# SpamAssassin rules file: body tests # # Please don't modify this file as your changes will be overwritten with # the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. # See 'perldoc Mail::SpamAssassin::Conf' for details. # # Note: body tests are run with long lines, so be sure to limit the # size of searches; use /.{0,30}/ instead of /.*/ to avoid huge # search times. # # Note: If you are adding a rule which looks for a phrase in the body # (as most of them do), please add it to rules/20_phrases.cf instead. # # <@LICENSE> # Copyright 2004 Apache Software Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # ########################################################################### require_version @@VERSION@@ ########################################################################### # GTUBE test - the generic test for UBE. body GTUBE /XJS\*C4JDBQADN1\.NSBN3\*2IDNEN\*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL\*C\.34X/ describe GTUBE Generic Test for Unsolicited Bulk Email tflags GTUBE userconf noautolearn ########################################################################### # Message digest tests full RAZOR2_CHECK eval:check_razor2() describe RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) tflags RAZOR2_CHECK net # cf (confidence level) is how likely the message is spam. RAZOR2_CHECK # returns true if cf>=min_cf (as defined by user/config). These return # true depending on what cf value the message has. The algorithm goes: # check the message via razor, then go through each mime part and check # how razor scored it. If the part is contested (ie: it's been reported # as both ham and spam) it's ignored. SA takes the highest non-contested # part cf score and returns it for the range rules. ie: This is essentially # Razor 2's logic_method 4. # # Note: Disabling RAZOR2_CHECK (score RAZOR2_CHECK 0) will also disable # these checks. # # Note: The scores are set to 0 on these tests right now until they get # better integrated with SA overall. # body RAZOR2_CF_RANGE_51_100 eval:check_razor2_range('51','100') tflags RAZOR2_CF_RANGE_51_100 net describe RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% full DCC_CHECK eval:check_dcc() describe DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/) tflags DCC_CHECK net full PYZOR_CHECK eval:check_pyzor() describe PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/) tflags PYZOR_CHECK net # bug 2220. nice results meta DIGEST_MULTIPLE RAZOR2_CHECK + DCC_CHECK + PYZOR_CHECK > 1 describe DIGEST_MULTIPLE Message hits more than one network digest check tflags DIGEST_MULTIPLE net # this seems to be the new fashion (as of Jul 5 2002). base64-encoded parts need to # be stripped before this match body TRACKER_ID /^[a-z0-9]{6,24}[-_a-z0-9]{12,36}[a-z0-9]{6,24}\s*\z/is describe TRACKER_ID Incorporates a tracking ID number body WEIRD_QUOTING /[\042\223\224\262\263\271]{2}\S{0,16}[\042\223\224\262\263\271]{2}/ describe WEIRD_QUOTING Weird repeated double-quotation marks ########################################################################### # these tests doesn't actually use rawbody since rawbody isn't raw enough; # they must be written very carefully to avoid modifying the original content # MIME Content-Transfer-Encoding control rules rawbody __MIME_BASE64 eval:check_for_mime('mime_base64_count') describe __MIME_BASE64 Includes a base64 attachment rawbody __MIME_QP eval:check_for_mime('mime_qp_count') describe __MIME_QP Includes a quoted-printable attachment rawbody MIME_BASE64_BLANKS eval:check_for_mime('mime_base64_blanks') describe MIME_BASE64_BLANKS Extra blank lines in base64 encoding rawbody MIME_BASE64_NO_NAME eval:check_for_mime('mime_base64_no_name') describe MIME_BASE64_NO_NAME base64 attachment does not have a file name rawbody MIME_BASE64_TEXT eval:check_for_mime('mime_base64_encoded_text') describe MIME_BASE64_TEXT Message text disguised using base64 encoding rawbody MIME_MISSING_BOUNDARY eval:check_for_mime('mime_missing_boundary') describe MIME_MISSING_BOUNDARY MIME section missing boundary body MIME_HTML_MOSTLY eval:check_mime_multipart_ratio('0.00','0.01') describe MIME_HTML_MOSTLY Multipart message mostly text/html MIME # Steve Linford via Charlie Watts: good test! body MIME_HTML_ONLY eval:check_for_mime_html_only() describe MIME_HTML_ONLY Message only has text/html MIME parts # multipart/alternative has very good accuracy, other multipart types are # similar to MIME_HTML_ONLY so they don't need a separate rule header __CTYPE_MULTIPART_ALT Content-Type =~ /multipart\/alternative/i meta MIME_HTML_ONLY_MULTI (__CTYPE_MULTIPART_ALT && MIME_HTML_ONLY) describe MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts rawbody MIME_QP_LONG_LINE eval:check_for_mime('mime_qp_long_line') describe MIME_QP_LONG_LINE Quoted-printable line longer than 76 chars # actually indicates viruses, typically; just used here to clean corpora. rawbody MIME_SUSPECT_NAME eval:check_for_mime('mime_suspect_name') describe MIME_SUSPECT_NAME MIME filename does not match content # todo: better tflags category for these tests tflags MIME_SUSPECT_NAME userconf # note: __HIGHBITS is used by HTML_CHARSET_FARAWAY rawbody __MIME_CHARSET_FARAWAY eval:check_for_mime('mime_faraway_charset') body __HIGHBITS /(?:[\x80-\xff].?){4,}/ meta MIME_CHARSET_FARAWAY (__MIME_CHARSET_FARAWAY && __HIGHBITS) describe MIME_CHARSET_FARAWAY MIME character set indicates foreign language tflags MIME_CHARSET_FARAWAY userconf # This rule uses a simple algorithm to determine if the text and html # parts of an multipart/alternative message are different. body MPART_ALT_DIFF eval:multipart_alternative_difference('99', '100') describe MPART_ALT_DIFF HTML and text parts are different ########################################################################### body CHARSET_FARAWAY eval:check_for_faraway_charset() describe CHARSET_FARAWAY Character set indicates a foreign language tflags CHARSET_FARAWAY userconf body UNWANTED_LANGUAGE_BODY eval:check_language() describe UNWANTED_LANGUAGE_BODY Message written in an undesired language tflags UNWANTED_LANGUAGE_BODY userconf body BODY_8BITS eval:check_for_body_8bits() describe BODY_8BITS Body includes 8 consecutive 8-bit characters tflags BODY_8BITS userconf # duncf body EMAIL_ROT13 /\b[a-z(\]-]+\^[a-z-]+\([a-z]{2,3}\b/ describe EMAIL_ROT13 Body contains a ROT13-encoded email address test EMAIL_ROT13 ok qhabs^ebtref(pbz test EMAIL_ROT13 ok zxrggyre^riv-vap(pbz test EMAIL_ROT13 fail duncf-nospam@rogers.com body BLANK_LINES_70_80 eval:check_blank_line_ratio('70','80','4') body BLANK_LINES_80_90 eval:check_blank_line_ratio('80','90','4') body BLANK_LINES_90_100 eval:check_blank_line_ratio('90','100','4') describe BLANK_LINES_70_80 Message body has 70-80% blank lines describe BLANK_LINES_80_90 Message body has 80-90% blank lines describe BLANK_LINES_90_100 Message body has 90-100% blank lines body UNIQUE_WORDS eval:check_unique_words('0.946', '3.1') describe UNIQUE_WORDS Message body has many words used only once body DOMAIN_RATIO eval:check_domain_ratio('0.022') describe DOMAIN_RATIO Message body mentions many internet domains # If these are too expensive as a whole, then delete __LONGWORDS_B and # __LONGWORDS_C and replace with (__LONGWORDS_D || __LONGWORDS_A) which # is very close in quality. body __LONGWORDS_A /\b(?:[a-z]{8,}\s+){6}/ body __LONGWORDS_B /\b(?:[a-z]{7,}\s+){8}/ body __LONGWORDS_C /\b(?:[a-z]{6,}\s+){9}/ body __LONGWORDS_D /\b(?:[a-z]{5,}\s+){10}/ meta LONGWORDS (__LONGWORDS_A || __LONGWORDS_B || __LONGWORDS_C || __LONGWORDS_D) describe LONGWORDS Long string of long words