Custom rule set for SpamAssassin


  1. #--------------------------------------------------
  2. # top level domain matching
  3. #--------------------------------------------------
  4. header SPAMMY_TLD_IN_RCVD Received =~ /(\.net\.ae|\.net\.id|\.ro|\.ru|\.co\.jp|\.co\.ke|\.AC\.ZA|\.co\.in|\.com\.vn|\.vn|\.cc|\.cu\.ua|\.com\.br|\.gr|\.hr|\.dk|\.win|\.bid|\.tw|\.br|\.pk|\.top|\.club|\.date|\.stream|\.xyz|\.trade|\.icu|\.press|\.pro|\.pet|\.kim|\.red)\s/i
  5. score SPAMMY_TLD_IN_RCVD 0.5
  6. describe SPAMMY_TLD_IN_RCVD Spammy TLD used in Received line
  7. header SPAMMY_TLD_IN_FROM From =~ /(\.net\.ae|\.net\.id|\.ro|\.ru|\.co\.jp|\.co\.ke|\.AC\.ZA|\.co\.in|\.com\.vn|\.vn|\.cc|\.cu\.ua|\.com\.br|\.gr|\.hr|\.dk|\.win|\.bid|\.tw|\.br|\.pk|\.top|\.club|\.date|\.stream|\.xyz|\.trade|\.icu|\.press|\.pro|\.pet|\.kim|\.red)>$/i
  8. score SPAMMY_TLD_IN_FROM 0.5
  9. describe SPAMMY_TLD_IN_FROM Spammy TLD used in From line
  10. header __HIGH_SPAMMY_TLD_RCVD Received =~ /\.(win|bid|top|club|date|stream|xyz|icu)\/.*/i
  11. header __HIGH_SPAMMY_TLD_FROM From =~ /\.(win|bid|top|club|date|stream|xyz|icu)\/.*/i
  12. uri __HIGH_SPAMMY_TLD_URI /\.(win|bid|top|club|date|stream|xyz)\/.+/i
  13. meta HIGH_SPAMMY_TLD (__HIGH_SPAMMY_TLD_RCVD && __HIGH_SPAMMY_TLD_FROM && __HIGH_SPAMMY_TLD_URI)
  14. score HIGH_SPAMMY_TLD 1.25
  15. describe HIGH_SPAMMY_TLD HIGH spammy tld used in Received, From and link
  16. #--------------------------------------------------
  17. # Software matching
  18. #--------------------------------------------------
  19. header EVALED_PHP X-PHP-Originating-Script =~ /eval\(\)\'d code/i
  20. score EVALED_PHP 0.75
  21. describe EVALED_PHP Mail send from evaled PHP code
  22. # outdated php version
  23. header OUTDATED_PHP X-Mailer =~ /PHP v?5\.[1234].*/i
  24. score OUTDATED_PHP 0.1
  25. describe OUTDATED_PHP Mail send from an outdated PHP version
  26. header X_MAILER_SENDEMAIL X-Mailer =~ /sendEmail/i
  27. score X_MAILER_SENDEMAIL 0.2
  28. header VULN_PHPMAILER X-Mailer =~ /PHPMailer 5\.2\.[0-9] /i
  29. score VULN_PHPMAILER 0.75
  30. describe VULN_PHPMAILER Mail was sent from a vulnerable version of PHPMailer
  31. # Various meta rules to match wordpress
  32. header __WP_X_PHP_ORIG_SCRIPT X-PHP-Originating-Script =~ /(post|gallery|user)\.php/i
  33. header __WP_X_PHP_SCRIPT X-PHP-Script =~ /(post|gallery|user)\.php/i
  34. header __WP_X_SOURCE X-Source =~ /php-cgi/i
  35. header __WP_X_SOURCE_ARGS X-Source-Args =~ /(post|gallery|user)\.php/i
  36. header __WP_PATH_X_SOURCE_ARGS X-Source-Args =~ /\/wp\-(content|includes)\//i
  37. # Various meta rules to match joomla
  38. # e.g. X-Source-Args: /usr/bin/php /home/joventa/public_html/OLD/components/com_contact/helpers/files.php
  39. header __JO_COMP_X_SOURCE_ARGS X-Source-Args =~ /components\/com_/i
  40. header __JO_X_SOURCE_ARGS X-Source-Args =~ /\/joomla\//i
  41. meta CMS_MAIL ( __WP_X_PHP_ORIG_SCRIPT || __WP_X_PHP_SCRIPT || __WP_X_SOURCE || __WP_X_SOURCE_ARGS || __WP_PATH_X_SOURCE_ARGS || __JO_COMP_X_SOURCE_ARGS || __JO_X_SOURCE_ARGS )
  42. score CMS_MAIL 1.25
  43. describe CMS_MAIL Mail sent from a probably hacked CMS (like Wordpress or Joomla)
  44. #--------------------------------------------------
  45. # Header matching
  46. #--------------------------------------------------
  47. header X_ORG_REAL_CAPITAL X-Organization =~ /RealCapitalMarkets\.com/i
  48. score X_ORG_REAL_CAPITAL 3.5
  49. #--------------------------------------------------
  50. # Subject matching
  51. #--------------------------------------------------
  52. header __SUBJECT_NEIGHBOR Subject =~ /Neighbou?r/i
  53. header __SUBJECT_NEXT_DOOR Subject =~ /next door/i
  54. meta SUBJECT_NEIGHBOUR (__SUBJECT_NEIGHBOR || __SUBJECT_NEXT_DOOR)
  55. score SUBJECT_NEIGHBOUR 0.5
  56. header __SUBJECT_VIAGRA Subject =~ /viagra/i
  57. header __SUBJECT_PILLS Subject =~ /pills/i
  58. header __SUBJECT_HEALTH_SECRET Subject =~ /health secret/i
  59. meta SUBJECT_HEALTH (__SUBJECT_VIAGRA || __SUBJECT_PILLS || __SUBJECT_HEALTH_SECRET)
  60. score SUBJECT_HEALTH 0.2
  61. describe SUBJECT_HEALTH health-related subject
  62. header SUBJECT_DARLEHEN Subject =~ /Darlehen Angebot jetzt bewerben/i
  63. score SUBJECT_DARLEHEN 1.0
  64. header __FROM_DAVIS_WRIGHT From =~ /Davis Wright/i
  65. header __SUBJECT_LEG_DARLEHEN Subject =~ /Legitimes Darlehen Angebot/i
  66. meta DAVIS_WRIGHT_DARLEHEN (__FROM_DAVIS_WRIGHT && __SUBJECT_LEG_DARLEHEN)
  67. score DAVIS_WRIGHT_DARLEHEN 1.5
  68. header __FROM_KEVIN_PAGE From =~ /Kevin Page/i
  69. meta KEVIN_PAGE_DARLEHEN (__FROM_KEVIN_PAGE && SUBJECT_DARLEHEN)
  70. score KEVIN_PAGE_DARLEHEN 1.5
  71. # "Domain Expiration SEO" spam
  72. header __SUBJECT_EXP_SEO Subject =~ /Expiration SEO/i
  73. header __FROM_EXP_SEO From =~ /(Domain Expiration SEO|Final Reminder)/i
  74. meta EXPIRATION_SEO (__SUBJECT_EXP_SEO && __FROM_EXP_SEO)
  75. score EXPIRATION_SEO 1.0
  76. describe EXPIRATION_SEO Variation of Domain SEO spam
  77. # "SEO issue" spam
  78. header __SUBJECT_SEO_ISSUE Subject =~ /SEO Issue/i
  79. body __BODY_SEO_ISSUE /\s+(Search Specialist|Hello Team)/i
  80. meta SEO_ISSUE (__SUBJECT_SEO_ISSUE && __BODY_SEO_ISSUE)
  81. score SEO_ISSUE 1.0
  82. describe SEO_ISSUE Variation of Domain SEO spam
  83. # Domain Alert
  84. header __SUBJECT_DOMAIN_ALERT Subject =~ /This is your Final (Reminder|Notice)/i
  85. header __FROM_DOMAIN_ALERT From =~ /(Internet Services|Domain Notice|directimpactdesigns.com)/i
  86. body __BODY_DOMAIN_ALERT /\s+search engine registration/i
  87. meta DOMAIN_ALERT (__SUBJECT_DOMAIN_ALERT && __FROM_DOMAIN_ALERT && __BODY_DOMAIN_ALERT)
  88. score DOMAIN_ALERT 1.0
  89. describe DOMAIN_ALERT Variations of search engine registration spam
  90. header __FROM_BITCOIN_CODE From =~ /bestofmesh.com/i
  91. uri __BITCOIN_CODE_LINK /track.bestofmesh.com.*/i
  92. meta BITCOIN_CODE (__FROM_BITCOIN_CODE && __BITCOIN_CODE_LINK)
  93. score BITCOIN_CODE 0.8
  94. # customlogobuilders.press
  95. header FROM_CUSTOMLOGOBUILDERS From =~ /customlogobuilders.press/i
  96. score FROM_CUSTOMLOGOBUILDERS 1.0
  97. #--------------------------------------------------
  98. # uri matching
  99. #--------------------------------------------------
  100. # Something like .... /plugin.php?t=147&SeBJYnc8AzD8YLd4kvf4uNR=Fqz&12i=Cwb&4f=cL4g
  101. # the common parts are:
  102. # - the first parameter name is one char long
  103. # - at least two more parameter follow
  104. uri SPAM_LINK_1 /\/[a-z]+\.php\?\w=[a-zA-Z0-9]+(&[\w\d]+=[a-zA-Z0-9]+){2,}/i
  105. score SPAM_LINK_1 0.4
  106. describe SPAM_LINK_1 Spam link
  107. # same as above but focused on the link title
  108. rawbody SPAM_LINK_2 /\>.*(profile is here|new photos|photos are here).*\<\/a\>/i
  109. score SPAM_LINK_2 0.4
  110. describe SPAM_LINK_2 Spam link title
  111. # Something like ..../l/lt2K2240EH14R/1014LP2140G4657WU60A33287012SM1334722588
  112. # Common parts:
  113. # - first part is always one character
  114. # - three parts in total
  115. uri SPAM_LINK_3 /\/\w\/\w{10,}\/\w{10,}/i
  116. score SPAM_LINK_3 0.4
  117. describe SPAM_LINK_3 Spam link
  118. # /pass.php?utm_source=6900l3njtv&utm_medium=nc6600mc98&utm_campaign=a1q4sxq0wo&utm_term=tvec4xo652&utm_content=403g22e07g
  119. # Common parts
  120. # - always a .php file in the root of the domain
  121. # - only GA tracking parameters
  122. # - values for utm_source, utm_medium and utm_campaign are always the same (at least between 2017-07 and 2017-10),
  123. # utm_term varies slightly and utm_content is random
  124. # - all tracking parameters have 10 chars
  125. uri SPAM_LINK_4 /\/[a-z]+\.php\?utm_source=[a-zA-Z0-9]{10}&utm_medium=[a-zA-Z0-9]{10}&utm_campaign=[a-zA-Z0-9]{10}&utm_term=[a-zA-Z0-9]{10}&utm_content=[a-zA-Z0-9]{10}/i
  126. score SPAM_LINK_4 0.4
  127. describe SPAM_LINK_4 Spam link
  128. uri SPAM_LINK_4_EXTRA /\/[a-z]+\.php\?utm_source=6900l3njtv&utm_medium=nc6600mc98&utm_campaign=a1q4sxq0wo&utm_term=[a-zA-Z0-9]{10}&utm_content=[a-zA-Z0-9]{10}/i
  129. score SPAM_LINK_4_EXTRA 0.4
  130. describe SPAM_LINK_4_EXTRA Spam link (extra score)
  131. # sth. /mw/index.php/campaigns/pc118pw7p78bf/track-url/eo948g9ba3535/955e46674ff54a5792d9fa1782e483d77e4fdfc8
  132. uri SPAM_LINK_5 /\/campaigns\/[a-zA-Z0-9]{13}\/track-url\/[a-zA-Z0-9]{13}\/[a-zA-Z0-9]{40}/i
  133. score SPAM_LINK_5 0.4
  134. describe SPAM_LINK_5 Spam link
  135. uri SPAM_LINK_6 /\/[a-zA-Z0-9]{13,18}\/[a-zA-Z0-9-_]{43}\/[a-zA-Z0-9-_]{107,128}/i
  136. score SPAM_LINK_6 0.4
  137. describe SPAM_LINK_6 Spam link
  138. # looks almost the same as SPAM_LINK_6
  139. # characteristics:
  140. # - TLD: .date or .trade
  141. # - Domain always with leading www.
  142. # - path:
  143. # First part between 7 and 10 chars
  144. # Second part between 16 and 22 chars
  145. # Third part always(?) 43 chars
  146. # Fourth part > 80 chars but varying in length
  147. uri SPAM_LINK_7_HIGH /www\.[a-zA-Z0-9]+\.(date|trade)\/[a-zA-Z0-9-_]{6,13}\/[a-zA-Z0-9-_]{13,24}\/[a-zA-Z0-9-_]{40,65}\/[a-zA-Z0-9-_]{80,999}/i
  148. score SPAM_LINK_7_HIGH 1.2
  149. describe SPAM_LINK_7_HIGH high scored spam link
  150. #--------------------------------------------------
  151. # Mime matching
  152. #--------------------------------------------------
  153. mimeheader DOC_ATTACHED Content-Disposition =~ /filename\=.*\.docx?/i
  154. score DOC_ATTACHED 1.0
  155. describe DOC_ATTACHED Contains .doc or .docx attachment
  156. mimeheader XLS_ATTACHED Content-Disposition =~ /filename\=.*\.xlsx?/i
  157. score XLS_ATTACHED 1.0
  158. describe XLS_ATTACHED Contains .xls or .xlsx attachment
  159. mimeheader __ZIP_ATTACHED Content-Disposition =~ /filename\=.*\.zip/i
  160. describe __ZIP_ATTACHED Contains .zip attachment
  161. #--------------------------------------------------
  162. # Text matching
  163. #--------------------------------------------------
  164. header __SUBJECT_FUCK Subject =~ /f[ua5\&\%]ck/i
  165. body __BODY_FUCK /\s+(fuck|sex|masturbate|anal)\s+/i
  166. meta FUCKED_MAIL (__SUBJECT_FUCK || __BODY_FUCK )
  167. score FUCKED_MAIL 0.5
  168. describe FUCKED_MAIL Contains variations of 'fuck' in the subject and/or body
  169. header __SUBJECT_FAX_RECEIVED Subject =~ /You have 1 new fax, document/i
  170. header __SUBJECT_FAX_RECEIVED2 Subject =~ /You have received a new fax, document /i
  171. meta FAX_RECEIVED ((__SUBJECT_FAX_RECEIVED || __SUBJECT_FAX_RECEIVED2) && __ZIP_ATTACHED)
  172. score FAX_RECEIVED 1.2
  173. body __BODY_VIAGRA /viagra/i
  174. body __BODY_PILLS /pills/i
  175. body __BODY_HEALTH_SECRET /health secret/i
  176. meta BODY_HEALTH (__BODY_VIAGRA || __BODY_PILLS || __BODY_HEALTH_SECRET)
  177. score BODY_HEALTH 0.2
  178. describe BODY_HEALTH health-related body text
  179. body __LEAKED_PWD1a /(I know )?[a-zA-Z0-9]{1,99} one of your pass./i
  180. body __LEAKED_PWD1b /I (do )?know [a-zA-Z0-9]{1,99} one of your pass word./i
  181. body __LEAKED_PWD2 /I actually (installed|placed) a (malware|software) on the (18+|xxx) (streaming|videos|video clips) \((porn|porno|sexually graphic)\)/i
  182. meta LEAKED_PWD ((__LEAKED_PWD1a || __LEAKED_PWD1b) && __LEAKED_PWD2)
  183. score LEAKED_PWD 2.0
  184. #--------------------------------------------------
  185. # Some very persistent spammers
  186. #--------------------------------------------------
  187. header FROM_MUNGAI From =~ /MUNGAI KIHANYA TRAINING/i
  188. score FROM_MUNGAI 2.5
  189. header FROM_KINETIC From =~ /KINETIC (ENTERPRISES|TECHNOLOGIEZ)/i
  190. score FROM_KINETIC 1.0
  191. header FROM_KINETIC2 From =~ /\*\s*KINETIC/i
  192. score FROM_KINETIC2 1.0
  193. meta KINETIC_SCREAMING (FROM_KINETIC2 && SUBJ_ALL_CAPS)
  194. score KINETIC_SCREAMING 2.5