# whitelist for ebay DomainKey-Signature
/^DomainKey/ OK

# whitelist false-positive match for cialis
/commercialis|provincialis|socialis|Catalys|alias|clear/ OK

# To/CC: Privacy List
/lists\.efa\.org\.au/ OK
/localhost.taz.net.au/ OK

# discard Nigerian and lottery scams
/^X-Spam-Status:.*(?:NA_DOLLARS|NIGERIAN_BODY|US_DOLLARS|MILLION_USD|URG_BIZ|RISK_FREE|SUBJ_ILLEGAL_CHARS|BAYES_99)/ DISCARD
/^X-Spam-Status:.*HTML_IMAGE_ONLY_(?:0[48]|12)/ DISCARD
/^X-Spam-Status:.*HTML_IMAGE_ONLY_(2[04])/ REDIRECT sa-spam@taz.net.au

# discard scores >=10.0, hold if score >= 5.0 & <10
/^X-Spam-Status: Yes, (?:hits|score)=([1-9][0-9][0-9.]*|1[0-9][0-9][0-9.]+)/ REDIRECT sa-spam@taz.net.au
/^X-Spam-Status: Yes, (?:hits|score)=([5-9]\.\d+)/ HOLD SpamAssassin Score too high ($1)

# non-printable characters in headers are a violation of RFC - only seen
# in Asian spam. reject sequences of 5-or-more non-printable chars.
#/[[:^print:]]{5,}/ REJECT

# this is a better way of doing it...
# Control characters or too many 8-bit characters
/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f\xff]/ REJECT
/(?:[a-z0-9]?[\x80-\xff]){6,}/ REJECT

# numeric-only usernames aren't valid at compuserve, hotmail etc
/^(?:To|From|Cc|Reply-To):.*[ <]\d+@(?:compuserve|hotmail|aol|juno|bigfoot|prodigy|yahoo)\.(?:com|net|org)/ REJECT
/^(?:To|From|Cc|Reply-To):.*[ <]\d+@(?:onramp|prodigy|uu)\.net/ REJECT

# spam-sign in To or From headers
#/^(?:To|From):\s*$/ REJECT
/^From:\s*$/ REJECT
/^(?:To|From|Cc|Reply-To):.*friend@public.com/ REJECT
/^(?:To|From|Cc|Reply-To):.*dontreply@/ REJECT
/^(?:To|From|Cc|Reply-To):.*customer@aol/ REJECT

# Japanese and other crap
/^Content-Type:.*charset\s*=\s*"?iso-[a-z0-9]*-(?:jp|cn|kr|ru|pl|hu)"?/ REJECT

# spamware mailers
/^(?:Received|Message-Id|X-(?:Mailer|Sender)):.*\b(?:AutoMail|E-Broadcaster|Emailer Platinum|eMarksman|Extractor|e-Merge|from stealth[^.]|Global Messenger|GroupMaster|Mailcast|MailKing|Match10|MassE-Mail|massmail\.pl|News Breaker|Powermailer|Quick Shot|Ready Aim Fire|WindoZ|WorldMerge|Yourdora)\b/ REJECT
/^X-Mailer:.*\b(?:Aristotle|Avalanche|Blaster|Bomber|DejaVu|eMerge|Extractor|UltraMail|Sonic|Floodgate|GeoList|Mach10|MegaPro|Aureate|MultiMailer|Bluecom|Achi-Kochi Mail|Direct Email|Andrew's SuperCool Blastoise|MailerGear|Advanced Mass Sender|SpireMail|MailWorkZ|UltimDBMail|Mabry|JiXing|Easy Mass Mailer|EhooPost|MailBZ)\b/ REJECT
/^X-Mailer:\s+[a-z0-9]+\d+[a-z0-9]+$/ REJECT
/^X-INFO_[ABC]Z:/ REJECT
/^X-(?:Camp|Misc|Msg)_ID:/ REJECT

# block unwanted content-types.
/^(Content-Type:.*|\s+)charset\s*=\s*"?(?:big5|euc-kr|gb2312|ks_c_5601-1987|koi8-r)"?/ REJECT
/^Subject:.*=\?(?:big5|euc-kr|gb2312|ks_c_5601-1987|koi8-r|iso-[a-z0-9]*-(?:jp|cn|kr|ru|pl|hu))\?/ REJECT
/^Subject:.*=\?shift-jis/ REJECT

# corrupt gifs. probably virus. filename always seems to be someword.[0-9].gif
/^(?:Content-(?:Disposition: (?:attachment|inline);|Type:).*|\s+)(?:file)?name\s*=\s*"\w*\.[0-9]*\.gif"?\s*$/ REJECT virus rejected

###
###
### VIRUSES
###
###

/^To: Microsoft Customer/ REJECT VIRUS

# hybris virus
#/^To: mail2news_nospam-.*-alt.comp.virus@anon.lcs.mit.edu/ REJECT VIRUS
/^Subject: Snowhite and the Seven Dwarfs - The REAL story!/ REJECT VIRUS (hybris)

# sircam virus uses an invalid content-disposition header
/^Content-Disposition: Multipart message/i REJECT VIRUS (sircam)

# Outlook buffer overflow exploit - date header >80 characters.
/^Date:.{79}/ REJECT VIRUS

# Nimda virus email component (readme.exe attachment)
#/^X-Unsent: 1/ REJECT VIRUS (Nimda)

/^Subject: new photos from my party!/ REJECT VIRUS

# commented out when I started using Jim Seymour's rule instead, 2003-10-01
#/^Content-(Disposition|Type):\s+.*(file)?name="?.*\.(ad[ep]|asd|ba[st]|c[ho]m|cmd|cpl|crt|dll|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|ocx|pcd|pif|reg|sc[rt]|sh[bs]|url|vb[esx]?|vxd|ws[cfh])\b"?\s*$/ REJECT executable file type rejected, please compress with zip and resend

# latest bugbear virus sends zip compressed attachments
/^(?:Content-(?:Disposition: attachment;|Type:).*|\s+)(?:file)?name\s*=\s*"(?:privatepix|brandnew|pics|movies|sex videos|my_movie|yourfreemovie|australia|aussie_pix|24Live|your_details|message)\.zip"?\s*$/ REJECT VIRUS

# temporary -- remove once sobig.f dies away.
/^subject: re: (?:details|approved|re: my details|thank you!|that movie|your application|wicked screensaver)$/ REJECT VIRUS Sobig.F probable. Try different subject line.
/^subject: (?:thank you!|your details)$/ REJECT VIRUS Sobig.F probable. Try different subject line.

# swen virus
#/^SUBJECT:/i REJECT SWEN virus rejected

# block executable attachments.
# see http://jimsun.linxnet.com/misc/header_checks.txt
# $1 is the header name (Disposition|Type), $2 is the matched extension
# that is reported back to the sender in the reject text.
/^Content-(Disposition|Type):\s+.+?(?:file)?name\s*=\s*"?.+?\.(386|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cbt|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jse?|keyreg|lib|lnk|mht(m|ml)?|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|pot|pps|prg|reg|sc[rt]|sh[bs]|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT VIRUS - ".$2" file attachment types are dangerous and not allowed

# ".com" handled differently as above lines would catch attachments like
# "user@example.com PGP Keys.txt"
# "(\.\S{2,4})?(\?=)?"?(;|$)" terminator idea (modified) compliments of
# Noel Jones
/^Content-(?:Disposition|Type):\s+.+?(?:file)?name\s*=\s*"?.+?\.com(?:\.\S{2,4})?(\?=)?"?(;|$)/ REJECT VIRUS - ".com" file attachment types are dangerous and not allowed

###
###
### VIRUSES
###
###

# Disallow message fragmentation, as it will bypass the other tests
# Ref: http://www.securiteam.com/securitynews/5YP0A0K8CM.html
/^Content-(?:Disposition|Type):\s+.*?message\/partial\b/ REJECT

/\b[0-9]{5,}x\.comIP/ REJECT

# unwanted spam/virus notifications
/Received: from MailMarshal.Engine/ REJECT unwanted virus notification.
/Subject: VIRUS \(Worm.SomeFool.Gen-2\) IN MAIL FROM YOU/ REJECT unwanted virus notification.
/Subject: MailMonitor Alert/ REJECT unwanted virus notification.

/^Subject:.*SEXUALLY.?EXPLICIT/ REJECT

# Cialis, hydrocodone, levitra, viagra, vicodin, etc
/\b(C.?[:yit|1l].?[ãa\@4].?(?:[l1|].?){1,2}[:yitãa\@4|l1].?[s5]|L.?[e3].?V.?[:yit|1l].?T.?R.?[ãa\@4]|V.?[:yit|1l].?[ãa\@4e].?g.?r.?[ãa\@4]|V.?[:yit|1l].?C.?[O0].?D.?[:yit|1l].?N?|\bH.?[:yit|1l].?d.?r.?[o0].?c.?[o0].?d.?[o0].?n.?[e3]|T.?[ãa\@4].?d.?[ãa\@4].?[l1|].?[ãa\@4].?f.?[:yit|1l].?[l1|])/ REJECT

# more pharmaspam
/^Subject:.*medic(?:ation|ine).*(?:p[er][re]scription|buy|order|save|discount|generic|deliver|premium|rates|online|cost|price|refill|shipping|quality|available)/ REJECT
/^Subject:.*(?:p[er][re]scription|buy|order|save|discount|generic|deliver|premium|rates|online|cost|price|refill|shipping|quality|available).*medic(?:ation|ine)/ REJECT
/\bD.R.U.G.S\b/ REJECT
/^From:\s*"?Alice A\. ?Walker"?/ REJECT
/ST0RE|0rder|DISC0UNT|PRlCES|Downl0ad|st0ck|VlAGRRA|CI.IS|VIAGRR|VI.GRRA/ REJECT
/cailis|ptabs|Hoodia|Hoddia/ REJECT
/CjALjj\.S|CjALj\.S|Cj\.\.aljs|CjAALj\.S/ REJECT
/Prropecja|Levjttra|Ambbjen|CjALLjS|VALLjUM|VjAGGRA|Vjaagra|Vjjagra/ REJECT
/Sooftt\.abs|Softt\.\.abs|Sofftt\.abs|Sofft T\.abss|Softtt\.abs/ REJECT
/Subject:.*(?:T[1l]m[3e]ly|[O0]ff[3e]r[1l]ngs|m[3e]d[1i]cat[1i]0n|ph\w*(?:ar|ra)\w*c\w*y)/ REJECT

# cracker mail
/Subject:.*(?:dtserver|Curatator|BannerDor)/ HOLD cracker mail

# 419 scams
/URGENT BUSINESS ASSISTANCE/ REJECT
/WINNING NOTIFICATION/ REJECT
/From the Desk of/ REJECT
/Subject:.*(?:lotteries|lotto international)/ REJECT
/Subject:.*PLEASE CONTACT ME IMMEDIATELY|YOUR ASSITANCE IS NEEDED|Seeking your partnership|YOUR HELP IS NEEDED/ REJECT
/Subject:(?:\s*From:|.*(?:REPRESENTATIVE\s*NEEDED|Greetings|Your\s*Reply\.|REPLY\s*URGENTLY|BUSINESS\s*RELATIONSHIP|URGENT.*(?:HELP|RESPONSE|REPLY|ASSIST|INFO|BUSINESS|ASSISTANCE)|SECURE.*INVEST|BUSINESS.*(?:PROPOSAL|INVESTMENT)))/ REJECT

# replica watches
#/REPLICA WATCH|watch replica/ REJECT
/(?:reproductions?|REPLICA(?:tion)?s?|imitation) (?:wrist.?)?(?:WATCH|r[o0]lex|time.?piece)|(?:watch|r[o0]lex|time.?piece) (?:repli[ck]a|repro|imitation)|ROLEX, CARTIER, PIAGET Replicas|r0lex|Replicated to the smallest detail|R.[o0].l.e.x/ REJECT
/R.E.P.L.I.C.A|W.A.T.C.H/ REJECT
/Subject:.*(?:reproductions?|REPLICA(?:tion)?s?|imitation|affordable) (?:of )?(?:wrist.?)?(?:WATCH|r[o0]lex|time.?piece)/ REJECT
/Subject:.*(?:watch|r[o0]lex|time.?piece|quality) (?:repli[ck]a|repro|imitation)/ REJECT
/Subject:.*r0lex/ REJECT

# crap from todd.
/^From:.*<(?:MAILER-DAEMON|postmaster)@(?:[^.]*\.)?(?:ah\.net|inoz\.com)>/ REJECT

# pump and dump
/Gr0wth|R[3e]p0rt|0pt[1il]0ns|c0nsu[il1]t/ REJECT
/Inf0rmati0n|c0ntains|predicti0ns|expectati0ns|pr0jecti0ns|0bjectives|g0als|assumpti0ns|perf0rmance/ REJECT
/S.?t.?o.?c.?k.? .?A.?l.?e.?r.?t/ REJECT
/A\|ert|Recommendati0n/ REJECT
/St0ck|h0t|Brand new sto ?ck|A\|ert|Recommendati0n|Sh0rt|STR0NG|M0ney|GL0RY|GR0UP/ REJECT
/Subject:.*(?:Company Spotlight|Emerging Equity|Stock Trading|Wall.*Street|M.?i.?c.?r.?o.?c.?a.?p|Big profits|Watch this|Turbocharge.*Portfolio|Stock Wizard|(?:Harvest|Gains|this).*stock|Equity Trader|[1I]nv[3e]st[o0]r (?:[1I]ns[1i]ght|[3E]dg[3e]|Tr[4@a]ck[3e]r)|(?:Financial|Exclusive).*Market|St[0o]ck.*[0O]pp?[0o]rtun[1il]ty|[1i]nv[3e][5s]t[0o]r'?[5s].?.*[1i]n[5s][1i]ght|Penny Sto(?:x|ck)|Small Stock|\bSt[o0]x\b|INVESTMENT PLAN|Equity Newsletter|St[o0]ck [o0]pportunities|0pportunities|(?:Investor|St[o0]ck) R[e3]p[o0]rt|St[0o]kk|Marrkett|Our Picks|Winners Circle|St[o0]ck (?:M[@a4]rk[3e]t|RADAR|Barometer)|L@@K|Big Returns|All Investors|(?:Urgent|Equity|Alert){2,}|Stock Profiler|(?:Special |Situation ){1,}\s*Report|Invest0r|stoc?k? analysis)/ REJECT
/Subject:.*(?:Highly Profitable|Penny Stock of the (?:Week|Month|Year|Decade))/ REJECT
/^(?:pr0f1led|Se ct0r|Symb01|C0mpany Info):/ REJECT
/r3g1stered|1nvestment|advis0r|br0ker|GWNV accepts no liability|th0usand|d0ll4rs|0pportunity|Small.?Cap/ REJECT

# Misc
/X-EMV-CampagneId:|X-EMV-MemberId:/ REJECT
/Seminario|OBJETIVO|CONTENIDO|CONFERENCISTAS|Autoliquidacion/ REJECT
/^Subject: (?:Hey|Fwd?)[:,;]?\s*(?:hello|to\s*)?(?:cas|postmaster|webmaster|root|toni)/ REJECT
/Subject:.*(?:(?:look|see) (?:new|here))/ REJECT

# diploma spam
/Bachel0rs|D0ctorate|rec0rds|opp0rtunity|all0wing|c0llege/ REJECT
/Subject:.*(?:legal diploma)/ REJECT
/G.?e.?n.?u.?i.?n.?e.? .?C.?o.?l.?l.?e.?g.?e.? .?D.?e.?g.?r.?e.?e|No Study Required/ REJECT

# mortgage spam
/Subject:.*(?:refi.*(home|equity|loan)|app.*loan|loan.*app)/ REJECT

# pirate software
/Subject:.*(?:0EM|Buy OEM|OEM Software|S0ftw[4\@a]r[3e]|Corel Draw|Photoshop, Windows, Office|Full version|s[0o]ftw[4\@a]r[3e].*pr[1li]c[3e]|pr[1li]c[3e].*s[0o]ftw[4\@a]r[3e]|cheap oem|oem soft)/ REJECT

# phishies
/Subject:.*(?:Your account.*(?:compromised|limited|flagged|suspended|confirm|violate)|Security Center|Confirm Your Email Address|Limited accounts|Card Blocked|restore.*account.*access|new.*anti.*fraud.*system|identified.*unusual.*activit|Fraud Prevention|Notif.*account|Account.*(?:Review|Security)|Routing Code)/ REJECT

# Re: 5-letter-word followed by "news" in subject - e.g. "Re: wujir news"
/^Subject: Re: \w{5} news/ REJECT

# whitelist for mailman confirmations
#/^Subject: (?:Re: )*confirm [0-9a-z]+$/ OK

# any word with embedded digits (needs mailman whitelist entry above)
# too many false positives
#/Subject:.*\b[A-Z0-9]*(?:[A-Z]+\d+[A-Z]+){1,}[A-Z0-9]*\b/ REJECT
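A rule table like this is easy to get subtly wrong: Postfix consults a header_checks pcre table in file order and stops at the first match, matching is case-insensitive by default, and the `/i` flag toggles rather than enables case-insensitivity (pcre_table(5)), so a rule such as `/^Content-Disposition: Multipart message/i` is actually case-sensitive. The following is an added example, not part of the header_checks file above and not Postfix code: a small Python dry-run harness that re-implements those lookup semantics with Python's `re` module so a handful of the rules above can be exercised against constructed header lines offline. The rule text in `SAMPLE_RULES` is copied from the file above; every header in `SAMPLE_HEADERS` is constructed for this example. Python's `re` is only an approximation of PCRE (it has no POSIX classes such as `[[:^print:]]`, which is why the commented-out rule is not included); the authoritative check on a real server remains `postmap -q "<header line>" pcre:/etc/postfix/header_checks`.

```python
"""Offline dry-run of Postfix header_checks rules written as a pcre_table.

Added example, not part of the header_checks file above. It re-implements the
lookup semantics documented in pcre_table(5) using Python's re module:

  * rules are tried in file order and the first match wins;
  * matching is case-insensitive by default and the /i flag TOGGLES that,
    so "/.../i" turns case-insensitivity OFF;
  * "." matches newline by default (s flag on); m and x are off by default;
  * $1, $2, ... in the action text are replaced by the capture groups;
  * a header that matches no rule gets DUNNO (Postfix keeps processing).

SAMPLE_RULES is copied from the file above; SAMPLE_HEADERS is constructed.
"""
import re

# One table line: /pattern/flags ACTION [optional text]
RULE_RE = re.compile(
    r'^/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[A-Za-z]*)\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$'
)

SAMPLE_RULES = r"""
# whitelist for ebay DomainKey-Signature
/^DomainKey/ OK
# hold if score >= 5.0 & <10
/^X-Spam-Status: Yes, (?:hits|score)=([5-9]\.\d+)/ HOLD SpamAssassin Score too high ($1)
# Control characters or too many 8-bit characters
/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f\xff]/ REJECT
# sircam virus uses an invalid content-disposition header
/^Content-Disposition: Multipart message/i REJECT VIRUS (sircam)
# Outlook buffer overflow exploit - date header >80 characters.
/^Date:.{79}/ REJECT VIRUS
"""

# pcre_table(5) flag letters; each occurrence toggles the corresponding bit.
FLAG_BITS = {'i': re.IGNORECASE, 's': re.DOTALL, 'm': re.MULTILINE, 'x': re.VERBOSE}
DEFAULT_FLAGS = re.IGNORECASE | re.DOTALL   # i and s are on by default


def parse_rules(table_text):
    """Parse a pcre_table into a list of (compiled_regex, action, text)."""
    rules = []
    for line in table_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue                                   # blank line or comment
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'unparseable rule: {line!r}')
        flags = DEFAULT_FLAGS
        for letter in m.group('flags'):
            if letter not in FLAG_BITS:
                raise ValueError(f'unsupported flag {letter!r} in {line!r}')
            flags ^= FLAG_BITS[letter]                 # toggle, do not set
        rules.append((re.compile(m.group('pat'), flags),
                      m.group('action'), m.group('text') or ''))
    return rules


def check_header(rules, header_line):
    """Return (ACTION, expanded_text) of the first matching rule, else ('DUNNO', '')."""
    for regex, action, text in rules:
        hit = regex.search(header_line)
        if hit:
            # Expand $1, $2, ... from the capture groups of this match.
            expanded = re.sub(r'\$(\d+)', lambda g: hit.group(int(g.group(1))) or '', text)
            return action, expanded
    return 'DUNNO', ''


# Constructed header lines, one per behaviour worth checking.
SAMPLE_HEADERS = {
    'dkim':         'DomainKey-Signature: a=rsa-sha1; d=example.com; s=sel',
    'spam_mid':     'X-Spam-Status: Yes, score=7.3 required=5.0 tests=BAYES_50',
    'ctrl_char':    'Subject: hello\x01world',
    'sircam':       'Content-Disposition: Multipart message',
    'sircam_lower': 'content-disposition: multipart message',   # /i made the rule case-sensitive
    'long_date':    'Date: ' + 'A' * 100,
    'clean':        'Subject: quarterly report',
}


def run_samples():
    """Dry-run every sample header through the sample table."""
    rules = parse_rules(SAMPLE_RULES)
    return {name: check_header(rules, hdr) for name, hdr in SAMPLE_HEADERS.items()}


if __name__ == '__main__':
    for name, (action, text) in run_samples().items():
        print(f'{name:13} -> {action} {text}')
```

The `sircam_lower` sample is the instructive one: because `/i` toggles the default, the lower-cased header falls through to DUNNO, while the same rule without `/i` would catch it. The same harness can be pointed at the full table by reading the file into `parse_rules`, bearing in mind the PCRE-versus-Python differences noted above.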