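#
# 2007-2009 Victor Ustugov
#

# --- X-Mailer checks ---------------------------------------------------------

# Matches a header block (ALL) that contains an X-Mailer: line with nothing
# after the colon. __CUST_X_MAILER_EMPTY, combined with it below, lives in
# another file.
# NOTE(review): with CRLF-terminated headers the (.+\r?\n)* prefix admits two
# ways to consume each line (".+" may or may not swallow the \r), so a message
# with no empty X-Mailer can backtrack heavily; /^X-Mailer:[ \t]*\r?$/m would be
# the linear form. Left as-is pending confirmation of how ALL is folded.
header   __X_MAILER_EXISTS    ALL =~ /^(.+\r?\n)*X-Mailer:\s*\r?\n/
meta     EMPTY_X_MAILER       __X_MAILER_EXISTS && __CUST_X_MAILER_EMPTY
describe EMPTY_X_MAILER       Empty X-Mailer
score    EMPTY_X_MAILER       4.0

# MTA names in X-Mailer. MTAs do not normally announce themselves in X-Mailer
# (that header is set by the user agent), so these specific forms are treated
# as signatures. The "(DSPAM autolearn)" wording is kept verbatim.
header   X_MAILER_Sendmail    X-Mailer =~ /^\s*Sendmail (8\.\d+\.\d+\/8\.\d+\.\d+|3\.\d+\/3\.\d+)$/
describe X_MAILER_Sendmail    Strange X-Mailer Sendmail (DSPAM autolearn)
score    X_MAILER_Sendmail    6.0

header   X_MAILER_SMTP_SENDMAIL X-Mailer =~ /^\s*SMTP\.SENDMAIL\.FFFFx029A$/
describe X_MAILER_SMTP_SENDMAIL Suspicious X-Mailer SMTP.SENDMAIL
score    X_MAILER_SMTP_SENDMAIL 4.0

header   X_MAILER_Postfix     X-Mailer =~ /^\s*Postfix 2\.\d\d$/
describe X_MAILER_Postfix     Strange X-Mailer Postfix (DSPAM autolearn)
score    X_MAILER_Postfix     5.0

header   X_MAILER_Qmail       X-Mailer =~ /^\s*(Qmail-3\.\d\d|Qmail 2\.\d\d)$/
describe X_MAILER_Qmail       Strange X-Mailer Qmail (DSPAM autolearn)
score    X_MAILER_Qmail       5.0

header   X_MAILER_Gentoo      X-Mailer =~ /^\s*Gentoo$/
describe X_MAILER_Gentoo      Strange X-Mailer Gentoo (DSPAM autolearn)
score    X_MAILER_Gentoo      5.0

header   X_MAILER_Exim        X-Mailer =~ /^\s*Exim \d+\.\d+$/
describe X_MAILER_Exim        Strange X-Mailer Exim (DSPAM autolearn)
score    X_MAILER_Exim        5.0

# Bare product names with no version/build string, as real clients emit one.
# PS (negated below) is not defined in this file; presumably an allow-list
# rule -- verify where it is declared.
header   __FORGED_X_MAILER    X-Mailer =~ /^\s*(Microsoft Outlook|Outlook Express|Outlook Express 6|Outlook Express 6\.0|The Bat)$/
meta     FORGED_X_MAILER      __FORGED_X_MAILER && !PS
describe FORGED_X_MAILER      Forged X-Mailer (DSPAM autolearn)
score    FORGED_X_MAILER      5.0

# --- QUALCOMM Eudora -----------------------------------------------------------

# Eudora X-Mailer plus a windows-1251-encoded From/Subject without the
# X-Sender/Return-Path pairing; the __QUALCOMM_*, __X_Sender_* and __CUST_*
# sub-rules are defined elsewhere.
meta     FORGED_MUA_QUALCOMM_Eudora __QUALCOMM_Windows_Eudora_X_Mailer && !__X_Sender_Return_Path && __CUST_From_BASE64_windows_1251 && __CUST_Subject_QP_windows_1251
describe FORGED_MUA_QUALCOMM_Eudora Header Sender mismatch in message from QUALCOMM Windows Eudora
score    FORGED_MUA_QUALCOMM_Eudora 2.0

# Content-Type shape (multipart/related wrapping multipart/alternative with a
# "====..._NNNNNN.REL" boundary) seen with a forged Eudora X-Mailer.
header   __FORGED_MUA_QUALCOMM_Eudora_CT Content-Type =~ /^\s*multipart\/related;[\r\n\s]*type="multipart\/alternative";[\r\n\s]*boundary="=====================_\d{6,9}(==)?\.REL"$/
meta     FORGED_MUA_QUALCOMM_Eudora_CT __QUALCOMM_Windows_Eudora_X_Mailer && __FORGED_MUA_QUALCOMM_Eudora_CT
describe FORGED_MUA_QUALCOMM_Eudora_CT Forged mail pretending to be from QUALCOMM Eudora (suspicious header Content-Type)
score    FORGED_MUA_QUALCOMM_Eudora_CT 2.0

# --- mPOP Web-Mail -------------------------------------------------------------

# mPOP Web-Mail X-Mailer where none of the envelope/Return-Path sub-rules
# agree with header From (all three __CUST_* sub-rules are external).
meta     mPOP_Web_Mail_DIFFERENT_ADDRS __X_Mailer_mPOP_Web_Mail && !__CUST_X_Envelope_From_From && !__CUST_Return_Path_From && !__CUST_Return_path_From
describe mPOP_Web_Mail_DIFFERENT_ADDRS X-Mailer: mPOP Web-Mail and different addresses in Return-Path and header From
score    mPOP_Web_Mail_DIFFERENT_ADDRS 3.0

# Sender domains that genuinely use mPOP Web-Mail. Matched on the parsed
# address (From:addr) and anchored at the end of the domain: the previous
# unanchored match on the raw From header also hit display-name text and
# look-alike domains such as "mail.ru.<anything>", and because this sub-rule is
# negated in FAKE_mPOP_Web_Mail such a From line silently suppressed that rule.
header   __mPOP_Web_Mail_From_Real From:addr =~ /\@(?:mail\.ru|list\.ru|bk\.ru|inbox\.ru|ukr\.net)$/i

# Date header whose zone offset is +0300 or +0400.
header   __FAKE_mPOP_Web_Mail_Date Date =~ / \+0[34]00 *$/

meta     FAKE_mPOP_Web_Mail   __X_Mailer_mPOP_Web_Mail && !__mPOP_Web_Mail_From_Real && __TO_WITHOUT_REALNAME && __FROM_WITHOUT_REALNAME && __FAKE_mPOP_Web_Mail_Date && __CUST_Content_Type_text_plain
describe FAKE_mPOP_Web_Mail   Fake mPOP Web-Mail
score    FAKE_mPOP_Web_Mail   4.0

header   X_MAILER_OUTLOOK_5_0 X-Mailer =~ /^\s*Outlook 5\.0$/
describe X_MAILER_OUTLOOK_5_0 Suspicious X-Mailer
score    X_MAILER_OUTLOOK_5_0 3.0

header   FORGED_X_MAILER_Yamail X-Mailer =~ /^\s*Yamail$/
describe FORGED_X_MAILER_Yamail Forged X-Mailer Yamail
score    FORGED_X_MAILER_Yamail 3.0

########################################

# --- Fake replies --------------------------------------------------------------

# Subject starts with "Re:" or "Re[N]:" (case-insensitive, leading whitespace
# allowed). Each FAKE_REPLY_* rule pairs this with a client signature whose
# real replies always carry References and/or In-Reply-To; the __CUST_*,
# __User_Agent_* sub-rules and FAKE_REPLY_C are defined in other files.
header   __Reply_Subject      Subject =~ /^[\s\r\n]*Re(\[\d+\])?:/i

meta     FAKE_REPLY_OE        __Reply_Subject && (__CUST_X_Mailer_OE_5 || __CUST_X_Mailer_OE_6) && __CUST_References_EMPTY && !FAKE_REPLY_C
describe FAKE_REPLY_OE        Fake reply message
score    FAKE_REPLY_OE        1.5

meta     FAKE_REPLY_MSO12     __Reply_Subject && __CUST_X_Mailer_MSO12 && (__CUST_References_EMPTY || __CUST_In_Reply_To_EMPTY) && !FAKE_REPLY_C
describe FAKE_REPLY_MSO12     Fake reply message
score    FAKE_REPLY_MSO12     1.5

meta     FAKE_REPLY_MSO11     __Reply_Subject && __CUST_X_Mailer_MSO11 && __CUST_In_Reply_To_EMPTY && !FAKE_REPLY_C
describe FAKE_REPLY_MSO11     Fake reply message
score    FAKE_REPLY_MSO11     1.5

# Mozilla 5 User-Agent but not the CDO 2000 X-Mailer, which presumably shares
# that UA string -- verify against __CUST_X_Mailer_CDO2000's definition.
meta     FAKE_REPLY_Mozilla_Mail __Reply_Subject && __User_Agent_Mozilla5 && !__CUST_X_Mailer_CDO2000 && (__CUST_References_EMPTY || __CUST_In_Reply_To_EMPTY) && !FAKE_REPLY_C
describe FAKE_REPLY_Mozilla_Mail Fake reply message
score    FAKE_REPLY_Mozilla_Mail 1.5

meta     FAKE_REPLY_Mozilla_TB __Reply_Subject && __User_Agent_Thunderbird && (__CUST_References_EMPTY || __CUST_In_Reply_To_EMPTY) && !FAKE_REPLY_C
describe FAKE_REPLY_Mozilla_TB Fake reply message
score    FAKE_REPLY_Mozilla_TB 1.5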