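# 2003-2015 Victor Ustugov
#
# Received-header heuristics: forged / malformed Received lines produced by
# spamware that imitates common MTAs (generic, Exim, Postfix, Sendmail) and
# HELO/relay claims that do not match the sender domain.
#
# Sub-rules prefixed with "__" score nothing on their own and only feed the
# meta rules below.  Several sub-rules referenced here (__MAIL_RU_*,
# __GMAIL_COM_*, __UKR_NET_*, GMAIL_COM, GMAIL_COM_WEB, POCHTARU, POCHTARU_SMTP)
# are defined in other rule files of this set.
#
# Fix in this revision: the FAKE_RECEIVED_smtp_yandex_ru meta at the bottom
# mixed "&&" and "||" without grouping; "&&" binds tighter, so the rule fired on
# any of __RECEIVED_smtp_yandex_ru_2.._9 regardless of the sender domain
# (false positives on genuine Yandex relays).  The "||" chain is now grouped.

# "}}" never appears in a well-formed Received line.
header RCVD_BRACES Received =~ /\}\}/
describe RCVD_BRACES Received: Strange braces
score RCVD_BRACES 7.0
tflags RCVD_BRACES mandatory_learn

# Raw 8-bit bytes in a trace header (should be 7-bit ASCII).
header RCVD_ILLEGAL_CHARS Received =~ /[\x80-\xff]/
describe RCVD_ILLEGAL_CHARS Received: has raw illegal character
score RCVD_ILLEGAL_CHARS 4.0

# Generic templates seen in forged Received lines.  "20\d\d" and the
# "[+-]\d\d\d0" zone format are part of the spamware fingerprint, not a
# general date check.
# NOTE(review): the leading "(.+\n)*" in these patterns can backtrack heavily
# on long multi-line headers; consider anchoring more tightly if CPU time on
# large headers becomes a problem.
header FORGED_GENERIC_RECEIVED Received =~ /^\s*(.+\n)*from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by (([\w\d-]+\.)+[a-zA-Z]{2,6}|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}); \w{3}, \d+ \w{3} 20\d\d \d\d\:\d\d\:\d\d [+-]\d\d\d0/
describe FORGED_GENERIC_RECEIVED Forged generic Received
score FORGED_GENERIC_RECEIVED 3.6

header FORGED_GENERIC_RECEIVED2 Received =~ /^\s*(.+\n)*from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by ([\w\d-]+\.)+[a-z]{2,6} id [\w\d]{12}; \w{3}, \d+ \w{3} 20\d\d \d\d\:\d\d\:\d\d [+-]\d\d\d0/
describe FORGED_GENERIC_RECEIVED2 Forged generic Received
score FORGED_GENERIC_RECEIVED2 3.6

header FORGED_GENERIC_RECEIVED3 Received =~ /^\s*(.+\n)*by \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} with SMTP id [a-zA-Z]{14}\.\d{13};[\r\n\s]*\w{3}, \d+ \w{3} 20\d\d \d\d\:\d\d\:\d\d [+-]\d\d\d0 \(GMT\)/
describe FORGED_GENERIC_RECEIVED3 Forged generic Received
score FORGED_GENERIC_RECEIVED3 3.6

header FORGED_GENERIC_RECEIVED4 Received =~ /^\s*(.+\n)*from localhost by \S+;\s+\w{3}, \d+ \w{3} 20\d\d \d\d\:\d\d\:\d\d [+-]\d\d\d0[\s\r\n]*$/
describe FORGED_GENERIC_RECEIVED4 Forged generic Received
score FORGED_GENERIC_RECEIVED4 3.6

# Same bracketed IP appears as both the "from" of the first hop and the "from"
# of a later hop (backreference \1).
header FORGED_GENERIC_RECEIVED5 Received =~ /^\s*from \[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\].*\n(.+\n)*from \1 by \S+;\s+\w{3}, \d+ \w{3} 20\d\d \d\d\:\d\d\:\d\d [+-]\d\d\d0$/
describe FORGED_GENERIC_RECEIVED5 Forged generic Received
score FORGED_GENERIC_RECEIVED5 4.6

# Exim imitations.
# NOTE(review): as reproduced here, the header spec "To|Received", the regex
# starting with a bare "?" quantifier, and the "\1" with no capture group are
# not valid; the two INVALID_EXIM_RECEIVED rules look garbled in this copy and
# SpamAssassin will most likely reject them at load time.  Kept verbatim --
# compare against the original file before relying on them.
header INVALID_EXIM_RECEIVED To|Received =~ /?[\s\r\n]*\|.*from \d+\.\d+\.\d+\.\d+ \(HELO \S+\)[\s\r\n]*by \1 with esmtp \(\S*?[\?\@\(\)\s\.\+\*''\/\\,]\S*\)[\s\r\n]+id \S*?[\)\(<>\/\\,\-:=]/s
describe INVALID_EXIM_RECEIVED Invalid Exim Received (1) (DSPAM_autolearn)
score INVALID_EXIM_RECEIVED 5.0

header INVALID_EXIM_RECEIVED2 To|Received =~ /?[\s\r\n]*\|.*from \d+\.\d+\.\d+\.\d+ \(HELO \S+\)[\s\r\n]*by \1 with esmtp \([A-Z]{9,12} [A-Z]{5,6}\)[\s\r\n]+id [a-zA-Z\d]{6}-[a-zA-Z\d]{6}-[a-zA-Z\d]{2}[\s\r\n]+/s
describe INVALID_EXIM_RECEIVED2 Invalid Exim Received (2) (DSPAM_autolearn)
score INVALID_EXIM_RECEIVED2 3.0

# Authenticated-submission Exim line with no "from" clause at all.
header SUSPICIOUS_EXIM_RECEIVED Received =~ /^by \S+ with (esmtpa |esmtpsa \(TLS\d+\.\d+:\S+:\d+\)[\s\r\n]*)\(Exim 4\.\d\d(\.\d+)?\)[\s\r\n]*id [\w\d]{6}-[\w\d]{6}-[\w\d]{2}; [A-Z][a-z]{2}, \d\d [A-Z][a-z]{2} 2[01]\d\d \d\d:\d\d:\d\d [\-\+]\d\d\d\d$/ms
describe SUSPICIOUS_EXIM_RECEIVED Suspicious Exim Received (DSPAM_autolearn), already_read
score SUSPICIOUS_EXIM_RECEIVED 3.9
tflags SUSPICIOUS_EXIM_RECEIVED mandatory_learn

# Postfix imitation: "(Postfix) with ESMTP id ..." directly followed by the
# date, with no "from ... by ..." part.
header INVALID_POSTFIX_RECEIVED Received =~ / \(Postfix\) with ESMTP id [A-Z\d]+([\s\r\n]+for <\S+?>)?;[\s\r\n]*[A-Z][a-z]{2}, \d{1,2} [A-Z][a-z]{2} \d\d\d\d \d\d:\d\d:\d\d [\+\-]\d\d\d\d$/
describe INVALID_POSTFIX_RECEIVED Invalid Postfix Received (DSPAM_autolearn)
score INVALID_POSTFIX_RECEIVED 3.0

# Sendmail queue ids: __SENDMAIL_QUEUE_ID1 matches any 9+ char id after a
# "(8.x.y/8.x.y)" version banner; __SENDMAIL_QUEUE_ID2 matches the shape of a
# genuine Sendmail queue id.  A banner with an id of the wrong shape is forged.
header __SENDMAIL_QUEUE_ID1 Received =~ /\(8\.\d+\.\d+\/8\.\d+\.\d+\) with E?SMTP id [A-Za-z0-9\-]{9,}/
#header __SENDMAIL_QUEUE_ID2 Received =~ /\(8\.\d+\.\d+\/8\.\d+\.\d+\) with E?SMTP id [A-Za-z0-9]{8}[0-9]{2,10}\b/
header __SENDMAIL_QUEUE_ID2 Received =~ /\(8\.\d+\.\d+\/8\.\d+\.\d+\) with E?SMTP id [k-x][\dAB][\dA-V][\dA-N][\dA-Za-z]{4}\d{2,10}\b/
# Whitelisted host whose ids do not follow the usual shape.
header __Received_telesystems_ua Received =~ /\bsardina\.telesystems\.ua\b/
meta FORGED_SENDMAIL_QUEUE_ID __SENDMAIL_QUEUE_ID1 && !__SENDMAIL_QUEUE_ID2 && !__Received_telesystems_ua
describe FORGED_SENDMAIL_QUEUE_ID Forged Sendmail Received
score FORGED_SENDMAIL_QUEUE_ID 5.0

# Lower-case "with esmtp[s][a]" variant of the same check; POCHTARU and
# POCHTARU_SMTP (defined elsewhere) exempt that provider.
header __SENDMAIL_QUEUE_ID3 Received =~ /\((\s*sendmail )?8\.\d+\.\d+\/8\.\d+\.\d+\) with e?smtps?a? id [A-Za-z0-9\-]{9,}/
meta FORGED_SENDMAIL_QUEUE_ID2 __SENDMAIL_QUEUE_ID3 && !__SENDMAIL_QUEUE_ID2 && !POCHTARU && !POCHTARU_SMTP
describe FORGED_SENDMAIL_QUEUE_ID2 Forged Sendmail Received
score FORGED_SENDMAIL_QUEUE_ID2 5.0

# Exim-style "helo=" clause glued onto a Sendmail version banner with a fixed
# version string -- a known spamware template.
header FORGED_SENDMAIL_RECEIVED_HELO Received =~ /from ([^\.\s]+) \(\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] helo=\1\)[\s\r\n]*by \S+ \( sendmail 8\.13\.3\/8\.13\.1\) with esmtpa id [\dA-Za-z]{6}-[\dA-Za-z]{6}-[\dA-Za-z]{2}/
describe FORGED_SENDMAIL_RECEIVED_HELO Forged Sendmail Received
score FORGED_SENDMAIL_RECEIVED_HELO 4.0

header FORGED_SENDMAIL_RECEIVED_VER Received =~ /by \S+ \(8\.13\.8\/8\.13\.0\/3\.0\) with SMTP/
describe FORGED_SENDMAIL_RECEIVED_VER Forged Sendmail Received
score FORGED_SENDMAIL_RECEIVED_VER 4.0

# A host name where the bracketed IP address should be, plus a fixed id prefix.
header FORGED_SENDMAIL_RECEIVED_IP Received =~ /from ([\w\d\-]+\.)+[a-z]{2,3}\(([\w\d\-]+\.)+[a-z]{2,3} \[([\w\d\-]+\.)+[a-z]{2,3}\]\)[\s\r\n]+by ([\w\d\-]+\.)+[a-z]{2,3} \(8\.11\.1\/8\.11\.1\) with ESMTP id eA5KcNf[A-F\d]{5}[\s\r\n]+for <\S+\@\S+>;/
describe FORGED_SENDMAIL_RECEIVED_IP Forged Sendmail Received
score FORGED_SENDMAIL_RECEIVED_IP 5.0

header SUSPICIOUS_RECEIVED_VIA_SMTPD Received =~ /\bvia smtpd \(for /
describe SUSPICIOUS_RECEIVED_VIA_SMTPD Suspicious header Received, may be generated by spamware
score SUSPICIOUS_RECEIVED_VIA_SMTPD 2.0

header SUSPICIOUS_RECEIVED_HELO_0_0_0_0 Received =~ /from \S+(\.\S+)+ \(\[\d+\.\d+\.\d+\.\d+\] helo=0\.0\.0\.0\)/
describe SUSPICIOUS_RECEIVED_HELO_0_0_0_0 Suspicious HELO 0.0.0.0 in header Received
score SUSPICIOUS_RECEIVED_HELO_0_0_0_0 3.0

# Date stamp with the weekday missing (", 12 Jan 2015 ..." right after ";").
# NOTE(review): the trailing "([\r\n]*.*)*$" is a nested quantifier that only
# consumes the rest of the header; it adds nothing to the match and can
# backtrack badly -- candidate for removal after a regression check.
header SUSPICIOUS_RECEIVED_DATE_WITHOUT_WDAY Received =~ /(;\s*|[\r\n]*\s+),+ \d+ (\w\w\w|.{2,7}) 20\d\d -?\d\d:\d\d:\d\d [\-\+]\d\d\d0\)?\s*([\r\n]*.*)*$/
describe SUSPICIOUS_RECEIVED_DATE_WITHOUT_WDAY Suspicious header Received
score SUSPICIOUS_RECEIVED_DATE_WITHOUT_WDAY 3.5

# HELO claims a big freemail provider but neither the envelope sender nor the
# From: header belongs to it.
meta Fake_Received_mail_ru __MAIL_RU_Received && !((__MAIL_RU_Return_Path || __MAIL_RU_X_Envelope_From) && __MAIL_RU_From)
describe Fake_Received_mail_ru Fake helo mail.ru in header Received from non mail.ru sender address (DSPAM_autolearn)
score Fake_Received_mail_ru 4.0

meta Fake_Received_gmail_com __GMAIL_COM_Received_HELO && !((__GMAIL_COM_Return_Path || __GMAIL_COM_X_Envelope_From) && __GMAIL_COM_From) && !GMAIL_COM && !GMAIL_COM_WEB
describe Fake_Received_gmail_com Fake helo gmail.com in header Received from non gmail.com sender address (DSPAM_autolearn)
score Fake_Received_gmail_com 4.0

# The various ways a "smtp.yandex.ru" hop is written by different MTAs.
header __RECEIVED_smtp_yandex_ru_1 Received =~ /from \[\d+\.\d+\.\d+\.\d+\] \((port=\d+ )?helo=smtp\.yandex\.ru\)/
header __RECEIVED_smtp_yandex_ru_2 Received =~ /from \[UNAVAILABLE\] \(\[\d+\.\d+\.\d+\.\d+\]:\d+ helo=smtp\.yandex\.ru\)/
header __RECEIVED_smtp_yandex_ru_3 Received =~ /from \S+ \(\[\d+\.\d+\.\d+\.\d+\]:\d+ helo=smtp\.yandex\.ru\)/
header __RECEIVED_smtp_yandex_ru_4 Received =~ /from \[\d+\.\d+\.\d+\.\d+\] \(account \S+ HELO smtp\.yandex\.ru\)/
header __RECEIVED_smtp_yandex_ru_5 Received =~ /from smtp\.yandex\.ru \(\[\d+\.\d+\.\d+\.\d+\]\)/
header __RECEIVED_smtp_yandex_ru_6 Received =~ /from smtp\.yandex\.ru \(\S+ \[\d+\.\d+\.\d+\.\d+\]\)/
#header __RECEIVED_smtp_yandex_ru_7 Received =~ /from unknown \(HELO smtp\.yandex\.ru\) \(\S+\@\d+\.\d+\.\d+\.\d+\)/
header __RECEIVED_smtp_yandex_ru_7 Received =~ /from \S+ \(HELO smtp\.yandex\.ru\) \(\S+\@\d+\.\d+\.\d+\.\d+\)/
header __RECEIVED_smtp_yandex_ru_8 Received =~ /from \S+ \(HELO smtp\.yandex\.ru\) \(\d+\.\d+\.\d+\.\d+\)/
header __RECEIVED_smtp_yandex_ru_9 Received =~ /from \S+ \(\[\d+\.\d+\.\d+\.\d+\] helo=smtp\.yandex\.ru\)/

# Sender (From: plus envelope) belongs to mail.ru / gmail.com / ukr.net, yet the
# message claims to have passed through smtp.yandex.ru.  Both halves must hold;
# the HELO alternatives are grouped so that "&&" applies to all of them.
meta FAKE_RECEIVED_smtp_yandex_ru ((__MAIL_RU_From && (__MAIL_RU_Return_Path || __MAIL_RU_X_Envelope_From)) || (__GMAIL_COM_From && (__GMAIL_COM_Return_Path || __GMAIL_COM_X_Envelope_From)) || (__UKR_NET_From && (__UKR_NET_Return_Path || __UKR_NET_X_Envelope_From))) && (__RECEIVED_smtp_yandex_ru_1 || __RECEIVED_smtp_yandex_ru_2 || __RECEIVED_smtp_yandex_ru_3 || __RECEIVED_smtp_yandex_ru_4 || __RECEIVED_smtp_yandex_ru_5 || __RECEIVED_smtp_yandex_ru_6 || __RECEIVED_smtp_yandex_ru_7 || __RECEIVED_smtp_yandex_ru_8 || __RECEIVED_smtp_yandex_ru_9)
describe FAKE_RECEIVED_smtp_yandex_ru Fake smtp.yandex.ru Received (DSPAM_autolearn), already_read
score FAKE_RECEIVED_smtp_yandex_ru 5.0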