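# SARE Header Abuse Ruleset for SpamAssassin -- Not for SA 3.1
# Version:  01.03.16
# Created:  2004-04-25
# Modified: 2005-10-28
# Usage instructions and documentation in 70_sare_header0.cf
# Full Revision History / Change Log in 70_sare_header.log

#@@# 01.03.16 Oct 28 2005
#@@#    Minor score updates based on additional mass-check
#@@#    Migrated SARE_MULT_RATW_02 to x31 file; RATWARE_NAME_ID is now in version 3.1.0
#@@#    Moved from file 1 to x31: SARE_MSGID_DBL_AT
#@@#    Moved from file 4 to x31: SARE_XMAIL_SUSP1

# License: Artistic - see http://www.rulesemporium.com/license.txt
# Current Maintainer: Bob Menschel - RMSA@Menschel.net
# Current Home: http://www.rulesemporium.com/rules/70_sare_header0.cf

# Reading the per-rule annotations below:
#   #counts / #max  "Ns/Mh of T corpus (Xs/Yh LABEL) date" gives spam hits (s) and
#                   ham hits (h) out of a corpus of T messages; the parenthesised
#                   pair is that corpus's spam/ham split (X + Y = T). LABEL looks
#                   like the corpus owner's tag -- not defined in this file.
#   #ham            known legitimate mail that the rule hits (false positives).
#   #hist           rule history.
#   #stype          a note about the score -- the one below reads "max:1.0", which
#                   looks like a cap; the key is not defined in this file.
# All of these are comments to SpamAssassin; only header/meta/describe/score
# lines are active configuration.

#####################################################################################
# SARE Message-ID rules
######## ###################### ##################################################

# SARE_MSGID_DBL_AT: fires when a message id contains two '@' signs before the
# closing '>'. MESSAGEID is SpamAssassin's pseudo-header for the message's
# Message-Id style headers, so relocated ids are examined as well.
# The two negative lookaheads are ham exemptions evaluated at the first '@':
#   (?!\@.+\@TLZ>)                   ids ending in "@TLZ>" (see the #ham samples)
#   (?!(\@A)?\@0+\@comcast\.net>)    ids of the form [@A]@000...@comcast.net>
# Review fix: the '.' in "comcast.net" is now escaped so the exemption covers
# only the literal domain instead of any character in that position. The
# #counts/#max figures below were measured with the unescaped form.
# Score is held at 1.000 because of the ham hits recorded below (see #stype).
header   SARE_MSGID_DBL_AT  MESSAGEID =~ /(?!\@.+\@TLZ>)(?!(\@A)?\@0+\@comcast\.net>)\@\S+\@.+>/
describe SARE_MSGID_DBL_AT  Message ID has two at signs
score    SARE_MSGID_DBL_AT  1.000
#stype   SARE_MSGID_DBL_AT  max:1.0 # due to ham
#hist    SARE_MSGID_DBL_AT  Created by Bob Menschel May 3 2004, enhanced June 1 2004
#ham     SARE_MSGID_DBL_AT  HGTV : <2002110_@TLZ27645874_@TLZ>
#ham     SARE_MSGID_DBL_AT  Web Response Help : <200336_@TLZ1365381_@TLZ>
#ham     SARE_MSGID_DBL_AT  "mailbox full" auto-bounce from prserv.net
#counts  SARE_MSGID_DBL_AT  759s/5h of 689155 corpus (348140s/341015h RM) 09/18/05
#max     SARE_MSGID_DBL_AT  942s/22h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts  SARE_MSGID_DBL_AT  160s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max     SARE_MSGID_DBL_AT  317s/8h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts  SARE_MSGID_DBL_AT  491s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max     SARE_MSGID_DBL_AT  565s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts  SARE_MSGID_DBL_AT  79s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max     SARE_MSGID_DBL_AT  475s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts  SARE_MSGID_DBL_AT  1s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
# SARE X-Mailer Rules
######## ###################### ##################################################

# SARE_XMAIL_SUSP1: fires when the X-Mailer value starts with a lower-case letter
# and contains no upper-case letter, digit or '.' up to the end of the header.
# The match is case-sensitive (no /i).
# X-Mailer is set by the sender and the rule does hit ham (255h in the RM corpus
# below), so it is scored as a weak hint (0.350) that only matters in combination
# with other evidence.
header   SARE_XMAIL_SUSP1  X-Mailer =~ /^[a-z][^A-Z0-9.]*$/
describe SARE_XMAIL_SUSP1  X-Mailer suggests spam
score    SARE_XMAIL_SUSP1  0.350
#ham     SARE_XMAIL_SUSP1  GM Card
#counts  SARE_XMAIL_SUSP1  1270s/255h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts  SARE_XMAIL_SUSP1  358s/1h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#max     SARE_XMAIL_SUSP1  405s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts  SARE_XMAIL_SUSP1  0s/3h of 20489 corpus (17189s/3300h MY) 01/30/05
#max     SARE_XMAIL_SUSP1  108s/3h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts  SARE_XMAIL_SUSP1  11s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max     SARE_XMAIL_SUSP1  74s/1h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts  SARE_XMAIL_SUSP1  1s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

#####################################################################################
# SARE Rules which examine multiple header types
######## ###################### ##################################################

# SARE_MULT_RATW_02 combines three unscored sub-rules (names starting with "__"):
#   __RATWARE_0_TZ_DATE    Date header ends in " +0000".
#   __SARE_MULT_RATW_02A   in the full header block (ALL), a Message-ID of the form
#                          <28 upper-case letters "." X> is followed later by
#                          From: "name" <X>, where X is the identical string
#                          (backreference \1).
#   __SARE_MULT_RATW_02B   the same pairing with From: appearing before Message-ID.
# The meta fires only when the Date test and one of the two orderings both hit,
# i.e. the message id embeds the From address behind a 28-letter prefix.
# NOTE(review): with the /s flag ".*" spans any number of intervening header
# lines, and "\b" does not anchor to the start of a line, so a header whose name
# merely ends in "Message-ID:" or "From:" can also satisfy the pattern.
# NOTE(review): 4.888 is close to SpamAssassin's default required_score of 5.0,
# so this rule nearly classifies a message on its own; that weight rests on the
# 0h counts recorded below and should be re-checked against local ham before use.
header   __RATWARE_0_TZ_DATE   Date =~ / \+0000$/
header   __SARE_MULT_RATW_02A  ALL =~ m'\bMessage-ID: <[A-Z]{28}\.([^>]+)>\n.*\bFrom: \"[^\"]+\" <\1>\n's
header   __SARE_MULT_RATW_02B  ALL =~ m'\bFrom: \"[^\"]+\" <([^>]+)>\n.*\bMessage-ID: <[A-Z]{28}\.\1>\n's
meta     SARE_MULT_RATW_02     (__RATWARE_0_TZ_DATE && (__SARE_MULT_RATW_02A || __SARE_MULT_RATW_02B))
describe SARE_MULT_RATW_02     Spammer sign in headers
score    SARE_MULT_RATW_02     4.888
#hist    SARE_MULT_RATW_02     LW_RATWARE3
#hist    SARE_MULT_RATW_02     Replaced __RATWARE_0_TZ_DATE with 3.0 __RATWARE_0_TZ_DATE
#hist    SARE_MULT_RATW_02     Suggested to Loren that this be submitted to Devs, Oct 03 2004
#counts  SARE_MULT_RATW_02     27935s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts  SARE_MULT_RATW_02     583s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max     SARE_MULT_RATW_02     744s/0h of 44757 corpus (16523s/28234h JH-SA3.0rc1) 10/03/04
#counts  SARE_MULT_RATW_02     0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts  SARE_MULT_RATW_02     110s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts  SARE_MULT_RATW_02     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#EOF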