###### Locales
# Discutées sur fcm <h9jg7cggax7p.dlg@tamnavulin.lacave.local>

header __LC1_X_MESSAGE_INFO         exists:X-Message-Info
describe __LC1_X_MESSAGE_INFO       Header X-Message-Info present (lacave)

header __LC1_X_ORIGINALAT           exists:X-OriginalArrival-Time
describe __LC1_X_ORIGINALAT         Header X-OriginalArrival-Time present (lacave)

header __LC1_MS_SMTPSVC             Received =~ /Microsoft SMTPSVC/
describe __LC1_MS_SMTPSVC           Went through MS SMTP (lacave)

meta LC1_X_MINFO_SPAM               (__LC1_X_MESSAGE_INFO && !__LC1_X_ORIGINALAT)
describe LC1_X_MINFO_SPAM           Possible spam with false X-Message-Info (lacave)
score LC1_X_MINFO_SPAM              1.0

meta LC1_FORGED_SMTPSVC             (__LC1_MS_SMTPSVC && !__LC1_X_ORIGINALAT)
describe LC1_FORGED_SMTPSVC         Forged MS SMTP (no X-original-a.t) (lacave)
score LC1_FORGED_SMTPSVC            1.0

# Relativement risquée...
full LC1_HTML_AHREF_IMG             /<[^a-z>]*a[^a-z>]*href[^>]*>(?:<!--[^>]*-->)*[^a-z<]*<[^a-z>]*img/i
describe LC1_HTML_AHREF_IMG         HTML link around an image (lacave)
score LC1_HTML_AHREF_IMG            3.0

# Maison
header LC1_TO_EMAIL_RANDOM          To =~ /[0-9a-zA-Z_.-]+\@([0-9a-zA-Z_-]+\.)+[a-z]{2,5} <[a-z]+>$/
describe LC1_TO_EMAIL_RANDOM        To looks like 'email <rnd_lc_word>' (lacave)
score LC1_TO_EMAIL_RANDOM           3.0

header LC1_ZOMBIE_RECEIVED          Received =~ /with DAV/
describe LC1_ZOMBIE_RECEIVED        Possible zombified sender (DAV) (lacave)
score LC1_ZOMBIE_RECEIVED           2.0

header LC1_TRUNCATED_MID            Message-ID =~ /<[^[>]{0,10}\[\d+$/
describe LC1_TRUNCATED_MID          Truncated invalid message-ID (lacave)
score LC1_TRUNCATED_MID             5.0

header LC1_RECEIVED_NUM_DOM         Received =~ /\(\d\.\d\.\d\/[a-z]+\.[a-z]{2,3}\)/
describe LC1_RECEIVED_NUM_DOM       Received like '(#.#.#/domain.tld)' (lacave)
score LC1_RECEIVED_NUM_DOM          5.0

###### Emprutés à Laura

# From "offer(s)@..." or "...@...offer..." or "friend(s)@...".
header LC2_OFFER_OR_FRIEND          From =~ /(?:offer|friend)s?\@/i
describe LC2_OFFER_OR_FRIEND        From offer/friend (lacave - Laura)
score LC2_OFFER_OR_FRIEND           4.0

header LC2_FROM_OFFER_DOMAIN        From =~ /\@[a-z0-9.]*offer/i
describe LC2_FROM_OFFER_DOMAIN      From ...@...offer... (lacave - Laura)
score LC2_FROM_OFFER_DOMAIN         4.0

# Fausses réponses mal formées.
header LC2_STRANGE_RE_SUBJECT       Subject =~ /^RE:[a-z]/
describe LC2_STRANGE_RE_SUBJECT     Malformed 'RE:' subject prefix (lacave - Laura)
score LC2_STRANGE_RE_SUBJECT        2.0

# Sujet mal formé.
header LC2_MALFORMED_SUBJECT        Subject =~ /^SUBJECT=Re: /
describe LC2_MALFORMED_SUBJECT      Strange 'SUBJECT=Re: ...' subject (lacave - Laura)
score LC2_MALFORMED_SUBJECT         2.0

header LC2_XMLR_RANDOM_WORDS        X-Mailer =~ /^(?:[a-z-]{4,} )+( ?[0-9])?$/
describe LC2_XMLR_RANDOM_WORDS      X-Mailer random lowercase words (lacave - Laura)
score LC2_XMLR_RANDOM_WORDS         2.0

header LC2_XMAILER_RVERSION         X-Mailer =~ /^[a-z-]{4,}\@version\s1\.2\d+$/
describe LC2_XMAILER_RVERSION       X-Mailer is random@version 2.2### (lacave - Laura)
score LC2_XMAILER_RVERSION          2.0

header LC2_FORMATED_MSGID           Message-Id =~ /^<[A-Z]{7}-\d{13}\@[a-z]+>$/
describe LC2_FORMATED_MSGID         Spamware Message-Id (lacave - Laura)
score LC2_FORMATED_MSGID            3.0

header LC2_WRONG_ORIGIP             X-Originating-IP =~ /^\[[a-z0-9\-]+.(?:com|net)IP\]$/
describe LC2_WRONG_ORIGIP           Strange X-Originating-IP (lacave - Laura)
score LC2_WRONG_ORIGIP              4.0

###### Empruntés sur rulesemporium.com

# http://www.rulesemporium.com/rules/header_abuse.cf
header LC3_FROM_CONSONNANTS         From =~ /\b[bcghjklmnpqrtvwxz]{6,20}\b/
describe LC3_FROM_CONSONNANTS       From consecutive consonants (lacave - RE)
score LC3_FROM_CONSONNANTS          1.666  # 460s/1h of 97268 corpus (79437s/17831h) 01/24/04

header LC3_TO_CONSONNANTS           To =~ /\b[bcghjklmnpqrstvwxz]{9,20}\b/
describe LC3_TO_CONSONNANTS         To consecutive consonants (lacave - RE)
score LC3_TO_CONSONNANTS            1.666  # type=spamp - 137s/0h of 97268 corpus (79437s/17831h) 01/24/04

#header BCS_XMAILERBOGUS         X-Mailer =~ /^[a-z][^A-Z0-9.]*$/
#describe BCS_XMAILERBOGUS       X-Mailer has NO uppercase letters, numbers, dots
#score BCS_XMAILERBOGUS          1.666

# http://www.rulesemporium.com/rules/ratware.cf
rawbody LC4_T_RATWARE_OOPS_01       /(?:<(?:\/|!|!--)?(?:RND(?:LT|MX|DG|MS|LINES?)\[?[0-9]?[0-9]?\]?|RANDOM_TEST))>/i
describe LC4_T_RATWARE_OOPS_01      Ratware use (<>) (lacave - RERW)
score LC4_T_RATWARE_OOPS_01         6.1

#+ %CHARSET
rawbody LC4_T_RATWARE_OOPS_02       /\%\s?(?:RANDOM_@?(?:WORD|TEXT|NUMBERS?|CHARS?|=|NLS[0-9]|DATE|TIME)|PRIORITY_NUMBER|RND_?(?:\:.{1,10}|AD|ALL_|ALL_OTHER_MEDS|BUY|BUY_TAG|DG|IMA|LINES?|LT|MS|MEDS?|MX|SYB|TEXT|URL|WORD|([UL]C_)?CHAR)|MESSAGE_BODY|BOUNDARY|STRING_CONST|CUSTOM[0-9]_)/i
describe LC4_T_RATWARE_OOPS_02      Ratware use (%) (lacave - RERW)
score LC4_T_RATWARE_OOPS_02         6.1

rawbody LC4_T_RATWARE_OOPS_03       /!RANDOM_(?:NUMBERS?|CHARS?)!/i
describe LC4_T_RATWARE_OOPS_03      Ratware use (!!) (lacave - RERW)
score LC4_T_RATWARE_OOPS_03         6.1

rawbody LC4_T_RATWARE_OOPS_04       /\[RANDOMIZE\]/i
describe LC4_T_RATWARE_OOPS_04      Ratware use ([]) (lacave - RERW)
score LC4_T_RATWARE_OOPS_04         6.1

rawbody LC4_T_RATWARE_OOPS_05       /\$(?:R\s?A\s?N\s?D\s?O\s?M\s?I\s?Z\s?E|(?:|FIRST|LAST)NAME|STRIPPEDUSER)/i
describe LC4_T_RATWARE_OOPS_05      Ratware use ($) (lacave - RERW)
score LC4_T_RATWARE_OOPS_05         6.1

#rawbody LC4_T_RATWARE_OOPS_06       /(?:random_subj|\\messages\\names.{0,5}|lines|words)\.txt/i
#describe LC4_T_RATWARE_OOPS_06      Ratware use (.txt) (lacave - RERW)
#score LC4_T_RATWARE_OOPS_06         6.1

rawbody LC4_T_RATWARE_OOPS_07       /https?:\/\/.{0,20}<urlmask/i
describe LC4_T_RATWARE_OOPS_07      Ratware use (urlmask) (lacave - RERW)
score LC4_T_RATWARE_OOPS_07         6.1

#<a href=ptth:\\
rawbody LC4_T_RATWARE_OOPS_08       /<a\shref=ptth:\\\\/i
describe LC4_T_RATWARE_OOPS_08      Ratware use (ptth) (lacave - RERW)
score LC4_T_RATWARE_OOPS_08         1.1

#http://www..
rawbody LC4_T_RATWARE_OOPS_09       /http:\/\/www\.\./i
describe LC4_T_RATWARE_OOPS_09      Ratware use (..) (lacave - RERW)
score LC4_T_RATWARE_OOPS_09         1.1

rawbody LC4_T_RATWARE_OOPS_10       /https?:\/\/.{0,5}TO_NAME\@/i
describe LC4_T_RATWARE_OOPS_10      Ratware use (TO_NAME) (lacave - RERW)
score LC4_T_RATWARE_OOPS_10         6.1

rawbody LC4_T_RATWARE_OOPS_11       /http:\/\/.{0,10}http\:\/\//i
describe LC4_T_RATWARE_OOPS_11      Ratware use (http^2) (lacave - RERW)
score LC4_T_RATWARE_OOPS_11         0.416

#Dear {first_name}
rawbody LC4_T_RATWARE_OOPS_12       /Dear \{first_name\}/i
describe LC4_T_RATWARE_OOPS_12      Ratware vomit (lacave - RERW)
score LC4_T_RATWARE_OOPS_12         1.2

#Has a RANDOM_ or RND_ something
rawbody LC4_T_RATWARE_OOPS_13       /(?:<|\%|!|\[|\{|\$)(?:RND|RANDOM)_?/
describe LC4_T_RATWARE_OOPS_13      RANDOM spammer goof (lacave - RERW)
score LC4_T_RATWARE_OOPS_13         1.5

#Has a RANDOM_ or RND_ something
rawbody LC4_T_RATWARE_OOPS_14       /(?:RND|RANDOM|RAND)_/
describe LC4_T_RATWARE_OOPS_14      RANDOM spammer goof (lacave - RERW)
score LC4_T_RATWARE_OOPS_14         0.7

#addition maison
header LC4_T_RATWARE_OOPS_15        Received =~ /(?:<|%|!|\[|\{|\$)CURRENT_DATE_TIME/
describe LC4_T_RATWARE_OOPS_15      CURRENT_DATE_TIME in rcvd hdr (lacave - RERW)
score LC4_T_RATWARE_OOPS_15         6.1

header LC4_T_RATWARE_OOPS_16        From =~ /(?:<|%|!|\[|\{|\$)(?:FROM_USER|RND)/
describe LC4_T_RATWARE_OOPS_16      FROM_USER oops (lacave - RERW)
score LC4_T_RATWARE_OOPS_16         6.1

header LC4_T_RATWARE_OOPS_17        Message-ID =~ /^<(?:<|%|!|\[|\{|\$)MESSAGEID\@/
describe LC4_T_RATWARE_OOPS_17      MESAGEID oops (lacave - RERW)
score LC4_T_RATWARE_OOPS_17         6.1

rawbody LC4_T_RATWARE_OOPS_18       /^Content-Type: .*(?:<|%|!|\[|\{|\$)CHARSET/
describe LC4_T_RATWARE_OOPS_18      CHARSET oops (lacave - RERW)
score LC4_T_RATWARE_OOPS_18         6.1

#Snags this X-Mailer: Microsoft Outlook, Build 10.0.<rnds[2605,2627,2616,3416,4024,4510]>
header LC4_T_RATWARE_MMV           X-Mailer =~ /Microsoft Outlook.{0,30}<rnds\[.{1,30}\]>/i
describe LC4_T_RATWARE_MMV         Multiple versions MS Outlook goof (lacave - RERW)
score LC4_T_RATWARE_MMV            6.1

#Snags this X-MimeOLE: Produced By Microsoft MimeOLE V6.00.<rnds[2462.0000,2479.0006,2505.0000,2600.0000,2800.1081,2800.1082,2800.1106,2800.1123,2800.1165]>
header LC4_T_RATWARE_MIME          X-MimeOLE =~ /Produced By Microsoft MimeOLE.{1,10}<rnds\[.{1,30}\]>/i
describe LC4_T_RATWARE_MIME        Multiple versions MS MimeOLE goof (lacave - RERW)
score LC4_T_RATWARE_MIME           6.1

#Actually received some of these.  It's generally intentional when people post to lists :)
#$MUNGED
header LC4_T_MUNGED_FROM            From =~ /\$?MUNGED\@/
describe LC4_T_MUNGED_FROM          From address munged, literally (lacave - RERW)
score LC4_T_MUNGED_FROM             2.3

header LC4_T_MUNGED_TOCC            ToCc =~ /\$?MUNGED\@/
describe LC4_T_MUNGED_TOCC          To/CC address munged, literally (lacave - RERW)
score LC4_T_MUNGED_TOCC             2.3

#FIRSTNAME|LASTNAME|STRIPPEDUSER
header LC4_T_RATWARE_UVF            From =~ /\$(?:FIRSTNAME|LASTNAME|STRIPPEDUSER)/i
describe LC4_T_RATWARE_UVF          From includes ratware variable (lacave - RERW)
score LC4_T_RATWARE_UVF             3.3

header LC4_T_RATWARE_UVT            ToCc =~ /\$(?:FIRSTNAME|LASTNAME|STRIPPEDUSER)/i
describe LC4_T_RATWARE_UVT          To/CC includes ratware variable (lacave - RERW)
score LC4_T_RATWARE_UVT             3.3