#
# 2007-2013 Victor Ustugov
#
# SpamAssassin rules that flag mail whose headers claim the sender used
# The Bat! while other header details do not fit that claim.
#
# Names starting with "__" are sub-rules: they carry no score of their own
# and only feed the meta expressions.
#
# NOTE(review): these metas depend on rules that are not defined in this
# listing: __THEBAT_MUA_ANY, __THEBAT_MUA, __CUST_FROM_EMPTY, __MAILMAN,
# __UNUSABLE_MSGID, __CUST_X_MSMAIL_PRIORITY_NOT_EMPTY, __FROM_ANGLE_BRACKETS,
# Likis_SPN_Price_list and PhTrd_Indy9. They presumably live in companion
# rule files. Run `spamassassin --lint` after installing to confirm every
# dependency resolves.
#
# NOTE(review): each scored rule here carries 2.5-4.5 points on one header
# heuristic. Measure false positives on local ham before relying on these
# scores, and review them against the site's spam threshold.

# Message-ID ends in @thebat.net> while the From address is not at thebat.net,
# From is not flagged empty (__CUST_FROM_EMPTY), and the message claims The Bat!.
header __FORGED_THEBAT_NET_MESSAGE_MSGID Message-ID =~ /\@thebat\.net>$/
header __FORGED_THEBAT_NET_MESSAGE_From From =~ /\@thebat\.net>?$/
meta FORGED_THEBAT_NET_MESSAGE __FORGED_THEBAT_NET_MESSAGE_MSGID && !__CUST_FROM_EMPTY && !__FORGED_THEBAT_NET_MESSAGE_From && __THEBAT_MUA_ANY
describe FORGED_THEBAT_NET_MESSAGE Forged thebat.net message
score FORGED_THEBAT_NET_MESSAGE 3.5

# Message-ID whose right-hand side is a bare dotted-quad (digits only, octet
# ranges are not checked). The /i flag has no effect on this pattern.
# NOTE(review): nothing here makes this rule and FORGED_MUA_THEBAT_MSGID_UNKNOWN
# mutually exclusive. A Message-ID that ends in an IP literal and also lacks the
# The Bat! shape can collect both scores (3.5 + 3.0). Confirm that is intended.
header __FORGED_MUA_THEBAT_MSGID_IP Message-ID =~ /\@\d+\.\d+\.\d+\.\d+>$/i
meta FORGED_MUA_THEBAT_MSGID_IP __THEBAT_MUA_ANY && __FORGED_MUA_THEBAT_MSGID_IP
describe FORGED_MUA_THEBAT_MSGID_IP Message pretends to be send from The Bat! but has forged Message-ID (IP address) (DSPAM autolearn)
score FORGED_MUA_THEBAT_MSGID_IP 3.5

# __THEBAT_MSGID: <digits.NNNNNNNNNNNNNN@host>, where the 14 digits look like a
# YYYYMMDDhhmmss timestamp (year 1970-2099, month 00-12, day 00-31, then three
# fields of 00-59 each; the hour field is therefore looser than a real clock).
# __THEBAT_MSGID_Common: same outer shape, but any 14 digits.
# FORGED_MUA_THEBAT_MSGID fires when the outer shape is right but the 14 digits
# fail the timestamp check, excluding __MAILMAN and __UNUSABLE_MSGID matches.
header __THEBAT_MSGID Message-ID =~ /^\s*<\d+\.(19[789]\d|20\d\d)(0\d|1[012])([012]\d|3[01])([0-5]\d)([0-5]\d)([0-5]\d)\@\S+>$/
header __THEBAT_MSGID_Common Message-ID =~ /^\s*<\d+\.\d{14}\@\S+>$/
meta FORGED_MUA_THEBAT_MSGID __THEBAT_MUA_ANY && !__THEBAT_MSGID && __THEBAT_MSGID_Common && !__MAILMAN && !__UNUSABLE_MSGID
describe FORGED_MUA_THEBAT_MSGID Message pretends to be send from The Bat! but has forged Message-ID (DSPAM autolearn)
score FORGED_MUA_THEBAT_MSGID 4.0

# Message-ID has neither the timestamped nor the generic 14-digit shape.
# NOTE(review): unlike FORGED_MUA_THEBAT_MSGID this meta does not exclude
# __MAILMAN. Confirm whether list-rewritten Message-IDs should be exempt here too.
meta FORGED_MUA_THEBAT_MSGID_UNKNOWN __THEBAT_MUA_ANY && !__THEBAT_MSGID && !__THEBAT_MSGID_Common && !__UNUSABLE_MSGID && !Likis_SPN_Price_list && !PhTrd_Indy9
describe FORGED_MUA_THEBAT_MSGID_UNKNOWN Message pretends to be send from The Bat! but has forged Message-ID
score FORGED_MUA_THEBAT_MSGID_UNKNOWN 3.0

# Claims The Bat! but also matches the externally defined
# __CUST_X_MSMAIL_PRIORITY_NOT_EMPTY sub-rule. Highest score in this listing.
meta FORGED_MUA_THEBAT_X_MSMAIL_PRIORITY __THEBAT_MUA_ANY && __CUST_X_MSMAIL_PRIORITY_NOT_EMPTY
describe FORGED_MUA_THEBAT_X_MSMAIL_PRIORITY Message pretending to be from The Bat! (X-MSMail-Priority) (DSPAM autolearn)
score FORGED_MUA_THEBAT_X_MSMAIL_PRIORITY 4.5

# NOTE(review): as it appears here, /\s*$/ matches every rawbody line (zero or
# more whitespace before end of line). The pattern was probably truncated when
# this listing was extracted, so restore it from the upstream file before use.
# No meta in this listing references this sub-rule.
rawbody __FORGED_MUA_THEBAT_INVALID_TAG /\s*$/

# NOTE(review): __FROM_ANGLE_BRACKETS is not defined in this listing. Its header
# line may have been lost at the same place as the rawbody pattern above.
meta FROM_ANGLE_BRACKETS_THEBAT __FROM_ANGLE_BRACKETS && __THEBAT_MUA && !PhTrd_Indy9
describe FROM_ANGLE_BRACKETS_THEBAT The Bat! doesn't use angle brackets without real name
score FROM_ANGLE_BRACKETS_THEBAT 2.5

# To header that starts with a bare <addr@host>. There is no trailing "$", so
# only the first address is examined and further recipients may follow.
header __TO_ANGLE_BRACKETS To =~ /^\s*<\S+\@\S+>\s*/
meta TO_ANGLE_BRACKETS_THEBAT __TO_ANGLE_BRACKETS && __THEBAT_MUA
describe TO_ANGLE_BRACKETS_THEBAT The Bat! doesn't use angle brackets without real name
score TO_ANGLE_BRACKETS_THEBAT 2.5

# Reply-To consisting solely of a bare <addr@host> (anchored at both ends).
header __REPLYTO_ANGLE_BRACKETS Reply-To =~ /^\s*<\S+\@\S+>\s*$/
meta REPLYTO_ANGLE_BRACKETS_THEBAT __REPLYTO_ANGLE_BRACKETS && __THEBAT_MUA
describe REPLYTO_ANGLE_BRACKETS_THEBAT The Bat! doesn't use angle brackets without real name
score REPLYTO_ANGLE_BRACKETS_THEBAT 2.5

########################################

# Disabled rules, kept for reference: RFC 2047 encoded-words whose charset name
# starts with a capitalised "Windows"/"Koi" in Subject, From, Reply-To, To and Cc.
#header __FORGED_MUA_BAT_CHARSET_SUBJECT Subject:raw =~ /^[\s\r\n]*(Spam:|\[(SPAM|Spam|spam)\] |\*S\*P\*A\*M\* |\{(SPAM|Spam|spam)\??\}|\[!! SPAM\]|\[SPAM PROBABLE\]:?|\[SUSPECTED SPAM\]|Suspected Spam:|\**May be Spam\**|\**(POSSIBLE )?SPAM\**|\[Spam Probability=\d+\]|X-IMail-SPAM-Premium|X-IMail-SPAM-Connection|!! SPAM Suspect : SPAM-Statistic !!)?[\s\r\n]*(((Re|RE|re)(\[\d+\])?|Fw|Fwd):|\[Re:\d+\])?\s*=\?(Windows|WINDOWS|Koi|KOI)/
#meta FORGED_MUA_BAT_CHARSET_SUBJECT __THEBAT_MUA_ANY && __FORGED_MUA_BAT_CHARSET_SUBJECT
#describe FORGED_MUA_BAT_CHARSET_SUBJECT Forged MUA The Bat! (charset with capital in beginning of header Subject)
#score FORGED_MUA_BAT_CHARSET_SUBJECT 1.0
#
#header __FORGED_MUA_BAT_CHARSET_FROM From:raw =~ /^[\s\r\n]*"?=\?(Windows|WINDOWS|Koi|KOI)/
#meta FORGED_MUA_BAT_CHARSET_FROM __THEBAT_MUA_ANY && __FORGED_MUA_BAT_CHARSET_FROM
#describe FORGED_MUA_BAT_CHARSET_FROM Forged MUA The Bat! (charset with capital in beginning of header From)
#score FORGED_MUA_BAT_CHARSET_FROM 1.0
#
#header __FORGED_MUA_BAT_CHARSET_REPLY_TO Reply-To:raw =~ /^[\s\r\n]*"?=\?(Windows|WINDOWS|Koi|KOI)/
#meta FORGED_MUA_BAT_CHARSET_REPLY_TO __THEBAT_MUA_ANY && __FORGED_MUA_BAT_CHARSET_REPLY_TO
#describe FORGED_MUA_BAT_CHARSET_REPLY_TO Forged MUA The Bat! (charset with capital in beginning of header Reply-To)
#score FORGED_MUA_BAT_CHARSET_REPLY_TO 1.0
#
#header __FORGED_MUA_BAT_CHARSET_TO To:raw =~ /^[\s\r\n]*"?=\?(Windows|WINDOWS|Koi|KOI)/
#meta FORGED_MUA_BAT_CHARSET_TO __THEBAT_MUA_ANY && __FORGED_MUA_BAT_CHARSET_TO
#describe FORGED_MUA_BAT_CHARSET_TO Forged MUA The Bat! (charset with capital in beginning of header To)
#score FORGED_MUA_BAT_CHARSET_TO 1.0
#
#header __FORGED_MUA_BAT_CHARSET_CC Cc:raw =~ /^[\s\r\n]*"?=\?(Windows|WINDOWS|Koi|KOI)/
#meta FORGED_MUA_BAT_CHARSET_CC __THEBAT_MUA_ANY && __FORGED_MUA_BAT_CHARSET_CC
#describe FORGED_MUA_BAT_CHARSET_CC Forged MUA The Bat! (charset with capital in beginning of header Cc)
#score FORGED_MUA_BAT_CHARSET_CC 1.0

########################################

# Exact-match X-Mailer / User-Agent strings the author treats as suspicious.
# Each pattern is anchored at both ends, so any other version string or any
# trailing text will not match. These rules do not depend on __THEBAT_MUA*.
header SUSPICIOUS_MAILER_TheBat_1 X-Mailer =~ /^\s*TheBat v\.1\.0$/
describe SUSPICIOUS_MAILER_TheBat_1 Suspicious MUA TheBat v.1.0 (DSPAM autolearn)
score SUSPICIOUS_MAILER_TheBat_1 4.0

header SUSPICIOUS_MAILER_TheBat_3 X-Mailer =~ /^\s*TheBat v\.3\.0$/
describe SUSPICIOUS_MAILER_TheBat_3 Suspicious MUA TheBat v.3.0 (DSPAM autolearn)
score SUSPICIOUS_MAILER_TheBat_3 4.0

# "TheBat 4." followed by exactly one digit, checked in X-Mailer and, by the
# next rule, in User-Agent.
header SUSPICIOUS_MAILER_TheBat_4 X-Mailer =~ /^\s*TheBat 4\.\d$/
describe SUSPICIOUS_MAILER_TheBat_4 Suspicious MUA TheBat 4.x (DSPAM autolearn)
score SUSPICIOUS_MAILER_TheBat_4 4.0

header SUSPICIOUS_USERAGENT_TheBat_4 User-Agent =~ /^\s*TheBat 4\.\d$/
describe SUSPICIOUS_USERAGENT_TheBat_4 Suspicious MUA TheBat 4.x (DSPAM autolearn)
score SUSPICIOUS_USERAGENT_TheBat_4 4.0

# Product name with no version at all: "TheBat!" and "The Bat!" spellings.
header SUSPICIOUS_MAILER_TheBat_WO_VER X-Mailer =~ /^\s*TheBat!$/
describe SUSPICIOUS_MAILER_TheBat_WO_VER Suspicious MUA TheBat! without version number (DSPAM autolearn)
score SUSPICIOUS_MAILER_TheBat_WO_VER 4.0

header SUSPICIOUS_MAILER_The_Bat_WO_VER X-Mailer =~ /^\s*The Bat!$/
describe SUSPICIOUS_MAILER_The_Bat_WO_VER Suspicious MUA The Bat! without version number (DSPAM autolearn)
score SUSPICIOUS_MAILER_The_Bat_WO_VER 4.0

# "The Bat! N.N[N] Business" with the version not wrapped in brackets.
header SUSPICIOUS_MAILER_TheBat_WO_Brackets X-Mailer =~ /^\s*The Bat! \d\.\d\d? Business$/
describe SUSPICIOUS_MAILER_TheBat_WO_Brackets Suspicious MUA The Bat! without brackets in version number (DSPAM autolearn)
score SUSPICIOUS_MAILER_TheBat_WO_Brackets 3.0