Well, I have a bunch I'm testing out. Some great ones here. Working very nicely, so I figured I would share them out. Keep in mind that some of these WORKSTATION rules are for observation purposes. I'm well aware some of the headers could be legit.
I will score these small as usual so they just say, "Hey, could be spam, could be a letter from grandma. Let's give it .33 and see!" Rules may be line wrapped due to 'inside the box' technology :-)

# Boundary rules: all run against the Content-Type: header.
header   MY_BOUNDARY1   Content-Type =~ /boundary.('|")[^\d]*('|")$/
describe MY_BOUNDARY1   Boundary contains no numbers!
score    MY_BOUNDARY1   0.55

header   MY_BOUNDARY2   Content-Type =~ /boundary\=('|")?\~{10,}/
describe MY_BOUNDARY2   Too many ~'s in the boundary.
score    MY_BOUNDARY2   2.5

header   MY_BOUNDARY3   Content-Type =~ /\.(com|net|biz)/i
describe MY_BOUNDARY3   Boundary contains a root domain (.com)
score    MY_BOUNDARY3   0.75

header   MY_BOUNDARY4   Content-Type =~ /06986E0E1E1963/
describe MY_BOUNDARY4   Known spammer boundary found
score    MY_BOUNDARY4   1.0

# Received: rules. The WORKSTATION ones are mostly for observation.
header   WORKSTATION_NAME   Received =~ /^from \w+ \(\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)/
describe WORKSTATION_NAME   Header includes a server with no FQDN.
score    WORKSTATION_NAME   0.25

# This seems to hit EVERY time my rule MY_IP hits. It is the second part of it.
# Not really needed if MY_IP catches it, but why not test for it.
header   WORKSTATION_NAME2  Received =~ /^from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by/
describe WORKSTATION_NAME2  Received is missing a FQDN, no parens, and IP only.
score    WORKSTATION_NAME2  0.01

header   WORKSTATION_NAME3  Received =~ /^from \(.?\[.?\].?\)\b/
describe WORKSTATION_NAME3  Contains an empty Received IP. Seen only once.
score    WORKSTATION_NAME3  0.01

header   WORKSTATION_NAME4  Received =~ /^from unknown \(\w+ \w+\)\b/
describe WORKSTATION_NAME4  Received contains an unknown FQDN with possible HELO.
score    WORKSTATION_NAME4  0.01

header   WORKSTATION_NAME5  Received =~ /^from \(HELO \w+\) \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by /
describe WORKSTATION_NAME5  RCVD has no FQDN and a HELO.
score    WORKSTATION_NAME5  0.25

header   WORKSTATION_NAME6  Received =~ /^from \w+ \((\w+\.)?\w+\.\w+\.\w+ \[\d{1,3}\./
describe WORKSTATION_NAME6  RCVD has FQDN inside IP parens after a workstation name.
score    WORKSTATION_NAME6  0.33

# This is usually a spoof of sorts.
# Waiting for more hits to decide on it.
header   WORKSTATION_NAME7  Received =~ /^from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} \((\w+\.)?\w+\.\w+\.\w+ \[\d{1,3}\./
describe WORKSTATION_NAME7  RCVD has IP, then IP inside parens, then IP inside brackets.
score    WORKSTATION_NAME7  0.01

# Change to your own domain name!!!!
# Change {5,15} if you have email names longer or shorter than this.
header   MY_RCVD_TOKEN   Received =~ /\w{5,15}\*\*merchantsoverseas\*com\@/i
describe MY_RCVD_TOKEN   Received line contains a munged email address.
score    MY_RCVD_TOKEN   1.5

# This is a second Received line from an internal email gateway from cp.net
# First line was legit.
# Original second line:
# Received: (cpmta 25817 invoked from network); 20 Aug 2003 19:59:48
# Possible meta rule for this later +/-
# These look completely legit, but figured I'd pass the rule on anyway.
header   MY_RCVD_TEST1   Received =~ /^\(\w+ \d+ \w+/
describe MY_RCVD_TEST1   RCVD from an internal net GW? Testing for S/O
score    MY_RCVD_TEST1   0.01

# This is the third Received line from cp.net in series.
# Original line:
# Received: from 205.184.173.238 (HELO oemcomputer) by smtp.peoplepc.com (209.228.32.181) with SMTP;
# Possible meta rule later on. +/-
# Also looks legit. Testing only.
header   MY_RCVD_TEST2   Received =~ /^from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} \(HELO/
describe MY_RCVD_TEST2   RCVD has IP in no parens, and a HELO. Possible ham from internal email GW.
score    MY_RCVD_TEST2   0.01

# These header rules are working great!
# Each one fires if the named header is present with any content at all (/./).
header   MY_HEADER_TAG1   X-E =~ /./i
describe MY_HEADER_TAG1   Spam header tag found, X-E:
score    MY_HEADER_TAG1   0.01

header   MY_HEADER_TAG2   X-I =~ /./i
describe MY_HEADER_TAG2   Spam header tag found, X-I:
score    MY_HEADER_TAG2   0.01

header   MY_HEADER_TAG3   OptinId =~ /./i
describe MY_HEADER_TAG3   Spam header tag found, OptinId:
score    MY_HEADER_TAG3   0.01

header   MY_HEADER_TAG4   RefId =~ /./i
describe MY_HEADER_TAG4   Spam header tag found, RefId:
score    MY_HEADER_TAG4   0.01

header   MY_HEADER_TAG5   X-yd =~ /./i
describe MY_HEADER_TAG5   Spam header tag found, X-yd:
score    MY_HEADER_TAG5   0.01

header   MY_HEADER_TAG6   List-Unsubscribe =~ /^\<mailto/i
describe MY_HEADER_TAG6   Possible spam tag in list unsub, Mailto:
score    MY_HEADER_TAG6   0.01

To all those who recently submitted rules for the Emporium: I'm getting to it :-P

As always; feedback, praise, and coffee are welcomed.

Chris Santerre
System Admin and SA Custom Rules Emporium keeper
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm

"A little nonsense now and then, is relished by the wisest men." - Willy Wonka

_______________________________________________
Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
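Added example (not part of the post above, and not SpamAssassin code): a small Python script that transcribes a handful of Chris's header rules and runs them over a constructed message, so you can see which ones fire and what they add up to before dropping them into a live .cf file. The message, the 198.51.100.x / 192.0.2.x addresses and the "oemcomputer" hostname are made up for the example. It also shows one thing worth checking when you write ^-anchored Received: rules: as I understand SpamAssassin's header lookup, repeated headers of the same name are joined with newlines, so without a /m modifier the ^ only sees the topmost Received: line. The script evaluates both ways (per line, and joined) so the difference is visible.

```python
"""Run a subset of the posted SpamAssassin header rules over a constructed
message. Added example; the rule regexes are transcribed from the post."""
import re

# (rule name, header name, Perl-style pattern transcribed to Python, score)
RULES = [
    ("MY_BOUNDARY1", "Content-Type",
     re.compile(r"""boundary.('|")[^\d]*('|")$"""), 0.55),
    ("MY_BOUNDARY2", "Content-Type",
     re.compile(r"""boundary\=('|")?\~{10,}"""), 2.5),
    ("WORKSTATION_NAME", "Received",
     re.compile(r"^from \w+ \(\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)"), 0.25),
    ("WORKSTATION_NAME5", "Received",
     re.compile(r"^from \(HELO \w+\) \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\] by "), 0.25),
    ("MY_RCVD_TEST2", "Received",
     re.compile(r"^from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} \(HELO"), 0.01),
    ("MY_HEADER_TAG3", "OptinId", re.compile(r"."), 0.01),
]

# Constructed test message (addresses from the documentation ranges).
SAMPLE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id 1A2B3C; Wed, 20 Aug 2003 12:00:00 -0400
Received: from oemcomputer ([198.51.100.77])
\tby mail.example.net with SMTP; Wed, 20 Aug 2003 11:59:48 -0400
Content-Type: multipart/alternative;
\tboundary="~~~~~~~~~~~~~~~~~~~~"
OptinId: 8675309
Subject: hi

body text
"""


def parse_headers(raw):
    """Split a raw message into {lowercased header name: [value, ...]}.
    Folded continuation lines (leading SP/HTAB) are appended to the previous
    value; repeated headers such as Received: keep every instance in order."""
    headers = {}
    name = None
    for line in raw.splitlines():
        if not line:
            break  # blank line ends the header block
        if line[:1] in (" ", "\t") and name is not None:
            headers[name][-1] += line  # unfold, keeping the whitespace
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(name, []).append(value.strip())
    return headers


def evaluate(headers, per_line=True):
    """Return ([(rule, score), ...], total score rounded to 2 places).
    per_line=True tests each instance of a repeated header separately, so
    '^' anchors every Received: line. per_line=False joins the instances
    with '\\n' first (assumed here to mirror SpamAssassin's behaviour), in
    which case '^' only matches the first instance unless the pattern is /m."""
    hits = []
    for rule, hdr, rx, score in RULES:
        values = headers.get(hdr.lower(), [])
        if not per_line and values:
            values = ["\n".join(values)]
        if any(rx.search(v) for v in values):
            hits.append((rule, score))
    return hits, round(sum(s for _, s in hits), 2)


def scan(raw, per_line=True):
    """Parse and evaluate in one call."""
    return evaluate(parse_headers(raw), per_line=per_line)


if __name__ == "__main__":
    for mode in (True, False):
        hits, total = scan(SAMPLE, per_line=mode)
        print("per_line=%s total=%.2f" % (mode, total))
        for rule, score in hits:
            print("  %-18s %.2f" % (rule, score))
```

On the constructed message, MY_BOUNDARY1 fires alongside MY_BOUNDARY2 because a boundary made only of tildes also contains no digits; WORKSTATION_NAME fires only in per-line mode, since the matching line is the second Received: header.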