# SARE Header Abuse Ruleset for SpamAssassin -- Not for SA 2.64 thru SA 3.0.0
# Version: 01.03.16
# Created: 2004-04-25
# Modified: 2005-10-28
# Usage instructions and documentation in 70_sare_header0.cf
# Full Revision History / Change Log in 70_sare_header.log
#
# Reviewer notes on this file:
#  - Every rule below is a heuristic that scores on header *shape*.  The
#    Received lines and MIME boundary it inspects are written by the sender
#    (or by the hops before our own MTA), so a sender can freely forge or
#    avoid them.  Treat these scores as one signal among many, never as
#    authentication of the path a message took.
#  - The #V264 / #V300 annotations name the stock SpamAssassin rule that
#    covers the same pattern in those versions; the "Not for SA 2.64 thru
#    SA 3.0.0" warning above exists so the same pattern is not scored twice.
#  - The #counts / #max annotations (Ns/Mh of T corpus ...) are mass-check
#    results; the scores were tuned against them (see #@@# below), so any
#    change to a regex invalidates the score and needs a fresh mass-check.
#    The format is documented in 70_sare_header0.cf.
#  - SpamAssassin only recognises full-line comments; do not append "#"
#    comments to the end of header/meta/describe/score lines.
#@@# 01.03.16 Oct 28 2005
#@@# Minor score updates based on additional mass-check
#####################################################################################
# SARE Header-Exists rules
######## ###################### ##################################################
# Fires on the mere presence of an X-Message-Info header.  The meta
# suppresses it when the stock X_MESSAGE_INFO rule already scored the
# message, so the two never stack.
header   __SARE_HEAD_HDR_XMSGIN   exists:X-Message-Info
meta     SARE_HEAD_HDR_XMSGINF    __SARE_HEAD_HDR_XMSGIN && !X_MESSAGE_INFO
describe SARE_HEAD_HDR_XMSGINF    Message headers used which identify spam
score    SARE_HEAD_HDR_XMSGINF    1.666
#ham     SARE_HEAD_HDR_XMSGINF    confirmed (4)
#hist    SARE_HEAD_HDR_XMSGINF    From Fred T
#V264    SARE_HEAD_HDR_XMSGINF    X_MESSAGE_INFO
#V300    SARE_HEAD_HDR_XMSGINF    X_MESSAGE_INFO
#counts  SARE_HEAD_HDR_XMSGINF    1986s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
#max     SARE_HEAD_HDR_XMSGINF    5782s/0h of 114229 corpus (81068s/33161h RM) 01/15/05
#counts  SARE_HEAD_HDR_XMSGINF    3s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max     SARE_HEAD_HDR_XMSGINF    651s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts  SARE_HEAD_HDR_XMSGINF    2555s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts  SARE_HEAD_HDR_XMSGINF    271s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max     SARE_HEAD_HDR_XMSGINF    622s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts  SARE_HEAD_HDR_XMSGINF    1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#####################################################################################
# SARE Received Header IP Address Rules
######## ###################### ##################################################
# Matches a Received line of the form "from <ip> by <ip>" (bare addresses on
# both sides, no host names), which legitimate MTAs do not normally write.
# The octet class (1?\d\d?|2[0-4]\d|25[0-4]) accepts 0-254 only, so an
# address with a 255 octet does not match; the /i flag makes "From"/"BY"
# match as well.  The meta excludes the stock RCVD_DOUBLE_IP_SPAM rule so
# the same line is not scored twice on versions that ship it.
# NOTE(review): SARE_RECV_SUSP_1 below matches a subset of the same lines
# and is not excluded here, so a message can collect both scores -- that
# overlap is reflected in the mass-check counts, not a bug, but keep it in
# mind before raising either score.
header   __SARE_RECV_IP_FROMIP1   Received =~ /from\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])\s+by\s+((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])/i
meta     SARE_RECV_IP_FROMIP1     __SARE_RECV_IP_FROMIP1 && !RCVD_DOUBLE_IP_SPAM
describe SARE_RECV_IP_FROMIP1     Received line is IP address from IP address
score    SARE_RECV_IP_FROMIP1     1.666
#hist    SARE_RECV_IP_FROMIP1     From Regis Wilson, Wed, 24 Mar 2004, SUSP_IP_RECEIVED
#hist    SARE_RECV_IP_FROMIP1     Aug 10 2004, Bob Menschel, modified into meta to avoid 3.0.0 duplication
#ham     SARE_RECV_IP_FROMIP1     ham: South Valley Bank
#V264    SARE_RECV_IP_FROMIP1     RCVD_DOUBLE_IP_SPAM
#V300    SARE_RECV_IP_FROMIP1     RCVD_DOUBLE_IP_SPAM
#counts  SARE_RECV_IP_FROMIP1     2940s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
#max     SARE_RECV_IP_FROMIP1     9198s/1h of 119325 corpus (98981s/20344h RM) 03/24/04
#counts  SARE_RECV_IP_FROMIP1     1784s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts  SARE_RECV_IP_FROMIP1     53s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max     SARE_RECV_IP_FROMIP1     639s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts  SARE_RECV_IP_FROMIP1     125s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max     SARE_RECV_IP_FROMIP1     325s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts  SARE_RECV_IP_FROMIP1     1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
# Stricter variant of the pattern above: exactly one space between tokens,
# lower-case "from"/"by" only (no /i), and a literal ";" directly after the
# second address -- the fixed layout a particular ratware stamps.  The
# \d{1,3} octets are deliberately loose (999 would match); tightening them
# would change the hit counts and require re-scoring.  This rule is not a
# meta and does not exclude RCVD_DOUBLE_IP_SPAM -- that is what the
# "Not for SA 2.64 thru SA 3.0.0" warning at the top of the file is for.
header   SARE_RECV_SUSP_1         Received =~ /from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} by \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3};/
describe SARE_RECV_SUSP_1         Relayed through probable spammer zombie
score    SARE_RECV_SUSP_1         2.222
#hist    SARE_RECV_SUSP_1         Carl Friend: CRF_RATWARE_ZOMBIE, Fred T. RE_hrip_IPfromIPb
#V264    SARE_RECV_SUSP_1         RCVD_DOUBLE_IP_SPAM
#V300    SARE_RECV_SUSP_1         RCVD_DOUBLE_IP_SPAM
#counts  SARE_RECV_SUSP_1         2705s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max     SARE_RECV_SUSP_1         5940s/0h of 100687 corpus (81249s/19438h RM) 03/05/04
#counts  SARE_RECV_SUSP_1         1492s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts  SARE_RECV_SUSP_1         37s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max     SARE_RECV_SUSP_1         582s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts  SARE_RECV_SUSP_1         127s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max     SARE_RECV_SUSP_1         320s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts  SARE_RECV_SUSP_1         1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#####################################################################################
# SARE Content-Type and Boundary rules
######## ###################### ##################################################
# Fires on a MIME boundary that is exactly two dashes followed by digits,
# and only when the value is double-quoted (an unquoted boundary=--123 does
# not match).  The boundary string is sender-chosen, so this is a ratware
# fingerprint rather than a structural fault in the message.
header   SARE_BOUNDARY_07         Content-Type =~ /boundary="--\d+"/
describe SARE_BOUNDARY_07         Ratware all digits after two dashes boundary
score    SARE_BOUNDARY_07         1.666
#ham     SARE_BOUNDARY_07         confirmed (1)
#hist    SARE_BOUNDARY_07         Created by Bob Menschel May 15 2004
#V264    SARE_BOUNDARY_07         MIME_BOUND_DD_DIGITS
#V300    SARE_BOUNDARY_07         MIME_BOUND_DD_DIGITS
#counts  SARE_BOUNDARY_07         20929s/1h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts  SARE_BOUNDARY_07         4233s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts  SARE_BOUNDARY_07         0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts  SARE_BOUNDARY_07         391s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max     SARE_BOUNDARY_07         1001s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts  SARE_BOUNDARY_07         1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#EOF