#
# 2005-2013 Victor Ustugov
#
# Checking combinations of header fields requires this patch:
# http://mta.org.ua/spamassassin-3.2.0/patches/3.2.0/patch-src::MultiCaseSensHeadersCheck-3.2.0.patch
#
# Local SpamAssassin overrides for header-based rules. The pattern throughout:
# the earlier definition is kept as a '#'-commented line, and the active line
# below it narrows the rule with extra exclusions or replaces its score.
#
# NOTE(review): many metas below depend on rules that are not defined in this
# file (the __CUST_* names, GMAIL_COM, EBEWE_COM, I_COM_UA, __iPad, __iPhone,
# PhTrd_Indy9, __UKRNET, __NEW_OE_*, __RCVD_WITH_EXCHANGE_2007, ...).
# Presumably they come from the stock ruleset or sibling local files; run
# `spamassassin --lint` after every edit to confirm each dependency resolves.

# --- FAKE_REPLY_C: the meta is commented out here, only the description is set.
#meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF)
describe FAKE_REPLY_C Fake reply message

# --- AXB_XMAILER_MIMEOLE_OL_E023A: score 0 disables the rule.
#header __AXB_MO_OL_E023A X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.5512/
#header __AXB_XM_OL_E023A X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2900\.5512/
#meta AXB_XMAILER_MIMEOLE_OL_E023A (__AXB_XM_OL_E023A && __AXB_MO_OL_E023A)
score AXB_XMAILER_MIMEOLE_OL_E023A 0

# --- KB_RATWARE_OUTLOOK_MID: Message-Id whose two hex groups reappear in the
# MIME boundary (back-references \1 and \2). The active sub-rule lowers the gap
# between the two from {100,400} to {50,400} characters, and the meta does not
# fire when SUSPICIOUS_MSGID_BOUNDARY_OE (defined elsewhere) already hit.
#header KB_RATWARE_OUTLOOK_MID ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi
header __KB_RATWARE_OUTLOOK_MID ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{50,400}boundary="----=_NextPart_000_...._\1\.\2"/msi
meta KB_RATWARE_OUTLOOK_MID __KB_RATWARE_OUTLOOK_MID && !SUSPICIOUS_MSGID_BOUNDARY_OE

# --- TO_UNDISCLOSED: the active pattern also accepts whitespace instead of the
# hyphen in "undisclosed-recipients".
#header __TO_UNDISCLOSED To =~ /(?:undisclosed-recipients|destinataires inconnus):/i
header __TO_UNDISCLOSED To =~ /(?:undisclosed[\s\-]recipients|destinataires inconnus):/i
meta TO_UNDISCLOSED __TO_UNDISCLOSED
describe TO_UNDISCLOSED Message to undisclosed recipients
score TO_UNDISCLOSED 1.5

# --- Message-IDs that cannot be used for MUA forgery checks.
# NOTE(review): the commented pattern below looks truncated (angle-bracketed
# text appears to have been lost); restore it from the original before
# re-enabling.
#header __MAILMAN_MSGID MESSAGEID =~ /^]+)>[\s\r\n]*\|$/
#meta __MAILMAN_ANONYM_LIST __MAILMAN && __MAILMAN_MSGID_ANONYM_LIST
# NOTE(review): __MAILMAN_MSGID_ANONYM_LIST is referenced here but has no
# definition in this file — confirm it resolves.
meta __UNUSABLE_MSGID (__MAILMAN_MSGID_ANONYM_LIST || __LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID)

## negative lookahead exempts this MUA from circa 1997-2000
## X-Mailer: Microsoft Outlook Express 4.71.1712.3
## Message-ID: <01bd45da$2649cdc0$LocalHost@andrew>
#header __MSGID_DOLLARS_OK MESSAGEID =~ /<[0-9a-f]{4,}\$[0-9a-f]{4,}\$[0-9a-f]{4,}\@\S+>/m
#header __MSGID_DOLLARS_OK MESSAGEID =~ /<[0-9a-f]{4,}\$[0-9a-f]{4,}\$[0-9a-f]{4,}\@\S+>/mi
#header __MSGID_DOLLARS_MAYBE MESSAGEID =~ /<\w{4,}\$\w{4,}\$(?!localhost)\w{4,}\@\S+>/mi
#meta MSGID_DOLLARS_RANDOM __MSGID_DOLLARS_MAYBE && !__MSGID_DOLLARS_OK

# --- FORGED_MUA_OUTLOOK: the active meta adds !__MAILMAN_ANONYM_LIST.
## bug 5496: avoid some FPs
#header __FMO_EXCL_O3416 X-Mailer =~ /^Microsoft Outlook, Build 10.0.3416$/
#header __FMO_EXCL_OE3790 X-Mailer =~ /^Microsoft Outlook Express 6.00.3790.3959$/
## bug 5910: __VISTA_MSGID also now used by Outlook Express from XP SP3
##
#meta FORGED_MUA_OUTLOOK ((__FORGED_OE || __FORGED_OUTLOOK_DOLLARS) && !__FMO_EXCL_O3416 && !__FMO_EXCL_OE3790 && !__VISTA_MSGID)
#describe FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
# NOTE(review): the only __MAILMAN_ANONYM_LIST definition visible in this file
# is commented out above. If nothing else defines it, the added exclusion is
# presumably always true and changes nothing — verify with lint.
meta FORGED_MUA_OUTLOOK ((__FORGED_OE || __FORGED_OUTLOOK_DOLLARS) && !__FMO_EXCL_O3416 && !__FMO_EXCL_OE3790 && !__VISTA_MSGID) && !__MAILMAN_ANONYM_LIST

# --- *_EXCESS_QP / *_EXCESS_BASE64: an address header carries a MIME
# encoded-word (=?charset?Q?... or =?charset?B?..., matched on the :raw form)
# although the header value contains none of the control or 8-bit bytes listed
# in the matching __*_NEEDS_MIME rule. The From sub-rules are defined elsewhere.
meta FROM_EXCESS_QP __FROM_ENCODED_QP && !__FROM_NEEDS_MIME
describe FROM_EXCESS_QP From: quoted-printable encoded unnecessarily
score FROM_EXCESS_QP 1.0

header __TO_NEEDS_MIME To =~ /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\xff]/
header __TO_ENCODED_QP To:raw =~ /=\?\S+\?Q\?/i
header __TO_ENCODED_B64 To:raw =~ /=\?\S+\?B\?/i
meta TO_EXCESS_QP __TO_ENCODED_QP && !__TO_NEEDS_MIME
describe TO_EXCESS_QP To: quoted-printable encoded unnecessarily
score TO_EXCESS_QP 1.0
meta TO_EXCESS_BASE64 __TO_ENCODED_B64 && !__TO_NEEDS_MIME
describe TO_EXCESS_BASE64 To: base64 encoded unnecessarily
score TO_EXCESS_BASE64 1.2

header __REPLY_TO_NEEDS_MIME Reply-To =~ /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\xff]/
header __REPLY_TO_ENCODED_QP Reply-To:raw =~ /=\?\S+\?Q\?/i
header __REPLY_TO_ENCODED_B64 Reply-To:raw =~ /=\?\S+\?B\?/i
meta REPLY_TO_EXCESS_QP __REPLY_TO_ENCODED_QP && !__REPLY_TO_NEEDS_MIME
describe REPLY_TO_EXCESS_QP Reply-To: quoted-printable encoded unnecessarily
score REPLY_TO_EXCESS_QP 1.0
meta REPLY_TO_EXCESS_BASE64 __REPLY_TO_ENCODED_B64 && !__REPLY_TO_NEEDS_MIME
describe REPLY_TO_EXCESS_BASE64 Reply-To: base64 encoded unnecessarily
score REPLY_TO_EXCESS_BASE64 1.2

header __CC_NEEDS_MIME Cc =~ /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\xff]/
header __CC_ENCODED_QP Cc:raw =~ /=\?\S+\?Q\?/i
header __CC_ENCODED_B64 Cc:raw =~ /=\?\S+\?B\?/i
meta CC_EXCESS_QP __CC_ENCODED_QP && !__CC_NEEDS_MIME
describe CC_EXCESS_QP Cc: quoted-printable encoded unnecessarily
score CC_EXCESS_QP 1.0
meta CC_EXCESS_BASE64 __CC_ENCODED_B64 && !__CC_NEEDS_MIME
describe CC_EXCESS_BASE64 Cc: base64 encoded unnecessarily
score CC_EXCESS_BASE64 1.2

# --- *_ILLEGAL_CHARS / *_ILLEGAL_CHAR: raw illegal characters in headers.
# Each *_ILLEGAL_CHARS ("too many") rule is scored 0.5 here; for Subject, From
# and ALL the four-value score line is left commented out. Each singular
# *_ILLEGAL_CHAR meta fires only when its plural counterpart did not, and
# scores 0.2.
# NOTE(review): the three eval arguments are presumably header name, ratio
# threshold and minimum count — confirm against the eval's documentation.
# NOTE(review): these eval rules are not wrapped in an ifplugin block, unlike
# CHARSET_FARAWAY_HEADER further down — confirm the providing plugin is always
# loaded.
#header SUBJ_ILLEGAL_CHARS eval:check_illegal_chars('Subject','0.00','2')
#describe SUBJ_ILLEGAL_CHARS Subject: has too many raw illegal characters
#score SUBJ_ILLEGAL_CHARS 3.360 3.360 3.978 4.279
score SUBJ_ILLEGAL_CHARS 0.5
header __SUBJ_ILLEGAL_CHAR eval:check_illegal_chars('Subject','0.00','1')
meta SUBJ_ILLEGAL_CHAR __SUBJ_ILLEGAL_CHAR && !SUBJ_ILLEGAL_CHARS
describe SUBJ_ILLEGAL_CHAR Subject: has raw illegal character
score SUBJ_ILLEGAL_CHAR 0.2

#header FROM_ILLEGAL_CHARS eval:check_illegal_chars('From','0.20','2')
#describe FROM_ILLEGAL_CHARS From: has too many raw illegal characters
#score FROM_ILLEGAL_CHARS 3.280 3.280 3.792 4.100
score FROM_ILLEGAL_CHARS 0.5
header __FROM_ILLEGAL_CHAR eval:check_illegal_chars('From','0.20','1')
meta FROM_ILLEGAL_CHAR __FROM_ILLEGAL_CHAR && !FROM_ILLEGAL_CHARS
describe FROM_ILLEGAL_CHAR From: has raw illegal character
score FROM_ILLEGAL_CHAR 0.2

#header HEAD_ILLEGAL_CHARS eval:check_illegal_chars('ALL','0.010','2')
#describe HEAD_ILLEGAL_CHARS Headers have too many raw illegal characters
#score HEAD_ILLEGAL_CHARS 1.652 1.519 1.796 1.606
score HEAD_ILLEGAL_CHARS 0.5
header __HEAD_ILLEGAL_CHAR eval:check_illegal_chars('ALL','0.010','1')
meta HEAD_ILLEGAL_CHAR __HEAD_ILLEGAL_CHAR && !HEAD_ILLEGAL_CHARS
describe HEAD_ILLEGAL_CHAR Headers have raw illegal character
score HEAD_ILLEGAL_CHAR 0.2

# To, Reply-To and Cc variants are defined in full in this file.
header TO_ILLEGAL_CHARS eval:check_illegal_chars('To','0.20','2')
describe TO_ILLEGAL_CHARS To: has too many raw illegal characters
score TO_ILLEGAL_CHARS 0.5
header __TO_ILLEGAL_CHAR eval:check_illegal_chars('To','0.00','1')
meta TO_ILLEGAL_CHAR __TO_ILLEGAL_CHAR && !TO_ILLEGAL_CHARS
describe TO_ILLEGAL_CHAR To: has raw illegal character
score TO_ILLEGAL_CHAR 0.2

header REPLY_TO_ILLEGAL_CHARS eval:check_illegal_chars('Reply-To','0.20','2')
describe REPLY_TO_ILLEGAL_CHARS Reply-To: has too many raw illegal characters
score REPLY_TO_ILLEGAL_CHARS 0.5
header __REPLY_TO_ILLEGAL_CHAR eval:check_illegal_chars('Reply-To','0.00','1')
meta REPLY_TO_ILLEGAL_CHAR __REPLY_TO_ILLEGAL_CHAR && !REPLY_TO_ILLEGAL_CHARS
describe REPLY_TO_ILLEGAL_CHAR Reply-To: has raw illegal character
score REPLY_TO_ILLEGAL_CHAR 0.2

header CC_ILLEGAL_CHARS eval:check_illegal_chars('Cc','0.20','2')
describe CC_ILLEGAL_CHARS Cc: has too many raw illegal characters
score CC_ILLEGAL_CHARS 0.5
header __CC_ILLEGAL_CHAR eval:check_illegal_chars('Cc','0.00','1')
meta CC_ILLEGAL_CHAR __CC_ILLEGAL_CHAR && !CC_ILLEGAL_CHARS
describe CC_ILLEGAL_CHAR Cc: has raw illegal character
score CC_ILLEGAL_CHAR 0.2

# --- SUBJ_ALL_CAPS: converted to a meta that additionally requires
# __CUST_Subject_7bit (defined elsewhere), with a single score of 1.2.
#header SUBJ_ALL_CAPS eval:subject_is_all_caps()
#describe SUBJ_ALL_CAPS Subject is all capitals
#score SUBJ_ALL_CAPS 1.049 1.166 0.459 0.997
header __SUBJ_ALL_CAPS eval:subject_is_all_caps()
meta SUBJ_ALL_CAPS __SUBJ_ALL_CAPS && __CUST_Subject_7bit
describe SUBJ_ALL_CAPS Subject is all capitals
score SUBJ_ALL_CAPS 1.2

# --- FORGED_MUA_THEBAT_CS: the active meta additionally requires
# __CUST_X_Mailman_Version_EMPTY and __CUST_List_Id_EMPTY (defined elsewhere).
#meta FORGED_MUA_THEBAT_CS (__THEBAT_MUA && __CTYPE_CHARSET_QUOTED)
#describe FORGED_MUA_THEBAT_CS Mail pretending to be from The Bat! (charset)
meta FORGED_MUA_THEBAT_CS (__THEBAT_MUA && __CTYPE_CHARSET_QUOTED) && __CUST_X_Mailman_Version_EMPTY && __CUST_List_Id_EMPTY

# NOTE(review): the commented pattern below looks truncated and may be two
# lines fused together; restore it from the original before re-enabling.
#header __REPTO_OVERQUOTE Reply-To =~ /"[\w. -]+"\s*\]*\@[^>]*\@/

# --- MSGID_MULTIPLE_AT: Message-ID with more than one '@'. The meta exempts
# mail where __CUST_X_Mailer_MSO12 and one of the __MSO12_From_Message_ID*
# rules all hit.
# NOTE(review): both __MSO12_From_Message_ID* rules are commented out here and
# use the multi-header "From|Message-ID:case" form, which is not stock header
# syntax (presumably it needs the patch named at the top of this file). If
# they are not defined elsewhere, the parenthesised term is presumably always
# true and the exemption never applies — verify.
##describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters
#header __MSO12_From_Message_ID1 From|Message-ID:case =~ /^[^\.]+\@[^\.]+\.([^>]+)>[\s\r\n]*\|\s*<0[\da-f]{3}01[\da-f]{6}\$[\da-f]{8}\$[\da-f]{8}\$\@\1>$/i
#header __MSO12_From_Message_ID2 From|Message-ID:case =~ /^.+\.(\S+\@[^>]+)>[\s\r\n]*\|\s*<0[\da-f]{3}01[\da-f]{6}\$[\da-z]{8}\$[\da-z]{8}\$\@\1>$/i
header __MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/
meta MSGID_MULTIPLE_AT __MSGID_MULTIPLE_AT && (!__CUST_X_Mailer_MSO12 || !(__MSO12_From_Message_ID1 || __MSO12_From_Message_ID2))

# --- RATWARE_OUTLOOK_NONAME / RATWARE_MS_HASH: the active metas add
# !__RCVD_WITH_EXCHANGE_2007 (defined elsewhere) to the earlier exclusions.
#header __RCVD_WITH_EXCHANGE Received =~ /with Microsoft Exchange Server/
#meta RATWARE_OUTLOOK_NONAME __MSGID_DOLLARS_OK && !__HAS_X_MAILER && !__RCVD_WITH_EXCHANGE
#describe RATWARE_OUTLOOK_NONAME Bulk email fingerprint (Outlook no name) found
#meta RATWARE_MS_HASH __MSGID_DOLLARS_OK && !__MIMEOLE_MS && !__RCVD_WITH_EXCHANGE
#describe RATWARE_MS_HASH Bulk email fingerprint (msgid ms hash) found
meta RATWARE_OUTLOOK_NONAME __MSGID_DOLLARS_OK && !__HAS_X_MAILER && !__RCVD_WITH_EXCHANGE && !__RCVD_WITH_EXCHANGE_2007
meta RATWARE_MS_HASH __MSGID_DOLLARS_OK && !__MIMEOLE_MS && !__RCVD_WITH_EXCHANGE && !__RCVD_WITH_EXCHANGE_2007

# --- __FORGED_OE: the active meta adds an exemption for mail where both
# __NEW_OE_Message_ID and __NEW_OE_X_Mailer (defined elsewhere) hit.
## Outlook Express 4, 5, and 6
#header __OE_MUA X-Mailer =~ /\bOutlook Express [456]\./
#header __OE_MSGID_1 MESSAGEID =~ /^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}\@hotmail\.com>$/m
#header __OE_MSGID_2 MESSAGEID =~ /^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}\@\S+>$/m
# NOTE(review): the pattern below is empty between ^ and $ and looks truncated;
# restore it from the original before re-enabling.
#header __OE_MSGID_3 MESSAGEID =~ /^$/m
#meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__OE_MSGID_3 && !__UNUSABLE_MSGID)
meta __FORGED_OE __OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__OE_MSGID_3 && !__UNUSABLE_MSGID && !(__NEW_OE_Message_ID && __NEW_OE_X_Mailer)

# --- CHARSET_FARAWAY_HEADER: converted to a meta that is suppressed when
# EBEWE_COM hits, or when GMAIL_COM hits together with one of the
# __CUST_*_BASE64_* rules.
# NOTE(review): GMAIL_COM and EBEWE_COM are defined elsewhere. If they match
# only on sender-supplied headers such as From, any sender can claim the
# exemption — confirm they are tied to relay or authentication evidence.
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
#header CHARSET_FARAWAY_HEADER eval:check_for_faraway_charset_in_headers()
#describe CHARSET_FARAWAY_HEADER A foreign language charset used in headers
#tflags CHARSET_FARAWAY_HEADER userconf
#score CHARSET_FARAWAY_HEADER 3.200
header __CHARSET_FARAWAY_HEADER eval:check_for_faraway_charset_in_headers()
meta CHARSET_FARAWAY_HEADER __CHARSET_FARAWAY_HEADER && !(GMAIL_COM && (__CUST_Subject_BASE64_GB2312 || __CUST_Subject_BASE64_ISO_2022_JP || __CUST_From_BASE64_GB2312 || __CUST_From_BASE64_ISO_2022_JP)) && !EBEWE_COM
endif

# --- SUBJ_RE_NUM: the active meta adds !__UKRNET (defined elsewhere).
##{ SUBJ_RE_NUM
#meta SUBJ_RE_NUM !__THEBAT_MUA && __SUBJ_RE_NUM
#describe SUBJ_RE_NUM Subject is faking 'The Bat!' responses
meta SUBJ_RE_NUM !__THEBAT_MUA && __SUBJ_RE_NUM && !__UKRNET
##} SUBJ_RE_NUM

# --- __DOS_DIRECT_TO_MX: the active meta drops the !__DOS_HAS_LIST_UNSUB term,
# so a hit on __DOS_HAS_LIST_UNSUB no longer prevents this rule from firing.
#meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT
meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT

# --- FH_DATE_PAST_20XX: every line is commented out; nothing here is active.
##header FH_DATE_PAST_20XX Date =~ /20[1-9][0-9]/ [if-unset: 2006]
##describe FH_DATE_PAST_20XX The date is grossly in the future.
##score FH_DATE_PAST_20XX 2.075 3.384 3.554 3.188 # n=2
#header FH_DATE_PAST_20XX Date =~ /20(1[2-9]|[2-9]\d)/ [if-unset: 2006]

# --- FORGED_MUA_THEBAT_BOUN: the active meta adds !PhTrd_Indy9 (defined
# elsewhere).
#meta FORGED_MUA_THEBAT_BOUN (__THEBAT_MUA && __CTYPE_HAS_BOUNDARY && !__BAT_BOUNDARY && !__MAILMAN_21)
#describe FORGED_MUA_THEBAT_BOUN Mail pretending to be from The Bat! (boundary)
meta FORGED_MUA_THEBAT_BOUN (__THEBAT_MUA && __CTYPE_HAS_BOUNDARY && !__BAT_BOUNDARY && !__MAILMAN_21) && !PhTrd_Indy9

# --- TO_NO_BRKTS_NORDNS: the active meta prepends three exclusions
# (!I_COM_UA && !__iPad && !__iPhone) to the earlier expression.
# NOTE(review): those three rules are defined elsewhere. If __iPad/__iPhone
# key on a client-identifying header such as X-Mailer, the sender controls the
# value and can switch this rule off — confirm what they match on.
#meta __TO_NO_BRKTS_NORDNS __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && RDNS_NONE
#meta TO_NO_BRKTS_NORDNS __TO_NO_BRKTS_NORDNS && !__MANY_RECIPS && !__FROM_RUNON && !__VIA_ML && !__TO___LOWER && !ALL_TRUSTED && !__COMMENT_EXISTS && !__DOS_HAS_LIST_UNSUB && !__OE_MSGID_1 && !__MSGID_JAVAMAIL && !__CTYPE_MULTIPART_MIXED && !__UNSUB_LINK && !__JM_REACTOR_DATE && !__TAG_EXISTS_CENTER && !__HAS_UA && !__TO_EQ_FROM_DOM && !__TAG_EXISTS_STYLE
##score TO_NO_BRKTS_NORDNS 2.75 # limit
#describe TO_NO_BRKTS_NORDNS To: misformatted and no rDNS
meta TO_NO_BRKTS_NORDNS !I_COM_UA && !__iPad && !__iPhone && __TO_NO_BRKTS_NORDNS && !__MANY_RECIPS && !__FROM_RUNON && !__VIA_ML && !__TO___LOWER && !ALL_TRUSTED && !__COMMENT_EXISTS && !__DOS_HAS_LIST_UNSUB && !__OE_MSGID_1 && !__MSGID_JAVAMAIL && !__CTYPE_MULTIPART_MIXED && !__UNSUB_LINK && !__JM_REACTOR_DATE && !__TAG_EXISTS_CENTER && !__HAS_UA && !__TO_EQ_FROM_DOM && !__TAG_EXISTS_STYLE