1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
|
# SpamAssassin rules file: body tests
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# Note: body tests are run with long lines, so be sure to limit the
# size of searches; use /.{0,30}/ instead of /.*/ to avoid huge
# search times.
#
# Note: If you are adding a rule which looks for a phrase in the body
# (as most of them do), please add it to rules/20_phrases.cf instead.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
require_version @@VERSION@@
###########################################################################
# GTUBE test - the generic test for UBE.
body GTUBE /XJS\*C4JDBQADN1\.NSBN3\*2IDNEN\*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL\*C\.34X/
describe GTUBE Generic Test for Unsolicited Bulk Email
tflags GTUBE userconf noautolearn
###########################################################################
# this seems to be the new fashion (as of Jul 5 2002). base64-encoded
# parts need to be stripped before this match
body TRACKER_ID /^[a-z0-9]{6,24}[-_a-z0-9]{12,36}[a-z0-9]{6,24}\s*\z/is
describe TRACKER_ID Incorporates a tracking ID number
body WEIRD_QUOTING /[\042\223\224\262\263\271]{2}\S{0,16}[\042\223\224\262\263\271]{2}/
describe WEIRD_QUOTING Weird repeated double-quotation marks
###########################################################################
# multipart/alternative has very good accuracy, other multipart types are
# similar to MIME_HTML_ONLY so they don't need a separate rule
header __CTYPE_MULTIPART_ALT Content-Type =~ /multipart\/alternative/i
meta MIME_HTML_ONLY_MULTI (__CTYPE_MULTIPART_ALT && MIME_HTML_ONLY)
describe MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
# note: __HIGHBITS is used in rules/20_html_tests.cf, HTML_CHARSET_FARAWAY
meta MIME_CHARSET_FARAWAY (__MIME_CHARSET_FARAWAY && __HIGHBITS)
describe MIME_CHARSET_FARAWAY MIME character set indicates foreign language
tflags MIME_CHARSET_FARAWAY userconf
###########################################################################
# duncf
body EMAIL_ROT13 /\b[a-z(\]-]+\^[a-z-]+\([a-z]{2,3}\b/
describe EMAIL_ROT13 Body contains a ROT13-encoded email address
test EMAIL_ROT13 ok qhabs^ebtref(pbz
test EMAIL_ROT13 ok zxrggyre^riv-vap(pbz
test EMAIL_ROT13 fail duncf-nospam@rogers.com
# this could use more work
body __LONGWORDS_A /\b(?:[a-z]{8,}[\s\.]+){6}/
body __LONGWORDS_B /\b(?:[a-z]{6,}[\s\.]+){9}/
body __LONGWORDS_C /\b(?:[a-z]{5,}[\s\.]+){10}/
meta LONGWORDS (__LONGWORDS_A + __LONGWORDS_B + __LONGWORDS_C > 1)
describe LONGWORDS Long string of long words
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::BodyEval
# This rule uses a simple algorithm to determine if the text and html
# parts of an multipart/alternative message are different.
body MPART_ALT_DIFF eval:multipart_alternative_difference('99', '100')
describe MPART_ALT_DIFF HTML and text parts are different
body MPART_ALT_DIFF_COUNT eval:multipart_alternative_difference_count('3', '1')
describe MPART_ALT_DIFF_COUNT HTML and text parts are different
body BLANK_LINES_80_90 eval:check_blank_line_ratio('80','90','4')
describe BLANK_LINES_80_90 Message body has 80-90% blank lines
# it's the ratio of spaces to non-spaces in each paragraph. apparently
# messages where generally there are lots of spaces mean the message is spam.
# 8.532 10.6051 0.1897 0.982 0.75 0.01 T_VERTICAL_WORDS_TVD_1
body TVD_SPACE_RATIO eval:tvd_vertical_words('0','10')
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
# 0.767 0.9097 0.0000 1.000 0.84 1.00 MULTIPART_ALT_NON_TEXT
body MULTIPART_ALT_NON_TEXT eval:check_ma_non_text()
body CHARSET_FARAWAY eval:check_for_faraway_charset()
describe CHARSET_FARAWAY Character set indicates a foreign language
tflags CHARSET_FARAWAY userconf
# these tests doesn't actually use rawbody since rawbody isn't raw enough;
# they must be written very carefully to avoid modifying the original content
# MIME Content-Transfer-Encoding control rules
rawbody __MIME_BASE64 eval:check_for_mime('mime_base64_count')
describe __MIME_BASE64 Includes a base64 attachment
rawbody __MIME_QP eval:check_for_mime('mime_qp_count')
describe __MIME_QP Includes a quoted-printable attachment
rawbody MIME_BASE64_BLANKS eval:check_for_mime('mime_base64_blanks')
describe MIME_BASE64_BLANKS Extra blank lines in base64 encoding
rawbody MIME_BASE64_TEXT eval:check_for_mime('mime_base64_encoded_text')
describe MIME_BASE64_TEXT Message text disguised using base64 encoding
body MISSING_MIME_HB_SEP eval:check_msg_parse_flags('missing_mime_head_body_separator')
describe MISSING_MIME_HB_SEP Missing blank line between MIME header and body
body MIME_HTML_MOSTLY eval:check_mime_multipart_ratio('0.00','0.01')
describe MIME_HTML_MOSTLY Multipart message mostly text/html MIME
# Steve Linford via Charlie Watts: good test!
body MIME_HTML_ONLY eval:check_for_mime_html_only()
describe MIME_HTML_ONLY Message only has text/html MIME parts
rawbody MIME_QP_LONG_LINE eval:check_for_mime('mime_qp_long_line')
describe MIME_QP_LONG_LINE Quoted-printable line longer than 76 chars
rawbody __MIME_CHARSET_FARAWAY eval:check_for_mime('mime_faraway_charset')
body MIME_BAD_ISO_CHARSET eval:check_for_mime('mime_bad_iso_charset')
describe MIME_BAD_ISO_CHARSET MIME character set is an unknown ISO charset
endif
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::URIEval
body HTTPS_IP_MISMATCH eval:check_https_ip_mismatch()
describe HTTPS_IP_MISMATCH IP to HTTPS link found in HTML
body URI_TRUNCATED eval:check_uri_truncated()
describe URI_TRUNCATED Message contained a URI which was truncated
endif
|