Custom rule set for rspamd
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

58 lines
2.4 KiB

# SPAM_LINK_1
# Something like .... /plugin.php?t=147&SeBJYnc8AzD8YLd4kvf4uNR=Fqz&12i=Cwb&4f=cL4g
# the common parts are:
# - the first parameter name is one char long
# - at least two more parameter follow
/\/[a-z]+\.php\?\w=[a-zA-Z0-9]+(&[\w\d]+=[a-zA-Z0-9]+){2,}/i SPAM_LINK_1:0.4
# SPAM_LINK_3
# Something like ..../l/lt2K2240EH14R/1014LP2140G4657WU60A33287012SM1334722588
# Common parts:
# - first part is always one character
# - three parts in total
/\/\w\/\w{10,}\/\w{10,}/i SPAM_LINK_3:0.4
# SPAM_LINK_4
# /pass.php?utm_source=6900l3njtv&utm_medium=nc6600mc98&utm_campaign=a1q4sxq0wo&utm_term=tvec4xo652&utm_content=403g22e07g
# Common parts
# - always a .php file in the root of the domain
# - only GA tracking parameters
# - values for utm_source, utm_medium and utm_campaign are always the same (at least between 2017-07 and 2017-10),
# utm_term varies slightly and utm_content is random
# - all tracking parameters have 10 chars
/\/[a-z]+\.php\?utm_source=[a-zA-Z0-9]{10}&utm_medium=[a-zA-Z0-9]{10}&utm_campaign=[a-zA-Z0-9]{10}&utm_term=[a-zA-Z0-9]{10}&utm_content=[a-zA-Z0-9]{10}/i SPAM_LINK_4:0.4
# SPAM_LINK_5
# sth. /mw/index.php/campaigns/pc118pw7p78bf/track-url/eo948g9ba3535/955e46674ff54a5792d9fa1782e483d77e4fdfc8
/\/campaigns\/[a-zA-Z0-9]{13}\/track-url\/[a-zA-Z0-9]{13}\/[a-zA-Z0-9]{40}/i SPAM_LINK_5:0.4
# SPAM_LINK_6
/\/[a-zA-Z0-9]{13,18}\/[a-zA-Z0-9-_]{43}\/[a-zA-Z0-9-_]{107,128}/i SPAM_LINK_6:0.4
# SPAM_LINK_7
# looks almost the same as SPAM_LINK_6
# characteristics:
# - TLD: .date or .trade
# - Domain always with leading www.
# - path:
# First part between 7 and 10 chars
# Second part between 16 and 22 chars
# Third part always(?) 43 chars
# Fourth part > 80 chars but varying in length
/www\.[a-zA-Z0-9]+\.(date|trade)\/[a-zA-Z0-9-_]{6,13}\/[a-zA-Z0-9-_]{13,24}\/[a-zA-Z0-9-_]{40,65}\/[a-zA-Z0-9-_]{80,999}/i SPAM_LINK_7:0.4
# SPAM_LINK_8
# Primarily used in bitcoin/crypto currency spam
# characteristics:
# - emails contain at least one link to .../?xtl=<random{120-300}>&eih=<random{,40}>
# - emails contain at least one link to .../?xul=<random>
/\?xtl=[a-zA-Z0-9]{100,300}&eih=[a-zA-Z0-9]{20,40}/i SPAM_LINK_8a:0.1
/\?xul=[a-zA-Z0-9]{70,120}&eih=[a-zA-Z0-9]{20,40}/i SPAM_LINK_8b:0.1
# SPAM_LINK_9
# Primarily used in bitcoin/crypto currency spam
# - Subdomain of .page.link
# - Very short path (typically less than 5 chars)
/\.page\.link\/[a-zA-Z0-9]{1,8}/i SPAM_LINK_9:0.4