@@ -37,18 +37,6 @@ metric { | |||
weight = 0.30; | |||
description = "Sender is forged (different From: header and smtp MAIL FROM: addresses)"; | |||
} | |||
symbol "MIME_HTML_ONLY" { | |||
weight = 0.2; | |||
description = "Messages that have only HTML part"; | |||
} | |||
symbol "FM_FAKE_HELO_VERIZON" { | |||
weight = 2.0; | |||
description = "Fake helo for verizon provider"; | |||
} | |||
symbol "MISSING_TO" { | |||
weight = 2.0; | |||
description = "To header is missing"; | |||
} | |||
symbol "R_MIXED_CHARSET" { | |||
weight = 5.0; | |||
description = "Mixed characters in a message"; | |||
@@ -91,15 +79,6 @@ metric { | |||
group "subject" { | |||
max_score = 6.0; | |||
symbol "LONG_SUBJ" { | |||
weight = 6.0; | |||
description = "Subject is too long"; | |||
} | |||
symbol "SUBJ_ALL_CAPS" { | |||
weight = 3.0; | |||
description = "No lower case letters in subject"; | |||
} | |||
} | |||
group "mua" { | |||
@@ -109,70 +88,6 @@ metric { | |||
} | |||
} | |||
group "body" { | |||
symbol "R_WHITE_ON_WHITE" { | |||
weight = 4.0; | |||
description = "White color on white background in HTML messages"; | |||
} | |||
symbol "HTML_SHORT_LINK_IMG_1" { | |||
weight = 3.0; | |||
description = "Short html part with a link to an image"; | |||
} | |||
symbol "HTML_SHORT_LINK_IMG_2" { | |||
weight = 1.0; | |||
description = "Short html part with a link to an image"; | |||
} | |||
symbol "HTML_SHORT_LINK_IMG_3" { | |||
weight = 0.5; | |||
description = "Short html part with a link to an image"; | |||
} | |||
symbol "R_PARTS_DIFFER" { | |||
weight = 1.0; | |||
description = "Text and HTML parts differ"; | |||
} | |||
symbol "R_EMPTY_IMAGE" { | |||
weight = 2.0; | |||
description = "Message contains empty parts and image"; | |||
} | |||
symbol "DRUGS_MANYKINDS" { | |||
weight = 2.0; | |||
description = "Drugs patterns inside message"; | |||
} | |||
symbol "DRUGS_ANXIETY" { | |||
weight = 2.0; | |||
description = ""; | |||
} | |||
symbol "DRUGS_MUSCLE" { | |||
weight = 2.0; | |||
description = ""; | |||
} | |||
symbol "DRUGS_ANXIETY_EREC" { | |||
weight = 2.0; | |||
description = ""; | |||
} | |||
symbol "DRUGS_DIET" { | |||
weight = 2.0; | |||
description = ""; | |||
} | |||
symbol "DRUGS_ERECTILE" { | |||
weight = 2.0; | |||
description = ""; | |||
} | |||
symbol "ADVANCE_FEE_2" { | |||
weight = 3.300000; | |||
description = "2 'advance fee' patterns in a message"; | |||
} | |||
symbol "ADVANCE_FEE_3" { | |||
weight = 2.120000; | |||
description = "3 'advance fee' patterns in a message"; | |||
} | |||
symbol "R_LOTTO" { | |||
weight = 8.0; | |||
description = "Lotto signatures"; | |||
} | |||
} | |||
group "rbl" { | |||
symbol "DNSWL_BLOCKED" { | |||
weight = 0.0; | |||
@@ -577,22 +492,6 @@ metric { | |||
} | |||
} | |||
group "date" { | |||
symbol "DATE_IN_FUTURE" { | |||
weight = 4.0; | |||
description = "Message date is in future"; | |||
} | |||
symbol "DATE_IN_PAST" { | |||
weight = 1.0; | |||
description = "Message date is in past"; | |||
} | |||
symbol "MISSING_DATE" { | |||
weight = 1.0; | |||
description = "Message date is missing"; | |||
} | |||
} | |||
group "hfilter" { | |||
symbol "HFILTER_HELO_BAREIP" { | |||
weight = 3.00; | |||
@@ -774,13 +673,6 @@ metric { | |||
one_shot = true; | |||
} | |||
} | |||
group "url" { | |||
symbol "R_SUSPICIOUS_URL" { | |||
weight = 6.0; | |||
description = "Obfusicated or suspicious URL has been found in a message"; | |||
one_shot = true; | |||
} | |||
} | |||
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/metrics.conf" | |||
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/metrics.conf" |
@@ -18,7 +18,12 @@ local rspamd_regexp = require "rspamd_regexp" | |||
local rspamd_logger = require "rspamd_logger" | |||
-- Messages that have only HTML part | |||
reconf['MIME_HTML_ONLY'] = 'has_only_html_part()' | |||
reconf['MIME_HTML_ONLY'] = { | |||
re = 'has_only_html_part()', | |||
score = 0.2, | |||
description = 'Messages that have only HTML part', | |||
group = 'header' | |||
} | |||
local function check_html_image(task, min, max) | |||
local tp = task:get_text_parts() |
@@ -77,70 +77,87 @@ rspamd_config.LONG_SUBJ = { | |||
} | |||
-- Different text parts | |||
rspamd_config.R_PARTS_DIFFER = function(task) | |||
local distance = task:get_mempool():get_variable('parts_distance', 'double') | |||
if distance then | |||
local nd = tonumber(distance) | |||
-- ND is relation of different words to total words | |||
if nd >= 0.5 then | |||
local tw = task:get_mempool():get_variable('total_words', 'int') | |||
if tw then | |||
local score | |||
if tw > 30 then | |||
-- We are confident about difference | |||
score = (nd - 0.5) * 2.0 | |||
else | |||
-- We are not so confident about difference | |||
score = (nd - 0.5) | |||
rspamd_config.R_PARTS_DIFFER = { | |||
callback = function(task) | |||
local distance = task:get_mempool():get_variable('parts_distance', 'double') | |||
if distance then | |||
local nd = tonumber(distance) | |||
-- ND is relation of different words to total words | |||
if nd >= 0.5 then | |||
local tw = task:get_mempool():get_variable('total_words', 'int') | |||
if tw then | |||
local score | |||
if tw > 30 then | |||
-- We are confident about difference | |||
score = (nd - 0.5) * 2.0 | |||
else | |||
-- We are not so confident about difference | |||
score = (nd - 0.5) | |||
end | |||
task:insert_result('R_PARTS_DIFFER', score, | |||
string.format('%.1f%%', tostring(100.0 * nd))) | |||
end | |||
task:insert_result('R_PARTS_DIFFER', score, | |||
string.format('%.1f%%', tostring(100.0 * nd))) | |||
end | |||
end | |||
end | |||
return false | |||
end | |||
return false | |||
end, | |||
score = 1.0, | |||
description = 'Text and HTML parts differ', | |||
group = 'body' | |||
} | |||
-- Date issues | |||
rspamd_config.MISSING_DATE = function(task) | |||
if rspamd_config:get_api_version() >= 5 then | |||
local date = task:get_header_raw('Date') | |||
if date == nil or date == '' then | |||
return true | |||
end | |||
end | |||
return false | |||
end | |||
rspamd_config.DATE_IN_FUTURE = function(task) | |||
if rspamd_config:get_api_version() >= 5 then | |||
local dm = task:get_date{format = 'message'} | |||
local dt = task:get_date{format = 'connect'} | |||
-- An 2 hour | |||
if dm > 0 and dm - dt > 7200 then | |||
return true | |||
end | |||
end | |||
return false | |||
end | |||
rspamd_config.DATE_IN_PAST = function(task) | |||
if rspamd_config:get_api_version() >= 5 then | |||
local dm = task:get_date{format = 'message', gmt = true} | |||
local dt = task:get_date{format = 'connect', gmt = true} | |||
-- A day | |||
if dm > 0 and dt - dm > 86400 then | |||
return true | |||
end | |||
end | |||
return false | |||
end | |||
rspamd_config.MISSING_DATE = { | |||
callback = function(task) | |||
if rspamd_config:get_api_version() >= 5 then | |||
local date = task:get_header_raw('Date') | |||
if date == nil or date == '' then | |||
return true | |||
end | |||
end | |||
return false | |||
end, | |||
score = 1.0, | |||
description = 'Message date is missing', | |||
group = 'date' | |||
} | |||
rspamd_config.DATE_IN_FUTURE = { | |||
callback = function(task) | |||
if rspamd_config:get_api_version() >= 5 then | |||
local dm = task:get_date{format = 'message'} | |||
local dt = task:get_date{format = 'connect'} | |||
-- 2 hours | |||
if dm > 0 and dm - dt > 7200 then | |||
return true | |||
end | |||
end | |||
return false | |||
end, | |||
score = 4.0, | |||
description = 'Message date is in future', | |||
group = 'date' | |||
} | |||
rspamd_config.DATE_IN_PAST = { | |||
callback = function(task) | |||
if rspamd_config:get_api_version() >= 5 then | |||
local dm = task:get_date{format = 'message', gmt = true} | |||
local dt = task:get_date{format = 'connect', gmt = true} | |||
-- A day | |||
if dm > 0 and dt - dm > 86400 then | |||
return true | |||
end | |||
end | |||
return false | |||
end, | |||
score = 1.0, | |||
description = 'Message date is in past', | |||
group = 'date' | |||
} | |||
rspamd_config.R_SUSPICIOUS_URL = function(task) | |||
rspamd_config.R_SUSPICIOUS_URL = { | |||
callback = function(task) | |||
local urls = task:get_urls() | |||
if urls then | |||
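Review bot: `DATE_IN_FUTURE` and `DATE_IN_PAST` now sit side by side but request their timestamps differently: the future check calls `task:get_date{format = 'message'}` and `task:get_date{format = 'connect'}` without `gmt`, while the past check passes `gmt = true` to both. Each subtraction is internally consistent because its two operands use the same setting, so this is not obviously wrong, but the asymmetry is unexplained; either align them with `local dm = task:get_date{format = 'message', gmt = true}` and `local dt = task:get_date{format = 'connect', gmt = true}`, or add a comment stating why the future check must use local time. Separately, `R_PARTS_DIFFER` builds its option string as `string.format('%.1f%%', tostring(100.0 * nd))`, which relies on string-to-number coercion inside `%.1f`; passing the number directly, `string.format('%.1f%%', 100.0 * nd)`, is clearer and avoids the round trip. The `R_SUSPICIOUS_URL` callback opened at the end of this hunk continues past it.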
@@ -151,7 +168,12 @@ rspamd_config.R_SUSPICIOUS_URL = function(task) | |||
end | |||
end | |||
return false | |||
end | |||
end, | |||
score = 6.0, | |||
one_shot = true, | |||
description = 'Obfusicated or suspicious URL has been found in a message', | |||
group = 'url' | |||
} | |||
rspamd_config.BROKEN_HEADERS = { | |||
callback = function(task) |
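Review bot: The description on the new `R_SUSPICIOUS_URL` table misspells its first word: `description = 'Obfusicated or suspicious URL has been found in a message'` should read `description = 'Obfuscated or suspicious URL has been found in a message'`. The typo is carried over from the removed metrics.conf entry, and since this string is what is shown wherever symbol descriptions are rendered, it is worth fixing while the metadata is being moved. The callback this hunk closes starts in the previous hunk, outside this one.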
@@ -31,7 +31,12 @@ local drugs_diet7 = '/\\b_{0,3}t[_\\W]?[e3\\xE8-\\xEB][_\\W]?n[_\\W]?u[_\\W]?a[_ | |||
local drugs_diet8 = '/\\b_{0,3}d[_\\W]?[i1!|l\\xEC-\\xEF][_\\W]?d[_\\W]?r[_\\W][e3\\xE8-\\xEB[_\\W]?xx?_{0,3}\\b/irP' | |||
local drugs_diet9 = '/\\b_{0,3}a[_\\W]?d[_\\W]?[i1!|l\\xEC-\\xEF][_\\W]?p[_\\W]?[e3\\xE8-\\xEB][_\\W]?x_{0,3}\\b/irP' | |||
local drugs_diet10 = '/\\b_{0,3}x?x[_\\W]?[e3\\xE8-\\xEB][_\\W]?n[_\\W]?[i1!|l\\xEC-\\xEF][_\\W]?c[_\\W]?[a4\\xE0-\\xE6@][_\\W]?l_{0,3}\\b/irP' | |||
reconf['DRUGS_DIET'] = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_diet1, drugs_diet2, drugs_diet3, drugs_diet4, drugs_diet5, drugs_diet6, drugs_diet7, drugs_diet8, drugs_diet9, drugs_diet10) | |||
reconf['DRUGS_DIET'] = { | |||
re = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_diet1, drugs_diet2, drugs_diet3, drugs_diet4, drugs_diet5, drugs_diet6, drugs_diet7, drugs_diet8, drugs_diet9, drugs_diet10), | |||
score = 2.0, | |||
description = 'Drugs pattern in body', | |||
group = 'body' | |||
} | |||
local drugs_erectile1 = '/(?:\\b|\\s)[_\\W]{0,3}(?:\\\\\\/|V)[_\\W]{0,3}[ij1!|l\\xEC\\xED\\xEE\\xEF][_\\W]{0,3}[a40\\xE0-\\xE6@][_\\W]{0,3}[xyz]?[gj][_\\W]{0,3}r[_\\W]{0,3}[a40\\xE0-\\xE6@][_\\W]{0,3}x?[_\\W]{0,3}(?:\\b|\\s)/irP' | |||
local drugs_erectile2 = '/\\bV(?:agira|igara|iaggra|iaegra)\\b/irP' | |||
local drugs_erectile3 = '/(?:\\A|[\\s\\x00-\\x2f\\x3a-\\x40\\x5b-\\x60\\x7b-\\x7f])[_\\W]{0,3}C[_\\W]{0,3}[ij1!|l\\xEC\\xED\\xEE\\xEF][_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}l?[l!|1][_\\W]{0,3}[i1!|l\\xEC-\\xEF][_\\W]{0,3}s[_\\W]{0,3}(?:\\b|\\s)/irP' | |||
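Review bot: All six converted `DRUGS_*` rules carry the identical `description = 'Drugs pattern in body'` (here on `DRUGS_DIET`, and likewise in the `DRUGS_ERECTILE`, `DRUGS_ANXIETY`/`DRUGS_ANXIETY_EREC` and `DRUGS_MUSCLE`/`DRUGS_MANYKINDS` hunks below), so a symbol list no longer tells an operator which category fired. The removed metrics.conf entries were mostly empty, so this is already an improvement, but a per-rule wording costs nothing; for this rule `description = 'Diet drugs pattern in body'` would do, with the sibling rules named accordingly and `DRUGS_MANYKINDS` able to keep the former `'Drugs patterns inside message'`.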
@@ -41,7 +46,12 @@ local drugs_erectile6 = '/\\b_{0,3}L[_\\W]?[e3\\xE8-\\xEB][_\\W]?(?:\\\\\\/|V)[_ | |||
local drugs_erectile8 = '/\\b_{0,3}T[_\\W]?[a4\\xE0-\\xE6@][_\\W]?d[_\\W]?[a4\\xE0-\\xE6@][_\\W]?l[_\\W]?[a4\\xE0-\\xE6@][_\\W]?f[_\\W]?[i1!|l\\xEC-\\xEF][_\\W]?l_{0,3}\\b/irP' | |||
local drugs_erectile10 = '/\\b_{0,3}V[_\\W]?(?:i|\\ï\\;)[_\\W]?(?:a|\\à|\\å)\\;?[_\\W]?g[_\\W]?r[_\\W]?(?:a|\\à|\\å)\\b/irP' | |||
local drugs_erectile11 = '/(?:\\b|\\s)_{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}p[_\\W]{0,3}c[_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}[l!|1][_\\W]{0,3}[i1!|l\\xEC-\\xEF][_\\W]{0,3}s_{0,3}\\b/irP' | |||
reconf['DRUGS_ERECTILE'] = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_erectile1, drugs_erectile2, drugs_erectile3, drugs_erectile4, drugs_erectile5, drugs_erectile6, drugs_erectile8, drugs_erectile10, drugs_erectile11) | |||
reconf['DRUGS_ERECTILE'] = { | |||
re = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_erectile1, drugs_erectile2, drugs_erectile3, drugs_erectile4, drugs_erectile5, drugs_erectile6, drugs_erectile8, drugs_erectile10, drugs_erectile11), | |||
score = 2.0, | |||
description = 'Drugs pattern in body', | |||
group = 'body' | |||
} | |||
local drugs_anxiety1 = '/(?:\\b|\\s)[_\\W]{0,3}x?x[_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}n[_\\W]{0,3}[ea4\\xE1\\xE2\\xE3@][_\\W]{0,3}xx?_{0,3}\\b/irP' | |||
local drugs_anxiety2 = '/\\bAlprazolam\\b/irP' | |||
local drugs_anxiety3 = '/(?:\\b|\\s)[_\\W]{0,3}(?:\\\\\\/|V)[_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}[l|][_\\W]{0,3}[i1!|l\\xEC-\\xEF][_\\W]{0,3}[u\\xB5\\xF9-\\xFC][_\\W]{0,3}m\\b/irP' | |||
@@ -51,8 +61,18 @@ local drugs_anxiety6 = '/\\b_{0,3}l[_\\W]?[o0\\xF2-\\xF6][_\\W]?r[_\\W]?[a4\\xE0 | |||
local drugs_anxiety7 = '/\\b_{0,3}c[_\\W]?l[_\\W]?[o0\\xF2-\\xF6][_\\W]?n[_\\W]?[a4\\xE0-\\xE6@][_\\W]?z[_\\W]?e[_\\W]?p[_\\W]?[a4\\xE0-\\xE6@][_\\W]?m\\b/irP' | |||
local drugs_anxiety8 = '/\\bklonopin\\b/irP' | |||
local drugs_anxiety9 = '/\\brivotril\\b/irP' | |||
reconf['DRUGS_ANXIETY'] = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_anxiety1, drugs_anxiety2, drugs_anxiety3, drugs_anxiety4, drugs_anxiety5, drugs_anxiety6, drugs_anxiety7, drugs_anxiety8, drugs_anxiety9) | |||
reconf['DRUGS_ANXIETY_EREC'] = string.format('(%s) & (%s)', reconf['DRUGS_ERECTILE'], reconf['DRUGS_ANXIETY']) | |||
reconf['DRUGS_ANXIETY'] = { | |||
re = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_anxiety1, drugs_anxiety2, drugs_anxiety3, drugs_anxiety4, drugs_anxiety5, drugs_anxiety6, drugs_anxiety7, drugs_anxiety8, drugs_anxiety9), | |||
score = 2.0, | |||
description = 'Drugs pattern in body', | |||
group = 'body' | |||
} | |||
reconf['DRUGS_ANXIETY_EREC'] = { | |||
re = string.format('(%s) & (%s)', reconf['DRUGS_ERECTILE']['re'], reconf['DRUGS_ANXIETY']['re']), | |||
score = 2.0, | |||
description = 'Drugs pattern in body', | |||
group = 'body' | |||
} | |||
local drugs_pain1 = '/\\b_{0,3}h[_\\W]?y[_\\W]?d[_\\W]?r[_\\W]?[o0\\xF2-\\xF6][_\\W]?c[_\\W]?[o0\\xF2-\\xF6][_\\W]?d[_\\W]?[o0\\xF2-\\xF6][_\\W]?n[_\\W]?e_{0,3}\\b/irP' | |||
local drugs_pain2 = '/\\b_{0,3}c[o0\\xF2-\\xF6]deine_{0,3}\\b/irP' | |||
local drugs_pain3 = '/(?:\\b|\\s)[_\\W]{0,3}[u\\xB5\\xF9-\\xFC][_\\W]{0,3}l[_\\W]{0,3}t[_\\W]{0,3}r[_\\W]{0,3}[a4\\xE0-\\xE6@][_\\W]{0,3}m_{0,3}\\b/irP' | |||
@@ -78,6 +98,16 @@ local drugs_muscle2 = '/\\b_{0,3}cycl[o0\\xF2-\\xF6]b[e3\\xE8-\\xEB]nz[a4\\xE0-\ | |||
local drugs_muscle3 = '/\\b_{0,3}f[_\\W]?l[_\\W]?[e3\\xE8-\\xEB][_\\W]?x[_\\W]?[e3\\xE8-\\xEB][_\\W]?r[_\\W]?[i1!|l\\xEC-\\xEF]_{0,3}[_\\W]?l_{0,3}\\b/irP' | |||
local drugs_muscle4 = '/\\b_{0,3}z[_\\W]?a[_\\W]?n[_\\W]?a[_\\W]?f[_\\W]?l[_\\W]?e[_\\W]?x_{0,3}\\b/irP' | |||
local drugs_muscle5 = '/\\bskelaxin\\b/irP' | |||
reconf['DRUGS_MUSCLE'] = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_muscle1, drugs_muscle2, drugs_muscle3, drugs_muscle4, drugs_muscle5) | |||
reconf['DRUGS_MANYKINDS'] = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], reconf['DRUGS_ERECTILE'], reconf['DRUGS_DIET'], drugs_pain, drugs_sleep, reconf['DRUGS_MUSCLE'], reconf['DRUGS_ANXIETY']) | |||
reconf['DRUGS_MUSCLE'] = { | |||
re = string.format('((%s) | (%s) | (%s)) & ((%s) | (%s) | (%s) | (%s) | (%s))', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], drugs_muscle1, drugs_muscle2, drugs_muscle3, drugs_muscle4, drugs_muscle5), | |||
score = 2.0, | |||
description = 'Drugs pattern in body', | |||
group = 'body' | |||
} | |||
reconf['DRUGS_MANYKINDS'] = { | |||
re = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], reconf['DRUGS_ERECTILE']['re'], reconf['DRUGS_DIET']['re'], drugs_pain, drugs_sleep, reconf['DRUGS_MUSCLE']['re'], reconf['DRUGS_ANXIETY']['re']), | |||
score = 2.0, | |||
description = 'Drugs pattern in body', | |||
group = 'body' | |||
} | |||
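Review bot: In `reconf['DRUGS_MANYKINDS']` the components `drugs_pain` and `drugs_sleep` are passed as bare values while every sibling rule is read through `['re']`, which reads like a missed conversion. Presumably they are composite expression strings assembled earlier in the file (not visible in this hunk), in which case the mix is correct, but a one-line comment above the rule would settle it for the next reader, e.g. `-- drugs_pain / drugs_sleep are plain expression strings, not reconf entries`.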
@@ -70,5 +70,16 @@ local fraud_yqv = '/nigerian? (?:national|government)/irP' | |||
local fraud_yja = '/over-invoice/irP' | |||
local fraud_ypo = '/the total sum/irP' | |||
local fraud_uoq = '/vital documents/irP' | |||
reconf['ADVANCE_FEE_2'] = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 2)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj, fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, fraud_mcq, fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx, fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr, fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum, fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly) | |||
reconf['ADVANCE_FEE_3'] = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj, fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, fraud_mcq, fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx, fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr, fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum, fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly) | |||
reconf['ADVANCE_FEE_2'] = { | |||
re = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 2)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj, fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, fraud_mcq, fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx, fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr, fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum, fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly), | |||
score = 3.3, | |||
description = "2 'advance fee' patterns in a message", | |||
group = 'body' | |||
} | |||
reconf['ADVANCE_FEE_3'] = { | |||
re = string.format('((%s) | (%s) | (%s)) & ((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj, fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, fraud_mcq, fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx, fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr, fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum, fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly), | |||
score = 2.12, | |||
description = "3 'advance fee' patterns in a message", | |||
group = 'body' | |||
} | |||
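Review bot: The two `re` expressions for `ADVANCE_FEE_2` and `ADVANCE_FEE_3` are identical except for the trailing threshold (`>= 2` vs `>= 3`), yet each repeats the full pattern sum and the three-term guard, so any change to the pattern list has to be made twice and the two rules can silently drift apart. Building the guard and the sum once and formatting only the threshold keeps the generated expression byte-identical while removing the duplication; a small vararg helper that wraps each pattern in parentheses and joins them with ` + ` does this without a table literal, so a `nil` pattern still fails at load time as it does today. The rewrite is sketched below; `score`, `description` and `group` are unchanged.
```lua
-- Wrap each pattern in parentheses and join with ' + ' so the number of
-- matching patterns can be compared against a threshold. Concatenation
-- still raises if any fraud_* local is nil, as string.format did before.
local function count_expr(...)
  local terms = {}
  for i = 1, select('#', ...) do
    terms[i] = '(' .. (select(i, ...)) .. ')'
  end
  return table.concat(terms, ' + ')
end

-- Built once; shared by ADVANCE_FEE_2 and ADVANCE_FEE_3.
local fraud_count = count_expr(fraud_kjv, fraud_irj, fraud_neb, fraud_xjr, fraud_ezy, fraud_zfj,
  fraud_kdt, fraud_bgp, fraud_fbi, fraud_jbu, fraud_jyg, fraud_xvw, fraud_snt, fraud_ltx, fraud_mcq,
  fraud_pvn, fraud_fvu, fraud_ckf, fraud_fcw, fraud_mqo, fraud_tcc, fraud_gbw, fraud_nrg, fraud_rlx,
  fraud_axf, fraud_thj, fraud_yqv, fraud_yja, fraud_ypo, fraud_uoq, fraud_dbi, fraud_bep, fraud_dpr,
  fraud_qxx, fraud_qfy, fraud_pts, fraud_tdp, fraud_gan, fraud_ipk, fraud_aon, fraud_wny, fraud_aum,
  fraud_wfc, fraud_yww, fraud_ulk, fraud_iou, fraud_jnb, fraud_irt, fraud_etx, fraud_wdr, fraud_uuy, fraud_mly)

-- Common prefix of both rules.
local fraud_guard = string.format('((%s) | (%s) | (%s))',
  reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'])

reconf['ADVANCE_FEE_2'] = {
  re = string.format('%s & (%s >= 2)', fraud_guard, fraud_count),
  -- … unchanged: score, description, group …
}
reconf['ADVANCE_FEE_3'] = {
  re = string.format('%s & (%s >= 3)', fraud_guard, fraud_count),
  -- … unchanged: score, description, group …
}
```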
@@ -520,7 +520,12 @@ reconf['STOX_REPLY_TYPE'] = { | |||
-- Fake Verizon headers | |||
local fhelo_verizon = 'X-Spam-Relays-Untrusted=/^[^\\]]+ helo=[^ ]+verizon\\.net /iH' | |||
local fhost_verizon = 'X-Spam-Relays-Untrusted=/^[^\\]]+ rdns=[^ ]+verizon\\.net /iH' | |||
reconf['FM_FAKE_HELO_VERIZON'] = string.format('(%s) & !(%s)', fhelo_verizon, fhost_verizon) | |||
reconf['FM_FAKE_HELO_VERIZON'] = { | |||
re = string.format('(%s) & !(%s)', fhelo_verizon, fhost_verizon), | |||
score = 2.0, | |||
description = 'Fake helo for verizon provider', | |||
group = 'header' | |||
} | |||
-- Forged yahoo msgid | |||
local at_yahoo_msgid = 'Message-Id=/\\@yahoo\\.com\\b/iH' |
@@ -28,4 +28,9 @@ local kam_lotto3 = '/(won|claim|cash prize|pounds? sterling)/isrP' | |||
local kam_lotto4 = '/(claims (officer|agent)|lottery coordinator|fiduciary (officer|agent)|fiduaciary claims)/isrP' | |||
local kam_lotto5 = '/(freelotto group|Royal Heritage Lottery|UK National (Online)? Lottery|U\\.?K\\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery)/isrP' | |||
local kam_lotto6 = '/(Dear Lucky Winner|Winning Notification|Attention:Winner|Dear Winner)/isrP' | |||
reconf['R_LOTTO'] = string.format('((%s) | (%s) | (%s)) & (((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s)) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], r_lotto_from, r_lotto_subject, r_lotto_body, kam_lotto1, kam_lotto2, kam_lotto3, kam_lotto4, kam_lotto5, kam_lotto6) | |||
reconf['R_LOTTO'] = { | |||
re = string.format('((%s) | (%s) | (%s)) & (((%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s) + (%s)) >= 3)', reconf['R_UNDISC_RCPT']['re'], reconf['R_BAD_CTE_7BIT']['re'], reconf['R_NO_SPACE_IN_FROM']['re'], r_lotto_from, r_lotto_subject, r_lotto_body, kam_lotto1, kam_lotto2, kam_lotto3, kam_lotto4, kam_lotto5, kam_lotto6), | |||
score = 8.0, | |||
description = 'Lotto signatures', | |||
group = 'body' | |||
} |