#
# 2003-2013 Victor Ustugov
#
# Regular expressions for checking the message body.
#
# The syntax is SpamAssassin rule configuration: each test is declared by
# type (body / rawbody / full / header / meta), then given a description
# (describe), a score, and optionally tflags.  Names starting with "__" are
# sub-rules that only feed meta expressions.
#
# ENCODING: the non-ASCII text inside the patterns is raw 8-bit data, not
# damaged text.  In each two-way alternation the first branch reads as Russian
# when the bytes are taken as KOI8-R and the second as the same phrase in
# Windows-1251; viewed as Latin-1 both look like mojibake.  Do not "repair"
# or transcode these patterns to UTF-8 without rewriting them.
# NOTE(review): whether they still hit depends on how the scanner decodes the
# body before matching (e.g. charset normalisation) - confirm on the target
# installation.
#
# NOTE(review): several patterns below are empty (//) or unbalanced.  The
# HTML-looking part of those regexes appears to have been lost when this copy
# was produced.  An empty pattern matches every message, so restore these from
# the author's original file and lint the configuration before loading it.
#

# HTML Content-Type without a charset.  The two metas are mutually exclusive:
# the generic one is suppressed whenever the 7Bit variant fires.  Both "__"
# sub-rules are defined outside this section.
meta MIME_MISSING_CHARSET __MIME_Content_Type_html_without_charset && !MIME_MISSING_CHARSET_CTE_7Bit
describe MIME_MISSING_CHARSET MIME charset missing
score MIME_MISSING_CHARSET 2.0

meta MIME_MISSING_CHARSET_CTE_7Bit __MIME_Content_Type_html_without_charset && __MIME_Content_Transfer_Encoding_7Bit
describe MIME_MISSING_CHARSET_CTE_7Bit MIME charset missing with Content-Transfer-Encoding: 7Bit
score MIME_MISSING_CHARSET_CTE_7Bit 3.0

########################################

# Russian phrase "address (was) taken/obtained from open/free/public
# source(s)/resource(s)", in KOI8-R bytes, then in Windows-1251 bytes.
body BODY_ADDRESS_SOURCE /^.*?(ÁÄÒÅÓ\s+(ÂÙÌ\s+)*(×ÚÑÔ|ÐÏÌÕÞÅÎ)\s+ÉÚ\s+(ÏÔËÒÙÔ|Ó×ÏÂÏÄÎ|ÐÕÂÌÉÞÎ)(ÏÇÏ|ÙÈ)\s+(ÉÓÔÏÞÎÉË|ÒÅÓÕÒÓ)(Á|Ï×)|àäðåñ\s+(áûë\s+)*(âçÿò|ïîëó÷åí)\s+èç\s+(îòêðûò|ñâîáîäí|ïóáëè÷í)(îãî|ûõ)\s+(èñòî÷íèê|ðåñóðñ)(à|îâ))/
describe BODY_ADDRESS_SOURCE reference to open or public address source
score BODY_ADDRESS_SOURCE 3.5

# Citation of part 4 of article 29 of the Constitution of the Russian
# Federation (abbreviated in Russian), KOI8-R then Windows-1251.
body BODY_LAW_RUSSIAN /^.*?((Ð|Þ)\.\s*4\s+ÓÔ\.\s*29\s+ëÏÎÓÔÉÔÕÃÉÉ\s+òæ|(ï|÷)\.\s*4\s+ñò\.\s*29\s+Êîíñòèòóöèè\s+ÐÔ)/
describe BODY_LAW_RUSSIAN reference to Russian Law
score BODY_LAW_RUSSIAN 2.5

# Citation of article 34 of the Constitution of Ukraine.  The first letter of
# the Russian word for "article" is left out of the pattern, so either
# capitalisation of that letter matches.
body BODY_LAW_UKRAINIAN /^.*?(ÔÁÔØÅÊ\s+34\s+ëÏÎÓÔÉÔÕÃÉÉ\s+õËÒÁÉÎÙ|òàòüåé\s+34\s+Êîíñòèòóöèè\s+Óêðàèíû)/
describe BODY_LAW_UKRAINIAN reference to Ukrainian Law
score BODY_LAW_UKRAINIAN 2.5

# Low-weight English sales phrases, case-insensitive.
body SEE_FOR_YOURSELF /See (?:for|it) yourself\b/i
describe SEE_FOR_YOURSELF See for yourself
score SEE_FOR_YOURSELF 0.5

body ORDER_NOW /\border (?:now|soon|fast|quickly|while)\b/i
describe ORDER_NOW Encourages you to waste no time in ordering
score ORDER_NOW 0.5

# Disabled rule; its pattern is missing in this copy.
#rawbody BODY_cid_Documents_and_Settings //
# NOTE(review): no line defining BODY_color_3D is visible here, only its
# describe and score - presumably the rule line was lost together with the
# pattern above; confirm against the original file.
describe BODY_color_3D Strange 3D in BODY tag
score BODY_color_3D 1.5

# NOTE(review): empty pattern as shown - this would hit every message and add
# 2.0 points.  Restore the original META-tag regex before use.
full BODY_META_KOI_8R //
describe BODY_META_KOI_8R Strange charset koi-8r in META tag
score BODY_META_KOI_8R 2.0

#
# (the sample lines that stood here are empty in this copy)
#
# NOTE(review): the pattern below has an unmatched ")" and looks truncated at
# the front; as written it should fail to compile.  Restore before use.
full BODY_META_KOI_8 /|"|>)/i
describe BODY_META_KOI_8 Strange charset koi-8 in META tag
score BODY_META_KOI_8 1.0

# NOTE(review): presumably the opening title tag was part of this pattern
# and was stripped; as shown it matches any title that ends in "Untitled".
full BODY_HTML_TITLE_Untitled /Untitled<\/title>/
describe BODY_HTML_TITLE_Untitled Strange HTML title "Untitled"
score BODY_HTML_TITLE_Untitled 1.5

# Samples of an unexpanded mailer template.  The first word is the Russian
# salutation "Dear (Mr/Ms)" in Windows-1251 bytes, with Latin "a"/"e"
# homoglyphs substituted at varying positions; it is followed by a leftover
# "/imena_na_russkom.txt[/string]," placeholder.
# Óâaæaeìûé (-aÿ) /imena_na_russkom.txt[/string],
# Óâaæaåìûé (-àÿ) /imena_na_russkom.txt[/string],
# Óâaæàeìûé (-aÿ) /imena_na_russkom.txt[/string],
# Óâaæàåìûé (-aÿ) /imena_na_russkom.txt[/string],
# Óâàæaeìûé (-aÿ) /imena_na_russkom.txt[/string],
# Óâàæàåìûé (-aÿ) /imena_na_russkom.txt[/string],
# The nine and two "." wildcards accept any bytes for the salutation, so every
# homoglyph variant above matches; the literal placeholder is the anchor.
full BODY_imena_na_russkom /\r?\n \r?\n\r?\n......... \(-..\) \/imena_na_russkom\.txt\[\/string\],/
describe BODY_imena_na_russkom Distinguished imena_na_russkom.txt
score BODY_imena_na_russkom 3.5

#
# Sample (Windows-1251 "Greetings," with Latin homoglyphs):
# Ïpèâeòñòâóþ, /imena_na_russkom.txt;[/string]
#
# Looser variant of the placeholder match; the meta excludes messages that
# already hit BODY_imena_na_russkom so the two scores are not both applied.
full __BODY_imena_na_russkom2 /\/imena_na_russkom\.txt;\[\/string\]/
meta BODY_imena_na_russkom2 __BODY_imena_na_russkom2 && !BODY_imena_na_russkom
describe BODY_imena_na_russkom2 Distinguished imena_na_russkom.txt
score BODY_imena_na_russkom2 2.5

#
# Sample:
# [string/chasy2/msg1.txt[/string] http://www.prevecht.ru
#
# Another leftover template placeholder, followed by an http://www. host
# that has at least two further dot-separated parts.
full BODY_string_chasy2_msg1 /\[string\/chasy2\/msg1\.txt\[\/string\] http:\/\/www(\.\S+){2,}/
describe BODY_string_chasy2_msg1 Distinguished string/chasy2/msg1.txt
score BODY_string_chasy2_msg1 2.5

#
# Sample:
# Content-Type: Text/Plain;
#
# charset="utf-8"
# Content-Transfer-Encoding: base64
#
# The Content-Type header stops at ";" and the charset parameter plus the
# Content-Transfer-Encoding line show up at the start of the body instead.
# __CUST_Content_Transfer_Encoding_EMPTY is defined outside this section.
header __CHARSET_WITHOUT_TAB_CT Content-Type =~ /^\s*text\/(plain|html);$/i
body __CHARSET_WITHOUT_TAB_BODY /^charset="utf-8"\s+Content-Transfer-Encoding: base64/
meta CHARSET_WITHOUT_TAB __CHARSET_WITHOUT_TAB_CT && __CHARSET_WITHOUT_TAB_BODY && __CUST_Content_Transfer_Encoding_EMPTY
describe CHARSET_WITHOUT_TAB Content-Type with charset on new line without tab or space
score CHARSET_WITHOUT_TAB 2.0

#
# Sample:
# X-Script-Id: 1262524196.544816
#
# A header-like line at the start of the body text.  The value must be a
# ten-digit number beginning with 1, a dot, and more digits - presumably a
# Unix timestamp with a fractional part.
body BODY_X_Script_Id /^X-Script-Id: 1\d{9}\.\d+/
describe BODY_X_Script_Id Message body begins with X-Script-Id:
score BODY_X_Script_Id 3.0

#
# Sample:
# http://tinyurl.com/yg8hq42
#
# Scores any http:// tinyurl.com link found in the body text, whatever it
# points to; https:// links are not covered by this pattern.
# NOTE(review): a body rule only sees the rendered text.  If links that appear
# solely in HTML attributes should count, a "uri" rule is the usual tool -
# confirm the intent.  Expect hits on legitimate mail that uses the shortener.
body BODY_TINYURL_COM /http:\/\/tinyurl\.com\//
describe BODY_TINYURL_COM Blacklisted Short URL Service
score BODY_TINYURL_COM 2.0

#
# Sample:
# http://cid-0e8075b2e07427be.spaces.live.com
#
# Host label "cid-" plus exactly 16 lowercase hex digits under spaces.live.com.
body BODY_CID_NUM_SPACES_LIVE_COM /http:\/\/cid-[\da-f]{16}\.spaces\.live\.com/
describe BODY_CID_NUM_SPACES_LIVE_COM Blacklisted URL
score BODY_CID_NUM_SPACES_LIVE_COM 3.0

#
# Sample:
# {%END_QUOTEDPRINTABLE%}
# ------=_NextPart_000_0011_01CD33E4.549344B0
#
# An unexpanded generator macro left in the message.  With a score of 5.0 a
# single hit reaches SpamAssassin's stock required_score of 5.0 on its own.
# NOTE(review): "mandatory_learn" is not a tflags value I know from stock
# SpamAssassin; presumably a local extension tied to the DSPAM autolearn
# setup named in the description - confirm the installation accepts it.
full SUSP_BODY_END_QUOTEDPRINTABLE /\{\%END_QUOTEDPRINTABLE\%\}/
describe SUSP_BODY_END_QUOTEDPRINTABLE Suspicious body fragment (DSPAM_autolearn), already_read
score SUSP_BODY_END_QUOTEDPRINTABLE 5.0
tflags SUSP_BODY_END_QUOTEDPRINTABLE mandatory_learn

#
# Sample:
# --_NextPart_000_0002_56ZA9646.Y15PCYCQ
# Content-Type: text/plain;
# charset="koi8-r"
# Content-Transfer-Encoding: quoted-printable
#
# {_BODY_TEXT}
# --_NextPart_000_0002_56ZA9646.Y15PCYCQ
#
# Same idea: the literal placeholder {_BODY_TEXT} where the message text
# should be.  The notes on the 5.0 score and on "mandatory_learn" given for
# the rule above apply here as well.
full SUSP_BODY_TEXT /\{_BODY_TEXT\}/
describe SUSP_BODY_TEXT Suspicious body fragment (DSPAM_autolearn), already_read
score SUSP_BODY_TEXT 5.0
tflags SUSP_BODY_TEXT mandatory_learn

#
# Sample:
# ------=_NextPart_000_0DB5_01CDF6F2.D1086800
# Content-Type: text/plain;
# charset="windows-1251"
# Content-Transfer-Encoding: quoted-printable
#
# Matches a "------=_NextPart_" boundary line in the sample's shape (three
# digits, then 4 + 8 + 8 uppercase hex digits) directly followed by text/plain
# or text/html part headers.  The meta combines it with
# __MIME_Version_without_CT_CTE, which is defined outside this section and,
# going by the description, marks a message whose top-level headers carry
# MIME-Version but no Content-Type or Content-Transfer-Encoding.
full __BODY_MULTIPART /------=_NextPart_\d\d\d_[\dA-F]{4}_[\dA-F]{8}\.[\dA-F]{8}\r?\nContent-Type: text\/(plain|html);[\s\r\n]*charset="?[a-zA-Z\d\-]+?"?\r?\nContent-Transfer-Encoding:/
meta MIME_Version_without_CT_CTE_FAKE_MULTIPART __MIME_Version_without_CT_CTE && __BODY_MULTIPART
describe MIME_Version_without_CT_CTE_FAKE_MULTIPART Header MIME-Version without headers Content-Type and Content-Transfer-Encoding, and multipart body
score MIME_Version_without_CT_CTE_FAKE_MULTIPART 4.0