# BRIAN HABERSTROH
#
# (Blue Star Media/Direct Diverse/DTN Management Group/Emperative Inc./
#  E360Insight/Gracie Media, Inc./Ice Water Media/Jonica Marketing/
#  Max Media, Inc./Mirato Media, LLC/News Bulletin Services, LLC/
#  PPPoX Pool/Prediction Media/Traffic Venture/Wright Computing)
#
#
# Prior to 5/11/2004:
# (Sendmails Corporation/Green Horse Corporation
#  Ian Schrager Hotels LLC/JumpDNS/Named Services)
#
# 6/10/2004:
# Have hooked up with old ally Jonica Marketing, which
# had an independent existence at one point.  However,
# I am treating Jonica domains and netblocks as owned by/
# operated by Haberstroh from here on.
#
# 6/12/2004:
# Seriously hooked up with old ally Meditay, but Meditay
# appears to still have an independent existence as well.
# As such, Meditay IPs are not listed here, but in Meditay's
# own recipe.  However, pattern matches should pick up Atriks
# spam sent from Meditay IPs and referencing Meditay-registered
# domains.  (Chances are Haberstroh is having Meditay and,
# Jonica register domains for him instead of doing it under
# his own business name.)  :/
#
# Current Patterns
#
# Updated and verified 10/30/05
#
# Check FIRSTEXHELO and FIRSTEXHELOIP -- useful for Atriks,
# although not for many other spammers.
#
# How the three scoring recipes below work: each one runs an external
# grep through the shell (the "* ?" condition form) to see whether the
# HELO, From: or Reply-To: domain appears -- case-insensitively and as a
# whole line (-i -x) -- in the file named by ${TESTDOMAINS}.  On a hit the
# nested recipe adds one to LOCALSCORE using procmail scoring: the empty
# regexp in "${LOCALSCORE}^0" always matches and contributes the current
# value, "1^0" contributes one, and "$=" holds the resulting total.  When
# all three domains hit (LOCALSCORE contains "3"), LT3 is set and the
# C3R log line is handed to loglevel.rc.
#
# NOTE(review): the domain values are interpolated into a shell command
# line.  They are double-quoted, so no word splitting or globbing, but
# grep reads them as a basic regular expression rather than a fixed
# string (no -F), and ${TESTDOMAINS} is unquoted.  Where these variables
# are extracted and which characters they may contain is decided
# elsewhere in the config -- confirm before relying on this.  The
# "! ... ?? ^example\.com$" guards skip the lookup when the domain is
# literally example.com; presumably that is a sentinel assigned elsewhere
# when no domain could be extracted -- confirm.
#

LOCALSCORE=0

# +1 if the first external HELO domain is in the test-domain list.
:0
* ! FIRSTEXHELODOMAIN ?? ^example\.com$
* ? ${GREP} -i -x "${FIRSTEXHELODOMAIN}" ${TESTDOMAINS}
{
  :0
  * $ ${LOCALSCORE}^0
  * 1^0
  { LOCALSCORE=$= }
}

# +1 if the From: domain is in the test-domain list.
:0
* ! FROMDOMAIN ?? ^example\.com$
* ? ${GREP} -i -x "${FROMDOMAIN}" ${TESTDOMAINS}
{
  :0
  * $ ${LOCALSCORE}^0
  * 1^0
  { LOCALSCORE=$= }
}

# +1 if the Reply-To: domain is in the test-domain list.
:0
* ! REPLYTODOMAIN ?? ^example\.com$
* ? ${GREP} -i -x "${REPLYTODOMAIN}" ${TESTDOMAINS}
{
  :0
  * $ ${LOCALSCORE}^0
  * 1^0
  { LOCALSCORE=$= }
}

# All three hit: flag it.  (The score can only be 0..3, so matching the
# regexp "3" against the variable is an exact test here.)
:0
* LOCALSCORE ?? 3
{
  LT3=yes
  SBLOG="C3R-${TESTNAME} (HELO/From/Reply-To domains)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# Prior to early May 2005, Atriks rotated its X-Mailer lines constantly.
# Currently it is using new X-Mailer lines, but doesn't appear to be
# rotating them as frequently as it used to.  That makes a useful string
# to search for.
#
# The alternation below is one regexp continued across lines with a
# trailing backslash.  Procmail matches case-insensitively unless the D
# flag is given, so [0-9a-z] also covers upper case.  The closing
# ([^0-9a-z]|$) requires the mailer name to end at a non-alphanumeric
# character or at end of line, so a short name such as "xtreme" does not
# fire on a longer word that merely starts with it.
:0
* ^X-Mailer:( )*(2WinCash Retailer|\
    Aloha Mailer V\.35|\
    BlueSkyEsmtp \(Ver 6\.1\.4\)|\
    DTAMKTPL ESMTP SERVER 6|\
    eIns Mail Version 1\.1|\
    Email-M Version 2\.1|\
    EmailMMM Version 2\.2|\
    fortyp|\
    mail pro|\
    MMI Version 2\.0|\
    MT Mailer \(Ver\. 5\.0\)|\
    MyWave ESMTP 2\.3\.1|\
    NBS mAileR V2\.3|\
    N\.B\.S\. V3\.3|\
    NFL blast|\
    Pro Mailer V1\.4|\
    rapid mail x files v7|\
    SMTP Server Version 5\.0|\
    super duper v99\.9|\
    vmail Version 5\.0|\
    xmail v9\.1|\
    xmail zebra 2\.0|\
    x-mailer[0-9a-z][0-9a-z]|\
    xtreme|\
    xz mailer)([^0-9a-z]|$)
{
  LT3=yes
  SBLOG="C3R-${TESTNAME} (Pattern Match: X-Mailer)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# The Atriks software creates a highly noticeable header pattern which can be
# determined by a pattern match.  These recipes do that.
#
# Reading the conditions: "* $" makes procmail expand the ${...} reference
# before matching, and "VAR ?? regexp" matches against the contents of the
# variable rather than the message.  An interpolated domain is used as an
# unanchored regexp, so dots match any character and a substring match
# counts -- these are "contains" checks, not exact comparisons.  The
# negated Received: condition holds when no further "Received: from" line
# follows the one naming ${FIRSTEXIP}, i.e. the first external host looks
# like the originating hop (and ${FIRSTEXIP} is likewise interpolated
# unescaped, so its dots are wildcards).  FIRSTEXDOMAIN, FIRSTEXHELODOMAIN,
# FIRSTEXIP, MAILFROMDOMAIN, REPLYTODOMAIN, ERRORDOMAIN and TESTNAME are
# all assigned elsewhere in the config (not visible in this file).

# Headers #1: HELO domain agrees with the From: domain but the first
# external domain does not, plus the fixed set of headers listed
# (Importance: High and Sensitivity: Confidential as exact values).
:0
* $ ! FIRSTEXDOMAIN ?? ${FROMDOMAIN}
* $ FIRSTEXHELODOMAIN ?? ${FROMDOMAIN}
* ^Errors-To:
* ^Reply-By:
* ^Importance: High$
* ^Sensitivity: Confidential$
* ^X-Message-Flag:
* ^Reply-To:
{
  LT3=yes
  SBLOG="C3R-${TESTNAME} (Pattern Match: Headers #1)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# Headers #2: HELO domain agrees with both From: and Reply-To:, the
# external host is the last Received: hop, and both Errors-to: and
# Message-ID: contain the HELO domain (preceded by a non-alphanumeric).
# Sensitivity: and Importance: need only be present, any value.
:0
* $ ! FIRSTEXDOMAIN ?? ${FROMDOMAIN}
* $ FIRSTEXHELODOMAIN ?? ${FROMDOMAIN}
* $ FIRSTEXHELODOMAIN ?? ${REPLYTODOMAIN}
* $ ! ^Received: from[^0-9a-z].*[^0-9a-z]${FIRSTEXIP}(.*$)+Received: from[^0-9a-z]
* $ ^Errors-to:.*[^0-9a-z]${FIRSTEXHELODOMAIN}
* $ ^Message-ID:.*[^0-9a-z]${FIRSTEXHELODOMAIN}
* ^Sensitivity:
* ^Importance:
{
  LT3=yes
  SBLOG="C3R-${TESTNAME} (Pattern Match: Headers #2)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# Headers #3: neither the first external domain nor the HELO domain
# agrees with From:, but the envelope sender domain agrees with From:,
# Reply-To: and the Errors-To: domain and appears in the Message-ID:.
# Same last-hop requirement as #2.
:0
* $ ! FIRSTEXDOMAIN ?? ${FROMDOMAIN}
* $ ! FIRSTEXHELODOMAIN ?? ${FROMDOMAIN}
* $ MAILFROMDOMAIN ?? ${FROMDOMAIN}
* $ MAILFROMDOMAIN ?? ${REPLYTODOMAIN}
* $ MAILFROMDOMAIN ?? ${ERRORDOMAIN}
* $ ! ^Received: from[^0-9a-z].*[^0-9a-z]${FIRSTEXIP}(.*$)+Received: from[^0-9a-z]
* $ ^Message-ID:.*[^0-9a-z]${MAILFROMDOMAIN}
* ^Sensitivity:
* ^Importance:
{
  LT3=yes
  SBLOG="C3R-${TESTNAME} (Pattern Match: Headers #3)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# Headers #4: like #3 but the HELO domain DOES agree with From:, and the
# Sensitivity:, Importance: and X-Message-flag: values are pinned to the
# exact strings seen in this variant.
:0
* $ ! FIRSTEXDOMAIN ?? ${FROMDOMAIN}
* $ FIRSTEXHELODOMAIN ?? ${FROMDOMAIN}
* $ MAILFROMDOMAIN ?? ${FROMDOMAIN}
* $ MAILFROMDOMAIN ?? ${REPLYTODOMAIN}
* $ MAILFROMDOMAIN ?? ${ERRORDOMAIN}
* $ ! ^Received: from[^0-9a-z].*[^0-9a-z]${FIRSTEXIP}(.*$)+Received: from[^0-9a-z]
* $ ^Message-ID:.*[^0-9a-z]${MAILFROMDOMAIN}
* ^Sensitivity: Personal$
* ^Importance: Normal$
* ^X-Message-flag: For Your Information$
{
  LT3=yes
  SBLOG="C3R-${TESTNAME} (Pattern Match: Headers #4)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
}