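# SARE Spoof Ruleset for SpamAssassin
# Version: 1.06.12
# Created: 2004-03-01
# Modified: 2005-06-01
# Changes: Fixed SARE_SPOOF_OURI, re-upped score
# License: Artistic - see http://www.rulesemporium.com/license.txt
# Current Maintainer: Fred Tarasevicius - tech2@i-is.com
# Current Home: http://www.rulesemporium.com/rules/70_sare_spoof.cf
# Comments: Some scores are high enough to counter whitelist entries, adjust as needed.
#
# How the SARE_FORGED_* rules in this file work: a From: header naming the brand, plus a
# URI pointing at the brand's domain, but NO Received: header mentioning the brand's mail
# hosts => the message is treated as forged.  Things a deployer should know before turning
# on the 100+ point scores below:
#
#  * The Received: checks are unanchored substring matches against the Received: headers.
#    Received: lines that were already on the message when it reached your own MTA were
#    written by the sender and can be forged, so a phisher who adds a
#    "Received: from mail.paypal.com ..." line satisfies __RCVD_* and defeats the test.
#    NOTE(review): these rules do not consult SpamAssassin's trusted_networks /
#    internal_networks settings, which are what separate your headers from the sender's.
#  * The same substring match also fires if the brand's domain shows up in a Received:
#    line for an unrelated reason (e.g. a "for <user@paypal.com>" clause).  That only
#    suppresses the rule (false negative), it never triggers it.
#  * The From: patterns are unanchored and match the display name as well as the address.
#    That is deliberate ("PayPal.com Security" <x@example.net> is the case being hunted),
#    but it means a legitimate sender who mentions the brand in the display name and links
#    to it is one missing Received: line away from a 104-point hit.
#  * Sender authentication (SPF/DKIM checks, where available) is a more reliable way to
#    decide whether mail really came from one of these domains; treat this file as a
#    heuristic supplement, not a substitute.

# The following NICE rule can be enabled if you choose, it works for me, adjust scores as needed.
#meta SARE_LEGIT_PAYPAL (__FROM_PAYPAL && __URI_PAYPAL && __RCVD_PAYPAL)
#describe SARE_LEGIT_PAYPAL Has signs it's from paypal, from, headers, uri
#score SARE_LEGIT_PAYPAL -0.01

# Added to bugzilla, I contacted news.com and received the OK for this to happen.
# NOTE(review): blacklist_from is scored through SpamAssassin's USER_IN_BLACKLIST rule
# (100 points in the stock config, so effectively an unconditional reject of every sender
# at that domain) - confirm that is still intended before deploying.
blacklist_from *@news.com

# Try to identify USBank.com e-mail
# Unanchored substring matches: "usbank.com.example.net" and "notusbank.com" satisfy
# every one of these sub-rules as well, which is acceptable for the From:/URI side
# (that is what a phisher writes) but weakens the Received: side (see header notes).
header __RCVD_USBANK Received =~ /usbank\.com/i
header __FROM_USBANK From =~ /usbank\.com/i
uri __URI_USBANK /usbank\.com/i
meta SARE_FORGED_USBANK (__FROM_USBANK && __URI_USBANK && !__RCVD_USBANK)
# describe added for consistency with the other SARE_FORGED_* rules (was missing).
describe SARE_FORGED_USBANK Message appears to be forged, (usbank.com)
score SARE_FORGED_USBANK 4.4 # needs score adjustment !!!!!!

#--------------------------------------------------------------------------------------------------#
## THESE RULES HAVE VERY LARGE SCORES, PLEASE ADJUST TO YOUR NEEDS, I NEED TO OVERRIDE WHITELIST. ##
#--------------------------------------------------------------------------------------------------#
# 104.0 is presumably chosen to outweigh a whitelist_from hit (USER_IN_WHITELIST, -100 in the
# stock config).  A false positive at this score is unrecoverable for the recipient, so if
# you do not need to beat a whitelist, lower these to a normal spam-threshold score.
# Try to identify PAYPAL spoofs by looking for elements which should always appear.
# If we have a From and an URL of one of these guys, we should also have a received line to match!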
# PayPal.  __RCVD_PAYPAL also accepts postdirect.com - presumably a bulk-mail vendor that
# sent on PayPal's behalf when this was written; verify it is still the case.  The leading
# "\." requires a host *under* one of those domains.  __FROM_PAYPAL matches "@paypal.com"
# or any ".paypal.com" (subdomains, and display names such as "www.paypal.com").
# __URI_PAYPAL matches any URI containing "paypal.com", including look-alikes such as
# "paypal.com.example.net" - intentional, that is the phishing pattern.
header __RCVD_PAYPAL Received =~ /\.(?:paypal|postdirect)\.com/i
header __FROM_PAYPAL From =~ /[\@\.]paypal\.com/i
uri __URI_PAYPAL /paypal\.com/i
meta SARE_FORGED_PAYPAL (__FROM_PAYPAL && __URI_PAYPAL && !__RCVD_PAYPAL)
describe SARE_FORGED_PAYPAL Message appears to be forged, (paypal.com)
score SARE_FORGED_PAYPAL 104.0

# Try to identify EBAY spoofs by looking for elements which should always appear.
# If we have a From and an URL of one of these guys, we should also have a received line to match!
# __RCVD_EBAY: the optional "(?:email)?" group is redundant - whenever it matches, the
# "[^\s@]" alternative with the group empty matches too - so the effective test is "one
# non-space, non-@ character followed by ebay.com" (e.g. ".ebay.com", but also "xebay.com").
# __FROM_EBAY matches "@ebay.com" or the literal "@emailebay.com"; it does NOT match
# "@email.ebay.com" (no dot allowed after "email").  NOTE(review): if legitimate eBay mail
# uses a dotted email*.ebay.com sender, such mail simply never enters this rule - confirm.
header __RCVD_EBAY Received =~ /(?:email)?[^\s@]ebay\.com/i
header __FROM_EBAY From =~ /\@(?:email)?ebay\.com/i
uri __URI_EBAY /ebay\.com/i
meta SARE_FORGED_EBAY (__FROM_EBAY && __URI_EBAY && !__RCVD_EBAY)
describe SARE_FORGED_EBAY Message appears to be forged, (ebay.com)
score SARE_FORGED_EBAY 104.0

# Try to identify CITIBANK spoofs by looking for elements which should always appear.
# If we have a From and an URL of one of these guys, we should also have a received line to match!
# __RCVD_CITIBNK accepts several Citi brand domains plus acxiom.com and c2it.com -
# presumably third-party / affiliate senders observed delivering Citi mail at the time;
# each extra domain here is one more name a forger can drop into a fake Received: line.
# From:/URI only look for citi.com / citibank.com.
header __RCVD_CITIBNK Received =~ /(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com/i
header __FROM_CITIBNK From =~ /citi(?:bank)?\.com/i
uri __URI_CITIBNK /citi(?:bank)?\.com/i
meta SARE_FORGED_CITI (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)
describe SARE_FORGED_CITI Message appears to be forged, (citibank.com)
score SARE_FORGED_CITI 104.0

# Try to identify SUNTRUST spoofs by looking for elements which should always appear.
# If we have a From and an URL of one of these guys, we should also have a received line to match!
# __URI_SUNTRUST deliberately allows up to 25 extra [a-z0-9-] characters between
# "suntrust" and ".com" so look-alike domains ("suntrust-verify.com") count as a
# SunTrust URI; __RCVD_SUNTRUST only accepts hosts under the real suntrust.com.
header __RCVD_SUNTRUST Received =~ /\.suntrust\.com/i
header __FROM_SUNTRUST From =~ /[\@\.]suntrust\.com/i
uri __URI_SUNTRUST /suntrust[a-z0-9-]{0,25}\.com/i
meta SARE_FORGED_SUNTRUST (__FROM_SUNTRUST && __URI_SUNTRUST && !__RCVD_SUNTRUST)
describe SARE_FORGED_SUNTRUST Message appears to be forged, (suntrust.com)
score SARE_FORGED_SUNTRUST 104.0

# I'm testing a few new variations of these rules, trying to find people just spoofing the from headers.
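# From: claims PayPal but no Received: line mentions PayPal.  Unlike SARE_FORGED_PAYPAL
# this has no URI corroboration, hence the small score.
meta SARE_FORGED_PAYPAL_C (__FROM_PAYPAL && !__RCVD_PAYPAL)
describe SARE_FORGED_PAYPAL_C Has Paypal from, no Paypal received header.
score SARE_FORGED_PAYPAL_C 1.3

# About.com has plenty of spams which spoof their address. Here's a set of rules just for them ;)
# Note the inverted URI test: this fires when about.com is in From: but the message neither
# came via about.com NOR links to it - i.e. the address is merely borrowed, the message is
# not trying to look like about.com content.
header __RCVD_ABOUT_COM Received =~ /about\.com/i
header __FROM_ABOUT_COM From =~ /about\.com/i
uri __URI_ABOUT_COM /about\.com/i
meta SARE_FORGED_ABOUT (!__RCVD_ABOUT_COM && __FROM_ABOUT_COM && !__URI_ABOUT_COM)
describe SARE_FORGED_ABOUT Message appears to be forged, (about.com)
score SARE_FORGED_ABOUT 2.0

# Some messages like to use message-id of large provider and a from of another.
# MESSAGEID is SpamAssassin's pseudo-header for Message-Id (and its Resent-/X- variants).
# NOTE(review): these assume mail originating at a provider always carries that provider's
# domain in From:; regional sibling domains (e.g. a yahoo.co.uk sender with a @yahoo.com
# Message-ID) would hit these rules - confirm against your own ham before raising scores.
header __AT_YAHOO_MSGID MESSAGEID =~ /\@yahoo\.com/i
header __FROM_YAHOO_COM From =~ /\@yahoo\.com/i
meta SARE_MSGID_YAHOO (__AT_YAHOO_MSGID && !__FROM_YAHOO_COM)
describe SARE_MSGID_YAHOO Message-ID is forged, (yahoo.com)
score SARE_MSGID_YAHOO 3.0

# MSN/Hotmail exempt each other's (and Yahoo's) From: domains - presumably because mail
# from those providers was observed carrying a sibling provider's Message-ID.
# __FROM_HOTMAIL_COM is defined below; SpamAssassin resolves meta dependencies after the
# whole config is read, so the forward reference should be fine.
header __AT_MSN_MSGID MESSAGEID =~ /\@msn\.com/i
header __FROM_MSN_COM From =~ /\@msn\.com/i
meta SARE_MSGID_MSN (__AT_MSN_MSGID && (!__FROM_MSN_COM && !__FROM_HOTMAIL_COM && !__FROM_YAHOO_COM))
describe SARE_MSGID_MSN Message-ID is forged, (msn.com)
score SARE_MSGID_MSN 2.0

header __AT_HOTMAIL_MSGID MESSAGEID =~ /\@hotmail\.com/i
header __FROM_HOTMAIL_COM From =~ /\@hotmail\.com/i
meta SARE_MSGID_HOTMAIL (__AT_HOTMAIL_MSGID && (!__FROM_HOTMAIL_COM && !__FROM_MSN_COM && !__FROM_YAHOO_COM))
describe SARE_MSGID_HOTMAIL Message-ID is forged, (hotmail.com)
score SARE_MSGID_HOTMAIL 2.8

header __AT_AOL_MSGID MESSAGEID =~ /\@aol\.com/i
header __FROM_AOL_COM From =~ /\@aol\.com/i
meta SARE_MSGID_AOL (__AT_AOL_MSGID && !__FROM_AOL_COM)
describe SARE_MSGID_AOL Message-ID is forged, (aol.com)
score SARE_MSGID_AOL 2.0

# Excite is checked against Received: rather than From:.  Same caveat as the
# SARE_FORGED_* rules: a sender-supplied Received: line naming excite.com suppresses this.
header __AT_EXCITE_MSGID MESSAGEID =~ /\@excite\.com/i
header __MY_RCVD_EXCITE Received =~ /\.excite\.com/i
meta SARE_MSGID_EXCITE (__AT_EXCITE_MSGID && !__MY_RCVD_EXCITE)
describe SARE_MSGID_EXCITE Message-ID is forged, (excite.com)
score SARE_MSGID_EXCITE 3.0

# CBS requires both a non-cbs.com From: and no cbs.com Received: line.
header __AT_CBS_MSGID MESSAGEID =~ /\@cbs\.com/i
header __FROM_CBS_COM From =~ /\@cbs\.com/i
header __MY_RCVD_CBS Received =~ /\.cbs\.com/i
meta SARE_MSGID_CBS (__AT_CBS_MSGID && !__FROM_CBS_COM && !__MY_RCVD_CBS)
describe SARE_MSGID_CBS Message-ID is forged, (cbs.com)
score SARE_MSGID_CBS 2.0

# Added 22-4-2004 by Jesse Houwing
# Nested-domain look-alikes: a real brand hostname buried inside an attacker's domain
# ("http://www.paypal.com.login.example.net/").  Only \w labels are considered, so
# hyphenated labels are not covered.  Both rules score 2.5, so the split is informational.
#
# FIX: the two regexes were swapped relative to their names/describes.  The pattern
# under SARE_SPOOF_COM2COM previously required two dotted labels after "com." and so
# could not match its own "a.com.b.com" example, while SARE_SPOOF_COM2OTH required a
# second "com".  Rule names are kept (users may have score overrides); the bodies now
# match what each name and describe say.  Total score of a hit is unchanged.
uri SARE_SPOOF_COM2COM m{^https?://(?:\w+\.)+?com\.(?:\w+\.)+?com}i
describe SARE_SPOOF_COM2COM a.com.b.com
score SARE_SPOOF_COM2COM 2.5

uri SARE_SPOOF_COM2OTH m{^https?://(?:\w+\.)+?com\.(?:\w+\.){2,}}i
describe SARE_SPOOF_COM2OTH a.com.b.c
score SARE_SPOOF_COM2OTH 2.5

# Obfuscated variant of the above: scheme, "://" and dots may be %-encoded, an optional
# "user@" prefix is allowed (catches "http://www.paypal.com@evil.example/" style URLs),
# then >=2 host labels, then "org"/"com"/"www", then >=2 further labels.  Hosts under
# edgesuite.net (Akamai-style "www.brand.com.edgesuite.net" names) are exempted because
# that form is legitimate.  The optional trailing port is harmless but does not constrain
# the match.
#
# FIX: the first host-label character class was missing its opening "[" - Perl treats the
# resulting bare "]" as a literal, so the rule required the text "a-z0-9_%-]" in the host
# and could never match real mail.  Restored to "[a-z0-9_%-]".
uri SARE_SPOOF_OURI m{^(?:h|%68|%48)(?:t|%74|%54)(?:t|%74|%54)(?:p|%70|%50)(?:s|%73|%53)?(?::|%3a)(?:/|%2f){0,2}(?:[^@]+@)*?(?:[a-z0-9_%-]+?(?:\.|%2e)){2,}(?:org|com|www)(?!\.edgesuite\.net)(?:(?:\.|%2e)[a-z0-9_%-]+?){2,}(?:(?::|%3a)\d+)?}i
describe SARE_SPOOF_OURI URL has items in odd places
score SARE_SPOOF_OURI 2.5

# Describe length test for 3.0 requirements (describe text must fit in 50 characters):
# 12345678901234567890123456789012345678901234567890
#          1         2         3         4         5
#
# EOF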