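#
# 2007 Victor Ustugov
#
# Local SpamAssassin rules for forged or malformed headers: broken address
# syntax, fake antivirus/mailer stamps, implausible Received lines and
# unexpanded bulk-mailer template macros.  Sub-rules prefixed "__" score
# nothing on their own and only feed "meta" rules.
#
# NOTE(review): several sub-rules used in metas below are defined in another
# file and are not visible here: __Yandex, __CUST_X_MAILER_EMPTY,
# __CUST_X_Mailer_OE, __CUST_THREAD_INDEX_EMPTY,
# __Received_with_Microsoft_SMTPSVC and __X_MimeOLE_Microsoft_Exchange.
# The file fails to load unless that file is present as well.
#

# X-Matched-Lists holding nothing but "[]": a list stamp with an empty list.
header   SUSPICIOUS_X_Matched_Lists X-Matched-Lists =~ /^\[\]$/
describe SUSPICIOUS_X_Matched_Lists Suspicious X-Matched-Lists
score    SUSPICIOUS_X_Matched_Lists 1.5

# Angle-bracket addresses with whitespace before the closing ">"
# ("<user@host >"), which well-formed mail software does not emit.
header   SUSPICIOUS_MESSAGE_ID Message-ID =~ /^<\S+\@\S+\s+>$/
describe SUSPICIOUS_MESSAGE_ID Suspicious Message-ID
score    SUSPICIOUS_MESSAGE_ID 2.0

header   SUSPICIOUS_FROM_ADDR From =~ /^.*<\S+\@\S+\s+>$/
describe SUSPICIOUS_FROM_ADDR Suspicious header From
score    SUSPICIOUS_FROM_ADDR 2.0

header   SUSPICIOUS_REPLY_TO_ADDR Reply-To =~ /^.*<\S+\@\S+\s+>$/
describe SUSPICIOUS_REPLY_TO_ADDR Suspicious header Reply-To
score    SUSPICIOUS_REPLY_TO_ADDR 2.0

header   SUSPICIOUS_TO_ADDR To =~ /^.*<\S+\@\S+\s+>$/
describe SUSPICIOUS_TO_ADDR Suspicious header To
score    SUSPICIOUS_TO_ADDR 2.0

# Quoted display name that starts with whitespace: '" John' instead of '"John'.
header   SUSPICIOUS_FROM_REALNAME From =~ /^\s*"\s/
describe SUSPICIOUS_FROM_REALNAME Suspicious real name in header From
score    SUSPICIOUS_FROM_REALNAME 0.5

header   SUSPICIOUS_REPLY_TO_REALNAME Reply-To =~ /^\s*"\s/
describe SUSPICIOUS_REPLY_TO_REALNAME Suspicious real name in header Reply-To
score    SUSPICIOUS_REPLY_TO_REALNAME 0.5

# Same check for To, skipping over any preceding comma-separated recipients.
# NOTE(review): the nested quantifier (.+,[\s\r\n]*)* can backtrack
# exponentially on a long recipient list that contains no '" ' -- confirm
# scan time on large To headers before relying on this rule.
header   SUSPICIOUS_TO_REALNAME To =~ /^\s*(.+,[\s\r\n]*)*"\s/
describe SUSPICIOUS_TO_REALNAME Suspicious real name in header To
score    SUSPICIOUS_TO_REALNAME 0.5

# NOTE(review): the next rule is damaged in this copy of the file: the regex is
# never closed, and the date fragment that follows it looks like the tail of a
# comment block that originally documented a legitimate ASMTP Received line.
# Restore the complete rule from the original source before loading this file.
header SUSPICIOUS_FROM_REALNAME2 From =~ /\s"\s; Mon, 19 Mar 2007 14:05:04 +0100
#
# Received: from leopg9.no-ip.org ([89.150.201.69])
#   by mc2.sverige.net (JPHS Mail server v2.1.3) with ASMTP id MOB44030
#   for <recipient>; Sat, 07 Apr 2007 12:46:30 +0200
#
# forged:
#
# Received: from olaz
#   by PEREZ-MORRIS.COM with ASMTP id 6EE4F1F6
#   for <recipient>; Sat, 24 Mar 2007 21:59:02 +0100
#
# Received: from big-cat
#   by DECISIONSTRATEGIES.COM with ASMTP id D032ADC5
#   for <3dreferent@falbi.ua>; Sat, 24 Mar 2007 18:09:35 -0500
#
# ASMTP Received line whose id is exactly eight upper-case letters/digits,
# as in the forged samples above (the genuine sample uses a different shape).
header   SUSPICIOUS_ASMTP_RECEIVED Received =~ /from \S+[\s\r\n]+by \S+ with ASMTP id [A-Z\d]{8}\b/
describe SUSPICIOUS_ASMTP_RECEIVED Suspicious ASMTP Received
score    SUSPICIOUS_ASMTP_RECEIVED 3.0

# HELO strings that were only ever seen from spamware.
header   RECEIVED_SPAMWARE_HELO Received =~ /(from |helo=)(QRJATYDI|QRJATIDI|SOCKFAULT1|RDOBYESV)/
describe RECEIVED_SPAMWARE_HELO Header Received contains spamware helo
score    RECEIVED_SPAMWARE_HELO 3.0

#
# X-Mailer: mPOP Web-Mail 2.19
# X-Antivirus: avast! (VPS 000731-0, 06.04.2007), Outbound message
#
# A web-mail X-Mailer combined with a desktop antivirus "Outbound message"
# stamp: the two headers come from different kinds of software and are not
# expected on the same message.
header   __X_Mailer_mPOP_Web_Mail X-Mailer =~ /^mPOP Web-Mail \d+\.\d+$/
header   __X_Antivirus_avast X-Antivirus =~ /^avast! \(VPS .+\), Outbound message$/
meta     FORGED_mPOP_WEBMAIL __X_Mailer_mPOP_Web_Mail && __X_Antivirus_avast
describe FORGED_mPOP_WEBMAIL Personal antivirus with Web Mail mailer
score    FORGED_mPOP_WEBMAIL 3.0

# Disabled: earlier attempt to match the avast stamp by its exact date layout.
#header FORGED_X_Antivirus_avast X-Antivirus =~ /^avast! \(VPS \d{6}-\d, \d\d\/\d\d\/\d\d\d\d\), Outbound message$/
#describe FORGED_X_Antivirus_avast Forged personal antivirus avast
#score FORGED_X_Antivirus_avast 2.5

# forged:
# X-RAV-Antivirus: This e-mail has been scanned for viruses on host: [forged]
# X-RAV-AntiVirus: This message has been scanned for viruses on [forged]
#
# Any X-RAV-AntiVirus header at all is treated as forged (/./ matches any
# non-empty value); the product is considered dead by the author.
header   DEAD_RAV_ANTIVIRUS X-RAV-AntiVirus =~ /./
describe DEAD_RAV_ANTIVIRUS Dead RAV AntiVirus
score    DEAD_RAV_ANTIVIRUS 3.0

# Antivirus stamps that are too terse or too unusual to be genuine.
header   FORGED_NORTON_ANTIVIRUS X-Virus-Scanned =~ /^Norton$/
describe FORGED_NORTON_ANTIVIRUS Forged Norton AV
score    FORGED_NORTON_ANTIVIRUS 3.0

header   FAKE_OR_UNKNOWN_AV_AMERISERV X-Virus-Scanned =~ /^by Ameriserv.net Anti-Virus E-Gateway$/
describe FAKE_OR_UNKNOWN_AV_AMERISERV Fake unknown AV
score    FAKE_OR_UNKNOWN_AV_AMERISERV 3.0

header   FAKE_GMX_AV X-GMX-Antivirus =~ /^0 \(no virus found\)$/
describe FAKE_GMX_AV Fake GMX AV
score    FAKE_GMX_AV 3.0

# "OK! AntiVir MailGate Version 2.x.y; AVE: ...; VDF: ..." in X-AntiVirus.
header   FORGED_AntiVir_MailGate X-AntiVirus =~ /^OK! AntiVir MailGate Version 2\.\d+\.\d+; AVE: \d+\.\d+\.\d+\.\d+; VDF: \d+\.\d+\.\d+\.\d+$/
describe FORGED_AntiVir_MailGate Forged AntiVir MailGate
score    FORGED_AntiVir_MailGate 3.5

# Two specific AntiVir MailGate version/engine/VDF combinations seen in spam.
header   SUSPICIOUS_AntiVir_MailGate X-AntiVirus =~ /^checked by AntiVir MailGate (\(version: 2\.0\.1\.10; AVE: 6\.20\.0\.1; VDF: 6\.20\.0\.46; host: \S+\)|\(version: 2\.0\.1\.5; AVE: 6\.17\.0\.2; VDF: 6\.17\.0\.5; host: \S+\))$/
describe SUSPICIOUS_AntiVir_MailGate Suspicious AntiVir MailGate
score    SUSPICIOUS_AntiVir_MailGate 3.0

# Dr.Web stamp in X-AntiVirus.  Kept under its own rule name: the original
# file reused SUSPICIOUS_AntiVir_MailGate here, which silently replaced the
# AntiVir rule above (the later definition of a rule name wins).
header   SUSPICIOUS_AntiVir_DrWeb X-AntiVirus =~ /^Checked by Dr\.Web \(http:\/\/www\.drweb\.net\)$/
describe SUSPICIOUS_AntiVir_DrWeb Suspicious Dr.Web stamp in X-AntiVirus
score    SUSPICIOUS_AntiVir_DrWeb 4.0

#
# Version numbers from http://www.avira.com/en/downloads/avira_antivir_unix_mailgate.html contains "-"
#
# A purely dotted version (2.x.y...) is therefore not a real MailGate version.
# NOTE(review): the trailing ";$" requires the header value to end right after
# the version, while the samples in the rule above continue with "AVE:" --
# confirm this rule ever fires; the anchor may be a mistake.
header   SUSPICIOUS_AntiVir_MailGate_Ver X-AntiVirus =~ /^checked by AntiVir MailGate \(version: 2(\.\d+){2,};$/
describe SUSPICIOUS_AntiVir_MailGate_Ver Suspicious AntiVir MailGate version
score    SUSPICIOUS_AntiVir_MailGate_Ver 3.0

# Stamps from the long-obsolete AMaViS 0.2 line.
header   DESPRECATED_AMAVIS_0_2_X X-AntiVirus =~ /^scanned for viruses by AMaViS 0\.2\.\d+ \(http:\/\/amavis\.org\/\)$/
describe DESPRECATED_AMAVIS_0_2_X Deprecated content scanner AMaViS 0.2.X
score    DESPRECATED_AMAVIS_0_2_X 3.0

# Exiscan X-Scanner together with an AMaViS 0.2.0-pre6 X-Virus-Scanner.
header   __AMAVIS_0_2_EXISCAN_X_Scanner X-Scanner =~ /^[a-z]+ for [a-z]+ \(http:\/\/duncanthrax\.net\/exiscan\/\)$/
header   __AMAVIS_0_2_EXISCAN_X_Virus_Scanner X-Virus-Scanner =~ /^AMaVis 0\.2\.0-pre6 \/ Virus Scan$/
meta     DESPRECATED_AMAVIS_0_2_EXISCAN __AMAVIS_0_2_EXISCAN_X_Scanner && __AMAVIS_0_2_EXISCAN_X_Virus_Scanner
describe DESPRECATED_AMAVIS_0_2_EXISCAN Strange X-Scanner and deprecated X-Virus-Scanner
score    DESPRECATED_AMAVIS_0_2_EXISCAN 5.0

# Header whose first line is empty and whose value starts on a folded
# continuation line ("From:" immediately followed by LF and a space).
# Checked on the raw, unfolded header block (ALL:raw) with /m so ^ anchors
# at the start of each header line.
header   HEADER_FROM_0A ALL:raw =~ /^From:\x0a /mi
describe HEADER_FROM_0A Header From begins with 0x0A
score    HEADER_FROM_0A 1.5

header   HEADER_TO_0A ALL:raw =~ /^To:\x0a /mi
describe HEADER_TO_0A Header To begins with 0x0A
score    HEADER_TO_0A 1.5

header   HEADER_CC_0A ALL:raw =~ /^Cc:\x0a /mi
describe HEADER_CC_0A Header Cc begins with 0x0A
score    HEADER_CC_0A 1.5

header   HEADER_SUBJECT_0A ALL:raw =~ /^Subject:\x0a /mi
describe HEADER_SUBJECT_0A Header Subject begins with 0x0A
score    HEADER_SUBJECT_0A 1.5

# Header name followed by a tab instead of a space.  __Yandex (defined
# elsewhere) is excluded; presumably that mail system emits tab-separated
# headers legitimately -- verify against the definition of __Yandex.
header   __HEADER_FROM_TAB ALL:raw =~ /^From:\t/mi
meta     HEADER_FROM_TAB __HEADER_FROM_TAB && !__Yandex
describe HEADER_FROM_TAB From begins with tab
score    HEADER_FROM_TAB 2.5

header   __HEADER_TO_TAB ALL:raw =~ /^To:\t/mi
meta     HEADER_TO_TAB __HEADER_TO_TAB && !__Yandex
describe HEADER_TO_TAB To begins with tab
score    HEADER_TO_TAB 2.5

header   __HEADER_CC_TAB ALL:raw =~ /^Cc:\t/mi
meta     HEADER_CC_TAB __HEADER_CC_TAB && !__Yandex
describe HEADER_CC_TAB Cc begins with tab
score    HEADER_CC_TAB 2.5

header   __HEADER_DATE_TAB ALL:raw =~ /^Date:\t/mi
meta     HEADER_DATE_TAB __HEADER_DATE_TAB && !__Yandex
describe HEADER_DATE_TAB Date begins with tab
score    HEADER_DATE_TAB 2.5

header   __HEADER_SUBJECT_TAB ALL:raw =~ /^Subject:\t/mi
meta     HEADER_SUBJECT_TAB __HEADER_SUBJECT_TAB && !__Yandex
describe HEADER_SUBJECT_TAB Subject begins with tab
score    HEADER_SUBJECT_TAB 2.5

# An MTA version string ("Sendmail 8.x.y/8.x.y") where a mail client name is
# expected; sendmail itself does not write X-Mailer.
header   X_MAILER_Sendmail X-Mailer =~ /^Sendmail 8\.\d+\.\d+\/8\.\d+\.\d+$/
describe X_MAILER_Sendmail Strange X-Mailer Sendmail
score    X_MAILER_Sendmail 4.0

# Bare product names with no build/version suffix.  The genuine clients are
# assumed to always append a full version string -- treat as a heuristic.
header   FORGED_X_MAILER X-Mailer =~ /^(Microsoft Outlook|Outlook Express|Outlook Express 6|Outlook Express 6\.0|The Bat)$/
describe FORGED_X_MAILER Forged X-Mailer
score    FORGED_X_MAILER 4.0

# X-Mailer present but with an empty (whitespace-only) value, scanned over the
# whole header block (ALL).
# NOTE(review): the (.+\r?\n)* prefix is redundant with an /m anchor and can
# backtrack exponentially on CRLF-terminated headers when no empty X-Mailer
# exists, because ".+" and "\r?" both accept the "\r".  Consider
# /^X-Mailer:[ \t]*\r?$/m, but confirm ALL's line endings first.
header   __X_MAILER_EXISTS ALL =~ /^(.+\r?\n)*X-Mailer:\s*\r?\n/
meta     EMPTY_X_MAILER __X_MAILER_EXISTS && __CUST_X_MAILER_EMPTY
describe EMPTY_X_MAILER Empty X-Mailer
score    EMPTY_X_MAILER 4.0

# Mailer names only seen from bulk-mailing software.
header   SPAMWARE_X_MAILER X-Mailer =~ /^(iBriteMail .+)$/
describe SPAMWARE_X_MAILER SpamWare X-Mailer
score    SPAMWARE_X_MAILER 3.0

header   SPAMWARE_X_MAILER_MMailer X-Mailer =~ /^MMailer v3\.[01]$/
describe SPAMWARE_X_MAILER_MMailer SpamWare X-Mailer MMailer
score    SPAMWARE_X_MAILER_MMailer 5.0

# Homograph of administrator@freemail.hu: the local part is spelled with a
# lower-case "l" in place of an "i" (admlnistrator / adminlstrator), in the
# From, envelope sender and Return-Path respectively.
header   FROM_administrator_freemail_hu From =~ /(admlnistrator|adminlstrator)\@freemail\.hu/
describe FROM_administrator_freemail_hu Lookalike of administrator@freemail.hu in From
score    FROM_administrator_freemail_hu 4.0

header   ENV_FROM_administrator_freemail_hu X-Envelope-From =~ /^<(admlnistrator|adminlstrator)\@freemail\.hu>$/
describe ENV_FROM_administrator_freemail_hu Lookalike of administrator@freemail.hu in X-Envelope-From
score    ENV_FROM_administrator_freemail_hu 4.0

header   RETURN_PATH_administrator_freemail_hu Return-Path =~ /^<(admlnistrator|adminlstrator)\@freemail\.hu>$/
describe RETURN_PATH_administrator_freemail_hu Lookalike of administrator@freemail.hu in Return-Path
score    RETURN_PATH_administrator_freemail_hu 4.0

# Mailbox part of the From address starting with "-" or "_", either bare or
# inside angle brackets after a display name.
header   HEADER_FROM_MAILBOX_MINUS From =~ /^\s*([_\-]\S+\@|.+<[_\-]\S+\@)/
describe HEADER_FROM_MAILBOX_MINUS Header From mailbox begins with "-" or "_"
score    HEADER_FROM_MAILBOX_MINUS 2.0

# Thread-Index is expected to be a base64 string of at least 27 characters.
# __INVALID_THREAD_INDEX (despite its name) matches a well-formed value; the
# meta fires when the header is present (__CUST_THREAD_INDEX_EMPTY, defined
# elsewhere, is false) but does not have that shape.
header   __INVALID_THREAD_INDEX Thread-Index =~ /^\s*[0-9A-Za-z\/_\+=]{27,}$/
meta     INVALID_THREAD_INDEX1 !__CUST_THREAD_INDEX_EMPTY && !__INVALID_THREAD_INDEX
describe INVALID_THREAD_INDEX1 Invalid header Thread-Index
score    INVALID_THREAD_INDEX1 1.5

# Characters that can never appear in a base64 Thread-Index.
header   INVALID_THREAD_INDEX2 Thread-Index =~ /[,\.''""\*\(\)\{\}<>\@]/
describe INVALID_THREAD_INDEX2 Invalid header Thread-Index
score    INVALID_THREAD_INDEX2 2.5

# NOTE(review): this rule is damaged in this copy: the pattern uses the back
# reference \1 but contains no capturing group, the regex starts with a bare
# "?", and "To|Received" is not standard "header" syntax (it reads as a
# concatenation of two headers joined by "|").  Everything between the opening
# "/" and the first "?" was most likely lost when the file was extracted; do
# not load this line as-is -- recover it from the original source.
header   INVALID_EXIM_RECEIVED To|Received =~ /?[\s\r\n]*\|.*from \d+\.\d+\.\d+\.\d+ \(HELO \S+\)[\s\r\n]*by \1 with esmtp \(\S*?[\?\@\(\)\s\.\+\*''\/\\,]\S*\)[\s\r\n]+id \S*?[\)\(<>\/\\,\-:=]/s
describe INVALID_EXIM_RECEIVED Invalid Exim Received
score    INVALID_EXIM_RECEIVED 5.0

# Postfix-style "(Postfix) with ESMTP id ... for <...>; Day, dd Mon yyyy
# hh:mm:ss +zzzz" at the very end of the header.
# NOTE(review): the file does not record which detail makes this shape
# invalid; as written it also appears to match a well-formed Postfix line.
# Confirm against real samples before trusting the 3.0 score.
header   INVALID_POSTFIX_RECEIVED Received =~ / \(Postfix\) with ESMTP id [A-Z\d]+([\s\r\n]+for <\S+?>)?;[\s\r\n]*[A-Z][a-z]{2}, \d{1,2} [A-Z][a-z]{2} \d\d\d\d \d\d:\d\d:\d\d [\+\-]\d\d\d\d$/
describe INVALID_POSTFIX_RECEIVED Invalid Postfix Received
score    INVALID_POSTFIX_RECEIVED 3.0

# Sendmail 8.x queue ids: ID1 accepts any id of nine or more alphanumerics,
# ID2 the expected shape of eight alphanumerics followed by a 2-10 digit
# numeric tail.  A long id without the numeric tail is treated as forged.
header   __SENDMAIL_QUEUE_ID1 Received =~ /\(8\.\d+\.\d+\/8\.\d+\.\d+\) with E?SMTP id [A-Za-z0-9]{9,}/
header   __SENDMAIL_QUEUE_ID2 Received =~ /\(8\.\d+\.\d+\/8\.\d+\.\d+\) with E?SMTP id [A-Za-z0-9]{8}[0-9]{2,10}\b/
meta     FORGED_SENDMAIL_QUEUE_ID __SENDMAIL_QUEUE_ID1 && !__SENDMAIL_QUEUE_ID2
describe FORGED_SENDMAIL_QUEUE_ID Forged Sendmail Received
score    FORGED_SENDMAIL_QUEUE_ID 5.0

# "from host ([ip] helo=host) by ... ( sendmail 8.13.3/8.13.1) with esmtpa id
# xxxxxx-xxxxxx-xx": a sendmail banner (note the stray space after "(")
# combined with an "esmtpa" keyword and an id layout that is not sendmail's.
header   FORGED_SENDMAIL_RECEIVED_HELO Received =~ /from ([^\.\s]+) \(\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] helo=\1\)[\s\r\n]*by \S+ \( sendmail 8\.13\.3\/8\.13\.1\) with esmtpa id [\dA-Za-z]{6}-[\dA-Za-z]{6}-[\dA-Za-z]{2}/
describe FORGED_SENDMAIL_RECEIVED_HELO Forged Sendmail Received
score    FORGED_SENDMAIL_RECEIVED_HELO 4.0

# Three-part sendmail version tag "(8.13.8/8.13.0/3.0)" seen in spam.
header   FORGED_SENDMAIL_RECEIVED_VER Received =~ /by \S+ \(8\.13\.8\/8\.13\.0\/3\.0\) with SMTP/
describe FORGED_SENDMAIL_RECEIVED_VER Forged Sendmail Received
score    FORGED_SENDMAIL_RECEIVED_VER 4.0

header   SUSPICIOUS_RECEIVED_VIA_SMTPD Received =~ /\bvia smtpd \(for /
describe SUSPICIOUS_RECEIVED_VIA_SMTPD Suspicious header Received, may be generated by spamware
score    SUSPICIOUS_RECEIVED_VIA_SMTPD 2.0

# Exchange/MAPI submissions carrying an X-Mailer, and Exchange relays with an
# Outlook Express X-Mailer.  All sub-rules are defined in another file.
meta     MAPI_X_Mailer __Received_with_Microsoft_SMTPSVC && __X_MimeOLE_Microsoft_Exchange && !__CUST_X_MAILER_EMPTY
describe MAPI_X_Mailer Sent via MAPI and has X-Mailer
score    MAPI_X_Mailer 2.5

meta     Exchange_OE __Received_with_Microsoft_SMTPSVC && __CUST_X_Mailer_OE
describe Exchange_OE Sent via Exchange with OE
score    Exchange_OE 2.0

#
# Content-Type: multipart/mixed;
#   boundary="----=_NextPart_000_00A4_01C2A9A6.49E3536E"
# Content-Type: multipart/related;
#   boundary="----=_NextPart_000_00CE_01C2A9A6.58469320"
# Content-Type: multipart/alternative;
#   boundary="----=_NextPart_001_00F0_01C2A9A6.0D05708C"
# Content-Type: multipart/related;
#   Type="multipart/alternative";
#   boundary="----=_NextPart_000_00EF_01C2A9A6.0D05708C"
#
# Outlook-style MIME boundary whose middle segment is one of three fixed
# values taken from the samples above; the same value recurring across
# unrelated messages indicates a reused template rather than a live client.
header   MACRO_DMS_CONTENT_TYPE Content-Type =~ /^multipart.+boundary="----=_NextPart_000_[A-Z\d]{4}_(01C2A9A6|01C2A75B|01C2AA85)\.[A-Z\d]{8}"[\r\n]*$/s
describe MACRO_DMS_CONTENT_TYPE Suspicious boundary in Content-Type
score    MACRO_DMS_CONTENT_TYPE 5.0

# Unexpanded bulk-mailer template placeholders ("%NAME%" or "%NAME") left in
# headers.  The exact AMS_* tokens get the higher score; the generic __MACRO_*
# rules catch other placeholders and exclude the exact ones so a message is
# not scored twice for the same header.

#
# To: %AMS_MESSAGE_TO%
#
header   MACRO_AMS_MESSAGE_TO To =~ /^\%AMS_MESSAGE_TO\%$/
describe MACRO_AMS_MESSAGE_TO Macro AMS_MESSAGE_TO found in header To
score    MACRO_AMS_MESSAGE_TO 5.0

header   __MACRO_TO To =~ /^\s*(%\S+%|%[A-Z_\-]+)$/i
meta     MACRO_TO __MACRO_TO && !MACRO_AMS_MESSAGE_TO
describe MACRO_TO Macro found in header To
score    MACRO_TO 3.0

#
# Subject: %AMS_MESSAGE_SUBJECT%
#
header   MACRO_AMS_MESSAGE_SUBJECT Subject =~ /^\%AMS_MESSAGE_SUBJECT\%$/
describe MACRO_AMS_MESSAGE_SUBJECT Macro AMS_MESSAGE_SUBJECT found in header Subject
score    MACRO_AMS_MESSAGE_SUBJECT 5.0

#
# Subject: Doc % FROM_NAME
#
# NOTE(review): the second alternative, "%" + optional space + a word at the
# end of the subject (case-insensitive), also matches ordinary text such as
# "... 20% off" -- expect false positives at 3.0 and consider tightening.
header   __MACRO_SUBJECT Subject =~ /(%\S+%|%\s?[A-Z_\-]+)\s*$/i
meta     MACRO_SUBJECT __MACRO_SUBJECT && !MACRO_AMS_MESSAGE_SUBJECT
describe MACRO_SUBJECT Macro found in header Subject
score    MACRO_SUBJECT 3.0

#
# Date: %AMS_MESSAGE_DATE%
#
header   MACRO_AMS_MESSAGE_DATE Date =~ /^\%AMS_MESSAGE_DATE\%$/
describe MACRO_AMS_MESSAGE_DATE Macro AMS_MESSAGE_DATE found in header Date
score    MACRO_AMS_MESSAGE_DATE 5.0

header   __MACRO_DATE Date =~ /^\s*(%\S+%|%[A-Z_\-]+)$/i
meta     MACRO_DATE __MACRO_DATE && !MACRO_AMS_MESSAGE_DATE
describe MACRO_DATE Macro found in header Date
score    MACRO_DATE 3.0

#
# Content-Type: multipart/alternative;
#   boundary="%AMS_NEXTPART%"
#
header   MACRO_AMS_NEXTPART Content-Type =~ /\%AMS_NEXTPART\%/
describe MACRO_AMS_NEXTPART Macro AMS_NEXTPART found in header Content-Type
score    MACRO_AMS_NEXTPART 5.0

#
# Content-Type: text/plain; charset=%CHARSET
#
header   MACRO_CONTENT_TYPE Content-Type =~ /\%CHARSET/
describe MACRO_CONTENT_TYPE Macro found in header Content-Type
score    MACRO_CONTENT_TYPE 4.0

#
# Received: from %RECEIVED.yahoo.com ([125.162.8.240]) by 122.252.111.133 %REC_WITH;
#   Thu, 05 Apr 2007 16:54:55 -0100
#
# Placeholder in the "from" host name or the literal %REC_WITH token.
header   MACRO_RECEIVED Received =~ /.*(from \%\S+(\.[a-zA-Z-\d]+)* |\%REC_WITH)/s
describe MACRO_RECEIVED Macro found in header Received
score    MACRO_RECEIVED 3.0

#
# Message-ID: <%MESSAGEID@yahoo.com>
#
# Placeholder as the local part of the Message-ID.
header   MACRO_MESSAGE_ID Message-ID =~ /^\s*\<\%\S+(\.[a-zA-Z-\d]+)*\@/
describe MACRO_MESSAGE_ID Macro found in header Message-ID
score    MACRO_MESSAGE_ID 3.0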