init

main_mike.cf

@@ -0,0 +1,40 @@
+#--------------------------------------------------
+# Version 0.01
+#--------------------------------------------------
+
+#--------------------------------------------------
+# top level domain matching, from a github gist
+#--------------------------------------------------
+	
+header SPAMMY_TLD_IN_RCVD Received =~ /(\.net\.ae|\.net\.id|\.ro|\.cz|\.co\.ke|\.AC\.ZA|\.co\.in|\.com\.vn|\.vn|\.cc|\.ua|\.com\.br|\.gr|\.hr|\.dk|\.win|\.bid|\.tw|\.br|\.pk|\.top|\.club|\.date|\.stream|\.xyz|\.trade|\.icu|\.press|\.pro|\.pet|\.kim|\.red)\s/i
+score SPAMMY_TLD_IN_RCVD 0.3
+describe SPAMMY_TLD_IN_RCVD Spammy TLD used in Received line
+
+header SPAMMY_TLD_IN_FROM From =~ /(\.net\.ae|\.net\.id|\.ro|\.co\.jp|\.co\.ke|\.AC\.ZA|\.co\.in|\.com\.vn|\.vn|\.cc|\.ua|\.com\.br|\.gr|\.hr|\.cz|\.win|\.bid|\.tw|\.br|\.pk|\.top|\.club|\.date|\.stream|\.xyz|\.trade|\.icu|\.press|\.pro|\.pet|\.kim|\.red)>$/i
+score SPAMMY_TLD_IN_FROM 0.3
+describe SPAMMY_TLD_IN_FROM Spammy TLD used in From line
+
+header __HIGH_SPAMMY_TLD_RCVD Received =~ /\.(win|bid|top|club|date|stream|xyz|icu)\/.*/i
+header __HIGH_SPAMMY_TLD_FROM From =~ /\.(win|bid|top|club|date|stream|xyz|icu)\/.*/i
+uri __HIGH_SPAMMY_TLD_URI /\.(win|bid|top|club|date|stream|xyz)\/.+/i
+meta HIGH_SPAMMY_TLD (__HIGH_SPAMMY_TLD_RCVD && __HIGH_SPAMMY_TLD_FROM && __HIGH_SPAMMY_TLD_URI)
+score HIGH_SPAMMY_TLD 1.1
+describe HIGH_SPAMMY_TLD HIGH spammy tld used in Received, From and link
+
+#--------------------------------------------------
+# uri matching
+#--------------------------------------------------
+
+# Something with ketoxplode.
+# the common parts are:
+# - the first parameter name is one char long
+# - at least two more parameter follow
+uri SPAM_LINK_1 /ketoxplode/i
+score SPAM_LINK_1 5
+describe SPAM_LINK_1 Spam link
+
+#--------------------------------------------------
+# from matching
+#--------------------------------------------------
+header FROM_KETO From =~ /ketoxplode/i
+score FROM_KETO 5.0