# SARE High Risk Ruleset for SpamAssassin
# Version: 01.01.02
# Created: 2004-05-28
# Modified: 2005-02-10
# Changes: 00.01.00 - Created new rule set with high risk rule from spoof.cf
#          00.01.01 - Updated score based on new mass-check
#          01.01.02 - Updated score based on new mass-check (updated high version #, just because)
# License: Artistic - see http://www.rulesemporium.com/license.txt
# Current Maintainer: Bob Menschel - highrisk@rulesemporium.com
# Current Home: http://www.rulesemporium.com/rules/70_sare_highrisk.cf
#
# This rule set is reserved for rules that seem to be very promising,
# but which have a very high risk of false positives. Only the most
# aggressive sites which actively scan for false positives should use
# these rules.
#
# Layout: every rule whose name starts with "__" is a sub-rule that carries
# no score of its own; each one is referenced only from the single scored
# meta rule at the bottom of the file (SARE_HIRISK_FORGED_ATT). The score
# was derived by mass-check (see the #counts lines), so changing any of the
# sub-rule patterns invalidates that score and calls for a re-check.

###########################################################################
# Generic tests used to identify potential ham
###########################################################################
# Presence-only checks: each fires when the named header exists, whatever
# its value. They are used below as negative conditions (evidence that the
# message came through a webmail/list system rather than being a forgery).
header __SARE_EXIST_XAPPTO exists:X-Apparently-To
header __SARE_EXIST_XORIGIP exists:X-Originating-IP
header __SARE_EXIST_XSNDR exists:X-Sender
# Precedence: bulk is the conventional marker for list/automated mail.
header __SARE_PREC_BULK Precedence =~ m'bulk'

###########################################################################
# Tests specific to Yahoo Groups mailing lists
###########################################################################
header __SARE_EXIST_XYPROF exists:X-Yahoo-Profile
header __SARE_EXIST_YGRMTIP exists:X-eGroups-Remote-IP
# \1 back-references the list name captured by (\w+), so the "contact"
# address must be <listname>-owner at the same domain.
header __SARE_YG_MAILLIST Mailing-List =~ m'list (\w+)\@yahoogroups\.com; contact \1-owner\@yahoogroups\.com'
header __SARE_YG_MSGID Message-ID =~ m'<.{10,}\@eGroups\.com>'
header __SARE_YG_UAGENT User-Agent =~ m'eGroups'
# NOTE(review): the pattern here is empty (m''). In Perl an empty pattern
# has a special meaning (it re-uses the last successfully matched pattern),
# so the apparent intent — "a List-Unsubscribe header is present" — is more
# safely expressed as exists:List-Unsubscribe, the idiom the rules above
# use. Confirm the intent and re-mass-check before changing it, since the
# score below was computed with the rule as written.
header __SARE_YG_UNSUB List-Unsubscribe =~ m''
header __SARE_YG_XEGRTN X-eGroups-Return =~ m'\@returns.groups.yahoo.com'
header __SARE_YG_XMAILER X-Mailer =~ m'Yahoo Groups Message Poster'

###########################################################################
# SARE_HIRISK_FORGED_ATT
###########################################################################
# This rule is like the spoof records found in SARE's spoof.cf rule set,
# except that emails which match this rule do not claim to be from a specific
# company (eg: PayPal or Ebay), but instead claim to be from some individual
# ISP user within the AT&T domain.
# Since such users can easily send emails through Yahoo Groups webmail interfaces
# and similar systems, we cannot state that emails from the AT&T domains must
# come from some AT&T computer system.
# We attempt here to exclude the known webmail and similar sources such emails
# could come from, but we're confident we have not been able to list them all.
#
# Defined but not referenced by the meta rule below (which uses
# __SARE_HIRISK_FROM_AT2 instead). Note that the "." between "att" and the
# TLD is not escaped, so it matches any single character.
header __SARE_HIRISK_FROM_ATT From =~ /\@(?:(?:worldnet|broadband|aetrs\.cmd)\.)?att.(?:net|com)/i
# MESSAGEID is SpamAssassin's pseudo-header for Message-Id and its
# Resent-/X- variants, so an AT&T-generated message id anywhere counts.
header __SARE_HIRISK_ATT_MSGI MESSAGEID =~ /att\.(?:com|net)/
# Matches ANY Received header. Received lines added before the message
# reached a trusted relay are supplied by the sending side, so this negative
# test only excludes forgeries that make no attempt to look like they
# transited AT&T. Treat it as a false-positive guard, not as authentication.
header __SARE_HIRISK_ATT_RCVD Received =~ /att\.(?:net|com)/
# Return-path is usually written by the receiving MTA from the envelope
# sender; "\>" requires a literal ">" right after the TLD, i.e. the domain
# must end the bracketed address.
header __SARE_HIRISK_ATT_RTN Return-path =~ /att\.(?:net|com)\>/
# The positive condition: the From domain contains "att" as a separated
# label (att-foo.com, foo.att.net, ...). The pattern is not anchored at the
# end, so after "att[-._]" the ".*" may run on and "(?:com|net)" need only
# appear somewhere later — e.g. an address at att.company.org also matches
# (constructed example), which widens the rule beyond AT&T's own domains.
header __SARE_HIRISK_FROM_AT2 From =~ /\@(?:att[-._].*|.*[-._]att\..*)(?:com|net)/i
# Fires when the From address looks like AT&T but no other header shows an
# AT&T origin, AND none of the webmail / Yahoo Groups indicators above is
# present. All of these are sender-controlled headers (see the Received
# caveat), which is why the rule lives in the high-risk set.
meta SARE_HIRISK_FORGED_ATT ( __SARE_HIRISK_FROM_AT2 && !__SARE_HIRISK_ATT_RCVD && !__SARE_HIRISK_ATT_MSGI && !__SARE_HIRISK_ATT_RTN && !__SARE_EXIST_XAPPTO && !__SARE_EXIST_XORIGIP && !__SARE_EXIST_XSNDR && !__SARE_PREC_BULK && !__SARE_EXIST_XYPROF && !__SARE_EXIST_YGRMTIP && !__SARE_YG_MAILLIST && !__SARE_YG_MSGID && !__SARE_YG_UAGENT && !__SARE_YG_UNSUB && !__SARE_YG_XEGRTN && !__SARE_YG_XMAILER )
# Mass-check derived score (Modified: 2005-02-10). Low on purpose: the #ham
# line below documents a known false-positive class (web feedback forms).
score SARE_HIRISK_FORGED_ATT 0.184
#hist SARE_HIRISK_FORGED_ATT Enhanced by Bob Menschel May 20 2004 to avoid many Yahoo Groups ham hits
#ham SARE_HIRISK_FORGED_ATT Hits emails sent by online feedback email forms that send "from" correspondant but on recipient's domain
#note SARE_HIRISK_FORGED_ATT Those with such email forms within their domain should add rule to apply negative score to such emails.
# #counts format: <spam hits>s/<ham hits>h of <corpus size> corpus
# (<spam>s/<ham>h in that corpus, contributor's initials) <date>.
#counts SARE_HIRISK_FORGED_ATT 36s/2h of 118868 corpus (71085s/47783h RM) 02/10/05
#counts SARE_HIRISK_FORGED_ATT 192s/1h of 93110 corpus (71306s/21804h RM) 05/20/04
#counts SARE_HIRISK_FORGED_ATT 4s/0h of 54068 corpus (16890s/37178h JH-3.01) 02/02/05
#counts SARE_HIRISK_FORGED_ATT 3s/10h of 22027 corpus (18702s/3325h MY) 02/02/05
# EOF