Chip 2003 April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2003 April / Chip_2003-04_cd1.bin / tema / internet / spam / download / sweas / sweasx86.exe / %MAINDIR% / spamfltr / system.sfr < prev next >

Wrap

Text File | 2003-02-24 | 19.3 KB | 635 lines

// ------------------------------------------------------------------- // MailGate SpamWeasel Filter Rules - Version 1.002 - May 2001 // // This file contains the spam filter system rules. // DO NOT EDIT THIS FILE as updates will overwrite any changes you make. // Updates to these rules are available for download on our website. // Vist http://www.mailgate.com to check out the latest version. // ------------------------------------------------------------------- // ------------------------------------------------------------------- // Section 1 - Rules to positively identify Non Spam mails and // definite Spam using user defined lists. // ------------------------------------------------------------------- // ------------------------------------------------------------------- #rule "Pass if From listed in 'Friendly From Addresses'" // // This rule checks the mail From: address and marks the mail as // Not Spam if the sender is listed in the 'Friendly From Addresses' // pattern list. You should add your own friendly addresses to this // list in the patterns tab so your friends emails are always passed. // from$ = ParseAddress(HeaderFieldValue("From")) if MatchesListItem("Friendly From Addresses",from$) then IsOK() endif #endrule // ------------------------------------------------------------------- #rule "Spam if From listed in 'Unfriendly From Addresses'" // // This rule checks the mail From: address and marks the mail as // Spam if the sender is listed in the 'Unfriendly From Addresses' // pattern list. // If you are troubled by regular mails from known sources, like // unwanted lists, which you can not unsubscribe from you can add // these addresses to this list to block these mails. // from$ = ParseAddress(HeaderFieldValue("From")) if MatchesListItem("Unfriendly From Addresses",from$) then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Spam if To or Cc address is not found in 'My Addresses'" // // This rule checks the addresses in the To: and/or CC: fields // against the 'My Addresses' patterns list. Mail marked as Spam // if a match is NOT found otherwise the mail is passed on for // further checks. // TIP - You should enable either this rule or the similar rule // "Pass if To or Cc address is found in 'My Addresses'". // This rule can be useful to seperate out mails sent to general // addresses and not to your to personal addresses. // addr$ = GetFirstAddress("To") :loop if length(addr$) = 0 then loopend: if MatchesListItem("My Addresses",addr$) then goto notspam: addr$ = GetNextAddress() goto loop: :loopend addr$ = GetFirstAddress("Cc") :loop2 if length(addr$) = 0 then loopend2: if MatchesListItem("My Addresses",addr$) then goto notspam: addr$ = GetNextAddress() goto loop2: :loopend2 IsSpam() :notspam #endrule // ------------------------------------------------------------------- #rule "Pass if To or Cc address is found in 'My Addresses'" // // This rule checks the addresses in the To: and/or CC: fields // against the 'My Addresses' patterns list. Mail passes as NOT Spam // if a match IS found otherwise the mail is passed on for further // checks. // Note - If you use this rule and a match is not found the mail // may still pass if none of the other rules identify it as spam. // TIP - You should enable either this rule or the similar rule // "Spam if To and Cc addresses are not found in 'My Addresses'" // This rule can be useful to seperate mail addressed to a personal // address from mail using a more general address // like 'info@mydomain.com'. // addr$ = GetFirstAddress("To") :loop if length(addr$) = 0 then loopend: if MatchesListItem("My Addresses",addr$) then goto notspam: addr$ = GetNextAddress() goto loop: :loopend addr$ = GetFirstAddress("Cc") :loop2 if length(addr$) = 0 then loopend2: if MatchesListItem("My Addresses",addr$) then goto notspam: addr$ = GetNextAddress() goto loop2: :loopend2 goto end: :notspam IsOK() :end #endrule // ------------------------------------------------------------------- #rule "Pass if Subject listed in 'Friendly Subjects'" // // This rule checks the mail Subject: field and marks the mail as // Not Spam if the subject is listed in the 'Friendly Subject' // pattern list. // field$ = HeaderFieldValue("Subject") if MatchesListItem("Friendly Subjects",field$) then IsOk() endif #endrule // ------------------------------------------------------------------- // Section 2 - Rules to check mail header integrity. // ------------------------------------------------------------------- // ------------------------------------------------------------------- #rule "Check for valid Message-Id:" // // This rule checks that the Message-Id: field follows the RFC standards // guidelines. Spam mail with a fake mail header may have a false // Message-Id. // Mail is marked as Spam if the check fails. // field$ = HeaderFieldValue("Message-Id") if not WildcardMatch(field$,"<*@*>*") then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check for blank or missing From: field" // // This rule checks that the From field both exists and is not blank. // Mail is marked as Spam if the check fails. // if not HeaderFieldExists("From") then IsSpam() endif if HeaderFieldValue("From") = "" then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check for blank or missing To: field" // // This rule checks that the To: field both exists and is not blank. // Mail is marked as Spam if the check fails. // if not HeaderFieldExists("To") then IsSpam() endif if HeaderFieldValue("To") = "" then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check Date: field is present and valid" // // This rule checks the Date: field both exists and is valid. // Mail is marked as Spam if the check fails. // if not IsValidDate(HeaderFieldValue("Date")) then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check for all zero IP address" // // This rule checks for an all zero IP address appearing in the mail // header Received ... for... section. // This section of the mail header records the path a mail has taken // through the Internet and will normally record the IP addresses of // the servers used. All zero IP addresses indicates the header data // is fake. // Mail is marked as Spam if a match is found. // if WildcardMatchHeader("*^Received:*0.0.0.0*") then goto spam: if WildcardMatchHeader("*^Received:*000.000.000.000*") then goto spam: goto notspam: :spam IsSpam() :notspam #endrule // ------------------------------------------------------------------- // Section 3 - Rules to check if typical Spam mail header fields // exist or contain known Spam markers. // ------------------------------------------------------------------- // ------------------------------------------------------------------- #rule "Check X-Mailer: field for bulk emailer programs" // // This rule checks the X-mailer: field for a match against known // bulk email programs in the 'Bulk Emailer Programs' list. // X-Mailer: generally contains a reference to the email software // used to create the mail so this rule can identify mail sent // by Bulk or Spam mail creation programs. // Mail is marked as Spam if a match is found. // Field$ = HeaderFieldValue("X-mailer") if MatchesListItem("Bulk Emailer Programs",field$) then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check header for matches listed in 'Definite Spam Markers'" // // This rule checks the header generally for the existence of // matches with the contents of the list 'Definite Spam Markers'. // Mail is marked as Spam if a match is found. // This list contain pattern matches for known spam mail and this // rule should normally be given a high priority setting. // if HeaderMatchesListItem("Definite Spam Markers") then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check header for matches listed in 'Likely Spam Markers'" // // This rule checks the header generally for the existence of // matches with the contents of the list 'Likely Spam Markers'. // Mail is marked as Spam if a match is found. // This list contain pattern matches for probable spam mail and // this rule should normally be given a lower priority setting. // if HeaderMatchesListItem("Likely Spam Markers") then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check if X-BulkEmail: header field exists" // // This rule checks to see if the header field BulkEmail: exists. // Mail is marked as Spam if it is found. // Note - There is more than one way for doing this type of check. // See "Check if X-Advertisement: header field exists" for an // alternative scripting method. // if HeaderFieldExists("X-BulkEmail") then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check if X-Authentication-Warning: header field exists" // // This rule checks to see if the header field // X-Authentication-Warning: exists. Mail is marked as Spam if it // is found. // Note - There is more than one way for doing this type of check. // See "Check if X-Advertisement: header field exists" for an // alternative scripting method. // if HeaderFieldExists("X-Authentication-Warning") then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check if X-Advertisement: header field exists" // // This rule checks to see if the header field X-Advetisement: exists. // Mail is marked as Spam if it is found. // Note - There is more than one way for doing this type of check. // See "Check if X-Authentication-Warning: header field exists" for an // alternative scripting method. Note the use of ^ to define the // start of a new line in the data in this rule. // if WildcardMatchHeader("*^X-Adverti[zs]e*") then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check Mail Header for 'Likely Spam Words'" // // This rule checks the mail header for any of the words in the // 'Likely Spam Words' word list. // Mail is marked as Spam if a match is found. // if FindWordInHeader("Likely Spam Words") then IsSpam() endif #endrule // ------------------------------------------------------------------- // Section 4 - Rules for more general checks on the mail // addresses used. // ------------------------------------------------------------------- // ------------------------------------------------------------------- #rule "Check To/Cc addresses against 'Spam Domain Patterns'" // // This rule checks the To/Cc fields for a match against the // 'Spam domain patterns' list. These domains are typically found in // the addresses used in false mail headers. // Mail is marked as Spam if a match is found. // if MatchesListItem("Spam domain patterns",HeaderFieldValue("To")) then goto spam: if MatchesListItem("Spam domain patterns",HeaderFieldValue("Cc")) then goto spam: goto notspam: :spam IsSpam() :notspam #endrule // ------------------------------------------------------------------- #rule "Check From: against valid 'Root domains'" // // This rule checks the address in the From: field against the // valid 'Root domains' patterns list. This will identify if a false // From address has been used. // Mail is marked as Spam if a valid domain match is not found. // field$ = ParseAddress(HeaderFieldValue("From")) if not MatchesListItem("Root domains",field$) then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check From: against 'Known Spammer From addresses'" // // This rule checks the From: address against the list of // 'Known Spammer From addresses'. // Mail is marked as Spam if a match is found. // field$ = ParseAddress(HeaderFieldValue("From")) if MatchesListItem("Known Spammer From addresses",field$) then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check all addresses for 'friend@public'" // // This rule checks for 'friend@public' appearing in any of the addressing // fields. Existence of this indicates a false mail header. // Mail is marked as spam if it is found. // if WildcardMatch(HeaderFieldValue("To"),"*friend@public.*") then goto spam: if WildcardMatch(HeaderFieldValue("From"),"*friend@public.*") then goto spam: if WildcardMatch(HeaderFieldValue("Reply-To"),"*friend@public.*") then goto spam: if WildcardMatch(HeaderFieldValue("X-Reply-To"),"*friend@public.*") then goto spam: goto notspam: :spam IsSpam() :notspam #endrule // ------------------------------------------------------------------- #rule "Check From: for an account ending in a number" // // This rule checks the From: field for an email address user part that // ends with a number. Spam quite often originates from mail accounts // with the large portals which use this style of account name. // Mail is marked as Spam if a match is found. // field$ = ParseAddress(HeaderFieldValue("From")) if WildcardMatch(field$,"*[0-9]@*") then IsSpam() endif #endrule // ------------------------------------------------------------------- // Section 5 - Subject analysis rules to check for typical // Spam characteristics. These rules are the least accurate method of // identifying Spam and should be used with care. // ------------------------------------------------------------------- // ------------------------------------------------------------------- #rule "Check if Subject: is all uppercase" // // This rules checks the Subject: field for all uppercase characters. // This is typical of Spam mail. Mail is marked as Spam if all uppercase // characters are found. // field$ = HeaderFieldValue("Subject") if (field$ = Upper(field$)) and (Length(field$) > 0) then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check that the Subject: is not a question" // // This rule checks the Subject for a '?' character. // Marks the mail as spam if it is found. // if WildcardMatch(HeaderFieldValue("Subject"),"*\?") then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check the Subject: against 'Money Patterns'" // // This rule checks the Subject against the 'Money patterns' list. // Money patterns are typical of commercial advert mails. // Mail is marked as Spam if a match is found. // NOTE - Some mail clients convert international 'Money' characters // into encoded phrases to resolve issues with differing character // sets. This can lead to matches not being made when expected. // field$ = HeaderFieldValue("Subject") if MatchesListItem("Money patterns",field$) then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check the Subject: against 'Usual Spam Subject Phrases'" // // This rule checks the Subject for a match against the // 'Usual Spam Subject Phrases' list. Mail is marked as Spam if // a match is found. // field$ = HeaderFieldValue("Subject") if MatchesListItem("Usual spam subject phrases",field$) then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check the Subject: against 'Usual Spam Subject Words'" // // This rule checks the Subject for a match against the // 'Usual Spam Subject Words' list. Mail is marked as Spam if // a match is found. // field$ = HeaderFieldValue("Subject") if FindWordInString("Usual Spam Subject Words",field$) then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check the Subject: against 'Adult Words'" // // This rule checks the Subject for a match against the 'Adult words' // list. Mail is marked as Spam if a match is found. // field$ = HeaderFieldValue("Subject") if FindWordInString("Adult Words",field$) then IsSpam() endif #endrule // ------------------------------------------------------------------- // Section 6 - Mail Body analysis rules to check for typical // Spam characteristics. These rules are the least accurate method of // identifying Spam and should be used with care. // ------------------------------------------------------------------- // ------------------------------------------------------------------- #rule "Check Mail Body for 'Usual Spam Message Phrases'" // // This rule checks the mail body for any of the phrases in the // 'Usual spam message phrases' list. Mail is marked as Spam if // a match is found. // if BodyMatchesListItem("Usual spam message phrases") then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check Mail Body for 'Adult Words'" // // This rule checks the mail body for any of the words in the // 'Adult Words' word list. Mail is marked as Spam if // a match is found. // if FindWordInBody("Adult Words") then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check Mail Body GUARANTEE in capitals" // // This rule check the mail body for the word GUARANTEE (in uppercase). // Mail is marked as Spam if a match is found. // if WildcardMatchBody("*[G][U][A][R][A][N][T][E][E]*") then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check Mail Body for BILLION/MILLION in capitals" // // This rule check the mail body for the words BILLION or MILLION // (in uppercase). Mail is marked as Spam if a match is found. // if WildcardMatchBody("*[BM][I][L][L][I][O][N]*") then IsSpam() endif #endrule // ------------------------------------------------------------------- #rule "Check Mail Body for FREE in capitals" // // This rule check the mail body for the word FREE (in uppercase). // Mail is marked as Spam if a match is found. // if WildcardMatchBody("*[F][R][E][E]*") then IsSpam() endif #endrule // ------------------------------------------------------------------- // Section 7 - Using Mail Body analysis rules to check for undesirable // attachments. Note this should be used in conjunction with other // Anti-Virus measures. // ------------------------------------------------------------------- // ------------------------------------------------------------------- #rule "Check Mail Body for 'Undesirable Attachment Marks'" // // This rule checks the mail body for a match with patterns in the // 'Undesirable Attachment Marks' list. This method should not be // treated as your primary defence against viruses, but can assist // in an overall strategy. // Mail is marked as Spam if a match is found. // if BodyMatchesListItem("Undesirable Attachment Marks") then IsSpam() endif #endrule