]> git.proxmox.com Git - proxmox-spamassassin.git/blame - sa-updates/72_active.cf
bump version to 3.4.6-3
1# SpamAssassin rules file
2#
3# Please don't modify this file as your changes will be overwritten with
4# the next update. Use /etc/mail/spamassassin/local.cf instead.
5# See 'perldoc Mail::SpamAssassin::Conf' for details.
6#
7# <@LICENSE>
8# Licensed to the Apache Software Foundation (ASF) under one or more
9# contributor license agreements. See the NOTICE file distributed with
10# this work for additional information regarding copyright ownership.
11# The ASF licenses this file to you under the Apache License, Version 2.0
12# (the "License"); you may not use this file except in compliance with
13# the License. You may obtain a copy of the License at:
14#
15# http://www.apache.org/licenses/LICENSE-2.0
16#
17# Unless required by applicable law or agreed to in writing, software
18# distributed under the License is distributed on an "AS IS" BASIS,
19# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20# See the License for the specific language governing permissions and
21# limitations under the License.
22# </@LICENSE>
23#
24###########################################################################
25
# Version gate: this rule file targets SpamAssassin 3.4.6 (3.004006).
# An engine of any other version, older or newer, warns and ignores the file
# from this line on rather than loading rules it may not evaluate as intended.
require_version 3.004006
27
##{ ACCT_PHISHING_MANY

# Account-phishing indicator. Hits when either sub-rule (__ACCT_PHISH_MANY or
# __EMAIL_PHISH_MANY) hits, and is suppressed when GOOGLE_DOCS_PHISH_MANY or
# GOOG_STO_HTML_PHISH_MANY has hit (presumably so the message is reported
# under the more specific rule only -- confirm against those rules).
# The score line is commented out, so no score is assigned in this file.
describe ACCT_PHISHING_MANY Phishing for account information
meta ACCT_PHISHING_MANY (__ACCT_PHISH_MANY || __EMAIL_PHISH_MANY) && !GOOGLE_DOCS_PHISH_MANY && !GOOG_STO_HTML_PHISH_MANY
#score ACCT_PHISHING_MANY 3.000 # limit
##} ACCT_PHISHING_MANY
34
##{ AC_BR_BONANZA

# Template fingerprint: 30 literal <br> tags in a row with only whitespace
# between them. rawbody is used because the test needs the HTML markup itself.
# Only the exact form <br> is counted (any letter case, via /i); <br/> and
# <br /> do not match. The repeat count is a fixed {30}, so matching stops at
# the 30th tag instead of consuming an arbitrarily long run.
describe AC_BR_BONANZA Too many newlines in a row... spammy template
rawbody AC_BR_BONANZA /(?:<br>\s*){30}/i
tflags AC_BR_BONANZA publish
#score AC_BR_BONANZA 0.001
##} AC_BR_BONANZA
42
##{ AC_DIV_BONANZA

# Template fingerprint: ten attribute-less <div> tags in a row, each one
# optionally followed by its own </div>, with only whitespace in between.
# Evaluated on the raw body so the markup is still present; /i makes the tag
# names case-insensitive. A <div> carrying any attribute does not match.
describe AC_DIV_BONANZA Too many divs in a row... spammy template
rawbody AC_DIV_BONANZA /(?:<div>(?:\s*<\/div>)?\s*){10}/i
tflags AC_DIV_BONANZA publish
#score AC_DIV_BONANZA 0.001
##} AC_DIV_BONANZA
50
##{ AC_FROM_MANY_DOTS

# Published name for the sub-rule __AC_FROM_MANY_DOTS_MINFP, which is defined
# outside this listing; the meta adds no condition of its own.
describe AC_FROM_MANY_DOTS Multiple periods in From user name
meta AC_FROM_MANY_DOTS __AC_FROM_MANY_DOTS_MINFP
tflags AC_FROM_MANY_DOTS publish
#score AC_FROM_MANY_DOTS 3.000 # limit
##} AC_FROM_MANY_DOTS
58
##{ AC_HTML_NONSENSE_TAGS

# Ten tags in a row whose names are four or more letters/digits, with no
# attributes and no closing slash, separated only by whitespace. Short real
# tags such as <b>, <br> or <div> are too short to count. Runs on the raw
# body because the rendered text no longer contains the tags.
describe AC_HTML_NONSENSE_TAGS Many consecutive multi-letter HTML tags, likely nonsense/spam
rawbody AC_HTML_NONSENSE_TAGS /(?:<[A-Za-z0-9]{4,}>\s*){10}/
tflags AC_HTML_NONSENSE_TAGS publish
#score AC_HTML_NONSENSE_TAGS 2.0
##} AC_HTML_NONSENSE_TAGS
66
##{ AC_POST_EXTRAS

# Hits on the sub-rule __AC_POST_EXTRAS unless __URI_MAILTO or __HAS_LIST_ID
# also hit. All three sub-rules are defined outside this listing; by name the
# two exclusions cover mailto: links and mail carrying a List-Id header
# (TODO confirm against their definitions).
describe AC_POST_EXTRAS Suspicious URL
meta AC_POST_EXTRAS __AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_ID
tflags AC_POST_EXTRAS publish
#score AC_POST_EXTRAS 2.500 # limit
##} AC_POST_EXTRAS
74
##{ AC_SPAMMY_URI_PATTERNS1

# AC_SPAMMY_URI_PATTERNS* family. Each rule gives a published name either to
# one URI sub-rule or to a combination of URI sub-rules that must hit on the
# same message. The __AC_*_URI sub-rules are defined outside this listing, so
# the actual URI patterns cannot be read from here. Every score line in the
# family is commented out.
describe AC_SPAMMY_URI_PATTERNS1 link combos match highly spammy template
meta AC_SPAMMY_URI_PATTERNS1 (__AC_OUTL_URI && __AC_OUTI_URI)
tflags AC_SPAMMY_URI_PATTERNS1 publish
#score AC_SPAMMY_URI_PATTERNS1 4.0
##} AC_SPAMMY_URI_PATTERNS1

##{ AC_SPAMMY_URI_PATTERNS10

describe AC_SPAMMY_URI_PATTERNS10 link combos match highly spammy template
meta AC_SPAMMY_URI_PATTERNS10 __AC_PUNCTNUMS_URI
tflags AC_SPAMMY_URI_PATTERNS10 publish
#score AC_SPAMMY_URI_PATTERNS10 4.0
##} AC_SPAMMY_URI_PATTERNS10

##{ AC_SPAMMY_URI_PATTERNS11

describe AC_SPAMMY_URI_PATTERNS11 link combos match highly spammy template
meta AC_SPAMMY_URI_PATTERNS11 __AC_NDOMLONGNASPX_URI
tflags AC_SPAMMY_URI_PATTERNS11 publish
#score AC_SPAMMY_URI_PATTERNS11 4.0
##} AC_SPAMMY_URI_PATTERNS11

##{ AC_SPAMMY_URI_PATTERNS12

# All three sub-rules must hit.
describe AC_SPAMMY_URI_PATTERNS12 link combos match highly spammy template
meta AC_SPAMMY_URI_PATTERNS12 (__AC_CHDSEQ_URI && __AC_MHDSEQ_URI && __AC_UHDSEQ_URI)
tflags AC_SPAMMY_URI_PATTERNS12 publish
#score AC_SPAMMY_URI_PATTERNS12 4.0
##} AC_SPAMMY_URI_PATTERNS12

##{ AC_SPAMMY_URI_PATTERNS2

# All three sub-rules must hit.
describe AC_SPAMMY_URI_PATTERNS2 link combos match highly spammy template
meta AC_SPAMMY_URI_PATTERNS2 (__AC_LAND_URI && __AC_UNSUB_URI && __AC_REPORT_URI)
tflags AC_SPAMMY_URI_PATTERNS2 publish
#score AC_SPAMMY_URI_PATTERNS2 4.0
##} AC_SPAMMY_URI_PATTERNS2

##{ AC_SPAMMY_URI_PATTERNS3

describe AC_SPAMMY_URI_PATTERNS3 link combos match highly spammy template
meta AC_SPAMMY_URI_PATTERNS3 (__AC_PHPOFFTOP_URI && __AC_PHPOFFSUB_URI)
tflags AC_SPAMMY_URI_PATTERNS3 publish
#score AC_SPAMMY_URI_PATTERNS3 4.0
##} AC_SPAMMY_URI_PATTERNS3

##{ AC_SPAMMY_URI_PATTERNS4

describe AC_SPAMMY_URI_PATTERNS4 link combos match highly spammy template
meta AC_SPAMMY_URI_PATTERNS4 __AC_NUMS_URI
tflags AC_SPAMMY_URI_PATTERNS4 publish
#score AC_SPAMMY_URI_PATTERNS4 4.0
##} AC_SPAMMY_URI_PATTERNS4

##{ AC_SPAMMY_URI_PATTERNS8

describe AC_SPAMMY_URI_PATTERNS8 link combos match highly spammy template
meta AC_SPAMMY_URI_PATTERNS8 __AC_LONGSEQ_URI
tflags AC_SPAMMY_URI_PATTERNS8 publish
#score AC_SPAMMY_URI_PATTERNS8 4.0
##} AC_SPAMMY_URI_PATTERNS8

##{ AC_SPAMMY_URI_PATTERNS9

# __AC_1SEQC_URI must hit together with at least one of the other two.
describe AC_SPAMMY_URI_PATTERNS9 link combos match highly spammy template
meta AC_SPAMMY_URI_PATTERNS9 (__AC_1SEQC_URI && (__AC_1SEQV_URI || __AC_RMOVE_URI))
tflags AC_SPAMMY_URI_PATTERNS9 publish
#score AC_SPAMMY_URI_PATTERNS9 4.0
##} AC_SPAMMY_URI_PATTERNS9
146
##{ ADMAIL

# Hits on the sub-rule __ADMAIL unless __DKIM_EXISTS or __COMMENT_EXISTS also
# hit. No score line, commented or otherwise, appears for this rule here.
describe ADMAIL "admail" and variants
meta ADMAIL __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS
tflags ADMAIL publish
##} ADMAIL
153
##{ ADMITS_SPAM

# Hits on the sub-rule __ADMITS_SPAM, then backs off when any one of six
# other sub-rules hits. The exclusions are defined outside this listing; they
# read as false-positive guards, but their meaning has to be checked there.
describe ADMITS_SPAM Admits this is an ad
meta ADMITS_SPAM __ADMITS_SPAM && !__FROM_LOWER && !__MSGID_JAVAMAIL && !__HAS_CAMPAIGNID && !__STY_INVIS_2 && !__LYRIS_EZLM_REMAILER && !__RCD_RDNS_OB
tflags ADMITS_SPAM publish
##} ADMITS_SPAM
160
##{ ADULT_DATING_COMPANY

# Hits when any one of three sub-rules hits; by their suffixes they look at
# the body, the From header and the Reply-To header (TODO confirm against the
# sub-rule definitions, which are outside this listing).
# This rule has no describe line here, so reports show it without a
# description.
meta ADULT_DATING_COMPANY __ADULTDATINGCOMPANY_BODY || __ADULTDATINGCOMPANY_FROM || __ADULTDATINGCOMPANY_REPTO
tflags ADULT_DATING_COMPANY publish
#score ADULT_DATING_COMPANY 10.000 # limit
##} ADULT_DATING_COMPANY
167
##{ ADVANCE_FEE_2_NEW_FORM

# Tier 2 of the ADVANCE_FEE_*_NEW_* rules (FORM, FRM_MNY and MONEY variants).
# Each rule needs its own tier-2 sub-rule and the absence of the matching
# tier 3, 4 and 5 sub-rules, so a message that reaches a higher tier is not
# also reported at tier 2. The conditions after the parenthesised group are
# further exclusions; all sub-rules are defined outside this listing.
describe ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form
meta ADVANCE_FEE_2_NEW_FORM (__ADVANCE_FEE_2_NEW_FORM && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__FROM_LOWER && !__HAS_X_LOOP
tflags ADVANCE_FEE_2_NEW_FORM publish
#score ADVANCE_FEE_2_NEW_FORM 2.000 # limit
##} ADVANCE_FEE_2_NEW_FORM

##{ ADVANCE_FEE_2_NEW_FRM_MNY

describe ADVANCE_FEE_2_NEW_FRM_MNY Advance Fee fraud form and lots of money
meta ADVANCE_FEE_2_NEW_FRM_MNY (__ADVANCE_FEE_2_NEW_FRM_MNY && !__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP
tflags ADVANCE_FEE_2_NEW_FRM_MNY publish
#score ADVANCE_FEE_2_NEW_FRM_MNY 2.500
##} ADVANCE_FEE_2_NEW_FRM_MNY

##{ ADVANCE_FEE_2_NEW_MONEY

describe ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
meta ADVANCE_FEE_2_NEW_MONEY (__ADVANCE_FEE_2_NEW_MONEY && !__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
tflags ADVANCE_FEE_2_NEW_MONEY publish
#score ADVANCE_FEE_2_NEW_MONEY 2.000 # limit
##} ADVANCE_FEE_2_NEW_MONEY
191
##{ ADVANCE_FEE_3_NEW

# Tier 3 of the ADVANCE_FEE_*_NEW* rules. Each rule needs its own tier-3
# sub-rule and the absence of the matching tier 4 and 5 sub-rules. The plain
# ADVANCE_FEE_3_NEW rule is additionally off when __FILL_THIS_FORM or
# LOTS_OF_MONEY hit (presumably so the _FORM / _MONEY variants report those
# messages instead -- confirm against the sub-rule definitions). Conditions
# after the parenthesised group are further exclusions. Only the plain rule
# carries a (commented-out) score line.
describe ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419)
meta ADVANCE_FEE_3_NEW (__ADVANCE_FEE_3_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_4_NEW && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__HAS_SENDER && !__HAS_X_LOOP && !__TO_YOUR_ORG && !__BUGGED_IMG
tflags ADVANCE_FEE_3_NEW publish
#score ADVANCE_FEE_3_NEW 3.5 # limit
##} ADVANCE_FEE_3_NEW

##{ ADVANCE_FEE_3_NEW_FORM

describe ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form
meta ADVANCE_FEE_3_NEW_FORM (__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__THREADED && !__HAS_SENDER && !__FROM_LOWER && !__HAS_X_LOOP
tflags ADVANCE_FEE_3_NEW_FORM publish
##} ADVANCE_FEE_3_NEW_FORM

##{ ADVANCE_FEE_3_NEW_FRM_MNY

describe ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money
meta ADVANCE_FEE_3_NEW_FRM_MNY (__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP
tflags ADVANCE_FEE_3_NEW_FRM_MNY publish
##} ADVANCE_FEE_3_NEW_FRM_MNY

##{ ADVANCE_FEE_3_NEW_MONEY

describe ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
meta ADVANCE_FEE_3_NEW_MONEY (__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
tflags ADVANCE_FEE_3_NEW_MONEY publish
##} ADVANCE_FEE_3_NEW_MONEY
220
##{ ADVANCE_FEE_4_NEW

# Tier 4 of the ADVANCE_FEE_*_NEW* rules. Each rule needs its own tier-4
# sub-rule and the absence of the matching tier-5 sub-rule. The plain rule is
# also off when __FILL_THIS_FORM or LOTS_OF_MONEY hit. Conditions after the
# parenthesised group are further exclusions defined outside this listing.
# No score lines appear for this tier.
describe ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419)
meta ADVANCE_FEE_4_NEW (__ADVANCE_FEE_4_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__HAS_ERRORS_TO && !__HAS_X_LOOP && !__BUGGED_IMG
tflags ADVANCE_FEE_4_NEW publish
##} ADVANCE_FEE_4_NEW

##{ ADVANCE_FEE_4_NEW_FORM

describe ADVANCE_FEE_4_NEW_FORM Advance Fee fraud and a form
meta ADVANCE_FEE_4_NEW_FORM (__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM)
tflags ADVANCE_FEE_4_NEW_FORM publish
##} ADVANCE_FEE_4_NEW_FORM

##{ ADVANCE_FEE_4_NEW_FRM_MNY

describe ADVANCE_FEE_4_NEW_FRM_MNY Advance Fee fraud form and lots of money
meta ADVANCE_FEE_4_NEW_FRM_MNY (__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY)
tflags ADVANCE_FEE_4_NEW_FRM_MNY publish
##} ADVANCE_FEE_4_NEW_FRM_MNY

##{ ADVANCE_FEE_4_NEW_MONEY

describe ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money
meta ADVANCE_FEE_4_NEW_MONEY (__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
tflags ADVANCE_FEE_4_NEW_MONEY publish
##} ADVANCE_FEE_4_NEW_MONEY
248
##{ ADVANCE_FEE_5_NEW

# Tier 5, the top tier of the ADVANCE_FEE_*_NEW* rules: there is no higher
# tier to exclude. The plain rule is still off when __FILL_THIS_FORM or
# LOTS_OF_MONEY hit; the _FORM and _FRM_MNY rules pass their sub-rule through
# unchanged; the _MONEY rule backs off on __BOUNCE_CTYPE or __BUGGED_IMG.
# No score lines appear for this tier.
describe ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419)
meta ADVANCE_FEE_5_NEW (__ADVANCE_FEE_5_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY) && !__BUGGED_IMG
tflags ADVANCE_FEE_5_NEW publish
##} ADVANCE_FEE_5_NEW

##{ ADVANCE_FEE_5_NEW_FORM

describe ADVANCE_FEE_5_NEW_FORM Advance Fee fraud and a form
meta ADVANCE_FEE_5_NEW_FORM __ADVANCE_FEE_5_NEW_FORM
tflags ADVANCE_FEE_5_NEW_FORM publish
##} ADVANCE_FEE_5_NEW_FORM

##{ ADVANCE_FEE_5_NEW_FRM_MNY

describe ADVANCE_FEE_5_NEW_FRM_MNY Advance Fee fraud form and lots of money
meta ADVANCE_FEE_5_NEW_FRM_MNY __ADVANCE_FEE_5_NEW_FRM_MNY
tflags ADVANCE_FEE_5_NEW_FRM_MNY publish
##} ADVANCE_FEE_5_NEW_FRM_MNY

##{ ADVANCE_FEE_5_NEW_MONEY

describe ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money
meta ADVANCE_FEE_5_NEW_MONEY __ADVANCE_FEE_5_NEW_MONEY && !__BOUNCE_CTYPE && !__BUGGED_IMG
tflags ADVANCE_FEE_5_NEW_MONEY publish
##} ADVANCE_FEE_5_NEW_MONEY
276
##{ AD_PREFS

# Matches phrases such as "ad prefs", "advertising preferences",
# "promotion settings" or "marketing_preferences" in the rendered body text.
# The two words may be joined by a hyphen, space or underscore, and [i1l]
# accepts the letters i/l or the digit 1 in "advertising", so simple
# look-alike substitutions still match. Case-insensitive.
describe AD_PREFS Advertising preferences
body AD_PREFS /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i
tflags AD_PREFS publish
#score AD_PREFS 0.500 # limit
##} AD_PREFS
284
##{ ALIBABA_IMG_NOT_RCVD_ALI

# Brand-impersonation indicator: per the description, the message embeds an
# image hosted by Alibaba but was not relayed by Alibaba. The detection lives
# in the sub-rule __ALIBABA_IMG_NOT_RCVD_ALI (outside this listing); this
# meta only subtracts four exclusion sub-rules from it.
describe ALIBABA_IMG_NOT_RCVD_ALI Alibaba hosted image but message not from Alibaba
meta ALIBABA_IMG_NOT_RCVD_ALI __ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASE
tflags ALIBABA_IMG_NOT_RCVD_ALI publish
#score ALIBABA_IMG_NOT_RCVD_ALI 2.500 # limit
##} ALIBABA_IMG_NOT_RCVD_ALI
292
##{ AMAZON_IMG_NOT_RCVD_AMZN

# Brand-impersonation indicator: per the description, the message embeds an
# image hosted by Amazon but was not relayed by Amazon. The detection lives
# in the sub-rule __AMAZON_IMG_NOT_RCVD_AMZN (outside this listing); this
# meta subtracts eight exclusion sub-rules from it, any one of which turns
# the rule off.
describe AMAZON_IMG_NOT_RCVD_AMZN Amazon hosted image but message not from Amazon
meta AMAZON_IMG_NOT_RCVD_AMZN __AMAZON_IMG_NOT_RCVD_AMZN && !__HDR_RCVD_KEEPA && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST && !__URI_PRODUCT_AMAZON && !__HAS_ERRORS_TO
tflags AMAZON_IMG_NOT_RCVD_AMZN publish
#score AMAZON_IMG_NOT_RCVD_AMZN 2.500 # limit
##} AMAZON_IMG_NOT_RCVD_AMZN
300
##{ APOSTROPHE_FROM

# Tests only the address part of the From header (the :addr modifier), not
# the display name, for a single-quote character anywhere in it.
# NOTE(review): an apostrophe is a legal local-part character, so this is an
# indicator, not proof of a malformed address.
describe APOSTROPHE_FROM From address contains an apostrophe
header APOSTROPHE_FROM From:addr =~ /'/
##} APOSTROPHE_FROM
306
##{ APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

# Defined only when the running SpamAssassin reports the feature
# feature_bug6558_free; otherwise the whole rule is skipped.
# Hits when __APP_DEVELOPMENT_MANY hits together with either
# __REPTO_CHN_FREEM or __freemail_hdr_replyto (all defined outside this
# listing).
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  describe APP_DEVELOPMENT_FREEM App development pitch, freemail or CHN replyto
  meta APP_DEVELOPMENT_FREEM __APP_DEVELOPMENT_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
  tflags APP_DEVELOPMENT_FREEM publish
# score APP_DEVELOPMENT_FREEM 3.500 # limit
endif
##} APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
316
##{ APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

# Defined only when the running SpamAssassin reports the feature
# feature_bug6558_free. Hits when __APP_DEVELOPMENT and __RDNS_NONE both hit;
# per the description the second one means the sending relay had no reverse
# DNS.
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  describe APP_DEVELOPMENT_NORDNS App development pitch, no rDNS
  meta APP_DEVELOPMENT_NORDNS __APP_DEVELOPMENT && __RDNS_NONE
  tflags APP_DEVELOPMENT_NORDNS publish
# score APP_DEVELOPMENT_NORDNS 2.000 # limit
endif
##} APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
326
##{ AXB_XMAILER_MIMEOLE_OL_024C2

# Hits only when both header-trait sub-rules hit on the same message. By the
# rule name they inspect X-Mailer and X-MimeOLE (TODO confirm; the sub-rules
# are defined outside this listing).
describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait
meta AXB_XMAILER_MIMEOLE_OL_024C2 (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2)
##} AXB_XMAILER_MIMEOLE_OL_024C2
332
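##{ AXB_XMAILER_MIMEOLE_OL_1ECD5

# Hits only when both header-trait sub-rules hit on the same message. By the
# rule name they inspect X-Mailer and X-MimeOLE (TODO confirm; the sub-rules
# are defined outside this listing).
meta AXB_XMAILER_MIMEOLE_OL_1ECD5 (__AXB_XM_OL_1ECD5 && __AXB_MO_OL_1ECD5)
describe AXB_XMAILER_MIMEOLE_OL_1ECD5 Yet another X header trait
# The closing marker belongs on a line of its own. Appended to the describe
# line it is still discarded as a comment (text after an unescaped '#'), so
# the description loads the same, but the section is then left without a
# closing marker for anything that reads the ##{ / ##} pairs.
##} AXB_XMAILER_MIMEOLE_OL_1ECD5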
337
##{ BANKING_LAWS

# Plain phrase match on the rendered body text, case-insensitive. There are
# no word boundaries in the pattern, so the phrase also matches inside longer
# strings.
describe BANKING_LAWS Talks about banking laws
body BANKING_LAWS /banking laws/i
##} BANKING_LAWS
343
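##{ BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval

# Both rules call the MIMEEval plugin's check_base64_length eval and exist
# only when that plugin is loaded. Per its description, this one covers
# base64 parts encoded with a line length of 78 or 79 characters.
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body BASE64_LENGTH_78_79 eval:check_base64_length('78','79')
# This description used to be declared for BASE64_LENGTH_79_INF, where the
# second describe of that rule replaced it, leaving this rule with no
# description at all. It is attached to the rule it describes.
describe BASE64_LENGTH_78_79 base64 encoded email part uses line length of 78 or 79 characters
endif
##} BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval

##{ BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval

# Same eval with a single argument; per the description, line lengths
# greater than 79 characters.
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
body BASE64_LENGTH_79_INF eval:check_base64_length('79')
describe BASE64_LENGTH_79_INF base64 encoded email part uses line length greater than 79 characters
endif
##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval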
359
##{ BIGNUM_EMAILS_FREEM

# Published name for the sub-rule __BIGNUM_EMAILS_FREEM (defined outside this
# listing); the meta adds no condition of its own.
describe BIGNUM_EMAILS_FREEM Lots of email addresses/leads, free email account
meta BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS_FREEM
tflags BIGNUM_EMAILS_FREEM publish
#score BIGNUM_EMAILS_FREEM 3.00 # limit
##} BIGNUM_EMAILS_FREEM

##{ BIGNUM_EMAILS_MANY

# Hits on __BIGNUM_EMAILS_3 unless __HAS_ERRORS_TO, __HAS_CAMPAIGNID or
# __DATE_LOWER also hit.
describe BIGNUM_EMAILS_MANY Lots of email addresses/leads, over and over
meta BIGNUM_EMAILS_MANY __BIGNUM_EMAILS_3 && !__HAS_ERRORS_TO && !__HAS_CAMPAIGNID && !__DATE_LOWER
tflags BIGNUM_EMAILS_MANY publish
#score BIGNUM_EMAILS_MANY 3.00 # limit
##} BIGNUM_EMAILS_MANY
375
##{ BITCOIN_BOMB

# Both rules below pair __BITCOIN_ID with one other sub-rule and are turned
# off when BITCOIN_EXTORT_01 has already hit, so an extortion message is not
# reported under these names as well. Sub-rules are defined outside this
# listing.
describe BITCOIN_BOMB BitCoin + bomb
meta BITCOIN_BOMB __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01
tflags BITCOIN_BOMB publish
#score BITCOIN_BOMB 3.000 # limit
##} BITCOIN_BOMB

##{ BITCOIN_DEADLINE

describe BITCOIN_DEADLINE BitCoin with a deadline
meta BITCOIN_DEADLINE __BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01
tflags BITCOIN_DEADLINE publish
#score BITCOIN_DEADLINE 3.000 # limit
##} BITCOIN_DEADLINE
391
##{ BITCOIN_EXTORT_01

# Extortion mail asking for payment in Bitcoin: __BITCOIN_ID together with
# __EXTORT_MANY. The negated group is one specific exception: the rule is off
# only when all five listed sub-rules hit at once, not when any single one
# does. Several other BITCOIN_* rules in this file are switched off whenever
# this rule hits.
describe BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin
meta BITCOIN_EXTORT_01 (__BITCOIN_ID && __EXTORT_MANY) && !( __FROM_FULL_NAME && __SENDER_BOT && __SINGLE_WORD_LINE && __MIME_HTML && __PHPMAILER_MUA )
tflags BITCOIN_EXTORT_01 publish
#score BITCOIN_EXTORT_01 5.000 # limit
##} BITCOIN_EXTORT_01

##{ BITCOIN_EXTORT_02

# Variant keyed on __OBFU_BITCOIN_NOID instead of __BITCOIN_ID; by name this
# covers an obfuscated mention of Bitcoin without a wallet ID (TODO confirm
# against the sub-rule, which is defined outside this listing).
describe BITCOIN_EXTORT_02 Extortion spam, pay via BitCoin
meta BITCOIN_EXTORT_02 __OBFU_BITCOIN_NOID && __EXTORT_MANY
tflags BITCOIN_EXTORT_02 publish
#score BITCOIN_EXTORT_02 5.000 # limit
##} BITCOIN_EXTORT_02
407
##{ BITCOIN_IMGUR

# Bitcoin-themed combination rules. Each pairs a Bitcoin sub-rule with one
# other trait; the ones that test !BITCOIN_EXTORT_01 stay off when the
# extortion rule has already hit. Sub-rules are defined outside this listing.
describe BITCOIN_IMGUR Bitcoin + hosted image
meta BITCOIN_IMGUR __BITCOIN_IMGUR
tflags BITCOIN_IMGUR publish
#score BITCOIN_IMGUR 3.500 # limit
##} BITCOIN_IMGUR

##{ BITCOIN_MALF_HTML

# Uses the scored rule HTML_EXTRA_CLOSE, not a __ sub-rule, together with
# either Bitcoin sub-rule. This rule has no tflags line.
describe BITCOIN_MALF_HTML Bitcoin + malformed HTML
meta BITCOIN_MALF_HTML HTML_EXTRA_CLOSE && (__BITCOIN || __BITCOIN_ID)
#score BITCOIN_MALF_HTML 3.500 # limit
##} BITCOIN_MALF_HTML

##{ BITCOIN_MALWARE

describe BITCOIN_MALWARE BitCoin + malware bragging
meta BITCOIN_MALWARE __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED
tflags BITCOIN_MALWARE publish
#score BITCOIN_MALWARE 3.500 # limit
##} BITCOIN_MALWARE

##{ BITCOIN_OBFU_SUBJ

describe BITCOIN_OBFU_SUBJ Bitcoin + obfuscated subject
meta BITCOIN_OBFU_SUBJ __BITCOIN_OBFU_SUBJ && !__128_ALNUM_URI
tflags BITCOIN_OBFU_SUBJ publish
#score BITCOIN_OBFU_SUBJ 3.500 # limit
##} BITCOIN_OBFU_SUBJ

##{ BITCOIN_ONAN

describe BITCOIN_ONAN BitCoin + [censored]
meta BITCOIN_ONAN __BITCOIN_ID && __YOUR_ONAN && __KHOP_NO_FULL_NAME && !BITCOIN_EXTORT_01
tflags BITCOIN_ONAN publish
#score BITCOIN_ONAN 3.000 # limit
##} BITCOIN_ONAN

##{ BITCOIN_PAY_ME

describe BITCOIN_PAY_ME Pay me via BitCoin
meta BITCOIN_PAY_ME __BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01
tflags BITCOIN_PAY_ME publish
#score BITCOIN_PAY_ME 3.000 # limit
##} BITCOIN_PAY_ME
454
##{ BITCOIN_SPAM_01

# BITCOIN_SPAM_01..12: numbered patterns whose descriptions carry no detail.
# What each one tests is only visible in its meta expression: most combine
# __BITCOIN_ID with one other rule or sub-rule; 02, 05 and 07 wrap a
# dedicated sub-rule and subtract one exclusion. Only 05 is flagged as a
# network test (tflags net). Sub-rules are defined outside this listing.
describe BITCOIN_SPAM_01 BitCoin spam pattern 01
meta BITCOIN_SPAM_01 __BITCOIN_ID && HTML_MIME_NO_HTML_TAG
tflags BITCOIN_SPAM_01 publish
#score BITCOIN_SPAM_01 2.500 # limit
##} BITCOIN_SPAM_01

##{ BITCOIN_SPAM_02

describe BITCOIN_SPAM_02 BitCoin spam pattern 02
meta BITCOIN_SPAM_02 __BITCOIN_SPAM_02 && !__URL_BTC_ID
tflags BITCOIN_SPAM_02 publish
#score BITCOIN_SPAM_02 2.500 # limit
##} BITCOIN_SPAM_02

##{ BITCOIN_SPAM_03

describe BITCOIN_SPAM_03 BitCoin spam pattern 03
meta BITCOIN_SPAM_03 __BITCOIN_ID && __SINGLE_WORD_SUBJ
tflags BITCOIN_SPAM_03 publish
#score BITCOIN_SPAM_03 2.500 # limit
##} BITCOIN_SPAM_03

##{ BITCOIN_SPAM_04

describe BITCOIN_SPAM_04 BitCoin spam pattern 04
meta BITCOIN_SPAM_04 __BITCOIN_ID && __freemail_hdr_replyto
tflags BITCOIN_SPAM_04 publish
#score BITCOIN_SPAM_04 1.500 # limit
##} BITCOIN_SPAM_04

##{ BITCOIN_SPAM_05

# Network test: not evaluated when SpamAssassin runs with network checks
# disabled.
describe BITCOIN_SPAM_05 BitCoin spam pattern 05
meta BITCOIN_SPAM_05 __BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TO
tflags BITCOIN_SPAM_05 net publish
#score BITCOIN_SPAM_05 2.500 # limit
##} BITCOIN_SPAM_05

##{ BITCOIN_SPAM_06

describe BITCOIN_SPAM_06 BitCoin spam pattern 06
meta BITCOIN_SPAM_06 __BITCOIN_ID && TVD_RCVD_SPACE_BRACKET
tflags BITCOIN_SPAM_06 publish
#score BITCOIN_SPAM_06 1.500 # limit
##} BITCOIN_SPAM_06

##{ BITCOIN_SPAM_07

describe BITCOIN_SPAM_07 BitCoin spam pattern 07
meta BITCOIN_SPAM_07 __BITCOIN_SPAM_07 && !__DKIM_EXISTS
tflags BITCOIN_SPAM_07 publish
#score BITCOIN_SPAM_07 3.500 # limit
##} BITCOIN_SPAM_07

##{ BITCOIN_SPAM_08

describe BITCOIN_SPAM_08 BitCoin spam pattern 08
meta BITCOIN_SPAM_08 __BITCOIN_ID && __TO_IN_SUBJ
tflags BITCOIN_SPAM_08 publish
#score BITCOIN_SPAM_08 2.500 # limit
##} BITCOIN_SPAM_08

##{ BITCOIN_SPAM_09

describe BITCOIN_SPAM_09 BitCoin spam pattern 09
meta BITCOIN_SPAM_09 __BITCOIN_ID && ( __DESTROY_ME || __DESTROY_YOU )
tflags BITCOIN_SPAM_09 publish
#score BITCOIN_SPAM_09 1.500 # limit
##} BITCOIN_SPAM_09

##{ BITCOIN_SPAM_10

describe BITCOIN_SPAM_10 BitCoin spam pattern 10
meta BITCOIN_SPAM_10 __BITCOIN_ID && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 )
tflags BITCOIN_SPAM_10 publish
#score BITCOIN_SPAM_10 2.500 # limit
##} BITCOIN_SPAM_10

##{ BITCOIN_SPAM_11

describe BITCOIN_SPAM_11 BitCoin spam pattern 11
meta BITCOIN_SPAM_11 __BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFU
tflags BITCOIN_SPAM_11 publish
#score BITCOIN_SPAM_11 2.500 # limit
##} BITCOIN_SPAM_11

##{ BITCOIN_SPAM_12

describe BITCOIN_SPAM_12 BitCoin spam pattern 12
meta BITCOIN_SPAM_12 __BITCOIN_ID && __BOGUS_MIME_HDR_MANY
tflags BITCOIN_SPAM_12 publish
#score BITCOIN_SPAM_12 2.500 # limit
##} BITCOIN_SPAM_12
550
##{ BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS

# Defined only on SpamAssassin 3.4.1 or later with the AskDNS plugin loaded.
# Per the description, __PDS_SPF_ONLYALL marks a sending domain whose SPF
# record passes every sender (+all), which makes an SPF pass meaningless for
# that domain; the rule pairs that with a Bitcoin wallet ID.
# tflags net: a network (DNS) test, skipped when network checks are off.
if (version >= 3.004001)
  ifplugin Mail::SpamAssassin::Plugin::AskDNS
    describe BITCOIN_SPF_ONLYALL Bitcoin from a domain specifically set to pass +all SPF
    meta BITCOIN_SPF_ONLYALL __PDS_SPF_ONLYALL && __BITCOIN_ID
    tflags BITCOIN_SPF_ONLYALL net publish
#score BITCOIN_SPF_ONLYALL 2.0 # limit
  endif
endif
##} BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
562
##{ BITCOIN_WFH_01

# Published name for the sub-rule __BITCOIN_WFH_01; no score line appears
# for it here.
describe BITCOIN_WFH_01 Work-from-Home + bitcoin
meta BITCOIN_WFH_01 __BITCOIN_WFH_01
tflags BITCOIN_WFH_01 publish
##} BITCOIN_WFH_01

##{ BITCOIN_XPRIO

# Hits on __BITCOIN_XPRIO unless one of four exclusion sub-rules hits. This
# rule has no tflags line.
describe BITCOIN_XPRIO Bitcoin + priority
meta BITCOIN_XPRIO __BITCOIN_XPRIO && !__ML1 && !__HAS_SENDER && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY
#score BITCOIN_XPRIO 2.500 # limit
##} BITCOIN_XPRIO

##{ BITCOIN_YOUR_INFO

# Off when BITCOIN_EXTORT_01 has already hit.
describe BITCOIN_YOUR_INFO BitCoin with your personal info
meta BITCOIN_YOUR_INFO __BITCOIN_ID && __YOUR_PERSONAL && !BITCOIN_EXTORT_01
tflags BITCOIN_YOUR_INFO publish
#score BITCOIN_YOUR_INFO 3.000 # limit
##} BITCOIN_YOUR_INFO
584
##{ BODY_SINGLE_URI

# Hits on __BODY_SINGLE_URI unless the message came only through trusted
# relays (ALL_TRUSTED) or one of four exclusion sub-rules hits. This rule has
# no tflags line.
describe BODY_SINGLE_URI Message body is only a URI
meta BODY_SINGLE_URI __BODY_SINGLE_URI && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP && !__VIA_ML
#score BODY_SINGLE_URI 2.500 # limit
##} BODY_SINGLE_URI
591
##{ BODY_URI_ONLY

# Hits on __BODY_URI_ONLY and is then switched off by any one of twelve
# exclusion sub-rules. The long exclusion list narrows a very broad trait
# (a body that is nothing but a link); the exclusions are defined outside
# this listing and should be read there before relying on this rule.
describe BODY_URI_ONLY Message body is only a URI in one line of text or for an image
meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV
tflags BODY_URI_ONLY publish
#score BODY_URI_ONLY 3.000 # limit
##} BODY_URI_ONLY
599
##{ BOGUS_MIME_VERSION

# Hits when either sub-rule hits: __BOGUS_MIME_VER_02 or __MALF_MIME_VER
# (both defined outside this listing).
describe BOGUS_MIME_VERSION Mime version header is bogus
meta BOGUS_MIME_VERSION __BOGUS_MIME_VER_02 || __MALF_MIME_VER
tflags BOGUS_MIME_VERSION publish
#score BOGUS_MIME_VERSION 3.500 # limit
##} BOGUS_MIME_VERSION
607
##{ BOGUS_MSM_HDRS

# Published name for the sub-rule __BOGUS_MSM_HDRS (defined outside this
# listing); the meta adds no condition of its own.
describe BOGUS_MSM_HDRS Apparently bogus Microsoft email headers
meta BOGUS_MSM_HDRS __BOGUS_MSM_HDRS
tflags BOGUS_MSM_HDRS publish
#score BOGUS_MSM_HDRS 3.000 # limit
##} BOGUS_MSM_HDRS
615
##{ BOMB_FREEM

# Both rules start from __EXPLOSIVE_DEVICE (defined outside this listing).
# This one adds __freemail_hdr_replyto.
describe BOMB_FREEM Bomb + freemail
meta BOMB_FREEM __EXPLOSIVE_DEVICE && __freemail_hdr_replyto
tflags BOMB_FREEM publish
#score BOMB_FREEM 2.000 # limit
##} BOMB_FREEM

##{ BOMB_MONEY

# Adds any of the tier 3-5 advance-fee sub-rules. Note it tests the raw
# __ADVANCE_FEE_*_NEW sub-rules, not the published ADVANCE_FEE_*_NEW rules,
# so the exclusions applied by those published rules do not apply here.
describe BOMB_MONEY Bomb + money: bomb threat?
meta BOMB_MONEY __EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW || __ADVANCE_FEE_4_NEW || __ADVANCE_FEE_5_NEW )
tflags BOMB_MONEY publish
#score BOMB_MONEY 2.500 # limit
##} BOMB_MONEY
631
##{ BTC_ORG

# BTC_ORG is spread over three sections: the description here, then one of
# two meta definitions chosen by whether the DKIM plugin is loaded. The two
# conditions are mutually exclusive, so exactly one meta is in effect.
describe BTC_ORG Bitcoin wallet ID + unusual header
#score BTC_ORG 2.500 # limit
##} BTC_ORG

##{ BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM)

# Without the DKIM plugin: wallet ID plus Organization header, not from an
# all-trusted path, and __DOS_HAS_MAILING_LIST hitting.
# NOTE(review): __DOS_HAS_MAILING_LIST is required here, not excluded, unlike
# the list-related sub-rules in most other metas of this file -- confirm
# against its definition that this is intended.
if !plugin(Mail::SpamAssassin::Plugin::DKIM)
  meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST
endif
##} BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM)

##{ BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM

# With the DKIM plugin: same expression, and additionally off for any
# message that hits DKIM_SIGNED.
ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED
endif
##} BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM
651
##{ BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval

# Defined only on SpamAssassin 3.4.2 or later with the WLBLEval plugin
# loaded. All three sub-rules must hit; per the description they stand for a
# "RE:" subject, bulk precedence, and a From address under a suspicious TLD.
# Which TLDs count is decided by __FROM_ADDRLIST_SUSPNTLD, defined outside
# this listing.
if (version >= 3.004002)
  ifplugin Mail::SpamAssassin::Plugin::WLBLEval
    describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD
    meta BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD
    tflags BULK_RE_SUSP_NTLD publish
#score BULK_RE_SUSP_NTLD 1.0 # limit
  endif
endif
##} BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
663
##{ CANT_SEE_AD

# Hits when either __CANT_SEE_AD_1 or __CANT_SEE_AD_2 hits, unless
# __DOS_HAS_LIST_UNSUB also hits.
describe CANT_SEE_AD You really want to see our spam.
meta CANT_SEE_AD (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB
tflags CANT_SEE_AD publish
#score CANT_SEE_AD 2.500 # limit
##} CANT_SEE_AD
671
##{ CK_HELO_GENERIC

# Tests the X-Spam-Relays-Untrusted pseudo-header, which SpamAssassin builds
# from the Received chain. Reading the pattern left to right:
#   ^[^\]]+helo=      stay inside the first bracketed relay entry
#   (?=\S*(?:pool|dyna|lease|dial|dip|static))
#                     the HELO name contains one of these keywords
#   \S*\d+[^\d\s]+\d+ and it contains two digit groups separated by
#                     non-digit characters
#   [^\]]+ auth=      still in the same entry, the auth field is empty
#                     (literal "auth= " followed by a space)
# Note that "static" is in the keyword list, so a HELO that advertises a
# static address is treated the same as a dynamic-pool name.
describe CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or Generic rPTR
header CK_HELO_GENERIC X-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?=\S*(?:pool|dyna|lease|dial|dip|static))\S*\d+[^\d\s]+\d+[^\]]+ auth= /i
#score CK_HELO_GENERIC 0.25
##} CK_HELO_GENERIC
678
##{ CN_B2B_SPAMMER

# Self-introduction phrases in the rendered body: "We are [a] China-based /
# Taiwan based ..." or "We are one of the best / a leading ..." followed by
# either "international" or a 10-90 character stretch without a full stop
# that ends in "in/from [city, ]China|Taiwan". The bounded {10,90} keeps the
# free-text part from running across sentences. Case-insensitive.
describe CN_B2B_SPAMMER Chinese company introducing itself
body CN_B2B_SPAMMER /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i
tflags CN_B2B_SPAMMER publish
##} CN_B2B_SPAMMER
685
##{ COMMENT_GIBBERISH

# Hits on __COMMENT_GIBBERISH unless __JM_REACTOR_DATE,
# __RCD_RDNS_MTA_MESSY or __SENDER_BOT also hit.
describe COMMENT_GIBBERISH Nonsense in long HTML comment
meta COMMENT_GIBBERISH __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT
tflags COMMENT_GIBBERISH publish
#score COMMENT_GIBBERISH 1.50 # limit
##} COMMENT_GIBBERISH
693
##{ COMPENSATION

# COMPENSATION is spread over three sections: the description here, then one
# of two meta definitions chosen by whether the DKIM plugin is loaded. The
# two conditions are mutually exclusive, so exactly one meta is in effect.
describe COMPENSATION "Compensation"
#score COMPENSATION 1.50 # limit
##} COMPENSATION

##{ COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM)

# Without the DKIM plugin: __COMPENSATION minus fourteen exclusion sub-rules.
# __DKIM_EXISTS is tested in both variants, so it is evidently not provided
# by the DKIM plugin itself.
if !plugin(Mail::SpamAssassin::Plugin::DKIM)
  meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD
endif
##} COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM)

##{ COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM

# With the DKIM plugin: the same expression plus one more exclusion,
# __DKIM_DEPENDABLE.
ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__DKIM_DEPENDABLE
endif
##} COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM
713
##{ CONTENT_AFTER_HTML

# Hits on __CONTENT_AFTER_HTML unless one of five exclusion sub-rules hits.
# Per the description the trait is text placed after the closing HTML tag,
# where a mail client may not render it but a filter still has to read it.
describe CONTENT_AFTER_HTML More content after HTML close tag
meta CONTENT_AFTER_HTML __CONTENT_AFTER_HTML && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !__RCD_RDNS_MTA_MESSY && !__URI_DOTGOV
tflags CONTENT_AFTER_HTML publish
#score CONTENT_AFTER_HTML 2.500 # limit
##} CONTENT_AFTER_HTML
721
##{ CORRUPT_FROM_LINE_IN_HDRS

# Informational marker rather than a spam sign: all four conditions must
# hold at once (missing headers, a body that starts with a From line, no Date
# header, no relays). That combination points at a message whose header block
# was cut short by a stray mbox-style "From " line, so most other header
# rules saw nothing to test.
describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers
meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS)
tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish
#score CORRUPT_FROM_LINE_IN_HDRS 0.001
##} CORRUPT_FROM_LINE_IN_HDRS
729
##{ CTE_8BIT_MISMATCH

# Three conditions together: __CT_TEXT_PLAIN hits; either __CTE does not hit
# or __L_CTE_7BIT does; and __L_BODY_8BITS hits. By the names and the
# description: a text/plain message with no Content-Transfer-Encoding header
# (or one declaring 7bit) whose body nevertheless contains 8-bit bytes.
describe CTE_8BIT_MISMATCH Header says 7bits but body disagrees
meta CTE_8BIT_MISMATCH (__CT_TEXT_PLAIN && (!__CTE || __L_CTE_7BIT) && __L_BODY_8BITS)
tflags CTE_8BIT_MISMATCH publish
#score CTE_8BIT_MISMATCH 1
##} CTE_8BIT_MISMATCH
737
##{ CTYPE_001C_A

# Retired rule: the expression is the constant 0, so it can never hit. The
# name stays defined, which keeps any other configuration that still refers
# to CTYPE_001C_A from pointing at an undefined rule.
meta CTYPE_001C_A (0) # obsolete
##} CTYPE_001C_A
742
##{ CTYPE_001C_B

# Matches a multipart Content-Type whose boundary string has the fixed shape
#   ----=_NextPart_000_0000_01C<5 hex digits>.<7 hex digits>0
# i.e. the "_NextPart" boundary layout with the counter fields stuck at
# 000_0000 and a final digit of 0. Hex digits must be upper case; the rule is
# case-sensitive. .{0,200} bounds how far after "multipart" the boundary
# parameter may appear. No description is declared for this rule.
header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
##} CTYPE_001C_B
747
##{ CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

# Needs the MIMEHeader plugin, which lets a rule test the headers of
# individual MIME parts. :raw keeps the header as it was written, including
# the line fold, so the pattern can require the exact layout
#   image/gif;<newline><eight spaces>name="..."
# The trait is the formatting of the header, not the file name.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc)
  mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s
endif
##} CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
755
##{ CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader

# Defined only with the MIMEHeader plugin loaded. Published name for the
# sub-rule __CTYPE_NULL, which is defined outside this listing.
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  describe CTYPE_NULL Malformed Content-Type header
  meta CTYPE_NULL __CTYPE_NULL
endif
##} CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
763
##{ CURR_PRICE

# Case-sensitive phrase match on the rendered body: "Current Price:" starting
# at a word boundary. No description is declared for this rule.
body CURR_PRICE /\bCurrent Price:/
##} CURR_PRICE
768
##{ DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval

# Needs the HeaderEval plugin. The two arguments are the bounds of the
# window described below, in hours: 96 h is 4 days and 2920 h is roughly
# 4 months. The Date: header is compared with the Received: time, so the
# check does not depend on when the message is scanned.
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
  describe DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: date
  header DATE_IN_FUTURE_96_Q eval:check_for_shifted_date('96', '2920')
endif
##} DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
776
##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free)

# Defined only when the running SpamAssassin reports the feature
# feature_bug6558_free. The meta compares the sub-rule's value numerically:
# __DAY_I_EARNED has to reach 3, so a single hit is not enough (presumably
# the sub-rule counts multiple matches -- confirm against its definition).
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  describe DAY_I_EARNED Work-at-home spam
  meta DAY_I_EARNED __DAY_I_EARNED >= 3
  tflags DAY_I_EARNED publish
# score DAY_I_EARNED 3.000 # limit
endif
##} DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
786
##{ DEAR_BENEFICIARY

# Salutation match on the rendered body, case-insensitive. Opening word:
# "Dear"/"Deer", or "Attention"/"Attn" (one or more t's, optional colon).
# One optional extra word may follow, then "Beneficiary" or the misspelling
# "Benificiary".
describe DEAR_BENEFICIARY Dear Beneficiary:
body DEAR_BENEFICIARY /\b(?:De[ae]r\s|At+(?:ention|n):?\s?)(?:\S+\s)?Ben[ei]ficiary\b/i
##} DEAR_BENEFICIARY
792
##{ DEAR_WINNER

# "dear" at a word boundary, then 1 to 20 arbitrary characters, then
# "winner"; case-insensitive. There is no boundary after "winner", so longer
# words beginning with it match as well.
describe DEAR_WINNER Spam with generic salutation of "dear winner"
body DEAR_WINNER /\bdear.{1,20}winner/i
##} DEAR_WINNER
798
##{ DETAILS_OF_PRODUCT

# Four alternative sales-pitch phrasings on the rendered body,
# case-insensitive:
#   1. "Please/kindly see|refer to|check [out] the ... product details ...
#      below/following/..."
#   2. "the following is the [detailed] product information" or "... is a
#      brief introduction to <up to five words> this product"
#   3. "here is/are some basic information about this"
#   4. "you can [word] understand our product"
# Only alternative 3 is anchored with \b. No description is declared.
# NOTE(review): "(below|...)" and "(is|are)" are capturing groups whose
# captures are never used; every other group in the pattern is (?:...).
body DETAILS_OF_PRODUCT /(?:Please|kindly) (?:see|refer to|check(?: out)?) the (?:details of the product|(?:detailed |complete |specific )?product (?:details|information)) (below|following|that follow|in detail)|the following (?:(?:is the )?(?:detailed )?product information|is a brief introduction to (?:\w+\s){0,5}this product)|\bhere (is|are) some basic information about this|you can (?:\w+ )?understand our product/i
#score DETAILS_OF_PRODUCT 1.250 # limit
##} DETAILS_OF_PRODUCT
804
##{ DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS

# Needs the AskDNS plugin. Published name for the sub-rule __DKIMWL_WL_BL
# (defined outside this listing), which per the description reflects a
# "blocked sender" answer from the DKIMwl.org DNS list.
# tflags net: a network test, skipped when network checks are off.
ifplugin Mail::SpamAssassin::Plugin::AskDNS
  describe DKIMWL_BL DKIMwl.org - Blocked sender
  meta DKIMWL_BL __DKIMWL_WL_BL
  tflags DKIMWL_BL net publish
#score DKIMWL_BL 3.0 # limit
endif
##} DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS
814
##{ DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS

# Operational alarm, not a verdict on the message: it hits when the DNS list
# answers that this resolver's queries are being refused. While it hits, the
# other DKIMWL_* rules are not getting usable answers, so an administrator
# should treat a hit as a configuration problem to fix.
# The "\#" in the URL is deliberate: an unescaped '#' would start a comment
# and cut the description off at that point.
ifplugin Mail::SpamAssassin::Plugin::AskDNS
  describe DKIMWL_BLOCKED ADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
  meta DKIMWL_BLOCKED __DKIMWL_BLOCKED
  tflags DKIMWL_BLOCKED net publish
#score DKIMWL_BLOCKED 0.001 # limit
endif
##} DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS
824
825##{ DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS
826
# "Nice" rule: fires when __DKIMWL_WL_HI is true and none of the freemail or
# bulk-mail conditions in the negated group match. The `net` tflag marks it as a
# network test, and the commented default score is negative, so a hit lowers the
# spam score of the message.
# NOTE(review): __DKIMWL_WL_HI is defined outside this excerpt; presumably it is
# the AskDNS query to DKIMwl.org - confirm. The score reduction rests on that
# third-party answer, so watch for DKIMWL_BLOCKED hits before relying on it.
827ifplugin Mail::SpamAssassin::Plugin::AskDNS
828meta DKIMWL_WL_HIGH __DKIMWL_WL_HI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL || __DKIMWL_BULKMAIL)
829tflags DKIMWL_WL_HIGH net nice publish
830describe DKIMWL_WL_HIGH DKIMwl.org - High trust sender
831#score DKIMWL_WL_HIGH -3.0 # limit
832endif
833##} DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS
834
835##{ DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS
836
837ifplugin Mail::SpamAssassin::Plugin::AskDNS
838meta DKIMWL_WL_MED __DKIMWL_WL_MED && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL)
839tflags DKIMWL_WL_MED net nice publish
840describe DKIMWL_WL_MED DKIMwl.org - Medium trust sender
841#score DKIMWL_WL_MED -0.5 # limit
842endif
843##} DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS
844
845##{ DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS
846
847ifplugin Mail::SpamAssassin::Plugin::AskDNS
848meta DKIMWL_WL_MEDHI __DKIMWL_WL_MEDHI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL)
849tflags DKIMWL_WL_MEDHI net nice publish
850describe DKIMWL_WL_MEDHI DKIMwl.org - Medium-high trust sender
851#score DKIMWL_WL_MEDHI -1.0 # limit
852endif
853##} DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS
854
855##{ DOS_ANAL_SPAM_MAILER
856
857header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/
858describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam
859tflags DOS_ANAL_SPAM_MAILER publish
860##} DOS_ANAL_SPAM_MAILER
861
862##{ DOS_DEREK_AUG08
863
864meta DOS_DEREK_AUG08 __DOS_SINGLE_EXT_RELAY && __DOS_HAS_ANY_URI && __NAKED_TO && __LAST_UNTRUSTED_RELAY_NO_AUTH && SPF_PASS && __TVD_MIME_ATT_TP && __CT_TEXT_PLAIN && (__DOS_MSGID_DIGITS9 || __DOS_MSGID_DIGITS10)
865##} DOS_DEREK_AUG08
866
867##{ DOS_FIX_MY_URI
868
869meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK
870describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam
871##} DOS_FIX_MY_URI
872
873##{ DOS_HIGH_BAT_TO_MX
874
875meta DOS_HIGH_BAT_TO_MX __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA
876describe DOS_HIGH_BAT_TO_MX The Bat! Direct to MX with High Bits
877##} DOS_HIGH_BAT_TO_MX
878
879##{ DOS_LET_GO_JOB
880
881meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME
882describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough!
883##} DOS_LET_GO_JOB
884
885##{ DOS_OE_TO_MX
886
887meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE
888describe DOS_OE_TO_MX Delivered direct to MX with OE headers
889##} DOS_OE_TO_MX
890
891##{ DOS_OE_TO_MX_IMAGE
892
893meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
894describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image
895##} DOS_OE_TO_MX_IMAGE
896
897##{ DOS_OUTLOOK_TO_MX
898
899meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE
900describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers
901##} DOS_OUTLOOK_TO_MX
902
903##{ DOS_RCVD_IP_TWICE_C
904
# Matches X-Spam-Relays-External when it holds exactly two bracketed entries with
# the same ip= value: the first IP is captured (anything starting with "127" is
# excluded by the lookahead) and the second entry must repeat it through \1.
# The first entry's helo= must be empty or a dotted-numeric string of 7-15
# characters wrapped in "!" characters. The ^ and $ anchors, with only optional
# whitespace around the entries, rule out any additional relay entry.
905header DOS_RCVD_IP_TWICE_C X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=(?:![\d.]{7,15}!)? [^\[]*\[ ip=\1 [^\]]*\]\s*$/
906describe DOS_RCVD_IP_TWICE_C Received from the same IP twice in a row (only one external relay; empty or IP helo)
907##} DOS_RCVD_IP_TWICE_C
908
909##{ DOS_STOCK_BAT
910
911meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS)
912describe DOS_STOCK_BAT Probable pump and dump stock spam
913##} DOS_STOCK_BAT
914
915##{ DOS_STOCK_BAT2
916
917meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)
918##} DOS_STOCK_BAT2
919
920##{ DOS_URI_ASTERISK
921
# Matches an http:// or https:// URI (scheme in any letter case) whose host part
# contains "*" in its final labels: either "*" followed by optional label
# characters and a dot, or "*" directly before the 2-3 letter suffix (optionally
# followed by a further two-letter label). The closing group requires the host
# to end there: end of string, a ":" (port) or a "/" (path).
# The character class [^/:]+ keeps the match inside the host part, so an
# asterisk in the path or query string does not trigger the rule.
922uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)}
923describe DOS_URI_ASTERISK Found an asterisk in a URI
924##} DOS_URI_ASTERISK
925
926##{ DOS_YOUR_PLACE
927
928meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL))
929describe DOS_YOUR_PLACE Russian dating spam
930##} DOS_YOUR_PLACE
931
932##{ DOTGOV_IMAGE
933
934meta DOTGOV_IMAGE __DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYS
935describe DOTGOV_IMAGE .gov URI + hosted image
936#score DOTGOV_IMAGE 3.000 # limit
937tflags DOTGOV_IMAGE publish
938##} DOTGOV_IMAGE
939
940##{ DRUGS_HDIA
941
942header DRUGS_HDIA Subject =~ /\bhoodia\b/i
943describe DRUGS_HDIA Subject mentions "hoodia"
944##} DRUGS_HDIA
945
946##{ DX_TEXT_02
947
948body DX_TEXT_02 /\b(?:change|modif(?:y|ications?)) (?:of|to|(?:yo)?ur) (?:message|sub|comm) stat/i
949describe DX_TEXT_02 "change your message stat"
950tflags DX_TEXT_02 publish
951##} DX_TEXT_02
952
953##{ DX_TEXT_03
954
955body DX_TEXT_03 /\b[A-Z]{3} Media (?:Group|Relations)\b/
956describe DX_TEXT_03 "XXX Media Group"
957tflags DX_TEXT_03 publish
958##} DX_TEXT_03
959
960##{ DYNAMIC_IMGUR
961
962meta DYNAMIC_IMGUR __DYNAMIC_IMGUR
963describe DYNAMIC_IMGUR dynamic IP + hosted image
964#score DYNAMIC_IMGUR 4.000 # limit
965tflags DYNAMIC_IMGUR publish
966##} DYNAMIC_IMGUR
967
968##{ DYN_RDNS_AND_INLINE_IMAGE
969
970meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
971describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS
972##} DYN_RDNS_AND_INLINE_IMAGE
973
974##{ DYN_RDNS_SHORT_HELO_HTML
975
976meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE)
977describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
978##} DYN_RDNS_SHORT_HELO_HTML
979
980##{ DYN_RDNS_SHORT_HELO_IMAGE
981
982meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
983describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image
984##} DYN_RDNS_SHORT_HELO_IMAGE
985
986##{ EBAY_IMG_NOT_RCVD_EBAY
987
988meta EBAY_IMG_NOT_RCVD_EBAY __EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTS
989#score EBAY_IMG_NOT_RCVD_EBAY 3.000 # limit
990describe EBAY_IMG_NOT_RCVD_EBAY E-bay hosted image but message not from E-bay
991tflags EBAY_IMG_NOT_RCVD_EBAY publish
992##} EBAY_IMG_NOT_RCVD_EBAY
993
994##{ EMRCP
995
996body EMRCP /\bExcess (?:Maximum )?Return Capital (?:Profits?|Funds?)\b/i
997describe EMRCP "Excess Maximum Return Capital Profit" scam
998tflags EMRCP publish
999##} EMRCP
1000
1001##{ ENCRYPTED_MESSAGE
1002
# "Nice" rule: promotes the sub-rule __CT_ENCRYPTED (defined outside this
# excerpt) to a published rule whose commented default score is negative.
# NOTE(review): presumably __CT_ENCRYPTED keys on the declared Content-Type of
# the message - confirm against its definition.
# Body and URI rules cannot inspect an encrypted payload, so the score reduction
# rests on message structure alone. Sites that depend on content scanning may
# want to neutralise this score in local.cf or require sender authentication
# alongside it.
1003meta ENCRYPTED_MESSAGE __CT_ENCRYPTED
1004describe ENCRYPTED_MESSAGE Message is encrypted, not likely to be spam
1005#score ENCRYPTED_MESSAGE -1.000
1006tflags ENCRYPTED_MESSAGE nice publish
1007##} ENCRYPTED_MESSAGE
1008
1009##{ END_FUTURE_EMAILS
1010
1011describe END_FUTURE_EMAILS Spammy unsubscribe
1012#score END_FUTURE_EMAILS 2.500 # limit
1013##} END_FUTURE_EMAILS
1014
1015##{ END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
1016
1017if !plugin(Mail::SpamAssassin::Plugin::DKIM)
1018 meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER
1019endif
1020##} END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
1021
1022##{ END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM
1023
1024ifplugin Mail::SpamAssassin::Plugin::DKIM
1025 meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED
1026endif
1027##} END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM
1028
1029##{ ENVFROM_GOOG_TRIX
1030
1031meta ENVFROM_GOOG_TRIX __ENVFROM_GOOG_TRIX_SPAMMY
1032describe ENVFROM_GOOG_TRIX From suspicious Google subdomain
1033#score ENVFROM_GOOG_TRIX 3.000 # limit
1034tflags ENVFROM_GOOG_TRIX publish
1035##} ENVFROM_GOOG_TRIX
1036
1037##{ EXCUSE_24
1038
1039body EXCUSE_24 /you(?:'ve|'re| have| are)? receiv(?:e|ed|ing) this (?:advertisement|offer|special|recurring|paid).{0,16}\b(?:by either|because)/i
1040describe EXCUSE_24 Claims you wanted this ad
1041##} EXCUSE_24
1042
1043##{ FAKE_REPLY_A1
1044
1045meta FAKE_REPLY_A1 (__SUBJ_RE && __MISSING_REPLY && __MISSING_REF && __BOTH_INR_AND_REF)
1046##} FAKE_REPLY_A1
1047
1048##{ FAKE_REPLY_B
1049
1050meta FAKE_REPLY_B (__SUBJ_RE && __MISSING_REPLY && __INR_AND_NO_REF)
1051##} FAKE_REPLY_B
1052
1053##{ FAKE_REPLY_C
1054
1055meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF)
1056##} FAKE_REPLY_C
1057
1058##{ FBI_MONEY
1059
1060meta FBI_MONEY __FBI_SPOOF && LOTS_OF_MONEY
1061describe FBI_MONEY The FBI wants to give you lots of money?
1062#score FBI_MONEY 2.00 # limit
1063tflags FBI_MONEY publish
1064##} FBI_MONEY
1065
1066##{ FBI_SPOOF
1067
1068meta FBI_SPOOF __FBI_SPOOF
1069describe FBI_SPOOF Claims to be FBI, but not from FBI domain
1070#score FBI_SPOOF 2.00 # limit
1071tflags FBI_SPOOF publish
1072##} FBI_SPOOF
1073
1074##{ FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1075
1076ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1077 meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML
1078 describe FILL_THIS_FORM Fill in a form with personal information
1079 tflags FILL_THIS_FORM publish
1080endif
1081##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1082
1083##{ FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1084
1085ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1086 meta FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY
1087 describe FILL_THIS_FORM_LONG Fill in a form with personal information
1088# score FILL_THIS_FORM_LONG 2.00 # limit
1089endif
1090##} FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1091
1092##{ FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1093
1094if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1095 meta FONT_INVIS_DIRECT __FONT_INVIS_DIRECT && !__UNSUB_LINK && !__HAS_ERRORS_TO && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__URI_DOTGOV && !__NAKED_TO && !__MSGID_OK_HEX
1096 describe FONT_INVIS_DIRECT Invisible text + direct-to-MX
1097# score FONT_INVIS_DIRECT 3.500 # limit
1098 tflags FONT_INVIS_DIRECT publish
1099endif
1100##} FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1101
1102##{ FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1103
1104if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1105 meta FONT_INVIS_DOTGOV __FONT_INVIS_DOTGOV && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__HAS_LIST_ID
1106 describe FONT_INVIS_DOTGOV Invisible text + .gov URI
1107# score FONT_INVIS_DOTGOV 3.500 # limit
1108 tflags FONT_INVIS_DOTGOV publish
1109endif
1110##} FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1111
1112##{ FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1113
1114if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1115 meta FONT_INVIS_HTML_NOHTML __FONT_INVIS_HTML_NOHTML && !__RDNS_LONG
1116 describe FONT_INVIS_HTML_NOHTML Invisible text + malformed HTML
1117# score FONT_INVIS_HTML_NOHTML 3.000 # limit
1118 tflags FONT_INVIS_HTML_NOHTML publish
1119endif
1120##} FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1121
1122##{ FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1123
1124if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1125 meta FONT_INVIS_LONG_LINE __FONT_INVIS_LONG_LINE && !__HTML_SINGLET
1126 describe FONT_INVIS_LONG_LINE Invisible text + long lines
1127# score FONT_INVIS_LONG_LINE 3.000 # limit
1128 tflags FONT_INVIS_LONG_LINE publish
1129endif
1130##} FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1131
1132##{ FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1133
1134if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1135 meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX
1136 describe FONT_INVIS_MSGID Invisible text + suspicious message ID
1137# score FONT_INVIS_MSGID 2.500 # limit
1138 tflags FONT_INVIS_MSGID publish
1139endif
1140##} FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1141
1142##{ FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1143
1144if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1145 meta FONT_INVIS_NORDNS __FONT_INVIS_NORDNS && !__HTML_SINGLET && !__LYRIS_EZLM_REMAILER && !__YOUR_PERSONAL && !__HAS_X_MAILER
1146 describe FONT_INVIS_NORDNS Invisible text + no rDNS
1147# score FONT_INVIS_NORDNS 2.500 # limit
1148 tflags FONT_INVIS_NORDNS publish
1149endif
1150##} FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1151
1152##{ FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1153
1154if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1155 meta FONT_INVIS_POSTEXTRAS (__FONT_INVIS || __STY_INVIS) && __AC_POST_EXTRAS
1156 describe FONT_INVIS_POSTEXTRAS Invisible text + suspicious URI
1157# score FONT_INVIS_POSTEXTRAS 3.500 # limit
1158 tflags FONT_INVIS_POSTEXTRAS publish
1159endif
1160##} FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1161
1162##{ FORGED_SPF_HELO
1163
# Fires when __HELO_NOT_RDNS and SPF_HELO_PASS are both true while SPF_PASS is
# not. No describe line is attached to this rule in this excerpt.
# NOTE(review): judging by the names, the HELO identity passed SPF but differs
# from the relay's rDNS, and the envelope sender did not pass SPF - confirm
# against the definition of __HELO_NOT_RDNS, which is outside this excerpt.
1164meta FORGED_SPF_HELO __HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS
1165##} FORGED_SPF_HELO
1166
1167##{ FORM_FRAUD
1168
1169meta FORM_FRAUD (__FORM_FRAUD && !__FORM_FRAUD_3 && !__FORM_FRAUD_5) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__UPPERCASE_URI && !__UNSUB_LINK
1170describe FORM_FRAUD Fill a form and a fraud phrase
1171#score FORM_FRAUD 1.000 # limit
1172tflags FORM_FRAUD publish
1173##} FORM_FRAUD
1174
1175##{ FORM_FRAUD_3
1176
1177meta FORM_FRAUD_3 (__FORM_FRAUD_3 && !__FORM_FRAUD_5 && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_3_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP && !__DOS_BODY_FRI && !__UNSUB_LINK && !__BUGGED_IMG && !__NOT_SPOOFED
1178describe FORM_FRAUD_3 Fill a form and several fraud phrases
1179tflags FORM_FRAUD_3 publish
1180##} FORM_FRAUD_3
1181
1182##{ FORM_FRAUD_5
1183
1184meta FORM_FRAUD_5 (__FORM_FRAUD_5 && !__ADVANCE_FEE_5_NEW_FORM && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__BOUNCE_CTYPE
1185describe FORM_FRAUD_5 Fill a form and many fraud phrases
1186tflags FORM_FRAUD_5 publish
1187##} FORM_FRAUD_5
1188
1189##{ FORM_LOW_CONTRAST
1190
1191meta FORM_LOW_CONTRAST __FORM_LOW_CONTRAST && !__BUGGED_IMG && !__HAS_REPLY_TO && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__MSGID_JAVAMAIL
1192describe FORM_LOW_CONTRAST Fill in a form with hidden text
1193#score FORM_LOW_CONTRAST 2.500 # Limit
1194tflags FORM_LOW_CONTRAST publish
1195##} FORM_LOW_CONTRAST
1196
1197##{ FOUND_YOU
1198
1199meta FOUND_YOU __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO
1200#score FOUND_YOU 3.25 # limit
1201describe FOUND_YOU I found you...
1202tflags FOUND_YOU publish
1203##} FOUND_YOU
1204
1205##{ FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
1206
1207ifplugin Mail::SpamAssassin::Plugin::FreeMail
1208 ifplugin Mail::SpamAssassin::Plugin::HeaderEval
1209 if (version >= 3.004000)
1210 meta FREEMAIL_FORGED_FROMDOMAIN FREEMAIL_FROM && HEADER_FROM_DIFFERENT_DOMAINS
1211 describe FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different
1212# score FREEMAIL_FORGED_FROMDOMAIN 0.25
1213 tflags FREEMAIL_FORGED_FROMDOMAIN publish
1214endif
1215endif
1216endif
1217##} FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
1218
1219##{ FREEMAIL_WFH_01
1220
1221meta FREEMAIL_WFH_01 __FREEMAIL_WFH_01
1222describe FREEMAIL_WFH_01 Work-from-Home + freemail
1223tflags FREEMAIL_WFH_01 publish
1224##} FREEMAIL_WFH_01
1225
1226##{ FREEM_FRNUM_UNICD_EMPTY
1227
1228meta FREEM_FRNUM_UNICD_EMPTY __FREEM_FRNUM_UNICD_EMPTY
1229describe FREEM_FRNUM_UNICD_EMPTY Numeric freemail From address, unicode From name and Subject, empty body
1230#score FREEM_FRNUM_UNICD_EMPTY 3.750 # limit
1231tflags FREEM_FRNUM_UNICD_EMPTY publish
1232##} FREEM_FRNUM_UNICD_EMPTY
1233
1234##{ FRNAME_IN_MSG_XPRIO_NO_SUB
1235
1236meta FRNAME_IN_MSG_XPRIO_NO_SUB (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS && !__SUBJ_NOT_SHORT && !ALL_TRUSTED
1237describe FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short or no subject
1238#score FRNAME_IN_MSG_XPRIO_NO_SUB 2.500 # limit
1239tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish
1240##} FRNAME_IN_MSG_XPRIO_NO_SUB
1241
1242##{ FROMSPACE
1243
1244describe FROMSPACE Idiosyncratic "From" header format
1245header FROMSPACE From:raw =~ /^\s?\"\s/
1246##} FROMSPACE
1247
1248##{ FROM_2_EMAILS_SHORT
1249
1250meta FROM_2_EMAILS_SHORT __KAM_BODY_LENGTH_LT_512 && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF)
1251describe FROM_2_EMAILS_SHORT Short body and From looks like 2 different emails
1252#score FROM_2_EMAILS_SHORT 3.0 # limit
1253##} FROM_2_EMAILS_SHORT
1254
1255##{ FROM_ADDR_WS
1256
1257meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL
1258describe FROM_ADDR_WS Malformed From address
1259#score FROM_ADDR_WS 3.000 # limit
1260tflags FROM_ADDR_WS publish
1261##} FROM_ADDR_WS
1262
1263##{ FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1264
# Loaded only on SpamAssassin 3.4.2 or later with the WLBLEval plugin.
# Fires when the From address is on the bank address list
# (__FROM_ADDRLIST_BANKS, defined outside this excerpt), relay information is
# present and not all relays are trusted (neither NO_RELAYS nor ALL_TRUSTED),
# and neither SPF_PASS nor DKIM_VALID_AU hit.
# NOTE(review): SPF_PASS is evaluated on the envelope sender rather than on the
# From: header, so it is not aligned with the bank domain tested here;
# DKIM_VALID_AU is the author-domain check. Read a miss of this rule as "some
# authentication passed", not as proof that the From: domain is genuine, and
# rely on DMARC enforcement for that guarantee.
1265if (version >= 3.004002)
1266ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1267meta FROM_BANK_NOAUTH __FROM_ADDRLIST_BANKS && (! NO_RELAYS && ! ALL_TRUSTED) && (! SPF_PASS && ! DKIM_VALID_AU)
1268tflags FROM_BANK_NOAUTH publish net
1269describe FROM_BANK_NOAUTH From Bank domain but no SPF or DKIM
1270#score FROM_BANK_NOAUTH 1.0 # limit
1271endif
1272endif
1273##} FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1274
1275##{ FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1276
1277if (version >= 3.004001)
1278ifplugin Mail::SpamAssassin::Plugin::AskDNS
1279meta FROM_FMBLA_NDBLOCKED __FROM_FMBLA_NDBLOCKED
1280describe FROM_FMBLA_NDBLOCKED ADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
1281tflags FROM_FMBLA_NDBLOCKED net publish
1282#score FROM_FMBLA_NDBLOCKED 0.001 # limit
1283endif
1284endif
1285##} FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1286
1287##{ FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1288
1289if (version >= 3.004001)
1290ifplugin Mail::SpamAssassin::Plugin::AskDNS
1291meta FROM_FMBLA_NEWDOM __FROM_FMBLA_NEWDOM
1292describe FROM_FMBLA_NEWDOM From domain was registered in last 7 days
1293tflags FROM_FMBLA_NEWDOM net
1294#score FROM_FMBLA_NEWDOM 1.5 # limit
1295endif
1296endif
1297##} FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1298
1299##{ FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1300
1301if (version >= 3.004001)
1302ifplugin Mail::SpamAssassin::Plugin::AskDNS
1303meta FROM_FMBLA_NEWDOM14 __FROM_FMBLA_NEWDOM14
1304describe FROM_FMBLA_NEWDOM14 From domain was registered in last 7-14 days
1305tflags FROM_FMBLA_NEWDOM14 publish net
1306#score FROM_FMBLA_NEWDOM14 1.0 # limit
1307endif
1308endif
1309##} FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1310
1311##{ FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1312
1313if (version >= 3.004001)
1314ifplugin Mail::SpamAssassin::Plugin::AskDNS
1315meta FROM_FMBLA_NEWDOM28 __FROM_FMBLA_NEWDOM28
1316describe FROM_FMBLA_NEWDOM28 From domain was registered in last 14-28 days
1317tflags FROM_FMBLA_NEWDOM28 net publish
1318#score FROM_FMBLA_NEWDOM28 0.8 # limit
1319endif
1320endif
1321##} FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1322
1323##{ FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1324
1325if (version >= 3.004002)
1326ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1327meta FROM_GOV_DKIM_AU DKIM_VALID_AU && __FROM_ADDRLIST_GOV
1328tflags FROM_GOV_DKIM_AU net nice publish
1329describe FROM_GOV_DKIM_AU From Government address and DKIM signed
1330#score FROM_GOV_DKIM_AU -1.0 # limit
1331endif
1332endif
1333##} FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1334
1335##{ FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1336
1337if (version >= 3.004002)
1338ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1339meta FROM_GOV_REPLYTO_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_GOV && !DKIM_VALID_AU
1340tflags FROM_GOV_REPLYTO_FREEMAIL net publish
1341describe FROM_GOV_REPLYTO_FREEMAIL From Government domain but ReplyTo is FREEMAIL
1342#score FROM_GOV_REPLYTO_FREEMAIL 2.0
1343endif
1344endif
1345##} FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1346
1347##{ FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1348
1349if (version >= 3.004002)
1350ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1351meta FROM_GOV_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (! NO_RELAYS && ! ALL_TRUSTED)
1352tflags FROM_GOV_SPOOF net publish
1353describe FROM_GOV_SPOOF From Government domain but matches SPOOFED
1354#score FROM_GOV_SPOOF 1.0 # limit
1355endif
1356endif
1357##} FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1358
1359##{ FROM_IN_TO_AND_SUBJ
1360
1361meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID
1362describe FROM_IN_TO_AND_SUBJ From address is in To and Subject
1363tflags FROM_IN_TO_AND_SUBJ publish
1364##} FROM_IN_TO_AND_SUBJ
1365
1366##{ FROM_MISSPACED
1367
1368meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
1369describe FROM_MISSPACED From: missing whitespace
1370#score FROM_MISSPACED 2.00
1371##} FROM_MISSPACED
1372
1373##{ FROM_MISSP_DYNIP
1374
1375meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC
1376describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS
1377##} FROM_MISSP_DYNIP
1378
1379##{ FROM_MISSP_EH_MATCH
1380
1381meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
1382describe FROM_MISSP_EH_MATCH From misspaced, matches envelope
1383#score FROM_MISSP_EH_MATCH 2.00 # max
1384##} FROM_MISSP_EH_MATCH
1385
1386##{ FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail
1387
1388ifplugin Mail::SpamAssassin::Plugin::FreeMail
1389 meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA
1390 describe FROM_MISSP_FREEMAIL From misspaced + freemail provider
1391endif
1392##} FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail
1393
1394##{ FROM_MISSP_MSFT
1395
1396meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
1397describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
1398##} FROM_MISSP_MSFT
1399
1400##{ FROM_MISSP_PHISH
1401
1402meta FROM_MISSP_PHISH __FROM_MISSP_PHISH && !__DOS_HAS_LIST_UNSUB
1403describe FROM_MISSP_PHISH Malformed, claims to be from financial organization - possible phish
1404#score FROM_MISSP_PHISH 3.500 # limit
1405##} FROM_MISSP_PHISH
1406
1407##{ FROM_MISSP_REPLYTO
1408
1409meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY && !__DOS_HAS_LIST_UNSUB
1410describe FROM_MISSP_REPLYTO From misspaced, has Reply-To
1411#score FROM_MISSP_REPLYTO 2.500 # limit
1412##} FROM_MISSP_REPLYTO
1413
1414##{ FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
1415
1416ifplugin Mail::SpamAssassin::Plugin::SPF
1417 meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL)
1418 tflags FROM_MISSP_SPF_FAIL net
1419# score FROM_MISSP_SPF_FAIL 2.00 # limit
1420endif
1421##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
1422
1423##{ FROM_MISSP_TO_UNDISC
1424
1425meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED)
1426describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed
1427##} FROM_MISSP_TO_UNDISC
1428
1429##{ FROM_MISSP_USER
1430
1431meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER)
1432describe FROM_MISSP_USER From misspaced, from "User"
1433##} FROM_MISSP_USER
1434
1435##{ FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
1436
1437if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
1438 meta FROM_MULTI_NORDNS __FROM_MULTI_NORDNS
1439 describe FROM_MULTI_NORDNS Multiple From addresses + no rDNS
1440endif
1441##} FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
1442
1443##{ FROM_NAME_EQ_TO_G_DRIVE
1444
1445meta FROM_NAME_EQ_TO_G_DRIVE !__SHORT_BODY_G_DRIVE_DYN && __SHORT_BODY_G_DRIVE && (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2)
1446describe FROM_NAME_EQ_TO_G_DRIVE From:name equals To:addr and GDRIVE link
1447#score FROM_NAME_EQ_TO_G_DRIVE 1.5 # limit
1448##} FROM_NAME_EQ_TO_G_DRIVE
1449
1450##{ FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1451
1452if (version >= 3.004001)
1453ifplugin Mail::SpamAssassin::Plugin::AskDNS
1454meta FROM_NEWDOM_BTC __PDS_BTC_ID && __PDS_NEWDOMAIN
1455describe FROM_NEWDOM_BTC Newdomain with Bitcoin ID
1456#score FROM_NEWDOM_BTC 2.0 # limit
1457tflags FROM_NEWDOM_BTC net
1458endif
1459endif
1460##} FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1461
1462##{ FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1463
1464if (version >= 3.004002)
1465ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1466meta FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY
1467tflags FROM_NTLD_LINKBAIT publish
1468describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI
1469#score FROM_NTLD_LINKBAIT 2.0 # limit
1470endif
1471endif
1472##} FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1473
1474##{ FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1475
1476if (version >= 3.004002)
1477ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1478meta FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD
1479tflags FROM_NTLD_REPLY_FREEMAIL publish
1480describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL
1481#score FROM_NTLD_REPLY_FREEMAIL 2.0 # limit
1482endif
1483endif
1484##} FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1485
1486##{ FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1487
1488if (version >= 3.004001)
1489ifplugin Mail::SpamAssassin::Plugin::AskDNS
1490meta FROM_NUMBERO_NEWDOMAIN __NUMBERONLY_TLD && __PDS_NEWDOMAIN
1491describe FROM_NUMBERO_NEWDOMAIN Fingerprint and new domain
1492#score FROM_NUMBERO_NEWDOMAIN 2.0 # limit
1493tflags FROM_NUMBERO_NEWDOMAIN net publish
1494endif
1495endif
1496##} FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1497
1498##{ FROM_NUMERIC_TLD
1499
# Matches a From: address that ends in a dot followed only by digits, i.e. the
# final dot-separated label of the address is numeric.
# NOTE(review): a bare IPv4 host part (user@192.0.2.1, constructed example) ends
# the same way and would also match - presumably intended; confirm.
1500header FROM_NUMERIC_TLD From:addr =~ /\.\d+$/
1501describe FROM_NUMERIC_TLD From: address has numeric TLD
1502#score FROM_NUMERIC_TLD 3.000 # limit
1503##} FROM_NUMERIC_TLD
1504
1505##{ FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1506
1507if (version >= 3.004002)
1508ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1509meta FROM_PAYPAL_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_PAYPAL && (! NO_RELAYS && ! ALL_TRUSTED)
1510tflags FROM_PAYPAL_SPOOF publish net
1511describe FROM_PAYPAL_SPOOF From PayPal domain but matches SPOOFED
1512#score FROM_PAYPAL_SPOOF 1.6 # limit
1513endif
1514endif
1515##} FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1516
1517##{ FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1518
1519if (version >= 3.004002)
1520ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1521meta FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD
1522tflags FROM_SUSPICIOUS_NTLD publish
1523describe FROM_SUSPICIOUS_NTLD From abused NTLD
1524#score FROM_SUSPICIOUS_NTLD 0.5 # limit
1525endif
1526endif
1527##} FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1528
1529##{ FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1530
1531if (version >= 3.004002)
1532ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1533meta FROM_SUSPICIOUS_NTLD_FP __FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST
1534tflags FROM_SUSPICIOUS_NTLD_FP publish
1535describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD
1536#score FROM_SUSPICIOUS_NTLD_FP 2.0 # limit
1537endif
1538endif
1539##} FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1540
1541##{ FROM_WSP_TRAIL
1542
# The pattern uses the /x modifier, so the spaces written inside it are layout
# only and do not match anything. It matches raw From text in which a "<...>"
# group has a whitespace character directly before the closing ">" and no
# further angle brackets follow up to the end of the header value (\z).
1543header FROM_WSP_TRAIL From:raw =~ /< [^>]* \s > [^<>]* \z/xm
1544describe FROM_WSP_TRAIL Trailing whitespace before '>' in From header field
1545##} FROM_WSP_TRAIL
1546
1547##{ FSL_BULK_SIG
1548
1549meta FSL_BULK_SIG (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP_MESSY
1550describe FSL_BULK_SIG Bulk signature with no Unsubscribe
1551#score FSL_BULK_SIG 3.000 # limit
1552tflags FSL_BULK_SIG net publish
1553##} FSL_BULK_SIG
1554
1555##{ FSL_CTYPE_WIN1251
1556
# Matches a Content-Type header that contains charset="Windows-1251" exactly as
# written: the pattern has no /i modifier and requires the double quotes, so the
# capitalisation and quoting are part of what is matched.
# NOTE(review): Windows-1251 is a common Cyrillic encoding, so legitimate mail
# can declare the same charset; the describe text reflects the rule author's
# corpus. Review the score of this rule on systems that receive
# Cyrillic-language mail.
1557header FSL_CTYPE_WIN1251 Content-Type =~ /charset="Windows-1251"/
1558describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam
1559##} FSL_CTYPE_WIN1251
1560
1561##{ FSL_FAKE_HOTMAIL_RVCD
1562
# Matches when one of mx1.hotmail.com .. mx4.hotmail.com appears anywhere in
# X-Spam-Relays-External. The pattern is unanchored, so it is not tied to a
# particular field of the relay entry (for example helo=) and also matches when
# the name is only a prefix of a longer host name.
# No describe line is attached to this rule in this excerpt.
1563header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/
1564##} FSL_FAKE_HOTMAIL_RVCD
1565
1566##{ FSL_HELO_BARE_IP_1
1567
1568meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED
1569##} FSL_HELO_BARE_IP_1
1570
1571##{ FSL_HELO_DEVICE
1572
1573header FSL_HELO_DEVICE X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i
1574##} FSL_HELO_DEVICE
1575
1576##{ FSL_HELO_FAKE
1577
# Flags an external relay whose HELO string is the bare domain of a large mail
# provider (yandex.ru, hotmail/gmail/google/yahoo/msn/microsoft .com). The \b
# after helo= and at the end pins the value to exactly that name.
# NOTE(review): the dot in "yandex.ru" is not escaped, unlike the "\.com" in the
# other alternative, so it matches any character in that position; "yandex\.ru"
# would be the strict form.
1578header FSL_HELO_FAKE X-Spam-Relays-External =~ /\bhelo=(?:yandex.ru|(?:hotmail|gmail|google|yahoo|msn|microsoft)\.com)\b/i
1579##} FSL_HELO_FAKE
1580
1581##{ FSL_HELO_NON_FQDN_1
1582
# HELO value made up only of letters, digits, '-' and '_' followed by a space,
# i.e. a name with no dot in it.
# "^[^\]]+" keeps the match before the first ']' of the header, so only the
# first relay entry in X-Spam-Relays-External is examined; later hops are not.
1583header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
1584##} FSL_HELO_NON_FQDN_1
1585
1586##{ FSL_HELO_SETUP
1587
1588header FSL_HELO_SETUP X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i
1589##} FSL_HELO_SETUP
1590
1591##{ FSL_INTERIA_ABUSE
1592
1593uri FSL_INTERIA_ABUSE /\/\S+\.(?:w|eu|fm)\.interia\.pl/
1594##} FSL_INTERIA_ABUSE
1595
1596##{ FSL_NEW_HELO_USER
1597
1598meta FSL_NEW_HELO_USER (__FSL_HELO_USER_1 || __FSL_HELO_USER_2 || __FSL_HELO_USER_3)
1599describe FSL_NEW_HELO_USER Spam's using Helo and User
1600#score FSL_NEW_HELO_USER 2.0
1601tflags FSL_NEW_HELO_USER publish
1602##} FSL_NEW_HELO_USER
1603
1604##{ FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1605
# Obfuscated-spelling detector. <A>, <M>, <Z>, ... are ReplaceTags placeholders
# for per-letter look-alike classes defined outside this block.
# (?!amazon) rejects the plain spelling, so only variants that differ from the
# literal word can hit; (?:^|\W) / (?:$|\W) require a non-word edge on each side.
# NOTE(review): ReplaceTags expands tags only for rules named in replace_rules;
# that line is not in this block - confirm it exists elsewhere in the ruleset.
1606ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1607 body FUZZY_AMAZON /(?:^|\W)(?=<A>)(?!amazon)<A><M><A><Z><O><N>(?:$|\W)/i
1608 describe FUZZY_AMAZON Obfuscated "amazon"
1609 tflags FUZZY_AMAZON publish
1610endif
1611##} FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1612
1613##{ FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1614
1615ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1616 body FUZZY_ANDROID /(?=<A>)(?!android)<A><N><D><R><O><I><D>/i
1617 describe FUZZY_ANDROID Obfuscated "android"
1618 tflags FUZZY_ANDROID publish
1619endif
1620##} FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1621
1622##{ FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1623
1624ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1625 body FUZZY_APPLE /(?:^|\W)(?=<A>)(?!appl[ey])<A><P><P><L><E>(?:$|\W)/i
1626 describe FUZZY_APPLE Obfuscated "apple"
1627 tflags FUZZY_APPLE publish
1628endif
1629##} FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1630
1631##{ FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1632
1633ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1634 body FUZZY_BITCOIN /(?=<B>)(?!bit[-\s]?coin)<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i
1635 describe FUZZY_BITCOIN Obfuscated "Bitcoin"
1636 tflags FUZZY_BITCOIN publish
1637endif
1638##} FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1639
1640##{ FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1641
1642ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1643 body FUZZY_BROWSER /(?=<B>)(?!browser)<B><R><O><W><S><E><R>/i
1644 describe FUZZY_BROWSER Obfuscated "browser"
1645 tflags FUZZY_BROWSER publish
1646endif
1647##} FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1648
1649##{ FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1650
1651ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1652 meta FUZZY_BTC_WALLET FUZZY_BITCOIN && FUZZY_WALLET
1653 describe FUZZY_BTC_WALLET Heavily obfuscated "bitcoin wallet"
1654 tflags FUZZY_BTC_WALLET publish
1655endif
1656##} FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1657
1658##{ FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1659
1660ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1661 body FUZZY_CLICK_HERE /(?=<C>)(?!click(?:\s|&nbsp;)here)<C><WS>*<L><WS>*<I><WS>*<C><WS>*<K><WS>+<H><WS>*<E><WS>*<R><WS>*<E>/i
1662 describe FUZZY_CLICK_HERE Obfuscated "click here"
1663 tflags FUZZY_CLICK_HERE publish
1664endif
1665##} FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1666
1667##{ FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1668
1669ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1670 meta FUZZY_DR_OZ __FUZZY_DR_OZ && !__VIA_ML
1671 describe FUZZY_DR_OZ Obfuscated Doctor Oz
1672 tflags FUZZY_DR_OZ publish
1673endif
1674##} FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1675
1676##{ FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1677
1678ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1679 body FUZZY_FACEBOOK /(?=<F>)(?!fa[ck]ebook)<F><A><C><E><B><O><O><K>/i
1680 describe FUZZY_FACEBOOK Obfuscated "facebook"
1681 tflags FUZZY_FACEBOOK publish
1682endif
1683##} FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1684
1685##{ FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1686
1687ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1688 body FUZZY_IMPORTANT /(?=<I>)(?!important)<I>(?:<M>|<N>)<P><O><R><T><A><N><T>/i
1689 describe FUZZY_IMPORTANT Obfuscated "important"
1690 tflags FUZZY_IMPORTANT publish
1691endif
1692##} FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1693
1694##{ FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1695
# Obfuscated "meridia": the letter tags are ReplaceTags placeholders and
# (?!meridia) excludes the plain spelling; \b on both sides requires word edges.
# <inter W3> and <post P2> are ReplaceTags modifiers; W3 and P2 are defined
# outside this block (presumably filler allowed between/after letters - verify).
# Unlike the neighbouring FUZZY_* rules, this block sets no "tflags ... publish".
1696ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1697body FUZZY_MERIDIA /<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i
1698describe FUZZY_MERIDIA Obfuscation of the word "meridia"
1699endif
1700##} FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1701
1702##{ FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1703
1704ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1705 body FUZZY_MICROSOFT /(?=<M>)(?!microsoft)<M><I><C><R><O><S><O><F><T>/i
1706 describe FUZZY_MICROSOFT Obfuscated "microsoft"
1707 tflags FUZZY_MICROSOFT publish
1708endif
1709##} FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1710
1711##{ FUZZY_MONERO
1712
1713meta FUZZY_MONERO __FUZZY_MONERO
1714describe FUZZY_MONERO Obfuscated "Monero"
1715tflags FUZZY_MONERO publish
1716##} FUZZY_MONERO
1717
1718##{ FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1719
1720ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1721 body FUZZY_NORTON /(?:^|\W)(?=<N>)(?!norton)<N><O><R><T><O><N>(?:$|\W)/i
1722 describe FUZZY_NORTON Obfuscated "norton"
1723 tflags FUZZY_NORTON publish
1724endif
1725##} FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1726
1727##{ FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1728
1729ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1730 body FUZZY_OVERSTOCK /(?:^|\W)(?=<O>)(?!over[-\s]?stock)<O><V><E><R>[-\s]?<S><T><O><C><K>(?:$|\W)/i
1731 describe FUZZY_OVERSTOCK Obfuscated "overstock"
1732 tflags FUZZY_OVERSTOCK publish
1733endif
1734##} FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1735
1736##{ FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1737
1738ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1739 body FUZZY_PAYPAL /(?:^|\W)(?=<P>)(?!pay[-\s]?pal)<P><A><Y>[-\s]?<P><A><L>(?:$|\W)/i
1740 describe FUZZY_PAYPAL Obfuscated "paypal"
1741 tflags FUZZY_PAYPAL publish
1742endif
1743##} FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1744
1745##{ FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1746
1747ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1748 meta FUZZY_PORN __FUZZY_PORN && !( __ENV_AND_HDR_FROM_MATCH && __SENDER_BOT )
1749 describe FUZZY_PORN Obfuscated "Pornography" or "Pornographic"
1750 tflags FUZZY_PORN publish
1751endif
1752##} FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1753
1754##{ FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1755
1756ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1757 body FUZZY_PRIVACY /(?=<P>)(?!privacy)<P><R><I><V><A><C><Y>/i
1758 describe FUZZY_PRIVACY Obfuscated "privacy"
1759 tflags FUZZY_PRIVACY publish
1760endif
1761##} FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1762
1763##{ FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1764
1765ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1766 body FUZZY_PROMOTION /(?=<P>)(?!promotion)<P><R><O><M><O><T><I><O><N>/i
1767 describe FUZZY_PROMOTION Obfuscated "promotion"
1768 tflags FUZZY_PROMOTION publish
1769endif
1770##} FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1771
1772##{ FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1773
1774ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1775 body FUZZY_SAVINGS /(?=<S>)(?!savings)<S><A><V><I><N><G><S>/i
1776 describe FUZZY_SAVINGS Obfuscated "savings"
1777 tflags FUZZY_SAVINGS publish
1778endif
1779##} FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1780
1781##{ FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1782
# Obfuscated "security" / "seguridad": the tag sequence accepts <C> or <G> in
# the third position and either <T><Y> or <D><A><D> as the ending.
# Three negative lookaheads exclude the legitimate spellings: English
# "security", Spanish "seguridad" and French "s\xc3\xa9curit\xc3\xa9", the last
# written as UTF-8 byte escapes for the accented e.
# There are no word-boundary guards here, so the match can start mid-word.
1783ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1784 body FUZZY_SECURITY /(?=<S>)(?!security)(?!seguridad)(?!s\xc3\xa9curit\xc3\xa9)<S><E>(?:<C>|<G>)<U><R><I>(?:<T><Y>|<D><A><D>)/i
1785 describe FUZZY_SECURITY Obfuscated "security"
1786 tflags FUZZY_SECURITY publish
1787endif
1788##} FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1789
1790##{ FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1791
1792ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1793 body FUZZY_UNSUBSCRIBE /(?=<U>)(?!unsubscribe)<U><N><S><U><B><S><C><R><I><B><E>/i
1794 describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe"
1795 tflags FUZZY_UNSUBSCRIBE publish
1796endif
1797##} FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1798
1799##{ FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1800
1801ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1802 body FUZZY_WALLET /(?=<W>)(?!wallet)<W><A><L><L><E><T>/i
1803 describe FUZZY_WALLET Obfuscated "Wallet"
1804 tflags FUZZY_WALLET publish
1805endif
1806##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1807
1808##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1809
1810if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1811 meta GAPPY_SALES_LEADS_FREEM __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
1812 describe GAPPY_SALES_LEADS_FREEM Obfuscated marketing text, freemail or CHN replyto
1813# score GAPPY_SALES_LEADS_FREEM 3.500 # limit
1814 tflags GAPPY_SALES_LEADS_FREEM publish
1815endif
1816##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1817
1818##{ GB_FAKE_RF_SHORT
1819
1820meta GB_FAKE_RF_SHORT ( ! __THREADED && __GB_FAKE_RF && __PDS_URISHORTENER )
1821describe GB_FAKE_RF_SHORT Fake reply or forward with url shortener
1822#score GB_FAKE_RF_SHORT 2.000 # limit
1823tflags GB_FAKE_RF_SHORT publish
1824##} GB_FAKE_RF_SHORT
1825
1826##{ GB_FORGED_MUA_POSTFIX
1827
1828meta GB_FORGED_MUA_POSTFIX ( __FORGED_MUA_POSTFIX0 || __FORGED_MUA_POSTFIX1 )
1829describe GB_FORGED_MUA_POSTFIX Forged Postfix mua headers
1830tflags GB_FORGED_MUA_POSTFIX publish
1831#score GB_FORGED_MUA_POSTFIX 2.0 # limit
1832##} GB_FORGED_MUA_POSTFIX
1833
1834##{ GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
1835
1836ifplugin Mail::SpamAssassin::Plugin::FreeMail
1837 meta GB_FREEMAIL_DISPTO ( __FREEMAIL_DISPTO && !__freemail_safe )
1838 describe GB_FREEMAIL_DISPTO Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails
1839# score GB_FREEMAIL_DISPTO 0.50 # limit
1840 tflags GB_FREEMAIL_DISPTO publish
1841endif
1842##} GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
1843
1844##{ GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail
1845
1846ifplugin Mail::SpamAssassin::Plugin::FreeMail
1847 meta GB_FREEMAIL_DISPTO_NOTFREEM ( __FREEMAIL_DISPTO && !__freemail_safe && !FREEMAIL_FROM )
1848 describe GB_FREEMAIL_DISPTO_NOTFREEM Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail
1849# score GB_FREEMAIL_DISPTO_NOTFREEM 0.50 # limit
1850 tflags GB_FREEMAIL_DISPTO_NOTFREEM publish
1851endif
1852##} GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail
1853
1854##{ GB_GOOGLE_OBFUR
1855
# Matches a link that goes through Google's /url redirector and carries
# another http(s) URL in its url= parameter, hiding the real destination
# behind a google.* hostname.
# The pattern is deliberately narrow: it is anchored at the start, is
# case-sensitive, requires https://www.google.<2-3 letters>/ (a single-label
# TLD) and expects the query parameters in exactly this order.
# The capture groups are not referenced again; they only group.
1856uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.([a-z]{2,3})\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=([0-9])*\&(cad=rja\&uact=([0-9]+)\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(&usg=.{1,50})?/
1857describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect
1858#score GB_GOOGLE_OBFUR 0.75 # limit
1859tflags GB_GOOGLE_OBFUR publish
1860##} GB_GOOGLE_OBFUR
1861
1862##{ GEO_QUERY_STRING
1863
1864uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
1865##} GEO_QUERY_STRING
1866
1867##{ GOOGLE_DOCS_PHISH
1868
1869meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2)
1870describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form
1871#score GOOGLE_DOCS_PHISH 3.00 # limit
1872tflags GOOGLE_DOCS_PHISH publish
1873##} GOOGLE_DOCS_PHISH
1874
1875##{ GOOGLE_DOCS_PHISH_MANY
1876
1877meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
1878describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form
1879#score GOOGLE_DOCS_PHISH_MANY 4.00 # limit
1880tflags GOOGLE_DOCS_PHISH_MANY publish
1881##} GOOGLE_DOCS_PHISH_MANY
1882
1883##{ GOOGLE_DOC_SUSP
1884
# __GOOGLE_DOC_SUSP minus a list of exclusions: the stronger
# GOOGLE_DOCS_PHISH_MANY rule (so the two do not both score) and a set of
# subrules defined outside this block.
# NOTE(review): "!__RCD_RDNS_SMTP" appears twice in the expression; the second
# occurrence is redundant and does not change the result.
1885meta GOOGLE_DOC_SUSP __GOOGLE_DOC_SUSP && !GOOGLE_DOCS_PHISH_MANY && !__HAS_SENDER && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__USING_VERP1 && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_SMTP && ! __HAS_LIST_ID && !__SURVEY && !__BUGGED_IMG
1886describe GOOGLE_DOC_SUSP Suspicious use of Google Docs
1887#score GOOGLE_DOC_SUSP 3.000 # limit
1888tflags GOOGLE_DOC_SUSP publish
1889##} GOOGLE_DOC_SUSP
1890
1891##{ GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1892
1893if (version >= 3.004002)
1894ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1895meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD
1896tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish
1897describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD
1898#score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit
1899endif
1900endif
1901##} GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1902
1903##{ GOOG_MALWARE_DNLD
1904
1905meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD
1906describe GOOG_MALWARE_DNLD File download via Google - Malware?
1907#score GOOG_MALWARE_DNLD 5.000 # limit
1908tflags GOOG_MALWARE_DNLD publish
1909##} GOOG_MALWARE_DNLD
1910
1911##{ GOOG_REDIR_DOCUSIGN
1912
# Matches a www.google.com/url redirect whose q= parameter points at
# www.docusign.com, i.e. a DocuSign link reached indirectly through Google
# rather than linked directly.
# The regex uses m;...; delimiters so the slashes need no escaping; /i makes it
# case-insensitive. Only the www.google.com host is covered.
1913uri GOOG_REDIR_DOCUSIGN m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i
1914describe GOOG_REDIR_DOCUSIGN Indirect docusign link, probable phishing
1915tflags GOOG_REDIR_DOCUSIGN publish
1916##} GOOG_REDIR_DOCUSIGN
1917
1918##{ GOOG_REDIR_NORDNS
1919
1920meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE
1921describe GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website + no rDNS
1922##} GOOG_REDIR_NORDNS
1923
1924##{ GOOG_REDIR_SHORT
1925
1926meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512
1927describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message
1928tflags GOOG_REDIR_SHORT publish
1929##} GOOG_REDIR_SHORT
1930
1931##{ GOOG_STO_EMAIL_PHISH
1932
1933meta GOOG_STO_EMAIL_PHISH __URI_GOOG_STO_EMAIL && (__PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ || __FROM_ADMIN || __VERIFY_ACCOUNT)
1934describe GOOG_STO_EMAIL_PHISH Possible phishing with google hosted content URI having email address
1935#score GOOG_STO_EMAIL_PHISH 3.00 # limit
1936tflags GOOG_STO_EMAIL_PHISH publish
1937##} GOOG_STO_EMAIL_PHISH
1938
1939##{ GOOG_STO_HTML_PHISH
1940
1941meta GOOG_STO_HTML_PHISH __GOOG_STO_HTML_PHISH
1942describe GOOG_STO_HTML_PHISH Possible phishing with google content hosting to avoid URIBL
1943#score GOOG_STO_HTML_PHISH 3.00 # limit
1944tflags GOOG_STO_HTML_PHISH publish
1945##} GOOG_STO_HTML_PHISH
1946
1947##{ GOOG_STO_HTML_PHISH_MANY
1948
1949meta GOOG_STO_HTML_PHISH_MANY __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
1950describe GOOG_STO_HTML_PHISH_MANY Phishing with google content hosting to avoid URIBL
1951#score GOOG_STO_HTML_PHISH_MANY 4.00 # limit
1952tflags GOOG_STO_HTML_PHISH_MANY publish
1953##} GOOG_STO_HTML_PHISH_MANY
1954
1955##{ GOOG_STO_IMG_HTML
1956
1957meta GOOG_STO_IMG_HTML __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY
1958describe GOOG_STO_IMG_HTML Apparently using google content hosting to avoid URIBL
1959#score GOOG_STO_IMG_HTML 3.000 # limit
1960tflags GOOG_STO_IMG_HTML publish
1961##} GOOG_STO_IMG_HTML
1962
1963##{ GOOG_STO_IMG_NOHTML
1964
1965meta GOOG_STO_IMG_NOHTML __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !URI_GOOG_STO_SPAMMY
1966describe GOOG_STO_IMG_NOHTML Apparently using google content hosting to avoid URIBL
1967#score GOOG_STO_IMG_NOHTML 2.500 # limit
1968tflags GOOG_STO_IMG_NOHTML publish
1969##} GOOG_STO_IMG_NOHTML
1970
1971##{ GOOG_STO_NOIMG_HTML
1972
1973meta GOOG_STO_NOIMG_HTML __GOOG_STO_NOIMG_HTML && !URI_GOOG_STO_SPAMMY
1974describe GOOG_STO_NOIMG_HTML Apparently using google content hosting to avoid URIBL
1975#score GOOG_STO_NOIMG_HTML 3.000 # limit
1976tflags GOOG_STO_NOIMG_HTML publish
1977##} GOOG_STO_NOIMG_HTML
1978
1979##{ HAS_X_NO_RELAY
1980
1981meta HAS_X_NO_RELAY __HAS_X_NO_RELAY && !__TO_EQ_FROM_1
1982describe HAS_X_NO_RELAY Has spammy header
1983#score HAS_X_NO_RELAY 2.500 # limit
1984tflags HAS_X_NO_RELAY publish
1985##} HAS_X_NO_RELAY
1986
1987##{ HAS_X_OUTGOING_SPAM_STAT
1988
46cfc9e2 1989meta HAS_X_OUTGOING_SPAM_STAT __HAS_X_OUTGOING_SPAM_STAT && !MAILING_LIST_MULTI && !__HAS_X_MAILMAN_VERSION && !__AUTOREPLY_ASU && !__THREAD_INDEX_GOOD && !__HAS_X_LOOP && !__DOC_ATTACH && !__PDF_ATTACH && !__FROM_EQ_ORG_1 && !__HAS_IN_REPLY_TO
b780ea8d 1990describe HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - why trust the results?
46cfc9e2 1991#score HAS_X_OUTGOING_SPAM_STAT 2.000 # limit
1992tflags HAS_X_OUTGOING_SPAM_STAT publish
1993##} HAS_X_OUTGOING_SPAM_STAT
1994
1995##{ HDRS_LCASE
1996
1997describe HDRS_LCASE Odd capitalization of message header
1998#score HDRS_LCASE 0.10 # limit
1999##} HDRS_LCASE
2000
2001##{ HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
2002
2003if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
2004 meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
2005endif
2006##} HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
2007
2008##{ HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
2009
2010ifplugin Mail::SpamAssassin::Plugin::FreeMail
2011 meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
2012endif
2013##} HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
2014
2015##{ HDRS_LCASE_IMGONLY
2016
2017meta HDRS_LCASE_IMGONLY __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN
2018describe HDRS_LCASE_IMGONLY Odd capitalization of message headers + image-only HTML
2019#score HDRS_LCASE_IMGONLY 0.10 # limit
2020##} HDRS_LCASE_IMGONLY
2021
2022##{ HDRS_MISSP
2023
2024meta HDRS_MISSP __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY)
2025describe HDRS_MISSP Misspaced headers
2026#score HDRS_MISSP 2.500 # limit
2027tflags HDRS_MISSP publish
2028##} HDRS_MISSP
2029
2030##{ HDR_ORDER_FTSDMCXX_001C
2031
2032meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C)
2033describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant)
2034##} HDR_ORDER_FTSDMCXX_001C
2035
2036##{ HDR_ORDER_FTSDMCXX_BAT
2037
2038meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY)
2039describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant)
2040##} HDR_ORDER_FTSDMCXX_BAT
2041
2042##{ HDR_ORDER_FTSDMCXX_DIRECT
2043
# Header-order fingerprint (__HDR_ORDER_FTSDMCXXXX) combined with
# __DOS_SINGLE_EXT_RELAY, excluding mail that is ALL_TRUSTED or hit __VIA_ML.
# NOTE(review): the describe text says "boundary variant", but this expression
# does not reference __BAT_BOUNDARY (only HDR_ORDER_FTSDMCXX_BAT does); the
# wording looks copied. HDR_ORDER_FTSDMCXX_NORDNS carries the same phrase.
2044meta HDR_ORDER_FTSDMCXX_DIRECT (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML
2045describe HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX
2046#score HDR_ORDER_FTSDMCXX_DIRECT 2.000 # limit
2047tflags HDR_ORDER_FTSDMCXX_DIRECT publish
2048##} HDR_ORDER_FTSDMCXX_DIRECT
2049
2050##{ HDR_ORDER_FTSDMCXX_NORDNS
2051
2052meta HDR_ORDER_FTSDMCXX_NORDNS (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED
2053describe HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS
2054#score HDR_ORDER_FTSDMCXX_NORDNS 3.500 # limit
2055tflags HDR_ORDER_FTSDMCXX_NORDNS publish
2056##} HDR_ORDER_FTSDMCXX_NORDNS
2057
2058##{ HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2059
# Fires when the message carries between 2 and 999 Subject headers.
# RFC 5322 allows at most one Subject field; with duplicates, the filter, the
# MTA and the mail client may each pick a different one, so what gets scanned
# is not necessarily what the recipient sees.
2060ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2061header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999')
2062describe HEADER_COUNT_SUBJECT Multiple Subject headers found
2063endif
2064##} HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2065
2066##{ HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
2067
# Defined only when the FreeMail and HeaderEval plugins are both loaded and the
# SpamAssassin version is at least 3.4.0 (three nested conditions).
# The eval is named check_equal_from_domains, while the describe text states
# that the rule reports From and EnvelopeFrom domains that differ.
# NOTE(review): the comparison needs an envelope sender to compare against -
# confirm the MTA records it where SpamAssassin can read it.
# A mismatch on its own is common for mailing lists and bulk senders; the
# commented-out suggested score is correspondingly low.
2068ifplugin Mail::SpamAssassin::Plugin::FreeMail
2069 ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2070 if (version >= 3.004000)
2071 header HEADER_FROM_DIFFERENT_DOMAINS eval:check_equal_from_domains()
2072 describe HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
2073# score HEADER_FROM_DIFFERENT_DOMAINS 0.25
2074 tflags HEADER_FROM_DIFFERENT_DOMAINS publish
2075endif
2076endif
2077endif
2078##} HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
2079
2080##{ HELO_FRIEND
2081
2082header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i
2083##} HELO_FRIEND
2084
2085##{ HELO_LH_LD
2086
2087header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i
2088##} HELO_LH_LD
2089
2090##{ HELO_LOCALHOST
2091
# First external relay announced itself as exactly "localhost". The trailing
# space in the pattern ends the HELO value, so "localhost.localdomain" is not
# matched here (HELO_LH_LD covers it).
# "^[^\]]+" limits the test to the first relay entry of X-Spam-Relays-External.
# HELO_NO_DOMAIN excludes this rule so that the two do not both hit.
2092header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i
2093##} HELO_LOCALHOST
2094
2095##{ HELO_NO_DOMAIN
2096
2097meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST
2098describe HELO_NO_DOMAIN Relay reports its domain incorrectly
2099tflags HELO_NO_DOMAIN publish
2100##} HELO_NO_DOMAIN
2101
2102##{ HELO_OEM
2103
2104header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
2105##} HELO_OEM
2106
2107##{ HEXHASH_WORD
2108
2109meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER
2110describe HEXHASH_WORD Multiple instances of word + hexadecimal hash
2111#score HEXHASH_WORD 3.000 # limit
2112tflags HEXHASH_WORD publish
2113##} HEXHASH_WORD
2114
2115##{ HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2116
# Checks MIME part headers for a Content-Transfer-Encoding whose whole value is
# "raw" (anchored both ends, case-sensitive). "raw" is not one of the encodings
# defined by RFC 2045 (7bit, 8bit, binary, quoted-printable, base64).
# No describe line is set in this block.
2117ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2118mimeheader HK_CTE_RAW Content-Transfer-Encoding =~ /^raw$/
2119#score HK_CTE_RAW 2
2120tflags HK_CTE_RAW publish
2121endif
2122##} HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2123
2124##{ HK_LOTTO
2125
2126meta HK_LOTTO __HK_LOTTO_2 || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT
2127#score HK_LOTTO 1
2128##} HK_LOTTO
2129
2130##{ HK_NAME_DRUGS
2131
# Tests the display-name part of From (From:name), case-insensitively.
# "viagra" matches anywhere, including inside a longer word. "cialis" must have
# a word boundary on at least one side, which keeps names containing
# "specialist" from matching while still catching the word at either edge.
2132header HK_NAME_DRUGS From:name =~ /(viagra|\bcialis|cialis\b)/mi
2133describe HK_NAME_DRUGS From name contains drugs
2134#score HK_NAME_DRUGS 2
2135##} HK_NAME_DRUGS
2136
2137##{ HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
2138
2139ifplugin Mail::SpamAssassin::Plugin::FreeMail
2140if (version >= 3.004000)
2141 meta HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM
2142# score HK_NAME_FM_MR_MRS 1.5
2143endif
2144endif
2145##} HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
2146
2147##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
2148
2149ifplugin Mail::SpamAssassin::Plugin::FreeMail
2150if (version >= 3.004000)
2151 meta HK_NAME_MR_MRS __HK_NAME_MR_MRS && !FREEMAIL_FROM
2152# score HK_NAME_MR_MRS 1.0
2153endif
2154endif
2155##} HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
2156
2157##{ HK_RANDOM_ENVFROM
2158
46cfc9e2 2159header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
2160describe HK_RANDOM_ENVFROM Envelope sender username looks random
2161#score HK_RANDOM_ENVFROM 1
2162tflags HK_RANDOM_ENVFROM publish
2163##} HK_RANDOM_ENVFROM
2164
2165##{ HK_RANDOM_FROM
2166
46cfc9e2 2167header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
2168describe HK_RANDOM_FROM From username looks random
2169#score HK_RANDOM_FROM 1
2170tflags HK_RANDOM_FROM publish
2171##} HK_RANDOM_FROM
2172
2173##{ HK_RANDOM_REPLYTO
2174
46cfc9e2 2175header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
2176describe HK_RANDOM_REPLYTO Reply-To username looks random
2177#score HK_RANDOM_REPLYTO 1
2178tflags HK_RANDOM_REPLYTO publish
2179##} HK_RANDOM_REPLYTO
2180
2181##{ HK_RCVD_IP_MULTICAST
2182
# An external relay entry whose ip= value starts with an octet from 224 to 239,
# i.e. the IPv4 multicast block 224.0.0.0/4. Such an address cannot be the
# source of an SMTP (TCP) connection, so its presence points at a forged or
# malformed Received header.
# The pattern is unanchored: any relay entry in the header can satisfy it.
# No describe line is set in this block.
2183header HK_RCVD_IP_MULTICAST X-Spam-Relays-External =~ / ip=(?:22[4-9]|23[0-9])\./
2184#score HK_RCVD_IP_MULTICAST 2
2185tflags HK_RCVD_IP_MULTICAST publish
2186##} HK_RCVD_IP_MULTICAST
2187
2188##{ HK_SCAM
2189
2190meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || __HK_SCAM_N16 || __HK_SCAM_S1 || __HK_SCAM_S15 || __HK_SCAM_S25
2191#score HK_SCAM 2
2192tflags HK_SCAM publish
2193##} HK_SCAM
2194
2195##{ HK_WIN
2196
# Threshold rule: adds up the hits of the eighteen listed __hk_win_* subrules
# and fires when at least two of them matched. A single matching phrase is not
# enough on its own.
# The subrules are defined outside this block; no describe line is set here.
2197meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2)
2198#score HK_WIN 1
2199##} HK_WIN
2200
2201##{ HOSTED_IMG_DIRECT_MX
2202
2203meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS
2204#score HOSTED_IMG_DIRECT_MX 3.500 # limit
46cfc9e2 2205describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm, CDN or hosting site, message direct-to-mx
2206tflags HOSTED_IMG_DIRECT_MX publish
2207##} HOSTED_IMG_DIRECT_MX
2208
2209##{ HOSTED_IMG_DQ_UNSUB
2210
2211meta HOSTED_IMG_DQ_UNSUB __HOSTED_IMG_DQ_UNSUB
2212#score HOSTED_IMG_DQ_UNSUB 3.500 # limit
2213describe HOSTED_IMG_DQ_UNSUB Image hosted at large ecomm site, IP addr unsub link
2214tflags HOSTED_IMG_DQ_UNSUB publish
2215##} HOSTED_IMG_DQ_UNSUB
2216
2217##{ HOSTED_IMG_FREEM
2218
2219meta HOSTED_IMG_FREEM __HOSTED_IMG_FREEM && !__THREADED
2220#score HOSTED_IMG_FREEM 3.500 # limit
46cfc9e2 2221describe HOSTED_IMG_FREEM Image hosted at large ecomm, CDN or hosting site or redirected, freemail from or reply-to
2222tflags HOSTED_IMG_FREEM publish
2223##} HOSTED_IMG_FREEM
2224
2225##{ HOSTED_IMG_MULTI
2226
2227meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS
2228#score HOSTED_IMG_MULTI 3.000 # limit
46cfc9e2 2229describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirected
2230tflags HOSTED_IMG_MULTI publish
2231##} HOSTED_IMG_MULTI
2232
2233##{ HOSTED_IMG_MULTI_PUB_01
2234
2235meta HOSTED_IMG_MULTI_PUB_01 (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF
2236describe HOSTED_IMG_MULTI_PUB_01 Multiple hosted images at public site
2237#score HOSTED_IMG_MULTI_PUB_01 3.000 # limit
2238tflags HOSTED_IMG_MULTI_PUB_01 publish
2239##} HOSTED_IMG_MULTI_PUB_01
2240
2241##{ HTML_ENTITY_ASCII
2242
2243meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP
2244describe HTML_ENTITY_ASCII Obfuscated ASCII
2245#score HTML_ENTITY_ASCII 3.000 # limit
2246tflags HTML_ENTITY_ASCII publish
2247##} HTML_ENTITY_ASCII
2248
2249##{ HTML_ENTITY_ASCII_TINY
2250
2251meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_MINFP && __HTML_FONT_TINY_01
2252describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts
2253#score HTML_ENTITY_ASCII_TINY 3.000 # limit
2254tflags HTML_ENTITY_ASCII_TINY publish
2255##} HTML_ENTITY_ASCII_TINY
2256
2257##{ HTML_FONT_TINY_NORDNS
2258
2259meta HTML_FONT_TINY_NORDNS __HTML_FONT_TINY_01 && __RDNS_NONE
2260describe HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
2261#score HTML_FONT_TINY_NORDNS 1.500 # limit
2262##} HTML_FONT_TINY_NORDNS
2263
2264##{ HTML_OFF_PAGE
2265
2266meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS
2267describe HTML_OFF_PAGE HTML element rendered well off the displayed page
2268#score HTML_OFF_PAGE 3.000 # limit
2269tflags HTML_OFF_PAGE publish
2270##} HTML_OFF_PAGE
2271
2272##{ HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2273
2274if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2275 meta HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU_MANY
2276 describe HTML_SHRT_CMNT_OBFU_MANY Obfuscation with many short HTML comments
2277# score HTML_SHRT_CMNT_OBFU_MANY 2.500 # limit
2278 tflags HTML_SHRT_CMNT_OBFU_MANY publish
2279endif
2280##} HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2281
2282##{ HTML_SINGLET_MANY
2283
2284meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP
2285describe HTML_SINGLET_MANY Many single-letter HTML format blocks
2286#score HTML_SINGLET_MANY 2.500 # limit
2287tflags HTML_SINGLET_MANY publish
2288##} HTML_SINGLET_MANY
2289
2290##{ HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval
2291
2292ifplugin Mail::SpamAssassin::Plugin::HTMLEval
2293 meta HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY
2294 describe HTML_TAG_BALANCE_CENTER Malformatted HTML
2295endif
2296##} HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval
2297
2298##{ HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2299
2300if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2301 meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID
2302 describe HTML_TEXT_INVISIBLE_FONT HTML hidden text - word obfuscation?
2303# score HTML_TEXT_INVISIBLE_FONT 2.000 # limit
2304 tflags HTML_TEXT_INVISIBLE_FONT publish
2305endif
2306##} HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2307
2308##{ HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2309
2310if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2311 meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX
2312 describe HTML_TEXT_INVISIBLE_STYLE HTML hidden text + other spam signs
2313# score HTML_TEXT_INVISIBLE_STYLE 3.500 # limit
2314 tflags HTML_TEXT_INVISIBLE_STYLE publish
2315endif
2316##} HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2317
2318##{ HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
# HTTPS_HTTP_MISMATCH: body eval rule that exists only when the HTTPSMismatch
# plugin is loaded; without the plugin the rule is not defined at all, so any
# meta that references it sees no hit.
# NOTE(review): presumably flags links whose visible text shows an https://
# address while the underlying href is plain http:// (a common phishing
# presentation trick); the two quoted arguments look like a minimum and
# maximum match count - confirm both against the plugin documentation.
# No describe or score line is set for this rule in this block.
2319
2320ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
2321body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10')
2322endif
2323##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
2324
2325##{ IMG_ONLY_FM_DOM_INFO
2326
2327meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO
2328describe IMG_ONLY_FM_DOM_INFO HTML image-only message from .info domain
2329#score IMG_ONLY_FM_DOM_INFO 2.500 # limit
2330tflags IMG_ONLY_FM_DOM_INFO publish
2331##} IMG_ONLY_FM_DOM_INFO
2332
2333##{ JH_SPAMMY_HEADERS
2334
2335meta JH_SPAMMY_HEADERS __HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGID || __HAS_X_LETTER || __HAS_X_EBSERVER || __HAS_LIST_OPEN
2336describe JH_SPAMMY_HEADERS Has unusual message header(s) seen primarily in spam
2337#score JH_SPAMMY_HEADERS 3.500 # limit
2338tflags JH_SPAMMY_HEADERS publish
2339##} JH_SPAMMY_HEADERS
2340
2341##{ JH_SPAMMY_PATTERN01
# JH_SPAMMY_PATTERN01: rawbody rule, so the pattern sees the HTML markup.
# It matches an <img> whose src is <base-url>/C<name>.jpg, followed within
# 200 characters by a second <img> whose src is the same base URL with
# U<name>.jpg. The backreferences \1 (base URL) and \2 (file name) are what
# tie the two image URLs together. The first tag may use either quote style;
# the second must use double quotes.
# Every quantifier is bounded ({1,80}, {1,30}, {0,200}), which caps the work
# the regex can be made to do on sender-controlled input.
# The score line below is commented out, so no score is assigned here.
2342
2343rawbody JH_SPAMMY_PATTERN01 m;<img src=['"](https?://[^'"]{1,80}/)C([^/.]{1,30}\.jpg)['"]>.{0,200}<img src="\1U\2";ism
2344describe JH_SPAMMY_PATTERN01 Unusual pattern seen in spam campaign
2345#score JH_SPAMMY_PATTERN01 3.000 # limit
2346tflags JH_SPAMMY_PATTERN01 publish
2347##} JH_SPAMMY_PATTERN01
2348
2349##{ JH_SPAMMY_PATTERN02
# JH_SPAMMY_PATTERN02: rawbody rule matching three URLs that share one
# <something>.php? endpoint and one trailing parameter string:
#   1. an <img> src ending in t=o followed by &<params>
#   2. within 200 characters, an <a href> with the same endpoint, t=c and the
#      same params
#   3. within a further 200 characters, an <a href> with t=u and the same params
# \1 is the endpoint up to and including ".php?", \2 is the "&..." tail.
# NOTE(review): the o / c / u values presumably stand for open, click and
# unsubscribe tracking - that meaning is not stated anywhere in this file.
# All quantifiers are bounded, which limits regex cost on hostile input.
2350
2351rawbody JH_SPAMMY_PATTERN02 m;<img [^>]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200}<a href="\1t=c\2".{0,200}<a href="\1t=u\2";ism
2352describe JH_SPAMMY_PATTERN02 Unusual pattern seen in spam campaign
2353#score JH_SPAMMY_PATTERN02 3.000 # limit
2354tflags JH_SPAMMY_PATTERN02 publish
2355##} JH_SPAMMY_PATTERN02
2356
2357##{ JM_I_FEEL_LUCKY
2358
2359uri JM_I_FEEL_LUCKY /(?:\&|\?)btnI=ec(?:$|\&)/
2360tflags JM_I_FEEL_LUCKY publish # low hitrate, but always a good sign
2361##} JM_I_FEEL_LUCKY
2362
2363##{ JM_RCVD_QMAILV1
2364
2365header JM_RCVD_QMAILV1 Received =~ /by \S+ \(Qmailv1\) with ESMTP/
2366##} JM_RCVD_QMAILV1
2367
2368##{ JM_TORA_XM
2369
2370meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
2371##} JM_TORA_XM
2372
2373##{ KB_DATE_CONTAINS_TAB
2374
2375meta KB_DATE_CONTAINS_TAB __KB_DATE_CONTAINS_TAB && !__ML_TURNS_SP_TO_TAB
2376#score KB_DATE_CONTAINS_TAB 0.5
2377##} KB_DATE_CONTAINS_TAB
2378
2379##{ KB_FAKED_THE_BAT
2380
2381meta KB_FAKED_THE_BAT (__THEBAT_MUA && KB_DATE_CONTAINS_TAB)
2382##} KB_FAKED_THE_BAT
2383
2384##{ KB_RATWARE_BOUNDARY
2385
2386meta KB_RATWARE_BOUNDARY __RATWARE_BOUND_A || __RATWARE_BOUND_B
2387##} KB_RATWARE_BOUNDARY
2388
2389##{ KB_RATWARE_MSGID
2390
2391meta KB_RATWARE_MSGID (__KB_MSGID_OUTLOOK_888 && __ANY_OUTLOOK_MUA)
2392##} KB_RATWARE_MSGID
2393
2394##{ KB_RATWARE_OUTLOOK_08
# KB_RATWARE_OUTLOOK_* family: each rule runs against the ALL pseudo-header
# (every header in one string) and correlates hex digits in the Message-Id
# with the "----=_NextPart_000_" MIME boundary that appears 100-400
# characters later. /m lets ^ match at the start of any header line, /s lets
# "." cross line breaks, /i ignores case.
#   _08  : first 8 hex digits of the Message-Id (\1) repeat in the boundary
#   _12  : first 8 hex digits (\1) plus the next 4 (\2) repeat
#   _16  : first 8 (\1) and second 8 (\2) hex digits repeat
#   _MID : as _16, but the Message-Id must also carry a third 8-digit hex
#          group followed by "@", and the boundary must end with a closing quote
# NOTE(review): presumably this correlation is something the genuine mail
# client does not produce, which is why it is treated as a bulk-mailer
# ("ratware") fingerprint - confirm against upstream rule notes.
# The trailing '# "' on three of the rules is a comment; it looks like it is
# only there to balance the double quote for syntax highlighters.
2395
2396header KB_RATWARE_OUTLOOK_08 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi # "
2397##} KB_RATWARE_OUTLOOK_08
2398
2399##{ KB_RATWARE_OUTLOOK_12
2400
2401header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # "
2402##} KB_RATWARE_OUTLOOK_12
2403
2404##{ KB_RATWARE_OUTLOOK_16
2405
2406header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # "
2407##} KB_RATWARE_OUTLOOK_16
2408
2409##{ KB_RATWARE_OUTLOOK_MID
2410
2411header KB_RATWARE_OUTLOOK_MID ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi
2412##} KB_RATWARE_OUTLOOK_MID
2413
2414##{ KHOP_FAKE_EBAY
2415
2416meta KHOP_FAKE_EBAY __EBAY_ADDRESS && !__NOT_SPOOFED
2417describe KHOP_FAKE_EBAY Sender falsely claims to be from eBay
2418##} KHOP_FAKE_EBAY
2419
2420##{ KHOP_HELO_FCRDNS
2421
2422meta KHOP_HELO_FCRDNS __HELO_NOT_RDNS && !(__VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || __NOT_SPOOFED || __RDNS_SHORT)
2423describe KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
2424#score KHOP_HELO_FCRDNS 0.4 # 20090603
2425##} KHOP_HELO_FCRDNS
2426
2427##{ LINKEDIN_IMG_NOT_RCVD_LNKN
2428
2429meta LINKEDIN_IMG_NOT_RCVD_LNKN __LINKED_IMG_NOT_RCVD_LINK && !__LUNSUB_BEFORE_SUBJDT
2430#score LINKEDIN_IMG_NOT_RCVD_LNKN 2.500 # limit
2431describe LINKEDIN_IMG_NOT_RCVD_LNKN Linkedin hosted image but message not from Linkedin
2432tflags LINKEDIN_IMG_NOT_RCVD_LNKN publish
2433##} LINKEDIN_IMG_NOT_RCVD_LNKN
2434
2435##{ LIST_PRTL_PUMPDUMP
2436
2437meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS
2438describe LIST_PRTL_PUMPDUMP Incomplete List-* headers and stock pump-and-dump
2439#score LIST_PRTL_PUMPDUMP 2.000 # limit
2440tflags LIST_PRTL_PUMPDUMP publish
2441##} LIST_PRTL_PUMPDUMP
2442
2443##{ LIST_PRTL_SAME_USER
2444
2445meta LIST_PRTL_SAME_USER __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO
2446describe LIST_PRTL_SAME_USER Incomplete List-* headers and from+to user the same
2447#score LIST_PRTL_SAME_USER 3.000 # limit
2448tflags LIST_PRTL_SAME_USER publish
2449##} LIST_PRTL_SAME_USER
2450
2451##{ LIVEFILESTORE
# LIVEFILESTORE: uri rule that hits when any URI in the message contains the
# text "livefilestore" + one character + "com/".
# NOTE(review): the "." is not escaped, so it matches any character, and the
# pattern is not anchored to the host part, so the same text in the path or
# query string of an unrelated URI also hits. An escaped dot plus a host
# anchor would be stricter; this file is overwritten on update, so such a
# change belongs upstream or in a local override rule.
# No describe or score line is set for this rule in this block.
2452
2453uri LIVEFILESTORE m~livefilestore.com/~
2454##} LIVEFILESTORE
2455
2456##{ LONG_HEX_URI
2457
2458meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024
2459describe LONG_HEX_URI Very long purely hexadecimal URI
2460#score LONG_HEX_URI 3.000 # limit
2461tflags LONG_HEX_URI publish
2462##} LONG_HEX_URI
2463
2464##{ LONG_IMG_URI
2465
2466meta LONG_IMG_URI __45_ALNUM_IMG && !ALL_TRUSTED && !__HAS_ERRORS_TO
2467describe LONG_IMG_URI Image URI with very long path component - web bug?
2468#score LONG_IMG_URI 3.000 # limit
2469tflags LONG_IMG_URI publish
2470##} LONG_IMG_URI
2471
2472##{ LONG_INVISIBLE_TEXT
2473
2474describe LONG_INVISIBLE_TEXT Long block of hidden text - bayes poison?
2475#score LONG_INVISIBLE_TEXT 3.000 # limit
2476tflags LONG_INVISIBLE_TEXT publish
2477##} LONG_INVISIBLE_TEXT
2478
2479##{ LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
2480
2481if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
2482 meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV
2483endif
2484##} LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
2485
2486##{ LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
# LONG_INVISIBLE_TEXT, variant used when the feature_bug6558_free capability
# is available. The file also holds an "if !(can(...))" variant with a
# simpler expression; the two conditions are opposites, so only one meta
# definition takes effect on a given installation.
# Fires on __LONG_INVIS_DIV alone, or on __LONG_STY_INVIS when none of the
# listed exclusion sub-rules hit.
# NOTE(review): !__RCD_RDNS_MTA_MESSY and !__USING_VERP1 each appear twice in
# the exclusion list. The repeats are redundant and do not change the result.
2487
2488if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2489 meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV || (__LONG_STY_INVIS && !__UNSUB_LINK && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__RCD_RDNS_MTA && !__RCD_RDNS_MTA_MESSY && !__MIME_QP && !__HAS_X_MAILER && !__REPTO_QUOTE && !__USING_VERP1 )
2490endif
2491##} LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2492
2493##{ LONG_TERM_PRICE
2494
2495body LONG_TERM_PRICE /long\W+term\W+(target|projected)(\W+price)?/i
2496##} LONG_TERM_PRICE
2497
2498##{ LOOPHOLE_1
2499
2500body LOOPHOLE_1 /loop-?hole in the banking/i
2501describe LOOPHOLE_1 A loop hole in the banking laws?
2502##} LOOPHOLE_1
2503
2504##{ LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
2505
2506if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
2507 meta LOTS_OF_MONEY 0
2508endif
2509##} LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
2510
2511##{ LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2512
2513ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2514 meta LOTS_OF_MONEY (__LOTSA_MONEY_00 || __LOTSA_MONEY_01 || __LOTSA_MONEY_02 || __LOTSA_MONEY_03 || __LOTSA_MONEY_04 || __LOTSA_MONEY_05) && !__TRAVEL_ITINERARY
2515 describe LOTS_OF_MONEY Huge... sums of money
2516# score LOTS_OF_MONEY 0.01
2517 tflags LOTS_OF_MONEY publish
2518endif
2519##} LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2520
2521##{ LOTTERY_1
2522
2523meta LOTTERY_1 (__DBLCLAIM && __CASHPRZ)
2524##} LOTTERY_1
2525
2526##{ LOTTERY_PH_004470
2527
2528meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY)
2529##} LOTTERY_PH_004470
2530
2531##{ LOTTO_AGENT
2532
2533meta LOTTO_AGENT __LOTTO_AGENT && !__HAS_IN_REPLY_TO && !__THREADED && !__TO_YOUR_ORG && !__DKIM_EXISTS && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT && !__HAS_ERRORS_TO && !__RP_MATCHES_RCVD
2534describe LOTTO_AGENT Claims Agent
2535#score LOTTO_AGENT 1.50 # limit
2536##} LOTTO_AGENT
2537
2538##{ LUCRATIVE
2539
2540meta LUCRATIVE ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED
2541describe LUCRATIVE Make lots of money!
2542#score LUCRATIVE 2.00 # limit
2543tflags LUCRATIVE publish
2544##} LUCRATIVE
2545
2546##{ L_SPAM_TOOL_13
# L_SPAM_TOOL_13: matches a Date header that ends in a numeric zone offset
# (+HHMM / -HHMM) whose tens-of-minutes digit is anything other than 0 or 3,
# i.e. minutes outside 00-09 and 30-39.
# The negative lookahead exempts offsets whose second hour digit is 2, 3, 5
# or 8 and whose minutes are exactly 45.
# NOTE(review): presumably those exemptions cover the real-world :45 time
# zones, leaving only offsets that no genuine clock would produce - confirm.
# The Date header is written by the sender, so this is a tool fingerprint
# and not a trustworthy timestamp check.
2547
2548header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/
2549##} L_SPAM_TOOL_13
2550
2551##{ MALF_HTML_B64
2552
2553meta MALF_HTML_B64 MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG
2554describe MALF_HTML_B64 Malformatted base64-encoded HTML content
2555#score MALF_HTML_B64 3.500 # limit
2556tflags MALF_HTML_B64 publish
2557##} MALF_HTML_B64
2558
2559##{ MALWARE_NORDNS
2560
2561meta MALWARE_NORDNS __MALWARE_NORDNS && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01
2562describe MALWARE_NORDNS Malware bragging + no rDNS
2563#score MALWARE_NORDNS 3.500 # limit
2564tflags MALWARE_NORDNS publish
2565##} MALWARE_NORDNS
2566
2567##{ MALWARE_PASSWORD
2568
2569meta MALWARE_PASSWORD __MALWARE_PASSWORD && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01
2570describe MALWARE_PASSWORD Malware bragging + "password"
2571#score MALWARE_PASSWORD 3.500 # limit
2572tflags MALWARE_PASSWORD publish
2573##} MALWARE_PASSWORD
2574
2575##{ MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2576
2577ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2578 meta MALW_ATTACH __MALW_ATTACH && !__HAS_THREAD_INDEX
2579 describe MALW_ATTACH Attachment filename suspicious, probable malware exploit
2580 tflags MALW_ATTACH publish
2581endif
2582##} MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2583
2584##{ MANY_HDRS_LCASE
2585
2586describe MANY_HDRS_LCASE Odd capitalization of multiple message headers
2587#score MANY_HDRS_LCASE 0.10 # limit
2588##} MANY_HDRS_LCASE
2589
2590##{ MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
2591
2592if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
2593 meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
2594endif
2595##} MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
2596
2597##{ MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
2598
2599ifplugin Mail::SpamAssassin::Plugin::FreeMail
2600 meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
2601endif
2602##} MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
2603
2604##{ MANY_SPAN_IN_TEXT
2605
2606meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML
2607describe MANY_SPAN_IN_TEXT Many <SPAN> tags embedded within text
2608tflags MANY_SPAN_IN_TEXT publish
2609##} MANY_SPAN_IN_TEXT
2610
2611##{ MAY_BE_FORGED
2612
2613meta MAY_BE_FORGED __MAY_BE_FORGED && !__NOT_SPOOFED && !__VIA_ML
2614describe MAY_BE_FORGED Relay IP's reverse DNS does not resolve to IP
2615##} MAY_BE_FORGED
2616
2617##{ MID_DEGREES
2618
2619header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
2620##} MID_DEGREES
2621
2622##{ MILLION_HUNDRED
2623
2624body MILLION_HUNDRED /Million\s+\S+\s+Hundred/i
2625describe MILLION_HUNDRED Million "One to Nine" Hundred
2626tflags MILLION_HUNDRED publish
2627##} MILLION_HUNDRED
2628
2629##{ MILLION_USD
2630
2631body MILLION_USD /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i
2632describe MILLION_USD Talks about millions of dollars
2633#score MILLION_USD 2
2634##} MILLION_USD
2635
2636##{ MIMEOLE_DIRECT_TO_MX
2637
2638meta MIMEOLE_DIRECT_TO_MX __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS
2639describe MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX
2640#score MIMEOLE_DIRECT_TO_MX 2.000 # limit
2641tflags MIMEOLE_DIRECT_TO_MX publish
2642##} MIMEOLE_DIRECT_TO_MX
2643
2644##{ MIME_BOUND_EQ_REL
2645
2646header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s
2647##} MIME_BOUND_EQ_REL
2648
2649##{ MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2650
2651ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2652 meta MIME_NO_TEXT __MIME_NO_TEXT && !__BOUNCE_CTYPE && !__CT_ENCRYPTED && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__USER_AGENT_APPLEMAIL && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__HS_SUBJ_RE_FW && !__PDF_ATTACH && !__LCL__KAM_BODY_LENGTH_LT_128
2653# score MIME_NO_TEXT 2.00 # limit
2654 describe MIME_NO_TEXT No (properly identified) text body parts
2655 tflags MIME_NO_TEXT publish
2656endif
2657##} MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2658
2659##{ MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2660
2661ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2662 meta MIME_PHP_NO_TEXT (MIME_NO_TEXT && __PHP_MUA)
2663 describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP
2664endif
2665##} MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2666
2667##{ MIXED_AREA_CASE
2668
2669meta MIXED_AREA_CASE __MIXED_AREA_CASE
2670describe MIXED_AREA_CASE Has area tag in mixed case
2671#score MIXED_AREA_CASE 2.500 # limit
2672tflags MIXED_AREA_CASE publish
2673##} MIXED_AREA_CASE
2674
2675##{ MIXED_CENTER_CASE
2676
2677meta MIXED_CENTER_CASE __MIXED_CENTER_CASE
2678describe MIXED_CENTER_CASE Has center tag in mixed case
2679#score MIXED_CENTER_CASE 2.500 # limit
2680tflags MIXED_CENTER_CASE publish
2681##} MIXED_CENTER_CASE
2682
2683##{ MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
# MIXED_ES: arithmetic meta, defined only when feature_bug6558_free is
# available and the ReplaceTags plugin is loaded. It compares the values of
# two sub-rules rather than just testing whether they hit. It fires when:
#   - HTML_IMAGE_ONLY_16 did not hit,
#   - __LOWER_E is greater than 20,
#   - __E_LIKE_LETTER is more than 1.4 times __LOWER_E (the *14 / 10 term),
#   - __E_LIKE_LETTER is less than 10 times __LOWER_E.
# NOTE(review): presumably __E_LIKE_LETTER counts look-alike characters
# substituted for "e" to slip past word-based filters, and both sub-rules are
# counted per occurrence (tflags multiple) - confirm where they are defined.
# The commented-out "lang ... score" lines look like reduced scores for
# languages that legitimately use many accented letters; they are inactive.
2684
2685if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2686 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2687 meta MIXED_ES ( ! HTML_IMAGE_ONLY_16 ) && ( __LOWER_E > 20 ) && ( __E_LIKE_LETTER > ( (__LOWER_E * 14 ) / 10) ) && ( __E_LIKE_LETTER < ( 10 * __LOWER_E ) )
2688 describe MIXED_ES Too many es are not es
2689 tflags MIXED_ES publish
2690# lang pl score MIXED_ES 0.01
2691# lang cz score MIXED_ES 0.01
2692# lang sk score MIXED_ES 0.01
2693# lang hr score MIXED_ES 0.01
2694# lang el score MIXED_ES 0.01
2695endif
2696endif
2697##} MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2698
2699##{ MIXED_FONT_CASE
2700
2701meta MIXED_FONT_CASE __MIXED_FONT_CASE
2702describe MIXED_FONT_CASE Has font tag in mixed case
2703#score MIXED_FONT_CASE 2.500 # limit
2704tflags MIXED_FONT_CASE publish
2705##} MIXED_FONT_CASE
2706
2707##{ MIXED_HREF_CASE
2708
2709meta MIXED_HREF_CASE __MIXED_HREF_CASE_JH
2710describe MIXED_HREF_CASE Has href in mixed case
2711#score MIXED_HREF_CASE 2.000 # limit
2712tflags MIXED_HREF_CASE publish
2713##} MIXED_HREF_CASE
2714
2715##{ MIXED_IMG_CASE
2716
2717meta MIXED_IMG_CASE __MIXED_IMG_CASE_JH && !__MSGID_JAVAMAIL
2718describe MIXED_IMG_CASE Has img tag in mixed case
2719#score MIXED_IMG_CASE 3.000 # limit
2720tflags MIXED_IMG_CASE publish
2721##} MIXED_IMG_CASE
2722
2723##{ MONERO_DEADLINE
2724
2725meta MONERO_DEADLINE __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01
2726describe MONERO_DEADLINE Monero cryptocurrency with a deadline
2727#score MONERO_DEADLINE 3.000 # limit
2728tflags MONERO_DEADLINE publish
2729##} MONERO_DEADLINE
2730
2731##{ MONERO_EXTORT_01
2732
2733meta MONERO_EXTORT_01 __MONERO && __EXTORT_MANY
2734describe MONERO_EXTORT_01 Extortion spam, pay via Monero cryptocurrency
2735#score MONERO_EXTORT_01 5.000 # limit
2736tflags MONERO_EXTORT_01 publish
2737##} MONERO_EXTORT_01
2738
2739##{ MONERO_MALWARE
2740
2741meta MONERO_MALWARE __MONERO && __MY_MALWARE && !MONERO_EXTORT_01
2742describe MONERO_MALWARE Monero cryptocurrency + malware bragging
2743#score MONERO_MALWARE 3.500 # limit
2744tflags MONERO_MALWARE publish
2745##} MONERO_MALWARE
2746
2747##{ MONERO_PAY_ME
2748
2749meta MONERO_PAY_ME __MONERO && __PAY_ME && !MONERO_EXTORT_01
2750describe MONERO_PAY_ME Pay me via Monero cryptocurrency
2751#score MONERO_PAY_ME 3.000 # limit
2752tflags MONERO_PAY_ME publish
2753##} MONERO_PAY_ME
2754
2755##{ MONEY_ATM_CARD
2756
2757meta MONEY_ATM_CARD __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE
2758describe MONEY_ATM_CARD Lots of money on an ATM card
2759##} MONEY_ATM_CARD
2760
2761##{ MONEY_FORM
2762
2763meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP
2764describe MONEY_FORM Lots of money if you fill out a form
2765##} MONEY_FORM
2766
2767##{ MONEY_FORM_SHORT
2768
2769meta MONEY_FORM_SHORT __MONEY_FORM_SHORT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__THREADED && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__THREAD_INDEX_GOOD
2770describe MONEY_FORM_SHORT Lots of money if you fill out a short form
2771#score MONEY_FORM_SHORT 2.500 # limit
2772##} MONEY_FORM_SHORT
2773
2774##{ MONEY_FRAUD_3
2775
2776meta MONEY_FRAUD_3 (__MONEY_FRAUD_3 && !__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_3_NEW_MONEY) && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__IS_EXCH && !__VIA_ML && !__HAS_THREAD_INDEX && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__HTML_LINK_IMAGE && !__THREADED && !__DOS_BODY_THU && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
2777describe MONEY_FRAUD_3 Lots of money and several fraud phrases
2778tflags MONEY_FRAUD_3 publish
2779##} MONEY_FRAUD_3
2780
2781##{ MONEY_FRAUD_5
2782
2783meta MONEY_FRAUD_5 (__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_5_NEW_MONEY) && !__VIA_ML && !__HAS_THREAD_INDEX && !__COMMENT_EXISTS && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
2784describe MONEY_FRAUD_5 Lots of money and many fraud phrases
2785tflags MONEY_FRAUD_5 publish
2786##} MONEY_FRAUD_5
2787
2788##{ MONEY_FRAUD_8
2789
2790meta MONEY_FRAUD_8 __MONEY_FRAUD_8 && !__VIA_ML && !__HAS_THREAD_INDEX && !__BUGGED_IMG
2791describe MONEY_FRAUD_8 Lots of money and very many fraud phrases
2792tflags MONEY_FRAUD_8 publish
2793##} MONEY_FRAUD_8
2794
2795##{ MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
2796
2797ifplugin Mail::SpamAssassin::Plugin::FreeMail
2798 meta MONEY_FREEMAIL_REPTO __MONEY_FREEMAIL_REPTO && !__HAS_CAMPAIGNID
2799 describe MONEY_FREEMAIL_REPTO Lots of money from someone using free email?
2800# score MONEY_FREEMAIL_REPTO 3.000 # limit
2801 tflags MONEY_FREEMAIL_REPTO publish
2802endif
2803##} MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
2804
2805##{ MONEY_FROM_41
2806
2807meta MONEY_FROM_41 __MONEY_FROM_41
2808describe MONEY_FROM_41 Lots of money from Africa
2809#score MONEY_FROM_41 2.00 # limit
2810##} MONEY_FROM_41
2811
2812##{ MONEY_FROM_MISSP
2813
2814meta MONEY_FROM_MISSP LOTS_OF_MONEY && __FROM_MISSPACED && !__MIME_QP
2815describe MONEY_FROM_MISSP Lots of money and misspaced From
2816#score MONEY_FROM_MISSP 2.000 # limit
2817##} MONEY_FROM_MISSP
2818
2819##{ MONEY_NOHTML
2820
2821meta MONEY_NOHTML LOTS_OF_MONEY && __CT_TEXT_PLAIN
2822describe MONEY_NOHTML Lots of money in plain text
2823#score MONEY_NOHTML 2.500 # limit
2824##} MONEY_NOHTML
2825
2826##{ MSGID_DOLLARS_URI_IMG
2827
2828meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW
2829describe MSGID_DOLLARS_URI_IMG Suspicious Message-ID and image
2830#score MSGID_DOLLARS_URI_IMG 3.000 # limit
2831tflags MSGID_DOLLARS_URI_IMG publish
2832##} MSGID_DOLLARS_URI_IMG
2833
2834##{ MSGID_HDR_MALF
# MSGID_HDR_MALF: meta that simply mirrors one sub-rule, __HAS_MESSAGEID,
# which is defined outside this section.
# NOTE(review): the sub-rule name reads like a plain presence check while the
# description says "invalid". Presumably the sub-rule tests for a header
# spelled "MessageID" instead of the standard "Message-ID" - confirm against
# its definition before relying on the description.
# The score line is commented out, so no score is assigned here.
2835
2836meta MSGID_HDR_MALF __HAS_MESSAGEID
2837describe MSGID_HDR_MALF Has invalid message ID header
2838#score MSGID_HDR_MALF 3.500 # limit
2839tflags MSGID_HDR_MALF publish
2840##} MSGID_HDR_MALF
2841
2842##{ MSGID_MULTIPLE_AT
2843
2844header MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/
2845describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters
2846#score MSGID_MULTIPLE_AT 0.001
2847##} MSGID_MULTIPLE_AT
2848
46cfc9e2 2849##{ MSGID_WSP_TRAIL
b780ea8d 2850
2851header MSGID_WSP_TRAIL Message-ID:raw =~ /< [^>]* \s > [^<>]* \z/xm
2852describe MSGID_WSP_TRAIL Trailing whitespace before '>' in Message-ID header
2853##} MSGID_WSP_TRAIL
2854
2855##{ MSMAIL_PRI_ABNORMAL
2856
2857meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER && !__HAS_UA && !__MSMAIL_PRI_HIGH
2858describe MSMAIL_PRI_ABNORMAL Email priority often abused
2859#score MSMAIL_PRI_ABNORMAL 1.500 # limit
2860##} MSMAIL_PRI_ABNORMAL
2861
2862##{ MSM_PRIO_REPTO
2863
2864meta MSM_PRIO_REPTO __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH
2865describe MSM_PRIO_REPTO MSMail priority header + Reply-to + short subject
2866#score MSM_PRIO_REPTO 2.500 # limit
2867tflags MSM_PRIO_REPTO publish
2868##} MSM_PRIO_REPTO
2869
2870##{ MSOE_MID_WRONG_CASE
2871
2872meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)
2873##} MSOE_MID_WRONG_CASE
2874
2875##{ NAME_EMAIL_DIFF
2876
2877meta NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL
2878describe NAME_EMAIL_DIFF Sender NAME is an unrelated email address
2879##} NAME_EMAIL_DIFF
2880
2881##{ NA_DOLLARS
2882
2883body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i
2884describe NA_DOLLARS Talks about a million North American dollars
2885#score NA_DOLLARS 1.5
2886##} NA_DOLLARS
2887
2888##{ NEWEGG_IMG_NOT_RCVD_NEGG
2889
2890meta NEWEGG_IMG_NOT_RCVD_NEGG __NEWEGG_IMG_NOT_RCVD_NEGG
2891#score NEWEGG_IMG_NOT_RCVD_NEGG 2.500 # limit
2892describe NEWEGG_IMG_NOT_RCVD_NEGG Newegg hosted image but message not from Newegg
2893tflags NEWEGG_IMG_NOT_RCVD_NEGG publish
2894##} NEWEGG_IMG_NOT_RCVD_NEGG
2895
2896##{ NICE_REPLY_A
# NICE_REPLY_A: ham-indicator rule. "tflags nice" marks it as a rule meant
# to lower the spam score rather than raise it.
# Fires when __SUBJ_RE and __BOTH_INR_AND_REF hit and neither __MISSING_REPLY
# nor __MISSING_REF hits.
# NOTE(review): going by the sub-rule names, every input is a message header
# (subject prefix, In-Reply-To, References), and headers are written by the
# sender. Presumably the rule is therefore kept at a small negative score so
# that forged reply headers cannot outweigh other evidence - confirm the
# score assigned elsewhere.
2897
2898meta NICE_REPLY_A (__SUBJ_RE && !__MISSING_REPLY && !__MISSING_REF && __BOTH_INR_AND_REF)
2899describe NICE_REPLY_A Looks like a legit reply (A)
2900tflags NICE_REPLY_A nice
2901##} NICE_REPLY_A
2902
2903##{ NOT_SPAM
2904
2905body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i
2906describe NOT_SPAM I'm not spam! Really! I'm not, I'm not, I'm not!
2907tflags NOT_SPAM publish
2908##} NOT_SPAM
2909
2910##{ NO_FM_NAME_IP_HOSTN
2911
2912meta NO_FM_NAME_IP_HOSTN (__KHOP_NO_FULL_NAME && __IP_IN_RELAY) && !__DOS_RELAYED_EXT
2913describe NO_FM_NAME_IP_HOSTN No From name + hostname using IP address
2914#score NO_FM_NAME_IP_HOSTN 2.500 # limit
2915tflags NO_FM_NAME_IP_HOSTN publish
2916##} NO_FM_NAME_IP_HOSTN
2917
2918##{ NSL_RCVD_FROM_USER
2919
2920header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
2921describe NSL_RCVD_FROM_USER Received from User
2922##} NSL_RCVD_FROM_USER
2923
2924##{ NSL_RCVD_HELO_USER
2925
2926header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
2927describe NSL_RCVD_HELO_USER Received from HELO User
2928##} NSL_RCVD_HELO_USER
2929
2930##{ NULL_IN_BODY
# NULL_IN_BODY: "full" rule, so the pattern runs over the complete message
# as received (headers and body, before MIME decoding). Despite the rule
# name, a NUL byte in the header section hits as well, and a NUL that only
# appears after base64 or quoted-printable decoding does not.
# No score line is set for this rule in this block.
2931
2932full NULL_IN_BODY /\x00/
2933describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message
2934##} NULL_IN_BODY
2935
2936##{ NUMBEREND_LINKBAIT
2937
2938meta NUMBEREND_LINKBAIT __NUMBEREND_TLD && __LCL__KAM_BODY_LENGTH_LT_1024 && __BODY_URI_ONLY
2939describe NUMBEREND_LINKBAIT Domain ends in a large number and very short body with link
2940#score NUMBEREND_LINKBAIT 1.0 # limit
2941##} NUMBEREND_LINKBAIT
2942
2943##{ OBFU_BITCOIN
2944
2945meta OBFU_BITCOIN __OBFU_BITCOIN
2946describe OBFU_BITCOIN Obfuscated BitCoin references
2947#score OBFU_BITCOIN 3.000 # limit
2948tflags OBFU_BITCOIN publish
2949##} OBFU_BITCOIN
2950
2951##{ OBFU_JVSCR_ESC
# OBFU_JVSCR_ESC: rawbody rule, so it sees the HTML/script markup. It matches
# the text document.write(unescape( followed by a quote and at least ten
# consecutive %XX hex escapes, case-insensitively.
# The {10} count means short, incidental escapes do not hit; only a run of
# percent-encoded characters passed straight to document.write does.
# No score line is set for this rule in this block.
2952
2953rawbody OBFU_JVSCR_ESC /document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i
2954describe OBFU_JVSCR_ESC Injects content using obfuscated javascript
2955tflags OBFU_JVSCR_ESC publish
2956##} OBFU_JVSCR_ESC
2957
2958##{ OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
# OBFU_TEXT_ATTACH: mimeheader rule (needs the MIMEHeader plugin) that tests
# the Content-Type header of MIME parts. It hits when the value contains
# application/octet-stream and, anywhere later in the same header value,
# ".txt" ending at a word boundary.
# NOTE(review): presumably the ".txt" is expected in the name= parameter,
# i.e. a file presented as text but declared as opaque binary - the pattern
# itself does not require that parameter. The ".+" is unbounded, but it only
# runs over a single header value.
2959
2960ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2961 mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i
2962 describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type
2963 tflags OBFU_TEXT_ATTACH publish
2964endif
2965##} OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2966
2967##{ OBFU_UNSUB_UL
2968
2969meta OBFU_UNSUB_UL __OBFU_UNSUB_UL && !MAILING_LIST_MULTI
2970describe OBFU_UNSUB_UL Obfuscated unsubscribe text
2971tflags OBFU_UNSUB_UL publish
2972##} OBFU_UNSUB_UL
2973
2974##{ ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
2975
2976ifplugin Mail::SpamAssassin::Plugin::FreeMail
2977 meta ODD_FREEM_REPTO __freemail_mailreplyto
2978 describe ODD_FREEM_REPTO Has unusual reply-to header
2979# score ODD_FREEM_REPTO 3.000 # limit
2980 tflags ODD_FREEM_REPTO publish
2981endif
2982##} ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
2983
2984##{ OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
2985
2986if (version >= 3.004002)
2987ifplugin Mail::SpamAssassin::Plugin::WLBLEval
2988meta OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA
2989describe OFFER_ONLY_AMERICA Offer only available to US
2990#score OFFER_ONLY_AMERICA 2.0 # limit
2991endif
2992endif
2993##} OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
2994
2995##{ ONLINE_MKTG_CNSLT
2996
2997body ONLINE_MKTG_CNSLT /\bonline marketing consultant\b/i
2998##} ONLINE_MKTG_CNSLT
2999
3000##{ ORDER_TODAY
3001
3002meta ORDER_TODAY __ORDER_TODAY && (__HTML_IMG_ONLY || __ALIBABA_IMG_NOT_RCVD_ALI || __TO_NO_BRKTS_NORDNS_HTML)
3003describe ORDER_TODAY Get your order in now!
3004#score ORDER_TODAY 2.500 # limit
3005##} ORDER_TODAY
3006
3007##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3008
3009ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3010meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F)
3011describe PART_CID_STOCK Has a spammy image attachment (by Content-ID)
3012endif
3013##} PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3014
3015##{ PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3016
3017ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3018meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS)
3019describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific)
3020endif
3021##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3022
3023##{ PDS_BTC_ID
3024
3025meta PDS_BTC_ID __PDS_BTC_ID
3026describe PDS_BTC_ID FP reduced Bitcoin ID
3027#score PDS_BTC_ID 0.5
3028##} PDS_BTC_ID
3029
3030##{ PDS_BTC_MSGID
3031
3032meta PDS_BTC_MSGID __PDS_BTC_ID && __MSGID_NOFQDN2
3033describe PDS_BTC_MSGID Bitcoin ID with T_MSGID_NOFQDN2
3034#score PDS_BTC_MSGID 1.0
3035##} PDS_BTC_MSGID
3036
3037##{ PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3038
3039if (version >= 3.004002)
3040ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3041meta PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD )
3042describe PDS_BTC_NTLD Bitcoin suspect NTLD
3043#score PDS_BTC_NTLD 2.0 # limit
3044endif
3045endif
3046##} PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3047
3048##{ PDS_DBL_URL_TNB_RUNON
3049
3050meta PDS_DBL_URL_TNB_RUNON __TO_NO_BRKTS_FROM_RUNON && __PDS_DOUBLE_URL
3051describe PDS_DBL_URL_TNB_RUNON Double-url and To no arrows, from runon
3052#score PDS_DBL_URL_TNB_RUNON 2.0
3053##} PDS_DBL_URL_TNB_RUNON
3054
3055##{ PDS_FRNOM_TODOM_DBL_URL
3056
3057meta PDS_FRNOM_TODOM_DBL_URL PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL
3058describe PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL
3059#score PDS_FRNOM_TODOM_DBL_URL 1.5
3060##} PDS_FRNOM_TODOM_DBL_URL
3061
3062##{ PDS_FRNOM_TODOM_NAKED_TO
3063
3064meta PDS_FRNOM_TODOM_NAKED_TO __NAKED_TO && PDS_FROM_NAME_TO_DOMAIN
3065describe PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain
3066#score PDS_FRNOM_TODOM_NAKED_TO 1.5
3067##} PDS_FRNOM_TODOM_NAKED_TO
3068
3069##{ PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3070
3071ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3072if (version >= 3.004000)
3073meta PDS_FROM_2_EMAILS_SHRTNER (__PDS_URISHORTENER || __URL_SHORTENER) && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY
3074describe PDS_FROM_2_EMAILS_SHRTNER From 2 emails short email with little more than a URI shortener
3075#score PDS_FROM_2_EMAILS_SHRTNER 1.5 # limit
3076endif
3077endif
3078##} PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3079
3080##{ PDS_FROM_NAME_TO_DOMAIN
3081
3082meta PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN
3083#score PDS_FROM_NAME_TO_DOMAIN 2.0
3084describe PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain
3085##} PDS_FROM_NAME_TO_DOMAIN
3086
3087##{ PDS_HELO_SPF_FAIL
3088
3089meta PDS_HELO_SPF_FAIL SPF_HELO_FAIL && __HELO_HIGHPROFILE
3090describe PDS_HELO_SPF_FAIL High profile HELO that fails SPF
3091#score PDS_HELO_SPF_FAIL 2.0
3092tflags PDS_HELO_SPF_FAIL net
3093##} PDS_HELO_SPF_FAIL
3094
46cfc9e2 3095##{ PDS_HP_HELO_NORDNS
cabe596e 3096
3097meta PDS_HP_HELO_NORDNS RDNS_NONE && __HELO_HIGHPROFILE
3098describe PDS_HP_HELO_NORDNS High profile HELO with no sender rDNS
3099#score PDS_HP_HELO_NORDNS 1.0
3100##} PDS_HP_HELO_NORDNS
3101
3102##{ PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
# PDS_OTHER_BAD_TLD: eval rule, defined only on SpamAssassin 3.4.2 or later
# with the WLBLEval plugin loaded. It calls check_uri_host_listed with the
# list name 'SUSP_URI_NTLD'; the list contents are defined outside this
# section.
# NOTE(review): the rule is declared with the "header" keyword although the
# eval function name refers to URI hosts - presumably it hits when a host
# found in any URI of the message is on that list. Detection quality depends
# entirely on how the list is maintained, so review the list together with
# any score given to this rule.
# The score line below is commented out, so no score is assigned here.
3103
3104if (version >= 3.004002)
3105ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3106header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD')
3107#score PDS_OTHER_BAD_TLD 2.0
3108describe PDS_OTHER_BAD_TLD Untrustworthy TLDs
3109endif
3110endif
3111##} PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3112
3113##{ PDS_PHPEXP_BOT
# PDS_PHPEXP_BOT: meta built from three conditions that must all hold:
#   1. __SENDER_BOT hits;
#   2. at least one of __PDS_TONAME_EQ_TOLOCAL / __NAKED_TO hits;
#   3. at least one of __PDS_PHP_EVAL2, __PDS_PHP_EVAL1, T_PDS_X_PHP_WP_EXP,
#      __PDS_X_PHP_WELLKNOWN hits.
# The "a + b >= 1" form adds the sub-rule results and is an "at least one
# of" test; raising the constant would require several to hit together.
# NOTE(review): T_PDS_X_PHP_WP_EXP carries the T_ prefix, which by
# SpamAssassin convention marks a rule still in testing - confirm it is
# defined in the installed rule set, otherwise that term never contributes.
# NOTE(review): presumably the PHP sub-rules inspect headers added by PHP's
# mail function on the sending web server; a hit on mail leaving your own
# hosts would then be worth investigating as a possible compromised script.
3114
3115meta PDS_PHPEXP_BOT __SENDER_BOT && (__PDS_TONAME_EQ_TOLOCAL + __NAKED_TO >= 1) && (__PDS_PHP_EVAL2 + __PDS_PHP_EVAL1 + T_PDS_X_PHP_WP_EXP + __PDS_X_PHP_WELLKNOWN >= 1)
3116describe PDS_PHPEXP_BOT PHP exploit bot sender
3117#score PDS_PHPEXP_BOT 1.5
3118##} PDS_PHPEXP_BOT
3119
3120##{ PDS_PHP_EVAL
3121
3122meta PDS_PHP_EVAL __PDS_PHP_EVAL1
3123describe PDS_PHP_EVAL PHP header shows eval'd code
3124#score PDS_PHP_EVAL 1.5
3125##} PDS_PHP_EVAL
3126
3127##{ PDS_RDNS_DYNAMIC_FP
3128
3129meta PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC && !__PDS_RDNS_MTA
3130#score PDS_RDNS_DYNAMIC_FP 0.01
3131describe PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC with FP steps
3132##} PDS_RDNS_DYNAMIC_FP
3133
cabe596e 3134##{ PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3135
3136ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3137if (version >= 3.004000)
3138meta PDS_SHORTFWD_URISHRT_FP (__PDS_URISHORTENER || __URL_SHORTENER) && __HS_SUBJ_RE_FW && __PDS_MSG_512
3139describe PDS_SHORTFWD_URISHRT_FP Apparently a short fwd/re with URI shortener
3140#score PDS_SHORTFWD_URISHRT_FP 1.5 # limit
3141endif
3142endif
cabe596e 3143##} PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
b780ea8d 3144
46cfc9e2 3145##{ PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3146
3147ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3148if (version >= 3.004000)
3149meta PDS_SHORTFWD_URISHRT_QP (__PDS_URISHORTENER || __URL_SHORTENER) && __HS_SUBJ_RE_FW && __T_PDS_MSG_512 && !PDS_SHORTFWD_URISHRT_FP
3150describe PDS_SHORTFWD_URISHRT_QP Apparently a short fwd/re with URI shortener
3151#score PDS_SHORTFWD_URISHRT_QP 1.5 # limit
3152endif
3153endif
46cfc9e2 3154##} PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3155
3156##{ PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3157
# Defined only with the WLBLEval plugin loaded and version >= 3.004000.
# Hits when either URL-shortener sub-rule hits together with __SUBJ_SHORT and
# __PDS_MSG_1024; all four sub-rules are defined outside this excerpt.
# NOTE(review): __PDS_MSG_1024 looks like a message-size bound - confirm.
3158ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3159if (version >= 3.004000)
3160meta PDS_TINYSUBJ_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __SUBJ_SHORT && __PDS_MSG_1024
3161describe PDS_TINYSUBJ_URISHRT Short subject with URL shortener
3162#score PDS_TINYSUBJ_URISHRT 1.5 # limit
3163endif
3164endif
3165##} PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3166
3167##{ PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
3168
3169meta PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE FREEMAIL_FORGED_REPLYTO && __PDS_TONAME_EQ_TOLOCAL
3170describe PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE Forged replyto and __PDS_TONAME_EQ_TOLOCAL
3171#score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 2.0 # limit
3172##} PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
3173
3174##{ PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
3175
3176meta PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE __PDS_TONAME_EQ_TOLOCAL && __HDRS_LCASE
3177describe PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE To: name matches everything in local email - LCASE headers
3178#score PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE 2.0 # limit
3179##} PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
3180
3181##{ PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
3182
3183if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
3184 meta PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER
3185 describe PDS_TO_EQ_FROM_NAME From: name same as To: address
3186endif
3187##} PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
3188
3189##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3190
# Defined only when the MIMEHeader plugin is loaded; without it this rule is
# absent and attachment-name phishing gets no coverage from here.
# Hits when either attachment sub-rule hits and __HAS_SENDER does not; the
# sub-rule patterns are outside this excerpt.
# No score line appears in this block, so the weight is set elsewhere.
3191ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3192 meta PHISH_ATTACH (__PHISH_ATTACH_01_01 || __PHISH_ATTACH_01_02) && !__HAS_SENDER
3193 describe PHISH_ATTACH Attachment filename suspicious, probable phishing
3194 tflags PHISH_ATTACH publish
3195endif
3196##} PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3197
3198##{ PHISH_AZURE_CLOUDAPP
3199
# URI rule built from a fixed list of <name>.<region> labels under
# cloudapp.azure.com. The alternation follows the scheme directly, so the
# listed name must be the leftmost host label; the lookahead only confirms
# that the host part ends in .cloudapp.azure.com. Match is case-insensitive.
# This is a point-in-time indicator list: a host name not enumerated here is
# not matched, so treat a miss as "not on this list", not as "benign".
3200uri PHISH_AZURE_CLOUDAPP m;^https?://(?=[^/]+\.cloudapp\.azure\.com)(?:(?:b(?:illetedecalle\.northeurope|urofaxnotificado\.eastus)|comprobante(?:digital\.southcentralus|fiscale\.eastus)|infracciondeestacionamiento(?:\.eastus|s\.ukwest)|multa(?:detrafico\.eastus|prev\.eastus|s\.(?:eastus|southcentralus))|notificadosburofax\.eastus|penadetransitomulta\.eastus))\.cloudapp\.azure\.com/;i
3201describe PHISH_AZURE_CLOUDAPP Link to known phishing web application
3202#score PHISH_AZURE_CLOUDAPP 3.500
3203tflags PHISH_AZURE_CLOUDAPP publish
3204##} PHISH_AZURE_CLOUDAPP
3205
3206##{ PHISH_FBASEAPP
3207
3208meta PHISH_FBASEAPP __PHISH_FBASE_01
3209describe PHISH_FBASEAPP Probable phishing via hosted web app
3210#score PHISH_FBASEAPP 3.000 # limit
3211tflags PHISH_FBASEAPP publish
3212##} PHISH_FBASEAPP
3213
3214##{ PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
3215
# Both PHOTO_EDITING rules are defined only when the running SpamAssassin
# reports the feature_bug6558_free capability.
# DIRECT: __PHOTO_RETOUCHING and __DOS_DIRECT_TO_MX both hit, the message is
# not ALL_TRUSTED, and __HAS_HREF does not hit.
3216if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
3217 meta PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF
3218 describe PHOTO_EDITING_DIRECT Image editing service, direct to MX
3219# score PHOTO_EDITING_DIRECT 3.000 # limit
3220endif
3221##} PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
3222
3223##{ PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
3224
# FREEM: here __PHOTO_RETOUCHING is compared numerically (> 4) rather than
# used as a boolean, combined with either reply-to sub-rule.
# NOTE(review): the numeric test presumably relies on the sub-rule counting
# multiple hits - confirm against its definition, which is not in this excerpt.
3225if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
3226 meta PHOTO_EDITING_FREEM __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
3227 describe PHOTO_EDITING_FREEM Image editing service, freemail or CHN replyto
3228# score PHOTO_EDITING_FREEM 3.750 # limit
3229endif
3230##} PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
3231
3232##{ PHP_NOVER_MUA
3233
# PHP_NOVER_MUA is split over three sections. This first one carries the
# unconditional description and tflags; the meta expression is defined in one
# of the two conditional sections that follow.
3234describe PHP_NOVER_MUA Mail from PHP with no version number
3235#score PHP_NOVER_MUA 3.000 # limit
3236tflags PHP_NOVER_MUA publish
3237##} PHP_NOVER_MUA
3238
3239##{ PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)
3240
# Variant used when the DKIM plugin is NOT loaded: no DKIM-based exclusion.
3241if !plugin(Mail::SpamAssassin::Plugin::DKIM)
3242 meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
3243endif
3244##} PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)
3245
3246##{ PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM
3247
# Variant used when the DKIM plugin IS loaded: identical to the one above
# except for the extra !__DKIM_DEPENDABLE exclusion. The two conditions are
# mutually exclusive, so exactly one definition is active; keep the two
# expressions in step when either is changed.
3248ifplugin Mail::SpamAssassin::Plugin::DKIM
3249 meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
3250endif
3251##} PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM
3252
3253##{ PHP_ORIG_SCRIPT
3254
# Hits on __PHP_ORIG_SCRIPT_SONLY unless one of four exclusions applies:
# ALL_TRUSTED, __SUBSCRIPTION_INFO, __MSGID_BEFORE_RECEIVED or
# MSGID_FROM_MTA_HEADER. All sub-rules are defined outside this excerpt.
# The !ALL_TRUSTED term makes the result depend on how the trusted relay
# path is configured; a too-broad trusted set suppresses this rule.
3255meta PHP_ORIG_SCRIPT __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO && !__MSGID_BEFORE_RECEIVED && !MSGID_FROM_MTA_HEADER
3256describe PHP_ORIG_SCRIPT Sent by bot & other signs
3257#score PHP_ORIG_SCRIPT 2.500 # limit
3258tflags PHP_ORIG_SCRIPT publish
3259##} PHP_ORIG_SCRIPT
3260
3261##{ PHP_ORIG_SCRIPT_EVAL
3262
3263meta PHP_ORIG_SCRIPT_EVAL __PHP_ORIG_SCRIPT_EVAL
3264describe PHP_ORIG_SCRIPT_EVAL From suspicious PHP source
3265#score PHP_ORIG_SCRIPT_EVAL 3.000 # limit
3266##} PHP_ORIG_SCRIPT_EVAL
3267
3268##{ PHP_SCRIPT
3269
# PHP_SCRIPT and PHP_SCRIPT_MUA (below) are mutually exclusive by
# construction: both need __HAS_PHP_SCRIPT, but this rule requires
# !__PHP_NOVER_MUA while PHP_SCRIPT_MUA requires __PHP_NOVER_MUA.
# This rule additionally backs off for ALL_TRUSTED mail and for four other
# sub-rule hits, all defined outside this excerpt.
3270meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT
3271describe PHP_SCRIPT Sent by PHP script
3272#score PHP_SCRIPT 2.500 # limit
3273tflags PHP_SCRIPT publish
3274##} PHP_SCRIPT
3275
3276##{ PHP_SCRIPT_MUA
3277
# Unlike PHP_SCRIPT above, this rule has no !ALL_TRUSTED exclusion, so it can
# also hit on mail that only passed through trusted relays.
3278meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA
3279describe PHP_SCRIPT_MUA Sent by PHP script, no version number
3280#score PHP_SCRIPT_MUA 2.000 # limit
3281tflags PHP_SCRIPT_MUA publish
3282##} PHP_SCRIPT_MUA
3283
3284##{ POSSIBLE_APPLE_PHISH_02
3285
# Brand-impersonation family. The three *_PHISH_02 rules share one shape: a
# __FROM_NAME_<brand>COM sub-rule hits while the matching __HDR_RCVD_<brand>
# sub-rule does not. Per the descriptions, that means the From name claims
# the brand but no Received header shows one of the brand's MTAs.
# The sub-rules are defined outside this excerpt, and no score line appears
# in any of these four blocks.
# NOTE(review): legitimate brand mail relayed through a third-party sender
# would presumably also lack the brand's Received header - check the
# false-positive rate before weighting these heavily.
3286meta POSSIBLE_APPLE_PHISH_02 (__FROM_NAME_APPLECOM && !__HDR_RCVD_APPLE)
3287describe POSSIBLE_APPLE_PHISH_02 Claims to be from apple but not processed by any apple MTA
3288tflags POSSIBLE_APPLE_PHISH_02 publish
3289##} POSSIBLE_APPLE_PHISH_02
3290
3291##{ POSSIBLE_EBAY_PHISH_02
3292
3293meta POSSIBLE_EBAY_PHISH_02 (__FROM_NAME_EBAYCOM && !__HDR_RCVD_EBAY)
3294describe POSSIBLE_EBAY_PHISH_02 Claims to be from ebay but not processed by any ebay MTA
3295tflags POSSIBLE_EBAY_PHISH_02 publish
3296##} POSSIBLE_EBAY_PHISH_02
3297
3298##{ POSSIBLE_PAYPAL_PHISH_01
3299
# Different signal from the _02 rules: the From name claims paypal and
# __NAME_EMAIL_DIFF hits, i.e. name and address disagree per the description.
# It can hit together with POSSIBLE_PAYPAL_PHISH_02 on the same message.
3300meta POSSIBLE_PAYPAL_PHISH_01 (__FROM_NAME_PAYPALCOM && __NAME_EMAIL_DIFF)
3301describe POSSIBLE_PAYPAL_PHISH_01 Claims to be from paypal but has non-paypal from email address
3302tflags POSSIBLE_PAYPAL_PHISH_01 publish
3303##} POSSIBLE_PAYPAL_PHISH_01
3304
3305##{ POSSIBLE_PAYPAL_PHISH_02
3306
3307meta POSSIBLE_PAYPAL_PHISH_02 (__FROM_NAME_PAYPALCOM && !__HDR_RCVD_PAYPAL)
3308describe POSSIBLE_PAYPAL_PHISH_02 Claims to be from paypal but not processed by any paypal MTA
3309tflags POSSIBLE_PAYPAL_PHISH_02 publish
3310##} POSSIBLE_PAYPAL_PHISH_02
3311
3312##{ PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
3313
# Double guard: the MIMEEval plugin must be loaded AND must advertise
# has_check_for_ascii_text_illegal. On an install where the capability is
# missing, the rule is not defined at all.
# Per the description, the eval flags text/plain parts that declare ASCII but
# contain other content; the check itself lives in the plugin, not here.
3314ifplugin Mail::SpamAssassin::Plugin::MIMEEval
3315 if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
3316 body PP_MIME_FAKE_ASCII_TEXT eval:check_for_ascii_text_illegal()
3317 describe PP_MIME_FAKE_ASCII_TEXT MIME text/plain claims to be ASCII but isn't
3318# score PP_MIME_FAKE_ASCII_TEXT 1.0
3319 tflags PP_MIME_FAKE_ASCII_TEXT publish
3320endif
3321endif
3322##} PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
3323
3324##{ PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3325
# Two rules call the same plugin eval with different arguments (0.02 here,
# 0.05 below). Both are defined only when MIMEEval is loaded and advertises
# has_check_abundant_unicode_ratio.
# NOTE(review): the argument looks like a ratio threshold; if so, a message
# over the 0.05 threshold presumably hits both rules, so judge their scores
# together - confirm against the plugin documentation.
3326ifplugin Mail::SpamAssassin::Plugin::MIMEEval
3327 if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3328 body PP_TOO_MUCH_UNICODE02 eval:check_abundant_unicode_ratio(0.02)
3329 describe PP_TOO_MUCH_UNICODE02 Is text/plain but has many unicode escapes
3330# score PP_TOO_MUCH_UNICODE02 0.5
3331 tflags PP_TOO_MUCH_UNICODE02 publish
3332endif
3333endif
3334##} PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3335
3336##{ PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3337
3338ifplugin Mail::SpamAssassin::Plugin::MIMEEval
3339 if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3340 body PP_TOO_MUCH_UNICODE05 eval:check_abundant_unicode_ratio(0.05)
3341 describe PP_TOO_MUCH_UNICODE05 Is text/plain but has many unicode escapes
3342# score PP_TOO_MUCH_UNICODE05 1.0
3343 tflags PP_TOO_MUCH_UNICODE05 publish
3344endif
3345endif
3346##} PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3347
3348##{ PUMPDUMP
3349
# PUMPDUMP and PUMPDUMP_MULTI are exclusive: this rule hits when any of the
# ten __PUMPDUMP_nn phrase sub-rules hits, but only if PUMPDUMP_MULTI (below)
# does not. A message therefore gets one of the two scores, never both.
3350meta PUMPDUMP (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI
3351describe PUMPDUMP Pump-and-dump stock scam phrase
3352#score PUMPDUMP 1.000 # limit
3353tflags PUMPDUMP publish
3354##} PUMPDUMP
3355
3356##{ PUMPDUMP_MULTI
3357
# Hits when the sum of the same ten sub-rules is greater than 1, i.e. at
# least two distinct phrase rules hit.
3358meta PUMPDUMP_MULTI (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
3359describe PUMPDUMP_MULTI Pump-and-dump stock scam phrases
3360#score PUMPDUMP_MULTI 3.500 # limit
3361tflags PUMPDUMP_MULTI publish
3362##} PUMPDUMP_MULTI
3363
3364##{ PUMPDUMP_TIP
3365
3366meta PUMPDUMP_TIP __PD_CNT_1 && __STOCK_TIP
3367describe PUMPDUMP_TIP Pump-and-dump stock tip
3368tflags PUMPDUMP_TIP publish
3369##} PUMPDUMP_TIP
3370
3371##{ RAND_HEADER_LIST_SPOOF
3372
3373meta RAND_HEADER_LIST_SPOOF __RAND_HEADER && __LIST_PARTIAL
3374describe RAND_HEADER_LIST_SPOOF Random gibberish message header(s) + pretending to be a mailing list
3375#score RAND_HEADER_LIST_SPOOF 3.000 # limit
3376tflags RAND_HEADER_LIST_SPOOF publish
3377##} RAND_HEADER_LIST_SPOOF
3378
3379##{ RAND_HEADER_MANY
3380
3381meta RAND_HEADER_MANY __RAND_HEADER_2
3382describe RAND_HEADER_MANY Multiple random gibberish message headers
3383#score RAND_HEADER_MANY 3.000 # limit
3384tflags RAND_HEADER_MANY publish
3385##} RAND_HEADER_MANY
3386
3387##{ RAND_MKTG_HEADER
3388
3389meta RAND_MKTG_HEADER __RAND_MKTG_HEADER && !__HAVE_BOUNCE_RELAYS && !__HAS_THREAD_INDEX && !__HAS_X_MAILING_LIST
3390describe RAND_MKTG_HEADER Has partially-randomized marketing/tracking header(s)
3391#score RAND_MKTG_HEADER 2.000 # limit
3392tflags RAND_MKTG_HEADER publish
3393##} RAND_MKTG_HEADER
3394
3395##{ RATWARE_NO_RDNS
3396
3397meta RATWARE_NO_RDNS __RATWARE_BOUND_A && __RDNS_NONE && __MIME_HTML && __MISSING_REF
3398describe RATWARE_NO_RDNS Suspicious MsgID and MIME boundary + no rDNS
3399#score RATWARE_NO_RDNS 3.000 # limit
3400##} RATWARE_NO_RDNS
3401
3402##{ RCVD_BAD_ID
3403
# Matches a Received header whose "id" token starts with the allowed
# characters (letters, digits, _ + / \ , -) and is then followed directly
# either by one of the listed punctuation characters or by ';' plus a
# non-space character.
# No score or tflags line appears in this block.
3404header RCVD_BAD_ID Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*<=>?\@\[\]^\`{|}~]|;\S)/
3405describe RCVD_BAD_ID Received header contains id field with bad characters
3406##} RCVD_BAD_ID
3407
3408##{ RCVD_DBL_DQ
3409
# Matches two bracketed dotted-quad literals written back to back in a
# Received header, e.g. "[a.b.c.d][e.f.g.h]" with nothing between them.
# The octets are plain \d+ (not range-checked) and only the IPv4 form is
# covered.
3410header RCVD_DBL_DQ Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/
3411describe RCVD_DBL_DQ Malformatted message header
3412tflags RCVD_DBL_DQ publish
3413##} RCVD_DBL_DQ
3414
3415##{ RCVD_DOTEDU_SHORT
3416
46cfc9e2 3417meta RCVD_DOTEDU_SHORT __RCVD_DOTEDU_SHORT && !ALL_TRUSTED && !__FS_SUBJ_RE && !__HAS_LIST_ID
b780ea8d 3418describe RCVD_DOTEDU_SHORT Via .edu MTA + short message
46cfc9e2 3419#score RCVD_DOTEDU_SHORT 1.500 # limit
3420tflags RCVD_DOTEDU_SHORT publish
3421##} RCVD_DOTEDU_SHORT
3422
3423##{ RCVD_DOTEDU_SUSP_URI
3424
3425meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI
3426describe RCVD_DOTEDU_SUSP_URI Via .edu MTA + suspicious URI
3427#score RCVD_DOTEDU_SUSP_URI 3.000 # limit
3428tflags RCVD_DOTEDU_SUSP_URI publish
3429##} RCVD_DOTEDU_SUSP_URI
3430
3431##{ RCVD_FORGED_WROTE
3432
# Matches a Received header of the form " by <host> with esmtp (<A> <B>) id"
# where <A> (6+ chars) and <B> (3+ chars) contain no lowercase letters and no
# spaces. The match is case-sensitive (no /i flag).
3433header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/
3434describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
3435##} RCVD_FORGED_WROTE
3436
3437##{ RCVD_FORGED_WROTE2
3438
# Stricter template match: numeric "from", a HELO name ending in letters, an
# id shaped 6-6-2 characters, and a recipient whose domain must equal the
# "by" host (backreference \1).
# This block has no describe line, unlike RCVD_FORGED_WROTE above.
3439header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
3440##} RCVD_FORGED_WROTE2
3441
3442##{ RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
3443
# Defined only when the DNSEval plugin is loaded.
# check_rbl_sub() does no lookup of its own: it tests the answer already
# obtained for the RBL set named 'iadb-firsttrusted' against the value
# 127.2.255.3. The check_rbl rule that defines that set is not in this
# excerpt.
# 'net' marks a network test; 'nice' marks a rule meant to lower the score.
# A nice rule driven by a third-party DNS list hands part of the ham/spam
# decision to that list operator, so review the score it is given.
3444ifplugin Mail::SpamAssassin::Plugin::DNSEval
3445header RCVD_IN_IADB_DK eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.3')
3446describe RCVD_IN_IADB_DK IADB: Sender publishes Domain Keys record
3447tflags RCVD_IN_IADB_DK net nice
3448endif
3449##} RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
3450
3451##{ RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3452
3453ifplugin Mail::SpamAssassin::Plugin::DNSEval
3454header RCVD_IN_IADB_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.10')
3455describe RCVD_IN_IADB_DOPTIN IADB: All mailing list mail is confirmed opt-in
3456tflags RCVD_IN_IADB_DOPTIN net nice
3457endif
3458##} RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3459
3460##{ RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3461
3462ifplugin Mail::SpamAssassin::Plugin::DNSEval
3463header RCVD_IN_IADB_DOPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.9')
3464describe RCVD_IN_IADB_DOPTIN_GT50 IADB: Confirmed opt-in used more than 50% of the time
3465tflags RCVD_IN_IADB_DOPTIN_GT50 net nice
3466endif
3467##} RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3468
3469##{ RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3470
3471ifplugin Mail::SpamAssassin::Plugin::DNSEval
3472header RCVD_IN_IADB_DOPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.8')
3473describe RCVD_IN_IADB_DOPTIN_LT50 IADB: Confirmed opt-in used less than 50% of the time
3474tflags RCVD_IN_IADB_DOPTIN_LT50 net nice
3475endif
3476##} RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3477
3478##{ RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval
3479
3480ifplugin Mail::SpamAssassin::Plugin::DNSEval
3481header RCVD_IN_IADB_EDDB eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.1')
3482describe RCVD_IN_IADB_EDDB IADB: Participates in Email Deliverability Database
3483tflags RCVD_IN_IADB_EDDB net nice
3484endif
3485##} RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval
3486
3487##{ RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval
3488
3489ifplugin Mail::SpamAssassin::Plugin::DNSEval
3490header RCVD_IN_IADB_EPIA eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.2')
3491describe RCVD_IN_IADB_EPIA IADB: Member of Email Processing Industry Alliance
3492tflags RCVD_IN_IADB_EPIA net nice
3493endif
3494##} RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval
3495
3496##{ RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3497
3498ifplugin Mail::SpamAssassin::Plugin::DNSEval
3499header RCVD_IN_IADB_GOODMAIL eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.103')
3500describe RCVD_IN_IADB_GOODMAIL IADB: Sender has been certified by GoodMail
3501tflags RCVD_IN_IADB_GOODMAIL net nice
3502endif
3503##} RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3504
3505##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
3506
3507ifplugin Mail::SpamAssassin::Plugin::DNSEval
3508header RCVD_IN_IADB_LISTED eval:check_rbl_sub('iadb-firsttrusted', '^127\.0\.0\.[12]$')
3509describe RCVD_IN_IADB_LISTED Participates in the IADB system
3510tflags RCVD_IN_IADB_LISTED net nice
3511endif
3512##} RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
3513
3514##{ RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval
3515
3516ifplugin Mail::SpamAssassin::Plugin::DNSEval
3517header RCVD_IN_IADB_LOOSE eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.4')
3518describe RCVD_IN_IADB_LOOSE IADB: Adds relationship addrs w/out opt-in
3519tflags RCVD_IN_IADB_LOOSE net nice
3520endif
3521##} RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval
3522
3523##{ RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3524
3525ifplugin Mail::SpamAssassin::Plugin::DNSEval
3526header RCVD_IN_IADB_MI_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.1.10')
3527describe RCVD_IN_IADB_MI_CPEAR IADB: Complies with Michigan's CPEAR law
3528tflags RCVD_IN_IADB_MI_CPEAR net nice
3529endif
3530##} RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3531
3532##{ RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3533
3534ifplugin Mail::SpamAssassin::Plugin::DNSEval
3535header RCVD_IN_IADB_MI_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.101.10')
3536describe RCVD_IN_IADB_MI_CPR_30 IADB: Checked lists against Michigan's CPR within 30 days
3537tflags RCVD_IN_IADB_MI_CPR_30 net nice
3538endif
3539##} RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3540
3541##{ RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3542
3543ifplugin Mail::SpamAssassin::Plugin::DNSEval
3544header RCVD_IN_IADB_MI_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.201.10')
3545describe RCVD_IN_IADB_MI_CPR_MAT IADB: Sends no material under Michigan's CPR
3546tflags RCVD_IN_IADB_MI_CPR_MAT net nice
3547endif
3548##} RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3549
3550##{ RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3551
3552ifplugin Mail::SpamAssassin::Plugin::DNSEval
3553header RCVD_IN_IADB_ML_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.100')
3554describe RCVD_IN_IADB_ML_DOPTIN IADB: Mailing list email only, confirmed opt-in
3555tflags RCVD_IN_IADB_ML_DOPTIN net nice
3556endif
3557##} RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3558
3559##{ RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3560
3561ifplugin Mail::SpamAssassin::Plugin::DNSEval
3562header RCVD_IN_IADB_NOCONTROL eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.0')
3563describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing controls in place
3564tflags RCVD_IN_IADB_NOCONTROL net nice
3565endif
3566##} RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3567
3568##{ RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval
3569
3570ifplugin Mail::SpamAssassin::Plugin::DNSEval
3571header RCVD_IN_IADB_OOO eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.200')
3572describe RCVD_IN_IADB_OOO IADB: One-to-one/transactional email only
3573tflags RCVD_IN_IADB_OOO net nice
3574endif
3575##} RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval
3576
3577##{ RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3578
3579ifplugin Mail::SpamAssassin::Plugin::DNSEval
3580header RCVD_IN_IADB_OPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.7')
3581describe RCVD_IN_IADB_OPTIN IADB: All mailing list mail is opt-in
3582tflags RCVD_IN_IADB_OPTIN net nice
3583endif
3584##} RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3585
3586##{ RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3587
3588ifplugin Mail::SpamAssassin::Plugin::DNSEval
3589header RCVD_IN_IADB_OPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.6')
3590describe RCVD_IN_IADB_OPTIN_GT50 IADB: Opt-in used more than 50% of the time
3591tflags RCVD_IN_IADB_OPTIN_GT50 net nice
3592endif
3593##} RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3594
3595##{ RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3596
3597ifplugin Mail::SpamAssassin::Plugin::DNSEval
3598header RCVD_IN_IADB_OPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.5')
3599describe RCVD_IN_IADB_OPTIN_LT50 IADB: Opt-in used less than 50% of the time
3600tflags RCVD_IN_IADB_OPTIN_LT50 net nice
3601endif
3602##} RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3603
3604##{ RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval
3605
3606ifplugin Mail::SpamAssassin::Plugin::DNSEval
3607header RCVD_IN_IADB_OPTOUTONLY eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.1')
3608describe RCVD_IN_IADB_OPTOUTONLY IADB: Scrapes addresses, pure opt-out only
3609tflags RCVD_IN_IADB_OPTOUTONLY net nice
3610endif
3611##} RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval
3612
3613##{ RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval
3614
3615ifplugin Mail::SpamAssassin::Plugin::DNSEval
3616header RCVD_IN_IADB_RDNS eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.4')
3617describe RCVD_IN_IADB_RDNS IADB: Sender has reverse DNS record
3618tflags RCVD_IN_IADB_RDNS net nice
3619endif
3620##} RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval
3621
3622##{ RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval
3623
3624ifplugin Mail::SpamAssassin::Plugin::DNSEval
3625header RCVD_IN_IADB_SENDERID eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.2')
3626describe RCVD_IN_IADB_SENDERID IADB: Sender publishes Sender ID record
3627tflags RCVD_IN_IADB_SENDERID net nice
3628endif
3629##} RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval
3630
3631##{ RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval
3632
3633ifplugin Mail::SpamAssassin::Plugin::DNSEval
3634header RCVD_IN_IADB_SPF eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.1')
3635describe RCVD_IN_IADB_SPF IADB: Sender publishes SPF record
3636tflags RCVD_IN_IADB_SPF net nice
3637endif
3638##} RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval
3639
3640##{ RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3641
3642ifplugin Mail::SpamAssassin::Plugin::DNSEval
3643header RCVD_IN_IADB_UNVERIFIED_1 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.2')
3644describe RCVD_IN_IADB_UNVERIFIED_1 IADB: Accepts unverified sign-ups
3645tflags RCVD_IN_IADB_UNVERIFIED_1 net nice
3646endif
3647##} RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3648
3649##{ RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3650
3651ifplugin Mail::SpamAssassin::Plugin::DNSEval
3652header RCVD_IN_IADB_UNVERIFIED_2 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.3')
3653describe RCVD_IN_IADB_UNVERIFIED_2 IADB: Accepts unverified sign-ups, gives chance to opt out
3654tflags RCVD_IN_IADB_UNVERIFIED_2 net nice
3655endif
3656##} RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3657
3658##{ RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3659
3660ifplugin Mail::SpamAssassin::Plugin::DNSEval
3661header RCVD_IN_IADB_UT_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.2.10')
3662describe RCVD_IN_IADB_UT_CPEAR IADB: Complies with Utah's CPEAR law
3663tflags RCVD_IN_IADB_UT_CPEAR net nice
3664endif
3665##} RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3666
3667##{ RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3668
3669ifplugin Mail::SpamAssassin::Plugin::DNSEval
3670header RCVD_IN_IADB_UT_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.102.10')
3671describe RCVD_IN_IADB_UT_CPR_30 IADB: Checked lists against Utah's CPR within 30 days
3672tflags RCVD_IN_IADB_UT_CPR_30 net nice
3673endif
3674##} RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3675
3676##{ RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3677
3678ifplugin Mail::SpamAssassin::Plugin::DNSEval
3679header RCVD_IN_IADB_UT_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.202.10')
3680describe RCVD_IN_IADB_UT_CPR_MAT IADB: Sends no material under Utah's CPR
3681tflags RCVD_IN_IADB_UT_CPR_MAT net nice
3682endif
3683##} RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3684
3685##{ RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
3686
# DNSBL lookup against the zone psbl.surriel.com. under the set name
# 'psbl-lastexternal'. The '-lastexternal' suffix limits the query to the
# last external relay, so the result is only as good as the trusted/internal
# network configuration that decides which relay that is.
# 'tflags net': skipped when network tests are disabled. Unlike the IADB
# rules in this file, this one is not flagged 'nice'.
3687ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
3688header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.')
3689describe RCVD_IN_PSBL Received via a relay in PSBL
3690tflags RCVD_IN_PSBL net
3691endif
3692##} RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
3693
3694##{ RCVD_MAIL_COM
3695
# Matches "post.com" or "mail.com" in a Received header only when it stands
# alone: the character before must be whitespace, '(' or '[', and the one
# after whitespace, ')' or ']'. A longer host name such as "x.mail.com" is
# therefore not matched. Case-insensitive.
3696header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is
3697describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com)
3698##} RCVD_MAIL_COM
3699
3700##{ RDNS_LOCALHOST
3701
# Tests the X-Spam-Relays-External pseudo-header. The '^' anchor ties the
# match to the first relay entry: its ip must be a dotted quad that does not
# begin with "127", and its rdns must be "localhost" or
# "localhost.localdomain".
# Only the IPv4 form is matched; an IPv6 relay address never hits this rule.
3702header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
3703describe RDNS_LOCALHOST Sender's public rDNS is "localhost"
3704##} RDNS_LOCALHOST
3705
3706##{ RDNS_NUM_TLD_ATCHNX
3707
# Both RDNS_NUM_TLD rules build on __RDNS_NUMERIC_TLD (defined outside this
# excerpt) and add a second signal. Here the second signal is
# __ATTACH_NAME_NO_EXT.
3708meta RDNS_NUM_TLD_ATCHNX __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT
3709describe RDNS_NUM_TLD_ATCHNX Relay rDNS has numeric TLD + suspicious attachment
3710#score RDNS_NUM_TLD_ATCHNX 3.000 # limit
3711tflags RDNS_NUM_TLD_ATCHNX publish
3712##} RDNS_NUM_TLD_ATCHNX
3713
3714##{ RDNS_NUM_TLD_XM
3715
# Second signal: any one of four __HAS_XM_* header sub-rules. The two rules
# are not exclusive, so one message can hit both.
3716meta RDNS_NUM_TLD_XM __RDNS_NUMERIC_TLD && (__HAS_XM_SID || __HAS_XM_LID || __HAS_XM_RECPTID || __HAS_XM_SENTBY)
3717describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious headers
3718#score RDNS_NUM_TLD_XM 3.000 # limit
3719tflags RDNS_NUM_TLD_XM publish
3720##} RDNS_NUM_TLD_XM
3721
3722##{ READY_TO_SHIP
3723
46cfc9e2 3724body READY_TO_SHIP /(?:(?:in our (?:stock|warehouse|store)(?: today| now| right away)?[.,:]\s|our (?:\w+,? ){2,8}(?:is |now )+)Ready (?:to (?:be )?|for )+(?:ship|send|deliver)|ready (?:for shipping|to (?:ship|send)) (?:(?:in|from|by) our (?:warehouse|stock)|(?:to|for)(?: global(?:ly)?| worldwide| customers){2})|(?:(?:our|this|a|great|fine|wonderful|cool|popular) new product|we have(?: \w+){1,6} available|ready) in (?:our )?(?:warehouse|stock|store)|just arrived in our warehouse|we will (?:contact the (?:warehouse|logistics) to )?arrange (?:the )?(?:shipment|delivery)|a new (?:\w+ ){1,3}in our warehouse)/i
cabe596e 3725#score READY_TO_SHIP 1.250 # limit
3726##} READY_TO_SHIP
3727
3728##{ REPLYTO_EMPTY
3729
# Matches the literal two characters "<>" anywhere in the Reply-To header
# (the pattern is unanchored), i.e. an empty angle-bracket address.
# No score or tflags line appears in this block.
3730header REPLYTO_EMPTY Reply-To =~ /<>/
3731describe REPLYTO_EMPTY Reply-To undeliverable
3732##} REPLYTO_EMPTY
3733
3734##{ REPLYTO_WITHOUT_TO_CC
3735
# Hits when __HAS_REPLY_TO hits and __TOCC_EXISTS does not (both defined
# outside this excerpt); by the names, a Reply-To header with no To/Cc.
# The block has no describe, score or tflags line.
3736meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS)
3737##} REPLYTO_WITHOUT_TO_CC
3738
3739##{ REPTO_419_FRAUD
3740
46cfc9e2 3741header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:speakers)\@012\.net\.il|(?:mail)\@101private\.com|(?:(?:alfredcheuk002|fbi_1234|longchii|mavis_wanczyk|qfdonation))\@126\.com|(?:(?:a(?:aronmichaels005|lfredcheuk_yuchow)|ehagler|google_promoaward0?|istarsolar|joeblp|microsoft(?:_office16|award01)|panyawein|wong(?:_shiu(?:09|2016)|shiu_ki)))\@163\.com|(?:(?:navas1|ray\-thomas7h))\@1email\.eu|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:(?:mr\.tonyelumelu|r(?:emittancedept001|ussia2018worldcuplotto5)))\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:info)\@aidakj\.com|(?:(?:a\.aktr|c(?:arlos\.adan|entralbank_malaysia2)|infovsa|maria\.louge|sarahjiwooali|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:adainis|jessikasingh|travisalex))\@aliyun\.com|(?:(?:director|info))\@anletco-jp\.com|(?:(?:deanie_ron|m(?:softgbcmanager|undo\.europe)|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:institutionaldepartment)\@aol\.nl|(?:deajohn)\@arubacloub\.com|(?:djohns)\@arubacloud\.com|(?:jeromecgb12)\@asia\.com|(?:bllphillips)\@att\.net|(?:garry\.quinlan)\@australiamail\.com|(?:(?:traoreahmed|zetiaziz))\@barid\.com|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:noreply\.fujvfes)\@bibliothequegaillard\.com|(?:costruire)\@bigmat\.it|(?:alerts\-noreply)\@bis\.org|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:executivedirector)\@box\.az|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:drbenardsani\.nnpc)\@bsgcpk\.com|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:rim43505)\@cantv\.net|(?:duncanttodd)\@centrum\.cz|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|fbipayment(?:50|600)|harunajim667|ralphwjohnson))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|
(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:dmalpasswb|re(?:covered\-tax|em(?:2018|alhashimi|hashimi2020))))\@daum\.net|(?:rex)\@departmentofsecretary\.com|(?:blythemasters)\@digitalassetholding\.org|(?:(?:diplomaticagent11|jentwistle90))\@diplomats\.com|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:(?:herrick01|rogersteare02))\@e1\.ru|(?:olga\.ingrif)\@ecb-securities\.com|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:no\-reply)\@economizar-na-web\.com\.br|(?:(?:denbrink|kathy_gerald1965|megaclaimcenter))\@email\.com|(?:johnkadiri)\@englandmail\.com|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|claimdpts|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:(?:jeferrey|yakuyaya77))\@financier\.com|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:notice)\@fnb\.co\.za|(?:info)\@fnconsultant\.biz|(?:(?:atmofficeauthoriza|captain\.lucasadam|e(?:golan2|u_payment)|gella1|k(?:aith\-angel|ossihpilip202)|pchwinningoffice1953|qatardonations16|smadartsadik|tepnherve00|worldauthorization))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:o(?:ctaviancm|rlando\.bloom))\@gmx\.co\.uk|(?:(?:a(?:hmet\.broker|lliance\.consultant)|f(?:aridaomar|er3nrod1512)|johnson\.douglas|kevin\-office|p\.hamedmoff|rosicboteruff|walter_anderson))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:joxford)\@gmx\.us|(?:ben\.malbon)\@googlefps\.co\.uk|(?:m\.johnson10012)\@googlemail\.com|(?:larrypage)\@gpa-team\.com|(?:ceo)\@gpromo-team\.com|(?:sundarpichai)\@gpromoteam\.com|(?:sundarpic
hai)\@gpromoteamuk\.com|(?:garreth\.webb)\@grossfitconsultancy\.biz|(?:irenegeorgiadou)\@hellenicbankcy\.com|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:williamsdavid_3r)\@hotmail\.co\.uk|(?:christgoldwilliams)\@hotmail\.fr|(?:douglasflint)\@hsbcbank\.group|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:victorwang67)\@imail\.com|(?:01)\@imf-org\.org|(?:chrisdodgshun)\@inbound\.plus|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:janetyellenoffice|off(?:er2021|iceme)))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:sgt\.dave)\@inmano\.com|(?:baankston)\@instruction\.com|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:wbuk0[13])\@katamail\.com|(?:(?:ditmereduart|europsenderscouriers|lewiscarl))\@keemail\.me|(?:mikiwilliams)\@knol-power\.nl|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:philiphampton)\@lec20\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:deqishanmedical1)\@localnet\.com|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:fanliangjen)\@mail\.china\.com|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|eddy_haryono|ghazal\-a|info\.federalreserve\.org|kateclough1|mriamchombo1968|nancyvee80|ren\.deqi212))\@mail\.com|(?:williamsdawson)\@mail\.com\.tr|(?:(?:ayishagddafio|david\.onyeoma\.74|hmtreasyru\.ng|sambo_dasuki))\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:brantwbishop)\@mailbox\.org|(?:epowerball)\@mailbox\.sk|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanche
z\.com|(?:rbi\-e)\@mit\.tc|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:paul\.chang)\@msn\.com|(?:enquiry)\@multiplysearch\.com|(?:cadpayout01)\@my\.com|(?:(?:contactmee|ministersoffinance))\@mynet\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:zenith)\@nmk\.ugu\.pl|(?:maxedwards)\@octopusinvestment\.co\.uk|(?:lindsaytrembley)\@oimail\.com|(?:googleclaims111)\@one\.lt|(?:accountingdrg)\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:(?:castorock|infobiz2|jarramos|mrsalice09))\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:servicio\.correo)\@orange\.fr|(?:turkish\-air)\@outlook\.com\.tr|(?:(?:ahmed3khan|dpt_transferunionwestern|mr\.onyeadams|rohitjain0))\@outlook\.fr|(?:m\.khan1)\@outlook\.sa|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:info)\@phillipsmorgan\.co\.za|(?:wood)\@poczta\.onet\.eu|(?:m(?:aryjosen|boyaeth))\@post\.com|(?:united\.globeawardoffice)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:jamesmr\.monday)\@rocketmail\.com|(?:(?:g(?:loriacmackenzie001|mackenzie001)|monicatorres001|wanczykmavis101))\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:info)\@roycockrum\.org|(?:mrs\.rachel2013)\@safe-mail\.net|(?:vera)\@safrica\.com|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:peterddeng)\@secsuremailer\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:swat)\@sltdchambers\.com|(?:(?:dycheseaan|sean(?:dyyches|sdychh)))\@sol\
.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:contact\.hmrc\.gov\.uk)\@sudhisalooja\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:xiankailu)\@taiyaubank-hk\.com|(?:mhua)\@tbochk\.com|(?:veronicabright)\@terra\.com\.pe|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:zimcargoservicehelpdesks)\@tlen\.pl|(?:drew)\@ton\.net\.ru|(?:itpark01)\@tpg\.com\.au|(?:bobby\.william)\@tradent\.net|(?:info)\@treasury-departmentdc\.twomini\.com|(?:info)\@treasury-usa\.3eeweb\.com|(?:info)\@un-grant\.info|(?:(?:b(?:lueskyanimatedfilm|rown\.monica_l)|info\.(?:clev\.frb|imfamerica)|policyaddmin\.file))\@usa\.com|(?:bmuczdh)\@virgilio\.it|(?:itgiix)\@visa\.com|(?:vankoning)\@volny\.cz|(?:holt1231)\@w\.cn|(?:infos)\@walmart\.com|(?:daydreamin)\@wanadoo\.fr|(?:(?:foreignoperationmanager|mr\.(?:ikokuoya|olicadams)))\@web\.cg|(?:weboffice05)\@web\.de|(?:b(?:\-calebfirm2007|oriscaleb121))\@webmail\.co\.za|(?:(?:frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:grahamjoneschambers)\@wildblue\.net|(?:e\.shaw)\@wilmagroup\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:stephaniehans\.euromillionlottery)\@yahoo\.be|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|bobwatson92|fundyawa2014|j(?:effwilliam207|oe_modisen)|lloydsbanksb|owengreen70|rebeccajoe98|samue95))\@yahoo\.co\.uk|(?:(?:changgordon(?:61|946)|lordsmartin|revlarrutycoker2015|thomaspeter227|zhu\.shumin))\@yahoo\.com\.hk|(?:imf_office_agent)\@yahoo\.com\.my|(?:(?:dr\.pauljames110|jessicp1))\@yahoo\.com\.sg|(?:boa2cb)\@yahoo\.com\.vn|(?:(?:contactus88\-00|jflangvm5nshyazyo7si6jfuqah6jsldw2kw6c2t|lmj82717|m(?:r\.angelabenjamin|srangelabne32)))\@yahoo
\.es|(?:(?:charlinebebe22|fortinsandrine|rita_will001))\@yahoo\.fr|(?:maktoum\.shasher)\@yahoo\.pt|(?:ukdebtmanagement5)\@yahool\.com|(?:dr\.amelia\.george1)\@yandex\.ru|(?:jayanderson)\@yccaifuu\.com|(?:(?:alfred_cheuk_chow|friedrich_mayrh1|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|feliciamagi|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:(?:asiafoundationorg\.hr|jefflindsay))\@zoho\.com|(?:laprimitivaes)\@zohomail\.eu)$/i
3742describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox
3743#score REPTO_419_FRAUD 3.000
3744tflags REPTO_419_FRAUD publish
3745##} REPTO_419_FRAUD
3746
3747##{ REPTO_419_FRAUD_AOL
3748
46cfc9e2 3749header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:\.dordevicii|aromartins|f\.2[06]|ljaber111|meliageorge|n(?:d(?:_bley|rew_hans)|ttilimarim)|rthur\.alan)|b(?:aanidleewy|claimdept|rownchurchill2)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|ristinabruno38|ustom_service58)|d(?:avid(?:\.kms|opatry)|hodgkins001|ianwaynie|onald_anderson44)|e(?:ng(?:joej|r\.abdulla)|ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|i(?:sarobinson5\.0|zcarroll101)|orrainewirangee)|m(?:_l\.wanczyk62|aviswanczyk[do]|rs(?:isabelladzsesszika|safiagaddafi))|no(?:rmapatto|tification\.notification)|p(?:a(?:tricia(?:\.hans|hans)|ulpollard2)|eterwong345|otfolio\.management)|r(?:achel_wat2|oyalpalace2018)|s(?:afiiagadafi|gt\.gillianj200|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|w(?:attson\.renwick|ebank244|issam\.haddad|u\.xiabk)|yurdaaytarkan5|zeti\.aziz))\@aol\.com$/i
3750describe REPTO_419_FRAUD_AOL Reply-To is known advance fee fraud collector mailbox
3751#score REPTO_419_FRAUD_AOL 3.000
3752tflags REPTO_419_FRAUD_AOL publish
3753##} REPTO_419_FRAUD_AOL
3754
3755##{ REPTO_419_FRAUD_AOL_LOOSE
3756
# Fires when sub-rule __REPTO_419_FRAUD_AOL_LOOSE matched and the exact-list
# rule REPTO_419_FRAUD_AOL did not, so one Reply-To address is never counted
# by both rules.
# NOTE(review): the sub-rule is defined outside this section. Going by the
# description it is a fuzzier match (address ending in digits) than the exact
# list, so it deserves a closer false-positive check - confirm against the
# sub-rule definition.
3757meta REPTO_419_FRAUD_AOL_LOOSE __REPTO_419_FRAUD_AOL_LOOSE && !REPTO_419_FRAUD_AOL
3758describe REPTO_419_FRAUD_AOL_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
# The score line below is commented out, so this section assigns no score.
3759#score REPTO_419_FRAUD_AOL_LOOSE 1.000
3760tflags REPTO_419_FRAUD_AOL_LOOSE publish
3761##} REPTO_419_FRAUD_AOL_LOOSE
3762
3763##{ REPTO_419_FRAUD_CNS
3764
cabe596e 3765header REPTO_419_FRAUD_CNS Reply-To:addr =~ /^(?=[^\s<>@]+\@consultant\.com)(?:(?:anthonyalvarad|davidhenri|legacylawfirmdakar|m(?:iguel\-pinto|orrisherb)|owenschamber|santiagosegur|t(?:eo\.westin|he\.trustees1?|rustees202000)|westernunion1659))\@consultant\.com$/i
3766describe REPTO_419_FRAUD_CNS Reply-To is known advance fee fraud collector mailbox
3767#score REPTO_419_FRAUD_CNS 3.000
3768tflags REPTO_419_FRAUD_CNS publish
3769##} REPTO_419_FRAUD_CNS
3770
3771##{ REPTO_419_FRAUD_GM
3772
46cfc9e2 3773header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|41speedlinkdelivery|7912richardtony|a(?:b(?:d97412345|u(?:lkareem461|shadi0004))|c(?:aalzz11|count\.optionsmr\.jonasarmstrong|e(?:alss11|cere001))|d(?:esilgon77|iallo\.boa)|erofilxeport|gent\.laryedwad|isha(?:1976algaddafi|gaddafiaam)|jaminamo|l(?:\.jo60691737|a(?:n\.austin(?:041|223)|scramac)|ber\.yang222|ex(?:ander(?:daisy911|peterson4499)|hoffman3319|smithznn)|ghafrij13|hajarb|lenholden121|nizmaria|ure\.wawrenka1472)|m(?:b\.w\.stuart\.symington|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|tasomda))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|itaminarnguessan|n(?:a(?:choihkkic|llee091|sigurlaug458)|jenijohnsonn)|t(?:honyalvaradollc|o(?:meuenio|niopaco20consultant)))|r(?:adka01|chibaldhamble|thur11alan)|s(?:h(?:0611jnag|westwood7)|ianbae1010|sistance7agent)|t(?:m(?:mastercard41|office929)|tohlawoffice\.tg)|w1614860|yevayawovi190|zi(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50)))|b(?:a(?:lla250abc|nk(?:centralasiahalobca34|ingcentralng)|ochang7a|r(?:bersmadar75|r(?:\.(?:charles(?:1954|office)|martinrichard)|ister(?:\.fidelisokafor|lordruben94)|ubenjames)|teld\.huisman01))|bongo593|c0996013|e(?:linekra1|n(?:ezero392|jaminsarah195))|i(?:anigercash|ll(?:\.lawrence0747|fhome))|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:a(?:ndy\.heavenscenttt|volpaul55)|endalaporte112|ianmoynih00)|uff(?:ettwarrene21|ookj))|c(?:a(?:ixaseguros9810001|mluba2017|r(?:eisu98|l(?:os\.s\.helux|thomos)|twrighttownhomesllc))|bnatm847|claimsa|e(?:li(?:cerez|neroullier(?:200|nm))|ntraltrustlltd)|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:esluenga01|tonnewmanus1)))|e(?:mchung1011|nchung1011)|i(?:enk(?:raymond|wongp)|mwiakim))|iticonsultantjohncg0|kruger00017|l(?:a(?:im(?:adviser11|officeadm)|xtonpaul00)|s79408)|o(?:l(?:\.(?:ahmedmarani|fakhrialsalabi(?:01)?|hmedismari)|abdullahassi|edavid77032|husseinharmuchc(?:cj|j)|inch
risweir50|mohmanairf|o(?:mbasjuan53|nelsaad00))|mpensationcommitteboard|n(?:sult(?:ancy64|matthias|sto\.u)|tact(?:\.kolason|ad00[04]))|operation612)|pt\.eugenebarash|r(?:a(?:bbechambers|wfordgillies1)|ist(?:bru(?:05|n05)|i1537bru))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|iel(?:35508109|zulu11)|nydan24532)|v(?:i(?:d(?:\.loanfirm18|ibe718|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98)|ychan1970))|c(?:layconsult|ole77032)|e(?:btm123|n(?:iwalts|nis(?:clark659|quaid888))|partmentofstate(?:123|321)|tlefeckhardd)|hill27676|i(?:ane\.s\.wojcicki|gitalassetholding|p(?:francis1|lomat(?:\.john\.clerke|sshenry)))|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.(?:meirh|wilsonpaul02)|abodid|davidrhama221|j(?:amesdee|oesimon77)|kennedyuzo|meier\.heidi?|o(?:vieogor1|wenfrederick))|u(?:a1155a|nsilva58|stinmoskovitz\.2facebook)|v\.metus)|e(?:benezero392|christina937|d(?:runity|winfreeman22)|fcc\.financial\.dept|l(?:i(?:bethgomez(?:175|499)|sabethmaria600|zabethedw0)|otocashoffice1?)|m(?:2keld|ailpostlink09|efiele(?:328|g757)|ilyrichmond391)|r(?:enakgeorge123|ioncarter\.private)|ssexlss1|vgpatmow)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49(?:666|966)|k49666)|j569282|l(?:556249|aurentdz40|uhmann\.dn)|mb\.agent|o(?:ropunionbank|undations\.west)|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|isca(?:mendoza960|samendoza))|k(?:j(?:ane984|wangg)|laurarivera)))|bbankny\.gov|e(?:derick\.colemanesq|elottosweepstake51))|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|rielkalia1102)|r(?:ethbull112016|yakinson121))|bill4880|e(?:n(?:\.ahmedmsksi|eral(?:abdulrazak|williamstony990))|orgekwame481|r(?:aldjhjh11|tjanvlieghe787))|g780904|i(?:idp955|lbert12oook)|kwasiiwusu1\.persona|l(?:enmoore0011|oriachow5052)|o(?:glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219)|vgodwinemefiele111)|r(?:ace(?:jackmanwoods|obia001)|e(?:ant311|energeoffrey776))|
veraallen)|h(?:a(?:r(?:old\.dia1100|ryebert101|twellbdaniel)|s(?:h(?:imyreem78|mireem801)|sanalshujairy))|e(?:a(?:dofficecentre0210|therbrooeke101)|cto(?:alon|r(?:castillos653|scastillo6))|lpdesk47321)|gold8080|heba\.hhassan207|i(?:ldad837|toshurui)|klee\.mike|o(?:lsemeyerole6|nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|trryt34|uichmh)|i(?:1955smael|amannjejosonn|bed627|n(?:fo(?:\.(?:abogadosmfontana|g00gleclaim|questiondesk|ulmusau)|64240|98cbnoffice7|a(?:prl06|sminternationalpk)|dessk\.dfwairportonline|fdrserve)|gridrolle2|t(?:ernationallppp1|linvestorsfirm))|smailtarkan533|terryoffice)|j(?:35809121|a(?:6002932|888179|cobmaseon5995|m(?:alpriv8un|es(?:husmansdesk2240|okoh82))|nusensecureprivate|sonyeungchiwai|vierlesme001)|b5406424|c2222222rrr|e(?:ff(?:deandk2|erydean1960)|nniannjhsonn|ssikasingh4)|imyang977|k3311131|mpowellfr|o(?:e(?:dward023|kendal540|lmodisen)|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|tanko214|uba234|walterlove2010)|monkzza|n(?:esandassociates68|monkssa)|s(?:ephacevedo024|ianeangenor)|y(?:ce00011|mrskone5))|rawlings007|s4fernado|uliet\.le(?:222|e2222)|w6935997)|k(?:a(?:lstromjames3|malnizar000|rabo\.ramala39|t(?:ebaronbarr|hilittman7|jamess043|rinaziako56))|e(?:lsawamelia55|n(?:mck(?:ay1980|enziejr)|nedy\.sawadogo19))|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|rnkl1109|un(?:gwei7777|ioue28)|wasiowusug)|l(?:a(?:r(?:ateambo|rytoms200)|ursent892|wrencefoundation30)|blackshirepm|e(?:ndfair\.co\.uk1|rynne(?:0west99|west2289))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|li(?:ane\.bettencourt1945|ianchrstph)|n(?:elink008|glung104)|xiung(?:l48|9))|john6132|o(?:g(?:anntomas|eengen)|rrainewirengee|ttyoffice1|u(?:ghreymargaret67|isdreyfusmargarita5))|p319765|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ck(?:enzbezos|oliver324)|incare655|jor(?:dennishornb
eck53|townsend01)|k(?:altschmidt|toumsheikhhasher)|n(?:duesq58|fran630|uelfranco(?:727|foundation0))|r(?:cusdembialomr|i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|nacoleman84|opabl26)|k(?:roth456|uses200)|y(?:franson56|jify00aaz01))|s(?:onmanny05|pencer5151)|t(?:hewriaanza|twilly3)|u(?:noveutileina|rhinck11?)|viswanczyk(?:1(?:19|987)|4(?:89|5)|775|foundation45|k112|zz)|xaajn|ydetratt)|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|engeoffrey|l(?:lagolan|vidabullock5)|nnss01)|gfrederick80|husameddine|i(?:c(?:he(?:alwuu002|lintagro)|paulla|w954)|k(?:edawson1960s|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|nfin\.gv|ss(?:\.melisa\.mehmett|boteogottai|yaelronen))|jminabii|k(?:ent7117|untjoro52)|lbriggs08860|m(?:1086771|argaritalouisdreyfus)|nmalarge|o(?:ham(?:edabdul1717|madraqab00)|rienkal30)|r(?:\.(?:justinmaxwell09|lusee|wlsonkabore)|7672900|cjames001|d517341|ericfranck|fabianchukwu|hanimuhammad627|jamesmc6|martine80|paulfrank01|r(?:echardthomas|ichardanthony1)|s(?:\.(?:biyufungchi16|janetolsen?|olsenjanett|patarkatsishvili|susanread12)|a(?:ishaalqadafi1976|ngela454)|g(?:ezeria|racewoods70)|h(?:amima60|ristinemadeleine)|j(?:ackman123|lleach)|maureens847|nicolefr1marios|r(?:obinsanders185|uthsmith9900)|s(?:arahbenjamin103|ophiac)|veraaellen)|tomcrist\.ca)|s(?:agent02|golaan4|smadar44)|twvvv|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter(?:2017|968))|obuyuki\.hirano128|tawdglobal)|o(?:\.peace004|3344nb|ffice(?:\.012123|rricherd876|windowterms)|hallkenneth1|liviemorgan4|marinyandeng|nufoundationclaims|pcwkdw|swald\.l(?:\.lewis|ewwis)|vieogor1)|p(?:\.compton101|a(?:storfrancesco1|trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018)|ymentofficer14)|brookk0|e(?:130304|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|h(?:\.cbnl|illip\.richead218)|i(?:eterstevens511|lz37754)|o(?:lloke|wellmrwilliam)|r(?:esleybathini1|o(?:1nvstream|cessing2013general))|trsvermeulen|w17
8483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymond(?:aba200|damon15))|e(?:beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n2214)|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.(?:jamesabel1|mikedadax)|ernestcebi|frankjackson91))|i(?:ch(?:ard(?:lustig4u|w(?:ahl511|illis815))|lawandds)|tawilliams4141)|josh200000|o(?:berthanandez6655|naldmorris786|s(?:a\.gomes0044|e(?:kipkalya934|tam00)))|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ssiaworldcuppromo|thmporat1\"))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid7000)|nchoscozfifa|rfiafarfask7)|cottpeters7989|e(?:cretservicce[78]|rgeantrobertbrown1|ydouthiebaconsultant)|g\.offiice\.group|h(?:a(?:msiahmohamadyunusbnegara|nemissler2009)|e(?:ikhalmaktoum79|ry(?:\.gtl131|etr03))|inawatrathaksin93)|i(?:lverlakeconsultant|mlkheng5)|krause680|l5342743|o(?:fia\.adams201|u(?:rcingloggs|thwsltd))|peelman1972|rfredericodehernandez|sdt224|tephentam1(?:47|6)|u(?:iyang(?:\.boc|02)|leiman\.cbnn|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|w(?:eeneyjohnson384|islottnl))|t(?:a(?:mmy21gill|y(?:ebsouami0|lorcathy362))|davalvse|erryparkins11|h(?:ailandbankoffice01|e(?:ara\.choy2|bigbiglottowinning77|odorosloannis9|resawilliams7661?|smithfm124))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|c(?:hrist1995|rist(?:52|donation12|foundation99|world)))|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|ransfermoney21\.2|tkhan69s)|u(?:babankbjplc|dregwqr|kponguko|marukareem8|n(?:claimedfunds554|itednation(?:organization70|s(?:8182|councilrefunds)))|sdepartmentofjustice80)|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|d232633|i(?:elandherzog\.sw\.herad16|ge122|ll(?:clark2618|iamrobert3852|update123))
|kfinancialservice|orldbankregionalmanageroffice|u(?:\.office212|mt722)|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974)|z(?:enithbankplconline98|kiaslan1963|minhong65)))\@gmail\.com$/i
3774describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox
3775#score REPTO_419_FRAUD_GM 3.000
3776tflags REPTO_419_FRAUD_GM publish
3777##} REPTO_419_FRAUD_GM
3778
3779##{ REPTO_419_FRAUD_GM_LOOSE
3780
# Fires when sub-rule __REPTO_419_FRAUD_GM_LOOSE matched and the exact-list
# rule REPTO_419_FRAUD_GM did not, so one Reply-To address is never counted
# by both rules.
# NOTE(review): the sub-rule is defined outside this section; the description
# suggests a fuzzier, ends-in-digits match - confirm its false-positive
# behaviour against the sub-rule definition.
3781meta REPTO_419_FRAUD_GM_LOOSE __REPTO_419_FRAUD_GM_LOOSE && !REPTO_419_FRAUD_GM
3782describe REPTO_419_FRAUD_GM_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
# The score line below is commented out, so this section assigns no score.
3783#score REPTO_419_FRAUD_GM_LOOSE 1.000
3784tflags REPTO_419_FRAUD_GM_LOOSE publish
3785##} REPTO_419_FRAUD_GM_LOOSE
3786
3787##{ REPTO_419_FRAUD_HM
3788
46cfc9e2 3789header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|nikal01|zezul\.idrisazezulidris)|benarnault0|c(?:ecilekaramoko123|hoi21)|d(?:l13139|r\.dukanalycoulibaly)|egorbunova22|fanliangjen2|gen\.dmathokdiigwol|infos(?:43|8)|katabettencourt2018|l(?:\.b120k|e(?:a_edem|wisarm44)|imfu201677|ulihongm)|m(?:cliffmomah998|r(?:abrahambeniamfc|pedrohilldonations|s(?:\.roselinejac|elizabetmk|helenbgeorge|micheleallison2003)))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|p(?:atrickmullinfinaceservs|owen10001)|s(?:ajda\.andleeb|gthansencs|tephenbettinger|ulaimaninfante)|t(?:ashacap|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i
3790describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox
3791#score REPTO_419_FRAUD_HM 3.000
3792tflags REPTO_419_FRAUD_HM publish
3793##} REPTO_419_FRAUD_HM
3794
3795##{ REPTO_419_FRAUD_OL
3796
3797header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:a(?:23423|lexandermason)|brahamwilliamsonrpsltduk|l(?:bertchebe|exw113)|ndrew(?:_hai|gamble7)|utoresponds)|b(?:a(?:r(?:bayo_jacobs|claysplc2016)|sidris)|etty\.c_investment|illgfile203|riam8molefe)|c(?:bforeignremitdept|harlie\.j\.goodmand|o(?:l\.(?:airforce\.saadwarfali|warfalisaadairforce)|mpensationfunding))|d(?:eborahleeconsult|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020)|g(?:20compessdesk|eoffreynicolas\.esq|ilbertowosukk)|huyennvoha|j(?:ackson4steve|e(?:anedo1?|ssicameir30))|k(?:aujong|kkunited1)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|gbplc3|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|bryandavisuk44|jonah\.ot|mduku|s(?:\.coraluttah|_elizabeth20|michelleallison|roseallen)|vitaloadams)|spvt2020)|p(?:aul(?:\.walter120|blakey05)|hilcohen0012)|qanejmhffgg|r(?:c19691|ichardwahlfreegrant)|s(?:aaman10|gi2019|ilverlakeconsultantllc|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019|reff11)|unvanzyl_mrs|winuklotocash2018))\@outlook\.com$/i
3798describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox
3799#score REPTO_419_FRAUD_OL 3.000
3800tflags REPTO_419_FRAUD_OL publish
3801##} REPTO_419_FRAUD_OL
3802
3803##{ REPTO_419_FRAUD_PM
3804
# Exact-match list: the address extracted from Reply-To (":addr") must be one
# of the listed local parts at protonmail.com.
# - The pattern is anchored at both ends (^ ... $) and case-insensitive (/i),
#   so a mailbox that differs by even one character, or sits at another
#   domain, does not hit this rule.
# - The leading lookahead (?=[^\s<>@]+\@protonmail\.com) only confirms the
#   domain before the alternation of local parts is tried.
# - The list is static: an address that is not listed here is not matched.
3805header REPTO_419_FRAUD_PM Reply-To:addr =~ /^(?=[^\s<>@]+\@protonmail\.com)(?:(?:armstrong0244|berndkoch|davidmetus|euclaim|p(?:a(?:melagriffi|t\.nwankwo)|rotonydonation)|scottpeter012|v\.brianpierre|wraggsmk|yihsbltan|ziraatbankasi))\@protonmail\.com$/i
3806describe REPTO_419_FRAUD_PM Reply-To is known advance fee fraud collector mailbox
# The score line below is commented out, so this section assigns no score.
3807#score REPTO_419_FRAUD_PM 3.000
3808tflags REPTO_419_FRAUD_PM publish
3809##} REPTO_419_FRAUD_PM
3810
3811##{ REPTO_419_FRAUD_QQ
3812
# Exact-match list of Reply-To addresses at qq.com. The address extracted by
# ":addr" must equal one of the listed local parts followed by @qq.com; the
# pattern is anchored (^ ... $) and case-insensitive (/i), and the leading
# lookahead only confirms the domain first.
# Several entries are purely numeric local parts; they are matched as literal
# strings like every other entry, not as a numeric pattern.
3813header REPTO_419_FRAUD_QQ Reply-To:addr =~ /^(?=[^\s<>@]+\@qq\.com)(?:(?:1(?:731419584|821317384)|2(?:0(?:32508290|90641921)|3(?:72948239|89029403|97857528)|751232036)|3(?:323469072|523284224)|a(?:gent(?:markruben_fbi|promofficer)|kia\.j55)|claimoffice1|dennisonctrenton|l\.valiant|peterwong20177|s(?:abrinacrawford000|hu60w)|treasury_deptment0|wang_cjianlin))\@qq\.com$/i
3814describe REPTO_419_FRAUD_QQ Reply-To is known advance fee fraud collector mailbox
# The score line below is commented out, so this section assigns no score.
3815#score REPTO_419_FRAUD_QQ 3.000
3816tflags REPTO_419_FRAUD_QQ publish
3817##} REPTO_419_FRAUD_QQ
3818
3819##{ REPTO_419_FRAUD_YH
3820
46cfc9e2 3821header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|gaaintl\-4g5ee\.w3|l(?:berts\.odia|esiakalina2006)|mbassador\.l|nn(?:awax48|hester\.usa4))|b(?:a(?:che\.delfine|nk\.phbng14|rr(?:\.thomasclark|ister\.(?:dennis11|marcus)|lawrencefubara39|william_davies))|en(?:jaminb34|nicholas22)|illlawrenceee|riceangela45)|c(?:\.(?:aroline90|coulibaly2)|a(?:binet_maitre_emmanuel_patris|mpbellwilliamms)|h(?:arlesscharf112|hoy\.t|im\.w|jackson65)|juan852|o(?:llins(?:mattew32|wayne84)|mpliment\.sseason|ntelamine)|ythiamiller\.un10)|d(?:hamilton9099|i(?:aanesoto190|plomaticagent180)|r(?:\.aminramli|_raymondfung|victorobaji))|e(?:dwarddawson|ricalbert24)|f(?:aizaadama2016|bicompensation_funds|ederal\.r73|id00180)|g(?:ov\.ukmessageboard|raham\.eddie2016|uesfilet1336523)|harry1vans|i(?:\.project33411|befranfgnfmf|nfo(?:111mail|bank1|money)|project32411)|j(?:\.edwards228|a(?:ckson\.davis915|ne(?:_ooparah|temoon150))|essica\.p_family|inping\.tw|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:elvinmark629|im(?:\.leang2018?|leang(?:575|90))|yle_grubbe)|l(?:e(?:a_edem13|ge331|hman(?:909|bila))|i(?:m_kaan|sarobinson_555|uhngbin)|y_cheapiseth(?:11|2019))|m(?:arie_avis12|d(?:\.ps|zsesszika672)|elissalewis(?:10001|4004)|iss\.zarryb|o(?:hammedaahil46|keye79)|r(?:kellyayi62|s(?:\.esthernicolas|isabella\.dzesszikan|themo))|s\.gracie_olakun|unny(?:\.sopheap207|_sopheap30))|n(?:adhowc|estordaniel2|orahuz1960)|o(?:fficial_franksylvester88|legkozyrev1|mranshaalan52)|p(?:a(?:ckerkelvin|yus123x)|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|i(?:chard\.w94|taadamsw10)|o(?:b(?:ertbailey2004|orts20)|se(?:mary\.3as|richard655)))|s(?:amthong4040|igurlauganna34|leo25|mith(?:\.dr|colin767)|opheap\.munny|pwalker101|sgt\.bethany|tevecox\.98)|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|u(?:butu16|kdebtmanagement5)|vanserge2001|will(?:clark0010|iamsimon(?:22|521))|xianglongdai60|zhaodonghk))\@yahoo\.com$/i
3822describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox
3823#score REPTO_419_FRAUD_YH 3.000
3824tflags REPTO_419_FRAUD_YH publish
3825##} REPTO_419_FRAUD_YH
3826
3827##{ REPTO_419_FRAUD_YH_LOOSE
3828
# Fires when sub-rule __REPTO_419_FRAUD_YH_LOOSE matched and the exact-list
# rule REPTO_419_FRAUD_YH did not, so one Reply-To address is never counted
# by both rules.
# NOTE(review): the sub-rule is defined outside this section; the description
# suggests a fuzzier, ends-in-digits match - confirm its false-positive
# behaviour against the sub-rule definition.
3829meta REPTO_419_FRAUD_YH_LOOSE __REPTO_419_FRAUD_YH_LOOSE && !REPTO_419_FRAUD_YH
3830describe REPTO_419_FRAUD_YH_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
# The score line below is commented out, so this section assigns no score.
3831#score REPTO_419_FRAUD_YH_LOOSE 1.000
3832tflags REPTO_419_FRAUD_YH_LOOSE publish
3833##} REPTO_419_FRAUD_YH_LOOSE
3834
3835##{ REPTO_419_FRAUD_YJ
3836
3837header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73|n(?:gelinarichardson01|ita(?:kirkweeks45|usarpac)))|b(?:a(?:lmaa1115|rrevansthomas213)|ealife4god|gsblcagent|nchmclaw)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc|ssicajlavoie|velynjoshua56)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|ktbradley|oneygram100|rs_chen_00001)|nikbnson1|o(?:fficialinfoemail|livia_mabor)|pamgells|r(?:acheljude000|eplykasikorn|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i
3838describe REPTO_419_FRAUD_YJ Reply-To is known advance fee fraud collector mailbox
3839#score REPTO_419_FRAUD_YJ 3.000
3840tflags REPTO_419_FRAUD_YJ publish
3841##} REPTO_419_FRAUD_YJ
3842
3843##{ REPTO_419_FRAUD_YN
3844
46cfc9e2 3845header REPTO_419_FRAUD_YN Reply-To:addr =~ /^(?=[^\s<>@]+\@yandex\.com)(?:(?:a(?:lsharibi|m(?:andarandle|g3333txx101)|na\.mariposa|wesome\.mariacarmen)|b(?:ayemahama|igghandgrant|radely\.j)|clemlau|diezanimadueke|f(?:3dex\.courier|ed\.r3v|reedommarketinvestments|uzhongjun\.director)|g(?:\.anniversary(?:101)?|add4fi\.aisha)|hhalesbbanddd?|irenaa\.georgiadou|j(?:efrey(?:\-dean|\.dean11)|o(?:hnnicholsonjr|seph\-scott2k5)|uliet\.lee2222)|kenhamberlet|l(?:es20sc|otointernational\.elgordo)|m(?:a(?:hama\.baye|rcarmenguty)|fdpm|ohamed\.bennani|r(?:\-(?:jos\.martins|robert\-patrick\.patrick)|\.kongkea|akram\.elkerrami|spercy))|nokiahouse1[03]|olivia\.mabor|p(?:aragonloansinc|hilipfen778|ri(?:ncedarren0244|vatemail24)|ullmanrb)|rich(?:ard\.wahl|lawands)|skyeloanand\.financelimited|t(?:\.baloyi|an\.sung|omss\.smith|resor\.mambo)|w(?:b\.foundation|ill(?:1amsmarg1|iamsimon1960))|za\.dc2016))\@yandex\.com$/i
3846describe REPTO_419_FRAUD_YN Reply-To is known advance fee fraud collector mailbox
3847#score REPTO_419_FRAUD_YN 3.000
3848tflags REPTO_419_FRAUD_YN publish
3849##} REPTO_419_FRAUD_YN
3850
3851##{ RISK_FREE
3852
# Fires on sub-rule __FRAUD_IOV unless any one of the seven negated sub-rules
# also matched. Each exclusion alone suppresses the hit.
# NOTE(review): all sub-rules are defined outside this section; by name the
# exclusions look like markers of list/bulk mail, replies and consistent
# From addresses - confirm before relying on that reading.
3853meta RISK_FREE __FRAUD_IOV && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__SUBSCRIPTION_INFO && !__HS_SUBJ_RE_FW && !__LCL__ENV_AND_HDR_FROM_MATCH
3854describe RISK_FREE No risk!
3855##} RISK_FREE
3856
3857##{ SB_GIF_AND_NO_URIS
3858
# Fires when __GIF_ATTACH matched and neither __HAS_ANY_URI nor
# __HAS_ANY_EMAIL did. By name: a GIF attachment in a message that carries no
# URI and no e-mail address (sub-rules are defined outside this section).
# This section has no describe, score or tflags line.
3859meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL)
3860##} SB_GIF_AND_NO_URIS
3861
3862##{ SCC_NEWBIE_HASBEENS
3863
# Header rule on X-Beenthere: hits when the value contains ".today",
# ".online" or ".monster".
# NOTE(review): the pattern has no boundary or end anchor after the TLD and
# no /i flag. It therefore also hits longer labels that merely begin that way
# (constructed examples: ".todaysnews.example", ".online-shop.example") and
# misses upper-case values. If only the final label is meant, a trailing
# boundary is needed - confirm intent before changing.
# The parentheses form a capturing group; nothing in this section uses the
# capture.
3864describe SCC_NEWBIE_HASBEENS Abused gTLDs seen in spam from Google Apps.
3865header SCC_NEWBIE_HASBEENS X-Beenthere =~ /\.(today|online|monster)/
3866##} SCC_NEWBIE_HASBEENS
3867
3868##{ SCRIPT_GIBBERISH
3869
# Fires when __SCRIPT_GIBBERISH matched, and either __BODY_XHTML matched or
# __SCRIPT_TAG_IN_BODY did not, and __TAG_EXISTS_META did not match.
# NOTE(review): sub-rules are defined outside this section; what counts as
# "nonsense" is decided entirely by __SCRIPT_GIBBERISH.
3870meta SCRIPT_GIBBERISH __SCRIPT_GIBBERISH && (__BODY_XHTML || !__SCRIPT_TAG_IN_BODY) && !__TAG_EXISTS_META
3871describe SCRIPT_GIBBERISH Nonsense in HTML <SCRIPT> tag
3872##} SCRIPT_GIBBERISH
3873
3874##{ SENDGRID_REDIR
3875
# Fires on sub-rule __SENDGRID_REDIR_NOPHISH unless the message passed only
# through trusted relays (ALL_TRUSTED) or any of the other negated sub-rules
# matched. Each exclusion alone suppresses the hit.
# NOTE(review): by name the remaining exclusions look like mailing-list
# headers and HTML-layout/bounce markers; their definitions are outside this
# section - confirm before tuning.
3876meta SENDGRID_REDIR __SENDGRID_REDIR_NOPHISH && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION && !__STY_INVIS_MANY && !__HTML_SINGLET_10 && !__HAVE_BOUNCE_RELAYS
3877describe SENDGRID_REDIR Redirect URI via Sendgrid
# The score line below is commented out, so this section assigns no score.
3878#score SENDGRID_REDIR 1.500 # limit
3879tflags SENDGRID_REDIR publish
3880##} SENDGRID_REDIR
3881
3882##{ SENDGRID_REDIR_PHISH
3883
# Exposes sub-rule __SENDGRID_REDIR_PHISH as a reportable rule with no
# further conditions.
# NOTE(review): unlike SENDGRID_REDIR, no exclusion (for example
# !ALL_TRUSTED) is applied at this level; whether the sub-rule already
# contains such exclusions cannot be seen from this section - confirm.
3884meta SENDGRID_REDIR_PHISH __SENDGRID_REDIR_PHISH
3885describe SENDGRID_REDIR_PHISH Redirect URI via Sendgrid + phishing signs
# The score line below is commented out, so this section assigns no score.
3886#score SENDGRID_REDIR_PHISH 3.500 # limit
3887tflags SENDGRID_REDIR_PHISH publish
3888##} SENDGRID_REDIR_PHISH
3889
3890##{ SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3891
# The rule is only defined when SpamAssassin is version 3.4.2 or later AND
# the WLBLEval plugin is loaded; otherwise everything between the guards is
# skipped and the rule does not exist.
3892if (version >= 3.004002)
3893ifplugin Mail::SpamAssassin::Plugin::WLBLEval
# Fires when __FROM_ADDRLIST_SUSPNTLD matched and at least one of __PDS_SEO1
# or __PDS_SEO2 matched (their results are added and compared with 1).
# Sub-rules are defined outside this section.
3894meta SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1)
3895tflags SEO_SUSP_NTLD publish
3896describe SEO_SUSP_NTLD SEO offer from suspicious TLD
# The score line below is commented out, so this section assigns no score.
3897#score SEO_SUSP_NTLD 1.2 # limit
3898endif
3899endif
3900##} SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3901
3902##{ SERGIO_SUBJECT_VIAGRA01
3903
# Subject rule for the word "viagra" with up to three non-alphanumeric
# characters allowed between consecutive letters, and "1" or "l" accepted in
# place of "i". Case-insensitive (/i).
# - Every gap is {0,3}, so the plain, ungarbled word matches as well.
# - The gap between "a" and "g" additionally excludes a space; the other gaps
#   allow one.
# - There are no anchors or word boundaries, so the sequence also matches
#   inside a longer string.
3904header SERGIO_SUBJECT_VIAGRA01 Subject =~ /v[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9 ]{0,3}g[^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}a/i
3905describe SERGIO_SUBJECT_VIAGRA01 Viagra garbled subject
3906##} SERGIO_SUBJECT_VIAGRA01
3907
3908##{ SHOPIFY_IMG_NOT_RCVD_SFY
3909
# Fires on sub-rule __SHOPIFY_IMG_NOT_RCVD_SFY unless MIME_QP_LONG_LINE or
# any of the negated sub-rules matched. Each exclusion alone suppresses the
# hit.
# NOTE(review): the "image hosted on Shopify, relay not Shopify" test itself
# lives in the sub-rule, defined outside this section. By name the exclusions
# look like markers of regular bulk senders (unsubscribe URI, campaign id,
# Sender/Organization headers, rDNS patterns) - confirm before tuning.
3910meta SHOPIFY_IMG_NOT_RCVD_SFY __SHOPIFY_IMG_NOT_RCVD_SFY && !MIME_QP_LONG_LINE && !__RCD_RDNS_MTA_MESSY && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_ORGANIZATION && !__RCD_RDNS_OB && !__DOS_LINK
# The score line below is commented out, so this section assigns no score.
3911#score SHOPIFY_IMG_NOT_RCVD_SFY 2.500 # limit
3912describe SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not from Shopify
3913tflags SHOPIFY_IMG_NOT_RCVD_SFY publish
3914##} SHOPIFY_IMG_NOT_RCVD_SFY
3915
3916##{ SHORTENED_URL_SRC
3917
# rawbody rule: hits on an HTML tag (at most 99 characters between "<" and
# the attribute) whose src= value starts with http:// or https://, followed
# directly by one of the listed hosts and a path whose first segment has at
# least three characters. "\W?" allows one optional quote before the URL.
# Limits worth knowing when relying on this rule:
# - No /i flag: "SRC=", "HTTP://" or an upper-case host name does not match.
# - The host must follow "//" immediately, so the same host behind a
#   "www." prefix or any other subdomain does not match.
# - The host list is static; a shortener that is not listed is not covered.
# - This section has no describe, score or tflags line.
3918rawbody SHORTENED_URL_SRC /<[^>]{1,99}\ssrc=\W?https?:\/\/(?:bit\.ly|bit\.do|buff\.ly|tinyurl\.com|ow\.ly|owl\.li|is\.gd|tumblr\.com|mysp\.ac|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|goo\.io|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|ecs\.page\.link|cc\.uz|smarturl\.it|s\.apache\.org)\/[^\/]{3}/
3919##} SHORTENED_URL_SRC
3920
3921##{ SHORTENER_SHORT_IMG
3922
# Fires when sub-rule __URL_SHORTENER and the rule HTML_SHORT_LINK_IMG_1 both
# matched. Note the second operand is a reportable rule, not a "__" sub-rule,
# so a message hitting this meta is also reported under
# HTML_SHORT_LINK_IMG_1. Both are defined outside this section.
3923meta SHORTENER_SHORT_IMG __URL_SHORTENER && HTML_SHORT_LINK_IMG_1
3924describe SHORTENER_SHORT_IMG Short HTML + image + URL shortener
# The score line below is commented out, so this section assigns no score.
3925#score SHORTENER_SHORT_IMG 2.500 # limit
3926tflags SHORTENER_SHORT_IMG publish
3927##} SHORTENER_SHORT_IMG
3928
3929##{ SHORTENER_SHORT_SUBJ
3930
# Fires on sub-rule __SHORTENER_SHORT_SUBJ unless one of the four negated
# sub-rules matched. Each exclusion alone suppresses the hit.
# NOTE(review): by name the exclusions are List-Unsubscribe / List-Id
# headers, a Google Received header and an X-Priority header; definitions are
# outside this section - confirm.
# Unlike most neighbouring sections this one has no tflags line.
3931meta SHORTENER_SHORT_SUBJ __SHORTENER_SHORT_SUBJ && !__DOS_HAS_LIST_UNSUB && !__HAS_LIST_ID && !__HDR_RCVD_GOOGLE && !__XPRIO
3932describe SHORTENER_SHORT_SUBJ URL shortener (avoiding URIBL?) + short subject
# The score line below is commented out, so this section assigns no score.
3933#score SHORTENER_SHORT_SUBJ 3.000 # limit
3934##} SHORTENER_SHORT_SUBJ
3935
3936##{ SHORT_BODY_G_DRIVE_DYN
3937
# Exposes sub-rule __SHORT_BODY_G_DRIVE_DYN as a reportable rule with no
# further conditions; all of the matching logic is in the sub-rule, which is
# defined outside this section.
3938meta SHORT_BODY_G_DRIVE_DYN __SHORT_BODY_G_DRIVE_DYN
3939describe SHORT_BODY_G_DRIVE_DYN Short body with Google Drive link and dynamic looking sender
# The score line below is commented out, so this section assigns no score.
3940#score SHORT_BODY_G_DRIVE_DYN 1.5 # limit
3941##} SHORT_BODY_G_DRIVE_DYN
3942
3943##{ SHORT_HELO_AND_INLINE_IMAGE
3944
# Fires when __HELO_NO_DOMAIN and __ANY_IMAGE_ATTACH both matched.
# NOTE(review): the description says "inline image", but the sub-rule name
# suggests any image attachment; the sub-rules are defined outside this
# section - confirm which is meant.
3945meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)
3946describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
3947##} SHORT_HELO_AND_INLINE_IMAGE
3948
3949##{ SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3950
# The rule is only defined when SpamAssassin is version 3.4.2 or later AND
# the WLBLEval plugin is loaded; otherwise everything between the guards is
# skipped and the rule does not exist.
3951if (version >= 3.004002)
3952ifplugin Mail::SpamAssassin::Plugin::WLBLEval
# Fires when all three sub-rules matched. By name: body shorter than 1024,
# HTML with a linked image, and a From address on a suspicious-TLD address
# list (sub-rules are defined outside this section).
3953meta SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD
3954tflags SHORT_IMG_SUSP_NTLD publish
3955describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD
# The score line below is commented out, so this section assigns no score.
3956#score SHORT_IMG_SUSP_NTLD 1.5 # limit
3957endif
3958endif
3959##} SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3960
3961##{ SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3962
# The rule is only defined when the WLBLEval plugin is loaded AND
# SpamAssassin is version 3.4.0 or later; otherwise it does not exist.
3963ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3964if (version >= 3.004000)
# Fires when __PDS_MSG_512 matched, at least one of the two shortener
# sub-rules (__PDS_URISHORTENER, __URL_SHORTENER) matched, and the rule
# DRUGS_ERECTILE did not match.
# NOTE(review): the reason for the DRUGS_ERECTILE exclusion is not stated
# here; presumably it avoids scoring the same message twice - confirm.
3965meta SHORT_SHORTNER __PDS_MSG_512 && (__PDS_URISHORTENER || __URL_SHORTENER) && !DRUGS_ERECTILE
3966describe SHORT_SHORTNER Short body with little more than a link to a shortener
# The score line below is commented out, so this section assigns no score.
3967#score SHORT_SHORTNER 2.0 # limit
3968endif
3969endif
3970##} SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3971
3972##{ SHORT_TERM_PRICE
3973
# body rule, case-insensitive: hits on "short", "term" and then "target" or
# "projected", each separated by one or more non-word characters.
# The trailing (\W+price)? group is optional, so it does not change whether
# the rule hits. Both groups are capturing; nothing in this section uses the
# captures.
# This section has no describe, score or tflags line.
3974body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i
3975##} SHORT_TERM_PRICE
3976
3977##{ SINGLETS_LOW_CONTRAST
3978
# Fires when __HTML_SINGLET_MANY and __HTML_FONT_LOW_CONTRAST_MINFP both
# matched. Per the description this targets HTML that formats text one letter
# at a time together with low-contrast (hidden) text; the sub-rules are
# defined outside this section.
3979meta SINGLETS_LOW_CONTRAST __HTML_SINGLET_MANY && __HTML_FONT_LOW_CONTRAST_MINFP
3980describe SINGLETS_LOW_CONTRAST Single-letter formatted HTML + hidden text
3981tflags SINGLETS_LOW_CONTRAST publish
3982##} SINGLETS_LOW_CONTRAST
3983
3984##{ SPAMMY_XMAILER
3985
# Fires when any one of the five __XM_OL_* sub-rules matched.
# NOTE(review): by name each sub-rule pins one specific X-Mailer version
# string; the definitions are outside this section. X-Mailer is a
# sender-supplied header, so treat a hit as a weak indicator - confirm
# against the sub-rules.
3986meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4)
3987describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham
3988##} SPAMMY_XMAILER
3989
3990##{ SPOOFED_FREEMAIL
3991
# Fires on sub-rule __SPOOFED_FREEMAIL unless any of the eight negated
# sub-rules matched. Each exclusion alone suppresses the hit.
# NOTE(review): by name the exclusions are reply/thread markers
# (In-Reply-To, "Re:" subject, threading), a GUID-style Message-ID, a
# freemail-safe marker, header-case and Received-header checks for specific
# providers; definitions are outside this section - confirm.
# This section has no describe line.
3992meta SPOOFED_FREEMAIL __SPOOFED_FREEMAIL && !__HAS_IN_REPLY_TO && !__FS_SUBJ_RE && !__MSGID_GUID && !__freemail_safe && !__THREADED && !__HDRS_LCASE_KNOWN && !__HDR_RCVD_GOOGLE && !__HDR_RCVD_TONLINEDE
# The score line below is commented out, so this section assigns no score.
3993#score SPOOFED_FREEMAIL 2.000 # limit
# "net" flags the rule as a network test.
3994tflags SPOOFED_FREEMAIL net
3995##} SPOOFED_FREEMAIL
3996
3997##{ SPOOFED_FREEMAIL_NO_RDNS
3998
3999meta SPOOFED_FREEMAIL_NO_RDNS __SPOOFED_FREEMAIL && __RDNS_NONE
4000describe SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
4001#score SPOOFED_FREEMAIL_NO_RDNS 1.5
4002##} SPOOFED_FREEMAIL_NO_RDNS
4003
4004##{ SPOOFED_FREEM_REPTO
4005
# Hits when __SPOOFED_FREEM_REPTO hits and none of __AC_TINY_FONT,
# __HAS_IN_REPLY_TO and __HAS_THREAD_INDEX do. The sub-rules are defined
# outside this section. The _CHN and _RUS variants that follow reuse
# __SPOOFED_FREEM_REPTO (or FORGED_YAHOO_RCVD) without these three exclusions.
4006meta SPOOFED_FREEM_REPTO __SPOOFED_FREEM_REPTO && !__AC_TINY_FONT && !__HAS_IN_REPLY_TO && !__HAS_THREAD_INDEX
4007describe SPOOFED_FREEM_REPTO Forged freemail sender with freemail reply-to
4008#score SPOOFED_FREEM_REPTO 2.500
# "net": network test, skipped when network checks are disabled.
4009tflags SPOOFED_FREEM_REPTO net publish
4010##} SPOOFED_FREEM_REPTO
4011
4012##{ SPOOFED_FREEM_REPTO_CHN
4013
4014meta SPOOFED_FREEM_REPTO_CHN (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM
4015describe SPOOFED_FREEM_REPTO_CHN Forged freemail sender with Chinese freemail reply-to
4016#score SPOOFED_FREEM_REPTO_CHN 3.500
4017tflags SPOOFED_FREEM_REPTO_CHN net publish
4018##} SPOOFED_FREEM_REPTO_CHN
4019
4020##{ SPOOFED_FREEM_REPTO_RUS
4021
4022meta SPOOFED_FREEM_REPTO_RUS (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_RUS_FREEM
4023describe SPOOFED_FREEM_REPTO_RUS Forged freemail sender with Russian freemail reply-to
4024#score SPOOFED_FREEM_REPTO_RUS 3.500
4025tflags SPOOFED_FREEM_REPTO_RUS net publish
4026##} SPOOFED_FREEM_REPTO_RUS
4027
4028##{ SPOOF_GMAIL_MID
4029
46cfc9e2 4030meta SPOOF_GMAIL_MID SPOOFED_FREEMAIL && __PDS_SPOOF_GMAIL_MID
4031#score SPOOF_GMAIL_MID 1.5
4032describe SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...
4033##} SPOOF_GMAIL_MID
4034
4035##{ STATIC_XPRIO_OLE
4036
4037meta STATIC_XPRIO_OLE __STATIC_XPRIO_OLE
4038describe STATIC_XPRIO_OLE Static RDNS + X-Priority + MIMEOLE
4039#score STATIC_XPRIO_OLE 2.000 # limit
4040tflags STATIC_XPRIO_OLE publish
4041##} STATIC_XPRIO_OLE
4042
4043##{ STOCK_IMG_CTYPE
4044
4045meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY)
4046describe STOCK_IMG_CTYPE Stock spam image part, with distinctive Content-Type header
4047##} STOCK_IMG_CTYPE
4048
4049##{ STOCK_IMG_HDR_FROM
4050
4051meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)
4052describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line
4053##} STOCK_IMG_HDR_FROM
4054
4055##{ STOCK_IMG_HTML
4056
4057meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY)
4058describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML
4059##} STOCK_IMG_HTML
4060
4061##{ STOCK_IMG_OUTLOOK
4062
4063meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048)
4064describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features
4065##} STOCK_IMG_OUTLOOK
4066
4067##{ STOCK_LOW_CONTRAST
4068
4069meta STOCK_LOW_CONTRAST (__HTML_FONT_LOW_CONTRAST_MINFP && __FB_S_STOCK) && !__BUGGED_IMG
4070describe STOCK_LOW_CONTRAST Stocks + hidden text
4071#score STOCK_LOW_CONTRAST 2.500 # limit
4072tflags STOCK_LOW_CONTRAST publish
4073##} STOCK_LOW_CONTRAST
4074
4075##{ STOCK_PRICES
4076
4077meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE)
4078##} STOCK_PRICES
4079
4080##{ STOCK_TIP
4081
4082meta STOCK_TIP __STOCK_TIP && !__DKIM_EXISTS
4083describe STOCK_TIP Stock tips
4084#score STOCK_TIP 3.000 # limit
4085tflags STOCK_TIP publish
4086##} STOCK_TIP
4087
4088##{ STOX_AND_PRICE
4089
4090meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE
4091##} STOX_AND_PRICE
4092
4093##{ STOX_REPLY_TYPE
4094
# Header rule on Content-Type: matches "text/plain; " followed anywhere later
# by " reply-type=original". The pattern has no /i flag, so it is
# case-sensitive, and it is not anchored.
# Used as an input by STOX_AND_PRICE and STOX_REPLY_TYPE_WITHOUT_QUOTES in
# this file. No describe line in this block.
4095header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/
4096##} STOX_REPLY_TYPE
4097
4098##{ STOX_REPLY_TYPE_WITHOUT_QUOTES
4099
4100meta STOX_REPLY_TYPE_WITHOUT_QUOTES (STOX_REPLY_TYPE && !(__HS_SUBJ_RE_FW || __HS_QUOTE))
4101##} STOX_REPLY_TYPE_WITHOUT_QUOTES
4102
4103##{ SUBJECT_NEEDS_ENCODING
4104
# Hits when __SUBJECT_NEEDS_MIME hits and neither __SUBJECT_ENCODED_B64 nor
# __SUBJECT_ENCODED_QP does.
# NOTE(review): by the sub-rule names this reads as "the Subject contains
# characters that need MIME encoding but is not B64/QP encoded", which is not
# quite what the describe text says - confirm against the sub-rule definitions.
4105meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME
4106describe SUBJECT_NEEDS_ENCODING Subject is encoded but does not specify the encoding
4107##} SUBJECT_NEEDS_ENCODING
4108
4109##{ SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM
4110
4111ifplugin Mail::SpamAssassin::Plugin::DKIM
4112 meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER
4113 describe SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers
4114endif
4115##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM
4116
4117##{ SUBJ_UNNEEDED_HTML
4118
4119meta SUBJ_UNNEEDED_HTML __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML
4120describe SUBJ_UNNEEDED_HTML Unneeded HTML formatting in Subject:
4121##} SUBJ_UNNEEDED_HTML
4122
4123##{ SYSADMIN
4124
# Phishing heuristic for mail that claims to come from the local IT
# department (per the describe text). Hits when __SYSADMIN hits and none of the
# five negated rules do.
# ALL_TRUSTED is one of the exclusions, so the result depends on
# trusted_networks/internal_networks being set correctly for the site: if
# external relays are wrongly treated as trusted, this rule is suppressed for
# exactly the mail it is meant to catch.
# The remaining exclusions are false-positive suppressors defined outside this
# section; they are not trust decisions.
4125meta SYSADMIN __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS
4126describe SYSADMIN Supposedly from your IT department
4127#score SYSADMIN 3.500 # limit
4128tflags SYSADMIN publish
4129##} SYSADMIN
4130
4131##{ TAGSTAT_IMG_NOT_RCVD_TGST
4132
4133meta TAGSTAT_IMG_NOT_RCVD_TGST __TAGSTAT_IMG_NOT_RCVD_TGST
4134#score TAGSTAT_IMG_NOT_RCVD_TGST 2.000 # limit
4135describe TAGSTAT_IMG_NOT_RCVD_TGST Tagstat hosted image but message not from Tagstat
4136tflags TAGSTAT_IMG_NOT_RCVD_TGST publish
4137##} TAGSTAT_IMG_NOT_RCVD_TGST
4138
4139##{ TBIRD_SUSP_MIME_BDRY
4140
4141meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
4142describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary
4143##} TBIRD_SUSP_MIME_BDRY
4144
4145##{ TEQF_USR_IMAGE
4146
4147meta TEQF_USR_IMAGE __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH
4148describe TEQF_USR_IMAGE To and from user nearly same + image
4149tflags TEQF_USR_IMAGE publish
4150##} TEQF_USR_IMAGE
4151
4152##{ TEQF_USR_MSGID_HEX
4153
4154meta TEQF_USR_MSGID_HEX __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2
4155describe TEQF_USR_MSGID_HEX To and from user nearly same + unusual message ID
4156tflags TEQF_USR_MSGID_HEX publish
4157##} TEQF_USR_MSGID_HEX
4158
4159##{ TEQF_USR_MSGID_MALF
4160
4161meta TEQF_USR_MSGID_MALF __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2
4162describe TEQF_USR_MSGID_MALF To and from user nearly same + malformed message ID
4163tflags TEQF_USR_MSGID_MALF publish
4164##} TEQF_USR_MSGID_MALF
4165
4166##{ THEBAT_UNREG
4167
# Header rule on X-Mailer, anchored at both ends and case-sensitive: the value
# must start with "The Bat! ", contain at most 20 further characters, and end
# with " UNREG". No describe line in this block.
4168header THEBAT_UNREG X-Mailer =~ /^The Bat! .{0,20} UNREG$/
4169##} THEBAT_UNREG
4170
4171##{ THIS_AD
4172
4173meta THIS_AD __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD
4174describe THIS_AD "This ad" and variants
4175tflags THIS_AD publish
4176##} THIS_AD
4177
4178##{ THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4179
4180if (version >= 3.004002)
4181ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4182meta THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __ADMITS_SPAM
4183tflags THIS_IS_ADV_SUSP_NTLD publish
4184describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD
4185#score THIS_IS_ADV_SUSP_NTLD 1.5 # limit
4186endif
4187endif
4188##} THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4189
4190##{ TONLINE_FAKE_DKIM
4191
# Hits when both __HDR_RCVD_TONLINEDE and __DKIM_EXISTS hit (both defined
# outside this section).
# NOTE(review): the rule rests on the assumption stated in the describe text,
# that t-online.de does not sign with DKIM. That is a statement about one
# provider's configuration at the time the rule was written; if the provider
# starts signing, every legitimate message from it would hit this rule.
# Re-check the assumption before relying on this rule.
4192meta TONLINE_FAKE_DKIM __HDR_RCVD_TONLINEDE && __DKIM_EXISTS
4193describe TONLINE_FAKE_DKIM t-online.de doesn't do DKIM
4194#score TONLINE_FAKE_DKIM 3.000 # limit
4195tflags TONLINE_FAKE_DKIM publish
4196##} TONLINE_FAKE_DKIM
4197
4198##{ TO_EQ_FM_DIRECT_MX
4199
4200meta TO_EQ_FM_DIRECT_MX __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED
4201describe TO_EQ_FM_DIRECT_MX To == From and direct-to-MX
4202#score TO_EQ_FM_DIRECT_MX 2.500 # limit
4203tflags TO_EQ_FM_DIRECT_MX publish
4204##} TO_EQ_FM_DIRECT_MX
4205
4206##{ TO_EQ_FM_DOM_HTML_IMG
4207
4208meta TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD
4209describe TO_EQ_FM_DOM_HTML_IMG To domain == From domain and HTML image link
4210##} TO_EQ_FM_DOM_HTML_IMG
4211
4212##{ TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4213
# Self-addressed-domain spoofing heuristic: hits when __TO_EQ_FM_DOM_SPF_FAIL
# hits and neither __THREADED nor ALL_TRUSTED does. Loaded only when the SPF
# plugin is enabled; without it the rule does not exist.
# ALL_TRUSTED suppresses the rule, so trusted_networks/internal_networks must
# describe the site's own relays accurately for this rule to be meaningful.
4214ifplugin Mail::SpamAssassin::Plugin::SPF
4215 meta TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
4216 describe TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed
# "net": network test, skipped when network checks are disabled.
4217 tflags TO_EQ_FM_DOM_SPF_FAIL net
4218endif
4219##} TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4220
4221##{ TO_EQ_FM_HTML_ONLY
4222
4223meta TO_EQ_FM_HTML_ONLY __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTER
4224describe TO_EQ_FM_HTML_ONLY To == From and HTML only
4225##} TO_EQ_FM_HTML_ONLY
4226
4227##{ TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4228
# Same shape as TO_EQ_FM_DOM_SPF_FAIL but keyed on __TO_EQ_FM_SPF_FAIL, which
# per the describe text compares the full To and From rather than only the
# domain (confirm in the sub-rule definition, outside this section).
# Requires the SPF plugin. Suppressed by __THREADED and by ALL_TRUSTED, so it
# depends on a correct trusted_networks/internal_networks configuration.
4229ifplugin Mail::SpamAssassin::Plugin::SPF
4230 meta TO_EQ_FM_SPF_FAIL __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
4231 describe TO_EQ_FM_SPF_FAIL To == From and external SPF failed
# "net": network test, skipped when network checks are disabled.
4232 tflags TO_EQ_FM_SPF_FAIL net
4233endif
4234##} TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4235
4236##{ TO_IN_SUBJ
4237
4238meta TO_IN_SUBJ __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW
4239describe TO_IN_SUBJ To address is in Subject
4240tflags TO_IN_SUBJ publish
4241#score TO_IN_SUBJ 0.1
4242##} TO_IN_SUBJ
4243
4244##{ TO_NAME_SUBJ_NO_RDNS
4245
4246meta TO_NAME_SUBJ_NO_RDNS LOCALPART_IN_SUBJECT && __RDNS_NONE
4247describe TO_NAME_SUBJ_NO_RDNS Recipient username in subject + no rDNS
4248#score TO_NAME_SUBJ_NO_RDNS 3.000 # limit
4249tflags TO_NAME_SUBJ_NO_RDNS publish
4250##} TO_NAME_SUBJ_NO_RDNS
4251
4252##{ TO_NO_BRKTS_FROM_MSSP
4253
4254meta TO_NO_BRKTS_FROM_MSSP __TO_NO_BRKTS_FROM_RUNON && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__TO___LOWER && !__BUGGED_IMG && !__SUBJECT_ENCODED_QP && !__VIA_ML && !__FR_SPACING_8 && !__TAG_EXISTS_CENTER && !__RCVD_ZIXMAIL && !__RP_MATCHES_RCVD && !__HAS_SENDER
4255#score TO_NO_BRKTS_FROM_MSSP 2.50 # max
4256describe TO_NO_BRKTS_FROM_MSSP Multiple header formatting problems
4257##} TO_NO_BRKTS_FROM_MSSP
4258
4259##{ TO_NO_BRKTS_HTML_IMG
4260
4261meta TO_NO_BRKTS_HTML_IMG __TO_NO_BRKTS_HTML_IMG && !__FM_TO_ALL_NUMS && !__FROM_FULL_NAME && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__HAS_SENDER && !__THREADED && !__LONGLINE
4262describe TO_NO_BRKTS_HTML_IMG To: lacks brackets and HTML and one image
4263#score TO_NO_BRKTS_HTML_IMG 2.000 # limit
4264tflags TO_NO_BRKTS_HTML_IMG publish
4265##} TO_NO_BRKTS_HTML_IMG
4266
4267##{ TO_NO_BRKTS_HTML_ONLY
4268
4269meta TO_NO_BRKTS_HTML_ONLY __TO_NO_BRKTS_HTML_ONLY && !RDNS_NONE && !__MIME_QP && !__MSGID_JAVAMAIL && !__CTYPE_CHARSET_QUOTED && !__SUBJECT_ENCODED_B64 && !__VIA_ML && !__MSGID_BEFORE_RECEIVED && !__MIME_BASE64 && !__RCD_RDNS_MAIL_MESSY && !__COMMENT_EXISTS && !LOTS_OF_MONEY && !__TAG_EXISTS_CENTER && !__UPPERCASE_URI && !__UNSUB_LINK && !__RCD_RDNS_MX_MESSY && !__DKIM_EXISTS && !__BUGGED_IMG && !__FM_TO_ALL_NUMS && !__URI_12LTRDOM && !__RDNS_NO_SUBDOM && !__HDRS_LCASE && !__LCL__ENV_AND_HDR_FROM_MATCH
4270#score TO_NO_BRKTS_HTML_ONLY 2.00 # limit
4271describe TO_NO_BRKTS_HTML_ONLY To: lacks brackets and HTML only
4272tflags TO_NO_BRKTS_HTML_ONLY publish
4273##} TO_NO_BRKTS_HTML_ONLY
4274
4275##{ TO_NO_BRKTS_MSFT
4276
4277meta TO_NO_BRKTS_MSFT __TO_NO_BRKTS_MSFT && !__VIA_ML && !__LYRIS_EZLM_REMAILER && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__UNSUB_LINK && !__NOT_SPOOFED && !__DOS_HAS_LIST_UNSUB && !__NAME_EQ_EMAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__HAS_THREAD_INDEX && !__HAS_X_REF && !__HAS_IN_REPLY_TO && !__FROM_ENCODED_QP && !__RP_MATCHES_RCVD
4278describe TO_NO_BRKTS_MSFT To: lacks brackets and supposed Microsoft tool
4279#score TO_NO_BRKTS_MSFT 2.50 # limit
4280##} TO_NO_BRKTS_MSFT
4281
4282##{ TO_NO_BRKTS_NORDNS_HTML
4283
4284meta TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_NORDNS_HTML && !ALL_TRUSTED && !__MSGID_JAVAMAIL && !__MSGID_BEFORE_RECEIVED && !__VIA_ML && !__UA_MUTT && !__COMMENT_EXISTS && !__HTML_LENGTH_384 && !__MIME_BASE64 && !__UPPERCASE_URI && !__TO___LOWER && !__TAG_EXISTS_CENTER && !__LONGLINE && !__DKIM_EXISTS
4285#score TO_NO_BRKTS_NORDNS_HTML 2.00 # limit
4286describe TO_NO_BRKTS_NORDNS_HTML To: lacks brackets and no rDNS and HTML only
4287tflags TO_NO_BRKTS_NORDNS_HTML publish
4288##} TO_NO_BRKTS_NORDNS_HTML
4289
4290##{ TO_NO_BRKTS_PCNT
4291
4292meta TO_NO_BRKTS_PCNT __TO_NO_BRKTS_PCNT && !__SUBJECT_ENCODED_B64 && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__ISO_2022_JP_DELIM && !__IMS_MSGID && !__THREAD_INDEX_GOOD && !__RCD_RDNS_MX_MESSY && !__UNSUB_LINK && !__LONGLINE && !URI_HEX && !__RP_MATCHES_RCVD && !__MAIL_LINK && !__BUGGED_IMG && !__MIME_QP && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_X_MAILER && !__HTML_LINK_IMAGE && !__SENDER_BOT && !__DKIM_EXISTS && !__KHOP_NO_FULL_NAME && !__THREADED
4293describe TO_NO_BRKTS_PCNT To: lacks brackets + percentage
4294#score TO_NO_BRKTS_PCNT 2.50 # limit
4295tflags TO_NO_BRKTS_PCNT publish
4296##} TO_NO_BRKTS_PCNT
4297
4298##{ TO_TOO_MANY_WFH_01
4299
4300meta TO_TOO_MANY_WFH_01 __TO_TOO_MANY_WFH_01
4301describe TO_TOO_MANY_WFH_01 Work-from-Home + many recipients
4302tflags TO_TOO_MANY_WFH_01 publish
4303##} TO_TOO_MANY_WFH_01
4304
4305##{ TRANSFORM_LIFE
4306
4307meta TRANSFORM_LIFE __TRANSFORM_LIFE && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_X_MAILER && !__VIA_ML
4308describe TRANSFORM_LIFE Transform your life!
4309#score TRANSFORM_LIFE 2.500 # limit
4310##} TRANSFORM_LIFE
4311
4312##{ TT_MSGID_TRUNC
4313
# Header rule on Message-Id, anchored at both ends: optional leading
# whitespace, an optional "<", a run of characters that are not "<", ">" or
# whitespace, then a literal "[" and digits up to the end of the value.
# In other words the value stops after "[digits", with no closing "]" or ">".
4314header TT_MSGID_TRUNC Message-Id =~ /^\s*<?[^<>\s]+\[\d+$/
4315describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits
4316##} TT_MSGID_TRUNC
4317
4318##{ TT_OBSCURED_VALIUM
4319
4320meta TT_OBSCURED_VALIUM ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM
4321describe TT_OBSCURED_VALIUM Scora: obscured "VALIUM" in subject
4322##} TT_OBSCURED_VALIUM
4323
4324##{ TT_OBSCURED_VIAGRA
4325
4326meta TT_OBSCURED_VIAGRA ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA
4327describe TT_OBSCURED_VIAGRA Scora: obscured "VIAGRA" in subject
4328##} TT_OBSCURED_VIAGRA
4329
4330##{ TVD_ACT_193
4331
4332body TVD_ACT_193 /\bact of (?:193|nineteen thirty)/i
4333describe TVD_ACT_193 Message refers to an act passed in the 1930s
4334##} TVD_ACT_193
4335
4336##{ TVD_APPROVED
4337
4338body TVD_APPROVED /you.{1,2}re .{0,20}approved/i
4339describe TVD_APPROVED Body states that the recipient has been approved
4340##} TVD_APPROVED
4341
4342##{ TVD_DEAR_HOMEOWNER
4343
4344body TVD_DEAR_HOMEOWNER /^dear homeowner/i
4345describe TVD_DEAR_HOMEOWNER Spam with generic salutation of "dear homeowner"
4346##} TVD_DEAR_HOMEOWNER
4347
4348##{ TVD_EB_PHISH
4349
# Phishing meta rule: hits when both __FROM_EBAY and NORMAL_HTTP_TO_IP hit.
# By the names, that is a message presenting itself as from eBay that also
# links to a URL whose host is a bare IP address (confirm in the definitions,
# which are outside this section). TVD_PP_PHISH later in this file is the
# PayPal counterpart.
# The block has no describe, tflags or score line.
4350meta TVD_EB_PHISH __FROM_EBAY && NORMAL_HTTP_TO_IP
4351##} TVD_EB_PHISH
4352
4353##{ TVD_ENVFROM_APOST
4354
# Header rule on the EnvelopeFrom pseudo-header: hits when the envelope sender
# contains a single-quote character anywhere.
# NOTE(review): an apostrophe is a legal character in an address local part
# (for example names like O'Brien), so this can hit legitimate senders; treat
# it as a weak signal.
4355header TVD_ENVFROM_APOST EnvelopeFrom =~ /\'/
4356describe TVD_ENVFROM_APOST Envelope From contains single-quote
4357##} TVD_ENVFROM_APOST
4358
4359##{ TVD_FINGER_02
4360
# Header fingerprint on Content-Type, case-insensitive and anchored at the
# start: "text/plain" followed by exactly three "; <param>" items, each being
# one of format=flowed, charset="Windows-1252" or reply-type=original.
# The pattern does not require the three items to be different or in a
# particular order. No describe line in this block.
4361header TVD_FINGER_02 Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i
4362##} TVD_FINGER_02
4363
4364##{ TVD_FLOAT_GENERAL
4365
4366rawbody TVD_FLOAT_GENERAL /\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i
4367describe TVD_FLOAT_GENERAL Message uses CSS float style
4368##} TVD_FLOAT_GENERAL
4369
4370##{ TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4371
4372ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4373body TVD_FUZZY_DEGREE /<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i
4374describe TVD_FUZZY_DEGREE Obfuscation of the word "degree"
4375endif
4376##} TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4377
4378##{ TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4379
# Obfuscation detector built on the ReplaceTags plugin. The <F>, <I>, ... items
# are not literal text: ReplaceTags substitutes each tag with a pattern for
# that letter and its look-alikes. The tag definitions and the replace_rules
# entry that enables substitution for this rule are outside this section
# (confirm they exist; without them the pattern would look for the literal
# text "<F><I>...").
# The negative lookahead (?!finance) rejects the plain spelling, so only
# altered spellings hit.
# Unlike the sibling TVD_FUZZY_* rules in this file, this pattern has no
# <inter>/<post> tags and no word-boundary anchors.
4380ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4381body TVD_FUZZY_FINANCE /(?!finance)<F><I><N><A><N><C><E>/i
4382describe TVD_FUZZY_FINANCE Obfuscation of the word "finance"
4383endif
4384##} TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4385
4386##{ TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4387
4388ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4389body TVD_FUZZY_FIXED_RATE /<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i
4390describe TVD_FUZZY_FIXED_RATE Obfuscation of the phrase "fixed rate"
4391endif
4392##} TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4393
4394##{ TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4395
4396ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4397body TVD_FUZZY_MICROCAP /<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i
4398describe TVD_FUZZY_MICROCAP Obfuscation of the word "micro-cap"
4399endif
4400##} TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4401
4402##{ TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4403
4404ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4405body TVD_FUZZY_PHARMACEUTICAL /<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i
4406describe TVD_FUZZY_PHARMACEUTICAL Obfuscation of the word "pharmaceutical"
4407endif
4408##} TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4409
4410##{ TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4411
4412ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4413body TVD_FUZZY_SYMBOL /<inter W2><post P2>(?!symboo?l)<S><Y><M><B><O><L>/i
4414describe TVD_FUZZY_SYMBOL Obfuscation of the word "symbol"
4415endif
4416##} TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4417
4418##{ TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4419
# mimeheader rule (needs the MIMEHeader plugin): looks at the Content-Type
# header of MIME parts for name="<letters>.gif where <letters> is eight or
# more lowercase a-z characters. No /i flag, so uppercase letters or digits in
# the name do not match. TVD_FW_GRAPHIC_NAME_MID, next in this file, is the
# same pattern for names of six or seven letters.
4420ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4421mimeheader TVD_FW_GRAPHIC_NAME_LONG Content-Type =~ /\bname="[a-z]{8,}\.gif/
4422describe TVD_FW_GRAPHIC_NAME_LONG Long image attachment name
4423endif
4424##} TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4425
4426##{ TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4427
4428ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4429mimeheader TVD_FW_GRAPHIC_NAME_MID Content-Type =~ /\bname="[a-z]{6,7}\.gif/
4430describe TVD_FW_GRAPHIC_NAME_MID Medium sized image attachment name
4431endif
4432##} TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4433
4434##{ TVD_INCREASE_SIZE
4435
4436body TVD_INCREASE_SIZE /\bsize of .{1,20}(?:penis|dick|manhood)/i
4437describe TVD_INCREASE_SIZE Advertising for penis enlargement
4438##} TVD_INCREASE_SIZE
4439
4440##{ TVD_LINK_SAVE
4441
4442body TVD_LINK_SAVE /\blink to save\b/i
4443describe TVD_LINK_SAVE Spam with the text "link to save"
4444##} TVD_LINK_SAVE
4445
4446##{ TVD_PH_BODY_ACCOUNTS_PRE
4447
4448meta TVD_PH_BODY_ACCOUNTS_PRE __TVD_PH_BODY_ACCOUNTS_PRE
4449describe TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts suspended", "account credited", "account verification"
4450##} TVD_PH_BODY_ACCOUNTS_PRE
4451
4452##{ TVD_PH_BODY_META
4453
4454meta TVD_PH_BODY_META __TVD_PH_BODY_META
4455##} TVD_PH_BODY_META
4456
4457##{ TVD_PH_REC
4458
# Body rule, case-insensitive: "your ", up to 40 arbitrary characters,
# "account ", up to 40 arbitrary characters, then "record".
# The wording also occurs in ordinary account notices, so expect hits on
# legitimate mail; it is a phrase indicator, not proof of phishing.
# TVD_PH_SEC, next in this file, is the same pattern ending in "security".
4459body TVD_PH_REC /\byour .{0,40}account .{0,40}record/i
4460describe TVD_PH_REC Message includes a phrase commonly used in phishing mails
4461##} TVD_PH_REC
4462
4463##{ TVD_PH_SEC
4464
4465body TVD_PH_SEC /\byour .{0,40}account .{0,40}security/i
4466describe TVD_PH_SEC Message includes a phrase commonly used in phishing mails
4467##} TVD_PH_SEC
4468
4469##{ TVD_PP_PHISH
4470
# Phishing meta rule: hits when both __FROM_PAYPAL and NORMAL_HTTP_TO_IP hit.
# By the names, that is a message presenting itself as from PayPal that also
# links to a URL whose host is a bare IP address (confirm in the definitions,
# which are outside this section). Counterpart of TVD_EB_PHISH.
# The block has no describe, tflags or score line.
4471meta TVD_PP_PHISH __FROM_PAYPAL && NORMAL_HTTP_TO_IP
4472##} TVD_PP_PHISH
4473
4474##{ TVD_QUAL_MEDS
4475
4476body TVD_QUAL_MEDS /\bquality med(?:ication)?s\b/i
4477describe TVD_QUAL_MEDS The body matches phrases such as "quality meds" or "quality medication"
4478##} TVD_QUAL_MEDS
4479
4480##{ TVD_RATWARE_CB
4481
# Header rule on Content-Type, case-insensitive: the word "boundary", then 1
# to 40 arbitrary characters, then the token "qzsoft_directmail_seperator".
# The spelling "seperator" is part of the signature being matched - presumably
# it is what the bulk mailer emits - so it must not be "corrected".
4482header TVD_RATWARE_CB Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i
4483describe TVD_RATWARE_CB Content-Type header that is commonly indicative of ratware
4484##} TVD_RATWARE_CB
4485
4486##{ TVD_RATWARE_CB_2
4487
4488header TVD_RATWARE_CB_2 Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/
4489describe TVD_RATWARE_CB_2 Content-Type header that is commonly indicative of ratware
4490##} TVD_RATWARE_CB_2
4491
4492##{ TVD_RATWARE_MSGID_02
4493
# Header rule on Message-ID, case-sensitive: anything that is not "<", then
# "<", then one or more lowercase a-z letters, then "@".
# Only the part to the left of "@" is constrained (letters only, no digits,
# dots or uppercase); the part after "@" is not examined, so the describe
# text's "entirely lower-case" is broader than what the pattern checks.
4494header TVD_RATWARE_MSGID_02 Message-ID =~ /^[^<]*<[a-z]+\@/
4495describe TVD_RATWARE_MSGID_02 Ratware with a Message-ID header that is entirely lower-case
4496##} TVD_RATWARE_MSGID_02
4497
4498##{ TVD_RCVD_IP
4499
# Header rule on Received, anchored at the start of the value: "from",
# whitespace, then four digit groups where each of the first three is followed
# by one character that is neither alphanumeric nor whitespace, and the fourth
# is followed by "." or whitespace. The separators therefore need not be dots
# (dashes also match), and the digit groups are not range-checked.
# The intent, per the describe text, is a sending host that identifies itself
# with an IP-address-shaped name.
4500header TVD_RCVD_IP Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/
4501describe TVD_RCVD_IP Message was received from an IP address
4502##} TVD_RCVD_IP
4503
4504##{ TVD_RCVD_IP4
4505
# Stricter variant of TVD_RCVD_IP: the Received value must start with "from",
# whitespace, and a dotted quad (three "digits." groups plus a final digit
# group) followed by whitespace. Digit groups are not range-checked.
4506header TVD_RCVD_IP4 Received =~ /^from\s+(?:\d+\.){3}\d+\s/
4507describe TVD_RCVD_IP4 Message was received from an IPv4 address
4508##} TVD_RCVD_IP4
4509
4510##{ TVD_RCVD_SPACE_BRACKET
4511
4512header TVD_RCVD_SPACE_BRACKET Received =~ /\(\[(?!unix)[^\[\]]*\s/i
4513##} TVD_RCVD_SPACE_BRACKET
4514
4515##{ TVD_SECTION
4516
4517body TVD_SECTION /\bSection (?:27A|21B)/i
4518describe TVD_SECTION References to specific legal codes
4519##} TVD_SECTION
4520
4521##{ TVD_SILLY_URI_OBFU
4522
# Body rule (m!...! delimiters, case-insensitive) for URL text in which the
# host name is broken up by an unexpected character. Reading the pattern left
# to right:
#   http:// or https://
#   a host label, a dot, an optional second label and optional dot
#   one or more characters that are NOT a letter, digit, ".", ":", "/",
#     whitespace, quote, "@", "?", ")", ">" or "-"
#   more host characters, ending in three letters
#   then whitespace or end of text
# Such text may not be extracted as a normal URI, which is why the describe
# line says URI blocklists and uri rules can miss it; this rule looks at the
# body text instead.
4523body TVD_SILLY_URI_OBFU m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i
4524describe TVD_SILLY_URI_OBFU URI obfuscation that can fool a URIBL or a uri rule
4525##} TVD_SILLY_URI_OBFU
4526
4527##{ TVD_SPACED_SUBJECT_WORD3
4528
4529header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/
4530describe TVD_SPACED_SUBJECT_WORD3 Entire subject is "UPPERlowerUPPER" with no whitespace
4531##} TVD_SPACED_SUBJECT_WORD3
4532
4533##{ TVD_SPACE_ENCODED
4534
4535meta TVD_SPACE_ENCODED __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM
4536#score TVD_SPACE_ENCODED 2.500 # limit
4537describe TVD_SPACE_ENCODED Space ratio & encoded subject
4538##} TVD_SPACE_ENCODED
4539
4540##{ TVD_SPACE_RATIO_MINFP
4541
4542meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY && !__XM_APPLEMAIL
4543#score TVD_SPACE_RATIO_MINFP 2.500 # limit
4544describe TVD_SPACE_RATIO_MINFP Space ratio (vertical text obfuscation?)
4545##} TVD_SPACE_RATIO_MINFP
4546
4547##{ TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval
4548
4549ifplugin Mail::SpamAssassin::Plugin::BodyEval
4550body TVD_STOCK1 eval:check_stock_info('2')
4551describe TVD_STOCK1 Spam related to stock trading
4552endif
4553##} TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval
4554
4555##{ TVD_SUBJ_ACC_NUM
4556
4557header TVD_SUBJ_ACC_NUM Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/
4558describe TVD_SUBJ_ACC_NUM Subject has spammy looking monetary reference
4559##} TVD_SUBJ_ACC_NUM
4560
4561##{ TVD_SUBJ_FINGER_03
4562
4563header TVD_SUBJ_FINGER_03 Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/
4564describe TVD_SUBJ_FINGER_03 Entire subject is enclosed in asterisks "* like so *"
4565##} TVD_SUBJ_FINGER_03
4566
4567##{ TVD_SUBJ_NUM_OBFU_MINFP
4568
4569meta TVD_SUBJ_NUM_OBFU_MINFP __TVD_SUBJ_NUM_OBFU && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !__X_CRON_ENV && !__NOT_A_PERSON && !__HAS_THREAD_INDEX && !__THREADED && !__NUMBERS_IN_SUBJ && !__URI_MAILTO
4570##} TVD_SUBJ_NUM_OBFU_MINFP
4571
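4572##{ TVD_SUBJ_OWE
4573
# Header rule on Subject, case-insensitive and anchored at the start:
# one or more words, "you", optional further words, "owe" or "indebted",
# one or more words, then "another" (also written "an other").
# The describe text is shown in spam reports; its spelling of "recipient" is
# corrected here.
4574header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i
4575describe TVD_SUBJ_OWE Subject line states that the recipient is in debt
4576##} TVD_SUBJ_OWE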
4577
4578##{ TVD_SUBJ_WIPE_DEBT
4579
4580header TVD_SUBJ_WIPE_DEBT Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i
4581describe TVD_SUBJ_WIPE_DEBT Spam advertising a way to eliminate debt
4582##} TVD_SUBJ_WIPE_DEBT
4583
4584##{ TVD_VISIT_PHARMA
4585
4586body TVD_VISIT_PHARMA /Online Ph.rmacy/i
4587describe TVD_VISIT_PHARMA Body mentions online pharmacy
4588##} TVD_VISIT_PHARMA
4589
4590##{ TVD_VIS_HIDDEN
4591
# rawbody rule, so it runs against the undecoded-markup body with HTML tags
# intact. Case-insensitive. Matches a <TEXTAREA tag whose attributes include
# style="visibility: hidden (the declaration directly after the opening double
# quote, with optional whitespace after the colon).
# Hidden form fields of this kind are used to carry text the reader never sees.
4592rawbody TVD_VIS_HIDDEN /<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i
4593describe TVD_VIS_HIDDEN Invisible textarea HTML tags
4594##} TVD_VIS_HIDDEN
4595
4596##{ TW_GIBBERISH_MANY
4597
# Numeric meta rule: hits when the value of __TENWORD_GIBBERISH is greater
# than 20. For that comparison to be meaningful the sub-rule has to count
# hits rather than return 0/1 - presumably it is declared with
# "tflags multiple" where it is defined (outside this section; confirm).
4598meta TW_GIBBERISH_MANY __TENWORD_GIBBERISH > 20
4599describe TW_GIBBERISH_MANY Lots of gibberish text to spoof pattern matching filters
4600#score TW_GIBBERISH_MANY 2.000 # limit
4601tflags TW_GIBBERISH_MANY publish
4602##} TW_GIBBERISH_MANY
4603
4604##{ T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4605
4606ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4607 meta T_ACH_CANCELLED_EXE __ACH_CANCELLED_EXE
4608 describe T_ACH_CANCELLED_EXE "ACH cancelled" probable malware
4609endif
4610##} T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4611
4612##{ T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4613
4614if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4615 meta T_ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON
4616 describe T_ANY_PILL_PRICE Prices for pills
4617endif
4618##} T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4619
4620##{ T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4621
# mimeheader rule (needs the MIMEHeader plugin): hits when a single
# Content-Disposition header contains two "size=<digit>" parameters. A
# well-formed header carries the size parameter at most once, so a repeat is
# treated as a sign of a hand-built or malformed MIME part.
# The T_ prefix marks a rule still in testing upstream.
4622ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4623 mimeheader T_CDISP_SZ_MANY Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/
4624 describe T_CDISP_SZ_MANY Suspicious MIME header
4625# score T_CDISP_SZ_MANY 2.0 # limit
4626endif
4627##} T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4628
4629##{ T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4630
# Eval rule from the HeaderEval plugin comparing the Date: header with the
# Received: date. The two arguments are the lower and upper bound of the
# allowed shift; 'undef' leaves the upper bound open.
# Assuming the bounds are in hours (confirm in the plugin documentation),
# 2920 hours is about 121 days, which agrees with the "over 4 months" in the
# describe text.
4631ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4632header T_DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef')
4633describe T_DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date
4634endif
4635##} T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4636
4637##{ T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4638
4639ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4640 meta T_DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH_MT || __DOC_ATTACH_MT)
4641 describe T_DOC_ATTACH_NO_EXT Document attachment with suspicious name
4642endif
4643##} T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4644
4645##{ T_DOS_OUTLOOK_TO_MX_IMAGE
4646
4647meta T_DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
4648describe T_DOS_OUTLOOK_TO_MX_IMAGE Direct to MX with Outlook headers and an image
4649##} T_DOS_OUTLOOK_TO_MX_IMAGE
4650
4651##{ T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4652
# mimeheader rule (needs the MIMEHeader plugin) for one specific attachment:
# the part's Content-Type must be exactly
#   application/zip;<one whitespace character>name="hardcore.zip"
# The pattern is anchored at both ends and case-sensitive, so it is a
# signature for a single known malware mailing, not a general check for
# suspicious archives. Attachment scanning still has to be done by an
# anti-malware engine.
4653ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4654 mimeheader T_DOS_ZIP_HARDCORE Content-Type =~ /^application\/zip;\sname="hardcore\.zip"$/
4655 describe T_DOS_ZIP_HARDCORE hardcore.zip file attached; quite certainly a virus
4656# score T_DOS_ZIP_HARDCORE 2.5
4657endif
4658##} T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4659
4660##{ T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4661
4662ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4663if (version >= 3.004000)
4664meta T_DRUGS_ERECTILE_SHORT_SHORTNER __PDS_HTML_LENGTH_1024 && (__PDS_URISHORTENER || __URL_SHORTENER) && DRUGS_ERECTILE
4665describe T_DRUGS_ERECTILE_SHORT_SHORTNER Short erectile drugs advert with T_URL_SHORTENER
4666#score T_DRUGS_ERECTILE_SHORT_SHORTNER 1.5 # limit
4667endif
4668endif
4669##} T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4670
4671##{ T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4672
4673ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4674 meta T_FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__SPOOFED_URL && !__VIA_ML && !__HAS_IN_REPLY_TO && !__THREADED && !__HDR_RCVD_SHOPIFY && !__HAS_ERRORS_TO
4675 describe T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
4676endif
4677##} T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4678
4679##{ T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4680
4681ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4682 meta T_FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE
4683 describe T_FILL_THIS_FORM_LOAN Answer loan question(s)
4684# score T_FILL_THIS_FORM_LOAN 2.0
4685endif
4686##} T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4687
4688##{ T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4689
4690ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4691 meta T_FILL_THIS_FORM_SHORT __FILL_THIS_FORM_SHORT && !__VIA_ML && !__MSGID_JAVAMAIL
4692 describe T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
4693# score T_FILL_THIS_FORM_SHORT 1.00 # limit
4694endif
4695##} T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4696
4697##{ T_FORGED_RELAY_MUA_TO_MX
4698
# Header rule on the X-Spam-Relays-External pseudo-header, which lists the
# external relays as "[ ip=... helo=... ]" entries. Reading the pattern:
#   - the first entry has an ip that does not start with 127
#   - a second entry has the same ip as the first (back-reference \1)
#   - in that second entry the helo value either starts with "!" and is not
#     followed by a loopback, link-local or RFC 1918 private prefix, or the
#     helo value is empty
#   - no further "[" follows, so there are exactly two entries
# NOTE(review): "!" at the start of helo presumably stands for an
# address-literal HELO (brackets rewritten by the Received parser) - confirm
# against the relay metadata format.
# No describe line in this block; the T_ prefix marks a rule still in testing.
4699header T_FORGED_RELAY_MUA_TO_MX X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10|127|169\.254|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.)| )[^\[]+$/
4700##} T_FORGED_RELAY_MUA_TO_MX
4701
4702##{ T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo
4703
4704ifplugin Mail::SpamAssassin::Plugin::ImageInfo
4705 meta T_FORGED_TBIRD_IMG_SIZE __FORGED_TBIRD_IMG && __ONE_IMG && __IMG_LE_300K
4706 describe T_FORGED_TBIRD_IMG_SIZE Likely forged Thunderbird image spam
4707endif
4708##} T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo
4709
4710##{ T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail
4711
4712ifplugin Mail::SpamAssassin::Plugin::FreeMail
4713 meta T_FREEMAIL_DOC_PDF __FREEMAIL_DOC_PDF
4714 describe T_FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail
4715endif
4716##} T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail
4717
4718##{ T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail
4719
4720ifplugin Mail::SpamAssassin::Plugin::FreeMail
4721 meta T_FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED
4722 describe T_FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden
4723endif
4724##} T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail
4725
4726##{ T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail
4727
4728ifplugin Mail::SpamAssassin::Plugin::FreeMail
4729 meta T_FREEMAIL_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF
4730 describe T_FREEMAIL_RVW_ATTCH Please review attached document, from freemail
4731endif
4732##} T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail
4733
4734##{ T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4735
4736ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4737meta T_FROMNAME_EQUALS_TO __PLUGIN_FROMNAME_EQUALS_TO
4738describe T_FROMNAME_EQUALS_TO From:name matches To:
4739#score T_FROMNAME_EQUALS_TO 1.0
4740tflags T_FROMNAME_EQUALS_TO publish
4741endif
4742##} T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4743
4744##{ T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4745
# Loaded only when the FromNameSpoof plugin is available.
# Hits when __PLUGIN_FROMNAME_SPOOF fires and none of __VIA_ML,
# __VIA_RESIGNER or __RP_MATCHES_RCVD do; all four subrules are defined
# outside this block.
# NOTE(review): the three negated subrules look like false-positive exclusions
# for mailing-list / re-signed / return-path-consistent mail - confirm against
# their definitions.
# The score line below is commented out, so no score is set here.
4746ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4747meta T_FROMNAME_SPOOFED_EMAIL (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD)
4748describe T_FROMNAME_SPOOFED_EMAIL From:name looks like a spoofed email
4749#score T_FROMNAME_SPOOFED_EMAIL 0.3
4750tflags T_FROMNAME_SPOOFED_EMAIL publish
4751endif
4752##} T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4753
4754##{ T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4755
4756if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4757 meta T_FROM_MULTI_SHORT_IMG __FROM_MULTI_SHORT_IMG && !__RCD_RDNS_MX_MESSY
4758 describe T_FROM_MULTI_SHORT_IMG Multiple From addresses + short message with image
4759endif
4760##} T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4761
4762##{ T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4763
4764ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4765 body T_FUZZY_OPTOUT /(?:$|\W)(?=<O>)(?!opt[-\s]?out)<O><P><T>[-\s]?<O><U><T>(?:$|\W)/i
4766 describe T_FUZZY_OPTOUT Obfuscated opt-out text
4767endif
4768##} T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4769
4770##{ T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4771
4772ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4773body T_FUZZY_SPRM /<inter W1><post P2><S><P><U><R><M>/i
4774endif
4775##} T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4776
4777##{ T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4778
4779ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4780 meta T_FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
4781 describe T_FUZZY_WELLSFARGO Obfuscated "Wells Fargo"
4782endif
4783##} T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4784
4785##{ T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4786
# Loaded only when both the FreeMail and FromNameSpoof plugins are available.
# Hits when FREEMAIL_FROM and FREEMAIL_REPLYTO both fire and __FROM_EQ_REPLY
# does not.
# NOTE(review): the describe text says the two headers have *different*
# freemail domains; the meta itself only requires __FROM_EQ_REPLY not to hit,
# and what that subrule compares (address vs. domain) is not visible here -
# confirm against its definition.
4787ifplugin Mail::SpamAssassin::Plugin::FreeMail
4788 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4789 meta T_GB_FREEM_FROM_NOT_REPLY ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO )
4790 describe T_GB_FREEM_FROM_NOT_REPLY From: and Reply-To: have different freemail domains
4791# score T_GB_FREEM_FROM_NOT_REPLY 1.500 # limit
4792 tflags T_GB_FREEM_FROM_NOT_REPLY publish
4793endif
4794endif
4795##} T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4796
4797##{ T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4798
# Loaded only when the FromNameSpoof plugin is available.
# Narrows T_FROMNAME_SPOOFED_EMAIL (another rule in this file) to messages
# where __NOT_SPOOFED does not fire; __NOT_SPOOFED is defined outside this
# block.
# NOTE(review): the describe text speaks of "a spoofed ip", so __NOT_SPOOFED
# presumably reflects a sender-IP authorisation result - confirm which checks
# feed it before treating a hit as evidence of IP-level spoofing.
4799ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4800 meta T_GB_FROMNAME_SPOOFED_EMAIL_IP ( T_FROMNAME_SPOOFED_EMAIL && !__NOT_SPOOFED )
4801 describe T_GB_FROMNAME_SPOOFED_EMAIL_IP From:name looks like a spoofed email from a spoofed ip
4802# score T_GB_FROMNAME_SPOOFED_EMAIL_IP 0.50 # limit
4803 tflags T_GB_FROMNAME_SPOOFED_EMAIL_IP publish
4804endif
4805##} T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4806
4807##{ T_GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL
4808
# Network rule (tflags net), loaded only on version >= 3.004003 with the
# HashBL plugin available.
# Strings in the message body that match the third argument are looked up in
# the zone bl.btcblack.it. The pattern accepts, at word boundaries and not
# preceded by "=":
#   - "1" or "3" followed by 25-34 characters from [a-km-zA-HJ-NP-Z1-9], or
#   - "bc1" followed by 30-90 characters from the lowercase/digit class shown.
# NOTE(review): the 'raw' option presumably sends the matched string unhashed
# as the query label, and 'max=10/shuffle' presumably caps lookups at 10 per
# message, picked at random when more are found - confirm against the HashBL
# plugin documentation.
# Operational notes: lookups go through the configured DNS resolver to a
# third-party zone, so matched strings are visible to both; the rule cannot
# hit when network tests are disabled or the zone is unreachable.
# The score line below is commented out, so no score is set here.
4809if (version >= 3.004003)
4810 ifplugin Mail::SpamAssassin::Plugin::HashBL
4811 body T_GB_HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})\b')
4812 tflags T_GB_HASHBL_BTC net
4813 describe T_GB_HASHBL_BTC Message contains BTC address found on BTCBL
4814# score T_GB_HASHBL_BTC 5.0 # limit
4815endif
4816endif
4817##} T_GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL
4818
4819##{ T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4820
4821ifplugin Mail::SpamAssassin::Plugin::FreeMail
4822if (version >= 3.004000)
4823 meta T_HK_NAME_FM_FROM __HK_NAME_FROM && FREEMAIL_FROM
4824# score T_HK_NAME_FM_FROM 1.5
4825endif
4826endif
4827##} T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4828
4829##{ T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4830
4831ifplugin Mail::SpamAssassin::Plugin::FreeMail
4832if (version >= 3.004000)
4833 meta T_HK_NAME_FROM __HK_NAME_FROM && !FREEMAIL_FROM
4834# score T_HK_NAME_FROM 1.0
4835endif
4836endif
4837##} T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4838
4839##{ T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4840
4841ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4842meta T_HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN
4843endif
4844##} T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4845
4846##{ T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4847
# Loaded only when the MIMEHeader plugin is available.
# Hits when either __HTML_ATTACH_01 or __HTML_ATTACH_02 fires; both subrules
# are defined outside this block, so how an "HTML attachment" is recognised
# (MIME type, filename, or both) cannot be read from here.
# No score is set in this block.
4848ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4849 meta T_HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02
4850 describe T_HTML_ATTACH HTML attachment to bypass scanning?
4851endif
4852##} T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4853
4854##{ T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4855
# Loaded only when the MIMEHeader plugin is available.
# Hits when either __ISO_ATTACH or __ISO_ATTACH_MT fires; both subrules are
# defined outside this block.
# NOTE(review): the "_MT" suffix suggests one subrule keys on the MIME type and
# the other on the filename - confirm against their definitions.
# The score line below is commented out, so no score is set here; a hit is a
# content signal only and does not replace attachment scanning or blocking
# policy at the gateway.
4856ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4857 meta T_ISO_ATTACH __ISO_ATTACH || __ISO_ATTACH_MT
4858 describe T_ISO_ATTACH ISO attachment - possible malware delivery
4859# score T_ISO_ATTACH 3.000 # limit
4860endif
4861##} T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4862
4863##{ T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4864
4865ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4866meta T_KAM_HTML_FONT_INVALID __KAM_HTML_FONT_INVALID
4867describe T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML
4868#score T_KAM_HTML_FONT_INVALID 0.1
4869endif
4870##} T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4871
4872##{ T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4873
4874if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4875 meta T_LARGE_PCT_AFTER_MANY __LARGE_PERCENT_AFTER > 3
4876 describe T_LARGE_PCT_AFTER_MANY Many large percentages after...
4877endif
4878##} T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4879
4880##{ T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4881
4882ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4883body T_LFUZ_PWRMALE /<inter W1><post P2><P><O><W><E><R><M><A><L><E>/i
4884endif
4885##} T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4886
4887##{ T_LOTTO_AGENT_FM
4888
# Case-insensitive match on the From header (no :addr or :name modifier is
# used, so the header is tested as a whole). The pattern is a "claims / payout
# / remittance"-type term, then at most one whitespace, underscore or dot, then
# a role word (agent, manager, officer, secretary, director, department, dept).
# The pattern is unanchored and has no word boundaries, so it also matches
# inside longer strings; generic combinations such as "dispatch" + "manager"
# match as well, which is a likely source of false positives.
# No score is set in this block.
4889header T_LOTTO_AGENT_FM From =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize[\s_.]transfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i
4890describe T_LOTTO_AGENT_FM Claims Agent
4891##} T_LOTTO_AGENT_FM
4892
4893##{ T_LOTTO_AGENT_RPLY
4894
4895meta T_LOTTO_AGENT_RPLY __LOTTO_AGENT_RPLY && !__TO_YOUR_ORG
4896describe T_LOTTO_AGENT_RPLY Claims Agent
4897##} T_LOTTO_AGENT_RPLY
4898
4899##{ T_LOTTO_URI
4900
4901uri T_LOTTO_URI /(?:claim(?:s|ing)?(?:[-_]?processing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)?[-_]?rem+it+ance|award)[-_]?(?:department|dept|unit|group|committee|office|agent|manager|secretary)/i
4902describe T_LOTTO_URI Claims Department URL
4903##} T_LOTTO_URI
4904
4905##{ T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4906
4907if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4908 meta T_MANY_PILL_PRICE (__PILL_PRICE_01 + __PILL_PRICE_02) > 2
4909 describe T_MANY_PILL_PRICE Prices for many pills
4910endif
4911##} T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4912
4913##{ T_MIME_MALF if (version >= 3.004000)
4914
# Loaded only on version >= 3.004000.
# Hits when __MIME_MALF fires and ALL_TRUSTED does not; __MIME_MALF is defined
# outside this block.
# NOTE(review): ALL_TRUSTED depends on the trusted_networks configuration, so
# an over-broad trusted range would suppress this rule for mail that should be
# checked - verify that setting.
# The score line below is commented out, so no score is set here.
4915if (version >= 3.004000)
4916 meta T_MIME_MALF __MIME_MALF && !ALL_TRUSTED
4917 describe T_MIME_MALF Malformed MIME: headers in body
4918# score T_MIME_MALF 2.00 # limit
4919endif
4920##} T_MIME_MALF if (version >= 3.004000)
4921
4922##{ T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4923
4924ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4925 meta T_MONEY_PERCENT LOTS_OF_MONEY && (__PCT_FOR_YOU || __PCT_OF_PMTS || __FIFTY_FIFTY)
4926 describe T_MONEY_PERCENT X% of a lot of money for you
4927endif
4928##} T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4929
4930##{ T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4931
4932ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4933 meta T_OBFU_ATTACH_MISSP __FROM_RUNON && (T_OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || T_OBFU_DOC_ATTACH || T_OBFU_PDF_ATTACH || T_OBFU_JPG_ATTACH || T_OBFU_GIF_ATTACH)
4934 describe T_OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From
4935endif
4936##} T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4937
4938##{ T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4939
# Loaded only when the MIMEHeader plugin is available.
# Matches a MIME part whose Content-Type header contains
# "application/octet-stream" and, later in the same header value, ".doc" or
# ".rtf" ending at a word boundary (case-insensitive).
# Coverage limits visible in the pattern:
#   - only Content-Type is tested, so a filename carried solely in
#     Content-Disposition is not seen by this rule;
#   - the trailing \b means ".docx" / ".docm" do not match, because a word
#     character follows "doc".
# No score is set in this block.
4940ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4941 mimeheader T_OBFU_DOC_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i
4942 describe T_OBFU_DOC_ATTACH MS Document attachment with generic MIME type
4943endif
4944##} T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4945
4946##{ T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4947
4948ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4949 mimeheader T_OBFU_GIF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i
4950 describe T_OBFU_GIF_ATTACH GIF attachment with generic MIME type
4951endif
4952##} T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4953
4954##{ T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4955
# Loaded only when the MIMEHeader plugin is available.
# Matches a MIME part whose Content-Type header contains
# "application/octet-stream" and, later in the same header value, ".htm" or
# ".html" ending at a word boundary (case-insensitive).
# The describe text says "non-text MIME type", but the pattern tests for
# application/octet-stream specifically; other non-text types are not covered.
# Only Content-Type is tested, so a filename carried solely in
# Content-Disposition is not seen by this rule.
4956ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4957 mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.html?\b,i
4958 describe T_OBFU_HTML_ATTACH HTML attachment with non-text MIME type
4959endif
4960##} T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4961
4962##{ T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4963
# Loaded only when the MIMEHeader plugin is available.
# Hits when both __ZIP_ATTACH_NOFN and __HTML_ATTACH_02 fire; both subrules are
# defined outside this block.
# NOTE(review): going by the names and the describe text, this presumably pairs
# a zip MIME type with an HTML filename on an attachment - confirm against the
# subrule definitions.
# No score is set in this block.
4964ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4965 meta T_OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02
4966 describe T_OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware
4967endif
4968##} T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4969
4970##{ T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4971
4972ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4973 mimeheader T_OBFU_JPG_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i
4974 describe T_OBFU_JPG_ATTACH JPG attachment with generic MIME type
4975endif
4976##} T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4977
4978##{ T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4979
# Loaded only when the MIMEHeader plugin is available.
# Matches a MIME part whose Content-Type header contains
# "application/octet-stream" and, later in the same header value, ".pdf"
# ending at a word boundary (case-insensitive).
# Only Content-Type is tested, so a filename carried solely in
# Content-Disposition is not seen by this rule.
# No score is set in this block.
4980ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4981 mimeheader T_OBFU_PDF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i
4982 describe T_OBFU_PDF_ATTACH PDF attachment with generic MIME type
4983endif
4984##} T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4985
4986##{ T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4987
# Loaded only when the ReplaceTags plugin is available.
# Hits when __PDS_BTC_ID, __PDS_BTC_BADFROM and __PDS_BTC_ANON all fire; the
# subrules are defined outside this block.
# T_PDS_BTC_HACKER in this file uses the same inputs but requires
# __PDS_BTC_BADFROM NOT to fire, so the two rules cannot both hit on one
# message.
# The score line below is commented out, so no score is set here.
4988ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4989 meta T_PDS_BTC_AHACKER ( __PDS_BTC_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON )
4990 describe T_PDS_BTC_AHACKER Bitcoin Hacker
4991# score T_PDS_BTC_AHACKER 3.0 # limit
4992endif
4993##} T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4994
4995##{ T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4996
# Loaded only when the ReplaceTags plugin is available.
# Hits when __PDS_BTC_ID and __PDS_BTC_ANON fire and __PDS_BTC_BADFROM does
# not; the subrules are defined outside this block.
# T_PDS_BTC_AHACKER in this file is the complementary case, which requires
# __PDS_BTC_BADFROM to fire.
# The score line below is commented out, so no score is set here.
4997ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4998 meta T_PDS_BTC_HACKER ( __PDS_BTC_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM )
4999 describe T_PDS_BTC_HACKER Bitcoin Hacker
5000# score T_PDS_BTC_HACKER 2.0 # limit
5001endif
5002##} T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5003
46cfc9e2 5004##{ T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
b780ea8d 5005
b780ea8d 5006ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5007if (version >= 3.004000)
5008meta T_PDS_EMPTYSUBJ_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __SUBJECT_EMPTY && __PDS_MSG_1024
5009describe T_PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener
5010#score T_PDS_EMPTYSUBJ_URISHRT 1.5 # limit
5011endif
5012endif
46cfc9e2 5013##} T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5014
5015##{ T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5016
5017ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5018if (version >= 3.004000)
5019meta T_PDS_FREEMAIL_REPLYTO_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
5020describe T_PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener
5021#score T_PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit
5022endif
5023endif
5024##} T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5025
5026##{ T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
5027
# Loaded only when can(Mail::SpamAssassin::Conf::perl_min_version_5010000) is
# true.
# Hits when __PDS_FROM_2_EMAILS fires and none of the six negated subrules do
# (__VIA_ML, __VIA_RESIGNER, __MSGID_JAVAMAIL, __RCD_RDNS_MAIL_MESSY,
# __RCD_RDNS_SMTP_MESSY, __DKIM_EXISTS); all are defined outside this block.
# NOTE(review): the __DKIM_EXISTS exclusion is only as strong as that subrule.
# If it tests for the presence of a signature rather than a verified one, the
# exclusion is broader than intended - confirm against its definition.
# The score line below is commented out, so no score is set here.
5028if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
5029 meta T_PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__MSGID_JAVAMAIL && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__DKIM_EXISTS
5030 describe T_PDS_FROM_2_EMAILS From header has multiple different addresses
5031# score T_PDS_FROM_2_EMAILS 3.500 # limit
5032endif
5033##} T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
5034
5035##{ T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5036
5037ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5038 meta T_PDS_LTC_AHACKER ( __PDS_LITECOIN_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON )
5039 describe T_PDS_LTC_AHACKER Litecoin Hacker
5040# score T_PDS_LTC_AHACKER 3.0 # limit
5041endif
5042##} T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5043
5044##{ T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5045
5046ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5047 meta T_PDS_LTC_HACKER ( __PDS_LITECOIN_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM )
5048 describe T_PDS_LTC_HACKER Litecoin Hacker
5049# score T_PDS_LTC_HACKER 2.0 # limit
5050endif
5051##} T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5052
5053##{ T_PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5054
5055ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5056if (version >= 3.004000)
5057meta T_PDS_NO_FULL_NAME_SPOOFED_URL __PDS_MSG_1024 && __KHOP_NO_FULL_NAME && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER)
5058describe T_PDS_NO_FULL_NAME_SPOOFED_URL HTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME
5059#score T_PDS_NO_FULL_NAME_SPOOFED_URL 0.75 # limit
5060endif
5061endif
5062##} T_PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5063
5064##{ T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5065
5066if (version >= 3.004002)
5067ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5068header T_PDS_PRO_TLD eval:check_uri_host_listed('SUSP_URI_NTLD_PRO')
5069#score T_PDS_PRO_TLD 1.0
5070describe T_PDS_PRO_TLD .pro TLD
5071endif
5072endif
5073##} T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5074
5075##{ T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5076
5077ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5078if (version >= 3.004000)
5079meta T_PDS_SHORTFWD_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && (__THREADED || __HAS_IN_REPLY_TO || __HAS_THREAD_INDEX || __URI_MAILTO || __REPTO_QUOTE) && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
5080describe T_PDS_SHORTFWD_URISHRT Threaded email with URI shortener
5081#score T_PDS_SHORTFWD_URISHRT 1.5 # limit
5082endif
5083endif
5084##} T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5085
46cfc9e2 5086##{ T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5087
5088ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5089if (version >= 3.004000)
5090meta T_PDS_SHORT_SPOOFED_URL __PDS_MSG_1024 && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER)
5091describe T_PDS_SHORT_SPOOFED_URL HTML message short and T_SPOOFED_URL (S_U_FP)
5092#score T_PDS_SHORT_SPOOFED_URL 2.0
5093endif
5094endif
46cfc9e2 5095##} T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5096
5097##{ T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5098
5099ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5100if (version >= 3.004000)
5101meta T_PDS_URISHRT_LOCALPART_SUBJ LOCALPART_IN_SUBJECT && (__PDS_URISHORTENER || __URL_SHORTENER) && __PDS_MSG_1024
5102describe T_PDS_URISHRT_LOCALPART_SUBJ Localpart of To in subject
5103#score T_PDS_URISHRT_LOCALPART_SUBJ 1.0
5104endif
5105endif
5106##} T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
b780ea8d 5107
5108##{ T_PDS_X_PHP_WP_EXP
5109
# Hits when any one of __PDS_X_PHP_WPCONTENT, __PDS_X_PHP_WPINCLUDES,
# __PDS_X_PHP_WPADMIN or __PDS_X_PHP_WPJS fires; all four are defined outside
# this block.
# NOTE(review): going by the names and the describe text, each subrule
# presumably matches an X-PHP-Script header value pointing into a WordPress
# directory - confirm against their definitions. X-PHP-Script is added by the
# sending host, so it is only present when that host is configured to emit it.
# The score line below is commented out, so no score is set here.
5110meta T_PDS_X_PHP_WP_EXP (__PDS_X_PHP_WPCONTENT || __PDS_X_PHP_WPINCLUDES || __PDS_X_PHP_WPADMIN || __PDS_X_PHP_WPJS)
5111describe T_PDS_X_PHP_WP_EXP X-PHP-Script shows sent from a Wordpress PHP script where you would not expect one
5112#score T_PDS_X_PHP_WP_EXP 1.5
5113##} T_PDS_X_PHP_WP_EXP
5114
5115##{ T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
5116
5117ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
5118 meta T_REMOTE_IMAGE __REMOTE_IMAGE
5119 describe T_REMOTE_IMAGE Message contains an external image
5120endif
5121##} T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
5122
5123##{ T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5124
5125if (version >= 3.004002)
5126ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5127meta T_SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR
5128describe T_SENT_TO_EMAIL_ADDR Email was sent to email address
5129#score T_SENT_TO_EMAIL_ADDR 2.0 # limit
5130endif
5131endif
5132##} T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5133
5134##{ T_SHARE_50_50
5135
5136meta T_SHARE_50_50 (__SHARE_IT || __AGREED_RATIO) && __FIFTY_FIFTY
5137describe T_SHARE_50_50 Share the money 50/50
5138##} T_SHARE_50_50
5139
5140##{ T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5141
# Loaded only when can(Mail::SpamAssassin::Conf::feature_bug6558_free) is true.
# Hits when __STY_INVIS_DIRECT fires and none of the six negated subrules do
# (__L_BODY_8BITS, __UNSUB_LINK, __HDR_RCVD_AMAZON, __TO___LOWER,
# __PDS_DOUBLE_URL, __MAIL_LINK); all are defined outside this block.
# NOTE(review): the negated subrules look like false-positive exclusions -
# confirm against their definitions before changing any of them.
# The score line below is commented out, so no score is set here.
5142if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5143 meta T_STY_INVIS_DIRECT __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK
5144 describe T_STY_INVIS_DIRECT HTML hidden text + direct-to-MX
5145# score T_STY_INVIS_DIRECT 2.500 # limit
5146endif
5147##} T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5148
5149##{ T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5150
5151if (version >= 3.004002)
5152ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5153meta T_SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD
5154describe T_SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money
5155#score T_SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit
5156endif
5157endif
5158##} T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5159
5160##{ T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5161
5162ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5163if (version >= 3.004000)
5164meta T_TONOM_EQ_TOLOC_SHRT_PSHRTNER __PDS_SHORT_URL && __PDS_TONAME_EQ_TOLOCAL && __SUBJ_SHORT
5165describe T_TONOM_EQ_TOLOC_SHRT_PSHRTNER Short subject with potential shortener and To:name eq To:local
5166#score T_TONOM_EQ_TOLOC_SHRT_PSHRTNER 1.5 # limit
5167endif
5168endif
5169##} T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5170
5171##{ T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5172
5173ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5174if (version >= 3.004000)
5175meta T_TONOM_EQ_TOLOC_SHRT_SHRTNER __PDS_URISHORTENER && __PDS_TONAME_EQ_TOLOCAL && __PDS_MSG_1024
5176describe T_TONOM_EQ_TOLOC_SHRT_SHRTNER Short email with shortener and To:name eq To:local
5177#score T_TONOM_EQ_TOLOC_SHRT_SHRTNER 1.5 # limit
5178endif
5179endif
5180##} T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5181
5182##{ T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5183
5184ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5185body T_TVD_FUZZY_SECTOR /(?!sector)<S><E><C><T><O><R>/i
5186endif
5187##} T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5188
5189##{ T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5190
5191ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5192body T_TVD_FUZZY_SECURITIES /<inter W2><post P2>(?!securities)(?!security,? es)<S><E><C><U><R><I><T><I><E><S>/i
5193endif
5194##} T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5195
5196##{ T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5197
5198ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5199mimeheader T_TVD_FW_GRAPHIC_ID2 Content-Id =~ /<(?:[0-9A-F]{8}\.){3}[0-9A-F]{8}/
5200endif
5201##} T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5202
5203##{ T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5204
5205ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5206body T_TVD_MIME_EPI eval:check_msg_parse_flags('mime_epilogue_exists')
5207endif
5208##} T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5209
5210##{ T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5211
# Loaded only when the MIMEEval plugin is available.
# Eval rule: calls check_msg_parse_flags with the flag name
# 'missing_mime_headers'.
# NOTE(review): presumably this hits when the message parser recorded that
# flag while parsing - confirm against the MIMEEval plugin.
# This block sets no "describe" text and no score for the rule.
5212ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5213body T_TVD_MIME_NO_HEADERS eval:check_msg_parse_flags('missing_mime_headers')
5214endif
5215##} T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5216
5217##{ T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5218
5219ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5220 meta T_WON_MONEY_ATTACH __YOU_WON && LOTS_OF_MONEY && (__PDF_ATTACH || __DOC_ATTACH)
5221 describe T_WON_MONEY_ATTACH You won lots of money! See attachment.
5222endif
5223##} T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5224
5225##{ T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5226
5227ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5228 meta T_WON_NBDY_ATTACH __YOU_WON && __EMPTY_BODY && (__PDF_ATTACH || __DOC_ATTACH || __GIF_ATTACH || __JPEG_ATTACH)
5229 describe T_WON_NBDY_ATTACH You won lots of money! See attachment.
5230endif
5231##} T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5232
5233##{ T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5234
# Loaded only when can(Mail::SpamAssassin::Conf::feature_bug6558_free) is true.
# Hits when both __UNICODE_OBFU_ZW and __BITCOIN_ID fire; both subrules are
# defined outside this block.
# NOTE(review): "ZW" presumably stands for zero-width characters used to break
# up words - confirm against the __UNICODE_OBFU_ZW definition.
# The score line below is commented out, so no score is set here.
5235if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5236 meta T_ZW_OBFU_BITCOIN __UNICODE_OBFU_ZW && __BITCOIN_ID
5237 describe T_ZW_OBFU_BITCOIN Obfuscated text + bitcoin ID - possible extortion
5238# score T_ZW_OBFU_BITCOIN 2.500 # limit
5239endif
5240##} T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5241
5242##{ T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5243
5244if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5245 meta T_ZW_OBFU_FREEM __UNICODE_OBFU_ZW && __freemail_hdr_replyto
5246 describe T_ZW_OBFU_FREEM Obfuscated text + freemail
5247# score T_ZW_OBFU_FREEM 2.000 # limit
5248endif
5249##} T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5250
5251##{ T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5252
5253if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5254 meta T_ZW_OBFU_FROMTOSUBJ __UNICODE_OBFU_ZW && FROM_IN_TO_AND_SUBJ
5255 describe T_ZW_OBFU_FROMTOSUBJ Obfuscated text + from in to and subject
5256# score T_ZW_OBFU_FROMTOSUBJ 2.000 # limit
5257endif
5258##} T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5259
5260##{ UC_GIBBERISH_OBFU
5261
5262meta UC_GIBBERISH_OBFU (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED
5263describe UC_GIBBERISH_OBFU Multiple instances of "word VERYLONGGIBBERISH word"
5264#score UC_GIBBERISH_OBFU 3.000 # Limit
5265tflags UC_GIBBERISH_OBFU publish
5266##} UC_GIBBERISH_OBFU
5267
5268##{ UNDISC_FREEM
5269
5270meta UNDISC_FREEM __UNDISC_FREEM
5271describe UNDISC_FREEM Undisclosed recipients + freemail reply-to
5272tflags UNDISC_FREEM publish
5273##} UNDISC_FREEM
5274
5275##{ UNDISC_MONEY
5276
5277meta UNDISC_MONEY __UNDISC_MONEY && !__VIA_ML && !__MSGID_HEXISH
5278describe UNDISC_MONEY Undisclosed recipients + money/fraud signs
5279tflags UNDISC_MONEY publish
5280##} UNDISC_MONEY
5281
5282##{ UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5283
5284if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5285 meta UNICODE_OBFU_ASC __UNICODE_OBFU_ASC && !__SPAN_BEG_TEXT && !HTML_IMAGE_ONLY_32
5286 describe UNICODE_OBFU_ASC Obfuscating text with unicode
5287# score UNICODE_OBFU_ASC 2.500 # limit
5288 tflags UNICODE_OBFU_ASC publish
5289endif
5290##} UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5291
5292##{ UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5293
# Loaded only when can(Mail::SpamAssassin::Conf::feature_bug6558_free) is true.
# Hits when __UNICODE_OBFU_ZW_2 fires and none of the seven negated subrules do
# (__SUBSCRIPTION_INFO, __RCD_RDNS_MAIL_MESSY, __DOS_HAS_LIST_ID,
# __USING_VERP1, __DOS_HAS_LIST_UNSUB, __RCD_RDNS_SMTP, __DKIM_EXISTS); all are
# defined outside this block.
# NOTE(review): several exclusions key on sender-supplied headers (list id,
# list-unsubscribe, DKIM presence); they trade detection coverage for fewer
# false positives on bulk mail - confirm what each subrule actually verifies.
# The score line below is commented out, so no score is set here.
5294if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5295 meta UNICODE_OBFU_ZW __UNICODE_OBFU_ZW_2 && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL_MESSY && !__DOS_HAS_LIST_ID && !__USING_VERP1 && !__DOS_HAS_LIST_UNSUB && !__RCD_RDNS_SMTP && !__DKIM_EXISTS
5296 describe UNICODE_OBFU_ZW Obfuscating text with hidden characters
5297# score UNICODE_OBFU_ZW 3.500 # limit
5298 tflags UNICODE_OBFU_ZW publish
5299endif
5300##} UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5301
5302##{ URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
5303
# Network rule (tflags net), loaded only when the URIDNSBL plugin is available.
# urirhssub registers a lookup of URI domains in the zone
# dob.sibl.support-intelligence.net using A records with subtest value 2; the
# body eval line ties the result to the rule name.
# NOTE(review): whether "2" is compared as a bitmask or as an exact value
# follows the URIDNSBL plugin's subtest rules - confirm there.
# Operational notes: lookups go through the configured DNS resolver to a
# third-party zone, so queried domains are visible to both; the rule cannot
# hit when network tests are disabled or the zone is unreachable.
# No score is set in this block.
5304ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
5305urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 2
5306body URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB')
5307describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
5308tflags URIBL_RHS_DOB net
5309endif
5310##} URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
5311
5312##{ URI_ADOBESPARK
5313
5314meta URI_ADOBESPARK __URI_ADOBESPARK
5315#score URI_ADOBESPARK 3.500 # limit
5316tflags URI_ADOBESPARK publish
5317##} URI_ADOBESPARK
5318
5319##{ URI_AZURE_CLOUDAPP
5320
# Hits when __URI_AZURE_CLOUDAPP and __NAKED_TO fire and __HDR_RCVD_GOOGLE does
# not; all three subrules are defined outside this block.
# The URI subrule alone is not enough: the rule also requires the To-header
# condition, so a link to a hosted application by itself does not hit.
# The score line below is commented out, so no score is set here.
5321meta URI_AZURE_CLOUDAPP __URI_AZURE_CLOUDAPP && __NAKED_TO && !__HDR_RCVD_GOOGLE
5322describe URI_AZURE_CLOUDAPP Link to hosted azure web application, possible phishing
5323#score URI_AZURE_CLOUDAPP 3.000 # limit
5324tflags URI_AZURE_CLOUDAPP publish
5325##} URI_AZURE_CLOUDAPP
5326
5327##{ URI_DASHGOVEDU
5328
5329meta URI_DASHGOVEDU __URI_DASHGOVEDU
5330describe URI_DASHGOVEDU Suspicious domain name
5331#score URI_DASHGOVEDU 3.500 # limit
5332tflags URI_DASHGOVEDU publish
5333##} URI_DASHGOVEDU
5334
5335##{ URI_DATA
5336
# Hits when __URI_DATA fires and none of the six negated rules do
# (ALL_TRUSTED, __RCD_RDNS_MAIL_MESSY, __HAS_ERRORS_TO, __VIA_ML,
# __ENV_AND_HDR_FROM_MATCH, __DOS_HAS_LIST_UNSUB); all are defined outside this
# block.
# NOTE(review): several exclusions key on sender-supplied headers (Errors-To,
# List-Unsubscribe) or on the trusted_networks configuration (ALL_TRUSTED), so
# the rule's coverage depends on those - confirm what each subrule verifies.
# The score line below is commented out, so no score is set here.
5337meta URI_DATA __URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH && !__DOS_HAS_LIST_UNSUB
5338describe URI_DATA "data:" URI - possible malware or phish
5339#score URI_DATA 3.250 # limit
5340tflags URI_DATA publish
5341##} URI_DATA
5342
46cfc9e2 5343##{ URI_DEOBFU_INSTR
b780ea8d 5344
5345meta URI_DEOBFU_INSTR __URI_DEOBFU_INSTR && !__MSGID_OK_HOST
5346describe URI_DEOBFU_INSTR How to deobfuscate this URI
5347##} URI_DEOBFU_INSTR
5348
5349##{ URI_DOTEDU
5350
5351meta URI_DOTEDU __URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINK
5352describe URI_DOTEDU Has .edu URI
5353#score URI_DOTEDU 2.000 # limit
5354tflags URI_DOTEDU publish
5355##} URI_DOTEDU
5356
5357##{ URI_DOTEDU_ENTITY
5358
5359meta URI_DOTEDU_ENTITY __URI_DOTEDU_ENTITY && !__SUBSCRIPTION_INFO
5360describe URI_DOTEDU_ENTITY Via .edu MTA + suspicious HTML content
5361#score URI_DOTEDU_ENTITY 3.000 # limit
5362tflags URI_DOTEDU_ENTITY publish
5363##} URI_DOTEDU_ENTITY
5364
5365##{ URI_DOTTY_HEX
5366
5367meta URI_DOTTY_HEX __URI_DOTTY_HEX
5368describe URI_DOTTY_HEX Suspicious URI format
5369tflags URI_DOTTY_HEX publish
5370##} URI_DOTTY_HEX
5371
5372##{ URI_DQ_UNSUB
5373
5374meta URI_DQ_UNSUB __URI_DQ_UNSUB
5375describe URI_DQ_UNSUB IP-address unsubscribe URI
5376tflags URI_DQ_UNSUB publish
5377##} URI_DQ_UNSUB
5378
5379##{ URI_FIREBASEAPP
5380
# Hits when either __URI_FIREBASEAPP or __URI_WEBAPP fires; both subrules are
# defined outside this block.
# The describe text names firebase only, but the rule also hits on
# __URI_WEBAPP alone, so a hit does not by itself identify the hosting service.
# Unlike URI_AZURE_CLOUDAPP in this file, no header condition or exclusion is
# combined with the URI match here.
# The score line below is commented out, so no score is set here.
5381meta URI_FIREBASEAPP __URI_FIREBASEAPP || __URI_WEBAPP
5382describe URI_FIREBASEAPP Link to hosted firebase web application, possible phishing
5383#score URI_FIREBASEAPP 3.000 # limit
5384tflags URI_FIREBASEAPP publish
5385##} URI_FIREBASEAPP
5386
5387##{ URI_GOOGLE_PROXY
5388
# Hits when __URI_GOOGLE_PROXY fires and none of __FSL_RELAY_GOOGLE,
# __TO___LOWER, __MSGID_OK_HEX or __HAS_CAMPAIGNID do; all are defined outside
# this block.
# NOTE(review): the __FSL_RELAY_GOOGLE exclusion presumably skips mail that
# was relayed by Google itself - confirm against its definition.
# No score is set in this block.
5389meta URI_GOOGLE_PROXY __URI_GOOGLE_PROXY && !__FSL_RELAY_GOOGLE && !__TO___LOWER && !__MSGID_OK_HEX && !__HAS_CAMPAIGNID
5390describe URI_GOOGLE_PROXY Accessing a blacklisted URI or obscuring source of phish via Google proxy?
5391tflags URI_GOOGLE_PROXY publish
5392##} URI_GOOGLE_PROXY
5393
5394##{ URI_GOOG_STO_SPAMMY
5395
46cfc9e2 5396uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:1tactc1200|5a70f8147b2241c|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|a(?:1discover|d(?:t100visa|vanced1500)|geless(?:brain|t001)|l(?:liedtrust7?|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|tividade|udio0254)|b(?:337276797de5b3|7772dcb|ath(?:and777|bhow98|dfgdfgdfh|rooomlki)|cvncv7845|d(?:fbgverhg|sgbsehtth|thdethydeth)|e(?:dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ueprintms0?)|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader0[48])))|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|ircaknee0|jowa|o(?:mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf)|rrectskin|verageinsu)|reative14141)|d(?:e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy0icits)|trega)|rec(?:01tions|tiledysfunction)|talsprcious|vent(?:0saves01?|save010?)|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|h
ting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|luster|old(?:ii00215|trust00)|r(?:fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1|protection7))|ympro22)|h(?:dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rply(?:24701|y0012))|ome(?:9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|le(?:0(?:1ed|541)|24700|77en|health475)|ttress0707)|e(?:dica(?:lsupplies|r(?:0085|123n|df747))|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|len(?:hsances?|shsance0s)|o(?:n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho01to001|leteroid|o(?:rtable(?:heater7|t
elescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|otectsecurity)|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:adclub11|grow101|n(?:ewlaemailved|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|ingsevent)|ylife004)|coutstonenew|dfgwsd74fg|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|outhbeach(?:001|skin)|preader35|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:lescope001|rminix0909)|h(?:e(?:photostick2804|rasleeves|unbreakable)|opinall)|innitus(?:102|new911)|o(?:enailfungus|pinal)|r(?:a(?:balhos|nslato10)|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|sbmosquito)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ightloss(?:005|newketo)|llgrove90)|i(?:fibooster|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|zantacdedzef))/;i
5397describe URI_GOOG_STO_SPAMMY Link to spammy content hosted by google storage
5398#score URI_GOOG_STO_SPAMMY 3.000
5399tflags URI_GOOG_STO_SPAMMY publish
5400##} URI_GOOG_STO_SPAMMY
5401
5402##{ URI_HEX_IP
5403
5404meta URI_HEX_IP __URI_HEX_IP
5405#score URI_HEX_IP 2.500 # limit
5406describe URI_HEX_IP URI with hex-encoded IP-address host
5407tflags URI_HEX_IP publish
5408##} URI_HEX_IP
5409
5410##{ URI_IMG_WP_REDIR
5411
5412meta URI_IMG_WP_REDIR __URI_IMG_WP_REDIR
5413#score URI_IMG_WP_REDIR 3.000 # limit
5414describe URI_IMG_WP_REDIR Image via WordPress "accelerator" proxy
5415tflags URI_IMG_WP_REDIR publish
5416##} URI_IMG_WP_REDIR
5417
5418##{ URI_LONG_REPEAT
5419
5420meta URI_LONG_REPEAT __URI_LONG_REPEAT
5421describe URI_LONG_REPEAT Very long identical host+domain
5422#score URI_LONG_REPEAT 2.500 # limit
5423tflags URI_LONG_REPEAT publish
5424##} URI_LONG_REPEAT
5425
5426##{ URI_MALWARE_SCMS
5427
# Fires on any URI in the message that contains ".SettingContent-ms" followed
# by a word boundary, matched case-insensitively. The pattern is not anchored
# to the end of the path, so the string also matches inside a query string.
# Only URIs are tested: the same file type arriving as an attachment or inside
# an archive is outside this rule and needs attachment filtering.
# NOTE(review): no score line appears in this block; the effective score is
# set elsewhere. Confirm it before relying on this rule to stop a message.
5428uri URI_MALWARE_SCMS /\.SettingContent-ms\b/i
5429describe URI_MALWARE_SCMS Link to malware exploit download (.SettingContent-ms file)
5430tflags URI_MALWARE_SCMS publish
5431##} URI_MALWARE_SCMS
5432
5433##{ URI_ONLY_MSGID_MALF
5434
# URI_ONLY_MSGID_MALF is given two `meta` expressions below. They are identical
# except that the first also requires !RCVD_IN_DNSWL_LOW, and a `tflags ... net`
# line sits between them.
# NOTE(review): a later definition of the same rule normally replaces the
# earlier one, so as listed the second expression (without the DNSWL
# exclusion) would be the effective one and the later `tflags ... publish`
# would replace `tflags ... net`. Confirm against the parsed configuration.
# The indented pair looks like the two arms of a conditional that was flattened
# when this file was generated; check the rule source before assuming that
# DNSWL-listed relays are exempt from this rule.
5435 meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO && !RCVD_IN_DNSWL_LOW
5436 tflags URI_ONLY_MSGID_MALF net
5437 meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO
5438describe URI_ONLY_MSGID_MALF URI only + malformed message ID
5439#score URI_ONLY_MSGID_MALF 2.000 # limit
5440tflags URI_ONLY_MSGID_MALF publish
5441##} URI_ONLY_MSGID_MALF
5442
5443##{ URI_OPTOUT_3LD
5444
# Matches an http(s) URI whose host starts with one of the listed opt-out words
# (quit, bye, remove, ...), optionally followed by digits, then a dot, then at
# least one more dot-separated part ending in ".com" or ".net".
# Caveats when tuning for false positives:
#  - `[^/]+` excludes only "/", so it can span several labels, and in a URI
#    with no path it can run into the query string.
#  - the trailing `\b` is also satisfied when ".com"/".net" is followed by
#    another dot, so the matched suffix need not be the real TLD.
# The commented-out score line is kept as found; it is not active configuration.
5445uri URI_OPTOUT_3LD m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i
5446describe URI_OPTOUT_3LD Opt-out URI, suspicious hostname
5447#score URI_OPTOUT_3LD 2.000 # limit
5448tflags URI_OPTOUT_3LD publish
5449##} URI_OPTOUT_3LD
5450
5451##{ URI_OPTOUT_USME
5452
# Same host pattern as URI_OPTOUT_3LD (opt-out word, optional digits, dot,
# further host text) but ending in ".us", ".me", ".mobi" or ".club".
# `[^/]+` and the trailing `\b` are as loose here as in that rule: the matched
# suffix is not guaranteed to be the URI's actual TLD.
5453uri URI_OPTOUT_USME m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i
5454describe URI_OPTOUT_USME Opt-out URI, unusual TLD
5455tflags URI_OPTOUT_USME publish
5456##} URI_OPTOUT_USME
5457
5458##{ URI_PHISH
5459
# URI_PHISH is spread over three generated sections: the description and flags
# here, then one `meta` expression per MIMEHeader-plugin state.
5460describe URI_PHISH Phishing using web form
5461#score URI_PHISH 4.00 # limit
5462tflags URI_PHISH publish
5463##} URI_PHISH
5464
5465##{ URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
5466
# Variant used when the MIMEHeader plugin is NOT loaded.
# Everything after __URI_PHISH is an exclusion: if any one of the negated
# subrules matches, the phishing hit is suppressed. When investigating a missed
# phish, check which exclusion fired before adjusting the score.
5467if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
5468 meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT
5469endif
5470##} URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
5471
5472##{ URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5473
# Variant used when the MIMEHeader plugin IS loaded. It is the expression above
# plus one more exclusion, !__REMOTE_IMAGE; nothing else differs.
5474ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5475 meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT
5476endif
5477##} URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5478
5479##{ URI_PHP_REDIR
5480
5481meta URI_PHP_REDIR __URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTA
5482#score URI_PHP_REDIR 3.500 # limit
5483describe URI_PHP_REDIR PHP redirect to different URL (link obfuscation)
5484tflags URI_PHP_REDIR publish
5485##} URI_PHP_REDIR
5486
5487##{ URI_TRY_3LD
5488
cabe596e 5489meta URI_TRY_3LD __URI_TRY_3LD && !__HAS_ERRORS_TO && !__HDR_RCVD_ALIBABA && !__HDR_CASE_REVERSED && !__XM_EC_MESSENGER && !__CHARITY && !__URI_DOTEDU
5490describe URI_TRY_3LD "Try it" URI, suspicious hostname
5491#score URI_TRY_3LD 2.000 # limit
5492tflags URI_TRY_3LD publish
5493##} URI_TRY_3LD
5494
5495##{ URI_TRY_USME
5496
5497meta URI_TRY_USME __URI_TRY_USME && !__DKIM_EXISTS
5498describe URI_TRY_USME "Try it" URI, unusual TLD
cabe596e 5499#score URI_TRY_USME 2.000 # limit
5500tflags URI_TRY_USME publish
5501##} URI_TRY_USME
5502
5503##{ URI_WPADMIN
5504
5505meta URI_WPADMIN __URI_WPADMIN
5506describe URI_WPADMIN WordPress login/admin URI, possible phishing
5507tflags URI_WPADMIN publish
5508##} URI_WPADMIN
5509
5510##{ URI_WP_DIRINDEX
5511
5512meta URI_WP_DIRINDEX __URI_WPDIRINDEX
5513describe URI_WP_DIRINDEX URI for compromised WordPress site, possible malware
5514#score URI_WP_DIRINDEX 3.500 # limit
5515tflags URI_WP_DIRINDEX publish
5516##} URI_WP_DIRINDEX
5517
5518##{ URI_WP_HACKED
5519
5520meta URI_WP_HACKED (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED
5521describe URI_WP_HACKED URI for compromised WordPress site, possible malware
5522#score URI_WP_HACKED 3.500 # limit
5523tflags URI_WP_HACKED publish
5524##} URI_WP_HACKED
5525
5526##{ URI_WP_HACKED_2
5527
# Fires on __PS_TEST_LOC_WP only when URI_WP_HACKED did not hit, so the two
# rules never both score the same message. List mail (__HAS_LIST_ID), threaded
# mail (__THREADED) and __USING_VERP1 matches are excluded.
# The description text is identical to URI_WP_HACKED's, so reports and alerts
# must key on the rule name to tell the two apart.
5528meta URI_WP_HACKED_2 (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__HAS_LIST_ID && !__THREADED && !__USING_VERP1
5529describe URI_WP_HACKED_2 URI for compromised WordPress site, possible malware
5530#score URI_WP_HACKED_2 2.500 # limit
5531tflags URI_WP_HACKED_2 publish
5532##} URI_WP_HACKED_2
5533
5534##{ USB_DRIVES
5535
5536meta USB_DRIVES __SUBJ_USB_DRIVES
5537describe USB_DRIVES Trying to sell custom USB flash drives
5538#score USB_DRIVES 2.000 # limit
5539tflags USB_DRIVES publish
5540##} USB_DRIVES
5541
5542##{ VFY_ACCT_NORDNS
5543
5544meta VFY_ACCT_NORDNS __VFY_ACCT_NORDNS && !__STY_INVIS_MANY
5545describe VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA - probable phishing
5546#score VFY_ACCT_NORDNS 3.000 # limit
5547tflags VFY_ACCT_NORDNS publish
5548##} VFY_ACCT_NORDNS
5549
5550##{ VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5551
# Defined only on SpamAssassin >= 3.4.2 with the WLBLEval plugin loaded.
# Requires both subrules: __VPSNUMBERONLY_TLD and __FROM_ADDRLIST_SUSPNTLD.
# NOTE(review): __FROM_ADDRLIST_SUSPNTLD presumably tests the From address
# against the SUSP_NTLD address list that this file builds with
# enlist_addrlist; verify against the subrule's definition.
5552if (version >= 3.004002)
5553ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5554meta VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD
5555tflags VPS_NO_NTLD publish
5556describe VPS_NO_NTLD vps[0-9] domain at a suspiscious TLD
5557#score VPS_NO_NTLD 1.0 # limit
5558endif
5559endif
5560##} VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5561
5562##{ WALMART_IMG_NOT_RCVD_WAL
5563
5564meta WALMART_IMG_NOT_RCVD_WAL __WALMART_IMG_NOT_RCVD_WAL && !__DKIM_EXISTS
5565#score WALMART_IMG_NOT_RCVD_WAL 2.500 # limit
5566describe WALMART_IMG_NOT_RCVD_WAL Walmart hosted image but message not from Walmart
5567tflags WALMART_IMG_NOT_RCVD_WAL publish
5568##} WALMART_IMG_NOT_RCVD_WAL
5569
5570##{ WANT_TO_ORDER
5571
5572body WANT_TO_ORDER /you (?:(?:would )?like|want|are interested|need|wish)(?: to| in)? (?:plac(?:e|ing) an order|order(?:ing)? (?:for )?(?:this|it|now|today|our \w+)|take one (?:or two )?(?:today|now))\b/i
5573#score WANT_TO_ORDER 2.750 # limit
5574##} WANT_TO_ORDER
5575
5576##{ WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5577
# Defined only when the running SpamAssassin reports the feature_bug6558_free
# capability. Fires on __WORD_INVIS_MINFP unless WORD_INVIS_MANY also hit, so a
# message is scored by one of the two hidden-word rules, not both.
5578if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5579 meta WORD_INVIS __WORD_INVIS_MINFP && !WORD_INVIS_MANY
5580 describe WORD_INVIS A hidden word
5581# score WORD_INVIS 3.000 # limit
5582 tflags WORD_INVIS publish
5583endif
5584##} WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5585
5586##{ WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5587
5588if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5589 meta WORD_INVIS_MANY __WORD_INVIS_2
5590 describe WORD_INVIS_MANY Multiple individual hidden words
5591# score WORD_INVIS_MANY 3.000 # limit
5592 tflags WORD_INVIS_MANY publish
5593endif
5594##} WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5595
5596##{ XFER_LOTSA_MONEY
5597
5598meta XFER_LOTSA_MONEY __XFER_LOTSA_MONEY && !__VIA_ML && !__HAS_SENDER && !__SUBSCRIPTION_INFO
5599describe XFER_LOTSA_MONEY Transfer a lot of money
5600#score XFER_LOTSA_MONEY 1.000 # limit
5601##} XFER_LOTSA_MONEY
5602
5603##{ XM_DIGITS_ONLY
5604
5605meta XM_DIGITS_ONLY __XM_DIGITS_ONLY
5606describe XM_DIGITS_ONLY X-Mailer malformed
5607#score XM_DIGITS_ONLY 3.000 # limit
5608tflags XM_DIGITS_ONLY publish
5609##} XM_DIGITS_ONLY
5610
5611##{ XM_PHPMAILER_FORGED
5612
5613meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED
5614describe XM_PHPMAILER_FORGED Apparently forged header
5615tflags XM_PHPMAILER_FORGED publish
5616##} XM_PHPMAILER_FORGED
5617
5618##{ XM_RANDOM
5619
46cfc9e2 5620meta XM_RANDOM __XM_RANDOM && !__STY_INVIS_3 && !__HAS_IN_REPLY_TO && !__XM_UC_ONLY && !__XM_ASPQMAIL && !__XM_VERY_LONG
b780ea8d 5621describe XM_RANDOM X-Mailer apparently random
46cfc9e2 5622#score XM_RANDOM 2.500 # limit
5623tflags XM_RANDOM publish
5624##} XM_RANDOM
5625
5626##{ XM_RECPTID
5627
5628meta XM_RECPTID __HAS_XM_RECPTID && !__TAG_EXISTS_SCRIPT && !__REPLYTO_NOREPLY && !__ENVFROM_AMAZONSES && !__DOS_DIRECT_TO_MX && !__FRAUD_PTX
5629describe XM_RECPTID Has spammy message header
5630#score XM_RECPTID 3.000 # limit
5631##} XM_RECPTID
5632
5633##{ XPRIO
5634
5635describe XPRIO Has X-Priority header
5636#score XPRIO 2.250 # limit
5637tflags XPRIO publish
5638##} XPRIO
5639
5640##{ XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM)
5641
5642if !plugin(Mail::SpamAssassin::Plugin::DKIM)
5643 meta XPRIO __XPRIO_MINFP
5644endif
5645##} XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM)
5646
5647##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM
5648
5649ifplugin Mail::SpamAssassin::Plugin::DKIM
5650 tflags XPRIO net
5651endif
5652##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM
5653
5654##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF)
5655
5656ifplugin Mail::SpamAssassin::Plugin::DKIM
5657if !plugin(Mail::SpamAssassin::Plugin::SPF)
5658 meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE
5659endif
5660endif
5661##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF)
5662
5663##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF
5664
# XPRIO expression used when both the DKIM and SPF plugins are loaded.
# The X-Priority subrule (__XPRIO_MINFP) only counts when the message carries
# no authentication or reputation signal: no DKIM signature, no dependable or
# valid DKIM result (including author-domain validity), no DNSWL listing and no
# SPF pass. A sender that passes any one of these checks is exempt.
# The two `ifplugin` lines are closed by the two `endif` lines; the uneven
# indentation is as found in the file.
5665ifplugin Mail::SpamAssassin::Plugin::DKIM
5666 ifplugin Mail::SpamAssassin::Plugin::SPF
5667 meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS
5668endif
5669endif
5670##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF
5671
5672##{ XPRIO_SHORT_SUBJ
5673
5674meta XPRIO_SHORT_SUBJ __XPRIO_SHORT_SUBJ && !__MSM_PRIO_REPTO && !ALL_TRUSTED && !__DKIM_EXISTS && !__RELAY_THRU_WWW && !__CTYPE_HAS_BOUNDARY && !__RCD_RDNS_MTA && !__HAS_HREF
5675describe XPRIO_SHORT_SUBJ Has X Priority header + short subject
5676#score XPRIO_SHORT_SUBJ 2.500 # limit
5677tflags XPRIO_SHORT_SUBJ publish
5678##} XPRIO_SHORT_SUBJ
5679
5680##{ XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5681
5682ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5683if (version >= 3.004000)
5684meta XPRIO_URL_SHORTNER __XPRIO_MINFP && __PDS_URISHORTENER
5685describe XPRIO_URL_SHORTNER X-Priority header and short URL
5686#score XPRIO_URL_SHORTNER 1.0 # limit
5687endif
5688endif
5689##} XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5690
5691##{ X_MAILER_CME_6543_MSN
5692
5693header X_MAILER_CME_6543_MSN X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/
5694##} X_MAILER_CME_6543_MSN
5695
5696##{ YOUR_DELIVERY_ADDRESS
5697
46cfc9e2 5698body YOUR_DELIVERY_ADDRESS /(?:(?:respond|reply|answer) (?:to )?(?:our|this) ?e?mail (?:[\w,]+\s){0,10}(?:with|and send(?: us)?)|we need to know|let us know|(?:send|provide|tell|inform)(?: us)?(?: of)?|confirm|indicate)(?: t?he (?:order )?quantity and)? (?:your |the )?(?:detailed |specific )?(?:(?:delivery |shipping |mailing |shipment |receiving )?address(?:\s?[,.;]|(?: and| so)? we| if you)|address (?:for|of) (?:shipping|delivery|shipment))/i
cabe596e 5699#score YOUR_DELIVERY_ADDRESS 1.250 # limit
5700##} YOUR_DELIVERY_ADDRESS
5701
5702##{ YOU_INHERIT
5703
5704meta YOU_INHERIT __YOU_INHERIT
5705describe YOU_INHERIT Discussing your inheritance
5706##} YOU_INHERIT
5707
5708##{ bayes_ignore_header_sandbox
5709
5710bayes_ignore_header X-ACL-Warn
5711bayes_ignore_header X-Alimail-AntiSpam
5712bayes_ignore_header X-Amavis-Modified
5713bayes_ignore_header X-Anti-Spam
5714bayes_ignore_header X-Anti-Virus
5715bayes_ignore_header X-Anti-Virus-Version
5716bayes_ignore_header X-AntiAbuse
5717bayes_ignore_header X-Antispam
5718bayes_ignore_header X-Antivirus
5719bayes_ignore_header X-Antivirus-Code
5720bayes_ignore_header X-Antivirus-Status
5721bayes_ignore_header X-Antivirus-Version
5722bayes_ignore_header x-aol-global-disposition
5723bayes_ignore_header X-ASF-Spam-Status
5724bayes_ignore_header X-ASG-Debug-ID
5725bayes_ignore_header X-ASG-Orig-Subj
5726bayes_ignore_header X-ASG-Recipient-Whitelist
5727bayes_ignore_header X-ASG-Tag
5728bayes_ignore_header X-Assp-Version
5729bayes_ignore_header X-Authority-Analysis
5730bayes_ignore_header X-Authvirus
5731bayes_ignore_header X-Auto-Response-Suppress
5732bayes_ignore_header X-AV-Do-Run
5733bayes_ignore_header X-AV-Status
5734bayes_ignore_header x-avast-antispam
5735bayes_ignore_header X-Backend
5736bayes_ignore_header X-Barracuda-Apparent-Source-IP
5737bayes_ignore_header X-Barracuda-Bayes
5738bayes_ignore_header X-Barracuda-BBL-IP
5739bayes_ignore_header X-Barracuda-BRTS-Status
5740bayes_ignore_header X-Barracuda-BRTS-URL-Found
5741bayes_ignore_header X-Barracuda-Connect
5742bayes_ignore_header X-Barracuda-Encrypted
5743bayes_ignore_header X-Barracuda-Envelope-From
5744bayes_ignore_header X-Barracuda-Fingerprint-Found
5745bayes_ignore_header X-Barracuda-Orig-Rcpt
5746bayes_ignore_header X-Barracuda-RBL-IP
5747bayes_ignore_header X-Barracuda-RBL-Trusted-Forwarder
5748bayes_ignore_header X-Barracuda-Spam-Report
5749bayes_ignore_header X-Barracuda-Spam-Score
5750bayes_ignore_header X-Barracuda-Spam-Status
5751bayes_ignore_header X-Barracuda-Start-Time
5752bayes_ignore_header X-Barracuda-UID
5753bayes_ignore_header X-Barracuda-URL
5754bayes_ignore_header X-Barracuda-Virus-Alert
5755bayes_ignore_header X-Bayes-Prob
5756bayes_ignore_header X-Bayesian-Result
5757bayes_ignore_header X-BitDefender-Spam
5758bayes_ignore_header X-BitDefender-SpamStamp
5759bayes_ignore_header X-BL
5760bayes_ignore_header X-Bogosity
5761bayes_ignore_header X-Boxtrapper
5762bayes_ignore_header X-Brightmail-Tracker
5763bayes_ignore_header X-BTI-AntiSpam
5764bayes_ignore_header X-Bugzilla-Version
5765bayes_ignore_header X-CanIt-Geo
5766bayes_ignore_header X-Canit-Stats-ID
5767bayes_ignore_header X-CanItPRO-Stream
5768bayes_ignore_header X-Clapf-spamicity
5769bayes_ignore_header X-Cloud-Security
5770bayes_ignore_header X-CM-Score
5771bayes_ignore_header X-CMAE-Analysis
5772bayes_ignore_header X-CMAE-Match
5773bayes_ignore_header X-CMAE-Score
5774bayes_ignore_header X-CMAE-Verdict
5775bayes_ignore_header X-CNFS-Analysis
5776bayes_ignore_header X-Company
5777bayes_ignore_header X-Coremail-Antispam
5778bayes_ignore_header X-CRM114-CacheID
5779bayes_ignore_header X-CRM114-Status
5780bayes_ignore_header X-CRM114-Version
5781bayes_ignore_header X-CT-Spam
5782bayes_ignore_header X-CTCH-SenderID
5783bayes_ignore_header X-CTCH-SenderID-TotalBulk
5784bayes_ignore_header X-CTCH-SenderID-TotalConfirmed
5785bayes_ignore_header X-CTCH-SenderID-TotalMessages
5786bayes_ignore_header X-CTCH-SenderID-TotalRecipients
5787bayes_ignore_header X-CTCH-SenderID-TotalSpam
5788bayes_ignore_header X-CTCH-SenderID-TotalSuspected
5789bayes_ignore_header X-CTCH-SenderID-TotalVirus
5790bayes_ignore_header X-CTCH-Spam
5791bayes_ignore_header X-CTCH-VOD
5792bayes_ignore_header X-Drweb-SpamState
5793bayes_ignore_header X-DSPAM-Confidence
5794bayes_ignore_header X-DSPAM-Factors
5795bayes_ignore_header X-DSPAM-Improbability
5796bayes_ignore_header X-DSPAM-Probability
5797bayes_ignore_header X-DSPAM-Processed
5798bayes_ignore_header X-DSPAM-Result
5799bayes_ignore_header X-DSPAM-Signature
5800bayes_ignore_header x-eavas
5801bayes_ignore_header x-eavas-action
5802bayes_ignore_header x-eavas-eavasid
5803bayes_ignore_header X-Enigmail-Version
5804bayes_ignore_header X-EsetId
5805bayes_ignore_header X-EsetResult
5806bayes_ignore_header X-Exchange-Antispam-Report
5807bayes_ignore_header X-ExtloopSabreCommercials1
5808bayes_ignore_header X-EYOU-SPAMVALUE
5809bayes_ignore_header X-FB-OUTBOUND-SPAM
5810bayes_ignore_header X-FEAS-SBL
5811bayes_ignore_header X-FILTER-SCORE
5812bayes_ignore_header X-Forefront-Antispam-Report
5813bayes_ignore_header X-Forefront-PRVS
5814bayes_ignore_header X-Fuglu-Spamstatus
5815bayes_ignore_header X-Fuglu-Suspect
5816bayes_ignore_header X-getmail-filter-classifier
5817bayes_ignore_header X-GFIME-MASPAM
5818bayes_ignore_header X-Gmane-NNTP-Posting-Host
5819bayes_ignore_header X-GMX-Antispam
5820bayes_ignore_header X-GMX-Antivirus
5821bayes_ignore_header X-He-Spam
5822bayes_ignore_header X-hMailServer-Spam
5823bayes_ignore_header X-IAS
5824bayes_ignore_header X-iGspam-global
5825bayes_ignore_header X-Injected-Via-Gmane
5826bayes_ignore_header X-Interia-Antivirus
5827bayes_ignore_header X-IP-Spam-Verdict
5828bayes_ignore_header X-Ironport
5829bayes_ignore_header X-IronPort-Anti-Spam-Filtered
5830bayes_ignore_header X-IronPort-Anti-Spam-Result
5831bayes_ignore_header X-IronPort-AV
5832bayes_ignore_header X-Ironport-HAT
5833bayes_ignore_header X-Ironport-HOSTNAME
5834bayes_ignore_header X-Ironport-LNR
5835bayes_ignore_header X-Ironport-MessageFilter
5836bayes_ignore_header X-Ironport-MFP
5837bayes_ignore_header X-Ironport-MID
5838bayes_ignore_header X-IronPort-Outgoing-Antispam
5839bayes_ignore_header X-Ironport-RIF
5840bayes_ignore_header X-Ironport-SBRS
5841bayes_ignore_header X-Ironport-SENDER
5842bayes_ignore_header X-Ironport-SUBJECT
5843bayes_ignore_header X-Junk-Score
5844bayes_ignore_header X-Junkmail
5845bayes_ignore_header X-KLMS-AntiPhishing
5846bayes_ignore_header X-Klms-Antispam
5847bayes_ignore_header X-KLMS-AntiSpam-Info
5848bayes_ignore_header X-KLMS-AntiSpam-Interceptor-Info
5849bayes_ignore_header X-KLMS-AntiSpam-Lua-Profiles
5850bayes_ignore_header X-KLMS-AntiSpam-Method
5851bayes_ignore_header X-KLMS-AntiSpam-Moebius-Timestamps
5852bayes_ignore_header X-KLMS-AntiSpam-Rate
5853bayes_ignore_header X-KLMS-AntiSpam-Status
5854bayes_ignore_header X-KLMS-AntiSpam-Version
5855bayes_ignore_header X-KLMS-AntiVirus
5856bayes_ignore_header X-KLMS-AntiVirus-Status
5857bayes_ignore_header X-KLMS-Message-Action
5858bayes_ignore_header X-KLMS-Rule-ID
5859bayes_ignore_header X-KMail-EncryptionState
5860bayes_ignore_header X-KMail-MDN-Sent
5861bayes_ignore_header X-KMail-SignatureState
5862bayes_ignore_header X-MailCleaner-SpamChec
5863bayes_ignore_header X-MailCleaner-SpamCheck
5864bayes_ignore_header X-MailFoundry
5865bayes_ignore_header X-MDMailLookup-Result
5866bayes_ignore_header X-ME-Bayesian
5867bayes_ignore_header X-ME-Content
5868bayes_ignore_header X-MessageFilter
5869bayes_ignore_header X-Microsoft-Antispam
5870bayes_ignore_header X-Mlf-Version
5871bayes_ignore_header X-MXScan-AntiSpam
5872bayes_ignore_header X-MXScan-AntiVirus
5873bayes_ignore_header X-MXScan-Country-Sequence
5874bayes_ignore_header X-MXScan-License
5875bayes_ignore_header X-MXScan-Msgid
5876bayes_ignore_header X-MXScan-ProcessingTime
5877bayes_ignore_header X-MXScan-Scan
5878bayes_ignore_header X-NAI-Spam-Flag
5879bayes_ignore_header X-NAI-Spam-Rules
5880bayes_ignore_header X-NAI-Spam-Score
5881bayes_ignore_header X-NAI-Spam-Threshold
5882bayes_ignore_header X-NetStation-Status
5883bayes_ignore_header X-OVH-SPAMCAUSE
# NOTE(review): the next entry repeats the previous header name with a trailing
# colon. The bare-name entry above already covers the header; the colon form
# looks like a leftover and is presumably harmless. Verify.
5884bayes_ignore_header X-OVH-SPAMCAUSE:
5885bayes_ignore_header X-OVH-SPAMSCORE
5886bayes_ignore_header X-OVH-SPAMSTATE
5887bayes_ignore_header X-PerlMx-Spam
5888bayes_ignore_header X-PerlMx-Virus-Scanned
5889bayes_ignore_header X-PFSI-Info
5890bayes_ignore_header X-PMX-Spam
5891bayes_ignore_header X-PMX-Version
5892bayes_ignore_header X-Policy-Service
5893bayes_ignore_header X-policyd-weight
5894bayes_ignore_header X-PreRBLs
5895bayes_ignore_header X-Probable-Spam
5896bayes_ignore_header X-PROLinux-SpamCheck
5897bayes_ignore_header X-Proofpoint-Spam-Reason
5898bayes_ignore_header X-Proofpoint-Virus-Version
# NOTE(review): every other entry in this list is a bare header name, but the
# next one carries ": clean", which looks like a header value. Whether the
# plain x-purgate-eavas header is still kept out of Bayes tokenisation depends
# on how the directive parses its argument. Verify, and if it is not excluded,
# add a bare-name entry in /etc/mail/spamassassin/local.cf so an upstream
# filter's verdict header does not feed the Bayes database.
5899bayes_ignore_header x-purgate-eavas: clean
5900bayes_ignore_header x-purgate-id
5901bayes_ignore_header x-purgate-size
5902bayes_ignore_header x-purgate-type
5903bayes_ignore_header X-Qmail-Scanner-Diagnostics
5904bayes_ignore_header X-Qmail-Scanner-MOVED-X-Spam-Status
5905bayes_ignore_header X-Quarantine-ID
5906bayes_ignore_header X-RSpam-Report
5907bayes_ignore_header X-SA-Do-Not-Run
5908bayes_ignore_header X-SA-Exim-Version
5909bayes_ignore_header X-Scanned-by
5910bayes_ignore_header X-SmarterMail-CustomSpamHeader
5911bayes_ignore_header X-Spam
5912bayes_ignore_header X-Spam-Action
5913bayes_ignore_header X-SPAM-AISP
5914bayes_ignore_header X-Spam-Check-By
5915bayes_ignore_header X-Spam-Checker-Version
5916bayes_ignore_header X-Spam-CMAE-Analysis
5917bayes_ignore_header X-Spam-CMAESCORE
5918bayes_ignore_header X-Spam-CTCH-RefID
5919bayes_ignore_header X-Spam-Flag
5920bayes_ignore_header X-Spam-Level
5921bayes_ignore_header X-Spam-Processed
5922bayes_ignore_header X-Spam-Report
5923bayes_ignore_header X-Spam-Scanned
5924bayes_ignore_header X-Spam-Score
5925bayes_ignore_header X-Spam-Score-Int
5926bayes_ignore_header X-Spam-SmartLearn
5927bayes_ignore_header X-Spam-Status
5928bayes_ignore_header X-Spam-Threshold
5929bayes_ignore_header X-Spam_bar
5930bayes_ignore_header X-Spambayes-Classification
5931bayes_ignore_header X-SpamExperts-Domain
5932bayes_ignore_header X-SpamExperts-Outgoing-Class
5933bayes_ignore_header X-SpamExperts-Outgoing-Evidence
5934bayes_ignore_header X-SpamExperts-Username
5935bayes_ignore_header X-Spamfilter-host
5936bayes_ignore_header X-Spamina-Bogosity
5937bayes_ignore_header X-Spamina-Spam-Report
5938bayes_ignore_header X-Spamina-Spam-Score
5939bayes_ignore_header X-SpamInfo
5940bayes_ignore_header X-Spamsave
5941bayes_ignore_header X-SpamTest-Group-ID
5942bayes_ignore_header X-SpamTest-Info
5943bayes_ignore_header X-SpamTest-Method
5944bayes_ignore_header X-SpamTest-Rate
5945bayes_ignore_header X-SpamTest-SPF
5946bayes_ignore_header X-SpamTest-Status
5947bayes_ignore_header X-SpamTest-Status-Extended
5948bayes_ignore_header X-SPF-Scan-By
5949bayes_ignore_header X-STA-Metric
5950bayes_ignore_header X-STA-NotSpam
5951bayes_ignore_header X-STA-Spam
5952bayes_ignore_header X-StarScan-Version
5953bayes_ignore_header X-SurGATE-Result
5954bayes_ignore_header X-SWITCHham-Score
5955bayes_ignore_header X-UI-Filterresults
5956bayes_ignore_header X-UI-Loop
5957bayes_ignore_header X-UI-Out-Filterresults
5958bayes_ignore_header X-Univie-Spam-Checker-Version
5959bayes_ignore_header X-Univie-Virus-Scan
5960bayes_ignore_header X-Virus
5961bayes_ignore_header X-Virus-Checker-Version
5962bayes_ignore_header X-Virus-Scanned
5963bayes_ignore_header X-Virus-Scanner-Result
5964bayes_ignore_header X-Virus-Scanner-Version
5965bayes_ignore_header X-Virus-Status
5966bayes_ignore_header X-VirusChecked
5967bayes_ignore_header X-VR-SCORE
5968bayes_ignore_header X-VR-SPAMCAUSE
5969bayes_ignore_header X-VR-STATUS
5970bayes_ignore_header X-WatchGuard-Mail-Client-IP
5971bayes_ignore_header X-WatchGuard-Mail-From
5972bayes_ignore_header X-WatchGuard-Mail-Recipients
5973bayes_ignore_header X-WatchGuard-Spam-ID
5974bayes_ignore_header X-WatchGuard-Spam-Score
5975bayes_ignore_header X-Whitelist-Domain
5976bayes_ignore_header X-WUM-CCI
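5977bayes_ignore_header X_CMAE_Category
# The section's closing marker was fused onto the entry above. Text from "#"
# onward is a comment to the parser, so the header name is the same either way;
# the marker is put back on its own line so section-aware tooling can find it.
##} bayes_ignore_header_sandbox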
5978
5979##{ if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
5980
# Active only on SpamAssassin >= 3.4.1 with the AskDNS plugin loaded.
#
# The four __FROM_FMBLA_* subrules look up "<author domain>.fresh.fmb.la" (A
# record) and each matches one exact answer: 127.2.0.2, 127.2.0.14, 127.2.0.28
# or 127.255.255.255.
# NOTE(review): the rule names suggest "newly registered domain" age buckets
# and a "query blocked" answer; confirm the code meanings with the list
# operator's documentation before scoring on them.
# Operational points: every scanned message sends its author domain to a
# third-party DNS zone, and results depend on that zone being reachable from
# the resolver in use.
#
# __PDS_SPF_ONLYALL fetches the sender domain's TXT records and matches only a
# record that is exactly "v=spf1 +all". Such a policy authorises every host, so
# an SPF pass for that domain carries no weight. Because the pattern is
# anchored at both ends it does not match records that list other mechanisms
# before "+all", nor the equivalent bare "all" form.
#
# The `reuse` lines name rules whose earlier hits may be reused during
# mass-checks; the rules themselves are defined elsewhere.
5981if (version >= 3.004001)
5982ifplugin Mail::SpamAssassin::Plugin::AskDNS
5983askdns __FROM_FMBLA_NEWDOM _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/
5984askdns __FROM_FMBLA_NEWDOM14 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.14$/
5985askdns __FROM_FMBLA_NEWDOM28 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.28$/
5986askdns __FROM_FMBLA_NDBLOCKED _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.255\.255\.255$/
5987reuse FROM_FMBLA_NEWDOM
5988reuse FROM_FMBLA_NEWDOM14
5989reuse FROM_FMBLA_NEWDOM28
5990reuse FROM_FMBLA_NDBLOCKED
5991reuse __PDS_NEWDOMAIN
5992reuse FROM_NUMBERO_NEWDOMAIN
5993reuse FROM_NEWDOM_BTC
5994askdns __PDS_SPF_ONLYALL _SENDERDOMAIN_ TXT /^v=spf1 \+all$/
5995reuse BITCOIN_SPF_ONLYALL
5996endif
5997endif
5998##} if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
5999
6000##{ if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox
6001
# Active only on SpamAssassin >= 3.4.2 with the WLBLEval plugin loaded.
#
# This section builds named lists only; the rules that test them are defined
# elsewhere (their names appear in the `reuse` lines).
#  - PAYPAL, BANKS, GOV: address globs for sender domains of brands and
#    institutions. NOTE(review): judging by the reuse'd rule names
#    (FROM_PAYPAL_SPOOF, FROM_BANK_NOAUTH, FROM_GOV_SPOOF) these feed
#    spoofed-sender checks; verify against those rules.
#  - SUSP_NTLD (address globs) and SUSP_URI_NTLD (URI hosts): the same 23 TLDs
#    are entered once in each list, so any change has to be made in both.
#  - SUSP_URI_NTLD_PRO: a separate one-entry URI host list ("pro").
# The lists are static. A brand or TLD that is not listed, or a look-alike
# domain, is not covered, so treat these as a baseline and put site-specific
# additions in /etc/mail/spamassassin/local.cf.
# "*@paypal.de" appears in two PAYPAL lines; the repeat is redundant.
6002if (version >= 3.004002)
6003ifplugin Mail::SpamAssassin::Plugin::WLBLEval
6004enlist_addrlist (PAYPAL) *@paypal.com *@paypal.co.uk *@paypal.de *@paypal.com.au *@paypal.it
6005enlist_addrlist (PAYPAL) *@paypal.es *@paypal.fr *@paypal.de *@paypal.com.hk
6006enlist_addrlist (PAYPAL) *@*.paypal.com *@*.paypal.co.uk
6007reuse __FROM_ADDRLIST_PAYPAL
6008reuse FROM_PAYPAL_SPOOF
6009enlist_addrlist (BANKS) *@abbey.co.uk *@abbey.com *@abbeyinternational.com *@abbeyinternational.co.uk *@abbeynational.com *@abbeynational.co.uk
6010enlist_addrlist (BANKS) *@allianceleicester.com *@allianceleicester.co.uk *@alliance-leicester.com *@alliance-leicester.co.uk
6011enlist_addrlist (BANKS) *@bankofamerica.com *@bankofamerica.co.uk
6012enlist_addrlist (BANKS) *@barclaycard.com *@barclays.com
6013enlist_addrlist (BANKS) *@citibank.com
6014enlist_addrlist (BANKS) *@firstdirect.com *@firstdirect.co.uk
6015enlist_addrlist (BANKS) *@halifax.com *@halifax.co.uk *@halifax-online.co.uk *@halifax-online.com
6016enlist_addrlist (BANKS) *@hbos.com *@hbos.co.uk
6017enlist_addrlist (BANKS) *@hsbc.com *@hsbc.co.uk *@hsbc.hk *@hsbcgroup.com *@hsbcgroup.co.uk
6018enlist_addrlist (BANKS) *@lloydstsb.com *@lloydstsb.co.uk *@lloyds.com
6019enlist_addrlist (BANKS) *@mbna.com
6020enlist_addrlist (BANKS) *@nationwide.com *@nationwide.co.uk
6021enlist_addrlist (BANKS) *@natwest.com *@natwest.co.uk
6022enlist_addrlist (BANKS) *@santander.com *@santander.co.uk
6023enlist_addrlist (BANKS) *@standardbank.co.za
6024enlist_addrlist (BANKS) *@ybonline.co.uk *@ybonline.com
6025reuse __FROM_ADDRLIST_BANKS
6026reuse FROM_BANK_NOAUTH
6027enlist_addrlist (GOV) *@*.gov
6028enlist_addrlist (GOV) *@*.gov.uk *@parliament.uk *@*.parliament.uk
6029reuse __FROM_ADDRLIST_GOV
6030reuse FROM_GOV_SPOOF
6031reuse FROM_GOV_DKIM_AU
6032reuse FROM_GOV_REPLYTO_FREEMAIL
6033enlist_addrlist (SUSP_NTLD) *@*.icu
6034enlist_addrlist (SUSP_NTLD) *@*.online
6035enlist_addrlist (SUSP_NTLD) *@*.work
6036enlist_addrlist (SUSP_NTLD) *@*.date
6037enlist_addrlist (SUSP_NTLD) *@*.top
6038enlist_addrlist (SUSP_NTLD) *@*.fun
6039enlist_addrlist (SUSP_NTLD) *@*.life
6040enlist_addrlist (SUSP_NTLD) *@*.review
6041enlist_addrlist (SUSP_NTLD) *@*.xyz
6042enlist_addrlist (SUSP_NTLD) *@*.bid
6043enlist_addrlist (SUSP_NTLD) *@*.stream
6044enlist_addrlist (SUSP_NTLD) *@*.site
6045enlist_addrlist (SUSP_NTLD) *@*.space
6046enlist_addrlist (SUSP_NTLD) *@*.gdn
6047enlist_addrlist (SUSP_NTLD) *@*.click
6048enlist_addrlist (SUSP_NTLD) *@*.world
6049enlist_addrlist (SUSP_NTLD) *@*.fit
6050enlist_addrlist (SUSP_NTLD) *@*.ooo
6051enlist_addrlist (SUSP_NTLD) *@*.faith
6052enlist_addrlist (SUSP_NTLD) *@*.buzz
6053enlist_addrlist (SUSP_NTLD) *@*.trade
6054enlist_addrlist (SUSP_NTLD) *@*.cyou
6055enlist_addrlist (SUSP_NTLD) *@*.vip
6056enlist_uri_host (SUSP_URI_NTLD) icu
6057enlist_uri_host (SUSP_URI_NTLD) online
6058enlist_uri_host (SUSP_URI_NTLD) work
6059enlist_uri_host (SUSP_URI_NTLD) date
6060enlist_uri_host (SUSP_URI_NTLD) top
6061enlist_uri_host (SUSP_URI_NTLD) fun
6062enlist_uri_host (SUSP_URI_NTLD) life
6063enlist_uri_host (SUSP_URI_NTLD) review
6064enlist_uri_host (SUSP_URI_NTLD) xyz
6065enlist_uri_host (SUSP_URI_NTLD) bid
6066enlist_uri_host (SUSP_URI_NTLD) stream
6067enlist_uri_host (SUSP_URI_NTLD) site
6068enlist_uri_host (SUSP_URI_NTLD) space
6069enlist_uri_host (SUSP_URI_NTLD) gdn
6070enlist_uri_host (SUSP_URI_NTLD) click
6071enlist_uri_host (SUSP_URI_NTLD) world
6072enlist_uri_host (SUSP_URI_NTLD) fit
6073enlist_uri_host (SUSP_URI_NTLD) ooo
6074enlist_uri_host (SUSP_URI_NTLD) faith
6075enlist_uri_host (SUSP_URI_NTLD) buzz
6076enlist_uri_host (SUSP_URI_NTLD) trade
6077enlist_uri_host (SUSP_URI_NTLD) cyou
6078enlist_uri_host (SUSP_URI_NTLD) vip
6079enlist_uri_host (SUSP_URI_NTLD_PRO) pro
6080reuse __FROM_ADDRLIST_SUSPNTLD
6081reuse __REPLYTO_ADDRLIST_SUSPNTLD
6082reuse FROM_SUSPICIOUS_NTLD
6083reuse GOOGLE_DRIVE_REPLY_BAD_NTLD
6084reuse VPS_NO_NTLD
6085endif
6086endif
6087##} if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox
6088
6089##{ if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox
6090
# Scheduling tweak for the HashBL rule T_GB_HASHBL_BTC. Active only on
# SpamAssassin >= 3.4.3 with the HashBL plugin loaded. The rule body and its
# score are not in this section.
6091if (version >= 3.004003)
6092 ifplugin Mail::SpamAssassin::Plugin::HashBL
# Lower priority values are scheduled first, so -100 places this rule ahead of
# default-priority rules (presumably so its lookup is started early; confirm).
6093 priority T_GB_HASHBL_BTC -100
# 'reuse' does not define or score a rule; it marks the rule so that rule-QA
# mass-check runs may take its hit from a previously recorded result.
6094 reuse T_GB_HASHBL_BTC
6095endif
6096endif
6097##} if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox
6098
6099##{ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6100
# Homoglyph tag for the letter "e". Active only when this SpamAssassin build
# advertises feature_bug6558_free and the ReplaceTags plugin is loaded.
6101if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
6102 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
# lcase_e matches ASCII "e" or one of several two-byte UTF-8 sequences, written
# as raw bytes (lead byte followed by a class of second bytes). They cover
# accented Latin e and Greek/Cyrillic look-alikes, so a rule can still match a
# word whose "e" was swapped for a similar glyph.
# NOTE(review): in \xd3[\x07\xa9\xab] the byte \x07 is outside the UTF-8
# continuation range 0x80-0xBF, so that alternative cannot match well-formed
# UTF-8; possibly a typo for another byte. Confirm upstream.
# NOTE(review): \xc8\x80 decodes to U+0200, an A-like letter rather than an
# e-like one. Confirm whether it is intended.
6103 replace_tag lcase_e (?:e|\xc3[\xa8\xa9\xaa\xab]|\xc4[\x93\x95\x97\x99\x9b]|\xc8[\x85\x87\x80]|\xcf\xb5|\xd0\xb5|\xd1[\x90\x91\x94\xb3]|\xd2[\xbc\xbd\xbe\xbf]|\xd3[\x07\xa9\xab])
# Enables tag expansion in __E_LIKE_LETTER, which is defined elsewhere.
6104 replace_rules __E_LIKE_LETTER
6105endif
6106endif
6107##} if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6108
6109##{ ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
6110
# DNS-based sub-rules, active only when the AskDNS plugin is loaded.
# Each 'askdns' line names a rule, a query template, a record type (A) and a
# regex that the returned address must match for the rule to hit.
#
# Operational notes for whoever runs this filter:
#  - These are live network lookups. The DKIM signing domain of each scanned
#    message is sent as a DNS query under lookup.dkimwl.org, so the resolver
#    path and that zone's operator see which domains sign your inbound mail.
#  - _DKIMDOMAIN_ is filled in by the DKIM plugin; per its documentation the
#    value comes from valid signatures. Confirm for the deployed version.
#  - If DNS is unavailable or answers are filtered, none of these sub-rules
#    hit, and the DKIMWL_* rules that depend on them behave accordingly.
6111ifplugin Mail::SpamAssassin::Plugin::AskDNS
# Third octet of the answer selects the sender class: 3 -> FREEMAIL, 2 -> BULKMAIL.
6112askdns __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/
6113reuse __DKIMWL_FREEMAIL
6114askdns __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/
6115reuse __DKIMWL_BULKMAIL
# Fourth octet selects the listing level: 5 -> WL_HI, 4 -> WL_MEDHI,
# 3 -> WL_MED, 0 -> WL_BL.
6116askdns __DKIMWL_WL_HI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/
6117reuse __DKIMWL_WL_HI
6118askdns __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/
6119reuse __DKIMWL_WL_MEDHI
6120askdns __DKIMWL_WL_MED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/
6121reuse __DKIMWL_WL_MED
6122askdns __DKIMWL_WL_BL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/
6123reuse __DKIMWL_WL_BL
# The exact answer 127.255.255.255 sets __DKIMWL_BLOCKED. Presumably this means
# the service is refusing this resolver rather than listing the domain; confirm
# against the service's documentation.
6124askdns __DKIMWL_BLOCKED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/
6125reuse __DKIMWL_BLOCKED
# The scored rules built on the sub-rules above are defined elsewhere. 'reuse'
# only marks them so rule-QA mass-check runs may use recorded hits.
6126reuse DKIMWL_WL_HIGH
6127reuse DKIMWL_WL_MEDHI
6128reuse DKIMWL_WL_MED
6129reuse DKIMWL_BL
6130reuse DKIMWL_BLOCKED
# Hits when the HELO name given by the last external relay returns any A
# record; the filter /./ accepts any non-empty answer.
6131askdns __HELO_DNS _LASTEXTERNALHELO_ A /./
6132endif
6133##} ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
6134
6135##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox
6136
# Active only when the DNSEval plugin is loaded. The DNSBL rule RCVD_IN_PSBL is
# defined elsewhere. This section only marks it with 'reuse', so rule-QA
# mass-check runs may take its hit from a recorded result.
6137ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
6138reuse RCVD_IN_PSBL
6139endif
6140##} ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox
6141
6142##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox
6143
# Active only when the DNSEval plugin is loaded. Every line marks one
# RCVD_IN_IADB_* rule with 'reuse', so rule-QA mass-check runs may take its hit
# from a recorded result. The lookups, descriptions and scores for these rules
# are defined elsewhere; nothing here changes how a message is scored.
6144ifplugin Mail::SpamAssassin::Plugin::DNSEval
6145reuse RCVD_IN_IADB_LISTED
6146reuse RCVD_IN_IADB_EDDB
6147reuse RCVD_IN_IADB_EPIA
6148reuse RCVD_IN_IADB_SPF
6149reuse RCVD_IN_IADB_SENDERID
6150reuse RCVD_IN_IADB_DK
6151reuse RCVD_IN_IADB_RDNS
6152reuse RCVD_IN_IADB_GOODMAIL
6153reuse RCVD_IN_IADB_NOCONTROL
6154reuse RCVD_IN_IADB_OPTOUTONLY
6155reuse RCVD_IN_IADB_UNVERIFIED_1
6156reuse RCVD_IN_IADB_UNVERIFIED_2
6157reuse RCVD_IN_IADB_LOOSE
6158reuse RCVD_IN_IADB_OPTIN_LT50
6159reuse RCVD_IN_IADB_OPTIN_GT50
6160reuse RCVD_IN_IADB_OPTIN
6161reuse RCVD_IN_IADB_DOPTIN_LT50
6162reuse RCVD_IN_IADB_DOPTIN_GT50
6163reuse RCVD_IN_IADB_DOPTIN
6164reuse RCVD_IN_IADB_ML_DOPTIN
6165reuse RCVD_IN_IADB_OOO
6166reuse RCVD_IN_IADB_MI_CPEAR
6167reuse RCVD_IN_IADB_UT_CPEAR
6168reuse RCVD_IN_IADB_MI_CPR_30
6169reuse RCVD_IN_IADB_UT_CPR_30
6170reuse RCVD_IN_IADB_MI_CPR_MAT
6171reuse RCVD_IN_IADB_UT_CPR_MAT
6172endif
6173##} ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox
6174
6175##{ ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox
6176
# Settings for the FromNameSpoof plugin, active only when it is loaded. They
# tune the sub-rules __PLUGIN_FROMNAME_SPOOF and __PLUGIN_FROMNAME_EQUALS_TO,
# which are defined elsewhere.
6177ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
# Exemption list: domains for which the spoof check is skipped when the message
# is DKIM-signed by them (per the plugin documentation; confirm for the
# deployed version). Each entry widens what the check lets through, so keep the
# list short and review it when it changes.
6178fns_ignore_dkim linkedin.com googlegroups.com yahoogroups.com yahoogroups.de
# Messages carrying a List-Id header are skipped. List-Id is written by the
# sending side and is not authenticated, so this exemption relies on other
# rules to cover mail that merely claims to be list traffic.
6179fns_ignore_headers List-Id
# Selects the plugin's comparison mode. The meaning of each level is given in
# the plugin's perldoc and is not visible in this file.
6180fns_check 1
# 'reuse' only marks these sub-rules so rule-QA mass-check runs may use
# recorded hits.
6181reuse __PLUGIN_FROMNAME_SPOOF
6182reuse __PLUGIN_FROMNAME_EQUALS_TO
6183endif
6184##} ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox
6185
6186##{ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6187
# ReplaceTags configuration, active only when the plugin is loaded.
#   replace_tag NAME REGEX  defines a reusable fragment, written <NAME> in rules.
#   replace_rules RULE ...  expands those placeholders in the listed rules.
# The rules themselves, with their descriptions and scores, are defined
# elsewhere; this section supplies only the shared fragments. A tag may use
# tags defined before it (<ANDOR> and <NUMBER> are used by the FF_* tags below).
# Escapes such as \xe4 or \xf3 are single raw bytes. How they line up with
# message text depends on the charset handling in the deployed version (confirm).
6188ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
6189replace_rules T_FUZZY_SPRM
6190replace_rules FUZZY_MERIDIA
6191replace_rules TVD_FUZZY_PHARMACEUTICAL
6192replace_rules TVD_FUZZY_SYMBOL
6193replace_rules T_TVD_FUZZY_SECURITIES
6194replace_rules TVD_FUZZY_FINANCE
6195replace_rules TVD_FUZZY_FIXED_RATE
6196replace_rules TVD_FUZZY_MICROCAP
6197replace_rules T_TVD_FUZZY_SECTOR
6198replace_rules TVD_FUZZY_DEGREE
6199 replace_rules __COPY_PASTE_EN
# --- "Fill this form" fragments (FF_*) ---
# Building blocks for the __FILL_THIS_FORM_* rules listed further down. They
# describe the labelled blank fields of a form that asks the recipient to send
# back personal or financial details.
# FF_LNNO: a list-item marker (digits, roman numerals, letters A-K, * or #).
6200 replace_tag FF_LNNO (?:(?:\d{1,3}(?:[)}\]:.,]{1,80}|(?:st|nd|rd|th)[)}\]:.,]{0,3})|\W?\([\div]{1,5}\)|\W?\{\d{1,3}\}|\[\d{1,3}\]|\*{1,5}|\#{1,5}|\(?[A-K][)}\]:.,]{1,3})\s?)
# FF_YOUR: optional lead-in such as "your", "current", "full" (several languages).
6201 replace_tag FF_YOUR (?:a?\s?copy\sof\s)?(?:(?:your|din|seu|twoje)[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full(?:st[\xe4]ndigt)?\s?|complete\s|direct\s|private?\s|valid\s|personal\s|nuvarande\s|vollst[\xe4]ndige\s|aktuelle\s|pe\s(?:ne\s)?){0,3}
# ANDOR: a joiner between field names ("/", "&", "+", ",", "or", "and").
6202 replace_tag ANDOR (?:\s?[\/&+,]\s?|\sor\s|\sand?\s)
# NUMBER: spellings of "number" ("num", "no.", "#", "nbr", ...).
6203 replace_tag NUMBER (?:(?:ruf)?num(?:[bm]er)?\(?s?\)?|nos?\.|no\b|n[\xb0]|\#s?|nbrs?\.?)
# FF_SUFFIX: optional trailer such as "in full" or a short parenthesised hint.
6204 replace_tag FF_SUFFIX (?:\sin\s(?:full|words)|\scompleto)?:?(?:\s?[({][^)}]{1,30}[)}])?
# FF_BLANK1 / FF_BLANK2: the blank to be filled in, i.e. a run of dots, dashes,
# underscores, numeric entities or the UTF-8 ellipsis bytes.
6205 replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){3,100}))
6206 replace_tag FF_BLANK2 (?:[^-=_.,:;*\w]{0,3}(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){1,100})
# Field-name families: A1/A2 address, N1 name, P1 phone, M1 personal attributes,
# L1 employment/loan, F1 bank/account, F2 identity documents, F3 misc (password,
# amounts), F4 login/user name, F5 reference/batch numbers.
6207 replace_tag FF_A1 (?:(?:countr?y|city|province|ter+itory|(?:zip|post(?:al)?)(?:\s?code)?|st?ates?|ad+res+e?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))?
6208 replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail|bostads|wohn)<ANDOR>?){0,3}\s?(?:ad+res+[es]{0,2}|location|endere[\xe7]o)(?:\sline)?(?:\s[0-9])?
6209 replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|user|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:<ANDOR>ad+res+)?
6210 replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one?)?|(?:ph|f)one|private)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s?<NUMBER>)?<ANDOR>?){1,3}
6211 replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|(?:user )?email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)<ANDOR>?){1,3}
# NOTE(review): in FF_L1, "work(?:ing)" has no "?" after the group, so only
# "working experience" matches and "work experience" does not. "(?:ing)?" may be
# what was intended; confirm upstream. "(ed)" is also the only capturing group
# on this line.
6212 replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?s?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf|zaw(?:=F3|[\xf3])d)
6213 replace_tag FF_F1 (?:(?:bank(?:ing)?|beneficiary|billing|acc(?:oun)?t|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|institution|a\/c|<NUMBER>)<ANDOR>?){1,3}
6214 replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(?:en[sc]e)?|pas+\s?port|id\scard|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?)<ANDOR>?){1,3}(?:\s<NUMBER>)?
6215 replace_tag FF_F3 (?:picture|zdj\scie|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|(?:e-?mail\s)?pas+word|e-?mai?l\sid|amount\s[\w\s]{0,30}lost[\w\s]{0,15})
6216 replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names?
6217 replace_tag FF_F5 (?:ref(?:erence)?|batch|win+ing|award|billet)[-\s]?<NUMBER>
# FF_ALL: any one of the field-name families above.
6218 replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>|<FF_L1>)
6219 replace_rules __FILL_THIS_FORM_LONG1
6220 replace_rules __FILL_THIS_FORM_LONG2
6221 replace_rules __FILL_THIS_FORM_PARTIAL
6222 replace_rules __FILL_THIS_FORM_PARTIAL_RAW
6223 replace_rules __FILL_THIS_FORM_SHORT1
6224 replace_rules __FILL_THIS_FORM_SHORT2
6225 replace_rules __FILL_THIS_FORM_LOAN1
6226 replace_rules __FILL_THIS_FORM_FRAUD_PHISH1
# --- Money fragments ---
# CURRENCY: currency symbols and codes, optionally bracketed.
6227 replace_tag CURRENCY (?:[\(\[]?(?:\bU[Ss][D\$]{0,2}|\$(?:US)?|usd|USD|CAD|GBP|=[Aa][34]|\xa3|&\#16[34];|(?i:pounds\ssterling)|\xa4|EUR(?:OS?)?|(?:d')?[Ee]uro?s?|(?i:eur)\sde|CHF|FCFA|d[\xf3]lares\sde\slos\sE+\.\s?U+\.)[\]\)]?)
6228 replace_tag GB_UK \b(?:U\.?K\.?|(?:Great\s)?Brit(?:ain|ish)|G\.?B\.?)\b
# NUM_NOT_DATE: a leading non-zero digit whose following text does not look like
# a dotted date. NUM_NOT_DATE_IP also rejects text that continues like a dotted
# IP address. Both are negative lookaheads and consume only the first digit.
6229 replace_tag NUM_NOT_DATE [1-9](?!\d\d\d\.\d\d\.\d\d\s)(?!\d?\.\d\d?\.\d\d\d\d\s)
6230 replace_tag NUM_NOT_DATE_IP <NUM_NOT_DATE>(?!\d{0,2}(?:\.0|\.[1-2]\d{0,2}){3}(?:\D|$))
6231 replace_rules __LOTSA_MONEY_00 __LOTSA_MONEY_01 __LOTSA_MONEY_02 __LOTSA_MONEY_03 __LOTSA_MONEY_04
# PERCENT: a two-digit or spelled-out percentage ("20%", "thirty percent").
6232 replace_tag PERCENT \b(?:\d\d|ten|[a-z]+teen|(?:twen|thir|fou?r|fif)ty(?:-?[a-z]+)?)\s?(?:%|percent)
6233 replace_rules __PCT_FOR_YOU_1 __PCT_FOR_YOU_2 __PCT_FOR_YOU_3 __PCT_OF_PMTS
# --- Rules that use tags defined outside this section ---
# Judging by their names, the FUZZY_* rules match obfuscated spellings of common
# words and brand names, and the __MY_* / __YOUR_* / __PAY_ME group matches
# extortion-style wording. Their patterns are not in this section, so treat
# those readings as unconfirmed.
6234 replace_rules T_FUZZY_OPTOUT
6235 replace_rules __FRT_PRICE
6236 replace_rules FUZZY_UNSUBSCRIBE
6237 replace_rules FUZZY_ANDROID
6238 replace_rules FUZZY_PROMOTION
6239 replace_rules FUZZY_PRIVACY
6240 replace_rules FUZZY_BROWSER
6241 replace_rules FUZZY_SAVINGS
6242 replace_rules FUZZY_IMPORTANT
6243 replace_rules FUZZY_SECURITY
6244 replace_rules __FUZZY_DR_OZ
6245 replace_rules FUZZY_CLICK_HERE
6246 replace_rules FUZZY_BITCOIN
6247 replace_rules __BITCOIN
6248 replace_rules FUZZY_WALLET
6249 replace_rules __FUZZY_MONERO
6250 replace_rules __FUZZY_WELLSFARGO_BODY
6251 replace_rules __FUZZY_WELLSFARGO_FROM
6252 replace_rules __FUZZY_PORN
6253 replace_rules FUZZY_AMAZON
6254 replace_rules FUZZY_APPLE
6255 replace_rules FUZZY_MICROSOFT
6256 replace_rules FUZZY_FACEBOOK
6257 replace_rules FUZZY_PAYPAL
6258 replace_rules FUZZY_NORTON
6259 replace_rules FUZZY_OVERSTOCK
6260 replace_rules __MY_VICTIM
6261 replace_rules __MY_MALWARE
6262 replace_rules __PAY_ME
6263 replace_rules __YOUR_PASSWORD
6264 replace_rules __YOUR_WEBCAM
6265 replace_rules __YOUR_ONAN
6266 replace_rules __YOUR_PERSONAL
6267 replace_rules __HOURS_DEADLINE
6268 replace_rules __EXPLOSIVE_DEVICE
6269replace_rules T_LFUZ_PWRMALE
6270 replace_rules __PDS_BTC_HACKER __PDS_BTC_PIRATE
# 'reuse' only marks these rules so rule-QA mass-check runs may use recorded
# hits; it does not define or score them.
6271 reuse T_PDS_BTC_AHACKER
6272 reuse T_PDS_BTC_HACKER
6273 reuse T_PDS_LTC_AHACKER
6274 reuse T_PDS_LTC_HACKER
6275endif
6276##} ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6277
6278##{ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox
6279
# Active only when the URIDNSBL plugin is loaded. The URI blocklist rule
# URIBL_RHS_DOB is defined elsewhere. This section only marks it with 'reuse',
# so rule-QA mass-check runs may take its hit from a recorded result.
6280ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
6281reuse URIBL_RHS_DOB
6282endif
6283##} ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox
6284
6285##{ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox
6286
6287ifplugin Mail::SpamAssassin::Plugin::WLBLEval
6288if (version >= 3.004000)
6289enlist_uri_host (PDS_CASHSHORTENER) cutpaid.com
6290enlist_uri_host (PDS_CASHSHORTENER) caat.site
6291enlist_uri_host (PDS_CASHSHORTENER) triabicia.com
6292enlist_uri_host (PDS_CASHSHORTENER) 2xs.io
6293enlist_uri_host (PDS_CASHSHORTENER) ocest.site
6294enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz
6295enlist_uri_host (PDS_CASHSHORTENER) waar.site
6296enlist_uri_host (PDS_CASHSHORTENER) cpmlink.net
6297enlist_uri_host (PDS_CASHSHORTENER) cowner.net
6298enlist_uri_host (PDS_CASHSHORTENER) adfoc.us
6299enlist_uri_host (PDS_CASHSHORTENER) shrinkhere.xyz
6300enlist_uri_host (PDS_CASHSHORTENER) gurl.pw
6301enlist_uri_host (PDS_CASHSHORTENER) shortearn.eu
6302enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz
6303enlist_uri_host (PDS_CASHSHORTENER) libittarc.com
6304enlist_uri_host (PDS_CASHSHORTENER) pc.cd
6305enlist_uri_host (PDS_CASHSHORTENER) fc.lc
6306enlist_uri_host (PDS_CASHSHORTENER) dares.xyz
6307enlist_uri_host (PDS_CASHSHORTENER) trendlouds.com
6308enlist_uri_host (PDS_CASHSHORTENER) yogaf.xyz
6309enlist_uri_host (PDS_CASHSHORTENER) cobs.xyz
6310enlist_uri_host (PDS_CASHSHORTENER) olnew.xyz
6311enlist_uri_host (PDS_CASHSHORTENER) cleft.xyz
6312enlist_uri_host (PDS_CASHSHORTENER) 7r6.com
6313enlist_uri_host (PDS_CASHSHORTENER) mitly.us
6314enlist_uri_host (PDS_CASHSHORTENER) kutpay.com
6315enlist_uri_host (PDS_CASHSHORTENER) gsurl.me
6316enlist_uri_host (PDS_CASHSHORTENER) gurl.ly
6317enlist_uri_host (PDS_CASHSHORTENER) gsurl.in
6318enlist_uri_host (PDS_CASHSHORTENER) acitoate.com
6319enlist_uri_host (PDS_CASHSHORTENER) aclabink.com
6320enlist_uri_host (PDS_CASHSHORTENER) activeation.com
6321enlist_uri_host (PDS_CASHSHORTENER) activeterium.com
6322enlist_uri_host (PDS_CASHSHORTENER) adflyforum.com
6323enlist_uri_host (PDS_CASHSHORTENER) adflymail.com
6324enlist_uri_host (PDS_CASHSHORTENER) adult.xyz
6325enlist_uri_host (PDS_CASHSHORTENER) agileurbia.com
6326enlist_uri_host (PDS_CASHSHORTENER) atomcurve.com
6327enlist_uri_host (PDS_CASHSHORTENER) ay.gy
6328enlist_uri_host (PDS_CASHSHORTENER) battleate.com
6329enlist_uri_host (PDS_CASHSHORTENER) biastonu.com
6330enlist_uri_host (PDS_CASHSHORTENER) bitigee.com
6331enlist_uri_host (PDS_CASHSHORTENER) briskrange.com
6332enlist_uri_host (PDS_CASHSHORTENER) brisktopia.com
6333enlist_uri_host (PDS_CASHSHORTENER) casualient.com
6334enlist_uri_host (PDS_CASHSHORTENER) clesolea.com
6335enlist_uri_host (PDS_CASHSHORTENER) code404.biz
6336enlist_uri_host (PDS_CASHSHORTENER) coginator.com
6337enlist_uri_host (PDS_CASHSHORTENER) cogismith.com
6338enlist_uri_host (PDS_CASHSHORTENER) covelign.com
6339enlist_uri_host (PDS_CASHSHORTENER) crefranek.com
6340enlist_uri_host (PDS_CASHSHORTENER) dashsphere.com
6341enlist_uri_host (PDS_CASHSHORTENER) dataurbia.com
6342enlist_uri_host (PDS_CASHSHORTENER) deciomm.com
6343enlist_uri_host (PDS_CASHSHORTENER) ducolomal.com
6344enlist_uri_host (PDS_CASHSHORTENER) east-jones.com
6345enlist_uri_host (PDS_CASHSHORTENER) ecleneue.com
6346enlist_uri_host (PDS_CASHSHORTENER) ellevolaw.com
6347enlist_uri_host (PDS_CASHSHORTENER) endroudo.com
6348enlist_uri_host (PDS_CASHSHORTENER) eunsetee.com
6349enlist_uri_host (PDS_CASHSHORTENER) fainbory.com
6350enlist_uri_host (PDS_CASHSHORTENER) fasttory.com
6351enlist_uri_host (PDS_CASHSHORTENER) fawright.com
6352enlist_uri_host (PDS_CASHSHORTENER) flyserve.co
6353enlist_uri_host (PDS_CASHSHORTENER) greponozy.com
6354enlist_uri_host (PDS_CASHSHORTENER) homoluath.com
6355enlist_uri_host (PDS_CASHSHORTENER) hopigrarn.com
6356enlist_uri_host (PDS_CASHSHORTENER) infopade.com
6357enlist_uri_host (PDS_CASHSHORTENER) j.gs
6358enlist_uri_host (PDS_CASHSHORTENER) kaitect.com
6359enlist_uri_host (PDS_CASHSHORTENER) kializer.com
6360enlist_uri_host (PDS_CASHSHORTENER) kibuilder.com
6361enlist_uri_host (PDS_CASHSHORTENER) kimechanic.com
6362enlist_uri_host (PDS_CASHSHORTENER) kudoflow.com
6363enlist_uri_host (PDS_CASHSHORTENER) legeerook.com
6364enlist_uri_host (PDS_CASHSHORTENER) libittarc.com
6365enlist_uri_host (PDS_CASHSHORTENER) linkjaunt.com
6366enlist_uri_host (PDS_CASHSHORTENER) locinealy.com
6367enlist_uri_host (PDS_CASHSHORTENER) maetrimal.com
6368enlist_uri_host (PDS_CASHSHORTENER) metastead.com
6369enlist_uri_host (PDS_CASHSHORTENER) mmoity.com
6370enlist_uri_host (PDS_CASHSHORTENER) mondoagram.com
6371enlist_uri_host (PDS_CASHSHORTENER) neswery.com
6372enlist_uri_host (PDS_CASHSHORTENER) nimbleinity.com
6373enlist_uri_host (PDS_CASHSHORTENER) onisedeo.com
6374enlist_uri_host (PDS_CASHSHORTENER) optitopt.com
6375enlist_uri_host (PDS_CASHSHORTENER) picocurl.com
6376enlist_uri_host (PDS_CASHSHORTENER) pladollmo.com
6377enlist_uri_host (PDS_CASHSHORTENER) preofery.com
6378enlist_uri_host (PDS_CASHSHORTENER) prereheus.com
6379enlist_uri_host (PDS_CASHSHORTENER) q.gs
6380enlist_uri_host (PDS_CASHSHORTENER) quainator.com
6381enlist_uri_host (PDS_CASHSHORTENER) quamiller.com
6382enlist_uri_host (PDS_CASHSHORTENER) queuecosm.bid
6383enlist_uri_host (PDS_CASHSHORTENER) raboninco.com
6384enlist_uri_host (PDS_CASHSHORTENER) rapidteria.com
6385enlist_uri_host (PDS_CASHSHORTENER) rapidtory.com
6386enlist_uri_host (PDS_CASHSHORTENER) sapolatsu.com
6387enlist_uri_host (PDS_CASHSHORTENER) scapognel.com
6388enlist_uri_host (PDS_CASHSHORTENER) simizer.com
6389enlist_uri_host (PDS_CASHSHORTENER) skamaker.com
6390enlist_uri_host (PDS_CASHSHORTENER) skamason.com
6391enlist_uri_host (PDS_CASHSHORTENER) sluppend.com
6392enlist_uri_host (PDS_CASHSHORTENER) sprysphere.com
6393enlist_uri_host (PDS_CASHSHORTENER) streamvoyage.com
6394enlist_uri_host (PDS_CASHSHORTENER) swarife.com
6395enlist_uri_host (PDS_CASHSHORTENER) swiftation.com
6396enlist_uri_host (PDS_CASHSHORTENER) swifttopia.com
6397enlist_uri_host (PDS_CASHSHORTENER) techigo.com
6398enlist_uri_host (PDS_CASHSHORTENER) threadsphere.bid
6399enlist_uri_host (PDS_CASHSHORTENER) tinyical.com
6400enlist_uri_host (PDS_CASHSHORTENER) tonancos.com
6401enlist_uri_host (PDS_CASHSHORTENER) triabicia.com
6402enlist_uri_host (PDS_CASHSHORTENER) turboagram.com
6403enlist_uri_host (PDS_CASHSHORTENER) twineer.com
6404enlist_uri_host (PDS_CASHSHORTENER) twiriock.com
6405enlist_uri_host (PDS_CASHSHORTENER) userlab66.com
6406enlist_uri_host (PDS_CASHSHORTENER) vaugette.com
6407enlist_uri_host (PDS_CASHSHORTENER) velocicosm.com
6408enlist_uri_host (PDS_CASHSHORTENER) velociterium.com
6409enlist_uri_host (PDS_CASHSHORTENER) viahold.com
6410enlist_uri_host (PDS_CASHSHORTENER) vializer.com
6411enlist_uri_host (PDS_CASHSHORTENER) viwright.com
6412enlist_uri_host (PDS_CASHSHORTENER) whareotiv.com
6413enlist_uri_host (PDS_CASHSHORTENER) wirecellar.com
6414enlist_uri_host (PDS_CASHSHORTENER) x19.biz
6415enlist_uri_host (PDS_CASHSHORTENER) x19network.com
6416enlist_uri_host (PDS_CASHSHORTENER) yabuilder.com
6417enlist_uri_host (PDS_CASHSHORTENER) yamechanic.com
6418enlist_uri_host (PDS_CASHSHORTENER) yoalizer.com
6419enlist_uri_host (PDS_CASHSHORTENER) yobuilder.com
6420enlist_uri_host (PDS_CASHSHORTENER) yoineer.com
6421enlist_uri_host (PDS_CASHSHORTENER) yoitect.com
6422enlist_uri_host (PDS_CASHSHORTENER) zipansion.com
6423enlist_uri_host (PDS_CASHSHORTENER) zipteria.com
6424enlist_uri_host (PDS_CASHSHORTENER) zipvale.com
6425enlist_uri_host (PDS_URISHORTENER) owl.li
6426enlist_uri_host (PDS_URISHORTENER) formspring.me
6427enlist_uri_host (PDS_URISHORTENER) cc.uz
6428enlist_uri_host (PDS_URISHORTENER) back.ly
6429enlist_uri_host (PDS_URISHORTENER) surl.me
6430enlist_uri_host (PDS_URISHORTENER) mysp.ac
6431enlist_uri_host (PDS_URISHORTENER) s.apache.org
6432enlist_uri_host (PDS_URISHORTENER) 0rz.tw
6433enlist_uri_host (PDS_URISHORTENER) 1l2.us
6434enlist_uri_host (PDS_URISHORTENER) 1link.in
6435enlist_uri_host (PDS_URISHORTENER) 1u.ro
6436enlist_uri_host (PDS_URISHORTENER) 1url.com
6437enlist_uri_host (PDS_URISHORTENER) 2.gp
6438enlist_uri_host (PDS_URISHORTENER) 2.ly
6439enlist_uri_host (PDS_URISHORTENER) 2big.at
6440enlist_uri_host (PDS_URISHORTENER) 2chap.it
6441enlist_uri_host (PDS_URISHORTENER) 2pl.us
6442enlist_uri_host (PDS_URISHORTENER) 2su.de
6443enlist_uri_host (PDS_URISHORTENER) 2tu.us
6444enlist_uri_host (PDS_URISHORTENER) 2ze.us
6445enlist_uri_host (PDS_URISHORTENER) 3.ly
6446enlist_uri_host (PDS_URISHORTENER) 301.to
6447enlist_uri_host (PDS_URISHORTENER) 301url.com
6448enlist_uri_host (PDS_URISHORTENER) 307.to
6449enlist_uri_host (PDS_URISHORTENER) 4ms.me
6450enlist_uri_host (PDS_URISHORTENER) 4sq.com
6451enlist_uri_host (PDS_URISHORTENER) 4url.cc
6452enlist_uri_host (PDS_URISHORTENER) 6url.com
6453enlist_uri_host (PDS_URISHORTENER) 7.ly
6454enlist_uri_host (PDS_URISHORTENER) 9mp.com
6455enlist_uri_host (PDS_URISHORTENER) a.gd
6456enlist_uri_host (PDS_URISHORTENER) a.gg
6457enlist_uri_host (PDS_URISHORTENER) a.nf
6458enlist_uri_host (PDS_URISHORTENER) a2a.me
6459enlist_uri_host (PDS_URISHORTENER) a2n.eu
6460enlist_uri_host (PDS_URISHORTENER) aa.cx
6461enlist_uri_host (PDS_URISHORTENER) abbr.com
6462enlist_uri_host (PDS_URISHORTENER) abcurl.net
6463enlist_uri_host (PDS_URISHORTENER) abe5.com
6464enlist_uri_host (PDS_URISHORTENER) access.im
6465enlist_uri_host (PDS_URISHORTENER) ad.vu
6466enlist_uri_host (PDS_URISHORTENER) adf.ly
6467enlist_uri_host (PDS_URISHORTENER) adjix.com
6468enlist_uri_host (PDS_URISHORTENER) afx.cc
6469enlist_uri_host (PDS_URISHORTENER) all.fuseurl.com
6470enlist_uri_host (PDS_URISHORTENER) alturl.com
6471enlist_uri_host (PDS_URISHORTENER) amzn.com
6472enlist_uri_host (PDS_URISHORTENER) amzn.to
6473enlist_uri_host (PDS_URISHORTENER) ar.gy
6474enlist_uri_host (PDS_URISHORTENER) arm.in
6475enlist_uri_host (PDS_URISHORTENER) arst.ch
6476enlist_uri_host (PDS_URISHORTENER) asso.in
6477enlist_uri_host (PDS_URISHORTENER) atu.ca
6478enlist_uri_host (PDS_URISHORTENER) aurls.info
6479enlist_uri_host (PDS_URISHORTENER) awe.sm
6480enlist_uri_host (PDS_URISHORTENER) ayl.lv
6481enlist_uri_host (PDS_URISHORTENER) azc.cc
6482enlist_uri_host (PDS_URISHORTENER) azqq.com
6483enlist_uri_host (PDS_URISHORTENER) b23.ru
6484enlist_uri_host (PDS_URISHORTENER) b2l.me
6485enlist_uri_host (PDS_URISHORTENER) b65.com
6486enlist_uri_host (PDS_URISHORTENER) b65.us
6487enlist_uri_host (PDS_URISHORTENER) bacn.me
6488enlist_uri_host (PDS_URISHORTENER) bcool.bz
6489enlist_uri_host (PDS_URISHORTENER) beam.to
6490enlist_uri_host (PDS_URISHORTENER) bgl.me
6491enlist_uri_host (PDS_URISHORTENER) binged.it
6492enlist_uri_host (PDS_URISHORTENER) bit.do
6493enlist_uri_host (PDS_URISHORTENER) bit.ly
6494enlist_uri_host (PDS_URISHORTENER) bitly.com
6495enlist_uri_host (PDS_URISHORTENER) bizj.us
6496enlist_uri_host (PDS_URISHORTENER) bkite.com
6497enlist_uri_host (PDS_URISHORTENER) blippr.com
6498enlist_uri_host (PDS_URISHORTENER) bloat.me
6499enlist_uri_host (PDS_URISHORTENER) blu.cc
6500enlist_uri_host (PDS_URISHORTENER) bon.no
6501enlist_uri_host (PDS_URISHORTENER) bravo.ly
6502enlist_uri_host (PDS_URISHORTENER) bsa.ly
6503enlist_uri_host (PDS_URISHORTENER) bt.io
6504enlist_uri_host (PDS_URISHORTENER) budurl.com
6505enlist_uri_host (PDS_URISHORTENER) buff.ly
6506enlist_uri_host (PDS_URISHORTENER) buk.me
6507enlist_uri_host (PDS_URISHORTENER) burnurl.com
6508enlist_uri_host (PDS_URISHORTENER) c-o.in
6509enlist_uri_host (PDS_URISHORTENER) c.shamekh.ws
6510enlist_uri_host (PDS_URISHORTENER) canurl.com
6511enlist_uri_host (PDS_URISHORTENER) cd4.me
6512enlist_uri_host (PDS_URISHORTENER) chilp.it
6513enlist_uri_host (PDS_URISHORTENER) chopd.it
6514enlist_uri_host (PDS_URISHORTENER) chpt.me
6515enlist_uri_host (PDS_URISHORTENER) chs.mx
6516enlist_uri_host (PDS_URISHORTENER) chzb.gr
6517enlist_uri_host (PDS_URISHORTENER) cl.lk
6518enlist_uri_host (PDS_URISHORTENER) cl.ly
6519enlist_uri_host (PDS_URISHORTENER) clck.ru
6520enlist_uri_host (PDS_URISHORTENER) cli.gs
6521enlist_uri_host (PDS_URISHORTENER) cliccami.info
6522enlist_uri_host (PDS_URISHORTENER) clickthru.ca
6523enlist_uri_host (PDS_URISHORTENER) clipurl.us
6524enlist_uri_host (PDS_URISHORTENER) clk.my
6525enlist_uri_host (PDS_URISHORTENER) cloaky.de
6526enlist_uri_host (PDS_URISHORTENER) clop.in
6527enlist_uri_host (PDS_URISHORTENER) clp.ly
6528enlist_uri_host (PDS_URISHORTENER) coge.la
6529enlist_uri_host (PDS_URISHORTENER) cokeurl.com
6530enlist_uri_host (PDS_URISHORTENER) conta.cc
6531enlist_uri_host (PDS_URISHORTENER) cort.as
6532enlist_uri_host (PDS_URISHORTENER) cot.ag
6533enlist_uri_host (PDS_URISHORTENER) crks.me
6534enlist_uri_host (PDS_URISHORTENER) crum.pl
6535enlist_uri_host (PDS_URISHORTENER) ctvr.us
6536enlist_uri_host (PDS_URISHORTENER) curio.us
6537enlist_uri_host (PDS_URISHORTENER) cuthut.com
6538enlist_uri_host (PDS_URISHORTENER) cutt.us
6539enlist_uri_host (PDS_URISHORTENER) cuturl.com
6540enlist_uri_host (PDS_URISHORTENER) cuturls.com
6541enlist_uri_host (PDS_URISHORTENER) dai.ly
6542enlist_uri_host (PDS_URISHORTENER) db.tt
6543enlist_uri_host (PDS_URISHORTENER) dealspl.us
6544enlist_uri_host (PDS_URISHORTENER) decenturl.com
6545enlist_uri_host (PDS_URISHORTENER) df9.net
6546enlist_uri_host (PDS_URISHORTENER) dfl8.me
6547enlist_uri_host (PDS_URISHORTENER) digbig.com
6548enlist_uri_host (PDS_URISHORTENER) digg.com
6549enlist_uri_host (PDS_URISHORTENER) digipills.com
6550enlist_uri_host (PDS_URISHORTENER) digs.by
6551enlist_uri_host (PDS_URISHORTENER) disq.us
6552enlist_uri_host (PDS_URISHORTENER) dld.bz
6553enlist_uri_host (PDS_URISHORTENER) dlvr.it
6554enlist_uri_host (PDS_URISHORTENER) dn.vc
6555enlist_uri_host (PDS_URISHORTENER) do.my
6556enlist_uri_host (PDS_URISHORTENER) doi.org
6557enlist_uri_host (PDS_URISHORTENER) doiop.com
6558enlist_uri_host (PDS_URISHORTENER) dopen.us
6559enlist_uri_host (PDS_URISHORTENER) dr.tl
6560enlist_uri_host (PDS_URISHORTENER) drudge.tw
6561enlist_uri_host (PDS_URISHORTENER) durl.me
6562enlist_uri_host (PDS_URISHORTENER) durl.us
6563enlist_uri_host (PDS_URISHORTENER) dvlr.it
6564enlist_uri_host (PDS_URISHORTENER) dwarfurl.com
6565enlist_uri_host (PDS_URISHORTENER) easyuri.com
6566enlist_uri_host (PDS_URISHORTENER) easyurl.net
6567enlist_uri_host (PDS_URISHORTENER) eca.sh
6568enlist_uri_host (PDS_URISHORTENER) eclurl.com
6569enlist_uri_host (PDS_URISHORTENER) eepurl.com
6570enlist_uri_host (PDS_URISHORTENER) eezurl.com
6571enlist_uri_host (PDS_URISHORTENER) eweri.com
6572enlist_uri_host (PDS_URISHORTENER) ewerl.com
6573enlist_uri_host (PDS_URISHORTENER) ezurl.eu
6574enlist_uri_host (PDS_URISHORTENER) fa.by
6575enlist_uri_host (PDS_URISHORTENER) faceto.us
6576enlist_uri_host (PDS_URISHORTENER) fav.me
6577enlist_uri_host (PDS_URISHORTENER) fb.me
6578enlist_uri_host (PDS_URISHORTENER) fbshare.me
6579enlist_uri_host (PDS_URISHORTENER) ff.im
6580enlist_uri_host (PDS_URISHORTENER) fff.to
6581enlist_uri_host (PDS_URISHORTENER) fhurl.com
6582enlist_uri_host (PDS_URISHORTENER) fire.to
6583enlist_uri_host (PDS_URISHORTENER) firsturl.de
6584enlist_uri_host (PDS_URISHORTENER) firsturl.net
6585enlist_uri_host (PDS_URISHORTENER) flic.kr
6586enlist_uri_host (PDS_URISHORTENER) flingk.com
6587enlist_uri_host (PDS_URISHORTENER) flq.us
6588enlist_uri_host (PDS_URISHORTENER) fly2.ws
6589enlist_uri_host (PDS_URISHORTENER) fon.gs
6590enlist_uri_host (PDS_URISHORTENER) foxyurl.com
6591enlist_uri_host (PDS_URISHORTENER) freak.to
6592enlist_uri_host (PDS_URISHORTENER) fur.ly
6593enlist_uri_host (PDS_URISHORTENER) fuseurl.com
6594enlist_uri_host (PDS_URISHORTENER) fuzzy.to
6595enlist_uri_host (PDS_URISHORTENER) fwd4.me
6596enlist_uri_host (PDS_URISHORTENER) fwdurl.net
6597enlist_uri_host (PDS_URISHORTENER) fwib.net
6598enlist_uri_host (PDS_URISHORTENER) g.ro.lt
6599enlist_uri_host (PDS_URISHORTENER) g8l.us
6600enlist_uri_host (PDS_URISHORTENER) get-shorty.com
6601enlist_uri_host (PDS_URISHORTENER) get-url.com
6602enlist_uri_host (PDS_URISHORTENER) get.sh
6603enlist_uri_host (PDS_URISHORTENER) geturl.us
6604enlist_uri_host (PDS_URISHORTENER) gg.gg
6605enlist_uri_host (PDS_URISHORTENER) gi.vc
6606enlist_uri_host (PDS_URISHORTENER) gizmo.do
6607enlist_uri_host (PDS_URISHORTENER) gkurl.us
6608enlist_uri_host (PDS_URISHORTENER) gl.am
6609enlist_uri_host (PDS_URISHORTENER) go.9nl.com
6610enlist_uri_host (PDS_URISHORTENER) go.ign.com
6611enlist_uri_host (PDS_URISHORTENER) go.to
6612enlist_uri_host (PDS_URISHORTENER) go.usa.gov
6613enlist_uri_host (PDS_URISHORTENER) go2.me
6614enlist_uri_host (PDS_URISHORTENER) gog.li
6615enlist_uri_host (PDS_URISHORTENER) golmao.com
6616enlist_uri_host (PDS_URISHORTENER) goo.gl
6617enlist_uri_host (PDS_URISHORTENER) goo.io
6618enlist_uri_host (PDS_URISHORTENER) good.ly
6619enlist_uri_host (PDS_URISHORTENER) goshrink.com
6620enlist_uri_host (PDS_URISHORTENER) gplus.to
6621enlist_uri_host (PDS_URISHORTENER) gri.ms
6622enlist_uri_host (PDS_URISHORTENER) gurl.es
6623enlist_uri_host (PDS_URISHORTENER) hao.jp
6624enlist_uri_host (PDS_URISHORTENER) hellotxt.com
6625enlist_uri_host (PDS_URISHORTENER) hex.io
6626enlist_uri_host (PDS_URISHORTENER) hiderefer.com
6627enlist_uri_host (PDS_URISHORTENER) hmm.ph
6628enlist_uri_host (PDS_URISHORTENER) hop.im
6629enlist_uri_host (PDS_URISHORTENER) hop.kz
6630enlist_uri_host (PDS_URISHORTENER) hopclicks.com
6631enlist_uri_host (PDS_URISHORTENER) hotredirect.com
6632enlist_uri_host (PDS_URISHORTENER) hotshorturl.com
6633enlist_uri_host (PDS_URISHORTENER) href.in
6634enlist_uri_host (PDS_URISHORTENER) hsblinks.com
6635enlist_uri_host (PDS_URISHORTENER) ht.ly
6636enlist_uri_host (PDS_URISHORTENER) htxt.it
6637enlist_uri_host (PDS_URISHORTENER) hub.am
6638enlist_uri_host (PDS_URISHORTENER) huff.to
6639enlist_uri_host (PDS_URISHORTENER) hugeurl.com
6640enlist_uri_host (PDS_URISHORTENER) hulu.com
6641enlist_uri_host (PDS_URISHORTENER) hurl.it
6642enlist_uri_host (PDS_URISHORTENER) hurl.me
6643enlist_uri_host (PDS_URISHORTENER) hurl.no
6644enlist_uri_host (PDS_URISHORTENER) hurl.ws
6645enlist_uri_host (PDS_URISHORTENER) icanhaz.com
6646enlist_uri_host (PDS_URISHORTENER) icio.us
6647enlist_uri_host (PDS_URISHORTENER) idek.net
6648enlist_uri_host (PDS_URISHORTENER) ikr.me
6649enlist_uri_host (PDS_URISHORTENER) ilix.in
6650enlist_uri_host (PDS_URISHORTENER) inx.lv
6651enlist_uri_host (PDS_URISHORTENER) ir.pe
6652enlist_uri_host (PDS_URISHORTENER) irt.me
6653enlist_uri_host (PDS_URISHORTENER) is.gd
6654enlist_uri_host (PDS_URISHORTENER) iscool.net
6655enlist_uri_host (PDS_URISHORTENER) it2.in
6656enlist_uri_host (PDS_URISHORTENER) ito.mx
6657enlist_uri_host (PDS_URISHORTENER) its.my
6658enlist_uri_host (PDS_URISHORTENER) itsy.it
6659enlist_uri_host (PDS_URISHORTENER) ix.lt
6660enlist_uri_host (PDS_URISHORTENER) j.mp
6661enlist_uri_host (PDS_URISHORTENER) j2j.de
6662enlist_uri_host (PDS_URISHORTENER) jdem.cz
6663enlist_uri_host (PDS_URISHORTENER) jijr.com
6664enlist_uri_host (PDS_URISHORTENER) just.as
6665enlist_uri_host (PDS_URISHORTENER) k.vu
6666enlist_uri_host (PDS_URISHORTENER) k6.kz
6667enlist_uri_host (PDS_URISHORTENER) ketkp.in
6668enlist_uri_host (PDS_URISHORTENER) kisa.ch
6669enlist_uri_host (PDS_URISHORTENER) kissa.be
6670enlist_uri_host (PDS_URISHORTENER) kl.am
6671enlist_uri_host (PDS_URISHORTENER) klck.me
6672enlist_uri_host (PDS_URISHORTENER) kore.us
6673enlist_uri_host (PDS_URISHORTENER) korta.nu
6674enlist_uri_host (PDS_URISHORTENER) kots.nu
6675enlist_uri_host (PDS_URISHORTENER) krunchd.com
6676enlist_uri_host (PDS_URISHORTENER) krz.ch
6677enlist_uri_host (PDS_URISHORTENER) ktzr.us
6678enlist_uri_host (PDS_URISHORTENER) kxk.me
6679enlist_uri_host (PDS_URISHORTENER) l.hh.de
6680enlist_uri_host (PDS_URISHORTENER) l.pr
6681enlist_uri_host (PDS_URISHORTENER) l9k.net
6682enlist_uri_host (PDS_URISHORTENER) lat.ms
6683enlist_uri_host (PDS_URISHORTENER) liip.to
6684enlist_uri_host (PDS_URISHORTENER) liltext.com
6685enlist_uri_host (PDS_URISHORTENER) lin.cr
6686enlist_uri_host (PDS_URISHORTENER) lin.io
6687enlist_uri_host (PDS_URISHORTENER) linkbee.com
6688enlist_uri_host (PDS_URISHORTENER) linkbun.ch
6689enlist_uri_host (PDS_URISHORTENER) linkee.com
6690enlist_uri_host (PDS_URISHORTENER) linkgap.com
6691enlist_uri_host (PDS_URISHORTENER) linkslice.com
6692enlist_uri_host (PDS_URISHORTENER) linxfix.de
6693enlist_uri_host (PDS_URISHORTENER) liteurl.net
6694enlist_uri_host (PDS_URISHORTENER) liurl.cn
6695enlist_uri_host (PDS_URISHORTENER) livesi.de
6696enlist_uri_host (PDS_URISHORTENER) lix.in
6697enlist_uri_host (PDS_URISHORTENER) lk.ht
6698enlist_uri_host (PDS_URISHORTENER) ln-s.net
6699enlist_uri_host (PDS_URISHORTENER) ln-s.ru
6700enlist_uri_host (PDS_URISHORTENER) lnk.by
6701enlist_uri_host (PDS_URISHORTENER) lnk.gd
6702enlist_uri_host (PDS_URISHORTENER) lnk.in
6703enlist_uri_host (PDS_URISHORTENER) lnk.ly
6704enlist_uri_host (PDS_URISHORTENER) lnk.ms
6705enlist_uri_host (PDS_URISHORTENER) lnk.sk
6706enlist_uri_host (PDS_URISHORTENER) lnkd.in
6707enlist_uri_host (PDS_URISHORTENER) lnkurl.com
6708enlist_uri_host (PDS_URISHORTENER) loopt.us
6709enlist_uri_host (PDS_URISHORTENER) lost.in
6710enlist_uri_host (PDS_URISHORTENER) lru.jp
6711enlist_uri_host (PDS_URISHORTENER) lt.tl
6712enlist_uri_host (PDS_URISHORTENER) lu.to
6713enlist_uri_host (PDS_URISHORTENER) lurl.no
6714enlist_uri_host (PDS_URISHORTENER) macte.ch
6715enlist_uri_host (PDS_URISHORTENER) mash.to
6716enlist_uri_host (PDS_URISHORTENER) mavrev.com
6717enlist_uri_host (PDS_URISHORTENER) mcaf.ee
6718enlist_uri_host (PDS_URISHORTENER) memurl.com
6719enlist_uri_host (PDS_URISHORTENER) merky.de
6720enlist_uri_host (PDS_URISHORTENER) metamark.net
6721enlist_uri_host (PDS_URISHORTENER) migre.me
6722enlist_uri_host (PDS_URISHORTENER) min2.me
6723enlist_uri_host (PDS_URISHORTENER) minilien.com
6724enlist_uri_host (PDS_URISHORTENER) minilink.org
6725enlist_uri_host (PDS_URISHORTENER) miniurl.com
6726enlist_uri_host (PDS_URISHORTENER) minurl.fr
6727enlist_uri_host (PDS_URISHORTENER) mke.me
6728enlist_uri_host (PDS_URISHORTENER) moby.to
6729enlist_uri_host (PDS_URISHORTENER) moourl.com
6730enlist_uri_host (PDS_URISHORTENER) mrte.ch
6731enlist_uri_host (PDS_URISHORTENER) msg.sg
6732enlist_uri_host (PDS_URISHORTENER) murl.kz
6733enlist_uri_host (PDS_URISHORTENER) mv2.me
6734enlist_uri_host (PDS_URISHORTENER) myloc.me
6735enlist_uri_host (PDS_URISHORTENER) mysp.in
6736enlist_uri_host (PDS_URISHORTENER) myurl.in
6737enlist_uri_host (PDS_URISHORTENER) myurl.si
6738enlist_uri_host (PDS_URISHORTENER) n.pr
6739enlist_uri_host (PDS_URISHORTENER) nanoref.com
6740enlist_uri_host (PDS_URISHORTENER) nanourl.se
6741enlist_uri_host (PDS_URISHORTENER) nbc.co
6742enlist_uri_host (PDS_URISHORTENER) nblo.gs
6743enlist_uri_host (PDS_URISHORTENER) nbx.ch
6744enlist_uri_host (PDS_URISHORTENER) ncane.com
6745enlist_uri_host (PDS_URISHORTENER) ndurl.com
6746enlist_uri_host (PDS_URISHORTENER) ne1.net
6747enlist_uri_host (PDS_URISHORTENER) netnet.me
6748enlist_uri_host (PDS_URISHORTENER) netshortcut.com
6749enlist_uri_host (PDS_URISHORTENER) ni.to
6750enlist_uri_host (PDS_URISHORTENER) nig.gr
6751enlist_uri_host (PDS_URISHORTENER) nm.ly
6752enlist_uri_host (PDS_URISHORTENER) nn.nf
6753enlist_uri_host (PDS_URISHORTENER) not.my
6754enlist_uri_host (PDS_URISHORTENER) notlong.com
6755enlist_uri_host (PDS_URISHORTENER) nsfw.in
6756enlist_uri_host (PDS_URISHORTENER) nutshellurl.com
6757enlist_uri_host (PDS_URISHORTENER) nxy.in
6758enlist_uri_host (PDS_URISHORTENER) nyti.ms
6759enlist_uri_host (PDS_URISHORTENER) o-x.fr
6760enlist_uri_host (PDS_URISHORTENER) o.ly
6761enlist_uri_host (PDS_URISHORTENER) oboeyasui.com
6762enlist_uri_host (PDS_URISHORTENER) oc1.us
6763enlist_uri_host (PDS_URISHORTENER) offur.com
6764enlist_uri_host (PDS_URISHORTENER) ofl.me
6765enlist_uri_host (PDS_URISHORTENER) om.ly
6766enlist_uri_host (PDS_URISHORTENER) omf.gd
6767enlist_uri_host (PDS_URISHORTENER) omoikane.net
6768enlist_uri_host (PDS_URISHORTENER) on.cnn.com
6769enlist_uri_host (PDS_URISHORTENER) on.mktw.net
6770enlist_uri_host (PDS_URISHORTENER) onecent.us
6771enlist_uri_host (PDS_URISHORTENER) onforb.es
6772enlist_uri_host (PDS_URISHORTENER) onion.com
6773enlist_uri_host (PDS_URISHORTENER) onsaas.info
6774enlist_uri_host (PDS_URISHORTENER) ooqx.com
6775enlist_uri_host (PDS_URISHORTENER) oreil.ly
6776enlist_uri_host (PDS_URISHORTENER) orz.se
6777enlist_uri_host (PDS_URISHORTENER) ow.ly
6778enlist_uri_host (PDS_URISHORTENER) oxyz.info
6779enlist_uri_host (PDS_URISHORTENER) p.ly
6780enlist_uri_host (PDS_URISHORTENER) p8g.tw
6781enlist_uri_host (PDS_URISHORTENER) parv.us
6782enlist_uri_host (PDS_URISHORTENER) paulding.net
6783enlist_uri_host (PDS_URISHORTENER) pduda.mobi
6784enlist_uri_host (PDS_URISHORTENER) peaurl.com
6785enlist_uri_host (PDS_URISHORTENER) pendek.in
6786enlist_uri_host (PDS_URISHORTENER) pep.si
6787enlist_uri_host (PDS_URISHORTENER) pic.gd
6788enlist_uri_host (PDS_URISHORTENER) piko.me
6789enlist_uri_host (PDS_URISHORTENER) ping.fm
6790enlist_uri_host (PDS_URISHORTENER) piurl.com
6791enlist_uri_host (PDS_URISHORTENER) pli.gs
6792enlist_uri_host (PDS_URISHORTENER) plumurl.com
6793enlist_uri_host (PDS_URISHORTENER) plurl.me
6794enlist_uri_host (PDS_URISHORTENER) pnt.me
6795enlist_uri_host (PDS_URISHORTENER) politi.co
6796enlist_uri_host (PDS_URISHORTENER) poll.fm
6797enlist_uri_host (PDS_URISHORTENER) pop.ly
6798enlist_uri_host (PDS_URISHORTENER) poprl.com
6799enlist_uri_host (PDS_URISHORTENER) post.ly
6800enlist_uri_host (PDS_URISHORTENER) posted.at
6801enlist_uri_host (PDS_URISHORTENER) pp.gg
6802enlist_uri_host (PDS_URISHORTENER) profile.to
6803enlist_uri_host (PDS_URISHORTENER) pt2.me
6804enlist_uri_host (PDS_URISHORTENER) ptiturl.com
6805enlist_uri_host (PDS_URISHORTENER) pub.vitrue.com
6806enlist_uri_host (PDS_URISHORTENER) puke.it
6807enlist_uri_host (PDS_URISHORTENER) pysper.com
6808enlist_uri_host (PDS_URISHORTENER) qik.li
6809enlist_uri_host (PDS_URISHORTENER) qlnk.net
6810enlist_uri_host (PDS_URISHORTENER) qoiob.com
6811enlist_uri_host (PDS_URISHORTENER) qr.cx
6812enlist_uri_host (PDS_URISHORTENER) qte.me
6813enlist_uri_host (PDS_URISHORTENER) qu.tc
6814enlist_uri_host (PDS_URISHORTENER) quickurl.co.uk
6815enlist_uri_host (PDS_URISHORTENER) qurl.com
6816enlist_uri_host (PDS_URISHORTENER) qurlyq.com
6817enlist_uri_host (PDS_URISHORTENER) quu.nu
6818enlist_uri_host (PDS_URISHORTENER) qux.in
6819enlist_uri_host (PDS_URISHORTENER) qy.fi
6820enlist_uri_host (PDS_URISHORTENER) r.im
6821enlist_uri_host (PDS_URISHORTENER) rb6.me
6822enlist_uri_host (PDS_URISHORTENER) rde.me
6823enlist_uri_host (PDS_URISHORTENER) read.bi
6824enlist_uri_host (PDS_URISHORTENER) readthis.ca
6825enlist_uri_host (PDS_URISHORTENER) reallytinyurl.com
6826enlist_uri_host (PDS_URISHORTENER) redir.ec
6827enlist_uri_host (PDS_URISHORTENER) redirects.ca
6828enlist_uri_host (PDS_URISHORTENER) redirx.com
6829enlist_uri_host (PDS_URISHORTENER) relyt.us
6830enlist_uri_host (PDS_URISHORTENER) retwt.me
6831enlist_uri_host (PDS_URISHORTENER) ri.ms
6832enlist_uri_host (PDS_URISHORTENER) rickroll.it
6833enlist_uri_host (PDS_URISHORTENER) rivva.de
6834enlist_uri_host (PDS_URISHORTENER) riz.gd
6835enlist_uri_host (PDS_URISHORTENER) rly.cc
6836enlist_uri_host (PDS_URISHORTENER) rnk.me
6837enlist_uri_host (PDS_URISHORTENER) rsmonkey.com
6838enlist_uri_host (PDS_URISHORTENER) rt.nu
6839enlist_uri_host (PDS_URISHORTENER) ru.ly
6840enlist_uri_host (PDS_URISHORTENER) rubyurl.com
6841enlist_uri_host (PDS_URISHORTENER) rurl.org
6842enlist_uri_host (PDS_URISHORTENER) rww.tw
6843enlist_uri_host (PDS_URISHORTENER) s.gnoss.us
6844enlist_uri_host (PDS_URISHORTENER) s3nt.com
6845enlist_uri_host (PDS_URISHORTENER) s4c.in
6846enlist_uri_host (PDS_URISHORTENER) s7y.us
6847enlist_uri_host (PDS_URISHORTENER) safe.mn
6848enlist_uri_host (PDS_URISHORTENER) safelinks.ru
6849enlist_uri_host (PDS_URISHORTENER) sai.ly
6850enlist_uri_host (PDS_URISHORTENER) sameurl.com
6851enlist_uri_host (PDS_URISHORTENER) sdut.us
6852enlist_uri_host (PDS_URISHORTENER) sed.cx
6853enlist_uri_host (PDS_URISHORTENER) sfu.ca
6854enlist_uri_host (PDS_URISHORTENER) shadyurl.com
6855enlist_uri_host (PDS_URISHORTENER) shar.es
6856enlist_uri_host (PDS_URISHORTENER) shim.net
6857enlist_uri_host (PDS_URISHORTENER) shink.de
6858enlist_uri_host (PDS_URISHORTENER) shorl.com
6859enlist_uri_host (PDS_URISHORTENER) short.ie
6860enlist_uri_host (PDS_URISHORTENER) short.to
6861enlist_uri_host (PDS_URISHORTENER) shorten.ws
6862enlist_uri_host (PDS_URISHORTENER) shortenurl.com
6863enlist_uri_host (PDS_URISHORTENER) shorterlink.com
6864enlist_uri_host (PDS_URISHORTENER) shortio.com
6865enlist_uri_host (PDS_URISHORTENER) shortlinks.co.uk
6866enlist_uri_host (PDS_URISHORTENER) shortly.nl
6867enlist_uri_host (PDS_URISHORTENER) shortn.me
6868enlist_uri_host (PDS_URISHORTENER) shortna.me
6869enlist_uri_host (PDS_URISHORTENER) shortr.me
6870enlist_uri_host (PDS_URISHORTENER) shorturl.com
6871enlist_uri_host (PDS_URISHORTENER) shortz.me
6872enlist_uri_host (PDS_URISHORTENER) shoturl.us
6873enlist_uri_host (PDS_URISHORTENER) shout.to
6874enlist_uri_host (PDS_URISHORTENER) show.my
# NOTE(review): "shredu" has no dot and no TLD; it looks like a truncated copy of
# the shredurl.com entry that follows and presumably never matches a real URI
# host. Confirm against the list's source and drop it if so.
6875enlist_uri_host (PDS_URISHORTENER) shredu
6876enlist_uri_host (PDS_URISHORTENER) shredurl.com
6877enlist_uri_host (PDS_URISHORTENER) shrinkify.com
6878enlist_uri_host (PDS_URISHORTENER) shrinkr.com
6879enlist_uri_host (PDS_URISHORTENER) shrinkster.com
6880enlist_uri_host (PDS_URISHORTENER) shrinkurl.us
6881enlist_uri_host (PDS_URISHORTENER) shrt.fr
6882enlist_uri_host (PDS_URISHORTENER) shrt.st
6883enlist_uri_host (PDS_URISHORTENER) shrt.ws
6884enlist_uri_host (PDS_URISHORTENER) shrten.com
6885enlist_uri_host (PDS_URISHORTENER) shrtl.com
6886enlist_uri_host (PDS_URISHORTENER) shrtn.com
6887enlist_uri_host (PDS_URISHORTENER) shrtnd.com
6888enlist_uri_host (PDS_URISHORTENER) shrunkin.com
6889enlist_uri_host (PDS_URISHORTENER) shurl.net
6890enlist_uri_host (PDS_URISHORTENER) shw.me
6891enlist_uri_host (PDS_URISHORTENER) simurl.com
6892enlist_uri_host (PDS_URISHORTENER) simurl.net
6893enlist_uri_host (PDS_URISHORTENER) simurl.org
6894enlist_uri_host (PDS_URISHORTENER) simurl.us
6895enlist_uri_host (PDS_URISHORTENER) sitelutions.com
6896enlist_uri_host (PDS_URISHORTENER) siteo.us
6897enlist_uri_host (PDS_URISHORTENER) sl.ly
6898enlist_uri_host (PDS_URISHORTENER) slate.me
6899enlist_uri_host (PDS_URISHORTENER) slidesha.re
6900enlist_uri_host (PDS_URISHORTENER) slki.ru
6901enlist_uri_host (PDS_URISHORTENER) smallr.com
6902enlist_uri_host (PDS_URISHORTENER) smallr.net
6903enlist_uri_host (PDS_URISHORTENER) smarturl.it
6904enlist_uri_host (PDS_URISHORTENER) smfu.in
6905enlist_uri_host (PDS_URISHORTENER) smsh.me
6906enlist_uri_host (PDS_URISHORTENER) smurl.com
6907enlist_uri_host (PDS_URISHORTENER) smurl.name
6908enlist_uri_host (PDS_URISHORTENER) sn.im
6909enlist_uri_host (PDS_URISHORTENER) sn.vc
6910enlist_uri_host (PDS_URISHORTENER) snadr.it
6911enlist_uri_host (PDS_URISHORTENER) snipie.com
6912enlist_uri_host (PDS_URISHORTENER) snipr.com
6913enlist_uri_host (PDS_URISHORTENER) snipurl.com
6914enlist_uri_host (PDS_URISHORTENER) snkr.me
6915enlist_uri_host (PDS_URISHORTENER) snurl.com
6916enlist_uri_host (PDS_URISHORTENER) soo.gd
6917enlist_uri_host (PDS_URISHORTENER) song.ly
6918enlist_uri_host (PDS_URISHORTENER) sp2.ro
6919enlist_uri_host (PDS_URISHORTENER) spedr.com
6920enlist_uri_host (PDS_URISHORTENER) sqze.it
6921enlist_uri_host (PDS_URISHORTENER) srnk.net
6922enlist_uri_host (PDS_URISHORTENER) srs.li
6923enlist_uri_host (PDS_URISHORTENER) starturl.com
6924enlist_uri_host (PDS_URISHORTENER) stickurl.com
6925enlist_uri_host (PDS_URISHORTENER) stpmvt.com
6926enlist_uri_host (PDS_URISHORTENER) sturly.com
6927enlist_uri_host (PDS_URISHORTENER) su.pr
6928enlist_uri_host (PDS_URISHORTENER) surl.co.uk
6929enlist_uri_host (PDS_URISHORTENER) surl.hu
6930enlist_uri_host (PDS_URISHORTENER) surl.it
6931enlist_uri_host (PDS_URISHORTENER) t.cn
6932enlist_uri_host (PDS_URISHORTENER) t.co
6933enlist_uri_host (PDS_URISHORTENER) t.lh.com
6934enlist_uri_host (PDS_URISHORTENER) ta.gd
6935enlist_uri_host (PDS_URISHORTENER) takemyfile.com
6936enlist_uri_host (PDS_URISHORTENER) tbd.ly
6937enlist_uri_host (PDS_URISHORTENER) tcrn.ch
6938enlist_uri_host (PDS_URISHORTENER) tgr.me
6939enlist_uri_host (PDS_URISHORTENER) tgr.ph
6940enlist_uri_host (PDS_URISHORTENER) th8.us
6941enlist_uri_host (PDS_URISHORTENER) thecow.me
6942enlist_uri_host (PDS_URISHORTENER) thrdl.es
6943enlist_uri_host (PDS_URISHORTENER) tighturl.com
6944enlist_uri_host (PDS_URISHORTENER) timesurl.at
6945enlist_uri_host (PDS_URISHORTENER) tini.us
6946enlist_uri_host (PDS_URISHORTENER) tiniuri.com
6947enlist_uri_host (PDS_URISHORTENER) tiny.cc
6948enlist_uri_host (PDS_URISHORTENER) tiny.ly
6949enlist_uri_host (PDS_URISHORTENER) tiny.pl
6950enlist_uri_host (PDS_URISHORTENER) tinyarro.ws
6951enlist_uri_host (PDS_URISHORTENER) tinylink.com
6952enlist_uri_host (PDS_URISHORTENER) tinylink.in
6953enlist_uri_host (PDS_URISHORTENER) tinypl.us
6954enlist_uri_host (PDS_URISHORTENER) tinysong.com
6955enlist_uri_host (PDS_URISHORTENER) tinytw.it
6956enlist_uri_host (PDS_URISHORTENER) tinyuri.ca
6957enlist_uri_host (PDS_URISHORTENER) tinyurl.com
# NOTE(review): this entry is a bare label with a trailing dot ("tk."), and the
# same shape appears again further down as "to.". It is unclear whether a
# TLD-wide match was intended or the host name was lost; verify how
# enlist_uri_host treats this form, since a TLD-wide match would be very broad.
6958enlist_uri_host (PDS_URISHORTENER) tk.
6959enlist_uri_host (PDS_URISHORTENER) tl.gd
6960enlist_uri_host (PDS_URISHORTENER) tllg.net
6961enlist_uri_host (PDS_URISHORTENER) tmi.me
6962enlist_uri_host (PDS_URISHORTENER) tncr.ws
6963enlist_uri_host (PDS_URISHORTENER) tnij.org
6964enlist_uri_host (PDS_URISHORTENER) tnw.to
6965enlist_uri_host (PDS_URISHORTENER) tny.com
6966enlist_uri_host (PDS_URISHORTENER) to.
6967enlist_uri_host (PDS_URISHORTENER) to.je
6968enlist_uri_host (PDS_URISHORTENER) to.ly
6969enlist_uri_host (PDS_URISHORTENER) to.vg
6970enlist_uri_host (PDS_URISHORTENER) togoto.us
6971enlist_uri_host (PDS_URISHORTENER) totc.us
6972enlist_uri_host (PDS_URISHORTENER) toysr.us
6973enlist_uri_host (PDS_URISHORTENER) tpm.ly
6974enlist_uri_host (PDS_URISHORTENER) tr.im
6975enlist_uri_host (PDS_URISHORTENER) tr.my
6976enlist_uri_host (PDS_URISHORTENER) tra.kz
6977enlist_uri_host (PDS_URISHORTENER) traceurl.com
6978enlist_uri_host (PDS_URISHORTENER) trackurl.it
6979enlist_uri_host (PDS_URISHORTENER) trcb.me
6980enlist_uri_host (PDS_URISHORTENER) trg.li
6981enlist_uri_host (PDS_URISHORTENER) trib.al
6982enlist_uri_host (PDS_URISHORTENER) trick.ly
6983enlist_uri_host (PDS_URISHORTENER) trii.us
6984enlist_uri_host (PDS_URISHORTENER) trim.li
6985enlist_uri_host (PDS_URISHORTENER) trumpink.lt
6986enlist_uri_host (PDS_URISHORTENER) trunc.it
6987enlist_uri_host (PDS_URISHORTENER) truncurl.com
6988enlist_uri_host (PDS_URISHORTENER) tsort.us
6989enlist_uri_host (PDS_URISHORTENER) tubeurl.com
6990enlist_uri_host (PDS_URISHORTENER) turo.us
6991enlist_uri_host (PDS_URISHORTENER) tw0.us
6992enlist_uri_host (PDS_URISHORTENER) tw1.us
6993enlist_uri_host (PDS_URISHORTENER) tw2.us
6994enlist_uri_host (PDS_URISHORTENER) tw5.us
6995enlist_uri_host (PDS_URISHORTENER) tw6.us
6996enlist_uri_host (PDS_URISHORTENER) tw8.us
6997enlist_uri_host (PDS_URISHORTENER) tw9.us
6998enlist_uri_host (PDS_URISHORTENER) twa.lk
6999enlist_uri_host (PDS_URISHORTENER) tweet.me
7000enlist_uri_host (PDS_URISHORTENER) tweetburner.com
7001enlist_uri_host (PDS_URISHORTENER) tweetl.com
7002enlist_uri_host (PDS_URISHORTENER) twhub.com
7003enlist_uri_host (PDS_URISHORTENER) twi.gy
7004enlist_uri_host (PDS_URISHORTENER) twip.us
7005enlist_uri_host (PDS_URISHORTENER) twirl.at
7006enlist_uri_host (PDS_URISHORTENER) twit.ac
7007enlist_uri_host (PDS_URISHORTENER) twitclicks.com
7008enlist_uri_host (PDS_URISHORTENER) twitterurl.net
7009enlist_uri_host (PDS_URISHORTENER) twitterurl.org
7010enlist_uri_host (PDS_URISHORTENER) twitthis.com
7011enlist_uri_host (PDS_URISHORTENER) twittu.ms
7012enlist_uri_host (PDS_URISHORTENER) twiturl.de
7013enlist_uri_host (PDS_URISHORTENER) twitzap.com
7014enlist_uri_host (PDS_URISHORTENER) twlv.net
7015enlist_uri_host (PDS_URISHORTENER) twtr.us
7016enlist_uri_host (PDS_URISHORTENER) twurl.cc
7017enlist_uri_host (PDS_URISHORTENER) twurl.nl
7018enlist_uri_host (PDS_URISHORTENER) u.mavrev.com
7019enlist_uri_host (PDS_URISHORTENER) u.nu
7020enlist_uri_host (PDS_URISHORTENER) u76.org
7021enlist_uri_host (PDS_URISHORTENER) ub0.cc
7022enlist_uri_host (PDS_URISHORTENER) uiop.me
7023enlist_uri_host (PDS_URISHORTENER) ulimit.com
7024enlist_uri_host (PDS_URISHORTENER) ulu.lu
7025enlist_uri_host (PDS_URISHORTENER) unfaker.it
7026enlist_uri_host (PDS_URISHORTENER) updating.me
7027enlist_uri_host (PDS_URISHORTENER) u.to
7028enlist_uri_host (PDS_URISHORTENER) ur.ly
7029enlist_uri_host (PDS_URISHORTENER) ur1.ca
7030enlist_uri_host (PDS_URISHORTENER) urizy.com
7031enlist_uri_host (PDS_URISHORTENER) url.ag
7032enlist_uri_host (PDS_URISHORTENER) url.az
7033enlist_uri_host (PDS_URISHORTENER) url.co.uk
7034enlist_uri_host (PDS_URISHORTENER) url.go.it
7035enlist_uri_host (PDS_URISHORTENER) url.ie
7036enlist_uri_host (PDS_URISHORTENER) url.inc-x.eu
7037enlist_uri_host (PDS_URISHORTENER) url.lotpatrol.com
7038enlist_uri_host (PDS_URISHORTENER) url360.me
7039enlist_uri_host (PDS_URISHORTENER) url4.eu
7040enlist_uri_host (PDS_URISHORTENER) urlao.com
7041enlist_uri_host (PDS_URISHORTENER) urlbee.com
7042enlist_uri_host (PDS_URISHORTENER) urlborg.com
7043enlist_uri_host (PDS_URISHORTENER) urlbrief.com
7044enlist_uri_host (PDS_URISHORTENER) urlcorta.es
7045enlist_uri_host (PDS_URISHORTENER) urlcover.com
7046enlist_uri_host (PDS_URISHORTENER) urlcut.com
7047enlist_uri_host (PDS_URISHORTENER) urlcutter.com
7048enlist_uri_host (PDS_URISHORTENER) urlenco.de
7049enlist_uri_host (PDS_URISHORTENER) urlg.info
7050enlist_uri_host (PDS_URISHORTENER) urlhawk.com
7051enlist_uri_host (PDS_URISHORTENER) urli.nl
7052enlist_uri_host (PDS_URISHORTENER) urlin.it
7053enlist_uri_host (PDS_URISHORTENER) urlkiss.com
7054enlist_uri_host (PDS_URISHORTENER) urloo.com
7055enlist_uri_host (PDS_URISHORTENER) urlpire.com
7056enlist_uri_host (PDS_URISHORTENER) urls.im
7057enlist_uri_host (PDS_URISHORTENER) urlshorteningservicefortwitter.com
7058enlist_uri_host (PDS_URISHORTENER) urltea.com
7059enlist_uri_host (PDS_URISHORTENER) urlu.ms
# NOTE(review): "urlvi.b" looks like a truncated duplicate of urlvi.be on the
# next line (".b" is not a TLD), so it presumably never matches. Confirm and drop.
7060enlist_uri_host (PDS_URISHORTENER) urlvi.b
7061enlist_uri_host (PDS_URISHORTENER) urlvi.be
7062enlist_uri_host (PDS_URISHORTENER) urlx.ie
7063enlist_uri_host (PDS_URISHORTENER) urlz.at
7064enlist_uri_host (PDS_URISHORTENER) urlzen.com
7065enlist_uri_host (PDS_URISHORTENER) usat.ly
7066enlist_uri_host (PDS_URISHORTENER) use.my
7067enlist_uri_host (PDS_URISHORTENER) uservoice.com
7068enlist_uri_host (PDS_URISHORTENER) ustre.am
7069enlist_uri_host (PDS_URISHORTENER) vado.it
7070enlist_uri_host (PDS_URISHORTENER) vb.ly
7071enlist_uri_host (PDS_URISHORTENER) vdirect.com
7072enlist_uri_host (PDS_URISHORTENER) vgn.am
7073enlist_uri_host (PDS_URISHORTENER) vi.ly
7074enlist_uri_host (PDS_URISHORTENER) viigo.im
7075enlist_uri_host (PDS_URISHORTENER) virl.com
7076enlist_uri_host (PDS_URISHORTENER) vl.am
7077enlist_uri_host (PDS_URISHORTENER) vm.lc
7078enlist_uri_host (PDS_URISHORTENER) voizle.com
7079enlist_uri_host (PDS_URISHORTENER) vtc.es
7080enlist_uri_host (PDS_URISHORTENER) w0r.me
7081enlist_uri_host (PDS_URISHORTENER) w33.us
7082enlist_uri_host (PDS_URISHORTENER) w34.us
7083enlist_uri_host (PDS_URISHORTENER) w3t.org
7084enlist_uri_host (PDS_URISHORTENER) w55.de
7085enlist_uri_host (PDS_URISHORTENER) wa9.la
7086enlist_uri_host (PDS_URISHORTENER) wapo.st
7087enlist_uri_host (PDS_URISHORTENER) wapurl.co.uk
7088enlist_uri_host (PDS_URISHORTENER) webalias.com
7089enlist_uri_host (PDS_URISHORTENER) welcome.to
7090enlist_uri_host (PDS_URISHORTENER) wh.gov
7091enlist_uri_host (PDS_URISHORTENER) widg.me
7092enlist_uri_host (PDS_URISHORTENER) wipi.es
7093enlist_uri_host (PDS_URISHORTENER) wkrg.com
7094enlist_uri_host (PDS_URISHORTENER) woo.ly
7095enlist_uri_host (PDS_URISHORTENER) wp.me
7096enlist_uri_host (PDS_URISHORTENER) x.co
7097enlist_uri_host (PDS_URISHORTENER) x.hypem.com
7098enlist_uri_host (PDS_URISHORTENER) x.se
7099enlist_uri_host (PDS_URISHORTENER) x.vu
7100enlist_uri_host (PDS_URISHORTENER) xeeurl.com
7101enlist_uri_host (PDS_URISHORTENER) xil.in
7102enlist_uri_host (PDS_URISHORTENER) xlurl.de
7103enlist_uri_host (PDS_URISHORTENER) xn--1ci.ws
7104enlist_uri_host (PDS_URISHORTENER) xn--3fi.ws
7105enlist_uri_host (PDS_URISHORTENER) xn--5gi.ws
7106enlist_uri_host (PDS_URISHORTENER) xn--9gi.ws
7107enlist_uri_host (PDS_URISHORTENER) xn--bih.ws
7108enlist_uri_host (PDS_URISHORTENER) xn--cwg.ws
7109enlist_uri_host (PDS_URISHORTENER) xn--egi.ws
7110enlist_uri_host (PDS_URISHORTENER) xn--fwg.ws
7111enlist_uri_host (PDS_URISHORTENER) xn--hgi.ws
7112enlist_uri_host (PDS_URISHORTENER) xn--l3h.ws
7113enlist_uri_host (PDS_URISHORTENER) xn--odi.ws
7114enlist_uri_host (PDS_URISHORTENER) xn--ogi.ws
7115enlist_uri_host (PDS_URISHORTENER) xn--rei.ws
7116enlist_uri_host (PDS_URISHORTENER) xn--vgi.ws
7117enlist_uri_host (PDS_URISHORTENER) xr.com
7118enlist_uri_host (PDS_URISHORTENER) xrl.in
7119enlist_uri_host (PDS_URISHORTENER) xrl.us
7120enlist_uri_host (PDS_URISHORTENER) xrt.me
7121enlist_uri_host (PDS_URISHORTENER) xurl.es
7122enlist_uri_host (PDS_URISHORTENER) xurl.jp
7123enlist_uri_host (PDS_URISHORTENER) xxsurl.de
7124enlist_uri_host (PDS_URISHORTENER) xzb.cc
7125enlist_uri_host (PDS_URISHORTENER) y.ahoo.it
7126enlist_uri_host (PDS_URISHORTENER) yatuc.com
7127enlist_uri_host (PDS_URISHORTENER) ye-s.com
7128enlist_uri_host (PDS_URISHORTENER) ye.pe
7129enlist_uri_host (PDS_URISHORTENER) yep.it
7130enlist_uri_host (PDS_URISHORTENER) yfrog.com
7131enlist_uri_host (PDS_URISHORTENER) yhoo.it
7132enlist_uri_host (PDS_URISHORTENER) yiyd.com
7133enlist_uri_host (PDS_URISHORTENER) yuarel.com
7134enlist_uri_host (PDS_URISHORTENER) z.pe
7135enlist_uri_host (PDS_URISHORTENER) z0p.de
7136enlist_uri_host (PDS_URISHORTENER) zapt.in
7137enlist_uri_host (PDS_URISHORTENER) zi.ma
7138enlist_uri_host (PDS_URISHORTENER) zi.me
7139enlist_uri_host (PDS_URISHORTENER) zi.mu
7140enlist_uri_host (PDS_URISHORTENER) zi.pe
7141enlist_uri_host (PDS_URISHORTENER) zip.li
7142enlist_uri_host (PDS_URISHORTENER) zipmyurl.com
7143enlist_uri_host (PDS_URISHORTENER) zite.to
7144enlist_uri_host (PDS_URISHORTENER) zootit.com
7145enlist_uri_host (PDS_URISHORTENER) zud.me
7146enlist_uri_host (PDS_URISHORTENER) zurl.ws
7147enlist_uri_host (PDS_URISHORTENER) zz.gd
7148enlist_uri_host (PDS_URISHORTENER) zzang.kr
7149enlist_uri_host (PDS_URISHORTENER) t.ly
7150enlist_uri_host (PDS_URISHORTENER) wow.link
7151enlist_uri_host (PDS_URISHORTENER) twixar.me
7152enlist_uri_host (PDS_URISHORTENER) lnk.cm
7153enlist_uri_host (PDS_URISHORTENER) rb.gy
7154enlist_uri_host (PDS_URISHORTENER) gplinks.in
7155enlist_uri_host (PDS_URISHORTENER) utfg.sk
7156enlist_uri_host (PDS_URISHORTENER) um.lk
7157enlist_uri_host (PDS_URISHORTENER) xn--vi8hiv.ws
7158enlist_uri_host (PDS_URISHORTENER) ouo.io
7159enlist_uri_host (PDS_URISHORTENER) mmo.tc
7160enlist_uri_host (PDS_URISHORTENER) pvp.tc
7161enlist_uri_host (PDS_URISHORTENER) ko.tc
7162enlist_uri_host (PDS_URISHORTENER) m2.tc
7163enlist_uri_host (PDS_URISHORTENER) sro.tc
7164enlist_uri_host (PDS_URISHORTENER) heg.tc
7165enlist_uri_host (PDS_URISHORTENER) fn.tc
7166enlist_uri_host (PDS_URISHORTENER) lol.tc
7167enlist_uri_host (PDS_URISHORTENER) tek.link
7168enlist_uri_host (PDS_URISHORTENER) tr.im
7169enlist_uri_host (PDS_URISHORTENER) cutwin.biz
7170enlist_uri_host (PDS_URISHORTENER) urlzs.com
7171enlist_uri_host (PDS_URISHORTENER) qqc.co
7172enlist_uri_host (PDS_URISHORTENER) yyv.co
7173enlist_uri_host (PDS_URISHORTENER) erq.io
7174enlist_uri_host (PDS_URISHORTENER) yko.io
7175enlist_uri_host (PDS_URISHORTENER) poweredbysecurity.online
7176enlist_uri_host (PDS_URISHORTENER) poweredbysecurity.org
7177enlist_uri_host (PDS_URISHORTENER) poweredbydialup.online
7178enlist_uri_host (PDS_URISHORTENER) poweredbydialup.club
7179enlist_uri_host (PDS_URISHORTENER) canadianlumberjacks.online
7180enlist_uri_host (PDS_URISHORTENER) canadianlumberjacks.club
7181enlist_uri_host (PDS_URISHORTENER) packetlivesmatter.online
7182enlist_uri_host (PDS_URISHORTENER) packetlivesmatter.club
7183enlist_uri_host (PDS_URISHORTENER) amishprincess.com
7184enlist_uri_host (PDS_URISHORTENER) poweredbydialup.org
7185enlist_uri_host (PDS_URISHORTENER) amishdatacenter.com
7186enlist_uri_host (PDS_URISHORTENER) youtubeshort.pro
7187enlist_uri_host (PDS_URISHORTENER) catsnthing.com
7188enlist_uri_host (PDS_URISHORTENER) youtubeshort.watch
7189enlist_uri_host (PDS_URISHORTENER) yourtube.site
7190enlist_uri_host (PDS_URISHORTENER) catsnthings.fun
7191enlist_uri_host (PDS_URISHORTENER) curiouscat.club
7192enlist_uri_host (PDS_URISHORTENER) crabrave.pw
7193enlist_uri_host (PDS_URISHORTENER) fortnitechat.site
7194enlist_uri_host (PDS_URISHORTENER) fortnight.space
# NOTE(review): the two look-alike hosts below are written with raw non-ASCII
# letters (ç, ä), while every other internationalised host in this list uses the
# ASCII xn-- form. Whether the URI host seen at match time is the Unicode or the
# xn-- spelling is not visible here; confirm these entries actually match, and
# list the xn-- form as well if they do not.
7195enlist_uri_host (PDS_URISHORTENER) disçordapp.com
7196enlist_uri_host (PDS_URISHORTENER) freegiftcards.co
7197enlist_uri_host (PDS_URISHORTENER) minecräft.com
7198enlist_uri_host (PDS_URISHORTENER) stopify.co
7199enlist_uri_host (PDS_URISHORTENER) spottyfly.com
7200enlist_uri_host (PDS_URISHORTENER) bmwforum.co
7201enlist_uri_host (PDS_URISHORTENER) grabify.link
7202enlist_uri_host (PDS_URISHORTENER) joinmy.site
7203enlist_uri_host (PDS_URISHORTENER) youshouldclick.us
7204reuse T_PDS_SHORTFWD_URISHRT
7205endif
7206endif
7207##} ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox
7208
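##{ redirector_pattern_sandbox

# Each pattern matches a redirector URL and captures the embedded destination in
# its one capturing group, so that the destination (not just the redirector
# host) is available to the URI checks. Every other group must stay
# non-capturing: (?:...) and lookbehinds only.

# Generic "?...URL=<target>" query parameter, optionally behind index.php.
redirector_pattern m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i

# Google /url?q=<target>
redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i
# Google search with a site:/inurl: operator naming the target
redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:site|inurl):(.*?)(?:$|%20|[\s+&\#])'i
# Google search with the target given as a quoted phrase
redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&\#])'i
# Google translate?u=<target>
redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i
# Google ad click-through, adurl=<target>
redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/pagead/iclk\?.*?(?<=[?&])adurl=(.*?)(?:$|[&\#])'i
# AOL redir.adp?_url=<target>
redirector_pattern m'^https?:/*(?:\w+\.)?aol\.com/redir\.adp\?.*(?<=[?&])_url=(.*?)(?:$|[&\#])'i
# Facebook /l/;<target>
# Fixed: the scheme was written "https?/*" with no colon, unlike every sibling
# pattern, so the anchored match could not succeed on an ordinary http:// or
# https:// URL and the destination behind this redirector was never extracted.
redirector_pattern m'^https?:/*(?:\w+\.)?facebook\.com/l/;(.*)'i
##} redirector_pattern_sandbox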
7220
7221##{ reuse_sandbox
7222
7223reuse T_PDS_HIDDEN_UK_BUSINESSLOAN
7224reuse T_PDS_DOUBLE_URL
7225reuse T_PDS_DBL_URL_LINKBAIT
7226reuse PDS_DBL_URL_TNB_RUNON
7227reuse T_PDS_DBL_URL_ILLEGAL_CHARS
7228reuse FROM_2_EMAILS_SHORT
7229reuse T_SHORT_BODY_QUOTE
7230reuse T_BODY_QUOTE_MALF_MSGID
7231reuse SPOOFED_FREEMAIL_NO_RDNS
7232reuse T_PDS_URI_HIDDEN_HELO_NO_DOMAIN
7233reuse PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
46cfc9e2 7234reuse T_PDS_TONAME_EQ_TOLOCAL_SHORT
b780ea8d 7235reuse PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
46cfc9e2 7236reuse T_PDS_TONAME_EQ_TOLOCAL_VSHORT
7237reuse T_PDS_LITECOIN_ID
7238reuse PDS_BTC_ID
7239reuse PDS_BTC_MSGID
7240reuse __PDS_GOOGLE_DRIVE_SHARE_1
7241reuse __PDS_GOOGLE_DRIVE_SHARE_2
7242reuse __PDS_GOOGLE_DRIVE_SHARE_3
7243reuse __PDS_GOOGLE_DRIVE_SHARE
7244reuse T_GOOGLE_DRIVE_DEAR_SOMETHING
7245reuse __PDS_GOOGLE_DRIVE_FILE
7246reuse __SHORT_BODY_G_DRIVE
7247reuse __SHORT_BODY_G_DRIVE_DYN
7248reuse SHORT_BODY_G_DRIVE_DYN
7249reuse FROM_NAME_EQ_TO_G_DRIVE
7250##} reuse_sandbox
7251
7252
# Long-token URI subrules: each flags a URI containing one very long run of
# characters after a "/" or "?". They are building blocks (double-underscore
# names) for other rules and carry no description of their own.

# 128 or more letters/digits (case-insensitive) at the very end of the URI.
7253uri __128_ALNUM_URI m;[/?][0-9a-z]{128,}$;i
7254
# 128 lowercase hex characters after a "/". There is no /i flag and no end
# anchor, so the run may sit anywhere in the URI and uppercase hex is not matched.
7255uri __128_HEX_URI m,/[0-9a-f]{128},
7256
# 128 or more lowercase letters at the end of the URI (case-sensitive).
7257uri __128_LC_URI m;[/?][a-z]{128,}$;
7258
# A path segment of 45 or more letters/digits followed by an image file name.
7259uri __45_ALNUM_IMG m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g)$;i
7260
# 45 or more letters/digits at the end of the URI; also true for the longer tiers.
7261uri __45_ALNUM_URI m;[/?][0-9a-z]{45,}$;i
7262
# The 45-character tier on its own: true only when none of the 64/128 tiers hit,
# so the tiers do not stack for one URI.
7263meta __45_ALNUM_URI_O __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI
7264
# 64 or more word characters (\w, so "_" counts too) at the end of the URI.
7265uri __64_ANY_URI m;[/?]\w{64,}$;i
7266
7267body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i
7268
7269body __ACCESS_REVOKE /(?:(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)|Ihre Kreditkarte wird gesperrt)/i
7270
7271body __ACCESS_SUSPENDED /\b(?:(?:access|account|e?-?mails) (?:suspension|(?:has|have) (?:been )?(?:temporar(?:il)?y (?:been )?)?(?:suspended|blocked|locked|blacklisted))|suspend (?:you from|your) access(?:ing)?|suspen(?:sion|se|ded) noti(?:ce|fication))\b/i
7272tflags __ACCESS_SUSPENDED multiple maxhits=2
7273
7274body __ACCOUNT_DISRUPT /\b(?:ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)|(?:avoid|incoming) (?:[a-z]+ ){0,5}e?-?mails? (?:from )?being rejected|avoid (?:account|e?-?mail(?: ?box)? )?(?:shut ?down|suspension|locking|termination|expiration)|will terminate (?:your|its) service)\b/i
7275tflags __ACCOUNT_DISRUPT multiple maxhits=2
7276
7277body __ACCOUNT_ERROR /\b(?:your account (?:is|appears to be) (?:incorrect|missing|in error|invalid))\b/i
7278
7279body __ACCOUNT_REACTIV /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i
7280
7281body __ACCOUNT_SECURE /\b(?:make your (?:"?[^\@\s]+\@\S+"? |e-?mail )?account more secure|Ihre Kreditkarte weist einige Sicherheitsprobleme)\b/i
7282
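# Account-upgrade lure wording (English, plus one German phrase).
# Fixed: "(?:of )" had no quantifier, so the first alternative required the
# literal "upgrade of your account" and missed the plain "upgrade your account";
# a bare non-capturing group with nothing after it indicates a dropped "?".
body __ACCOUNT_UPGRADE /\b(?:upgrade (?:of )?your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded|Weiter zur Aktualisierung)\b/i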
7284
# Account-phishing indicator counts. Both metas add up the hit counts of the
# account/access wording subrules and compare the sum with a threshold.
# Two of the summed subrules (__ACCESS_SUSPENDED, __ACCOUNT_DISRUPT) are declared
# "tflags ... multiple maxhits=2", so either of them can contribute 2 on its own.
# NOTE(review): that means a single subrule hitting twice already satisfies "> 1";
# confirm this is intended rather than "two distinct indicators".

# More than one indicator, but not enough for the _MANY tier below.
7285meta __ACCT_PHISH (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __PDS_FROM_NAME_TO_DOMAIN) > 1 && !__ACCT_PHISH_MANY
7286
# More than three indicators. The sum here also includes __TO_IN_SUBJ,
# __SUBJ_DOM_ADMIN and __FROM_DOM_ADMIN, which the lower tier does not count.
# The published ACCT_PHISHING_MANY rule at the top of this file is built on this meta.
7287meta __ACCT_PHISH_MANY (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + __PDS_FROM_NAME_TO_DOMAIN) > 3
7288
# "Your ACH / wire / direct-deposit payment was rejected" lure wording.
# The patterns are case-insensitive overall, but the acronym is wrapped in
# (?-i:ACH) so only the upper-case form counts. Word separators may be a
# hyphen, underscore or space ([-_ ]).

# "ACH|dividend <payment|transfer|...> [was|is] <rejected|cancelled|...>"
7289body __ACH_CANCELLED_01 /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
7290
# Reversed word order: "<rejected|cancelled|declined|your> <ACH|direct deposit> <payment|...>"
7291body __ACH_CANCELLED_02 /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i
7292
# Same idea for wire payments/transfers.
7293body __ACH_CANCELLED_03 /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
7294
# Fixed phrase "regarding your direct deposit via ACH".
7295body __ACH_CANCELLED_04 /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i
7296
# Any of the four phrasings combined with __EXE_ATTACH (defined elsewhere in the
# rule set). The meta exists only when the MIMEHeader plugin is loaded, so
# without that plugin this combination is not evaluated at all.
7297ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7298 meta __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH
7299endif
7300
7301uri __AC_1SEQC_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/C\//
7302
7303uri __AC_1SEQV_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/V\//
7304
7305uri __AC_CHDSEQ_URI /\/chd[a-z0-9]{20,}/
7306
7307header __AC_FROM_MANY_DOTS From =~ /<(?:\w{2,}\.){2,}\w+@/
7308
7309meta __AC_FROM_MANY_DOTS_MINFP __AC_FROM_MANY_DOTS && !ALL_TRUSTED && !FREEMAIL_FORGED_FROMDOMAIN && !FORGED_GMAIL_RCVD && !__UNSUB_LINK && !__XM_VBULLETIN && !__RDNS_SHORT && !__REPTO_QUOTE && !__FSL_RELAY_GOOGLE && !__HAS_IN_REPLY_TO && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_MX_MESSY && !__CTYPE_MULTIPART_MIXED && !__RCD_RDNS_MTA && !__VIA_ML && !__HAS_ERRORS_TO
7310
7311rawbody __AC_HTML_ENTITY_BONANZA_SHRT_RAW /(?:&[A-Z0-9\#]{2,};\s{0,64}){10}/i
7312
7313uri __AC_LAND_URI /\/land\//
7314
7315uri __AC_LONGSEQ_URI /\/[A-Z0-9]{50,}\.(?:php|html|cgi)\b/
7316
7317uri __AC_MHDSEQ_URI /\/mhd[a-z0-9]{20,}/
7318
7319uri __AC_NDOMLONGNASPX_URI /[A-Za-z]+[0-9]{2}\.[A-Za-z0-9-]+\.me\/(?:[A-Za-z0-9-]{10,}\/){2}[0-9]{8,}\/[A-Za-z]+\.aspx/
7320
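# URI with five consecutive all-digit path segments, then ".<alnum>.php" or
# ".<alnum>.html".
# Fixed: the extension group was written "(:?php|html)", i.e. a capturing group
# matching an optional literal colon before "php", where the non-capturing
# "(?:php|html)" was evidently intended.
uri __AC_NUMS_URI /(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(?:php|html)\b/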
7322
7323uri __AC_OUTI_URI /\/outi\b/
7324
7325uri __AC_OUTL_URI /\/outl\b/
7326
7327uri __AC_PHPOFFSUB_URI /\/php\/off\/[0-9.]+\/sub\//
7328
7329uri __AC_PHPOFFTOP_URI /\/php\/off\/[0-9.]+\/top\//
7330
7331uri __AC_POSTHTMLEXTRAS /(?:main[0-9]?|mian|start(?:page)?|info(?:page|source|center)?|(?:one|view)?(?:site|source)(?:view|[0-9])?|(?:hub|file)one|index(?:[0-9]|page)?|mediafile|userlink|faction1)[.,]html?\/\w{2,}\b/i
7332
7333uri __AC_POSTIMGEXTRAS /(?:(?:main|external|hosted|new|file)?(?:im(?:g|age)?|user|one)s?-?(?:view(?:er)?|file|map|finder|portal|hub|online)?s?|library|media(?:source|-?files?)?|main|png|view|begin|file|port|space|webpics|host)(?:[-]?(?:[0-9]|one|two|three|four|five|six|seven|eight|nine))?[.,](?:jpe?g|png|gif)\/\w{2,}\b/i
7334
7335meta __AC_POST_EXTRAS (__AC_POSTHTMLEXTRAS || __AC_POSTIMGEXTRAS)
7336
7337uri __AC_PUNCTNUMS_URI /\.com\/[A-Za-z+=\/.?_-]{4,}[0-9]{9,12}[a-z0-9]{1,2}[A-Za-z+=\/.?_-]+[0-9]{7,9}[A-Za-z+=\/.?_-]{6,}[0-9]{7,9}\b/
7338
7339uri __AC_REPORT_URI /\/report\//
7340
7341uri __AC_RMOVE_URI /\/r\/move\/[0-9]+\//
7342
# Raw-body match for a CSS "font-size" whose value is the single digit 1, 2 or 3,
# with an optional unit (em, pt, px, %) and optional "!important", terminated by
# a double quote or semicolon. Used to spot text styled too small to read.
# NOTE(review): the unit is optional and "em" is accepted, so "font-size: 3em"
# (a large size) also matches; a value closed by a single quote, or written as a
# decimal such as "0.5px", does not. Confirm both are acceptable for the rules
# built on this subrule.
7343rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i
7344
7345uri __AC_UHDSEQ_URI /\/uhd[a-z0-9]{20,}/
7346
7347uri __AC_UNSUB_URI /\/unsub\//
7348
7349body __ADMAIL /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i
7350
7351body __ADMITS_SPAM /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:e-?mail[- ]+)?[a@]dvert[i1l]sement\b/i
7352
7353body __ADULTDATINGCOMPANY_BODY /\bAdultDatingCompany\b/i
7354
7355header __ADULTDATINGCOMPANY_FROM From:name =~ /\bAdultDatingCompany\b/i
7356
7357header __ADULTDATINGCOMPANY_REPTO Reply-To:name =~ /\bAdultDatingCompany\b/i
7358
7359meta __ADVANCE_FEE_2_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 1) && !__THREAD_INDEX_GOOD
7360
# Three mutually exclusive refinements of __ADVANCE_FEE_2_NEW, split by whether
# __FILL_THIS_FORM and LOTS_OF_MONEY also hit:
#   _FORM     form hit, money did not
#   _FRM_MNY  both hit
#   _MONEY    money hit, form did not
# The same three-way split is repeated for the _3_, _4_ and _5_ variants.
# __FILL_THIS_FORM is defined as the constant 0 when the ReplaceTags plugin is
# not loaded (see its definition further down this file), so on such a scanner
# the _FORM and _FRM_MNY variants cannot hit.
7361meta __ADVANCE_FEE_2_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
7362
7363meta __ADVANCE_FEE_2_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
7364
7365meta __ADVANCE_FEE_2_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
7366
7367meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 2) && !__THREAD_INDEX_GOOD
7368
7369meta __ADVANCE_FEE_3_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
7370
7371meta __ADVANCE_FEE_3_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
7372
7373meta __ADVANCE_FEE_3_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
7374
7375meta __ADVANCE_FEE_4_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 3) && !__THREAD_INDEX_GOOD
7376
7377meta __ADVANCE_FEE_4_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
7378
7379meta __ADVANCE_FEE_4_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
7380
7381meta __ADVANCE_FEE_4_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
7382
7383meta __ADVANCE_FEE_5_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 4) && !__THREAD_INDEX_GOOD
7384
7385meta __ADVANCE_FEE_5_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW
7386
7387meta __ADVANCE_FEE_5_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW
7388
7389meta __ADVANCE_FEE_5_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW
7390
7391body __AFF_004470_NUMBER /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/
7392
7393body __AFF_LOTTERY /(?:lottery|winner)/i
7394
7395meta __AFRICAN_STATE (__NIGERIA || __IVORY_COAST || __BURKINA_FASO || __GHANA || __BENIN || __AFR_UNION)
7396
7397body __AFR_UNION /\bafrican\sunion\b/i
7398
7399body __AGREED_RATIO /\b(?:agreed|sharing)\s(?:ratios?|percent\w+)\b/i
7400
7401meta __ALIBABA_IMG_NOT_RCVD_ALI __URI_IMG_ALICDN && !__HDR_RCVD_ALIBABA
7402
7403header __AMADEUSMS_MUA X-Mailer =~ /^Amadeus Messaging Server/
7404
46cfc9e2 7405meta __AMAZON_IMG_NOT_RCVD_AMZN __URI_IMG_AMAZON && !__HDR_RCVD_AMAZON && !__HDR_RCVD_AMAZON_HELO
7406
7407body __AM_DYING /\b(?:am\s(?:\S+\s)?dying|terminally\sill|cancer|en\sphase\sterminale|(?:become|is|devenu|maladie)\sincurable|que\sje\smeurs)\b/i
7408
7409ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7410mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /\bimage\//i
7411endif
7412
# Paired definition, a pattern used throughout this file for rules that need
# the MIMEHeader plugin: without the plugin the rule is a meta fixed at 0, with
# it the rule is the real mimeheader test. Presumably this keeps metas that
# reference the name resolvable either way. The practical consequence is that
# on a scanner without MIMEHeader every rule built on this name never hits,
# and nothing in the rule itself reports that.
7413if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7414 meta __ANY_TEXT_ATTACH 0
7415endif
7416
7417ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
 # Content-Type contains "text/<word characters>"; unanchored, case-insensitive.
7418 mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
7419endif
7420
7421ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7422mimeheader __ANY_TEXT_ATTACH_DOC Content-Type =~ /text\/\w+/i
7423endif
7424
7425if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7426 body __APP_DEVELOPMENT /\b(?:mobile apps|(?:apps?|portal) (?:dev(?:elop(?:ment|ed))?|design|test(?:ing)?|U[IX]|maintenance|support)|(?:we |can |have )+(?:design(?:ed)?|buil[dt]|maintain(?:ed)?|created?)(?: over| more than)?[\s0-9]+apps|different platforms|we are (?:[-a-z]+ ){1,4}(?:software|apps?) (?:company|develop(?:ers|ment)))\b/i
7427 tflags __APP_DEVELOPMENT multiple maxhits=6
7428endif
7429
7430if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7431 meta __APP_DEVELOPMENT_MANY __APP_DEVELOPMENT > 5
7432endif
7433
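# Advance-fee phrasing around a payment card: a lead-in ("your", "the", "via",
# "by means of", "that a", "issue [to|for] you a", ...), an optional word, a
# card kind (atm / debit / [money gram] fast cash) and the word "card".
# Fixed: the lead-in list contained "by\smeans\sof\|that\sa". The escaped "\|"
# is a literal pipe character, so neither "by means of" nor "that a" could
# match on its own. It is now a plain alternation.
# NOTE(review): in "(?:\smaster|swift|value?|cash)?" only "master" carries the
# leading \s. Left unchanged; confirm whether that is intended.
7434body __ATM_CARD /\b(?:your|the|this|through|via|by\smeans\sof|that\sa|issue\s(?:(?:to|for)\s)?you\sa)[\s\(](?:\w{1,20}\s)?(?:atm|debit|(?:money[\s-]?gram\s)?fast\scash)(?:\smaster|swift|value?|cash)?[\s\)]card/i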
7435
7436ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7437 meta __ATTACH_MSO_MHTML __TEXT_XML_MT && __MSO_THEME_MT && __X_MSO_MT
7438endif
7439
7440if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7441 meta __ATTACH_NAME_NO_EXT 0
7442endif
7443
7444ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7445 mimeheader __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i
7446endif
7447
7448body __ATTN_MAIL_USER /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i
7449
7450body __AUTO_ACCIDENT /auto(?:mobile)? accident/i
7451
7452header __AXB_MO_OL_024C2 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2600\.0000/
7453
7454header __AXB_MO_OL_1ECD5 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1081/
7455
7456header __AXB_XM_OL_024C2 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2600\.0000/
7457
7458header __AXB_XM_OL_1ECD5 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1081/
7459
7460body __BACK_SCRATCH /\bmutual+y?\s(?:benefi(?:t|cial)|interest)\b/i
7461
7462body __BANK_DRAFT /\bbank\sdraft/i
7463
7464body __BARRISTER /\b(?:barrister|solicitor at law|barr\.)/i
7465
7466body __BENEFICIARY /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])n(?:e|=E9|[\xe9]|[\xc3][\xa9])fi(?:c|sh)i?ai?r(?:y|ies|es?)/i
7467
7468body __BENIN /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])nin\b/i
7469
7470body __BIGNUM_EMAILS /\b(?:thousand|million|\d[,1-9]{0,6}(?:[,0]{2,}k?|k))\s(?:(?!and|or|your|place|baby|suspicious|supportive|subpoenaed)\w+\s)?(?:e-?mail(?:(?![-:.\)\>\]])s?|\saddresses)|fax numbers|leads|names)\b/i
7471tflags __BIGNUM_EMAILS multiple maxhits=5
7472
7473meta __BIGNUM_EMAILS_3 __BIGNUM_EMAILS > 2
7474
7475meta __BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS && __freemail_hdr_replyto
7476
7477if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7478 body __BITCOIN /\bB[-\s]?i[-\s]?t[-\s]?c[-\s]?o[-\s]?i[-\s]?n\b/i
7479endif
7480
7481ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7482 body __BITCOIN /<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i
7483endif
7484
# Text shaped like a Bitcoin address. Two shapes are accepted, each also in a
# spaced-out form with one of - _ = or whitespace between the characters:
#   * "1" or "3" followed by 29-34 characters from the Base58 alphabet
#     (letters and digits without 0, O, I and l);
#   * "bc1" followed by 30-90 characters from the lower-case letters and
#     digits without 1, b, i and o.
# (?<!=) rejects a candidate directly preceded by "=". There is no /i flag, so
# the match is case-sensitive.
# This is a shape check only: no checksum is verified, so unrelated tokens of
# the same shape also hit. The rule is meaningful only in combination with
# other signals, as in the __BITCOIN_SPAM_* metas below.
7485body __BITCOIN_ID /\b(?<!=)(?:[13](?:(?:[-_=\s][a-km-zA-HJ-NP-Z1-9]){29,34}|[a-km-zA-HJ-NP-Z1-9]{29,34})|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90}|b[-_=\s]c[-_=\s]1(?:[-_=\s][acdefghjklmnpqrstuvwxyz234567890]){30,90})\b/
7486
7487meta __BITCOIN_IMGUR __IMGUR_IMG && __BITCOIN
7488
7489meta __BITCOIN_OBFU_SUBJ __BITCOIN && __SUBJ_OBFU_PUNCT
7490
7491meta __BITCOIN_SPAM_02 __BITCOIN_ID && __BOTH_INR_AND_REF
7492
7493meta __BITCOIN_SPAM_05 __BITCOIN_ID && __SPOOFED_FREEMAIL
7494
7495meta __BITCOIN_SPAM_07 __BITCOIN_ID && __TO_EQ_FROM
7496
7497meta __BITCOIN_WFH_01 __BITCOIN && __WFH_01
7498
7499meta __BITCOIN_XPRIO __XPRIO && (__BITCOIN || __BITCOIN_ID)
7500
7501meta __BODY_SINGLE_URI (__BODY_SINGLE_WORD && __HAS_ANY_URI)
7502
7503meta __BODY_SINGLE_WORD __BODY_TEXT_LINE < 3 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1)
7504
7505body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s
7506
7507body __BODY_TEXT_LINE /^\s*\S/
7508tflags __BODY_TEXT_LINE multiple maxhits=3
7509
7510meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE
7511
7512body __BODY_XHTML /<x-html>/i
7513
7514if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7515 full __BOGUS_MIME_HDR /\bContent-[XYZ]-[a-z]{6,15}:\s+[a-z]{6,15}\b/
7516 tflags __BOGUS_MIME_HDR multiple maxhits=8
7517endif
7518
7519if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7520 meta __BOGUS_MIME_HDR_MANY __BOGUS_MIME_HDR > 7
7521endif
7522
7523header __BOGUS_MIME_VER_02 MIME-Version =~ /^(?!.*\b1\.0\b).+/
7524
7525meta __BOGUS_MSM_HDRS __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX
7526
7527body __BONUS_LAST_DAY /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i
7528
7529meta __BOTH_INR_AND_REF (__XM_BALSA || __XM_CALYPSO || __XM_FORTE || __XM_MHE || __XM_SQRLMAIL || __XM_SYLPHEED || __THEBAT_MUA || __XM_VM || __XM_XIMEVOL || __UA_KMAIL || __UA_MOZ5 || __UA_OPERA7)
7530
# Obfuscated spellings of "bitcoin" / "btc". Each rule carries a negative
# lookahead so that the plain spelling does not hit.

# "bitcoin" with up to 10 non-word characters before, between and after the
# letters. The lookahead after "b" rejects "bitcoin", "bit coin" and "bit-coin".
7531body __BTC_OBFU_2 /\b\W{0,10}b(?!it[-\s]?coin)\W{0,10}i\W{0,10}t\W{0,10}c\W{0,10}o\W{0,10}i\W{0,10}n\W{0,10}\b/i
7532
# "btc" with up to 10 non-word characters around the letters. The lookahead
# rejects the plain word "btc".
7533body __BTC_OBFU_3 /\b\W{0,10}b(?!tc\b)\W{0,10}t\W{0,10}c\W{0,10}\b/i
7534
# "bitcoin" where i, c and o may each be the ASCII letter or the code point
# U+0456, U+0441 or U+043E (look-alike Cyrillic letters). Defined only when
# ReplaceTags is NOT loaded; no ifplugin counterpart is visible in this part
# of the file.
# NOTE(review): whether the \x{...} escapes can match depends on how the
# scanner presents body text to rules (decoded characters vs. raw UTF-8
# bytes). TODO confirm for the deployed configuration.
7535if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7536 body __BTC_OBFU_4 /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
7537endif
7538
# "bitcoin" written as hexadecimal numeric character references
# (x62 x69 x74 x63 x6F x69 x6E). "#" is written "\#" because an unescaped "#"
# starts a comment in this file format.
# NOTE(review): this is a body rule. It presumably hits only where the
# references reach the rule undecoded; confirm.
7539body __BTC_OBFU_5 /&\#x62;&\#x69;&\#x74;&\#x63;&\#x6F;&\#x69;&\#x6E;/i
7540
7541rawbody __BUGGED_IMG m{<img\b[^>]{0,100}\ssrc=.?https?://[^>]{6,80}(?:\?[^>]{8}|[^a-z](?![a-f]{3}|20\d\d[01]\d[0-3]\d)[0-9a-f]{8})}i
7542
7543body __BURKINA_FASO /\bburkina\s?faso\b/i
7544
7545body __CANT_SEE_AD_1 /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i
7546
7547body __CANT_SEE_AD_2 /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i
7548
7549body __CAN_HELP /\bcan help\b/i
7550
7551body __CASHPRZ /cash prize of/
7552
7553body __CHARITY /\b(?:charit(?:y|[ai]ble)|orphans?|homeless|orphelins|sans\sabri)\b/i
7554
7555body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here|(?:please|automatically) reduce (?:your|the) e?-?mail ?box size|reduce (?:your |the )?(?:e?-?mail(?: ?box)? )?size automatically)\b/i
7556tflags __CLEAN_MAILBOX multiple maxhits=2
7557
7558rawbody __COMMENT_GIBBERISH /<!--(?:\s{1,10}[-\w'"]{1,40}){100}/im
7559
7560body __COMPENSATION /\b(?:compensat(?:e|ion)|recompensed?|ausgleich)\b/i
7561
7562body __CONTACT_ATTY /\bcontact(?:er)?\s(?:my|(?:de\s)?mon)\s(?:barrister|attou?rney|lawyer|avocat|gestionnaire)\b/i
7563
# Matches "contacting you" or the French "vous contacte" / "vous contacter".
# Counted as one term in the __ADVANCE_FEE_*_NEW and __FORM_FRAUD sums.
# NOTE(review): "(?:ing)" has no "?", so the bare phrase "contact you" does not
# match. This may be deliberate, since that phrase is common in legitimate
# mail, or it may be a dropped quantifier. Confirm with upstream before
# changing it.
7564body __CONTACT_YOU /\b(?:contact(?:ing)\syou|vous\scontacter?)\b/i
7565
7566rawbody __CONTENT_AFTER_HTML /<\/html>\s*[a-z0-9]/i
7567
7568if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7569 body __COPY_PASTE_EN /Copy (and|\+|\&) paste/i
7570endif
7571
7572ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7573 body __COPY_PASTE_EN /<C><O><P><Y> (?:<A><N><D>|\+|\&) <P><A><S><T><E>/i
7574endif
7575
7576body __COURIER /\bcourier\s(?:company|service)\b/i
7577
# The raw (":raw", i.e. not decoded) Subject header contains a carriage return.
# \015 is the octal escape for CR (0x0D).
7578header __CR_IN_SUBJ Subject:raw =~ /\015/
7579
7580header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w+/i
7581
7582header __CTYPE_MULTIPART_MIXED Content-Type =~ /multipart\/mixed/i
7583
7584if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7585 meta __CTYPE_NULL 0
7586endif
7587
7588ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7589 mimeheader __CTYPE_NULL Content-Type =~ /^\s*;/
7590endif
7591
7592ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7593mimeheader __CTYPE_ONETAB_GIF Content-Type:raw =~ /^image\/gif;\n\tname=\".+?\"$/s
7594endif
7595
# Top-level Content-Type indicates an encrypted message: multipart/encrypted
# (optionally with "x-" and/or "pgp-" prefixes on the subtype) or
# application/pkcs7-mime (optionally "x-pkcs7-mime").
# The alternation is at the top level of the pattern, so "^" anchors only the
# multipart branch; the application/...pkcs7-mime branch matches anywhere in
# the header value.
# NOTE(review): there is no /i flag, so a differently-cased media type is not
# matched. Confirm whether that is intended.
7596header __CT_ENCRYPTED Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/
7597
7598ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7599mimeheader __CT_UTF7 Content-Type =~ /\bcharset=.?utf-7\b/i
7600endif
7601
7602header __DATE_LOWER ALL =~ /date:\s\S{5}/
7603
7604if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7605 body __DAY_I_EARNED /day,?\sI\s(?:earned|got|received|made|brought\sin)\s\$\s?\d{3}/i
7606 tflags __DAY_I_EARNED multiple maxhits=4
7607endif
7608
7609body __DBLCLAIM /avoid double claiming/
7610
7611body __DEAD_PARENT /\b(?:my|meu)\s(?:(?:deceased|dead)\s(?:father|mother|husband)|(?:father|dad|mother|mom|husband|marido)(?:'?s)?\s(?:death|died|passed\saway|murder|was\s(?:killed|murdered|poisoned)|faleceu))/i
7612
7613body __DEAL /\b(?:(?:business|financial|this|the|mutual|die(?:se)?r?|cette|profitable)\s(?:deal|transa[ck]tion|proposal|off[er]{2}|venture|suggestion|partnership)|your\spartnership)/i
7614
7615body __DECEASED /\b(?:the|my|your|der|du|le|meu?)\s(?:deceased|late|verstorbenen|d(?:i|e|=E9|[\xe9]|[\xc3][\xa9])funto?|d(?:e|=E9|[\xe9]|[\xc3][\xa9])nt|falecido)\b/i
7616
7617body __DESTROY_ME /\b(?:destroy|hunt|quemar)\sm[eyi]\b/i
7618
7619body __DESTROY_YOU /\b(?:destroy\syou|deine Zukunft zerst\S{1,3}ren)/i
7620
7621body __DIED_IN /\bdied\sin\b/i
7622
7623body __DIPLOMATIC /\bdiplomatic\b/i
7624
7625ifplugin Mail::SpamAssassin::Plugin::AskDNS
7626tflags __DKIMWL_BLOCKED net
7627endif
7628
7629ifplugin Mail::SpamAssassin::Plugin::AskDNS
7630tflags __DKIMWL_BULKMAIL net
7631endif
7632
7633ifplugin Mail::SpamAssassin::Plugin::AskDNS
7634tflags __DKIMWL_FREEMAIL net
7635endif
7636
7637ifplugin Mail::SpamAssassin::Plugin::AskDNS
7638tflags __DKIMWL_WL_BL net
7639endif
7640
7641ifplugin Mail::SpamAssassin::Plugin::AskDNS
7642tflags __DKIMWL_WL_HI net
7643endif
7644
7645ifplugin Mail::SpamAssassin::Plugin::AskDNS
7646tflags __DKIMWL_WL_MED net
7647endif
7648
7649ifplugin Mail::SpamAssassin::Plugin::AskDNS
7650tflags __DKIMWL_WL_MEDHI net
7651endif
7652
7653header __DKIM_EXISTS exists:DKIM-Signature
7654tflags __DKIM_EXISTS nice
7655
7656body __DLND_ATTACH /\bdownload\sthe\sattach(?:ed|ment)\b/i
7657
7658if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7659 meta __DOC_ATTACH 0
7660endif
7661
7662ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7663 meta __DOC_ATTACH (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2)
7664endif
7665
7666if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7667 meta __DOC_ATTACH_FN1 0
7668endif
7669
7670ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7671 mimeheader __DOC_ATTACH_FN1 Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i
7672endif
7673
7674if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7675 meta __DOC_ATTACH_FN2 0
7676endif
7677
7678ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7679 mimeheader __DOC_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i
7680endif
7681
7682if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7683 meta __DOC_ATTACH_MT 0
7684endif
7685
7686ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7687 mimeheader __DOC_ATTACH_MT Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i
7688endif
7689
7690body __DORMANT_ACCT /\b(?:(?:dormant|abandoned|left\s?over)\s(?:account|fund|transaction|sum|deposit)|fonds\sdorment)/i
7691
7692body __DOS_BODY_FRI /\bfri(?:day)?\b/i
7693
7694body __DOS_BODY_MON /\bmon(?:day)?\b/i
7695
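# Body mentions "sat" or "saturday" as a whole word; feeds __DOS_REF_TODAY.
# Fixed: the optional suffix was "(?:day)?", which spells "satday", so the full
# word "saturday" never matched (the trailing \b fails after "sat"). The
# sibling __DOS_BODY_* day rules all accept both the short and the full name.
7696body __DOS_BODY_SAT /\bsat(?:urday)?\b/i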
7697
7698body __DOS_BODY_STOCK /\bstock\b/i
7699
7700body __DOS_BODY_SUN /\bsun(?:day)?\b/i
7701
7702body __DOS_BODY_THU /\bthu(?:r(?:s(?:day)?)?)?\b/i
7703
7704body __DOS_BODY_TICKER /\b[A-Z]{4}\.(?:OB|PK)\b/
7705
7706body __DOS_BODY_TUE /\btue(?:s(?:day)?)?\b/i
7707
7708body __DOS_BODY_WED /\bwed(?:nesday)?\b/i
7709
7710body __DOS_COMING_TO_YOUR_PLACE /I (?:am|might(?: be)?) c[a-z]?o[a-z]?m[a-z]?(?:i[a-z]?n[a-z]?g[a-z]{0,2}|e down) to y[!a-z]{2,4}r (?:city|place[a-z]{0,2}|co[a-z]?u[a-z]?n[a-z]?t[a-z]?ry) in (?:f[a-z]?e[a-z]?w|\d{1,2}) (?:day|week)s/
7711
7712body __DOS_CORRESPOND_EMAIL /correspond with me using my email/
7713
7714meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT
7715
7716meta __DOS_DIRECT_TO_MX_UNTRUSTED __DOS_DIRECT_TO_MX && !ALL_TRUSTED
7717
7718body __DOS_DROP_ME_A_LINE /Drop me a line at/
7719
7720body __DOS_EMAIL_DIRECTLY /(?:Email m[a-z]?e|address) direc(?:tl|lt)y at/
7721
7722body __DOS_FIN_ADVANTAGE /\bfinancial advantage/i
7723
7724uri __DOS_HAS_ANY_URI /^\w+:\/\//
7725
7726header __DOS_HAS_LIST_ID exists:List-ID
7727
7728header __DOS_HAS_LIST_UNSUB exists:List-Unsubscribe
7729
7730header __DOS_HAS_MAILING_LIST exists:Mailing-List
7731
7732body __DOS_HI /^Hi,$/
7733
7734body __DOS_I_AM_25 /I a.?m 25/
7735
7736body __DOS_I_DRIVE_A /I drive a/
7737
7738body __DOS_LET_GO_JOB /I was (?:let go|fired|layed off|dismissed) from a job I h(?:el|a)d for (?:2\d years|\d{3} months)/
7739
7740body __DOS_LINK /\blink\b/
7741
7742body __DOS_MEET_EACH_OTHER /(?:meet each other|[Mm]ay ?be we can meet)/
7743
7744header __DOS_MSGID_DIGITS10 Message-ID =~ /<1[013-9]\d{8}\@.*>/
7745
7746header __DOS_MSGID_DIGITS9 Message-ID =~ /<\d{9}\@.*>/
7747
7748body __DOS_MY_OLD_JOB /my old job/
7749
7750body __DOS_PERSONAL_EMAIL /personal email at/
7751
7752header __DOS_RCVD_FRI Received =~ / Fri, /
7753
7754header __DOS_RCVD_MON Received =~ / Mon, /
7755
7756header __DOS_RCVD_SAT Received =~ / Sat, /
7757
7758header __DOS_RCVD_SUN Received =~ / Sun, /
7759
7760header __DOS_RCVD_THU Received =~ / Thu, /
7761
7762header __DOS_RCVD_TUE Received =~ / Tue, /
7763
7764header __DOS_RCVD_WED Received =~ / Wed, /
7765
7766meta __DOS_REF_2_WK_DAYS (__DOS_RCVD_MON && __DOS_BODY_WED) || (__DOS_RCVD_TUE && __DOS_BODY_THU) || (__DOS_RCVD_WED && __DOS_BODY_FRI) || (__DOS_RCVD_THU && __DOS_BODY_MON) || (__DOS_RCVD_FRI && __DOS_BODY_TUE) || (__DOS_RCVD_SAT && __DOS_BODY_TUE) || (__DOS_RCVD_SUN && __DOS_BODY_TUE)
7767
7768meta __DOS_REF_NEXT_WK_DAY (__DOS_RCVD_MON && __DOS_BODY_TUE) || (__DOS_RCVD_TUE && __DOS_BODY_WED) || (__DOS_RCVD_WED && __DOS_BODY_THU) || (__DOS_RCVD_THU && __DOS_BODY_FRI) || (__DOS_RCVD_FRI && __DOS_BODY_MON) || (__DOS_RCVD_SAT && __DOS_BODY_MON) || (__DOS_RCVD_SUN && __DOS_BODY_MON)
7769
7770meta __DOS_REF_TODAY (__DOS_RCVD_MON && __DOS_BODY_MON) || (__DOS_RCVD_TUE && __DOS_BODY_TUE) || (__DOS_RCVD_WED && __DOS_BODY_WED) || (__DOS_RCVD_THU && __DOS_BODY_THU) || (__DOS_RCVD_FRI && __DOS_BODY_FRI) || (__DOS_RCVD_SAT && __DOS_BODY_SAT) || (__DOS_RCVD_SUN && __DOS_BODY_SUN)
7771
# Two relay-count probes used by __DOS_DIRECT_TO_MX (single external relay and
# NOT relayed externally).
# NOTE(review): both read the scanner's "external" view of the message. What
# counts as external presumably follows the trusted/internal network settings
# of the installation, so a wrong network boundary skews both rules. Confirm
# that configuration before relying on the direct-to-MX metas.

# The ALL-EXTERNAL header text contains at least two "Received:" header lines.
# With /s the ".+" may span line breaks, so the two need not be adjacent.
7772header __DOS_RELAYED_EXT ALL-EXTERNAL =~ /(?:^|\n)[Rr][eE][cC][eE][iI][vV][eE][dD]:\s.+\n[Rr][eE][cC][eE][iI][vV][eE][dD]:\s/s
7773
# X-Spam-Relays-External consists of exactly one "[ ... ]" entry.
7774header __DOS_SINGLE_EXT_RELAY X-Spam-Relays-External =~ /^\[ [^\]]+ \]$/
7775
7776body __DOS_STEADY_COURSE /\bsteady (?:and increasing )?course\b/i
7777
7778body __DOS_STRONG_CF /\bstrong cash flow/i
7779
7780body __DOS_TAKING_HOME /Taking home \d (?:digit level|figures) in \d{1,2} months/
7781
7782body __DOS_WRITE_ME_AT /[Ww].?r.?i.?t.?e me at/
7783
7784meta __DOTGOV_IMAGE __URI_DOTGOV && __REMOTE_IMAGE
7785
7786meta __DYNAMIC_IMGUR __IMGUR_IMG && __RDNS_DYNAMIC_IPADDR
7787
7788body __EARLY_DEMISE /\buntimely\sdeath\b/i
7789
7790header __EBAY_ADDRESS From:addr =~ /[\@.]ebay\.\w\w\w?(?:\.\w\w)?$/i
7791
7792meta __EBAY_IMG_NOT_RCVD_EBAY __URI_IMG_EBAY && !__HDR_RCVD_EBAY
7793
7794meta __EMAIL_PHISH (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN) > 1) && !__EMAIL_PHISH_MANY
7795
46cfc9e2 7796meta __EMAIL_PHISH_MANY (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ) > 3)
7797
7798meta __EMPTY_BODY __BODY_TEXT_LINE < 2 && !__SMIME_MESSAGE
7799
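# Opt-out wording: a verb of stopping ("end", "stop", "cease", "discontinue",
# "remove", "do/would/you not wish to", "exclude yourself", "forgo"), an
# optional "get / receiving / or / <up to four words> from", then "these",
# "our" or "[any] future/further", then a noun such as e-mail(s), mailing,
# message, alert, PSA, marketing or notice.
# The two negative lookaheads skip "stop receiving these alerts/emails" and
# "do not wish to receive ... emails".
# Fixed: the optional "<words> from" part was written "(?:a-z{1,30} ){0,4}",
# which matches the literal text "a-" followed by 1-30 "z" characters. The
# missing brackets are restored so that it matches up to four words.
7800body __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:[a-z]{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i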
7801
7802header __ENVFROM_AMAZONSES EnvelopeFrom =~ /\@amazonses\.com$/
7803
7804header __ENVFROM_GOOG_TRIX EnvelopeFrom =~ /(?:@|=)trix\.bounces\.google\.com(?:$|=)/
7805
7806meta __ENVFROM_GOOG_TRIX_SPAMMY __ENVFROM_GOOG_TRIX && (__GOOGLE_DOC_SUSP || FREEMAIL_REPLYTO_END_DIGIT || __ADVANCE_FEE_2_NEW || FORGED_GMAIL_RCVD || LOTS_OF_MONEY || __HAS_X_SOURCE_DIR )
7807
# Attachment whose Content-Type header mentions ".exe". Without the MIMEHeader
# plugin the rule is the constant 0 and never hits.
7808if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7809 meta __EXE_ATTACH 0
7810endif
7811
7812ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
 # Matches ".exe" at a word boundary anywhere in Content-Type, in practice the
 # name= parameter. Only Content-Type is inspected; unlike the
 # __DOC_ATTACH_FN1 / __DOC_ATTACH_FN2 pair in this file there is no companion
 # rule for the Content-Disposition filename, and only this one extension is
 # covered. Treat this as a scoring hint, not as attachment filtering.
7813 mimeheader __EXE_ATTACH Content-Type =~ /\.exe\b/i
7814endif
7815
7816if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7817 body __EXPLOSIVE_DEVICE /\b(?:explosive\sdevice|bomb)\b/i
7818endif
7819
7820ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7821 body __EXPLOSIVE_DEVICE /(?:^|\s)(?:<E><X><P><L><O><S><I><V><E>\s<D><E><V><I><C><E>|<B><O><M><B>)\s/i
7822endif
7823
7824meta __EXTORT_MANY (__MY_MALWARE + __PAY_ME + __MY_VICTIM + __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE + __YOUR_PASSWORD + LOCALPART_IN_SUBJECT + __DESTROY_ME + __DESTROY_YOU + __EXPLOSIVE_DEVICE + __PAXFUL + __HUSH_HUSH) > 3
7825
7826body __EX_CUSTOMER /\b(?:(?:dead|deceased|late|verstorbenen|death\sof\sthe)\s(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|depositor|mr\.|kunde|engr?\.?)|titulaire\sdu\scompte\sest\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|invest[eo]r\sdied|(?:e|=E9|[\xe9]|[\xc3][\xa9])tranger\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|mr\.|kunde|engr?\.?)\s(?:[a-z]{1,10}\s)?(?:dead|deceased|verstorbenen))/i
7827
# Counts occurrences of the <lcase_e> tag in the body, up to 320 per message.
# The tag's expansion is not defined in this part of the file; presumably it
# comes from ReplaceTags tag definitions elsewhere.
# The two conditionals are nested: the first endif closes "ifplugin", the
# second closes "if can(...)". The flat indentation does not show this.
7828if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7829 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7830 body __E_LIKE_LETTER /<lcase_e>/
7831 tflags __E_LIKE_LETTER multiple maxhits=320
7832endif
7833endif
7834
7835body __FAILED_LOGINS /unsuc+es+ful log-?[io]n at+empts/i
7836
# Building blocks for __FBI_SPOOF: mail that presents itself as coming from the
# FBI while no relay identifies as fbi.gov.

# A body paragraph starts with the upper-case agency name (case-sensitive).
7837body __FBI_BODY_SHOUT_1 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/
7838
# Same text at the start of any line of the raw body (/m).
7839rawbody __FBI_BODY_SHOUT_2 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/m
7840
# From address ends in "fbi.gov".
7841header __FBI_FM_DOM From:addr =~ /\bfbi\.gov$/
7842
# From display name contains the agency name (case-insensitive).
7843header __FBI_FM_NAME From:name =~ /federal\sbureau\sof\sinvestigation/i
7844
# Some entry in X-Spam-Relays-External has an rdns value ending in "fbi.gov".
# The pattern is not tied to a particular entry, so every listed relay is
# considered.
# NOTE(review): entries other than the one that handed the message to the
# trusted network are presumably reconstructed from Received headers written
# upstream. If so, the exemption this rule provides in __FBI_SPOOF rests on
# data the receiving side did not observe itself. Consider restricting the
# match to the first entry. TODO confirm against the relay metadata format.
7845header __FBI_RCVD_DOM X-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov /
7846
# Claims FBI origin (name, address or body heading), no fbi.gov relay seen,
# and a Reply-To header is present.
7847meta __FBI_SPOOF (__FBI_FM_NAME || __FBI_FM_DOM || __FBI_BODY_SHOUT_1 || __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __HAS_REPLY_TO
7848
7849body __FB_COST /\bcost\b/i
7850
7851body __FB_NUM_PERCNT /\d\s?\%/
7852
7853body __FB_S_PRICE /pri{1,2}c[a-z]?e/i
7854
7855body __FB_S_STOCK /\bstock/i
7856
7857body __FB_TOUR /\btour/i
7858
7859body __FEES /\b(?:security|safe\w*|courier|registration|pay|paid|up-?front|processing|delivery|transfer|keeping)[\s\w]{0,15}\s(?:fee|charge)s?\b/i
7860
7861body __FIFTY_FIFTY /\b(?:50|fifty)(?:%?[\/:]50%?|%|\spercent)/i
7862
7863if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7864 meta __FILL_THIS_FORM 0
7865endif
7866
7867ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7868 meta __FILL_THIS_FORM (__FILL_THIS_FORM_LONG || __FILL_THIS_FORM_PARTIAL > 4 || __FILL_THIS_FORM_PARTIAL_RAW > 4)
7869endif
7870
7871if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7872 meta __FILL_THIS_FORM_FRAUD_PHISH 0
7873endif
7874
7875ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7876 meta __FILL_THIS_FORM_FRAUD_PHISH (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FILL_THIS_FORM_FRAUD_PHISH1 || __EMAIL_PHISH || __ACCT_PHISH)
7877endif
7878
7879if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7880 meta __FILL_THIS_FORM_FRAUD_PHISH1 0
7881endif
7882
7883ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7884 body __FILL_THIS_FORM_FRAUD_PHISH1 /<FF_YOUR>(?:<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
7885endif
7886
7887if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7888 meta __FILL_THIS_FORM_LOAN 0
7889endif
7890
7891ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7892 meta __FILL_THIS_FORM_LOAN __FILL_THIS_FORM && __FILL_THIS_FORM_LOAN1
7893endif
7894
7895if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7896 meta __FILL_THIS_FORM_LOAN1 0
7897endif
7898
7899ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7900 body __FILL_THIS_FORM_LOAN1 /<FF_YOUR><FF_L1><FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
7901endif
7902
7903if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7904 meta __FILL_THIS_FORM_LONG 0
7905endif
7906
7907ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7908 meta __FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG1 || __FILL_THIS_FORM_LONG2
7909endif
7910
7911if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7912 meta __FILL_THIS_FORM_LONG1 0
7913endif
7914
7915ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7916 body __FILL_THIS_FORM_LONG1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
7917endif
7918
7919if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7920 meta __FILL_THIS_FORM_LONG2 0
7921endif
7922
7923ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7924 body __FILL_THIS_FORM_LONG2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
7925endif
7926
7927if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7928 meta __FILL_THIS_FORM_PARTIAL 0
7929endif
7930
7931ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7932 body __FILL_THIS_FORM_PARTIAL /^\s?<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20){1,4}$)/im
7933 tflags __FILL_THIS_FORM_PARTIAL multiple maxhits=5
7934endif
7935
7936if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7937 meta __FILL_THIS_FORM_PARTIAL_RAW 0
7938endif
7939
7940ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7941 rawbody __FILL_THIS_FORM_PARTIAL_RAW /^(?>\s{0,50})<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20|&nbsp;|<\/\w+>){0,4}$)/im
7942 tflags __FILL_THIS_FORM_PARTIAL_RAW multiple maxhits=5
7943endif
7944
7945if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7946 meta __FILL_THIS_FORM_SHORT 0
7947endif
7948
7949ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7950 meta __FILL_THIS_FORM_SHORT !__FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT1 || __FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_PARTIAL > 2 || __FILL_THIS_FORM_PARTIAL_RAW > 2)
7951endif
7952
7953if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7954 meta __FILL_THIS_FORM_SHORT1 0
7955endif
7956
7957ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7958 body __FILL_THIS_FORM_SHORT1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
7959endif
7960
7961if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7962 meta __FILL_THIS_FORM_SHORT2 0
7963endif
7964
7965ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7966 body __FILL_THIS_FORM_SHORT2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
7967endif
7968
7969header __FLASHMAIL_MUA X-Mailer =~ /^NetEase Flash Mail \d/
7970
7971if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7972 meta __FM_MY_PRICE __FB_S_PRICE
7973endif
7974
7975ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7976 meta __FM_MY_PRICE (__FB_S_PRICE || __FRT_PRICE)
7977endif
7978
7979meta __FM_TO_ALL_NUMS __FROM_ALL_NUMS && __TO_ALL_NUMS
7980
# Counts HTML tags that make the text right after them effectively invisible.
# A hit needs, inside one tag other than <style> and within 80 characters of
# the tag name, either
#   * font / font-size set to a value below 2 in px, pt, Q, vw, vh or vmin,
#     a value starting with zero in cm, mm, pc, ch, rem, lh, vmax or %,
#     or 0.0x in em, ex or in; or
#   * color: transparent,
# and the tag must be followed directly by a word character.
# Coverage note: only attributes inside the tag itself are inspected. Sizes or
# colours applied through <style> blocks or class names are outside what this
# pattern can see.
# maxhits=11 lets the __FONT_INVIS_2 / _5 / _10 metas below compare the count
# against their thresholds (the highest is "> 10").
7981if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7982 rawbody __FONT_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w/i
7983 tflags __FONT_INVIS multiple maxhits=11
7984endif
7985
7986if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7987 meta __FONT_INVIS_10 __FONT_INVIS > 10
7988endif
7989
7990if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7991 meta __FONT_INVIS_2 __FONT_INVIS > 2
7992endif
7993
7994if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7995 meta __FONT_INVIS_5 __FONT_INVIS > 5
7996endif
7997
7998if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7999 meta __FONT_INVIS_CENTER __FONT_INVIS && __TAG_EXISTS_CENTER
8000endif
8001
8002if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8003 meta __FONT_INVIS_DIRECT __FONT_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED
8004endif
8005
8006if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8007 meta __FONT_INVIS_DOTGOV __FONT_INVIS && __URI_DOTGOV
8008endif
8009
8010if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8011 meta __FONT_INVIS_HTML_NOHTML __FONT_INVIS && HTML_MIME_NO_HTML_TAG
8012endif
8013
8014if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8015 meta __FONT_INVIS_LONG_LINE __FONT_INVIS && __LONGLINE
8016endif
8017
8018if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8019 meta __FONT_INVIS_MANY __FONT_INVIS_2
8020endif
8021
8022if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8023 meta __FONT_INVIS_MSGID __FONT_INVIS && __MSGID_OK_HOST
8024endif
8025
8026if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8027 meta __FONT_INVIS_NORDNS __FONT_INVIS && __RDNS_NONE
8028endif
8029
8030if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8031 meta __FONT_INVIS_SINGLET __FONT_INVIS && __HTML_SINGLET
8032endif
8033
8034header __FORGED_MUA_POSTFIX0 User-Agent =~ /Postfix/
8035
8036header __FORGED_MUA_POSTFIX1 X-Mailer =~ /Postfix/
8037
8038meta __FORGED_TBIRD_IMG __MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0D
8039describe __FORGED_TBIRD_IMG Possibly forged Thunderbird image spam
8040
8041meta __FORM_FRAUD (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 1)
8042
8043meta __FORM_FRAUD_3 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3)
8044
8045meta __FORM_FRAUD_5 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)
8046
# Combines a short "fill in this form" body match with low-contrast HTML text.
# NOTE(review): both operands of the || are __FILL_THIS_FORM_SHORT2, so the
# alternation is redundant as written. __FILL_THIS_FORM_SHORT1 is defined earlier
# in this file and may have been intended for one side - confirm against upstream
# before assuming SHORT1-style forms are covered by this meta.
8047meta __FORM_LOW_CONTRAST (__FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_SHORT2) && __HTML_FONT_LOW_CONTRAST_MINFP
8048
8049if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8050 body __FOR_SALE_LTP /00\.? (?:less 10%|LTP)/i
8051 tflags __FOR_SALE_LTP multiple maxhits=11
8052endif
8053
8054if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8055 meta __FOR_SALE_LTP_MANY __FOR_SALE_LTP > 10
8056endif
8057
8058if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8059 body __FOR_SALE_NET /00\.? NET/i
8060 tflags __FOR_SALE_NET multiple maxhits=11
8061endif
8062
8063if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8064 meta __FOR_SALE_NET_MANY __FOR_SALE_NET > 10
8065endif
8066
8067if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8068 body __FOR_SALE_OBO /\bor best offer\b/i
8069 tflags __FOR_SALE_OBO multiple maxhits=6
8070endif
8071
8072if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8073 meta __FOR_SALE_OBO_MANY __FOR_SALE_OBO > 5
8074endif
8075
8076if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8077 body __FOR_SALE_PRC_100K /\bprice:? \$\d\d\d,\d\d\d/i
8078 tflags __FOR_SALE_PRC_100K multiple maxhits=11
8079endif
8080
8081if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8082 meta __FOR_SALE_PRC_100K_MANY __FOR_SALE_PRC_100K > 5
8083endif
8084
8085if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8086 body __FOR_SALE_PRC_10K /\bprice:? \$\d\d,\d\d\d/i
8087 tflags __FOR_SALE_PRC_10K multiple maxhits=11
8088endif
8089
8090if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8091 meta __FOR_SALE_PRC_10K_MANY __FOR_SALE_PRC_10K > 10
8092endif
8093
8094if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8095 body __FOR_SALE_PRC_1K /\bprice:? \$\d,?\d\d\d[.\s]/i
8096 tflags __FOR_SALE_PRC_1K multiple maxhits=11
8097endif
8098
8099if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8100 meta __FOR_SALE_PRC_1K_MANY __FOR_SALE_PRC_1K > 10
8101endif
8102
8103if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8104 rawbody __FOR_SALE_PRC_EOL /\s\$\d{1,3},\d00(?:\.00)?$/m
8105 tflags __FOR_SALE_PRC_EOL multiple maxhits=11
8106endif
8107
8108if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8109 meta __FOR_SALE_PRC_EOL_MANY __FOR_SALE_PRC_EOL > 10
8110endif
8111
8112if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8113 meta __FOR_SALE_PRC_MANY (__FOR_SALE_PRC_1K + __FOR_SALE_PRC_10K + __FOR_SALE_PRC_100K) > 20
8114endif
8115
8116body __FOUND_YOU /\b(?:I|we)\sfound\syour?\b/i
8117
8118body __FRAUD /\b(?:de)?fraud/i
8119
8120body __FRAUD_IOV /\b(?:no risks?|risky?[- ]{0,3}free|free of risks?|100% safe|v\S{1,3}llig Risikofrei ist)\b/i
8121
8122body __FRAUD_PTX /\b(?:ass?ass?inat(?:ed|ion)|murder(?:e?d)?|poison(?:e?d)?|kill(?:ed|ing|ers)\b[^.]{0,99}\b(?:war veterans|rebels?)|les tueurs)\b/i
8123
8124body __FRAUD_XWW /\b(?:honest(?:ly)?\sco(?:-?operat(?:e|ion)|llaborat(?:e|ion))|ehrliche\szusammenarbeit|sichere [kc]o+p[eo]ration|col+aboration\swith\sme)\b/i
8125
8126ifplugin Mail::SpamAssassin::Plugin::FreeMail
8127 header __FREEMAIL_DISPTO eval:check_freemail_header('Disposition-Notification-To')
8128endif
8129
8130ifplugin Mail::SpamAssassin::Plugin::FreeMail
8131 meta __FREEMAIL_DOC_PDF (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
8132endif
8133
8134meta __FREEMAIL_WFH_01 (FREEMAIL_FROM || FREEMAIL_REPLYTO) && __WFH_01
8135
8136meta __FREEM_FRNUM_UNICD_EMPTY FREEMAIL_FROM && __FROM_ALL_NUMS && __FROM_ENCODED_B64 && __SUBJECT_ENCODED_B64 && __EMPTY_BODY
8137
8138if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
8139 meta __FROM_41_FREEMAIL 0
8140endif
8141
8142ifplugin Mail::SpamAssassin::Plugin::FreeMail
8143 meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED
8144 describe __FROM_41_FREEMAIL Sent from Africa + freemail provider
8145endif
8146
8147if (version >= 3.004002)
8148ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8149header __FROM_ADDRLIST_BANKS eval:check_from_in_list('BANKS')
8150endif
8151endif
8152
8153if (version >= 3.004002)
8154ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8155header __FROM_ADDRLIST_GOV eval:check_from_in_list('GOV')
8156endif
8157endif
8158
8159if (version >= 3.004002)
8160ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8161header __FROM_ADDRLIST_PAYPAL eval:check_from_in_list('PAYPAL')
8162endif
8163endif
8164
8165if (version >= 3.004002)
8166ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8167header __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD')
8168endif
8169endif
8170
8171header __FROM_ADDR_WS From:addr =~ /\s/
8172
8173header __FROM_ADMIN From =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i
8174
8175header __FROM_ALL_HEX From:addr =~ /^(?!(?:19|20)\d\d[01]\d[0-3]\d)(?![0-9a-f]*[a-f]{3})[0-9a-f]+\@/
8176
8177header __FROM_ALL_NUMS From:addr =~ /^\d+@/
8178
46cfc9e2
SI
8179header __FROM_AMEX From =~ /american\s?express/i
8180
8181header __FROM_ASB_BANK From:addr =~ /\basb\.co\.nz$/i
8182
8183header __FROM_BANK_LOOSE From =~ /ban(?:k|co)/i
8184
# Matches a From address whose domain ends in chasepaymentech.com, optionally
# with "2" and/or "-" between "chase" and "paymentech".
# NOTE(review): the (?:2?-?paymentech) group has no "?" quantifier, so a plain
# chase.com address does not match; confirm whether the group was meant to be
# optional. There is also no left boundary before "chase", so any domain that
# merely ends with the string matches - treat this as a brand-mention indicator
# (it feeds __FROM_MISSP_PHISH), never as evidence the sender is the real brand.
8185header __FROM_CHASE From:addr =~ /chase(?:2?-?paymentech)\.com$/i
8186
8187header __FROM_CMNWLTH_BANK From:addr =~ /\bcommonwealth\.com\.au$/i
8188
b780ea8d
SI
8189header __FROM_DNS From =~ /(?<![^\w.-])dns(?:admin)?\@/i
8190
8191meta __FROM_DOM_ADMIN __FROM_ADMIN && __PDS_FROM_NAME_TO_DOMAIN
8192
8193header __FROM_DOM_INFO From:addr =~ /\.info$/i
8194
8195header __FROM_EBAY From:addr =~ /\@ebay\.com$/i
8196
46cfc9e2
SI
8197header __FROM_EBAY_LOOSE From =~ /\be-?bay\b/i
8198
8199header __FROM_EQ_ORG_1 ALL =~ /\nFrom: "?([^\n]+)"? <[^>]+>\n.*Organization: \1\n/ism
8200
b780ea8d
SI
8201ifplugin Mail::SpamAssassin::Plugin::FreeMail
8202 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
8203 header __FROM_EQ_REPLY eval:check_fromname_equals_replyto()
8204endif
8205endif
8206
8207if (version >= 3.004001)
8208ifplugin Mail::SpamAssassin::Plugin::AskDNS
8209tflags __FROM_FMBLA_NDBLOCKED net
8210endif
8211endif
8212
8213if (version >= 3.004001)
8214ifplugin Mail::SpamAssassin::Plugin::AskDNS
8215tflags __FROM_FMBLA_NEWDOM net
8216endif
8217endif
8218
8219if (version >= 3.004001)
8220ifplugin Mail::SpamAssassin::Plugin::AskDNS
8221tflags __FROM_FMBLA_NEWDOM14 net
8222endif
8223endif
8224
8225if (version >= 3.004001)
8226ifplugin Mail::SpamAssassin::Plugin::AskDNS
8227tflags __FROM_FMBLA_NEWDOM28 net
8228endif
8229endif
8230
8231header __FROM_FULL_NAME From:name =~ /^[^a-z[:punct:][:cntrl:]\d\s][^[:punct:][:cntrl:]\d\s]*[[:punct:]\s]+[^a-z[:punct:][:cntrl:]\d\s]/
8232tflags __FROM_FULL_NAME nice
8233
46cfc9e2
SI
8234header __FROM_HSBC From:addr =~ /\bhsbc\.co\.uk$/i
8235
b780ea8d
SI
8236header __FROM_INFO From =~ /(?<![^\w.-])info\@/i
8237
46cfc9e2
SI
# Matches a From address ending in lloydstsb.co.uk or lloydstsb.com, with a word
# boundary before "lloyds".
# NOTE(review): (?:tsb) is a required group, so addresses at a "lloyds" domain
# without the "tsb" suffix are not matched - confirm whether that is intended.
8238header __FROM_LLOYDSTSB From:addr =~ /\blloyds(?:tsb)\.(?:co\.uk|com)$/i
8239
b780ea8d
SI
8240header __FROM_LOWER ALL =~ /from:\s\S{5}/
8241
8242header __FROM_MISSPACED From =~ /^\s*"[^"]*"</
8243
8244meta __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __LCL__ENV_AND_HDR_FROM_MATCH
8245
8246if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
8247 meta __FROM_MISSP_FREEMAIL 0
8248endif
8249
8250ifplugin Mail::SpamAssassin::Plugin::FreeMail
8251 meta __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
8252endif
8253
46cfc9e2
SI
8254meta __FROM_MISSP_PHISH __FROM_MISSPACED && (__FROM_ASB_BANK || __FROM_AMEX || __FROM_BANK_LOOSE || __FROM_CHASE || __FROM_CMNWLTH_BANK || __FROM_EBAY_LOOSE || __FROM_HSBC || __FROM_LLOYDSTSB || __FROM_PAYPAL_LOOSE || __FROM_WELLSFARGO || __FROM_WESTERNUNION)
8255
b780ea8d
SI
8256meta __FROM_MISSP_REPLYTO __FROM_RUNON && __HAS_REPLY_TO
8257
8258if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
8259 meta __FROM_MULTI_NORDNS __PDS_FROM_2_EMAILS && __RDNS_NONE
8260endif
8261
8262if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
8263 meta __FROM_MULTI_SHORT_IMG __PDS_FROM_2_EMAILS && (HTML_IMAGE_ONLY_16 || HTML_SHORT_LINK_IMG_2 || __HTML_IMG_ONLY)
8264endif
8265
46cfc9e2
SI
8266header __FROM_NAME_APPLECOM From:name =~ /\bapple\.com\b/i
8267
8268header __FROM_NAME_EBAYCOM From:name =~ /\bebay\.com\b/i
8269
b780ea8d
SI
8270full __FROM_NAME_IN_MSG /^From:\s+([^<]\S+\s\S+)\s(?=.{1,2048}^\1\r?$)/sm
8271
46cfc9e2
SI
8272header __FROM_NAME_PAYPALCOM From:name =~ /\bpaypal\.com\b/i
8273
b780ea8d
SI
8274header __FROM_PAYPAL From:addr =~ /\@paypal\.com$/i
8275
46cfc9e2
SI
8276header __FROM_PAYPAL_LOOSE From =~ /paypal/i
8277
b780ea8d
SI
8278header __FROM_RUNON From =~ /\S+<\w+/
8279
8280header __FROM_RUNON_UNCODED From:raw =~ /\S+(?<!\?=)<\w+/
8281
8282header __FROM_WEB_DAEMON From:addr =~ /(?:apache|www|web|tomcat|\biis\b).*\@/i
8283
46cfc9e2
SI
# Brand indicators on the From address, consumed by __FROM_MISSP_PHISH.
# NOTE(review): unlike __FROM_PAYPAL and __FROM_EBAY in this file, which anchor
# on "\@", these two patterns have no "@", "." or \b before the brand name, so
# any domain that ends with the string matches (constructed sample:
# user@example-wellsfargo.com). That is harmless for a "mentions the brand"
# signal, but these rules must not be reused as an allow-list or as proof that
# the message comes from the brand's own domain.
8284header __FROM_WELLSFARGO From:addr =~ /wellsfargo\.com$/i
8285
8286header __FROM_WESTERNUNION From:addr =~ /westernunion\.com$/i
8287
b780ea8d
SI
8288header __FROM_WORDY From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/
8289
8290if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8291 meta __FRT_PRICE 0
8292endif
8293
8294ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8295 body __FRT_PRICE /<inter SP2><post P2>\b(?!price)<P><R><IX><C><E>\b/i
8296endif
8297
8298rawbody __FR_SPACING_8 /[a-z0-9]{6}\s{8}[a-z0-9]{5}/i
8299
8300header __FSL_HAS_LIST_UNSUB exists:List-Unsubscribe
8301
8302header __FSL_HELO_BARE_IP_1 X-Spam-Relays-External =~ /^[^\]]+ helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} [^\]]*auth= /i
8303
b780ea8d
SI
8304header __FSL_HELO_USER_1 X-Spam-Relays-External =~ / helo=user /i
8305
8306header __FSL_HELO_USER_2 Received =~ /from User(?:\s+by|\s*[\[\(]|$)/i
8307
8308header __FSL_HELO_USER_3 Received =~ /(?:eh|he)lo(?:=|\s)User\)/i
8309
8310header __FSL_RELAY_GOOGLE X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.google\.com\.? /i
8311
8312header __FS_SUBJ_RE Subject =~ /^Re: /
8313
8314ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8315 body __FUZZY_DR_OZ /(?=<D>)(?!(?-i:D(?:r.|octor)(?:\s|&nbsp;)Oz))(?:<R>|<O><C>(?:<T><O><R>)?)\.?<WS>*<O><Z>(?:$|\W)/i
8316endif
8317
8318if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8319 meta __FUZZY_MONERO 0
8320endif
8321
8322ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8323 body __FUZZY_MONERO /(?=<M>)(?!monero)<M><O><N><E><R><O>/i
8324endif
8325
8326ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8327 body __FUZZY_PORN /(?=<P>)(?!pornograph?(?:y|i[ca]|er))<P><O><R><N><O><G><R><A><P><H>?(?:<Y>|<I><C>|<E><R>)/i
8328endif
8329
8330ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8331 body __FUZZY_WELLSFARGO_BODY /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i
8332endif
8333
8334ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8335 header __FUZZY_WELLSFARGO_FROM From:name =~ /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i
8336endif
8337
8338if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8339 body __GAPPY_SALES_LEADS /\b(?:business|e?-?mail|your|marketing|advertising)\s(?!sales|leads|campaign)(?:s\s?a\s?l\s?e\s?s|l\s?e\s?a\s?d\s?s|c\s?a\s?m\s?p\s?a\s?i\s?g\s?n)\b/i
8340 tflags __GAPPY_SALES_LEADS multiple maxhits=3
8341endif
8342
8343if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8344 meta __GAPPY_SALES_LEADS_MANY __GAPPY_SALES_LEADS > 2
8345endif
8346
46cfc9e2 8347header __GB_FAKE_RF Subject =~ /(Fw|Re)\:{1,2}[\W+]/i
b780ea8d
SI
8348
8349body __GHANA /\bghana\b/i
8350
8351ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8352mimeheader __GIF_ATTACH Content-Type =~ /^image\/gif\b/i
8353endif
8354
# Body phrases offering to give or donate money (English, French and Polish
# variants), used as an advance-fee / charity-fraud indicator.
# NOTE(review): two escapes look unintended and narrow the match:
#   - "(?:\w\+\s){0,3}" requires one word character followed by a literal "+",
#     so it does not skip up to three ordinary words after "donate(d)";
#     "\w+\s" was presumably meant.
#   - "philanthropists\?" requires a literal "?" after the word, and the closing
#     \b then needs a word character right after it; "philanthropists?" was
#     presumably meant.
# Confirm against upstream; as written these alternatives rarely fire.
8355body __GIVE_MONEY /\b(?:(?:give\syou\s(?:this\s)?(?:money|fund|inheritance))|(?:donated?\s(?:\w\+\s){0,3}(?:the\ssum\sof|(?:(?:the|this|some)\s(?:money|funds?|inheritance)|to\s)(?:you|(?:(?:the|a)\s)?church|charit(?:y|ies)|humanit\w+|needy|poor|orphan(?:age)?s?|philanthropists\?)))|de vous donner cet argent|faire don de la somme|voudrais en faire don|tego funduszu do dom(?:=F3|[\xf3])w (?:dziecka|wdowy))\b/i
8356
8357meta __GOOGLE_DOCS_PHISH_1 __URI_GOOGLE_DOC && (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST)
8358
8359meta __GOOGLE_DOCS_PHISH_2 __URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY
8360
8361meta __GOOGLE_DOC_SUSP __URI_GOOGLE_DOC && (__HAS_DOMAINKEY_SIG || __RDNS_NONE || __SYSADMIN || __STY_INVIS || LOTS_OF_MONEY || __XFER_MONEY || __ADVANCE_FEE_2_NEW) && !ALL_TRUSTED
8362
# URIs on a *.google.com host whose path reaches "url?" and whose query later
# contains "download" preceded by "?", "&" or "/".
# NOTE(review): the host part is "[^/]*\.google\.com", which requires at least a
# dot before "google"; a URI on the bare google.com host is not matched by
# either rule below. Confirm that is acceptable for the mail seen locally.
8363uri __GOOG_MALWARE_DNLD m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&/]download;i
8364
# URIs that point at the "/url?" endpoint directly under a *.google.com host;
# the link target shown to the reader is a Google host, not the final
# destination, so dependent rules should not treat the host as reputation.
8365uri __GOOG_REDIR m;^https?://[^/]*\.google\.com/url\?;i
8366
8367meta __GOOG_STO_HTML_PHISH __URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY
8368
8369meta __GOOG_STO_IMG_HTML_1 __URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML
8370
8371meta __GOOG_STO_IMG_NOHTML __URI_GOOG_STO_IMG && !__URI_GOOG_STO_HTML
8372
8373meta __GOOG_STO_NOIMG_HTML !__URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML
8374
8375body __HAS_ANY_EMAIL /\w@\S+\.\w/
8376
8377uri __HAS_ANY_URI /^\w+:\/\//
8378
8379header __HAS_CAMPAIGNID exists:X-Campaignid
8380
8381header __HAS_CID exists:X-CID
8382
8383header __HAS_COMPLAINT_TO exists:Complaint-To
8384
8385header __HAS_DOMAINKEY_SIG exists:DomainKey-Signature
8386
8387describe __HAS_HREF Has an anchor tag with a href attribute in non-quoted line
8388rawbody __HAS_HREF /^[^>].*?<a href=/im
8389tflags __HAS_HREF multiple maxhits=100
8390
8391describe __HAS_HREF_ONECASE Has an anchor tag with a href attribute in non-quoted line with consistent case
8392rawbody __HAS_HREF_ONECASE /^[^>].*?<(a href|A HREF)=/m
8393tflags __HAS_HREF_ONECASE multiple maxhits=100
8394
8395describe __HAS_IMG_SRC Has an img tag on a non-quoted line
8396rawbody __HAS_IMG_SRC /^[^>].*?<img src=/im
8397tflags __HAS_IMG_SRC multiple maxhits=100
8398
8399rawbody __HAS_IMG_SRC_DATA /^[^>].*?<img src=['"]data/im
8400
8401describe __HAS_IMG_SRC_ONECASE Has an img tag on a non-quoted line with consistent case
8402rawbody __HAS_IMG_SRC_ONECASE /^[^>].*?<(img src|IMG SRC)=/m
8403tflags __HAS_IMG_SRC_ONECASE multiple maxhits=100
8404
8405header __HAS_LIST_OPEN exists:List-Open
8406
8407header __HAS_LOGID exists:logid
8408
8409header __HAS_MESSAGEID exists:MessageID
8410
8411header __HAS_PHP_ORIG_SCRIPT exists:X-PHP-Originating-Script
8412
8413header __HAS_PHP_SCRIPT exists:X-PHP-Script
8414
8415header __HAS_THREAD_INDEX exists:Thread-Index
8416
8417header __HAS_TRACKING_CODE exists:Tracking-Code
8418
8419body __HAS_WON_01 /\bque ha ganado\b/i
8420
8421header __HAS_XM_LID exists:X-Mailer-LID
8422
8423header __HAS_XM_RECPTID exists:X-Mailer-RecptId
8424
8425header __HAS_XM_SENTBY exists:X-Mailer-Sent-By
8426
8427header __HAS_XM_SID exists:X-Mailer-SID
8428
8429header __HAS_X_EBSERVER exists:X-EBSERVER
8430
8431header __HAS_X_LETTER exists:X-Letter
8432
8433header __HAS_X_NO_RELAY exists:X-No-Relay
8434
8435header __HAS_X_OUTGOING_SPAM_STAT exists:X-OutGoing-Spam-Status
8436
8437header __HAS_X_SOURCE_DIR exists:X-Source-Dir
8438
8439header __HDRS_LCASE ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm
8440tflags __HDRS_LCASE multiple maxhits=3
8441
8442meta __HDRS_LCASE_KNOWN __MSGID_JAVAMAIL || __UA_MSOEMAC || __UA_MSOMAC || __MSGID_APPLEMAIL || __MSGID_HEX_UID || __MSGID_HEXISH
8443
8444header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism
8445
cabe596e
SI
8446header __HDR_CASE_REVERSED ALL =~ /^(?!DomainKey)[^-:\s]*[a-z][A-Z]/m
8447tflags __HDR_CASE_REVERSED multiple maxhits=4
8448
b780ea8d
SI
8449header __HDR_ORDER_FTSDMCXXXX ALL =~ /\nFrom: .{1,80}?\nTo: .{1,80}?\nSubject: .{1,200}?\nDate: .{1,40}?\nMIME-Version: .{1,40}?\nContent-Type: .{1,120}?\nX-Priority: .{1,40}?\nX-MSMail-Priority: .{1,40}?\nX-Mailer: .{1,80}?\nX-MimeOLE:/s
8450
8451header __HDR_RCVD_ALIBABA X-Spam-Relays-External =~ /\srdns=\S+\.alibaba\.com\s/
8452
8453header __HDR_RCVD_AMAZON X-Spam-Relays-External =~ /\srdns=\S+\.amazon(?:ses)?\.com\s/
8454
46cfc9e2
SI
8455header __HDR_RCVD_AMAZON_HELO X-Spam-Relays-External =~ /\srdns=\shelo=[^.]+\.smtp-out\.amazonses\.com\s/
8456
8457header __HDR_RCVD_APPLE X-Spam-Relays-External =~ /\srdns=\S+\.apple\.com\s/
8458
b780ea8d
SI
8459header __HDR_RCVD_EBAY X-Spam-Relays-External =~ /\srdns=\S+\.ebay\.com\s/
8460
8461header __HDR_RCVD_GOOGLE X-Spam-Relays-External =~ / rdns=mail-\S+\.google\.com\.?\s/
8462
8463header __HDR_RCVD_KEEPA X-Spam-Relays-External =~ /\srdns=\S+\.keepa\.com\s/
8464
46cfc9e2
SI
8465header __HDR_RCVD_LINKEDIN X-Spam-Relays-External =~ /\srdns=\S+\.linkedin\.com\s/
8466
b780ea8d
SI
8467header __HDR_RCVD_NEWEGG X-Spam-Relays-External =~ /\srdns=\S+\.newegg\.com\s/
8468
46cfc9e2
SI
8469header __HDR_RCVD_PAYPAL X-Spam-Relays-External =~ /\srdns=\S+\.paypal\.com\s/
8470
b780ea8d
SI
8471header __HDR_RCVD_SHOPIFY X-Spam-Relays-External =~ /\srdns=\S+\.shopify\.com\s/
8472
46cfc9e2
SI
8473header __HDR_RCVD_TAGSTAT X-Spam-Relays-External =~ /\srdns=\S+\.tagstat\.com\s/
8474
b780ea8d
SI
8475header __HDR_RCVD_TONLINEDE X-Spam-Relays-External =~ /\srdns=\S+\.t-online\.de\s/
8476
8477header __HDR_RCVD_WALMART X-Spam-Relays-External =~ /\srdns=\S+\.walmart\.com\s/
8478
8479ifplugin Mail::SpamAssassin::Plugin::AskDNS
8480tflags __HELO_DNS net
8481endif
8482
8483header __HELO_HIGHPROFILE X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:hotmail|gmail|google|yahoo|msn|microsoft|outlook|paypal|xxx)\.[\w]+\b/i
8484
b780ea8d
SI
# Fires when, in the first external relay entry (the prefix cannot cross a "]"),
# a non-empty rdns value is present and the helo value does not start with that
# rdns value; the inline (?i) makes the comparison case-insensitive.
# NOTE(review): the lookahead compares only a prefix - nothing checks that the
# helo token ends where the rdns string ends - so a helo that begins with the
# rdns name and continues with more characters is treated as equal and does
# not fire. Relays with no rdns at all never match, because (\S+) must capture
# something. Confirm whether an end-of-token check after \1 was intended.
8485header __HELO_NOT_RDNS X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!(?i)\1)\S/
8486
8487header __HELO_NO_DOMAIN X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ /
8488
8489body __HEXHASHWORD_S2EU /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}(?!-?\d{1,5}-)(?!\d{10}\s)(?:(?!--)[-0-9a-f]){10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/
8490tflags __HEXHASHWORD_S2EU multiple maxhits=4
8491
8492body __HK_LOTTO_2 /\blot(?:eri[ej]|t(?:ery|o)) ?(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department)/i
8493
8494body __HK_LOTTO_BALLOT /\b(?:promotional|on.?line|computer|internet|e-?mail|fran.aise) (?:ballot|draw|sweepstake)/i
8495
8496body __HK_LOTTO_STAATS /\bstaatsloteri/i
8497
8498ifplugin Mail::SpamAssassin::Plugin::FreeMail
8499if (version >= 3.004000)
8500 header __HK_NAME_FROM From:name =~ /^FROM\b/mi
8501endif
8502endif
8503
8504ifplugin Mail::SpamAssassin::Plugin::FreeMail
8505if (version >= 3.004000)
8506 header __HK_NAME_MR_MRS From:name =~ /^M(?:RS?|ISS)\b/mi
8507endif
8508endif
8509
8510body __HK_SCAM_N15 /\b(?:account (?:overseas?|offshore)|(?:overseas?|offshore) account)\b/i
8511
8512body __HK_SCAM_N16 /\b(?:arrangement secret|secret arrangement)\b/i
8513
8514body __HK_SCAM_N2 /\bnext of kin\b/i
8515
8516body __HK_SCAM_N3 /\bdirect telephone numbers?\b/i
8517
8518body __HK_SCAM_N8 /\byour compensation\b/i
8519
8520body __HK_SCAM_S1 /pay you the sum of/i
8521
8522body __HK_SCAM_S15 /(?:discovered a dormant account|can you be my partner)/i
8523
8524body __HK_SCAM_S25 /\bbank (?:in|of) ghana/i
8525
8526ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8527mimeheader __HK_SPAMMY_CDFN Content-Disposition =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
8528endif
8529
8530ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8531mimeheader __HK_SPAMMY_CTFN Content-Type =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
8532endif
8533
46cfc9e2 8534meta __HOSTED_IMG_DIRECT_MX __DOS_DIRECT_TO_MX && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT)
b780ea8d 8535
46cfc9e2 8536meta __HOSTED_IMG_DQ_UNSUB __URI_DQ_UNSUB && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT)
b780ea8d 8537
46cfc9e2 8538meta __HOSTED_IMG_FREEM ( FREEMAIL_REPLYTO || FREEMAIL_FROM ) && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_WP_REDIR || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT)
b780ea8d 8539
46cfc9e2 8540meta __HOSTED_IMG_MULTI ( __URI_IMG_EBAY + __URI_IMG_AMAZON + __URI_IMG_ALICDN + __URI_IMG_WALMART + __URI_IMG_NEWEGG + __URI_IMG_SHOPIFY + __URI_IMG_YTIMG + __URI_IMG_JOOMCDN + __URI_IMG_WISH + __URI_IMG_WP_REDIR + __URI_IMG_STATICBG + __URI_IMG_CHANNYPIC + __URI_IMG_TOPHATTER + __URI_IMG_GBTCDN + __URI_IMG_LINKEDIN + __URI_IMG_TUMBLR + __URI_IMG_TAGSTAT) > 1
b780ea8d
SI
8541
8542if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8543 body __HOURS_DEADLINE /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three|a few)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i
8544endif
8545
8546ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8547 body __HOURS_DEADLINE /(?:^|\s)(?:(?:<G><I><V><E>\s<Y><O><U>|<G><E><B><E>\s<I><H><N><E><N>(?:\s<N><U><R>)?|<Y><O><U>\s(?:<W><I><L><L>\s)?<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?|<W><I><T><H><I><N>)(?:(\s<T><H><E>)?\s(?:<L><A><S><T>|<N><E><X><T>))?\s(?:\d+|<O><N><E>|<T><W><O>|<T><H><R><E><E>|<A> <F><E><W>)\s?(?:<H><O><U><R><S>?|<H><R>\s?<S>?|<D><A><Y><S>?|<S><T><U><N><D><E><N>)|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\s<H><O><U><R><S>?\s<B><E><F><O><R><E>\s(?:<S><E><N><D><I><N><G>|<R><E><L><E><A><S><I><N><G>|<E><X><P><O><S><I><N><G>|<P><U><B><L><I><S><H><I><N><G>)|(?:<T><H><E>|<Y><O><U><R>)\s<D><E><A><D><L><I><N><E>\s(?:<I><S>|<W><I><L><L>\s<B><E>))/i
8548endif
8549
8550rawbody __HS_QUOTE /^> /
8551
8552header __HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/
8553
8554if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8555 meta __HTML_ATTACH_01 0
8556endif
8557
8558ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8559 mimeheader __HTML_ATTACH_01 Content-Type =~ m,\btext/html\b.+\.html?\b,i
8560endif
8561
8562if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8563 meta __HTML_ATTACH_02 0
8564endif
8565
8566ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8567 mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.html?\b,i
8568endif
8569
8570rawbody __HTML_ENTITY_ASCII /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){10}/i
8571
8572meta __HTML_ENTITY_ASCII_MINFP __HTML_ENTITY_ASCII && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML
8573
8574if !plugin(Mail::SpamAssassin::Plugin::DKIM)
8575 meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN
8576endif
8577
8578ifplugin Mail::SpamAssassin::Plugin::DKIM
8579 meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN && !DKIM_VALID
8580endif
8581
8582rawbody __HTML_FONT_TINY_01 /font-size:\s{0,5}[0-4]px;/i
8583
8584rawbody __HTML_OFF_PAGE /;(?:top|left):-\d{3,9}px;/i
8585
8586if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8587 rawbody __HTML_SHRT_CMNT_OBFU /\w<!--\s*\w+\s*-->\w/
8588 tflags __HTML_SHRT_CMNT_OBFU multiple maxhits=10
8589endif
8590
8591if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8592 meta __HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU > 5 && HTML_MESSAGE
8593endif
8594
8595rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i
8596tflags __HTML_SINGLET multiple maxhits=21
8597
8598meta __HTML_SINGLET_10 __HTML_SINGLET > 10
8599
8600meta __HTML_SINGLET_MANY __HTML_SINGLET > 20
8601
8602ifplugin Mail::SpamAssassin::Plugin::HTMLEval
8603 body __HTML_TAG_BALANCE_CENTER eval:html_tag_balance('center', '!= 0')
8604endif
8605
8606body __HUSH_HUSH /\b(?:confiden[tc]i[ae]l(?:\b|ity\b|it(?:=E9|[\xe9]|[\xc3][\xa9]))|private\b|secr[e\xe8](?:te?|cy)\b|sensitive\b|concealed\b|obscured?\b|discre(?:et|tion)\b|very\sdiscrete|top\ssecret|vertraulich(?:en)?\b|geheim\b|priv(?:e|=E9|[\xe9]|[\xc3][\xa9]))/i
8607
# __IMGUR_IMG: a URI that is, in full, a direct imgur.com image link: optional
# sub-domain, a 7-character alphanumeric id and a png/gif/jpg/jpeg extension.
# Counted up to 4 times per message.
8608uri __IMGUR_IMG m,^https?://(?:[^.]+\.)?imgur\.com/[a-z0-9]{7}\.(?:png|gif|jpe?g)$,i
8609tflags __IMGUR_IMG multiple maxhits=4
8610
# Exactly two such links (equality, not "at least").
8611meta __IMGUR_IMG_2 __IMGUR_IMG == 2
8612
# Exactly three such links.
8613meta __IMGUR_IMG_3 __IMGUR_IMG == 3
8614
8615if !plugin(Mail::SpamAssassin::Plugin::ImageInfo)
8616 meta __IMG_LE_300K 0
8617endif
8618
8619ifplugin Mail::SpamAssassin::Plugin::ImageInfo
8620 body __IMG_LE_300K eval:pixel_coverage('all',62500,300000)
8621endif
8622
8623body __INHERIT_PMT /\binheritance\spayment\s/i
8624
cabe596e
SI
8625meta __INR_AND_NO_REF (__XM_IMAIL || __XM_APPLEMAIL || __XM_COMMUNIG || __XM_EDMAX || __XM_ELM || __XM_EMUMAIL || __XM_EXMH || __XM_LOTUSN || __XM_MAILCITY || __XM_MAILSMITH || __XM_MSCDO || __XM_MSOUT || __XM_MIMETOOLS || __XM_OPERA6 || __XM_PEGASUS || __XM_QUALCOM || __UA_IMP || __UA_MSOEMAC || __UA_MSENTOUR || __UA_OPERA7)
8626
b780ea8d
SI
8627body __INTL_BANK /\b(?:international\s(?:\w+\s)?bank|banque\sinternationale)\b/i
8628
8629body __INVEST_COUNTRY /\binvest\sin\syour?\scountry\b/i
8630
8631body __INVEST_MONEY /\binvest(?:ir)?\s(?:this|ces|d[ae]s|sur ce|de ces)\s(?:money|f[ou]nds?)\b/i
8632
# __IP_IN_RELAY: the first entry of X-Spam-Relays-External has an rdns= or
# helo= value that embeds the four octets of its own ip= address, in forward or
# reversed order, each separated by exactly one non-digit character.
# Only dotted IPv4 addresses are captured by the pattern.
# NOTE(review): looks like a heuristic for auto-generated host names - confirm.
8633header __IP_IN_RELAY X-Spam-Relays-External =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) (?:[^\]]* )?(?:rdns|helo)=\S*(?:\1\D\2\D\3\D\4|\4\D\3\D\2\D\1)/
8634
# __ISO_ATTACH / __ISO_ATTACH_MT: ISO disk-image attachments, recognised by file
# name (Content-Disposition) and by declared MIME type (Content-Type).
# Both are pinned to 0 when the MIMEHeader plugin is not loaded.
# NOTE(review): in __ISO_ATTACH the "$" inside [";$] is a literal dollar sign,
# not an end-of-value anchor, so ".iso" must be followed by a quote, ";" or "$".
# If the end of the header value was meant as well, (?:[";]|$) expresses that -
# confirm upstream; local changes belong in local.cf, not in this file.
8635if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8636 meta __ISO_ATTACH 0
8637endif
8638
8639ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8640 mimeheader __ISO_ATTACH Content-Disposition =~ m,\bfilename="?[^"]+\.iso[";$],i
8641endif
8642
8643if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8644 meta __ISO_ATTACH_MT 0
8645endif
8646
8647ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8648 mimeheader __ISO_ATTACH_MT Content-Type =~ m,\bapplication/x-iso9660-image\b,i
8649endif
8650
8651body __IS_LEGAL /\b(?:(?:(this|esta)\s(?:deal|offer|transac[tc]i(?:o|[\xc3][\xb3])n|proposal|exchange|arrangement|work)|it)?\s[ie]s\s(?:(?:guaranteed|completely|absolutely|perfectly|100%|very|fully)\s)?(?:legal|hitch-free|seguro|legitimate)|legitimate\sarrangement|toute?\sl(?:e|=E9|[\xe9]|[\xc3][\xa9])gale)\b/i
8652
8653body __IVORY_COAST /\b(?:Cote\s?D.Ivoire|Ivory\s?Coast|Costa\sde\sMarfil)\b/i
8654
8655body __I_INHERIT /\b(?:I|eu)\s[a-z\s]{0,30}(?:inherited|herdei)\b/i
8656
8657body __I_WILL_YOU /\bwill(?:ed)?\s(?:[a-z\s]{0,20}(?:fortune|money|\$[\d,]+[a-z]{0,9})\s)?to\syou\b/i
8658
8659header __JM_REACTOR_DATE Date =~ / \+0000$/
8660
# __JPEG_ATTACH: a MIME part declared as image/jpeg or image/jpg.
# No "meta ... 0" fallback for a missing MIMEHeader plugin appears next to it.
8661ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8662 mimeheader __JPEG_ATTACH Content-Type =~ /image\/jpe?g/i
8663endif
8664
# __KAM_BLOCK_UTF7_2: a MIME part whose Content-Type declares charset utf-7,
# optionally in the "unicode-N-N-utf-7" spelling.
# NOTE(review): UTF-7 can carry ASCII markup in a form that plain-text matching
# does not see, which is presumably why it is tracked - confirm.
8665ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8666mimeheader __KAM_BLOCK_UTF7_2 Content-Type =~ /charset=(?:unicode-\d+-\d+-)?utf-7/i
8667endif
8668
# __KAM_BODY_LENGTH_LT_{1024,128,256,512}: body-size sub-rules evaluated by
# check_body_length() with the threshold passed as a string. Per the describe
# text each one means "body shorter than N bytes".
# Each stanza is two nested conditions (BodyEval loaded AND the plugin offers
# has_check_body_length); the two endif lines close them in turn.
8669ifplugin Mail::SpamAssassin::Plugin::BodyEval
8670 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8671 body __KAM_BODY_LENGTH_LT_1024 eval:check_body_length('1024')
8672 describe __KAM_BODY_LENGTH_LT_1024 The length of the body of the email is less than 1024 bytes.
8673endif
8674endif
8675
8676ifplugin Mail::SpamAssassin::Plugin::BodyEval
8677 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8678 body __KAM_BODY_LENGTH_LT_128 eval:check_body_length('128')
8679 describe __KAM_BODY_LENGTH_LT_128 The length of the body of the email is less than 128 bytes.
8680endif
8681endif
8682
8683ifplugin Mail::SpamAssassin::Plugin::BodyEval
8684 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8685 body __KAM_BODY_LENGTH_LT_256 eval:check_body_length('256')
8686 describe __KAM_BODY_LENGTH_LT_256 The length of the body of the email is less than 256 bytes.
8687endif
8688endif
8689
8690ifplugin Mail::SpamAssassin::Plugin::BodyEval
8691 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8692 body __KAM_BODY_LENGTH_LT_512 eval:check_body_length('512')
8693 describe __KAM_BODY_LENGTH_LT_512 The length of the body of the email is less than 512 bytes.
8694endif
8695endif
8696
8697if !plugin(Mail::SpamAssassin::Plugin::HTMLEval)
8698meta __KAM_HTML_FONT_INVALID 0
8699endif
8700
8701ifplugin Mail::SpamAssassin::Plugin::HTMLEval
8702body __KAM_HTML_FONT_INVALID eval:html_test('font_invalid_color')
8703endif
8704
8705body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is
8706
8707header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t/
8708
8709header __KB_MSGID_OUTLOOK_888 Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/
8710
8711meta __KHOP_NO_FULL_NAME !(__NOT_A_PERSON || __FROM_ENCODED_QP || __FROM_NEEDS_MIME || __FROM_FULL_NAME)
8712
8713if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
8714 meta __LARGE_PERCENT_AFTER 0
8715endif
8716
8717if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8718 body __LARGE_PERCENT_AFTER /\d{3}% after/i
8719 tflags __LARGE_PERCENT_AFTER multiple maxhits=4
8720endif
8721
8722if !plugin(Mail::SpamAssassin::Plugin::HeaderEval)
8723 meta __LCL__ENV_AND_HDR_FROM_MATCH 0
8724endif
8725
8726ifplugin Mail::SpamAssassin::Plugin::HeaderEval
8727 meta __LCL__ENV_AND_HDR_FROM_MATCH __ENV_AND_HDR_FROM_MATCH
8728endif
8729
8730if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
8731 meta __LCL__KAM_BODY_LENGTH_LT_1024 0
8732endif
8733
8734ifplugin Mail::SpamAssassin::Plugin::BodyEval
8735if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length))
8736 meta __LCL__KAM_BODY_LENGTH_LT_1024 0
8737endif
8738endif
8739
8740ifplugin Mail::SpamAssassin::Plugin::BodyEval
8741 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8742 meta __LCL__KAM_BODY_LENGTH_LT_1024 __KAM_BODY_LENGTH_LT_1024
8743endif
8744endif
8745
8746if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
8747 meta __LCL__KAM_BODY_LENGTH_LT_128 0
8748endif
8749
8750ifplugin Mail::SpamAssassin::Plugin::BodyEval
8751if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length))
8752 meta __LCL__KAM_BODY_LENGTH_LT_128 0
8753endif
8754endif
8755
8756ifplugin Mail::SpamAssassin::Plugin::BodyEval
8757 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8758 meta __LCL__KAM_BODY_LENGTH_LT_128 __KAM_BODY_LENGTH_LT_128
8759endif
8760endif
8761
8762if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
8763 meta __LCL__KAM_BODY_LENGTH_LT_512 0
8764endif
8765
8766ifplugin Mail::SpamAssassin::Plugin::BodyEval
8767if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length))
8768 meta __LCL__KAM_BODY_LENGTH_LT_512 0
8769endif
8770endif
8771
8772ifplugin Mail::SpamAssassin::Plugin::BodyEval
8773 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8774 meta __LCL__KAM_BODY_LENGTH_LT_512 __KAM_BODY_LENGTH_LT_512
8775endif
8776endif
8777
46cfc9e2
SI
8778meta __LINKED_IMG_NOT_RCVD_LINK __URI_IMG_LINKEDIN && !__HDR_RCVD_LINKEDIN
8779
b780ea8d
SI
8780meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID
8781
8782meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1
8783
8784meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR
8785
# __LITECOIN_ID: a 27-34 character word starting with L, M or 3 and otherwise
# drawn from a Base58-style alphabet (no 0, O, I or l), not preceded by "=".
# Case-sensitive on purpose: there is no /i flag.
8786body __LITECOIN_ID /\b(?<!=)[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b/
8787
# __LOCAL_PP_NONPPURL: an http(s) URI whose first host label is NOT directly
# followed by "paypal.com".
# NOTE(review): the lookahead is a prefix test on the text after the first dot,
# not a registered-domain test. As written, the bare host "paypal.com" hits
# (the text after its first dot is "com"), while any host whose second and
# third labels are "paypal.com" does not, whatever follows. Treat a miss as
# "not tested", never as "verified PayPal link" - confirm how dependants use it.
8788uri __LOCAL_PP_NONPPURL m'https?://(?:[A-Za-z0-9-_]+)\.(?!paypal\.com)(?:[A-Za-z0-9-_\.]+)'i
8789
8790body __LOCK_MAILBOX /\b(?:(?:deactivate|lock(?: up)?|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server)|you will be deactivated|(?:account|e?-?mail(?: ?box)?) (?:will (?:be )?)?(?:shut ?down|expire|deactivate)|we have (?:stopped|suspended) (?:processing|accepting) (?:any )?(?:incoming|new|fresh) email)/i
8791tflags __LOCK_MAILBOX multiple maxhits=2
8792
# __LONGLINE: any line of the full message with at least 998 characters that
# are neither CR nor LF.
# NOTE(review): 998 presumably mirrors the RFC 5322 line-length limit - confirm.
8793full __LONGLINE /^[^\r\n]{998}/m
8794
# __LONG_INVIS_DIV: a <div> whose style attribute is exactly
# "visibility:hidden" or "display:none", followed directly by 1400 characters
# containing no "<" and no whitespace. The (?<!-) keeps hyphenated property
# names that merely end in "visibility" from matching.
8795rawbody __LONG_INVIS_DIV /<div\s+style\s*=\s*"(?:(?<!-)visibility\s*:\s*hidden|display\s*:\s*none)\s*">[^<\s]{1400}/i
8796
# __LONG_STY_INVIS: __STY_INVIS (defined elsewhere) together with an over-long line.
8797if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8798 meta __LONG_STY_INVIS __STY_INVIS && __LONGLINE
8799endif
8800
8801if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8802 meta __LOTSA_MONEY_00 0
8803endif
8804
8805ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8806 body __LOTSA_MONEY_00 /<CURRENCY>[\s\.]?<NUM_NOT_DATE>[\dOo][,\.][\dOo]{3}(?:(?!\d)|\b)/
8807endif
8808
8809if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8810 meta __LOTSA_MONEY_01 0
8811endif
8812
8813ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8814 body __LOTSA_MONEY_01 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)[\s\.]?<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo](?<!\.00)\b/
8815endif
8816
8817if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8818 meta __LOTSA_MONEY_02 0
8819endif
8820
8821ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8822 body __LOTSA_MONEY_02 /(?<![-\d])<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo][\)\]\(]?\s?(?:<CURRENCY>|Pounds|(?i:dollars?|bucks))\b/
8823endif
8824
8825if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8826 meta __LOTSA_MONEY_03 0
8827endif
8828
8829ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8830 body __LOTSA_MONEY_03 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)<NUM_NOT_DATE>[\d.,\sOo]{0,5}[\)\]]?\s?(?i:M(?i:il+)?\b|mil+(?i:io|<O>)n|hund?[re]+a?[dt]|thousand|tausend|milh[\xf5]es)/
8831endif
8832
8833if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8834 meta __LOTSA_MONEY_04 0
8835endif
8836
8837ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8838 body __LOTSA_MONEY_04 /(?:(?<![-\d])<NUM_NOT_DATE>[\d\.,]{0,4}(?:M|\smilli?one?s|\s?mln)|million(?!s)|mill<O>n|hund?rea?d(?!s)[^\.]{1,25}thousand(?!s)|cents?[^\.]{1,25}mille|hundert[^\.]{1,30}tausend|ientos?[^\.]{1,20}mil|cent[a-z\s]{1,20}mil\s[a-z]{1,20}centos)[^\.\$]{0,50}?(?:(?:U\.?\s?S\.?\s?(?:A\.?\s?)?|united\s?states\s|E\.\s?U\.\s|canad(?:ian|a)\s|(?:ia\s)?de\s)?d(?:[o\xf3]|[\xc3][\xb3])l+are?s?|\bbucks|USD|GBP|<GB_UK>\spounds?|(?:<GB_UK>\s)?pounds?\ssterling|pounds(?!\sof)|(?:d'\s?)?euros?|francs?)\b/i
8839endif
8840
8841if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8842 meta __LOTSA_MONEY_05 0
8843endif
8844
8845ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8846 body __LOTSA_MONEY_05 /(?:(?:sum|value|amount)\sof\s)<NUM_NOT_DATE_IP>[\d.,\sO]{7,20}[\dO\.][\)\]\(\s]{0,3}(?:pounds?|dollars?|euros?|bucks)\b/i
8847endif
8848
8849meta __LOTTO_ADMITS __LOTTO_ADMITS_1 || __LOTTO_ADMITS_2 || __LOTTO_ADMITS_3 || __LOTTO_ATTACH_1 || __LOTTO_ATTACH_2
8850
8851body __LOTTO_ADMITS_1 /\b(?:on-?line|e-?mail|ballot|(?:inter)?national|state|(?:UK|euro)[- ]?(?:mil+ions?|PW)|Canada|Microsoft|MSN|internet|mega|jackpot+|Royal Heritage|foundation|cash\sgrant|mercato|univers|staatsloterij|bill\s?gates|Olympics?|swiss|this|est[ea]|internationaux de gagnants de)(?:\s(?!lot|swe|prom)\w{1,20}){0,3}\s?(?:lot(?:to|t+ery|eri[ea])|sweepstakes?|promo(?:tion|cao|cion)?|jackpot+)\b/i
8852
8853body __LOTTO_ADMITS_2 /\b(?:free)?(?:lot(?:to|tery|erie)|sweepstakes)\s(?:(?:inter)?na[tz]ional|department|bureau|group|award|microsoft)/i
8854
8855uri __LOTTO_ADMITS_3 /lott+ery/i
8856
8857meta __LOTTO_AGENT __LOTTO_AGENT_01 || __LOTTO_AGENT_02
8858
8859body __LOTTO_AGENT_01 /\b(?:(?:(?:the|y?our)(?:\s\w{1,20})?|contact|accredited|listed)\sclaim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:prize|international|intl|foreign|win+ing)(?:[\s,.]+(?:rem+it+ance|settlement|payment|payout|award|transfer))+|payment|payout|immunity|(?<!memory\s)grants?(?!\smanager))\s?(?:agent|manager|officer|secretary|director|mgr\b)/i
8860
8861body __LOTTO_AGENT_02 /\blot+ery[^\.]{1,40} ticket agent/i
8862
8863header __LOTTO_AGENT_RPLY Reply-To =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize\stransfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i
8864
# __LOTTO_ATTACH_1 / __LOTTO_ATTACH_2: "lotto" or "lottery" anywhere in a MIME
# part's Content-Type or Content-Disposition header. The match is not limited
# to the name=/filename= parameter.
# Both are pinned to 0 when the MIMEHeader plugin is not loaded.
8865if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8866 meta __LOTTO_ATTACH_1 0
8867endif
8868
8869ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8870 mimeheader __LOTTO_ATTACH_1 Content-Type =~ /lott(?:o|ery)/i
8871endif
8872
8873if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8874 meta __LOTTO_ATTACH_2 0
8875endif
8876
8877ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8878 mimeheader __LOTTO_ATTACH_2 Content-Disposition =~ /lott(?:o|ery)/i
8879endif
8880
8881body __LOTTO_DEPT /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)(?:\s(?:rem+it+ance|settlement|payment|award))+|payment|award|compensation|lot+ery)(?:\s\w+)?\s?(?:department|dept|unit|group|committee|bureau)/i
8882
8883body __LOTTO_RELATED /\b(?:lot+(?:o|ery)|sweepstakes)\s(?:prize|draw(?:s|ing)?|(?:ge)?win(?:n?er|n?ing)?|jackpot+|award|fund|com+it+e+|com+is+ion|guild|promotion|promocao|program|day|online|company|(?:in)?corporat|agent|co[-,]?ordinator|team)/i
8884
8885body __LOTTO_VERIFY /\bpromo\sverification/i
8886
8887body __LOTTO_WINNINGS /\b(?:claim|process(?:ing)?|transfert?(?:\s\w+)?|redeem|payment|virement|zahlung|reivindicar|demandar|remise)\s(?:(?:[a-z]{1,5}\s)?(?:your|of|the|this|de|ihrer|seu|tu)\s)+(?:win+ings?|money|(?:cash\s)?prize|award|f[ou]nds?|grant|gewinne|premio|gain)\b/i
8888
8889body __LOTTO_WIN_01 /\bwin+ing\s(?:prize|number|notification|draw|check|cheque|details|information|payment)/i
8890
8891if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8892 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8893 body __LOWER_E /e/
8894 tflags __LOWER_E multiple maxhits=230
8895endif
8896endif
8897
8898body __LUCKY_WINNER /\b(?:lucky|gl.cklich(?:en)?|afortunados)\s(?:(?:ge)?win+ers?|ganador(?:es)?|individuals?)\b/i
8899
8900body __LUCRATIVE /\b(?:lucrative|profitable|tr[\xe8]s\ssalutaire)\b/i
8901
46cfc9e2
SI
8902header __LUNSUB_BEFORE_SUBJDT ALL =~ /^List-unsubscribe: (?:[^\n]+\n){1,40}^(?:Subject|Date): /ism
8903
b780ea8d
SI
# __L_BODY_8BITS: at least one byte in the range 0x80-0xff in the raw body.
8904rawbody __L_BODY_8BITS /[\x80-\xff]/
8905
# __L_CTE_7BIT: Content-Transfer-Encoding is exactly "7bit" (case-sensitive,
# no surrounding text allowed).
8906header __L_CTE_7BIT Content-Transfer-Encoding =~ /^7bit$/
8907
8908body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|quota is running low|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i
8909
8910body __MAILBOX_FULL_SE /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i
8911
8912header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/
8913
8914body __MAIL_ACCT_ACCESS1 /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i
8915
8916body __MAIL_ACCT_ACCESS2 /\blo+se ac+es+ to your (?:web|e-?)?mail ?(?:account|log-?in|box|address)\b/i
8917
# __MAIL_LINK: a URI whose query string carries something shaped like an
# e-mail address within 200 characters of the "?". Flagged "nice".
# NOTE(review): the "." between the domain label and the 2-3 character suffix
# is unescaped and therefore matches any character; "\." was presumably
# intended - confirm upstream.
8918uri __MAIL_LINK /\?.{0,200}\w\@[\w-]{1,20}.\w\w\w?\b/i
8919tflags __MAIL_LINK nice
8920
8921body __MAKE_XTRA_DOLLAR /\bmake an extra dollar\b/i
8922
8923header __MALF_MIME_VER MIME-Version =~ /^1\.0\S/
8924
# Combinations of the __MY_MALWARE body match with __RDNS_NONE (judging by the
# name, a relay without reverse DNS) and with __PASSWORD (defined elsewhere).
8925meta __MALWARE_NORDNS __MY_MALWARE && __RDNS_NONE
8926
8927meta __MALWARE_PASSWORD __MY_MALWARE && __PASSWORD
8928
# __MALW_ATTACH: true when any of the four attachment-name sub-rules hits.
# NOTE(review): unlike its four operands, no "meta __MALW_ATTACH 0" fallback
# for a missing MIMEHeader plugin is visible in this part of the file - confirm
# that rules depending on it cope with it being undefined.
8929ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8930 meta __MALW_ATTACH __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02 || __MALW_ATTACH_02_01 || __MALW_ATTACH_02_02
8931endif
8932
# __MALW_ATTACH_01_01 / _01_02: an attachment named *.SettingContent-ms, seen
# in Content-Disposition (filename) or Content-Type (name).
# The Content-Disposition variant also accepts the extended parameter forms
# filename*= and filename*N*=, with an optional UTF-8'' prefix; the
# Content-Type variant only handles the plain name= form.
# Both are pinned to 0 when the MIMEHeader plugin is not loaded.
8933if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8934 meta __MALW_ATTACH_01_01 0
8935endif
8936
8937ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8938 mimeheader __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]+|\*(?:\d+\*)?=(?:UTF-8'')?\S+)\.SettingContent-ms\b/i
8939endif
8940
8941if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8942 meta __MALW_ATTACH_01_02 0
8943endif
8944
8945ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8946 mimeheader __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i
8947endif
8948
# __MALW_ATTACH_02_01 / _02_02: an archive or disk-image attachment (ace, zip,
# rar, r17, z, 7z, gz, iso) whose name, just before that extension, ends in
# "invoice", "statement", "payment" / "payment advice", or in a second,
# document-like extension (pdf, img, png, gif, jpg, jpeg) introduced by ".",
# ",", "_" or a UTF-8 middle dot.
# _02_01 reads Content-Disposition and also handles the filename*= forms and a
# percent-encoded middle dot (%C2%B7); _02_02 reads Content-Type name= only.
# Both are pinned to 0 when the MIMEHeader plugin is not loaded.
# NOTE(review): the "$" inside the closing [";$] is a literal dollar sign, not
# an end-of-value anchor, so the extension must be followed by a quote, ";" or
# "$". If the end of the header value was meant as well, (?:[";]|$) expresses
# that - confirm upstream; local changes belong in local.cf, not in this file.
8949if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8950 meta __MALW_ATTACH_02_01 0
8951endif
8952
8953ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
cabe596e 8954 mimeheader __MALW_ATTACH_02_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:invoice|statement|payment(?: advice)?|(?:[.,_]|%C2%B7|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i
b780ea8d
SI
8955endif
8956
8957if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8958 meta __MALW_ATTACH_02_02 0
8959endif
8960
8961ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
cabe596e 8962 mimeheader __MALW_ATTACH_02_02 Content-Type =~ /\bname="?[^"]*(?:invoice|statement|payment(?: advice)?|(?:[.,_]|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i
b780ea8d
SI
8963endif
8964
8965meta __MANY_HDRS_LCASE __HDRS_LCASE > 1
8966
8967meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4)
8968
8969header __MAY_BE_FORGED Received =~ /\(may be forged\)/
8970
8971header __MID_START_001C Message-ID =~ /^<000001c/
8972
8973body __MILLIONS /\bmillions\sof\s(?:dollar|euro|pound)/i
8974
# __MIMEOLE_1106: X-MimeOLE naming MimeOLE V6.00.2800.1106.
# NOTE(review): the dots in the version are unescaped, so each matches any
# character; the __MOLE_2962 rule in this file escapes them. Harmless for the
# intended string, but "\." would make the match exact - confirm upstream.
8975header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/
8976
# X-MimeOLE present on a message that __DOS_DIRECT_TO_MX (defined elsewhere) also flags.
8977meta __MIMEOLE_DIRECT_TO_MX __HAS_MIMEOLE && __DOS_DIRECT_TO_MX
8978
# MIME boundary that starts with 12 hyphens followed by twelve "0" + digit 1-9 pairs.
8979header __MIME_BDRY_0D0D Content-Type =~ /boundary="-{12}(?:0[1-9]){12}/
8980
# __MIME_CTYPE_IN_BODY: a body line that begins with "Content-Type:" followed
# by whitespace (case-sensitive). Pinned to 0 on engines older than 3.004000.
8981if !((version >= 3.004000))
8982 meta __MIME_CTYPE_IN_BODY 0
8983endif
8984
8985if (version >= 3.004000)
8986 body __MIME_CTYPE_IN_BODY /^Content-Type:\s/
8987endif
8988
# __MIME_MALF: a multipart message (__CTYPE_MULTIPART_ANY, defined elsewhere)
# that also shows a Content-Type line in its body text.
# NOTE(review): presumably a sign that part headers were not parsed as MIME
# structure - confirm.
8989if !((version >= 3.004000))
8990 meta __MIME_MALF 0
8991endif
8992
8993if (version >= 3.004000)
8994 meta __MIME_MALF __CTYPE_MULTIPART_ANY && __MIME_CTYPE_IN_BODY
8995endif
8996
8997if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8998 meta __MIME_NO_TEXT 0
8999endif
9000
9001ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9002 meta __MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH)
9003endif
9004
9005ifplugin Mail::SpamAssassin::Plugin::MIMEEval
9006 rawbody __MIME_QPC eval:check_for_mime('mime_qp_count')
9007endif
9008
# __MISSING_REF / __MISSING_REPLY: true when the References / In-Reply-To
# header is absent. [if-unset: UNSET] supplies the placeholder value "UNSET"
# for a missing header, and the pattern matches only that placeholder.
9009header __MISSING_REF References =~ /^UNSET$/ [if-unset: UNSET]
9010
9011header __MISSING_REPLY In-Reply-To =~ /^UNSET$/ [if-unset: UNSET]
9012
# __MIXED_*_CASE: HTML tag (or attribute) names written in mixed case.
# The negative lookahead rejects the all-upper and all-lower spellings, and the
# per-letter classes accept either case, so only mixed spellings are left.
# These rules are case-sensitive on purpose: there is no /i flag.
9013rawbody __MIXED_AREA_CASE /<(?!AREA|area)[Aa][Rr][Ee][Aa]\s/
9014
9015rawbody __MIXED_CENTER_CASE /<(?!CENTER|center)[Cc][Ee][Nn][Tt][Ee][Rr]>/
9016
9017rawbody __MIXED_FONT_CASE /<(?!FONT|font)[Ff][Oo][Nn][Tt]\s/
9018
# Mixed-case href attribute on an <a> or <area> tag, as the first attribute.
9019rawbody __MIXED_HREF_CASE_JH /<[Aa](?i:rea)?\s+(?!HREF|href)[Hh][Rr][Ee][Ff]=/
9020
9021rawbody __MIXED_IMG_CASE_JH /<(?!IMG|img)[Ii][Mm][Gg]\s/
9022
9023header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/
9024
# __MONERO: any Monero indicator - an address-shaped token, the literal
# currency name, or the URI / fuzzy-spelling sub-rules defined elsewhere.
9025meta __MONERO (__MONERO_ID || __MONERO_CURNCY || __URI_MONERO || __FUZZY_MONERO)
9026
# The exact, case-sensitive text "Monero (XMR)".
9027body __MONERO_CURNCY /Monero \(XMR\)/
9028
# A 95-106 character word: "4", then a digit or A/B, then 93-104 characters
# from a Base58-style alphabet (no 0, O, I or l).
# NOTE(review): presumably the Monero address format - confirm the length range.
9029body __MONERO_ID /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93,104}\b/
9030
9031meta __MONEY_ATM_CARD LOTS_OF_MONEY && __ATM_CARD
9032
9033meta __MONEY_FORM LOTS_OF_MONEY && __FILL_THIS_FORM
9034
9035meta __MONEY_FORM_SHORT LOTS_OF_MONEY && __FILL_THIS_FORM_SHORT
9036
9037meta __MONEY_FRAUD_3 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3)
9038
9039meta __MONEY_FRAUD_5 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)
9040
9041meta __MONEY_FRAUD_8 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 8)
9042
9043ifplugin Mail::SpamAssassin::Plugin::FreeMail
9044 meta __MONEY_FREEMAIL_REPTO LOTS_OF_MONEY && __freemail_hdr_replyto
9045endif
9046
9047meta __MONEY_FROM_41 __NSL_RCVD_FROM_41 && LOTS_OF_MONEY
9048
9049body __MOVE_MONEY /\b(?:(?:receive|re-?profile|transfer(?:ring|ir|t)?|release|repatriat(?:e|ion)|rapatrier|secure|r(?:e|=E9|[\xe9]|[\xc3][\xa9])clamation|possession|virer|dona(?:te|r)|depositante|dep[\xc3][\xb3]sito)\s(?:th(?:e(?:se)?|is)|d[ae]s|sur ce|de ce[st]|cet|est[eao]s?|del?)|re-?profiling|receive|re-?locat(?:e|ing)(?:\s\w{1,15})?)\s(?:of\s|your\s|the\s){0,2}(?:sums?\sof\s|inheritance\s)?(?:proceeds|funds?|money|balance|account|g[eo]ld|compte|fond[so]{1,2}|dinero|argent)\b/i
9050
9051meta __MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_MAYBE && __HAS_ANY_URI && __HTML_LINK_IMAGE
9052
# Message-ID shape classifiers. Each anchors at the start of the header value
# unless noted, and the leading "<" is optional where the pattern says "<?".

# Local part is a GUID: 8-4-4-4-12 hexadecimal digits (any case).
9053header __MSGID_GUID Message-ID =~ /^<?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\@/i
9054
# "OF<8 hex>.<8 hex>-ON<8 hex>.<8 hex>" with an optional third hex pair
# (upper-case hex only).
9055header __MSGID_HEXISH Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/
9056
# 8 hex digits, ".", 2-5 hex digits, "%", then a letter.
9057header __MSGID_HEX_UID Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/
9058
# ".JavaMail." anywhere in the id; flagged "nice".
9059header __MSGID_JAVAMAIL Message-ID =~ /\.JavaMail\./
9060tflags __MSGID_JAVAMAIL nice
9061
# "-word#host.tld@" anywhere in the id; flagged "nice" and used by
# __NOT_A_PERSON in this file.
9062header __MSGID_LIST Message-ID =~ /-\w+\#[\w.]+\.\w{2,4}\@/
9063tflags __MSGID_LIST nice
9064
b780ea8d
SI
9065header __MSGID_NOFQDN2 Message-ID =~ /<.*\@[A-Za-z0-9]+>/m
9066
9067meta __MSMAIL_PRI_ABNORMAL __HAS_MSMAIL_PRI && !__MSMAIL_PRI_NORMAL
9068
9069header __MSMAIL_PRI_HIGH X-MSMail-Priority =~ /^(?:high|urgent)$/i
9070
9071header __MSMAIL_PRI_NORMAL X-MSMail-Priority =~ /^normal$/i
9072
9073meta __MSM_PRIO_REPTO __HAS_MSMAIL_PRI && __HAS_REPLY_TO && __SUBJ_SHORT
9074
9075header __MSOE_MID_WRONG_CASE ALL =~ /\nMessage-Id: /
9076
46cfc9e2
SI
9077ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9078 mimeheader __MSO_THEME_MT Content-Type =~ m,\bapplication/vnd.ms-officetheme\b,i
9079endif
9080
b780ea8d
SI
9081header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/
9082
9083header __MUA_TBIRD User-Agent =~ /^Mozilla\/(.*) Thunderbird/
9084
9085body __MY_FORTUNE /\b(?:my|his|her)\s(?:fortune|heritage)\b/i
9086
9087if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9088 body __MY_MALWARE /\b(?:(?:I(?:'ve|\shave)?\s(?:put|set\s?up|installed|buil[td]\sin|placed)\s(?:a\s)?|my\s(?:personal\s|background\s|hidden\s)?)(?:mal+ware|virus|spy\s?ware|trojan|program\srecorded|expl[o0]it|backdoor|(?:sneaky\s|hidden\s|malicious\s)+(?:app|stuff))|(?:application|mal+ware)[^\.]{1,30}(?:enable[sd]|allow(?:s|ed))\sme\sto\s(?:access|control)|I\s(?:contaminated|infected|hacked|toxified|poisoned)\s(?:your|this)\s(?:machine|computer|gadget|(?:smart\s?)?phone|device|email)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|mein\shinterhältiges\sProgramm|I\s?am\s?a\s?hacker|(?:(?:trojan|virus|spyware|mal+ware)\s)+giv(?:es|ing)\sme)\b/i
9089endif
9090
9091ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9092 body __MY_MALWARE /(?:^|\s)(?:(?:<I>(?:'<V><E>|\s<H><A><V><E>)?\s(?:<P><U><T><|><S><E><T>\s?<U><P>|<I><N><S><T><A><L><L><E><D>|<B><U><I><L>(?:<T>|<D>)\s<I><N>|<P><L><A><C><E><D>)\s(?:<A>\s)?|<M><Y>\s(?:<P><E><R><S><O><N><A><L>\s|<B><A><C><K><G><R><O><U><N><D>\s|<H><I><D><D><E><N>\s)?)(?:<M><A><L>+<W><A><R><E>|<V><I><R><U><S>|<S><P><Y>\s?<W><A><R><E>|<T><R><O><J><A><N>|<P><R><O><G><R><A><M>\s<R><E><C><O><R><D><E><D>|<E><X><P><L>(?:<O>|0)<I><T>|<B><A><C><K><D><O><O><R>|(?:<S><N><E><A><K><Y>\s|<H><I><D><D><E><N>\s|<M><A><L><I><C><I><O><U><S>\s)+(?:<A><P><P>|<S><T><U><F><F>))|(?:<A><P><P><L><I><C><A><T><I><O><N>|<M><A><L>+<W><A><R><E>)[^\.]{1,30}(?:<E><N><A><B><L><E>(?:<D>|<S>)|<A><L><L><O><W>(?:<S>|<E><D>))\s<M><E>\s<T><O>\s(?:<A><C><C><E><S><S>|<C><O><N><T><R><O><L>)|<I>\s(?:<C><O><N><T><A><M><I><N><A><T><E><D>|<I><N><F><E><C><T><E><D>|<H><A><C><K><E><D>|<T><O><X><I><F><I><E><D>|<P><O><I><S><O><N><E><D>)\s(?:<Y><O><U><R>|<T><H><I><S>)\s(?:<M><A><C><H><I><N><E>|<C><O><M><P><U><T><E><R>|<G><A><D><G><E><T>|(?:<S><M><A><R><T>\s?)?<P><H><O><N><E>|<D><E><V><I><C><E>|<E><M><A><I><L>)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|<M><E><I><N>\s<H><I><N><T><E><R><H><A><L><T><I><G><E><S>\s<P><R><O><G><R><A><M>+|<I>\s?<A><M>\s?<A>\s?<H><A><C><K><E><R>|(?:(?:<T><R><O><J><A><N>|<V><I><R><U><S>|<S><P><Y><W><A><R><E>|<M><A><L>+<W><A><R><E>)\s)+<G><I><V>(?:<E><S>|<I><N><G>)\s<M><E>)[\s\.,]/i
9093endif
9094
# __MY_VICTIM: a greeting ("hi" / "hello", optional comma and "my") addressed
# to "victim" or "prey".
# Without ReplaceTags the words are matched literally between word boundaries;
# with ReplaceTags each letter is a <X> tag, which that plugin expands to its
# configured replacement pattern, and the \b anchors are absent.
# Exactly one of the two definitions is active.
9095if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9096 body __MY_VICTIM /\b(?:hi|hello),?(?:\smy)?\s(?:victim|prey)\b/i
9097endif
9098
9099ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9100 body __MY_VICTIM /(?:<H><I>|<H><E><L><L><O>),?(?:\s<M><Y>)?\s(?:<V><I><C><T><I><M>|<P><R><E><Y>)/i
9101endif
9102
# __NAKED_TO: the To header is nothing but one bare address - no display name,
# no angle brackets, no whitespace.
9103header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/
9104
# __NAME_EMAIL_DIFF: the From display name looks like an e-mail address but is
# not the same as the address in angle brackets.
# NOTE(review): reads as a display-name impersonation indicator - confirm how
# the scored rules use it.
9105meta __NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL
9106
# Display name is an address that is repeated verbatim inside <...> (the \1
# backreference; comparison is case-insensitive).
9107header __NAME_EQ_EMAIL From:raw =~ /([\w+.-]+\@[\w.-]+\.\w\w+)["'`\s]*<\s*\1>/i
9108
# Display name ends in something address-shaped, followed by an address in <...>.
9109header __NAME_IS_EMAIL From:raw =~ /\w\@[\w.-]+\.\w\w+["'`]*\s*<\w+\@\w/
9110
9111meta __NEWEGG_IMG_NOT_RCVD_NEGG __URI_IMG_NEWEGG && !__HDR_RCVD_NEWEGG
9112
9113body __NEXT_OF_KIN /\bnext[-\s]of[-\s]kin\b/i
9114
9115body __NIGERIA /\bnigeria\b/i
9116
9117meta __NOT_A_PERSON __VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO
9118tflags __NOT_A_PERSON nice
9119
9120body __NOT_DEAD_YET /\b(?:will\sinherit|que\sherede|your\sdeath|your?\sbeing\sdead)\b/i
9121
9122body __NOT_SCAM /\b(?:not\sa\sscam|(?:not|never)\sscam\syou)\b/i
9123
# __NOT_SPOOFED: "nice" sub-rule; judging by its operands it is true when the
# message shows some evidence of an authenticated or trusted sender.
# Exactly one of the four definitions below is active, selected by which of the
# DKIM and SPF plugins are loaded (see the trailing comment on each meta line).
# "if !(!plugin(...DKIM))" is a double negation and means "DKIM plugin loaded".
# NOTE(review): when the DKIM plugin is absent the operand is __DKIM_EXISTS
# instead of DKIM_VALID. Judging by the name, that only needs a signature
# header to be present, not to verify, which makes the no-DKIM variants a
# weaker signal - confirm against the definition of __DKIM_EXISTS.
9124tflags __NOT_SPOOFED nice
9125
9126if !(!plugin(Mail::SpamAssassin::Plugin::DKIM))
9127if !plugin(Mail::SpamAssassin::Plugin::SPF)
9128 meta __NOT_SPOOFED DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, no SPF
9129endif
9130endif
9131
9132if !(!plugin(Mail::SpamAssassin::Plugin::DKIM))
9133 ifplugin Mail::SpamAssassin::Plugin::SPF
9134 meta __NOT_SPOOFED SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, yes SPF
9135endif
9136endif
9137
9138if !plugin(Mail::SpamAssassin::Plugin::DKIM)
9139if !plugin(Mail::SpamAssassin::Plugin::SPF)
9140 meta __NOT_SPOOFED __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, no SPF.
9141endif
9142endif
9143
9144if !plugin(Mail::SpamAssassin::Plugin::DKIM)
9145 ifplugin Mail::SpamAssassin::Plugin::SPF
9146 meta __NOT_SPOOFED SPF_PASS || __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, yes SPF
9147endif
9148endif
9149
# True when any of the listed mail-client sub-rules (__XM_* / __UA_*, defined
# elsewhere) hits.
9150meta __NO_INR_YES_REF (__XM_GNUS || __XM_MSOE5 || __XM_MSOE6 || __XM_MOZ4 || __XM_SKYRI || __XM_WWWMAIL || __UA_GNUS || __UA_KNODE || __UA_MUTT || __UA_PAN || __UA_XNEWS)
9151
# Two ways of seeing the 41.0.0.0/8 range. X-Originating-IP is an ordinary
# message header, so its value is whatever the sending system wrote into it;
# X-Spam-Relays-External is the pseudo-header SpamAssassin builds from the
# Received chain it parsed.
9152header __NSL_ORIG_FROM_41 X-Originating-IP =~ /^(?:.+\[)?41\./
9153describe __NSL_ORIG_FROM_41 Originates from 41.0.0.0/8
9154
9155header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./
9156describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8
9157
# Sender domains whose leftmost label ends in four or more digits
# (__NUMBEREND_TLD) or consists only of four or more digits (__NUMBERONLY_TLD);
# one optional 2-4 letter label may sit before the final label.
9158header __NUMBEREND_TLD From:addr =~ /\@[a-z]{2,}[0-9]{4,}(\.[a-z]{2,4})?\.[a-z]+$/i
9159
9160header __NUMBERONLY_TLD From:addr =~ /\@[0-9]{4,}(\.[a-z]{2,4})?\.[a-z]+$/i
9161
# Subject contains three consecutive digits anywhere.
9162header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/
9163
# Obfuscated spellings of "bitcoin", with (__OBFU_BITCOIN) or without
# (__OBFU_BITCOIN_NOID) a wallet-ID hit from __BITCOIN_ID. Each rule is defined
# twice: when the ReplaceTags plugin is loaded FUZZY_BITCOIN takes the place of
# __BTC_OBFU_4; the other terms are the same in both variants.
9164if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9165 meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) )
9166endif
9167
9168ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9169 meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) )
9170endif
9171
9172if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9173 meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) )
9174endif
9175
9176ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9177 meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) )
9178endif
9179
# Unsubscribe-style phrases written with underscores instead of spaces.
# The match is case-sensitive (no /i).
9180body __OBFU_UNSUB_UL /(?:click_here|remove_your|our_e?mail|this_list|to_unsubscribe|future_e?mail|our_list)/
9181
# __ONE_IMG: image_count('all',1,1) asks the ImageInfo plugin for a message
# with at least one and at most one image of any type. Without the plugin the
# rule is stubbed to 0 so that metas referring to it still evaluate.
9182if !plugin(Mail::SpamAssassin::Plugin::ImageInfo)
9183 meta __ONE_IMG 0
9184endif
9185
9186ifplugin Mail::SpamAssassin::Plugin::ImageInfo
9187 body __ONE_IMG eval:image_count('all',1,1)
9188endif
9189
# Message-ID whose first character after "<" is not "o", whose second is not
# "p", and whose third is a dot.
9190header __OPERA_MID_NON_OP Message-ID =~ /^<[^o][^p]\./
9191
# Sales-pressure wording ("order yours today", "order one now", ...).
9192body __ORDER_TODAY /\border (?:it|one|yours|this) (?:today|now|right\saway)\b/i
9193
# "on my/our behalf", plus the literal wording "of behalf of".
9194body __OUR_BEHALF /\b(?:on\s(?:my|our)\sbehalf|of\sbehalf\sof)\b/i
9195
# Per-MIME-part header sub-rules (MIMEHeader plugin). There is no stub for the
# case where the plugin is missing, so these names are simply undefined then.
# __PART_CID_STOCK_LESS / __PART_STOCK_CID: Content-ID of the fixed shape
# <12 hex>$<8 hex>$<8 hex>@host; the _LESS form additionally requires the first
# field to start with "00" and the host part to be letters only.
9196ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9197mimeheader __PART_CID_STOCK_LESS Content-ID =~ /^<00[a-f0-9]{10}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[A-Za-z]+>$/
9198endif
9199
# A part whose Content-Disposition mentions "filename" (case-sensitive).
9200ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9201mimeheader __PART_STOCK_CD_F Content-Disposition =~ /filename/
9202endif
9203
9204ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9205mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/
9206endif
9207
# A part that carries any non-empty Content-Location header.
9208ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9209mimeheader __PART_STOCK_CL Content-Location =~ /./
9210endif
9211
9212body __PASSIVE_INCOME /\bpassive income\b/i
9213
# "password" with at most one hyphen, whitespace character or underscore
# allowed between any two letters, so spaced-out spellings still match.
9214body __PASSWORD /\bp[-\s_]?a[-\s_]?s[-\s_]?s[-\s_]?w[-\s_]?o[-\s_]?r[-\s_]?d\b/i
9215
# Credential-phishing phrases matched literally.
9216body __PASSWORD_EXP_CLUMSY /\bpassword is due for expiration yesterday\b/i
9217
9218body __PASSWORD_UPGRADE /\bpassword upgrade\b/i
9219
# "paxful" tolerating optional hyphens and repeated a/x/u letters.
9220body __PAXFUL /\bp-?a+-?x+-?f-?u+-?l\b/i
9221
# __PAY_ME: payment demands ("pay me", "send me <amount>", "make the payment",
# "amount for my silence", "pay this bitcoin address", ...) in English with
# some German wording. Two variants: a plain regex, and one written with
# ReplaceTags letter tags (<P><A><Y>...) so look-alike character substitutions
# still match.
# NOTE(review): the variants are not equivalent. In the plain regex
# "my bribe(ry)" is a top-level alternative; in the ReplaceTags regex it sits
# inside the (address|wallet|brieftasche) group and so only matches after
# "pay/fund this bitcoin/monero". The anchoring also differs (\b...\b versus
# (?:^|\s)...[\s\.,]). Confirm whether that is intended.
9222if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9223 body __PAY_ME /\b(?:pay\sme|(?:(?:send|transmit|give)\s(?:to\s)?me|(?:send(?:en\ssie)?|transfer)\s(?:the\samount\sof|exactly|genau)|I\swant|den\sbetrag\svon|payment\sof)\s(?:[\d,'.\$£]+\s?(?:usd?|eur?(?:os)?|gbp|BTC)?|bitcoin|BTC)|(?:make|perform|send|transmit)\sthe\spayment|amount\sfor\smy\ssilence|(?:pay|fund)\sthis\s(?:bitcoin|monero)[-\s](?:address|wallet|brieftasche)|my bribe(?:ry)?)\b/i
9224endif
9225
9226ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9227 body __PAY_ME /(?:^|\s)(?:<P><A><Y>\s<M><E>|(?:(?:<S><E><N><D>|<T><R><A><N><S><M><I><T>|<G><I><V><E>)\s(?:<T><O>\s)?<M><E>|(?:<S><E><N><D>(?:<E><N>\s<S><I><E>)?|<T><R><A><N><S><F><E><R>)\s(?:<T><H><E>\s<A><M><O><U><N><T>\s<O><F>|<E><X><A><C><T><L><Y>|<G><E><N><A><U>)|<I>\s<W><A><N><T>|<D><E><N>\s<B><E><T><R><A><G>\s<V><O><N>|<P><A><Y><M><E><N><T>\s<O><F>)\s(?:[\d,'.\$£]+\s?(?:<U><S><D>?|<E><U><R>?(?:<O><S>)?|<G><B><P>|<B><T><C>)?|<B><I><T><C><O><I><N>|<B><T><C>)|(?:<M><A><K><E>|<P><E><R><F><O><R><M>|<S><E><N><D>|<T><R><A><N><S><M><I><T>)\s<T><H><E>\s<P><A><Y><M><E><N><T>|<A><M><O><U><N><T>\s<F><O><R>\s<M><Y>\s<S><I><L><E><N><C><E>|(?:<P><A><Y>|<F><U><N><D>)\s<T><H><I><S>\s(?:<B><I><T><C><O><I><N>|<M><O><N><E><R><O>)[-\s](?:<A><D><D><R><E><S><S>|<W><A><L><L><E><T>|<B><R><I><E><F><T><A><S><C><H><E>|<M><Y> <B><R><I><B><E>(?:<R><Y>)?))[\s\.,]/i
9228endif
9229
# Case-sensitive "pay you".
9230body __PAY_YOU /\bpay\syou\b/
9231
# "A percentage of the money is yours" wording, typical of fund-sharing
# offers. All of these rely on the <PERCENT> ReplaceTags tag (defined
# elsewhere), so each rule is stubbed to 0 when the plugin is not loaded.
# __PCT_FOR_YOU is the union of the three patterns below and T_SHARE_50_50.
9232if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9233 meta __PCT_FOR_YOU 0
9234endif
9235
9236ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9237 meta __PCT_FOR_YOU __PCT_FOR_YOU_1 || __PCT_FOR_YOU_2 || __PCT_FOR_YOU_3 || T_SHARE_50_50
9238endif
9239
9240if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9241 meta __PCT_FOR_YOU_1 0
9242endif
9243
# _1: percentage first, then "for/to/as you(r)" (or German "an uns beide").
9244ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9245 body __PCT_FOR_YOU_1 /<PERCENT>[\s)]{0,3}(?:(?:of\s[\w\s]{0,35}?)?(?:for|to|as)\syour?|(?:[^\s.]{1,15}\s)?an uns beide)/i
9246endif
9247
9248if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9249 meta __PCT_FOR_YOU_2 0
9250endif
9251
# _2: "give/offer you <pct>", with French and German equivalents; accented
# letters are matched in quoted-printable, Latin-1 and UTF-8 byte forms.
9252ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9253 body __PCT_FOR_YOU_2 /\b(?:(?:give|offer)\syou|vous\s(?:aurez\sdroit\s(?:=E0|[\xe0])|donnerai|all(?:e|=E9|[\xe9]|[\xc3][\xa9])\srecevoir\sautour\sde)|ihnen)\s<PERCENT>/i
9254endif
9255
9256if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9257 meta __PCT_FOR_YOU_3 0
9258endif
9259
# _3: "you(r) ... share/fee/commission/... <pct>" with up to ten filler words
# on either side of the keyword; the lookbehinds exclude "by <pct>" and
# "up to <pct>".
9260ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9261 body __PCT_FOR_YOU_3 /\byour?\s(?!can)(?:(?!you)\w{1,15}\s){0,10}(?:(?:share|entiti?le(?:d|ment)?|percentage|fee|assist(?:ance)?|comp[ea]nsat(?:ed?|tion)|reward(?:ed)?|renumerat(?:e|tion)|com+is+ion|paid|deduct|account|tage|(?:will|shall|would|(?:are|stand|going)\sto)\s(?:be\s)?(?:tak(?:e|ing)|earn|get(?:ting)?|remit|subtract|with+old)|(?:deduct|taken?|subtract(?:ed)?)\syour|keep(?:ing)?|receiv(?:e|ing)|retain(?:ing)?|have|half|giv(?:en|ing)|paid|(?:give|pay|offer)\s(?:me|you|him)|bank\saccount|to\s(?:take|use)|(?:time|country)\sand|ratio\sof)(?:\s(?!you)\w{1,15}){0,10})\s(?<!by\s)(?<!up\sto\s)<PERCENT>/i
9262endif
9263
9264if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9265 meta __PCT_OF_PMTS 0
9266endif
9267
# __PCT_OF_PMTS: "<pct> of the (total) payments/remittances/capital/money ..."
# in English, French or Spanish wording.
9268ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9269 body __PCT_OF_PMTS /<PERCENT>[\s)]+(?:of\s[\w\s]{0,35}?)?(?:of|du|de)\s(?:(?:the|la)\s)?(?:total\s)?(?:payments?|rem+it+ances?|capital|chec(?:k|que)s?|mon(?:ey|ies)|suma?)/i
9270endif
9271
# __PDF_ATTACH: the message has a PDF part, recognised by MIME type
# (__PDF_ATTACH_MT) or by a file name ending in .pdf in Content-Type
# (__PDF_ATTACH_FN1) or Content-Disposition (__PDF_ATTACH_FN2). Every rule is
# stubbed to 0 when the MIMEHeader plugin is missing.
# NOTE(review): both file-name patterns require a double-quoted parameter
# value (="...pdf"). An unquoted name, or one sent in the RFC 2231
# "filename*=" form, is not matched by FN1/FN2 and would only be caught via
# the MIME type - worth keeping in mind when relying on this for attachment
# policy.
9272if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
9273 meta __PDF_ATTACH 0
9274endif
9275
9276ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9277 meta __PDF_ATTACH (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2)
9278endif
9279
9280if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
9281 meta __PDF_ATTACH_FN1 0
9282endif
9283
9284ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9285 mimeheader __PDF_ATTACH_FN1 Content-Type =~ /="[^"]+\.pdf"/i
9286endif
9287
9288if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
9289 meta __PDF_ATTACH_FN2 0
9290endif
9291
9292ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9293 mimeheader __PDF_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.pdf"/i
9294endif
9295
9296if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
9297 meta __PDF_ATTACH_MT 0
9298endif
9299
9300ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9301 mimeheader __PDF_ATTACH_MT Content-Type =~ m,\bapplication/pdf\b,i
9302endif
9303
# Sender display names used with bitcoin-demand mail: "Anon...", and "hacker" /
# "pirate" with the vowels written as ReplaceTags tags (<A>, <E>, <I>) so
# substituted characters still match. These are only defined when ReplaceTags
# is loaded; there is no stub for the other case.
# __PDS_BTC_ANON is case-sensitive and contains no tag itself.
9304ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9305 header __PDS_BTC_ANON From:name =~ /\bAnon/
9306endif
9307
9308ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9309 meta __PDS_BTC_BADFROM ( __PDS_BTC_HACKER || __PDS_BTC_PIRATE )
9310endif
9311
9312ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9313 header __PDS_BTC_HACKER From:name =~ /h<A>ck<E>r/i
9314endif
9315
# A bitcoin ID hit that is not explained by __URL_BTC_ID and occurs in a
# message without __HAS_IMG_SRC_DATA or __BUGGED_IMG (all defined elsewhere).
9316meta __PDS_BTC_ID ( __BITCOIN_ID && !__URL_BTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG)
9317
9318ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9319 header __PDS_BTC_PIRATE From:name =~ /p<I>r<A>t<E>/i
9320endif
9321
# A URI host that appears on the 'PDS_CASHSHORTENER' host list (the list
# entries are configured elsewhere). Needs WLBLEval and version 3.4.0 or later.
9322ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9323if (version >= 3.004000)
9324header __PDS_CASHSHORTENER eval:check_uri_host_listed('PDS_CASHSHORTENER')
9325endif
9326endif
9327
# A URL that carries a second http(s) URL after "?" or "=", the shape of a
# redirector link whose visible host is not the final destination.
9328uri __PDS_DOUBLE_URL m;https?://[\S]+(?:\?|=)https?://[\S]+[\w]+$;
9329
# "expiration notice/alert/date". Guarded by version and WLBLEval although the
# rule itself is a plain body regex.
9330if (version >= 3.004002)
9331ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9332body __PDS_EXPIRATION_NOTICE /\bexpiration (notice|alert|date)\b/i
9333endif
9334endif
9335
# From header with two different addresses: an address-like display text
# followed by a bracketed address that does not start with the same string
# ((?!\1)). The possessive quantifier (++) is why the rule is guarded by the
# Perl 5.10 capability check.
9336if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
9337 header __PDS_FROM_2_EMAILS From =~ /(?:^|<|"| )([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i
9338endif
9339
# Sender address at gmail.com or googlemail.com.
9340header __PDS_FROM_GMAIL From:addr =~ /\@g(?:oogle)?mail\.com$/i
9341
# The From display name is a domain-like string that is also the domain of
# the To address (\1): the sender is named after the recipient's own domain,
# as in mail posing as the recipient's IT or mail service. As written, the
# To: header has to be the line directly after From: for the pattern to match.
9342header __PDS_FROM_NAME_TO_DOMAIN ALL =~ /From: ["']?([a-z0-9\.-]+\.[0-9a-z\.-]+)["']? [^\n]+\nTo:[^\n]+\@\1/ism
9343
# Message-Id ending in @mail.gmail.com>.
# NOTE(review): the dots are unescaped and match any character, so the
# pattern is slightly looser than the literal host name.
9344header __PDS_GMAIL_MID Message-Id =~ /\@mail.gmail.com>$/
9345
# A URI containing "/drive.google.com/file": a link to a file hosted on
# Google Drive. The host is legitimate, so this is only meaningful in
# combination with other sub-rules.
9346uri __PDS_GOOGLE_DRIVE_FILE /\/drive\.google\.com\/file/i
9347
# __PDS_GOOGLE_DRIVE_SHARE: at least two of the three Google Drive
# share-notification indicators below hit (References, From address,
# X-Envelope-From). All three are header values; none of them is an
# authentication result.
9348meta __PDS_GOOGLE_DRIVE_SHARE (__PDS_GOOGLE_DRIVE_SHARE_1 + __PDS_GOOGLE_DRIVE_SHARE_2 + __PDS_GOOGLE_DRIVE_SHARE_3 >= 2)
9349
9350header __PDS_GOOGLE_DRIVE_SHARE_1 References =~ /\@docs\-share\.google\.com\>/
9351
9352header __PDS_GOOGLE_DRIVE_SHARE_2 From:addr =~ /^drive\-shares\-noreply\@google\.com$/
9353
9354header __PDS_GOOGLE_DRIVE_SHARE_3 X-Envelope-From:addr =~ /\@doclist\.bounces\.google\.com$/
9355
# __HELO_HIGHPROFILE without __HELO_DNS (both defined elsewhere). tflags net:
# the result depends on network (DNS) lookups.
9356ifplugin Mail::SpamAssassin::Plugin::AskDNS
9357meta __PDS_HP_HELO_NODNS (__HELO_HIGHPROFILE && !__HELO_DNS)
9358tflags __PDS_HP_HELO_NODNS net
9359endif
9360
# HTML size buckets: the _1024 rule is the first bucket alone, the _2048 rule
# is any of the three buckets up to 2048.
9361ifplugin Mail::SpamAssassin::Plugin::HTMLEval
9362meta __PDS_HTML_LENGTH_1024 __HTML_LENGTH_0000_1024
9363endif
9364
9365ifplugin Mail::SpamAssassin::Plugin::HTMLEval
9366meta __PDS_HTML_LENGTH_2048 __HTML_LENGTH_0000_1024 || __HTML_LENGTH_1024_1536 || __HTML_LENGTH_1536_2048
9367endif
9368
# Litecoin counterpart of __PDS_BTC_ID, built from the same exclusions.
9369meta __PDS_LITECOIN_ID (__LITECOIN_ID && !__URL_LTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG)
9370
# Short-message indicators: body length or HTML length under the named size.
9371meta __PDS_MSG_1024 (__KAM_BODY_LENGTH_LT_1024 || __PDS_HTML_LENGTH_1024)
9372
9373meta __PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512)
9374
# Any of the __FROM_FMBLA_NEWDOM* lookups hit (defined elsewhere; by their
# names, a recently registered sender domain). Network-dependent.
9375if (version >= 3.004001)
9376ifplugin Mail::SpamAssassin::Plugin::AskDNS
9377meta __PDS_NEWDOMAIN (__FROM_FMBLA_NEWDOM || __FROM_FMBLA_NEWDOM14 || __FROM_FMBLA_NEWDOM28)
9378tflags __PDS_NEWDOMAIN net
9379endif
9380endif
9381
9382if (version >= 3.004002)
9383ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9384body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (United States|USA)/i
9385endif
9386endif
9387
# X-PHP-Originating-Script values that name dynamically generated PHP code
# ("eval..'d code", "runtime-created function") instead of a script file.
# Mail sent from such code is worth attention on the sending side as well: it
# is commonly seen when a web application has been tampered with.
9388header __PDS_PHP_EVAL1 X-PHP-Originating-Script =~ /eval..'d code/i
9389
9390header __PDS_PHP_EVAL2 X-PHP-Originating-Script =~ /runtime-created function/
9391
# __PDS_QP_<n>: __MIME_QPC (defined elsewhere; presumably a quoted-printable
# character count - confirm) is greater than 0 and below <n>. Each rule is
# stubbed to 0 when the MIMEEval plugin is not loaded.
9392if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
9393 meta __PDS_QP_1024 0
9394endif
9395
9396ifplugin Mail::SpamAssassin::Plugin::MIMEEval
9397 meta __PDS_QP_1024 (__MIME_QPC > 0) && (__MIME_QPC < 1024)
9398endif
9399
9400if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
9401 meta __PDS_QP_128 0
9402endif
9403
9404ifplugin Mail::SpamAssassin::Plugin::MIMEEval
9405 meta __PDS_QP_128 (__MIME_QPC > 0) && (__MIME_QPC < 128)
9406endif
9407
9408if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
9409 meta __PDS_QP_512 0
9410endif
9411
9412ifplugin Mail::SpamAssassin::Plugin::MIMEEval
9413 meta __PDS_QP_512 (__MIME_QPC > 0) && (__MIME_QPC < 512)
9414endif
9415
9416if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
9417 meta __PDS_QP_64 0
9418endif
9419
9420ifplugin Mail::SpamAssassin::Plugin::MIMEEval
9421 meta __PDS_QP_64 (__MIME_QPC > 0) && (__MIME_QPC < 64)
9422endif
9423
# The first relay entry in X-Spam-Relays-External has a reverse-DNS name
# containing a label that starts with mta, mail, mx or smtp. The PTR name is
# chosen by whoever operates the sending address range, so this describes how
# the host is named, not who runs it.
9424header __PDS_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(mta|mail|mx|smtp)\b\S* /i
9425
# Unfilled mail-merge template text sent out as-is.
9426if (version >= 3.004002)
9427ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9428body __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i
9429endif
9430endif
9431
# Search-engine-ranking sales phrases.
9432if (version >= 3.004002)
9433ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9434body __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i
9435endif
9436endif
9437
9438if (version >= 3.004002)
9439ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9440body __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i
9441endif
9442endif
9443
# A URL of short-link shape (__SHORT_URL) whose host is not already covered by
# the known-shortener rules, in mail that did not pass only through trusted
# relays.
9444ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9445if (version >= 3.004000)
9446meta __PDS_SHORT_URL __SHORT_URL && !__URL_SHORTENER && !__PDS_URISHORTENER && !ALL_TRUSTED
9447endif
9448endif
9449
# Only the flag is set here; the __PDS_SPF_ONLYALL rule itself is defined
# elsewhere. "net" marks it as dependent on network lookups.
9450if (version >= 3.004001)
9451ifplugin Mail::SpamAssassin::Plugin::AskDNS
9452tflags __PDS_SPF_ONLYALL net
9453endif
9454endif
9455
# The From address is at Gmail, but the Message-Id does not have the Gmail
# form and __FSL_RELAY_GOOGLE (defined elsewhere) did not hit: a sender that
# claims Gmail without the traces Gmail-originated mail normally carries.
# All three inputs are header-derived heuristics, not authentication results.
9456meta __PDS_SPOOF_GMAIL_MID __PDS_FROM_GMAIL && !__PDS_GMAIL_MID && !__FSL_RELAY_GOOGLE
9457
# The To display name is identical to the local part of the To address (\1
# followed by "@"), as produced by senders that derive the name from the
# address.
9458header __PDS_TONAME_EQ_TOLOCAL To:raw =~ /^\s*['"]?([^'"]+)['"]? <?\1\@/
9459
# The recipient's own address is used as the From display text while the real
# From address is a different one ((?!\1)). _1 handles To: appearing before
# From: in the headers, _2 the opposite order; up to any number of header
# lines of at most 100 characters may sit in between. Possessive quantifiers
# (++) require the Perl 5.10 capability guard.
9460if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
9461 header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism
9462endif
9463
9464if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
9465 header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism
9466endif
9467
# Recipient named in the subject, a shortened link, and a short message.
9468ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9469if (version >= 3.004000)
9470meta __PDS_TO_SUBJ_URISHRT __TO_IN_SUBJ && (__PDS_URISHORTENER || __URL_SHORTENER) && __PDS_MSG_1024
9471endif
9472endif
9473
# A URI host that appears on the 'PDS_URISHORTENER' host list (entries are
# configured elsewhere).
9474ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9475if (version >= 3.004000)
9476header __PDS_URISHORTENER eval:check_uri_host_listed('PDS_URISHORTENER')
9477endif
9478endif
9479
# X-PHP-Script names the script that generated the mail. These sub-rules
# match script paths under /.well-known/ and under WordPress asset directories
# (wp-admin, wp-content, wp-includes, /js/) - locations that normally hold
# static files rather than mailers, so a .php sender there usually points at
# a planted script on a compromised site. Site owners seeing these in abuse
# reports should inspect the named path.
9480header __PDS_X_PHP_WELLKNOWN X-PHP-Script =~ m;/\.well-known/;
9481
9482header __PDS_X_PHP_WPADMIN X-PHP-Script =~ m;/wp-admin/(?:css|themes|js|images|user|maint)/[\S]+\.php for;i
9483
9484header __PDS_X_PHP_WPCONTENT X-PHP-Script =~ m;/wp-content/(?:themes|uploads)/[\S]+\.php for;i
9485
9486header __PDS_X_PHP_WPINCLUDES X-PHP-Script =~ m;/wp-includes/(?:css|fonts|js|pomo|Text|theme-compat)/[\S]+\.php for;i
9487
9488header __PDS_X_PHP_WPJS X-PHP-Script =~ m;/js/[\S]+\.php for;i
9489
# True when at least one of the ten __PUMPDUMP_nn phrase rules hit.
9490meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0
9491
# "messages pending", "your/N pending|undelivered|unreceived messages/emails":
# the held-mail pretext used in mailbox credential phishing.
9492body __PENDING_MESSAGES /\b(?:messages pending|(?:your|\d+[\])}]?) (?:pending|un(?:delivered|received)) (?:messages|e?-?mails))\b/i
9493
9494body __PERFECT_BINARY /\bperfect binary option\b/i
9495
# Attachment names with a document extension followed by .htm/.html
# (e.g. "x.pdf.html", "x_docx.htm"): an HTML file presented as a document.
# _01 checks Content-Disposition, including the RFC 2231 "filename*=" form and
# a percent-encoded or raw UTF-8 middle dot as separator; _02 checks the
# Content-Type name parameter.
9496ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9497 mimeheader __PHISH_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:\.|%C2%B7|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i
9498endif
9499
9500ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9501 mimeheader __PHISH_ATTACH_01_02 Content-Type =~ /\bname="?[^"]*(?:\.|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i
9502endif
9503
# A Firebase/web-app hosted link together with a sender named after the
# recipient's domain and __MAIL_LINK (defined elsewhere).
9504meta __PHISH_FBASE_01 (__URI_FIREBASEAPP || __URI_WEBAPP) && __PDS_FROM_NAME_TO_DOMAIN && __MAIL_LINK
9505
# Photo-editing / retouching service solicitations. The rule counts hits
# (tflags multiple) up to a maximum of 5 per message and is only defined when
# the feature_bug6558_free capability is available.
9506if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9507 body __PHOTO_RETOUCHING /\b(?:(?:retouching|(?:image|photo|pic)s? (?:[a-z]{1,15} ){0,3}(?:edit(?:ing|ors)|team|(?:cut+|mask|clip+|clean|crop+|resiz|enhanc|etch)ing|cut+(?:ing)?[-\s]?out|enhancement|manipulation|restoration|compositing|working|(?:color|contrast|brightnes+|background|make-?up) (?:cor+ection|change)|solution|work|services?)|(?<!that\s)(?<!\.\s)your (?:imag(?:es|ing)|pics)|photo\s?shop (?:expert|service)s?|(?:deliver (?:the|your) |(?:(?:send|throw|ship|drop|deliver|give|provide|e-?mail) us|(?:cut+(?:ing)?[-\s]?out|masking|(?:test|edit)(?:ing)?) (?:for|of|on|with)) (?:(?:an?|one|your|some|sample|test|example|the) )+)(?:image|photo|pic)s?|(?:proces+|edit)(?:\sover|\smore th[ae]n)? \d{2,5}\D? (?:image|photo|pic)s|improv(?:e|ing) (?:(?:image|photo|picture|pic) (?:quality|lighting)|(?:(?:image|photo|picture|pic) )?(?:resolution|contrast|background|color))|cor+ecting (?:color|contrast|brightnes+|background))\b|(?:e-?com+erce|website|jew[el]+r(?:[y's]+|ies)|model+(?:s|ing)?|products?|portraits?|graduation['s]*|school['s]*|bab(?:[y's]+|ies)|famil(?:[y's]+|ies)|kids|wedding|beauty|glamou?r|catalog['s]*|store['s]*|shop['s]*|(?:cut+(?:ing)?[-\s]?out|clip+ing\spath|(?:all|any) kinds? of|enhance|retouch|edit(?:ing)?)[,;]?(?:\s[a-z]{1,15}){0,4})\s(?:image|photo|pic)s?(?:[.,?]|$|\sand\b|\sor\b|\setc\b)|\b(?:imag(?:es|ing)|photos)\s\d+$)/i
9508 tflags __PHOTO_RETOUCHING multiple maxhits=5
9509endif
9510
# X-Mailer values identifying PHP-generated mail: PHPMailer, "PHP" followed by
# a version (__PHP_MUA_1), "PHP" plus one digit (__PHP_MUA_2), or the bare
# string "PHP" (__PHP_NOVER_MUA). X-Mailer is written by the sending software,
# so these describe what the message claims, nothing more.
9511header __PHPMAILER_MUA X-Mailer =~ /^PHPMailer\b/
9512
9513meta __PHP_MUA __PHP_MUA_1 || __PHP_MUA_2
9514
9515header __PHP_MUA_1 X-Mailer =~ /^PHP\s?v?\/?\d\./
9516
9517header __PHP_MUA_2 X-Mailer =~ /^PHP\d$/
9518
9519header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/
9520
# X-PHP-Originating-Script containing the word "eval" followed later by
# "code": the mail was produced by eval()'d PHP rather than a script file.
# A broader form of __PDS_PHP_EVAL1.
9521header __PHP_ORIG_SCRIPT_EVAL X-PHP-Originating-Script =~ /\beval\b.*\bcode\b/i
9522
# A message that has an X-PHP-Originating-Script header (per
# __HAS_PHP_ORIG_SCRIPT, defined elsewhere) plus one of three content
# indicators.
9523meta __PHP_ORIG_SCRIPT_SONLY __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B)
9524
# Pill pricing text. _01: "free pills" or "<price>/per/each pill|tablet|
# capsule"; _02: "pills: $<price>". Both count up to 3 hits per message and
# are stubbed to 0 when feature_bug6558_free is unavailable. The leading
# lookaheads ((?=[\d .f]), (?=[ptc])) only narrow where the match can start.
9525if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
9526 meta __PILL_PRICE_01 0
9527endif
9528
9529if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9530 body __PILL_PRICE_01 m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i
9531 tflags __PILL_PRICE_01 multiple maxhits=3
9532endif
9533
9534if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
9535 meta __PILL_PRICE_02 0
9536endif
9537
9538if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9539 body __PILL_PRICE_02 /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i
9540 tflags __PILL_PRICE_02 multiple maxhits=3
9541endif
9542
# "please/kindly review|view|see (the) attached/attachment": the usual lead-in
# to a malicious or phishing attachment, but also common in ordinary business
# mail, so only useful in combination.
9543body __PLS_REVIEW /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i
9544
# Results of the FromNameSpoof plugin's checks; undefined when the plugin is
# not loaded.
9545ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
9546header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()
9547endif
9548
9549ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
9550header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
9551endif
9552
# A link into CMS plugin/theme/include directories (WordPress and others)
# whose target does not end in a common image, icon, PDF or SVG extension:
# content hosted inside another site's CMS tree, as seen with links to
# compromised sites.
9553uri __PS_TEST_LOC_WP m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,128}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf|\.svg)[^?]{4}(?:\?[^?]{1,5})?$;i
9554
# Stock pump-and-dump phrases; __PD_CNT_1 sums these ten rules.
9555body __PUMPDUMP_01 /\b(?:times|multiply|tripl(?:e|ing)|quadrupl(?:e|ing)|quintupl(?:e|ing)) (?:your|an) (?:princip(?:al|le)|investment)\b/i
9556
9557body __PUMPDUMP_02 /\b(?:sto[ck]{2}|share price) (?:will |may |is (?:(?:about|poised|positioned|ready) to |gonna ))?(?:triple|quadruple|quintuple|soar|go(?:es?) (?:nuts|crazy|sky high|way up))\b/i
9558
9559body __PUMPDUMP_03 /\bbuy (?:[^.!]{1,30} )?(?:(?:(?:mon|tues|wednes|thurs|fri)day|tomorrow) (?:first thing|open|morning)|(?:first thing|opens|before) (?:(?:mon|tues|wednes|thurs|fri)day|tomorrow))/i
9560
9561body __PUMPDUMP_04 /\bmake you (?:big bucks|hundreds|thousands)\b/i
9562
9563body __PUMPDUMP_05 /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i
9564
9565body __PUMPDUMP_06 /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i
9566
9567body __PUMPDUMP_07 /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i
9568
# NOTE(review): "\b?" makes the word boundary optional and "(:" opens a plain
# capture group whose first alternative begins with a literal colon, so this
# matches ":stock of the year" or "sotk of the year" but not plain
# "stock of the year". It looks like a typo for
# /\b(?:sto[ck]{2}|sotk) of the year/i - confirm upstream. The file header
# says local changes are overwritten on update, so a correction belongs
# upstream or as an override in local.cf.
9569body __PUMPDUMP_08 /\b?(:sto[ck]{2}|sotk) of the year/i
9570
9571body __PUMPDUMP_09 /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i
9572
9573body __PUMPDUMP_10 /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i
9574
# "randomly selected / picked at random" lottery wording, with Portuguese and
# Spanish forms.
9575body __RANDOM_PICK /\b(?:random(?:ly)?\s(?:\w+\s)?(?:select(?:ion|ed)|pick(?:ed)?|computer)|(?:select|pick)ed\s(?:at\s)?random(?:ly)?|(?:esco(?:g|lh)idos|seleccion) (?:aleatoria(?:mente)?|al azar))\b/i
9576
# A header with a two-word hyphenated name (outside the listed well-known
# prefixes) whose value starts with a digit and is a token of at least seven
# non-space characters made of hex digits plus optional "-x"/".x" groups: the
# look of a made-up tracking header. Counted up to 4 times per message;
# __RAND_HEADER_2 is true from the second hit.
9577header __RAND_HEADER ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent|Tracking-Code)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism
9578tflags __RAND_HEADER multiple maxhits=4
9579
9580meta __RAND_HEADER_2 __RAND_HEADER > 1
9581
# Bulk-mailer style X-xx-... tracking/subscriber/campaign ID headers.
9582header __RAND_MKTG_HEADER ALL =~ /^X-(?:[a-z]{2}){1,2}-(?:EBS|(?:Tracking|Subscriber|Delivery|Customer|Campaign)-[DSU]?id):/ism
9583
# The same 8-hex-digit value appears in the Message-Id and in the MIME
# boundary string (\1). _A matches Message-Id before the boundary, _B the
# reverse order. The trailing '# "' is an existing comment, apparently there
# to balance the quote for editors.
9584header __RATWARE_BOUND_A ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{10,400}boundary="----=_NextPart_000_...._\1\./msi # "
9585
9586header __RATWARE_BOUND_B ALL =~ /boundary="----=_NextPart_000_...._([0-9a-f]{8})\..{10,400}^Message-Id: <....\1\$[0-9a-f]{8}\$/msi # "
9587
# Reverse-DNS naming of the first relay entry in X-Spam-Relays-External
# ("^[^\]]+" keeps the match before the first closing bracket). The strict
# forms require the keyword at a word boundary and followed by a non-letter
# (mail1., mx-2, smtp.); the _MESSY forms accept the keyword anywhere in the
# name. All are tflags nice, i.e. expected on legitimate mail servers.
# A PTR name is set by whoever operates the sending address range, so these
# are weak positive evidence and should not outweigh authentication results.
# NOTE(review): __RCD_RDNS_MX_MESSY and __RCD_RDNS_SMTP_MESSY lack the /i flag
# that the MAIL and MTA variants have - confirm whether that is intended.
9588header __RCD_RDNS_MAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmail[^a-z]/i
9589tflags __RCD_RDNS_MAIL nice
9590
9591header __RCD_RDNS_MAIL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mail/i
9592tflags __RCD_RDNS_MAIL_MESSY nice
9593
9594header __RCD_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmta[^a-z]/i
9595tflags __RCD_RDNS_MTA nice
9596
9597header __RCD_RDNS_MTA_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mta/i
9598tflags __RCD_RDNS_MTA_MESSY nice
9599
9600header __RCD_RDNS_MX X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmx[^a-z]/i
9601tflags __RCD_RDNS_MX nice
9602
9603header __RCD_RDNS_MX_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mx/
9604tflags __RCD_RDNS_MX_MESSY nice
9605
9606header __RCD_RDNS_OB X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\boutbounds?[^a-z]/i
9607tflags __RCD_RDNS_OB nice
9608
9609header __RCD_RDNS_SMTP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bsmtps?[^a-z]/i
9610tflags __RCD_RDNS_SMTP nice
9611
9612header __RCD_RDNS_SMTP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*smtp/
9613tflags __RCD_RDNS_SMTP_MESSY nice
9614
# Any external relay whose reverse-DNS name ends in .edu. Unlike the
# __RCD_RDNS_* rules this is not limited to the first relay entry.
46cfc9e2 9615header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\srdns=\S+\.edu\s/i
9616
# Mail relayed through a .edu host that is also image-only, URI-only or short
# (_SHORT), or that contains a long alphanumeric URI (_SUSP_URI): the pattern
# of spam sent through a compromised account or host at an institution whose
# mail is otherwise well regarded.
9617meta __RCVD_DOTEDU_SHORT __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 )
9618
9619meta __RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI )
9620
# Any external relay whose reverse-DNS name ends in .gov.
46cfc9e2 9621header __RCVD_DOTGOV_EXT X-Spam-Relays-External =~ /\srdns=\S+\.gov\s/i
9622
# An untrusted relay that announced itself as smtpout.zixmail.net in HELO.
# The HELO string is supplied by the connecting host.
9623header __RCVD_ZIXMAIL X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net /
9624
# Shape of the first external relay's reverse-DNS name: 30 or more characters
# (__RDNS_LONG), a bare "label.tld" (__RDNS_NO_SUBDOM), or 4 to 14 characters
# (__RDNS_SHORT). __RDNS_NUMERIC_TLD matches any relay whose name ends in an
# all-digit label.
9625header __RDNS_LONG X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{30}/
9626
9627header __RDNS_NO_SUBDOM X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\.\w+ /
9628
9629header __RDNS_NUMERIC_TLD X-Spam-Relays-External =~ /\srdns=\S+\.\d+\s/
9630
9631header __RDNS_SHORT X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{4,14} /
9632
# "you will receive/get/earn ... a gift/bonus/extra of $<amount>".
9633body __RECEIVE_BONUS /\byou(?:'ll)?(?: also| will)* (?:rec[ei]*ve|get|earn|collect|be (?:awarded|handed|remitted|given|paid|(?:greeted|welcomed|started) with)) (?:an? )?(?:gift|bonus|extra)(?: of|:)? \$[\d,]+/i
9634
# A Received header "from www.<host>": mail handed over by a web server.
9635header __RELAY_THRU_WWW Received =~ /from (?:[^ \@]+\@)?www\./
9636
# "release/retrieve/download your held/pending e-mails": the quarantine
# pretext used in mailbox credential phishing.
9637body __RELEASE_MESSAGES /\b(?:release messages|(?:retrieve|release|download) your(?: undelivered|unreceived|held|pending)? e?-?mails|(?:e?-?mails|messages).{1,20}download them now)\b/i
9638
# Image-only or linked-image HTML without list/bot indicators and without an
# attached image, i.e. the image is presumably fetched remotely.
9639ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
9640 meta __REMOTE_IMAGE (__HTML_IMG_ONLY || __HTML_LINK_IMAGE) && !(__SUBSCRIPTION_INFO || __VIA_ML || __SENDER_BOT || __ANY_IMAGE_ATTACH)
9641endif
9642
# Reply-To address found in the 'SUSP_NTLD' list (entries configured
# elsewhere).
9643if (version >= 3.004002)
9644ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9645header __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD')
9646endif
9647endif
9648
# Reply-To with a local part ending in "noreply" / "no-reply".
9649header __REPLYTO_NOREPLY Reply-To =~ /\bno-?reply@/i
9650
# Reply-To at aol.com whose local part is one of the listed names followed by
# one or more digits ("LOOSE": numbered variants of the listed mailboxes, not
# the exact addresses). By the rule name the list holds local parts tied to
# advance-fee (419) fraud; sibling rules in this file do the same for
# gmail.com and yahoo.com. The leading lookahead only restricts the domain
# before the alternation is tried.
46cfc9e2 9651header __REPTO_419_FRAUD_AOL_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.|ljaber)|brownchurchill|c(?:hanprivacy|ristinabruno|ustom_service)|d(?:hodgkins|onald_anderson)|evelynjoshua|f(?:d\.|ernandezfernandez)|george_clifford|hernandezrosemary|k\.doreen|l(?:erynnewest|izcarroll)|m_l\.wanczyk|p(?:aulpollard|eterwong)|r(?:achel_wat|oyalpalace)|s(?:gt\.gillianj|pwalker)|usembassy|webank|yurdaaytarkan))\d+\@aol\.com$/i
b780ea8d 9652
46cfc9e2 9653header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:a(?:bu(?:lkareem|shadi)|c(?:aalzz|e(?:alss|cere))|desilgon|l(?:an\.austin|ber\.yang|ex(?:ander(?:daisy|peterson)|hoffman)|ghafrij|lenholden|ure\.wawrenka)|m(?:ericadeliverycomapny|inaltwaijiri)|n(?:dyfox|na(?:llee|sigurlaug))|radka|s(?:hwestwood|ianbae)|tm(?:mastercard|office)|yevayawovi|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|r(?:\.charles|isterlordruben)|teld\.huisman))|bongo|e(?:linekra|n(?:ezero|jaminsarah))|ill\.lawrence|mwautomobile|oarddept|r(?:avolpaul|endalaporte|ianmoynih)|uffettwarrene)|c(?:a(?:mluba|reisu)|bnatm|elineroullier|h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|la(?:imadviser|xtonpaul)|o(?:l(?:\.fakhrialsalabi|inchrisweir|o(?:mbasjuan|nelsaad))|n(?:sultancy|tactad)|operation)|r(?:awfordgillies|istbrun?)|ustomerservicelacaixa)|d(?:a(?:nielzulu|v(?:i(?:d(?:\.loanfirm|ibe|larbi|pere|ramirez\.luis)|scarolyn|yax)|ychan))|e(?:btm|nnis(?:clark|quaid)|partmentofstate)|ipfrancis|minique|ona(?:ldwilliam|tionhelpercare)|r(?:\.wilsonpaul|davidrhama|joesimon|ovieogor)|unsilva)|e(?:benezero|christina|dwinfreeman|l(?:i(?:bethgomez|sabethmaria|zabethedw)|otocashoffice)|m(?:ailpostlink|efieleg?|ilyrichmond)|renakgeorge|ssexlss)|f(?:\.mikhail|a(?:ithdesrie|tme\.mehmed)|blott|laurentdz|r(?:a(?:100dub|n(?:c(?:espatrickconnolly|iscamendoza)|kjane))|eelottosweepstake)|ulanlan)|g(?:00gleggewinner|a(?:brielkalia|ryakinson)|bill|e(?:neralwilliamstony|orgekwame|r(?:aldjhjh|tjanvlieghe))|iidp|l(?:enmoore|oriachow)|o(?:o(?:golteam|oglegwiinner)|vgodwinemefiele)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:old\.dia|ryebert)|sh(?:imyreem|mireem))|e(?:a(?:dofficecentre|therbrooeke)|ctor(?:castillos|scastillo))|gold|heba\.hhassan|ildad|o(?:lsemeyerole|nmackjohn|rnbeckmajordennis|seoky)|trryt)|i(?:bed|n(?:fo(?:98cbnoffice|aprl)|gridrolle|ternationallppp)|sm
ailtarkan)|j(?:a(?:cobmaseon|mes(?:husmansdesk|okoh)|vierlesme)|e(?:ff(?:deandk|erydean)|ssikasingh)|imyang|o(?:e(?:dward|kendal)|hn(?:griffn|r(?:awlings|oxfordjr)|sonwilson|tanko|uba|walterlove|a)|nesandassociates|sephacevedo|ymrskone)|rawlings|uliet\.lee?)|k(?:a(?:lstromjames|malnizar|rabo\.ramala|t(?:hilittman|jamess|rinaziako))|e(?:lsawamelia|n(?:mckay|nedy\.sawadogo))|halidbuhazza|kasbu|rnkl|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:ndfair\.co\.uk|rynne(?:0west|west))|i(?:amfinchus|liane\.bettencourt|n(?:elink|glung)|xiungl?)|john|o(?:ttyoffice|u(?:ghreymargaret|isdreyfusmargarita))|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:ckoliver|incare|jor(?:dennishornbeck|townsend)|n(?:duesq|fran|uelfranco(?:foundation)?)|r(?:i(?:ahhills|nacoleman|opabl)|k(?:roth|uses)|y(?:franson|jify00aaz))|s(?:onmanny|pencer)|ttwilly|urhinck|viswanczyk(?:(?:foundation|k))?)|c\.cheadychang|dredban|e(?:lvidabullock|nnss)|gfrederick|i(?:c(?:healwuu|w)|khai(?:\.fridman|lfridm))|k(?:ent|untjoro)|o(?:ham(?:edabdul|madraqab)|rienkal)|r(?:\.justinmaxwell|cjames|hanimuhammad|jamesmc|martine|paulfrank|richardanthony|s(?:\.(?:biyufungchi|susanread)|a(?:ishaalqadafi|ngela)|gracewoods|hamima|jackman|maureens|r(?:obinsanders|uthsmith)|sarahbenjamin))|s(?:agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|obuyuki\.hirano)|o(?:\.peace|fficerricherd|hallkenneth|liviemorgan|vieogor)|p(?:\.compton|a(?:storfrancesco|ul(?:eed|n)|ymentofficer)|brookk|eter(?:\.waddell|guggi|kenin|stephen)|hillip\.richead|ieterstevens|resleybathini)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymond(?:aba|damon))|e(?:beccagarang|em(?:has(?:himy|m)|n)|plyback|v(?:\.jamesabel|frankjackson))|i(?:chardw(?:ahl|illis)|tawilliams)|o(?:berthanandez|naldmorris|s(?:a\.gomes|e(?:kipkalya|tam)))|t\.rev\.ericmark)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cottpeters|e(?:cretservicce|rgeantrobertbrown)|h(?:anemissler|e(?:ikhalmaktoum|ry(?:\.gtl|etr))|inawatrathaksin)
|imlkheng|krause|ofia\.adams|peelman|sdt|tephentam|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:ay(?:ebsouami|lorcathy)|erryparkins|h(?:ailandbankoffice|e(?:ara\.choy|bigbiglottowinning|odorosloannis|resawilliams|smithfm))|imothymetheny|lyerdonald|o(?:mc(?:hrist|rist(?:(?:donation|foundation))?)|ny(?:\.chung|zimpro)|shikazusendo))|u(?:marukareem|n(?:claimedfunds|itednation(?:organization|s))|sdepartmentofjustice)|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut))|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|i(?:elandherzog\.sw\.herad|ge|ll(?:clark|iamrobert|update))|u(?:\.office|mt)|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo)|z(?:enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i
b780ea8d 9654
# Reply-To at yahoo.com whose local part is one of the listed names followed
# by one or more digits; the yahoo.com member of the __REPTO_419_FRAUD_*_LOOSE
# family.
46cfc9e2 9655header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|gaaintl\-4g5ee\.w|lesiakalina|nn(?:awax|hester\.usa))|b(?:a(?:nk\.phbng|rr(?:ister\.dennis|lawrencefubara))|en(?:jaminb|nicholas)|riceangela)|c(?:\.(?:aroline|coulibaly)|h(?:arlesscharf|jackson)|juan|ollins(?:mattew|wayne)|ythiamiller\.un)|d(?:hamilton|i(?:aanesoto|plomaticagent))|ericalbert|f(?:aizaadama|ederal\.r)|graham\.eddie|infobank|j(?:\.edwards|a(?:ckson\.davis|netemoon)|kimyong)|k(?:elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|ge|hman)|isarobinson_|y_cheapiseth)|m(?:arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye)|rkellyayi|unny(?:\.sopheap|_sopheap))|n(?:estordaniel|orahuz)|o(?:fficial_franksylvester|legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|i(?:chard\.w|taadamsw)|o(?:b(?:ertbailey|orts)|serichard))|s(?:amthong|igurlauganna|leo|mithcolin|pwalker|tevecox\.)|tylerhess\.|u(?:butu|kdebtmanagement)|vanserge|will(?:clark|iamsimon)|xianglongdai))\d+\@yahoo\.com$/i
9656
# Reply-To at sina.com / aliyun.com, or at mail.ru. Neither pattern is
# anchored at the end, so a longer domain that merely begins with these
# strings also matches.
9657header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i
9658
9659header __REPTO_RUS_FREEM Reply-To =~ /\@mail\.ru/i
9660
# __RP_MATCHES_RCVD: result of WLBLEval's check_mailfrom_matches_rcvd().
# Stubbed to 0 on versions before 3.3.0 or when WLBLEval is not loaded, so
# that metas referring to it still evaluate.
9661if !((version >= 3.003000))
9662 meta __RP_MATCHES_RCVD 0
9663endif
9664
9665if (version >= 3.003000)
9666if !plugin(Mail::SpamAssassin::Plugin::WLBLEval)
9667 meta __RP_MATCHES_RCVD 0
9668endif
9669endif
9670
9671if (version >= 3.003000)
9672ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9673 header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
9674endif
9675endif
9676
# scam, scams, scammed, scammer(s), scamer ...
9677body __SCAM /\bscam(?:m?e[dr])?s?\b/i
9678
# Script content in mail. __SCRIPT_GIBBERISH: a <script> tag followed by 100
# characters with no ";" or "<", i.e. not ordinary statement-terminated code.
# __SCRIPT_TAG_IN_BODY: a literal "<script>" in the rendered body text.
# Both match only the bare tag; "<script" with attributes is not covered by
# these two patterns.
9679rawbody __SCRIPT_GIBBERISH /<script>[^;<]{100}/im
9680
9681body __SCRIPT_TAG_IN_BODY /<script>/i
9682
# "security dept" / "security department".
9683body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i
9684
# Any header containing an address whose local part looks like a role or
# automated sender (noreply, bounce, daemon, postmaster, ...). tflags nice:
# expected on legitimate automated mail. The match runs over ALL headers,
# including ones the sender fully controls, so it is a hint and not proof of
# an automated origin.
9685header __SENDER_BOT ALL =~ /(?:not?\W?repl[yi]|bounce|contact|daemon|subscri|report|respon[ds]e?r?s?\b|\b(?:root|news|nobody|agent|(?:post|web)?master|manag|send(?:er|ing)?|out|(?:bot|web|www)\b))[^\@ >]{0,5}s?\@\w/i
9686tflags __SENDER_BOT nice
9687
# SendGrid click-tracking redirect links (u<digits>.ct.sendgrid.net/ls/click).
# The destination is hidden behind the redirect, so the link host says
# nothing about where the reader ends up. _PHISH adds a sender-mismatch or
# recipient-in-subject indicator; _NOPHISH is the remainder.
9688uri __SENDGRID_REDIR m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=,
9689
9690meta __SENDGRID_REDIR_NOPHISH __SENDGRID_REDIR && !__SENDGRID_REDIR_PHISH
9691
9692meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || T_FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ )
9693
# "share the funds/proceeds/money" in English, German and French.
9694body __SHARE_IT /\b(?:(?:share|allocate|teilen|parteger(?:ez|ons)?|partage)\s(?:th(?:e|is)|das|les?|des)\s(?:proceeds|funds?|money|balance|account|geld|compte|fonds)|partager(?:ez|ons)? (?:avec (?:vous|moi)|ratio|suivant un pourcentage))\b/i
9695
# __URI_IMG_SHOPIFY without __HDR_RCVD_SHOPIFY (both defined elsewhere).
9696meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY
9697
# A known URL shortener together with a short subject.
9698meta __SHORTENER_SHORT_SUBJ __URL_SHORTENER && __SUBJ_SHORT
9699
# A short, link-only message whose link points at a Google Drive file; the
# _DYN form additionally requires a dynamic-looking or non-FQDN sending host.
# The link host is a legitimate service, so the signal comes from the
# combination, not from the URL itself.
9700meta __SHORT_BODY_G_DRIVE __BODY_URI_ONLY && __LCL__KAM_BODY_LENGTH_LT_512 && __PDS_GOOGLE_DRIVE_FILE
9701
9702meta __SHORT_BODY_G_DRIVE_DYN __SHORT_BODY_G_DRIVE && (RDNS_DYNAMIC || HELO_DYNAMIC_IPADDR || HELO_DYNAMIC_HCC || FSL_HELO_NON_FQDN_1)
9703
# A URL of short-link shape: host of 3-6 characters plus a two-character TLD,
# and a single path segment of 3-8 characters. Shape only; the host is not
# checked against any list here.
9704uri __SHORT_URL /^https?:\/\/[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/
9705
# A body line made of a single token of up to 60 characters (counted up to
# twice), and the same test for the Subject.
9706body __SINGLE_WORD_LINE /^\s?\S{1,60}\s?$/
9707tflags __SINGLE_WORD_LINE multiple maxhits=2
9708
9709header __SINGLE_WORD_SUBJ Subject =~ /^\s*\S{1,60}\s*$/
9710
# Content-Type application/pkcs7-mime: an S/MIME message. This only reads the
# declared type; no signature is verified.
9711header __SMIME_MESSAGE Content-Type =~ /application\/pkcs7-mime;/i
9712
# <span> tags opening or closing in the middle of a lowercase word, as when
# words are split by markup. Each is counted up to 5 times.
9713rawbody __SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/
9714tflags __SPAN_BEG_TEXT multiple maxhits=5
9715
9716rawbody __SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/
9717tflags __SPAN_END_TEXT multiple maxhits=5
9718
# SPF-derived sub-rules. Each one is defined twice: as a constant 0 when the
# SPF plugin is not loaded, and as the real expression when it is. With the
# plugin missing these never fire, so metas built on them lose that signal
# silently rather than failing.
9719if !plugin(Mail::SpamAssassin::Plugin::SPF)
9720 meta __SPF_FULL_PASS 0
9721endif
9722
# Both the MAIL FROM identity and the HELO identity passed SPF.
# "tflags ... net" marks the rule as depending on network (DNS) lookups.
9723ifplugin Mail::SpamAssassin::Plugin::SPF
9724 meta __SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS)
9725 tflags __SPF_FULL_PASS net
9726endif
9727
9728if !plugin(Mail::SpamAssassin::Plugin::SPF)
9729 meta __SPF_RANDOM_SENDER 0
9730endif
9731
# HELO passes SPF but MAIL FROM does not. "!SPF_PASS" is true for every
# non-pass outcome (fail, softfail, neutral, none, error), not only for an
# explicit fail.
9732ifplugin Mail::SpamAssassin::Plugin::SPF
9733 meta __SPF_RANDOM_SENDER (SPF_HELO_PASS && !SPF_PASS)
9734 tflags __SPF_RANDOM_SENDER net
9735endif
9736
# From: is a freemail address and __NOT_SPOOFED (defined outside this part of
# the file) did not fire.
9737meta __SPOOFED_FREEMAIL !__NOT_SPOOFED && FREEMAIL_FROM
9738tflags __SPOOFED_FREEMAIL net
9739
# Same as above, with a freemail Reply-To as well.
9740meta __SPOOFED_FREEM_REPTO __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO
9741tflags __SPOOFED_FREEM_REPTO net
9742
# Link whose visible text is a URL that differs from its href target.
#  - "(?:3D)?.?" tolerates a quoted-printable "=3D" remnant and an optional
#    quote character before the href value.
#  - Group 1 captures only the start of the href: "http(s):" plus 9 to 30
#    further characters, ending on a character that is not : / ? & =.
#  - Up to 99 nested tags (anything except a closing </a>) may sit between
#    the <a ...> and the visible text.
#  - The visible text must start with http/https and, via "(?!\1)", must not
#    start with the captured href prefix.
# Because the comparison covers only that captured prefix, an href and link
# text that agree on the prefix but diverge later are not flagged here.
9743rawbody __SPOOFED_URL m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i
9744
9745meta __STATIC_XPRIO_OLE __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE
9746
9747body __STAY_HOME /\b(?:going out of|leaving)(?: your)? (?:home|house|residence)\b/i
9748
9749body __STOCK_TIP /\bsto[ck]{2}\s?tip\b/i
9750
# Inline style that hides content: "visibility: hidden" or "display: none"
# inside a double-quoted style="..." attribute.
#  - "(?<!-)" keeps hyphenated properties ending in "-visibility" from
#    matching.
#  - The property must start within the first 80 characters of the attribute
#    value, and single-quoted or unquoted style attributes are not covered.
# "multiple maxhits=6" lets the rule count up to six hits per message; the
# __STY_INVIS_* metas that follow compare against that count.
# NOTE(review): the can(feature_bug6558_free) guard is a capability check;
# presumably it is what makes those count comparisons reliable -- confirm.
9751if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9752 rawbody __STY_INVIS /\bstyle\s*=\s*"[^">]{0,80}(?:(?<!-)visibility\s*:\s*hidden\s*|display\s*:\s*none\s*)[;"!]/i
9753 tflags __STY_INVIS multiple maxhits=6
9754endif
9755
9756if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9757 meta __STY_INVIS_1 __STY_INVIS == 1
9758endif
9759
9760if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
46cfc9e2 9761 meta __STY_INVIS_1_MINFP __STY_INVIS_1 && !MIME_QP_LONG_LINE && !__MOZILLA_MSGID
b780ea8d
SI
9762endif
9763
9764if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9765 meta __STY_INVIS_2 __STY_INVIS > 1
9766endif
9767
9768if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9769 meta __STY_INVIS_3 __STY_INVIS > 2
9770endif
9771
9772if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9773 meta __STY_INVIS_DIRECT __STY_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED
9774endif
9775
9776if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9777 meta __STY_INVIS_MANY __STY_INVIS > 5
9778endif
9779
9780header __SUBJECT_EMPTY Subject:raw =~ /^\s*$/
9781
9782meta __SUBJECT_PRESENT_EMPTY __HAS_SUBJECT && __SUBJECT_EMPTY
9783
9784header __SUBJ_ADMIN Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i
9785
9786meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU
9787
9788header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/
9789tflags __SUBJ_BROKEN_WORD multiple maxhits=2
9790
9791meta __SUBJ_DOM_ADMIN __SUBJ_ADMIN && __PDS_FROM_NAME_TO_DOMAIN
9792
9793header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,:\s\n]/ism
9794
9795header __SUBJ_HAS_TO_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
9796
9797header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
9798
9799header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism
9800
9801header __SUBJ_NOT_SHORT Subject =~ /^.{16}/
9802
9803header __SUBJ_OBFU_PUNCT Subject =~ /(?:[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|(?:[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z](?![a-z])))/i
9804tflags __SUBJ_OBFU_PUNCT multiple maxhits=4
9805
9806header __SUBJ_RE Subject =~ /^(?:R[eE]|S[vV]|V[sS]|A[wW]):/
9807
9808header __SUBJ_SHORT Subject =~ /^.{0,8}$/
9809
9810header __SUBJ_UNNEEDED_HTML Subject =~ /%[0-9a-f][0-9a-f]/i
9811tflags __SUBJ_UNNEEDED_HTML multiple maxhits=3
9812
9813header __SUBJ_USB_DRIVES Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/
9814
9815body __SUBSCRIPTION_INFO /\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/i
9816tflags __SUBSCRIPTION_INFO nice
9817
9818body __SUM_OF_FUND /\b(?:sum|release|freigabe)\s(?:of|der)\s(?:amount|fund|investment|mittel)\b/i
9819
9820body __SURVEY /\bsurvey\b/i
9821
9822body __SURVIVORS /\b(?:widow|son|daughter|husband|wife|brother|sister|attorney|vi(?:=FA|[\xfa]|[\xc3][\xba])va|esposa|veuve)\s(?:of|to|do|de)\s(?:the\s)?(?:late|falecido|finales|feu|d(?:e|=E9|[\xe9]|[\xc3][\xa9])funt|mr\.?)\s\w+\b/i
9823
9824body __SUSPICION_LOGIN /\bsuspicion login\b/i
9825
9826body __SYSADMIN /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management|security|admin(?:istrat(?:or|ion))?) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i
9827
46cfc9e2
SI
9828meta __TAGSTAT_IMG_NOT_RCVD_TGST __URI_IMG_TAGSTAT && !__HDR_RCVD_TAGSTAT
9829
b780ea8d
SI
9830header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/
9831
9832rawbody __TENWORD_GIBBERISH /^\s*(?:[a-z]+\s+){10}\.$/m
9833tflags __TENWORD_GIBBERISH multiple maxhits=21
9834
46cfc9e2
SI
9835ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9836 mimeheader __TEXT_XML_MT Content-Type =~ m,\btext/xml\b,i
9837endif
9838
b780ea8d
SI
9839body __THEY_INHERIT /\b(?:inherit\sth(?:e|is)\smoney|herede\sest[ea]\sdinero)\b/i
9840
9841body __THIS_AD /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i
9842
9843meta __THREADED (!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF)
9844tflags __THREADED nice
9845
9846header __THREAD_INDEX_GOOD Thread-Index =~ m,^A[a-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==|[A-Za-z0-9+/]{7}|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$,
9847
9848header __TO_ALL_NUMS To:addr =~ /^\d+@/
9849
9850meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX
9851
9852meta __TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE
9853
b780ea8d
SI
9854if !plugin(Mail::SpamAssassin::Plugin::SPF)
9855 meta __TO_EQ_FM_DOM_SPF_FAIL 0
9856endif
9857
9858ifplugin Mail::SpamAssassin::Plugin::SPF
9859 meta __TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FROM_DOM && SPF_FAIL
9860 tflags __TO_EQ_FM_DOM_SPF_FAIL net
9861endif
9862
9863meta __TO_EQ_FM_HTML_ONLY __TO_EQ_FROM && MIME_HTML_ONLY
9864
9865if !plugin(Mail::SpamAssassin::Plugin::SPF)
9866 meta __TO_EQ_FM_SPF_FAIL 0
9867endif
9868
9869ifplugin Mail::SpamAssassin::Plugin::SPF
9870 meta __TO_EQ_FM_SPF_FAIL __TO_EQ_FROM && SPF_FAIL
9871 tflags __TO_EQ_FM_SPF_FAIL net
9872endif
9873
# "Recipient equals sender" detection, done by matching the whole header
# block (pseudo-header ALL) and using a backreference to the address (or
# domain) captured from one header when matching the other.
#  - The _1 variants expect From: before To:, the _2 variants the reverse.
#  - "(?:[^\n]{1,100}\n)*" skips whole header lines between the two, but only
#    lines of at most 100 characters; a longer line in between stops the
#    match.
#  - Each pattern starts with "\n", so the first header must be preceded by
#    a newline within the ALL text.
9874meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2)
9875describe __TO_EQ_FROM To: same as From:
9876
# Full address captured from From:, then required at the start of the To:
# address.
9877header __TO_EQ_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
9878
9879header __TO_EQ_FROM_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
9880
9881meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2)
9882describe __TO_EQ_FROM_DOM To: domain same as From: domain
9883
# Only the part after "@" is captured and compared. The second header is
# matched with "[^\n]+@\1", so any address on that line with the same domain
# satisfies it.
9884header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+[^\n]+@\1[>,\s\n]/ism
9885
9886header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+[^\n]+@\1[>,\s\n]/ism
9887
9888meta __TO_EQ_FROM_USR (__TO_EQ_FROM_USR_1 || __TO_EQ_FROM_USR_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)
9889describe __TO_EQ_FROM_USR To: username same as From: username
9890
9891header __TO_EQ_FROM_USR_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism
9892
9893header __TO_EQ_FROM_USR_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism
9894
9895meta __TO_EQ_FROM_USR_NN (__TO_EQ_FROM_USR_NN_1 || __TO_EQ_FROM_USR_NN_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)
9896describe __TO_EQ_FROM_USR_NN To: username same as From: username sans trailing nums
9897
9898header __TO_EQ_FROM_USR_NN_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism
9899
9900header __TO_EQ_FROM_USR_NN_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism
9901
9902meta __TO_EQ_FROM_USR_NN_MINFP __TO_EQ_FROM_USR_NN && !__TO_EQ_FROM_USR_1 && !__TO_EQ_FROM && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__DKIM_EXISTS && !__NOT_SPOOFED && !__RCD_RDNS_SMTP && !__RCD_RDNS_MX_MESSY && !__THREADED
9903
9904meta __TO_IN_SUBJ (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3)
9905
9906header __TO_NO_ARROWS_R To !~ /(?:>$|>,)/
9907
9908if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
9909 meta __TO_NO_BRKTS_FREEMAIL 0
9910endif
9911
9912ifplugin Mail::SpamAssassin::Plugin::FreeMail
9913 meta __TO_NO_BRKTS_FREEMAIL __TO_NO_ARROWS_R && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
9914endif
9915
9916meta __TO_NO_BRKTS_FROM_RUNON __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && __FROM_RUNON
9917
9918meta __TO_NO_BRKTS_HTML_IMG __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMG
9919
9920meta __TO_NO_BRKTS_HTML_ONLY __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLY
9921
9922meta __TO_NO_BRKTS_MSFT __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
9923
9924meta __TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_HTML_ONLY && RDNS_NONE
9925
9926meta __TO_NO_BRKTS_PCNT __TO_NO_ARROWS_R && __FB_NUM_PERCNT
9927
9928meta __TO_TOO_MANY_WFH_01 __TO_WAY_TOO_MANY && __WFH_01
9929
9930header __TO_UNDISCLOSED To =~ /\b(?:undisclosed[-\s]recipients|destinataires inconnus|destinatari nascosti)\b/i
9931
9932header __TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,90}){50}/
9933
9934body __TO_YOUR_ACCT /\b(?:(?:f[uo]nds|money|f[uo]ndo|dinheiro|bank)\s(?:\w{1,10}\s){0,4}(?:transfer(?:red)?|transferido|sont)|\d+)\s(?:to|para|en)\s(?:your?|sua|votre)\s(?:account|conta|pos+es+ion)/i
9935
9936body __TO_YOUR_ORG /\b(?:to|for) your organi[sz]ation\b/i
9937
9938header __TO___LOWER ALL =~ /to:\s\S{5}/
9939
9940body __TRANSFORM_LIFE /\b(transform|change) your (?:daily )?life(?:style)?\b/i
9941
9942body __TRAVEL_AGENT /\btravel\sagen(?:t|cy)\b/i
9943
9944body __TRAVEL_BUSINESS /\bbusiness\stravel\b/i
9945
9946body __TRAVEL_ITINERARY /(?:travel|ticketed|your|current) itinerary/i
9947
9948meta __TRAVEL_MANY (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2
9949
9950body __TRAVEL_PROFILE /\btravel+er\sprofile\b/i
9951
9952body __TRAVEL_RESERV /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i
9953
9954body __TRTMT_DEFILED /\bdefiled\sall\s(?:forms\sof\s)?(?:medical\s)?treatments?\b/i
9955
9956body __TRUNK_BOX /\b(?:(?:trunk|metallic|proof|security|consignment)\sbox(?:es)?|sealed\ssafe|une mallette m(?:e|=E9|[\xe9]|[\xc3][\xa9])tallique)\b/i
9957
9958body __TRUSTED_CHECK /\b(?:cashier'?s?|certified)\sche(?:ck|que)/i
9959
9960header __TT_BROKEN_VALIUM Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i
9961
9962header __TT_BROKEN_VIAGRA Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i
9963
9964header __TT_OBSCURED_VALIUM Subject =~ /(v|V|\\\/)(a|A|\(a\)|4|@)(l|L|\|)(i|I|1|\xef|\|)(u|U|\(u\))(m|M)/
9965
9966header __TT_OBSCURED_VIAGRA Subject =~ /(v|V|\\\/)(i|I|1|\xef|\|)(a|A|\(a\)|4|@)(g|G)(r|R)(a|A|\(a\)|4|@)/
9967
9968header __TT_VALIUM Subject =~ /VALIUM/i
9969
9970header __TT_VIAGRA Subject =~ /VIAGRA/i
9971
9972ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9973mimeheader __TVD_FW_GRAPHIC_ID1 Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/
9974endif
9975
9976ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9977mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i
9978endif
9979
9980ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9981mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i
9982endif
9983
9984ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9985mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i
9986endif
9987
9988ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9989mimeheader __TVD_OUTLOOK_IMG Content-Id =~ /<image\d+\.(?:gif|jpe?g|png)\@/
9990endif
9991
# Phishing phrase sub-rules for the message body. Most use the filler
# "(?:[a-z_,-]+ )+?" / "*?" to allow a few arbitrary words between the fixed
# anchors, so word order matters but exact wording does not.
# "account ... placed in/on restricted status".
9992body __TVD_PH_BODY_01 /\baccount .{0,20}placed? [io]n restricted status/i
9993
# "records ... feature/award/reward".
9994body __TVD_PH_BODY_02 /\brecords (?:[a-z_,-]+ )+?(?:feature|(?:a|re)ward)/i
9995
# "you've / you have been ... payment".
9996body __TVD_PH_BODY_03 /\byou(?:'ve| have) been (?:[a-z_,-]+ )+?payment/i
9997
# "fund(s) ... to your ... account"; the negative lookaheads exclude
# "fund(s) transfer from", "from", "in" and "via" directly after the noun.
9998body __TVD_PH_BODY_04 /\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/i
9999
# "this is ... protect ... your".
10000body __TVD_PH_BODY_05 /\bthis is (?:[a-z_,-]+ )+?protect (?:[a-z_,-]+ )+?your/i
10001
# Generic salutation: "Dear <word> bank member/customer".
10002body __TVD_PH_BODY_06 /Dear [a-z]+ bank (?:member|customer)/i
10003
10004body __TVD_PH_BODY_07 /\bguarantee the safety of your (?:[a-z_,-]+ )*?account/i
10005
10006body __TVD_PH_BODY_08 /\bmultiple password failures/i
10007
# Action verb (activate, validate, secure, restore, confirm, update,
# suspend ...) followed by filler words and "account(s)"; "(?!your)" rejects
# the case where the word right after the verb begins with "your".
10008body __TVD_PH_BODY_ACCOUNTS_POST /\b(?:(?:[dr]e-?)?activat[a-z]*|(?:re-?)?validate|secure|restore|confirm|update|suspend) (?!your)(?:[a-z_,-]+ )+?accounts?\b/i
10009
# "account(s)" followed by filler words and a status word (record*, suspen*,
# notify/notification, updated, verification(s), credited).
10010body __TVD_PH_BODY_ACCOUNTS_PRE /\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i
10011
# Any one of _01 .. _08. The two ACCOUNTS_* sub-rules above are not part of
# this OR; they are consumed elsewhere (not visible in this part of the
# file).
10012meta __TVD_PH_BODY_META __TVD_PH_BODY_01 || __TVD_PH_BODY_02 || __TVD_PH_BODY_03 || __TVD_PH_BODY_04 || __TVD_PH_BODY_05 || __TVD_PH_BODY_06 || __TVD_PH_BODY_07 || __TVD_PH_BODY_08
10013
10014header __TVD_PH_SUBJ_00 Subject =~ /\brewards? survey\b/i
10015
10016header __TVD_PH_SUBJ_02 Subject =~ /\byour payment has been sent\b/i
10017
10018header __TVD_PH_SUBJ_04 Subject =~ /\baccounts? profile\b/i
10019
10020header __TVD_PH_SUBJ_15 Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i
10021
10022header __TVD_PH_SUBJ_17 Subject =~ /\bremove limitations?\b/i
10023
10024header __TVD_PH_SUBJ_18 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i
10025
10026header __TVD_PH_SUBJ_19 Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i
10027
10028header __TVD_PH_SUBJ_29 Subject =~ /^notice(?::|[\s\W]*$)/i
10029
10030header __TVD_PH_SUBJ_31 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i
10031
10032header __TVD_PH_SUBJ_36 Subject =~ /\bconsumer notice\b/i
10033
10034header __TVD_PH_SUBJ_37 Subject =~ /\bvalued member[a-z]*\b/i
10035
10036header __TVD_PH_SUBJ_38 Subject =~ /\bonline bank[a-z]*\b/i
10037
10038header __TVD_PH_SUBJ_39 Subject =~ /\bonline department\b/i
10039
10040header __TVD_PH_SUBJ_41 Subject =~ /\bunusual activity\b/i
10041
10042header __TVD_PH_SUBJ_52 Subject =~ /\b(?:account|online) profile\b/i
10043
10044header __TVD_PH_SUBJ_54 Subject =~ /\bun-?authorized access(?:es)?\b/i
10045
10046header __TVD_PH_SUBJ_56 Subject =~ /\brespond now\b/i
10047
10048header __TVD_PH_SUBJ_58 Subject =~ /\bbilling service\b/i
10049
10050header __TVD_PH_SUBJ_59 Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i
10051
10052header __TVD_PH_SUBJ_ACCESS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i
10053
10054meta __TVD_PH_SUBJ_META __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST
10055
10056meta __TVD_SPACE_ENCODED (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED)
10057
10058if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
10059 meta __TVD_SPACE_RATIO 0
10060endif
10061
10062header __TVD_SUBJ_NUM_OBFU Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i
10063
10064meta __T_PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512 || __PDS_QP_512)
10065
10066header __UA_GNUS User-Agent =~ /^Gnus/
10067
cabe596e
SI
10068header __UA_IMP User-Agent =~ /^Internet Messaging Program/
10069
b780ea8d
SI
10070header __UA_KMAIL User-Agent =~ /^KMail/
10071
10072header __UA_KNODE User-Agent =~ /^KNode/
10073
10074header __UA_MOZ5 User-Agent =~ /^Mozilla\/5/
10075
cabe596e
SI
10076header __UA_MSENTOUR User-Agent =~ /^Microsoft-Entourage/
10077
b780ea8d
SI
10078header __UA_MSOEMAC User-Agent =~ /^Microsoft-Outlook-Express-Mac/
10079
10080header __UA_MSOMAC User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/
10081
10082header __UA_MUTT User-Agent =~ /^Mutt/
10083
10084header __UA_OPERA7 User-Agent =~ /^Opera7/
10085
10086header __UA_PAN User-Agent =~ /^Pan/
10087
10088header __UA_XNEWS User-Agent =~ /^Xnews/
10089
10090body __UC_GIBB_OBFU /\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/
10091tflags __UC_GIBB_OBFU multiple maxhits=2
10092
10093body __UN /\bunited\snations?\b/i
10094
10095meta __UNDISC_FREEM __TO_UNDISCLOSED && __freemail_replyto
10096
10097meta __UNDISC_MONEY __TO_UNDISCLOSED && (__ADVANCE_FEE_2_NEW || LOTS_OF_MONEY)
10098
# Homoglyph obfuscation: the byte pairs are the UTF-8 encodings of Cyrillic
# U+0430, U+0435, U+043E (\xd0 \xb0/\xb5/\xbe) and U+0440, U+0441
# (\xd1 \x80/\x81), letters that render like Latin a, e, o, p, c. The rule
# fires when runs of them are interleaved with 1-8 ASCII alphanumerics, i.e.
# a mixed-script token.
# NOTE(review): this assumes the body is matched as raw UTF-8 bytes; confirm
# for installations that normalise character sets before matching.
10099if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
10100 body __UNICODE_OBFU_ASC /[a-z0-9\s](?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9]{1,8}(?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9\s]/i
10101 tflags __UNICODE_OBFU_ASC multiple maxhits=10
10102endif
10103
# Fires only when the hit counter reached its cap of 10 (maxhits above).
10104if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
10105 meta __UNICODE_OBFU_ASC_MANY __UNICODE_OBFU_ASC > 9
10106endif
10107
# Zero-width obfuscation: \xe2\x80\x8b/\x8c/\x8d are UTF-8 for U+200B (zero
# width space), U+200C (zero width non-joiner) and U+200D (zero width
# joiner); \xef\xbb\xbf is U+FEFF (BOM / zero width no-break space). The rule
# wants two runs of such characters separated by 1-8 ASCII characters, the
# first of which is not whitespace.
# NOTE(review): the lone \x9d byte is not a complete UTF-8 sequence; its
# intended meaning depends on the charset -- confirm.
10108if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
10109 body __UNICODE_OBFU_ZW /[a-z0-9\s](?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+[a-z0-9\s]/i
10110 tflags __UNICODE_OBFU_ZW multiple maxhits=10
10111endif
10112
# Count thresholds on the rule above: 10 (the cap), then 2+, 3+ and 5+ hits.
10113if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
10114 meta __UNICODE_OBFU_ZW_10 __UNICODE_OBFU_ZW > 9
10115endif
10116
10117if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
10118 meta __UNICODE_OBFU_ZW_2 __UNICODE_OBFU_ZW > 1
10119endif
10120
10121if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
10122 meta __UNICODE_OBFU_ZW_3 __UNICODE_OBFU_ZW > 2
10123endif
10124
10125if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
10126 meta __UNICODE_OBFU_ZW_5 __UNICODE_OBFU_ZW > 4
10127endif
10128
10129body __UNSUB_EMAIL /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b[-a-z_0-9.+=]{0,60}\@[a-z0-9][-a-z_0-9.]{4,20}(?:[^a-z_0-9.-]|$)/i
10130tflags __UNSUB_EMAIL nice
10131
10132uri __UNSUB_LINK /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b/i
10133tflags __UNSUB_LINK nice
10134
# "Upgrade / update your mailbox" credential-phishing lures in English,
# Spanish, Portuguese and Polish, including "click here/below ... to
# update/upgrade" and mailbox size/quota/limit wording.
# NOTE(review): in "request (?:for )additional storage" the group is not
# optional, so "request additional storage" does not match; if that was
# meant to be "(?:for )?" it needs fixing upstream -- confirm intent.
10135body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:(?:[hw]as|and)\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage|you (?:have )?(?:failed|refused) to up(?:date|grade))\b/i
10136
# "uri" rules are evaluated against each URI extracted from the message.
# An upper-case letter before the first ':' (and not in first position),
# i.e. a mixed-case scheme.
10137uri __UPPERCASE_URI /^[^:A-Z]+[A-Z]/
10138
# Host whose label directly before the final label is exactly 12 letters.
10139uri __URI_12LTRDOM m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i
10140
10141uri __URI_ADOBESPARK m,https?://branchlink\.adobespark\.com/,i
10142
# Any host under cloudapp.azure.com (tenant-controlled names on a shared
# cloud domain). Case-sensitive: no /i flag.
10143uri __URI_AZURE_CLOUDAPP m,://(?:[^./]+\.)+cloudapp\.azure\.com/,
10144
# Look-alike of a .gov/.edu name: host ending in "-gov.com" or "-edu.com".
10145uri __URI_DASHGOVEDU m,://[^/]*-(?:gov|edu)\.com/,i
10146
# data: URI whose media type does not begin with "image/". Such URIs carry
# their content inline, so there is no remote host for reputation checks.
10147uri __URI_DATA /^data:(?!image\/)[a-z]/i
10148
# URL that embeds a second http(s) URL on the same domain (everything after
# the first host label is captured and must repeat); amazon.com is excluded.
10149uri __URI_DBL_DOM m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i
10150
46cfc9e2 10151body __URI_DEOBFU_INSTR /(?:delete|remove|take\sout)(?:\sthe)?\sspaces/i
b780ea8d
SI
10152
10153uri __URI_DOTEDU m;^https?://(?:[^./]+\.)+edu/;i
10154
10155meta __URI_DOTEDU_ENTITY __URI_DOTEDU && __AC_HTML_ENTITY_BONANZA_SHRT_RAW
10156
10157uri __URI_DOTGOV m;^https?://(?:[^./]+\.)+gov/;i
10158
# Thirty consecutive ".xx" groups of two lower-case hex digits anywhere in
# the URI (no /i flag, so upper-case hex does not match).
10159uri __URI_DOTTY_HEX /(?:\.[0-9a-f]{2}){30}/
10160
# "unsubscribe" link whose host is a bare dotted-quad IP address instead of
# a domain name.
10161uri __URI_DQ_UNSUB m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i
10162
10163uri __URI_FIREBASEAPP m,://[^./]+\.firebaseapp\.com/,
10164
10165uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:[^&]+&)*(?:id|formkey|usp)=|document/),i
10166
10167uri __URI_GOOGLE_DRV m,^https?://(?:drive\.google|googledrive)\.com/,i
10168
10169uri __URI_GOOGLE_PROXY m;^https?://[^.]+\.googleusercontent\.com/proxy/;i
10170
46cfc9e2
SI
10171uri __URI_GOOG_STO_EMAIL m;^https?://(?:firebase)?storage\.googleapis\.com/.*[a-z0-9]@(?:[a-z0-9]{2,20}\.){1,3}[a-z]{2,3}$;i
10172
b780ea8d
SI
10173uri __URI_GOOG_STO_HTML m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.html?(?:$|\?),i
10174tflags __URI_GOOG_STO_HTML multiple maxhits=5
10175
46cfc9e2 10176uri __URI_GOOG_STO_IMG m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.(?:png|jpe?g|gif)$,i
b780ea8d
SI
10177tflags __URI_GOOG_STO_IMG multiple maxhits=5
10178
# Host written as a single hexadecimal number ("0x" plus 8 or more hex
# digits) followed by ':' or '/'. Many URL parsers accept this as an IPv4
# address, which hides the destination from domain-based checks.
10179uri __URI_HEX_IP m;://0x[0-9A-F]{8,}[:/];i
10180
10181uri __URI_IMG_ALICDN m,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g|gif|png),i
10182
46cfc9e2 10183uri __URI_IMG_AMAZON m,://[^/?]+\.(?:ssl-)?(?:images|media)-amazon\.com/.*\.(?:png|gif|jpe?g)$,i
b780ea8d
SI
10184
10185uri __URI_IMG_CHANNYPIC m,://www\.channypicture\.com/pic/,i
10186
10187uri __URI_IMG_EBAY m,://[^/?]+\.ebayimg\.com/,i
10188
cabe596e
SI
10189uri __URI_IMG_GBTCDN m;://des\.gbtcdn\.com/storage/store/[0-9a-f/]{30,}\.(?:png|gif|jpe?g)$;i
10190
b780ea8d
SI
10191uri __URI_IMG_JOOMCDN m,://img\.joomcdn\.net/,i
10192
46cfc9e2
SI
10193uri __URI_IMG_LINKEDIN m;://media-exp\d\.licdn\.com/dms/image/;i
10194
b780ea8d
SI
10195uri __URI_IMG_NEWEGG m,://[^/?]+\.neweggimages\.com/,i
10196
10197uri __URI_IMG_SHOPIFY m,://cdn\.shopify\.com/.+\.(?:jpe?g|gif|png),i
10198
10199uri __URI_IMG_STATICBG m,://imgaz\.staticbg\.com/images/,i
10200
46cfc9e2
SI
10201uri __URI_IMG_TAGSTAT m;://i\d+\.tagstat\.com/.+\.(?:jpe?g|gif|png);i
10202
cabe596e
SI
10203uri __URI_IMG_TOPHATTER m;://images\.tophatter\.com/[0-9a-f]{30,}/;i
10204
46cfc9e2
SI
10205uri __URI_IMG_TUMBLR m;://\d+\.media\.tumblr\.com/.+\.(?:jpe?g|gif|png);i
10206
b780ea8d
SI
10207uri __URI_IMG_WALMART m,://[^/?]+\.walmartimages\.com/,i
10208
10209uri __URI_IMG_WISH m,://contestimg\.wish\.com/,i
10210
10211uri __URI_IMG_WP_REDIR m;://i[02]\.wp\.com/.*\.(?:jpe?g|gif|png)$;i
10212
10213uri __URI_IMG_YTIMG m,://[^/?]+\.ytimg\.com/,i
10214
10215uri __URI_LONG_REPEAT m;(?:://|@)(?:\w+\.)*(\w{10,}\.)\1;i
10216
10217uri __URI_MAILTO /^mailto:/i
10218tflags __URI_MAILTO multiple maxhits=16
10219
10220uri __URI_MONERO /buy-monero/i
10221
10222meta __URI_ONLY_MSGID_MALF __BODY_URI_ONLY && __MSGID_NOFQDN2
10223
10224meta __URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH)
10225
10226uri __URI_PHP_REDIR m;/redirect\.php\?;i
10227
46cfc9e2
SI
10228uri __URI_PRODUCT_AMAZON m,://www\.amazon\.(?:com|co\.uk|[a-z][a-z])/dp/[a-z0-9]{10}/,i
10229
cabe596e
SI
10230uri __URI_TRY_3LD m,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob)\w)[^.]*\.[^/]+\.(?:com|net)\b,i
10231
b780ea8d
SI
10232uri __URI_TRY_USME m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i
10233
10234uri __URI_WEBAPP m,://[^./]+\.web\.app/,
10235
# WordPress path patterns. Links into these directories are unusual in
# legitimate mail and are a common sign of content hosted on a compromised
# site; the rules match on path only, on any host.
# A sub-directory below /wp-admin/.
10236uri __URI_WPADMIN m,/wp-admin/\w+/,i
10237
# A .php/.htm/.html file somewhere under /wp-content/.
10238uri __URI_WPCONTENT m,/wp-content/.*\.(?:php|html?)\b,i
10239
# URI ending in '/' below /wp-content/ or /wp-includes/ (a directory index).
10240uri __URI_WPDIRINDEX m,/wp-(?:content|includes)/.*/$,i
10241
# A .php/.htm/.html file somewhere under /wp-includes/.
10242uri __URI_WPINCLUDES m,/wp-includes/.*\.(?:php|html?)\b,i
10243
# Path or host component shaped like a Bitcoin address: a base58 string
# starting with 1 or 3 (26-35 characters in total), or a "bc1" bech32
# string. This is a shape check only; no checksum is verified, so other
# identifiers of the same shape also match.
10244uri __URL_BTC_ID m;[/.](?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})(?:/|$);
10245
# Same idea for Litecoin-style base58 strings starting with L, M or 3.
10246uri __URL_LTC_ID m;[/.][LM3][a-km-zA-HJ-NP-Z1-9]{26,33}(?:/|$);
10247
# Static list of URL-shortener (and similar redirecting) hosts.
#  - The host must follow "://" directly, so "www." or other sub-domain
#    forms of these names do not match.
#  - No /i flag: the match is case-sensitive.
#  - The tail "\/[^\/]{3}\/?" is not anchored at the end, so any path with at
#    least three characters in its first segment matches.
# Shorteners not in this list are not detected; the final destination is
# never visible to this rule.
10248uri __URL_SHORTENER /^https?:\/\/(?:bit\.ly|bit\.do|buff\.ly|tinyurl\.com|ow\.ly|owl\.li|is\.gd|tumblr\.com|mysp\.ac|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|goo\.io|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|ecs\.page\.link|cc\.uz|smarturl\.it|s\.apache\.org)\/[^\/]{3}\/?/
10249
10250header __USING_VERP1 Return-Path =~ /[+-].*=/
10251
10252header __VACATION Subject =~ /\b(?:vacatio|away|out.of.offic|auto.?re|confirm)/i
10253tflags __VACATION nice
10254
46cfc9e2 10255body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails)|verify [a-z][a-z0-9_]{3,40}@[a-z][a-z0-9]{2,30}\.[a-z]{2,6}|your mailbox [^@\s]{3,30}@\S{3,30} (?:(?:needs to|must) be verified|(?:needs|requires) verification))\b/i
b780ea8d
SI
10256tflags __VALIDATE_MAILBOX multiple maxhits=2
10257
10258body __VALIDATE_MBOX_SE /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i
10259
10260body __VERIFY_ACCOUNT /(?:confirm|updated?|verif(?:y|ied)) (?:your|the) (?:(?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)|"?[^\@\s]+\@\S+"? (?:account|mail ?box)|confirm verification|verify k?now|Ihre Angaben .berpr.ft und best.tigt)/i
10261tflags __VERIFY_ACCOUNT multiple maxhits=2
10262
10263meta __VFY_ACCT_NORDNS __VERIFY_ACCOUNT && __RDNS_NONE
10264
10265if (version >= 3.004002)
10266ifplugin Mail::SpamAssassin::Plugin::WLBLEval
10267header __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i
10268endif
10269endif
10270
10271meta __WALMART_IMG_NOT_RCVD_WAL __URI_IMG_WALMART && !__HDR_RCVD_WALMART
10272
10273body __WEBMAIL_ACCT /\byour web ?mail account/i
10274
10275body __WE_PAID /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i
10276
10277meta __WFH_01 ( __PERFECT_BINARY + __WE_PAID + __MAKE_XTRA_DOLLAR + __BONUS_LAST_DAY + __PASSIVE_INCOME + __WITHOUT_EFFORT + __TRANSFORM_LIFE + __STAY_HOME + __RECEIVE_BONUS ) > 2
10278
10279body __WIDOW /\b(?:widow(?:e[rd])'?s?|veuve)\b/i
10280
10281body __WILL_LEGAL /\b(?:codicil|last\stestament|probate|executor|intestate|bequest|mandamus)\b/i
10282
10283body __WIRE_XFR /\b(?:wire|telegraph(?:ic)?|bank)\s?transfer/i
10284
10285body __WITHOUT_EFFORT /\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great| special| extra)? effort\b/i
10286
# Invisible word: an HTML tag (anything but <style) whose attributes, within
# the first 80 characters, set either
#  - font / font-size to 0 or 1 (optionally with decimals) in px, pt, Q, vw,
#    vh or vmin, or to 0 in cm, mm, in, pc, em, ex, ch, rem, lh or vmax, or
#  - color: transparent,
# and which directly wraps 1-20 word characters. Text hidden this way is
# read by filters but not by the recipient.
# Up to six hits are counted per message; the __WORD_INVIS_* metas that
# follow compare against that count.
10287if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
10288 rawbody __WORD_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|in|pc|em|ex|ch|rem|lh|vmax))\s*[;'a-z]|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w{1,20}</i
10289 tflags __WORD_INVIS multiple maxhits=6
10290endif
10291
10292if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
10293 meta __WORD_INVIS_2 __WORD_INVIS > 1
10294endif
10295
10296if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
10297 meta __WORD_INVIS_5 __WORD_INVIS > 5
10298endif
10299
10300if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
10301 meta __WORD_INVIS_MINFP __WORD_INVIS && !__SURVEY && !MIME_QP_LONG_LINE && !__FB_TOUR && !__MSGID_GUID
10302endif
10303
10304header __XEROXWORKCTR_MUA X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/
10305
10306meta __XFER_LOTSA_MONEY __XFER_MONEY && LOTS_OF_MONEY
10307
10308meta __XFER_MONEY (__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT || __MOVE_MONEY || __TO_YOUR_ACCT || __PAY_YOU || __GIVE_MONEY)
10309
10310header __XM_APPLEMAIL X-Mailer =~ /^Apple Mail/
10311
46cfc9e2
SI
10312header __XM_ASPQMAIL X-Mailer =~ /^AspQMail/
10313
b780ea8d
SI
10314header __XM_BALSA X-Mailer =~ /^Balsa \d/
10315
10316header __XM_CALYPSO X-Mailer =~ /^Calypso/
10317
cabe596e
SI
10318header __XM_COMMUNIG X-Mailer =~ /^CommuniGate/
10319
b780ea8d
SI
10320header __XM_DIGITS_ONLY X-Mailer =~ /^\s*\d+\s*$/
10321
cabe596e
SI
10322header __XM_EC_MESSENGER X-Mailer =~ /\beC-Messenger\b/
10323
10324header __XM_EDMAX X-Mailer =~ /^EdMax/
10325
10326header __XM_ELM X-Mailer =~ /^ELM/
10327
10328header __XM_EMUMAIL X-Mailer =~ /^EMUmail/
10329
10330header __XM_EXMH X-Mailer =~ /^exmh/
10331
b780ea8d
SI
10332header __XM_FORTE X-Mailer =~ /^Forte Agent \d/
10333
10334header __XM_GNUS X-Mailer =~ /^Gnus v/
10335
cabe596e
SI
10336header __XM_IMAIL X-Mailer =~ /^<IMail v\d/
10337
10338header __XM_LOTUSN X-Mailer =~ /^Lotus Notes/
10339
10340header __XM_MAILCITY X-Mailer =~ /^MailCity Service/
b780ea8d 10341
cabe596e 10342header __XM_MAILSMITH X-Mailer =~ /^Mailsmith /
b780ea8d
SI
10343
10344header __XM_MHE X-Mailer =~ /^mh-e \d/
10345
cabe596e
SI
10346header __XM_MIMETOOLS X-Mailer =~ /^MIME-tools \d/i
10347
b780ea8d
SI
10348header __XM_MOZ4 X-Mailer =~ /^Mozilla 4/
10349
cabe596e
SI
10350header __XM_MSCDO X-Mailer =~ /^Microsoft CDO/
10351
b780ea8d
SI
10352header __XM_MSOE5 X-Mailer =~ /^Microsoft Outlook Express 5/
10353
10354header __XM_MSOE6 X-Mailer =~ /^Microsoft Outlook Express 6/
10355
cabe596e
SI
10356header __XM_MSOUT X-Mailer =~ /^Microsoft Outlook[, ]?\s?[BIC]/ #Build, IMO, CWS
10357
b780ea8d
SI
10358header __XM_MS_IN_GENERAL X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/
10359
# Exact X-Mailer strings for specific Outlook / Outlook Express builds
# (anchored with ^ and $).
# NOTE(review): the dots in the version numbers are not escaped, so each '.'
# matches any single character; the rules are slightly looser than the
# literal build strings suggest.
10360header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/
10361
10362header __XM_OL_28001441 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/
10363
10364header __XM_OL_28004682 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/
10365
10366header __XM_OL_48072300 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/
10367
10368header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/
10369
cabe596e
SI
10370header __XM_OPERA6 X-Mailer =~ /^Opera 6/
10371
b780ea8d
SI
10372header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/
10373
cabe596e
SI
10374header __XM_PEGASUS X-Mailer =~ /^Pegasus Mail/
10375
b780ea8d
SI
# X-Mailer that names PHPMailer and the word "version" but has only
# non-digit characters from there to the end of the header, i.e. a version
# label with no version number after it.
10376header __XM_PHPMAILER_FORGED X-Mailer =~ /PHPMailer\s.*version\D+$/
10377
cabe596e
SI
10378header __XM_QUALCOM X-Mailer =~ /^QUALCOMM Windows Eudora/
10379
b780ea8d
SI
10380header __XM_RANDOM X-Mailer =~ /q(?!q?mail|boxmail|\d|[-\w]*=+;)[^u]/i
10381
10382header __XM_SKYRI X-Mailer =~ /^SKYRiXgreen/
10383
10384header __XM_SQRLMAIL X-Mailer =~ /^SquirrelMail/
10385
10386header __XM_SYLPHEED X-Mailer =~ /^Sylpheed/
10387
10388header __XM_UC_ONLY X-Mailer =~ /^[^a-z]+$/
10389
46cfc9e2
SI
10390header __XM_VERY_LONG X-Mailer =~ /.{50}/
10391
b780ea8d
SI
10392header __XM_VM X-Mailer =~ /^VM \d/
10393
10394header __XM_WWWMAIL X-Mailer =~ /^WWW-Mail \d/
10395
10396header __XM_XIMEVOL X-Mailer =~ /^Ximian Evolution/
10397
# True when __XPRIO fires and none of the listed sub-rules (nor ALL_TRUSTED)
# does. Every name referenced here is defined outside this part of the file.
# The "MINFP" suffix suggests the exclusions are there to reduce false
# positives - inferred from the name only, confirm against upstream notes.
10398meta __XPRIO_MINFP __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT && !__L_BODY_8BITS
10399
# __XPRIO_MINFP together with __SUBJ_SHORT (defined elsewhere).
10400meta __XPRIO_SHORT_SUBJ __XPRIO_MINFP && __SUBJ_SHORT
10401
46cfc9e2
SI
# A MIME part whose Content-Type contains "application/x-mso"
# (case-insensitive). Only defined when the MIMEHeader plugin is loaded.
# NOTE(review): there is no "meta __X_MSO_MT 0" fallback for installs without
# the plugin, unlike __ZIP_ATTACH_MT later in this file; check how meta rules
# that reference this name behave there.
10402ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
10403 mimeheader __X_MSO_MT Content-Type =~ m,\bapplication/x-mso\b,i
10404endif
10405
b780ea8d
SI
# Body phrase sub-rules ("__" prefix: unscored, meant for use in meta rules).
#
# "you"/"your" + optional "full" + "bank"/"banking" + "information(s)".
10406body __YOUR_BANK /\byour?\s(?:full\s)?bank(?:ing)?\sinformations?\b/i
10407
# A verb (receive, pay/paid, send/sent, hold/held, delay, impound, release,
# ship, with their -d/-ed forms) + "your" + at most one word + "consignment".
10408body __YOUR_CONSIGNMENT /\b(?:received?|pa(?:y|id)|sen[dt]|h[oe]ld|delay(?:ed)?|impound(?:ed)?|released?|ship(?:ped)?)\syour(?:\s\w+)?\sconsignment\b/i
10409
# "your" or German "ihr", up to three qualifiers from a fixed list (unpaid,
# winning, approved, ... "nicht ausbezahlten"), then fund / "f u n d" /
# payment / geld. Doubled letters such as "winning" vs "wining" are tolerated
# by the "+" quantifiers.
10410body __YOUR_FUND /\b(?:your|ihr)\s(?:unpaid\s|win+ing\s|ap+roved\s|foreign\s|overdue\s|outstanding\s|contract\s|inheritance\s|nicht\sausbezahlten\s){0,3}(?:fund|f\su\sn\sd|payment|geld)\b/i
10411
# __YOUR_ONAN has two mutually exclusive definitions; which one is active
# depends on whether the ReplaceTags plugin is loaded.
#
# Plain-regex variant: "you"/"your"/"ihrer" followed by one of a fixed list of
# English and German terms for masturbation, with repeated letters tolerated.
10412if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
10413 body __YOUR_ONAN /\b(?:your?|ihrer)\s(?:ma+s+t+[ur]+b+a+t+(?:ion|ing|e)(?:svideo)?|onanism|solitary\ssex|hand\sfucking|Selbstbefriedigung|(?:pleasur(?:e|ing)|satisfy(?:ing)?)\syourself)\b/i
10414endif
10415
# ReplaceTags variant: the same phrases spelled with <X> letter tags. The tag
# definitions, and the replace_rules line that enables expansion for this
# rule, are not in this part of the file.
# This variant is anchored with (?:^|\s) in front and has no trailing \b, so
# it does not accept exactly the same text as the plain variant.
10416ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
10417 body __YOUR_ONAN /(?:^|\s)(?:<Y><O><U><R>?|<I><H><R><E><R>)\s(?:<M>+<A>+<S>+<T>+(?:<U>|<R>)+<B>+<A>+<T>+(?:<I><O><N>|<I><N><G>|<E>)(?:<S><V><I><D><E><O>)?|<O><N><A><N><I><S><M>|<S><O><L><I><T><A><R><Y>\s<S><E><X>|<H><A><N><D>\s<F><U><C><K><I><N><G>|<S><E><L><B><S><T><B><E><F><R><I><E><D><I><G><U><N><G>|(?:<P><L><E><A><S><U><R>(?:<E>|<I><N><G>)|<S><A><T><I><S><F><Y>(?:<I><N><G>)?)\s<Y><O><U><R><S><E><L><F>)/i
10418endif
10419
# __YOUR_PASSWORD: credential-related wording. Two mutually exclusive
# definitions, selected by whether the ReplaceTags plugin is loaded.
#
# Plain-regex variant: "your", or change/modify/update/reset/alter/fix + "the",
# then an optional "account " or "e-mail ", then "password" (also "pass word",
# "pass-word", "pass_word") or "pswd", ending on a word boundary.
10420if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
10421 body __YOUR_PASSWORD /\b(?:your|(?:change|modify|update|reset|alter|fix)\sthe)\s(?:account\s|e-?mail\s)?(?:pass[-\s_]?word|pswd)\b/i
10422endif
10423
# ReplaceTags variant, written with <X> letter tags (tag definitions are not
# in this part of the file).
# NOTE(review): the ending differs from the plain variant. Here "password" has
# no trailing boundary, so longer words starting with it also match, while
# "pswd" must be followed by whitespace, so "pswd." or "pswd" at the end of a
# paragraph does not match. The same message can therefore hit on one install
# and miss on another; confirm whether that is intended.
10424ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
10425 body __YOUR_PASSWORD /(?:^|\s)(?:<Y><O><U><R>|(?:<C><H><A><N><G><E>|<M><O><D><I><F><Y>|<U><P><D><A><T><E>|<R><E><S><E><T>|<A><L><T><E><R>|<F><I><X>)\s<T><H><E>)\s(?:<A><C><C><O><U><N><T>\s|<E>-?<M><A><I><L>\s)?(?:<P><A><S><S>[-\s_]?<W><O><R><D>|<P><S><W><D>\s)/i
10426endif
10427
# The phrase "your permission" (case-insensitive).
10428body __YOUR_PERM /\byour\spermission\b/i
10429
# __YOUR_PERSONAL: references to the recipient's private data. Two mutually
# exclusive definitions, selected by whether ReplaceTags is loaded.
#
# Plain-regex variant: "your" + personal/private/social contact/address/friends
# + info(rmation)/data/details/book/secrets, or "all [of] your" +
# files/contacts/secrets/correspondence.
10430if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
10431 body __YOUR_PERSONAL /\b(?:your\s(?:personal|private|social\scontact|address|friends)\s(?:info(?:rmation)?|data|details|book|secrets)|all\s(?:of\s)?your\s(?:files|contacts|secrets|correspondence))\b/i
10432endif
10433
# ReplaceTags variant of the same phrases (tag definitions are not in this
# part of the file).
# NOTE(review): this variant must be followed by whitespace, "." or ",", where
# the plain variant only needs a word boundary; a phrase at the very end of a
# paragraph, or followed by other punctuation, matches the plain variant only.
10434ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
10435 body __YOUR_PERSONAL /(?:^|\s)(?:<Y><O><U><R>\s(?:<P><E><R><S><O><N><A><L>|<P><R><I><V><A><T><E>|<S><O><C><I><A><L>\s<C><O><N><T><A><C><T>|<A><D><D><R><E><S><S>|<F><R><I><E><N><D><S>)\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>|<D><E><T><A><I><L><S>|<B><O><O><K>|<S><E><C><R><E><T><S>)|<A><L><L>\s(?:<O><F>\s)?<Y><O><U><R>\s(?:<F><I><L><E><S>|<C><O><N><T><A><C><T><S>|<S><E><C><R><E><T><S>|<C><O><R><R><E><S><P><O><N><D><E><N><C><E>))[\s\.,]/i
10436endif
10437
# "you profit" / "your profit"; no trailing boundary, so "profits" and
# "profitable" match as well.
10438body __YOUR_PROFIT /\byour?\sprofit/i
10439
# __YOUR_WEBCAM: mentions of the recipient's camera. Two mutually exclusive
# definitions, selected by whether ReplaceTags is loaded.
#
# Plain-regex variant: from/your/with/and/on, an optional
# "screen and"/"desktop and"/"microphone and" or "own", then
# web/front/network/your + "camera" ("web-camera", "web camera", doubled "r"
# tolerated). No trailing boundary, so "cameras" matches too.
10440if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
10441 body __YOUR_WEBCAM /\b(?:from|your|with|and|on)\s(?:(?:screen|desktop|microphone)\sand\s|own\s)?(?:web[-\s]?|front[-\s]?|network\s|your\s)camer+a/i
10442endif
10443
# ReplaceTags variant of the same phrases, written with <X> letter tags; the
# tag definitions are not in this part of the file.
10444ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
10445 body __YOUR_WEBCAM /(?:^|\s)(?:<F><R><O><M>|<Y><O><U><R>|<W><I><T><H>|<A><N><D>|<O><N>)\s(?:(?:<S><C><R><E><E><N>|<D><E><S><K><T><O><P>|<M><I><C><R><O><P><H><O><N><E>)\s<A><N><D>\s|<O><W><N>\s)?(?:<W><E><B>[-\s]?|<F><R><O><N><T>[-\s]?|<N><E><T><W><O><R><K>\s|<Y><O><U><R>\s)<C><A><M><E><R>+<A>/i
10446endif
10447
# "your assistance"/"your assistant" (single or doubled "s"), or French
# "votre assistance"/"votre aide".
10448body __YOU_ASSIST /\b(?:your\sas+istan(?:ce|t)|votre\s(?:as+istance|aide))\b/i
10449
# "your", then at most 30 letters/whitespace, then "inheritance" (repeated "t"
# tolerated). The bounded {0,30} gap keeps the match inside one short phrase.
10450body __YOU_INHERIT /\byour\s[a-z\s]{0,30}inherit+ance\b/i
10451
# "You have won" indicator. Fires on any of __YOU_WON_01..04 or __HAS_WON_01;
# __YOU_WON_05 ("I won") only counts together with __MOVE_MONEY or
# __GIVE_MONEY. __HAS_WON_01, __MOVE_MONEY and __GIVE_MONEY are defined
# outside this part of the file.
10452meta __YOU_WON __YOU_WON_01 || __YOU_WON_02 || __YOU_WON_03 || __YOU_WON_04 || __HAS_WON_01 || (__YOU_WON_05 && (__MOVE_MONEY || __GIVE_MONEY))
10453
# "you" (optionally your / you're / you've / you'll / you have / you did),
# an optional "e-mail", up to two further words, an optional "a", then
# win / won / winner / winning. The two lookaheads reject "won't" written with
# a UTF-8 right single quote (\xe2\x80\x99), a backtick, an ASCII apostrophe
# or the byte \x92.
10454body __YOU_WON_01 /\byou(?:r|'re|'ve|'ll|\shave|\sdid)?\s(?:e-?mail\s)?(?:\w+\s){0,2}(?:a\s)?w[io]n+(?:er|ing)?(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i
10455
# "win"/"won" + optional "for"/"by" + "you"/"your".
10456body __YOU_WON_02 /\bw[io]n\s(?:(?:for|by)\s)?your?\b/i
10457
# A subject (you, winners, beneficiaries, participants, addresses, accounts,
# emails, ...), an optional 4-40 character filler, "was/were" or "has/have
# be(en)", an optional "automatically", then a selection phrase: randomly
# selected/chosen/picked, selected at random / online / by lottery or computer
# ballot ("wahlgang" covers German), or selected as the winner.
10458body __YOU_WON_03 /\b(?:your?|win+ing|win+ers?|beneficiaries|participants?|individuals?|address(?:es)?|accounts?|emails?)(?:\s[-a-z\s]{4,40})?\s(?:w(?:ere|as)|ha(?:ve|s) be(?:en)?)\s(?:automatically\s)?(?:(?:randomly|raffly)\s(?:selected|cho+sen|cho+sing|picked)|(?:selected|cho+sen|cho+sing|picked)\s(?:[a-z\s]{2,40}?\srandom(?:ly)?|online|lottery|computer\s(?:ballot|wahlgang))|(?:selected|cho+sen|cho+sing|picked)(?:\sas?|\sthe){0,3}\swin+er)/i
10459
# French: "que/qui vous etes gagnant" or "en consequence gagne". The accented
# letters are accepted as UTF-8 bytes, as quoted-printable text (=C3=AA, =E9),
# as single Latin-1 bytes (\xea, \xe9), or as a plain unaccented "e".
10460body __YOU_WON_04 /\bqu[ei]\s?(?:vous (?:[\xc3][\xaa]|=C3=AA|[\xea]|e)tes\s?gagnant|en\scons(?:e|=E9|[\xe9]|[\xc3][\xa9])quence\sgagne)\b/i
10461
# The words "I won", with the same "won't" exclusions as __YOU_WON_01.
10462body __YOU_WON_05 /\bI won(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i
10463
# ZIP-attachment sub-rules, based on the Content-Type of MIME parts.
# Content-Type is declared by the sender, so these describe what the message
# claims to carry; the attachment bytes are not inspected here.
#
# Fallback for installs without the MIMEHeader plugin: define the name as a
# constant-false meta so that rules referencing it still have a definition.
10464if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
10465 meta __ZIP_ATTACH_MT 0
10466endif
10467
# A part declared as application/zip, application/x-compress(ed) or
# application/x-zip-compress(ed), case-insensitive.
10468ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
10469 mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i
10470endif
10471
# Same constant-false fallback for __ZIP_ATTACH_NOFN.
10472if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
10473 meta __ZIP_ATTACH_NOFN 0
10474endif
10475
# The same ZIP types, but with nothing except ";" or whitespace after the type
# up to the end of the header value, i.e. no parameters on Content-Type.
# "NOFN" presumably stands for "no filename" (no name= parameter) - confirm.
10476ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
10477 mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i
10478endif
10479
# Asks the FreeMail plugin's check_freemail_header eval to test the
# Mail-Reply-To header. Only defined when the plugin is loaded; no fallback
# definition for installs without it is visible in this part of the file.
10480ifplugin Mail::SpamAssassin::Plugin::FreeMail
10481 header __freemail_mailreplyto eval:check_freemail_header('Mail-Reply-To')
10482endif
10483
# Large money amount: a currency marker (EUR/EURO, US/USD, GBP, CFA, the HTML
# entity &#163;, the bytes \xa3 or \xa4, "$", or "sum of"), at most four
# arbitrary characters, then either two three-digit groups with an optional
# separator or a short number followed by "M", "Mil" or "de Mil".
10484body __hk_bigmoney /(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i
10485
# __hk_win_*: individual prize / lottery-notification phrases, going by the
# patterns. Each is an unscored sub-rule intended for use in meta rules; the
# metas that consume them are not in this part of the file.
# The patterns use literal single spaces rather than \s.
#
# "you/your e-mail just won/win".
10486body __hk_win_0 /\byour? e-?mail just w[oi]n/i
10487
# "attn" followed within 10 characters by "winner".
10488body __hk_win_2 /\battn.{0,10}winner/i
10489
# "happily announce", also with a doubled "a" ("aannounce").
10490body __hk_win_3 /\bhappily aa?nnounce/i
10491
# "pleasure to inform" / "pleased to inform".
10492body __hk_win_4 /\bpleas(?:ure|ed) to inform/i
10493
# "notice the winning" / "your winning".
10494body __hk_win_5 /\b(?:notice the|your) winning/i
10495
# "congratulation(s) to your".
10496body __hk_win_7 /\bcongratulations? to your/i
10497
# "unexpected luck".
10498body __hk_win_8 /\bunexpected luck/i
10499
# NOTE(review): the group "(?:nl )" is not optional, so this matches only
# "lucky nl number" and never plain "lucky number". If the plain phrase was
# meant to match as well, the group needs a "?" - confirm against upstream.
10500body __hk_win_9 /\blucky (?:nl )number/i
10501
# "winning e-mail" / "winning numbers" / "winning information".
10502body __hk_win_a /\bwinning (?:e-?mail|numbers|information)/i
10503
# "your e-mail [address] [has] won/win".
10504body __hk_win_b /\byour e-?mail (?:address )?(?:has )?w[io]n/i
10505
# French: "une adresse e-mail sur internet".
10506body __hk_win_c /\bune adresse e-?mail sur internet/i
10507
# "category [short token] winner of our".
10508body __hk_win_d /\bcategory (?:\S{0,5} )?winner of our/i
10509
# "fund transfer" / "funds transfer".
10510body __hk_win_i /\bfunds? transfer/i
10511
# "winning payout", "ready for payout", "sum payout" (also "pay out").
10512body __hk_win_j /\b(?:winning|ready for|sum) pay ?out/i
10513
# "make your claim", "file for your claim" and similar.
10514body __hk_win_l /\b(?:make|file) (?:for )?your claim/i
10515
# French "reclamation de votre prix"; the "." stands in for the accented "e".
# NOTE(review): "." matches a single character - confirm it also covers a
# two-byte UTF-8 e-acute in the way body text is presented to this rule.
10516body __hk_win_m /\br.clamation de votre prix/i
10517
# "collect your prize".
10518body __hk_win_n /\bcollect your prize/i
10519
# "clarification and procedure".
10520body __hk_win_o /\bclarification and procedure/i
10521
# Asks the FreeMail plugin's check_freemail_header eval to test the address
# part of the Reply-To header ("Reply-To:addr"). Only defined when the plugin
# is loaded. Reply-To is sender-controlled, so a hit describes where replies
# are being steered, not who sent the message.
10522ifplugin Mail::SpamAssassin::Plugin::FreeMail
10523header __smf_freemail_hdr_replyto eval:check_freemail_header('Reply-To:addr')
10524endif