
  1. # SARE Spoof Ruleset for SpamAssassin
  2. # Version: 1.09.21
  3. # Created: 2004-03-01
  4. # Modified: 2007-01-15
  5. # Changes: Various Updates
  6. # License: Artistic - see http://www.rulesemporium.com/license.txt
  7. # Current Maintainer: Fred Tarasevicius - tech2@i-is.com
  8. # Current Home: http://www.rulesemporium.com/rules/70_sare_spoof.cf
  9. # Comments: To counter whitelists, some rules have extra meta rules to score 100 to override whitelist_from's.
  10. # META RULES USED BY MULTIPLE RULES:
  11. uri __URI_IS_IP /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\//
  12. # The following NICE rules can be enabled if you choose, it works for me, adjust scores as needed.
  13. meta SARE_LEGIT_PAYPAL (__FROM_PAYPAL && __URI_PAYPAL && __RCVD_PAYPAL)
  14. describe SARE_LEGIT_PAYPAL Has signs it's from paypal, from, headers, uri
  15. score SARE_LEGIT_PAYPAL -0.01
  16. #meta SARE_LEGIT_EBAY (__FROM_EBAY && __URI_EBAY && __RCVD_EBAY)
  17. #describe SARE_LEGIT_EBAY Has signs it's from ebay, from, headers, uri
  18. #score SARE_LEGIT_EBAY -0.01
  19. # Simple test recommended by jdow from SA-users list.
  20. header __EBAY_FRM_NAME From:name =~ /\bebay\b/i
  21. header __EBAY_ADDRESS From:addr =~ /[\@\.]ebay\.(?:com(?:\.au|\.cn|\.hk|\.my|\.sg)?|co\.uk|at|be|ca|fr|de|in|ie|it|nl|ph|pl|es|se|ch)/i
  22. meta SARE_EBAY_SPOOF_NAME (__EBAY_FRM_NAME && !__EBAY_ADDRESS)
  23. score SARE_EBAY_SPOOF_NAME 0.94
  24. # NEEDS MORE TESTING
  25. header __SARE_NAME_VISA From:name =~ /visa/i
  26. header __SARE_ADDR_VISA From:addr =~ /visa/i
  27. meta SARE_FORGE_NAME_VISA (__SARE_NAME_VISA && !__SARE_ADDR_VISA)
  28. score SARE_FORGE_NAME_VISA 0.399
  29. #counts FM_NAME_VISA_FORGE 1s/0h of 12260 corpus (6588s/5672h CT) 03/17/06
  30. #counts FM_NAME_VISA_FORGE 18s/0h of 22976 corpus (17263s/5713h MY) 03/17/06
  31. #counts FM_NAME_VISA_FORGE 3s/0h of 103688 corpus (96287s/7401h FVGT) 03/17/06
  32. #counts FM_NAME_VISA_FORGE 43s/0h of 108996 corpus (71372s/37624h DOC) 03/17/06
  33. uri __SPOOF_FLAGS /flagstar\.com/i
  34. header __FROM_FLAGSTAR From =~ /\bflagstar\.com/i
  35. header __RCVD_FLAGSTAR Received =~ /\bflagstar\.com/i
  36. meta SARE_SPOOF_FLAGSTAR (__SPOOF_FLAGS && __FROM_FLAGSTAR && !__RCVD_FLAGSTAR)
  37. score SARE_SPOOF_FLAGSTAR 3.667
  38. #counts SARE_SPOOF_FLAGSTAR 1s/0h of 42564 corpus (34322s/8242h FVGT) 05/26/06
  39. # Try to identify USBank.com e-mail
  40. header __RCVD_USBANK Received =~ /usbank\.com/i
  41. header __FROM_USBANK From =~ /usbank\.com/i
  42. uri __URI_USBANK /usbank\.com/i
  43. meta SARE_FORGED_USBANK (__FROM_USBANK && __URI_USBANK && !__RCVD_USBANK)
  44. score SARE_FORGED_USBANK 4.4
  45. #--------------------------------------------------------------------------------------------------#
  46. ## THESE RULES HAVE VERY LARGE SCORES, PLEASE ADJUST TO YOUR NEEDS, I NEED TO OVERRIDE WHITELIST. ##
  47. #--------------------------------------------------------------------------------------------------#
  48. # Try to identify PAYPAL spoofs by looking for elements which should always appear.
  49. # If we have a From and an URL of one of these guys, we should also have a received line to match!
  50. header __RCVD_PAYPAL Received =~ /\.(?:paypal|postdirect)\.com/i
  51. header __FROM_PAYPAL From =~ /[\@\.]paypa[l1i]\.co[mn]/i
  52. uri __URI_PAYPAL /[^\@]paypa[lI1]\.com/i
  53. meta SARE_FORGED_PAYPAL (__FROM_PAYPAL && __URI_PAYPAL && !__RCVD_PAYPAL)
  54. describe SARE_FORGED_PAYPAL Message appears to be forged, (paypal.com)
  55. score SARE_FORGED_PAYPAL 4.0
  56. # If the message is whitelisted, add 100 points to over-ride whitelist.
  57. meta SARE_FPP_BLOCKER (SARE_FORGED_PAYPAL && USER_IN_WHITELIST)
  58. score SARE_FPP_BLOCKER 100
  59. # Try to identify EBAY spoofs by looking for elements which should always appear.
  60. # If we have a From and an URL of one of these guys, we should also have a received line to match!
  61. header __RCVD_EBAY1 Received =~ /(?:email)?[^\s@]ebay\.(?:com(?:\.au|\.cn|\.hk|\.my|\.sg)?|co\.uk|at|be|ca|fr|de|in|ie|it|nl|ph|pl|es|se|ch)/i
  62. header __RCVD_EBAY2 Received =~ /ebay\.(?:easynet\.de|emarsys\.net)/
  63. header __RCVD_EBAY3 Received =~ /sjc\.liveworld\.com/
  64. meta __RCVD_EBAY (__RCVD_EBAY1 || __RCVD_EBAY2 || __RCVD_EBAY3)
  65. header __FROM_EBAY From =~ /\@(?:e?mail.?)?ebay\.c/i
  66. uri __URI_EBAY /\.ebay(?:static)?\.com/i
  67. meta SARE_FORGED_EBAY (__FROM_EBAY && __URI_EBAY && !__RCVD_EBAY)
  68. describe SARE_FORGED_EBAY Message appears to be forged, (ebay.com)
  69. score SARE_FORGED_EBAY 4.0
  70. meta SARE_FEB_BLOCKER (SARE_FORGED_EBAY && USER_IN_WHITELIST)
  71. score SARE_FEB_BLOCKER 100
  72. # Try to identify SUNTRUST spoofs by looking for elements which should always appear.
  73. # If we have a From and an URL of one of these guys, we should also have a received line to match!
  74. header __RCVD_SUNTRUST Received =~ /\.suntrust\.com/i
  75. header __FROM_SUNTRUST From =~ /[\@\.]suntrust\.com/i
  76. uri __URI_SUNTRUST /suntrust[a-z0-9-]{0,25}\.com/i
  77. meta SARE_FORGED_SUNTRUST (__FROM_SUNTRUST && __URI_SUNTRUST && !__RCVD_SUNTRUST)
  78. describe SARE_FORGED_SUNTRUST Message appears to be forged, (suntrust.com)
  79. score SARE_FORGED_SUNTRUST 4.0
  80. meta SARE_SUN_BLOCKER (SARE_FORGED_SUNTRUST && USER_IN_WHITELIST)
  81. score SARE_SUN_BLOCKER 100
  82. header __RCVD_WACHOVIA Received =~ /wachovia\.com[^\)]/i
  83. header __FROM_WACHOVIA From =~ /\@wachovia\.com/i
  84. uri __URI_WACHOVIA /\bwachovia\.com/i
  85. meta SARE_FORGED_WACHOVIA (__FROM_WACHOVIA && __URI_WACHOVIA && !__RCVD_WACHOVIA)
  86. score SARE_FORGED_WACHOVIA 3.0
  87. #counts SARE_FORGED_WACHOVIA 0s/0h of 82118 corpus (57948s/24170h ML) 04/03/06
  88. #counts SARE_FORGED_WACHOVIA 0s/0h of 12246 corpus (6574s/5672h CT) 04/03/06
  89. #counts SARE_FORGED_WACHOVIA 0s/0h of 10377 corpus (7302s/3075h ) 04/03/06
  90. #counts SARE_FORGED_WACHOVIA 0s/0h of 22951 corpus (17237s/5714h MY) 04/03/06
  91. #counts SARE_FORGED_WACHOVIA 2s/0h of 41810 corpus (34135s/7675h FVGT) 04/03/06
  92. # Try to identify CHASEBANK spoofs by looking for elements which should always appear.
  93. # If we have a From and an URL of one of these guys, we should also have a received line to match!
  94. header __RCVD_CHASE_A Received =~ /[^@]\bchase\.com/i
  95. header __RCVD_CHASE_B Received =~ /\bbigfootinteractive\.com/i
  96. meta __RCVD_CHASE (__RCVD_CHASE_A || __RCVD_CHASE_B)
  97. header __FROM_CHASE From =~ /\bchase\.com/i
  98. uri __URI_CHASE m'(?:\.chase\.com|http://chase)'i
  99. meta SARE_FORGED_CHASE (__FROM_CHASE && __URI_CHASE && (!__RCVD_CHASE && !__RCVD_BANKONE))
  100. describe SARE_FORGED_CHASE Message appears to be forged, (chase.com)
  101. score SARE_FORGED_CHASE 3.4
  102. header __RCVD_BANKONE Received =~ /\bbankone\.com/i
  103. header __FROM_BANKONE From =~ /\bbankone\.com/i
  104. uri __URI_BANKONE /\.bankone\.com/i
  105. meta SARE_FORGED_BANK1 (__FROM_BANKONE && __URI_BANKONE && (!__RCVD_CHASE && !__RCVD_BANKONE))
  106. score SARE_FORGED_BANK1 3.0
  107. # Try to identify CITIBANK spoofs by looking for elements which should always appear.
  108. # If we have a From and an URL of one of these guys, we should also have a received line to match!
  109. header __RCVD_CITIBNK_A Received =~ /(?:citi(?:bank(?:cards)?|cards|corp|bankcards)|acxiom|c2it)\.com/i
  110. header __RCVD_CITIBNK_B Received =~ /bridgetrack\.com/i
  111. meta __RCVD_CITIBNK (__RCVD_CITIBNK_A || __RCVD_CITIBNK_B || __RCVD_CHASE_B)
  112. header __FROM_CITIBNK From =~ /\bciti(?:bank)?(?:cards)?\.com/i
  113. uri __URI_CITIBNK /\bciti(?:bank)?\.com/i
  114. meta SARE_FORGED_CITI (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)
  115. describe SARE_FORGED_CITI Message appears to be forged, (citibank.com)
  116. score SARE_FORGED_CITI 4.0
  117. meta SARE_CIT_BLOCKER (SARE_FORGED_CITI && USER_IN_WHITELIST)
  118. score SARE_CIT_BLOCKER 100
  119. # I'm testing a few new variations of these rules, trying to find people just spoofing the from headers.
  120. meta SARE_FORGED_PAYPAL_C (__FROM_PAYPAL && !__RCVD_PAYPAL)
  121. describe SARE_FORGED_PAYPAL_C Has Paypal from, no Paypal received header.
  122. score SARE_FORGED_PAYPAL_C 1.3
  123. # About.com has plenty of spams which spoof their address. Here's a set of rules just for them ;)
  124. header __RCVD_ABOUT_COM Received =~ /\.about\.com/i
  125. header __FROM_ABOUT_COM From =~ /\babout\.com/i
  126. uri __URI_ABOUT_COM /\.about\.com/i
  127. meta SARE_FORGED_ABOUT (!__RCVD_ABOUT_COM && __FROM_ABOUT_COM && !__URI_ABOUT_COM)
  128. describe SARE_FORGED_ABOUT Message appears to be forged, (about.com)
  129. score SARE_FORGED_ABOUT 2.879
  130. # another spoof using forms
  131. rawbody __FHAS_HTML_FORM /<form/i
  132. rawbody __FHAS_EBAY_FORM /<form (?:name="\w{4,20}"\s)?(?:method="?post"?\s)?action="?http:\/\/[^.]{3,7}\.ebay\.com[^>]{4,125}>/i
  133. meta __HASFORM_NOT_EBAY (__FHAS_HTML_FORM && !__FHAS_EBAY_FORM)
  134. meta SARE_SPOOF_EBAYFORM (__FROM_EBAY && __HASFORM_NOT_EBAY)
  135. score SARE_SPOOF_EBAYFORM 1.495
  136. # New set for spoofs
  137. header __RCVD_2CHECKOUT Received =~ /\.2checkout\.com/i
  138. header __FROM_2CHECKOUT From =~ /\@2checkout\.com/i
  139. uri __URI_2CHECKOUT /\b2checkout\.com/i
  140. meta SARE_FORGED_2CHK (__FROM_2CHECKOUT && __URI_2CHECKOUT && !__RCVD_2CHECKOUT)
  141. score SARE_FORGED_2CHK 3.0
  142. header __RCVD_2CO Received =~ /\.2co\.com/i
  143. header __FROM_2CO From =~ /\@2co\.com/i
  144. uri __URI_2CO /\b2co\.com/i
  145. meta SARE_FORGED_2CO (__FROM_2CO && __URI_2CO && !__RCVD_2CO)
  146. score SARE_FORGED_2CO 3.0
  147. header __RCVD_53 Received =~ /\.53\.com/i
  148. header __FROM_53 From =~ /\@53\.com/i
  149. uri __URI_53 /\b53\.com/i
  150. meta SARE_FORGED_53 (__FROM_53 && __URI_53 && !__RCVD_53)
  151. score SARE_FORGED_53 3.0
  152. header __RCVD_AMAZON Received =~ /\.amazon\.com/i
  153. header __FROM_AMAZON From =~ /\@amazon\.com/i
  154. uri __URI_AMAZON /\bamazon\.com/i
  155. meta SARE_FORGED_AMAZON (__FROM_AMAZON && __URI_AMAZON && !__RCVD_AMAZON)
  156. score SARE_FORGED_AMAZON 3.0
  157. header __RCVD_AMERITR Received =~ /\.ameritrade\.com/i
  158. header __FROM_AMERITR From =~ /\@ameritrade\.com/i
  159. uri __URI_AMERITR /\bameritrade\.com/i
  160. meta SARE_FORGED_AMERIT (__FROM_AMERITR && __URI_AMERITR && !__RCVD_AMERITR)
  161. score SARE_FORGED_AMERIT 3.0
  162. header __RCVD_AMEX Received =~ /\.americanexpress\.com/i
  163. header __FROM_AMEX From =~ /\@americanexpress\.com/i
  164. uri __URI_AMEX /\bamericanexpress\.com/i
  165. meta SARE_FORGED_AMEX (__FROM_AMEX && __URI_AMEX && !__RCVD_AMEX)
  166. score SARE_FORGED_AMEX 3.0
  167. header __RCVD_BANKNORTH Received =~ /\.banknorth\.com/i
  168. header __FROM_BANKNORTH From =~ /\@banknorth\.com/i
  169. uri __URI_BANKNORTH /\bbanknorth\.com/i
  170. meta SARE_FORGED_BANK_N (__FROM_BANKNORTH && __URI_BANKNORTH && !__RCVD_BANKNORTH)
  171. score SARE_FORGED_BANK_N 3.0
  172. header __RCVD_BANKOFA1 Received =~ /\.bankofamerica\.com/i
  173. header __RCVD_BANKOFA2 Received =~ /\.customercenter\.net/i
  174. meta __RCVD_BANKOFA (__RCVD_BANKOFA1 || __RCVD_BANKOFA2)
  175. header __FROM_BANKOFA From =~ /[\@\.]bankofamerica\.com/i
  176. uri __URI_BANKOFA /\bbankofamerica\.com/i
  177. meta SARE_FORGED_BANKOFA (__FROM_BANKOFA && __URI_BANKOFA && !__RCVD_BANKOFA)
  178. score SARE_FORGED_BANKOFA 3.0
  179. header __RCVD_BANKOFO Received =~ /\.bankofoklahoma\.com/i
  180. header __FROM_BANKOFO From =~ /\@bankofoklahoma\.com/i
  181. uri __URI_BANKOFO /\bbankofoklahoma\.com/i
  182. meta SARE_FORGED_BANKOFO (__FROM_BANKOFO && __URI_BANKOFO && !__RCVD_BANKOFO)
  183. score SARE_FORGED_BANKOFO 3.0
  184. header __RCVD_BANKOFW Received =~ /\.bankofthewest\.com/i
  185. header __FROM_BANKOFW From =~ /\@bankofthewest\.com/i
  186. uri __URI_BANKOFW /\bbankofthewest\.com/i
  187. meta SARE_FORGED_BANKOFW (__FROM_BANKOFW && __URI_BANKOFW && !__RCVD_BANKOFW)
  188. score SARE_FORGED_BANKOFW 3.0
  189. header __RCVD_CAPITAL1 Received =~ /\.capitalone\.com/i
  190. header __FROM_CAPITAL1 From =~ /\@capitalone\.com/i
  191. uri __URI_CAPITAL1 /\bcapitalone\.com/i
  192. meta SARE_FORGED_CAPITAL (__FROM_CAPITAL1 && __URI_CAPITAL1 && !__RCVD_CAPITAL1)
  193. score SARE_FORGED_CAPITAL 3.0
  194. header __RCVD_CFSBANK Received =~ /\.citizensfirstbank\.com/i
  195. header __FROM_CFSBANK From =~ /\@citizensfirstbank\.com/i
  196. uri __URI_CFSBANK /\bcitizensfirstbank\.com/i
  197. meta SARE_FORGED_CFSBANK (__FROM_CFSBANK && __URI_CFSBANK && !__RCVD_CFSBANK)
  198. score SARE_FORGED_CFSBANK 3.0
  199. header __RCVD_CHARTER1 Received =~ /\.charterone(?:bank)?\.com/i
  200. header __FROM_CHARTER1 From =~ /\@charterone(?:bank)?\.com/i
  201. uri __URI_CHARTER1 /\bcharterone(?:bank)?\.com/i
  202. meta SARE_FORGED_CHARTER (__FROM_CHARTER1 && __URI_CHARTER1 && !__RCVD_CHARTER1)
  203. score SARE_FORGED_CHARTER 3.0
  204. header __RCVD_CITIZENS Received =~ /\.citizensbank\.com/i
  205. header __FROM_CITIZENS From =~ /\@citizensbank\.com/i
  206. uri __URI_CITIZENS /\bcitizensbank\.com/i
  207. meta SARE_FORGED_CITIZEN (__FROM_CITIZENS && __URI_CITIZENS && !__RCVD_CITIZENS)
  208. score SARE_FORGED_CITIZEN 3.0
  209. header __RCVD_COMFED Received =~ /\.comfedbank\.com/i
  210. header __FROM_COMFED From =~ /\@comfedbank\.com/i
  211. uri __URI_COMFED /\bcomfedbank\.com/i
  212. meta SARE_FORGED_COMFED (__FROM_COMFED && __URI_COMFED && !__RCVD_COMFED)
  213. score SARE_FORGED_COMFED 3.0
  214. header __RCVD_COMMERCE Received =~ /\.commercebank\.com/i
  215. header __FROM_COMMERCE From =~ /\@commercebank\.com/i
  216. uri __URI_COMMERCE /\bcommercebank\.com/i
  217. meta SARE_FORGED_COMMERCE (__FROM_COMMERCE && __URI_COMMERCE && !__RCVD_COMMERCE)
  218. score SARE_FORGED_COMMERCE 3.0
  219. header __RCVD_DISCOVER Received =~ /\.discovercard\.com/i
  220. header __FROM_DISCOVER From =~ /\@discovercard\.com/i
  221. uri __URI_DISCOVER /\bdiscovercard\.com/i
  222. meta SARE_FORGED_DISCOVER (__FROM_DISCOVER && __URI_DISCOVER && !__RCVD_DISCOVER)
  223. score SARE_FORGED_DISCOVER 3.0
  224. header __RCVD_EGOLD Received =~ /\.e-goldk\.com/i
  225. header __FROM_EGOLD From =~ /\@e-gold\.com/i
  226. uri __URI_EGOLD /\be-gold\.com/i
  227. meta SARE_FORGED_EGOLD (__FROM_EGOLD && __URI_EGOLD && !__RCVD_EGOLD)
  228. score SARE_FORGED_EGOLD 3.0
  229. header __RCVD_FDIC Received =~ /\.fdic\.gov/i
  230. header __FROM_FDIC From =~ /\@fdic\.gov/i
  231. uri __URI_FDIC /\bfdic\.gov/i
  232. meta SARE_FORGED_FDIC (__FROM_FDIC && __URI_FDIC && !__RCVD_FDIC)
  233. score SARE_FORGED_FDIC 3.0
  234. header __RCVD_FLEET Received =~ /\.fleet(?:bank)?\.com/i
  235. header __FROM_FLEET From =~ /\@fleet(?:bank)?\.com/i
  236. uri __URI_FLEET /\bfleet(?:bank)?\.com/i
  237. meta SARE_FORGED_FLEET (__FROM_FLEET && __URI_FLEET && !__RCVD_FLEET)
  238. score SARE_FORGED_FLEET 3.0
  239. header __RCVD_HUNTINGTON Received =~ /\.(?:exacttarget|huntington)\.com/i
  240. header __FROM_HUNTINGTON From =~ /\@huntington\.com/i
  241. uri __URI_HUNTINGTON /\bhuntington\.com/i
  242. meta SARE_FORGED_HUNTIN (__FROM_HUNTINGTON && __URI_HUNTINGTON && !__RCVD_HUNTINGTON)
  243. score SARE_FORGED_HUNTIN 3.0
  244. header __RCVD_KEYBANK Received =~ /\.keybank\.com/i
  245. header __FROM_KEYBANK From =~ /\@keybank\.com/i
  246. uri __URI_KEYBANK /\bkeybank\.com/i
  247. meta SARE_FORGED_KEY (__FROM_KEYBANK && __URI_KEYBANK && !__RCVD_KEYBANK)
  248. score SARE_FORGED_KEY 3.0
  249. header __RCVD_LASALLE Received =~ /\.lasallebank\.com/i
  250. header __FROM_LASALLE From =~ /\@lasallebank\.com/i
  251. uri __URI_LASALLE /\blasallebank\.com/i
  252. meta SARE_FORGED_LASAL (__FROM_LASALLE && __URI_LASALLE && !__RCVD_LASALLE)
  253. score SARE_FORGED_LASAL 3.0
  254. header __RCVD_MIBANK Received =~ /\.mibank\.com/i
  255. header __FROM_MIBANK From =~ /\@mibank\.com/i
  256. uri __URI_MIBANK /\bmibank\.com/i
  257. meta SARE_FORGED_MIBANK (__FROM_MIBANK && __URI_MIBANK && !__RCVD_MIBANK)
  258. score SARE_FORGED_MIBANK 3.0
  259. header __RCVD_MBNA Received =~ /\.mbna\.com/i
  260. header __FROM_MBNA From =~ /\@mbna\.com/i
  261. uri __URI_MBNA /\bmbna\.com/i
  262. meta SARE_FORGED_MBNA (__FROM_MBNA && __URI_MBNA && !__RCVD_MBNA)
  263. score SARE_FORGED_MBNA 3.0
  264. header __RCVD_NCUA Received =~ /\.ncua\.gov/i
  265. header __FROM_NCUA From =~ /\@ncua\.gov/i
  266. uri __URI_NCUA /\bncua\.gov/i
  267. meta SARE_FORGED_NCUA (__FROM_NCUA && __URI_NCUA && !__RCVD_NCUA)
  268. score SARE_FORGED_NCUA 3.0
  269. header __RCVD_REGIONS Received =~ /\.regionsbank\.com/i
  270. header __FROM_REGIONS From =~ /\@regionsbank\.com/i
  271. uri __URI_REGIONS /\bregionsbank\.com/i
  272. meta SARE_FORGED_REGION (__FROM_REGIONS && __URI_REGIONS && !__RCVD_REGIONS)
  273. score SARE_FORGED_REGION 3.0
  274. header __RCVD_SKYBANK Received =~ /\.sky(?:-bank|fi)\.com/i
  275. header __FROM_SKYBANK From =~ /\@sky(?:-bank|fi)\.com/i
  276. uri __URI_SKYBANK /\bsky(?:-bank|fi)\.com/i
  277. meta SARE_FORGED_SKY (__FROM_SKYBANK && __URI_SKYBANK && !__RCVD_SKYBANK)
  278. score SARE_FORGED_SKY 3.0
  279. header __RCVD_STRUST Received =~ /\.southtrust\.com/i
  280. header __FROM_STRUST From =~ /\@southtrust\.com/i
  281. uri __URI_STRUST /\bsouthtrust\.com/i
  282. meta SARE_FORGED_STRUST (__FROM_STRUST && __URI_STRUST && !__RCVD_STRUST)
  283. score SARE_FORGED_STRUST 3.0
  284. header __RCVD_TCFBANK Received =~ /\.tcfbank\.com/i
  285. header __FROM_TCFBANK From =~ /\@tcfbank\.com/i
  286. uri __URI_TCFBANK /\btcfbank\.com/i
  287. meta SARE_FORGED_TCF (__FROM_TCFBANK && __URI_TCFBANK && !__RCVD_TCFBANK)
  288. score SARE_FORGED_TCF 3.0
  289. header __RCVD_VISA Received =~ /\.visa\.com/i
  290. header __FROM_VISA From =~ /\@visa\.com/i
  291. uri __URI_VISA /visa/i
  292. meta SARE_FORGED_VISA (__FROM_VISA && __URI_VISA && !__RCVD_VISA)
  293. score SARE_FORGED_VISA 3.0
  294. header __RCVD_WELLS Received =~ /\.wellsfargo\.com/i
  295. header __FROM_WELLS From =~ /\@wellsfargo\.com/i
  296. uri __URI_WELLS /\bwellsfargo\.com/i
  297. meta SARE_FORGED_WELLS (__FROM_WELLS && __URI_WELLS && !__RCVD_WELLS)
  298. score SARE_FORGED_WELLS 4.209
  299. header __RCVD_WESTERN Received =~ /\.westernunion\.com/i
  300. header __FROM_WESTERN From =~ /\@westernunion\.com/i
  301. uri __URI_WESTERN /\bwesternunion\.com/i
  302. meta SARE_FORGED_WESTERN (__FROM_WESTERN && __URI_WESTERN && !__RCVD_WESTERN)
  303. score SARE_FORGED_WESTERN 3.0
  304. # Catch Common banks with IP address for URL.
  305. meta __POPULAR_BANKS (__URI_PAYPAL || __URI_EBAY || __URI_CITIBNK || __URI_SUNTRUST || __URI_CHASE || __URI_BANKONE || __URI_ABOUT_COM || __URI_2CHECKOUT || __URI_2CO || __URI_53 || __URI_AMAZON || __URI_AMERITR || __URI_AMEX || __URI_BANKNORTH || __URI_BANKOFA || __URI_BANKOFO || __URI_BANKOFW || __URI_CAPITAL1 || __URI_CFSBANK || __URI_CHARTER1 || __URI_CITIZENS || __URI_COMFED || __URI_COMMERCE || __URI_DISCOVER || __URI_EGOLD || __URI_FDIC || __URI_FLEET || __URI_HUNTINGTON || __URI_KEYBANK || __URI_LASALLE || __URI_MIBANK || __URI_MBNA || __URI_NCUA || __URI_REGIONS || __URI_SKYBANK || __URI_STRUST || __URI_TCFBANK || __URI_VISA || __URI_WELLS || __URI_WESTERN)
  306. meta SARE_BANK_URI_IP (__POPULAR_BANKS && __URI_IS_IP)
  307. score SARE_BANK_URI_IP 0.653
  308. # Added 22-4-2004 by Jesse Houwing
  309. uri SARE_SPOOF_COM2COM m{^https?://(?:\w+\.)+?com\.(?:\w+\.){2,}}i
  310. describe SARE_SPOOF_COM2COM a.com.b.com
  311. score SARE_SPOOF_COM2COM 2.536
  312. uri SARE_SPOOF_COM2OTH m{^https?://(?:\w+\.)+?com\.(?:\w+\.)+?com}i
  313. describe SARE_SPOOF_COM2OTH a.com.b.c
  314. score SARE_SPOOF_COM2OTH 2.536
  315. uri SARE_SPOOF_OURI m{^(?:h|%68|%48)(?:t|%74|%54)(?:t|%74|%54)(?:p|%70|%50)(?:s|%73|%53)?(?::|%3a)(?:/|%2f){0,2}(?:[^@]+@)*?(?:a-z0-9_%-]+?(?:\.|%2e)){2,}(?:org|com|www)(?!\.edgesuite\.net)(?:(?:\.|%2e)[a-z0-9_%-]+?){2,}(?:(?::|%3a)\d+)?}i
  316. describe SARE_SPOOF_OURI URL has items in odd places
  317. score SARE_SPOOF_OURI 2.536
  318. # Added 07/28/2005 submitted by e-mail
  319. header __LOCAL_PP_ISFROMPP From:addr =~ /\@(?:paypal|ebay)\.com$/i
  320. header __LOCAL_PP_S_UPD Subject: =~ m'(?:confirm|update) (?:your|the) (?:billing)?(?:records?|information|account)'i
  321. header __LOCAL_PP_S_AUT Subject: =~ m'unauthori[sz]ed access'i
  322. body __LOCAL_PP_B_UPD m'(?:confirm|updated?|verify|restore) (?:your|the) (?:account|current|billing|personal)? ?(?:records?|information|account|identity|access|data)'i
  323. body __LOCAL_PP_B_ATT m'one or more attempts'i
  324. body __LOCAL_PP_B_ACT m'unusual activity'i
  325. uri __LOCAL_PP_PPCGIURL m'https?://www\.paypal\.com/([A-Za-z0-9-_]+/)?cgi-bin/webscr\?'i
  326. uri __LOCAL_PP_NONPPURL m'https?://(?:[A-Za-z0-9-_]+)\.(?!(paypal|ebay)\.com)(?:[A-Za-z0-9-_\.]+)'i
  327. meta SARE_SPOOF_BADURL (__LOCAL_PP_ISFROMPP && ((__LOCAL_PP_S_AUT || __LOCAL_PP_B_ATT || __LOCAL_PP_B_ACT || __LOCAL_PP_B_UPD || __LOCAL_PP_S_UPD) || __LOCAL_PP_PPCGIURL) && __LOCAL_PP_NONPPURL)
  328. meta SARE_SPOOF_BADADDR (!__LOCAL_PP_ISFROMPP && ((__LOCAL_PP_S_AUT || __LOCAL_PP_B_ATT || __LOCAL_PP_B_ACT || __LOCAL_PP_B_UPD || __LOCAL_PP_S_UPD) && __LOCAL_PP_PPCGIURL))
  329. score SARE_SPOOF_BADURL 1.059
  330. score SARE_SPOOF_BADADDR 1.059
  331. # Describe length test for 3.0 requirements:
  332. # 12345678901234567890123456789012345678901234567890
  333. # 1 2 3 4 5
  334. #
  335. # EOF