#
# 2007-2023 Victor Ustugov
#
# SpamAssassin rules that score artefacts left behind by bulk-mailing tools:
#   * fixed or implausible MIME boundary strings in Content-Type,
#   * template placeholders (%NAME%, {NAME}, $NAME, {LINE[..]}, {LET:..})
#     that reached the wire without being expanded,
#   * HTML bodies whose <head> carries no charset.
#
# NOTE(review): several rules score 5.0 or more, so a single hit reaches the
# stock required_score of 5.0 on its own. Confirm the threshold used on the
# target system and run the set against a ham corpus before deploying.
# NOTE(review): the words in parentheses in describe lines (DSPAM_autolearn,
# sa-learn_candidate, bayes_recheck, already_read) look like markers for the
# author's own tooling - presumably parsed downstream, so keep them verbatim.
# NOTE(review): this copy appears to have gone through an HTML-stripping
# extractor: text between "<" and ">" is missing from some examples and
# patterns. Affected rules are marked below; restore them from the upstream
# file and run `spamassassin --lint` before loading.
#

# --- Fixed MIME boundary fingerprints ---------------------------------------
# These header rules match a multipart Content-Type whose boundary has the
# "----=_NextPart_000_XXXX_YYYYYYYY.ZZZZZZZZ" layout and test the YYYYYYYY
# field.

# Fires on four listed YYYYYYYY values.
header SUSPICIOUS_BOUNDARY Content-Type =~ /^\s*multipart.+boundary="----=_NextPart_000_[A-Z\d]{4}_(00EBFFA4|0102FFA4|32C6FFA4|3302FFA4)\.[A-Z\d]{8}"[\r\n]*$/s
describe SUSPICIOUS_BOUNDARY Suspicious boundary in header Content-Type (DSPAM_autolearn)
score SUSPICIOUS_BOUNDARY 5.2

# Fires on one listed value unless BALANCE_CLUB or FROM_ZVIT_STA_GOV_UA hit.
# NOTE(review): those two rules are not defined in this view - presumably
# sender exceptions; confirm they are loaded, otherwise the exclusion is moot.
header __SUSPICIOUS_BOUNDARY2 Content-Type =~ /^\s*multipart.+boundary="----=_NextPart_000_[A-Z\d]{4}_(01C6527E)\.[A-Z\d]{8}"[\r\n]*$/s
meta SUSPICIOUS_BOUNDARY2 __SUSPICIOUS_BOUNDARY2 && !BALANCE_CLUB && !FROM_ZVIT_STA_GOV_UA
describe SUSPICIOUS_BOUNDARY2 Suspicious boundary in header Content-Type (DSPAM_autolearn)
score SUSPICIOUS_BOUNDARY2 4.7

# A different boundary layout: "-----000-00NN-01[CD]xxxxx-xxxxxxxx".
header SUSPICIOUS_BOUNDARY3 Content-Type =~ /^\s*multipart.+boundary="-----000-00\d\d-01[CD][\dA-F]{5}-[\dA-F]{8}"[\r\n]*$/s
describe SUSPICIOUS_BOUNDARY3 Suspicious boundary in header Content-Type (DSPAM_autolearn)
score SUSPICIOUS_BOUNDARY3 3.0

# Needs both: a YYYYYYYY field starting 01C4 and a Date header whose year is
# 2007, 2008 or 2009.
# NOTE(review): presumably a mismatch test between an old timestamp embedded
# in the boundary and the claimed Date - confirm. The year alternation is
# hard-coded, so the rule cannot fire on mail dated outside 2007-2009.
header __SUSPICIOUS_BOUNDARY4_CT Content-Type =~ /^\s*multipart.+boundary="----=_NextPart_000_[A-Z\d]{4}_01C4[\dA-F]{4}\.[A-Z\d]{8}"[\r\n]*$/s
header __SUSPICIOUS_BOUNDARY4_Date Date =~ /^\s*\w\w\w,\s+\d+\s+\w\w\w 200[789]/
meta SUSPICIOUS_BOUNDARY4 __SUSPICIOUS_BOUNDARY4_CT && __SUSPICIOUS_BOUNDARY4_Date
describe SUSPICIOUS_BOUNDARY4 Suspicious boundary in header Content-Type (DSPAM_autolearn)
score SUSPICIOUS_BOUNDARY4 4.0

#
# Content-Type: multipart/mixed;
#   boundary="----=_NextPart_000_00A4_01C2A9A6.49E3536E"
# Content-Type: multipart/related;
#   boundary="----=_NextPart_000_00CE_01C2A9A6.58469320"
# Content-Type: multipart/alternative;
#   boundary="----=_NextPart_001_00F0_01C2A9A6.0D05708C"
# Content-Type: multipart/related;
#   Type="multipart/alternative";
#   boundary="----=_NextPart_000_00EF_01C2A9A6.0D05708C"
#
# Fires on three listed YYYYYYYY values unless KS_INFORM hit. The pattern
# requires "_NextPart_000_", so the "_NextPart_001_" sample above is not
# matched by it.
# NOTE(review): KS_INFORM is not defined in this view - confirm it is loaded.
# At 7.0 this is the highest score in the file.
header __MACRO_DMS_CONTENT_TYPE Content-Type =~ /^\s*multipart.+boundary="----=_NextPart_000_[A-Z\d]{4}_(01C2A9A6|01C2A75B|01C2AA85)\.[A-Z\d]{8}"[\r\n]*$/s
meta MACRO_DMS_CONTENT_TYPE __MACRO_DMS_CONTENT_TYPE && !KS_INFORM
describe MACRO_DMS_CONTENT_TYPE Suspicious boundary in header Content-Type (DSPAM_autolearn, already_read)
score MACRO_DMS_CONTENT_TYPE 7.0

#
# Content-Type: multipart/related;
#   boundary="----=_NextPart_000_0012_73307063.9771C4FD"
# Content-Type: multipart/mixed;
#   boundary="----=_NextPart_000_0012_8561DA49.5D9B045C"
# Content-Type: multipart/related;
#   boundary="----=_NextPart_000_0012_612AE8F3.26F247BB"
#
# The three FAKE_FTIME patterns accept any YYYYYYYY field whose first two
# characters are not "01". They differ only in the XXXX counter: "0012",
# "0001", or any four hex digits.
# NOTE(review): the rule names suggest YYYYYYYY is expected to be the start of
# a Windows FILETIME, which would begin "01" for present-day dates - confirm.
# The class [\dA-Z] in the second position also admits the non-hex letters
# G-Z.
# NOTE(review): `mandatory_learn` is not a tflags value I can place in stock
# SpamAssassin; presumably it is consumed by the author's own patch or tooling
# - confirm that `spamassassin --lint` accepts it on the target install.
header SUSPICIOUS_BOUNDARY_FAKE_FTIME_12 Content-Type =~ /^\s*multipart.+boundary="----=_NextPart_000_0012_(0[02-9A-F]|[1-9A-F][\dA-Z])[A-F\d]{6}\.[\dA-F]{8}"[\r\n]*$/s
#describe SUSPICIOUS_BOUNDARY_FAKE_FTIME_12 Suspicious boundary in header Content-Type (DSPAM_autolearn, bayes_recheck)
describe SUSPICIOUS_BOUNDARY_FAKE_FTIME_12 Suspicious boundary in header Content-Type (DSPAM_autolearn, bayes_recheck, sa-learn_candidate)
score SUSPICIOUS_BOUNDARY_FAKE_FTIME_12 4.0
tflags SUSPICIOUS_BOUNDARY_FAKE_FTIME_12 mandatory_learn

# Generic variant: fires only when neither the _12 nor the _01 variant does,
# so the three scores never add up on one message.
header __SUSPICIOUS_BOUNDARY_FAKE_FTIME Content-Type =~ /^\s*multipart.+boundary="----=_NextPart_000_[\dA-F]{4}_(0[02-9A-F]|[1-9A-F][\dA-Z])[A-F\d]{6}\.[\dA-F]{8}"[\r\n]*$/s
meta SUSPICIOUS_BOUNDARY_FAKE_FTIME __SUSPICIOUS_BOUNDARY_FAKE_FTIME && !SUSPICIOUS_BOUNDARY_FAKE_FTIME_12 && !SUSPICIOUS_BOUNDARY_FAKE_FTIME_01
describe SUSPICIOUS_BOUNDARY_FAKE_FTIME Suspicious boundary in header Content-Type (sa-learn_candidate)
score SUSPICIOUS_BOUNDARY_FAKE_FTIME 2.0

# Counter "0001" variant, scored 0.1: it records the hit and, through the meta
# above, keeps the generic 2.0 rule from firing.
header SUSPICIOUS_BOUNDARY_FAKE_FTIME_01 Content-Type =~ /^\s*multipart.+boundary="----=_NextPart_000_0001_(0[02-9A-F]|[1-9A-F][\dA-Z])[A-F\d]{6}\.[\dA-F]{8}"[\r\n]*$/s
describe SUSPICIOUS_BOUNDARY_FAKE_FTIME_01 Suspicious boundary in header Content-Type (sa-learn_candidate)
score SUSPICIOUS_BOUNDARY_FAKE_FTIME_01 0.1

########################################
# --- Unexpanded %MACRO% placeholders in headers -----------------------------
# Each group pairs a rule for one exact placeholder with a broader catch-all;
# the catch-all meta excludes the exact rule so the two do not stack.
#
# To: %AMS_MESSAGE_TO%
#
#header MACRO_AMS_MESSAGE_TO To =~ /^\s*\%AMS_MESSAGE_TO\%$/
# The active pattern is unanchored, so the placeholder matches anywhere in To.
header MACRO_AMS_MESSAGE_TO To =~ /\%AMS_MESSAGE_TO\%/
describe MACRO_AMS_MESSAGE_TO Macro AMS_MESSAGE_TO found in header To (DSPAM_autolearn)
score MACRO_AMS_MESSAGE_TO 5.0

# Whole To value is "%...%" or "%NAME" (case-insensitive).
header __MACRO_TO To =~ /^\s*(%\S+%|%[A-Z_\-]+)$/i
meta MACRO_TO __MACRO_TO && !MACRO_AMS_MESSAGE_TO
describe MACRO_TO Macro found in header To (DSPAM_autolearn)
score MACRO_TO 3.0

#
# Subject: %AMS_MESSAGE_SUBJECT%
#
# NOTE(review): the describe text names AMS_MESSAGE_TO although the pattern
# matches %AMS_MESSAGE_SUBJECT% - looks copied from the To rule. The same
# wording recurs on MACRO_AMS_MESSAGE_DATE and MACRO_AMS_NEXTPART below.
header MACRO_AMS_MESSAGE_SUBJECT Subject =~ /^\s*\%AMS_MESSAGE_SUBJECT\%$/
describe MACRO_AMS_MESSAGE_SUBJECT Macro AMS_MESSAGE_TO found in header Subject (DSPAM_autolearn)
score MACRO_AMS_MESSAGE_SUBJECT 5.0

#
# Subject: Doc % FROM_NAME
#
#header __MACRO_SUBJECT Subject =~ /(%\S+%|%\s?[A-Z_\-]+)\s*$/i
#meta MACRO_SUBJECT __MACRO_SUBJECT && !MACRO_AMS_MESSAGE_SUBJECT
#describe MACRO_SUBJECT Macro found in header Subject (DSPAM_autolearn)
#score MACRO_SUBJECT 3.0
# NOTE(review): /%\S+%/ is unanchored and matches any two percent signs with
# no whitespace between them, e.g. a Subject containing "10%-20%". Check the
# false-positive rate on legitimate promotional or financial mail.
header __MACRO_SUBJECT Subject =~ /%\S+%/
meta MACRO_SUBJECT __MACRO_SUBJECT && !MACRO_AMS_MESSAGE_SUBJECT
describe MACRO_SUBJECT Macro found in header Subject (sa-learn_candidate)
score MACRO_SUBJECT 3.0

# Subject ends in "%NAME" or "% NAME" (upper case only) after whitespace.
header __MACRO2_SUBJECT Subject =~ /\s%\s?[A-Z_\-]+\s*$/
meta MACRO2_SUBJECT __MACRO2_SUBJECT && !MACRO_AMS_MESSAGE_SUBJECT
describe MACRO2_SUBJECT Macro found in header Subject
score MACRO2_SUBJECT 2.0

#
# Date: %AMS_MESSAGE_DATE%
#
header MACRO_AMS_MESSAGE_DATE Date =~ /^\s*\%AMS_MESSAGE_DATE\%$/
describe MACRO_AMS_MESSAGE_DATE Macro AMS_MESSAGE_TO found in header Date (DSPAM_autolearn)
score MACRO_AMS_MESSAGE_DATE 5.0

header __MACRO_DATE Date =~ /^\s*(%\S+%|%[A-Z_\-]+)$/i
meta MACRO_DATE __MACRO_DATE && !MACRO_AMS_MESSAGE_DATE
describe MACRO_DATE Macro found in header Date (DSPAM_autolearn)
score MACRO_DATE 3.0

#
# Content-Type: multipart/alternative;
#   boundary="%AMS_NEXTPART%"
#
header MACRO_AMS_NEXTPART Content-Type =~ /\%AMS_NEXTPART\%/
describe MACRO_AMS_NEXTPART Macro AMS_MESSAGE_TO found in header Content-Type (DSPAM_autolearn)
score MACRO_AMS_NEXTPART 5.0

#
# Content-Type: text/plain; charset=%CHARSET
#
header MACRO_CONTENT_TYPE Content-Type =~ /\%CHARSET/
describe MACRO_CONTENT_TYPE Macro found in header Content-Type (DSPAM_autolearn)
score MACRO_CONTENT_TYPE 4.0

#
# X-Mailer: Microsoft Outlook Express %OE_VERSION%OE_SUBVERSION
#
# Whole-value match: the mailer banner with its version placeholders intact.
header MACRO_X_MAILER X-Mailer =~ /^\s*Microsoft Outlook Express \%OE_VERSION\%OE_SUBVERSION$/
describe MACRO_X_MAILER Macro found in header X-Mailer (DSPAM_autolearn)
score MACRO_X_MAILER 4.0

#
# X-MimeOLE: Produced By Microsoft MimeOLE V%OE_VERSION%OE_SUBVERSION
#
header MACRO_X_MIMEOLE X-MimeOLE =~ /^\s*Produced By Microsoft MimeOLE V\%OE_VERSION\%OE_SUBVERSION$/
describe MACRO_X_MIMEOLE Macro found in header X-MimeOLE (DSPAM_autolearn)
score MACRO_X_MIMEOLE 4.0

#
# Received: from %RECEIVED.yahoo.com ([125.162.8.240]) by 122.252.111.133 %REC_WITH;
#   Thu, 05 Apr 2007 16:54:55 -0100
#
# Matches either a "from %name[.domain] " host placeholder or the literal
# %REC_WITH anywhere in the Received data.
header MACRO_RECEIVED Received =~ /.*(from \%\S+(\.[a-zA-Z-\d]+)* |\%REC_WITH)/s
describe MACRO_RECEIVED Macro found in header Received (DSPAM_autolearn)
score MACRO_RECEIVED 5.0

#
# Message-ID: <%MESSAGEID@yahoo.com>
#
# Local part of the Message-ID starts with "%".
header MACRO_MESSAGEID Message-ID =~ /^\s*\<\%\S+(\.[a-zA-Z-\d]+)*\@/
describe MACRO_MESSAGEID Macro found in header Message-ID (DSPAM_autolearn)
score MACRO_MESSAGEID 3.0

#
# Message-ID: <%MESSAGE_ID%>
#
header MACRO_MESSAGE_ID Message-ID =~ /^\s*\<\%MESSAGE_ID\%>/
describe MACRO_MESSAGE_ID Macro found in header Message-ID (DSPAM_autolearn)
score MACRO_MESSAGE_ID 3.0

# --- Unexpanded $NAME and {NAME} placeholders -------------------------------
#
# Received: from $FROM_NAME $FROM_NAME (10.18.14.13) by tm630 (PowerMTA(TM) v3.2r4) id hfp16o78d63j87 for ; Fri, 30 Nov 2007 02:31:30 +0100
#
# Received: from $FROM_NAME $FROM_NAME (10.10.17.19) by clsm-74-212-49-27-pppoe.dsl.clsm.epix.net (PowerMTA(TM) v3.2r4) id hfp72o45d71j84 for ; Wed, 5 Dec 2007 06:46:57 -0500
#
# Matches one exact Received shape: literal "$FROM_NAME" twice, a 10.x.x.x
# address, the "PowerMTA(TM) v3.2r4" banner, a 14-character id and a
# "for <addr>;" clause.
# NOTE(review): the samples above show "for ;" - the bracketed address seems
# to have been lost in extraction, since the pattern requires one.
header MACRO_RECEIVED_FROM_NAME Received =~ /from \$FROM_NAME \$FROM_NAME \(10\.\d{1,3}\.\d{1,3}\.\d{1,3}\) by[\s\r\n]+\S+ \(PowerMTA\(TM\) v3\.2r4\) id [a-z\d]{14}[\s\r\n]+for <\S+\@\S+>;/
describe MACRO_RECEIVED_FROM_NAME Macro found in header Received (DSPAM_autolearn)
score MACRO_RECEIVED_FROM_NAME 5.0

#
# From: {RUS_FROM}
# From: {RUS_FROM}
#
# NOTE(review): DAMAGED. The pattern below ends in " ]+" and the describe and
# score that follow belong to MACRO_FROM_LOCALPART, for which no header line
# is visible. It looks as if the tail of MACRO_FROM_NAME and the head of
# MACRO_FROM_LOCALPART were lost. As written, MACRO_FROM_NAME has no describe
# or score of its own and MACRO_FROM_LOCALPART has no test. Restore both from
# upstream before use.
header MACRO_FROM_NAME From =~ /^\s*\{RUS_FROM\} ]+/
describe MACRO_FROM_LOCALPART Macro found in local part of header From (DSPAM_autolearn)
score MACRO_FROM_LOCALPART 5.0

#
# To: {nTagMailTo}@falbi.ua
#
# Local part of the To address is a "{...}" placeholder.
header MACRO_TO_LOCALPART To =~ /^\s*\{\S+\}\@[^\@\>]+/
describe MACRO_TO_LOCALPART Macro found in local part of header To (DSPAM_autolearn)
score MACRO_TO_LOCALPART 5.0

#
# Subject: Subject: $REPLINK
#
# Subject value itself starts with "Subject: " followed by a "$NAME" token.
header MACRO_SUBJECT_DOUBLED_NAME Subject =~ /^\s*Subject: \$\S+\s*$/
describe MACRO_SUBJECT_DOUBLED_NAME Macro found in header Subject, header name doubled (DSPAM_autolearn)
score MACRO_SUBJECT_DOUBLED_NAME 5.0

#
# From: {TAGMAILFROM}
#
# Whole From value is a single "{...}" token.
header MACRO_FROM_ADDRESS From =~ /^\s*\{\S+\}$/
describe MACRO_FROM_ADDRESS Macro found in header From (DSPAM_autolearn)
score MACRO_FROM_ADDRESS 5.0

#
# To: {nTagMailTo}
#
header MACRO_TO_ADDRESS To =~ /^\s*\{\S+\}$/
describe MACRO_TO_ADDRESS Macro found in header To (DSPAM_autolearn)
score MACRO_TO_ADDRESS 5.0

#
# Subject: $REPSBJ
#
header MACRO_SUBJECT_REPSBJ Subject =~ /^\s*\$REPSBJ$/
describe MACRO_SUBJECT_REPSBJ Macro $REPSBJ found in header Subject (DSPAM_autolearn)
score MACRO_SUBJECT_REPSBJ 5.0

#
# Subject: {DIKSBJ}
#
header MACRO_SUBJECT_DIKSBJ Subject =~ /^\s*\{DIKSBJ\}$/
describe MACRO_SUBJECT_DIKSBJ Macro {DIKSBJ} found in header Subject (DSPAM_autolearn)
score MACRO_SUBJECT_DIKSBJ 5.0

# Generic form: Subject is exactly "{" + three or more capitals + "}".
# A Subject of "{DIKSBJ}" satisfies this pattern as well as the one above, so
# the two scores add (5.0 + 1.0); no meta excludes one from the other.
header MAYBE_MACRO_IN_SUBJECT Subject =~ /^\s*\{[A-Z]{3,}\}$/
describe MAYBE_MACRO_IN_SUBJECT May be macro found in header Subject
score MAYBE_MACRO_IN_SUBJECT 1.0

#
# From: "{_FIRSTNAME1} {_LASTNAME1}"
#
# NOTE(review): DAMAGED. The next two header lines have no closing "/" and no
# describe or score; the rest of each rule (and the sample for the second) is
# missing from this copy. Restore from upstream before use.
header MACRO_NAMES_FROM From =~ /^\s*"\{_FIRSTNAME1\} \{_LASTNAME1\}" \
#
header MACRO_NAMES_FROM2 From =~ /^\s*"\[\?var=FIRSTNAME\] \[\?var=LASTNAME\]" \
#
# Message-ID is exactly "<@@MESSAGE_ID>".
header MACRO_MSGID_DOUBLEAT Message-ID =~ /^\s*<\@\@MESSAGE_ID>$/
describe MACRO_MSGID_DOUBLEAT There is macro in header Message-ID (DSPAM_autolearn)
score MACRO_MSGID_DOUBLEAT 3.5

# Only evaluated when the DSPAM plugin is loaded: adds a further 3.5 when
# MACRO_MSGID_DOUBLEAT and DSPAM_CHECK_00_01 both hit.
# NOTE(review): DSPAM_CHECK_00_01 is not defined in this view; "compensation"
# presumably means offsetting a negative DSPAM-derived score - confirm.
ifplugin Mail::SpamAssassin::Plugin::DSPAM
meta MACRO_MSGID_DOUBLEAT_DSPAM MACRO_MSGID_DOUBLEAT && DSPAM_CHECK_00_01
describe MACRO_MSGID_DOUBLEAT_DSPAM MACRO_MSGID_DOUBLEAT DSPAM compensation
score MACRO_MSGID_DOUBLEAT_DSPAM 3.5
endif

#
# From: "ðÉÍÅÎ {_RASTNAME}"
#
# NOTE(review): DAMAGED. The pattern has no closing "/" and the rule has no
# describe or score; the first lines of the sample block that followed it are
# missing too. Restore from upstream before use.
header MACRO_FROM_RASTNAME From =~ /^\s*".+? \{_RASTNAME\}"[\s\r\n]+
# Reply-To: {#FROM_DESCR} <{#FROM_ADDR}>
# Message-ID: <{DIGITS>9<9}.{LINE[date]}{DIGITS>6<6}@{#LAST_DNS}>
# To: {LINE[to]} <{#FIRST_EMAIL}>
# Subject: {LINE[subj]}
#
# Virus check: {WORDS[words]>30<300}
#
# --- {LINE[..]} / {#NAME} template placeholders -----------------------------
# One rule per header for the template shown above, each scored 3.0. A
# message sent with the whole template unexpanded hits several of them, so
# the scores add up.
# "#" is written "\#" inside the patterns; a bare "#" would start a comment
# in a SpamAssassin config line.
header MACRO_LINE_DATE Date =~ /^\s*\{\#DATE\}$/
describe MACRO_LINE_DATE Thereis a macro in header Date (DSPAM_autolearn)
score MACRO_LINE_DATE 3.0

header MACRO_LINE_FROM From =~ /\{LINE\[from\]\}/
describe MACRO_LINE_FROM Thereis a macro in header From (DSPAM_autolearn)
score MACRO_LINE_FROM 3.0

header MACRO_LINE_FROM_ADDR From =~ /<\{LINE\[fr\]\}>/
describe MACRO_LINE_FROM_ADDR Thereis a macro in header From (DSPAM_autolearn)
score MACRO_LINE_FROM_ADDR 3.0

header MACRO_LINE_REPLY_TO Reply-To =~ /\{\#FROM_DESCR\}/
describe MACRO_LINE_REPLY_TO Thereis a macro in header Reply-To (DSPAM_autolearn)
score MACRO_LINE_REPLY_TO 3.0

header MACRO_LINE_REPLY_TO_ADDR Reply-To =~ /<\{\#FROM_ADDR\}>/
describe MACRO_LINE_REPLY_TO_ADDR Thereis a macro in header Reply-To (DSPAM_autolearn)
score MACRO_LINE_REPLY_TO_ADDR 3.0

header MACRO_LINE_MSGID Message-ID =~ /^\s*<\{DIGITS>9<9\}\.\{LINE\[date\]\}\{DIGITS>6<6\}\@\{\#LAST_DNS\}>$/
describe MACRO_LINE_MSGID Thereis a macro in header Message-ID (DSPAM_autolearn)
score MACRO_LINE_MSGID 3.0

header MACRO_LINE_TO To =~ /\{LINE\[to\]\}/
describe MACRO_LINE_TO Thereis a macro in header To (DSPAM_autolearn)
score MACRO_LINE_TO 3.0

header MACRO_LINE_TO_ADDR To =~ /<\{\#FIRST_EMAIL\}>/
describe MACRO_LINE_TO_ADDR Thereis a macro in header To (DSPAM_autolearn)
score MACRO_LINE_TO_ADDR 3.0

header MACRO_LINE_SUBJECT Subject =~ /^\s*\{LINE\[subj\]\}$/
describe MACRO_LINE_SUBJECT Thereis a macro in header Subject (DSPAM_autolearn)
score MACRO_LINE_SUBJECT 3.0

# The only body rule in the file: the unexpanded "Virus check:" footer.
body MACRO_LINE_BODY_Virus_check /Virus check: \{WORDS\[words\]>30<300\}/
describe MACRO_LINE_BODY_Virus_check Thereis a macro in message body (DSPAM_autolearn)
score MACRO_LINE_BODY_Virus_check 3.0

# --- {LET:...} choice-list placeholders -------------------------------------
#
# X-Mailer: apqfgzpsq{LET:.,_, ,-}99
# X-Mailer: apybp{LET:.,_, ,-}68
# X-Mailer: ayhsiiowzy{LET:.,_, ,-}59
# X-Mailer: bccntxhggs{LET:.,_, ,-}72
# X-Mailer: bgetzdkz{LET:.,_, ,-}15
# X-Mailer: brjbmles{LET:.,_, ,-}01
#
# Lower-case word, the literal choice list, then digits.
# NOTE(review): the "." after "LET:" is unescaped, so it matches any single
# character rather than only a dot; escape it if an exact match is intended.
header MACRO_X_MAILER_LET X-Mailer =~ /^\s*[a-z]{3,}\{LET:.,_, ,-\}\d+$/
describe MACRO_X_MAILER_LET There is a macro in header X-Mailer, already_read
score MACRO_X_MAILER_LET 3.0

# Received: from [221.180.201.145] (helo=xrcuqlmcvgzc.nupeypvoifpji.{LET:ru,org,com,va,net,biz,info,tv,ua,su})
#   by j80220.upc-j.chello.nl with esmtpa (Exim 4.69)
#   (envelope-from )
#   id 1MMRC8-6298xa-BO
#   for ; Wed, 3 Feb 2010 09:01:40 +0100
# Matches this one exact TLD choice list anywhere in the Received data; a list
# with different entries or order is not covered.
header MACRO_RECEIVED_LET Received =~ /\{LET:ru,org,com,va,net,biz,info,tv,ua,su\}/
describe MACRO_RECEIVED_LET There is a macro in header Received, already_read
score MACRO_RECEIVED_LET 5.0

#
# From:%
#
# NOTE(review): DAMAGED. The pattern stops after "/^\%" with no closing "/",
# and the rule has no describe or score. Restore from upstream before use.
header MACRO_FROM_PERSENT From =~ /^\%
#
#
#
#
#
#
#
#
# --- HTML bodies without a charset ------------------------------------------
# `full` rules are matched against the raw message text.
# NOTE(review): DAMAGED. All three patterns below open with bare whitespace
# runs where the opening tags (<html>, <head>, <meta ...>, <title>) would have
# been; the sample block above this first rule is empty for the same reason.
# The surviving patterns are much looser than the describe text implies - this
# first one now needs only whitespace before "</title>", then "</head>" and
# "<body>" - yet it still scores 5.5. Do not deploy these three rules until
# they are restored from upstream.
full HTML_BODY_NO_CHARSET_NO_TITLE /[\s\r\n]+[\s\r\n]+[\s\r\n]+<\/title>[\s\r\n]+<\/head>[\s\r\n]+<body>/
describe HTML_BODY_NO_CHARSET_NO_TITLE HTML body without charset and title, already_read
score HTML_BODY_NO_CHARSET_NO_TITLE 5.5

#
# <html>
#
# <head>
# <meta http-equiv=Content-Language content=en-us>
# <meta http-equiv=Content-Type content=text/html; >
# <title>Ðó÷íaÿ ðeãèñòðaöèÿ ía 1ÎÎ ñaìûõ
#
#
#
#
# NOTE(review): the describe text says "7-bit title", but the title part of
# the pattern requires at least one byte in \x80-\xFF, i.e. an 8-bit title.
full HTML_BODY_NO_CHARSET_CL_EN_US /[\s\r\n]+[\s\r\n]+[\s\r\n]+[\s\r\n]+[^<]*[\x80-\xFF][^<]*<\/title>[\s\r\n]+<\/head>[\s\r\n]+<body>/
describe HTML_BODY_NO_CHARSET_CL_EN_US HTML body without charset but with Content-Language en-us and 7-bit title
score HTML_BODY_NO_CHARSET_CL_EN_US 4.0

#
# <html>
#
# <head>
# <meta http-equiv=Content-Type content=text/html; >
# <title>Âû ëþáèòå äàpèòü è ïoëó÷àòü ïoäà
#
#
#
#
# As it stands, this matches any non-empty title text preceded by whitespace
# and followed by "</title>", "</head>" and "<body>" separated by whitespace.
full HTML_BODY_NO_CHARSET /[\s\r\n]+[\s\r\n]+[\s\r\n]+[^<]+<\/title>[\s\r\n]+<\/head>[\s\r\n]+<body>/
describe HTML_BODY_NO_CHARSET HTML body without charset
score HTML_BODY_NO_CHARSET 3.5