This is a subset of the rules I've added to catch spam that's gotten into my inbox. Round scores are probably wholly made up. Others were probably chosen to make a certain message hit 5.0.
# I hate "newsletters" with a passion. I could reduce this to one `full'
# rule to avoid double-billing, but I don't get any *legitimate* newsletters.
header SUBJ_NEWSLETTER Subject =~ /newsletter/i
describe SUBJ_NEWSLETTER Newsletter (bjj)
score SUBJ_NEWSLETTER 1.5

header FROM_NEWSLETTER From =~ /newsletter/i
describe FROM_NEWSLETTER Newsletter (bjj)
score FROM_NEWSLETTER 1.5

rawbody NEWSLETTER /newsletter/i
describe NEWSLETTER Newsletter (bjj)
score NEWSLETTER 1.1

# A start on a list of from addresses that generally indicate spam.
# I should expand this.
header FROM_BIZ From =~ /(?:offer|sales|alert)[^@]*@/i
describe FROM_BIZ From is generic business name (bjj)
score FROM_BIZ 1.5

# Ooh, hot stock tips! This one will probably gain some new variations
# over time.
rawbody STOCKMARKET /NASD.{0,30}symbol/i
describe STOCKMARKET Mentions NASDAQ ticker (bjj)
score STOCKMARKET 1.5

body IGNORE_ME /ignore this (e-?)?mail/i
describe IGNORE_ME Instructs to ignore (bjj)
score IGNORE_ME 2.6

body CREDIT_0 /bad credit\?|financial advi/i
describe CREDIT_0 Words and phrases related to credit (0) (bjj)
score CREDIT_0 1.5

rawbody OPTOUT_LINK /\/optout\./i
describe OPTOUT_LINK Links to opt-out form (bjj)
score OPTOUT_LINK 2

# These are spamware as far as I can tell.
header SPAMWARE_0 X-Mailer =~ /Delano e-Business Interaction Server|Accucast /
describe SPAMWARE_0 Bulk email software fingerprints found in headers (0) (bjj)
score SPAMWARE_0 4.9

header SPAMWARE_1 X-Ecast-User-Info =~ /./
describe SPAMWARE_1 Bulk email software fingerprints found in headers (1) (bjj)
score SPAMWARE_1 4.9

body SPAMWARE_2 /Powered by List Builder/
describe SPAMWARE_2 Bulk email software fingerprints found in body (2) (bjj)
score SPAMWARE_2 4.9

# This is some variation of the greeting card spam. Spammer uses a program
# to fill out some online form which then sends email on their behalf.
header EXPLOITABLE_WEB_FORM X-Mailer =~ /eGroups Message/
describe EXPLOITABLE_WEB_FORM Web form that spammers use to relay (bjj)
score EXPLOITABLE_WEB_FORM 2

# I can't remember if I researched this one. Some kind of credit claimed
# in the body for the emailer, which is probably spamware.
body IMAIL_SERVER /\bimail server/i
score IMAIL_SERVER 1.2

# Anyone have a better rule for this? This and the nigerian spam mutate
# a lot faster than other form spam.
body SIERRA_LEONE /Sierra-Leone/i
score SIERRA_LEONE 4

# Yes, even legitimate email earns a point here. Not nearly enough to
# mark it as spam if the rest is legit. Heck, in junkfilter I used to
# drop ALL of msn.com for YEARS and it was only wrong once (sorry dad).
header FREE_EMAIL From =~ /\@(?:yahoo|hotmail|dcemail)\.com/
describe FREE_EMAIL Free email provider (forged or not) (bjj)
score FREE_EMAIL 1

# One nice thing about junkfilter was macros like $JFBMAIL which you
# could use in your regexps to get a pattern to match all of the variations
# of `email' without having to spell it out everywhere.
body B_EXCUSE_0 /you(?:'ve| have)? rec[ie][ie]ved this (?:e-?)?mail/i
describe B_EXCUSE_0 Explains why you got this email (bjj)
score B_EXCUSE_0 1.5

body B_PORN_0 /(?:live|streaming) video feeds/i
describe B_PORN_0 Uses words and phrases which indicate porn (0) (bjj)
score B_PORN_0 2

body B_PORN_1 /\b(?:schoolgirls|wh\.?ores|s\.?luts)/i
describe B_PORN_1 Uses words and phrases which indicate porn (1) (bjj)
score B_PORN_1 2

# I also switched the DEAR_SOMEBODY score from negative to positive.
body DEAR_SOMEBODY_BANG /Dear .{0,40}!/i
describe DEAR_SOMEBODY_BANG Dear somebody!!! (bjj)
score DEAR_SOMEBODY_BANG 2

# Again, free webhosting isn't bad by itself, but often roves in packs
# with spam.
rawbody FREE_WEBHOSTING /http:\/\/[^\/]{0,20}(?:tripod\.lycos\.com|geocities\.com|communities\.msn\.com|cleanfreehost\.com)\//i
describe FREE_WEBHOSTING Links to free webhosting (bjj)
score FREE_WEBHOSTING 1.2

# The next two are for a new popular set of legal disclaimers
body SECTION_227 /(pursuant|legal|usc|u.s.c).{0,80}sec(tion)?\.? *227/i
describe SECTION_227 Claims compliance with SPAM regulations (S227) (bjj)
score SECTION_227 3

body THREAT_ECPA /violation.{0,20}2511.{0,80}(privacy act|ECPA)/i
describe THREAT_ECPA Threatens you with ECPA for interfering with delivery (bjj)
score THREAT_ECPA 3

# I thought there was a general rule for foreign charsets, but it wasn't
# matching, and I get tons of chinese spam.
full SUBJ_FOREIGN_CHARSET /=\?big5\?/
describe SUBJ_FOREIGN_CHARSET Uses foreign charset (bjj)
score SUBJ_FOREIGN_CHARSET 5

# Just like the body rule.
header SUBJ_FREE Subject =~ /\bfree(?!\()\b/i
describe SUBJ_FREE No such thing as a free subject (bjj)
score SUBJ_FREE 1.5

# For me this is someone ELSE visiting/downloading/etc 99% of the time.
# When I do something like this and expect/need the responses I just look
# in my junk folder...
body THANKS_FOR_NOTHING /thank(?:s| you) for.{1,30}(?:visit|download|join|register|consider|sign)ing/i
describe THANKS_FOR_NOTHING Thanking me for something I didn't do (bjj)
score THANKS_FOR_NOTHING 1.5

header WELCOME Subject =~ /Welcome to/i
describe WELCOME Oh sure, I bet I joined something else (bjj)
score WELCOME 1.5

header SUBJ_YOUR Subject =~ /^Your\b/i
describe SUBJ_YOUR My very own subject! (bjj)
score SUBJ_YOUR 1

rawbody CLICK_LINK /click on the link/i
score CLICK_LINK 0.5

rawbody FORGETFUL /forgot your password/i
describe FORGETFUL No, I did not forget my password (bjj)
score FORGETFUL 1

# Lots of mail from anonymous groups of spammers is signed `The eSpam Team'
# or `Your IrritatingMail Team'. Or in German, `Das Team'. Maybe it's
# Turkish immigrants in Germany?
rawbody SINCERE_TEAM /^(?:the|das|y?our)\b.{0,20}\bteam/i
describe SINCERE_TEAM Mail from a proud team (bjj)
score SINCERE_TEAM 1

body FREE_TRIAL /free trial\b/i
describe FREE_TRIAL They'll never convict me at my free trial! (bjj)
score FREE_TRIAL 2

body MEMBERSHIP /\bmember(?:ship)?\b/i
describe MEMBERSHIP Membership (bjj)
score MEMBERSHIP 0.7

rawbody DOUBLECLICK /ad\.doubleclick\.net/
score DOUBLECLICK 3.9

body TEENS /\bteens|kiddie?\b/i
describe TEENS Mmm, teens! (bjj)
score TEENS 0.5

# I think there's an eval-rule for this but I needed it to avoid Chinese spam.
full 8BIT_BODY /[\200-\377]{5,}/
score 8BIT_BODY 3

# My friends almost never write me mail with formal salutations, but for
# some reason, spammers do it all the time
rawbody BEST_REGARDS /(?:(?:kind|best) regards|sincerely)/i
describe BEST_REGARDS Why do spammers send best regards and my friends don't? (bjj)
score BEST_REGARDS 0.5

rawbody HUGE_SAVINGS /\bsave (?:\d{2,3}\%|hundreds|thousands)/i
describe HUGE_SAVINGS Save 75% on spam! (bjj)
score HUGE_SAVINGS 2

rawbody WIN_BIG /win [\$\243][0-9,0]{3,}/i
describe WIN_BIG Win big money! (bjj)
score WIN_BIG 2

rawbody BIG_JACKPOT /[\$\243][0-9,0]{3,}.{0,10}(?:jackpot|prize|cash)/i
describe BIG_JACKPOT Win big money! (bjj)
score BIG_JACKPOT 2

body NO_REPLY /(?:do not|don't) reply to this/i
describe NO_REPLY Don't reply? Hell, I won't even READ it! (bjj)
score NO_REPLY 2

body EYES_ONLY /(?:if you are not the addressee|privileged.{0,30}confidential)/i
describe EYES_ONLY Tries to sound like you intercepted something secret (bjj)
score EYES_ONLY 2

body STRICTLY_CONFIDENTIAL /STRICTLY CONFIDENTIAL/
score STRICTLY_CONFIDENTIAL 1

body FREE_STUFF /free stuff/i
describe FREE_STUFF TANSTAAFL (bjj)
score FREE_STUFF 1

rawbody HTTP_AD /http:\/\/ads?\b.{0,40}\?.{1,20}=/i
describe HTTP_AD Link to an advertisement (bjj)
score HTTP_AD 2

# I know someone will point out that this doesn't necessarily indicate
# spam. And that's why it only scores 1.5!
rawbody MS_HTML /meta name=Generator content="Microsoft/
describe MS_HTML HTML Generated by Microsoft (bjj)
score MS_HTML 1.5

rawbody MUST_BE_OLD /must be (?:18|21)/i
describe MUST_BE_OLD Must be old enough to read this spam (bjj)
score MUST_BE_OLD 1.5

# More (badly) machine-generated html
rawbody SPACED_OUT /(?:\ ){5,}/i
describe SPACED_OUT Stupid formatting (bjj)
score SPACED_OUT 1

header RETURN_RECEIPT Disposition-Notification-To =~ /./
describe RETURN_RECEIPT Wants a return receipt (bjj)
score RETURN_RECEIPT 0.7

rawbody SHIPPING_N_HANDLING /shipping.{1,6}handling/i
describe SHIPPING_N_HANDLING I'd rather they didn't handle it! (bjj)
score SHIPPING_N_HANDLING 1

rawbody FAUX_PRESS_RELEASE /(?:for immediate|press) release/i
score FAUX_PRESS_RELEASE 1

# I bet there are more redirectors in .to, but I haven't found them all
# Similar to the free webhosting rule above.
rawbody BITE_ME_TONGA /http:\/\/(?:come|go|explode)\.to\//i
describe BITE_ME_TONGA Bite me, Kingdom of Tonga
score BITE_ME_TONGA 1.5

body NIGERIA /\bNigerian?\b/i
score NIGERIA 2

-- 
Ben Jackson
<[EMAIL PROTECTED]>
http://www.ben.com/

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
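
Added example, not part of the original post or of SpamAssassin: a small Python evaluator that parses four of the rules above and sums their scores against the 5.0 cutoff, showing that FREE_EMAIL alone leaves a legitimate message well under the threshold while several weak hits together cross it. The names parse_rules and evaluate and both sample messages are constructed here; Python's re stands in for Perl regexes, and body and rawbody are treated alike.

```python
import re
from email import message_from_string

# Four rules copied from the post; both messages below are constructed.
RULES = r"""
header SUBJ_NEWSLETTER Subject =~ /newsletter/i
score SUBJ_NEWSLETTER 1.5
header FREE_EMAIL From =~ /\@(?:yahoo|hotmail|dcemail)\.com/
score FREE_EMAIL 1
body NO_REPLY /(?:do not|don't) reply to this/i
score NO_REPLY 2
rawbody OPTOUT_LINK /\/optout\./i
score OPTOUT_LINK 2
"""
THRESHOLD = 5.0  # the "hit 5.0" cutoff the post refers to

SPAM = ("From: Deals <promo@hotmail.com>\nSubject: Our March Newsletter\n\n"
        "Do not reply to this message.\nLeave: http://optout.example.com/\n")
HAM = ("From: Dad <dad@yahoo.com>\nSubject: Dinner Sunday?\n\n"
       "Call me when you get this.\n")

def parse_rules(text):
    """Parse test and score lines into {name: (kind, header, regex, score)}."""
    tests, scores = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        if kind == "score":
            scores[name] = float(rest)
        elif kind in ("header", "body", "rawbody"):
            header = None
            if kind == "header":
                header, rest = (s.strip() for s in rest.split("=~", 1))
            pattern, flags = re.fullmatch(r"/(.*)/([a-z]*)", rest.strip()).groups()
            tests[name] = (kind, header, re.compile(pattern, re.I if "i" in flags else 0))
    # Assumption: a test with no score line counts as 1.0.
    return {n: t + (scores.get(n, 1.0),) for n, t in tests.items()}

def evaluate(rules, raw):
    """Return (total score, flagged as spam?, sorted names of rules that hit)."""
    msg, hits = message_from_string(raw), {}
    for name, (kind, header, rx, score) in rules.items():
        # Simplification: body and rawbody both search the undecoded payload.
        target = (msg.get(header) or "") if kind == "header" else msg.get_payload()
        if rx.search(target):
            hits[name] = score
    total = sum(hits.values())
    return total, total >= THRESHOLD, sorted(hits)

print(evaluate(parse_rules(RULES), SPAM), evaluate(parse_rules(RULES), HAM))
```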