|
|
@@ -30,90 +30,151 @@ |
|
|
|
<metric> |
|
|
|
<name>default</name> |
|
|
|
<required_score>10.0</required_score> |
|
|
|
<!-- Sample actions --> |
|
|
|
<action>reject</action> |
|
|
|
<action>greylist:5</action> |
|
|
|
<action>add_header:5</action> |
|
|
|
|
|
|
|
<!-- Weights for symbols --> |
|
|
|
|
|
|
|
<!-- Subject is missing inside message --> |
|
|
|
<symbol weight="2.00">MISSING_SUBJECT</symbol> |
|
|
|
<!-- Message pretends to be send from Outlook but has 'strange' tags --> |
|
|
|
<symbol weight="2.10">FORGED_OUTLOOK_TAGS</symbol> |
|
|
|
<!-- Sender is forged (different From: header and smtp MAIL FROM: addresses) --> |
|
|
|
<symbol weight="5.00">FORGED_SENDER</symbol> |
|
|
|
<symbol weight="2.00">DRUGS_MANYKINDS</symbol> |
|
|
|
<symbol weight="3.30">ADVANCE_FEE_2</symbol> |
|
|
|
<symbol weight="2.12">ADVANCE_FEE_3</symbol> |
|
|
|
<!-- Recipients seems to be autogenerated (works if recipients count is more than 5) --> |
|
|
|
<symbol weight="3.50">SUSPICIOUS_RECIPS</symbol> |
|
|
|
<!-- Fake reply (has RE in subject, but has not References header) --> |
|
|
|
<symbol weight="6.00">FAKE_REPLY_C</symbol> |
|
|
|
<!-- Messages that have only HTML part --> |
|
|
|
<symbol weight="1.00">MIME_HTML_ONLY</symbol> |
|
|
|
<symbol weight="5.50">AB_SURBL_MULTI</symbol> |
|
|
|
<!-- Forged yahoo msgid --> |
|
|
|
<symbol weight="2.00">FORGED_MSGID_YAHOO</symbol> |
|
|
|
<symbol weight="5.50">SC_SURBL_MULTI</symbol> |
|
|
|
<!-- Forged The Bat! MUA headers --> |
|
|
|
<symbol weight="2.00">FORGED_MUA_THEBAT_BOUN</symbol> |
|
|
|
<!-- Charset is missing in a message --> |
|
|
|
<symbol weight="5.00">R_MISSING_CHARSET</symbol> |
|
|
|
<!-- Two received headers with ip addresses --> |
|
|
|
<symbol weight="2.00">RCVD_DOUBLE_IP_SPAM</symbol> |
|
|
|
<symbol weight="5.50">OB_SURBL_MULTI</symbol> |
|
|
|
<!-- Forged outlook HTML signature --> |
|
|
|
<symbol weight="5.00">FORGED_OUTLOOK_HTML</symbol> |
|
|
|
<symbol weight="-2.00">WHITELIST_IP</symbol> |
|
|
|
<!-- Recipients are absent or undisclosed --> |
|
|
|
<symbol weight="5.00">R_UNDISC_RCPT</symbol> |
|
|
|
<symbol weight="2.00">DRUGS_ANXIETY</symbol> |
|
|
|
<symbol weight="2.00">DRUGS_MUSCLE</symbol> |
|
|
|
<symbol weight="2.00">DRUGS_ANXIETY_EREC</symbol> |
|
|
|
<symbol weight="5.50">PH_SURBL_MULTI</symbol> |
|
|
|
<!-- White color on white background in HTML messages --> |
|
|
|
<symbol weight="9.00">R_WHITE_ON_WHITE</symbol> |
|
|
|
<!-- Short html part with a link to an image --> |
|
|
|
<symbol weight="3.00">HTML_SHORT_LINK_IMG_2</symbol> |
|
|
|
<!-- Forged outlook MUA --> |
|
|
|
<symbol weight="3.00">FORGED_MUA_OUTLOOK</symbol> |
|
|
|
<symbol weight="2.00">DRUGS_ERECTILE</symbol> |
|
|
|
<!-- Fake helo for verizon provider --> |
|
|
|
<symbol weight="2.00">FM_FAKE_HELO_VERIZON</symbol> |
|
|
|
<!--Quoted reply-to from yahoo (seems to be forged) --> |
|
|
|
<symbol weight="2.00">REPTO_QUOTE_YAHOO</symbol> |
|
|
|
<!-- Mime-OLE is needed but absent (e.g. fake Outlook or fake Exchange) --> |
|
|
|
<symbol weight="5.00">MISSING_MIMEOLE</symbol> |
|
|
|
<symbol weight="9.50">RAMBLER_URIBL</symbol> |
|
|
|
<!-- To header is missing --> |
|
|
|
<symbol weight="2.00">MISSING_TO</symbol> |
|
|
|
<symbol weight="0.33">FROM_EXCESS_BASE64</symbol> |
|
|
|
<symbol weight="-5.00">FROM_WORLDBANK</symbol> |
|
|
|
<symbol weight="-5.00">FROM_CBR</symbol> |
|
|
|
<symbol weight="-5.00">FROM_CSHOP</symbol> |
|
|
|
<symbol weight="-5.00">FROM_MIRHOSTING</symbol> |
|
|
|
<symbol weight="-5.00">FROM_PASSIFLORA</symbol> |
|
|
|
<symbol weight="10.00">R_SPAM_FROM_VALUEHOST</symbol> |
|
|
|
<!-- From that contains encoded characters while base 64 is not needed as all symbols are 7bit --> |
|
|
|
<symbol weight="0.33">FROM_EXCESS_BASE64</symbol> |
|
|
|
<!-- Mixed characters in a message --> |
|
|
|
<symbol weight="5.00">R_MIXED_CHARSET</symbol> |
|
|
|
<!-- Recipients list seems to be sorted --> |
|
|
|
<symbol weight="3.50">SORTED_RECIPS</symbol> |
|
|
|
<!-- Spambots signatures in received headers --> |
|
|
|
<symbol weight="3.00">R_RCVD_SPAMBOTS</symbol> |
|
|
|
<symbol weight="5.50">JP_SURBL_MULTI</symbol> |
|
|
|
<!-- To header seems to be autogenerated --> |
|
|
|
<symbol weight="3.00">R_TO_SEEMS_AUTO</symbol> |
|
|
|
<!-- Subject needs encoding --> |
|
|
|
<symbol weight="1.00">SUBJECT_NEEDS_ENCODING</symbol> |
|
|
|
<!-- Spam string at the end of message to make statistics faults 0--> |
|
|
|
<symbol weight="3.84">TRACKER_ID</symbol> |
|
|
|
<symbol weight="8.00">R_LOTTO</symbol> |
|
|
|
<!-- No space in from header --> |
|
|
|
<symbol weight="3.00">R_NO_SPACE_IN_FROM</symbol> |
|
|
|
<!-- Subject seems to be spam --> |
|
|
|
<symbol weight="8.00">R_SAJDING</symbol> |
|
|
|
<!-- Detects bad content-transfer-encoding for text parts --> |
|
|
|
<symbol weight="6.00">R_BAD_CTE_7BIT</symbol> |
|
|
|
<symbol weight="5.50">WS_SURBL_MULTI</symbol> |
|
|
|
<!-- Flash redirect on imageshack.us --> |
|
|
|
<symbol weight="10.00">R_FLASH_REDIR_IMGSHACK</symbol> |
|
|
|
<!-- Message id is incorrect --> |
|
|
|
<symbol weight="5.00">INVALID_MSGID</symbol> |
|
|
|
<!-- Message id is missing --> |
|
|
|
<symbol weight="3.00">MISSING_MID</symbol> |
|
|
|
<symbol weight="2.00">DRUGS_DIET</symbol> |
|
|
|
<!-- Recipients are not the same as RCPT TO: mail command --> |
|
|
|
<symbol weight="3.00">FORGED_RECIPIENTS</symbol> |
|
|
|
<!-- Forged Exchange messages --> |
|
|
|
<symbol weight="2.00">RATWARE_MS_HASH</symbol> |
|
|
|
<!-- Reply-type in content-type --> |
|
|
|
<symbol weight="1.00">STOX_REPLY_TYPE</symbol> |
|
|
|
<!-- IP in received headers is in PBL --> |
|
|
|
<symbol weight="3.00">R_IP_PBL</symbol> |
|
|
|
<!-- One received header in a message --> |
|
|
|
<symbol weight="1.00">ONCE_RECEIVED</symbol> |
|
|
|
<!-- One received header with 'bad' patterns inside --> |
|
|
|
<symbol weight="4.00">ONCE_RECEIVED_STRICT</symbol> |
|
|
|
<!-- Received headers contains addresses from RBL --> |
|
|
|
<symbol weight="1.00">RECEIVED_RBL</symbol> |
|
|
|
<!-- Text and HTML parts differ --> |
|
|
|
<symbol weight="3.00">R_PARTS_DIFFER</symbol> |
|
|
|
<!-- Only Content-Type header without other MIME headers --> |
|
|
|
<symbol weight="2.00">MIME_HEADER_CTYPE_ONLY</symbol> |
|
|
|
<!-- Message contains empty parts and image --> |
|
|
|
<symbol weight="2.00">R_EMPTY_IMAGE</symbol> |
|
|
|
|
|
|
|
<!-- Drugs patterns inside message --> |
|
|
|
<symbol weight="2.00">DRUGS_MANYKINDS</symbol> |
|
|
|
<!-- Specific drugs signatures --> |
|
|
|
<symbol weight="2.00">DRUGS_ANXIETY</symbol> |
|
|
|
<symbol weight="2.00">DRUGS_MUSCLE</symbol> |
|
|
|
<symbol weight="2.00">DRUGS_ANXIETY_EREC</symbol> |
|
|
|
<symbol weight="2.00">DRUGS_DIET</symbol> |
|
|
|
<symbol weight="2.00">DRUGS_ERECTILE</symbol> |
|
|
|
|
|
|
|
<!-- 2 or 3 'advance fee' patterns in a message --> |
|
|
|
<symbol weight="3.30">ADVANCE_FEE_2</symbol> |
|
|
|
<symbol weight="2.12">ADVANCE_FEE_3</symbol> |
|
|
|
|
|
|
|
<!-- Lotto signatures --> |
|
|
|
<symbol weight="8.00">R_LOTTO</symbol> |
|
|
|
|
|
|
|
<!-- Statistics --> |
|
|
|
<symbol weight="3.00">BAYES_SPAM</symbol> |
|
|
|
<symbol weight="-3.00">BAYES_HAM</symbol> |
|
|
|
|
|
|
|
<!-- Fuzzy lists example --> |
|
|
|
<symbol weight="1.00">R_FUZZY</symbol> |
|
|
|
<symbol weight="1.00">R_FUZZY1</symbol> |
|
|
|
<symbol weight="1.00">R_FUZZY2</symbol> |
|
|
|
<symbol weight="1.00">R_FUZZY3</symbol> |
|
|
|
|
|
|
|
|
|
|
|
<!-- SPF rules --> |
|
|
|
<symbol weight="3.00">R_SPF_FAIL</symbol> |
|
|
|
<symbol weight="1.00">R_SPF_SOFTFAIL</symbol> |
|
|
|
<symbol weight="-3.00">R_SPF_ALLOW</symbol> |
|
|
|
|
|
|
|
<symbol weight="-2.00">MAILLIST</symbol> |
|
|
|
|
|
|
|
<symbol weight="3.00">R_IP_PBL</symbol> |
|
|
|
<!-- Whitelisted client's IP --> |
|
|
|
<symbol weight="-2.00">WHITELIST_IP</symbol> |
|
|
|
<!-- Message seems to be from maillist --> |
|
|
|
<symbol weight="-2.00">MAILLIST</symbol> |
|
|
|
|
|
|
|
<!-- multi.surbl.org lists (more details at http://www.surbl.org) --> |
|
|
|
<!-- Phishing and malware sites --> |
|
|
|
<symbol weight="5.50">PH_SURBL_MULTI</symbol> |
|
|
|
<!-- Outblaze URI Blacklist --> |
|
|
|
<symbol weight="5.50">OB_SURBL_MULTI</symbol> |
|
|
|
<!-- AbuseButler web sites --> |
|
|
|
<symbol weight="5.50">AB_SURBL_MULTI</symbol> |
|
|
|
<!-- SpamCop web sites --> |
|
|
|
<symbol weight="5.50">SC_SURBL_MULTI</symbol> |
|
|
|
<!-- jwSpamSpy + Prolocation sites --> |
|
|
|
<symbol weight="5.50">JP_SURBL_MULTI</symbol> |
|
|
|
<!-- sa-blacklist web sites --> |
|
|
|
<symbol weight="5.50">WS_SURBL_MULTI</symbol> |
|
|
|
|
|
|
|
<symbol weight="1.00">ONCE_RECEIVED</symbol> |
|
|
|
<symbol weight="4.00">ONCE_RECEIVED_STRICT</symbol> |
|
|
|
<!-- rambler.ru uribl --> |
|
|
|
<symbol weight="9.50">RAMBLER_URIBL</symbol> |
|
|
|
|
|
|
|
<symbol weight="1.00">RECEIVED_RBL</symbol> |
|
|
|
|
|
|
|
<symbol weight="3.00">R_PARTS_DIFFER</symbol> |
|
|
|
<symbol weight="2.00">MIME_HEADER_CTYPE_ONLY</symbol> |
|
|
|
</metric> |
|
|
|
<!-- End of factors section --> |
|
|
|
|
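Review bot: `R_SPF_ALLOW` is weighted -3.00, the same magnitude as `R_SPF_FAIL` at +3.00, although an SPF pass only shows that the envelope domain authorises the sending host, which any sender can arrange for a domain they control. Together with `MAILLIST` at -2.00 (if that rule keys on sender-written headers, which this page does not show) a message can subtract 5 points from the `required_score` of 10.0 on signals the sender controls. I would give the pass result a small weight, e.g. `<symbol weight="-1.00">R_SPF_ALLOW</symbol>`, and add a comment above it such as `<!-- SPF pass is weak evidence of ham: spam domains publish SPF too -->`. The `FROM_*` entries at -5.00 carry no comment; if they remain after this change and match on the From: header alone, they deserve the same caution. The +/- markers are lost in this rendering, so this assumes the SPF block is on the new side.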