# SpamAssassin rules file: compensation for common false positives
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of either the Artistic License or the GNU General
# Public License as published by the Free Software Foundation; either
# version 1 of the License, or (at your option) any later version.
#
# See the file "License" in the top level of the SpamAssassin source
# distribution for more details.
#
###########################################################################
# Header compensation tests
#
# Note: HTML compensation tests are in 20_body_tests.cf
# Ties this file to the SpamAssassin release it was built for.
# @@VERSION@@ looks like a build-time substitution token, like
# @@LOCAL_RULES_DIR@@ in the file header -- confirm it was expanded in the
# installed copy.
require_version @@VERSION@@
# Every rule below is flagged "tflags ... nice": it exists to offset false
# positives and is expected to carry a negative score. The scores themselves
# are not set in this file; adjust them in local.cf, not here.
#
# support for Habeas sender-warranted email: http://www.habeas.com/
# The eval's logic is not visible in this file.
# NOTE(review): the warrant mark is presumably text carried in the message
# itself, which any sender can copy -- confirm the negative score stays well
# below the spam threshold.
header HABEAS_SWE eval:message_is_habeas_swe()
describe HABEAS_SWE Uses the Habeas warrant mark (http://www.habeas.com/)
tflags HABEAS_SWE nice
# Asks the eval to look for 'ebay.com' in the Received headers.
# NOTE(review): which Received lines the eval inspects is not visible here.
# Received lines recorded before your own relay are written by the sending
# side, so confirm the check is limited to hops you trust.
header GENUINE_EBAY_RCVD eval:check_for_from_domain_in_received_headers('ebay.com', 'true')
describe GENUINE_EBAY_RCVD Message from eBay
tflags GENUINE_EBAY_RCVD nice
# Presence test only: fires whenever an Approved-By header exists, whatever
# its value and whoever added it.
header APPROVED_BY exists:Approved-By
describe APPROVED_BY Has an Approved-By moderated list header
tflags APPROVED_BY nice
# This is a Bugzilla bug status report e-mail and probably OK
# Both tracker checks are eval functions whose logic lives outside this file.
# NOTE(review): if they key on header or subject text, that text is supplied
# by the sender -- confirm before relying on the score.
header BUGZILLA_BUG eval:message_from_bugzilla()
describe BUGZILLA_BUG Looks like a Bugzilla bug
tflags BUGZILLA_BUG nice
header DEBIAN_BTS_BUG eval:message_from_debian_bts()
describe DEBIAN_BTS_BUG Looks like a Debian BTS bug
tflags DEBIAN_BTS_BUG nice
# give a negative score to Majordomo results.
# The pattern is unanchored and case-sensitive: it matches "Majordomo results"
# or "Majordomo request results" anywhere in the Subject.
header MAJORDOMO Subject =~ /Majordomo (?:request )?results/
describe MAJORDOMO From Majordomo
tflags MAJORDOMO nice
# The whole References header must be one or more <local-part@domain> tokens,
# each optionally followed by whitespace; the domain may be a host name or a
# bracketed dotted quad. This is a syntax check only: it does not show that
# the referenced messages exist.
# NOTE(review): the quoted local-part alternative uses an unbounded ".+"
# inside a repeated group; worth timing against a very long References header.
header REFERENCES References =~ /^(<(?:[a-zA-Z0-9.!\#\$%&'*\+\/=?\^_{}|~-]+|\".+\")\@(?:[a-zA-Z0-9.-]+|\[\d{1,3}(?:\.\d{1,3}){3}\])>\s*)+$/
describe REFERENCES Has a valid-looking References header
tflags REFERENCES nice
# User-Agent isn't usually found with spam, but ignore it if we already account with a compensate rule
# __USER_AGENT is a presence-only sub-rule. The meta fires when the header
# exists and none of the listed USER_AGENT_* rules fired, so a message is not
# credited twice for the same header. The USER_AGENT_* rules are defined
# outside this file.
# User-Agent is written by the sending client, so any value (or a made-up
# one) satisfies the presence test.
header __USER_AGENT exists:User-Agent
meta USER_AGENT ( __USER_AGENT && !USER_AGENT_PINE && !USER_AGENT_MUTT && !USER_AGENT_MOZILLA_UA && !USER_AGENT_MOZILLA_XM && !USER_AGENT_MACOE && !USER_AGENT_ENTOURAGE && !USER_AGENT_KMAIL && !USER_AGENT_IMP && !USER_AGENT_TONLINE && !USER_AGENT_APPLEMAIL && !USER_AGENT_GNUS_UA && !USER_AGENT_GNUS_XM && !USER_AGENT_VM && !USER_AGENT_MSN && !USER_AGENT_FORTE && !USER_AGENT_XIMIAN )
describe USER_AGENT Has a User-Agent header
tflags USER_AGENT nice
# these headers have very low correlation with spam
# All seven rules are presence-only tests ("exists:"): the header's value is
# never inspected. Each of these headers can be added by the sender, so the
# low correlation is an observation about past mail, not a property the rule
# enforces. Re-check the hit rates against your own mail before relying on
# them, and lower or zero a rule's score in local.cf if it starts hitting spam.
header CRON_ENV exists:X-Cron-Env
header IN_REP_TO exists:In-Reply-To
header X_AUTH_WARNING exists:X-Authentication-Warning
header X_MAILING_LIST exists:X-Mailing-List
header X_LOOP exists:X-Loop
header X_ACCEPT_LANG exists:X-Accept-Language
header RESENT_TO exists:Resent-To
describe CRON_ENV Has a X-Cron-Env header
describe IN_REP_TO Has a In-Reply-To header
describe X_AUTH_WARNING Has a X-Authentication-Warning header
describe X_MAILING_LIST Has a X-Mailing-List header
describe X_LOOP Has a X-Loop header
describe X_ACCEPT_LANG Has a X-Accept-Language header
describe RESENT_TO Has a Resent-To header
# "nice" marks each rule as a false-positive compensation rule; the scores
# are assigned outside this file.
tflags CRON_ENV nice
tflags IN_REP_TO nice
tflags X_AUTH_WARNING nice
tflags X_MAILING_LIST nice
tflags X_LOOP nice
tflags X_ACCEPT_LANG nice
tflags RESENT_TO nice
# came from a known mailing list system -- but one which does *not* have built-in
# (or working!) spam filtering.
# The detection logic is in the eval and is not visible in this file.
header KNOWN_MAILING_LIST eval:detect_mailing_list()
describe KNOWN_MAILING_LIST Email came from some known mailing list software
tflags KNOWN_MAILING_LIST nice
# from Theo Van Dinter, see http://www.hughes-family.org/bugzilla/show_bug.cgi?id=591
# NOTE(review): declared as a "body" rule although the eval name refers to
# headers -- confirm the rule type is intended.
body MSN_GROUPS eval:check_for_msn_groups_headers()
describe MSN_GROUPS Came from MSN Communities
tflags MSN_GROUPS nice
# some non-spam rules from http://www.darkmere.gen.nz/2002/0628.html
# Q_FOR_SELLER is unanchored and case-sensitive; ".*" lets any text sit
# between "Question", the for/to/from part and "seller"/"Member".
header Q_FOR_SELLER Subject =~ /Question.*(?:for|to|from eBay).*(?:seller|Member)/
describe Q_FOR_SELLER Subject is an eBay question
tflags Q_FOR_SELLER nice
# Matches the words "in review" anywhere in the Subject, case-insensitively.
header SUBJECT_IS_IN_REVIEW Subject =~ /\bin review\b/i
describe SUBJECT_IS_IN_REVIEW Subject contains newsletter header (in review)
tflags SUBJECT_IS_IN_REVIEW nice
# Anchored match on the X-eGroups-Return header value. The header is part of
# the message, so this shows what the message claims, not where it came from.
header FROM_EGROUPS X-eGroups-Return =~ /^sentto-.*\@returns\.groups\.yahoo\.com$/
describe FROM_EGROUPS Appears to be from yahoo groups
tflags FROM_EGROUPS nice
# compensate for common false pos on above rule: Yahoo! webmail
# (The rule this refers to is not evident in this file.)
# Runs against all headers at once: a Message-Id ending in .mail.yahoo.com
# must be directly followed by a Received line that mentions
# "by <host>mail.yahoo.com via HTTP;". With /s the ".*" may cross line
# breaks, so the "by ... via HTTP;" part can match in a later header line.
header YAHOO_MSGID_ADDED ALL =~ /Message-Id: <\S+\.mail\.yahoo\.com>\nReceived: .*by \S+mail\.yahoo\.com via HTTP;/s
describe YAHOO_MSGID_ADDED 'Message-Id' was added by yahoo.com, that's OK
tflags YAHOO_MSGID_ADDED nice
###########################################################################
# Body compensation tests
###########################################################################
# Webmail and list footers. Each rule matches a fixed piece of footer text in
# the message body (HOTMAIL_FOOTER4 is defined further down in this file).
# The text is ordinary body content that anyone can paste into a message, so
# a hit shows the footer is present, not that the provider sent the mail.
# The scores are set outside this file; keep them small relative to the spam
# threshold.
body HOTMAIL_FOOTER1 /Send and receive Hotmail on your mobile device\b/
describe HOTMAIL_FOOTER1 Common footer for Hotmail
tflags HOTMAIL_FOOTER1 nice
body HOTMAIL_FOOTER2 /Get your FREE download of MSN Explorer at\b/
describe HOTMAIL_FOOTER2 Common footer for Hotmail
tflags HOTMAIL_FOOTER2 nice
body HOTMAIL_FOOTER3 /Get Your Private, Free E-mail from MSN Hotmail at http:\/\/www\.hotmail\.com\./
describe HOTMAIL_FOOTER3 Common footer for Hotmail
tflags HOTMAIL_FOOTER3 nice
body HOTMAIL_FOOTER5 /Chat with friends online, try MSN Messenger\b/
describe HOTMAIL_FOOTER5 Common footer for Hotmail
tflags HOTMAIL_FOOTER5 nice
body MSN_FOOTER1 /MSN Photos is the easiest way to share and print your photos\b/
describe MSN_FOOTER1 Common footer for MSN
tflags MSN_FOOTER1 nice
# \Q...\E quotes the host name so its dots match literally. The pattern is
# anchored with ^ to the start of the text being matched.
body GROUPS_YAHOO_1 /^Your use of Yahoo! Groups is subject to http:\/\/\Qdocs.yahoo.com\E\/info\/terms\//
describe GROUPS_YAHOO_1 Yahoo! Groups message
tflags GROUPS_YAHOO_1 nice
# signature tests
# Four calls to the same eval with different arguments. Going by the
# descriptions, the arguments are presumably (minimum lines, maximum lines,
# empty lines allowed: 0/1) -- confirm against the eval's source, which is
# not part of this file. These look for a text signature block at the end of
# a message, not a cryptographic signature.
full SIGNATURE_SHORT_DENSE eval:check_signature('1', '7', '0')
describe SIGNATURE_SHORT_DENSE Short signature present (no empty lines)
tflags SIGNATURE_SHORT_DENSE nice
full SIGNATURE_SHORT_SPARSE eval:check_signature('1', '7', '1')
describe SIGNATURE_SHORT_SPARSE Short signature present (empty lines)
tflags SIGNATURE_SHORT_SPARSE nice
full SIGNATURE_LONG_DENSE eval:check_signature('8', '15', '0')
describe SIGNATURE_LONG_DENSE Long signature present (no empty lines)
tflags SIGNATURE_LONG_DENSE nice
full SIGNATURE_LONG_SPARSE eval:check_signature('8', '15', '1')
describe SIGNATURE_LONG_SPARSE Long signature present (empty lines)
tflags SIGNATURE_LONG_SPARSE nice
# Matches the opening sentence of a subscription-confirmation message; the
# requester, the address and the list name may be any run of non-space
# characters.
body MAILMAN_CONFIRM /^We have received a request from \S+ for subscription of your email address, \S+, to the \S+ mailing list\./
describe MAILMAN_CONFIRM A MailMan confirm-your-address message
tflags MAILMAN_CONFIRM nice
# PGP and S/MIME rules. These are pattern matches only: nothing here verifies
# a signature, so a hit means the message is shaped like a signed message,
# not that a valid signature is attached.
#
# Three independent line matches on the raw body: the BEGIN armour line, any
# line of exactly 64 base64 characters, and the END armour line. The meta
# only requires that all three occur somewhere; it does not require them to
# be in order or adjacent.
rawbody __PGP_BEGIN /^-----BEGIN PGP SIGNATURE-----$/
rawbody __PGP_MIDDLE /^[0-9A-Za-z+\/]{64}$/
rawbody __PGP_END /^-----END PGP SIGNATURE-----$/
meta PGP_SIGNATURE (__PGP_BEGIN && __PGP_MIDDLE && __PGP_END)
describe PGP_SIGNATURE Contains a PGP-signed message
tflags PGP_SIGNATURE nice
# Matches a Content-Type header whose protocol parameter names
# application/pgp-signature; ".?" allows an optional quote character on
# either side of the value.
header PGP_SIGNATURE_2 Content-Type =~ /protocol=.?application\/pgp-signature.?;/i
describe PGP_SIGNATURE_2 Contains a PGP-signed message (signature attached)
tflags PGP_SIGNATURE_2 nice
# S/MIME: a multipart/signed top-level Content-Type with a protocol
# parameter, plus a part declared as application/x-pkcs7-signature somewhere
# in the full message. The part's content is not examined.
header __SMIME_SIGNED_HDR Content-Type =~ /multipart\/signed;.*protocol=/i
full __SMIME_SIGNED_BODY /\nContent-Type: application\/x-pkcs7-signature;/
meta SMIME_SIGNATURE (__SMIME_SIGNED_HDR && __SMIME_SIGNED_BODY)
describe SMIME_SIGNATURE Contains an S/MIME-signed message
tflags SMIME_SIGNATURE nice
# Matches a unified-diff hunk header of the form "@@ -a,b +c,d @@" that
# occupies the whole line. Because of the trailing "$", a hunk header followed
# by extra text does not match, and both ranges must include the ",count"
# part.
rawbody PATCH_UNIFIED_DIFF /^\@\@ [-+0-9]+,[0-9]+ [-+0-9]+,[0-9]+ \@\@$/
describe PATCH_UNIFIED_DIFF Contains what looks like a patch from diff -u
tflags PATCH_UNIFIED_DIFF nice
# Matches a context-diff file header: "*** ", a file name, at least ten more
# characters, then an hh:mm:ss time followed by whitespace.
rawbody PATCH_CONTEXT_DIFF /^\*{3} \S+\s+.{10,}\b\d{2}:\d{2}:\d{2}\s/
describe PATCH_CONTEXT_DIFF Contains what looks like a patch from diff -c
tflags PATCH_CONTEXT_DIFF nice
# Matches "This mail", "This email" or "This e-mail", then "confidential"
# within 20 characters, then "legally privileged" within another 20,
# case-insensitively. The phrase is plain body text that any sender can
# include.
body DISCLAIMER_LEGALESE /This e?-?mail.{1,20}confidential.{1,20}legally privileged/i
describe DISCLAIMER_LEGALESE Contains what looks like an 'E-Mail Disclaimer'
tflags DISCLAIMER_LEGALESE nice
# The regexp begins with "(?:\"|--- )?" because, in addition to
# possibly beginning with a double quote, it might also begin with
# "--- ", which is used by the Yahoo! groups web form when
# doing attribution.
#
# The regexp ends with "\s*(?:$|>)" rather than "$" because, by
# the time the "body" tests are done, this:
#
# foo@bar.com writes:
# > blah blah blah
#
# becomes
#
# foo@bar.com writes: > blah blah blah
#
body EMAIL_ATTRIBUTION /^(?:\"|--- )?\w.{4,80} (?:wrote|writes):\s*(?:$|>)/
describe EMAIL_ATTRIBUTION Contains what looks like an email attribution
tflags EMAIL_ATTRIBUTION nice
# A raw-body line made of one or more ">" characters, whitespace, and then
# 60 to 72 further characters up to the end of the line.
rawbody QUOTED_EMAIL_TEXT /^>+\s+.{60,72}$/
describe QUOTED_EMAIL_TEXT Contains what looks like a quoted email text
tflags QUOTED_EMAIL_TEXT nice
# Text that starts with "> >" followed by whitespace (a reply quoting a
# reply).
body QUOTE_TWICE_1 /^> >\s/
describe QUOTE_TWICE_1 Contains twice quoted reply
tflags QUOTE_TWICE_1 nice
# spamassassin@davidgreenaway.com (David Greenaway)
# Matches "forgot"/"forget" followed within 25 characters by "password"
# (first letter of each in either case).
# NOTE(review): password-reset wording is also a common theme in phishing
# mail, so a compensation rule keyed on this phrase deserves a check against
# current mail; the score can be reduced or zeroed in local.cf.
body FORGOTTEN_PASSWORD /[fF]org[oe]t.{0,25}[pP]assword/
describe FORGOTTEN_PASSWORD Contains a password retrieval system
tflags FORGOTTEN_PASSWORD nice
###########################################################################
# meta compensation tests
###########################################################################
# EVITE combines three sub-rules: a Content-Type of multipart/alternative,
# text/plain or text/html; a Received header naming evite.com or an
# evt*.citysearch.com host; and a URI on evite.com or evite.citysearch.com
# carrying an "iid=" value of 20 capital letters.
# The meta fires on Received + URI, or on the Content-Type together with
# either of the other two. The listed content types are very common, so in
# practice a matching URI alone is usually enough, and the URI is message
# content chosen by the sender.
header __EVITE_CTYPE Content-Type =~ /(?:multipart\/alternative|text\/(?:plain|html));/
header __EVITE_RCVD Received =~ /\b(?:evite|evt\S*\.citysearch)\.com/
uri __EVITE_URI /\bevite(?:\.citysearch)?\.com\/.*iid=[A-Z]{20}/
meta EVITE ((__EVITE_RCVD && __EVITE_URI) || (__EVITE_CTYPE && (__EVITE_RCVD || __EVITE_URI)))
describe EVITE Message looks like an Evite
tflags EVITE nice
# Adds up the results of four rules defined earlier in this file and fires
# when the sum exceeds 2 -- presumably each rule contributes 1 when it hits,
# i.e. at least three of the four must match. Any score given to this meta
# comes on top of the scores of the individual rules.
meta REPLY_WITH_QUOTES ((IN_REP_TO + REFERENCES + EMAIL_ATTRIBUTION + QUOTED_EMAIL_TEXT) > 2)
describe REPLY_WITH_QUOTES Reply with quoted text
tflags REPLY_WITH_QUOTES nice
###########################################################################
# Till now no spammer told me where he's working at :o)
# -- Malte
# freqs: 2.273 0.383 3.416 0.10 1.00 HAS_ORGANIZATION
# (The freqs line appears to record corpus statistics from when the rule was
# added; the column meanings are not given in this file.)
# Presence test only: the Organization header's value is not inspected, and
# the header is set by the sender.
header HAS_ORGANIZATION exists:Organization
describe HAS_ORGANIZATION Where are you working at?
tflags HAS_ORGANIZATION nice
# Fixed footer text in the body, like the other HOTMAIL_FOOTER rules earlier
# in this file.
body HOTMAIL_FOOTER4 /Join the world's largest e-mail service with MSN Hotmail\./
describe HOTMAIL_FOOTER4 Common footer for Hotmail
tflags HOTMAIL_FOOTER4 nice
# Bounce-message rules. The From header must consist of a mailer-daemon
# address (any domain), optionally with a "Mail Delivery <word>" display name
# before it or in parentheses after it. From is supplied by the sender, so
# this identifies mail that presents itself as a bounce.
header MAILER_DAEMON From =~ /^(?:Mail Delivery \w+ )?<?mailer.?daemon\@\S+>?(?: \(Mail Delivery \w+\))?$/i
describe MAILER_DAEMON From the Mailer-Daemon
tflags MAILER_DAEMON nice
# Subject must start with one of four common bounce phrases
# (case-insensitive).
header FAILURE_NOTICE_1 Subject =~ /^(?:failure notice|returned mail:|Delivery Status Notification|Undeliverable:)/i
describe FAILURE_NOTICE_1 Mailer daemon failure notice (1)
tflags FAILURE_NOTICE_1 nice
# Body contains one of four common bounce sentences (case-insensitive).
# NOTE(review): the three bounce rules are independent, so their scores can
# add up on a message that merely imitates a bounce -- check the combined
# value against the spam threshold.
body FAILURE_NOTICE_2 /\b(?:Delivery to the following recipients failed|This Message was undeliverable|The following addresses had permanent fatal errors|did not reach the following recipient)\b/i
describe FAILURE_NOTICE_2 Mailer daemon failure notice (2)
tflags FAILURE_NOTICE_2 nice
# Matches "Fwd:" followed by whitespace anywhere in the Subject. The match is
# case-sensitive and the whitespace is required.
header FWD_MSG Subject =~ /Fwd:\s/
describe FWD_MSG Forwarded email
tflags FWD_MSG nice
# Self-test samples for the rule: "ok" lines must match, "fail" lines must
# not. The two fail samples cover the missing space after "Fwd:" and the
# upper-case "FWD:" form.
test FWD_MSG ok Subject: Fwd: Dracula
test FWD_MSG ok Subject: [landho] Fwd: tell rod
test FWD_MSG fail Subject: Fwd:Pure Opt-In for half the price
test FWD_MSG fail Subject: Re: RE: FWD: search results . . .
# ORIGINAL_MESSAGE needs both an X-Mailer naming one of four mail clients and
# a raw-body line of the form "-----Original Message-----" (5 to 8 dashes on
# each side, optional single spaces). Both the header and the body line are
# written by the sender.
header __ORIG_MESSAGE_AGENT X-Mailer =~ /\b(?:Microsoft Outlook|Internet Mail Service|Mozilla|AOL)\b/
rawbody __ORIG_MESSAGE_LINE /^-{5,8} ?Original Message ?-{5,8}$/
meta ORIGINAL_MESSAGE (__ORIG_MESSAGE_AGENT && __ORIG_MESSAGE_LINE)
describe ORIGINAL_MESSAGE Looks like a reply to a message
tflags ORIGINAL_MESSAGE nice
# 3.351 0.0060 4.5117 0.001 0.97 -1.00 T_MSGID_GOOD_EXCHANGE
# (The figures above appear to be test results recorded under the rule's
# earlier name; the column meanings are not given in this file.)
# The Message-Id must be "<", exactly 28 capital letters, a dot, then
# non-space text on both sides of "@", and ">". This checks the shape of the
# header only; the header value is set by the sender.
header MSGID_GOOD_EXCHANGE Message-Id =~ /^<[A-Z]{28}\.\S+\@\S+>$/
describe MSGID_GOOD_EXCHANGE Message-Id indicates the message was sent from MS Exchange
tflags MSGID_GOOD_EXCHANGE nice
# mailman list reminder mails are getting tagged in 2.41, adding a rule to check for these
# Requires a From address whose local part is "mailman-owner" (any domain)
# and a Subject containing "mailing list memberships reminder". Neither
# check ties the message to a list the recipient is actually subscribed to.
# NOTE(review): the "@" in the first pattern is unescaped, unlike the "\@"
# used by the other rules in this file -- confirm it is parsed as a literal.
header __FROM_MAILMAN_OWNER From:addr =~ /^mailman-owner@/
header __SUBJECT_MAILMAN_REMIND Subject =~ /\bmailing list memberships reminder\b/
meta MAILMAN_REMINDER (__FROM_MAILMAN_OWNER && __SUBJECT_MAILMAN_REMIND)
describe MAILMAN_REMINDER Mail headers indicate a mailman membership reminder
tflags MAILMAN_REMINDER nice