#--------------------------------------------------
# Version 0.01
#--------------------------------------------------
#--------------------------------------------------
# top level domain matching, from a github gist
#--------------------------------------------------
# Low-weight hint: a Received header contains a host name ending in one of
# the listed TLDs or country second-level suffixes, followed by whitespace.
# NOTE(review): Received lines written before the message reached a relay
# you trust are sender-controlled text, so this is a hint only. Keep the
# score small and let it add to other evidence.
header   SPAMMY_TLD_IN_RCVD  Received =~ /\.(?:net\.ae|net\.id|ro|cz|co\.ke|ac\.za|co\.in|com\.vn|vn|cc|ua|com\.br|gr|hr|dk|win|bid|tw|br|pk|top|club|date|stream|xyz|trade|icu|press|pro|pet|kim|red)\s/i
describe SPAMMY_TLD_IN_RCVD  Spammy TLD used in Received line
score    SPAMMY_TLD_IN_RCVD  0.3
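# Low-weight hint: the sender address in From ends in one of the listed
# TLDs or country second-level suffixes.
# The :addr modifier hands the regex only the first e-mail address of the
# header, so the pattern can anchor on the end of the address. Anchoring on
# a trailing ">" would miss a bare "From: user@example.tld" and any From
# value that carries text after the address.
# NOTE(review): From is chosen by the sender; this rule says nothing about
# whether the domain was authenticated.
header   SPAMMY_TLD_IN_FROM  From:addr =~ /\.(?:net\.ae|net\.id|ro|co\.jp|co\.ke|ac\.za|co\.in|com\.vn|vn|cc|ua|com\.br|gr|hr|cz|win|bid|tw|br|pk|top|club|date|stream|xyz|trade|icu|press|pro|pet|kim|red)$/i
describe SPAMMY_TLD_IN_FROM  Spammy TLD used in From line
score    SPAMMY_TLD_IN_FROM  0.3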
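# HIGH_SPAMMY_TLD fires only when the same short list of TLDs shows up in a
# Received header, in the From address and in a link in the body.
#
# The two header sub-rules end the match at whitespace (Received) or at the
# end of the address (From:addr). A "/" directly after the TLD only occurs
# inside URLs, so a header pattern that requires it would keep the meta rule
# from ever firing. The uri sub-rule keeps the "/" plus path requirement.
# "icu" is listed in all three patterns so the lists agree.
header   __HIGH_SPAMMY_TLD_RCVD  Received  =~ /\.(?:win|bid|top|club|date|stream|xyz|icu)\s/i
header   __HIGH_SPAMMY_TLD_FROM  From:addr =~ /\.(?:win|bid|top|club|date|stream|xyz|icu)$/i
uri      __HIGH_SPAMMY_TLD_URI   /\.(?:win|bid|top|club|date|stream|xyz|icu)\/.+/i

# All three sub-rules must hit; each one alone is weak evidence.
meta     HIGH_SPAMMY_TLD  (__HIGH_SPAMMY_TLD_RCVD && __HIGH_SPAMMY_TLD_FROM && __HIGH_SPAMMY_TLD_URI)
describe HIGH_SPAMMY_TLD  HIGH spammy tld used in Received, From and link
score    HIGH_SPAMMY_TLD  1.1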
#--------------------------------------------------
# no SPF fuck you score
#--------------------------------------------------
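# Scores mail whose Received-SPF header reports the result "None"
# (the sending domain publishes no SPF record).
# A header rule needs the match operator "=~" (or "!~"); with a bare "="
# the line is not a valid rule and the score never applies. Run
# "spamassassin --lint" after editing to catch this kind of error.
# The pattern is anchored on the result keyword at the start of a header
# value so that "none" inside a host name or comment does not match.
# NOTE(review): Received-SPF is only trustworthy when your own MTA adds it.
# A copy that arrives with the message is sender-controlled, so confirm the
# MTA strips inbound Received-SPF headers, or rely on the SPF plugin's
# SPF_NONE result instead.
header   NOSPF  Received-SPF =~ /^\s*None\b/mi
describe NOSPF  Received-SPF header reports no SPF record
score    NOSPF  3.0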
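# Scores mail whose Received-SPF header reports the result "Softfail"
# (the sending host is not authorised, but the domain asks for leniency).
# A header rule needs the match operator "=~" (or "!~"); with a bare "="
# the line is not a valid rule and the score never applies.
# The pattern is anchored on the result keyword at the start of a header
# value so that the word appearing elsewhere in the header does not match.
# NOTE(review): Received-SPF is only trustworthy when your own MTA adds it.
# A copy that arrives with the message is sender-controlled, so confirm the
# MTA strips inbound Received-SPF headers, or rely on the SPF plugin's
# SPF_SOFTFAIL result instead.
header   SOFTFAILSPF  Received-SPF =~ /^\s*Softfail\b/mi
describe SOFTFAILSPF  Received-SPF header reports SPF softfail
score    SOFTFAILSPF  3.0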
#--------------------------------------------------
# uri matching
#--------------------------------------------------
# Something with ketoxplode.
# Any link in the message whose URI contains "ketoxplode" (case-insensitive,
# anywhere in host, path or query). At 5 points this rule alone reaches
# SpamAssassin's default spam threshold of 5.0 unless required_score is raised.
uri      SPAM_LINK_1  /ketoxplode/i
describe SPAM_LINK_1  Spam link
score    SPAM_LINK_1  5
#--------------------------------------------------
# from matching
#--------------------------------------------------
# From header contains "ketoxplode" anywhere, display name or address,
# matched case-insensitively.
header  FROM_KETO  From =~ /ketoxplode/i
score   FROM_KETO  5.0
# From header contains "icsmailing" anywhere, display name or address,
# matched case-insensitively.
# NOTE(review): a substring match on From also hits genuine mail from a
# sender using that name, if there is one. Confirm that is intended.
header  FROM_ICS_ALERTS  From =~ /icsmailing/i
score   FROM_ICS_ALERTS  2.0
#--------------------------------------------------
# Subject matching
#--------------------------------------------------
# Subject mentions both "luchtbrug" and "vragenlijst" (case-insensitive).
# The two "__" sub-rules carry no score of their own; only the meta rule
# that requires both of them is scored.
header  __SUBJECT_LUCHTBRUG      Subject =~ /luchtbrug/i
header  __SUBJECT_LUCHTBRUGVRAAG Subject =~ /vragenlijst/i
meta    SUBJECT_LUCHTBRUG        __SUBJECT_LUCHTBRUG && __SUBJECT_LUCHTBRUGVRAAG
score   SUBJECT_LUCHTBRUG        5.0
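# Subject contains "card alerts" (case-insensitive).
# Rule names that start with "__" are sub-rules: SpamAssassin evaluates them
# for use in meta rules but does not score them, so a "score" line on the
# "__" name does nothing. The sub-rule keeps its name and a scored meta rule
# wraps it.
header   __SUBJECT_ICS_ALERTS  Subject =~ /card alerts/i
meta     SUBJECT_ICS_ALERTS    __SUBJECT_ICS_ALERTS
describe SUBJECT_ICS_ALERTS    Subject contains "card alerts"
score    SUBJECT_ICS_ALERTS    5.0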
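# Subject contains "mikebos" (case-insensitive).
# Rule names that start with "__" are sub-rules: SpamAssassin evaluates them
# for use in meta rules but does not score them, so a "score" line on the
# "__" name does nothing. The sub-rule keeps its name and a scored meta rule
# wraps it.
header   __SUBJECT_MIKEBOS  Subject =~ /mikebos/i
meta     SUBJECT_MIKEBOS    __SUBJECT_MIKEBOS
describe SUBJECT_MIKEBOS    Subject contains "mikebos"
score    SUBJECT_MIKEBOS    5.0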
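# Subject contains three exclamation marks in a row.
# The header name was missing between the rule name and "=~"; without it the
# line is not a valid header rule. "Subject" is taken from the rule name and
# the surrounding "Subject matching" section.
# Rule names that start with "__" are sub-rules and are not scored, so a
# scored meta rule wraps the sub-rule.
header   __SUBJECT_UITROEPTEKENS  Subject =~ /!!!/
meta     SUBJECT_UITROEPTEKENS    __SUBJECT_UITROEPTEKENS
describe SUBJECT_UITROEPTEKENS    Subject contains "!!!"
score    SUBJECT_UITROEPTEKENS    2.5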