#
# 2007-2013 Victor Ustugov
#
# Checking header fields with a case-sensitive field name requires this patch:
# http://mta.org.ua/spamassassin-3.2.0/patches/3.2.0/patch-src::MultiCaseSensHeadersCheck-3.2.0.patch
#
# NOTE(review): the patch URL is plain HTTP; verify the patch contents before
# applying it to a production mail filter.
# NOTE(review): the ":case" header modifier used further down is presumably
# supplied by that patch -- confirm, and run `spamassassin --lint` on the
# target installation to check that these rules parse.
#
# Purpose of this file: rules that score mail whose X-Mailer claims Outlook
# Express (OE) but whose other headers do not look like OE output.
# Most metas depend on sub-rules that are not defined in this section
# (__CUST_X_Mailer_OE*, __MAILMAN, __Mailing_List_Server, ...); lint the full
# ruleset to confirm they all resolve.
# Many rules below key on the same X-Mailer signal and carry 2.0-4.0 points
# each, so two hits on one message can already reach a required_score of 5.

# Message-Id and MIME boundary share the same two 8-hex-digit groups:
# \1 and \2 captured from the Message-Id must reappear as "\1.\2" in a
# "----=_NextPart_000_" boundary found 50-500 characters later (/s lets "."
# span header lines, /i makes the hex match case-insensitive).
header __SUSPICIOUS_MSGID_BOUNDARY_OE ALL =~ /^Message-Id: <[\da-f]{4}([\da-f]{8})\$([\da-f]{8})\$[\da-f]{8}\@.{50,500}boundary="----=_NextPart_000_[\dA-F]{4}_\1\.\2"/msi
meta SUSPICIOUS_MSGID_BOUNDARY_OE __CUST_X_Mailer_OE && __SUSPICIOUS_MSGID_BOUNDARY_OE
describe SUSPICIOUS_MSGID_BOUNDARY_OE Suspicious the same filetimes in header Message-ID and boundary attribute of header Content-Type
score SUSPICIOUS_MSGID_BOUNDARY_OE 2.0

######################################################################

# 8-bit Content-Type combined with 7-bit Content-Transfer-Encoding in mail
# claiming OE 6.x, with a non-empty raw body. The *_DSPAM_00_01 metas add a
# further 3.5 points when DSPAM_CHECK_00_01 also hits (2.2 + 3.5 = 5.7 from
# this pair, on top of whatever the base rule scores).
# NOTE(review): DSPAM_CHECK_00_01 is defined elsewhere; its meaning cannot be
# told from here.
# NOTE(review): if CT_8BIT_CTE_7BIT and MIME_CT_8BIT_CTE_7BIT can both hit one
# message, the four rules below stack to 11.4 points -- confirm this is
# intended.
meta CT_8BIT_CTE_7BIT_OE6 CT_8BIT_CTE_7BIT && __CUST_X_Mailer_OE_6 && __NONEMPTY_RAWBODY
describe CT_8BIT_CTE_7BIT_OE6 8-bit header Content-Type found with 7-bit header Content-Transfer-Encoding in message from OE 6.x (DSPAM autolearn)
score CT_8BIT_CTE_7BIT_OE6 2.2

meta CT_8BIT_CTE_7BIT_OE6_DSPAM_00_01 CT_8BIT_CTE_7BIT_OE6 && DSPAM_CHECK_00_01
describe CT_8BIT_CTE_7BIT_OE6_DSPAM_00_01 CT_8BIT_CTE_7BIT_OE6 DSPAM compensation
score CT_8BIT_CTE_7BIT_OE6_DSPAM_00_01 3.5

meta MIME_CT_8BIT_CTE_7BIT_OE6 MIME_CT_8BIT_CTE_7BIT && __CUST_X_Mailer_OE_6 && __NONEMPTY_RAWBODY
describe MIME_CT_8BIT_CTE_7BIT_OE6 8-bit header Content-Type found with 7-bit header Content-Transfer-Encoding in message from OE 6.x (DSPAM autolearn)
score MIME_CT_8BIT_CTE_7BIT_OE6 2.2

meta MIME_CT_8BIT_CTE_7BIT_OE6_DSPAM_00_01 MIME_CT_8BIT_CTE_7BIT_OE6 && DSPAM_CHECK_00_01
describe MIME_CT_8BIT_CTE_7BIT_OE6_DSPAM_00_01 MIME_CT_8BIT_CTE_7BIT_OE6 DSPAM compensation
score MIME_CT_8BIT_CTE_7BIT_OE6_DSPAM_00_01 3.5

######################################################################

# Encoded-word charset spelled "Windows"/"WINDOWS"/"Koi"/"KOI" at the start of
# a raw (undecoded) header in mail claiming OE. The patterns are deliberately
# case-sensitive: the capitalisation itself is the signal.
# The Subject variant first skips an optional spam tag left by another filter
# ("*****SPAM*****", "[SPAM]", "Spam:", ...) and an optional Re:/Fw:/Fwd:
# prefix before looking for the "=?" encoded-word start.
header __FORGED_MUA_OE_CHARSET_SUBJECT Subject:raw =~ /^[\s\r\n]*(\*\*\*\*\*SPAM\*\*\*\*\*|Spam:|\[(SPAM|Spam|spam)\] |\*S\*P\*A\*M\* |\{(SPAM|Spam|spam)\??\}|\[!! SPAM\]|\[SPAM PROBABLE\]:?|\[SUSPECTED SPAM\]|Suspected Spam:|\**May be Spam\**|\**(POSSIBLE )?SPAM\**|\[Spam Probability=\d+\]|X-IMail-SPAM-Premium|X-IMail-SPAM-Connection|!! SPAM Suspect : SPAM-Statistic !!)?[\s\r\n]*(((Re|RE|re)(\[\d+\])?|Fw|Fwd):|\[Re:\d+\])?\s*=\?(Windows|WINDOWS|Koi|KOI)/
meta FORGED_MUA_OE_CHARSET_SUBJECT __CUST_X_Mailer_OE && __FORGED_MUA_OE_CHARSET_SUBJECT
describe FORGED_MUA_OE_CHARSET_SUBJECT Forged MUA Outlook Express (charset with capital in beginning of header Subject)
score FORGED_MUA_OE_CHARSET_SUBJECT 1.0

# Same charset check for the address headers; an optional opening double
# quote is allowed before the encoded word.
header __FORGED_MUA_OE_CHARSET_FROM From:raw =~ /^[\s\r\n]*"?=\?(Windows|WINDOWS|Koi|KOI)/
meta FORGED_MUA_OE_CHARSET_FROM __CUST_X_Mailer_OE && __FORGED_MUA_OE_CHARSET_FROM
describe FORGED_MUA_OE_CHARSET_FROM Forged MUA Outlook Express (charset with capital in beginning of header From)
score FORGED_MUA_OE_CHARSET_FROM 1.0

header __FORGED_MUA_OE_CHARSET_REPLY_TO Reply-To:raw =~ /^[\s\r\n]*"?=\?(Windows|WINDOWS|Koi|KOI)/
meta FORGED_MUA_OE_CHARSET_REPLY_TO __CUST_X_Mailer_OE && __FORGED_MUA_OE_CHARSET_REPLY_TO
describe FORGED_MUA_OE_CHARSET_REPLY_TO Forged MUA Outlook Express (charset with capital in beginning of header Reply-To)
score FORGED_MUA_OE_CHARSET_REPLY_TO 1.0

header __FORGED_MUA_OE_CHARSET_TO To:raw =~ /^[\s\r\n]*"?=\?(Windows|WINDOWS|Koi|KOI)/
meta FORGED_MUA_OE_CHARSET_TO __CUST_X_Mailer_OE && __FORGED_MUA_OE_CHARSET_TO
describe FORGED_MUA_OE_CHARSET_TO Forged MUA Outlook Express (charset with capital in beginning of header To)
score FORGED_MUA_OE_CHARSET_TO 1.0

header __FORGED_MUA_OE_CHARSET_CC Cc:raw =~ /^[\s\r\n]*"?=\?(Windows|WINDOWS|Koi|KOI)/
meta FORGED_MUA_OE_CHARSET_CC __CUST_X_Mailer_OE && __FORGED_MUA_OE_CHARSET_CC
describe FORGED_MUA_OE_CHARSET_CC Forged MUA Outlook Express (charset with capital in beginning of header Cc)
score FORGED_MUA_OE_CHARSET_CC 1.0

######################################################################

# Quoting / angle-bracket shape of From, Reply-To, To and Cc in mail claiming
# OE. Each header has two metas: *_WOUT_QUOTE (any OE X-Mailer, header present,
# unquoted and not encoded) and the plain variant (OE 6.00 / 5.50 X-Mailer
# sub-rules only, keyed on the __*_QUOTA_OR_ANGLE_BRACKET sub-rule).
# The Reply-To, To and Cc metas additionally require empty List-Id and
# List-Post and no mailing-list-server hit, to avoid scoring list traffic.
# NOTE(review): the two From metas carry fewer list exclusions than the others
# (only !__MAILMAN on the first, none on the second) -- confirm that mailing
# lists which rewrite From cannot trip them.
meta FORGED_MUA_OE_FROM_WOUT_QUOTE __CUST_X_Mailer_OE && !__CUST_FROM_EMPTY && __HEADER_FROM_WITHOUT_QUOTES && !__HEADER_FROM_ENCODED && !__MAILMAN
describe FORGED_MUA_OE_FROM_WOUT_QUOTE Forged MUA Outlook Express (there aren't double quotes in header From)
score FORGED_MUA_OE_FROM_WOUT_QUOTE 2.0

meta FORGED_MUA_OE_FROM !__CUST_FROM_EMPTY && !__FROM_QUOTA_OR_ANGLE_BRACKET && !__HEADER_FROM_WITHOUT_QUOTES && (__CUST_X_Mailer_OE_600 || __CUST_X_Mailer_OE_550)
describe FORGED_MUA_OE_FROM Forged MUA Outlook Express (header From does not contains double quote and angle bracket)
score FORGED_MUA_OE_FROM 2.0

# Scored 0.5 here, unlike the 2.0 given to the From/To/Cc equivalents.
meta FORGED_MUA_OE_REPLY_TO_WOUT_QUOTE __CUST_X_Mailer_OE && !__CUST_REPLY_TO_EMPTY && __HEADER_REPLY_TO_WITHOUT_QUOTES && !__HEADER_REPLY_TO_ENCODED && __CUST_List_Id_EMPTY && __CUST_List_Post_EMPTY && !__Mailing_List_Server
describe FORGED_MUA_OE_REPLY_TO_WOUT_QUOTE Forged MUA Outlook Express (there aren't double quotes in header Reply-To)
score FORGED_MUA_OE_REPLY_TO_WOUT_QUOTE 0.5

meta FORGED_MUA_OE_REPLY_TO !__CUST_REPLY_TO_EMPTY && !__REPLY_TO_QUOTA_OR_ANGLE_BRACKET && !__HEADER_REPLY_TO_WITHOUT_QUOTES && (__CUST_X_Mailer_OE_600 || __CUST_X_Mailer_OE_550) && __CUST_List_Id_EMPTY && __CUST_List_Post_EMPTY && !__Mailing_List_Server
describe FORGED_MUA_OE_REPLY_TO Forged MUA Outlook Express (header Reply-To does not contains double quote and angle bracket)
score FORGED_MUA_OE_REPLY_TO 2.0

meta FORGED_MUA_OE_TO_WOUT_QUOTE __CUST_X_Mailer_OE && !__CUST_TO_EMPTY && __HEADER_TO_WITHOUT_QUOTES && !__HEADER_TO_ENCODED && __CUST_List_Id_EMPTY && __CUST_List_Post_EMPTY && !__Mailing_List_Server
describe FORGED_MUA_OE_TO_WOUT_QUOTE Forged MUA Outlook Express (there aren't double quotes in header To)
score FORGED_MUA_OE_TO_WOUT_QUOTE 2.0

# The To variant also requires __TO_HAS_ADDR and excludes
# __iPlanet_Messaging_Server.
meta FORGED_MUA_OE_TO __TO_HAS_ADDR && !__CUST_TO_EMPTY && !__TO_QUOTA_OR_ANGLE_BRACKET && !__HEADER_TO_WITHOUT_QUOTES && (__CUST_X_Mailer_OE_600 || __CUST_X_Mailer_OE_550) && __CUST_List_Id_EMPTY && __CUST_List_Post_EMPTY && !__Mailing_List_Server && !__iPlanet_Messaging_Server
describe FORGED_MUA_OE_TO Forged MUA Outlook Express (header To does not contains double quote and angle bracket)
score FORGED_MUA_OE_TO 2.0

meta FORGED_MUA_OE_CC_WOUT_QUOTE __CUST_X_Mailer_OE && !__CUST_CC_EMPTY && __HEADER_CC_WITHOUT_QUOTES && !__HEADER_CC_ENCODED && __CUST_List_Id_EMPTY && __CUST_List_Post_EMPTY && !__Mailing_List_Server
describe FORGED_MUA_OE_CC_WOUT_QUOTE Forged MUA Outlook Express (there aren't double quotes in header Cc)
score FORGED_MUA_OE_CC_WOUT_QUOTE 2.0

meta FORGED_MUA_OE_CC !__CUST_CC_EMPTY && !__CC_QUOTA_OR_ANGLE_BRACKET && !__HEADER_CC_WITHOUT_QUOTES && (__CUST_X_Mailer_OE_600 || __CUST_X_Mailer_OE_550) && __CUST_List_Id_EMPTY && __CUST_List_Post_EMPTY && !__Mailing_List_Server
describe FORGED_MUA_OE_CC Forged MUA Outlook Express (header Cc does not contains double quote and angle bracket)
score FORGED_MUA_OE_CC 2.0

######################################################################

# Known-good OE Message-ID shapes. The first (older builds) is three
# "$"-separated lowercase-hex fields, the first field optionally prefixed by
# four hex digits and starting with "01". The commented-out line is a stricter
# earlier version that required the optional prefix to start with "0".
# Microsoft Outlook Express 6.00.2900.2180 - Microsoft Outlook Express 6.00 from Windows XP Professional SP2
# Microsoft Outlook Express 6.00.2900.3598 - Microsoft Outlook Express 6.00 from Windows XP Professional SP2, fully patched
# Microsoft Outlook Express 6.00.3790.0 - Microsoft Outlook Express 6.00 from Microsoft Windows Server 2003 Enterprise Edition
# Microsoft Outlook Express 6.00.3790.1830 - Microsoft Outlook Express 6.00 from Microsoft Windows Server 2003 R2 Standard Edition SP1
#header __OE_Message_ID Message-ID:case =~ /^\s*<(0[\da-f]{3})?01[\da-f]{6}\$[\da-f]{8}\$[\da-f]{8}\@\S+>$/
header __OE_Message_ID Message-ID:case =~ /^\s*<([\da-f]{4})?01[\da-f]{6}\$[\da-f]{8}\$[\da-f]{8}\@\S+>$/

# The second shape (later builds) is 32 uppercase letters/digits before "@".
# Microsoft Outlook Express 6.00.2900.5512 - Microsoft Outlook Express 6.00 from Microsoft Windows XP Professional SP3
# Microsoft Outlook Express 6.00.2900.5843 - Microsoft Outlook Express 6.00 from Microsoft Windows XP Professional SP3, fully patched
# Microsoft Outlook Express 6.00.2900.5931 - Microsoft Outlook Express 6.00 from Microsoft Windows XP Professional
# Microsoft Outlook Express 6.00.3790.3959 - Microsoft Outlook Express 6.00 from Microsoft Windows Server 2003 R2 Standard Edition SP2
# Microsoft Outlook Express 6.00.3790.4548 - Microsoft Outlook Express 6.00 from Microsoft Windows Server 2003 R2 Standard Edition SP2, fully patched
header __NEW_OE_Message_ID Message-ID:case =~ /^\s*<[A-Z\d]{32}\@\S+>$/
describe __NEW_OE_Message_ID Message-ID from OE 6.00.2900.5512, 6.00.2900.5843, 6.00.2900.5931, 6.00.3790.3959, 6.00.3790.4548

# True when X-Mailer names one of the five builds listed above.
meta __NEW_OE_X_Mailer __CUST_X_Mailer_OE_6_00_2900_5512 || __CUST_X_Mailer_OE_6_00_2900_5843 || __CUST_X_Mailer_OE_6_00_2900_5931 || __CUST_X_Mailer_OE_6_00_3790_3959 || __CUST_X_Mailer_OE_6_00_3790_4548

# Fires when X-Mailer claims OE but the Message-ID fits none of the accepted
# shapes. The 32-character shape is accepted only together with a matching
# build in X-Mailer, so a new-style ID under an old-build X-Mailer still hits.
# __OE_MSGID_1, __OE_MSGID_3 and __UNUSABLE_MSGID are defined elsewhere.
meta FORGED_MUA_OE_Message_ID __CUST_X_Mailer_OE && !__OE_Message_ID && !__OE_MSGID_1 && !__OE_MSGID_3 && !(__NEW_OE_Message_ID && __NEW_OE_X_Mailer) && !__iPlanet_Messaging_Server && !__MAILMAN && !__UNUSABLE_MSGID
describe FORGED_MUA_OE_Message_ID Forged MUA Outlook Express
score FORGED_MUA_OE_Message_ID 2.5

# Message-ID families with a fixed "00xx01c7" prefix.
# NOTE(review): "01c7" is hard-coded in every pattern of this group;
# presumably it is the high part of a timestamp from one period, which would
# make these rules match only IDs generated in that window -- confirm they
# are still useful.
# NOTE(review): the third field appears to be a byte-reversed IPv4 address
# (the rule descriptions equate "0100007f" with 127.0.0.1). On that reading
# "...a8c0" is 192.168.x.x, while "...a0" in _02 is first octet 160, not
# 10 ("0a") -- verify which network was meant to be exempted.
header __Whitelisted_Message_ID_01 Message-ID =~ /^\s*<00[\da-f]{2}01c7[\da-f]{4}\$[\da-f]{7}0\$[\da-f]{4}a8c0\@/i
header __Whitelisted_Message_ID_02 Message-ID =~ /^\s*<00[\da-f]{2}01c7[\da-f]{4}\$[\da-f]{7}0\$[\da-f]{6}a0\@/i

# Same prefix with a host part of exactly "mtu-net.ru" (case-sensitive),
# unless the third field matches one of the two exempted shapes above.
header __FORGED_MUA_OUTLOOK_Message_ID_01 Message-ID =~ /^\s*<00[\da-f]{2}01c7[\da-f]{4}\$[\da-f]{7}0\$[\da-f]{8}\@mtu-net\.ru>$/
meta FORGED_MUA_OUTLOOK_Message_ID_01 __FORGED_MUA_OUTLOOK_Message_ID_01 && !__Whitelisted_Message_ID_01 && !__Whitelisted_Message_ID_02
describe FORGED_MUA_OUTLOOK_Message_ID_01 Mail pretending to be from Outlook Express (Message-ID 01: fake mtu-net.ru) (DSPAM autolearn)
score FORGED_MUA_OUTLOOK_Message_ID_01 2.5

# Third field "0100007f" together with host "localhost": consistent pair,
# scored lightly (0.5) and used below to exempt the two stronger rules.
header __Whitelisted_Message_ID_03 Message-ID =~ /^\s*<00[\da-f]{2}01c7[\da-f]{4}\$[\da-f]{7}0\$0100007f\@localhost>$/i
meta FORGED_MUA_OUTLOOK_Message_ID_02LH __Whitelisted_Message_ID_03
describe FORGED_MUA_OUTLOOK_Message_ID_02LH Mail pretending to be from Outlook Express (Message-ID 02: localhost)
score FORGED_MUA_OUTLOOK_Message_ID_02LH 0.5

# Host "localhost" with any third field.
# NOTE(review): __FORGED_MUA_OUTLOOK_Message_ID_02 is case-insensitive while
# __Message_ID_LocalHost is case-sensitive, and the meta negates the latter.
# As written the meta can only fire when "localhost" is spelled with at least
# one uppercase letter; an all-lowercase "@localhost>" never hits. Confirm
# this matches the description ("localhost but not 127.0.0.1").
header __FORGED_MUA_OUTLOOK_Message_ID_02 Message-ID =~ /^\s*<00[\da-f]{2}01c7[\da-f]{4}\$[\da-f]{7}0\$[\da-f]{8}\@localhost>$/i
#header __Message_ID_LocalHost Message-ID =~ /\@LocalHost>$/i
header __Message_ID_LocalHost Message-ID =~ /\@localhost>$/
meta FORGED_MUA_OUTLOOK_Message_ID_02 __FORGED_MUA_OUTLOOK_Message_ID_02 && !__Message_ID_LocalHost && !__Whitelisted_Message_ID_03
describe FORGED_MUA_OUTLOOK_Message_ID_02 Mail pretending to be from Outlook Express (Message-ID 02: localhost but not 127.0.0.1) (DSPAM autolearn)
score FORGED_MUA_OUTLOOK_Message_ID_02 2.5

# Third field "0100007f" with any host other than the exempted "localhost".
header __FORGED_MUA_OUTLOOK_Message_ID_03 Message-ID =~ /^\s*<00[\da-f]{2}01c7[\da-f]{4}\$[\da-f]{7}0\$0100007f\@/i
meta FORGED_MUA_OUTLOOK_Message_ID_03 __FORGED_MUA_OUTLOOK_Message_ID_03 && !__Whitelisted_Message_ID_03
describe FORGED_MUA_OUTLOOK_Message_ID_03 Mail pretending to be from Outlook Express (Message-ID 03: 127.0.0.1 but not localhost) (DSPAM autolearn)
score FORGED_MUA_OUTLOOK_Message_ID_03 2.5

# Message-ID whose host part ends in a bare dotted quad before ">", in mail
# claiming OE. The two commented-out lines are looser earlier versions; the
# active one anchors on the closing ">". "\d+" does not limit octets to 0-255.
##header __FORGED_MUA_OUTLOOK_Message_ID_04 Message-ID =~ /\@\d+\.\d+\.\d+\.\d+/i
#header __FORGED_MUA_OUTLOOK_Message_ID_04 Message-ID =~ /\@\d+\./i
header __FORGED_MUA_OUTLOOK_Message_ID_04 Message-ID =~ /\@\d+\.\d+\.\d+\.\d+>/i
meta FORGED_MUA_OUTLOOK_Message_ID_04 __FORGED_MUA_OUTLOOK_Message_ID_04 && __CUST_X_Mailer_OE
describe FORGED_MUA_OUTLOOK_Message_ID_04 Mail pretending to be from Outlook Express (Message-ID 04: IP address) (DSPAM autolearn)
score FORGED_MUA_OUTLOOK_Message_ID_04 3.5

######################################################################

# Header order: an "X-Mailer: Microsoft Outlook Express" line that is followed
# later in the header block by a "Content-Type:" line. (?is) makes the match
# case-insensitive and lets "." cross line ends; ".*?" takes the nearest
# following Content-Type. List and iPlanet traffic and mail carrying
# X-MIMETrack are excluded by the meta.
header __FORGED_MUA_OE_X_Mailer_CT ALL =~ /(?is)^(.*\r?\n)?X-Mailer:\s*Microsoft Outlook Express.*?\r?\nContent-Type:/
meta FORGED_MUA_OE_X_Mailer_CT __FORGED_MUA_OE_X_Mailer_CT && !MAILLIST_RU && __CUST_List_Id_EMPTY && !__iPlanet_Messaging_Server && __CUST_X_MIMETrack_EMPTY
describe FORGED_MUA_OE_X_Mailer_CT Forged MUA Outlook Express (X-Mailer and Content-Type)
score FORGED_MUA_OE_X_Mailer_CT 3.5

# OE X-Mailer together with an 8bit Content-Transfer-Encoding. Highest single
# score in this file (4.0) and no list or gateway exclusions.
# NOTE(review): a relay that re-encodes the body could presumably cause this
# on genuine OE mail -- check against a ham corpus before relying on 4.0.
meta FORGED_MUA_OE_CTE __CUST_X_Mailer_OE && __Content_Transfer_Encoding_8BIT
describe FORGED_MUA_OE_CTE Forged MUA Outlook Express (Content-Transfer-Encoding) (DSPAM autolearn)
score FORGED_MUA_OE_CTE 4.0

# Multipart mail claiming OE whose boundary does not match the OE boundary
# sub-rule, unless it is Mailman mail with a Mailman boundary.
meta FORGED_MUA_OE_boundary __CUST_Content_Type_multipart && __CUST_X_Mailer_OE && !__CUST_Content_Type_multipart_OE_boundary && !(__MAILMAN && __MAILMAN_boundary)
describe FORGED_MUA_OE_boundary Forged MUA Outlook Express
score FORGED_MUA_OE_boundary 3.5

# Two specific boundary formats seen together with an OE X-Mailer:
# "Boundary_(ID_<22 chars>)" in multipart/related, and "------------ms"
# followed by 24 digits. Both patterns are case-sensitive.
header __FORGED_MUA_OE_CT1 Content-type =~ /^\s*multipart\/related;[\s\r\n]*boundary="Boundary_\(ID_[a-zA-Z\d\/]{22}\)"; Type="multipart\/alternative"/
meta FORGED_MUA_OE_CT1 __FORGED_MUA_OE_CT1 && __CUST_X_Mailer_OE
describe FORGED_MUA_OE_CT1 Forged MUA Outlook Express (Content-Type, boundary)
score FORGED_MUA_OE_CT1 3.0

header __FORGED_MUA_OE_CT2 Content-Type =~ /^\s*multipart\/.+boundary="------------ms\d{24}"/
meta FORGED_MUA_OE_CT2 __FORGED_MUA_OE_CT2 && __CUST_X_Mailer_OE
describe FORGED_MUA_OE_CT2 Forged MUA Outlook Express (Content-Type, boundary)
score FORGED_MUA_OE_CT2 3.0

######################################################################

# X-Mailer beginning "Microsoft Outlook Express V6": scored directly, without
# any other condition.
header FORGED_MUA_OE_X_MAILER X-Mailer =~ /^\s*Microsoft Outlook Express V6/
describe FORGED_MUA_OE_X_MAILER Forged MUA Outlook Express (strange OE version number)
score FORGED_MUA_OE_X_MAILER 3.0

# X-Mailer and X-MimeOLE both naming OE 5.00 (sub-rules defined elsewhere).
meta UNSUPPORTED_OE_500 __CUST_X_Mailer_OE_500 && __CUST_X_MimeOLE_OE_500
describe UNSUPPORTED_OE_500 Old unsupported MUA
score UNSUPPORTED_OE_500 1.5