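#
# 2003-2015 Victor Ustugov
#
# To check combinations of header fields (the "Header1|Header2 =~ ..." rules used
# further down in this file) the following patch is required:
# http://mta.org.ua/spamassassin-3.4.0/patches/3.3.2/patch-src::MultiCaseSensHeadersCheck-3.3.2.patch
#
########################################
# Reply-To / misc header sanity checks.
#meta TO_undisclosed_recipients __CUST_TO_undisclosed_recipients
#describe TO_undisclosed_recipients Message to undisclosed-recipients:;
#score TO_undisclosed_recipients 1.5
########################################
# Reply-To address without a dot (no TLD); the if-unset value keeps the rule quiet when the header is absent.
header REPLY_TO_NOTLD Reply-To:addr !~ /\./ [if-unset: foo@bar.com]
describe REPLY_TO_NOTLD E-mail address in header Reply-To doesn't have TLD
score REPLY_TO_NOTLD 1.5
header X_LIBRARY exists:X-Library
describe X_LIBRARY Message has X-Library header
score X_LIBRARY 1.0
########################################
# Empty / degenerate addresses in address headers.
# NOTE(review): the pattern below is unterminated as printed (no closing "/") and no rule
# uses __NO_SB_REALNAME_FROM in this file; the line appears truncated — verify against the
# original before loading, SpamAssassin will reject an invalid regexp.
header __NO_SB_REALNAME_FROM From =~ /["\d\w\.\*]
header EMPTY_REALNAME_ADDR_TO To =~ /\s*"" <>$/
describe EMPTY_REALNAME_ADDR_TO Suspicious header To: empty real name and empty address
score EMPTY_REALNAME_ADDR_TO 3.5
# From: =?koi8-r?B?aHR0cDovL2luZGlnb3VhLmNvbS8=?= <>
header EMPTY_ADDR_FROM From =~ /<>$/
describe EMPTY_ADDR_FROM Suspicious empty address in header From
score EMPTY_ADDR_FROM 2.0
# Reply-To: =?koi8-r?B?aHR0cDovL2luZGlnb3VhLmNvbS8=?=
# NOTE(review): as printed, /$/ matches every Reply-To value, so this rule adds 3.0 to any
# message that carries a Reply-To header. The angle-bracketed part of the pattern (and of
# the sample above) appears to have been lost; restore the intended URL pattern before use.
header ADDR_URL_REPLYTO Reply-To =~ /$/
describe ADDR_URL_REPLYTO Suspicious address in header Reply-To
score ADDR_URL_REPLYTO 3.0
# From: "http://indigoua.com/"
# NOTE(review): pattern is unterminated as printed and the rule has no describe/score
# (it would score with SpamAssassin's default); text appears to be missing here.
header REALNAME_URL_FROM From =~ /^\s*"http:\/\/\S+?(\.\S+)+\/"
header STRANGE_HEADER_TO_ADDRESS To =~ /<[^<>\@]+\@[^<>\@]+\@[^<>\@]+>/
describe STRANGE_HEADER_TO_ADDRESS Strange address in header To (two symbols "@")
score STRANGE_HEADER_TO_ADDRESS 3.0
########################################
# Message-ID shape checks.
#Message-ID: <191754b4cf425eb48837a015fdb987fb@offerdable.info/emailing>
header SUSPICIOUS_MESSAGE_ID_SLASH Message-ID =~ /\@\S+\/\S+>$/
describe SUSPICIOUS_MESSAGE_ID_SLASH Suspicious Message-ID
score SUSPICIOUS_MESSAGE_ID_SLASH 2.0
########################################
# Whitespace ("SB" = space/blank) directly inside the angle brackets of Message-ID,
# From, Reply-To and To.
header SUSPICIOUS_MESSAGE_ID_SB_BEG Message-ID =~ /^\s*<\s+\S+\@\S+>$/
describe SUSPICIOUS_MESSAGE_ID_SB_BEG Suspicious Message-ID
score SUSPICIOUS_MESSAGE_ID_SB_BEG 2.5
header SUSPICIOUS_MESSAGE_ID_SB_END Message-ID =~ /^\s*<\S+\@\S+\s+>$/
describe SUSPICIOUS_MESSAGE_ID_SB_END Suspicious Message-ID
score SUSPICIOUS_MESSAGE_ID_SB_END 2.5
header SUSPICIOUS_FROM_SB_BEG From =~ /<\s+\S+\@\S+>$/
describe SUSPICIOUS_FROM_SB_BEG Suspicious header From
score SUSPICIOUS_FROM_SB_BEG 2.0
header SUSPICIOUS_FROM_SB3_END From =~ /<\S+\@\S+\s{3,}>$/
describe SUSPICIOUS_FROM_SB3_END Suspicious header From
score SUSPICIOUS_FROM_SB3_END 3.5
# One or two trailing blanks score 2.5; three or more are handled by SUSPICIOUS_FROM_SB3_END above.
header __SUSPICIOUS_FROM_SB_END From =~ /<\S+\@\S+\s+>$/
meta SUSPICIOUS_FROM_SB_END __SUSPICIOUS_FROM_SB_END && !SUSPICIOUS_FROM_SB3_END
describe SUSPICIOUS_FROM_SB_END Suspicious header From
score SUSPICIOUS_FROM_SB_END 2.5
header SUSPICIOUS_REPLY_TO_SB_BEG Reply-To =~ /<\s+\S+\@\S+>$/
describe SUSPICIOUS_REPLY_TO_SB_BEG Suspicious header Reply-To
score SUSPICIOUS_REPLY_TO_SB_BEG 2.5
header SUSPICIOUS_REPLY_TO_SB_END Reply-To =~ /<\S+\@\S+\s+>$/
describe SUSPICIOUS_REPLY_TO_SB_END Suspicious header Reply-To
score SUSPICIOUS_REPLY_TO_SB_END 2.5
header SUSPICIOUS_TO_SB_BEG To =~ /<\s+\S+\@\S+>$/
describe SUSPICIOUS_TO_SB_BEG Suspicious header To
score SUSPICIOUS_TO_SB_BEG 2.5
header SUSPICIOUS_TO_SB_END To =~ /<\S+\@\S+\s+>$/
describe SUSPICIOUS_TO_SB_END Suspicious header To
score SUSPICIOUS_TO_SB_END 2.5
########################################
# Real name that starts with a quote followed by whitespace.
header SUSPICIOUS_FROM_REALNAME From =~ /^\s*"\s/
describe SUSPICIOUS_FROM_REALNAME Suspicious real name in header From
score SUSPICIOUS_FROM_REALNAME 0.5
header SUSPICIOUS_REPLY_TO_REALNAME Reply-To =~ /^\s*"\s/
describe SUSPICIOUS_REPLY_TO_REALNAME Suspicious real name header Reply-To
score SUSPICIOUS_REPLY_TO_REALNAME 0.5
# Temporarily disabled: checking messages with a large number of addresses in the To:
# field produced the following error (the nested quantifier backtracks heavily):
# Complex regular subexpression recursion limit (32766) exceeded at /usr/local/etc/mail/spamassassin/94_85_headers_tests-0.01.cf, rule SUSPICIOUS_TO_REALNAME, line 1.
#header SUSPICIOUS_TO_REALNAME To =~ /^\s*(.+,\s*[\s\r\n]*)*"\s/
#describe SUSPICIOUS_TO_REALNAME Suspicious real name header To
#score SUSPICIOUS_TO_REALNAME 0.5
########################################
# NOTE(review): SUSPICIOUS_FROM_REALNAME2 has no describe/score (it would score with the
# default), while the describe/score that follow name simple_solutions_mybusiness_Reply_To,
# for which no header/meta line is present here; text appears to be missing between them.
header SUSPICIOUS_FROM_REALNAME2 From =~ /\s"\s$/
describe simple_solutions_mybusiness_Reply_To Message from simple-solutions/mybusiness
score simple_solutions_mybusiness_Reply_To 3.0
# Sender domains built from "seminar"-style word fragments.
header FROM_SEM_SEM_1 From =~ /\@\d+(inst|mos|msk|ros|russ|sem|seminar)-(edu|post|rass|russ|sem|seminar)\.ru>$/
describe FROM_SEM_SEM_1 Probably message from sem-sem domain
score FROM_SEM_SEM_1 3.0
header FROM_SEM_SEM_2 From =~ /\@(seminar)\d+(inst|mail|msk|sem)\.ru>$/
describe FROM_SEM_SEM_2 Probably message from sem-sem domain
score FROM_SEM_SEM_2 3.0
header FROM_SEM_SEM_3 From =~ /\@(inst|mos|msk|ros|rus|russ|sem|seminar|train)-?(buhg|confer|dispatch|economy|education|educationieuso|ieuso|inf|inform|institute|ipk|know|lect|management|novat|obuch|optim|orgsem|potok|proff|qual|rost|study|ucheb|workshop|znan)\.ru>$/
describe FROM_SEM_SEM_3 Probably message from sem-sem domain
score FROM_SEM_SEM_3 3.0
########################################
#
# correct:
#
# Received: from [10.0.0.4] ([62.85.194.4])
# by mail.venus.it (Mail Server) with ASMTP (SSL) id YQY57704
# for ; Mon, 19 Mar 2007 14:05:04 +0100
#
# Received: from leopg9.no-ip.org ([89.150.201.69])
# by mc2.sverige.net (JPHS Mail server v2.1.3) with ASMTP id MOB44030
# for ; Sat, 07 Apr 2007 12:46:30 +0200
#
# forged:
#
# Received: from olaz
# by PEREZ-MORRIS.COM with ASMTP id 6EE4F1F6
# for ; Sat, 24 Mar 2007 21:59:02 +0100
#
# Received: from big-cat
# by DECISIONSTRATEGIES.COM with ASMTP id D032ADC5
# for <3dreferent@fabli.ua>; Sat, 24 Mar 2007 18:09:35 -0500
#
# "from <name>" followed directly by "by" (no "([ip])" part, as in the forged samples).
header SUSPICIOUS_ASMTP_RECEIVED Received =~ /from \S+[\s\r\n]+by \S+ with ASMTP id [A-Z\d]{8}\b/
describe SUSPICIOUS_ASMTP_RECEIVED Suspicious ASMTP Received
score SUSPICIOUS_ASMTP_RECEIVED 3.0
header RECEIVED_SPAMWARE_HELO Received =~ /(from |helo=|HELO )(QRJATYDI|QRJATIDI|SOCKFAULT1|RDOBYESV)/
describe RECEIVED_SPAMWARE_HELO Header Received contains spamware helo (DSPAM_autolearn), already_read
score RECEIVED_SPAMWARE_HELO 4.0
########################################
# Antiviruses
#
# X-Mailer: mPOP Web-Mail 2.19
# X-Antivirus: avast! (VPS 000731-0, 06.04.2007), Outbound message
# A desktop AV "Outbound" stamp on mail sent through a web-mail client is implausible.
header __X_Antivirus_avast X-Antivirus =~ /^\s*avast! \(VPS .+\), Outbound message$/
meta FORGED_PERSONAL_AVAST_OUT __X_Mailer_mPOP_Web_Mail && __X_Antivirus_avast
describe FORGED_PERSONAL_AVAST_OUT Personal antivirus with Web Mail mailer
score FORGED_PERSONAL_AVAST_OUT 3.0
header FORGED_PERSONAL_AVAST_IN X-Antivirus =~ /^\s*avast! \(VPS .+\), Inbound message$/
describe FORGED_PERSONAL_AVAST_IN Personal antivirus
score FORGED_PERSONAL_AVAST_IN 2.0
#header FORGED_X_Antivirus_avast X-Antivirus =~ /^\s*avast! \(VPS \d{6}-\d, \d\d\/\d\d\/\d\d\d\d\), Outbound message$/
#describe FORGED_X_Antivirus_avast Forged personal antivirus avast
#score FORGED_X_Antivirus_avast 2.5
# forged:
# X-RAV-Antivirus: This e-mail has been scanned for viruses on host: [forged]
# X-RAV-AntiVirus: This message has been scanned for viruses on [forged]
header DEAD_RAV_ANTIVIRUS X-RAV-AntiVirus =~ /./
describe DEAD_RAV_ANTIVIRUS Dead RAV AntiVirus
score DEAD_RAV_ANTIVIRUS 3.0
header FORGED_NORTON_ANTIVIRUS X-Virus-Scanned =~ /^\s*Norton$/
describe FORGED_NORTON_ANTIVIRUS Forged Norton AV
score FORGED_NORTON_ANTIVIRUS 3.0
header FAKE_OR_UNKNOWN_AV_AMERISERV X-Virus-Scanned =~ /^\s*by Ameriserv.net Anti-Virus E-Gateway$/
describe FAKE_OR_UNKNOWN_AV_AMERISERV Fake unknown AV
score FAKE_OR_UNKNOWN_AV_AMERISERV 3.0
header FAKE_GMX_AV X-GMX-Antivirus =~ /^\s*0 \(no virus found\)$/
describe FAKE_GMX_AV Fake GMX AV
score FAKE_GMX_AV 3.0
header FORGED_AntiVir_MailGate X-AntiVirus =~ /^\s*OK! AntiVir MailGate Version 2\.\d+\.\d+; AVE: \d+\.\d+\.\d+\.\d+; VDF: \d+\.\d+\.\d+\.\d+$/
describe FORGED_AntiVir_MailGate Forged AntiVir MailGate
score FORGED_AntiVir_MailGate 3.5
header SUSPICIOUS_AntiVir_MailGate X-AntiVirus =~ /^\s*checked by AntiVir MailGate (\(version: 2\.0\.1\.10; AVE: 6\.20\.0\.1; VDF: 6\.20\.0\.46; host: \S+\)|\(version: 2\.0\.1\.5; AVE: 6\.17\.0\.2; VDF: 6\.17\.0\.5; host: \S+\))$/
describe SUSPICIOUS_AntiVir_MailGate Suspicious AntiVir MailGate
score SUSPICIOUS_AntiVir_MailGate 3.0
# Fixed: this rule was also named SUSPICIOUS_AntiVir_MailGate; a repeated rule name makes
# the later definition replace the earlier one, so the AntiVir MailGate test above was
# silently dropped. Renamed to match its describe text.
header SUSPICIOUS_AntiVir_DrWeb X-AntiVirus =~ /^\s*Checked by Dr\.Web \(http:\/\/www\.drweb\.net\)$/
describe SUSPICIOUS_AntiVir_DrWeb Suspicious AntiVir DrWeb
score SUSPICIOUS_AntiVir_DrWeb 4.0
header SUSPICIOUS_AntiVir_Polski X-AntiVirus =~ /^\s*kaner antywirusowy poczty Wirtualnej Polski S\. A\.$/
describe SUSPICIOUS_AntiVir_Polski Suspicious X-AntiVirus header name for this antivirus
score SUSPICIOUS_AntiVir_Polski 1.0
#
# Version numbers from http://www.avira.com/en/downloads/avira_antivir_unix_mailgate.html contains "-"
#
header SUSPICIOUS_AntiVir_MailGate_Ver X-AntiVirus =~ /^\s*checked by AntiVir MailGate \(version: 2(\.\d+){2,};$/
describe SUSPICIOUS_AntiVir_MailGate_Ver Suspicious AntiVir MailGate version
score SUSPICIOUS_AntiVir_MailGate_Ver 3.0
# Rule names below keep the original "DESPRECATED" spelling for compatibility with other files.
header DESPRECATED_AMAVIS_0_2_X X-AntiVirus =~ /^\s*scanned for viruses by AMaViS 0\.2\.\d+ \(http:\/\/amavis\.org\/\)$/
describe DESPRECATED_AMAVIS_0_2_X Deprecated content scanner AMaViS 0.2.X
score DESPRECATED_AMAVIS_0_2_X 3.0
header __AMAVIS_0_2_EXISCAN_X_Scanner X-Scanner =~ /^\s*[a-z]+ for [a-z]+ \(http:\/\/duncanthrax\.net\/exiscan\/\)$/
header __AMAVIS_0_2_EXISCAN_X_Virus_Scanner X-Virus-Scanner =~ /^\s*AMaVis 0\.2\.0-pre6 \/ Virus Scan$/
meta DESPRECATED_AMAVIS_0_2_EXISCAN __AMAVIS_0_2_EXISCAN_X_Scanner && __AMAVIS_0_2_EXISCAN_X_Virus_Scanner
describe DESPRECATED_AMAVIS_0_2_EXISCAN Strange X-Scanner and deprecated X-Virus-Scanner
score DESPRECATED_AMAVIS_0_2_EXISCAN 5.0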
########################################
# Thread-Index (Outlook/Exchange) must be base64-like and at least 27 characters.
header __VALID_THREAD_INDEX Thread-Index =~ /^\s*[0-9A-Za-z\/_\+=]{27,}$/
meta INVALID_THREAD_INDEX1 !__CUST_THREAD_INDEX_EMPTY && !__VALID_THREAD_INDEX
describe INVALID_THREAD_INDEX1 Invalid header Thread-Index
score INVALID_THREAD_INDEX1 1.5
header INVALID_THREAD_INDEX2 Thread-Index =~ /[,\.''""\*\(\)\{\}<>\@]/
describe INVALID_THREAD_INDEX2 Invalid header Thread-Index
score INVALID_THREAD_INDEX2 2.5
########################################
# X-Originating-IP present while X-Mailer is empty, excluding known web-mail and
# notification sources; __HAS_* / __CUST_* helpers come from other files.
meta __X_Orig_IP_without_X_Mailer_hidden_MSO (!__HAS_X_Mailer && __HAS_Thread_Topic && __HAS_Thread_Index && __HAS_Accept_Language && __HAS_Content_Language && __HAS_X_MS_Has_Attach && __HAS_X_MS_TNEF_Correlator)
meta X_Orig_IP_without_X_Mailer !__CUST_X_Originating_IP_EMPTY && __CUST_X_MAILER_EMPTY && !__HAS_User_Agent && !HotMail_COM && !MSN_COM && !__GALA_NET_From && !__BIGMIR_NET_From && !GMAIL_COM_WEB && !__X_Orig_IP_without_X_Mailer_hidden_MSO && !(__X_Envelope_From_GoogleDoc || __Return_Path_GoogleDoc)
describe X_Orig_IP_without_X_Mailer header X-Originating-IP without header X-Mailer
score X_Orig_IP_without_X_Mailer 2.0
# Accepted shapes: one or more dotted quads, optionally bracketed, optionally "via proxy [ip]".
# NOTE(review): only IPv4 dotted quads are accepted; an IPv6 value would fail both patterns
# and trigger SUSPICIOUS_X_Originating_IP, and "[03-9]\d\d" in the INVALID check below can
# also match digit runs inside hex groups — verify on live traffic before relying on these scores.
header __CUST_X_Originating_IP X-Originating-IP =~ /^\s*\[?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(, \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})*\]?$/
#header __CUST_X_Originating_IP_via_proxy X-Originating-IP =~ /^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|unknown) via proxy \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]$/
#header __CUST_X_Originating_IP_via_proxy X-Originating-IP =~ /^\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(, \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})*( via proxy \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\])?$/
#header __CUST_X_Originating_IP_via_proxy X-Originating-IP =~ /^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(, \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})*|unknown)( via proxy \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\])?$/
header __CUST_X_Originating_IP_via_proxy X-Originating-IP =~ /^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|unknown)(, \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})*( via proxy \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\])?$/
meta SUSPICIOUS_X_Originating_IP !__CUST_X_Originating_IP_EMPTY && !__CUST_X_Originating_IP && !__CUST_X_Originating_IP_via_proxy
describe SUSPICIOUS_X_Originating_IP Suspicious header X-Originating-IP
score SUSPICIOUS_X_Originating_IP 2.5
# Octets that cannot occur in a dotted quad: 3-digit values starting 0 or 3-9, leading zeros, 260-299, 256-259.
header __CUST_X_Originating_IP_wrong X-Originating-IP =~ /([03-9]\d\d|\.0\d|2[6-9]\d|25[6-9])/
meta INVALID_X_Originating_IP !__CUST_X_Originating_IP_EMPTY && __CUST_X_Originating_IP_wrong
describe INVALID_X_Originating_IP Invalid IP in header X-Originating-IP
score INVALID_X_Originating_IP 2.5
########################################
# NOTE(review): the pattern below is corrupted as printed (fragments of the character class
# are repeated after an unbalanced "]"), no meta uses __To_Real_Name_All_Caps in this file, and
# HEADER_TO_SUBJECT_PREFIX has a describe/score but no header line; the text between them
# appears to be missing. Restore from the original source before loading.
header __To_Real_Name_All_Caps To =~ /^\s*"?[A-Z²ª¯«»– ÀÁÂÃÄŨÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞß\s\d!"'\#\$\%\^\&\*\(\)\-_\+=\[\]\{\}\\\/;:<>\?\.,\|]*[A-Z²ª¯«»– ÀÁÂÃÄŨÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞß]*[A-Z²ª¯«»– ÀÁÂÃÄŨÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞß\s\d!"'\#\$\%\^\&\*\(\)\-_\+=\[\]\{\}\\\/;:<>\?.,\|]*"? \?\.,\|]*[A-Z²ª¯«»– ÀÁÂÃÄŨÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞß]*[A-Z²ª¯«»– ÀÁÂÃÄŨÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞß\s\d!"'\#\$\%\^\&\*\(\)\-_\+=\[\]\{\}\\\/;:<>\?.,\|]*"? $/i
describe HEADER_TO_SUBJECT_PREFIX Header To address begins with "RE:", "FWD:" or "FW"
score HEADER_TO_SUBJECT_PREFIX 3.0
# Subject-style prefixes ("Re:", "Re[2]:", "Fw:", "Fwd:") at the start of address headers.
header Subject_prefix_in_To To =~ /^[\s\r\n]*"?(Re(\[\d+\])?|Fw|Fwd):/i
describe Subject_prefix_in_To Subject prefix ("Re:", "Fw:" or "Fwd:") found in To header field (DSPAM_autolearn)
score Subject_prefix_in_To 4.5
header Subject_prefix_in_From From =~ /^[\s\r\n]*"?(Re(\[\d+\])?|Fw|Fwd):/i
describe Subject_prefix_in_From Subject prefix ("Re:", "Fw:" or "Fwd:") found in From header field (DSPAM_autolearn)
score Subject_prefix_in_From 4.5
header Subject_prefix_in_Reply_To Reply-To =~ /^[\s\r\n]*"?(Re(\[\d+\])?|Fw|Fwd):/i
describe Subject_prefix_in_Reply_To Subject prefix ("Re:", "Fw:" or "Fwd:") found in Reply-To header field (DSPAM_autolearn)
score Subject_prefix_in_Reply_To 4.5
########################################
#
# From: =?koi8-r?B?IuHOxNLFyiI=?= 41365e764a@rambler.ru
#
# Real name followed by a bare address (no "<...>" and no "(...)").
header FROM_WITHOUT_ANGLE_BRACKETS From =~ /^\s*.+ [^<\(]+\@[^>\)]+$/
describe FROM_WITHOUT_ANGLE_BRACKETS header From has realname and has not angle brackets
score FROM_WITHOUT_ANGLE_BRACKETS 3.5
meta MISSING_HEADER_FROM __CUST_FROM_EMPTY
describe MISSING_HEADER_FROM Missing header From
score MISSING_HEADER_FROM 1.0
########################################
meta TO_EXISTS_BUT_EMPTY __HAS_TO && __CUST_TO_EMPTY && __CUST_CC_EMPTY
describe TO_EXISTS_BUT_EMPTY Header To exists but empty
score TO_EXISTS_BUT_EMPTY 2.0
########################################
# Duplicated To:/Cc: header lines, found by scanning the whole header block (ALL).
header __TO_DOUBLED ALL =~ /^To:\s*[^\r\n]*?\r?\n(.*\r?\n)*To:/mi
meta TO_DOUBLED_WITHOUT_FROM __TO_DOUBLED && !__HAS_FROM
describe TO_DOUBLED_WITHOUT_FROM There are two headers To and there is no any header From
score TO_DOUBLED_WITHOUT_FROM 5.0
meta TO_DOUBLED __TO_DOUBLED && __HAS_FROM
describe TO_DOUBLED There are two headers To
score TO_DOUBLED 2.5
header CC_DOUBLED ALL =~ /^Cc:\s*[^\r\n]*?\r?\n(.*\r?\n)*Cc:/mi
describe CC_DOUBLED There are two headers Cc
score CC_DOUBLED 3.0
#Cc: ; Tue, 22 Feb 2011 17:34:45 -0300
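#Cc:
#Date: Tue, 22 Feb 2011 17:34:45 -0300
# Date|Cc combines both header values with "|" (requires the MultiCaseSensHeadersCheck patch
# referenced at the top of this file): the first Cc value ends with the Date value (\1) and
# the address (\2) is repeated on the following Cc line.
header CC_DOUBLED_WITH_DATE_IN_CC Date|Cc =~ /^\s*(.+?)[\r\n\s]*\|.*?(<\S+?>); \1\r?\n\s*\2\r?\n?$/
#header CC_DOUBLED_WITH_DATE_IN_CC Date|Cc =~ /^\s*(.+?)[\r\n\s]*\|.*?(<\S+?>); \1\r?\n\s*\2/
describe CC_DOUBLED_WITH_DATE_IN_CC There are two headers Cc and first header Cc contains header Date value
score CC_DOUBLED_WITH_DATE_IN_CC 8.0
########################################
# Bcc should not survive to the recipient; known legitimate sources are excluded.
meta BCC_NOT_EMPTY !__CUST_BCC_EMPTY && !__Lotus_Notes_Release && !GMAIL_COM_WEB && !__GMAIL_COM_SMTP_OTHER_DOMAIN_RCVD
describe BCC_NOT_EMPTY Header Bcc not empty
score BCC_NOT_EMPTY 2.5
meta BCC_EXISTS_BUT_EMPTY __HAS_BCC && __CUST_BCC_EMPTY && !__Lotus_Notes_Release && !HotMail_COM && !ZEND
# Fixed typo in the description ("Haader" -> "Header").
describe BCC_EXISTS_BUT_EMPTY Header Bcc exists but empty
score BCC_EXISTS_BUT_EMPTY 1.0
########################################
# Mailer / transport combinations that do not normally occur together.
meta MAPI_X_Mailer __Received_with_Microsoft_SMTPSVC && __X_MimeOLE_Microsoft_Exchange && !__CUST_X_MAILER_EMPTY
describe MAPI_X_Mailer Sent via MAPI and has X-Mailer
score MAPI_X_Mailer 2.5
meta Exchange_OE __Received_with_Microsoft_SMTPSVC && __CUST_X_Mailer_OE
describe Exchange_OE Send via Exchange with OE
score Exchange_OE 2.0
meta X_Mailer_OE_4 __CUST_X_Mailer_OE_4
describe X_Mailer_OE_4 Very old version of Microsoft Outlook Express
score X_Mailer_OE_4 2.0
header X_Mailer_N_A X-Mailer =~ /^\s*N\/A$/
describe X_Mailer_N_A Strange Mailer
score X_Mailer_N_A 2.0
########################################
# Placeholder values left in by bulk-mailing software.
header SUSPICIOUS_X_FID X-FID =~ /^\s*FLAVOR00-NONE-0000-0000-000000000000$/
describe SUSPICIOUS_X_FID Suspicious X-FID
score SUSPICIOUS_X_FID 2.5
header SUSPICIOUS_X_Matched_Lists X-Matched-Lists =~ /^\s*\[\]$/
describe SUSPICIOUS_X_Matched_Lists Suspicious X-Matched-Lists
score SUSPICIOUS_X_Matched_Lists 1.5
# Any value at all in this header is treated as suspicious (the stricter IPv4-only form is kept commented).
#header SUSPICIOUS_xOriginalSenderIP xOriginalSenderIP =~ /^\s*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/
header SUSPICIOUS_xOriginalSenderIP xOriginalSenderIP =~ /./
describe SUSPICIOUS_xOriginalSenderIP Suspicious xOriginalSenderIP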
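score SUSPICIOUS_xOriginalSenderIP 2.5
# Date header with 8-bit bytes in the month or weekday token (localized, non-RFC dates).
header __SUSPICIOUS_DATE_8bit_month Date =~ /^\s*\S{3}, \d+ \S{0,2}[\x80-\xFF]\S{0,2} 20\d\d \d\d:\d\d:\d\d/i
header __SUSPICIOUS_DATE_8bit_wday Date =~ /^\s*\S{0,2}[\x80-\xFF]\S{0,2}, \d+ \S{3} 20\d\d \d\d:\d\d:\d\d/i
meta SUSPICIOUS_DATE_8bit __SUSPICI‌OUS_DATE_8bit_month || __SUSPICIOUS_DATE_8bit_wday
describe SUSPICIOUS_DATE_8bit Suspicious header Date
score SUSPICIOUS_DATE_8bit 3.5
header SUSPICIOUS_DATE_WITHOUT_WDAY Date =~ /^\s*,+ \d+ (\w\w\w|.{2,7}) 20\d\d -?\d\d:\d\d:\d\d [\-\+]\d\d\d0\s*$/
describe SUSPICIOUS_DATE_WITHOUT_WDAY Suspicious header Date
score SUSPICIOUS_DATE_WITHOUT_WDAY 3.5
########################################
# NOTE(review): the header line defines SUBJECT_IN_FROM (Subject|From combined, needs the
# patch referenced at the top of this file) but the describe/score that follow name
# FROM_DOMAIN_EMPTY, for which no header/meta line is present here; SUBJECT_IN_FROM would
# score with the default. Text appears to be missing between them.
header SUBJECT_IN_FROM Subject|From =~ /^(.*?)\s*[\r\n]*\|"?\1"?\s+$/
describe FROM_DOMAIN_EMPTY Suspicious empty domain in header From (DSPAM_autolearn)
score FROM_DOMAIN_EMPTY 2.0
########################################
# A real bounce is generated by an MTA with a null envelope sender; one carrying a
# Thunderbird X-Mailer or a non-null Return-Path/X-Envelope-From is fake.
header __BOUNCE_MESSAGE_MUA_Subject Subject =~ /^\s*Mail delivery failed: returning message to sender$/
meta BOUNCE_MESSAGE_MUA_X_Mailer __BOUNCE_MESSAGE_MUA_Subject && __X_Mailer_Thunderbird
describe BOUNCE_MESSAGE_MUA_X_Mailer Fake bounce message (DSPAM_autolearn)
score BOUNCE_MESSAGE_MUA_X_Mailer 4.0
meta BOUNCE_MESSAGE_MUA_Sender __BOUNCE_MESSAGE_MUA_Subject && (__X_Envelope_From_NOT_Null || __Return_Path_NOT_Null)
describe BOUNCE_MESSAGE_MUA_Sender Fake bounce message (DSPAM_autolearn)
score BOUNCE_MESSAGE_MUA_Sender 4.0
########################################
header FROM_DOUBLE_HEADER_NAME From =~ /^\s*From: /
describe FROM_DOUBLE_HEADER_NAME There is header name in header value
score FROM_DOUBLE_HEADER_NAME 3.0
########################################
# text/* Content-Type with no charset parameter, excluding known senders that omit it.
header __CT_TEXT_WITHOUT_CHARSET Content-Type =~ /^\s*text\/(plain|html)$/
header __CT_TEXT_PLAIN_WITHOUT_CHARSET Content-Type =~ /^\s*text\/plain$/
meta CT_TEXT_WITHOUT_CHARSET __CT_TEXT_WITHOUT_CHARSET && !IX_NET_UA_TECH && !IX_NET_UA_TECH_STAFF && !(__Yandex_HTTP && __CUST_Content_Transfer_Encoding_7bit) && !(__UKR_NET_auto_generated || __UKR_NET_auto_replied)
describe CT_TEXT_WITHOUT_CHARSET text Content-Type without charset
score CT_TEXT_WITHOUT_CHARSET 3.5
header CT_STUPID_CHARSET_KOI8_R Content-Type =~ /^\s*text\/plain;[\s\r\n]*charset="\{KOI8-R\}"$/
describe CT_STUPID_CHARSET_KOI8_R Stupid charset {KOI8-R} there is in header Content-Type
score CT_STUPID_CHARSET_KOI8_R 4.0
########################################
# RFC 2047 encoded-word with an empty charset ("=??B?...?=").
header HEADER_FROM_ENCODED_WO_CHARSET From =~ /^\s*=\?\?B\?.+\?=/
# Fixed description wording ("withown" -> "without").
describe HEADER_FROM_ENCODED_WO_CHARSET Header From encoded without charset definition
score HEADER_FROM_ENCODED_WO_CHARSET 2.0
header HEADER_REPLYTO_ENCODED_WO_CHARSET Reply-To =~ /^\s*=\?\?B\?.+\?=/
# Fixed description: this rule tests Reply-To, not From.
describe HEADER_REPLYTO_ENCODED_WO_CHARSET Header Reply-To encoded without charset definition
score HEADER_REPLYTO_ENCODED_WO_CHARSET 2.0
########################################
header CTE_noEncode Content-Transfer-Encoding =~ /^\s*noEncode$/
describe CTE_noEncode Suspicious Content-Transfer-Encoding
score CTE_noEncode 3.0
# X-Mailer values consisting of a single token.
#header __X_MAILER_ONE_WORD X-Mailer =~ /^\s*\S+$/
header __X_MAILER_ONE_WORD X-Mailer =~ /^\s*[\S\.]+$/
meta X_MAILER_ONE_WORD __X_MAILER_ONE_WORD && !X_MAILER_ONE_WORD_SUSP && !PHARMA_NET_UA && !__X_Mailer_YahooMailWebService && !__X_Mailer_Redmine && !__X_Mailer_Online_ua
describe X_MAILER_ONE_WORD Only one word where is in header X-Mailer
score X_MAILER_ONE_WORD 1.5
header X_MAILER_ONE_WORD_SUSP X-Mailer =~ /^\s*[a-z]+[\.\-]\d+$/
describe X_MAILER_ONE_WORD_SUSP Suspicious one word X-Mailer
score X_MAILER_ONE_WORD_SUSP 2.5
header X_MAILER_mailer X-mailer =~ /^\s*mailer$/
describe X_MAILER_mailer Suspicious X-Mailer
score X_MAILER_mailer 2.0
meta X_MAILER_MIME_Lite __CUST_X_Mailer_MIME_Lite
describe X_MAILER_MIME_Lite X-Mailer MIME::Lite
score X_MAILER_MIME_Lite 0.8
header X_MAILER_DOUBLE_FNAME X-Mailer =~ /^\s*X-Mailer:\s+\S/
describe X_MAILER_DOUBLE_FNAME X-Mailer value begins with X-Mailer field name
score X_MAILER_DOUBLE_FNAME 3.0
header EMAIL_ADDR_IN_X_MAILER X-Mailer =~ /^\s*\S+\@\S+(\.\S+)+$/
describe EMAIL_ADDR_IN_X_MAILER There is an e-mail address in header X-Mailer
score EMAIL_ADDR_IN_X_MAILER 2.0
########################################
# List-Unsubscribe consistency checks.
meta List_Unsubscribe_WITHOUT_List_Id __HAS_LIST_UNSUBSCRIBE && !__HAS_LIST_ID && !__MAILCHIMP && !__USNDR_COM
describe List_Unsubscribe_WITHOUT_List_Id Message with header List-Unsubscribe and without header List-Id
score List_Unsubscribe_WITHOUT_List_Id 1.0
# NOTE(review): both patterns below are identical as printed (/^\s*$/ — an empty or
# whitespace-only value); the original angle-bracketed patterns appear to have been lost.
header __SUSPICIOUS_List_Unsubscribe1 List-Unsubscribe =~ /^\s*$/
header __SUSPICIOUS_List_Unsubscribe2 List-Unsubscribe =~ /^\s*$/
meta SUSPICIOUS_List_Unsubscribe (__SUSPICIOUS_List_Unsubscribe1 || __SUSPICIOUS_List_Unsubscribe2) && !__HAS_LIST_ID
describe SUSPICIOUS_List_Unsubscribe List-Unsubscribe without List-Id
score SUSPICIOUS_List_Unsubscribe 2.0
meta List_Unsubscribe_WITHOUT_sender_address __HAS_LIST_UNSUBSCRIBE && (__DSN_X_Envelope_From || __DSN_Return_path || (!__HAS_X_Envelope_From && !__HAS_Return_Path))
# Fixed description: the meta tests X-Envelope-From (not X-Envelope-To).
describe List_Unsubscribe_WITHOUT_sender_address Message with header List-Unsubscribe and without sender address in Return-path/X-Envelope-From
score List_Unsubscribe_WITHOUT_sender_address 4.0
########################################
#header FROM_MARKERS From =~ /^\s*([\-\~=])([\-\~=])?([\-\~=])?([\-\~=])?([\-\~=])?.+\5\4\3\2\1[\s\r\n]*$/
# Placeholder real names / addresses ("." and "..") and doubled angle brackets in To and Cc.
# NOTE(review): HEADER_TO_SUSP_POINT has describe/score but no header line here (compare
# HEADER_CC_SUSP_POINT below); the line appears to be missing.
describe HEADER_TO_SUSP_POINT Suspicious header To
score HEADER_TO_SUSP_POINT 3.0
header HEADER_TO_SUSP_POINTS To =~ /^\s*"\.\." <\.\.>$/
describe HEADER_TO_SUSP_POINTS Suspicious header To
score HEADER_TO_SUSP_POINTS 3.0
header HEADER_TO_DOUBLE_BRACKETS To =~ /<<\S+\@\S+>>/
describe HEADER_TO_DOUBLE_BRACKETS Strange doubled brackets in header To, already_read
score HEADER_TO_DOUBLE_BRACKETS 3.0
header HEADER_TO_DOUBLE_BRACKET_LEFT To =~ /<<[^\@]+\@[^>]+>(\s*,.+)?$/
#header HEADER_TO_DOUBLE_BRACKET_LEFT To =~ /<<[^\@]+\@/
describe HEADER_TO_DOUBLE_BRACKET_LEFT Strange doubled bracket in header To
score HEADER_TO_DOUBLE_BRACKET_LEFT 3.0
# Rule name keeps the original "RIGTH" spelling so references from other files stay valid.
header HEADER_TO_DOUBLE_BRACKET_RIGTH To =~ /^(.*[^<])?<[^\@]+\@[^>]+>>(\s*,.+)?$/
describe HEADER_TO_DOUBLE_BRACKET_RIGTH Strange doubled bracket in header To
score HEADER_TO_DOUBLE_BRACKET_RIGTH 3.0
# Fixed descriptions of the Cc rules below: they test Cc, but said "header To".
header HEADER_CC_SUSP_POINT Cc =~ /^\s*"\." <\.>$/
describe HEADER_CC_SUSP_POINT Suspicious header Cc
score HEADER_CC_SUSP_POINT 3.0
header HEADER_CC_SUSP_POINTS Cc =~ /^\s*"\.\." <\.\.>$/
describe HEADER_CC_SUSP_POINTS Suspicious header Cc
score HEADER_CC_SUSP_POINTS 3.0
header HEADER_CC_DOUBLE_BRACKETS Cc =~ /<<\S+\@\S+>>/
describe HEADER_CC_DOUBLE_BRACKETS Strange doubled brackets in header Cc, already_read
score HEADER_CC_DOUBLE_BRACKETS 3.0
header HEADER_CC_DOUBLE_BRACKET_LEFT Cc =~ /<<[^\@]+\@[^>]+>(\s*,.+)?$/
describe HEADER_CC_DOUBLE_BRACKET_LEFT Strange doubled bracket in header Cc
score HEADER_CC_DOUBLE_BRACKET_LEFT 3.0
header HEADER_CC_DOUBLE_BRACKET_RIGTH Cc =~ /^(.*[^<])?<[^\@]+\@[^>]+>>(\s*,.+)?$/
describe HEADER_CC_DOUBLE_BRACKET_RIGTH Strange doubled bracket in header Cc
score HEADER_CC_DOUBLE_BRACKET_RIGTH 3.0
# Machine-generated local parts (letters and digits interleaved), excluding known forwarders.
header __FROM_DIGITS_MIXED_WITH_LETTERS From =~ /((\d[a-z]+\d+[a-z])|([a-z]{2,}\d{2,}[a-z]{2,})|([a-z]\d+[a-z]+\d)|([a-z]_\d+_[a-z])|([a-z]\d{3,}[a-z]))\@/i
header __FROM_MAIL_RU_FORWARD_SERVICE From =~ /Mail\.Ru Forward Service/
meta FROM_DIGITS_MIXED_WITH_LETTERS __FROM_DIGITS_MIXED_WITH_LETTERS && !__SUBSCRIBERU_FROM && !__FROM_MAIL_RU_FORWARD_SERVICE
describe FROM_DIGITS_MIXED_WITH_LETTERS Header FROM: digits mixed with letters
score FROM_DIGITS_MIXED_WITH_LETTERS 1.5
header HEADER_DATE_TIMEZONE_0000 Date =~ / ,0000$/
describe HEADER_DATE_TIMEZONE_0000 Invalid timezone
score HEADER_DATE_TIMEZONE_0000 2.0
header RECEIVED_IN_ADR_ARPA Received =~ /helo=\d+\.\d+\.\d+\.\d+\.in-addr\.arpa/
describe RECEIVED_IN_ADR_ARPA Suspicious helo in header Received
score RECEIVED_IN_ADR_ARPA 2.0
header REPLY_TO_SLASH Reply-to =~ /^\s*[^<\@]+\@\S+\\$/
describe REPLY_TO_SLASH Suspicious slash at the end of header Reply-to
score REPLY_TO_SLASH 2.0
#
# X-Mail-From: 50684-6786-OCUCWWY-ADY9S-K5LB0-N5Z46SS-YAISPU-F-G8-89283399-5b18666e4s6f222@ns.ru
# X-Mail-From: 28359-6116-VQAQQAF-DXN4I-C3SL8-J7H42DP-HSLUIU-T-M6-08429249-6s69870y1x5a577@holidayinnflinders.com.au
# X-Mail-From: 17939-9960-COFXNPB-FJX7F-Q3OP0-J8L91SJ-XDQOYM-L-L8-58520287-2e43376u9f6d417@qw.ru
# X-Mail-From: 00633-6854-FQXRIAX-JQP1R-V5WF9-L4J99VD-KABCXE-R-F9-76848897-3f46672t1s1t848@su.ru
# X-Mail-From: 98333-9722-XGWWJBS-XOG2Z-I7GA7-W8H73CB-WFNWUS-W-S5-15158370-1l43180z5t6u062@ozemail.com.au
# X-Mail-From: 96993-3710-BBSLHNT-MVM7F-E9GA1-J3I29NL-AHGWUQ-E-C1-72467885-3n76678q9o2c237@ozemail.com.au
# X-Mail-From: 27661-1580-UTDMCLG-DIZ8X-G6BD2-R6O80GV-HVROEJ-P-M0-53961751-9i67460l5q8o114@asporno.ru
# X-Mail-From: 35897-8473-DKAJNRO-XLA0A-X0XI7-J1V39VL-BMSQEU-R-Q4-22889282-0l55175x4k9k984@lvp.net
# X-Mail-From: 69357-5507-UCZEFTR-BVI2V-M5GS7-S0N27LR-JAWIOH-C-B0-85208255-6l10787m5a5h080@nirvana-plus.ru
# X-Mail-From: 52008-0737-DTZEOEC-EFX1D-W1OY8-T6K43FU-QAYMTJ-C-N0-12185093-9f34677c5a0n822@executivesearch.ru
# X-Mail-From: 40634-2832-XNCSIWF-FRP6X-E8QG5-X0S07YY-IUQTIX-Z-M6-89179524-0t50855g3z1n627@obf.info
# X-Mail-From: 53163-8628-RMRVFRY-GSW2U-V7ID0-L8W88CB-EHAGTV-D-U7-86067999-1b18792h3w0b796@energo-expo72.ru
# X-Mail-From: 77369-1901-JCQQMUI-FDV6U-N1YR5-T8C69KB-DEQDRK-K-K5-31943783-8e97713l7r9p311@to.net
# X-Mail-From: 67880-1496-HPJGQFW-UOK2P-L5UJ0-B7X89MF-OKRYLC-O-I0-29072179-9u64705k4k4d851@econavt-shop.ru
#
# Fixed-width token layout of the samples above: 5-4-7-5-5-7-6-1-2-8-15 groups.
header SUSPICIOUS_X_MAIL_FROM X-Mail-From =~ /^(<\S+\@\S+>[\s\r\n]*)*\s*\d{5}-\d{4}-[A-Z\d]{7}-[A-Z\d]{5}-[A-Z\d]{5}-[A-Z\d]{7}-[A-Z\d]{6}-[A-Z\d]-[A-Z\d]{2}-\d{8}-[a-z\d]{15}\@\S+$/
describe SUSPICIOUS_X_MAIL_FROM Suspicious header X-Mail-From, may be spamware
score SUSPICIOUS_X_MAIL_FROM 2.0
#
# Message-Id: <69086-8165-XSJZWYN-PUD7I-Z1ZX1-Q3V25XP-MOZJED-W-K7-11286091-1a28389w1d7c039@ns.ru>
# Message-Id: <30054-9500-DETFJGI-GXR6N-O9OI8-K3T14RL-RGSRMD-P-P9-10764440-7u86044o5y1y801@holidayinnflinders.com.au>
# Message-Id: <89369-0241-AETABKI-NIU1D-C8MY5-M8Z28VY-OHMDQS-E-R5-24559745-1y22033v9r0y510@qw.ru>
# Message-Id: <34827-3285-NJSDHXY-FYK9D-I1IM4-D8G71CL-DRFOYN-H-E9-70775634-8h63200j5j4h526@su.ru>
# Message-Id: <15168-9837-OYHQFGR-IGU7C-L4WO3-X0U16IU-WXGHKW-Z-V4-79634968-1l43998z7t1o416@ozemail.com.au>
# Message-Id: <24516-6707-MXAIUBO-IBN4M-Z8IM8-N7J41YB-WEUJSZ-F-A1-39513359-7i68459k8u8y002@ozemail.com.au>
# Message-Id: <92503-9793-RZOABIJ-HDA8P-H2YB6-N4Y06NH-ETVKEY-N-Y0-80663779-5y91456q2g8z498@asporno.ru>
# Message-Id: <80047-5398-ZPBFMXU-JTG4D-L0DP1-K1N78HL-RNXJQF-J-Y0-89186697-4s32479w0r0k001@lvp.net>
# Message-Id: <83370-1743-JWRRTJM-JPM2M-U9UI0-T6I64OT-WGGGZF-A-X9-32521506-8v76496x7i9r369@nirvana-plus.ru>
# Message-Id: <47862-4057-AOUSLEK-THM0C-U2SP1-B9P95PP-HVBNPQ-P-A4-87719494-8y82808c7v9p046@executivesearch.ru>
# Message-Id: <79438-5088-POFLOVY-AUS2E-P9XJ0-X4U83ZH-GKKCQD-R-Z5-58715692-7n55537j9m2h830@obf.info>
# Message-Id: <99137-6167-XZEGOGL-ERN9R-B2LW0-E2B51VJ-QTQLAN-T-W0-79274628-3t62315z9h0y061@energo-expo72.ru>
# Message-Id: <47913-5599-XPMCHFT-PFX1A-B5ZT5-Y0H91OV-HROFDL-H-N6-59528973-4x86997q9q5x105@to.net>
#
#
header SPAMWARE_MSGID_LONG Message-Id =~ /^\s*<\d{5}-\d{4}-[A-Z\d]{7}-[A-Z\d]{5}-[A-Z\d]{5}-[A-Z\d]{7}-[A-Z\d]{6}-[A-Z\d]-[A-Z\d]{2}-\d{8}-[a-z\d]{15}\@\S+>$/
describe SPAMWARE_MSGID_LONG Suspicious header Message-Id, may be spamware
score SPAMWARE_MSGID_LONG 2.0
# Static sender-domain list; maintained by hand.
header FROM_DOMAIN_SUSPICIOUS_SPF From =~ /(\@programma-seminaroff\.ru|\@gogomail\.ru|\@edubank\.ru|\@secondmail\.ru|\@udumail\.ru|\@lowerconnect\.com|\@edupost\.ru|\@optimcons\.ru|\@teamseminar\.ru|\@seminarya\.ru|\@abapost\.ru|\@agalist\.ru|\@bingogo\.ru|\@coopmail\.ru|\@ctcuser\.ru|\@emptypost\.ru|\@fastclient\.ru|\@mail495\.ru|\@master-education\.ru|\@msgidmail\.ru|\@mskeducation\.ru|\@mtt-master\.ru|\@school-sale\.ru|\@seminar-for-you\.ru|\@seminarok\.ru|\@uprmail\.ru|\@vaiomay\.ru|\@vedinformer\.ru|\@worldedumail\.ru|\@worldwidglobal\.ru|\@wsewomail\.ru)/
describe FROM_DOMAIN_SUSPICIOUS_SPF Domain from header From with suspicious SPF record (DSPAM_autolearn), already_read
score FROM_DOMAIN_SUSPICIOUS_SPF 5.0
# NOTE(review): FROM_SUSPICIOUS_GUIDES has no describe/score (it would score with the
# default) and the pattern ends with a bare " \s+$" — text appears to be missing.
header FROM_SUSPICIOUS_GUIDES From =~ /^\s*("\^.+?\^"|"<.+?>"|= .+? =) \s+$/
##header FROM_SUSP_SPACE_END From =~ />[ \t]+$/
#header FROM_SUSP_SPACE_END ALL =~ /^From:.+>[ \t]+$/mi
#describe FROM_SUSP_SPACE_END Suspicious space at the end of header From
#score FROM_SUSP_SPACE_END 2.0
header SUSPICIOUS_FROM_DOUBLE_DOT From =~ /^\s*"\. \." <\S+>$/
describe SUSPICIOUS_FROM_DOUBLE_DOT Suspicious real name in header From
score SUSPICIOUS_FROM_DOUBLE_DOT 2.0
# Freemail local parts ending in 3/4/5 digits (FreeMail plugin); the metas make the
# three lengths mutually exclusive so a 5-digit ending scores once, not three times.
header __FREEMAIL_ENVFROM_END_DIGITS3 eval:check_freemail_header('EnvelopeFrom', '\d\d\d@')
meta FREEMAIL_ENVFROM_END_DIGITS3 (__FREEMAIL_ENVFROM_END_DIGITS3 && !__FREEMAIL_ENVFROM_END_DIGITS4 && !__FREEMAIL_ENVFROM_END_DIGITS5) && (!__FREEMAIL_REPLYTO_END_DIGITS3 && !__FREEMAIL_REPLYTO_END_DIGITS4 && !__FREEMAIL_REPLYTO_END_DIGITS5)
describe FREEMAIL_ENVFROM_END_DIGITS3 Envelope-from freemail username ends in digits
score FREEMAIL_ENVFROM_END_DIGITS3 1.0
header __FREEMAIL_REPLYTO_END_DIGITS3 eval:check_freemail_header('Reply-To', '\d\d\d@')
meta FREEMAIL_REPLYTO_END_DIGITS3 (__FREEMAIL_REPLYTO_END_DIGITS3 && !__FREEMAIL_REPLYTO_END_DIGITS4 && !__FREEMAIL_REPLYTO_END_DIGITS5) && (!__FREEMAIL_ENVFROM_END_DIGITS3 && !__FREEMAIL_ENVFROM_END_DIGITS4 && !__FREEMAIL_ENVFROM_END_DIGITS5)
describe FREEMAIL_REPLYTO_END_DIGITS3 Reply-To freemail username ends in digits
score FREEMAIL_REPLYTO_END_DIGITS3 1.0
meta FREEMAIL_ENVFROM_REPLYTO_END_DIGITS3 (__FREEMAIL_ENVFROM_END_DIGITS3 && !__FREEMAIL_ENVFROM_END_DIGITS4 && !__FREEMAIL_ENVFROM_END_DIGITS5) && (__FREEMAIL_REPLYTO_END_DIGITS3 && !__FREEMAIL_REPLYTO_END_DIGITS4 && !__FREEMAIL_REPLYTO_END_DIGITS5)
describe FREEMAIL_ENVFROM_REPLYTO_END_DIGITS3 Envelope-from and Reply-To freemail username end in digits
score FREEMAIL_ENVFROM_REPLYTO_END_DIGITS3 1.5
header __FREEMAIL_ENVFROM_END_DIGITS4 eval:check_freemail_header('EnvelopeFrom', '\d\d\d\d@')
meta FREEMAIL_ENVFROM_END_DIGITS4 (__FREEMAIL_ENVFROM_END_DIGITS4 && !__FREEMAIL_ENVFROM_END_DIGITS5) && (!__FREEMAIL_REPLYTO_END_DIGITS4 && !__FREEMAIL_REPLYTO_END_DIGITS5)
describe FREEMAIL_ENVFROM_END_DIGITS4 Envelope-from freemail username ends in digits
score FREEMAIL_ENVFROM_END_DIGITS4 1.5
header __FREEMAIL_REPLYTO_END_DIGITS4 eval:check_freemail_header('Reply-To', '\d\d\d\d@')
meta FREEMAIL_REPLYTO_END_DIGITS4 (__FREEMAIL_REPLYTO_END_DIGITS4 && !__FREEMAIL_REPLYTO_END_DIGITS5) && (!__FREEMAIL_ENVFROM_END_DIGITS4 && !__FREEMAIL_ENVFROM_END_DIGITS5)
describe FREEMAIL_REPLYTO_END_DIGITS4 Reply-To freemail username ends in digits
score FREEMAIL_REPLYTO_END_DIGITS4 1.5
meta FREEMAIL_ENVFROM_REPLYTO_END_DIGITS4 (__FREEMAIL_ENVFROM_END_DIGITS4 && !__FREEMAIL_ENVFROM_END_DIGITS5) && (__FREEMAIL_REPLYTO_END_DIGITS4 && !__FREEMAIL_REPLYTO_END_DIGITS5)
describe FREEMAIL_ENVFROM_REPLYTO_END_DIGITS4 Envelope-from and Reply-To freemail username end in digits
score FREEMAIL_ENVFROM_REPLYTO_END_DIGITS4 2.0
header __FREEMAIL_ENVFROM_END_DIGITS5 eval:check_freemail_header('EnvelopeFrom', '\d\d\d\d\d@')
meta FREEMAIL_ENVFROM_END_DIGITS5 __FREEMAIL_ENVFROM_END_DIGITS5 && !__FREEMAIL_REPLYTO_END_DIGITS5
describe FREEMAIL_ENVFROM_END_DIGITS5 Envelope-from freemail username ends in digits
score FREEMAIL_ENVFROM_END_DIGITS5 2.5
header __FREEMAIL_REPLYTO_END_DIGITS5 eval:check_freemail_header('Reply-To', '\d\d\d\d\d@')
meta FREEMAIL_REPLYTO_END_DIGITS5 __FREEMAIL_REPLYTO_END_DIGITS5 && !__FREEMAIL_ENVFROM_END_DIGITS5
describe FREEMAIL_REPLYTO_END_DIGITS5 Reply-To freemail username ends in digits
score FREEMAIL_REPLYTO_END_DIGITS5 2.5
meta FREEMAIL_ENVFROM_REPLYTO_END_DIGITS5 __FREEMAIL_REPLYTO_END_DIGITS5 && __FREEMAIL_ENVFROM_END_DIGITS5
describe FREEMAIL_ENVFROM_REPLYTO_END_DIGITS5 Envelope-from and Reply-To freemail username end in digits
score FREEMAIL_ENVFROM_REPLYTO_END_DIGITS5 3.0
# "MessageID" (no hyphen) is not the standard header name.
header SUSP_HEADER_MessageID MessageID =~ /^\s*<\S+\@\S+>$/
describe SUSP_HEADER_MessageID Suspicious header name MessageID
score SUSP_HEADER_MessageID 5.0
meta ORG_EXISTS_BUT_EMPTY __HAS_ORGANIZATION && __CUST_ORG_EMPTY
describe ORG_EXISTS_BUT_EMPTY Header Organization exists but empty
score ORG_EXISTS_BUT_EMPTY 2.0
meta __MIME_Version_without_CT_CTE __MIME_VERSION && !__CT && !__CTE
meta MIME_Version_without_CT_CTE __MIME_Version_without_CT_CTE && !__BODY_MULTIPART
describe MIME_Version_without_CT_CTE Header MIME-Version without headers Content-Type and Content-Transfer-Encoding
score MIME_Version_without_CT_CTE 3.0
header TO_WITHOUT_SPACES_AND_BRACKETS To =~ /^\s*[^<\@\s]+\@[^\@>\s]+,([^<\@\s]+\@[^\@>\s]+)+$/
describe TO_WITHOUT_SPACES_AND_BRACKETS Header To with some addresses without spaces and angle brackets
score TO_WITHOUT_SPACES_AND_BRACKETS 0.1
# Header ordering: Content-Type/Content-Transfer-Encoding appearing before From/To.
# NOTE(review): with (?s) in effect "." also matches newlines, so "^(.*\r?\n)?" and
# "(.+\r?\n)*" can rescan the whole header block with heavy backtracking on messages with
# very large headers (compare the disabled SUSPICIOUS_TO_REALNAME rule earlier in this file).
header __CT_OR_CTE_BEFORE_TO_OR_FROM ALL =~ /(?is)^(.*\r?\n)?(Content-Type|Content-Transfer-Encoding):.+?\r?\n(.+\r?\n)*(From|To):/
meta CT_OR_CTE_BEFORE_TO_OR_FROM __CT_OR_CTE_BEFORE_TO_OR_FROM && !I_COM_UA && !__iPhone && !__iPad && !IMENA_UA && !IX_NET_UA_TECH && !IX_NET_UA_MANAGERS && !IX_NET_UA_TECH_STAFF && !__X_MimeOLE_Microsoft_Exchange_65 && !__User_Agent_Heirloom_mailx && !__X_Mailer_MIME_tools && !__USER_AGENT_Roundcube && !__KUPONATOR_FROM && !__UKRNET_HTTP && !(__UKR_NET_auto_generated || __UKR_NET_auto_replied) && !__MAILMAN && !__USNDR_COM
describe CT_OR_CTE_BEFORE_TO_OR_FROM Header Content-Type or Content-Transfer-Encoding is before header To or From
score CT_OR_CTE_BEFORE_TO_OR_FROM 1.0
header STRANGE_PREFIX_HEADER_TO To =~ /^\s*To: <\S+>$/
describe STRANGE_PREFIX_HEADER_TO There is strange substring "To:" in header To
score STRANGE_PREFIX_HEADER_TO 3.0
header STRANGE_PREFIX_HEADER_TO_DOUBLED To =~ /^.+\r?\n\s*To: <\S+>$/
describe STRANGE_PREFIX_HEADER_TO_DOUBLED There is strange substring "To:" in header To
score STRANGE_PREFIX_HEADER_TO_DOUBLED 5.0
# Content-Transfer-Encoding: base64 text/plain; charset=utf-8
# Content-Type parameters leaking into Content-Transfer-Encoding.
header CTE_text_plain Content-Transfer-Encoding =~ /text\/(plain|html)/
describe CTE_text_plain Content type parameter found in header Content-Transfer-Encoding
score CTE_text_plain 5.0
header CTE_charset Content-Transfer-Encoding =~ /charset=/
describe CTE_charset Charset found in header Content-Transfer-Encoding
score CTE_charset 5.0
#
# Content-Type: multipart/alternative;
#
# boundary="----=_NextPart_000_1390_01CF572A.0A764600"
#
# A folded Content-Type whose continuation line holds a single space (checked on raw headers).
header Content_Type_Strange_Space_Row ALL:raw =~ /Content-Type:[^\r\n]+\r?\n \r?\n\t\S/mi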
describe Content_Type_Strange_Space_Row Strange row with one space in header Content-Type score Content_Type_Strange_Space_Row 3.0 # # Subject: =?windows-1251?B?x+Ds8/fo6yD18ODvPyDK6+jv8eAgq8Dt8uj1?= # # =?windows-1251?B?8ODvuyDv7uzu5uXyIOfg4fvy/CDuIO3l7CDw?= # # =?windows-1251?B?4Ocg6CDt4OLx5ePk4CE=?= # header Subject_Strange_Space_Row ALL:raw =~ /Subject:[^\r\n]+\r?\n \r?\n\t\S/mi describe Subject_Strange_Space_Row Strange row with one space in header Subject score Subject_Strange_Space_Row 3.0 ###{ FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) # #ifplugin Mail::SpamAssassin::Plugin::FreeMail # ifplugin Mail::SpamAssassin::Plugin::HeaderEval # if (version >= 3.004000) # meta FREEMAIL_FORGED_FROMDOMAIN FREEMAIL_FROM && HEADER_FROM_DIFFERENT_DOMAINS # describe FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different ## score FREEMAIL_FORGED_FROMDOMAIN 0.25 # tflags FREEMAIL_FORGED_FROMDOMAIN publish #endif #endif #endif ###} FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) #score FREEMAIL_FORGED_FROMDOMAIN 0.001 0.001 0.001 0.001 meta FREEMAIL_FORGED_FROMDOMAIN_TRUST FREEMAIL_FORGED_FROMDOMAIN && (__HAS_X_Yandex_Forward || __LINKEDIN_COM || __WORK_UA || __RABOTA_UA || __PROM_UA || __CMAIL_COM_OTHER_FROM || __GOOGLE_DOCS_Return_path || __GOOGLE_DOCS_X_Envelope_From || __GOOGLE_CALENDAR_Return_path || __GOOGLE_CALENDAR_X_Envelope_From) describe FREEMAIL_FORGED_FROMDOMAIN_TRUST 2nd level domains in From and EnvelopeFrom freemail headers are different in mail forwarding, mail notification or from mailing service score FREEMAIL_FORGED_FROMDOMAIN_TRUST 0.01 meta FREEMAIL_FORGED_FROMDOMAIN_MAILSERVICE_NOT_TRUST FREEMAIL_FORGED_FROMDOMAIN && (__MAILCHIMP || __MANDRILLAPP_COM || __MAILGEESE_COM || __SMARTRESPONDER_RU || __JUSTCLICK_RU || 
__MLSENDRU_COM || __USNDR_COM || __ESPUTNIK_COM_UA) describe FREEMAIL_FORGED_FROMDOMAIN_MAILSERVICE_NOT_TRUST 2nd level domains in From and EnvelopeFrom freemail headers are different from mailing service score FREEMAIL_FORGED_FROMDOMAIN_MAILSERVICE_NOT_TRUST 0.5 meta FREEMAIL_FORGED_FROMDOMAIN_MAILLIST FREEMAIL_FORGED_FROMDOMAIN && __HAS_LIST_ID describe FREEMAIL_FORGED_FROMDOMAIN_MAILLIST 2nd level domains in From and EnvelopeFrom freemail headers are different in message from maillist score FREEMAIL_FORGED_FROMDOMAIN_MAILLIST -0.01 meta FREEMAIL_FORGED_FROMDOMAIN_PHP FREEMAIL_FORGED_FROMDOMAIN && (__HAS_X_PHP_Originating_Script || __HAS_X_PHP_Script || __HAS_X_Source_Dir) describe FREEMAIL_FORGED_FROMDOMAIN_PHP 2nd level domains in From and EnvelopeFrom freemail headers are different in message sent by PHP score FREEMAIL_FORGED_FROMDOMAIN_PHP 1.7 meta FREEMAIL_FORGED_FROMDOMAIN_NOT_MAILLIST FREEMAIL_FORGED_FROMDOMAIN && !FREEMAIL_FORGED_FROMDOMAIN_TRUST && !FREEMAIL_FORGED_FROMDOMAIN_MAILSERVICE_NOT_TRUST && !FREEMAIL_FORGED_FROMDOMAIN_MAILLIST && !FREEMAIL_FORGED_FROMDOMAIN_PHP describe FREEMAIL_FORGED_FROMDOMAIN_NOT_MAILLIST 2nd level domains in From and EnvelopeFrom freemail headers are different score FREEMAIL_FORGED_FROMDOMAIN_NOT_MAILLIST 2.0 # From: "kurort-mishor.ru" header FROM_WITHOUT_AT From =~ /^\s*".+"\s+<[^\@]+>$/ describe FROM_WITHOUT_AT Header From without @ score FROM_WITHOUT_AT 3.0 meta X_Priority_EXISTS_BUT_EMPTY __HAS_X_Priority && __CUST_X_PRIORITY_EMPTY describe X_Priority_EXISTS_BUT_EMPTY Header X-Priority exists but empty score X_Priority_EXISTS_BUT_EMPTY 2.0 meta X_MSMail_Priority_EXISTS_BUT_EMPTY __HAS_X_MSMail_Priority && __CUST_X_MSMAIL_PRIORITY_EMPTY describe X_MSMail_Priority_EXISTS_BUT_EMPTY Header X-MSMail-Priority exists but empty score X_MSMail_Priority_EXISTS_BUT_EMPTY 2.0 header TO_DOUBLED_BRACKET_BEGIN To =~ /<<[^<>\@]+\@[^<>]+>>?(,[.\r\n]+)?$/ describe TO_DOUBLED_BRACKET_BEGIN Doubled bracket in header To score 
TO_DOUBLED_BRACKET_BEGIN 2.0 header TO_DOUBLED_BRACKET_END To =~ /<[^<>\@]+\@[^<>]+>>$/ describe TO_DOUBLED_BRACKET_END Doubled bracket in header To score TO_DOUBLED_BRACKET_END 2.0 header CC_DOUBLED_BRACKET_BEGIN Cc =~ /<<[^<>\@]+\@[^<>]+>>?(,[.\r\n]+)?$/ describe CC_DOUBLED_BRACKET_BEGIN Doubled bracket in header Cc score CC_DOUBLED_BRACKET_BEGIN 2.0 header CC_DOUBLED_BRACKET_END Cc =~ /<[^<>\@]+\@[^<>]+>>$/ describe CC_DOUBLED_BRACKET_END Doubled bracket in header Cc score CC_DOUBLED_BRACKET_END 2.0 meta FROM_MAIL_UA_ENV_FROM_GMAIL_COM (__GMAIL_COM_Return_Path || __GMAIL_COM_X_Envelope_From) && __MAIL_UA_From describe FROM_MAIL_UA_ENV_FROM_GMAIL_COM There is domain mail.ua in header From and domain gmail.com in MAIL From SMTP command score FROM_MAIL_UA_ENV_FROM_GMAIL_COM 3.0 meta FROM_GOOGLEMAIL_COM_ENV_FROM_YAHOO_COM (__YAHOO_COM_Return_Path || __YAHOO_COM_X_Envelope_From) && __GOOGLEMAIL_COM_From describe FROM_GOOGLEMAIL_COM_ENV_FROM_YAHOO_COM There is domain googlemail.com in header From and domain yahoo.com in MAIL From SMTP command score FROM_GOOGLEMAIL_COM_ENV_FROM_YAHOO_COM 3.0 # Return-path: # Message-ID: <20140903220618.0TNOXPOJWXXM@www.yahoo.com> # From: =?koi8-r?B?58XOwQ==?= meta FROM_GOOGLEMAIL_COM_MSGID_WWW_YAHOO_COM __GOOGLEMAIL_COM_From && __YAHOO_COM_WWW_MSGID describe FROM_GOOGLEMAIL_COM_MSGID_WWW_YAHOO_COM Suspicious combination of header From domain and Message-ID domain score FROM_GOOGLEMAIL_COM_MSGID_WWW_YAHOO_COM 3.0 # Return-path: # Message-ID: # From: =?windows-1251?B?zOXy7uTo6uAg5O717uTgIOTuIDMwMCQ=?= meta FROM_YAHOO_COM_MSGID_GOOGLE_RU __YAHOO_COM_From && __GOOGLE_RU_MSGID describe FROM_YAHOO_COM_MSGID_GOOGLE_RU Suspicious combination of header From domain and Message-ID domain score FROM_YAHOO_COM_MSGID_GOOGLE_RU 4.0 # Return-path: # Message-ID: <2545C51D0C6E4BF2BB776B946A465B18@mail.ru> # Reply-To: =?windows-1251?B?wbPn7eXxIOIgquLw7u+z?= # From: =?windows-1251?B?wbPn7eXxIOIgquLw7u+z?= meta FROM_NOKIAMAIL_COM_MSGID_MAIL_RU 
__NOKIAMAIL_COM_From && __MAIL_RU_MSGID describe FROM_NOKIAMAIL_COM_MSGID_MAIL_RU Suspicious combination of header From domain and Message-ID domain score FROM_NOKIAMAIL_COM_MSGID_MAIL_RU 3.0 # Return-path: # Reply-To: =?koi8-r?B?5c3FzNjRziDiwdLBzs/X?= # From: =?koi8-r?B?5c3FzNjRziDiwdLBzs/X?= # Message-Id: <78058-44888-TERBHC5-2NGIA-0O2WB-MB3C05M-9J2@gmail.com> meta FROM_YAHOO_COM_MSGID_GMAIL_COM __YAHOO_COM_From && __GMAIL_COM_MSGID describe FROM_YAHOO_COM_MSGID_GMAIL_COM Suspicious combination of header From domain and Message-ID domain score FROM_YAHOO_COM_MSGID_GMAIL_COM 3.0 # Return-path: # From: LADY ROSE BANDA # Reply-To: LADY ROSE BANDA # Message-ID: <1757001866.243166.1415024204386.JavaMail.yahoo@jws10091.mail.ne1.yahoo.com> meta FROM_OUTLOOK_COM_MSGID_YAHOO_COM __OUTLOOK_COM_From && __YAHOO_COM_MAIL_MSGID describe FROM_OUTLOOK_COM_MSGID_YAHOO_COM Suspicious combination of header From domain and Message-ID domain score FROM_OUTLOOK_COM_MSGID_YAHOO_COM 3.0 header __NOREPLY_SECURESERVER_NET_RETURN_PATH Return-Path =~ /^\s*$/ header __NOREPLY_SECURESERVER_NET_ENV_FROM X-Envelope-From =~ /^\s*$/ meta NOREPLY_SECURESERVER_NET_FREEMAIL_FROM (__NOREPLY_SECURESERVER_NET_RETURN_PATH || __NOREPLY_SECURESERVER_NET_ENV_FROM) && FREEMAIL_FROM describe NOREPLY_SECURESERVER_NET_FREEMAIL_FROM Message from noreply@secureserver.net with freemail address in header From (DSPAM_autolearn), already_read score NOREPLY_SECURESERVER_NET_FREEMAIL_FROM 5.0 meta NOREPLY_SECURESERVER_NET_FREEMAIL_REPLYTO (__NOREPLY_SECURESERVER_NET_RETURN_PATH || __NOREPLY_SECURESERVER_NET_ENV_FROM) && !FREEMAIL_FROM && __freemail_hdr_replyto describe NOREPLY_SECURESERVER_NET_FREEMAIL_REPLYTO Message from noreply@secureserver.net with freemail address in header Reply-To (DSPAM_autolearn), already_read score NOREPLY_SECURESERVER_NET_FREEMAIL_REPLYTO 5.0 header __FROM_UKR_RUS From =~ /\@\S+\.(ua|ru)>?\s*$/ meta NOREPLY_SECURESERVER_NET_FROM_URK_RUS (__NOREPLY_SECURESERVER_NET_RETURN_PATH || 
__NOREPLY_SECURESERVER_NET_ENV_FROM) && !NOREPLY_SECURESERVER_NET_FREEMAIL_FROM && !NOREPLY_SECURESERVER_NET_FREEMAIL_REPLYTO && __FROM_UKR_RUS describe NOREPLY_SECURESERVER_NET_FROM_URK_RUS Message from noreply@secureserver.net with UKR/RUS address in header From (DSPAM_autolearn), already_read score NOREPLY_SECURESERVER_NET_FROM_URK_RUS 5.0 meta NOREPLY_SECURESERVER_NET (__NOREPLY_SECURESERVER_NET_RETURN_PATH || __NOREPLY_SECURESERVER_NET_ENV_FROM) && !NOREPLY_SECURESERVER_NET_FREEMAIL_FROM && !NOREPLY_SECURESERVER_NET_FREEMAIL_REPLYTO && !NOREPLY_SECURESERVER_NET_URK_RUS describe NOREPLY_SECURESERVER_NET Message from noreply@secureserver.net score NOREPLY_SECURESERVER_NET 1.0 header FROM_EXCESS_SPACES From =~ /< [^\@]+\@[^>]+ >\s*$/ describe FROM_EXCESS_SPACES From: suspicious spaces score FROM_EXCESS_SPACES 2.0 header REPLYTO_EXCESS_SPACES Reply-To =~ /< [^\@]+\@[^>]+ >\s*$/ describe REPLYTO_EXCESS_SPACES Reply-To: suspicious spaces score REPLYTO_EXCESS_SPACES 2.0 header References_8bit References =~ /[\x80-\xff]/ describe References_8bit 8-bit character found in header References score References_8bit 4.5 header X_Matter_8bit X-Matter =~ /[\x80-\xff]/ describe X_Matter_8bit 8-bit character found in header X-Matter score X_Matter_8bit 0.5 meta References_X_Matter_8bit References_8bit && X_Matter_8bit describe References_X_Matter_8bit 8-bit characters found in header References and header X-Matter score References_X_Matter_8bit 4.0 meta CUST_content_transfer_encoding_qp __CUST_content_transfer_encoding_qp describe CUST_content_transfer_encoding_qp Suspicious case-sensitive name of header content-transfer-encoding score CUST_content_transfer_encoding_qp 0.5 meta CUST_Content_Type_html_cp1251_quoted __CUST_Content_Type_html_cp1251_quoted describe CUST_Content_Type_html_cp1251_quoted Suspicious charset in header Content-Type score CUST_Content_Type_html_cp1251_quoted 2.0 meta CUST_From_BASE64_cp1251 __CUST_From_BASE64_cp1251 describe CUST_From_BASE64_cp1251 
Suspicious charset in header From score CUST_From_BASE64_cp1251 0.5 meta CUST_Reply_To_BASE64_cp1251 __CUST_Reply_To_BASE64_cp1251 describe CUST_Reply_To_BASE64_cp1251 Suspicious charset in header Reply-To score CUST_Reply_To_BASE64_cp1251 0.5 meta CUST_Subject_BASE64_cp1251 __CUST_Subject_BASE64_cp1251 describe CUST_Subject_BASE64_cp1251 Suspicious charset in header Subject score CUST_Subject_BASE64_cp1251 0.5 # Message-ID: header EMPTY_MSGID_DOMAIN Message-ID =~ /^\s*<\S+\@ >$/ describe EMPTY_MSGID_DOMAIN Stupid domain in header Message-ID score EMPTY_MSGID_DOMAIN 5.0 ## Return-path: ## Return-path: #header __CAPITALS_Return_Path Return-path =~ /\@([a-z\d\-]+\.)*[A-Z]+\.[a-z]+>$/ #header __CAPITALS_X_Envelope_From X-Envelope-From =~ /\@([a-z\d\-]+\.)*[A-Z]+\.[a-z]+>$/ #meta SENDER_DOMAIN_CAPITALS __CAPITALS_Return_Path || __CAPITALS_X_Envelope_From #describe SENDER_DOMAIN_CAPITALS There are only capitals in Second level of sender domain #score SENDER_DOMAIN_CAPITALS 0.01 header __ID88NAT_NET_RECEIVED Received =~ /id88nat\.net/ meta ID88NAT_NET_FREEMAIL_DOMAINS __ID88NAT_NET_RECEIVED && (__UKR_NET_From || __MAIL_RU_From || __RAMBLER_RU_From) describe ID88NAT_NET_FREEMAIL_DOMAINS Message from id88nat.net hosts with ukr.net/mail.ru/rambler.ru sender domain score ID88NAT_NET_FREEMAIL_DOMAINS 5.0 # # Reply-To: =?windows-1251?B?zuvl4w==?= # header STRANGE_UTF8_MARKER ALL =~ /^(.*\n)*\xEF\xBB\xBF\S+:/ describe STRANGE_UTF8_MARKER There is strange UTF-8 bytes sequence in the beginning of header name score STRANGE_UTF8_MARKER 4.0