
# Shot in the dark, spotted by coincidence.  Seeing more of these soon?
# Hits an X-Mailer of "The Bat!" whose value ends in "UNREG" (presumably an
# unregistered copy), with up to 20 arbitrary chars (version string etc.) in
# between.  Anchored at both ends, so nothing may follow "UNREG".

header  THEBAT_UNREG  X-Mailer =~ /^The Bat! .{0,20} UNREG$/


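# Bunch of rules to detect Opera MUA fakes.  These seem to just have started.
# The Message-Id masks used are based on some brief real mail and Opera specs.
#
# Judging by the disabled mask below, genuine ids look like
# <xx.xxxxxxxxxxxxxx@...> with the two-char prefix apparently being "op".
# The sub-rules are only scored through the metas, i.e. together with
# __OPERA_MUA, so they fire on mail that *claims* to come from Opera only.

header   __OPERA_MUA           User-Agent =~ /^Opera /

# Local part of 2-40 chars before the @ without a single digit.
header   __OPERA_MID_NO_DIGIT  Message-ID =~ /^<[^0-9]{2,40}\@/
# Two chars before the first dot that are not "op".  The former [^o][^p] class
# required *both* chars to differ, so ids like "<ox." or "<xp." slipped
# through although they do not start with "op" either; the negative lookahead
# rejects exactly the "op" prefix and keeps the two-chars-then-dot shape.
header   __OPERA_MID_NON_OP    Message-ID =~ /^<(?!op)..\./
# header   __OPERA_MID_MASK      Message-ID =~ /^<[a-z0-9]{2}\.[a-z0-9]{14}\@/

meta     OPERA_MID_NO_DIGIT    __OPERA_MUA && __OPERA_MID_NO_DIGIT
describe OPERA_MID_NO_DIGIT    MUA Opera, Message-Id does not contain digit

meta     OPERA_MID_NON_OP      __OPERA_MUA && __OPERA_MID_NON_OP
describe OPERA_MID_NON_OP      MUA Opera, Message-Id does not start with op

# Full-mask variant, kept disabled until the mask is confirmed against more
# real Opera mail.
# meta     OPERA_MID_BAD_MASK    __OPERA_MUA && !__OPERA_MID_MASK
# describe OPERA_MID_BAD_MASK    MUA Opera, bad Message-Id mask

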
# Some old stuff rotting in a testing env only, that previously was extracted
# to hit on the low scoring "Real men" spam wave.  The very same pattern seems
# to be used with changed content, obfuscated, still scoring rather low.
#
# Both sub-rules look for an empty <a> or <span> element whose name attribute
# is a "#" followed by exactly four chars out of p, q, r, t, w.  Matched on
# rawbody, i.e. before any HTML rendering, so the tags must appear literally.
# The m,..., delimiters avoid escaping the slashes of the closing tags.

rawbody  __PQRTW_4_A     m,<a name="\#[pqrtw]{4}">\s*</a>,
rawbody  __PQRTW_4_SPAN  m,<span name="\#[pqrtw]{4}">\s*</span>,

# Either element shape is enough.
meta     PQRTW_4         __PQRTW_4_A || __PQRTW_4_SPAN


# There is a need to upload tiny HTML files to some mass hoster dump?  Right,
# there is exactly one reason to do so...  Compare the ratios for both, HTML
# files and all files.  I love shots in the dark.

# livefilestore.com  Domain Status: Registered And No Website

# Any URI on the host (the dot is unescaped and thus matches any char, which
# is harmless here).  The m~...~ delimiters keep the slashes unescaped.
uri  LIVEFILESTORE       m~livefilestore.com/~
# Same host, but the URI must end in a .htm/.html file one directory below a
# path component of up to 100 chars; the file name itself is at most 20 chars.
uri  LIVEFILESTORE_HTML  m~livefilestore.com/[^/]{0,100}/[^/]{0,20}\.html?$~


# Pretty decent Outlook forgery.  At the very least, they finally start to get
# the Message-Id correct.  And indeed, the MIME multipart boundary and the
# Message-Id do share the same format.  However, the timestamps are created
# *individually*, and there pretty much is no way for a human that these could
# be identical.  Only a bot can do that.

# A bunch of spam, in particular a couple variants of some rather static
# German spam recently started avoiding the gross forgery KB_RATWARE_MSGID and
# FORGED_RELAY_MUA_TO_MX, as well as some blacklists.  An opportunity to look
# for more forgery.  I don't need your bloody payload, the headers are
# sufficient to block you.


# FIXME  "It is suggested that [...] names have a length of no more than 22
#        characters, as an informal convention."  -- from M::SA:Conf

#        Evaluate full results first.  mc-fast results are really weird, with
#        no hits for the full BOT variant.


# This variant works just fine locally, but doesn't hit in mass-checks.  Most
# likely an issue with the multi-line Content-Type: header.

# header  KB_RATWARE_OUTLOOK_BOT  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}^Content-Type: multipart.[^;]{10,20}; boundary="----=_NextPart_000_...._\1\.\2/msi  # "


# Some variants with varying fuzzyness, to investigate accuracy.
#
# All three match against the ALL pseudo-header with /m, /s and /i.  The
# Message-Id local part is 4 arbitrary chars followed by two 8-hex-char groups
# each terminated by "$"; between 100 and 400 chars later the multipart
# boundary "----=_NextPart_000_NNNN_" has to repeat those groups as "\1.\2".
# The suffix says how many hex chars must agree: _16 both groups, _12 the
# first group plus the first half of the second, _08 the first group only.
# The trailing '# "' is merely a comment that closes the double quote for
# editor syntax highlighting (see the "emacs" remark further down).

header  KB_RATWARE_OUTLOOK_16  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi  # "

header  KB_RATWARE_OUTLOOK_12  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi  # "

header  KB_RATWARE_OUTLOOK_08  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi  # "


# Slightly stricter Message-Id variant.  Testing.
#
# Like KB_RATWARE_OUTLOOK_16, but additionally requires a third 8-hex-char
# group directly before the "@" in the Message-Id, and the closing quote of
# the boundary parameter right after "\1.\2".  Since the quote is matched
# here, no '# "' trailer is needed.

header  KB_RATWARE_OUTLOOK_MID  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi


# Helper sub-rules that are not used by any meta yet; kept disabled so they
# neither cost a regex run nor show up in mass-check output.
# header  __IS_MIME_MSG       exists:MIME-Version
# header  __IS_MICROSOFT_MUA  X-Mailer =~ /^Microsoft /

# header  __KB_OUTLOOK_MUA    X-Mailer =~ /^Microsoft (?:Office )?Outlook\b/


# Less minimal chars between headers, and reverse variant of RATWARE_BOUNDARY.
# Supersedes all RATWARE_OUTLOOK_* devel stuff above.
#
# _A is the _08 pattern with the gap between Message-Id and boundary relaxed
# to 10-400 chars.  _B covers the reverse header order: the boundary's first
# 8-hex-char group is captured and must reappear as the first group of a
# Message-Id that follows 10-400 chars later.  The '# "' trailers again only
# balance the quote for editor syntax highlighting.

header __RATWARE_BOUND_A  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{10,400}boundary="----=_NextPart_000_...._\1\./msi # "

header __RATWARE_BOUND_B  ALL =~ /boundary="----=_NextPart_000_...._([0-9a-f]{8})\..{10,400}^Message-Id: <....\1\$[0-9a-f]{8}\$/msi # "

# Either header order is a hit.
meta   KB_RATWARE_BOUNDARY   __RATWARE_BOUND_A || __RATWARE_BOUND_B


# Explain later. ;)

# Case sensitive: a Thread-Index starting with a run of 30 chars that are all
# lowercase letters or digits.  NOTE(review): presumably targets bot-generated
# hex-ish strings rather than real base64 indexes -- confirm against data.
header THREAD_INDEX_HEX  Thread-Index =~ /^[a-z0-9]{30}/

# Shape of an acceptable index: leading "A", one lowercase/digit char, 27
# base64 chars, optionally 20 more, then one of three tails (a 2-char padded
# "==" ending, 7 plain chars, or 13 plain chars plus a padded "=" ending).
# Anchored at both ends.  The optional 20-char group can occur at most once,
# so rather long threads may fail this mask -- TODO confirm against real mail.
header __THREAD_INDEX_GOOD  Thread-Index =~ m,^A[a-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==|[A-Za-z0-9+/]{7}|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$,

header __HAS_THREAD_INDEX  exists:Thread-Index

# Fires only when the header is present but does not fit the mask above, so
# mail without any Thread-Index stays unaffected.
meta   THREAD_INDEX_BAD  __HAS_THREAD_INDEX && !__THREAD_INDEX_GOOD


# Some sneaky German porn spam, 2008-10-15

# A space after "ISO" in the quoted charset, where a dash would be expected.
# The '# " emacs' trailer only balances the quote for syntax highlighting.
header   KB_CTYPE_SPACE   Content-Type =~ /charset="ISO /  # " emacs

# Any User-Agent mentioning the word Mozilla.
header   __KB_UA_MOZ      User-Agent =~ /\bMozilla/

meta     KB_CTYPE_SP_MOZ  ( KB_CTYPE_SPACE && __KB_UA_MOZ )
describe KB_CTYPE_SP_MOZ  Mozilla does not do that, I hope

# "Mozilla 4" (space, not slash) in User-Agent; the describe states the
# author's reasoning that real Mozilla 4 announces itself via X-Mailer.
header   KB_FORGED_MOZ4   User-Agent =~ /\bMozilla 4/
describe KB_FORGED_MOZ4   Mozilla 4 uses X-Mailer

