home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
ftp.f-secure.com
/
2014.06.ftp.f-secure.com.tar
/
ftp.f-secure.com
/
support
/
hotfix
/
fsis
/
IS-SpamControl.fsfix
/
iufssc
/
rules
/
96_fs-received.cf
< prev
next >
Wrap
Text File
|
2006-11-29
|
13KB
|
335 lines
# 96_fs-received.cf -- era Mon May 23 13:25:03 2005
# Copyright (C) 2005 F-Secure Corporation
# $Id: 96_fs-received.cf 2346 2005-12-09 13:59:39Z $
ifplugin FS::MsgStructure
# rule: RECEIVED_DOUBLE_BY
# added 2005-05-18
# test: spam-2005-05-18/df-2005-05-18-008544.txt
# test: spam-2005-05-18/df-2005-05-18-003952.txt
define_structure RECEIVED_DOUBLE_BY
structure (?:^)
structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
structure Received: from \(EHLO [-A-Za-z0-9_.]{0,64} ?\)(?: )\n
structure (?: ) by mta[0-9]{1,4}[-A-Za-z0-9_.]{0,60} with SMTP;.{0,200}\n
structure (?: ) by mta[0-9]{1,4}[-A-Za-z0-9_.]{0,60} with SMTP;.{0,200}\n
structure (?:[ \t].{0,1023}\n){0,50}
structure (?:(?!Received:)[A-Za-z0-9].{0,1023}\n
structure (?:[ \t].{0,1023}\n){0,50}){0,50}
structure \n
describe RECEIVED_DOUBLE_BY Clumsy Received: forgery, doubled "by" fields
score RECEIVED_DOUBLE_BY 9
# rule: RECEIVED_WOSTFIX
# added 2005-05-18
# edit 2005-05-20: FQDN hostname, additional comment after (Wostfix ...
# test: spam-2005-05-18/df-2005-05-18-008468.txt
# test: spam-2005-05-20/df-2005-05-20-008127.txt
define_structure RECEIVED_WOSTFIX
structure (?:^)
structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
structure Received: by [.-A-Za-z0-9_]{0,64} \(Wostfix
structure (?:, from userid \d{3,7})?\)\n
structure (?:[ \t].{0,1023}\n){0,50}
structure (?:(?!Received:)[A-Za-z0-9].{0,1023}\n
structure (?:[ \t].{0,1023}\n){0,50}){0,50}
structure \n
describe RECEIVED_WOSTFIX Silly "Wostfix" Received: forgery
score RECEIVED_WOSTFIX 9
# rule: RECEIVED_FORGED_FOR_SELF
# added 2005-05-18
# test: spam-2005-05-18/df-2005-05-18-000059.txt
# see also: MSGSTRUCT_FORGED_FOR_SELF
define_structure RECEIVED_FORGED_FOR_SELF
structure (?:^)
structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
structure Received: from [-A-Za-z0-9_.]{0,64}
# telltale sign #1: HELO in parens where genuine Sendmail would have rdns
structure (?: )\((?:EH|HE)LO [-A-Za-z0-9_.]{0,64} \[[0-9.]{7,15}\]\)\n
structure \tby [-A-Za-z0-9_.]{0,64}(?: )
# telltale sign #2: occasionally somewhat weird Sendmail version identifier
structure \(8\.[0-9]{1,2}\.[0-9]{1,2}(?:\.[-_A-Za-z0-9]{1,15})?
structure /8\.[0-9]{1,2}\.[0-9]{1,2}(?:\.[-_A-Za-z0-9]{1,15})?
structure [-_/A_Za-z0-9]{0,15}\)(?: with E?SMTP)
structure (?: )id [A-Za-z0-9]{5,20}\n
structure \tfor <([-A-Za-z0-9._%=]{1,50}\@[-A-Za-z0-9.]{5,64})>;
structure (?: )(?:Mon|T(?:ue|hu)|Wed|Fri|S(?:at|un)), [ 0-3][0-9]
structure (?: )(?:J(?:an|u[nl])|Feb|Ma[ry]|A(?:pr|ug)|Sep|Oct|Nov|Dec)
structure (?: )[12][0-9]{3} [012][0-9](?::[0-5][0-9]){2} [+-][01][0-9][0-5]0\n
# telltale sign #3: whimsical envelope-from after the real thing
structure \t\(envelope-from \1\)\n
structure (?:(?!Received:)[A-Za-z0-9].{0,1023}\n
structure (?:[ \t].{0,1023}\n){0,50}){0,50}
structure \n
describe RECEIVED_FORGED_FOR_SELF Sendmail Received: forgery, "for sender"
score RECEIVED_FORGED_FOR_SELF 9
# rule: RECEIVED_FORGED_MAJORDOMO
# added 2005-05-18
# test: spam-2005-05-18/df-2005-05-18-008436.txt
######## TODO: look at genuine Majordomo handovers, look for better telltales?
define_structure RECEIVED_FORGED_MAJORDOMO
structure (?:^)
structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
# telltale sign #1: claims to be (from majordomo?)
structure Received: \(from majordomo?@[-A-Za-z0-9_.]{5,64}\)\n
structure \tby [-A-Za-z0-9_.]{5,64}(?: )
# telltale sign #2: weirdish Sendmail version id (and no "with E?SMTP")
structure \(8\.[0-9]{1,2}\.[0-9]{1,2}(?:\.[-_A-Za-z0-9]{1,15})?
structure /8\.[0-9]{1,2}\.[0-9]{1,2}(?:\.[-_A-Za-z0-9]{1,15})?
structure /SubmitX\)
structure (?: )id [A-Za-z0-9]{5,20}\n
# telltale sign #3: proper Majordomo list-dash-name
structure \tfor [A-Za-z0-9]{1,50}-[A-Za-z0-9]{1,64};
structure (?: )(?:Mon|T(?:ue|hu)|Wed|Fri|S(?:at|un)), [ 0-3][0-9]
structure (?: )(?:J(?:an|u[nl])|Feb|Ma[ry]|A(?:pr|ug)|Sep|Oct|Nov|Dec)
structure (?: )[12][0-9]{3} [012][0-9](?::[0-5][0-9]){2} [+-][01][0-9][0-5]0\n
structure (?:(?!Received:)[A-Za-z0-9].{0,1023}\n
structure (?:[ \t].{0,1023}\n){0,50}){0,50}
structure \n
describe RECEIVED_FORGED_MAJORDOMO Forged Majordomo/Sendmail/SubmitX handoff
score RECEIVED_FORGED_MAJORDOMO 9
# rule: RECEIVED_FORGED_MINIMAL
# added 2005-05-18
# test: spam-2005-05-18/df-2005-05-18-000132.txt
define_structure RECEIVED_FORGED_MINIMAL
structure (?:^)
structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
structure Received: from [-A-Za-z0-9_.]{0,64} \(HELO [-A-Za-z0-9_.]{0,64}\)\n
structure \tby [-A-Za-z0-9_.]{0,64} with E?SMTP;
structure (?: )(?:Mon|T(?:ue|hu)|Wed|Fri|S(?:at|un)), [ 0-3][0-9]
structure (?: )(?:J(?:an|u[nl])|Feb|Ma[ry]|A(?:pr|ug)|Sep|Oct|Nov|Dec)
structure (?: )[12][0-9]{3} [012][0-9](?::[0-5][0-9]){2} [+-][01][0-9][0-5]0\n
structure (?:(?!Received:)[A-Za-z0-9].{0,1023}\n
structure (?:[ \t].{0,1023}\n){0,50}){0,50}
structure \n
describe RECEIVED_FORGED_MINIMAL Minimal forged Received: header
score RECEIVED_FORGED_MINIMAL 2
# rule: FS_RECEIVED_FORGED_8X
# added 2005-05-20
# test: spam-2005-05-20/df-2005-05-20-008124.txt
define_structure FS_RECEIVED_FORGED_8X
structure (?:^)
structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
structure Received: from .{1,999}\n
structure (?: )by (?:[-0-9A-Za-z_]{1,64}\.){1,7}[A-Za-z]{2,4}
structure (?: )with ESMTP \(8(?:\.[0-9]{1,2}){2}/8(?:\.[0-9]{1,2}){2}[/)]
describe FS_RECEIVED_FORGED_8X Misplaced Sendmail 8.x.x identification
score FS_RECEIVED_FORGED_8X 7
# rule: FS_RECEIVED_FORGED_8XX
# added 2005-05-20
# test: spam-2005-05-20/df-2005-05-20-008121.txt
define_structure FS_RECEIVED_FORGED_8XX
structure (?:^)
structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
# telltale sign #1: X-Apparently-To:
structure X-Apparently-To: .{1,999}\n
# telltale sign #2: like above, but even without "with E?SMTP"
structure Received: from .{1,999}\n
structure (?: )by (?:[-0-9A-Za-z_]{1,64}\.){1,7}[A-Za-z]{2,4}
structure (?: )\(8(?:\.[0-9]{1,2}){2}/8(?:\.[0-9]{1,2}){2}
structure (?:/[-A-Za-z0-9./_]{2,15})?\)\n
structure (?: )ID <[0-9A-Za-z]{5,20}@
structure (?:[-0-9A-Za-z_]{1,64}\.){1,7}[A-Za-z]{2,4}>;
structure (?: )(?:Mon|T(?:ue|hu)|Wed|Fri|S(?:at|un)), [ 0-3][0-9]
structure (?: )(?:J(?:an|u[nl])|Feb|Ma[ry]|A(?:pr|ug)|Sep|Oct|Nov|Dec)
structure (?: )[12][0-9]{3} [012][0-9](?::[0-5][0-9]){2} [+-][01][0-9][0-5]0\n
# and we require it to be the final Received: line
structure (?:(?!Received:)[A-Za-z0-9].{0,1023}\n
structure (?:[ \t].{0,1023}\n){0,50}){0,50}
structure \n
describe FS_RECEIVED_FORGED_8XX Misplaced Sendmail 8.x.x identification, mk II
score FS_RECEIVED_FORGED_8XX 9
# rule: MSGSTRUCT_RECEIVED_STUB
# added 2005-05-13
# test: spam-2005-05-13/df-2005-05-13-006279.txt
define_structure MSGSTRUCT_RECEIVED_STUB
structure (?:^)
structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
# telltale sign #1: Received by IP
structure Received: by (?:[1-9][0-9]?|1[0-9][0-9]|2[0-4][0-9]|25[0-4])
structure \.(?:0|[1-9][0-9]?|1[0-9][0-9]|2[0-4][0-9]|25[0-5])
structure \.(?:0|[1-9][0-9]?|1[0-9][0-9]|2[0-4][0-9]|25[0-5])
structure \.(?:[1-9][0-9]?|1[0-9][0-9]|2[0-4][0-9]|25[0-4])
# telltale sign #2: with SMTP, smack dab; longish queue id
structure (?: )with SMTP id [A-Za-z0-9]{8,20};
structure (?: )(?:Mon|T(?:ue|hu)|Wed|Fri|S(?:at|un)), [ 0-3][0-9]
structure (?: )(?:J(?:an|u[nl])|Feb|Ma[ry]|A(?:pr|ug)|Sep|Oct|Nov|Dec)
structure (?: )[12][0-9]{3} [012][0-9](?::[0-5][0-9]){2} [+-][01][0-9][0-5]0\n
structure (?:(?!Received:)[A-Za-z0-9].{0,1023}\n
structure (?:[ \t].{0,1023}\n){0,50}){0,50}
structure \n
describe MSGSTRUCT_RECEIVED_STUB Forged very minimal final Received: header
score MSGSTRUCT_RECEIVED_STUB 4
# rule: MSGSTRUCT_FORGED_FOR_SENDER
# added 2005-05-13
# edit 2005-05-18: relax IP number on first line
# test: spam-2005-05-13/df-2005-05-13-003032.txt
# test: spam-2005-05-18/df-2005-05-18-003339.txt
define_structure MSGSTRUCT_FORGED_FOR_SENDER
structure (?:^)
structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
# telltale sign #1: Received from [square brackets] (sheesh)
structure Received: from \[[-.0-9A-Za-z]{5,64}\] \(\[[.0-9]{7,15}\]\)\n
structure \tby [-.0-9A-Za-z]{5,64}
# telltale sign #2: somewhat weird Sendmail identification (e.g. 8.12.0.Beta5)
structure (?: )\(8\.[A-Za-z0-9.]{1,12}/8\.[A-Za-z0-9.]{1,12}\)
structure (?: )with E?SMTP id [A-Za-z0-9]{9,20}\n
# telltale sign #3: for <sender>
structure \tfor (<[-A-Za-z0-9_.]{1,20}\@[-.0-9A-Za-z]{5,64}>);
structure (?: )(?:Mon|T(?:ue|hu)|Wed|Fri|S(?:at|un)), [ 0-3][0-9]
structure (?: )(?:J(?:an|u[nl])|Feb|Ma[ry]|A(?:pr|ug)|Sep|Oct|Nov|Dec)
structure (?: )[12][0-9]{3} [012][0-9](?::[0-5][0-9]){2} [+-][01][0-9][0-5]0\n
structure (?:(?!Received:)[A-Za-z0-9].{0,1023}\n
structure (?:[ \t].{0,1023}\n){0,50}){0,50}
# telltale sign #3 part 2: From: terminus identical to Received: for
structure From: "[^\"]{0,50}" \1\n
structure (?:(?!Received:)[A-Za-z0-9].{0,1023}\n
structure (?:[ \t].{0,1023}\n){0,50}){0,50}
structure \n
describe MSGSTRUCT_FORGED_FOR_SENDER Forged Sendmail Received: for <sender>
score MSGSTRUCT_FORGED_FOR_SENDER 9
# rule: MSGSTRUCT_FORGED_FOR_SELF
# added 2005-05-13
# edit 2005-05-18: relax hostname regex in Received: from
# test: spam-2005-05-13/df-2005-05-13-003031.txt
# test: spam-2005-05-18/df-2005-05-18-000182.txt
define_structure MSGSTRUCT_FORGED_FOR_SELF
structure (?:^)
structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
# telltale sign #1: X-Sender
structure X-Sender: ([-A-Za-z0-9._]{1,64}\@[-.0-9A-Za-z]{5,64})\n
# telltale sign #2: X-Apparently-To: same address
structure X-Apparently-To: \1\n
# telltale sign #3: really weird final Received: lines
structure Received: from [-.0-9A-Za-z]{0,64} \(\1\) by [-.0-9A-Za-z]{5,64}\n
structure Received: \(.{1,200}\);
structure (?: )(?:Mon|T(?:ue|hu)|Wed|Fri|S(?:at|un)), [ 0-3][0-9]
structure (?: )(?:J(?:an|u[nl])|Feb|Ma[ry]|A(?:pr|ug)|Sep|Oct|Nov|Dec)
structure (?: )[12][0-9]{3} [012][0-9](?::[0-5][0-9]){2} [+-][01][0-9][0-5]0\n
structure (?:(?!Received:)[A-Za-z0-9].{0,1023}\n
structure (?:[ \t].{0,1023}\n){0,50}){0,50}
structure \n
describe MSGSTRUCT_FORGED_FOR_SELF Clumsy forged X-Sender = X-Apparently-To
score MSGSTRUCT_FORGED_FOR_SELF 7
# rule: FS_REFERENCES_RECEIVED
# added 2005-05-20
# test: spam-2005-05-20/df-2005-05-20-004613.txt
define_structure FS_REFERENCES_RECEIVED
structure (?:^)
structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
# last Received: header with a full domain name -- grab domain name into \1
structure Received: from (?:[-0-9A-Za-z]{1,64}\.)?
structure ([-0-9A-Za-z]{1,64}\.[A-Za-z]{2,4}) .{1,600}\n
structure [ \t]{1,1000}by .{1,1000}\n
structure (?:[ \t].{0,1023}\n){0,50}
# anything goes, as long as it's not a Received: from something.dot
structure (?:(?!Received: from [-A-Za-z0-9_]{1,64}\.[-A-Za-z0-9_])
structure [A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
# telltale sign: references and in-reply-to a message-id in domain \1
structure References: (<[-0-9A-Za-z._+=]{1,64}@\1>)\n
structure In-Reply-To: \2\n
describe FS_REFERENCES_RECEIVED In-Reply-To+References point to Received domain
score FS_REFERENCES_RECEIVED 1
# rule: FS_RANDOM_MID_DOMAIN
# added 2005-05-20
# edit 2005-05-24: add case __FS_MID_DOMAIN_FROM_AFTER
# test: spam-2005-05-20/df-2005-05-20-007176.txt
# fail: reference/yahoo-sample-0001.eml
# fail: reference/thunderbird-sample-0001.eml
# Prerequisite: There is a Message-ID in exactly this format
define_structure __FS_MID_EXISTS
structure (?:^)
structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
structure Message-ID: <[-0-9A-Za-z._=+%]{1,64}@
structure (?:[-_0-9A-Za-z]{1,64}\.){0,8}[A-Za-z]{2,4}>\n
define_structure __FS_MID_DOMAIN_RECEIVED
structure (?:^)
structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
structure Received: from (?:[-0-9A-Za-z]{1,64}\.){0,7}
structure ([-0-9A-Za-z]{1,64}\.[A-Za-z]{2,4}) .{1,600}\n
structure (?:[ \t].{0,1023}\n){0,50}
structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
structure Message-ID: <[-0-9A-Za-z._=+%]{1,64}@
structure (?:[-_0-9A-Za-z]{1,64}\.){0,7}\1>\n
######## TODO: __FS_MID_DOMAIN_RECEIVED_AFTER?
define_structure __FS_MID_DOMAIN_FROM
structure (?:^)
structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
structure From: .{1,100}@(?:[-_0-9A-Za-z]\.){0,7}
structure ([-0-9A-Za-z]{1,64}\.[A-Za-z]{2,4})>?
structure (?: \(.{1,500})?\n
structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
structure Message-ID: <[-0-9A-Za-z._=+%]{1,64}@
structure (?:[-_0-9A-Za-z]{1,64}\.){0,7}\1>\n
define_structure __FS_MID_DOMAIN_FROM_AFTER
structure (?:^)
structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
structure Message-ID: <[-0-9A-Za-z._=+%]{1,64}@
structure (?:[-_0-9A-Za-z]{1,64}\.){0,7}
structure ([-0-9A-Za-z]{1,64}\.[A-Za-z]{2,4})>\n
structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50}
structure From: .{1,100}@(?:[-_0-9A-Za-z]\.){0,7}\1>?
structure (?: \(.{1,500})?\n
# ... but it matches none of the other rules:
meta FS_RANDOM_MID_DOMAIN (__FS_MID_EXISTS && !__FS_MID_DOMAIN_RECEIVED && !__FS_MID_DOMAIN_FROM && !__FS_MID_DOMAIN_FROM_AFTER)
describe FS_RANDOM_MID_DOMAIN Message-Id's domain neither Received: nor From:
score FS_RANDOM_MID_DOMAIN 1.8
endif
