git.proxmox.com Git - proxmox-spamassassin.git/blame - sa-updates/72_active.cf
bump version to 4.0.1-1
Commit Line Data
b780ea8d
SI
1# SpamAssassin rules file
2#
3# Please don't modify this file as your changes will be overwritten with
4# the next update. Use /etc/mail/spamassassin/local.cf instead.
5# See 'perldoc Mail::SpamAssassin::Conf' for details.
6#
7# <@LICENSE>
8# Licensed to the Apache Software Foundation (ASF) under one or more
9# contributor license agreements. See the NOTICE file distributed with
10# this work for additional information regarding copyright ownership.
11# The ASF licenses this file to you under the Apache License, Version 2.0
12# (the "License"); you may not use this file except in compliance with
13# the License. You may obtain a copy of the License at:
14#
15# http://www.apache.org/licenses/LICENSE-2.0
16#
17# Unless required by applicable law or agreed to in writing, software
18# distributed under the License is distributed on an "AS IS" BASIS,
19# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20# See the License for the specific language governing permissions and
21# limitations under the License.
22# </@LICENSE>
23#
24###########################################################################
25
54c714b2 26require_version 4.000001
21dcadbf
SI
27
28##{ ACCT_PHISHING_MANY
29
30meta ACCT_PHISHING_MANY (__ACCT_PHISH_MANY || __EMAIL_PHISH_MANY) && !GOOGLE_DOCS_PHISH_MANY && !GOOG_STO_HTML_PHISH_MANY
31describe ACCT_PHISHING_MANY Phishing for account information
32#score ACCT_PHISHING_MANY 3.000 # limit
33##} ACCT_PHISHING_MANY
b780ea8d 34
b780ea8d
SI
35##{ AC_BR_BONANZA
36
37rawbody AC_BR_BONANZA /(?:<br>\s*){30}/i
38describe AC_BR_BONANZA Too many newlines in a row... spammy template
39#score AC_BR_BONANZA 0.001
40tflags AC_BR_BONANZA publish
41##} AC_BR_BONANZA
42
43##{ AC_DIV_BONANZA
44
45rawbody AC_DIV_BONANZA /(?:<div>(?:\s*<\/div>)?\s*){10}/i
46describe AC_DIV_BONANZA Too many divs in a row... spammy template
47#score AC_DIV_BONANZA 0.001
48tflags AC_DIV_BONANZA publish
49##} AC_DIV_BONANZA
50
51##{ AC_FROM_MANY_DOTS
52
53meta AC_FROM_MANY_DOTS __AC_FROM_MANY_DOTS_MINFP
151f49fd 54#score AC_FROM_MANY_DOTS 2.500 # limit
b780ea8d
SI
55describe AC_FROM_MANY_DOTS Multiple periods in From user name
56tflags AC_FROM_MANY_DOTS publish
57##} AC_FROM_MANY_DOTS
58
59##{ AC_HTML_NONSENSE_TAGS
60
61rawbody AC_HTML_NONSENSE_TAGS /(?:<[A-Za-z0-9]{4,}>\s*){10}/
62describe AC_HTML_NONSENSE_TAGS Many consecutive multi-letter HTML tags, likely nonsense/spam
63#score AC_HTML_NONSENSE_TAGS 2.0
64tflags AC_HTML_NONSENSE_TAGS publish
65##} AC_HTML_NONSENSE_TAGS
66
67##{ AC_POST_EXTRAS
68
69meta AC_POST_EXTRAS __AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_ID
70describe AC_POST_EXTRAS Suspicious URL
71#score AC_POST_EXTRAS 2.500 # limit
72tflags AC_POST_EXTRAS publish
73##} AC_POST_EXTRAS
74
75##{ AC_SPAMMY_URI_PATTERNS1
76
77meta AC_SPAMMY_URI_PATTERNS1 (__AC_OUTL_URI && __AC_OUTI_URI)
78describe AC_SPAMMY_URI_PATTERNS1 link combos match highly spammy template
79#score AC_SPAMMY_URI_PATTERNS1 4.0
80tflags AC_SPAMMY_URI_PATTERNS1 publish
81##} AC_SPAMMY_URI_PATTERNS1
82
83##{ AC_SPAMMY_URI_PATTERNS10
84
85meta AC_SPAMMY_URI_PATTERNS10 __AC_PUNCTNUMS_URI
86describe AC_SPAMMY_URI_PATTERNS10 link combos match highly spammy template
87#score AC_SPAMMY_URI_PATTERNS10 4.0
88tflags AC_SPAMMY_URI_PATTERNS10 publish
89##} AC_SPAMMY_URI_PATTERNS10
90
91##{ AC_SPAMMY_URI_PATTERNS11
92
93meta AC_SPAMMY_URI_PATTERNS11 __AC_NDOMLONGNASPX_URI
94describe AC_SPAMMY_URI_PATTERNS11 link combos match highly spammy template
95#score AC_SPAMMY_URI_PATTERNS11 4.0
96tflags AC_SPAMMY_URI_PATTERNS11 publish
97##} AC_SPAMMY_URI_PATTERNS11
98
99##{ AC_SPAMMY_URI_PATTERNS12
100
101meta AC_SPAMMY_URI_PATTERNS12 (__AC_CHDSEQ_URI && __AC_MHDSEQ_URI && __AC_UHDSEQ_URI)
102describe AC_SPAMMY_URI_PATTERNS12 link combos match highly spammy template
103#score AC_SPAMMY_URI_PATTERNS12 4.0
104tflags AC_SPAMMY_URI_PATTERNS12 publish
105##} AC_SPAMMY_URI_PATTERNS12
106
107##{ AC_SPAMMY_URI_PATTERNS2
108
109meta AC_SPAMMY_URI_PATTERNS2 (__AC_LAND_URI && __AC_UNSUB_URI && __AC_REPORT_URI)
110describe AC_SPAMMY_URI_PATTERNS2 link combos match highly spammy template
111#score AC_SPAMMY_URI_PATTERNS2 4.0
112tflags AC_SPAMMY_URI_PATTERNS2 publish
113##} AC_SPAMMY_URI_PATTERNS2
114
115##{ AC_SPAMMY_URI_PATTERNS3
116
117meta AC_SPAMMY_URI_PATTERNS3 (__AC_PHPOFFTOP_URI && __AC_PHPOFFSUB_URI)
118describe AC_SPAMMY_URI_PATTERNS3 link combos match highly spammy template
119#score AC_SPAMMY_URI_PATTERNS3 4.0
120tflags AC_SPAMMY_URI_PATTERNS3 publish
121##} AC_SPAMMY_URI_PATTERNS3
122
123##{ AC_SPAMMY_URI_PATTERNS4
124
125meta AC_SPAMMY_URI_PATTERNS4 __AC_NUMS_URI
126describe AC_SPAMMY_URI_PATTERNS4 link combos match highly spammy template
127#score AC_SPAMMY_URI_PATTERNS4 4.0
128tflags AC_SPAMMY_URI_PATTERNS4 publish
129##} AC_SPAMMY_URI_PATTERNS4
130
131##{ AC_SPAMMY_URI_PATTERNS8
132
133meta AC_SPAMMY_URI_PATTERNS8 __AC_LONGSEQ_URI
134describe AC_SPAMMY_URI_PATTERNS8 link combos match highly spammy template
135#score AC_SPAMMY_URI_PATTERNS8 4.0
136tflags AC_SPAMMY_URI_PATTERNS8 publish
137##} AC_SPAMMY_URI_PATTERNS8
138
139##{ AC_SPAMMY_URI_PATTERNS9
140
141meta AC_SPAMMY_URI_PATTERNS9 (__AC_1SEQC_URI && (__AC_1SEQV_URI || __AC_RMOVE_URI))
142describe AC_SPAMMY_URI_PATTERNS9 link combos match highly spammy template
143#score AC_SPAMMY_URI_PATTERNS9 4.0
144tflags AC_SPAMMY_URI_PATTERNS9 publish
145##} AC_SPAMMY_URI_PATTERNS9
146
147##{ ADMAIL
148
149meta ADMAIL __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS
150describe ADMAIL "admail" and variants
151tflags ADMAIL publish
152##} ADMAIL
153
154##{ ADMITS_SPAM
155
156meta ADMITS_SPAM __ADMITS_SPAM && !__FROM_LOWER && !__MSGID_JAVAMAIL && !__HAS_CAMPAIGNID && !__STY_INVIS_2 && !__LYRIS_EZLM_REMAILER && !__RCD_RDNS_OB
157describe ADMITS_SPAM Admits this is an ad
158tflags ADMITS_SPAM publish
159##} ADMITS_SPAM
160
46cfc9e2
SI
161##{ ADULT_DATING_COMPANY
162
163meta ADULT_DATING_COMPANY __ADULTDATINGCOMPANY_BODY || __ADULTDATINGCOMPANY_FROM || __ADULTDATINGCOMPANY_REPTO
164#score ADULT_DATING_COMPANY 10.000 # limit
165tflags ADULT_DATING_COMPANY publish
166##} ADULT_DATING_COMPANY
167
b780ea8d
SI
168##{ ADVANCE_FEE_2_NEW_FORM
169
170meta ADVANCE_FEE_2_NEW_FORM (__ADVANCE_FEE_2_NEW_FORM && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__FROM_LOWER && !__HAS_X_LOOP
171describe ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form
172#score ADVANCE_FEE_2_NEW_FORM 2.000 # limit
173tflags ADVANCE_FEE_2_NEW_FORM publish
174##} ADVANCE_FEE_2_NEW_FORM
175
176##{ ADVANCE_FEE_2_NEW_FRM_MNY
177
178meta ADVANCE_FEE_2_NEW_FRM_MNY (__ADVANCE_FEE_2_NEW_FRM_MNY && !__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP
179describe ADVANCE_FEE_2_NEW_FRM_MNY Advance Fee fraud form and lots of money
180#score ADVANCE_FEE_2_NEW_FRM_MNY 2.500
181tflags ADVANCE_FEE_2_NEW_FRM_MNY publish
182##} ADVANCE_FEE_2_NEW_FRM_MNY
183
184##{ ADVANCE_FEE_2_NEW_MONEY
185
186meta ADVANCE_FEE_2_NEW_MONEY (__ADVANCE_FEE_2_NEW_MONEY && !__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
187describe ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
188#score ADVANCE_FEE_2_NEW_MONEY 2.000 # limit
189tflags ADVANCE_FEE_2_NEW_MONEY publish
190##} ADVANCE_FEE_2_NEW_MONEY
191
192##{ ADVANCE_FEE_3_NEW
193
194meta ADVANCE_FEE_3_NEW (__ADVANCE_FEE_3_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_4_NEW && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__HAS_SENDER && !__HAS_X_LOOP && !__TO_YOUR_ORG && !__BUGGED_IMG
195describe ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419)
196#score ADVANCE_FEE_3_NEW 3.5 # limit
197tflags ADVANCE_FEE_3_NEW publish
198##} ADVANCE_FEE_3_NEW
199
200##{ ADVANCE_FEE_3_NEW_FORM
201
202meta ADVANCE_FEE_3_NEW_FORM (__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__THREADED && !__HAS_SENDER && !__FROM_LOWER && !__HAS_X_LOOP
203describe ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form
204tflags ADVANCE_FEE_3_NEW_FORM publish
205##} ADVANCE_FEE_3_NEW_FORM
206
207##{ ADVANCE_FEE_3_NEW_FRM_MNY
208
209meta ADVANCE_FEE_3_NEW_FRM_MNY (__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP
210describe ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money
211tflags ADVANCE_FEE_3_NEW_FRM_MNY publish
212##} ADVANCE_FEE_3_NEW_FRM_MNY
213
214##{ ADVANCE_FEE_3_NEW_MONEY
215
216meta ADVANCE_FEE_3_NEW_MONEY (__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
217describe ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
218tflags ADVANCE_FEE_3_NEW_MONEY publish
219##} ADVANCE_FEE_3_NEW_MONEY
220
221##{ ADVANCE_FEE_4_NEW
222
223meta ADVANCE_FEE_4_NEW (__ADVANCE_FEE_4_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__HAS_ERRORS_TO && !__HAS_X_LOOP && !__BUGGED_IMG
224describe ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419)
225tflags ADVANCE_FEE_4_NEW publish
226##} ADVANCE_FEE_4_NEW
227
228##{ ADVANCE_FEE_4_NEW_FORM
229
230meta ADVANCE_FEE_4_NEW_FORM (__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM)
231describe ADVANCE_FEE_4_NEW_FORM Advance Fee fraud and a form
232tflags ADVANCE_FEE_4_NEW_FORM publish
233##} ADVANCE_FEE_4_NEW_FORM
234
235##{ ADVANCE_FEE_4_NEW_FRM_MNY
236
237meta ADVANCE_FEE_4_NEW_FRM_MNY (__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY)
238describe ADVANCE_FEE_4_NEW_FRM_MNY Advance Fee fraud form and lots of money
239tflags ADVANCE_FEE_4_NEW_FRM_MNY publish
240##} ADVANCE_FEE_4_NEW_FRM_MNY
241
242##{ ADVANCE_FEE_4_NEW_MONEY
243
244meta ADVANCE_FEE_4_NEW_MONEY (__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
245describe ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money
246tflags ADVANCE_FEE_4_NEW_MONEY publish
247##} ADVANCE_FEE_4_NEW_MONEY
248
249##{ ADVANCE_FEE_5_NEW
250
251meta ADVANCE_FEE_5_NEW (__ADVANCE_FEE_5_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY) && !__BUGGED_IMG
252describe ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419)
253tflags ADVANCE_FEE_5_NEW publish
254##} ADVANCE_FEE_5_NEW
255
256##{ ADVANCE_FEE_5_NEW_FORM
257
258meta ADVANCE_FEE_5_NEW_FORM __ADVANCE_FEE_5_NEW_FORM
259describe ADVANCE_FEE_5_NEW_FORM Advance Fee fraud and a form
260tflags ADVANCE_FEE_5_NEW_FORM publish
261##} ADVANCE_FEE_5_NEW_FORM
262
263##{ ADVANCE_FEE_5_NEW_FRM_MNY
264
265meta ADVANCE_FEE_5_NEW_FRM_MNY __ADVANCE_FEE_5_NEW_FRM_MNY
266describe ADVANCE_FEE_5_NEW_FRM_MNY Advance Fee fraud form and lots of money
267tflags ADVANCE_FEE_5_NEW_FRM_MNY publish
268##} ADVANCE_FEE_5_NEW_FRM_MNY
269
270##{ ADVANCE_FEE_5_NEW_MONEY
271
272meta ADVANCE_FEE_5_NEW_MONEY __ADVANCE_FEE_5_NEW_MONEY && !__BOUNCE_CTYPE && !__BUGGED_IMG
273describe ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money
274tflags ADVANCE_FEE_5_NEW_MONEY publish
275##} ADVANCE_FEE_5_NEW_MONEY
276
277##{ AD_PREFS
278
279body AD_PREFS /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i
280describe AD_PREFS Advertising preferences
281#score AD_PREFS 0.500 # limit
282tflags AD_PREFS publish
283##} AD_PREFS
284
285##{ ALIBABA_IMG_NOT_RCVD_ALI
286
287meta ALIBABA_IMG_NOT_RCVD_ALI __ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASE
288#score ALIBABA_IMG_NOT_RCVD_ALI 2.500 # limit
289describe ALIBABA_IMG_NOT_RCVD_ALI Alibaba hosted image but message not from Alibaba
290tflags ALIBABA_IMG_NOT_RCVD_ALI publish
291##} ALIBABA_IMG_NOT_RCVD_ALI
292
293##{ AMAZON_IMG_NOT_RCVD_AMZN
294
46cfc9e2 295meta AMAZON_IMG_NOT_RCVD_AMZN __AMAZON_IMG_NOT_RCVD_AMZN && !__HDR_RCVD_KEEPA && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST && !__URI_PRODUCT_AMAZON && !__HAS_ERRORS_TO
b780ea8d
SI
296#score AMAZON_IMG_NOT_RCVD_AMZN 2.500 # limit
297describe AMAZON_IMG_NOT_RCVD_AMZN Amazon hosted image but message not from Amazon
298tflags AMAZON_IMG_NOT_RCVD_AMZN publish
299##} AMAZON_IMG_NOT_RCVD_AMZN
300
301##{ APOSTROPHE_FROM
302
303header APOSTROPHE_FROM From:addr =~ /'/
304describe APOSTROPHE_FROM From address contains an apostrophe
305##} APOSTROPHE_FROM
306
307##{ APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
308
309if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
310 meta APP_DEVELOPMENT_FREEM __APP_DEVELOPMENT_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
311 describe APP_DEVELOPMENT_FREEM App development pitch, freemail or CHN replyto
312# score APP_DEVELOPMENT_FREEM 3.500 # limit
313 tflags APP_DEVELOPMENT_FREEM publish
314endif
315##} APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
316
317##{ APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
318
319if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
320 meta APP_DEVELOPMENT_NORDNS __APP_DEVELOPMENT && __RDNS_NONE
321 describe APP_DEVELOPMENT_NORDNS App development pitch, no rDNS
322# score APP_DEVELOPMENT_NORDNS 2.000 # limit
323 tflags APP_DEVELOPMENT_NORDNS publish
324endif
325##} APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
326
327##{ AXB_XMAILER_MIMEOLE_OL_024C2
328
329meta AXB_XMAILER_MIMEOLE_OL_024C2 (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2)
330describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait
331##} AXB_XMAILER_MIMEOLE_OL_024C2
332
b780ea8d
SI
333##{ BANKING_LAWS
334
335body BANKING_LAWS /banking laws/i
336describe BANKING_LAWS Talks about banking laws
337##} BANKING_LAWS
338
339##{ BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
340
341ifplugin Mail::SpamAssassin::Plugin::MIMEEval
342body BASE64_LENGTH_78_79 eval:check_base64_length('78','79')
343endif
344##} BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
345
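346##{ BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval
347
348ifplugin Mail::SpamAssassin::Plugin::MIMEEval
# The "78 or 79 characters" text documents the ('78','79') check, i.e. rule
# BASE64_LENGTH_78_79, which has no describe of its own in this file. It was
# attached to BASE64_LENGTH_79_INF, where the second describe below for the
# same rule name supersedes it, so the text was never shown for either rule.
# Re-targeted here to the rule it documents; BASE64_LENGTH_79_INF keeps the
# description it already ended up with.
# This file is regenerated on rule updates (see the header), so the same
# describe line has to be carried in local.cf, or fixed upstream, to persist.
349describe BASE64_LENGTH_78_79 base64 encoded email part uses line length of 78 or 79 characters
# Single-argument form of the MIMEEval length check, starting at 79.
350body BASE64_LENGTH_79_INF eval:check_base64_length('79')
351describe BASE64_LENGTH_79_INF base64 encoded email part uses line length greater than 79 characters
352endif
353##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval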
354
31955ede
SI
355##{ BEBEE_IMG_NOT_RCVD_BB
356
357meta BEBEE_IMG_NOT_RCVD_BB __BEBEE_IMG_NOT_RCVD_BB
358#score BEBEE_IMG_NOT_RCVD_BB 2.000 # limit
359describe BEBEE_IMG_NOT_RCVD_BB Bebee hosted image but message not from Bebee
360tflags BEBEE_IMG_NOT_RCVD_BB publish
361##} BEBEE_IMG_NOT_RCVD_BB
362
b780ea8d
SI
363##{ BIGNUM_EMAILS_FREEM
364
365meta BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS_FREEM
366describe BIGNUM_EMAILS_FREEM Lots of email addresses/leads, free email account
367#score BIGNUM_EMAILS_FREEM 3.00 # limit
368tflags BIGNUM_EMAILS_FREEM publish
369##} BIGNUM_EMAILS_FREEM
370
371##{ BIGNUM_EMAILS_MANY
372
373meta BIGNUM_EMAILS_MANY __BIGNUM_EMAILS_3 && !__HAS_ERRORS_TO && !__HAS_CAMPAIGNID && !__DATE_LOWER
374describe BIGNUM_EMAILS_MANY Lots of email addresses/leads, over and over
375#score BIGNUM_EMAILS_MANY 3.00 # limit
376tflags BIGNUM_EMAILS_MANY publish
377##} BIGNUM_EMAILS_MANY
378
54c714b2
SI
379##{ BILLION_OVERLAP
380
# Compensation rule: fires when BILLION_DOLLARS and T_US_DOLLARS_3 together
# total at least 2, which in the usual one-hit-per-rule case means both hit.
# The commented score is negative, so per the describe text this offsets
# double counting of two similar rules rather than marking mail as legitimate.
# NOTE(review): the effective score is not set in this file; confirm that a
# negative value is actually applied wherever scores are defined.
381meta BILLION_OVERLAP (BILLION_DOLLARS + T_US_DOLLARS_3 >= 2)
382#score BILLION_OVERLAP -1.0
383describe BILLION_OVERLAP Reducing score for overlap of similar rules
384##} BILLION_OVERLAP
385
b780ea8d
SI
386##{ BITCOIN_BOMB
387
388meta BITCOIN_BOMB __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01
389describe BITCOIN_BOMB BitCoin + bomb
390#score BITCOIN_BOMB 3.000 # limit
391tflags BITCOIN_BOMB publish
392##} BITCOIN_BOMB
393
394##{ BITCOIN_DEADLINE
395
396meta BITCOIN_DEADLINE __BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01
397describe BITCOIN_DEADLINE BitCoin with a deadline
398#score BITCOIN_DEADLINE 3.000 # limit
399tflags BITCOIN_DEADLINE publish
400##} BITCOIN_DEADLINE
401
402##{ BITCOIN_EXTORT_01
403
404meta BITCOIN_EXTORT_01 (__BITCOIN_ID && __EXTORT_MANY) && !( __FROM_FULL_NAME && __SENDER_BOT && __SINGLE_WORD_LINE && __MIME_HTML && __PHPMAILER_MUA )
405describe BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin
406#score BITCOIN_EXTORT_01 5.000 # limit
407tflags BITCOIN_EXTORT_01 publish
408##} BITCOIN_EXTORT_01
409
410##{ BITCOIN_EXTORT_02
411
412meta BITCOIN_EXTORT_02 __OBFU_BITCOIN_NOID && __EXTORT_MANY
413describe BITCOIN_EXTORT_02 Extortion spam, pay via BitCoin
414#score BITCOIN_EXTORT_02 5.000 # limit
415tflags BITCOIN_EXTORT_02 publish
416##} BITCOIN_EXTORT_02
417
418##{ BITCOIN_IMGUR
419
420meta BITCOIN_IMGUR __BITCOIN_IMGUR
421describe BITCOIN_IMGUR Bitcoin + hosted image
422#score BITCOIN_IMGUR 3.500 # limit
423tflags BITCOIN_IMGUR publish
424##} BITCOIN_IMGUR
425
b780ea8d
SI
426##{ BITCOIN_MALWARE
427
428meta BITCOIN_MALWARE __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED
429describe BITCOIN_MALWARE BitCoin + malware bragging
430#score BITCOIN_MALWARE 3.500 # limit
431tflags BITCOIN_MALWARE publish
432##} BITCOIN_MALWARE
433
434##{ BITCOIN_OBFU_SUBJ
435
436meta BITCOIN_OBFU_SUBJ __BITCOIN_OBFU_SUBJ && !__128_ALNUM_URI
437describe BITCOIN_OBFU_SUBJ Bitcoin + obfuscated subject
438#score BITCOIN_OBFU_SUBJ 3.500 # limit
439tflags BITCOIN_OBFU_SUBJ publish
440##} BITCOIN_OBFU_SUBJ
441
442##{ BITCOIN_ONAN
443
444meta BITCOIN_ONAN __BITCOIN_ID && __YOUR_ONAN && __KHOP_NO_FULL_NAME && !BITCOIN_EXTORT_01
445describe BITCOIN_ONAN BitCoin + [censored]
446#score BITCOIN_ONAN 3.000 # limit
447tflags BITCOIN_ONAN publish
448##} BITCOIN_ONAN
449
450##{ BITCOIN_PAY_ME
451
452meta BITCOIN_PAY_ME __BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01
453describe BITCOIN_PAY_ME Pay me via BitCoin
454#score BITCOIN_PAY_ME 3.000 # limit
455tflags BITCOIN_PAY_ME publish
456##} BITCOIN_PAY_ME
457
458##{ BITCOIN_SPAM_01
459
460meta BITCOIN_SPAM_01 __BITCOIN_ID && HTML_MIME_NO_HTML_TAG
461describe BITCOIN_SPAM_01 BitCoin spam pattern 01
462#score BITCOIN_SPAM_01 2.500 # limit
463tflags BITCOIN_SPAM_01 publish
464##} BITCOIN_SPAM_01
465
466##{ BITCOIN_SPAM_02
467
468meta BITCOIN_SPAM_02 __BITCOIN_SPAM_02 && !__URL_BTC_ID
469describe BITCOIN_SPAM_02 BitCoin spam pattern 02
470#score BITCOIN_SPAM_02 2.500 # limit
471tflags BITCOIN_SPAM_02 publish
472##} BITCOIN_SPAM_02
473
474##{ BITCOIN_SPAM_03
475
476meta BITCOIN_SPAM_03 __BITCOIN_ID && __SINGLE_WORD_SUBJ
477describe BITCOIN_SPAM_03 BitCoin spam pattern 03
478#score BITCOIN_SPAM_03 2.500 # limit
479tflags BITCOIN_SPAM_03 publish
480##} BITCOIN_SPAM_03
481
482##{ BITCOIN_SPAM_04
483
484meta BITCOIN_SPAM_04 __BITCOIN_ID && __freemail_hdr_replyto
485describe BITCOIN_SPAM_04 BitCoin spam pattern 04
486#score BITCOIN_SPAM_04 1.500 # limit
487tflags BITCOIN_SPAM_04 publish
488##} BITCOIN_SPAM_04
489
490##{ BITCOIN_SPAM_05
491
492meta BITCOIN_SPAM_05 __BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TO
493describe BITCOIN_SPAM_05 BitCoin spam pattern 05
494#score BITCOIN_SPAM_05 2.500 # limit
495tflags BITCOIN_SPAM_05 net publish
496##} BITCOIN_SPAM_05
497
498##{ BITCOIN_SPAM_06
499
500meta BITCOIN_SPAM_06 __BITCOIN_ID && TVD_RCVD_SPACE_BRACKET
501describe BITCOIN_SPAM_06 BitCoin spam pattern 06
502#score BITCOIN_SPAM_06 1.500 # limit
503tflags BITCOIN_SPAM_06 publish
504##} BITCOIN_SPAM_06
505
506##{ BITCOIN_SPAM_07
507
508meta BITCOIN_SPAM_07 __BITCOIN_SPAM_07 && !__DKIM_EXISTS
509describe BITCOIN_SPAM_07 BitCoin spam pattern 07
510#score BITCOIN_SPAM_07 3.500 # limit
511tflags BITCOIN_SPAM_07 publish
512##} BITCOIN_SPAM_07
513
514##{ BITCOIN_SPAM_08
515
516meta BITCOIN_SPAM_08 __BITCOIN_ID && __TO_IN_SUBJ
517describe BITCOIN_SPAM_08 BitCoin spam pattern 08
518#score BITCOIN_SPAM_08 2.500 # limit
519tflags BITCOIN_SPAM_08 publish
520##} BITCOIN_SPAM_08
521
522##{ BITCOIN_SPAM_09
523
524meta BITCOIN_SPAM_09 __BITCOIN_ID && ( __DESTROY_ME || __DESTROY_YOU )
525describe BITCOIN_SPAM_09 BitCoin spam pattern 09
526#score BITCOIN_SPAM_09 1.500 # limit
527tflags BITCOIN_SPAM_09 publish
528##} BITCOIN_SPAM_09
529
530##{ BITCOIN_SPAM_10
531
532meta BITCOIN_SPAM_10 __BITCOIN_ID && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 )
533describe BITCOIN_SPAM_10 BitCoin spam pattern 10
534#score BITCOIN_SPAM_10 2.500 # limit
535tflags BITCOIN_SPAM_10 publish
536##} BITCOIN_SPAM_10
537
538##{ BITCOIN_SPAM_11
539
540meta BITCOIN_SPAM_11 __BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFU
541describe BITCOIN_SPAM_11 BitCoin spam pattern 11
542#score BITCOIN_SPAM_11 2.500 # limit
543tflags BITCOIN_SPAM_11 publish
544##} BITCOIN_SPAM_11
545
546##{ BITCOIN_SPAM_12
547
548meta BITCOIN_SPAM_12 __BITCOIN_ID && __BOGUS_MIME_HDR_MANY
549describe BITCOIN_SPAM_12 BitCoin spam pattern 12
550#score BITCOIN_SPAM_12 2.500 # limit
551tflags BITCOIN_SPAM_12 publish
552##} BITCOIN_SPAM_12
553
554##{ BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
555
# Only defined on SpamAssassin >= 3.4.1 with the AskDNS plugin loaded; on
# other installs the rule does not exist at all.
556if (version >= 3.004001)
557ifplugin Mail::SpamAssassin::Plugin::AskDNS
# Combines a Bitcoin identifier hit with a sender domain whose SPF policy is
# "+all". Such a policy authorises every sending host, so an SPF pass for
# that domain carries no authentication value.
# Both sub-rules are defined outside this file.
558meta BITCOIN_SPF_ONLYALL __PDS_SPF_ONLYALL && __BITCOIN_ID
# "net": depends on network (DNS) tests, so it cannot hit when those are
# disabled or the lookup fails.
559tflags BITCOIN_SPF_ONLYALL net publish
560describe BITCOIN_SPF_ONLYALL Bitcoin from a domain specifically set to pass +all SPF
561#score BITCOIN_SPF_ONLYALL 2.0 # limit
562endif
563endif
564##} BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
565
151f49fd
SI
566##{ BITCOIN_TOEQFM
567
568meta BITCOIN_TOEQFM __BITCOIN_TOEQFM
569describe BITCOIN_TOEQFM Bitcoin + To same as From
570#score BITCOIN_TOEQFM 3.500 # limit
571##} BITCOIN_TOEQFM
572
573##{ BITCOIN_VISTA
574
575meta BITCOIN_VISTA __BITCOIN && __VISTA_MSGID
576describe BITCOIN_VISTA Bitcoin + old MSFT msgid format
577#score BITCOIN_VISTA 3.500 # limit
578##} BITCOIN_VISTA
579
b780ea8d
SI
580##{ BITCOIN_WFH_01
581
582meta BITCOIN_WFH_01 __BITCOIN_WFH_01
583describe BITCOIN_WFH_01 Work-from-Home + bitcoin
584tflags BITCOIN_WFH_01 publish
585##} BITCOIN_WFH_01
586
587##{ BITCOIN_XPRIO
588
589meta BITCOIN_XPRIO __BITCOIN_XPRIO && !__ML1 && !__HAS_SENDER && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY
590describe BITCOIN_XPRIO Bitcoin + priority
591#score BITCOIN_XPRIO 2.500 # limit
592##} BITCOIN_XPRIO
593
594##{ BITCOIN_YOUR_INFO
595
596meta BITCOIN_YOUR_INFO __BITCOIN_ID && __YOUR_PERSONAL && !BITCOIN_EXTORT_01
597describe BITCOIN_YOUR_INFO BitCoin with your personal info
598#score BITCOIN_YOUR_INFO 3.000 # limit
599tflags BITCOIN_YOUR_INFO publish
600##} BITCOIN_YOUR_INFO
601
b780ea8d
SI
602##{ BODY_URI_ONLY
603
604meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV
605describe BODY_URI_ONLY Message body is only a URI in one line of text or for an image
606#score BODY_URI_ONLY 3.000 # limit
607tflags BODY_URI_ONLY publish
608##} BODY_URI_ONLY
609
610##{ BOGUS_MIME_VERSION
611
612meta BOGUS_MIME_VERSION __BOGUS_MIME_VER_02 || __MALF_MIME_VER
613#score BOGUS_MIME_VERSION 3.500 # limit
614describe BOGUS_MIME_VERSION Mime version header is bogus
615tflags BOGUS_MIME_VERSION publish
616##} BOGUS_MIME_VERSION
617
618##{ BOGUS_MSM_HDRS
619
620meta BOGUS_MSM_HDRS __BOGUS_MSM_HDRS
621describe BOGUS_MSM_HDRS Apparently bogus Microsoft email headers
622#score BOGUS_MSM_HDRS 3.000 # limit
623tflags BOGUS_MSM_HDRS publish
624##} BOGUS_MSM_HDRS
625
626##{ BOMB_FREEM
627
628meta BOMB_FREEM __EXPLOSIVE_DEVICE && __freemail_hdr_replyto
629describe BOMB_FREEM Bomb + freemail
630#score BOMB_FREEM 2.000 # limit
631tflags BOMB_FREEM publish
632##} BOMB_FREEM
633
634##{ BOMB_MONEY
635
636meta BOMB_MONEY __EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW || __ADVANCE_FEE_4_NEW || __ADVANCE_FEE_5_NEW )
637describe BOMB_MONEY Bomb + money: bomb threat?
638#score BOMB_MONEY 2.500 # limit
639tflags BOMB_MONEY publish
640##} BOMB_MONEY
641
642##{ BTC_ORG
643
644describe BTC_ORG Bitcoin wallet ID + unusual header
645#score BTC_ORG 2.500 # limit
646##} BTC_ORG
647
648##{ BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM)
649
650if !plugin(Mail::SpamAssassin::Plugin::DKIM)
651 meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST
652endif
653##} BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM)
654
655##{ BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM
656
# Variant used when the DKIM plugin is loaded: the same expression as the
# "if !plugin(...DKIM)" variant in this file, plus an exemption for
# messages that hit DKIM_SIGNED.
# NOTE(review): DKIM_SIGNED presumably reports that a signature is present,
# not that it verified. If so, this exemption is not evidence of an
# authentic sender; confirm against the DKIM plugin's rule definitions
# before treating it as one.
657ifplugin Mail::SpamAssassin::Plugin::DKIM
658 meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED
659endif
660##} BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM
661
b780ea8d
SI
662##{ BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
663
664if (version >= 3.004002)
665ifplugin Mail::SpamAssassin::Plugin::WLBLEval
666meta BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD
667tflags BULK_RE_SUSP_NTLD publish
668describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD
669#score BULK_RE_SUSP_NTLD 1.0 # limit
670endif
671endif
672##} BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
673
674##{ CANT_SEE_AD
675
676meta CANT_SEE_AD (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB
677describe CANT_SEE_AD You really want to see our spam.
678#score CANT_SEE_AD 2.500 # limit
679tflags CANT_SEE_AD publish
680##} CANT_SEE_AD
681
46cfc9e2
SI
682##{ CK_HELO_GENERIC
683
# Matches the X-Spam-Relays-Untrusted pseudo-header. The leading ^[^\]]+
# cannot cross a ']', so only the first bracketed relay entry is examined.
# Within it the helo= value must contain one of pool/dyna/lease/dial/dip/
# static and a digits, non-digits, digits sequence, and the entry must then
# reach " auth= " followed by a space.
# NOTE(review): "auth= " followed by a space presumably means an empty auth
# field, i.e. an unauthenticated relay; confirm against the relay format.
# The HELO name is supplied by the connecting client, so this is a heuristic
# signal only, which is consistent with the low commented score.
684header CK_HELO_GENERIC X-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?=\S*(?:pool|dyna|lease|dial|dip|static))\S*\d+[^\d\s]+\d+[^\]]+ auth= /i
685describe CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or Generic rPTR
686#score CK_HELO_GENERIC 0.25
687##} CK_HELO_GENERIC
688
b780ea8d
SI
689##{ CN_B2B_SPAMMER
690
691body CN_B2B_SPAMMER /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i
692describe CN_B2B_SPAMMER Chinese company introducing itself
693tflags CN_B2B_SPAMMER publish
694##} CN_B2B_SPAMMER
695
696##{ COMMENT_GIBBERISH
697
698meta COMMENT_GIBBERISH __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT
699describe COMMENT_GIBBERISH Nonsense in long HTML comment
700#score COMMENT_GIBBERISH 1.50 # limit
701tflags COMMENT_GIBBERISH publish
702##} COMMENT_GIBBERISH
703
fc5290a3
SI
704##{ COMPENSATION
705
706describe COMPENSATION "Compensation"
707#score COMPENSATION 1.50 # limit
708##} COMPENSATION
709
710##{ COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM)
711
712if !plugin(Mail::SpamAssassin::Plugin::DKIM)
713 meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD
714endif
715##} COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM)
716
717##{ COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM
718
719ifplugin Mail::SpamAssassin::Plugin::DKIM
720 meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__DKIM_DEPENDABLE
721endif
722##} COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM
723
b780ea8d
SI
724##{ CONTENT_AFTER_HTML
725
dfdd1e08
SI
726meta CONTENT_AFTER_HTML __CONTENT_AFTER_HTML && (__L_CTE_8BIT || __RDNS_NUMERIC_TLD || __HTML_TAG_BALANCE_CENTER || __STY_INVIS_MANY || __TO_EQ_FROM_USR || __TO_EQ_FROM_USR_2 || __KAM_HTML_FONT_INVALID || __SUBJECT_ENCODED_B64 )
727describe CONTENT_AFTER_HTML More content after HTML close tag + other spam signs
b780ea8d
SI
728#score CONTENT_AFTER_HTML 2.500 # limit
729tflags CONTENT_AFTER_HTML publish
730##} CONTENT_AFTER_HTML
731
dfdd1e08
SI
732##{ CONTENT_AFTER_HTML_WEAK
733
734meta CONTENT_AFTER_HTML_WEAK __CONTENT_AFTER_HTML && !CONTENT_AFTER_HTML && !__CT_TEXT_PLAIN && !__BOUNCE_FROM_DAEMON && !__MSGID_OK_HEX && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER && !MAILING_LIST_MULTI && !__HAS_CID && !__URI_DOTGOV
735describe CONTENT_AFTER_HTML_WEAK More content after HTML close tag
736#score CONTENT_AFTER_HTML_WEAK 1.500 # limit
737tflags CONTENT_AFTER_HTML_WEAK publish
738##} CONTENT_AFTER_HTML_WEAK
739
b780ea8d
SI
740##{ CORRUPT_FROM_LINE_IN_HDRS
741
742meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS)
743describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers
744tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish
745#score CORRUPT_FROM_LINE_IN_HDRS 0.001
746##} CORRUPT_FROM_LINE_IN_HDRS
747
748##{ CTE_8BIT_MISMATCH
749
750meta CTE_8BIT_MISMATCH (__CT_TEXT_PLAIN && (!__CTE || __L_CTE_7BIT) && __L_BODY_8BITS)
751describe CTE_8BIT_MISMATCH Header says 7bits but body disagrees
752#score CTE_8BIT_MISMATCH 1
753tflags CTE_8BIT_MISMATCH publish
754##} CTE_8BIT_MISMATCH
755
756##{ CTYPE_001C_A
757
758meta CTYPE_001C_A (0) # obsolete
759##} CTYPE_001C_A
760
761##{ CTYPE_001C_B
762
763header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
764##} CTYPE_001C_B
765
766##{ CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
767
768ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
769mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s
770describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc)
771endif
772##} CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
773
b780ea8d
SI
774##{ CURR_PRICE
775
776body CURR_PRICE /\bCurrent Price:/
777##} CURR_PRICE
778
779##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
780
781if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
782 meta DAY_I_EARNED __DAY_I_EARNED >= 3
783# score DAY_I_EARNED 3.000 # limit
784 describe DAY_I_EARNED Work-at-home spam
785 tflags DAY_I_EARNED publish
786endif
787##} DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
788
789##{ DEAR_BENEFICIARY
790
791body DEAR_BENEFICIARY /\b(?:De[ae]r\s|At+(?:ention|n):?\s?)(?:\S+\s)?Ben[ei]ficiary\b/i
792describe DEAR_BENEFICIARY Dear Beneficiary:
793##} DEAR_BENEFICIARY
794
54c714b2
SI
795##{ DEAR_NOBODY
796
797rawbody DEAR_NOBODY /^\s*Dear\b[^a-zA-Z]{1,70}\n/mi
798describe DEAR_NOBODY Message contains Dear but with no name
799##} DEAR_NOBODY
800
b780ea8d
SI
801##{ DEAR_WINNER
802
803body DEAR_WINNER /\bdear.{1,20}winner/i
804describe DEAR_WINNER Spam with generic salutation of "dear winner"
805##} DEAR_WINNER
806
807##{ DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS
808
809ifplugin Mail::SpamAssassin::Plugin::AskDNS
810meta DKIMWL_BL __DKIMWL_WL_BL
811tflags DKIMWL_BL net publish
812describe DKIMWL_BL DKIMwl.org - Blocked sender
813#score DKIMWL_BL 3.0 # limit
814endif
815##} DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS
816
817##{ DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS
818
# Operational signal, not a spam indicator: per the describe text it reports
# that this host's queries to DKIMWL.org are being blocked. The commented
# score is the near-zero 0.001, so a hit is visible in reports without
# changing the verdict.
# NOTE(review): while this rule hits, the other DKIMWL_* results for the
# same message are presumably unavailable rather than negative. Worth
# alerting on in mail logs so that a silent loss of the lookup is noticed.
819ifplugin Mail::SpamAssassin::Plugin::AskDNS
820meta DKIMWL_BLOCKED __DKIMWL_BLOCKED
821tflags DKIMWL_BLOCKED net publish
822describe DKIMWL_BLOCKED ADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
823#score DKIMWL_BLOCKED 0.001 # limit
824endif
825##} DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS
826
827##{ DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS
828
829ifplugin Mail::SpamAssassin::Plugin::AskDNS
830meta DKIMWL_WL_HIGH __DKIMWL_WL_HI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL || __DKIMWL_BULKMAIL)
831tflags DKIMWL_WL_HIGH net nice publish
832describe DKIMWL_WL_HIGH DKIMwl.org - High trust sender
833#score DKIMWL_WL_HIGH -3.0 # limit
834endif
835##} DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS
836
837##{ DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS
838
839ifplugin Mail::SpamAssassin::Plugin::AskDNS
840meta DKIMWL_WL_MED __DKIMWL_WL_MED && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL)
841tflags DKIMWL_WL_MED net nice publish
842describe DKIMWL_WL_MED DKIMwl.org - Medium trust sender
843#score DKIMWL_WL_MED -0.5 # limit
844endif
845##} DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS
846
847##{ DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS
848
849ifplugin Mail::SpamAssassin::Plugin::AskDNS
850meta DKIMWL_WL_MEDHI __DKIMWL_WL_MEDHI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL)
851tflags DKIMWL_WL_MEDHI net nice publish
852describe DKIMWL_WL_MEDHI DKIMwl.org - Medium-high trust sender
853#score DKIMWL_WL_MEDHI -1.0 # limit
854endif
855##} DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS
856
857##{ DOS_ANAL_SPAM_MAILER
858
# Fully anchored X-mailer fingerprint: one capital letter, six lowercase
# letters, a literal "e", a space, then a version of the form D.DD.
859header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/
860describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam
861tflags DOS_ANAL_SPAM_MAILER publish
862##} DOS_ANAL_SPAM_MAILER
863
864##{ DOS_DEREK_AUG08
865
# Conjunction of relay, URI, To-header, MIME and Message-ID sub-rules (all
# defined outside this excerpt). SPF_PASS is a required term: a passing SPF
# result is part of this spam fingerprint, not a trust signal.
866meta DOS_DEREK_AUG08 __DOS_SINGLE_EXT_RELAY && __DOS_HAS_ANY_URI && __NAKED_TO && __LAST_UNTRUSTED_RELAY_NO_AUTH && SPF_PASS && __TVD_MIME_ATT_TP && __CT_TEXT_PLAIN && (__DOS_MSGID_DIGITS9 || __DOS_MSGID_DIGITS10)
867##} DOS_DEREK_AUG08
868
869##{ DOS_FIX_MY_URI
870
# All five sub-rules must hit; none is defined in this excerpt.
871meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK
872describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam
873##} DOS_FIX_MY_URI
874
875##{ DOS_HIGH_BAT_TO_MX
876
# Combines a mail-client fingerprint (__THEBAT_MUA) with delivery straight to
# the MX, an unauthenticated last untrusted relay and high-bit characters.
877meta DOS_HIGH_BAT_TO_MX __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA
878describe DOS_HIGH_BAT_TO_MX The Bat! Direct to MX with High Bits
879##} DOS_HIGH_BAT_TO_MX
880
881##{ DOS_LET_GO_JOB
882
# Requires four separate phrase sub-rules to hit in the same message.
883meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME
884describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough!
885##} DOS_LET_GO_JOB
886
887##{ DOS_OE_TO_MX
888
# "Desktop mail client headers, yet delivered straight to the MX" family.
# DOS_OE_TO_MX and DOS_OE_TO_MX_IMAGE are mutually exclusive: the first is
# negated by the second, so a message with an image attachment only hits the
# _IMAGE variant.
889meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE
890describe DOS_OE_TO_MX Delivered direct to MX with OE headers
891##} DOS_OE_TO_MX
892
893##{ DOS_OE_TO_MX_IMAGE
894
895meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
896describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image
897##} DOS_OE_TO_MX_IMAGE
898
899##{ DOS_OUTLOOK_TO_MX
900
# Outlook counterpart; !__OE_MUA keeps it from overlapping the OE rules above.
# T_DOS_OUTLOOK_TO_MX_IMAGE is not defined in this excerpt -- NOTE(review):
# confirm it exists in the active rule set, otherwise that term has no effect.
901meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE
902describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers
903##} DOS_OUTLOOK_TO_MX
904
905##{ DOS_RCVD_IP_TWICE_C
906
# Matches the X-Spam-Relays-External pseudo-header when it holds two relay
# entries with the same IP: the first ip= value is captured and the second
# must equal it via the \1 backreference. (?!127) rejects addresses starting
# with 127. The helo= field of the first entry must be empty or an IP wrapped
# in "!" characters. The pattern is anchored at both ends, so additional
# entries prevent a match.
907header DOS_RCVD_IP_TWICE_C X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=(?:![\d.]{7,15}!)? [^\[]*\[ ip=\1 [^\]]*\]\s*$/
908describe DOS_RCVD_IP_TWICE_C Received from the same IP twice in a row (only one external relay; empty or IP helo)
909##} DOS_RCVD_IP_TWICE_C
910
911##{ DOS_STOCK_BAT
912
# Mail-client fingerprint plus one stock-related body sub-rule plus one
# date-reference sub-rule.
913meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS)
914describe DOS_STOCK_BAT Probable pump and dump stock spam
915##} DOS_STOCK_BAT
916
917##{ DOS_STOCK_BAT2
918
# Builds on DOS_STOCK_BAT and adds the values of three phrase sub-rules; the
# sum must exceed 2. If each sub-rule yields 0 or 1 this means all three must
# hit -- TODO confirm none of them is a multi-hit rule.
919meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)
920##} DOS_STOCK_BAT2
921
922##{ DOS_URI_ASTERISK
923
# uri rule using m{...} delimiters so "/" needs no escaping. Matches http or
# https URIs (scheme letters in either case) whose host part contains "*"
# either directly before the top-level domain or at the start of the last
# label before it. The TLD is 2-3 letters, optionally followed by a two-letter
# suffix, and must be followed by end of string, ":" or "/". A literal
# asterisk is not valid in a hostname, so a hit indicates a malformed or
# deliberately mangled link.
924uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)}
925describe DOS_URI_ASTERISK Found an asterisk in a URI
926##} DOS_URI_ASTERISK
927
928##{ DOS_YOUR_PLACE
929
# Two mandatory phrase sub-rules plus at least one of six "contact me"
# sub-rules; all are defined outside this excerpt.
930meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL))
931describe DOS_YOUR_PLACE Russian dating spam
932##} DOS_YOUR_PLACE
933
934##{ DOTGOV_IMAGE
935
# Promotes __DOTGOV_IMAGE unless __HAVE_BOUNCE_RELAYS also hits; by its name
# that exclusion keeps bounce messages from triggering the rule -- hedged,
# the sub-rule is not visible here. The score line is commented out.
936meta DOTGOV_IMAGE __DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYS
937describe DOTGOV_IMAGE .gov URI + hosted image
938#score DOTGOV_IMAGE 3.000 # limit
939tflags DOTGOV_IMAGE publish
940##} DOTGOV_IMAGE
941
942##{ DRUGS_HDIA
943
# Case-insensitive whole-word match on the Subject header.
944header DRUGS_HDIA Subject =~ /\bhoodia\b/i
945describe DRUGS_HDIA Subject mentions "hoodia"
946##} DRUGS_HDIA
947
948##{ DSN_NO_MIMEVERSION
949
# Fires when the message has a null return path (the form bounces use) but no
# MIME-Version header, per the two sub-rule names and the description.
# The score line is commented out, so no score is assigned here.
950meta DSN_NO_MIMEVERSION (__BOUNCE_RPATH_NULL && !__MIME_VERSION)
951describe DSN_NO_MIMEVERSION Return-Path <> and no MIME-Version: header
952#score DSN_NO_MIMEVERSION 2
953##} DSN_NO_MIMEVERSION
954
955##{ DX_TEXT_02
956
# Case-insensitive phrase match: change/modify/modification(s), then
# of/to/your/ur, then message/sub/comm, then a word starting with "stat".
957body DX_TEXT_02 /\b(?:change|modif(?:y|ications?)) (?:of|to|(?:yo)?ur) (?:message|sub|comm) stat/i
958describe DX_TEXT_02 "change your message stat"
959tflags DX_TEXT_02 publish
960##} DX_TEXT_02
961
962##{ DX_TEXT_03
963
# Case-sensitive: exactly three capital letters followed by "Media Group" or
# "Media Relations".
964body DX_TEXT_03 /\b[A-Z]{3} Media (?:Group|Relations)\b/
965describe DX_TEXT_03 "XXX Media Group"
966tflags DX_TEXT_03 publish
967##} DX_TEXT_03
968
969##{ DYNAMIC_IMGUR
970
# Plain promotion of the sub-rule __DYNAMIC_IMGUR to a named rule; the logic
# itself lives outside this excerpt. The score line is commented out.
971meta DYNAMIC_IMGUR __DYNAMIC_IMGUR
972describe DYNAMIC_IMGUR dynamic IP + hosted image
973#score DYNAMIC_IMGUR 4.000 # limit
974tflags DYNAMIC_IMGUR publish
975##} DYNAMIC_IMGUR
976
977##{ DYN_RDNS_AND_INLINE_IMAGE
978
# DYN_RDNS_* family: each combines RDNS_DYNAMIC (the sending host's reverse DNS
# looks dynamically assigned) with a content trait. The two SHORT_HELO
# variants additionally require __HELO_NO_DOMAIN.
979meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
980describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS
981##} DYN_RDNS_AND_INLINE_IMAGE
982
983##{ DYN_RDNS_SHORT_HELO_HTML
984
985meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE)
986describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
987##} DYN_RDNS_SHORT_HELO_HTML
988
989##{ DYN_RDNS_SHORT_HELO_IMAGE
990
991meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
992describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image
993##} DYN_RDNS_SHORT_HELO_IMAGE
994
995##{ EBAY_IMG_NOT_RCVD_EBAY
996
# Brand-impersonation indicator: promotes __EBAY_IMG_NOT_RCVD_EBAY unless the
# message has a mailto: URI, a "mail"-style relay rDNS or a DKIM signature.
# NOTE(review): going by its name, __DKIM_EXISTS tests for the presence of a
# signature rather than its validity or signing domain -- confirm before
# relying on this rule for phishing coverage.
997meta EBAY_IMG_NOT_RCVD_EBAY __EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTS
998#score EBAY_IMG_NOT_RCVD_EBAY 3.000 # limit
999describe EBAY_IMG_NOT_RCVD_EBAY E-bay hosted image but message not from E-bay
1000tflags EBAY_IMG_NOT_RCVD_EBAY publish
1001##} EBAY_IMG_NOT_RCVD_EBAY
1002
1003##{ EMRCP
1004
# Case-insensitive phrase match; "Maximum" is optional and the final word may
# be Profit(s) or Fund(s).
1005body EMRCP /\bExcess (?:Maximum )?Return Capital (?:Profits?|Funds?)\b/i
1006describe EMRCP "Excess Maximum Return Capital Profit" scam
1007tflags EMRCP publish
1008##} EMRCP
1009
1010##{ ENCRYPTED_MESSAGE
1011
# "nice" rule: intended to lower the spam score when __CT_ENCRYPTED hits.
# NOTE(review): encrypted content cannot be inspected by body or URI rules,
# so a negative score here means such mail is judged on headers and transport
# alone; attachment and malware policy for encrypted mail has to be enforced
# by other controls. The score line is commented out in this file.
1012meta ENCRYPTED_MESSAGE __CT_ENCRYPTED
1013describe ENCRYPTED_MESSAGE Message is encrypted, not likely to be spam
1014#score ENCRYPTED_MESSAGE -1.000
1015tflags ENCRYPTED_MESSAGE nice publish
1016##} ENCRYPTED_MESSAGE
1017
1018##{ END_FUTURE_EMAILS
1019
# END_FUTURE_EMAILS is split over three stanzas: the description here, then
# two alternative meta definitions selected by whether the DKIM plugin is
# loaded. Exactly one of the two definitions is active in a given setup.
1020describe END_FUTURE_EMAILS Spammy unsubscribe
1021#score END_FUTURE_EMAILS 2.500 # limit
1022##} END_FUTURE_EMAILS
1023
1024##{ END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
1025
# Without the DKIM plugin: base sub-rule minus four header-shape exclusions.
1026if !plugin(Mail::SpamAssassin::Plugin::DKIM)
1027 meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER
1028endif
1029##} END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
1030
1031##{ END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM
1032
# With the DKIM plugin: same expression, additionally suppressed when
# __DKIM_DEPENDABLE or DKIM_SIGNED hits. The rule is therefore stricter on
# installations without DKIM checking than on those with it.
1033ifplugin Mail::SpamAssassin::Plugin::DKIM
1034 meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED
1035endif
1036##} END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM
1037
1038##{ ENVFROM_GOOG_TRIX
1039
# Plain promotion of __ENVFROM_GOOG_TRIX_SPAMMY; the envelope-sender test
# itself is defined outside this excerpt. The score line is commented out.
1040meta ENVFROM_GOOG_TRIX __ENVFROM_GOOG_TRIX_SPAMMY
1041describe ENVFROM_GOOG_TRIX From suspicious Google subdomain
1042#score ENVFROM_GOOG_TRIX 3.000 # limit
1043tflags ENVFROM_GOOG_TRIX publish
1044##} ENVFROM_GOOG_TRIX
1045
1046##{ EXCUSE_24
1047
# Case-insensitive match on "you (have/are/'ve/'re) receive/received/receiving
# this <advertisement|offer|special|recurring|paid>", followed within 16
# characters by "by either" or "because".
1048body EXCUSE_24 /you(?:'ve|'re| have| are)? receiv(?:e|ed|ing) this (?:advertisement|offer|special|recurring|paid).{0,16}\b(?:by either|because)/i
1049describe EXCUSE_24 Claims you wanted this ad
1050##} EXCUSE_24
1051
31955ede 1052##{ FACEBOOK_IMG_NOT_RCVD_FB
b780ea8d 1053
# Brand-impersonation indicator: promotes __FACEBOOK_IMG_NOT_RCVD_FB unless
# the message came via a mailing list, matches __ONE_IMG, or was relayed by a
# host whose rDNS matches __RCD_RDNS_SMTP (sub-rules not visible here).
# The score line is commented out, so no score is assigned in this file.
1054meta FACEBOOK_IMG_NOT_RCVD_FB __FACEBOOK_IMG_NOT_RCVD_FB && !__VIA_ML && !__ONE_IMG && !__RCD_RDNS_SMTP
1055#score FACEBOOK_IMG_NOT_RCVD_FB 2.000 # limit
1056describe FACEBOOK_IMG_NOT_RCVD_FB Facebook hosted image but message not from Facebook
1057tflags FACEBOOK_IMG_NOT_RCVD_FB publish
1058##} FACEBOOK_IMG_NOT_RCVD_FB
cabe596e 1059
1060##{ FAKE_REPLY_C
1061
# Subject carries a reply marker (__SUBJ_RE) while the threading sub-rules
# __MISSING_REF and __NO_INR_YES_REF also hit, i.e. the message claims to be
# a reply without consistent reply headers. No describe line is set here.
1062meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF)
1063##} FAKE_REPLY_C
1064
1065##{ FBI_MONEY
1066
# FBI_MONEY and FBI_SPOOF share the sub-rule __FBI_SPOOF. FBI_MONEY
# additionally requires LOTS_OF_MONEY, so any message hitting FBI_MONEY also
# hits FBI_SPOOF and receives both scores.
1067meta FBI_MONEY __FBI_SPOOF && LOTS_OF_MONEY
1068describe FBI_MONEY The FBI wants to give you lots of money?
1069#score FBI_MONEY 2.00 # limit
1070tflags FBI_MONEY publish
1071##} FBI_MONEY
1072
1073##{ FBI_SPOOF
1074
1075meta FBI_SPOOF __FBI_SPOOF
1076describe FBI_SPOOF Claims to be FBI, but not from FBI domain
1077#score FBI_SPOOF 2.00 # limit
1078tflags FBI_SPOOF publish
1079##} FBI_SPOOF
1080
1081##{ FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1082
# Information-harvesting indicator. Promotes __FILL_THIS_FORM unless the
# message is threaded, came via a mailing list, or matches __FB_TOUR
# (false-positive exclusions defined outside this excerpt). Active only when
# the ReplaceTags plugin is loaded.
1083ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1084 meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML
1085 describe FILL_THIS_FORM Fill in a form with personal information
1086 tflags FILL_THIS_FORM publish
1087endif
1088##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1089
1090##{ FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1091
# Loan-themed variant: promotes __FILL_THIS_FORM_LOAN unless the message has
# an HTML comment or an image link (per the sub-rule names). Unlike its
# siblings this stanza has no tflags line. The score line is commented out.
1092ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1093 meta FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE
1094 describe FILL_THIS_FORM_LOAN Answer loan question(s)
1095# score FILL_THIS_FORM_LOAN 2.0
1096endif
1097##} FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1098
1099##{ FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1100
# Long-form variant: promotes __FILL_THIS_FORM_LONG unless the message came
# via a mailing list, has a List-Unsubscribe header, is threaded, or matches
# __TRAVEL_MANY. It shares its description text with FILL_THIS_FORM, so the
# two are told apart in reports by rule name only.
1101ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1102 meta FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY
1103 describe FILL_THIS_FORM_LONG Fill in a form with personal information
1104# score FILL_THIS_FORM_LONG 2.00 # limit
1105endif
1106##} FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1107
1108##{ FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1109
# FONT_INVIS_* family: each pairs hidden (invisible) text with a second
# suspicious trait. Hidden text is a common way to show a filter different
# content from what the reader sees. The detection logic is in the __FONT_INVIS_*
# sub-rules outside this excerpt; the negated terms here are false-positive
# exclusions for legitimate senders. Every stanza is guarded by the same
# can() feature check and has its score line commented out.
1110if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1111 meta FONT_INVIS_DIRECT __FONT_INVIS_DIRECT && !__UNSUB_LINK && !__HAS_ERRORS_TO && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__URI_DOTGOV && !__NAKED_TO && !__MSGID_OK_HEX
1112 describe FONT_INVIS_DIRECT Invisible text + direct-to-MX
1113# score FONT_INVIS_DIRECT 3.500 # limit
1114 tflags FONT_INVIS_DIRECT publish
1115endif
1116##} FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1117
1118##{ FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1119
# FONT_INVIS_DIRECT above excludes __URI_DOTGOV, which presumably keeps it from
# overlapping this .gov variant -- confirm against the sub-rule definitions.
1120if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1121 meta FONT_INVIS_DOTGOV __FONT_INVIS_DOTGOV && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__HAS_LIST_ID
1122 describe FONT_INVIS_DOTGOV Invisible text + .gov URI
1123# score FONT_INVIS_DOTGOV 3.500 # limit
1124 tflags FONT_INVIS_DOTGOV publish
1125endif
1126##} FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1127
1128##{ FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1129
1130if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1131 meta FONT_INVIS_HTML_NOHTML __FONT_INVIS_HTML_NOHTML && !__RDNS_LONG
1132 describe FONT_INVIS_HTML_NOHTML Invisible text + malformed HTML
1133# score FONT_INVIS_HTML_NOHTML 3.000 # limit
1134 tflags FONT_INVIS_HTML_NOHTML publish
1135endif
1136##} FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1137
1138##{ FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1139
1140if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1141 meta FONT_INVIS_LONG_LINE __FONT_INVIS_LONG_LINE && !__HTML_SINGLET
1142 describe FONT_INVIS_LONG_LINE Invisible text + long lines
1143# score FONT_INVIS_LONG_LINE 3.000 # limit
1144 tflags FONT_INVIS_LONG_LINE publish
1145endif
1146##} FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1147
1148##{ FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1149
1150if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
31955ede 1151 meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX && !__RCD_RDNS_MTA
1152 describe FONT_INVIS_MSGID Invisible text + suspicious message ID
1153# score FONT_INVIS_MSGID 2.500 # limit
1154 tflags FONT_INVIS_MSGID publish
1155endif
1156##} FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1157
1158##{ FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1159
# Hidden text from a relay without reverse DNS (per the description), minus
# four false-positive exclusions. The score line is commented out.
1160if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1161 meta FONT_INVIS_NORDNS __FONT_INVIS_NORDNS && !__HTML_SINGLET && !__LYRIS_EZLM_REMAILER && !__YOUR_PERSONAL && !__HAS_X_MAILER
1162 describe FONT_INVIS_NORDNS Invisible text + no rDNS
1163# score FONT_INVIS_NORDNS 2.500 # limit
1164 tflags FONT_INVIS_NORDNS publish
1165endif
1166##} FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1167
1168##{ FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1169
# The only FONT_INVIS_* rule in this excerpt built directly from the generic
# indicators: either __FONT_INVIS or __STY_INVIS (by name, font-based or
# style-based hiding) together with __AC_POST_EXTRAS. It has no exclusions.
1170if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1171 meta FONT_INVIS_POSTEXTRAS (__FONT_INVIS || __STY_INVIS) && __AC_POST_EXTRAS
1172 describe FONT_INVIS_POSTEXTRAS Invisible text + suspicious URI
1173# score FONT_INVIS_POSTEXTRAS 3.500 # limit
1174 tflags FONT_INVIS_POSTEXTRAS publish
1175endif
1176##} FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1177
1178##{ FORGED_SPF_HELO
1179
# Fires when the SPF check on the HELO identity passes while the SPF check on
# the envelope sender does not, and __HELO_NOT_RDNS also hits (by name, the
# HELO name differs from the relay's reverse DNS). A HELO name is chosen by
# the sender, so an SPF pass on it alone is weak evidence of legitimacy.
# No describe or score line is set in this stanza.
1180meta FORGED_SPF_HELO __HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS
1181##} FORGED_SPF_HELO
1182
1183##{ FORM_FRAUD
1184
# FORM_FRAUD / FORM_FRAUD_3 / FORM_FRAUD_5 are tiers of one indicator (form
# plus an increasing number of fraud phrases). The tiers are mutually
# exclusive: FORM_FRAUD is negated by __FORM_FRAUD_3 and __FORM_FRAUD_5, and
# FORM_FRAUD_3 by __FORM_FRAUD_5. The remaining negated terms are
# false-positive exclusions (list mail, threaded mail and similar).
1185meta FORM_FRAUD (__FORM_FRAUD && !__FORM_FRAUD_3 && !__FORM_FRAUD_5) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__UPPERCASE_URI && !__UNSUB_LINK
1186describe FORM_FRAUD Fill a form and a fraud phrase
1187#score FORM_FRAUD 1.000 # limit
1188tflags FORM_FRAUD publish
1189##} FORM_FRAUD
1190
1191##{ FORM_FRAUD_3
1192
# Also yields to the __ADVANCE_FEE_3_NEW_FORM* sub-rules, presumably so the
# same evidence is not scored twice -- confirm against those rules.
1193meta FORM_FRAUD_3 (__FORM_FRAUD_3 && !__FORM_FRAUD_5 && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_3_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP && !__DOS_BODY_FRI && !__UNSUB_LINK && !__BUGGED_IMG && !__NOT_SPOOFED
1194describe FORM_FRAUD_3 Fill a form and several fraud phrases
1195tflags FORM_FRAUD_3 publish
1196##} FORM_FRAUD_3
1197
1198##{ FORM_FRAUD_5
1199
# Top tier; has the shortest exclusion list of the three.
1200meta FORM_FRAUD_5 (__FORM_FRAUD_5 && !__ADVANCE_FEE_5_NEW_FORM && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__BOUNCE_CTYPE
1201describe FORM_FRAUD_5 Fill a form and many fraud phrases
1202tflags FORM_FRAUD_5 publish
1203##} FORM_FRAUD_5
1204
1205##{ FOUND_YOU
1206
# Promotes __FOUND_YOU unless any of seven exclusions hits: a DKIM signature
# exists, the subject is a reply, or the message carries reference, comment,
# Errors-To or In-Reply-To markers, or its return path matches the relay
# (all per the sub-rule names). The score line is commented out.
1207meta FOUND_YOU __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO
1208#score FOUND_YOU 3.25 # limit
1209describe FOUND_YOU I found you...
1210tflags FOUND_YOU publish
1211##} FOUND_YOU
1212
1213##{ FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
1214
# Fires when the From address is at a freemail provider and the From header
# domain differs from the envelope-sender domain (per the description, the
# comparison is on second-level domains). Three nested guards apply: the
# FreeMail plugin, the HeaderEval plugin and engine version >= 3.004000.
# Legitimate forwarders and mailing services can also produce this mismatch,
# which fits the low commented-out score.
1215ifplugin Mail::SpamAssassin::Plugin::FreeMail
1216 ifplugin Mail::SpamAssassin::Plugin::HeaderEval
1217 if (version >= 3.004000)
1218 meta FREEMAIL_FORGED_FROMDOMAIN FREEMAIL_FROM && HEADER_FROM_DIFFERENT_DOMAINS
1219 describe FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different
1220# score FREEMAIL_FORGED_FROMDOMAIN 0.25
1221 tflags FREEMAIL_FORGED_FROMDOMAIN publish
1222endif
1223endif
1224endif
1225##} FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
1226
1227##{ FREEMAIL_WFH_01
1228
# Plain promotion of __FREEMAIL_WFH_01 (defined outside this excerpt).
1229meta FREEMAIL_WFH_01 __FREEMAIL_WFH_01
1230describe FREEMAIL_WFH_01 Work-from-Home + freemail
1231tflags FREEMAIL_WFH_01 publish
1232##} FREEMAIL_WFH_01
1233
1234##{ FREEM_FRNUM_UNICD_EMPTY
1235
# Plain promotion of __FREEM_FRNUM_UNICD_EMPTY; the description lists the four
# traits the sub-rule is meant to combine. The score line is commented out.
1236meta FREEM_FRNUM_UNICD_EMPTY __FREEM_FRNUM_UNICD_EMPTY
1237describe FREEM_FRNUM_UNICD_EMPTY Numeric freemail From address, unicode From name and Subject, empty body
1238#score FREEM_FRNUM_UNICD_EMPTY 3.750 # limit
1239tflags FREEM_FRNUM_UNICD_EMPTY publish
1240##} FREEM_FRNUM_UNICD_EMPTY
1241
1242##{ FRNAME_IN_MSG_XPRIO_NO_SUB
1243
# From display name repeated in the message, an X-Priority header, and an
# empty or short subject. Suppressed when a DKIM signature exists, when
# __SUBJ_NOT_SHORT hits, or when all relays are trusted (ALL_TRUSTED).
1244meta FRNAME_IN_MSG_XPRIO_NO_SUB (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS && !__SUBJ_NOT_SHORT && !ALL_TRUSTED
1245describe FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short or no subject
1246#score FRNAME_IN_MSG_XPRIO_NO_SUB 2.500 # limit
1247tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish
1248##} FRNAME_IN_MSG_XPRIO_NO_SUB
1249
1250##{ FROM_ADDR_WS
1251
# Malformed From address (whitespace inside it, going by the rule name).
# Suppressed for bounce messages (ANY_BOUNCE_MESSAGE), quoted-printable
# encoded From headers and two relay-rDNS patterns. The score line is
# commented out.
1252meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL
1253describe FROM_ADDR_WS Malformed From address
1254#score FROM_ADDR_WS 3.000 # limit
1255tflags FROM_ADDR_WS publish
1256##} FROM_ADDR_WS
1257
1258##{ FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1259
# Fires when the From address is on the bank address list
# (__FROM_ADDRLIST_BANKS), the message passed through at least one untrusted
# relay (neither NO_RELAYS nor ALL_TRUSTED), and BOTH SPF_PASS and
# DKIM_VALID_AU are absent. Either one passing suppresses the rule.
# NOTE(review): SPF_PASS is evaluated on the envelope sender, which need not
# be the From: domain, and this expression does not check alignment between
# the two. Treat this rule as a supplement to DMARC enforcement, not a
# replacement for it.
1260if (version >= 3.004002)
1261ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1262meta FROM_BANK_NOAUTH __FROM_ADDRLIST_BANKS && (! NO_RELAYS && ! ALL_TRUSTED) && (! SPF_PASS && ! DKIM_VALID_AU)
1263tflags FROM_BANK_NOAUTH publish net
1264describe FROM_BANK_NOAUTH From Bank domain but no SPF or DKIM
1265#score FROM_BANK_NOAUTH 1.0 # limit
1266endif
1267endif
1268##} FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1269
1270##{ FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1271
# FROM_FMBLA_* family: domain-age indicators backed by a DNS lookup (the
# description below names fresh.fmb.la). All need engine version >= 3.004001
# and the AskDNS plugin, and all carry the "net" tflag.
#
# FROM_FMBLA_NDBLOCKED is an operational signal: per its description the
# lookup was refused. NOTE(review): while it fires, the NEWDOM* rules below
# presumably cannot hit, so it is worth alerting on -- confirm against the
# sub-rule definitions.
1272if (version >= 3.004001)
1273ifplugin Mail::SpamAssassin::Plugin::AskDNS
1274meta FROM_FMBLA_NDBLOCKED __FROM_FMBLA_NDBLOCKED
1275describe FROM_FMBLA_NDBLOCKED ADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
1276tflags FROM_FMBLA_NDBLOCKED net publish
1277#score FROM_FMBLA_NDBLOCKED 0.001 # limit
1278endif
1279endif
1280##} FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1281
1282##{ FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1283
# Age buckets per the descriptions: under 7 days, 7-14 days, 14-28 days, with
# the commented-out score limits decreasing as the domain gets older.
# NOTE(review): this first bucket has "tflags ... net" without "publish",
# unlike its two siblings -- confirm whether that is intentional.
1284if (version >= 3.004001)
1285ifplugin Mail::SpamAssassin::Plugin::AskDNS
1286meta FROM_FMBLA_NEWDOM __FROM_FMBLA_NEWDOM
1287describe FROM_FMBLA_NEWDOM From domain was registered in last 7 days
1288tflags FROM_FMBLA_NEWDOM net
1289#score FROM_FMBLA_NEWDOM 1.5 # limit
1290endif
1291endif
1292##} FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1293
1294##{ FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1295
1296if (version >= 3.004001)
1297ifplugin Mail::SpamAssassin::Plugin::AskDNS
1298meta FROM_FMBLA_NEWDOM14 __FROM_FMBLA_NEWDOM14
1299describe FROM_FMBLA_NEWDOM14 From domain was registered in last 7-14 days
1300tflags FROM_FMBLA_NEWDOM14 publish net
1301#score FROM_FMBLA_NEWDOM14 1.0 # limit
1302endif
1303endif
1304##} FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1305
1306##{ FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1307
1308if (version >= 3.004001)
1309ifplugin Mail::SpamAssassin::Plugin::AskDNS
1310meta FROM_FMBLA_NEWDOM28 __FROM_FMBLA_NEWDOM28
1311describe FROM_FMBLA_NEWDOM28 From domain was registered in last 14-28 days
1312tflags FROM_FMBLA_NEWDOM28 net publish
1313#score FROM_FMBLA_NEWDOM28 0.8 # limit
1314endif
1315endif
1316##} FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1317
1318##{ FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1319
# FROM_GOV_* family: rules keyed on the From address being on the government
# address list (__FROM_ADDRLIST_GOV, defined outside this excerpt). All need
# engine version >= 3.004002 and the WLBLEval plugin.
#
# FROM_GOV_DKIM_AU is the only "nice" rule of the three: it lowers the score
# when the message also has a valid author-domain DKIM signature
# (DKIM_VALID_AU), i.e. the signature is tied to the From: domain.
1320if (version >= 3.004002)
1321ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1322meta FROM_GOV_DKIM_AU DKIM_VALID_AU && __FROM_ADDRLIST_GOV
1323tflags FROM_GOV_DKIM_AU net nice publish
1324describe FROM_GOV_DKIM_AU From Government address and DKIM signed
1325#score FROM_GOV_DKIM_AU -1.0 # limit
1326endif
1327endif
1328##} FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1329
1330##{ FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1331
# Government From address with replies redirected to a freemail mailbox and
# no valid author-domain DKIM signature. Redirecting replies this way is a
# common trait of impersonation mail.
1332if (version >= 3.004002)
1333ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1334meta FROM_GOV_REPLYTO_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_GOV && !DKIM_VALID_AU
1335tflags FROM_GOV_REPLYTO_FREEMAIL net publish
1336describe FROM_GOV_REPLYTO_FREEMAIL From Government domain but ReplyTo is FREEMAIL
1337#score FROM_GOV_REPLYTO_FREEMAIL 2.0
1338endif
1339endif
1340##} FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1341
1342##{ FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1343
# Government From address where __NOT_SPOOFED does not hit and the message
# passed through at least one untrusted relay. What counts as "not spoofed"
# is decided entirely by that sub-rule, which is not visible here.
1344if (version >= 3.004002)
1345ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1346meta FROM_GOV_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (! NO_RELAYS && ! ALL_TRUSTED)
1347tflags FROM_GOV_SPOOF net publish
1348describe FROM_GOV_SPOOF From Government domain but matches SPOOFED
1349#score FROM_GOV_SPOOF 1.0 # limit
1350endif
1351endif
1352##} FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1353
1354##{ FROM_IN_TO_AND_SUBJ
1355
# The From address equals the To address and also appears in the Subject;
# suppressed for mail that carries a List-Id header (per __HAS_LIST_ID).
1356meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID
1357describe FROM_IN_TO_AND_SUBJ From address is in To and Subject
1358tflags FROM_IN_TO_AND_SUBJ publish
1359##} FROM_IN_TO_AND_SUBJ
1360
1361##{ FROM_MISSPACED
1362
# Promotes __FROM_MISSPACED minus a long list of false-positive exclusions.
# The last five negated terms (__MTLANDROID_MUA through __FLASHMAIL_MUA) are
# mail-client fingerprints, presumably clients known to emit this header
# shape legitimately. The score line is commented out.
1363meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
1364describe FROM_MISSPACED From: missing whitespace
1365#score FROM_MISSPACED 2.00
1366##} FROM_MISSPACED
1367
1368##{ FROM_MISSP_DYNIP
1369
# Misspaced From header (__FROM_RUNON) combined with RDNS_DYNAMIC. This and
# several other FROM_MISSP_* rules build on __FROM_RUNON, not __FROM_MISSPACED.
1370meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC
1371describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS
1372##} FROM_MISSP_DYNIP
1373
1374##{ FROM_MISSP_EH_MATCH
1375
# Misspaced From header that matches the envelope sender, minus exclusions
# for list mail, DKIM-signed mail, one relay pattern (__RCVD_ZIXMAIL) and the
# same five mail-client fingerprints used by FROM_MISSPACED.
# The score line is commented out.
1376meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
1377describe FROM_MISSP_EH_MATCH From misspaced, matches envelope
1378#score FROM_MISSP_EH_MATCH 2.00 # max
1379##} FROM_MISSP_EH_MATCH
1380
1381##{ FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail
1382
# Active only when the FreeMail plugin is loaded.
1383ifplugin Mail::SpamAssassin::Plugin::FreeMail
1384 meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA
1385 describe FROM_MISSP_FREEMAIL From misspaced + freemail provider
1386endif
1387##} FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail
1388
1389##{ FROM_MISSP_MSFT
1390
# A misspaced From header in mail that claims a Microsoft client, via either
# an Outlook mail-client fingerprint or a Microsoft MIMEOLE header.
1391meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
1392describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
1393##} FROM_MISSP_MSFT
1394
1395##{ FROM_MISSP_PHISH
1396
# Phishing indicator: promotes __FROM_MISSP_PHISH unless the message has a
# List-Unsubscribe header. Per the description the sub-rule pairs a malformed
# From with a claimed financial sender; its definition is not visible here.
# The score line is commented out and no tflags line is set.
1397meta FROM_MISSP_PHISH __FROM_MISSP_PHISH && !__DOS_HAS_LIST_UNSUB
1398describe FROM_MISSP_PHISH Malformed, claims to be from financial organization - possible phish
1399#score FROM_MISSP_PHISH 3.500 # limit
1400##} FROM_MISSP_PHISH
1401
1402##{ FROM_MISSP_REPLYTO
1403
# Misspaced From header plus a Reply-To header, minus ten false-positive
# exclusions (not-spoofed senders, list mail, multipart/alternative and
# others, per the sub-rule names). The score line is commented out.
1404meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY && !__DOS_HAS_LIST_UNSUB
1405describe FROM_MISSP_REPLYTO From misspaced, has Reply-To
1406#score FROM_MISSP_REPLYTO 2.500 # limit
1407##} FROM_MISSP_REPLYTO
1408
1409##{ FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
1410
# Misspaced From header together with an SPF failure. Tagged "net" because
# the SPF result depends on a DNS lookup; active only when the SPF plugin is
# loaded. No describe line is set in this stanza.
1411ifplugin Mail::SpamAssassin::Plugin::SPF
1412 meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL)
1413 tflags FROM_MISSP_SPF_FAIL net
1414# score FROM_MISSP_SPF_FAIL 2.00 # limit
1415endif
1416##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
1417
1418##{ FROM_MISSP_TO_UNDISC
1419
# Misspaced From header (__FROM_RUNON) in a message addressed to undisclosed
# recipients (__TO_UNDISCLOSED).
1420meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED)
1421describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed
1422##} FROM_MISSP_TO_UNDISC
1423
1424##{ FROM_MISSP_USER
1425
# Misspaced From header (__FROM_RUNON) combined with NSL_RCVD_FROM_USER, a
# rule defined outside this excerpt.
1426meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER)
1427describe FROM_MISSP_USER From misspaced, from "User"
1428##} FROM_MISSP_USER
1429
151f49fd 1430##{ FROM_MISSP_XPRIO
fc5290a3 1431
# Misspaced From header together with an X-Priority header; suppressed for
# mail matching __LYRIS_EZLM_REMAILER. This rule builds on __FROM_MISSPACED,
# whereas several sibling FROM_MISSP_* rules use __FROM_RUNON.
# The score line is commented out.
1432meta FROM_MISSP_XPRIO (__XPRIO && __FROM_MISSPACED) && !__LYRIS_EZLM_REMAILER
1433describe FROM_MISSP_XPRIO Misspaced FROM + X-Priority
1434#score FROM_MISSP_XPRIO 2.500 # limit
1435##} FROM_MISSP_XPRIO
fc5290a3 1436
1437##{ FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1438
# Recently registered sender domain (__PDS_NEWDOMAIN) together with a Bitcoin
# identifier in the message (__PDS_BTC_ID), a pairing typical of extortion and
# payment-demand mail. Tagged "net"; needs the AskDNS plugin and engine
# version >= 3.004001. No "publish" tflag is set on this rule.
1439if (version >= 3.004001)
1440ifplugin Mail::SpamAssassin::Plugin::AskDNS
1441meta FROM_NEWDOM_BTC __PDS_BTC_ID && __PDS_NEWDOMAIN
1442describe FROM_NEWDOM_BTC Newdomain with Bitcoin ID
1443#score FROM_NEWDOM_BTC 2.0 # limit
1444tflags FROM_NEWDOM_BTC net
1445endif
1446endif
1447##} FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1448
1449##{ FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1450
# From address on the suspicious new-TLD list, a short body (by name, under
# 512 bytes) and a body consisting of little more than a URI.
1451if (version >= 3.004002)
1452ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1453meta FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY
1454tflags FROM_NTLD_LINKBAIT publish
1455describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI
1456#score FROM_NTLD_LINKBAIT 2.0 # limit
1457endif
1458endif
1459##} FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1460
1461##{ FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1462
# From address on the suspicious new-TLD list with replies redirected to a
# freemail mailbox.
1463if (version >= 3.004002)
1464ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1465meta FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD
1466tflags FROM_NTLD_REPLY_FREEMAIL publish
1467describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL
1468#score FROM_NTLD_REPLY_FREEMAIL 2.0 # limit
1469endif
1470endif
1471##} FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1472
1473##{ FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1474
# Recently registered sender domain together with __NUMBERONLY_TLD (defined
# outside this excerpt; the description only calls it a "fingerprint").
1475if (version >= 3.004001)
1476ifplugin Mail::SpamAssassin::Plugin::AskDNS
1477meta FROM_NUMBERO_NEWDOMAIN __NUMBERONLY_TLD && __PDS_NEWDOMAIN
1478describe FROM_NUMBERO_NEWDOMAIN Fingerprint and new domain
1479#score FROM_NUMBERO_NEWDOMAIN 2.0 # limit
1480tflags FROM_NUMBERO_NEWDOMAIN net publish
1481endif
1482endif
1483##} FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1484
1485##{ FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1486
# Brand-spoofing indicator with the same shape as FROM_GOV_SPOOF: From address
# on the PayPal address list, __NOT_SPOOFED does not hit, and the message
# passed through at least one untrusted relay. What counts as "not spoofed"
# is decided by that sub-rule, which is not visible in this excerpt.
1487if (version >= 3.004002)
1488ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1489meta FROM_PAYPAL_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_PAYPAL && (! NO_RELAYS && ! ALL_TRUSTED)
1490tflags FROM_PAYPAL_SPOOF publish net
1491describe FROM_PAYPAL_SPOOF From PayPal domain but matches SPOOFED
1492#score FROM_PAYPAL_SPOOF 1.6 # limit
1493endif
1494endif
1495##} FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1496
1497##{ FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1498
# Base indicator: From address on the suspicious new-TLD list, no further
# conditions. Its commented-out score limit is the lower of the two rules.
1499if (version >= 3.004002)
1500ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1501meta FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD
1502tflags FROM_SUSPICIOUS_NTLD publish
1503describe FROM_SUSPICIOUS_NTLD From abused NTLD
1504#score FROM_SUSPICIOUS_NTLD 0.5 # limit
1505endif
1506endif
1507##} FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1508
1509##{ FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1510
# Stricter variant: same list match, but only when the message has no Sender,
# In-Reply-To or X-Mailing-List header (per the sub-rule names). It fires in
# addition to FROM_SUSPICIOUS_NTLD, not instead of it, and uses the identical
# description text, so reports distinguish the two by rule name only.
1511if (version >= 3.004002)
1512ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1513meta FROM_SUSPICIOUS_NTLD_FP __FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST
1514tflags FROM_SUSPICIOUS_NTLD_FP publish
1515describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD
1516#score FROM_SUSPICIOUS_NTLD_FP 2.0 # limit
1517endif
1518endif
1519##} FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1520
1521##{ FROM_UNBAL1
1522
# Tests the raw (undecoded) From header. The /x flag makes the spaces in the
# pattern insignificant, so it reads: "<", then any characters other than ">",
# up to the end of a line (/m). It finds an opening angle bracket that is
# never closed on that line. Malformed address syntax matters because mail
# clients and filters may disagree on which address such a header contains.
1523header FROM_UNBAL1 From:raw =~ / < [^>]* $/xm
1524describe FROM_UNBAL1 From with unbalanced angle brackets, '>' missing
1525##} FROM_UNBAL1
1526
1527##{ FROM_WSP_TRAIL
1528
# Tests the raw From header; /x makes the spaces in the pattern insignificant.
# Reads: "<", any non-">" characters, one whitespace character, ">", then only
# characters other than "<" and ">" up to the very end of the header (\z).
# It finds whitespace immediately before the closing bracket of the last
# angle-bracketed address.
1529header FROM_WSP_TRAIL From:raw =~ /< [^>]* \s > [^<>]* \z/xm
1530describe FROM_WSP_TRAIL Trailing whitespace before '>' in From header field
1531##} FROM_WSP_TRAIL
1532
1533##{ FSL_BULK_SIG
1534
# Fires when at least one bulk-mail signature check hits (DCC_CHECK,
# RAZOR2_CHECK or PYZOR_CHECK) and none of the exclusions does: unsubscribe
# headers or links, a DNS allowlist hit (__RCVD_IN_DNSWL), two relay-rDNS
# patterns, a VERP-style sender and a very short body (sub-rule names only;
# definitions are outside this excerpt). The score line is commented out.
31955ede 1535meta FSL_BULK_SIG (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__USING_VERP1 && !__KAM_BODY_LENGTH_LT_128
b780ea8d 1536describe FSL_BULK_SIG Bulk signature with no Unsubscribe
31955ede 1537#score FSL_BULK_SIG 2.500 # limit
1538tflags FSL_BULK_SIG net publish
1539##} FSL_BULK_SIG
1540
1541##{ FSL_CTYPE_WIN1251
1542
1543header FSL_CTYPE_WIN1251 Content-Type =~ /charset="Windows-1251"/
1544describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam
1545##} FSL_CTYPE_WIN1251
1546
1547##{ FSL_FAKE_HOTMAIL_RVCD
1548
1549header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/
1550##} FSL_FAKE_HOTMAIL_RVCD
1551
1552##{ FSL_HELO_BARE_IP_1
1553
1554meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED
1555##} FSL_HELO_BARE_IP_1
1556
1557##{ FSL_HELO_DEVICE
1558
1559header FSL_HELO_DEVICE X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i
1560##} FSL_HELO_DEVICE
1561
1562##{ FSL_HELO_NON_FQDN_1
1563
# Hits when a helo= value in X-Spam-Relays-External consists only of letters,
# digits, '-' and '_' and is followed directly by a space, i.e. it contains no
# dot and so is not a fully qualified name.
# ^[^\]]+ anchors at the start of the header and cannot cross a ']', so only
# the first relay entry is examined (presumably the most recent external hop -
# confirm against the relay header format).
# In the class [a-zA-Z0-9-_] the '-' after the completed range 0-9 is a literal
# hyphen in Perl, not the start of a range up to '_'.
# The HELO string is chosen by the connecting client, so this is a hint about
# sender hygiene, not an identity check.
1564header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
1565##} FSL_HELO_NON_FQDN_1
1566
1567##{ FSL_HELO_SETUP
1568
1569header FSL_HELO_SETUP X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i
1570##} FSL_HELO_SETUP
1571
1572##{ FSL_INTERIA_ABUSE
1573
1574uri FSL_INTERIA_ABUSE /\/\S+\.(?:w|eu|fm)\.interia\.pl/
1575##} FSL_INTERIA_ABUSE
1576
1577##{ FSL_NEW_HELO_USER
1578
1579meta FSL_NEW_HELO_USER (__FSL_HELO_USER_1 || __FSL_HELO_USER_2 || __FSL_HELO_USER_3)
1580describe FSL_NEW_HELO_USER Spam's using Helo and User
1581#score FSL_NEW_HELO_USER 2.0
1582tflags FSL_NEW_HELO_USER publish
1583##} FSL_NEW_HELO_USER
1584
1585##{ FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1586
1587ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1588 body FUZZY_AMAZON /(?:^|\W)(?=<A>)(?!amazon)<A><M><A><Z><O><N>(?:$|\W)/i
1589 describe FUZZY_AMAZON Obfuscated "amazon"
1590 tflags FUZZY_AMAZON publish
1591endif
1592##} FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1593
1594##{ FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1595
1596ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1597 body FUZZY_ANDROID /(?=<A>)(?!android)<A><N><D><R><O><I><D>/i
1598 describe FUZZY_ANDROID Obfuscated "android"
1599 tflags FUZZY_ANDROID publish
1600endif
1601##} FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1602
1603##{ FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1604
1605ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1606 body FUZZY_APPLE /(?:^|\W)(?=<A>)(?!appl[ey])<A><P><P><L><E>(?:$|\W)/i
1607 describe FUZZY_APPLE Obfuscated "apple"
1608 tflags FUZZY_APPLE publish
1609endif
1610##} FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1611
1612##{ FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1613
1614ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1615 body FUZZY_BITCOIN /(?=<B>)(?!bit[-\s]?coin)<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i
1616 describe FUZZY_BITCOIN Obfuscated "Bitcoin"
1617 tflags FUZZY_BITCOIN publish
1618endif
1619##} FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1620
1621##{ FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1622
1623ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1624 body FUZZY_BROWSER /(?=<B>)(?!browser)<B><R><O><W><S><E><R>/i
1625 describe FUZZY_BROWSER Obfuscated "browser"
1626 tflags FUZZY_BROWSER publish
1627endif
1628##} FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1629
1630##{ FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1631
1632ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1633 meta FUZZY_BTC_WALLET FUZZY_BITCOIN && FUZZY_WALLET
1634 describe FUZZY_BTC_WALLET Heavily obfuscated "bitcoin wallet"
1635 tflags FUZZY_BTC_WALLET publish
1636endif
1637##} FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1638
1639##{ FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1640
1641ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1642 body FUZZY_CLICK_HERE /(?=<C>)(?!click(?:\s|&nbsp;)here)<C><WS>*<L><WS>*<I><WS>*<C><WS>*<K><WS>+<H><WS>*<E><WS>*<R><WS>*<E>/i
1643 describe FUZZY_CLICK_HERE Obfuscated "click here"
1644 tflags FUZZY_CLICK_HERE publish
1645endif
1646##} FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1647
1648##{ FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1649
1650ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1651 meta FUZZY_DR_OZ __FUZZY_DR_OZ && !__VIA_ML
1652 describe FUZZY_DR_OZ Obfuscated Doctor Oz
1653 tflags FUZZY_DR_OZ publish
1654endif
1655##} FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1656
1657##{ FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1658
1659ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1660 body FUZZY_FACEBOOK /(?=<F>)(?!fa[ck]ebook)<F><A><C><E><B><O><O><K>/i
1661 describe FUZZY_FACEBOOK Obfuscated "facebook"
1662 tflags FUZZY_FACEBOOK publish
1663endif
1664##} FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1665
1666##{ FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1667
1668ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1669 body FUZZY_IMPORTANT /(?=<I>)(?!important)<I>(?:<M>|<N>)<P><O><R><T><A><N><T>/i
1670 describe FUZZY_IMPORTANT Obfuscated "important"
1671 tflags FUZZY_IMPORTANT publish
1672endif
1673##} FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1674
1675##{ FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1676
1677ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1678body FUZZY_MERIDIA /<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i
1679describe FUZZY_MERIDIA Obfuscation of the word "meridia"
1680endif
1681##} FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1682
1683##{ FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1684
1685ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1686 body FUZZY_MICROSOFT /(?=<M>)(?!microsoft)<M><I><C><R><O><S><O><F><T>/i
1687 describe FUZZY_MICROSOFT Obfuscated "microsoft"
1688 tflags FUZZY_MICROSOFT publish
1689endif
1690##} FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1691
1692##{ FUZZY_MONERO
1693
1694meta FUZZY_MONERO __FUZZY_MONERO
1695describe FUZZY_MONERO Obfuscated "Monero"
1696tflags FUZZY_MONERO publish
1697##} FUZZY_MONERO
1698
1699##{ FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1700
1701ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1702 body FUZZY_NORTON /(?:^|\W)(?=<N>)(?!norton)<N><O><R><T><O><N>(?:$|\W)/i
1703 describe FUZZY_NORTON Obfuscated "norton"
1704 tflags FUZZY_NORTON publish
1705endif
1706##} FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1707
1708##{ FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1709
1710ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1711 body FUZZY_OVERSTOCK /(?:^|\W)(?=<O>)(?!over[-\s]?stock)<O><V><E><R>[-\s]?<S><T><O><C><K>(?:$|\W)/i
1712 describe FUZZY_OVERSTOCK Obfuscated "overstock"
1713 tflags FUZZY_OVERSTOCK publish
1714endif
1715##} FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1716
1717##{ FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1718
# Brand-obfuscation rule, only defined when the ReplaceTags plugin is loaded.
# <P>, <A>, <Y> and <L> are placeholders, not literal text; presumably
# ReplaceTags expands them into classes of look-alike characters (the tag
# definitions and any replace_rules entry are not in this part of the file).
# (?=<P>) requires the match to begin with a P-like character and
# (?!pay[-\s]?pal) rejects the plain spelling (any case, optional hyphen or
# whitespace), so only disguised spellings hit.
# (?:^|\W) and (?:$|\W) require a non-word character or the text edge on both
# sides, so the word is not matched inside a longer token.
1719ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1720 body FUZZY_PAYPAL /(?:^|\W)(?=<P>)(?!pay[-\s]?pal)<P><A><Y>[-\s]?<P><A><L>(?:$|\W)/i
1721 describe FUZZY_PAYPAL Obfuscated "paypal"
1722 tflags FUZZY_PAYPAL publish
1723endif
1724##} FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1725
1726##{ FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1727
1728ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1729 meta FUZZY_PORN __FUZZY_PORN && !( __ENV_AND_HDR_FROM_MATCH && __SENDER_BOT )
1730 describe FUZZY_PORN Obfuscated "Pornography" or "Pornographic"
1731 tflags FUZZY_PORN publish
1732endif
1733##} FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1734
1735##{ FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1736
1737ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1738 body FUZZY_PRIVACY /(?=<P>)(?!privacy)<P><R><I><V><A><C><Y>/i
1739 describe FUZZY_PRIVACY Obfuscated "privacy"
1740 tflags FUZZY_PRIVACY publish
1741endif
1742##} FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1743
1744##{ FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1745
1746ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1747 body FUZZY_PROMOTION /(?=<P>)(?!promotion)<P><R><O><M><O><T><I><O><N>/i
1748 describe FUZZY_PROMOTION Obfuscated "promotion"
1749 tflags FUZZY_PROMOTION publish
1750endif
1751##} FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1752
1753##{ FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1754
1755ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1756 body FUZZY_SAVINGS /(?=<S>)(?!savings)<S><A><V><I><N><G><S>/i
1757 describe FUZZY_SAVINGS Obfuscated "savings"
1758 tflags FUZZY_SAVINGS publish
1759endif
1760##} FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1761
1762##{ FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1763
# Obfuscation rule for "security", only defined when ReplaceTags is loaded.
# The tag sequence accepts <C> or <G> in third position and either <T><Y> or
# <D><A><D> at the end, so it covers disguised forms of both "security" and
# "seguridad".
# Three negative lookaheads exclude the plain spellings: "security",
# "seguridad" and the French word written as UTF-8 bytes (\xc3\xa9 is e-acute).
# Unlike some sibling FUZZY_ rules there is no (?:^|\W) / (?:$|\W) framing, so
# the match may sit inside a longer token.
# <S>, <E>, ... are placeholders whose expansions are not visible here.
1764ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1765 body FUZZY_SECURITY /(?=<S>)(?!security)(?!seguridad)(?!s\xc3\xa9curit\xc3\xa9)<S><E>(?:<C>|<G>)<U><R><I>(?:<T><Y>|<D><A><D>)/i
1766 describe FUZZY_SECURITY Obfuscated "security"
1767 tflags FUZZY_SECURITY publish
1768endif
1769##} FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1770
151f49fd
SI
1771##{ FUZZY_TRUSTWALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1772
1773ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1774 meta FUZZY_TRUSTWALLET __FUZZY_TRUSTWALLET_BODY || __FUZZY_TRUSTWALLET_FROM
1775 describe FUZZY_TRUSTWALLET Obfuscated "Trust Wallet", probable phishing
1776 tflags FUZZY_TRUSTWALLET publish
1777endif
1778##} FUZZY_TRUSTWALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1779
b780ea8d
SI
1780##{ FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1781
1782ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1783 body FUZZY_UNSUBSCRIBE /(?=<U>)(?!unsubscribe)<U><N><S><U><B><S><C><R><I><B><E>/i
1784 describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe"
1785 tflags FUZZY_UNSUBSCRIBE publish
1786endif
1787##} FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1788
1789##{ FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1790
1791ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1792 body FUZZY_WALLET /(?=<W>)(?!wallet)<W><A><L><L><E><T>/i
1793 describe FUZZY_WALLET Obfuscated "Wallet"
1794 tflags FUZZY_WALLET publish
1795endif
1796##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1797
151f49fd
SI
1798##{ FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1799
1800ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1801 meta FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
1802 describe FUZZY_WELLSFARGO Obfuscated "Wells Fargo"
1803 tflags FUZZY_WELLSFARGO publish
1804endif
1805##} FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1806
b780ea8d
SI
1807##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1808
1809if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1810 meta GAPPY_SALES_LEADS_FREEM __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
1811 describe GAPPY_SALES_LEADS_FREEM Obfuscated marketing text, freemail or CHN replyto
1812# score GAPPY_SALES_LEADS_FREEM 3.500 # limit
1813 tflags GAPPY_SALES_LEADS_FREEM publish
1814endif
1815##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1816
151f49fd 1817##{ GB_BITCOIN_CP
dfdd1e08 1818
151f49fd
SI
1819meta GB_BITCOIN_CP ( __GB_BITCOIN_CP_DE || __GB_BITCOIN_CP_ES || __GB_BITCOIN_CP_EN || __GB_BITCOIN_CP_FR || __GB_BITCOIN_CP_IT || __GB_BITCOIN_CP_NL || __GB_BITCOIN_CP_SE )
1820describe GB_BITCOIN_CP Localized Bitcoin scam
1821#score GB_BITCOIN_CP 3.0 # limit
1822##} GB_BITCOIN_CP
dfdd1e08
SI
1823
1824##{ GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
1825
1826if (version >= 4.000000)
1827if can(Mail::SpamAssassin::Conf::feature_capture_rules)
1828 meta GB_CUSTOM_HTM_URI ( __GB_CUSTOM_HTM_URI0 || __GB_CUSTOM_HTM_URI1 || __GB_CUSTOM_HTM_URI2 || __GB_DRUPAL_URI )
1829 describe GB_CUSTOM_HTM_URI Custom html uri
1830# score GB_CUSTOM_HTM_URI 1.500 # limit
1831 tflags GB_CUSTOM_HTM_URI publish
1832endif
1833endif
1834##} GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
1835
b780ea8d
SI
1836##{ GB_FAKE_RF_SHORT
1837
dfdd1e08 1838meta GB_FAKE_RF_SHORT ( ! __THREADED && __GB_FAKE_RF && __URL_SHORTENER )
b780ea8d
SI
1839describe GB_FAKE_RF_SHORT Fake reply or forward with url shortener
1840#score GB_FAKE_RF_SHORT 2.000 # limit
1841tflags GB_FAKE_RF_SHORT publish
1842##} GB_FAKE_RF_SHORT
1843
1844##{ GB_FORGED_MUA_POSTFIX
1845
1846meta GB_FORGED_MUA_POSTFIX ( __FORGED_MUA_POSTFIX0 || __FORGED_MUA_POSTFIX1 )
1847describe GB_FORGED_MUA_POSTFIX Forged Postfix mua headers
1848tflags GB_FORGED_MUA_POSTFIX publish
1849#score GB_FORGED_MUA_POSTFIX 2.0 # limit
1850##} GB_FORGED_MUA_POSTFIX
1851
1852##{ GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
1853
1854ifplugin Mail::SpamAssassin::Plugin::FreeMail
1855 meta GB_FREEMAIL_DISPTO ( __FREEMAIL_DISPTO && !__freemail_safe )
1856 describe GB_FREEMAIL_DISPTO Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails
1857# score GB_FREEMAIL_DISPTO 0.50 # limit
1858 tflags GB_FREEMAIL_DISPTO publish
1859endif
1860##} GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
1861
1862##{ GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail
1863
1864ifplugin Mail::SpamAssassin::Plugin::FreeMail
1865 meta GB_FREEMAIL_DISPTO_NOTFREEM ( __FREEMAIL_DISPTO && !__freemail_safe && !FREEMAIL_FROM )
1866 describe GB_FREEMAIL_DISPTO_NOTFREEM Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail
1867# score GB_FREEMAIL_DISPTO_NOTFREEM 0.50 # limit
1868 tflags GB_FREEMAIL_DISPTO_NOTFREEM publish
1869endif
1870##} GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail
1871
1872##{ GB_GOOGLE_OBFUR
1873
151f49fd 1874uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.[a-z]{2,3}\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=(?:[0-9])*\&(?:cad=rja\&uact=[0-9]+\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(?:&usg=.{1,50})?/
b780ea8d
SI
1875describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect
1876#score GB_GOOGLE_OBFUR 0.75 # limit
1877tflags GB_GOOGLE_OBFUR publish
1878##} GB_GOOGLE_OBFUR
1879
dfdd1e08
SI
1880##{ GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL
1881
# Looks up Bitcoin-address-shaped strings from the message body in the DNS
# zone bl.btcblack.it through the HashBL plugin's check_hashbl_bodyre eval.
# Only defined on SpamAssassin >= 3.4.3 with HashBL loaded.
# The capture group takes either a string starting with 1 or 3 followed by
# 25-34 characters from a class that omits l, I, O and 0, or a string starting
# with bc1 followed by 30-62 lower-case letters/digits from the listed class.
# (?<!=) skips candidates that directly follow an '='.
# tflags "net" marks this as a network test, so it does nothing when network
# checks are disabled.
# NOTE(review): with the 'raw' option the matched string is presumably queried
# unhashed, so address strings taken from mail bodies would appear in DNS
# queries to a third-party zone; max=10 presumably caps lookups per message.
# Confirm both against the HashBL documentation and the site's DNS egress and
# privacy policy.
1882if (version >= 3.004003)
1883 ifplugin Mail::SpamAssassin::Plugin::HashBL
1884 body GB_HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,62})\b')
1885 tflags GB_HASHBL_BTC net publish
1886 describe GB_HASHBL_BTC Message contains BTC address found on BTCBL
1887# score GB_HASHBL_BTC 5.0 # limit
1888endif
1889endif
1890##} GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL
1891
b780ea8d
SI
1892##{ GEO_QUERY_STRING
1893
1894uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
1895##} GEO_QUERY_STRING
1896
1897##{ GOOGLE_DOCS_PHISH
1898
1899meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2)
1900describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form
1901#score GOOGLE_DOCS_PHISH 3.00 # limit
1902tflags GOOGLE_DOCS_PHISH publish
1903##} GOOGLE_DOCS_PHISH
1904
1905##{ GOOGLE_DOCS_PHISH_MANY
1906
1907meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
1908describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form
1909#score GOOGLE_DOCS_PHISH_MANY 4.00 # limit
1910tflags GOOGLE_DOCS_PHISH_MANY publish
1911##} GOOGLE_DOCS_PHISH_MANY
1912
1913##{ GOOGLE_DOC_SUSP
1914
# Fires on __GOOGLE_DOC_SUSP unless one of the listed exclusions is true:
# the stronger GOOGLE_DOCS_PHISH_MANY rule, or sub-rules whose names suggest
# mailing-list, threaded or established-MTA traffic (their definitions are not
# in this part of the file).
# NOTE(review): !__RCD_RDNS_SMTP appears twice in the expression. The second
# occurrence is redundant and does not change the result; it may stand in for
# a different exclusion that was intended - worth raising upstream, since this
# file is regenerated on update and should not be edited locally.
1915meta GOOGLE_DOC_SUSP __GOOGLE_DOC_SUSP && !GOOGLE_DOCS_PHISH_MANY && !__HAS_SENDER && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__USING_VERP1 && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_SMTP && ! __HAS_LIST_ID && !__SURVEY && !__BUGGED_IMG
1916describe GOOGLE_DOC_SUSP Suspicious use of Google Docs
1917#score GOOGLE_DOC_SUSP 3.000 # limit
1918tflags GOOGLE_DOC_SUSP publish
1919##} GOOGLE_DOC_SUSP
1920
1921##{ GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1922
1923if (version >= 3.004002)
1924ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1925meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD
1926tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish
1927describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD
1928#score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit
1929endif
1930endif
1931##} GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1932
1933##{ GOOG_MALWARE_DNLD
1934
1935meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD
1936describe GOOG_MALWARE_DNLD File download via Google - Malware?
1937#score GOOG_MALWARE_DNLD 5.000 # limit
1938tflags GOOG_MALWARE_DNLD publish
1939##} GOOG_MALWARE_DNLD
1940
1941##{ GOOG_REDIR_DOCUSIGN
1942
# Flags a link that reaches www.docusign.com through the www.google.com/url
# redirector instead of pointing there directly.
# The pattern uses m;...;i so that '/' needs no escaping. It starts at "://",
# so the scheme is not constrained, and the host must be exactly
# www.google.com.
# .*q= is not tied to a parameter boundary, so any query text ending in "q="
# before the target satisfies it.
# The target must be http or https, host www.docusign.com, followed by '/'.
# No score line is visible in this block; the effective score is set elsewhere.
1943uri GOOG_REDIR_DOCUSIGN m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i
1944describe GOOG_REDIR_DOCUSIGN Indirect docusign link, probable phishing
1945tflags GOOG_REDIR_DOCUSIGN publish
1946##} GOOG_REDIR_DOCUSIGN
1947
21dcadbf
SI
1948##{ GOOG_REDIR_HTML_ONLY
1949
1950meta GOOG_REDIR_HTML_ONLY (__GOOG_REDIR && MIME_HTML_ONLY) && !RDNS_NONE && !__LCL__KAM_BODY_LENGTH_LT_512
1951describe GOOG_REDIR_HTML_ONLY Google redirect to obscure spamvertised website + HTML only
1952#score GOOG_REDIR_HTML_ONLY 2.000 # limit
1953##} GOOG_REDIR_HTML_ONLY
1954
b780ea8d
SI
1955##{ GOOG_REDIR_NORDNS
1956
1957meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE
1958describe GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website + no rDNS
1959##} GOOG_REDIR_NORDNS
1960
1961##{ GOOG_REDIR_SHORT
1962
1963meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512
1964describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message
1965tflags GOOG_REDIR_SHORT publish
1966##} GOOG_REDIR_SHORT
1967
46cfc9e2
SI
1968##{ GOOG_STO_EMAIL_PHISH
1969
1970meta GOOG_STO_EMAIL_PHISH __URI_GOOG_STO_EMAIL && (__PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ || __FROM_ADMIN || __VERIFY_ACCOUNT)
1971describe GOOG_STO_EMAIL_PHISH Possible phishing with google hosted content URI having email address
1972#score GOOG_STO_EMAIL_PHISH 3.00 # limit
1973tflags GOOG_STO_EMAIL_PHISH publish
1974##} GOOG_STO_EMAIL_PHISH
1975
b780ea8d
SI
1976##{ GOOG_STO_HTML_PHISH
1977
1978meta GOOG_STO_HTML_PHISH __GOOG_STO_HTML_PHISH
1979describe GOOG_STO_HTML_PHISH Possible phishing with google content hosting to avoid URIBL
1980#score GOOG_STO_HTML_PHISH 3.00 # limit
1981tflags GOOG_STO_HTML_PHISH publish
1982##} GOOG_STO_HTML_PHISH
1983
1984##{ GOOG_STO_HTML_PHISH_MANY
1985
1986meta GOOG_STO_HTML_PHISH_MANY __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
1987describe GOOG_STO_HTML_PHISH_MANY Phishing with google content hosting to avoid URIBL
1988#score GOOG_STO_HTML_PHISH_MANY 4.00 # limit
1989tflags GOOG_STO_HTML_PHISH_MANY publish
1990##} GOOG_STO_HTML_PHISH_MANY
1991
1992##{ GOOG_STO_IMG_HTML
1993
1994meta GOOG_STO_IMG_HTML __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY
1995describe GOOG_STO_IMG_HTML Apparently using google content hosting to avoid URIBL
1996#score GOOG_STO_IMG_HTML 3.000 # limit
1997tflags GOOG_STO_IMG_HTML publish
1998##} GOOG_STO_IMG_HTML
1999
2000##{ GOOG_STO_IMG_NOHTML
2001
2002meta GOOG_STO_IMG_NOHTML __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !URI_GOOG_STO_SPAMMY
2003describe GOOG_STO_IMG_NOHTML Apparently using google content hosting to avoid URIBL
2004#score GOOG_STO_IMG_NOHTML 2.500 # limit
2005tflags GOOG_STO_IMG_NOHTML publish
2006##} GOOG_STO_IMG_NOHTML
2007
2008##{ GOOG_STO_NOIMG_HTML
2009
2010meta GOOG_STO_NOIMG_HTML __GOOG_STO_NOIMG_HTML && !URI_GOOG_STO_SPAMMY
2011describe GOOG_STO_NOIMG_HTML Apparently using google content hosting to avoid URIBL
2012#score GOOG_STO_NOIMG_HTML 3.000 # limit
2013tflags GOOG_STO_NOIMG_HTML publish
2014##} GOOG_STO_NOIMG_HTML
2015
2016##{ HAS_X_NO_RELAY
2017
2018meta HAS_X_NO_RELAY __HAS_X_NO_RELAY && !__TO_EQ_FROM_1
2019describe HAS_X_NO_RELAY Has spammy header
2020#score HAS_X_NO_RELAY 2.500 # limit
2021tflags HAS_X_NO_RELAY publish
2022##} HAS_X_NO_RELAY
2023
2024##{ HAS_X_OUTGOING_SPAM_STAT
2025
46cfc9e2 2026meta HAS_X_OUTGOING_SPAM_STAT __HAS_X_OUTGOING_SPAM_STAT && !MAILING_LIST_MULTI && !__HAS_X_MAILMAN_VERSION && !__AUTOREPLY_ASU && !__THREAD_INDEX_GOOD && !__HAS_X_LOOP && !__DOC_ATTACH && !__PDF_ATTACH && !__FROM_EQ_ORG_1 && !__HAS_IN_REPLY_TO
b780ea8d 2027describe HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - why trust the results?
46cfc9e2 2028#score HAS_X_OUTGOING_SPAM_STAT 2.000 # limit
b780ea8d
SI
2029tflags HAS_X_OUTGOING_SPAM_STAT publish
2030##} HAS_X_OUTGOING_SPAM_STAT
2031
54c714b2
SI
2032##{ HDRS_LCASE
2033
2034describe HDRS_LCASE Odd capitalization of message header
2035#score HDRS_LCASE 0.10 # limit
2036##} HDRS_LCASE
2037
2038##{ HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
2039
2040if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
2041 meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
2042endif
2043##} HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
2044
2045##{ HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
2046
2047ifplugin Mail::SpamAssassin::Plugin::FreeMail
2048 meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
2049endif
2050##} HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
2051
151f49fd
SI
2052##{ HDRS_LCASE_IMGONLY
2053
2054meta HDRS_LCASE_IMGONLY __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN
2055describe HDRS_LCASE_IMGONLY Odd capitalization of message headers + image-only HTML
2056#score HDRS_LCASE_IMGONLY 0.10 # limit
2057##} HDRS_LCASE_IMGONLY
2058
b780ea8d
SI
2059##{ HDRS_MISSP
2060
2061meta HDRS_MISSP __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY)
2062describe HDRS_MISSP Misspaced headers
2063#score HDRS_MISSP 2.500 # limit
2064tflags HDRS_MISSP publish
2065##} HDRS_MISSP
2066
2067##{ HDR_ORDER_FTSDMCXX_001C
2068
2069meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C)
2070describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant)
2071##} HDR_ORDER_FTSDMCXX_001C
2072
2073##{ HDR_ORDER_FTSDMCXX_BAT
2074
2075meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY)
2076describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant)
2077##} HDR_ORDER_FTSDMCXX_BAT
2078
2079##{ HDR_ORDER_FTSDMCXX_DIRECT
2080
# Combines the header-order sub-rule __HDR_ORDER_FTSDMCXXXX with
# __DOS_SINGLE_EXT_RELAY, and is suppressed for ALL_TRUSTED and __VIA_ML mail.
# NOTE(review): the describe text says "boundary variant", but this expression
# does not test __BAT_BOUNDARY (HDR_ORDER_FTSDMCXX_BAT does). The wording looks
# carried over from that rule, so read hits on this rule as
# "header order + single external relay".
2081meta HDR_ORDER_FTSDMCXX_DIRECT (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML
2082describe HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX
2083#score HDR_ORDER_FTSDMCXX_DIRECT 2.000 # limit
2084tflags HDR_ORDER_FTSDMCXX_DIRECT publish
2085##} HDR_ORDER_FTSDMCXX_DIRECT
2086
2087##{ HDR_ORDER_FTSDMCXX_NORDNS
2088
# Combines the header-order sub-rule __HDR_ORDER_FTSDMCXXXX with __RDNS_NONE,
# and is suppressed for ALL_TRUSTED mail.
# NOTE(review): the describe text says "boundary variant", but this expression
# does not test __BAT_BOUNDARY (HDR_ORDER_FTSDMCXX_BAT does). The wording looks
# carried over from that rule, so read hits on this rule as
# "header order + no reverse DNS".
2089meta HDR_ORDER_FTSDMCXX_NORDNS (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED
2090describe HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS
2091#score HDR_ORDER_FTSDMCXX_NORDNS 3.500 # limit
2092tflags HDR_ORDER_FTSDMCXX_NORDNS publish
2093##} HDR_ORDER_FTSDMCXX_NORDNS
2094
2095##{ HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2096
2097ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2098header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999')
2099describe HEADER_COUNT_SUBJECT Multiple Subject headers found
2100endif
2101##} HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2102
2103##{ HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
2104
2105ifplugin Mail::SpamAssassin::Plugin::FreeMail
2106 ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2107 if (version >= 3.004000)
2108 header HEADER_FROM_DIFFERENT_DOMAINS eval:check_equal_from_domains()
2109 describe HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
2110# score HEADER_FROM_DIFFERENT_DOMAINS 0.25
2111 tflags HEADER_FROM_DIFFERENT_DOMAINS publish
2112endif
2113endif
2114endif
2115##} HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
2116
2117##{ HELO_FRIEND
2118
2119header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i
2120##} HELO_FRIEND
2121
b780ea8d
SI
2122##{ HELO_LH_LD
2123
2124header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i
2125##} HELO_LH_LD
2126
2127##{ HELO_LOCALHOST
2128
2129header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i
2130##} HELO_LOCALHOST
2131
b780ea8d
SI
2132##{ HELO_NO_DOMAIN
2133
2134meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST
2135describe HELO_NO_DOMAIN Relay reports its domain incorrectly
2136tflags HELO_NO_DOMAIN publish
2137##} HELO_NO_DOMAIN
2138
2139##{ HELO_OEM
2140
2141header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
2142##} HELO_OEM
2143
2144##{ HEXHASH_WORD
2145
2146meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER
2147describe HEXHASH_WORD Multiple instances of word + hexadecimal hash
2148#score HEXHASH_WORD 3.000 # limit
2149tflags HEXHASH_WORD publish
2150##} HEXHASH_WORD
2151
2152##{ HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2153
2154ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2155mimeheader HK_CTE_RAW Content-Transfer-Encoding =~ /^raw$/
2156#score HK_CTE_RAW 2
2157tflags HK_CTE_RAW publish
2158endif
2159##} HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2160
2161##{ HK_LOTTO
2162
2163meta HK_LOTTO __HK_LOTTO_2 || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT
2164#score HK_LOTTO 1
2165##} HK_LOTTO
2166
2167##{ HK_NAME_DRUGS
2168
151f49fd 2169header HK_NAME_DRUGS From:name =~ /(?:viagra|\bcialis|cialis\b)/mi
b780ea8d
SI
2170describe HK_NAME_DRUGS From name contains drugs
2171#score HK_NAME_DRUGS 2
2172##} HK_NAME_DRUGS
2173
151f49fd
SI
2174##{ HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
2175
2176ifplugin Mail::SpamAssassin::Plugin::FreeMail
2177if (version >= 3.004000)
2178 meta HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM
2179# score HK_NAME_FM_MR_MRS 1.5
2180endif
2181endif
2182##} HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
2183
b780ea8d
SI
2184##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
2185
2186ifplugin Mail::SpamAssassin::Plugin::FreeMail
2187if (version >= 3.004000)
2188 meta HK_NAME_MR_MRS __HK_NAME_MR_MRS && !FREEMAIL_FROM
2189# score HK_NAME_MR_MRS 1.0
2190endif
2191endif
2192##} HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
2193
2194##{ HK_RANDOM_ENVFROM
2195
54c714b2 2196header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
b780ea8d
SI
2197describe HK_RANDOM_ENVFROM Envelope sender username looks random
2198#score HK_RANDOM_ENVFROM 1
2199tflags HK_RANDOM_ENVFROM publish
2200##} HK_RANDOM_ENVFROM
2201
2202##{ HK_RANDOM_FROM
2203
54c714b2 2204header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
b780ea8d
SI
2205describe HK_RANDOM_FROM From username looks random
2206#score HK_RANDOM_FROM 1
2207tflags HK_RANDOM_FROM publish
2208##} HK_RANDOM_FROM
2209
2210##{ HK_RANDOM_REPLYTO
2211
54c714b2 2212header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mc(?:b|g)r|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
b780ea8d
SI
2213describe HK_RANDOM_REPLYTO Reply-To username looks random
2214#score HK_RANDOM_REPLYTO 1
2215tflags HK_RANDOM_REPLYTO publish
2216##} HK_RANDOM_REPLYTO
2217
2218##{ HK_RCVD_IP_MULTICAST
2219
# Hits when any entry in X-Spam-Relays-External carries an ip= value whose
# first octet is 224-239, the IPv4 multicast block 224.0.0.0/4.
# The pattern is not anchored to the start of the header, so every external
# relay entry is considered, not just the first.
# NOTE(review): a multicast address cannot be the source of an SMTP/TCP
# session, so a hit presumably means the Received data was forged or
# mis-parsed - confirm on a sample before acting on it.
# IPv6 multicast is not covered by this expression.
2220header HK_RCVD_IP_MULTICAST X-Spam-Relays-External =~ / ip=(?:22[4-9]|23[0-9])\./
2221#score HK_RCVD_IP_MULTICAST 2
2222tflags HK_RCVD_IP_MULTICAST publish
2223##} HK_RCVD_IP_MULTICAST
2224
2225##{ HK_SCAM
2226
2227meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || __HK_SCAM_N16 || __HK_SCAM_S1 || __HK_SCAM_S15 || __HK_SCAM_S25
2228#score HK_SCAM 2
2229tflags HK_SCAM publish
2230##} HK_SCAM
2231
54c714b2
SI
2232##{ HK_WIN
2233
2234meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2)
2235#score HK_WIN 1
2236##} HK_WIN
2237
b780ea8d
SI
2238##{ HOSTED_IMG_DIRECT_MX
2239
151f49fd 2240meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS && !__HDR_RCVD_AMAZON
b780ea8d 2241#score HOSTED_IMG_DIRECT_MX 3.500 # limit
46cfc9e2 2242describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm, CDN or hosting site, message direct-to-mx
b780ea8d
SI
2243tflags HOSTED_IMG_DIRECT_MX publish
2244##} HOSTED_IMG_DIRECT_MX
2245
2246##{ HOSTED_IMG_DQ_UNSUB
2247
2248meta HOSTED_IMG_DQ_UNSUB __HOSTED_IMG_DQ_UNSUB
2249#score HOSTED_IMG_DQ_UNSUB 3.500 # limit
2250describe HOSTED_IMG_DQ_UNSUB Image hosted at large ecomm site, IP addr unsub link
2251tflags HOSTED_IMG_DQ_UNSUB publish
2252##} HOSTED_IMG_DQ_UNSUB
2253
2254##{ HOSTED_IMG_FREEM
2255
2256meta HOSTED_IMG_FREEM __HOSTED_IMG_FREEM && !__THREADED
2257#score HOSTED_IMG_FREEM 3.500 # limit
46cfc9e2 2258describe HOSTED_IMG_FREEM Image hosted at large ecomm, CDN or hosting site or redirected, freemail from or reply-to
b780ea8d
SI
2259tflags HOSTED_IMG_FREEM publish
2260##} HOSTED_IMG_FREEM
2261
2262##{ HOSTED_IMG_MULTI
2263
151f49fd 2264meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS && !__RCD_RDNS_MAIL
b780ea8d 2265#score HOSTED_IMG_MULTI 3.000 # limit
46cfc9e2 2266describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirected
b780ea8d
SI
2267tflags HOSTED_IMG_MULTI publish
2268##} HOSTED_IMG_MULTI
2269
2270##{ HOSTED_IMG_MULTI_PUB_01
2271
31955ede 2272meta HOSTED_IMG_MULTI_PUB_01 (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF && !__HAS_IN_REPLY_TO
b780ea8d
SI
2273describe HOSTED_IMG_MULTI_PUB_01 Multiple hosted images at public site
2274#score HOSTED_IMG_MULTI_PUB_01 3.000 # limit
2275tflags HOSTED_IMG_MULTI_PUB_01 publish
2276##} HOSTED_IMG_MULTI_PUB_01
2277
151f49fd
SI
2278##{ HREF_EMPTY_NORDNS
2279
2280meta HREF_EMPTY_NORDNS __HREF_EMPTY_NORDNS
2281describe HREF_EMPTY_NORDNS Empty href + no rDNS
2282#score HREF_EMPTY_NORDNS 2.500 # limit
2283tflags HREF_EMPTY_NORDNS publish
2284##} HREF_EMPTY_NORDNS
2285
2286##{ HREF_EMPTY_PHPMAIL
2287
2288meta HREF_EMPTY_PHPMAIL __HREF_EMPTY_PHPMAIL
2289describe HREF_EMPTY_PHPMAIL Empty href + PHP Mailer
2290#score HREF_EMPTY_PHPMAIL 2.500 # limit
2291tflags HREF_EMPTY_PHPMAIL publish
2292##} HREF_EMPTY_PHPMAIL
2293
2294##{ HREF_EMPTY_XANTIABUSE
2295
2296meta HREF_EMPTY_XANTIABUSE __HREF_EMPTY_XANTIABUSE
2297describe HREF_EMPTY_XANTIABUSE Empty href + X-AntiAbuse
2298#score HREF_EMPTY_XANTIABUSE 2.500 # limit
2299tflags HREF_EMPTY_XANTIABUSE publish
2300##} HREF_EMPTY_XANTIABUSE
2301
2302##{ HREF_EMPTY_XAUTHED
2303
2304meta HREF_EMPTY_XAUTHED __HREF_EMPTY_XAUTHED
2305describe HREF_EMPTY_XAUTHED Empty href + X-Authenticated-Sender
2306#score HREF_EMPTY_XAUTHED 2.500 # limit
2307tflags HREF_EMPTY_XAUTHED publish
2308##} HREF_EMPTY_XAUTHED
2309
##{ HTML_BADATTR

describe HTML_BADATTR Illegal char in HTML attribute name
# Raw-body match: a tag with a 1-10 letter lowercase name, whitespace, 1-80
# non-'>' characters, then a '/' glued directly in front of "src" or "href"
# and an '='. All quantifiers are bounded.
# NOTE(review): there is no /i flag, so upper- or mixed-case tag and attribute
# names do not match - confirm that is intended.
rawbody HTML_BADATTR /<[a-z]{1,10}\s[^>]{1,80}\/(?:src|href)\s*\=/
#score HTML_BADATTR 1
tflags HTML_BADATTR publish
##} HTML_BADATTR
2317
b780ea8d
SI
2318##{ HTML_ENTITY_ASCII
2319
2320meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP
2321describe HTML_ENTITY_ASCII Obfuscated ASCII
2322#score HTML_ENTITY_ASCII 3.000 # limit
2323tflags HTML_ENTITY_ASCII publish
2324##} HTML_ENTITY_ASCII
2325
2326##{ HTML_ENTITY_ASCII_TINY
2327
31955ede 2328meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_TINY && !__HAS_IN_REPLY_TO
b780ea8d
SI
2329describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts
2330#score HTML_ENTITY_ASCII_TINY 3.000 # limit
2331tflags HTML_ENTITY_ASCII_TINY publish
2332##} HTML_ENTITY_ASCII_TINY
2333
46cfc9e2
SI
2334##{ HTML_FONT_TINY_NORDNS
2335
31955ede 2336meta HTML_FONT_TINY_NORDNS __HTML_FONT_TINY_NORDNS && !__HAS_CID
46cfc9e2 2337describe HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
31955ede 2338#score HTML_FONT_TINY_NORDNS 2.000 # limit
46cfc9e2
SI
2339##} HTML_FONT_TINY_NORDNS
2340
b780ea8d
SI
2341##{ HTML_OFF_PAGE
2342
2343meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS
2344describe HTML_OFF_PAGE HTML element rendered well off the displayed page
2345#score HTML_OFF_PAGE 3.000 # limit
2346tflags HTML_OFF_PAGE publish
2347##} HTML_OFF_PAGE
2348
2349##{ HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2350
2351if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2352 meta HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU_MANY
2353 describe HTML_SHRT_CMNT_OBFU_MANY Obfuscation with many short HTML comments
2354# score HTML_SHRT_CMNT_OBFU_MANY 2.500 # limit
2355 tflags HTML_SHRT_CMNT_OBFU_MANY publish
2356endif
2357##} HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2358
2359##{ HTML_SINGLET_MANY
2360
2361meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP
2362describe HTML_SINGLET_MANY Many single-letter HTML format blocks
2363#score HTML_SINGLET_MANY 2.500 # limit
2364tflags HTML_SINGLET_MANY publish
2365##} HTML_SINGLET_MANY
2366
##{ HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

# Only defined when the running SpamAssassin reports feature_bug6558_free.
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  # __FONT_INVIS_MANY (defined elsewhere) must hit; every other term is an
  # exclusion. Two of them (__DKIMWL_WL_HI, USER_IN_DEF_DKIM_WL) are
  # DKIM-welcomelist signals by name - presumably they need the DKIM plugin
  # and network tests to ever be true; confirm.
  meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID
  describe HTML_TEXT_INVISIBLE_FONT HTML hidden text - word obfuscation?
# score HTML_TEXT_INVISIBLE_FONT 2.000 # limit
  tflags HTML_TEXT_INVISIBLE_FONT publish
endif
##} HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2376
2377##{ HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2378
2379if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2380 meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX
2381 describe HTML_TEXT_INVISIBLE_STYLE HTML hidden text + other spam signs
2382# score HTML_TEXT_INVISIBLE_STYLE 3.500 # limit
2383 tflags HTML_TEXT_INVISIBLE_STYLE publish
2384endif
2385##} HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2386
##{ HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch

# The rule exists only when the HTTPSMismatch plugin is loaded; without it
# the name is undefined in this file. No describe or score line is given here.
ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
# Eval test implemented by the plugin. NOTE(review): the two arguments are
# presumably the minimum and maximum number of mismatching anchors - confirm
# in the plugin documentation.
body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10')
endif
##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
2393
2394##{ IMG_ONLY_FM_DOM_INFO
2395
2396meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO
2397describe IMG_ONLY_FM_DOM_INFO HTML image-only message from .info domain
2398#score IMG_ONLY_FM_DOM_INFO 2.500 # limit
2399tflags IMG_ONLY_FM_DOM_INFO publish
2400##} IMG_ONLY_FM_DOM_INFO
2401
2402##{ JH_SPAMMY_HEADERS
2403
2404meta JH_SPAMMY_HEADERS __HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGID || __HAS_X_LETTER || __HAS_X_EBSERVER || __HAS_LIST_OPEN
2405describe JH_SPAMMY_HEADERS Has unusual message header(s) seen primarily in spam
2406#score JH_SPAMMY_HEADERS 3.500 # limit
2407tflags JH_SPAMMY_HEADERS publish
2408##} JH_SPAMMY_HEADERS
2409
##{ JH_SPAMMY_PATTERN01

# Raw-body match for two <img> tags within 200 characters of each other whose
# URLs share the same base (\1) and the same .jpg file name (\2), the first
# prefixed with "C" and the second with "U". Delimiter is ';', flags are i, s
# and m. Every quantifier is bounded, which keeps backtracking limited.
rawbody JH_SPAMMY_PATTERN01 m;<img src=['"](https?://[^'"]{1,80}/)C([^/.]{1,30}\.jpg)['"]>.{0,200}<img src="\1U\2";ism
describe JH_SPAMMY_PATTERN01 Unusual pattern seen in spam campaign
#score JH_SPAMMY_PATTERN01 3.000 # limit
tflags JH_SPAMMY_PATTERN01 publish
##} JH_SPAMMY_PATTERN01
2417
##{ JH_SPAMMY_PATTERN02

# Raw-body match for an <img> whose src is a ".php?" URL with "t=o" plus
# further parameters, followed within 200 characters by a link to the same
# URL (\1) and parameters (\2) with "t=c", and then another with "t=u".
# Only the one-letter "t" value differs between the three URLs.
rawbody JH_SPAMMY_PATTERN02 m;<img [^>]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200}<a href="\1t=c\2".{0,200}<a href="\1t=u\2";ism
describe JH_SPAMMY_PATTERN02 Unusual pattern seen in spam campaign
#score JH_SPAMMY_PATTERN02 3.000 # limit
tflags JH_SPAMMY_PATTERN02 publish
##} JH_SPAMMY_PATTERN02
2425
##{ JM_I_FEEL_LUCKY

# URI match for a query parameter exactly "btnI=ec": it must follow '?' or '&'
# and be followed by '&' or the end of the URI. The host is not constrained.
# NOTE(review): by its name this targets a search-engine "lucky" redirect used
# to hide the real destination - presumably; no describe line is given here.
uri JM_I_FEEL_LUCKY /(?:\&|\?)btnI=ec(?:$|\&)/
tflags JM_I_FEEL_LUCKY publish # low hitrate, but always a good sign
##} JM_I_FEEL_LUCKY
2431
2432##{ JM_RCVD_QMAILV1
2433
2434header JM_RCVD_QMAILV1 Received =~ /by \S+ \(Qmailv1\) with ESMTP/
2435##} JM_RCVD_QMAILV1
2436
2437##{ JM_TORA_XM
2438
2439meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
2440##} JM_TORA_XM
2441
2442##{ KB_DATE_CONTAINS_TAB
2443
2444meta KB_DATE_CONTAINS_TAB __KB_DATE_CONTAINS_TAB && !__ML_TURNS_SP_TO_TAB
2445#score KB_DATE_CONTAINS_TAB 0.5
2446##} KB_DATE_CONTAINS_TAB
2447
2448##{ KB_FAKED_THE_BAT
2449
2450meta KB_FAKED_THE_BAT (__THEBAT_MUA && KB_DATE_CONTAINS_TAB)
2451##} KB_FAKED_THE_BAT
2452
2453##{ KB_RATWARE_BOUNDARY
2454
2455meta KB_RATWARE_BOUNDARY __RATWARE_BOUND_A || __RATWARE_BOUND_B
2456##} KB_RATWARE_BOUNDARY
2457
2458##{ KB_RATWARE_MSGID
2459
2460meta KB_RATWARE_MSGID (__KB_MSGID_OUTLOOK_888 && __ANY_OUTLOOK_MUA)
2461##} KB_RATWARE_MSGID
2462
##{ KB_RATWARE_OUTLOOK_08

# Runs against the ALL pseudo-header (the whole header block). Captures the
# first 8 hex digits after a 4-character prefix in Message-Id and requires the
# same 8 digits (\1) in a "----=_NextPart_000_" MIME boundary 100-400
# characters later, i.e. the two values are correlated.
# The trailing '# "' is a comment; presumably it only rebalances the quote for
# editors' syntax highlighting.
header KB_RATWARE_OUTLOOK_08 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi # "
##} KB_RATWARE_OUTLOOK_08
2467
##{ KB_RATWARE_OUTLOOK_12

# Runs against the ALL pseudo-header. Captures 8 hex digits (\1) and the first
# 4 hex digits of the next '$'-separated field (\2) from Message-Id, and
# requires "\1.\2" inside a "----=_NextPart_000_" MIME boundary 100-400
# characters later: 12 correlated hex digits in total.
header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # "
##} KB_RATWARE_OUTLOOK_12
2472
##{ KB_RATWARE_OUTLOOK_16

# Runs against the ALL pseudo-header. Captures two 8-hex-digit fields (\1, \2)
# from Message-Id and requires "\1.\2" inside a "----=_NextPart_000_" MIME
# boundary 100-400 characters later: 16 correlated hex digits in total.
header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # "
##} KB_RATWARE_OUTLOOK_16
2477
##{ KB_RATWARE_OUTLOOK_MID

# Runs against the ALL pseudo-header. Message-Id must hold three '$'-separated
# 8-hex-digit fields followed by '@'; the first two (\1, \2) must reappear as
# "\1.\2" at the very end of the quoted MIME boundary (the closing '"' is part
# of the pattern), 100-400 characters later.
header KB_RATWARE_OUTLOOK_MID ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi
##} KB_RATWARE_OUTLOOK_MID
2482
151f49fd
SI
##{ KHOP_FAKE_EBAY

# Fires when __EBAY_ADDRESS hits and __NOT_SPOOFED does not. Both sub-rules are
# defined elsewhere, so how strong the rule is depends on what __NOT_SPOOFED
# accepts as authentication - TODO confirm. No score or tflags line is given here.
meta KHOP_FAKE_EBAY __EBAY_ADDRESS && !__NOT_SPOOFED
describe KHOP_FAKE_EBAY Sender falsely claims to be from eBay
##} KHOP_FAKE_EBAY
2488
b780ea8d
SI
##{ KHOP_HELO_FCRDNS

# Fires on __HELO_NOT_RDNS unless any one of the five bracketed exemptions
# hits (mailing list, safe freemail, DNSWL listing, not-spoofed, short rDNS,
# going by the sub-rule names; all are defined elsewhere).
# NOTE(review): the rule name says FCrDNS but the description only states that
# HELO differs from the reverse DNS name - confirm which check is performed.
meta KHOP_HELO_FCRDNS __HELO_NOT_RDNS && !(__VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || __NOT_SPOOFED || __RDNS_SHORT)
describe KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
#score KHOP_HELO_FCRDNS 0.4 # 20090603
##} KHOP_HELO_FCRDNS
2495
46cfc9e2
SI
2496##{ LINKEDIN_IMG_NOT_RCVD_LNKN
2497
2498meta LINKEDIN_IMG_NOT_RCVD_LNKN __LINKED_IMG_NOT_RCVD_LINK && !__LUNSUB_BEFORE_SUBJDT
2499#score LINKEDIN_IMG_NOT_RCVD_LNKN 2.500 # limit
2500describe LINKEDIN_IMG_NOT_RCVD_LNKN Linkedin hosted image but message not from Linkedin
2501tflags LINKEDIN_IMG_NOT_RCVD_LNKN publish
2502##} LINKEDIN_IMG_NOT_RCVD_LNKN
2503
b780ea8d
SI
2504##{ LIST_PRTL_PUMPDUMP
2505
2506meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS
2507describe LIST_PRTL_PUMPDUMP Incomplete List-* headers and stock pump-and-dump
2508#score LIST_PRTL_PUMPDUMP 2.000 # limit
2509tflags LIST_PRTL_PUMPDUMP publish
2510##} LIST_PRTL_PUMPDUMP
2511
2512##{ LIST_PRTL_SAME_USER
2513
2514meta LIST_PRTL_SAME_USER __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO
2515describe LIST_PRTL_SAME_USER Incomplete List-* headers and from+to user the same
2516#score LIST_PRTL_SAME_USER 3.000 # limit
2517tflags LIST_PRTL_SAME_USER publish
2518##} LIST_PRTL_SAME_USER
2519
##{ LIVEFILESTORE

# URI match using '~' as the regex delimiter; unanchored and case-sensitive.
# NOTE(review): the '.' is not escaped, so it matches any character, and the
# pattern may match anywhere in the URI, path and query included, rather than
# only in the host. This file is overwritten by updates (see its header), so
# a tighter variant belongs in local.cf.
uri LIVEFILESTORE m~livefilestore.com/~
##} LIVEFILESTORE
2524
2525##{ LONG_HEX_URI
2526
2527meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024
2528describe LONG_HEX_URI Very long purely hexadecimal URI
2529#score LONG_HEX_URI 3.000 # limit
2530tflags LONG_HEX_URI publish
2531##} LONG_HEX_URI
2532
2533##{ LONG_IMG_URI
2534
2535meta LONG_IMG_URI __45_ALNUM_IMG && !ALL_TRUSTED && !__HAS_ERRORS_TO
2536describe LONG_IMG_URI Image URI with very long path component - web bug?
2537#score LONG_IMG_URI 3.000 # limit
2538tflags LONG_IMG_URI publish
2539##} LONG_IMG_URI
2540
##{ LONG_INVISIBLE_TEXT

# Only the description, the commented-out score and the flags are set in this
# section; the rule's test expression is not defined here.
describe LONG_INVISIBLE_TEXT Long block of hidden text - bayes poison?
#score LONG_INVISIBLE_TEXT 3.000 # limit
tflags LONG_INVISIBLE_TEXT publish
##} LONG_INVISIBLE_TEXT
2547
##{ LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))

# Variant used when the running SpamAssassin does NOT report
# feature_bug6558_free: the rule is simply the __LONG_INVIS_DIV sub-rule.
if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
  meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV
endif
##} LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
2554
##{ LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

# Variant used when feature_bug6558_free is available: __LONG_INVIS_DIV alone,
# or __LONG_STY_INVIS with none of the listed exclusions hitting.
# NOTE(review): !__RCD_RDNS_MTA_MESSY and !__USING_VERP1 each appear twice in
# the exclusion list. The repeats do not change the result, but they suggest
# the list was merged by hand - worth checking that no exclusion was lost.
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV || (__LONG_STY_INVIS && !__UNSUB_LINK && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__RCD_RDNS_MTA && !__RCD_RDNS_MTA_MESSY && !__MIME_QP && !__HAS_X_MAILER && !__REPTO_QUOTE && !__USING_VERP1 )
endif
##} LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2561
2562##{ LONG_TERM_PRICE
2563
151f49fd 2564body LONG_TERM_PRICE /long\W+term\W+(?:target|projected)(?:\W+price)?/i
b780ea8d
SI
2565##} LONG_TERM_PRICE
2566
2567##{ LOOPHOLE_1
2568
2569body LOOPHOLE_1 /loop-?hole in the banking/i
2570describe LOOPHOLE_1 A loop hole in the banking laws?
2571##} LOOPHOLE_1
2572
##{ LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)

# Fallback when the ReplaceTags plugin is not loaded: the rule is defined as
# the constant 0, so it never hits. Metas in this file that require
# LOTS_OF_MONEY (MONEY_BARRISTER, MONEY_FROM_MISSP, MONEY_NOHTML) therefore
# cannot fire without the plugin either - detection is silently reduced, not
# reported as an error.
if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
  meta LOTS_OF_MONEY 0
endif
##} LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
2579
##{ LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

# Real definition, used only when the ReplaceTags plugin is loaded: any of the
# six __LOTSA_MONEY_0x sub-rules (defined elsewhere), unless
# __TRAVEL_ITINERARY also hits.
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
  meta LOTS_OF_MONEY (__LOTSA_MONEY_00 || __LOTSA_MONEY_01 || __LOTSA_MONEY_02 || __LOTSA_MONEY_03 || __LOTSA_MONEY_04 || __LOTSA_MONEY_05) && !__TRAVEL_ITINERARY
  describe LOTS_OF_MONEY Huge... sums of money
  # The commented-out score below is 0.01, i.e. close to informational;
  # other metas in this file combine this rule with further signals.
# score LOTS_OF_MONEY 0.01
  tflags LOTS_OF_MONEY publish
endif
##} LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2589
2590##{ LOTTERY_1
2591
2592meta LOTTERY_1 (__DBLCLAIM && __CASHPRZ)
2593##} LOTTERY_1
2594
2595##{ LOTTERY_PH_004470
2596
2597meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY)
2598##} LOTTERY_PH_004470
2599
54c714b2
SI
2600##{ LOTTO_AGENT
2601
2602meta LOTTO_AGENT __LOTTO_AGENT && !__HAS_IN_REPLY_TO && !__THREADED && !__TO_YOUR_ORG && !__DKIM_EXISTS && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT && !__HAS_ERRORS_TO && !__RP_MATCHES_RCVD
2603describe LOTTO_AGENT Claims Agent
2604#score LOTTO_AGENT 1.50 # limit
2605##} LOTTO_AGENT
2606
2607##{ LOTTO_DEPT
2608
2609meta LOTTO_DEPT __LOTTO_DEPT && !__COMMENT_EXISTS && !__HAS_IN_REPLY_TO && !__THREADED && !__VIA_ML && !__TO_YOUR_ORG && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT
2610describe LOTTO_DEPT Claims Department
2611#score LOTTO_DEPT 2.00 # limit
2612##} LOTTO_DEPT
2613
b780ea8d
SI
2614##{ LUCRATIVE
2615
2616meta LUCRATIVE ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED
2617describe LUCRATIVE Make lots of money!
2618#score LUCRATIVE 2.00 # limit
2619tflags LUCRATIVE publish
2620##} LUCRATIVE
2621
##{ L_SPAM_TOOL_13

# Matches a Date header ending in a numeric zone offset (+HHMM / -HHMM) whose
# minutes field starts with a digit other than 0 or 3, i.e. not :00 or :30.
# The negative lookahead exempts offsets whose second hour digit is 2, 3, 5
# or 8 and whose minutes are 45. No describe or score line is given here.
header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/
##} L_SPAM_TOOL_13
2626
151f49fd
SI
2627##{ MALFORMED_FREEMAIL
2628
2629meta MALFORMED_FREEMAIL (MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM
2630describe MALFORMED_FREEMAIL Bad headers on message from free email service
2631##} MALFORMED_FREEMAIL
2632
b780ea8d
SI
##{ MALF_HTML_B64

# Combination of two published rules defined elsewhere: MIME_BASE64_TEXT and
# HTML_MIME_NO_HTML_TAG. Because both inputs are scored rules in their own
# right (no "__" prefix), a hit here adds to whatever they already contribute.
meta MALF_HTML_B64 MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG
describe MALF_HTML_B64 Malformatted base64-encoded HTML content
#score MALF_HTML_B64 3.500 # limit
tflags MALF_HTML_B64 publish
##} MALF_HTML_B64
2640
##{ MALWARE_NORDNS

# Fires on __MALWARE_NORDNS unless one of the extortion rules
# (BITCOIN_EXTORT_01, MONERO_EXTORT_01) already hit; the exclusions keep the
# same message from being counted by both this rule and those.
meta MALWARE_NORDNS __MALWARE_NORDNS && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01
describe MALWARE_NORDNS Malware bragging + no rDNS
#score MALWARE_NORDNS 3.500 # limit
tflags MALWARE_NORDNS publish
##} MALWARE_NORDNS
2648
##{ MALWARE_PASSWORD

# Fires on __MALWARE_PASSWORD unless one of the extortion rules
# (BITCOIN_EXTORT_01, MONERO_EXTORT_01) already hit; same exclusion pair as
# MALWARE_NORDNS.
meta MALWARE_PASSWORD __MALWARE_PASSWORD && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01
describe MALWARE_PASSWORD Malware bragging + "password"
#score MALWARE_PASSWORD 3.500 # limit
tflags MALWARE_PASSWORD publish
##} MALWARE_PASSWORD
2656
##{ MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

# Defined only when the MIMEHeader plugin is loaded; without it the rule does
# not exist and attachment-name detection from this rule is absent.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  # __MALW_ATTACH (defined elsewhere) supplies the filename test;
  # __HAS_THREAD_INDEX exempts the message. No score line appears here.
  meta MALW_ATTACH __MALW_ATTACH && !__HAS_THREAD_INDEX
  describe MALW_ATTACH Attachment filename suspicious, probable malware exploit
  tflags MALW_ATTACH publish
endif
##} MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2665
151f49fd
SI
##{ MANY_HDRS_LCASE

# Description and commented-out score only; the test expression is not
# defined in this section.
describe MANY_HDRS_LCASE Odd capitalization of multiple message headers
#score MANY_HDRS_LCASE 0.10 # limit
##} MANY_HDRS_LCASE
2671
##{ MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)

# Variant used when the FreeMail plugin is NOT loaded. It has no
# __freemail_safe exclusion, so freemail senders get no exemption here.
if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
  meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
endif
##} MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
2678
##{ MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail

# Variant used when the FreeMail plugin is loaded: the expression additionally
# excludes messages on which __freemail_safe hits. The rule therefore behaves
# differently depending on which plugins a site loads.
ifplugin Mail::SpamAssassin::Plugin::FreeMail
  meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
endif
##} MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
2685
b780ea8d
SI
2686##{ MANY_SPAN_IN_TEXT
2687
2688meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML
2689describe MANY_SPAN_IN_TEXT Many <SPAN> tags embedded within text
2690tflags MANY_SPAN_IN_TEXT publish
2691##} MANY_SPAN_IN_TEXT
2692
151f49fd
SI
2693##{ MANY_SUBDOM
2694
2695meta MANY_SUBDOM __MANY_SUBDOM && !__JM_REACTOR_DATE && !__UNSUB_LINK && !__VIA_ML && !NO_RELAYS && !__UPPERCASE_URI && !__MIME_QP
2696describe MANY_SUBDOM Lots and lots of subdomain parts in a URI
2697##} MANY_SUBDOM
2698
##{ MAY_BE_FORGED

# Fires on __MAY_BE_FORGED unless __NOT_SPOOFED or __VIA_ML hits. All three
# sub-rules are defined elsewhere; per the description the underlying signal
# is a relay whose reverse DNS name does not resolve back to its IP.
# No score or tflags line is given here.
meta MAY_BE_FORGED __MAY_BE_FORGED && !__NOT_SPOOFED && !__VIA_ML
describe MAY_BE_FORGED Relay IP's reverse DNS does not resolve to IP
##} MAY_BE_FORGED
2704
b780ea8d
SI
2705##{ MID_DEGREES
2706
2707header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
2708##} MID_DEGREES
2709
2710##{ MILLION_HUNDRED
2711
2712body MILLION_HUNDRED /Million\s+\S+\s+Hundred/i
2713describe MILLION_HUNDRED Million "One to Nine" Hundred
2714tflags MILLION_HUNDRED publish
2715##} MILLION_HUNDRED
2716
dfdd1e08
SI
2717##{ MILLION_USD
2718
2719body MILLION_USD /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i
2720describe MILLION_USD Talks about millions of dollars
2721#score MILLION_USD 2
2722##} MILLION_USD
2723
b780ea8d
SI
2724##{ MIMEOLE_DIRECT_TO_MX
2725
2726meta MIMEOLE_DIRECT_TO_MX __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS
2727describe MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX
2728#score MIMEOLE_DIRECT_TO_MX 2.000 # limit
2729tflags MIMEOLE_DIRECT_TO_MX publish
2730##} MIMEOLE_DIRECT_TO_MX
2731
2732##{ MIME_BOUND_EQ_REL
2733
2734header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s
2735##} MIME_BOUND_EQ_REL
2736
2737##{ MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2738
2739ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2740 meta MIME_NO_TEXT __MIME_NO_TEXT && !__BOUNCE_CTYPE && !__CT_ENCRYPTED && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__USER_AGENT_APPLEMAIL && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__HS_SUBJ_RE_FW && !__PDF_ATTACH && !__LCL__KAM_BODY_LENGTH_LT_128
2741# score MIME_NO_TEXT 2.00 # limit
2742 describe MIME_NO_TEXT No (properly identified) text body parts
2743 tflags MIME_NO_TEXT publish
2744endif
2745##} MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2746
2747##{ MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2748
2749ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2750 meta MIME_PHP_NO_TEXT (MIME_NO_TEXT && __PHP_MUA)
2751 describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP
2752endif
2753##} MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2754
2755##{ MIXED_AREA_CASE
2756
2757meta MIXED_AREA_CASE __MIXED_AREA_CASE
2758describe MIXED_AREA_CASE Has area tag in mixed case
2759#score MIXED_AREA_CASE 2.500 # limit
2760tflags MIXED_AREA_CASE publish
2761##} MIXED_AREA_CASE
2762
2763##{ MIXED_CENTER_CASE
2764
2765meta MIXED_CENTER_CASE __MIXED_CENTER_CASE
2766describe MIXED_CENTER_CASE Has center tag in mixed case
2767#score MIXED_CENTER_CASE 2.500 # limit
2768tflags MIXED_CENTER_CASE publish
2769##} MIXED_CENTER_CASE
2770
54c714b2
SI
##{ MIXED_CTYPE_CASE

# Content-Type must start with "text/" (any case) followed by "html" spelled in
# mixed case: the lookahead rejects all-lowercase "html" and all-uppercase
# "HTML", and the character classes accept every other capitalization.
# No describe or score line is given here.
header MIXED_CTYPE_CASE Content-Type =~ m;^(?i:text/)(?!html|HTML)[Hh][Tt][Mm][Ll];
##} MIXED_CTYPE_CASE
2775
b780ea8d
SI
##{ MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

# Defined only when feature_bug6558_free is available AND the ReplaceTags
# plugin is loaded.
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
    # Arithmetic meta: the sub-rule names are used as numbers (presumably hit
    # counts - confirm the sub-rules count multiple matches). It requires that
    # HTML_IMAGE_ONLY_16 did not hit, that __LOWER_E exceeds 20, and that
    # __E_LIKE_LETTER lies strictly between 1.4x and 10x __LOWER_E.
    meta MIXED_ES ( ! HTML_IMAGE_ONLY_16 ) && ( __LOWER_E > 20 ) && ( __E_LIKE_LETTER > ( (__LOWER_E * 14 ) / 10) ) && ( __E_LIKE_LETTER < ( 10 * __LOWER_E ) )
    describe MIXED_ES Too many es are not es
    tflags MIXED_ES publish
# The per-language scores below are commented out and therefore inactive;
# presumably they were meant to limit false positives in those languages.
# lang pl score MIXED_ES 0.01
# lang cz score MIXED_ES 0.01
# lang sk score MIXED_ES 0.01
# lang hr score MIXED_ES 0.01
# lang el score MIXED_ES 0.01
endif
endif
##} MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2791
2792##{ MIXED_FONT_CASE
2793
2794meta MIXED_FONT_CASE __MIXED_FONT_CASE
2795describe MIXED_FONT_CASE Has font tag in mixed case
2796#score MIXED_FONT_CASE 2.500 # limit
2797tflags MIXED_FONT_CASE publish
2798##} MIXED_FONT_CASE
2799
2800##{ MIXED_HREF_CASE
2801
151f49fd 2802meta MIXED_HREF_CASE __MIXED_HREF_CASE && !__LYRIS_EZLM_REMAILER && !__HAS_LIST_ID
b780ea8d
SI
2803describe MIXED_HREF_CASE Has href in mixed case
2804#score MIXED_HREF_CASE 2.000 # limit
2805tflags MIXED_HREF_CASE publish
2806##} MIXED_HREF_CASE
2807
2808##{ MIXED_IMG_CASE
2809
2810meta MIXED_IMG_CASE __MIXED_IMG_CASE_JH && !__MSGID_JAVAMAIL
2811describe MIXED_IMG_CASE Has img tag in mixed case
2812#score MIXED_IMG_CASE 3.000 # limit
2813tflags MIXED_IMG_CASE publish
2814##} MIXED_IMG_CASE
2815
##{ MONERO_DEADLINE

# __MONERO plus __HOURS_DEADLINE, suppressed when MONERO_EXTORT_01 already hit
# so the stronger extortion rule is not stacked with this one.
meta MONERO_DEADLINE __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01
describe MONERO_DEADLINE Monero cryptocurrency with a deadline
#score MONERO_DEADLINE 3.000 # limit
tflags MONERO_DEADLINE publish
##} MONERO_DEADLINE
2823
##{ MONERO_EXTORT_01

# __MONERO plus __EXTORT_MANY. This is the rule the other MONERO_* metas and
# the MALWARE_* metas in this file exclude on, and its commented-out limit
# (5.000) is the highest of the MONERO_* group.
meta MONERO_EXTORT_01 __MONERO && __EXTORT_MANY
describe MONERO_EXTORT_01 Extortion spam, pay via Monero cryptocurrency
#score MONERO_EXTORT_01 5.000 # limit
tflags MONERO_EXTORT_01 publish
##} MONERO_EXTORT_01
2831
##{ MONERO_MALWARE

# __MONERO plus __MY_MALWARE, suppressed when MONERO_EXTORT_01 already hit.
meta MONERO_MALWARE __MONERO && __MY_MALWARE && !MONERO_EXTORT_01
describe MONERO_MALWARE Monero cryptocurrency + malware bragging
#score MONERO_MALWARE 3.500 # limit
tflags MONERO_MALWARE publish
##} MONERO_MALWARE
2839
##{ MONERO_PAY_ME

# __MONERO plus __PAY_ME, suppressed when MONERO_EXTORT_01 already hit.
meta MONERO_PAY_ME __MONERO && __PAY_ME && !MONERO_EXTORT_01
describe MONERO_PAY_ME Pay me via Monero cryptocurrency
#score MONERO_PAY_ME 3.000 # limit
tflags MONERO_PAY_ME publish
##} MONERO_PAY_ME
2847
dfdd1e08
SI
2848##{ MONEY_ATM_CARD
2849
2850meta MONEY_ATM_CARD __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE
2851describe MONEY_ATM_CARD Lots of money on an ATM card
2852##} MONEY_ATM_CARD
2853
54c714b2
SI
2854##{ MONEY_BARRISTER
2855
2856meta MONEY_BARRISTER __BARRISTER && LOTS_OF_MONEY
2857describe MONEY_BARRISTER Lots of money from a UK lawyer
2858#score MONEY_BARRISTER 1.000 # limit
2859##} MONEY_BARRISTER
2860
b780ea8d
SI
2861##{ MONEY_FORM
2862
2863meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP
2864describe MONEY_FORM Lots of money if you fill out a form
2865##} MONEY_FORM
2866
2867##{ MONEY_FORM_SHORT
2868
2869meta MONEY_FORM_SHORT __MONEY_FORM_SHORT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__THREADED && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__THREAD_INDEX_GOOD
2870describe MONEY_FORM_SHORT Lots of money if you fill out a short form
2871#score MONEY_FORM_SHORT 2.500 # limit
2872##} MONEY_FORM_SHORT
2873
2874##{ MONEY_FRAUD_3
2875
2876meta MONEY_FRAUD_3 (__MONEY_FRAUD_3 && !__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_3_NEW_MONEY) && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__IS_EXCH && !__VIA_ML && !__HAS_THREAD_INDEX && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__HTML_LINK_IMAGE && !__THREADED && !__DOS_BODY_THU && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
2877describe MONEY_FRAUD_3 Lots of money and several fraud phrases
2878tflags MONEY_FRAUD_3 publish
2879##} MONEY_FRAUD_3
2880
2881##{ MONEY_FRAUD_5
2882
2883meta MONEY_FRAUD_5 (__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_5_NEW_MONEY) && !__VIA_ML && !__HAS_THREAD_INDEX && !__COMMENT_EXISTS && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
2884describe MONEY_FRAUD_5 Lots of money and many fraud phrases
2885tflags MONEY_FRAUD_5 publish
2886##} MONEY_FRAUD_5
2887
2888##{ MONEY_FRAUD_8
2889
2890meta MONEY_FRAUD_8 __MONEY_FRAUD_8 && !__VIA_ML && !__HAS_THREAD_INDEX && !__BUGGED_IMG
2891describe MONEY_FRAUD_8 Lots of money and very many fraud phrases
2892tflags MONEY_FRAUD_8 publish
2893##} MONEY_FRAUD_8
2894
2895##{ MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
2896
2897ifplugin Mail::SpamAssassin::Plugin::FreeMail
2898 meta MONEY_FREEMAIL_REPTO __MONEY_FREEMAIL_REPTO && !__HAS_CAMPAIGNID
2899 describe MONEY_FREEMAIL_REPTO Lots of money from someone using free email?
2900# score MONEY_FREEMAIL_REPTO 3.000 # limit
2901 tflags MONEY_FREEMAIL_REPTO publish
2902endif
2903##} MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
2904
fc5290a3
SI
2905##{ MONEY_FROM_41
2906
2907meta MONEY_FROM_41 __MONEY_FROM_41
2908describe MONEY_FROM_41 Lots of money from Africa
2909#score MONEY_FROM_41 2.00 # limit
2910##} MONEY_FROM_41
2911
b780ea8d
SI
2912##{ MONEY_FROM_MISSP
2913
2914meta MONEY_FROM_MISSP LOTS_OF_MONEY && __FROM_MISSPACED && !__MIME_QP
2915describe MONEY_FROM_MISSP Lots of money and misspaced From
2916#score MONEY_FROM_MISSP 2.000 # limit
2917##} MONEY_FROM_MISSP
2918
151f49fd
SI
2919##{ MONEY_NOHTML
2920
2921meta MONEY_NOHTML LOTS_OF_MONEY && __CT_TEXT_PLAIN
2922describe MONEY_NOHTML Lots of money in plain text
2923#score MONEY_NOHTML 2.500 # limit
2924##} MONEY_NOHTML
2925
b780ea8d
SI
2926##{ MSGID_DOLLARS_URI_IMG
2927
2928meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW
2929describe MSGID_DOLLARS_URI_IMG Suspicious Message-ID and image
2930#score MSGID_DOLLARS_URI_IMG 3.000 # limit
2931tflags MSGID_DOLLARS_URI_IMG publish
2932##} MSGID_DOLLARS_URI_IMG
2933
##{ MSGID_HDR_MALF

# The rule is exactly the __HAS_MESSAGEID sub-rule (defined elsewhere).
# NOTE(review): the sub-rule name reads like a presence test while the
# description says "invalid"; presumably it looks for a misspelled header
# name rather than a valid Message-ID header - confirm against its
# definition before relying on the description.
meta MSGID_HDR_MALF __HAS_MESSAGEID
describe MSGID_HDR_MALF Has invalid message ID header
#score MSGID_HDR_MALF 3.500 # limit
tflags MSGID_HDR_MALF publish
##} MSGID_HDR_MALF
2941
##{ MSGID_MULTIPLE_AT

# Matches a Message-ID in which at least two '@' characters occur after the
# opening '<' with no '>' in between, i.e. inside the same bracketed id.
# The commented-out score (0.001) marks it as essentially informational.
header MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/
describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters
#score MSGID_MULTIPLE_AT 0.001
##} MSGID_MULTIPLE_AT
2948
151f49fd 2949##{ MSGID_NOFQDN1
b780ea8d 2950
151f49fd
SI
2951meta MSGID_NOFQDN1 __MSGID_NOFQDN1
2952describe MSGID_NOFQDN1 Message-ID with no domain name
2953##} MSGID_NOFQDN1
b780ea8d
SI
2954
2955##{ MSM_PRIO_REPTO
2956
2957meta MSM_PRIO_REPTO __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH
2958describe MSM_PRIO_REPTO MSMail priority header + Reply-to + short subject
2959#score MSM_PRIO_REPTO 2.500 # limit
2960tflags MSM_PRIO_REPTO publish
2961##} MSM_PRIO_REPTO
2962
2963##{ MSOE_MID_WRONG_CASE
2964
2965meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)
2966##} MSOE_MID_WRONG_CASE
2967
b780ea8d
SI
2968##{ NA_DOLLARS
2969
2970body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i
2971describe NA_DOLLARS Talks about a million North American dollars
2972#score NA_DOLLARS 1.5
2973##} NA_DOLLARS
2974
2975##{ NEWEGG_IMG_NOT_RCVD_NEGG
2976
2977meta NEWEGG_IMG_NOT_RCVD_NEGG __NEWEGG_IMG_NOT_RCVD_NEGG
2978#score NEWEGG_IMG_NOT_RCVD_NEGG 2.500 # limit
2979describe NEWEGG_IMG_NOT_RCVD_NEGG Newegg hosted image but message not from Newegg
2980tflags NEWEGG_IMG_NOT_RCVD_NEGG publish
2981##} NEWEGG_IMG_NOT_RCVD_NEGG
2982
31955ede
SI
2983##{ NEW_PRODUCTS
2984
2985meta NEW_PRODUCTS __NEW_PRODUCTS && !__STY_INVIS_MANY
2986#score NEW_PRODUCTS 1.250 # limit
2987tflags NEW_PRODUCTS publish
2988##} NEW_PRODUCTS
2989
b780ea8d
SI
2990##{ NICE_REPLY_A
2991
2992meta NICE_REPLY_A (__SUBJ_RE && !__MISSING_REPLY && !__MISSING_REF && __BOTH_INR_AND_REF)
2993describe NICE_REPLY_A Looks like a legit reply (A)
2994tflags NICE_REPLY_A nice
2995##} NICE_REPLY_A
2996
b780ea8d
SI
##{ NOT_SPAM

# Case-insensitive body match for a message asserting that it is not spam, in
# English ("this e-mail/message is not ... Spam", "we are not ... Spam"),
# Spanish and German wording. The leading \b anchors the phrase at a word
# boundary; there is no trailing boundary.
body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i
describe NOT_SPAM I'm not spam! Really! I'm not, I'm not, I'm not!
tflags NOT_SPAM publish
##} NOT_SPAM
3003
3004##{ NO_FM_NAME_IP_HOSTN
3005
3006meta NO_FM_NAME_IP_HOSTN (__KHOP_NO_FULL_NAME && __IP_IN_RELAY) && !__DOS_RELAYED_EXT
3007describe NO_FM_NAME_IP_HOSTN No From name + hostname using IP address
3008#score NO_FM_NAME_IP_HOSTN 2.500 # limit
3009tflags NO_FM_NAME_IP_HOSTN publish
3010##} NO_FM_NAME_IP_HOSTN
3011
##{ NSL_RCVD_FROM_USER

# Case-sensitive match on any Received header containing "from User "
# followed by '[' or '(' - a relay that identified itself with the literal
# name "User". No score or tflags line is given here.
header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
describe NSL_RCVD_FROM_USER Received from User
##} NSL_RCVD_FROM_USER
3017
##{ NSL_RCVD_HELO_USER

# Case-insensitive match on any Received header containing "helo=user)" or
# "helo user)", i.e. a recorded HELO name of "user" at the end of a
# parenthesised clause. No score or tflags line is given here.
header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
describe NSL_RCVD_HELO_USER Received from HELO User
##} NSL_RCVD_HELO_USER
3023
##{ NULL_IN_BODY

# "full" rule: the pattern is applied to the complete message rather than to
# one header or the decoded body text, and matches any NUL byte (\x00).
# No score or tflags line is given here.
full NULL_IN_BODY /\x00/
describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message
##} NULL_IN_BODY
3029
b780ea8d
SI
3030##{ OBFU_BITCOIN
3031
3032meta OBFU_BITCOIN __OBFU_BITCOIN
3033describe OBFU_BITCOIN Obfuscated BitCoin references
3034#score OBFU_BITCOIN 3.000 # limit
3035tflags OBFU_BITCOIN publish
3036##} OBFU_BITCOIN
3037
##{ OBFU_JVSCR_ESC

# Case-insensitive raw-body match for document.write(unescape("...")) where
# the string starts with exactly ten or more consecutive %xx escapes, i.e.
# script content that is percent-encoded before being written into the page.
# Only this exact call nesting and spelling is recognised.
rawbody OBFU_JVSCR_ESC /document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i
describe OBFU_JVSCR_ESC Injects content using obfuscated javascript
tflags OBFU_JVSCR_ESC publish
##} OBFU_JVSCR_ESC
3044
##{ OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

# Defined only when the MIMEHeader plugin is loaded.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  # Matches a MIME part whose Content-Type header declares
  # application/octet-stream and, later in the same header, contains ".txt"
  # (typically the name parameter). ',' is the regex delimiter; the match is
  # case-insensitive. Only the Content-Type header is inspected, not
  # Content-Disposition.
  mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i
  describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type
  tflags OBFU_TEXT_ATTACH publish
endif
##} OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3053
3054##{ OBFU_UNSUB_UL
3055
3056meta OBFU_UNSUB_UL __OBFU_UNSUB_UL && !MAILING_LIST_MULTI
3057describe OBFU_UNSUB_UL Obfuscated unsubscribe text
3058tflags OBFU_UNSUB_UL publish
3059##} OBFU_UNSUB_UL
3060
3061##{ ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
3062
3063ifplugin Mail::SpamAssassin::Plugin::FreeMail
3064 meta ODD_FREEM_REPTO __freemail_mailreplyto
3065 describe ODD_FREEM_REPTO Has unusual reply-to header
3066# score ODD_FREEM_REPTO 3.000 # limit
3067 tflags ODD_FREEM_REPTO publish
3068endif
3069##} ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
3070
b780ea8d
SI
3071##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3072
3073ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3074meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F)
3075describe PART_CID_STOCK Has a spammy image attachment (by Content-ID)
3076endif
3077##} PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3078
3079##{ PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3080
3081ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3082meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS)
3083describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific)
3084endif
3085##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3086
151f49fd 3087##{ PDS_BAD_THREAD_QP_64
dfdd1e08 3088
151f49fd
SI
3089meta PDS_BAD_THREAD_QP_64 __PDS_QP_64 && __HAS_THREAD_INDEX && !__THREAD_INDEX_GOOD
3090describe PDS_BAD_THREAD_QP_64 Bad thread header - short QP
3091#score PDS_BAD_THREAD_QP_64 1.0
3092##} PDS_BAD_THREAD_QP_64
dfdd1e08 3093
b780ea8d
SI
3094##{ PDS_BTC_ID
3095
3096meta PDS_BTC_ID __PDS_BTC_ID
3097describe PDS_BTC_ID FP reduced Bitcoin ID
3098#score PDS_BTC_ID 0.5
3099##} PDS_BTC_ID
3100
##{ PDS_BTC_MSGID

# __PDS_BTC_ID combined with __MSGID_NOFQDN2 (both defined elsewhere).
# NOTE(review): the description names T_MSGID_NOFQDN2 while the expression
# uses __MSGID_NOFQDN2; the description text looks stale - confirm which rule
# name is current.
meta PDS_BTC_MSGID __PDS_BTC_ID && __MSGID_NOFQDN2
describe PDS_BTC_MSGID Bitcoin ID with T_MSGID_NOFQDN2
#score PDS_BTC_MSGID 1.0
##} PDS_BTC_MSGID
3107
3108##{ PDS_DBL_URL_TNB_RUNON
3109
3110meta PDS_DBL_URL_TNB_RUNON __TO_NO_BRKTS_FROM_RUNON && __PDS_DOUBLE_URL
3111describe PDS_DBL_URL_TNB_RUNON Double-url and To no arrows, from runon
3112#score PDS_DBL_URL_TNB_RUNON 2.0
3113##} PDS_DBL_URL_TNB_RUNON
3114
fc5290a3 3115##{ PDS_FRNOM_TODOM_DBL_URL
b780ea8d 3116
54c714b2 3117meta PDS_FRNOM_TODOM_DBL_URL T_PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL
3118describe PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL
3119#score PDS_FRNOM_TODOM_DBL_URL 1.5
3120##} PDS_FRNOM_TODOM_DBL_URL
21dcadbf 3121
3122##{ PDS_HELO_SPF_FAIL
3123
# Fires when the SPF check on the HELO identity fails (SPF_HELO_FAIL) and the
# HELO name is one that __HELO_HIGHPROFILE flags; both terms are defined
# outside this stanza.
# The HELO name is whatever the connecting client announces, so this rule is
# about a client claiming a well-known name that its SPF record does not cover.
# NOTE(review): there is no ifplugin guard for the SPF plugin here; if that
# plugin is not loaded, SPF_HELO_FAIL presumably never hits - confirm.
# 'tflags net' marks this as a network test, so it is skipped when network
# tests are disabled. The score line below is commented out in this file.
3124meta PDS_HELO_SPF_FAIL SPF_HELO_FAIL && __HELO_HIGHPROFILE
3125describe PDS_HELO_SPF_FAIL High profile HELO that fails SPF
3126#score PDS_HELO_SPF_FAIL 2.0
3127tflags PDS_HELO_SPF_FAIL net
3128##} PDS_HELO_SPF_FAIL
3129
151f49fd 3130##{ PDS_HP_HELO_NORDNS
46cfc9e2 3131
3132meta PDS_HP_HELO_NORDNS RDNS_NONE && __HELO_HIGHPROFILE
3133describe PDS_HP_HELO_NORDNS High profile HELO with no sender rDNS
3134#score PDS_HP_HELO_NORDNS 1.0
3135##} PDS_HP_HELO_NORDNS
46cfc9e2 3136
151f49fd 3137##{ PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
21dcadbf 3138
# PDS_OTHER_BAD_TLD is only defined on SpamAssassin 3.4.2 or later with the
# WLBLEval plugin loaded; on other installs the rule does not exist at all.
# The eval checks URI hosts against the host list named 'SUSP_URI_NTLD'. The
# list entries are declared outside this stanza, so what counts as an
# "untrustworthy TLD" is decided there, not here.
# The score line is commented out in this file.
3139if (version >= 3.004002)
3140ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3141header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD')
3142#score PDS_OTHER_BAD_TLD 2.0
3143describe PDS_OTHER_BAD_TLD Untrustworthy TLDs
3144endif
3145endif
3146##} PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3147
3148##{ PDS_PHPEXP_BOT
3149
# Three conditions must all hold:
#   1. __SENDER_BOT hits;
#   2. at least one of __PDS_TONAME_EQ_TOLOCAL / __NAKED_TO hits
#      (the sum ">= 1" is an at-least-one-of test);
#   3. at least one of the four PHP-header indicators hits
#      (__PDS_PHP_EVAL2, __PDS_PHP_EVAL1, T_PDS_X_PHP_WP_EXP,
#      __PDS_X_PHP_WELLKNOWN).
# Every subrule is defined outside this stanza. The description reads the
# combination as mail sent by a bot through an exploited PHP script.
# The score line is commented out in this file.
3150meta PDS_PHPEXP_BOT __SENDER_BOT && (__PDS_TONAME_EQ_TOLOCAL + __NAKED_TO >= 1) && (__PDS_PHP_EVAL2 + __PDS_PHP_EVAL1 + T_PDS_X_PHP_WP_EXP + __PDS_X_PHP_WELLKNOWN >= 1)
3151describe PDS_PHPEXP_BOT PHP exploit bot sender
3152#score PDS_PHPEXP_BOT 1.5
3153##} PDS_PHPEXP_BOT
3154
3155##{ PDS_PHP_EVAL
3156
3157meta PDS_PHP_EVAL __PDS_PHP_EVAL1
3158describe PDS_PHP_EVAL PHP header shows eval'd code
3159#score PDS_PHP_EVAL 1.5
3160##} PDS_PHP_EVAL
3161
3162##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3163
# Defined only when the MIMEHeader plugin is loaded. Fires when either
# attachment subrule (__PHISH_ATTACH_01_01 or __PHISH_ATTACH_01_02) hits and
# __HAS_SENDER does not. All three subrules are defined outside this stanza;
# going by the description, the two attachment subrules look at the
# attachment filename.
# No score line, active or commented, appears in this stanza.
3164ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3165 meta PHISH_ATTACH (__PHISH_ATTACH_01_01 || __PHISH_ATTACH_01_02) && !__HAS_SENDER
3166 describe PHISH_ATTACH Attachment filename suspicious, probable phishing
3167 tflags PHISH_ATTACH publish
3168endif
3169##} PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3170
3171##{ PHISH_AZURE_CLOUDAPP
3172
# Fires on an http(s) URI whose host is one of the
# <name>.<region>.cloudapp.azure.com names enumerated in the alternation.
# The leading lookahead only pre-checks that the host part ends in
# .cloudapp.azure.com before the alternation is tried; the match is
# case-insensitive (;i).
# This is a fixed indicator list: a host that is not enumerated does not
# match, so coverage depends on this file being refreshed as names change.
# NOTE(review): the pattern requires a "/" directly after the host; whether
# a link with no path still matches depends on how the URI is normalised
# before the test runs - confirm.
# The score line is commented out in this file.
3173uri PHISH_AZURE_CLOUDAPP m;^https?://(?=[^/]+\.cloudapp\.azure\.com)(?:(?:b(?:illetedecalle\.northeurope|urofaxnotificado\.eastus)|comprobante(?:digital\.southcentralus|fiscale\.eastus)|infracciondeestacionamiento(?:\.eastus|s\.ukwest)|multa(?:detrafico\.eastus|prev\.eastus|s\.(?:eastus|southcentralus))|notificadosburofax\.eastus|penadetransitomulta\.eastus))\.cloudapp\.azure\.com/;i
3174describe PHISH_AZURE_CLOUDAPP Link to known phishing web application
3175#score PHISH_AZURE_CLOUDAPP 3.500
3176tflags PHISH_AZURE_CLOUDAPP publish
3177##} PHISH_AZURE_CLOUDAPP
3178
3179##{ PHISH_FBASEAPP
3180
3181meta PHISH_FBASEAPP __PHISH_FBASE_01
3182describe PHISH_FBASEAPP Probable phishing via hosted web app
3183#score PHISH_FBASEAPP 3.000 # limit
3184tflags PHISH_FBASEAPP publish
3185##} PHISH_FBASEAPP
3186
3187##{ PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
3188
3189if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
3190 meta PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF
3191 describe PHOTO_EDITING_DIRECT Image editing service, direct to MX
3192# score PHOTO_EDITING_DIRECT 3.000 # limit
3193endif
3194##} PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
3195
3196##{ PHP_NOVER_MUA
3197
# PHP_NOVER_MUA is assembled from three stanzas. This one sets the
# description and tflags unconditionally; the score line is commented out.
3198describe PHP_NOVER_MUA Mail from PHP with no version number
3199#score PHP_NOVER_MUA 3.000 # limit
3200tflags PHP_NOVER_MUA publish
3201##} PHP_NOVER_MUA
3202
3203##{ PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)
3204
# Variant used when the DKIM plugin is NOT loaded: __PHP_NOVER_MUA must hit
# and none of the five listed exclusion subrules may hit.
3205if !plugin(Mail::SpamAssassin::Plugin::DKIM)
3206 meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
3207endif
3208##} PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)
3209
3210##{ PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM
3211
# Variant used when the DKIM plugin IS loaded: the same expression plus
# !__DKIM_DEPENDABLE. The two conditions are complementary, so exactly one
# meta definition is active on any install.
# __DKIM_DEPENDABLE is defined elsewhere; presumably it exempts mail whose
# DKIM result is considered reliable - confirm. The rule is therefore
# stricter on hosts without the DKIM plugin.
3212ifplugin Mail::SpamAssassin::Plugin::DKIM
3213 meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
3214endif
3215##} PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM
3216
3217##{ PHP_ORIG_SCRIPT
3218
3219meta PHP_ORIG_SCRIPT __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO && !__MSGID_BEFORE_RECEIVED && !MSGID_FROM_MTA_HEADER
3220describe PHP_ORIG_SCRIPT Sent by bot & other signs
3221#score PHP_ORIG_SCRIPT 2.500 # limit
3222tflags PHP_ORIG_SCRIPT publish
3223##} PHP_ORIG_SCRIPT
3224
3225##{ PHP_ORIG_SCRIPT_EVAL
3226
3227meta PHP_ORIG_SCRIPT_EVAL __PHP_ORIG_SCRIPT_EVAL
3228describe PHP_ORIG_SCRIPT_EVAL From suspicious PHP source
3229#score PHP_ORIG_SCRIPT_EVAL 3.000 # limit
3230##} PHP_ORIG_SCRIPT_EVAL
3231
3232##{ PHP_SCRIPT
3233
3234meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT
3235describe PHP_SCRIPT Sent by PHP script
3236#score PHP_SCRIPT 2.500 # limit
3237tflags PHP_SCRIPT publish
3238##} PHP_SCRIPT
3239
3240##{ PHP_SCRIPT_MUA
3241
3242meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA
3243describe PHP_SCRIPT_MUA Sent by PHP script, no version number
3244#score PHP_SCRIPT_MUA 2.000 # limit
3245tflags PHP_SCRIPT_MUA publish
3246##} PHP_SCRIPT_MUA
3247
3248##{ POSSIBLE_APPLE_PHISH_02
3249
# Brand-impersonation rules. The three *_PHISH_02 rules share one shape: a
# __FROM_NAME_<BRAND>COM subrule hits and the matching __HDR_RCVD_<BRAND>
# subrule does not. All subrules are defined outside this file section.
# Going by the descriptions, __FROM_NAME_* looks at the From display name
# and __HDR_RCVD_* at Received headers.
# NOTE(review): Received headers added before the first trusted relay are
# supplied by the sender. If __HDR_RCVD_* is not limited to trusted relays,
# a forged Received line naming the brand would presumably switch these
# rules off - confirm how the subrules are scoped.
# No score line, active or commented, appears in these stanzas, so the score
# comes from elsewhere or from SpamAssassin's default.
3250meta POSSIBLE_APPLE_PHISH_02 (__FROM_NAME_APPLECOM && !__HDR_RCVD_APPLE)
3251describe POSSIBLE_APPLE_PHISH_02 Claims to be from apple but not processed by any apple MTA
3252tflags POSSIBLE_APPLE_PHISH_02 publish
3253##} POSSIBLE_APPLE_PHISH_02
3254
3255##{ POSSIBLE_EBAY_PHISH_02
3256
3257meta POSSIBLE_EBAY_PHISH_02 (__FROM_NAME_EBAYCOM && !__HDR_RCVD_EBAY)
3258describe POSSIBLE_EBAY_PHISH_02 Claims to be from ebay but not processed by any ebay MTA
3259tflags POSSIBLE_EBAY_PHISH_02 publish
3260##} POSSIBLE_EBAY_PHISH_02
3261
3262##{ POSSIBLE_PAYPAL_PHISH_01
3263
# Unlike the *_02 rules, this one does not look at Received headers: it
# pairs the PayPal display-name subrule with __NAME_EMAIL_DIFF (defined
# elsewhere).
3264meta POSSIBLE_PAYPAL_PHISH_01 (__FROM_NAME_PAYPALCOM && __NAME_EMAIL_DIFF)
3265describe POSSIBLE_PAYPAL_PHISH_01 Claims to be from paypal but has non-paypal from email address
3266tflags POSSIBLE_PAYPAL_PHISH_01 publish
3267##} POSSIBLE_PAYPAL_PHISH_01
3268
3269##{ POSSIBLE_PAYPAL_PHISH_02
3270
3271meta POSSIBLE_PAYPAL_PHISH_02 (__FROM_NAME_PAYPALCOM && !__HDR_RCVD_PAYPAL)
3272describe POSSIBLE_PAYPAL_PHISH_02 Claims to be from paypal but not processed by any paypal MTA
3273tflags POSSIBLE_PAYPAL_PHISH_02 publish
3274##} POSSIBLE_PAYPAL_PHISH_02
3275
3276##{ PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
3277
3278ifplugin Mail::SpamAssassin::Plugin::MIMEEval
3279 if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
3280 body PP_MIME_FAKE_ASCII_TEXT eval:check_for_ascii_text_illegal()
3281 describe PP_MIME_FAKE_ASCII_TEXT MIME text/plain claims to be ASCII but isn't
3282# score PP_MIME_FAKE_ASCII_TEXT 1.0
3283 tflags PP_MIME_FAKE_ASCII_TEXT publish
3284endif
3285endif
3286##} PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
3287
3288##{ PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3289
# Two rules call the same MIMEEval function with different arguments (0.02
# here, 0.05 in the next stanza). Each is defined only when the MIMEEval
# plugin is loaded and reports the has_check_abundant_unicode_ratio
# capability; on older installs neither rule exists.
# NOTE(review): the argument is presumably a minimum ratio of unicode
# escapes to text - confirm against the plugin documentation.
# The score lines are commented out in this file.
3290ifplugin Mail::SpamAssassin::Plugin::MIMEEval
3291 if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3292 body PP_TOO_MUCH_UNICODE02 eval:check_abundant_unicode_ratio(0.02)
3293 describe PP_TOO_MUCH_UNICODE02 Is text/plain but has many unicode escapes
3294# score PP_TOO_MUCH_UNICODE02 0.5
3295 tflags PP_TOO_MUCH_UNICODE02 publish
3296endif
3297endif
3298##} PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3299
3300##{ PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3301
# Same eval as PP_TOO_MUCH_UNICODE02 with the larger argument 0.05. The
# description text is identical to the 0.02 rule, so reports distinguish the
# two by rule name only.
3302ifplugin Mail::SpamAssassin::Plugin::MIMEEval
3303 if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3304 body PP_TOO_MUCH_UNICODE05 eval:check_abundant_unicode_ratio(0.05)
3305 describe PP_TOO_MUCH_UNICODE05 Is text/plain but has many unicode escapes
3306# score PP_TOO_MUCH_UNICODE05 1.0
3307 tflags PP_TOO_MUCH_UNICODE05 publish
3308endif
3309endif
3310##} PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3311
3312##{ PUMPDUMP
3313
# PUMPDUMP and PUMPDUMP_MULTI split the same ten __PUMPDUMP_NN subrules
# (defined elsewhere) by hit count. PUMPDUMP fires when at least one subrule
# hits and PUMPDUMP_MULTI does not, so the two never fire together.
# The score lines are commented out in this file.
3314meta PUMPDUMP (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI
3315describe PUMPDUMP Pump-and-dump stock scam phrase
3316#score PUMPDUMP 1.000 # limit
3317tflags PUMPDUMP publish
3318##} PUMPDUMP
3319
3320##{ PUMPDUMP_MULTI
3321
# Fires when the number of __PUMPDUMP_NN subrules that hit is greater than 1,
# i.e. two or more distinct phrases matched.
3322meta PUMPDUMP_MULTI (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
3323describe PUMPDUMP_MULTI Pump-and-dump stock scam phrases
3324#score PUMPDUMP_MULTI 3.500 # limit
3325tflags PUMPDUMP_MULTI publish
3326##} PUMPDUMP_MULTI
3327
3328##{ PUMPDUMP_TIP
3329
3330meta PUMPDUMP_TIP __PD_CNT_1 && __STOCK_TIP
3331describe PUMPDUMP_TIP Pump-and-dump stock tip
3332tflags PUMPDUMP_TIP publish
3333##} PUMPDUMP_TIP
3334
3335##{ RAND_HEADER_LIST_SPOOF
3336
3337meta RAND_HEADER_LIST_SPOOF __RAND_HEADER && __LIST_PARTIAL
3338describe RAND_HEADER_LIST_SPOOF Random gibberish message header(s) + pretending to be a mailing list
3339#score RAND_HEADER_LIST_SPOOF 3.000 # limit
3340tflags RAND_HEADER_LIST_SPOOF publish
3341##} RAND_HEADER_LIST_SPOOF
3342
3343##{ RAND_HEADER_MANY
3344
3345meta RAND_HEADER_MANY __RAND_HEADER_2
3346describe RAND_HEADER_MANY Multiple random gibberish message headers
3347#score RAND_HEADER_MANY 3.000 # limit
3348tflags RAND_HEADER_MANY publish
3349##} RAND_HEADER_MANY
3350
3351##{ RAND_MKTG_HEADER
3352
3353meta RAND_MKTG_HEADER __RAND_MKTG_HEADER && !__HAVE_BOUNCE_RELAYS && !__HAS_THREAD_INDEX && !__HAS_X_MAILING_LIST
3354describe RAND_MKTG_HEADER Has partially-randomized marketing/tracking header(s)
3355#score RAND_MKTG_HEADER 2.000 # limit
3356tflags RAND_MKTG_HEADER publish
3357##} RAND_MKTG_HEADER
3358
3359##{ RATWARE_NO_RDNS
3360
3361meta RATWARE_NO_RDNS __RATWARE_BOUND_A && __RDNS_NONE && __MIME_HTML && __MISSING_REF
3362describe RATWARE_NO_RDNS Suspicious MsgID and MIME boundary + no rDNS
3363#score RATWARE_NO_RDNS 3.000 # limit
3364##} RATWARE_NO_RDNS
3365
3366##{ RCVD_BAD_ID
3367
3368header RCVD_BAD_ID Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*<=>?\@\[\]^\`{|}~]|;\S)/
3369describe RCVD_BAD_ID Received header contains id field with bad characters
3370##} RCVD_BAD_ID
3371
3372##{ RCVD_DBL_DQ
3373
3374header RCVD_DBL_DQ Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/
3375describe RCVD_DBL_DQ Malformatted message header
3376tflags RCVD_DBL_DQ publish
3377##} RCVD_DBL_DQ
3378
3379##{ RCVD_DOTEDU_SHORT
3380
46cfc9e2 3381meta RCVD_DOTEDU_SHORT __RCVD_DOTEDU_SHORT && !ALL_TRUSTED && !__FS_SUBJ_RE && !__HAS_LIST_ID
b780ea8d 3382describe RCVD_DOTEDU_SHORT Via .edu MTA + short message
46cfc9e2 3383#score RCVD_DOTEDU_SHORT 1.500 # limit
3384tflags RCVD_DOTEDU_SHORT publish
3385##} RCVD_DOTEDU_SHORT
3386
3387##{ RCVD_DOTEDU_SUSP_URI
3388
3389meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI
3390describe RCVD_DOTEDU_SUSP_URI Via .edu MTA + suspicious URI
3391#score RCVD_DOTEDU_SUSP_URI 3.000 # limit
3392tflags RCVD_DOTEDU_SUSP_URI publish
3393##} RCVD_DOTEDU_SUSP_URI
3394
3395##{ RCVD_FORGED_WROTE
3396
# Matches a Received header containing " by HOST with esmtp (AAAAAA BBB) id",
# where the parenthesised part is two space-separated runs with no lowercase
# letters: at least 6 characters, then at least 3.
# The match is case-sensitive, so "esmtp" must be lowercase.
# No score or tflags line appears in this stanza.
3397header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/
3398describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
3399##} RCVD_FORGED_WROTE
3400
3401##{ RCVD_FORGED_WROTE2
3402
# Stricter sibling: "from <digits and dots> (HELO name) by HOST with esmtp
# (x y) id" followed by an id of the form 6-6-2 non-space characters, then
# "for user@HOST;". The \1 backreference requires the recipient domain to
# equal the captured "by" host.
# This stanza has no describe, score or tflags line, so reports show only
# the rule name.
3403header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
3404##} RCVD_FORGED_WROTE2
3405
3406##{ RCVD_IN_IADB_COURT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3407
# Sub-test of the DNS list registered under the set name 'iadb-firsttrusted'.
# The zone for that set is declared outside this stanza. The rule fires when
# the lookup for that set returns 127.3.200.130.
# tflags: 'net' marks a network test, skipped when network tests are
# disabled; 'nice' marks a rule meant to carry a negative (ham-leaning)
# score. No score line appears in this stanza.
# A "-firsttrusted" set name ties the lookup to the relay boundary, so the
# result depends on trusted_networks/internal_networks being set correctly.
3408ifplugin Mail::SpamAssassin::Plugin::DNSEval
3409header RCVD_IN_IADB_COURT eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.130')
3410describe RCVD_IN_IADB_COURT IADB: Court-ordered email
3411tflags RCVD_IN_IADB_COURT net nice
3412endif
3413##} RCVD_IN_IADB_COURT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3414
3415##{ RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
3416
3417ifplugin Mail::SpamAssassin::Plugin::DNSEval
3418header RCVD_IN_IADB_DK eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.3')
3419describe RCVD_IN_IADB_DK IADB: Sender publishes Domain Keys record
3420tflags RCVD_IN_IADB_DK net nice
3421endif
3422##} RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
3423
3424##{ RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3425
3426ifplugin Mail::SpamAssassin::Plugin::DNSEval
3427header RCVD_IN_IADB_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.10')
3428describe RCVD_IN_IADB_DOPTIN IADB: All mailing list mail is confirmed opt-in
3429tflags RCVD_IN_IADB_DOPTIN net nice
3430endif
3431##} RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3432
3433##{ RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3434
3435ifplugin Mail::SpamAssassin::Plugin::DNSEval
3436header RCVD_IN_IADB_DOPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.9')
3437describe RCVD_IN_IADB_DOPTIN_GT50 IADB: Confirmed opt-in used more than 50% of the time
3438tflags RCVD_IN_IADB_DOPTIN_GT50 net nice
3439endif
3440##} RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3441
3442##{ RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3443
3444ifplugin Mail::SpamAssassin::Plugin::DNSEval
3445header RCVD_IN_IADB_DOPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.8')
3446describe RCVD_IN_IADB_DOPTIN_LT50 IADB: Confirmed opt-in used less than 50% of the time
3447tflags RCVD_IN_IADB_DOPTIN_LT50 net nice
3448endif
3449##} RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3450
3451##{ RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval
3452
3453ifplugin Mail::SpamAssassin::Plugin::DNSEval
3454header RCVD_IN_IADB_EDDB eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.1')
3455describe RCVD_IN_IADB_EDDB IADB: Participates in Email Deliverability Database
3456tflags RCVD_IN_IADB_EDDB net nice
3457endif
3458##} RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval
3459
3460##{ RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval
3461
3462ifplugin Mail::SpamAssassin::Plugin::DNSEval
3463header RCVD_IN_IADB_EPIA eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.2')
3464describe RCVD_IN_IADB_EPIA IADB: Member of Email Processing Industry Alliance
3465tflags RCVD_IN_IADB_EPIA net nice
3466endif
3467##} RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval
3468
3469##{ RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3470
3471ifplugin Mail::SpamAssassin::Plugin::DNSEval
3472header RCVD_IN_IADB_GOODMAIL eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.103')
3473describe RCVD_IN_IADB_GOODMAIL IADB: Sender has been certified by GoodMail
3474tflags RCVD_IN_IADB_GOODMAIL net nice
3475endif
3476##} RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3477
3478##{ RCVD_IN_IADB_LEG_MAND ifplugin Mail::SpamAssassin::Plugin::DNSEval
3479
3480ifplugin Mail::SpamAssassin::Plugin::DNSEval
3481header RCVD_IN_IADB_LEG_MAND eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.120')
3482describe RCVD_IN_IADB_LEG_MAND IADB: Legally mandated email
3483tflags RCVD_IN_IADB_LEG_MAND net nice
3484endif
3485##} RCVD_IN_IADB_LEG_MAND ifplugin Mail::SpamAssassin::Plugin::DNSEval
3486
3487##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
3488
# Unlike the other IADB sub-tests in this file, which pass a single dotted
# address, this one passes an anchored regular expression. It fires when the
# 'iadb-firsttrusted' lookup returns 127.0.0.1 or 127.0.0.2.
# 'net nice' = network test intended to carry a negative score; no score
# line appears in this stanza.
3489ifplugin Mail::SpamAssassin::Plugin::DNSEval
3490header RCVD_IN_IADB_LISTED eval:check_rbl_sub('iadb-firsttrusted', '^127\.0\.0\.[12]$')
3491describe RCVD_IN_IADB_LISTED Participates in the IADB system
3492tflags RCVD_IN_IADB_LISTED net nice
3493endif
3494##} RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
3495
3496##{ RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval
3497
3498ifplugin Mail::SpamAssassin::Plugin::DNSEval
3499header RCVD_IN_IADB_LOOSE eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.4')
3500describe RCVD_IN_IADB_LOOSE IADB: Adds relationship addrs w/out opt-in
3501tflags RCVD_IN_IADB_LOOSE net nice
3502endif
3503##} RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval
3504
3505##{ RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3506
3507ifplugin Mail::SpamAssassin::Plugin::DNSEval
3508header RCVD_IN_IADB_MI_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.1.10')
3509describe RCVD_IN_IADB_MI_CPEAR IADB: Complies with Michigan's CPEAR law
3510tflags RCVD_IN_IADB_MI_CPEAR net nice
3511endif
3512##} RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3513
3514##{ RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3515
3516ifplugin Mail::SpamAssassin::Plugin::DNSEval
3517header RCVD_IN_IADB_MI_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.101.10')
3518describe RCVD_IN_IADB_MI_CPR_30 IADB: Checked lists against Michigan's CPR within 30 days
3519tflags RCVD_IN_IADB_MI_CPR_30 net nice
3520endif
3521##} RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3522
3523##{ RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3524
3525ifplugin Mail::SpamAssassin::Plugin::DNSEval
3526header RCVD_IN_IADB_MI_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.201.10')
3527describe RCVD_IN_IADB_MI_CPR_MAT IADB: Sends no material under Michigan's CPR
3528tflags RCVD_IN_IADB_MI_CPR_MAT net nice
3529endif
3530##} RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3531
3532##{ RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3533
3534ifplugin Mail::SpamAssassin::Plugin::DNSEval
3535header RCVD_IN_IADB_ML_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.100')
3536describe RCVD_IN_IADB_ML_DOPTIN IADB: Mailing list email only, confirmed opt-in
3537tflags RCVD_IN_IADB_ML_DOPTIN net nice
3538endif
3539##} RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3540
3541##{ RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3542
# Fires when the 'iadb-firsttrusted' lookup returns 127.3.100.0.
# NOTE(review): the description is a negative sending practice, yet the rule
# carries 'tflags nice' (intended for negative scores) like the other IADB
# sub-tests. No score is set in this stanza; check the effective score
# before relying on which direction this rule moves the total.
3543ifplugin Mail::SpamAssassin::Plugin::DNSEval
3544header RCVD_IN_IADB_NOCONTROL eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.0')
3545describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing controls in place
3546tflags RCVD_IN_IADB_NOCONTROL net nice
3547endif
3548##} RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3549
3550##{ RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval
3551
3552ifplugin Mail::SpamAssassin::Plugin::DNSEval
3553header RCVD_IN_IADB_OOO eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.200')
3554describe RCVD_IN_IADB_OOO IADB: One-to-one/transactional email only
3555tflags RCVD_IN_IADB_OOO net nice
3556endif
3557##} RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval
3558
3559##{ RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3560
3561ifplugin Mail::SpamAssassin::Plugin::DNSEval
3562header RCVD_IN_IADB_OPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.7')
3563describe RCVD_IN_IADB_OPTIN IADB: All mailing list mail is opt-in
3564tflags RCVD_IN_IADB_OPTIN net nice
3565endif
3566##} RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3567
3568##{ RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3569
3570ifplugin Mail::SpamAssassin::Plugin::DNSEval
3571header RCVD_IN_IADB_OPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.6')
3572describe RCVD_IN_IADB_OPTIN_GT50 IADB: Opt-in used more than 50% of the time
3573tflags RCVD_IN_IADB_OPTIN_GT50 net nice
3574endif
3575##} RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3576
3577##{ RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3578
3579ifplugin Mail::SpamAssassin::Plugin::DNSEval
3580header RCVD_IN_IADB_OPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.5')
3581describe RCVD_IN_IADB_OPTIN_LT50 IADB: Opt-in used less than 50% of the time
3582tflags RCVD_IN_IADB_OPTIN_LT50 net nice
3583endif
3584##} RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3585
3586##{ RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval
3587
# Fires when the 'iadb-firsttrusted' lookup returns 127.3.100.1.
# NOTE(review): the description (address scraping, opt-out only) is a
# negative sending practice, yet the rule carries 'tflags nice' like the
# other IADB sub-tests. No score is set in this stanza; check the effective
# score before relying on which direction this rule moves the total.
3588ifplugin Mail::SpamAssassin::Plugin::DNSEval
3589header RCVD_IN_IADB_OPTOUTONLY eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.1')
3590describe RCVD_IN_IADB_OPTOUTONLY IADB: Scrapes addresses, pure opt-out only
3591tflags RCVD_IN_IADB_OPTOUTONLY net nice
3592endif
3593##} RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval
3594
3595##{ RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval
3596
3597ifplugin Mail::SpamAssassin::Plugin::DNSEval
3598header RCVD_IN_IADB_RDNS eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.4')
3599describe RCVD_IN_IADB_RDNS IADB: Sender has reverse DNS record
3600tflags RCVD_IN_IADB_RDNS net nice
3601endif
3602##} RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval
3603
3604##{ RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval
3605
3606ifplugin Mail::SpamAssassin::Plugin::DNSEval
3607header RCVD_IN_IADB_SENDERID eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.2')
3608describe RCVD_IN_IADB_SENDERID IADB: Sender publishes Sender ID record
3609tflags RCVD_IN_IADB_SENDERID net nice
3610endif
3611##} RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval
3612
3613##{ RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval
3614
3615ifplugin Mail::SpamAssassin::Plugin::DNSEval
3616header RCVD_IN_IADB_SPF eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.1')
3617describe RCVD_IN_IADB_SPF IADB: Sender publishes SPF record
3618tflags RCVD_IN_IADB_SPF net nice
3619endif
3620##} RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval
3621
3622##{ RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3623
3624ifplugin Mail::SpamAssassin::Plugin::DNSEval
3625header RCVD_IN_IADB_UNVERIFIED_1 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.2')
3626describe RCVD_IN_IADB_UNVERIFIED_1 IADB: Accepts unverified sign-ups
3627tflags RCVD_IN_IADB_UNVERIFIED_1 net nice
3628endif
3629##} RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3630
3631##{ RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3632
3633ifplugin Mail::SpamAssassin::Plugin::DNSEval
3634header RCVD_IN_IADB_UNVERIFIED_2 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.3')
3635describe RCVD_IN_IADB_UNVERIFIED_2 IADB: Accepts unverified sign-ups, gives chance to opt out
3636tflags RCVD_IN_IADB_UNVERIFIED_2 net nice
3637endif
3638##} RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3639
3640##{ RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3641
3642ifplugin Mail::SpamAssassin::Plugin::DNSEval
3643header RCVD_IN_IADB_UT_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.2.10')
3644describe RCVD_IN_IADB_UT_CPEAR IADB: Complies with Utah's CPEAR law
3645tflags RCVD_IN_IADB_UT_CPEAR net nice
3646endif
3647##} RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3648
3649##{ RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3650
3651ifplugin Mail::SpamAssassin::Plugin::DNSEval
3652header RCVD_IN_IADB_UT_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.102.10')
3653describe RCVD_IN_IADB_UT_CPR_30 IADB: Checked lists against Utah's CPR within 30 days
3654tflags RCVD_IN_IADB_UT_CPR_30 net nice
3655endif
3656##} RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3657
3658##{ RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3659
3660ifplugin Mail::SpamAssassin::Plugin::DNSEval
3661header RCVD_IN_IADB_UT_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.202.10')
3662describe RCVD_IN_IADB_UT_CPR_MAT IADB: Sends no material under Utah's CPR
3663tflags RCVD_IN_IADB_UT_CPR_MAT net nice
3664endif
3665##} RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3666
3667##{ RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
3668
# DNS blocklist lookup against the zone psbl.surriel.com., registered under
# the set name 'psbl-lastexternal'. The "-lastexternal" suffix limits the
# query to the last external relay, i.e. the host that handed the message to
# the local infrastructure.
# That relay is identified from trusted_networks/internal_networks. If those
# are wrong, the lookup is made for the wrong address and the rule either
# misses or hits on the site's own relay.
# 'tflags net' only (no 'nice'): a network test on the spam side. No score
# line appears in this stanza.
3669ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
3670header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.')
3671describe RCVD_IN_PSBL Received via a relay in PSBL
3672tflags RCVD_IN_PSBL net
3673endif
3674##} RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
3675
3676##{ RCVD_MAIL_COM
3677
3678header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is
3679describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com)
3680##} RCVD_MAIL_COM
3681
3682##{ RDNS_LOCALHOST
3683
# Tests X-Spam-Relays-External, the relay summary SpamAssassin builds from
# the parsed Received headers, not a header present in the message itself.
# The ^ anchor restricts the match to the first relay entry in that summary.
# It fires when that entry's IP does not start with 127 but its rdns value
# is "localhost" or "localhost.localdomain" (case-insensitive).
# Which relay appears first depends on the trusted/internal network
# configuration. No score line appears in this stanza.
3684header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
3685describe RDNS_LOCALHOST Sender's public rDNS is "localhost"
3686##} RDNS_LOCALHOST
3687
3688##{ RDNS_NUM_TLD_ATCHNX
3689
3690meta RDNS_NUM_TLD_ATCHNX __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT
3691describe RDNS_NUM_TLD_ATCHNX Relay rDNS has numeric TLD + suspicious attachment
3692#score RDNS_NUM_TLD_ATCHNX 3.000 # limit
3693tflags RDNS_NUM_TLD_ATCHNX publish
3694##} RDNS_NUM_TLD_ATCHNX
3695
3696##{ RDNS_NUM_TLD_XM
3697
3698meta RDNS_NUM_TLD_XM __RDNS_NUMERIC_TLD && (__HAS_XM_SID || __HAS_XM_LID || __HAS_XM_RECPTID || __HAS_XM_SENTBY)
3699describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious headers
3700#score RDNS_NUM_TLD_XM 3.000 # limit
3701tflags RDNS_NUM_TLD_XM publish
3702##} RDNS_NUM_TLD_XM
3703
3704##{ REPLYTO_WITHOUT_TO_CC
3705
3706meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS)
3707##} REPLYTO_WITHOUT_TO_CC
3708
3709##{ REPTO_419_FRAUD
3710
54c714b2 3711header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:ibrahimtafa)\@abienceinvestmentsfze\.com|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:attorneygeorgewalter|jessikasingh|lawmensa|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:jefferson)\@athenaeumbd\.com|(?:(?:bllphillips|desousafam05))\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:jessica)\@cadencebankdept\.us|(?:judith_faulkner63)\@cash4u\.com|(?:cbn)\@cbofficialmail\.cf|(?:201(?:47237|5(?:5765|648[48])))\@ce\.pucmm\.edu\.do|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:mundo_seguros)\@contorli\.site|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:investmentfince\.com|lottery(?:\.support|usa\.com)|sama_williams|warren_edward))\@cpn\.it|(?:(?:angelicainiguez|brun
oso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|i(?:lanasoloshneor|nfo90000)|joseramonjr1|m(?:hzitafrank0|ynewmission)|r(?:e(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))|onconway)))\@daum\.net|(?:info)\@dieterchwarz-charity\.com|(?:blythemasters)\@digitalassetholding\.org|(?:jorgezalesky)\@diplomats\.com|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:health\-support)\@drjohnashworthherbalmeds\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|facebook\.in(?:structor|tructor)|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@emteslastock\.com|(?:info)\@euro-pinnacle\.com|(?:(?:a(?:bogado\.antoniopaco|dvancedsegurosespana)|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|w(?:alter_anderson|esternunionrespond)))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:juliairis)\@gmx\.net|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homeb
g\.in|(?:christgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:bo_li)\@imgrantfunds\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|m(?:\.wood|ingmui0012)|offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:info)\@intarpol-int\.online|(?:jacek_urbanski)\@irishdoorsystemsltd\.com|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:contactme)\@jimmyofficial\.info|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|lotteryusa\.com|paulagonzalez|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:bjic)\@mail2one\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|johnkofithomas|kateclough1|mriamchombo1968|philiproger101))\@mail\.com|(?:ayishagddafio?)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:managing\-director_schaefflergroup)\@mariaelisabeth\.gisb\.com\.my|(?:doo\.yusin)\@matherline-trade\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com
|(?:(?:benoitdageville2023|nancytseling|reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:info)\@officepch\.com|(?:lindsaytrembley)\@oimail\.com|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:info)\@onlinepch\.com|(?:dieterbe451)\@onmail\.com|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:info)\@ousos-elearning\.com|(?:schaeffler(?:ariaelisabeth|mariaelisabeth))\@outlook\.de|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:support)\@piraeusegrecebnk\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:martinahrivnakova)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:(?:charitylisajohnrobinson700|leonardbain|noelldosi|stwrightsmaxinvestment))\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|garethbull808|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:trust\-wallet)\@redirectionsdepartment\.xyz|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:msn)\@resrubini\.com|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:(?:deputygov_kuben|rcassim\.sarb))\@safrica\.com|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:olena\.shevchenko)\@shumejda\.co\.uk|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@
swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:clory)\@technet\.it|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:david\.r\.malpass|info\.(?:clev\.frb|imfamerica)|kristinewellensteinn|policyaddmin\.file))\@usa\.com|(?:team)\@veraphanteepsuwan\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:(?:laprimitivaes|robert166003))\@zohomail\.eu)$/i
3712describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox
3713#score REPTO_419_FRAUD 3.000
3714tflags REPTO_419_FRAUD publish
3715##} REPTO_419_FRAUD
3716
##{ REPTO_419_FRAUD_AOL

# Exact-match list of aol.com mailboxes seen as Reply-To collectors in
# advance-fee ("419") fraud mail.
#  - Reply-To:addr tests the first e-mail address found in the Reply-To header,
#    not the display name.
#  - The (?=...) lookahead gates on the @aol.com domain before the long
#    alternation of local parts is tried.
#  - ^...$ plus the literal domain makes this a whole-address match; /i ignores
#    case.
# Treat the alternation as indicator data, not logic: a hit means a listed
# mailbox, a miss says nothing about unlisted ones. The header of this file says
# local edits are overwritten on update, so site additions belong in local.cf.
header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:brajjohn|f\.2[06]|gneselizabethgiftfoundationssss|ljaber111|meliageorge|nd(?:_bley|rew_hans)|rthur\.alan)|b(?:a(?:anidleewy|rr_luc)|claimdept)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|laimdept21|ristinabruno38|ustom_service58)|d(?:avid\.kms|hodgkins001|ianwaynie)|e(?:ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|info\.dieter_charity|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|isarobinson5\.0|orrainewirangee|ynnpage44)|m(?:_l\.wanczyk62|a(?:sayohara21|viswanczyk[do])|rs(?:isabelladzsesszika|janetedwards0001|safiagaddafi))|officework172|p(?:aulpollard2|otfolio\.management)|royalpalace2018|s(?:\.fofo|afiiagadafi|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|wattson\.renwick|yurdaaytarkan5))\@aol\.com$/i
describe REPTO_419_FRAUD_AOL Reply-To is known advance fee fraud collector mailbox
# The score line below is commented out, so no score is assigned in this block.
#score REPTO_419_FRAUD_AOL 3.000
# publish is a rule-publication flag, not a match-time condition (presumably
# consumed by the rule build tooling -- confirm).
tflags REPTO_419_FRAUD_AOL publish
##} REPTO_419_FRAUD_AOL

##{ REPTO_419_FRAUD_AOL_LOOSE

# Fallback for the exact list: fires when the looser sub-rule
# __REPTO_419_FRAUD_AOL_LOOSE (defined outside this block) hits and
# REPTO_419_FRAUD_AOL did not, so one message is never counted by both.
# Per the describe line it targets Reply-To addresses that end in digits and
# resemble listed mailboxes. The commented-out score (1.000) is lower than the
# strict rule's 3.000, which fits a fuzzier match -- presumably because
# near-miss matching is more prone to false positives.
meta REPTO_419_FRAUD_AOL_LOOSE __REPTO_419_FRAUD_AOL_LOOSE && !REPTO_419_FRAUD_AOL
describe REPTO_419_FRAUD_AOL_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_AOL_LOOSE 1.000
tflags REPTO_419_FRAUD_AOL_LOOSE publish
##} REPTO_419_FRAUD_AOL_LOOSE

##{ REPTO_419_FRAUD_CNS

# Exact-match list of consultant.com mailboxes seen as Reply-To collectors in
# advance-fee ("419") fraud mail.
#  - Reply-To:addr tests the first e-mail address found in the Reply-To header.
#  - The (?=...) lookahead gates on the domain before the alternation of local
#    parts is tried; ^...$ makes it a whole-address match and /i ignores case.
# Indicator data only: a hit means a listed mailbox, a miss says nothing about
# unlisted ones.
header REPTO_419_FRAUD_CNS Reply-To:addr =~ /^(?=[^\s<>@]+\@consultant\.com)(?:(?:anthonyalvarad|davidhenri|lottomaxclaims7|morrisherb|pchonline|t(?:eo\.westin|he\.trustees1|rustees202000)|westernuniopayment\.agent0018))\@consultant\.com$/i
describe REPTO_419_FRAUD_CNS Reply-To is known advance fee fraud collector mailbox
# The score line below is commented out, so no score is assigned in this block.
#score REPTO_419_FRAUD_CNS 3.000
tflags REPTO_419_FRAUD_CNS publish
##} REPTO_419_FRAUD_CNS

3741##{ REPTO_419_FRAUD_GM
3742
54c714b2 3743header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|1magnumsecuritiesllc|7912richardtony|9porssts9|a(?:\.wafager1|12udubello|b(?:d(?:97412345|u(?:kfahim|llahmundani019))|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976(?:algaddafi|gaddafi25)|gaddafi(?:aam|sdaughter))|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|icedoris0000|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|phabankofgreecerepublic|ure\.wawrenka1472)|m(?:bassadormarybethleonardl4|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:hony(?:alvaradollc|jblinken61)|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|t(?:mcarddepartment0024|tohlawoffice\.tg)|ustinbillmark9|w1614860|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|clarkephillips(?:2(?:02|4)|4[59])|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195)|tsyholden940)|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:1nicele|a(?:pinolly|rtwrighttownhomesllc)|claimsa|e(?:da\.ogada77|licerez)|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavis(?:donation1|foundat
ion0101)))|u(?:nninghammrssharonloren|stomerservicelacaixa2))|d(?:29laws|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|kaltschmidtmaureend|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|h(?:lexpresscompany176|sdevice)|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick|rhamahassan22)|u(?:breuilgmbh|nsilva58|stinmoskovitz\.2facebook)|v\.metus|willslevens)|e(?:benezero392|christina937|d(?:mundventura689|runity)|l(?:i(?:bethgomez(?:175|499)|sabeth(?:gmuer11|maria600)|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|ngr\.des01|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|rahwasam101|tme\.mehmed001)|b(?:589767|lott47)|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|p462558|r(?:a(?:100dub132|n(?:c(?:es(?:\.connelly2|patrickconnolly(?:5050|4))|iscamendoza960)|k(?:j(?:ane984|ody2|wangg)|linpiesie6)))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016))|b(?:528796|ill4880)|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|i(?:idp955|ocastano21)|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen|w522834)|h(?:a(?:r(?:gate2909|ryebert101)|s(?:h(?:imyreem78|mireem801)|sanalshujairy)|uperthilbigbeate|zimissa03)|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321)|ritagetrustbank1985)|g(?:8669000|old8080)|i(?:ldad837|toshurui)|o(?
:nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|b(?:ed627|rahimelizabeth654)|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|marviswanczyk360|orangedor|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|t(?:ech4st255|tcuckk))|gridrolle2)|rvinekim67|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esokoh82)|n(?:nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b(?:5406424|lsuntrust)|c2222222rrr|e(?:fferydean1960|nniannjhsonn|robtt)|josvu|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|nietaylor242|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:a(?:haskel19|thanhaskel377)|hugo1964|monkssa)|seph(?:acevedo024|babatunde192|ichael41)|vannyanderson001|yce00011)|rawlings007|s4fernado|u(?:liewatson975|sticellawgroup)|w6935997)|k(?:a(?:dulinayulii(?:ia|a)|l(?:iaksandr5|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|r(?:istinewellenstein024|nkl1109)|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|onidasresearch|rynne(?:0west99|west(?:2289|5412)))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|nelink008|sa(?:milner001|robin117))|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|s(?:arbn01|chantal86)|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran6(?:30|56)|uelfranco(?:727|donation0
2|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26|tinesecurityusa)|kroth456|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|thewriaanza|u(?:hin52|noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt|zerfexi)|brons667|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:aniekreiss1971|lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|ntonjustin98|ss(?:\.(?:aminaibrahim|melisa\.mehmett|yasmineibrahim101)|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati|rstephen16)|nmalarge|oham(?:edabdul1717|m(?:daljililati1|edshamekh24))|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee|tonyelumelu60)|cjames001|d517341|eric(?:franck|schmid4002)|georgeemera|hanimuhammad627|jamesmc6|morgangomez56|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|marinakuznetsov|olsenjanett|su(?:sanread12|zarawanmaling))|a(?:ishaalqadafi1976|ngela454|shaalqaddfi117)|catherineyokes|dominiquethomas7777|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|lleach)|lisamilner08|m(?:a(?:riaelizabethscheffle98|ureens847|yaoliver31)|ugan)|r(?:eem362|obinsanders185|uthsmith9900)|sar(?:ahbenjamin103|iamirahwulu)|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|viktorzubkovv)|s(?:\.ellagolan56|agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffi(?:c(?:e(?:\.012123|emaill0002|rricherd876|windowterms)|ialserviceuae)|zielllk)|hallkenneth1|lenasheve73|marinyandeng|nufoundationclaims|pcwkdw|rabankheadofficelometogo1985|xfaminternationa1980)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:e
ed1969|n8018))|b(?:ph202lay2|rookk0)|e(?:130304|ndingredirections|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|o(?:lloke|usazgullaume)|r(?:imecapitalfianceltd|o1nvstream)|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymondaba200)|e(?:alyh596|beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|icha(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|josh200000|main2028|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ddicklana561|ssiaworldcuppromo))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid(?:09|7000))|nchoscozfifa|rfiafarfask7)|cott(?:henryjames91|peters7989)|e(?:cretservicce[789]|rgeantrobertbrown1)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler(?:2009|3))|ery(?:\.gtl131|etr03)|inawatrathaksin93)|im(?:lkheng5|onhei47)|op(?:adam3|hiajesse41)|p(?:a(?:cex\.inititative|gentrose)|eelman1972)|t(?:anleyjohn1469|e(?:phen(?:7tam|tam1(?:47|6))|venchamberonline))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:a(?:mmywebster24|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|e(?:nreyrosilvana54|rryparkins11)|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|robins777|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:ba\.bankofaffican|derleyen52|kponguko|marukareem8|n(?:claimedfunds554|ited(?:bankforafrica\.plc102|nation(?:organization70|s(?:8182|councilrefunds))))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapa
tel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|johannes271|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett(?:398|2))|b(?:271981|6159980)|c5000dle|ellensteinfoundation251|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iamsmartyrs888))|kfinancialservice|orldbankregionalmanageroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|inglukshinawtra|o(?:ngkm00|usefzongo5722))|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i
# Metadata for the REPTO_419_FRAUD_GM header test defined just above. That test
# has the same shape as the other REPTO_419_FRAUD_* rules in this file: a
# lookahead that gates on @gmail.com, then an exact-match alternation of local
# parts anchored with ^...$ and made case-insensitive by /i.
# The alternation is indicator data: a hit means a listed mailbox, a miss says
# nothing about unlisted ones.
describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox
# The score line below is commented out, so no score is assigned in this block.
#score REPTO_419_FRAUD_GM 3.000
tflags REPTO_419_FRAUD_GM publish
##} REPTO_419_FRAUD_GM

##{ REPTO_419_FRAUD_GM_LOOSE

# Fallback for the exact list: fires when the looser sub-rule
# __REPTO_419_FRAUD_GM_LOOSE (defined outside this block) hits and
# REPTO_419_FRAUD_GM did not, so one message is never counted by both.
# Per the describe line it targets Reply-To addresses that end in digits and
# resemble listed mailboxes; the commented-out score (1.000) is lower than the
# strict rule's 3.000.
meta REPTO_419_FRAUD_GM_LOOSE __REPTO_419_FRAUD_GM_LOOSE && !REPTO_419_FRAUD_GM
describe REPTO_419_FRAUD_GM_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_GM_LOOSE 1.000
tflags REPTO_419_FRAUD_GM_LOOSE publish
##} REPTO_419_FRAUD_GM_LOOSE

##{ REPTO_419_FRAUD_HM

# Exact-match list of hotmail.com mailboxes seen as Reply-To collectors in
# advance-fee ("419") fraud mail.
#  - Reply-To:addr tests the first e-mail address found in the Reply-To header.
#  - The (?=...) lookahead gates on the domain before the alternation of local
#    parts is tried; ^...$ makes it a whole-address match and /i ignores case.
# Indicator data only: a hit means a listed mailbox, a miss says nothing about
# unlisted ones.
header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|licewalton7653|n(?:ikal01|nagray00)|zezul\.idrisazezulidris)|c(?:h(?:angxinjuan|oi21)|laytousey)|d(?:ealings100|l13139|r\.dukanalycoulibaly)|egorbunova22|f(?:axttransfer\.skyebk\.service\.care\.th|ridmanmikhail511)|infos(?:43|8)|jacques\.bouchex|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|ulihongm)|m(?:oneygrampayfund|r(?:abrahambeniamfc|pedrohilldonations|s(?:\.chantal_bill|micheleallison2003)))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|powen10001|quickcashloansservices|s(?:a(?:jda\.andleeb|nchamps798)|tuboardgntdirector|ulaimaninfante)|t(?:a(?:baka_williamshsbbc|shacap)|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i
describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox
# The score line below is commented out, so no score is assigned in this block.
#score REPTO_419_FRAUD_HM 3.000
tflags REPTO_419_FRAUD_HM publish
##} REPTO_419_FRAUD_HM

##{ REPTO_419_FRAUD_OL

# Exact-match list of outlook.com mailboxes seen as Reply-To collectors in
# advance-fee ("419") fraud mail.
#  - Reply-To:addr tests the first e-mail address found in the Reply-To header.
#  - The (?=...) lookahead gates on the domain before the alternation of local
#    parts is tried; ^...$ makes it a whole-address match and /i ignores case.
# Indicator data only: a hit means a listed mailbox, a miss says nothing about
# unlisted ones.
header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|b(?:rahamwilliamsonrpsltduk|s0000200)|lbertchebe|ndrewgamble7)|b(?:a(?:rrmarkphillip|sidris)|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn|rancescogaetano01)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|k(?:aujong|officollins)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:\.olhaoschad|_elizabeth20|michelleallison|roseallen))|spvt2020)|olhalytvynenko20|philcohen0012|r(?:ichardwahlfreegrant|obertleeonly01)|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i
describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox
# The score line below is commented out, so no score is assigned in this block.
#score REPTO_419_FRAUD_OL 3.000
tflags REPTO_419_FRAUD_OL publish
##} REPTO_419_FRAUD_OL

##{ REPTO_419_FRAUD_PM

# Exact-match list of protonmail.com mailboxes seen as Reply-To collectors in
# advance-fee ("419") fraud mail.
#  - Reply-To:addr tests the first e-mail address found in the Reply-To header.
#  - The (?=...) lookahead gates on the domain before the alternation of local
#    parts is tried; ^...$ makes it a whole-address match and /i ignores case.
# Indicator data only: a hit means a listed mailbox, a miss says nothing about
# unlisted ones.
header REPTO_419_FRAUD_PM Reply-To:addr =~ /^(?=[^\s<>@]+\@protonmail\.com)(?:(?:armstrong0244|berndkoch|davidmetus|euclaim|p(?:a(?:melagriffi|t\.nwankwo)|rotonydonation)|scottpeter012|the\.trustees1|v\.brianpierre|yihsbltan|ziraatbankasi))\@protonmail\.com$/i
describe REPTO_419_FRAUD_PM Reply-To is known advance fee fraud collector mailbox
# The score line below is commented out, so no score is assigned in this block.
#score REPTO_419_FRAUD_PM 3.000
tflags REPTO_419_FRAUD_PM publish
##} REPTO_419_FRAUD_PM

##{ REPTO_419_FRAUD_QQ

# Exact-match list of qq.com mailboxes seen as Reply-To collectors in
# advance-fee ("419") fraud mail. Several entries are purely numeric local
# parts.
#  - Reply-To:addr tests the first e-mail address found in the Reply-To header.
#  - The (?=...) lookahead gates on the domain before the alternation of local
#    parts is tried; ^...$ makes it a whole-address match and /i ignores case.
# Indicator data only: a hit means a listed mailbox, a miss says nothing about
# unlisted ones.
header REPTO_419_FRAUD_QQ Reply-To:addr =~ /^(?=[^\s<>@]+\@qq\.com)(?:(?:1731419584|2(?:032508290|3(?:72948239|89029403|97857528))|3523284224|akia\.j55|l\.valiant|peterwong20177|qatarfoundation01|wang_cjianlin))\@qq\.com$/i
describe REPTO_419_FRAUD_QQ Reply-To is known advance fee fraud collector mailbox
# The score line below is commented out, so no score is assigned in this block.
#score REPTO_419_FRAUD_QQ 3.000
tflags REPTO_419_FRAUD_QQ publish
##} REPTO_419_FRAUD_QQ

##{ REPTO_419_FRAUD_YH

# Exact-match list of yahoo.com mailboxes seen as Reply-To collectors in
# advance-fee ("419") fraud mail.
#  - Reply-To:addr tests the first e-mail address found in the Reply-To header.
#  - The (?=...) lookahead gates on the domain before the alternation of local
#    parts is tried; ^...$ makes it a whole-address match and /i ignores case.
# Indicator data only: a hit means a listed mailbox, a miss says nothing about
# unlisted ones.
header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|ilmohammed11|lesiakalina2006|mbassador\.l|nnhester\.usa4)|b(?:a(?:che\.delfine|nk\.phbng14|rr\.thomasclark)|e(?:linekra1144|n(?:jaminb34|nicholas22))|illlawrenceee|riceangela45)|c(?:\.aroline90|abinet_maitre_emmanuel_patris|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|ontelamine|ythiamiller\.un10)|d(?:hamilton9099|r(?:_raymondfung|kobiorah|obiorahkenneth|victorobaji))|e(?:denvictor71|ricalbert24)|f(?:bicompensation_funds|ederal\.r73)|i(?:\.project33411|befranfgnfmf|nfomoney|project32411)|j(?:a(?:ckson\.davis915|netemoon150)|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:altschmidtdavid8|elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555)|o(?:an\.assist|rrainewirengee)|y_cheapiseth(?:11|2019))|m(?:\.kogi81|a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis4004|o(?:hammedaahil46|keye79)|rs(?:\.esthernicolas|isabella\.dzesszikan)|s\.gracie_olakun)|o(?:biorahkenneth8|legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|o(?:bertbailey2004|serichard655))|s(?:amthong4040|igurlauganna34|leo25|o(?:ftc2|pheap\.munny)|pwalker101|te(?:fanopessina573|vecox\.98))|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|vanserge2001|will(?:clark0010|smi68)|xianglongdai60|zhaodonghk))\@yahoo\.com$/i
describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox
# The score line below is commented out, so no score is assigned in this block.
#score REPTO_419_FRAUD_YH 3.000
tflags REPTO_419_FRAUD_YH publish
##} REPTO_419_FRAUD_YH

##{ REPTO_419_FRAUD_YH_LOOSE

# Fallback for the exact list: fires when the looser sub-rule
# __REPTO_419_FRAUD_YH_LOOSE (defined outside this block) hits and
# REPTO_419_FRAUD_YH did not, so one message is never counted by both.
# Per the describe line it targets Reply-To addresses that end in digits and
# resemble listed mailboxes; the commented-out score (1.000) is lower than the
# strict rule's 3.000.
meta REPTO_419_FRAUD_YH_LOOSE __REPTO_419_FRAUD_YH_LOOSE && !REPTO_419_FRAUD_YH
describe REPTO_419_FRAUD_YH_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YH_LOOSE 1.000
tflags REPTO_419_FRAUD_YH_LOOSE publish
##} REPTO_419_FRAUD_YH_LOOSE

##{ REPTO_419_FRAUD_YJ

# Exact-match list of yahoo.co.jp mailboxes seen as Reply-To collectors in
# advance-fee ("419") fraud mail.
#  - Reply-To:addr tests the first e-mail address found in the Reply-To header.
#  - The (?=...) lookahead gates on the domain before the alternation of local
#    parts is tried; ^...$ makes it a whole-address match and /i ignores case.
# Indicator data only: a hit means a listed mailbox, a miss says nothing about
# unlisted ones.
header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|oneygram100|rs_chen_00001)|officefile_0112|r(?:acheljude000|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i
describe REPTO_419_FRAUD_YJ Reply-To is known advance fee fraud collector mailbox
# The score line below is commented out, so no score is assigned in this block.
#score REPTO_419_FRAUD_YJ 3.000
tflags REPTO_419_FRAUD_YJ publish
##} REPTO_419_FRAUD_YJ

##{ REPTO_419_FRAUD_YN

# Exact-match list of yandex.com mailboxes seen as Reply-To collectors in
# advance-fee ("419") fraud mail.
#  - Reply-To:addr tests the first e-mail address found in the Reply-To header.
#  - The (?=...) lookahead gates on the domain before the alternation of local
#    parts is tried; ^...$ makes it a whole-address match and /i ignores case.
# Indicator data only: a hit means a listed mailbox, a miss says nothing about
# unlisted ones.
header REPTO_419_FRAUD_YN Reply-To:addr =~ /^(?=[^\s<>@]+\@yandex\.com)(?:(?:a(?:lhashimi123|m(?:andarandle|g3333txx101)|n(?:a\.mariposa|n(?:acooper2019|zainab))|wesome\.mariacarmen)|c(?:harles\.kable|lemlau)|de(?:edee\-paul|jongpeter|ptoversea)|f(?:3dex\.courier|ed\.r3v|reedommarketinvestments)|gadd4fi\.aisha|h(?:ashimireem|halesbbanddd?)|joseph\-scott2k5|l(?:es20sc|otointernational\.elgordo)|m(?:arcarmenguty|fdpm|r(?:\.kongkea|akram\.elkerrami|spercy))|p(?:aragonloansinc|rincedarren0244)|rich(?:ard\.wahl|lawands)|tresor\.mambo|w(?:b\.foundation|ill(?:1amsmarg1|iam(?:simon1960|wilbert1)))|za\.dc2016))\@yandex\.com$/i
describe REPTO_419_FRAUD_YN Reply-To is known advance fee fraud collector mailbox
# The score line below is commented out, so no score is assigned in this block.
#score REPTO_419_FRAUD_YN 3.000
tflags REPTO_419_FRAUD_YN publish
##} REPTO_419_FRAUD_YN

##{ RISK_FREE

# Hits on the sub-rule __FRAUD_IOV unless any of the six negated sub-rules also
# hits. All of them are defined outside this block. Judging by their names the
# exclusions cover unsubscribe links, mailing-list traffic, linked images,
# subscription notices, Re:/Fw: subjects and matching envelope/header From --
# TODO confirm against their definitions.
# No score or tflags line is present in this block.
meta RISK_FREE __FRAUD_IOV && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__SUBSCRIPTION_INFO && !__HS_SUBJ_RE_FW && !__LCL__ENV_AND_HDR_FROM_MATCH
describe RISK_FREE No risk!
##} RISK_FREE

##{ SB_GIF_AND_NO_URIS

# True when __GIF_ATTACH hits and neither __HAS_ANY_URI nor __HAS_ANY_EMAIL
# does. By the names: a GIF attachment in a message that contains no URI and no
# e-mail address (the sub-rules are defined outside this block -- confirm).
# No describe, score or tflags line accompanies the rule here.
meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL)
##} SB_GIF_AND_NO_URIS

##{ SCC_BODY_SINGLE_WORD

# Uses rule values numerically as well as logically. Requires
# T_SCC_BODY_TEXT_LINE < 2, no hit on __EMPTY_BODY or __SMIME_MESSAGE, and
# either (__SINGLE_WORD_LINE hit while __SINGLE_WORD_SUBJ did not) or more than
# one hit of __SINGLE_WORD_LINE.
# NOTE(review): the "< 2" and "> 1" comparisons only act as hit counts if the
# referenced rules carry "tflags multiple"; they are defined outside this
# block -- confirm.
meta SCC_BODY_SINGLE_WORD T_SCC_BODY_TEXT_LINE < 2 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1)
describe SCC_BODY_SINGLE_WORD Message body seems like one word
##} SCC_BODY_SINGLE_WORD

##{ SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

# Loaded only when the MIMEHeader plugin is available. The published rule is a
# plain alias of the sub-rule __SCC_BOGUS_CTE_1; the actual test of the
# Content-Transfer-Encoding header is defined outside this block.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta SCC_BOGUS_CTE_1 __SCC_BOGUS_CTE_1
describe SCC_BOGUS_CTE_1 Bogus Content-Transfer-Encoding header
tflags SCC_BOGUS_CTE_1 publish
endif
##} SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ SCC_CANSPAM_1

# Literal phrase match against the rendered message body. There is no /i
# modifier, so the match is case-sensitive.
# No score or tflags line is present in this block.
describe SCC_CANSPAM_1 Interesting compliance language
body SCC_CANSPAM_1 /The advertiser does not manage your subscription/
##} SCC_CANSPAM_1

##{ SCC_CANSPAM_2

# Literal phrase match against the rendered message body. There is no /i
# modifier, so the match is case-sensitive.
# No score or tflags line is present in this block.
describe SCC_CANSPAM_2 Interesting compliance language
body SCC_CANSPAM_2 /you may unsubscribe by clicking here or by writing to/
##} SCC_CANSPAM_2

##{ SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

# Loaded only when the MIMEHeader plugin is available. The published rule is a
# plain alias of the sub-rule __SCC_CTMPP; which Content-Type it considers
# uncommon is decided by that sub-rule, defined outside this block.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
describe SCC_CTMPP Uncommon Content-Type
meta SCC_CTMPP __SCC_CTMPP
tflags SCC_CTMPP publish
endif
##} SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

##{ SCC_ISEMM_LID_1

# Matches the literal sequence "54,55,56,58,53" anywhere in the X-Mailer-LID
# header (the pattern is unanchored).
# Any header value that matches here also matches SCC_ISEMM_LID_1A and
# SCC_ISEMM_LID_1B in this file, so the three rules can fire together on one
# message; keep that in mind when assigning scores.
describe SCC_ISEMM_LID_1 Fingerprint of a particular spammer using an old spamware
header SCC_ISEMM_LID_1 X-Mailer-LID =~ /54,55,56,58,53/
tflags SCC_ISEMM_LID_1 publish
# The score line below is commented out, so no score is assigned in this block.
#score SCC_ISEMM_LID_1 3.5
##} SCC_ISEMM_LID_1

##{ SCC_ISEMM_LID_1A

# Matches the literal sequence "54,55,56," anywhere in the X-Mailer-LID header
# (unanchored). That string is the start of the SCC_ISEMM_LID_1 pattern, so
# this rule hits on everything SCC_ISEMM_LID_1 hits, plus other values sharing
# the prefix; both rules can therefore fire on the same message.
describe SCC_ISEMM_LID_1A Fingerprint of a particular spammer using an old spamware
header SCC_ISEMM_LID_1A X-Mailer-LID =~ /54,55,56,/
tflags SCC_ISEMM_LID_1A publish
# The score line below is commented out, so no score is assigned in this block.
#score SCC_ISEMM_LID_1A 3.5
##} SCC_ISEMM_LID_1A

##{ SCC_ISEMM_LID_1B

# Broadest of the X-Mailer-LID rules: [56][0-9], is a two-digit number from 50
# to 69 followed by a comma. The pattern is unanchored, so one such item
# anywhere in the header is enough; the + quantifier does not narrow the match.
# It also hits on everything SCC_ISEMM_LID_1 and SCC_ISEMM_LID_1A hit. The
# commented-out score (1.5) is lower than theirs (3.5).
describe SCC_ISEMM_LID_1B Genericized spammer fingerprint
header SCC_ISEMM_LID_1B X-Mailer-LID =~ /(?:[56][0-9],)+/
tflags SCC_ISEMM_LID_1B publish
#score SCC_ISEMM_LID_1B 1.5
##} SCC_ISEMM_LID_1B

##{ SCC_SPAMMER_ADDR_2

# Literal, case-sensitive match of a street-address string in the rendered
# message body; the describe line treats it as one sender's fingerprint.
# NOTE(review): nothing here ties the match to a sender, so any mail that
# quotes the same address would also hit. No score or tflags line is present in
# this block.
describe SCC_SPAMMER_ADDR_2 Fingerprint of a particular spammer
body SCC_SPAMMER_ADDR_2 /6130 W Flamingo Rd/
##} SCC_SPAMMER_ADDR_2

##{ SCC_SPECIAL_GUID

# Looks in the raw body for a line made up solely of hex groups shaped
# 8-4-3-3-12, where the two 3-digit groups are identical (capture group 1 and
# the \1 backreference). The /m modifier lets ^ and $ anchor at line boundaries.
# A standard textual UUID is 8-4-4-4-12, so this shape is not a well-formed
# UUID.
describe SCC_SPECIAL_GUID Unique in a similar way
rawbody SCC_SPECIAL_GUID /^[[:xdigit:]]{8}-[[:xdigit:]]{4}-([[:xdigit:]]{3})-\1-[[:xdigit:]]{12}$/m
# multiple lets the rule count repeated hits in one message; maxhits=15 caps
# that count.
tflags SCC_SPECIAL_GUID publish multiple maxhits=15
##} SCC_SPECIAL_GUID

##{ SENDGRID_REDIR_PHISH

# Published alias of the sub-rule __SENDGRID_REDIR_PHISH. The redirect-URI test
# and the "phishing signs" named in the describe line are implemented in that
# sub-rule, defined outside this block.
meta SENDGRID_REDIR_PHISH __SENDGRID_REDIR_PHISH
describe SENDGRID_REDIR_PHISH Redirect URI via Sendgrid + phishing signs
# The score line below is commented out, so no score is assigned in this block.
#score SENDGRID_REDIR_PHISH 3.500 # limit
tflags SENDGRID_REDIR_PHISH publish
##} SENDGRID_REDIR_PHISH

##{ SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

# Loaded only when both guards hold: SpamAssassin version >= 3.004002 and the
# WLBLEval plugin is available.
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
# Needs __FROM_ADDRLIST_SUSPNTLD plus at least one of the two SEO sub-rules
# (their values are added and compared with 1). All three are defined outside
# this block.
meta SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1)
tflags SEO_SUSP_NTLD publish
describe SEO_SUSP_NTLD SEO offer from suspicious TLD
#score SEO_SUSP_NTLD 1.2 # limit
endif
endif
##} SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ SHOPIFY_IMG_NOT_RCVD_SFY

# Hits on the sub-rule __SHOPIFY_IMG_NOT_RCVD_SFY unless any of the eight
# negated rules also hits. All of them are defined outside this block. The
# exclusions read as signals of ordinary bulk or marketing mail (unsubscribe
# URI, campaign id, Sender/Organization headers, ...) -- inferred from the
# names, confirm against their definitions.
meta SHOPIFY_IMG_NOT_RCVD_SFY __SHOPIFY_IMG_NOT_RCVD_SFY && !MIME_QP_LONG_LINE && !__RCD_RDNS_MTA_MESSY && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_ORGANIZATION && !__RCD_RDNS_OB && !__DOS_LINK
# The score line below is commented out, so no score is assigned in this block.
#score SHOPIFY_IMG_NOT_RCVD_SFY 2.500 # limit
describe SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not from Shopify
tflags SHOPIFY_IMG_NOT_RCVD_SFY publish
##} SHOPIFY_IMG_NOT_RCVD_SFY

##{ SHORTENED_URL_SRC

# Flags an HTML tag in the raw body whose src attribute points at one of the
# listed short-link hosts. The pattern reads: '<', 1-99 characters other than
# '>', whitespace, "src=", at most one non-word character (typically a quote),
# http:// or https://, a listed host, '/', then at least three characters other
# than '/'.
# No describe, score or tflags line is attached here.
# NOTE(review): unlike most patterns in this file there is no /i modifier, so
# the match is case-sensitive; confirm that is intended.
rawbody SHORTENED_URL_SRC /<[^>]{1,99}\ssrc=\W?https?:\/\/(?:bit\.ly|bit\.do|buff\.ly|tinyurl\.com|ow\.ly|owl\.li|is\.gd|tumblr\.com|mysp\.ac|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|goo\.io|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|ecs\.page\.link|cc\.uz|smarturl\.it|s\.apache\.org)\/[^\/]{3}/
##} SHORTENED_URL_SRC

##{ SHORTENER_SHORT_IMG

# Combination rule: requires both __URL_SHORTENER and HTML_SHORT_LINK_IMG_1,
# which are defined outside this block. Neither signal triggers this rule on
# its own.
meta SHORTENER_SHORT_IMG __URL_SHORTENER && HTML_SHORT_LINK_IMG_1
describe SHORTENER_SHORT_IMG Short HTML + image + URL shortener
# The score line below is commented out, so no score is assigned in this block.
#score SHORTENER_SHORT_IMG 2.500 # limit
tflags SHORTENER_SHORT_IMG publish
##} SHORTENER_SHORT_IMG

##{ SHORT_HELO_AND_INLINE_IMAGE

# Combination rule: requires both __HELO_NO_DOMAIN and __ANY_IMAGE_ATTACH,
# which are defined outside this block. By the names: a HELO string without a
# domain part together with an image attachment -- confirm against the
# sub-rule definitions.
# No score or tflags line is present in this block.
meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)
describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
##} SHORT_HELO_AND_INLINE_IMAGE

##{ SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

# Loaded only when both guards hold: SpamAssassin version >= 3.004002 and the
# WLBLEval plugin is available.
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
# All three sub-rules must hit; they are defined outside this block. By the
# names: body shorter than 1024, an HTML linked image, and a From address on
# the suspicious-TLD address list -- confirm against their definitions.
meta SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD
tflags SHORT_IMG_SUSP_NTLD publish
describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD
#score SHORT_IMG_SUSP_NTLD 1.5 # limit
endif
endif
##} SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

##{ SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

# Loaded only when the WLBLEval plugin is available and the SpamAssassin
# version is >= 3.004000.
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
# Requires __PDS_MSG_512 and __URL_SHORTENER and is suppressed when
# DRUGS_ERECTILE hits; all three are defined outside this block.
# The rule name is spelled SHORT_SHORTNER; keep that spelling when referring to
# it from score or meta lines.
meta SHORT_SHORTNER __PDS_MSG_512 && __URL_SHORTENER && !DRUGS_ERECTILE
describe SHORT_SHORTNER Short body with little more than a link to a shortener
#score SHORT_SHORTNER 2.0 # limit
endif
endif
##} SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)

##{ SHORT_TERM_PRICE

# Case-insensitive body match for "short term" followed by "target" or
# "projected", with one or more non-word characters between the words. The
# trailing "price" group is optional, so it does not change whether the rule
# hits.
# No describe, score or tflags line is present in this block.
body SHORT_TERM_PRICE /short\W+term\W+(?:target|projected)(?:\W+price)?/i
##} SHORT_TERM_PRICE

##{ SHY_OBFU_EXPIRE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

# Loaded only when the ReplaceTags plugin is available. The published rule is a
# plain alias of the sub-rule __SHY_OBFU_EXPIRE, defined outside this block.
# NOTE(review): the name suggests an obfuscated form of "expire" (SHY
# presumably stands for soft hyphen) -- confirm against the sub-rule.
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 meta SHY_OBFU_EXPIRE __SHY_OBFU_EXPIRE
 describe SHY_OBFU_EXPIRE Obfuscation, probable phishing
# score SHY_OBFU_EXPIRE 4.000 # limit
 tflags SHY_OBFU_EXPIRE publish
endif
##} SHY_OBFU_EXPIRE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ SHY_OBFU_PASSWORD ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

# Loaded only when the ReplaceTags plugin is available. The published rule is a
# plain alias of the sub-rule __SHY_OBFU_PASSWORD, defined outside this block.
# NOTE(review): the name suggests an obfuscated form of "password" (SHY
# presumably stands for soft hyphen) -- confirm against the sub-rule.
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
 meta SHY_OBFU_PASSWORD __SHY_OBFU_PASSWORD
 describe SHY_OBFU_PASSWORD Obfuscation, probable phishing
# score SHY_OBFU_PASSWORD 4.000 # limit
 tflags SHY_OBFU_PASSWORD publish
endif
##} SHY_OBFU_PASSWORD ifplugin Mail::SpamAssassin::Plugin::ReplaceTags

##{ SPAMMY_XMAILER

# Hits when any one of five __XM_OL_* sub-rules hits. The sub-rules are defined
# outside this block; the suffixes look like mail-client build numbers --
# presumably specific X-Mailer version strings, confirm.
# X-Mailer is set by the sender, so this is a weak signal on its own. No score
# or tflags line is present in this block.
meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4)
describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham
##} SPAMMY_XMAILER

4006##{ SPAM_CWINDOWSNET
4007
# URI rule, case-insensitive: matches http/https links whose first host
# label is one of a fixed list of names and is immediately followed by
# .blob.core.windows.net or .web.core.windows.net and a "/".
# The lookahead first requires that suffix somewhere in the host part; the
# alternation then pins the leading label to a listed name.
# The list is a static snapshot of hosts described as known spam or
# phishing hosting. A host under the same suffixes that is not listed does
# not match, so coverage depends on how recently the rules were updated;
# treat this as one signal alongside URL reputation checks, not a
# replacement for them.
54c714b2 4008uri SPAM_CWINDOWSNET m;^https?://(?=[^/]+\.(?:blob|web)\.core\.windows\.net)(?:(?:aaaa(?:aahadii5[89]|bbbbcdertfer(?:131|34))|b(?:9jwpncnsz2cg5bpbojgl|bbbccccddester61|c(?:kfomepldjxbehakdmem|nejjdolasiejdbcdhc)|dkbazmjnlvajmjjszdc|fnrikamdplejxxhd|ulkma(?:ilmanager(?:im|snrperk|m)|nhegeteam))|c(?:alivokavoaka|hfkeodlemajchebdhxdh|j(?:dejcpmalxokejcbdhsjd|flzpmidhwbcxhejdk)|n(?:djekdomalsijebqqhzs|fjelmsplekxjbshdje|rdnahxbhdjoalxkejd))|d(?:f(?:jmteeymhimuokqbwio|keoledjxbdheuakje)|hjepmalqkdbxheuajd|j(?:f(?:lepma(?:hxbdhasjdk|skdjxbhduejdkz)|oemapxkejxbdhed)|k(?:foepaljdhxvsgqhse|rolemalxjebehsyejd))|lrmeclforjbxheajsbdhe|sfgdfgsdfg)|e(?:6tidwa3xtdxsxrv6fevh|fnzewdwwwxdormvkltxqj|riogsnkdqsdqsd32l|wialtlgncnagaebsuohhsz)|f(?:j(?:flzpcmlrnxheilsdejdl|romlfjdhxbcgdyejhdh)|lropmedjxbexbdzhsd|mdplenxyejxbqgesk|pmrlcnruhwvxcsdrzt)|greatetchtoaitechnologyh|h(?:ckrpmzlcxrjzhxbejakdlem|djeialqmeporutncdbhqs)|jc(?:hdiepmaldiejxbhs|k(?:diemaoslejxbqhas|rmlzsxbhejalselma)|lrfpemdlxbehaksme|rkeldoeamdloruxbdhe)|kcleo(?:dmalejdbshekdje|maplejwbahqegsv)|l(?:djebxueomrplcnbsgxve|inkbulkmailpromanager)|mvkcjoigfks|n(?:6w479nhk1tkyo6u1p844s|ckfomeldncejdjsbdhjdxbd|fnybcmyhaaphiglbzra)|o(?:ovgienjzlmmfkmwoyep|penbankstonecdn)|relashwpakcbe2cjehsed|shdkrodmpcndjshedg|u(?:lqdjksdsdsd3sd|rqjlnefdqsdfik2k)|xbvomrplzncxhrbdgsd|z(?:ahriiana59|c2mjw9btnqfgw6ps7ex)))\.(?:blob|web)\.core\.windows\.net/;i
151f49fd
SI
4009describe SPAM_CWINDOWSNET Link to known hosted spam or phishing content
4010#score SPAM_CWINDOWSNET 3.500
4011tflags SPAM_CWINDOWSNET publish
4012##} SPAM_CWINDOWSNET
4013
4014##{ SPOOFED_FREEMAIL
4015
# Meta rule: __SPOOFED_FREEMAIL, suppressed when any of the negated
# sub-rules hits. Judging by their names the exclusions cover replies and
# threads, known-good freemail, and mail received via Google or T-Online;
# confirm against the sub-rule definitions, which are outside this block.
# "tflags net" marks this as a network test, so it is not evaluated when
# network tests are disabled.
# No describe line is set here. SPOOF_GMAIL_MID references this rule by
# name, so changes to this rule also affect that meta.
4016meta SPOOFED_FREEMAIL __SPOOFED_FREEMAIL && !__HAS_IN_REPLY_TO && !__FS_SUBJ_RE && !__MSGID_GUID && !__freemail_safe && !__THREADED && !__HDRS_LCASE_KNOWN && !__HDR_RCVD_GOOGLE && !__HDR_RCVD_TONLINEDE
4017#score SPOOFED_FREEMAIL 2.000 # limit
4018tflags SPOOFED_FREEMAIL net
4019##} SPOOFED_FREEMAIL
4020
4021##{ SPOOFED_FREEMAIL_NO_RDNS
4022
4023meta SPOOFED_FREEMAIL_NO_RDNS __SPOOFED_FREEMAIL && __RDNS_NONE
4024describe SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
4025#score SPOOFED_FREEMAIL_NO_RDNS 1.5
4026##} SPOOFED_FREEMAIL_NO_RDNS
4027
4028##{ SPOOFED_FREEM_REPTO
4029
4030meta SPOOFED_FREEM_REPTO __SPOOFED_FREEM_REPTO && !__AC_TINY_FONT && !__HAS_IN_REPLY_TO && !__HAS_THREAD_INDEX
4031describe SPOOFED_FREEM_REPTO Forged freemail sender with freemail reply-to
4032#score SPOOFED_FREEM_REPTO 2.500
4033tflags SPOOFED_FREEM_REPTO net publish
4034##} SPOOFED_FREEM_REPTO
4035
4036##{ SPOOFED_FREEM_REPTO_CHN
4037
4038meta SPOOFED_FREEM_REPTO_CHN (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM
4039describe SPOOFED_FREEM_REPTO_CHN Forged freemail sender with Chinese freemail reply-to
4040#score SPOOFED_FREEM_REPTO_CHN 3.500
4041tflags SPOOFED_FREEM_REPTO_CHN net publish
4042##} SPOOFED_FREEM_REPTO_CHN
4043
4044##{ SPOOFED_FREEM_REPTO_RUS
4045
4046meta SPOOFED_FREEM_REPTO_RUS (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_RUS_FREEM
4047describe SPOOFED_FREEM_REPTO_RUS Forged freemail sender with Russian freemail reply-to
4048#score SPOOFED_FREEM_REPTO_RUS 3.500
4049tflags SPOOFED_FREEM_REPTO_RUS net publish
4050##} SPOOFED_FREEM_REPTO_RUS
4051
4052##{ SPOOF_GMAIL_MID
4053
46cfc9e2 4054meta SPOOF_GMAIL_MID SPOOFED_FREEMAIL && __PDS_SPOOF_GMAIL_MID
4055#score SPOOF_GMAIL_MID 1.5
4056describe SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...
4057##} SPOOF_GMAIL_MID
4058
4059##{ STATIC_XPRIO_OLE
4060
4061meta STATIC_XPRIO_OLE __STATIC_XPRIO_OLE
4062describe STATIC_XPRIO_OLE Static RDNS + X-Priority + MIMEOLE
4063#score STATIC_XPRIO_OLE 2.000 # limit
4064tflags STATIC_XPRIO_OLE publish
4065##} STATIC_XPRIO_OLE
4066
4067##{ STOCK_IMG_CTYPE
4068
4069meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY)
4070describe STOCK_IMG_CTYPE Stock spam image part, with distinctive Content-Type header
4071##} STOCK_IMG_CTYPE
4072
4073##{ STOCK_IMG_HDR_FROM
4074
4075meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)
4076describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line
4077##} STOCK_IMG_HDR_FROM
4078
4079##{ STOCK_IMG_HTML
4080
4081meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY)
4082describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML
4083##} STOCK_IMG_HTML
4084
4085##{ STOCK_IMG_OUTLOOK
4086
4087meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048)
4088describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features
4089##} STOCK_IMG_OUTLOOK
4090
4091##{ STOCK_PRICES
4092
4093meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE)
4094##} STOCK_PRICES
4095
4096##{ STOCK_TIP
4097
4098meta STOCK_TIP __STOCK_TIP && !__DKIM_EXISTS
4099describe STOCK_TIP Stock tips
4100#score STOCK_TIP 3.000 # limit
4101tflags STOCK_TIP publish
4102##} STOCK_TIP
4103
4104##{ STOX_AND_PRICE
4105
4106meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE
4107##} STOX_AND_PRICE
4108
4109##{ STOX_REPLY_TYPE
4110
# Header rule on Content-Type: "text/plain; " followed later in the same
# value by " reply-type=original". The match is case-sensitive and not
# anchored. No describe or score is set here; STOX_AND_PRICE and
# STOX_REPLY_TYPE_WITHOUT_QUOTES use this rule as an input.
4111header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/
4112##} STOX_REPLY_TYPE
4113
4114##{ STOX_REPLY_TYPE_WITHOUT_QUOTES
4115
4116meta STOX_REPLY_TYPE_WITHOUT_QUOTES (STOX_REPLY_TYPE && !(__HS_SUBJ_RE_FW || __HS_QUOTE))
4117##} STOX_REPLY_TYPE_WITHOUT_QUOTES
4118
4119##{ SUBJECT_NEEDS_ENCODING
4120
4121meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME
31955ede 4122describe SUBJECT_NEEDS_ENCODING Subject includes non-encoded illegal characters
4123##} SUBJECT_NEEDS_ENCODING
4124
4125##{ SUBJ_BRKN_WORDNUMS
4126
# This section carries only the description and a commented-out score.
# The meta expression itself is defined in the two SUBJ_BRKN_WORDNUMS
# sections that follow in the file: one used when the DKIM plugin is not
# loaded, and one (with extra exclusions) used when it is.
4127#score SUBJ_BRKN_WORDNUMS 1.500 # limit
4128describe SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers
4129##} SUBJ_BRKN_WORDNUMS
4130
4131##{ SUBJ_BRKN_WORDNUMS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
4132
4133if !plugin(Mail::SpamAssassin::Plugin::DKIM)
4134 meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS
4135endif
4136##} SUBJ_BRKN_WORDNUMS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
4137
4138##{ SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM
4139
4140ifplugin Mail::SpamAssassin::Plugin::DKIM
4141 meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER
4142endif
4143##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM
4144
4145##{ SUBJ_UNNEEDED_HTML
4146
4147meta SUBJ_UNNEEDED_HTML __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML
4148describe SUBJ_UNNEEDED_HTML Unneeded HTML formatting in Subject:
4149##} SUBJ_UNNEEDED_HTML
4150
4151##{ SUSP_UTF8_WORD_FROM
4152
4153meta SUSP_UTF8_WORD_FROM __4BYTE_UTF8_WORD_FROM
4154describe SUSP_UTF8_WORD_FROM Word in From name using only suspicious UTF-8 characters
4155#score SUSP_UTF8_WORD_FROM 2.000 # limit
4156##} SUSP_UTF8_WORD_FROM
4157
54c714b2 4158##{ SUSP_UTF8_WORD_SUBJ
fc5290a3 4159
4160meta SUSP_UTF8_WORD_SUBJ __4BYTE_UTF8_WORD_SUBJ
4161describe SUSP_UTF8_WORD_SUBJ Word in Subject using only suspicious UTF-8 characters
4162#score SUSP_UTF8_WORD_SUBJ 2.000 # limit
4163##} SUSP_UTF8_WORD_SUBJ
fc5290a3 4164
4165##{ SYSADMIN
4166
# Meta rule for mail that claims to come from the recipient's IT
# department (see description): __SYSADMIN, suppressed when the message
# is ALL_TRUSTED or when any of the other negated sub-rules hits.
# NOTE(review): one exclusion is !__DKIM_EXISTS. If that sub-rule only
# tests that a signature header is present, rather than that it verifies,
# the exclusion is broader than "authenticated mail" -- confirm against
# its definition, which is outside this block.
4167meta SYSADMIN __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS
4168describe SYSADMIN Supposedly from your IT department
4169#score SYSADMIN 3.500 # limit
4170tflags SYSADMIN publish
4171##} SYSADMIN
4172
4173##{ TAGSTAT_IMG_NOT_RCVD_TGST
4174
4175meta TAGSTAT_IMG_NOT_RCVD_TGST __TAGSTAT_IMG_NOT_RCVD_TGST
4176#score TAGSTAT_IMG_NOT_RCVD_TGST 2.000 # limit
4177describe TAGSTAT_IMG_NOT_RCVD_TGST Tagstat hosted image but message not from Tagstat
4178tflags TAGSTAT_IMG_NOT_RCVD_TGST publish
4179##} TAGSTAT_IMG_NOT_RCVD_TGST
4180
4181##{ TARINGANET_IMG_NOT_RCVD_TN
4182
4183meta TARINGANET_IMG_NOT_RCVD_TN __TARINGANET_IMG_NOT_RCVD_TN
4184#score TARINGANET_IMG_NOT_RCVD_TN 2.000 # limit
4185describe TARINGANET_IMG_NOT_RCVD_TN media.taringa.net hosted image but message not from taringa.net
4186tflags TARINGANET_IMG_NOT_RCVD_TN publish
4187##} TARINGANET_IMG_NOT_RCVD_TN
4188
4189##{ TBIRD_SUSP_MIME_BDRY
4190
4191meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
4192describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary
4193##} TBIRD_SUSP_MIME_BDRY
4194
4195##{ TEQF_USR_IMAGE
4196
4197meta TEQF_USR_IMAGE __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH
4198describe TEQF_USR_IMAGE To and from user nearly same + image
4199tflags TEQF_USR_IMAGE publish
4200##} TEQF_USR_IMAGE
4201
4202##{ TEQF_USR_MSGID_HEX
4203
4204meta TEQF_USR_MSGID_HEX __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2
4205describe TEQF_USR_MSGID_HEX To and from user nearly same + unusual message ID
4206tflags TEQF_USR_MSGID_HEX publish
4207##} TEQF_USR_MSGID_HEX
4208
4209##{ TEQF_USR_MSGID_MALF
4210
4211meta TEQF_USR_MSGID_MALF __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2
4212describe TEQF_USR_MSGID_MALF To and from user nearly same + malformed message ID
4213tflags TEQF_USR_MSGID_MALF publish
4214##} TEQF_USR_MSGID_MALF
4215
4216##{ THEBAT_UNREG
4217
# Header rule on X-Mailer: the value must start with "The Bat! ", contain
# at most 20 further characters, and end with " UNREG". Anchored at both
# ends and case-sensitive. No describe or score is set in this block.
4218header THEBAT_UNREG X-Mailer =~ /^The Bat! .{0,20} UNREG$/
4219##} THEBAT_UNREG
4220
4221##{ THIS_AD
4222
4223meta THIS_AD __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD
4224describe THIS_AD "This ad" and variants
4225tflags THIS_AD publish
4226##} THIS_AD
4227
4228##{ THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4229
4230if (version >= 3.004002)
4231ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4232meta THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __ADMITS_SPAM
4233tflags THIS_IS_ADV_SUSP_NTLD publish
4234describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD
4235#score THIS_IS_ADV_SUSP_NTLD 1.5 # limit
4236endif
4237endif
4238##} THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4239
4240##{ TONLINE_FAKE_DKIM
4241
# Meta rule: hits when __HDR_RCVD_TONLINEDE and __DKIM_EXISTS both hit,
# i.e. a message that appears to have passed through t-online.de and also
# carries DKIM.
# NOTE(review): the rule rests on the premise stated in the description,
# that t-online.de does not sign mail with DKIM. That is a statement about
# one provider's practice at the time the rule was written; if the
# provider's practice changes, this rule produces false positives. Confirm
# the premise still holds before raising the score.
4242meta TONLINE_FAKE_DKIM __HDR_RCVD_TONLINEDE && __DKIM_EXISTS
4243describe TONLINE_FAKE_DKIM t-online.de doesn't do DKIM
4244#score TONLINE_FAKE_DKIM 3.000 # limit
4245tflags TONLINE_FAKE_DKIM publish
4246##} TONLINE_FAKE_DKIM
4247
4248##{ TO_EQ_FM_DIRECT_MX
4249
4250meta TO_EQ_FM_DIRECT_MX __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED
4251describe TO_EQ_FM_DIRECT_MX To == From and direct-to-MX
4252#score TO_EQ_FM_DIRECT_MX 2.500 # limit
4253tflags TO_EQ_FM_DIRECT_MX publish
4254##} TO_EQ_FM_DIRECT_MX
4255
4256##{ TO_EQ_FM_DOM_HTML_IMG
4257
4258meta TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD
4259describe TO_EQ_FM_DOM_HTML_IMG To domain == From domain and HTML image link
4260##} TO_EQ_FM_DOM_HTML_IMG
4261
4262##{ TO_EQ_FM_DOM_HTML_ONLY
4263
4264meta TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FM_DOM_HTML_ONLY && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__FM_TO_ALL_NUMS && !__FROM_LOWER && !__HAS_IN_REPLY_TO && !__BUGGED_IMG && !__FROM_ENCODED_QP && !__MSGID_OK_HEX
4265describe TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only
4266##} TO_EQ_FM_DOM_HTML_ONLY
4267
4268##{ TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4269
# Meta rule for mail whose To and From domains are the same and whose
# SPF check failed (see description): __TO_EQ_FM_DOM_SPF_FAIL, suppressed
# for threaded messages and for ALL_TRUSTED mail.
# Only compiled when the SPF plugin is loaded. "tflags net" marks it as a
# network test, so it is not evaluated when network tests are disabled.
4270ifplugin Mail::SpamAssassin::Plugin::SPF
4271 meta TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
4272 describe TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed
4273 tflags TO_EQ_FM_DOM_SPF_FAIL net
4274endif
4275##} TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4276
4277##{ TO_EQ_FM_HTML_ONLY
4278
4279meta TO_EQ_FM_HTML_ONLY __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTER
4280describe TO_EQ_FM_HTML_ONLY To == From and HTML only
4281##} TO_EQ_FM_HTML_ONLY
4282
4283##{ TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4284
# Meta rule for mail whose To and From are the same and whose SPF check
# failed (see description): __TO_EQ_FM_SPF_FAIL, suppressed for threaded
# messages and for ALL_TRUSTED mail.
# Only compiled when the SPF plugin is loaded. "tflags net" marks it as a
# network test, so it is not evaluated when network tests are disabled.
4285ifplugin Mail::SpamAssassin::Plugin::SPF
4286 meta TO_EQ_FM_SPF_FAIL __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
4287 describe TO_EQ_FM_SPF_FAIL To == From and external SPF failed
4288 tflags TO_EQ_FM_SPF_FAIL net
4289endif
4290##} TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4291
4292##{ TO_IN_SUBJ
4293
4294meta TO_IN_SUBJ __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW
4295describe TO_IN_SUBJ To address is in Subject
4296tflags TO_IN_SUBJ publish
4297#score TO_IN_SUBJ 0.1
4298##} TO_IN_SUBJ
4299
4300##{ TO_NAME_SUBJ_NO_RDNS
4301
4302meta TO_NAME_SUBJ_NO_RDNS LOCALPART_IN_SUBJECT && __RDNS_NONE
4303describe TO_NAME_SUBJ_NO_RDNS Recipient username in subject + no rDNS
4304#score TO_NAME_SUBJ_NO_RDNS 3.000 # limit
4305tflags TO_NAME_SUBJ_NO_RDNS publish
4306##} TO_NAME_SUBJ_NO_RDNS
4307
4308##{ TO_NO_BRKTS_FROM_MSSP
4309
4310meta TO_NO_BRKTS_FROM_MSSP __TO_NO_BRKTS_FROM_RUNON && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__TO___LOWER && !__BUGGED_IMG && !__SUBJECT_ENCODED_QP && !__VIA_ML && !__FR_SPACING_8 && !__TAG_EXISTS_CENTER && !__RCVD_ZIXMAIL && !__RP_MATCHES_RCVD && !__HAS_SENDER
4311#score TO_NO_BRKTS_FROM_MSSP 2.50 # max
4312describe TO_NO_BRKTS_FROM_MSSP Multiple header formatting problems
4313##} TO_NO_BRKTS_FROM_MSSP
4314
4315##{ TO_NO_BRKTS_HTML_IMG
4316
4317meta TO_NO_BRKTS_HTML_IMG __TO_NO_BRKTS_HTML_IMG && !__FM_TO_ALL_NUMS && !__FROM_FULL_NAME && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__HAS_SENDER && !__THREADED && !__LONGLINE
4318describe TO_NO_BRKTS_HTML_IMG To: lacks brackets and HTML and one image
4319#score TO_NO_BRKTS_HTML_IMG 2.000 # limit
4320tflags TO_NO_BRKTS_HTML_IMG publish
4321##} TO_NO_BRKTS_HTML_IMG
4322
4323##{ TO_NO_BRKTS_HTML_ONLY
4324
4325meta TO_NO_BRKTS_HTML_ONLY __TO_NO_BRKTS_HTML_ONLY && !RDNS_NONE && !__MIME_QP && !__MSGID_JAVAMAIL && !__CTYPE_CHARSET_QUOTED && !__SUBJECT_ENCODED_B64 && !__VIA_ML && !__MSGID_BEFORE_RECEIVED && !__MIME_BASE64 && !__RCD_RDNS_MAIL_MESSY && !__COMMENT_EXISTS && !LOTS_OF_MONEY && !__TAG_EXISTS_CENTER && !__UPPERCASE_URI && !__UNSUB_LINK && !__RCD_RDNS_MX_MESSY && !__DKIM_EXISTS && !__BUGGED_IMG && !__FM_TO_ALL_NUMS && !__URI_12LTRDOM && !__RDNS_NO_SUBDOM && !__HDRS_LCASE && !__LCL__ENV_AND_HDR_FROM_MATCH
4326#score TO_NO_BRKTS_HTML_ONLY 2.00 # limit
4327describe TO_NO_BRKTS_HTML_ONLY To: lacks brackets and HTML only
4328tflags TO_NO_BRKTS_HTML_ONLY publish
4329##} TO_NO_BRKTS_HTML_ONLY
4330
4331##{ TO_NO_BRKTS_MSFT
4332
4333meta TO_NO_BRKTS_MSFT __TO_NO_BRKTS_MSFT && !__VIA_ML && !__LYRIS_EZLM_REMAILER && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__UNSUB_LINK && !__NOT_SPOOFED && !__DOS_HAS_LIST_UNSUB && !__NAME_EQ_EMAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__HAS_THREAD_INDEX && !__HAS_X_REF && !__HAS_IN_REPLY_TO && !__FROM_ENCODED_QP && !__RP_MATCHES_RCVD
4334describe TO_NO_BRKTS_MSFT To: lacks brackets and supposed Microsoft tool
4335#score TO_NO_BRKTS_MSFT 2.50 # limit
4336##} TO_NO_BRKTS_MSFT
4337
4338##{ TO_NO_BRKTS_NORDNS_HTML
4339
4340meta TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_NORDNS_HTML && !ALL_TRUSTED && !__MSGID_JAVAMAIL && !__MSGID_BEFORE_RECEIVED && !__VIA_ML && !__UA_MUTT && !__COMMENT_EXISTS && !__HTML_LENGTH_384 && !__MIME_BASE64 && !__UPPERCASE_URI && !__TO___LOWER && !__TAG_EXISTS_CENTER && !__LONGLINE && !__DKIM_EXISTS
4341#score TO_NO_BRKTS_NORDNS_HTML 2.00 # limit
4342describe TO_NO_BRKTS_NORDNS_HTML To: lacks brackets and no rDNS and HTML only
4343tflags TO_NO_BRKTS_NORDNS_HTML publish
4344##} TO_NO_BRKTS_NORDNS_HTML
4345
4346##{ TO_NO_BRKTS_PCNT
4347
4348meta TO_NO_BRKTS_PCNT __TO_NO_BRKTS_PCNT && !__SUBJECT_ENCODED_B64 && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__ISO_2022_JP_DELIM && !__IMS_MSGID && !__THREAD_INDEX_GOOD && !__RCD_RDNS_MX_MESSY && !__UNSUB_LINK && !__LONGLINE && !URI_HEX && !__RP_MATCHES_RCVD && !__MAIL_LINK && !__BUGGED_IMG && !__MIME_QP && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_X_MAILER && !__HTML_LINK_IMAGE && !__SENDER_BOT && !__DKIM_EXISTS && !__KHOP_NO_FULL_NAME && !__THREADED
4349describe TO_NO_BRKTS_PCNT To: lacks brackets + percentage
4350#score TO_NO_BRKTS_PCNT 2.50 # limit
4351tflags TO_NO_BRKTS_PCNT publish
4352##} TO_NO_BRKTS_PCNT
4353
4354##{ TO_TOO_MANY_WFH_01
4355
4356meta TO_TOO_MANY_WFH_01 __TO_TOO_MANY_WFH_01
4357describe TO_TOO_MANY_WFH_01 Work-from-Home + many recipients
4358tflags TO_TOO_MANY_WFH_01 publish
4359##} TO_TOO_MANY_WFH_01
4360
4361##{ TT_MSGID_TRUNC
4362
# Header rule on Message-Id: optional leading whitespace and "<", a run of
# characters that are not "<", ">" or whitespace, then "[" and digits up
# to the end of the value. A value that matches has no closing "]" or ">",
# i.e. it looks cut off.
4363header TT_MSGID_TRUNC Message-Id =~ /^\s*<?[^<>\s]+\[\d+$/
4364describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits
4365##} TT_MSGID_TRUNC
4366
4367##{ TT_OBSCURED_VALIUM
4368
4369meta TT_OBSCURED_VALIUM ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM
4370describe TT_OBSCURED_VALIUM Scora: obscured "VALIUM" in subject
4371##} TT_OBSCURED_VALIUM
4372
4373##{ TT_OBSCURED_VIAGRA
4374
4375meta TT_OBSCURED_VIAGRA ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA
4376describe TT_OBSCURED_VIAGRA Scora: obscured "VIAGRA" in subject
4377##} TT_OBSCURED_VIAGRA
4378
4379##{ TVD_ACT_193
4380
4381body TVD_ACT_193 /\bact of (?:193|nineteen thirty)/i
4382describe TVD_ACT_193 Message refers to an act passed in the 1930s
4383##} TVD_ACT_193
4384
4385##{ TVD_APPROVED
4386
# Body rule, case-insensitive: "you", one or two arbitrary characters,
# "re ", up to 20 arbitrary characters, then "approved". The loose middle
# covers spellings such as "you're" and "you are" as well as a few words
# between the verb and "approved".
4387body TVD_APPROVED /you.{1,2}re .{0,20}approved/i
4388describe TVD_APPROVED Body states that the recipient has been approved
4389##} TVD_APPROVED
4390
4391##{ TVD_DEAR_HOMEOWNER
4392
4393body TVD_DEAR_HOMEOWNER /^dear homeowner/i
4394describe TVD_DEAR_HOMEOWNER Spam with generic salutation of "dear homeowner"
4395##} TVD_DEAR_HOMEOWNER
4396
4397##{ TVD_EB_PHISH
4398
# Meta rule: hits when __FROM_EBAY and NORMAL_HTTP_TO_IP both hit.
# Judging by the names, that is a sender claiming to be eBay together with
# a link that points at a bare IP address; confirm against the sub-rule
# definitions, which are outside this block.
# No describe or score is set in this block.
4399meta TVD_EB_PHISH __FROM_EBAY && NORMAL_HTTP_TO_IP
4400##} TVD_EB_PHISH
4401
4402##{ TVD_ENVFROM_APOST
4403
# Header rule on EnvelopeFrom: hits when the envelope sender contains a
# single-quote character anywhere.
# NOTE(review): an apostrophe is a legal character in an address
# local-part, so legitimate senders can hit this rule; keep that in mind
# when weighting it.
4404header TVD_ENVFROM_APOST EnvelopeFrom =~ /\'/
4405describe TVD_ENVFROM_APOST Envelope From contains single-quote
4406##} TVD_ENVFROM_APOST
4407
4408##{ TVD_FINGER_02
4409
# Header rule on Content-Type, case-insensitive: the value must start with
# "text/plain" followed by exactly three "; "-separated parameters, each
# being one of format=flowed, charset="Windows-1252" or
# reply-type=original. The regex does not fix their order and does not
# forbid repeats. No describe or score is set in this block.
4410header TVD_FINGER_02 Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i
4411##} TVD_FINGER_02
4412
4413##{ TVD_FLOAT_GENERAL
4414
# Rawbody rule, case-insensitive: a double-quoted style attribute whose
# final declaration is "float: <letters>", with the tag closing right
# after the quote, followed by a run of letters and then the next "<".
# In other words an element styled with CSS float that contains only a
# short run of letters.
4415rawbody TVD_FLOAT_GENERAL /\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i
4416describe TVD_FLOAT_GENERAL Message uses CSS float style
4417##} TVD_FLOAT_GENERAL
4418
4419##{ TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4420
# Body rule written for the ReplaceTags plugin: <D>, <E>, <G>, <R> and the
# <inter W1> / <post P1> markers are placeholders that the plugin expands
# before the pattern is compiled. The negative lookahead (?!degree) skips
# the plain spelling, so only variant spellings of "degree" hit.
# The tag definitions, and the replace_rules entry that enables expansion
# for this rule, are not in this block; without them the placeholders
# would be matched as literal text.
4421ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4422body TVD_FUZZY_DEGREE /<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i
4423describe TVD_FUZZY_DEGREE Obfuscation of the word "degree"
4424endif
4425##} TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4426
4427##{ TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4428
4429ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4430body TVD_FUZZY_FINANCE /(?!finance)<F><I><N><A><N><C><E>/i
4431describe TVD_FUZZY_FINANCE Obfuscation of the word "finance"
4432endif
4433##} TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4434
4435##{ TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4436
4437ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4438body TVD_FUZZY_FIXED_RATE /<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i
4439describe TVD_FUZZY_FIXED_RATE Obfuscation of the phrase "fixed rate"
4440endif
4441##} TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4442
4443##{ TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4444
4445ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4446body TVD_FUZZY_MICROCAP /<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i
4447describe TVD_FUZZY_MICROCAP Obfuscation of the word "micro-cap"
4448endif
4449##} TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4450
4451##{ TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4452
4453ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4454body TVD_FUZZY_PHARMACEUTICAL /<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i
4455describe TVD_FUZZY_PHARMACEUTICAL Obfuscation of the word "pharmaceutical"
4456endif
4457##} TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4458
4459##{ TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4460
4461ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4462body TVD_FUZZY_SYMBOL /<inter W2><post P2>(?!symboo?l)<S><Y><M><B><O><L>/i
4463describe TVD_FUZZY_SYMBOL Obfuscation of the word "symbol"
4464endif
4465##} TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4466
4467##{ TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4468
# MIME-part header rule (MIMEHeader plugin) on Content-Type: a name="..."
# parameter whose value starts with eight or more lowercase letters
# followed by ".gif". The match is case-sensitive, so names containing
# digits, uppercase letters or punctuation before ".gif" do not hit.
# The companion rule TVD_FW_GRAPHIC_NAME_MID covers six or seven letters.
4469ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4470mimeheader TVD_FW_GRAPHIC_NAME_LONG Content-Type =~ /\bname="[a-z]{8,}\.gif/
4471describe TVD_FW_GRAPHIC_NAME_LONG Long image attachment name
4472endif
4473##} TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4474
4475##{ TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4476
4477ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4478mimeheader TVD_FW_GRAPHIC_NAME_MID Content-Type =~ /\bname="[a-z]{6,7}\.gif/
4479describe TVD_FW_GRAPHIC_NAME_MID Medium sized image attachment name
4480endif
4481##} TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4482
4483##{ TVD_INCREASE_SIZE
4484
4485body TVD_INCREASE_SIZE /\bsize of .{1,20}(?:penis|dick|manhood)/i
4486describe TVD_INCREASE_SIZE Advertising for penis enlargement
4487##} TVD_INCREASE_SIZE
4488
4489##{ TVD_LINK_SAVE
4490
4491body TVD_LINK_SAVE /\blink to save\b/i
4492describe TVD_LINK_SAVE Spam with the text "link to save"
4493##} TVD_LINK_SAVE
4494
4495##{ TVD_PH_BODY_ACCOUNTS_PRE
4496
4497meta TVD_PH_BODY_ACCOUNTS_PRE __TVD_PH_BODY_ACCOUNTS_PRE
4498describe TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts suspended", "account credited", "account verification"
4499##} TVD_PH_BODY_ACCOUNTS_PRE
4500
4501##{ TVD_PH_REC
4502
# Body rule, case-insensitive: "your", then within 40 characters
# "account", then within 40 characters "record".
# The pattern is deliberately loose, so ordinary account notices can also
# match; it is best read as a weak phishing indicator.
4503body TVD_PH_REC /\byour .{0,40}account .{0,40}record/i
4504describe TVD_PH_REC Message includes a phrase commonly used in phishing mails
4505##} TVD_PH_REC
4506
4507##{ TVD_PH_SEC
4508
# Body rule, case-insensitive: "your", then within 40 characters
# "account", then within 40 characters "security".
# Same shape as TVD_PH_REC and equally loose, so legitimate security
# notices can also match; treat it as a weak phishing indicator.
4509body TVD_PH_SEC /\byour .{0,40}account .{0,40}security/i
4510describe TVD_PH_SEC Message includes a phrase commonly used in phishing mails
4511##} TVD_PH_SEC
4512
4513##{ TVD_PP_PHISH
4514
# Meta rule: hits when __FROM_PAYPAL and NORMAL_HTTP_TO_IP both hit.
# Judging by the names, that is a sender claiming to be PayPal together
# with a link that points at a bare IP address; confirm against the
# sub-rule definitions, which are outside this block.
# No describe or score is set in this block.
4515meta TVD_PP_PHISH __FROM_PAYPAL && NORMAL_HTTP_TO_IP
4516##} TVD_PP_PHISH
4517
4518##{ TVD_QUAL_MEDS
4519
4520body TVD_QUAL_MEDS /\bquality med(?:ication)?s\b/i
4521describe TVD_QUAL_MEDS The body matches phrases such as "quality meds" or "quality medication"
4522##} TVD_QUAL_MEDS
4523
4524##{ TVD_RATWARE_CB
4525
# Header rule on Content-Type, case-insensitive: the word "boundary"
# followed within 1 to 40 characters by "qzsoft_directmail_seperator".
# The spelling "seperator" is part of the string being matched and must
# not be corrected.
4526header TVD_RATWARE_CB Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i
4527describe TVD_RATWARE_CB Content-Type header that is commonly indicative of ratware
4528##} TVD_RATWARE_CB
4529
4530##{ TVD_RATWARE_CB_2
4531
4532header TVD_RATWARE_CB_2 Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/
4533describe TVD_RATWARE_CB_2 Content-Type header that is commonly indicative of ratware
4534##} TVD_RATWARE_CB_2
4535
4536##{ TVD_RATWARE_MSGID_02
4537
# Header rule on Message-ID: the part between "<" and "@" consists only
# of lowercase letters (no digits, dots or other characters).
# NOTE(review): the description says the header is "entirely lower-case",
# but the pattern only constrains the part before "@"; the domain part is
# not checked.
4538header TVD_RATWARE_MSGID_02 Message-ID =~ /^[^<]*<[a-z]+\@/
4539describe TVD_RATWARE_MSGID_02 Ratware with a Message-ID header that is entirely lower-case
4540##} TVD_RATWARE_MSGID_02
4541
4542##{ TVD_RCVD_IP
4543
# Header rule on Received: after "from", four groups of digits separated
# by any single character that is not alphanumeric or whitespace, then a
# dot or whitespace. Because the separator is not restricted to ".", this
# also covers names such as 1-2-3-4.example style hosts.
# The digit groups are not range-checked, so the pattern does not verify
# that the value is a valid address.
4544header TVD_RCVD_IP Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/
4545describe TVD_RCVD_IP Message was received from an IP address
4546##} TVD_RCVD_IP
4547
4548##{ TVD_RCVD_IP4
4549
# Header rule on Received: after "from", four dot-separated groups of
# digits followed by whitespace. Stricter than TVD_RCVD_IP, which accepts
# other separators. The digit groups are not range-checked.
4550header TVD_RCVD_IP4 Received =~ /^from\s+(?:\d+\.){3}\d+\s/
4551describe TVD_RCVD_IP4 Message was received from an IPv4 address
4552##} TVD_RCVD_IP4
4553
4554##{ TVD_RCVD_SPACE_BRACKET
4555
# Header rule on Received, case-insensitive: "([" not followed by "unix",
# then characters other than brackets, then whitespace before any closing
# bracket. In other words a bracketed value inside parentheses that
# contains a space. No describe or score is set in this block.
4556header TVD_RCVD_SPACE_BRACKET Received =~ /\(\[(?!unix)[^\[\]]*\s/i
4557##} TVD_RCVD_SPACE_BRACKET
4558
4559##{ TVD_SECTION
4560
4561body TVD_SECTION /\bSection (?:27A|21B)/i
4562describe TVD_SECTION References to specific legal codes
4563##} TVD_SECTION
4564
4565##{ TVD_SILLY_URI_OBFU
4566
# Body rule, case-insensitive: text that looks like an http/https URL
# whose host contains at least one character outside the set normally
# seen in a host, path or surrounding punctuation, and which ends in three
# letters followed by whitespace or end of line.
# This is a body rule, so it runs on the message text rather than on
# parsed URIs; per the description, the point is to catch link text that
# URI-based checks may not see as a URI.
4567body TVD_SILLY_URI_OBFU m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i
4568describe TVD_SILLY_URI_OBFU URI obfuscation that can fool a URIBL or a uri rule
4569##} TVD_SILLY_URI_OBFU
4570
4571##{ TVD_SPACED_SUBJECT_WORD3
4572
4573header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/
4574describe TVD_SPACED_SUBJECT_WORD3 Entire subject is "UPPERlowerUPPER" with no whitespace
4575##} TVD_SPACED_SUBJECT_WORD3
4576
4577##{ TVD_SPACE_ENCODED
4578
4579meta TVD_SPACE_ENCODED __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM
4580#score TVD_SPACE_ENCODED 2.500 # limit
4581describe TVD_SPACE_ENCODED Space ratio & encoded subject
4582##} TVD_SPACE_ENCODED
fc5290a3 4583
4584##{ TVD_SPACE_RATIO_MINFP
4585
4586meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY && !__XM_APPLEMAIL
4587#score TVD_SPACE_RATIO_MINFP 2.500 # limit
4588describe TVD_SPACE_RATIO_MINFP Space ratio (vertical text obfuscation?)
4589##} TVD_SPACE_RATIO_MINFP
fc5290a3 4590
4591##{ TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval
4592
# Body rule that delegates to the eval function check_stock_info with the
# argument '2'. Only compiled when the BodyEval plugin is loaded.
# NOTE(review): the meaning of the argument is not visible here;
# presumably a minimum number of stock-related phrases -- confirm against
# the plugin.
4593ifplugin Mail::SpamAssassin::Plugin::BodyEval
4594body TVD_STOCK1 eval:check_stock_info('2')
4595describe TVD_STOCK1 Spam related to stock trading
4596endif
4597##} TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval
4598
4599##{ TVD_SUBJ_ACC_NUM
4600
4601header TVD_SUBJ_ACC_NUM Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/
4602describe TVD_SUBJ_ACC_NUM Subject has spammy looking monetary reference
4603##} TVD_SUBJ_ACC_NUM
4604
4605##{ TVD_SUBJ_FINGER_03
4606
4607header TVD_SUBJ_FINGER_03 Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/
4608describe TVD_SUBJ_FINGER_03 Entire subject is enclosed in asterisks "* like so *"
4609##} TVD_SUBJ_FINGER_03
4610
4611##{ TVD_SUBJ_NUM_OBFU_MINFP
4612
4613meta TVD_SUBJ_NUM_OBFU_MINFP __TVD_SUBJ_NUM_OBFU && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !__X_CRON_ENV && !__NOT_A_PERSON && !__HAS_THREAD_INDEX && !__THREADED && !__NUMBERS_IN_SUBJ && !__URI_MAILTO
4614##} TVD_SUBJ_NUM_OBFU_MINFP
4615
4616##{ TVD_SUBJ_OWE
4617
# Header rule on Subject, case-insensitive: one or more words, "you",
# optional further words, "owe" or "indebted", one or more words, then
# "an other" / "another" (the space is optional).
# NOTE(review): "recipieint" in the description is a typo for
# "recipient". The description is emitted in reports, so correct it
# upstream rather than in this generated file.
4618header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i
4619describe TVD_SUBJ_OWE Subject line states that the recipieint is in debt
4620##} TVD_SUBJ_OWE
4621
4622##{ TVD_SUBJ_WIPE_DEBT
4623
4624header TVD_SUBJ_WIPE_DEBT Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i
4625describe TVD_SUBJ_WIPE_DEBT Spam advertising a way to eliminate debt
4626##} TVD_SUBJ_WIPE_DEBT
4627
4628##{ TVD_VISIT_PHARMA
4629
# Body rule, case-insensitive: "Online Ph", any one character, "rmacy".
# The "." wildcard stands in for the "a", so single-character
# substitutions in that position still match.
4630body TVD_VISIT_PHARMA /Online Ph.rmacy/i
4631describe TVD_VISIT_PHARMA Body mentions online pharmacy
4632##} TVD_VISIT_PHARMA
4633
4634##{ TVD_VIS_HIDDEN
4635
# Rawbody rule, case-insensitive: a <TEXTAREA ...> tag with a
# double-quoted style attribute that begins with "visibility: hidden".
# Hidden form fields are a way to carry text the reader does not see.
# The pattern only covers this exact form: the style value must be
# double-quoted and "visibility" must be its first declaration, so other
# ways of hiding an element are outside this rule.
4636rawbody TVD_VIS_HIDDEN /<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i
4637describe TVD_VIS_HIDDEN Invisible textarea HTML tags
4638##} TVD_VIS_HIDDEN
4639
4640##{ TW_GIBBERISH_MANY
4641
# Meta rule with a numeric comparison: hits when the value of
# __TENWORD_GIBBERISH is greater than 20.
# NOTE(review): this presumably relies on __TENWORD_GIBBERISH counting
# every match in the message rather than stopping at the first -- confirm
# against its definition, which is outside this block.
4642meta TW_GIBBERISH_MANY __TENWORD_GIBBERISH > 20
4643describe TW_GIBBERISH_MANY Lots of gibberish text to spoof pattern matching filters
4644#score TW_GIBBERISH_MANY 2.000 # limit
4645tflags TW_GIBBERISH_MANY publish
4646##} TW_GIBBERISH_MANY
4647
4648##{ T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4649
4650ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4651 meta T_ACH_CANCELLED_EXE __ACH_CANCELLED_EXE
4652 describe T_ACH_CANCELLED_EXE "ACH cancelled" probable malware
4653endif
4654##} T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4655
4656##{ T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4657
# Meta rule: hits when either __PILL_PRICE_01 or __PILL_PRICE_02 hits and
# __NOT_A_PERSON does not.
# The "if can(...)" guard compiles the rule only on installations that
# report the named feature, so older engines skip it silently.
4658if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4659 meta T_ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON
4660 describe T_ANY_PILL_PRICE Prices for pills
4661endif
4662##} T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4663
4664##{ T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4665
# MIME-part header rule (MIMEHeader plugin) on Content-Disposition: hits
# when the same header value contains two "size=<digit...>" parameters.
# A well-formed header carries the parameter at most once, which is why
# the description calls the header suspicious.
# The score line is commented out, so this block assigns no score.
4666ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4667 mimeheader T_CDISP_SZ_MANY Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/
4668 describe T_CDISP_SZ_MANY Suspicious MIME header
4669# score T_CDISP_SZ_MANY 2.0 # limit
4670endif
4671##} T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4672
4673##{ T_CTE_BAS64 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4674
# Meta rule that passes through __CTE_BAS64, which is defined outside this
# block. Only compiled when the MIMEHeader plugin is loaded.
# NOTE(review): the description reads "Malformated
# Content-Type-Encoding"; presumably this means a malformed
# Content-Transfer-Encoding value (the rule name suggests "bas64" in place
# of "base64") -- confirm against the sub-rule.
4675ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4676 meta T_CTE_BAS64 __CTE_BAS64
4677 describe T_CTE_BAS64 Malformated Content-Type-Encoding
4678# score T_CTE_BAS64 2.000 # limit
4679 tflags T_CTE_BAS64 publish
4680endif
4681##} T_CTE_BAS64 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4682
4683##{ T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4684
4685ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4686 meta T_CTYPE_NULL __CTYPE_NULL
4687 describe T_CTYPE_NULL Malformed Content-Type header
4688endif
4689##} T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4690
4691##{ T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4692
# Header rule that delegates to the eval function check_for_shifted_date
# with the bounds '96' and '2920'. Only compiled when the HeaderEval
# plugin is loaded.
# The description gives the window as 4 days to 4 months after the
# Received date; that is consistent with the bounds being hours (96 hours
# is 4 days, 2920 hours is roughly 4 months) -- presumably so, confirm
# against the plugin.
4693ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4694header T_DATE_IN_FUTURE_96_Q eval:check_for_shifted_date('96', '2920')
4695describe T_DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: date
4696endif
4697##} T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4698
4699##{ T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4700
# Header rule that delegates to the eval function check_for_shifted_date
# with a lower bound of '2920' and 'undef' as the upper bound, i.e. an
# open-ended window. Only compiled when the HeaderEval plugin is loaded.
# Per the description this covers a Date header more than 4 months after
# the Received date; T_DATE_IN_FUTURE_96_Q covers the window below it.
4701ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4702header T_DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef')
4703describe T_DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date
4704endif
4705##} T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4706
4707##{ T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4708
# Meta rule: hits when __ATTACH_NAME_NO_EXT hits together with either
# __PDF_ATTACH_MT or __DOC_ATTACH_MT. Judging by the names, that is an
# attachment declared as a PDF or document type whose file name has no
# extension; confirm against the sub-rule definitions, which are outside
# this block. Only compiled when the MIMEHeader plugin is loaded.
4709ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4710 meta T_DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH_MT || __DOC_ATTACH_MT)
4711 describe T_DOC_ATTACH_NO_EXT Document attachment with suspicious name
4712endif
4713##} T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4714
4715##{ T_DOS_OUTLOOK_TO_MX_IMAGE
4716
4717meta T_DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
4718describe T_DOS_OUTLOOK_TO_MX_IMAGE Direct to MX with Outlook headers and an image
4719##} T_DOS_OUTLOOK_TO_MX_IMAGE
4720
4721##{ T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4722
# MIME-part header rule (MIMEHeader plugin) on Content-Type: the whole
# value must be exactly application/zip with name="hardcore.zip".
# The pattern is anchored at both ends and case-sensitive, so it is a
# signature for one specific attachment; a different file name, letter
# case or an extra parameter does not match. It is not a general check
# for archive attachments.
4723ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4724 mimeheader T_DOS_ZIP_HARDCORE Content-Type =~ /^application\/zip;\sname="hardcore\.zip"$/
4725 describe T_DOS_ZIP_HARDCORE hardcore.zip file attached; quite certainly a virus
4726# score T_DOS_ZIP_HARDCORE 2.5
4727endif
4728##} T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4729
4730##{ T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4731
# Requires the WLBLEval plugin and SpamAssassin 3.4.0 or later. Hits when
# __PDS_HTML_LENGTH_1024, __URL_SHORTENER and DRUGS_ERECTILE are all true.
# NOTE(review): the describe text names T_URL_SHORTENER, while the expression
# uses the sub-rule __URL_SHORTENER.
4732ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4733if (version >= 3.004000)
dfdd1e08 4734meta T_DRUGS_ERECTILE_SHORT_SHORTNER __PDS_HTML_LENGTH_1024 && __URL_SHORTENER && DRUGS_ERECTILE
b780ea8d
SI
4735describe T_DRUGS_ERECTILE_SHORT_SHORTNER Short erectile drugs advert with T_URL_SHORTENER
4736#score T_DRUGS_ERECTILE_SHORT_SHORTNER 1.5 # limit
4737endif
4738endif
4739##} T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4740
4741##{ T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4742
# __FILL_THIS_FORM_FRAUD_PHISH with six exclusions. By their names these are
# spoofed URL, mailing-list traffic, reply and thread indicators, a Shopify
# relay and an Errors-To header, all presumably there to cut false positives.
# Several of those exclusions key on headers the sender can add; check this
# against the sub-rule definitions, which are outside this excerpt.
4743ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4744 meta T_FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__SPOOFED_URL && !__VIA_ML && !__HAS_IN_REPLY_TO && !__THREADED && !__HDR_RCVD_SHOPIFY && !__HAS_ERRORS_TO
4745 describe T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
4746endif
4747##} T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4748
b780ea8d
SI
4749##{ T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4750
# __FILL_THIS_FORM_SHORT, suppressed when either __VIA_ML or __MSGID_JAVAMAIL
# is true. The score line is commented out, so the effective score is set
# elsewhere or falls back to the default.
4751ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4752 meta T_FILL_THIS_FORM_SHORT __FILL_THIS_FORM_SHORT && !__VIA_ML && !__MSGID_JAVAMAIL
4753 describe T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
4754# score T_FILL_THIS_FORM_SHORT 1.00 # limit
4755endif
4756##} T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4757
b780ea8d
SI
4758##{ T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo
4759
# Conjunction of three sub-rules, compiled only with the ImageInfo plugin. By
# their names they mean a forged-Thunderbird image message, exactly one image,
# and an image of at most 300K; confirm against the definitions.
4760ifplugin Mail::SpamAssassin::Plugin::ImageInfo
4761 meta T_FORGED_TBIRD_IMG_SIZE __FORGED_TBIRD_IMG && __ONE_IMG && __IMG_LE_300K
4762 describe T_FORGED_TBIRD_IMG_SIZE Likely forged Thunderbird image spam
4763endif
4764##} T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo
4765
4766##{ T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail
4767
# Exposes the sub-rule __FREEMAIL_DOC_PDF under a reportable name when the
# FreeMail plugin is loaded. This pattern is common in legitimate mail, so it
# is best used as a building block; the _BCC and _RVW_ATTCH rules build on the
# same sub-rule.
4768ifplugin Mail::SpamAssassin::Plugin::FreeMail
4769 meta T_FREEMAIL_DOC_PDF __FREEMAIL_DOC_PDF
4770 describe T_FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail
4771endif
4772##} T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail
4773
dfdd1e08
SI
4774##{ T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail
4775
# Narrows __FREEMAIL_DOC_PDF to messages where __TO_UNDISCLOSED is also true,
# i.e. no visible recipient according to the describe text.
4776ifplugin Mail::SpamAssassin::Plugin::FreeMail
4777 meta T_FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED
4778 describe T_FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden
4779endif
4780##} T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail
4781
b780ea8d
SI
4782##{ T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail
4783
# Combines __FREEMAIL_DOC_PDF with either of two body-text sub-rules. By their
# names, __PLS_REVIEW and __DLND_ATTACH match "please review" and "download
# attachment" wording, a lure typical of document-themed phishing.
4784ifplugin Mail::SpamAssassin::Plugin::FreeMail
4785 meta T_FREEMAIL_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF
4786 describe T_FREEMAIL_RVW_ATTCH Please review attached document, from freemail
4787endif
4788##} T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail
4789
4790##{ T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4791
# Exposes the FromNameSpoof sub-rule __PLUGIN_FROMNAME_EQUALS_TO. The
# 'publish' tflag marks the rule for publication in rule updates; the score
# line is commented out.
4792ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4793meta T_FROMNAME_EQUALS_TO __PLUGIN_FROMNAME_EQUALS_TO
4794describe T_FROMNAME_EQUALS_TO From:name matches To:
4795#score T_FROMNAME_EQUALS_TO 1.0
4796tflags T_FROMNAME_EQUALS_TO publish
4797endif
4798##} T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4799
4800##{ T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4801
# Display-name spoofing check: __PLUGIN_FROMNAME_SPOOF, suppressed for mailing
# list traffic (__VIA_ML), re-signers (__VIA_RESIGNER) and when
# __RP_MATCHES_RCVD is true. The commented-out score is low (0.3), so a hit is
# a weak signal. T_GB_FROMNAME_SPOOFED_EMAIL_IP builds on this rule.
4802ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4803meta T_FROMNAME_SPOOFED_EMAIL (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD)
4804describe T_FROMNAME_SPOOFED_EMAIL From:name looks like a spoofed email
4805#score T_FROMNAME_SPOOFED_EMAIL 0.3
4806tflags T_FROMNAME_SPOOFED_EMAIL publish
4807endif
4808##} T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4809
151f49fd
SI
4810##{ T_FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4811
# Exposes the sub-rule __FROM_MULTI_NORDNS. The guard compiles it only when the
# running SpamAssassin reports the perl_min_version_5010000 capability.
4812if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4813 meta T_FROM_MULTI_NORDNS __FROM_MULTI_NORDNS
4814 describe T_FROM_MULTI_NORDNS Multiple From addresses + no rDNS
4815endif
4816##} T_FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4817
b780ea8d
SI
4818##{ T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4819
# __FROM_MULTI_SHORT_IMG, suppressed when __RCD_RDNS_MX_MESSY is true. The
# guard is the same perl_min_version_5010000 capability test used by the other
# multiple-From rules.
4820if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4821 meta T_FROM_MULTI_SHORT_IMG __FROM_MULTI_SHORT_IMG && !__RCD_RDNS_MX_MESSY
4822 describe T_FROM_MULTI_SHORT_IMG Multiple From addresses + short message with image
4823endif
4824##} T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4825
4826##{ T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4827
# <O>, <P>, <T> and <U> are ReplaceTags placeholders, expanded by the plugin
# into patterns for obfuscated letters. The (?!opt[-\s]?out) lookahead rejects
# the plain spelling, so only disguised variants of "opt-out" hit. The
# replace_rules line that enables tag expansion for this rule is not in this
# excerpt.
4828ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4829 body T_FUZZY_OPTOUT /(?:$|\W)(?=<O>)(?!opt[-\s]?out)<O><P><T>[-\s]?<O><U><T>(?:$|\W)/i
4830 describe T_FUZZY_OPTOUT Obfuscated opt-out text
4831endif
4832##} T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4833
4834##{ T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4835
# Body rule built entirely from ReplaceTags placeholders: an inter tag (W1), a
# post tag (P2), then the letters S-P-U-R-M. The tag definitions and the
# replace_rules line are outside this excerpt, and the rule has no describe
# text.
4836ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4837body T_FUZZY_SPRM /<inter W1><post P2><S><P><U><R><M>/i
4838endif
4839##} T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4840
b780ea8d
SI
4841##{ T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4842
# Needs both the FreeMail and FromNameSpoof plugins. Hits when From and
# Reply-To are both freemail addresses and __FROM_EQ_REPLY is false.
# NOTE(review): the describe text says "different freemail domains"; whether
# __FROM_EQ_REPLY compares domains or full addresses is not visible here.
4843ifplugin Mail::SpamAssassin::Plugin::FreeMail
4844 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4845 meta T_GB_FREEM_FROM_NOT_REPLY ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO )
4846 describe T_GB_FREEM_FROM_NOT_REPLY From: and Reply-To: have different freemail domains
4847# score T_GB_FREEM_FROM_NOT_REPLY 1.500 # limit
4848 tflags T_GB_FREEM_FROM_NOT_REPLY publish
4849endif
4850endif
4851##} T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4852
4853##{ T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4854
# Narrows T_FROMNAME_SPOOFED_EMAIL to messages where __NOT_SPOOFED is false.
# It depends on another T_ test rule, so it stops firing if that rule is
# disabled or given a zero score.
4855ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4856 meta T_GB_FROMNAME_SPOOFED_EMAIL_IP ( T_FROMNAME_SPOOFED_EMAIL && !__NOT_SPOOFED )
4857 describe T_GB_FROMNAME_SPOOFED_EMAIL_IP From:name looks like a spoofed email from a spoofed ip
4858# score T_GB_FROMNAME_SPOOFED_EMAIL_IP 0.50 # limit
4859 tflags T_GB_FROMNAME_SPOOFED_EMAIL_IP publish
4860endif
4861##} T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4862
fc5290a3
SI
4863##{ T_GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
4864
# Matches http(s) URLs on storage.cloud.google.com whose path runs 4-128
# characters and is followed by '#' and %{GB_TO_ADDR}. That template is filled
# from a capture made by another rule (not in this excerpt), presumably the
# recipient address. This is why the rule needs 4.0 and the capture-rules
# feature. A recipient address in the URL fragment is a common sign of a
# personalised phishing link.
4865if (version >= 4.000000)
4866if can(Mail::SpamAssassin::Conf::feature_capture_rules)
4867 uri T_GB_STORAGE_GOOGLE_EMAIL m|^https?://storage\.cloud\.google\.com/.{4,128}\#%{GB_TO_ADDR}|i
4868 describe T_GB_STORAGE_GOOGLE_EMAIL Google storage cloud abuse
4869# score T_GB_STORAGE_GOOGLE_EMAIL 2.000 # limit
4870 tflags T_GB_STORAGE_GOOGLE_EMAIL publish
4871endif
4872endif
4873##} T_GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
4874
31955ede
SI
4875##{ T_GB_WEBFORM ifplugin Mail::SpamAssassin::Plugin::FreeMail
4876
# Hits when one of two X-Mailer sub-rules is true together with a URL shortener
# and a freemail From address. By their names the sub-rules mean CodeIgniter
# and PHPMailer. X-Mailer is sender-controlled, so this only catches senders
# that leave the library default in place.
4877ifplugin Mail::SpamAssassin::Plugin::FreeMail
dfdd1e08 4878 meta T_GB_WEBFORM ( ( __XMAIL_CODEIGN || __XMAIL_PHPMAIL ) && __URL_SHORTENER && FREEMAIL_FROM )
31955ede
SI
4879 describe T_GB_WEBFORM Webform with url shortener
4880# score T_GB_WEBFORM 1.500 # limit
4881endif
4882##} T_GB_WEBFORM ifplugin Mail::SpamAssassin::Plugin::FreeMail
4883
fc5290a3
SI
4884##{ T_GB_YOUTUBE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
4885
# Matches youtube.com/attribution_link? URLs (optional www.) where 20-256
# characters of query are followed by '/' and %{GB_TO_ADDR}. That template is
# filled from a capture made by another rule (not in this excerpt), presumably
# the recipient address. Unlike the Google storage rule it carries no
# 'publish' tflag.
4886if (version >= 4.000000)
4887if can(Mail::SpamAssassin::Conf::feature_capture_rules)
4888 uri T_GB_YOUTUBE_EMAIL m|^https?://(?:www\.)?youtube\.com/attribution_link\?.{20,256}/%{GB_TO_ADDR}|i
4889 describe T_GB_YOUTUBE_EMAIL Youtube attribution links abuse
4890# score T_GB_YOUTUBE_EMAIL 2.000 # limit
4891endif
4892endif
4893##} T_GB_YOUTUBE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
4894
b780ea8d
SI
4895##{ T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4896
# Freemail half of a complementary pair: __HK_NAME_FROM and FREEMAIL_FROM.
# T_HK_NAME_FROM covers the non-freemail case. The rule has no describe line,
# so reports show only its name.
4897ifplugin Mail::SpamAssassin::Plugin::FreeMail
4898if (version >= 3.004000)
4899 meta T_HK_NAME_FM_FROM __HK_NAME_FROM && FREEMAIL_FROM
4900# score T_HK_NAME_FM_FROM 1.5
4901endif
4902endif
4903##} T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4904
4905##{ T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4906
# Non-freemail half of the pair: __HK_NAME_FROM and not FREEMAIL_FROM. It
# never fires on the same message as T_HK_NAME_FM_FROM. No describe line.
4907ifplugin Mail::SpamAssassin::Plugin::FreeMail
4908if (version >= 3.004000)
4909 meta T_HK_NAME_FROM __HK_NAME_FROM && !FREEMAIL_FROM
4910# score T_HK_NAME_FROM 1.0
4911endif
4912endif
4913##} T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4914
dfdd1e08
SI
4915##{ T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4916
# Hits when either filename sub-rule is true. The CTFN/CDFN suffixes presumably
# stand for a Content-Type filename and a Content-Disposition filename, so both
# places an attachment name can appear are covered; confirm against the
# definitions. No describe line.
4917ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4918meta T_HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN
4919endif
4920##} T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4921
b780ea8d
SI
4922##{ T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4923
# Hits when either HTML-attachment sub-rule is true. HTML attachments are
# rendered locally by the recipient's browser, which is why the describe text
# frames them as a way around URL and content scanning.
4924ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4925 meta T_HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02
4926 describe T_HTML_ATTACH HTML attachment to bypass scanning?
4927endif
4928##} T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4929
fc5290a3
SI
4930##{ T_HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4931
# __HTML_TAG_BALANCE_CENTER, suppressed when either of the two "messy rDNS"
# sub-rules is true. Those exclusions are presumably false-positive carve-outs
# for particular relay naming patterns.
4932ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4933 meta T_HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY
4934 describe T_HTML_TAG_BALANCE_CENTER Malformatted HTML
4935endif
4936##} T_HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4937
b780ea8d
SI
4938##{ T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4939
# Hits when either ISO sub-rule is true. The _MT suffix presumably means a
# MIME-type match as opposed to a filename match. Disk images are a known
# malware delivery container, so sites that never exchange them legitimately
# may prefer to block the attachment type at the gateway as well as scoring it
# here.
4940ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4941 meta T_ISO_ATTACH __ISO_ATTACH || __ISO_ATTACH_MT
4942 describe T_ISO_ATTACH ISO attachment - possible malware delivery
4943# score T_ISO_ATTACH 3.000 # limit
4944endif
4945##} T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4946
4947##{ T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4948
# Exposes the sub-rule __KAM_HTML_FONT_INVALID when the HTMLEval plugin is
# loaded. The commented-out score is 0.1, so it is a very weak signal.
4949ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4950meta T_KAM_HTML_FONT_INVALID __KAM_HTML_FONT_INVALID
4951describe T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML
4952#score T_KAM_HTML_FONT_INVALID 0.1
4953endif
4954##} T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4955
4956##{ T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4957
# Arithmetic meta: hits when the value of __LARGE_PERCENT_AFTER is above 3.
# This only makes sense if the sub-rule counts multiple hits per message,
# presumably via tflags multiple where it is defined; the feature guard
# relates to that counting behaviour.
4958if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4959 meta T_LARGE_PCT_AFTER_MANY __LARGE_PERCENT_AFTER > 3
4960 describe T_LARGE_PCT_AFTER_MANY Many large percentages after...
4961endif
4962##} T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4963
4964##{ T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4965
# Body rule built from ReplaceTags placeholders: an inter tag (W1), a post tag
# (P2), then the letters P-O-W-E-R-M-A-L-E. The tag definitions and the
# replace_rules line are outside this excerpt, and the rule has no describe
# text.
4966ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4967body T_LFUZ_PWRMALE /<inter W1><post P2><P><O><W><E><R><M><A><L><E>/i
4968endif
4969##} T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4970
4971##{ T_LOTTO_AGENT_FM
4972
# Matches a From header where a payout-themed term (claims, fiduciary, dispatch,
# reimbursement, payout, prize transfer, ...remittance) is followed, with at
# most one space, underscore or dot between, by a role word such as agent,
# manager, officer or department. The match is case-insensitive and covers the
# whole From header, display name included.
4973header T_LOTTO_AGENT_FM From =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize[\s_.]transfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i
4974describe T_LOTTO_AGENT_FM Claims Agent
4975##} T_LOTTO_AGENT_FM
4976
4977##{ T_LOTTO_AGENT_RPLY
4978
# __LOTTO_AGENT_RPLY, suppressed when __TO_YOUR_ORG is true. By its name the
# first is the Reply-To counterpart of T_LOTTO_AGENT_FM, and the describe text
# is identical to that rule's.
4979meta T_LOTTO_AGENT_RPLY __LOTTO_AGENT_RPLY && !__TO_YOUR_ORG
4980describe T_LOTTO_AGENT_RPLY Claims Agent
4981##} T_LOTTO_AGENT_RPLY
4982
4983##{ T_LOTTO_URI
4984
# URI rule: a payout-themed term (claims, fiduciary, reimbursement, remittance,
# award) followed by a department-style word, with an optional '-' or '_'
# between them. The pattern is unanchored, so it can match in the host, path or
# query of a URI.
4985uri T_LOTTO_URI /(?:claim(?:s|ing)?(?:[-_]?processing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)?[-_]?rem+it+ance|award)[-_]?(?:department|dept|unit|group|committee|office|agent|manager|secretary)/i
4986describe T_LOTTO_URI Claims Department URL
4987##} T_LOTTO_URI
4988
4989##{ T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4990
# Arithmetic meta: the values of the two __PILL_PRICE sub-rules are added and
# the rule hits when the sum is above 2. This relies on the sub-rules counting
# multiple hits per message, presumably via tflags multiple where they are
# defined.
4991if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4992 meta T_MANY_PILL_PRICE (__PILL_PRICE_01 + __PILL_PRICE_02) > 2
4993 describe T_MANY_PILL_PRICE Prices for many pills
4994endif
4995##} T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4996
4997##{ T_MIME_MALF if (version >= 3.004000)
4998
# __MIME_MALF, suppressed when ALL_TRUSTED is true. ALL_TRUSTED depends on
# trusted_networks/internal_networks being set correctly; an over-broad trust
# setting would exempt external mail from this malformed-MIME check.
4999if (version >= 3.004000)
5000 meta T_MIME_MALF __MIME_MALF && !ALL_TRUSTED
5001 describe T_MIME_MALF Malformed MIME: headers in body
5002# score T_MIME_MALF 2.00 # limit
5003endif
5004##} T_MIME_MALF if (version >= 3.004000)
5005
5006##{ T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5007
# LOTS_OF_MONEY together with any one of three percentage or share sub-rules
# (__PCT_FOR_YOU, __PCT_OF_PMTS, __FIFTY_FIFTY), all defined outside this
# excerpt.
5008ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5009 meta T_MONEY_PERCENT LOTS_OF_MONEY && (__PCT_FOR_YOU || __PCT_OF_PMTS || __FIFTY_FIFTY)
5010 describe T_MONEY_PERCENT X% of a lot of money for you
5011endif
5012##} T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5013
5014##{ T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5015
# __FROM_RUNON together with any of the obfuscated-attachment rules. Most of
# those are T_ test rules defined in this file. OBFU_TEXT_ATTACH is referenced
# without the T_ prefix and is defined outside this excerpt.
5016ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5017 meta T_OBFU_ATTACH_MISSP __FROM_RUNON && (T_OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || T_OBFU_DOC_ATTACH || T_OBFU_PDF_ATTACH || T_OBFU_JPG_ATTACH || T_OBFU_GIF_ATTACH)
5018 describe T_OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From
5019endif
5020##} T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5021
5022##{ T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5023
# Flags a part declared as generic application/octet-stream whose Content-Type
# text later contains a name ending in .doc or .rtf. Only the Content-Type
# header is tested, so a filename carried solely in Content-Disposition is not
# seen by this rule. The trailing \b also means .docx and .docm do not match.
5024ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5025 mimeheader T_OBFU_DOC_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i
5026 describe T_OBFU_DOC_ATTACH MS Document attachment with generic MIME type
5027endif
5028##} T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5029
5030##{ T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5031
# Flags an application/octet-stream part whose Content-Type text contains a
# name ending in .gif. Only the Content-Type header is tested; the file content
# is not examined.
5032ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5033 mimeheader T_OBFU_GIF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i
5034 describe T_OBFU_GIF_ATTACH GIF attachment with generic MIME type
5035endif
5036##} T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5037
5038##{ T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5039
# Flags an application/octet-stream part whose Content-Type text contains a
# name ending in .htm or .html, optionally with one letter before it (for
# example .shtml or .xhtml). Only the Content-Type header is tested, so a
# filename given solely in Content-Disposition is not covered by this rule.
5040ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
151f49fd 5041 mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.[a-z]?html?\b,i
b780ea8d
SI
5042 describe T_OBFU_HTML_ATTACH HTML attachment with non-text MIME type
5043endif
5044##} T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5045
5046##{ T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5047
# Both sub-rules must hold: __ZIP_ATTACH_NOFN and __HTML_ATTACH_02. Going by
# the names and the describe text, this is an HTML-named attachment declared
# with a zip MIME type; confirm against the sub-rule definitions.
5048ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5049 meta T_OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02
5050 describe T_OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware
5051endif
5052##} T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5053
5054##{ T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5055
# Flags an application/octet-stream part whose Content-Type text contains a
# name ending in .jpg or .jpeg. Only the Content-Type header is tested; the
# file content is not examined.
5056ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5057 mimeheader T_OBFU_JPG_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i
5058 describe T_OBFU_JPG_ATTACH JPG attachment with generic MIME type
5059endif
5060##} T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5061
5062##{ T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5063
# Flags an application/octet-stream part whose Content-Type text contains a
# name ending in .pdf. Only the Content-Type header is tested, so a filename
# given solely in Content-Disposition is not covered by this rule.
5064ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5065 mimeheader T_OBFU_PDF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i
5066 describe T_OBFU_PDF_ATTACH PDF attachment with generic MIME type
5067endif
5068##} T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5069
dfdd1e08
SI
5070##{ T_OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5071
# Requires SpamAssassin 3.4.2 or later and the WLBLEval plugin. Hits when
# __FROM_ADDRLIST_SUSPNTLD and __PDS_OFFER_ONLY_AMERICA are both true. By its
# name the first means a From address on a suspicious new-TLD list.
5072if (version >= 3.004002)
5073ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5074meta T_OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA
5075describe T_OFFER_ONLY_AMERICA Offer only available to US
5076#score T_OFFER_ONLY_AMERICA 2.0 # limit
5077endif
5078endif
5079##} T_OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5080
b780ea8d
SI
5081##{ T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5082
# Extortion-mail variant in which all three sub-rules hold: __PDS_BTC_ID,
# __PDS_BTC_BADFROM and __PDS_BTC_ANON. T_PDS_BTC_HACKER is the sibling for
# messages where __PDS_BTC_BADFROM is false, so the two never fire together.
5083ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5084 meta T_PDS_BTC_AHACKER ( __PDS_BTC_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON )
5085 describe T_PDS_BTC_AHACKER Bitcoin Hacker
5086# score T_PDS_BTC_AHACKER 3.0 # limit
5087endif
5088##} T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5089
5090##{ T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5091
# __PDS_BTC_ID and __PDS_BTC_ANON with __PDS_BTC_BADFROM false. This is the
# complement of T_PDS_BTC_AHACKER, with the same describe text and a lower
# commented-out score limit.
5092ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5093 meta T_PDS_BTC_HACKER ( __PDS_BTC_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM )
5094 describe T_PDS_BTC_HACKER Bitcoin Hacker
5095# score T_PDS_BTC_HACKER 2.0 # limit
5096endif
5097##} T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5098
fc5290a3
SI
5099##{ T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5100
# Hits when __BITCOIN_ID and __FROM_ADDRLIST_SUSPNTLD are both true. By their
# names that is a Bitcoin address in the message and a sender domain on a
# suspicious new-TLD list.
5101if (version >= 3.004002)
5102ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5103meta T_PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD )
5104describe T_PDS_BTC_NTLD Bitcoin suspect NTLD
5105#score T_PDS_BTC_NTLD 2.0 # limit
5106endif
5107endif
5108##} T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5109
54c714b2
SI
5110##{ T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5111
# Hits when __URL_SHORTENER, __SUBJECT_EMPTY and __PDS_MSG_1024 are all true.
# The last is presumably a small-message size test. Shortened links hide the
# destination from static URI checks, so pairing them with a near-empty message
# is the signal here.
5112ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5113if (version >= 3.004000)
5114meta T_PDS_EMPTYSUBJ_URISHRT __URL_SHORTENER && __SUBJECT_EMPTY && __PDS_MSG_1024
5115describe T_PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener
5116#score T_PDS_EMPTYSUBJ_URISHRT 1.5 # limit
5117endif
5118endif
5119##} T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5120
5121##{ T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5122
# Hits when all four sub-rules hold: URL shortener, freemail Reply-To
# (__freemail_hdr_replyto), short subject and __PDS_HTML_LENGTH_2048. The guard
# is on WLBLEval although a FreeMail sub-rule is referenced; it is unclear from
# this excerpt how the rule behaves if that plugin is not loaded.
5123ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5124if (version >= 3.004000)
5125meta T_PDS_FREEMAIL_REPLYTO_URISHRT __URL_SHORTENER && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
5126describe T_PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener
5127#score T_PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit
5128endif
5129endif
5130##} T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5131
21dcadbf 5132##{ T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
31955ede 5133
21dcadbf
SI
# __PDS_FROM_2_EMAILS with six exclusions: mailing lists, re-signers, JavaMail
# Message-IDs, two "messy rDNS" relay patterns and __DKIM_EXISTS.
# NOTE(review): by its name __DKIM_EXISTS tests only for the presence of a DKIM
# signature, not its validity. Confirm this against the definition, since an
# unverified signature would then be enough to suppress the rule.
5134if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
5135 meta T_PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__MSGID_JAVAMAIL && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__DKIM_EXISTS
5136 describe T_PDS_FROM_2_EMAILS From header has multiple different addresses
5137# score T_PDS_FROM_2_EMAILS 3.500 # limit
31955ede 5138endif
21dcadbf 5139##} T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
31955ede 5140
fc5290a3
SI
5141##{ T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5142
# URL shortener plus a body that is little more than a URI
# (__BODY_URI_ONLY), combined with either multiple From addresses or
# __NAME_EMAIL_DIFF. It uses the raw __PDS_FROM_2_EMAILS sub-rule, so the
# exclusions applied by T_PDS_FROM_2_EMAILS do not apply here.
5143ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5144if (version >= 3.004000)
5145meta T_PDS_FROM_2_EMAILS_SHRTNER __URL_SHORTENER && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY
5146describe T_PDS_FROM_2_EMAILS_SHRTNER From 2 emails short email with little more than a URI shortener
5147#score T_PDS_FROM_2_EMAILS_SHRTNER 1.5 # limit
5148endif
5149endif
5150##} T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5151
54c714b2
SI
5152##{ T_PDS_FROM_NAME_TO_DOMAIN
5153
# Exposes the sub-rule __PDS_FROM_NAME_TO_DOMAIN: per the describe text, the
# From display name resembles the recipient's domain. That is a common
# impersonation pattern in which the sender poses as the recipient's own
# organisation.
5154meta T_PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN
5155#score T_PDS_FROM_NAME_TO_DOMAIN 2.0
5156describe T_PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain
5157##} T_PDS_FROM_NAME_TO_DOMAIN
5158
b780ea8d
SI
5159##{ T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5160
# Litecoin counterpart of T_PDS_BTC_AHACKER: __PDS_LITECOIN_ID together with
# the same __PDS_BTC_BADFROM and __PDS_BTC_ANON sub-rules used by the Bitcoin
# rules.
5161ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5162 meta T_PDS_LTC_AHACKER ( __PDS_LITECOIN_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON )
5163 describe T_PDS_LTC_AHACKER Litecoin Hacker
5164# score T_PDS_LTC_AHACKER 3.0 # limit
5165endif
5165endif
5166##} T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5167
5168##{ T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5169
# Litecoin counterpart of T_PDS_BTC_HACKER: __PDS_LITECOIN_ID and
# __PDS_BTC_ANON with __PDS_BTC_BADFROM false, so it never fires together with
# T_PDS_LTC_AHACKER.
5170ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5171 meta T_PDS_LTC_HACKER ( __PDS_LITECOIN_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM )
5172 describe T_PDS_LTC_HACKER Litecoin Hacker
5173# score T_PDS_LTC_HACKER 2.0 # limit
5174endif
5174endif
5175##} T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5176
fc5290a3
SI
5177##{ T_PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5178
# Small message, no full name in From, and a spoofed URL. The rule is
# suppressed if any one of six sub-rules is true: mailing list, sender bot,
# Yahoo bulk, unsubscribe link, threaded, URL shortener.
# NOTE(review): the describe text cites T_SPOOFED_URL and T_KHOP_NO_FULL_NAME,
# while the expression uses the __-prefixed sub-rules.
5179ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5180if (version >= 3.004000)
5181meta T_PDS_NO_FULL_NAME_SPOOFED_URL __PDS_MSG_1024 && __KHOP_NO_FULL_NAME && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER)
5182describe T_PDS_NO_FULL_NAME_SPOOFED_URL HTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME
5183#score T_PDS_NO_FULL_NAME_SPOOFED_URL 0.75 # limit
5184endif
5185endif
5186##} T_PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5187
b780ea8d
SI
5188##{ T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5189
# Calls the WLBLEval check_uri_host_listed against the host list named
# SUSP_URI_NTLD_PRO, which is populated outside this excerpt. Per the describe
# text it flags URIs under the .pro TLD. A TLD alone is a coarse signal, which
# fits the 1.0 in the commented-out score line.
5190if (version >= 3.004002)
5191ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5192header T_PDS_PRO_TLD eval:check_uri_host_listed('SUSP_URI_NTLD_PRO')
5193#score T_PDS_PRO_TLD 1.0
5194describe T_PDS_PRO_TLD .pro TLD
5195endif
5196endif
5197##} T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5198
5199##{ T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5200
# URL shortener, short subject and __PDS_HTML_LENGTH_2048, plus at least one
# sign of a reply or forward (threading headers, a mailto URI, or a quoted
# Reply-To, going by the sub-rule names). Those headers are sender-supplied, so
# this targets spam dressed up as a reply.
5201ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5202if (version >= 3.004000)
dfdd1e08 5203meta T_PDS_SHORTFWD_URISHRT __URL_SHORTENER && (__THREADED || __HAS_IN_REPLY_TO || __HAS_THREAD_INDEX || __URI_MAILTO || __REPTO_QUOTE) && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
b780ea8d
SI
5204describe T_PDS_SHORTFWD_URISHRT Threaded email with URI shortener
5205#score T_PDS_SHORTFWD_URISHRT 1.5 # limit
5206endif
5207endif
5208##} T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5209
31955ede
SI
5210##{ T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5211
# Hits when __URL_SHORTENER, __HS_SUBJ_RE_FW and __PDS_MSG_512 are all true.
# T_PDS_SHORTFWD_URISHRT_QP explicitly excludes messages that hit this rule.
5212ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5213if (version >= 3.004000)
dfdd1e08 5214meta T_PDS_SHORTFWD_URISHRT_FP __URL_SHORTENER && __HS_SUBJ_RE_FW && __PDS_MSG_512
31955ede
SI
5215describe T_PDS_SHORTFWD_URISHRT_FP Apparently a short fwd/re with URI shortener
5216#score T_PDS_SHORTFWD_URISHRT_FP 1.5 # limit
5217endif
5218endif
5219##} T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5220
5221##{ T_PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5222
# Same shape as T_PDS_SHORTFWD_URISHRT_FP but excludes messages that hit that
# rule, and carries the same describe text.
# NOTE(review): this expression uses __T_PDS_MSG_512 where the _FP sibling uses
# __PDS_MSG_512. Confirm that both sub-rules are defined and that they differ
# as intended.
5223ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5224if (version >= 3.004000)
dfdd1e08 5225meta T_PDS_SHORTFWD_URISHRT_QP __URL_SHORTENER && __HS_SUBJ_RE_FW && __T_PDS_MSG_512 && !T_PDS_SHORTFWD_URISHRT_FP
31955ede
SI
5226describe T_PDS_SHORTFWD_URISHRT_QP Apparently a short fwd/re with URI shortener
5227#score T_PDS_SHORTFWD_URISHRT_QP 1.5 # limit
5228endif
5229endif
5230##} T_PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5231
fc5290a3 5232##{ T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
b780ea8d 5233
fc5290a3
SI
# Small message with a spoofed URL (__SPOOFED_URL). The rule is suppressed if
# any one of six sub-rules is true: mailing list, sender bot, Yahoo bulk,
# unsubscribe link, threaded, URL shortener. A spoofed URL is presumably link
# text that shows one address while the href points to another, the core of
# most credential-phishing mail.
5234ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5235if (version >= 3.004000)
5236meta T_PDS_SHORT_SPOOFED_URL __PDS_MSG_1024 && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER)
5237describe T_PDS_SHORT_SPOOFED_URL HTML message short and T_SPOOFED_URL (S_U_FP)
5238#score T_PDS_SHORT_SPOOFED_URL 2.0
b780ea8d 5239endif
fc5290a3
SI
5240endif
5241##} T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5242
54c714b2
SI
5243##{ T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5244
# Hits when __URL_SHORTENER, __SUBJ_SHORT and __PDS_MSG_1024 are all true.
# The sub-rules are defined outside this excerpt; the score line is commented
# out.
5245ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5246if (version >= 3.004000)
5247meta T_PDS_TINYSUBJ_URISHRT __URL_SHORTENER && __SUBJ_SHORT && __PDS_MSG_1024
5248describe T_PDS_TINYSUBJ_URISHRT Short subject with URL shortener
5249#score T_PDS_TINYSUBJ_URISHRT 1.5 # limit
5250endif
5251endif
5252##} T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5253
151f49fd 5254##{ T_PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
fc5290a3 5255
151f49fd
SI
# Either of two __PDS_TO_EQ_FROM_NAME variants, suppressed when __HAS_SENDER
# is true. By its name that means a Sender: header is present, and the header
# is sender-controlled.
5256if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
5257 meta T_PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER
5258 describe T_PDS_TO_EQ_FROM_NAME From: name same as To: address
fc5290a3 5259endif
151f49fd 5260##} T_PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
cabe596e
SI
5261
5262##{ T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5263
# LOCALPART_IN_SUBJECT together with a URL shortener and __PDS_MSG_1024.
# The describe text mentions only the local-part condition, not the shortener
# or size conditions that the expression also requires.
5264ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5265if (version >= 3.004000)
dfdd1e08 5266meta T_PDS_URISHRT_LOCALPART_SUBJ LOCALPART_IN_SUBJECT && __URL_SHORTENER && __PDS_MSG_1024
cabe596e
SI
5267describe T_PDS_URISHRT_LOCALPART_SUBJ Localpart of To in subject
5268#score T_PDS_URISHRT_LOCALPART_SUBJ 1.0
5269endif
5270endif
5271##} T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
b780ea8d 5272
54c714b2 5273##{ T_PDS_X_PHP_WP_EXP
dfdd1e08 5274
54c714b2
SI
# Hits when any of four X-PHP-Script sub-rules is true. By their names these
# cover the wp-content, wp-includes, wp-admin and JS paths. Mail that
# originates from scripts in those directories often points to a compromised
# WordPress site, which is useful context when triaging a hit.
5275meta T_PDS_X_PHP_WP_EXP (__PDS_X_PHP_WPCONTENT || __PDS_X_PHP_WPINCLUDES || __PDS_X_PHP_WPADMIN || __PDS_X_PHP_WPJS)
5276describe T_PDS_X_PHP_WP_EXP X-PHP-Script shows sent from a Wordpress PHP script where you would not expect one
5277#score T_PDS_X_PHP_WP_EXP 1.5
5278##} T_PDS_X_PHP_WP_EXP
dfdd1e08
SI
5279
5280##{ T_PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
46cfc9e2 5281
dfdd1e08
SI
# Arithmetic meta: the value of __PHOTO_RETOUCHING must be above 4, and one of
# the two Reply-To sub-rules (__REPTO_CHN_FREEM or __freemail_hdr_replyto) must
# be true. The first condition presumably counts multiple phrase hits.
5282if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5283 meta T_PHOTO_EDITING_FREEM __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
5284 describe T_PHOTO_EDITING_FREEM Image editing service, freemail or CHN replyto
5285# score T_PHOTO_EDITING_FREEM 3.750 # limit
5286endif
5287##} T_PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
46cfc9e2 5288
b780ea8d
SI
5289##{ T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
5290
# Exposes the sub-rule __REMOTE_IMAGE. Externally hosted images are normal in
# legitimate HTML mail and also serve as tracking beacons, so on its own this
# is an informational signal.
5291ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
5292 meta T_REMOTE_IMAGE __REMOTE_IMAGE
5293 describe T_REMOTE_IMAGE Message contains an external image
5294endif
5295##} T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
5296
fc5290a3
SI
5297##{ T_SCC_BODY_TEXT_LINE
5298
151f49fd
SI
# Arithmetic meta: the value of __SCC_BODY_TEXT_LINE_FULL minus the value of
# __SCC_SUBJECT_HAS_NON_SPACE. The 'nice' tflag marks it as a rule meant to
# lower the spam score. There is no describe line and the sub-rule semantics
# are not visible here.
5299meta T_SCC_BODY_TEXT_LINE __SCC_BODY_TEXT_LINE_FULL - __SCC_SUBJECT_HAS_NON_SPACE
5300tflags T_SCC_BODY_TEXT_LINE nice
fc5290a3
SI
5301##} T_SCC_BODY_TEXT_LINE
5302
b780ea8d
SI
5303##{ T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5304
# Hits when __FROM_ADDRLIST_SUSPNTLD and __PDS_SENT_TO_EMAIL_ADDR are both
# true. By their names that is a suspicious-TLD sender and body text saying the
# mail "was sent to" an address.
5305if (version >= 3.004002)
5306ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5307meta T_SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR
5308describe T_SENT_TO_EMAIL_ADDR Email was sent to email address
5309#score T_SENT_TO_EMAIL_ADDR 2.0 # limit
5310endif
5311endif
5312##} T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5313
5314##{ T_SHARE_50_50
5315
# __FIFTY_FIFTY together with either __SHARE_IT or __AGREED_RATIO. This is the
# advance-fee fraud wording in which the sender offers to split a sum with the
# recipient.
5316meta T_SHARE_50_50 (__SHARE_IT || __AGREED_RATIO) && __FIFTY_FIFTY
5317describe T_SHARE_50_50 Share the money 50/50
5318##} T_SHARE_50_50
5319
5320##{ T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5321
# __STY_INVIS_DIRECT (hidden HTML text plus direct-to-MX delivery, per the
# describe text) with ten exclusions. Each exclusion is a separate way for a
# message to avoid the rule, and several of them (unsubscribe link, mail link,
# X-Entity-ID header) are things a sender can add. Weigh that when relying on
# this rule.
5322if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
151f49fd 5323 meta T_STY_INVIS_DIRECT __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK && !__USING_VERP1 && !__HAS_X_ENTITY_ID && !__RCD_RDNS_SMTP_MESSY && !__RDNS_STATIC
b780ea8d
SI
5324 describe T_STY_INVIS_DIRECT HTML hidden text + direct-to-MX
5325# score T_STY_INVIS_DIRECT 2.500 # limit
5326endif
5327##} T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5328
5329##{ T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5330
# Hits when LOTS_OF_MONEY, __PDS_EXPIRATION_NOTICE and
# __FROM_ADDRLIST_SUSPNTLD are all true. The sub-rules are defined outside this
# excerpt.
5331if (version >= 3.004002)
5332ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5333meta T_SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD
5334describe T_SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money
5335#score T_SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit
5336endif
5337endif
5338##} T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5339
5340##{ T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5341
# Uses __PDS_SHORT_URL ("potential shortener" in the describe text) rather
# than __URL_SHORTENER, together with __PDS_TONAME_EQ_TOLOCAL and a short
# subject. The _SHRTNER sibling uses the known-shortener sub-rule instead.
5342ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5343if (version >= 3.004000)
5344meta T_TONOM_EQ_TOLOC_SHRT_PSHRTNER __PDS_SHORT_URL && __PDS_TONAME_EQ_TOLOCAL && __SUBJ_SHORT
5345describe T_TONOM_EQ_TOLOC_SHRT_PSHRTNER Short subject with potential shortener and To:name eq To:local
5346#score T_TONOM_EQ_TOLOC_SHRT_PSHRTNER 1.5 # limit
5347endif
5348endif
5349##} T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5350
fc5290a3
SI
5351##{ T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5352
# Hits when __URL_SHORTENER, __PDS_TONAME_EQ_TOLOCAL and __PDS_MSG_1024 are
# all true. A To display name equal to the local part suggests the recipient
# list was generated from bare addresses.
5353ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5354if (version >= 3.004000)
5355meta T_TONOM_EQ_TOLOC_SHRT_SHRTNER __URL_SHORTENER && __PDS_TONAME_EQ_TOLOCAL && __PDS_MSG_1024
5356describe T_TONOM_EQ_TOLOC_SHRT_SHRTNER Short email with shortener and To:name eq To:local
5357#score T_TONOM_EQ_TOLOC_SHRT_SHRTNER 1.5 # limit
5358endif
5359endif
5360##} T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5361
b780ea8d
SI
5362##{ T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5363
# ReplaceTags rule for disguised spellings of "sector". The (?!sector)
# lookahead rejects the plain word, so only obfuscated variants hit. The
# replace_rules line that enables tag expansion is outside this excerpt, and
# the rule has no describe text.
5364ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5365body T_TVD_FUZZY_SECTOR /(?!sector)<S><E><C><T><O><R>/i
5366endif
5367##} T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5368
5369##{ T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5370
# ReplaceTags rule for disguised spellings of "securities". The two lookaheads
# reject the plain word and the phrase "security es" / "security, es", leaving
# only obfuscated variants. The rule has no describe text.
5371ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5372body T_TVD_FUZZY_SECURITIES /<inter W2><post P2>(?!securities)(?!security,? es)<S><E><C><U><R><I><T><I><E><S>/i
5373endif
5374##} T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5375
5376##{ T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5377
# Matches a MIME part whose Content-Id starts "<" followed by four
# dot-separated groups of eight hex digits. There is no /i flag, so only
# upper-case hex matches, and nothing anchors the text after the fourth group.
# No describe line is present, so reports will show the rule name only.
5378ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5379mimeheader T_TVD_FW_GRAPHIC_ID2 Content-Id =~ /<(?:[0-9A-F]{8}\.){3}[0-9A-F]{8}/
5380endif
5381##} T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5382
5383##{ T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5384
5385ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5386body T_TVD_MIME_EPI eval:check_msg_parse_flags('mime_epilogue_exists')
5387endif
5388##} T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5389
5390##{ T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5391
5392ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5393body T_TVD_MIME_NO_HEADERS eval:check_msg_parse_flags('missing_mime_headers')
5394endif
5395##} T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5396
54c714b2
SI
5397##{ T_US_DOLLARS_3
5398
# Body rule for a dollar amount written with two thousands groups:
# "$" or "usd", at most one arbitrary character, 1-3 digits, then two groups
# of three digits separated by "," or ".", with optional two-digit cents.
# Nothing bounds the match on either side of the digits, so larger amounts
# (e.g. a further ",NNN" group) also hit. The description's "millions" is a
# lower bound, not an exact range.
# The score line is commented out; as a "T_" rule it defaults to 0.01 unless
# a score is assigned elsewhere.
5399body T_US_DOLLARS_3 /(?:\$|usd).?\d{1,3}[,.]\d{3}[,.]\d{3}(?:[,.]\d\d)?/i
5400describe T_US_DOLLARS_3 Mentions millions of $ ($NN,NNN,NNN.NN)
5401#score T_US_DOLLARS_3 2.0
5402##} T_US_DOLLARS_3
5403
b780ea8d
SI
5404##{ T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5405
5406ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5407 meta T_WON_MONEY_ATTACH __YOU_WON && LOTS_OF_MONEY && (__PDF_ATTACH || __DOC_ATTACH)
5408 describe T_WON_MONEY_ATTACH You won lots of money! See attachment.
5409endif
5410##} T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5411
5412##{ T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5413
# "You won" wording with an empty body and a PDF, DOC, GIF or JPEG attachment:
# the lure is carried entirely by the attachment.
# NOTE(review): the describe text is identical to T_WON_MONEY_ATTACH, but this
# meta does not test LOTS_OF_MONEY. The "lots of money" wording in reports is
# therefore not something this rule established. Left unchanged here because
# the text is emitted at runtime and the file is generated upstream.
5414ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5415 meta T_WON_NBDY_ATTACH __YOU_WON && __EMPTY_BODY && (__PDF_ATTACH || __DOC_ATTACH || __GIF_ATTACH || __JPEG_ATTACH)
5416 describe T_WON_NBDY_ATTACH You won lots of money! See attachment.
5417endif
5418##} T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5419
fc5290a3
SI
5420##{ T_XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5421
5422ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5423if (version >= 3.004000)
5424meta T_XPRIO_URL_SHORTNER __XPRIO_MINFP && __URL_SHORTENER
5425describe T_XPRIO_URL_SHORTNER X-Priority header and short URL
5426#score T_XPRIO_URL_SHORTNER 1.0 # limit
5427endif
5428endif
5429##} T_XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5430
b780ea8d
SI
5431##{ T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5432
# Meta rule: fires when both the __UNICODE_OBFU_ZW and __BITCOIN_ID subrules
# hit. The describe text ties that combination to extortion mail.
# Only defined when the running SpamAssassin advertises feature_bug6558_free.
# The score line is commented out, so this "T_" rule carries the 0.01 default
# unless a score is set elsewhere. Treat a hit as a triage signal, not a
# verdict.
5433if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5434 meta T_ZW_OBFU_BITCOIN __UNICODE_OBFU_ZW && __BITCOIN_ID
5435 describe T_ZW_OBFU_BITCOIN Obfuscated text + bitcoin ID - possible extortion
5436# score T_ZW_OBFU_BITCOIN 2.500 # limit
5437endif
5438##} T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5439
dfdd1e08
SI
5440##{ T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5441
5442if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5443 meta T_ZW_OBFU_FREEM __UNICODE_OBFU_ZW && __freemail_hdr_replyto
5444 describe T_ZW_OBFU_FREEM Obfuscated text + freemail
5445# score T_ZW_OBFU_FREEM 2.000 # limit
5446endif
5447##} T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5448
b780ea8d
SI
5449##{ T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5450
5451if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5452 meta T_ZW_OBFU_FROMTOSUBJ __UNICODE_OBFU_ZW && FROM_IN_TO_AND_SUBJ
5453 describe T_ZW_OBFU_FROMTOSUBJ Obfuscated text + from in to and subject
5454# score T_ZW_OBFU_FROMTOSUBJ 2.000 # limit
5455endif
5456##} T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5457
5458##{ UC_GIBBERISH_OBFU
5459
# Meta rule: needs more than one hit of __UC_GIBB_OBFU and none of the
# listed exemptions (return-path matching Received, mailing list, DKIM
# present, all relays trusted).
# NOTE(review): a hit count above 1 is only possible if the subrule is
# declared with `tflags multiple`; its definition is not in this section.
# NOTE(review): __DKIM_EXISTS presumably tests for the presence of a
# signature header rather than a verified signature. Confirm against its
# definition. If so, this exemption is not an authentication check and
# widens the rule's false-negative surface.
5460meta UC_GIBBERISH_OBFU (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED
5461describe UC_GIBBERISH_OBFU Multiple instances of "word VERYLONGGIBBERISH word"
5462#score UC_GIBBERISH_OBFU 3.000 # Limit
5463tflags UC_GIBBERISH_OBFU publish
5464##} UC_GIBBERISH_OBFU
5465
5466##{ UNDISC_FREEM
5467
5468meta UNDISC_FREEM __UNDISC_FREEM
5469describe UNDISC_FREEM Undisclosed recipients + freemail reply-to
5470tflags UNDISC_FREEM publish
5471##} UNDISC_FREEM
5472
5473##{ UNDISC_MONEY
5474
5475meta UNDISC_MONEY __UNDISC_MONEY && !__VIA_ML && !__MSGID_HEXISH
5476describe UNDISC_MONEY Undisclosed recipients + money/fraud signs
5477tflags UNDISC_MONEY publish
5478##} UNDISC_MONEY
5479
5480##{ UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5481
5482if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5483 meta UNICODE_OBFU_ASC __UNICODE_OBFU_ASC && !__SPAN_BEG_TEXT && !HTML_IMAGE_ONLY_32
5484 describe UNICODE_OBFU_ASC Obfuscating text with unicode
5485# score UNICODE_OBFU_ASC 2.500 # limit
5486 tflags UNICODE_OBFU_ASC publish
5487endif
5488##} UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5489
5490##{ UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5491
5492if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5493 meta UNICODE_OBFU_ZW __UNICODE_OBFU_ZW_2 && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL_MESSY && !__DOS_HAS_LIST_ID && !__USING_VERP1 && !__DOS_HAS_LIST_UNSUB && !__RCD_RDNS_SMTP && !__DKIM_EXISTS
5494 describe UNICODE_OBFU_ZW Obfuscating text with hidden characters
5495# score UNICODE_OBFU_ZW 3.500 # limit
5496 tflags UNICODE_OBFU_ZW publish
5497endif
5498##} UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5499
151f49fd
SI
5500##{ UNICODE_OBFU_ZW_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5501
5502if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5503 meta UNICODE_OBFU_ZW_MANY __UNICODE_OBFU_ZW_10 && !__RCD_RDNS_MAIL_MESSY
5504 describe UNICODE_OBFU_ZW_MANY Heavily obfuscating text with hidden characters
5505# score UNICODE_OBFU_ZW_MANY 3.000 # limit
5506 tflags UNICODE_OBFU_ZW_MANY publish
5507endif
5508##} UNICODE_OBFU_ZW_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5509
dfdd1e08
SI
5510##{ UNSUB_GOOG_FORM
5511
5512meta UNSUB_GOOG_FORM __UNSUB_GOOG_FORM
5513describe UNSUB_GOOG_FORM Unsubscribe via Google Docs form
5514#score UNSUB_GOOG_FORM 2.500 # limit
5515tflags UNSUB_GOOG_FORM publish
5516##} UNSUB_GOOG_FORM
5517
b780ea8d
SI
5518##{ URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
5519
# Network rule: domains taken from URIs in the message are looked up as A
# records under dob.sibl.support-intelligence.net. The bare "2" subtest is,
# per the URIDNSBL documentation, a bitmask applied to the returned address.
# `tflags net` marks it as a network test, so it is skipped when network
# checks are disabled.
# Operational caveats: each lookup discloses the queried domain to the zone
# operator and to resolvers on the path, and the rule is only as reliable as
# that third-party zone. Confirm the zone is still served before relying on
# hits or on their absence.
5520ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
5521urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 2
5522body URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB')
5523describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
5524tflags URIBL_RHS_DOB net
5525endif
5526##} URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
5527
5528##{ URI_ADOBESPARK
5529
# Thin published wrapper around the __URI_ADOBESPARK subrule (defined outside
# this section).
# NOTE(review): unlike the neighbouring URI_* wrappers there is no describe
# line, so a report gives an analyst no hint of why the rule fired.
5530meta URI_ADOBESPARK __URI_ADOBESPARK
5531#score URI_ADOBESPARK 3.500 # limit
5532tflags URI_ADOBESPARK publish
5533##} URI_ADOBESPARK
5534
5535##{ URI_AZURE_CLOUDAPP
5536
5537meta URI_AZURE_CLOUDAPP __URI_AZURE_CLOUDAPP && __NAKED_TO && !__HDR_RCVD_GOOGLE
5538describe URI_AZURE_CLOUDAPP Link to hosted azure web application, possible phishing
5539#score URI_AZURE_CLOUDAPP 3.000 # limit
5540tflags URI_AZURE_CLOUDAPP publish
5541##} URI_AZURE_CLOUDAPP
5542
54c714b2
SI
5543##{ URI_CLOUDFLAREIPFS
5544
5545meta URI_CLOUDFLAREIPFS __URI_CLOUDFLAREIPFS
5546describe URI_CLOUDFLAREIPFS References Interplanetary File System PtP content via CloudFlare, likely phishing
5547#score URI_CLOUDFLAREIPFS 2.500 # limit
5548tflags URI_CLOUDFLAREIPFS publish
5549##} URI_CLOUDFLAREIPFS
5550
b780ea8d
SI
5551##{ URI_DASHGOVEDU
5552
5553meta URI_DASHGOVEDU __URI_DASHGOVEDU
5554describe URI_DASHGOVEDU Suspicious domain name
5555#score URI_DASHGOVEDU 3.500 # limit
5556tflags URI_DASHGOVEDU publish
5557##} URI_DASHGOVEDU
5558
5559##{ URI_DATA
5560
5561meta URI_DATA __URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH && !__DOS_HAS_LIST_UNSUB
5562describe URI_DATA "data:" URI - possible malware or phish
5563#score URI_DATA 3.250 # limit
5564tflags URI_DATA publish
5565##} URI_DATA
5566
b780ea8d
SI
5567##{ URI_DOTEDU
5568
5569meta URI_DOTEDU __URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINK
5570describe URI_DOTEDU Has .edu URI
5571#score URI_DOTEDU 2.000 # limit
5572tflags URI_DOTEDU publish
5573##} URI_DOTEDU
5574
5575##{ URI_DOTEDU_ENTITY
5576
5577meta URI_DOTEDU_ENTITY __URI_DOTEDU_ENTITY && !__SUBSCRIPTION_INFO
5578describe URI_DOTEDU_ENTITY Via .edu MTA + suspicious HTML content
5579#score URI_DOTEDU_ENTITY 3.000 # limit
5580tflags URI_DOTEDU_ENTITY publish
5581##} URI_DOTEDU_ENTITY
5582
5583##{ URI_DOTTY_HEX
5584
5585meta URI_DOTTY_HEX __URI_DOTTY_HEX
5586describe URI_DOTTY_HEX Suspicious URI format
5587tflags URI_DOTTY_HEX publish
5588##} URI_DOTTY_HEX
5589
5590##{ URI_DQ_UNSUB
5591
5592meta URI_DQ_UNSUB __URI_DQ_UNSUB
5593describe URI_DQ_UNSUB IP-address unsubscribe URI
5594tflags URI_DQ_UNSUB publish
5595##} URI_DQ_UNSUB
5596
5597##{ URI_FIREBASEAPP
5598
5599meta URI_FIREBASEAPP __URI_FIREBASEAPP || __URI_WEBAPP
5600describe URI_FIREBASEAPP Link to hosted firebase web application, possible phishing
5601#score URI_FIREBASEAPP 3.000 # limit
5602tflags URI_FIREBASEAPP publish
5603##} URI_FIREBASEAPP
5604
5605##{ URI_GOOGLE_PROXY
5606
5607meta URI_GOOGLE_PROXY __URI_GOOGLE_PROXY && !__FSL_RELAY_GOOGLE && !__TO___LOWER && !__MSGID_OK_HEX && !__HAS_CAMPAIGNID
5608describe URI_GOOGLE_PROXY Accessing a blacklisted URI or obscuring source of phish via Google proxy?
5609tflags URI_GOOGLE_PROXY publish
5610##} URI_GOOGLE_PROXY
5611
5612##{ URI_GOOG_STO_SPAMMY
5613
54c714b2 5614uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:0(?:48dg9hjdjsr68rr409tdu516yts8d4s1yteq560dht|584d8aab5db65a3970e|ca91f665e5e9e3bff16)|1(?:479______00\-\-074\-4\-\-\-\-\-\-\-_\-\-\-\-\-\-0894_________\-\-\-\-\-\-\-\-\-______09|f28eb9c708059ce7b58|tactc1200)|2(?:024usa|2accc831928fe7a6d19)|3e6fc78af3b63110d89b|4(?:30bc3a2d98b15a0c58bf8df8f938d|hs3rzdz_r_us\-east\-1)|5(?:34c4e7320793c473d0b|a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|89azr4etr0t6k5jdh4rg9e8udo40kdj1h56gd4xd165jhkd5j04yd156j02|9c32d4d56b8ac7eb1296|a(?:1discover|4301cda1e5c450bab01|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:liedtrust7?|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|sb50118|tividade|udio0254)|b(?:337276797de5b3|6fa8ec81224238ce57a|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:fbgverhg|linkmanager|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|ircaknee0|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|urankdmeksjsed|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|159310a731c3ae80e0c|ac2a3ca82cd6a5f4896|e(?:m
entiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|lqjxjdxesmapldjehahnse|msksjskeoncbvevde|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4(?:mhoyal1r0|ome1owne1r)|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefilt
revdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|il(?:bd667477388299_747472|trk___newyear2024___g089dh4fg16qs804dsd1jh6g5sq)|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|k_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|p_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|s____mailpro\-holiday2024__9s8h7140q6h84e6hs84g6s85d403|w_4098fae4grhtejy9r80t4qt1z984ui94yuiopoikjhnbvx\-\-\-2024|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|otectsecurity)|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:___mailpro__evolution\-unitedstate_____78f40x1fg0|a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|bd_____mail___29302939298882777231|coutstonenew|dfgwsd74fg|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|
mplex18742)|leepditch|o(?:lbeam004|uthbeach(?:001|skin))|preader35|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:ch________frebulkmnge________teamtechbuy|lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|mobile0sur1vey|o(?:enailfungus|p(?:inal|ol(?:\-web|io29034)))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:_bulk_click\-mail_oldfrom_9898409486498904948904548094804864xx|bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))/;i
b780ea8d
SI
# NOTE(review): the uri pattern above is a fixed list of bucket names under
# https://storage.googleapis.com/, each required to be followed by "/".
# It is a point-in-time indicator list: it only catches names already
# enumerated, so its value depends on how recently the rule set was updated.
# It matches the path-style URL form only. Whether other URL forms for the
# same storage are covered by a separate rule cannot be told from here.
5615describe URI_GOOG_STO_SPAMMY Link to spammy content hosted by google storage
5616#score URI_GOOG_STO_SPAMMY 3.000
5617tflags URI_GOOG_STO_SPAMMY publish
5618##} URI_GOOG_STO_SPAMMY
5619
5620##{ URI_HEX_IP
5621
5622meta URI_HEX_IP __URI_HEX_IP
5623#score URI_HEX_IP 2.500 # limit
5624describe URI_HEX_IP URI with hex-encoded IP-address host
5625tflags URI_HEX_IP publish
5626##} URI_HEX_IP
5627
151f49fd
SI
5628##{ URI_IMG_CWINDOWSNET
5629
5630meta URI_IMG_CWINDOWSNET __URI_IMG_CWINDOWSNET && !__RCD_RDNS_SMTP && !__REPTO_QUOTE && !__URI_DOTEDU
5631#score URI_IMG_CWINDOWSNET 3.500 # limit
5632describe URI_IMG_CWINDOWSNET Non-MSFT image hosted by Microsoft Azure infra, possible phishing
5633tflags URI_IMG_CWINDOWSNET publish
5634##} URI_IMG_CWINDOWSNET
5635
b780ea8d
SI
5636##{ URI_IMG_WP_REDIR
5637
5638meta URI_IMG_WP_REDIR __URI_IMG_WP_REDIR
5639#score URI_IMG_WP_REDIR 3.000 # limit
5640describe URI_IMG_WP_REDIR Image via WordPress "accelerator" proxy
5641tflags URI_IMG_WP_REDIR publish
5642##} URI_IMG_WP_REDIR
5643
5644##{ URI_LONG_REPEAT
5645
5646meta URI_LONG_REPEAT __URI_LONG_REPEAT
31955ede 5647describe URI_LONG_REPEAT Long identical host+domain
b780ea8d
SI
5648#score URI_LONG_REPEAT 2.500 # limit
5649tflags URI_LONG_REPEAT publish
5650##} URI_LONG_REPEAT
5651
54c714b2
SI
5652##{ URI_MALWARE_BH
5653
# URI shape heuristic: a dot plus 2-4 word characters, "/", exactly eight
# word characters, then "/index.html". The class [\d\w] is equivalent to \w.
# The pattern describes a path layout, not a known-bad host, so it will also
# match benign sites that use an eight-character directory name. The
# commented score limit of 1.0 is consistent with treating it as a weak
# signal to be combined with others.
5654uri URI_MALWARE_BH /\.\w{2,4}\/[\d\w]{8}\/index\.html/i
5655describe URI_MALWARE_BH Possible BlackHole malware links / phishing
5656#score URI_MALWARE_BH 1.0 # limit
5657##} URI_MALWARE_BH
5658
b780ea8d
SI
5659##{ URI_MALWARE_SCMS
5660
# Flags any URI containing ".SettingContent-ms" (case-insensitive) followed by
# a word boundary, i.e. a link that references a file of that type.
# No score line appears in this section; the effective score comes from
# elsewhere or from the default.
5661uri URI_MALWARE_SCMS /\.SettingContent-ms\b/i
5662describe URI_MALWARE_SCMS Link to malware exploit download (.SettingContent-ms file)
5663tflags URI_MALWARE_SCMS publish
5664##} URI_MALWARE_SCMS
5665
5666##{ URI_ONLY_MSGID_MALF
5667
# NOTE(review): this section defines `meta URI_ONLY_MSGID_MALF` twice and
# `tflags` twice, with no conditional around either pair. The indented lines
# look like the two arms of an if/else whose control lines were lost when the
# file was generated. That is an inference, not something visible here.
# As far as the configuration parser is concerned the later line for a given
# rule name replaces the earlier one, so the effective expression would be
# the second meta (without !RCVD_IN_DNSWL_LOW) and the effective tflags would
# be "publish" rather than "net". Confirm with `spamassassin --lint` and a
# debug run before relying on the DNSWL exemption.
5668 meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO && !RCVD_IN_DNSWL_LOW
5669 tflags URI_ONLY_MSGID_MALF net
5670 meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO
5671describe URI_ONLY_MSGID_MALF URI only + malformed message ID
5672#score URI_ONLY_MSGID_MALF 2.000 # limit
5673tflags URI_ONLY_MSGID_MALF publish
5674##} URI_ONLY_MSGID_MALF
5675
5676##{ URI_OPTOUT_3LD
5677
# Matches http(s) URIs whose first host label is one of the listed opt-out
# words, optionally followed by digits, with at least one further label before
# a ".com" or ".net" suffix. The [^/]+ part keeps the match inside the host
# portion. URI_OPTOUT_USME uses the same label list with a different TLD set.
5678uri URI_OPTOUT_3LD m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i
5679describe URI_OPTOUT_3LD Opt-out URI, suspicious hostname
5680#score URI_OPTOUT_3LD 2.000 # limit
5681tflags URI_OPTOUT_3LD publish
5682##} URI_OPTOUT_3LD
5683
5684##{ URI_OPTOUT_USME
5685
5686uri URI_OPTOUT_USME m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i
5687describe URI_OPTOUT_USME Opt-out URI, unusual TLD
5688tflags URI_OPTOUT_USME publish
5689##} URI_OPTOUT_USME
5690
5691##{ URI_PHISH
5692
# This unconditional section carries only the description and flags. The meta
# expression is supplied by one of the two conditional sections that follow,
# depending on whether the MIMEHeader plugin is loaded. Those two expressions
# differ only in the extra !__REMOTE_IMAGE term of the MIMEHeader variant.
# Each "!..." term in those expressions is a false-positive exemption, so the
# rule is deliberately narrow. The absence of a hit says little about whether
# a message is phishing.
5693describe URI_PHISH Phishing using web form
5694#score URI_PHISH 4.00 # limit
5695tflags URI_PHISH publish
5696##} URI_PHISH
5697
5698##{ URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
5699
5700if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
5701 meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT
5702endif
5703##} URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
5704
5705##{ URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5706
5707ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5708 meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT
5709endif
5710##} URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5711
5712##{ URI_PHP_REDIR
5713
5714meta URI_PHP_REDIR __URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTA
5715#score URI_PHP_REDIR 3.500 # limit
5716describe URI_PHP_REDIR PHP redirect to different URL (link obfuscation)
5717tflags URI_PHP_REDIR publish
5718##} URI_PHP_REDIR
5719
5720##{ URI_TRY_3LD
5721
dfdd1e08 5722meta URI_TRY_3LD __URI_TRY_3LD && !__HAS_ERRORS_TO && !__HDR_RCVD_ALIBABA && !__HDR_CASE_REVERSED && !__XM_EC_MESSENGER && !__CHARITY && !__URI_DOTEDU && !__HAS_X_REF && !__HDR_RCVD_APPLE
b780ea8d
SI
5723describe URI_TRY_3LD "Try it" URI, suspicious hostname
5724#score URI_TRY_3LD 2.000 # limit
5725tflags URI_TRY_3LD publish
5726##} URI_TRY_3LD
5727
5728##{ URI_TRY_USME
5729
5730meta URI_TRY_USME __URI_TRY_USME && !__DKIM_EXISTS
5731describe URI_TRY_USME "Try it" URI, unusual TLD
cabe596e 5732#score URI_TRY_USME 2.000 # limit
b780ea8d
SI
5733tflags URI_TRY_USME publish
5734##} URI_TRY_USME
5735
5736##{ URI_WPADMIN
5737
5738meta URI_WPADMIN __URI_WPADMIN
5739describe URI_WPADMIN WordPress login/admin URI, possible phishing
5740tflags URI_WPADMIN publish
5741##} URI_WPADMIN
5742
5743##{ URI_WP_DIRINDEX
5744
5745meta URI_WP_DIRINDEX __URI_WPDIRINDEX
5746describe URI_WP_DIRINDEX URI for compromised WordPress site, possible malware
5747#score URI_WP_DIRINDEX 3.500 # limit
5748tflags URI_WP_DIRINDEX publish
5749##} URI_WP_DIRINDEX
5750
5751##{ URI_WP_HACKED
5752
5753meta URI_WP_HACKED (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED
5754describe URI_WP_HACKED URI for compromised WordPress site, possible malware
5755#score URI_WP_HACKED 3.500 # limit
5756tflags URI_WP_HACKED publish
5757##} URI_WP_HACKED
5758
5759##{ URI_WP_HACKED_2
5760
5761meta URI_WP_HACKED_2 (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__HAS_LIST_ID && !__THREADED && !__USING_VERP1
5762describe URI_WP_HACKED_2 URI for compromised WordPress site, possible malware
5763#score URI_WP_HACKED_2 2.500 # limit
5764tflags URI_WP_HACKED_2 publish
5765##} URI_WP_HACKED_2
5766
5767##{ USB_DRIVES
5768
5769meta USB_DRIVES __SUBJ_USB_DRIVES
5770describe USB_DRIVES Trying to sell custom USB flash drives
5771#score USB_DRIVES 2.000 # limit
5772tflags USB_DRIVES publish
5773##} USB_DRIVES
5774
5775##{ VFY_ACCT_NORDNS
5776
5777meta VFY_ACCT_NORDNS __VFY_ACCT_NORDNS && !__STY_INVIS_MANY
5778describe VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA - probable phishing
5779#score VFY_ACCT_NORDNS 3.000 # limit
5780tflags VFY_ACCT_NORDNS publish
5781##} VFY_ACCT_NORDNS
5782
151f49fd
SI
5783##{ VISTA_COST
5784
5785meta VISTA_COST __VISTA_COST && !__DOS_HAS_LIST_UNSUB
5786describe VISTA_COST Old MSFT msgid format + "cost"
5787#score VISTA_COST 2.500 # limit
5788tflags VISTA_COST publish
5789##} VISTA_COST
5790
5791##{ VISTA_TONOM_EQ_TOLOC
5792
5793meta VISTA_TONOM_EQ_TOLOC __VISTA_TONOM_EQ_TOLOC && !__MSOE_MID_WRONG_CASE
5794describe VISTA_TONOM_EQ_TOLOC Old MSFT msgid format + To display name = username
5795#score VISTA_TONOM_EQ_TOLOC 2.500 # limit
5796tflags VISTA_TONOM_EQ_TOLOC publish
5797##} VISTA_TONOM_EQ_TOLOC
5798
b780ea8d
SI
5799##{ VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5800
# Meta rule: both __VPSNUMBERONLY_TLD and __FROM_ADDRLIST_SUSPNTLD must hit.
# Defined only on SpamAssassin 3.4.2 or later with the WLBLEval plugin loaded.
# NOTE(review): the describe text misspells "suspicious". It is left as-is
# here because it is emitted in reports and the file is generated upstream.
5801if (version >= 3.004002)
5802ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5803meta VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD
5804tflags VPS_NO_NTLD publish
5805describe VPS_NO_NTLD vps[0-9] domain at a suspiscious TLD
5806#score VPS_NO_NTLD 1.0 # limit
5807endif
5808endif
5809##} VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5810
5811##{ WALMART_IMG_NOT_RCVD_WAL
5812
5813meta WALMART_IMG_NOT_RCVD_WAL __WALMART_IMG_NOT_RCVD_WAL && !__DKIM_EXISTS
5814#score WALMART_IMG_NOT_RCVD_WAL 2.500 # limit
5815describe WALMART_IMG_NOT_RCVD_WAL Walmart hosted image but message not from Walmart
5816tflags WALMART_IMG_NOT_RCVD_WAL publish
5817##} WALMART_IMG_NOT_RCVD_WAL
5818
151f49fd
SI
5819##{ WIKI_IMG
5820
# Matches an http(s) image URL (.png/.gif/.jpg/.jpeg) whose host ends in
# "wikimedia.org" or "wikipedia.org" with at least one character in front.
# NOTE(review): the host is matched as a plain suffix, with no "." required
# before "wiki", so a hit shows what the hostname looks like and does not
# establish that the image is served by a Wikimedia-operated host. The
# extension is not anchored to the end of the URI either.
5821uri WIKI_IMG m,^https?://[^/]+wiki[mp]edia\.org/.+\.(?:png|gif|jpe?g),i
5822describe WIKI_IMG Image from wikipedia
5823##} WIKI_IMG
5824
b780ea8d
SI
5825##{ WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5826
5827if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5828 meta WORD_INVIS __WORD_INVIS_MINFP && !WORD_INVIS_MANY
5829 describe WORD_INVIS A hidden word
5830# score WORD_INVIS 3.000 # limit
5831 tflags WORD_INVIS publish
5832endif
5833##} WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5834
5835##{ WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5836
5837if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5838 meta WORD_INVIS_MANY __WORD_INVIS_2
5839 describe WORD_INVIS_MANY Multiple individual hidden words
5840# score WORD_INVIS_MANY 3.000 # limit
5841 tflags WORD_INVIS_MANY publish
5842endif
5843##} WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5844
151f49fd
SI
5845##{ XFER_LOTSA_MONEY
5846
5847meta XFER_LOTSA_MONEY __XFER_LOTSA_MONEY && !__VIA_ML && !__HAS_SENDER && !__SUBSCRIPTION_INFO
5848describe XFER_LOTSA_MONEY Transfer a lot of money
5849#score XFER_LOTSA_MONEY 1.000 # limit
5850##} XFER_LOTSA_MONEY
5851
b780ea8d
SI
5852##{ XM_DIGITS_ONLY
5853
5854meta XM_DIGITS_ONLY __XM_DIGITS_ONLY
5855describe XM_DIGITS_ONLY X-Mailer malformed
5856#score XM_DIGITS_ONLY 3.000 # limit
5857tflags XM_DIGITS_ONLY publish
5858##} XM_DIGITS_ONLY
5859
54c714b2
SI
5860##{ XM_LIGHT_HEAVY
5861
5862meta XM_LIGHT_HEAVY __XM_LIGHT_HEAVY && !__HAS_X_BEEN_THERE
5863describe XM_LIGHT_HEAVY Special edition of a MUA
5864#score XM_LIGHT_HEAVY 2.500 # limit
5865##} XM_LIGHT_HEAVY
5866
b780ea8d
SI
5867##{ XM_PHPMAILER_FORGED
5868
5869meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED
5870describe XM_PHPMAILER_FORGED Apparently forged header
5871tflags XM_PHPMAILER_FORGED publish
5872##} XM_PHPMAILER_FORGED
5873
5874##{ XM_RANDOM
5875
46cfc9e2 5876meta XM_RANDOM __XM_RANDOM && !__STY_INVIS_3 && !__HAS_IN_REPLY_TO && !__XM_UC_ONLY && !__XM_ASPQMAIL && !__XM_VERY_LONG
b780ea8d 5877describe XM_RANDOM X-Mailer apparently random
46cfc9e2 5878#score XM_RANDOM 2.500 # limit
b780ea8d
SI
5879tflags XM_RANDOM publish
5880##} XM_RANDOM
5881
151f49fd
SI
5882##{ XM_RECPTID
5883
5884meta XM_RECPTID __HAS_XM_RECPTID && !__TAG_EXISTS_SCRIPT && !__REPLYTO_NOREPLY && !__ENVFROM_AMAZONSES && !__DOS_DIRECT_TO_MX && !__FRAUD_PTX
5885describe XM_RECPTID Has spammy message header
5886#score XM_RECPTID 3.000 # limit
5887##} XM_RECPTID
5888
b780ea8d
SI
5889##{ XPRIO
5890
5891describe XPRIO Has X-Priority header
5892#score XPRIO 2.250 # limit
5893tflags XPRIO publish
5894##} XPRIO
5895
5896##{ XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM)
5897
5898if !plugin(Mail::SpamAssassin::Plugin::DKIM)
5899 meta XPRIO __XPRIO_MINFP
5900endif
5901##} XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM)
5902
5903##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM
5904
5905ifplugin Mail::SpamAssassin::Plugin::DKIM
5906 tflags XPRIO net
5907endif
5908##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM
5909
5910##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF)
5911
# XPRIO variant used when the DKIM plugin is loaded and the SPF plugin is not.
# The DKIM+SPF variant that follows is the same expression plus !SPF_PASS,
# and the no-DKIM variant earlier in the file is just __XPRIO_MINFP.
# NOTE(review): DKIM_SIGNED is the stock rule for "a signature is present,
# not necessarily valid". With !DKIM_SIGNED in the conjunction the rule is
# suppressed for every signed message, and the !DKIM_VALID / !DKIM_VALID_AU
# terms cannot change the outcome. If the intent is to exempt only mail that
# authenticated, raise that upstream. Do not edit this file locally.
5912ifplugin Mail::SpamAssassin::Plugin::DKIM
5913if !plugin(Mail::SpamAssassin::Plugin::SPF)
31955ede 5914 meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE
b780ea8d
SI
5915endif
5916endif
5917##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF)
5918
5919##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF
5920
5921ifplugin Mail::SpamAssassin::Plugin::DKIM
5922 ifplugin Mail::SpamAssassin::Plugin::SPF
31955ede 5923 meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS
b780ea8d
SI
5924endif
5925endif
5926##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF
5927
5928##{ XPRIO_SHORT_SUBJ
5929
5930meta XPRIO_SHORT_SUBJ __XPRIO_SHORT_SUBJ && !__MSM_PRIO_REPTO && !ALL_TRUSTED && !__DKIM_EXISTS && !__RELAY_THRU_WWW && !__CTYPE_HAS_BOUNDARY && !__RCD_RDNS_MTA && !__HAS_HREF
5931describe XPRIO_SHORT_SUBJ Has X Priority header + short subject
5932#score XPRIO_SHORT_SUBJ 2.500 # limit
5933tflags XPRIO_SHORT_SUBJ publish
5934##} XPRIO_SHORT_SUBJ
5935
151f49fd
SI
5936##{ XPRIO_VISTA
5937
5938meta XPRIO_VISTA __XPRIO_VISTA && !__BITCOIN && !__TO_TOO_MANY
5939describe XPRIO_VISTA X-Priority + old MSFT msgid format
5940#score XPRIO_VISTA 2.500 # limit
5941tflags XPRIO_VISTA publish
5942##} XPRIO_VISTA
5943
b780ea8d
SI
5944##{ X_MAILER_CME_6543_MSN
5945
# Header rule: the X-Mailer value must be exactly "CME-V6.5.4.3; MSN",
# allowing only trailing whitespace. The match is case-sensitive and anchored
# at both ends.
# No describe, score or tflags line is present in this section.
5946header X_MAILER_CME_6543_MSN X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/
5947##} X_MAILER_CME_6543_MSN
5948
b780ea8d
SI
5949##{ YOU_INHERIT
5950
5951meta YOU_INHERIT __YOU_INHERIT
5952describe YOU_INHERIT Discussing your inheritance
5953##} YOU_INHERIT
5954
5955##{ bayes_ignore_header_sandbox
5956
21dcadbf
SI
5957bayes_ignore_header ARC-Authentication-Results
5958bayes_ignore_header ARC-Message-Signature
5959bayes_ignore_header ARC-Seal
5960bayes_ignore_header Authentication-Results
5961bayes_ignore_header Auto-Submitted
5962bayes_ignore_header Autocrypt
5963bayes_ignore_header CTCH-SenderID-TotalSpam
5964bayes_ignore_header IronPort-SDR
5965bayes_ignore_header List-Archive
5966bayes_ignore_header List-Help
5967bayes_ignore_header List-Id
5968bayes_ignore_header List-Post
5969bayes_ignore_header List-Subscribe
5970bayes_ignore_header List-Unsubscribe
5971bayes_ignore_header Mailing-List
5972bayes_ignore_header Precedence
5973bayes_ignore_header Received-SPF
5974bayes_ignore_header suggested_attachment_session_id
b780ea8d
SI
5975bayes_ignore_header X-ACL-Warn
5976bayes_ignore_header X-Alimail-AntiSpam
5977bayes_ignore_header X-Amavis-Modified
5978bayes_ignore_header X-Anti-Spam
5979bayes_ignore_header X-Anti-Virus
5980bayes_ignore_header X-Anti-Virus-Version
5981bayes_ignore_header X-AntiAbuse
5982bayes_ignore_header X-Antispam
5983bayes_ignore_header X-Antivirus
5984bayes_ignore_header X-Antivirus-Code
5985bayes_ignore_header X-Antivirus-Status
5986bayes_ignore_header X-Antivirus-Version
5987bayes_ignore_header x-aol-global-disposition
5988bayes_ignore_header X-ASF-Spam-Status
5989bayes_ignore_header X-ASG-Debug-ID
5990bayes_ignore_header X-ASG-Orig-Subj
5991bayes_ignore_header X-ASG-Recipient-Whitelist
5992bayes_ignore_header X-ASG-Tag
5993bayes_ignore_header X-Assp-Version
21dcadbf 5994bayes_ignore_header X-Attachment-Id
5995bayes_ignore_header X-Authority-Analysis
5996bayes_ignore_header X-Authvirus
5997bayes_ignore_header X-Auto-Response-Suppress
5998bayes_ignore_header X-AV-Do-Run
5999bayes_ignore_header X-AV-Status
6000bayes_ignore_header x-avast-antispam
6001bayes_ignore_header X-Backend
6002bayes_ignore_header X-Barracuda-Apparent-Source-IP
6003bayes_ignore_header X-Barracuda-Bayes
6004bayes_ignore_header X-Barracuda-BBL-IP
6005bayes_ignore_header X-Barracuda-BRTS-Status
6006bayes_ignore_header X-Barracuda-BRTS-URL-Found
6007bayes_ignore_header X-Barracuda-Connect
6008bayes_ignore_header X-Barracuda-Encrypted
6009bayes_ignore_header X-Barracuda-Envelope-From
6010bayes_ignore_header X-Barracuda-Fingerprint-Found
6011bayes_ignore_header X-Barracuda-Orig-Rcpt
6012bayes_ignore_header X-Barracuda-RBL-IP
6013bayes_ignore_header X-Barracuda-RBL-Trusted-Forwarder
6014bayes_ignore_header X-Barracuda-Spam-Report
6015bayes_ignore_header X-Barracuda-Spam-Score
6016bayes_ignore_header X-Barracuda-Spam-Status
6017bayes_ignore_header X-Barracuda-Start-Time
6018bayes_ignore_header X-Barracuda-UID
6019bayes_ignore_header X-Barracuda-URL
6020bayes_ignore_header X-Barracuda-Virus-Alert
6021bayes_ignore_header X-Bayes-Prob
6022bayes_ignore_header X-Bayesian-Result
21dcadbf 6023bayes_ignore_header X-BeenThere
6024bayes_ignore_header X-BitDefender-Spam
6025bayes_ignore_header X-BitDefender-SpamStamp
6026bayes_ignore_header X-BL
6027bayes_ignore_header X-Bogosity
6028bayes_ignore_header X-Boxtrapper
6029bayes_ignore_header X-Brightmail-Tracker
6030bayes_ignore_header X-BTI-AntiSpam
6031bayes_ignore_header X-Bugzilla-Version
6032bayes_ignore_header X-CanIt-Geo
6033bayes_ignore_header X-Canit-Stats-ID
6034bayes_ignore_header X-CanItPRO-Stream
6035bayes_ignore_header X-Clapf-spamicity
21dcadbf 6036bayes_ignore_header X-ClientProxiedBy
6037bayes_ignore_header X-Cloud-Security
6038bayes_ignore_header X-CM-Score
6039bayes_ignore_header X-CMAE-Analysis
6040bayes_ignore_header X-CMAE-Match
6041bayes_ignore_header X-CMAE-Score
6042bayes_ignore_header X-CMAE-Verdict
6043bayes_ignore_header X-CNFS-Analysis
6044bayes_ignore_header X-Company
21dcadbf 6045bayes_ignore_header X-Complaints-To
6046bayes_ignore_header X-Coremail-Antispam
6047bayes_ignore_header X-CRM114-CacheID
6048bayes_ignore_header X-CRM114-Status
6049bayes_ignore_header X-CRM114-Version
6050bayes_ignore_header X-CT-Spam
6051bayes_ignore_header X-CTCH-SenderID
6052bayes_ignore_header X-CTCH-SenderID-TotalBulk
6053bayes_ignore_header X-CTCH-SenderID-TotalConfirmed
6054bayes_ignore_header X-CTCH-SenderID-TotalMessages
6055bayes_ignore_header X-CTCH-SenderID-TotalRecipients
6056bayes_ignore_header X-CTCH-SenderID-TotalSpam
6057bayes_ignore_header X-CTCH-SenderID-TotalSuspected
6058bayes_ignore_header X-CTCH-SenderID-TotalVirus
6059bayes_ignore_header X-CTCH-Spam
6060bayes_ignore_header X-CTCH-VOD
21dcadbf 6061bayes_ignore_header X-Delivered-To
6062bayes_ignore_header X-Drweb-SpamState
6063bayes_ignore_header X-DSPAM-Confidence
6064bayes_ignore_header X-DSPAM-Factors
6065bayes_ignore_header X-DSPAM-Improbability
6066bayes_ignore_header X-DSPAM-Probability
6067bayes_ignore_header X-DSPAM-Processed
6068bayes_ignore_header X-DSPAM-Result
6069bayes_ignore_header X-DSPAM-Signature
6070bayes_ignore_header x-eavas
6071bayes_ignore_header x-eavas-action
6072bayes_ignore_header x-eavas-eavasid
6073bayes_ignore_header X-Enigmail-Version
6074bayes_ignore_header X-EsetId
6075bayes_ignore_header X-EsetResult
6076bayes_ignore_header X-Exchange-Antispam-Report
21dcadbf 6077bayes_ignore_header X-Exchange-Antispam-Report-CFA-Test
6078bayes_ignore_header X-ExtloopSabreCommercials1
6079bayes_ignore_header X-EYOU-SPAMVALUE
6080bayes_ignore_header X-FB-OUTBOUND-SPAM
6081bayes_ignore_header X-FEAS-SBL
6082bayes_ignore_header X-FILTER-SCORE
6083bayes_ignore_header X-Forefront-Antispam-Report
21dcadbf 6084bayes_ignore_header X-Forefront-Antispam-Report-Untrusted
b780ea8d 6085bayes_ignore_header X-Forefront-PRVS
21dcadbf 6086bayes_ignore_header X-Freemail-From
6087bayes_ignore_header X-Fuglu-Spamstatus
6088bayes_ignore_header X-Fuglu-Suspect
6089bayes_ignore_header X-getmail-filter-classifier
6090bayes_ignore_header X-GFIME-MASPAM
21dcadbf 6091bayes_ignore_header X-Gm-Message-State
6092bayes_ignore_header X-Gmane-NNTP-Posting-Host
6093bayes_ignore_header X-GMX-Antispam
6094bayes_ignore_header X-GMX-Antivirus
21dcadbf 6095bayes_ignore_header X-Google-DKIM-Signature
6096bayes_ignore_header X-He-Spam
6097bayes_ignore_header X-hMailServer-Spam
6098bayes_ignore_header X-IAS
6099bayes_ignore_header X-iGspam-global
6100bayes_ignore_header X-Injected-Via-Gmane
6101bayes_ignore_header X-Interia-Antivirus
6102bayes_ignore_header X-IP-Spam-Verdict
6103bayes_ignore_header X-Ironport
6104bayes_ignore_header X-IronPort-Anti-Spam-Filtered
6105bayes_ignore_header X-IronPort-Anti-Spam-Result
6106bayes_ignore_header X-IronPort-AV
6107bayes_ignore_header X-Ironport-HAT
6108bayes_ignore_header X-Ironport-HOSTNAME
6109bayes_ignore_header X-Ironport-LNR
6110bayes_ignore_header X-Ironport-MessageFilter
6111bayes_ignore_header X-Ironport-MFP
6112bayes_ignore_header X-Ironport-MID
6113bayes_ignore_header X-IronPort-Outgoing-Antispam
6114bayes_ignore_header X-Ironport-RIF
6115bayes_ignore_header X-Ironport-SBRS
6116bayes_ignore_header X-Ironport-SENDER
6117bayes_ignore_header X-Ironport-SUBJECT
6118bayes_ignore_header X-Junk-Score
6119bayes_ignore_header X-Junkmail
21dcadbf 6120bayes_ignore_header X-Klms-Anti
6121bayes_ignore_header X-KLMS-AntiPhishing
6122bayes_ignore_header X-Klms-Antispam
6123bayes_ignore_header X-KLMS-AntiSpam-Info
6124bayes_ignore_header X-KLMS-AntiSpam-Interceptor-Info
6125bayes_ignore_header X-KLMS-AntiSpam-Lua-Profiles
6126bayes_ignore_header X-KLMS-AntiSpam-Method
6127bayes_ignore_header X-KLMS-AntiSpam-Moebius-Timestamps
6128bayes_ignore_header X-KLMS-AntiSpam-Rate
6129bayes_ignore_header X-KLMS-AntiSpam-Status
6130bayes_ignore_header X-KLMS-AntiSpam-Version
6131bayes_ignore_header X-KLMS-AntiVirus
6132bayes_ignore_header X-KLMS-AntiVirus-Status
6133bayes_ignore_header X-KLMS-Message-Action
6134bayes_ignore_header X-KLMS-Rule-ID
6135bayes_ignore_header X-KMail-EncryptionState
6136bayes_ignore_header X-KMail-MDN-Sent
6137bayes_ignore_header X-KMail-SignatureState
6138bayes_ignore_header X-Kse-Anti
6139bayes_ignore_header X-Loom-IP
# NOTE(review): "X-MailCleaner-SpamChec" looks like a truncated spelling of the
# entry that follows it. The full name is listed on the next line, so coverage
# of X-MailCleaner-SpamCheck does not depend on this one; confirm whether the
# short form is intentional.
6140bayes_ignore_header X-MailCleaner-SpamChec
6141bayes_ignore_header X-MailCleaner-SpamCheck
6142bayes_ignore_header X-MailFoundry
6143bayes_ignore_header X-Mailman-Version
6144bayes_ignore_header X-MDAV-Processed
6145bayes_ignore_header X-MDMailLookup-Result
6146bayes_ignore_header X-ME-Bayesian
6147bayes_ignore_header X-ME-Content
6148bayes_ignore_header X-MessageFilter
6149bayes_ignore_header x-microsoft-antispam
6150bayes_ignore_header X-Microsoft-Antispam-Message-Info
6151bayes_ignore_header X-Microsoft-Antispam-Message-Info-Original
6152bayes_ignore_header X-Microsoft-Antispam-Untrusted
6153bayes_ignore_header X-Microsoft-Exchange-Diagnostics
b780ea8d 6154bayes_ignore_header X-Mlf-Version
6155bayes_ignore_header X-Mozilla-Keys
6156bayes_ignore_header X-Mozilla-Status
6157bayes_ignore_header X-Mozilla-Status2
6158bayes_ignore_header x-ms-exchange-antispam-messagedata
6159bayes_ignore_header x-ms-exchange-antispam-messagedata-0
6160bayes_ignore_header X-MS-Exchange-CrossTenant-AuthAs
6161bayes_ignore_header X-MS-Exchange-CrossTenant-AuthSource
6162bayes_ignore_header X-MS-Exchange-CrossTenant-FromEntityHeader
6163bayes_ignore_header x-ms-exchange-crosstenant-id
6164bayes_ignore_header x-ms-exchange-crosstenant-network-message-id
6165bayes_ignore_header X-MS-Exchange-CrossTenant-OriginalArrivalTime
6166bayes_ignore_header x-ms-exchange-crosstenant-rms-persistedconsumerorg
6167bayes_ignore_header X-MS-Exchange-CrossTenant-userprincipalname
6168bayes_ignore_header x-ms-exchange-slblob-mailprops
6169bayes_ignore_header X-MS-Exchange-Transport-CrossTenantHeadersStamped
6170bayes_ignore_header x-ms-office365-filtering-correlation-id
6171bayes_ignore_header X-MS-TrafficTypeDiagnostic
6172bayes_ignore_header X-MSFBL
6173bayes_ignore_header X-MSMail-Priority
6174bayes_ignore_header X-MXScan-AntiSpam
6175bayes_ignore_header X-MXScan-AntiVirus
6176bayes_ignore_header X-MXScan-Country-Sequence
6177bayes_ignore_header X-MXScan-License
6178bayes_ignore_header X-MXScan-Msgid
6179bayes_ignore_header X-MXScan-ProcessingTime
6180bayes_ignore_header X-MXScan-Scan
6181bayes_ignore_header X-NAI-Spam-Flag
6182bayes_ignore_header X-NAI-Spam-Rules
6183bayes_ignore_header X-NAI-Spam-Score
6184bayes_ignore_header X-NAI-Spam-Threshold
6185bayes_ignore_header X-NetStation-Status
6186bayes_ignore_header X-No-Relay
6187bayes_ignore_header X-OriginatorOrg
6188bayes_ignore_header X-OVH-SPAMCAUSE
# NOTE(review): the next entry repeats X-OVH-SPAMCAUSE with a trailing colon.
# A header field name does not include the colon, so this spelling presumably
# never matches anything; the line above already covers the header. Confirm
# and report upstream rather than editing this generated file.
6189bayes_ignore_header X-OVH-SPAMCAUSE:
6190bayes_ignore_header X-OVH-SPAMSCORE
6191bayes_ignore_header X-OVH-SPAMSTATE
6192bayes_ignore_header X-PerlMx-Spam
6193bayes_ignore_header X-PerlMx-Virus-Scanned
6194bayes_ignore_header X-PFSI-Info
6195bayes_ignore_header X-PMX-Spam
6196bayes_ignore_header X-PMX-Version
6197bayes_ignore_header X-Policy-Service
6198bayes_ignore_header X-policyd-weight
6199bayes_ignore_header X-PreRBLs
6200bayes_ignore_header X-Probable-Spam
6201bayes_ignore_header X-PROLinux-SpamCheck
6202bayes_ignore_header X-Proofpoint-Spam-Reason
6203bayes_ignore_header X-Proofpoint-Virus-Version
21dcadbf 6204bayes_ignore_header X-Provags-ID
# NOTE(review): the next line carries a colon and a value ("clean") after the
# header name. bayes_ignore_header takes header names, so this presumably does
# not ignore x-purgate-eavas as intended, and no plain "x-purgate-eavas" entry
# appears next to it. Verify against Mail::SpamAssassin::Conf and report
# upstream.
6205bayes_ignore_header x-purgate-eavas: clean
6206bayes_ignore_header x-purgate-id
6207bayes_ignore_header x-purgate-size
6208bayes_ignore_header x-purgate-type
6209bayes_ignore_header X-Qmail-Scanner-Diagnostics
6210bayes_ignore_header X-Qmail-Scanner-MOVED-X-Spam-Status
6211bayes_ignore_header X-Quarantine-ID
21dcadbf 6212bayes_ignore_header X-Received
6213bayes_ignore_header X-RSpam-Report
6214bayes_ignore_header X-SA-Do-Not-Run
6215bayes_ignore_header X-SA-Exim-Version
6216bayes_ignore_header X-Scanned-by
6217bayes_ignore_header X-ServerMaster-MailScanner
6218bayes_ignore_header X-SG-EID
6219bayes_ignore_header X-SG-ID
6220bayes_ignore_header X-SmarterMail-CustomSpamHeader
6221bayes_ignore_header X-Spam
6222bayes_ignore_header X-Spam-Action
6223bayes_ignore_header X-SPAM-AISP
6224bayes_ignore_header X-Spam-Check-By
6225bayes_ignore_header X-Spam-Checker-Version
6226bayes_ignore_header X-Spam-CMAE-Analysis
6227bayes_ignore_header X-Spam-CMAESCORE
6228bayes_ignore_header X-Spam-CTCH-RefID
6229bayes_ignore_header X-Spam-Flag
6230bayes_ignore_header X-Spam-Level
6231bayes_ignore_header X-Spam-Processed
6232bayes_ignore_header X-Spam-Report
6233bayes_ignore_header X-Spam-Scanned
6234bayes_ignore_header X-Spam-Score
6235bayes_ignore_header X-Spam-Score-Int
6236bayes_ignore_header X-Spam-SmartLearn
6237bayes_ignore_header X-Spam-Status
6238bayes_ignore_header X-Spam-Threshold
6239bayes_ignore_header X-Spam_bar
6240bayes_ignore_header X-Spambayes-Classification
6241bayes_ignore_header X-SpamExperts-Domain
6242bayes_ignore_header X-SpamExperts-Outgoing-Class
6243bayes_ignore_header X-SpamExperts-Outgoing-Evidence
6244bayes_ignore_header X-SpamExperts-Username
6245bayes_ignore_header X-Spamfilter-host
6246bayes_ignore_header X-Spamina-Bogosity
6247bayes_ignore_header X-Spamina-Spam-Report
6248bayes_ignore_header X-Spamina-Spam-Score
6249bayes_ignore_header X-SpamInfo
6250bayes_ignore_header X-Spamsave
6251bayes_ignore_header X-SpamTest-Group-ID
6252bayes_ignore_header X-SpamTest-Info
6253bayes_ignore_header X-SpamTest-Method
6254bayes_ignore_header X-SpamTest-Rate
6255bayes_ignore_header X-SpamTest-SPF
6256bayes_ignore_header X-SpamTest-Status
6257bayes_ignore_header X-SpamTest-Status-Extended
6258bayes_ignore_header X-SPF-Scan-By
6259bayes_ignore_header X-STA-Metric
6260bayes_ignore_header X-STA-NotSpam
6261bayes_ignore_header X-STA-Spam
6262bayes_ignore_header X-StarScan-Version
6263bayes_ignore_header X-SurGATE-Result
6264bayes_ignore_header X-SWITCHham-Score
6265bayes_ignore_header X-UI-Filterresults
6266bayes_ignore_header X-UI-Loop
6267bayes_ignore_header X-UI-Out-Filterresults
6268bayes_ignore_header X-Univie-Spam-Checker-Version
6269bayes_ignore_header X-Univie-Virus-Scan
6270bayes_ignore_header X-Virus
6271bayes_ignore_header X-Virus-Checker-Version
6272bayes_ignore_header X-Virus-Scanned
6273bayes_ignore_header X-Virus-Scanner-Result
6274bayes_ignore_header X-Virus-Scanner-Version
6275bayes_ignore_header X-Virus-Status
6276bayes_ignore_header X-VirusChecked
6277bayes_ignore_header X-VR-SCORE
6278bayes_ignore_header X-VR-SPAMCAUSE
6279bayes_ignore_header X-VR-STATUS
6280bayes_ignore_header X-WatchGuard-Mail-Client-IP
6281bayes_ignore_header X-WatchGuard-Mail-From
6282bayes_ignore_header X-WatchGuard-Mail-Recipients
6283bayes_ignore_header X-WatchGuard-Spam-ID
6284bayes_ignore_header X-WatchGuard-Spam-Score
6285bayes_ignore_header X-Whitelist-Domain
6286bayes_ignore_header X-WUM-CCI
6287bayes_ignore_header X_CMAE_Category
6288##} bayes_ignore_header_sandbox
6289
6290##{ if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
6291
# Active only on SpamAssassin 3.4.1 or later with the AskDNS plugin loaded.
6292if (version >= 3.004001)
6293ifplugin Mail::SpamAssassin::Plugin::AskDNS
# Each askdns line below queries <_AUTHORDOMAIN_>.fresh.fmb.la for an A record
# and sets its sub-rule on one exact answer. Judging by the rule names, the
# first three answers grade how recently the domain appeared and
# 127.255.255.255 signals that the querying resolver is blocked; confirm
# against the list operator's documentation.
# The queried name is built from the message, so each scan discloses the
# author domain to the resolver path and to the zone's name servers.
6294askdns __FROM_FMBLA_NEWDOM _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/
6295askdns __FROM_FMBLA_NEWDOM14 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.14$/
6296askdns __FROM_FMBLA_NEWDOM28 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.28$/
6297askdns __FROM_FMBLA_NDBLOCKED _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.255\.255\.255$/
# The reuse lines name rules defined outside this block; per
# Mail::SpamAssassin::Conf, reuse marks a rule so that mass-check can take its
# result from an earlier scan instead of repeating the lookup.
6298reuse FROM_FMBLA_NEWDOM
6299reuse FROM_FMBLA_NEWDOM14
6300reuse FROM_FMBLA_NEWDOM28
6301reuse FROM_FMBLA_NDBLOCKED
6302reuse __PDS_NEWDOMAIN
6303reuse FROM_NUMBERO_NEWDOMAIN
6304reuse FROM_NEWDOM_BTC
# Fetches TXT records for _SENDERDOMAIN_ and fires when one is exactly
# "v=spf1 +all", an SPF policy that authorises every host to send for the
# domain, so an SPF pass under it says nothing about the sender.
6305askdns __PDS_SPF_ONLYALL _SENDERDOMAIN_ TXT /^v=spf1 \+all$/
6306reuse BITCOIN_SPF_ONLYALL
6307endif
6308endif
6309##} if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
6310
6311##{ if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox
6312
# Active only on SpamAssassin 3.4.2 or later with the WLBLEval plugin loaded.
6313if (version >= 3.004002)
6314ifplugin Mail::SpamAssassin::Plugin::WLBLEval
# enlist_addrlist appends address globs to a named list. The lists are data
# only: the rules that consult them are defined outside this block and appear
# here only in reuse lines.
# A glob such as *@paypal.com does not cover subdomains, which is why the
# third PAYPAL line adds *@*.paypal.com and *@*.paypal.co.uk separately; the
# other PAYPAL domains have no subdomain glob.
# NOTE(review): *@paypal.de appears on both of the first two PAYPAL lines; the
# repeat is redundant.
6315enlist_addrlist (PAYPAL) *@paypal.com *@paypal.co.uk *@paypal.de *@paypal.com.au *@paypal.it
6316enlist_addrlist (PAYPAL) *@paypal.es *@paypal.fr *@paypal.de *@paypal.com.hk
6317enlist_addrlist (PAYPAL) *@*.paypal.com *@*.paypal.co.uk
6318reuse __FROM_ADDRLIST_PAYPAL
6319reuse FROM_PAYPAL_SPOOF
# BANKS: exact-domain globs only, no subdomain forms. A From address is
# sender-controlled, so a list match alone proves nothing; judging by the name
# FROM_BANK_NOAUTH the consuming rule pairs it with authentication results.
# Confirm in that rule's definition.
6320enlist_addrlist (BANKS) *@abbey.co.uk *@abbey.com *@abbeyinternational.com *@abbeyinternational.co.uk *@abbeynational.com *@abbeynational.co.uk
6321enlist_addrlist (BANKS) *@allianceleicester.com *@allianceleicester.co.uk *@alliance-leicester.com *@alliance-leicester.co.uk
6322enlist_addrlist (BANKS) *@bankofamerica.com *@bankofamerica.co.uk
6323enlist_addrlist (BANKS) *@barclaycard.com *@barclays.com
6324enlist_addrlist (BANKS) *@citibank.com
6325enlist_addrlist (BANKS) *@firstdirect.com *@firstdirect.co.uk
6326enlist_addrlist (BANKS) *@halifax.com *@halifax.co.uk *@halifax-online.co.uk *@halifax-online.com
6327enlist_addrlist (BANKS) *@hbos.com *@hbos.co.uk
6328enlist_addrlist (BANKS) *@hsbc.com *@hsbc.co.uk *@hsbc.hk *@hsbcgroup.com *@hsbcgroup.co.uk
6329enlist_addrlist (BANKS) *@lloydstsb.com *@lloydstsb.co.uk *@lloyds.com
6330enlist_addrlist (BANKS) *@mbna.com
6331enlist_addrlist (BANKS) *@nationwide.com *@nationwide.co.uk
6332enlist_addrlist (BANKS) *@natwest.com *@natwest.co.uk
6333enlist_addrlist (BANKS) *@santander.com *@santander.co.uk
6334enlist_addrlist (BANKS) *@standardbank.co.za
6335enlist_addrlist (BANKS) *@ybonline.co.uk *@ybonline.com
6336reuse __FROM_ADDRLIST_BANKS
6337reuse FROM_BANK_NOAUTH
# GOV: any address under .gov or .gov.uk, plus parliament.uk and its
# subdomains.
6338enlist_addrlist (GOV) *@*.gov
6339enlist_addrlist (GOV) *@*.gov.uk *@parliament.uk *@*.parliament.uk
6340reuse __FROM_ADDRLIST_GOV
6341reuse FROM_GOV_SPOOF
6342reuse FROM_GOV_DKIM_AU
6343reuse FROM_GOV_REPLYTO_FREEMAIL
# SUSP_NTLD: one glob per top-level domain, matching any address whose domain
# ends in that TLD. The list continues past this point.
6344enlist_addrlist (SUSP_NTLD) *@*.icu
6345enlist_addrlist (SUSP_NTLD) *@*.online
6346enlist_addrlist (SUSP_NTLD) *@*.work
6347enlist_addrlist (SUSP_NTLD) *@*.date
6348enlist_addrlist (SUSP_NTLD) *@*.top
6349enlist_addrlist (SUSP_NTLD) *@*.fun
6350enlist_addrlist (SUSP_NTLD) *@*.life
6351enlist_addrlist (SUSP_NTLD) *@*.review
6352enlist_addrlist (SUSP_NTLD) *@*.bid
6353enlist_addrlist (SUSP_NTLD) *@*.stream
6354enlist_addrlist (SUSP_NTLD) *@*.gdn
6355enlist_addrlist (SUSP_NTLD) *@*.click
6356enlist_addrlist (SUSP_NTLD) *@*.world
6357enlist_addrlist (SUSP_NTLD) *@*.fit
6358enlist_addrlist (SUSP_NTLD) *@*.ooo
6359enlist_addrlist (SUSP_NTLD) *@*.faith
6360enlist_addrlist (SUSP_NTLD) *@*.buzz
6361enlist_addrlist (SUSP_NTLD) *@*.trade
6362enlist_addrlist (SUSP_NTLD) *@*.cyou
6363enlist_addrlist (SUSP_NTLD) *@*.vip
6364enlist_uri_host (SUSP_URI_NTLD) icu
6365enlist_uri_host (SUSP_URI_NTLD) online
6366enlist_uri_host (SUSP_URI_NTLD) work
6367enlist_uri_host (SUSP_URI_NTLD) date
6368enlist_uri_host (SUSP_URI_NTLD) top
6369enlist_uri_host (SUSP_URI_NTLD) fun
6370enlist_uri_host (SUSP_URI_NTLD) life
6371enlist_uri_host (SUSP_URI_NTLD) review
6372enlist_uri_host (SUSP_URI_NTLD) bid
6373enlist_uri_host (SUSP_URI_NTLD) stream
# Remainder of the SUSP_URI_NTLD list: bare top-level domains, presumably
# matching any URI host under that TLD (confirm against the enlist_uri_host
# documentation). The TLDs are the same ones the SUSP_NTLD address list uses
# earlier in this section.
6374enlist_uri_host (SUSP_URI_NTLD) gdn
6375enlist_uri_host (SUSP_URI_NTLD) click
6376enlist_uri_host (SUSP_URI_NTLD) world
6377enlist_uri_host (SUSP_URI_NTLD) fit
6378enlist_uri_host (SUSP_URI_NTLD) ooo
6379enlist_uri_host (SUSP_URI_NTLD) faith
6380enlist_uri_host (SUSP_URI_NTLD) buzz
6381enlist_uri_host (SUSP_URI_NTLD) trade
6382enlist_uri_host (SUSP_URI_NTLD) cyou
6383enlist_uri_host (SUSP_URI_NTLD) vip
# "pro" is kept in its own list and has no counterpart in the SUSP_NTLD
# address list.
6384enlist_uri_host (SUSP_URI_NTLD_PRO) pro
# The rules that consult these lists are defined outside this block.
6385reuse __FROM_ADDRLIST_SUSPNTLD
6386reuse __REPLYTO_ADDRLIST_SUSPNTLD
6387reuse FROM_SUSPICIOUS_NTLD
6388reuse GOOGLE_DRIVE_REPLY_BAD_NTLD
6389reuse VPS_NO_NTLD
6390endif
6391endif
6392##} if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox
6393
6394##{ if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox
6395
6396if (version >= 3.004003)
6397 ifplugin Mail::SpamAssassin::Plugin::HashBL
# Sets GB_HASHBL_BTC to priority -100. SpamAssassin runs rules in increasing
# priority order, so this schedules the rule ahead of default-priority (0)
# rules, presumably to start the HashBL lookup early. The rule itself is
# defined outside this block.
6398 priority GB_HASHBL_BTC -100
6399 reuse GB_HASHBL_BTC
6400endif
6401endif
6402##} if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox
6403
6404##{ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6405
# Enabled only when the running SpamAssassin reports feature_bug6558_free and
# the ReplaceTags plugin is loaded.
6406if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
6407 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
# lcase_e matches a plain "e" or the UTF-8 byte sequence of a look-alike
# letter (accented Latin, Greek, Cyrillic), so a rule that uses the tag still
# hits text where "e" was swapped for a homoglyph.
# NOTE(review): in \xd3[\x07\xa9\xab] the byte \x07 is not a UTF-8
# continuation byte (those are \x80-\xbf), so that alternative cannot occur in
# well-formed UTF-8; it may be a typo for \x97. Likewise \xc8\x80 encodes
# U+0200, a capital A with double grave, which is not an "e" look-alike.
# Confirm both upstream.
6408 replace_tag lcase_e (?:e|\xc3[\xa8\xa9\xaa\xab]|\xc4[\x93\x95\x97\x99\x9b]|\xc8[\x85\x87\x80]|\xcf\xb5|\xd0\xb5|\xd1[\x90\x91\x94\xb3]|\xd2[\xbc\xbd\xbe\xbf]|\xd3[\x07\xa9\xab])
6409 replace_rules __E_LIKE_LETTER
6410endif
6411endif
6412##} if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6413
6414##{ ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
6415
6416ifplugin Mail::SpamAssassin::Plugin::AskDNS
# Every __DKIMWL_* line queries <_DKIMDOMAIN_>.lookup.dkimwl.org for an A
# record and classifies the answer by octet: the third octet selects the
# mail-type sub-rules (3 = FREEMAIL, 2 = BULKMAIL), the fourth octet selects
# the reputation sub-rules (5, 4, 3, 0), and 127.255.255.255 sets
# __DKIMWL_BLOCKED. One answer can set a mail-type and a reputation sub-rule
# at the same time.
# Whether _DKIMDOMAIN_ is filled only from signatures that verified is decided
# by the DKIM plugin and is not shown here. Confirm before treating a hit as
# positive reputation.
6417askdns __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/
6418reuse __DKIMWL_FREEMAIL
6419askdns __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/
6420reuse __DKIMWL_BULKMAIL
6421askdns __DKIMWL_WL_HI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/
6422reuse __DKIMWL_WL_HI
6423askdns __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/
6424reuse __DKIMWL_WL_MEDHI
6425askdns __DKIMWL_WL_MED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/
6426reuse __DKIMWL_WL_MED
6427askdns __DKIMWL_WL_BL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/
6428reuse __DKIMWL_WL_BL
6429askdns __DKIMWL_BLOCKED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/
6430reuse __DKIMWL_BLOCKED
# The scored DKIMWL_* rules are defined outside this block.
6431reuse DKIMWL_WL_HIGH
6432reuse DKIMWL_WL_MEDHI
6433reuse DKIMWL_WL_MED
6434reuse DKIMWL_BL
6435reuse DKIMWL_BLOCKED
# Fires when the name in _LASTEXTERNALHELO_ resolves to any A record (/./
# accepts any non-empty answer). The HELO name is chosen by the connecting
# host, so this is a DNS lookup on a sender-supplied name.
6436askdns __HELO_DNS _LASTEXTERNALHELO_ A /./
6437endif
6438##} ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
6439
6440##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox
6441
# Only a reuse declaration lives in this block; RCVD_IN_PSBL itself is defined
# elsewhere and is declared here only when the DNSEval plugin is loaded.
6442ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
6443reuse RCVD_IN_PSBL
6444endif
6445##} ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox
6446
6447##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox
6448
# Reuse declarations for the RCVD_IN_IADB_* family, guarded by the DNSEval
# plugin. The rules, their DNS zone and their scores are defined outside this
# block; nothing here changes what a rule matches. The list continues past
# this point.
6449ifplugin Mail::SpamAssassin::Plugin::DNSEval
6450reuse RCVD_IN_IADB_LISTED
6451reuse RCVD_IN_IADB_EDDB
6452reuse RCVD_IN_IADB_EPIA
6453reuse RCVD_IN_IADB_SPF
6454reuse RCVD_IN_IADB_SENDERID
6455reuse RCVD_IN_IADB_DK
6456reuse RCVD_IN_IADB_RDNS
6457reuse RCVD_IN_IADB_GOODMAIL
6458reuse RCVD_IN_IADB_NOCONTROL
6459reuse RCVD_IN_IADB_OPTOUTONLY
6460reuse RCVD_IN_IADB_UNVERIFIED_1
6461reuse RCVD_IN_IADB_UNVERIFIED_2
6462reuse RCVD_IN_IADB_LOOSE
6463reuse RCVD_IN_IADB_OPTIN_LT50
6464reuse RCVD_IN_IADB_OPTIN_GT50
6465reuse RCVD_IN_IADB_OPTIN
6466reuse RCVD_IN_IADB_DOPTIN_LT50
6467reuse RCVD_IN_IADB_DOPTIN_GT50
6468reuse RCVD_IN_IADB_DOPTIN
6469reuse RCVD_IN_IADB_ML_DOPTIN
6470reuse RCVD_IN_IADB_OOO
6471reuse RCVD_IN_IADB_LEG_MAND
6472reuse RCVD_IN_IADB_COURT
6473reuse RCVD_IN_IADB_MI_CPEAR
6474reuse RCVD_IN_IADB_UT_CPEAR
6475reuse RCVD_IN_IADB_MI_CPR_30
6476reuse RCVD_IN_IADB_UT_CPR_30
6477reuse RCVD_IN_IADB_MI_CPR_MAT
6478reuse RCVD_IN_IADB_UT_CPR_MAT
6479endif
6480##} ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox
6481
6482##{ ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox
6483
# Settings for the FromNameSpoof plugin; the two __PLUGIN_FROMNAME_* rules it
# feeds are defined outside this block.
6484ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
# Domains the plugin is told to ignore on the basis of DKIM. Presumably the
# exemption applies only when the message carries a valid signature from the
# listed domain; confirm in the plugin documentation.
6485fns_ignore_dkim linkedin.com googlegroups.com yahoogroups.com yahoogroups.de
# NOTE(review): presumably exempts any message that carries a List-Id header.
# That header is set by the sender and, unlike the DKIM exemption above, is
# not tied to authentication, so confirm the exemption is acceptable for the
# deployment.
6486fns_ignore_headers List-Id
# Selects the plugin's comparison mode; the meaning of the value 1 is given in
# the plugin documentation and is not shown here.
6487fns_check 1
6488reuse __PLUGIN_FROMNAME_SPOOF
6489reuse __PLUGIN_FROMNAME_EQUALS_TO
6490endif
6491##} ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox
6492
6493##{ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6494
# With the ReplaceTags plugin loaded, replace_rules names the rules whose
# patterns have their <TAG> placeholders expanded before use. The rule
# patterns themselves are defined outside this block; a rule that is not
# listed keeps any placeholder as literal text.
6495ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
6496replace_rules T_FUZZY_SPRM
6497replace_rules FUZZY_MERIDIA
6498replace_rules TVD_FUZZY_PHARMACEUTICAL
6499replace_rules TVD_FUZZY_SYMBOL
6500replace_rules T_TVD_FUZZY_SECURITIES
6501replace_rules TVD_FUZZY_FINANCE
6502replace_rules TVD_FUZZY_FIXED_RATE
6503replace_rules TVD_FUZZY_MICROCAP
6504replace_rules T_TVD_FUZZY_SECTOR
6505replace_rules TVD_FUZZY_DEGREE
6506 replace_rules __COPY_PASTE_EN
# Building blocks for the __FILL_THIS_FORM_* rules: fragments that match the
# field labels of a "send us your details" form (line numbering, address,
# name, phone, personal data, loan, banking and identity-document fields).
# Tags nest: <ANDOR> and <NUMBER> are used inside later tags, and FF_ALL is
# the alternation of all field tags.
# Repetition is bounded throughout ({1,80}, {3,100}, {0,30}) instead of
# open-ended, which limits backtracking on hostile message bodies.
6507 replace_tag FF_LNNO (?:(?:\d{1,3}(?:[)}\]:.,]{1,80}|(?:st|nd|rd|th)[)}\]:.,]{0,3})|\W?\([\div]{1,5}\)|\W?\{\d{1,3}\}|\[\d{1,3}\]|\*{1,5}|\#{1,5}|\(?[A-K][)}\]:.,]{1,3})\s?)
6508 replace_tag FF_YOUR (?:a?\s?copy\sof\s)?(?:(?:your|din|seu|twoje)[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full(?:st[\xe4]ndigt)?\s?|complete\s|direct\s|private?\s|valid\s|personal\s|nuvarande\s|vollst[\xe4]ndige\s|aktuelle\s|pe\s(?:ne\s)?){0,3}
6509 replace_tag ANDOR (?:\s?[\/&+,]\s?|\sor\s|\sand?\s)
6510 replace_tag NUMBER (?:(?:ruf)?num(?:[bm]er)?\(?s?\)?|nos?\.|no\b|n[\xb0]|\#s?|nbrs?\.?)
6511 replace_tag FF_SUFFIX (?:\sin\s(?:full|words)|\scompleto)?:?(?:\s?[({][^)}]{1,30}[)}])?
# FF_BLANK1 / FF_BLANK2 match the blank to be filled in: runs of dashes,
# underscores, dots and similar, numeric HTML entities, or the UTF-8 ellipsis
# bytes \xe2\x80\xa6.
6512 replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){3,100}))
6513 replace_tag FF_BLANK2 (?:[^-=_.,:;*\w]{0,3}(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){1,100})
6514 replace_tag FF_A1 (?:(?:countr?y|city|province|ter+itory|(?:zip|post(?:al)?)(?:\s?code)?|st?ates?|ad+res+e?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))?
6515 replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail|bostads|wohn)<ANDOR>?){0,3}\s?(?:ad+res+[es]{0,2}|location|endere[\xe7]o)(?:\sline)?(?:\s[0-9])?
6516 replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|user|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:<ANDOR>ad+res+)?
6517 replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one?)?|(?:ph|f)one|private)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s?<NUMBER>)?<ANDOR>?){1,3}
6518 replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|(?:user )?email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)<ANDOR>?){1,3}
# NOTE(review): in FF_L1, "work(?:ing)" has no "?" after the group, so "work
# experience" is not matched, only "working experience". FF_F1 writes the
# optional form as "bank(?:ing)?", which suggests a dropped "?" here. Also
# "need(ed)?" is the only capturing group among these tags. Confirm upstream;
# either change alters what the rules match.
6519 replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?s?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf|zaw(?:=F3|[\xf3])d)
6520 replace_tag FF_F1 (?:(?:bank(?:ing)?|beneficiary|billing|acc(?:oun)?t|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|institution|a\/c|<NUMBER>)<ANDOR>?){1,3}
6521 replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(?:en[sc]e)?|pas+\s?port|id\scard|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?)<ANDOR>?){1,3}(?:\s<NUMBER>)?
6522 replace_tag FF_F3 (?:picture|zdj\scie|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|(?:e-?mail\s)?pas+word|e-?mai?l\sid|amount\s[\w\s]{0,30}lost[\w\s]{0,15})
6523 replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names?
6524 replace_tag FF_F5 (?:ref(?:erence)?|batch|win+ing|award|billet)[-\s]?<NUMBER>
6525 replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>|<FF_L1>)
# Rules that get the FF_* tags expanded; their patterns are defined outside
# this block.
6526 replace_rules __FILL_THIS_FORM_LONG1
6527 replace_rules __FILL_THIS_FORM_LONG2
6528 replace_rules __FILL_THIS_FORM_PARTIAL
6529 replace_rules __FILL_THIS_FORM_PARTIAL_RAW
6530 replace_rules __FILL_THIS_FORM_SHORT1
6531 replace_rules __FILL_THIS_FORM_SHORT2
6532 replace_rules __FILL_THIS_FORM_LOAN1
6533 replace_rules __FILL_THIS_FORM_FRAUD_PHISH1
# CURRENCY matches a currency marker in several spellings and encodings:
# ISO codes, "$", the raw bytes \xa3 and \xa4, their quoted-printable forms
# (=A3 / =A4), the HTML entities &#163; / &#164;, and written-out forms,
# optionally wrapped in brackets or parentheses.
6534 replace_tag CURRENCY (?:[\(\[]?(?:\bU[Ss][D\$]{0,2}|\$(?:US)?|usd|USD|CAD|GBP|=[Aa][34]|\xa3|&\#16[34];|(?i:pounds\ssterling)|\xa4|EUR(?:OS?)?|(?:d')?[Ee]uro?s?|(?i:eur)\sde|CHF|FCFA|d[\xf3]lares\sde\slos\sE+\.\s?U+\.)[\]\)]?)
6535 replace_tag GB_UK \b(?:U\.?K\.?|(?:Great\s)?Brit(?:ain|ish)|G\.?B\.?)\b
# NUM_NOT_DATE matches a leading digit 1-9 unless date-shaped text follows
# (two negative lookaheads). NUM_NOT_DATE_IP additionally rejects a digit that
# starts something shaped like a dotted quad.
# NOTE(review): the dotted-quad lookahead only accepts later octets that are 0
# or begin with 1 or 2, so an address containing an octet such as 45 or 99 is
# not excluded. Presumably a deliberate approximation; confirm if the
# __LOTSA_MONEY_* rules hit on IP addresses.
6536 replace_tag NUM_NOT_DATE [1-9](?!\d\d\d\.\d\d\.\d\d\s)(?!\d?\.\d\d?\.\d\d\d\d\s)
6537 replace_tag NUM_NOT_DATE_IP <NUM_NOT_DATE>(?!\d{0,2}(?:\.0|\.[1-2]\d{0,2}){3}(?:\D|$))
6538 replace_rules __LOTSA_MONEY_00 __LOTSA_MONEY_01 __LOTSA_MONEY_02 __LOTSA_MONEY_03 __LOTSA_MONEY_04
# PERCENT matches a two-digit or spelled-out percentage followed by "%" or
# "percent".
6539 replace_tag PERCENT \b(?:\d\d|ten|[a-z]+teen|(?:twen|thir|fou?r|fif)ty(?:-?[a-z]+)?)\s?(?:%|percent)
6540 replace_rules __PCT_FOR_YOU_1 __PCT_FOR_YOU_2 __PCT_FOR_YOU_3 __PCT_OF_PMTS
6541 replace_rules T_FUZZY_OPTOUT
6542 replace_rules __FRT_PRICE
6543 replace_rules FUZZY_UNSUBSCRIBE
6544 replace_rules FUZZY_ANDROID
6545 replace_rules FUZZY_PROMOTION
6546 replace_rules FUZZY_PRIVACY
6547 replace_rules FUZZY_BROWSER
6548 replace_rules FUZZY_SAVINGS
6549 replace_rules FUZZY_IMPORTANT
6550 replace_rules FUZZY_SECURITY
6551 replace_rules __FUZZY_DR_OZ
6552 replace_rules FUZZY_CLICK_HERE
6553 replace_rules FUZZY_BITCOIN
6554 replace_rules __BITCOIN
6555 replace_rules FUZZY_WALLET
6556 replace_rules __FUZZY_MONERO
6557 replace_rules __FUZZY_WELLSFARGO_BODY
6558 replace_rules __FUZZY_WELLSFARGO_FROM
6559 replace_rules __FUZZY_PORN
6560 replace_rules FUZZY_AMAZON
6561 replace_rules FUZZY_APPLE
6562 replace_rules FUZZY_MICROSOFT
6563 replace_rules FUZZY_FACEBOOK
6564 replace_rules FUZZY_PAYPAL
6565 replace_rules FUZZY_NORTON
6566 replace_rules FUZZY_OVERSTOCK
6567 replace_rules __FUZZY_TRUSTWALLET_BODY
6568 replace_rules __FUZZY_TRUSTWALLET_FROM
6569 replace_rules __MY_VICTIM
6570 replace_rules __MY_MALWARE
6571 replace_rules __PAY_ME
6572 replace_rules __YOUR_PASSWORD
6573 replace_rules __YOUR_WEBCAM
6574 replace_rules __YOUR_ONAN
6575 replace_rules __YOUR_PERSONAL
6576 replace_rules __HOURS_DEADLINE
6577 replace_rules __EXPLOSIVE_DEVICE
# SHY matches the soft hyphen (U+00AD) in each form it can take in a message:
# quoted-printable "=ad", the UTF-8 bytes \xc2\xad, the single byte \xad, and
# the HTML entities &#xad; &#173; &shy;. A soft hyphen is normally not
# displayed, so it can split a keyword without changing what the reader sees.
# Judging by their names, the two __SHY_OBFU_* rules look for that in
# "password" and "expire" wording; their patterns are defined outside this
# block.
6578 replace_tag SHY (?:=ad|[\xc2][\xad]|[\xad]|&\#xad;|&\#173;|&shy;)
6579 replace_rules __SHY_OBFU_PASSWORD
6580 replace_rules __SHY_OBFU_EXPIRE
6581replace_rules T_LFUZ_PWRMALE
6582 replace_rules __PDS_BTC_HACKER __PDS_BTC_PIRATE
6583 reuse T_PDS_BTC_AHACKER
6584 reuse T_PDS_BTC_HACKER
6585 reuse T_PDS_LTC_AHACKER
6586 reuse T_PDS_LTC_HACKER
6587endif
6588##} ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6589
6590##{ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox
6591
# Only a reuse declaration lives in this block; URIBL_RHS_DOB itself is
# defined elsewhere and is declared here only when the URIDNSBL plugin is
# loaded.
6592ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
6593reuse URIBL_RHS_DOB
6594endif
6595##} ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox
6596
6597##{ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox
6598
6599ifplugin Mail::SpamAssassin::Plugin::WLBLEval
6600if (version >= 3.004000)
6601enlist_uri_host (PDS_CASHSHORTENER) cutpaid.com
6602enlist_uri_host (PDS_CASHSHORTENER) caat.site
6603enlist_uri_host (PDS_CASHSHORTENER) triabicia.com
6604enlist_uri_host (PDS_CASHSHORTENER) 2xs.io
6605enlist_uri_host (PDS_CASHSHORTENER) ocest.site
6606enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz
6607enlist_uri_host (PDS_CASHSHORTENER) waar.site
6608enlist_uri_host (PDS_CASHSHORTENER) cpmlink.net
6609enlist_uri_host (PDS_CASHSHORTENER) cowner.net
6610enlist_uri_host (PDS_CASHSHORTENER) adfoc.us
6611enlist_uri_host (PDS_CASHSHORTENER) shrinkhere.xyz
6612enlist_uri_host (PDS_CASHSHORTENER) gurl.pw
6613enlist_uri_host (PDS_CASHSHORTENER) shortearn.eu
6614enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz
6615enlist_uri_host (PDS_CASHSHORTENER) libittarc.com
6616enlist_uri_host (PDS_CASHSHORTENER) pc.cd
6617enlist_uri_host (PDS_CASHSHORTENER) fc.lc
6618enlist_uri_host (PDS_CASHSHORTENER) dares.xyz
6619enlist_uri_host (PDS_CASHSHORTENER) trendlouds.com
6620enlist_uri_host (PDS_CASHSHORTENER) yogaf.xyz
6621enlist_uri_host (PDS_CASHSHORTENER) cobs.xyz
6622enlist_uri_host (PDS_CASHSHORTENER) olnew.xyz
6623enlist_uri_host (PDS_CASHSHORTENER) cleft.xyz
6624enlist_uri_host (PDS_CASHSHORTENER) 7r6.com
6625enlist_uri_host (PDS_CASHSHORTENER) mitly.us
6626enlist_uri_host (PDS_CASHSHORTENER) kutpay.com
6627enlist_uri_host (PDS_CASHSHORTENER) gsurl.me
6628enlist_uri_host (PDS_CASHSHORTENER) gurl.ly
6629enlist_uri_host (PDS_CASHSHORTENER) gsurl.in
6630enlist_uri_host (PDS_CASHSHORTENER) acitoate.com
6631enlist_uri_host (PDS_CASHSHORTENER) aclabink.com
6632enlist_uri_host (PDS_CASHSHORTENER) activeation.com
6633enlist_uri_host (PDS_CASHSHORTENER) activeterium.com
6634enlist_uri_host (PDS_CASHSHORTENER) adflyforum.com
6635enlist_uri_host (PDS_CASHSHORTENER) adflymail.com
6636enlist_uri_host (PDS_CASHSHORTENER) adult.xyz
6637enlist_uri_host (PDS_CASHSHORTENER) agileurbia.com
6638enlist_uri_host (PDS_CASHSHORTENER) atomcurve.com
6639enlist_uri_host (PDS_CASHSHORTENER) ay.gy
6640enlist_uri_host (PDS_CASHSHORTENER) battleate.com
6641enlist_uri_host (PDS_CASHSHORTENER) biastonu.com
6642enlist_uri_host (PDS_CASHSHORTENER) bitigee.com
6643enlist_uri_host (PDS_CASHSHORTENER) briskrange.com
6644enlist_uri_host (PDS_CASHSHORTENER) brisktopia.com
6645enlist_uri_host (PDS_CASHSHORTENER) casualient.com
6646enlist_uri_host (PDS_CASHSHORTENER) clesolea.com
6647enlist_uri_host (PDS_CASHSHORTENER) code404.biz
6648enlist_uri_host (PDS_CASHSHORTENER) coginator.com
6649enlist_uri_host (PDS_CASHSHORTENER) cogismith.com
6650enlist_uri_host (PDS_CASHSHORTENER) covelign.com
6651enlist_uri_host (PDS_CASHSHORTENER) crefranek.com
6652enlist_uri_host (PDS_CASHSHORTENER) dashsphere.com
6653enlist_uri_host (PDS_CASHSHORTENER) dataurbia.com
6654enlist_uri_host (PDS_CASHSHORTENER) deciomm.com
6655enlist_uri_host (PDS_CASHSHORTENER) ducolomal.com
6656enlist_uri_host (PDS_CASHSHORTENER) east-jones.com
6657enlist_uri_host (PDS_CASHSHORTENER) ecleneue.com
6658enlist_uri_host (PDS_CASHSHORTENER) ellevolaw.com
6659enlist_uri_host (PDS_CASHSHORTENER) endroudo.com
6660enlist_uri_host (PDS_CASHSHORTENER) eunsetee.com
6661enlist_uri_host (PDS_CASHSHORTENER) fainbory.com
6662enlist_uri_host (PDS_CASHSHORTENER) fasttory.com
6663enlist_uri_host (PDS_CASHSHORTENER) fawright.com
6664enlist_uri_host (PDS_CASHSHORTENER) flyserve.co
6665enlist_uri_host (PDS_CASHSHORTENER) greponozy.com
6666enlist_uri_host (PDS_CASHSHORTENER) homoluath.com
6667enlist_uri_host (PDS_CASHSHORTENER) hopigrarn.com
6668enlist_uri_host (PDS_CASHSHORTENER) infopade.com
6669enlist_uri_host (PDS_CASHSHORTENER) j.gs
6670enlist_uri_host (PDS_CASHSHORTENER) kaitect.com
6671enlist_uri_host (PDS_CASHSHORTENER) kializer.com
6672enlist_uri_host (PDS_CASHSHORTENER) kibuilder.com
6673enlist_uri_host (PDS_CASHSHORTENER) kimechanic.com
6674enlist_uri_host (PDS_CASHSHORTENER) kudoflow.com
6675enlist_uri_host (PDS_CASHSHORTENER) legeerook.com
6676enlist_uri_host (PDS_CASHSHORTENER) libittarc.com
6677enlist_uri_host (PDS_CASHSHORTENER) linkjaunt.com
6678enlist_uri_host (PDS_CASHSHORTENER) locinealy.com
6679enlist_uri_host (PDS_CASHSHORTENER) maetrimal.com
6680enlist_uri_host (PDS_CASHSHORTENER) metastead.com
6681enlist_uri_host (PDS_CASHSHORTENER) mmoity.com
6682enlist_uri_host (PDS_CASHSHORTENER) mondoagram.com
6683enlist_uri_host (PDS_CASHSHORTENER) neswery.com
6684enlist_uri_host (PDS_CASHSHORTENER) nimbleinity.com
6685enlist_uri_host (PDS_CASHSHORTENER) onisedeo.com
6686enlist_uri_host (PDS_CASHSHORTENER) optitopt.com
6687enlist_uri_host (PDS_CASHSHORTENER) picocurl.com
6688enlist_uri_host (PDS_CASHSHORTENER) pladollmo.com
6689enlist_uri_host (PDS_CASHSHORTENER) preofery.com
6690enlist_uri_host (PDS_CASHSHORTENER) prereheus.com
6691enlist_uri_host (PDS_CASHSHORTENER) q.gs
6692enlist_uri_host (PDS_CASHSHORTENER) quainator.com
6693enlist_uri_host (PDS_CASHSHORTENER) quamiller.com
6694enlist_uri_host (PDS_CASHSHORTENER) queuecosm.bid
6695enlist_uri_host (PDS_CASHSHORTENER) raboninco.com
6696enlist_uri_host (PDS_CASHSHORTENER) rapidteria.com
6697enlist_uri_host (PDS_CASHSHORTENER) rapidtory.com
6698enlist_uri_host (PDS_CASHSHORTENER) sapolatsu.com
6699enlist_uri_host (PDS_CASHSHORTENER) scapognel.com
6700enlist_uri_host (PDS_CASHSHORTENER) simizer.com
6701enlist_uri_host (PDS_CASHSHORTENER) skamaker.com
6702enlist_uri_host (PDS_CASHSHORTENER) skamason.com
6703enlist_uri_host (PDS_CASHSHORTENER) sluppend.com
6704enlist_uri_host (PDS_CASHSHORTENER) sprysphere.com
6705enlist_uri_host (PDS_CASHSHORTENER) streamvoyage.com
6706enlist_uri_host (PDS_CASHSHORTENER) swarife.com
6707enlist_uri_host (PDS_CASHSHORTENER) swiftation.com
6708enlist_uri_host (PDS_CASHSHORTENER) swifttopia.com
6709enlist_uri_host (PDS_CASHSHORTENER) techigo.com
6710enlist_uri_host (PDS_CASHSHORTENER) threadsphere.bid
6711enlist_uri_host (PDS_CASHSHORTENER) tinyical.com
6712enlist_uri_host (PDS_CASHSHORTENER) tonancos.com
6713enlist_uri_host (PDS_CASHSHORTENER) triabicia.com
6714enlist_uri_host (PDS_CASHSHORTENER) turboagram.com
6715enlist_uri_host (PDS_CASHSHORTENER) twineer.com
6716enlist_uri_host (PDS_CASHSHORTENER) twiriock.com
6717enlist_uri_host (PDS_CASHSHORTENER) userlab66.com
6718enlist_uri_host (PDS_CASHSHORTENER) vaugette.com
6719enlist_uri_host (PDS_CASHSHORTENER) velocicosm.com
6720enlist_uri_host (PDS_CASHSHORTENER) velociterium.com
6721enlist_uri_host (PDS_CASHSHORTENER) viahold.com
6722enlist_uri_host (PDS_CASHSHORTENER) vializer.com
6723enlist_uri_host (PDS_CASHSHORTENER) viwright.com
6724enlist_uri_host (PDS_CASHSHORTENER) whareotiv.com
6725enlist_uri_host (PDS_CASHSHORTENER) wirecellar.com
6726enlist_uri_host (PDS_CASHSHORTENER) x19.biz
6727enlist_uri_host (PDS_CASHSHORTENER) x19network.com
6728enlist_uri_host (PDS_CASHSHORTENER) yabuilder.com
6729enlist_uri_host (PDS_CASHSHORTENER) yamechanic.com
6730enlist_uri_host (PDS_CASHSHORTENER) yoalizer.com
6731enlist_uri_host (PDS_CASHSHORTENER) yobuilder.com
6732enlist_uri_host (PDS_CASHSHORTENER) yoineer.com
6733enlist_uri_host (PDS_CASHSHORTENER) yoitect.com
6734enlist_uri_host (PDS_CASHSHORTENER) zipansion.com
6735enlist_uri_host (PDS_CASHSHORTENER) zipteria.com
6736enlist_uri_host (PDS_CASHSHORTENER) zipvale.com
b780ea8d
SI
6737reuse T_PDS_SHORTFWD_URISHRT
6738endif
6739endif
6740##} ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox
6741
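6742##{ redirector_pattern_sandbox
6743
# redirector_pattern: each regex matches a redirector URL and captures the
# redirect target in its one capturing group, so that the target is evaluated
# by the URI rules as well instead of being hidden behind the redirector's
# own host name.  Every other group in these patterns is non-capturing.
#
# Generic "?URL=<target>" query parameter, optionally on index.php (the
# unescaped "." in "index.php" matches any character).
6744redirector_pattern m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i
# Google: /url?q=<target>, /search?q=...site:<target> or inurl:<target>,
# /search?q="<target>", /translate?u=<target>, /pagead/iclk?adurl=<target>.
# The host part accepts one optional sub-domain label and one or two
# 2-3 character suffix labels after "google".
6745redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i
6746redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:site|inurl):(.*?)(?:$|%20|[\s+&\#])'i
6747redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&\#])'i
6748redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i
6749redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/pagead/iclk\?.*?(?<=[?&])adurl=(.*?)(?:$|[&\#])'i
# AOL: /redir.adp?_url=<target>.
6750redirector_pattern m'^https?:/*(?:\w+\.)?aol\.com/redir\.adp\?.*(?<=[?&])_url=(.*?)(?:$|[&\#])'i
# Facebook: /l/;<target>.
# Fixed: the scheme was written "https?/*" without the colon, so the pattern
# could not match an "http://" or "https://" URL and the target behind the
# redirector was never extracted.  It now reads "https?:/*" like the patterns
# above.  This file is replaced on every rule update (see the file header),
# so a deployment that relies on the correction has to carry the same
# redirector_pattern line in local.cf.
6751redirector_pattern m'^https?:/*(?:\w+\.)?facebook\.com/l/;(.*)'i
6752##} redirector_pattern_sandbox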
6753
6754##{ reuse_sandbox
6755
6756reuse T_PDS_HIDDEN_UK_BUSINESSLOAN
6757reuse T_PDS_DOUBLE_URL
6758reuse T_PDS_DBL_URL_LINKBAIT
6759reuse PDS_DBL_URL_TNB_RUNON
6760reuse T_PDS_DBL_URL_ILLEGAL_CHARS
151f49fd 6761reuse T_FROM_2_EMAILS_SHORT
b780ea8d
SI
6762reuse T_SHORT_BODY_QUOTE
6763reuse T_BODY_QUOTE_MALF_MSGID
6764reuse SPOOFED_FREEMAIL_NO_RDNS
6765reuse T_PDS_URI_HIDDEN_HELO_NO_DOMAIN
54c714b2 6766reuse T_PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
46cfc9e2 6767reuse T_PDS_TONAME_EQ_TOLOCAL_SHORT
151f49fd 6768reuse T_PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
fc5290a3 6769reuse T_PDS_TONAME_EQ_TOLOCAL_VSHORT
b780ea8d
SI
6770reuse T_PDS_LITECOIN_ID
6771reuse PDS_BTC_ID
6772reuse PDS_BTC_MSGID
6773reuse __PDS_GOOGLE_DRIVE_SHARE_1
6774reuse __PDS_GOOGLE_DRIVE_SHARE_2
6775reuse __PDS_GOOGLE_DRIVE_SHARE_3
6776reuse __PDS_GOOGLE_DRIVE_SHARE
6777reuse T_GOOGLE_DRIVE_DEAR_SOMETHING
6778reuse __PDS_GOOGLE_DRIVE_FILE
6779reuse __SHORT_BODY_G_DRIVE
6780reuse __SHORT_BODY_G_DRIVE_DYN
31955ede
SI
6781reuse T_SHORT_BODY_G_DRIVE_DYN
6782reuse T_FROM_NAME_EQ_TO_G_DRIVE
b780ea8d
SI
6783##} reuse_sandbox
6784
6785
# Sub-rules for very long unbroken tokens in a URI; the minimum length is in
# each rule name.  Names starting with "__" are sub-rules that carry no score
# of their own and only feed meta rules.
#
# 128 or more letters/digits after "/" or "?", running to the end of the URI.
6786uri __128_ALNUM_URI m;[/?][0-9a-z]{128,}$;i
6787
# 128 lower-case hex digits after "/"; not anchored to the end of the URI and
# case-sensitive (no /i), so upper-case hex does not hit.
6788uri __128_HEX_URI m,/[0-9a-f]{128},
6789
# 128 or more lower-case letters only (no /i), running to the end of the URI.
6790uri __128_LC_URI m;[/?][a-z]{128,}$;
6791
# A path segment of 45 or more letters/digits followed by an image file name.
6792uri __45_ALNUM_IMG m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g)$;i
6793
# 45 or more letters/digits after "/" or "?", running to the end of the URI.
6794uri __45_ALNUM_URI m;[/?][0-9a-z]{45,}$;i
6795
# The 45+ case only when none of the longer-token rules hit, so one URI is
# not counted under several length classes.
6796meta __45_ALNUM_URI_O __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI
6797
fc5290a3
SI
# From display name containing a run of 3 to 10 four-byte UTF-8 sequences of
# the form F0 9D 90-9F 80-BF, i.e. code points U+1D400..U+1D7FF (the
# Mathematical Alphanumeric Symbols block).  Presumably aimed at names written
# in styled look-alike letters that keyword rules written for plain ASCII
# would not match -- confirm against the metas that consume this sub-rule.
# The regex works on raw bytes, so it only hits when the header is matched
# before any charset normalisation turns these bytes into characters.
6798header __4BYTE_UTF8_WORD_FROM From:name =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
6799
54c714b2
SI
# Subject containing a run of 3 to 10 four-byte UTF-8 sequences of the form
# F0 9D 90-9F 80-BF, i.e. code points U+1D400..U+1D7FF (the Mathematical
# Alphanumeric Symbols block).  Byte-level match: it depends on the decoded
# Subject still being UTF-8 bytes when the rule runs.
6800header __4BYTE_UTF8_WORD_SUBJ Subject =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
6801
b780ea8d
SI
6802uri __64_ANY_URI m;[/?]\w{64,}$;i
6803
# Phrase sub-rules for account-suspension / credential-phishing lures.  Most
# alternatives are English; a few German phrases are included.  None of these
# is scored by itself: they are summed by __ACCT_PHISH and __ACCT_PHISH_MANY
# at the end of this group.
#
# "to restore access", "to remove this suspens...", "continue using your ...".
6804body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i
6805
# Threat of temporary/permanent deactivation or removal of access/account.
6806body __ACCESS_REVOKE /(?:(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)|Ihre Kreditkarte wird gesperrt)/i
6807
# "account has been suspended/blocked/locked/blacklisted", "suspension notice".
6808body __ACCESS_SUSPENDED /\b(?:(?:access|account|e?-?mails) (?:suspension|(?:has|have) (?:been )?(?:temporar(?:il)?y (?:been )?)?(?:suspended|blocked|locked|blacklisted))|suspend (?:you from|your) access(?:ing)?|suspen(?:sion|se|ded) noti(?:ce|fication))\b/i
# "multiple maxhits=2": the rule may count up to two hits, and that count is
# the value added into the meta sums below.
6809tflags __ACCESS_SUSPENDED multiple maxhits=2
6810
# "ensure your account is not disrupted", "avoid ... e-mails being rejected",
# "avoid suspension", "will terminate your service".
# NOTE(review): in "avoid (?:account|e?-?mail(?: ?box)? )?" only the mail
# alternative ends in a space, so "avoid account suspension" does not appear
# to match -- confirm whether "account " was intended.
6811body __ACCOUNT_DISRUPT /\b(?:ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)|(?:avoid|incoming) (?:[a-z]+ ){0,5}e?-?mails? (?:from )?being rejected|avoid (?:account|e?-?mail(?: ?box)? )?(?:shut ?down|suspension|locking|termination|expiration)|will terminate (?:your|its) service)\b/i
# Counts up to two hits, like __ACCESS_SUSPENDED.
6812tflags __ACCOUNT_DISRUPT multiple maxhits=2
6813
# "your account is / appears to be incorrect|missing|in error|invalid".
6814body __ACCOUNT_ERROR /\b(?:your account (?:is|appears to be) (?:incorrect|missing|in error|invalid))\b/i
6815
# Reactivation / renewal wording and "unlock|restore|recover your account".
6816body __ACCOUNT_REACTIV /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i
6817
# "make your <address> account more secure"; the address part is optional.
6818body __ACCOUNT_SECURE /\b(?:make your (?:"?[^\@\s]+\@\S+"? |e-?mail )?account more secure|Ihre Kreditkarte weist einige Sicherheitsprobleme)\b/i
6819
# "upgrade of your account", "your account is ... being upgraded".
# NOTE(review): "(?:of )" has no "?" quantifier, so "upgrade your account"
# does not match; a non-capturing group without a quantifier suggests the
# "?" was dropped -- confirm against upstream before relying on this rule.
6820body __ACCOUNT_UPGRADE /\b(?:upgrade (?:of )your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded|Weiter zur Aktualisierung)\b/i
6821
# Two or more summed hits (sum > 1), but not enough for __ACCT_PHISH_MANY.
# Because two of the inputs can count twice, a single phrase repeated in the
# body can satisfy this threshold by itself.  Several inputs (__VERIFY_ACCOUNT,
# __FAILED_LOGINS, __SECURITY_DEPT, __SUSPICION_LOGIN,
# __PDS_FROM_NAME_TO_DOMAIN) are defined outside this excerpt.
6822meta __ACCT_PHISH (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __PDS_FROM_NAME_TO_DOMAIN) > 1 && !__ACCT_PHISH_MANY
6823
# Four or more summed hits (sum > 3).  This sum additionally includes
# __TO_IN_SUBJ, __SUBJ_DOM_ADMIN and __FROM_DOM_ADMIN, which the lower tier
# above does not count.
6824meta __ACCT_PHISH_MANY (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + __PDS_FROM_NAME_TO_DOMAIN) > 3
6825
# "Payment was rejected/cancelled" lures that name an ACH, dividend, wire or
# direct-deposit transfer.  In all four patterns "[-_ ]" accepts a hyphen,
# underscore or space between words, "cancel+ed" accepts both spellings, and
# "(?-i:ACH)" requires upper-case "ACH" even though the regex is otherwise
# case-insensitive.
#
# "ACH|dividend payment|transfer|transaction [was|is] rejected|cancelled|...".
6826body __ACH_CANCELLED_01 /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
6827
# "rejected|cancelled|declined|your ACH|direct deposit payment|transfer|...".
6828body __ACH_CANCELLED_02 /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i
6829
# Same shape as _01 for "wire payment|transfer|transaction".
6830body __ACH_CANCELLED_03 /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
6831
# "regarding your direct deposit via ACH".
6832body __ACH_CANCELLED_04 /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i
6833
# Any of the four phrases together with __EXE_ATTACH (defined outside this
# excerpt).  Only defined when the MIMEHeader plugin is loaded; unlike other
# MIMEHeader-dependent rules in this file, no "meta ... 0" fallback for it is
# visible here.
6834ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6835 meta __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH
6836endif
6837
6838uri __AC_1SEQC_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/C\//
6839
6840uri __AC_1SEQV_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/V\//
6841
6842uri __AC_CHDSEQ_URI /\/chd[a-z0-9]{20,}/
6843
151f49fd 6844header __AC_FROM_MANY_DOTS From =~ /<(?!do\.not\.reply@)(?:\w{2,}\.){2,}\w+@/i
b780ea8d
SI
6845
6846meta __AC_FROM_MANY_DOTS_MINFP __AC_FROM_MANY_DOTS && !ALL_TRUSTED && !FREEMAIL_FORGED_FROMDOMAIN && !FORGED_GMAIL_RCVD && !__UNSUB_LINK && !__XM_VBULLETIN && !__RDNS_SHORT && !__REPTO_QUOTE && !__FSL_RELAY_GOOGLE && !__HAS_IN_REPLY_TO && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_MX_MESSY && !__CTYPE_MULTIPART_MIXED && !__RCD_RDNS_MTA && !__VIA_ML && !__HAS_ERRORS_TO
6847
6848rawbody __AC_HTML_ENTITY_BONANZA_SHRT_RAW /(?:&[A-Z0-9\#]{2,};\s{0,64}){10}/i
6849
6850uri __AC_LAND_URI /\/land\//
6851
6852uri __AC_LONGSEQ_URI /\/[A-Z0-9]{50,}\.(?:php|html|cgi)\b/
6853
6854uri __AC_MHDSEQ_URI /\/mhd[a-z0-9]{20,}/
6855
6856uri __AC_NDOMLONGNASPX_URI /[A-Za-z]+[0-9]{2}\.[A-Za-z0-9-]+\.me\/(?:[A-Za-z0-9-]{10,}\/){2}[0-9]{8,}\/[A-Za-z]+\.aspx/
6857
151f49fd 6858uri __AC_NUMS_URI /(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(?:php|html)\b/
b780ea8d
SI
6859
6860uri __AC_OUTI_URI /\/outi\b/
6861
6862uri __AC_OUTL_URI /\/outl\b/
6863
6864uri __AC_PHPOFFSUB_URI /\/php\/off\/[0-9.]+\/sub\//
6865
6866uri __AC_PHPOFFTOP_URI /\/php\/off\/[0-9.]+\/top\//
6867
6868uri __AC_POSTHTMLEXTRAS /(?:main[0-9]?|mian|start(?:page)?|info(?:page|source|center)?|(?:one|view)?(?:site|source)(?:view|[0-9])?|(?:hub|file)one|index(?:[0-9]|page)?|mediafile|userlink|faction1)[.,]html?\/\w{2,}\b/i
6869
6870uri __AC_POSTIMGEXTRAS /(?:(?:main|external|hosted|new|file)?(?:im(?:g|age)?|user|one)s?-?(?:view(?:er)?|file|map|finder|portal|hub|online)?s?|library|media(?:source|-?files?)?|main|png|view|begin|file|port|space|webpics|host)(?:[-]?(?:[0-9]|one|two|three|four|five|six|seven|eight|nine))?[.,](?:jpe?g|png|gif)\/\w{2,}\b/i
6871
6872meta __AC_POST_EXTRAS (__AC_POSTHTMLEXTRAS || __AC_POSTIMGEXTRAS)
6873
6874uri __AC_PUNCTNUMS_URI /\.com\/[A-Za-z+=\/.?_-]{4,}[0-9]{9,12}[a-z0-9]{1,2}[A-Za-z+=\/.?_-]+[0-9]{7,9}[A-Za-z+=\/.?_-]{6,}[0-9]{7,9}\b/
6875
6876uri __AC_REPORT_URI /\/report\//
6877
6878uri __AC_RMOVE_URI /\/r\/move\/[0-9]+\//
6879
31955ede 6880rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i
b780ea8d
SI
6881
6882uri __AC_UHDSEQ_URI /\/uhd[a-z0-9]{20,}/
6883
6884uri __AC_UNSUB_URI /\/unsub\//
6885
6886body __ADMAIL /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i
6887
6888body __ADMITS_SPAM /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:e-?mail[- ]+)?[a@]dvert[i1l]sement\b/i
6889
46cfc9e2
SI
6890body __ADULTDATINGCOMPANY_BODY /\bAdultDatingCompany\b/i
6891
6892header __ADULTDATINGCOMPANY_FROM From:name =~ /\bAdultDatingCompany\b/i
6893
6894header __ADULTDATINGCOMPANY_REPTO Reply-To:name =~ /\bAdultDatingCompany\b/i
6895
54c714b2 6896meta __ADVANCE_FEE_2_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 1) && !__THREAD_INDEX_GOOD
b780ea8d
SI
6897
# Three mutually exclusive refinements of __ADVANCE_FEE_2_NEW, split by
# whether the message also hits __FILL_THIS_FORM and/or LOTS_OF_MONEY.  A
# message that hits neither falls into none of the three.  The _3_, _4_ and
# _5_ families in this file repeat the same split for their own thresholds.
#
# Form request present, no large-sum wording.
6898meta __ADVANCE_FEE_2_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
6899
# Both form request and large-sum wording.
6900meta __ADVANCE_FEE_2_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
6901
# Large-sum wording only.
6902meta __ADVANCE_FEE_2_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
6903
54c714b2 6904meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 2) && !__THREAD_INDEX_GOOD
b780ea8d
SI
6905
6906meta __ADVANCE_FEE_3_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
6907
6908meta __ADVANCE_FEE_3_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
6909
6910meta __ADVANCE_FEE_3_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
6911
54c714b2 6912meta __ADVANCE_FEE_4_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 3) && !__THREAD_INDEX_GOOD
b780ea8d
SI
6913
6914meta __ADVANCE_FEE_4_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
6915
6916meta __ADVANCE_FEE_4_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
6917
6918meta __ADVANCE_FEE_4_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
6919
54c714b2 6920meta __ADVANCE_FEE_5_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 4) && !__THREAD_INDEX_GOOD
b780ea8d
SI
6921
6922meta __ADVANCE_FEE_5_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW
6923
6924meta __ADVANCE_FEE_5_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW
6925
6926meta __ADVANCE_FEE_5_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW
6927
6928body __AFF_004470_NUMBER /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/
6929
6930body __AFF_LOTTERY /(?:lottery|winner)/i
6931
6932meta __AFRICAN_STATE (__NIGERIA || __IVORY_COAST || __BURKINA_FASO || __GHANA || __BENIN || __AFR_UNION)
6933
6934body __AFR_UNION /\bafrican\sunion\b/i
6935
6936body __AGREED_RATIO /\b(?:agreed|sharing)\s(?:ratios?|percent\w+)\b/i
6937
6938meta __ALIBABA_IMG_NOT_RCVD_ALI __URI_IMG_ALICDN && !__HDR_RCVD_ALIBABA
6939
6940header __AMADEUSMS_MUA X-Mailer =~ /^Amadeus Messaging Server/
6941
46cfc9e2 6942meta __AMAZON_IMG_NOT_RCVD_AMZN __URI_IMG_AMAZON && !__HDR_RCVD_AMAZON && !__HDR_RCVD_AMAZON_HELO
b780ea8d
SI
6943
6944body __AM_DYING /\b(?:am\s(?:\S+\s)?dying|terminally\sill|cancer|en\sphase\sterminale|(?:become|is|devenu|maladie)\sincurable|que\sje\smeurs)\b/i
6945
6946ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6947mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /\bimage\//i
6948endif
6949
6950if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
6951 meta __ANY_TEXT_ATTACH 0
6952endif
6953
6954ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6955 mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
6956endif
6957
6958ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6959mimeheader __ANY_TEXT_ATTACH_DOC Content-Type =~ /text\/\w+/i
6960endif
6961
6962if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
6963 body __APP_DEVELOPMENT /\b(?:mobile apps|(?:apps?|portal) (?:dev(?:elop(?:ment|ed))?|design|test(?:ing)?|U[IX]|maintenance|support)|(?:we |can |have )+(?:design(?:ed)?|buil[dt]|maintain(?:ed)?|created?)(?: over| more than)?[\s0-9]+apps|different platforms|we are (?:[-a-z]+ ){1,4}(?:software|apps?) (?:company|develop(?:ers|ment)))\b/i
6964 tflags __APP_DEVELOPMENT multiple maxhits=6
6965endif
6966
6967if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
6968 meta __APP_DEVELOPMENT_MANY __APP_DEVELOPMENT > 5
6969endif
6970
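# Advance-fee wording about an "ATM card" / "debit card" / "fast cash card"
# being issued or delivered: a lead-in ("your", "the", "via", "by means of",
# "that a", "issue you a", ...), an optional extra word, the card type with an
# optional "master|swift|value|cash" suffix, then "card".
# Fixed: the lead-in list contained "by\smeans\sof\|that\sa".  The escaped
# "\|" is a literal pipe character, so that entry only matched the text
# "by means of|that a" and neither phrase could hit separately.  It is now a
# real alternation between "by means of" and "that a".
6971body __ATM_CARD /\b(?:your|the|this|through|via|by\smeans\sof|that\sa|issue\s(?:(?:to|for)\s)?you\sa)[\s\(](?:\w{1,20}\s)?(?:atm|debit|(?:money[\s-]?gram\s)?fast\scash)(?:\smaster|swift|value?|cash)?[\s\)]card/i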
6972
46cfc9e2
SI
6973ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6974 meta __ATTACH_MSO_MHTML __TEXT_XML_MT && __MSO_THEME_MT && __X_MSO_MT
6975endif
6976
b780ea8d
SI
6977if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
6978 meta __ATTACH_NAME_NO_EXT 0
6979endif
6980
6981ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6982 mimeheader __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i
6983endif
6984
6985body __ATTN_MAIL_USER /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i
6986
6987body __AUTO_ACCIDENT /auto(?:mobile)? accident/i
6988
6989header __AXB_MO_OL_024C2 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2600\.0000/
6990
b780ea8d
SI
6991header __AXB_XM_OL_024C2 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2600\.0000/
6992
b780ea8d
SI
6993body __BACK_SCRATCH /\bmutual+y?\s(?:benefi(?:t|cial)|interest)\b/i
6994
6995body __BANK_DRAFT /\bbank\sdraft/i
6996
6997body __BARRISTER /\b(?:barrister|solicitor at law|barr\.)/i
6998
31955ede
SI
6999meta __BEBEE_IMG_NOT_RCVD_BB __URI_IMG_BEBEE && !__HDR_RCVD_BEBEE
7000
b780ea8d
SI
7001body __BENEFICIARY /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])n(?:e|=E9|[\xe9]|[\xc3][\xa9])fi(?:c|sh)i?ai?r(?:y|ies|es?)/i
7002
7003body __BENIN /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])nin\b/i
7004
7005body __BIGNUM_EMAILS /\b(?:thousand|million|\d[,1-9]{0,6}(?:[,0]{2,}k?|k))\s(?:(?!and|or|your|place|baby|suspicious|supportive|subpoenaed)\w+\s)?(?:e-?mail(?:(?![-:.\)\>\]])s?|\saddresses)|fax numbers|leads|names)\b/i
7006tflags __BIGNUM_EMAILS multiple maxhits=5
7007
7008meta __BIGNUM_EMAILS_3 __BIGNUM_EMAILS > 2
7009
7010meta __BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS && __freemail_hdr_replyto
7011
# __BITCOIN: the word "bitcoin", allowing one hyphen or whitespace character
# between letters.  Two alternative definitions, selected by whether the
# ReplaceTags plugin is loaded.
#
# Without ReplaceTags: plain letters only.
7012if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7013 body __BITCOIN /\bB[-\s]?i[-\s]?t[-\s]?c[-\s]?o[-\s]?i[-\s]?n\b/i
7014endif
7015
# With ReplaceTags: each letter is a <X> tag for the plugin to expand.
# NOTE(review): the tags are only expanded for rules listed in a
# "replace_rules" line; none for __BITCOIN is visible in this excerpt --
# confirm it exists elsewhere in the file, otherwise this variant would look
# for the literal text "<B><I><T>...".
7016ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7017 body __BITCOIN /<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i
7018endif
7019
# Something shaped like a Bitcoin address, not preceded by "=":
#   - "1" or "3" followed by 29-34 characters from a-z, A-Z and 1-9 without
#     l, I, O and 0, either contiguous or with one of "-", "_", "=" or
#     whitespace before every character;
#   - "bc1" followed by 30-90 characters from the lower-case set without
#     b, i, o and 1, again contiguous or separator-spaced.
# This is a shape match only; no checksum is verified, so any token of the
# same alphabet and length hits.  Case-sensitive (no /i).
7020body __BITCOIN_ID /\b(?<!=)(?:[13](?:(?:[-_=\s][a-km-zA-HJ-NP-Z1-9]){29,34}|[a-km-zA-HJ-NP-Z1-9]{29,34})|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90}|b[-_=\s]c[-_=\s]1(?:[-_=\s][acdefghjklmnpqrstuvwxyz234567890]){30,90})\b/
7021
# Combinations of the two sub-rules above with other signals; every second
# operand except __BOTH_INR_AND_REF is defined outside this excerpt.
7022meta __BITCOIN_IMGUR __IMGUR_IMG && __BITCOIN
7023
7024meta __BITCOIN_OBFU_SUBJ __BITCOIN && __SUBJ_OBFU_PUNCT
7025
# Address-shaped token plus a hit on __BOTH_INR_AND_REF, which further down
# in this file is an OR over a list of mail-client sub-rules.
7026meta __BITCOIN_SPAM_02 __BITCOIN_ID && __BOTH_INR_AND_REF
7027
7028meta __BITCOIN_SPAM_05 __BITCOIN_ID && __SPOOFED_FREEMAIL
7029
# Address-shaped token in a message whose To equals its From, going by the
# sub-rule name.
7030meta __BITCOIN_SPAM_07 __BITCOIN_ID && __TO_EQ_FROM
7031
151f49fd
SI
7032meta __BITCOIN_TOEQFM __BITCOIN && __TO_EQ_FROM
7033
b780ea8d
SI
7034meta __BITCOIN_WFH_01 __BITCOIN && __WFH_01
7035
7036meta __BITCOIN_XPRIO __XPRIO && (__BITCOIN || __BITCOIN_ID)
7037
b780ea8d
SI
7038body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s
7039
7040body __BODY_TEXT_LINE /^\s*\S/
7041tflags __BODY_TEXT_LINE multiple maxhits=3
7042
7043meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE
7044
7045if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7046 full __BOGUS_MIME_HDR /\bContent-[XYZ]-[a-z]{6,15}:\s+[a-z]{6,15}\b/
7047 tflags __BOGUS_MIME_HDR multiple maxhits=8
7048endif
7049
7050if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7051 meta __BOGUS_MIME_HDR_MANY __BOGUS_MIME_HDR > 7
7052endif
7053
7054header __BOGUS_MIME_VER_02 MIME-Version =~ /^(?!.*\b1\.0\b).+/
7055
7056meta __BOGUS_MSM_HDRS __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX
7057
7058body __BONUS_LAST_DAY /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i
7059
7060meta __BOTH_INR_AND_REF (__XM_BALSA || __XM_CALYPSO || __XM_FORTE || __XM_MHE || __XM_SQRLMAIL || __XM_SYLPHEED || __THEBAT_MUA || __XM_VM || __XM_XIMEVOL || __UA_KMAIL || __UA_MOZ5 || __UA_OPERA7)
7061
# Obfuscated spellings of "bitcoin" / "btc".
#
# "bitcoin" with up to 10 non-word characters around and between the letters.
# The lookahead after "b" excludes the ordinary spellings "bitcoin",
# "bit coin" and "bit-coin", so only broken-up forms hit.
7062body __BTC_OBFU_2 /\b\W{0,10}b(?!it[-\s]?coin)\W{0,10}i\W{0,10}t\W{0,10}c\W{0,10}o\W{0,10}i\W{0,10}n\W{0,10}\b/i
7063
# Same idea for "btc"; the plain token "btc" is excluded by the lookahead.
7064body __BTC_OBFU_3 /\b\W{0,10}b(?!tc\b)\W{0,10}t\W{0,10}c\W{0,10}\b/i
7065
# "bitcoin" where i, c and o may each be the Cyrillic look-alike U+0456,
# U+0441 or U+043E; the all-Latin spelling is excluded by the lookahead.
# Only defined when ReplaceTags is NOT loaded; no ifplugin counterpart is
# visible in this excerpt.
# NOTE(review): "\x{....}" matches code points, so this only hits if the body
# text is handled as characters rather than UTF-8 bytes -- confirm against
# the normalize_charset setting in use.
7066if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7067 body __BTC_OBFU_4 /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
7068endif
7069
# The literal text of seven hexadecimal character references that spell
# "bitcoin" (62 69 74 63 6F 69 6E).
# NOTE(review): this is a "body" rule, which presumably sees rendered text;
# it would then hit only where the references survive rendering -- confirm
# whether "rawbody" was intended.
7070body __BTC_OBFU_5 /&\#x62;&\#x69;&\#x74;&\#x63;&\#x6F;&\#x69;&\#x6E;/i
7071
# <img> tag in the raw HTML whose http(s) src carries either a query string of
# at least 8 characters or an 8-digit hex token.  The lookahead skips tokens
# that begin with three a-f letters or that look like a 20YYMMDD date, which
# reduces hits on ordinary file names.  Presumably meant to flag images whose
# URL carries a per-message identifier (a "web bug"), as the rule name
# suggests; sub-rule only, combined elsewhere.
7072rawbody __BUGGED_IMG m{<img\b[^>]{0,100}\ssrc=.?https?://[^>]{6,80}(?:\?[^>]{8}|[^a-z](?![a-f]{3}|20\d\d[01]\d[0-3]\d)[0-9a-f]{8})}i
7073
7074body __BURKINA_FASO /\bburkina\s?faso\b/i
7075
7076body __CANT_SEE_AD_1 /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i
7077
7078body __CANT_SEE_AD_2 /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i
7079
7080body __CAN_HELP /\bcan help\b/i
7081
7082body __CASHPRZ /cash prize of/
7083
7084body __CHARITY /\b(?:charit(?:y|[ai]ble)|orphans?|homeless|orphelins|sans\sabri)\b/i
7085
7086body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here|(?:please|automatically) reduce (?:your|the) e?-?mail ?box size|reduce (?:your |the )?(?:e?-?mail(?: ?box)? )?size automatically)\b/i
7087tflags __CLEAN_MAILBOX multiple maxhits=2
7088
7089rawbody __COMMENT_GIBBERISH /<!--(?:\s{1,10}[-\w'"]{1,40}){100}/im
7090
7091body __COMPENSATION /\b(?:compensat(?:e|ion)|recompensed?|ausgleich)\b/i
7092
7093body __CONTACT_ATTY /\bcontact(?:er)?\s(?:my|(?:de\s)?mon)\s(?:barrister|attou?rney|lawyer|avocat|gestionnaire)\b/i
7094
# "contacting you" (English) or "vous contacte(r)" (French).  One of the
# inputs summed by the __ADVANCE_FEE_*_NEW metas in this file.
# NOTE(review): "(?:ing)" has no "?" quantifier, so "contact you" does not
# match; a non-capturing group without a quantifier suggests the "?" was
# dropped -- confirm against upstream.
7095body __CONTACT_YOU /\b(?:contact(?:ing)\syou|vous\scontacter?)\b/i
7096
7097rawbody __CONTENT_AFTER_HTML /<\/html>\s*[a-z0-9]/i
7098
151f49fd
SI
7099body __COPY_PASTE_DE /Kopieren Sie es und f(?:\xfc|\xc3\xbc)gen Sie es ein|Kopieren \& Einf(?:\xfc|\xc3\xbc)gen/i
7100
b780ea8d 7101if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
151f49fd 7102 body __COPY_PASTE_EN /Copy (?:and|\+|\&) paste/i
b780ea8d
SI
7103endif
7104
7105ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7106 body __COPY_PASTE_EN /<C><O><P><Y> (?:<A><N><D>|\+|\&) <P><A><S><T><E>/i
7107endif
7108
151f49fd
SI
7109body __COPY_PASTE_ES /copiarlo y pegarlo/i
7110
7111body __COPY_PASTE_FR /le copier (?:et le|\+) coller/i
7112
7113body __COPY_PASTE_IT /copiar?lo (?:e|\&) incollar?lo/i
7114
7115body __COPY_PASTE_NL /kopieer en plak het/i
7116
7117body __COPY_PASTE_SE /kopiera den och klistra in/i
7118
b780ea8d
SI
7119body __COURIER /\bcourier\s(?:company|service)\b/i
7120
7121header __CR_IN_SUBJ Subject:raw =~ /\015/
7122
151f49fd
SI
# Constant-false fallback so metas that reference __CTE_BAS64 still resolve
# when the MIMEHeader plugin is not loaded.
7123if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7124 meta __CTE_BAS64 0
7125endif
7126
# A MIME part whose Content-Transfer-Encoding contains the token "bas64".
# NOTE(review): the misspelling (not "base64") matches the rule name and so
# looks deliberate, i.e. the rule targets parts that declare this malformed
# encoding name -- confirm against upstream before "correcting" it.
7127ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7128 mimeheader __CTE_BAS64 Content-Transfer-Encoding =~ /\bbas64\b/i
7129endif
7130
b780ea8d
SI
7131header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w+/i
7132
7133header __CTYPE_MULTIPART_MIXED Content-Type =~ /multipart\/mixed/i
7134
7135if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7136 meta __CTYPE_NULL 0
7137endif
7138
7139ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7140 mimeheader __CTYPE_NULL Content-Type =~ /^\s*;/
7141endif
7142
7143ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7144mimeheader __CTYPE_ONETAB_GIF Content-Type:raw =~ /^image\/gif;\n\tname=\".+?\"$/s
7145endif
7146
# Top-level Content-Type indicating an encrypted message: multipart/encrypted
# (with optional "x-" / "pgp-" prefixes) or application/pkcs7-mime.
# The "^" anchor binds only to the multipart alternative; the pkcs7-mime
# alternative matches anywhere in the header value.  The regex has no /i, so
# a type written in upper or mixed case does not hit.
7147header __CT_ENCRYPTED Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/
7148
7149ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7150mimeheader __CT_UTF7 Content-Type =~ /\bcharset=.?utf-7\b/i
7151endif
7152
151f49fd 7153header __DATE_LOWER ALL =~ /date: \S{5}/
b780ea8d
SI
7154
7155if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7156 body __DAY_I_EARNED /day,?\sI\s(?:earned|got|received|made|brought\sin)\s\$\s?\d{3}/i
7157 tflags __DAY_I_EARNED multiple maxhits=4
7158endif
7159
7160body __DBLCLAIM /avoid double claiming/
7161
7162body __DEAD_PARENT /\b(?:my|meu)\s(?:(?:deceased|dead)\s(?:father|mother|husband)|(?:father|dad|mother|mom|husband|marido)(?:'?s)?\s(?:death|died|passed\saway|murder|was\s(?:killed|murdered|poisoned)|faleceu))/i
7163
7164body __DEAL /\b(?:(?:business|financial|this|the|mutual|die(?:se)?r?|cette|profitable)\s(?:deal|transa[ck]tion|proposal|off[er]{2}|venture|suggestion|partnership)|your\spartnership)/i
7165
7166body __DECEASED /\b(?:the|my|your|der|du|le|meu?)\s(?:deceased|late|verstorbenen|d(?:i|e|=E9|[\xe9]|[\xc3][\xa9])funto?|d(?:e|=E9|[\xe9]|[\xc3][\xa9])nt|falecido)\b/i
7167
7168body __DESTROY_ME /\b(?:destroy|hunt|quemar)\sm[eyi]\b/i
7169
7170body __DESTROY_YOU /\b(?:destroy\syou|deine Zukunft zerst\S{1,3}ren)/i
7171
7172body __DIED_IN /\bdied\sin\b/i
7173
7174body __DIPLOMATIC /\bdiplomatic\b/i
7175
7176ifplugin Mail::SpamAssassin::Plugin::AskDNS
7177tflags __DKIMWL_BLOCKED net
7178endif
7179
7180ifplugin Mail::SpamAssassin::Plugin::AskDNS
7181tflags __DKIMWL_BULKMAIL net
7182endif
7183
7184ifplugin Mail::SpamAssassin::Plugin::AskDNS
7185tflags __DKIMWL_FREEMAIL net
7186endif
7187
7188ifplugin Mail::SpamAssassin::Plugin::AskDNS
7189tflags __DKIMWL_WL_BL net
7190endif
7191
7192ifplugin Mail::SpamAssassin::Plugin::AskDNS
7193tflags __DKIMWL_WL_HI net
7194endif
7195
7196ifplugin Mail::SpamAssassin::Plugin::AskDNS
7197tflags __DKIMWL_WL_MED net
7198endif
7199
7200ifplugin Mail::SpamAssassin::Plugin::AskDNS
7201tflags __DKIMWL_WL_MEDHI net
7202endif
7203
7204header __DKIM_EXISTS exists:DKIM-Signature
7205tflags __DKIM_EXISTS nice
7206
7207body __DLND_ATTACH /\bdownload\sthe\sattach(?:ed|ment)\b/i
7208
# Word / RTF attachment detection.  Each rule is defined twice: as a constant
# 0 when the MIMEHeader plugin is not loaded, so that metas referencing it
# still resolve, and as the real test when it is.
#
# Coverage, as written: the checks look at the declared MIME type and at a
# double-quoted file name ending in .doc, .docx or .rtf.  Unquoted or
# "name*="-style parameters and other Word extensions (for example .docm) do
# not hit, and nothing here inspects the attachment content, so this is a
# labelling signal rather than a file-type verdict.
7209if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7210 meta __DOC_ATTACH 0
7211endif
7212
# Any of: document MIME type, or document file name in either header.
7213ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7214 meta __DOC_ATTACH (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2)
7215endif
7216
7217if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7218 meta __DOC_ATTACH_FN1 0
7219endif
7220
# File name parameter in Content-Type (quoted value ending .doc/.docx/.rtf).
7221ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7222 mimeheader __DOC_ATTACH_FN1 Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i
7223endif
7224
7225if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7226 meta __DOC_ATTACH_FN2 0
7227endif
7228
# Same file-name test against Content-Disposition.
7229ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7230 mimeheader __DOC_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i
7231endif
7232
7233if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7234 meta __DOC_ATTACH_MT 0
7235endif
7236
# Declared MIME type: msword, rtf, vnd.ms-word or the OOXML word-processing
# document type.
7237ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7238 mimeheader __DOC_ATTACH_MT Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i
7239endif
7240
7241body __DORMANT_ACCT /\b(?:(?:dormant|abandoned|left\s?over)\s(?:account|fund|transaction|sum|deposit)|fonds\sdorment)/i
7242
7243body __DOS_BODY_FRI /\bfri(?:day)?\b/i
7244
7245body __DOS_BODY_MON /\bmon(?:day)?\b/i
7246
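# Sub-rule: body mentions Saturday ("sat" or "saturday", case-insensitive).
# The optional suffix used to be "day", which spelled "satday" and never
# matched the full weekday name; the sibling rules (fri/mon/sun) show the
# intended shape. Like its siblings, the short form also matches the ordinary
# word "sat", so this is only useful combined with the __DOS_RCVD_* rules.
7247body __DOS_BODY_SAT /\bsat(?:urday)?\b/i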
7248
7249body __DOS_BODY_STOCK /\bstock\b/i
7250
7251body __DOS_BODY_SUN /\bsun(?:day)?\b/i
7252
7253body __DOS_BODY_THU /\bthu(?:r(?:s(?:day)?)?)?\b/i
7254
7255body __DOS_BODY_TICKER /\b[A-Z]{4}\.(?:OB|PK)\b/
7256
7257body __DOS_BODY_TUE /\btue(?:s(?:day)?)?\b/i
7258
7259body __DOS_BODY_WED /\bwed(?:nesday)?\b/i
7260
7261body __DOS_COMING_TO_YOUR_PLACE /I (?:am|might(?: be)?) c[a-z]?o[a-z]?m[a-z]?(?:i[a-z]?n[a-z]?g[a-z]{0,2}|e down) to y[!a-z]{2,4}r (?:city|place[a-z]{0,2}|co[a-z]?u[a-z]?n[a-z]?t[a-z]?ry) in (?:f[a-z]?e[a-z]?w|\d{1,2}) (?:day|week)s/
7262
7263body __DOS_CORRESPOND_EMAIL /correspond with me using my email/
7264
7265meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT
7266
7267meta __DOS_DIRECT_TO_MX_UNTRUSTED __DOS_DIRECT_TO_MX && !ALL_TRUSTED
7268
7269body __DOS_DROP_ME_A_LINE /Drop me a line at/
7270
7271body __DOS_EMAIL_DIRECTLY /(?:Email m[a-z]?e|address) direc(?:tl|lt)y at/
7272
7273body __DOS_FIN_ADVANTAGE /\bfinancial advantage/i
7274
7275uri __DOS_HAS_ANY_URI /^\w+:\/\//
7276
7277header __DOS_HAS_LIST_ID exists:List-ID
7278
7279header __DOS_HAS_LIST_UNSUB exists:List-Unsubscribe
7280
7281header __DOS_HAS_MAILING_LIST exists:Mailing-List
7282
7283body __DOS_HI /^Hi,$/
7284
7285body __DOS_I_AM_25 /I a.?m 25/
7286
7287body __DOS_I_DRIVE_A /I drive a/
7288
7289body __DOS_LET_GO_JOB /I was (?:let go|fired|layed off|dismissed) from a job I h(?:el|a)d for (?:2\d years|\d{3} months)/
7290
7291body __DOS_LINK /\blink\b/
7292
7293body __DOS_MEET_EACH_OTHER /(?:meet each other|[Mm]ay ?be we can meet)/
7294
7295header __DOS_MSGID_DIGITS10 Message-ID =~ /<1[013-9]\d{8}\@.*>/
7296
7297header __DOS_MSGID_DIGITS9 Message-ID =~ /<\d{9}\@.*>/
7298
7299body __DOS_MY_OLD_JOB /my old job/
7300
7301body __DOS_PERSONAL_EMAIL /personal email at/
7302
7303header __DOS_RCVD_FRI Received =~ / Fri, /
7304
7305header __DOS_RCVD_MON Received =~ / Mon, /
7306
7307header __DOS_RCVD_SAT Received =~ / Sat, /
7308
7309header __DOS_RCVD_SUN Received =~ / Sun, /
7310
7311header __DOS_RCVD_THU Received =~ / Thu, /
7312
7313header __DOS_RCVD_TUE Received =~ / Tue, /
7314
7315header __DOS_RCVD_WED Received =~ / Wed, /
7316
7317meta __DOS_REF_2_WK_DAYS (__DOS_RCVD_MON && __DOS_BODY_WED) || (__DOS_RCVD_TUE && __DOS_BODY_THU) || (__DOS_RCVD_WED && __DOS_BODY_FRI) || (__DOS_RCVD_THU && __DOS_BODY_MON) || (__DOS_RCVD_FRI && __DOS_BODY_TUE) || (__DOS_RCVD_SAT && __DOS_BODY_TUE) || (__DOS_RCVD_SUN && __DOS_BODY_TUE)
7318
7319meta __DOS_REF_NEXT_WK_DAY (__DOS_RCVD_MON && __DOS_BODY_TUE) || (__DOS_RCVD_TUE && __DOS_BODY_WED) || (__DOS_RCVD_WED && __DOS_BODY_THU) || (__DOS_RCVD_THU && __DOS_BODY_FRI) || (__DOS_RCVD_FRI && __DOS_BODY_MON) || (__DOS_RCVD_SAT && __DOS_BODY_MON) || (__DOS_RCVD_SUN && __DOS_BODY_MON)
7320
7321meta __DOS_REF_TODAY (__DOS_RCVD_MON && __DOS_BODY_MON) || (__DOS_RCVD_TUE && __DOS_BODY_TUE) || (__DOS_RCVD_WED && __DOS_BODY_WED) || (__DOS_RCVD_THU && __DOS_BODY_THU) || (__DOS_RCVD_FRI && __DOS_BODY_FRI) || (__DOS_RCVD_SAT && __DOS_BODY_SAT) || (__DOS_RCVD_SUN && __DOS_BODY_SUN)
7322
# Sub-rule: the ALL-EXTERNAL header text contains at least two Received:
# lines, matched case-insensitively letter by letter. With /s the ".+" can
# span line breaks, so the two lines need not be adjacent.
7323header __DOS_RELAYED_EXT ALL-EXTERNAL =~ /(?:^|\n)[Rr][eE][cC][eE][iI][vV][eE][dD]:\s.+\n[Rr][eE][cC][eE][iI][vV][eE][dD]:\s/s
7324
# Sub-rule: X-Spam-Relays-External consists of exactly one bracketed relay
# entry. Both rules feed __DOS_DIRECT_TO_MX and depend on Received data, so
# they are only as reliable as the trusted/internal network configuration.
7325header __DOS_SINGLE_EXT_RELAY X-Spam-Relays-External =~ /^\[ [^\]]+ \]$/
7326
7327body __DOS_STEADY_COURSE /\bsteady (?:and increasing )?course\b/i
7328
7329body __DOS_STRONG_CF /\bstrong cash flow/i
7330
7331body __DOS_TAKING_HOME /Taking home \d (?:digit level|figures) in \d{1,2} months/
7332
7333body __DOS_WRITE_ME_AT /[Ww].?r.?i.?t.?e me at/
7334
7335meta __DOTGOV_IMAGE __URI_DOTGOV && __REMOTE_IMAGE
7336
7337meta __DYNAMIC_IMGUR __IMGUR_IMG && __RDNS_DYNAMIC_IPADDR
7338
7339body __EARLY_DEMISE /\buntimely\sdeath\b/i
7340
151f49fd
SI
7341header __EBAY_ADDRESS From:addr =~ /[\@.]ebay\.\w\w\w?(?:\.\w\w)?$/i
7342
b780ea8d
SI
7343meta __EBAY_IMG_NOT_RCVD_EBAY __URI_IMG_EBAY && !__HDR_RCVD_EBAY
7344
# Mailbox/webmail credential-phishing indicator count.
# Adds up the listed sub-rules plus one point if any rule in the parenthesised
# OR group hits, and fires when the total is greater than 1. It is excluded
# when __EMAIL_PHISH_MANY fires, so the two metas never hit together.
7345meta __EMAIL_PHISH (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN) > 1) && !__EMAIL_PHISH_MANY
7346
# Higher-confidence variant: same sum extended with __TO_IN_SUBJ,
# __SUBJ_DOM_ADMIN and __FROM_DOM_ADMIN, firing when the total exceeds 3.
# NOTE(review): __TO_IN_SUBJ is both a summand and a member of the OR group,
# so a single hit can contribute two points. __FROM_DOM_ADMIN is defined in
# this file as __FROM_ADMIN && __PDS_FROM_NAME_TO_DOMAIN, and
# __PDS_FROM_NAME_TO_DOMAIN is also in the OR group, so that pair is
# correlated as well. Confirm the weighting is intended before tuning.
46cfc9e2 7347meta __EMAIL_PHISH_MANY (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ) > 3)
b780ea8d
SI
7348
7349meta __EMPTY_BODY __BODY_TEXT_LINE < 2 && !__SMIME_MESSAGE
7350
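# Sub-rule: opt-out phrasing such as "stop receiving our emails" or
# "would prefer not to get any future mailings" (case-insensitive).
# Shape: an opt-out verb or phrase, a "-" or space, an optional filler
# ("get ", "receiving ", "or ", or up to four words followed by "from "),
# then these/our/future/further, then a mail/alert/notice noun.
# The two negative lookaheads skip "stop receiving these alerts|emails" and
# "do not wish to receive ... emails".
# Fix: the filler read "a-z{1,30}", which matches the literal text "a-" plus
# a run of "z" rather than a word; it is now the character class [a-z]{1,30}.
7351body __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:[a-z]{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i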
7352
151f49fd
SI
7353header __ENVFROM_AMAZONSES EnvelopeFrom =~ /\@amazonses\.com$/
7354
b780ea8d
SI
7355header __ENVFROM_GOOG_TRIX EnvelopeFrom =~ /(?:@|=)trix\.bounces\.google\.com(?:$|=)/
7356
7357meta __ENVFROM_GOOG_TRIX_SPAMMY __ENVFROM_GOOG_TRIX && (__GOOGLE_DOC_SUSP || FREEMAIL_REPLYTO_END_DIGIT || __ADVANCE_FEE_2_NEW || FORGED_GMAIL_RCVD || LOTS_OF_MONEY || __HAS_X_SOURCE_DIR )
7358
# Executable-attachment indicator. Defined as constant 0 when the MIMEHeader
# plugin is not loaded, so dependent metas still resolve.
7359if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7360 meta __EXE_ATTACH 0
7361endif
7362
# Matches ".exe" followed by a word boundary anywhere in a part's Content-Type
# header (typically the name= parameter).
# NOTE(review): unlike __DOC_ATTACH, there is no companion test on
# Content-Disposition, so a part that names the file only in filename= is not
# covered here. Only the .exe extension is checked, and the match is on the
# declared name, not the content. Do not rely on this sub-rule as the sole
# attachment control.
7363ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7364 mimeheader __EXE_ATTACH Content-Type =~ /\.exe\b/i
7365endif
7366
# Threat wording used by the extortion meta below.
# Without ReplaceTags: plain case-insensitive match on "explosive device" or
# "bomb" as whole words.
7367if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7368 body __EXPLOSIVE_DEVICE /\b(?:explosive\sdevice|bomb)\b/i
7369endif
7370
# With ReplaceTags: the same words spelled with per-letter <X> tags, which the
# plugin is presumably configured to expand to obfuscation-tolerant letter
# classes (the tag definitions and replace_rules entry are not in this part).
# This variant needs whitespace after the phrase rather than a word
# boundary, so the phrase followed directly by punctuation matches the plain
# variant but not this one.
7371ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7372 body __EXPLOSIVE_DEVICE /(?:^|\s)(?:<E><X><P><L><O><S><I><V><E>\s<D><E><V><I><C><E>|<B><O><M><B>)\s/i
7373endif
7374
# Extortion-mail indicator: fires when more than three of the listed
# sub-rules hit on the same message.
7375meta __EXTORT_MANY (__MY_MALWARE + __PAY_ME + __MY_VICTIM + __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE + __YOUR_PASSWORD + LOCALPART_IN_SUBJECT + __DESTROY_ME + __DESTROY_YOU + __EXPLOSIVE_DEVICE + __PAXFUL + __HUSH_HUSH) > 3
7376
7377body __EX_CUSTOMER /\b(?:(?:dead|deceased|late|verstorbenen|death\sof\sthe)\s(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|depositor|mr\.|kunde|engr?\.?)|titulaire\sdu\scompte\sest\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|invest[eo]r\sdied|(?:e|=E9|[\xe9]|[\xc3][\xa9])tranger\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|mr\.|kunde|engr?\.?)\s(?:[a-z]{1,10}\s)?(?:dead|deceased|verstorbenen))/i
7378
7379if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7380 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7381 body __E_LIKE_LETTER /<lcase_e>/
7382 tflags __E_LIKE_LETTER multiple maxhits=320
7383endif
7384endif
7385
31955ede
SI
7386meta __FACEBOOK_IMG_NOT_RCVD_FB __URI_IMG_FACEBOOK && !__HDR_RCVD_FACEBOOK
7387
b780ea8d
SI
7388body __FAILED_LOGINS /unsuc+es+ful log-?[io]n at+empts/i
7389
# FBI impersonation indicators.
# SHOUT_1/SHOUT_2: upper-case "FEDERAL BUREAU OF INVESTIGATION(S)" at the start
# of a body paragraph (body) or of any raw line (rawbody, /m). These two are
# case-sensitive.
7390body __FBI_BODY_SHOUT_1 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/
7391
7392rawbody __FBI_BODY_SHOUT_2 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/m
7393
# From address ends in fbi.gov. The leading \b is also satisfied after "-",
# which is harmless for a "claims to be the FBI" signal.
# NOTE(review): there is no /i here, unlike __FBI_FM_NAME. Confirm From:addr is
# lower-cased before matching.
7394header __FBI_FM_DOM From:addr =~ /\bfbi\.gov$/
7395
7396header __FBI_FM_NAME From:name =~ /federal\sbureau\sof\sinvestigation/i
7397
# Exemption input: some external relay entry has an rdns= value ending in
# fbi.gov.
# NOTE(review): the pattern is not anchored to the first relay entry, so any
# entry in X-Spam-Relays-External satisfies it, and the \b boundary accepts
# names such as "x-fbi.gov" as well as subdomains. __FSL_RELAY_GOOGLE in this
# file anchors with ^[^\]]+ and requires a literal dot before the domain; the
# same shape would make this exemption stricter. How far an rdns= value can be
# trusted also depends on how the receiving MTA resolves it. Confirm locally.
7398header __FBI_RCVD_DOM X-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov /
7399
# Spoof verdict: any FBI claim above, no fbi.gov relay, and a Reply-To header
# is present (__HAS_REPLY_TO is defined elsewhere).
7400meta __FBI_SPOOF (__FBI_FM_NAME || __FBI_FM_DOM || __FBI_BODY_SHOUT_1 || __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __HAS_REPLY_TO
7401
7402body __FB_COST /\bcost\b/i
7403
7404body __FB_NUM_PERCNT /\d\s?\%/
7405
7406body __FB_S_PRICE /pri{1,2}c[a-z]?e/i
7407
7408body __FB_S_STOCK /\bstock/i
7409
7410body __FB_TOUR /\btour/i
7411
7412body __FEES /\b(?:security|safe\w*|courier|registration|pay|paid|up-?front|processing|delivery|transfer|keeping)[\s\w]{0,15}\s(?:fee|charge)s?\b/i
7413
7414body __FIFTY_FIFTY /\b(?:50|fifty)(?:%?[\/:]50%?|%|\spercent)/i
7415
7416if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7417 meta __FILL_THIS_FORM 0
7418endif
7419
7420ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7421 meta __FILL_THIS_FORM (__FILL_THIS_FORM_LONG || __FILL_THIS_FORM_PARTIAL > 4 || __FILL_THIS_FORM_PARTIAL_RAW > 4)
7422endif
7423
7424if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7425 meta __FILL_THIS_FORM_FRAUD_PHISH 0
7426endif
7427
7428ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7429 meta __FILL_THIS_FORM_FRAUD_PHISH (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FILL_THIS_FORM_FRAUD_PHISH1 || __EMAIL_PHISH || __ACCT_PHISH)
7430endif
7431
7432if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7433 meta __FILL_THIS_FORM_FRAUD_PHISH1 0
7434endif
7435
7436ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7437 body __FILL_THIS_FORM_FRAUD_PHISH1 /<FF_YOUR>(?:<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
7438endif
7439
7440if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7441 meta __FILL_THIS_FORM_LOAN 0
7442endif
7443
7444ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7445 meta __FILL_THIS_FORM_LOAN __FILL_THIS_FORM && __FILL_THIS_FORM_LOAN1
7446endif
7447
7448if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7449 meta __FILL_THIS_FORM_LOAN1 0
7450endif
7451
7452ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7453 body __FILL_THIS_FORM_LOAN1 /<FF_YOUR><FF_L1><FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
7454endif
7455
7456if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7457 meta __FILL_THIS_FORM_LONG 0
7458endif
7459
7460ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7461 meta __FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG1 || __FILL_THIS_FORM_LONG2
7462endif
7463
7464if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7465 meta __FILL_THIS_FORM_LONG1 0
7466endif
7467
7468ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7469 body __FILL_THIS_FORM_LONG1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
7470endif
7471
7472if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7473 meta __FILL_THIS_FORM_LONG2 0
7474endif
7475
7476ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7477 body __FILL_THIS_FORM_LONG2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
7478endif
7479
7480if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7481 meta __FILL_THIS_FORM_PARTIAL 0
7482endif
7483
7484ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7485 body __FILL_THIS_FORM_PARTIAL /^\s?<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20){1,4}$)/im
7486 tflags __FILL_THIS_FORM_PARTIAL multiple maxhits=5
7487endif
7488
7489if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7490 meta __FILL_THIS_FORM_PARTIAL_RAW 0
7491endif
7492
7493ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7494 rawbody __FILL_THIS_FORM_PARTIAL_RAW /^(?>\s{0,50})<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20|&nbsp;|<\/\w+>){0,4}$)/im
7495 tflags __FILL_THIS_FORM_PARTIAL_RAW multiple maxhits=5
7496endif
7497
7498if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7499 meta __FILL_THIS_FORM_SHORT 0
7500endif
7501
7502ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7503 meta __FILL_THIS_FORM_SHORT !__FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT1 || __FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_PARTIAL > 2 || __FILL_THIS_FORM_PARTIAL_RAW > 2)
7504endif
7505
7506if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7507 meta __FILL_THIS_FORM_SHORT1 0
7508endif
7509
7510ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7511 body __FILL_THIS_FORM_SHORT1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
7512endif
7513
7514if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7515 meta __FILL_THIS_FORM_SHORT2 0
7516endif
7517
7518ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7519 body __FILL_THIS_FORM_SHORT2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
7520endif
7521
7522header __FLASHMAIL_MUA X-Mailer =~ /^NetEase Flash Mail \d/
7523
7524if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7525 meta __FM_MY_PRICE __FB_S_PRICE
7526endif
7527
7528ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7529 meta __FM_MY_PRICE (__FB_S_PRICE || __FRT_PRICE)
7530endif
7531
7532meta __FM_TO_ALL_NUMS __FROM_ALL_NUMS && __TO_ALL_NUMS
7533
# Hidden-text indicator, evaluated on the raw (undecoded-HTML) body.
# Matches an HTML tag other than <style> whose attribute text, within 80
# characters of the tag name, sets either
#   - font / font-size to a near-zero value: 0 or 1 (optionally with decimals)
#     in px/pt/Q/vw/vh/vmin, zero (optionally with decimals) in
#     cm/mm/pc/ch/rem/lh/vmax/%, or 0.0x in em/ex/in; or
#   - color to "transparent",
# and whose closing ">" is followed directly by a word character, i.e. the
# styled element actually contains text.
# Only applied when the running SpamAssassin reports feature_bug6558_free.
7534if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7535 rawbody __FONT_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w/i
# Count every occurrence, capped at 11, so the threshold metas that follow
# (> 2, > 5, > 10) can distinguish light from heavy use.
7536 tflags __FONT_INVIS multiple maxhits=11
7537endif
7538
7539if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7540 meta __FONT_INVIS_10 __FONT_INVIS > 10
7541endif
7542
7543if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7544 meta __FONT_INVIS_2 __FONT_INVIS > 2
7545endif
7546
7547if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7548 meta __FONT_INVIS_5 __FONT_INVIS > 5
7549endif
7550
7551if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7552 meta __FONT_INVIS_CENTER __FONT_INVIS && __TAG_EXISTS_CENTER
7553endif
7554
7555if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7556 meta __FONT_INVIS_DIRECT __FONT_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED
7557endif
7558
7559if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7560 meta __FONT_INVIS_DOTGOV __FONT_INVIS && __URI_DOTGOV
7561endif
7562
7563if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7564 meta __FONT_INVIS_HTML_NOHTML __FONT_INVIS && HTML_MIME_NO_HTML_TAG
7565endif
7566
7567if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7568 meta __FONT_INVIS_LONG_LINE __FONT_INVIS && __LONGLINE
7569endif
7570
7571if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7572 meta __FONT_INVIS_MANY __FONT_INVIS_2
7573endif
7574
7575if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7576 meta __FONT_INVIS_MSGID __FONT_INVIS && __MSGID_OK_HOST
7577endif
7578
7579if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7580 meta __FONT_INVIS_NORDNS __FONT_INVIS && __RDNS_NONE
7581endif
7582
7583if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7584 meta __FONT_INVIS_SINGLET __FONT_INVIS && __HTML_SINGLET
7585endif
7586
7587header __FORGED_MUA_POSTFIX0 User-Agent =~ /Postfix/
7588
7589header __FORGED_MUA_POSTFIX1 X-Mailer =~ /Postfix/
7590
31955ede
SI
# Sub-rule on the parsed external relay list. It matches when:
#   - the list holds exactly two entries (no further "[" after the second),
#   - both entries report the same ip= value, which does not start with 127,
#   - the second entry's helo= is either empty or starts with "!" followed by
#     an address outside 10/8, 127/8, 169.254/16, 172.16/12 and 192.168/16.
# "!" is presumably how a bracketed address-literal HELO appears in this
# pseudo-header. Confirm against the relay metadata format.
# The ip capture is [\d.]+, so only IPv4 relays can match.
7591header __FORGED_RELAY_MUA_TO_MX X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10|127|169\.254|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.)| )[^\[]+$/
7592
b780ea8d
SI
7593meta __FORGED_TBIRD_IMG __MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0D
7594describe __FORGED_TBIRD_IMG Possibly forged Thunderbird image spam
7595
54c714b2 7596meta __FORM_FRAUD (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 1)
b780ea8d 7597
54c714b2 7598meta __FORM_FRAUD_3 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3)
b780ea8d 7599
54c714b2 7600meta __FORM_FRAUD_5 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)
b780ea8d 7601
b780ea8d
SI
7602if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7603 body __FOR_SALE_LTP /00\.? (?:less 10%|LTP)/i
7604 tflags __FOR_SALE_LTP multiple maxhits=11
7605endif
7606
7607if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7608 meta __FOR_SALE_LTP_MANY __FOR_SALE_LTP > 10
7609endif
7610
7611if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7612 body __FOR_SALE_NET /00\.? NET/i
7613 tflags __FOR_SALE_NET multiple maxhits=11
7614endif
7615
7616if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7617 meta __FOR_SALE_NET_MANY __FOR_SALE_NET > 10
7618endif
7619
7620if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7621 body __FOR_SALE_OBO /\bor best offer\b/i
7622 tflags __FOR_SALE_OBO multiple maxhits=6
7623endif
7624
7625if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7626 meta __FOR_SALE_OBO_MANY __FOR_SALE_OBO > 5
7627endif
7628
7629if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7630 body __FOR_SALE_PRC_100K /\bprice:? \$\d\d\d,\d\d\d/i
7631 tflags __FOR_SALE_PRC_100K multiple maxhits=11
7632endif
7633
7634if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7635 meta __FOR_SALE_PRC_100K_MANY __FOR_SALE_PRC_100K > 5
7636endif
7637
7638if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7639 body __FOR_SALE_PRC_10K /\bprice:? \$\d\d,\d\d\d/i
7640 tflags __FOR_SALE_PRC_10K multiple maxhits=11
7641endif
7642
7643if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7644 meta __FOR_SALE_PRC_10K_MANY __FOR_SALE_PRC_10K > 10
7645endif
7646
7647if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7648 body __FOR_SALE_PRC_1K /\bprice:? \$\d,?\d\d\d[.\s]/i
7649 tflags __FOR_SALE_PRC_1K multiple maxhits=11
7650endif
7651
7652if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7653 meta __FOR_SALE_PRC_1K_MANY __FOR_SALE_PRC_1K > 10
7654endif
7655
7656if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7657 rawbody __FOR_SALE_PRC_EOL /\s\$\d{1,3},\d00(?:\.00)?$/m
7658 tflags __FOR_SALE_PRC_EOL multiple maxhits=11
7659endif
7660
7661if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7662 meta __FOR_SALE_PRC_EOL_MANY __FOR_SALE_PRC_EOL > 10
7663endif
7664
7665if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7666 meta __FOR_SALE_PRC_MANY (__FOR_SALE_PRC_1K + __FOR_SALE_PRC_10K + __FOR_SALE_PRC_100K) > 20
7667endif
7668
7669body __FOUND_YOU /\b(?:I|we)\sfound\syour?\b/i
7670
7671body __FRAUD /\b(?:de)?fraud/i
7672
7673body __FRAUD_IOV /\b(?:no risks?|risky?[- ]{0,3}free|free of risks?|100% safe|v\S{1,3}llig Risikofrei ist)\b/i
7674
7675body __FRAUD_PTX /\b(?:ass?ass?inat(?:ed|ion)|murder(?:e?d)?|poison(?:e?d)?|kill(?:ed|ing|ers)\b[^.]{0,99}\b(?:war veterans|rebels?)|les tueurs)\b/i
7676
7677body __FRAUD_XWW /\b(?:honest(?:ly)?\sco(?:-?operat(?:e|ion)|llaborat(?:e|ion))|ehrliche\szusammenarbeit|sichere [kc]o+p[eo]ration|col+aboration\swith\sme)\b/i
7678
7679ifplugin Mail::SpamAssassin::Plugin::FreeMail
7680 header __FREEMAIL_DISPTO eval:check_freemail_header('Disposition-Notification-To')
7681endif
7682
7683ifplugin Mail::SpamAssassin::Plugin::FreeMail
7684 meta __FREEMAIL_DOC_PDF (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
7685endif
7686
7687meta __FREEMAIL_WFH_01 (FREEMAIL_FROM || FREEMAIL_REPLYTO) && __WFH_01
7688
7689meta __FREEM_FRNUM_UNICD_EMPTY FREEMAIL_FROM && __FROM_ALL_NUMS && __FROM_ENCODED_B64 && __SUBJECT_ENCODED_B64 && __EMPTY_BODY
7690
7691if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
7692 meta __FROM_41_FREEMAIL 0
7693endif
7694
7695ifplugin Mail::SpamAssassin::Plugin::FreeMail
7696 meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED
7697 describe __FROM_41_FREEMAIL Sent from Africa + freemail provider
7698endif
7699
# Named address-list lookups on the From address (BANKS, GOV, PAYPAL,
# SUSP_NTLD). Each is defined only on SpamAssassin 3.4.2 or later with the
# WLBLEval plugin loaded; the list contents are defined elsewhere.
# A hit shows which organisation the From header claims to be. It does not
# authenticate the sender, so the metas that consume these need to pair them
# with an authentication or relay check.
7700if (version >= 3.004002)
7701ifplugin Mail::SpamAssassin::Plugin::WLBLEval
7702header __FROM_ADDRLIST_BANKS eval:check_from_in_list('BANKS')
7703endif
7704endif
7705
7706if (version >= 3.004002)
7707ifplugin Mail::SpamAssassin::Plugin::WLBLEval
7708header __FROM_ADDRLIST_GOV eval:check_from_in_list('GOV')
7709endif
7710endif
7711
7712if (version >= 3.004002)
7713ifplugin Mail::SpamAssassin::Plugin::WLBLEval
7714header __FROM_ADDRLIST_PAYPAL eval:check_from_in_list('PAYPAL')
7715endif
7716endif
7717
7718if (version >= 3.004002)
7719ifplugin Mail::SpamAssassin::Plugin::WLBLEval
7720header __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD')
7721endif
7722endif
7723
7724header __FROM_ADDR_WS From:addr =~ /\s/
7725
7726header __FROM_ADMIN From =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i
7727
7728header __FROM_ALL_HEX From:addr =~ /^(?!(?:19|20)\d\d[01]\d[0-3]\d)(?![0-9a-f]*[a-f]{3})[0-9a-f]+\@/
7729
7730header __FROM_ALL_NUMS From:addr =~ /^\d+@/
7731
151f49fd
SI
# Brand indicators on the From header, consumed by __FROM_MISSP_PHISH.
# Rules on "From" see the whole header including the display name; rules on
# "From:addr" see only the address.
7732header __FROM_AMEX From =~ /american\s?express/i
7733
7734header __FROM_ASB_BANK From:addr =~ /\basb\.co\.nz$/i
7735
# Deliberately loose: any "bank" or "banco" substring anywhere in From.
7736header __FROM_BANK_LOOSE From =~ /ban(?:k|co)/i
7737
# NOTE(review): the group (?:2?-?paymentech) is not optional, so this matches
# only addresses ending in chasepaymentech.com, chase-paymentech.com and the
# "2" variants, never plain chase.com. If chase.com was intended the group
# needs a trailing "?". There is also no boundary before "chase". Confirm
# intent before changing.
7738header __FROM_CHASE From:addr =~ /chase(?:2?-?paymentech)\.com$/i
7739
7740header __FROM_CMNWLTH_BANK From:addr =~ /\bcommonwealth\.com\.au$/i
7741
b780ea8d
SI
7742header __FROM_DNS From =~ /(?<![^\w.-])dns(?:admin)?\@/i
7743
7744meta __FROM_DOM_ADMIN __FROM_ADMIN && __PDS_FROM_NAME_TO_DOMAIN
7745
7746header __FROM_DOM_INFO From:addr =~ /\.info$/i
7747
7748header __FROM_EBAY From:addr =~ /\@ebay\.com$/i
7749
151f49fd
SI
7750header __FROM_EBAY_LOOSE From =~ /\be-?bay\b/i
7751
46cfc9e2
SI
7752header __FROM_EQ_ORG_1 ALL =~ /\nFrom: "?([^\n]+)"? <[^>]+>\n.*Organization: \1\n/ism
7753
b780ea8d
SI
7754ifplugin Mail::SpamAssassin::Plugin::FreeMail
7755 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
7756 header __FROM_EQ_REPLY eval:check_fromname_equals_replyto()
7757endif
7758endif
7759
7760if (version >= 3.004001)
7761ifplugin Mail::SpamAssassin::Plugin::AskDNS
7762tflags __FROM_FMBLA_NDBLOCKED net
7763endif
7764endif
7765
7766if (version >= 3.004001)
7767ifplugin Mail::SpamAssassin::Plugin::AskDNS
7768tflags __FROM_FMBLA_NEWDOM net
7769endif
7770endif
7771
7772if (version >= 3.004001)
7773ifplugin Mail::SpamAssassin::Plugin::AskDNS
7774tflags __FROM_FMBLA_NEWDOM14 net
7775endif
7776endif
7777
7778if (version >= 3.004001)
7779ifplugin Mail::SpamAssassin::Plugin::AskDNS
7780tflags __FROM_FMBLA_NEWDOM28 net
7781endif
7782endif
7783
7784header __FROM_FULL_NAME From:name =~ /^[^a-z[:punct:][:cntrl:]\d\s][^[:punct:][:cntrl:]\d\s]*[[:punct:]\s]+[^a-z[:punct:][:cntrl:]\d\s]/
7785tflags __FROM_FULL_NAME nice
7786
151f49fd
SI
7787header __FROM_HSBC From:addr =~ /\bhsbc\.co\.uk$/i
7788
b780ea8d
SI
7789header __FROM_INFO From =~ /(?<![^\w.-])info\@/i
7790
151f49fd
SI
# Sub-rule: From address ends in lloydstsb.co.uk or lloydstsb.com.
# NOTE(review): (?:tsb) is a required group, so "lloyds.co.uk" / "lloyds.com"
# do not match. That agrees with the rule name, but if the bare "lloyds"
# domains were meant to be covered too the group needs a trailing "?".
7791header __FROM_LLOYDSTSB From:addr =~ /\blloyds(?:tsb)\.(?:co\.uk|com)$/i
7792
7793header __FROM_LOWER ALL =~ /from: \S{5}/
b780ea8d
SI
7794
7795header __FROM_MISSPACED From =~ /^\s*"[^"]*"</
7796
7797meta __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __LCL__ENV_AND_HDR_FROM_MATCH
7798
7799if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
7800 meta __FROM_MISSP_FREEMAIL 0
7801endif
7802
7803ifplugin Mail::SpamAssassin::Plugin::FreeMail
7804 meta __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
7805endif
7806
151f49fd
SI
# Phishing indicator: the From header is malformed in the way __FROM_MISSPACED
# detects (defined elsewhere in this file) AND it mentions one of the listed
# financial or payment brands. Several of the brand sub-rules are intentionally
# loose substring matches, so this meta identifies a claimed brand, not a
# verified sender.
7807meta __FROM_MISSP_PHISH __FROM_MISSPACED && (__FROM_ASB_BANK || __FROM_AMEX || __FROM_BANK_LOOSE || __FROM_CHASE || __FROM_CMNWLTH_BANK || __FROM_EBAY_LOOSE || __FROM_HSBC || __FROM_LLOYDSTSB || __FROM_PAYPAL_LOOSE || __FROM_WELLSFARGO || __FROM_WESTERNUNION)
7808
b780ea8d
SI
7809meta __FROM_MISSP_REPLYTO __FROM_RUNON && __HAS_REPLY_TO
7810
7811if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
7812 meta __FROM_MULTI_NORDNS __PDS_FROM_2_EMAILS && __RDNS_NONE
7813endif
7814
7815if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
7816 meta __FROM_MULTI_SHORT_IMG __PDS_FROM_2_EMAILS && (HTML_IMAGE_ONLY_16 || HTML_SHORT_LINK_IMG_2 || __HTML_IMG_ONLY)
7817endif
7818
46cfc9e2
SI
7819header __FROM_NAME_APPLECOM From:name =~ /\bapple\.com\b/i
7820
7821header __FROM_NAME_EBAYCOM From:name =~ /\bebay\.com\b/i
7822
b780ea8d
SI
7823full __FROM_NAME_IN_MSG /^From:\s+([^<]\S+\s\S+)\s(?=.{1,2048}^\1\r?$)/sm
7824
46cfc9e2
SI
7825header __FROM_NAME_PAYPALCOM From:name =~ /\bpaypal\.com\b/i
7826
b780ea8d
SI
7827header __FROM_PAYPAL From:addr =~ /\@paypal\.com$/i
7828
151f49fd
SI
7829header __FROM_PAYPAL_LOOSE From =~ /paypal/i
7830
b780ea8d
SI
7831header __FROM_RUNON From =~ /\S+<\w+/
7832
7833header __FROM_RUNON_UNCODED From:raw =~ /\S+(?<!\?=)<\w+/
7834
7835header __FROM_WEB_DAEMON From:addr =~ /(?:apache|www|web|tomcat|\biis\b).*\@/i
7836
151f49fd
SI
# Brand indicators on the From address for Wells Fargo and Western Union.
# Neither pattern has a boundary or "@" before the brand, so any address whose
# domain merely ends in the string (for example a longer look-alike name)
# also matches. That suits their use as a "claims this brand" signal in
# __FROM_MISSP_PHISH; they must not be reused as an allow-list test.
7837header __FROM_WELLSFARGO From:addr =~ /wellsfargo\.com$/i
7838
7839header __FROM_WESTERNUNION From:addr =~ /westernunion\.com$/i
7840
b780ea8d
SI
7841header __FROM_WORDY From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/
7842
7843if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7844 meta __FRT_PRICE 0
7845endif
7846
7847ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7848 body __FRT_PRICE /<inter SP2><post P2>\b(?!price)<P><R><IX><C><E>\b/i
7849endif
7850
7851rawbody __FR_SPACING_8 /[a-z0-9]{6}\s{8}[a-z0-9]{5}/i
7852
7853header __FSL_HAS_LIST_UNSUB exists:List-Unsubscribe
7854
7855header __FSL_HELO_BARE_IP_1 X-Spam-Relays-External =~ /^[^\]]+ helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} [^\]]*auth= /i
7856
b780ea8d
SI
7857header __FSL_HELO_USER_1 X-Spam-Relays-External =~ / helo=user /i
7858
7859header __FSL_HELO_USER_2 Received =~ /from User(?:\s+by|\s*[\[\(]|$)/i
7860
7861header __FSL_HELO_USER_3 Received =~ /(?:eh|he)lo(?:=|\s)User\)/i
7862
7863header __FSL_RELAY_GOOGLE X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.google\.com\.? /i
7864
7865header __FS_SUBJ_RE Subject =~ /^Re: /
7866
7867ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7868 body __FUZZY_DR_OZ /(?=<D>)(?!(?-i:D(?:r.|octor)(?:\s|&nbsp;)Oz))(?:<R>|<O><C>(?:<T><O><R>)?)\.?<WS>*<O><Z>(?:$|\W)/i
7869endif
7870
7871if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7872 meta __FUZZY_MONERO 0
7873endif
7874
7875ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7876 body __FUZZY_MONERO /(?=<M>)(?!monero)<M><O><N><E><R><O>/i
7877endif
7878
7879ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7880 body __FUZZY_PORN /(?=<P>)(?!pornograph?(?:y|i[ca]|er))<P><O><R><N><O><G><R><A><P><H>?(?:<Y>|<I><C>|<E><R>)/i
7881endif
7882
7883ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
151f49fd
SI
7884 body __FUZZY_TRUSTWALLET_BODY /(?=<T>)(?!Trust[-\s]?Wallet)<T><R><U><S><T>[-\s]*<W><A><L><L><E><T>/i
7885endif
7886
7887ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7888 header __FUZZY_TRUSTWALLET_FROM From =~ /(?=<T>)(?!Trust[-\s]?Wallet)<T><R><U><S><T>[-\s]*<W><A><L><L><E><T>/i
7889endif
7890
7891ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7892 body __FUZZY_WELLSFARGO_BODY /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>\S{0,2}[-\s]?<F><A><R><G><O>/i
b780ea8d
SI
7893endif
7894
7895ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
151f49fd 7896 header __FUZZY_WELLSFARGO_FROM From:name =~ /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>\S{0,2}[-\s]?<F><A><R><G><O>/i
b780ea8d
SI
7897endif
7898
7899if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7900 body __GAPPY_SALES_LEADS /\b(?:business|e?-?mail|your|marketing|advertising)\s(?!sales|leads|campaign)(?:s\s?a\s?l\s?e\s?s|l\s?e\s?a\s?d\s?s|c\s?a\s?m\s?p\s?a\s?i\s?g\s?n)\b/i
7901 tflags __GAPPY_SALES_LEADS multiple maxhits=3
7902endif
7903
7904if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7905 meta __GAPPY_SALES_LEADS_MANY __GAPPY_SALES_LEADS > 2
7906endif
7907
151f49fd
SI
7908meta __GB_BITCOIN_CP_DE ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_DE )
7909describe __GB_BITCOIN_CP_DE German Bitcoin scam
7910
7911meta __GB_BITCOIN_CP_EN ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_EN )
7912describe __GB_BITCOIN_CP_EN English Bitcoin scam
7913
7914meta __GB_BITCOIN_CP_ES ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_ES )
7915describe __GB_BITCOIN_CP_ES Spanish Bitcoin scam
7916
7917meta __GB_BITCOIN_CP_FR ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_FR )
7918describe __GB_BITCOIN_CP_FR French Bitcoin scam
7919
7920meta __GB_BITCOIN_CP_IT ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_IT )
7921describe __GB_BITCOIN_CP_IT Italian Bitcoin scam
7922
7923meta __GB_BITCOIN_CP_NL ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_NL )
7924describe __GB_BITCOIN_CP_NL Dutch Bitcoin scam
7925
7926meta __GB_BITCOIN_CP_SE ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_SE )
7927describe __GB_BITCOIN_CP_SE Swedish Bitcoin scam
7928
dfdd1e08
SI
7929if (version >= 4.000000)
7930if can(Mail::SpamAssassin::Conf::feature_capture_rules)
fc5290a3 7931 uri __GB_CUSTOM_HTM_URI0 m;^https?://.{10,128}(?:\.html?|\.php|\/)?(?:\#|\?&e=)%{GB_TO_ADDR};i
dfdd1e08
SI
7932endif
7933endif
7934
# __GB_CUSTOM_HTM_URI1: an http(s) URL that embeds a second http(s) URL after
# an `=` (the shape of a redirect-style parameter), followed by `#` and the
# recipient address held in the named capture GB_TO_ADDR.
# Defined only on SpamAssassin >= 4.0 with the capture-rules feature, because
# the pattern depends on the %{GB_TO_ADDR} substitution.
# A link that already carries the recipient's own address is personalised per
# target; presumably this is used as a phishing indicator - the file does not
# state the intent.
7935if (version >= 4.000000)
7936if can(Mail::SpamAssassin::Conf::feature_capture_rules)
7937 uri __GB_CUSTOM_HTM_URI1 m|^https?://.{10,64}\=https?://.{4,64}\#%{GB_TO_ADDR}|i
7938endif
7939endif
7940
7941if (version >= 4.000000)
7942if can(Mail::SpamAssassin::Conf::feature_capture_rules)
fc5290a3 7943 uri __GB_CUSTOM_HTM_URI2 m;^https?://.{10,256}(?:\/\?)?(?:(?<!blocker)email=|audit\#|wapp\#)%{GB_TO_ADDR};i
dfdd1e08
SI
7944endif
7945endif
7946
# __GB_DRUPAL_URI: an http(s) URL whose path contains `/default/files/`,
# optionally followed by `@`, then `#` and the recipient address held in the
# named capture GB_TO_ADDR.
# Presumably `/default/files/` refers to the upload directory of a Drupal site
# (per the rule name) - TODO confirm; the pattern itself only checks the path.
# Defined only on SpamAssassin >= 4.0 with the capture-rules feature.
7947if (version >= 4.000000)
7948if can(Mail::SpamAssassin::Conf::feature_capture_rules)
7949 uri __GB_DRUPAL_URI m|^https?://.{10,64}/default/files/(?:\@)?\#%{GB_TO_ADDR}|i
7950endif
7951endif
7952
151f49fd 7953header __GB_FAKE_RF Subject =~ /(?:Fw|Re)\:{1,2}[\W+]/i
b780ea8d 7954
dfdd1e08
SI
# Capture rule: stores the address part of the To header in the named capture
# GB_TO_ADDR. The __GB_*_URI rules in this file reference it as %{GB_TO_ADDR}
# to test whether a URL carries the recipient's own address.
# Both guards must hold: SpamAssassin >= 4.0 and the capture-rules feature.
# NOTE(review): `.*` also succeeds on an empty string. Confirm how an empty
# capture is substituted, so that the dependent uri rules cannot degrade to
# matching any URL that merely contains their literal prefix (such as `#`).
# NOTE(review): To: is sender-controlled. Presumably the captured text is
# regex-quoted before substitution into other patterns - verify against the
# Mail::SpamAssassin::Conf documentation.
7955if (version >= 4.000000)
7956if can(Mail::SpamAssassin::Conf::feature_capture_rules)
7957 header __GB_TO_ADDR To:addr =~ /(?<GB_TO_ADDR>.*)/
7958endif
7959endif
31955ede 7960
b780ea8d
SI
7961body __GHANA /\bghana\b/i
7962
7963ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7964mimeheader __GIF_ATTACH Content-Type =~ /^image\/gif\b/i
7965endif
7966
# Advance-fee / donation lure phrases in English, French and Polish ("give you
# this money", "donated ... to charity", "faire don de la somme", ...).
# NOTE(review): two escapes look unintended and narrow the match:
#   - `(?:\w\+\s){0,3}` requires a literal `+` after a single word character,
#     so ordinary filler words between "donated" and its object are not
#     skipped; `(?:\w+\s){0,3}` was presumably meant.
#   - `philanthropists\?` requires a literal `?`, and the trailing `\b` then
#     needs a word character right after it; `philanthropists?` was presumably
#     meant.
# Left unchanged here; confirm against the upstream rule source before editing.
7967body __GIVE_MONEY /\b(?:(?:give\syou\s(?:this\s)?(?:money|fund|inheritance))|(?:donated?\s(?:\w\+\s){0,3}(?:the\ssum\sof|(?:(?:the|this|some)\s(?:money|funds?|inheritance)|to\s)(?:you|(?:(?:the|a)\s)?church|charit(?:y|ies)|humanit\w+|needy|poor|orphan(?:age)?s?|philanthropists\?)))|de vous donner cet argent|faire don de la somme|voudrais en faire don|tego funduszu do dom(?:=F3|[\xf3])w (?:dziecka|wdowy))\b/i
7968
7969meta __GOOGLE_DOCS_PHISH_1 __URI_GOOGLE_DOC && (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST)
7970
7971meta __GOOGLE_DOCS_PHISH_2 __URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY
7972
7973meta __GOOGLE_DOC_SUSP __URI_GOOGLE_DOC && (__HAS_DOMAINKEY_SIG || __RDNS_NONE || __SYSADMIN || __STY_INVIS || LOTS_OF_MONEY || __XFER_MONEY || __ADVANCE_FEE_2_NEW) && !ALL_TRUSTED
7974
# __GOOG_MALWARE_DNLD: URL on a subdomain of google.com whose path ends in
# `url`, followed by a query string that later contains `download` preceded by
# `?`, `&` or `/`.
# __GOOG_REDIR: URL on a subdomain of google.com whose path is exactly `/url`
# followed by a query string. Presumably this is the redirector endpoint (the
# rule name says so; the file does not).
# A redirect through a well-known host shows that host in the link while the
# final destination sits in the query string, so these are sub-rules for metas
# rather than verdicts on their own.
# NOTE(review): both patterns require a dot before `google.com`, so a URL on
# the bare `google.com` host is not covered; confirm that is intended.
7975uri __GOOG_MALWARE_DNLD m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&/]download;i
7976
7977uri __GOOG_REDIR m;^https?://[^/]*\.google\.com/url\?;i
7978
7979meta __GOOG_STO_HTML_PHISH __URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY
7980
7981meta __GOOG_STO_IMG_HTML_1 __URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML
7982
7983meta __GOOG_STO_IMG_NOHTML __URI_GOOG_STO_IMG && !__URI_GOOG_STO_HTML
7984
7985meta __GOOG_STO_NOIMG_HTML !__URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML
7986
7987body __HAS_ANY_EMAIL /\w@\S+\.\w/
7988
7989uri __HAS_ANY_URI /^\w+:\/\//
7990
7991header __HAS_CAMPAIGNID exists:X-Campaignid
7992
7993header __HAS_CID exists:X-CID
7994
7995header __HAS_COMPLAINT_TO exists:Complaint-To
7996
7997header __HAS_DOMAINKEY_SIG exists:DomainKey-Signature
7998
7999describe __HAS_HREF Has an anchor tag with a href attribute in non-quoted line
8000rawbody __HAS_HREF /^[^>].*?<a href=/im
8001tflags __HAS_HREF multiple maxhits=100
8002
8003describe __HAS_HREF_ONECASE Has an anchor tag with a href attribute in non-quoted line with consistent case
151f49fd 8004rawbody __HAS_HREF_ONECASE /^[^>].*?<(?:a href|A HREF)=/m
b780ea8d
SI
8005tflags __HAS_HREF_ONECASE multiple maxhits=100
8006
8007describe __HAS_IMG_SRC Has an img tag on a non-quoted line
8008rawbody __HAS_IMG_SRC /^[^>].*?<img src=/im
8009tflags __HAS_IMG_SRC multiple maxhits=100
8010
8011rawbody __HAS_IMG_SRC_DATA /^[^>].*?<img src=['"]data/im
8012
8013describe __HAS_IMG_SRC_ONECASE Has an img tag on a non-quoted line with consistent case
151f49fd 8014rawbody __HAS_IMG_SRC_ONECASE /^[^>].*?<(?:img src|IMG SRC)=/m
b780ea8d
SI
8015tflags __HAS_IMG_SRC_ONECASE multiple maxhits=100
8016
8017header __HAS_LIST_OPEN exists:List-Open
8018
8019header __HAS_LOGID exists:logid
8020
8021header __HAS_MESSAGEID exists:MessageID
8022
8023header __HAS_PHP_ORIG_SCRIPT exists:X-PHP-Originating-Script
8024
8025header __HAS_PHP_SCRIPT exists:X-PHP-Script
8026
8027header __HAS_THREAD_INDEX exists:Thread-Index
8028
8029header __HAS_TRACKING_CODE exists:Tracking-Code
8030
8031body __HAS_WON_01 /\bque ha ganado\b/i
8032
8033header __HAS_XM_LID exists:X-Mailer-LID
8034
8035header __HAS_XM_RECPTID exists:X-Mailer-RecptId
8036
8037header __HAS_XM_SENTBY exists:X-Mailer-Sent-By
8038
8039header __HAS_XM_SID exists:X-Mailer-SID
8040
151f49fd
SI
8041header __HAS_X_ANTIABUSE exists:X-AntiAbuse
8042
8043header __HAS_X_AUTHED_SENDER exists:X-Authenticated-Sender
8044
b780ea8d
SI
8045header __HAS_X_EBSERVER exists:X-EBSERVER
8046
151f49fd
SI
8047header __HAS_X_ENTITY_ID exists:X-Entity-ID
8048
b780ea8d
SI
8049header __HAS_X_LETTER exists:X-Letter
8050
8051header __HAS_X_NO_RELAY exists:X-No-Relay
8052
8053header __HAS_X_OUTGOING_SPAM_STAT exists:X-OutGoing-Spam-Status
8054
31955ede
SI
8055header __HAS_X_SENDER exists:X-Sender
8056
b780ea8d
SI
8057header __HAS_X_SOURCE_DIR exists:X-Source-Dir
8058
8059header __HDRS_LCASE ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm
8060tflags __HDRS_LCASE multiple maxhits=3
8061
8062meta __HDRS_LCASE_KNOWN __MSGID_JAVAMAIL || __UA_MSOEMAC || __UA_MSOMAC || __MSGID_APPLEMAIL || __MSGID_HEX_UID || __MSGID_HEXISH
8063
8064header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism
8065
cabe596e
SI
8066header __HDR_CASE_REVERSED ALL =~ /^(?!DomainKey)[^-:\s]*[a-z][A-Z]/m
8067tflags __HDR_CASE_REVERSED multiple maxhits=4
8068
31955ede
SI
8069header __HDR_ENVFROM_SHOPIFY X-Spam-Relays-External =~ /\shelo=\S+\.mailer\.shopify\.com\s(?:[^\]\s]+\s)*envfrom=\S+\.shopifyemail\.com\s/
8070
b780ea8d
SI
8071header __HDR_ORDER_FTSDMCXXXX ALL =~ /\nFrom: .{1,80}?\nTo: .{1,80}?\nSubject: .{1,200}?\nDate: .{1,40}?\nMIME-Version: .{1,40}?\nContent-Type: .{1,120}?\nX-Priority: .{1,40}?\nX-MSMail-Priority: .{1,40}?\nX-Mailer: .{1,80}?\nX-MimeOLE:/s
8072
# __HDR_RCVD_ALIBABA / __HDR_RCVD_AMAZON: some entry of X-Spam-Relays-External
# has a reverse-DNS name under alibaba.com, or under amazon.com / amazonses.com.
# `\S+\.` requires at least one label in front of the domain and the trailing
# `\s` ends the name, so `<domain>.<something-else>` does not match.
# NOTE(review): the pattern is not anchored to the first entry (compare the
# `^[^\]]+` prefix used by __FSL_RELAY_GOOGLE in this file). Entries after the
# first are derived from Received headers written by hosts outside the trust
# boundary, so a hit is a hint about the claimed path, not proof of origin.
# Confirm that metas consuming these sub-rules only use them that way.
8073header __HDR_RCVD_ALIBABA X-Spam-Relays-External =~ /\srdns=\S+\.alibaba\.com\s/
8074
8075header __HDR_RCVD_AMAZON X-Spam-Relays-External =~ /\srdns=\S+\.amazon(?:ses)?\.com\s/
8076
46cfc9e2
SI
8077header __HDR_RCVD_AMAZON_HELO X-Spam-Relays-External =~ /\srdns=\shelo=[^.]+\.smtp-out\.amazonses\.com\s/
8078
8079header __HDR_RCVD_APPLE X-Spam-Relays-External =~ /\srdns=\S+\.apple\.com\s/
8080
31955ede
SI
8081header __HDR_RCVD_BEBEE X-Spam-Relays-External =~ /\srdns=\S+\.bebee\.com\s/
8082
b780ea8d
SI
8083header __HDR_RCVD_EBAY X-Spam-Relays-External =~ /\srdns=\S+\.ebay\.com\s/
8084
31955ede
SI
8085header __HDR_RCVD_FACEBOOK X-Spam-Relays-External =~ /\srdns=\S+\.facebook\.com\s/
8086
b780ea8d
SI
8087header __HDR_RCVD_GOOGLE X-Spam-Relays-External =~ / rdns=mail-\S+\.google\.com\.?\s/
8088
8089header __HDR_RCVD_KEEPA X-Spam-Relays-External =~ /\srdns=\S+\.keepa\.com\s/
8090
46cfc9e2
SI
8091header __HDR_RCVD_LINKEDIN X-Spam-Relays-External =~ /\srdns=\S+\.linkedin\.com\s/
8092
b780ea8d
SI
8093header __HDR_RCVD_NEWEGG X-Spam-Relays-External =~ /\srdns=\S+\.newegg\.com\s/
8094
46cfc9e2
SI
8095header __HDR_RCVD_PAYPAL X-Spam-Relays-External =~ /\srdns=\S+\.paypal\.com\s/
8096
b780ea8d
SI
8097header __HDR_RCVD_SHOPIFY X-Spam-Relays-External =~ /\srdns=\S+\.shopify\.com\s/
8098
46cfc9e2
SI
8099header __HDR_RCVD_TAGSTAT X-Spam-Relays-External =~ /\srdns=\S+\.tagstat\.com\s/
8100
31955ede
SI
8101header __HDR_RCVD_TARINGANET X-Spam-Relays-External =~ /\srdns=\S+\.taringa\.net\s/
8102
b780ea8d
SI
8103header __HDR_RCVD_TONLINEDE X-Spam-Relays-External =~ /\srdns=\S+\.t-online\.de\s/
8104
8105header __HDR_RCVD_WALMART X-Spam-Relays-External =~ /\srdns=\S+\.walmart\.com\s/
8106
8107ifplugin Mail::SpamAssassin::Plugin::AskDNS
8108tflags __HELO_DNS net
8109endif
8110
8111header __HELO_HIGHPROFILE X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:hotmail|gmail|google|yahoo|msn|microsoft|outlook|paypal|xxx)\.[\w]+\b/i
8112
b780ea8d
SI
# Both rules start with `^[^\]]+`, which cannot cross a `]`, so they only look
# at the first relay entry of X-Spam-Relays-External.
# __HELO_NOT_RDNS: that entry has a non-empty rdns= value and a helo= value
# that does not begin with it (compared case-insensitively).
# NOTE(review): this is a prefix comparison, not equality - a HELO string that
# starts with the rDNS name and then continues is still treated as agreeing.
# __HELO_NO_DOMAIN: the helo= value contains no dot at all.
8113header __HELO_NOT_RDNS X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!(?i)\1)\S/
8114
8115header __HELO_NO_DOMAIN X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ /
8116
8117body __HEXHASHWORD_S2EU /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}(?!-?\d{1,5}-)(?!\d{10}\s)(?:(?!--)[-0-9a-f]){10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/
8118tflags __HEXHASHWORD_S2EU multiple maxhits=4
8119
8120body __HK_LOTTO_2 /\blot(?:eri[ej]|t(?:ery|o)) ?(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department)/i
8121
8122body __HK_LOTTO_BALLOT /\b(?:promotional|on.?line|computer|internet|e-?mail|fran.aise) (?:ballot|draw|sweepstake)/i
8123
8124body __HK_LOTTO_STAATS /\bstaatsloteri/i
8125
8126ifplugin Mail::SpamAssassin::Plugin::FreeMail
8127if (version >= 3.004000)
8128 header __HK_NAME_FROM From:name =~ /^FROM\b/mi
8129endif
8130endif
8131
8132ifplugin Mail::SpamAssassin::Plugin::FreeMail
8133if (version >= 3.004000)
8134 header __HK_NAME_MR_MRS From:name =~ /^M(?:RS?|ISS)\b/mi
8135endif
8136endif
8137
8138body __HK_SCAM_N15 /\b(?:account (?:overseas?|offshore)|(?:overseas?|offshore) account)\b/i
8139
8140body __HK_SCAM_N16 /\b(?:arrangement secret|secret arrangement)\b/i
8141
8142body __HK_SCAM_N2 /\bnext of kin\b/i
8143
8144body __HK_SCAM_N3 /\bdirect telephone numbers?\b/i
8145
8146body __HK_SCAM_N8 /\byour compensation\b/i
8147
8148body __HK_SCAM_S1 /pay you the sum of/i
8149
8150body __HK_SCAM_S15 /(?:discovered a dormant account|can you be my partner)/i
8151
8152body __HK_SCAM_S25 /\bbank (?:in|of) ghana/i
8153
8154ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8155mimeheader __HK_SPAMMY_CDFN Content-Disposition =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
8156endif
8157
8158ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8159mimeheader __HK_SPAMMY_CTFN Content-Type =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
8160endif
8161
31955ede 8162meta __HOSTED_IMG_DIRECT_MX __DOS_DIRECT_TO_MX && __URI_HOSTED_IMG
b780ea8d 8163
31955ede 8164meta __HOSTED_IMG_DQ_UNSUB __URI_DQ_UNSUB && __URI_HOSTED_IMG
b780ea8d 8165
31955ede 8166meta __HOSTED_IMG_FREEM ( FREEMAIL_REPLYTO || FREEMAIL_FROM ) && __URI_HOSTED_IMG
b780ea8d 8167
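# Sums the image-hosting sub-rules and fires when the total exceeds 1, i.e.
# when images from more than one of the listed hosting services are referenced
# (assuming each sub-rule contributes 0 or 1 - TODO confirm none of them is
# declared with `tflags multiple`).
# Each __URI_IMG_* term must appear exactly once. __URI_IMG_JOOMCDN was listed
# twice, so a message using that single host alone summed to 2 and satisfied
# the "> 1" test; the duplicate term is removed here.
# NOTE(review): the file header says this file is overwritten by rule updates,
# so the same correction has to reach the rule's upstream source to persist.
meta __HOSTED_IMG_MULTI ( __URI_IMG_EBAY + __URI_IMG_AMAZON + __URI_IMG_ALICDN + __URI_IMG_WALMART + __URI_IMG_NEWEGG + __URI_IMG_SHOPIFY + __URI_IMG_YTIMG + __URI_IMG_JOOMCDN + __URI_IMG_WISH + __URI_IMG_WP_REDIR + __URI_IMG_STATICBG + __URI_IMG_CHANNYPIC + __URI_IMG_TOPHATTER + __URI_IMG_GBTCDN + __URI_IMG_LINKEDIN + __URI_IMG_TUMBLR + __URI_IMG_TAGSTAT + __URI_IMG_FACEBOOK + __URI_IMG_TARINGANET + __URI_IMG_BEBEE + __URI_IMG_EFUSERASSETS + __URI_IMG_IMGBOX_THUMB + __URI_IMG_500PXORG + __URI_IMG_WIXMP + __URI_IMG_POSTIMGCC + __URI_IMG_GTRACING + __URI_IMG_DHRESOURCE + __URI_IMG_CWINDOWSNET) > 1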
b780ea8d
SI
8169
8170if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
151f49fd 8171 body __HOURS_DEADLINE /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(?:\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three|a few)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i
b780ea8d
SI
8172endif
8173
8174ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
151f49fd 8175 body __HOURS_DEADLINE /(?:^|\s)(?:(?:<G><I><V><E>\s<Y><O><U>|<G><E><B><E>\s<I><H><N><E><N>(?:\s<N><U><R>)?|<Y><O><U>\s(?:<W><I><L><L>\s)?<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?|<W><I><T><H><I><N>)(?:(?:\s<T><H><E>)?\s(?:<L><A><S><T>|<N><E><X><T>))?\s(?:\d+|<O><N><E>|<T><W><O>|<T><H><R><E><E>|<A> <F><E><W>)\s?(?:<H><O><U><R><S>?|<H><R>\s?<S>?|<D><A><Y><S>?|<S><T><U><N><D><E><N>)|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\s<H><O><U><R><S>?\s<B><E><F><O><R><E>\s(?:<S><E><N><D><I><N><G>|<R><E><L><E><A><S><I><N><G>|<E><X><P><O><S><I><N><G>|<P><U><B><L><I><S><H><I><N><G>)|(?:<T><H><E>|<Y><O><U><R>)\s<D><E><A><D><L><I><N><E>\s(?:<I><S>|<W><I><L><L>\s<B><E>))/i
b780ea8d
SI
8176endif
8177
151f49fd
SI
8178rawbody __HREF_EMPTY /href=""/
8179
8180meta __HREF_EMPTY_NORDNS __HREF_EMPTY && __RDNS_NONE
8181
8182meta __HREF_EMPTY_PHPMAIL __HREF_EMPTY && (__PHPMAILER_MUA || __XMAIL_PHPMAIL)
8183
8184meta __HREF_EMPTY_XANTIABUSE __HREF_EMPTY && __HAS_X_ANTIABUSE
8185
8186meta __HREF_EMPTY_XAUTHED __HREF_EMPTY && __HAS_X_AUTHED_SENDER
8187
b780ea8d
SI
8188rawbody __HS_QUOTE /^> /
8189
8190header __HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/
8191
8192if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8193 meta __HTML_ATTACH_01 0
8194endif
8195
8196ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
151f49fd 8197 mimeheader __HTML_ATTACH_01 Content-Type =~ m,\btext/html\b.+\.[a-z]?html?\b,i
b780ea8d
SI
8198endif
8199
8200if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8201 meta __HTML_ATTACH_02 0
8202endif
8203
8204ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
151f49fd 8205 mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.[a-z]?html?\b,i
b780ea8d
SI
8206endif
8207
# __HTML_ENTITY_ASCII: ten consecutive numeric character references whose code
# point is in the ASCII range - decimal 0-127 (`\d{1,2}|1[01]\d|12[0-7]`) or
# hex 00-7f (`x[0-7][0-9a-f]`). Up to 64 whitespace characters are tolerated
# before and after each `;`.
# Text that could have been written as plain ASCII but is spelled out as
# entities renders normally while looking different in the raw body;
# presumably the rule targets that kind of obfuscation - the intent is not
# stated in the file.
# __HTML_ENTITY_ASCII_MINFP: the same hit, suppressed when any of the listed
# sub-rules (DKIM present, several rDNS patterns, 8-bit body, mailing list, ...)
# also fires.
8208rawbody __HTML_ENTITY_ASCII /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){10}/i
8209
8210meta __HTML_ENTITY_ASCII_MINFP __HTML_ENTITY_ASCII && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML
8211
31955ede 8212meta __HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII && (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT)
b780ea8d
SI
8213
8214rawbody __HTML_FONT_TINY_01 /font-size:\s{0,5}[0-4]px;/i
8215
31955ede
SI
8216rawbody __HTML_FONT_TINY_02 /<font\s[^>]{0,80}size\s*=\s*["']?-(?:[2-9]|[1-9]\d+)["']?[^>]{0,80}>/i
8217
8218meta __HTML_FONT_TINY_NORDNS (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT) && __RDNS_NONE
8219
b780ea8d
SI
8220rawbody __HTML_OFF_PAGE /;(?:top|left):-\d{3,9}px;/i
8221
8222if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8223 rawbody __HTML_SHRT_CMNT_OBFU /\w<!--\s*\w+\s*-->\w/
8224 tflags __HTML_SHRT_CMNT_OBFU multiple maxhits=10
8225endif
8226
8227if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8228 meta __HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU > 5 && HTML_MESSAGE
8229endif
8230
8231rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i
8232tflags __HTML_SINGLET multiple maxhits=21
8233
b780ea8d
SI
8234meta __HTML_SINGLET_MANY __HTML_SINGLET > 20
8235
8236ifplugin Mail::SpamAssassin::Plugin::HTMLEval
8237 body __HTML_TAG_BALANCE_CENTER eval:html_tag_balance('center', '!= 0')
8238endif
8239
8240body __HUSH_HUSH /\b(?:confiden[tc]i[ae]l(?:\b|ity\b|it(?:=E9|[\xe9]|[\xc3][\xa9]))|private\b|secr[e\xe8](?:te?|cy)\b|sensitive\b|concealed\b|obscured?\b|discre(?:et|tion)\b|very\sdiscrete|top\ssecret|vertraulich(?:en)?\b|geheim\b|priv(?:e|=E9|[\xe9]|[\xc3][\xa9]))/i
8241
8242uri __IMGUR_IMG m,^https?://(?:[^.]+\.)?imgur\.com/[a-z0-9]{7}\.(?:png|gif|jpe?g)$,i
8243tflags __IMGUR_IMG multiple maxhits=4
8244
8245meta __IMGUR_IMG_2 __IMGUR_IMG == 2
8246
8247meta __IMGUR_IMG_3 __IMGUR_IMG == 3
8248
8249if !plugin(Mail::SpamAssassin::Plugin::ImageInfo)
8250 meta __IMG_LE_300K 0
8251endif
8252
8253ifplugin Mail::SpamAssassin::Plugin::ImageInfo
8254 body __IMG_LE_300K eval:pixel_coverage('all',62500,300000)
8255endif
8256
8257body __INHERIT_PMT /\binheritance\spayment\s/i
8258
8259body __INTL_BANK /\b(?:international\s(?:\w+\s)?bank|banque\sinternationale)\b/i
8260
8261body __INVEST_COUNTRY /\binvest\sin\syour?\scountry\b/i
8262
8263body __INVEST_MONEY /\binvest(?:ir)?\s(?:this|ces|d[ae]s|sur ce|de ces)\s(?:money|f[ou]nds?)\b/i
8264
# Fires when the first entry of X-Spam-Relays-External (anchored by `^\[ ip=`)
# has an rdns= or helo= value that embeds that relay's own IPv4 octets, in
# forward or reversed order, each pair separated by exactly one non-digit
# character. Constructed sample: ip=192.0.2.10 with
# rdns=host-192-0-2-10.example.net.
# Presumably aimed at auto-generated hostnames of address pools - the file
# does not state the intent.
# IPv4 only: ip= must be a dotted quad for the four captures to be filled.
8265header __IP_IN_RELAY X-Spam-Relays-External =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) (?:[^\]]* )?(?:rdns|helo)=\S*(?:\1\D\2\D\3\D\4|\4\D\3\D\2\D\1)/
8266
# Disk-image attachment detection, by file name and by declared media type.
# Each rule is defined as the constant 0 when the MIMEHeader plugin is not
# loaded, presumably so that metas referencing it still evaluate.
8267if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8268 meta __ISO_ATTACH 0
8269endif
8270
8271ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# __ISO_ATTACH: a MIME part whose Content-Disposition filename ends in `.iso`.
# NOTE(review): in `[";$]` the `$` sits inside a character class and is a
# literal dollar sign, not an end-of-string anchor. An unquoted filename that
# ends the header value (nothing after `.iso`) is therefore not matched;
# confirm whether `(?:[";]|$)` was intended.
8272 mimeheader __ISO_ATTACH Content-Disposition =~ m,\bfilename="?[^"]+\.iso[";$],i
8273endif
8274
8275if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8276 meta __ISO_ATTACH_MT 0
8277endif
8278
8279ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# __ISO_ATTACH_MT: a MIME part declared as application/x-iso9660-image. It is
# independent of the file name, so it also covers images whose name is not `.iso`.
8280 mimeheader __ISO_ATTACH_MT Content-Type =~ m,\bapplication/x-iso9660-image\b,i
8281endif
8282
151f49fd 8283body __IS_LEGAL /\b(?:(?:(?:this|esta)\s(?:deal|offer|transac[tc]i(?:o|[\xc3][\xb3])n|proposal|exchange|arrangement|work)|it)?\s[ie]s\s(?:(?:guaranteed|completely|absolutely|perfectly|100%|very|fully)\s)?(?:legal|hitch-free|seguro|legitimate)|legitimate\sarrangement|toute?\sl(?:e|=E9|[\xe9]|[\xc3][\xa9])gale)\b/i
b780ea8d
SI
8284
8285body __IVORY_COAST /\b(?:Cote\s?D.Ivoire|Ivory\s?Coast|Costa\sde\sMarfil)\b/i
8286
8287body __I_INHERIT /\b(?:I|eu)\s[a-z\s]{0,30}(?:inherited|herdei)\b/i
8288
8289body __I_WILL_YOU /\bwill(?:ed)?\s(?:[a-z\s]{0,20}(?:fortune|money|\$[\d,]+[a-z]{0,9})\s)?to\syou\b/i
8290
8291header __JM_REACTOR_DATE Date =~ / \+0000$/
8292
8293ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8294 mimeheader __JPEG_ATTACH Content-Type =~ /image\/jpe?g/i
8295endif
8296
# A MIME part whose Content-Type declares charset utf-7, optionally with a
# `unicode-N-N-` prefix (for example unicode-1-1-utf-7); case-insensitive.
# UTF-7 lets markup be written using only ASCII characters, which is why
# content filters commonly treat the charset itself as suspicious.
# NOTE(review): no `meta ... 0` fallback for this rule is visible in this part
# of the file for the case where MIMEHeader is not loaded; confirm that rules
# depending on it tolerate that.
8297ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8298mimeheader __KAM_BLOCK_UTF7_2 Content-Type =~ /charset=(?:unicode-\d+-\d+-)?utf-7/i
8299endif
8300
8301ifplugin Mail::SpamAssassin::Plugin::BodyEval
8302 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8303 body __KAM_BODY_LENGTH_LT_1024 eval:check_body_length('1024')
8304 describe __KAM_BODY_LENGTH_LT_1024 The length of the body of the email is less than 1024 bytes.
8305endif
8306endif
8307
8308ifplugin Mail::SpamAssassin::Plugin::BodyEval
8309 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8310 body __KAM_BODY_LENGTH_LT_128 eval:check_body_length('128')
8311 describe __KAM_BODY_LENGTH_LT_128 The length of the body of the email is less than 128 bytes.
8312endif
8313endif
8314
8315ifplugin Mail::SpamAssassin::Plugin::BodyEval
8316 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8317 body __KAM_BODY_LENGTH_LT_256 eval:check_body_length('256')
8318 describe __KAM_BODY_LENGTH_LT_256 The length of the body of the email is less than 256 bytes.
8319endif
8320endif
8321
8322ifplugin Mail::SpamAssassin::Plugin::BodyEval
8323 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8324 body __KAM_BODY_LENGTH_LT_512 eval:check_body_length('512')
8325 describe __KAM_BODY_LENGTH_LT_512 The length of the body of the email is less than 512 bytes.
8326endif
8327endif
8328
8329if !plugin(Mail::SpamAssassin::Plugin::HTMLEval)
8330meta __KAM_HTML_FONT_INVALID 0
8331endif
8332
8333ifplugin Mail::SpamAssassin::Plugin::HTMLEval
8334body __KAM_HTML_FONT_INVALID eval:html_test('font_invalid_color')
8335endif
8336
151f49fd 8337body __KAM_LOTTO2 /(?:(?:ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is
b780ea8d
SI
8338
8339header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t/
8340
8341header __KB_MSGID_OUTLOOK_888 Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/
8342
8343meta __KHOP_NO_FULL_NAME !(__NOT_A_PERSON || __FROM_ENCODED_QP || __FROM_NEEDS_MIME || __FROM_FULL_NAME)
8344
8345if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
8346 meta __LARGE_PERCENT_AFTER 0
8347endif
8348
8349if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8350 body __LARGE_PERCENT_AFTER /\d{3}% after/i
8351 tflags __LARGE_PERCENT_AFTER multiple maxhits=4
8352endif
8353
8354if !plugin(Mail::SpamAssassin::Plugin::HeaderEval)
8355 meta __LCL__ENV_AND_HDR_FROM_MATCH 0
8356endif
8357
8358ifplugin Mail::SpamAssassin::Plugin::HeaderEval
8359 meta __LCL__ENV_AND_HDR_FROM_MATCH __ENV_AND_HDR_FROM_MATCH
8360endif
8361
8362if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
8363 meta __LCL__KAM_BODY_LENGTH_LT_1024 0
8364endif
8365
8366ifplugin Mail::SpamAssassin::Plugin::BodyEval
8367if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length))
8368 meta __LCL__KAM_BODY_LENGTH_LT_1024 0
8369endif
8370endif
8371
8372ifplugin Mail::SpamAssassin::Plugin::BodyEval
8373 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8374 meta __LCL__KAM_BODY_LENGTH_LT_1024 __KAM_BODY_LENGTH_LT_1024
8375endif
8376endif
8377
8378if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
8379 meta __LCL__KAM_BODY_LENGTH_LT_128 0
8380endif
8381
8382ifplugin Mail::SpamAssassin::Plugin::BodyEval
8383if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length))
8384 meta __LCL__KAM_BODY_LENGTH_LT_128 0
8385endif
8386endif
8387
8388ifplugin Mail::SpamAssassin::Plugin::BodyEval
8389 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8390 meta __LCL__KAM_BODY_LENGTH_LT_128 __KAM_BODY_LENGTH_LT_128
8391endif
8392endif
8393
8394if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
8395 meta __LCL__KAM_BODY_LENGTH_LT_512 0
8396endif
8397
8398ifplugin Mail::SpamAssassin::Plugin::BodyEval
8399if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length))
8400 meta __LCL__KAM_BODY_LENGTH_LT_512 0
8401endif
8402endif
8403
8404ifplugin Mail::SpamAssassin::Plugin::BodyEval
8405 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8406 meta __LCL__KAM_BODY_LENGTH_LT_512 __KAM_BODY_LENGTH_LT_512
8407endif
8408endif
8409
46cfc9e2
SI
8410meta __LINKED_IMG_NOT_RCVD_LINK __URI_IMG_LINKEDIN && !__HDR_RCVD_LINKEDIN
8411
b780ea8d
SI
8412meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID
8413
8414meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1
8415
8416meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR
8417
8418body __LITECOIN_ID /\b(?<!=)[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b/
8419
# Sub-rule that, per its name, flags URLs that are not on paypal.com: an
# http(s) URL whose first host label is followed by something other than
# `paypal.com`.
# NOTE(review): the negative lookahead is evaluated only at the position right
# after the first label's dot, so the host is never compared as a whole:
#   - `https://paypal.com/` itself matches (the lookahead sees `com`), so this
#     sub-rule alone does not establish that a link leaves PayPal;
#   - a host shaped like <label>.paypal.com.<other-domain> does not match.
# Consider testing the registered domain at the end of the host name instead,
# and confirm how the metas that consume this sub-rule compensate.
8420uri __LOCAL_PP_NONPPURL m'https?://(?:[A-Za-z0-9-_]+)\.(?!paypal\.com)(?:[A-Za-z0-9-_\.]+)'i
8421
8422body __LOCK_MAILBOX /\b(?:(?:deactivate|lock(?: up)?|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server)|you will be deactivated|(?:account|e?-?mail(?: ?box)?) (?:will (?:be )?)?(?:shut ?down|expire|deactivate)|we have (?:stopped|suspended) (?:processing|accepting) (?:any )?(?:incoming|new|fresh) email)/i
8423tflags __LOCK_MAILBOX multiple maxhits=2
8424
# __LONGLINE: some line of the full message holds at least 998 characters with
# no CR or LF.
# NOTE(review): RFC 5322 allows lines of up to 998 characters excluding CRLF,
# so a line of exactly 998 is still compliant yet matches here; `{999}` would
# test "exceeds the limit". Confirm which of the two is intended.
8425full __LONGLINE /^[^\r\n]{998}/m
8426
# __LONG_INVIS_DIV: a <div> whose double-quoted style attribute consists of a
# single `visibility:hidden` or `display:none` declaration, immediately
# followed by at least 1400 characters containing neither `<` nor whitespace -
# a long unbroken blob of text that is not displayed to the reader.
# The `(?<!-)` lookbehind keeps a hyphenated property ending in `-visibility`
# from counting as `visibility`.
8427rawbody __LONG_INVIS_DIV /<div\s+style\s*=\s*"(?:(?<!-)visibility\s*:\s*hidden|display\s*:\s*none)\s*">[^<\s]{1400}/i
8428
8429if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
54c714b2 8430 meta __LONG_STY_INVIS __STY_INVIS_2 && __LONGLINE
b780ea8d
SI
8431endif
8432
8433if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8434 meta __LOTSA_MONEY_00 0
8435endif
8436
8437ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8438 body __LOTSA_MONEY_00 /<CURRENCY>[\s\.]?<NUM_NOT_DATE>[\dOo][,\.][\dOo]{3}(?:(?!\d)|\b)/
8439endif
8440
8441if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8442 meta __LOTSA_MONEY_01 0
8443endif
8444
8445ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8446 body __LOTSA_MONEY_01 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)[\s\.]?<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo](?<!\.00)\b/
8447endif
8448
8449if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8450 meta __LOTSA_MONEY_02 0
8451endif
8452
8453ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8454 body __LOTSA_MONEY_02 /(?<![-\d])<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo][\)\]\(]?\s?(?:<CURRENCY>|Pounds|(?i:dollars?|bucks))\b/
8455endif
8456
8457if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8458 meta __LOTSA_MONEY_03 0
8459endif
8460
8461ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8462 body __LOTSA_MONEY_03 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)<NUM_NOT_DATE>[\d.,\sOo]{0,5}[\)\]]?\s?(?i:M(?i:il+)?\b|mil+(?i:io|<O>)n|hund?[re]+a?[dt]|thousand|tausend|milh[\xf5]es)/
8463endif
8464
8465if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8466 meta __LOTSA_MONEY_04 0
8467endif
8468
8469ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8470 body __LOTSA_MONEY_04 /(?:(?<![-\d])<NUM_NOT_DATE>[\d\.,]{0,4}(?:M|\smilli?one?s|\s?mln)|million(?!s)|mill<O>n|hund?rea?d(?!s)[^\.]{1,25}thousand(?!s)|cents?[^\.]{1,25}mille|hundert[^\.]{1,30}tausend|ientos?[^\.]{1,20}mil|cent[a-z\s]{1,20}mil\s[a-z]{1,20}centos)[^\.\$]{0,50}?(?:(?:U\.?\s?S\.?\s?(?:A\.?\s?)?|united\s?states\s|E\.\s?U\.\s|canad(?:ian|a)\s|(?:ia\s)?de\s)?d(?:[o\xf3]|[\xc3][\xb3])l+are?s?|\bbucks|USD|GBP|<GB_UK>\spounds?|(?:<GB_UK>\s)?pounds?\ssterling|pounds(?!\sof)|(?:d'\s?)?euros?|francs?)\b/i
8471endif
8472
8473if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8474 meta __LOTSA_MONEY_05 0
8475endif
8476
8477ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8478 body __LOTSA_MONEY_05 /(?:(?:sum|value|amount)\sof\s)<NUM_NOT_DATE_IP>[\d.,\sO]{7,20}[\dO\.][\)\]\(\s]{0,3}(?:pounds?|dollars?|euros?|bucks)\b/i
8479endif
8480
8481meta __LOTTO_ADMITS __LOTTO_ADMITS_1 || __LOTTO_ADMITS_2 || __LOTTO_ADMITS_3 || __LOTTO_ATTACH_1 || __LOTTO_ATTACH_2
8482
8483body __LOTTO_ADMITS_1 /\b(?:on-?line|e-?mail|ballot|(?:inter)?national|state|(?:UK|euro)[- ]?(?:mil+ions?|PW)|Canada|Microsoft|MSN|internet|mega|jackpot+|Royal Heritage|foundation|cash\sgrant|mercato|univers|staatsloterij|bill\s?gates|Olympics?|swiss|this|est[ea]|internationaux de gagnants de)(?:\s(?!lot|swe|prom)\w{1,20}){0,3}\s?(?:lot(?:to|t+ery|eri[ea])|sweepstakes?|promo(?:tion|cao|cion)?|jackpot+)\b/i
8484
8485body __LOTTO_ADMITS_2 /\b(?:free)?(?:lot(?:to|tery|erie)|sweepstakes)\s(?:(?:inter)?na[tz]ional|department|bureau|group|award|microsoft)/i
8486
8487uri __LOTTO_ADMITS_3 /lott+ery/i
8488
8489meta __LOTTO_AGENT __LOTTO_AGENT_01 || __LOTTO_AGENT_02
8490
8491body __LOTTO_AGENT_01 /\b(?:(?:(?:the|y?our)(?:\s\w{1,20})?|contact|accredited|listed)\sclaim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:prize|international|intl|foreign|win+ing)(?:[\s,.]+(?:rem+it+ance|settlement|payment|payout|award|transfer))+|payment|payout|immunity|(?<!memory\s)grants?(?!\smanager))\s?(?:agent|manager|officer|secretary|director|mgr\b)/i
8492
8493body __LOTTO_AGENT_02 /\blot+ery[^\.]{1,40} ticket agent/i
8494
8495header __LOTTO_AGENT_RPLY Reply-To =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize\stransfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i
8496
8497if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8498 meta __LOTTO_ATTACH_1 0
8499endif
8500
8501ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8502 mimeheader __LOTTO_ATTACH_1 Content-Type =~ /lott(?:o|ery)/i
8503endif
8504
8505if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8506 meta __LOTTO_ATTACH_2 0
8507endif
8508
8509ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8510 mimeheader __LOTTO_ATTACH_2 Content-Disposition =~ /lott(?:o|ery)/i
8511endif
8512
8513body __LOTTO_DEPT /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)(?:\s(?:rem+it+ance|settlement|payment|award))+|payment|award|compensation|lot+ery)(?:\s\w+)?\s?(?:department|dept|unit|group|committee|bureau)/i
8514
8515body __LOTTO_RELATED /\b(?:lot+(?:o|ery)|sweepstakes)\s(?:prize|draw(?:s|ing)?|(?:ge)?win(?:n?er|n?ing)?|jackpot+|award|fund|com+it+e+|com+is+ion|guild|promotion|promocao|program|day|online|company|(?:in)?corporat|agent|co[-,]?ordinator|team)/i
8516
8517body __LOTTO_VERIFY /\bpromo\sverification/i
8518
8519body __LOTTO_WINNINGS /\b(?:claim|process(?:ing)?|transfert?(?:\s\w+)?|redeem|payment|virement|zahlung|reivindicar|demandar|remise)\s(?:(?:[a-z]{1,5}\s)?(?:your|of|the|this|de|ihrer|seu|tu)\s)+(?:win+ings?|money|(?:cash\s)?prize|award|f[ou]nds?|grant|gewinne|premio|gain)\b/i
8520
8521body __LOTTO_WIN_01 /\bwin+ing\s(?:prize|number|notification|draw|check|cheque|details|information|payment)/i
8522
8523if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8524 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8525 body __LOWER_E /e/
8526 tflags __LOWER_E multiple maxhits=230
8527endif
8528endif
8529
8530body __LUCKY_WINNER /\b(?:lucky|gl.cklich(?:en)?|afortunados)\s(?:(?:ge)?win+ers?|ganador(?:es)?|individuals?)\b/i
8531
8532body __LUCRATIVE /\b(?:lucrative|profitable|tr[\xe8]s\ssalutaire)\b/i
8533
fc5290a3 8534header __LUNSUB_BEFORE_SUBJDT ALL =~ /^List-unsubscribe: (?:[^\n]+\n+){1,40}^(?:Subject|Date): /ism
46cfc9e2 8535
b780ea8d
SI
8536rawbody __L_BODY_8BITS /[\x80-\xff]/
8537
8538header __L_CTE_7BIT Content-Transfer-Encoding =~ /^7bit$/
8539
dfdd1e08
SI
8540header __L_CTE_8BIT Content-Transfer-Encoding =~ /^8bit$/
8541
b780ea8d
SI
8542body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|quota is running low|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i
8543
8544body __MAILBOX_FULL_SE /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i
8545
8546header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/
8547
# Account-access lures: "your (web|e)mail account/login (has) been accessed",
# plus a second, apparently Polish, phrase whose accented letter is accepted
# either as quoted-printable (=F3) or as the raw Latin-1 byte.
8548body __MAIL_ACCT_ACCESS1 /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i
8549
# "lose access to your mail account/login/box/address"; the + quantifiers
# tolerate repeated letters ("loose", "accesss").
8550body __MAIL_ACCT_ACCESS2 /\blo+se ac+es+ to your (?:web|e-?)?mail ?(?:account|log-?in|box|address)\b/i
8551
# URI whose query string (up to 200 characters after "?") carries something
# shaped like an e-mail address: a word character, "@", 1-20 word/hyphen
# characters, one arbitrary character (the "." before the TLD is not escaped),
# then 2-3 word characters.
# NOTE(review): this sub-rule is flagged "nice", yet it is also one of the
# inputs of the __PHISH_FBASE_01 meta later in this file, where a recipient
# address embedded in a link is treated as a phishing trait. Confirm the
# tflags setting is intended.
8552uri __MAIL_LINK /\?.{0,200}\w\@[\w-]{1,20}.\w\w\w?\b/i
8553tflags __MAIL_LINK nice
8554
8555body __MAKE_XTRA_DOLLAR /\bmake an extra dollar\b/i
8556
8557header __MALF_MIME_VER MIME-Version =~ /^1\.0\S/
8558
8559meta __MALWARE_NORDNS __MY_MALWARE && __RDNS_NONE
8560
8561meta __MALWARE_PASSWORD __MY_MALWARE && __PASSWORD
8562
# Suspicious-attachment sub-rules, keyed on MIME part headers.
# __MALW_ATTACH is the OR of the four sub-rules below and is only defined when
# the MIMEHeader plugin is loaded. Each sub-rule has an "if !plugin" fallback
# that pins it to 0; no such fallback for __MALW_ATTACH itself is visible in
# this part of the file.
8563ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8564 meta __MALW_ATTACH __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02 || __MALW_ATTACH_02_01 || __MALW_ATTACH_02_02
8565endif
8566
8567if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8568 meta __MALW_ATTACH_01_01 0
8569endif
8570
# 01_01: Content-Disposition filename ending in ".SettingContent-ms". Both the
# plain form (filename=..., quote optional) and the RFC 2231 forms
# (filename*=..., filename*N*=..., optional UTF-8'' prefix) are covered.
8571ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8572 mimeheader __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]+|\*(?:\d+\*)?=(?:UTF-8'')?\S+)\.SettingContent-ms\b/i
8573endif
8574
8575if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8576 meta __MALW_ATTACH_01_02 0
8577endif
8578
# 01_02: same extension, taken from the Content-Type "name" parameter. Only
# the plain name=... form is handled here, not the RFC 2231 variants.
8579ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8580 mimeheader __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i
8581endif
8582
8583if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8584 meta __MALW_ATTACH_02_01 0
8585endif
8586
# 02_01: archive or disk-image attachment (.ace .zip .rar .r17 .7z .gz .z .iso)
# whose base name ends in "invoice", "statement", "payment"/"payment advice",
# or in a fake document/image extension (pdf, img, png, gif, jpg, jpeg)
# introduced by ".", ",", "_" or a middle dot (percent-encoded %C2%B7 or the
# raw bytes C2 B7), e.g. "scan.pdf.zip".
# NOTE(review): the trailing [";$] is a character class, so "$" there is a
# literal dollar sign, not an end-of-value anchor. An unquoted filename that is
# the last thing in the header value is therefore not matched. If end-of-value
# was intended, the form would be (?:[";]|$). Confirm against upstream before
# relying on this rule for unquoted filenames.
8587ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
cabe596e 8588 mimeheader __MALW_ATTACH_02_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:invoice|statement|payment(?: advice)?|(?:[.,_]|%C2%B7|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i
b780ea8d
SI
8589endif
8590
8591if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8592 meta __MALW_ATTACH_02_02 0
8593endif
8594
# 02_02: the same name test against the Content-Type "name" parameter. There is
# no %C2%B7 alternative and no RFC 2231 form here, and the [";$] caveat
# described for 02_01 applies as well.
8595ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
cabe596e 8596 mimeheader __MALW_ATTACH_02_02 Content-Type =~ /\bname="?[^"]*(?:invoice|statement|payment(?: advice)?|(?:[.,_]|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i
b780ea8d
SI
8597endif
8598
8599meta __MANY_HDRS_LCASE __HDRS_LCASE > 1
8600
8601meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4)
8602
151f49fd
SI
8603uri __MANY_SUBDOM m;^https?://(?:[^\./]{1,30}\.){6};i
8604
8605header __MAY_BE_FORGED Received =~ /\(may be forged\)/
8606
b780ea8d
SI
8607header __MID_START_001C Message-ID =~ /^<000001c/
8608
8609body __MILLIONS /\bmillions\sof\s(?:dollar|euro|pound)/i
8610
8611header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/
8612
8613meta __MIMEOLE_DIRECT_TO_MX __HAS_MIMEOLE && __DOS_DIRECT_TO_MX
8614
8615header __MIME_BDRY_0D0D Content-Type =~ /boundary="-{12}(?:0[1-9]){12}/
8616
8617if !((version >= 3.004000))
8618 meta __MIME_CTYPE_IN_BODY 0
8619endif
8620
8621if (version >= 3.004000)
8622 body __MIME_CTYPE_IN_BODY /^Content-Type:\s/
8623endif
8624
8625if !((version >= 3.004000))
8626 meta __MIME_MALF 0
8627endif
8628
8629if (version >= 3.004000)
8630 meta __MIME_MALF __CTYPE_MULTIPART_ANY && __MIME_CTYPE_IN_BODY
8631endif
8632
8633if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8634 meta __MIME_NO_TEXT 0
8635endif
8636
8637ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8638 meta __MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH)
8639endif
8640
8641ifplugin Mail::SpamAssassin::Plugin::MIMEEval
8642 rawbody __MIME_QPC eval:check_for_mime('mime_qp_count')
8643endif
8644
8645header __MISSING_REF References =~ /^UNSET$/ [if-unset: UNSET]
8646
8647header __MISSING_REPLY In-Reply-To =~ /^UNSET$/ [if-unset: UNSET]
8648
8649rawbody __MIXED_AREA_CASE /<(?!AREA|area)[Aa][Rr][Ee][Aa]\s/
8650
8651rawbody __MIXED_CENTER_CASE /<(?!CENTER|center)[Cc][Ee][Nn][Tt][Ee][Rr]>/
8652
8653rawbody __MIXED_FONT_CASE /<(?!FONT|font)[Ff][Oo][Nn][Tt]\s/
8654
151f49fd
SI
8655describe __MIXED_HREF_CASE Has anchor tags with mixed-up cases in non-quoted lines
8656meta __MIXED_HREF_CASE __HAS_HREF - __HAS_HREF_ONECASE > 0
b780ea8d
SI
8657
8658rawbody __MIXED_IMG_CASE_JH /<(?!IMG|img)[Ii][Mm][Gg]\s/
8659
8660header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/
8661
8662meta __MONERO (__MONERO_ID || __MONERO_CURNCY || __URI_MONERO || __FUZZY_MONERO)
8663
8664body __MONERO_CURNCY /Monero \(XMR\)/
8665
8666body __MONERO_ID /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93,104}\b/
8667
dfdd1e08
SI
8668meta __MONEY_ATM_CARD LOTS_OF_MONEY && __ATM_CARD
8669
b780ea8d
SI
8670meta __MONEY_FORM LOTS_OF_MONEY && __FILL_THIS_FORM
8671
8672meta __MONEY_FORM_SHORT LOTS_OF_MONEY && __FILL_THIS_FORM_SHORT
8673
54c714b2 8674meta __MONEY_FRAUD_3 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3)
b780ea8d 8675
54c714b2 8676meta __MONEY_FRAUD_5 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)
b780ea8d 8677
54c714b2 8678meta __MONEY_FRAUD_8 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 8)
b780ea8d
SI
8679
8680ifplugin Mail::SpamAssassin::Plugin::FreeMail
8681 meta __MONEY_FREEMAIL_REPTO LOTS_OF_MONEY && __freemail_hdr_replyto
8682endif
8683
fc5290a3
SI
8684meta __MONEY_FROM_41 __NSL_RCVD_FROM_41 && LOTS_OF_MONEY
8685
b780ea8d
SI
8686body __MOVE_MONEY /\b(?:(?:receive|re-?profile|transfer(?:ring|ir|t)?|release|repatriat(?:e|ion)|rapatrier|secure|r(?:e|=E9|[\xe9]|[\xc3][\xa9])clamation|possession|virer|dona(?:te|r)|depositante|dep[\xc3][\xb3]sito)\s(?:th(?:e(?:se)?|is)|d[ae]s|sur ce|de ce[st]|cet|est[eao]s?|del?)|re-?profiling|receive|re-?locat(?:e|ing)(?:\s\w{1,15})?)\s(?:of\s|your\s|the\s){0,2}(?:sums?\sof\s|inheritance\s)?(?:proceeds|funds?|money|balance|account|g[eo]ld|compte|fond[so]{1,2}|dinero|argent)\b/i
8687
8688meta __MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_MAYBE && __HAS_ANY_URI && __HTML_LINK_IMAGE
8689
8690header __MSGID_GUID Message-ID =~ /^<?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\@/i
8691
8692header __MSGID_HEXISH Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/
8693
8694header __MSGID_HEX_UID Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/
8695
8696header __MSGID_JAVAMAIL Message-ID =~ /\.JavaMail\./
8697tflags __MSGID_JAVAMAIL nice
8698
8699header __MSGID_LIST Message-ID =~ /-\w+\#[\w.]+\.\w{2,4}\@/
8700tflags __MSGID_LIST nice
8701
151f49fd 8702header __MSGID_NOFQDN1 Message-ID =~ /<[^\@]*>/m
b780ea8d 8703
151f49fd 8704header __MSGID_NOFQDN2 Message-ID =~ /<.*\@[A-Za-z0-9]+>/m
b780ea8d
SI
8705
8706meta __MSM_PRIO_REPTO __HAS_MSMAIL_PRI && __HAS_REPLY_TO && __SUBJ_SHORT
8707
8708header __MSOE_MID_WRONG_CASE ALL =~ /\nMessage-Id: /
8709
46cfc9e2
SI
8710ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8711 mimeheader __MSO_THEME_MT Content-Type =~ m,\bapplication/vnd.ms-officetheme\b,i
8712endif
8713
b780ea8d
SI
8714header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/
8715
151f49fd 8716header __MUA_TBIRD User-Agent =~ /^Mozilla\/.* Thunderbird/
b780ea8d
SI
8717
8718body __MY_FORTUNE /\b(?:my|his|her)\s(?:fortune|heritage)\b/i
8719
# __MY_MALWARE: body phrases in which the sender claims to have planted
# malware on, or taken control of, the recipient's device ("I installed a
# trojan", "my hidden malware", "I infected your computer", "I am a hacker",
# two German phrases, ...). It is one input of the __MALWARE_NORDNS and
# __MALWARE_PASSWORD metas defined earlier in this file.
# The rule exists in two variants, selected by whether ReplaceTags is loaded:
# plain text below, and a tag-based spelling (<A>, <E>, ...) after it.
8720if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8721 body __MY_MALWARE /\b(?:(?:I(?:'ve|\shave)?\s(?:put|set\s?up|installed|buil[td]\sin|placed)\s(?:a\s)?|my\s(?:personal\s|background\s|hidden\s)?)(?:mal+ware|virus|spy\s?ware|trojan|program\srecorded|expl[o0]it|backdoor|(?:sneaky\s|hidden\s|malicious\s)+(?:app|stuff))|(?:application|mal+ware)[^\.]{1,30}(?:enable[sd]|allow(?:s|ed))\sme\sto\s(?:access|control)|I\s(?:contaminated|infected|hacked|toxified|poisoned)\s(?:your|this)\s(?:machine|computer|gadget|(?:smart\s?)?phone|device|email)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|mein\shinterhältiges\sProgramm|I\s?am\s?a\s?hacker|(?:(?:trojan|virus|spyware|mal+ware)\s)+giv(?:es|ing)\sme)\b/i
8722endif
8723
# Tag-based variant. The <X> tokens are presumably expanded by ReplaceTags into
# classes of look-alike characters; the replace_rules line that would enable
# that for this rule is not visible here - TODO confirm.
# NOTE(review): where the plain variant has "put|set\s?up", this one reads
# "<P><U><T><|><S><E><T>\s?<U><P>". The "|" sits between a literal "<" and ">",
# so the first alternative ends in "<" and the second begins with ">". Unless
# tag expansion removes them, "put" and "set up" will not match as they do in
# the plain variant. Compare with the upstream rule source.
8724ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8725 body __MY_MALWARE /(?:^|\s)(?:(?:<I>(?:'<V><E>|\s<H><A><V><E>)?\s(?:<P><U><T><|><S><E><T>\s?<U><P>|<I><N><S><T><A><L><L><E><D>|<B><U><I><L>(?:<T>|<D>)\s<I><N>|<P><L><A><C><E><D>)\s(?:<A>\s)?|<M><Y>\s(?:<P><E><R><S><O><N><A><L>\s|<B><A><C><K><G><R><O><U><N><D>\s|<H><I><D><D><E><N>\s)?)(?:<M><A><L>+<W><A><R><E>|<V><I><R><U><S>|<S><P><Y>\s?<W><A><R><E>|<T><R><O><J><A><N>|<P><R><O><G><R><A><M>\s<R><E><C><O><R><D><E><D>|<E><X><P><L>(?:<O>|0)<I><T>|<B><A><C><K><D><O><O><R>|(?:<S><N><E><A><K><Y>\s|<H><I><D><D><E><N>\s|<M><A><L><I><C><I><O><U><S>\s)+(?:<A><P><P>|<S><T><U><F><F>))|(?:<A><P><P><L><I><C><A><T><I><O><N>|<M><A><L>+<W><A><R><E>)[^\.]{1,30}(?:<E><N><A><B><L><E>(?:<D>|<S>)|<A><L><L><O><W>(?:<S>|<E><D>))\s<M><E>\s<T><O>\s(?:<A><C><C><E><S><S>|<C><O><N><T><R><O><L>)|<I>\s(?:<C><O><N><T><A><M><I><N><A><T><E><D>|<I><N><F><E><C><T><E><D>|<H><A><C><K><E><D>|<T><O><X><I><F><I><E><D>|<P><O><I><S><O><N><E><D>)\s(?:<Y><O><U><R>|<T><H><I><S>)\s(?:<M><A><C><H><I><N><E>|<C><O><M><P><U><T><E><R>|<G><A><D><G><E><T>|(?:<S><M><A><R><T>\s?)?<P><H><O><N><E>|<D><E><V><I><C><E>|<E><M><A><I><L>)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|<M><E><I><N>\s<H><I><N><T><E><R><H><A><L><T><I><G><E><S>\s<P><R><O><G><R><A><M>+|<I>\s?<A><M>\s?<A>\s?<H><A><C><K><E><R>|(?:(?:<T><R><O><J><A><N>|<V><I><R><U><S>|<S><P><Y><W><A><R><E>|<M><A><L>+<W><A><R><E>)\s)+<G><I><V>(?:<E><S>|<I><N><G>)\s<M><E>)[\s\.,]/i
8726endif
8727
# __MY_VICTIM: greeting that addresses the reader as "victim" or "prey".
# Plain variant first, tag-based variant after it. The tag-based one has no \b
# anchors, so it can also match inside longer words.
8728if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8729 body __MY_VICTIM /\b(?:hi|hello),?(?:\smy)?\s(?:victim|prey)\b/i
8730endif
8731
8732ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8733 body __MY_VICTIM /(?:<H><I>|<H><E><L><L><O>),?(?:\s<M><Y>)?\s(?:<V><I><C><T><I><M>|<P><R><E><Y>)/i
8734endif
8735
# To: header consisting of a single bare address: no display name, no angle
# brackets, no whitespace.
8736header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/
8737
# Display-name spoofing indicator: the From: display name is itself an e-mail
# address (__NAME_IS_EMAIL) but is not the same as the address in angle
# brackets (__NAME_EQ_EMAIL). Mail clients that show only the display name
# would present the name-part address to the reader.
8738meta __NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL
8739
# Raw From: where the address-shaped display name is repeated verbatim inside
# <...>. The backreference \1 is compared case-insensitively because of /i.
8740header __NAME_EQ_EMAIL From:raw =~ /([\w+.-]+\@[\w.-]+\.\w\w+)["'`\s]*<\s*\1>/i
8741
# Raw From: where something address-shaped, optionally followed by closing
# quote characters, precedes a bracketed address. Case-sensitive, but the
# classes used (\w, digits, punctuation) make that immaterial.
8742header __NAME_IS_EMAIL From:raw =~ /\w\@[\w.-]+\.\w\w+["'`]*\s*<\w+\@\w/
8743
8744meta __NEWEGG_IMG_NOT_RCVD_NEGG __URI_IMG_NEWEGG && !__HDR_RCVD_NEWEGG
8745
31955ede
SI
8746body __NEW_PRODUCTS /\bhere are new products|\b(?:Our company|we) (?:has |have )?(?:(?:recently|just|newly) (?:introduce|release|launche)[ds](?: a| our| the)? (?:new|(?:\w+\s){1,5}below)|a new (?!cat\s|kitten\s|dog\s|puppy\s|pet\s|baby\s|child\s|boy\s|girl\s)(?:\w+\s){1,5} here)|recently,? our company (?:launch|releas)ed|\bI want to recommend a new (?:\w+ ){1,5}(?:we|our)\b|latest version of our (?:stock|product)|\b(?:our|a) new (?:\w+ ){1,3}has (?:recently|just) been released/i
8747
b780ea8d
SI
8748body __NEXT_OF_KIN /\bnext[-\s]of[-\s]kin\b/i
8749
8750body __NIGERIA /\bnigeria\b/i
8751
8752meta __NOT_A_PERSON __VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO
8753tflags __NOT_A_PERSON nice
8754
8755body __NOT_DEAD_YET /\b(?:will\sinherit|que\sherede|your\sdeath|your?\sbeing\sdead)\b/i
8756
8757body __NOT_SCAM /\b(?:not\sa\sscam|(?:not|never)\sscam\syou)\b/i
8758
# __NOT_SPOOFED: "sender looks authenticated" sub-rule, flagged nice.
# Exactly one of the four definitions below is active, chosen by which of the
# DKIM and SPF plugins are loaded ("if !(!plugin(X))" means "X is loaded").
# In every variant the rule is also true when __LAST_EXTERNAL_RELAY_NO_AUTH is
# false or when ALL_TRUSTED hits, so it does not require SPF or DKIM to pass.
#
# NOTE(review): in the two variants used when the DKIM plugin is NOT loaded,
# __DKIM_EXISTS stands in for DKIM_VALID. __DKIM_EXISTS is defined outside this
# part of the file. If it only tests that a signature header is present, then
# an unverified, sender-supplied header is enough to satisfy this rule. Verify
# the definition before treating __NOT_SPOOFED as an authentication signal on
# hosts that run without the DKIM plugin.
# NOTE(review): SPF_PASS, as usually implemented, concerns the envelope sender
# rather than the visible From: header, so a pass here does not by itself show
# that the From: address is genuine - TODO confirm for this deployment.
8759tflags __NOT_SPOOFED nice
8760
8761if !(!plugin(Mail::SpamAssassin::Plugin::DKIM))
8762if !plugin(Mail::SpamAssassin::Plugin::SPF)
8763 meta __NOT_SPOOFED DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, no SPF
8764endif
8765endif
8766
8767if !(!plugin(Mail::SpamAssassin::Plugin::DKIM))
8768 ifplugin Mail::SpamAssassin::Plugin::SPF
8769 meta __NOT_SPOOFED SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, yes SPF
8770endif
8771endif
8772
8773if !plugin(Mail::SpamAssassin::Plugin::DKIM)
8774if !plugin(Mail::SpamAssassin::Plugin::SPF)
8775 meta __NOT_SPOOFED __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, no SPF.
8776endif
8777endif
8778
8779if !plugin(Mail::SpamAssassin::Plugin::DKIM)
8780 ifplugin Mail::SpamAssassin::Plugin::SPF
8781 meta __NOT_SPOOFED SPF_PASS || __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, yes SPF
8782endif
8783endif
8784
8785meta __NO_INR_YES_REF (__XM_GNUS || __XM_MSOE5 || __XM_MSOE6 || __XM_MOZ4 || __XM_SKYRI || __XM_WWWMAIL || __UA_GNUS || __UA_KNODE || __UA_MUTT || __UA_PAN || __UA_XNEWS)
8786
# Two sub-rules keyed on the 41.0.0.0/8 address block.
# __NSL_ORIG_FROM_41 reads the X-Originating-IP message header (bare address or
# the "[41.x.x.x]" form). That header arrives with the message and is not
# verified by this rule, so it can be absent or forged.
8787header __NSL_ORIG_FROM_41 X-Originating-IP =~ /^(?:.+\[)?41\./
8788describe __NSL_ORIG_FROM_41 Originates from 41.0.0.0/8
8789
# __NSL_RCVD_FROM_41 reads the X-Spam-Relays-External pseudo-header. The
# pattern is unanchored, so any external relay entry with ip=41.* matches, not
# only the one that handed the message to the local network.
8790header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./
8791describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8
8792
151f49fd 8793header __NUMBERONLY_TLD From:addr =~ /\@[0-9]{4,}(?:\.[a-z]{2,4})?\.[a-z]+$/i
b780ea8d
SI
8794
8795header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/
8796
# Obfuscated-"bitcoin" metas. Each has two definitions: without ReplaceTags the
# obfuscation test is any of __BTC_OBFU_2/3/4/5; with ReplaceTags,
# FUZZY_BITCOIN takes the place of __BTC_OBFU_4.
#
# __OBFU_BITCOIN: an obfuscated spelling AND a wallet address (__BITCOIN_ID).
8797if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8798 meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) )
8799endif
8800
8801ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8802 meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) )
8803endif
8804
# __OBFU_BITCOIN_NOID: the same obfuscation test, but with NO wallet address in
# the message (the ID may be in an image or attachment instead - that part is
# not checked here).
8805if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8806 meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) )
8807endif
8808
8809ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8810 meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) )
8811endif
8812
8813body __OBFU_UNSUB_UL /(?:click_here|remove_your|our_e?mail|this_list|to_unsubscribe|future_e?mail|our_list)/
8814
8815if !plugin(Mail::SpamAssassin::Plugin::ImageInfo)
8816 meta __ONE_IMG 0
8817endif
8818
8819ifplugin Mail::SpamAssassin::Plugin::ImageInfo
8820 body __ONE_IMG eval:image_count('all',1,1)
8821endif
8822
8823header __OPERA_MID_NON_OP Message-ID =~ /^<[^o][^p]\./
8824
b780ea8d
SI
8825body __OUR_BEHALF /\b(?:on\s(?:my|our)\sbehalf|of\sbehalf\sof)\b/i
8826
8827ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8828mimeheader __PART_CID_STOCK_LESS Content-ID =~ /^<00[a-f0-9]{10}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[A-Za-z]+>$/
8829endif
8830
8831ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8832mimeheader __PART_STOCK_CD_F Content-Disposition =~ /filename/
8833endif
8834
8835ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8836mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/
8837endif
8838
8839ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8840mimeheader __PART_STOCK_CL Content-Location =~ /./
8841endif
8842
8843body __PASSIVE_INCOME /\bpassive income\b/i
8844
8845body __PASSWORD /\bp[-\s_]?a[-\s_]?s[-\s_]?s[-\s_]?w[-\s_]?o[-\s_]?r[-\s_]?d\b/i
8846
8847body __PASSWORD_EXP_CLUMSY /\bpassword is due for expiration yesterday\b/i
8848
8849body __PASSWORD_UPGRADE /\bpassword upgrade\b/i
8850
8851body __PAXFUL /\bp-?a+-?x+-?f-?u+-?l\b/i
8852
# __PAY_ME: payment demands typical of extortion mail - "pay me", "send me
# <amount>", "transfer exactly <amount>", "make the payment", "amount for my
# silence", "pay this bitcoin/monero address|wallet", "my bribe(ry)", with some
# German wording. The amount may be digits with an optional currency code, or
# the word bitcoin/BTC.
# Plain-text variant (ReplaceTags not loaded):
8853if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8854 body __PAY_ME /\b(?:pay\sme|(?:(?:send|transmit|give)\s(?:to\s)?me|(?:send(?:en\ssie)?|transfer)\s(?:the\samount\sof|exactly|genau)|I\swant|den\sbetrag\svon|payment\sof)\s(?:[\d,'.\$£]+\s?(?:usd?|eur?(?:os)?|gbp|BTC)?|bitcoin|BTC)|(?:make|perform|send|transmit)\sthe\spayment|amount\sfor\smy\ssilence|(?:pay|fund)\sthis\s(?:bitcoin|monero)[-\s](?:address|wallet|brieftasche)|my bribe(?:ry)?)\b/i
8855endif
8856
# Tag-based variant (ReplaceTags loaded).
# NOTE(review): the two variants are not equivalent. In the plain variant
# "my bribe(ry)" is a top-level alternative. Here "<M><Y> <B><R><I><B><E>" sits
# inside the final (address|wallet|brieftasche) group, so it can only match
# directly after "pay/fund this bitcoin/monero" plus a separator. A standalone
# "my bribe" is therefore not detected when ReplaceTags is loaded. Compare with
# the upstream rule source.
8857ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8858 body __PAY_ME /(?:^|\s)(?:<P><A><Y>\s<M><E>|(?:(?:<S><E><N><D>|<T><R><A><N><S><M><I><T>|<G><I><V><E>)\s(?:<T><O>\s)?<M><E>|(?:<S><E><N><D>(?:<E><N>\s<S><I><E>)?|<T><R><A><N><S><F><E><R>)\s(?:<T><H><E>\s<A><M><O><U><N><T>\s<O><F>|<E><X><A><C><T><L><Y>|<G><E><N><A><U>)|<I>\s<W><A><N><T>|<D><E><N>\s<B><E><T><R><A><G>\s<V><O><N>|<P><A><Y><M><E><N><T>\s<O><F>)\s(?:[\d,'.\$£]+\s?(?:<U><S><D>?|<E><U><R>?(?:<O><S>)?|<G><B><P>|<B><T><C>)?|<B><I><T><C><O><I><N>|<B><T><C>)|(?:<M><A><K><E>|<P><E><R><F><O><R><M>|<S><E><N><D>|<T><R><A><N><S><M><I><T>)\s<T><H><E>\s<P><A><Y><M><E><N><T>|<A><M><O><U><N><T>\s<F><O><R>\s<M><Y>\s<S><I><L><E><N><C><E>|(?:<P><A><Y>|<F><U><N><D>)\s<T><H><I><S>\s(?:<B><I><T><C><O><I><N>|<M><O><N><E><R><O>)[-\s](?:<A><D><D><R><E><S><S>|<W><A><L><L><E><T>|<B><R><I><E><F><T><A><S><C><H><E>|<M><Y> <B><R><I><B><E>(?:<R><Y>)?))[\s\.,]/i
8859endif
8860
8861body __PAY_YOU /\bpay\syou\b/
8862
8863if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8864 meta __PCT_FOR_YOU 0
8865endif
8866
8867ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8868 meta __PCT_FOR_YOU __PCT_FOR_YOU_1 || __PCT_FOR_YOU_2 || __PCT_FOR_YOU_3 || T_SHARE_50_50
8869endif
8870
8871if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8872 meta __PCT_FOR_YOU_1 0
8873endif
8874
8875ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8876 body __PCT_FOR_YOU_1 /<PERCENT>[\s)]{0,3}(?:(?:of\s[\w\s]{0,35}?)?(?:for|to|as)\syour?|(?:[^\s.]{1,15}\s)?an uns beide)/i
8877endif
8878
8879if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8880 meta __PCT_FOR_YOU_2 0
8881endif
8882
8883ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8884 body __PCT_FOR_YOU_2 /\b(?:(?:give|offer)\syou|vous\s(?:aurez\sdroit\s(?:=E0|[\xe0])|donnerai|all(?:e|=E9|[\xe9]|[\xc3][\xa9])\srecevoir\sautour\sde)|ihnen)\s<PERCENT>/i
8885endif
8886
8887if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8888 meta __PCT_FOR_YOU_3 0
8889endif
8890
8891ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8892 body __PCT_FOR_YOU_3 /\byour?\s(?!can)(?:(?!you)\w{1,15}\s){0,10}(?:(?:share|entiti?le(?:d|ment)?|percentage|fee|assist(?:ance)?|comp[ea]nsat(?:ed?|tion)|reward(?:ed)?|renumerat(?:e|tion)|com+is+ion|paid|deduct|account|tage|(?:will|shall|would|(?:are|stand|going)\sto)\s(?:be\s)?(?:tak(?:e|ing)|earn|get(?:ting)?|remit|subtract|with+old)|(?:deduct|taken?|subtract(?:ed)?)\syour|keep(?:ing)?|receiv(?:e|ing)|retain(?:ing)?|have|half|giv(?:en|ing)|paid|(?:give|pay|offer)\s(?:me|you|him)|bank\saccount|to\s(?:take|use)|(?:time|country)\sand|ratio\sof)(?:\s(?!you)\w{1,15}){0,10})\s(?<!by\s)(?<!up\sto\s)<PERCENT>/i
8893endif
8894
8895if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8896 meta __PCT_OF_PMTS 0
8897endif
8898
8899ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8900 body __PCT_OF_PMTS /<PERCENT>[\s)]+(?:of\s[\w\s]{0,35}?)?(?:of|du|de)\s(?:(?:the|la)\s)?(?:total\s)?(?:payments?|rem+it+ances?|capital|chec(?:k|que)s?|mon(?:ey|ies)|suma?)/i
8901endif
8902
# PDF-attachment detection. __PDF_ATTACH is true when any of three MIME-part
# header tests hits; without the MIMEHeader plugin all four rules are pinned
# to 0, so metas that depend on them still evaluate.
8903if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8904 meta __PDF_ATTACH 0
8905endif
8906
8907ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8908 meta __PDF_ATTACH (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2)
8909endif
8910
8911if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8912 meta __PDF_ATTACH_FN1 0
8913endif
8914
# FN1 / FN2: any double-quoted parameter value ending in ".pdf" in
# Content-Type (FN1) or Content-Disposition (FN2). The parameter name is not
# checked. Because the pattern requires ="...", an unquoted name or an
# RFC 2231 encoded name (filename*=...) is not matched by these two rules;
# such a part is only caught if its media type is application/pdf (MT below).
8915ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8916 mimeheader __PDF_ATTACH_FN1 Content-Type =~ /="[^"]+\.pdf"/i
8917endif
8918
8919if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8920 meta __PDF_ATTACH_FN2 0
8921endif
8922
8923ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8924 mimeheader __PDF_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.pdf"/i
8925endif
8926
8927if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8928 meta __PDF_ATTACH_MT 0
8929endif
8930
# MT: declared media type application/pdf. This is the sender's declaration;
# the part's content is not inspected by this rule.
8931ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8932 mimeheader __PDF_ATTACH_MT Content-Type =~ m,\bapplication/pdf\b,i
8933endif
8934
# From: display-name tests used with the bitcoin rules. The three header rules
# are only defined when ReplaceTags is loaded; no fallback definitions are
# visible in this part of the file.
#
# Display name containing a word that starts with "Anon" (case-sensitive).
8935ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8936 header __PDS_BTC_ANON From:name =~ /\bAnon/
8937endif
8938
# Display name resembling "hacker" or "pirate".
8939ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8940 meta __PDS_BTC_BADFROM ( __PDS_BTC_HACKER || __PDS_BTC_PIRATE )
8941endif
8942
# "h<A>ck<E>r": the vowels are written as tags, presumably expanded by
# ReplaceTags to cover look-alike characters - TODO confirm that replace_rules
# lists this rule.
8943ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8944 header __PDS_BTC_HACKER From:name =~ /h<A>ck<E>r/i
8945endif
8946
# A bitcoin address in the body that is not explained by a URL containing the
# ID, an inline data: image, or a tracking image. Defined unconditionally.
8947meta __PDS_BTC_ID ( __BITCOIN_ID && !__URL_BTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG)
8948
8949ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8950 header __PDS_BTC_PIRATE From:name =~ /p<I>r<A>t<E>/i
8951endif
8952
# URI host membership test against the host list named PDS_CASHSHORTENER,
# through the WLBLEval eval function. The list entries are defined elsewhere.
# Only defined with WLBLEval loaded and version >= 3.004000.
8953ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8954if (version >= 3.004000)
8955header __PDS_CASHSHORTENER eval:check_uri_host_listed('PDS_CASHSHORTENER')
8956endif
8957endif
8958
# URL that carries a second http(s) URL directly after "?" or "=", as seen
# with redirector links. The pattern is case-sensitive and expects the inner
# "http://" or "https://" in clear text, so a percent-encoded inner URL
# (https%3A%2F%2F...) is not matched by this rule.
8959uri __PDS_DOUBLE_URL m;https?://[\S]+(?:\?|=)https?://[\S]+[\w]+$;
8960
8961if (version >= 3.004002)
8962ifplugin Mail::SpamAssassin::Plugin::WLBLEval
151f49fd 8963body __PDS_EXPIRATION_NOTICE /\bexpiration (?:notice|alert|date)\b/i
b780ea8d
SI
8964endif
8965endif
8966
# From: header that shows one e-mail address in the display-name position and
# then a different address in angle brackets; the (?!\1) look-ahead rejects the
# case where both are the same. The pattern uses a possessive quantifier
# (\w\w++), which is why it is gated on the perl_min_version_5010000
# capability. No fallback definition is visible here.
8967if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
8968 header __PDS_FROM_2_EMAILS From =~ /(?:^|<|"| )([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i
8969endif
8970
# From address at gmail.com or googlemail.com. This is the address as written
# in the header; it says nothing about whether the message really came from
# Google.
8971header __PDS_FROM_GMAIL From:addr =~ /\@g(?:oogle)?mail\.com$/i
8972
fc5290a3 8973header __PDS_FROM_NAME_TO_DOMAIN ALL =~ /From: ["']?([a-z0-9\.-]+\.[0-9a-z\.-]+)["']? [^\n]+\n+To:[^\n]+\@\1/ism
b780ea8d
SI
8974
# Message-Id ending in "@mail.gmail.com>". The dots are unescaped, so each
# matches any character; the rule is slightly broader than the literal host
# name. It is used negated in __PDS_SPOOF_GMAIL_MID later in this file.
8975header __PDS_GMAIL_MID Message-Id =~ /\@mail.gmail.com>$/
8976
# Google Drive share notification: at least two of the three header traits
# below must be present. All three are taken from message headers as received.
8977meta __PDS_GOOGLE_DRIVE_SHARE (__PDS_GOOGLE_DRIVE_SHARE_1 + __PDS_GOOGLE_DRIVE_SHARE_2 + __PDS_GOOGLE_DRIVE_SHARE_3 >= 2)
8978
# References header naming an id at docs-share.google.com.
8979header __PDS_GOOGLE_DRIVE_SHARE_1 References =~ /\@docs\-share\.google\.com\>/
8980
# From address exactly drive-shares-noreply@google.com (case-sensitive).
8981header __PDS_GOOGLE_DRIVE_SHARE_2 From:addr =~ /^drive\-shares\-noreply\@google\.com$/
8982
# Envelope sender under doclist.bounces.google.com.
8983header __PDS_GOOGLE_DRIVE_SHARE_3 X-Envelope-From:addr =~ /\@doclist\.bounces\.google\.com$/
8984
8985ifplugin Mail::SpamAssassin::Plugin::AskDNS
8986meta __PDS_HP_HELO_NODNS (__HELO_HIGHPROFILE && !__HELO_DNS)
8987tflags __PDS_HP_HELO_NODNS net
8988endif
8989
8990ifplugin Mail::SpamAssassin::Plugin::HTMLEval
8991meta __PDS_HTML_LENGTH_1024 __HTML_LENGTH_0000_1024
8992endif
8993
8994ifplugin Mail::SpamAssassin::Plugin::HTMLEval
8995meta __PDS_HTML_LENGTH_2048 __HTML_LENGTH_0000_1024 || __HTML_LENGTH_1024_1536 || __HTML_LENGTH_1536_2048
8996endif
8997
8998meta __PDS_LITECOIN_ID (__LITECOIN_ID && !__URL_LTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG)
8999
9000meta __PDS_MSG_1024 (__KAM_BODY_LENGTH_LT_1024 || __PDS_HTML_LENGTH_1024)
9001
9002meta __PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512)
9003
9004if (version >= 3.004001)
9005ifplugin Mail::SpamAssassin::Plugin::AskDNS
9006meta __PDS_NEWDOMAIN (__FROM_FMBLA_NEWDOM || __FROM_FMBLA_NEWDOM14 || __FROM_FMBLA_NEWDOM28)
9007tflags __PDS_NEWDOMAIN net
9008endif
9009endif
9010
9011if (version >= 3.004002)
9012ifplugin Mail::SpamAssassin::Plugin::WLBLEval
151f49fd 9013body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (?:United States|USA)/i
b780ea8d
SI
9014endif
9015endif
9016
151f49fd
SI
9017header __PDS_PHP_EVAL1 X-PHP-Originating-Script =~ /eval..'d code/i
9018
54c714b2
SI
9019header __PDS_PHP_EVAL2 X-PHP-Originating-Script =~ /runtime-created function/
9020
b780ea8d
SI
9021if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
9022 meta __PDS_QP_1024 0
9023endif
9024
9025ifplugin Mail::SpamAssassin::Plugin::MIMEEval
9026 meta __PDS_QP_1024 (__MIME_QPC > 0) && (__MIME_QPC < 1024)
9027endif
9028
9029if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
9030 meta __PDS_QP_128 0
9031endif
9032
9033ifplugin Mail::SpamAssassin::Plugin::MIMEEval
9034 meta __PDS_QP_128 (__MIME_QPC > 0) && (__MIME_QPC < 128)
9035endif
9036
9037if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
9038 meta __PDS_QP_512 0
9039endif
9040
9041ifplugin Mail::SpamAssassin::Plugin::MIMEEval
9042 meta __PDS_QP_512 (__MIME_QPC > 0) && (__MIME_QPC < 512)
9043endif
9044
9045if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
9046 meta __PDS_QP_64 0
9047endif
9048
9049ifplugin Mail::SpamAssassin::Plugin::MIMEEval
9050 meta __PDS_QP_64 (__MIME_QPC > 0) && (__MIME_QPC < 64)
9051endif
9052
151f49fd 9053header __PDS_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(?:mta|mail|mx|smtp)\b\S* /i
b780ea8d
SI
9054
9055if (version >= 3.004002)
9056ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9057body __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i
9058endif
9059endif
9060
9061if (version >= 3.004002)
9062ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9063body __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i
9064endif
9065endif
9066
9067if (version >= 3.004002)
9068ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9069body __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i
9070endif
9071endif
9072
9073ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9074if (version >= 3.004000)
dfdd1e08 9075meta __PDS_SHORT_URL __SHORT_URL && !__URL_SHORTENER && !ALL_TRUSTED
b780ea8d
SI
9076endif
9077endif
9078
9079if (version >= 3.004001)
9080ifplugin Mail::SpamAssassin::Plugin::AskDNS
9081tflags __PDS_SPF_ONLYALL net
9082endif
9083endif
9084
46cfc9e2
SI
9085meta __PDS_SPOOF_GMAIL_MID __PDS_FROM_GMAIL && !__PDS_GMAIL_MID && !__FSL_RELAY_GOOGLE
9086
b780ea8d
SI
9087header __PDS_TONAME_EQ_TOLOCAL To:raw =~ /^\s*['"]?([^'"]+)['"]? <?\1\@/
9088
9089if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
151f49fd 9090 header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism
b780ea8d
SI
9091endif
9092
9093if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
151f49fd 9094 header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n+(?:[^\n]{1,100}\n+)*To: (?:[^\n<]{0,80}<)?(\1)>?/ism
b780ea8d
SI
9095endif
9096
9097ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9098if (version >= 3.004000)
dfdd1e08 9099meta __PDS_TO_SUBJ_URISHRT __TO_IN_SUBJ && __URL_SHORTENER && __PDS_MSG_1024
b780ea8d
SI
9100endif
9101endif
9102
9103ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9104if (version >= 3.004000)
dfdd1e08 9105meta __PDS_URISHORTENER __URL_SHORTENER
b780ea8d
SI
9106endif
9107endif
9108
54c714b2
SI
# X-PHP-Script tests: the header names the PHP script that generated the mail.
# The rules below flag script paths where a mail-sending script would be
# unusual - under /.well-known/, inside WordPress core, theme or upload
# directories, or under a /js/ directory. Each WordPress pattern expects
# "<path>.php for" right after the directory, presumably matching the header's
# "script for client-address" layout - TODO confirm.
# The header is set by the sending host, so it is useful as a hint that a web
# site may be sending unwanted mail, and it may be missing altogether.
9109header __PDS_X_PHP_WELLKNOWN X-PHP-Script =~ m;/\.well-known/;
9110
9111header __PDS_X_PHP_WPADMIN X-PHP-Script =~ m;/wp-admin/(?:css|themes|js|images|user|maint)/[\S]+\.php for;i
9112
9113header __PDS_X_PHP_WPCONTENT X-PHP-Script =~ m;/wp-content/(?:themes|uploads)/[\S]+\.php for;i
9114
9115header __PDS_X_PHP_WPINCLUDES X-PHP-Script =~ m;/wp-includes/(?:css|fonts|js|pomo|Text|theme-compat)/[\S]+\.php for;i
9116
# Any .php script under a /js/ directory, not limited to WordPress paths.
9117header __PDS_X_PHP_WPJS X-PHP-Script =~ m;/js/[\S]+\.php for;i
9118
b780ea8d
SI
9119meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0
9120
9121body __PENDING_MESSAGES /\b(?:messages pending|(?:your|\d+[\])}]?) (?:pending|un(?:delivered|received)) (?:messages|e?-?mails))\b/i
9122
9123body __PERFECT_BINARY /\bperfect binary option\b/i
9124
# HTML attachment posing as a document: the file name ends in a fake "pdf",
# "doc" or "docx" extension (introduced by ".", "_" or a middle dot) followed
# by the real ".htm"/".html", e.g. "invoice.pdf.html".
# 01_01 checks the Content-Disposition filename, including the RFC 2231
# filename*= forms and a percent-encoded middle dot. 01_02 checks the plain
# Content-Type name parameter only.
# Both are defined only with MIMEHeader loaded; no "if !plugin" fallback for
# them is visible in this part of the file.
# NOTE(review): the trailing [";$] is a character class, so "$" is a literal
# dollar sign rather than an end-of-value anchor. An unquoted file name at the
# very end of the header value is not matched. If that case was meant to be
# covered, the form would be (?:[";]|$). Confirm against upstream.
9125ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9126 mimeheader __PHISH_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:\.|%C2%B7|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i
9127endif
9128
9129ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9130 mimeheader __PHISH_ATTACH_01_02 Content-Type =~ /\bname="?[^"]*(?:\.|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i
9131endif
9132
# Phishing link on an app-hosting platform: a Firebase/web-app URI, a From:
# display name that is a domain equal to the recipient's domain
# (__PDS_FROM_NAME_TO_DOMAIN), and a link whose query string embeds an e-mail
# address (__MAIL_LINK).
9133meta __PHISH_FBASE_01 (__URI_FIREBASEAPP || __URI_WEBAPP) && __PDS_FROM_NAME_TO_DOMAIN && __MAIL_LINK
9134
9135if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9136 body __PHOTO_RETOUCHING /\b(?:(?:retouching|(?:image|photo|pic)s? (?:[a-z]{1,15} ){0,3}(?:edit(?:ing|ors)|team|(?:cut+|mask|clip+|clean|crop+|resiz|enhanc|etch)ing|cut+(?:ing)?[-\s]?out|enhancement|manipulation|restoration|compositing|working|(?:color|contrast|brightnes+|background|make-?up) (?:cor+ection|change)|solution|work|services?)|(?<!that\s)(?<!\.\s)your (?:imag(?:es|ing)|pics)|photo\s?shop (?:expert|service)s?|(?:deliver (?:the|your) |(?:(?:send|throw|ship|drop|deliver|give|provide|e-?mail) us|(?:cut+(?:ing)?[-\s]?out|masking|(?:test|edit)(?:ing)?) (?:for|of|on|with)) (?:(?:an?|one|your|some|sample|test|example|the) )+)(?:image|photo|pic)s?|(?:proces+|edit)(?:\sover|\smore th[ae]n)? \d{2,5}\D? (?:image|photo|pic)s|improv(?:e|ing) (?:(?:image|photo|picture|pic) (?:quality|lighting)|(?:(?:image|photo|picture|pic) )?(?:resolution|contrast|background|color))|cor+ecting (?:color|contrast|brightnes+|background))\b|(?:e-?com+erce|website|jew[el]+r(?:[y's]+|ies)|model+(?:s|ing)?|products?|portraits?|graduation['s]*|school['s]*|bab(?:[y's]+|ies)|famil(?:[y's]+|ies)|kids|wedding|beauty|glamou?r|catalog['s]*|store['s]*|shop['s]*|(?:cut+(?:ing)?[-\s]?out|clip+ing\spath|(?:all|any) kinds? of|enhance|retouch|edit(?:ing)?)[,;]?(?:\s[a-z]{1,15}){0,4})\s(?:image|photo|pic)s?(?:[.,?]|$|\sand\b|\sor\b|\setc\b)|\b(?:imag(?:es|ing)|photos)\s\d+$)/i
9137 tflags __PHOTO_RETOUCHING multiple maxhits=5
9138endif
9139
9140header __PHPMAILER_MUA X-Mailer =~ /^PHPMailer\b/
9141
9142meta __PHP_MUA __PHP_MUA_1 || __PHP_MUA_2
9143
9144header __PHP_MUA_1 X-Mailer =~ /^PHP\s?v?\/?\d\./
9145
9146header __PHP_MUA_2 X-Mailer =~ /^PHP\d$/
9147
9148header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/
9149
151f49fd
SI
# Matches an X-PHP-Originating-Script value that contains the word "eval"
# followed, anywhere later in the value, by the word "code" (case-insensitive).
# NOTE(review): presumably aimed at the "eval()'d code" label PHP uses for
# code run through eval(), i.e. mail sent from dynamically evaluated code -
# confirm.
9150header __PHP_ORIG_SCRIPT_EVAL X-PHP-Originating-Script =~ /\beval\b.*\bcode\b/i
9151
b780ea8d
SI
9152meta __PHP_ORIG_SCRIPT_SONLY __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B)
9153
9154if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
9155 meta __PILL_PRICE_01 0
9156endif
9157
9158if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9159 body __PILL_PRICE_01 m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i
9160 tflags __PILL_PRICE_01 multiple maxhits=3
9161endif
9162
9163if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
9164 meta __PILL_PRICE_02 0
9165endif
9166
9167if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9168 body __PILL_PRICE_02 /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i
9169 tflags __PILL_PRICE_02 multiple maxhits=3
9170endif
9171
9172body __PLS_REVIEW /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i
9173
9174ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
9175header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()
9176endif
9177
9178ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
9179header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
9180endif
9181
# URI that passes through one of the listed CMS directories (WordPress
# plugins/themes/includes and a few others), has 1-128 further characters,
# and whose final four characters - before an optional query string of at
# most five characters - are not one of the listed image/PDF extensions.
# In other words: a link to a non-image resource inside a CMS asset directory.
# NOTE(review): the "includes/" alternative already ends in "/", and the group
# is followed by another "/", so as written it needs two consecutive slashes -
# confirm that this is intended.
9182uri __PS_TEST_LOC_WP m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,128}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf|\.svg)[^?]{4}(?:\?[^?]{1,5})?$;i
9183
9184body __PUMPDUMP_01 /\b(?:times|multiply|tripl(?:e|ing)|quadrupl(?:e|ing)|quintupl(?:e|ing)) (?:your|an) (?:princip(?:al|le)|investment)\b/i
9185
9186body __PUMPDUMP_02 /\b(?:sto[ck]{2}|share price) (?:will |may |is (?:(?:about|poised|positioned|ready) to |gonna ))?(?:triple|quadruple|quintuple|soar|go(?:es?) (?:nuts|crazy|sky high|way up))\b/i
9187
9188body __PUMPDUMP_03 /\bbuy (?:[^.!]{1,30} )?(?:(?:(?:mon|tues|wednes|thurs|fri)day|tomorrow) (?:first thing|open|morning)|(?:first thing|opens|before) (?:(?:mon|tues|wednes|thurs|fri)day|tomorrow))/i
9189
9190body __PUMPDUMP_04 /\bmake you (?:big bucks|hundreds|thousands)\b/i
9191
9192body __PUMPDUMP_05 /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i
9193
9194body __PUMPDUMP_06 /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i
9195
9196body __PUMPDUMP_07 /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i
9197
151f49fd 9198body __PUMPDUMP_08 /\b(?:sto[ck]{2}|sotk) of the year/i
b780ea8d
SI
9199
9200body __PUMPDUMP_09 /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i
9201
9202body __PUMPDUMP_10 /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i
9203
9204body __RANDOM_PICK /\b(?:random(?:ly)?\s(?:\w+\s)?(?:select(?:ion|ed)|pick(?:ed)?|computer)|(?:select|pick)ed\s(?:at\s)?random(?:ly)?|(?:esco(?:g|lh)idos|seleccion) (?:aleatoria(?:mente)?|al azar))\b/i
9205
9206header __RAND_HEADER ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent|Tracking-Code)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism
9207tflags __RAND_HEADER multiple maxhits=4
9208
9209meta __RAND_HEADER_2 __RAND_HEADER > 1
9210
9211header __RAND_MKTG_HEADER ALL =~ /^X-(?:[a-z]{2}){1,2}-(?:EBS|(?:Tracking|Subscriber|Delivery|Customer|Campaign)-[DSU]?id):/ism
9212
# Both rules run against the whole header block (ALL) and fire when the same
# eight-hex-digit chunk appears in the Message-Id ("<....HHHHHHHH$HHHHHHHH$")
# and in the MIME boundary ("----=_NextPart_000_...._HHHHHHHH."), with 10-400
# characters between the two. _A covers Message-Id before the boundary, _B the
# reverse order.
# NOTE(review): going by the rule names, this correlation is treated as a
# bulk-mailer fingerprint - confirm against the metas that use it.
# The trailing '# "' comment is kept as in the original (it balances the
# unmatched double quote in the pattern).
9213header __RATWARE_BOUND_A ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{10,400}boundary="----=_NextPart_000_...._\1\./msi # "
9214
9215header __RATWARE_BOUND_B ALL =~ /boundary="----=_NextPart_000_...._([0-9a-f]{8})\..{10,400}^Message-Id: <....\1\$[0-9a-f]{8}\$/msi # "
9216
# Reverse-DNS name hints read from X-Spam-Relays-External. "^[^\]]+" keeps the
# match in front of the first "]", presumably the first relay entry. Each rule
# looks for a mail-server style label in that entry's rdns= value: mail, mta,
# mx, outbound(s), smtp(s). The plain variants want a word boundary before the
# label and a non-letter after it; the _MESSY variants accept the label
# anywhere in the name. Every rule here carries "tflags nice".
# NOTE(review): the rDNS name is chosen by whoever controls the PTR record of
# the sending address, so these are weak hints and should not offset strong
# spam or phishing evidence on their own.
# NOTE(review): __RCD_RDNS_MX_MESSY and __RCD_RDNS_SMTP_MESSY have no /i flag
# while the other rules in this group do - presumably harmless if rdns= values
# are already lower-cased; confirm.
9217header __RCD_RDNS_MAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmail[^a-z]/i
9218tflags __RCD_RDNS_MAIL nice
9219
9220header __RCD_RDNS_MAIL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mail/i
9221tflags __RCD_RDNS_MAIL_MESSY nice
9222
9223header __RCD_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmta[^a-z]/i
9224tflags __RCD_RDNS_MTA nice
9225
9226header __RCD_RDNS_MTA_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mta/i
9227tflags __RCD_RDNS_MTA_MESSY nice
9228
9229header __RCD_RDNS_MX X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmx[^a-z]/i
9230tflags __RCD_RDNS_MX nice
9231
9232header __RCD_RDNS_MX_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mx/
9233tflags __RCD_RDNS_MX_MESSY nice
9234
9235header __RCD_RDNS_OB X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\boutbounds?[^a-z]/i
9236tflags __RCD_RDNS_OB nice
9237
9238header __RCD_RDNS_SMTP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bsmtps?[^a-z]/i
9239tflags __RCD_RDNS_SMTP nice
9240
9241header __RCD_RDNS_SMTP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*smtp/
9242tflags __RCD_RDNS_SMTP_MESSY nice
9243
46cfc9e2 9244header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\srdns=\S+\.edu\s/i
b780ea8d
SI
9245
9246meta __RCVD_DOTEDU_SHORT __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 )
9247
9248meta __RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI )
9249
46cfc9e2 9250header __RCVD_DOTGOV_EXT X-Spam-Relays-External =~ /\srdns=\S+\.gov\s/i
b780ea8d
SI
9251
9252header __RCVD_ZIXMAIL X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net /
9253
9254header __RDNS_LONG X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{30}/
9255
9256header __RDNS_NO_SUBDOM X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\.\w+ /
9257
9258header __RDNS_NUMERIC_TLD X-Spam-Relays-External =~ /\srdns=\S+\.\d+\s/
9259
9260header __RDNS_SHORT X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{4,14} /
9261
9262body __RECEIVE_BONUS /\byou(?:'ll)?(?: also| will)* (?:rec[ei]*ve|get|earn|collect|be (?:awarded|handed|remitted|given|paid|(?:greeted|welcomed|started) with)) (?:an? )?(?:gift|bonus|extra)(?: of|:)? \$[\d,]+/i
9263
9264header __RELAY_THRU_WWW Received =~ /from (?:[^ \@]+\@)?www\./
9265
9266body __RELEASE_MESSAGES /\b(?:release messages|(?:retrieve|release|download) your(?: undelivered|unreceived|held|pending)? e?-?mails|(?:e?-?mails|messages).{1,20}download them now)\b/i
9267
9268ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
9269 meta __REMOTE_IMAGE (__HTML_IMG_ONLY || __HTML_LINK_IMAGE) && !(__SUBSCRIPTION_INFO || __VIA_ML || __SENDER_BOT || __ANY_IMAGE_ATTACH)
9270endif
9271
9272if (version >= 3.004002)
9273ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9274header __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD')
9275endif
9276endif
9277
151f49fd
SI
9278header __REPLYTO_NOREPLY Reply-To =~ /\bno-?reply@/i
9279
dfdd1e08 9280header __REPTO_419_FRAUD_AOL_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.|ljaber)|c(?:hanprivacy|laimdept|ristinabruno|ustom_service)|dhodgkins|evelynjoshua|f(?:d\.|ernandezfernandez)|george_clifford|hernandezrosemary|k\.doreen|l(?:erynnewest|ynnpage)|m(?:_l\.wanczyk|asayohara|rsjanetedwards)|officework|paulpollard|royalpalace|spwalker|usembassy|yurdaaytarkan))\d+\@aol\.com$/i
b780ea8d 9281
54c714b2 9282header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:9porssts|a(?:\.wafager|b(?:dullahmundani|u(?:lkareem|shadi))|cecere|isha1976gaddafi|l(?:an\.austin|ex(?:anderpeterson|hoffman)|ghafrij|icedoris|kasimunadi|l(?:enholden|isoncluade)|ure\.wawrenka)|m(?:bassadormarybethleonardl|ericadeliverycomapny|ina(?:ltwaijiri|medjahed))|n(?:dyfox|na(?:llee|sigurlaug)|thonyjblinken)|office1office|radka|shwestwood|tmcarddepartment|ustinbillmark|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|rister(?:clarkephillips|lordruben)|teld\.huisman))|bongo|e(?:alitoniua|linekra|n(?:ezero|gatl|jaminsarah)|tsyholden)|ill\.lawrence|mwautomobile|oarddept|rendalaporte|uffettwarrene)|c(?:eda\.ogada|h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|laxtonpaul|o(?:lombasjuan|ntactad)|rist(?:brun?|davis|ydavis(?:donation|foundation))|ustomerservicelacaixa)|d(?:a(?:nnuar|vi(?:d(?:\.loanfirm|larbi|pere|ramirez\.luis)|scarolyn|yax))|e(?:nnisclark|partmentofstate)|hlexpresscompany|minique|ona(?:ldwilliam|tionhelpercare)|r(?:davidrhama|rhamahassan)|unsilva)|e(?:benezero|christina|dmundventura|l(?:i(?:bethgomez|sabeth(?:gmuer|maria)|zabethedw)|o(?:diesawadogo|tocashoffice))|m(?:efieleg?|ilyrichmond)|ngr\.des|re(?:nakgeorge|zcelic)|stherkatherine|wynn)|f(?:\.mikhail|a(?:ithdesrie|rahwasam|tme\.mehmed)|blott|irstbank|r(?:a(?:100dub|n(?:c(?:es(?:\.connelly|patrickconnolly)|iscamendoza)|k(?:j(?:ane|ody)|linpiesie)))|eelottosweepstake)|spero|ulanlan)|g(?:00gleggewinner|a(?:briel(?:eschmitt|kalia)|rciavincent)|bill|e(?:neralwilliamstony|orgekwame|raldjhjh)|i(?:idp|ocastano)|l(?:enmoore|oriachow)|oo(?:golteam|oglegwiinner)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:gate|ryebert)|sh(?:imyreem|mireem)|zimissa)|e(?:atherbrooeke|ctor(?:castillos|scastillo)|lengiggs|ritagetrustbank)|gold|ildad|o(?:nmackjohn|rnbeckmajordennis|seoky))|i(?:b(?:ed|rahimelizabeth)
|mfdeputyoff|n(?:fo\.(?:annedouglas|marviswanczyk)|gridrolle)|rvinekim|smail(?:eman|tarkan))|j(?:a(?:mesokoh|vierlesme)|efferydean|o(?:edward|hn(?:griffn|nietaylor|r(?:awlings|oxfordjr)|sonwilson|uba|walterlove|a)|n(?:a(?:haskel|thanhaskel)|hugo)|seph(?:acevedo|babatunde|ichael)|vannyanderson)|rawlings|uliewatson)|k(?:a(?:l(?:iaksandr|tschmidtdavid)|malnizar|rabo\.ramala|t(?:jamess|rinaziako))|ennedy\.sawadogo|halidbuhazza|kasbu|r(?:istinewellenstein|nkl)|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:enasinghs|rynne(?:0west|west))|i(?:amfinchus|fecshortt|liane\.bettencourt|nelink|sa(?:milner|robin))|john|oughreymargaret|s(?:arbn|chantal)|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|diawright|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:incare|jor(?:dennishornbeck|townsend)|lletman|n(?:duesq|fran|uelfranco(?:(?:donation|foundation|spende))?)|r(?:i(?:ahhills|opabl)|kroth|shalh|tinamayer|y(?:franson|josen))|u(?:hin|rhinck)|viswan(?:czyk(?:(?:foundation|k))?)?)|brons|c\.cheadychang|dredban|el(?:aniekreiss|vidabullock)|gfrederick|i(?:c(?:h(?:ael\.woosley|ealwuu)|w)|k(?:e\.weirsky\.foundational|hai(?:\.fridman|lfridm))|ntonjustin|ss\.yasmineibrahim)|k(?:ent|untjoro)|mrstephen|oham(?:edabdul|m(?:daljililati|edshamekh))|r(?:\.(?:elbahi\.mohammed\.|justinmaxwell|tonyelumelu)|cjames|ericschmid|hanimuhammad|jamesmc|morgangomez|richardanthony|s(?:\.susanread|a(?:ishaalqadafi|ngela|shaalqaddfi)|dominiquethomas|evelynbrown|fatimaamiraqureshi|hamima|jackman|lisamilner|ma(?:riaelizabethscheffle|ureens|yaoliver)|r(?:eem|obinsanders|uthsmith)|sarahbenjamin|victoriaedmond))|s(?:\.ellagolan|agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|icholas\.jose|obuyuki\.hirano)|o(?:\.peace|ffice(?:emaill|rricherd)|hallkenneth|lenasheve|rabankheadofficelometogo|xfaminternationa)|p(?:aul(?:eed|n)|b(?:ph202lay|rookk)|e(?:rezdonlorenzo|ter(?:\.waddell|guggi|kenin|stephen))|hillip\.richead)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymondaba)|e(?:alyh|beccagarang|em(?:has(?:himy|m
)|n)|plyback|v(?:\.jamesabel|fr(?:ankjackson|paulwilliams)))|icha(?:miller|rdw(?:ahl|illis))|main|o(?:b(?:erthanandez|inf)|naldmorris|s(?:a\.gomes|ekipkalya))|raya|t\.rev\.ericmark|uddicklana)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cott(?:henryjames|peters)|e(?:cretservicce|rgeantrobertbrown)|gt(?:\.monicab|ireneb)|h(?:anemissler|ery(?:\.gtl|etr)|inawatrathaksin)|im(?:lkheng|onhei)|op(?:adam|hiajesse)|peelman|t(?:anleyjohn|ephentam)|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:a(?:mmywebster|y(?:ebsouami|lorcathy))|e(?:nreyrosilvana|rryparkins)|h(?:ailandbankoffice|e(?:ara\.choy|odorosloannis))|imothymetheny|lyerdonald|o(?:m(?:ander|c(?:hrist|rist(?:(?:donation|foundation))?)|spende)|ny(?:\.chung|robins|zimpro)|shikazusendo))|u(?:derleyen|marukareem|n(?:claimedfunds|ited(?:bankforafrica\.plc|nation(?:organization|s)))|s(?:alotery|departmentofjustice))|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut)|johannes)|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|ellensteinfoundation|hatsappofficial|i(?:elandherzog\.sw\.herad|ll(?:clark|iamsmartyrs))|u\.office|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo|o(?:ngkm|usefzongo))|z(?:bank|enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i
b780ea8d 9283
54c714b2 9284header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|ilmohammed|lesiakalina|nnhester\.usa)|b(?:ank\.phbng|e(?:linekra|n(?:jaminb|nicholas))|riceangela)|c(?:\.aroline|h(?:arlesscharf|jackson)|juan|ythiamiller\.un)|dhamilton|e(?:denvictor|ricalbert)|federal\.r|j(?:a(?:ckson\.davis|netemoon)|kimyong)|k(?:altschmidtdavid|elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|hman)|isarobinson_|y_cheapiseth)|m(?:\.kogi|arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye))|o(?:biorahkenneth|legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|o(?:bertbailey|serichard))|s(?:amthong|igurlauganna|leo|oftc|pwalker|te(?:fanopessina|vecox\.))|tylerhess\.|vanserge|will(?:clark|smi)|xianglongdai))\d+\@yahoo\.com$/i
b780ea8d
SI
9285
9286header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i
9287
9288header __REPTO_RUS_FREEM Reply-To =~ /\@mail\.ru/i
9289
9290if !((version >= 3.003000))
9291 meta __RP_MATCHES_RCVD 0
9292endif
9293
9294if (version >= 3.003000)
9295if !plugin(Mail::SpamAssassin::Plugin::WLBLEval)
9296 meta __RP_MATCHES_RCVD 0
9297endif
9298endif
9299
9300if (version >= 3.003000)
9301ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9302 header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
9303endif
9304endif
9305
9306body __SCAM /\bscam(?:m?e[dr])?s?\b/i
9307
151f49fd
SI
9308body __SCC_BODY_TEXT_LINE_FULL /^\s*\S/
9309tflags __SCC_BODY_TEXT_LINE_FULL multiple maxhits=3
fc5290a3 9310
dfdd1e08
SI
9311ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9312mimeheader __SCC_BOGUS_CTE_1 Content-Transfer-Encoding =~ /^Hexa/i
9313endif
46cfc9e2 9314
dfdd1e08
SI
9315ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9316mimeheader __SCC_CTMPP Content-Type =~ /multipart\/parallel/
9317endif
46cfc9e2 9318
151f49fd 9319header __SCC_SUBJECT_HAS_NON_SPACE Subject =~ /\S/
fc5290a3 9320
b780ea8d
SI
9321body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i
9322
9323header __SENDER_BOT ALL =~ /(?:not?\W?repl[yi]|bounce|contact|daemon|subscri|report|respon[ds]e?r?s?\b|\b(?:root|news|nobody|agent|(?:post|web)?master|manag|send(?:er|ing)?|out|(?:bot|web|www)\b))[^\@ >]{0,5}s?\@\w/i
9324tflags __SENDER_BOT nice
9325
9326uri __SENDGRID_REDIR m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=,
9327
31955ede 9328meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || __FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ )
b780ea8d
SI
9329
9330body __SHARE_IT /\b(?:(?:share|allocate|teilen|parteger(?:ez|ons)?|partage)\s(?:th(?:e|is)|das|les?|des)\s(?:proceeds|funds?|money|balance|account|geld|compte|fonds)|partager(?:ez|ons)? (?:avec (?:vous|moi)|ratio|suivant un pourcentage))\b/i
9331
31955ede 9332meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY && !__HDR_ENVFROM_SHOPIFY
46cfc9e2 9333
b780ea8d
SI
9334uri __SHORT_URL /^https?:\/\/[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/
9335
151f49fd
SI
# Raw-body rules for the words "expire" and "password" written with up to
# three <SHY> sequences between consecutive letters. The negative lookahead
# after the first letter rejects the unbroken word, so at least one inserted
# sequence is needed for a hit.
# <SHY> is a ReplaceTags tag; its definition and the replace_rules line that
# activates it for these rules are not in this part of the file.
# NOTE(review): presumably <SHY> stands for soft-hyphen encodings used to
# break up keywords that content filters look for - confirm at the tag
# definition.
9336ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9337 rawbody __SHY_OBFU_EXPIRE /e(?!xpire)<SHY>{0,3}x<SHY>{0,3}p<SHY>{0,3}i<SHY>{0,3}r<SHY>{0,3}e/i
9338endif
9339
9340ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9341 rawbody __SHY_OBFU_PASSWORD /p(?!assword)<SHY>{0,3}a<SHY>{0,3}s<SHY>{0,3}s<SHY>{0,3}w<SHY>{0,3}o<SHY>{0,3}r<SHY>{0,3}d/i
9342endif
9343
b780ea8d
SI
9344body __SINGLE_WORD_LINE /^\s?\S{1,60}\s?$/
9345tflags __SINGLE_WORD_LINE multiple maxhits=2
9346
9347header __SINGLE_WORD_SUBJ Subject =~ /^\s*\S{1,60}\s*$/
9348
9349header __SMIME_MESSAGE Content-Type =~ /application\/pkcs7-mime;/i
9350
9351rawbody __SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/
9352tflags __SPAN_BEG_TEXT multiple maxhits=5
9353
9354rawbody __SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/
9355tflags __SPAN_END_TEXT multiple maxhits=5
9356
# SPF summary metas. When the SPF plugin is not loaded, both names are pinned
# to 0 so that metas depending on them still resolve and simply never fire.
# With the plugin loaded:
#   __SPF_FULL_PASS     - both SPF_PASS and SPF_HELO_PASS hit.
#   __SPF_RANDOM_SENDER - SPF_HELO_PASS hits but SPF_PASS does not.
# "tflags net" marks both as dependent on network tests.
# NOTE(review): an SPF pass covers the identities SPF itself checks, not the
# address shown in the From: header, so __SPF_FULL_PASS alone should not be
# read as proof that the visible sender is genuine.
9357if !plugin(Mail::SpamAssassin::Plugin::SPF)
9358 meta __SPF_FULL_PASS 0
9359endif
9360
9361ifplugin Mail::SpamAssassin::Plugin::SPF
9362 meta __SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS)
9363 tflags __SPF_FULL_PASS net
9364endif
9365
9366if !plugin(Mail::SpamAssassin::Plugin::SPF)
9367 meta __SPF_RANDOM_SENDER 0
9368endif
9369
9370ifplugin Mail::SpamAssassin::Plugin::SPF
9371 meta __SPF_RANDOM_SENDER (SPF_HELO_PASS && !SPF_PASS)
9372 tflags __SPF_RANDOM_SENDER net
9373endif
9374
9375meta __SPOOFED_FREEMAIL !__NOT_SPOOFED && FREEMAIL_FROM
9376tflags __SPOOFED_FREEMAIL net
9377
9378meta __SPOOFED_FREEM_REPTO __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO
9379tflags __SPOOFED_FREEM_REPTO net
9380
# Link whose visible text shows a different URL than its target: captures the
# start of the href value of an <a> tag (9-30 characters beginning with
# "http:" or "https:", allowing a quoted-printable "=3D" and one quote
# character in front), skips up to 99 nested non-</a> tags, and then requires
# the link text to begin with an http(s) URL that does not start with the
# captured string. The comparison therefore covers only that captured prefix
# of the href, not the full URL.
# This is the classic phishing pattern where the displayed address and the
# real destination disagree.
9381rawbody __SPOOFED_URL m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i
9382
9383meta __STATIC_XPRIO_OLE __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE
9384
9385body __STAY_HOME /\b(?:going out of|leaving)(?: your)? (?:home|house|residence)\b/i
9386
9387body __STOCK_TIP /\bsto[ck]{2}\s?tip\b/i
9388
# Hidden-content detection. __STY_INVIS matches a double-quoted style="..."
# attribute in the raw body that sets "visibility: hidden" (not preceded by a
# "-", which excludes properties such as backface-visibility) or
# "display: none" within the first 80 characters of the attribute value. Hits
# are counted up to six per message (multiple maxhits=6).
# The metas below turn that count into thresholds:
#   _1    exactly one hit          _2   more than one
#   _3    more than two            _MANY more than five (i.e. the cap of six)
#   _1_MINFP  one hit, and neither MIME_QP_LONG_LINE nor __MOZILLA_MSGID
#   _DIRECT   any hit together with __DOS_DIRECT_TO_MX_UNTRUSTED
# Everything is guarded by can(...feature_bug6558_free), so none of these
# names are defined when that feature is not available.
9389if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9390 rawbody __STY_INVIS /\bstyle\s*=\s*"[^">]{0,80}(?:(?<!-)visibility\s*:\s*hidden\s*|display\s*:\s*none\s*)[;"!]/i
9391 tflags __STY_INVIS multiple maxhits=6
9392endif
9393
9394if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9395 meta __STY_INVIS_1 __STY_INVIS == 1
9396endif
9397
9398if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
46cfc9e2 9399 meta __STY_INVIS_1_MINFP __STY_INVIS_1 && !MIME_QP_LONG_LINE && !__MOZILLA_MSGID
b780ea8d
SI
9400endif
9401
9402if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9403 meta __STY_INVIS_2 __STY_INVIS > 1
9404endif
9405
9406if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9407 meta __STY_INVIS_3 __STY_INVIS > 2
9408endif
9409
9410if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9411 meta __STY_INVIS_DIRECT __STY_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED
9412endif
9413
9414if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9415 meta __STY_INVIS_MANY __STY_INVIS > 5
9416endif
9417
9418header __SUBJECT_EMPTY Subject:raw =~ /^\s*$/
9419
9420meta __SUBJECT_PRESENT_EMPTY __HAS_SUBJECT && __SUBJECT_EMPTY
9421
9422header __SUBJ_ADMIN Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i
9423
9424meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU
9425
9426header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/
9427tflags __SUBJ_BROKEN_WORD multiple maxhits=2
9428
9429meta __SUBJ_DOM_ADMIN __SUBJ_ADMIN && __PDS_FROM_NAME_TO_DOMAIN
9430
151f49fd 9431 header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*Subject: [^\n]{0,100}\1[>,:\s\n]/ism
b780ea8d 9432
151f49fd 9433header __SUBJ_HAS_TO_1 ALL =~ /\nTo: (?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n+(?:[^\n]{1,200}\n+)*Subject: [^\n]{0,100}\1[^a-z0-9]/ism
b780ea8d 9434
151f49fd 9435header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n+)*Subject: [^\n]{0,100}\1[^a-z0-9]/ism
b780ea8d 9436
151f49fd 9437header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n+)*To: [^\n]{0,100}\1[^a-z0-9.]/ism
b780ea8d
SI
9438
9439header __SUBJ_NOT_SHORT Subject =~ /^.{16}/
9440
9441header __SUBJ_OBFU_PUNCT Subject =~ /(?:[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|(?:[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z](?![a-z])))/i
9442tflags __SUBJ_OBFU_PUNCT multiple maxhits=4
9443
9444header __SUBJ_RE Subject =~ /^(?:R[eE]|S[vV]|V[sS]|A[wW]):/
9445
9446header __SUBJ_SHORT Subject =~ /^.{0,8}$/
9447
54c714b2
SI
9448header __SUBJ_UNNEEDED_HTML Subject =~ /%[0-9a-f][0-9a-f]/i
9449tflags __SUBJ_UNNEEDED_HTML multiple maxhits=3
9450
b780ea8d
SI
9451header __SUBJ_USB_DRIVES Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/
9452
9453body __SUBSCRIPTION_INFO /\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/i
9454tflags __SUBSCRIPTION_INFO nice
9455
9456body __SUM_OF_FUND /\b(?:sum|release|freigabe)\s(?:of|der)\s(?:amount|fund|investment|mittel)\b/i
9457
9458body __SURVEY /\bsurvey\b/i
9459
9460body __SURVIVORS /\b(?:widow|son|daughter|husband|wife|brother|sister|attorney|vi(?:=FA|[\xfa]|[\xc3][\xba])va|esposa|veuve)\s(?:of|to|do|de)\s(?:the\s)?(?:late|falecido|finales|feu|d(?:e|=E9|[\xe9]|[\xc3][\xa9])funt|mr\.?)\s\w+\b/i
9461
9462body __SUSPICION_LOGIN /\bsuspicion login\b/i
9463
9464body __SYSADMIN /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management|security|admin(?:istrat(?:or|ion))?) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i
9465
46cfc9e2
SI
9466meta __TAGSTAT_IMG_NOT_RCVD_TGST __URI_IMG_TAGSTAT && !__HDR_RCVD_TAGSTAT
9467
31955ede
SI
9468meta __TARINGANET_IMG_NOT_RCVD_TN __URI_IMG_TARINGANET && !__HDR_RCVD_TARINGANET
9469
b780ea8d
SI
9470header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/
9471
9472rawbody __TENWORD_GIBBERISH /^\s*(?:[a-z]+\s+){10}\.$/m
9473tflags __TENWORD_GIBBERISH multiple maxhits=21
9474
46cfc9e2
SI
9475ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9476 mimeheader __TEXT_XML_MT Content-Type =~ m,\btext/xml\b,i
9477endif
9478
b780ea8d
SI
9479body __THEY_INHERIT /\b(?:inherit\sth(?:e|is)\smoney|herede\sest[ea]\sdinero)\b/i
9480
9481body __THIS_AD /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i
9482
9483meta __THREADED (!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF)
9484tflags __THREADED nice
9485
151f49fd 9486header __THREAD_INDEX_GOOD Thread-Index =~ m,^A[A-Za-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==|[A-Za-z0-9+/]{7}|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$,
b780ea8d
SI
9487
9488header __TO_ALL_NUMS To:addr =~ /^\d+@/
9489
9490meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX
9491
fc5290a3
SI
9492meta __TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE
9493
54c714b2
SI
9494meta __TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FROM_DOM && MIME_HTML_ONLY
9495
b780ea8d
SI
9496if !plugin(Mail::SpamAssassin::Plugin::SPF)
9497 meta __TO_EQ_FM_DOM_SPF_FAIL 0
9498endif
9499
9500ifplugin Mail::SpamAssassin::Plugin::SPF
9501 meta __TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FROM_DOM && SPF_FAIL
9502 tflags __TO_EQ_FM_DOM_SPF_FAIL net
9503endif
9504
151f49fd
SI
9505meta __TO_EQ_FM_HTML_ONLY __TO_EQ_FROM && MIME_HTML_ONLY
9506
b780ea8d
SI
9507if !plugin(Mail::SpamAssassin::Plugin::SPF)
9508 meta __TO_EQ_FM_SPF_FAIL 0
9509endif
9510
9511ifplugin Mail::SpamAssassin::Plugin::SPF
9512 meta __TO_EQ_FM_SPF_FAIL __TO_EQ_FROM && SPF_FAIL
9513 tflags __TO_EQ_FM_SPF_FAIL net
9514endif
9515
9516meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2)
9517describe __TO_EQ_FROM To: same as From:
9518
151f49fd 9519header __TO_EQ_FROM_1 ALL =~ /\nFrom: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To: (?:[^\n]{0,80}<)?\1[>,\s\n]/ism
b780ea8d 9520
151f49fd 9521header __TO_EQ_FROM_2 ALL =~ /\nTo: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From: (?:[^\n]{0,80}<)?\1[>,\s\n]/ism
b780ea8d
SI
9522
9523meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2)
9524describe __TO_EQ_FROM_DOM To: domain same as From: domain
9525
151f49fd 9526header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom: [^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To: [^\n]+@\1[>,\s\n]/ism
b780ea8d 9527
151f49fd 9528header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo: [^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From: [^\n]+@\1[>,\s\n]/ism
b780ea8d
SI
9529
9530meta __TO_EQ_FROM_USR (__TO_EQ_FROM_USR_1 || __TO_EQ_FROM_USR_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)
9531describe __TO_EQ_FROM_USR To: username same as From: username
9532
fc5290a3 9533header __TO_EQ_FROM_USR_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism
b780ea8d 9534
fc5290a3 9535header __TO_EQ_FROM_USR_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*From:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism
b780ea8d
SI
9536
9537meta __TO_EQ_FROM_USR_NN (__TO_EQ_FROM_USR_NN_1 || __TO_EQ_FROM_USR_NN_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)
9538describe __TO_EQ_FROM_USR_NN To: username same as From: username sans trailing nums
9539
fc5290a3 9540header __TO_EQ_FROM_USR_NN_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism
b780ea8d 9541
fc5290a3 9542header __TO_EQ_FROM_USR_NN_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*From:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism
b780ea8d
SI
9543
9544meta __TO_EQ_FROM_USR_NN_MINFP __TO_EQ_FROM_USR_NN && !__TO_EQ_FROM_USR_1 && !__TO_EQ_FROM && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__DKIM_EXISTS && !__NOT_SPOOFED && !__RCD_RDNS_SMTP && !__RCD_RDNS_MX_MESSY && !__THREADED
9545
9546meta __TO_IN_SUBJ (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3)
9547
9548header __TO_NO_ARROWS_R To !~ /(?:>$|>,)/
9549
9550if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
9551 meta __TO_NO_BRKTS_FREEMAIL 0
9552endif
9553
9554ifplugin Mail::SpamAssassin::Plugin::FreeMail
9555 meta __TO_NO_BRKTS_FREEMAIL __TO_NO_ARROWS_R && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
9556endif
9557
9558meta __TO_NO_BRKTS_FROM_RUNON __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && __FROM_RUNON
9559
9560meta __TO_NO_BRKTS_HTML_IMG __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMG
9561
9562meta __TO_NO_BRKTS_HTML_ONLY __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLY
9563
9564meta __TO_NO_BRKTS_MSFT __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
9565
9566meta __TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_HTML_ONLY && RDNS_NONE
9567
9568meta __TO_NO_BRKTS_PCNT __TO_NO_ARROWS_R && __FB_NUM_PERCNT
9569
151f49fd
SI
9570header __TO_TOO_MANY To =~ /(?:,[^,]{1,90}){30}/
9571
b780ea8d
SI
9572meta __TO_TOO_MANY_WFH_01 __TO_WAY_TOO_MANY && __WFH_01
9573
9574header __TO_UNDISCLOSED To =~ /\b(?:undisclosed[-\s]recipients|destinataires inconnus|destinatari nascosti)\b/i
9575
9576header __TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,90}){50}/
9577
9578body __TO_YOUR_ACCT /\b(?:(?:f[uo]nds|money|f[uo]ndo|dinheiro|bank)\s(?:\w{1,10}\s){0,4}(?:transfer(?:red)?|transferido|sont)|\d+)\s(?:to|para|en)\s(?:your?|sua|votre)\s(?:account|conta|pos+es+ion)/i
9579
9580body __TO_YOUR_ORG /\b(?:to|for) your organi[sz]ation\b/i
9581
151f49fd 9582header __TO___LOWER ALL =~ /to: \S{5}/
b780ea8d 9583
151f49fd 9584body __TRANSFORM_LIFE /\b(?:transform|change) your (?:daily )?life(?:style)?\b/i
b780ea8d
SI
9585
9586body __TRAVEL_AGENT /\btravel\sagen(?:t|cy)\b/i
9587
9588body __TRAVEL_BUSINESS /\bbusiness\stravel\b/i
9589
9590body __TRAVEL_ITINERARY /(?:travel|ticketed|your|current) itinerary/i
9591
9592meta __TRAVEL_MANY (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2
9593
9594body __TRAVEL_PROFILE /\btravel+er\sprofile\b/i
9595
9596body __TRAVEL_RESERV /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i
9597
9598body __TRTMT_DEFILED /\bdefiled\sall\s(?:forms\sof\s)?(?:medical\s)?treatments?\b/i
9599
9600body __TRUNK_BOX /\b(?:(?:trunk|metallic|proof|security|consignment)\sbox(?:es)?|sealed\ssafe|une mallette m(?:e|=E9|[\xe9]|[\xc3][\xa9])tallique)\b/i
9601
9602body __TRUSTED_CHECK /\b(?:cashier'?s?|certified)\sche(?:ck|que)/i
9603
9604header __TT_BROKEN_VALIUM Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i
9605
9606header __TT_BROKEN_VIAGRA Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i
9607
151f49fd 9608header __TT_OBSCURED_VALIUM Subject =~ /(?:v|V|\\\/)(?:a|A|\(a\)|4|@)(?:l|L|\|)(?:i|I|1|\xef|\|)(?:u|U|\(u\))(?:m|M)/
b780ea8d 9609
151f49fd 9610header __TT_OBSCURED_VIAGRA Subject =~ /(?:v|V|\\\/)(?:i|I|1|\xef|\|)(?:a|A|\(a\)|4|@)(?:g|G)(?:r|R)(?:a|A|\(a\)|4|@)/
b780ea8d
SI
9611
9612header __TT_VALIUM Subject =~ /VALIUM/i
9613
9614header __TT_VIAGRA Subject =~ /VIAGRA/i
9615
9616ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9617mimeheader __TVD_FW_GRAPHIC_ID1 Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/
9618endif
9619
9620ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9621mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i
9622endif
9623
9624ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9625mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i
9626endif
9627
9628ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9629mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i
9630endif
9631
9632ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9633mimeheader __TVD_OUTLOOK_IMG Content-Id =~ /<image\d+\.(?:gif|jpe?g|png)\@/
9634endif
9635
# Phishing phrase sub-rules for the message body, all case-insensitive. They
# cover account-restriction notices (_01), "records ... feature/award/reward"
# (_02), "you have been ... payment" (_03), funds moving "to your ... account"
# with the lookaheads excluding "funds from/in/via" and "funds transfer from"
# (_04), "this is ... protect ... your" (_05), "Dear <word> bank
# member/customer" (_06), account-safety guarantees (_07) and "multiple
# password failures" (_08).
# The "(?:[a-z_,-]+ )+?" / "*?" groups let a few filler words sit between the
# fixed parts of each phrase.
# __TVD_PH_BODY_META is true when any of _01 to _08 hits. The two ACCOUNTS
# rules (verb ... account / account ... status word) are not part of that meta
# as defined here; any use of them is outside this part of the file.
9636body __TVD_PH_BODY_01 /\baccount .{0,20}placed? [io]n restricted status/i
9637
9638body __TVD_PH_BODY_02 /\brecords (?:[a-z_,-]+ )+?(?:feature|(?:a|re)ward)/i
9639
9640body __TVD_PH_BODY_03 /\byou(?:'ve| have) been (?:[a-z_,-]+ )+?payment/i
9641
9642body __TVD_PH_BODY_04 /\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/i
9643
9644body __TVD_PH_BODY_05 /\bthis is (?:[a-z_,-]+ )+?protect (?:[a-z_,-]+ )+?your/i
9645
9646body __TVD_PH_BODY_06 /Dear [a-z]+ bank (?:member|customer)/i
9647
9648body __TVD_PH_BODY_07 /\bguarantee the safety of your (?:[a-z_,-]+ )*?account/i
9649
9650body __TVD_PH_BODY_08 /\bmultiple password failures/i
9651
9652body __TVD_PH_BODY_ACCOUNTS_POST /\b(?:(?:[dr]e-?)?activat[a-z]*|(?:re-?)?validate|secure|restore|confirm|update|suspend) (?!your)(?:[a-z_,-]+ )+?accounts?\b/i
9653
9654body __TVD_PH_BODY_ACCOUNTS_PRE /\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i
9655
9656meta __TVD_PH_BODY_META __TVD_PH_BODY_01 || __TVD_PH_BODY_02 || __TVD_PH_BODY_03 || __TVD_PH_BODY_04 || __TVD_PH_BODY_05 || __TVD_PH_BODY_06 || __TVD_PH_BODY_07 || __TVD_PH_BODY_08
9657
# Phishing phrase sub-rules for the Subject header, all case-insensitive.
# The numbering has gaps; only the rules defined here are referenced by
# __TVD_PH_SUBJ_META at the end of this group.
9658header __TVD_PH_SUBJ_00 Subject =~ /\brewards? survey\b/i
9659
9660header __TVD_PH_SUBJ_02 Subject =~ /\byour payment has been sent\b/i
9661
9662header __TVD_PH_SUBJ_04 Subject =~ /\baccounts? profile\b/i
9663
9664header __TVD_PH_SUBJ_15 Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i
9665
9666header __TVD_PH_SUBJ_17 Subject =~ /\bremove limitations?\b/i
9667
9668header __TVD_PH_SUBJ_18 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i
9669
9670header __TVD_PH_SUBJ_19 Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i
9671
# Subject that starts with "notice:" or consists of "notice" followed only by
# whitespace or punctuation.
9672header __TVD_PH_SUBJ_29 Subject =~ /^notice(?::|[\s\W]*$)/i
9673
9674header __TVD_PH_SUBJ_31 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i
9675
9676header __TVD_PH_SUBJ_36 Subject =~ /\bconsumer notice\b/i
9677
9678header __TVD_PH_SUBJ_37 Subject =~ /\bvalued member[a-z]*\b/i
9679
9680header __TVD_PH_SUBJ_38 Subject =~ /\bonline bank[a-z]*\b/i
9681
9682header __TVD_PH_SUBJ_39 Subject =~ /\bonline department\b/i
9683
9684header __TVD_PH_SUBJ_41 Subject =~ /\bunusual activity\b/i
9685
# Overlaps __TVD_PH_SUBJ_04 for "account profile"; additionally covers
# "online profile".
9686header __TVD_PH_SUBJ_52 Subject =~ /\b(?:account|online) profile\b/i
9687
9688header __TVD_PH_SUBJ_54 Subject =~ /\bun-?authorized access(?:es)?\b/i
9689
9690header __TVD_PH_SUBJ_56 Subject =~ /\brespond now\b/i
9691
9692header __TVD_PH_SUBJ_58 Subject =~ /\bbilling service\b/i
9693
9694header __TVD_PH_SUBJ_59 Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i
9695
# Action or status word, optional filler words, then "access".
9696header __TVD_PH_SUBJ_ACCESS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i
9697
# True when any one of the Subject sub-rules above hits.
9698meta __TVD_PH_SUBJ_META __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST
9699
fc5290a3
SI
# Combines __TVD_SPACE_RATIO with a base64-encoded Subject that is not the
# UTF-8 "B" encoding. The three inputs are defined elsewhere in the file.
9700meta __TVD_SPACE_ENCODED (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED)
9701
b780ea8d
SI
# Fallback used when the BodyEval plugin is not loaded: defines
# __TVD_SPACE_RATIO as a constant 0 (never hit), so metas that reference the
# name still have a definition. The real rule is not in this part of the file.
9702if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
9703 meta __TVD_SPACE_RATIO 0
9704endif
9705
# Subject containing 3+ letters, then digits, then 2+ letters with nothing in
# between (digits embedded inside a word).
9706header __TVD_SUBJ_NUM_OBFU Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i
9707
# Any one of three "short message" sub-rules defined elsewhere.
9708meta __T_PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512 || __PDS_QP_512)
9709
# User-Agent prefix sub-rules, one per mail or news client. All are anchored
# at the start of the header value and are case-sensitive. The header is
# written by the sending side, so a hit says what the message claims to have
# been composed with, nothing more.
9710header __UA_GNUS User-Agent =~ /^Gnus/
9711
9712header __UA_KMAIL User-Agent =~ /^KMail/
9713
9714header __UA_KNODE User-Agent =~ /^KNode/
9715
9716header __UA_MOZ5 User-Agent =~ /^Mozilla\/5/
9717
9718header __UA_MSOEMAC User-Agent =~ /^Microsoft-Outlook-Express-Mac/
9719
# Requires three "digits." groups after the slash.
9720header __UA_MSOMAC User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/
9721
9722header __UA_MUTT User-Agent =~ /^Mutt/
9723
9724header __UA_OPERA7 User-Agent =~ /^Opera7/
9725
9726header __UA_PAN User-Agent =~ /^Pan/
9727
9728header __UA_XNEWS User-Agent =~ /^Xnews/
9729
# A word, then a run of 16 or more uppercase letters (optionally followed by
# one lowercase letter), then another word. Case-sensitive. The tflags line
# lets the rule count up to two hits per message.
9730body __UC_GIBB_OBFU /\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/
9731tflags __UC_GIBB_OBFU multiple maxhits=2
9732
# "united nation" or "united nations", any single whitespace between the words.
9733body __UN /\bunited\snations?\b/i
9734
# Undisclosed-recipients To header combined with a freemail Reply-To.
9735meta __UNDISC_FREEM __TO_UNDISCLOSED && __freemail_replyto
9736
# Undisclosed-recipients To header combined with advance-fee or large-sum
# wording. Note that LOTS_OF_MONEY is a named (non-"__") rule used as an input.
9737meta __UNDISC_MONEY __TO_UNDISCLOSED && (__ADVANCE_FEE_2_NEW || LOTS_OF_MONEY)
9738
# Unicode obfuscation sub-rules. Each definition is wrapped in a capability
# check, so none of these names exists on an engine that does not report
# feature_bug6558_free.

# Mixed-script words: an ASCII letter, digit or space, then one or more of
# the byte pairs \xd0\xb0, \xd0\xb5, \xd0\xbe, \xd1\x80, \xd1\x81, then 1-8
# ASCII characters, then more of the same byte pairs. As UTF-8 these pairs
# are U+0430, U+0435, U+043E, U+0440 and U+0441: Cyrillic letters that look
# like Latin a, e, o, p and c. Counted up to 10 times per message.
9739if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9740 body __UNICODE_OBFU_ASC /[a-z0-9\s](?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9]{1,8}(?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9\s]/i
9741 tflags __UNICODE_OBFU_ASC multiple maxhits=10
9742endif
9743
# Because the hit count is capped at 10, "> 9" is true only at the cap.
9744if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9745 meta __UNICODE_OBFU_ASC_MANY __UNICODE_OBFU_ASC > 9
9746endif
9747
# Invisible characters inside words: \xe2\x80\x8b, \x8c and \x8d are the UTF-8
# forms of U+200B, U+200C and U+200D (zero-width space, non-joiner, joiner);
# \xef\xbb\xbf is U+FEFF. A lone \x9d byte is accepted as well.
# The pattern needs two such runs separated by 1-8 ASCII characters, the
# first of which must not be whitespace. Counted up to 10 times per message.
9748if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9749 body __UNICODE_OBFU_ZW /[a-z0-9\s](?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+[a-z0-9\s]/i
9750 tflags __UNICODE_OBFU_ZW multiple maxhits=10
9751endif
9752
# Thresholds on the zero-width hit count: _10 means 10 hits (the cap),
# _2 at least 2, _3 at least 3, _5 at least 5.
9753if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9754 meta __UNICODE_OBFU_ZW_10 __UNICODE_OBFU_ZW > 9
9755endif
9756
9757if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9758 meta __UNICODE_OBFU_ZW_2 __UNICODE_OBFU_ZW > 1
9759endif
9760
9761if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9762 meta __UNICODE_OBFU_ZW_3 __UNICODE_OBFU_ZW > 2
9763endif
9764
9765if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9766 meta __UNICODE_OBFU_ZW_5 __UNICODE_OBFU_ZW > 4
9767endif
9768
# An e-mail address whose local part starts with an unsubscribe, abuse or
# opt-out word. Flagged "nice", i.e. treated as a ham indicator. The text is
# fully under the sender's control, so any scored rule built on this should
# require other evidence as well.
9769body __UNSUB_EMAIL /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b[-a-z_0-9.+=]{0,60}\@[a-z0-9][-a-z_0-9.]{4,20}(?:[^a-z_0-9.-]|$)/i
9770tflags __UNSUB_EMAIL nice
9771
dfdd1e08
SI
# "Unsubscribe" (the "u" before "s" and the "c" are optional in the pattern)
# followed by a Google Forms URL: the opt-out link points at a form, not at
# the sender's own list management.
9772body __UNSUB_GOOG_FORM m,Unsub?sc?ribe\s<?https?://docs\.google\.com/forms/,i
9773
b780ea8d
SI
# Same word list as __UNSUB_EMAIL, matched anywhere in a URI. Also "nice".
9774uri __UNSUB_LINK /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b/i
9775tflags __UNSUB_LINK nice
9776
# Mailbox "upgrade" / quota lures; the alternatives include English,
# Spanish ("cuenta"), Portuguese ("caixa de correio") and Polish phrases.
# NOTE(review): in "request (?:for )additional storage" the group has no "?",
# so "for " is mandatory and the grouping is redundant - confirm whether an
# optional "for " was intended.
9777body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:(?:[hw]as|and)\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage|you (?:have )?(?:failed|refused) to up(?:date|grade))\b/i
9778
# URI shape sub-rules. Patterns that begin with "://" or "/" are not anchored
# at the start of the URI, so they describe a substring of the URI; only the
# rules starting with "^" pin the match to the scheme and host.

# An uppercase letter that occurs before any ":" in the URI.
9779uri __UPPERCASE_URI /^[^:A-Z]+[A-Z]/
9780
# A label of exactly 12 letters directly followed by the final label.
9781uri __URI_12LTRDOM m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i
9782
9783uri __URI_ADOBESPARK m,https?://branchlink\.adobespark\.com/,i
9784
# NOTE(review): this rule has no "i" flag (likewise __URI_FIREBASEAPP below),
# unlike its neighbours - confirm whether hostnames are lowercased before
# uri rules run.
9785uri __URI_AZURE_CLOUDAPP m,://(?:[^./]+\.)+cloudapp\.azure\.com/,
9786
54c714b2
SI
9787uri __URI_CLOUDFLAREIPFS m,://cloudflare-ipfs\.com/ipfs/,i
9788
b780ea8d
SI
# Host ending in "-gov.com" or "-edu.com": a .com name dressed up to read
# like a government or education domain.
9789uri __URI_DASHGOVEDU m,://[^/]*-(?:gov|edu)\.com/,i
9790
# data: URI whose media type does not start with "image/".
9791uri __URI_DATA /^data:(?!image\/)[a-z]/i
9792
# A URL that embeds a second URL whose host repeats everything after the
# first label of the outer host (backreference \1). amazon.com is exempt.
9793uri __URI_DBL_DOM m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i
9794
b780ea8d
SI
# Host under the .edu top-level domain.
9795uri __URI_DOTEDU m;^https?://(?:[^./]+\.)+edu/;i
9796
9797meta __URI_DOTEDU_ENTITY __URI_DOTEDU && __AC_HTML_ENTITY_BONANZA_SHRT_RAW
9798
# Host under the .gov top-level domain.
9799uri __URI_DOTGOV m;^https?://(?:[^./]+\.)+gov/;i
9800
# Thirty consecutive ".hh" groups of two lowercase hex digits.
9801uri __URI_DOTTY_HEX /(?:\.[0-9a-f]{2}){30}/
9802
# Dotted-quad numeric host with "unsubscribe" later in the URI.
9803uri __URI_DQ_UNSUB m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i
9804
9805uri __URI_FIREBASEAPP m,://[^./]+\.firebaseapp\.com/,
9806
# Google Docs links: a view/viewform URL carrying an id, formkey or usp
# parameter, or any path containing "document/".
9807uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:[^&]+&)*(?:id|formkey|usp)=|document/),i
9808
9809uri __URI_GOOGLE_DRV m,^https?://(?:drive\.google|googledrive)\.com/,i
9810
9811uri __URI_GOOGLE_PROXY m;^https?://[^.]+\.googleusercontent\.com/proxy/;i
9812
46cfc9e2
SI
# Google Cloud Storage / Firebase Storage URLs, anchored at the scheme.

# URL that ends in something shaped like an e-mail address (an address
# carried inside the link).
9813uri __URI_GOOG_STO_EMAIL m;^https?://(?:firebase)?storage\.googleapis\.com/.*[a-z0-9]@(?:[a-z0-9]{2,20}\.){1,3}[a-z]{2,3}$;i
9814
b780ea8d
SI
# URL whose path ends in .htm/.html, at the end of the URI or before "?".
# Counted up to 5 times per message.
9815uri __URI_GOOG_STO_HTML m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.html?(?:$|\?),i
9816tflags __URI_GOOG_STO_HTML multiple maxhits=5
9817
# URL ending in a png/jpg/jpeg/gif extension. Counted up to 5 times.
46cfc9e2 9818uri __URI_GOOG_STO_IMG m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.(?:png|jpe?g|gif)$,i
b780ea8d
SI
9819tflags __URI_GOOG_STO_IMG multiple maxhits=5
9820
# Host written as "0x" plus at least 8 hex digits, ended by ":" or "/":
# a numeric address in hexadecimal notation instead of a name or dotted quad.
9821uri __URI_HEX_IP m;://0x[0-9A-F]{8,}[:/];i
9822
# True when any of the listed image-hosting URI sub-rules hits.
# __URI_IMG_JOOMCDN appears twice in the list, which is harmless in an OR.
# __URI_IMG_WP_REDIR, defined further down, is not part of this list.
151f49fd 9823meta __URI_HOSTED_IMG ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT || __URI_IMG_FACEBOOK || __URI_IMG_TARINGANET || __URI_IMG_BEBEE || __URI_IMG_EFUSERASSETS || __URI_IMG_IMGBOX_THUMB || __URI_IMG_500PXORG || __URI_IMG_WIXMP || __URI_IMG_POSTIMGCC || __URI_IMG_GTRACING || __URI_IMG_JOOMCDN || __URI_IMG_DHRESOURCE || __URI_IMG_CWINDOWSNET)
b780ea8d 9824
31955ede
SI
# Per-host image URI sub-rules. None of them is anchored with "^"; they
# describe a substring of the URI, so a hit is a hint that the link points
# at the named image host, not proof of it.
9825uri __URI_IMG_500PXORG m;://drscdn\.500px\.org/photo/;i
9826
# Starts at "//", not "://", and allows any number of subdomain labels.
9827uri __URI_IMG_ALICDN m,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g|gif|png|webp),i
9828
9829uri __URI_IMG_AMAZON m,://[^/?]+\.(?:ssl-)?(?:images|media)-amazon\.com/.*\.(?:png|gif|jpe?g|webp)$,i
9830
9831uri __URI_IMG_BEBEE m;://contents\.bebee\.com/users/.+\.(?:jpe?g|gif|png|webp);i
b780ea8d
SI
9832
9833uri __URI_IMG_CHANNYPIC m,://www\.channypicture\.com/pic/,i
9834
151f49fd
SI
# Azure blob/web storage endpoint whose first label is 12 or more characters.
9835uri __URI_IMG_CWINDOWSNET m;://[^.]{12,}\.(?:blob|web)\.core\.windows\.net/.+\.(?:jpe?g|gif|png|webp);i
9836
31955ede
SI
9837uri __URI_IMG_DHRESOURCE m;://www\.dhresource\.com/.+\.(?:jpe?g|gif|png|webp);i
9838
b780ea8d
SI
9839uri __URI_IMG_EBAY m,://[^/?]+\.ebayimg\.com/,i
9840
31955ede
SI
9841uri __URI_IMG_EFUSERASSETS m;://\d+\.efuserassets\.com/\d+/.+\.(?:jpe?g|gif|png|webp);i
9842
151f49fd 9843uri __URI_IMG_FACEBOOK m;://(?:[^/.]+\.)+fbcdn\.net/v/.+\.(?:jpe?g|gif|png|webp);i
31955ede
SI
9844
9845uri __URI_IMG_GBTCDN m;://des\.gbtcdn\.com/storage/store/[0-9a-f/]{30,}\.(?:png|gif|jpe?g|webp)$;i
9846
31955ede
SI
9847uri __URI_IMG_GTRACING m;://shopify\.gtracing\.com/img/.+\.(?:jpe?g|gif|png|webp);i
9848
9849uri __URI_IMG_IMGBOX_THUMB m;://thumbs\d*\.imgbox\.com/.+\.(?:jpe?g|gif|png|webp);i
cabe596e 9850
# NOTE(review): __URI_IMG_JOOMCDN is defined twice in a row. The first
# pattern accepts any path on the host, the second requires an image
# extension. Presumably the later definition is the one in effect - confirm
# with "spamassassin --lint".
b780ea8d 9851uri __URI_IMG_JOOMCDN m,://img\.joomcdn\.net/,i
31955ede 9852uri __URI_IMG_JOOMCDN m;://img\.joomcdn\.net/.+\.(?:jpe?g|gif|png|webp);i
b780ea8d 9853
46cfc9e2
SI
# More per-host image URI sub-rules. As with the rest of the __URI_IMG_*
# family, the patterns are unanchored substrings of the URI; some also
# require an image file extension, others accept any path on the host.
9854uri __URI_IMG_LINKEDIN m;://media-exp\d\.licdn\.com/dms/image/;i
9855
b780ea8d
SI
9856uri __URI_IMG_NEWEGG m,://[^/?]+\.neweggimages\.com/,i
9857
31955ede
SI
9858uri __URI_IMG_POSTIMGCC m;://i\.postimg\.cc/.+\.(?:jpe?g|gif|png|webp);i
9859
9860uri __URI_IMG_SHOPIFY m,://cdn\.shopify\.com/.+\.(?:jpe?g|gif|png|webp),i
b780ea8d
SI
9861
9862uri __URI_IMG_STATICBG m,://imgaz\.staticbg\.com/images/,i
9863
31955ede
SI
9864uri __URI_IMG_TAGSTAT m;://i\d+\.tagstat\.com/.+\.(?:jpe?g|gif|png|webp);i
9865
9866uri __URI_IMG_TARINGANET m;://media\.taringa\.net/knn/;i
46cfc9e2 9867
cabe596e
SI
# First path segment is 30 or more hex digits.
9868uri __URI_IMG_TOPHATTER m;://images\.tophatter\.com/[0-9a-f]{30,}/;i
9869
31955ede 9870uri __URI_IMG_TUMBLR m;://\d+\.media\.tumblr\.com/.+\.(?:jpe?g|gif|png|webp);i
46cfc9e2 9871
b780ea8d
SI
9872uri __URI_IMG_WALMART m,://[^/?]+\.walmartimages\.com/,i
9873
9874uri __URI_IMG_WISH m,://contestimg\.wish\.com/,i
9875
31955ede
SI
# Host label "images-wixmp-" plus 20 or more hex digits.
9876uri __URI_IMG_WIXMP m;://images-wixmp-[0-9a-f]{20,}\.wixmp\.com/;i
9877
b780ea8d
SI
# i0.wp.com / i2.wp.com URL ending in an image extension. This rule is not
# referenced by __URI_HOSTED_IMG.
9878uri __URI_IMG_WP_REDIR m;://i[02]\.wp\.com/.*\.(?:jpe?g|gif|png)$;i
9879
9880uri __URI_IMG_YTIMG m,://[^/?]+\.ytimg\.com/,i
9881
# A host label of 7 or more word characters that is immediately repeated
# (label.label.), after "://" or "@".
31955ede 9882uri __URI_LONG_REPEAT m;(?:://|@)(?:\w+\.)*(\w{7,}\.)\1;i
b780ea8d
SI
9883
# mailto: links, counted up to 16 times per message.
9884uri __URI_MAILTO /^mailto:/i
9885tflags __URI_MAILTO multiple maxhits=16
9886
9887uri __URI_MONERO /buy-monero/i
9888
9889meta __URI_ONLY_MSGID_MALF __BODY_URI_ONLY && __MSGID_NOFQDN2
9890
# Phishing wording plus at least one URI, unless the message links to a
# Google Docs document or an HTML page on Google storage.
9891meta __URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH)
9892
9893uri __URI_PHP_REDIR m;/redirect\.php\?;i
9894
46cfc9e2
SI
# Amazon product page: /dp/ followed by a 10-character identifier.
9895uri __URI_PRODUCT_AMAZON m,://www\.amazon\.(?:com|co\.uk|[a-z][a-z])/dp/[a-z0-9]{10}/,i
9896
# Host whose first label begins with a call-to-action word (try, start, get,
# save, ...), has at least one more label, and ends in .com or .net. The
# negative lookaheads carve out specific names, e.g. "checkout", "action",
# "learning", "visitor", "myaccount", "list-manage".
54c714b2 9897uri __URI_TRY_3LD m,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act(?!ion)|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob|images?|photos?)\w)[^.]*\.(?:(?!list-manage|lt\.)[^/.]+\.)+(?:com|net)\b,i
cabe596e 9898
b780ea8d
SI
# Same word list without the exclusions, for hosts ending in .us, .me, .mobi
# or .club.
9899uri __URI_TRY_USME m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i
9900
# No "i" flag, unlike most uri rules in this group.
9901uri __URI_WEBAPP m,://[^./]+\.web\.app/,
9902
# WordPress paths in a link: a sub-path of /wp-admin/, a .php/.htm/.html file
# under /wp-content/ or /wp-includes/, or a URI ending in "/" below either
# directory. Presumably these point at content hosted inside someone else's
# WordPress installation - the scored rules that use them are not in this
# part of the file.
9903uri __URI_WPADMIN m,/wp-admin/\w+/,i
9904
9905uri __URI_WPCONTENT m,/wp-content/.*\.(?:php|html?)\b,i
9906
9907uri __URI_WPDIRINDEX m,/wp-(?:content|includes)/.*/$,i
9908
9909uri __URI_WPINCLUDES m,/wp-includes/.*\.(?:php|html?)\b,i
9910
# String shaped like a Bitcoin address as a path segment or host label:
# either "1"/"3" plus 25-34 characters from an alphabet without 0, O, I and
# l, or "bc1" plus 30-90 characters from a lowercase alphabet without b, i
# and o. Case-sensitive, and purely a shape check.
9911uri __URL_BTC_ID m;[/.](?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})(?:/|$);
9912
# Same idea for Litecoin-shaped strings: L, M or 3 plus 26-33 characters.
9913uri __URL_LTC_ID m;[/.][LM3][a-km-zA-HJ-NP-Z1-9]{26,33}(?:/|$);
9914
b780ea8d
SI
# Return-Path containing "+" or "-" and, later, "=".
9915header __USING_VERP1 Return-Path =~ /[+-].*=/
9916
# Auto-reply style Subjects, flagged "nice". The word stems are unanchored on
# the right ("confirm" also matches "confirmation"), and the Subject is
# sender-controlled, so this should not be the only evidence for a ham rule.
9917header __VACATION Subject =~ /\b(?:vacatio|away|out.of.offic|auto.?re|confirm)/i
9918tflags __VACATION nice
9919
# Mailbox validation lures in English, Portuguese and Polish. Where an
# accented letter is expected, the pattern lists it three ways: the literal
# quoted-printable token (=E1), the single byte \xe1, and the two-byte
# sequence \xc3\xa1. Counted up to 2 times per message.
151f49fd 9920body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (?:\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails)|verify [a-z][a-z0-9_]{3,40}@[a-z][a-z0-9]{2,30}\.[a-z]{2,6}|your mailbox [^@\s]{3,30}@\S{3,30} (?:(?:needs to|must) be verified|(?:needs|requires) verification))\b/i
b780ea8d
SI
9921tflags __VALIDATE_MAILBOX multiple maxhits=2
9922
# Swedish variant.
# NOTE(review): the leading \b sits inside the first alternative, directly
# before "=" (a non-word character), so that branch only matches when a word
# character precedes "=E5"; the other two branches have no boundary check.
# Confirm whether "\b(?:=E5|...)" was intended.
9923body __VALIDATE_MBOX_SE /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i
9924
# "confirm/update/verify your|the ..." followed by an account noun or by an
# e-mail address plus "account"/"mailbox". Counted up to 2 times.
# NOTE(review): "confirm verification", "verify k?now" and the German phrase
# are alternatives inside the third group, so they only match after
# "<verb> your|the " - confirm whether they were meant to stand alone.
# The "." characters in the German phrase stand in for the umlauts.
9925body __VERIFY_ACCOUNT /(?:confirm|updated?|verif(?:y|ied)) (?:your|the) (?:(?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)|"?[^\@\s]+\@\S+"? (?:account|mail ?box)|confirm verification|verify k?now|Ihre Angaben .berpr.ft und best.tigt)/i
9926tflags __VERIFY_ACCOUNT multiple maxhits=2
9927
# Account-verification wording from a relay without reverse DNS.
9928meta __VFY_ACCT_NORDNS __VERIFY_ACCOUNT && __RDNS_NONE
9929
151f49fd
SI
# Combinations built on __VISTA_MSGID, which is defined elsewhere.
9930meta __VISTA_COST __VISTA_MSGID && __FB_COST
9931
9932meta __VISTA_TONOM_EQ_TOLOC __VISTA_MSGID && __PDS_TONAME_EQ_TOLOCAL
9933
b780ea8d
SI
# From address whose domain is "vps" plus 4 or more digits and a single
# further label. Defined only on version 3.004002 or later and only when
# the WLBLEval plugin is loaded.
9934if (version >= 3.004002)
9935ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9936header __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i
9937endif
9938endif
9939
# Links to a Walmart image host in a message without the matching Received
# header rule.
9940meta __WALMART_IMG_NOT_RCVD_WAL __URI_IMG_WALMART && !__HDR_RCVD_WALMART
9941
9942body __WEBMAIL_ACCT /\byour web ?mail account/i
9943
# "we have paid/sent/remitted/issued <amount> to our users/members/..."
9944body __WE_PAID /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i
9945
# Sums the hit counts of nine sub-rules and requires a total above 2.
# Assuming each input hits at most once per message, that means at least
# three different phrases - TODO confirm none of the inputs defined
# elsewhere is flagged "multiple".
9946meta __WFH_01 ( __PERFECT_BINARY + __WE_PAID + __MAKE_XTRA_DOLLAR + __BONUS_LAST_DAY + __PASSIVE_INCOME + __WITHOUT_EFFORT + __TRANSFORM_LIFE + __STAY_HOME + __RECEIVE_BONUS ) > 2
9947
# "widow", "widower", "widowed" (with optional possessive) or French "veuve".
9948body __WIDOW /\b(?:widow(?:e[rd])'?s?|veuve)\b/i
9949
# Vocabulary of wills and estates.
9950body __WILL_LEGAL /\b(?:codicil|last\stestament|probate|executor|intestate|bequest|mandamus)\b/i
9951
9952body __WIRE_XFR /\b(?:wire|telegraph(?:ic)?|bank)\s?transfer/i
9953
9954body __WITHOUT_EFFORT /\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great| special| extra)? effort\b/i
9955
# Hidden-text detection on the raw HTML body (rawbody). The pattern looks for
# an opening tag other than <style> whose attributes contain, within 80
# characters, one of:
#   - a font / font-size value of 0 or 1 (with optional decimals) in px, pt,
#     Q, vw, vh or vmin,
#   - a font / font-size value of 0 in cm, mm, in, pc, em, ex, ch, rem, lh
#     or vmax,
#   - "color: transparent",
# and whose content is a single run of 1-20 word characters ending at the
# next "<". Text styled this way is present for a filter but not visible to
# the reader. Counted up to 6 times per message.
9956if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9957 rawbody __WORD_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|in|pc|em|ex|ch|rem|lh|vmax))\s*[;'a-z]|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w{1,20}</i
9958 tflags __WORD_INVIS multiple maxhits=6
9959endif
9960
# At least two hidden words.
9961if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9962 meta __WORD_INVIS_2 __WORD_INVIS > 1
9963endif
9964
# With the cap of 6 on the base rule, "> 5" is true only at the cap.
9965if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9966 meta __WORD_INVIS_5 __WORD_INVIS > 5
9967endif
9968
# Hidden word present and none of the listed exclusion rules hit. The name
# suggests the exclusions exist to reduce false positives.
9969if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9970 meta __WORD_INVIS_MINFP __WORD_INVIS && !__SURVEY && !MIME_QP_LONG_LINE && !__FB_TOUR && !__MSGID_GUID
9971endif
9972
# X-Mailer beginning "WorkCentre " followed by a model-number-like token.
9973header __XEROXWORKCTR_MUA X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/
9974
151f49fd
SI
# Money-transfer wording together with the named LOTS_OF_MONEY rule.
9975meta __XFER_LOTSA_MONEY __XFER_MONEY && LOTS_OF_MONEY
9976
b780ea8d
SI
# Any one of seven money-movement sub-rules; only __WIRE_XFR is defined in
# this part of the file.
9977meta __XFER_MONEY (__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT || __MOVE_MONEY || __TO_YOUR_ACCT || __PAY_YOU || __GIVE_MONEY)
9978
31955ede
SI
# X-Mailer naming a PHP mailing library. Both are plain header rules but are
# only defined when the FreeMail plugin is loaded; presumably their consumers
# also depend on FreeMail - verify against the metas that use them.
9979ifplugin Mail::SpamAssassin::Plugin::FreeMail
9980 header __XMAIL_CODEIGN X-Mailer =~ /CodeIgniter/
9981endif
9982
9983ifplugin Mail::SpamAssassin::Plugin::FreeMail
9984 header __XMAIL_PHPMAIL X-Mailer =~ /PHPMailer/
9985endif
9986
fc5290a3
SI
# X-Mailer sub-rules. Most identify a client by the start of the header
# value; a few describe the shape of the value instead. X-Mailer is written
# by the sender, so these describe what a message claims, and are meant to be
# cross-checked by meta rules against other headers.
9987header __XM_APPLEMAIL X-Mailer =~ /^Apple Mail/
9988
46cfc9e2
SI
9989header __XM_ASPQMAIL X-Mailer =~ /^AspQMail/
9990
b780ea8d
SI
9991header __XM_BALSA X-Mailer =~ /^Balsa \d/
9992
9993header __XM_CALYPSO X-Mailer =~ /^Calypso/
9994
# Value consisting of digits only (surrounding whitespace allowed).
9995header __XM_DIGITS_ONLY X-Mailer =~ /^\s*\d+\s*$/
9996
cabe596e
SI
9997header __XM_EC_MESSENGER X-Mailer =~ /\beC-Messenger\b/
9998
b780ea8d
SI
9999header __XM_FORTE X-Mailer =~ /^Forte Agent \d/
10000
10001header __XM_GNUS X-Mailer =~ /^Gnus v/
10002
54c714b2
SI
# Edition words (light, lite, standard, business, pro, ...) anywhere in the
# value; "lite" directly preceded by "::" is excluded.
10003header __XM_LIGHT_HEAVY X-Mailer =~ /\b(?:light|(?<!::)lite|standard|business|pro(?:fessional)?|educational|personal)\b/i
10004
b780ea8d
SI
10005header __XM_MHE X-Mailer =~ /^mh-e \d/
10006
10007header __XM_MOZ4 X-Mailer =~ /^Mozilla 4/
10008
10009header __XM_MSOE5 X-Mailer =~ /^Microsoft Outlook Express 5/
10010
10011header __XM_MSOE6 X-Mailer =~ /^Microsoft Outlook Express 6/
10012
10013header __XM_MS_IN_GENERAL X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/
10014
# Exact version strings, anchored at both ends.
# NOTE(review): the dots in the five patterns below are unescaped, so each
# "." accepts any character, not only a literal dot. The anchors keep the
# effect small; writing "\." would make the match exact.
10015header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/
10016
10017header __XM_OL_28001441 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/
10018
10019header __XM_OL_28004682 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/
10020
10021header __XM_OL_48072300 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/
10022
10023header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/
10024
10025header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/
10026
# Contains "PHPMailer " and ends in "version" followed only by non-digits,
# i.e. a version label with no version number after it.
10027header __XM_PHPMAILER_FORGED X-Mailer =~ /PHPMailer\s.*version\D+$/
10028
# A "q" followed by a character other than "u" (case-insensitive). The
# lookahead exempts "q" before "mail", "qmail", "boxmail", "i mail", before a
# digit, and before a run of word characters or "-" that ends in "=...;".
dfdd1e08 10029header __XM_RANDOM X-Mailer =~ /q(?!(?:q|box|i\s)?mail|\d|[-\w]*=+;)[^u]/i
b780ea8d
SI
10030
10031header __XM_SKYRI X-Mailer =~ /^SKYRiXgreen/
10032
10033header __XM_SQRLMAIL X-Mailer =~ /^SquirrelMail/
10034
10035header __XM_SYLPHEED X-Mailer =~ /^Sylpheed/
10036
# Value with no lowercase letter at all. Digits and punctuation alone also
# satisfy this, so it overlaps __XM_DIGITS_ONLY.
10037header __XM_UC_ONLY X-Mailer =~ /^[^a-z]+$/
10038
46cfc9e2
SI
# Value of 50 or more characters.
10039header __XM_VERY_LONG X-Mailer =~ /.{50}/
10040
b780ea8d
SI
10041header __XM_VM X-Mailer =~ /^VM \d/
10042
10043header __XM_WWWMAIL X-Mailer =~ /^WWW-Mail \d/
10044
10045header __XM_XIMEVOL X-Mailer =~ /^Ximian Evolution/
10046
# __XPRIO with a long list of exclusions: the meta is true only when __XPRIO
# hits and none of the negated rules does. ALL_TRUSTED is the one named
# (non-"__") rule among the inputs. The name suggests the exclusions exist to
# reduce false positives; all inputs are defined elsewhere.
31955ede 10047meta __XPRIO_MINFP __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT && !__L_BODY_8BITS && !__HAS_X_SENDER
b780ea8d
SI
10048
# Filtered priority header combined with a short Subject.
10049meta __XPRIO_SHORT_SUBJ __XPRIO_MINFP && __SUBJ_SHORT
10050
151f49fd
SI
10051meta __XPRIO_VISTA __XPRIO_MINFP && __VISTA_MSGID
10052
46cfc9e2
SI
# MIME part declared as application/x-mso. Defined only when the MIMEHeader
# plugin is loaded; no fallback definition is visible in this part of the
# file.
10053ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
10054 mimeheader __X_MSO_MT Content-Type =~ m,\bapplication/x-mso\b,i
10055endif
10056
b780ea8d
SI
# "your ..." phrase sub-rules.
10057body __YOUR_BANK /\byour?\s(?:full\s)?bank(?:ing)?\sinformations?\b/i
10058
10059body __YOUR_CONSIGNMENT /\b(?:received?|pa(?:y|id)|sen[dt]|h[oe]ld|delay(?:ed)?|impound(?:ed)?|released?|ship(?:ped)?)\syour(?:\s\w+)?\sconsignment\b/i
10060
# English and German; up to three qualifiers may sit between "your"/"ihr"
# and the noun. "f u n d" with single spaces is accepted too.
10061body __YOUR_FUND /\b(?:your|ihr)\s(?:unpaid\s|win+ing\s|ap+roved\s|foreign\s|overdue\s|outstanding\s|contract\s|inheritance\s|nicht\sausbezahlten\s){0,3}(?:fund|f\su\sn\sd|payment|geld)\b/i
10062
# Several rules from here on are defined twice under complementary
# conditions: a plain regex when the ReplaceTags plugin is not loaded, and a
# version spelled with per-letter tags (<Y><O><U><R> ...) when it is. The tag
# definitions and the replace_rules list that activate the tagged form are
# not in this part of the file - confirm each rule name is listed there,
# otherwise the tagged pattern would be matched literally.
# In the tagged forms "\b" is replaced by "(?:^|\s)" at the start.
10063if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
10064 body __YOUR_ONAN /\b(?:your?|ihrer)\s(?:ma+s+t+[ur]+b+a+t+(?:ion|ing|e)(?:svideo)?|onanism|solitary\ssex|hand\sfucking|Selbstbefriedigung|(?:pleasur(?:e|ing)|satisfy(?:ing)?)\syourself)\b/i
10065endif
10066
10067ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
10068 body __YOUR_ONAN /(?:^|\s)(?:<Y><O><U><R>?|<I><H><R><E><R>)\s(?:<M>+<A>+<S>+<T>+(?:<U>|<R>)+<B>+<A>+<T>+(?:<I><O><N>|<I><N><G>|<E>)(?:<S><V><I><D><E><O>)?|<O><N><A><N><I><S><M>|<S><O><L><I><T><A><R><Y>\s<S><E><X>|<H><A><N><D>\s<F><U><C><K><I><N><G>|<S><E><L><B><S><T><B><E><F><R><I><E><D><I><G><U><N><G>|(?:<P><L><E><A><S><U><R>(?:<E>|<I><N><G>)|<S><A><T><I><S><F><Y>(?:<I><N><G>)?)\s<Y><O><U><R><S><E><L><F>)/i
10069endif
10070
# "your password" / "change|reset|... the password", with optional
# "account" or "email" before it.
10071if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
10072 body __YOUR_PASSWORD /\b(?:your|(?:change|modify|update|reset|alter|fix)\sthe)\s(?:account\s|e-?mail\s)?(?:pass[-\s_]?word|pswd)\b/i
10073endif
10074
# NOTE(review): the two forms differ at the end. The plain form closes with
# "\b" for both "password" and "pswd"; the tagged form requires whitespace
# after "pswd" and has no trailing condition after "password".
10075ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
10076 body __YOUR_PASSWORD /(?:^|\s)(?:<Y><O><U><R>|(?:<C><H><A><N><G><E>|<M><O><D><I><F><Y>|<U><P><D><A><T><E>|<R><E><S><E><T>|<A><L><T><E><R>|<F><I><X>)\s<T><H><E>)\s(?:<A><C><C><O><U><N><T>\s|<E>-?<M><A><I><L>\s)?(?:<P><A><S><S>[-\s_]?<W><O><R><D>|<P><S><W><D>\s)/i
10077endif
10078
10079body __YOUR_PERM /\byour\spermission\b/i
10080
# References to the recipient's personal data, contacts or files.
10081if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
10082 body __YOUR_PERSONAL /\b(?:your\s(?:personal|private|social\scontact|address|friends)\s(?:info(?:rmation)?|data|details|book|secrets)|all\s(?:of\s)?your\s(?:files|contacts|secrets|correspondence))\b/i
10083endif
10084
# The tagged form must be followed by whitespace, "." or ",".
10085ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
10086 body __YOUR_PERSONAL /(?:^|\s)(?:<Y><O><U><R>\s(?:<P><E><R><S><O><N><A><L>|<P><R><I><V><A><T><E>|<S><O><C><I><A><L>\s<C><O><N><T><A><C><T>|<A><D><D><R><E><S><S>|<F><R><I><E><N><D><S>)\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>|<D><E><T><A><I><L><S>|<B><O><O><K>|<S><E><C><R><E><T><S>)|<A><L><L>\s(?:<O><F>\s)?<Y><O><U><R>\s(?:<F><I><L><E><S>|<C><O><N><T><A><C><T><S>|<S><E><C><R><E><T><S>|<C><O><R><R><E><S><P><O><N><D><E><N><C><E>))[\s\.,]/i
10087endif
10088
10089body __YOUR_PROFIT /\byour?\sprofit/i
10090
# References to the recipient's webcam / front camera, optionally together
# with screen, desktop or microphone.
10091if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
10092 body __YOUR_WEBCAM /\b(?:from|your|with|and|on)\s(?:(?:screen|desktop|microphone)\sand\s|own\s)?(?:web[-\s]?|front[-\s]?|network\s|your\s)camer+a/i
10093endif
10094
10095ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
10096 body __YOUR_WEBCAM /(?:^|\s)(?:<F><R><O><M>|<Y><O><U><R>|<W><I><T><H>|<A><N><D>|<O><N>)\s(?:(?:<S><C><R><E><E><N>|<D><E><S><K><T><O><P>|<M><I><C><R><O><P><H><O><N><E>)\s<A><N><D>\s|<O><W><N>\s)?(?:<W><E><B>[-\s]?|<F><R><O><N><T>[-\s]?|<N><E><T><W><O><R><K>\s|<Y><O><U><R>\s)<C><A><M><E><R>+<A>/i
10097endif
10098
# English and French requests for the recipient's help.
10099body __YOU_ASSIST /\b(?:your\sas+istan(?:ce|t)|votre\s(?:as+istance|aide))\b/i
10100
# "your", up to 30 letters or spaces, then "inheritance" (one or more "t").
10101body __YOU_INHERIT /\byour\s[a-z\s]{0,30}inherit+ance\b/i
10102
# "You have won" family. The meta is true when any of _01 .. _04 or
# __HAS_WON_01 hits, or when __YOU_WON_05 ("I won") hits together with
# money-movement wording. __HAS_WON_01, __MOVE_MONEY and __GIVE_MONEY are
# defined elsewhere.
10103meta __YOU_WON __YOU_WON_01 || __YOU_WON_02 || __YOU_WON_03 || __YOU_WON_04 || __HAS_WON_01 || (__YOU_WON_05 && (__MOVE_MONEY || __GIVE_MONEY))
10104
# "you ... win/won/winner/winning", with up to two words in between.
# The two negative lookaheads keep "won't" from matching, whether the
# apostrophe is the three-byte sequence \xe2\x80\x99 or one of "`", "'" and
# the single byte \x92.
10105body __YOU_WON_01 /\byou(?:r|'re|'ve|'ll|\shave|\sdid)?\s(?:e-?mail\s)?(?:\w+\s){0,2}(?:a\s)?w[io]n+(?:er|ing)?(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i
10106
10107body __YOU_WON_02 /\bw[io]n\s(?:(?:for|by)\s)?your?\b/i
10108
# "<you / your address / winners ...> was|were|has been ... randomly
# selected / chosen as the winner" and similar.
10109body __YOU_WON_03 /\b(?:your?|win+ing|win+ers?|beneficiaries|participants?|individuals?|address(?:es)?|accounts?|emails?)(?:\s[-a-z\s]{4,40})?\s(?:w(?:ere|as)|ha(?:ve|s) be(?:en)?)\s(?:automatically\s)?(?:(?:randomly|raffly)\s(?:selected|cho+sen|cho+sing|picked)|(?:selected|cho+sen|cho+sing|picked)\s(?:[a-z\s]{2,40}?\srandom(?:ly)?|online|lottery|computer\s(?:ballot|wahlgang))|(?:selected|cho+sen|cho+sing|picked)(?:\sas?|\sthe){0,3}\swin+er)/i
10110
# French variant; the accented letters are listed as two-byte sequences,
# quoted-printable tokens, single bytes, and the unaccented letter.
10111body __YOU_WON_04 /\bqu[ei]\s?(?:vous (?:[\xc3][\xaa]|=C3=AA|[\xea]|e)tes\s?gagnant|en\scons(?:e|=E9|[\xe9]|[\xc3][\xa9])quence\sgagne)\b/i
10112
# "I won", with the same "won't" exclusions as __YOU_WON_01.
10113body __YOU_WON_05 /\bI won(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i
10114
# ZIP attachment sub-rules. Each one comes as a pair: a constant-0 meta when
# the MIMEHeader plugin is not loaded, and the real mimeheader rule when it
# is. Either way the name is defined, so metas that reference it always have
# a definition; without the plugin the rule simply never hits.

# MIME part with a zip / x-compress(ed) / x-zip-compress(ed) content type.
10115if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
10116 meta __ZIP_ATTACH_MT 0
10117endif
10118
10119ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
10120 mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i
10121endif
10122
# Same content types, but the header value ends right after the type (only
# ";" or whitespace may follow): a ZIP part declared without a name parameter.
10123if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
10124 meta __ZIP_ATTACH_NOFN 0
10125endif
10126
10127ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
10128 mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i
10129endif
10130
# Freemail check on the Mail-Reply-To header, via the FreeMail plugin's eval
# function. No fallback definition is visible for the case where the plugin
# is not loaded.
10131ifplugin Mail::SpamAssassin::Plugin::FreeMail
10132 header __freemail_mailreplyto eval:check_freemail_header('Mail-Reply-To')
10133endif
10134
# A currency marker (EUR/EURO, US/USD, GBP, CFA, the HTML entity &#163;, the
# single bytes \xa3 or \xa4, "$", or "sum of") followed within 4 characters
# by a six-digit amount or a figure expressed in millions.
10135body __hk_bigmoney /(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i
10136
54c714b2
SI
# Lottery / prize-notification phrase sub-rules (English and French). The
# lettering has gaps; the meta that combines them is not in this part of the
# file.
10137body __hk_win_0 /\byour? e-?mail just w[oi]n/i
10138
10139body __hk_win_2 /\battn.{0,10}winner/i
10140
10141body __hk_win_3 /\bhappily aa?nnounce/i
10142
10143body __hk_win_4 /\bpleas(?:ure|ed) to inform/i
10144
10145body __hk_win_5 /\b(?:notice the|your) winning/i
10146
10147body __hk_win_7 /\bcongratulations? to your/i
10148
10149body __hk_win_8 /\bunexpected luck/i
10150
# NOTE(review): "(?:nl )" has no "?", so this matches only the literal text
# "lucky nl number" - confirm whether an optional "nl " was intended.
10151body __hk_win_9 /\blucky (?:nl )number/i
10152
10153body __hk_win_a /\bwinning (?:e-?mail|numbers|information)/i
10154
10155body __hk_win_b /\byour e-?mail (?:address )?(?:has )?w[io]n/i
10156
10157body __hk_win_c /\bune adresse e-?mail sur internet/i
10158
10159body __hk_win_d /\bcategory (?:\S{0,5} )?winner of our/i
10160
10161body __hk_win_i /\bfunds? transfer/i
10162
10163body __hk_win_j /\b(?:winning|ready for|sum) pay ?out/i
10164
10165body __hk_win_l /\b(?:make|file) (?:for )?your claim/i
10166
# The "." stands in for the accented first "e" of the French word.
10167body __hk_win_m /\br.clamation de votre prix/i
10168
10169body __hk_win_n /\bcollect your prize/i
10170
10171body __hk_win_o /\bclarification and procedure/i
10172
b780ea8d
SI
# Freemail check on the address part of Reply-To, via the FreeMail plugin's
# eval function. Defined only when the plugin is loaded; no fallback
# definition is visible in this part of the file.
10173ifplugin Mail::SpamAssassin::Plugin::FreeMail
10174header __smf_freemail_hdr_replyto eval:check_freemail_header('Reply-To:addr')
10175endif