home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
ftp.f-secure.com
/
2014.06.ftp.f-secure.com.tar
/
ftp.f-secure.com
/
support
/
hotfix
/
fsis
/
IS-SpamControl.fsfix
/
iufssc
/
rules
/
96_fs-dyndns.cf
< prev
next >
Wrap
Text File
|
2006-11-29
|
12KB
|
315 lines
# 96_fs-dyndns.cf -- era Mon May 23 11:05:26 2005
# Copyright (C) 2005-2006 F-Secure Corporation
# $Id: 96_fs-dyndns.cf 4051 2006-10-26 10:20:32Z eriker $
ifplugin FS::MsgStructure
# Tests rely on X-Spam-Relays-Untrusted: header --> require DNS --> tflags net
# rule: RDNS_DYNAMIC_HEX_IP
# added 2005-05-17
# test: ######## TODO: add test case
loadplugin FS::FSEvalTests
header RDNS_DYNAMIC_HEX_IP eval:rdns_dynamic_hex_ip()
describe RDNS_DYNAMIC_HEX_IP Injection point's RDNS has IP address in hex
tflags RDNS_DYNAMIC_HEX_IP net
score RDNS_DYNAMIC_HEX_IP 1
# rule: __RDNS_DYNAMIC_IP_4
# added 2005-05-12
# edit 2005-05-16: fix error, relax regex somewhat
# edit 2005-05-19: allow leading zeros
# test: spam-2005-05-16/df-2005-05-16-007309.txt
# test: spam-2005-05-19/df-2005-05-19-004112.txt
header __RDNS_DYNAMIC_IP_4 X-Spam-Relays-Untrusted =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) rdns=(?:[-A-Za-z0-9.]*[^0-9 ])?(?:00?)?\1.(?:00?)?\2.(?:00?)?\3.(?:00?)?\4[-.]/
describe __RDNS_DYNAMIC_IP_4 Reverse DNS contains IP address
tflags __RDNS_DYNAMIC_IP_4 net
# rule: __RDNS_DYNAMIC_IP_4CRASH
# added 2005-05-12
# edit 2005-05-18: relax bounding regex
# edit 2005-05-19: allow double leading zeros
# test: spam-2005-05-12/df-2005-05-12-000584.txt
header __RDNS_DYNAMIC_IP_4CRASH X-Spam-Relays-Untrusted =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) rdns=(?:[-A-Za-z0-9.]*[^0-9 ])?(?:00?)?\1(?:00?)?\2(?:00?)?\3(?:00?)?\4[-.]/
describe __RDNS_DYNAMIC_IP_4CRASH Reverse DNS contains IP address without separators
tflags __RDNS_DYNAMIC_IP_4CRASH net
# rule: __RDNS_DYNAMIC_IP_4REVERSE
# added 2005-05-12
# edit 2005-05-18: relax bounding regex
# edit 2005-05-19: allow leading zeros
# test: ######## TODO: fill in
header __RDNS_DYNAMIC_IP_4REVERSE X-Spam-Relays-Untrusted =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) rdns=(?:[-A-Za-z0-9.]*[^0-9 ])?(?:00?)?\4.(?:00?)?\3.(?:00?)?\2\.(?:00?)?1[-.]/
describe __RDNS_DYNAMIC_IP_4REVERSE Reverse DNS contains reverse IP address
tflags __RDNS_DYNAMIC_IP_4REVERSE net
# rule: RDNS_DYNAMIC_IP_4
meta RDNS_DYNAMIC_IP_4 (__RDNS_DYNAMIC_IP_4 || __RDNS_DYNAMIC_IP_4CRASH || __RDNS_DYNAMIC_IP_4REVERSE)
describe RDNS_DYNAMIC_IP_4 Reverse DNS contains full IP address
tflags RDNS_DYNAMIC_IP_4 net
score RDNS_DYNAMIC_IP_4 1
# rule: __RDNS_DYNAMIC_IP_3
# added 2005-05-12
# edit 2005-05-18: relax bounding regex
# edit 2005-05-19: allow leading zeros
# test: ######## TODO: fill in
header __RDNS_DYNAMIC_IP_3 X-Spam-Relays-Untrusted =~ /^\[ ip=\d+\.(\d+)\.(\d+)\.(\d+) rdns=(?:[-A-Za-z0-9.]*[^0-9 ])?(?:00?)?\1.(?:00?)?\2.(?:00?)?\3[-.]/
describe __RDNS_DYNAMIC_IP_3 Reverse DNS contains 3 octets of IP address
tflags __RDNS_DYNAMIC_IP_3 net
# rule: __RDNS_DYNAMIC_IP_3C
# added 2005-05-12
# edit 2005-05-18: relax bounding regex
# edit 2005-05-19: allow double leading zeros
# test: spam-2005-05-12/df-2005-05-12-000584.txt
header __RDNS_DYNAMIC_IP_3C X-Spam-Relays-Untrusted =~ /^\[ ip=\d+\.(\d+)\.(\d+)\.(\d+) rdns=(?:[-A-Za-z0-9.]*[^0-9 ])?(?:00?)?\1(?:00?)?\2(?:00?)?\3[-.]/
describe __RDNS_DYNAMIC_IP_3C Reverse DNS has 3 octets of IP without separator
tflags __RDNS_DYNAMIC_IP_3C net
# rule: __RDNS_DYNAMIC_IP_3R
# added 2005-05-12
# edit 2005-05-18: relax bounding regex
# edit 2005-05-19: allow leading zeros
# test: ######## TODO: fill in
header __RDNS_DYNAMIC_IP_3R X-Spam-Relays-Untrusted =~ /^\[ ip=\d+\.(\d+)\.(\d+)\.(\d+) rdns=(?:[-A-Za-z0-9.]*[^0-9 ])?(?:00?)?\3.(?:00?)?\2.(?:00?)?\1[-.]/
describe __RDNS_DYNAMIC_IP_3R Reverse DNS has reversed 3 last octets of IP
tflags __RDNS_DYNAMIC_IP_3R net
# rule: RDNS_DYNAMIC_IP_3
meta RDNS_DYNAMIC_IP_3 (!RDNS_DYNAMIC_IP_4 && (__RDNS_DYNAMIC_IP_3 || __RDNS_DYNAMIC_IP_3C || __RDNS_DYNAMIC_IP_3C))
describe RDNS_DYNAMIC_IP_3 Reverse DNS contains last 3 octets of IP address
tflags RDNS_DYNAMIC_IP_3 net
score RDNS_DYNAMIC_IP_3 0.5
# rule: __RDNS_DYNAMIC_IP_2
# added 2005-05-12
# edit 2005-05-18: relax bounding regex
# edit 2005-05-19: allow leading zeros
# test: spam-2005-05-18/df-2005-05-18-001604.txt
header __RDNS_DYNAMIC_IP_2 X-Spam-Relays-Untrusted =~ /^\[ ip=\d+\.\d+\.(\d+)\.(\d+) rdns=(?:[-A-Za-z0-9.]*[^0-9 ])?(?:00?)?\1.(?:00?)?\2[-.]/
describe __RDNS_DYNAMIC_IP_2 Reverse DNS contains last 2 octets of IP address
tflags __RDNS_DYNAMIC_IP_2 net
# rule: __RDNS_DYNAMIC_IP_2R
# added 2005-05-12
# edit 2005-05-18: relax bounding regex
# edit 2005-05-19: allow leading zeros
# test: spam-2005-05-12/df-2005-05-12-003187.txt
header __RDNS_DYNAMIC_IP_2R X-Spam-Relays-Untrusted =~ /^\[ ip=\d+\.\d+\.(\d+)\.(\d+) rdns=(?:[-A-Za-z0-9.]*[^0-9 ])?(?:00?)?\2.(?:00?)?\1[-.]/
describe __RDNS_DYNAMIC_IP_2R Reverse DNS has reversed 2 last octets of IP
tflags __RDNS_DYNAMIC_IP_2R net
# rule: RDNS_DYNAMIC_IP_2
meta RDNS_DYNAMIC_IP_2 (!RDNS_DYNAMIC_IP_4 && !RDNS_DYNAMIC_IP_3 && (__RDNS_DYNAMIC_IP_2 || __RDNS_DYNAMIC_IP_2R))
describe RDNS_DYNAMIC_IP_2 Reverse DNS contains last 2 octets of IP address
score RDNS_DYNAMIC_IP_2 0.2
tflags RDNS_DYNAMIC_IP_2 net
# rule: __RDNS_DYNAMIC_IP_1
# added 2005-05-19
# test: spam-2005-05-19/df-2005-05-19-002431.txt
header __RDNS_DYNAMIC_IP_1 X-Spam-Relays-Untrusted =~ /^\[ ip=\d+\.\d+\.\d+\.(\d+) rdns=(?:[-A-Za-z0-9.]*[^0-9 ])?(?:00?)?\1[-.]/
describe __RDNS_DYNAMIC_IP_1 Reverse DNS contains last octet of IP address
tflags __RDNS_DYNAMIC_IP_1 net
# rule: RDNS_DYNAMIC_IP_1
meta RDNS_DYNAMIC_IP_1 (!RDNS_DYNAMIC_IP_4 && !RDNS_DYNAMIC_IP_3 && !RDNS_DYNAMIC_IP_2 && __RDNS_DYNAMIC_IP_1)
describe RDNS_DYNAMIC_IP_1 Reverse DNS contains last octet of IP address
tflags RDNS_DYNAMIC_IP_1 net
score RDNS_DYNAMIC_IP_1 0.1
# rule: RDNS_DYNAMIC_BIGINT
# added 2005-05-19
# edit 2005-05-20: special exemption for webnnnn.mail.yahoo.com
# test: spam-2005-05-19/df-2005-05-19-004271.txt
# test: spam-2005-05-19/df-2005-05-19-004361.txt
# fail: reference/yahoo-sample-0001.eml
header RDNS_DYNAMIC_BIGINT X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=(?!web\d+\.mail\.yahoo\.com )[-A-Za-z0-9]*[-A-Za-z.]\d{4,20}[-.]/
describe RDNS_DYNAMIC_BIGINT Reverse DNS contains a big number
tflags RDNS_DYNAMIC_BIGINT net
score RDNS_DYNAMIC_BIGINT 1
# rule: RDNS_DYNAMIC_BIGHEX
# added 2005-05-19
# test: spam-2005-05-19/df-2005-05-19-007985.txt
header RDNS_DYNAMIC_BIGHEX X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[-A-Za-z0-9]*[-A-Za-z.][0-9A-Fa-f]{8}[-.]/
describe RDNS_DYNAMIC_BIGHEX Reverse DNS contains a big hex number
tflags RDNS_DYNAMIC_BIGHEX net
score RDNS_DYNAMIC_BIGHEX 1
# rule: __RDNS_DYNAMIC_IP
# added 2005-05-18
# edit 2005-12-20: corrected references to RDNS_DYNAMIC_* rules
# edit 2006-10-26: add underscores to name, remove score
meta __RDNS_DYNAMIC_IP (RDNS_DYNAMIC_HEX_IP || RDNS_DYNAMIC_IP_4 || RDNS_DYNAMIC_IP_3 || RDNS_DYNAMIC_IP_2 || RDNS_DYNAMIC_IP_1 || RDNS_DYNAMIC_BIGINT || RDNS_DYNAMIC_BIGHEX)
describe __RDNS_DYNAMIC_IP One of the RDNS_DYNAMIC_* rules matches
tflags __RDNS_DYNAMIC_IP net
######## TODO: add more provider-specific dynamic RDNS patterns
# test: spam-2005-05-18/df-2005-05-18-001689.txt
# test: spam-2005-05-18/df-2005-05-18-001579.txt
# test: spam-2005-05-18/df-2005-05-18-001464.txt
# test: spam-2005-05-18/df-2005-05-18-001494.txt
# test: spam-2005-05-18/df-2005-05-18-001662.txt
# test: spam-2005-05-18/df-2005-05-18-001687.txt
# test: spam-2005-05-18/df-2005-05-18-001630.txt
# test: spam-2005-05-18/df-2005-05-18-001657.txt
# test: spam-2005-05-18/df-2005-05-18-001710.txt
# test: spam-2005-05-18/df-2005-05-18-001476.txt
# test: spam-2005-05-18/df-2005-05-18-001678.txt
# test: spam-2005-05-18/df-2005-05-18-001551.txt
# test: spam-2005-05-18/df-2005-05-18-001558.txt
# test: spam-2005-05-18/df-2005-05-18-001643.txt
# test: spam-2005-05-18/df-2005-05-18-001700.txt
# test: spam-2005-05-18/df-2005-05-18-001500.txt
# test: spam-2005-05-18/df-2005-05-18-001576.txt
# test: spam-2005-05-18/df-2005-05-18-001572.txt
# test: spam-2005-05-18/df-2005-05-18-001501.txt
# test: spam-2005-05-18/df-2005-05-18-001475.txt
# test: spam-2005-05-18/df-2005-05-18-001487.txt
# test: spam-2005-05-18/df-2005-05-18-001393.txt
# test: spam-2005-05-18/df-2005-05-18-001620.txt
# test: spam-2005-05-18/df-2005-05-18-001556.txt
# test: spam-2005-05-18/df-2005-05-18-001483.txt
# test: spam-2005-05-18/df-2005-05-18-001486.txt
# test: spam-2005-05-18/df-2005-05-18-001535.txt
# test: spam-2005-05-18/df-2005-05-18-001636.txt
# test: spam-2005-05-18/df-2005-05-18-001409.txt
# test: spam-2005-05-18/df-2005-05-18-001544.txt
# test: spam-2005-05-18/df-2005-05-18-001478.txt
# test: spam-2005-05-18/df-2005-05-18-001578.txt
# test: spam-2005-05-18/df-2005-05-18-001484.txt
# test: spam-2005-05-18/df-2005-05-18-001561.txt
# test: spam-2005-05-18/df-2005-05-18-001580.txt
# test: spam-2005-05-18/df-2005-05-18-001664.txt
# test: spam-2005-05-18/df-2005-05-18-001396.txt
# test: spam-2005-05-18/df-2005-05-18-001655.txt
# test: spam-2005-05-18/df-2005-05-18-001613.txt
# test: spam-2005-05-18/df-2005-05-18-001564.txt
# test: spam-2005-05-18/df-2005-05-18-001528.txt
# test: spam-2005-05-18/df-2005-05-18-001615.txt
# test: spam-2005-05-18/df-2005-05-18-001398.txt
# rule: DIRECT_MX_FORGED_RECEIVED
# added 2005-05-19
# edit 2005-05-27: __UNTRUSTED_TAIL_PRIV case
# test: spam-2005-05-19/df-2005-05-19-007196.txt
header __MULTIPLE_UNTRUSTED_RELAYS X-Spam-Relays-Untrusted =~ /\] \[/
######## FIXME: modularize to use reserved range from Constants.pm
header __UNTRUSTED_TAIL_PRIV X-Spam-Relays-Untrusted =~ /^[^\]]+\]( \[ ip=(192\.168|172.(1[6-9]|2[0-9]|3[01])|169.254\|127|10)\.[^\]]+\])+$/
meta DIRECT_MX_FORGED_RECEIVED (__MULTIPLE_UNTRUSTED_RELAYS && !__UNTRUSTED_TAIL_PRIV && __RDNS_DYNAMIC_IP)
describe DIRECT_MX_FORGED_RECEIVED Multiple Received: lines in direct-to-MX
tflags DIRECT_MX_FORGED_RECEIVED net
score DIRECT_MX_FORGED_RECEIVED 0
# rule: FIRST_UNTRUSTED_NO_RDNS
# added 2005-05-19
# test: spam-2005-05-19/df-2005-05-19-007196.txt
header FIRST_UNTRUSTED_NO_RDNS X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns= [^\]]+\] \[/
describe FIRST_UNTRUSTED_NO_RDNS First untrusted relay of >=2 has no rdns
tflags FIRST_UNTRUSTED_NO_RDNS net
score FIRST_UNTRUSTED_NO_RDNS 0.5
# rule: FIRST_UNTRUSTED_MANY_NO_RDNS
# added 2005-05-19
# test: spam-2005-05-19/df-2005-05-19-007196.txt
header FIRST_UNTRUSTED_MANY_NO_RDNS X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns= [^\]]+\] \[[^\]]+\] \[/
describe FIRST_UNTRUSTED_MANY_NO_RDNS First untrusted relay of > 2 has no rdns
tflags FIRST_UNTRUSTED_MANY_NO_RDNS net
score FIRST_UNTRUSTED_MANY_NO_RDNS 0.5
# rule: DIRECT_MX_FORGED_CCTLD
# added 2005-05-18
# test: spam-2005-05-18/df-2005-05-18-001520.txt
# test: spam-2005-05-18/df-2005-05-18-001689.txt
# Forger claims to be google.fr (just domain name, no host part) or moo.org.ni
######## FIXME: should use canned regex for what is a toplevel ccTLD
# (I cheated and did not list quite all the ones we have in M::SA::Conf.pm)
header DIRECT_MX_FORGED_CCTLD X-Spam-Relays-Untrusted =~ /^[^]]+ helo=[0-9a-zA-Z][-0-9A-Za-z]*\.(?:(?:ac|atts?|biz|com?|edu?|fi(?:rm)?|go[bv]?|gv|in(?:tl?|fo?)?|k12|ltd|med?|mil?|net?|nic|nom|org?|pages?|pp|pro|rec|sa|sch|web)\.)?[A-Za-z][A-Za-z] [^][]+\]$/i
describe DIRECT_MX_FORGED_CCTLD Apparent injection point claims toplevel ccTLD
tflags DIRECT_MX_FORGED_CCTLD net
score DIRECT_MX_FORGED_CCTLD 0.5
# rule: DIRECT_MX_NO_RDNS
# added 2005-05-12
# test: spam-2005-05-18/df-2005-05-18-001445.txt
header DIRECT_MX_NO_RDNS X-Spam-Relays-Untrusted =~ /^[^]]+ rdns= [^][]+\]$/
describe DIRECT_MX_NO_RDNS Apparent injection point has no reverse DNS
tflags DIRECT_MX_NO_RDNS net
score DIRECT_MX_NO_RDNS 1
# rule: RATWARE_BASE64_DIRECT_MX
# added 2005-05-18
# test: spam-2005-05-18/df-2005-05-18-001520.txt
header __RATWARE_BASE64_DIRECT_MX_DATE_TZ0000 Date =~ / \+0000$/
meta RATWARE_BASE64_DIRECT_MX (__RATWARE_BASE64_DIRECT_MX_DATE_TZ0000 && MSGSTRUCT_ASCII_BASE64 && DIRECT_MX_FORGED_CCTLD && (__RDNS_DYNAMIC_IP || DIRECT_MX_NO_RDNS))
describe RATWARE_BASE64_DIRECT_MX Curious combination of not so innocent cues
tflags RATWARE_BASE64_DIRECT_MX net
score RATWARE_BASE64_DIRECT_MX 9
endif
