andi.de » Linux

Weg damit

Andi — Tue, 01 May 2007 20:44:10 +0000

Hin und wieder ist es nötig, aber ein bisschen Respekt hat man doch jedesmal wieder davor — und checkt fünfmal, dass man es auch auf der richtigen Maschine ausführt… :

dd if=/dev/zero of=/dev/sda bs=10240
dd if=/dev/zero of=/dev/sdb bs=10240

Und tschüß

DoS-Angriffe erfolgreich aufhalten

Andi — Fri, 16 Feb 2007 23:50:30 +0000

Immer wieder versuchen nervige Script-Kiddies, Spam-Bots oder sonstige bösgestimmte Zeitgenossen, durch viele Anfragen an Webserver in sehr kurzer Zeit deren Funktion zu beeinträchtigen und die Auslieferung der Inhalte an „normale“ Besucher dadurch zu erschweren oder gar ganz zu verhindern.
Heutzutage generieren sich viele Webprojekte aus dynamisch erzeuten Seiten; die Bildung der Inhalte benötigt daher Rechenzeit und Speicher auf derm Webserver, was das DoS-Problem verstärkt. Durch zu viele Anfragen in zu kurzer Zeit steigt die CPU-Auslastung an und in ungünstigen Situation ist kein Seiteaufbau mehr möglich, da dem Server der RAM ausgeht.
Um hier Entlastung zu bringen wurde das Apache-Modul mod_evasive entwickelt (Download-Mirror), welches die maximal möglichen Verbindungen pro IP-Adresse kontrolliert und im Bedarfsfall abblockt.
mod_evasive erstellt intern eine Liste von zugreifenden IPs und angeforderten URLs. Sobald in einer einstellbaren Zeitspanne ein festgelegter Schwellwert überschritten wird, lehnt das Modul weitere Zugriffe innerhalb einer Blacklist-Frist mit einem 403-Forbidden-Fehler ab — hierduch erfolgt kein rechenintensiver Aufruf von Inhalten mehr und viele DoS-Attacken laufen ins Leere.
Die Installation ist einfach. Das Modul kann im Quelltext bezogen werden und bei installieren Apache-dev-Quellen simpel durch Aufruf von

apxs -i -a -c mod_evasive20.c

kompiliert und den Apache-Modulen zugefügt werden.
Bei der Installation wird ein Eintrag in die httpd.conf eingefügt; zusätzlich empfiehlt sich, die Parameter von mod_evasive an die eigenen Bedürfnisse anzupassen.
Hierzu fügt man in der Apache-Konfiguration einen Abschnitt ein:


    DOSHashTableSize    3096
    DOSPageCount        5
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10

Die Bedeutung der einzelnen Option sind in der Dokumentation erläutert.
Nach einem Neustart von Apache greift der Schutz. Bei Bedarf kann bei IP-Blacklistungen eine eMail an eine beliebige Adresse geschickt werden. Hierzu kann man oben zusätzlich die Option DOSEmailNotify admin@mydomain.net mit passender Adresse eintragen.
Anzumerken bleibt, dass mod_evasive zwar eine deutliche Lastreduktion bei Angriffen bieten kann, einen vollständigen Schutz leistet aber nur ein Abblocken der DoS-Pakete mittels Firewall, bevor sie Apache überhaut erreichen können.

mod_rewrite: Variablen auf neues Ziel umleiten

Andi — Mon, 08 Jan 2007 16:39:21 +0000

Vielleicht standet ihr auch schon vor dem Problem: die URL-Struktur einer Webpräsenz hat sich geändert, Skripte, welche Inhalte dynamisch generieren, liegen an anderen Orten und u.U. hat sich auch die Struktur der zu übergebenden GET-Variablen geändert.
Prinzipiell eigentlich kein Problem, schließlich sollten die dynamischen Inhalte aus dem Gesamtkontext mit der neuen Struktur erzeugt werden; anders sieht es jedoch aus, wenn es sich bei den Skript-Dateien um wichtige Inhalte handelt, die auch bei Google schon gut indiziert sind.
Es wäre ärgerlich, wenn die bei Google geführten Links nicht mehr gültig sind und ins Leere laufen – oder sogar 404-Fehler erzeugen.
Um die Struktur von Web-Präsenzen auf neue Ziele „umzubiegen“ bietet sich ein Regelwerk in der sogenannten .htaccess-Datei an.
Leider ist die Umleitung von GET-Variablen nicht ganz trivial.
Der erste Gedanke wäre z.B. folgende Lösung, um die Parameter des Skripts datei.php — param1 sowie param2 auf die neue Location umzuleiten:

RewriteRule ^datei\.php\?param1=([^&]+)¶m2([^&]+) /neu/datei/$2/$1 [R=301,L]
#falsch!!

So klappt es leider nicht, da mod_rewrite diese Behandlung von QueryParametern nicht toleriert.
Der richtige Ansatz läuft über Analyse des QueryStrings, um die GET-Parameter zu separieren:

RewriteEngine On 
RewriteCond %{QUERY_STRING} ^param1=([^&]+)¶m2=([^&]+)$ 
RewriteRule ^datei\.php$ /datei/%2/%1? [R=301,L]

Per %n wird hier auf die ‘Variablen’ der vorigen RewriteCond zugegriffen.
Nach diesem Muster lassen sich auch anspruchsvolle Umstukturierungen “google-freundlich” durchführen. Beispiele für weitere Rewrite-Methoden gibt es in der Apache-Dokumentation.

Spamassassin: Tests und deren Beschreibung

Andi — Fri, 24 Nov 2006 21:46:45 +0000

Wer sich schon einmal näher mit Spamassassin beschäftigt hat wird wissen, dass dieses hilfreiche Werkzeug die durchgeleitete eMail mittels verschiedener Algorithmen bewertet und während der Ausführung der diversen Tests bei passender Konfiguration die als positiv erkannten Spamerkennungs-Treffer durch Schlagworte im Mailheader anzeigt.
Ein Beispiel:

X-Spam-Status: No, score=-1.5 required=8.8 tests=AWL,BAYES_00,
    FORGED_RCVD_HELO,HTML_90_100,HTML_IMAGE_RATIO_02,HTML_MESSAGE,
    SPF_HELO_PASS autolearn=no version=3.1.1

Die Stichwörter besitzen zwar einigermaßen sprechende Namen, manchmal wäre es aber doch hilfreich, nähere Details über den positiven Treffer zu erhalten.
Hier eine Auflistung der am häufigsten anzutreffenden Schlüsselworte mit Erklärung und Ort der Erkennung:

Schlüsselwort	Erklärung	Ort
ACCESSDB	Message would have been caught by accessdb	header
ACT_NOW_CAPS	Talks about ‘acting now’ with capitals	body
ADDR_FREE	From Address contains FREE	header
ADDRESS_IN_SUBJECT	To: address appears in Subject	header
ALL_NATURAL	Spam is 100% natural?!	body
ALL_TRUSTED	Passed through trusted hosts only via SMTP	header
AMATEUR_PORN	Possible porn – Amateur Porn	body
AMAZING_STUFF	Amazing Stuff	body
AS_SEEN_ON	As seen on national TV!	body
AWL	From: address is in the auto white-list	header
BAD_CREDIT	Eliminate Bad Credit	body
BAD_ENC_HEADER	Message has bad MIME encoding in the header	header
BANG_EXERCISE	Talks about exercise with an exclamation!	body
BANG_GUAR	Something is emphatically guaranteed	body
BANG_MORE	Talks about more with an exclamation!	body
BANG_OPRAH	Talks about Oprah with an exclamation!	body
BARGAIN_URL	Includes a link to a likely spammer domain	uri
BAYES_00	Bayesian spam probability is 0 to 1%	body
BAYES_05	Bayesian spam probability is 1 to 5%	body
BAYES_20	Bayesian spam probability is 5 to 20%	body
BAYES_40	Bayesian spam probability is 20 to 40%	body
BAYES_50	Bayesian spam probability is 40 to 60%	body
BAYES_60	Bayesian spam probability is 60 to 80%	body
BAYES_80	Bayesian spam probability is 80 to 95%	body
BAYES_95	Bayesian spam probability is 95 to 99%	body
BAYES_99	Bayesian spam probability is 99 to 100%	body
BE_BOSS	Be your own boss	body
BEST_PORN	Possible porn – Best, Largest, Most Porn	body
BILL_1618	Possible mention of bill 1618 (anti-spam bill)	body
BILLION_DOLLARS	Talks about lots of money	body
BIZ_TLD	Contains an URL in the BIZ top-level domain	uri
BLANK_LINES_70_80	Message body has 70-80% blank lines	body
BLANK_LINES_80_90	Message body has 80-90% blank lines	body
BLANK_LINES_90_100	Message body has 90-100% blank lines	body
BODY_8BITS	Body includes 8 consecutive 8-bit characters	body
BODY_ENHANCEMENT	Information on growing body parts	body
BODY_ENHANCEMENT2	Information on getting larger body parts	body
CHARSET_FARAWAY	Character set indicates a foreign language	body
CHARSET_FARAWAY_HEADER	A foreign language charset used in headers	header
CHINA_HEADER	Involves ‘china.com’	header
CLICK_BELOW_CAPS	Asks you to click below (in capital letters)	body
CLICK_TO_REMOVE_1	Click to be removed	body
COMPETE	Compete for your business	body
CONFIDENTIAL_ORDER	Confidentiality on all orders	body
CONSOLIDATE_DEBT	Consolidate debt, credit, or bills	body
CUM_SHOT	Possible porn – Cum Shot	body
DATE_IN_FUTURE_03_06	Date: is 3 to 6 hours after Received: date	header
DATE_IN_FUTURE_06_12	Date: is 6 to 12 hours after Received: date	header
DATE_IN_FUTURE_12_24	Date: is 12 to 24 hours after Received: date	header
DATE_IN_FUTURE_24_48	Date: is 24 to 48 hours after Received: date	header
DATE_IN_FUTURE_48_96	Date: is 48 to 96 hours after Received: date	header
DATE_IN_FUTURE_96_XX	Date: is 96 hours or more after Received: date	header
DATE_IN_PAST_03_06	Date: is 3 to 6 hours before Received: date	header
DATE_IN_PAST_06_12	Date: is 6 to 12 hours before Received: date	header
DATE_IN_PAST_12_24	Date: is 12 to 24 hours before Received: date	header
DATE_IN_PAST_24_48	Date: is 24 to 48 hours before Received: date	header
DATE_IN_PAST_48_96	Date: is 48 to 96 hours before Received: date	header
DATE_IN_PAST_96_XX	Date: is 96 hours or more before Received: date	header
DATE_SPAMWARE_Y2K	Date header uses unusual Y2K formatting	header
DCC_CHECK	Listed in DCC (http://rhyolite.com/anti-spam/dcc/)	full
DEAR_FRIEND	Dear Friend? That’s not very dear!	body
DEAR_SOMETHING	Contains ‘Dear (something)’	body
DEEP_DISC_MEDS	Deep discount medications	body
DIET_1	Lose Weight Spam	body
DIET_2	Describes weight loss	body
DIET_3	Describes body fat loss	body
DISGUISE_PORN	Attempts to disguise porn words	body
DISGUISE_PORN_MUNDANE	Attempts to disguise mundane words used in porn	body
DK_POLICY_SIGNALL	Domain Keys: policy says domain signs all mails	header
DK_POLICY_SIGNSOME	Domain Keys: policy says domain signs some mails	header
DK_POLICY_TESTING	Domain Keys: policy says domain is testing DK	header
DK_SIGNED	Domain Keys: message has an unverified signature	header
DK_VERIFIED	Domain Keys: signature passes verification	header
DNS_FROM_AHBL_RHSBL	From: sender listed in dnsbl.ahbl.org	header
DNS_FROM_RFC_ABUSE	Envelope sender in abuse.rfc-ignorant.org	header
DNS_FROM_RFC_BOGUSMX	Envelope sender in bogusmx.rfc-ignorant.org	header
DNS_FROM_RFC_DSN	Envelope sender in dsn.rfc-ignorant.org	header
DNS_FROM_RFC_POST	Envelope sender in postmaster.rfc-ignorant.org	header
DNS_FROM_RFC_WHOIS	Envelope sender in whois.rfc-ignorant.org	header
DNS_FROM_SECURITYSAGE	Envelope sender in blackholes.securitysage.com	header
DOMAIN_4U2	Domain name containing a "4u" variant	uri
DOMAIN_RATIO	Message body mentions many internet domains	body
DRUG_DOSAGE	Talks about price per dose	body
DRUG_ED_CAPS	Mentions an E.D. drug	body
DRUG_ED_COMBO	Viagra and other drugs	body
DRUG_ED_GENERIC	Mentions Generic Viagra	body
DRUG_ED_ONLINE	Fast Viagra Delivery	body
DRUG_ED_SILD	Talks about an E.D. drug using its chemical name	body
DRUGS_SMEAR1	Two or more drugs crammed together into one word	body
EARN_PER_WEEK	Contains ‘earn (dollar) something per week’	body
EM_ROLEX	Message puts emphasis on the watch manufacturer	body
EMAIL_ROT13	Body contains a ROT13-encoded email address	body
ENGLISH_UCE_SUBJECT	Subject contains an English UCE tag	header
ENTITY_DEC_ALPHANUM	HTML contains needlessly encoded characters	rawbody
EXCUSE_10	"if you do not wish to receive any more"	body
EXCUSE_12	Nobody’s perfect	body
EXCUSE_23	Claims you have provided permission	body
EXCUSE_24	Claims you wanted this ad	body
EXCUSE_4	Claims you can be removed from the list	body
EXCUSE_6	Claims you can be removed from the list	body
EXCUSE_REMOVE	Talks about how to be removed from mailings	body
EXTRA_CASH	Offers Extra Cash	body
EXTRA_MPART_TYPE	Header has extraneous Content-type:…type= entry	header
FAKE_HELO_EMAIL_COM	Host HELO did not match rDNS: email.com	header
FAKE_HELO_EUDORAMAIL	Host HELO did not match rDNS: eudoramail.com	header
FAKE_HELO_EXCITE	Host HELO did not match rDNS: excite.com	header
FAKE_HELO_LYCOS	Host HELO did not match rDNS: lycos.com	header
FAKE_HELO_MAIL_COM	Host HELO did not match rDNS: mail.com	header
FAKE_HELO_MAIL_COM_DOM	Relay HELO’d with suspicious hostname (mail.com)	header
FAKE_HELO_MSN	Host HELO did not match rDNS: msn.com	header
FAKE_HELO_YAHOO_CA	Host HELO did not match rDNS: yahoo.ca	header
FAKE_OUTBLAZE_RCVD	Received header contains faked ‘mr.outblaze.com’	header
FAKED_UNDISC_RECIPS	Faked To "Undisclosed-Recipients"	header
FIN_FREE	Freedom of a financial nature	body
FORGED_AOL_RCVD	Received forged, contains fake AOL relays	header
FORGED_EUDORAMAIL_RCVD	Forged eudoramail.com ‘Received:’ header found	header
FORGED_GW05_RCVD	Forged ‘by gw05′ ‘Received:’ header found	header
FORGED_HOTMAIL_RCVD	Forged hotmail.com ‘Received:’ header found	header
FORGED_HOTMAIL_RCVD2	hotmail.com ‘From’ address, but no ‘Received:’	header
FORGED_JUNO_RCVD	‘From’ juno.com does not match ‘Received’ headers	header
FORGED_RCVD_HELO	Received: contains a forged HELO	header
FORGED_TELESP_RCVD	Contains forged hostname for a DSL IP in Brazil	header
FORGED_YAHOO_RCVD	‘From’ yahoo.com does not match ‘Received’ headers	header
FORWARD_LOOKING	Stock Disclaimer Statement	body
FRAGMENTED_MESSAGE	Partial message	header
FREE_ACCESS	Contains ‘free access’ with capitals	body
FREE_PORN	Possible porn – Free Porn	body
FREE_PREVIEW	Free Preview	body
FREE_QUOTE_INSTANT	Free express or no-obligation quote	body
FREE_SAMPLE	Contains ‘free sample’ with capitals	body
FROM_ALL_NUMS	From numeric address (except US/Canada phones)	header
FROM_AND_TO_SAME	From and To are the same, but not exactly	header
FROM_BLANK_NAME	From: contains empty name	header
FROM_DOMAIN_NOVOWEL	From: domain has series of non-vowel letters	header
FROM_ENDS_IN_NUMS	From: ends in many numbers	header
FROM_HAS_MIXED_NUMS	From: contains numbers mixed in with letters	header
FROM_HAS_ULINE_NUMS	From: contains an underline and numbers/letters	header
FROM_ILLEGAL_CHARS	From: has too many raw illegal characters	header
FROM_LOCAL_DIGITS	From: localpart has long digit sequence	header
FROM_LOCAL_HEX	From: localpart has long hexadecimal sequence	header
FROM_LOCAL_NOVOWEL	From: localpart has series of non-vowel letters	header
FROM_NO_LOWER	From address has no lower-case characters	header
FROM_NO_USER	From: has no local-part before @ sign	header
FROM_NONSENDING_DOMAIN	Message is from domain that never sends email	header
FROM_OFFERS	From address is "at something-offers"	header
FROM_STARTS_WITH_NUMS	From: starts with many numbers	header
FRONTPAGE	Frontpage used to create the message	rawbody
FULL_REFUND	Offers a full refund	body
FUZZY_AFFORDABLE	Attempt to obfuscate words in spam	body
FUZZY_AMBIEN	Attempt to obfuscate words in spam	body
FUZZY_BILLION	Attempt to obfuscate words in spam	body
FUZZY_CELEBREX	Attempt to obfuscate words in spam	body
FUZZY_CPILL	Attempt to obfuscate words in spam	body
FUZZY_CREDIT	Attempt to obfuscate words in spam	body
FUZZY_ERECT	Attempt to obfuscate words in spam	body
FUZZY_FOLLOW	Attempt to obfuscate words in spam	body
FUZZY_GUARANTEE	Attempt to obfuscate words in spam	body
FUZZY_MEDICATION	Attempt to obfuscate words in spam	body
FUZZY_MILF	Attempt to obfuscate words in spam	body
FUZZY_MILLION	Attempt to obfuscate words in spam	body
FUZZY_MONEY	Attempt to obfuscate words in spam	body
FUZZY_MORTGAGE	Attempt to obfuscate words in spam	body
FUZZY_OBLIGATION	Attempt to obfuscate words in spam	body
FUZZY_OFFERS	Attempt to obfuscate words in spam	body
FUZZY_PHARMACY	Attempt to obfuscate words in spam	body
FUZZY_PHENT	Attempt to obfuscate words in spam	body
FUZZY_PLEASE	Attempt to obfuscate words in spam	body
FUZZY_PRESCRIPT	Attempt to obfuscate words in spam	body
FUZZY_PRICES	Attempt to obfuscate words in spam	body
FUZZY_REFINANCE	Attempt to obfuscate words in spam	body
FUZZY_REMOVE	Attempt to obfuscate words in spam	body
FUZZY_ROLEX	Attempt to obfuscate words in spam	body
FUZZY_SOFTWARE	Attempt to obfuscate words in spam	body
FUZZY_THOUSANDS	Attempt to obfuscate words in spam	body
FUZZY_TRAMADOL	Attempt to obfuscate words in spam	body
FUZZY_VICODIN	Attempt to obfuscate words in spam	body
FUZZY_VIOXX	Attempt to obfuscate words in spam	body
FUZZY_VLIUM	Attempt to obfuscate words in spam	body
FUZZY_VPILL	Attempt to obfuscate words in spam	body
FUZZY_XPILL	Attempt to obfuscate words in spam	body
GAPPY_SUBJECT	Subject: contains G.a.p.p.y-T.e.x.t	header
GET_PAID	Get Paid	body
GTUBE	Generic Test for Unsolicited Bulk Email	body
GUARANTEED_100_PERCENT	One hundred percent guaranteed	body
GUARANTEED_STUFF	Guaranteed Stuff	body
HABEAS_ACCREDITED_COI	Habeas Accredited Confirmed Opt-In or Better	header
HABEAS_ACCREDITED_SOI	Habeas Accredited Opt-In or Better	header
HABEAS_CHECKED	Habeas Checked	header
HAIR_LOSS	Cures Baldness	body
HARDCORE_PORN	Possible porn – Hardcore Porn	body
HASHCASH_20	Contains valid Hashcash token (20 bits)	header
HASHCASH_21	Contains valid Hashcash token (21 bits)	header
HASHCASH_22	Contains valid Hashcash token (22 bits)	header
HASHCASH_23	Contains valid Hashcash token (23 bits)	header
HASHCASH_24	Contains valid Hashcash token (24 bits)	header
HASHCASH_25	Contains valid Hashcash token (25 bits)	header
HASHCASH_2SPEND	Hashcash token already spent in another mail	header
HASHCASH_HIGH	Contains valid Hashcash token (>25 bits)	header
HDR_ORDER_MTSRIX	Headers are in order found in spam (MTSRIX)	header
HDR_ORDER_TRIMRS	Headers are in order found in spam (TRIMRS)	header
HEAD_ILLEGAL_CHARS	Headers have too many raw illegal characters	header
HEAD_LONG	Message headers are very long	header
HEADER_COUNT_CTYPE	Multiple Content-Type headers found	header
HEADER_SPAM	Bulk email fingerprint (header-based) found	header
HELO_DYNAMIC_ADELPHIA	Relay HELO’d using suspicious hostname (Adelphia)	header
HELO_DYNAMIC_ATTBI	Relay HELO’d using suspicious hostname (ATTBI.com)	header
HELO_DYNAMIC_CHELLO_NL	Relay HELO’d using suspicious hostname (Chello.nl)	header
HELO_DYNAMIC_CHELLO_NO	Relay HELO’d using suspicious hostname (Chello.no)	header
HELO_DYNAMIC_COMCAST	Relay HELO’d using suspicious hostname (Comcast)	header
HELO_DYNAMIC_DHCP	Relay HELO’d using suspicious hostname (DHCP)	header
HELO_DYNAMIC_DIALIN	Relay HELO’d using suspicious hostname (T-Dialin)	header
HELO_DYNAMIC_HCC	Relay HELO’d using suspicious hostname (HCC)	header
HELO_DYNAMIC_HEXIP	Relay HELO’d using suspicious hostname (Hex IP)	header
HELO_DYNAMIC_HOME_NL	Relay HELO’d using suspicious hostname (Home.nl)	header
HELO_DYNAMIC_IPADDR	Relay HELO’d using suspicious hostname (IP addr 1)	header
HELO_DYNAMIC_IPADDR2	Relay HELO’d using suspicious hostname (IP addr 2)	header
HELO_DYNAMIC_NTL	Relay HELO’d using suspicious hostname (NTL)	header
HELO_DYNAMIC_OOL	Relay HELO’d using suspicious hostname (OptOnline)	header
HELO_DYNAMIC_ROGERS	Relay HELO’d using suspicious hostname (Rogers)	header
HELO_DYNAMIC_RR2	Relay HELO’d using suspicious hostname (RR 2)	header
HELO_DYNAMIC_SPLIT_IP	Relay HELO’d using suspicious hostname (Split IP)	header
HELO_DYNAMIC_TELIA	Relay HELO’d using suspicious hostname (Telia)	header
HELO_DYNAMIC_VELOX	Relay HELO’d using suspicious hostname (Veloxzone)	header
HELO_DYNAMIC_VTR	Relay HELO’d using suspicious hostname (VTR)	header
HELO_DYNAMIC_YAHOOBB	Relay HELO’d using suspicious hostname (YahooBB)	header
HIDDEN_CHARGES	Talks about Hidden Charges	body
HIDE_WIN_STATUS	Javascript to hide URLs in browser	rawbody
HIGH_CODEPAGE_URI	/^https?:\/\/[^\/]*\&\#(?:\d{4,}\| [3456789]\d\d);/i	uri
HOT_NASTY	Possible porn – Hot, Nasty, Wild, Young	body
HTML_00_10	Message is 0% to 10% HTML	body
HTML_10_20	Message is 10% to 20% HTML	body
HTML_20_30	Message is 20% to 30% HTML	body
HTML_30_40	Message is 30% to 40% HTML	body
HTML_40_50	Message is 40% to 50% HTML	body
HTML_50_60	Message is 50% to 60% HTML	body
HTML_60_70	Message is 60% to 70% HTML	body
HTML_70_80	Message is 70% to 80% HTML	body
HTML_80_90	Message is 80% to 90% HTML	body
HTML_90_100	Message is 90% to 100% HTML	body
HTML_ATTR_BAD	HTML has many bad attributes in tags	body
HTML_ATTR_UNIQUE	HTML appears to have random attributes in tags	body
HTML_BACKHAIR_2	HTML tags used to obfuscate words	body
HTML_BACKHAIR_4	HTML tags used to obfuscate words	body
HTML_BACKHAIR_8	HTML tags used to obfuscate words	body
HTML_BADTAG_00_10	HTML message is 0% to 10% bad tags	body
HTML_BADTAG_10_20	HTML message is 10% to 20% bad tags	body
HTML_BADTAG_20_30	HTML message is 20% to 30% bad tags	body
HTML_BADTAG_30_40	HTML message is 30% to 40% bad tags	body
HTML_BADTAG_40_50	HTML message is 40% to 50% bad tags	body
HTML_BADTAG_50_60	HTML message is 50% to 60% bad tags	body
HTML_BADTAG_60_70	HTML message is 60% to 70% bad tags	body
HTML_BADTAG_70_80	HTML message is 70% to 80% bad tags	body
HTML_BADTAG_80_90	HTML message is 80% to 90% bad tags	body
HTML_BADTAG_90_100	HTML message is 90% to 100% bad tags	body
HTML_COMMENT_SAVED_URL	HTML message is a saved web page	body
HTML_COMMENT_SHORT	HTML comment is very short	body
HTML_EHTML2	HTML has doubled end HTML tag	rawbody
HTML_EMBEDS	HTML with embedded plugin object	body
HTML_EVENT_UNSAFE	HTML contains unsafe auto-executing code	body
HTML_EXTRA_CLOSE	HTML contains far too many close tags	body
HTML_FONT_BIG	HTML tag for a big font size	body
HTML_FONT_FACE_BAD	HTML font face is not a word	body
HTML_FONT_FACE_CAPS	HTML font face has excess capital characters	body
HTML_FONT_INVISIBLE	HTML font color is same as background	body
HTML_FONT_LOW_CONTRAST	HTML font color similar to background	body
HTML_FONT_SIZE_HUGE	HTML font size is huge	body
HTML_FONT_SIZE_LARGE	HTML font size is large	body
HTML_FONT_SIZE_NONE	HTML font size is negative	body
HTML_FONT_SIZE_TINY	HTML font size is tiny	body
HTML_FONT_TINY	HTML tag for a tiny font size	body
HTML_FORMACTION_MAILTO	HTML includes a form which sends mail	body
HTML_IMAGE_ONLY_04	HTML: images with 0-400 bytes of words	body
HTML_IMAGE_ONLY_08	HTML: images with 400-800 bytes of words	body
HTML_IMAGE_ONLY_12	HTML: images with 800-1200 bytes of words	body
HTML_IMAGE_ONLY_16	HTML: images with 1200-1600 bytes of words	body
HTML_IMAGE_ONLY_20	HTML: images with 1600-2000 bytes of words	body
HTML_IMAGE_ONLY_24	HTML: images with 2000-2400 bytes of words	body
HTML_IMAGE_ONLY_28	HTML: images with 2400-2800 bytes of words	body
HTML_IMAGE_ONLY_32	HTML: images with 2800-3200 bytes of words	body
HTML_IMAGE_RATIO_02	HTML has a low ratio of text to image area	body
HTML_IMAGE_RATIO_04	HTML has a low ratio of text to image area	body
HTML_IMAGE_RATIO_06	HTML has a low ratio of text to image area	body
HTML_IMAGE_RATIO_08	HTML has a low ratio of text to image area	body
HTML_LINK_IMAGE_BUG	HTML link plus image plus web bug	body
HTML_LINK_OPT_OUT	HTML link text says "opt out" or similar	body
HTML_LINK_PUSH_HERE	HTML link text says "push here" or similar	body
HTML_MESSAGE	HTML included in message	body
HTML_NONELEMENT_00_10	0% to 10% of HTML elements are non-standard	body
HTML_NONELEMENT_10_20	10% to 20% of HTML elements are non-standard	body
HTML_NONELEMENT_20_30	20% to 30% of HTML elements are non-standard	body
HTML_NONELEMENT_30_40	30% to 40% of HTML elements are non-standard	body
HTML_NONELEMENT_40_50	40% to 50% of HTML elements are non-standard	body
HTML_NONELEMENT_50_60	50% to 60% of HTML elements are non-standard	body
HTML_NONELEMENT_60_70	60% to 70% of HTML elements are non-standard	body
HTML_NONELEMENT_70_80	70% to 80% of HTML elements are non-standard	body
HTML_NONELEMENT_80_90	80% to 90% of HTML elements are non-standard	body
HTML_NONELEMENT_90_100	90% to 100% of HTML elements are non-standard	body
HTML_OBFUSCATE_05_10	Message is 5% to 10% HTML obfuscation	body
HTML_OBFUSCATE_10_20	Message is 10% to 20% HTML obfuscation	body
HTML_OBFUSCATE_20_30	Message is 20% to 30% HTML obfuscation	body
HTML_OBFUSCATE_30_40	Message is 30% to 40% HTML obfuscation	body
HTML_OBFUSCATE_40_50	Message is 40% to 50% HTML obfuscation	body
HTML_OBFUSCATE_50_60	Message is 50% to 60% HTML obfuscation	body
HTML_OBFUSCATE_60_70	Message is 60% to 70% HTML obfuscation	body
HTML_OBFUSCATE_70_80	Message is 70% to 80% HTML obfuscation	body
HTML_OBFUSCATE_80_90	Message is 80% to 90% HTML obfuscation	body
HTML_OBFUSCATE_90_100	Message is 90% to 100% HTML obfuscation	body
HTML_SHORT_LENGTH	HTML is extremely short	body
HTML_SHOUTING3	HTML has very strong "shouting" markup	body
HTML_SHOUTING4	HTML has very strong "shouting" markup	body
HTML_SHOUTING5	HTML has very strong "shouting" markup	body
HTML_SHOUTING6	HTML has very strong "shouting" markup	body
HTML_SHOUTING7	HTML has very strong "shouting" markup	body
HTML_TAG_BALANCE_BODY	HTML has unbalanced "body" tags	body
HTML_TAG_BALANCE_HEAD	HTML has unbalanced "head" tags	body
HTML_TAG_EXIST_BGSOUND	HTML has "bgsound" tag	body
HTML_TAG_EXIST_MARQUEE	HTML has "marquee" tag	body
HTML_TAG_EXIST_TBODY	HTML has "tbody" tag	body
HTML_TEXT_AFTER_BODY	HTML contains text after BODY close tag	body
HTML_TEXT_AFTER_HTML	HTML contains text after HTML close tag	body
HTML_TINY_FONT	body contains 1 or 0-point font	rawbody
HTML_TITLE_EMPTY	HTML title contains no text	body
HTML_TITLE_UNTITLED	HTML title contains "Untitled"	body
HTML_WEB_BUGS	Image tag intended to identify you	body
HTTP_77	Contains an URL-encoded hostname (HTTP77)	uri
HTTP_CTRL_CHARS_HOST	Uses control sequences inside a URL hostname	uri
HTTP_ESCAPED_HOST	Uses %-escapes inside a URL’s hostname	uri
HTTP_EXCESSIVE_ESCAPES	Completely unnecessary %-escapes inside a URL	uri
HTTPS_IP_MISMATCH	IP to HTTPS link found in HTML	body
IMPOTENCE	Impotence cure	body
INFO_TLD	Contains an URL in the INFO top-level domain	uri
INTERRUPTUS	Message looks to contain HTML-interrupted text	rawbody
INVALID_DATE	Invalid Date: header (not RFC 2822)	header
INVALID_DATE_TZ_ABSURD	Invalid Date: header (timezone does not exist)	header
INVALID_TZ_CST	Invalid date in header (wrong CST timezone)	header
INVALID_TZ_EST	Invalid date in header (wrong EST timezone)	header
INVALID_TZ_GMT	Invalid date in header (wrong GMT/UTC timezone)	header
INVESTMENT_ADVICE	Message mentions investment advice	body
INVESTMENT_EXPERT	Message mentions investment expert	body
IP_LINK_PLUS	Dotted-decimal IP address followed by CGI	uri
JAPANESE_UCE_SUBJECT	Subject contains a Japanese UCE tag	header
JOIN_MILLIONS	Join Millions of Americans	body
KOREAN_UCE_SUBJECT	Subject: contains Korean unsolicited email tag	header
LIVE_PORN	Possible porn – Live Porn	body
LOCALPART_IN_SUBJECT	Local part of To: address appears in Subject	header
LOTS_OF_STUFF	Thousands or millions of pictures, movies, etc.	body
LOW_PRICE	Lowest Price	body
MAILTO_SUBJ_REMOVE	mailto URI includes removal text	rawbody
MAILTO_TO_REMOVE	Includes a ‘remove’ email address	uri
MAILTO_TO_SPAM_ADDR	Includes a link to a likely spammer email	uri
MALE_ENHANCE	Message talks about enhancing men	body
MARKETING_PARTNERS	Claims you registered with a partner	body
MEET_SINGLES	Meet Singles	body
MICRO_CAP_WARNING	SEC-mandated penny-stock warning	body
MICROSOFT_EXECUTABLE	Message includes Microsoft executable program	body
MILLION_USD	Talks about millions of dollars	body
MIME_BAD_ISO_CHARSET	MIME character set is an unknown ISO charset	body
MIME_BASE64_BLANKS	Extra blank lines in base64 encoding	rawbody
MIME_BASE64_NO_NAME	base64 attachment does not have a file name	rawbody
MIME_BASE64_TEXT	Message text disguised using base64 encoding	rawbody
MIME_BOUND_DD_DIGITS	Spam tool pattern in MIME boundary	header
MIME_BOUND_DIGITS_15	Spam tool pattern in MIME boundary	header
MIME_BOUND_DIGITS_7	Spam tool pattern in MIME boundary	header
MIME_BOUND_MANY_HEX	Spam tool pattern in MIME boundary	header
MIME_BOUND_RKFINDY	Spam tool pattern in MIME boundary (rfkindy)	header
MIME_HTML_MOSTLY	Multipart message mostly text/html MIME	body
MIME_HTML_ONLY	Message only has text/html MIME parts	body
MIME_MISSING_BOUNDARY	MIME section missing boundary	rawbody
MIME_QP_LONG_LINE	Quoted-printable line longer than 76 chars	rawbody
MIME_SUSPECT_NAME	MIME filename does not match content	body
MISSING_DATE	Missing Date: header	header
MISSING_HB_SEP	Missing blank line between message header and body	header
MISSING_HEADERS	Missing To: header	header
MISSING_MIME_HB_SEP	Missing blank line between MIME header and body	body
ML_MARKETING	Multi Level Marketing mentioned	body
MONEY_BACK	Money back guarantee	body
MORE_SEX	Talks about a bigger drive for sex	body
MORTGAGE_BEST	Information on mortgages	body
MORTGAGE_PITCH	Looks like mortgage pitch	body
MORTGAGE_RATES	Information on mortgage rates	body
MPART_ALT_DIFF	HTML and text parts are different	body
MPART_ALT_DIFF_COUNT	HTML and text parts are different	body
MSGID_FROM_MTA_HOTMAIL	Message-Id was added by a hotmail.com relay	header
MSGID_FROM_MTA_ID	Message-Id for external message added locally	header
MSGID_LONG	Message-ID is unusually long	header
MSGID_MULTIPLE_AT	Message-ID contains multiple ‘@’ characters	header
MSGID_NO_HOST	Message-Id has no hostname	header
MSGID_OUTLOOK_INVALID	Message-Id is fake (in Outlook Express format)	header
MSGID_RATWARE1	Bulk email fingerprint found	header
MSGID_SHORT	Message-ID is unusually short	header
MSGID_SPAM_99X9XX99	Spam tool Message-Id: (99×9xx99 variant)	header
MSGID_SPAM_ALPHA_NUM	Spam tool Message-Id: (alpha-numeric variant)	header
MSGID_SPAM_CAPS	Spam tool Message-Id: (caps variant)	header
MSGID_SPAM_LETTERS	Spam tool Message-Id: (letters variant)	header
MSGID_SPAM_ZEROES	Spam tool Message-Id: (12-zeroes variant)	header
MSGID_YAHOO_CAPS	Message-ID has ALLCAPS@yahoo.com	header
NA_DOLLARS	Talks about a million North American dollars	body
NASTY_GIRLS	Possible porn – Nasty Girls	body
NO_COST	No such thing as a free lunch (3)	body
NO_DNS_FOR_FROM	Envelope sender has no MX or A DNS records	header
NO_FORMS	No Claim Forms	body
NO_MEDICAL	No Medical Exams	body
NO_OBLIGATION	There is no obligation	body
NO_PRESCRIPTION	No prescription needed	body
NO_RDNS_DOTCOM_HELO	Host HELO’d as a big ISP, but had no rDNS	header
NO_REAL_NAME	From: does not include a real name	header
NO_RELAYS	Informational: message was not relayed via SMTP	header
NONEXISTENT_CHARSET	Character set doesn’t exist	header
NORMAL_HTTP_TO_IP	Uses a dotted-decimal IP address in URL	uri
NOT_ADVISOR	Not registered investment advisor	body
NUMERIC_HTTP_ADDR	Uses a numeric IP address in URL	uri
OBSCURED_EMAIL	Message seems to contain rot13ed address	body
OFFSHORE_SCAM	Off Shore Scams	body
ONE_TIME	One Time Rip Off	body
ONLINE_PHARMACY	Online Pharmacy	body
OPTING_OUT_CAPS	Talks about opting out (capitalized version)	body
ORG_MIME_TOOLS	Organization is MIME-tools	header
PLING_QUERY	Subject has exclamation mark and question mark	header
PORN_15	Possible porn – various types of feline	body
PORN_16	Possible porn – nasty, dirty, little etc.	body
PORN_URL_MISC	URL uses words/phrases which indicate porn (misc)	uri
PORN_URL_SEX	URL uses words/phrases which indicate porn (sex)	uri
PORN_URL_SLUT	URL uses words/phrases which indicate porn (slut)	uri
PREST_NON_ACCREDITED	‘Prestigious Non-Accredited Universities’	body
PREVENT_NONDELIVERY	Message has Prevent-NonDelivery-Report header	header
PRICES_ARE_AFFORDABLE	Message says that prices aren’t too expensive	body
PYZOR_CHECK	Listed in Pyzor (http://pyzor.sf.net/)	full
QUALIFY_FOR_THIS	Qualify for this special…	body
RATWARE_BOUND_PIECE	Bulk email fingerprint (piece boundary) found	header
RATWARE_EFROM	Bulk email fingerprint (envfrom) found	header
RATWARE_EGROUPS	Bulk email fingerprint (eGroups) found	header
RATWARE_GECKO_BUILD	Bulk email fingerprint (Gecko faked) found	header
RATWARE_HASH_2	Bulk email fingerprint (hash 2) found	header
RATWARE_HASH_2_V2	Bulk email fingerprint (hash 2 v2) found	header
RATWARE_HASH_DASH	Contains a hashbuster in Send-Safe format	rawbody
RATWARE_JPFREE	Bulk email fingerprint (jpfree) found	header
RATWARE_MOZ_MALFORMED	Bulk email fingerprint (Mozilla malformed) found	header
RATWARE_MPOP_WEBMAIL	Bulk email fingerprint (mPOP Web-Mail)	header
RATWARE_NETIP	Bulk email fingerprint (netIP) found	header
RATWARE_OE_MALFORMED	X-Mailer has malformed Outlook Express version	header
RATWARE_RCVD_AT	Bulk email fingerprint (Received @) found	header
RATWARE_RCVD_LC_ESMTP	Bulk email fingerprint (’esmtp’ Received) found	header
RATWARE_RCVD_PF	Bulk email fingerprint (Received PF) found	header
RATWARE_STORM_URI	Bulk email fingerprint (StormPost) found	uri
RAZOR2_CF_RANGE_51_100	Razor2 gives confidence level above 50%	full
RAZOR2_CF_RANGE_E4_51_100	Razor2 gives engine 4 confidence level above 50%	full
RAZOR2_CF_RANGE_E8_51_100	Razor2 gives engine 8 confidence level above 50%	full
RAZOR2_CHECK	Listed in Razor2 (http://razor.sf.net/)	full
RCVD_AM_PM	Received headers forged (AM/PM)	header
RCVD_BONUS_SPC_DATE	Bulk email fingerprint (bonus space) found	header
RCVD_BY_IP	Received by mail server with no name	header
RCVD_FAKE_HELO_DOTCOM	Received contains a faked HELO hostname	header
RCVD_HELO_IP_MISMATCH	Received: HELO and IP do not match, but should	header
RCVD_ILLEGAL_IP	Received: contains illegal IP address	header
RCVD_IN_BL_SPAMCOP_NET	Received via a relay in bl.spamcop.net	header
RCVD_IN_BSP_OTHER	Sender is in Bonded Sender Program (other relay)	header
RCVD_IN_BSP_TRUSTED	Sender is in Bonded Sender Program (trusted relay)	header
RCVD_IN_DSBL	Received via a relay in list.dsbl.org	header
RCVD_IN_IADB_VOUCHED	ISIPP IADB lists as vouched-for sender	header
RCVD_IN_MAPS_DUL	Relay in DUL, http://www.mail-abuse.org/dul/	header
RCVD_IN_MAPS_NML	Relay in NML, http://www.mail-abuse.org/nml/	header
RCVD_IN_MAPS_RBL	Relay in RBL, http://www.mail-abuse.org/rbl/	header
RCVD_IN_MAPS_RSS	Relay in RSS, http://www.mail-abuse.org/rss/	header
RCVD_IN_NJABL_CGI	NJABL: sender is an open formmail	header
RCVD_IN_NJABL_DUL	NJABL: dialup sender did non-local SMTP	header
RCVD_IN_NJABL_MULTI	NJABL: sent through multi-stage open relay	header
RCVD_IN_NJABL_PROXY	NJABL: sender is an open proxy	header
RCVD_IN_NJABL_RELAY	NJABL: sender is confirmed open relay	header
RCVD_IN_NJABL_SPAM	NJABL: sender is confirmed spam source	header
RCVD_IN_SBL	Received via a relay in Spamhaus SBL	header
RCVD_IN_SORBS_BLOCK	SORBS: sender demands to never be tested	header
RCVD_IN_SORBS_DUL	SORBS: sent directly from dynamic IP address	header
RCVD_IN_SORBS_HTTP	SORBS: sender is open HTTP proxy server	header
RCVD_IN_SORBS_MISC	SORBS: sender is open proxy server	header
RCVD_IN_SORBS_SMTP	SORBS: sender is open SMTP relay	header
RCVD_IN_SORBS_SOCKS	SORBS: sender is open SOCKS proxy server	header
RCVD_IN_SORBS_WEB	SORBS: sender is a abuseable web server	header
RCVD_IN_SORBS_ZOMBIE	SORBS: sender is on a hijacked network	header
RCVD_IN_WHOIS_BOGONS	CompleteWhois: sender on bogons IP block	header
RCVD_IN_WHOIS_HIJACKED	CompleteWhois: sender on hijacked IP block	header
RCVD_IN_WHOIS_INVALID	CompleteWhois: sender on invalid IP block	header
RCVD_IN_XBL	Received via a relay in Spamhaus XBL	header
RCVD_NUMERIC_HELO	Received: contains an IP address used for HELO	header
RECEIVE_OFFER	Receive a special offer	body
REFINANCE_NOW	Home refinancing	body
REFINANCE_YOUR_HOME	Home refinancing	body
REMOVE_BEFORE_LINK	Removal phrase right before a link	body
REMOVE_PAGE	URL of page called "remove"	uri
REMOVE_POSTAL	Send real mail to be unsubscribed	body
REPLICA_WATCH	Message talks about a replica watch	body
REPLY_TO_EMPTY	Reply-To: is empty	header
RESISTANCE_IS_FUTILE	Resistance to this spam is futile	body
REVERSE_AGING	Reverses Aging	body
RISK_FREE	Risk free. Suuurreeee….	body
ROUND_THE_WORLD	Received: says mail sent around the world (DNS)	header
ROUND_THE_WORLD_LOCAL	Received: says mail sent around the world (HELO)	header
SATIS_GUAR	Mail guarantees satisfaction	body
SAVE_THOUSANDS	Save big money	body
SEE_FOR_YOURSELF	See for yourself	body
SENT_IN_COMPLIANCE	Claims compliance with spam regulations	body
SOME_BREAKTHROUGH	Describes some sort of breakthrough	body
SOMETHING_FOR_ADULTS	Possible porn – Adult Web Sites	body
SORTED_RECIPS	Recipient list is sorted by address	header
SPF_FAIL	SPF: sender does not match SPF record (fail)	header
SPF_HELO_FAIL	SPF: HELO does not match SPF record (fail)	header
SPF_HELO_NEUTRAL	SPF: HELO does not match SPF record (neutral)	header
SPF_HELO_PASS	SPF: HELO matches SPF record	header
SPF_HELO_SOFTFAIL	SPF: HELO does not match SPF record (softfail)	header
SPF_NEUTRAL	SPF: sender does not match SPF record (neutral)	header
SPF_PASS	SPF: sender matches SPF record	header
SPF_SOFTFAIL	SPF: sender does not match SPF record (softfail)	header
SPOOF_COM2COM	URI contains ".com" in middle and end	uri
SPOOF_COM2OTH	URI contains ".com" in middle	uri
SPOOF_NET2COM	URI contains ".net" or ".org", then ".com"	uri
SPOOF_OURI	URI has items in odd places	uri
STOCK_ALERT	Offers a alert about a stock	body
STRONG_BUY	Tells you about a strong buy	body
SUB_FREE_OFFER	Subject starts with "Free"	header
SUB_HELLO	Subject starts with "Hello"	header
SUBJ_2_NUM_PARENS	Subject contains common spam sign (2 numbers)	header
SUBJ_ALL_CAPS	Subject is all capitals	header
SUBJ_AS_SEEN	Subject contains "As Seen"	header
SUBJ_BUY	Subject line starts with Buy or Buying	header
SUBJ_CONSONANTS	Subject contains consecutive consonants in "word"	header
SUBJ_DOLLARS	Subject starts with dollar amount	header
SUBJ_FOR_ONLY	Subject contains "For Only"	header
SUBJ_FREE_CAP	Subject contains "FREE" in CAPS	header
SUBJ_GUARANTEED	Subject GUARANTEED	header
SUBJ_HAS_SPACES	Subject contains lots of white space	header
SUBJ_HAS_UNIQ_ID	Subject contains a unique ID	header
SUBJ_ILLEGAL_CHARS	Subject: has too many raw illegal characters	header
SUBJ_LIFE_INSURANCE	Subject includes "life insurance"	header
SUBJ_YOUR_DEBT	Subject contains "Your Bills" or similar	header
SUBJ_YOUR_FAMILY	Subject contains "Your Family"	header
SUBJ_YOUR_OWN	Subject contains "Your Own"	header
SUBJECT_DIET	Subject talks about losing pounds	header
SUBJECT_DRUG_GAP_C	Subject contains a gappy version of ‘cialis’	header
SUBJECT_DRUG_GAP_L	Subject contains a gappy version of ‘levitra’	header
SUBJECT_DRUG_GAP_P	Subject contains a gappy version of ‘phentermine’	header
SUBJECT_DRUG_GAP_S	Subject contains a gappy version of ’soma’	header
SUBJECT_DRUG_GAP_VA	Subject contains a gappy version of ‘valium’	header
SUBJECT_DRUG_GAP_VIC	Subject contains a gappy version of ‘vicodin’	header
SUBJECT_DRUG_GAP_X	Subject contains a gappy version of ‘xanax’	header
SUBJECT_SEXUAL	Subject indicates sexually-explicit content	header
SUSPICIOUS_RECIPS	Similar addresses in recipient list	header
TERRA_ES	Contains URI to a document hosted at ‘terra.es’	uri
TO_ADDRESS_EQ_REAL	To: repeats address as real name	header
TO_EMPTY	To: is empty	header
TO_MALFORMED	To: has a malformed address	header
TO_NO_USER	To: has no local-part before @ sign	header
TO_RECIP_MARKER	To header contains ‘recipient’ marker	header
TO_TXT	Sent to a text file	header
TRACKER_ID	Incorporates a tracking ID number	body
UNCLAIMED_MONEY	People just leave money laying around	body
UNCLOSED_BRACKET	Headers contain an unclosed bracket	header
UNDISC_RECIPS	Valid-looking To "undisclosed-recipients"	header
UNIQUE_WORDS	Message body has many words used only once	body
UNPARSEABLE_RELAY	Informational: message has unparseable relay lines	header
UNRESOLVED_TEMPLATE	Headers contain an unresolved template	header
UNWANTED_LANGUAGE_BODY	Message written in an undesired language	body
URG_BIZ	Contains urgent matter	body
URI_4YOU	Message has URI 4you	uri
URI_AFFILIATE	Contains a URI with an affiliate ID code	uri
URI_DIGITS	URI hostname has long digit sequence	uri
URI_HEX	URI hostname has long hexadecimal sequence	uri
URI_UPPER_LOWER	URI contains capitalized hostname parts ("Abcde")	uri
URIBL_AB_SURBL	Contains an URL listed in the AB SURBL blocklist	body
URIBL_JP_SURBL	Contains an URL listed in the JP SURBL blocklist	body
URIBL_OB_SURBL	Contains an URL listed in the OB SURBL blocklist	body
URIBL_PH_SURBL	Contains an URL listed in the PH SURBL blocklist	body
URIBL_SBL	Contains an URL listed in the SBL blocklist	body
URIBL_SC_SURBL	Contains an URL listed in the SC SURBL blocklist	body
URIBL_WS_SURBL	Contains an URL listed in the WS SURBL blocklist	body
US_DOLLARS_3	Mentions millions of (dollar) ((dollar) NN,NNN,NNN.NN)	body
USER_IN_ALL_SPAM_TO	User is listed in ‘all_spam_to’	header
USER_IN_BLACKLIST	From: address is in the user’s black-list	header
USER_IN_BLACKLIST_TO	User is listed in ‘blacklist_to’	header
USER_IN_DEF_SPF_WL	From: address is in the default SPF white-list	header
USER_IN_DEF_WHITELIST	From: address is in the default white-list	header
USER_IN_MORE_SPAM_TO	User is listed in ‘more_spam_to’	header
USER_IN_SPF_WHITELIST	From: address is in the user’s SPF whitelist	header
USER_IN_WHITELIST	From: address is in the user’s white-list	header
USER_IN_WHITELIST_TO	User is listed in ‘whitelist_to’	header
USERPASS	URL contains username and (optional) password	uri
VIA_GAP_GRA	Attempts to disguise the word ‘viagra’	body
WE_HONOR_ALL	Claims to honor removal requests	body
WEIRD_PORT	Uses non-standard port number for HTTP	uri
WEIRD_QUOTING	Weird repeated double-quotation marks	body
WHILE_YOU_SLEEP	While you Sleep	body
WHY_PAY_MORE	Why Pay More?	body
WHY_WAIT	What are you waiting for	body
WITH_LC_SMTP	Received line contains spam-sign (lowercase smtp)	header
WRINKLES	Removes Wrinkles	body
X_AUTH_WARN_FAKED	X-Authentication-Warning header looks faked	header
X_IP	Message has X-IP header	header
X_LIBRARY	Message has X-Library header	header
X_MAILER_SPAM	X-Mailer: header is bulk email fingerprint	header
X_MESSAGE_FLAG_ODD	Message has X-Message-flag header (odd case)	header
X_MESSAGE_INFO	Bulk email fingerprint (X-Message-Info) found	header
X_MIME_AUTOCONVERTED	Message has X-MIME-Autoconverted "Yes" header	header
X_MSMAIL_PRIORITY_HIGH	Sent with ‘X-Msmail-Priority’ set to high	header
X_ORIG_IP_NOT_IPV4	X-Originating-IP doesn’t look like IPv4 address	header
X_PRIORITY_CC	Cc: after X-Priority: (bulk email fingerprint)	header
X_PRIORITY_HIGH	Sent with ‘X-Priority’ set to high	header
YAHOO_DRS_REDIR	Has Yahoo Redirect URI	uri
YAHOO_RD_REDIR	Has Yahoo Redirect URI	uri
YOU_CAN_SEARCH	You can search for anyone	body

Die vollständige Auflistung aller Test der aktuellen Spamassassin-Version und früherer Versionen finden sich bei Spamassassin.

Ajaxified Webmail-Zugriff

Andi — Mon, 20 Nov 2006 22:58:33 +0000

Schon vor gut 1 1/2 Jahren startete das Projekt roundcube mit der Umsetzung eines Webmail-Clients, der die einfachen Zugriff über jeden Webbrowser mit dem Komfort & den Features einer Offline-eMail-Anwendung kombiniert.
Möglich macht dies der konsequente Einsatz von AJAX-Technologie, wodurch das bei älteren Vertretern (wie z.B. Horde) übliche andauernde Neuladen kompletter Seiten und den damit verzögerten Arbeitsablauf ausgleicht.
Obwohl die Versionsnummer mit 0.1-beta2 noch sehr niedrig angesiedelt ist, und sich das Team mit der Veröffentlichung neuer Meilensteine einige Zeit lässt, lohnt sich vor allem der Blick auf den aktuellen Entwicklersnapshot per SVN.
Hier finden sich zumeist wesentlich mehr implementierte Funktionen als in den mit ’stable’ deklarierten Versionen – und trotz Dev-Status lassen sich die SVN-Versionen meist ohne Probleme einsetzen.
roundcube eignet sich für alle Server, die Zugriff über IMAP bieten und stellt dem Nutzer bisher u.a. Ordnermanipulationen, MIME-Unterstützung, Adressbuch, Drag’n'Drop, Suche, Rechtschreibprüfung etc. an.
Nach der Installation kann z.B. die Webmail-Funktion von Plesk von Horde auf roundcube „umgebogen“ werden. Der einfachste Weg besteht in einer Anpassung der Apache-Konfiguration von Plesk. Bei Debian befinden sich die Einträge in /etc/apache/conf.d/zz010_psa_httpd.conf
Dort finden sich sowohl für http- als auch für https-Zugriff auf webmail.domain.de Einträge, die auf Horde verweisen: DocumentRoot /usr/share/psa/horde, sowie die Freigaben des PHP-openBaseDir. Diese Verweise müssen einfach auf den Ordner von roundcube geändert werden (z.B. /usr/share/roundcube), und schon kann der übliche Webmail-Account von Plesk mit roundcube genutzt werden.

NiX-Spam in Spamassassin einbinden

Andi — Thu, 16 Nov 2006 22:19:51 +0000

Neben der Erkennung von Spam über die herkömmlichen Regelsets von Spamassassin, dem Selbsttraining mittels Bayes und dem Abgleich bei bekannten Anti-Spam-Netzwerken wie razor2 oder pyzor, bietet es sich an, den Mailverkehr auch gegen die NiX-Spam-Liste des iX-Teams aus dem Hause Heise abzuprüfen.
NiX-Spam bietet eine ständig erweiterte Hash-Datenbank alter und neuer Spaminhalte. Mittels eines einfachen Plugins können wir aus Mails, die Spamassassin durchlaufen, einen Hash-Abgleich mit der online verfügbaren NiX-Spam-Liste durchführen lassen.

Zur Installation (Spamassassin 3.1 aufwärts unter Linux):

Den Inhalt von ixhash.pm per copy-paste in eine Datei ixhash.pm überführen, diese laden wir in ein für Spamassassin zugreifbares Verzeichnis auf dem Server (der Einfachhalt halber nehmen wir /etc/mail/spamassassin)
Die Einträge aus ixhash.cf in eine Datei ixhash.cf übernehmen und diese auf dem Server in /etc/mail/spamassassin ablegen.
Die erste Zeile von ixhash.cf an die lokalen Gegebenheiten (Pfad) anpassen.
Soweit war’s das, zum Testen spamassassin -D < /eine/nachricht ausführen (eine/nachricht sollte ein eMail-File sein). Wenn alles korrekt läuft sollten auf STDERR einige Nachrichten mit IXHASH auftauchen, die anzeigen, dass das Plugin aktiv ist.

Mit diesen wenigen Schritten kann die Erkennungsrate von Spamassassin nochmals gesteigert werden; die NiX-Spam-Liste ist ferner gegen deutsche Spam-Angriffe besser ausgerüstet, als manche andere Hash-Liste.

Die Dateien:

ixhash.cf:


  loadplugin    Mail::SpamAssassin::Plugin::iXhash /path/to/iXhash.pm
# This makes DNS queries time out after 10 seconds (2x default)
  ixhash_timeout    10

# This list uses iX Magazine's spam as datasource.
  body          IXHASH eval:ixhashtest('ix.dnsbl.manitu.net')
  describe      IXHASH This mail has been classified as spam @ iX Magazine, Germany
  tflags        IXHASH net
  score         IXHASH 1.5

# This list comes in @ spamtraps run by LogIn & Solutions AG, Germany
# Manually verified stuff
  body          LOGINHASH1 eval:ixhashtest('nospam.login-solutions.de')
  describe      LOGINHASH1 mail has been classified as spam @ LogIn&Solutions AG, Germany
  tflags        LOGINHASH1 net
  score         LOGINHASH1 1.5

# This list contains hashes from Mails classified as spam at a larger company based in Germany
# Lots of stuff, but automatically categorized and contributed
  body          LOGINHASH2 eval:ixhashtest('nospam.login-solutions.ag')
  describe      LOGINHASH2 mail has been classified as spam @ unknown company, Germany
  tflags        LOGINHASH2 net
  score         LOGINHASH2 1.5

ixhash.pm:


=head1 NAME

Mail::SpamAssassin::Plugin::iXhash - compute fuzzy checksums from mail bodies and compare to known spam ones via DNS

=head1 SYNOPSIS
  loadplugin    Mail::SpamAssassin::Plugin::iXhash /path/to/iXhash.pm
  ixhash_timeout        10
  body          IXHASH eval:ixhashtest('ix.dnsbl.manitu.net')
  describe      IXHASH This mail has been classified as spam @ iX Magazine, Germany
  tflags        IXHASH net
  score         IXHASH 1.5

=head1 DESCRIPTION

iXhash.pm is a plugin for SpamAssassin 3.1.0 and up. It takes the body of a mail, strips parts from it and then computes a hash value from the rest.
These values will then be looked up via DNS. 
This plugin is based on parts of the procmail-based project 'NiX Spam', developed by Bert Ungerer.(un@ix.de)
For more information see http://www.heise.de/ix/nixspam/. The procmail code producing the hashes only can be found here:
ftp://ftp.ix.de/pub/ix/ix_listings/2004/05/checksums

Parts of the code were submitted via heise forum by 'kungfuhasi'
See http://www.heise.de/ix/foren/go.shtml?read=1&msg_id=7246759&forum_id=48292.

Martin Blapp (mb@imp.ch) found and solved a problem occuring on Perl 5.8.7. Thanks a lot!

Further improvements (DNS timeouts) by Dallas Engelken (dallase@uribl.com) - see comments for details. 

=cut

package Mail::SpamAssassin::Plugin::iXhash;
use strict;
use Mail::SpamAssassin;
use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Util;
use Digest::MD5 qw(md5 md5_hex md5_base64);
use Net::DNS;
use Net::DNS::Resolver;
# Locale - this was on Bert's wishlist
use POSIX qw(locale_h);
setlocale(LC_CTYPE, "de_DE.ISO8859-1");
# LC_CTYPE now "Deutsch, Deutschland, codeset ISO 8859-1"
# Maybe not appropriate for spam that is neither German nor English

use vars qw(@ISA);
@ISA = qw(Mail::SpamAssassin::Plugin);
sub dbg { Mail::SpamAssassin::dbg (@_); }
sub new {
        my ($class, $mailsa, $server) = @_;
        $class = ref($class) || $class;
        my $self = $class->SUPER::new($mailsa);
        bless ($self, $class);
        $self->set_config($mailsa->{conf});
        $self->register_eval_rule ("ixhashtest");
        return $self;
}


sub set_config {
        my ($self, $conf) = @_;
        my @cmds = ();
        # implements ixhash_timeout config option - by dallase@uribl.com
        push(@cmds, {
                setting => 'ixhash_timeout',
                default => 5,
                type => $Mail::SpamAssassin::Conf::CONF_TYPE_NUMERIC,
        });
        $conf->{parser}->register_commands(\@cmds);
}


sub ixhashtest {
        my ($self, $permsgstatus,$muell,$dnsserver) = @_;
        dbg("IXHASH: IxHash querying Server $dnsserver");
        my ($digest,$answer,$ixdigest,$body) = "";
        my @body = $permsgstatus->{msg}->get_body();
        my $resolver = Net::DNS::Resolver->new;
        my $body_copy = "";
        foreach (@body) {
                $body .= join "", @$_;
        }
        my $rr;
        my $hits = 0;
        # alarm the dns query - dallase@uribl.com
        # --------------------------------------------------------------------------
        # here we implement proper alarms, ala Pyzor, Razor2 plugins. 
        # keep the alarm as $oldalarm, so we dont loose the timeout-child alarm
        # see http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3828#c123
        my $oldalarm = 0;
        my $timeout = $permsgstatus->{main}->{conf}->{'ixhash_timeout'} || 5;
        eval {
                Mail::SpamAssassin::Util::trap_sigalrm_fully(sub { die "ixhash timeout reached"; });
        $oldalarm = alarm($timeout);
        
        #-----------------------------------------------------------------------
        # Creation of hash # 1 if following conditions are met:
        # - mail contains at least 16 spaces or tabs 
        # - mail consists of at least 2 lines
      # NB:  Edit this if you want to minimize FPs at the cost of not checking shorter mails.
      # FP ratio will be the higher the shorter the mails are 
        if (($body =~ /([\s\t].+?){16,}/ ) && ($body =~ /.*$.*/)){
                # Copy $body into $body_copy - thanks to J. Stehle for pointing this out
                $body_copy = $body;
                # All space class chars just one time
                # Do this in two steps to avoid Perl segfaults
                # if there are more than 2.600 identical chars to be replaced
                # Step One
                $body_copy =~ s/([[:space:]]{100})(?:\1+)/$1/g;
                # Step Two
                $body_copy =~ s/([[:space:]])(?:\1+)/$1/g;
                # remove graph class chars and some specials
                $body_copy =~ s/[[:graph:]]+//go;
                # Create actual digest
                $digest = md5_hex($body_copy);
                dbg ("IXHASH: Computed hash-value $digest via method 1");
                dbg ("IXHASH: Now checking $digest.$dnsserver");
                # Now check via DNS query
                $answer = $resolver->search($digest.'.'.$dnsserver, "A", "IN");
                if ($answer) {
                        foreach $rr ($answer->answer) {
                                next unless $rr->type eq "A";
                                dbg ("IXHASH: Received reply from $dnsserver:". $rr->address);
                                $hits = 1 if $rr->address;
                        }
                }
        }
        # End of computing hash #1 
        #---------------------------------------------------------------------
        
        
        #---------------------------------------------------------------------
        # Creation of hash # 1 if mail contains at least 3 of the following characters:
        # '[<>()|@*'!?,]' or the combination of ':/'
        # (To match something like "Already seen?  http:/host.domain.tld/")
        # edit this if you want to minimize FPs (i.e. make sure that short emails are not checked)
        # 
        if ($body =~ /((([<>\(\)\|@\*'!?,])|(:\/)).*?){3,}/m ) {
                $body_copy = $body;
                # remove redundant stuff
                $body_copy =~ s/[[:cntrl:][:alnum:]%&#;=]+//g;
                # replace '_' with '.'
                $body_copy =~ tr/_/./;
                # replace duplicate chars. This too suffers from a bug in perl
                # so we do it in two steps
                # Step One
                $body_copy =~ s/([[:print:]]{100})(?:\1+)/$1/g;
                # Step Two
                $body_copy =~ s/([[:print:]])(?:\1+)/$1/g;
                # Computing hash...
                $digest = md5_hex($body_copy);
                dbg ("IXHASH: Computed hash-value $digest via method 2");
                dbg ("IXHASH: Now checking $digest.$dnsserver");
                # Now check via DNS query
                $answer = $resolver->search($digest.'.'.$dnsserver, "A", "IN");
                if ($answer) {
                        foreach $rr ($answer->answer) {
                                next unless $rr->type eq "A";
                                dbg ("IXHASH: Received reply from $dnsserver:". $rr->address);
                                $hits = 1 if $rr->address;
                        }
                }
        }

        # End of computing hash #2 
        #-----------------------------------------------------------------------
        
        
        #-----------------------------------------------------------------------
        # Compute hash # 3 if 
        # - there are at least 8 non-empty characters in the body
        # - neither hash #1 nor hash #2 have been computed
        if (($body =~ /[\S]{8,}/) and (length($digest) < 32)) {
                $body_copy = $body;
                $body_copy =~ s/[[:cntrl:][:space:]=]+//g;
                # replace duplicate chars. This too suffers from a bug in perl
                # so we do it in two steps
                # Step One
                $body_copy =~ s/([[:print:]]{100})(?:\1+)/$1/g;
                # Step Two
                $body_copy =~ s/([[:graph:]])(?:\1+)/$1/g;
                # Computing actual hash
                $digest = md5_hex($body_copy);
                dbg ("IXHASH: Computed hash-value $digest via method 3");
                dbg ("IXHASH: Now checking $digest.$dnsserver");
                # Check via DNS
                $answer = $resolver->search($digest.'.'.$dnsserver, "A", "IN");
                if ($answer) {
                        foreach $rr ($answer->answer) {
                                next unless $rr->type eq "A";
                                dbg ("IXHASH: Received reply from $dnsserver:". $rr->address);
                                $hits = 1 if $rr->address;
                        }
                }
        }
        if (defined $oldalarm) {
                alarm $oldalarm;  $oldalarm = undef;
        }
}; # End of sub ixhashtest

# Error handling - parto of Dallas' code
if ($@ =~ m/timeout/) {
        dbg("IXHASH: $timeout second timeout exceeded while checking $digest.$dnsserver");
}

return $hits;

}
1;

Mehr Hinweise finden sich im Spamassassin-Wiki.