ftp.f-secure.com

home *** CD-ROM | disk | FTP | other *** search

/ ftp.f-secure.com / 2014.06.ftp.f-secure.com.tar / ftp.f-secure.com / support / hotfix / fsis / IS-SpamControl.fsfix / iufssc / rules / 96_fs-suspect.cf < prev next >

Wrap

Text File | 2006-11-29 | 37KB | 1,011 lines

# 96_fs-suspect.cf -- era Thu Nov 25 15:27:28 2004 # Copyright (C) 2004-2006 F-Secure Corporation # $Id: 96_fs-suspect.cf 4093 2006-11-02 12:22:52Z eriker $ ifplugin FS::MsgStructure # rule: MSGSTRUCT_RATWARE_GET_CAPABLE # created 2004-11-18 or thereabouts # edit 2005-01-25: allow multipart/related as well as multipart/alternative # edit 2005-01-25: MIME separator can be Java [sic!] instead of ----=_NextPart_ # edit 2005-05-16: permit any allowable MIME boundary separator string # test: spam-2005-01-25/-3288733836-1106534578.V802I3c2d2.localhost.localdomain # test: spam-2005-01-25/-3288707794-1106592792.V802I3dbff.localhost.localdomain # test: spam-2005-05-16/df-2005-05-16-006062.txt # tracker: ratware-get-capable define_structure MSGSTRUCT_RATWARE_GET_CAPABLE structure ^This is a multi-part message in MIME format\.\n\n structure -{2}[-=_.0-9A-Za-z]{7,64}\n structure Content-Type: multipart/(?:related|alternative);\n structure (?: ){8}boundary="([-=_.0-9A-Za-z]{7,64})"\n\n structure -{2}\1\n structure Content-Type: text/plain;\n structure (?: ){8}charset="us-ascii"\n structure Content-Transfer-Encoding: 7bit\n\n structure Get a capable html e-mailer\n\n\n structure -{2}\1\n describe MSGSTRUCT_RATWARE_GET_CAPABLE Ratware "Get a capable html e-mailer" score MSGSTRUCT_RATWARE_GET_CAPABLE 20 # rule: MSGSTRUCT_ASCII_BASE64 # added 2005-05-18 # test: spam-2005-05-18/df-2005-05-18-001520.txt define_structure MSGSTRUCT_ASCII_BASE64 structure (?:^) structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50} structure MIME-Version: 1\.0\n structure Content-Type: text/plain\n structure Content-Transfer-Encoding: base64\n describe MSGSTRUCT_ASCII_BASE64 MIME lacks explicit charset, uses base64 text score MSGSTRUCT_ASCII_BASE64 3 # rule: MIME_BOUNDARY_SQ # added 2005-05-18 # test: spam-2005-05-18/df-2005-05-18-001932.txt define_structure MIME_BOUNDARY_SQ structure (?:^) structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50} structure MIME-Version: 1\.0\n structure Content-Type: multipart/(?:related|alternative);\n structure \tboundary="--(?:[-0-9]{3,15}\[[0-9]\]){3}"\n describe MIME_BOUNDARY_SQ Nonstandard MIME boundary with square brackets in it score MIME_BOUNDARY_SQ 3 # rule: MIME_BOUNDARY_MASSIVELY_ILLEGAL # added 2005-05-19 # test: spam-2005-05-19/df-2005-05-19-000763.txt define_structure MIME_BOUNDARY_MASSIVELY_ILLEGAL structure (?:^) structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50} structure MIME-Version: 1\.0\n structure Content-Type: multipart/(?:related|alternative);\n structure \tboundary="--(?:[-=0-9A-Za-z.]{0,20}[^-=0-9A-Za-z.\"]){4,20}" describe MIME_BOUNDARY_MASSIVELY_ILLEGAL Multple disallowed characters score MIME_BOUNDARY_MASSIVELY_ILLEGAL 7 # rule: MSGSTRUCT_MIME_ASCII_8BIT_REL # added 2005-05-13 # edit 2005-05-16: rename to distinguish sigle-part from multipart/related # test: spam-2005-05-13/df-2005-05-13-001185.txt # test: spam-2005-05-13/df-2005-05-13-005515.txt # test: spam-2005-05-13/df-2005-05-13-005503.txt define_structure MSGSTRUCT_MIME_ASCII_8BIT_REL structure (?:^) structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50} structure MIME-Version: 1\.0\n # telltale sign #1: X-MimeOLE between Mime-Version and Content-Type structure X-MimeOLE: Produced By Microsoft (?:Exchange|MimeOLE) structure (?: )V[1-9][0-9]?\.[0-9]{1,2}\.[0-9]{4}\.[0-9]{1,4}\n # telltale sign #2: multipart/related structure Content-Type: multipart/related;\n structure \tboundary="(--[-A-Za-z0-9._]{5,65})"\n structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50} # telltale sign #3: no MIME preamble structure \n--\1\n # telltale sign #4: Content is text/plain us-ascii 8bit (sic) structure Content-Type: text/plain; charset=us-ascii\n structure Content-Transfer-Encoding: 8bit\n\n describe MSGSTRUCT_MIME_ASCII_8BIT_REL Multipart/related, first is ASCII/8bit score MSGSTRUCT_MIME_ASCII_8BIT_REL 4 # rule: MSGSTRUCT_MIME_ASCII_8BIT # added 2005-05-16 # test: spam-2005-05-16/df-2005-05-16-004390.txt # test: spam-2005-05-16/df-2005-05-16-007205.txt # test: spam-2005-05-16/df-2005-05-16-007166.txt # test: spam-2005-05-16/df-2005-05-16-007192.txt # test: spam-2005-05-16/df-2005-05-16-007198.txt define_structure MSGSTRUCT_MIME_ASCII_8BIT structure (?:^) structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50} # telltale sign #1: From, To, Subject, Date before MIME-Version structure From: "([^\"]{0,64})" structure (?: )<([-A-Za-z0-9._%=]{1,50}\@[-A-Za-z0-9.]{5,64})>\n structure To: .{1,300}(\n[ \t].{1,300}){0,200}\n # telltale sign #1.5: base64-encoded Subject (not acting on that here) structure Subject: .{1,300}(\n[ \t].{1,300}){0,200}\n structure Date: structure (?: )(?:Mon|T(?:ue|hu)|Wed|Fri|S(?:at|un)), [ 0-3][0-9] structure (?: )(?:J(?:an|u[nl])|Feb|Ma[ry]|A(?:pr|ug)|Sep|Oct|Nov|Dec) structure (?: )[12][0-9]{3} [012][0-9](?::[0-5][0-9]){2} # weird forgery: time zone +310000 # #(?: )[+-][01][0-9][0-5]0\n structure (?: )[-+][0-9]{4,6}\n # so here's the MIME-Version header structure MIME-Version: 1\.0\n # telltale sign #2: X-headers between Mime-Version and Content-Type structure X-Sender: <\2>\n structure Sender: <\2>\n # variation: with or without Reply-To: structure (?:Reply-To: "\1" <\2>\n)? # telltale sign #2.5: slightly weird In-Reply-To: (not acting on that here) structure In-Reply-To: <[-.=_0-9A-Za-z\$]{5,64}\@[-A-Za-z0-9.]{3,64}>\n # some variations observed here ... structure (?: structure (?:X-Priority: 3 $Normal$\n structure X-MSMail-Priority: Normal\n)? # order of these may vary; mimole may be missing (for simplicity, allow either) structure (?:X-Mailer: Microsoft Outlook(?: IMO)?, structure (?: )Build [1-9][0-9]?(?:\.[0-9]{1,4}){1,2} structure (?: $[1-9]\.[0-9]{1,2}(?:\.[0-9]{1,4}){1,2}$)?\n| structure X-M[Ii][Mm][Ee]OLE: Produced By Microsoft (?:MimeOLE|Exchange) structure (?: )V[5-9]\.[0-9]{1,2}\.[0-9]{1,4}\.[0-9]{1,4}\n){1,2} structure | structure X-Mailer: .{1,64}\n) # telltale sign #2: text/plain; charset=us-ascii, CTE 8bit structure Content-Type: text/plain;\n structure \tcharset="us-ascii"\n structure Content-Transfer-Encoding: 8bit\n describe MSGSTRUCT_MIME_ASCII_8BIT MIME single body part US-ASCII/8bit score MSGSTRUCT_MIME_ASCII_8BIT 4 # rule: SUBJ_BASE64_GRATUITOUS # added 2005-05-16 # test: spam-2005-05-16/df-2005-05-16-007192.txt header __SUBJ_BASE64 Subject:raw =~ /^=\?(?:[Ii][Ss][Oo]-8859-15?|[Uu][Ss]-[Aa][Ss][Cc][Ii][Ii])\?[Bb]\?/ header __SUBJ_8BIT Subject =~ /[\x80-\xFF]/ # Do not trigger on a final control character (\0, \n, whatever) header __SUBJ_CTRL Subject =~ /[\x00-\x1F]./ meta SUBJ_BASE64_GRATUITOUS (__SUBJ_BASE64 && !__SUBJ_8BIT && !__SUBJ_CTRL) describe SUBJ_BASE64_GRATUITOUS Subject needlessly base64-encoded score SUBJ_BASE64_GRATUITOUS 4 # rule: MSGSTRUCT_DATE_IN_BODY # added 2005-05-16 # test: spam-2005-05-16/df-2005-05-16-003356.txt # target: semi-rare define_structure MSGSTRUCT_DATE_IN_BODY structure (?:^) structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50} # Here's the Date: header structure Date: ( structure (?:Mon|T(?:ue|hu)|Wed|Fri|S(?:at|un)), [ 0-3][0-9] structure (?: )(?:J(?:an|u[nl])|Feb|Ma[ry]|A(?:pr|ug)|Sep|Oct|Nov|Dec) structure (?: )[12][0-9]{3} [012][0-9](?::[0-5][0-9]){2} [-+][01][0-9][0-5]0) ######## TODO: maybe (TZZ) too? structure \n structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50} structure \n structure (?:.{0,1023}\n){0,50} structure .{0,999}\1\n describe MSGSTRUCT_DATE_IN_BODY Contents of Date header repeated in body score MSGSTRUCT_DATE_IN_BODY 4 # rule: MSGSTRUCT_HTTP_HEADERS # added 2005-05-19 # test: spam-2005-05-19/df-2005-05-19-000344.txt # test: spam-2005-05-19/df-2005-05-19-002153.txt # test: spam-2005-05-19/df-2005-05-19-000246.txt define_structure MSGSTRUCT_HTTP_HEADERS structure (?:^) structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50} structure From: .{1,1019}\n # telltale sign #1: HTTP-type headers after From: structure (?:(?:User-Agent|(?:X-)?Accept-Language): .{1,999}\n structure (?:[ \t].{0,1023}\n){0,50}){1,5} # skip up to MIME-Version just in case we missed some ... structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50} structure MIME-Version: 1\.0\n # telltale sign #2: To: and Cc: and Subject: before Content-* structure To: .{1,1024}\n # telltale sign #3: Cc: always present, with >= two addresses, <= two per line structure Cc: [^,]{5,64}(?:, [^,]{5,64})? structure (?:(?:,\n\t[^,]{5,64}(?:, [^,]{5,64})?){0,20} structure ,\n\t[^,]{5,64}(, [^,]{5,64})?)?\n structure Subject: .{1,1024}\n structure (?:[ \t].{0,1023}\n){0,50} structure Content-Type: describe MSGSTRUCT_HTTP_HEADERS HTTP headers between From and MIME-Version score MSGSTRUCT_HTTP_HEADERS 7 # rule: URI_RAW_CR # added 2005-05-19 # test: spam-2005-05-19/df-2005-05-19-009927.txt uri URI_RAW_CR /\r/ describe URI_RAW_CR URI contains raw carriage return score URI_RAW_CR 7 # rule: MSGSTRUCT_PLAINTEXT_QUOTATIONS # added 2005-05-10 # test: spam-2005-05-10/df-2005-05-10-000325.txt # test: spam-2005-05-10/df-2005-05-10-000358.txt # test: spam-2005-05-10/df-2005-05-10-000571.txt # test: spam-2005-05-10/df-2005-05-10-002958.txt # test: spam-2005-05-10/df-2005-05-10-005705.txt define_structure MSGSTRUCT_PLAINTEXT_QUOTATIONS # Headers structure (?:^) structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50} # MIME headers structure MIME-Version: 1\.0\n structure Content-Type: multipart/alternative;\n structure \tboundary="(----=_NextPart_[_0-9A-F]{17}\.[0-9A-F]{8})"\n structure X-Priority: 3\n structure X-MSMail-Priority: Normal\n structure X-Mailer: Microsoft Outlook Express 6\.00(?:\.[0-9]{4}){2}\n structure X-MimeOLE: Produced By Microsoft MimeOLE V6\.00\.[0-9]{4}\.[0-9]{3}\n # Allow for more headers structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50} # Neck structure \n # Body structure This is a multi-part message in MIME format\.\n\n # text/plain part structure --\1\n structure Content-Type: text/plain;\n structure \tcharset="(?: structure [Ii][Ss][Oo]-8859-[1-9][0-5]?|[Uu][Ss]-[Aa][Ss][Cc][Ii][Ii] structure )"\n structure Content-Transfer-Encoding: (?:quoted-printable|7bit)\n\n # Now, a long sequence of comma-separated quotations structure (?:".{1,1022}",\n){5,60}\n{1,5} # HTML part structure --\1\n structure Content-Type: text/html describe MSGSTRUCT_PLAINTEXT_QUOTATIONS Text part with comma-separated quotes score MSGSTRUCT_PLAINTEXT_QUOTATIONS 7 # rule: MSGSTRUCT_BOGUS_ISO_CHARSET # added 2004-07-14 # edit 2005-05-11: reimplemented as MSGSTRUCT rule # test: spam-2005-05-11/df-2005-05-11-000082.txt define_structure MSGSTRUCT_BOGUS_ISO_CHARSET structure (?:^) structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50} structure MIME-Version: 1\.0\n structure Content-Type: multipart/alternative;\n structure \tboundary="(--[-A-Za-z0-9]{5,70})"\n structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50} structure \n structure --\1\n structure Content-Type: text/plain;\n structure \tcharset="iso-(?!8859|2202)[0-9A-F]{4}-[0-9A-F]?"\n describe MSGSTRUCT_BOGUS_ISO_CHARSET Bogus iso-xxxx-y charset designator score MSGSTRUCT_BOGUS_ISO_CHARSET 5 # rule: MSGSTRUCT_RATWARE_MIME_CHARSET_OPENSQ # added 2005-01-07 # test: spam-2005-01-07/1772148336-1105016916.V802I3cdbb.localhost.localdomain # test: spam-2005-01-07/1772148340-1105016918.V802I3cdbc.localhost.localdomain define_structure MSGSTRUCT_RATWARE_MIME_CHARSET_OPENSQ structure \n structure --[-=_A-Za-z0-9]{14,60}\n structure Content-[Tt]ype: text/(?:plain|html);(?:\n?[ \t]{1,7}) structure [Cc][Hh][Aa][Rr][Ss][Ee][Tt]="?[Ii][Ss][Oo]-[-0-9]{0,12} structure \[ describe MSGSTRUCT_RATWARE_MIME_CHARSET_OPENSQ Non-MIME charset with "[" in it score MSGSTRUCT_RATWARE_MIME_CHARSET_OPENSQ 7 # rule: MSGSTRUCT_HEADER_BLEED # added 2005-01-25 # test: spam-2005-01-25/-3288731599-1106539307.V802I3c50e.localhost.localdomain # test: spam-2005-01-25/-3288706991-1106594468.V802I3dcc6.localhost.localdomain # target: semi-rare define_structure MSGSTRUCT_HEADER_BLEED structure ^(?:.{4,90}\n)? structure (?:(?:Received|From|To|Subject|Date| structure Mime-Version|Content-Type|Content-Transfer-Encoding| structure X-[-A-Za-z0-9]{1,50}):.{1,300}\n structure (?:[ \t].{4,90}\n){0,3}){4} describe MSGSTRUCT_HEADER_BLEED Headers spilling into beginning of body score MSGSTRUCT_HEADER_BLEED 3 # rule: MSGSTRUCT_FORGED_FROM_IP_PAREN_PORT_HELO # added 2005-05-12 # edit 2005-05-13: allow longer and case variations in helo=[string] # test: spam-2005-05-12/df-2005-05-12-001462.txt # test: spam-2005-05-13/df-2005-05-13-006295.txt # test: spam-2005-05-13/df-2005-05-13-006296.txt # test: spam-2005-05-13/df-2005-05-13-006298.txt define_structure MSGSTRUCT_FORGED_FROM_IP_PAREN_PORT_HELO structure (?:^) structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50} # telltale sign #1: from [IP] (port=\d+ helo=[weird])<nl> structure Received: from \[[1-9][.0-9]{6,14}\] $port=\d{1,5} structure (?: )helo=\[[A-Za-z0-9.]{1,60}\]$\n # telltale sign #2: space after lowercase "with esmtp" structure (?: )by [-A-Za-z0-9.]{5,64} with esmtp(?: )\n # telltale sign #3: weird queue id (first sample has "guerrilla" in it) structure (?: )id \d{5,12}[A-Za-z0-9]{10,64}\n # telltale sign #4: no <brokets> around "for" address structure (?: )for [-A-Za-z0-9._%=]{1,50}\@[-A-Za-z0-9.]{5,64}; structure (?: )(?:Mon|T(?:ue|hu)|Wed|Fri|S(?:at|un)), [ 0-3][0-9] structure (?: )(?:J(?:an|u[nl])|Feb|Ma[ry]|A(?:pr|ug)|Sep|Oct|Nov|Dec) structure (?: )[12][0-9]{3} [012][0-9](?::[0-5][0-9]){2} [+-][01][0-9][0-5]0\n structure (?:(?!Received:)[A-Za-z0-9].{0,1023}\n structure (?:[ \t].{0,1023}\n){0,50}){0,50} structure \n describe MSGSTRUCT_FORGED_FROM_IP_PAREN_PORT_HELO Clumsy forged Received header score MSGSTRUCT_FORGED_FROM_IP_PAREN_PORT_HELO 4 # rule: MSGSTRUCT_HELO_VICTIM_IP # added 2005-01-28 # test: spam-2005-01-28/-3029589561-1106835902.V802I3d6d9.localhost.localdomain # This handles a special case which makes do without any DNS whatsoever. # It requires that the receiving host is a relay which stamps in a sensible # header with Received: information which includes its own IP address. ######## TODO: handle general case where DNS access is required ######## TODO: extend to handle Exim etc headers define_structure MSGSTRUCT_HELO_VICTIM_IP structure \nReceived: from .{1,70}[[(] structure ( structure (?:1[0-9]{0,2}|2(?:[0-4][0-9]?|5[0-4]?|[6-9])?|[3-9][0-9]?)\. structure (?:0|1[0-9]{0,2}|2(?:[0-4][0-9]?|5[0-5]?|[6-9])?|[3-9][0-9]?)\. structure (?:0|1[0-9]{0,2}|2(?:[0-4][0-9]?|5[0-5]?|[6-9])?|[3-9][0-9]?)\. structure (?:1[0-9]{0,2}|2(?:[0-4][0-9]?|5[0-4]?|[6-9])?|[3-9][0-9]?) structure )[])].{0,200}\n structure (?:.{1,300}\n){0,64} structure Received: (?:from \1) ######## TODO: handle Exim Received: format describe MSGSTRUCT_HELO_VICTIM_IP HELOs with IP address of victim host score MSGSTRUCT_HELO_VICTIM_IP 3 # rule: FS_HELO_VICTIM_DOMAIN # added 2005-09-13 # edit 2006-02-17: tweak down score significantly # test: ######## TODO: provide sample # temp: silly/00026.msg header __FS_HELO_VICTIM_DOMAIN X-Spam-Relays-Untrusted =~ / helo=([^ ]+) by=(?:[^ ]+\.)?\1 [^\]]*\]\s*$/ header __FS_HELO_SAME_DOMAIN X-Spam-Relays-Untrusted =~ / rdns=(?:[^ ]+\.)?([^ ]+) helo=\1 by=(?:[^ ]+\.)?\1 [^\]]*\]\s*$/ meta FS_HELO_VICTIM_DOMAIN (__FS_HELO_VICTIM_DOMAIN && ! __FS_HELO_SAME_DOMAIN) describe FS_HELO_VICTIM_DOMAIN HELOs with domain name of victim score FS_HELO_VICTIM_DOMAIN 0.5 # rule: FS_URL_IMAGE_DIR_NONIMAGE # added 2006-04-20 # test: phishing-samples@fs/d-fence/virus-gT20n+eyCWAM.msg uri FS_URL_IMAGE_DIR_NONIMAGE m{/(?:images|pics?|img|gif)/+(?:[^/]+/+)+[^/]+\.html$} describe FS_URL_IMAGE_DIR_NONIMAGE Suspect link to HTML in subdir of image dir score FS_URL_IMAGE_DIR_NONIMAGE 0.5 # rule: FS_PHP_MAIL # added 2006-04-20 # edit 2006-11-01: protect against regex recursion # test: phishing-samples@fs/d-fence/virus-9GDL4yaY7EqL.msg # test: phishing-samples@fs/d-fence/virus-gT20n+eyCWAM.msg header __FS_PHP_X_SCRIPT exists:X-PHP-Script define_structure __FS_STRUCT_PHP_MAIL structure (?:^) structure (?:(?!X-AntiAbuse:).{1,1023}\n)+ structure X-AntiAbuse: This header was added to track abuse,[ ] structure please include it with any abuse report\n structure X-AntiAbuse: Primary Hostname - .{1,120}\n structure X-AntiAbuse: Original Domain - .{1,120}\n structure X-AntiAbuse: Originator/Caller UID/GID - .{1,120}\n structure X-AntiAbuse: Sender Address Domain - meta FS_PHP_MAIL (__FS_PHP_X_SCRIPT || __FS_STRUCT_PHP_MAIL) describe FS_PHP_MAIL Message was sent via PHPmail (open webmail form?) score FS_PHP_MAIL 0.1 # rule: FS_RATWARE_RECEIVED_IP_BIGINT # added 2006-04-25 # test: phishing-samples@fs/d-fence/virus-L4f6i-I6ZYNU.msg # test: phishing-samples@fs/d-fence/virus-sCMSOp7E7K1Q.msg define_structure FS_RATWARE_RECEIVED_IP_BIGINT structure (?:^) structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50} structure Received: from [-\@:A-Za-z0-9_.]{1,70} # The beef: spoofed reverse DNS and IP are a big (optionally negative) integer structure [ ]$-?[0-9]{8,20} \[-?[0-9]{8,20}\]$\n # Received: header is continued over several lines structure (?:[ \t].{0,1023}\n){1,50} # Permit additional headers, as long as they are not Received: headers structure (?:(?!Received:)[A-Za-z0-9].{0,1023}\n structure (?:[ \t].{0,1023}\n){0,50}){0,50} structure \n describe FS_RATWARE_RECEIVED_IP_BIGINT Received: from 12345678 ([23456789]) score FS_RATWARE_RECEIVED_IP_BIGINT 9 # rule: FS_RATWARE_THEBAT_X15 # added 2006-05-18 # edit 2006-05-19: additional variations in unreg key; rename rule accordingly # test: df-2006-05-18-007226.txt # test: df-2006-05-19-007793.txt # test: df-2006-05-19-004255.txt # test: df-2006-05-19-004651.txt # fail: reference-ham/0004the-bat-365pro.eml # fail: reference-ham/0005the-bat-211unreg.eml # fail: reference-ham/0006the-bat-200unreg.eml header FS_RATWARE_THEBAT_X15 X-Mailer =~ m{^The Bat! $v\d\.\d+\.\d+(?:\.\d+)?$ [A-Za-z0-9]{15,18}$} describe FS_RATWARE_THEBAT_X15 Forged The Bat! -- invalid unreg. key score FS_RATWARE_THEBAT_X15 5 # rule: FS_RATWARE_X_MAILER_EMPTY_X15 # added 2006-05-19 # test: df-2006-05-19-002852.txt # test: df-2006-05-19-004257.txt header FS_RATWARE_X_MAILER_EMPTY_X15 X-Mailer =~ m{^$v\d\.\d+\.\d+(?:\.\d+)?$ [A-Za-z0-9]{15,18}$} describe FS_RATWARE_X_MAILER_EMPTY_X15 X-Mailer with only (vn.n.n) KEYFN0RDD score FS_RATWARE_X_MAILER_EMPTY_X15 5 # rule: FS_MSGSTRUCT_HTML_NESTED_A_HREF # added 2006-05-22 # edit 2006-05-31: tighten up regex # test: d-fence/virus-0TJiYpzmLasU.msg # fail: hard_ham/00015.ada83ed8f5e09b7dd5b268dafb0d7e8d # fail: hard_ham/00082.a405e76faf9463d464229306b1e0c93f define_structure FS_MSGSTRUCT_HTML_NESTED_A_HREF structure <[Aa]\s+[Hh][Rr][Ee][Ff]=[^<>]+> structure (?:[^<]|<[^/\s]|<\s*/[^Aa\s]|<\s*/\s*[Aa][^\s>]){0,99} structure <[Aa]\s+[Hh][Rr][Ee][Ff]= describe FS_MSGSTRUCT_HTML_NESTED_A_HREF Nested <a href> tags in HTML score FS_MSGSTRUCT_HTML_NESTED_A_HREF 5 # rule: FS_HTML_JS_OBFU # added 2006-05-22 # edit 2006-09-18: tighten regex slightly; samples were wrong # test: d-fence/virus-4mJ68OLM+Ax8.msg # test: d-fence/virus-P7Fn5j1Grjgf.msg full FS_HTML_JS_OBFU m{<\s*(?:(?!script|type=)[^<>]*)\s(?:type=("?)text/_javascript\1|language=("?)_javascript\2)[^<>]*>\s*<\s*/\s*script\s*>}i describe FS_HTML_JS_OBFU JavaScript with invalid <script> tag score FS_HTML_JS_OBFU 9 # rule: MSGSTRUCT_SUBJECT_DATE_BLEED # added 2005-01-26 # test: spam-2005-01-26/-3202406723-1106620521.V802I3c1e0.localhost.localdomain define_structure MSGSTRUCT_SUBJECT_DATE_BLEED structure \nSubject:.{1,200} # RFC822 date stamp, starting with day of week structure ((?:Mon|T(?:ue|hu)|Wed|Fri|S(?:at|un)), # day of month and month structure (?: )[ 0-3][0-9] (?:Jan|Feb|Ma[ry]|Apr|Ju[nl]|Aug|Sep|Oct|Nov|Dec) # year structure (?: (?:19[7-9]|2[01][0-9])[0-9] ) # time structure [0-2][0-9]:[0-5][0-9]:[0-5][0-9] # optional time zone structure (?: [+-][01][0-9][013][05] # Optional time zone name. # <http://www.worldtimezone.com/wtz-names/timezonenames.html> lists a zillion # but only a few are actually in common use. # Anyway, accept any 2-3 uppercase chars followed by "T" structure (?: $[A-Z]{2,3}T$)?)?\n) # And now a Date: header immediately after, containing the same date stamp structure Date: \1 describe MSGSTRUCT_SUBJECT_DATE_BLEED Subject contains Date: score MSGSTRUCT_SUBJECT_DATE_BLEED 10 # rule: MSGSTRUCT_CP1252_7BIT_BOGUS # added 2005-05-13 # test: spam-2005-05-13/df-2005-05-13-002617.txt define_structure MSGSTRUCT_CP1252_7BIT_BOGUS structure ^This is a multi-part message in MIME format\.\n\n structure (--[-=_A-Za-z0-9.]{2,78}\n) structure Content-Type: text/plain;\n # telltale sign #1: Windows-1252 in proper case structure \tcharset="Windows-1252"\n # telltale sign #2: CTE 7bit (sic) structure Content-Transfer-Encoding: 7bit\n\n # telltale sign #3: actually being neither structure (?:(?!\1)[ -~\n]{0,5}[\x80-\xFF]){9} describe MSGSTRUCT_CP1252_7BIT_BOGUS Claims Windows-1252 / 7bit but is neither score MSGSTRUCT_CP1252_7BIT_BOGUS 3 # rule: MSGSTRUCT_CP1252_7BIT_EMPTY # added 2005-05-13 # test: spam-2005-05-13/df-2005-05-13-002650.txt define_structure MSGSTRUCT_CP1252_7BIT_EMPTY structure ^This is a multi-part message in MIME format\.\n\n structure (--[-=_A-Za-z0-9.]{2,78}\n) structure Content-Type: text/plain;\n # telltale sign #1: Windows-1252 in proper case structure \tcharset="Windows-1252"\n # telltale sign #2: CTE 7bit (sic) structure Content-Transfer-Encoding: 7bit\n\n # telltale sign #3: the body part is empty structure \n{0,50}\1 describe MSGSTRUCT_CP1252_7BIT_EMPTY Empty Windows-1252 / 7bit (sic) body part score MSGSTRUCT_CP1252_7BIT_EMPTY 2 # rule: MSGSTRUCT_CP1252_7BIT # added 2005-05-13 # test: spam-2005-05-13/df-2005-05-13-002617.txt define_structure MSGSTRUCT_CP1252_7BIT structure ^This is a multi-part message in MIME format\.\n\n structure (--[-=_A-Za-z0-9.]{2,78}\n) structure Content-Type: text/plain;\n # telltale sign #1: Windows-1252 in proper case structure \tcharset="Windows-1252"\n # telltale sign #2: CTE 7bit (sic) structure Content-Transfer-Encoding: 7bit\n\n describe MSGSTRUCT_CP1252_7BIT Windows-1252 / 7bit (sic) body part score MSGSTRUCT_CP1252_7BIT 1 # rule: MSGSTRUCT_RATWARE_LAST_NULL # added 2005-01-26 # edit 2005-05-26: single newline before null is sufficient # test: spam-2005-01-24/3241406157-1106441111.V802I3befd.localhost.localdomain # test: spam-2005-05-26/df-2005-05-26-000602.txt define_structure MSGSTRUCT_RATWARE_LAST_NULL structure \n\000$ describe MSGSTRUCT_RATWARE_LAST_NULL Last character of message is ASCII NUL score MSGSTRUCT_RATWARE_LAST_NULL 4.5 # rule: MSGSTRUCT_CT_CONTD_EMPTY # added 2005-02-14 # test: spam-2005-02-13/287154983-1108179865.V802I3c32e.localhost.localdomain # target: semi-rare define_structure MSGSTRUCT_CT_CONTD_EMPTY # Workaround to get proper anchor to beginning of message headers structure (?:^) # Skip any intermediate headers structure (?:[ \tA-Z].{5,300}\n){0,50} # Up to Content-Type structure Content-[Tt]ype: [a-z/]+;[ \t]{0,20}charset="?[-a-z0-9]{5,15}"? # Here's the rub: an empty continuation on a new header line structure \n[ \t]{1,64}\n describe MSGSTRUCT_CT_CONTD_EMPTY Content-Type: header has empty continuation score MSGSTRUCT_CT_CONTD_EMPTY 5 # rule: MSGSTRUCT_RATWARE_MIME_PERSON_COMMA # added 2005-01-18 # test: spam-2005-01-18/2722742460-1106005202.V802I3da74.localhost.localdomain # target: rare define_structure MSGSTRUCT_RATWARE_MIME_PERSON_COMMA structure ^--[A-Za-z.0-9]{7,90}\n structure Content-[Tt]ype: text/plain;[ \t]{0,4}(?:\n[ \t]{1,19})? structure [A-Z][a-z]{2,17},\n\n describe MSGSTRUCT_RATWARE_MIME_PERSON_COMMA MIME header bleeds into greeting score MSGSTRUCT_RATWARE_MIME_PERSON_COMMA 7 # rule: FS_REPEATED_URL # added 2005-05-25 # edit 2005-11-11: tweak down score from 5 # edit 2006-09-28: regex recursion fix # test: spam-2005-05-24/df-2005-05-24-009323.txt define_structure FS_REPEATED_URL structure \n structure (https?://[-A-Za-z0-9._]{5,200}/(?:[-A-Za-z0-9._/\?%+;]{0,200}))\n structure (?:.{0,1024}\n){0,200} structure \1 describe FS_REPEATED_URL The same URL alone on a line twice score FS_REPEATED_URL 1 # rule: FS_HTML_TEXTAREAxN_IMG # added 2006-10-23 # test: reference-spam/textarea/2006-10-16_00-49-55_352 # test: reference-spam/textarea/2006-10-16_06-03-40_163 # test: reference-spam/textarea/2006-10-16_14-14-52_453 # test: reference-spam/textarea/2006-10-16_15-34-32_106 # test: reference-spam/textarea/2006-10-16_16-06-43_116 # test: reference-spam/textarea/2006-10-16_16-26-43_036 # test: reference-spam/textarea/2006-10-16_18-34-06_038 # test: reference-spam/textarea/2006-10-16_23-04-35_316 # test: reference-spam/textarea/2006-10-16_05-40-01_237 # test: reference-spam/textarea/2006-10-16_23-59-58_512 # test: reference-spam/textarea/2006-10-16_05-15-44_992 # fail: reference-spam/textarea 2006-10-16_10-04-52_615 (mangled) # fail: reference-spam/textarea 2006-10-16_10-04-31_387 (mangled) # fail: reference-spam/textarea/2006-10-16_13-12-52_831 # fail: reference-spam/textarea/2006-10-16_19-24-05_471 define_structure FS_HTML_TEXTAREAxN_IMG structure \n structure (?:<TEXTAREA>[^\n<>]{1,99}</TEXTAREA>\n){10} structure (?:<TEXTAREA>[^\n<>]{1,99}</TEXTAREA> structure <TEXTAREA>[^\n<>]{1,99}</TEXTAREA>\n)? structure (?:<TEXTAREA>[^\n<>]{1,99}</TEXTAREA>\n){10,40} structure \n?</(?i:body)>\n?</(?i:html)>\n\n # capture predictable part of MIME separator into \1 structure ------=_NextPart_001_000E_([0-9A-F]{8})\.[0-9A-F]{8}--\n\n # recurs here structure ------=_NextPart_000_0001_\1\.[0-9A-F]{8}\n structure Content-Type: image/jpeg;\n describe FS_HTML_TEXTAREAxN_IMG HTML spam, multiple TEXTAREAs + image score FS_HTML_TEXTAREAxN_IMG 9 # rule: MSGSTRUCT_STOX_OPTOUT # added 2005-02-24 # edit 2005-03-08: generalized to just the peculiar address format # edit 2005-03-08: permit space before @ # edit 2005-03-08: anchor to end of message, optional single line in between # test: spam-2005-02-24/1237624726-1109132397.V802I3c349.localhost.localdomain # test: spam-2005-03-08/2274592574-1110159471.V802I3c051.localhost.localdomain define_structure MSGSTRUCT_STOX_OPTOUT structure (?:[ \t])$([-~]) structure [a-zA-Z+=0-9._]{2,17} structure (?: )? structure \@([A-Za-z0-9][-_A-Za-z0-9]{0,17}\.){1,5}[A-Za-z]{2,5} structure \1$\n{1,15} structure (?:.{1,20}\n{1,15})? structure $ describe MSGSTRUCT_STOX_OPTOUT Opt-out template "opt-out language (-addr-)" score MSGSTRUCT_STOX_OPTOUT 3 # rule: MSGSTRUCT_RATWARE_DM_HEADERS # added 2005-03-09 # test: spam-2005-03-15/2879611028-1110758229.V802I3be30.localhost.localdomain # # Based on screen shot from <http://www.dark-mailer.com/dark/screenshots.asp> # # DM apparently randomizes the order of headers, so we could try to # look for random order, i.e. any order outside of the known good ones. # (Hmm, I guess actually you can configure multiple sets and it will rotate # through those sets. Yes, that's probably what rotating headers means.) # # For now, just testing for a static list in a given order, though. # This is probably configurable, but many users seem to use the default. # # (Ignoring the Received: header for now, although that would be really # telltale.) define_structure MSGSTRUCT_RATWARE_DM_HEADERS structure (?:^) structure (?:[-A-Za-z0-9_]{1,55}:.{1,300}\n structure (?:[ \t].{1,200}\n){0,40} structure ){0,40} structure Message-ID:.{1,120}\n structure (?:[-A-Za-z0-9_]{1,55}:.{1,300}\n){0,40} structure From:( "[^"]{1,200}" <[^<>\@"']{1,70}\@[^<>\@"']{1,70}>\n) structure Reply-To:\1 structure To:.{1,200}\n structure (?:[ \t].{1,200}\n){0,40} structure (?:Cc:.{1,200}\n structure (?:[ \t].{1,200}\n){0,40} structure ){0,40} structure Subject:.{1,200}\n structure (?:[ \t].{1,200}\n){0,40} structure Date:.{1,90}\n structure X-Mailer:.{1,200}\n structure MIME-Version: 1\.0\n structure Content-Type: multipart/alternative;\n ######## TODO: fixed number of spaces here? How many? structure [ \t]{1,12}boundary="([^"]{1,70})"\n structure X-Priority:.{1,90}\n structure X-MSMail-Priority:.{1,90}\n structure (?:[-A-Za-z0-9_]{1,55}:.{1,300}\n structure (?:[ \t].{1,200}\n){0,40} structure ){0,40} structure \n{1,2} structure --\2\n describe MSGSTRUCT_RATWARE_DM_HEADERS Headers from Dark Mailer 2.00 ratware score MSGSTRUCT_RATWARE_DM_HEADERS 9 # rule: MSGSTRUCT_DUMP_ADDRESS_MIME # added 2005-02-14 # test: spam-2005-02-13/287159407-1108188501.V802I3c788.localhost.localdomain # tracker: address-at-end 2005-02-14 ######## TODO: audit for false positives ######## TODO: figure out scientific score # target: semi-rare define_structure MSGSTRUCT_DUMP_ADDRESS_MIME # Lots of empty lines (prolly more than five, but we're liberal) structure \n{5} # Removal instruction structure (?!http)[-a-z ']{4,15}: ? # with URL (lacking http:// part) structure [A-Za-z][a-z_0-9]{1,20}(?:\.[A-Za-z0-9]{3,20}){0,4}\.[A-Za-z]{2,4} structure (/[A-Za-z0-9_]{1,19}){1,9}/? structure \n{2,4} # Followed by a massive word salad where full stops are preceded by space structure [A-Z][-a-z']{0,19}(?: (?:[A-Za-z][-a-z']{0,19}|\.)){2,12}\n structure (?: # (Anomaly: accept full stop as first character of internal word as well) structure [A-Za-z][-a-z']{0,19}(?: (?:[.A-Za-z][-a-z']{0,19}|\.)){2,12}\n structure ){1,32} # Followed by empty line and an email address structure \n{1,3} structure [A-Za-z0-9._]{4,44}\@ structure [A-Za-z][a-z_0-9]{1,20}(?:\.[A-Za-z0-9]{3,20}){0,4}\.[A-Za-z]{2,4} # Followed by optional empty line and the closing MIME boundary structure \n{0,3} structure -- structure [-A-Za-z0-9_]{14,50}-- structure \n{1,5}$ describe MSGSTRUCT_DUMP_ADDRESS_MIME Removal URL followed by word salad score MSGSTRUCT_DUMP_ADDRESS_MIME 7 # rule: FS_RATWARE_FCC_XID # added 2006-02-15 # test: spam-2006-02-01/df-2006-02-01-001514.txt # test: spam-2006-02-01/df-2006-02-01-005360.txt define_structure FS_RATWARE_FCC_XID structure (?:^) structure (?:[A-Za-z0-9].{0,1023}\n(?:[ \t].{0,1023}\n){0,50}){0,50} # telltale sign #1: FCC: header of a peculiar format structure FCC: mailbox:// # grab email address into \1 structure ([-_A-Za-z0-9]{1,64} structure \@(?:[A-Za-z0-9][-_A-Za-z0-9]{0,17}\.){1,5}[A-Za-z]{2,5}) structure /[Ss]ent\n # immediately followed by this structure X-Identity-Key:[ \t]{1,12}[-_A-Za-z0-9]{1,90}\n structure Date: structure (?: )(?:Mon|T(?:ue|hu)|Wed|Fri|S(?:at|un)), [ 0-3][0-9] structure (?: )(?:J(?:an|u[nl])|Feb|Ma[ry]|A(?:pr|ug)|Sep|Oct|Nov|Dec) structure (?: )[12][0-9]{3} [012][0-9](?::[0-5][0-9]){2} structure (?: [+-][01][0-9][013][05] structure (?: $[A-Z]{2,3}T$)?)?\n structure From: .{1,99} < # here's the rub -- the mailbox name again structure \1 structure >\n describe FS_RATWARE_FCC_XID Ratware with FCC: and X-Identity-Key: headers score FS_RATWARE_FCC_XID 6 # rule: FS_RATWARE_MIME_PREAMBLE_SPACED_OUT # added 2006-02-15 # test: spam-2006-02-01/df-2006-02-01-001514.txt define_structure __FS_RATWARE_MIME_PREAMBLE_SPACED_OUT structure ^ structure This[ ]{1,40} structure is[ ]{1,40} structure a[ ]{1,40} structure multi-part[ ]{1,40} structure message[ ]{1,40} structure in[ ]{1,40} structure MIME[ ]{1,40} structure format\.\n define_structure __FS_RATWARE_MIME_PREAMBLE_SPACED_NOT structure ^ structure This[ ] structure is[ ] structure a[ ] structure multi-part[ ] structure message[ ] structure in[ ] structure MIME[ ] structure format\.\n meta FS_RATWARE_MIME_PREAMBLE_SPACED_OUT (! __FS_RATWARE_MIME_PREAMBLE_SPACED_NOT && __FS_RATWARE_MIME_PREAMBLE_SPACED_OUT) describe FS_RATWARE_MIME_PREAMBLE_SPACED_OUT Spaced-out MIME preamble text score FS_RATWARE_MIME_PREAMBLE_SPACED_OUT 6 # rule: MSGSTRUCT_RATWARE_BASE64_BLEED # added 2005-01-18 # test: spam-2005-01-18/2722734622-1105983182.V802I3d2fe.localhost.localdomain # target: rare define_structure MSGSTRUCT_RATWARE_BASE64_BLEED structure ^[ \t]{1,7}[A-Za-z0-9+/]{18,90}\nReceived: describe MSGSTRUCT_RATWARE_BASE64_BLEED Headers with base64 spill into body score MSGSTRUCT_RATWARE_BASE64_BLEED 7 # rule: MSGSTRUCT_GOURANGA # added 2005-01-28 # test: reference-spam/0001gouranga.eml # target: rare # tracker: gouranga / 2005-01-28 define_structure MSGSTRUCT_GOURANGA structure ^Call out Gouranga be happy!!!\n structure Gouranga Gouranga Gouranga \.\.\.\.\n structure That which brings the highest happiness!!\n{0,6}$ describe MSGSTRUCT_GOURANGA Hare Krishna Gouranga spam template score MSGSTRUCT_GOURANGA 4.5 endif # rule: URI_HTTP_HTTP # added 2005-03-02 # edit 2005-03-15: shorter more focused regex; add comma to disallowed chars # test: spam-2005-03-10/2447413657-1110383392.V802I3d049.localhost.localdomain # tracker: http-redir-maybe 2005-02-23; update 2005-03-02 2005-03-08 2005-03-15 # target: semi-rare uri URI_HTTP_HTTP /(%[0-9A-F]{2}|[^A-Za-z0-9"'<>,])https?[%:]/ describe URI_HTTP_HTTP URI appears to contain a http redirect score URI_HTTP_HTTP 1.0 # rule: SUBJECT_FULL_STOP # added 2005-03-08 # test: spam-2005-03-06/2101801134-1110000206.V802I3c5d2.localhost.localdomain ######## TODO: audit for false positives ######## TODO: figure out scientific score # tracker: subject-full-stop 2005-03-02 (shared with SUBJECT_FULL_STOP_SP) header SUBJECT_FULL_STOP Subject =~ /\.$/ describe SUBJECT_FULL_STOP Subject ends in full stop score SUBJECT_FULL_STOP 1.0 # rule: SUBJECT_FULL_STOP_SP # added 2005-03-08 # test: spam-2005-03-06/2101798498-1109992525.V802I3c34b.localhost.localdomain ######## TODO: audit for false positives ######## TODO: figure out scientific score # tracker: subject-full-stop 2005-03-02 (shared with SUBJECT_FULL_STOP) header SUBJECT_FULL_STOP_SP Subject =~ /\.[ \t]+$/ describe SUBJECT_FULL_STOP_SP Subject ends in full stop and whitespace score SUBJECT_FULL_STOP_SP 1.5 # rule: OPERATION_SYSTEM # added 2005-03-09 # test: spam-2005-03-08/2274591222-1110155608.V802I3beff.localhost.localdomain ######## TODO: schedule for 2005-03-15 ######## TODO: audit for false positives ######## TODO: figure out scientific score body OPERATION_SYSTEM /\boperation system\b/ describe OPERATION_SYSTEM Body mentions "operation system" score OPERATION_SYSTEM 1.5 # rule: OBFUSCATED_STOCK # created 2005-01-18 # edit 2005-02-28: typo fix (duh) # edit 2005-03-09: word boundaries (duh) ######## TODO: regression tests body OBFUSCATED_STOCK /\b(?![Ss]tock|STOCK)[5Ss]{1,3}[Tt+]{1,3}[O0o]{1,3}[Cc]{0,3}[Kk](?:[5Ss]{1,3})?\b/ describe OBFUSCATED_STOCK Uses word "stock" with funny 5p3ll1n6 score OBFUSCATED_STOCK 2 # rule: OBFUSCATED_DOWNLOAD # created 2005-01-18 # edit 2005-02-28: typo fix (duh) # edit 2005-03-09: word boundary (duh) ######## TODO: regression tests body OBFUSCATED_DOWNLOAD /\b(?![Dd]ownload|DOWNLOAD)[Dd]{1,3}.?[Oo0]{1,3}.?[Ww]{1,3}.?[Nn]{1,3}.?[Ll1]{1,3}.?[0Oo]{1,3}.?[Aa]{0,3}.?[Dd]/ describe OBFUSCATED_DOWNLOAD Uses word "download" with funny 5p3ll1n6 score OBFUSCATED_DOWNLOAD 3 # rule: OBFUSCATED_SOFTWARE # created 2005-02-28 # edit 2005-03-09: word boundaries (duh) # test: spam-2005-02-28/1583368982-1109516276.V802I3ceb8.localhost.localdomain # test: spam-2005-02-28/1583368997-1109516284.V802I3cebc.localhost.localdomain body OBFUSCATED_SOFTWARE /\b(?![Ss]oftware|SOFTWARE)[Ss5]{1,3}.?[Oo0]{1,3}.?[Ff]{1,3}.?[Tt\+]{1,3}.?[Ww]{1,3}.?[Aa4]{0,3}.?[Rr]{1,3}[Ee3]{0,3}\b/ describe OBFUSCATED_SOFTWARE Uses word "software" with funny 5p3ll1n6 score OBFUSCATED_SOFTWARE 3 # rule: OBFUSCATED_WINDOWS # created 2005-02-28 # edit 2005-03-09: word boundaries (duh) # edit 2006-01-13: prevent false positives from dictionary hits # test: spam-2005-02-28/1583368997-1109516284.V802I3cebc.localhost.localdomain body OBFUSCATED_WINDOWS /\b(?![Ww]in(d(o(w'?[sz]|[sz]e)|sor)|sock)|[Ww][Ww][Ww]\.|WIN(D(OW'?S|SOR)|SOCK))[Ww]{1,3}.?[Ii1l]{1,3}.?[Nn]{1,3}.?[Dd]{1,3}.?[Oo0]{1,3}.?[Ww]{0,3}.?[SsZz]{1,3}\b/ describe OBFUSCATED_WINDOWS Uses word "windows" with funny 5p3ll1n6 score OBFUSCATED_WINDOWS 2 # rule: FS_MIME_BOUNDARY_MADE # added 2006-03-10 # edit 2006-03-13: restrict properly to top-level MIME bounary only # test: ######## TODO: provide sample ######## temp: spam-samples/youreudomain-sandbacka-2006-03-13.msg header FS_MIME_BOUNDARY_MADE Content-type =~ m{multipart/[^;\s]+; boundary=boundary-EU\.se-made$} describe FS_MIME_BOUNDARY_MADE Funny MIME boundary "EU.se-made" score FS_MIME_BOUNDARY_MADE 4