Import into repo

10_whitelist.cf

@@ -0,0 +1,41 @@
+# Whitelist rules
+
+# SOSDG/AHBL rules
+whitelist_from_rcvd *@ahbl.org		sosdg.org
+whitelist_from_rcvd *@sosdg.org		sosdg.org
+whitelist_from_rcvd *@2mbit.com		sosdg.org
+whitelist_from_rcvd *@lists.sosdg.org	sosdg.org
+
+# Mailing Lists
+whitelist_from_rcvd *@freelists.org	iquest.net
+whitelist_from_rcvd *@spam-l.com	mfn.org
+whitelist_from_rcvd *@spam-l.com	spam-l.com
+whitelist_from_rcvd *@spam-l.com	gas-net.org
+whitelist_from_rcvd *@nanog.org		nanog.org
+whitelist_from_rcvd *@merit.edu		nanog.org
+whitelist_from_rcvd *@spammers.dontlike.us	domainmail.org
+
+# SOSDG/AHBL friends and whitehat providers
+whitelist_from_rcvd *@wiztech.biz	sosdg.org
+whitelist_from_rcvd *@lists.wiztech.biz	sosdg.org
+
+#DomainTools
+whitelist_from_rcvd *@domaintools.com nameintel.com
+
+#Bethesda emails from amazonses
+whitelist_from_rcvd *@bethesda.net amazonses.com
+
+#Hubspot
+whitelist_from_rcvd *@*.hubspot.com hubspot.com
+whitelist_from_rcvd *@*.hubspot.com hubspotemail.net
+
+#Known good ecommerce sites and associated companies
+whitelist_from_rcvd *@obtainsurplus.com obtainium.biz
+whitelist_from_rcvd *@obtainium.biz obtainium.biz
+whitelist_from_rcvd *@reuseum.com obtainium.biz
+whitelist_from_rcvd *@reuseum.org obtainium.biz
+whitelist_from_rcvd *@reuseum.com reuseum.com
+whitelist_from_rcvd *@reuseum.org reuseum.com
+whitelist_from_rcvd *@bigcommerce.com bigcommerce.com
+whitelist_from_rcvd *@salesandorders.com outlook.com
+whitelist_from_rcvd *@sixbitsoftware.com emailsrvr.com

20_known_abusers.cf

@@ -0,0 +1,56 @@
+# Known Richard Scoville, Mike McAllister mail froms used to harass people
+blacklist_from therealkmanhere@gmail.com
+blacklist_from canadiantaxman.ca@gmail.com
+blacklist_from DarrellLarose.ca@gmail.com
+blacklist_from canadiantaxman.ca@gmail.com
+blacklist_from dioguardi.taxlaw@gmail.com
+blacklist_from CanadianISPExec@gmail.com
+blacklist_from keithcp1@gmail.com
+blacklist_from peter.m.taticek@gmail.com
+blacklist_from susanwigle@gmail.com
+blacklist_from thefreespeechstore@gmail.com
+blacklist_from canadianisp.ca@gmail.com
+blacklist_from *@freespeechstore.com
+blacklist_from *@thefreespeechstore.com
+blacklist_from brian.brielle.bruns@gmail.com
+blacklist_from stay.clear.ntuit@gmail.com
+blacklist_from justcanadian242@googlemail.com
+blacklist_from ceo.freespeechstore@gmail.com
+blacklist_from davidnbrown80.mesa@gmail.com
+
+
+# Known addresses of Jamie Baillie mail froms used to harass and mailbomb providers
+blacklist_from theusenet@yahoo.ca
+blacklist_from *@darkshado.ca
+blacklist_from nanaestalkers@yahoo.ca
+
+# Andrew Stephens many sock puppets (See NANAE flood)
+blacklist_from wiomoudr@anonymbox.com
+blacklist_from johnwilliams7896897@gmail.com
+blacklist_from timrobbins1957@gmail.com
+blacklist_from canspamrules@gmail.com
+blacklist_from suebarrymorestrikesagain@gmail.com
+blacklist_from stephensboy@gmail.com
+blacklist_from edataking@gmail.com 
+blacklist_from verumtruth@gmail.com
+
+
+# Known spammed tinyurl.com links that abuse@ has not acted on
+uri			SOSDG_SPAMMED_TINYURL1	/tinyurl.com\/(free-speech-store|bruns-kirch-ahbl-abuse|Ottawa-Three-Plus-Some)/i
+describe	SOSDG_SPAMMED_TINYURL1	"Scoville/McAllister spammed tinyurl.com link"
+score		SOSDG_SPAMMED_TINYURL1		2.0
+
+# Known spammed alturl.com links that abuse@ has not acted on
+uri			SOSDG_SPAMMED_ALTURL1	/alturl.com\/zm639/i
+describe	SOSDG_SPAMMED_ALTURL1	"Scoville/McAllister spammed alturl.com link"
+score		SOSDG_SPAMMED_ALTURL1	2.0
+
+# Known spammed Google Groups posting hashes from Scoville/McAllister
+uri			SOSDG_SPAMMED_GOOGLEGRPS1	/groups.google.com\/.*\/(f3accf97cdf69d0d|229fb46bf323d091|f3accf97cdf69d0d)/i
+describe	SOSDG_SPAMMED_GOOGLEGRPS1	"Scoville/McAllister spammed Google Groups articles"
+score		SOSDG_SPAMMED_GOOGLEGRPS1	2.0
+
+# Richard Scoville's Pay-Per-Libel website, used in spam runs
+uri			SOSDG_SPAMMED_SCOVILLE1	/(freespeechstore.com|thefreespeechstore.com)/i
+describe	SOSDG_SPAMMED_SCOVILLE1	"Richard Scoville's FreeSpeechStore website spammed"
+score		SOSDG_SPAMMED_SCOVILLE1	2.0

25_spam_from.cf

@@ -0,0 +1 @@
+blacklist_from robsavage19@hotmail.com

30_virus.cf

@@ -0,0 +1,17 @@
+# Subject: Your wife photos attached
+header		SOSDG_VIRUS_WIFE1	Subject =~ /your (wife|wifes|wife's) (photo|photos) attached/i
+describe	SOSDG_VIRUS_WIFE1	Subject is common virus/trojan sign
+score		SOSDG_VIRUS_WIFE1	3.0
+
+body		__LOCKY_TEST1		/I am sending copies of the documents as attachments/i
+body		__LOCKY_TEST2		/Thank you very much for your reply/i
+body		__LOCKY_TEST3		/I have attached the financial report you requested./i
+body		__LOCKY_TEST4		/I am sending you the invoice you requested/i
+body		__LOCKY_TEST5		/Attached please find the documents you requested/i
+body		__LOCKY_TEST6		/wrong data file you received from me/i
+body		__LOCKY_TEST7		/attached is concerned with the company database/i
+
+mimeheader	__ZIP_ATTACHED		Content-Type =~ /zip/i
+meta		SOSDG_LOCKY_RANSOMWARE1	(( __LOCKY_TEST1 + __LOCKY_TEST2 + __LOCKY_TEST3 + __LOCKY_TEST4 + __LOCKY_TEST5 + __LOCKY_TEST6 + __LOCKY_TEST7 + __ZIP_ATTACHED ) > 1)
+score		SOSDG_LOCKY_RANSOMWARE1	4.0
+describe	SOSDG_LOCKY_RANSOMWARE1	Common patterns for Locky ransomware

40_spam_patterns.cf

@@ -0,0 +1,32 @@
+# Spam Patterns
+
+#body	 __VERT_SPAM_PILL1	/_{1,3}(v|c|l)_{0,3}/i
+#body	 __VERT_SPAM_PILL2	/_{1,3}(i|e)_{0,3}/i
+#body	 __VERT_SPAM_PILL3	/_{1,3}(a|v)_{0,3}/i
+#body	 __VERT_SPAM_PILL4	/_{1,3}(g|l|i)_{0,3}/i
+#body	 __VERT_SPAM_PILL5	/_{1,3}(r|i|t)_{0,3}/i
+#body	 __VERT_SPAM_PILL6	/_{1,3}(a|s|r)_{0,3}/i
+#meta		SOSDG_VERT_PILL_SPAM_PATTERN	((__VERT_SPAM_PILL1 + __VERT_SPAM_PILL2 + __VERT_SPAM_PILL3 + __VERT_SPAM_PILL4 + __VERT_SPAM_PILL5 + __VERT_SPAM_PILL6) > 4)
+#describe	SOSDG_VERT_PILL_SPAM_PATTERN	Pill spam with vertical text
+#score		SOSDG_VERT_PILL_SPAM_PATTERN	3.0
+
+
+body		SOSDG_WE_ARE_NOT_SPAM1	/ We are not spammer./
+describe	SOSDG_WE_ARE_NOT_SPAM1	'We are not spam' match
+score		SOSDG_WE_ARE_NOT_SPAM1	3.0
+
+body		SOSDG_BRING_EMAIL1	/We can bring you more business and find new clients by our email services/
+describe	SOSDG_BRING_EMAIL1	Bring business by email match
+score		SOSDG_BRING_EMAIL1	2.0
+
+body		SOSDG_PAYPAL_SCAM1	/We emailed you a little while ago to ask for your help resolving/
+describe	SOSDG_PAYPAL_SCAM1	Paypal scam match
+score		SOSDG_PAYPAL_SCAM1	4.0
+
+body		SOSDG_KNOWN_SPAMPHONE1	/877-228-1545/
+describe	SOSDG_KNOWN_SPAMPHONE1	Known spam phone number - 877-228-1545
+score		SOSDG_KNOWN_SPAMPHONE1	4.0
+
+body		SOSDG_PAYPAL_SCAM1	/Its important your happy and not bothered/
+describe	SOSDG_PAYPAL_SCAM1	Spam wording match
+score		SOSDG_PAYPAL_SCAM1	4.0

build.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+VERSION=34
+TAR=`which tar`
+MYSQL=`which mysql`
+EPOCH=`date +%s`
+TARBALL="${VERSION}.tar.gz"
+SHA1SUM=`which sha1sum`
+DNSUSER="brielle"
+DNSDOMAIN="*.3.sa.sosdg.org"
+DNSDB="ns1-powerdns"
+DNSTABLE="records"
+
+${TAR} zvcf ../../${TARBALL} --exclude-vcs --exclude='*.sh' * ;\
+${SHA1SUM} ../../${TARBALL} > ../../${TARBALL}.sha1
+
+#echo -n "Mysql password: "
+#stty -echo
+#read password
+#stty echo
+
+#DNSSOA=`echo "SELECT content FROM ${DNSTABLE} WHERE domain_id='4'
+#		AND name='sosdg.org' AND type='SOA'" |\
+#		${MYSQL} --user=${DNSUSER} --password=$password ${DNSDB}`
+
+#DNSSOA2=( ${DNSSOA// / } )
+#NEW_SOA="${DNSSOA2[1]} ${DNSSOA2[2]} $((${DNSSOA2[3]}+1)) ${DNSSOA2[4]} ${DNSSOA2[5]} ${DNSSOA2[6]} ${DNSSOA2[7]}"
+
+
+#echo "UPDATE ${DNSTABLE} SET content='${VERSION}', change_date='${EPOCH}'
+#		WHERE name='${DNSDOMAIN}' AND type='TXT'" |\
+#		${MYSQL} --user=${DNSUSER} --password=$password ${DNSDB}
+#
+#echo "UPDATE ${DNSTABLE} SET content='${NEW_SOA}', change_date='${EPOCH}'
+#		WHERE domain_id='4' AND name='sosdg.org' AND type='SOA'" |\
+#		${MYSQL} --user=${DNSUSER} --password=$password ${DNSDB}
+
+#unset password