#
# 2007-2013 Victor Ustugov
#
# A patch is required to check combinations of header fields:
# http://mta.org.ua/spamassassin-3.4.0/patches/3.3.2/patch-src::MultiCaseSensHeadersCheck-3.3.2.patch
# A patch is required to check header fields with the case of the field name taken into account:
# http://mta.org.ua/spamassassin-3.4.0/patches/3.3.2/patch-src::MultiCaseSensHeadersCheck-3.3.2.patch
#
# Purpose: SpamAssassin rules that score messages whose X-Mailer claims
# Microsoft Outlook while other headers (Message-ID, MIME boundary, address
# quoting, charset spelling) do not fit what these rules expect from it.
#
# NOTE(review): both links above are plain http:// and point at the same file,
# and no checksum or signature is given here. The patch modifies the
# SpamAssassin source, so obtain it over a trusted channel and read it before
# applying it.
# NOTE(review): the "Message-ID:case" and "From|Message-ID:case" header
# selectors below appear to be the syntax that patch adds. Presumably they fail
# lint or never match on an unpatched install; confirm with
# `spamassassin --lint`.
# NOTE(review): many sub-rules referenced here (__CUST_X_Mailer_MSO*,
# __MAILMAN, __Mailing_List_Server, __UNUSABLE_MSGID, DSPAM_CHECK_00_01, ...)
# are not defined in this file. Presumably an undefined name in a meta
# expression evaluates as false, which would turn a negated exclusion such as
# "!__MAILMAN" into "always true" and drop the false-positive guard; run
# `spamassassin --lint` and confirm every dependency is loaded.
# NOTE(review): X-Mailer is written by the sender. These rules therefore only
# describe mail that claims to be from Outlook and should be treated as one
# signal among several.
#

# X-Mailer consists of the single word "Outlook" (optional leading whitespace).
# The 6.0 score is above SpamAssassin's stock required_score of 5.0, so this
# one header match is enough to tag a message unless the local threshold is
# higher. Check for false positives before deploying at this weight.
header FAKE_MUA_OUTLOOK X-Mailer =~ /^\s*Outlook$/
describe FAKE_MUA_OUTLOOK Fake MUA Outlook
score FAKE_MUA_OUTLOOK 6.0

######################################################################

# Runs against the whole header block (ALL). Captures the 2nd and 3rd
# 8-hex-digit groups of the Message-ID and requires the same two values, as
# "\1.\2", inside a "----=_NextPart_000_" boundary that starts 50 to 500
# characters later. /s lets "." cross line breaks, /m lets "^" match at the
# start of any header line, /i makes the hex classes case-insensitive.
# The match requires Message-ID to appear before the boundary attribute.
# The bounded {50,500} quantifier caps how far the regex scans on long headers.
header __SUSPICIOUS_MSGID_BOUNDARY_MSO12 ALL =~ /^Message-ID: <[\da-f]{4}([\da-f]{8})\$([\da-f]{8})\$[\da-f]{8}\$\@.{50,500}boundary="----=_NextPart_000_[\dA-F]{4}_\1\.\2"/msi
# Fires only when X-Mailer is MSO12 and the Date sub-rule __CUST_Date_0000
# (defined elsewhere) did not match.
meta SUSPICIOUS_MSGID_BOUNDARY_MSO12 __CUST_X_Mailer_MSO12 && !__CUST_Date_0000 && __SUSPICIOUS_MSGID_BOUNDARY_MSO12
describe SUSPICIOUS_MSGID_BOUNDARY_MSO12 Suspicious the same filetimes in header Message-ID and boundary attribute of header Content-Type
score SUSPICIOUS_MSGID_BOUNDARY_MSO12 2.0

######################################################################

# CT_8BIT_CTE_7BIT (defined elsewhere) combined with an MSO X-Mailer.
meta CT_8BIT_CTE_7BIT_MSO CT_8BIT_CTE_7BIT && __CUST_X_Mailer_MSO
describe CT_8BIT_CTE_7BIT_MSO 8-bit header Content-Type found with 7-bit header Content-Transfer-Encoding in message from MSO (DSPAM_autolearn)
score CT_8BIT_CTE_7BIT_MSO 2.0
# Requires the rule above, so when this one fires both scores apply
# (2.0 + 3.5 = 5.5), plus whatever DSPAM_CHECK_00_01 itself scores (not shown).
# NOTE(review): the description says "compensation" but the score is positive;
# the intent depends on how DSPAM_CHECK_00_01 is scored. Confirm.
meta CT_8BIT_CTE_7BIT_MSO_DSPAM_00_01 CT_8BIT_CTE_7BIT_MSO && DSPAM_CHECK_00_01
describe CT_8BIT_CTE_7BIT_MSO_DSPAM_00_01 CT_8BIT_CTE_7BIT DSPAM compensation
score CT_8BIT_CTE_7BIT_MSO_DSPAM_00_01 3.5

######################################################################

# Charset-spelling checks, one per header. Each reuses the matching
# __FORGED_MUA_OE_CHARSET_* sub-rule (defined elsewhere) and gates it on an
# MSO1X X-Mailer. Each rule carries its own 1.0 score, so several can add up on
# one message.
meta FORGED_MUA_MSO_CHARSET_SUBJECT __CUST_X_Mailer_MSO1X && __FORGED_MUA_OE_CHARSET_SUBJECT
describe FORGED_MUA_MSO_CHARSET_SUBJECT Forged MUA Microsoft Outlook (charset with capital in beginning of header Subject)
score FORGED_MUA_MSO_CHARSET_SUBJECT 1.0
meta FORGED_MUA_MSO_CHARSET_FROM __CUST_X_Mailer_MSO1X && __FORGED_MUA_OE_CHARSET_FROM
describe FORGED_MUA_MSO_CHARSET_FROM Forged MUA Microsoft Outlook (charset with capital in beginning of header From)
score FORGED_MUA_MSO_CHARSET_FROM 1.0
meta FORGED_MUA_MSO_CHARSET_REPLY_TO __CUST_X_Mailer_MSO1X && __FORGED_MUA_OE_CHARSET_REPLY_TO
describe FORGED_MUA_MSO_CHARSET_REPLY_TO Forged MUA Microsoft Outlook (charset with capital in beginning of header Reply-To)
score FORGED_MUA_MSO_CHARSET_REPLY_TO 1.0
meta FORGED_MUA_MSO_CHARSET_TO __CUST_X_Mailer_MSO1X && __FORGED_MUA_OE_CHARSET_TO
describe FORGED_MUA_MSO_CHARSET_TO Forged MUA Microsoft Outlook (charset with capital in beginning of header To)
score FORGED_MUA_MSO_CHARSET_TO 1.0
meta FORGED_MUA_MSO_CHARSET_CC __CUST_X_Mailer_MSO1X && __FORGED_MUA_OE_CHARSET_CC
describe FORGED_MUA_MSO_CHARSET_CC Forged MUA Microsoft Outlook (charset with capital in beginning of header Cc)
score FORGED_MUA_MSO_CHARSET_CC 1.0

######################################################################

# Address-quoting checks for From, Reply-To, To and Cc. Each header has two
# mutually exclusive rules: *_WOUT_QUOTE requires __HEADER_*_WITHOUT_QUOTES,
# while the plain rule requires it to be false and the
# *_QUOTA_OR_ANGLE_BRACKET sub-rule to be false as well.
# NOTE(review): the mailing-list exclusions are not uniform.
# FROM_WOUT_QUOTE and CC_WOUT_QUOTE exclude only __MAILMAN. The Reply-To, To
# and plain Cc rules require List-Id and List-Post to be empty and
# !__Mailing_List_Server. FORGED_MUA_MSO_FROM has no list exclusion at all.
# Confirm this is intended, since list software commonly rewrites these headers.
meta FORGED_MUA_MSO_FROM_WOUT_QUOTE __CUST_X_Mailer_MSO1X && !__CUST_FROM_EMPTY && __HEADER_FROM_WITHOUT_QUOTES && !__HEADER_FROM_ENCODED && !__MAILMAN
describe FORGED_MUA_MSO_FROM_WOUT_QUOTE Forged MUA Microsoft Outlook (there aren't double quotes in header From)
score FORGED_MUA_MSO_FROM_WOUT_QUOTE 2.0
meta FORGED_MUA_MSO_FROM __CUST_X_Mailer_MSO1X && !__CUST_FROM_EMPTY && !__FROM_QUOTA_OR_ANGLE_BRACKET && !__HEADER_FROM_WITHOUT_QUOTES
describe FORGED_MUA_MSO_FROM Forged MUA Microsoft Outlook (header From does not contains double quote and angle bracket)
score FORGED_MUA_MSO_FROM 2.0
# Reply-To without quotes is weighted lower (0.5) than the other headers (2.0).
meta FORGED_MUA_MSO_REPLY_TO_WOUT_QUOTE __CUST_X_Mailer_MSO1X && !__CUST_REPLY_TO_EMPTY && __HEADER_REPLY_TO_WITHOUT_QUOTES && !__HEADER_REPLY_TO_ENCODED && __CUST_List_Id_EMPTY && __CUST_List_Post_EMPTY && !__Mailing_List_Server
describe FORGED_MUA_MSO_REPLY_TO_WOUT_QUOTE Forged MUA Microsoft Outlook (there aren't double quotes in header Reply-To)
score FORGED_MUA_MSO_REPLY_TO_WOUT_QUOTE 0.5
meta FORGED_MUA_MSO_REPLY_TO __CUST_X_Mailer_MSO1X && !__CUST_REPLY_TO_EMPTY && !__REPLY_TO_QUOTA_OR_ANGLE_BRACKET && !__HEADER_REPLY_TO_WITHOUT_QUOTES && __CUST_List_Id_EMPTY && __CUST_List_Post_EMPTY && !__Mailing_List_Server
describe FORGED_MUA_MSO_REPLY_TO Forged MUA Microsoft Outlook (header Reply-To does not contains double quote and angle bracket)
score FORGED_MUA_MSO_REPLY_TO 2.0
meta FORGED_MUA_MSO_TO_WOUT_QUOTE __CUST_X_Mailer_MSO1X && !__CUST_TO_EMPTY && __HEADER_TO_WITHOUT_QUOTES && !__HEADER_TO_ENCODED && __CUST_List_Id_EMPTY && __CUST_List_Post_EMPTY && !__Mailing_List_Server
describe FORGED_MUA_MSO_TO_WOUT_QUOTE Forged MUA Microsoft Outlook (there aren't double quotes in header To)
score FORGED_MUA_MSO_TO_WOUT_QUOTE 2.0
meta FORGED_MUA_MSO_TO __CUST_X_Mailer_MSO1X && !__CUST_TO_EMPTY && !__TO_QUOTA_OR_ANGLE_BRACKET && !__HEADER_TO_WITHOUT_QUOTES && __CUST_List_Id_EMPTY && __CUST_List_Post_EMPTY && !__Mailing_List_Server
describe FORGED_MUA_MSO_TO Forged MUA Microsoft Outlook (header To does not contains double quote and angle bracket)
score FORGED_MUA_MSO_TO 2.0
meta FORGED_MUA_MSO_CC_WOUT_QUOTE __CUST_X_Mailer_MSO1X && !__CUST_CC_EMPTY && __HEADER_CC_WITHOUT_QUOTES && !__HEADER_CC_ENCODED && !__MAILMAN
describe FORGED_MUA_MSO_CC_WOUT_QUOTE Forged MUA Microsoft Outlook (there aren't double quotes in header Cc)
score FORGED_MUA_MSO_CC_WOUT_QUOTE 2.0
meta FORGED_MUA_MSO_CC __CUST_X_Mailer_MSO1X && !__CUST_CC_EMPTY && !__CC_QUOTA_OR_ANGLE_BRACKET && !__HEADER_CC_WITHOUT_QUOTES && __CUST_List_Id_EMPTY && __CUST_List_Post_EMPTY && !__Mailing_List_Server
describe FORGED_MUA_MSO_CC Forged MUA Microsoft Outlook (header Cc does not contains double quote and angle bracket)
score FORGED_MUA_MSO_CC 2.0

######################################################################

# Earlier, stricter versions of the Message-ID shape check, kept disabled.
#header __MSO12_Message_ID Message-ID:case =~ /^\s*<0[\da-f]{3}[\da-f]{8}\$[\da-f]{8}\$[\da-f]{8}\$(\@[a-zA-Z\d_]+)?\@[^\@>]+>$/
#meta FORGED_MUA_MSO12_Message_ID __CUST_X_Mailer_MSO12 && !__MSO12_Message_ID
#describe FORGED_MUA_MSO12_Message_ID Forged MUA Microsoft Office Outlook 12
#score FORGED_MUA_MSO12_Message_ID 2.5
#header __MSO12_Message_ID Message-ID:case =~ /^\s*<0[\da-f]{3}01[\da-f]{6}\$[\da-f]{8}\$[\da-f]{8}\$(\@[a-zA-Z\d_]+)?\@[^\@>]+>$/
# Active shape check: 12 hex digits, "$", 8 hex, "$", 8 hex, "$", an optional
# "@token", then "@" and the right-hand side. There is no /i flag, so only
# lower-case a-f is accepted.
header __MSO12_Message_ID Message-ID:case =~ /^\s*<[\da-f]{12}\$[\da-f]{8}\$[\da-f]{8}\$(\@[a-zA-Z\d_-]+)?\@[^\@>]+>$/
# From/Message-ID correlation, variant 1: captures the From domain with its
# left-most label removed and requires the Message-ID right-hand side (after
# "$@") to equal it. The Message-ID must also have "01" as its 5th and 6th
# hex digits.
header __MSO12_From_Message_ID1 From|Message-ID:case =~ /^[^\@]+\@[^\.]+\.([^>]+)>[\s\r\n]*\|\s*<[\da-f]{4}01[\da-f]{6}\$[\da-f]{8}\$[\da-f]{8}\$\@\1>$/i
# Variant 2: the capture is taken after a "." in the From value and itself
# contains an "@" (\S+@...), and the Message-ID right-hand side must equal it.
# NOTE(review): this variant uses [\da-z]{8} where variant 1 uses [\da-f]{8},
# so it accepts non-hex letters in the last two groups. Possibly a typo; confirm.
header __MSO12_From_Message_ID2 From|Message-ID:case =~ /^.+\.(\S+\@[^>]+)>[\s\r\n]*\|\s*<[\da-f]{4}01[\da-f]{6}\$[\da-z]{8}\$[\da-z]{8}\$\@\1>$/i
# Matches an empty or whitespace-only Message-ID; used below as an exclusion.
header __MSO12_Message_ID2 Message-ID:case =~ /^\s*$/
# Fires when X-Mailer is MSO12 and either the Message-ID shape check fails or
# neither From/Message-ID correlation matches. It is suppressed for an empty
# Message-ID and for the Google, Mailman and unusable-Message-ID sub-rules
# (all defined elsewhere).
meta FORGED_MUA_MSO12_Message_ID (__CUST_X_Mailer_MSO12 && (!__MSO12_Message_ID || !(__MSO12_From_Message_ID1 || __MSO12_From_Message_ID2))) && !__MSO12_Message_ID2 && !__Message_ID_Google && !__MAILMAN && !__UNUSABLE_MSGID
describe FORGED_MUA_MSO12_Message_ID Forged MUA Microsoft Office Outlook 12
score FORGED_MUA_MSO12_Message_ID 2.5

######################################################################

# Multipart message with an MSO X-Mailer whose boundary does not match the
# expected form (__CUST_Content_Type_multipart_OE_boundary, defined
# elsewhere). It is skipped when both Mailman sub-rules match.
meta FORGED_MUA_MSO_boundary __CUST_Content_Type_multipart && __CUST_X_Mailer_MSO && !__CUST_Content_Type_multipart_OE_boundary && !(__MAILMAN && __MAILMAN_boundary)
describe FORGED_MUA_MSO_boundary Forged MUA Microsoft Office Outlook
score FORGED_MUA_MSO_boundary 2.5

######################################################################

# Sample header pair that the two regexes below match:
#X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
#X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
# Both sub-rules must match for OBSOLETED_MSO9 to score: an Outlook IMO
# build 9.0.x X-Mailer together with a MimeOLE V4.7x X-MimeOLE.
header __OBSOLETED_MSO9_X_Mailer X-Mailer =~ /^\s*Microsoft Outlook IMO, Build 9\.0\.\d+ \(9\.0\.\d+\.0\)$/
header __OBSOLETED_MSO9_X_MimeOLE X-MimeOLE =~ /^\s*Produced By Microsoft MimeOLE V4\.7\d+\.\d+\.\d+$/
meta OBSOLETED_MSO9 __OBSOLETED_MSO9_X_Mailer && __OBSOLETED_MSO9_X_MimeOLE
describe OBSOLETED_MSO9 Obsoleted combination MSO version and IE version
score OBSOLETED_MSO9 1.5