     describe STEEL who need steel cookware?
519     score STEEL 4
520 don 427
521     # blarson 2012-02-23
      # NOTE(review): a single common word in the subject carries score 4; on a general
      # discussion list this is a likely source of false positives -- review hit statistics.
522     header SINGLES subject =~ /\bsingles\b/i
523     describe SINGLES singles
524     score SINGLES 4
525    
      # /.+/ matches any non-empty value: the rule scores the presence of the header, not the
      # score value the header reports.
526     header CMAEOUT X-CMAE-OUT-Score =~ /.+/
527     describe CMAEOUT Cmae out
528     score CMAEOUT 3.5
529    
530     # blarson 2012-05-05
531     body FBPHOTO /\b(photo|pict?|image)\s+on\s+(fb|facebook)\b/i
532     describe FBPHOTO facebook photo
533     score FBPHOTO 4
534    
