Last active
August 12, 2024 14:38
-
-
Save jult/9bfdc4d07b44be01a02cc2aaf25b7c39 to your computer and use it in GitHub Desktop.
SpamAssassin rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Put this file under /etc/spamassassin/ and run an sa-update or reload amavis etc. | |
# | |
#-------------------------------------------------- | |
# The only RBL I trust, UCEPROTECT1 (single IP, not IP-ranges or entire ISPs) http://uceprotect.net | |
#-------------------------------------------------- | |
header RCVD_IN_UCEPROTECT1 eval:check_rbl_txt('uceprotect1', 'dnsbl-1.uceprotect.net') | |
describe RCVD_IN_UCEPROTECT1 Listed in dnsbl-1.uceprotect.net | |
tflags RCVD_IN_UCEPROTECT1 net | |
score RCVD_IN_UCEPROTECT1 1.8 | |
#-------------------------------------------------- | |
# top level domain matching, and no, not Russia or China; In 2022 I got the absolute most spam from .cz and .ua actually! | |
#-------------------------------------------------- | |
header SPAMMY_TLD_IN_RCVD Received =~ /(\.net\.ae|\.net\.id|\.ro|\.cz|\.co\.ke|\.AC\.ZA|\.co\.in|\.com\.vn|\.vn|\.cc|\.ua|\.com\.br|\.gr|\.hr|\.dk|\.win|\.bid|\.tw|\.br|\.pk|\.top|\.club|\.date|\.stream|\.xyz|\.trade|\.icu|\.press|\.pro|\.pet|\.kim|\.red)\s/i | |
score SPAMMY_TLD_IN_RCVD 0.3 | |
describe SPAMMY_TLD_IN_RCVD Spammy TLD used in Received line | |
header SPAMMY_TLD_IN_FROM From =~ /(\.net\.ae|\.net\.id|\.ro|\.co\.jp|\.co\.ke|\.AC\.ZA|\.co\.in|\.com\.vn|\.vn|\.cc|\.ua|\.com\.br|\.gr|\.hr|\.cz|\.win|\.bid|\.tw|\.br|\.pk|\.top|\.club|\.date|\.stream|\.xyz|\.trade|\.icu|\.press|\.pro|\.pet|\.kim|\.red)>$/i | |
score SPAMMY_TLD_IN_FROM 0.3 | |
describe SPAMMY_TLD_IN_FROM Spammy TLD used in From line | |
header __HIGH_SPAMMY_TLD_RCVD Received =~ /\.(win|bid|top|club|date|stream|xyz|icu)\/.*/i | |
header __HIGH_SPAMMY_TLD_FROM From =~ /\.(win|bid|top|club|date|stream|xyz|icu)\/.*/i | |
uri __HIGH_SPAMMY_TLD_URI /\.(win|bid|top|club|date|stream|xyz)\/.+/i | |
meta HIGH_SPAMMY_TLD (__HIGH_SPAMMY_TLD_RCVD && __HIGH_SPAMMY_TLD_FROM && __HIGH_SPAMMY_TLD_URI) | |
score HIGH_SPAMMY_TLD 1.1 | |
describe HIGH_SPAMMY_TLD HIGH spammy tld used in Received, From and link | |
#-------------------------------------------------- | |
# Software matching | |
#-------------------------------------------------- | |
header EVALED_PHP X-PHP-Originating-Script =~ /eval\(\)\'d code/i | |
score EVALED_PHP 0.4 | |
describe EVALED_PHP Mail send from evaled PHP code | |
# outdated php version | |
header OUTDATED_PHP X-Mailer =~ /PHP v?5\.[1234].*/i | |
score OUTDATED_PHP 0.1 | |
describe OUTDATED_PHP Mail send from an outdated PHP version | |
header X_MAILER_SENDEMAIL X-Mailer =~ /sendEmail/i | |
score X_MAILER_SENDEMAIL 0.3 | |
header VULN_PHPMAILER X-Mailer =~ /PHPMailer 5\.2\.[0-9] /i | |
score VULN_PHPMAILER 0.3 | |
describe VULN_PHPMAILER Mail was sent from a vulnerable version of PHPMailer | |
# Various meta rules to match wordpress | |
header __WP_X_PHP_ORIG_SCRIPT X-PHP-Originating-Script =~ /(post|gallery|user)\.php/i | |
header __WP_X_PHP_SCRIPT X-PHP-Script =~ /(post|gallery|user)\.php/i | |
header __WP_X_SOURCE X-Source =~ /php-cgi/i | |
header __WP_X_SOURCE_ARGS X-Source-Args =~ /(post|gallery|user)\.php/i | |
header __WP_PATH_X_SOURCE_ARGS X-Source-Args =~ /\/wp\-(content|includes)\//i | |
# Various meta rules to match joomla | |
# e.g. X-Source-Args: /usr/bin/php /home/joventa/public_html/OLD/components/com_contact/helpers/files.php | |
header __JO_COMP_X_SOURCE_ARGS X-Source-Args =~ /components\/com_/i | |
header __JO_X_SOURCE_ARGS X-Source-Args =~ /\/joomla\//i | |
meta CMS_MAIL ( __WP_X_PHP_ORIG_SCRIPT || __WP_X_PHP_SCRIPT || __WP_X_SOURCE || __WP_X_SOURCE_ARGS || __WP_PATH_X_SOURCE_ARGS || __JO_COMP_X_SOURCE_ARGS || __JO_X_SOURCE_ARGS ) | |
score CMS_MAIL 0.75 | |
describe CMS_MAIL Mail sent from a probably hacked CMS (like Wordpress or Joomla) | |
#-------------------------------------------------- | |
# Header matching | |
#-------------------------------------------------- | |
header X_ORG_REAL_CAPITAL X-Organization =~ /RealCapitalMarkets\.com/i | |
score X_ORG_REAL_CAPITAL 3.0 | |
#-------------------------------------------------- | |
# Subject matching | |
#-------------------------------------------------- | |
header __SUBJECT_NEIGHBOR Subject =~ /Neighbou?r/i | |
header __SUBJECT_NEXT_DOOR Subject =~ /next door/i | |
meta SUBJECT_NEIGHBOUR (__SUBJECT_NEIGHBOR || __SUBJECT_NEXT_DOOR) | |
score SUBJECT_NEIGHBOUR 0.3 | |
header __SUBJECT_VIAGRA Subject =~ /viagra/i | |
header __SUBJECT_PILLS Subject =~ /pills/i | |
header __SUBJECT_HEALTH_SECRET Subject =~ /health secret/i | |
meta SUBJECT_HEALTH (__SUBJECT_VIAGRA || __SUBJECT_PILLS || __SUBJECT_HEALTH_SECRET) | |
score SUBJECT_HEALTH 0.4 | |
describe SUBJECT_HEALTH health-related subject | |
header SUBJECT_DARLEHEN Subject =~ /Darlehen Angebot jetzt bewerben/i | |
score SUBJECT_DARLEHEN 0.2 | |
header __FROM_DAVIS_WRIGHT From =~ /Davis Wright/i | |
header __SUBJECT_LEG_DARLEHEN Subject =~ /Legitimes Darlehen Angebot/i | |
meta DAVIS_WRIGHT_DARLEHEN (__FROM_DAVIS_WRIGHT && __SUBJECT_LEG_DARLEHEN) | |
score DAVIS_WRIGHT_DARLEHEN 1.0 | |
header __FROM_KEVIN_PAGE From =~ /Kevin Page/i | |
meta KEVIN_PAGE_DARLEHEN (__FROM_KEVIN_PAGE && SUBJECT_DARLEHEN) | |
score KEVIN_PAGE_DARLEHEN 1.0 | |
# "Domain Expiration SEO" spam | |
header __SUBJECT_EXP_SEO Subject =~ /Expiration SEO/i | |
header __FROM_EXP_SEO From =~ /(Domain Expiration SEO|Final Reminder)/i | |
meta EXPIRATION_SEO (__SUBJECT_EXP_SEO && __FROM_EXP_SEO) | |
score EXPIRATION_SEO 0.3 | |
describe EXPIRATION_SEO Variation of Domain SEO spam | |
# "SEO issue" spam | |
header __SUBJECT_SEO_ISSUE Subject =~ /SEO Issue/i | |
body __BODY_SEO_ISSUE /\s+(Search Specialist|Hello Team)/i | |
meta SEO_ISSUE (__SUBJECT_SEO_ISSUE && __BODY_SEO_ISSUE) | |
score SEO_ISSUE 0.4 | |
describe SEO_ISSUE Variation of Domain SEO spam | |
# Domain Alert | |
header __SUBJECT_DOMAIN_ALERT Subject =~ /This is your Final (Reminder|Notice)/i | |
header __FROM_DOMAIN_ALERT From =~ /(Internet Services|Domain Notice|directimpactdesigns.com)/i | |
body __BODY_DOMAIN_ALERT /\s+search engine registration/i | |
meta DOMAIN_ALERT (__SUBJECT_DOMAIN_ALERT && __FROM_DOMAIN_ALERT && __BODY_DOMAIN_ALERT) | |
score DOMAIN_ALERT 0.5 | |
describe DOMAIN_ALERT Variations of search engine registration spam | |
header __FROM_BITCOIN_CODE From =~ /bestofmesh.com/i | |
uri __BITCOIN_CODE_LINK /track.bestofmesh.com.*/i | |
meta BITCOIN_CODE (__FROM_BITCOIN_CODE && __BITCOIN_CODE_LINK) | |
score BITCOIN_CODE 0.8 | |
# customlogobuilders.press | |
header FROM_CUSTOMLOGOBUILDERS From =~ /customlogobuilders.press/i | |
score FROM_CUSTOMLOGOBUILDERS 1.0 | |
#-------------------------------------------------- | |
# uri matching | |
#-------------------------------------------------- | |
# Something like .... /plugin.php?t=147&SeBJYnc8AzD8YLd4kvf4uNR=Fqz&12i=Cwb&4f=cL4g | |
# the common parts are: | |
# - the first parameter name is one char long | |
# - at least two more parameter follow | |
uri SPAM_LINK_1 /\/[a-z]+\.php\?\w=[a-zA-Z0-9]+(&[\w\d]+=[a-zA-Z0-9]+){2,}/i | |
score SPAM_LINK_1 0.4 | |
describe SPAM_LINK_1 Spam link | |
# same as above but focused on the link title | |
rawbody SPAM_LINK_2 /\>.*(profile is here|new photos|photos are here).*\<\/a\>/i | |
score SPAM_LINK_2 0.4 | |
describe SPAM_LINK_2 Spam link title | |
# Something like ..../l/lt2K2240EH14R/1014LP2140G4657WU60A33287012SM1334722588 | |
# Common parts: | |
# - first part is always one character | |
# - three parts in total | |
uri SPAM_LINK_3 /\/\w\/\w{10,}\/\w{10,}/i | |
score SPAM_LINK_3 0.4 | |
describe SPAM_LINK_3 Spam link | |
# /pass.php?utm_source=6900l3njtv&utm_medium=nc6600mc98&utm_campaign=a1q4sxq0wo&utm_term=tvec4xo652&utm_content=403g22e07g | |
# Common parts | |
# - always a .php file in the root of the domain | |
# - only GA tracking parameters | |
# - values for utm_source, utm_medium and utm_campaign are always the same (at least between 2017-07 and 2017-10), | |
# utm_term varies slightly and utm_content is random | |
# - all tracking parameters have 10 chars | |
uri SPAM_LINK_4 /\/[a-z]+\.php\?utm_source=[a-zA-Z0-9]{10}&utm_medium=[a-zA-Z0-9]{10}&utm_campaign=[a-zA-Z0-9]{10}&utm_term=[a-zA-Z0-9]{10}&utm_content=[a-zA-Z0-9]{10}/i | |
score SPAM_LINK_4 0.4 | |
describe SPAM_LINK_4 Spam link | |
uri SPAM_LINK_4_EXTRA /\/[a-z]+\.php\?utm_source=6900l3njtv&utm_medium=nc6600mc98&utm_campaign=a1q4sxq0wo&utm_term=[a-zA-Z0-9]{10}&utm_content=[a-zA-Z0-9]{10}/i | |
score SPAM_LINK_4_EXTRA 0.4 | |
describe SPAM_LINK_4_EXTRA Spam link (extra score) | |
# sth. /mw/index.php/campaigns/pc118pw7p78bf/track-url/eo948g9ba3535/955e46674ff54a5792d9fa1782e483d77e4fdfc8 | |
uri SPAM_LINK_5 /\/campaigns\/[a-zA-Z0-9]{13}\/track-url\/[a-zA-Z0-9]{13}\/[a-zA-Z0-9]{40}/i | |
score SPAM_LINK_5 0.4 | |
describe SPAM_LINK_5 Spam link | |
uri SPAM_LINK_6 /\/[a-zA-Z0-9]{13,18}\/[a-zA-Z0-9-_]{43}\/[a-zA-Z0-9-_]{107,128}/i | |
score SPAM_LINK_6 0.4 | |
describe SPAM_LINK_6 Spam link | |
# looks almost the same as SPAM_LINK_6 | |
# characteristics: | |
# - TLD: .date or .trade | |
# - Domain always with leading www. | |
# - path: | |
# First part between 7 and 10 chars | |
# Second part between 16 and 22 chars | |
# Third part always(?) 43 chars | |
# Fourth part > 80 chars but varying in length | |
uri SPAM_LINK_7_HIGH /www\.[a-zA-Z0-9]+\.(date|trade)\/[a-zA-Z0-9-_]{6,13}\/[a-zA-Z0-9-_]{13,24}\/[a-zA-Z0-9-_]{40,65}\/[a-zA-Z0-9-_]{80,999}/i | |
score SPAM_LINK_7_HIGH 1.2 | |
describe SPAM_LINK_7_HIGH high scored spam link | |
#-------------------------------------------------- | |
# Mime matching | |
#-------------------------------------------------- | |
mimeheader DOC_ATTACHED Content-Disposition =~ /filename\=.*\.docx?/i | |
score DOC_ATTACHED 1.0 | |
describe DOC_ATTACHED Contains .doc or .docx attachment | |
mimeheader XLS_ATTACHED Content-Disposition =~ /filename\=.*\.xlsx?/i | |
score XLS_ATTACHED 1.0 | |
describe XLS_ATTACHED Contains .xls or .xlsx attachment | |
mimeheader __ZIP_ATTACHED Content-Disposition =~ /filename\=.*\.zip/i | |
describe __ZIP_ATTACHED Contains .zip attachment | |
#-------------------------------------------------- | |
# Text matching | |
#-------------------------------------------------- | |
header __SUBJECT_FUCK Subject =~ /f[ua5\&\%]ck/i | |
body __BODY_FUCK /\s+(fuck|sex|masturbate|anal)\s+/i | |
meta FUCKED_MAIL (__SUBJECT_FUCK || __BODY_FUCK ) | |
score FUCKED_MAIL 0.5 | |
describe FUCKED_MAIL Contains variations of 'fuck' in the subject and/or body | |
header __SUBJECT_FAX_RECEIVED Subject =~ /You have 1 new fax, document/i | |
header __SUBJECT_FAX_RECEIVED2 Subject =~ /You have received a new fax, document /i | |
meta FAX_RECEIVED ((__SUBJECT_FAX_RECEIVED || __SUBJECT_FAX_RECEIVED2) && __ZIP_ATTACHED) | |
score FAX_RECEIVED 1.2 | |
body __BODY_VIAGRA /viagra/i | |
body __BODY_PILLS /pills/i | |
body __BODY_HEALTH_SECRET /health secret/i | |
meta BODY_HEALTH (__BODY_VIAGRA || __BODY_PILLS || __BODY_HEALTH_SECRET) | |
score BODY_HEALTH 0.2 | |
describe BODY_HEALTH health-related body text | |
body __LEAKED_PWD1a /(I know )?[a-zA-Z0-9]{1,99} one of your pass./i | |
body __LEAKED_PWD1b /I (do )?know [a-zA-Z0-9]{1,99} one of your pass word./i | |
body __LEAKED_PWD2 /I actually (installed|placed) a (malware|software) on the (18+|xxx) (streaming|videos|video clips) \((porn|porno|sexually graphic)\)/i | |
meta LEAKED_PWD ((__LEAKED_PWD1a || __LEAKED_PWD1b) && __LEAKED_PWD2) | |
score LEAKED_PWD 2.0 | |
#-------------------------------------------------- | |
# Some very persistent spammers | |
#-------------------------------------------------- | |
header FROM_MUNGAI From =~ /MUNGAI KIHANYA TRAINING/i | |
score FROM_MUNGAI 2.0 | |
header FROM_KINETIC From =~ /KINETIC (ENTERPRISES|TECHNOLOGIEZ)/i | |
score FROM_KINETIC 1.0 | |
header FROM_KINETIC2 From =~ /\*\s*KINETIC/i | |
score FROM_KINETIC2 1.0 | |
meta KINETIC_SCREAMING (FROM_KINETIC2 && SUBJ_ALL_CAPS) | |
score KINETIC_SCREAMING 2.0 | |
ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
askdns DNSWL_DWL_HI _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.3/ | |
tflags DNSWL_DWL_HI nice net | |
describe DNSWL_DWL_HI dwl.dnswl.org high trust | |
score DNSWL_DWL_HI -4 | |
askdns DNSWL_DWL_MED _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.2/ | |
tflags DNSWL_DWL_MED nice net | |
describe DNSWL_DWL_MED dwl.dnswl.org medium trust | |
score DNSWL_DWL_MED -2 | |
askdns DNSWL_DWL_LOW _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.1/ | |
tflags DNSWL_DWL_LOW nice net | |
describe DNSWL_DWL_LOW dwl.dnswl.org low trust | |
score DNSWL_DWL_LOW -1 | |
askdns DNSWL_DWL_NONE _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.0/ | |
tflags DNSWL_DWL_NONE nice net | |
describe DNSWL_DWL_NONE dwl.dnswl.org listed, but no particular trust information available | |
score DNSWL_DWL_NONE -0.2 | |
endif # Mail::SpamAssassin::Plugin::AskDNS |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
thank you!