# Copyright (c) 2005 Daryl C. W. O'Shea, DOS Technologies. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

loadplugin Mail::SpamAssassin::Plugin::WebRedirect /etc/mail/spamassassin/WebRedirect.pm

web_redirect_max_checks 		3

web_redirect_host			geocities.com *.geocities.com geocities.yahoo.com.??
web_redirect_host			tripod.com *.tripod.com tripod.lycos.com
web_redirect_host			spaces.msn.com
web_redirect_skip_host			example.com *.example.com


# Eval rules that test the HTTP status code returned

header		WEB_301			eval:WebRedirect_Status(301)
score		WEB_301			1.0
describe	WEB_301			Contains a web link that returns 301
tflags		WEB_301			net

header		WEB_302			eval:WebRedirect_Status(302)
score		WEB_302			1.0
describe	WEB_302			Contains a web link that returns 302
tflags		WEB_302			net

header		WEB_403			eval:WebRedirect_Status(403)
score		WEB_403			4.0
describe	WEB_403			Contains a web link that returns 403
tflags		WEB_403			net

header		WEB_404			eval:WebRedirect_Status(404)
score		WEB_404			2.5
describe	WEB_404			Contains a web link that returns 404
tflags		WEB_404			net


# Tests against plaintext found in web pages

header		WEB_HTTP_REDIR		Web-Redirect =~ /http-equiv="refresh".{0,100}url=/i
score		WEB_HTTP_REDIR		2.0
describe	WEB_HTTP_REDIR		A web link contains an http-equiv redirect
tflags		WEB_HTTP_REDIR		net

header		WEB_UNSUBSCRIBE		Web-Redirect =~ /\bunsubscribe?\b/i
score		WEB_UNSUBSCRIBE		2.5
describe	WEB_UNSUBSCRIBE		Contains a web link that mentions unsubscribing
tflags		WEB_UNSUBSCRIBE		net

header		WEB_SEXUAL		Web-Redirect =~ /\bsexual\b/
score		WEB_SEXUAL		0.5
describe	WEB_SEXUAL		Contains a Geocities link that mentions sexual
tflags		WEB_SEXUAL		net

header		WEB_RE_HTMLCRYPT	Web-Redirect =~ /\bHTMLCrypt\b/
score		WEB_RE_HTMLCRYPT	1.0
describe	WEB_RE_HTMLCRYPT	Contains a html redirect page with crypt in it!
tflags		WEB_RE_HTMLCRYPT	net

header		WEB_RE_DECRYPT		Web-Redirect =~ /Decrypt the HTML/
score		WEB_RE_DECRYPT		1.0
describe	WEB_RE_DECRYPT		Contains link to web page that decrypts itself
tflags		WEB_RE_DECRYPT		net

header		WEB_JS_ENCODE		Web-Redirect =~ /\bJScript\.Encode\b/
score		WEB_JS_ENCODE		3.0
describe	WEB_JS_ENCODE		Links to a Geocities page containing encoded data
tflags		WEB_JS_ENCODE		net

header		WEB_RE_ONLOAD_JS	Web-Redirect =~ /\bbody\s+onload\s*=\s*"javascript:location\.href='/
score		WEB_RE_ONLOAD_JS	1.0
describe	WEB_RE_ONLOAD_JS	Links to web page that redirects you upon loading
tflags		WEB_RE_ONLOAD_JS	net

header		WEB_RE_LOC_HREF		Web-Redirect =~ /\blocation\.href\s*=/
score		WEB_RE_LOC_HREF		4.0
describe	WEB_RE_LOC_HREF		Links to web page that contains 'location.href='
tflags		WEB_RE_LOC_HREF		net

header		WEB_RE_HOTLOG		Web-Redirect =~ /\bhotlog\.ru\b/
score		WEB_RE_HOTLOG		2.0
describe	WEB_RE_HOTLOG		Links to web page that uses hotlog.ru
tflags		WEB_RE_HOTLOG		net

header		WEB_ADULT		Web-Redirect =~ /\b(?:SEXUAL CONTENT WARNING|ADULTS ONLY)\b/
score		WEB_ADULT		2.0
describe	WEB_ADULT		Links to web page that contains adult content
tflags		WEB_ADULT		net

header		WEB_SUBSCRIBTION	Web-Redirect =~ /\bsubscribtion\b/
score		WEB_SUBSCRIBTION	2.0
describe	WEB_SUBSCRIBTION	Offers to stop your 'subscribtion'
tflags		WEB_SUBSCRIBTION	net

header		WEB_UNSUB_PHP		Web-Redirect =~ /\bunsubscribed.php\b/
score		WEB_UNSUB_PHP		2.0
describe	WEB_UNSUB_PHP		Links to site that contains 'unsubscribed.php'
tflags		WEB_UNSUB_PHP		net

header		WEB_SUBSCRIBED		Web-Redirect =~ /\byou\s+were\s+subscribed\b/
score		WEB_SUBSCRIBED		2.0
describe	WEB_SUBSCRIBED		Claims that you were subscribed to something
tflags		WEB_SUBSCRIBED		net

header		WEB_EXIT_SITE		Web-Redirect =~ /\bEXIT SITE\b/
score		WEB_EXIT_SITE		0.75
describe	WEB_EXIT_SITE		Links to a site that offers you to exit it
tflags		WEB_EXIT_SITE		net

header		WEB_LOC_HREF_ADD	Web-Redirect =~ /\blocation\."?\s*\+\s*"href\s*=/
score		WEB_LOC_HREF_ADD	4.0
describe	WEB_LOC_HREF_ADD	Page contains addition of 'location.' + 'href'
tflags		WEB_LOC_HREF_ADD	net

# http://spaces.msn.com/members/isidrolangham/
header          WEB_REPLICA_WATCH       Web-Redirect =~ /\bReplica-Watch-Store\b/
score           WEB_REPLICA_WATCH       3.0
describe        WEB_REPLICA_WATCH       Page contains 'Replica-Watch-Store'
tflags          WEB_REPLICA_WATCH       net


# Tests against decoded cyphertext found in web pages

header		WEB_ENRE_LOC_HREF	Web-Redirect-Encoded =~ /\blocation\.href\s*=/
score		WEB_ENRE_LOC_HREF	3.0
describe	WEB_ENRE_LOC_HREF	Web page contains encoded 'location.href='
tflags		WEB_ENRE_LOC_HREF	net

header		WEB_ENRE_ON_LOAD	Web-Redirect-Encoded =~ /\bbody\.onload\s*=/
score		WEB_ENRE_ON_LOAD	3.0
describe	WEB_ENRE_ON_LOAD	Linked web page contains encoded 'body.onload'
tflags		WEB_ENRE_ON_LOAD	net

header		WEB_ENRE_URI_ADD	Web-Redirect-Encoded =~ /\bprefix\s*\+\s*domain(?:_to)?\b/
score		WEB_ENRE_URI_ADD	1.0
describe	WEB_ENRE_URI_ADD	Page contains encoded addition of prefix + domain
tflags		WEB_ENRE_URI_ADD	net

header		WEB_ENCODED_DATA	Web-Redirect-Encoded !~ /^(?:---new-page---)*$/
score		WEB_ENCODED_DATA	2.0
describe	WEB_ENCODED_DATA	Links to a web page containing encoded data
tflags		WEB_ENCODED_DATA	net