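#
# 2007-2009 Victor Ustugov
#
# Rules for mail that claims to come from The Bat! MUA but does not look like
# it.  The subrules __THEBAT_MUA, __THEBAT_MUA_ANY, __CUST_FROM_EMPTY,
# __CUST_X_MSMAIL_PRIORITY_NOT_EMPTY, __FROM_ANGLE_BRACKETS and the exemption
# rule Likis_SPN_Price_list are referenced below but are NOT defined in this
# file; it only lints together with the file(s) that define them.
#

########################################
# Message-ID claims @thebat.net while From: does not.
# Note: !__CUST_FROM_EMPTY keeps the rule from firing on a missing From:.
header   __FORGED_THEBAT_NET_MESSAGE_MSGID  Message-ID =~ /\@thebat\.net>$/
header   __FORGED_THEBAT_NET_MESSAGE_From   From =~ /\@thebat\.net>?$/
meta     FORGED_THEBAT_NET_MESSAGE  __FORGED_THEBAT_NET_MESSAGE_MSGID && !__CUST_FROM_EMPTY && !__FORGED_THEBAT_NET_MESSAGE_From && __THEBAT_MUA_ANY
describe FORGED_THEBAT_NET_MESSAGE  Forged thebat.net message
score    FORGED_THEBAT_NET_MESSAGE  3.5

########################################
# The Bat! builds the Message-ID from the local host name, not from an IP
# literal; a dotted-quad right-hand side is a forgery indicator.
header   __FORGED_MUA_THEBAT_Message_ID_01  Message-ID =~ /\@\d+\.\d+\.\d+\.\d+>$/i
meta     FORGED_MUA_THEBAT_Message_ID_01  __FORGED_MUA_THEBAT_Message_ID_01 && __THEBAT_MUA_ANY
describe FORGED_MUA_THEBAT_Message_ID_01  Mail pretending to be from The Bat! (Message-ID: IP address) (DSPAM autolearn)
score    FORGED_MUA_THEBAT_Message_ID_01  3.5

########################################
# Genuine The Bat! Message-IDs look like <NNNN.YYYYMMDDHHMMSS@host>.
# __THEBAT_MSGID checks that the 14-digit field is a plausible timestamp:
# year 1970-2099, month 01-12, day 01-31, hour 00-23, minute/second 00-59.
# (Month 00, day 00 and hours 24-59 were previously accepted; a real client
# clock never produces them, so such IDs now fall through to the _02l rule.)
# __THEBAT_MSGID_Common only checks the shape (any 14 digits) so that a
# right-shaped but impossible timestamp gets the higher _02l score.
header   __THEBAT_MSGID         Message-ID =~ /^\s*<\d+\.(19[789]\d|20\d\d)(0[1-9]|1[012])(0[1-9]|[12]\d|3[01])([01]\d|2[0-3])([0-5]\d)([0-5]\d)\@\S+>$/
header   __THEBAT_MSGID_Common  Message-ID =~ /^\s*<\d+\.\d{14}\@\S+>$/
meta     FORGED_MUA_THEBAT_Message_ID_02   __THEBAT_MUA_ANY && !__THEBAT_MSGID && !__THEBAT_MSGID_Common && !Likis_SPN_Price_list
describe FORGED_MUA_THEBAT_Message_ID_02   Mail pretending to be from The Bat! (forged Message-ID)
score    FORGED_MUA_THEBAT_Message_ID_02   3.0

meta     FORGED_MUA_THEBAT_Message_ID_02l  __THEBAT_MUA_ANY && !__THEBAT_MSGID && __THEBAT_MSGID_Common
describe FORGED_MUA_THEBAT_Message_ID_02l  Mail pretending to be from The Bat! (forged Message-ID) (DSPAM autolearn)
score    FORGED_MUA_THEBAT_Message_ID_02l  4.0

########################################
# X-MSMail-Priority is an Outlook/Outlook Express header; The Bat! does not
# emit it.
meta     FORGED_MUA_THEBAT_X_MSMAIL_PRIORITY  __THEBAT_MUA_ANY && __CUST_X_MSMAIL_PRIORITY_NOT_EMPTY
describe FORGED_MUA_THEBAT_X_MSMAIL_PRIORITY  Mail pretending to be from The Bat! (X-MSMail-Priority) (DSPAM autolearn)
score    FORGED_MUA_THEBAT_X_MSMAIL_PRIORITY  4.5

########################################
# NOTE(review): /\s*$/ matches every body, and nothing in this file references
# this subrule.  Kept byte-identical in case another file uses it in a meta;
# confirm with `spamassassin --lint` over the whole rule set before removing.
rawbody  __FORGED_MUA_THEBAT_INVALID_TAG  /\s*$/

########################################
# The Bat! always writes a display name before an angle-bracketed address.
meta     FROM_ANGLE_BRACKETS_THEBAT  __FROM_ANGLE_BRACKETS && __THEBAT_MUA
describe FROM_ANGLE_BRACKETS_THEBAT  The Bat! doesn't use angle brackets without real name
score    FROM_ANGLE_BRACKETS_THEBAT  2.5

# Unlike the Reply-To variant below this is not end-anchored, so a To: list
# whose first recipient lacks a display name also hits — presumably deliberate
# because To: may hold several addresses; confirm before anchoring it.
header   __TO_ANGLE_BRACKETS  To =~ /^\s*<\S+\@\S+>\s*/
meta     TO_ANGLE_BRACKETS_THEBAT  __TO_ANGLE_BRACKETS && __THEBAT_MUA
describe TO_ANGLE_BRACKETS_THEBAT  The Bat! doesn't use angle brackets without real name
score    TO_ANGLE_BRACKETS_THEBAT  2.5

header   __REPLYTO_ANGLE_BRACKETS  Reply-To =~ /^\s*<\S+\@\S+>\s*$/
meta     REPLYTO_ANGLE_BRACKETS_THEBAT  __REPLYTO_ANGLE_BRACKETS && __THEBAT_MUA
describe REPLYTO_ANGLE_BRACKETS_THEBAT  The Bat! doesn't use angle brackets without real name
score    REPLYTO_ANGLE_BRACKETS_THEBAT  2.5

########################################
# Disabled: capitalised charset names ("Windows-1251", "KOI8-R") in
# RFC 2047 encoded words of address/Subject headers.  Left commented out as
# in the original; the leading alternation strips common spam-tag prefixes
# before looking at the encoded word.
#header __FORGED_MUA_BAT_CHARSET_SUBJECT Subject:raw =~ /^[\s\r\n]*(Spam:|\[(SPAM|Spam|spam)\] |\*S\*P\*A\*M\* |\{(SPAM|Spam|spam)\??\}|\[!! SPAM\]|\[SPAM PROBABLE\]:?|\[SUSPECTED SPAM\]|Suspected Spam:|\**May be Spam\**|\**(POSSIBLE )?SPAM\**|\[Spam Probability=\d+\]|X-IMail-SPAM-Premium|X-IMail-SPAM-Connection|!! SPAM Suspect : SPAM-Statistic !!)?[\s\r\n]*(((Re|RE|re)(\[\d+\])?|Fw|Fwd):|\[Re:\d+\])?\s*=\?(Windows|WINDOWS|Koi|KOI)/
#meta FORGED_MUA_BAT_CHARSET_SUBJECT __THEBAT_MUA_ANY && __FORGED_MUA_BAT_CHARSET_SUBJECT
#describe FORGED_MUA_BAT_CHARSET_SUBJECT Forged MUA The Bat! (charset with capital in beginning of header Subject)
#score FORGED_MUA_BAT_CHARSET_SUBJECT 1.0
#
#header __FORGED_MUA_BAT_CHARSET_FROM From:raw =~ /^[\s\r\n]*"?=\?(Windows|WINDOWS|Koi|KOI)/
#meta FORGED_MUA_BAT_CHARSET_FROM __THEBAT_MUA_ANY && __FORGED_MUA_BAT_CHARSET_FROM
#describe FORGED_MUA_BAT_CHARSET_FROM Forged MUA The Bat! (charset with capital in beginning of header From)
#score FORGED_MUA_BAT_CHARSET_FROM 1.0
#
#header __FORGED_MUA_BAT_CHARSET_REPLY_TO Reply-To:raw =~ /^[\s\r\n]*"?=\?(Windows|WINDOWS|Koi|KOI)/
#meta FORGED_MUA_BAT_CHARSET_REPLY_TO __THEBAT_MUA_ANY && __FORGED_MUA_BAT_CHARSET_REPLY_TO
#describe FORGED_MUA_BAT_CHARSET_REPLY_TO Forged MUA The Bat! (charset with capital in beginning of header Reply-To)
#score FORGED_MUA_BAT_CHARSET_REPLY_TO 1.0
#
#header __FORGED_MUA_BAT_CHARSET_TO To:raw =~ /^[\s\r\n]*"?=\?(Windows|WINDOWS|Koi|KOI)/
#meta FORGED_MUA_BAT_CHARSET_TO __THEBAT_MUA_ANY && __FORGED_MUA_BAT_CHARSET_TO
#describe FORGED_MUA_BAT_CHARSET_TO Forged MUA The Bat! (charset with capital in beginning of header To)
#score FORGED_MUA_BAT_CHARSET_TO 1.0
#
#header __FORGED_MUA_BAT_CHARSET_CC Cc:raw =~ /^[\s\r\n]*"?=\?(Windows|WINDOWS|Koi|KOI)/
#meta FORGED_MUA_BAT_CHARSET_CC __THEBAT_MUA_ANY && __FORGED_MUA_BAT_CHARSET_CC
#describe FORGED_MUA_BAT_CHARSET_CC Forged MUA The Bat! (charset with capital in beginning of header Cc)
#score FORGED_MUA_BAT_CHARSET_CC 1.0
########################################

########################################
# X-Mailer / User-Agent strings that imitate The Bat! but do not match the
# format the real client writes ("The Bat! (vN.N.N) ...").  These fire on the
# header alone and do not depend on __THEBAT_MUA_ANY.
header   SUSPICIOUS_MAILER_TheBat  X-Mailer =~ /^\s*TheBat v\.3\.0$/
describe SUSPICIOUS_MAILER_TheBat  Suspicious MUA TheBat v.3.0 (DSPAM autolearn)
score    SUSPICIOUS_MAILER_TheBat  4.0

header   SUSPICIOUS_MAILER_TheBat_4  X-Mailer =~ /^\s*TheBat 4\.\d$/
describe SUSPICIOUS_MAILER_TheBat_4  Suspicious MUA TheBat 4.x (DSPAM autolearn)
score    SUSPICIOUS_MAILER_TheBat_4  4.0

header   SUSPICIOUS_USERAGENT_TheBat_4  User-Agent =~ /^\s*TheBat 4\.\d$/
describe SUSPICIOUS_USERAGENT_TheBat_4  Suspicious MUA TheBat 4.x (DSPAM autolearn)
score    SUSPICIOUS_USERAGENT_TheBat_4  4.0

# Product name with no version number at all, in either spelling.
header   SUSPICIOUS_MAILER_TheBat_WO_VER  X-Mailer =~ /^\s*TheBat!$/
describe SUSPICIOUS_MAILER_TheBat_WO_VER  Suspicious MUA TheBat! without version number (DSPAM autolearn)
score    SUSPICIOUS_MAILER_TheBat_WO_VER  4.0

header   SUSPICIOUS_MAILER_The_Bat_WO_VER  X-Mailer =~ /^\s*The Bat!$/
describe SUSPICIOUS_MAILER_The_Bat_WO_VER  Suspicious MUA The Bat! without version number (DSPAM autolearn)
score    SUSPICIOUS_MAILER_The_Bat_WO_VER  4.0

# Version without the parentheses and "v" the real client uses.
header   SUSPICIOUS_MAILER_TheBat_WO_Brackets  X-Mailer =~ /^\s*The Bat! \d\.\d\d? Business$/
describe SUSPICIOUS_MAILER_TheBat_WO_Brackets  Suspicious MUA The Bat! without brackets in version number (DSPAM autolearn)
score    SUSPICIOUS_MAILER_TheBat_WO_Brackets  3.0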