From 5c608812ea6e1c238f968804250dd7afa890bd39 Mon Sep 17 00:00:00 2001
From: Mike Bos
Date: Wed, 9 Aug 2023 08:01:18 +0200
Subject: [PATCH] init
---
main_mike.cf | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 main_mike.cf
diff --git a/main_mike.cf b/main_mike.cf
new file mode 100644
index 0000000..8e65356
--- /dev/null
+++ b/main_mike.cf
@@ -0,0 +1,40 @@
+#--------------------------------------------------
+# Version 0.01
+#--------------------------------------------------
+
+#--------------------------------------------------
+# top level domain matching, from a github gist
+#--------------------------------------------------
+
+header SPAMMY_TLD_IN_RCVD Received =~ /(\.net\.ae|\.net\.id|\.ro|\.cz|\.co\.ke|\.AC\.ZA|\.co\.in|\.com\.vn|\.vn|\.cc|\.ua|\.com\.br|\.gr|\.hr|\.dk|\.win|\.bid|\.tw|\.br|\.pk|\.top|\.club|\.date|\.stream|\.xyz|\.trade|\.icu|\.press|\.pro|\.pet|\.kim|\.red)\s/i
+score SPAMMY_TLD_IN_RCVD 0.3
+describe SPAMMY_TLD_IN_RCVD Spammy TLD used in Received line
+
+header SPAMMY_TLD_IN_FROM From =~ /(\.net\.ae|\.net\.id|\.ro|\.co\.jp|\.co\.ke|\.AC\.ZA|\.co\.in|\.com\.vn|\.vn|\.cc|\.ua|\.com\.br|\.gr|\.hr|\.cz|\.win|\.bid|\.tw|\.br|\.pk|\.top|\.club|\.date|\.stream|\.xyz|\.trade|\.icu|\.press|\.pro|\.pet|\.kim|\.red)>$/i
+score SPAMMY_TLD_IN_FROM 0.3
+describe SPAMMY_TLD_IN_FROM Spammy TLD used in From line
+
+header __HIGH_SPAMMY_TLD_RCVD Received =~ /\.(win|bid|top|club|date|stream|xyz|icu)\/.*/i
+header __HIGH_SPAMMY_TLD_FROM From =~ /\.(win|bid|top|club|date|stream|xyz|icu)\/.*/i
+uri __HIGH_SPAMMY_TLD_URI /\.(win|bid|top|club|date|stream|xyz)\/.+/i
+meta HIGH_SPAMMY_TLD (__HIGH_SPAMMY_TLD_RCVD && __HIGH_SPAMMY_TLD_FROM && __HIGH_SPAMMY_TLD_URI)
+score HIGH_SPAMMY_TLD 1.1
+describe HIGH_SPAMMY_TLD HIGH spammy tld used in Received, From and link
+
+#--------------------------------------------------
+# uri matching
+#--------------------------------------------------
+
+# Something with ketoxplode.
+# the common parts are:
+# - the first parameter name is one char long
+# - at least two more parameter follow
+uri SPAM_LINK_1 /ketoxplode/i
+score SPAM_LINK_1 5
+describe SPAM_LINK_1 Spam link
+
+#--------------------------------------------------
+# from matching
+#--------------------------------------------------
+header FROM_KETO From =~ /ketoxplode/i
+score FROM_KETO 5.0
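Review bot: `HIGH_SPAMMY_TLD` is unlikely ever to fire, because `__HIGH_SPAMMY_TLD_RCVD` and `__HIGH_SPAMMY_TLD_FROM` reuse the URI pattern and require a literal `/` right after the TLD, which a Received or From header does not normally contain, and the meta ANDs all three sub-rules. Give the header sub-rules header-shaped anchors, for example `header __HIGH_SPAMMY_TLD_RCVD Received =~ /\.(win|bid|top|club|date|stream|xyz|icu)\s/i` and `header __HIGH_SPAMMY_TLD_FROM From:addr =~ /\.(win|bid|top|club|date|stream|xyz|icu)$/i`. Also add `icu` to `__HIGH_SPAMMY_TLD_URI`, which currently omits it. The same bare-address gap affects `SPAMMY_TLD_IN_FROM`: its `>$` anchor only matches when the address is wrapped in angle brackets, so matching on `From:addr` with a plain `$` would cover both forms. Separately, the comment above `SPAM_LINK_1` describes a query-parameter shape that `/ketoxplode/i` never checks, and `FROM_KETO` has no `describe` line; reword the comment or tighten the pattern, add something like `describe FROM_KETO From header contains ketoxplode`, and run `spamassassin --lint` on the file before deploying.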