#
# 2003-2009 Victor Ustugov
#
# Rules that flag forged or malformed Received: trace headers.  Each scoring
# rule is a "header ... Received =~ /regex/" test plus a describe line and a
# score; the double-underscore rules carry no score of their own and only
# feed the "meta" rules below them.
#
# NOTE(review): this copy was recovered from a listing in which all directives
# had been run together on a few long lines; the one-directive-per-line layout
# below was restored by the reviewer and should be checked against the original
# file.  Two regexes (INVALID_EXIM_RECEIVED2 and __SENDMAIL_QUEUE_ID3) were
# split mid-pattern by that flattening and have been re-joined on a space.
#

# Raw 8-bit bytes inside a Received: header.  A trace header is expected to be
# plain ASCII, so any byte in 0x80-0xFF is treated as a sign of a forged line.
header RCVD_ILLEGAL_CHARS Received =~ /[\x80-\xff]/
describe RCVD_ILLEGAL_CHARS Received: has raw illegal character
score RCVD_ILLEGAL_CHARS 4.0

# FORGED_GENERIC_RECEIVED .. FORGED_GENERIC_RECEIVED5: "from [ip] by host; date"
# lines that follow a fixed, over-simplified template (no "with", no queue id,
# "by" an IP literal, "from localhost", ...) rather than the format any real
# MTA writes.  The "(.+\n)*" prefix lets the template sit on any line of a
# folded header.  Note "[+-]\d\d\d0": the timezone is required to end in 0,
# which is what the spamware generating these lines apparently emits.
header FORGED_GENERIC_RECEIVED Received =~ /^\s*(.+\n)*from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by (([\w\d-]+\.)+[a-zA-Z]{2,6}|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}); \w{3}, \d+ \w{3} 20\d\d \d\d\:\d\d\:\d\d [+-]\d\d\d0/
describe FORGED_GENERIC_RECEIVED Forged generic Received
score FORGED_GENERIC_RECEIVED 3.6

# Same template with a bare 12-character "id" and no "with" clause.
header FORGED_GENERIC_RECEIVED2 Received =~ /^\s*(.+\n)*from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by ([\w\d-]+\.)+[a-z]{2,6} id [\w\d]{12}; \w{3}, \d+ \w{3} 20\d\d \d\d\:\d\d\:\d\d [+-]\d\d\d0/
describe FORGED_GENERIC_RECEIVED2 Forged generic Received
score FORGED_GENERIC_RECEIVED2 3.6

# "by <IP literal> with SMTP id <14 letters>.<13 digits> ... (GMT)": the id
# shape mimics a large webmail provider, but the "by" part is an IP address
# instead of a hostname -- presumably a copied template; confirm before tuning.
header FORGED_GENERIC_RECEIVED3 Received =~ /^\s*(.+\n)*by \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} with SMTP id [a-zA-Z]{14}\.\d{13};[\r\n\s]*\w{3}, \d+ \w{3} 20\d\d \d\d\:\d\d\:\d\d [+-]\d\d\d0 \(GMT\)/
describe FORGED_GENERIC_RECEIVED3 Forged generic Received
score FORGED_GENERIC_RECEIVED3 3.6

# "from localhost by <anything>; <date>" as the *last* thing in the header
# (anchored with [\s\r\n]*$).
header FORGED_GENERIC_RECEIVED4 Received =~ /^\s*(.+\n)*from localhost by \S+;\s+\w{3}, \d+ \w{3} 20\d\d \d\d\:\d\d\:\d\d [+-]\d\d\d0[\s\r\n]*$/
describe FORGED_GENERIC_RECEIVED4 Forged generic Received
score FORGED_GENERIC_RECEIVED4 3.6

# The header starts with "from [ip]" and a later line repeats "from <same ip>
# by ..." (backreference \1 to the captured address).  Scored higher than the
# other generic templates.
header FORGED_GENERIC_RECEIVED5 Received =~ /^\s*from \[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\].*\n(.+\n)*from \1 by \S+;\s+\w{3}, \d+ \w{3} 20\d\d \d\d\:\d\d\:\d\d [+-]\d\d\d0$/
describe FORGED_GENERIC_RECEIVED5 Forged generic Received
score FORGED_GENERIC_RECEIVED5 4.6

# INVALID_EXIM_RECEIVED / INVALID_EXIM_RECEIVED2: Exim-style lines
# ("from ip (HELO x) by host with esmtp (...) id ...") whose parenthesised
# software name or id contains characters Exim never writes there.
#
# NOTE(review): two things in these two rules need checking against the
# original file before they are loaded:
#   * "To|Received" is not a header specification that the stock SpamAssassin
#     "header" directive accepts (it takes one header name, or ALL/ToCc, with
#     optional :raw/:addr/:name); the literal "\|" in the pattern suggests a
#     local patch that joins the two header bodies with "|".  Confirm the
#     installation supports it, otherwise these rules will not load.
#   * The pattern opens with "/?" and uses "\1", yet no capturing group
#     precedes the backreference.  Perl rejects a reference to a nonexistent
#     group, so the start of the regex (presumably the group matched against
#     the To: side) looks to have been lost when the listing was flattened.
header INVALID_EXIM_RECEIVED To|Received =~ /?[\s\r\n]*\|.*from \d+\.\d+\.\d+\.\d+ \(HELO \S+\)[\s\r\n]*by \1 with esmtp \(\S*?[\?\@\(\)\s\.\+\*''\/\\,]\S*\)[\s\r\n]+id \S*?[\)\(<>\/\\,\-:=]/s
describe INVALID_EXIM_RECEIVED Invalid Exim Received (1) (DSPAM autolearn)
score INVALID_EXIM_RECEIVED 5.0

# Variant: "(UPPERCASE UPPERCASE)" in place of the software name, with a
# well-formed Exim id (6-6-2 alphanumerics).  Same caveats as above.
header INVALID_EXIM_RECEIVED2 To|Received =~ /?[\s\r\n]*\|.*from \d+\.\d+\.\d+\.\d+ \(HELO \S+\)[\s\r\n]*by \1 with esmtp \([A-Z]{9,12} [A-Z]{5,6}\)[\s\r\n]+id [a-zA-Z\d]{6}-[a-zA-Z\d]{6}-[a-zA-Z\d]{2}[\s\r\n]+/s
describe INVALID_EXIM_RECEIVED2 Invalid Exim Received (2) (DSPAM autolearn)
score INVALID_EXIM_RECEIVED2 3.0

# Postfix-style "(Postfix) with ESMTP id X [for <y>]; <date with weekday>"
# anchored at the very end of the header.
# NOTE(review): the feature that separates this from a genuine Postfix line is
# not obvious from the pattern itself (the "(DSPAM autolearn)" tag suggests it
# was derived from a corpus rather than from a format difference); verify the
# false-positive rate before raising the score.
header INVALID_POSTFIX_RECEIVED Received =~ / \(Postfix\) with ESMTP id [A-Z\d]+([\s\r\n]+for <\S+?>)?;[\s\r\n]*[A-Z][a-z]{2}, \d{1,2} [A-Z][a-z]{2} \d\d\d\d \d\d:\d\d:\d\d [\+\-]\d\d\d\d$/
describe INVALID_POSTFIX_RECEIVED Invalid Postfix Received (DSPAM autolearn)
score INVALID_POSTFIX_RECEIVED 3.0

# Sendmail queue-id consistency check.
# __SENDMAIL_QUEUE_ID1: a Sendmail "(8.x.y/8.x.y) with [E]SMTP id" line with an
# id of at least 9 id characters.
header __SENDMAIL_QUEUE_ID1 Received =~ /\(8\.\d+\.\d+\/8\.\d+\.\d+\) with E?SMTP id [A-Za-z0-9\-]{9,}/
# Older, looser form of the id check, kept for reference (disabled).
#header __SENDMAIL_QUEUE_ID2 Received =~ /\(8\.\d+\.\d+\/8\.\d+\.\d+\) with E?SMTP id [A-Za-z0-9]{8}[0-9]{2,10}\b/
# __SENDMAIL_QUEUE_ID2: the id has the shape a real Sendmail queue id has.
# The per-position classes ([k-y], [\dAB], [\dA-V], [\dA-N], ...) appear to
# mirror Sendmail's base-60-ish encoding of year/month/day/hour followed by
# the pid digits -- presumably; verify against the Sendmail version in use
# before widening or narrowing them.
header __SENDMAIL_QUEUE_ID2 Received =~ /\(8\.\d+\.\d+\/8\.\d+\.\d+\) with E?SMTP id [k-y][\dAB][\dA-V][\dA-N][\dA-Za-z]{4}\d{2,10}\b/
# Sendmail banner present but the id does not have a valid queue-id shape.
meta FORGED_SENDMAIL_QUEUE_ID __SENDMAIL_QUEUE_ID1 && !__SENDMAIL_QUEUE_ID2
describe FORGED_SENDMAIL_QUEUE_ID Forged Sendmail Received
score FORGED_SENDMAIL_QUEUE_ID 5.0

# Lower-case / "sendmail 8.x.y/8.x.y ... with [e]smtp[s][a] id" variant of
# __SENDMAIL_QUEUE_ID1.
header __SENDMAIL_QUEUE_ID3 Received =~ /\((\s*sendmail )?8\.\d+\.\d+\/8\.\d+\.\d+\) with e?smtps?a? id [A-Za-z0-9\-]{9,}/
# NOTE(review): POCHTARU and POCHTARU_SMTP are not defined in this section and
# must come from another rule file; SpamAssassin warns on a meta rule with an
# undefined dependency, so check they are loaded alongside this file.
meta FORGED_SENDMAIL_QUEUE_ID2 __SENDMAIL_QUEUE_ID3 && !__SENDMAIL_QUEUE_ID2 && !POCHTARU && !POCHTARU_SMTP
describe FORGED_SENDMAIL_QUEUE_ID2 Forged Sendmail Received
score FORGED_SENDMAIL_QUEUE_ID2 5.0

# A fixed fingerprint: HELO name equal to the bare "from" token (\1), a
# Sendmail banner written with a stray space "( sendmail 8.13.3/8.13.1)", and
# an Exim-shaped 6-6-2 id -- an internally inconsistent mix no single MTA
# produces.
header FORGED_SENDMAIL_RECEIVED_HELO Received =~ /from ([^\.\s]+) \(\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] helo=\1\)[\s\r\n]*by \S+ \( sendmail 8\.13\.3\/8\.13\.1\) with esmtpa id [\dA-Za-z]{6}-[\dA-Za-z]{6}-[\dA-Za-z]{2}/
describe FORGED_SENDMAIL_RECEIVED_HELO Forged Sendmail Received
score FORGED_SENDMAIL_RECEIVED_HELO 4.0

# Three-part version string "(8.13.8/8.13.0/3.0)" -- a specific template seen
# in forged lines.
header FORGED_SENDMAIL_RECEIVED_VER Received =~ /by \S+ \(8\.13\.8\/8\.13\.0\/3\.0\) with SMTP/
describe FORGED_SENDMAIL_RECEIVED_VER Forged Sendmail Received
score FORGED_SENDMAIL_RECEIVED_VER 4.0

# A hostname where the bracketed IP address should be ("[host.tld]"), plus a
# constant id prefix "eA5KcNf": a hard-coded spamware template.
header FORGED_SENDMAIL_RECEIVED_IP Received =~ /from ([\w\d\-]+\.)+[a-z]{2,3}\(([\w\d\-]+\.)+[a-z]{2,3} \[([\w\d\-]+\.)+[a-z]{2,3}\]\)[\s\r\n]+by ([\w\d\-]+\.)+[a-z]{2,3} \(8\.11\.1\/8\.11\.1\) with ESMTP id eA5KcNf[A-F\d]{5}[\s\r\n]+for <\S+\@\S+>;/
describe FORGED_SENDMAIL_RECEIVED_IP Forged Sendmail Received
score FORGED_SENDMAIL_RECEIVED_IP 5.0

# "via smtpd (for ..." wording.  Low score: a heuristic, not a proof.
header SUSPICIOUS_RECEIVED_VIA_SMTPD Received =~ /\bvia smtpd \(for /
describe SUSPICIOUS_RECEIVED_VIA_SMTPD Suspicious header Received, may be generated by spamware
score SUSPICIOUS_RECEIVED_VIA_SMTPD 2.0

# Exim-style "helo=0.0.0.0": the unspecified address is never a legitimate
# HELO name.
header SUSPICIOUS_RECEIVED_HELO_0_0_0_0 Received =~ /from \S+(\.\S+)+ \(\[\d+\.\d+\.\d+\.\d+\] helo=0\.0\.0\.0\)/
describe SUSPICIOUS_RECEIVED_HELO_0_0_0_0 Suspicious HELO 0.0.0.0 in header Received
score SUSPICIOUS_RECEIVED_HELO_0_0_0_0 3.0

# Date stamp with the weekday missing but its comma left behind
# ("; , 12 Jan 2008 ...").
# NOTE(review): the trailing "\s*([\r\n]*.*)*$" can always consume the rest of
# the header, so it does not change whether the rule fires; it only adds a
# nested-quantifier tail for the regex engine to walk.  Dropping it would be
# behaviour-preserving -- confirm with the rule's test corpus before editing.
header SUSPICIOUS_RECEIVED_DATE_WITHOUT_WDAY Received =~ /(;\s*|[\r\n]*\s+),+ \d+ (\w\w\w|.{2,7}) 20\d\d -?\d\d:\d\d:\d\d [\-\+]\d\d\d0\)?\s*([\r\n]*.*)*$/
describe SUSPICIOUS_RECEIVED_DATE_WITHOUT_WDAY Suspicious header Received
score SUSPICIOUS_RECEIVED_DATE_WITHOUT_WDAY 3.5