# Copyright (c) 2005 Daryl C. W. O'Shea, DOS Technologies. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. loadplugin Mail::SpamAssassin::Plugin::WebRedirect /etc/mail/spamassassin/WebRedirect.pm web_redirect_max_checks 3 web_redirect_host geocities.com *.geocities.com geocities.yahoo.com.?? web_redirect_host tripod.com *.tripod.com tripod.lycos.com web_redirect_host spaces.msn.com web_redirect_skip_host example.com *.example.com # Eval rules that test the HTTP status code returned header WEB_301 eval:WebRedirect_Status(301) score WEB_301 1.0 describe WEB_301 Contains a web link that returns 301 tflags WEB_301 net header WEB_302 eval:WebRedirect_Status(302) score WEB_302 1.0 describe WEB_302 Contains a web link that returns 302 tflags WEB_302 net header WEB_403 eval:WebRedirect_Status(403) score WEB_403 4.0 describe WEB_403 Contains a web link that returns 403 tflags WEB_403 net header WEB_404 eval:WebRedirect_Status(404) score WEB_404 2.5 describe WEB_404 Contains a web link that returns 404 tflags WEB_404 net # Tests against plaintext found in web pages header WEB_HTTP_REDIR Web-Redirect =~ /http-equiv="refresh".{0,100}url=/i score WEB_HTTP_REDIR 2.0 describe WEB_HTTP_REDIR A web link contains an http-equiv redirect tflags WEB_HTTP_REDIR net header WEB_UNSUBSCRIBE Web-Redirect =~ /\bunsubscribe?\b/i score WEB_UNSUBSCRIBE 2.5 describe WEB_UNSUBSCRIBE Contains a web link that mentions unsubscribing tflags WEB_UNSUBSCRIBE net header WEB_SEXUAL Web-Redirect =~ /\bsexual\b/ score WEB_SEXUAL 0.5 describe WEB_SEXUAL Contains a Geocities link that mentions sexual tflags WEB_SEXUAL net header WEB_RE_HTMLCRYPT Web-Redirect =~ /\bHTMLCrypt\b/ score WEB_RE_HTMLCRYPT 1.0 describe WEB_RE_HTMLCRYPT Contains a html redirect page with crypt in it! tflags WEB_RE_HTMLCRYPT net header WEB_RE_DECRYPT Web-Redirect =~ /Decrypt the HTML/ score WEB_RE_DECRYPT 1.0 describe WEB_RE_DECRYPT Contains link to web page that decrypts itself tflags WEB_RE_DECRYPT net header WEB_JS_ENCODE Web-Redirect =~ /\bJScript\.Encode\b/ score WEB_JS_ENCODE 3.0 describe WEB_JS_ENCODE Links to a Geocities page containing encoded data tflags WEB_JS_ENCODE net header WEB_RE_ONLOAD_JS Web-Redirect =~ /\bbody\s+onload\s*=\s*"javascript:location\.href='/ score WEB_RE_ONLOAD_JS 1.0 describe WEB_RE_ONLOAD_JS Links to web page that redirects you upon loading tflags WEB_RE_ONLOAD_JS net header WEB_RE_LOC_HREF Web-Redirect =~ /\blocation\.href\s*=/ score WEB_RE_LOC_HREF 4.0 describe WEB_RE_LOC_HREF Links to web page that contains 'location.href=' tflags WEB_RE_LOC_HREF net header WEB_RE_HOTLOG Web-Redirect =~ /\bhotlog\.ru\b/ score WEB_RE_HOTLOG 2.0 describe WEB_RE_HOTLOG Links to web page that uses hotlog.ru tflags WEB_RE_HOTLOG net header WEB_ADULT Web-Redirect =~ /\b(?:SEXUAL CONTENT WARNING|ADULTS ONLY)\b/ score WEB_ADULT 2.0 describe WEB_ADULT Links to web page that contains adult content tflags WEB_ADULT net header WEB_SUBSCRIBTION Web-Redirect =~ /\bsubscribtion\b/ score WEB_SUBSCRIBTION 2.0 describe WEB_SUBSCRIBTION Offers to stop your 'subscribtion' tflags WEB_SUBSCRIBTION net header WEB_UNSUB_PHP Web-Redirect =~ /\bunsubscribed.php\b/ score WEB_UNSUB_PHP 2.0 describe WEB_UNSUB_PHP Links to site that contains 'unsubscribed.php' tflags WEB_UNSUB_PHP net header WEB_SUBSCRIBED Web-Redirect =~ /\byou\s+were\s+subscribed\b/ score WEB_SUBSCRIBED 2.0 describe WEB_SUBSCRIBED Claims that you were subscribed to something tflags WEB_SUBSCRIBED net header WEB_EXIT_SITE Web-Redirect =~ /\bEXIT SITE\b/ score WEB_EXIT_SITE 0.75 describe WEB_EXIT_SITE Links to a site that offers you to exit it tflags WEB_EXIT_SITE net header WEB_LOC_HREF_ADD Web-Redirect =~ /\blocation\."?\s*\+\s*"href\s*=/ score WEB_LOC_HREF_ADD 4.0 describe WEB_LOC_HREF_ADD Page contains addition of 'location.' + 'href' tflags WEB_LOC_HREF_ADD net # http://spaces.msn.com/members/isidrolangham/ header WEB_REPLICA_WATCH Web-Redirect =~ /\bReplica-Watch-Store\b/ score WEB_REPLICA_WATCH 3.0 describe WEB_REPLICA_WATCH Page contains 'Replica-Watch-Store' tflags WEB_REPLICA_WATCH net # Tests against decoded cyphertext found in web pages header WEB_ENRE_LOC_HREF Web-Redirect-Encoded =~ /\blocation\.href\s*=/ score WEB_ENRE_LOC_HREF 3.0 describe WEB_ENRE_LOC_HREF Web page contains encoded 'location.href=' tflags WEB_ENRE_LOC_HREF net header WEB_ENRE_ON_LOAD Web-Redirect-Encoded =~ /\bbody\.onload\s*=/ score WEB_ENRE_ON_LOAD 3.0 describe WEB_ENRE_ON_LOAD Linked web page contains encoded 'body.onload' tflags WEB_ENRE_ON_LOAD net header WEB_ENRE_URI_ADD Web-Redirect-Encoded =~ /\bprefix\s*\+\s*domain(?:_to)?\b/ score WEB_ENRE_URI_ADD 1.0 describe WEB_ENRE_URI_ADD Page contains encoded addition of prefix + domain tflags WEB_ENRE_URI_ADD net header WEB_ENCODED_DATA Web-Redirect-Encoded !~ /^(?:---new-page---)*$/ score WEB_ENCODED_DATA 2.0 describe WEB_ENCODED_DATA Links to a web page containing encoded data tflags WEB_ENCODED_DATA net