Last active: July 7, 2023 23:16
Custom rule for spamassassin
#WHITELIST
whitelist_from *@perulinux.pe
whitelist_from *@bcp.com.pe
whitelist_from *@scotiabank.com.pe
whitelist_from *@verisure.pe
whitelist_from *@telefonica.com
whitelist_from *@munlima.gob.pe
whitelist_from *@alignet.com
whitelist_from *@pay-me.com
whitelist_from *@perutributario.com.pe
whitelist_from *@banbif.com.pe
whitelist_from *@acepta.pe
whitelist_from *@hubspot.com
whitelist_from *@godaddy.com
whitelist_from *@ttr-group.de
whitelist_from *@gestion.pe
whitelist_from *@grupobbva.com.pe
#BLACKLIST
blacklist_from *@antojoscaseros.com
blacklist_from *@antryx.net.pe
blacklist_from *@babilima.com
blacklist_from *@binexi.com
blacklist_from *@bisonmarkets.com
blacklist_from *@cartrackgps.net
blacklist_from *@casonamollepata.com
blacklist_from *@chopscarnesyparrillas.com
blacklist_from *@classicoqatar.com
blacklist_from *@cmail19.com
blacklist_from *@cmail20.com
blacklist_from *@contadoresyperitos.com
blacklist_from *@creativaemailmarketing.com
blacklist_from *@dekorimeks.com
blacklist_from *@dsite.net
blacklist_from *@dynforms.com
blacklist_from e.arellanos@municallao.gob.pe
blacklist_from *@emark4.embluejet.com
blacklist_from *@emark9.embluejet.com
blacklist_from *@eurasianstudies.org
blacklist_from *@expoeverything.org
blacklist_from *@flkta.com
blacklist_from *@forward.net.pe
blacklist_from *@grupocreativorom.com
blacklist_from *@gwoo.com
blacklist_from *@hanazza.com
blacklist_from *@housesecurity-peru.com
blacklist_from *@hydroinex.com
blacklist_from *@kbdf.net
blacklist_from *@lapzil.com
blacklist_from *@lokring.net
blacklist_from *@ma.edestinos.com.pe
blacklist_from *@mailer2.gacetajuridica.com.pe
blacklist_from *@maximixe.com
blacklist_from *@mcdanielsco.com
blacklist_from *@md-line.com
blacklist_from *@newsletter.panuts.com
blacklist_from *@niyoshi-david.com
blacklist_from *@ommunity.3ds.com
blacklist_from *@php1.housesecurity-peru.com
blacklist_from *@php1.mcdanielsco.com
blacklist_from *@php2.housesecurity-peru.com
blacklist_from *@principal-goal.com
blacklist_from *@realityturn.com
blacklist_from *@record.shopingcenter.co
blacklist_from *@remsp.com
blacklist_from *@riadealvor.org
blacklist_from *@rumtoler.com
blacklist_from *@sendpulse.info
blacklist_from *@servicioscalidad.com
blacklist_from *@sfk-security.com
blacklist_from *@sofarelli.com
blacklist_from *@southernriver.org
blacklist_from *@sparelec.com
blacklist_from *@trytdd.org
blacklist_from *@vardell.org
blacklist_from *@vatran.net
blacklist_from *@youcanweb.net
blacklist_from *@bencresners.com
blacklist_from *@administrator.com
blacklist_from *@one-email.com
blacklist_from *@realsystems.com.pe
blacklist_from *@clubsatlanta.com
blacklist_from *@dunapanel.com
blacklist_from *@t-online.de
blacklist_from *@pappaya.com
blacklist_from *@fgjcdmx.gob.mx
blacklist_from *@*factu0id991.org
blacklist_from *@*minster9766.org
blacklist_from *@*factu04.*
blacklist_from *@*fact093.com
blacklist_from *@*.fact*.com
blacklist_from *@dyd.gov.bd
blacklist_from *@gestao.cosmake.com.pt
blacklist_from *@teleportstation.ga
blacklist_from dtfteetrs6@gmail.com
blacklist_from *@soolrange.ga
blacklist_from *@f-yax.info
blacklist_from *@moriaa.com
blacklist_from *@*.bissmex.win
blacklist_from *@*.wwwshiraz.com
blacklist_from *@lmv.com.co
blacklist_from *@pakdisasterfoundation.org
blacklist_from *@accesofinanciero.com
blacklist_from *@austrelis-sa.com
blacklist_from *@funcionpublica.com
blacklist_from *@e.anntaylorfactory.com
blacklist_from sgogob@gmail.com
blacklist_from *@testcontrol.com.pe
blacklist_from *@mail.promart-agora.pe
blacklist_from *@maxwellleadership.com
blacklist_from *@emails.skechers.com
blacklist_from *@mail.oechsle-agora.pe
blacklist_from *@e.loftoutlet.com
blacklist_from citas@sunat.gob.pe
blacklist_from noreply@volvo.com
blacklist_from *@cfeaccesofinanciero.com
header BLOCK_MESSAGE_PHISHING subject =~ /(atacado por piratas|fotos de la orden|tienes correos entrantes pendientes|todos los datos de su dispositivo fueron copiados|Suspension Notification|Important Notice|password update|Exceeded Storage|Mail Delivery Notification|Todos sus datos fueron copiados|FONDO BENEFICIARIO|Actualiza tu cuenta|Verifique su correo|Advertencia de servicio|caducidad de la contrasena|participa y gana un|Password Expiry|Pending emails|Incoming failed mails|Verification Notice|Neftlix est.*de cancel|Alerta de servicio de contrase|Action Required|Resolucion de Archivo Provisional)/i
describe BLOCK_MESSAGE_PHISHING Asuntos hack
score BLOCK_MESSAGE_PHISHING 15.0
body PHISHING_BODY /(Su sistema ha sido hackeado|billetera.*bitcoin|monedero.*bitcoin|Comprar.*bitcoins|BANQUE ATLANTIQUE INTERNATIONAL|su cuenta ha caducado|devbhumiexpress|tiene.*para recuperar .* correo|haga clic.* para.*(?:correo|actualiz)|cuenta.*acaba de expirar|password.*expire|no puede recibir nuevos mensajes|continuar usando su.*correo.*confirme|You.*Incoming.*(?:email|message)|Mi difunto esposo|Emails will be deleted automatically|(?:cuenta|correo).*verific.*actualiz|you.*account.*suspended|su (?:cuenta|correo|membres.*) se suspender.*completar|account.*need.*update now|Verifique la propiedad de la cuenta)/i
describe PHISHING_BODY Phishing in message body
score PHISHING_BODY 10.0
header BLOCK_BOUNCE_SPAM ALL =~ /bounce.*\@|\@.*bounce|noreply.*\@|no-reply.*\@/i
describe BLOCK_BOUNCE_SPAM Spam message hidden as bounce or noreply
score BLOCK_BOUNCE_SPAM 1.5
header BLOCK_INFO_SPAM From =~ /info\@|marketing\@|newsletter\@|root\@|boletin\@/i
describe BLOCK_INFO_SPAM Spam account
score BLOCK_INFO_SPAM 1.2
header BLOCK_LARGE_EMAIL From =~ /[A-Z0-9._%+-]{35,}\@/i
describe BLOCK_LARGE_EMAIL Large email in from
score BLOCK_LARGE_EMAIL 0.5
header VPS_SPAMER Received =~ /vps/i
describe VPS_SPAMER Host VPS
score VPS_SPAMER 3.5
header LOCK_SPAMERS Received =~ /(housesecurity\-peru\.com|orbitta\.es|constantcontact\.com|rsgsv\.net|mcdlv\.net|email\-platform\.com|iniciarsesionmsn\.com|hubspotemail\.net|mercadolibre\.com|costcoventasonline|llonesdemasaje|cercontrh\.com|usinacrh\.com)/i
describe LOCK_SPAMERS Domain spamer
score LOCK_SPAMERS 10.0
header ATTACHMENT_HTML ALL =~ /filename=".*\.html"/i
describe ATTACHMENT_HTML Message with HTML attachment
score ATTACHMENT_HTML 8.0
header MAILING_LIST_UNSUBSCRIBE List-Unsubscribe =~ /subscribe/i
describe MAILING_LIST_UNSUBSCRIBE List subscribe boletin
score MAILING_LIST_UNSUBSCRIBE 1.8
header NOT_TO_RECIPIENT To =~ /undisclosed-recipient/i
describe NOT_TO_RECIPIENT Fail to recipient
score NOT_TO_RECIPIENT 10.0
uri PHISHING_URL /\.host\.secureserver\.net|ipfs\.io|api\.whatsapp\.com|cloudapp\.azure\.com|amplifyapp\.com/
describe PHISHING_URL url blocked
score PHISHING_URL 10.0
header SERVERS_WHITELIST Received =~ /(mail\.ondemand\.com|mta\.info\.latam\.com|\.zoom\.us|\.id\.hp\.com|salesforce\.com|\.bizagi\.com|\.bbva\.com\.pe)/i
describe SERVERS_WHITELIST Server Whitelist
score SERVERS_WHITELIST -10.0
header CALENDAR_GOOGLE Sender =~ /calendar-notification\@google\.com/i
describe CALENDAR_GOOGLE Calendar google notification
score CALENDAR_GOOGLE -10.0
#BYPASS OFFICE SPLIT DOMAIN
header __DOMAIN_OFFICE_FROM From =~ /\@DOMAIN\.com\.pe/i
header __SERVER_OFFICE Received =~ /\.outbound\.protection\.outlook\.com/i
meta BYPASS_DOMAIN_OFFICE ( __DOMAIN_OFFICE_FROM && __SERVER_OFFICE )
score BYPASS_DOMAIN_OFFICE -20.0
#BYPASS GSUITE SPLIT DOMAIN
header __DOMAIN_GSUITE_FROM From =~ /\@DOMAIN\.com/i
header __SERVER_GSUITE Received =~ /\.google\.com/i
header __SPF_GSUITE Received-SPF =~ /pass/
meta BYPASS_GSUITE ( __DOMAIN_GSUITE_FROM && __SERVER_GSUITE && __SPF_GSUITE)
score BYPASS_GSUITE -20.0
#RESTRICT
score HEADER_FROM_DIFFERENT_DOMAINS 3.0
score BAYES_00 0 0 -0.4 -0.8
# URI
score USER_IN_DEF_SPF_WL -0.7
score URI_GOOGLE_PROXY 0.8 0.5 0.8 0.5
# DNSWL
score RCVD_IN_DNSWL_NONE 0 -0.0001 0 -0.0001
score RCVD_IN_DNSWL_LOW 0 -0.7 0 -0.7
score RCVD_IN_DNSWL_MED 0 -0.3 0 -0.3
score RCVD_IN_DNSWL_HI 0 -0.5 0 -0.5
score RCVD_IN_DNSWL_BLOCKED 0 0.001 0 0.001
# IADB
score RCVD_IN_IADB_VOUCHED 0 -0.2 0 -0.2
score RCVD_IN_IADB_DOPTIN 0 -0.4 0 -0.4
score RCVD_IN_IADB_ML_DOPTIN 0 -0.6 0 -0.6
score RCVD_IN_IADB_OPTIN 0 -0.4 0 -0.4
#SPF
ifplugin Mail::SpamAssassin::Plugin::SPF
score USER_IN_DEF_SPF_WL -1.0
endif # Mail::SpamAssassin::Plugin::SPF
#DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIM
score USER_IN_DEF_DKIM_WL -1.0
endif # Mail::SpamAssassin::Plugin::DKIM
#emailthiefurls.cf (Zimbra 0 day 03-02-2022)
uri EMAILTHIEF_URI /www\.newsonline\.gq|mx\.newsonline\.gq|www\.spiritx\.ga|support\.newsonline\.gq|www\.thunderchannel\.tk|shadownight\.playquicksand\.tk|www\.windsoft\.cf|tigerstrike\.iceywindflow\.ml|shadowmaster\.iceywindflow\.ml|www\.iceywindflow\.gq|chargedboltsentry\.spiritfield\.tk|newsonline\.gq|spiritx\.ga|secretstep\.tk|spiritfield\.ga|www\.news-voice\.ml|www\.findtruth\.ml|news-online\.ml|iceywindflow\.gq|playquicksand\.tk|windsoft\.cf|findtruth\.ml|iceywindflow\.ml|news-voice\.ml|bruising-intellect\.ml|thunderchannel\.tk|spiritfield\.ml|iceywindflow\.cf|thunderchannel\.cf|spiritfield\.tk|update\.secretstep\.tk|mail\.bruising-intellect\.ml|www\.news-online\.ml|www\.thunderchannel\.cf|www\.spiritfield\.ga|winderosion\.spiritfield\.ml|flameshock\.spiritfield\.tk|windsource\.thunderchannel\.cf|yahoo-movie\.spiritx\.ga|windsource\.thunderchannel\.tk|opticaleel\.iceywindflow\.cf|shadownight\.spiritfield\.ga|www\.yahoo-corporation\.ml|amazon-check\.gq|amazon-team\.tk|yahoo-corporation\.ml|playquicksand\.gq|yahoo-corporation\.tk|playquicksand\.cf|spiritfield\.cf|amazon-check\.ga|amazon-check\.cf|amazon-check\.tk|playquicksand\.ml|www\.playquicksand\.cf|www\.amazon-check\.ga|www\.playquicksand\.gq/
describe EMAILTHIEF_URI Body contains any of bad urls related to EmailThief vuln
score EMAILTHIEF_URI 6.0
header EMAILTHIEF_IP Received =~ /(206\.166\.251\.141|206\.166\.251\.166|108\.160\.133\.32|172\.86\.75\.158)/i
describe EMAILTHIEF_IP Ip remitent EmailThief vuln
score EMAILTHIEF_IP 10.0
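The three files above (the whitelist_from/blacklist_from globs, the header/body/uri/meta rules with their scores, and the EmailThief URI and IP rules) all rely on the same evaluation model, and a typo in one regex modifier or one stray `*@` silently disables a rule. The script below is an added example written for this page, not the gist's own code and not SpamAssassin itself: it loads a constructed excerpt of these rules with Python's `re` and `fnmatch` in place of Perl, scores two constructed messages, and reports a rule whose modifier is malformed (the excerpt deliberately contains one with `//i`) instead of accepting it. It assumes a simplified grammar (one `/regex/flags` per line, no `ifplugin`/`describe` handling, score set 3 of four-value `score` lines) and SpamAssassin's default USER_IN_WHITELIST/USER_IN_BLACKLIST scores of -100/+100; the hostnames and addresses in the sample messages are invented.

```python
"""Offline scorer for the SpamAssassin rule subset in this gist (added example, not the gist's code)."""
import fnmatch, re
from email import message_from_string
from email.utils import parseaddr

# Constructed excerpt of the gist's rules; BLOCK_INFO_SPAM deliberately keeps a malformed "//i".
RULES_CF = r"""
whitelist_from *@perulinux.pe
blacklist_from *@*.fact*.com
header BLOCK_MESSAGE_PHISHING subject =~ /(Password Expiry|Action Required)/i
score BLOCK_MESSAGE_PHISHING 15.0
header BLOCK_INFO_SPAM From =~ /info\@|marketing\@//i
header __SERVER_GSUITE Received =~ /\.google\.com/i
header __SPF_GSUITE Received-SPF =~ /pass/
meta BYPASS_GSUITE ( __SERVER_GSUITE && __SPF_GSUITE )
score BYPASS_GSUITE -20.0
uri PHISHING_URL /ipfs\.io|amplifyapp\.com/
score PHISHING_URL 10.0
"""
FLAGS = {"i": re.I, "m": re.M, "s": re.S, "x": re.X}
DEFAULT_SCORES = {"USER_IN_WHITELIST": [-100.0], "USER_IN_BLACKLIST": [100.0]}  # SA defaults

def split_regex(text):
    """Turn '/pattern/flags' into a compiled regex, rejecting unknown modifiers."""
    i = 1
    while i < len(text) and text[i] != "/":
        i += 2 if text[i] == "\\" else 1          # step over escaped characters
    if not text.startswith("/") or i >= len(text):
        raise ValueError("regex is not /.../ delimited")
    body, mods = text[1:i], text[i + 1:]
    if not set(mods) <= set(FLAGS):
        raise ValueError("invalid modifiers %r after regex" % mods)
    return re.compile(body, sum(FLAGS[m] for m in mods))

def load_rules(text):
    """Parse rule lines into (rules, scores, from_lists, errors); other lines are skipped."""
    rules, scores, lists, errors = [], {}, {"white": [], "black": []}, []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        kind, _, rest = line.partition(" ")
        try:
            if kind in ("whitelist_from", "blacklist_from"):
                lists[kind[:5]].append(rest.strip().lower())
            elif kind == "header":
                name, hdr, rx = re.match(r"(\S+)\s+(\S+)\s*=~\s*(.*)$", rest).groups()
                rules.append((kind, name, hdr, split_regex(rx)))
            elif kind in ("body", "uri", "meta"):
                name, arg = rest.split(None, 1)
                rules.append((kind, name, None, arg if kind == "meta" else split_regex(arg.strip())))
            elif kind == "score":
                name, *vals = rest.split()
                scores[name] = [float(v) for v in vals]
        except (ValueError, AttributeError, re.error) as exc:
            errors.append("%s -> %s" % (line, exc))
    return rules, scores, lists, errors

def meta_hits(expr, hits):
    """Evaluate a meta expression like '( A && !B )' against the names that hit."""
    py = re.sub(r"[A-Za-z_]\w*", lambda m: str(m.group() in hits), expr)
    py = py.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
    if re.sub(r"True|False|and|or|not|[()\s]", "", py):   # nothing else may reach eval
        raise ValueError("unsupported meta syntax: " + expr)
    return eval(py, {"__builtins__": {}})

def score_message(raw_msg, cfg, required=5.0):
    """Return (total, {rule: points}, is_spam) for one RFC 822 message string."""
    rules, scores, lists, _ = cfg
    msg = message_from_string(raw_msg)
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    uris = re.findall(r"https?://[^\s<>\"']+", body)
    all_hdrs = "\n".join("%s: %s" % kv for kv in msg.items())
    sender = parseaddr(msg.get("From", ""))[1].lower()
    hits = {"USER_IN_%sLIST" % c.upper() for c in lists
            if any(fnmatch.fnmatchcase(sender, pat) for pat in lists[c])}
    for kind, name, hdr, rx in rules:               # plain rules first ...
        if kind == "header":
            hit = rx.search(all_hdrs if hdr.upper() == "ALL" else "\n".join(msg.get_all(hdr, [])))
        else:
            hit = kind == "body" and rx.search(body) or kind == "uri" and any(rx.search(u) for u in uris)
        if hit:
            hits.add(name)
    for kind, name, _, expr in rules:                # ... then metas, which depend on them
        if kind == "meta" and meta_hits(expr, hits):
            hits.add(name)
    points = {n: v[3 if len(v) == 4 else 0]          # sub-rules never score; of 4 score sets use net+bayes
              for n in hits if not n.startswith("__")
              for v in [scores.get(n, DEFAULT_SCORES.get(n, [1.0]))]}
    total = round(sum(points.values()), 3)
    return total, points, total >= required

# Constructed messages: a phish relayed via a Google host with SPF pass, and a note from a whitelisted domain.
PHISH = """\
Received: from mail-xy.google.com (mail-xy.google.com [192.0.2.10])
Received-SPF: pass (example.invalid: 192.0.2.10 is a permitted sender)
From: Billing <billing@mail.factura-7781.com>
Subject: Action Required: Password Expiry

Your mailbox expires today. Confirm at https://ipfs.io/ipfs/bafy-example
"""
HAM = "From: Ana <ana@perulinux.pe>\nSubject: Minutes of the July meeting\n\nSee you next week.\n"

if __name__ == "__main__":
    cfg = load_rules(RULES_CF)
    print(cfg[3], score_message(PHISH, cfg), score_message(HAM, cfg), sep="\n")
```

Running it prints the rejected `BLOCK_INFO_SPAM` line, then 105.0 for the phish (blacklist +100, subject +15, URI +10, GSuite bypass -20) and -100.0 for the whitelisted note. The authoritative checks before deploying a file like this remain `spamassassin --lint` and `spamassassin -t < message`, since Perl regex semantics and SpamAssassin's header handling differ from this approximation.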