# SpamAssassin rules file: meta tests # # Please don't modify this file as your changes will be overwritten with # the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. # See 'perldoc Mail::SpamAssassin::Conf' for details. # # Add meta tests which cover *both* headers and body here. # # Note: body tests are run with long lines, so be sure to limit the # size of searches; use /.{0,30}/ instead of /.*/ to avoid huge # search times. # # <@LICENSE> # Copyright 2004 Apache Software Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # ########################################################################### require_version @@VERSION@@ # some tests that will trigger FPs on ISO-2022-JP mails. body __ISO_2022_JP_DELIM /\e\$B/ header __MANY_EXCLS Subject =~ /![^!]+!/ header __PLING_PLING Subject =~ /!!!/ body __UPPERCASE_25_50 eval:check_for_uppercase('25', '50') body __UPPERCASE_50_75 eval:check_for_uppercase('50', '75') body __UPPERCASE_75_100 eval:check_for_uppercase('75', '100') meta MANY_EXCLAMATIONS (!__ISO_2022_JP_DELIM && __MANY_EXCLS) describe MANY_EXCLAMATIONS Subject has many exclamations meta UPPERCASE_25_50 (!__ISO_2022_JP_DELIM && __UPPERCASE_25_50) describe UPPERCASE_25_50 message body is 25-50% uppercase meta UPPERCASE_50_75 (!__ISO_2022_JP_DELIM && __UPPERCASE_50_75) describe UPPERCASE_50_75 message body is 50-75% uppercase meta UPPERCASE_75_100 (!__ISO_2022_JP_DELIM && __UPPERCASE_75_100) describe UPPERCASE_75_100 message body is 75-100% uppercase meta PLING_PLING (!__ISO_2022_JP_DELIM && __PLING_PLING) describe PLING_PLING Subject has lots of exclamation marks ############################################################################## # tvd - I really wish there was a better way to do this, but ... # perhaps make a quick eval that counts how many matches, then we use # the cached result in tests? meta NIGERIAN_BODY1 ( __NIGERIAN_BODY_1 + __NIGERIAN_BODY_2 + __NIGERIAN_BODY_3 + __NIGERIAN_BODY_5 + __NIGERIAN_BODY_6 + __NIGERIAN_BODY_7 + __NIGERIAN_BODY_8 + __NIGERIAN_BODY_9 + __NIGERIAN_BODY_10 + __NIGERIAN_BODY_11 + __NIGERIAN_BODY_12 + __NIGERIAN_BODY_13 + __NIGERIAN_BODY_14 + __NIGERIAN_BODY_15 + __NIGERIAN_BODY_16 + __NIGERIAN_BODY_17 + __NIGERIAN_BODY_18 + __NIGERIAN_BODY_19 + __NIGERIAN_BODY_20 + __NIGERIAN_BODY_21 + __NIGERIAN_BODY_22 + __NIGERIAN_BODY_25 + __NIGERIAN_BODY_26 + __NIGERIAN_BODY_27 + __NIGERIAN_BODY_28 + __NIGERIAN_BODY_29 + __NIGERIAN_BODY_30 + __NIGERIAN_BODY_31 + __NIGERIAN_BODY_32 + __NIGERIAN_BODY_33 + __NIGERIAN_BODY_34 + __NIGERIAN_BODY_35 + __NIGERIAN_BODY_36 + __NIGERIAN_BODY_37 + __NIGERIAN_BODY_38 + __NIGERIAN_BODY_39 + __NIGERIAN_BODY_40 + __NIGERIAN_BODY_41 + __NIGERIAN_BODY_42 + __NIGERIAN_BODY_43 + __NIGERIAN_BODY_44 + __NIGERIAN_BODY_45 + __NIGERIAN_BODY_46 ) > 1 describe NIGERIAN_BODY1 Message body looks like a Nigerian spam message 1+ meta NIGERIAN_BODY2 ( __NIGERIAN_BODY_1 + __NIGERIAN_BODY_2 + __NIGERIAN_BODY_3 + __NIGERIAN_BODY_5 + __NIGERIAN_BODY_6 + __NIGERIAN_BODY_7 + __NIGERIAN_BODY_8 + __NIGERIAN_BODY_9 + __NIGERIAN_BODY_10 + __NIGERIAN_BODY_11 + __NIGERIAN_BODY_12 + __NIGERIAN_BODY_13 + __NIGERIAN_BODY_14 + __NIGERIAN_BODY_15 + __NIGERIAN_BODY_16 + __NIGERIAN_BODY_17 + __NIGERIAN_BODY_18 + __NIGERIAN_BODY_19 + __NIGERIAN_BODY_20 + __NIGERIAN_BODY_21 + __NIGERIAN_BODY_22 + __NIGERIAN_BODY_25 + __NIGERIAN_BODY_26 + __NIGERIAN_BODY_27 + __NIGERIAN_BODY_28 + __NIGERIAN_BODY_29 + __NIGERIAN_BODY_30 + __NIGERIAN_BODY_31 + __NIGERIAN_BODY_32 + __NIGERIAN_BODY_33 + __NIGERIAN_BODY_34 + __NIGERIAN_BODY_35 + __NIGERIAN_BODY_36 + __NIGERIAN_BODY_37 + __NIGERIAN_BODY_38 + __NIGERIAN_BODY_39 + __NIGERIAN_BODY_40 + __NIGERIAN_BODY_41 + __NIGERIAN_BODY_42 + __NIGERIAN_BODY_43 + __NIGERIAN_BODY_44 + __NIGERIAN_BODY_45 + __NIGERIAN_BODY_46 ) > 2 describe NIGERIAN_BODY2 Message body looks like a Nigerian spam message 2+ meta NIGERIAN_BODY3 ( __NIGERIAN_BODY_1 + __NIGERIAN_BODY_2 + __NIGERIAN_BODY_3 + __NIGERIAN_BODY_5 + __NIGERIAN_BODY_6 + __NIGERIAN_BODY_7 + __NIGERIAN_BODY_8 + __NIGERIAN_BODY_9 + __NIGERIAN_BODY_10 + __NIGERIAN_BODY_11 + __NIGERIAN_BODY_12 + __NIGERIAN_BODY_13 + __NIGERIAN_BODY_14 + __NIGERIAN_BODY_15 + __NIGERIAN_BODY_16 + __NIGERIAN_BODY_17 + __NIGERIAN_BODY_18 + __NIGERIAN_BODY_19 + __NIGERIAN_BODY_20 + __NIGERIAN_BODY_21 + __NIGERIAN_BODY_22 + __NIGERIAN_BODY_25 + __NIGERIAN_BODY_26 + __NIGERIAN_BODY_27 + __NIGERIAN_BODY_28 + __NIGERIAN_BODY_29 + __NIGERIAN_BODY_30 + __NIGERIAN_BODY_31 + __NIGERIAN_BODY_32 + __NIGERIAN_BODY_33 + __NIGERIAN_BODY_34 + __NIGERIAN_BODY_35 + __NIGERIAN_BODY_36 + __NIGERIAN_BODY_37 + __NIGERIAN_BODY_38 + __NIGERIAN_BODY_39 + __NIGERIAN_BODY_40 + __NIGERIAN_BODY_41 + __NIGERIAN_BODY_42 + __NIGERIAN_BODY_43 + __NIGERIAN_BODY_44 + __NIGERIAN_BODY_45 + __NIGERIAN_BODY_46 ) > 3 describe NIGERIAN_BODY3 Message body looks like a Nigerian spam message 3+ meta NIGERIAN_BODY4 ( __NIGERIAN_BODY_1 + __NIGERIAN_BODY_2 + __NIGERIAN_BODY_3 + __NIGERIAN_BODY_5 + __NIGERIAN_BODY_6 + __NIGERIAN_BODY_7 + __NIGERIAN_BODY_8 + __NIGERIAN_BODY_9 + __NIGERIAN_BODY_10 + __NIGERIAN_BODY_11 + __NIGERIAN_BODY_12 + __NIGERIAN_BODY_13 + __NIGERIAN_BODY_14 + __NIGERIAN_BODY_15 + __NIGERIAN_BODY_16 + __NIGERIAN_BODY_17 + __NIGERIAN_BODY_18 + __NIGERIAN_BODY_19 + __NIGERIAN_BODY_20 + __NIGERIAN_BODY_21 + __NIGERIAN_BODY_22 + __NIGERIAN_BODY_25 + __NIGERIAN_BODY_26 + __NIGERIAN_BODY_27 + __NIGERIAN_BODY_28 + __NIGERIAN_BODY_29 + __NIGERIAN_BODY_30 + __NIGERIAN_BODY_31 + __NIGERIAN_BODY_32 + __NIGERIAN_BODY_33 + __NIGERIAN_BODY_34 + __NIGERIAN_BODY_35 + __NIGERIAN_BODY_36 + __NIGERIAN_BODY_37 + __NIGERIAN_BODY_38 + __NIGERIAN_BODY_39 + __NIGERIAN_BODY_40 + __NIGERIAN_BODY_41 + __NIGERIAN_BODY_42 + __NIGERIAN_BODY_43 + __NIGERIAN_BODY_44 + __NIGERIAN_BODY_45 + __NIGERIAN_BODY_46 ) > 4 describe NIGERIAN_BODY4 Message body looks like a Nigerian spam message 4+ body __NIGERIAN_BODY_1 /\b(?:financial|confiden(?:tial|ce)|safe|mutual|secret|success|risk-?free|details|business).{1,30}\btransaction\b/i body __NIGERIAN_BODY_2 /\btransaction\b.{1,30}\b(?:magnitude|diplomatic|strict|absolute|secret|confiden(?:tial|ce)|guarantee)/i body __NIGERIAN_BODY_3 /BASED ON INFORMATION GATHERED ABOUT YOU, WE BELIEVE\s*YOU WOULD BE IN A POSITION TO HELP US IN TRANSFER/i body __NIGERIAN_BODY_5 /\bpoisoned (?:to death )?by his business associate/i body __NIGERIAN_BODY_6 /\bIt is with trust and confidentiality\b/i body __NIGERIAN_BODY_7 /\bU\.?S\.?(?:D\.?)?\s*(?:\$\s*)?(?:\d+,\d+,\d+|\d+\.\d+\.\d+|\d+(?:\.\d+)?\s*milli?on)/i body __NIGERIAN_BODY_8 /\b(?:You may be sur?prised to receive this letter from me|this (?:letter|mail) (?:(?:may|will) come to you as|will be) a sur?prise)\b/i body __NIGERIAN_BODY_9 /\bthe .{1,10} son of\b/i body __NIGERIAN_BODY_10 /\burgent and(?: very)? (?:profitable|confidential) business (?:proposal|proposition)\b/i body __NIGERIAN_BODY_11 /\bassistance to relocate\b/i body __NIGERIAN_BODY_12 /\bto which will be transferred the sum\b/i body __NIGERIAN_BODY_13 /\byour(?: private)? (?:tele)?phone (?:and|&) fax Numbers?\b/i body __NIGERIAN_BODY_14 /\bthe importance of Secrecy\b/i body __NIGERIAN_BODY_15 /\bmodalities\b/i body __NIGERIAN_BODY_16 /\bI am a Private Investigator\b/i body __NIGERIAN_BODY_17 /\bWRITING THIS LETTER TO SOLICIT\b/i body __NIGERIAN_BODY_18 /\bSEVERAL ATTEMPTS HAVE BEEN MADE WITH OUT SUCCESS\b/i body __NIGERIAN_BODY_19 /\bMY PROPOSAL IS ACCEPTABLE\b/i body __NIGERIAN_BODY_20 /\d+%.{0,15}\)? (?:of (?:the total|this|the) (?:amount|sum|money)|for you|for my investment|for (?:us|me)|.{0,15}\bfor your expenses)\b/i body __NIGERIAN_BODY_21 /\bforeign account\b/i body __NIGERIAN_BODY_22 /\btrust (?:and|&) confidentiality\b/i body __NIGERIAN_BODY_25 /\bvery beneficial to both of us\b/i body __NIGERIAN_BODY_26 /\bmilli?on (?:.{1,25} thousand\s*)?(?:(?:united states|u\.?s\.?) dollars|(?i:U\.?S\.?D?))\b/i body __NIGERIAN_BODY_27 /\bcorrespondent branch\b/i body __NIGERIAN_BODY_28 /\btransaction is .{1,15} risk free.\b/i body __NIGERIAN_BODY_29 /\b(?:percentage|rate) of this money\b/i body __NIGERIAN_BODY_30 /\bfavou?rable response\b/i body __NIGERIAN_BODY_31 /\btotal acceptance and commitment\b/i body __NIGERIAN_BODY_32 /\blocate(?: .{1,20})? extended relative/i body __NIGERIAN_BODY_33 /\bhonest cooperation\b/i body __NIGERIAN_BODY_34 /\b(?:wife|son|brother|daughter) of the late\b/i body __NIGERIAN_BODY_35 /\bintuitive confidence/i body __NIGERIAN_BODY_36 /\battached to ticket number\b/i body __NIGERIAN_BODY_37 /\ball funds will be returned\b/i body __NIGERIAN_BODY_38 /\b(?:International\b.{1,15}\bLottery|lottery\b.{1,15}\binternational)\b/i body __NIGERIAN_BODY_39 /\bYOUR FULL NAMES?,?(?:and|&)? FULL CONTACT ADDRESS\b/i body __NIGERIAN_BODY_40 /\bsend .{1,30}\byour telefax Numbers?\b/i body __NIGERIAN_BODY_41 /(?:government|bank) of nigeria/i body __NIGERIAN_BODY_42 /nigerian? (?:national|government)/i body __NIGERIAN_BODY_43 /\blate .{0,15}(?:father|wife|husband|general|president|daughter|son|minister).{0,20}(?:wealthy|treasure|deposit|money|left|property|known|\$|US)/i body __NIGERIAN_BODY_44 /\b(?:of|the) late president\b/i body __NIGERIAN_BODY_45 /\bsum of ?(?:million|US|\$)|\b(?:deposit|left|huge|discovered|abandoned).{0,15} sum of/i body __NIGERIAN_BODY_46 /\bgive\s+you .{0,15}(?:fund|money|total|sum|contact|percent)\b/i ############################################################################## header __SANE_MSGID MESSAGEID =~ /^<[^<>\\ \t\n\r\x0b\x80-\xff]+\@[^<>\\ \t\n\r\x0b\x80-\xff]+>\s*$/m header __HAS_MSGID MESSAGEID =~ /\S/ header __MSGID_COMMENT MESSAGEID =~ /\(.*\)/m meta INVALID_MSGID __HAS_MSGID && !(__SANE_MSGID || __MSGID_COMMENT) describe INVALID_MSGID Message-Id is not valid, according to RFC 2822 header __MOZILLA_MUA X-Mailer =~ /\bMozilla\b/ header __MOZILLA_MSGID MESSAGEID =~ /^<[A-F\d]{8}\.[A-F1-9][A-F\d]{0,7}\@\S+>$/m meta FORGED_MUA_MOZILLA (__MOZILLA_MUA && !__UNUSABLE_MSGID && !__MOZILLA_MSGID) describe FORGED_MUA_MOZILLA Forged mail pretending to be from Mozilla header __PC_RND_HEADER ALL =~ /%RA?ND(?:OM)?_[A-Z]/i body __PC_RND_BODY /%RA?ND(?:OM)?_[A-Z]/i rawbody __PC_RND_RAWBODY /%RA?ND(?:OM)?_[A-Z]/i meta PERCENT_RANDOM (__PC_RND_HEADER || __PC_RND_BODY || __PC_RND_RAWBODY)