local.sco

flex是linux下一个很有用的高效的编译器工具

# Anti-Spam score file
# required_score 5.0
# Start of geneaated scores.  <gen:mutable>
# ********************************************************************************
# 1. body tests --> 20_body_tests.cf
# ********************************************************************************

body TRACKER_ID			/^[a-z0-9]{6,24}[-_a-z0-9]{12,36}[a-z0-9]{6,24}\s*\z/is
describe TRACKER_ID	       Incorporates a tracking ID number

body WEIRD_QUOTING		/[\042\223\224\262\263\271]{2}\S{0,16}[\042\223\224\262\263\271]{2}/
describe WEIRD_QUOTING	       Weird repeated double-quotation marks

body EMAIL_ROT13               /\b[a-z(\]-]+\^[a-z-]+\([a-z]{2,3}\b/
describe EMAIL_ROT13           Body contains a ROT13-encoded email address

rawbody INTERRUPTUS            /(?:[a-zA-Z0-9]<[\/ ]{0,2}?(?!br)(?!p)(?!sup)(?!li)(?!b)(?!i)(?!option)(?!a (?:href|name))(?:\b|!--)[^>]{0,64}?>[a-zA-Z0-9].{0,64}){3}/i
describe INTERRUPTUS           Message looks to contain HTML-interrupted text

rawbody MIME_BASE64_BLANKS	eval:check_for_mime('mime_base64_blanks')
describe MIME_BASE64_BLANKS	Extra blank lines in base64 encoding

rawbody MIME_BASE64_NO_NAME	eval:check_for_mime('mime_base64_no_name')
describe MIME_BASE64_NO_NAME	base64 attachment does not have a file name

body MIME_BAD_ISO_CHARSET	eval:check_for_mime('mime_bad_iso_charset')
describe MIME_BAD_ISO_CHARSET	MIME character set is an unknown ISO charset

rawbody  MIME_QP_LONG_LINE	eval:check_for_mime('mime_qp_long_line')
describe MIME_QP_LONG_LINE	Quoted-printable line longer than 76 chars

rawbody MIME_BASE64_TEXT	eval:check_for_mime('mime_base64_encoded_text')
describe MIME_BASE64_TEXT	Message text disguised using base64 encoding

rawbody  MIME_MISSING_BOUNDARY	eval:check_for_mime('mime_missing_boundary')
describe MIME_MISSING_BOUNDARY	MIME section missing boundary

body MISSING_MIME_HB_SEP	eval:check_msg_parse_flags('missing_mime_head_body_separator')
describe MISSING_MIME_HB_SEP	Missing blank line between MIME header and body

body MIME_HTML_MOSTLY		eval:check_mime_multipart_ratio('0.00','0.01')
describe MIME_HTML_MOSTLY	Multipart message mostly text/html MIME

body MIME_HTML_ONLY		eval:check_for_mime_html_only()
describe MIME_HTML_ONLY		Message only has text/html MIME parts

body MPART_ALT_DIFF	        eval:multipart_alternative_difference('99', '100')
describe MPART_ALT_DIFF	        HTML and text parts are different

body MPART_ALT_DIFF_COUNT	eval:multipart_alternative_difference_count('3', '1')
describe MPART_ALT_DIFF_COUNT	HTML and text parts are different

body CHARSET_FARAWAY		eval:check_for_faraway_charset()
describe CHARSET_FARAWAY	Character set indicates a foreign language
tflags CHARSET_FARAWAY		userconf

body BLANK_LINES_70_80	        eval:check_blank_line_ratio('70','80','4')
describe BLANK_LINES_70_80      Message body has 70-80% blank lines

body BLANK_LINES_80_90	        eval:check_blank_line_ratio('80','90','4')
describe BLANK_LINES_80_90      Message body has 80-90% blank lines

body BLANK_LINES_90_100	        eval:check_blank_line_ratio('90','100','4')
describe BLANK_LINES_90_100     Message body has 90-100% blank lines

body UNIQUE_WORDS	        eval:check_unique_words('0.946', '3.1')
describe UNIQUE_WORDS	        Message body has many words used only once

body DOMAIN_RATIO	        eval:check_domain_ratio('0.022')
describe DOMAIN_RATIO	        Message body mentions many internet domains

body HTTPS_IP_MISMATCH	        eval:check_https_ip_mismatch()
describe HTTPS_IP_MISMATCH	IP to HTTPS link found in HTML

# ********************************************************************************
# 2. compensation for common false positives --> 20_compensate.cf
# ********************************************************************************
# The message was never sent via an untrustworthy host.
header ALL_TRUSTED              eval:check_all_trusted()
describe ALL_TRUSTED            Passed through trusted hosts only via SMTP
tflags ALL_TRUSTED              nice

header NO_RELAYS                eval:check_no_relays()
tflags NO_RELAYS                nice userconf
describe NO_RELAYS              Informational: message was not relayed via SMTP

#********************************************************************************
# 4. drug tests --> 20_drugs.cf
#********************************************************************************
header SUBJECT_DRUG_GAP_C	Subject =~ /\bc.{0,2}i.{0,2}a.{0,2}l.{0,2}i.{0,2}s\b/i
describe SUBJECT_DRUG_GAP_C	Subject contains a gappy version of 'cialis'

header SUBJECT_DRUG_GAP_L	Subject =~ /l.{0,2}e.{0,2}v.{0,2}i.{0,2}t.{0,2}r.{0,2}a/i
describe SUBJECT_DRUG_GAP_L	Subject contains a gappy version of 'levitra'

header SUBJECT_DRUG_GAP_P	Subject =~ /p.{0,2}h.{0,6}t.{0,2}e.{0,2}r.{0,2}m/i
describe SUBJECT_DRUG_GAP_P	Subject contains a gappy version of 'phentermine'

header SUBJECT_DRUG_GAP_S	Subject =~ /\bs.{0,1}o.{0,1}m.{0,1}a\b/i
describe SUBJECT_DRUG_GAP_S	Subject contains a gappy version of 'soma'

header SUBJECT_DRUG_GAP_VA	Subject =~ /v.{0,2}a.{0,2}l.{0,2}i.{0,2}u.{0,2}m/i
describe SUBJECT_DRUG_GAP_VA	Subject contains a gappy version of 'valium'

header SUBJECT_DRUG_GAP_VIC	Subject =~ /v.{0,2}i.{0,2}c.{0,2}[0o].{0,2}d.{0,2}i.{0,2}n/i
describe SUBJECT_DRUG_GAP_VIC	Subject contains a gappy version of 'vicodin'

header SUBJECT_DRUG_GAP_X	Subject =~ /x.{0,2}a.{0,2}n.{0,2}a.{0,2}x/i
describe SUBJECT_DRUG_GAP_X	Subject contains a gappy version of 'xanax'

body DRUG_DOSAGE		m{[\d\.]+ *\$? *(?:[\\/]|per) *d.?o.?s.?e}i
describe DRUG_DOSAGE		Talks about price per dose

body DRUG_ED_CAPS		/\bCIALIS|LEVITRA|VIAGRA/
describe DRUG_ED_CAPS		Mentions an E.D. drug

body DRUG_ED_COMBO		/\bviagra .{0,15}(?:phentermine|xenical|tenuate|zyban|propecia)\b/i
describe DRUG_ED_COMBO		Viagra and other drugs

body DRUG_ED_SILD		/\bsildenafil\b/i
describe DRUG_ED_SILD		Talks about an E.D. drug using its chemical name

body DRUG_ED_GENERIC		/Generic Viagra/
describe DRUG_ED_GENERIC	Mentions Generic Viagra

body DRUG_ED_ONLINE		/\bviagra .{0,25}(?:express|online|overnight)/i
describe DRUG_ED_ONLINE		Fast Viagra Delivery 

body DEEP_DISC_MEDS		/\bdeep discount med(?:s|ications)\b/i
describe DEEP_DISC_MEDS		Deep discount medications

body ONLINE_PHARMACY		/\bonline pharmacy|\b(?:drugs|medications) online/i
describe ONLINE_PHARMACY	Online Pharmacy

body NO_PRESCRIPTION		/no.{1,10}P(?:er|re)scription.{1,10}(?:needed|require|necessary)/i
describe NO_PRESCRIPTION	No prescription needed

body VIA_GAP_GRA                /\bvia.gra\b/i
describe VIA_GAP_GRA            Attempts to disguise the word 'viagra'

body DRUGS_SMEAR1               /(?:Viagra|Valium|Xanax|Soma|Cialis){2}/i
describe DRUGS_SMEAR1	        Two or more drugs crammed together into one word

#********************************************************************************
# 6. header tests --> 20_head_tests.cf
#********************************************************************************

header HEAD_LONG		eval:check_msg_parse_flags('truncated_header')
describe HEAD_LONG		Message headers are very long

header MISSING_HB_SEP		eval:check_msg_parse_flags('missing_head_body_separator')
describe MISSING_HB_SEP		Missing blank line between message header and body

header UNPARSEABLE_RELAY        eval:check_relays_unparseable()
tflags UNPARSEABLE_RELAY        userconf
describe UNPARSEABLE_RELAY      Informational: message has unparseable relay lines

header DATE_IN_PAST_03_06	eval:check_for_shifted_date('-6', '-3')
describe DATE_IN_PAST_03_06	Date: is 3 to 6 hours before Received: date

header DATE_IN_PAST_06_12	eval:check_for_shifted_date('-12', '-6')
describe DATE_IN_PAST_06_12	Date: is 6 to 12 hours before Received: date

header DATE_IN_PAST_12_24	eval:check_for_shifted_date('-24', '-12')
describe DATE_IN_PAST_12_24	Date: is 12 to 24 hours before Received: date

header DATE_IN_PAST_24_48	eval:check_for_shifted_date('-48', '-24')
describe DATE_IN_PAST_24_48	Date: is 24 to 48 hours before Received: date

header DATE_IN_PAST_48_96	eval:check_for_shifted_date('-96', '-48')
describe DATE_IN_PAST_48_96	Date: is 48 to 96 hours before Received: date

header DATE_IN_PAST_96_XX	eval:check_for_shifted_date('undef', '-96')
describe DATE_IN_PAST_96_XX	Date: is 96 hours or more before Received: date

header DATE_IN_FUTURE_03_06	eval:check_for_shifted_date('3', '6')
describe DATE_IN_FUTURE_03_06	Date: is 3 to 6 hours after Received: date

header DATE_IN_FUTURE_06_12	eval:check_for_shifted_date('6', '12')
describe DATE_IN_FUTURE_06_12	Date: is 6 to 12 hours after Received: date

header DATE_IN_FUTURE_12_24	eval:check_for_shifted_date('12', '24')
describe DATE_IN_FUTURE_12_24	Date: is 12 to 24 hours after Received: date

header DATE_IN_FUTURE_24_48	eval:check_for_shifted_date('24', '48')
describe DATE_IN_FUTURE_24_48	Date: is 24 to 48 hours after Received: date

header DATE_IN_FUTURE_48_96	eval:check_for_shifted_date('48', '96')
describe DATE_IN_FUTURE_48_96	Date: is 48 to 96 hours after Received: date

header DATE_IN_FUTURE_96_XX	eval:check_for_shifted_date('96', 'undef')
describe DATE_IN_FUTURE_96_XX	Date: is 96 hours or more after Received: date

header UNRESOLVED_TEMPLATE	eval:check_unresolved_template()
describe UNRESOLVED_TEMPLATE	Headers contain an unresolved template

header SUBJ_ILLEGAL_CHARS	eval:check_illegal_chars('Subject','0.00','2')
describe SUBJ_ILLEGAL_CHARS	Subject: has too many raw illegal characters

header FROM_ILLEGAL_CHARS	eval:check_illegal_chars('From','0.20','2')
describe FROM_ILLEGAL_CHARS	From: has too many raw illegal characters

header HEAD_ILLEGAL_CHARS	eval:check_illegal_chars('ALL','0.010','2')
describe HEAD_ILLEGAL_CHARS	Headers have too many raw illegal characters

header SUBJ_HAS_UNIQ_ID		eval:check_for_unique_subject_id()
describe SUBJ_HAS_UNIQ_ID	Subject contains a unique ID

header MSGID_FROM_MTA_ID	eval:message_id_from_mta()
describe MSGID_FROM_MTA_ID	Message-Id for external message added locally

header FROM_AND_TO_SAME		eval:check_for_from_to_same()
describe FROM_AND_TO_SAME	From and To are the same, but not exactly

header FORGED_RCVD_HELO		eval:check_for_forged_received_helo()
describe FORGED_RCVD_HELO	Received: contains a forged HELO

header RCVD_HELO_IP_MISMATCH	eval:helo_ip_mismatch()
describe RCVD_HELO_IP_MISMATCH	Received: HELO and IP do not match, but should

header RCVD_NUMERIC_HELO	eval:check_for_numeric_helo()
describe RCVD_NUMERIC_HELO	Received: contains an IP address used for HELO

header RCVD_ILLEGAL_IP		eval:check_for_illegal_ip()
describe RCVD_ILLEGAL_IP	Received: contains illegal IP address

header FORGED_AOL_RCVD	        eval:check_for_fake_aol_relay_in_rcvd()
describe FORGED_AOL_RCVD	Received forged, contains fake AOL relays

header SUBJ_ALL_CAPS		eval:subject_is_all_caps()
describe SUBJ_ALL_CAPS		Subject is all capitals

header FORGED_YAHOO_RCVD	eval:check_for_forged_yahoo_received_headers()
describe FORGED_YAHOO_RCVD	'From' yahoo.com does not match 'Received' headers

header FORGED_JUNO_RCVD		eval:check_for_forged_juno_received_headers()
describe FORGED_JUNO_RCVD	'From' juno.com does not match 'Received' headers

header FORGED_GW05_RCVD		eval:check_for_forged_gw05_received_headers()
describe FORGED_GW05_RCVD	Forged 'by gw05' 'Received:' header found

header CHARSET_FARAWAY_HEADER	eval:check_for_faraway_charset_in_headers()
describe CHARSET_FARAWAY_HEADER	A foreign language charset used in headers
tflags CHARSET_FARAWAY_HEADER	userconf

# this is a quite common false positive, as it's legal to remove a To but leave
# a CC. so don't score it high.
header MISSING_HEADERS		eval:check_for_missing_to_header()
describe MISSING_HEADERS	Missing To: header

header SUSPICIOUS_RECIPS	eval:similar_recipients('0.65','undef')
describe SUSPICIOUS_RECIPS	Similar addresses in recipient list

header SORTED_RECIPS		eval:sorted_recipients()
describe SORTED_RECIPS		Recipient list is sorted by address

header ADDRESS_IN_SUBJECT	eval:check_for_to_in_subject('address')
describe ADDRESS_IN_SUBJECT	To: address appears in Subject

header LOCALPART_IN_SUBJECT	eval:check_for_to_in_subject('user')
describe LOCALPART_IN_SUBJECT	Local part of To: address appears in Subject

header HEADER_COUNT_CTYPE	eval:check_header_count_range('Content-Type','2','999')
describe HEADER_COUNT_CTYPE	Multiple Content-Type headers found

header NO_RDNS_DOTCOM_HELO	eval:check_for_no_rdns_dotcom_helo()
describe NO_RDNS_DOTCOM_HELO	Host HELO'd as a big ISP, but had no rDNS

header FRAGMENTED_MESSAGE	Content-Type =~ /\bmessage\/partial/i
describe FRAGMENTED_MESSAGE	Partial message

# a forged Hotmail message; host HELO'd as hotmail.com, but it wasn't
header FORGED_HOTMAIL_RCVD	eval:check_for_forged_hotmail_received_headers()
describe FORGED_HOTMAIL_RCVD	Forged hotmail.com 'Received:' header found

header NO_REAL_NAME		From =~ /^["\s]*\<?\S+\@\S+\>?\s*$/
describe NO_REAL_NAME		From: does not include a real name

header FROM_BLANK_NAME		From =~ /(?:\s|^)"" <\S+>/i
describe FROM_BLANK_NAME	From: contains empty name

header FROM_ENDS_IN_NUMS	From:addr =~ /\D\d{8,}\@/i
describe FROM_ENDS_IN_NUMS	From: ends in many numbers