1 2# 3# Ruleset to match fill-in-this-form body text 4# common in scams and loan spams 5# occasional in phishing 6# 7# Requires multipass ReplaceTags plugin 8# 9# If you are using this with 3.2.5, make sure you get this as well: 10# http://svn.apache.org/viewvc/spamassassin/branches/3.2/lib/Mail/SpamAssassin/Plugin/ReplaceTags.pm 11# 12# <jhardin@impsec.org> 13# $Id$ 14# 15 16ifplugin Mail::SpamAssassin::Plugin::ReplaceTags 17 18 # Repetitive syntactic bits 19 replace_tag FF_LNNO (?:(?:\d{1,3}(?:[)}\]:.,]{1,80}|(?:st|nd|rd|th)[)}\]:.,]{0,3})|\W?\([\div]{1,5}\)|\W?\{\d{1,3}\}|\[\d{1,3}\]|\*{1,5}|\#{1,5}|\(?[A-K][)}\]:.,]{1,3})\s?) 20 replace_tag FF_YOUR (?:a?\s?copy\sof\s)?(?:(?:your|din|seu|twoje)[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full(?:st[\xe4]ndigt)?\s?|complete\s|direct\s|private?\s|valid\s|personal\s|nuvarande\s|vollst[\xe4]ndige\s|aktuelle\s|pe\s(?:ne\s)?){0,3} 21 replace_tag ANDOR (?:\s?[\/&+,]\s?|\sor\s|\sand?\s) 22 replace_tag NUMBER (?:(?:ruf)?num(?:[bm]er)?\(?s?\)?|nos?\.|no\b|n[\xb0]|\#s?|nbrs?\.?) 23 replace_tag FF_SUFFIX (?:\sin\s(?:full|words)|\scompleto)?:?(?:\s?[({][^)}]{1,30}[)}])? 24 replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){3,100})) 25 replace_tag FF_BLANK2 (?:[^-=_.,:;*\w]{0,3}(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){1,100}) 26 27 # Address variations 28 replace_tag FF_A1 (?:(?:countr?y|city|province|ter+itory|(?:zip|post(?:al)?)(?:\s?code)?|st?ates?|ad+res+e?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))? 29 replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail|bostads|wohn)<ANDOR>?){0,3}\s?(?:ad+res+[es]{0,2}|location|endere[\xe7]o)(?:\sline)?(?:\s[0-9])? 30 31 # Name variations 32 replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|user|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:<ANDOR>ad+res+)? 33 34 # Telephone variations 35 replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one?)?|(?:ph|f)one|private)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s?<NUMBER>)?<ANDOR>?){1,3} 36 37 # Misc personal data 38 replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|(?:user )?email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)<ANDOR>?){1,3} 39 40 # Loan application details 41 replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?s?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf|zaw(?:=F3|[\xf3])d) 42 43 # Financial/ID details (scams and phishing) 44 replace_tag FF_F1 (?:(?:bank(?:ing)?|beneficiary|billing|acc(?:oun)?t|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|institution|a\/c|<NUMBER>)<ANDOR>?){1,3} 45 replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(?:en[sc]e)?|pas+\s?port|id\scard|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?)<ANDOR>?){1,3}(?:\s<NUMBER>)? 46 replace_tag FF_F3 (?:picture|zdj\scie|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|(?:e-?mail\s)?pas+word|e-?mai?l\sid|amount\s[\w\s]{0,30}lost[\w\s]{0,15}) 47 replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names? 48 replace_tag FF_F5 (?:ref(?:erence)?|batch|win+ing|award|billet)[-\s]?<NUMBER> 49 50 # All variations together 51 replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>|<FF_L1>) 52 53 # 5+ fields (high reliability) 54 # Leave this exposed, it's a fairly good spam sign by itself 55 body __FILL_THIS_FORM_LONG1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i 56 body __FILL_THIS_FORM_LONG2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i 57 replace_rules __FILL_THIS_FORM_LONG1 58 replace_rules __FILL_THIS_FORM_LONG2 59 meta __FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG1 || __FILL_THIS_FORM_LONG2 60 meta FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY 61 describe FILL_THIS_FORM_LONG Fill in a form with personal information 62 score FILL_THIS_FORM_LONG 2.00 # limit 63 64 # 5+ fields that body paragraph processing didn't paste together 65 body __FILL_THIS_FORM_PARTIAL /^\s?<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20){1,4}$)/im 66 replace_rules __FILL_THIS_FORM_PARTIAL 67 tflags __FILL_THIS_FORM_PARTIAL multiple maxhits=5 68 rawbody __FILL_THIS_FORM_PARTIAL_RAW /^(?>\s{0,50})<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20| |<\/\w+>){0,4}$)/im 69 replace_rules __FILL_THIS_FORM_PARTIAL_RAW 70 tflags __FILL_THIS_FORM_PARTIAL_RAW multiple maxhits=5 71 72 # 5+ fields in either format 73 # For easy use in metas 74 meta __FILL_THIS_FORM (__FILL_THIS_FORM_LONG || __FILL_THIS_FORM_PARTIAL > 4 || __FILL_THIS_FORM_PARTIAL_RAW > 4) 75 meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML 76 describe FILL_THIS_FORM Fill in a form with personal information 77 #score FILL_THIS_FORM 1.00 78 tflags FILL_THIS_FORM publish 79 80 # 3 or 4 fields (low reliability, but still useful in metas 81 body __FILL_THIS_FORM_SHORT1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i 82 body __FILL_THIS_FORM_SHORT2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i 83 replace_rules __FILL_THIS_FORM_SHORT1 84 replace_rules __FILL_THIS_FORM_SHORT2 85 meta __FILL_THIS_FORM_SHORT !__FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT1 || __FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_PARTIAL > 2 || __FILL_THIS_FORM_PARTIAL_RAW > 2) 86 meta FILL_THIS_FORM_SHORT __FILL_THIS_FORM_SHORT && !__VIA_ML && !__MSGID_JAVAMAIL 87 describe FILL_THIS_FORM_SHORT Fill in a short form with personal information 88 score FILL_THIS_FORM_SHORT 1.00 # limit 89 90 # Add to score if loan question is present 91 body __FILL_THIS_FORM_LOAN1 /<FF_YOUR><FF_L1><FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i 92 replace_rules __FILL_THIS_FORM_LOAN1 93 meta __FILL_THIS_FORM_LOAN __FILL_THIS_FORM && __FILL_THIS_FORM_LOAN1 94 meta FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE 95 describe FILL_THIS_FORM_LOAN Answer loan question(s) 96 score FILL_THIS_FORM_LOAN 2.0 97 98 # Add to score if fraud/phishing question is present 99 body __FILL_THIS_FORM_FRAUD_PHISH1 /<FF_YOUR>(?:<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i 100 replace_rules __FILL_THIS_FORM_FRAUD_PHISH1 101 meta __FILL_THIS_FORM_FRAUD_PHISH (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FILL_THIS_FORM_FRAUD_PHISH1 || __EMAIL_PHISH || __ACCT_PHISH) 102 meta FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__SPOOFED_URL && !__VIA_ML && !__HAS_IN_REPLY_TO && !__THREADED && !__HDR_RCVD_SHOPIFY && !__HAS_ERRORS_TO 103 describe FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s) 104 #score FILL_THIS_FORM_FRAUD_PHISH 1.50 105 106else 107 meta __FILL_THIS_FORM_LONG1 0 108 meta __FILL_THIS_FORM_LONG2 0 109 meta __FILL_THIS_FORM_LONG 0 110 meta __FILL_THIS_FORM_PARTIAL 0 111 meta __FILL_THIS_FORM_PARTIAL_RAW 0 112 meta __FILL_THIS_FORM 0 113 meta __FILL_THIS_FORM_SHORT1 0 114 meta __FILL_THIS_FORM_SHORT2 0 115 meta __FILL_THIS_FORM_SHORT 0 116 meta __FILL_THIS_FORM_LOAN1 0 117 meta __FILL_THIS_FORM_LOAN 0 118 meta __FILL_THIS_FORM_FRAUD_PHISH1 0 119 meta __FILL_THIS_FORM_FRAUD_PHISH 0 120endif # Mail::SpamAssassin::Plugin::ReplaceTags 121