1# SPAMSW-PATTERNS.RC 2# 3# Recipes to catch known spam-only software. 4# 5# Last updated: 10/01/2011 6 7LOCALSCORE=0 8 9# Bogus AOL Mailer 10:0 11* ^X-Mailer:.*[^-_0-9a-z]AOL([^a-z0-9.]|\. |\.$|$) 12* ! ^Received: from .*[^-_0-9a-z]aol\.com([^a-z0-9.]|\. |\.$|$) 13{ 14 SBLOG="C3T-${TESTNAME} (Bogus AOL X-Mailer)" 15 INCLUDERC=${SBDIR}/functions/loglevel.rc 16 17 :0 18 * $ ${LOCALSCORE}^0 19 * 4^0 20 { LOCALSCORE=$= } 21} 22 23# Bogus AV Mailer 24# 25:0 D 26* ^X-Mailer: [a-z]+ [a-z]+ [a-z]+$ 27* ^Received: from [0-9][0-9][0-9]\.[0-9][0-9][0-9]\.[0-9][0-9][0-9]\.[0-9][0-9][0-9] \(\[[0-9][0-9][0-9]\.[0-9][0-9][0-9]\.[0-9][0-9][0-9]\.[0-9][0-9][0-9]\]\) 28* ^X-Declude-Sender: 29* ^X-Note: This E-mail was scanned by Declude JunkMail \(www\.declude\.com\) for spam\.$ 30{ 31 SBLOG="C3T-${TESTNAME} (Bogus AV Mailer)" 32 INCLUDERC=${SBDIR}/functions/loglevel.rc 33 34 :0 35 * $ ${LOCALSCORE}^0 36 * 4^0 37 { LOCALSCORE=$= } 38} 39 40# Book Words Mailer 41# 42:0 D 43* ^X-Mailer: ([a-z][a-z]+ )*$ 44* boundary=\"(--)?[0-9][0-9]+\" 45{ 46 SBLOG="C3T-${TESTNAME} (Book Words Mailer)" 47 INCLUDERC=${SBDIR}/functions/loglevel.rc 48 49 :0 50 * $ ${LOCALSCORE}^0 51 * 4^0 52 { LOCALSCORE=$= } 53} 54 55# Book Words Mailer (new) 56# 57# Testing a recipe for a morph of the Book Words Mailer. 58# 59:0 60* LEANTAG ?? no 61* ^Content-Type: multipart/alternative 62* ^[^0-9a-z]*boundary=\"[0-9]+\"$ 63{ 64 :0 BD 65 * -1000^0 66 * 1100^0 ^--[0-9]+$\ 67 Content-Type: text/plain;$\ 68 () charset=\"windows-1252\"$\ 69 Content-Transfer-Encoding: 7Bit$$\ 70 (([A-Za-z][a-z]+ )+$)+$$\ 71 --[0-9]+$\ 72 Content-Type: text/html;$\ 73 () charset=\"windows-1252\"$\ 74 Content-Transfer-Encoding: 7Bit$$\ 75 ()<html>$\ 76 ()<body>$\ 77 ()<font style=font-size:1px>(([A-Za-z][a-z]+ )+$)+</font>$ 78 { 79 SBLOG="C3T-${TESTNAME} (New Book Words Mailer)" 80 INCLUDERC=${SBDIR}/functions/loglevel.rc 81 82 :0 83 * $ ${LOCALSCORE}^0 84 * 4^0 85 { LOCALSCORE=$= } 86 } 87} 88 89# Cool Sender Toplu Mail 90:0 91* -1000^0 92* B ?? 600^0 (^|[^0-9a-z])Cool Sender([^a-z0-9.]|\. |\.$|$) 93* B ?? 600^0 (^|[^0-9a-z])Toplu Mail([^a-z0-9.]|\. |\.$|$) 94{ 95 SBLOG="C3T-${TESTNAME} (Cool Sender)" 96 INCLUDERC=${SBDIR}/functions/loglevel.rc 97 98 :0 99 * $ ${LOCALSCORE}^0 100 * 4^0 101 { LOCALSCORE=$= } 102} 103 104 105# DynaMailer 106:0 107* ! ^X-Mailer:.*(BillettServiceMail|GRMessageQueue) 108* ^(To:.*[^0-9a-z]d.?mail(er)?[^0-9a-z]|\ 109 X-Mailer: ([a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9][a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?$|\ 110 D(yna)?Mailer)) 111{ 112 SBLOG="C3T-${TESTNAME} (DynaMailer)" 113 INCLUDERC=${SBDIR}/functions/loglevel.rc 114 115 :0 116 * $ ${LOCALSCORE}^0 117 * 4^0 118 { LOCALSCORE=$= } 119} 120 121# Golden Launcher 122:0 123* ^X-Mailer: Microsoft Outlook Express 5\.00\.2919\.6900 DM 124{ 125 SBLOG="C3T-${TESTNAME} (Golden Launcher)" 126 INCLUDERC=${SBDIR}/functions/loglevel.rc 127 128 :0 129 * $ ${LOCALSCORE}^0 130 * 4^0 131 { LOCALSCORE=$= } 132} 133 134# MIME-ALT Mailer 135:0 D 136* -1000^0 137* 300^0 ^Received:.*[^0-9a-z.]mail\.pander\.com([^a-z0-9.]|\. |\.$|$) 138* 300^0 ^Received:.*[^0-9a-z.]mail\.poke\.com([^a-z0-9.]|\. |\.$|$) 139* 600^0 ^X-Mailer: mPOP Web-Mail 2\.19$ 140* 600^0 ^X-Mailer: miPOP WebMail 3\.29$ 141* 600^0 ^X-Originating-IP: \[[0-9a-z][-_0-9a-z]+\.[a-z][a-z][a-z]?[a-z]?IP\] 142* 600^0 boundary=\"--ALT-- 143* 600^0 ^Subject: (Fwd|Re): ([A-Z]+|%RND_UC_CHAR\[[0-9]-[0-9]\]),([0-9]+,)? [0-9a-z]+[^0-9a-zA-Z]* [0-9a-z]+[^0-9a-zA-Z]* [0-9a-z]+([^0-9a-zA-Z]*|\[[0-9]+\])$ 144{ 145 SBLOG="C3T-${TESTNAME} (MIME-ALT Mailer)" 146 INCLUDERC=${SBDIR}/functions/loglevel.rc 147 148 :0 149 * $ ${LOCALSCORE}^0 150 * 4^0 151 { LOCALSCORE=$= } 152} 153 154# mail.ru phony "legitimate" bulk mailing list 155:0 156* -1000^0 157* 1100^0 ^(Batched-Sender|From|Received|Reply-To|To):.*[^0-9a-z](mail\.ru|subscribe\.ru)([^a-z0-9.]|$) 158* 1100^0 ^(Batched-IP|Received|X-Original-IP):.*[^0-9a-z]194\.67\.45\.[0-9][0-9]?[0-9]?([^a-z0-9.]|$) 159* 1100^0 ^To:.*[^0-9a-z]subscribers@list\.ru([^a-z0-9.]|$) 160* 600^0 ^X-Mailer: miPOP WebMail 3\.29$ 161* 600^0 ^X-Originating-IP: \[[0-9a-z][-_0-9a-z]+\.[a-z][a-z][a-z]?[a-z]?IP\] 162* 600^0 boundary=\"--ALT-- 163* 600^0 ^Subject: (Fwd|Re): ([A-Z]+|%RND_UC_CHAR\[[0-9]-[0-9]\]),([0-9]+,)? [0-9a-z]+[^0-9a-zA-Z]* [0-9a-z]+[^0-9a-zA-Z]* [0-9a-z]+([^0-9a-zA-Z]*|\[[0-9]+\])$ 164{ 165 SBLOG="C3T-${TESTNAME} (mail.ru phony "legitimate" bulk email list)" 166 INCLUDERC=${SBDIR}/functions/loglevel.rc 167 168 :0 169 * $ ${LOCALSCORE}^0 170 * 4^0 171 { LOCALSCORE=$= } 172} 173 174# Message.html spam software 175# 176:0 177* LEANTAG ?? ^no$ 178* ^Content-Type: multipart/(alternative|mixed|related) 179{ 180 :0 B 181 * ^--[^ ]+$\ 182 Content-Type: text/plain; charset=us-ascii$\ 183 Content-Transfer-Encoding: 7bit$$\ 184 See attachment message\.html$ 185 { 186 SBLOG="C3T-${TESTNAME} (message.html mailer)" 187 INCLUDERC=${SBDIR}/functions/loglevel.rc 188 189 :0 190 * $ ${LOCALSCORE}^0 191 * 4^0 192 { LOCALSCORE=$= } 193 } 194} 195 196# Message.html spam software morph 197# 198:0 199* LEANTAG ?? ^no$ 200* ^Content-Type: multipart/alternative; boundary= 201{ 202 :0 B 203 * ^--[^ ]+$\ 204 Content-Type: text/(plain|html); charset=\"[-_0-9a-z]+\"$\ 205 Content-Transfer-Encoding: quoted-printable$$\ 206 (^[^ ]+$)+$\ 207 --[^ ]+$ 208 { 209 SBLOG="C3T-${TESTNAME} (new message.html mailer)" 210 INCLUDERC=${SBDIR}/functions/loglevel.rc 211 212 :0 213 * $ ${LOCALSCORE}^0 214 * 4^0 215 { LOCALSCORE=$= } 216 } 217} 218 219 220# mPop Bulk Mailer 221# 222# (Morph of MIME-ALT mailer) 223# 224:0 D 225* -1000^0 226* 600^0 ^X-Mailer: mPOP Web-Mail 2\.19$ 227* 600^0 ^X-Originating-IP: \[[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\] 228* 600^0 boundary=\"[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+\" 229{ 230 SBLOG="C3T-${TESTNAME} (mPop Bulk Mailer)" 231 INCLUDERC=${SBDIR}/functions/loglevel.rc 232 233 :0 234 * $ ${LOCALSCORE}^0 235 * 4^0 236 { LOCALSCORE=$= } 237} 238 239# myguestbook.exe 240:0 241* -1000^0 242* -200^1 ^[:;#>] 243* 500^0 ^References:\s+[A-F0-9]{9,9}$ 244* 500^0 ^X-References:\s+[A-F0-9]{9,9}, [A-F0-9]{9,9}$ 245* 500^0 ^X-Other-References:\s+[A-F0-9]{9,9}$ 246* 500^0 ^X-In-Response-To:\s+[A-F0-9]{9,9}$ 247* 500^0 ^X-See-Also:\s+[A-F0-9]{9,9}$ 248* 500^0 ^X-Via:.+#$ 249* 500^0 ^X-Mailer:.+Internet Mail Service \[[0-9.]+\] 250* 500^0 ^MessageID: 251{ 252 SBLOG="C3T-${TESTNAME} (myguestbook.exe mailer)" 253 INCLUDERC=${SBDIR}/functions/loglevel.rc 254 255 :0 256 * $ ${LOCALSCORE}^0 257 * 4^0 258 { LOCALSCORE=$= } 259} 260 261# Phony "The Bat" Email Client 262# 263:0 D 264* -1000^0 265* 600^0 ^X-Mailer: The Bat! \([0-9a-z.]+\) CD5BF9353B3B7091$ 266{ 267 SBLOG="C3T-${TESTNAME} (Phony The Bat Mailer)" 268 INCLUDERC=${SBDIR}/functions/loglevel.rc 269 270 :0 271 * $ ${LOCALSCORE}^0 272 * 4^0 273 { LOCALSCORE=$= } 274} 275 276# SXMailer 277:0 D 278* ^X-Mailer: sxmailer/ 279{ 280 SBLOG="C3T-${TESTNAME} (SXMailer)" 281 INCLUDERC=${SBDIR}/functions/loglevel.rc 282 283 :0 284 * $ ${LOCALSCORE}^0 285 * 4^0 286 { LOCALSCORE=$= } 287} 288 289# Other Spam Software X-Mailer: headers 290:0 291* ^X-(Mailer|Server): .*(\{\%xmailer\%\}|\ 292 [0-9]+KingInfo_Mailer|\ 293 4Admin\(tm\) Spam Filter|\ 294 Accucast|\ 295 AcquireWeb|\ 296 Anonymail|\ 297 AppMailer|\ 298 ArGoSoft MX Mailer|\ 299 Aristotle|\ 300 AutoroMail|\ 301 BallSacMailer|\ 302 BulkMailer|\ 303 carboxylic|\ 304 Carteiro TURBO|\ 305 cgiemail|\ 306 CSM[ ]|\ 307 Cybercreek Avalanche|\ 308 DailyXMailer|\ 309 DBM|\ 310 dd <[0-9][0-9]>|\ 311 diachronic|\ 312 Diffondi|\ 313 Direct Email|\ 314 disjunctive|\ 315 DM-SenderEX|\ 316 Easy Mass Mailer|\ 317 eBizmailer|\ 318 eGroups Message Poster|\ 319 EhooPost|\ 320 E-Mail Connection|\ 321 Email Panther|\ 322 eMerge|\ 323 Envex|\ 324 FletMail|\ 325 FoxMail|\ 326 Gammadyne|\ 327 GoldMine|\ 328 GRMessageQueue|\ 329 ikonmktg@|\ 330 ikonmktg\.com|\ 331 Jackpot|\ 332 JBH Msender|\ 333 jfmailer|\ 334 JiXing|\ 335 Kaufman Mail Warrior|\ 336 KingInfo_Mailer|\ 337 Klayperuda|\ 338 knowspam\.net|\ 339 Mach5|\ 340 Mail Bomber|\ 341 Mailchute|\ 342 Mailer Signature|\ 343 MailKing|\ 344 MailList Controller|\ 345 MailWorkZ|\ 346 MailXSender|\ 347 MassE-Mail|\ 348 massmail\.pl|\ 349 Mega-Mailer|\ 350 Millennium Mailer|\ 351 Mindcast|\ 352 Mircosoft|\ 353 MMailer|\ 354 Mozzila|\ 355 MSOUTLOOK|\ 356 Multimailer|\ 357 mxMAILPro|\ 358 Newsomemail|\ 359 Nixonmail|\ 360 Odulo BulkMail Master|\ 361 Opt-In Lightning|\ 362 PostCast|\ 363 Power Sending Sockets|\ 364 QuickSender|\ 365 QuickSMTP|\ 366 RIME|\ 367 RLSP Mailer|\ 368 Robot-Mail|\ 369 RoryMAILER|\ 370 SendBlaster|\ 371 Sir Mail-A-Lot|\ 372 SmartMailer|\ 373 SmartSend\.|\ 374 SMTP COMPONENT|\ 375 StormPost|\ 376 Super Mailer 9|\ 377 Telesale|\ 378 The HARVESTER|\ 379 TopMail|\ 380 UFO Mailer|\ 381 UFOMarketingPro|\ 382 V3,1,6,1|\ 383 VolleyMail|\ 384 WC Mail __ty__|\ 385 WelcomeMail|\ 386 X-Mailer|\ 387 YDH_optin_v[0-9].[0-9]|\ 388 yougotit|\ 389 YourWorldNews) 390{ 391 :0 392 { LOCALBUFFER=`${FORMAIL} -xX-Mailer:` } 393 394 SBLOG="C3T-${TESTNAME} (X-Mailer:${LOCALBUFFER})" 395 INCLUDERC=${SBDIR}/functions/loglevel.rc 396 397 :0 398 * $ ${LOCALSCORE}^0 399 * 4^0 400 { LOCALSCORE=$= } 401} 402 403# Spam Software -- Header Stigmata 404# 405:0 406* (^Abuse2-Tracking:|\ 407 (^|[^0-9a-z])boundary=\"MWZRelatedMessage\"|\ 408 ^Content-Alias:|\ 409 ^Content-Type: Commercial E-Mail|\ 410 ^Content-type: .*boundary=.?\#MYBOUNDARY\#|\ 411 ^Disposition-Notification-Options:|\ 412 ^FCC:|\ 413 ^From: [0-9a-z]+\|[0-9a-z]+ <[0-9a-z]+\|[0-9a-z]+@[0-9a-z]+\.[a-z][a-z]+>$|\ 414 ^Mail-System-Version: Broadc@st HTML|\ 415 ^Message-ID: <private\.company\.and\.not\.an\.ISP>|\ 416 ^Message-ID: <\$MESSAGE_ID>|\ 417 ^MIME-Version:.*[^0-9a-z]aortastafford|\ 418 ^MIME-Version:.*[^0-9a-z]sunflowerelsewhere|\ 419 ^Phone:|\ 420 ^Prevent-NonDelivery-Report:|\ 421 ^Received:.*ALLINTERNETUSERS|\ 422 ^Received:.*CLOAKED|\ 423 ^Received: from bulkserver|\ 424 ^Received:.*spam\.master|\ 425 ^Received:.*(^|[^-_0-9a-z])stealth([ ]|$)|\ 426 ^Received:.*--- unknown host ---|\ 427 ^Received:.*Wakeup|\ 428 ^Received:.*young-crook-|\ 429 RND_LC_CHAR\[[0-9]-[0-9]\]|\ 430 ^Status: MC|\ 431 ^Subject: \([0-9]*\).*\([0-9]*\)$|\ 432 ^To: .*_DeliverTo_[0-9a-z][-_0-9a-z]*@|\ 433 ^To: friends?@public\.com([^a-z0-9.]|\. |\.$|$)|\ 434 ^To.*(^|[^-_0-9a-z])user@|\ 435 ^To.*(^|[^-_0-9a-z])your?@|\ 436 ^To.*yourdomain\.com([^a-z0-9.]|\. |\.$|$)|\ 437 ^To.*WebSiteOwner@|\ 438 ^X-#:|\ 439 ^X-Advertisement:|\ 440 ^X-AMS:|\ 441 ^X-CS-IP:|\ 442 ^X-delete-me:|\ 443 ^x-dg:|\ 444 ^X-Distribution: Mass|\ 445 ^x-esmtp: [0-9] [0-9] [0-9]$|\ 446 ^X-Gmail-Received:|\ 447 ^X-Hyperlinkmail-ID:|\ 448 ^X-Identity-Key:|\ 449 ^X-Info: Antro Promotions|\ 450 ^X-Info: mailto:.* in case of spamming!|\ 451 ^X-MAIL-INFO:|\ 452 ^x-mpx-id:|\ 453 ^X-IdiRosNa: |\ 454 ^X-UtuBasAga: |\ 455 ^X-HrAga: |\ 456 ^X-BasUtuNaTeg: |\ 457 ^X-MimeOLE:Produced By Mircosoft|\ 458 ^X-Message-Info: |\ 459 ^X-visit: http://www\.WebPromote\.com/) 460* ! ^Received.*stealth\.net([^a-z0-9.]|\. |\.$|$) 461{ 462 SBLOG="C3T-${TESTNAME} (Header Stigmata)" 463 INCLUDERC=${SBDIR}/functions/loglevel.rc 464 465 :0 466 * $ ${LOCALSCORE}^0 467 * 4^0 468 { LOCALSCORE=$= } 469} 470 471# Spam Software -- bogus moderation headers 472:0 473* (^Approved: Yes \(([0-9a-z]*@)?[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\)$|\ 474 ^Approved-By: spamcheck@localhost \(127\.0\.0\.1\)$) 475* ! ^Received.*stealth\.net([^a-z0-9.]|\. |\.$|$) 476{ 477 SBLOG="C3T-${TESTNAME} (Bogus Usenet Moderation Headers)" 478 INCLUDERC=${SBDIR}/functions/loglevel.rc 479 480 :0 481 * $ ${LOCALSCORE}^0 482 * 4^0 483 { LOCALSCORE=$= } 484} 485 486# Spam Software Tracking Codes 487:0 BH 488* -1000^0 489* -500^0 ^Subject: Re: 490* -500^0 ^Subject:.*\(fwd\)$ 491* -500^0 ^Subject:.*\(EOM\)$ 492* -500^0 --.*forwarded message -- 493* -500^0 ^forwarded message:$ 494* 1100^0 ^X-MAIL-INFO: [0-9a-e]+$ 495* 1100^0 ^X-Track: [0-9]*;[a-z]+;[0-9]*$ 496* 1100^0 https?://([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z][a-z]?[a-z]?(:[0-9]+)?/track\?[a-z]=[0-9&=]+ 497* 1100^0 ^TM:[0-9]*;[a-z]+;[0-9]*$ 498* 1100^0 ^TM: <[0-9a-z;]+>$ 499* 1100^0 ^Xref: [0-9]+$ 500{ 501 SBLOG="C3T-${TESTNAME} (Tracking Codes)" 502 INCLUDERC=${SBDIR}/functions/loglevel.rc 503 504 :0 505 * $ ${LOCALSCORE}^0 506 * 4^0 507 { LOCALSCORE=$= } 508} 509 510# Spam Software -- body stigmata 511# 512:0 B 513* LEANTAG ?? ^no$ 514* -1000^0 515* 1100^0 ^--qzsoft_directmail_sep[ae]rator$ 516* 1100^0 (^|[^-_0-9a-z])This message has been sent using a trial-run version([^a-z0-9.]|\. |\.$|$) 517* 1100^0 (^|[^-_0-9a-z])TSmtpRelayServer([^a-z0-9.]|\. |\.$|$) 518* 1100^0 ()<!-- iServe\.com\.hk \.\.\. This page is encripted 519* 1100^0 ()<!-- Written by Chris Chan 520* 1100^0 ()<!-- All Rights Reserved by iServe Worldwide Ltd\. --> 521* 1100^0 ()\(This safeguard is not inserted when using the registered version\) 522* 1100^0 (^|[^-_0-9a-z])This message contains an HTML formatted message but your email([^a-z0-9.]|\. |\.$|$) 523* 1100^0 (^|[^-_0-9a-z])client does not support the display of HTML\. Please view this message in a([^a-z0-9.]|\. |\.$|$) 524* 1100^0 (^|[^-_0-9a-z])different mail client or forward this email to a web-based mail system([^a-z0-9.]|\. |\.$|$) 525* 1100^0 ^(<rndlt\[32\])+$ 526* 1100^0 https?://([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z][a-z]?[a-z]?(:[0-9]+)?/(bnr|helpmerhonda|sep)/305[0-9]+($|[^0-9]) 527* 300^0 ^()<html><body>$<center><!--[0-9a-z]+--> 528* 600^0 ^()<center><!--[0-9a-z]+--><a href=\"http://([0-9a-z][-_0-9a-z]+\.)+\.[a-z][a-z][a-z]?[a-z]?/host/default\.asp 529* 500^0 ()<img src=\"http://([0-9a-z][-_0-9a-z]+\.)+\.[a-z][a-z][a-z]?[a-z]?/pics/[0-9a-z]+\.(gif|jpe?g)\" 530* 300^0 ()</center>$</html></body>$ 531* 1100^0 ^\(c\) 1996-2003 DEMETRIUS Software$ 532* 1100^0 ^<!-- [0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z][0-9a-z]+ -->$ 533* 600^1 (^|[^-_0-9a-z])MaxBulk Mailer([^a-z0-9.]|\. |\.$|$) 534* 1100^0 %2e[0-9a-z]+(�|\.|=2E|%2E)[a-z][a-z][a-z]?[a-z]?%2e/[0-9a-z]+# 535* 600^1 (^|[^-_0-9a-z])mail to:( ) 536* 600^1 @</font>[a-z]+=2E 537* 600^0 ^This notification was sent using automated system\. Please<br>$ 538* 600^0 ^process to stop the auto-generated email\.<br>$ 539* 1100^0 [0-9]\[2$$------=_Part_ 540* 1100^0 ^This email has been sent with an unregistered version of MaxBulk Mailer$\ 541 MaxBulk Mailer is a new easy-to-use mail merge software for Macintosh$ 542* 1100^0 ^()<p>--- Sent by UNREGISTERED VERSION of <b>Atomic Mail Sender</b>\.\ 543 ()<br>Please register to remove this message\.$\ 544 ()</BODY></HTML>$ 545* 1100^0 ^This mailer was created with Campaigner\.$\ 546 http://www\.gotmarketing\.com\?testdrive_0$ 547* 1100^0 (^|[^0-9a-z])A HREF( )*=( )*\"h( )t( )?t( )?p( )?\ 548 :( )?/( )? 549* 1100^0 (^|[^0-9a-z])A HREF( )*=( )*\"h( )?t( )t( )?p( )?\ 550 :( )?/( )? 551* 1100^0 (^|[^0-9a-z])A HREF( )*=( )*\"h( )?t( )?t( )p( )?\ 552 :( )?/( )? 553* 1100^0 (^|[^0-9a-z])A HREF( )*=( )*\"h( )?t( )?t( )?p( )\ 554 :( )?/( )? 555* 1100^0 (^|[^0-9a-z])A HREF( )*=( )*\"h( )?t( )?t( )?p( )?\ 556 :( )/( )? 557* 1100^0 (^|[^0-9a-z])A HREF( )*=( )*\"h( )?t( )?t( )?p( )?\ 558 :( )?/( ) 559* 1100^0 :\\/[a-z]+\.net%2E[a-z] 560{ 561 SBLOG="C3T-${TESTNAME} (Body Stigmata)" 562 INCLUDERC=${SBDIR}/functions/loglevel.rc 563 564 :0 565 * $ ${LOCALSCORE}^0 566 * 4^0 567 { LOCALSCORE=$= } 568} 569 570# MIME encoded email with spamsign in Text/Plain section 571# 572# A lot of spamware uses a dual-part Text/HTML format, but puts 573# nothing in the text section at all. Legitimate email software 574# doesn't do this. 575# 576:0 577* LEANTAG ?? ^no$ 578* ^Content-Type: (multipart/(alternative|mixed|related)|\ 579 text/html) 580{ 581 :0 B 582 * -1000^0 583 * 1100^0 ^(- )?--[-_0-9a-z.=+/$]+$Content-Type: text/plain;?$?[^-_0-9a-z]*charset=.?[-0-9a-z]+.?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$Your mailer do not support HTML messages\.( )*Switch to a better mailer\.$ 584 * 1100^0 ^(- )?--[-_0-9a-z.=+/$]+$Content-Type: text/plain;?$?[^-_0-9a-z]*charset=.?[-0-9a-z]+.?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$No plain text content\. Please use a HTML enabled email reader(\.)?$$(- )?--[-_0-9a-z.=+/$]+$ 585 * 1100^0 ^(- )?--[-_0-9a-z.=+/$]+$Content-Type: text/plain;?$?[^-_0-9a-z]*charset=.?[-0-9a-z]+.?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$This is an HTML message\.$$(- )?--[-_0-9a-z.=+/$]+$ 586 * 1100^0 ^(- )?--[-_0-9a-z.=+/$()]+$Content-Type: text/plain;?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$(--------------------------------------------------------------------$)+\(This safeguard is not inserted when using the registered version\)$(--------------------------------------------------------------------$)+ 587 * 1100^0 ^(- )?--[-_0-9a-z.=+/$()]+$Content-Type: text/plain;?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$+\.\.\.\.\. This is an HTML Message \! \.\.\.\.\.$ 588 * 1100^0 ^(- )?--[-_0-9a-z.=+/$()]+$Content-Type: text/plain;?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$+Please use MIME\(HTML\) Email Client to read this mail$ 589 * 1100^0 ^(- )?--[-_0-9a-z.=+/$()]+$Content-Type: text/plain;?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$+����һ��HTML��ʽ���ʼ�/This is a html format mail$ 590 * 1100^0 ^(- )?--[-_0-9a-z.=+/$()]+$Content-Type: text/plain;?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$+Please use MIME-capable reader\.$ 591 * 1100^0 ^(- )?--[-_0-9a-z.=+/$()]+$Content-Type: text/plain;?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$+If you are reading this message, your email browser does not support$ 592 * 1100^0 ^(- )?--[-_0-9a-z.=+/$()]+$Content-Type: text/plain;?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$+HTML formatting\. Please disregard the HTML code below this message\.$ 593 * 1100^0 ^(- )?--[-_0-9a-z.=+/$()]+$Content-Type: text/plain;?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$+Your Email Client does not support MIME encoding. Please upgrade to$ 594 * 1100^0 ^(- )?--[-_0-9a-z.=+/$()]+$Content-Type: text/plain;?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$+(.*$)+\(almost every modern Email Client is MIME-capable\)\.$ 595 * 1100^0 ^(- )?--[-_0-9a-z.=+/$()]+$Content-Type: text/plain;?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$+(.*$)+This message is in HTML format\. [0-9a-z\.]+$ 596 * 1100^0 ^(- )?--[-_0-9a-z.=+/$()]+$Content-Type: text/plain;?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$+(.*$)+No text version was provided[0-9a-z\.]+$ 597 * 1100^0 ^(- )?--[-_0-9a-z.=+/$()]+$Content-Type: text/plain;?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$+(.*$)+This mail was sent in html format\. Please open the attached file\.$ 598 * 1100^0 ^(- )?--[-_0-9a-z.=+/$()]+$Content-Type: text/plain;?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$+(.*$)+�� �� ��$ 599 * 1100^0 ^This plain text message area is for recipients who have\ 600 email programs that do not support html $ 601 * 1100^0 ^Please view this message in HTML\. This is a Placeholder\.$ 602 * 1100^0 ^Please view this message in HTML\.$ 603 * 1100^0 ^Please use a HTML capable email client to view this message\.$ 604 * 1100^0 ^Get a capable html e-mailer$ 605 * 1100^0 ^No plain text content\. Please use a HTML enabled email reader$ 606 * 1100^0 ^[^0-9a-z]*If your e-mail software does not support html, please click here([^0-9a-z]|$) 607 * 1100^0 ^<!--$$[^0-9a-z]*This plain text message area is for recipients( ) 608 * 1100^0 ^(- )?--[-_0-9a-z.=+/$()]+$Content-Type: text/plain;?$Content-Transfer-Encoding: [-_0-9a-z\.]+$$+(.*$)+Here it is$ 609 * 600^1 (^|[^0-9a-z])MetaCreations([^0-9a-z]|$) 610 * 600^0 ^This license granted to you is effective until terminated\. 611 * 500^0 (^|[^0-9a-z])that the new layer is selected in the layers list\. 612 { 613 SBLOG="C3T-${TESTNAME} (Plain Text Section Spam Sign)" 614 INCLUDERC=${SBDIR}/functions/loglevel.rc 615 616 :0 617 * $ ${LOCALSCORE}^0 618 * 4^0 619 { LOCALSCORE=$= } 620 } 621} 622 623:0 624* -3^0 625* $ ${LOCALSCORE}^0 626{ LT4=yes } 627