# ************************************************************************
# French high-efficiency rules
# Rules for targeting French spam
# by Maxime Ritter : airmax AT netlibre DOT info
#
# $Id: french_rules.cf,v 1.17 2006/07/13 09:55:56 airmax Exp airmax $
#
# More info on my website (I hope so) : http://maxime.ritter.eu.org
#
# Install them in order to be used after SARE rules, in case you install both
# 'cos I change score for some rules which are inadequate for french mails,
# and french people.
# But use them in order to appear BEFORE my personal mails.
# Best way to install both is of course to use rule-get :
# http://maxime.ritter.eu.org/rule-get
#
# These rules should be added to the SA release IMHO (SA developers
# are allowed to do so).
# ************************************************************************
#
# In french words, I use a "." in regex whenever there is an accent.
# for example /téléphone/i would become /t.l.phone/i
# This allows catching both "é" and "e", as well as "*" and other
# bad characters seen sometimes in spam (probably due to a broken
# spamware).

# Why not targeted by URBL ?
uri LE_DRUIDE /http:\/\/www\.warezfr\.com/
score LE_DRUIDE 4.0
describe LE_DRUIDE Ton warez, c'est DTC. Merci.

#####
# Axipub -> DTC !!
header FR_POPLIST X-Mailer =~ /POPLIST SENDER/
describe FR_POPLIST X-Mailer is a common french spamware
score FR_POPLIST 1.2

header FR_REPLY_TO_POPLIST Reply-To =~ /envoi\@poplist\.net/
describe FR_REPLY_TO_POPLIST Reply-To set to known spammers
score FR_REPLY_TO_POPLIST 1.2

header FR_RCVD_AXI Received =~ /axicli\.com/
describe FR_RCVD_AXI Received via a known spamware relay
score FR_RCVD_AXI 2.0

uri FR_AXIPUB /www\.axipub\.com/
describe FR_AXIPUB Link to a known french spammer
score FR_AXIPUB 2.0

#####
# I don't like headsets
header FR_COMPAQ From =~ /\@compaqnet\.fr/
describe FR_COMPAQ From: is a known french spammers site
score FR_COMPAQ 3.0

header FR_DOPOST X-Mailer =~ /DOPOST/
describe FR_DOPOST X-Mailer is a common french spamware
score FR_DOPOST 2.0

######
# I don't want any ratware, thanks !
# (i can write my own in less than a few hours :-))) )
body FR_PROSPECTION /\blogiciels? de prospection.{0,8} (e-?)?mail\b/i
describe FR_PROSPECTION Speaks about Ratware in French
lang fr describe FR_PROSPECTION Parle de logiciel de prospection

body FR_ROBOT_EMAIL /\brobot(s)? (e-?)?mail\b/i
describe FR_ROBOT_EMAIL Speaks about Ratware in French
lang fr describe FR_ROBOT_EMAIL Parle d'un robot à méls

######
# Sorry, not interested
body FR_GRATUIT /\b(?:100 ?%|enti.rement|TOTALLEMENT|complet.ment) GRATUIT\b/i
describe FR_GRATUIT Something Completely Free ? (in French)
lang fr describe FR_GRATUIT Parle de quelquechose complètement gratuit.

body FR_FREE_TRIAL /\b(?:test|essa[iy]).{0,20} gratuit(?:\b|ement\b)/i
describe FR_FREE_TRIAL French: free trial (Try my anti-spam before)
lang fr describe FR_FREE_TRIAL Francais: test gratuit

body FR_FAIRE_ARGENT /\bfai[tr]es? ((tr.s )?rapidemment )?de l'argent/i
describe FR_FAIRE_ARGENT Make money Fast, in French
lang fr describe FR_FAIRE_ARGENT Faire de l'argent, en Français

body FR_REMISE /\bprofiter (?:d'une|de (la|notre)) (?:offre|remise|promo(tion)?)s?\b/i
describe FR_REMISE Give some discount price, in french
lang fr describe FR_REMISE Parle de promotion, en Français

#####
# Porn
body FR_SEXE_GRATUIT /\bsexe gratuit\b/i
describe FR_SEXE_GRATUIT Free sex in French...
lang fr describe FR_SEXE_GRATUIT Parle de sexe grauit

body FR_PORN_EJAC /\b.jac(?:ulation|')? faciale\b/i
describe FR_PORN_EJAC French porn content
lang fr describe FR_PORN_EJAC Contenu pornographique français

#####
# Penis enlargers (Penis enlargement)
# The optional word carries its own trailing space, so both
# "agrandissement du ..." and "agrandissement permanent du ..." match.
body FR_ENLARGE_PENIS_1 /\bagrandissement (permanent )?du p.nis\b/i
describe FR_ENLARGE_PENIS_1 Penis enlargement (in french)
lang fr describe FR_ENLARGE_PENIS_1 Parle d'agrandir son pénis (en Francais)

body FR_ENLARGE_PENIS_2 /\b(?:Gu.ri(?:t|son de)|soigne) l'impuissance\b/i
describe FR_ENLARGE_PENIS_2 Penis enlargement (in french)
lang fr describe FR_ENLARGE_PENIS_2 Guérison de l'impuisance (en Francais)

body FR_ENLARGE_PENIS_3 /\b(?:Gu.ri(?:t|son de)|soigne) l'.jaculation pr.coce\b/i
describe FR_ENLARGE_PENIS_3 Penis enlargement (in french)
lang fr describe FR_ENLARGE_PENIS_3 Guérison de l'éjaculation précoce (en Francais)

body FR_ENLARGE_PENIS_4 /\bAugmentation .{0,50}(?:volume|intensit.) .{0,30}de l'.jaculation\b/i
describe FR_ENLARGE_PENIS_4 Ejaculation improvement (in french)
lang fr describe FR_ENLARGE_PENIS_4 Améliore l'éjaculation (en Francais)

body FR_ENLARGE_PENIS_5 /\b(Agrandir|Augmenter) .{2,20} p.nis\b/i
describe FR_ENLARGE_PENIS_5 Another penis enlargement (in french)
lang fr describe FR_ENLARGE_PENIS_5 Agrandir un pénis (en Français)

#####
# Payments
body FR_CB /\b(?:ni|sans|pas de) (num.ros? de )?(?:(carte (?:bleue|bancaire))|CB)\b/i
describe FR_CB Doesn't require a credit card, in French
lang fr describe FR_CB Parle de quelquechose ne nécessitant pas de CB (en Français)

#####
# French spammers like the phone.
body FR_TELEPHONE /\b(?:ni |sans |pas d(?:e |'?))(?:(?:appels?|num.ros?( de)?)( t.l.phon(iqu)?es?)?|appels?) (avec )?surtax.s?\b/i
describe FR_TELEPHONE Pas de numéro de téléphone surtaxé
lang fr describe FR_TELEPHONE Pas de numéro de téléphone surtaxé

###
# Seen On Tv ? What does it prove ?
body FR_VU_TV_NATION /\bVU . LA (?:T\.?V\.?|t.l.(vision)?) Nation(n)?ale/i
describe FR_VU_TV_NATION Seen on national TV (french).
lang fr describe FR_VU_TV_NATION Vu a la télé nationale en Francais.
score FR_VU_TV_NATION 2
# Nobody in France speaks about "national TV" (We prefer to speak about "big
# channels" or just "seen on TV"). Only translated spams do. Don't know for Québec and
# other french speaking countries. (But I'm interested: if you are Canadian, Swiss,
# Belgian, African or other, don't hesitate to send me a mail).

body __FR_VU_TV /\bVU . LA (?:T\.?V\.?|t.l.(vision)?)/i
meta FR_VU_TV (__FR_VU_TV && ! FR_VU_TV_NATION)
describe FR_VU_TV Seen on TV (french).
lang fr describe FR_VU_TV Vu a la télé en Francais.

###
# Excuse me for writing this rule, but I don't like the spam
# (the non-capturing groups were written "(:?" and are corrected to "(?:")
body FR_EXCUSE_1 /\bSi ces? (?:message|(e-?)?mail|m.l|courriel|courrier(s? .l.ctroniques?)?)s? (?:vous a (?:importun.|d.rang.)|ne vous concerne pas).?(?: .{1,10})? (?:nous vous prions (sinc.rement) de nous en excuser|veuillez (?:accepter|recevoir) toutes (?:nos|mes) excuses)/i
describe FR_EXCUSE_1 French: Excuses for sending the mail (1).
lang fr describe FR_EXCUSE_1 Francais: Quand on s'excuse pour envoyer un mail, vaux mieux s'abstenir de l'envoyer (1).

body FR_EXCUSE_2 /\bEn nous excusant du d.rangement en cas d.{1,3}erreur/i
describe FR_EXCUSE_2 French: Excuses for sending the mail (2).
lang fr describe FR_EXCUSE_2 Francais: Quand on s'excuse pour envoyer un mail, vaux mieux s'abstenir de l'envoyer (2).

body FR_NOT_SPAM /\bCe(?:ci|s? (?:message|(e-?)?mail|m.l|courriel|courrier(s? .l.ctroniques?)?)s?) n.{0,3}est pas (?:du|un) spam/i
describe FR_NOT_SPAM French: claims it is not a spam
lang fr describe FR_NOT_SPAM Francais: prétends ne pas être un spam

###
# Please read ?
body FR_SVP_LISEZ /\b(?:(S(\.)?V(\.)?P(\.)?)|(s'il vous plait))(,)? lise[zr] ce/i
describe FR_SVP_LISEZ Please read, in french
lang fr describe FR_SVP_LISEZ SVP Liser ceci, en français

####
# Excuses

# Claims it is not a chain letter...
body FR_CHAINE_LETTRES /\bPAS UNE CHA.NE DE LETTRES\b/i
describe FR_CHAINE_LETTRES Claims it is not a chain letter, in French
lang fr describe FR_CHAINE_LETTRES Affirme que ce n'est pas une chaine de lettres, en Français

# Last sending ...
body FR_DERNIERE /\bderni.re fois que je (vous )?l'( )?envoie\b/i
describe FR_DERNIERE Last sending, in french
lang fr describe FR_DERNIERE Dernier envoi, en Français

#
# French MUA nice rules
# =-=-=-=-=-=-=-=-=-=-=
# Not french specific, but usually people who can speak/write english
# don't use them (Caramail s*cks more than a lot if you don't use their
# chats (in french only), Voila is also a search engine with *very* bad
# results with anything other than french).
#

####
# This webmail sucks (http://looking-glass.teaser.fr/~at/mx/caramail.html
# and http://solutions.journaldunet.com/0301/030120_caramail.shtml) but
# is very popular in France.
header __USER_AGENT_CARASUCKS X-Mailer =~ /^LycosMail/
header __LYCOS_HAS_XOIP X-Originating-IP =~ /^\[[0-9]/
meta MAILER_CARASUCKS (__USER_AGENT_CARASUCKS && __LYCOS_HAS_XOIP)
describe MAILER_CARASUCKS French Caramail/Lycos webmail service
score MAILER_CARASUCKS -2
tflags MAILER_CARASUCKS nice

# Another webmail (Voila, Oléane & Orange, and maybe other France Télécom subsidiaries)
# This one also sucks a lot.
header __VOILA_API X-XaM3-API-Version =~ /^[0-9]/
header __HAS_SENDER_IP X-SenderIP =~ /^[0-9]/
meta MAILER_VOILA (__HAS_SENDER_IP && __VOILA_API)
describe MAILER_VOILA X-Mailer from a non-spam MUA (Voila)
lang fr describe MAILER_VOILA X-mailer provennant d'un MUA non-spammer (Voila)
score MAILER_VOILA -2.5
tflags MAILER_VOILA nice

#
# The 2 latest rules aren't french specific, but it is more likely to
# see them in french spams.
#

####
# What is this stupid ratware which sends all its messages with the same
# Message-ID ?
# This Message-ID looks like it was written by some French speaker (truc muche)
header STUPID_RATWARE Message-ID =~ /15885111555trucmuche\@cu\.com/
describe STUPID_RATWARE Known evil Message-ID
lang fr describe STUPID_RATWARE Message-ID connu
score STUPID_RATWARE 4.0

####
# some boundaries, only used in some french spams
header FR_BOUND_RAT Content-Type =~ /boundary=\"--=\d{4}-[a-z]{4}-\d{4}-[a-z]{4}\"/
describe FR_BOUND_RAT Boundaries only used in some french spams
lang fr describe FR_BOUND_RAT Contient des frontières MIME écrites d'une manière très utilisée par spammeur français.
# TODO : update these descriptions, they suck !

#
# **************************************************************************
# Less efficient french rules
# Those rules are also very helpful, but they might also match some
# legitimate mails, such as newsletters.
#
# These rules (or some of them) might be added to the SA distribution.
# **************************************************************************
#

######
# nice spammers are happy to put a nice tag
# (the pattern was wrapped in double quotes, which stops it from being
# read as a /.../ regex; the quotes are removed)
header FR_PUB_TAG Subject =~ /.?PUB.?\b/
describe FR_PUB_TAG French advertisement tag found in subject
score FR_PUB_TAG 1.5
lang fr describe FR_PUB_TAG Balise PUB trouvé dans le sujet.
# Note that this never matches PUBLIC or PUBLIER, because
# the rule requires a space, at least as the second character.

#### Those people are the biggest liars I have ever seen
uri FR_SPAMSITE_CHARTER /www\.charter\.fr/
describe FR_SPAMSITE_CHARTER Link to a spam site (Charter.fr).
lang fr describe FR_SPAMSITE_CHARTER Url vers le site d'un spammeur (Charter.fr).
score FR_SPAMSITE_CHARTER 3.5

# I know it belongs to LDCOM/9Tél. I also know they host a lot of spammers.
# I also know they don't respond to abuse. So they deserve this rule.
header FR_SPAMSITE_GAOLAND Received =~ /\.rev\.gaoland\.net/
describe FR_SPAMSITE_GAOLAND Received via a known spam site (gaoland).
lang fr describe FR_SPAMSITE_GAOLAND Recu à travers les serveurs d'un spammeur (gaoland).
score FR_SPAMSITE_GAOLAND 2.5

uri FR_SPAMSITE_HALIMI /www\.cyberprospection\.com/
describe FR_SPAMSITE_HALIMI Link to famous French Spammer (Fabrice Halimi)
lang fr describe FR_SPAMSITE_HALIMI Lien vers le célèbre spammeur Fabrice Halimi
score FR_SPAMSITE_HALIMI 4.5

body FR_NOM_DOMAINE /\bnoms? de domaines?/i
describe FR_NOM_DOMAINE Domain name, in French.
lang fr describe FR_NOM_DOMAINE Parle de noms de domaines

# This one is more or less funny. The real spamvertised site is hidden, you don't see it
# but there is a hidden frame which allows him to cheat with a visit counter of his
# sponsor.
uri FR_FUNNY_SPAMMER /www\.mailler\.free\.fr/
describe FR_FUNNY_SPAMMER Hidden banner spamvertising
lang fr describe FR_FUNNY_SPAMMER Apparemment une blague, en fait une bannière cachée
score FR_FUNNY_SPAMMER 3.5
# note : is this rule really useful as of SA 3.0 ?

####
# I don't use a mouse for reading mails
body FR_CLIC_ICI /\bClique[rz] ici\b/i
describe FR_CLIC_ICI Click here, in french
lang fr describe FR_CLIC_ICI Demande de cliquer 'ici', en Francais

body FR_CLIC_LIEN /\b(?:Clique[rz] sur|suive[rz]) [cl]e lien\b/i
describe FR_CLIC_LIEN Click on the link, in french
lang fr describe FR_CLIC_LIEN Demande de cliquer sur un lien, en Francais
score FR_CLIC_LIEN 2.0

body __CLIC_SUR /\bClique[rz] sur\b/i
meta CLIC_SUR (__CLIC_SUR && ! FR_CLIC_LIEN)
describe CLIC_SUR Asks to click on something, in French
lang fr describe CLIC_SUR Demande de cliquer sur quelquechose en Francais

body FR_AUDIOTEL /\b0.?8.?9.?2(.?[0-9]){6}\b/
describe FR_AUDIOTEL French premium rate call
lang fr describe FR_AUDIOTEL Numéro de téléphone Audiotel

body FR_CALL_PRICE /[0-9] ?(?:.|Eur(?:os|\.)?) ?(?:\/|par) ?(?:min(?:\.|ute)?|appel)\b/i
describe FR_CALL_PRICE Gives the price of a phone call (in french)
lang fr describe FR_CALL_PRICE Donne le prix d'un appel téléphonique en Français

body FR_NUMERO_VERT /\bNum.ro vert\b/i
describe FR_NUMERO_VERT Free call (in french)
lang fr describe FR_NUMERO_VERT Parle d'un numéro vert (en français)

#####
# Why would I want to unsubscribe ?
body FR_UNSUB_1 /\b(?:(?:se|vous) (?:retirer|d.sinscrire)( simplement)? de|.tre (?:retir.|supprim.) de|quitter|sortir de) (?:la|notre|cette|ces|nos) (?:listes?|base de donn.es|publipostage|mailings?(-listes?)?)\b/i
describe FR_UNSUB_1 Gives instructions for unsubscribing in French
lang fr describe FR_UNSUB_1 Donne des instructions pour se désabonner en Français

body FR_UNSUB_2 /\bplus recevoir (?:ce |ces |d'autres |mes |l(a|es) |nos |aucun(e?s)? |d(?:e|')).{0,15}(?:newsletter|offre|info(rmation)?|messages?|proposition|(e-?)?mail|m.l|courriel|courrier(s? .l.ctroniques?)?)s?\b/i
describe FR_UNSUB_2 Gives instructions for unsubscribing in French
lang fr describe FR_UNSUB_2 Donne des instructions pour se désabonner en Français

body FR_UNSUB_3 /\b(?:(e-?)?mail|m.l|courriel|courrier( .l.ctronique)?) .{0,15}(?:objet|sujet|contenant) .{0,15}(?:Stop|.Non.|unsubscribe|d.sabonnement)\b/i
describe FR_UNSUB_3 Gives instructions for unsubscribing in French
lang fr describe FR_UNSUB_3 Donne des instructions pour se désabonner en Français

# (a doubled "|" left an empty alternative in the last group; removed)
body FR_UNSUB_4 /\bretirer votre adresse.{0,15} de (?:la|cette|notres?|nos) (?:listes?|mailing|base de donn.es|publipostage|mailings?(-listes?)?)\b/i
describe FR_UNSUB_4 Gives instructions for unsubscribing in French
lang fr describe FR_UNSUB_4 Donne des instructions pour se désabonner en Français

body FR_UNSUB_5 /\bnous le (?:retourner|renvoyer) avec (?:en |comme |l' ?)objet .?(?:remove|d.sinscription|unsubscribe|d.sabonnement).?\b/i
describe FR_UNSUB_5 Gives instructions for unsubscribing in French
lang fr describe FR_UNSUB_5 Donne des instructions pour se désabonner en Français

body FR_UNSUB_6 /\bPour vous d.sinscrire,? merci de (?:vous rendre|cliquer) ici/
describe FR_UNSUB_6 Gives instructions for unsubscribing in French
lang fr describe FR_UNSUB_6 Donne des instructions pour se désabonner en Français

#####
# Gives a very stupid reason
body FR_REASON_1 /\bVous recevez cet?(te)? (?:(e-?)?mail|m.l|courriel|courrier( .l.ctronique)?) car vous vous .tes inscrit.{0,15} (?:la|notre|cette|ces|nos) (?:listes?|base de donn.es|publipostage|mailings?(-listes?)?)\b/i
describe FR_REASON_1 French: gives a reason for sending this mail (1)
lang fr describe FR_REASON_1 Francais: donne une raison pour l'envoi du mail (1)

body FR_REASON_2 /\bVous recevez cet?(te)? (?:(e-?)?mail|m.l|courriel|courrier( .l.ctronique)?) car vous (?:vous .tes|avez .t.) inscrit.{0,40} (?:un tiers|quelqu.un) .{0,30} (?:la|notre|cette|ces|nos) (?:listes?|base de donn.es|publipostage|mailings?(-listes?)?)\b/i
describe FR_REASON_2 French: gives a reason for sending this mail (2)
lang fr describe FR_REASON_2 Francais: donne une raison pour l'envoi du mail (2)
score FR_REASON_2 2.0

body FR_REASON_3 /\bVous recevez cet?(te)? (?:(e-?)?mail|m.l|courriel|courrier( .l.ctronique)?) car quelqu.un .{0,3}probablement vous.{0,30} inscrit.{0,6} (?:la|notre|cette|ces|nos) (?:listes?|base de donn.es|publipostage|mailings?(-listes?)?)\b/i
describe FR_REASON_3 French: gives a reason for sending this mail (3)
lang fr describe FR_REASON_3 Francais: donne une raison pour l'envoi du mail (3)
score FR_REASON_3 0.5

body FR_REASON_4 /\bvous recevez cette lettre d.information.? (?:c.est|parce) que vous avez (d.j. )utilis. nos services de commande ou de mailing\b/i
describe FR_REASON_4 French: gives a reason for sending this mail (4)
lang fr describe FR_REASON_4 Francais: donne une raison pour l'envoi du mail (4)

uri FR_REMOVE_PAGE /^https?:\/\/[^\/]+\/.*?desinscription/
describe FR_REMOVE_PAGE URL of page called "desinscription"
lang de describe FR_REMOVE_PAGE Hyperlink einer Seite, die "desinscription" heißt
lang es describe FR_REMOVE_PAGE URL of page called "desinscription"
lang fr describe FR_REMOVE_PAGE Contient une URL pointant sur une page de nom "desinscription"
lang it describe FR_REMOVE_PAGE Contiene un URL in cui compare 'remove'
lang sk describe FR_REMOVE_PAGE URL stránky s názvom "desinscription"

# Free's IMP, with the RBLs and all that, is becoming a public menace...
header __IMP_UA User-Agent =~ /^Internet Messaging Program \(IMP\) \d/
header __IMP_RECEIVED Received =~ /\(IMP\) with HTTP/
meta __IMP (__IMP_UA && __IMP_RECEIVED)
header __FREE_MAIL From =~ /\@free\.fr/i
header __FREE_RCVD Received =~ /imp[1-9]\-[a-z]\.free\.fr/
meta FREE_IMP __FREE_RCVD && __IMP
score FREE_IMP -2.0
describe FREE_IMP Utilise la webmail de Free.fr
tflags FREE_IMP nice

header __RCVD_IN_SORBS eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
header __RCVD_IN_DYNABLOCK eval:check_rbl('sorbs-notfirsthop', 'dnsbl.sorbs.net.', '127.0.0.10')
meta RCVD_IN_SORBS (__RCVD_IN_SORBS && ! FREE_IMP )
meta RCVD_IN_DYNABLOCK (__RCVD_IN_DYNABLOCK && ! FREE_IMP )

header __NO_REAL_NAME From =~ /^["\s]*\<?\S+\@\S+\>?\s*$/
meta NO_REAL_NAME (__NO_REAL_NAME && ! (FREE_IMP && __FREE_MAIL) )

# Legit Newsletter (Carpediem)
header __CD_MAILER X-Mailer =~ /CD-Mailer/
header __HTTPS Received =~ /https.carpediem.fr/
uri __DERNIERE_NVL /vu.derniere-nouvelle.com/
meta CARPEDIEM ( __CD_MAILER && __HTTPS && __DERNIERE_NVL )
score CARPEDIEM -3.0
tflags CARPEDIEM nice

# From 70_sare_header.cf
header __SARE_FROM_FREE From =~ /\bf.?r.?e.?e\b/i
header __SARE_FROM_FREE_EFAX From =~ /freehelp\@mail\.efax\.com/
header __SARE_FROM_FREE_24FUN From =~ /info\@24fun\.com/i
header __SARE_FROM_FREE_ECARD From =~ /Free Electronic Greeting Card/i
meta SARE_FROM_FREE ( __SARE_FROM_FREE && !__FREE_MAIL && __MR_LEGIT_FREE && !ADDR_FREE && !__SARE_FROM_FREE_EFAX && !__SARE_FROM_FREE_24FUN && !__SARE_FROM_FREE_ECARD )
describe SARE_FROM_FREE Sender name includes word suggesting spammer
score SARE_FROM_FREE 0.878

# From 70_sare_header.cf
# Removes free inside this regex, cause it's already present in SARE_FROM_FREE,
# and badly matches free.fr addresses
header __SARE_FROM_SPAM_WORD3 From =~ /(?:auto|daily|deal|direct|dr\.|guaranteeds|health|info|platinum|promo|promotion|reward|single|special|training)/i
describe SARE_FROM_SPAM_WORD3 From address suggests this may be spam
lang fr describe SARE_FROM_SPAM_WORD3 L'adresse de l'expéditeur suggère un possible spam
score SARE_FROM_SPAM_WORD3 0.100

#
# against SARE stupid rules
#=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Voilà is too famous here !
score SARE_FREE_WEBM_FrVoila 0
score SARE_FREE_WEBM_FrYahoo 0

# Removing Foxmail, which isn't a bulk mailer, but very used in France
header SARE_XMAIL_BULK3 X-Mailer =~ /UnityMail/i
describe SARE_XMAIL_BULK3 Uses bulk mailer used by spammers
score SARE_XMAIL_BULK3 0.117

# French politician who does spamming (and not opt-in as he claims)
body FR_SARKOZY /Nicolas Sarkozy/i
describe FR_SARKOZY N. Sarkozy utilise l'envoi en masse d'email de maniere illicite pour sa campagne
score FR_SARKOZY 0.01
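
#
# Added example (not part of the original rule file and not written by its author):
# the "." accent convention from the header comment and the FR_VU_TV meta rule, run in
# Python over constructed message bodies. It assumes rules are matched against raw
# message bytes; hits(), widen(), ACCENT_SLOT and BARE_DOT are hypothetical names, and
# widen() is one possible way to let the placeholder accept a UTF-8 encoded accent.
#

```python
import re

# Body patterns copied from the rules above; Perl's /i becomes re.IGNORECASE.
# Assumption: bodies are matched as raw bytes, hence bytes patterns.
BODY_RULES = {
    "FR_NUMERO_VERT": rb"\bNum.ro vert\b",
    "FR_GRATUIT": rb"\b(?:100 ?%|enti.rement|TOTALLEMENT|complet.ment) GRATUIT\b",
    "FR_VU_TV_NATION": rb"\bVU . LA (?:T\.?V\.?|t.l.(vision)?) Nation(n)?ale",
    "__FR_VU_TV": rb"\bVU . LA (?:T\.?V\.?|t.l.(vision)?)",
}

# Hypothetical widening: an accent slot is a 2-byte UTF-8 sequence or any one byte.
ACCENT_SLOT = rb"(?:[\xc2-\xdf][\x80-\xbf]|.)"
# A "." that is neither escaped nor quantified, i.e. an accent placeholder.
BARE_DOT = re.compile(rb"(?<!\\)\.(?![{?*+])")


def widen(pattern):
    """Rewrite accent placeholders so they also accept UTF-8 encoded accents."""
    return BARE_DOT.sub(lambda _match: ACCENT_SLOT, pattern)


def hits(raw_body, utf8_aware=False):
    """Return the names of the scored rules that fire on a raw (undecoded) body."""
    fired = set()
    for name, pattern in BODY_RULES.items():
        if utf8_aware:
            pattern = widen(pattern)
        if re.search(pattern, raw_body, re.IGNORECASE):
            fired.add(name)
    # meta FR_VU_TV (__FR_VU_TV && ! FR_VU_TV_NATION)
    if "__FR_VU_TV" in fired and "FR_VU_TV_NATION" not in fired:
        fired.add("FR_VU_TV")
    # Sub-rules (leading "__") carry no score and are not reported.
    return {name for name in fired if not name.startswith("__")}


# Constructed sample bodies, not taken from real mail.
TEXT = "Appelez notre num\u00e9ro vert, c'est enti\u00e8rement gratuit"
SAMPLES = {
    "latin1": TEXT.encode("latin-1"),
    "utf8": TEXT.encode("utf-8"),
    "mangled": b"Appelez notre num*ro vert, c'est enti*rement gratuit",
    "tv_nation": "Vu \u00e0 la t\u00e9l\u00e9 nationale".encode("latin-1"),
    "tv": "Vu \u00e0 la TV hier soir".encode("latin-1"),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, sorted(hits(body)), sorted(hits(body, utf8_aware=True)))
```

# On the UTF-8 sample the unmodified patterns miss the accented words, because "."
# consumes only the first of the two bytes that encode "é" or "è".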