home *** CD-ROM | disk | FTP | other *** search

---

/ ftp.f-secure.com / 2014.06.ftp.f-secure.com.tar / ftp.f-secure.com / support / hotfix / fsis / IS-SpamControl.fsfix / iufssc / rules / 20_head_tests.cf

< prev

next >

Wrap

Text File  |  2006-11-29  |  33KB  |  685 lines

---

1. # SpamAssassin rules file: header tests
2. #
3. # Please don't modify this file as your changes will be overwritten with
4. # the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
5. # See 'perldoc Mail::SpamAssassin::Conf' for details.
6. #
7. # <@LICENSE>
8. # Copyright 2004 Apache Software Foundation
9. # 
10. # Licensed under the Apache License, Version 2.0 (the "License");
11. # you may not use this file except in compliance with the License.
12. # You may obtain a copy of the License at
13. # 
14. #     http://www.apache.org/licenses/LICENSE-2.0
15. # 
16. # Unless required by applicable law or agreed to in writing, software
17. # distributed under the License is distributed on an "AS IS" BASIS,
18. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19. # See the License for the specific language governing permissions and
20. # limitations under the License.
21. # </@LICENSE>
22. #
23. ###########################################################################
24.  
25. #require_version @@VERSION@@
26.  
27. header HEAD_LONG        eval:check_msg_parse_flags('truncated_header')
28. describe HEAD_LONG        Message headers are very long
29.  
30. # partial messages; currently-theoretical attack
31. # unsurprisingly this hits 0/0 right now.
32. header FRAGMENTED_MESSAGE    Content-Type =~ /\bmessage\/partial/i
33. describe FRAGMENTED_MESSAGE    Partial message
34.  
35. header MISSING_HB_SEP        eval:check_msg_parse_flags('missing_head_body_separator')
36. describe MISSING_HB_SEP        Missing blank line between message header and body
37.  
38. header UNPARSEABLE_RELAY        eval:check_relays_unparseable()
39. tflags UNPARSEABLE_RELAY        userconf
40. describe UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
41.  
42. ###########################################################################
43.  
44. header NO_REAL_NAME        From =~ /^["\s]*\<?\S+\@\S+\>?\s*$/
45. describe NO_REAL_NAME        From: does not include a real name
46.  
47. header FROM_BLANK_NAME        From =~ /(?:\s|^)"" <\S+>/i
48. describe FROM_BLANK_NAME    From: contains empty name
49.  
50. ###########################################################################
51. # numeric address rules, these are written to avoid overlap with each other
52.  
53. header FROM_ENDS_IN_NUMS    From:addr =~ /\D\d{8,}\@/i
54. describe FROM_ENDS_IN_NUMS    From: ends in many numbers
55.  
56. header FROM_STARTS_WITH_NUMS    From:addr =~ /^\d{6,}\S+\@/i
57. describe FROM_STARTS_WITH_NUMS    From: starts with many numbers
58.  
59. # note: anchored for speed
60. header FROM_HAS_MIXED_NUMS    From:addr =~ /^[a-z]+\d+[a-z]+\d+[a-z]+\w*\@/i
61. describe FROM_HAS_MIXED_NUMS    From: contains numbers mixed in with letters
62.  
63. header FROM_HAS_ULINE_NUMS    From =~ /_\S?(?:[a-z]+\w*?\d+|\d+\w*?[a-z]+)\w*\@/i
64. describe FROM_HAS_ULINE_NUMS    From: contains an underline and numbers/letters
65.  
66. # don't match US/Canada phone numbers: 10 digits optionally preceded by a "1"
67. header FROM_ALL_NUMS        From:addr =~ /^(?:\d{1,9}|[02-9]\d{10}|\d{12,})@/
68. describe FROM_ALL_NUMS        From numeric address (except US/Canada phones)
69.  
70. # faked addresses tend to come from big public sites, but avoid overlap
71. header __ADDR_NUMS_AT_BIGSITE    ALL =~ /^(?:To|From|Cc|Reply-To):\s{0,20}<?\S{0,20}\d{5,}\S{0,20}\@(?:bigfoot|email|excite|hotmail|juno|msn|yahoo)\.(?:com|net|org)/mi
72. meta ADDR_NUMS_AT_BIGSITE    __ADDR_NUMS_AT_BIGSITE && !FROM_ENDS_IN_NUMS && !FROM_STARTS_WITH_NUMS && !FROM_HAS_MIXED_NUMS && !FROM_ALL_NUMS
73. describe ADDR_NUMS_AT_BIGSITE    Has an address with lots of numbers at a big ISP
74.  
75. ###########################################################################
76.  
77. header FROM_OFFERS        From:addr =~ /\@\S*offers(?![eo]n\b)/i
78. describe FROM_OFFERS        From address is "at something-offers"
79.  
80. header FROM_NO_USER        From =~ /(?:^\@|<\@| \@[^\)<]*$|<>)/ [if-unset: unset@unset.unset]
81. describe FROM_NO_USER        From: has no local-part before @ sign
82.  
83. header TO_NO_USER        To =~ /(?:^\@|<\@| \@[^\)<]*$|<>)/ [if-unset: unset@unset.unset]
84. describe TO_NO_USER        To: has no local-part before @ sign
85.  
86. header TO_EMPTY            To =~ /^\s*$/ [if-unset: UNSET]
87. describe TO_EMPTY        To: is empty
88.  
89. header REPLY_TO_EMPTY        Reply-To =~ /^\s*$/ [if-unset: UNSET]
90. describe REPLY_TO_EMPTY        Reply-To: is empty
91.  
92. header TO_ADDRESS_EQ_REAL    To =~ /^\s*"([^"@]+\@[^"@]+)"\s+<\1>\s*$/i
93. describe TO_ADDRESS_EQ_REAL    To: repeats address as real name
94.  
95. # NOTE: this is what 100% valid undisclosed-recipients mails look like.
96. # If this gets a high score, that's a bug!
97. header UNDISC_RECIPS        To =~ /^undisclosed-recipients?:\s*;$/
98. describe UNDISC_RECIPS        Valid-looking To "undisclosed-recipients"
99.  
100. # also 100% valid
101. header FAKED_UNDISC_RECIPS    To =~ /undisclosed[_ ]*recipient(?:s[^:]|[^s])/i
102. describe FAKED_UNDISC_RECIPS    Faked To "Undisclosed-Recipients"
103.  
104. header PLING_QUERY        Subject =~ /\?.*!|!.*\?/
105. describe PLING_QUERY        Subject has exclamation mark and question mark
106.  
107. header SUBJ_HAS_UNIQ_ID        eval:check_for_unique_subject_id()
108. describe SUBJ_HAS_UNIQ_ID    Subject contains a unique ID
109.  
110. header SUBJ_HAS_SPACES        Subject =~ /(?:\s{6}|\t\s|\s\t)\S/
111. describe SUBJ_HAS_SPACES    Subject contains lots of white space
112.  
113. header SUBJ_ALL_CAPS        eval:subject_is_all_caps()
114. describe SUBJ_ALL_CAPS        Subject is all capitals
115.  
116. header MSGID_SPAM_99X9XX99    MESSAGEID =~ /^<\d\d\d\d\d\d[a-z]\d[a-z][a-z]\d\d\$[a-z][a-z][a-z]\d\d\d\d\d\$\d\d\d\d\d\d\d\d\@/
117. describe MSGID_SPAM_99X9XX99    Spam tool Message-Id: (99x9xx99 variant)
118.  
119. header MSGID_SPAM_ALPHA_NUM    MESSAGEID =~ /<[A-Z]{7}-000[0-9]{10}\@[a-z]*>/
120. describe MSGID_SPAM_ALPHA_NUM    Spam tool Message-Id: (alpha-numeric variant)
121.  
122. header MSGID_SPAM_CAPS        Message-ID =~ /^\s*<?[A-Z]+\@(?!(?:mailcity|whowhere)\.com)/
123. describe MSGID_SPAM_CAPS    Spam tool Message-Id: (caps variant)
124.  
125. header MSGID_SPAM_LETTERS    Message-Id =~ /<[a-z]{5,}\@(\S+\.)+\S+>/
126. describe MSGID_SPAM_LETTERS    Spam tool Message-Id: (letters variant)
127.  
128. header MSGID_SPAM_ZEROES    MESSAGEID =~ /<0000[0-9a-f]{8}\$0000[0-9a-f]{4}\$0000[0-9a-f]{4}\@/
129. describe MSGID_SPAM_ZEROES    Spam tool Message-Id: (12-zeroes variant)
130.  
131. header MSGID_NO_HOST            MESSAGEID =~ /\@>(?:$|\s)/m
132. describe MSGID_NO_HOST         Message-Id has no hostname
133.  
134. header MSGID_OUTLOOK_INVALID    eval:check_outlook_message_id()
135. describe MSGID_OUTLOOK_INVALID    Message-Id is fake (in Outlook Express format)
136.  
137. # catches a few spams missed by MSGID_OUTLOOK_INVALID
138. header __HAS_OUTLOOK_IN_MAILER    X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/
139. meta MSGID_DOLLARS        (__OUTLOOK_DOLLARS_MSGID && !__HAS_OUTLOOK_IN_MAILER && !__UNUSABLE_MSGID)
140. describe MSGID_DOLLARS        Message-Id has pattern used in spam
141.  
142. # negative lookahead exempts this MUA from circa 1997-2000 
143. # X-Mailer: Microsoft Outlook Express 4.71.1712.3
144. # Message-ID: <01bd45da$2649cdc0$LocalHost@andrew>
145. header __MSGID_DOLLARS_OK    MESSAGEID =~ /<[0-9a-f]{4,}\$[0-9a-f]{4,}\$[0-9a-f]{4,}\@\S+>/m
146. header __MSGID_DOLLARS_MAYBE    MESSAGEID =~ /<\w{4,}\$\w{4,}\$(?!localhost)\w{4,}\@\S+>/mi
147. meta MSGID_DOLLARS_RANDOM    __MSGID_DOLLARS_MAYBE && !__MSGID_DOLLARS_OK
148.  
149. # bit of a ratware rule, but catches a bit more than just the one ratware
150. header __MSGID_RANDY        Message-ID =~ /<[a-z\d][a-z\d\$-]{10,29}[a-z\d]\@[a-z\d][a-z\d.]{3,12}[a-z\d]>/
151. # heuristic to eliminate most good Message-ID formats
152. header __MSGID_OK_HEX        Message-ID =~ /\b[a-f\d]{8}\b/
153. header __MSGID_OK_DIGITS    Message-ID =~ /\d{10}/
154. header __MSGID_OK_HOST        Message-ID =~ /\@(?:\D{2,}|(?:\d{1,3}\.){3}\d{1,3})>/
155. meta MSGID_RANDY    (__MSGID_RANDY && !(__MSGID_OK_HEX || __MSGID_OK_DIGITS || __MSGID_OK_HOST))
156. describe MSGID_RANDY        Message-Id has pattern used in spam
157.  
158. # bug 3395
159. header MSGID_YAHOO_CAPS        Message-ID =~ /<[A-Z]+\@yahoo.com>/
160. describe MSGID_YAHOO_CAPS    Message-ID has ALLCAPS@yahoo.com
161.  
162. ###########################################################################
163.  
164. header   __AT_AOL_MSGID        MESSAGEID =~ /\@aol\.com\b/i
165. header   __FROM_AOL_COM        From =~ /\@aol\.com\b/i
166. meta     FORGED_MSGID_AOL    (__AT_AOL_MSGID && !__FROM_AOL_COM)
167. describe FORGED_MSGID_AOL    Message-ID is forged, (aol.com)
168.  
169. header   __AT_EXCITE_MSGID    MESSAGEID =~ /\@excite\.com\b/i
170. header   __MY_RCVD_EXCITE    Received =~ /\.excite\.com\b/i
171. meta     FORGED_MSGID_EXCITE    (__AT_EXCITE_MSGID && !__MY_RCVD_EXCITE)
172. describe FORGED_MSGID_EXCITE    Message-ID is forged, (excite.com)
173.  
174. header   __AT_HOTMAIL_MSGID    MESSAGEID =~ /\@hotmail\.com\b/i
175. header   __FROM_HOTMAIL_COM    From =~ /\@hotmail\.com\b/i
176. meta     FORGED_MSGID_HOTMAIL    (__AT_HOTMAIL_MSGID && (!__FROM_HOTMAIL_COM && !__FROM_MSN_COM && !__FROM_YAHOO_COM))
177. describe FORGED_MSGID_HOTMAIL    Message-ID is forged, (hotmail.com)
178.  
179. header   __AT_MSN_MSGID        MESSAGEID =~ /\@msn\.com\b/i
180. header   __FROM_MSN_COM        From =~ /\@msn\.com\b/i
181. meta     FORGED_MSGID_MSN    (__AT_MSN_MSGID && (!__FROM_MSN_COM && !__FROM_HOTMAIL_COM && !__FROM_YAHOO_COM))
182. describe FORGED_MSGID_MSN    Message-ID is forged, (msn.com)
183.  
184. header   __AT_YAHOO_MSGID    MESSAGEID =~ /\@yahoo\.com\b/i
185. header   __FROM_YAHOO_COM    From =~ /\@yahoo\.com\b/i
186. meta     FORGED_MSGID_YAHOO    (__AT_YAHOO_MSGID && !__FROM_YAHOO_COM)
187. describe FORGED_MSGID_YAHOO    Message-ID is forged, (yahoo.com)
188.  
189. ###########################################################################
190.  
191. header __MSGID_BEFORE_RECEIVED    ALL =~ /\nMessage-Id:.*\nReceived:/si
192. header __MSGID_BEFORE_OKAY    Message-Id =~ /\@[a-z0-9.-]+\.(?:yahoo|wanadoo)(?:\.[a-z]{2,3}){1,2}>/
193. meta MSGID_FROM_MTA_HEADER    (__MSGID_BEFORE_RECEIVED && !__MSGID_BEFORE_OKAY)
194. describe MSGID_FROM_MTA_HEADER    Message-Id was added by a relay
195.  
196. header MSGID_FROM_MTA_ID    eval:message_id_from_mta()
197. describe MSGID_FROM_MTA_ID    Message-Id for external message added locally
198.  
199. header MSGID_FROM_MTA_HOTMAIL    Message-Id =~ /<MC\d{1,2}-F{1,2}\w{21,22}\@\S*hotmail\.com>/
200. describe MSGID_FROM_MTA_HOTMAIL    Message-Id was added by a hotmail.com relay
201.  
202. header MSGID_LONG        MESSAGEID =~ /<.{160,}>|<.{140,}\@|\@.{55,}>/m
203. describe MSGID_LONG        Message-ID is unusually long
204.  
205. header MSGID_SHORT        MESSAGEID =~ /^.{1,15}$|<.{0,4}\@/m
206. describe MSGID_SHORT        Message-ID is unusually short
207.  
208. header MSGID_MULTIPLE_AT    MESSAGEID =~ /<[^>]*\@[^>]*\@/
209. describe MSGID_MULTIPLE_AT    Message-ID contains multiple '@' characters
210.  
211. ###########################################################################
212.  
213. header DATE_SPAMWARE_Y2K    Date =~ /^[A-Z][a-z]{2}, \d\d [A-Z][a-z]{2} [0-6]\d \d\d:\d\d:\d\d [A-Z]{3}$/
214. describe DATE_SPAMWARE_Y2K    Date header uses unusual Y2K formatting
215.  
216. header INVALID_DATE        Date !~ /^\s*(?:(?i:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+)?[0-3\s]?[0-9]\s+(?i:Jan|Feb|Ma[ry]|Apr|Ju[nl]|Aug|Sep|Oct|Nov|Dec)\s+(?:[12][901])?[0-9]{2}\s+[0-2]?[0-9](?:\:[0-5][0-9]){1,2}\s+(?:[AP]M\s+)?(?:[+-][0-9]{4}|UT|[A-Z]{2,3}T)(?:\s+\(.*\))?\s*$/ [if-unset: Wed, 31 Jul 2002 16:41:57 +0200]
217. describe INVALID_DATE        Invalid Date: header (not RFC 2822)
218.  
219. # allow +1300, NZ timezone
220. header INVALID_DATE_TZ_ABSURD    Date =~ /[-+](?:1[4-9]\d\d|[2-9]\d\d\d)$/
221. describe INVALID_DATE_TZ_ABSURD    Invalid Date: header (timezone does not exist)
222.  
223. header INVALID_TZ_CST        ALL =~ /[+-]\d\d[30]0(?<!-0600|-0500|\+0800|\+0930|\+1030)\s+(?:\bCST\b|\(CST\))/
224. describe INVALID_TZ_CST        Invalid date in header (wrong CST timezone)
225.  
226. header INVALID_TZ_EST        ALL =~ /[+-]\d\d[30]0(?<!-0500|-0300|\+1000|\+1100)\s+(?:\bEST\b|\(EST\))/
227. describe INVALID_TZ_EST        Invalid date in header (wrong EST timezone)
228.  
229. header INVALID_TZ_GMT        ALL =~ /[+-]\d\d[30]0(?<![+-]0000)\s+(?:\b(?:GMT|UTC)\b(?![\w+-])|\((?:GMT|UTC)\))/
230. describe INVALID_TZ_GMT        Invalid date in header (wrong GMT/UTC timezone)
231.  
232. header DATE_IN_PAST_03_06    eval:check_for_shifted_date('-6', '-3')
233. describe DATE_IN_PAST_03_06    Date: is 3 to 6 hours before Received: date
234.  
235. header DATE_IN_PAST_06_12    eval:check_for_shifted_date('-12', '-6')
236. describe DATE_IN_PAST_06_12    Date: is 6 to 12 hours before Received: date
237.  
238. header DATE_IN_PAST_12_24    eval:check_for_shifted_date('-24', '-12')
239. describe DATE_IN_PAST_12_24    Date: is 12 to 24 hours before Received: date
240.  
241. header DATE_IN_PAST_24_48    eval:check_for_shifted_date('-48', '-24')
242. describe DATE_IN_PAST_24_48    Date: is 24 to 48 hours before Received: date
243.  
244. header DATE_IN_PAST_48_96    eval:check_for_shifted_date('-96', '-48')
245. describe DATE_IN_PAST_48_96    Date: is 48 to 96 hours before Received: date
246.  
247. header DATE_IN_PAST_96_XX    eval:check_for_shifted_date('undef', '-96')
248. describe DATE_IN_PAST_96_XX    Date: is 96 hours or more before Received: date
249.  
250. header DATE_IN_FUTURE_03_06    eval:check_for_shifted_date('3', '6')
251. describe DATE_IN_FUTURE_03_06    Date: is 3 to 6 hours after Received: date
252.  
253. header DATE_IN_FUTURE_06_12    eval:check_for_shifted_date('6', '12')
254. describe DATE_IN_FUTURE_06_12    Date: is 6 to 12 hours after Received: date
255.  
256. header DATE_IN_FUTURE_12_24    eval:check_for_shifted_date('12', '24')
257. describe DATE_IN_FUTURE_12_24    Date: is 12 to 24 hours after Received: date
258.  
259. header DATE_IN_FUTURE_24_48    eval:check_for_shifted_date('24', '48')
260. describe DATE_IN_FUTURE_24_48    Date: is 24 to 48 hours after Received: date
261.  
262. header DATE_IN_FUTURE_48_96    eval:check_for_shifted_date('48', '96')
263. describe DATE_IN_FUTURE_48_96    Date: is 48 to 96 hours after Received: date
264.  
265. header DATE_IN_FUTURE_96_XX    eval:check_for_shifted_date('96', 'undef')
266. describe DATE_IN_FUTURE_96_XX    Date: is 96 hours or more after Received: date
267.  
268. header UNRESOLVED_TEMPLATE    eval:check_unresolved_template()
269. describe UNRESOLVED_TEMPLATE    Headers contain an unresolved template
270.  
271. ###########################################################################
272. # illegal characters that should be MIME encoded
273. # might want to exempt users using languages that don't use Latin
274. # alphabets, but do it in the eval
275.  
276. header SUBJ_ILLEGAL_CHARS    eval:check_illegal_chars('Subject','0.00','2')
277. describe SUBJ_ILLEGAL_CHARS    Subject: has too many raw illegal characters
278.  
279. header FROM_ILLEGAL_CHARS    eval:check_illegal_chars('From','0.20','2')
280. describe FROM_ILLEGAL_CHARS    From: has too many raw illegal characters
281.  
282. header HEAD_ILLEGAL_CHARS    eval:check_illegal_chars('ALL','0.010','2')
283. describe HEAD_ILLEGAL_CHARS    Headers have too many raw illegal characters
284.  
285. ###########################################################################
286. # MIME encoding with spam characteristics
287.  
288. header __SUBJECT_NEEDS_MIME    Subject =~ /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\xff]/
289. header __SUBJECT_ENCODED_QP    Subject:raw =~ /=\?\S+\?Q\?/i
290. header __SUBJECT_ENCODED_B64    Subject:raw =~ /=\?\S+\?B\?/i
291.  
292. meta SUBJECT_EXCESS_QP        __SUBJECT_ENCODED_QP && !__SUBJECT_NEEDS_MIME
293. describe SUBJECT_EXCESS_QP    Subject: quoted-printable encoded unnecessarily
294.  
295. meta SUBJECT_EXCESS_BASE64    __SUBJECT_ENCODED_B64 && !__SUBJECT_NEEDS_MIME
296. describe SUBJECT_EXCESS_BASE64    Subject: base64 encoded encoded unnecessarily
297.  
298. header __FROM_NEEDS_MIME    From =~ /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\xff]/
299. header __FROM_ENCODED_QP    From:raw =~ /=\?\S+\?Q\?/i
300. header __FROM_ENCODED_B64    From:raw =~ /=\?\S+\?B\?/i
301.  
302. meta FROM_EXCESS_QP        __FROM_ENCODED_QP && !__FROM_NEEDS_MIME
303. describe FROM_EXCESS_QP        From: quoted-printable encoded unnecessarily
304.  
305. meta FROM_EXCESS_BASE64        __FROM_ENCODED_B64 && !__FROM_NEEDS_MIME
306. describe FROM_EXCESS_BASE64    From: base64 encoded unnecessarily
307.  
308. header SUBJECT_ENCODED_TWICE    Subject:raw =~ /=\?\S+\?[BQ]\?.*=\?\S+\?[BQ]\?/i
309. describe SUBJECT_ENCODED_TWICE    Subject: MIME encoded twice
310.  
311. ###########################################################################
312. # ADV tags in various languages
313.  
314. header ENGLISH_UCE_SUBJECT    Subject =~ /^[^0-9a-z]*adv(?:ert)?\b/i
315. describe ENGLISH_UCE_SUBJECT    Subject contains an English UCE tag
316.  
317. # alan premselaar <alien@12inch.com>, see SpamAssassin-talk list 2003-03
318. # quinlan: 2003-03-23 here are more generic Japanese iso-2022-jp codes
319. # ("not yet acceptance" or "email") + "announcement"
320. # FWIW, according to Peter Evans, this should be sufficient to catch the
321. # UCE tag and a common attempt at evasion (using the "sue" instead of
322. # "mi" Chinese character).
323. header JAPANESE_UCE_SUBJECT    Subject =~ /\e\$B.*(?:L\$>5Bz|EE;R%a!<%k)9-9p/
324. describe JAPANESE_UCE_SUBJECT    Subject contains a Japanese UCE tag
325.  
326. # quinlan: "advertisement" in Russian KOI8-R
327. # (no longer common, but worth noting in future)
328. #header RUSSIAN_UCE_SUBJECT    Subject =~ /\xf0\xe5\xea\xeb\xe0\xec\xf3/
329. #describe RUSSIAN_UCE_SUBJECT    Subject contains a Russian UCE tag
330.  
331. # Korean UCE Subject: lines are usually 8-bit, but are occasionally encoded
332. # with quoted-printable or base64.
333. #
334. # \xbc\xba\xc0\xce means "adult"
335. # \xb1\xa4\xb0\xed means "advertisement"
336. # \xc1\xa4\xba\xb8 means "information"
337. # \xc8\xab\xba\xb8 means "publicity"
338. #
339. # Each two byte sequence is one Korean letter; the spaces and periods are
340. # sometimes used to obscure the words.  \xb1\xa4\xb0\xed is the most common
341. # tag and is sometimes very obscured so we look harder.
342. #
343. header KOREAN_UCE_SUBJECT    Subject =~ /[({[<][. ]*(?:\xbc\xba[. ]*\xc0\xce[. ]*)?(?:\xb1\xa4(?:[. ]*|[\x00-\x7f]{0,3})\xb0\xed|\xc1\xa4[. ]*\xba\xb8|\xc8\xab[. ]*\xba\xb8)[. ]*[)}\]>]/
344. describe KOREAN_UCE_SUBJECT    Subject: contains Korean unsolicited email tag
345.  
346. ###########################################################################
347.  
348. header FROM_AND_TO_SAME        eval:check_for_from_to_same()
349. describe FROM_AND_TO_SAME    From and To are the same, but not exactly
350.  
351. header FORGED_RCVD_HELO        eval:check_for_forged_received_helo()
352. describe FORGED_RCVD_HELO    Received: contains a forged HELO
353.  
354. header RCVD_HELO_IP_MISMATCH    eval:helo_ip_mismatch()
355. describe RCVD_HELO_IP_MISMATCH    Received: HELO and IP do not match, but should
356.  
357. header RCVD_NUMERIC_HELO    eval:check_for_numeric_helo()
358. describe RCVD_NUMERIC_HELO    Received: contains an IP address used for HELO
359.  
360. header RCVD_ILLEGAL_IP        eval:check_for_illegal_ip()
361. describe RCVD_ILLEGAL_IP    Received: contains illegal IP address
362.  
363. # no legit mailer claims that their mailserver has no name
364. # overlaps with RCVD_DOUBLE_IP*, but let's see how it is scored
365. header RCVD_BY_IP    Received =~ /\bby\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?<!127\.0\.0\.1)\b/
366. describe RCVD_BY_IP    Received by mail server with no name
367.  
368. # two reliable signatures
369. header __DOUBLE_IP_SPAM_1    Received =~ /from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} with/
370. header __DOUBLE_IP_SPAM_2    Received =~ /from\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+by\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3};/
371. # loose match
372. header __DOUBLE_IP_LOOSE    Received =~ /(?:\b(?:from|by)\b.{1,4}\b\d{1,3}[._-]\d{1,3}[._-]\d{1,3}[._-]\d{1,3}(?<!127\.0\.0\.1)\b.{0,4}){2}/i
373. # spam signature
374. meta RCVD_DOUBLE_IP_SPAM    (__DOUBLE_IP_SPAM_1 || __DOUBLE_IP_SPAM_2)
375. describe RCVD_DOUBLE_IP_SPAM    Bulk email fingerprint (double IP) found
376. # other matches
377. meta RCVD_DOUBLE_IP_LOOSE    (__DOUBLE_IP_LOOSE && !RCVD_DOUBLE_IP_SPAM)
378. describe RCVD_DOUBLE_IP_LOOSE   Received: by and from look like IP addresses
379.  
380. header FORGED_AOL_RCVD            eval:check_for_fake_aol_relay_in_rcvd()
381. describe FORGED_AOL_RCVD    Received forged, contains fake AOL relays
382.  
383. header FORGED_TELESP_RCVD    Received =~ /\.(?!br).. \(\d+-\d+-\d+-\d+\.dsl\.telesp\.net\.br /
384. describe FORGED_TELESP_RCVD    Contains forged hostname for a DSL IP in Brazil
385.  
386. # a forged Hotmail message; host HELO'd as hotmail.com, but it wasn't
387. header FORGED_HOTMAIL_RCVD    eval:check_for_forged_hotmail_received_headers()
388. describe FORGED_HOTMAIL_RCVD    Forged hotmail.com 'Received:' header found
389.  
390. # this, by comparison is more common: from was @hotmail.com, but it wasn't
391. header FORGED_HOTMAIL_RCVD2    eval:check_for_no_hotmail_received_headers()
392. describe FORGED_HOTMAIL_RCVD2 hotmail.com 'From' address, but no 'Received:'
393.  
394. header FORGED_EUDORAMAIL_RCVD    eval:check_for_forged_eudoramail_received_headers()
395. describe FORGED_EUDORAMAIL_RCVD    Forged eudoramail.com 'Received:' header found
396.  
397. header FORGED_YAHOO_RCVD    eval:check_for_forged_yahoo_received_headers()
398. describe FORGED_YAHOO_RCVD    'From' yahoo.com does not match 'Received' headers
399.  
400. header FORGED_JUNO_RCVD        eval:check_for_forged_juno_received_headers()
401. describe FORGED_JUNO_RCVD    'From' juno.com does not match 'Received' headers
402.  
403. header FORGED_GW05_RCVD        eval:check_for_forged_gw05_received_headers()
404. describe FORGED_GW05_RCVD    Forged 'by gw05' 'Received:' header found
405.  
406. # not used directly right now due to FPs; but CONFIRMED_FORGED turns it
407. # into a 1.0 S/O rule anyway, so that's not a problem ;)
408. # 2.626   3.6340   1.5251    0.704   0.34    1.44  FORGED_RCVD_TRAIL
409. # 0.956   3.3890   0.0000    1.000   0.98    4.30  CONFIRMED_FORGED
410. header __FORGED_RCVD_TRAIL    eval:check_for_forged_received_trail()
411.  
412. # forgery meta-rules: more reliable than their inputs
413. meta CONFIRMED_FORGED        (__FORGED_RCVD_TRAIL && (FORGED_AOL_RCVD || FORGED_HOTMAIL_RCVD || FORGED_EUDORAMAIL_RCVD || FORGED_YAHOO_RCVD || FORGED_JUNO_RCVD || FORGED_GW05_RCVD))
414. describe CONFIRMED_FORGED    Received headers are forged
415.  
416. meta MULTI_FORGED        ((FORGED_AOL_RCVD + FORGED_HOTMAIL_RCVD + FORGED_EUDORAMAIL_RCVD + FORGED_YAHOO_RCVD + FORGED_JUNO_RCVD + FORGED_GW05_RCVD) > 1)
417. describe MULTI_FORGED        Received headers indicate multiple forgeries
418.  
419. header NONEXISTENT_CHARSET    Content-Type =~ /charset=.?DEFAULT/
420. describe NONEXISTENT_CHARSET    Character set doesn't exist
421.  
422. header CHARSET_FARAWAY_HEADER    eval:check_for_faraway_charset_in_headers()
423. describe CHARSET_FARAWAY_HEADER    A foreign language charset used in headers
424. tflags CHARSET_FARAWAY_HEADER    userconf
425.  
426. header X_PRIORITY_HIGH        X-Priority =~ /^1/
427. describe X_PRIORITY_HIGH    Sent with 'X-Priority' set to high
428.  
429. header X_MSMAIL_PRIORITY_HIGH    X-Msmail-Priority =~ /^High/
430. describe X_MSMAIL_PRIORITY_HIGH    Sent with 'X-Msmail-Priority' set to high
431.  
432. # this variant is local, using the Received hdr itself...
433. header ROUND_THE_WORLD_LOCAL    eval:check_for_round_the_world_received_helo()
434. describe ROUND_THE_WORLD_LOCAL    Received: says mail sent around the world (HELO)
435.  
436. header MISSING_DATE             Date =~ /^UNSET$/ [if-unset: UNSET]
437. describe MISSING_DATE           Missing Date: header
438.  
439. # this is a quite common false positive, as it's legal to remove a To but leave
440. # a CC. so don't score it high.
441. header MISSING_HEADERS        eval:check_for_missing_to_header()
442. describe MISSING_HEADERS    Missing To: header
443.  
444. header __HAS_SUBJECT        exists:Subject
445. meta MISSING_SUBJECT        !__HAS_SUBJECT
446. describe MISSING_SUBJECT    Missing Subject: header
447.  
448. header SUSPICIOUS_RECIPS    eval:similar_recipients('0.65','undef')
449. describe SUSPICIOUS_RECIPS    Similar addresses in recipient list
450.  
451. header SORTED_RECIPS        eval:sorted_recipients()
452. describe SORTED_RECIPS        Recipient list is sorted by address
453.  
454. header GAPPY_SUBJECT        Subject =~ /\b(?:[a-z]([-_. =~\/:,*!\@\#\$\%\^&+;\"\'<>\\])\1{0,2}){4}/i
455. describe GAPPY_SUBJECT        Subject: contains G.a.p.p.y-T.e.x.t
456.  
457. ### header existence tests (description is added automatically)
458.  
459. # X-Fix example: NTMail fixed non RFC822 compliant EMail message
460. #
461. # X-PMFLAGS is all caps
462. #
463. # Headers that seem to only be used by a single spamming software and
464. # are found together in the same message:
465. # 1. X-MailingID and X-ServerHost
466. # 2. X-Stormpost-To and X-List-Unsubscribe
467. #
468. # not spammish: X-EM-Registration, X-EM-Version, X-Antiabuse, X-List-Host,
469. # X-Message-Id
470. # bad FP rate: Comment, Date-warning
471.  
472. header PREVENT_NONDELIVERY    exists:Prevent-NonDelivery-Report
473. describe PREVENT_NONDELIVERY    Message has Prevent-NonDelivery-Report header
474.  
475. header X_IP            exists:X-IP
476. describe X_IP            Message has X-IP header
477.  
478. header X_LIBRARY        exists:X-Library
479. describe X_LIBRARY        Message has X-Library header
480.  
481. # this rule is case-sensitive
482. header X_MESSAGE_FLAG_ODD    ALL =~ /^X-Message-flag:/m
483. describe X_MESSAGE_FLAG_ODD    Message has X-Message-flag header (odd case)
484.  
485. header   __HAS_MIMEOLE          exists:X-MimeOLE
486. header   __HAS_MSMAIL_PRI       exists:X-MSMail-Priority
487. header   __HAS_SQUIRRELMAIL_IN_MAILER    X-Mailer =~ /SquirrelMail\b/
488. meta     MISSING_MIMEOLE    (__HAS_MSMAIL_PRI && !__HAS_MIMEOLE && !__HAS_SQUIRRELMAIL_IN_MAILER)
489. describe MISSING_MIMEOLE    Message has X-MSMail-Priority, but no X-MimeOLE
490.  
491. header __HAS_X_MAILER        exists:X-Mailer
492.  
493. header __IS_EXCH        X-MimeOLE =~ /Produced By Microsoft Exchange V/
494.  
495. header __HAS_X_PRIORITY     exists:X-Priority
496. header __USER_AGENT             exists:User-Agent
497. header __X_NEWSREADER        exists:X-Newsreader
498. meta PRIORITY_NO_NAME        ((__HAS_X_PRIORITY && __HAS_MSMAIL_PRI) && !__HAS_X_MAILER && !__IS_EXCH && !__USER_AGENT && !__X_NEWSREADER)
499. describe PRIORITY_NO_NAME    Message has priority, but no user agent name
500.  
501. header SUBJ_AS_SEEN        Subject =~ /\bAs Seen/i
502. describe SUBJ_AS_SEEN        Subject contains "As Seen"
503.  
504. header SUBJ_DOLLARS             Subject =~ /^\$[0-9.,]+\b/
505. describe SUBJ_DOLLARS           Subject starts with dollar amount
506.  
507. header SUBJ_FOR_ONLY         Subject =~ /For Only/i
508. describe SUBJ_FOR_ONLY         Subject contains "For Only"
509.  
510. header SUBJ_FREE_CAP        Subject =~ /FREE|F.R.E.E\b/
511. describe SUBJ_FREE_CAP        Subject contains "FREE" in CAPS
512.  
513. header SUB_FREE_OFFER           Subject =~ /^fre{2,}\b/i
514. describe SUB_FREE_OFFER         Subject starts with "Free"
515.  
516. header SUBJ_GUARANTEED          Subject =~ /^guaranteed|(?-i:GUARANTEE)/i
517. describe SUBJ_GUARANTEED        Subject GUARANTEED
518.  
519. header SUB_HELLO                Subject =~ /^hello\b/i
520. describe SUB_HELLO              Subject starts with "Hello"
521.  
522. header SUBJ_LIFE_INSURANCE    Subject =~ /life\s+insurance/i
523. describe SUBJ_LIFE_INSURANCE    Subject includes "life insurance"
524.  
525. header SUBJ_YOUR_DEBT        Subject =~ /Your (?:Bills|Debt|Credit)/i
526. describe SUBJ_YOUR_DEBT        Subject contains "Your Bills" or similar
527.  
528. header SUBJ_YOUR_FAMILY        Subject =~ /Your Family/i
529. describe SUBJ_YOUR_FAMILY    Subject contains "Your Family"
530.  
531. header SUBJ_YOUR_OWN        Subject =~ /Your Own/i
532. describe SUBJ_YOUR_OWN        Subject contains "Your Own"
533.  
534. # the real services never HELO as 'foo.com', instead 'mail.foo.com' or
535. # something like that.  Note: be careful when expanding this... legit dotcom
536. # HELOers include: hotmail.com, drizzle.com, lockergnome.com.
537. header RCVD_FAKE_HELO_DOTCOM    Received =~ /^from (?:msn|yahoo|yourwebsite|lycos|excite|cs|aol|localhost|koreanmail|allexecs|mydomain|juno|eudoramail|compuserve|desertmail|excite|caramail)\.com \(/m
538. describe RCVD_FAKE_HELO_DOTCOM  Received contains a faked HELO hostname
539.  
540. header ADDRESS_IN_SUBJECT    eval:check_for_to_in_subject('address')
541. describe ADDRESS_IN_SUBJECT    To: address appears in Subject
542.  
543. header LOCALPART_IN_SUBJECT    eval:check_for_to_in_subject('user')
544. describe LOCALPART_IN_SUBJECT    Local part of To: address appears in Subject
545.  
546. header SUBJECT_DIET        Subject =~ /\bLose .*(?:pounds|lbs|weight)/i
547. describe SUBJECT_DIET        Subject talks about losing pounds
548.  
549. header EXTRA_MPART_TYPE         Content-Type =~ /(?:\s*multipart\/)?.* type=/i
550. describe EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
551.  
552. header TO_RECIP_MARKER          To =~ /\#recipient\#/
553. describe TO_RECIP_MARKER        To header contains 'recipient' marker
554.  
555. # MIME boundary tests; spam tools use distinctive patterns.
556. header MIME_BOUND_DD_DIGITS    Content-Type =~ /boundary=\"--\d+\"/
557. describe MIME_BOUND_DD_DIGITS    Spam tool pattern in MIME boundary
558. header MIME_BOUND_DIGITS_7    Content-Type =~ /boundary=\d{9}\.\d{13}/
559. describe MIME_BOUND_DIGITS_7    Spam tool pattern in MIME boundary
560. header MIME_BOUND_DIGITS_15    Content-Type =~ /boundary=\"\d{15,}\"/
561. describe MIME_BOUND_DIGITS_15    Spam tool pattern in MIME boundary
562. header MIME_BOUND_MANY_HEX    Content-Type =~ /boundary="[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}"/
563. describe MIME_BOUND_MANY_HEX    Spam tool pattern in MIME boundary
564. header __NEXTPART_ALL        Content-Type =~ /NextPart/
565. header __NEXTPART_NORMAL    Content-Type =~ /="(?:----_?=_)?NextPart_[\dA-F]{3}(_[\dA-F]{3,8})?_[\dA-F]{8}\.[\dA-F]{8}"/
566. meta MIME_BOUND_NEXTPART    (__NEXTPART_ALL && !__NEXTPART_NORMAL)
567. describe MIME_BOUND_NEXTPART    Spam tool pattern in MIME boundary
568. header MIME_BOUND_RKFINDY       Content-Type =~ /boundary=\"=_NextPart_2rfkindysadvnqw3nerasdf\"/
569. describe MIME_BOUND_RKFINDY     Spam tool pattern in MIME boundary (rfkindy)
570.  
571. # note: the first alternation is anchored for speed
572. header TO_MALFORMED             To !~ /(?:^|[^\S"])(?:(?:\"[^\"]+\"|\S+)\@\S+\.\S+|^\s*.+:\s*;|^\s*\"[^\"]+\":\s*;|^\s*\([^\)]*\)\s*$|<\S+(?:\!\S+){1,}>|^\s*$)/ [if-unset: unset@unset.unset]
573. describe TO_MALFORMED           To: has a malformed address
574.  
575. header ADDR_FREE              From =~ /\b(?-i:F)ree(?-i:[ A-Z]).*</i
576. describe ADDR_FREE            From Address contains FREE
577.  
578. # common spam-dropping: To: C:\VICTIMS.txt@yourmx.org
579. header TO_TXT            To =~ /\.txt[\'\"]?\@/i
580. describe TO_TXT            Sent to a text file
581.  
582. header CHINA_HEADER             ALL =~ /\@china\.com/i
583. describe CHINA_HEADER           Involves 'china.com'
584.  
585. header __CD                     exists:Content-Disposition
586. header __CT                     exists:Content-Type
587. header __CTE                    exists:Content-Transfer-Encoding
588. header __MIME_VERSION           exists:MIME-Version
589. header __CT_TEXT_PLAIN          Content-Type =~ /^text\/plain\b/i
590. meta MIME_HEADER_CTYPE_ONLY     (!__CD && !__CTE && __CT && !__MIME_VERSION && !__CT_TEXT_PLAIN)
591. describe MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
592.  
593. header WITH_LC_SMTP        Received =~ /\swith\ssmtp;\s/
594. describe WITH_LC_SMTP        Received line contains spam-sign (lowercase smtp)
595.  
596. header FROM_NO_LOWER        From:addr !~ /[a-z]/ [if-unset: x@example.com]
597. describe FROM_NO_LOWER        From address has no lower-case characters
598.  
599. header SUBJ_BUY                 Subject =~ /^buy/i
600. describe SUBJ_BUY               Subject line starts with Buy or Buying
601.  
602. # seems to be ratware
603. header RCVD_AM_PM        Received =~ /; [A-Z][a-z][a-z], \d{1,2} \d{4} \d{1,2}:\d\d:\d\d [AP]M [+-]\d{4}/
604. describe RCVD_AM_PM        Received headers forged (AM/PM)
605.  
606. header HEADER_COUNT_CTYPE    eval:check_header_count_range('Content-Type','2','999')
607. describe HEADER_COUNT_CTYPE    Multiple Content-Type headers found
608.  
609. header __USER_AGENT_MSN             X-Mailer =~ /^MSN Explorer /
610.  
611. header NO_RDNS_DOTCOM_HELO    eval:check_for_no_rdns_dotcom_helo()
612. describe NO_RDNS_DOTCOM_HELO    Host HELO'd as a big ISP, but had no rDNS
613.  
614. header X_ORIG_IP_NOT_IPV4    X-Originating-IP !~ /\[?(?:\d{1,3}\.){3}\d{1,3}\]?/ [if-unset: 0.0.0.0]
615. describe X_ORIG_IP_NOT_IPV4    X-Originating-IP doesn't look like IPv4 address
616.  
617. # match the format of a legit X-Auth-Warning header, and hit on fake ones
618. # normal: "e4e.oac.uci.edu: foo owned process doing -bs"
619. # fake: "bzgrdag, upaeqehv"
620. header X_AUTH_WARN_FAKED    X-Authentication-Warning !~ /(?:set sender to \S{2,80} using -f|owned process doing -bs|claimed to be|didn.t use HELO protocol)/ [if-unset: host.example.com: foo owned process doing -bs]
621. describe X_AUTH_WARN_FAKED    X-Authentication-Warning header looks faked
622.  
623. # host no longer exists according to administrator
624. header FAKE_OUTBLAZE_RCVD    Received =~ /\.mr\.outblaze\.com/
625. describe FAKE_OUTBLAZE_RCVD    Received header contains faked 'mr.outblaze.com'
626.  
627. # domains never longer used for email, confirmed by administrator
628. header FROM_NONSENDING_DOMAIN    From:addr =~ /\@(?:altavista\.com|eudora\.com)$/i
629. describe FROM_NONSENDING_DOMAIN    Message is from domain that never sends email
630.  
631. header SUBJ_2_NUM_PARENS        Subject =~ /^\(\d+\).*\(\d+\)\s*$/
632. describe SUBJ_2_NUM_PARENS      Subject contains common spam sign (2 numbers)
633.  
634. # thanks to David Ritz for passing this on; ready for post-3.0.0
635. header UNCLOSED_BRACKET        ALL =~ /\[\d+\r?\n/s
636. describe UNCLOSED_BRACKET    Headers contain an unclosed bracket
637.  
638. # some header rules
639. header ORG_MIME_TOOLS        Organization =~ /MIME-tools/
640. describe ORG_MIME_TOOLS        Organization is MIME-tools
641.  
642. header X_MIME_AUTOCONVERTED    X-MIME-Autoconverted =~ /Yes/
643. describe X_MIME_AUTOCONVERTED    Message has X-MIME-Autoconverted "Yes" header
644.  
645. header __HOTMAIL_RCVD        Received =~/\bhotmail\.com\b/
646. header __HOTMAIL_SMTPSVC    Received =~ /\bwith Microsoft SMTPSVC;/
647. header __HOTMAIL_OIP        X-Originating-IP =~ /\[(\d{1,3}\.){3}\d{1,3}\]/
648. header __RECEIVED_DAV        Received =~ /\bwith DAV;/
649. meta DAV_NON_HOTMAIL        __RECEIVED_DAV && !(__HOTMAIL_RCVD && __HOTMAIL_SMTPSVC && __HOTMAIL_OIP)
650. describe DAV_NON_HOTMAIL    Message sent using DAV, but not via Hotmail
651.  
652. header FROM_DOMAIN_NOVOWEL    From =~ /\@\S*[bcdfghjklmnpqrstvwxz]{7}/i
653. describe FROM_DOMAIN_NOVOWEL    From: domain has series of non-vowel letters
654.  
655. header FROM_LOCAL_NOVOWEL    From =~ /[bcdfghjklmnpqrstvwxz]{7}\S*\@/i
656. describe FROM_LOCAL_NOVOWEL    From: localpart has series of non-vowel letters
657.  
658. header SUBJECT_NOVOWEL        Subject =~ /[bcdfghjklmnpqrstvwxz]{8}/i
659. describe SUBJECT_NOVOWEL    Subject: has long non-vowel letter sequence
660.  
661. header FROM_LOCAL_HEX        From =~ /[0-9a-f]{11}\S*\@/i
662. describe FROM_LOCAL_HEX        From: localpart has long hexadecimal sequence
663.  
664. header FROM_LOCAL_DIGITS    From =~ /\d{11}\S*\@/i
665. describe FROM_LOCAL_DIGITS    From: localpart has long digit sequence
666.  
667. header X_MAILER_SPAM        X-Mailer !~ m{[A-Z0-9./]} [if-unset: Foo 1.0]
668. describe X_MAILER_SPAM        X-Mailer: header is bulk email fingerprint
669.  
670. header __TOCC_EXISTS        exists:ToCc
671. meta TO_CC_NONE            !__TOCC_EXISTS
672. describe TO_CC_NONE        No To: or Cc: header
673.  
674. header X_PRIORITY_CC        ALL =~ /\nX-Priority:[^\n]{0,80}\nCc:/si
675. describe X_PRIORITY_CC        Cc: after X-Priority: (bulk email fingerprint)
676.  
677. header    SUBJ_CONSONANTS       Subject =~ /\b[bcghjklmnpqrstvwxz]{6,20}\b/
678. describe  SUBJ_CONSONANTS       Subject contains consecutive consonants in "word"
679.  
680. # catch non-RFC2047 compliant messages
681. # Apple Mail has a bug where headers will have whitespace around the encoded
682. # text, so try to ignore that
683. header BAD_ENC_HEADER        ALL =~ /=\?[^?\s]+\?[^?\s]\?\s*[^?]+\s(?!\?=)/
684. describe BAD_ENC_HEADER        Message has bad MIME encoding in the header
685.