commit 4ed192fde05db226868a8d0fcdea0d7e962c2c5a
Author: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Wed Aug 16 21:36:15 2023 -0400
Add descriptions for most items that were missing descriptions
diff --git a/rules/20_body_tests.cf b/rules/20_body_tests.cf
index 55223a5..cf9f6cd 100644
--- a/rules/20_body_tests.cf
+++ b/rules/20_body_tests.cf
@@ -109,6 +109,7 @@ ifplugin Mail::SpamAssassin::Plugin::MIMEEval
# 0.767 0.9097 0.0000 1.000 0.84 1.00 MULTIPART_ALT_NON_TEXT
body MULTIPART_ALT_NON_TEXT eval:check_ma_non_text()
+describe MULTIPART_ALT_NON_TEXT Message claims to have alternatives but doesn't have a text alternative
body CHARSET_FARAWAY eval:check_for_faraway_charset()
describe CHARSET_FARAWAY Character set indicates a foreign language
diff --git a/rules/20_head_tests.cf b/rules/20_head_tests.cf
index 5c66005..a8402cb 100644
--- a/rules/20_head_tests.cf
+++ b/rules/20_head_tests.cf
@@ -74,12 +74,14 @@ describe MSGID_SPAM_LETTERS Spam tool Message-Id: (letters variant)
+# https://svn.apache.org/viewvc/spamassassin/trunk/rules/20_head_tests.cf?r1=126458&r2=126457&pathrev=126458
# negative lookahead exempts this MUA from circa 1997-2000
# X-Mailer: Microsoft Outlook Express 4.71.1712.3
# Message-ID: <01bd45da$2649cdc0$LocalHost@andrew>
header __MSGID_DOLLARS_OK MESSAGEID =~ /<[0-9a-f]{4,}\$[0-9a-f]{4,}\$[0-9a-f]{4,}\@\S+>/
header __MSGID_DOLLARS_MAYBE MESSAGEID =~ /<\w{4,}\$\w{4,}\$(?!localhost)\w{4,}\@\S+>/i
meta MSGID_DOLLARS_RANDOM __MSGID_DOLLARS_MAYBE && !__MSGID_DOLLARS_OK
+describe MSGID_DOLLARS_RANDOM Spam from 2005 with dollars in the message id
# bit of a ratware rule, but catches a bit more than just the one ratware
header __MSGID_RANDY Message-ID =~ /<[a-z\d][a-z\d\$-]{10,29}[a-z\d]\@[a-z\d][a-z\d.]{3,12}[a-z\d]>/
diff --git a/rules/20_html_tests.cf b/rules/20_html_tests.cf
index d6aa9c4..9cd28a5 100644
--- a/rules/20_html_tests.cf
+++ b/rules/20_html_tests.cf
@@ -42,6 +42,7 @@ describe HTML_SHORT_CENTER HTML is very short with CENTER tag
meta HTML_TITLE_SUBJ_DIFF __HTML_TITLE_SUBJ_DIFF && !__MIME_ATTACHMENT
+describe HTML_TITLE_SUBJ_DIFF HTML title differs from message Subject
meta HTML_CHARSET_FARAWAY (__HTML_CHARSET_FARAWAY && __HIGHBITS)
describe HTML_CHARSET_FARAWAY A foreign language charset used in HTML markup
diff --git a/rules/20_mailspike.cf b/rules/20_mailspike.cf
index ae942d2..2496eb9 100644
--- a/rules/20_mailspike.cf
+++ b/rules/20_mailspike.cf
@@ -64,7 +64,9 @@ reuse RCVD_IN_MSPIKE_H2
meta __RCVD_IN_MSPIKE_LOW RCVD_IN_MSPIKE_L5 || RCVD_IN_MSPIKE_L4 || RCVD_IN_MSPIKE_L3
tflags __RCVD_IN_MSPIKE_LOW net
+# https://svn.apache.org/viewvc?view=revision&revision=1037373
meta RCVD_IN_MSPIKE_ZBI __RCVD_IN_MSPIKE_Z && !__RCVD_IN_MSPIKE_LOW
+describe RCVD_IN_MSPIKE_ZBI Spam wave (2010) participant
tflags RCVD_IN_MSPIKE_ZBI net
## Meta rules for aggregating good and bad senders
diff --git a/rules/20_uri_tests.cf b/rules/20_uri_tests.cf
index 0f62be8..4b210aa 100644
--- a/rules/20_uri_tests.cf
+++ b/rules/20_uri_tests.cf
@@ -29,6 +29,7 @@ require_version @@VERSION@@
# not expecting any hits on this (yet)
uri HIGH_CODEPAGE_URI /^https?:\/\/[^\/]*\&\#(?:\d{4,}|[3456789]\d\d);/i
tflags HIGH_CODEPAGE_URI userconf
+describe HIGH_CODEPAGE_URI Appears to be an IDN spoofing attack -- if you see this, please report
###########################################################################
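Review bot: `describe HIGH_CODEPAGE_URI Appears to be an IDN spoofing attack -- if you see this, please report` addresses maintainers rather than the person reading the spam report, and the same pattern is used later in this commit for CTYPE_001C_A (`... please file a bug`) and CTYPE_001C_B (`... please file a PR`). The description text is what end users see next to the rule hit, so the request to report belongs in a `#` comment next to the rule (the existing `# not expecting any hits on this (yet)` is the natural place) and the description should state what the regex matches: `describe HIGH_CODEPAGE_URI URI host contains a high-codepage HTML entity (possible IDN spoofing)`.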
diff --git a/rules/50_scores.cf b/rules/50_scores.cf
index 28d9980..b1795b5 100644
--- a/rules/50_scores.cf
+++ b/rules/50_scores.cf
@@ -767,7 +767,9 @@ endif # Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::AskDNS
#
score DKIMDOMAIN_IN_DWL 0 -3.5 0 -3.5
+describe DKIMDOMAIN_IN_DWL Unsupported response -- formerly: Signing domain listed in Spamhaus DWL
score DKIMDOMAIN_IN_DWL_UNKNOWN 0 -0.01 0 -0.01
+describe DKIMDOMAIN_IN_DWL_UNKNOWN Unsupported response -- formerly: Unrecognized response from Spamhaus DWL
#
endif
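Review bot: `describe DKIMDOMAIN_IN_DWL Unsupported response -- formerly: Signing domain listed in Spamhaus DWL` describes the rule's history rather than what a hit means, so a user reading a report would see "Unsupported response" with no explanation; the same applies to DKIMDOMAIN_IN_DWL_UNKNOWN on the next added line. If the rules are no longer expected to fire, that note fits the `#` comment lines already surrounding the score entries, and the description should state the condition, e.g. `describe DKIMDOMAIN_IN_DWL Signing domain listed in Spamhaus DWL`. Also, `describe` normally sits beside the rule definition rather than in 50_scores.cf; the definitions are not visible here, so if they already carry a description this later one would presumably override it.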
diff --git a/rulesrc/sandbox/dos/20_uri.cf b/rulesrc/sandbox/dos/20_uri.cf
index 7205bf7..79e935b 100644
--- a/rulesrc/sandbox/dos/20_uri.cf
+++ b/rulesrc/sandbox/dos/20_uri.cf
@@ -1,4 +1,5 @@
uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
+describe GEO_QUERY_STRING Geocities (obsolete web host) query
# 20080928 - One line followed by a live spaces URI, may need more to avoid FPs
uri DOS_LIVE_SPACES_CID /^http:\/\/cid-.{10,20}\.spaces\.live\.com\/$/
diff --git a/rulesrc/sandbox/dos/70_other.cf b/rulesrc/sandbox/dos/70_other.cf
index 3bd12ad..2d1714b 100644
--- a/rulesrc/sandbox/dos/70_other.cf
+++ b/rulesrc/sandbox/dos/70_other.cf
@@ -161,6 +161,7 @@ body __DOS_STRONG_CF /\bstrong cash flow/i
body __DOS_STEADY_COURSE /\bsteady (?:and increasing )?course\b/i
meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)
+describe DOS_STOCK_BAT2 Probable pump and dump stock spam
# http://www.fod*rx.com
@@ -283,8 +284,10 @@ header DOS_PORN_BOUNDARY Content-Type =~ /\bboundary="----\#(?:SUBSTANCE|
describe DOS_PORN_BOUNDARY Content boundary common to porn spam
score DOS_PORN_BOUNDARY 1.0
+# This rule was still matching spam in 2011: https://gist.github.com/wmoxam/1238398
# 20070225
header X_MAILER_CME_6543_MSN X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/
+describe X_MAILER_CME_6543_MSN Spam from 2007-2011
# 20070723
diff --git a/rulesrc/sandbox/fanf/10_headers.cf b/rulesrc/sandbox/fanf/10_headers.cf
index 6c1151a..6a96464 100644
--- a/rulesrc/sandbox/fanf/10_headers.cf
+++ b/rulesrc/sandbox/fanf/10_headers.cf
@@ -3,6 +3,7 @@
# same as RCVD_FORGED_WROTE but allowing capitalized host names
#
header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
+describe RCVD_FORGED_WROTE2 Forged receive header
header RCVD_FORGED_WROTE3 Received =~ /from \[[0-9.]+\] \(port=\d+ helo=\S+[A-Za-z]+\) by (\S+) with asmtp id \S{6}-\S{6}-\S\S for \S+@\1;/s
diff --git a/rulesrc/sandbox/fanf/30_text.cf b/rulesrc/sandbox/fanf/30_text.cf
index 3509676..845cd09 100644
--- a/rulesrc/sandbox/fanf/30_text.cf
+++ b/rulesrc/sandbox/fanf/30_text.cf
@@ -1,7 +1,10 @@
# bits of text from spam
body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i
+describe SHORT_TERM_PRICE Text about short term stock prices
body LONG_TERM_PRICE /long\W+term\W+(target|projected)(\W+price)?/i
+describe LONG_TERM_PRICE Text about long term stock prices
meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE)
+describe STOCK_PRICES Text about short and long term stock prices
rawbody IMG_ALT_BRACKETS /^/
diff --git a/rulesrc/sandbox/felicity/70_other.cf b/rulesrc/sandbox/felicity/70_other.cf
index 1b1c30b..5300040 100644
--- a/rulesrc/sandbox/felicity/70_other.cf
+++ b/rulesrc/sandbox/felicity/70_other.cf
@@ -140,6 +140,7 @@ body TVD_DEAR_HOMEOWNER /^dear homeowner/i
describe TVD_DEAR_HOMEOWNER Spam with generic salutation of "dear homeowner"
body TVD_ENHANCE /(?:enhanc(?:e(?:ment)?|ing)|improv(?:e|ing)) .{0,20}sexual (?:stamina|performance)/i
+describe TVD_ENHANCE Spam about enhancing sexual performance
body __TVD_GET_STOCK /(?i:OTC)[^-\/\\'.]{2,8}(?:[A-Z]\s*){3,5}\b/
meta TVD_GET_STOCK __TVD_GET_STOCK && !__VIA_ML && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__RP_MATCHES_RCVD && !__BUGGED_IMG && !__MSOE_MID_WRONG_CASE
@@ -231,8 +232,10 @@ describe TVD_FLOAT_GENERAL Message uses CSS float style
#rawbody T_TVD_FLOAT_GENERAL5 /\bstyle="[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]\s*\s*(?-i:[a-z])+\s*= 2)
+describe HK_WIN Lottery scam
score HK_WIN 1
#body __HK_LOTTO_1 /\b(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department) ?lot(?:eri[ej]|t(?:ery|o))/i
@@ -202,6 +204,7 @@ body __HK_SCAM_S25 /\bbank (?:in|of) ghana/i
#body __HK_SCAM_S22 /\bmining companies/i
#body __HK_SCAM_S23 /(?:\b(?:urgent alert|start trade|get it at monday)\b|\b(?:5-|five )day price:)/i
meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || __HK_SCAM_N16 || __HK_SCAM_S1 || __HK_SCAM_S15 || __HK_SCAM_S25
+describe HK_SCAM Classic scam
score HK_SCAM 2
tflags HK_SCAM publish
@@ -230,14 +233,18 @@ ifplugin Mail::SpamAssassin::Plugin::FreeMail
if (version >= 3.004000)
header __HK_NAME_MR_MRS From:name =~ /^M(?:RS?|ISS)\b/mi
meta HK_NAME_MR_MRS __HK_NAME_MR_MRS && !FREEMAIL_FROM
+ describe HK_NAME_MR_MRS From starts with MR/MRS/MISS and it is not a free mail provider
score HK_NAME_MR_MRS 1.0
meta HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM
+ describe HK_NAME_MR_MRS From starts with MR/MRS/MISS and it is a free mail provider
score HK_NAME_FM_MR_MRS 1.5
header __HK_NAME_FROM From:name =~ /^FROM\b/mi
meta HK_NAME_FROM __HK_NAME_FROM && !FREEMAIL_FROM
+ describe HK_NAME_FROM From starts with FROM and it is not a free mail provider
score HK_NAME_FROM 1.0
meta HK_NAME_FM_FROM __HK_NAME_FROM && FREEMAIL_FROM
+ describe HK_NAME_FM_FROM From starts with FROM and it is a free mail provider
score HK_NAME_FM_FROM 1.5
endif
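Review bot: The describe added under `meta HK_NAME_FM_MR_MRS` names the wrong rule: `describe HK_NAME_MR_MRS From starts with MR/MRS/MISS and it is a free mail provider` leaves HK_NAME_FM_MR_MRS without a description and gives HK_NAME_MR_MRS a second, contradictory one (whichever the parser keeps, the text is wrong for that rule). Change it to `describe HK_NAME_FM_MR_MRS From starts with MR/MRS/MISS and it is a free mail provider`, matching how the FROM pair further down names HK_NAME_FROM and HK_NAME_FM_FROM separately.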
@@ -262,6 +269,7 @@ meta HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN
mimeheader HK_CTE_RAW Content-Transfer-Encoding =~ /^raw$/
score HK_CTE_RAW 2
+describe HK_CTE_RAW Inappropriate Content-Transfer-Encoding (raw)
tflags HK_CTE_RAW publish
mimeheader __CT_UTF7 Content-Type =~ /\bcharset=.?utf-7\b/i
diff --git a/rulesrc/sandbox/jhardin/20_misc_testing.cf b/rulesrc/sandbox/jhardin/20_misc_testing.cf
index b6964b3..97981f0 100644
--- a/rulesrc/sandbox/jhardin/20_misc_testing.cf
+++ b/rulesrc/sandbox/jhardin/20_misc_testing.cf
@@ -216,6 +216,7 @@ ifplugin Mail::SpamAssassin::Plugin::SPF
#meta FROM_MISSP_SPF_FAIL1 (__FROM_RUNON && !SPF_PASS)
#tflags FROM_MISSP_SPF_FAIL1 net
meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL)
+ describe FROM_MISSP_SPF_FAIL Poorly formed `From` and SPF failed
tflags FROM_MISSP_SPF_FAIL net
score FROM_MISSP_SPF_FAIL 2.00 # limit
endif
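Review bot: `describe FROM_MISSP_SPF_FAIL Poorly formed `From` and SPF failed` uses Markdown-style backticks, which as far as I know are not rendered anywhere SpamAssassin displays descriptions, and the existing convention in these files is double quotes for literal tokens (compare `describe TVD_DEAR_HOMEOWNER Spam with generic salutation of "dear homeowner"` elsewhere in this commit). The same applies to the HELO_OEM, HELO_FRIEND, STOX_REPLY_TYPE, CURR_PRICE, STOX_AND_PRICE, HELO_LH_LD, HELO_LH_HOME, FSL_HELO_SETUP and FSL_HELO_DEVICE descriptions added later. Suggest `describe FROM_MISSP_SPF_FAIL Poorly formed From header and SPF failed`.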
@@ -1488,10 +1489,12 @@ score BODY_SINGLE_URI 2.500 # limit
body __UNSUBSCRIBE_ES /\b(?:Para darte de baja y no recibir ning(?:=FA|[\xfa]|[\xc3][\xba])n|Si no desea que le enviemos publicidad|Si desea eliminar su correo [^\s@]{1,64}@[^\s@]{1,64} de nuestra lista|no recibir estos boletines a: [^\s@]{1,64}@[^\s@]{1,64} simplemente|Si no desea recibir m(?:=E1|[\xe1]|[\xc3][\xa1]|a)s notificaciones)\b/i
meta UNSUBSCRIBE_ES __UNSUBSCRIBE_ES
+describe UNSUBSCRIBE_ES Unsubscribe text (Spanish)
score UNSUBSCRIBE_ES 2.500 # limit
body __UNSUBSCRIBE_PT /\bSe n(?:a|=E3|[\xe3]|[\xc3][\xa3])o desejar mais receber nossos e-?mails?\b/i
meta UNSUBSCRIBE_PT __UNSUBSCRIBE_PT
+describe UNSUBSCRIBE_PT Unsubscribe text (Portuguese)
score UNSUBSCRIBE_PT 2.500 # limit
body __URI_DBL_PROTO m,\b(?:https?:/+){2},i
@@ -1520,6 +1523,7 @@ describe GAPPY_LOW_CONTRAST Gappy subject + hidden text
score GAPPY_LOW_CONTRAST 2.500 # limit
meta URI_ONLY_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __BODY_URI_ONLY
+describe URI_ONLY_LOW_CONTRAST Body is just a URI + hidden text
score URI_ONLY_LOW_CONTRAST 2.500 # limit
meta SUBJ_OBFU_LOW_CNTRST (HTML_FONT_LOW_CONTRAST && __SUBJ_OBFU_PUNCT) && !ALL_TRUSTED && !__NOT_A_PERSON && !__THREADED
@@ -3795,6 +3799,7 @@ tflags URI_AZURE_CLOUDAPP publish
uri __URI_ADOBESPARK m,https?://branchlink\.adobespark\.com/,i
meta URI_ADOBESPARK __URI_ADOBESPARK
+describe URI_ADOBESPARK Adobe Cloud phishing
score URI_ADOBESPARK 3.500 # limit
tflags URI_ADOBESPARK publish
@@ -3988,19 +3993,24 @@ tflags URI_LONG_REPEAT publish
body READY_TO_SHIP /(?:(?:in our (?:stock|warehouse|store|storage facility)(?: today| now| right away)?[.,:]\s|our (?:\w+,? ){2,8}(?:is |now )+)Ready (?:to (?:be )?|for )+(?:ship|send|deliver)|ready (?:for shipping|to (?:ship|send)) (?:(?:in|from|by) our (?:warehouse|stock|stor(?:e|age))|(?:to|for)(?: global(?:ly)?| worldwide| customers){2})|(?:(?:our|this|a|great|fine|wonderful|cool|popular) new product|we have(?: \w+){1,6} available|ready) in (?:our )?(?:warehouse|stock|stor(?:e|age))|just arrived in our (?:warehouse|stor(?:e|age))|we will (?:contact the (?:warehouse|logistics|store|storage(?: facility)) to )?arrange (?:the )?(?:shipment|delivery)|a new (?:\w+ ){1,3}in our (?:warehouse|storage)|this (?:new )?(?:merchandise|product|item) is (?:now )?(?:ready (?:to ship )?|available )(?:at|in|from) our (?:warehouse|stock|stor(?:e|age)))/i
score READY_TO_SHIP 1.250 # limit
+describe READY_TO_SHIP "Item ready to ship"
body WANT_TO_ORDER /you(?:'d)? (?:(?:would )?like|want|(?:are |(?:would )?be )?interested|need|wish)(?: to| in)? (?:plac(?:e|ing) an order|order(?:ing)? (?:for )?(?:this|it|now|today|our \w+)|(?:(?:tak|receiv)(e|ing)|pick up) (?:one (?:o[rt] two )?(?:\w+ ){0,2}|this (?:item|product) |some )(?:today|now|of our))\b/i
+describe WANT_TO_ORDER "Would you like to order a product?"
score WANT_TO_ORDER 2.750 # limit
body YOUR_DELIVERY_ADDRESS /(?:(?:respond|reply|answer) (?:to )?(?:our|this) ?e?mail (?:[\w,]+\s){0,10}(?:with|and send(?: us)?)|we need to know|let us know|(?:send|provide|tell|inform)(?: us)?(?: of)?|confirm|indicate)(?: t?he (?:order )?quantity and)? (?:your |the )?(?:detailed |specific |exact )?(?:(?:delivery |shipping |mailing |shipment |receiving )?(?:address|location)(?:\s?[,.;]|(?: and| so)? we| if you)|address (?:for|of) (?:shipping|delivery|shipment))|(?:provide|give) us (?:with |details of )(?:the |your )?address,? (?:and )?we will contact (?:the )?(?:warehouse|logistics|storage(?: facility))|your (?:mailing|shipping) address to (?:arrange|set ?up) (?:shipment|delivery) (?:(?:for|to) you|of th)/i
+describe YOUR_DELIVERY_ADDRESS "We need your delivery address"
score YOUR_DELIVERY_ADDRESS 1.250 # limit
body __NEW_PRODUCTS /\bhere are new products|\b(?:Our company|we) (?:has |have )?(?:(?:recently|just|newly) (?:introduce|release|launche)[ds](?: a| our| the)? (?:new|(?:\w+\s){1,5}below)|a new (?!cat\s|kitten\s|dog\s|puppy\s|pet\s|baby\s|child\s|boy\s|girl\s)(?:\w+\s){1,5} here)|recently,? our company (?:launch|releas)ed|\bI want to recommend a new (?:\w+ ){1,5}(?:we|our)\b|latest version of our (?:stock|product)|\b(?:our|a) new (?:\w+ ){1,3}has (?:recently|just) been released/i
meta NEW_PRODUCTS __NEW_PRODUCTS && !__STY_INVIS_MANY
+describe NEW_PRODUCTS "New product offering"
score NEW_PRODUCTS 1.250 # limit
tflags NEW_PRODUCTS publish
body DETAILS_OF_PRODUCT /(?:Please|kindly) (?:see|refer to|check(?: out)?) the (?:details of the product|(?:detailed |complete |specific )?product (?:details|information)) (below|following|that follow|in detail)|the following (?:(?:is the )?(?:detailed )?product information|is a brief introduction to (?:\w+\s){0,5}this product)|\bhere (is|are) some basic information about this|you can (?:\w+ )?understand our product|take a look at this product|interested in learning about (?:this|our product)|grasp our (?:product|goods)|details can be checked below|(?:provide|present) you \w+ the product(?:[-\s]specific)? (?:details|information)/i
+describe DETAILS_OF_PRODUCT "See product details"
score DETAILS_OF_PRODUCT 1.250 # limit
# Don't joe-job a SA dev's wife
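Review bot: The five descriptions added in this hunk (READY_TO_SHIP, WANT_TO_ORDER, YOUR_DELIVERY_ADDRESS, NEW_PRODUCTS, DETAILS_OF_PRODUCT) wrap the whole text in double quotes, e.g. `describe READY_TO_SHIP "Item ready to ship"`, and ADULT_DATING_COMPANY in the next hunk does the same. `describe` takes the remainder of the line as the text, so the quotes will appear literally in spam reports, and no other description in this file is quoted that way (compare `describe URI_ONLY_LOW_CONTRAST Body is just a URI + hidden text` in this same commit). Drop the quotes: `describe READY_TO_SHIP Item ready to ship`.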
@@ -4009,10 +4019,12 @@ header __ADULTDATINGCOMPANY_FROM From:name =~ /\bAdultDatingCompany\b/i
header __ADULTDATINGCOMPANY_REPTO Reply-To:name =~ /\bAdultDatingCompany\b/i
meta ADULT_DATING_COMPANY __ADULTDATINGCOMPANY_BODY || __ADULTDATINGCOMPANY_FROM || __ADULTDATINGCOMPANY_REPTO
score ADULT_DATING_COMPANY 10.000 # limit
+describe ADULT_DATING_COMPANY "AdultDatingCompany"
tflags ADULT_DATING_COMPANY publish
body CHINA_MANUFACTURER /\bWe are China located manufacture/i
+describe CHINA_MANUFACTURER Message about Chinese manufacturer
score CHINA_MANUFACTURER 2.500 # limit
meta POSSIBLE_AMAZON_PHISH_01 (__FROM_NAME_AMAZONCOM && __NAME_EMAIL_DIFF)
@@ -4041,6 +4053,7 @@ describe POSSIBLE_GMAIL_PHISHER Apparent phishing email sent from a gmail
header __REPTO_INFONUMSCOM Reply-To:addr =~ /^info@\d{5,}\.com$/i
meta REPTO_INFONUMSCOM __REPTO_INFONUMSCOM
+describe REPTO_INFONUMSCOM Reply to info at numbered .com domain
score REPTO_INFONUMSCOM 3.000 # limit
tflags REPTO_INFONUMSCOM publish
diff --git a/rulesrc/sandbox/jm/20_basic.cf b/rulesrc/sandbox/jm/20_basic.cf
index 08d2991..5eb9b7d 100644
--- a/rulesrc/sandbox/jm/20_basic.cf
+++ b/rulesrc/sandbox/jm/20_basic.cf
@@ -4,7 +4,9 @@
# compiler will take care of the hard work of copying them around for me, while
# they're still working well.
+# https://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_basic.cf?annotate=416079&pathrev=416079
header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
+describe MID_DEGREES Message ID from degree spam (2006-06-21)
## score MID_DEGREES 3
# from Clifton
@@ -13,13 +15,16 @@ header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
header TT_MSGID_TRUNC Message-Id =~ /^\s*[^<>\s]+\[\d+$/
describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits
-# testing for Dave Funk (mail of 11/16); compare with AXB_FAKETZ, GMD_FAKETZ.
+# testing for Dave Funk (mail of 2006/11/16); compare with AXB_FAKETZ, GMD_FAKETZ.
+# https://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_basic.cf?r1=489349&r2=489350&pathrev=489350&
# pretty good; less FPs than AXB_FAKETZ, however, same FP level but less 0.01%
# less hits than GMD_FAKETZ, so that's still better
header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/
+describe L_SPAM_TOOL_13 Date has fake timezone
## score L_SPAM_TOOL_13 3.0
header JM_RCVD_QMAILV1 Received =~ /by \S+ \(Qmailv1\) with ESMTP/
+describe JM_RCVD_QMAILV1 Rare unmaintained mail server (Qmail)
# ---------------------------------------------------------------------------
# Informational rules
@@ -132,20 +137,27 @@ header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/
header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/
header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/
meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
+describe JM_TORA_XM Spam from 2012 https://scamsurvivors.com/forum/viewtopic.php?f=6&t=1722&start=230
# HELO as localhost. we should really be rejecting this at MTA, but hey.
# it seems most of us let these slip through our MTA configs; 3% of spam, no FPs
header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i
+describe HELO_LOCALHOST Sender claims to be localhost the MTA should have rejected it
header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
+describe HELO_OEM Sending server claims to be `pc` or `oem*`
header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i
+describe HELO_FRIEND Sending server claims to be `friend`
+# https://svn.apache.org/viewvc?view=revision&revision=496293
header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s
+describe MIME_BOUND_EQ_REL Boundary matches spam from 2006-01-15
body __DBLCLAIM /avoid double claiming/
body __CASHPRZ /cash prize of/
meta LOTTERY_1 (__DBLCLAIM && __CASHPRZ)
+describe LOTTERY_1 Lottery spam
# ---------------------------------------------------------------------------
# Testing bit
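Review bot: `describe JM_TORA_XM Spam from 2012 https://scamsurvivors.com/forum/viewtopic.php?f=6&t=1722&start=230` puts a reference URL into the user-visible description; the link belongs in a `#` comment above the meta, as this commit already does for the svn references, with a short description such as `describe JM_TORA_XM Spam from 2012 (Outlook 6626 + MimeOLE 2962 + bare To)`. If I recall correctly, `spamassassin --lint` also warns on descriptions longer than 50 characters, which this line and `describe HELO_LOCALHOST ...` exceed. Separately, `describe HELO_LOCALHOST Sender claims to be localhost the MTA should have rejected it` is a run-on; `describe HELO_LOCALHOST Sender claims to be localhost; MTA should have rejected it` reads cleanly.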
@@ -165,18 +177,27 @@ describe STOCK_IMG_CTYPE Stock spam image part, with distinctive Content-Type h
uri __HAS_ANY_URI /^\w+:\/\//
body __HAS_ANY_EMAIL /\w@\S+\.\w/
meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL)
+describe SB_GIF_AND_NO_URIS Message has gifs, no uri and no email addresses
meta CTYPE_001C_A (0) # obsolete
+describe CTYPE_001C_A This obsolete meta shouldn't trigger -- if you see this, please file a bug
header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
+describe CTYPE_001C_B Suspicious multipart boundary (?) -- if you can clarify this, please file a PR
header __MSOE_MID_WRONG_CASE ALL =~ /\nMessage-Id: /
header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/
meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)
+describe MSOE_MID_WRONG_CASE Bulk email software identified by pretending to be Outlook Express
+# https://svn.apache.org/viewvc?view=revision&revision=481003
+# https://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_basic.cf?annotate=481330&pathrev=481330
header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/
+describe STOX_REPLY_TYPE Suspicious `reply-type`
body CURR_PRICE /\bCurrent Price:/
+describe CURR_PRICE Has suspicious content `Current Price`
meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE
+describe STOX_AND_PRICE Spam from 2006 with suspicious content `Current Price` and `reply-type`
# bug 5224: basic OE multipart/related check. see what the overlaps
# are like
@@ -186,7 +207,9 @@ tflags OE_MULTIPART_RELATED nopublish
# more trials of bad HELO strings
header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i
+describe HELO_LH_LD Sending server claims to be `localhost.localdomain`
header HELO_LH_HOME X-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
+describe HELO_LH_HOME Sending server claims to be `*.home` or `*.lan`
# requested experiment: PBL hitrates on URIs
@@ -212,6 +235,7 @@ header TEMPLATE_203_RCVD Received =~ /from 192.168.0.\d+ \(203-219-/
# good Message-ID pattern for recent stock spam
header STOX_BOUND_090909_B Content-Type:raw =~ /;\n boundary=\"------------0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]\"$/s
+describe STOX_BOUND_090909_B Stock spam
header STOX_UA User-Agent =~ /^Thunderbird 1.5.0.12 \(Windows\/20070509\)/
meta STOX_META_5 (STOX_BOUND_090909_B && EMPTY_MESSAGE)
@@ -224,6 +248,7 @@ meta CARD_DIRECT_WWW_ADDRESS (__CARD_DIRECT_WWW_ADDRESS && !__LEGIT_MARLO_CARD)
body __AFF_004470_NUMBER /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/
body __AFF_LOTTERY /(?:lottery|winner)/i
meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY)
+describe LOTTERY_PH_004470 Lottery spam
# Jo Rhett wants this tested
meta TVD_PDF_FINGER01_JO (__TVD_MIME_CT_MM && __TVD_MIME_ATT && !__TVD_BODY)
@@ -237,6 +262,7 @@ header JM_FAKE_PSMTP_RCVD Received =~ /^from \[\d+\.\d+\.\d+\.\d+\] by \S+\.\S
# use of the "I Feel Lucky" button in Google, thanks LR
uri JM_I_FEEL_LUCKY /(?:\&|\?)btnI=ec(?:$|\&)/
tflags JM_I_FEEL_LUCKY publish # low hitrate, but always a good sign
+describe JM_I_FEEL_LUCKY URI appears to be for Google "I Feel Lucky"
# some auto-discovered header rules
header JM_0800_GMT Received =~ / \+0800 \(GMT\)$/
@@ -256,7 +282,9 @@ body JM_NICE_GIRL /I am nice girl that would like to chat with you\. /
header __HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/
rawbody __HS_QUOTE /^> /
+# https://svn.apache.org/viewvc?view=revision&revision=594329
meta STOX_REPLY_TYPE_WITHOUT_QUOTES (STOX_REPLY_TYPE && !(__HS_SUBJ_RE_FW || __HS_QUOTE))
+describe STOX_REPLY_TYPE_WITHOUT_QUOTES Suspicious `reply-type` from 2006-2007 without re/fw/quoted content
rawbody IMG_CID_PART1 / 10)
# JHardin: don't hit 127.x.x.x (loopback) addresses
header __FSL_HELO_BARE_IP_1 X-Spam-Relays-External =~ /^[^\]]+ helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} [^\]]*auth= /i
meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED
+describe FSL_HELO_BARE_IP_1 Sending server said HELO by IP instead of domain
# score FSL_HELO_BARE_IP_1 0.001
@@ -111,12 +115,14 @@ header __FSL_HELO_BARE_IP_2 X-Spam-Relays-Untrusted =~ /helo=(?!127)\d{1,3}\
meta FSL_HELO_BARE_IP_2 __FSL_HELO_BARE_IP_2 && !FSL_HELO_BARE_IP_1 && !__VIA_ML && !__HAS_ERRORS_TO
header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
+describe FSL_HELO_NON_FQDN_1 Sending server said HELO without a fully qualified domain name
# score FSL_HELO_NON_FQDN_1 0.001
# header FSL_HELO_NON_FQDN_2 X-Spam-Relays-External =~ /\bhelo=[a-zA-Z0-9-_]+\b/i
# score FSL_HELO_NON_FQDN_2 0.001
header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/
+describe FSL_FAKE_HOTMAIL_RVCD Forged hotmail server domain (Microsoft uses other domains for outbound mail)
# score FSL_FAKE_HOTMAIL_RCVD 0.001
# header FSL_FAKE_YAHOO_RCVD X-Spam-Relays-External =~ /mx\.mail\.yahoo.com/
@@ -142,15 +148,18 @@ header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.co
# score FSL_HELO_HOME 0.001
header FSL_HELO_SETUP X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i
+describe FSL_HELO_SETUP Sending server said HELO with `.setup`
# score FSL_HELO_SETUP 0.001
header FSL_HELO_FIREWALL X-Spam-Relays-External =~ /\bhelo=\S+\.firewall\b/i
# score FSL_HELO_FIREWALL 0.001
header FSL_HELO_DEVICE X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i
+describe FSL_HELO_DEVICE Sending server claimed to be `device/speedtouch.lan`
# score FSL_HELO_DEVICE 0.001
header FSL_HELO_FAKE X-Spam-Relays-External =~ /\bhelo=(?:yandex.ru|(?:hotmail|gmail|google|yahoo|msn|microsoft)\.com)\b/i
+describe FSL_HELO_FAKE Sending server incorrectly claimed to be major free public email vendor
# score FSL_HELO_FAKE 0.001
# Testing