Failed to save the file to the "xx" directory.

Failed to save the file to the "ll" directory.

Failed to save the file to the "mm" directory.

Failed to save the file to the "wp" directory.

403WebShell
403Webshell
Server IP : 66.29.132.124  /  Your IP : 18.191.218.234
Web Server : LiteSpeed
System : Linux business141.web-hosting.com 4.18.0-553.lve.el8.x86_64 #1 SMP Mon May 27 15:27:34 UTC 2024 x86_64
User : wavevlvu ( 1524)
PHP Version : 7.4.33
Disable Function : NONE
MySQL : OFF  |  cURL : ON  |  WGET : ON  |  Perl : ON  |  Python : ON  |  Sudo : OFF  |  Pkexec : OFF
Directory :  /proc/self/root/var/lib/spamassassin/3.004006/updates_spamassassin_org/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Command :


[ Back ]     

Current File : /proc/self/root/var/lib/spamassassin/3.004006/updates_spamassassin_org/20_ratware.cf
# SpamAssassin rules file: known spam mailers
#
# Sometimes these leave 'sent by mailername' fingerprints in the
# headers, which provide a nice way for us to catch them.
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use /etc/mail/spamassassin/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at:
# 
#     http://www.apache.org/licenses/LICENSE-2.0
# 
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################

header RATWARE_EGROUPS		X-Mailer =~ /eGroups Message Poster/
describe RATWARE_EGROUPS	Bulk email fingerprint (eGroups) found

# Note that the tests which look at the "ALL" pseudoheader are slower than
# the specific header.
# 100% overlap with X-Stormpost-To: header, but seems wise to leave it in
header RATWARE_OE_MALFORMED	X-Mailer =~ /^Microsoft Outlook Express \d(?:\.\d+){3} \w+$/
describe RATWARE_OE_MALFORMED	X-Mailer has malformed Outlook Express version
header RATWARE_MOZ_MALFORMED	User-Agent =~ /Mozilla\/5\.0\d\d/
describe RATWARE_MOZ_MALFORMED	Bulk email fingerprint (Mozilla malformed) found

header RATWARE_MPOP_WEBMAIL	X-Mailer =~ /mPOP Web-Mail/i
describe RATWARE_MPOP_WEBMAIL	Bulk email fingerprint (mPOP Web-Mail)

###########################################################################
# Now, detect forgeries of real MUAs
#
# NOTE: these rules should specify version numbers!

# first define situations where servers rewrite message id so we can't use message id to detect forgeries

header __HOTMAIL_BAYDAV_MSGID		MESSAGEID =~ /^<[A-Z]{3}\d+-(?:DAV|SMTP)\d+[A-Z0-9]{25}\@phx\.gbl>$/m

header __IPLANET_MESSAGING_SERVER Received =~ /iPlanet Messaging Server/

header __LYRIS_EZLM_REMAILER  List-Unsubscribe =~ /<mailto:(?:leave-\S+|\S+-unsubscribe)\@\S+>$/

header __SYMPATICO_MSGID		MESSAGEID =~ /^<BAYC\d+-PASMTP\d+[A-Z0-9]{25}\@CEZ\.ICE>$/m

header __WACKY_SENDMAIL_VERSION Received =~ /\/CWT\/DCE\)/

header __GROUPSIO_MSGID		MESSAGEID =~ /^<[[:xdigit:]]+\.[[:xdigit:]]+\@groups.io>$/m

header __HAS_XORIGMSGID		X-Orig-Message-Id =~ /^<.+\@.+>$/m

meta   __GROUPSIO_GATED		__GROUPSIO_MSGID && __HAS_XORIGMSGID

#bz8202
header	__MCRSFT_MSGID	MESSAGEID =~ /^<[[:alnum:]]{30,45}@[^>]*\.(outlook|exchangelabs).com>$/im

meta	__UNUSABLE_MSGID (__MCRSFT_MSGID || __LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID && __GROUPSIO_GATED)

## now on to the forgery rules

# AOL
header __AOL_MUA		X-Mailer =~ /\bAOL\b/

# Internet Mail Service
header __IMS_MUA		X-Mailer =~ /Internet Mail Service/
header __IMS_MSGID		MESSAGEID =~ /^<[A-F\d]{36,40}\@\S+>$/m
meta FORGED_MUA_IMS		(__IMS_MUA && !__IMS_MSGID && !__UNUSABLE_MSGID)
describe FORGED_MUA_IMS		Forged mail pretending to be from IMS

# Message ID format introduced by Vista MAPI, maybe also Windows 2003 Server SP2
header __VISTA_MSGID		MESSAGEID =~ /^<[A-F\d]{32}\@\S+>$/m

# Outlook Express 4, 5, and 6
header __OE_MUA			X-Mailer =~ /\bOutlook Express [456]\./
header __OE_MSGID_1		MESSAGEID =~ /^<[A-Za-z0-9-]{7}[A-Za-z0-9]{20}\@hotmail\.com>$/m
header __OE_MSGID_2		MESSAGEID =~ /^<(?:[0-9a-f]{8}|[0-9a-f]{12})\$[0-9a-f]{8}\$[0-9a-f]{8}\@\S+>$/m
meta __FORGED_OE		(__OE_MUA && !__OE_MSGID_1 && !__OE_MSGID_2 && !__UNUSABLE_MSGID)

# Outlook versions that usually use "dollar signs"
header __OUTLOOK_DOLLARS_MUA	X-Mailer =~ /^Microsoft Outlook(?: 8| CWS, Build 9|, Build 10)\./
header __OUTLOOK_DOLLARS_OTHER	MESSAGEID =~ /^<\!\~\!/m
meta __FORGED_OUTLOOK_DOLLARS	(__OUTLOOK_DOLLARS_MUA && !__OE_MSGID_2 && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && !__IMS_MSGID && !__UNUSABLE_MSGID)
# use new meta rules to implement FORGED_MUA_OUTLOOK rule from 2.60

# bug 7567: obviously fake Outlook X-Mailer
header __OUTLOOK_FAKE_MUA       X-Mailer =~ /^Outlook$/

# bug 5496: avoid some FPs
header __FMO_EXCL_O3416   X-Mailer =~ /^Microsoft Outlook, Build 10.0.3416$/
header __FMO_EXCL_OE3790  X-Mailer =~ /^Microsoft Outlook Express 6.00.3790.3959$/
# bug 5910: __VISTA_MSGID also now used by Outlook Express from XP SP3
#
meta FORGED_MUA_OUTLOOK         ((__FORGED_OE || __FORGED_OUTLOOK_DOLLARS || __OUTLOOK_FAKE_MUA) && !__FMO_EXCL_O3416 && !__FMO_EXCL_OE3790 && !__VISTA_MSGID)
describe FORGED_MUA_OUTLOOK	Forged mail pretending to be from MS Outlook

# Outlook IMO (Internet Mail Only)
header __OIMO_MUA		X-Mailer =~ /Outlook IMO/
header __OIMO_MSGID		MESSAGEID =~ /^<[A-P]{28}\.[-\w.]+\@\S+>$/m
meta FORGED_MUA_OIMO		(__OIMO_MUA && !__OIMO_MSGID && !__OE_MSGID_2 && !__UNUSABLE_MSGID)
describe FORGED_MUA_OIMO	Forged mail pretending to be from MS Outlook IMO

# Not Ratware...

header __HAS_X_LOOP		exists:X-Loop
header __HAS_X_MAILING_LIST	exists:X-Mailing-List
header __HAS_X_MAILMAN_VERSION	exists:X-Mailman-Version
describe MAILING_LIST_MULTI	Multiple indicators imply a widely-seen list manager
meta   MAILING_LIST_MULTI	__HAS_X_LOOP + __HAS_X_MAILING_LIST + __HAS_X_MAILMAN_VERSION + __HAS_X_BEEN_THERE +__DOS_HAS_LIST_UNSUB + __ML1 + __ML2 + __ML3 + __ML4 + __ML5 > 2
tflags MAILING_LIST_MULTI	nice

# QUALCOMM Eudora
# Note: uses X_LOOP and X_MAILING_LIST as subrules
# X-Mailer: QUALCOMM Windows Eudora Version 5.0   (and 5.1)
# X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
# updated to fix bugs 2047, 2598, 2654
# NOTE: this is the *only* spammish Eudora MUA pattern that wasn't
# ignored using __OLD_EUDORA1 and __OLD_EUDORA2 under previous rules.
# v7 can't be tested, as it sometimes doesn't generate MID
header __EUDORA_MUA             X-Mailer =~ /^QUALCOMM Windows Eudora (?:Pro |Light )?Version [3456]\./
header __EUDORA_MSGID		MESSAGEID =~ /^<(?:\d\d?\.){3,5}\d{14}\.[a-f0-9]{8}\@\S+(?:\sport\s\d+)?>$/m
meta FORGED_MUA_EUDORA          __EUDORA_MUA && !( __EUDORA_MSGID || __UNUSABLE_MSGID || MAILING_LIST_MULTI || MSGID_FROM_MTA_HEADER )
describe FORGED_MUA_EUDORA	Forged mail pretending to be from Eudora
  
# From private mail with developers.  Some top tips here!
header __THEBAT_MUA		X-Mailer =~ /^The Bat!/
header __THEBAT_MUA_V1		X-Mailer =~ /^The Bat! \(v1\./
#header __THEBAT_MUA_V2		X-Mailer =~ /^The Bat! \(v2\./
#header __THEBAT_MUA_V3		X-Mailer =~ /^The Bat! \(v3\./
header __CTYPE_CHARSET_QUOTED	Content-Type =~ /charset=\"/i
header __CTYPE_HAS_BOUNDARY	Content-Type =~ /boundary/i
header __BAT_BOUNDARY		Content-Type =~ /boundary=\"-{10}[A-F0-9]{4,}\"/
header __MAILMAN_21             X-Mailman-Version =~ /\d/
meta FORGED_MUA_THEBAT_CS	(__THEBAT_MUA && __CTYPE_CHARSET_QUOTED && !__MAILMAN_21)
meta FORGED_MUA_THEBAT_BOUN     (__THEBAT_MUA && __CTYPE_HAS_BOUNDARY && !__BAT_BOUNDARY && !__MAILMAN_21)
describe FORGED_MUA_THEBAT_CS	Mail pretending to be from The Bat! (charset)
describe FORGED_MUA_THEBAT_BOUN Mail pretending to be from The Bat! (boundary)

# bug 4649: bulk mail sent via Yahoo! often looks forged, even when it is not
header __YAHOO_BULK		Received =~ /from \[\S+\] by \S+\.(?:groups|scd|dcn)\.yahoo\.com with NNFMP/

meta FORGED_OUTLOOK_HTML	(!__YAHOO_BULK && __ANY_OUTLOOK_MUA && MIME_HTML_ONLY)
describe FORGED_OUTLOOK_HTML	Outlook can't send HTML message only

# bug 2525: FORGED_IMS_HTML fp'ing because new IMS *DOES* use text/html
# ctype.  ARGH.  This was noted in build 5.5.2656.59, so permit builds
# after that to get away with it.
header __IMS_HTML_BUILDS	X-Mailer =~ /^Internet Mail Service .(?:[6789]\.|5\.[6789]|5\.5\.(?:[3456789]|2[789]|26[6789]|265[6789]))/
header __IMS_HTML_RCVD		Received =~ /\bby \S+ with Internet Mail Service .(?:[6789]\.|5\.[6789]|5\.5\.(?:[3456789]|2[789]|26[6789]|265[6789]))/
meta FORGED_IMS_HTML		(!__YAHOO_BULK && __IMS_MUA && MIME_HTML_ONLY && !(__IMS_HTML_BUILDS && __IMS_HTML_RCVD))
describe FORGED_IMS_HTML	IMS can't send HTML message only

meta FORGED_THEBAT_HTML		(__THEBAT_MUA_V1 && MIME_HTML_ONLY)
describe FORGED_THEBAT_HTML	The Bat! can't send HTML message only

# bug 2513
header __REPTO_QUOTE		Reply-To =~ /".*"\s*\</
meta REPTO_QUOTE_AOL		__REPTO_QUOTE && __AOL_MUA
describe REPTO_QUOTE_AOL	AOL doesn't do quoting like this

meta REPTO_QUOTE_IMS		__REPTO_QUOTE && __IMS_MUA
describe REPTO_QUOTE_IMS	IMS doesn't do quoting like this

meta REPTO_QUOTE_MSN		__REPTO_QUOTE && (__FROM_MSN_COM || __AT_MSN_MSGID)
describe REPTO_QUOTE_MSN	MSN doesn't do quoting like this

meta REPTO_QUOTE_QUALCOMM	__REPTO_QUOTE && __ANY_QUALCOMM_MUA
describe REPTO_QUOTE_QUALCOMM	Qualcomm/Eudora doesn't do quoting like this

meta REPTO_QUOTE_YAHOO		__REPTO_QUOTE && (__FROM_YAHOO_COM || __AT_YAHOO_MSGID)
describe REPTO_QUOTE_YAHOO	Yahoo! doesn't do quoting like this

# bug 1561
# stronger version of USER_AGENT_APPLEMAIL
# Apple Mail doesn't send text/html at all (unless it's an attachment)
# It'll send text/plain, or multipart/alternative with text/plain and
# text/enriched parts (boundary of "Apple-Mail-\d--\d+").  It can, however,
# send a multipart/mixed with a single text/html attachment, so don't use
# MIME_HTML_ONLY.
# perhaps limit CTYPE to "text/plain", "multipart/alternative" with
# "text/plain" and "text/enhanced", or "multipart/mixed"?
# bug 4223: expand for new Apple Mail version format
header __X_MAILER_APPLEMAIL	X-Mailer =~ /^Apple Mail \(\d\.\d+(?:\.\d+)?\)$/
header __MSGID_APPLEMAIL        Message-Id =~ /^<[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\@\S+>$/
header __MIME_VERSION_APPLEMAIL	Mime-Version =~ /^1\.0 \(Apple Message framework v\d+(?:\.\d+)?\)$/
meta __USER_AGENT_APPLEMAIL	!__CTYPE_HTML && __X_MAILER_APPLEMAIL && (__MSGID_APPLEMAIL || __MIME_VERSION_APPLEMAIL)

# 2003-02-23: quinlan
# some useful meta rule sub-elements
header __CTYPE_HTML		Content-Type =~ /text\/html/i
header __ANY_IMS_MUA		X-Mailer =~ /^Internet Mail Service\b/
header __ANY_OUTLOOK_MUA	X-Mailer =~ /^Microsoft (?:Office )?Outlook\b/

header __ANY_QUALCOMM_MUA       X-Mailer =~ /\bQUALCOMM\b/
meta FORGED_QUALCOMM_TAGS	(__ANY_QUALCOMM_MUA && __MIME_HTML && !__TAG_EXISTS_HTML)
describe FORGED_QUALCOMM_TAGS	QUALCOMM mailers can't send HTML in this format

meta FORGED_IMS_TAGS		(!__YAHOO_BULK && __ANY_IMS_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY))
describe FORGED_IMS_TAGS	IMS mailers can't send HTML in this format

meta FORGED_OUTLOOK_TAGS	(!__YAHOO_BULK && __ANY_OUTLOOK_MUA && __MIME_HTML && !(__TAG_EXISTS_HTML && __TAG_EXISTS_HEAD && __TAG_EXISTS_META && __TAG_EXISTS_BODY))
describe FORGED_OUTLOOK_TAGS	Outlook can't send HTML in this format

# Send-Safe ratware (idea from Alan Curry)
# random alphanumerics, separated into groups of 16 by dashes (the first
# and last group may be shorter), with a lowercase "l" and a number
# appended. The final number is the length of the whole string not
# including the dashes or the "l<number>".  Why? I have no idea.  It's
# not a tracking code - the spamware does not save it locally.
#
# jm: it's specifically to throw off MIME base64 encoding, to evade AOL's
# filters.
#
# http://groups.google.com/groups?selm=atp1ip0n22%40enews3.newsguy.com
rawbody RATWARE_HASH_DASH	/[a-z\d]-[a-z\d]{16}-[a-z\d]{1,16}(?-i:l)\d/i
describe RATWARE_HASH_DASH	Contains a hashbuster in Send-Safe format

########################################################################
# Most ratware uses message templates I would guess.
# Here's two popular ones...

########################################################################
# This ratware always uses a +0000 TZ in the Date header, and has a multiplicity
# of From: header formats. ("From" header samples from Steven Champeon
# <schampeo.hesketh.com> via the spamtools.lists.abuse.net and SPAM-L lists).
#
# "First Last" <firstlast_[a-z][a-z]@somedomain>        1
# "First Last" <firstlast[a-z][a-z]@somedomain>         1
# "First Last" <first.last[a-z][a-z]@somedomain>        1
# "First Last" <first_last[a-z][a-z]@somedomain>        1
# "First Last" <first_last_[a-z][a-z]@somedomain>       1
# "First Last" <flast_[a-z][a-z]@somedomain>            2
# "First Last" <flast[a-z][a-z]@somedomain>             2
# "First Last" <f.last_[a-z][a-z]@somedomain>           2
# "First Last" <f.last[a-z][a-z]@somedomain>            2
# "First Last" <f_last[a-z][a-z]@somedomain>            2
# "First Last" <last[a-z][a-z]@somedomain>              3
# "First M. Last" <firstlast_[a-z][a-z]@somedomain>     4
# "First M. Last" <firstlast[a-z][a-z]@somedomain>      4
# "First M. Last" <first.m.last[a-z][a-z]@somedomain>   5
# "First M. Last" <firstmlast[a-z][a-z]@somedomain>     5
# "First M. Last" <firstmlast_[a-z][a-z]@somedomain>    5
# "First M. Last" <fmlast_[a-z][a-z]@somedomain>        6
# "First M. Last" <mlast[a-z][a-z]@somedomain>          7
# "First M. Last" <m.last[a-z][a-z]@somedomain>         7
header __0_TZ_1      From =~ /^\"(\w)(\w+) (\w+)\" <\1\2[\._]?\3_?[a-z][a-z]\@/i
header __0_TZ_2      From =~ /^\"(\w)(\w+) (\w+)\" <\1[\._]?\3_?[a-z][a-z]\@/i
header __0_TZ_3      From =~ /^\"(\w)(\w+) (\w+)\" <\3_?[a-z][a-z]\@/i
header __0_TZ_4      From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\1\2[\._]?\4_?[a-z][a-z]\@/i
header __0_TZ_5      From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\1\2[\._]?\3[\._]?\4_?[a-z][a-z]\@/i
header __0_TZ_6      From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\1\3\4_?[a-z][a-z]\@/i
header __0_TZ_7      From =~ /^\"(\w)(\w+) (\w)\. (\w+)\" <\3[\._]?\4_?[a-z][a-z]\@/i

header __RATWARE_0_TZ_DATE	Date =~ / \+0000$/

meta RATWARE_ZERO_TZ   		(__RATWARE_0_TZ_DATE && __CTYPE_HTML && (__0_TZ_1 || __0_TZ_2 || __0_TZ_3 || __0_TZ_4 || __0_TZ_5 || __0_TZ_6 || __0_TZ_7))
describe RATWARE_ZERO_TZ	Bulk email fingerprint (+0000) found


header X_MESSAGE_INFO		exists:X-Message-Info
describe X_MESSAGE_INFO		Bulk email fingerprint (X-Message-Info) found

# case-sensitive rule
# only significant rules with no FPs, hit recently, on 2+ corpuses
header HEADER_SPAM		ALL =~ /^(?:Alternate-Recipient|Antivirus|Approved|Delivery-Notification|Disclose-Recipients|Error-path|Language|Location|Mime-Subversion|Newsletter-ID|PID|Rot|UID|X-BounceTrace|X-CS-IP|X-Company-Address|X-Company-City|X-Company-Country|X-Company-State|X-Company-Zip|X-E(?:[Mm]ail)?|X-Encoding|X-Originating-Company|X-RMD-Text|X-SG4|X-SP-Track-ID|X-Webmail-Time|X-bounce-to):/m
describe HEADER_SPAM		Bulk email fingerprint (header-based) found

header RATWARE_RCVD_PF		Received =~ / \(Postfix\) with ESMTP id [^;]+\; \S+ \d+ \S+ \d+ \d+:\d+:\d+ \S+$/s
describe RATWARE_RCVD_PF	Bulk email fingerprint (Received PF) found

header RATWARE_RCVD_AT		Received =~ / by \S+\@\S+ with Microsoft SMTPSVC/
describe RATWARE_RCVD_AT	Bulk email fingerprint (Received @) found

header __RCVD_WITH_EXCHANGE	Received =~ /with Microsoft Exchange Server/

meta RATWARE_OUTLOOK_NONAME	__MSGID_DOLLARS_OK && !__HAS_X_MAILER && !__RCVD_WITH_EXCHANGE
describe RATWARE_OUTLOOK_NONAME	Bulk email fingerprint (Outlook no name) found



header __MIMEOLE_MS		X-MIMEOLE =~ /^Produced By Microsoft MimeOLE/
meta RATWARE_MS_HASH 		__MSGID_DOLLARS_OK && !__MIMEOLE_MS && !__RCVD_WITH_EXCHANGE
describe RATWARE_MS_HASH	Bulk email fingerprint (msgid ms hash) found

###########################################################################

ifplugin Mail::SpamAssassin::Plugin::HeaderEval

header __GATED_THROUGH_RCVD_REMOVER  eval:gated_through_received_hdr_remover()

header __RATWARE_NAME_ID	eval:check_ratware_name_id()
meta RATWARE_NAME_ID		__RATWARE_0_TZ_DATE && __RATWARE_NAME_ID
describe RATWARE_NAME_ID	Bulk email fingerprint (msgid from) found

header RATWARE_EFROM		eval:check_ratware_envelope_from()
describe RATWARE_EFROM		Bulk email fingerprint (envfrom) found

endif

###########################################################################

ifplugin Mail::SpamAssassin::Plugin::MIMEEval

body __MIME_HTML		eval:check_for_mime_html()

endif

###########################################################################

ifplugin Mail::SpamAssassin::Plugin::HTMLEval

body __TAG_EXISTS_BODY		eval:html_tag_exists('body')
body __TAG_EXISTS_HEAD		eval:html_tag_exists('head')
body __TAG_EXISTS_HTML		eval:html_tag_exists('html')
body __TAG_EXISTS_META		eval:html_tag_exists('meta')
body __TAG_EXISTS_STYLE		eval:html_tag_exists('style')
body __TAG_EXISTS_SCRIPT	eval:html_tag_exists('script')

endif

Youez - 2016 - github.com/yon3zu
LinuXploit