/usr/share/spamassassin/20_ratware.cf is in spamassassin 3.4.1-8build1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 | # SpamAssassin rules file: known spam mailers
#
# Sometimes these leave 'sent by mailername' fingerprints in the
# headers, which provide a nice way for us to catch them.
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
header RATWARE_EGROUPS X-Mailer =~ /eGroups Message Poster/
describe RATWARE_EGROUPS Bulk email fingerprint (eGroups) found
# Note that the tests which look at the "ALL" pseudoheader are slower than
# the specific header.
# 100% overlap with X-Stormpost-To: header, but seems wise to leave it in
header RATWARE_OE_MALFORMED X-Mailer =~ /^Microsoft Outlook Express \d(?:\.\d+){3} \w+$/
describe RATWARE_OE_MALFORMED X-Mailer has malformed Outlook Express version
header RATWARE_MOZ_MALFORMED User-Agent =~ /Mozilla\/5\.0\d\d/
describe RATWARE_MOZ_MALFORMED Bulk email fingerprint (Mozilla malformed) found
header RATWARE_MPOP_WEBMAIL X-Mailer =~ /mPOP Web-Mail/i
describe RATWARE_MPOP_WEBMAIL Bulk email fingerprint (mPOP Web-Mail)
###########################################################################
# Now, detect forgeries of real MUAs
#
# NOTE: these rules should specify version numbers!
# first define situations where servers rewrite message id so we can't use message id to detect forgeries
header __HOTMAIL_BAYDAV_MSGID MESSAGEID =~ /^<[A-Z]{3}\d+-(?:DAV|SMTP)\d+[A-Z0-9]{25}\@phx\.gbl>$/m
header __IPLANET_MESSAGING_SERVER Received =~ /iPlanet Messaging Server/
header __LYRIS_EZLM_REMAILER List-Unsubscribe =~ /<mailto:(?:leave-\S+|\S+-unsubscribe)\@\S+>$/
header __SYMPATICO_MSGID MESSAGEID =~ /^<BAYC\d+-PASMTP\d+[A-Z0-9]{25}\@CEZ\.ICE>$/m
header __WACKY_SENDMAIL_VERSION Received =~ /\/CWT\/DCE\)/
meta __UNUSABLE_MSGID (__LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID)
## now on to the forgery rules
# AOL
header __AOL_MUA X-Mailer =~ /\bAOL\b/
# Internet Mail Service
header __IMS_MUA X-Mailer =~ /Internet Mail Service/
header __IMS_MSGID MESSAGEID =~ /^<[A-F\d]{36,40}\@\S+>$/m
meta FORGED_MUA_IMS (__IMS_MUA && !__IMS_MSGID && !__UNUSABLE_MSGID)
describe FORGED_MUA_IMS Forged mail pretending to be from IMS
# Message ID format introduced by Vista MAPI, maybe also Windows 2003 Server SP2
header __VISTA_MSGID MESSAGEID =~ /^<[A-F\d]{32}\@\S+>$/m
# Outlook Express 4, 5, and 6
header __OE_MUA X-Mailer =~ /\bOutlook Express [456]\./
header __OE_MSGID_1 MESSAGEID =~ /^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}\@hotmail\.com>$/m
header __OE_MSGID_2 MESSAGEID =~ /^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}\@\S+>$/m
meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__UNUSABLE_MSGID)
# Outlook versions that usually use "dollar signs"
header __OUTLOOK_DOLLARS_MUA X-Mailer =~ /^Microsoft Outlook(?: 8| CWS, Build 9|, Build 10)\./
header __OUTLOOK_DOLLARS_OTHER MESSAGEID =~ /^<\!\~\!/m
meta __FORGED_OUTLOOK_DOLLARS (__OUTLOOK_DOLLARS_MUA && !__OE_MSGID_2 && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && !__IMS_MSGID && !__UNUSABLE_MSGID)
# use new meta rules to implement FORGED_MUA_OUTLOOK rule from 2.60
# bug 5496: avoid some FPs
header __FMO_EXCL_O3416 X-Mailer =~ /^Microsoft Outlook, Build 10.0.3416$/
header __FMO_EXCL_OE3790 X-Mailer =~ /^Microsoft Outlook Express 6.00.3790.3959$/
# bug 5910: __VISTA_MSGID also now used by Outlook Express from XP SP3
#
meta FORGED_MUA_OUTLOOK ((__FORGED_OE || __FORGED_OUTLOOK_DOLLARS) && !__FMO_EXCL_O3416 && !__FMO_EXCL_OE3790 && !__VISTA_MSGID)
describe FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
# Outlook IMO (Internet Mail Only)
header __OIMO_MUA X-Mailer =~ /Outlook IMO/
header __OIMO_MSGID MESSAGEID =~ /^<[A-P]{28}\.[-\w.]+\@\S+>$/m
meta FORGED_MUA_OIMO (__OIMO_MUA && !__OIMO_MSGID && !__OE_MSGID_2 && !__UNUSABLE_MSGID)
describe FORGED_MUA_OIMO Forged mail pretending to be from MS Outlook IMO
# QUALCOMM Eudora
# Note: uses X_LOOP and X_MAILING_LIST as subrules
# X-Mailer: QUALCOMM Windows Eudora Version 5.0 (and 5.1)
# X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
# updated to fix bugs 2047, 2598, 2654
# NOTE: this is the *only* spammish Eudora MUA pattern that wasn't
# ignored using __OLD_EUDORA1 and __OLD_EUDORA2 under previous rules.
header __EUDORA_MUA X-Mailer =~ /^QUALCOMM Windows Eudora (?:Pro |Light )?Version [3456]\./
header __EUDORA_MSGID MESSAGEID =~ /^<(?:\d\d?\.){3,5}\d{14}\.[a-f0-9]{8}\@\S+(?:\sport\s\d+)?>$/m
header __HAS_X_LOOP exists:X-Loop
header __HAS_X_MAILING_LIST exists:X-Mailing-List
meta FORGED_MUA_EUDORA (__EUDORA_MUA && !__EUDORA_MSGID && !__UNUSABLE_MSGID && !__HAS_X_LOOP && !__HAS_X_MAILING_LIST)
describe FORGED_MUA_EUDORA Forged mail pretending to be from Eudora
# From private mail with developers. Some top tips here!
header __THEBAT_MUA X-Mailer =~ /^The Bat!/
header __THEBAT_MUA_V1 X-Mailer =~ /^The Bat! \(v1\./
#header __THEBAT_MUA_V2 X-Mailer =~ /^The Bat! \(v2\./
#header __THEBAT_MUA_V3 X-Mailer =~ /^The Bat! \(v3\./
header __CTYPE_CHARSET_QUOTED Content-Type =~ /charset=\"/i
header __CTYPE_HAS_BOUNDARY Content-Type =~ /boundary/i
header __BAT_BOUNDARY Content-Type =~ /boundary=\"-{10}[A-F0-9]{4,}\"/
header __MAILMAN_21 X-Mailman-Version =~ /\d/
meta FORGED_MUA_THEBAT_CS (__THEBAT_MUA && __CTYPE_CHARSET_QUOTED && !__MAILMAN_21)
meta FORGED_MUA_THEBAT_BOUN (__THEBAT_MUA && __CTYPE_HAS_BOUNDARY && !__BAT_BOUNDARY && !__MAILMAN_21)
describe FORGED_MUA_THEBAT_CS Mail pretending to be from The Bat! (charset)
describe FORGED_MUA_THEBAT_BOUN Mail pretending to be from The Bat! (boundary)
# bug 4649: bulk mail sent via Yahoo! often looks forged, even when it is not
header __YAHOO_BULK Received =~ /from \[\S+\] by \S+\.(?:groups|scd|dcn)\.yahoo\.com with NNFMP/
meta FORGED_OUTLOOK_HTML (!__YAHOO_BULK && __ANY_OUTLOOK_MUA && MIME_HTML_ONLY)
describe FORGED_OUTLOOK_HTML Outlook can't send HTML message only
# bug 2525: FORGED_IMS_HTML fp'ing because new IMS *DOES* use text/html
# ctype. ARGH. This was noted in build 5.5.2656.59, so permit builds
# after that to get away with it.
header __IMS_HTML_BUILDS X-Mailer =~ /^Internet Mail Service .(?:[6789]\.|5\.[6789]|5\.5\.(?:[3456789]|2[789]|26[6789]|265[6789]))/
header __IMS_HTML_RCVD Received =~ /\bby \S+ with Internet Mail Service .(?:[6789]\.|5\.[6789]|5\.5\.(?:[3456789]|2[789]|26[6789]|265[6789]))/
meta FORGED_IMS_HTML (!__YAHOO_BULK && __IMS_MUA && MIME_HTML_ONLY && !(__IMS_HTML_BUILDS && __IMS_HTML_RCVD))
describe FORGED_IMS_HTML IMS can't send HTML message only
meta FORGED_THEBAT_HTML (__THEBAT_MUA_V1 && MIME_HTML_ONLY)
describe FORGED_THEBAT_HTML The Bat! can't send HTML message only
# bug 2513
header __REPTO_QUOTE Reply-To =~ /".*"\s*\</
meta REPTO_QUOTE_AOL __REPTO_QUOTE && __AOL_MUA
describe REPTO_QUOTE_AOL AOL doesn't do quoting like this
meta REPTO_QUOTE_IMS __REPTO_QUOTE && __IMS_MUA
describe REPTO_QUOTE_IMS IMS doesn't do quoting like this
meta REPTO_QUOTE_MSN __REPTO_QUOTE && (__FROM_MSN_COM || __AT_MSN_MSGID)
describe REPTO_QUOTE_MSN MSN doesn't do quoting like this
meta REPTO_QUOTE_QUALCOMM __REPTO_QUOTE && __ANY_QUALCOMM_MUA
describe REPTO_QUOTE_QUALCOMM Qualcomm/Eudora doesn't do quoting like this
meta REPTO_QUOTE_YAHOO __REPTO_QUOTE && (__FROM_YAHOO_COM || __AT_YAHOO_MSGID)
describe REPTO_QUOTE_YAHOO Yahoo! doesn't do quoting like this
# bug 1561
# stronger version of USER_AGENT_APPLEMAIL
# Apple Mail doesn't send text/html at all (unless it's an attachment)
# It'll send text/plain, or multipart/alternative with text/plain and
# text/enriched parts (boundary of "Apple-Mail-\d--\d+"). It can, however,
# send a multipart/mixed with a single text/html attachment, so don't use
# MIME_HTML_ONLY.
# perhaps limit CTYPE to "text/plain", "multipart/alternative" with
# "text/plain" and "text/enhanced", or "multipart/mixed"?
# bug 4223: expand for new Apple Mail version format
header __X_MAILER_APPLEMAIL X-Mailer =~ /^Apple Mail \(\d\.\d+(?:\.\d+)?\)$/
header __MSGID_APPLEMAIL Message-Id =~ /^<[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\@\S+>$/
header __MIME_VERSION_APPLEMAIL Mime-Version =~ /^1\.0 \(Apple Message framework v\d+(?:\.\d+)?\)$/
meta __USER_AGENT_APPLEMAIL !__CTYPE_HTML && __X_MAILER_APPLEMAIL && (__MSGID_APPLEMAIL || __MIME_VERSION_APPLEMAIL)
# 2003-02-23: quinlan
# some useful meta rule sub-elements
header __CTYPE_HTML Content-Type =~ /text\/html/i
header __ANY_IMS_MUA X-Mailer =~ /^Internet Mail Service\b/
header __ANY_OUTLOOK_MUA X-Mailer =~ /^Microsoft (?:Office )?Outlook\b/
header __ANY_QUALCOMM_MUA X-Mailer =~ /\bQUALCOMM\b/
meta FORGED_QUALCOMM_TAGS (__ANY_QUALCOMM_MUA && __MIME_HTML && !__TAG_EXISTS_HTML)
describe FORGED_QUALCOMM_TAGS QUALCOMM mailers can't send HTML in this format
meta FORGED_IMS_TAGS (!__YAHOO_BULK && __ANY_IMS_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY))
describe FORGED_IMS_TAGS IMS mailers can't send HTML in this format
meta FORGED_OUTLOOK_TAGS (!__YAHOO_BULK && __ANY_OUTLOOK_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY))
describe FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
# Send-Safe ratware (idea from Alan Curry)
# random alphanumerics, separated into groups of 16 by dashes (the first
# and last group may be shorter), with a lowercase "l" and a number
# appended. The final number is the length of the whole string not
# including the dashes or the "l<number>". Why? I have no idea. It's
# not a tracking code - the spamware does not save it locally.
#
# jm: it's specifically to throw off MIME base64 encoding, to evade AOL's
# filters.
#
# http://groups.google.com/groups?selm=atp1ip0n22%40enews3.newsguy.com
rawbody RATWARE_HASH_DASH /[a-z\d]-[a-z\d]{16}-[a-z\d]{1,16}(?-i:l)\d/i
describe RATWARE_HASH_DASH Contains a hashbuster in Send-Safe format
########################################################################
# Most ratware uses message templates I would guess.
# Here's two popular ones...
########################################################################
# This ratware always uses a +0000 TZ in the Date header, and has a multiplicity
# of From: header formats. ("From" header samples from Steven Champeon
# <schampeo.hesketh.com> via the spamtools.lists.abuse.net and SPAM-L lists).
#
# "First Last" <firstlast_[a-z][a-z]@somedomain> 1
# "First Last" <firstlast[a-z][a-z]@somedomain> 1
# "First Last" <first.last[a-z][a-z]@somedomain> 1
# "First Last" <first_last[a-z][a-z]@somedomain> 1
# "First Last" <first_last_[a-z][a-z]@somedomain> 1
# "First Last" <flast_[a-z][a-z]@somedomain> 2
# "First Last" <flast[a-z][a-z]@somedomain> 2
# "First Last" <f.last_[a-z][a-z]@somedomain> 2
# "First Last" <f.last[a-z][a-z]@somedomain> 2
# "First Last" <f_last[a-z][a-z]@somedomain> 2
# "First Last" <last[a-z][a-z]@somedomain> 3
# "First M. Last" <firstlast_[a-z][a-z]@somedomain> 4
# "First M. Last" <firstlast[a-z][a-z]@somedomain> 4
# "First M. Last" <first.m.last[a-z][a-z]@somedomain> 5
# "First M. Last" <firstmlast[a-z][a-z]@somedomain> 5
# "First M. Last" <firstmlast_[a-z][a-z]@somedomain> 5
# "First M. Last" <fmlast_[a-z][a-z]@somedomain> 6
# "First M. Last" <mlast[a-z][a-z]@somedomain> 7
# "First M. Last" <m.last[a-z][a-z]@somedomain> 7
header __0_TZ_1 From =~ /^\"(\w)(\w+) (\w+)\" <\1\2[\._]?\3_?[a-z][a-z]\@/i
header __0_TZ_2 From =~ /^\"(\w)(\w+) (\w+)\" <\1[\._]?\3_?[a-z][a-z]\@/i
header __0_TZ_3 From =~ /^\"(\w)(\w+) (\w+)\" <\3_?[a-z][a-z]\@/i
header __0_TZ_4 From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\1\2[\._]?\4_?[a-z][a-z]\@/i
header __0_TZ_5 From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\1\2[\._]?\3[\._]?\4_?[a-z][a-z]\@/i
header __0_TZ_6 From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\1\3\4_?[a-z][a-z]\@/i
header __0_TZ_7 From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\3[\._]?\4_?[a-z][a-z]\@/i
header __RATWARE_0_TZ_DATE Date =~ / \+0000$/
meta RATWARE_ZERO_TZ (__RATWARE_0_TZ_DATE && __CTYPE_HTML && (__0_TZ_1 || __0_TZ_2 || __0_TZ_3 || __0_TZ_4 || __0_TZ_5 || __0_TZ_6 || __0_TZ_7))
describe RATWARE_ZERO_TZ Bulk email fingerprint (+0000) found
header X_MESSAGE_INFO exists:X-Message-Info
describe X_MESSAGE_INFO Bulk email fingerprint (X-Message-Info) found
# case-sensitive rule
# only significant rules with no FPs, hit recently, on 2+ corpuses
header HEADER_SPAM ALL:raw =~ /^(Alternate-Recipient|Antivirus|Approved|Delivery-Notification|Disclose-Recipients|Error-path|Language|Location|Mime-Subversion|Newsletter-ID|PID|Rot|UID|X-BounceTrace|X-CS-IP|X-Company-Address|X-Company-City|X-Company-Country|X-Company-State|X-Company-Zip|X-E(?:[Mm]ail)?|X-Encoding|X-Originating-Company|X-RMD-Text|X-SG4|X-SP-Track-ID|X-Webmail-Time|X-bounce-to):/m
describe HEADER_SPAM Bulk email fingerprint (header-based) found
header RATWARE_RCVD_PF Received =~ / \(Postfix\) with ESMTP id [^;]+\; \S+ \d+ \S+ \d+ \d+:\d+:\d+ \S+$/s
describe RATWARE_RCVD_PF Bulk email fingerprint (Received PF) found
header RATWARE_RCVD_AT Received =~ / by \S+\@\S+ with Microsoft SMTPSVC/
describe RATWARE_RCVD_AT Bulk email fingerprint (Received @) found
header __RCVD_WITH_EXCHANGE Received =~ /with Microsoft Exchange Server/
meta RATWARE_OUTLOOK_NONAME __MSGID_DOLLARS_OK && !__HAS_X_MAILER && !__RCVD_WITH_EXCHANGE
describe RATWARE_OUTLOOK_NONAME Bulk email fingerprint (Outlook no name) found
header __MIMEOLE_MS X-MIMEOLE =~ /^Produced By Microsoft MimeOLE/
meta RATWARE_MS_HASH __MSGID_DOLLARS_OK && !__MIMEOLE_MS && !__RCVD_WITH_EXCHANGE
describe RATWARE_MS_HASH Bulk email fingerprint (msgid ms hash) found
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
header __GATED_THROUGH_RCVD_REMOVER eval:gated_through_received_hdr_remover()
header __RATWARE_NAME_ID eval:check_ratware_name_id()
meta RATWARE_NAME_ID __RATWARE_0_TZ_DATE && __RATWARE_NAME_ID
describe RATWARE_NAME_ID Bulk email fingerprint (msgid from) found
header RATWARE_EFROM eval:check_ratware_envelope_from()
describe RATWARE_EFROM Bulk email fingerprint (envfrom) found
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body __MIME_HTML eval:check_for_mime_html()
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::HTMLEval
body __TAG_EXISTS_BODY eval:html_tag_exists('body')
body __TAG_EXISTS_HEAD eval:html_tag_exists('head')
body __TAG_EXISTS_HTML eval:html_tag_exists('html')
body __TAG_EXISTS_META eval:html_tag_exists('meta')
body __TAG_EXISTS_STYLE eval:html_tag_exists('style')
body __TAG_EXISTS_SCRIPT eval:html_tag_exists('script')
endif
|