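#
# 2007-2022 Victor Ustugov
#
# SpamAssassin rules (meta / header / describe / score) that look for
# inconsistencies between the mail user agent a message claims to have
# been sent with (X-Mailer / User-Agent) and the rest of its headers.
#
# The file is not self-contained: many sub-rules it references
# (__CUST_*, __HAS_X_Mailer, __YAHOO_BULK, __ANY_OUTLOOK_MUA, __MIME_HTML,
# __TAG_EXISTS_*, __THEBAT_MUA_ANY, __User_Agent_*, __X_Mailer_*,
# FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS, SENDER_DOMAIN_NO_MX,
# __MAILMAN, FROM_ZVIT_STA_GOV_UA, SUSPICIOUS_MAILER_*, PS, FAKE_REPLY_C,
# __TO_WITHOUT_REALNAME, __FROM_WITHOUT_REALNAME) are defined in other
# rule files. Check with `spamassassin --lint` after loading so that a
# missing dependency is noticed rather than silently disabling a meta.
#
# Scores are per-rule weights; several rules below (X_MAILER_Sendmail 6.0,
# MS_BOUNDARY_NO_X_MAILER_FORGED_SENDER_NO_MX 6.2, FAKE_X_MAILER_CHILKAT_MSGID
# 7.0) are at or above SpamAssassin's default required_score of 5.0, so a
# single hit alone classifies a message as spam. Tune to the local corpus.
#

# Disabled: FORGED_MSMUA_TAGS below tests the same condition and also covers
# the MWM / MWLM X-Mailer variants.
#meta FORGED_OUTLOOK_TAGS (!__YAHOO_BULK && __ANY_OUTLOOK_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY))
#describe FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format

# Claimed Microsoft MUA, HTML body, but the html/head/meta/body tags those
# clients always emit are missing.
meta FORGED_MSMUA_TAGS (!__YAHOO_BULK && (__ANY_OUTLOOK_MUA || __CUST_X_Mailer_MWM || __CUST_X_Mailer_MWLM) && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY))
describe FORGED_MSMUA_TAGS Outlook/OE/MWM/MWLM can't send HTML in this format
score FORGED_MSMUA_TAGS 1.0

# X-Mailer header is present but has no value.
meta EMPTY_X_MAILER __HAS_X_Mailer && __CUST_X_MAILER_EMPTY
describe EMPTY_X_MAILER Empty X-Mailer
score EMPTY_X_MAILER 4.0

# Microsoft-style MIME boundary in Content-Type but no X-Mailer at all.
# The three public rules below are mutually exclusive refinements of this
# base condition (with / without a forged sender, with / without MX).
meta __MS_BOUNDARY_NO_X_MAILER __CUST_Content_Type_multipart_OE_boundary && !__HAS_X_Mailer && !FROM_ZVIT_STA_GOV_UA
meta __MS_BOUNDARY_NO_X_MAILER_FORGED_SENDER __MS_BOUNDARY_NO_X_MAILER && FREEMAIL_FROM && HEADER_FROM_DIFFERENT_DOMAINS

meta MS_BOUNDARY_NO_X_MAILER_FORGED_SENDER_NO_MX __MS_BOUNDARY_NO_X_MAILER_FORGED_SENDER && SENDER_DOMAIN_NO_MX
describe MS_BOUNDARY_NO_X_MAILER_FORGED_SENDER_NO_MX MS boundary found in header Content-Type and no header X-Mailer, forged sender address (sa-learn_candidate)
score MS_BOUNDARY_NO_X_MAILER_FORGED_SENDER_NO_MX 6.2

meta MS_BOUNDARY_NO_X_MAILER_FORGED_SENDER __MS_BOUNDARY_NO_X_MAILER_FORGED_SENDER && !SENDER_DOMAIN_NO_MX && !__MAILMAN
describe MS_BOUNDARY_NO_X_MAILER_FORGED_SENDER MS boundary found in header Content-Type and no header X-Mailer, forged sender address (sa-learn_candidate)
score MS_BOUNDARY_NO_X_MAILER_FORGED_SENDER 5.2

meta MS_BOUNDARY_NO_X_MAILER __MS_BOUNDARY_NO_X_MAILER && !__MS_BOUNDARY_NO_X_MAILER_FORGED_SENDER && !__MAILMAN
describe MS_BOUNDARY_NO_X_MAILER MS boundary found in header Content-Type and no header X-Mailer (sa-learn_candidate)
score MS_BOUNDARY_NO_X_MAILER 2.8

# Headers added by PHP's mail() (X-PHP-Originating-Script, X-PHP-Script,
# non-empty X-Source-Dir) identify a message generated by a PHP script.
meta __SENT_BY_PHP (__HAS_X_PHP_Originating_Script || __HAS_X_PHP_Script || (__HAS_X_Source_Dir && __CUST_X_Source_Dir_NOT_EMPTY))

# A Microsoft-style boundary is not something PHP mail() produces by itself.
meta MS_BOUNDARY_PHP __CUST_Content_Type_multipart_OE_boundary && __SENT_BY_PHP
describe MS_BOUNDARY_PHP MS boundary found in message sent by PHP (sa-learn_candidate)
score MS_BOUNDARY_PHP 3.5

# Weaker variant: X-Source-Dir is present but empty, so PHP origin is only likely.
meta MS_BOUNDARY_MAYBE_PHP __CUST_Content_Type_multipart_OE_boundary && __HAS_X_Source_Dir && !__CUST_X_Source_Dir_NOT_EMPTY
describe MS_BOUNDARY_MAYBE_PHP MS boundary found in message sent by PHP
score MS_BOUNDARY_MAYBE_PHP 0.5

# Any well-known desktop MUA signature in X-Mailer or User-Agent.
meta __KNOWN_X_MAILER_MS __CUST_X_Mailer_OE || __CUST_X_Mailer_MWM || __CUST_X_Mailer_MWLM || __CUST_X_Mailer_MO || __CUST_X_Mailer_CDO2000
meta __KNOWN_X_MAILER __KNOWN_X_MAILER_MS || __THEBAT_MUA_ANY
meta __KNOWN_USER_AGENT __User_Agent_Mozilla || __User_Agent_Mozilla5_Thunderbird || __User_Agent_Mozilla_Thunderbird || __User_Agent_Thunderbird || __User_Agent_Seamonkey || __User_Agent_Postbox || __User_Agent_Opera

# A desktop MUA signature combined with PHP mail() headers is contradictory.
meta KNOWN_MUA_PHP (__KNOWN_X_MAILER || __KNOWN_USER_AGENT || __X_Mailer_mPOP_Web_Mail) && __SENT_BY_PHP
describe KNOWN_MUA_PHP There is known MUA in headers X-Mailer or User-Agent in message sent by PHP
score KNOWN_MUA_PHP 3.0

# "Mozilla/4.0 ..." / "Mozilla/5.0 ..." is a User-Agent value, not an X-Mailer value.
header __USER_AGENT_MOZILLA_IN_X_MAILER X-Mailer =~ /^\s*Mozilla\/[45]\.0\s/
meta USER_AGENT_MOZILLA_IN_X_MAILER __USER_AGENT_MOZILLA_IN_X_MAILER && !__HAS_X_SpamCop_sourceip
describe USER_AGENT_MOZILLA_IN_X_MAILER User-Agent signature found in header X-Mailer
score USER_AGENT_MOZILLA_IN_X_MAILER 3.5

# Sample of the header this rule was written against:
# X-Mailer: Outlook-Express/7.0 (MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2;
# .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC
# 6.0; TmstmpExt)
header STRANGE_MUA_O_E X-Mailer =~ /^\s*Outlook-Express\/7\.0 \(/
describe STRANGE_MUA_O_E Strange X-Mailer Outlook-Express
score STRANGE_MUA_O_E 5.0

# MTA names (Sendmail, Postfix, Qmail, Exim) do not belong in X-Mailer /
# User-Agent; an MTA does not set these headers.
header X_MAILER_Sendmail X-Mailer =~ /^\s*Sendmail (8\.\d+\.\d+\/8\.\d+\.\d+|3\.\d+\/3\.\d+)$/
describe X_MAILER_Sendmail Strange X-Mailer Sendmail (DSPAM_autolearn)
score X_MAILER_Sendmail 6.0

header X_MAILER_SMTP_SENDMAIL X-Mailer =~ /^\s*SMTP\.SENDMAIL\.FFFFx029A$/
describe X_MAILER_SMTP_SENDMAIL Suspicious X-Mailer SMTP.SENDMAIL
score X_MAILER_SMTP_SENDMAIL 4.0

header X_MAILER_Postfix X-Mailer =~ /^\s*Postfix 2\.\d\d$/
describe X_MAILER_Postfix Strange X-Mailer Postfix (DSPAM_autolearn)
score X_MAILER_Postfix 5.0

header X_MAILER_Qmail X-Mailer =~ /^\s*(Qmail-3\.\d\d|Qmail 2\.\d\d)$/
describe X_MAILER_Qmail Strange X-Mailer Qmail (DSPAM_autolearn)
score X_MAILER_Qmail 5.0

header X_MAILER_Gentoo X-Mailer =~ /^\s*Gentoo$/
describe X_MAILER_Gentoo Strange X-Mailer Gentoo (DSPAM_autolearn)
score X_MAILER_Gentoo 5.0

header X_MAILER_Exim X-Mailer =~ /^\s*Exim \d+\.\d+$/
describe X_MAILER_Exim Strange X-Mailer Exim (DSPAM_autolearn)
score X_MAILER_Exim 5.0

header User_Agent_postfix User-Agent =~ /^\s*postfix$/
describe User_Agent_postfix Strange User-Agent postfix
score User_Agent_postfix 5.0

# Bare product names without the version string the real clients append.
header __FORGED_X_MAILER X-Mailer =~ /^\s*(Microsoft Outlook|Outlook Express|Outlook Express 6|Outlook Express 6\.0|The Bat!?)$/
meta FORGED_X_MAILER __FORGED_X_MAILER && !SUSPICIOUS_MAILER_OE_WO_VER && !SUSPICIOUS_MAILER_The_Bat_WO_VER && !PS
describe FORGED_X_MAILER Forged X-Mailer (DSPAM_autolearn)
score FORGED_X_MAILER 5.0

# Eudora signature, Sender/Return-Path mismatch, and windows-1251 encoded
# From/Subject.
meta FORGED_MUA_QUALCOMM_Eudora __QUALCOMM_Windows_Eudora_X_Mailer && !__X_Sender_Return_Path && __CUST_From_BASE64_windows_1251 && __CUST_Subject_QP_windows_1251
describe FORGED_MUA_QUALCOMM_Eudora Header Sender mismatch in message from QUALCOMM Windows Eudora
score FORGED_MUA_QUALCOMM_Eudora 2.0

header __FORGED_MUA_QUALCOMM_Eudora_CT Content-Type =~ /^\s*multipart\/related;[\r\n\s]*type="multipart\/alternative";[\r\n\s]*boundary="=====================_\d{6,9}(==)?\.REL"$/
meta FORGED_MUA_QUALCOMM_Eudora_CT __QUALCOMM_Windows_Eudora_X_Mailer && __FORGED_MUA_QUALCOMM_Eudora_CT
describe FORGED_MUA_QUALCOMM_Eudora_CT Message pretends to be sent from QUALCOMM Eudora but has suspicious header Content-Type
score FORGED_MUA_QUALCOMM_Eudora_CT 2.0

# mPOP Web-Mail (mail.ru webmail) checks.
meta mPOP_Web_Mail_DIFFERENT_ADDRS __X_Mailer_mPOP_Web_Mail && !__CUST_X_Envelope_From_From && !__CUST_Return_Path_From && !__CUST_Return_path_From
describe mPOP_Web_Mail_DIFFERENT_ADDRS X-Mailer: mPOP Web-Mail and different addresses in Return-Path and header From
score mPOP_Web_Mail_DIFFERENT_ADDRS 3.0

# NOTE(review): the domain alternation is not anchored at the end of the
# domain, so any longer domain that merely starts with one of these names
# also counts as "real" and suppresses FAKE_mPOP_Web_Mail; consider anchoring.
header __mPOP_Web_Mail_From_Real From =~ /\@(mail\.ru|list\.ru|bk\.ru|inbox\.ru|ukr\.net)/
# Date in the +0300 / +0400 offsets the real service is expected to use.
header __FAKE_mPOP_Web_Mail_Date Date =~ / \+0[34]00 *$/
meta FAKE_mPOP_Web_Mail __X_Mailer_mPOP_Web_Mail && !__mPOP_Web_Mail_From_Real && __TO_WITHOUT_REALNAME && __FROM_WITHOUT_REALNAME && __FAKE_mPOP_Web_Mail_Date && __CUST_Content_Type_text_plain
describe FAKE_mPOP_Web_Mail Fake mPOP Web-Mail
score FAKE_mPOP_Web_Mail 4.0

header X_MAILER_OUTLOOK_5_0 X-Mailer =~ /^\s*Outlook 5\.0$/
describe X_MAILER_OUTLOOK_5_0 Suspicious X-Mailer
score X_MAILER_OUTLOOK_5_0 3.0

header FORGED_X_MAILER_Yamail X-Mailer =~ /^\s*Yamail$/
describe FORGED_X_MAILER_Yamail Forged X-Mailer Yamail
score FORGED_X_MAILER_Yamail 3.0

# NOTE(review): as recovered, this pattern matches only an empty or
# whitespace-only Message-ID, which does not match the "Chilkat Message-ID"
# the rule name and description refer to; angle-bracketed text may have been
# lost when the file was extracted. Confirm against the original rule file
# before relying on the 7.0 score below.
header __MSGID_CHILKAT Message-ID =~ /^\s*$/
meta FAKE_X_MAILER_CHILKAT_MSGID __MSGID_CHILKAT && (__X_Mailer_Ximian_Evolution || __X_Mailer_Mutt || __X_Mailer_MIME_tools || __X_Mailer_IPB_PHP_Mailer || __THEBAT_MUA_ANY || __X_Mailer_Apple_Mail || __X_Mailer_Pegasus_Mail_Win32 || __X_Mailer_Sylpheed)
describe FAKE_X_MAILER_CHILKAT_MSGID Fake X-Mailer with Chilkat Software Message-ID
score FAKE_X_MAILER_CHILKAT_MSGID 7.0

########################################
# Fake replies: Subject starts with "Re:" (optionally "Re[N]:") but the
# References / In-Reply-To header the claimed client would have set is empty.
# Each rule is excluded when FAKE_REPLY_C (defined elsewhere) already fires.

header __Reply_Subject Subject =~ /^[\s\r\n]*Re(\[\d+\])?:/i

meta FAKE_REPLY_OE __Reply_Subject && (__CUST_X_Mailer_OE_5 || __CUST_X_Mailer_OE_6) && __CUST_References_EMPTY && !FAKE_REPLY_C
describe FAKE_REPLY_OE Fake reply message
score FAKE_REPLY_OE 1.5

meta FAKE_REPLY_MWM __Reply_Subject && __CUST_X_Mailer_MWM && __CUST_References_EMPTY && !FAKE_REPLY_C
describe FAKE_REPLY_MWM Fake reply message
score FAKE_REPLY_MWM 1.5

meta FAKE_REPLY_MWLM __Reply_Subject && __CUST_X_Mailer_MWLM && __CUST_References_EMPTY && !FAKE_REPLY_C
describe FAKE_REPLY_MWLM Fake reply message
score FAKE_REPLY_MWLM 1.5

meta FAKE_REPLY_MSO11 __Reply_Subject && __CUST_X_Mailer_MSO11 && __CUST_In_Reply_To_EMPTY && !FAKE_REPLY_C
describe FAKE_REPLY_MSO11 Fake reply message
score FAKE_REPLY_MSO11 1.5

meta FAKE_REPLY_MSO12 __Reply_Subject && __CUST_X_Mailer_MSO12 && (__CUST_References_EMPTY || __CUST_In_Reply_To_EMPTY) && !FAKE_REPLY_C
describe FAKE_REPLY_MSO12 Fake reply message
score FAKE_REPLY_MSO12 1.5

meta FAKE_REPLY_MSO14 __Reply_Subject && __CUST_X_Mailer_MSO14 && (__CUST_References_EMPTY || __CUST_In_Reply_To_EMPTY) && !FAKE_REPLY_C
describe FAKE_REPLY_MSO14 Fake reply message
score FAKE_REPLY_MSO14 1.5

meta FAKE_REPLY_Mozilla_Mail __Reply_Subject && __User_Agent_Mozilla5 && !__CUST_X_Mailer_CDO2000 && (__CUST_References_EMPTY || __CUST_In_Reply_To_EMPTY) && !FAKE_REPLY_C
describe FAKE_REPLY_Mozilla_Mail Fake reply message
score FAKE_REPLY_Mozilla_Mail 2.5

meta FAKE_REPLY_Mozilla_TB __Reply_Subject && __User_Agent_Thunderbird && (__CUST_References_EMPTY || __CUST_In_Reply_To_EMPTY) && !FAKE_REPLY_C
describe FAKE_REPLY_Mozilla_TB Fake reply message
score FAKE_REPLY_Mozilla_TB 2.5

meta FAKE_REPLY_Postbox __Reply_Subject && __User_Agent_Postbox && (__CUST_References_EMPTY || __CUST_In_Reply_To_EMPTY) && !FAKE_REPLY_C
describe FAKE_REPLY_Postbox Fake reply message
score FAKE_REPLY_Postbox 2.5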