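# SB-COMMON.RC
#
# COMMON SPAM PATTERNS
#
# Patterns that can be called upon as part of other
# pattern matching recipes.
#
# Last updated: 10/14/2016
#
# Every test in this file has the same shape:
#   - it runs only while LOCALTAG is "no";
#   - each sub-pattern that matches logs through functions/loglevel.rc,
#     records its rule id in SBRULEHITS and sets LT4=yes;
#   - the closing recipe of the test includes functions/rc-sub.rc only when
#     LT4 is "yes".  A matching branch that does not set LT4=yes therefore
#     never reaches rc-sub.rc (presumably where TESTSCORE is applied; that
#     file is not visible here).  Originally only the Botnet Header test set
#     LT4=yes; the Drop Box and Spamware branches now do so as well.
# The input variables (REPLYTOEMAIL, REPLYTODOMAIN, FROMDOMAIN, FIRSTBODYEMAIL,
# SBRULEHITS, ...) are populated before this file is included.
#
# NOTE(review): in every "append" branch below the guard tests SBRULEHITS for
# NULL but the append reads ${FHRULEHITS}, which nothing in this file sets.
# Unless FHRULEHITS is supplied by the framework, previously recorded hits are
# dropped there and those lines should read "${SBRULEHITS} <rule-id>".
# Left as found -- confirm against the rest of the ruleset.

## Botnet Headers

:0
* LOCALTAG ?? ^no$
{
  LOCALDESCRIPTION='Pattern Match'
  LT4=no
  TESTNAME='Botnet Header'
  TESTSCORE=5
  TESTTYPE=ALL
  TESTLAST=20161014
  TESTUPDATED=20161014

  # No From header at all.
  :0
  * H ?? ! ^From:
  {
    LT4=yes
    SBLOG="C3T-${TESTNAME} (No From Header)"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    # First hit replaces the NULL placeholder, later hits are appended
    # (see the FHRULEHITS note in the file header).
    :0
    * SBRULEHITS ?? ^NULL$
    { SBRULEHITS='cs_hd_nofrom' }

    :0 E
    { SBRULEHITS="${FHRULEHITS} cs_hd_nofrom" }
  }

  # From header present but carrying nothing that looks like user@domain.tld.
  # NOTE(review): the character classes below contain non-ASCII letters that
  # are mis-encoded in this copy of the file (shown as replacement
  # characters).  They are kept byte-for-byte; compare against the original
  # Latin-1 source before deploying this copy.
  :0
  * ! ^From:.*@([0-9a-z������������������������������������]\
      [-_0-9a-z������������������������������������]*\.)+\
      (xn--[0-9a-z][0-9a-z]*|\
      ([a-z������������������������������������]|\?)\
      ([a-z������������������������������������]|\?)\
      ([a-z������������������������������������]|\?)*\
      (\.[a-z������������������������������������]\
      [a-z������������������������������������])?)
  {
    LT4=yes
    SBLOG="C3T-${TESTNAME} (No email address in From header)"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    :0
    * SBRULEHITS ?? ^NULL$
    { SBRULEHITS='cs_hd_nofromemail' }

    :0 E
    { SBRULEHITS="${FHRULEHITS} cs_hd_nofromemail" }
  }

  # Apply the test result only if one of the patterns above fired.
  :0
  * LT4 ?? ^yes$
  {
    INCLUDERC=${SBDIR}/functions/rc-sub.rc
  }
}

## Drop Box Email Addresses

:0
* LOCALTAG ?? ^no$
{
  LOCALDESCRIPTION='Pattern Match'
  LT4=no
  TESTNAME='Drop Box'
  TESTSCORE=2
  TESTTYPE=ALL
  TESTLAST=20161014
  TESTUPDATED=20161014

  ### Reply-to Drop Box
  # Reply-To differs from the sender, is not a role account, and the sending
  # domain is not one of the services known to do this legitimately.
  # ${REPLYTOEMAIL} is expanded into the last regexp unescaped: its "." match
  # any character, so the inequality is slightly permissive (a false negative,
  # never a false hit), and a value that is not a valid regexp makes the
  # condition fail rather than match.
  :0
  * ! REPLYTOEMAIL ?? ^noemail@example\.com$
  * ! FIRSTRECVDOMAIN ?? ^(facebook\.com)$
  * ! FROMDOMAIN ?? ^(indiatimes\.com|\
                     wetransfer\.com)$
  * ! REPLYTOLOGIN ?? ^(abuse|\
                       admin|\
                       daemon|\
                       mail|\
                       news|\
                       mailer-daemon|\
                       postmaster|\
                       root|\
                       webmaster)
  * $ ! FROMEMAIL ?? ^${REPLYTOEMAIL}$
  {
    # The Reply-To domain is interpolated into a command line below.  Procmail
    # substitutes the value into the text and hands the line to $SHELL when it
    # then contains SHELLMETAS characters, so header text must not reach it
    # unchecked; whatever normalisation the header parser did upstream is not
    # visible here.  Only a plain hostname (letters, digits, "-" and ".") is
    # allowed through -- this also rejects an empty value, which with
    # "fgrep -x" would otherwise match blank lines of the list.  IDN domains
    # therefore have to be listed in freemail_domains.txt in their xn-- form.
    :0
    * REPLYTODOMAIN ?? ^[-.0-9a-z]+$
    * ? ${FGREP} -i -x "${REPLYTODOMAIN}" ${SBDIR}/info/freemail_domains.txt
    {
      LT4=yes
      SBLOG="C3T-${TESTNAME} (Dropbox: Reply-to Email ${REPLYTOEMAIL})"
      INCLUDERC=${SBDIR}/functions/loglevel.rc

      :0
      * SBRULEHITS ?? ^NULL$
      { SBRULEHITS="RE-cs_dbx" }

      :0 E
      { SBRULEHITS="${FHRULEHITS} RE-cs_dbx" }
    }
  }

  ### Message Body Drop Box
  # Same idea for the first address found in the body: it must differ from
  # both From and Reply-To and must not be a role account.
  :0
  * ! FIRSTBODYEMAIL ?? ^noemail@example\.com$
  * ! FIRSTRECVDOMAIN ?? ^(facebook\.com)$
  * ! FROMDOMAIN ?? ^(indiatimes\.com|\
                     wetransfer\.com)$
  * ! REPLYTOLOGIN ?? ^(abuse|\
                       admin|\
                       daemon|\
                       mail|\
                       news|\
                       mailer-daemon|\
                       postmaster|\
                       root|\
                       webmaster)
  * ! FIRSTBODYLOGIN ?? ^(abuse|\
                         admin|\
                         daemon|\
                         mail|\
                         news|\
                         mailer-daemon|\
                         postmaster|\
                         root|\
                         webmaster)
  * $ ! FROMEMAIL ?? ^${FIRSTBODYEMAIL}$
  * $ ! REPLYTOEMAIL ?? ^${FIRSTBODYEMAIL}$
  {
    # Body text is entirely attacker-controlled; same hostname allow-list as
    # above before the value is placed on a command line.
    # NOTE(review): the variable is spelled FIRSTBODYEDOMAIN (extra "E") while
    # its siblings are FIRSTBODYEMAIL / FIRSTBODYLOGIN -- verify this is the
    # name the body parser actually sets.
    :0
    * FIRSTBODYEDOMAIN ?? ^[-.0-9a-z]+$
    * ? ${FGREP} -i -x "${FIRSTBODYEDOMAIN}" ${SBDIR}/info/freemail_domains.txt
    {
      LT4=yes
      SBLOG="C3T-${TESTNAME} (Dropbox: Body Email ${FIRSTBODYEMAIL})"
      INCLUDERC=${SBDIR}/functions/loglevel.rc

      :0
      * SBRULEHITS ?? ^NULL$
      { SBRULEHITS="BE1-cs_dbx" }

      :0 E
      { SBRULEHITS="${FHRULEHITS} BE1-cs_dbx" }
    }
  }

  :0
  * LT4 ?? ^yes$
  {
    INCLUDERC=${SBDIR}/functions/rc-sub.rc
  }
}

## Spamware

:0
* LOCALTAG ?? ^no$
{
  LOCALDESCRIPTION='Pattern Match'
  LT4=no
  TESTNAME='Spamware'
  TESTSCORE=5
  TESTTYPE=ALL
  TESTLAST=20161014
  TESTUPDATED=20161014

  ### Email Sending System
  # Weighted: starts at -3, so at least four points' worth of the header
  # fingerprints below must be present for the recipe to match.
  :0
  * -3^0
  * $ H ?? 2^0 ^Sender: <user-rt@${REPLYTODOMAIN}>$
  * H ?? 1^0 ^X-Mailer: Email Sending System$
  * $ H ?? 1^0 ^X-Mailer: ${REPLYTODOMAIN}$
  * $ H ?? 1^0 ^X-Complaints-To: abuse@${REPLYTODOMAIN}$
  {
    LT4=yes
    SBLOG="C3T-${TESTNAME} (Spamware: Email Sending System)"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    :0
    * SBRULEHITS ?? ^NULL$
    { SBRULEHITS='cs_sw_emailss' }

    :0 E
    { SBRULEHITS="${FHRULEHITS} cs_sw_emailss" }
  }

  ### Interspire Mailer
  # Weighted: -3 base, one point per Interspire header or body marker.
  :0
  * -3^0
  * H ?? 1^0 ^X-Mailer-LID:
  * H ?? 1^0 ^X-Mailer-RecptId:
  * H ?? 1^0 ^X-Mailer-SID:
  * H ?? 1^0 ^X-Mailer-Sent-By:
  * B ?? 1^0 ^Your email client cannot read this email\.$\
         1^0 To view it online, please go here:$\
         1^0 http://
  * B ?? 1^0 ^To stop receiving these$\
         1^0 emails:http://
  * B ?? 1^0 ^Powered by Interspire$
  {
    LT4=yes
    SBLOG="C3T-${TESTNAME} (Spamware: Interspire)"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    :0
    * SBRULEHITS ?? ^NULL$
    { SBRULEHITS='cs_sw_interspire' }

    :0 E
    { SBRULEHITS="${FHRULEHITS} cs_sw_interspire" }
  }

  ### SwiftMailer
  # Weighted: -3 base; any single 4-point marker is enough on its own.
  :0
  * -3^0
  * H ?? 4^0 ^X-PHP-Originating-Script: [1-9][0-9]*:SimpleMailInvoker\.php$
  * H ?? 4^0 ^X-Mw-Mailer: SwiftMailer([^0-9a-z]|$)
  * H ?? 2^0 ^X-Mw-Subscriber-Uid:
  * H ?? 2^0 ^X-Mw-Tracking-Did:
  * B ?? 4^0 /mailwizz/
  {
    LT4=yes
    SBLOG="C3T-${TESTNAME} (Spamware: SwiftMailer)"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    :0
    * SBRULEHITS ?? ^NULL$
    { SBRULEHITS='cs_sw_swiftmailer' }

    :0 E
    { SBRULEHITS="${FHRULEHITS} cs_sw_swiftmailer" }
  }

  :0
  * LT4 ?? ^yes$
  {
    INCLUDERC=${SBDIR}/functions/rc-sub.rc
  }
}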