Commit | Line | Data |
---|---|---|
b780ea8d SI |
1 | # SpamAssassin rules file |
2 | # | |
3 | # Please don't modify this file as your changes will be overwritten with | |
4 | # the next update. Use /etc/mail/spamassassin/local.cf instead. | |
5 | # See 'perldoc Mail::SpamAssassin::Conf' for details. | |
6 | # | |
7 | # <@LICENSE> | |
8 | # Licensed to the Apache Software Foundation (ASF) under one or more | |
9 | # contributor license agreements. See the NOTICE file distributed with | |
10 | # this work for additional information regarding copyright ownership. | |
11 | # The ASF licenses this file to you under the Apache License, Version 2.0 | |
12 | # (the "License"); you may not use this file except in compliance with | |
13 | # the License. You may obtain a copy of the License at: | |
14 | # | |
15 | # http://www.apache.org/licenses/LICENSE-2.0 | |
16 | # | |
17 | # Unless required by applicable law or agreed to in writing, software | |
18 | # distributed under the License is distributed on an "AS IS" BASIS, | |
19 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
20 | # See the License for the specific language governing permissions and | |
21 | # limitations under the License. | |
22 | # </@LICENSE> | |
23 | # | |
24 | ########################################################################### | |
25 | ||
26 | require_version 3.004005 | |
27 | ||
28 | ##{ ACCT_PHISHING_MANY | |
29 | ||
 | # Fires when either phishing sub-rule matches, unless one of the two more | |
 | # specific *_PHISH_MANY rules matched. All four referenced rules are defined | |
 | # outside this listing. | |
 | # NOTE(review): the two exclusions presumably keep one message from being | |
 | # counted twice for the same lure -- confirm against the sub-rule definitions. | |
30 | meta ACCT_PHISHING_MANY (__ACCT_PHISH_MANY || __EMAIL_PHISH_MANY) && !GOOGLE_DOCS_PHISH_MANY && !GOOG_STO_HTML_PHISH_MANY | |
31 | describe ACCT_PHISHING_MANY Phishing for account information | |
 | # The score line below is commented out, so this block assigns no score itself. | |
32 | #score ACCT_PHISHING_MANY 3.000 # limit | |
33 | ##} ACCT_PHISHING_MANY | |
34 | ||
35 | ##{ AC_BR_BONANZA | |
36 | ||
37 | rawbody AC_BR_BONANZA /(?:<br>\s*){30}/i | |
38 | describe AC_BR_BONANZA Too many newlines in a row... spammy template | |
39 | #score AC_BR_BONANZA 0.001 | |
40 | tflags AC_BR_BONANZA publish | |
41 | ##} AC_BR_BONANZA | |
42 | ||
43 | ##{ AC_DIV_BONANZA | |
44 | ||
45 | rawbody AC_DIV_BONANZA /(?:<div>(?:\s*<\/div>)?\s*){10}/i | |
46 | describe AC_DIV_BONANZA Too many divs in a row... spammy template | |
47 | #score AC_DIV_BONANZA 0.001 | |
48 | tflags AC_DIV_BONANZA publish | |
49 | ##} AC_DIV_BONANZA | |
50 | ||
51 | ##{ AC_FROM_MANY_DOTS | |
52 | ||
53 | meta AC_FROM_MANY_DOTS __AC_FROM_MANY_DOTS_MINFP | |
54 | #score AC_FROM_MANY_DOTS 3.000 # limit | |
55 | describe AC_FROM_MANY_DOTS Multiple periods in From user name | |
56 | tflags AC_FROM_MANY_DOTS publish | |
57 | ##} AC_FROM_MANY_DOTS | |
58 | ||
59 | ##{ AC_HTML_NONSENSE_TAGS | |
60 | ||
61 | rawbody AC_HTML_NONSENSE_TAGS /(?:<[A-Za-z0-9]{4,}>\s*){10}/ | |
62 | describe AC_HTML_NONSENSE_TAGS Many consecutive multi-letter HTML tags, likely nonsense/spam | |
63 | #score AC_HTML_NONSENSE_TAGS 2.0 | |
64 | tflags AC_HTML_NONSENSE_TAGS publish | |
65 | ##} AC_HTML_NONSENSE_TAGS | |
66 | ||
67 | ##{ AC_POST_EXTRAS | |
68 | ||
69 | meta AC_POST_EXTRAS __AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_ID | |
70 | describe AC_POST_EXTRAS Suspicious URL | |
71 | #score AC_POST_EXTRAS 2.500 # limit | |
72 | tflags AC_POST_EXTRAS publish | |
73 | ##} AC_POST_EXTRAS | |
74 | ||
75 | ##{ AC_SPAMMY_URI_PATTERNS1 | |
76 | ||
77 | meta AC_SPAMMY_URI_PATTERNS1 (__AC_OUTL_URI && __AC_OUTI_URI) | |
78 | describe AC_SPAMMY_URI_PATTERNS1 link combos match highly spammy template | |
79 | #score AC_SPAMMY_URI_PATTERNS1 4.0 | |
80 | tflags AC_SPAMMY_URI_PATTERNS1 publish | |
81 | ##} AC_SPAMMY_URI_PATTERNS1 | |
82 | ||
83 | ##{ AC_SPAMMY_URI_PATTERNS10 | |
84 | ||
85 | meta AC_SPAMMY_URI_PATTERNS10 __AC_PUNCTNUMS_URI | |
86 | describe AC_SPAMMY_URI_PATTERNS10 link combos match highly spammy template | |
87 | #score AC_SPAMMY_URI_PATTERNS10 4.0 | |
88 | tflags AC_SPAMMY_URI_PATTERNS10 publish | |
89 | ##} AC_SPAMMY_URI_PATTERNS10 | |
90 | ||
91 | ##{ AC_SPAMMY_URI_PATTERNS11 | |
92 | ||
93 | meta AC_SPAMMY_URI_PATTERNS11 __AC_NDOMLONGNASPX_URI | |
94 | describe AC_SPAMMY_URI_PATTERNS11 link combos match highly spammy template | |
95 | #score AC_SPAMMY_URI_PATTERNS11 4.0 | |
96 | tflags AC_SPAMMY_URI_PATTERNS11 publish | |
97 | ##} AC_SPAMMY_URI_PATTERNS11 | |
98 | ||
99 | ##{ AC_SPAMMY_URI_PATTERNS12 | |
100 | ||
101 | meta AC_SPAMMY_URI_PATTERNS12 (__AC_CHDSEQ_URI && __AC_MHDSEQ_URI && __AC_UHDSEQ_URI) | |
102 | describe AC_SPAMMY_URI_PATTERNS12 link combos match highly spammy template | |
103 | #score AC_SPAMMY_URI_PATTERNS12 4.0 | |
104 | tflags AC_SPAMMY_URI_PATTERNS12 publish | |
105 | ##} AC_SPAMMY_URI_PATTERNS12 | |
106 | ||
107 | ##{ AC_SPAMMY_URI_PATTERNS2 | |
108 | ||
109 | meta AC_SPAMMY_URI_PATTERNS2 (__AC_LAND_URI && __AC_UNSUB_URI && __AC_REPORT_URI) | |
110 | describe AC_SPAMMY_URI_PATTERNS2 link combos match highly spammy template | |
111 | #score AC_SPAMMY_URI_PATTERNS2 4.0 | |
112 | tflags AC_SPAMMY_URI_PATTERNS2 publish | |
113 | ##} AC_SPAMMY_URI_PATTERNS2 | |
114 | ||
115 | ##{ AC_SPAMMY_URI_PATTERNS3 | |
116 | ||
117 | meta AC_SPAMMY_URI_PATTERNS3 (__AC_PHPOFFTOP_URI && __AC_PHPOFFSUB_URI) | |
118 | describe AC_SPAMMY_URI_PATTERNS3 link combos match highly spammy template | |
119 | #score AC_SPAMMY_URI_PATTERNS3 4.0 | |
120 | tflags AC_SPAMMY_URI_PATTERNS3 publish | |
121 | ##} AC_SPAMMY_URI_PATTERNS3 | |
122 | ||
123 | ##{ AC_SPAMMY_URI_PATTERNS4 | |
124 | ||
125 | meta AC_SPAMMY_URI_PATTERNS4 __AC_NUMS_URI | |
126 | describe AC_SPAMMY_URI_PATTERNS4 link combos match highly spammy template | |
127 | #score AC_SPAMMY_URI_PATTERNS4 4.0 | |
128 | tflags AC_SPAMMY_URI_PATTERNS4 publish | |
129 | ##} AC_SPAMMY_URI_PATTERNS4 | |
130 | ||
131 | ##{ AC_SPAMMY_URI_PATTERNS8 | |
132 | ||
133 | meta AC_SPAMMY_URI_PATTERNS8 __AC_LONGSEQ_URI | |
134 | describe AC_SPAMMY_URI_PATTERNS8 link combos match highly spammy template | |
135 | #score AC_SPAMMY_URI_PATTERNS8 4.0 | |
136 | tflags AC_SPAMMY_URI_PATTERNS8 publish | |
137 | ##} AC_SPAMMY_URI_PATTERNS8 | |
138 | ||
139 | ##{ AC_SPAMMY_URI_PATTERNS9 | |
140 | ||
141 | meta AC_SPAMMY_URI_PATTERNS9 (__AC_1SEQC_URI && (__AC_1SEQV_URI || __AC_RMOVE_URI)) | |
142 | describe AC_SPAMMY_URI_PATTERNS9 link combos match highly spammy template | |
143 | #score AC_SPAMMY_URI_PATTERNS9 4.0 | |
144 | tflags AC_SPAMMY_URI_PATTERNS9 publish | |
145 | ##} AC_SPAMMY_URI_PATTERNS9 | |
146 | ||
147 | ##{ ADMAIL | |
148 | ||
149 | meta ADMAIL __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS | |
150 | describe ADMAIL "admail" and variants | |
151 | tflags ADMAIL publish | |
152 | ##} ADMAIL | |
153 | ||
154 | ##{ ADMITS_SPAM | |
155 | ||
156 | meta ADMITS_SPAM __ADMITS_SPAM && !__FROM_LOWER && !__MSGID_JAVAMAIL && !__HAS_CAMPAIGNID && !__STY_INVIS_2 && !__LYRIS_EZLM_REMAILER && !__RCD_RDNS_OB | |
157 | describe ADMITS_SPAM Admits this is an ad | |
158 | tflags ADMITS_SPAM publish | |
159 | ##} ADMITS_SPAM | |
160 | ||
161 | ##{ ADVANCE_FEE_2_NEW_FORM | |
162 | ||
163 | meta ADVANCE_FEE_2_NEW_FORM (__ADVANCE_FEE_2_NEW_FORM && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__FROM_LOWER && !__HAS_X_LOOP | |
164 | describe ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form | |
165 | #score ADVANCE_FEE_2_NEW_FORM 2.000 # limit | |
166 | tflags ADVANCE_FEE_2_NEW_FORM publish | |
167 | ##} ADVANCE_FEE_2_NEW_FORM | |
168 | ||
169 | ##{ ADVANCE_FEE_2_NEW_FRM_MNY | |
170 | ||
171 | meta ADVANCE_FEE_2_NEW_FRM_MNY (__ADVANCE_FEE_2_NEW_FRM_MNY && !__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP | |
172 | describe ADVANCE_FEE_2_NEW_FRM_MNY Advance Fee fraud form and lots of money | |
173 | #score ADVANCE_FEE_2_NEW_FRM_MNY 2.500 | |
174 | tflags ADVANCE_FEE_2_NEW_FRM_MNY publish | |
175 | ##} ADVANCE_FEE_2_NEW_FRM_MNY | |
176 | ||
177 | ##{ ADVANCE_FEE_2_NEW_MONEY | |
178 | ||
179 | meta ADVANCE_FEE_2_NEW_MONEY (__ADVANCE_FEE_2_NEW_MONEY && !__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG | |
180 | describe ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money | |
181 | #score ADVANCE_FEE_2_NEW_MONEY 2.000 # limit | |
182 | tflags ADVANCE_FEE_2_NEW_MONEY publish | |
183 | ##} ADVANCE_FEE_2_NEW_MONEY | |
184 | ||
185 | ##{ ADVANCE_FEE_3_NEW | |
186 | ||
187 | meta ADVANCE_FEE_3_NEW (__ADVANCE_FEE_3_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_4_NEW && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__HAS_SENDER && !__HAS_X_LOOP && !__TO_YOUR_ORG && !__BUGGED_IMG | |
188 | describe ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419) | |
189 | #score ADVANCE_FEE_3_NEW 3.5 # limit | |
190 | tflags ADVANCE_FEE_3_NEW publish | |
191 | ##} ADVANCE_FEE_3_NEW | |
192 | ||
193 | ##{ ADVANCE_FEE_3_NEW_FORM | |
194 | ||
195 | meta ADVANCE_FEE_3_NEW_FORM (__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__THREADED && !__HAS_SENDER && !__FROM_LOWER && !__HAS_X_LOOP | |
196 | describe ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form | |
197 | tflags ADVANCE_FEE_3_NEW_FORM publish | |
198 | ##} ADVANCE_FEE_3_NEW_FORM | |
199 | ||
200 | ##{ ADVANCE_FEE_3_NEW_FRM_MNY | |
201 | ||
202 | meta ADVANCE_FEE_3_NEW_FRM_MNY (__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP | |
203 | describe ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money | |
204 | tflags ADVANCE_FEE_3_NEW_FRM_MNY publish | |
205 | ##} ADVANCE_FEE_3_NEW_FRM_MNY | |
206 | ||
207 | ##{ ADVANCE_FEE_3_NEW_MONEY | |
208 | ||
209 | meta ADVANCE_FEE_3_NEW_MONEY (__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG | |
210 | describe ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money | |
211 | tflags ADVANCE_FEE_3_NEW_MONEY publish | |
212 | ##} ADVANCE_FEE_3_NEW_MONEY | |
213 | ||
214 | ##{ ADVANCE_FEE_4_NEW | |
215 | ||
216 | meta ADVANCE_FEE_4_NEW (__ADVANCE_FEE_4_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__HAS_ERRORS_TO && !__HAS_X_LOOP && !__BUGGED_IMG | |
217 | describe ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419) | |
218 | tflags ADVANCE_FEE_4_NEW publish | |
219 | ##} ADVANCE_FEE_4_NEW | |
220 | ||
221 | ##{ ADVANCE_FEE_4_NEW_FORM | |
222 | ||
223 | meta ADVANCE_FEE_4_NEW_FORM (__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) | |
224 | describe ADVANCE_FEE_4_NEW_FORM Advance Fee fraud and a form | |
225 | tflags ADVANCE_FEE_4_NEW_FORM publish | |
226 | ##} ADVANCE_FEE_4_NEW_FORM | |
227 | ||
228 | ##{ ADVANCE_FEE_4_NEW_FRM_MNY | |
229 | ||
230 | meta ADVANCE_FEE_4_NEW_FRM_MNY (__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) | |
231 | describe ADVANCE_FEE_4_NEW_FRM_MNY Advance Fee fraud form and lots of money | |
232 | tflags ADVANCE_FEE_4_NEW_FRM_MNY publish | |
233 | ##} ADVANCE_FEE_4_NEW_FRM_MNY | |
234 | ||
235 | ##{ ADVANCE_FEE_4_NEW_MONEY | |
236 | ||
237 | meta ADVANCE_FEE_4_NEW_MONEY (__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG | |
238 | describe ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money | |
239 | tflags ADVANCE_FEE_4_NEW_MONEY publish | |
240 | ##} ADVANCE_FEE_4_NEW_MONEY | |
241 | ||
242 | ##{ ADVANCE_FEE_5_NEW | |
243 | ||
244 | meta ADVANCE_FEE_5_NEW (__ADVANCE_FEE_5_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY) && !__BUGGED_IMG | |
245 | describe ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419) | |
246 | tflags ADVANCE_FEE_5_NEW publish | |
247 | ##} ADVANCE_FEE_5_NEW | |
248 | ||
249 | ##{ ADVANCE_FEE_5_NEW_FORM | |
250 | ||
251 | meta ADVANCE_FEE_5_NEW_FORM __ADVANCE_FEE_5_NEW_FORM | |
252 | describe ADVANCE_FEE_5_NEW_FORM Advance Fee fraud and a form | |
253 | tflags ADVANCE_FEE_5_NEW_FORM publish | |
254 | ##} ADVANCE_FEE_5_NEW_FORM | |
255 | ||
256 | ##{ ADVANCE_FEE_5_NEW_FRM_MNY | |
257 | ||
258 | meta ADVANCE_FEE_5_NEW_FRM_MNY __ADVANCE_FEE_5_NEW_FRM_MNY | |
259 | describe ADVANCE_FEE_5_NEW_FRM_MNY Advance Fee fraud form and lots of money | |
260 | tflags ADVANCE_FEE_5_NEW_FRM_MNY publish | |
261 | ##} ADVANCE_FEE_5_NEW_FRM_MNY | |
262 | ||
263 | ##{ ADVANCE_FEE_5_NEW_MONEY | |
264 | ||
265 | meta ADVANCE_FEE_5_NEW_MONEY __ADVANCE_FEE_5_NEW_MONEY && !__BOUNCE_CTYPE && !__BUGGED_IMG | |
266 | describe ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money | |
267 | tflags ADVANCE_FEE_5_NEW_MONEY publish | |
268 | ##} ADVANCE_FEE_5_NEW_MONEY | |
269 | ||
270 | ##{ AD_PREFS | |
271 | ||
272 | body AD_PREFS /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i | |
273 | describe AD_PREFS Advertising preferences | |
274 | #score AD_PREFS 0.500 # limit | |
275 | tflags AD_PREFS publish | |
276 | ##} AD_PREFS | |
277 | ||
278 | ##{ ALIBABA_IMG_NOT_RCVD_ALI | |
279 | ||
280 | meta ALIBABA_IMG_NOT_RCVD_ALI __ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASE | |
281 | #score ALIBABA_IMG_NOT_RCVD_ALI 2.500 # limit | |
282 | describe ALIBABA_IMG_NOT_RCVD_ALI Alibaba hosted image but message not from Alibaba | |
283 | tflags ALIBABA_IMG_NOT_RCVD_ALI publish | |
284 | ##} ALIBABA_IMG_NOT_RCVD_ALI | |
285 | ||
286 | ##{ AMAZON_IMG_NOT_RCVD_AMZN | |
287 | ||
288 | meta AMAZON_IMG_NOT_RCVD_AMZN __AMAZON_IMG_NOT_RCVD_AMZN && !__HDR_RCVD_KEEPA && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST | |
289 | #score AMAZON_IMG_NOT_RCVD_AMZN 2.500 # limit | |
290 | describe AMAZON_IMG_NOT_RCVD_AMZN Amazon hosted image but message not from Amazon | |
291 | tflags AMAZON_IMG_NOT_RCVD_AMZN publish | |
292 | ##} AMAZON_IMG_NOT_RCVD_AMZN | |
293 | ||
294 | ##{ APOSTROPHE_FROM | |
295 | ||
296 | header APOSTROPHE_FROM From:addr =~ /'/ | |
297 | describe APOSTROPHE_FROM From address contains an apostrophe | |
298 | ##} APOSTROPHE_FROM | |
299 | ||
300 | ##{ APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
301 | ||
302 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
303 | meta APP_DEVELOPMENT_FREEM __APP_DEVELOPMENT_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) | |
304 | describe APP_DEVELOPMENT_FREEM App development pitch, freemail or CHN replyto | |
305 | # score APP_DEVELOPMENT_FREEM 3.500 # limit | |
306 | tflags APP_DEVELOPMENT_FREEM publish | |
307 | endif | |
308 | ##} APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
309 | ||
310 | ##{ APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
311 | ||
312 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
313 | meta APP_DEVELOPMENT_NORDNS __APP_DEVELOPMENT && __RDNS_NONE | |
314 | describe APP_DEVELOPMENT_NORDNS App development pitch, no rDNS | |
315 | # score APP_DEVELOPMENT_NORDNS 2.000 # limit | |
316 | tflags APP_DEVELOPMENT_NORDNS publish | |
317 | endif | |
318 | ##} APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
319 | ||
320 | ##{ AXB_XMAILER_MIMEOLE_OL_024C2 | |
321 | ||
322 | meta AXB_XMAILER_MIMEOLE_OL_024C2 (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2) | |
323 | describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait | |
324 | ##} AXB_XMAILER_MIMEOLE_OL_024C2 | |
325 | ||
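326 | ##{ AXB_XMAILER_MIMEOLE_OL_1ECD5 | |
327 | ||
 | # Fires only when both sub-rules match; both are defined outside this listing. | |
 | # NOTE(review): going by the names, these look like an X-Mailer check and a | |
 | # MimeOLE check for the same client fingerprint -- confirm. | |
328 | meta AXB_XMAILER_MIMEOLE_OL_1ECD5 (__AXB_XM_OL_1ECD5 && __AXB_MO_OL_1ECD5) | |
329 | describe AXB_XMAILER_MIMEOLE_OL_1ECD5 Yet another X header trait | |
 | # The closing marker sits on its own line, like every other block in this file, | |
 | # so tools that read the ##{ ... ##} markers line by line can find it. | |
 | ##} AXB_XMAILER_MIMEOLE_OL_1ECD5 | |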
330 | ||
331 | ##{ BANKING_LAWS | |
332 | ||
333 | body BANKING_LAWS /banking laws/i | |
334 | describe BANKING_LAWS Talks about banking laws | |
335 | ##} BANKING_LAWS | |
336 | ||
337 | ##{ BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
338 | ||
339 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
340 | body BASE64_LENGTH_78_79 eval:check_base64_length('78','79') | |
341 | endif | |
342 | ##} BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
343 | ||
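344 | ##{ BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
345 | ||
346 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
 | # This description ("78 or 79 characters") matches the sibling rule | |
 | # BASE64_LENGTH_78_79, whose check is check_base64_length('78','79') and which | |
 | # has no describe line of its own. It is therefore addressed to that rule. | |
 | # Named BASE64_LENGTH_79_INF it would be superseded by the second describe | |
 | # below. It stays here because the same MIMEEval guard applies. | |
347 | describe BASE64_LENGTH_78_79 base64 encoded email part uses line length of 78 or 79 characters | |
 | # One-argument form of the eval: only '79' is passed, with no second bound. | |
348 | body BASE64_LENGTH_79_INF eval:check_base64_length('79') | |
349 | describe BASE64_LENGTH_79_INF base64 encoded email part uses line length greater than 79 characters | |
350 | endif | |
351 | ##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |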
352 | ||
353 | ##{ BIGNUM_EMAILS_FREEM | |
354 | ||
355 | meta BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS_FREEM | |
356 | describe BIGNUM_EMAILS_FREEM Lots of email addresses/leads, free email account | |
357 | #score BIGNUM_EMAILS_FREEM 3.00 # limit | |
358 | tflags BIGNUM_EMAILS_FREEM publish | |
359 | ##} BIGNUM_EMAILS_FREEM | |
360 | ||
361 | ##{ BIGNUM_EMAILS_MANY | |
362 | ||
363 | meta BIGNUM_EMAILS_MANY __BIGNUM_EMAILS_3 && !__HAS_ERRORS_TO && !__HAS_CAMPAIGNID && !__DATE_LOWER | |
364 | describe BIGNUM_EMAILS_MANY Lots of email addresses/leads, over and over | |
365 | #score BIGNUM_EMAILS_MANY 3.00 # limit | |
366 | tflags BIGNUM_EMAILS_MANY publish | |
367 | ##} BIGNUM_EMAILS_MANY | |
368 | ||
369 | ##{ BITCOIN_BOMB | |
370 | ||
371 | meta BITCOIN_BOMB __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01 | |
372 | describe BITCOIN_BOMB BitCoin + bomb | |
373 | #score BITCOIN_BOMB 3.000 # limit | |
374 | tflags BITCOIN_BOMB publish | |
375 | ##} BITCOIN_BOMB | |
376 | ||
377 | ##{ BITCOIN_DEADLINE | |
378 | ||
379 | meta BITCOIN_DEADLINE __BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01 | |
380 | describe BITCOIN_DEADLINE BitCoin with a deadline | |
381 | #score BITCOIN_DEADLINE 3.000 # limit | |
382 | tflags BITCOIN_DEADLINE publish | |
383 | ##} BITCOIN_DEADLINE | |
384 | ||
385 | ##{ BITCOIN_EXTORT_01 | |
386 | ||
 | # Requires both __BITCOIN_ID and __EXTORT_MANY. The negated group is an AND of | |
 | # five sub-rules, so the rule is suppressed only when all five match together; | |
 | # any four of them do not suppress it. | |
 | # Other rules in this file negate this one (BITCOIN_BOMB, BITCOIN_DEADLINE, | |
 | # BITCOIN_MALWARE, BITCOIN_ONAN, BITCOIN_PAY_ME, BITCOIN_YOUR_INFO), so any | |
 | # change to this expression also changes when those rules fire. | |
387 | meta BITCOIN_EXTORT_01 (__BITCOIN_ID && __EXTORT_MANY) && !( __FROM_FULL_NAME && __SENDER_BOT && __SINGLE_WORD_LINE && __MIME_HTML && __PHPMAILER_MUA ) | |
388 | describe BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin | |
 | # The score line below is commented out, so this block assigns no score itself. | |
389 | #score BITCOIN_EXTORT_01 5.000 # limit | |
390 | tflags BITCOIN_EXTORT_01 publish | |
391 | ##} BITCOIN_EXTORT_01 | |
392 | ||
393 | ##{ BITCOIN_EXTORT_02 | |
394 | ||
395 | meta BITCOIN_EXTORT_02 __OBFU_BITCOIN_NOID && __EXTORT_MANY | |
396 | describe BITCOIN_EXTORT_02 Extortion spam, pay via BitCoin | |
397 | #score BITCOIN_EXTORT_02 5.000 # limit | |
398 | tflags BITCOIN_EXTORT_02 publish | |
399 | ##} BITCOIN_EXTORT_02 | |
400 | ||
401 | ##{ BITCOIN_IMGUR | |
402 | ||
403 | meta BITCOIN_IMGUR __BITCOIN_IMGUR | |
404 | describe BITCOIN_IMGUR Bitcoin + hosted image | |
405 | #score BITCOIN_IMGUR 3.500 # limit | |
406 | tflags BITCOIN_IMGUR publish | |
407 | ##} BITCOIN_IMGUR | |
408 | ||
409 | ##{ BITCOIN_MALF_HTML | |
410 | ||
411 | meta BITCOIN_MALF_HTML HTML_EXTRA_CLOSE && (__BITCOIN || __BITCOIN_ID) | |
412 | describe BITCOIN_MALF_HTML Bitcoin + malformed HTML | |
413 | #score BITCOIN_MALF_HTML 3.500 # limit | |
414 | ##} BITCOIN_MALF_HTML | |
415 | ||
416 | ##{ BITCOIN_MALWARE | |
417 | ||
418 | meta BITCOIN_MALWARE __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED | |
419 | describe BITCOIN_MALWARE BitCoin + malware bragging | |
420 | #score BITCOIN_MALWARE 3.500 # limit | |
421 | tflags BITCOIN_MALWARE publish | |
422 | ##} BITCOIN_MALWARE | |
423 | ||
424 | ##{ BITCOIN_OBFU_SUBJ | |
425 | ||
426 | meta BITCOIN_OBFU_SUBJ __BITCOIN_OBFU_SUBJ && !__128_ALNUM_URI | |
427 | describe BITCOIN_OBFU_SUBJ Bitcoin + obfuscated subject | |
428 | #score BITCOIN_OBFU_SUBJ 3.500 # limit | |
429 | tflags BITCOIN_OBFU_SUBJ publish | |
430 | ##} BITCOIN_OBFU_SUBJ | |
431 | ||
432 | ##{ BITCOIN_ONAN | |
433 | ||
434 | meta BITCOIN_ONAN __BITCOIN_ID && __YOUR_ONAN && __KHOP_NO_FULL_NAME && !BITCOIN_EXTORT_01 | |
435 | describe BITCOIN_ONAN BitCoin + [censored] | |
436 | #score BITCOIN_ONAN 3.000 # limit | |
437 | tflags BITCOIN_ONAN publish | |
438 | ##} BITCOIN_ONAN | |
439 | ||
440 | ##{ BITCOIN_PAY_ME | |
441 | ||
442 | meta BITCOIN_PAY_ME __BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01 | |
443 | describe BITCOIN_PAY_ME Pay me via BitCoin | |
444 | #score BITCOIN_PAY_ME 3.000 # limit | |
445 | tflags BITCOIN_PAY_ME publish | |
446 | ##} BITCOIN_PAY_ME | |
447 | ||
448 | ##{ BITCOIN_SPAM_01 | |
449 | ||
450 | meta BITCOIN_SPAM_01 __BITCOIN_ID && HTML_MIME_NO_HTML_TAG | |
451 | describe BITCOIN_SPAM_01 BitCoin spam pattern 01 | |
452 | #score BITCOIN_SPAM_01 2.500 # limit | |
453 | tflags BITCOIN_SPAM_01 publish | |
454 | ##} BITCOIN_SPAM_01 | |
455 | ||
456 | ##{ BITCOIN_SPAM_02 | |
457 | ||
458 | meta BITCOIN_SPAM_02 __BITCOIN_SPAM_02 && !__URL_BTC_ID | |
459 | describe BITCOIN_SPAM_02 BitCoin spam pattern 02 | |
460 | #score BITCOIN_SPAM_02 2.500 # limit | |
461 | tflags BITCOIN_SPAM_02 publish | |
462 | ##} BITCOIN_SPAM_02 | |
463 | ||
464 | ##{ BITCOIN_SPAM_03 | |
465 | ||
466 | meta BITCOIN_SPAM_03 __BITCOIN_ID && __SINGLE_WORD_SUBJ | |
467 | describe BITCOIN_SPAM_03 BitCoin spam pattern 03 | |
468 | #score BITCOIN_SPAM_03 2.500 # limit | |
469 | tflags BITCOIN_SPAM_03 publish | |
470 | ##} BITCOIN_SPAM_03 | |
471 | ||
472 | ##{ BITCOIN_SPAM_04 | |
473 | ||
474 | meta BITCOIN_SPAM_04 __BITCOIN_ID && __freemail_hdr_replyto | |
475 | describe BITCOIN_SPAM_04 BitCoin spam pattern 04 | |
476 | #score BITCOIN_SPAM_04 1.500 # limit | |
477 | tflags BITCOIN_SPAM_04 publish | |
478 | ##} BITCOIN_SPAM_04 | |
479 | ||
480 | ##{ BITCOIN_SPAM_05 | |
481 | ||
482 | meta BITCOIN_SPAM_05 __BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TO | |
483 | describe BITCOIN_SPAM_05 BitCoin spam pattern 05 | |
484 | #score BITCOIN_SPAM_05 2.500 # limit | |
485 | tflags BITCOIN_SPAM_05 net publish | |
486 | ##} BITCOIN_SPAM_05 | |
487 | ||
488 | ##{ BITCOIN_SPAM_06 | |
489 | ||
490 | meta BITCOIN_SPAM_06 __BITCOIN_ID && TVD_RCVD_SPACE_BRACKET | |
491 | describe BITCOIN_SPAM_06 BitCoin spam pattern 06 | |
492 | #score BITCOIN_SPAM_06 1.500 # limit | |
493 | tflags BITCOIN_SPAM_06 publish | |
494 | ##} BITCOIN_SPAM_06 | |
495 | ||
496 | ##{ BITCOIN_SPAM_07 | |
497 | ||
498 | meta BITCOIN_SPAM_07 __BITCOIN_SPAM_07 && !__DKIM_EXISTS | |
499 | describe BITCOIN_SPAM_07 BitCoin spam pattern 07 | |
500 | #score BITCOIN_SPAM_07 3.500 # limit | |
501 | tflags BITCOIN_SPAM_07 publish | |
502 | ##} BITCOIN_SPAM_07 | |
503 | ||
504 | ##{ BITCOIN_SPAM_08 | |
505 | ||
506 | meta BITCOIN_SPAM_08 __BITCOIN_ID && __TO_IN_SUBJ | |
507 | describe BITCOIN_SPAM_08 BitCoin spam pattern 08 | |
508 | #score BITCOIN_SPAM_08 2.500 # limit | |
509 | tflags BITCOIN_SPAM_08 publish | |
510 | ##} BITCOIN_SPAM_08 | |
511 | ||
512 | ##{ BITCOIN_SPAM_09 | |
513 | ||
514 | meta BITCOIN_SPAM_09 __BITCOIN_ID && ( __DESTROY_ME || __DESTROY_YOU ) | |
515 | describe BITCOIN_SPAM_09 BitCoin spam pattern 09 | |
516 | #score BITCOIN_SPAM_09 1.500 # limit | |
517 | tflags BITCOIN_SPAM_09 publish | |
518 | ##} BITCOIN_SPAM_09 | |
519 | ||
520 | ##{ BITCOIN_SPAM_10 | |
521 | ||
522 | meta BITCOIN_SPAM_10 __BITCOIN_ID && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 ) | |
523 | describe BITCOIN_SPAM_10 BitCoin spam pattern 10 | |
524 | #score BITCOIN_SPAM_10 2.500 # limit | |
525 | tflags BITCOIN_SPAM_10 publish | |
526 | ##} BITCOIN_SPAM_10 | |
527 | ||
528 | ##{ BITCOIN_SPAM_11 | |
529 | ||
530 | meta BITCOIN_SPAM_11 __BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFU | |
531 | describe BITCOIN_SPAM_11 BitCoin spam pattern 11 | |
532 | #score BITCOIN_SPAM_11 2.500 # limit | |
533 | tflags BITCOIN_SPAM_11 publish | |
534 | ##} BITCOIN_SPAM_11 | |
535 | ||
536 | ##{ BITCOIN_SPAM_12 | |
537 | ||
538 | meta BITCOIN_SPAM_12 __BITCOIN_ID && __BOGUS_MIME_HDR_MANY | |
539 | describe BITCOIN_SPAM_12 BitCoin spam pattern 12 | |
540 | #score BITCOIN_SPAM_12 2.500 # limit | |
541 | tflags BITCOIN_SPAM_12 publish | |
542 | ##} BITCOIN_SPAM_12 | |
543 | ||
544 | ##{ BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
545 | ||
546 | if (version >= 3.004001) | |
547 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
548 | meta BITCOIN_SPF_ONLYALL __PDS_SPF_ONLYALL && __BITCOIN_ID | |
549 | tflags BITCOIN_SPF_ONLYALL net publish | |
550 | describe BITCOIN_SPF_ONLYALL Bitcoin from a domain specifically set to pass +all SPF | |
551 | #score BITCOIN_SPF_ONLYALL 2.0 # limit | |
552 | endif | |
553 | endif | |
554 | ##} BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
555 | ||
556 | ##{ BITCOIN_WFH_01 | |
557 | ||
558 | meta BITCOIN_WFH_01 __BITCOIN_WFH_01 | |
559 | describe BITCOIN_WFH_01 Work-from-Home + bitcoin | |
560 | tflags BITCOIN_WFH_01 publish | |
561 | ##} BITCOIN_WFH_01 | |
562 | ||
563 | ##{ BITCOIN_XPRIO | |
564 | ||
565 | meta BITCOIN_XPRIO __BITCOIN_XPRIO && !__ML1 && !__HAS_SENDER && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY | |
566 | describe BITCOIN_XPRIO Bitcoin + priority | |
567 | #score BITCOIN_XPRIO 2.500 # limit | |
568 | ##} BITCOIN_XPRIO | |
569 | ||
570 | ##{ BITCOIN_YOUR_INFO | |
571 | ||
572 | meta BITCOIN_YOUR_INFO __BITCOIN_ID && __YOUR_PERSONAL && !BITCOIN_EXTORT_01 | |
573 | describe BITCOIN_YOUR_INFO BitCoin with your personal info | |
574 | #score BITCOIN_YOUR_INFO 3.000 # limit | |
575 | tflags BITCOIN_YOUR_INFO publish | |
576 | ##} BITCOIN_YOUR_INFO | |
577 | ||
578 | ##{ BODY_EMPTY | |
579 | ||
580 | meta BODY_EMPTY __EMPTY_BODY && !ALL_TRUSTED && !__MIME_ATTACHMENT && !__HAS_THREAD_INDEX && !__TO_EQ_FROM_DOM && !NO_RELAYS && !__PDF_ATTACH && !__HDR_RCVD_GOOGLE && !__MSGID_APPLEMAIL && !__XM_IPHONEMAIL | |
581 | describe BODY_EMPTY No body text in message | |
582 | #score BODY_EMPTY 2.00 # limit | |
583 | ##} BODY_EMPTY | |
584 | ||
585 | ##{ BODY_SINGLE_URI | |
586 | ||
587 | meta BODY_SINGLE_URI __BODY_SINGLE_URI && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP && !__VIA_ML | |
588 | describe BODY_SINGLE_URI Message body is only a URI | |
589 | #score BODY_SINGLE_URI 2.500 # limit | |
590 | ##} BODY_SINGLE_URI | |
591 | ||
592 | ##{ BODY_SINGLE_WORD | |
593 | ||
594 | meta BODY_SINGLE_WORD __BODY_SINGLE_WORD && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP | |
595 | describe BODY_SINGLE_WORD Message body is only one word (no spaces) | |
596 | #score BODY_SINGLE_WORD 2.500 # limit | |
597 | ##} BODY_SINGLE_WORD | |
598 | ||
599 | ##{ BODY_URI_ONLY | |
600 | ||
601 | meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV | |
602 | describe BODY_URI_ONLY Message body is only a URI in one line of text or for an image | |
603 | #score BODY_URI_ONLY 3.000 # limit | |
604 | tflags BODY_URI_ONLY publish | |
605 | ##} BODY_URI_ONLY | |
606 | ||
607 | ##{ BOGUS_MIME_VERSION | |
608 | ||
609 | meta BOGUS_MIME_VERSION __BOGUS_MIME_VER_02 || __MALF_MIME_VER | |
610 | #score BOGUS_MIME_VERSION 3.500 # limit | |
611 | describe BOGUS_MIME_VERSION Mime version header is bogus | |
612 | tflags BOGUS_MIME_VERSION publish | |
613 | ##} BOGUS_MIME_VERSION | |
614 | ||
615 | ##{ BOGUS_MSM_HDRS | |
616 | ||
617 | meta BOGUS_MSM_HDRS __BOGUS_MSM_HDRS | |
618 | describe BOGUS_MSM_HDRS Apparently bogus Microsoft email headers | |
619 | #score BOGUS_MSM_HDRS 3.000 # limit | |
620 | tflags BOGUS_MSM_HDRS publish | |
621 | ##} BOGUS_MSM_HDRS | |
622 | ||
623 | ##{ BOMB_FREEM | |
624 | ||
625 | meta BOMB_FREEM __EXPLOSIVE_DEVICE && __freemail_hdr_replyto | |
626 | describe BOMB_FREEM Bomb + freemail | |
627 | #score BOMB_FREEM 2.000 # limit | |
628 | tflags BOMB_FREEM publish | |
629 | ##} BOMB_FREEM | |
630 | ||
631 | ##{ BOMB_MONEY | |
632 | ||
633 | meta BOMB_MONEY __EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW || __ADVANCE_FEE_4_NEW || __ADVANCE_FEE_5_NEW ) | |
634 | describe BOMB_MONEY Bomb + money: bomb threat? | |
635 | #score BOMB_MONEY 2.500 # limit | |
636 | tflags BOMB_MONEY publish | |
637 | ##} BOMB_MONEY | |
638 | ||
639 | ##{ BTC_ORG | |
640 | ||
 | # The description (and the commented-out score) are unconditional. The meta | |
 | # expression itself is defined twice below, under mutually exclusive plugin | |
 | # guards, so exactly one definition is active on a given installation. | |
641 | describe BTC_ORG Bitcoin wallet ID + unusual header | |
642 | #score BTC_ORG 2.500 # limit | |
643 | ##} BTC_ORG | |
644 | ||
645 | ##{ BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
646 | ||
 | # Variant used when the DKIM plugin is not loaded: it has no signature-based | |
 | # exclusion, so on such installations the rule can also fire on mail that | |
 | # carries a DKIM signature. | |
647 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
648 | meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST | |
649 | endif | |
650 | ##} BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
651 | ||
652 | ##{ BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM | |
653 | ||
 | # Variant used when the DKIM plugin is loaded: same expression with the extra | |
 | # term !DKIM_SIGNED, so signed messages are excluded. | |
654 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
655 | meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED | |
656 | endif | |
657 | ##} BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM | |
658 | ||
659 | ##{ BUG6152_INVALID_DATE_TZ_ABSURD | |
660 | ||
 | # Matches a Date header containing a sign followed by four digits, unless | |
 | # those digits read as hours 00-14 followed by minutes 00, 30, 15 or 45. | |
 | # Constructed examples: "+1500" and "-0520" match, "+0530" does not. | |
 | # The pattern is not anchored, so any sign-plus-four-digit run in the header | |
 | # value is tested, not only the trailing zone field. | |
 | # This block carries no describe, score or tflags line. | |
661 | header BUG6152_INVALID_DATE_TZ_ABSURD Date =~ /[-+](?!(?:0\d|1[0-4])(?:[03]0|[14]5))\d{4}/ | |
662 | ##} BUG6152_INVALID_DATE_TZ_ABSURD | |
663 | ||
664 | ##{ BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
665 | ||
666 | if (version >= 3.004002) | |
667 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
668 | meta BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD | |
669 | tflags BULK_RE_SUSP_NTLD publish | |
670 | describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD | |
671 | #score BULK_RE_SUSP_NTLD 1.0 # limit | |
672 | endif | |
673 | endif | |
674 | ##} BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
675 | ||
676 | ##{ CANT_SEE_AD | |
677 | ||
678 | meta CANT_SEE_AD (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB | |
679 | describe CANT_SEE_AD You really want to see our spam. | |
680 | #score CANT_SEE_AD 2.500 # limit | |
681 | tflags CANT_SEE_AD publish | |
682 | ##} CANT_SEE_AD | |
683 | ||
684 | ##{ CK_HELO_GENERIC | |
685 | ||
 | # The pattern is anchored at the start and [^\]]+ cannot cross a "]", so only | |
 | # the text before the first "]" is examined -- presumably the first relay | |
 | # entry of X-Spam-Relays-Untrusted; confirm against the header format. | |
 | # Within that entry the helo= value must contain one of pool, dyna, lease, | |
 | # dial, dip or static (case-insensitive) and two digit runs separated by | |
 | # non-digit, non-space characters. | |
 | # " auth= " must be followed directly by a space -- presumably an empty auth | |
 | # field, i.e. an unauthenticated relay; confirm. | |
 | # NOTE(review): the description mentions a generic rPTR, but the regex tests | |
 | # the helo= field. The HELO name is chosen by the connecting client, so a | |
 | # match is a weak hint, in line with the low commented-out score. | |
686 | header CK_HELO_GENERIC X-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?=\S*(?:pool|dyna|lease|dial|dip|static))\S*\d+[^\d\s]+\d+[^\]]+ auth= /i | |
687 | describe CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or Generic rPTR | |
688 | #score CK_HELO_GENERIC 0.25 | |
689 | ##} CK_HELO_GENERIC | |
690 | ||
691 | ##{ CN_B2B_SPAMMER | |
692 | ||
693 | body CN_B2B_SPAMMER /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i | |
694 | describe CN_B2B_SPAMMER Chinese company introducing itself | |
695 | tflags CN_B2B_SPAMMER publish | |
696 | ##} CN_B2B_SPAMMER | |
697 | ||
698 | ##{ COMMENT_GIBBERISH | |
699 | ||
700 | meta COMMENT_GIBBERISH __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT | |
701 | describe COMMENT_GIBBERISH Nonsense in long HTML comment | |
702 | #score COMMENT_GIBBERISH 1.50 # limit | |
703 | tflags COMMENT_GIBBERISH publish | |
704 | ##} COMMENT_GIBBERISH | |
705 | ||
706 | ##{ COMPENSATION | |
707 | ||
# COMPENSATION is assembled from three sections. The describe line and the
# commented-out score hint here are unconditional; the two sections that
# follow each define the meta expression, and only one of them is active
# depending on whether the DKIM plugin is loaded.
708 | describe COMPENSATION "Compensation" | |
709 | #score COMPENSATION 1.50 # limit | |
710 | ##} COMPENSATION | |
711 | ||
712 | ##{ COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
713 | ||
# Variant used when the DKIM plugin is NOT loaded: __COMPENSATION must hit and
# none of the listed exclusion sub-rules may hit. All "__" sub-rules are
# defined outside this section.
# NOTE(review): this variant still excludes on __DKIM_EXISTS. If that sub-rule
# only tests for the presence of a DKIM-Signature header (definition not
# shown), an unverified signature is enough to suppress the rule - confirm.
714 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
715 | meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD | |
716 | endif | |
717 | ##} COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
718 | ||
719 | ##{ COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM | |
720 | ||
# Variant used when the DKIM plugin IS loaded: the same expression as the
# non-DKIM variant with one additional exclusion, !__DKIM_DEPENDABLE.
721 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
722 | meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__DKIM_DEPENDABLE | |
723 | endif | |
724 | ##} COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM | |
725 | ||
726 | ##{ CONTENT_AFTER_HTML | |
727 | ||
728 | meta CONTENT_AFTER_HTML __CONTENT_AFTER_HTML && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !__RCD_RDNS_MTA_MESSY && !__URI_DOTGOV | |
729 | describe CONTENT_AFTER_HTML More content after HTML close tag | |
730 | #score CONTENT_AFTER_HTML 2.500 # limit | |
731 | tflags CONTENT_AFTER_HTML publish | |
732 | ##} CONTENT_AFTER_HTML | |
733 | ||
734 | ##{ CORRUPT_FROM_LINE_IN_HDRS | |
735 | ||
# Informational rule (see the describe text): it hits only when all four
# conditions hold at once - MISSING_HEADERS, __BODY_STARTS_WITH_FROM_LINE,
# MISSING_DATE and NO_RELAYS. The commented-out score hint is 0.001, so a hit
# is meant as a marker rather than as spam evidence.
# NOTE(review): tflags also carries "userconf"; why this rule needs it is not
# evident from this section.
736 | meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS) | |
737 | describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers | |
738 | tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish | |
739 | #score CORRUPT_FROM_LINE_IN_HDRS 0.001 | |
740 | ##} CORRUPT_FROM_LINE_IN_HDRS | |
741 | ||
742 | ##{ CTE_8BIT_MISMATCH | |
743 | ||
# Combines sub-rules defined elsewhere: __CT_TEXT_PLAIN and __L_BODY_8BITS
# must both hit, and either __CTE must be false or __L_CTE_7BIT must be true.
# NOTE(review): the describe text covers only the "header says 7bit" case.
# Going by its name, the !__CTE branch also covers a message with no
# Content-Transfer-Encoding header at all - confirm against the sub-rule
# definitions.
744 | meta CTE_8BIT_MISMATCH (__CT_TEXT_PLAIN && (!__CTE || __L_CTE_7BIT) && __L_BODY_8BITS) | |
745 | describe CTE_8BIT_MISMATCH Header says 7bits but body disagrees | |
746 | #score CTE_8BIT_MISMATCH 1 | |
747 | tflags CTE_8BIT_MISMATCH publish | |
748 | ##} CTE_8BIT_MISMATCH | |
749 | ||
750 | ##{ CTYPE_001C_A | |
751 | ||
# The expression is the constant (0), so this meta can never hit. The rule
# name is kept defined, marked obsolete by the trailing comment.
752 | meta CTYPE_001C_A (0) # obsolete | |
753 | ##} CTYPE_001C_A | |
754 | ||
755 | ##{ CTYPE_001C_B | |
756 | ||
757 | header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/ | |
758 | ##} CTYPE_001C_B | |
759 | ||
760 | ##{ CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
761 | ||
# Only defined when the MIMEHeader plugin is loaded. The test runs against the
# raw Content-Type of a MIME part (":raw" keeps the header folding), and the
# pattern requires "image/gif;" followed by a line break, exactly eight
# spaces, and a quoted name="..." parameter running to the end of the value.
# The /s modifier lets "." match across line breaks inside the quoted name.
762 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
763 | mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s | |
764 | describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc) | |
765 | endif | |
766 | ##} CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
767 | ||
768 | ##{ CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
769 | ||
770 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
771 | meta CTYPE_NULL __CTYPE_NULL | |
772 | describe CTYPE_NULL Malformed Content-Type header | |
773 | endif | |
774 | ##} CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
775 | ||
776 | ##{ CURR_PRICE | |
777 | ||
778 | body CURR_PRICE /\bCurrent Price:/ | |
779 | ##} CURR_PRICE | |
780 | ||
781 | ##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
782 | ||
# Only defined when the running SpamAssassin reports the capability
# feature_bug6558_free. The meta compares the sub-rule numerically and hits
# when its value is at least 3.
# NOTE(review): __DAY_I_EARNED is defined elsewhere; for ">= 3" to be
# reachable it presumably counts multiple matches per message - confirm.
783 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
784 | meta DAY_I_EARNED __DAY_I_EARNED >= 3 | |
785 | # score DAY_I_EARNED 3.000 # limit | |
786 | describe DAY_I_EARNED Work-at-home spam | |
787 | tflags DAY_I_EARNED publish | |
788 | endif | |
789 | ##} DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
790 | ||
791 | ##{ DEAR_BENEFICIARY | |
792 | ||
793 | body DEAR_BENEFICIARY /\b(?:De[ae]r\s|At+(?:ention|n):?\s?)(?:\S+\s)?Ben[ei]ficiary\b/i | |
794 | describe DEAR_BENEFICIARY Dear Beneficiary: | |
795 | ##} DEAR_BENEFICIARY | |
796 | ||
797 | ##{ DEAR_WINNER | |
798 | ||
799 | body DEAR_WINNER /\bdear.{1,20}winner/i | |
800 | describe DEAR_WINNER Spam with generic salutation of "dear winner" | |
801 | ##} DEAR_WINNER | |
802 | ||
803 | ##{ DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
804 | ||
# Only defined when the AskDNS plugin is loaded. Published wrapper around the
# sub-rule __DKIMWL_WL_BL (defined elsewhere); per the describe text it marks
# senders that DKIMwl.org lists as blocked. "tflags net" marks it as a network
# test, so it is skipped when network checks are disabled.
# The commented-out score hint caps it at 3.0.
805 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
806 | meta DKIMWL_BL __DKIMWL_WL_BL | |
807 | tflags DKIMWL_BL net publish | |
808 | describe DKIMWL_BL DKIMwl.org - Blocked sender | |
809 | #score DKIMWL_BL 3.0 # limit | |
810 | endif | |
811 | ##} DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
812 | ||
813 | ##{ DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
814 | ||
# Operational notice rather than a spam signal: per the describe text it hits
# when the DKIMWL.org lookup itself was refused. The score hint is 0.001, so
# it is there to surface the condition in reports.
# NOTE(review): while this rule is hitting, the other DKIMWL_* rules
# presumably get no usable answer, so both their positive and negative score
# adjustments would be missing - worth alerting on.
815 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
816 | meta DKIMWL_BLOCKED __DKIMWL_BLOCKED | |
817 | tflags DKIMWL_BLOCKED net publish | |
818 | describe DKIMWL_BLOCKED ADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. | |
819 | #score DKIMWL_BLOCKED 0.001 # limit | |
820 | endif | |
821 | ##} DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
822 | ||
823 | ##{ DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
824 | ||
# "nice" network rule: a hit lowers the spam score (the commented-out hint is
# -3.0). It hits when __DKIMWL_WL_HI hits and the message is not flagged by
# any of FREEMAIL_FROM, FREEMAIL_REPLYTO, FREEMAIL_FORGED_REPLYTO,
# __DKIMWL_FREEMAIL or __DKIMWL_BULKMAIL.
# NOTE(review): the credit rests on an answer from a third-party DNS list and
# on __DKIMWL_WL_HI, which is not shown; confirm that sub-rule is only
# evaluated for mail carrying a valid DKIM signature, since the rule subtracts
# score.
825 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
826 | meta DKIMWL_WL_HIGH __DKIMWL_WL_HI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL || __DKIMWL_BULKMAIL) | |
827 | tflags DKIMWL_WL_HIGH net nice publish | |
828 | describe DKIMWL_WL_HIGH DKIMwl.org - High trust sender | |
829 | #score DKIMWL_WL_HIGH -3.0 # limit | |
830 | endif | |
831 | ##} DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
832 | ||
833 | ##{ DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
834 | ||
# "nice" network rule with a commented-out score hint of -0.5. It hits when
# __DKIMWL_WL_MED hits and none of the freemail indicators in the negated
# group does.
# NOTE(review): unlike DKIMWL_WL_HIGH, the exclusion group here has no
# __DKIMWL_BULKMAIL term - confirm that is intended.
835 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
836 | meta DKIMWL_WL_MED __DKIMWL_WL_MED && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL) | |
837 | tflags DKIMWL_WL_MED net nice publish | |
838 | describe DKIMWL_WL_MED DKIMwl.org - Medium trust sender | |
839 | #score DKIMWL_WL_MED -0.5 # limit | |
840 | endif | |
841 | ##} DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
842 | ||
843 | ##{ DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
844 | ||
# "nice" network rule with a commented-out score hint of -1.0. It hits when
# __DKIMWL_WL_MEDHI hits and none of the freemail indicators in the negated
# group does.
# NOTE(review): unlike DKIMWL_WL_HIGH, the exclusion group here has no
# __DKIMWL_BULKMAIL term - confirm that is intended.
845 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
846 | meta DKIMWL_WL_MEDHI __DKIMWL_WL_MEDHI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL) | |
847 | tflags DKIMWL_WL_MEDHI net nice publish | |
848 | describe DKIMWL_WL_MEDHI DKIMwl.org - Medium-high trust sender | |
849 | #score DKIMWL_WL_MEDHI -1.0 # limit | |
850 | endif | |
851 | ##} DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
852 | ||
853 | ##{ DOS_ANAL_SPAM_MAILER | |
854 | ||
855 | header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/ | |
856 | describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam | |
857 | tflags DOS_ANAL_SPAM_MAILER publish | |
858 | ##} DOS_ANAL_SPAM_MAILER | |
859 | ||
860 | ##{ DOS_DEREK_AUG08 | |
861 | ||
862 | meta DOS_DEREK_AUG08 __DOS_SINGLE_EXT_RELAY && __DOS_HAS_ANY_URI && __NAKED_TO && __LAST_UNTRUSTED_RELAY_NO_AUTH && SPF_PASS && __TVD_MIME_ATT_TP && __CT_TEXT_PLAIN && (__DOS_MSGID_DIGITS9 || __DOS_MSGID_DIGITS10) | |
863 | ##} DOS_DEREK_AUG08 | |
864 | ||
865 | ##{ DOS_FIX_MY_URI | |
866 | ||
867 | meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK | |
868 | describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam | |
869 | ##} DOS_FIX_MY_URI | |
870 | ||
871 | ##{ DOS_HIGH_BAT_TO_MX | |
872 | ||
873 | meta DOS_HIGH_BAT_TO_MX __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA | |
874 | describe DOS_HIGH_BAT_TO_MX The Bat! Direct to MX with High Bits | |
875 | ##} DOS_HIGH_BAT_TO_MX | |
876 | ||
877 | ##{ DOS_LET_GO_JOB | |
878 | ||
879 | meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME | |
880 | describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough! | |
881 | ##} DOS_LET_GO_JOB | |
882 | ||
883 | ##{ DOS_OE_TO_MX | |
884 | ||
# Hits when __OE_MUA and __DOS_DIRECT_TO_MX both hit and DOS_OE_TO_MX_IMAGE
# does not. DOS_OE_TO_MX_IMAGE is the same pair plus __ANY_IMAGE_ATTACH, so
# the negation makes the two rules mutually exclusive and a message with an
# image is counted only under the _IMAGE rule.
885 | meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE | |
886 | describe DOS_OE_TO_MX Delivered direct to MX with OE headers | |
887 | ##} DOS_OE_TO_MX | |
888 | ||
889 | ##{ DOS_OE_TO_MX_IMAGE | |
890 | ||
891 | meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH | |
892 | describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image | |
893 | ##} DOS_OE_TO_MX_IMAGE | |
894 | ||
895 | ##{ DOS_OUTLOOK_TO_MX | |
896 | ||
# Outlook counterpart of DOS_OE_TO_MX: requires __ANY_OUTLOOK_MUA without
# __OE_MUA, plus __DOS_DIRECT_TO_MX, and is suppressed when the image variant
# hits.
# NOTE(review): the excluded rule is spelled T_DOS_OUTLOOK_TO_MX_IMAGE (the
# T_ prefix is used for rules still in testing), whereas DOS_OE_TO_MX excludes
# the un-prefixed DOS_OE_TO_MX_IMAGE. The T_ rule is not defined in this part
# of the file; confirm it still exists under that name, otherwise the
# exclusion never applies.
897 | meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE | |
898 | describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers | |
899 | ##} DOS_OUTLOOK_TO_MX | |
900 | ||
901 | ##{ DOS_RCVD_IP_TWICE_C | |
902 | ||
# Tests the X-Spam-Relays-External pseudo-header. The pattern is anchored at
# both ends and matches exactly two relay entries: the first has an ip= value
# that does not start with "127" and a helo= value that is either empty or
# dotted digits wrapped in "!" marks; the second must carry the same ip=
# (backreference \1, followed by a space so the whole address has to match).
# Only dotted-digit (IPv4-style) addresses can match, because the capture is
# [\d.]+.
903 | header DOS_RCVD_IP_TWICE_C X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=(?:![\d.]{7,15}!)? [^\[]*\[ ip=\1 [^\]]*\]\s*$/ | |
904 | describe DOS_RCVD_IP_TWICE_C Received from the same IP twice in a row (only one external relay; empty or IP helo) | |
905 | ##} DOS_RCVD_IP_TWICE_C | |
906 | ||
907 | ##{ DOS_STOCK_BAT | |
908 | ||
909 | meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS) | |
910 | describe DOS_STOCK_BAT Probable pump and dump stock spam | |
911 | ##} DOS_STOCK_BAT | |
912 | ||
913 | ##{ DOS_STOCK_BAT2 | |
914 | ||
# Stricter tier on top of DOS_STOCK_BAT: that rule must hit, and the
# arithmetic sum of the three listed sub-rules must exceed 2. If each sub-rule
# contributes at most 1 per message, that means all three have to hit.
# This section carries no describe, tflags or score hint.
915 | meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2) | |
916 | ##} DOS_STOCK_BAT2 | |
917 | ||
918 | ##{ DOS_URI_ASTERISK | |
919 | ||
# Matches an http:// or https:// URI (scheme letters in either case) whose
# host part contains "*" in the last label before a 2-3 letter TLD, or
# directly in front of that TLD. An optional two-letter second-level suffix is
# allowed, and the host must end at end-of-string, ":" or "/". At least one
# character must precede the asterisk ([^/:]+).
# "*" is not a valid hostname character, so such a host cannot resolve as
# written.
920 | uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)} | |
921 | describe DOS_URI_ASTERISK Found an asterisk in a URI | |
922 | ##} DOS_URI_ASTERISK | |
923 | ||
924 | ##{ DOS_YOUR_PLACE | |
925 | ||
926 | meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL)) | |
927 | describe DOS_YOUR_PLACE Russian dating spam | |
928 | ##} DOS_YOUR_PLACE | |
929 | ||
930 | ##{ DOTGOV_IMAGE | |
931 | ||
932 | meta DOTGOV_IMAGE __DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYS | |
933 | describe DOTGOV_IMAGE .gov URI + hosted image | |
934 | #score DOTGOV_IMAGE 3.000 # limit | |
935 | tflags DOTGOV_IMAGE publish | |
936 | ##} DOTGOV_IMAGE | |
937 | ||
938 | ##{ DRUGS_HDIA | |
939 | ||
940 | header DRUGS_HDIA Subject =~ /\bhoodia\b/i | |
941 | describe DRUGS_HDIA Subject mentions "hoodia" | |
942 | ##} DRUGS_HDIA | |
943 | ||
944 | ##{ DSN_NO_MIMEVERSION | |
945 | ||
946 | meta DSN_NO_MIMEVERSION (__BOUNCE_RPATH_NULL && !__MIME_VERSION) | |
947 | describe DSN_NO_MIMEVERSION Return-Path <> and no MIME-Version: header | |
948 | #score DSN_NO_MIMEVERSION 2 | |
949 | ##} DSN_NO_MIMEVERSION | |
950 | ||
951 | ##{ DX_TEXT_02 | |
952 | ||
953 | body DX_TEXT_02 /\b(?:change|modif(?:y|ications?)) (?:of|to|(?:yo)?ur) (?:message|sub|comm) stat/i | |
954 | describe DX_TEXT_02 "change your message stat" | |
955 | tflags DX_TEXT_02 publish | |
956 | ##} DX_TEXT_02 | |
957 | ||
958 | ##{ DX_TEXT_03 | |
959 | ||
960 | body DX_TEXT_03 /\b[A-Z]{3} Media (?:Group|Relations)\b/ | |
961 | describe DX_TEXT_03 "XXX Media Group" | |
962 | tflags DX_TEXT_03 publish | |
963 | ##} DX_TEXT_03 | |
964 | ||
965 | ##{ DYNAMIC_IMGUR | |
966 | ||
967 | meta DYNAMIC_IMGUR __DYNAMIC_IMGUR | |
968 | describe DYNAMIC_IMGUR dynamic IP + hosted image | |
969 | #score DYNAMIC_IMGUR 4.000 # limit | |
970 | tflags DYNAMIC_IMGUR publish | |
971 | ##} DYNAMIC_IMGUR | |
972 | ||
973 | ##{ DYN_RDNS_AND_INLINE_IMAGE | |
974 | ||
975 | meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH) | |
976 | describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS | |
977 | ##} DYN_RDNS_AND_INLINE_IMAGE | |
978 | ||
979 | ##{ DYN_RDNS_SHORT_HELO_HTML | |
980 | ||
981 | meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE) | |
982 | describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML | |
983 | ##} DYN_RDNS_SHORT_HELO_HTML | |
984 | ||
985 | ##{ DYN_RDNS_SHORT_HELO_IMAGE | |
986 | ||
987 | meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH) | |
988 | describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image | |
989 | ##} DYN_RDNS_SHORT_HELO_IMAGE | |
990 | ||
991 | ##{ EBAY_IMG_NOT_RCVD_EBAY | |
992 | ||
# Brand-impersonation heuristic (see the describe text): hits when
# __EBAY_IMG_NOT_RCVD_EBAY hits and none of __URI_MAILTO, __RCD_RDNS_MAIL or
# __DKIM_EXISTS does. All sub-rules are defined elsewhere.
# NOTE(review): if __DKIM_EXISTS only tests for the presence of a
# DKIM-Signature header, a signature from any domain, or one that fails to
# verify, would suppress this rule - confirm against its definition.
993 | meta EBAY_IMG_NOT_RCVD_EBAY __EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTS | |
994 | #score EBAY_IMG_NOT_RCVD_EBAY 3.000 # limit | |
995 | describe EBAY_IMG_NOT_RCVD_EBAY E-bay hosted image but message not from E-bay | |
996 | tflags EBAY_IMG_NOT_RCVD_EBAY publish | |
997 | ##} EBAY_IMG_NOT_RCVD_EBAY | |
998 | ||
999 | ##{ EMRCP | |
1000 | ||
1001 | body EMRCP /\bExcess (?:Maximum )?Return Capital (?:Profits?|Funds?)\b/i | |
1002 | describe EMRCP "Excess Maximum Return Capital Profit" scam | |
1003 | tflags EMRCP publish | |
1004 | ##} EMRCP | |
1005 | ||
1006 | ##{ ENCRYPTED_MESSAGE | |
1007 | ||
# "nice" rule: tflags marks it as a non-spam indicator and the commented-out
# score hint is negative (-1.000), so a hit lowers the spam score.
# NOTE(review): __CT_ENCRYPTED is defined elsewhere; going by its name it keys
# on the declared content type rather than on verified encryption - confirm.
# Body and URI rules cannot inspect encrypted content, so sites that rely on
# content scanning may prefer to neutralise this credit in local.cf.
1008 | meta ENCRYPTED_MESSAGE __CT_ENCRYPTED | |
1009 | describe ENCRYPTED_MESSAGE Message is encrypted, not likely to be spam | |
1010 | #score ENCRYPTED_MESSAGE -1.000 | |
1011 | tflags ENCRYPTED_MESSAGE nice publish | |
1012 | ##} ENCRYPTED_MESSAGE | |
1013 | ||
1014 | ##{ END_FUTURE_EMAILS | |
1015 | ||
# END_FUTURE_EMAILS is assembled from three sections. The describe line and
# the commented-out score hint here are unconditional; the meta expression is
# defined twice below, and only one definition is active depending on whether
# the DKIM plugin is loaded.
1016 | describe END_FUTURE_EMAILS Spammy unsubscribe | |
1017 | #score END_FUTURE_EMAILS 2.500 # limit | |
1018 | ##} END_FUTURE_EMAILS | |
1019 | ||
1020 | ##{ END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
1021 | ||
# Variant used when the DKIM plugin is NOT loaded: __END_FUTURE_EMAILS must
# hit and none of the four header-format exclusion sub-rules may hit.
1022 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
1023 | meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER | |
1024 | endif | |
1025 | ##} END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
1026 | ||
1027 | ##{ END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM | |
1028 | ||
# Variant used when the DKIM plugin IS loaded: the same expression plus two
# DKIM exclusions, !__DKIM_DEPENDABLE and !DKIM_SIGNED.
# NOTE(review): DKIM_SIGNED reports that a signature is present, not that it
# verified, so any signed message is exempt from this rule - confirm that is
# the intended threshold.
1029 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
1030 | meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED | |
1031 | endif | |
1032 | ##} END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM | |
1033 | ||
1034 | ##{ ENVFROM_GOOG_TRIX | |
1035 | ||
1036 | meta ENVFROM_GOOG_TRIX __ENVFROM_GOOG_TRIX_SPAMMY | |
1037 | describe ENVFROM_GOOG_TRIX From suspicious Google subdomain | |
1038 | #score ENVFROM_GOOG_TRIX 3.000 # limit | |
1039 | tflags ENVFROM_GOOG_TRIX publish | |
1040 | ##} ENVFROM_GOOG_TRIX | |
1041 | ||
1042 | ##{ EXCUSE_24 | |
1043 | ||
1044 | body EXCUSE_24 /you(?:'ve|'re| have| are)? receiv(?:e|ed|ing) this (?:advertisement|offer|special|recurring|paid).{0,16}\b(?:by either|because)/i | |
1045 | describe EXCUSE_24 Claims you wanted this ad | |
1046 | ##} EXCUSE_24 | |
1047 | ||
1048 | ##{ FAKE_REPLY_A1 | |
1049 | ||
1050 | meta FAKE_REPLY_A1 (__SUBJ_RE && __MISSING_REPLY && __MISSING_REF && __BOTH_INR_AND_REF) | |
1051 | ##} FAKE_REPLY_A1 | |
1052 | ||
1053 | ##{ FAKE_REPLY_C | |
1054 | ||
1055 | meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF) | |
1056 | ##} FAKE_REPLY_C | |
1057 | ||
1058 | ##{ FBI_MONEY | |
1059 | ||
# Hits when __FBI_SPOOF and LOTS_OF_MONEY both hit. FBI_SPOOF in this file is
# a direct wrapper around the same __FBI_SPOOF sub-rule, so every message that
# hits FBI_MONEY also hits FBI_SPOOF and the two scores add up.
1060 | meta FBI_MONEY __FBI_SPOOF && LOTS_OF_MONEY | |
1061 | describe FBI_MONEY The FBI wants to give you lots of money? | |
1062 | #score FBI_MONEY 2.00 # limit | |
1063 | tflags FBI_MONEY publish | |
1064 | ##} FBI_MONEY | |
1065 | ||
1066 | ##{ FBI_SPOOF | |
1067 | ||
1068 | meta FBI_SPOOF __FBI_SPOOF | |
1069 | describe FBI_SPOOF Claims to be FBI, but not from FBI domain | |
1070 | #score FBI_SPOOF 2.00 # limit | |
1071 | tflags FBI_SPOOF publish | |
1072 | ##} FBI_SPOOF | |
1073 | ||
1074 | ##{ FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1075 | ||
1076 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1077 | meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML | |
1078 | describe FILL_THIS_FORM Fill in a form with personal information | |
1079 | tflags FILL_THIS_FORM publish | |
1080 | endif | |
1081 | ##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1082 | ||
1083 | ##{ FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1084 | ||
1085 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1086 | meta FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY | |
1087 | describe FILL_THIS_FORM_LONG Fill in a form with personal information | |
1088 | # score FILL_THIS_FORM_LONG 2.00 # limit | |
1089 | endif | |
1090 | ##} FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1091 | ||
1092 | ##{ FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1093 | ||
# Only defined when the running SpamAssassin reports the capability
# feature_bug6558_free. Hits when __FONT_INVIS_DIRECT (defined elsewhere;
# described as invisible text plus direct-to-MX delivery) hits and none of the
# seven exclusion sub-rules does. The score hint inside the block is commented
# out, so this section does not assign a score.
1094 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1095 | meta FONT_INVIS_DIRECT __FONT_INVIS_DIRECT && !__UNSUB_LINK && !__HAS_ERRORS_TO && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__URI_DOTGOV && !__NAKED_TO && !__MSGID_OK_HEX | |
1096 | describe FONT_INVIS_DIRECT Invisible text + direct-to-MX | |
1097 | # score FONT_INVIS_DIRECT 3.500 # limit | |
1098 | tflags FONT_INVIS_DIRECT publish | |
1099 | endif | |
1100 | ##} FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1101 | ||
1102 | ##{ FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1103 | ||
1104 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1105 | meta FONT_INVIS_DOTGOV __FONT_INVIS_DOTGOV && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__HAS_LIST_ID | |
1106 | describe FONT_INVIS_DOTGOV Invisible text + .gov URI | |
1107 | # score FONT_INVIS_DOTGOV 3.500 # limit | |
1108 | tflags FONT_INVIS_DOTGOV publish | |
1109 | endif | |
1110 | ##} FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1111 | ||
1112 | ##{ FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1113 | ||
1114 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1115 | meta FONT_INVIS_HTML_NOHTML __FONT_INVIS_HTML_NOHTML && !__RDNS_LONG | |
1116 | describe FONT_INVIS_HTML_NOHTML Invisible text + malformed HTML | |
1117 | # score FONT_INVIS_HTML_NOHTML 3.000 # limit | |
1118 | tflags FONT_INVIS_HTML_NOHTML publish | |
1119 | endif | |
1120 | ##} FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1121 | ||
1122 | ##{ FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1123 | ||
1124 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1125 | meta FONT_INVIS_LONG_LINE __FONT_INVIS_LONG_LINE && !__HTML_SINGLET | |
1126 | describe FONT_INVIS_LONG_LINE Invisible text + long lines | |
1127 | # score FONT_INVIS_LONG_LINE 3.000 # limit | |
1128 | tflags FONT_INVIS_LONG_LINE publish | |
1129 | endif | |
1130 | ##} FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1131 | ||
1132 | ##{ FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1133 | ||
1134 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1135 | meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX | |
1136 | describe FONT_INVIS_MSGID Invisible text + suspicious message ID | |
1137 | # score FONT_INVIS_MSGID 2.500 # limit | |
1138 | tflags FONT_INVIS_MSGID publish | |
1139 | endif | |
1140 | ##} FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1141 | ||
1142 | ##{ FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1143 | ||
1144 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1145 | meta FONT_INVIS_NORDNS __FONT_INVIS_NORDNS && !__HTML_SINGLET && !__LYRIS_EZLM_REMAILER && !__YOUR_PERSONAL && !__HAS_X_MAILER | |
1146 | describe FONT_INVIS_NORDNS Invisible text + no rDNS | |
1147 | # score FONT_INVIS_NORDNS 2.500 # limit | |
1148 | tflags FONT_INVIS_NORDNS publish | |
1149 | endif | |
1150 | ##} FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1151 | ||
1152 | ##{ FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1153 | ||
# Only defined when the running SpamAssassin reports the capability
# feature_bug6558_free. Hits when either invisible-text sub-rule (__FONT_INVIS
# or __STY_INVIS) hits together with __AC_POST_EXTRAS; per the describe text
# the latter stands for a suspicious URI.
# Unlike the other FONT_INVIS_* rules in this file, this expression has no
# negated exclusion terms.
1154 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1155 | meta FONT_INVIS_POSTEXTRAS (__FONT_INVIS || __STY_INVIS) && __AC_POST_EXTRAS | |
1156 | describe FONT_INVIS_POSTEXTRAS Invisible text + suspicious URI | |
1157 | # score FONT_INVIS_POSTEXTRAS 3.500 # limit | |
1158 | tflags FONT_INVIS_POSTEXTRAS publish | |
1159 | endif | |
1160 | ##} FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1161 | ||
1162 | ##{ FORGED_SPF_HELO | |
1163 | ||
# Hits when __HELO_NOT_RDNS hits (defined elsewhere; by its name, the HELO
# name does not match reverse DNS) and SPF passes for the HELO identity but
# not for the envelope sender (SPF_HELO_PASS && !SPF_PASS).
# NOTE(review): this section has no describe, tflags or score hint, and it is
# not wrapped in "ifplugin Mail::SpamAssassin::Plugin::SPF" the way
# FROM_MISSP_SPF_FAIL is; confirm how it behaves when SPF checks are disabled.
1164 | meta FORGED_SPF_HELO __HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS | |
1165 | ##} FORGED_SPF_HELO | |
1166 | ||
1167 | ##{ FORM_FRAUD | |
1168 | ||
# Lowest of three tiers. It requires __FORM_FRAUD without __FORM_FRAUD_3 or
# __FORM_FRAUD_5, so it does not hit on a message that qualifies for a higher
# tier. The remaining negated terms are exclusions defined elsewhere (list,
# thread and unsubscribe markers, among others).
1169 | meta FORM_FRAUD (__FORM_FRAUD && !__FORM_FRAUD_3 && !__FORM_FRAUD_5) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__UPPERCASE_URI && !__UNSUB_LINK | |
1170 | describe FORM_FRAUD Fill a form and a fraud phrase | |
1171 | #score FORM_FRAUD 1.000 # limit | |
1172 | tflags FORM_FRAUD publish | |
1173 | ##} FORM_FRAUD | |
1174 | ||
1175 | ##{ FORM_FRAUD_3 | |
1176 | ||
# Middle tier: requires __FORM_FRAUD_3 without __FORM_FRAUD_5, and is also
# suppressed when either __ADVANCE_FEE_3_NEW_FORM* sub-rule hits.
# NOTE(review): the ADVANCE_FEE exclusions presumably avoid scoring the same
# content under two rule families - confirm. No score hint in this section.
1177 | meta FORM_FRAUD_3 (__FORM_FRAUD_3 && !__FORM_FRAUD_5 && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_3_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP && !__DOS_BODY_FRI && !__UNSUB_LINK && !__BUGGED_IMG && !__NOT_SPOOFED | |
1178 | describe FORM_FRAUD_3 Fill a form and several fraud phrases | |
1179 | tflags FORM_FRAUD_3 publish | |
1180 | ##} FORM_FRAUD_3 | |
1181 | ||
1182 | ##{ FORM_FRAUD_5 | |
1183 | ||
# Top tier: requires __FORM_FRAUD_5 and is suppressed when either
# __ADVANCE_FEE_5_NEW_FORM* sub-rule hits. It has the shortest exclusion list
# of the three tiers. No score hint in this section.
1184 | meta FORM_FRAUD_5 (__FORM_FRAUD_5 && !__ADVANCE_FEE_5_NEW_FORM && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__BOUNCE_CTYPE | |
1185 | describe FORM_FRAUD_5 Fill a form and many fraud phrases | |
1186 | tflags FORM_FRAUD_5 publish | |
1187 | ##} FORM_FRAUD_5 | |
1188 | ||
1189 | ##{ FORM_LOW_CONTRAST | |
1190 | ||
1191 | meta FORM_LOW_CONTRAST __FORM_LOW_CONTRAST && !__BUGGED_IMG && !__HAS_REPLY_TO && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__MSGID_JAVAMAIL | |
1192 | describe FORM_LOW_CONTRAST Fill in a form with hidden text | |
1193 | #score FORM_LOW_CONTRAST 2.500 # Limit | |
1194 | tflags FORM_LOW_CONTRAST publish | |
1195 | ##} FORM_LOW_CONTRAST | |
1196 | ||
1197 | ##{ FOUND_YOU | |
1198 | ||
1199 | meta FOUND_YOU __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO | |
1200 | #score FOUND_YOU 3.25 # limit | |
1201 | describe FOUND_YOU I found you... | |
1202 | tflags FOUND_YOU publish | |
1203 | ##} FOUND_YOU | |
1204 | ||
1205 | ##{ FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) | |
1206 | ||
# Defined only when all three nested conditions hold: the FreeMail plugin is
# loaded, the HeaderEval plugin is loaded, and the running version is at least
# 3.004000. The rule hits when FREEMAIL_FROM and HEADER_FROM_DIFFERENT_DOMAINS
# both hit - per the describe text, a freemail sender whose From: and
# envelope-from domains differ. The commented-out score hint is 0.25.
1207 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1208 | ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
1209 | if (version >= 3.004000) | |
1210 | meta FREEMAIL_FORGED_FROMDOMAIN FREEMAIL_FROM && HEADER_FROM_DIFFERENT_DOMAINS | |
1211 | describe FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different | |
1212 | # score FREEMAIL_FORGED_FROMDOMAIN 0.25 | |
1213 | tflags FREEMAIL_FORGED_FROMDOMAIN publish | |
1214 | endif | |
1215 | endif | |
1216 | endif | |
1217 | ##} FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) | |
1218 | ||
1219 | ##{ FREEMAIL_WFH_01 | |
1220 | ||
1221 | meta FREEMAIL_WFH_01 __FREEMAIL_WFH_01 | |
1222 | describe FREEMAIL_WFH_01 Work-from-Home + freemail | |
1223 | tflags FREEMAIL_WFH_01 publish | |
1224 | ##} FREEMAIL_WFH_01 | |
1225 | ||
1226 | ##{ FREEM_FRNUM_UNICD_EMPTY | |
1227 | ||
1228 | meta FREEM_FRNUM_UNICD_EMPTY __FREEM_FRNUM_UNICD_EMPTY | |
1229 | describe FREEM_FRNUM_UNICD_EMPTY Numeric freemail From address, unicode From name and Subject, empty body | |
1230 | #score FREEM_FRNUM_UNICD_EMPTY 3.750 # limit | |
1231 | tflags FREEM_FRNUM_UNICD_EMPTY publish | |
1232 | ##} FREEM_FRNUM_UNICD_EMPTY | |
1233 | ||
1234 | ##{ FRNAME_IN_MSG_XPRIO_NO_SUB | |
1235 | ||
1236 | meta FRNAME_IN_MSG_XPRIO_NO_SUB (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS && !__SUBJ_NOT_SHORT && !ALL_TRUSTED | |
1237 | describe FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short or no subject | |
1238 | #score FRNAME_IN_MSG_XPRIO_NO_SUB 2.500 # limit | |
1239 | tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish | |
1240 | ##} FRNAME_IN_MSG_XPRIO_NO_SUB | |
1241 | ||
1242 | ##{ FROM_2_EMAILS_SHORT | |
1243 | ||
1244 | meta FROM_2_EMAILS_SHORT __KAM_BODY_LENGTH_LT_512 && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) | |
1245 | describe FROM_2_EMAILS_SHORT Short body and From looks like 2 different emails | |
1246 | #score FROM_2_EMAILS_SHORT 3.0 # limit | |
1247 | ##} FROM_2_EMAILS_SHORT | |
1248 | ||
1249 | ##{ FROM_ADDR_WS | |
1250 | ||
1251 | meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL | |
1252 | describe FROM_ADDR_WS Malformed From address | |
1253 | #score FROM_ADDR_WS 3.000 # limit | |
1254 | tflags FROM_ADDR_WS publish | |
1255 | ##} FROM_ADDR_WS | |
1256 | ||
1257 | ##{ FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1258 | ||
# Hits for mail that has relays and is not entirely from trusted hosts
# (neither NO_RELAYS nor ALL_TRUSTED), whose From address is on the bank
# address list (__FROM_ADDRLIST_BANKS, defined elsewhere), and that has
# neither an SPF pass nor a valid author-domain DKIM signature (DKIM_VALID_AU).
# NOTE(review): SPF_PASS reflects the envelope sender, which need not share a
# domain with the From: header, so an SPF pass for an unrelated domain also
# suppresses this rule; only DKIM_VALID_AU is tied to the From: domain.
# NOTE(review): the rule is gated on WLBLEval and version >= 3.004002 only;
# confirm the SPF and DKIM plugins are expected to be loaded wherever it runs,
# since without them both negated terms would always be true.
1259 | if (version >= 3.004002) | |
1260 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1261 | meta FROM_BANK_NOAUTH __FROM_ADDRLIST_BANKS && (! NO_RELAYS && ! ALL_TRUSTED) && (! SPF_PASS && ! DKIM_VALID_AU) | |
1262 | tflags FROM_BANK_NOAUTH publish net | |
1263 | describe FROM_BANK_NOAUTH From Bank domain but no SPF or DKIM | |
1264 | #score FROM_BANK_NOAUTH 1.0 # limit | |
1265 | endif | |
1266 | endif | |
1267 | ##} FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1268 | ||
1269 | ##{ FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1270 | ||
# Operational notice rather than a spam signal: per the describe text it hits
# when the lookup against fresh.fmb.la was refused. The score hint is 0.001,
# so it is there to surface the condition in reports.
# NOTE(review): while this rule is hitting, the FROM_FMBLA_NEWDOM* rules
# presumably get no usable answer and stay silent - worth alerting on.
1271 | if (version >= 3.004001) | |
1272 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1273 | meta FROM_FMBLA_NDBLOCKED __FROM_FMBLA_NDBLOCKED | |
1274 | describe FROM_FMBLA_NDBLOCKED ADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. | |
1275 | tflags FROM_FMBLA_NDBLOCKED net publish | |
1276 | #score FROM_FMBLA_NDBLOCKED 0.001 # limit | |
1277 | endif | |
1278 | endif | |
1279 | ##} FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1280 | ||
1281 | ##{ FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1282 | ||
# Network rule, defined only with the AskDNS plugin on version >= 3.004001.
# Wrapper around __FROM_FMBLA_NEWDOM (defined elsewhere); per the describe
# text it flags a From domain registered within the last 7 days. This is the
# youngest of the three age bands and has the highest score hint (1.5).
# NOTE(review): unlike FROM_FMBLA_NEWDOM14, FROM_FMBLA_NEWDOM28 and
# FROM_FMBLA_NDBLOCKED, the tflags line here omits "publish" - confirm that is
# intentional.
1283 | if (version >= 3.004001) | |
1284 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1285 | meta FROM_FMBLA_NEWDOM __FROM_FMBLA_NEWDOM | |
1286 | describe FROM_FMBLA_NEWDOM From domain was registered in last 7 days | |
1287 | tflags FROM_FMBLA_NEWDOM net | |
1288 | #score FROM_FMBLA_NEWDOM 1.5 # limit | |
1289 | endif | |
1290 | endif | |
1291 | ##} FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1292 | ||
1293 | ##{ FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1294 | ||
# Network rule, defined only with the AskDNS plugin on version >= 3.004001.
# Wrapper around __FROM_FMBLA_NEWDOM14 (defined elsewhere); per the describe
# text it covers the 7-14 day registration-age band, with a score hint of 1.0.
1295 | if (version >= 3.004001) | |
1296 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1297 | meta FROM_FMBLA_NEWDOM14 __FROM_FMBLA_NEWDOM14 | |
1298 | describe FROM_FMBLA_NEWDOM14 From domain was registered in last 7-14 days | |
1299 | tflags FROM_FMBLA_NEWDOM14 publish net | |
1300 | #score FROM_FMBLA_NEWDOM14 1.0 # limit | |
1301 | endif | |
1302 | endif | |
1303 | ##} FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1304 | ||
1305 | ##{ FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1306 | ||
# Network rule, defined only with the AskDNS plugin on version >= 3.004001.
# Wrapper around __FROM_FMBLA_NEWDOM28 (defined elsewhere); per the describe
# text it covers the 14-28 day registration-age band, with the lowest score
# hint of the three bands (0.8).
1307 | if (version >= 3.004001) | |
1308 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1309 | meta FROM_FMBLA_NEWDOM28 __FROM_FMBLA_NEWDOM28 | |
1310 | describe FROM_FMBLA_NEWDOM28 From domain was registered in last 14-28 days | |
1311 | tflags FROM_FMBLA_NEWDOM28 net publish | |
1312 | #score FROM_FMBLA_NEWDOM28 0.8 # limit | |
1313 | endif | |
1314 | endif | |
1315 | ##} FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1316 | ||
1317 | ##{ FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1318 | ||
# "nice" rule (score hint -1.0): hits when the From address is on the
# government address list (__FROM_ADDRLIST_GOV, defined elsewhere) and
# DKIM_VALID_AU hits, i.e. a valid signature from the author's own domain.
# The describe text says only "DKIM signed"; the expression is stricter than
# that, since a signature from some other domain does not satisfy it.
1319 | if (version >= 3.004002) | |
1320 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1321 | meta FROM_GOV_DKIM_AU DKIM_VALID_AU && __FROM_ADDRLIST_GOV | |
1322 | tflags FROM_GOV_DKIM_AU net nice publish | |
1323 | describe FROM_GOV_DKIM_AU From Government address and DKIM signed | |
1324 | #score FROM_GOV_DKIM_AU -1.0 # limit | |
1325 | endif | |
1326 | endif | |
1327 | ##} FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1328 | ||
1329 | ##{ FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1330 | ||
# Hits when the From address is on the government address list
# (__FROM_ADDRLIST_GOV), FREEMAIL_FORGED_REPLYTO hits, and there is no valid
# author-domain DKIM signature (!DKIM_VALID_AU). The pattern this targets is a
# reply path that leads away from the claimed government sender.
# NOTE(review): the block is gated on WLBLEval only, although the expression
# also depends on a FreeMail rule and a DKIM rule - confirm both plugins are
# expected to be loaded wherever this runs.
1331 | if (version >= 3.004002) | |
1332 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1333 | meta FROM_GOV_REPLYTO_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_GOV && !DKIM_VALID_AU | |
1334 | tflags FROM_GOV_REPLYTO_FREEMAIL net publish | |
1335 | describe FROM_GOV_REPLYTO_FREEMAIL From Government domain but ReplyTo is FREEMAIL | |
1336 | #score FROM_GOV_REPLYTO_FREEMAIL 2.0 | |
1337 | endif | |
1338 | endif | |
1339 | ##} FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1340 | ||
1341 | ##{ FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1342 | ||
# Hits when the From address is on the government address list
# (__FROM_ADDRLIST_GOV), the message has relays and is not entirely from
# trusted hosts, and __NOT_SPOOFED does NOT hit.
# NOTE(review): the describe text says "matches SPOOFED", but the expression
# tests the absence of __NOT_SPOOFED. The rule is therefore only as strong as
# that sub-rule's definition of "not spoofed", which is not shown here.
1343 | if (version >= 3.004002) | |
1344 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1345 | meta FROM_GOV_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (! NO_RELAYS && ! ALL_TRUSTED) | |
1346 | tflags FROM_GOV_SPOOF net publish | |
1347 | describe FROM_GOV_SPOOF From Government domain but matches SPOOFED | |
1348 | #score FROM_GOV_SPOOF 1.0 # limit | |
1349 | endif | |
1350 | endif | |
1351 | ##} FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1352 | ||
1353 | ##{ FROM_IN_TO_AND_SUBJ | |
1354 | ||
1355 | meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID | |
1356 | describe FROM_IN_TO_AND_SUBJ From address is in To and Subject | |
1357 | tflags FROM_IN_TO_AND_SUBJ publish | |
1358 | ##} FROM_IN_TO_AND_SUBJ | |
1359 | ||
1360 | ##{ FROM_MISSPACED | |
1361 | ||
1362 | meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA | |
1363 | describe FROM_MISSPACED From: missing whitespace | |
1364 | #score FROM_MISSPACED 2.00 | |
1365 | ##} FROM_MISSPACED | |
1366 | ||
1367 | ##{ FROM_MISSP_DYNIP | |
1368 | ||
1369 | meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC | |
1370 | describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS | |
1371 | ##} FROM_MISSP_DYNIP | |
1372 | ||
1373 | ##{ FROM_MISSP_EH_MATCH | |
1374 | ||
1375 | meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA | |
1376 | describe FROM_MISSP_EH_MATCH From misspaced, matches envelope | |
1377 | #score FROM_MISSP_EH_MATCH 2.00 # max | |
1378 | ##} FROM_MISSP_EH_MATCH | |
1379 | ||
1380 | ##{ FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1381 | ||
1382 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1383 | meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA | |
1384 | describe FROM_MISSP_FREEMAIL From misspaced + freemail provider | |
1385 | endif | |
1386 | ##} FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1387 | ||
1388 | ##{ FROM_MISSP_MSFT | |
1389 | ||
1390 | meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS) | |
1391 | describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool | |
1392 | ##} FROM_MISSP_MSFT | |
1393 | ||
1394 | ##{ FROM_MISSP_REPLYTO | |
1395 | ||
1396 | meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY && !__DOS_HAS_LIST_UNSUB | |
1397 | describe FROM_MISSP_REPLYTO From misspaced, has Reply-To | |
1398 | #score FROM_MISSP_REPLYTO 2.500 # limit | |
1399 | ##} FROM_MISSP_REPLYTO | |
1400 | ||
1401 | ##{ FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF | |
1402 | ||
 | # FROM_MISSP_SPF_FAIL combines the header-formatting sub-rule __FROM_RUNON | |
 | # (defined outside this excerpt) with SPF_FAIL. It is only defined when the | |
 | # SPF plugin is loaded and, being a 'net' test, is skipped when network | |
 | # tests are disabled. No describe text is set in this block. | |
1403 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
1404 | meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL) | |
1405 | tflags FROM_MISSP_SPF_FAIL net | |
1406 | # score FROM_MISSP_SPF_FAIL 2.00 # limit | |
1407 | endif | |
1408 | ##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF | |
1409 | ||
1410 | ##{ FROM_MISSP_TO_UNDISC | |
1411 | ||
1412 | meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED) | |
1413 | describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed | |
1414 | ##} FROM_MISSP_TO_UNDISC | |
1415 | ||
1416 | ##{ FROM_MISSP_USER | |
1417 | ||
1418 | meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER) | |
1419 | describe FROM_MISSP_USER From misspaced, from "User" | |
1420 | ##} FROM_MISSP_USER | |
1421 | ||
1422 | ##{ FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
1423 | ||
1424 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
1425 | meta FROM_MULTI_NORDNS __FROM_MULTI_NORDNS | |
1426 | describe FROM_MULTI_NORDNS Multiple From addresses + no rDNS | |
1427 | endif | |
1428 | ##} FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
1429 | ||
1430 | ##{ FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1431 | ||
1432 | if (version >= 3.004001) | |
1433 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1434 | meta FROM_NEWDOM_BTC __PDS_BTC_ID && __PDS_NEWDOMAIN | |
1435 | describe FROM_NEWDOM_BTC Newdomain with Bitcoin ID | |
1436 | #score FROM_NEWDOM_BTC 2.0 # limit | |
1437 | tflags FROM_NEWDOM_BTC net | |
1438 | endif | |
1439 | endif | |
1440 | ##} FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1441 | ||
1442 | ##{ FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1443 | ||
1444 | if (version >= 3.004002) | |
1445 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1446 | meta FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY | |
1447 | tflags FROM_NTLD_LINKBAIT publish | |
1448 | describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI | |
1449 | #score FROM_NTLD_LINKBAIT 2.0 # limit | |
1450 | endif | |
1451 | endif | |
1452 | ##} FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1453 | ||
1454 | ##{ FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1455 | ||
1456 | if (version >= 3.004002) | |
1457 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1458 | meta FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD | |
1459 | tflags FROM_NTLD_REPLY_FREEMAIL publish | |
1460 | describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL | |
1461 | #score FROM_NTLD_REPLY_FREEMAIL 2.0 # limit | |
1462 | endif | |
1463 | endif | |
1464 | ##} FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1465 | ||
1466 | ##{ FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1467 | ||
1468 | if (version >= 3.004001) | |
1469 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1470 | meta FROM_NUMBERO_NEWDOMAIN __NUMBERONLY_TLD && __PDS_NEWDOMAIN | |
1471 | describe FROM_NUMBERO_NEWDOMAIN Fingerprint and new domain | |
1472 | #score FROM_NUMBERO_NEWDOMAIN 2.0 # limit | |
1473 | tflags FROM_NUMBERO_NEWDOMAIN net publish | |
1474 | endif | |
1475 | endif | |
1476 | ##} FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1477 | ||
1478 | ##{ FROM_NUMERIC_TLD | |
1479 | ||
 | # FROM_NUMERIC_TLD matches when the address part of From: ends in a dot | |
 | # followed only by digits, i.e. the last label of the domain is numeric. | |
 | # An unbracketed IPv4 host (constructed example: user@192.0.2.1) also | |
 | # matches; a bracketed domain literal ends in ']' and does not. | |
1480 | header FROM_NUMERIC_TLD From:addr =~ /\.\d+$/ | |
1481 | describe FROM_NUMERIC_TLD From: address has numeric TLD | |
1482 | #score FROM_NUMERIC_TLD 3.000 # limit | |
1483 | ##} FROM_NUMERIC_TLD | |
1484 | ||
1485 | ##{ FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1486 | ||
 | # FROM_PAYPAL_SPOOF fires when the From address is on the PayPal address | |
 | # list (__FROM_ADDRLIST_PAYPAL), __NOT_SPOOFED did not hit, and the message | |
 | # was relayed but not exclusively through trusted hosts. | |
 | # __NOT_SPOOFED is defined outside this excerpt; presumably it reflects | |
 | # sender-authentication results -- confirm before tuning. | |
 | # As a 'net' test the rule is skipped when network tests are disabled, so a | |
 | # local-only scan gives no brand-spoofing signal from it. | |
1487 | if (version >= 3.004002) | |
1488 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1489 | meta FROM_PAYPAL_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_PAYPAL && (! NO_RELAYS && ! ALL_TRUSTED) | |
1490 | tflags FROM_PAYPAL_SPOOF publish net | |
1491 | describe FROM_PAYPAL_SPOOF From PayPal domain but matches SPOOFED | |
1492 | #score FROM_PAYPAL_SPOOF 1.6 # limit | |
1493 | endif | |
1494 | endif | |
1495 | ##} FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1496 | ||
1497 | ##{ FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1498 | ||
1499 | if (version >= 3.004002) | |
1500 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1501 | meta FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD | |
1502 | tflags FROM_SUSPICIOUS_NTLD publish | |
1503 | describe FROM_SUSPICIOUS_NTLD From abused NTLD | |
1504 | #score FROM_SUSPICIOUS_NTLD 0.5 # limit | |
1505 | endif | |
1506 | endif | |
1507 | ##} FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1508 | ||
1509 | ##{ FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1510 | ||
 | # FROM_SUSPICIOUS_NTLD_FP narrows __FROM_ADDRLIST_SUSPNTLD to messages that | |
 | # carry none of the Sender, In-Reply-To or X-Mailing-List indicators | |
 | # (sub-rule names; definitions are outside this excerpt). | |
 | # FROM_SUSPICIOUS_NTLD in this file tests __FROM_ADDRLIST_SUSPNTLD alone, so | |
 | # whenever this rule hits that one hits too and both scores apply. The two | |
 | # rules share the same describe text; tell them apart by name in reports. | |
1511 | if (version >= 3.004002) | |
1512 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1513 | meta FROM_SUSPICIOUS_NTLD_FP __FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST | |
1514 | tflags FROM_SUSPICIOUS_NTLD_FP publish | |
1515 | describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD | |
1516 | #score FROM_SUSPICIOUS_NTLD_FP 2.0 # limit | |
1517 | endif | |
1518 | endif | |
1519 | ##} FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1520 | ||
1521 | ##{ FROM_WEBSITE | |
1522 | ||
 | # FROM_WEBSITE looks in the raw From: header for an ftp/ftps/http/https | |
 | # scheme followed by 3-60 characters that are not whitespace, '"', '<', '/' | |
 | # or '@', then a dot and two word characters (case-insensitive). | |
 | # ':raw' means the header is tested without MIME decoding, so a URL carried | |
 | # inside an encoded-word display name is not seen by this pattern. | |
1523 | header FROM_WEBSITE From:raw =~ m'\b(?:f|ht)tps?://[^\s"</\@]{3,60}\.\w\w'i | |
1524 | describe FROM_WEBSITE Sender name appears to be a link | |
1525 | ##} FROM_WEBSITE | |
1526 | ||
1527 | ##{ FROM_WSP_TRAIL | |
1528 | ||
 | # FROM_WSP_TRAIL uses the /x flag, so the spaces inside the pattern are | |
 | # layout only. It matches a '<' ... '>' section in the raw From: header | |
 | # whose last character before '>' is whitespace, with no further angle | |
 | # brackets between that '>' and the end of the header value (\z). | |
1529 | header FROM_WSP_TRAIL From:raw =~ /< [^>]* \s > [^<>]* \z/xm | |
1530 | describe FROM_WSP_TRAIL Trailing whitespace before '>' in From header field | |
1531 | ##} FROM_WSP_TRAIL | |
1532 | ||
1533 | ##{ FSL_BULK_SIG | |
1534 | ||
1535 | meta FSL_BULK_SIG (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP_MESSY | |
1536 | describe FSL_BULK_SIG Bulk signature with no Unsubscribe | |
1537 | #score FSL_BULK_SIG 3.000 # limit | |
1538 | tflags FSL_BULK_SIG net publish | |
1539 | ##} FSL_BULK_SIG | |
1540 | ||
1541 | ##{ FSL_CTYPE_WIN1251 | |
1542 | ||
 | # FSL_CTYPE_WIN1251 matches a Content-Type header containing exactly | |
 | # charset="Windows-1251" -- this capitalisation, with double quotes; there | |
 | # is no /i flag. Windows-1251 is a Cyrillic code page that legitimate mail | |
 | # can declare, so the narrow spelling is what keeps the rule specific. | |
 | # NOTE(review): "only seen in 419 spam" is the rule author's observation; | |
 | # check hit rates on local Cyrillic-language traffic before raising a score. | |
1543 | header FSL_CTYPE_WIN1251 Content-Type =~ /charset="Windows-1251"/ | |
1544 | describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam | |
1545 | ##} FSL_CTYPE_WIN1251 | |
1546 | ||
1547 | ##{ FSL_FAKE_HOTMAIL_RVCD | |
1548 | ||
 | # FSL_FAKE_HOTMAIL_RVCD tests X-Spam-Relays-External, the pseudo-header | |
 | # SpamAssassin builds from the relays outside the trusted network. | |
 | # The pattern is unanchored: mx1..mx4.hotmail.com may appear in any field of | |
 | # any relay entry, including as part of a longer host name. | |
 | # No describe text is set in this block; the rule name suggests forged | |
 | # Hotmail Received data -- confirm intent upstream. | |
1549 | header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/ | |
1550 | ##} FSL_FAKE_HOTMAIL_RVCD | |
1551 | ||
1552 | ##{ FSL_HELO_BARE_IP_1 | |
1553 | ||
1554 | meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED | |
1555 | ##} FSL_HELO_BARE_IP_1 | |
1556 | ||
1557 | ##{ FSL_HELO_DEVICE | |
1558 | ||
1559 | header FSL_HELO_DEVICE X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i | |
1560 | ##} FSL_HELO_DEVICE | |
1561 | ||
1562 | ##{ FSL_HELO_NON_FQDN_1 | |
1563 | ||
 | # FSL_HELO_NON_FQDN_1 inspects only the first relay entry of | |
 | # X-Spam-Relays-External ('^[^\]]+' cannot cross the first ']') and matches | |
 | # a HELO value made up solely of letters, digits, '-' and '_', i.e. one | |
 | # with no dot in it. | |
 | # In the class [a-zA-Z0-9-_] the '-' that follows the range 0-9 is a literal | |
 | # hyphen in Perl, not the start of a '9-_' range. | |
1564 | header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i | |
1565 | ##} FSL_HELO_NON_FQDN_1 | |
1566 | ||
1567 | ##{ FSL_HELO_SETUP | |
1568 | ||
1569 | header FSL_HELO_SETUP X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i | |
1570 | ##} FSL_HELO_SETUP | |
1571 | ||
1572 | ##{ FSL_INTERIA_ABUSE | |
1573 | ||
1574 | uri FSL_INTERIA_ABUSE /\/\S+\.(?:w|eu|fm)\.interia\.pl/ | |
1575 | ##} FSL_INTERIA_ABUSE | |
1576 | ||
1577 | ##{ FSL_NEW_HELO_USER | |
1578 | ||
1579 | meta FSL_NEW_HELO_USER (__FSL_HELO_USER_1 || __FSL_HELO_USER_2 || __FSL_HELO_USER_3) | |
1580 | describe FSL_NEW_HELO_USER Spam's using Helo and User | |
1581 | #score FSL_NEW_HELO_USER 2.0 | |
1582 | tflags FSL_NEW_HELO_USER publish | |
1583 | ##} FSL_NEW_HELO_USER | |
1584 | ||
1585 | ##{ FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1586 | ||
1587 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1588 | body FUZZY_AMAZON /(?:^|\W)(?=<A>)(?!amazon)<A><M><A><Z><O><N>(?:$|\W)/i | |
1589 | describe FUZZY_AMAZON Obfuscated "amazon" | |
1590 | tflags FUZZY_AMAZON publish | |
1591 | endif | |
1592 | ##} FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1593 | ||
1594 | ##{ FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1595 | ||
1596 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1597 | body FUZZY_ANDROID /(?=<A>)(?!android)<A><N><D><R><O><I><D>/i | |
1598 | describe FUZZY_ANDROID Obfuscated "android" | |
1599 | tflags FUZZY_ANDROID publish | |
1600 | endif | |
1601 | ##} FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1602 | ||
1603 | ##{ FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1604 | ||
1605 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1606 | body FUZZY_APPLE /(?:^|\W)(?=<A>)(?!appl[ey])<A><P><P><L><E>(?:$|\W)/i | |
1607 | describe FUZZY_APPLE Obfuscated "apple" | |
1608 | tflags FUZZY_APPLE publish | |
1609 | endif | |
1610 | ##} FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1611 | ||
1612 | ##{ FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1613 | ||
1614 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1615 | body FUZZY_BITCOIN /(?=<B>)(?!bit[-\s]?coin)<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i | |
1616 | describe FUZZY_BITCOIN Obfuscated "Bitcoin" | |
1617 | tflags FUZZY_BITCOIN publish | |
1618 | endif | |
1619 | ##} FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1620 | ||
1621 | ##{ FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1622 | ||
1623 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1624 | body FUZZY_BROWSER /(?=<B>)(?!browser)<B><R><O><W><S><E><R>/i | |
1625 | describe FUZZY_BROWSER Obfuscated "browser" | |
1626 | tflags FUZZY_BROWSER publish | |
1627 | endif | |
1628 | ##} FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1629 | ||
1630 | ##{ FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1631 | ||
1632 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1633 | meta FUZZY_BTC_WALLET FUZZY_BITCOIN && FUZZY_WALLET | |
1634 | describe FUZZY_BTC_WALLET Heavily obfuscated "bitcoin wallet" | |
1635 | tflags FUZZY_BTC_WALLET publish | |
1636 | endif | |
1637 | ##} FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1638 | ||
1639 | ##{ FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1640 | ||
1641 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1642 | body FUZZY_CLICK_HERE /(?=<C>)(?!click(?:\s| )here)<C><WS>*<L><WS>*<I><WS>*<C><WS>*<K><WS>+<H><WS>*<E><WS>*<R><WS>*<E>/i | |
1643 | describe FUZZY_CLICK_HERE Obfuscated "click here" | |
1644 | tflags FUZZY_CLICK_HERE publish | |
1645 | endif | |
1646 | ##} FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1647 | ||
1648 | ##{ FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1649 | ||
1650 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1651 | meta FUZZY_DR_OZ __FUZZY_DR_OZ && !__VIA_ML | |
1652 | describe FUZZY_DR_OZ Obfuscated Doctor Oz | |
1653 | tflags FUZZY_DR_OZ publish | |
1654 | endif | |
1655 | ##} FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1656 | ||
1657 | ##{ FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1658 | ||
1659 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1660 | body FUZZY_FACEBOOK /(?=<F>)(?!fa[ck]ebook)<F><A><C><E><B><O><O><K>/i | |
1661 | describe FUZZY_FACEBOOK Obfuscated "facebook" | |
1662 | tflags FUZZY_FACEBOOK publish | |
1663 | endif | |
1664 | ##} FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1665 | ||
1666 | ##{ FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1667 | ||
1668 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1669 | body FUZZY_IMPORTANT /(?=<I>)(?!important)<I>(?:<M>|<N>)<P><O><R><T><A><N><T>/i | |
1670 | describe FUZZY_IMPORTANT Obfuscated "important" | |
1671 | tflags FUZZY_IMPORTANT publish | |
1672 | endif | |
1673 | ##} FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1674 | ||
1675 | ##{ FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1676 | ||
1677 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1678 | body FUZZY_MERIDIA /<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i | |
1679 | describe FUZZY_MERIDIA Obfuscation of the word "meridia" | |
1680 | endif | |
1681 | ##} FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1682 | ||
1683 | ##{ FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1684 | ||
1685 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1686 | body FUZZY_MICROSOFT /(?=<M>)(?!microsoft)<M><I><C><R><O><S><O><F><T>/i | |
1687 | describe FUZZY_MICROSOFT Obfuscated "microsoft" | |
1688 | tflags FUZZY_MICROSOFT publish | |
1689 | endif | |
1690 | ##} FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1691 | ||
1692 | ##{ FUZZY_MONERO | |
1693 | ||
1694 | meta FUZZY_MONERO __FUZZY_MONERO | |
1695 | describe FUZZY_MONERO Obfuscated "Monero" | |
1696 | tflags FUZZY_MONERO publish | |
1697 | ##} FUZZY_MONERO | |
1698 | ||
1699 | ##{ FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1700 | ||
1701 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1702 | body FUZZY_NORTON /(?:^|\W)(?=<N>)(?!norton)<N><O><R><T><O><N>(?:$|\W)/i | |
1703 | describe FUZZY_NORTON Obfuscated "norton" | |
1704 | tflags FUZZY_NORTON publish | |
1705 | endif | |
1706 | ##} FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1707 | ||
1708 | ##{ FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1709 | ||
1710 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1711 | body FUZZY_OVERSTOCK /(?:^|\W)(?=<O>)(?!over[-\s]?stock)<O><V><E><R>[-\s]?<S><T><O><C><K>(?:$|\W)/i | |
1712 | describe FUZZY_OVERSTOCK Obfuscated "overstock" | |
1713 | tflags FUZZY_OVERSTOCK publish | |
1714 | endif | |
1715 | ##} FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1716 | ||
1717 | ##{ FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1718 | ||
 | # FUZZY_PAYPAL flags look-alike spellings of the brand name in the body. | |
 | # <P>, <A>, <Y>, <L> are ReplaceTags placeholders that the plugin expands | |
 | # into sets of similar-looking characters; their definitions are outside | |
 | # this excerpt. | |
 | # The negative lookahead (?!pay[-\s]?pal) rejects the plain spelling, so | |
 | # only obfuscated variants hit. (?:^|\W) and (?:$|\W) require a non-word | |
 | # character or the text boundary on either side. | |
1719 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1720 | body FUZZY_PAYPAL /(?:^|\W)(?=<P>)(?!pay[-\s]?pal)<P><A><Y>[-\s]?<P><A><L>(?:$|\W)/i | |
1721 | describe FUZZY_PAYPAL Obfuscated "paypal" | |
1722 | tflags FUZZY_PAYPAL publish | |
1723 | endif | |
1724 | ##} FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1725 | ||
1726 | ##{ FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1727 | ||
1728 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1729 | meta FUZZY_PORN __FUZZY_PORN && !( __ENV_AND_HDR_FROM_MATCH && __SENDER_BOT ) | |
1730 | describe FUZZY_PORN Obfuscated "Pornography" or "Pornographic" | |
1731 | tflags FUZZY_PORN publish | |
1732 | endif | |
1733 | ##} FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1734 | ||
1735 | ##{ FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1736 | ||
1737 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1738 | body FUZZY_PRIVACY /(?=<P>)(?!privacy)<P><R><I><V><A><C><Y>/i | |
1739 | describe FUZZY_PRIVACY Obfuscated "privacy" | |
1740 | tflags FUZZY_PRIVACY publish | |
1741 | endif | |
1742 | ##} FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1743 | ||
1744 | ##{ FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1745 | ||
1746 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1747 | body FUZZY_PROMOTION /(?=<P>)(?!promotion)<P><R><O><M><O><T><I><O><N>/i | |
1748 | describe FUZZY_PROMOTION Obfuscated "promotion" | |
1749 | tflags FUZZY_PROMOTION publish | |
1750 | endif | |
1751 | ##} FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1752 | ||
1753 | ##{ FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1754 | ||
1755 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1756 | body FUZZY_SAVINGS /(?=<S>)(?!savings)<S><A><V><I><N><G><S>/i | |
1757 | describe FUZZY_SAVINGS Obfuscated "savings" | |
1758 | tflags FUZZY_SAVINGS publish | |
1759 | endif | |
1760 | ##} FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1761 | ||
1762 | ##{ FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1763 | ||
 | # FUZZY_SECURITY flags look-alike spellings of "security" / "seguridad". | |
 | # The letter tags are ReplaceTags placeholders defined outside this excerpt. | |
 | # Three negative lookaheads reject the plain words: "security", | |
 | # "seguridad", and the UTF-8 byte sequence for the accented French | |
 | # spelling (\xc3\xa9 is the encoding of e-acute). | |
1764 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1765 | body FUZZY_SECURITY /(?=<S>)(?!security)(?!seguridad)(?!s\xc3\xa9curit\xc3\xa9)<S><E>(?:<C>|<G>)<U><R><I>(?:<T><Y>|<D><A><D>)/i | |
1766 | describe FUZZY_SECURITY Obfuscated "security" | |
1767 | tflags FUZZY_SECURITY publish | |
1768 | endif | |
1769 | ##} FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1770 | ||
1771 | ##{ FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1772 | ||
1773 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1774 | body FUZZY_UNSUBSCRIBE /(?=<U>)(?!unsubscribe)<U><N><S><U><B><S><C><R><I><B><E>/i | |
1775 | describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe" | |
1776 | tflags FUZZY_UNSUBSCRIBE publish | |
1777 | endif | |
1778 | ##} FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1779 | ||
1780 | ##{ FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1781 | ||
1782 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1783 | body FUZZY_WALLET /(?=<W>)(?!wallet)<W><A><L><L><E><T>/i | |
1784 | describe FUZZY_WALLET Obfuscated "Wallet" | |
1785 | tflags FUZZY_WALLET publish | |
1786 | endif | |
1787 | ##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1788 | ||
1789 | ##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1790 | ||
1791 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1792 | meta GAPPY_SALES_LEADS_FREEM __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) | |
1793 | describe GAPPY_SALES_LEADS_FREEM Obfuscated marketing text, freemail or CHN replyto | |
1794 | # score GAPPY_SALES_LEADS_FREEM 3.500 # limit | |
1795 | tflags GAPPY_SALES_LEADS_FREEM publish | |
1796 | endif | |
1797 | ##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1798 | ||
1799 | ##{ GB_FAKE_RF_SHORT | |
1800 | ||
1801 | meta GB_FAKE_RF_SHORT ( ! __THREADED && __GB_FAKE_RF && __PDS_URISHORTENER ) | |
1802 | describe GB_FAKE_RF_SHORT Fake reply or forward with url shortener | |
1803 | #score GB_FAKE_RF_SHORT 2.000 # limit | |
1804 | tflags GB_FAKE_RF_SHORT publish | |
1805 | ##} GB_FAKE_RF_SHORT | |
1806 | ||
1807 | ##{ GB_FORGED_MUA_POSTFIX | |
1808 | ||
1809 | meta GB_FORGED_MUA_POSTFIX ( __FORGED_MUA_POSTFIX0 || __FORGED_MUA_POSTFIX1 ) | |
1810 | describe GB_FORGED_MUA_POSTFIX Forged Postfix mua headers | |
1811 | tflags GB_FORGED_MUA_POSTFIX publish | |
1812 | #score GB_FORGED_MUA_POSTFIX 2.0 # limit | |
1813 | ##} GB_FORGED_MUA_POSTFIX | |
1814 | ||
1815 | ##{ GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1816 | ||
1817 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1818 | meta GB_FREEMAIL_DISPTO ( __FREEMAIL_DISPTO && !__freemail_safe ) | |
1819 | describe GB_FREEMAIL_DISPTO Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails | |
1820 | # score GB_FREEMAIL_DISPTO 0.50 # limit | |
1821 | tflags GB_FREEMAIL_DISPTO publish | |
1822 | endif | |
1823 | ##} GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1824 | ||
1825 | ##{ GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1826 | ||
1827 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1828 | meta GB_FREEMAIL_DISPTO_NOTFREEM ( __FREEMAIL_DISPTO && !__freemail_safe && !FREEMAIL_FROM ) | |
1829 | describe GB_FREEMAIL_DISPTO_NOTFREEM Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail | |
1830 | # score GB_FREEMAIL_DISPTO_NOTFREEM 0.50 # limit | |
1831 | tflags GB_FREEMAIL_DISPTO_NOTFREEM publish | |
1832 | endif | |
1833 | ##} GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1834 | ||
1835 | ##{ GB_GOOGLE_OBFUR | |
1836 | ||
 | # GB_GOOGLE_OBFUR is a signature for one specific Google redirect URL | |
 | # template, not general coverage of Google redirects. | |
 | # The URI must start with https://www.google.<2-3 lowercase letters>/url? | |
 | # and carry sa=t, rct=j, an empty q=, esrc=s, source=web and cd= in exactly | |
 | # this order, optionally cad/uact/ved, then url=http(s)://... and an | |
 | # optional usg= parameter. There is no /i flag. | |
 | # Pair it with other redirect and landing-page checks when assessing a link. | |
1837 | uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.([a-z]{2,3})\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=([0-9])*\&(cad=rja\&uact=([0-9]+)\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(&usg=.{1,50})?/ | |
1838 | describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect | |
1839 | #score GB_GOOGLE_OBFUR 0.75 # limit | |
1840 | tflags GB_GOOGLE_OBFUR publish | |
1841 | ##} GB_GOOGLE_OBFUR | |
1842 | ||
1843 | ##{ GB_GOOGLE_OBFUS | |
1844 | ||
 | # GB_GOOGLE_OBFUS matches a URI that starts with | |
 | # https://www.google.<2-3 lowercase letters>/search?ei= followed by 1-50 | |
 | # characters, then &gs_l= and 1-20 characters. Case-sensitive, https only. | |
 | # Unlike GB_GOOGLE_OBFUR in this file, no tflags line is set in this block. | |
1845 | uri GB_GOOGLE_OBFUS /^https:\/\/www\.google\.([a-z]{2,3})\/search\?ei=.{1,50}\&gs_l=.{1,20}/ | |
1846 | describe GB_GOOGLE_OBFUS Obfuscate url through Google search | |
1847 | #score GB_GOOGLE_OBFUS 0.75 # limit | |
1848 | ##} GB_GOOGLE_OBFUS | |
1849 | ||
1850 | ##{ GEO_QUERY_STRING | |
1851 | ||
1852 | uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i | |
1853 | ##} GEO_QUERY_STRING | |
1854 | ||
1855 | ##{ GOOGLE_DOCS_PHISH | |
1856 | ||
1857 | meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2) | |
1858 | describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form | |
1859 | #score GOOGLE_DOCS_PHISH 3.00 # limit | |
1860 | tflags GOOGLE_DOCS_PHISH publish | |
1861 | ##} GOOGLE_DOCS_PHISH | |
1862 | ||
1863 | ##{ GOOGLE_DOCS_PHISH_MANY | |
1864 | ||
1865 | meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY) | |
1866 | describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form | |
1867 | #score GOOGLE_DOCS_PHISH_MANY 4.00 # limit | |
1868 | tflags GOOGLE_DOCS_PHISH_MANY publish | |
1869 | ##} GOOGLE_DOCS_PHISH_MANY | |
1870 | ||
1871 | ##{ GOOGLE_DOC_SUSP | |
1872 | ||
 | # GOOGLE_DOC_SUSP takes the sub-rule __GOOGLE_DOC_SUSP and suppresses it | |
 | # whenever one of the listed exclusions hits. !GOOGLE_DOCS_PHISH_MANY keeps | |
 | # this rule from firing together with that rule on the same message. | |
 | # NOTE(review): !__RCD_RDNS_SMTP appears twice in the expression; the | |
 | # repeat is redundant and does not change the result. | |
 | # The sub-rules are defined outside this excerpt. | |
1873 | meta GOOGLE_DOC_SUSP __GOOGLE_DOC_SUSP && !GOOGLE_DOCS_PHISH_MANY && !__HAS_SENDER && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__USING_VERP1 && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_SMTP && ! __HAS_LIST_ID && !__SURVEY && !__BUGGED_IMG | |
1874 | describe GOOGLE_DOC_SUSP Suspicious use of Google Docs | |
1875 | #score GOOGLE_DOC_SUSP 3.000 # limit | |
1876 | tflags GOOGLE_DOC_SUSP publish | |
1877 | ##} GOOGLE_DOC_SUSP | |
1878 | ||
1879 | ##{ GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1880 | ||
1881 | if (version >= 3.004002) | |
1882 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1883 | meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD | |
1884 | tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish | |
1885 | describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD | |
1886 | #score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit | |
1887 | endif | |
1888 | endif | |
1889 | ##} GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1890 | ||
1891 | ##{ GOOG_MALWARE_DNLD | |
1892 | ||
1893 | meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD | |
1894 | describe GOOG_MALWARE_DNLD File download via Google - Malware? | |
1895 | #score GOOG_MALWARE_DNLD 5.000 # limit | |
1896 | tflags GOOG_MALWARE_DNLD publish | |
1897 | ##} GOOG_MALWARE_DNLD | |
1898 | ||
1899 | ##{ GOOG_REDIR_DOCUSIGN | |
1900 | ||
 | # GOOG_REDIR_DOCUSIGN matches a www.google.com/url? link whose query | |
 | # contains q=http(s)://www.docusign.com/ (case-insensitive). The pattern | |
 | # uses ';' as the regex delimiter so the slashes need no escaping. | |
 | # Per the describe text, the signal is that a link to the signing service | |
 | # is routed through a redirector instead of pointing to it directly. | |
1901 | uri GOOG_REDIR_DOCUSIGN m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i | |
1902 | describe GOOG_REDIR_DOCUSIGN Indirect docusign link, probable phishing | |
1903 | tflags GOOG_REDIR_DOCUSIGN publish | |
1904 | ##} GOOG_REDIR_DOCUSIGN | |
1905 | ||
1906 | ##{ GOOG_REDIR_NORDNS | |
1907 | ||
1908 | meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE | |
1909 | describe GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website + no rDNS | |
1910 | ##} GOOG_REDIR_NORDNS | |
1911 | ||
1912 | ##{ GOOG_REDIR_SHORT | |
1913 | ||
1914 | meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512 | |
1915 | describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message | |
1916 | tflags GOOG_REDIR_SHORT publish | |
1917 | ##} GOOG_REDIR_SHORT | |
1918 | ||
1919 | ##{ GOOG_STO_HTML_PHISH | |
1920 | ||
1921 | meta GOOG_STO_HTML_PHISH __GOOG_STO_HTML_PHISH | |
1922 | describe GOOG_STO_HTML_PHISH Possible phishing with google content hosting to avoid URIBL | |
1923 | #score GOOG_STO_HTML_PHISH 3.00 # limit | |
1924 | tflags GOOG_STO_HTML_PHISH publish | |
1925 | ##} GOOG_STO_HTML_PHISH | |
1926 | ||
1927 | ##{ GOOG_STO_HTML_PHISH_MANY | |
1928 | ||
1929 | meta GOOG_STO_HTML_PHISH_MANY __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY) | |
1930 | describe GOOG_STO_HTML_PHISH_MANY Phishing with google content hosting to avoid URIBL | |
1931 | #score GOOG_STO_HTML_PHISH_MANY 4.00 # limit | |
1932 | tflags GOOG_STO_HTML_PHISH_MANY publish | |
1933 | ##} GOOG_STO_HTML_PHISH_MANY | |
1934 | ||
1935 | ##{ GOOG_STO_IMG_HTML | |
1936 | ||
1937 | meta GOOG_STO_IMG_HTML __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY | |
1938 | describe GOOG_STO_IMG_HTML Apparently using google content hosting to avoid URIBL | |
1939 | #score GOOG_STO_IMG_HTML 3.000 # limit | |
1940 | tflags GOOG_STO_IMG_HTML publish | |
1941 | ##} GOOG_STO_IMG_HTML | |
1942 | ||
1943 | ##{ GOOG_STO_IMG_NOHTML | |
1944 | ||
1945 | meta GOOG_STO_IMG_NOHTML __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !URI_GOOG_STO_SPAMMY | |
1946 | describe GOOG_STO_IMG_NOHTML Apparently using google content hosting to avoid URIBL | |
1947 | #score GOOG_STO_IMG_NOHTML 2.500 # limit | |
1948 | tflags GOOG_STO_IMG_NOHTML publish | |
1949 | ##} GOOG_STO_IMG_NOHTML | |
1950 | ||
1951 | ##{ GOOG_STO_NOIMG_HTML | |
1952 | ||
1953 | meta GOOG_STO_NOIMG_HTML __GOOG_STO_NOIMG_HTML && !URI_GOOG_STO_SPAMMY | |
1954 | describe GOOG_STO_NOIMG_HTML Apparently using google content hosting to avoid URIBL | |
1955 | #score GOOG_STO_NOIMG_HTML 3.000 # limit | |
1956 | tflags GOOG_STO_NOIMG_HTML publish | |
1957 | ##} GOOG_STO_NOIMG_HTML | |
1958 | ||
1959 | ##{ HAS_X_NO_RELAY | |
1960 | ||
1961 | meta HAS_X_NO_RELAY __HAS_X_NO_RELAY && !__TO_EQ_FROM_1 | |
1962 | describe HAS_X_NO_RELAY Has spammy header | |
1963 | #score HAS_X_NO_RELAY 2.500 # limit | |
1964 | tflags HAS_X_NO_RELAY publish | |
1965 | ##} HAS_X_NO_RELAY | |
1966 | ||
1967 | ##{ HAS_X_OUTGOING_SPAM_STAT | |
1968 | ||
 | # HAS_X_OUTGOING_SPAM_STAT treats a header that claims an outbound spam | |
 | # scan as a spam sign: the header arrives with the message, so the | |
 | # receiving side has no basis for trusting it (see the describe text). | |
 | # The rule is suppressed for mailing-list, Mailman, auto-reply and | |
 | # thread-index cases, going by the sub-rule names; their definitions are | |
 | # outside this excerpt. | |
1969 | meta HAS_X_OUTGOING_SPAM_STAT __HAS_X_OUTGOING_SPAM_STAT && !MAILING_LIST_MULTI && !__HAS_X_MAILMAN_VERSION && !__AUTOREPLY_ASU && !__THREAD_INDEX_GOOD | |
1970 | describe HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - why trust the results? | |
1971 | #score HAS_X_OUTGOING_SPAM_STAT 3.000 # limit | |
1972 | tflags HAS_X_OUTGOING_SPAM_STAT publish | |
1973 | ##} HAS_X_OUTGOING_SPAM_STAT | |
1974 | ||
1975 | ##{ HDRS_LCASE | |
1976 | ||
 | # HDRS_LCASE is defined in three pieces: the describe text here, and two | |
 | # mutually exclusive 'meta' definitions below, chosen by whether the | |
 | # FreeMail plugin is loaded. The two expressions are identical except that | |
 | # the FreeMail variant adds the exclusion !__freemail_safe. | |
 | # Both variants exclude trusted, authenticated and mailing-list style mail | |
 | # (ALL_TRUSTED, __NOT_SPOOFED, __DKIM_EXISTS, __VIA_ML and others), so the | |
 | # rule only hits when none of those exclusions applies. | |
1977 | describe HDRS_LCASE Odd capitalization of message header | |
1978 | #score HDRS_LCASE 0.10 # limit | |
1979 | ##} HDRS_LCASE | |
1980 | ||
1981 | ##{ HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
1982 | ||
1983 | if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
1984 | meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO | |
1985 | endif | |
1986 | ##} HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
1987 | ||
1988 | ##{ HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1989 | ||
1990 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1991 | meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO | |
1992 | endif | |
1993 | ##} HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1994 | ||
1995 | ##{ HDRS_LCASE_IMGONLY | |
1996 | ||
1997 | meta HDRS_LCASE_IMGONLY __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN | |
1998 | describe HDRS_LCASE_IMGONLY Odd capitalization of message headers + image-only HTML | |
1999 | #score HDRS_LCASE_IMGONLY 0.10 # limit | |
2000 | ##} HDRS_LCASE_IMGONLY | |
2001 | ||
2002 | ##{ HDRS_MISSP | |
2003 | ||
2004 | meta HDRS_MISSP __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY) | |
2005 | describe HDRS_MISSP Misspaced headers | |
2006 | #score HDRS_MISSP 2.500 # limit | |
2007 | tflags HDRS_MISSP publish | |
2008 | ##} HDRS_MISSP | |
2009 | ||
2010 | ##{ HDR_ORDER_FTSDMCXX_001C | |
2011 | ||
2012 | meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C) | |
2013 | describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant) | |
2014 | ##} HDR_ORDER_FTSDMCXX_001C | |
2015 | ||
2016 | ##{ HDR_ORDER_FTSDMCXX_BAT | |
2017 | ||
2018 | meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY) | |
2019 | describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant) | |
2020 | ##} HDR_ORDER_FTSDMCXX_BAT | |
2021 | ||
2022 | ##{ HDR_ORDER_FTSDMCXX_DIRECT | |
2023 | ||
 | # HDR_ORDER_FTSDMCXX_DIRECT combines the header-order sub-rule | |
 | # __HDR_ORDER_FTSDMCXXXX with __DOS_SINGLE_EXT_RELAY and excludes trusted | |
 | # and mailing-list mail (!ALL_TRUSTED, !__VIA_ML). | |
 | # NOTE(review): the describe text says "boundary variant", but this | |
 | # expression does not test __BAT_BOUNDARY (HDR_ORDER_FTSDMCXX_BAT does); | |
 | # the wording looks carried over -- read reports by rule name. | |
2024 | meta HDR_ORDER_FTSDMCXX_DIRECT (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML | |
2025 | describe HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX | |
2026 | #score HDR_ORDER_FTSDMCXX_DIRECT 2.000 # limit | |
2027 | tflags HDR_ORDER_FTSDMCXX_DIRECT publish | |
2028 | ##} HDR_ORDER_FTSDMCXX_DIRECT | |
2029 | ||
2030 | ##{ HDR_ORDER_FTSDMCXX_NORDNS | |
2031 | ||
2032 | meta HDR_ORDER_FTSDMCXX_NORDNS (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED | |
2033 | describe HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS | |
2034 | #score HDR_ORDER_FTSDMCXX_NORDNS 3.500 # limit | |
2035 | tflags HDR_ORDER_FTSDMCXX_NORDNS publish | |
2036 | ##} HDR_ORDER_FTSDMCXX_NORDNS | |
2037 | ||
2038 | ##{ HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
2039 | ||
2040 | ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
2041 | header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999') | |
2042 | describe HEADER_COUNT_SUBJECT Multiple Subject headers found | |
2043 | endif | |
2044 | ##} HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
2045 | ||
2046 | ##{ HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) | |
2047 | ||
 | # Defined only when the FreeMail and HeaderEval plugins are both loaded and the | |
 | # version test passes (three nested guards, closed by the three endif lines). | |
2048 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2049 | ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
2050 | if (version >= 3.004000) | |
 | # The logic lives in the eval function, which is not shown here; per the describe | |
 | # text the rule flags a From / EnvelopeFrom domain mismatch. | |
 | # NOTE(review): a mismatch on its own is presumably common for legitimately relayed | |
 | # mail (lists, forwarders, bulk senders), which fits the low commented score of 0.25. | |
 | # Treat a hit as a weak signal to combine with others, not as a spoofing verdict. | |
 | # NOTE(review): the result depends on the envelope sender being available to the | |
 | # scanner (see envelope_sender_header); confirm for the local MTA setup. | |
2051 | header HEADER_FROM_DIFFERENT_DOMAINS eval:check_equal_from_domains() | |
2052 | describe HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different | |
2053 | # score HEADER_FROM_DIFFERENT_DOMAINS 0.25 | |
2054 | tflags HEADER_FROM_DIFFERENT_DOMAINS publish | |
2055 | endif | |
2056 | endif | |
2057 | endif | |
2058 | ##} HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) | |
2059 | ||
2060 | ##{ HELO_FRIEND | |
2061 | ||
 | # The four HELO_* rules below share one shape: the leading ^[^\]]+ cannot cross a | |
 | # closing bracket, so only the text before the first "]" of X-Spam-Relays-External | |
 | # is examined, presumably the first relay entry (confirm entry order against the | |
 | # Mail::SpamAssassin::Conf documentation). The trailing space in each pattern | |
 | # requires the helo= value to end exactly there. | |
 | # NOTE(review): the HELO value is whatever the connecting client announced, and which | |
 | # relay counts as external depends on trusted_networks / internal_networks; a wrong | |
 | # network boundary makes these rules look at the wrong hop. | |
 | # None of the four carries a describe or score line in this excerpt. | |
 | # HELO_FRIEND: helo value is exactly "friend" (case-insensitive). | |
2062 | header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i | |
2063 | ##} HELO_FRIEND | |
2064 | ||
2065 | ##{ HELO_LH_HOME | |
2066 | ||
 | # HELO_LH_HOME: helo value ends in ".home" or ".lan". | |
2067 | header HELO_LH_HOME X-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i | |
2068 | ##} HELO_LH_HOME | |
2069 | ||
2070 | ##{ HELO_LH_LD | |
2071 | ||
 | # HELO_LH_LD: helo value is exactly "localhost.localdomain". | |
2072 | header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i | |
2073 | ##} HELO_LH_LD | |
2074 | ||
2075 | ##{ HELO_LOCALHOST | |
2076 | ||
 | # HELO_LOCALHOST: helo value is exactly "localhost"; also used as an exclusion in | |
 | # the HELO_NO_DOMAIN meta rule. | |
2077 | header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i | |
2078 | ##} HELO_LOCALHOST | |
2079 | ||
2080 | ##{ HELO_MISC_IP | |
2081 | ||
2082 | meta HELO_MISC_IP (__HELO_MISC_IP && !HELO_DYNAMIC_IPADDR && !HELO_DYNAMIC_IPADDR2 && !HELO_DYNAMIC_SPLIT_IP && !HELO_DYNAMIC_HCC && !HELO_DYNAMIC_DIALIN && ((TVD_RCVD_IP4 + TVD_RCVD_IP + __FSL_HELO_BARE_IP_2) <2)) | |
2083 | describe HELO_MISC_IP Looking for more Dynamic IP Relays | |
2084 | #score HELO_MISC_IP 0.25 | |
2085 | ##} HELO_MISC_IP | |
2086 | ||
2087 | ##{ HELO_NO_DOMAIN | |
2088 | ||
2089 | meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST | |
2090 | describe HELO_NO_DOMAIN Relay reports its domain incorrectly | |
2091 | tflags HELO_NO_DOMAIN publish | |
2092 | ##} HELO_NO_DOMAIN | |
2093 | ||
2094 | ##{ HELO_OEM | |
2095 | ||
 | # Matches a helo value of exactly "pc", or one starting with "oem" followed by any | |
 | # non-space characters, within the text before the first "]" of | |
 | # X-Spam-Relays-External (the ^[^\]]+ prefix cannot cross a closing bracket). | |
 | # Case-insensitive; no describe or score line in this excerpt. | |
2096 | header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i | |
2097 | ##} HELO_OEM | |
2098 | ||
2099 | ##{ HEXHASH_WORD | |
2100 | ||
2101 | meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER | |
2102 | describe HEXHASH_WORD Multiple instances of word + hexadecimal hash | |
2103 | #score HEXHASH_WORD 3.000 # limit | |
2104 | tflags HEXHASH_WORD publish | |
2105 | ##} HEXHASH_WORD | |
2106 | ||
2107 | ##{ HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2108 | ||
2109 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2110 | mimeheader HK_CTE_RAW Content-Transfer-Encoding =~ /^raw$/ | |
2111 | #score HK_CTE_RAW 2 | |
2112 | tflags HK_CTE_RAW publish | |
2113 | endif | |
2114 | ##} HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2115 | ||
2116 | ##{ HK_LOTTO | |
2117 | ||
2118 | meta HK_LOTTO __HK_LOTTO_2 || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT | |
2119 | #score HK_LOTTO 1 | |
2120 | ##} HK_LOTTO | |
2121 | ||
2122 | ##{ HK_NAME_DRUGS | |
2123 | ||
2124 | header HK_NAME_DRUGS From:name =~ /(viagra|\bcialis|cialis\b)/mi | |
2125 | describe HK_NAME_DRUGS From name contains drugs | |
2126 | #score HK_NAME_DRUGS 2 | |
2127 | ##} HK_NAME_DRUGS | |
2128 | ||
2129 | ##{ HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
2130 | ||
2131 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2132 | if (version >= 3.004000) | |
2133 | meta HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM | |
2134 | # score HK_NAME_FM_MR_MRS 1.5 | |
2135 | endif | |
2136 | endif | |
2137 | ##} HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
2138 | ||
2139 | ##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
2140 | ||
2141 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2142 | if (version >= 3.004000) | |
2143 | meta HK_NAME_MR_MRS __HK_NAME_MR_MRS && !FREEMAIL_FROM | |
2144 | # score HK_NAME_MR_MRS 1.0 | |
2145 | endif | |
2146 | endif | |
2147 | ##} HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
2148 | ||
2149 | ##{ HK_RANDOM_ENVFROM | |
2150 | ||
 | # HK_RANDOM_ENVFROM, HK_RANDOM_FROM and HK_RANDOM_REPLYTO apply one identical pattern | |
 | # to EnvelopeFrom, From:addr and Reply-To:addr; any change must be made in all three. | |
 | # Pattern, in order: | |
 | #  1. Negative lookahead at the start: no hit if the value begins with "mail" or | |
 | #     "bounce" followed by "_", "." or "-"; or if the part before "@" contains one of | |
 | #     + = ^ ~ # - or one of the listed letter strings; or if it starts with 26 | |
 | #     characters that are not "@"; or if the domain part ends with one of the listed | |
 | #     names plus a 2-3 letter suffix. | |
 | #  2. Trigger, within the part before "@": five characters in a row from the | |
 | #     consonant class (h, s and y are not in it), or five in a row from "aeiouy", or | |
 | #     a 1-2 letter unit repeated four times in a row. | |
 | # NOTE(review): all three inputs are sender-supplied strings and the exemption list is | |
 | # broad, so a hit is a weak signal and a miss is no evidence either way; the commented | |
 | # score of 1 reflects that. | |
2151 | header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi | |
2152 | describe HK_RANDOM_ENVFROM Envelope sender username looks random | |
2153 | #score HK_RANDOM_ENVFROM 1 | |
2154 | tflags HK_RANDOM_ENVFROM publish | |
2155 | ##} HK_RANDOM_ENVFROM | |
2156 | ||
2157 | ##{ HK_RANDOM_FROM | |
2158 | ||
 | # Same pattern as HK_RANDOM_ENVFROM, applied to the From address. | |
2159 | header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi | |
2160 | describe HK_RANDOM_FROM From username looks random | |
2161 | #score HK_RANDOM_FROM 1 | |
2162 | tflags HK_RANDOM_FROM publish | |
2163 | ##} HK_RANDOM_FROM | |
2164 | ||
2165 | ##{ HK_RANDOM_REPLYTO | |
2166 | ||
 | # Same pattern as HK_RANDOM_ENVFROM, applied to the Reply-To address. | |
2167 | header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi | |
2168 | describe HK_RANDOM_REPLYTO Reply-To username looks random | |
2169 | #score HK_RANDOM_REPLYTO 1 | |
2170 | tflags HK_RANDOM_REPLYTO publish | |
2171 | ##} HK_RANDOM_REPLYTO | |
2172 | ||
2173 | ##{ HK_RCVD_IP_MULTICAST | |
2174 | ||
 | # Matches " ip=" followed by a first octet of 224-239 and a dot, i.e. an IPv4 | |
 | # address in the multicast block 224.0.0.0/4. IPv6 is not covered. | |
 | # The pattern is not anchored, so any relay entry in X-Spam-Relays-External can match. | |
 | # NOTE(review): entries past the first are presumably parsed from Received headers | |
 | # written before the mail reached a trusted host, so their content is not verified; | |
 | # a hit shows a malformed or forged trace line, not necessarily the real source. | |
2175 | header HK_RCVD_IP_MULTICAST X-Spam-Relays-External =~ / ip=(?:22[4-9]|23[0-9])\./ | |
2176 | #score HK_RCVD_IP_MULTICAST 2 | |
2177 | tflags HK_RCVD_IP_MULTICAST publish | |
2178 | ##} HK_RCVD_IP_MULTICAST | |
2179 | ||
2180 | ##{ HK_SCAM | |
2181 | ||
2182 | meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || __HK_SCAM_N16 || __HK_SCAM_S1 || __HK_SCAM_S15 || __HK_SCAM_S25 | |
2183 | #score HK_SCAM 2 | |
2184 | tflags HK_SCAM publish | |
2185 | ##} HK_SCAM | |
2186 | ||
2187 | ##{ HK_WIN | |
2188 | ||
2189 | meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2) | |
2190 | #score HK_WIN 1 | |
2191 | ##} HK_WIN | |
2192 | ||
2193 | ##{ HOSTED_IMG_DIRECT_MX | |
2194 | ||
 | # Publishes subrule __HOSTED_IMG_DIRECT_MX unless __DKIM_EXISTS is set. | |
 | # NOTE(review): __DKIM_EXISTS is defined outside this excerpt. If it only tests for | |
 | # the presence of a DKIM signature header (as the name suggests) rather than a passing | |
 | # verification, this exclusion switches the rule off for any message that merely | |
 | # carries a signature. Confirm against its definition and prefer a verified-signature | |
 | # condition where suppression matters. The same exclusion appears on | |
 | # HOSTED_IMG_MULTI, HTML_OFF_PAGE, LIST_PRTL_PUMPDUMP, LIST_PRTL_SAME_USER, | |
 | # LOTTO_AGENT and MIMEOLE_DIRECT_TO_MX. | |
2195 | meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS | |
2196 | #score HOSTED_IMG_DIRECT_MX 3.500 # limit | |
2197 | describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm site, message direct-to-mx | |
2198 | tflags HOSTED_IMG_DIRECT_MX publish | |
2199 | ##} HOSTED_IMG_DIRECT_MX | |
2200 | ||
2201 | ##{ HOSTED_IMG_DQ_UNSUB | |
2202 | ||
2203 | meta HOSTED_IMG_DQ_UNSUB __HOSTED_IMG_DQ_UNSUB | |
2204 | #score HOSTED_IMG_DQ_UNSUB 3.500 # limit | |
2205 | describe HOSTED_IMG_DQ_UNSUB Image hosted at large ecomm site, IP addr unsub link | |
2206 | tflags HOSTED_IMG_DQ_UNSUB publish | |
2207 | ##} HOSTED_IMG_DQ_UNSUB | |
2208 | ||
2209 | ##{ HOSTED_IMG_FREEM | |
2210 | ||
2211 | meta HOSTED_IMG_FREEM __HOSTED_IMG_FREEM && !__THREADED | |
2212 | #score HOSTED_IMG_FREEM 3.500 # limit | |
2213 | describe HOSTED_IMG_FREEM Image hosted at large ecomm site or redirected, freemail from or reply-to | |
2214 | tflags HOSTED_IMG_FREEM publish | |
2215 | ##} HOSTED_IMG_FREEM | |
2216 | ||
2217 | ##{ HOSTED_IMG_MULTI | |
2218 | ||
2219 | meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS | |
2220 | #score HOSTED_IMG_MULTI 3.000 # limit | |
2221 | describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm sites or redirected | |
2222 | tflags HOSTED_IMG_MULTI publish | |
2223 | ##} HOSTED_IMG_MULTI | |
2224 | ||
2225 | ##{ HOSTED_IMG_MULTI_PUB_01 | |
2226 | ||
2227 | meta HOSTED_IMG_MULTI_PUB_01 (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF | |
2228 | describe HOSTED_IMG_MULTI_PUB_01 Multiple hosted images at public site | |
2229 | #score HOSTED_IMG_MULTI_PUB_01 3.000 # limit | |
2230 | tflags HOSTED_IMG_MULTI_PUB_01 publish | |
2231 | ##} HOSTED_IMG_MULTI_PUB_01 | |
2232 | ||
2233 | ##{ HTML_ENTITY_ASCII | |
2234 | ||
2235 | meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP | |
2236 | describe HTML_ENTITY_ASCII Obfuscated ASCII | |
2237 | #score HTML_ENTITY_ASCII 3.000 # limit | |
2238 | tflags HTML_ENTITY_ASCII publish | |
2239 | ##} HTML_ENTITY_ASCII | |
2240 | ||
2241 | ##{ HTML_ENTITY_ASCII_TINY | |
2242 | ||
2243 | meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_MINFP && __HTML_FONT_TINY_01 | |
2244 | describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts | |
2245 | #score HTML_ENTITY_ASCII_TINY 3.000 # limit | |
2246 | tflags HTML_ENTITY_ASCII_TINY publish | |
2247 | ##} HTML_ENTITY_ASCII_TINY | |
2248 | ||
2249 | ##{ HTML_OFF_PAGE | |
2250 | ||
2251 | meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS | |
2252 | describe HTML_OFF_PAGE HTML element rendered well off the displayed page | |
2253 | #score HTML_OFF_PAGE 3.000 # limit | |
2254 | tflags HTML_OFF_PAGE publish | |
2255 | ##} HTML_OFF_PAGE | |
2256 | ||
2257 | ##{ HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2258 | ||
2259 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2260 | meta HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU_MANY | |
2261 | describe HTML_SHRT_CMNT_OBFU_MANY Obfuscation with many short HTML comments | |
2262 | # score HTML_SHRT_CMNT_OBFU_MANY 2.500 # limit | |
2263 | tflags HTML_SHRT_CMNT_OBFU_MANY publish | |
2264 | endif | |
2265 | ##} HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2266 | ||
2267 | ##{ HTML_SINGLET_MANY | |
2268 | ||
2269 | meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP | |
2270 | describe HTML_SINGLET_MANY Many single-letter HTML format blocks | |
2271 | #score HTML_SINGLET_MANY 2.500 # limit | |
2272 | tflags HTML_SINGLET_MANY publish | |
2273 | ##} HTML_SINGLET_MANY | |
2274 | ||
2275 | ##{ HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2276 | ||
2277 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2278 | meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID | |
2279 | describe HTML_TEXT_INVISIBLE_FONT HTML hidden text - word obfuscation? | |
2280 | # score HTML_TEXT_INVISIBLE_FONT 2.000 # limit | |
2281 | tflags HTML_TEXT_INVISIBLE_FONT publish | |
2282 | endif | |
2283 | ##} HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2284 | ||
2285 | ##{ HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2286 | ||
2287 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2288 | meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX | |
2289 | describe HTML_TEXT_INVISIBLE_STYLE HTML hidden text + other spam signs | |
2290 | # score HTML_TEXT_INVISIBLE_STYLE 3.500 # limit | |
2291 | tflags HTML_TEXT_INVISIBLE_STYLE publish | |
2292 | endif | |
2293 | ##} HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2294 | ||
2295 | ##{ HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch | |
2296 | ||
2297 | ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch | |
2298 | body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10') | |
2299 | endif | |
2300 | ##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch | |
2301 | ||
2302 | ##{ IMG_ONLY_FM_DOM_INFO | |
2303 | ||
2304 | meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO | |
2305 | describe IMG_ONLY_FM_DOM_INFO HTML image-only message from .info domain | |
2306 | #score IMG_ONLY_FM_DOM_INFO 2.500 # limit | |
2307 | tflags IMG_ONLY_FM_DOM_INFO publish | |
2308 | ##} IMG_ONLY_FM_DOM_INFO | |
2309 | ||
2310 | ##{ JH_SPAMMY_HEADERS | |
2311 | ||
2312 | meta JH_SPAMMY_HEADERS __HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGID || __HAS_X_LETTER || __HAS_X_EBSERVER || __HAS_LIST_OPEN | |
2313 | describe JH_SPAMMY_HEADERS Has unusual message header(s) seen primarily in spam | |
2314 | #score JH_SPAMMY_HEADERS 3.500 # limit | |
2315 | tflags JH_SPAMMY_HEADERS publish | |
2316 | ##} JH_SPAMMY_HEADERS | |
2317 | ||
2318 | ##{ JH_SPAMMY_PATTERN01 | |
2319 | ||
 | # Raw-body match for two img tags within 200 characters of each other whose URLs | |
 | # share the same base (group 1, at most 80 chars) and the same .jpg file name | |
 | # (group 2), differing only in the letter before the name: "C" in the first tag, "U" | |
 | # in the second. The first tag accepts either quote style; the second must use | |
 | # double quotes. Flags: i (case-insensitive), s (dot matches newline), m. | |
 | # NOTE(review): this is a signature for one campaign template and will stop matching | |
 | # when the template changes; all quantifiers are bounded, which keeps match cost | |
 | # predictable on large bodies. | |
2320 | rawbody JH_SPAMMY_PATTERN01 m;<img src=['"](https?://[^'"]{1,80}/)C([^/.]{1,30}\.jpg)['"]>.{0,200}<img src="\1U\2";ism | |
2321 | describe JH_SPAMMY_PATTERN01 Unusual pattern seen in spam campaign | |
2322 | #score JH_SPAMMY_PATTERN01 3.000 # limit | |
2323 | tflags JH_SPAMMY_PATTERN01 publish | |
2324 | ##} JH_SPAMMY_PATTERN01 | |
2325 | ||
2326 | ##{ JH_SPAMMY_PATTERN02 | |
2327 | ||
 | # Raw-body match for an img tag whose src is a ".php?" URL with "t=o" plus further | |
 | # parameters (group 2), followed within 200 characters by a link to the same URL with | |
 | # "t=c", and within another 200 characters by a link to it with "t=u". The base URL | |
 | # and the parameter tail must repeat exactly (backreferences 1 and 2). | |
2328 | rawbody JH_SPAMMY_PATTERN02 m;<img [^>]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200}<a href="\1t=c\2".{0,200}<a href="\1t=u\2";ism | |
2329 | describe JH_SPAMMY_PATTERN02 Unusual pattern seen in spam campaign | |
2330 | #score JH_SPAMMY_PATTERN02 3.000 # limit | |
2331 | tflags JH_SPAMMY_PATTERN02 publish | |
2332 | ##} JH_SPAMMY_PATTERN02 | |
2333 | ||
2334 | ##{ JM_I_FEEL_LUCKY | |
2335 | ||
 | # Matches a URI carrying the query parameter "btnI=ec", preceded by "?" or "&" and | |
 | # followed by "&" or the end of the URI. The host is not checked. | |
 | # Judging by the rule name this targets a search-engine "I'm Feeling Lucky" redirect | |
 | # link; that reading is not established by the pattern itself. | |
2336 | uri JM_I_FEEL_LUCKY /(?:\&|\?)btnI=ec(?:$|\&)/ | |
2337 | tflags JM_I_FEEL_LUCKY publish # low hitrate, but always a good sign | |
2338 | ##} JM_I_FEEL_LUCKY | |
2339 | ||
2340 | ##{ JM_RCVD_QMAILV1 | |
2341 | ||
2342 | header JM_RCVD_QMAILV1 Received =~ /by \S+ \(Qmailv1\) with ESMTP/ | |
2343 | ##} JM_RCVD_QMAILV1 | |
2344 | ||
2345 | ##{ JM_TORA_XM | |
2346 | ||
2347 | meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO) | |
2348 | ##} JM_TORA_XM | |
2349 | ||
2350 | ##{ KB_DATE_CONTAINS_TAB | |
2351 | ||
2352 | meta KB_DATE_CONTAINS_TAB __KB_DATE_CONTAINS_TAB && !__ML_TURNS_SP_TO_TAB | |
2353 | #score KB_DATE_CONTAINS_TAB 0.5 | |
2354 | ##} KB_DATE_CONTAINS_TAB | |
2355 | ||
2356 | ##{ KB_FAKED_THE_BAT | |
2357 | ||
2358 | meta KB_FAKED_THE_BAT (__THEBAT_MUA && KB_DATE_CONTAINS_TAB) | |
2359 | ##} KB_FAKED_THE_BAT | |
2360 | ||
2361 | ##{ KB_RATWARE_BOUNDARY | |
2362 | ||
2363 | meta KB_RATWARE_BOUNDARY __RATWARE_BOUND_A || __RATWARE_BOUND_B | |
2364 | ##} KB_RATWARE_BOUNDARY | |
2365 | ||
2366 | ##{ KB_RATWARE_MSGID | |
2367 | ||
2368 | meta KB_RATWARE_MSGID (__KB_MSGID_OUTLOOK_888 && __ANY_OUTLOOK_MUA) | |
2369 | ##} KB_RATWARE_MSGID | |
2370 | ||
2371 | ##{ KB_RATWARE_OUTLOOK_08 | |
2372 | ||
 | # The four KB_RATWARE_OUTLOOK_* rules match against ALL headers at once. Flag m lets | |
 | # ^ anchor at the start of the Message-Id line, flag s lets .{100,400} span header | |
 | # lines. Each captures hex digits from the Message-Id and requires the same digits to | |
 | # reappear in the MIME boundary after "_NextPart_000_", four characters and "_". | |
 | # The trailing  # "  on the first three rules is a comment; its quote balances the | |
 | # unclosed quote inside the pattern (presumably for editors and syntax highlighters). | |
 | # NOTE(review): the boundary must follow the Message-Id by 100-400 characters, so a | |
 | # different header order or header length means no match; a miss proves nothing. | |
 | # _08: one 8-digit group reused, followed by a dot in the boundary. | |
2373 | header KB_RATWARE_OUTLOOK_08 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi # " | |
2374 | ##} KB_RATWARE_OUTLOOK_08 | |
2375 | ||
2376 | ##{ KB_RATWARE_OUTLOOK_12 | |
2377 | ||
 | # _12: the 8-digit group plus the first 4 digits of the second group are reused. | |
2378 | header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # " | |
2379 | ##} KB_RATWARE_OUTLOOK_12 | |
2380 | ||
2381 | ##{ KB_RATWARE_OUTLOOK_16 | |
2382 | ||
 | # _16: both 8-digit groups are reused, joined by a dot. | |
2383 | header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # " | |
2384 | ##} KB_RATWARE_OUTLOOK_16 | |
2385 | ||
2386 | ##{ KB_RATWARE_OUTLOOK_MID | |
2387 | ||
 | # _MID: as _16, but the Message-Id must also carry a third 8-digit group and "@", | |
 | # and the boundary must end right after the second group (closing quote required). | |
2388 | header KB_RATWARE_OUTLOOK_MID ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi | |
2389 | ##} KB_RATWARE_OUTLOOK_MID | |
2390 | ||
2391 | ##{ KHOP_FAKE_EBAY | |
2392 | ||
2393 | meta KHOP_FAKE_EBAY __EBAY_ADDRESS && !__NOT_SPOOFED | |
2394 | describe KHOP_FAKE_EBAY Sender falsely claims to be from eBay | |
2395 | ##} KHOP_FAKE_EBAY | |
2396 | ||
2397 | ##{ KHOP_HELO_FCRDNS | |
2398 | ||
2399 | meta KHOP_HELO_FCRDNS __HELO_NOT_RDNS && !(__VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || __NOT_SPOOFED || __RDNS_SHORT) | |
2400 | describe KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS | |
2401 | #score KHOP_HELO_FCRDNS 0.4 # 20090603 | |
2402 | ##} KHOP_HELO_FCRDNS | |
2403 | ||
2404 | ##{ LIST_PRTL_PUMPDUMP | |
2405 | ||
2406 | meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS | |
2407 | describe LIST_PRTL_PUMPDUMP Incomplete List-* headers and stock pump-and-dump | |
2408 | #score LIST_PRTL_PUMPDUMP 2.000 # limit | |
2409 | tflags LIST_PRTL_PUMPDUMP publish | |
2410 | ##} LIST_PRTL_PUMPDUMP | |
2411 | ||
2412 | ##{ LIST_PRTL_SAME_USER | |
2413 | ||
2414 | meta LIST_PRTL_SAME_USER __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO | |
2415 | describe LIST_PRTL_SAME_USER Incomplete List-* headers and from+to user the same | |
2416 | #score LIST_PRTL_SAME_USER 3.000 # limit | |
2417 | tflags LIST_PRTL_SAME_USER publish | |
2418 | ##} LIST_PRTL_SAME_USER | |
2419 | ||
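2420 | ##{ LIVEFILESTORE | |
2421 | ||
 | # Matches any URI containing "livefilestore.com/". The dot is escaped so that only a | |
 | # literal dot matches; unescaped it would accept any character in that position. | |
 | # The pattern is not anchored, so it also matches when the string is the tail of a | |
 | # longer host name or appears in a path or query. No describe or score line here. | |
2422 | uri LIVEFILESTORE m~livefilestore\.com/~ | |
2423 | ##} LIVEFILESTORE | |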
2424 | ||
2425 | ##{ LONG_HEX_URI | |
2426 | ||
2427 | meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024 | |
2428 | describe LONG_HEX_URI Very long purely hexadecimal URI | |
2429 | #score LONG_HEX_URI 3.000 # limit | |
2430 | tflags LONG_HEX_URI publish | |
2431 | ##} LONG_HEX_URI | |
2432 | ||
2433 | ##{ LONG_IMG_URI | |
2434 | ||
2435 | meta LONG_IMG_URI __45_ALNUM_IMG && !ALL_TRUSTED && !__HAS_ERRORS_TO | |
2436 | describe LONG_IMG_URI Image URI with very long path component - web bug? | |
2437 | #score LONG_IMG_URI 3.000 # limit | |
2438 | tflags LONG_IMG_URI publish | |
2439 | ##} LONG_IMG_URI | |
2440 | ||
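2441 | ##{ LONG_INVISIBLE_TEXT | |
2442 | ||
 | # LONG_INVISIBLE_TEXT is split over three sections: the describe/tflags lines here | |
 | # apply always, and exactly one of the two meta definitions below is active, | |
 | # depending on whether the feature_bug6558_free capability is available. | |
2443 | describe LONG_INVISIBLE_TEXT Long block of hidden text - bayes poison? | |
2444 | #score LONG_INVISIBLE_TEXT 3.000 # limit | |
2445 | tflags LONG_INVISIBLE_TEXT publish | |
2446 | ##} LONG_INVISIBLE_TEXT | |
2447 | ||
2448 | ##{ LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) | |
2449 | ||
 | # Without the capability the rule is just the __LONG_INVIS_DIV subrule. | |
2450 | if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) | |
2451 | meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV | |
2452 | endif | |
2453 | ##} LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) | |
2454 | ||
2455 | ##{ LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2456 | ||
 | # With the capability: __LONG_INVIS_DIV, or __LONG_STY_INVIS with none of the listed | |
 | # exclusions set. The repeated !__RCD_RDNS_MTA_MESSY and !__USING_VERP1 terms were | |
 | # dropped; each is still tested once, so the result is unchanged. | |
2457 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2458 | meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV || (__LONG_STY_INVIS && !__UNSUB_LINK && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__RCD_RDNS_MTA && !__MIME_QP && !__HAS_X_MAILER && !__REPTO_QUOTE ) | |
2459 | endif | |
2460 | ##} LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |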
2461 | ||
2462 | ##{ LONG_TERM_PRICE | |
2463 | ||
2464 | body LONG_TERM_PRICE /long\W+term\W+(target|projected)(\W+price)?/i | |
2465 | ##} LONG_TERM_PRICE | |
2466 | ||
2467 | ##{ LOOPHOLE_1 | |
2468 | ||
2469 | body LOOPHOLE_1 /loop-?hole in the banking/i | |
2470 | describe LOOPHOLE_1 A loop hole in the banking laws? | |
2471 | ##} LOOPHOLE_1 | |
2472 | ||
2473 | ##{ LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
2474 | ||
 | # Fallback when the ReplaceTags plugin is not loaded: the rule is defined as the | |
 | # constant 0, so it never hits but the name still exists (presumably so that rules | |
 | # referring to LOTS_OF_MONEY keep resolving). | |
 | # NOTE(review): on such an installation this signal is silently absent; check plugin | |
 | # loading when money-related detections appear to be missing. | |
2475 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
2476 | meta LOTS_OF_MONEY 0 | |
2477 | endif | |
2478 | ##} LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
2479 | ||
2480 | ##{ LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
2481 | ||
 | # With ReplaceTags loaded: hits when any of the six __LOTSA_MONEY_00..05 subrules | |
 | # fires and __TRAVEL_ITINERARY does not. The subrules are defined outside this excerpt. | |
2482 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
2483 | meta LOTS_OF_MONEY (__LOTSA_MONEY_00 || __LOTSA_MONEY_01 || __LOTSA_MONEY_02 || __LOTSA_MONEY_03 || __LOTSA_MONEY_04 || __LOTSA_MONEY_05) && !__TRAVEL_ITINERARY | |
2484 | describe LOTS_OF_MONEY Huge... sums of money | |
2485 | # score LOTS_OF_MONEY 0.01 | |
2486 | tflags LOTS_OF_MONEY publish | |
2487 | endif | |
2488 | ##} LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
2489 | ||
2490 | ##{ LOTTERY_1 | |
2491 | ||
2492 | meta LOTTERY_1 (__DBLCLAIM && __CASHPRZ) | |
2493 | ##} LOTTERY_1 | |
2494 | ||
2495 | ##{ LOTTERY_PH_004470 | |
2496 | ||
2497 | meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY) | |
2498 | ##} LOTTERY_PH_004470 | |
2499 | ||
2500 | ##{ LOTTO_AGENT | |
2501 | ||
2502 | meta LOTTO_AGENT __LOTTO_AGENT && !__HAS_IN_REPLY_TO && !__THREADED && !__TO_YOUR_ORG && !__DKIM_EXISTS && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT && !__HAS_ERRORS_TO && !__RP_MATCHES_RCVD | |
2503 | describe LOTTO_AGENT Claims Agent | |
2504 | #score LOTTO_AGENT 1.50 # limit | |
2505 | ##} LOTTO_AGENT | |
2506 | ||
2507 | ##{ LUCRATIVE | |
2508 | ||
2509 | meta LUCRATIVE ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED | |
2510 | describe LUCRATIVE Make lots of money! | |
2511 | #score LUCRATIVE 2.00 # limit | |
2512 | tflags LUCRATIVE publish | |
2513 | ##} LUCRATIVE | |
2514 | ||
2515 | ##{ L_SPAM_TOOL_13 | |
2516 | ||
 | # Checks the numeric time-zone offset at the very end of the Date header: sign, two | |
 | # hour digits, two minute digits. It hits when the tens digit of the minutes is | |
 | # neither 0 nor 3 (class [124-9]), except when the last three digits are 245, 345, | |
 | # 545 or 845, which the negative lookahead exempts. | |
 | # Because of the $ anchor, a Date value with anything after the offset (for example | |
 | # a parenthesised zone name) cannot match. No describe or score line here. | |
2517 | header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/ | |
2518 | ##} L_SPAM_TOOL_13 | |
2519 | ||
2520 | ##{ MALFORMED_FREEMAIL | |
2521 | ||
2522 | meta MALFORMED_FREEMAIL (MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM | |
2523 | describe MALFORMED_FREEMAIL Bad headers on message from free email service | |
2524 | ##} MALFORMED_FREEMAIL | |
2525 | ||
2526 | ##{ MALF_HTML_B64 | |
2527 | ||
2528 | meta MALF_HTML_B64 MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG | |
2529 | describe MALF_HTML_B64 Malformatted base64-encoded HTML content | |
2530 | #score MALF_HTML_B64 3.500 # limit | |
2531 | tflags MALF_HTML_B64 publish | |
2532 | ##} MALF_HTML_B64 | |
2533 | ||
2534 | ##{ MALWARE_NORDNS | |
2535 | ||
2536 | meta MALWARE_NORDNS __MALWARE_NORDNS && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01 | |
2537 | describe MALWARE_NORDNS Malware bragging + no rDNS | |
2538 | #score MALWARE_NORDNS 3.500 # limit | |
2539 | tflags MALWARE_NORDNS publish | |
2540 | ##} MALWARE_NORDNS | |
2541 | ||
2542 | ##{ MALWARE_PASSWORD | |
2543 | ||
2544 | meta MALWARE_PASSWORD __MALWARE_PASSWORD && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01 | |
2545 | describe MALWARE_PASSWORD Malware bragging + "password" | |
2546 | #score MALWARE_PASSWORD 3.500 # limit | |
2547 | tflags MALWARE_PASSWORD publish | |
2548 | ##} MALWARE_PASSWORD | |
2549 | ||
2550 | ##{ MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2551 | ||
2552 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2553 | meta MALW_ATTACH __MALW_ATTACH && !__HAS_THREAD_INDEX | |
2554 | describe MALW_ATTACH Attachment filename suspicious, probable malware exploit | |
2555 | tflags MALW_ATTACH publish | |
2556 | endif | |
2557 | ##} MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2558 | ||
2559 | ##{ MANY_HDRS_LCASE | |
2560 | ||
2561 | describe MANY_HDRS_LCASE Odd capitalization of multiple message headers | |
2562 | #score MANY_HDRS_LCASE 0.10 # limit | |
2563 | ##} MANY_HDRS_LCASE | |
2564 | ||
2565 | ##{ MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
2566 | ||
2567 | if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
2568 | meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE | |
2569 | endif | |
2570 | ##} MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
2571 | ||
2572 | ##{ MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2573 | ||
2574 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2575 | meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE | |
2576 | endif | |
2577 | ##} MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2578 | ||
2579 | ##{ MANY_SPAN_IN_TEXT | |
2580 | ||
2581 | meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML | |
2582 | describe MANY_SPAN_IN_TEXT Many <SPAN> tags embedded within text | |
2583 | tflags MANY_SPAN_IN_TEXT publish | |
2584 | ##} MANY_SPAN_IN_TEXT | |
2585 | ||
2586 | ##{ MAY_BE_FORGED | |
2587 | ||
2588 | meta MAY_BE_FORGED __MAY_BE_FORGED && !__NOT_SPOOFED && !__VIA_ML | |
2589 | describe MAY_BE_FORGED Relay IP's reverse DNS does not resolve to IP | |
2590 | ##} MAY_BE_FORGED | |
2591 | ||
2592 | ##{ MID_DEGREES | |
2593 | ||
2594 | header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/ | |
2595 | ##} MID_DEGREES | |
2596 | ||
2597 | ##{ MILLION_HUNDRED | |
2598 | ||
2599 | body MILLION_HUNDRED /Million\s+\S+\s+Hundred/i | |
2600 | describe MILLION_HUNDRED Million "One to Nine" Hundred | |
2601 | tflags MILLION_HUNDRED publish | |
2602 | ##} MILLION_HUNDRED | |
2603 | ||
2604 | ##{ MILLION_USD | |
2605 | ||
2606 | body MILLION_USD /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i | |
2607 | describe MILLION_USD Talks about millions of dollars | |
2608 | #score MILLION_USD 2 | |
2609 | ##} MILLION_USD | |
2610 | ||
2611 | ##{ MIMEOLE_DIRECT_TO_MX | |
2612 | ||
2613 | meta MIMEOLE_DIRECT_TO_MX __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS | |
2614 | describe MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX | |
2615 | #score MIMEOLE_DIRECT_TO_MX 2.000 # limit | |
2616 | tflags MIMEOLE_DIRECT_TO_MX publish | |
2617 | ##} MIMEOLE_DIRECT_TO_MX | |
2618 | ||
2619 | ##{ MIME_BOUND_EQ_REL | |
2620 | ||
2621 | header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s | |
2622 | ##} MIME_BOUND_EQ_REL | |
2623 | ||
2624 | ##{ MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2625 | ||
2626 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2627 | meta MIME_NO_TEXT __MIME_NO_TEXT && !__BOUNCE_CTYPE && !__CT_ENCRYPTED && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__USER_AGENT_APPLEMAIL && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__HS_SUBJ_RE_FW && !__PDF_ATTACH && !__LCL__KAM_BODY_LENGTH_LT_128 | |
2628 | # score MIME_NO_TEXT 2.00 # limit | |
2629 | describe MIME_NO_TEXT No (properly identified) text body parts | |
2630 | tflags MIME_NO_TEXT publish | |
2631 | endif | |
2632 | ##} MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2633 | ||
2634 | ##{ MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2635 | ||
2636 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2637 | meta MIME_PHP_NO_TEXT (MIME_NO_TEXT && __PHP_MUA) | |
2638 | describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP | |
2639 | endif | |
2640 | ##} MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2641 | ||
2642 | ##{ MIXED_AREA_CASE | |
2643 | ||
2644 | meta MIXED_AREA_CASE __MIXED_AREA_CASE | |
2645 | describe MIXED_AREA_CASE Has area tag in mixed case | |
2646 | #score MIXED_AREA_CASE 2.500 # limit | |
2647 | tflags MIXED_AREA_CASE publish | |
2648 | ##} MIXED_AREA_CASE | |
2649 | ||
2650 | ##{ MIXED_CENTER_CASE | |
2651 | ||
2652 | meta MIXED_CENTER_CASE __MIXED_CENTER_CASE | |
2653 | describe MIXED_CENTER_CASE Has center tag in mixed case | |
2654 | #score MIXED_CENTER_CASE 2.500 # limit | |
2655 | tflags MIXED_CENTER_CASE publish | |
2656 | ##} MIXED_CENTER_CASE | |
2657 | ||
2658 | ##{ MIXED_CTYPE_CASE | |
2659 | ||
 | # Matches a Content-Type value that starts with "text/" in any letter case followed | |
 | # by "html" spelled in mixed case: the lookahead rejects the all-lowercase and | |
 | # all-uppercase spellings, and the character classes then accept any other mix. | |
 | # Only the top-level Content-Type header is tested by a "header" rule; no describe | |
 | # or score line here. | |
2660 | header MIXED_CTYPE_CASE Content-Type =~ m;^(?i:text/)(?!html|HTML)[Hh][Tt][Mm][Ll]; | |
2661 | ##} MIXED_CTYPE_CASE | |
2662 | ||
2663 | ##{ MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
2664 | ||
 | # Defined only when the feature_bug6558_free capability is available and the | |
 | # ReplaceTags plugin is loaded. | |
2665 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2666 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
 | # Arithmetic meta: requires HTML_IMAGE_ONLY_16 not to hit, __LOWER_E above 20, and | |
 | # __E_LIKE_LETTER strictly between 1.4 times (written as *14/10) and 10 times | |
 | # __LOWER_E. The comparisons assume both subrules yield hit counts rather than 0/1; | |
 | # they are defined outside this excerpt, so confirm they are counting rules. | |
 | # NOTE(review): the commented "lang ... score" lines name pl, cz, sk, hr and el, | |
 | # presumably languages where look-alike letters occur in normal text; expect false | |
 | # positives there if the rule is scored without a per-language override. | |
2667 | meta MIXED_ES ( ! HTML_IMAGE_ONLY_16 ) && ( __LOWER_E > 20 ) && ( __E_LIKE_LETTER > ( (__LOWER_E * 14 ) / 10) ) && ( __E_LIKE_LETTER < ( 10 * __LOWER_E ) ) | |
2668 | describe MIXED_ES Too many es are not es | |
2669 | tflags MIXED_ES publish | |
2670 | # lang pl score MIXED_ES 0.01 | |
2671 | # lang cz score MIXED_ES 0.01 | |
2672 | # lang sk score MIXED_ES 0.01 | |
2673 | # lang hr score MIXED_ES 0.01 | |
2674 | # lang el score MIXED_ES 0.01 | |
2675 | endif | |
2676 | endif | |
2677 | ##} MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
2678 | ||
2679 | ##{ MIXED_FONT_CASE | |
2680 | ||
2681 | meta MIXED_FONT_CASE __MIXED_FONT_CASE | |
2682 | describe MIXED_FONT_CASE Has font tag in mixed case | |
2683 | #score MIXED_FONT_CASE 2.500 # limit | |
2684 | tflags MIXED_FONT_CASE publish | |
2685 | ##} MIXED_FONT_CASE | |
2686 | ||
2687 | ##{ MIXED_HREF_CASE | |
2688 | ||
2689 | meta MIXED_HREF_CASE __MIXED_HREF_CASE_JH | |
2690 | describe MIXED_HREF_CASE Has href in mixed case | |
2691 | #score MIXED_HREF_CASE 2.000 # limit | |
2692 | tflags MIXED_HREF_CASE publish | |
2693 | ##} MIXED_HREF_CASE | |
2694 | ||
2695 | ##{ MIXED_IMG_CASE | |
2696 | ||
2697 | meta MIXED_IMG_CASE __MIXED_IMG_CASE_JH && !__MSGID_JAVAMAIL | |
2698 | describe MIXED_IMG_CASE Has img tag in mixed case | |
2699 | #score MIXED_IMG_CASE 3.000 # limit | |
2700 | tflags MIXED_IMG_CASE publish | |
2701 | ##} MIXED_IMG_CASE | |
2702 | ||
2703 | ##{ MONERO_DEADLINE | |
2704 | ||
 | # The four MONERO_* rules all build on the __MONERO subrule (defined outside this | |
 | # excerpt). MONERO_EXTORT_01 is the combined extortion rule; the other three exclude | |
 | # it, so a message that hits MONERO_EXTORT_01 does not also hit them. | |
 | # NOTE(review): because of that exclusion, the three narrower rules only show up in | |
 | # reports when __EXTORT_MANY did not fire; read their absence accordingly. | |
 | # MONERO_DEADLINE: __MONERO and __HOURS_DEADLINE. | |
2705 | meta MONERO_DEADLINE __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01 | |
2706 | describe MONERO_DEADLINE Monero cryptocurrency with a deadline | |
2707 | #score MONERO_DEADLINE 3.000 # limit | |
2708 | tflags MONERO_DEADLINE publish | |
2709 | ##} MONERO_DEADLINE | |
2710 | ||
2711 | ##{ MONERO_EXTORT_01 | |
2712 | ||
 | # MONERO_EXTORT_01: __MONERO and __EXTORT_MANY; no exclusions. | |
2713 | meta MONERO_EXTORT_01 __MONERO && __EXTORT_MANY | |
2714 | describe MONERO_EXTORT_01 Extortion spam, pay via Monero cryptocurrency | |
2715 | #score MONERO_EXTORT_01 5.000 # limit | |
2716 | tflags MONERO_EXTORT_01 publish | |
2717 | ##} MONERO_EXTORT_01 | |
2718 | ||
2719 | ##{ MONERO_MALWARE | |
2720 | ||
 | # MONERO_MALWARE: __MONERO and __MY_MALWARE. | |
2721 | meta MONERO_MALWARE __MONERO && __MY_MALWARE && !MONERO_EXTORT_01 | |
2722 | describe MONERO_MALWARE Monero cryptocurrency + malware bragging | |
2723 | #score MONERO_MALWARE 3.500 # limit | |
2724 | tflags MONERO_MALWARE publish | |
2725 | ##} MONERO_MALWARE | |
2726 | ||
2727 | ##{ MONERO_PAY_ME | |
2728 | ||
 | # MONERO_PAY_ME: __MONERO and __PAY_ME. | |
2729 | meta MONERO_PAY_ME __MONERO && __PAY_ME && !MONERO_EXTORT_01 | |
2730 | describe MONERO_PAY_ME Pay me via Monero cryptocurrency | |
2731 | #score MONERO_PAY_ME 3.000 # limit | |
2732 | tflags MONERO_PAY_ME publish | |
2733 | ##} MONERO_PAY_ME | |
2734 | ||
2735 | ##{ MONEY_ATM_CARD | |
2736 | ||
2737 | meta MONEY_ATM_CARD __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE | |
2738 | describe MONEY_ATM_CARD Lots of money on an ATM card | |
2739 | ##} MONEY_ATM_CARD | |
2740 | ||
2741 | ##{ MONEY_FORM | |
2742 | ||
2743 | meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP | |
2744 | describe MONEY_FORM Lots of money if you fill out a form | |
2745 | ##} MONEY_FORM | |
2746 | ||
2747 | ##{ MONEY_FORM_SHORT | |
2748 | ||
2749 | meta MONEY_FORM_SHORT __MONEY_FORM_SHORT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__THREADED && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__THREAD_INDEX_GOOD | |
2750 | describe MONEY_FORM_SHORT Lots of money if you fill out a short form | |
2751 | #score MONEY_FORM_SHORT 2.500 # limit | |
2752 | ##} MONEY_FORM_SHORT | |
2753 | ||
2754 | ##{ MONEY_FRAUD_3 | |
2755 | ||
 | # Tiered rules: MONEY_FRAUD_3 requires !__MONEY_FRAUD_5 and !__MONEY_FRAUD_8, | |
 | # MONEY_FRAUD_5 requires !__MONEY_FRAUD_8, so at most one tier hits per message. | |
 | # Tuning note: a message that matches __MONEY_FRAUD_5 but is held back by one of | |
 | # MONEY_FRAUD_5's exclusions does not fall back to MONEY_FRAUD_3, because tier 3 | |
 | # is keyed on the sub-rule, not on the published rule. | |
2756 | meta MONEY_FRAUD_3 (__MONEY_FRAUD_3 && !__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_3_NEW_MONEY) && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__IS_EXCH && !__VIA_ML && !__HAS_THREAD_INDEX && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__HTML_LINK_IMAGE && !__THREADED && !__DOS_BODY_THU && !__URL_SHORTENER && !__TAG_EXISTS_STYLE | |
2757 | describe MONEY_FRAUD_3 Lots of money and several fraud phrases | |
2758 | tflags MONEY_FRAUD_3 publish | |
2759 | ##} MONEY_FRAUD_3 | |
2760 | ||
2761 | ##{ MONEY_FRAUD_5 | |
2762 | ||
 | # Middle tier; carries fewer exclusions than MONEY_FRAUD_3. | |
2763 | meta MONEY_FRAUD_5 (__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_5_NEW_MONEY) && !__VIA_ML && !__HAS_THREAD_INDEX && !__COMMENT_EXISTS && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__URL_SHORTENER && !__TAG_EXISTS_STYLE | |
2764 | describe MONEY_FRAUD_5 Lots of money and many fraud phrases | |
2765 | tflags MONEY_FRAUD_5 publish | |
2766 | ##} MONEY_FRAUD_5 | |
2767 | ||
2768 | ##{ MONEY_FRAUD_8 | |
2769 | ||
 | # Highest tier; only three exclusions apply here. | |
2770 | meta MONEY_FRAUD_8 __MONEY_FRAUD_8 && !__VIA_ML && !__HAS_THREAD_INDEX && !__BUGGED_IMG | |
2771 | describe MONEY_FRAUD_8 Lots of money and very many fraud phrases | |
2772 | tflags MONEY_FRAUD_8 publish | |
2773 | ##} MONEY_FRAUD_8 | |
2774 | ||
2775 | ##{ MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2776 | ||
2777 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2778 | meta MONEY_FREEMAIL_REPTO __MONEY_FREEMAIL_REPTO && !__HAS_CAMPAIGNID | |
2779 | describe MONEY_FREEMAIL_REPTO Lots of money from someone using free email? | |
2780 | # score MONEY_FREEMAIL_REPTO 3.000 # limit | |
2781 | tflags MONEY_FREEMAIL_REPTO publish | |
2782 | endif | |
2783 | ##} MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2784 | ||
2785 | ##{ MONEY_FROM_41 | |
2786 | ||
2787 | meta MONEY_FROM_41 __MONEY_FROM_41 | |
2788 | describe MONEY_FROM_41 Lots of money from Africa | |
2789 | #score MONEY_FROM_41 2.00 # limit | |
2790 | ##} MONEY_FROM_41 | |
2791 | ||
2792 | ##{ MONEY_FROM_MISSP | |
2793 | ||
2794 | meta MONEY_FROM_MISSP LOTS_OF_MONEY && __FROM_MISSPACED && !__MIME_QP | |
2795 | describe MONEY_FROM_MISSP Lots of money and misspaced From | |
2796 | #score MONEY_FROM_MISSP 2.000 # limit | |
2797 | ##} MONEY_FROM_MISSP | |
2798 | ||
2799 | ##{ MONEY_NOHTML | |
2800 | ||
2801 | meta MONEY_NOHTML LOTS_OF_MONEY && __CT_TEXT_PLAIN | |
2802 | describe MONEY_NOHTML Lots of money in plain text | |
2803 | #score MONEY_NOHTML 2.500 # limit | |
2804 | ##} MONEY_NOHTML | |
2805 | ||
2806 | ##{ MSGID_DOLLARS_URI_IMG | |
2807 | ||
2808 | meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW | |
2809 | describe MSGID_DOLLARS_URI_IMG Suspicious Message-ID and image | |
2810 | #score MSGID_DOLLARS_URI_IMG 3.000 # limit | |
2811 | tflags MSGID_DOLLARS_URI_IMG publish | |
2812 | ##} MSGID_DOLLARS_URI_IMG | |
2813 | ||
2814 | ##{ MSGID_HDR_MALF | |
2815 | ||
 | # NOTE(review): the description says "invalid message ID header", but the only | |
 | # condition is the sub-rule __HAS_MESSAGEID, whose definition is not in these | |
 | # lines. Confirm which header that sub-rule tests before relying on this rule. | |
2816 | meta MSGID_HDR_MALF __HAS_MESSAGEID | |
2817 | describe MSGID_HDR_MALF Has invalid message ID header | |
2818 | #score MSGID_HDR_MALF 3.500 # limit | |
2819 | tflags MSGID_HDR_MALF publish | |
2820 | ##} MSGID_HDR_MALF | |
2821 | ||
2822 | ##{ MSGID_MULTIPLE_AT | |
2823 | ||
 | # Matches a '<' followed by two '@' characters with no '>' in between, i.e. two | |
 | # at-signs inside one angle-bracketed Message-ID value. | |
2824 | header MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/ | |
2825 | describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters | |
2826 | #score MSGID_MULTIPLE_AT 0.001 | |
2827 | ##} MSGID_MULTIPLE_AT | |
2828 | ||
2829 | ##{ MSGID_NOFQDN1 | |
2830 | ||
2831 | meta MSGID_NOFQDN1 __MSGID_NOFQDN1 | |
2832 | describe MSGID_NOFQDN1 Message-ID with no domain name | |
2833 | ##} MSGID_NOFQDN1 | |
2834 | ||
2835 | ##{ MSMAIL_PRI_ABNORMAL | |
2836 | ||
2837 | meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER && !__HAS_UA && !__MSMAIL_PRI_HIGH | |
2838 | describe MSMAIL_PRI_ABNORMAL Email priority often abused | |
2839 | #score MSMAIL_PRI_ABNORMAL 1.500 # limit | |
2840 | ##} MSMAIL_PRI_ABNORMAL | |
2841 | ||
2842 | ##{ MSM_PRIO_REPTO | |
2843 | ||
2844 | meta MSM_PRIO_REPTO __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH | |
2845 | describe MSM_PRIO_REPTO MSMail priority header + Reply-to + short subject | |
2846 | #score MSM_PRIO_REPTO 2.500 # limit | |
2847 | tflags MSM_PRIO_REPTO publish | |
2848 | ##} MSM_PRIO_REPTO | |
2849 | ||
2850 | ##{ MSOE_MID_WRONG_CASE | |
2851 | ||
2852 | meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106) | |
2853 | ##} MSOE_MID_WRONG_CASE | |
2854 | ||
2855 | ##{ NAME_EMAIL_DIFF | |
2856 | ||
2857 | meta NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL | |
2858 | describe NAME_EMAIL_DIFF Sender NAME is an unrelated email address | |
2859 | ##} NAME_EMAIL_DIFF | |
2860 | ||
2861 | ##{ NA_DOLLARS | |
2862 | ||
2863 | body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i | |
2864 | describe NA_DOLLARS Talks about a million North American dollars | |
2865 | #score NA_DOLLARS 1.5 | |
2866 | ##} NA_DOLLARS | |
2867 | ||
2868 | ##{ NEWEGG_IMG_NOT_RCVD_NEGG | |
2869 | ||
2870 | meta NEWEGG_IMG_NOT_RCVD_NEGG __NEWEGG_IMG_NOT_RCVD_NEGG | |
2871 | #score NEWEGG_IMG_NOT_RCVD_NEGG 2.500 # limit | |
2872 | describe NEWEGG_IMG_NOT_RCVD_NEGG Newegg hosted image but message not from Newegg | |
2873 | tflags NEWEGG_IMG_NOT_RCVD_NEGG publish | |
2874 | ##} NEWEGG_IMG_NOT_RCVD_NEGG | |
2875 | ||
2876 | ##{ NICE_REPLY_A | |
2877 | ||
 | # tflags "nice": this rule is meant to indicate legitimate mail, not spam. | |
 | # NOTE(review): the sub-rule names suggest the signal rests on Subject, | |
 | # In-Reply-To and References headers, which are written by the sender; their | |
 | # definitions are not in these lines. Confirm before giving this rule a | |
 | # strongly negative score. | |
2878 | meta NICE_REPLY_A (__SUBJ_RE && !__MISSING_REPLY && !__MISSING_REF && __BOTH_INR_AND_REF) | |
2879 | describe NICE_REPLY_A Looks like a legit reply (A) | |
2880 | tflags NICE_REPLY_A nice | |
2881 | ##} NICE_REPLY_A | |
2882 | ||
2883 | ##{ NORDNS_LOW_CONTRAST | |
2884 | ||
2885 | meta NORDNS_LOW_CONTRAST (__HTML_FONT_LOW_CONTRAST_MINFP && __RDNS_NONE) && !ALL_TRUSTED && !__HAS_CID | |
2886 | describe NORDNS_LOW_CONTRAST No rDNS + hidden text | |
2887 | #score NORDNS_LOW_CONTRAST 2.500 # limit | |
2888 | ##} NORDNS_LOW_CONTRAST | |
2889 | ||
2890 | ##{ NOT_SPAM | |
2891 | ||
 | # Case-insensitive body match on self-declared "not spam" statements in three | |
 | # languages: English ("this e-mail/message" or "we", then "is not", "are not" | |
 | # or "cannot be considered", then "Spam"), Spanish ("ESTE CORREO NO PUEDE SER | |
 | # CONSIDERADO INTRUSIVO" or "... spam") and German ("Diese Nachricht ist KEIN | |
 | # SPAM"). Only the start of the phrase is anchored with \b. | |
2892 | body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i | |
2893 | describe NOT_SPAM I'm not spam! Really! I'm not, I'm not, I'm not! | |
2894 | tflags NOT_SPAM publish | |
2895 | ##} NOT_SPAM | |
2896 | ||
2897 | ##{ NO_FM_NAME_IP_HOSTN | |
2898 | ||
2899 | meta NO_FM_NAME_IP_HOSTN (__KHOP_NO_FULL_NAME && __IP_IN_RELAY) && !__DOS_RELAYED_EXT | |
2900 | describe NO_FM_NAME_IP_HOSTN No From name + hostname using IP address | |
2901 | #score NO_FM_NAME_IP_HOSTN 2.500 # limit | |
2902 | tflags NO_FM_NAME_IP_HOSTN publish | |
2903 | ##} NO_FM_NAME_IP_HOSTN | |
2904 | ||
2905 | ##{ NSL_RCVD_FROM_USER | |
2906 | ||
 | # Case-sensitive: the literal text "from User " followed by '[' or '(' in a | |
 | # Received header. | |
2907 | header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/ | |
2908 | describe NSL_RCVD_FROM_USER Received from User | |
2909 | ##} NSL_RCVD_FROM_USER | |
2910 | ||
2911 | ##{ NSL_RCVD_HELO_USER | |
2912 | ||
 | # Case-insensitive: "helo=user)" or "helo user)" in a Received header, i.e. the | |
 | # recorded HELO name is the bare word "user". | |
2913 | header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i | |
2914 | describe NSL_RCVD_HELO_USER Received from HELO User | |
2915 | ##} NSL_RCVD_HELO_USER | |
2916 | ||
2917 | ##{ NULL_IN_BODY | |
2918 | ||
 | # "full" rule type: the pattern is applied to the raw message, not to decoded | |
 | # body text. It hits on any single NUL byte (\x00). | |
2919 | full NULL_IN_BODY /\x00/ | |
2920 | describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message | |
2921 | ##} NULL_IN_BODY | |
2922 | ||
2923 | ##{ NUMBEREND_LINKBAIT | |
2924 | ||
2925 | meta NUMBEREND_LINKBAIT __NUMBEREND_TLD && __LCL__KAM_BODY_LENGTH_LT_1024 && __BODY_URI_ONLY | |
2926 | describe NUMBEREND_LINKBAIT Domain ends in a large number and very short body with link | |
2927 | #score NUMBEREND_LINKBAIT 1.0 # limit | |
2928 | ##} NUMBEREND_LINKBAIT | |
2929 | ||
2930 | ##{ OBFU_BITCOIN | |
2931 | ||
2932 | meta OBFU_BITCOIN __OBFU_BITCOIN | |
2933 | describe OBFU_BITCOIN Obfuscated BitCoin references | |
2934 | #score OBFU_BITCOIN 3.000 # limit | |
2935 | tflags OBFU_BITCOIN publish | |
2936 | ##} OBFU_BITCOIN | |
2937 | ||
2938 | ##{ OBFU_JVSCR_ESC | |
2939 | ||
 | # rawbody rule, so markup and script text are still present when it runs. | |
 | # Matches document.write(unescape( followed by a quote and at least ten | |
 | # consecutive %XX hex escapes, case-insensitively. Shorter escape runs, or an | |
 | # escaped string that starts with a plain character, are not covered. | |
2940 | rawbody OBFU_JVSCR_ESC /document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i | |
2941 | describe OBFU_JVSCR_ESC Injects content using obfuscated javascript | |
2942 | tflags OBFU_JVSCR_ESC publish | |
2943 | ##} OBFU_JVSCR_ESC | |
2944 | ||
2945 | ##{ OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2946 | ||
2947 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
 | # Only defined when the MIMEHeader plugin is loaded. | |
 | # Matches a part whose Content-Type holds application/octet-stream and, later | |
 | # in the same header value, ".txt" at a word boundary (case-insensitive). | |
 | # Because only \b follows "txt", a name with a further extension after ".txt" | |
 | # is matched as well. | |
2948 | mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i | |
2949 | describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type | |
2950 | tflags OBFU_TEXT_ATTACH publish | |
2951 | endif | |
2952 | ##} OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2953 | ||
2954 | ##{ OBFU_UNSUB_UL | |
2955 | ||
2956 | meta OBFU_UNSUB_UL __OBFU_UNSUB_UL && !MAILING_LIST_MULTI | |
2957 | describe OBFU_UNSUB_UL Obfuscated unsubscribe text | |
2958 | tflags OBFU_UNSUB_UL publish | |
2959 | ##} OBFU_UNSUB_UL | |
2960 | ||
2961 | ##{ ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2962 | ||
2963 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2964 | meta ODD_FREEM_REPTO __freemail_mailreplyto | |
2965 | describe ODD_FREEM_REPTO Has unusual reply-to header | |
2966 | # score ODD_FREEM_REPTO 3.000 # limit | |
2967 | tflags ODD_FREEM_REPTO publish | |
2968 | endif | |
2969 | ##} ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2970 | ||
2971 | ##{ OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
2972 | ||
2973 | if (version >= 3.004002) | |
2974 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
2975 | meta OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA | |
2976 | describe OFFER_ONLY_AMERICA Offer only available to US | |
2977 | #score OFFER_ONLY_AMERICA 2.0 # limit | |
2978 | endif | |
2979 | endif | |
2980 | ##} OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
2981 | ||
2982 | ##{ ONLINE_MKTG_CNSLT | |
2983 | ||
2984 | body ONLINE_MKTG_CNSLT /\bonline marketing consultant\b/i | |
2985 | ##} ONLINE_MKTG_CNSLT | |
2986 | ||
2987 | ##{ ORDER_TODAY | |
2988 | ||
2989 | meta ORDER_TODAY __ORDER_TODAY && (__HTML_IMG_ONLY || __ALIBABA_IMG_NOT_RCVD_ALI || __TO_NO_BRKTS_NORDNS_HTML) | |
2990 | describe ORDER_TODAY Get your order in now! | |
2991 | #score ORDER_TODAY 2.500 # limit | |
2992 | ##} ORDER_TODAY | |
2993 | ||
2994 | ##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2995 | ||
2996 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2997 | meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F) | |
2998 | describe PART_CID_STOCK Has a spammy image attachment (by Content-ID) | |
2999 | endif | |
3000 | ##} PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3001 | ||
3002 | ##{ PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3003 | ||
3004 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3005 | meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS) | |
3006 | describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific) | |
3007 | endif | |
3008 | ##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3009 | ||
3010 | ##{ PDS_BAD_THREAD_QP_64 | |
3011 | ||
3012 | meta PDS_BAD_THREAD_QP_64 __PDS_QP_64 && __HAS_THREAD_INDEX && !__THREAD_INDEX_GOOD | |
3013 | describe PDS_BAD_THREAD_QP_64 Bad thread header - short QP | |
3014 | #score PDS_BAD_THREAD_QP_64 1.0 | |
3015 | ##} PDS_BAD_THREAD_QP_64 | |
3016 | ||
3017 | ##{ PDS_BTC_ID | |
3018 | ||
3019 | meta PDS_BTC_ID __PDS_BTC_ID | |
3020 | describe PDS_BTC_ID FP reduced Bitcoin ID | |
3021 | #score PDS_BTC_ID 0.5 | |
3022 | ##} PDS_BTC_ID | |
3023 | ||
3024 | ##{ PDS_BTC_MSGID | |
3025 | ||
3026 | meta PDS_BTC_MSGID __PDS_BTC_ID && __MSGID_NOFQDN2 | |
3027 | describe PDS_BTC_MSGID Bitcoin ID with T_MSGID_NOFQDN2 | |
3028 | #score PDS_BTC_MSGID 1.0 | |
3029 | ##} PDS_BTC_MSGID | |
3030 | ||
3031 | ##{ PDS_DBL_URL_TNB_RUNON | |
3032 | ||
3033 | meta PDS_DBL_URL_TNB_RUNON __TO_NO_BRKTS_FROM_RUNON && __PDS_DOUBLE_URL | |
3034 | describe PDS_DBL_URL_TNB_RUNON Double-url and To no arrows, from runon | |
3035 | #score PDS_DBL_URL_TNB_RUNON 2.0 | |
3036 | ##} PDS_DBL_URL_TNB_RUNON | |
3037 | ||
3038 | ##{ PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3039 | ||
3040 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3041 | if (version >= 3.004000) | |
3042 | meta PDS_EMPTYSUBJ_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __SUBJECT_EMPTY && __PDS_MSG_1024 | |
3043 | describe PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener | |
3044 | #score PDS_EMPTYSUBJ_URISHRT 1.5 # limit | |
3045 | endif | |
3046 | endif | |
3047 | ##} PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3048 | ||
3049 | ##{ PDS_FRNOM_TODOM_DBL_URL | |
3050 | ||
3051 | meta PDS_FRNOM_TODOM_DBL_URL PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL | |
3052 | describe PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL | |
3053 | #score PDS_FRNOM_TODOM_DBL_URL 1.5 | |
3054 | ##} PDS_FRNOM_TODOM_DBL_URL | |
3055 | ||
3056 | ##{ PDS_FRNOM_TODOM_NAKED_TO | |
3057 | ||
3058 | meta PDS_FRNOM_TODOM_NAKED_TO __NAKED_TO && PDS_FROM_NAME_TO_DOMAIN | |
3059 | describe PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain | |
3060 | #score PDS_FRNOM_TODOM_NAKED_TO 1.5 | |
3061 | ##} PDS_FRNOM_TODOM_NAKED_TO | |
3062 | ||
3063 | ##{ PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
3064 | ||
3065 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
3066 | meta PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__MSGID_JAVAMAIL && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__DKIM_EXISTS | |
3067 | describe PDS_FROM_2_EMAILS From header has multiple different addresses | |
3068 | # score PDS_FROM_2_EMAILS 3.500 # limit | |
3069 | endif | |
3070 | ##} PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
3071 | ||
3072 | ##{ PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3073 | ||
3074 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3075 | if (version >= 3.004000) | |
 | # Combines three conditions: a URL-shortener sub-rule, a From/name mismatch | |
 | # sub-rule, and __BODY_URI_ONLY. | |
 | # NOTE(review): this references __NAME_EMAIL_DIFF (double underscore). This | |
 | # file defines NAME_EMAIL_DIFF without the prefix; the prefixed sub-rule is | |
 | # not defined in the visible lines. Confirm it exists. | |
3076 | meta PDS_FROM_2_EMAILS_SHRTNER (__PDS_URISHORTENER || __URL_SHORTENER) && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY | |
3077 | describe PDS_FROM_2_EMAILS_SHRTNER From 2 emails short email with little more than a URI shortener | |
3078 | #score PDS_FROM_2_EMAILS_SHRTNER 1.5 # limit | |
3079 | endif | |
3080 | endif | |
3081 | ##} PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3082 | ||
3083 | ##{ PDS_FROM_NAME_TO_DOMAIN | |
3084 | ||
3085 | meta PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN | |
3086 | #score PDS_FROM_NAME_TO_DOMAIN 2.0 | |
3087 | describe PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain | |
3088 | ##} PDS_FROM_NAME_TO_DOMAIN | |
3089 | ||
3090 | ##{ PDS_HELO_SPF_FAIL | |
3091 | ||
 | # Hits when the HELO identity fails SPF (SPF_HELO_FAIL) and the sub-rule | |
 | # __HELO_HIGHPROFILE also matches; that sub-rule is defined elsewhere. | |
 | # tflags "net": the result depends on network lookups, so the rule cannot hit | |
 | # when network tests are disabled. | |
3092 | meta PDS_HELO_SPF_FAIL SPF_HELO_FAIL && __HELO_HIGHPROFILE | |
3093 | describe PDS_HELO_SPF_FAIL High profile HELO that fails SPF | |
3094 | #score PDS_HELO_SPF_FAIL 2.0 | |
3095 | tflags PDS_HELO_SPF_FAIL net | |
3096 | ##} PDS_HELO_SPF_FAIL | |
3097 | ||
3098 | ##{ PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3099 | ||
3100 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3101 | if (version >= 3.004000) | |
3102 | meta PDS_NO_FULL_NAME_SPOOFED_URL __PDS_MSG_1024 && __KHOP_NO_FULL_NAME && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER) | |
3103 | describe PDS_NO_FULL_NAME_SPOOFED_URL HTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME | |
3104 | #score PDS_NO_FULL_NAME_SPOOFED_URL 0.75 # limit | |
3105 | endif | |
3106 | endif | |
3107 | ##} PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3108 | ||
3109 | ##{ PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3110 | ||
3111 | if (version >= 3.004002) | |
3112 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
 | # Defined only on version 3.004002 or later with the WLBLEval plugin loaded. | |
 | # Calls check_uri_host_listed against the host list named SUSP_URI_NTLD. The | |
 | # list's entries are configured outside the visible lines, so coverage | |
 | # depends entirely on how that list is maintained. | |
3113 | header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD') | |
3114 | #score PDS_OTHER_BAD_TLD 2.0 | |
3115 | describe PDS_OTHER_BAD_TLD Untrustworthy TLDs | |
3116 | endif | |
3117 | endif | |
3118 | ##} PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3119 | ||
3120 | ##{ PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3121 | ||
3122 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3123 | if (version >= 3.004000) | |
3124 | meta PDS_SHORTFWD_URISHRT_QP (__PDS_URISHORTENER || __URL_SHORTENER) && __HS_SUBJ_RE_FW && __T_PDS_MSG_512 && !T_PDS_SHORTFWD_URISHRT_FP | |
3125 | describe PDS_SHORTFWD_URISHRT_QP Apparently a short fwd/re with URI shortener | |
3126 | #score PDS_SHORTFWD_URISHRT_QP 1.5 # limit | |
3127 | endif | |
3128 | endif | |
3129 | ##} PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3130 | ||
3131 | ##{ PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3132 | ||
3133 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3134 | if (version >= 3.004000) | |
3135 | meta PDS_SHORT_SPOOFED_URL __PDS_MSG_1024 && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER) | |
3136 | describe PDS_SHORT_SPOOFED_URL HTML message short and T_SPOOFED_URL (S_U_FP) | |
3137 | #score PDS_SHORT_SPOOFED_URL 2.0 | |
3138 | endif | |
3139 | endif | |
3140 | ##} PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3141 | ||
3142 | ##{ PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3143 | ||
3144 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3145 | if (version >= 3.004000) | |
3146 | meta PDS_TINYSUBJ_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __SUBJ_SHORT && __PDS_MSG_1024 | |
3147 | describe PDS_TINYSUBJ_URISHRT Short subject with URL shortener | |
3148 | #score PDS_TINYSUBJ_URISHRT 1.5 # limit | |
3149 | endif | |
3150 | endif | |
3151 | ##} PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3152 | ||
3153 | ##{ PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE | |
3154 | ||
3155 | meta PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE FREEMAIL_FORGED_REPLYTO && __PDS_TONAME_EQ_TOLOCAL | |
3156 | describe PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE Forged replyto and __PDS_TONAME_EQ_TOLOCAL | |
3157 | #score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 2.0 # limit | |
3158 | ##} PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE | |
3159 | ||
3160 | ##{ PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE | |
3161 | ||
3162 | meta PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE __PDS_TONAME_EQ_TOLOCAL && __HDRS_LCASE | |
3163 | describe PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE To: name matches everything in local email - LCASE headers | |
3164 | #score PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE 2.0 # limit | |
3165 | ##} PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE | |
3166 | ||
3167 | ##{ PDS_TONAME_EQ_TOLOCAL_SHORT | |
3168 | ||
3169 | meta PDS_TONAME_EQ_TOLOCAL_SHORT __PDS_TONAME_EQ_TOLOCAL && __KAM_BODY_LENGTH_LT_512 | |
3170 | describe PDS_TONAME_EQ_TOLOCAL_SHORT Short body with To: name matches everything in local email | |
3171 | #score PDS_TONAME_EQ_TOLOCAL_SHORT 2.0 # limit | |
3172 | ##} PDS_TONAME_EQ_TOLOCAL_SHORT | |
3173 | ||
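3174 | ##{ PDS_TONAME_EQ_TOLOCAL_VSHORT | |
3175 | ||
 | # Very-short-body variant of the PDS_TONAME_EQ_TOLOCAL_* rules: body length | |
 | # sub-rule __KAM_BODY_LENGTH_LT_128 combined with __PDS_TONAME_EQ_TOLOCAL. | |
 | # The description previously spoke of "From looks like 2 different emails", | |
 | # which this rule does not test; it now matches the wording of the sibling | |
 | # rules built on the same sub-rule. | |
3176 | meta PDS_TONAME_EQ_TOLOCAL_VSHORT __KAM_BODY_LENGTH_LT_128 && __PDS_TONAME_EQ_TOLOCAL | |
3177 | describe PDS_TONAME_EQ_TOLOCAL_VSHORT Very short body with To: name matches everything in local email | |
3178 | #score PDS_TONAME_EQ_TOLOCAL_VSHORT 1.0 # limit | |
3179 | ##} PDS_TONAME_EQ_TOLOCAL_VSHORT | |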
3180 | ||
3181 | ##{ PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
3182 | ||
3183 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
3184 | meta PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER | |
3185 | describe PDS_TO_EQ_FROM_NAME From: name same as To: address | |
3186 | endif | |
3187 | ##} PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
3188 | ||
3189 | ##{ PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3190 | ||
3191 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3192 | if (version >= 3.004000) | |
3193 | meta PDS_URISHRT_LOCALPART_SUBJ LOCALPART_IN_SUBJECT && (__PDS_URISHORTENER || __URL_SHORTENER) && __PDS_MSG_1024 | |
3194 | describe PDS_URISHRT_LOCALPART_SUBJ Localpart of To in subject | |
3195 | #score PDS_URISHRT_LOCALPART_SUBJ 1.0 | |
3196 | endif | |
3197 | endif | |
3198 | ##} PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3199 | ||
3200 | ##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3201 | ||
3202 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3203 | meta PHISH_ATTACH (__PHISH_ATTACH_01_01 || __PHISH_ATTACH_01_02) && !__HAS_SENDER | |
3204 | describe PHISH_ATTACH Attachment filename suspicious, probable phishing | |
3205 | tflags PHISH_ATTACH publish | |
3206 | endif | |
3207 | ##} PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3208 | ||
3209 | ##{ PHISH_AZURE_CLOUDAPP | |
3210 | ||
 | # Fixed list of host labels under cloudapp.azure.com; a hostname that is not in | |
 | # the alternation needs a rule update before it is detected. | |
 | # The pattern uses ';' as delimiter, so '/' is literal. It is anchored at the | |
 | # scheme, the listed label and region must follow "://" directly, and the host | |
 | # must be followed by '/'. As written, a URI with an explicit port or with no | |
 | # '/' after the host would not match; verify against how URIs are normalised | |
 | # before they reach uri rules. | |
3211 | uri PHISH_AZURE_CLOUDAPP m;^https?://(?=[^/]+\.cloudapp\.azure\.com)(?:(?:b(?:illetedecalle\.northeurope|urofaxnotificado\.eastus)|comprobante(?:digital\.southcentralus|fiscale\.eastus)|infracciondeestacionamiento(?:\.eastus|s\.ukwest)|multa(?:detrafico\.eastus|prev\.eastus|s\.(?:eastus|southcentralus))|notificadosburofax\.eastus|penadetransitomulta\.eastus))\.cloudapp\.azure\.com/;i | |
3212 | describe PHISH_AZURE_CLOUDAPP Link to known phishing web application | |
3213 | #score PHISH_AZURE_CLOUDAPP 3.500 | |
3214 | tflags PHISH_AZURE_CLOUDAPP publish | |
3215 | ##} PHISH_AZURE_CLOUDAPP | |
3216 | ||
3217 | ##{ PHISH_FBASEAPP | |
3218 | ||
3219 | meta PHISH_FBASEAPP __PHISH_FBASE_01 | |
3220 | describe PHISH_FBASEAPP Probable phishing via hosted web app | |
3221 | #score PHISH_FBASEAPP 3.000 # limit | |
3222 | tflags PHISH_FBASEAPP publish | |
3223 | ##} PHISH_FBASEAPP | |
3224 | ||
3225 | ##{ PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
3226 | ||
3227 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
3228 | meta PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF | |
3229 | describe PHOTO_EDITING_DIRECT Image editing service, direct to MX | |
3230 | # score PHOTO_EDITING_DIRECT 3.000 # limit | |
3231 | endif | |
3232 | ##} PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
3233 | ||
3234 | ##{ PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
3235 | ||
3236 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
 | # __PHOTO_RETOUCHING is compared numerically here: its value must exceed 4, | |
 | # whereas PHOTO_EDITING_DIRECT only tests it for truth. The second term | |
 | # requires one of two reply-to sub-rules to match. | |
3237 | meta PHOTO_EDITING_FREEM __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) | |
3238 | describe PHOTO_EDITING_FREEM Image editing service, freemail or CHN replyto | |
3239 | # score PHOTO_EDITING_FREEM 3.750 # limit | |
3240 | endif | |
3241 | ##} PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
3242 | ||
3243 | ##{ PHP_NOVER_MUA | |
3244 | ||
 | # PHP_NOVER_MUA is split over three sections. This one holds the description | |
 | # and flags; the meta expression is defined in one of the two conditional | |
 | # sections below, depending on whether the DKIM plugin is loaded. | |
3245 | describe PHP_NOVER_MUA Mail from PHP with no version number | |
3246 | #score PHP_NOVER_MUA 3.000 # limit | |
3247 | tflags PHP_NOVER_MUA publish | |
3248 | ##} PHP_NOVER_MUA | |
3249 | ||
3250 | ##{ PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
3251 | ||
3252 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
 | # Variant used when the DKIM plugin is not loaded: no DKIM term. | |
3253 | meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH | |
3254 | endif | |
3255 | ##} PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
3256 | ||
3257 | ##{ PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM | |
3258 | ||
3259 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
 | # Variant used when the DKIM plugin is loaded: same expression plus | |
 | # !__DKIM_DEPENDABLE, so the rule is also suppressed when that sub-rule hits. | |
3260 | meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH | |
3261 | endif | |
3262 | ##} PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM | |
3263 | ||
3264 | ##{ PHP_ORIG_SCRIPT | |
3265 | ||
3266 | meta PHP_ORIG_SCRIPT __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO && !__MSGID_BEFORE_RECEIVED && !MSGID_FROM_MTA_HEADER | |
3267 | describe PHP_ORIG_SCRIPT Sent by bot & other signs | |
3268 | #score PHP_ORIG_SCRIPT 2.500 # limit | |
3269 | tflags PHP_ORIG_SCRIPT publish | |
3270 | ##} PHP_ORIG_SCRIPT | |
3271 | ||
3272 | ##{ PHP_SCRIPT | |
3273 | ||
3274 | meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT | |
3275 | describe PHP_SCRIPT Sent by PHP script | |
3276 | #score PHP_SCRIPT 2.500 # limit | |
3277 | tflags PHP_SCRIPT publish | |
3278 | ##} PHP_SCRIPT | |
3279 | ||
3280 | ##{ PHP_SCRIPT_MUA | |
3281 | ||
3282 | meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA | |
3283 | describe PHP_SCRIPT_MUA Sent by PHP script, no version number | |
3284 | #score PHP_SCRIPT_MUA 2.000 # limit | |
3285 | tflags PHP_SCRIPT_MUA publish | |
3286 | ##} PHP_SCRIPT_MUA | |
3287 | ||
3288 | ##{ PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal) | |
3289 | ||
3290 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
3291 | if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal) | |
3292 | body PP_MIME_FAKE_ASCII_TEXT eval:check_for_ascii_text_illegal() | |
3293 | describe PP_MIME_FAKE_ASCII_TEXT MIME text/plain claims to be ASCII but isn't | |
3294 | # score PP_MIME_FAKE_ASCII_TEXT 1.0 | |
3295 | tflags PP_MIME_FAKE_ASCII_TEXT publish | |
3296 | endif | |
3297 | endif | |
3298 | ##} PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal) | |
3299 | ||
3300 | ##{ PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) | |
3301 | ||
3302 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
3303 | if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) | |
3304 | body PP_TOO_MUCH_UNICODE02 eval:check_abundant_unicode_ratio(0.02) | |
3305 | describe PP_TOO_MUCH_UNICODE02 Is text/plain but has many unicode escapes | |
3306 | # score PP_TOO_MUCH_UNICODE02 0.5 | |
3307 | tflags PP_TOO_MUCH_UNICODE02 publish | |
3308 | endif | |
3309 | endif | |
3310 | ##} PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) | |
3311 | ||
3312 | ##{ PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) | |
3313 | ||
3314 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
3315 | if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) | |
3316 | body PP_TOO_MUCH_UNICODE05 eval:check_abundant_unicode_ratio(0.05) | |
3317 | describe PP_TOO_MUCH_UNICODE05 Is text/plain but has many unicode escapes | |
3318 | # score PP_TOO_MUCH_UNICODE05 1.0 | |
3319 | tflags PP_TOO_MUCH_UNICODE05 publish | |
3320 | endif | |
3321 | endif | |
3322 | ##} PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) | |
3323 | ||
3324 | ##{ PUMPDUMP | |
3325 | ||
 | # Hits when any of the ten __PUMPDUMP_nn sub-rules matches and PUMPDUMP_MULTI | |
 | # does not, so PUMPDUMP and PUMPDUMP_MULTI never hit on the same message. | |
3326 | meta PUMPDUMP (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI | |
3327 | describe PUMPDUMP Pump-and-dump stock scam phrase | |
3328 | #score PUMPDUMP 1.000 # limit | |
3329 | tflags PUMPDUMP publish | |
3330 | ##} PUMPDUMP | |
3331 | ||
3332 | ##{ PUMPDUMP_MULTI | |
3333 | ||
 | # Adds up the values of the same ten sub-rules and hits when the sum exceeds 1. | |
 | # Presumably each sub-rule contributes 0 or 1, which would make this "two or | |
 | # more distinct phrases"; confirm against the sub-rule definitions. | |
3334 | meta PUMPDUMP_MULTI (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1 | |
3335 | describe PUMPDUMP_MULTI Pump-and-dump stock scam phrases | |
3336 | #score PUMPDUMP_MULTI 3.500 # limit | |
3337 | tflags PUMPDUMP_MULTI publish | |
3338 | ##} PUMPDUMP_MULTI | |
3339 | ||
3340 | ##{ PUMPDUMP_TIP | |
3341 | ||
3342 | meta PUMPDUMP_TIP __PD_CNT_1 && __STOCK_TIP | |
3343 | describe PUMPDUMP_TIP Pump-and-dump stock tip | |
3344 | tflags PUMPDUMP_TIP publish | |
3345 | ##} PUMPDUMP_TIP | |
3346 | ||
3347 | ##{ RAND_HEADER_LIST_SPOOF | |
3348 | ||
3349 | meta RAND_HEADER_LIST_SPOOF __RAND_HEADER && __LIST_PARTIAL | |
3350 | describe RAND_HEADER_LIST_SPOOF Random gibberish message header(s) + pretending to be a mailing list | |
3351 | #score RAND_HEADER_LIST_SPOOF 3.000 # limit | |
3352 | tflags RAND_HEADER_LIST_SPOOF publish | |
3353 | ##} RAND_HEADER_LIST_SPOOF | |
3354 | ||
3355 | ##{ RAND_HEADER_MANY | |
3356 | ||
3357 | meta RAND_HEADER_MANY __RAND_HEADER_2 | |
3358 | describe RAND_HEADER_MANY Multiple random gibberish message headers | |
3359 | #score RAND_HEADER_MANY 3.000 # limit | |
3360 | tflags RAND_HEADER_MANY publish | |
3361 | ##} RAND_HEADER_MANY | |
3362 | ||
3363 | ##{ RAND_MKTG_HEADER | |
3364 | ||
3365 | meta RAND_MKTG_HEADER __RAND_MKTG_HEADER && !__HAVE_BOUNCE_RELAYS && !__HAS_THREAD_INDEX && !__HAS_X_MAILING_LIST | |
3366 | describe RAND_MKTG_HEADER Has partially-randomized marketing/tracking header(s) | |
3367 | #score RAND_MKTG_HEADER 2.000 # limit | |
3368 | tflags RAND_MKTG_HEADER publish | |
3369 | ##} RAND_MKTG_HEADER | |
3370 | ||
3371 | ##{ RATWARE_NO_RDNS | |
3372 | ||
3373 | meta RATWARE_NO_RDNS __RATWARE_BOUND_A && __RDNS_NONE && __MIME_HTML && __MISSING_REF | |
3374 | describe RATWARE_NO_RDNS Suspicious MsgID and MIME boundary + no rDNS | |
3375 | #score RATWARE_NO_RDNS 3.000 # limit | |
3376 | ##} RATWARE_NO_RDNS | |
3377 | ||
3378 | ##{ RCVD_BAD_ID | |
3379 | ||
| # Matches a Received header in which the token after "id" (letters, digits and _ + / \ , -) | |
| # is followed directly by one of the listed punctuation characters, or by ";" with no | |
| # whitespace after it. "#" is written as "\#" because an unescaped "#" starts a comment. | |
| # The pattern has no /i flag, so "id" must be lowercase. | |
3380 | header RCVD_BAD_ID Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*<=>?\@\[\]^\`{|}~]|;\S)/ | |
3381 | describe RCVD_BAD_ID Received header contains id field with bad characters | |
3382 | ##} RCVD_BAD_ID | |
3383 | ||
3384 | ##{ RCVD_DBL_DQ | |
3385 | ||
| # Matches two bracketed dotted-quad literals back to back in a Received header, | |
| # i.e. the shape [a.b.c.d][e.f.g.h] with nothing between the brackets. | |
| # The digit runs are not range-checked, so any \d+ groups match, not only valid octets. | |
3386 | header RCVD_DBL_DQ Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/ | |
3387 | describe RCVD_DBL_DQ Malformatted message header | |
3388 | tflags RCVD_DBL_DQ publish | |
3389 | ##} RCVD_DBL_DQ | |
3390 | ||
3391 | ##{ RCVD_DOTEDU_SHORT | |
3392 | ||
| # Meta rule: hits on __RCVD_DOTEDU_SHORT unless __FS_SUBJ_RE or __HAS_LIST_ID also hit. | |
| # The exclusions presumably spare replies and list mail (inferred from the names; confirm). | |
| # All three subrules are defined outside this section. | |
3393 | meta RCVD_DOTEDU_SHORT __RCVD_DOTEDU_SHORT && !__FS_SUBJ_RE && !__HAS_LIST_ID | |
3394 | describe RCVD_DOTEDU_SHORT Via .edu MTA + short message | |
3395 | #score RCVD_DOTEDU_SHORT 2.500 # limit | |
3396 | tflags RCVD_DOTEDU_SHORT publish | |
3397 | ##} RCVD_DOTEDU_SHORT | |
3398 | ||
3399 | ##{ RCVD_DOTEDU_SUSP_URI | |
3400 | ||
| # Meta rule with a single operand: it re-exposes the subrule __RCVD_DOTEDU_SUSP_URI under a | |
| # named, describable rule. The relay and URI checks live in that subrule, defined elsewhere. | |
3401 | meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI | |
3402 | describe RCVD_DOTEDU_SUSP_URI Via .edu MTA + suspicious URI | |
3403 | #score RCVD_DOTEDU_SUSP_URI 3.000 # limit | |
3404 | tflags RCVD_DOTEDU_SUSP_URI publish | |
3405 | ##} RCVD_DOTEDU_SUSP_URI | |
3406 | ||
3407 | ##{ RCVD_FORGED_WROTE | |
3408 | ||
| # Matches " by HOST with esmtp (X Y) id" in a Received header, where X is 6 or more and Y is | |
| # 3 or more characters that are neither lowercase letters nor spaces. | |
| # There is no /i flag, so the literals "by", "with esmtp" and "id" must be lowercase. | |
3409 | header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/ | |
3410 | describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam) | |
3411 | ##} RCVD_FORGED_WROTE | |
3412 | ||
3413 | ##{ RCVD_FORGED_WROTE2 | |
3414 | ||
| # Matches a Received header of the shape "from <digits/dots> (HELO ...) by HOST with esmtp (a b) | |
| # id 6-6-2 for user@HOST;". The host captured after "by" is reused as \1, so the "for" | |
| # address must be at exactly the same host name as the "by" clause. | |
| # NOTE(review): this rule has no describe line, unlike RCVD_FORGED_WROTE. | |
3415 | header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s | |
3416 | ##} RCVD_FORGED_WROTE2 | |
3417 | ||
3418 | ##{ RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3419 | ||
3420 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.2.255.3. | |
| # The set itself is defined outside this section. 'net' marks a network test, 'nice' a rule | |
| # meant to carry a negative score. | |
3421 | header RCVD_IN_IADB_DK eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.3') | |
3422 | describe RCVD_IN_IADB_DK IADB: Sender publishes Domain Keys record | |
3423 | tflags RCVD_IN_IADB_DK net nice | |
3424 | endif | |
3425 | ##} RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3426 | ||
3427 | ##{ RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3428 | ||
3429 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.3.100.10. | |
| # Network test ('net') treated as a favourable signal ('nice'). | |
3430 | header RCVD_IN_IADB_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.10') | |
3431 | describe RCVD_IN_IADB_DOPTIN IADB: All mailing list mail is confirmed opt-in | |
3432 | tflags RCVD_IN_IADB_DOPTIN net nice | |
3433 | endif | |
3434 | ##} RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3435 | ||
3436 | ##{ RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3437 | ||
3438 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.3.100.9. | |
| # Network test ('net') treated as a favourable signal ('nice'). | |
3439 | header RCVD_IN_IADB_DOPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.9') | |
3440 | describe RCVD_IN_IADB_DOPTIN_GT50 IADB: Confirmed opt-in used more than 50% of the time | |
3441 | tflags RCVD_IN_IADB_DOPTIN_GT50 net nice | |
3442 | endif | |
3443 | ##} RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3444 | ||
3445 | ##{ RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3446 | ||
3447 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.3.100.8. | |
| # Network test ('net') treated as a favourable signal ('nice'). | |
3448 | header RCVD_IN_IADB_DOPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.8') | |
3449 | describe RCVD_IN_IADB_DOPTIN_LT50 IADB: Confirmed opt-in used less than 50% of the time | |
3450 | tflags RCVD_IN_IADB_DOPTIN_LT50 net nice | |
3451 | endif | |
3452 | ##} RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3453 | ||
3454 | ##{ RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3455 | ||
3456 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.0.2.1. | |
| # Network test ('net') treated as a favourable signal ('nice'). | |
3457 | header RCVD_IN_IADB_EDDB eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.1') | |
3458 | describe RCVD_IN_IADB_EDDB IADB: Participates in Email Deliverability Database | |
3459 | tflags RCVD_IN_IADB_EDDB net nice | |
3460 | endif | |
3461 | ##} RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3462 | ||
3463 | ##{ RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3464 | ||
3465 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.0.2.2. | |
| # Network test ('net') treated as a favourable signal ('nice'). | |
3466 | header RCVD_IN_IADB_EPIA eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.2') | |
3467 | describe RCVD_IN_IADB_EPIA IADB: Member of Email Processing Industry Alliance | |
3468 | tflags RCVD_IN_IADB_EPIA net nice | |
3469 | endif | |
3470 | ##} RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3471 | ||
3472 | ##{ RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3473 | ||
3474 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.2.255.103. | |
| # Network test ('net') treated as a favourable signal ('nice'). The certification named in | |
| # the description is asserted by the list's answer; it is not verified locally by this rule. | |
3475 | header RCVD_IN_IADB_GOODMAIL eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.103') | |
3476 | describe RCVD_IN_IADB_GOODMAIL IADB: Sender has been certified by GoodMail | |
3477 | tflags RCVD_IN_IADB_GOODMAIL net nice | |
3478 | endif | |
3479 | ##} RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3480 | ||
3481 | ##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3482 | ||
3483 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set. Here the second argument is an anchored | |
| # regular expression, so the rule hits when the lookup returned 127.0.0.1 or 127.0.0.2. | |
| # NOTE(review): the '-firsttrusted' suffix presumably limits the lookup to the relay that | |
| # handed the message to the first trusted host, so the favourable ('nice') result is only | |
| # as sound as the local trusted/internal network settings. Confirm against the deployment. | |
3484 | header RCVD_IN_IADB_LISTED eval:check_rbl_sub('iadb-firsttrusted', '^127\.0\.0\.[12]$') | |
3485 | describe RCVD_IN_IADB_LISTED Participates in the IADB system | |
3486 | tflags RCVD_IN_IADB_LISTED net nice | |
3487 | endif | |
3488 | ##} RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3489 | ||
3490 | ##{ RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3491 | ||
3492 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.3.100.4. | |
| # NOTE(review): flagged 'nice' although the description is an unfavourable practice; | |
| # confirm that the score assigned elsewhere does not reward this result. | |
3493 | header RCVD_IN_IADB_LOOSE eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.4') | |
3494 | describe RCVD_IN_IADB_LOOSE IADB: Adds relationship addrs w/out opt-in | |
3495 | tflags RCVD_IN_IADB_LOOSE net nice | |
3496 | endif | |
3497 | ##} RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3498 | ||
3499 | ##{ RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3500 | ||
3501 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.101.1.10. | |
| # Network test ('net') treated as a favourable signal ('nice'). | |
3502 | header RCVD_IN_IADB_MI_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.1.10') | |
3503 | describe RCVD_IN_IADB_MI_CPEAR IADB: Complies with Michigan's CPEAR law | |
3504 | tflags RCVD_IN_IADB_MI_CPEAR net nice | |
3505 | endif | |
3506 | ##} RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3507 | ||
3508 | ##{ RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3509 | ||
3510 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.101.101.10. | |
| # Network test ('net') treated as a favourable signal ('nice'). | |
3511 | header RCVD_IN_IADB_MI_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.101.10') | |
3512 | describe RCVD_IN_IADB_MI_CPR_30 IADB: Checked lists against Michigan's CPR within 30 days | |
3513 | tflags RCVD_IN_IADB_MI_CPR_30 net nice | |
3514 | endif | |
3515 | ##} RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3516 | ||
3517 | ##{ RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3518 | ||
3519 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.101.201.10. | |
| # Network test ('net') treated as a favourable signal ('nice'). | |
3520 | header RCVD_IN_IADB_MI_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.201.10') | |
3521 | describe RCVD_IN_IADB_MI_CPR_MAT IADB: Sends no material under Michigan's CPR | |
3522 | tflags RCVD_IN_IADB_MI_CPR_MAT net nice | |
3523 | endif | |
3524 | ##} RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3525 | ||
3526 | ##{ RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3527 | ||
3528 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.3.100.100. | |
| # Network test ('net') treated as a favourable signal ('nice'). | |
3529 | header RCVD_IN_IADB_ML_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.100') | |
3530 | describe RCVD_IN_IADB_ML_DOPTIN IADB: Mailing list email only, confirmed opt-in | |
3531 | tflags RCVD_IN_IADB_ML_DOPTIN net nice | |
3532 | endif | |
3533 | ##} RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3534 | ||
3535 | ##{ RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3536 | ||
3537 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.3.100.0. | |
| # NOTE(review): flagged 'nice' although the description ("no mailing controls") is an | |
| # unfavourable practice; confirm that the score assigned elsewhere does not reward it. | |
3538 | header RCVD_IN_IADB_NOCONTROL eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.0') | |
3539 | describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing controls in place | |
3540 | tflags RCVD_IN_IADB_NOCONTROL net nice | |
3541 | endif | |
3542 | ##} RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3543 | ||
3544 | ##{ RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3545 | ||
3546 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.3.100.200. | |
| # Network test ('net') treated as a favourable signal ('nice'). | |
3547 | header RCVD_IN_IADB_OOO eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.200') | |
3548 | describe RCVD_IN_IADB_OOO IADB: One-to-one/transactional email only | |
3549 | tflags RCVD_IN_IADB_OOO net nice | |
3550 | endif | |
3551 | ##} RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3552 | ||
3553 | ##{ RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3554 | ||
3555 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.3.100.7. | |
| # Network test ('net') treated as a favourable signal ('nice'). | |
3556 | header RCVD_IN_IADB_OPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.7') | |
3557 | describe RCVD_IN_IADB_OPTIN IADB: All mailing list mail is opt-in | |
3558 | tflags RCVD_IN_IADB_OPTIN net nice | |
3559 | endif | |
3560 | ##} RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3561 | ||
3562 | ##{ RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3563 | ||
3564 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.3.100.6. | |
| # Network test ('net') treated as a favourable signal ('nice'). | |
3565 | header RCVD_IN_IADB_OPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.6') | |
3566 | describe RCVD_IN_IADB_OPTIN_GT50 IADB: Opt-in used more than 50% of the time | |
3567 | tflags RCVD_IN_IADB_OPTIN_GT50 net nice | |
3568 | endif | |
3569 | ##} RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3570 | ||
3571 | ##{ RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3572 | ||
3573 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.3.100.5. | |
| # Network test ('net') treated as a favourable signal ('nice'). | |
3574 | header RCVD_IN_IADB_OPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.5') | |
3575 | describe RCVD_IN_IADB_OPTIN_LT50 IADB: Opt-in used less than 50% of the time | |
3576 | tflags RCVD_IN_IADB_OPTIN_LT50 net nice | |
3577 | endif | |
3578 | ##} RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3579 | ||
3580 | ##{ RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3581 | ||
3582 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.3.100.1. | |
| # NOTE(review): flagged 'nice' although the description (address scraping, opt-out only) is | |
| # an unfavourable practice; confirm that the score assigned elsewhere does not reward it. | |
3583 | header RCVD_IN_IADB_OPTOUTONLY eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.1') | |
3584 | describe RCVD_IN_IADB_OPTOUTONLY IADB: Scrapes addresses, pure opt-out only | |
3585 | tflags RCVD_IN_IADB_OPTOUTONLY net nice | |
3586 | endif | |
3587 | ##} RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3588 | ||
3589 | ##{ RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3590 | ||
3591 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.2.255.4. | |
| # The rDNS claim in the description comes from the list's answer; this rule performs no | |
| # reverse lookup of its own. | |
3592 | header RCVD_IN_IADB_RDNS eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.4') | |
3593 | describe RCVD_IN_IADB_RDNS IADB: Sender has reverse DNS record | |
3594 | tflags RCVD_IN_IADB_RDNS net nice | |
3595 | endif | |
3596 | ##} RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3597 | ||
3598 | ##{ RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3599 | ||
3600 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.2.255.2. | |
| # The Sender ID claim comes from the list's answer; this rule does not evaluate any | |
| # Sender ID record for the message itself. | |
3601 | header RCVD_IN_IADB_SENDERID eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.2') | |
3602 | describe RCVD_IN_IADB_SENDERID IADB: Sender publishes Sender ID record | |
3603 | tflags RCVD_IN_IADB_SENDERID net nice | |
3604 | endif | |
3605 | ##} RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3606 | ||
3607 | ##{ RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3608 | ||
3609 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.2.255.1. | |
| # The SPF claim comes from the list's answer; this rule is not an SPF check of the message | |
| # and says nothing about whether the message passes SPF. | |
3610 | header RCVD_IN_IADB_SPF eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.1') | |
3611 | describe RCVD_IN_IADB_SPF IADB: Sender publishes SPF record | |
3612 | tflags RCVD_IN_IADB_SPF net nice | |
3613 | endif | |
3614 | ##} RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3615 | ||
3616 | ##{ RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3617 | ||
3618 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.3.100.2. | |
| # NOTE(review): flagged 'nice' although the description (unverified sign-ups) is an | |
| # unfavourable practice; confirm that the score assigned elsewhere does not reward it. | |
3619 | header RCVD_IN_IADB_UNVERIFIED_1 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.2') | |
3620 | describe RCVD_IN_IADB_UNVERIFIED_1 IADB: Accepts unverified sign-ups | |
3621 | tflags RCVD_IN_IADB_UNVERIFIED_1 net nice | |
3622 | endif | |
3623 | ##} RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3624 | ||
3625 | ##{ RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3626 | ||
3627 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.3.100.3. | |
| # NOTE(review): flagged 'nice' although the description (unverified sign-ups) is an | |
| # unfavourable practice; confirm that the score assigned elsewhere does not reward it. | |
3628 | header RCVD_IN_IADB_UNVERIFIED_2 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.3') | |
3629 | describe RCVD_IN_IADB_UNVERIFIED_2 IADB: Accepts unverified sign-ups, gives chance to opt out | |
3630 | tflags RCVD_IN_IADB_UNVERIFIED_2 net nice | |
3631 | endif | |
3632 | ##} RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3633 | ||
3634 | ##{ RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3635 | ||
3636 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.101.2.10. | |
| # Network test ('net') treated as a favourable signal ('nice'). | |
3637 | header RCVD_IN_IADB_UT_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.2.10') | |
3638 | describe RCVD_IN_IADB_UT_CPEAR IADB: Complies with Utah's CPEAR law | |
3639 | tflags RCVD_IN_IADB_UT_CPEAR net nice | |
3640 | endif | |
3641 | ##} RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3642 | ||
3643 | ##{ RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3644 | ||
3645 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.101.102.10. | |
| # Network test ('net') treated as a favourable signal ('nice'). | |
3646 | header RCVD_IN_IADB_UT_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.102.10') | |
3647 | describe RCVD_IN_IADB_UT_CPR_30 IADB: Checked lists against Utah's CPR within 30 days | |
3648 | tflags RCVD_IN_IADB_UT_CPR_30 net nice | |
3649 | endif | |
3650 | ##} RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3651 | ||
3652 | ##{ RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3653 | ||
3654 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
| # Sub-test on the 'iadb-firsttrusted' lookup set: hits when that lookup returned 127.101.202.10. | |
| # Network test ('net') treated as a favourable signal ('nice'). | |
3655 | header RCVD_IN_IADB_UT_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.202.10') | |
3656 | describe RCVD_IN_IADB_UT_CPR_MAT IADB: Sends no material under Utah's CPR | |
3657 | tflags RCVD_IN_IADB_UT_CPR_MAT net nice | |
3658 | endif | |
3659 | ##} RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3660 | ||
3661 | ##{ RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # { | |
3662 | ||
3663 | ifplugin Mail::SpamAssassin::Plugin::DNSEval # { | |
| # DNS blocklist lookup against the zone psbl.surriel.com., registered as the set | |
| # 'psbl-lastexternal'. Flagged 'net' only, so unlike the IADB rules it is not a 'nice' rule. | |
| # NOTE(review): the '-lastexternal' suffix presumably restricts the query to the last | |
| # external relay, which makes the result depend on the local internal/trusted network | |
| # settings. Confirm those before relying on this rule. | |
3664 | header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.') | |
3665 | describe RCVD_IN_PSBL Received via a relay in PSBL | |
3666 | tflags RCVD_IN_PSBL net | |
3667 | endif | |
3668 | ##} RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # { | |
3669 | ||
3670 | ##{ RCVD_MAIL_COM | |
3671 | ||
| # Matches "post.com" or "mail.com" (case-insensitive) in a Received header when the name is | |
| # delimited on both sides by whitespace, a parenthesis or a square bracket. | |
| # A longer host such as "x.mail.com" does not match, because "." is not an allowed leading | |
| # delimiter. NOTE(review): a relay that really announces itself as bare "mail.com" would | |
| # also hit, so treat a match as a hint of forgery rather than proof. | |
3672 | header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is | |
3673 | describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com) | |
3674 | ##} RCVD_MAIL_COM | |
3675 | ||
3676 | ##{ RDNS_LOCALHOST | |
3677 | ||
| # Matches the first entry of X-Spam-Relays-External (the pattern is anchored with ^) when | |
| # its rdns= value is "localhost" or "localhost.localdomain" and the ip= value does not | |
| # begin with the digits 127. The pattern relies on rdns= directly following ip=. | |
| # NOTE(review): only the 127 prefix is excluded; other non-public ranges are not, so the | |
| # "public" in the description holds only if the relay data never lists private addresses. | |
3678 | header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i | |
3679 | describe RDNS_LOCALHOST Sender's public rDNS is "localhost" | |
3680 | ##} RDNS_LOCALHOST | |
3681 | ||
3682 | ##{ RDNS_NUM_TLD_ATCHNX | |
3683 | ||
| # Meta rule: requires both __RDNS_NUMERIC_TLD and __ATTACH_NAME_NO_EXT (subrules defined | |
| # outside this section). The score line below is commented out, so no score is set here. | |
3684 | meta RDNS_NUM_TLD_ATCHNX __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT | |
3685 | describe RDNS_NUM_TLD_ATCHNX Relay rDNS has numeric TLD + suspicious attachment | |
3686 | #score RDNS_NUM_TLD_ATCHNX 3.000 # limit | |
3687 | tflags RDNS_NUM_TLD_ATCHNX publish | |
3688 | ##} RDNS_NUM_TLD_ATCHNX | |
3689 | ||
3690 | ##{ RDNS_NUM_TLD_XM | |
3691 | ||
| # Meta rule: requires __RDNS_NUMERIC_TLD together with at least one of __HAS_XM_SID, | |
| # __HAS_XM_LID, __HAS_XM_RECPTID or __HAS_XM_SENTBY (all defined outside this section). | |
| # The score line below is commented out, so no score is set here. | |
3692 | meta RDNS_NUM_TLD_XM __RDNS_NUMERIC_TLD && (__HAS_XM_SID || __HAS_XM_LID || __HAS_XM_RECPTID || __HAS_XM_SENTBY) | |
3693 | describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious headers | |
3694 | #score RDNS_NUM_TLD_XM 3.000 # limit | |
3695 | tflags RDNS_NUM_TLD_XM publish | |
3696 | ##} RDNS_NUM_TLD_XM | |
3697 | ||
3698 | ##{ READY_TO_SHIP | |
3699 | ||
| # Body rule (case-insensitive) with two alternatives: "in our stock|warehouse [today]" | |
| # followed by "." or "," and "Ready to [be] ship" / "Ready for ship", or the phrase | |
| # "ready for shipping in|from our warehouse". | |
| # NOTE(review): this rule has no describe line, and its score line is commented out. | |
3700 | body READY_TO_SHIP /(?:in our (?:stock|warehouse)(?: today)?[.,] Ready (?:to (?:be )?|for )+ship|ready for shipping (?:in|from) our warehouse)/i | |
3701 | #score READY_TO_SHIP 1.500 # limit | |
3702 | ##} READY_TO_SHIP | |
3703 | ||
3704 | ##{ REPLYTO_EMPTY | |
3705 | ||
| # Matches when the Reply-To header contains the literal "<>" anywhere in its value, | |
| # i.e. an empty angle-bracket address. The pattern is not anchored. | |
3706 | header REPLYTO_EMPTY Reply-To =~ /<>/ | |
3707 | describe REPLYTO_EMPTY Reply-To undeliverable | |
3708 | ##} REPLYTO_EMPTY | |
3709 | ||
3710 | ##{ REPLYTO_WITHOUT_TO_CC | |
3711 | ||
| # Meta rule: hits when __HAS_REPLY_TO hits and __TOCC_EXISTS does not (both subrules are | |
| # defined outside this section). | |
| # NOTE(review): this rule has no describe, score or tflags line here. | |
3712 | meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS) | |
3713 | ##} REPLYTO_WITHOUT_TO_CC | |
3714 | ||
3715 | ##{ REPTO_419_FRAUD | |
3716 | ||
3717 | header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:speakers)\@012\.net\.il|(?:mail)\@101private\.com|(?:(?:alfredcheuk002|fbi_1234|longchii|mavis_wanczyk|qfdonation))\@126\.com|(?:(?:a(?:aronmichaels005|lfredcheuk_yuchow)|ehagler|google_promoaward0?|istarsolar|joeblp|microsoft(?:_office16|award01)|panyawein|wong(?:_shiu(?:09|2016)|shiu_ki)))\@163\.com|(?:(?:navas1|ray\-thomas7h))\@1email\.eu|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:(?:mr\.tonyelumelu|r(?:emittancedept001|ussia2018worldcuplotto5)))\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:info)\@aidakj\.com|(?:(?:a\.aktr|c(?:arlos\.adan|entralbank_malaysia2)|infovsa|maria\.louge|sarahjiwooali|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:adainis|jessikasingh|travisalex))\@aliyun\.com|(?:(?:director|info))\@anletco-jp\.com|(?:(?:deanie_ron|m(?:softgbcmanager|undo\.europe)|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:institutionaldepartment)\@aol\.nl|(?:deajohn)\@arubacloub\.com|(?:djohns)\@arubacloud\.com|(?:jeromecgb12)\@asia\.com|(?:bllphillips)\@att\.net|(?:garry\.quinlan)\@australiamail\.com|(?:(?:traoreahmed|zetiaziz))\@barid\.com|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:noreply\.fujvfes)\@bibliothequegaillard\.com|(?:costruire)\@bigmat\.it|(?:alerts\-noreply)\@bis\.org|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:executivedirector)\@box\.az|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:drbenardsani\.nnpc)\@bsgcpk\.com|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:rim43505)\@cantv\.net|(?:duncanttodd)\@centrum\.cz|(?:(?:contact\.roycockrumgrantoffice|fbipayment(?:50|600)|harunajim667|ralphwjohnson))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.
li|(?:federal_ministrayoffinance)\@comtube\.com|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:dmalpasswb|re(?:covered\-tax|em(?:2018|alhashimi|hashimi2020))))\@daum\.net|(?:rex)\@departmentofsecretary\.com|(?:blythemasters)\@digitalassetholding\.org|(?:(?:diplomaticagent11|jentwistle90))\@diplomats\.com|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:(?:herrick01|rogersteare02))\@e1\.ru|(?:olga\.ingrif)\@ecb-securities\.com|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:no\-reply)\@economizar-na-web\.com\.br|(?:(?:denbrink|kathy_gerald1965|megaclaimcenter))\@email\.com|(?:johnkadiri)\@englandmail\.com|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|claimdpts|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:(?:jeferrey|yakuyaya77))\@financier\.com|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:notice)\@fnb\.co\.za|(?:info)\@fnconsultant\.biz|(?:(?:atmofficeauthoriza|captain\.lucasadam|e(?:golan2|u_payment)|gella1|k(?:aith\-angel|ossihpilip202)|pchwinningoffice1953|qatardonations16|smadartsadik|tepnherve00|worldauthorization))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:o(?:ctaviancm|rlando\.bloom))\@gmx\.co\.uk|(?:(?:a(?:hmet\.broker|lliance\.consultant)|f(?:aridaomar|er3nrod1512)|johnson\.douglas|p\.hamedmoff|rosicboteruff|walter_anderson))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:joxford)\@gmx\.us|(?:ben\.malbon)\@googlefps\.co\.uk|(?:m\.johnson10012)\@googlemail\.com|(?:larrypage)\@gpa-team\.com|(?:ceo)\@gpromo-team\.com|(?:sundarpichai)\@gpromoteam\.com|(?:sundarpichai)\@gpromoteamuk\.com|(?:garreth\.webb)\@grossfitconsultancy\.biz|(?:irenegeorg
iadou)\@hellenicbankcy\.com|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:williamsdavid_3r)\@hotmail\.co\.uk|(?:christgoldwilliams)\@hotmail\.fr|(?:douglasflint)\@hsbcbank\.group|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:victorwang67)\@imail\.com|(?:01)\@imf-org\.org|(?:chrisdodgshun)\@inbound\.plus|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:janetyellenoffice|off(?:er2021|iceme)))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:sgt\.dave)\@inmano\.com|(?:baankston)\@instruction\.com|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:wbuk0[13])\@katamail\.com|(?:(?:ditmereduart|europsenderscouriers|lewiscarl))\@keemail\.me|(?:mikiwilliams)\@knol-power\.nl|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:philiphampton)\@lec20\.com|(?:ecowascourt)\@legislator\.com|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:deqishanmedical1)\@localnet\.com|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:fanliangjen)\@mail\.china\.com|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|eddy_haryono|ghazal\-a|info\.federalreserve\.org|kateclough1|mriamchombo1968|nancyvee80|ren\.deqi212))\@mail\.com|(?:williamsdawson)\@mail\.com\.tr|(?:(?:ayishagddafio|david\.onyeoma\.74|hmtreasyru\.ng|sambo_dasuki))\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:brantwbishop)\@mailbox\.org|(?:epowerball)\@mailbox\.sk|(?:johannreimann)\@memeware\.net|(?:miguel)\@miguel-sanchez\.com|(?:rbi\-e)\@mit\.tc|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:paul\.chang)\@msn\.com|(?:enquiry)\@multiplysear
ch\.com|(?:cadpayout01)\@my\.com|(?:(?:contactmee|ministersoffinance))\@mynet\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:reem9999|wujames))\@naver\.com|(?:jessicahunt1960)\@net-c\.com|(?:zenith)\@nmk\.ugu\.pl|(?:maxedwards)\@octopusinvestment\.co\.uk|(?:lindsaytrembley)\@oimail\.com|(?:googleclaims111)\@one\.lt|(?:accountingdrg)\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:(?:castorock|infobiz2|jarramos|mrsalice09))\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:servicio\.correo)\@orange\.fr|(?:turkish\-air)\@outlook\.com\.tr|(?:(?:ahmed3khan|dpt_transferunionwestern|mr\.onyeadams|rohitjain0))\@outlook\.fr|(?:m\.khan1)\@outlook\.sa|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:info)\@phillipsmorgan\.co\.za|(?:wood)\@poczta\.onet\.eu|(?:m(?:aryjosen|boyaeth))\@post\.com|(?:united\.globeawardoffice)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:jamesmr\.monday)\@rocketmail\.com|(?:(?:g(?:loriacmackenzie001|mackenzie001)|monicatorres001|wanczykmavis101))\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:info)\@roycockrum\.org|(?:mrs\.rachel2013)\@safe-mail\.net|(?:vera)\@safrica\.com|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:peterddeng)\@secsuremailer\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:swat)\@sltdchambers\.com|(?:(?:dycheseaan|sean(?:dyyches|sdychh)))\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:contact\.hmrc\.gov\.uk)\@sudhisalooja\.com|(
?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:xiankailu)\@taiyaubank-hk\.com|(?:mhua)\@tbochk\.com|(?:veronicabright)\@terra\.com\.pe|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:zimcargoservicehelpdesks)\@tlen\.pl|(?:drew)\@ton\.net\.ru|(?:itpark01)\@tpg\.com\.au|(?:bobby\.william)\@tradent\.net|(?:info)\@treasury-departmentdc\.twomini\.com|(?:info)\@treasury-usa\.3eeweb\.com|(?:info)\@un-grant\.info|(?:(?:b(?:lueskyanimatedfilm|rown\.monica_l)|info\.(?:clev\.frb|imfamerica)|policyaddmin\.file))\@usa\.com|(?:bmuczdh)\@virgilio\.it|(?:itgiix)\@visa\.com|(?:vankoning)\@volny\.cz|(?:holt1231)\@w\.cn|(?:infos)\@walmart\.com|(?:daydreamin)\@wanadoo\.fr|(?:(?:foreignoperationmanager|mr\.(?:ikokuoya|olicadams)))\@web\.cg|(?:weboffice05)\@web\.de|(?:b(?:\-calebfirm2007|oriscaleb121))\@webmail\.co\.za|(?:(?:frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:grahamjoneschambers)\@wildblue\.net|(?:e\.shaw)\@wilmagroup\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:stephaniehans\.euromillionlottery)\@yahoo\.be|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|bobwatson92|fundyawa2014|j(?:effwilliam207|oe_modisen)|lloydsbanksb|owengreen70|rebeccajoe98|samue95))\@yahoo\.co\.uk|(?:(?:changgordon(?:61|946)|lordsmartin|revlarrutycoker2015|thomaspeter227|zhu\.shumin))\@yahoo\.com\.hk|(?:imf_office_agent)\@yahoo\.com\.my|(?:(?:dr\.pauljames110|jessicp1))\@yahoo\.com\.sg|(?:boa2cb)\@yahoo\.com\.vn|(?:(?:contactus88\-00|jflangvm5nshyazyo7si6jfuqah6jsldw2kw6c2t|lmj82717|m(?:r\.angelabenjamin|srangelabne32)))\@yahoo\.es|(?:(?:charlinebebe22|fortinsandrine|rita_will001))\@yahoo\.fr|(?:maktoum\.shasher)\@yahoo\.pt|(?:ukdebtmanagement5)\@yahool\.com|(?:dr\.amelia\.george1)\@yan
dex\.ru|(?:jayanderson)\@yccaifuu\.com|(?:(?:alfred_cheuk_chow|friedrich_mayrh1|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|feliciamagi|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:(?:asiafoundationorg\.hr|jefflindsay))\@zoho\.com|(?:laprimitivaes)\@zohomail\.eu)$/i | |
| # The REPTO_419_FRAUD header rule above compares the Reply-To address with a fixed list of | |
| # mailbox@domain pairs. Its leading negative lookahead skips addresses at gmail, yahoo, | |
| # outlook, hotmail, aol, yandex, protonmail, qq and consultant (.com) and at yahoo.co.jp. | |
| # NOTE(review): the list is static indicator data, so it only covers mailboxes already | |
| # reported. Some entries sit on well-known corporate domains (e.g. sony.com, walmart.com, | |
| # visa.com), so a hit is evidence about that one mailbox, not about the domain. | |
| # NOTE(review): the entry ending in "\@yahoo\.c" is followed by the end anchor and looks | |
| # like a truncated TLD. Confirm against the source list. | |
| # NOTE(review): in this listing the pattern is wrapped over several rows; presumably the | |
| # rules file carries it on a single line. | |
3718 | describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox | |
3719 | #score REPTO_419_FRAUD 3.000 | |
3720 | tflags REPTO_419_FRAUD publish | |
3721 | ##} REPTO_419_FRAUD | |
3722 | ||
3723 | ##{ REPTO_419_FRAUD_AOL | |
3724 | ||
| # Compares the Reply-To address with a fixed list of local parts at aol.com. The leading | |
| # lookahead requires an @aol.com address; the alternation then lists the local parts, and | |
| # the whole match is anchored with ^ and $ and is case-insensitive. | |
| # NOTE(review): static indicator data. It only covers mailboxes already reported, and an | |
| # entry stays listed even if the mailbox is later closed or reassigned by the provider. | |
3725 | header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:\.dordevicii|aromartins|f\.2[06]|ljaber111|meliageorge|n(?:d(?:_bley|rew_hans)|ttilimarim)|rthur\.alan)|b(?:aanidleewy|claimdept|rownchurchill2)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|ristinabruno38|ustom_service58)|d(?:avid(?:\.kms|opatry)|hodgkins001|ianwaynie|onald_anderson44)|e(?:ng(?:joej|r\.abdulla)|ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|i(?:sarobinson5\.0|zcarroll101)|orrainewirangee)|m(?:_l\.wanczyk62|aviswanczyk[do]|rs(?:isabelladzsesszika|safiagaddafi))|no(?:rmapatto|tification\.notification)|p(?:a(?:tricia(?:\.hans|hans)|ulpollard2)|eterwong345|otfolio\.management)|r(?:achel_wat2|oyalpalace2018)|s(?:afiiagadafi|gt\.gillianj200|ovchan|pwalker721|taatsloterijnederlands)|usembassy330|w(?:attson\.renwick|ebank244|issam\.haddad|u\.xiabk)|zeti\.aziz))\@aol\.com$/i | |
3726 | describe REPTO_419_FRAUD_AOL Reply-To is known advance fee fraud collector mailbox | |
3727 | #score REPTO_419_FRAUD_AOL 3.000 | |
3728 | tflags REPTO_419_FRAUD_AOL publish | |
3729 | ##} REPTO_419_FRAUD_AOL | |
3730 | ||
3731 | ##{ REPTO_419_FRAUD_AOL_LOOSE | |
3732 | ||
| # Meta rule: hits when the subrule __REPTO_419_FRAUD_AOL_LOOSE hits and the exact-match | |
| # rule REPTO_419_FRAUD_AOL does not, so a message is not counted by both rules. | |
| # The loose matching logic is in the subrule, defined outside this section. A near-match | |
| # is weaker evidence than a listed mailbox; the commented score below is lower accordingly. | |
3733 | meta REPTO_419_FRAUD_AOL_LOOSE __REPTO_419_FRAUD_AOL_LOOSE && !REPTO_419_FRAUD_AOL | |
3734 | describe REPTO_419_FRAUD_AOL_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox | |
3735 | #score REPTO_419_FRAUD_AOL_LOOSE 1.000 | |
3736 | tflags REPTO_419_FRAUD_AOL_LOOSE publish | |
3737 | ##} REPTO_419_FRAUD_AOL_LOOSE | |
3738 | ||
3739 | ##{ REPTO_419_FRAUD_CNS | |
3740 | ||
| # Compares the Reply-To address with a fixed list of local parts at consultant.com. The | |
| # leading lookahead requires an @consultant.com address; the match is anchored with ^ and $ | |
| # and is case-insensitive. | |
| # NOTE(review): static indicator data, so it only covers mailboxes already reported. | |
3741 | header REPTO_419_FRAUD_CNS Reply-To:addr =~ /^(?=[^\s<>@]+\@consultant\.com)(?:(?:anthonyalvarad|davidhenri|legacylawfirmdakar|m(?:iguel\-pinto|orrisherb)|owenschamber|santiagosegur|t(?:eo\.westin|he\.trustees1?)|westernunion1659))\@consultant\.com$/i | |
3742 | describe REPTO_419_FRAUD_CNS Reply-To is known advance fee fraud collector mailbox | |
3743 | #score REPTO_419_FRAUD_CNS 3.000 | |
3744 | tflags REPTO_419_FRAUD_CNS publish | |
3745 | ##} REPTO_419_FRAUD_CNS | |
3746 | ||
3747 | ##{ REPTO_419_FRAUD_GM | |
3748 | ||
3749 | header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|41speedlinkdelivery|7912richardtony|a(?:bu(?:lkareem461|shadi0004)|c(?:aalzz11|count\.optionsmr\.jonasarmstrong|e(?:alss11|cere001))|d(?:esilgon77|iallo\.boa)|erofilxeport|gent\.laryedwad|isha(?:1976algaddafi|gaddafiaam)|jaminamo|l(?:\.jo60691737|a(?:n\.austin(?:041|223)|scramac)|ber\.yang222|ex(?:ander(?:daisy911|peterson4499)|hoffman3319|smithznn)|ghafrij13|hajarb|lenholden121|nizmaria|ure\.wawrenka1472)|m(?:b\.w\.stuart\.symington|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|tasomda))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|itaminarnguessan|n(?:a(?:choihkkic|llee091|sigurlaug458)|jenijohnsonn)|t(?:honyalvaradollc|o(?:meuenio|niopaco20consultant)))|r(?:adka01|chibaldhamble|thur11alan)|s(?:h(?:0611jnag|westwood7)|ianbae1010|sistance7agent)|t(?:m(?:mastercard41|office929)|tohlawoffice\.tg)|w1614860|yevayawovi190|zi(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50)))|b(?:a(?:lla250abc|nk(?:centralasiahalobca34|ingcentralng)|ochang7a|r(?:bersmadar75|r(?:\.(?:charles(?:1954|office)|martinrichard)|ister(?:\.fidelisokafor|lordruben94)|ubenjames)|teld\.huisman01))|bongo593|c0996013|e(?:linekra1|n(?:ezero392|jaminsarah195))|i(?:anigercash|ll(?:\.lawrence0747|fhome))|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:a(?:ndy\.heavenscenttt|volpaul55)|endalaporte112|ianmoynih00)|uff(?:ettwarrene21|ookj))|c(?:a(?:ixaseguros9810001|mluba2017|r(?:eisu98|l(?:os\.s\.helux|thomos)|twrighttownhomesllc))|bnatm847|claimsa|e(?:li(?:cerez|neroullier(?:200|nm))|ntraltrustlltd)|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:esluenga01|tonnewmanus1)))|e(?:mchung1011|nchung1011)|i(?:enkraymond|mwiakim))|iticonsultantjohncg0|kruger00017|l(?:a(?:im(?:adviser11|officeadm)|xtonpaul00)|s79408)|o(?:l(?:\.(?:ahmedmarani|fakhrialsalabi(?:01)?|hmedismari)|abdullahassi|edavid77032|husseinharmuchc(?:cj|j)|inchrisweir50|mohmanairf|o(?:mbasj
uan53|nelsaad00))|mpensationcommitteboard|n(?:sult(?:ancy64|matthias|sto\.u)|tact(?:\.kolason|ad00[04]))|operation612)|pt\.eugenebarash|r(?:a(?:bbechambers|wfordgillies1)|ist(?:bru(?:05|n05)|i1537bru))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|iel(?:35508109|zulu11)|nydan24532)|v(?:i(?:d(?:\.loanfirm18|ibe718|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98)|ychan1970))|c(?:layconsult|ole77032)|e(?:btm123|n(?:iwalts|nis(?:clark659|quaid888))|partmentofstate(?:123|321)|tlefeckhardd)|hill27676|i(?:ane\.s\.wojcicki|gitalassetholding|p(?:francis1|lomat(?:\.john\.clerke|sshenry)))|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.(?:meirh|wilsonpaul02)|abodid|davidrhama221|j(?:amesdee|oesimon77)|kennedyuzo|meier\.heidi?|o(?:vieogor1|wenfrederick))|u(?:a1155a|nsilva58|stinmoskovitz\.2facebook)|v\.metus)|e(?:benezero392|christina937|d(?:runity|winfreeman22)|fcc\.financial\.dept|l(?:i(?:bethgomez(?:175|499)|sabethmaria600|zabethedw0)|otocashoffice1?)|m(?:2keld|ailpostlink09|efiele(?:328|g757)|ilyrichmond391)|renakgeorge123|ssexlss1|vgpatmow)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49(?:666|966)|k49666)|j569282|l(?:556249|aurentdz40|uhmann\.dn)|mb\.agent|o(?:ropunionbank|undations\.west)|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|isca(?:mendoza960|samendoza))|k(?:jwangg|laurarivera)))|bbankny\.gov|e(?:derick\.colemanesq|elottosweepstake51))|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|rielkalia1102)|r(?:ethbull112016|yakinson121))|bill4880|e(?:n(?:\.ahmedmsksi|eral(?:abdulrazak|williamstony990))|orgekwame481|r(?:aldjhjh11|tjanvlieghe787))|g780904|i(?:idp955|lbert12oook)|kwasiiwusu1\.persona|l(?:enmoore0011|oriachow5052)|o(?:glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219)|vgodwinemefiele111)|r(?:ace(?:jackmanwoods|obia001)|e(?:ant311|energeoffrey776))|veraallen)|h(?:a(?:r(?:old\.dia1100|ryebert101|twellbdaniel)|s(?:h(?:imyree
m78|mireem801)|sanalshujairy))|e(?:a(?:dofficecentre0210|therbrooeke101)|cto(?:alon|r(?:castillos653|scastillo6))|lpdesk47321)|gold8080|heba\.hhassan207|i(?:ldad837|toshurui)|klee\.mike|o(?:lsemeyerole6|nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|trryt34|uichmh)|i(?:1955smael|amannjejosonn|bed627|n(?:fo(?:\.(?:abogadosmfontana|g00gleclaim|questiondesk|ulmusau)|64240|98cbnoffice7|aprl06|fdrserve)|gridrolle2|t(?:ernationallppp1|linvestorsfirm))|terryoffice)|j(?:35809121|a(?:888179|cobmaseon5995|m(?:alpriv8un|es(?:husmansdesk2240|okoh82))|nusensecureprivate|sonyeungchiwai|vierlesme001)|b5406424|c2222222rrr|e(?:ff(?:deandk2|erydean1960)|nniannjhsonn|ssikasingh4)|imyang977|k3311131|mpowellfr|o(?:e(?:dward023|kendal540|lmodisen)|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|tanko214|uba234|walterlove2010)|monkzza|n(?:esandassociates68|monkssa)|s(?:ephacevedo024|ianeangenor)|y(?:ce00011|mrskone5))|rawlings007|s4fernado|uliet\.le(?:222|e2222)|w6935997)|k(?:a(?:lstromjames3|malnizar000|rabo\.ramala39|t(?:ebaronbarr|hilittman7|jamess043|rinaziako56))|e(?:lsawamelia55|n(?:mck(?:ay1980|enziejr)|nedy\.sawadogo19))|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|rnkl1109|un(?:gwei7777|ioue28)|wasiowusug)|l(?:a(?:r(?:ateambo|rytoms200)|ursent892|wrencefoundation30)|blackshirepm|e(?:ndfair\.co\.uk1|rynne(?:0west99|west2289))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|li(?:ane\.bettencourt1945|ianchrstph)|n(?:elink008|glung104)|xiung(?:l48|9))|john6132|o(?:g(?:anntomas|eengen)|ttyoffice1|u(?:ghreymargaret67|isdreyfusmargarita5))|p319765|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ck(?:enzbezos|oliver324)|incare655|jor(?:dennishornbeck53|townsend01)|k(?:altschmidt|toumsheikhhasher)|nuelfranco(?:727|foundation0)|r(?:cusdembialomr|i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|n
acoleman84|opabl26)|k(?:roth456|uses200)|y(?:franson56|jify00aaz01))|s(?:onmanny05|pencer5151)|t(?:hewriaanza|twilly3)|u(?:noveutileina|rhinck11?)|viswanczyk(?:1(?:19|987)|4(?:89|5)|775|foundation45|k112|zz)|xaajn|ydetratt)|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|engeoffrey|l(?:lagolan|vidabullock5)|nnss01)|gfrederick80|husameddine|i(?:c(?:he(?:alwuu002|lintagro)|paulla|w954)|k(?:edawson1960s|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|nfin\.gv|ss(?:\.melisa\.mehmett|boteogottai|yaelronen))|jminabii|k(?:ent7117|untjoro52)|lbriggs08860|m(?:1086771|argaritalouisdreyfus)|nmalarge|o(?:ham(?:edabdul1717|madraqab00)|rienkal30)|r(?:\.(?:justinmaxwell09|lusee|wlsonkabore)|7672900|cjames001|d517341|ericfranck|fabianchukwu|hanimuhammad627|jamesmc6|martine80|paulfrank01|r(?:echardthomas|ichardanthony1)|s(?:\.(?:biyufungchi16|janetolsen?|olsenjanett|patarkatsishvili|susanread12)|a(?:ishaalqadafi1976|ngela454)|g(?:ezeria|racewoods70)|h(?:amima60|ristinemadeleine)|j(?:ackman123|lleach)|maureens847|nicolefr1marios|r(?:obinsanders185|uthsmith9900)|s(?:arahbenjamin103|ophiac)|veraaellen)|tomcrist\.ca)|s(?:agent02|golaan4|smadar44)|twvvv|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter(?:2017|968))|obuyuki\.hirano128|tawdglobal)|o(?:\.peace004|3344nb|ffice(?:\.012123|rricherd876|windowterms)|liviemorgan4|marinyandeng|nufoundationclaims|pcwkdw|swald\.l(?:\.lewis|ewwis)|vieogor1)|p(?:\.compton101|a(?:storfrancesco1|trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018)|ymentofficer14)|brookk0|e(?:130304|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|h(?:\.cbnl|illip\.richead218)|ieterstevens511|o(?:lloke|wellmrwilliam)|r(?:esleybathini1|o(?:1nvstream|cessing2013general))|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymond(?:aba200|damon15))|e(?:beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n2214)|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.
(?:jamesabel1|mikedadax)|ernestcebi|frankjackson91))|i(?:ch(?:ard(?:lustig4u|w(?:ahl511|illis815))|lawandds)|tawilliams4141)|josh200000|o(?:berthanandez6655|naldmorris786|s(?:a\.gomes0044|e(?:kipkalya934|tam00)))|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ssiaworldcuppromo|thmporat1\"))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid7000)|nchoscozfifa|rfiafarfask7)|cottpeters7989|e(?:cretservicce[78]|rgeantrobertbrown1|ydouthiebaconsultant)|g\.offiice\.group|h(?:a(?:msiahmohamadyunusbnegara|nemissler2009)|e(?:ikhalmaktoum79|ry(?:\.gtl131|etr03))|inawatrathaksin93)|i(?:lverlakeconsultant|mlkheng5)|krause680|l5342743|o(?:fia\.adams201|u(?:rcingloggs|thwsltd))|peelman1972|rfredericodehernandez|sdt224|tephentam1(?:47|6)|u(?:iyang(?:\.boc|02)|leiman\.cbnn|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|w(?:eeneyjohnson384|islottnl))|t(?:a(?:mmy21gill|y(?:ebsouami0|lorcathy362))|davalvse|erryparkins11|h(?:ailandbankoffice01|e(?:ara\.choy2|bigbiglottowinning77|odorosloannis9|resawilliams7661?|smithfm124))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|c(?:hrist1995|rist(?:52|donation12|foundation99|world)))|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|ransfermoney21\.2|tkhan69s)|u(?:babankbjplc|dregwqr|kponguko|marukareem8|n(?:claimedfunds554|itednation(?:organization70|s(?:8182|councilrefunds)))|sdepartmentofjustice80)|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61)|b(?:271981|6159980)|d232633|i(?:ge122|ll(?:iamrobert3852|update123))|kfinancialservice|orldbankregionalmanageroffice|u(?:\.office212|mt722)|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974)|z(?:enithbankplconline98|kiaslan1963|minhong65)))\@gmail\.com$/i | |
3750 | describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox | |
3751 | #score REPTO_419_FRAUD_GM 3.000 | |
3752 | tflags REPTO_419_FRAUD_GM publish | |
3753 | ##} REPTO_419_FRAUD_GM | |
3754 | ||
3755 | ##{ REPTO_419_FRAUD_GM_LOOSE | |
3756 | # Hits on sub-rule __REPTO_419_FRAUD_GM_LOOSE only when the exact-list rule REPTO_419_FRAUD_GM did not hit, so the two never fire on the same message. The sub-rule is defined outside this listing; the score line below is commented out. | |
3757 | meta REPTO_419_FRAUD_GM_LOOSE __REPTO_419_FRAUD_GM_LOOSE && !REPTO_419_FRAUD_GM | |
3758 | describe REPTO_419_FRAUD_GM_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox | |
3759 | #score REPTO_419_FRAUD_GM_LOOSE 1.000 | |
3760 | tflags REPTO_419_FRAUD_GM_LOOSE publish | |
3761 | ##} REPTO_419_FRAUD_GM_LOOSE | |
3762 | ||
3763 | ##{ REPTO_419_FRAUD_HM | |
3764 | # Exact-list rule: the first Reply-To address must be one of the listed local parts at hotmail.com (anchored ^...$, case-insensitive); the leading lookahead checks the domain before the alternation runs. Only Reply-To is inspected, so the same mailbox in From: or the body is not covered here. | |
3765 | header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|nikal01|zezul\.idrisazezulidris)|benarnault0|c(?:ecilekaramoko123|hoi21)|d(?:l13139|r\.dukanalycoulibaly)|egorbunova22|fanliangjen2|gen\.dmathokdiigwol|katabettencourt2018|l(?:\.b120k|e(?:a_edem|wisarm44)|imfu201677|ulihongm)|m(?:cliffmomah998|r(?:abrahambeniamfc|pedrohilldonations|s(?:\.roselinejac|elizabetmk|helenbgeorge|micheleallison2003)))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|patrickmullinfinaceservs|s(?:ajda\.andleeb|gthansencs|tephenbettinger|ulaimaninfante)|t(?:ashacap|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i | |
3766 | describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox | |
3767 | #score REPTO_419_FRAUD_HM 3.000 | |
3768 | tflags REPTO_419_FRAUD_HM publish | |
3769 | ##} REPTO_419_FRAUD_HM | |
3770 | ||
3771 | ##{ REPTO_419_FRAUD_OL | |
3772 | # Exact-list rule for outlook.com: domain lookahead, then an anchored, case-insensitive alternation of known local parts tested against the Reply-To address. NOTE(review): a fixed list only catches mailboxes already reported; new or slightly altered addresses will not match. | |
3773 | header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:a(?:23423|lexandermason)|brahamwilliamsonrpsltduk|l(?:bertchebe|exw113)|ndrew(?:_hai|gamble7)|utoresponds)|b(?:a(?:r(?:bayo_jacobs|claysplc2016)|sidris)|etty\.c_investment|illgfile203|riam8molefe)|c(?:bforeignremitdept|harlie\.j\.goodmand|o(?:l\.(?:airforce\.saadwarfali|warfalisaadairforce)|mpensationfunding))|d(?:eborahleeconsult|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020)|g(?:20compessdesk|eoffreynicolas\.esq|ilbertowosukk)|huyennvoha|j(?:ackson4steve|e(?:anedo1?|ssicameir30))|k(?:aujong|kkunited1)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|gbplc3|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|bryandavisuk44|jonah\.ot|mduku|s(?:\.coraluttah|_elizabeth20|michelleallison|roseallen)|vitaloadams)|spvt2020)|p(?:aul(?:\.walter120|blakey05)|hilcohen0012)|qanejmhffgg|r(?:c19691|ichardwahlfreegrant)|s(?:aaman10|gi2019|ilverlakeconsultantllc|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019|reff11)|unvanzyl_mrs|winuklotocash2018))\@outlook\.com$/i | |
3774 | describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox | |
3775 | #score REPTO_419_FRAUD_OL 3.000 | |
3776 | tflags REPTO_419_FRAUD_OL publish | |
3777 | ##} REPTO_419_FRAUD_OL | |
3778 | ||
3779 | ##{ REPTO_419_FRAUD_PM | |
3780 | # Anchored, case-insensitive match of the Reply-To address against a short list of protonmail.com local parts; the lookahead requires the protonmail.com domain first. The score line is commented out, so this stanza sets no score itself. | |
3781 | header REPTO_419_FRAUD_PM Reply-To:addr =~ /^(?=[^\s<>@]+\@protonmail\.com)(?:(?:armstrong0244|berndkoch|davidmetus|euclaim|p(?:a(?:melagriffi|t\.nwankwo)|rotonydonation)|scottpeter012|v\.brianpierre|wraggsmk|yihsbltan|ziraatbankasi))\@protonmail\.com$/i | |
3782 | describe REPTO_419_FRAUD_PM Reply-To is known advance fee fraud collector mailbox | |
3783 | #score REPTO_419_FRAUD_PM 3.000 | |
3784 | tflags REPTO_419_FRAUD_PM publish | |
3785 | ##} REPTO_419_FRAUD_PM | |
3786 | ||
3787 | ##{ REPTO_419_FRAUD_QQ | |
3788 | # Anchored match of the Reply-To address against listed qq.com mailboxes; several entries are purely numeric local parts. The lookahead limits evaluation to qq.com addresses, and matching is case-insensitive. | |
3789 | header REPTO_419_FRAUD_QQ Reply-To:addr =~ /^(?=[^\s<>@]+\@qq\.com)(?:(?:1(?:731419584|821317384)|2(?:0(?:32508290|90641921)|3(?:72948239|89029403|97857528)|751232036)|3(?:323469072|523284224)|a(?:gent(?:markruben_fbi|promofficer)|kia\.j55)|claimoffice1|dennisonctrenton|l\.valiant|peterwong20177|s(?:abrinacrawford000|hu60w)|treasury_deptment0|wang_cjianlin))\@qq\.com$/i | |
3790 | describe REPTO_419_FRAUD_QQ Reply-To is known advance fee fraud collector mailbox | |
3791 | #score REPTO_419_FRAUD_QQ 3.000 | |
3792 | tflags REPTO_419_FRAUD_QQ publish | |
3793 | ##} REPTO_419_FRAUD_QQ | |
3794 | ||
3795 | ##{ REPTO_419_FRAUD_YH | |
3796 | # Exact-list rule for yahoo.com Reply-To addresses: domain lookahead, then a prefix-grouped alternation of local parts, anchored at both ends. The trailing yahoo.com anchor means other Yahoo domains (for example yahoo.co.jp, handled by REPTO_419_FRAUD_YJ) do not match here. | |
3797 | header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|gaaintl\-4g5ee\.w3|l(?:berts\.odia|esiakalina2006)|mbassador\.l|nn(?:awax48|hester\.usa4))|b(?:a(?:che\.delfine|nk\.phbng14|rr(?:\.thomasclark|ister\.(?:dennis11|marcus)|lawrencefubara39|william_davies))|en(?:jaminb34|nicholas22)|illlawrenceee|riceangela45)|c(?:\.(?:aroline90|coulibaly2)|a(?:binet_maitre_emmanuel_patris|mpbellwilliamms)|h(?:arlesscharf112|hoy\.t|im\.w|jackson65)|juan852|o(?:llins(?:mattew32|wayne84)|mpliment\.sseason|ntelamine)|ythiamiller\.un10)|d(?:hamilton9099|i(?:aanesoto190|plomaticagent180)|r(?:\.aminramli|victorobaji))|edwarddawson|f(?:aizaadama2016|bicompensation_funds|ederal\.r73|id00180)|g(?:ov\.ukmessageboard|raham\.eddie2016|uesfilet1336523)|harry1vans|i(?:\.project33411|befranfgnfmf|nfo(?:111mail|bank1|money)|project32411)|j(?:\.edwards228|a(?:ckson\.davis915|ne(?:_ooparah|temoon150))|essica\.p_family|inping\.tw|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:elvinmark629|im(?:\.leang2018?|leang(?:575|90))|yle_grubbe)|l(?:e(?:a_edem13|ge331|hman(?:909|bila))|i(?:m_kaan|sarobinson_555|uhngbin)|y_cheapiseth(?:11|2019))|m(?:arie_avis12|d(?:\.ps|zsesszika672)|elissalewis(?:10001|4004)|iss\.zarryb|o(?:hammedaahil46|keye79)|r(?:kellyayi62|s(?:\.esthernicolas|isabella\.dzesszikan|themo))|s\.gracie_olakun|unny(?:\.sopheap207|_sopheap30))|n(?:adhowc|estordaniel2|orahuz1960)|o(?:fficial_franksylvester88|legkozyrev1|mranshaalan52)|p(?:a(?:ckerkelvin|yus123x)|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|i(?:chard\.w94|taadamsw10)|o(?:b(?:ertbailey2004|orts20)|se(?:mary\.3as|richard655)))|s(?:amthong4040|igurlauganna34|leo25|mith(?:\.dr|colin767)|opheap\.munny|pwalker101|sgt\.bethany|tevecox\.98)|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|u(?:butu16|kdebtmanagement5)|vanserge2001|will(?:clark0010|iamsimon(?:22|521))|xianglongdai60|zhaodonghk))\@yahoo\.com$/i | |
3798 | describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox | |
3799 | #score REPTO_419_FRAUD_YH 3.000 | |
3800 | tflags REPTO_419_FRAUD_YH publish | |
3801 | ##} REPTO_419_FRAUD_YH | |
3802 | ||
3803 | ##{ REPTO_419_FRAUD_YH_LOOSE | |
3804 | # Loose companion to REPTO_419_FRAUD_YH: requires sub-rule __REPTO_419_FRAUD_YH_LOOSE and that the exact-list rule did not hit. The commented-out score here is 1.000 against 3.000 on the exact rule, presumably reflecting lower confidence in a near match; confirm against the scores file. | |
3805 | meta REPTO_419_FRAUD_YH_LOOSE __REPTO_419_FRAUD_YH_LOOSE && !REPTO_419_FRAUD_YH | |
3806 | describe REPTO_419_FRAUD_YH_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox | |
3807 | #score REPTO_419_FRAUD_YH_LOOSE 1.000 | |
3808 | tflags REPTO_419_FRAUD_YH_LOOSE publish | |
3809 | ##} REPTO_419_FRAUD_YH_LOOSE | |
3810 | ||
3811 | ##{ REPTO_419_FRAUD_YJ | |
3812 | # Anchored, case-insensitive match of the Reply-To address against listed yahoo.co.jp local parts; the lookahead rejects any other domain up front. List entries are literal strings, so near-miss spellings are not matched. | |
3813 | header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73|n(?:gelinarichardson01|ita(?:kirkweeks45|usarpac)))|b(?:a(?:lmaa1115|rrevansthomas213)|ealife4god|gsblcagent|nchmclaw)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc|ssicajlavoie|velynjoshua56)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|ktbradley|oneygram100|rs_chen_00001)|nikbnson1|o(?:fficialinfoemail|livia_mabor)|pamgells|r(?:acheljude000|eplykasikorn|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i | |
3814 | describe REPTO_419_FRAUD_YJ Reply-To is known advance fee fraud collector mailbox | |
3815 | #score REPTO_419_FRAUD_YJ 3.000 | |
3816 | tflags REPTO_419_FRAUD_YJ publish | |
3817 | ##} REPTO_419_FRAUD_YJ | |
3818 | ||
3819 | ##{ REPTO_419_FRAUD_YN | |
3820 | # Exact-list rule for yandex.com Reply-To addresses; a few entries use an optional suffix or a small character class to cover close variants of one mailbox. Anchored at both ends and case-insensitive. | |
3821 | header REPTO_419_FRAUD_YN Reply-To:addr =~ /^(?=[^\s<>@]+\@yandex\.com)(?:(?:a(?:lsharibi|m(?:andarandle|g3333txx101)|na\.mariposa|wesome\.mariacarmen)|b(?:ayemahama|igghandgrant|radely\.j)|clemlau|diezanimadueke|f(?:3dex\.courier|ed\.r3v|reedommarketinvestments|uzhongjun\.director)|g(?:\.anniversary(?:101)?|add4fi\.aisha)|hhalesbbanddd?|irenaa\.georgiadou|j(?:efrey(?:\-dean|\.dean11)|o(?:hnnicholsonjr|seph\-scott2k5)|uliet\.lee2222)|kenhamberlet|l(?:es20sc|otointernational\.elgordo)|m(?:a(?:hama\.baye|rcarmenguty)|fdpm|ohamed\.bennani|r(?:\-(?:jos\.martins|robert\-patrick\.patrick)|\.kongkea|spercy))|nokiahouse1[03]|olivia\.mabor|p(?:aragonloansinc|hilipfen778|ri(?:ncedarren0244|vatemail24)|ullmanrb)|rich(?:ard\.wahl|lawands)|skyeloanand\.financelimited|t(?:\.baloyi|an\.sung|omss\.smith|resor\.mambo)|w(?:b\.foundation|ill(?:1amsmarg1|iamsimon1960))|za\.dc2016))\@yandex\.com$/i | |
3822 | describe REPTO_419_FRAUD_YN Reply-To is known advance fee fraud collector mailbox | |
3823 | #score REPTO_419_FRAUD_YN 3.000 | |
3824 | tflags REPTO_419_FRAUD_YN publish | |
3825 | ##} REPTO_419_FRAUD_YN | |
3826 | ||
3827 | ##{ RISK_FREE | |
3828 | # Hits when sub-rule __FRAUD_IOV matches and none of the six negated sub-rules do; all of them are defined outside this listing. No score or tflags line appears in this stanza. | |
3829 | meta RISK_FREE __FRAUD_IOV && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__SUBSCRIPTION_INFO && !__HS_SUBJ_RE_FW && !__LCL__ENV_AND_HDR_FROM_MATCH | |
3830 | describe RISK_FREE No risk! | |
3831 | ##} RISK_FREE | |
3832 | ||
3833 | ##{ SB_GIF_AND_NO_URIS | |
3834 | # Hits when __GIF_ATTACH is true and neither __HAS_ANY_URI nor __HAS_ANY_EMAIL is; the stanza carries no describe, score or tflags line. | |
3835 | meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL) | |
3836 | ##} SB_GIF_AND_NO_URIS | |
3837 | ||
3838 | ##{ SENDGRID_REDIR | |
3839 | # Base Sendgrid-redirect rule: requires __SENDGRID_REDIR_NOPHISH, skips mail that is ALL_TRUSTED, and is suppressed by any of the listed negated sub-rules. Sub-rule definitions are outside this listing. | |
3840 | meta SENDGRID_REDIR __SENDGRID_REDIR_NOPHISH && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION && !__STY_INVIS_MANY && !__HTML_SINGLET_10 && !__HAVE_BOUNCE_RELAYS | |
3841 | describe SENDGRID_REDIR Redirect URI via Sendgrid | |
3842 | #score SENDGRID_REDIR 1.500 # limit | |
3843 | tflags SENDGRID_REDIR publish | |
3844 | ##} SENDGRID_REDIR | |
3845 | ||
3846 | ##{ SENDGRID_REDIR_PHISH | |
3847 | # Thin wrapper that exposes sub-rule __SENDGRID_REDIR_PHISH under a scoreable name; the phishing-sign logic itself lives in that sub-rule, which is not shown here. | |
3848 | meta SENDGRID_REDIR_PHISH __SENDGRID_REDIR_PHISH | |
3849 | describe SENDGRID_REDIR_PHISH Redirect URI via Sendgrid + phishing signs | |
3850 | #score SENDGRID_REDIR_PHISH 3.500 # limit | |
3851 | tflags SENDGRID_REDIR_PHISH publish | |
3852 | ##} SENDGRID_REDIR_PHISH | |
3853 | ||
3854 | ##{ SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3855 | # Only loaded on SpamAssassin >= 3.4.2 with the WLBLEval plugin. Hits when __FROM_ADDRLIST_SUSPNTLD is true and at least one of __PDS_SEO1 / __PDS_SEO2 hit (their sum is >= 1). | |
3856 | if (version >= 3.004002) | |
3857 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3858 | meta SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1) | |
3859 | tflags SEO_SUSP_NTLD publish | |
3860 | describe SEO_SUSP_NTLD SEO offer from suspicious TLD | |
3861 | #score SEO_SUSP_NTLD 1.2 # limit | |
3862 | endif | |
3863 | endif | |
3864 | ##} SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3865 | ||
3866 | ##{ SERGIO_SUBJECT_VIAGRA01 | |
3867 | # Case-insensitive Subject match for the letters v-i-a-g-r-a with up to three non-alphanumeric characters allowed in the gaps; '1' and 'l' are accepted for the 'i'. NOTE(review): every gap allows zero characters, so the plain word matches too, and only the a-to-g gap excludes spaces; confirm that asymmetry is intended. | |
3868 | header SERGIO_SUBJECT_VIAGRA01 Subject =~ /v[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9 ]{0,3}g[^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}a/i | |
3869 | describe SERGIO_SUBJECT_VIAGRA01 Viagra garbled subject | |
3870 | ##} SERGIO_SUBJECT_VIAGRA01 | |
3871 | ||
3872 | ##{ SHOPIFY_IMG_NOT_RCVD_SFY | |
3873 | # Hits on sub-rule __SHOPIFY_IMG_NOT_RCVD_SFY unless one of the eight negated rules also matches; those exclusions and the sub-rule are defined outside this listing. | |
3874 | meta SHOPIFY_IMG_NOT_RCVD_SFY __SHOPIFY_IMG_NOT_RCVD_SFY && !MIME_QP_LONG_LINE && !__RCD_RDNS_MTA_MESSY && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_ORGANIZATION && !__RCD_RDNS_OB && !__DOS_LINK | |
3875 | #score SHOPIFY_IMG_NOT_RCVD_SFY 2.500 # limit | |
3876 | describe SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not from Shopify | |
3877 | tflags SHOPIFY_IMG_NOT_RCVD_SFY publish | |
3878 | ##} SHOPIFY_IMG_NOT_RCVD_SFY | |
3879 | ||
3880 | ##{ SHORTENER_SHORT_IMG | |
3881 | # Conjunction of sub-rule __URL_SHORTENER and rule HTML_SHORT_LINK_IMG_1; both are defined outside this listing. The score line is commented out. | |
3882 | meta SHORTENER_SHORT_IMG __URL_SHORTENER && HTML_SHORT_LINK_IMG_1 | |
3883 | describe SHORTENER_SHORT_IMG Short HTML + image + URL shortener | |
3884 | #score SHORTENER_SHORT_IMG 2.500 # limit | |
3885 | tflags SHORTENER_SHORT_IMG publish | |
3886 | ##} SHORTENER_SHORT_IMG | |
3887 | ||
3888 | ##{ SHORTENER_SHORT_SUBJ | |
3889 | # Hits on __SHORTENER_SHORT_SUBJ unless the message also matches one of the negated list-header, Google-received or X-Priority sub-rules (meanings inferred from their names; confirm against their definitions). | |
3890 | meta SHORTENER_SHORT_SUBJ __SHORTENER_SHORT_SUBJ && !__DOS_HAS_LIST_UNSUB && !__HAS_LIST_ID && !__HDR_RCVD_GOOGLE && !__XPRIO | |
3891 | describe SHORTENER_SHORT_SUBJ URL shortener (avoiding URIBL?) + short subject | |
3892 | #score SHORTENER_SHORT_SUBJ 3.000 # limit | |
3893 | ##} SHORTENER_SHORT_SUBJ | |
3894 | ||
3895 | ##{ SHORT_HELO_AND_INLINE_IMAGE | |
3896 | # Requires both __HELO_NO_DOMAIN and __ANY_IMAGE_ATTACH; neither sub-rule is defined in this listing. | |
3897 | meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH) | |
3898 | describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image | |
3899 | ##} SHORT_HELO_AND_INLINE_IMAGE | |
3900 | ||
3901 | ##{ SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3902 | # Only loaded on SpamAssassin >= 3.4.2 with the WLBLEval plugin. Requires all three sub-rules: __LCL__KAM_BODY_LENGTH_LT_1024, __HTML_LINK_IMAGE and __FROM_ADDRLIST_SUSPNTLD. | |
3903 | if (version >= 3.004002) | |
3904 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3905 | meta SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD | |
3906 | tflags SHORT_IMG_SUSP_NTLD publish | |
3907 | describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD | |
3908 | #score SHORT_IMG_SUSP_NTLD 1.5 # limit | |
3909 | endif | |
3910 | endif | |
3911 | ##} SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3912 | ||
3913 | ##{ SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3914 | # Only loaded with the WLBLEval plugin on SpamAssassin >= 3.4.0. Requires __PDS_MSG_512 plus either shortener sub-rule, and is suppressed when DRUGS_ERECTILE hits. | |
3915 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3916 | if (version >= 3.004000) | |
3917 | meta SHORT_SHORTNER __PDS_MSG_512 && (__PDS_URISHORTENER || __URL_SHORTENER) && !DRUGS_ERECTILE | |
3918 | describe SHORT_SHORTNER Short body with little more than a link to a shortener | |
3919 | #score SHORT_SHORTNER 2.0 # limit | |
3920 | endif | |
3921 | endif | |
3922 | ##} SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3923 | ||
3924 | ##{ SHORT_TERM_PRICE | |
3925 | # Body match for "short term" followed by "target" or "projected", optionally followed by "price"; words are separated by one or more non-word characters, case-insensitive. STOCK_PRICES combines this rule with LONG_TERM_PRICE. | |
3926 | body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i | |
3927 | ##} SHORT_TERM_PRICE | |
3928 | ||
3929 | ##{ SINGLETS_LOW_CONTRAST | |
3930 | # Conjunction of __HTML_SINGLET_MANY and __HTML_FONT_LOW_CONTRAST_MINFP; both sub-rules are defined outside this listing. | |
3931 | meta SINGLETS_LOW_CONTRAST __HTML_SINGLET_MANY && __HTML_FONT_LOW_CONTRAST_MINFP | |
3932 | describe SINGLETS_LOW_CONTRAST Single-letter formatted HTML + hidden text | |
3933 | tflags SINGLETS_LOW_CONTRAST publish | |
3934 | ##} SINGLETS_LOW_CONTRAST | |
3935 | ||
3936 | ##{ SPAMMY_XMAILER | |
3937 | # Hits if any one of five __XM_OL_* sub-rules matches; the X-Mailer strings they test are defined outside this listing. | |
3938 | meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4) | |
3939 | describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham | |
3940 | ##} SPAMMY_XMAILER | |
3941 | ||
3942 | ##{ SPOOFED_FREEMAIL | |
3943 | # Hits on __SPOOFED_FREEMAIL unless one of the negated sub-rules also matches (reply/thread markers, header-shape checks, Google or t-online.de Received lines; meanings inferred from names). tflags net marks it as a network test; there is no describe line. | |
3944 | meta SPOOFED_FREEMAIL __SPOOFED_FREEMAIL && !__HAS_IN_REPLY_TO && !__FS_SUBJ_RE && !__MSGID_GUID && !__freemail_safe && !__THREADED && !__HDRS_LCASE_KNOWN && !__HDR_RCVD_GOOGLE && !__HDR_RCVD_TONLINEDE | |
3945 | #score SPOOFED_FREEMAIL 2.000 # limit | |
3946 | tflags SPOOFED_FREEMAIL net | |
3947 | ##} SPOOFED_FREEMAIL | |
3948 | ||
3949 | ##{ SPOOFED_FREEMAIL_NO_RDNS | |
3950 | # Conjunction of __SPOOFED_FREEMAIL and __RDNS_NONE. It uses the raw sub-rule, so none of the exclusions on the SPOOFED_FREEMAIL rule are applied here. | |
3951 | meta SPOOFED_FREEMAIL_NO_RDNS __SPOOFED_FREEMAIL && __RDNS_NONE | |
3952 | describe SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS | |
3953 | #score SPOOFED_FREEMAIL_NO_RDNS 1.5 | |
3954 | ##} SPOOFED_FREEMAIL_NO_RDNS | |
3955 | ||
3956 | ##{ SPOOFED_FREEM_REPTO | |
3957 | # Hits on __SPOOFED_FREEM_REPTO unless the message also matches __AC_TINY_FONT, __HAS_IN_REPLY_TO or __HAS_THREAD_INDEX. Flagged as a network test (tflags net). | |
3958 | meta SPOOFED_FREEM_REPTO __SPOOFED_FREEM_REPTO && !__AC_TINY_FONT && !__HAS_IN_REPLY_TO && !__HAS_THREAD_INDEX | |
3959 | describe SPOOFED_FREEM_REPTO Forged freemail sender with freemail reply-to | |
3960 | #score SPOOFED_FREEM_REPTO 2.500 | |
3961 | tflags SPOOFED_FREEM_REPTO net publish | |
3962 | ##} SPOOFED_FREEM_REPTO | |
3963 | ||
3964 | ##{ SPOOFED_FREEM_REPTO_CHN | |
3965 | # Either __SPOOFED_FREEM_REPTO or FORGED_YAHOO_RCVD, combined with __REPTO_CHN_FREEM. The exclusions used by the SPOOFED_FREEM_REPTO rule are not repeated here. | |
3966 | meta SPOOFED_FREEM_REPTO_CHN (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM | |
3967 | describe SPOOFED_FREEM_REPTO_CHN Forged freemail sender with Chinese freemail reply-to | |
3968 | #score SPOOFED_FREEM_REPTO_CHN 3.500 | |
3969 | tflags SPOOFED_FREEM_REPTO_CHN net publish | |
3970 | ##} SPOOFED_FREEM_REPTO_CHN | |
3971 | ||
3972 | ##{ SPOOFED_FREEM_REPTO_RUS | |
3973 | # Either __SPOOFED_FREEM_REPTO or FORGED_YAHOO_RCVD, combined with __REPTO_RUS_FREEM; same shape as SPOOFED_FREEM_REPTO_CHN with a different Reply-To sub-rule. | |
3974 | meta SPOOFED_FREEM_REPTO_RUS (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_RUS_FREEM | |
3975 | describe SPOOFED_FREEM_REPTO_RUS Forged freemail sender with Russian freemail reply-to | |
3976 | #score SPOOFED_FREEM_REPTO_RUS 3.500 | |
3977 | tflags SPOOFED_FREEM_REPTO_RUS net publish | |
3978 | ##} SPOOFED_FREEM_REPTO_RUS | |
3979 | ||
3980 | ##{ SPOOF_GMAIL_MID | |
3981 | # Builds on the full SPOOFED_FREEMAIL rule (not the __ sub-rule), so that rule's exclusions apply here too; additionally requires __PDS_FROM_GMAIL and the absence of __PDS_GMAIL_MID. | |
3982 | meta SPOOF_GMAIL_MID SPOOFED_FREEMAIL && __PDS_FROM_GMAIL && !__PDS_GMAIL_MID | |
3983 | #score SPOOF_GMAIL_MID 1.5 | |
3984 | describe SPOOF_GMAIL_MID From Gmail but it doesn't seem to be... | |
3985 | ##} SPOOF_GMAIL_MID | |
3986 | ||
3987 | ##{ STATIC_XPRIO_OLE | |
3988 | # Thin wrapper exposing sub-rule __STATIC_XPRIO_OLE under a scoreable name; the sub-rule is defined outside this listing. | |
3989 | meta STATIC_XPRIO_OLE __STATIC_XPRIO_OLE | |
3990 | describe STATIC_XPRIO_OLE Static RDNS + X-Priority + MIMEOLE | |
3991 | #score STATIC_XPRIO_OLE 2.000 # limit | |
3992 | tflags STATIC_XPRIO_OLE publish | |
3993 | ##} STATIC_XPRIO_OLE | |
3994 | ||
3995 | ##{ STOCK_IMG_CTYPE | |
3996 | # One of four STOCK_IMG_* rules that share __ANY_IMAGE_ATTACH and __ENV_AND_HDR_FROM_MATCH; this one adds __CTYPE_ONETAB_GIF and __HTML_IMG_ONLY. | |
3997 | meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY) | |
3998 | describe STOCK_IMG_CTYPE Stock spam image part, with distinctive Content-Type header | |
3999 | ##} STOCK_IMG_CTYPE | |
4000 | ||
4001 | ##{ STOCK_IMG_HDR_FROM | |
4002 | # One of four STOCK_IMG_* rules that share __ANY_IMAGE_ATTACH and __ENV_AND_HDR_FROM_MATCH; this one adds __TVD_FW_GRAPHIC_ID1 and __HTML_IMG_ONLY. | |
4003 | meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY) | |
4004 | describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line | |
4005 | ##} STOCK_IMG_HDR_FROM | |
4006 | ||
4007 | ##{ STOCK_IMG_HTML | |
4008 | # One of four STOCK_IMG_* rules that share __ANY_IMAGE_ATTACH and __ENV_AND_HDR_FROM_MATCH; this one adds __PART_STOCK_CID and __HTML_IMG_ONLY. | |
4009 | meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY) | |
4010 | describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML | |
4011 | ##} STOCK_IMG_HTML | |
4012 | ||
4013 | ##{ STOCK_IMG_OUTLOOK | |
4014 | # Shares __ANY_IMAGE_ATTACH and __ENV_AND_HDR_FROM_MATCH with the other STOCK_IMG_* rules and adds __XM_MS_IN_GENERAL and __HTML_LENGTH_1536_2048; unlike the other three it does not require __HTML_IMG_ONLY. | |
4015 | meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048) | |
4016 | describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features | |
4017 | ##} STOCK_IMG_OUTLOOK | |
4018 | ||
4019 | ##{ STOCK_LOW_CONTRAST | |
4020 | # Requires __HTML_FONT_LOW_CONTRAST_MINFP and __FB_S_STOCK, and is suppressed when __BUGGED_IMG matches. | |
4021 | meta STOCK_LOW_CONTRAST (__HTML_FONT_LOW_CONTRAST_MINFP && __FB_S_STOCK) && !__BUGGED_IMG | |
4022 | describe STOCK_LOW_CONTRAST Stocks + hidden text | |
4023 | #score STOCK_LOW_CONTRAST 2.500 # limit | |
4024 | tflags STOCK_LOW_CONTRAST publish | |
4025 | ##} STOCK_LOW_CONTRAST | |
4026 | ||
4027 | ##{ STOCK_PRICES | |
4028 | # Hits when both SHORT_TERM_PRICE and LONG_TERM_PRICE hit; LONG_TERM_PRICE is defined outside this listing. | |
4029 | meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE) | |
4030 | ##} STOCK_PRICES | |
4031 | ||
4032 | ##{ STOCK_TIP | |
4033 | # Hits on __STOCK_TIP only when __DKIM_EXISTS is false. NOTE(review): if __DKIM_EXISTS only tests for the presence of a signature header, any signature, valid or not, suppresses this rule; confirm against its definition. | |
4034 | meta STOCK_TIP __STOCK_TIP && !__DKIM_EXISTS | |
4035 | describe STOCK_TIP Stock tips | |
4036 | #score STOCK_TIP 3.000 # limit | |
4037 | tflags STOCK_TIP publish | |
4038 | ##} STOCK_TIP | |
4039 | ||
4040 | ##{ STOX_AND_PRICE | |
4041 | # Conjunction of CURR_PRICE (defined outside this listing) and STOX_REPLY_TYPE. | |
4042 | meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE | |
4043 | ##} STOX_AND_PRICE | |
4044 | ||
4045 | ##{ STOX_REPLY_TYPE | |
4046 | # Case-sensitive Content-Type match: "text/plain; " followed later by " reply-type=original". The spaces in the pattern are literal, so other spacing or capitalization will not match. | |
4047 | header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/ | |
4048 | ##} STOX_REPLY_TYPE | |
4049 | ||
4050 | ##{ STOX_REPLY_TYPE_WITHOUT_QUOTES | |
4051 | # STOX_REPLY_TYPE hit on a message that matches neither __HS_SUBJ_RE_FW nor __HS_QUOTE. | |
4052 | meta STOX_REPLY_TYPE_WITHOUT_QUOTES (STOX_REPLY_TYPE && !(__HS_SUBJ_RE_FW || __HS_QUOTE)) | |
4053 | ##} STOX_REPLY_TYPE_WITHOUT_QUOTES | |
4054 | ||
4055 | ##{ SUBJECT_NEEDS_ENCODING | |
4056 | # Hits when __SUBJECT_NEEDS_MIME is true and neither Subject-encoding sub-rule (base64 or quoted-printable, per their names) matched. | |
4057 | meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME | |
4058 | describe SUBJECT_NEEDS_ENCODING Subject is encoded but does not specify the encoding | |
4059 | ##} SUBJECT_NEEDS_ENCODING | |
4060 | ||
4061 | ##{ SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM | |
4062 | # Only loaded with the DKIM plugin. Hits on __SUBJ_BRKN_WORDNUMS when DKIM_SIGNED and __TO___LOWER are both false. | |
4063 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
4064 | meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER | |
4065 | describe SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers | |
4066 | endif | |
4067 | ##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM | |
4068 | ||
4069 | ##{ SUBJ_UNNEEDED_HTML | |
4070 | # Hits on __SUBJ_UNNEEDED_HTML unless __NOT_SPOOFED, __RP_MATCHES_RCVD or __VIA_ML also matches. | |
4071 | meta SUBJ_UNNEEDED_HTML __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML | |
4072 | describe SUBJ_UNNEEDED_HTML Unneeded HTML formatting in Subject: | |
4073 | ##} SUBJ_UNNEEDED_HTML | |
4074 | ||
4075 | ##{ SYSADMIN | |
4076 | # Hits on __SYSADMIN for mail that is not ALL_TRUSTED and matches none of the negated sub-rules. NOTE(review): the !__DKIM_EXISTS term means a DKIM signature from any domain may suppress the rule; confirm what __DKIM_EXISTS tests. | |
4077 | meta SYSADMIN __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS | |
4078 | describe SYSADMIN Supposedly from your IT department | |
4079 | #score SYSADMIN 3.500 # limit | |
4080 | tflags SYSADMIN publish | |
4081 | ##} SYSADMIN | |
4082 | ||
4083 | ##{ TBIRD_SUSP_MIME_BDRY | |
4084 | # Conjunction of __MUA_TBIRD and __TB_MIME_BDRY_NO_Z; both sub-rules are defined outside this listing. | |
4085 | meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z | |
4086 | describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary | |
4087 | ##} TBIRD_SUSP_MIME_BDRY | |
4088 | ||
4089 | ##{ TEQF_USR_IMAGE | |
4090 | # Requires __TO_EQ_FROM_USR_NN_MINFP together with __ANY_IMAGE_ATTACH; both sub-rules are defined outside this listing. | |
4091 | meta TEQF_USR_IMAGE __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH | |
4092 | describe TEQF_USR_IMAGE To and from user nearly same + image | |
4093 | tflags TEQF_USR_IMAGE publish | |
4094 | ##} TEQF_USR_IMAGE | |
4095 | ||
4096 | ##{ TEQF_USR_MSGID_HEX | |
4097 | # Requires __TO_EQ_FROM_USR_NN_MINFP and __MSGID_OK_HEX, and excludes __MSGID_NOFQDN2, which TEQF_USR_MSGID_MALF handles instead. | |
4098 | meta TEQF_USR_MSGID_HEX __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2 | |
4099 | describe TEQF_USR_MSGID_HEX To and from user nearly same + unusual message ID | |
4100 | tflags TEQF_USR_MSGID_HEX publish | |
4101 | ##} TEQF_USR_MSGID_HEX | |
4102 | ||
4103 | ##{ TEQF_USR_MSGID_MALF | |
4104 | # Requires __TO_EQ_FROM_USR_NN_MINFP and __MSGID_NOFQDN2; the negated __MSGID_NOFQDN2 term in TEQF_USR_MSGID_HEX keeps the two rules from both hitting. | |
4105 | meta TEQF_USR_MSGID_MALF __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2 | |
4106 | describe TEQF_USR_MSGID_MALF To and from user nearly same + malformed message ID | |
4107 | tflags TEQF_USR_MSGID_MALF publish | |
4108 | ##} TEQF_USR_MSGID_MALF | |
4109 | ||
4110 | ##{ THEBAT_UNREG | |
4111 | # Case-sensitive X-Mailer match: starts with "The Bat! ", then at most 20 characters, then " UNREG" at the end of the header value. | |
4112 | header THEBAT_UNREG X-Mailer =~ /^The Bat! .{0,20} UNREG$/ | |
4113 | ##} THEBAT_UNREG | |
4114 | ||
4115 | ##{ THIS_AD | |
4116 | # Hits on __THIS_AD unless one of four negated sub-rules also matches; all are defined outside this listing. | |
4117 | meta THIS_AD __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD | |
4118 | describe THIS_AD "This ad" and variants | |
4119 | tflags THIS_AD publish | |
4120 | ##} THIS_AD | |
4121 | ||
4122 | ##{ THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4123 | # Only loaded on SpamAssassin >= 3.4.2 with the WLBLEval plugin. Conjunction of __FROM_ADDRLIST_SUSPNTLD and __ADMITS_SPAM. | |
4124 | if (version >= 3.004002) | |
4125 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4126 | meta THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __ADMITS_SPAM | |
4127 | tflags THIS_IS_ADV_SUSP_NTLD publish | |
4128 | describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD | |
4129 | #score THIS_IS_ADV_SUSP_NTLD 1.5 # limit | |
4130 | endif | |
4131 | endif | |
4132 | ##} THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4133 | ||
4134 | ##{ TONLINE_FAKE_DKIM | |
4135 | # Hits when __HDR_RCVD_TONLINEDE and __DKIM_EXISTS are both true. NOTE(review): the rule depends on the premise stated in its description and would need revisiting if that provider starts signing mail. | |
4136 | meta TONLINE_FAKE_DKIM __HDR_RCVD_TONLINEDE && __DKIM_EXISTS | |
4137 | describe TONLINE_FAKE_DKIM t-online.de doesn't do DKIM | |
4138 | #score TONLINE_FAKE_DKIM 3.000 # limit | |
4139 | tflags TONLINE_FAKE_DKIM publish | |
4140 | ##} TONLINE_FAKE_DKIM | |
4141 | ||
4142 | ##{ TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
4143 | # Only loaded with the WLBLEval plugin on SpamAssassin >= 3.4.0. Requires all of __PDS_URISHORTENER, __PDS_TONAME_EQ_TOLOCAL and __PDS_MSG_1024. | |
4144 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4145 | if (version >= 3.004000) | |
4146 | meta TONOM_EQ_TOLOC_SHRT_SHRTNER __PDS_URISHORTENER && __PDS_TONAME_EQ_TOLOCAL && __PDS_MSG_1024 | |
4147 | describe TONOM_EQ_TOLOC_SHRT_SHRTNER Short email with shortener and To:name eq To:local | |
4148 | #score TONOM_EQ_TOLOC_SHRT_SHRTNER 1.5 # limit | |
4149 | endif | |
4150 | endif | |
4151 | ##} TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
4152 | ||
4153 | ##{ TO_EQ_FM_DIRECT_MX | |
4154 | # Hits on __TO_EQ_FM_DIRECT_MX unless __THREAD_INDEX_GOOD, __IS_EXCH or __CTYPE_MULTIPART_MIXED also matches. | |
4155 | meta TO_EQ_FM_DIRECT_MX __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED | |
4156 | describe TO_EQ_FM_DIRECT_MX To == From and direct-to-MX | |
4157 | #score TO_EQ_FM_DIRECT_MX 2.500 # limit | |
4158 | tflags TO_EQ_FM_DIRECT_MX publish | |
4159 | ##} TO_EQ_FM_DIRECT_MX | |
4160 | ||
4161 | ##{ TO_EQ_FM_DOM_HTML_IMG | |
4162 | # Hits on __TO_EQ_FM_DOM_HTML_IMG with a long list of exclusions; any one negated sub-rule matching suppresses the rule. No score or tflags line in this stanza. | |
4163 | meta TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD | |
4164 | describe TO_EQ_FM_DOM_HTML_IMG To domain == From domain and HTML image link | |
4165 | ##} TO_EQ_FM_DOM_HTML_IMG | |
4166 | ||
4167 | ##{ TO_EQ_FM_DOM_HTML_ONLY | |
4168 | # Hits on __TO_EQ_FM_DOM_HTML_ONLY unless any of the negated rules matches, including the full rule HTML_MIME_NO_HTML_TAG. | |
4169 | meta TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FM_DOM_HTML_ONLY && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__FM_TO_ALL_NUMS && !__FROM_LOWER && !__HAS_IN_REPLY_TO && !__BUGGED_IMG && !__FROM_ENCODED_QP && !__MSGID_OK_HEX | |
4170 | describe TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only | |
4171 | ##} TO_EQ_FM_DOM_HTML_ONLY | |
4172 | ||
4173 | ##{ TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF | |
4174 | # Only loaded with the SPF plugin. Hits on __TO_EQ_FM_DOM_SPF_FAIL for mail that is neither __THREADED nor ALL_TRUSTED; flagged as a network test. | |
4175 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
4176 | meta TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED | |
4177 | describe TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed | |
4178 | tflags TO_EQ_FM_DOM_SPF_FAIL net | |
4179 | endif | |
4180 | ##} TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF | |
4181 | ||
4182 | ##{ TO_EQ_FM_HTML_ONLY | |
4183 | # Hits on __TO_EQ_FM_HTML_ONLY for mail that is not ALL_TRUSTED and matches none of the other negated sub-rules. | |
4184 | meta TO_EQ_FM_HTML_ONLY __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTER | |
4185 | describe TO_EQ_FM_HTML_ONLY To == From and HTML only | |
4186 | ##} TO_EQ_FM_HTML_ONLY | |
4187 | ||
4188 | ##{ TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF | |
4189 | # Only loaded with the SPF plugin. Hits on __TO_EQ_FM_SPF_FAIL for mail that is neither __THREADED nor ALL_TRUSTED; flagged as a network test. | |
4190 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
4191 | meta TO_EQ_FM_SPF_FAIL __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED | |
4192 | describe TO_EQ_FM_SPF_FAIL To == From and external SPF failed | |
4193 | tflags TO_EQ_FM_SPF_FAIL net | |
4194 | endif | |
4195 | ##} TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF | |
4196 | ||
4197 | ##{ TO_IN_SUBJ | |
4198 | ||
4199 | meta TO_IN_SUBJ __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW | |
4200 | describe TO_IN_SUBJ To address is in Subject | |
4201 | tflags TO_IN_SUBJ publish | |
4202 | #score TO_IN_SUBJ 0.1 | |
4203 | ##} TO_IN_SUBJ | |
4204 | ||
4205 | ##{ TO_NAME_SUBJ_NO_RDNS | |
4206 | ||
4207 | meta TO_NAME_SUBJ_NO_RDNS LOCALPART_IN_SUBJECT && __RDNS_NONE | |
4208 | describe TO_NAME_SUBJ_NO_RDNS Recipient username in subject + no rDNS | |
4209 | #score TO_NAME_SUBJ_NO_RDNS 3.000 # limit | |
4210 | tflags TO_NAME_SUBJ_NO_RDNS publish | |
4211 | ##} TO_NAME_SUBJ_NO_RDNS | |
4212 | ||
4213 | ##{ TO_NO_BRKTS_FROM_MSSP | |
4214 | ||
4215 | meta TO_NO_BRKTS_FROM_MSSP __TO_NO_BRKTS_FROM_RUNON && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__TO___LOWER && !__BUGGED_IMG && !__SUBJECT_ENCODED_QP && !__VIA_ML && !__FR_SPACING_8 && !__TAG_EXISTS_CENTER && !__RCVD_ZIXMAIL && !__RP_MATCHES_RCVD && !__HAS_SENDER | |
4216 | #score TO_NO_BRKTS_FROM_MSSP 2.50 # max | |
4217 | describe TO_NO_BRKTS_FROM_MSSP Multiple header formatting problems | |
4218 | ##} TO_NO_BRKTS_FROM_MSSP | |
4219 | ||
4220 | ##{ TO_NO_BRKTS_HTML_IMG | |
4221 | ||
4222 | meta TO_NO_BRKTS_HTML_IMG __TO_NO_BRKTS_HTML_IMG && !__FM_TO_ALL_NUMS && !__FROM_FULL_NAME && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__HAS_SENDER && !__THREADED && !__LONGLINE | |
4223 | describe TO_NO_BRKTS_HTML_IMG To: lacks brackets and HTML and one image | |
4224 | #score TO_NO_BRKTS_HTML_IMG 2.000 # limit | |
4225 | tflags TO_NO_BRKTS_HTML_IMG publish | |
4226 | ##} TO_NO_BRKTS_HTML_IMG | |
4227 | ||
4228 | ##{ TO_NO_BRKTS_HTML_ONLY | |
4229 | ||
4230 | meta TO_NO_BRKTS_HTML_ONLY __TO_NO_BRKTS_HTML_ONLY && !RDNS_NONE && !__MIME_QP && !__MSGID_JAVAMAIL && !__CTYPE_CHARSET_QUOTED && !__SUBJECT_ENCODED_B64 && !__VIA_ML && !__MSGID_BEFORE_RECEIVED && !__MIME_BASE64 && !__RCD_RDNS_MAIL_MESSY && !__COMMENT_EXISTS && !LOTS_OF_MONEY && !__TAG_EXISTS_CENTER && !__UPPERCASE_URI && !__UNSUB_LINK && !__RCD_RDNS_MX_MESSY && !__DKIM_EXISTS && !__BUGGED_IMG && !__FM_TO_ALL_NUMS && !__URI_12LTRDOM && !__RDNS_NO_SUBDOM && !__HDRS_LCASE && !__LCL__ENV_AND_HDR_FROM_MATCH | |
4231 | #score TO_NO_BRKTS_HTML_ONLY 2.00 # limit | |
4232 | describe TO_NO_BRKTS_HTML_ONLY To: lacks brackets and HTML only | |
4233 | tflags TO_NO_BRKTS_HTML_ONLY publish | |
4234 | ##} TO_NO_BRKTS_HTML_ONLY | |
4235 | ||
4236 | ##{ TO_NO_BRKTS_MSFT | |
4237 | ||
4238 | meta TO_NO_BRKTS_MSFT __TO_NO_BRKTS_MSFT && !__VIA_ML && !__LYRIS_EZLM_REMAILER && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__UNSUB_LINK && !__NOT_SPOOFED && !__DOS_HAS_LIST_UNSUB && !__NAME_EQ_EMAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__HAS_THREAD_INDEX && !__HAS_X_REF && !__HAS_IN_REPLY_TO && !__FROM_ENCODED_QP && !__RP_MATCHES_RCVD | |
4239 | describe TO_NO_BRKTS_MSFT To: lacks brackets and supposed Microsoft tool | |
4240 | #score TO_NO_BRKTS_MSFT 2.50 # limit | |
4241 | ##} TO_NO_BRKTS_MSFT | |
4242 | ||
4243 | ##{ TO_NO_BRKTS_NORDNS_HTML | |
4244 | ||
4245 | meta TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_NORDNS_HTML && !ALL_TRUSTED && !__MSGID_JAVAMAIL && !__MSGID_BEFORE_RECEIVED && !__VIA_ML && !__UA_MUTT && !__COMMENT_EXISTS && !__HTML_LENGTH_384 && !__MIME_BASE64 && !__UPPERCASE_URI && !__TO___LOWER && !__TAG_EXISTS_CENTER && !__LONGLINE && !__DKIM_EXISTS | |
4246 | #score TO_NO_BRKTS_NORDNS_HTML 2.00 # limit | |
4247 | describe TO_NO_BRKTS_NORDNS_HTML To: lacks brackets and no rDNS and HTML only | |
4248 | tflags TO_NO_BRKTS_NORDNS_HTML publish | |
4249 | ##} TO_NO_BRKTS_NORDNS_HTML | |
4250 | ||
4251 | ##{ TO_NO_BRKTS_PCNT | |
4252 | ||
4253 | meta TO_NO_BRKTS_PCNT __TO_NO_BRKTS_PCNT && !__SUBJECT_ENCODED_B64 && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__ISO_2022_JP_DELIM && !__IMS_MSGID && !__THREAD_INDEX_GOOD && !__RCD_RDNS_MX_MESSY && !__UNSUB_LINK && !__LONGLINE && !URI_HEX && !__RP_MATCHES_RCVD && !__MAIL_LINK && !__BUGGED_IMG && !__MIME_QP && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_X_MAILER && !__HTML_LINK_IMAGE && !__SENDER_BOT && !__DKIM_EXISTS && !__KHOP_NO_FULL_NAME && !__THREADED | |
4254 | describe TO_NO_BRKTS_PCNT To: lacks brackets + percentage | |
4255 | #score TO_NO_BRKTS_PCNT 2.50 # limit | |
4256 | tflags TO_NO_BRKTS_PCNT publish | |
4257 | ##} TO_NO_BRKTS_PCNT | |
4258 | ||
4259 | ##{ TO_TOO_MANY_WFH_01 | |
4260 | ||
4261 | meta TO_TOO_MANY_WFH_01 __TO_TOO_MANY_WFH_01 | |
4262 | describe TO_TOO_MANY_WFH_01 Work-from-Home + many recipients | |
4263 | tflags TO_TOO_MANY_WFH_01 publish | |
4264 | ##} TO_TOO_MANY_WFH_01 | |
4265 | ||
4266 | ##{ TRANSFORM_LIFE | |
4267 | ||
4268 | meta TRANSFORM_LIFE __TRANSFORM_LIFE && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_X_MAILER && !__VIA_ML | |
4269 | describe TRANSFORM_LIFE Transform your life! | |
4270 | #score TRANSFORM_LIFE 2.500 # limit | |
4271 | ##} TRANSFORM_LIFE | |
4272 | ||
4273 | ##{ TT_MSGID_TRUNC | |
4274 | ||
4275 | header TT_MSGID_TRUNC Message-Id =~ /^\s*<?[^<>\s]+\[\d+$/ | |
4276 | describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits | |
4277 | ##} TT_MSGID_TRUNC | |
4278 | ||
4279 | ##{ TT_OBSCURED_VALIUM | |
4280 | ||
4281 | meta TT_OBSCURED_VALIUM ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM | |
4282 | describe TT_OBSCURED_VALIUM Scora: obscured "VALIUM" in subject | |
4283 | ##} TT_OBSCURED_VALIUM | |
4284 | ||
4285 | ##{ TT_OBSCURED_VIAGRA | |
4286 | ||
4287 | meta TT_OBSCURED_VIAGRA ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA | |
4288 | describe TT_OBSCURED_VIAGRA Scora: obscured "VIAGRA" in subject | |
4289 | ##} TT_OBSCURED_VIAGRA | |
4290 | ||
4291 | ##{ TVD_ACT_193 | |
4292 | ||
4293 | body TVD_ACT_193 /\bact of (?:193|nineteen thirty)/i | |
4294 | describe TVD_ACT_193 Message refers to an act passed in the 1930s | |
4295 | ##} TVD_ACT_193 | |
4296 | ||
4297 | ##{ TVD_APPROVED | |
4298 | ||
4299 | body TVD_APPROVED /you.{1,2}re .{0,20}approved/i | |
4300 | describe TVD_APPROVED Body states that the recipient has been approved | |
4301 | ##} TVD_APPROVED | |
4302 | ||
4303 | ##{ TVD_DEAR_HOMEOWNER | |
4304 | ||
4305 | body TVD_DEAR_HOMEOWNER /^dear homeowner/i | |
4306 | describe TVD_DEAR_HOMEOWNER Spam with generic salutation of "dear homeowner" | |
4307 | ##} TVD_DEAR_HOMEOWNER | |
4308 | ||
4309 | ##{ TVD_EB_PHISH | |
4310 | # Fires only when both __FROM_EBAY and NORMAL_HTTP_TO_IP hit; judging by the names, an eBay-looking sender combined with a link to a bare IP address (both sub-rules are defined elsewhere - confirm there). | |
4311 | meta TVD_EB_PHISH __FROM_EBAY && NORMAL_HTTP_TO_IP | |
4312 | ##} TVD_EB_PHISH | |
4313 | ||
4314 | ##{ TVD_ENVFROM_APOST | |
4315 | ||
4316 | header TVD_ENVFROM_APOST EnvelopeFrom =~ /\'/ | |
4317 | describe TVD_ENVFROM_APOST Envelope From contains single-quote | |
4318 | ##} TVD_ENVFROM_APOST | |
4319 | ||
4320 | ##{ TVD_FINGER_02 | |
4321 | # Header fingerprint: Content-Type starts with text/plain followed by three consecutive "; "-separated parameters drawn from format=flowed, charset="Windows-1252" and reply-type=original (any order, case-insensitive). | |
4322 | header TVD_FINGER_02 Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i | |
4323 | ##} TVD_FINGER_02 | |
4324 | ||
4325 | ##{ TVD_FLOAT_GENERAL | |
4326 | ||
4327 | rawbody TVD_FLOAT_GENERAL /\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i | |
4328 | describe TVD_FLOAT_GENERAL Message uses CSS float style | |
4329 | ##} TVD_FLOAT_GENERAL | |
4330 | ||
4331 | ##{ TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4332 | ||
4333 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4334 | body TVD_FUZZY_DEGREE /<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i | |
4335 | describe TVD_FUZZY_DEGREE Obfuscation of the word "degree" | |
4336 | endif | |
4337 | ##} TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4338 | ||
4339 | ##{ TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4340 | ||
4341 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4342 | body TVD_FUZZY_FINANCE /(?!finance)<F><I><N><A><N><C><E>/i | |
4343 | describe TVD_FUZZY_FINANCE Obfuscation of the word "finance" | |
4344 | endif | |
4345 | ##} TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4346 | ||
4347 | ##{ TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4348 | ||
4349 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4350 | body TVD_FUZZY_FIXED_RATE /<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i | |
4351 | describe TVD_FUZZY_FIXED_RATE Obfuscation of the phrase "fixed rate" | |
4352 | endif | |
4353 | ##} TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4354 | ||
4355 | ##{ TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4356 | ||
4357 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4358 | body TVD_FUZZY_MICROCAP /<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i | |
4359 | describe TVD_FUZZY_MICROCAP Obfuscation of the word "micro-cap" | |
4360 | endif | |
4361 | ##} TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4362 | ||
4363 | ##{ TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4364 | ||
4365 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4366 | body TVD_FUZZY_PHARMACEUTICAL /<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i | |
4367 | describe TVD_FUZZY_PHARMACEUTICAL Obfuscation of the word "pharmaceutical" | |
4368 | endif | |
4369 | ##} TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4370 | ||
4371 | ##{ TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4372 | ||
4373 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4374 | body TVD_FUZZY_SYMBOL /<inter W2><post P2>(?!symboo?l)<S><Y><M><B><O><L>/i | |
4375 | describe TVD_FUZZY_SYMBOL Obfuscation of the word "symbol" | |
4376 | endif | |
4377 | ##} TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4378 | ||
4379 | ##{ TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4380 | ||
4381 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4382 | mimeheader TVD_FW_GRAPHIC_NAME_LONG Content-Type =~ /\bname="[a-z]{8,}\.gif/ | |
4383 | describe TVD_FW_GRAPHIC_NAME_LONG Long image attachment name | |
4384 | endif | |
4385 | ##} TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4386 | ||
4387 | ##{ TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4388 | ||
4389 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4390 | mimeheader TVD_FW_GRAPHIC_NAME_MID Content-Type =~ /\bname="[a-z]{6,7}\.gif/ | |
4391 | describe TVD_FW_GRAPHIC_NAME_MID Medium sized image attachment name | |
4392 | endif | |
4393 | ##} TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4394 | ||
4395 | ##{ TVD_INCREASE_SIZE | |
4396 | ||
4397 | body TVD_INCREASE_SIZE /\bsize of .{1,20}(?:penis|dick|manhood)/i | |
4398 | describe TVD_INCREASE_SIZE Advertising for penis enlargement | |
4399 | ##} TVD_INCREASE_SIZE | |
4400 | ||
4401 | ##{ TVD_IP_HEX | |
4402 | # Matches an http(s) URI whose host starts with zero to three dotted decimal groups followed by a 0x-prefixed hex component, i.e. an IP address with at least one octet written in hex; presumably targeted because such hosts are missed by checks that only recognise dotted-decimal IPs. | |
4403 | uri TVD_IP_HEX m@^https?://(?:\d+\.){0,3}0x[0-9a-f]{2}@i | |
4404 | ##} TVD_IP_HEX | |
4405 | ||
4406 | ##{ TVD_IP_SING_HEX | |
4407 | # Matches an http(s) URI whose entire host is a single 0x-prefixed hex number (terminated by ':', '/' or end of string), i.e. a whole address written as one hex integer instead of dotted decimal. | |
4408 | uri TVD_IP_SING_HEX m@^https?://0x[0-9a-f]+(?:[:/]|$)@i | |
4409 | ##} TVD_IP_SING_HEX | |
4410 | ||
4411 | ##{ TVD_LINK_SAVE | |
4412 | ||
4413 | body TVD_LINK_SAVE /\blink to save\b/i | |
4414 | describe TVD_LINK_SAVE Spam with the text "link to save" | |
4415 | ##} TVD_LINK_SAVE | |
4416 | ||
4417 | ##{ TVD_PH_BODY_ACCOUNTS_PRE | |
4418 | ||
4419 | meta TVD_PH_BODY_ACCOUNTS_PRE __TVD_PH_BODY_ACCOUNTS_PRE | |
4420 | describe TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts suspended", "account credited", "account verification" | |
4421 | ##} TVD_PH_BODY_ACCOUNTS_PRE | |
4422 | ||
4423 | ##{ TVD_PH_REC | |
4424 | ||
4425 | body TVD_PH_REC /\byour .{0,40}account .{0,40}record/i | |
4426 | describe TVD_PH_REC Message includes a phrase commonly used in phishing mails | |
4427 | ##} TVD_PH_REC | |
4428 | ||
4429 | ##{ TVD_PH_SEC | |
4430 | ||
4431 | body TVD_PH_SEC /\byour .{0,40}account .{0,40}security/i | |
4432 | describe TVD_PH_SEC Message includes a phrase commonly used in phishing mails | |
4433 | ##} TVD_PH_SEC | |
4434 | ||
4435 | ##{ TVD_PP_PHISH | |
4436 | # Fires only when both __FROM_PAYPAL and NORMAL_HTTP_TO_IP hit; judging by the names, a PayPal-looking sender combined with a link to a bare IP address (both sub-rules are defined elsewhere - confirm there). | |
4437 | meta TVD_PP_PHISH __FROM_PAYPAL && NORMAL_HTTP_TO_IP | |
4438 | ##} TVD_PP_PHISH | |
4439 | ||
4440 | ##{ TVD_QUAL_MEDS | |
4441 | ||
4442 | body TVD_QUAL_MEDS /\bquality med(?:ication)?s\b/i | |
4443 | describe TVD_QUAL_MEDS The body matches phrases such as "quality meds" or "quality medication" | |
4444 | ##} TVD_QUAL_MEDS | |
4445 | ||
4446 | ##{ TVD_RATWARE_CB | |
4447 | ||
4448 | header TVD_RATWARE_CB Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i | |
4449 | describe TVD_RATWARE_CB Content-Type header that is commonly indicative of ratware | |
4450 | ##} TVD_RATWARE_CB | |
4451 | ||
4452 | ##{ TVD_RATWARE_CB_2 | |
4453 | ||
4454 | header TVD_RATWARE_CB_2 Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/ | |
4455 | describe TVD_RATWARE_CB_2 Content-Type header that is commonly indicative of ratware | |
4456 | ##} TVD_RATWARE_CB_2 | |
4457 | ||
4458 | ##{ TVD_RATWARE_MSGID_02 | |
4459 | # Only the part between '<' and '@' is tested: it must consist solely of lower-case a-z (no digits or punctuation); the part after '@' is not examined. | |
4460 | header TVD_RATWARE_MSGID_02 Message-ID =~ /^[^<]*<[a-z]+\@/ | |
4461 | describe TVD_RATWARE_MSGID_02 Ratware with a Message-ID header that is entirely lower-case | |
4462 | ##} TVD_RATWARE_MSGID_02 | |
4463 | ||
4464 | ##{ TVD_RCVD_IP | |
4465 | # The token after "from" must be four digit groups separated by any single non-alphanumeric, non-space character, so dash- or underscore-separated forms match as well as dotted quads (TVD_RCVD_IP4 is the dots-only variant); a '.' or whitespace must follow. | |
4466 | header TVD_RCVD_IP Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/ | |
4467 | describe TVD_RCVD_IP Message was received from an IP address | |
4468 | ##} TVD_RCVD_IP | |
4469 | ||
4470 | ##{ TVD_RCVD_IP4 | |
4471 | ||
4472 | header TVD_RCVD_IP4 Received =~ /^from\s+(?:\d+\.){3}\d+\s/ | |
4473 | describe TVD_RCVD_IP4 Message was received from an IPv4 address | |
4474 | ##} TVD_RCVD_IP4 | |
4475 | ||
4476 | ##{ TVD_RCVD_SPACE_BRACKET | |
4477 | # Matches a Received header containing "([" followed, before any further bracket, by whitespace - i.e. whitespace inside a bracketed address - unless the bracketed text begins with "unix" (case-insensitive). | |
4478 | header TVD_RCVD_SPACE_BRACKET Received =~ /\(\[(?!unix)[^\[\]]*\s/i | |
4479 | ##} TVD_RCVD_SPACE_BRACKET | |
4480 | ||
4481 | ##{ TVD_SECTION | |
4482 | ||
4483 | body TVD_SECTION /\bSection (?:27A|21B)/i | |
4484 | describe TVD_SECTION References to specific legal codes | |
4485 | ##} TVD_SECTION | |
4486 | ||
4487 | ##{ TVD_SILLY_URI_OBFU | |
4488 | ||
4489 | body TVD_SILLY_URI_OBFU m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i | |
4490 | describe TVD_SILLY_URI_OBFU URI obfuscation that can fool a URIBL or a uri rule | |
4491 | ##} TVD_SILLY_URI_OBFU | |
4492 | ||
4493 | ##{ TVD_SPACED_SUBJECT_WORD3 | |
4494 | ||
4495 | header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/ | |
4496 | describe TVD_SPACED_SUBJECT_WORD3 Entire subject is "UPPERlowerUPPER" with no whitespace | |
4497 | ##} TVD_SPACED_SUBJECT_WORD3 | |
4498 | ||
4499 | ##{ TVD_SPACE_ENCODED | |
4500 | ||
4501 | meta TVD_SPACE_ENCODED __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM | |
4502 | #score TVD_SPACE_ENCODED 2.500 # limit | |
4503 | describe TVD_SPACE_ENCODED Space ratio & encoded subject | |
4504 | ##} TVD_SPACE_ENCODED | |
4505 | ||
4506 | ##{ TVD_SPACE_RATIO_MINFP | |
4507 | ||
4508 | meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY && !__XM_APPLEMAIL | |
4509 | #score TVD_SPACE_RATIO_MINFP 2.500 # limit | |
4510 | describe TVD_SPACE_RATIO_MINFP Space ratio (vertical text obfuscation?) | |
4511 | ##} TVD_SPACE_RATIO_MINFP | |
4512 | ||
4513 | ##{ TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
4514 | ||
4515 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
4516 | body TVD_STOCK1 eval:check_stock_info('2') | |
4517 | describe TVD_STOCK1 Spam related to stock trading | |
4518 | endif | |
4519 | ##} TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
4520 | ||
4521 | ##{ TVD_SUBJ_ACC_NUM | |
4522 | ||
4523 | header TVD_SUBJ_ACC_NUM Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/ | |
4524 | describe TVD_SUBJ_ACC_NUM Subject has spammy looking monetary reference | |
4525 | ##} TVD_SUBJ_ACC_NUM | |
4526 | ||
4527 | ##{ TVD_SUBJ_FINGER_03 | |
4528 | ||
4529 | header TVD_SUBJ_FINGER_03 Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/ | |
4530 | describe TVD_SUBJ_FINGER_03 Entire subject is enclosed in asterisks "* like so *" | |
4531 | ##} TVD_SUBJ_FINGER_03 | |
4532 | ||
4533 | ##{ TVD_SUBJ_NUM_OBFU_MINFP | |
4534 | ||
4535 | meta TVD_SUBJ_NUM_OBFU_MINFP __TVD_SUBJ_NUM_OBFU && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !__X_CRON_ENV && !__NOT_A_PERSON && !__HAS_THREAD_INDEX && !__THREADED && !__NUMBERS_IN_SUBJ && !__URI_MAILTO | |
4536 | ##} TVD_SUBJ_NUM_OBFU_MINFP | |
4537 | ||
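4538 | ##{ TVD_SUBJ_OWE | |
4539 | # Subject must start with, in order: one or more words, "you", optional words, "owe" or "indebted", one or more words, then "another" or "an other" (case-insensitive). | |
4540 | header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i | |
4541 | describe TVD_SUBJ_OWE Subject line states that the recipient is in debt | |
4542 | ##} TVD_SUBJ_OWE | |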
4543 | ||
4544 | ##{ TVD_SUBJ_WIPE_DEBT | |
4545 | ||
4546 | header TVD_SUBJ_WIPE_DEBT Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i | |
4547 | describe TVD_SUBJ_WIPE_DEBT Spam advertising a way to eliminate debt | |
4548 | ##} TVD_SUBJ_WIPE_DEBT | |
4549 | ||
4550 | ##{ TVD_VISIT_PHARMA | |
4551 | ||
4552 | body TVD_VISIT_PHARMA /Online Ph.rmacy/i | |
4553 | describe TVD_VISIT_PHARMA Body mentions online pharmacy | |
4554 | ##} TVD_VISIT_PHARMA | |
4555 | ||
4556 | ##{ TVD_VIS_HIDDEN | |
4557 | ||
4558 | rawbody TVD_VIS_HIDDEN /<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i | |
4559 | describe TVD_VIS_HIDDEN Invisible textarea HTML tags | |
4560 | ##} TVD_VIS_HIDDEN | |
4561 | ||
4562 | ##{ TW_GIBBERISH_MANY | |
4563 | ||
4564 | meta TW_GIBBERISH_MANY __TENWORD_GIBBERISH > 20 | |
4565 | describe TW_GIBBERISH_MANY Lots of gibberish text to spoof pattern matching filters | |
4566 | #score TW_GIBBERISH_MANY 2.000 # limit | |
4567 | tflags TW_GIBBERISH_MANY publish | |
4568 | ##} TW_GIBBERISH_MANY | |
4569 | ||
4570 | ##{ T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4571 | ||
4572 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4573 | meta T_ACH_CANCELLED_EXE __ACH_CANCELLED_EXE | |
4574 | describe T_ACH_CANCELLED_EXE "ACH cancelled" probable malware | |
4575 | endif | |
4576 | ##} T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4577 | ||
4578 | ##{ T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4579 | ||
4580 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4581 | meta T_ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON | |
4582 | describe T_ANY_PILL_PRICE Prices for pills | |
4583 | endif | |
4584 | ##} T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4585 | ||
4586 | ##{ T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4587 | ||
4588 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4589 | mimeheader T_CDISP_SZ_MANY Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/ | |
4590 | describe T_CDISP_SZ_MANY Suspicious MIME header | |
4591 | # score T_CDISP_SZ_MANY 2.0 # limit | |
4592 | endif | |
4593 | ##} T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4594 | ||
4595 | ##{ T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
4596 | ||
4597 | ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
4598 | header T_DATE_IN_FUTURE_96_Q eval:check_for_shifted_date('96', '2920') | |
4599 | describe T_DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: date | |
4600 | endif | |
4601 | ##} T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
4602 | ||
4603 | ##{ T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
4604 | ||
4605 | ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
4606 | header T_DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef') | |
4607 | describe T_DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date | |
4608 | endif | |
4609 | ##} T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
4610 | ||
4611 | ##{ T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4612 | ||
4613 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4614 | meta T_DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH_MT || __DOC_ATTACH_MT) | |
4615 | describe T_DOC_ATTACH_NO_EXT Document attachment with suspicious name | |
4616 | endif | |
4617 | ##} T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4618 | ||
4619 | ##{ T_DOS_OUTLOOK_TO_MX_IMAGE | |
4620 | ||
4621 | meta T_DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH | |
4622 | describe T_DOS_OUTLOOK_TO_MX_IMAGE Direct to MX with Outlook headers and an image | |
4623 | ##} T_DOS_OUTLOOK_TO_MX_IMAGE | |
4624 | ||
4625 | ##{ T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4626 | ||
4627 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4628 | mimeheader T_DOS_ZIP_HARDCORE Content-Type =~ /^application\/zip;\sname="hardcore\.zip"$/ | |
4629 | describe T_DOS_ZIP_HARDCORE hardcore.zip file attached; quite certainly a virus | |
4630 | # score T_DOS_ZIP_HARDCORE 2.5 | |
4631 | endif | |
4632 | ##} T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4633 | ||
4634 | ##{ T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
4635 | ||
4636 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4637 | if (version >= 3.004000) | |
4638 | meta T_DRUGS_ERECTILE_SHORT_SHORTNER __PDS_HTML_LENGTH_1024 && (__PDS_URISHORTENER || __URL_SHORTENER) && DRUGS_ERECTILE | |
4639 | describe T_DRUGS_ERECTILE_SHORT_SHORTNER Short erectile drugs advert with T_URL_SHORTENER | |
4640 | #score T_DRUGS_ERECTILE_SHORT_SHORTNER 1.5 # limit | |
4641 | endif | |
4642 | endif | |
4643 | ##} T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
4644 | ||
4645 | ##{ T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4646 | ||
4647 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4648 | meta T_FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__SPOOFED_URL && !__VIA_ML && !__HAS_IN_REPLY_TO && !__THREADED && !__HDR_RCVD_SHOPIFY && !__HAS_ERRORS_TO | |
4649 | describe T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s) | |
4650 | endif | |
4651 | ##} T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4652 | ||
4653 | ##{ T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4654 | ||
4655 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4656 | meta T_FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE | |
4657 | describe T_FILL_THIS_FORM_LOAN Answer loan question(s) | |
4658 | # score T_FILL_THIS_FORM_LOAN 2.0 | |
4659 | endif | |
4660 | ##} T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4661 | ||
4662 | ##{ T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4663 | ||
4664 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4665 | meta T_FILL_THIS_FORM_SHORT __FILL_THIS_FORM_SHORT && !__VIA_ML && !__MSGID_JAVAMAIL | |
4666 | describe T_FILL_THIS_FORM_SHORT Fill in a short form with personal information | |
4667 | # score T_FILL_THIS_FORM_SHORT 1.00 # limit | |
4668 | endif | |
4669 | ##} T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4670 | ||
4671 | ##{ T_FORGED_RELAY_MUA_TO_MX | |
4672 | # Matches exactly two external relay entries that carry the same non-127.x IP, where the second entry's helo= is either empty or starts with '!' not followed by a loopback, link-local or RFC 1918 prefix ('!' presumably marks an address-literal HELO in the relay string - confirm against the relay metadata format). | |
4673 | header T_FORGED_RELAY_MUA_TO_MX X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10|127|169\.254|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.)| )[^\[]+$/ | |
4674 | ##} T_FORGED_RELAY_MUA_TO_MX | |
4675 | ||
4676 | ##{ T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo | |
4677 | ||
4678 | ifplugin Mail::SpamAssassin::Plugin::ImageInfo | |
4679 | meta T_FORGED_TBIRD_IMG_SIZE __FORGED_TBIRD_IMG && __ONE_IMG && __IMG_LE_300K | |
4680 | describe T_FORGED_TBIRD_IMG_SIZE Likely forged Thunderbird image spam | |
4681 | endif | |
4682 | ##} T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo | |
4683 | ||
4684 | ##{ T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4685 | ||
4686 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4687 | meta T_FREEMAIL_DOC_PDF __FREEMAIL_DOC_PDF | |
4688 | describe T_FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail | |
4689 | endif | |
4690 | ##} T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4691 | ||
4692 | ##{ T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4693 | ||
4694 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4695 | meta T_FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED | |
4696 | describe T_FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden | |
4697 | endif | |
4698 | ##} T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4699 | ||
4700 | ##{ T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4701 | ||
4702 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4703 | meta T_FREEMAIL_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF | |
4704 | describe T_FREEMAIL_RVW_ATTCH Please review attached document, from freemail | |
4705 | endif | |
4706 | ##} T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4707 | ||
4708 | ##{ T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4709 | ||
4710 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4711 | meta T_FROMNAME_EQUALS_TO __PLUGIN_FROMNAME_EQUALS_TO | |
4712 | describe T_FROMNAME_EQUALS_TO From:name matches To: | |
4713 | #score T_FROMNAME_EQUALS_TO 1.0 | |
4714 | tflags T_FROMNAME_EQUALS_TO publish | |
4715 | endif | |
4716 | ##} T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4717 | ||
4718 | ##{ T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4719 | ||
4720 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4721 | meta T_FROMNAME_SPOOFED_EMAIL (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD) | |
4722 | describe T_FROMNAME_SPOOFED_EMAIL From:name looks like a spoofed email | |
4723 | #score T_FROMNAME_SPOOFED_EMAIL 0.3 | |
4724 | tflags T_FROMNAME_SPOOFED_EMAIL publish | |
4725 | endif | |
4726 | ##} T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4727 | ||
4728 | ##{ T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
4729 | ||
4730 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
4731 | meta T_FROM_MULTI_SHORT_IMG __FROM_MULTI_SHORT_IMG && !__RCD_RDNS_MX_MESSY | |
4732 | describe T_FROM_MULTI_SHORT_IMG Multiple From addresses + short message with image | |
4733 | endif | |
4734 | ##} T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
4735 | ||
4736 | ##{ T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4737 | ||
4738 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4739 | body T_FUZZY_OPTOUT /(?:$|\W)(?=<O>)(?!opt[-\s]?out)<O><P><T>[-\s]?<O><U><T>(?:$|\W)/i | |
4740 | describe T_FUZZY_OPTOUT Obfuscated opt-out text | |
4741 | endif | |
4742 | ##} T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4743 | ||
4744 | ##{ T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4745 | # Fuzzy body match for the letter sequence S-P-U-R-M written with ReplaceTags placeholders; unlike the TVD_FUZZY_* rules in this file it has no negative lookahead, so the plain spelling is not excluded. The tag expansions are defined elsewhere. | |
4746 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4747 | body T_FUZZY_SPRM /<inter W1><post P2><S><P><U><R><M>/i | |
4748 | endif | |
4749 | ##} T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4750 | ||
4751 | ##{ T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4752 | ||
4753 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4754 | meta T_FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM | |
4755 | describe T_FUZZY_WELLSFARGO Obfuscated "Wells Fargo" | |
4756 | endif | |
4757 | ##} T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4758 | ||
4759 | ##{ T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4760 | ||
4761 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4762 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4763 | meta T_GB_FREEM_FROM_NOT_REPLY ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO ) | |
4764 | describe T_GB_FREEM_FROM_NOT_REPLY From: and Reply-To: have different freemail domains | |
4765 | # score T_GB_FREEM_FROM_NOT_REPLY 1.500 # limit | |
4766 | tflags T_GB_FREEM_FROM_NOT_REPLY publish | |
4767 | endif | |
4768 | endif | |
4769 | ##} T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4770 | ||
4771 | ##{ T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4772 | ||
4773 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4774 | meta T_GB_FROMNAME_SPOOFED_EMAIL_IP ( T_FROMNAME_SPOOFED_EMAIL && !__NOT_SPOOFED ) | |
4775 | describe T_GB_FROMNAME_SPOOFED_EMAIL_IP From:name looks like a spoofed email from a spoofed ip | |
4776 | # score T_GB_FROMNAME_SPOOFED_EMAIL_IP 0.50 # limit | |
4777 | tflags T_GB_FROMNAME_SPOOFED_EMAIL_IP publish | |
4778 | endif | |
4779 | ##} T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4780 | ||
4781 | ##{ T_GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL | |
4782 | # Extracts strings shaped like Bitcoin addresses (25-34 base58 characters after a leading 1 or 3, or a bc1-prefixed string) from the body and checks them against the bl.btcblack.it zone; 'tflags net' marks this as a network test, so matched strings leave the host as lookups to a third-party list (with 'raw' presumably unhashed - confirm in the HashBL plugin documentation). | |
4783 | if (version >= 3.004003) | |
4784 | ifplugin Mail::SpamAssassin::Plugin::HashBL | |
4785 | body T_GB_HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})\b') | |
4786 | tflags T_GB_HASHBL_BTC net | |
4787 | describe T_GB_HASHBL_BTC Message contains BTC address found on BTCBL | |
4788 | # score T_GB_HASHBL_BTC 5.0 # limit | |
4789 | endif | |
4790 | endif | |
4791 | ##} T_GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL | |
4792 | ||
4793 | ##{ T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
4794 | ||
4795 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4796 | if (version >= 3.004000) | |
4797 | meta T_HK_NAME_FM_FROM __HK_NAME_FROM && FREEMAIL_FROM | |
4798 | # score T_HK_NAME_FM_FROM 1.5 | |
4799 | endif | |
4800 | endif | |
4801 | ##} T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
4802 | ||
4803 | ##{ T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
4804 | ||
4805 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4806 | if (version >= 3.004000) | |
4807 | meta T_HK_NAME_FROM __HK_NAME_FROM && !FREEMAIL_FROM | |
4808 | # score T_HK_NAME_FROM 1.0 | |
4809 | endif | |
4810 | endif | |
4811 | ##} T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
4812 | ||
4813 | ##{ T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4814 | ||
4815 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4816 | meta T_HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN | |
4817 | endif | |
4818 | ##} T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4819 | ||
4820 | ##{ T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4821 | ||
4822 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4823 | meta T_HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02 | |
4824 | describe T_HTML_ATTACH HTML attachment to bypass scanning? | |
4825 | endif | |
4826 | ##} T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4827 | ||
4828 | ##{ T_HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
4829 | ||
4830 | ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
4831 | meta T_HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY | |
4832 | describe T_HTML_TAG_BALANCE_CENTER Malformatted HTML | |
4833 | endif | |
4834 | ##} T_HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
4835 | ||
4836 | ##{ T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4837 | ||
4838 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4839 | meta T_ISO_ATTACH __ISO_ATTACH || __ISO_ATTACH_MT | |
4840 | describe T_ISO_ATTACH ISO attachment - possible malware delivery | |
4841 | # score T_ISO_ATTACH 3.000 # limit | |
4842 | endif | |
4843 | ##} T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4844 | ||
4845 | ##{ T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
4846 | ||
4847 | ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
4848 | meta T_KAM_HTML_FONT_INVALID __KAM_HTML_FONT_INVALID | |
4849 | describe T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML | |
4850 | #score T_KAM_HTML_FONT_INVALID 0.1 | |
4851 | endif | |
4852 | ##} T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
4853 | ||
4854 | ##{ T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4855 | ||
4856 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4857 | meta T_LARGE_PCT_AFTER_MANY __LARGE_PERCENT_AFTER > 3 | |
4858 | describe T_LARGE_PCT_AFTER_MANY Many large percentages after... | |
4859 | endif | |
4860 | ##} T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4861 | ||
4862 | ##{ T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4863 | ||
4864 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4865 | body T_LFUZ_PWRMALE /<inter W1><post P2><P><O><W><E><R><M><A><L><E>/i | |
4866 | endif | |
4867 | ##} T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4868 | ||
4869 | ##{ T_LOTTO_AGENT_FM | |
4870 | ||
4871 | header T_LOTTO_AGENT_FM From =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize[\s_.]transfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i | |
4872 | describe T_LOTTO_AGENT_FM Claims Agent | |
4873 | ##} T_LOTTO_AGENT_FM | |
4874 | ||
4875 | ##{ T_LOTTO_AGENT_RPLY | |
4876 | ||
4877 | meta T_LOTTO_AGENT_RPLY __LOTTO_AGENT_RPLY && !__TO_YOUR_ORG | |
4878 | describe T_LOTTO_AGENT_RPLY Claims Agent | |
4879 | ##} T_LOTTO_AGENT_RPLY | |
4880 | ||
4881 | ##{ T_LOTTO_URI | |
4882 | ||
4883 | uri T_LOTTO_URI /(?:claim(?:s|ing)?(?:[-_]?processing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)?[-_]?rem+it+ance|award)[-_]?(?:department|dept|unit|group|committee|office|agent|manager|secretary)/i | |
4884 | describe T_LOTTO_URI Claims Department URL | |
4885 | ##} T_LOTTO_URI | |
4886 | ||
4887 | ##{ T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4888 | ||
4889 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4890 | meta T_MANY_PILL_PRICE (__PILL_PRICE_01 + __PILL_PRICE_02) > 2 | |
4891 | describe T_MANY_PILL_PRICE Prices for many pills | |
4892 | endif | |
4893 | ##} T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4894 | ||
4895 | ##{ T_MIME_MALF if (version >= 3.004000) | |
4896 | ||
4897 | if (version >= 3.004000) | |
4898 | meta T_MIME_MALF __MIME_MALF && !ALL_TRUSTED | |
4899 | describe T_MIME_MALF Malformed MIME: headers in body | |
4900 | # score T_MIME_MALF 2.00 # limit | |
4901 | endif | |
4902 | ##} T_MIME_MALF if (version >= 3.004000) | |
4903 | ||
4904 | ##{ T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4905 | ||
4906 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4907 | meta T_MONEY_PERCENT LOTS_OF_MONEY && (__PCT_FOR_YOU || __PCT_OF_PMTS || __FIFTY_FIFTY) | |
4908 | describe T_MONEY_PERCENT X% of a lot of money for you | |
4909 | endif | |
4910 | ##} T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4911 | ||
4912 | ##{ T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4913 | ||
4914 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4915 | meta T_OBFU_ATTACH_MISSP __FROM_RUNON && (T_OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || T_OBFU_DOC_ATTACH || T_OBFU_PDF_ATTACH || T_OBFU_JPG_ATTACH || T_OBFU_GIF_ATTACH) | |
4916 | describe T_OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From | |
4917 | endif | |
4918 | ##} T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4919 | ||
4920 | ##{ T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4921 | ||
4922 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4923 | mimeheader T_OBFU_DOC_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i | |
4924 | describe T_OBFU_DOC_ATTACH MS Document attachment with generic MIME type | |
4925 | endif | |
4926 | ##} T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4927 | ||
4928 | ##{ T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4929 | ||
4930 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4931 | mimeheader T_OBFU_GIF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i | |
4932 | describe T_OBFU_GIF_ATTACH GIF attachment with generic MIME type | |
4933 | endif | |
4934 | ##} T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4935 | ||
4936 | ##{ T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4937 | ||
4938 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
     | # Fires when a MIME part's Content-Type header declares application/octet-stream and a | |
     | # ".htm" or ".html" extension appears later in that same header value. | |
     | # The T_OBFU_DOC/GIF/JPG/PDF_ATTACH rules in this file use the same pattern. | |
     | # NOTE(review): only Content-Type is inspected here; a filename carried solely in | |
     | # Content-Disposition is not examined by this rule - confirm another rule covers it. | |
4939 | mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.html?\b,i | |
4940 | describe T_OBFU_HTML_ATTACH HTML attachment with non-text MIME type | |
4941 | endif | |
4942 | ##} T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4943 | ||
4944 | ##{ T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4945 | ||
4946 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4947 | meta T_OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02 | |
4948 | describe T_OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware | |
4949 | endif | |
4950 | ##} T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4951 | ||
4952 | ##{ T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4953 | ||
4954 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4955 | mimeheader T_OBFU_JPG_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i | |
4956 | describe T_OBFU_JPG_ATTACH JPG attachment with generic MIME type | |
4957 | endif | |
4958 | ##} T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4959 | ||
4960 | ##{ T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4961 | ||
4962 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4963 | mimeheader T_OBFU_PDF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i | |
4964 | describe T_OBFU_PDF_ATTACH PDF attachment with generic MIME type | |
4965 | endif | |
4966 | ##} T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4967 | ||
4968 | ##{ T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4969 | ||
4970 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4971 | meta T_PDS_BTC_AHACKER ( __PDS_BTC_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON ) | |
4972 | describe T_PDS_BTC_AHACKER Bitcoin Hacker | |
4973 | # score T_PDS_BTC_AHACKER 3.0 # limit | |
4974 | endif | |
4975 | ##} T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4976 | ||
4977 | ##{ T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4978 | ||
4979 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4980 | meta T_PDS_BTC_HACKER ( __PDS_BTC_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM ) | |
4981 | describe T_PDS_BTC_HACKER Bitcoin Hacker | |
4982 | # score T_PDS_BTC_HACKER 2.0 # limit | |
4983 | endif | |
4984 | ##} T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4985 | ||
4986 | ##{ T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4987 | ||
4988 | if (version >= 3.004002) | |
4989 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4990 | meta T_PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD ) | |
4991 | describe T_PDS_BTC_NTLD Bitcoin suspect NTLD | |
4992 | #score T_PDS_BTC_NTLD 2.0 # limit | |
4993 | endif | |
4994 | endif | |
4995 | ##} T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4996 | ||
4997 | ##{ T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
4998 | ||
4999 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5000 | if (version >= 3.004000) | |
5001 | meta T_PDS_FREEMAIL_REPLYTO_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048 | |
5002 | describe T_PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener | |
5003 | #score T_PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit | |
5004 | endif | |
5005 | endif | |
5006 | ##} T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5007 | ||
5008 | ##{ T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5009 | ||
5010 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5011 | meta T_PDS_LTC_AHACKER ( __PDS_LITECOIN_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON ) | |
5012 | describe T_PDS_LTC_AHACKER Litecoin Hacker | |
5013 | # score T_PDS_LTC_AHACKER 3.0 # limit | |
5014 | endif | |
5015 | ##} T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5016 | ||
5017 | ##{ T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5018 | ||
5019 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5020 | meta T_PDS_LTC_HACKER ( __PDS_LITECOIN_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM ) | |
5021 | describe T_PDS_LTC_HACKER Litecoin Hacker | |
5022 | # score T_PDS_LTC_HACKER 2.0 # limit | |
5023 | endif | |
5024 | ##} T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5025 | ||
5026 | ##{ T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5027 | ||
5028 | if (version >= 3.004002) | |
5029 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5030 | header T_PDS_PRO_TLD eval:check_uri_host_listed('SUSP_URI_NTLD_PRO') | |
5031 | #score T_PDS_PRO_TLD 1.0 | |
5032 | describe T_PDS_PRO_TLD .pro TLD | |
5033 | endif | |
5034 | endif | |
5035 | ##} T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5036 | ||
5037 | ##{ T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5038 | ||
5039 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5040 | if (version >= 3.004000) | |
5041 | meta T_PDS_SHORTFWD_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && (__THREADED || __HAS_IN_REPLY_TO || __HAS_THREAD_INDEX || __URI_MAILTO || __REPTO_QUOTE) && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048 | |
5042 | describe T_PDS_SHORTFWD_URISHRT Threaded email with URI shortener | |
5043 | #score T_PDS_SHORTFWD_URISHRT 1.5 # limit | |
5044 | endif | |
5045 | endif | |
5046 | ##} T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5047 | ||
5048 | ##{ T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5049 | ||
5050 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5051 | if (version >= 3.004000) | |
5052 | meta T_PDS_SHORTFWD_URISHRT_FP (__PDS_URISHORTENER || __URL_SHORTENER) && __HS_SUBJ_RE_FW && __PDS_MSG_512 | |
5053 | describe T_PDS_SHORTFWD_URISHRT_FP Apparently a short fwd/re with URI shortener | |
5054 | #score T_PDS_SHORTFWD_URISHRT_FP 1.5 # limit | |
5055 | endif | |
5056 | endif | |
5057 | ##} T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5058 | ||
5059 | ##{ T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { | |
5060 | ||
5061 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { | |
5062 | meta T_REMOTE_IMAGE __REMOTE_IMAGE | |
5063 | describe T_REMOTE_IMAGE Message contains an external image | |
5064 | endif | |
5065 | ##} T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { | |
5066 | ||
5067 | ##{ T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5068 | ||
5069 | if (version >= 3.004002) | |
5070 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5071 | meta T_SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR | |
5072 | describe T_SENT_TO_EMAIL_ADDR Email was sent to email address | |
5073 | #score T_SENT_TO_EMAIL_ADDR 2.0 # limit | |
5074 | endif | |
5075 | endif | |
5076 | ##} T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5077 | ||
5078 | ##{ T_SHARE_50_50 | |
5079 | ||
5080 | meta T_SHARE_50_50 (__SHARE_IT || __AGREED_RATIO) && __FIFTY_FIFTY | |
5081 | describe T_SHARE_50_50 Share the money 50/50 | |
5082 | ##} T_SHARE_50_50 | |
5083 | ||
5084 | ##{ T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5085 | ||
5086 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5087 | meta T_STY_INVIS_DIRECT __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK | |
5088 | describe T_STY_INVIS_DIRECT HTML hidden text + direct-to-MX | |
5089 | # score T_STY_INVIS_DIRECT 2.500 # limit | |
5090 | endif | |
5091 | ##} T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5092 | ||
5093 | ##{ T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5094 | ||
5095 | if (version >= 3.004002) | |
5096 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5097 | meta T_SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD | |
5098 | describe T_SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money | |
5099 | #score T_SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit | |
5100 | endif | |
5101 | endif | |
5102 | ##} T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5103 | ||
5104 | ##{ T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5105 | ||
5106 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5107 | if (version >= 3.004000) | |
5108 | meta T_TONOM_EQ_TOLOC_SHRT_PSHRTNER __PDS_SHORT_URL && __PDS_TONAME_EQ_TOLOCAL && __SUBJ_SHORT | |
5109 | describe T_TONOM_EQ_TOLOC_SHRT_PSHRTNER Short subject with potential shortener and To:name eq To:local | |
5110 | #score T_TONOM_EQ_TOLOC_SHRT_PSHRTNER 1.5 # limit | |
5111 | endif | |
5112 | endif | |
5113 | ##} T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5114 | ||
5115 | ##{ T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5116 | ||
5117 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5118 | body T_TVD_FUZZY_SECTOR /(?!sector)<S><E><C><T><O><R>/i | |
5119 | endif | |
5120 | ##} T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5121 | ||
5122 | ##{ T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5123 | ||
5124 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5125 | body T_TVD_FUZZY_SECURITIES /<inter W2><post P2>(?!securities)(?!security,? es)<S><E><C><U><R><I><T><I><E><S>/i | |
5126 | endif | |
5127 | ##} T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5128 | ||
5129 | ##{ T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5130 | ||
5131 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5132 | mimeheader T_TVD_FW_GRAPHIC_ID2 Content-Id =~ /<(?:[0-9A-F]{8}\.){3}[0-9A-F]{8}/ | |
5133 | endif | |
5134 | ##} T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5135 | ||
5136 | ##{ T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
5137 | ||
5138 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
5139 | body T_TVD_MIME_EPI eval:check_msg_parse_flags('mime_epilogue_exists') | |
5140 | endif | |
5141 | ##} T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
5142 | ||
5143 | ##{ T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
5144 | ||
5145 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
5146 | body T_TVD_MIME_NO_HEADERS eval:check_msg_parse_flags('missing_mime_headers') | |
5147 | endif | |
5148 | ##} T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
5149 | ||
5150 | ##{ T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5151 | ||
5152 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5153 | meta T_WON_MONEY_ATTACH __YOU_WON && LOTS_OF_MONEY && (__PDF_ATTACH || __DOC_ATTACH) | |
5154 | describe T_WON_MONEY_ATTACH You won lots of money! See attachment. | |
5155 | endif | |
5156 | ##} T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5157 | ||
5158 | ##{ T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5159 | ||
5160 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5161 | meta T_WON_NBDY_ATTACH __YOU_WON && __EMPTY_BODY && (__PDF_ATTACH || __DOC_ATTACH || __GIF_ATTACH || __JPEG_ATTACH) | |
5162 | describe T_WON_NBDY_ATTACH You won lots of money! See attachment. | |
5163 | endif | |
5164 | ##} T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5165 | ||
5166 | ##{ T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5167 | ||
5168 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5169 | meta T_ZW_OBFU_BITCOIN __UNICODE_OBFU_ZW && __BITCOIN_ID | |
5170 | describe T_ZW_OBFU_BITCOIN Obfuscated text + bitcoin ID - possible extortion | |
5171 | # score T_ZW_OBFU_BITCOIN 2.500 # limit | |
5172 | endif | |
5173 | ##} T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5174 | ||
5175 | ##{ T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5176 | ||
5177 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5178 | meta T_ZW_OBFU_FREEM __UNICODE_OBFU_ZW && __freemail_hdr_replyto | |
5179 | describe T_ZW_OBFU_FREEM Obfuscated text + freemail | |
5180 | # score T_ZW_OBFU_FREEM 2.000 # limit | |
5181 | endif | |
5182 | ##} T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5183 | ||
5184 | ##{ T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5185 | ||
5186 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5187 | meta T_ZW_OBFU_FROMTOSUBJ __UNICODE_OBFU_ZW && FROM_IN_TO_AND_SUBJ | |
5188 | describe T_ZW_OBFU_FROMTOSUBJ Obfuscated text + from in to and subject | |
5189 | # score T_ZW_OBFU_FROMTOSUBJ 2.000 # limit | |
5190 | endif | |
5191 | ##} T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5192 | ||
5193 | ##{ UC_GIBBERISH_OBFU | |
5194 | ||
5195 | meta UC_GIBBERISH_OBFU (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED | |
5196 | describe UC_GIBBERISH_OBFU Multiple instances of "word VERYLONGGIBBERISH word" | |
5197 | #score UC_GIBBERISH_OBFU 3.000 # Limit | |
5198 | tflags UC_GIBBERISH_OBFU publish | |
5199 | ##} UC_GIBBERISH_OBFU | |
5200 | ||
5201 | ##{ UNDISC_FREEM | |
5202 | ||
5203 | meta UNDISC_FREEM __UNDISC_FREEM | |
5204 | describe UNDISC_FREEM Undisclosed recipients + freemail reply-to | |
5205 | tflags UNDISC_FREEM publish | |
5206 | ##} UNDISC_FREEM | |
5207 | ||
5208 | ##{ UNDISC_MONEY | |
5209 | ||
5210 | meta UNDISC_MONEY __UNDISC_MONEY && !__VIA_ML && !__MSGID_HEXISH | |
5211 | describe UNDISC_MONEY Undisclosed recipients + money/fraud signs | |
5212 | tflags UNDISC_MONEY publish | |
5213 | ##} UNDISC_MONEY | |
5214 | ||
5215 | ##{ UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5216 | ||
5217 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5218 | meta UNICODE_OBFU_ASC __UNICODE_OBFU_ASC && !__SPAN_BEG_TEXT && !HTML_IMAGE_ONLY_32 | |
5219 | describe UNICODE_OBFU_ASC Obfuscating text with unicode | |
5220 | # score UNICODE_OBFU_ASC 2.500 # limit | |
5221 | tflags UNICODE_OBFU_ASC publish | |
5222 | endif | |
5223 | ##} UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5224 | ||
5225 | ##{ UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5226 | ||
5227 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5228 | meta UNICODE_OBFU_ZW __UNICODE_OBFU_ZW_2 && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL_MESSY && !__DOS_HAS_LIST_ID && !__USING_VERP1 && !__DOS_HAS_LIST_UNSUB && !__RCD_RDNS_SMTP && !__DKIM_EXISTS | |
5229 | describe UNICODE_OBFU_ZW Obfuscating text with hidden characters | |
5230 | # score UNICODE_OBFU_ZW 3.500 # limit | |
5231 | tflags UNICODE_OBFU_ZW publish | |
5232 | endif | |
5233 | ##} UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5234 | ||
5235 | ##{ UPGRADE_MAILBOX | |
5236 | ||
5237 | meta UPGRADE_MAILBOX __UPGR_MAILBOX && __HTML_FONT_LOW_CONTRAST_MINFP | |
5238 | describe UPGRADE_MAILBOX Upgrade your mailbox! (phishing?) | |
5239 | ##} UPGRADE_MAILBOX | |
5240 | ||
5241 | ##{ URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL | |
5242 | ||
5243 | ifplugin Mail::SpamAssassin::Plugin::URIDNSBL | |
5244 | urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 2 | |
5245 | body URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB') | |
5246 | describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread) | |
5247 | tflags URIBL_RHS_DOB net | |
5248 | endif | |
5249 | ##} URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL | |
5250 | ||
5251 | ##{ URI_ADOBESPARK | |
5252 | ||
5253 | meta URI_ADOBESPARK __URI_ADOBESPARK | |
5254 | #score URI_ADOBESPARK 3.500 # limit | |
5255 | tflags URI_ADOBESPARK publish | |
5256 | ##} URI_ADOBESPARK | |
5257 | ||
5258 | ##{ URI_AZURE_CLOUDAPP | |
5259 | ||
5260 | meta URI_AZURE_CLOUDAPP __URI_AZURE_CLOUDAPP && __NAKED_TO && !__HDR_RCVD_GOOGLE | |
5261 | describe URI_AZURE_CLOUDAPP Link to hosted azure web application, possible phishing | |
5262 | #score URI_AZURE_CLOUDAPP 3.000 # limit | |
5263 | tflags URI_AZURE_CLOUDAPP publish | |
5264 | ##} URI_AZURE_CLOUDAPP | |
5265 | ||
5266 | ##{ URI_DASHGOVEDU | |
5267 | ||
5268 | meta URI_DASHGOVEDU __URI_DASHGOVEDU | |
5269 | describe URI_DASHGOVEDU Suspicious domain name | |
5270 | #score URI_DASHGOVEDU 3.500 # limit | |
5271 | tflags URI_DASHGOVEDU publish | |
5272 | ##} URI_DASHGOVEDU | |
5273 | ||
5274 | ##{ URI_DATA | |
5275 | ||
5276 | meta URI_DATA __URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH && !__DOS_HAS_LIST_UNSUB | |
5277 | describe URI_DATA "data:" URI - possible malware or phish | |
5278 | #score URI_DATA 3.250 # limit | |
5279 | tflags URI_DATA publish | |
5280 | ##} URI_DATA | |
5281 | ||
5282 | ##{ URI_DOTDOT_LOW_CNTRST | |
5283 | ||
5284 | meta URI_DOTDOT_LOW_CNTRST HTML_FONT_LOW_CONTRAST && __URI_DOM_DOTDOT | |
5285 | describe URI_DOTDOT_LOW_CNTRST Suspicious URI + hidden text | |
5286 | #score URI_DOTDOT_LOW_CNTRST 2.500 # limit | |
5287 | ##} URI_DOTDOT_LOW_CNTRST | |
5288 | ||
5289 | ##{ URI_DOTEDU | |
5290 | ||
5291 | meta URI_DOTEDU __URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINK | |
5292 | describe URI_DOTEDU Has .edu URI | |
5293 | #score URI_DOTEDU 2.000 # limit | |
5294 | tflags URI_DOTEDU publish | |
5295 | ##} URI_DOTEDU | |
5296 | ||
5297 | ##{ URI_DOTEDU_ENTITY | |
5298 | ||
5299 | meta URI_DOTEDU_ENTITY __URI_DOTEDU_ENTITY && !__SUBSCRIPTION_INFO | |
5300 | describe URI_DOTEDU_ENTITY Via .edu MTA + suspicious HTML content | |
5301 | #score URI_DOTEDU_ENTITY 3.000 # limit | |
5302 | tflags URI_DOTEDU_ENTITY publish | |
5303 | ##} URI_DOTEDU_ENTITY | |
5304 | ||
5305 | ##{ URI_DOTTY_HEX | |
5306 | ||
5307 | meta URI_DOTTY_HEX __URI_DOTTY_HEX | |
5308 | describe URI_DOTTY_HEX Suspicious URI format | |
5309 | tflags URI_DOTTY_HEX publish | |
5310 | ##} URI_DOTTY_HEX | |
5311 | ||
5312 | ##{ URI_DQ_UNSUB | |
5313 | ||
5314 | meta URI_DQ_UNSUB __URI_DQ_UNSUB | |
5315 | describe URI_DQ_UNSUB IP-address unsubscribe URI | |
5316 | tflags URI_DQ_UNSUB publish | |
5317 | ##} URI_DQ_UNSUB | |
5318 | ||
5319 | ##{ URI_FIREBASEAPP | |
5320 | ||
5321 | meta URI_FIREBASEAPP __URI_FIREBASEAPP || __URI_WEBAPP | |
5322 | describe URI_FIREBASEAPP Link to hosted firebase web application, possible phishing | |
5323 | #score URI_FIREBASEAPP 3.000 # limit | |
5324 | tflags URI_FIREBASEAPP publish | |
5325 | ##} URI_FIREBASEAPP | |
5326 | ||
5327 | ##{ URI_GOOGLE_PROXY | |
5328 | ||
5329 | meta URI_GOOGLE_PROXY __URI_GOOGLE_PROXY && !__FSL_RELAY_GOOGLE && !__TO___LOWER && !__MSGID_OK_HEX && !__HAS_CAMPAIGNID | |
5330 | describe URI_GOOGLE_PROXY Accessing a blacklisted URI or obscuring source of phish via Google proxy? | |
5331 | tflags URI_GOOGLE_PROXY publish | |
5332 | ##} URI_GOOGLE_PROXY | |
5333 | ||
5334 | ##{ URI_GOOG_STO_SPAMMY | |
5335 | ||
     | # Matches http(s) links under storage.googleapis.com whose first path segment (the | |
     | # bucket name) is one of the names listed in the alternation, followed by "/". | |
     | # The hostname is shared, so the path segment is the only discriminator. | |
     | # This is a fixed list: names not listed here are not matched until the rule is updated. | |
5336 | uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:1tactc1200|5a70f8147b2241c|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|a(?:d(?:t100visa|vanced1500)|lliedtrust7?|n(?:c77emen777|nutsegtsety|tidcfsdfzef)|pp(?:empresa|itausa)|tividade|udio0254)|b(?:337276797de5b3|7772dcb|ath(?:and777|dfgdfgdfh|rooomlki)|cvncv7845|d(?:fbgverhg|sgbsehtth|thdethydeth)|e(?:dvgervg|t(?:terbutter008|umpoiytre))|looodsugarerte|obby\-dependencies|r(?:ieanfrg|tghrh)|utterknife)|c(?:art\-checkout|bd(?:11gummies|gummty|kfgdfg)|dfeesde|jowa|o(?:mpr(?:essionsocks|ovanteanexo)|n(?:7cealed|defesf)|verageinsu)|reative14141)|d(?:e(?:nta77fend|rma(?:7correc7t|correctskin|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|recting77)|rtrebtgh747|zdzefef)|e(?:7co7verage|liminatorlower|ntrega|rectiledysfunction|xpertwindows|yesightmax)|f(?:d(?:128218622bd3f|fdfdzezr78|zdzelom)|habgfdgbfrtg|i(?:7542512|del(?:ityinsulife|ty(?:gbdtrbr|tyhjudtyu))|ghttinnitusnow|ltyredfezz|refig(?:22hting|hting)|xguca777)|la(?:shlight7fr7ee|tbelly)|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|ungusfghgh)|g(?:7oldco|fhfjgfhfg|hetiop|luster|oldii00215|r(?:fgrgrg|owplus11)|u(?:ardiao|mmzdfefzf|tterprotection7))|h(?:dfghbrh|e(?:art14141|rplyy0012)|ome(?:9865|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:7urance7net|t(?:a(?:0541|f(?:atioplo|gregrerg)|hard00021|nttranslator)|h(?:ard879477|eater001))|urancenet)|vest777in)|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:7rim|ghghgh|jkkfghk|oo7896|toto2323))|nef6565)|l(?:a(?:bcream|wncare3)|eaf7filt7er|i(?:berty77arran|fefiltrevdf)|ocaweb|umiagudiidd)|m(?:a(?:galu|le77en|ttress0707)|e(?:dica(?:lsupplies|r(?:0085|123n|df747))|llitox00545|t(?:abolismlos|f(?:85|dfvde)))|on(?:5g154g|t(?:ezuma001|zdzsds)))|n(?:badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld)|omeg(?:7aburn|a7burn)|p(?:ersonalized21|o(?:rtableheater7|vsedfzef)|r(?:intsvalentine|otectsecurity)|soidngf8147|ureplant7)|r(?:apidecision77|e(?:adclub11|n(?:ewlaemailved|walllll0065))|iverb1986srt4|oundupccancer)|s(?:a(?:mples7nuge7|vage72)|dfgwsd74fg|eniorserk77s|ignlaotrrmp|teelprobite77|ughdetged|zdzdzdzd)|t(?:acflashlight72|heunbreakable|r(?:abalhos|ugreen30)|unnifgdege)|u(?:berxlm|ltrahgt|sbmosquito)|v(?:e(?:7hicle7cov|hi7clesh7)|frgrerg|i(?:salander|vint0401)|szdefzsfzef)|w(?:4enmedicra8|alk(?:0015|ghghgh)|defgzegfze|e(?:bwhatsfotos|edkiller|llgrove90)|ifibooster)|xcbxcbopiaze|yusdgtduf777|zantacdedzef))/;i | |
5337 | describe URI_GOOG_STO_SPAMMY Link to spammy content hosted by google storage | |
5338 | #score URI_GOOG_STO_SPAMMY 3.000 | |
5339 | tflags URI_GOOG_STO_SPAMMY publish | |
5340 | ##} URI_GOOG_STO_SPAMMY | |
5341 | ||
5342 | ##{ URI_HEX_IP | |
5343 | ||
5344 | meta URI_HEX_IP __URI_HEX_IP | |
5345 | #score URI_HEX_IP 2.500 # limit | |
5346 | describe URI_HEX_IP URI with hex-encoded IP-address host | |
5347 | tflags URI_HEX_IP publish | |
5348 | ##} URI_HEX_IP | |
5349 | ||
5350 | ##{ URI_IMG_WP_REDIR | |
5351 | ||
5352 | meta URI_IMG_WP_REDIR __URI_IMG_WP_REDIR | |
5353 | #score URI_IMG_WP_REDIR 3.000 # limit | |
5354 | describe URI_IMG_WP_REDIR Image via WordPress "accelerator" proxy | |
5355 | tflags URI_IMG_WP_REDIR publish | |
5356 | ##} URI_IMG_WP_REDIR | |
5357 | ||
5358 | ##{ URI_LONG_REPEAT | |
5359 | ||
5360 | meta URI_LONG_REPEAT __URI_LONG_REPEAT | |
5361 | describe URI_LONG_REPEAT Very long identical host+domain | |
5362 | #score URI_LONG_REPEAT 2.500 # limit | |
5363 | tflags URI_LONG_REPEAT publish | |
5364 | ##} URI_LONG_REPEAT | |
5365 | ||
5366 | ##{ URI_MALWARE_SCMS | |
5367 | ||
5368 | uri URI_MALWARE_SCMS /\.SettingContent-ms\b/i | |
5369 | describe URI_MALWARE_SCMS Link to malware exploit download (.SettingContent-ms file) | |
5370 | tflags URI_MALWARE_SCMS publish | |
5371 | ##} URI_MALWARE_SCMS | |
5372 | ||
5373 | ##{ URI_ONLY_MSGID_MALF | |
5374 | ||
     | # NOTE(review): this stanza carries two `meta` and two `tflags` lines for the same rule, | |
     | # with no if/else around them. The first pair adds !RCVD_IN_DNSWL_LOW and marks the rule | |
     | # `net`; the second pair omits that term and sets `publish`. It looks as if a conditional | |
     | # wrapper was lost when this file was generated. A later line for the same rule presumably | |
     | # replaces the earlier one, so confirm which definition and which tflags are in effect. | |
5375 | meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO && !RCVD_IN_DNSWL_LOW | |
5376 | tflags URI_ONLY_MSGID_MALF net | |
5377 | meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO | |
5378 | describe URI_ONLY_MSGID_MALF URI only + malformed message ID | |
5379 | #score URI_ONLY_MSGID_MALF 2.000 # limit | |
5380 | tflags URI_ONLY_MSGID_MALF publish | |
5381 | ##} URI_ONLY_MSGID_MALF | |
5382 | ||
5383 | ##{ URI_OPTOUT_3LD | |
5384 | ||
5385 | uri URI_OPTOUT_3LD m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i | |
5386 | describe URI_OPTOUT_3LD Opt-out URI, suspicious hostname | |
5387 | #score URI_OPTOUT_3LD 2.000 # limit | |
5388 | tflags URI_OPTOUT_3LD publish | |
5389 | ##} URI_OPTOUT_3LD | |
5390 | ||
5391 | ##{ URI_OPTOUT_USME | |
5392 | ||
5393 | uri URI_OPTOUT_USME m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i | |
5394 | describe URI_OPTOUT_USME Opt-out URI, unusual TLD | |
5395 | tflags URI_OPTOUT_USME publish | |
5396 | ##} URI_OPTOUT_USME | |
5397 | ||
5398 | ##{ URI_PHISH | |
5399 | ||
5400 | describe URI_PHISH Phishing using web form | |
5401 | #score URI_PHISH 4.00 # limit | |
5402 | tflags URI_PHISH publish | |
5403 | ##} URI_PHISH | |
5404 | ||
5405 | ##{ URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
5406 | ||
5407 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
     | # Definition used when the MIMEHeader plugin is not loaded. It is the same expression as | |
     | # the `ifplugin MIMEHeader` variant of URI_PHISH in this file, minus the !__REMOTE_IMAGE | |
     | # exemption. The describe and tflags lines for URI_PHISH sit outside both conditionals. | |
5408 | meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT | |
5409 | endif | |
5410 | ##} URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
5411 | ||
5412 | ##{ URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5413 | ||
5414 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5415 | meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT | |
5416 | endif | |
5417 | ##} URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5418 | ||
5419 | ##{ URI_PHP_REDIR | |
5420 | ||
# URI_PHP_REDIR: sub-rule __URI_PHP_REDIR (pattern defined outside this
# excerpt) unless __USING_VERP1 or __RCD_RDNS_MTA also hit. Per the
# description it targets links that hide the real destination behind a PHP
# redirect.
5421 | meta URI_PHP_REDIR __URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTA | |
5422 | #score URI_PHP_REDIR 3.500 # limit | |
5423 | describe URI_PHP_REDIR PHP redirect to different URL (link obfuscation) | |
5424 | tflags URI_PHP_REDIR publish | |
5425 | ##} URI_PHP_REDIR | |
5426 | ||
5427 | ##{ URI_TRY_3LD | |
5428 | ||
# URI_TRY_3LD: matches http/https URIs whose first host label starts with a
# call-to-action word (try, start, get, save, check, act, compare, join,
# learn, request, visit, my...), followed by at least one more label and then
# ".com" or ".net" at a word boundary (case-insensitive).
# The negative lookaheads carve out known-legitimate prefixes: "get.adobe",
# "checkout", "visitor", "mysub" and "myturbotax"; "my" must also be followed
# by a word character.
5429 | uri URI_TRY_3LD m,^https?://(?:try|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn|request|visit(?!or)|my(?!sub|turbotax)\w)[^.]*\.[^/]+\.(?:com|net)\b,i | |
5430 | describe URI_TRY_3LD "Try it" URI, suspicious hostname | |
5431 | #score URI_TRY_3LD 2.000 # limit | |
5432 | tflags URI_TRY_3LD publish | |
5433 | ##} URI_TRY_3LD | |
5434 | ||
5435 | ##{ URI_TRY_USME | |
5436 | ||
# URI_TRY_USME: sub-rule __URI_TRY_USME (pattern not in this excerpt) unless
# the message carries a DKIM signature (__DKIM_EXISTS). The exclusion tests
# for the presence of a signature, not - as far as this line shows - for its
# validity; confirm against the definition of __DKIM_EXISTS.
5437 | meta URI_TRY_USME __URI_TRY_USME && !__DKIM_EXISTS | |
5438 | describe URI_TRY_USME "Try it" URI, unusual TLD | |
5439 | tflags URI_TRY_USME publish | |
5440 | ##} URI_TRY_USME | |
5441 | ||
5442 | ##{ URI_WPADMIN | |
5443 | ||
# URI_WPADMIN: direct alias of sub-rule __URI_WPADMIN (defined outside this
# excerpt) with no exclusions and no visible score line. Legitimate WordPress
# notification mail also links to login/admin pages, so treat a hit as a weak
# signal on its own.
5444 | meta URI_WPADMIN __URI_WPADMIN | |
5445 | describe URI_WPADMIN WordPress login/admin URI, possible phishing | |
5446 | tflags URI_WPADMIN publish | |
5447 | ##} URI_WPADMIN | |
5448 | ||
5449 | ##{ URI_WP_DIRINDEX | |
5450 | ||
# URI_WP_DIRINDEX: direct alias of sub-rule __URI_WPDIRINDEX (note the
# sub-rule name has no underscore between WP and DIRINDEX).
5451 | meta URI_WP_DIRINDEX __URI_WPDIRINDEX | |
5452 | describe URI_WP_DIRINDEX URI for compromised WordPress site, possible malware | |
5453 | #score URI_WP_DIRINDEX 3.500 # limit | |
5454 | tflags URI_WP_DIRINDEX publish | |
5455 | ##} URI_WP_DIRINDEX | |
5456 | ||
5457 | ##{ URI_WP_HACKED | |
5458 | ||
# URI_WP_HACKED: hits on __URI_WPCONTENT or __URI_WPINCLUDES unless the
# message looks like list traffic, a threaded reply, trusted-relay-only mail
# (ALL_TRUSTED) or passes the other listed legitimacy sub-rules.
5459 | meta URI_WP_HACKED (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED | |
5460 | describe URI_WP_HACKED URI for compromised WordPress site, possible malware | |
5461 | #score URI_WP_HACKED 3.500 # limit | |
5462 | tflags URI_WP_HACKED publish | |
5463 | ##} URI_WP_HACKED | |
5464 | ||
5465 | ##{ URI_WP_HACKED_2 | |
5466 | ||
# URI_WP_HACKED_2: hits on __PS_TEST_LOC_WP only when URI_WP_HACKED did not
# hit, so the two rules never fire on the same message.
5467 | meta URI_WP_HACKED_2 (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__HAS_LIST_ID && !__THREADED && !__USING_VERP1 | |
5468 | describe URI_WP_HACKED_2 URI for compromised WordPress site, possible malware | |
5469 | #score URI_WP_HACKED_2 2.500 # limit | |
5470 | tflags URI_WP_HACKED_2 publish | |
5471 | ##} URI_WP_HACKED_2 | |
5472 | ||
5473 | ##{ USB_DRIVES | |
5474 | ||
# USB_DRIVES: direct alias of sub-rule __SUBJ_USB_DRIVES (defined outside
# this excerpt; by its name a Subject test).
5475 | meta USB_DRIVES __SUBJ_USB_DRIVES | |
5476 | describe USB_DRIVES Trying to sell custom USB flash drives | |
5477 | #score USB_DRIVES 2.000 # limit | |
5478 | tflags USB_DRIVES publish | |
5479 | ##} USB_DRIVES | |
5480 | ||
5481 | ##{ VFY_ACCT_NORDNS | |
5482 | ||
# VFY_ACCT_NORDNS: sub-rule __VFY_ACCT_NORDNS unless __STY_INVIS_MANY also
# hits. Per the description it pairs "verify your account" wording with a
# sending host that has no reverse DNS.
5483 | meta VFY_ACCT_NORDNS __VFY_ACCT_NORDNS && !__STY_INVIS_MANY | |
5484 | describe VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA - probable phishing | |
5485 | #score VFY_ACCT_NORDNS 3.000 # limit | |
5486 | tflags VFY_ACCT_NORDNS publish | |
5487 | ##} VFY_ACCT_NORDNS | |
5488 | ||
5489 | ##{ VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5490 | ||
# VPS_NO_NTLD: only defined on SpamAssassin 3.4.2 or later with the WLBLEval
# plugin loaded. Requires both __VPSNUMBERONLY_TLD and
# __FROM_ADDRLIST_SUSPNTLD (From address on the SUSP_NTLD address list).
# NOTE(review): the description misspells "suspicious" as "suspiscious"; the
# text is emitted in reports, so fix it at the rule source, not here.
5491 | if (version >= 3.004002) | |
5492 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5493 | meta VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD | |
5494 | tflags VPS_NO_NTLD publish | |
5495 | describe VPS_NO_NTLD vps[0-9] domain at a suspiscious TLD | |
5496 | #score VPS_NO_NTLD 1.0 # limit | |
5497 | endif | |
5498 | endif | |
5499 | ##} VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5500 | ||
5501 | ##{ WALMART_IMG_NOT_RCVD_WAL | |
5502 | ||
# WALMART_IMG_NOT_RCVD_WAL: sub-rule of the same name unless the message has
# a DKIM signature (__DKIM_EXISTS). Brand-impersonation heuristic: a
# Walmart-hosted image in mail that, per the description, did not come from
# Walmart.
5503 | meta WALMART_IMG_NOT_RCVD_WAL __WALMART_IMG_NOT_RCVD_WAL && !__DKIM_EXISTS | |
5504 | #score WALMART_IMG_NOT_RCVD_WAL 2.500 # limit | |
5505 | describe WALMART_IMG_NOT_RCVD_WAL Walmart hosted image but message not from Walmart | |
5506 | tflags WALMART_IMG_NOT_RCVD_WAL publish | |
5507 | ##} WALMART_IMG_NOT_RCVD_WAL | |
5508 | ||
5509 | ##{ WANT_TO_ORDER | |
5510 | ||
# WANT_TO_ORDER: body phrase match such as "you want to order now" or
# "you would like order this" ("to" is optional), case-insensitive.
# No describe or tflags line is given for this rule in this section.
5511 | body WANT_TO_ORDER /you (?:(?:would )?like|want)( to)? order (?:this|it|now|today)\b/i | |
5512 | #score WANT_TO_ORDER 1.500 # limit | |
5513 | ##} WANT_TO_ORDER | |
5514 | ||
5515 | ##{ WIKI_IMG | |
5516 | ||
# WIKI_IMG: http/https URI to a .png/.gif/.jpg/.jpeg path on a host whose
# name ends in wikipedia.org or wikimedia.org. "[^/]+" requires at least one
# character before "wiki" and does not require it to be a dot, so any host
# name with that ending matches, not only subdomains of the two sites.
5517 | uri WIKI_IMG m,^https?://[^/]+wiki[mp]edia\.org/.+\.(?:png|gif|jpe?g),i | |
5518 | describe WIKI_IMG Image from wikipedia | |
5519 | ##} WIKI_IMG | |
5520 | ||
5521 | ##{ WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5522 | ||
# WORD_INVIS: defined only when the engine advertises feature_bug6558_free.
# Hits on __WORD_INVIS_MINFP unless WORD_INVIS_MANY hit, so at most one of
# the two hidden-word rules scores on a message.
5523 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5524 | meta WORD_INVIS __WORD_INVIS_MINFP && !WORD_INVIS_MANY | |
5525 | describe WORD_INVIS A hidden word | |
5526 | # score WORD_INVIS 3.000 # limit | |
5527 | tflags WORD_INVIS publish | |
5528 | endif | |
5529 | ##} WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5530 | ||
5531 | ##{ WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5532 | ||
# WORD_INVIS_MANY: direct alias of sub-rule __WORD_INVIS_2 (defined outside
# this excerpt), under the same feature guard.
5533 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5534 | meta WORD_INVIS_MANY __WORD_INVIS_2 | |
5535 | describe WORD_INVIS_MANY Multiple individual hidden words | |
5536 | # score WORD_INVIS_MANY 3.000 # limit | |
5537 | tflags WORD_INVIS_MANY publish | |
5538 | endif | |
5539 | ##} WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5540 | ||
5541 | ##{ XFER_LOTSA_MONEY | |
5542 | ||
# XFER_LOTSA_MONEY: sub-rule of the same name unless the message looks like
# mailing-list or subscription traffic or has a Sender header.
5543 | meta XFER_LOTSA_MONEY __XFER_LOTSA_MONEY && !__VIA_ML && !__HAS_SENDER && !__SUBSCRIPTION_INFO | |
5544 | describe XFER_LOTSA_MONEY Transfer a lot of money | |
5545 | #score XFER_LOTSA_MONEY 1.000 # limit | |
5546 | ##} XFER_LOTSA_MONEY | |
5547 | ||
5548 | ##{ XM_DIGITS_ONLY | |
5549 | ||
# The XM_* rules below test the X-Mailer header, which the sender sets
# freely; they are heuristics about sending software, not authentication.
# XM_DIGITS_ONLY: direct alias of sub-rule __XM_DIGITS_ONLY.
5550 | meta XM_DIGITS_ONLY __XM_DIGITS_ONLY | |
5551 | describe XM_DIGITS_ONLY X-Mailer malformed | |
5552 | #score XM_DIGITS_ONLY 3.000 # limit | |
5553 | tflags XM_DIGITS_ONLY publish | |
5554 | ##} XM_DIGITS_ONLY | |
5555 | ||
5556 | ##{ XM_LIGHT_HEAVY | |
5557 | ||
# XM_LIGHT_HEAVY: sub-rule of the same name unless an X-BeenThere header is
# present (__HAS_X_BEEN_THERE).
5558 | meta XM_LIGHT_HEAVY __XM_LIGHT_HEAVY && !__HAS_X_BEEN_THERE | |
5559 | describe XM_LIGHT_HEAVY Special edition of a MUA | |
5560 | #score XM_LIGHT_HEAVY 2.500 # limit | |
5561 | ##} XM_LIGHT_HEAVY | |
5562 | ||
5563 | ##{ XM_PHPMAILER_FORGED | |
5564 | ||
# XM_PHPMAILER_FORGED: direct alias of sub-rule __XM_PHPMAILER_FORGED; no
# score line is visible for it here.
5565 | meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED | |
5566 | describe XM_PHPMAILER_FORGED Apparently forged header | |
5567 | tflags XM_PHPMAILER_FORGED publish | |
5568 | ##} XM_PHPMAILER_FORGED | |
5569 | ||
5570 | ##{ XM_RANDOM | |
5571 | ||
# XM_RANDOM: sub-rule __XM_RANDOM unless the message is a reply
# (In-Reply-To present) or hits __STY_INVIS_3 or __XM_UC_ONLY.
5572 | meta XM_RANDOM __XM_RANDOM && !__STY_INVIS_3 && !__HAS_IN_REPLY_TO && !__XM_UC_ONLY | |
5573 | describe XM_RANDOM X-Mailer apparently random | |
5574 | #score XM_RANDOM 3.000 # limit | |
5575 | tflags XM_RANDOM publish | |
5576 | ##} XM_RANDOM | |
5577 | ||
5578 | ##{ XM_RECPTID | |
5579 | ||
# XM_RECPTID: sub-rule __HAS_XM_RECPTID minus the listed exclusions
# (script tag, no-reply Reply-To, Amazon SES envelope sender, direct-to-MX,
# __FRAUD_PTX). No tflags line is given for this rule in this section.
5580 | meta XM_RECPTID __HAS_XM_RECPTID && !__TAG_EXISTS_SCRIPT && !__REPLYTO_NOREPLY && !__ENVFROM_AMAZONSES && !__DOS_DIRECT_TO_MX && !__FRAUD_PTX | |
5581 | describe XM_RECPTID Has spammy message header | |
5582 | #score XM_RECPTID 3.000 # limit | |
5583 | ##} XM_RECPTID | |
5584 | ||
5585 | ##{ XPRIO | |
5586 | ||
# XPRIO: description and publish flag are unconditional. The rule body is
# chosen by which authentication plugins are loaded (sections below):
#   no DKIM plugin        -> __XPRIO_MINFP alone
#   DKIM, no SPF plugin   -> __XPRIO_MINFP and no DKIM result / DNSWL listing
#   DKIM and SPF plugins  -> as above, and additionally no SPF_PASS
# Without the DKIM plugin none of the authentication exclusions apply, so the
# rule is at its broadest on installs that do no DKIM checking.
5587 | describe XPRIO Has X-Priority header | |
5588 | #score XPRIO 2.250 # limit | |
5589 | tflags XPRIO publish | |
5590 | ##} XPRIO | |
5591 | ||
5592 | ##{ XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
5593 | ||
5594 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
5595 | meta XPRIO __XPRIO_MINFP | |
5596 | endif | |
5597 | ##} XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
5598 | ||
5599 | ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM | |
5600 | ||
# With the DKIM plugin the rule depends on network results, hence `net`.
# NOTE(review): a second tflags line for the same rule presumably replaces
# the earlier "publish" value rather than adding to it - confirm.
5601 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
5602 | tflags XPRIO net | |
5603 | endif | |
5604 | ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM | |
5605 | ||
5606 | ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
5607 | ||
5608 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
5609 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
5610 | meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE | |
5611 | endif | |
5612 | endif | |
5613 | ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
5614 | ||
5615 | ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF | |
5616 | ||
5617 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
5618 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
5619 | meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS | |
5620 | endif | |
5621 | endif | |
5622 | ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF | |
5623 | ||
5624 | ##{ XPRIO_SHORT_SUBJ | |
5625 | ||
# XPRIO_SHORT_SUBJ: sub-rule of the same name minus the listed exclusions,
# among them trusted-relay-only mail (ALL_TRUSTED), mail with a DKIM
# signature (__DKIM_EXISTS) and mail containing an href (__HAS_HREF).
5626 | meta XPRIO_SHORT_SUBJ __XPRIO_SHORT_SUBJ && !__MSM_PRIO_REPTO && !ALL_TRUSTED && !__DKIM_EXISTS && !__RELAY_THRU_WWW && !__CTYPE_HAS_BOUNDARY && !__RCD_RDNS_MTA && !__HAS_HREF | |
5627 | describe XPRIO_SHORT_SUBJ Has X Priority header + short subject | |
5628 | #score XPRIO_SHORT_SUBJ 2.500 # limit | |
5629 | tflags XPRIO_SHORT_SUBJ publish | |
5630 | ##} XPRIO_SHORT_SUBJ | |
5631 | ||
5632 | ##{ XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5633 | ||
# XPRIO_URL_SHORTNER: requires the WLBLEval plugin and SpamAssassin 3.4.0 or
# later. Hits when both __XPRIO_MINFP and __PDS_URISHORTENER hit. The rule
# name spells "SHORTNER" while the sub-rule spells "SHORTENER"; local
# overrides must use the name exactly as written here.
5634 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5635 | if (version >= 3.004000) | |
5636 | meta XPRIO_URL_SHORTNER __XPRIO_MINFP && __PDS_URISHORTENER | |
5637 | describe XPRIO_URL_SHORTNER X-Priority header and short URL | |
5638 | #score XPRIO_URL_SHORTNER 1.0 # limit | |
5639 | endif | |
5640 | endif | |
5641 | ##} XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5642 | ||
5643 | ##{ X_MAILER_CME_6543_MSN | |
5644 | ||
# X_MAILER_CME_6543_MSN: the X-Mailer header must be exactly
# "CME-V6.5.4.3; MSN" (trailing whitespace allowed). The match is
# case-sensitive (no /i). No describe, score or tflags line is given here.
5645 | header X_MAILER_CME_6543_MSN X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/ | |
5646 | ##} X_MAILER_CME_6543_MSN | |
5647 | ||
5648 | ##{ YOUR_DELIVERY_ADDRESS | |
5649 | ||
# YOUR_DELIVERY_ADDRESS: body phrase asking the reader to reply with a
# delivery or shipping address, case-insensitive.
5650 | body YOUR_DELIVERY_ADDRESS /(?:respond|reply) (to )?(?:our|this) email (?:with|and send) your (?:(?:delivery |shipping )?address|address (?:for|of) shipping)/i | |
5651 | #score YOUR_DELIVERY_ADDRESS 1.500 # limit | |
5652 | ##} YOUR_DELIVERY_ADDRESS | |
5653 | ||
5654 | ##{ YOU_INHERIT | |
5655 | ||
# YOU_INHERIT: direct alias of sub-rule __YOU_INHERIT (defined outside this
# excerpt); no score or tflags line is given here.
5656 | meta YOU_INHERIT __YOU_INHERIT | |
5657 | describe YOU_INHERIT Discussing your inheritance | |
5658 | ##} YOU_INHERIT | |
5659 | ||
5660 | ##{ bayes_ignore_header_sandbox | |
5661 | ||
# Each bayes_ignore_header line names a message header that the Bayes
# classifier leaves out when it tokenises a message. The names in this
# section are mostly verdict, score and version headers written by other
# spam/virus filters and gateways; ignoring them presumably keeps an earlier
# scanner's verdict, or a copy of such a header added by the sender, from
# being learned as evidence.
5662 | bayes_ignore_header X-ACL-Warn | |
5663 | bayes_ignore_header X-Alimail-AntiSpam | |
5664 | bayes_ignore_header X-Amavis-Modified | |
5665 | bayes_ignore_header X-Anti-Spam | |
5666 | bayes_ignore_header X-Anti-Virus | |
5667 | bayes_ignore_header X-Anti-Virus-Version | |
5668 | bayes_ignore_header X-AntiAbuse | |
5669 | bayes_ignore_header X-Antispam | |
5670 | bayes_ignore_header X-Antivirus | |
5671 | bayes_ignore_header X-Antivirus-Code | |
5672 | bayes_ignore_header X-Antivirus-Status | |
5673 | bayes_ignore_header X-Antivirus-Version | |
5674 | bayes_ignore_header x-aol-global-disposition | |
5675 | bayes_ignore_header X-ASF-Spam-Status | |
5676 | bayes_ignore_header X-ASG-Debug-ID | |
5677 | bayes_ignore_header X-ASG-Orig-Subj | |
5678 | bayes_ignore_header X-ASG-Recipient-Whitelist | |
5679 | bayes_ignore_header X-ASG-Tag | |
5680 | bayes_ignore_header X-Assp-Version | |
5681 | bayes_ignore_header X-Authority-Analysis | |
5682 | bayes_ignore_header X-Authvirus | |
5683 | bayes_ignore_header X-Auto-Response-Suppress | |
5684 | bayes_ignore_header X-AV-Do-Run | |
5685 | bayes_ignore_header X-AV-Status | |
5686 | bayes_ignore_header x-avast-antispam | |
5687 | bayes_ignore_header X-Backend | |
5688 | bayes_ignore_header X-Barracuda-Apparent-Source-IP | |
5689 | bayes_ignore_header X-Barracuda-Bayes | |
5690 | bayes_ignore_header X-Barracuda-BBL-IP | |
5691 | bayes_ignore_header X-Barracuda-BRTS-Status | |
5692 | bayes_ignore_header X-Barracuda-BRTS-URL-Found | |
5693 | bayes_ignore_header X-Barracuda-Connect | |
5694 | bayes_ignore_header X-Barracuda-Encrypted | |
5695 | bayes_ignore_header X-Barracuda-Envelope-From | |
5696 | bayes_ignore_header X-Barracuda-Fingerprint-Found | |
5697 | bayes_ignore_header X-Barracuda-Orig-Rcpt | |
5698 | bayes_ignore_header X-Barracuda-RBL-IP | |
5699 | bayes_ignore_header X-Barracuda-RBL-Trusted-Forwarder | |
5700 | bayes_ignore_header X-Barracuda-Spam-Report | |
5701 | bayes_ignore_header X-Barracuda-Spam-Score | |
5702 | bayes_ignore_header X-Barracuda-Spam-Status | |
5703 | bayes_ignore_header X-Barracuda-Start-Time | |
5704 | bayes_ignore_header X-Barracuda-UID | |
5705 | bayes_ignore_header X-Barracuda-URL | |
5706 | bayes_ignore_header X-Barracuda-Virus-Alert | |
5707 | bayes_ignore_header X-Bayes-Prob | |
5708 | bayes_ignore_header X-Bayesian-Result | |
5709 | bayes_ignore_header X-BitDefender-Spam | |
5710 | bayes_ignore_header X-BitDefender-SpamStamp | |
5711 | bayes_ignore_header X-BL | |
5712 | bayes_ignore_header X-Bogosity | |
5713 | bayes_ignore_header X-Boxtrapper | |
5714 | bayes_ignore_header X-Brightmail-Tracker | |
5715 | bayes_ignore_header X-BTI-AntiSpam | |
5716 | bayes_ignore_header X-Bugzilla-Version | |
5717 | bayes_ignore_header X-CanIt-Geo | |
5718 | bayes_ignore_header X-Canit-Stats-ID | |
5719 | bayes_ignore_header X-CanItPRO-Stream | |
5720 | bayes_ignore_header X-Clapf-spamicity | |
5721 | bayes_ignore_header X-Cloud-Security | |
5722 | bayes_ignore_header X-CM-Score | |
5723 | bayes_ignore_header X-CMAE-Analysis | |
5724 | bayes_ignore_header X-CMAE-Match | |
5725 | bayes_ignore_header X-CMAE-Score | |
5726 | bayes_ignore_header X-CMAE-Verdict | |
5727 | bayes_ignore_header X-CNFS-Analysis | |
5728 | bayes_ignore_header X-Company | |
5729 | bayes_ignore_header X-Coremail-Antispam | |
5730 | bayes_ignore_header X-CRM114-CacheID | |
5731 | bayes_ignore_header X-CRM114-Status | |
5732 | bayes_ignore_header X-CRM114-Version | |
5733 | bayes_ignore_header X-CT-Spam | |
5734 | bayes_ignore_header X-CTCH-SenderID | |
5735 | bayes_ignore_header X-CTCH-SenderID-TotalBulk | |
5736 | bayes_ignore_header X-CTCH-SenderID-TotalConfirmed | |
5737 | bayes_ignore_header X-CTCH-SenderID-TotalMessages | |
5738 | bayes_ignore_header X-CTCH-SenderID-TotalRecipients | |
5739 | bayes_ignore_header X-CTCH-SenderID-TotalSpam | |
5740 | bayes_ignore_header X-CTCH-SenderID-TotalSuspected | |
5741 | bayes_ignore_header X-CTCH-SenderID-TotalVirus | |
5742 | bayes_ignore_header X-CTCH-Spam | |
5743 | bayes_ignore_header X-CTCH-VOD | |
5744 | bayes_ignore_header X-Drweb-SpamState | |
5745 | bayes_ignore_header X-DSPAM-Confidence | |
5746 | bayes_ignore_header X-DSPAM-Factors | |
5747 | bayes_ignore_header X-DSPAM-Improbability | |
5748 | bayes_ignore_header X-DSPAM-Probability | |
5749 | bayes_ignore_header X-DSPAM-Processed | |
5750 | bayes_ignore_header X-DSPAM-Result | |
5751 | bayes_ignore_header X-DSPAM-Signature | |
5752 | bayes_ignore_header x-eavas | |
5753 | bayes_ignore_header x-eavas-action | |
5754 | bayes_ignore_header x-eavas-eavasid | |
5755 | bayes_ignore_header X-Enigmail-Version | |
5756 | bayes_ignore_header X-EsetId | |
5757 | bayes_ignore_header X-EsetResult | |
5758 | bayes_ignore_header X-Exchange-Antispam-Report | |
5759 | bayes_ignore_header X-ExtloopSabreCommercials1 | |
5760 | bayes_ignore_header X-EYOU-SPAMVALUE | |
5761 | bayes_ignore_header X-FB-OUTBOUND-SPAM | |
5762 | bayes_ignore_header X-FEAS-SBL | |
5763 | bayes_ignore_header X-FILTER-SCORE | |
5764 | bayes_ignore_header X-Forefront-Antispam-Report | |
5765 | bayes_ignore_header X-Forefront-PRVS | |
5766 | bayes_ignore_header X-Fuglu-Spamstatus | |
5767 | bayes_ignore_header X-Fuglu-Suspect | |
5768 | bayes_ignore_header X-getmail-filter-classifier | |
5769 | bayes_ignore_header X-GFIME-MASPAM | |
5770 | bayes_ignore_header X-Gmane-NNTP-Posting-Host | |
5771 | bayes_ignore_header X-GMX-Antispam | |
5772 | bayes_ignore_header X-GMX-Antivirus | |
5773 | bayes_ignore_header X-He-Spam | |
5774 | bayes_ignore_header X-hMailServer-Spam | |
5775 | bayes_ignore_header X-IAS | |
5776 | bayes_ignore_header X-iGspam-global | |
5777 | bayes_ignore_header X-Injected-Via-Gmane | |
5778 | bayes_ignore_header X-Interia-Antivirus | |
5779 | bayes_ignore_header X-IP-Spam-Verdict | |
5780 | bayes_ignore_header X-Ironport | |
5781 | bayes_ignore_header X-IronPort-Anti-Spam-Filtered | |
5782 | bayes_ignore_header X-IronPort-Anti-Spam-Result | |
5783 | bayes_ignore_header X-IronPort-AV | |
5784 | bayes_ignore_header X-Ironport-HAT | |
5785 | bayes_ignore_header X-Ironport-HOSTNAME | |
5786 | bayes_ignore_header X-Ironport-LNR | |
5787 | bayes_ignore_header X-Ironport-MessageFilter | |
5788 | bayes_ignore_header X-Ironport-MFP | |
5789 | bayes_ignore_header X-Ironport-MID | |
5790 | bayes_ignore_header X-IronPort-Outgoing-Antispam | |
5791 | bayes_ignore_header X-Ironport-RIF | |
5792 | bayes_ignore_header X-Ironport-SBRS | |
5793 | bayes_ignore_header X-Ironport-SENDER | |
5794 | bayes_ignore_header X-Ironport-SUBJECT | |
5795 | bayes_ignore_header X-Junk-Score | |
5796 | bayes_ignore_header X-Junkmail | |
5797 | bayes_ignore_header X-KLMS-AntiPhishing | |
5798 | bayes_ignore_header X-Klms-Antispam | |
5799 | bayes_ignore_header X-KLMS-AntiSpam-Info | |
5800 | bayes_ignore_header X-KLMS-AntiSpam-Interceptor-Info | |
5801 | bayes_ignore_header X-KLMS-AntiSpam-Lua-Profiles | |
5802 | bayes_ignore_header X-KLMS-AntiSpam-Method | |
5803 | bayes_ignore_header X-KLMS-AntiSpam-Moebius-Timestamps | |
5804 | bayes_ignore_header X-KLMS-AntiSpam-Rate | |
5805 | bayes_ignore_header X-KLMS-AntiSpam-Status | |
5806 | bayes_ignore_header X-KLMS-AntiSpam-Version | |
5807 | bayes_ignore_header X-KLMS-AntiVirus | |
5808 | bayes_ignore_header X-KLMS-AntiVirus-Status | |
5809 | bayes_ignore_header X-KLMS-Message-Action | |
5810 | bayes_ignore_header X-KLMS-Rule-ID | |
5811 | bayes_ignore_header X-KMail-EncryptionState | |
5812 | bayes_ignore_header X-KMail-MDN-Sent | |
5813 | bayes_ignore_header X-KMail-SignatureState | |
# NOTE(review): "X-MailCleaner-SpamChec" looks like a truncated duplicate of
# the next entry; confirm whether any product really emits that name.
5814 | bayes_ignore_header X-MailCleaner-SpamChec | |
5815 | bayes_ignore_header X-MailCleaner-SpamCheck | |
5816 | bayes_ignore_header X-MailFoundry | |
5817 | bayes_ignore_header X-MDMailLookup-Result | |
5818 | bayes_ignore_header X-ME-Bayesian | |
5819 | bayes_ignore_header X-ME-Content | |
5820 | bayes_ignore_header X-MessageFilter | |
5821 | bayes_ignore_header X-Microsoft-Antispam | |
5822 | bayes_ignore_header X-Mlf-Version | |
5823 | bayes_ignore_header X-MXScan-AntiSpam | |
5824 | bayes_ignore_header X-MXScan-AntiVirus | |
5825 | bayes_ignore_header X-MXScan-Country-Sequence | |
5826 | bayes_ignore_header X-MXScan-License | |
5827 | bayes_ignore_header X-MXScan-Msgid | |
5828 | bayes_ignore_header X-MXScan-ProcessingTime | |
5829 | bayes_ignore_header X-MXScan-Scan | |
5830 | bayes_ignore_header X-NAI-Spam-Flag | |
5831 | bayes_ignore_header X-NAI-Spam-Rules | |
5832 | bayes_ignore_header X-NAI-Spam-Score | |
5833 | bayes_ignore_header X-NAI-Spam-Threshold | |
5834 | bayes_ignore_header X-NetStation-Status | |
5835 | bayes_ignore_header X-OVH-SPAMCAUSE | |
# NOTE(review): this entry carries a trailing ":" that the other entries do
# not have. A header name does not include the colon, so this line probably
# never matches; the preceding entry already covers X-OVH-SPAMCAUSE.
5836 | bayes_ignore_header X-OVH-SPAMCAUSE: | |
5837 | bayes_ignore_header X-OVH-SPAMSCORE | |
5838 | bayes_ignore_header X-OVH-SPAMSTATE | |
5839 | bayes_ignore_header X-PerlMx-Spam | |
5840 | bayes_ignore_header X-PerlMx-Virus-Scanned | |
5841 | bayes_ignore_header X-PFSI-Info | |
5842 | bayes_ignore_header X-PMX-Spam | |
5843 | bayes_ignore_header X-PMX-Version | |
5844 | bayes_ignore_header X-Policy-Service | |
5845 | bayes_ignore_header X-policyd-weight | |
5846 | bayes_ignore_header X-PreRBLs | |
5847 | bayes_ignore_header X-Probable-Spam | |
5848 | bayes_ignore_header X-PROLinux-SpamCheck | |
5849 | bayes_ignore_header X-Proofpoint-Spam-Reason | |
5850 | bayes_ignore_header X-Proofpoint-Virus-Version | |
# NOTE(review): this entry contains a header value ("clean") and a colon, not
# just a header name. As written it presumably does not make the
# x-purgate-eavas header ignored - confirm how the parser treats it and
# whether a plain "x-purgate-eavas" entry was intended.
5851 | bayes_ignore_header x-purgate-eavas: clean | |
5852 | bayes_ignore_header x-purgate-id | |
5853 | bayes_ignore_header x-purgate-size | |
5854 | bayes_ignore_header x-purgate-type | |
5855 | bayes_ignore_header X-Qmail-Scanner-Diagnostics | |
5856 | bayes_ignore_header X-Qmail-Scanner-MOVED-X-Spam-Status | |
5857 | bayes_ignore_header X-Quarantine-ID | |
5858 | bayes_ignore_header X-RSpam-Report | |
5859 | bayes_ignore_header X-SA-Do-Not-Run | |
5860 | bayes_ignore_header X-SA-Exim-Version | |
5861 | bayes_ignore_header X-Scanned-by | |
5862 | bayes_ignore_header X-SmarterMail-CustomSpamHeader | |
5863 | bayes_ignore_header X-Spam | |
5864 | bayes_ignore_header X-Spam-Action | |
5865 | bayes_ignore_header X-SPAM-AISP | |
5866 | bayes_ignore_header X-Spam-Check-By | |
5867 | bayes_ignore_header X-Spam-Checker-Version | |
5868 | bayes_ignore_header X-Spam-CMAE-Analysis | |
5869 | bayes_ignore_header X-Spam-CMAESCORE | |
5870 | bayes_ignore_header X-Spam-CTCH-RefID | |
5871 | bayes_ignore_header X-Spam-Flag | |
5872 | bayes_ignore_header X-Spam-Level | |
5873 | bayes_ignore_header X-Spam-Processed | |
5874 | bayes_ignore_header X-Spam-Report | |
5875 | bayes_ignore_header X-Spam-Scanned | |
5876 | bayes_ignore_header X-Spam-Score | |
5877 | bayes_ignore_header X-Spam-Score-Int | |
5878 | bayes_ignore_header X-Spam-SmartLearn | |
5879 | bayes_ignore_header X-Spam-Status | |
5880 | bayes_ignore_header X-Spam-Threshold | |
5881 | bayes_ignore_header X-Spam_bar | |
5882 | bayes_ignore_header X-Spambayes-Classification | |
5883 | bayes_ignore_header X-SpamExperts-Domain | |
5884 | bayes_ignore_header X-SpamExperts-Outgoing-Class | |
5885 | bayes_ignore_header X-SpamExperts-Outgoing-Evidence | |
5886 | bayes_ignore_header X-SpamExperts-Username | |
5887 | bayes_ignore_header X-Spamfilter-host | |
5888 | bayes_ignore_header X-Spamina-Bogosity | |
5889 | bayes_ignore_header X-Spamina-Spam-Report | |
5890 | bayes_ignore_header X-Spamina-Spam-Score | |
5891 | bayes_ignore_header X-SpamInfo | |
5892 | bayes_ignore_header X-Spamsave | |
5893 | bayes_ignore_header X-SpamTest-Group-ID | |
5894 | bayes_ignore_header X-SpamTest-Info | |
5895 | bayes_ignore_header X-SpamTest-Method | |
5896 | bayes_ignore_header X-SpamTest-Rate | |
5897 | bayes_ignore_header X-SpamTest-SPF | |
5898 | bayes_ignore_header X-SpamTest-Status | |
5899 | bayes_ignore_header X-SpamTest-Status-Extended | |
5900 | bayes_ignore_header X-SPF-Scan-By | |
5901 | bayes_ignore_header X-STA-Metric | |
5902 | bayes_ignore_header X-STA-NotSpam | |
5903 | bayes_ignore_header X-STA-Spam | |
5904 | bayes_ignore_header X-StarScan-Version | |
5905 | bayes_ignore_header X-SurGATE-Result | |
5906 | bayes_ignore_header X-SWITCHham-Score | |
5907 | bayes_ignore_header X-UI-Filterresults | |
5908 | bayes_ignore_header X-UI-Loop | |
5909 | bayes_ignore_header X-UI-Out-Filterresults | |
5910 | bayes_ignore_header X-Univie-Spam-Checker-Version | |
5911 | bayes_ignore_header X-Univie-Virus-Scan | |
5912 | bayes_ignore_header X-Virus | |
5913 | bayes_ignore_header X-Virus-Checker-Version | |
5914 | bayes_ignore_header X-Virus-Scanned | |
5915 | bayes_ignore_header X-Virus-Scanner-Result | |
5916 | bayes_ignore_header X-Virus-Scanner-Version | |
5917 | bayes_ignore_header X-Virus-Status | |
5918 | bayes_ignore_header X-VirusChecked | |
5919 | bayes_ignore_header X-VR-SCORE | |
5920 | bayes_ignore_header X-VR-SPAMCAUSE | |
5921 | bayes_ignore_header X-VR-STATUS | |
5922 | bayes_ignore_header X-WatchGuard-Mail-Client-IP | |
5923 | bayes_ignore_header X-WatchGuard-Mail-From | |
5924 | bayes_ignore_header X-WatchGuard-Mail-Recipients | |
5925 | bayes_ignore_header X-WatchGuard-Spam-ID | |
5926 | bayes_ignore_header X-WatchGuard-Spam-Score | |
5927 | bayes_ignore_header X-Whitelist-Domain | |
5928 | bayes_ignore_header X-WUM-CCI | |
# NOTE(review): the section-closing marker "##} bayes_ignore_header_sandbox"
# is fused onto this directive (missing line break in the source file). The
# config parser presumably drops everything from the first "#", leaving
# "X_CMAE_Category" as the header name, but tools that look for the marker at
# the start of a line will not find the end of this section.
5929 | bayes_ignore_header X_CMAE_Category##} bayes_ignore_header_sandbox | |
5930 | ||
5931 | ##{ if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox | |
5932 | ||
# Requires SpamAssassin 3.4.1 or later and the AskDNS plugin.
# The first four askdns rules look up <author domain>.fresh.fmb.la. for A
# records and hit on one exact answer each (127.2.0.2, 127.2.0.14,
# 127.2.0.28, 127.255.255.255). Going by the rule names these mean "newly
# registered domain" at different ages and "query blocked by the list
# operator" - confirm against the list's documentation.
# These are network tests: every scanned message sends the author domain to
# a third-party DNS zone, and a "blocked" answer says nothing about the
# domain itself.
# `reuse` lets mass-check runs take a rule's result from an existing
# X-Spam-Status header instead of repeating the lookup.
5933 | if (version >= 3.004001) | |
5934 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
5935 | askdns __FROM_FMBLA_NEWDOM _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/ | |
5936 | askdns __FROM_FMBLA_NEWDOM14 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.14$/ | |
5937 | askdns __FROM_FMBLA_NEWDOM28 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.28$/ | |
5938 | askdns __FROM_FMBLA_NDBLOCKED _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.255\.255\.255$/ | |
5939 | reuse FROM_FMBLA_NEWDOM | |
5940 | reuse FROM_FMBLA_NEWDOM14 | |
5941 | reuse FROM_FMBLA_NEWDOM28 | |
5942 | reuse FROM_FMBLA_NDBLOCKED | |
5943 | reuse __PDS_NEWDOMAIN | |
5944 | reuse FROM_NUMBERO_NEWDOMAIN | |
5945 | reuse FROM_NEWDOM_BTC | |
# __PDS_SPF_ONLYALL: TXT lookup on the sender domain, hitting only when a
# record is exactly "v=spf1 +all", i.e. an SPF policy that authorises every
# host to send for the domain.
5946 | askdns __PDS_SPF_ONLYALL _SENDERDOMAIN_ TXT /^v=spf1 \+all$/ | |
5947 | reuse BITCOIN_SPF_ONLYALL | |
5948 | endif | |
5949 | endif | |
5950 | ##} if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox | |
5951 | ||
5952 | ##{ if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox | |
5953 | ||
# Requires SpamAssassin 3.4.2 or later and the WLBLEval plugin.
# enlist_addrlist adds address globs to a named list (here PAYPAL). The list
# is not a welcome-list by itself: it only records which addresses claim to
# be the brand, and the rules that consult it are defined outside this
# excerpt. A From address is set by the sender, so list membership is only
# meaningful together with an authentication result (SPF/DKIM), as the rule
# name FROM_PAYPAL_SPOOF suggests.
# NOTE(review): *@paypal.de appears on both of the first two lines; the
# duplicate looks harmless.
5954 | if (version >= 3.004002) | |
5955 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5956 | enlist_addrlist (PAYPAL) *@paypal.com *@paypal.co.uk *@paypal.de *@paypal.com.au *@paypal.it | |
5957 | enlist_addrlist (PAYPAL) *@paypal.es *@paypal.fr *@paypal.de *@paypal.com.hk | |
5958 | enlist_addrlist (PAYPAL) *@*.paypal.com *@*.paypal.co.uk | |
5959 | reuse __FROM_ADDRLIST_PAYPAL | |
5960 | reuse FROM_PAYPAL_SPOOF | |
# BANKS: address globs for bank domains. The entries visible here are exact
# domains only (no *@*.domain subdomain globs), so mail from a subdomain of
# these banks is presumably not on the list - confirm how the plugin matches.
# The rule name FROM_BANK_NOAUTH suggests the list is combined with a
# missing-authentication test defined outside this excerpt.
5961 | enlist_addrlist (BANKS) *@abbey.co.uk *@abbey.com *@abbeyinternational.com *@abbeyinternational.co.uk *@abbeynational.com *@abbeynational.co.uk | |
5962 | enlist_addrlist (BANKS) *@allianceleicester.com *@allianceleicester.co.uk *@alliance-leicester.com *@alliance-leicester.co.uk | |
5963 | enlist_addrlist (BANKS) *@bankofamerica.com *@bankofamerica.co.uk | |
5964 | enlist_addrlist (BANKS) *@barclaycard.com *@barclays.com | |
5965 | enlist_addrlist (BANKS) *@citibank.com | |
5966 | enlist_addrlist (BANKS) *@firstdirect.com *@firstdirect.co.uk | |
5967 | enlist_addrlist (BANKS) *@halifax.com *@halifax.co.uk *@halifax-online.co.uk *@halifax-online.com | |
5968 | enlist_addrlist (BANKS) *@hbos.com *@hbos.co.uk | |
5969 | enlist_addrlist (BANKS) *@hsbc.com *@hsbc.co.uk *@hsbc.hk *@hsbcgroup.com *@hsbcgroup.co.uk | |
5970 | enlist_addrlist (BANKS) *@lloydstsb.com *@lloydstsb.co.uk *@lloyds.com | |
5971 | enlist_addrlist (BANKS) *@mbna.com | |
5972 | enlist_addrlist (BANKS) *@nationwide.com *@nationwide.co.uk | |
5973 | enlist_addrlist (BANKS) *@natwest.com *@natwest.co.uk | |
5974 | enlist_addrlist (BANKS) *@santander.com *@santander.co.uk | |
5975 | enlist_addrlist (BANKS) *@standardbank.co.za | |
5976 | enlist_addrlist (BANKS) *@ybonline.co.uk *@ybonline.com | |
5977 | reuse __FROM_ADDRLIST_BANKS | |
5978 | reuse FROM_BANK_NOAUTH | |
# GOV: any address under a .gov or .gov.uk name, plus parliament.uk and its
# subdomains. The globs require at least one label before ".gov" / ".gov.uk".
5979 | enlist_addrlist (GOV) *@*.gov | |
5980 | enlist_addrlist (GOV) *@*.gov.uk *@parliament.uk *@*.parliament.uk | |
5981 | reuse __FROM_ADDRLIST_GOV | |
5982 | reuse FROM_GOV_SPOOF | |
5983 | reuse FROM_GOV_DKIM_AU | |
5984 | reuse FROM_GOV_REPLYTO_FREEMAIL | |
# SUSP_NTLD: address list of newer TLDs that the rule authors treat as
# suspicious in a sender address. The enlist_uri_host (SUSP_URI_NTLD) lines
# further down repeat the same TLDs for URI host matching; the two lists are
# maintained separately, so an addition has to be made in both places.
5985 | enlist_addrlist (SUSP_NTLD) *@*.icu | |
5986 | enlist_addrlist (SUSP_NTLD) *@*.online | |
5987 | enlist_addrlist (SUSP_NTLD) *@*.work | |
5988 | enlist_addrlist (SUSP_NTLD) *@*.date | |
5989 | enlist_addrlist (SUSP_NTLD) *@*.top | |
5990 | enlist_addrlist (SUSP_NTLD) *@*.fun | |
5991 | enlist_addrlist (SUSP_NTLD) *@*.life | |
5992 | enlist_addrlist (SUSP_NTLD) *@*.review | |
5993 | enlist_addrlist (SUSP_NTLD) *@*.xyz | |
5994 | enlist_addrlist (SUSP_NTLD) *@*.bid | |
5995 | enlist_addrlist (SUSP_NTLD) *@*.stream | |
5996 | enlist_addrlist (SUSP_NTLD) *@*.site | |
5997 | enlist_addrlist (SUSP_NTLD) *@*.space | |
5998 | enlist_addrlist (SUSP_NTLD) *@*.gdn | |
5999 | enlist_addrlist (SUSP_NTLD) *@*.click | |
6000 | enlist_addrlist (SUSP_NTLD) *@*.world | |
6001 | enlist_addrlist (SUSP_NTLD) *@*.fit | |
6002 | enlist_addrlist (SUSP_NTLD) *@*.ooo | |
6003 | enlist_addrlist (SUSP_NTLD) *@*.faith | |
6004 | enlist_addrlist (SUSP_NTLD) *@*.buzz | |
6005 | enlist_addrlist (SUSP_NTLD) *@*.trade | |
6006 | enlist_addrlist (SUSP_NTLD) *@*.cyou | |
6007 | enlist_addrlist (SUSP_NTLD) *@*.vip | |
6008 | enlist_uri_host (SUSP_URI_NTLD) icu | |
6009 | enlist_uri_host (SUSP_URI_NTLD) online | |
6010 | enlist_uri_host (SUSP_URI_NTLD) work | |
6011 | enlist_uri_host (SUSP_URI_NTLD) date | |
6012 | enlist_uri_host (SUSP_URI_NTLD) top | |
6013 | enlist_uri_host (SUSP_URI_NTLD) fun | |
6014 | enlist_uri_host (SUSP_URI_NTLD) life | |
6015 | enlist_uri_host (SUSP_URI_NTLD) review | |
6016 | enlist_uri_host (SUSP_URI_NTLD) xyz | |
6017 | enlist_uri_host (SUSP_URI_NTLD) bid | |
6018 | enlist_uri_host (SUSP_URI_NTLD) stream | |
6019 | enlist_uri_host (SUSP_URI_NTLD) site | |
6020 | enlist_uri_host (SUSP_URI_NTLD) space | |
6021 | enlist_uri_host (SUSP_URI_NTLD) gdn | |
6022 | enlist_uri_host (SUSP_URI_NTLD) click | |
6023 | enlist_uri_host (SUSP_URI_NTLD) world | |
6024 | enlist_uri_host (SUSP_URI_NTLD) fit | |
6025 | enlist_uri_host (SUSP_URI_NTLD) ooo | |
6026 | enlist_uri_host (SUSP_URI_NTLD) faith | |
6027 | enlist_uri_host (SUSP_URI_NTLD) buzz | |
6028 | enlist_uri_host (SUSP_URI_NTLD) trade | |
6029 | enlist_uri_host (SUSP_URI_NTLD) cyou | |
6030 | enlist_uri_host (SUSP_URI_NTLD) vip | |
# .pro is kept in its own URI host list (SUSP_URI_NTLD_PRO) rather than in
# SUSP_URI_NTLD, presumably so that it can be scored separately; it has no
# counterpart in the SUSP_NTLD address list visible in this section.
6031 | enlist_uri_host (SUSP_URI_NTLD_PRO) pro | |
# The reuse lines name the rules that consume the lists for mass-check
# purposes; apart from VPS_NO_NTLD their definitions are outside this excerpt.
6032 | reuse __FROM_ADDRLIST_SUSPNTLD | |
6033 | reuse __REPLYTO_ADDRLIST_SUSPNTLD | |
6034 | reuse FROM_SUSPICIOUS_NTLD | |
6035 | reuse GOOGLE_DRIVE_REPLY_BAD_NTLD | |
6036 | reuse VPS_NO_NTLD | |
6037 | endif | |
6038 | endif | |
6039 | ##} if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox | |
6040 | ||
6041 | ##{ if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox | |
6042 | ||
# Requires SpamAssassin 3.4.3 or later and the HashBL plugin. Only the
# priority and the reuse flag of T_GB_HASHBL_BTC are set here; the rule
# itself is defined outside this excerpt. A negative priority schedules the
# rule ahead of default-priority rules, presumably so that its network
# lookup starts early.
6043 | if (version >= 3.004003) | |
6044 | ifplugin Mail::SpamAssassin::Plugin::HashBL | |
6045 | priority T_GB_HASHBL_BTC -100 | |
6046 | reuse T_GB_HASHBL_BTC | |
6047 | endif | |
6048 | endif | |
6049 | ##} if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox | |
6050 | ||
6051 | ##{ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox | |
6052 | ||
# Defines the ReplaceTags tag "lcase_e": an alternation of plain "e" and
# byte sequences that are UTF-8 encodings of look-alike letters (accented
# Latin, Greek and Cyrillic forms). replace_rules applies the tag expansion
# to sub-rule __E_LIKE_LETTER, which is defined outside this excerpt.
# The alternatives are raw bytes, so they only match if the rule is run
# against undecoded UTF-8 text - confirm for the rule type in use.
# NOTE(review): in the last class, \x07 is a control character, not a UTF-8
# continuation byte (0x80-0xBF), so "\xd3\x07" cannot occur in valid UTF-8;
# this may be a typo for another byte - confirm at the rule source.
6053 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
6054 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
6055 | replace_tag lcase_e (?:e|\xc3[\xa8\xa9\xaa\xab]|\xc4[\x93\x95\x97\x99\x9b]|\xc8[\x85\x87\x80]|\xcf\xb5|\xd0\xb5|\xd1[\x90\x91\x94\xb3]|\xd2[\xbc\xbd\xbe\xbf]|\xd3[\x07\xa9\xab]) | |
6056 | replace_rules __E_LIKE_LETTER | |
6057 | endif | |
6058 | endif | |
6059 | ##} if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox | |
6060 | ||
6061 | ##{ ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox | |
6062 | ||
# Requires the AskDNS plugin. Each __DKIMWL_* rule looks up
# <DKIM signing domain>.lookup.dkimwl.org for A records and hits on a
# pattern in the answer: the third octet selects FREEMAIL (3) or BULKMAIL
# (2), the fourth octet selects the level (5, 4, 3, 0), and 127.255.255.255
# is matched separately as "blocked". The meaning of each code is inferred
# from the rule names; confirm against the list's documentation.
# The query is keyed on the DKIM signing domain, so these results are only
# as trustworthy as the signature check that supplied that domain - confirm
# that the scored DKIMWL_* rules (defined outside this excerpt) require a
# valid signature.
# Each scanned message discloses its signing domain to the list operator.
6063 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
6064 | askdns __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/ | |
6065 | reuse __DKIMWL_FREEMAIL | |
6066 | askdns __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/ | |
6067 | reuse __DKIMWL_BULKMAIL | |
6068 | askdns __DKIMWL_WL_HI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/ | |
6069 | reuse __DKIMWL_WL_HI | |
6070 | askdns __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/ | |
6071 | reuse __DKIMWL_WL_MEDHI | |
6072 | askdns __DKIMWL_WL_MED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/ | |
6073 | reuse __DKIMWL_WL_MED | |
6074 | askdns __DKIMWL_WL_BL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/ | |
6075 | reuse __DKIMWL_WL_BL | |
# NOTE(review): 127.255.255.255 also satisfies none of the level patterns
# above except by its own rule, but it does satisfy neither the FREEMAIL nor
# the BULKMAIL octet test; check that rules built on __DKIMWL_WL_* exclude
# __DKIMWL_BLOCKED where a "blocked" answer could otherwise be misread.
6076 | askdns __DKIMWL_BLOCKED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/ | |
6077 | reuse __DKIMWL_BLOCKED | |
6078 | reuse DKIMWL_WL_HIGH | |
6079 | reuse DKIMWL_WL_MEDHI | |
6080 | reuse DKIMWL_WL_MED | |
6081 | reuse DKIMWL_BL | |
6082 | reuse DKIMWL_BLOCKED | |
# __HELO_DNS: hits when the HELO name given by the last external relay has
# at least one A record (the /./ filter accepts any non-empty answer).
6083 | askdns __HELO_DNS _LASTEXTERNALHELO_ A /./ | |
6084 | endif | |
6085 | ##} ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox | |
6086 | ||
6087 | ##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox | |
6088 | ||
| # Marks RCVD_IN_PSBL for reuse when DNSEval is loaded; the rule's own DNSBL | |
| # definition and score are outside this section. | |
6089 | ifplugin Mail::SpamAssassin::Plugin::DNSEval # { | |
6090 | reuse RCVD_IN_PSBL | |
6091 | endif | |
6092 | ##} ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox | |
6093 | ||
6094 | ##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox | |
6095 | ||
| # Marks the 27 RCVD_IN_IADB_* rules for reuse when DNSEval is loaded. | |
| # Nothing is defined or scored here: the lookups, their answer codes and their | |
| # scores are in the rule definitions outside this section. | |
6096 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
6097 | reuse RCVD_IN_IADB_LISTED | |
6098 | reuse RCVD_IN_IADB_EDDB | |
6099 | reuse RCVD_IN_IADB_EPIA | |
6100 | reuse RCVD_IN_IADB_SPF | |
6101 | reuse RCVD_IN_IADB_SENDERID | |
6102 | reuse RCVD_IN_IADB_DK | |
6103 | reuse RCVD_IN_IADB_RDNS | |
6104 | reuse RCVD_IN_IADB_GOODMAIL | |
6105 | reuse RCVD_IN_IADB_NOCONTROL | |
6106 | reuse RCVD_IN_IADB_OPTOUTONLY | |
6107 | reuse RCVD_IN_IADB_UNVERIFIED_1 | |
6108 | reuse RCVD_IN_IADB_UNVERIFIED_2 | |
6109 | reuse RCVD_IN_IADB_LOOSE | |
6110 | reuse RCVD_IN_IADB_OPTIN_LT50 | |
6111 | reuse RCVD_IN_IADB_OPTIN_GT50 | |
6112 | reuse RCVD_IN_IADB_OPTIN | |
6113 | reuse RCVD_IN_IADB_DOPTIN_LT50 | |
6114 | reuse RCVD_IN_IADB_DOPTIN_GT50 | |
6115 | reuse RCVD_IN_IADB_DOPTIN | |
6116 | reuse RCVD_IN_IADB_ML_DOPTIN | |
6117 | reuse RCVD_IN_IADB_OOO | |
6118 | reuse RCVD_IN_IADB_MI_CPEAR | |
6119 | reuse RCVD_IN_IADB_UT_CPEAR | |
6120 | reuse RCVD_IN_IADB_MI_CPR_30 | |
6121 | reuse RCVD_IN_IADB_UT_CPR_30 | |
6122 | reuse RCVD_IN_IADB_MI_CPR_MAT | |
6123 | reuse RCVD_IN_IADB_UT_CPR_MAT | |
6124 | endif | |
6125 | ##} ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox | |
6126 | ||
6127 | ##{ ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox | |
6128 | ||
| # Settings for the FromNameSpoof plugin (display name in From: that carries | |
| # a different address than the real sender address). | |
6129 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
| # DKIM signing domains for which the check is skipped. | |
6130 | fns_ignore_dkim linkedin.com googlegroups.com yahoogroups.com yahoogroups.de | |
| # NOTE(review): the check is skipped whenever this header is present. List-Id is | |
| # set by the sender and is not authenticated, so this exemption is broad; review | |
| # it against your own mail flow. | |
6131 | fns_ignore_headers List-Id | |
| # Comparison mode; per the plugin documentation 1 should compare by domain | |
| # only - confirm against the installed plugin version. | |
6132 | fns_check 1 | |
6133 | reuse __PLUGIN_FROMNAME_SPOOF | |
6134 | reuse __PLUGIN_FROMNAME_EQUALS_TO | |
6135 | endif | |
6136 | ##} ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox | |
6137 | ||
6138 | ##{ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox | |
6139 | ||
| # Everything up to the matching endif applies only when ReplaceTags is loaded. | |
| # replace_rules names the rules whose regexes contain <TAG> placeholders for | |
| # the plugin to expand. The rule bodies are defined outside this section, so | |
| # what each FUZZY rule matches cannot be read from these lines. | |
6140 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
6141 | replace_rules T_FUZZY_SPRM | |
6142 | replace_rules FUZZY_MERIDIA | |
6143 | replace_rules TVD_FUZZY_PHARMACEUTICAL | |
6144 | replace_rules TVD_FUZZY_SYMBOL | |
6145 | replace_rules T_TVD_FUZZY_SECURITIES | |
6146 | replace_rules TVD_FUZZY_FINANCE | |
6147 | replace_rules TVD_FUZZY_FIXED_RATE | |
6148 | replace_rules TVD_FUZZY_MICROCAP | |
6149 | replace_rules T_TVD_FUZZY_SECTOR | |
6150 | replace_rules TVD_FUZZY_DEGREE | |
6151 | replace_rules __COPY_PASTE_EN | |
| # Regex fragments for "fill in this form" requests for personal data: | |
| # list markers (FF_LNNO), a possessive lead-in (FF_YOUR), blanks to fill | |
| # (FF_BLANK1/2), then field labels - address (FF_A1/A2), name (FF_N1), | |
| # phone (FF_P1), personal details (FF_M1), job and loan (FF_L1), bank | |
| # account (FF_F1), identity documents (FF_F2), passwords and login names | |
| # (FF_F3/F4), reference numbers (FF_F5). FF_ALL is the union of the labels. | |
| # NOTE(review): single bytes such as \xe4, \xe7, \xb0 and \xf3 are Latin-1 | |
| # values, while FF_BLANK1/2 spell the ellipsis as the UTF-8 sequence | |
| # \xe2\x80\xa6. Which of these can match depends on how the body is decoded | |
| # before rule evaluation, which is not visible here. | |
6152 | replace_tag FF_LNNO (?:(?:\d{1,3}(?:[)}\]:.,]{1,80}|(?:st|nd|rd|th)[)}\]:.,]{0,3})|\W?\([\div]{1,5}\)|\W?\{\d{1,3}\}|\[\d{1,3}\]|\*{1,5}|\#{1,5}|\(?[A-K][)}\]:.,]{1,3})\s?) | |
6153 | replace_tag FF_YOUR (?:a?\s?copy\sof\s)?(?:(?:your|din|seu|twoje)[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full(?:st[\xe4]ndigt)?\s?|complete\s|direct\s|private?\s|valid\s|personal\s|nuvarande\s|vollst[\xe4]ndige\s|aktuelle\s|pe\s(?:ne\s)?){0,3} | |
6154 | replace_tag ANDOR (?:\s?[\/&+,]\s?|\sor\s|\sand?\s) | |
6155 | replace_tag NUMBER (?:(?:ruf)?num(?:[bm]er)?\(?s?\)?|nos?\.|no\b|n[\xb0]|\#s?|nbrs?\.?) | |
6156 | replace_tag FF_SUFFIX (?:\sin\s(?:full|words)|\scompleto)?:?(?:\s?[({][^)}]{1,30}[)}])? | |
6157 | replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){3,100})) | |
6158 | replace_tag FF_BLANK2 (?:[^-=_.,:;*\w]{0,3}(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){1,100}) | |
6159 | replace_tag FF_A1 (?:(?:countr?y|city|province|ter+itory|(?:zip|post(?:al)?)(?:\s?code)?|st?ates?|ad+res+e?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))? | |
6160 | replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail|bostads|wohn)<ANDOR>?){0,3}\s?(?:ad+res+[es]{0,2}|location|endere[\xe7]o)(?:\sline)?(?:\s[0-9])? | |
6161 | replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|user|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:<ANDOR>ad+res+)? | |
6162 | replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one?)?|(?:ph|f)one|private)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s?<NUMBER>)?<ANDOR>?){1,3} | |
6163 | replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|(?:user )?email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)<ANDOR>?){1,3} | |
| # NOTE(review): "work(?:ing)" has no "?", so this alternative matches | |
| # "working experience" but not "work experience"; "need(ed)?" is the only | |
| # capturing group among these tags. Both look unintended - confirm upstream. | |
| # "zaw(?:=F3|[\xf3])d" accepts the quoted-printable residue "=F3" as well as | |
| # the raw byte. | |
6164 | replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?s?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf|zaw(?:=F3|[\xf3])d) | |
6165 | replace_tag FF_F1 (?:(?:bank(?:ing)?|beneficiary|billing|acc(?:oun)?t|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|institution|a\/c|<NUMBER>)<ANDOR>?){1,3} | |
6166 | replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(?:en[sc]e)?|pas+\s?port|id\scard|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?)<ANDOR>?){1,3}(?:\s<NUMBER>)? | |
| # NOTE(review): "zdj\scie" has a whitespace class where a non-ASCII letter | |
| # was probably lost (FF_L1 spells its accented letter out as bytes) - verify. | |
6167 | replace_tag FF_F3 (?:picture|zdj\scie|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|(?:e-?mail\s)?pas+word|e-?mai?l\sid|amount\s[\w\s]{0,30}lost[\w\s]{0,15}) | |
6168 | replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names? | |
6169 | replace_tag FF_F5 (?:ref(?:erence)?|batch|win+ing|award|billet)[-\s]?<NUMBER> | |
6170 | replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>|<FF_L1>) | |
| # Rules that get the tags above expanded; their bodies are outside this section. | |
6171 | replace_rules __FILL_THIS_FORM_LONG1 | |
6172 | replace_rules __FILL_THIS_FORM_LONG2 | |
6173 | replace_rules __FILL_THIS_FORM_PARTIAL | |
6174 | replace_rules __FILL_THIS_FORM_PARTIAL_RAW | |
6175 | replace_rules __FILL_THIS_FORM_SHORT1 | |
6176 | replace_rules __FILL_THIS_FORM_SHORT2 | |
6177 | replace_rules __FILL_THIS_FORM_LOAN1 | |
6178 | replace_rules __FILL_THIS_FORM_FRAUD_PHISH1 | |
| # Tags for money amounts and percentages, used by the __LOTSA_MONEY_* and | |
| # __PCT_* rules (bodies outside this section). | |
| # CURRENCY: currency words and symbols, optionally bracketed. "=[Aa][34]" | |
| # sits next to \xa3 and \xa4 and appears to be the quoted-printable form of | |
| # those two bytes left undecoded - TODO confirm. | |
6179 | replace_tag CURRENCY (?:[\(\[]?(?:\bU[Ss][D\$]{0,2}|\$(?:US)?|usd|USD|CAD|GBP|=[Aa][34]|\xa3|&\#16[34];|(?i:pounds\ssterling)|\xa4|EUR(?:OS?)?|(?:d')?[Ee]uro?s?|(?i:eur)\sde|CHF|FCFA|d[\xf3]lares\sde\slos\sE+\.\s?U+\.)[\]\)]?) | |
6180 | replace_tag GB_UK \b(?:U\.?K\.?|(?:Great\s)?Brit(?:ain|ish)|G\.?B\.?)\b | |
| # NUM_NOT_DATE: a digit 1-9 that does not begin a dotted date (4-digit year | |
| # first, or 4-digit year last). NUM_NOT_DATE_IP also rejects a digit that | |
| # begins a dotted quad whose later octets are 0 or start with 1 or 2. | |
6181 | replace_tag NUM_NOT_DATE [1-9](?!\d\d\d\.\d\d\.\d\d\s)(?!\d?\.\d\d?\.\d\d\d\d\s) | |
6182 | replace_tag NUM_NOT_DATE_IP <NUM_NOT_DATE>(?!\d{0,2}(?:\.0|\.[1-2]\d{0,2}){3}(?:\D|$)) | |
6183 | replace_rules __LOTSA_MONEY_00 __LOTSA_MONEY_01 __LOTSA_MONEY_02 __LOTSA_MONEY_03 __LOTSA_MONEY_04 | |
| # PERCENT: two digits, "ten", a -teen word or a -ty word (twenty to fifty), | |
| # followed by "%" or "percent". | |
6184 | replace_tag PERCENT \b(?:\d\d|ten|[a-z]+teen|(?:twen|thir|fou?r|fif)ty(?:-?[a-z]+)?)\s?(?:%|percent) | |
6185 | replace_rules __PCT_FOR_YOU_1 __PCT_FOR_YOU_2 __PCT_FOR_YOU_3 __PCT_OF_PMTS | |
| # More rules handed to ReplaceTags for tag expansion. Going by the names only | |
| # (the rule bodies are outside this section), they cover obfuscated spellings | |
| # of brand names and of common phishing and extortion wording - verify against | |
| # the rule definitions before relying on that reading. | |
6186 | replace_rules T_FUZZY_OPTOUT | |
6187 | replace_rules __FRT_PRICE | |
6188 | replace_rules FUZZY_UNSUBSCRIBE | |
6189 | replace_rules FUZZY_ANDROID | |
6190 | replace_rules FUZZY_PROMOTION | |
6191 | replace_rules FUZZY_PRIVACY | |
6192 | replace_rules FUZZY_BROWSER | |
6193 | replace_rules FUZZY_SAVINGS | |
6194 | replace_rules FUZZY_IMPORTANT | |
6195 | replace_rules FUZZY_SECURITY | |
6196 | replace_rules __FUZZY_DR_OZ | |
6197 | replace_rules FUZZY_CLICK_HERE | |
6198 | replace_rules FUZZY_BITCOIN | |
6199 | replace_rules __BITCOIN | |
6200 | replace_rules FUZZY_WALLET | |
6201 | replace_rules __FUZZY_MONERO | |
6202 | replace_rules __FUZZY_WELLSFARGO_BODY | |
6203 | replace_rules __FUZZY_WELLSFARGO_FROM | |
6204 | replace_rules __FUZZY_PORN | |
6205 | replace_rules FUZZY_AMAZON | |
6206 | replace_rules FUZZY_APPLE | |
6207 | replace_rules FUZZY_MICROSOFT | |
6208 | replace_rules FUZZY_FACEBOOK | |
6209 | replace_rules FUZZY_PAYPAL | |
6210 | replace_rules FUZZY_NORTON | |
6211 | replace_rules FUZZY_OVERSTOCK | |
6212 | replace_rules __MY_VICTIM | |
6213 | replace_rules __MY_MALWARE | |
6214 | replace_rules __PAY_ME | |
6215 | replace_rules __YOUR_PASSWORD | |
6216 | replace_rules __YOUR_WEBCAM | |
6217 | replace_rules __YOUR_ONAN | |
6218 | replace_rules __YOUR_PERSONAL | |
6219 | replace_rules __HOURS_DEADLINE | |
6220 | replace_rules __EXPLOSIVE_DEVICE | |
6221 | replace_rules T_LFUZ_PWRMALE | |
6222 | replace_rules __PDS_BTC_HACKER __PDS_BTC_PIRATE | |
| # These four are only marked for reuse here; they are not passed to | |
| # replace_rules in this section. | |
6223 | reuse T_PDS_BTC_AHACKER | |
6224 | reuse T_PDS_BTC_HACKER | |
6225 | reuse T_PDS_LTC_AHACKER | |
6226 | reuse T_PDS_LTC_HACKER | |
6227 | endif | |
6228 | ##} ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox | |
6229 | ||
6230 | ##{ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox | |
6231 | ||
| # Marks URIBL_RHS_DOB for reuse when URIDNSBL is loaded; the rule's lookup | |
| # zone and score are defined outside this section. | |
6232 | ifplugin Mail::SpamAssassin::Plugin::URIDNSBL | |
6233 | reuse URIBL_RHS_DOB | |
6234 | endif | |
6235 | ##} ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox | |
6236 | ||
6237 | ##{ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox | |
6238 | ||
6239 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
6240 | if (version >= 3.004000) | |
6241 | enlist_uri_host (PDS_CASHSHORTENER) cutpaid.com | |
6242 | enlist_uri_host (PDS_CASHSHORTENER) caat.site | |
6243 | enlist_uri_host (PDS_CASHSHORTENER) triabicia.com | |
6244 | enlist_uri_host (PDS_CASHSHORTENER) 2xs.io | |
6245 | enlist_uri_host (PDS_CASHSHORTENER) ocest.site | |
6246 | enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz | |
6247 | enlist_uri_host (PDS_CASHSHORTENER) waar.site | |
6248 | enlist_uri_host (PDS_CASHSHORTENER) cpmlink.net | |
6249 | enlist_uri_host (PDS_CASHSHORTENER) cowner.net | |
6250 | enlist_uri_host (PDS_CASHSHORTENER) adfoc.us | |
6251 | enlist_uri_host (PDS_CASHSHORTENER) shrinkhere.xyz | |
6252 | enlist_uri_host (PDS_CASHSHORTENER) gurl.pw | |
6253 | enlist_uri_host (PDS_CASHSHORTENER) shortearn.eu | |
6254 | enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz | |
6255 | enlist_uri_host (PDS_CASHSHORTENER) libittarc.com | |
6256 | enlist_uri_host (PDS_CASHSHORTENER) pc.cd | |
6257 | enlist_uri_host (PDS_CASHSHORTENER) fc.lc | |
6258 | enlist_uri_host (PDS_CASHSHORTENER) dares.xyz | |
6259 | enlist_uri_host (PDS_CASHSHORTENER) trendlouds.com | |
6260 | enlist_uri_host (PDS_CASHSHORTENER) yogaf.xyz | |
6261 | enlist_uri_host (PDS_CASHSHORTENER) cobs.xyz | |
6262 | enlist_uri_host (PDS_CASHSHORTENER) olnew.xyz | |
6263 | enlist_uri_host (PDS_CASHSHORTENER) cleft.xyz | |
6264 | enlist_uri_host (PDS_CASHSHORTENER) 7r6.com | |
6265 | enlist_uri_host (PDS_CASHSHORTENER) mitly.us | |
6266 | enlist_uri_host (PDS_CASHSHORTENER) kutpay.com | |
6267 | enlist_uri_host (PDS_CASHSHORTENER) gsurl.me | |
6268 | enlist_uri_host (PDS_CASHSHORTENER) gurl.ly | |
6269 | enlist_uri_host (PDS_CASHSHORTENER) gsurl.in | |
6270 | enlist_uri_host (PDS_CASHSHORTENER) acitoate.com | |
6271 | enlist_uri_host (PDS_CASHSHORTENER) aclabink.com | |
6272 | enlist_uri_host (PDS_CASHSHORTENER) activeation.com | |
6273 | enlist_uri_host (PDS_CASHSHORTENER) activeterium.com | |
6274 | enlist_uri_host (PDS_CASHSHORTENER) adflyforum.com | |
6275 | enlist_uri_host (PDS_CASHSHORTENER) adflymail.com | |
6276 | enlist_uri_host (PDS_CASHSHORTENER) adult.xyz | |
6277 | enlist_uri_host (PDS_CASHSHORTENER) agileurbia.com | |
6278 | enlist_uri_host (PDS_CASHSHORTENER) atomcurve.com | |
6279 | enlist_uri_host (PDS_CASHSHORTENER) ay.gy | |
6280 | enlist_uri_host (PDS_CASHSHORTENER) battleate.com | |
6281 | enlist_uri_host (PDS_CASHSHORTENER) biastonu.com | |
6282 | enlist_uri_host (PDS_CASHSHORTENER) bitigee.com | |
6283 | enlist_uri_host (PDS_CASHSHORTENER) briskrange.com | |
6284 | enlist_uri_host (PDS_CASHSHORTENER) brisktopia.com | |
6285 | enlist_uri_host (PDS_CASHSHORTENER) casualient.com | |
6286 | enlist_uri_host (PDS_CASHSHORTENER) clesolea.com | |
6287 | enlist_uri_host (PDS_CASHSHORTENER) code404.biz | |
6288 | enlist_uri_host (PDS_CASHSHORTENER) coginator.com | |
6289 | enlist_uri_host (PDS_CASHSHORTENER) cogismith.com | |
6290 | enlist_uri_host (PDS_CASHSHORTENER) covelign.com | |
6291 | enlist_uri_host (PDS_CASHSHORTENER) crefranek.com | |
6292 | enlist_uri_host (PDS_CASHSHORTENER) dashsphere.com | |
6293 | enlist_uri_host (PDS_CASHSHORTENER) dataurbia.com | |
6294 | enlist_uri_host (PDS_CASHSHORTENER) deciomm.com | |
6295 | enlist_uri_host (PDS_CASHSHORTENER) ducolomal.com | |
6296 | enlist_uri_host (PDS_CASHSHORTENER) east-jones.com | |
6297 | enlist_uri_host (PDS_CASHSHORTENER) ecleneue.com | |
6298 | enlist_uri_host (PDS_CASHSHORTENER) ellevolaw.com | |
6299 | enlist_uri_host (PDS_CASHSHORTENER) endroudo.com | |
6300 | enlist_uri_host (PDS_CASHSHORTENER) eunsetee.com | |
6301 | enlist_uri_host (PDS_CASHSHORTENER) fainbory.com | |
6302 | enlist_uri_host (PDS_CASHSHORTENER) fasttory.com | |
6303 | enlist_uri_host (PDS_CASHSHORTENER) fawright.com | |
6304 | enlist_uri_host (PDS_CASHSHORTENER) flyserve.co | |
6305 | enlist_uri_host (PDS_CASHSHORTENER) greponozy.com | |
6306 | enlist_uri_host (PDS_CASHSHORTENER) homoluath.com | |
6307 | enlist_uri_host (PDS_CASHSHORTENER) hopigrarn.com | |
6308 | enlist_uri_host (PDS_CASHSHORTENER) infopade.com | |
6309 | enlist_uri_host (PDS_CASHSHORTENER) j.gs | |
6310 | enlist_uri_host (PDS_CASHSHORTENER) kaitect.com | |
6311 | enlist_uri_host (PDS_CASHSHORTENER) kializer.com | |
6312 | enlist_uri_host (PDS_CASHSHORTENER) kibuilder.com | |
6313 | enlist_uri_host (PDS_CASHSHORTENER) kimechanic.com | |
6314 | enlist_uri_host (PDS_CASHSHORTENER) kudoflow.com | |
6315 | enlist_uri_host (PDS_CASHSHORTENER) legeerook.com | |
6316 | enlist_uri_host (PDS_CASHSHORTENER) libittarc.com | |
6317 | enlist_uri_host (PDS_CASHSHORTENER) linkjaunt.com | |
6318 | enlist_uri_host (PDS_CASHSHORTENER) locinealy.com | |
6319 | enlist_uri_host (PDS_CASHSHORTENER) maetrimal.com | |
6320 | enlist_uri_host (PDS_CASHSHORTENER) metastead.com | |
6321 | enlist_uri_host (PDS_CASHSHORTENER) mmoity.com | |
6322 | enlist_uri_host (PDS_CASHSHORTENER) mondoagram.com | |
6323 | enlist_uri_host (PDS_CASHSHORTENER) neswery.com | |
6324 | enlist_uri_host (PDS_CASHSHORTENER) nimbleinity.com | |
6325 | enlist_uri_host (PDS_CASHSHORTENER) onisedeo.com | |
6326 | enlist_uri_host (PDS_CASHSHORTENER) optitopt.com | |
6327 | enlist_uri_host (PDS_CASHSHORTENER) picocurl.com | |
6328 | enlist_uri_host (PDS_CASHSHORTENER) pladollmo.com | |
6329 | enlist_uri_host (PDS_CASHSHORTENER) preofery.com | |
6330 | enlist_uri_host (PDS_CASHSHORTENER) prereheus.com | |
6331 | enlist_uri_host (PDS_CASHSHORTENER) q.gs | |
6332 | enlist_uri_host (PDS_CASHSHORTENER) quainator.com | |
6333 | enlist_uri_host (PDS_CASHSHORTENER) quamiller.com | |
6334 | enlist_uri_host (PDS_CASHSHORTENER) queuecosm.bid | |
6335 | enlist_uri_host (PDS_CASHSHORTENER) raboninco.com | |
6336 | enlist_uri_host (PDS_CASHSHORTENER) rapidteria.com | |
6337 | enlist_uri_host (PDS_CASHSHORTENER) rapidtory.com | |
6338 | enlist_uri_host (PDS_CASHSHORTENER) sapolatsu.com | |
6339 | enlist_uri_host (PDS_CASHSHORTENER) scapognel.com | |
6340 | enlist_uri_host (PDS_CASHSHORTENER) simizer.com | |
6341 | enlist_uri_host (PDS_CASHSHORTENER) skamaker.com | |
6342 | enlist_uri_host (PDS_CASHSHORTENER) skamason.com | |
6343 | enlist_uri_host (PDS_CASHSHORTENER) sluppend.com | |
6344 | enlist_uri_host (PDS_CASHSHORTENER) sprysphere.com | |
6345 | enlist_uri_host (PDS_CASHSHORTENER) streamvoyage.com | |
6346 | enlist_uri_host (PDS_CASHSHORTENER) swarife.com | |
6347 | enlist_uri_host (PDS_CASHSHORTENER) swiftation.com | |
6348 | enlist_uri_host (PDS_CASHSHORTENER) swifttopia.com | |
6349 | enlist_uri_host (PDS_CASHSHORTENER) techigo.com | |
6350 | enlist_uri_host (PDS_CASHSHORTENER) threadsphere.bid | |
6351 | enlist_uri_host (PDS_CASHSHORTENER) tinyical.com | |
6352 | enlist_uri_host (PDS_CASHSHORTENER) tonancos.com | |
6353 | enlist_uri_host (PDS_CASHSHORTENER) triabicia.com | |
6354 | enlist_uri_host (PDS_CASHSHORTENER) turboagram.com | |
6355 | enlist_uri_host (PDS_CASHSHORTENER) twineer.com | |
6356 | enlist_uri_host (PDS_CASHSHORTENER) twiriock.com | |
6357 | enlist_uri_host (PDS_CASHSHORTENER) userlab66.com | |
6358 | enlist_uri_host (PDS_CASHSHORTENER) vaugette.com | |
6359 | enlist_uri_host (PDS_CASHSHORTENER) velocicosm.com | |
6360 | enlist_uri_host (PDS_CASHSHORTENER) velociterium.com | |
6361 | enlist_uri_host (PDS_CASHSHORTENER) viahold.com | |
6362 | enlist_uri_host (PDS_CASHSHORTENER) vializer.com | |
6363 | enlist_uri_host (PDS_CASHSHORTENER) viwright.com | |
6364 | enlist_uri_host (PDS_CASHSHORTENER) whareotiv.com | |
6365 | enlist_uri_host (PDS_CASHSHORTENER) wirecellar.com | |
6366 | enlist_uri_host (PDS_CASHSHORTENER) x19.biz | |
6367 | enlist_uri_host (PDS_CASHSHORTENER) x19network.com | |
6368 | enlist_uri_host (PDS_CASHSHORTENER) yabuilder.com | |
6369 | enlist_uri_host (PDS_CASHSHORTENER) yamechanic.com | |
6370 | enlist_uri_host (PDS_CASHSHORTENER) yoalizer.com | |
6371 | enlist_uri_host (PDS_CASHSHORTENER) yobuilder.com | |
6372 | enlist_uri_host (PDS_CASHSHORTENER) yoineer.com | |
6373 | enlist_uri_host (PDS_CASHSHORTENER) yoitect.com | |
6374 | enlist_uri_host (PDS_CASHSHORTENER) zipansion.com | |
6375 | enlist_uri_host (PDS_CASHSHORTENER) zipteria.com | |
6376 | enlist_uri_host (PDS_CASHSHORTENER) zipvale.com | |
6377 | enlist_uri_host (PDS_URISHORTENER) owl.li | |
6378 | enlist_uri_host (PDS_URISHORTENER) formspring.me | |
6379 | enlist_uri_host (PDS_URISHORTENER) cc.uz | |
6380 | enlist_uri_host (PDS_URISHORTENER) back.ly | |
6381 | enlist_uri_host (PDS_URISHORTENER) surl.me | |
6382 | enlist_uri_host (PDS_URISHORTENER) mysp.ac | |
6383 | enlist_uri_host (PDS_URISHORTENER) s.apache.org | |
6384 | enlist_uri_host (PDS_URISHORTENER) 0rz.tw | |
6385 | enlist_uri_host (PDS_URISHORTENER) 1l2.us | |
6386 | enlist_uri_host (PDS_URISHORTENER) 1link.in | |
6387 | enlist_uri_host (PDS_URISHORTENER) 1u.ro | |
6388 | enlist_uri_host (PDS_URISHORTENER) 1url.com | |
6389 | enlist_uri_host (PDS_URISHORTENER) 2.gp | |
6390 | enlist_uri_host (PDS_URISHORTENER) 2.ly | |
6391 | enlist_uri_host (PDS_URISHORTENER) 2big.at | |
6392 | enlist_uri_host (PDS_URISHORTENER) 2chap.it | |
6393 | enlist_uri_host (PDS_URISHORTENER) 2pl.us | |
6394 | enlist_uri_host (PDS_URISHORTENER) 2su.de | |
6395 | enlist_uri_host (PDS_URISHORTENER) 2tu.us | |
6396 | enlist_uri_host (PDS_URISHORTENER) 2ze.us | |
6397 | enlist_uri_host (PDS_URISHORTENER) 3.ly | |
6398 | enlist_uri_host (PDS_URISHORTENER) 301.to | |
6399 | enlist_uri_host (PDS_URISHORTENER) 301url.com | |
6400 | enlist_uri_host (PDS_URISHORTENER) 307.to | |
6401 | enlist_uri_host (PDS_URISHORTENER) 4ms.me | |
6402 | enlist_uri_host (PDS_URISHORTENER) 4sq.com | |
6403 | enlist_uri_host (PDS_URISHORTENER) 4url.cc | |
6404 | enlist_uri_host (PDS_URISHORTENER) 6url.com | |
6405 | enlist_uri_host (PDS_URISHORTENER) 7.ly | |
6406 | enlist_uri_host (PDS_URISHORTENER) 9mp.com | |
6407 | enlist_uri_host (PDS_URISHORTENER) a.gd | |
6408 | enlist_uri_host (PDS_URISHORTENER) a.gg | |
6409 | enlist_uri_host (PDS_URISHORTENER) a.nf | |
6410 | enlist_uri_host (PDS_URISHORTENER) a2a.me | |
6411 | enlist_uri_host (PDS_URISHORTENER) a2n.eu | |
6412 | enlist_uri_host (PDS_URISHORTENER) aa.cx | |
6413 | enlist_uri_host (PDS_URISHORTENER) abbr.com | |
6414 | enlist_uri_host (PDS_URISHORTENER) abcurl.net | |
6415 | enlist_uri_host (PDS_URISHORTENER) abe5.com | |
6416 | enlist_uri_host (PDS_URISHORTENER) access.im | |
6417 | enlist_uri_host (PDS_URISHORTENER) ad.vu | |
6418 | enlist_uri_host (PDS_URISHORTENER) adf.ly | |
6419 | enlist_uri_host (PDS_URISHORTENER) adjix.com | |
6420 | enlist_uri_host (PDS_URISHORTENER) afx.cc | |
6421 | enlist_uri_host (PDS_URISHORTENER) all.fuseurl.com | |
6422 | enlist_uri_host (PDS_URISHORTENER) alturl.com | |
6423 | enlist_uri_host (PDS_URISHORTENER) amzn.com | |
6424 | enlist_uri_host (PDS_URISHORTENER) amzn.to | |
6425 | enlist_uri_host (PDS_URISHORTENER) ar.gy | |
6426 | enlist_uri_host (PDS_URISHORTENER) arm.in | |
6427 | enlist_uri_host (PDS_URISHORTENER) arst.ch | |
6428 | enlist_uri_host (PDS_URISHORTENER) asso.in | |
6429 | enlist_uri_host (PDS_URISHORTENER) atu.ca | |
6430 | enlist_uri_host (PDS_URISHORTENER) aurls.info | |
6431 | enlist_uri_host (PDS_URISHORTENER) awe.sm | |
6432 | enlist_uri_host (PDS_URISHORTENER) ayl.lv | |
6433 | enlist_uri_host (PDS_URISHORTENER) azc.cc | |
6434 | enlist_uri_host (PDS_URISHORTENER) azqq.com | |
6435 | enlist_uri_host (PDS_URISHORTENER) b23.ru | |
6436 | enlist_uri_host (PDS_URISHORTENER) b2l.me | |
6437 | enlist_uri_host (PDS_URISHORTENER) b65.com | |
6438 | enlist_uri_host (PDS_URISHORTENER) b65.us | |
6439 | enlist_uri_host (PDS_URISHORTENER) bacn.me | |
6440 | enlist_uri_host (PDS_URISHORTENER) bcool.bz | |
6441 | enlist_uri_host (PDS_URISHORTENER) beam.to | |
6442 | enlist_uri_host (PDS_URISHORTENER) bgl.me | |
6443 | enlist_uri_host (PDS_URISHORTENER) binged.it | |
6444 | enlist_uri_host (PDS_URISHORTENER) bit.do | |
6445 | enlist_uri_host (PDS_URISHORTENER) bit.ly | |
6446 | enlist_uri_host (PDS_URISHORTENER) bitly.com | |
6447 | enlist_uri_host (PDS_URISHORTENER) bizj.us | |
6448 | enlist_uri_host (PDS_URISHORTENER) bkite.com | |
6449 | enlist_uri_host (PDS_URISHORTENER) blippr.com | |
6450 | enlist_uri_host (PDS_URISHORTENER) bloat.me | |
6451 | enlist_uri_host (PDS_URISHORTENER) blu.cc | |
6452 | enlist_uri_host (PDS_URISHORTENER) bon.no | |
6453 | enlist_uri_host (PDS_URISHORTENER) bravo.ly | |
6454 | enlist_uri_host (PDS_URISHORTENER) bsa.ly | |
6455 | enlist_uri_host (PDS_URISHORTENER) bt.io | |
6456 | enlist_uri_host (PDS_URISHORTENER) budurl.com | |
6457 | enlist_uri_host (PDS_URISHORTENER) buff.ly | |
6458 | enlist_uri_host (PDS_URISHORTENER) buk.me | |
6459 | enlist_uri_host (PDS_URISHORTENER) burnurl.com | |
6460 | enlist_uri_host (PDS_URISHORTENER) c-o.in | |
6461 | enlist_uri_host (PDS_URISHORTENER) c.shamekh.ws | |
6462 | enlist_uri_host (PDS_URISHORTENER) canurl.com | |
6463 | enlist_uri_host (PDS_URISHORTENER) cd4.me | |
6464 | enlist_uri_host (PDS_URISHORTENER) chilp.it | |
6465 | enlist_uri_host (PDS_URISHORTENER) chopd.it | |
6466 | enlist_uri_host (PDS_URISHORTENER) chpt.me | |
6467 | enlist_uri_host (PDS_URISHORTENER) chs.mx | |
6468 | enlist_uri_host (PDS_URISHORTENER) chzb.gr | |
6469 | enlist_uri_host (PDS_URISHORTENER) cl.lk | |
6470 | enlist_uri_host (PDS_URISHORTENER) cl.ly | |
6471 | enlist_uri_host (PDS_URISHORTENER) clck.ru | |
6472 | enlist_uri_host (PDS_URISHORTENER) cli.gs | |
6473 | enlist_uri_host (PDS_URISHORTENER) cliccami.info | |
6474 | enlist_uri_host (PDS_URISHORTENER) clickthru.ca | |
6475 | enlist_uri_host (PDS_URISHORTENER) clipurl.us | |
6476 | enlist_uri_host (PDS_URISHORTENER) clk.my | |
6477 | enlist_uri_host (PDS_URISHORTENER) cloaky.de | |
6478 | enlist_uri_host (PDS_URISHORTENER) clop.in | |
6479 | enlist_uri_host (PDS_URISHORTENER) clp.ly | |
6480 | enlist_uri_host (PDS_URISHORTENER) coge.la | |
6481 | enlist_uri_host (PDS_URISHORTENER) cokeurl.com | |
6482 | enlist_uri_host (PDS_URISHORTENER) conta.cc | |
6483 | enlist_uri_host (PDS_URISHORTENER) cort.as | |
6484 | enlist_uri_host (PDS_URISHORTENER) cot.ag | |
6485 | enlist_uri_host (PDS_URISHORTENER) crks.me | |
6486 | enlist_uri_host (PDS_URISHORTENER) crum.pl | |
6487 | enlist_uri_host (PDS_URISHORTENER) ctvr.us | |
6488 | enlist_uri_host (PDS_URISHORTENER) curio.us | |
6489 | enlist_uri_host (PDS_URISHORTENER) cuthut.com | |
6490 | enlist_uri_host (PDS_URISHORTENER) cutt.us | |
6491 | enlist_uri_host (PDS_URISHORTENER) cuturl.com | |
6492 | enlist_uri_host (PDS_URISHORTENER) cuturls.com | |
6493 | enlist_uri_host (PDS_URISHORTENER) dai.ly | |
6494 | enlist_uri_host (PDS_URISHORTENER) db.tt | |
6495 | enlist_uri_host (PDS_URISHORTENER) dealspl.us | |
6496 | enlist_uri_host (PDS_URISHORTENER) decenturl.com | |
6497 | enlist_uri_host (PDS_URISHORTENER) df9.net | |
6498 | enlist_uri_host (PDS_URISHORTENER) dfl8.me | |
6499 | enlist_uri_host (PDS_URISHORTENER) digbig.com | |
6500 | enlist_uri_host (PDS_URISHORTENER) digg.com | |
6501 | enlist_uri_host (PDS_URISHORTENER) digipills.com | |
6502 | enlist_uri_host (PDS_URISHORTENER) digs.by | |
6503 | enlist_uri_host (PDS_URISHORTENER) disq.us | |
6504 | enlist_uri_host (PDS_URISHORTENER) dld.bz | |
6505 | enlist_uri_host (PDS_URISHORTENER) dlvr.it | |
6506 | enlist_uri_host (PDS_URISHORTENER) dn.vc | |
6507 | enlist_uri_host (PDS_URISHORTENER) do.my | |
6508 | enlist_uri_host (PDS_URISHORTENER) doi.org | |
6509 | enlist_uri_host (PDS_URISHORTENER) doiop.com | |
6510 | enlist_uri_host (PDS_URISHORTENER) dopen.us | |
6511 | enlist_uri_host (PDS_URISHORTENER) dr.tl | |
6512 | enlist_uri_host (PDS_URISHORTENER) drudge.tw | |
6513 | enlist_uri_host (PDS_URISHORTENER) durl.me | |
6514 | enlist_uri_host (PDS_URISHORTENER) durl.us | |
6515 | enlist_uri_host (PDS_URISHORTENER) dvlr.it | |
6516 | enlist_uri_host (PDS_URISHORTENER) dwarfurl.com | |
6517 | enlist_uri_host (PDS_URISHORTENER) easyuri.com | |
6518 | enlist_uri_host (PDS_URISHORTENER) easyurl.net | |
6519 | enlist_uri_host (PDS_URISHORTENER) eca.sh | |
6520 | enlist_uri_host (PDS_URISHORTENER) eclurl.com | |
6521 | enlist_uri_host (PDS_URISHORTENER) eepurl.com | |
6522 | enlist_uri_host (PDS_URISHORTENER) eezurl.com | |
6523 | enlist_uri_host (PDS_URISHORTENER) eweri.com | |
6524 | enlist_uri_host (PDS_URISHORTENER) ewerl.com | |
6525 | enlist_uri_host (PDS_URISHORTENER) ezurl.eu | |
6526 | enlist_uri_host (PDS_URISHORTENER) fa.by | |
6527 | enlist_uri_host (PDS_URISHORTENER) faceto.us | |
6528 | enlist_uri_host (PDS_URISHORTENER) fav.me | |
6529 | enlist_uri_host (PDS_URISHORTENER) fb.me | |
6530 | enlist_uri_host (PDS_URISHORTENER) fbshare.me | |
6531 | enlist_uri_host (PDS_URISHORTENER) ff.im | |
6532 | enlist_uri_host (PDS_URISHORTENER) fff.to | |
6533 | enlist_uri_host (PDS_URISHORTENER) fhurl.com | |
6534 | enlist_uri_host (PDS_URISHORTENER) fire.to | |
6535 | enlist_uri_host (PDS_URISHORTENER) firsturl.de | |
6536 | enlist_uri_host (PDS_URISHORTENER) firsturl.net | |
6537 | enlist_uri_host (PDS_URISHORTENER) flic.kr | |
6538 | enlist_uri_host (PDS_URISHORTENER) flingk.com | |
6539 | enlist_uri_host (PDS_URISHORTENER) flq.us | |
6540 | enlist_uri_host (PDS_URISHORTENER) fly2.ws | |
6541 | enlist_uri_host (PDS_URISHORTENER) fon.gs | |
6542 | enlist_uri_host (PDS_URISHORTENER) foxyurl.com | |
6543 | enlist_uri_host (PDS_URISHORTENER) freak.to | |
6544 | enlist_uri_host (PDS_URISHORTENER) fur.ly | |
6545 | enlist_uri_host (PDS_URISHORTENER) fuseurl.com | |
6546 | enlist_uri_host (PDS_URISHORTENER) fuzzy.to | |
6547 | enlist_uri_host (PDS_URISHORTENER) fwd4.me | |
6548 | enlist_uri_host (PDS_URISHORTENER) fwdurl.net | |
6549 | enlist_uri_host (PDS_URISHORTENER) fwib.net | |
6550 | enlist_uri_host (PDS_URISHORTENER) g.ro.lt | |
6551 | enlist_uri_host (PDS_URISHORTENER) g8l.us | |
6552 | enlist_uri_host (PDS_URISHORTENER) get-shorty.com | |
6553 | enlist_uri_host (PDS_URISHORTENER) get-url.com | |
6554 | enlist_uri_host (PDS_URISHORTENER) get.sh | |
6555 | enlist_uri_host (PDS_URISHORTENER) geturl.us | |
6556 | enlist_uri_host (PDS_URISHORTENER) gg.gg | |
6557 | enlist_uri_host (PDS_URISHORTENER) gi.vc | |
6558 | enlist_uri_host (PDS_URISHORTENER) gizmo.do | |
6559 | enlist_uri_host (PDS_URISHORTENER) gkurl.us | |
6560 | enlist_uri_host (PDS_URISHORTENER) gl.am | |
6561 | enlist_uri_host (PDS_URISHORTENER) go.9nl.com | |
6562 | enlist_uri_host (PDS_URISHORTENER) go.ign.com | |
6563 | enlist_uri_host (PDS_URISHORTENER) go.to | |
6564 | enlist_uri_host (PDS_URISHORTENER) go.usa.gov | |
6565 | enlist_uri_host (PDS_URISHORTENER) go2.me | |
6566 | enlist_uri_host (PDS_URISHORTENER) gog.li | |
6567 | enlist_uri_host (PDS_URISHORTENER) golmao.com | |
6568 | enlist_uri_host (PDS_URISHORTENER) goo.gl | |
6569 | enlist_uri_host (PDS_URISHORTENER) goo.io | |
6570 | enlist_uri_host (PDS_URISHORTENER) good.ly | |
6571 | enlist_uri_host (PDS_URISHORTENER) goshrink.com | |
6572 | enlist_uri_host (PDS_URISHORTENER) gplus.to | |
6573 | enlist_uri_host (PDS_URISHORTENER) gri.ms | |
6574 | enlist_uri_host (PDS_URISHORTENER) gurl.es | |
6575 | enlist_uri_host (PDS_URISHORTENER) hao.jp | |
6576 | enlist_uri_host (PDS_URISHORTENER) hellotxt.com | |
6577 | enlist_uri_host (PDS_URISHORTENER) hex.io | |
6578 | enlist_uri_host (PDS_URISHORTENER) hiderefer.com | |
6579 | enlist_uri_host (PDS_URISHORTENER) hmm.ph | |
6580 | enlist_uri_host (PDS_URISHORTENER) hop.im | |
6581 | enlist_uri_host (PDS_URISHORTENER) hop.kz | |
6582 | enlist_uri_host (PDS_URISHORTENER) hopclicks.com | |
6583 | enlist_uri_host (PDS_URISHORTENER) hotredirect.com | |
6584 | enlist_uri_host (PDS_URISHORTENER) hotshorturl.com | |
6585 | enlist_uri_host (PDS_URISHORTENER) href.in | |
6586 | enlist_uri_host (PDS_URISHORTENER) hsblinks.com | |
6587 | enlist_uri_host (PDS_URISHORTENER) ht.ly | |
6588 | enlist_uri_host (PDS_URISHORTENER) htxt.it | |
6589 | enlist_uri_host (PDS_URISHORTENER) hub.am | |
6590 | enlist_uri_host (PDS_URISHORTENER) huff.to | |
6591 | enlist_uri_host (PDS_URISHORTENER) hugeurl.com | |
6592 | enlist_uri_host (PDS_URISHORTENER) hulu.com | |
6593 | enlist_uri_host (PDS_URISHORTENER) hurl.it | |
6594 | enlist_uri_host (PDS_URISHORTENER) hurl.me | |
6595 | enlist_uri_host (PDS_URISHORTENER) hurl.no | |
6596 | enlist_uri_host (PDS_URISHORTENER) hurl.ws | |
6597 | enlist_uri_host (PDS_URISHORTENER) icanhaz.com | |
6598 | enlist_uri_host (PDS_URISHORTENER) icio.us | |
6599 | enlist_uri_host (PDS_URISHORTENER) idek.net | |
6600 | enlist_uri_host (PDS_URISHORTENER) ikr.me | |
6601 | enlist_uri_host (PDS_URISHORTENER) ilix.in | |
6602 | enlist_uri_host (PDS_URISHORTENER) inx.lv | |
6603 | enlist_uri_host (PDS_URISHORTENER) ir.pe | |
6604 | enlist_uri_host (PDS_URISHORTENER) irt.me | |
6605 | enlist_uri_host (PDS_URISHORTENER) is.gd | |
6606 | enlist_uri_host (PDS_URISHORTENER) iscool.net | |
6607 | enlist_uri_host (PDS_URISHORTENER) it2.in | |
6608 | enlist_uri_host (PDS_URISHORTENER) ito.mx | |
6609 | enlist_uri_host (PDS_URISHORTENER) its.my | |
6610 | enlist_uri_host (PDS_URISHORTENER) itsy.it | |
6611 | enlist_uri_host (PDS_URISHORTENER) ix.lt | |
6612 | enlist_uri_host (PDS_URISHORTENER) j.mp | |
6613 | enlist_uri_host (PDS_URISHORTENER) j2j.de | |
6614 | enlist_uri_host (PDS_URISHORTENER) jdem.cz | |
6615 | enlist_uri_host (PDS_URISHORTENER) jijr.com | |
6616 | enlist_uri_host (PDS_URISHORTENER) just.as | |
6617 | enlist_uri_host (PDS_URISHORTENER) k.vu | |
6618 | enlist_uri_host (PDS_URISHORTENER) k6.kz | |
6619 | enlist_uri_host (PDS_URISHORTENER) ketkp.in | |
6620 | enlist_uri_host (PDS_URISHORTENER) kisa.ch | |
6621 | enlist_uri_host (PDS_URISHORTENER) kissa.be | |
6622 | enlist_uri_host (PDS_URISHORTENER) kl.am | |
6623 | enlist_uri_host (PDS_URISHORTENER) klck.me | |
6624 | enlist_uri_host (PDS_URISHORTENER) kore.us | |
6625 | enlist_uri_host (PDS_URISHORTENER) korta.nu | |
6626 | enlist_uri_host (PDS_URISHORTENER) kots.nu | |
6627 | enlist_uri_host (PDS_URISHORTENER) krunchd.com | |
6628 | enlist_uri_host (PDS_URISHORTENER) krz.ch | |
6629 | enlist_uri_host (PDS_URISHORTENER) ktzr.us | |
6630 | enlist_uri_host (PDS_URISHORTENER) kxk.me | |
6631 | enlist_uri_host (PDS_URISHORTENER) l.hh.de | |
6632 | enlist_uri_host (PDS_URISHORTENER) l.pr | |
6633 | enlist_uri_host (PDS_URISHORTENER) l9k.net | |
6634 | enlist_uri_host (PDS_URISHORTENER) lat.ms | |
6635 | enlist_uri_host (PDS_URISHORTENER) liip.to | |
6636 | enlist_uri_host (PDS_URISHORTENER) liltext.com | |
6637 | enlist_uri_host (PDS_URISHORTENER) lin.cr | |
6638 | enlist_uri_host (PDS_URISHORTENER) lin.io | |
6639 | enlist_uri_host (PDS_URISHORTENER) linkbee.com | |
6640 | enlist_uri_host (PDS_URISHORTENER) linkbun.ch | |
6641 | enlist_uri_host (PDS_URISHORTENER) linkee.com | |
6642 | enlist_uri_host (PDS_URISHORTENER) linkgap.com | |
6643 | enlist_uri_host (PDS_URISHORTENER) linkslice.com | |
6644 | enlist_uri_host (PDS_URISHORTENER) linxfix.de | |
6645 | enlist_uri_host (PDS_URISHORTENER) liteurl.net | |
6646 | enlist_uri_host (PDS_URISHORTENER) liurl.cn | |
6647 | enlist_uri_host (PDS_URISHORTENER) livesi.de | |
6648 | enlist_uri_host (PDS_URISHORTENER) lix.in | |
6649 | enlist_uri_host (PDS_URISHORTENER) lk.ht | |
6650 | enlist_uri_host (PDS_URISHORTENER) ln-s.net | |
6651 | enlist_uri_host (PDS_URISHORTENER) ln-s.ru | |
6652 | enlist_uri_host (PDS_URISHORTENER) lnk.by | |
6653 | enlist_uri_host (PDS_URISHORTENER) lnk.gd | |
6654 | enlist_uri_host (PDS_URISHORTENER) lnk.in | |
6655 | enlist_uri_host (PDS_URISHORTENER) lnk.ly | |
6656 | enlist_uri_host (PDS_URISHORTENER) lnk.ms | |
6657 | enlist_uri_host (PDS_URISHORTENER) lnk.sk | |
6658 | enlist_uri_host (PDS_URISHORTENER) lnkd.in | |
6659 | enlist_uri_host (PDS_URISHORTENER) lnkurl.com | |
6660 | enlist_uri_host (PDS_URISHORTENER) loopt.us | |
6661 | enlist_uri_host (PDS_URISHORTENER) lost.in | |
6662 | enlist_uri_host (PDS_URISHORTENER) lru.jp | |
6663 | enlist_uri_host (PDS_URISHORTENER) lt.tl | |
6664 | enlist_uri_host (PDS_URISHORTENER) lu.to | |
6665 | enlist_uri_host (PDS_URISHORTENER) lurl.no | |
6666 | enlist_uri_host (PDS_URISHORTENER) macte.ch | |
6667 | enlist_uri_host (PDS_URISHORTENER) mash.to | |
6668 | enlist_uri_host (PDS_URISHORTENER) mavrev.com | |
6669 | enlist_uri_host (PDS_URISHORTENER) mcaf.ee | |
6670 | enlist_uri_host (PDS_URISHORTENER) memurl.com | |
6671 | enlist_uri_host (PDS_URISHORTENER) merky.de | |
6672 | enlist_uri_host (PDS_URISHORTENER) metamark.net | |
6673 | enlist_uri_host (PDS_URISHORTENER) migre.me | |
6674 | enlist_uri_host (PDS_URISHORTENER) min2.me | |
6675 | enlist_uri_host (PDS_URISHORTENER) minilien.com | |
6676 | enlist_uri_host (PDS_URISHORTENER) minilink.org | |
6677 | enlist_uri_host (PDS_URISHORTENER) miniurl.com | |
6678 | enlist_uri_host (PDS_URISHORTENER) minurl.fr | |
6679 | enlist_uri_host (PDS_URISHORTENER) mke.me | |
6680 | enlist_uri_host (PDS_URISHORTENER) moby.to | |
6681 | enlist_uri_host (PDS_URISHORTENER) moourl.com | |
6682 | enlist_uri_host (PDS_URISHORTENER) mrte.ch | |
6683 | enlist_uri_host (PDS_URISHORTENER) msg.sg | |
6684 | enlist_uri_host (PDS_URISHORTENER) murl.kz | |
6685 | enlist_uri_host (PDS_URISHORTENER) mv2.me | |
6686 | enlist_uri_host (PDS_URISHORTENER) myloc.me | |
6687 | enlist_uri_host (PDS_URISHORTENER) mysp.in | |
6688 | enlist_uri_host (PDS_URISHORTENER) myurl.in | |
6689 | enlist_uri_host (PDS_URISHORTENER) myurl.si | |
6690 | enlist_uri_host (PDS_URISHORTENER) n.pr | |
6691 | enlist_uri_host (PDS_URISHORTENER) nanoref.com | |
6692 | enlist_uri_host (PDS_URISHORTENER) nanourl.se | |
6693 | enlist_uri_host (PDS_URISHORTENER) nbc.co | |
6694 | enlist_uri_host (PDS_URISHORTENER) nblo.gs | |
6695 | enlist_uri_host (PDS_URISHORTENER) nbx.ch | |
6696 | enlist_uri_host (PDS_URISHORTENER) ncane.com | |
6697 | enlist_uri_host (PDS_URISHORTENER) ndurl.com | |
6698 | enlist_uri_host (PDS_URISHORTENER) ne1.net | |
6699 | enlist_uri_host (PDS_URISHORTENER) netnet.me | |
6700 | enlist_uri_host (PDS_URISHORTENER) netshortcut.com | |
6701 | enlist_uri_host (PDS_URISHORTENER) ni.to | |
6702 | enlist_uri_host (PDS_URISHORTENER) nig.gr | |
6703 | enlist_uri_host (PDS_URISHORTENER) nm.ly | |
6704 | enlist_uri_host (PDS_URISHORTENER) nn.nf | |
6705 | enlist_uri_host (PDS_URISHORTENER) not.my | |
6706 | enlist_uri_host (PDS_URISHORTENER) notlong.com | |
6707 | enlist_uri_host (PDS_URISHORTENER) nsfw.in | |
6708 | enlist_uri_host (PDS_URISHORTENER) nutshellurl.com | |
6709 | enlist_uri_host (PDS_URISHORTENER) nxy.in | |
6710 | enlist_uri_host (PDS_URISHORTENER) nyti.ms | |
6711 | enlist_uri_host (PDS_URISHORTENER) o-x.fr | |
6712 | enlist_uri_host (PDS_URISHORTENER) o.ly | |
6713 | enlist_uri_host (PDS_URISHORTENER) oboeyasui.com | |
6714 | enlist_uri_host (PDS_URISHORTENER) oc1.us | |
6715 | enlist_uri_host (PDS_URISHORTENER) offur.com | |
6716 | enlist_uri_host (PDS_URISHORTENER) ofl.me | |
6717 | enlist_uri_host (PDS_URISHORTENER) om.ly | |
6718 | enlist_uri_host (PDS_URISHORTENER) omf.gd | |
6719 | enlist_uri_host (PDS_URISHORTENER) omoikane.net | |
6720 | enlist_uri_host (PDS_URISHORTENER) on.cnn.com | |
6721 | enlist_uri_host (PDS_URISHORTENER) on.mktw.net | |
6722 | enlist_uri_host (PDS_URISHORTENER) onecent.us | |
6723 | enlist_uri_host (PDS_URISHORTENER) onforb.es | |
6724 | enlist_uri_host (PDS_URISHORTENER) onion.com | |
6725 | enlist_uri_host (PDS_URISHORTENER) onsaas.info | |
6726 | enlist_uri_host (PDS_URISHORTENER) ooqx.com | |
6727 | enlist_uri_host (PDS_URISHORTENER) oreil.ly | |
6728 | enlist_uri_host (PDS_URISHORTENER) orz.se | |
6729 | enlist_uri_host (PDS_URISHORTENER) ow.ly | |
6730 | enlist_uri_host (PDS_URISHORTENER) oxyz.info | |
6731 | enlist_uri_host (PDS_URISHORTENER) p.ly | |
6732 | enlist_uri_host (PDS_URISHORTENER) p8g.tw | |
6733 | enlist_uri_host (PDS_URISHORTENER) parv.us | |
6734 | enlist_uri_host (PDS_URISHORTENER) paulding.net | |
6735 | enlist_uri_host (PDS_URISHORTENER) pduda.mobi | |
6736 | enlist_uri_host (PDS_URISHORTENER) peaurl.com | |
6737 | enlist_uri_host (PDS_URISHORTENER) pendek.in | |
6738 | enlist_uri_host (PDS_URISHORTENER) pep.si | |
6739 | enlist_uri_host (PDS_URISHORTENER) pic.gd | |
6740 | enlist_uri_host (PDS_URISHORTENER) piko.me | |
6741 | enlist_uri_host (PDS_URISHORTENER) ping.fm | |
6742 | enlist_uri_host (PDS_URISHORTENER) piurl.com | |
6743 | enlist_uri_host (PDS_URISHORTENER) pli.gs | |
6744 | enlist_uri_host (PDS_URISHORTENER) plumurl.com | |
6745 | enlist_uri_host (PDS_URISHORTENER) plurl.me | |
6746 | enlist_uri_host (PDS_URISHORTENER) pnt.me | |
6747 | enlist_uri_host (PDS_URISHORTENER) politi.co | |
6748 | enlist_uri_host (PDS_URISHORTENER) poll.fm | |
6749 | enlist_uri_host (PDS_URISHORTENER) pop.ly | |
6750 | enlist_uri_host (PDS_URISHORTENER) poprl.com | |
6751 | enlist_uri_host (PDS_URISHORTENER) post.ly | |
6752 | enlist_uri_host (PDS_URISHORTENER) posted.at | |
6753 | enlist_uri_host (PDS_URISHORTENER) pp.gg | |
6754 | enlist_uri_host (PDS_URISHORTENER) profile.to | |
6755 | enlist_uri_host (PDS_URISHORTENER) pt2.me | |
6756 | enlist_uri_host (PDS_URISHORTENER) ptiturl.com | |
6757 | enlist_uri_host (PDS_URISHORTENER) pub.vitrue.com | |
6758 | enlist_uri_host (PDS_URISHORTENER) puke.it | |
6759 | enlist_uri_host (PDS_URISHORTENER) pysper.com | |
6760 | enlist_uri_host (PDS_URISHORTENER) qik.li | |
6761 | enlist_uri_host (PDS_URISHORTENER) qlnk.net | |
6762 | enlist_uri_host (PDS_URISHORTENER) qoiob.com | |
6763 | enlist_uri_host (PDS_URISHORTENER) qr.cx | |
6764 | enlist_uri_host (PDS_URISHORTENER) qte.me | |
6765 | enlist_uri_host (PDS_URISHORTENER) qu.tc | |
6766 | enlist_uri_host (PDS_URISHORTENER) quickurl.co.uk | |
6767 | enlist_uri_host (PDS_URISHORTENER) qurl.com | |
6768 | enlist_uri_host (PDS_URISHORTENER) qurlyq.com | |
6769 | enlist_uri_host (PDS_URISHORTENER) quu.nu | |
6770 | enlist_uri_host (PDS_URISHORTENER) qux.in | |
6771 | enlist_uri_host (PDS_URISHORTENER) qy.fi | |
6772 | enlist_uri_host (PDS_URISHORTENER) r.im | |
6773 | enlist_uri_host (PDS_URISHORTENER) rb6.me | |
6774 | enlist_uri_host (PDS_URISHORTENER) rde.me | |
6775 | enlist_uri_host (PDS_URISHORTENER) read.bi | |
6776 | enlist_uri_host (PDS_URISHORTENER) readthis.ca | |
6777 | enlist_uri_host (PDS_URISHORTENER) reallytinyurl.com | |
6778 | enlist_uri_host (PDS_URISHORTENER) redir.ec | |
6779 | enlist_uri_host (PDS_URISHORTENER) redirects.ca | |
6780 | enlist_uri_host (PDS_URISHORTENER) redirx.com | |
6781 | enlist_uri_host (PDS_URISHORTENER) relyt.us | |
6782 | enlist_uri_host (PDS_URISHORTENER) retwt.me | |
6783 | enlist_uri_host (PDS_URISHORTENER) ri.ms | |
6784 | enlist_uri_host (PDS_URISHORTENER) rickroll.it | |
6785 | enlist_uri_host (PDS_URISHORTENER) rivva.de | |
6786 | enlist_uri_host (PDS_URISHORTENER) riz.gd | |
6787 | enlist_uri_host (PDS_URISHORTENER) rly.cc | |
6788 | enlist_uri_host (PDS_URISHORTENER) rnk.me | |
6789 | enlist_uri_host (PDS_URISHORTENER) rsmonkey.com | |
6790 | enlist_uri_host (PDS_URISHORTENER) rt.nu | |
6791 | enlist_uri_host (PDS_URISHORTENER) ru.ly | |
6792 | enlist_uri_host (PDS_URISHORTENER) rubyurl.com | |
6793 | enlist_uri_host (PDS_URISHORTENER) rurl.org | |
6794 | enlist_uri_host (PDS_URISHORTENER) rww.tw | |
6795 | enlist_uri_host (PDS_URISHORTENER) s.gnoss.us | |
6796 | enlist_uri_host (PDS_URISHORTENER) s3nt.com | |
6797 | enlist_uri_host (PDS_URISHORTENER) s4c.in | |
6798 | enlist_uri_host (PDS_URISHORTENER) s7y.us | |
6799 | enlist_uri_host (PDS_URISHORTENER) safe.mn | |
6800 | enlist_uri_host (PDS_URISHORTENER) safelinks.ru | |
6801 | enlist_uri_host (PDS_URISHORTENER) sai.ly | |
6802 | enlist_uri_host (PDS_URISHORTENER) sameurl.com | |
6803 | enlist_uri_host (PDS_URISHORTENER) sdut.us | |
6804 | enlist_uri_host (PDS_URISHORTENER) sed.cx | |
6805 | enlist_uri_host (PDS_URISHORTENER) sfu.ca | |
6806 | enlist_uri_host (PDS_URISHORTENER) shadyurl.com | |
6807 | enlist_uri_host (PDS_URISHORTENER) shar.es | |
6808 | enlist_uri_host (PDS_URISHORTENER) shim.net | |
6809 | enlist_uri_host (PDS_URISHORTENER) shink.de | |
6810 | enlist_uri_host (PDS_URISHORTENER) shorl.com | |
6811 | enlist_uri_host (PDS_URISHORTENER) short.ie | |
6812 | enlist_uri_host (PDS_URISHORTENER) short.to | |
6813 | enlist_uri_host (PDS_URISHORTENER) shorten.ws | |
6814 | enlist_uri_host (PDS_URISHORTENER) shortenurl.com | |
6815 | enlist_uri_host (PDS_URISHORTENER) shorterlink.com | |
6816 | enlist_uri_host (PDS_URISHORTENER) shortio.com | |
6817 | enlist_uri_host (PDS_URISHORTENER) shortlinks.co.uk | |
6818 | enlist_uri_host (PDS_URISHORTENER) shortly.nl | |
6819 | enlist_uri_host (PDS_URISHORTENER) shortn.me | |
6820 | enlist_uri_host (PDS_URISHORTENER) shortna.me | |
6821 | enlist_uri_host (PDS_URISHORTENER) shortr.me | |
6822 | enlist_uri_host (PDS_URISHORTENER) shorturl.com | |
6823 | enlist_uri_host (PDS_URISHORTENER) shortz.me | |
6824 | enlist_uri_host (PDS_URISHORTENER) shoturl.us | |
6825 | enlist_uri_host (PDS_URISHORTENER) shout.to | |
6826 | enlist_uri_host (PDS_URISHORTENER) show.my | |
6827 | enlist_uri_host (PDS_URISHORTENER) shredu | |
6828 | enlist_uri_host (PDS_URISHORTENER) shredurl.com | |
6829 | enlist_uri_host (PDS_URISHORTENER) shrinkify.com | |
6830 | enlist_uri_host (PDS_URISHORTENER) shrinkr.com | |
6831 | enlist_uri_host (PDS_URISHORTENER) shrinkster.com | |
6832 | enlist_uri_host (PDS_URISHORTENER) shrinkurl.us | |
6833 | enlist_uri_host (PDS_URISHORTENER) shrt.fr | |
6834 | enlist_uri_host (PDS_URISHORTENER) shrt.st | |
6835 | enlist_uri_host (PDS_URISHORTENER) shrt.ws | |
6836 | enlist_uri_host (PDS_URISHORTENER) shrten.com | |
6837 | enlist_uri_host (PDS_URISHORTENER) shrtl.com | |
6838 | enlist_uri_host (PDS_URISHORTENER) shrtn.com | |
6839 | enlist_uri_host (PDS_URISHORTENER) shrtnd.com | |
6840 | enlist_uri_host (PDS_URISHORTENER) shrunkin.com | |
6841 | enlist_uri_host (PDS_URISHORTENER) shurl.net | |
6842 | enlist_uri_host (PDS_URISHORTENER) shw.me | |
6843 | enlist_uri_host (PDS_URISHORTENER) simurl.com | |
6844 | enlist_uri_host (PDS_URISHORTENER) simurl.net | |
6845 | enlist_uri_host (PDS_URISHORTENER) simurl.org | |
6846 | enlist_uri_host (PDS_URISHORTENER) simurl.us | |
6847 | enlist_uri_host (PDS_URISHORTENER) sitelutions.com | |
6848 | enlist_uri_host (PDS_URISHORTENER) siteo.us | |
6849 | enlist_uri_host (PDS_URISHORTENER) sl.ly | |
6850 | enlist_uri_host (PDS_URISHORTENER) slate.me | |
6851 | enlist_uri_host (PDS_URISHORTENER) slidesha.re | |
6852 | enlist_uri_host (PDS_URISHORTENER) slki.ru | |
6853 | enlist_uri_host (PDS_URISHORTENER) smallr.com | |
6854 | enlist_uri_host (PDS_URISHORTENER) smallr.net | |
6855 | enlist_uri_host (PDS_URISHORTENER) smarturl.it | |
6856 | enlist_uri_host (PDS_URISHORTENER) smfu.in | |
6857 | enlist_uri_host (PDS_URISHORTENER) smsh.me | |
6858 | enlist_uri_host (PDS_URISHORTENER) smurl.com | |
6859 | enlist_uri_host (PDS_URISHORTENER) smurl.name | |
6860 | enlist_uri_host (PDS_URISHORTENER) sn.im | |
6861 | enlist_uri_host (PDS_URISHORTENER) sn.vc | |
6862 | enlist_uri_host (PDS_URISHORTENER) snadr.it | |
6863 | enlist_uri_host (PDS_URISHORTENER) snipie.com | |
6864 | enlist_uri_host (PDS_URISHORTENER) snipr.com | |
6865 | enlist_uri_host (PDS_URISHORTENER) snipurl.com | |
6866 | enlist_uri_host (PDS_URISHORTENER) snkr.me | |
6867 | enlist_uri_host (PDS_URISHORTENER) snurl.com | |
6868 | enlist_uri_host (PDS_URISHORTENER) soo.gd | |
6869 | enlist_uri_host (PDS_URISHORTENER) song.ly | |
6870 | enlist_uri_host (PDS_URISHORTENER) sp2.ro | |
6871 | enlist_uri_host (PDS_URISHORTENER) spedr.com | |
6872 | enlist_uri_host (PDS_URISHORTENER) sqze.it | |
6873 | enlist_uri_host (PDS_URISHORTENER) srnk.net | |
6874 | enlist_uri_host (PDS_URISHORTENER) srs.li | |
6875 | enlist_uri_host (PDS_URISHORTENER) starturl.com | |
6876 | enlist_uri_host (PDS_URISHORTENER) stickurl.com | |
6877 | enlist_uri_host (PDS_URISHORTENER) stpmvt.com | |
6878 | enlist_uri_host (PDS_URISHORTENER) sturly.com | |
6879 | enlist_uri_host (PDS_URISHORTENER) su.pr | |
6880 | enlist_uri_host (PDS_URISHORTENER) surl.co.uk | |
6881 | enlist_uri_host (PDS_URISHORTENER) surl.hu | |
6882 | enlist_uri_host (PDS_URISHORTENER) surl.it | |
6883 | enlist_uri_host (PDS_URISHORTENER) t.cn | |
6884 | enlist_uri_host (PDS_URISHORTENER) t.co | |
6885 | enlist_uri_host (PDS_URISHORTENER) t.lh.com | |
6886 | enlist_uri_host (PDS_URISHORTENER) ta.gd | |
6887 | enlist_uri_host (PDS_URISHORTENER) takemyfile.com | |
6888 | enlist_uri_host (PDS_URISHORTENER) tbd.ly | |
6889 | enlist_uri_host (PDS_URISHORTENER) tcrn.ch | |
6890 | enlist_uri_host (PDS_URISHORTENER) tgr.me | |
6891 | enlist_uri_host (PDS_URISHORTENER) tgr.ph | |
6892 | enlist_uri_host (PDS_URISHORTENER) th8.us | |
6893 | enlist_uri_host (PDS_URISHORTENER) thecow.me | |
6894 | enlist_uri_host (PDS_URISHORTENER) thrdl.es | |
6895 | enlist_uri_host (PDS_URISHORTENER) tighturl.com | |
6896 | enlist_uri_host (PDS_URISHORTENER) timesurl.at | |
6897 | enlist_uri_host (PDS_URISHORTENER) tini.us | |
6898 | enlist_uri_host (PDS_URISHORTENER) tiniuri.com | |
6899 | enlist_uri_host (PDS_URISHORTENER) tiny.cc | |
6900 | enlist_uri_host (PDS_URISHORTENER) tiny.ly | |
6901 | enlist_uri_host (PDS_URISHORTENER) tiny.pl | |
6902 | enlist_uri_host (PDS_URISHORTENER) tinyarro.ws | |
6903 | enlist_uri_host (PDS_URISHORTENER) tinylink.com | |
6904 | enlist_uri_host (PDS_URISHORTENER) tinylink.in | |
6905 | enlist_uri_host (PDS_URISHORTENER) tinypl.us | |
6906 | enlist_uri_host (PDS_URISHORTENER) tinysong.com | |
6907 | enlist_uri_host (PDS_URISHORTENER) tinytw.it | |
6908 | enlist_uri_host (PDS_URISHORTENER) tinyuri.ca | |
6909 | enlist_uri_host (PDS_URISHORTENER) tinyurl.com | |
6910 | enlist_uri_host (PDS_URISHORTENER) tk. | |
6911 | enlist_uri_host (PDS_URISHORTENER) tl.gd | |
6912 | enlist_uri_host (PDS_URISHORTENER) tllg.net | |
6913 | enlist_uri_host (PDS_URISHORTENER) tmi.me | |
6914 | enlist_uri_host (PDS_URISHORTENER) tncr.ws | |
6915 | enlist_uri_host (PDS_URISHORTENER) tnij.org | |
6916 | enlist_uri_host (PDS_URISHORTENER) tnw.to | |
6917 | enlist_uri_host (PDS_URISHORTENER) tny.com | |
6918 | enlist_uri_host (PDS_URISHORTENER) to. | |
6919 | enlist_uri_host (PDS_URISHORTENER) to.je | |
6920 | enlist_uri_host (PDS_URISHORTENER) to.ly | |
6921 | enlist_uri_host (PDS_URISHORTENER) to.vg | |
6922 | enlist_uri_host (PDS_URISHORTENER) togoto.us | |
6923 | enlist_uri_host (PDS_URISHORTENER) totc.us | |
6924 | enlist_uri_host (PDS_URISHORTENER) toysr.us | |
6925 | enlist_uri_host (PDS_URISHORTENER) tpm.ly | |
6926 | enlist_uri_host (PDS_URISHORTENER) tr.im | |
6927 | enlist_uri_host (PDS_URISHORTENER) tr.my | |
6928 | enlist_uri_host (PDS_URISHORTENER) tra.kz | |
6929 | enlist_uri_host (PDS_URISHORTENER) traceurl.com | |
6930 | enlist_uri_host (PDS_URISHORTENER) trackurl.it | |
6931 | enlist_uri_host (PDS_URISHORTENER) trcb.me | |
6932 | enlist_uri_host (PDS_URISHORTENER) trg.li | |
6933 | enlist_uri_host (PDS_URISHORTENER) trib.al | |
6934 | enlist_uri_host (PDS_URISHORTENER) trick.ly | |
6935 | enlist_uri_host (PDS_URISHORTENER) trii.us | |
6936 | enlist_uri_host (PDS_URISHORTENER) trim.li | |
6937 | enlist_uri_host (PDS_URISHORTENER) trumpink.lt | |
6938 | enlist_uri_host (PDS_URISHORTENER) trunc.it | |
6939 | enlist_uri_host (PDS_URISHORTENER) truncurl.com | |
6940 | enlist_uri_host (PDS_URISHORTENER) tsort.us | |
6941 | enlist_uri_host (PDS_URISHORTENER) tubeurl.com | |
6942 | enlist_uri_host (PDS_URISHORTENER) turo.us | |
6943 | enlist_uri_host (PDS_URISHORTENER) tw0.us | |
6944 | enlist_uri_host (PDS_URISHORTENER) tw1.us | |
6945 | enlist_uri_host (PDS_URISHORTENER) tw2.us | |
6946 | enlist_uri_host (PDS_URISHORTENER) tw5.us | |
6947 | enlist_uri_host (PDS_URISHORTENER) tw6.us | |
6948 | enlist_uri_host (PDS_URISHORTENER) tw8.us | |
6949 | enlist_uri_host (PDS_URISHORTENER) tw9.us | |
6950 | enlist_uri_host (PDS_URISHORTENER) twa.lk | |
6951 | enlist_uri_host (PDS_URISHORTENER) tweet.me | |
6952 | enlist_uri_host (PDS_URISHORTENER) tweetburner.com | |
6953 | enlist_uri_host (PDS_URISHORTENER) tweetl.com | |
6954 | enlist_uri_host (PDS_URISHORTENER) twhub.com | |
6955 | enlist_uri_host (PDS_URISHORTENER) twi.gy | |
6956 | enlist_uri_host (PDS_URISHORTENER) twip.us | |
6957 | enlist_uri_host (PDS_URISHORTENER) twirl.at | |
6958 | enlist_uri_host (PDS_URISHORTENER) twit.ac | |
6959 | enlist_uri_host (PDS_URISHORTENER) twitclicks.com | |
6960 | enlist_uri_host (PDS_URISHORTENER) twitterurl.net | |
6961 | enlist_uri_host (PDS_URISHORTENER) twitterurl.org | |
6962 | enlist_uri_host (PDS_URISHORTENER) twitthis.com | |
6963 | enlist_uri_host (PDS_URISHORTENER) twittu.ms | |
6964 | enlist_uri_host (PDS_URISHORTENER) twiturl.de | |
6965 | enlist_uri_host (PDS_URISHORTENER) twitzap.com | |
6966 | enlist_uri_host (PDS_URISHORTENER) twlv.net | |
6967 | enlist_uri_host (PDS_URISHORTENER) twtr.us | |
6968 | enlist_uri_host (PDS_URISHORTENER) twurl.cc | |
6969 | enlist_uri_host (PDS_URISHORTENER) twurl.nl | |
6970 | enlist_uri_host (PDS_URISHORTENER) u.mavrev.com | |
6971 | enlist_uri_host (PDS_URISHORTENER) u.nu | |
6972 | enlist_uri_host (PDS_URISHORTENER) u76.org | |
6973 | enlist_uri_host (PDS_URISHORTENER) ub0.cc | |
6974 | enlist_uri_host (PDS_URISHORTENER) uiop.me | |
6975 | enlist_uri_host (PDS_URISHORTENER) ulimit.com | |
6976 | enlist_uri_host (PDS_URISHORTENER) ulu.lu | |
6977 | enlist_uri_host (PDS_URISHORTENER) unfaker.it | |
6978 | enlist_uri_host (PDS_URISHORTENER) updating.me | |
6979 | enlist_uri_host (PDS_URISHORTENER) u.to | |
6980 | enlist_uri_host (PDS_URISHORTENER) ur.ly | |
6981 | enlist_uri_host (PDS_URISHORTENER) ur1.ca | |
6982 | enlist_uri_host (PDS_URISHORTENER) urizy.com | |
6983 | enlist_uri_host (PDS_URISHORTENER) url.ag | |
6984 | enlist_uri_host (PDS_URISHORTENER) url.az | |
6985 | enlist_uri_host (PDS_URISHORTENER) url.co.uk | |
6986 | enlist_uri_host (PDS_URISHORTENER) url.go.it | |
6987 | enlist_uri_host (PDS_URISHORTENER) url.ie | |
6988 | enlist_uri_host (PDS_URISHORTENER) url.inc-x.eu | |
6989 | enlist_uri_host (PDS_URISHORTENER) url.lotpatrol.com | |
6990 | enlist_uri_host (PDS_URISHORTENER) url360.me | |
6991 | enlist_uri_host (PDS_URISHORTENER) url4.eu | |
6992 | enlist_uri_host (PDS_URISHORTENER) urlao.com | |
6993 | enlist_uri_host (PDS_URISHORTENER) urlbee.com | |
6994 | enlist_uri_host (PDS_URISHORTENER) urlborg.com | |
6995 | enlist_uri_host (PDS_URISHORTENER) urlbrief.com | |
6996 | enlist_uri_host (PDS_URISHORTENER) urlcorta.es | |
6997 | enlist_uri_host (PDS_URISHORTENER) urlcover.com | |
6998 | enlist_uri_host (PDS_URISHORTENER) urlcut.com | |
6999 | enlist_uri_host (PDS_URISHORTENER) urlcutter.com | |
7000 | enlist_uri_host (PDS_URISHORTENER) urlenco.de | |
7001 | enlist_uri_host (PDS_URISHORTENER) urlg.info | |
7002 | enlist_uri_host (PDS_URISHORTENER) urlhawk.com | |
7003 | enlist_uri_host (PDS_URISHORTENER) urli.nl | |
7004 | enlist_uri_host (PDS_URISHORTENER) urlin.it | |
7005 | enlist_uri_host (PDS_URISHORTENER) urlkiss.com | |
7006 | enlist_uri_host (PDS_URISHORTENER) urloo.com | |
7007 | enlist_uri_host (PDS_URISHORTENER) urlpire.com | |
7008 | enlist_uri_host (PDS_URISHORTENER) urls.im | |
7009 | enlist_uri_host (PDS_URISHORTENER) urlshorteningservicefortwitter.com | |
7010 | enlist_uri_host (PDS_URISHORTENER) urltea.com | |
7011 | enlist_uri_host (PDS_URISHORTENER) urlu.ms | |
7012 | enlist_uri_host (PDS_URISHORTENER) urlvi.b | |
7013 | enlist_uri_host (PDS_URISHORTENER) urlvi.be | |
7014 | enlist_uri_host (PDS_URISHORTENER) urlx.ie | |
7015 | enlist_uri_host (PDS_URISHORTENER) urlz.at | |
7016 | enlist_uri_host (PDS_URISHORTENER) urlzen.com | |
7017 | enlist_uri_host (PDS_URISHORTENER) usat.ly | |
7018 | enlist_uri_host (PDS_URISHORTENER) use.my | |
7019 | enlist_uri_host (PDS_URISHORTENER) uservoice.com | |
7020 | enlist_uri_host (PDS_URISHORTENER) ustre.am | |
7021 | enlist_uri_host (PDS_URISHORTENER) vado.it | |
7022 | enlist_uri_host (PDS_URISHORTENER) vb.ly | |
7023 | enlist_uri_host (PDS_URISHORTENER) vdirect.com | |
7024 | enlist_uri_host (PDS_URISHORTENER) vgn.am | |
7025 | enlist_uri_host (PDS_URISHORTENER) vi.ly | |
7026 | enlist_uri_host (PDS_URISHORTENER) viigo.im | |
7027 | enlist_uri_host (PDS_URISHORTENER) virl.com | |
7028 | enlist_uri_host (PDS_URISHORTENER) vl.am | |
7029 | enlist_uri_host (PDS_URISHORTENER) vm.lc | |
7030 | enlist_uri_host (PDS_URISHORTENER) voizle.com | |
7031 | enlist_uri_host (PDS_URISHORTENER) vtc.es | |
7032 | enlist_uri_host (PDS_URISHORTENER) w0r.me | |
7033 | enlist_uri_host (PDS_URISHORTENER) w33.us | |
7034 | enlist_uri_host (PDS_URISHORTENER) w34.us | |
7035 | enlist_uri_host (PDS_URISHORTENER) w3t.org | |
7036 | enlist_uri_host (PDS_URISHORTENER) w55.de | |
7037 | enlist_uri_host (PDS_URISHORTENER) wa9.la | |
7038 | enlist_uri_host (PDS_URISHORTENER) wapo.st | |
7039 | enlist_uri_host (PDS_URISHORTENER) wapurl.co.uk | |
7040 | enlist_uri_host (PDS_URISHORTENER) webalias.com | |
7041 | enlist_uri_host (PDS_URISHORTENER) welcome.to | |
7042 | enlist_uri_host (PDS_URISHORTENER) wh.gov | |
7043 | enlist_uri_host (PDS_URISHORTENER) widg.me | |
7044 | enlist_uri_host (PDS_URISHORTENER) wipi.es | |
7045 | enlist_uri_host (PDS_URISHORTENER) wkrg.com | |
7046 | enlist_uri_host (PDS_URISHORTENER) woo.ly | |
7047 | enlist_uri_host (PDS_URISHORTENER) wp.me | |
7048 | enlist_uri_host (PDS_URISHORTENER) x.co | |
7049 | enlist_uri_host (PDS_URISHORTENER) x.hypem.com | |
7050 | enlist_uri_host (PDS_URISHORTENER) x.se | |
7051 | enlist_uri_host (PDS_URISHORTENER) x.vu | |
7052 | enlist_uri_host (PDS_URISHORTENER) xeeurl.com | |
7053 | enlist_uri_host (PDS_URISHORTENER) xil.in | |
7054 | enlist_uri_host (PDS_URISHORTENER) xlurl.de | |
7055 | enlist_uri_host (PDS_URISHORTENER) xn--1ci.ws | |
7056 | enlist_uri_host (PDS_URISHORTENER) xn--3fi.ws | |
7057 | enlist_uri_host (PDS_URISHORTENER) xn--5gi.ws | |
7058 | enlist_uri_host (PDS_URISHORTENER) xn--9gi.ws | |
7059 | enlist_uri_host (PDS_URISHORTENER) xn--bih.ws | |
7060 | enlist_uri_host (PDS_URISHORTENER) xn--cwg.ws | |
7061 | enlist_uri_host (PDS_URISHORTENER) xn--egi.ws | |
7062 | enlist_uri_host (PDS_URISHORTENER) xn--fwg.ws | |
7063 | enlist_uri_host (PDS_URISHORTENER) xn--hgi.ws | |
7064 | enlist_uri_host (PDS_URISHORTENER) xn--l3h.ws | |
7065 | enlist_uri_host (PDS_URISHORTENER) xn--odi.ws | |
7066 | enlist_uri_host (PDS_URISHORTENER) xn--ogi.ws | |
7067 | enlist_uri_host (PDS_URISHORTENER) xn--rei.ws | |
7068 | enlist_uri_host (PDS_URISHORTENER) xn--vgi.ws | |
7069 | enlist_uri_host (PDS_URISHORTENER) xr.com | |
7070 | enlist_uri_host (PDS_URISHORTENER) xrl.in | |
7071 | enlist_uri_host (PDS_URISHORTENER) xrl.us | |
7072 | enlist_uri_host (PDS_URISHORTENER) xrt.me | |
7073 | enlist_uri_host (PDS_URISHORTENER) xurl.es | |
7074 | enlist_uri_host (PDS_URISHORTENER) xurl.jp | |
7075 | enlist_uri_host (PDS_URISHORTENER) xxsurl.de | |
7076 | enlist_uri_host (PDS_URISHORTENER) xzb.cc | |
7077 | enlist_uri_host (PDS_URISHORTENER) y.ahoo.it | |
7078 | enlist_uri_host (PDS_URISHORTENER) yatuc.com | |
7079 | enlist_uri_host (PDS_URISHORTENER) ye-s.com | |
7080 | enlist_uri_host (PDS_URISHORTENER) ye.pe | |
7081 | enlist_uri_host (PDS_URISHORTENER) yep.it | |
7082 | enlist_uri_host (PDS_URISHORTENER) yfrog.com | |
7083 | enlist_uri_host (PDS_URISHORTENER) yhoo.it | |
7084 | enlist_uri_host (PDS_URISHORTENER) yiyd.com | |
7085 | enlist_uri_host (PDS_URISHORTENER) yuarel.com | |
7086 | enlist_uri_host (PDS_URISHORTENER) z.pe | |
7087 | enlist_uri_host (PDS_URISHORTENER) z0p.de | |
7088 | enlist_uri_host (PDS_URISHORTENER) zapt.in | |
7089 | enlist_uri_host (PDS_URISHORTENER) zi.ma | |
7090 | enlist_uri_host (PDS_URISHORTENER) zi.me | |
7091 | enlist_uri_host (PDS_URISHORTENER) zi.mu | |
7092 | enlist_uri_host (PDS_URISHORTENER) zi.pe | |
7093 | enlist_uri_host (PDS_URISHORTENER) zip.li | |
7094 | enlist_uri_host (PDS_URISHORTENER) zipmyurl.com | |
7095 | enlist_uri_host (PDS_URISHORTENER) zite.to | |
7096 | enlist_uri_host (PDS_URISHORTENER) zootit.com | |
7097 | enlist_uri_host (PDS_URISHORTENER) zud.me | |
7098 | enlist_uri_host (PDS_URISHORTENER) zurl.ws | |
7099 | enlist_uri_host (PDS_URISHORTENER) zz.gd | |
7100 | enlist_uri_host (PDS_URISHORTENER) zzang.kr | |
7101 | enlist_uri_host (PDS_URISHORTENER) t.ly | |
7102 | enlist_uri_host (PDS_URISHORTENER) wow.link | |
7103 | enlist_uri_host (PDS_URISHORTENER) twixar.me | |
7104 | enlist_uri_host (PDS_URISHORTENER) lnk.cm | |
7105 | enlist_uri_host (PDS_URISHORTENER) rb.gy | |
7106 | enlist_uri_host (PDS_URISHORTENER) gplinks.in | |
7107 | enlist_uri_host (PDS_URISHORTENER) utfg.sk | |
7108 | enlist_uri_host (PDS_URISHORTENER) um.lk | |
7109 | enlist_uri_host (PDS_URISHORTENER) xn--vi8hiv.ws | |
7110 | enlist_uri_host (PDS_URISHORTENER) ouo.io | |
7111 | enlist_uri_host (PDS_URISHORTENER) mmo.tc | |
7112 | enlist_uri_host (PDS_URISHORTENER) pvp.tc | |
7113 | enlist_uri_host (PDS_URISHORTENER) ko.tc | |
7114 | enlist_uri_host (PDS_URISHORTENER) m2.tc | |
7115 | enlist_uri_host (PDS_URISHORTENER) sro.tc | |
7116 | enlist_uri_host (PDS_URISHORTENER) heg.tc | |
7117 | enlist_uri_host (PDS_URISHORTENER) fn.tc | |
7118 | enlist_uri_host (PDS_URISHORTENER) lol.tc | |
7119 | enlist_uri_host (PDS_URISHORTENER) tek.link | |
7120 | enlist_uri_host (PDS_URISHORTENER) tr.im | |
7121 | enlist_uri_host (PDS_URISHORTENER) cutwin.biz | |
7122 | enlist_uri_host (PDS_URISHORTENER) urlzs.com | |
7123 | enlist_uri_host (PDS_URISHORTENER) qqc.co | |
7124 | enlist_uri_host (PDS_URISHORTENER) yyv.co | |
7125 | enlist_uri_host (PDS_URISHORTENER) erq.io | |
7126 | enlist_uri_host (PDS_URISHORTENER) yko.io | |
7127 | enlist_uri_host (PDS_URISHORTENER) poweredbysecurity.online | |
7128 | enlist_uri_host (PDS_URISHORTENER) poweredbysecurity.org | |
7129 | enlist_uri_host (PDS_URISHORTENER) poweredbydialup.online | |
7130 | enlist_uri_host (PDS_URISHORTENER) poweredbydialup.club | |
7131 | enlist_uri_host (PDS_URISHORTENER) canadianlumberjacks.online | |
7132 | enlist_uri_host (PDS_URISHORTENER) canadianlumberjacks.club | |
7133 | enlist_uri_host (PDS_URISHORTENER) packetlivesmatter.online | |
7134 | enlist_uri_host (PDS_URISHORTENER) packetlivesmatter.club | |
7135 | enlist_uri_host (PDS_URISHORTENER) amishprincess.com | |
7136 | enlist_uri_host (PDS_URISHORTENER) poweredbydialup.org | |
7137 | enlist_uri_host (PDS_URISHORTENER) amishdatacenter.com | |
7138 | enlist_uri_host (PDS_URISHORTENER) youtubeshort.pro | |
7139 | enlist_uri_host (PDS_URISHORTENER) catsnthing.com | |
7140 | enlist_uri_host (PDS_URISHORTENER) youtubeshort.watch | |
7141 | enlist_uri_host (PDS_URISHORTENER) yourtube.site | |
7142 | enlist_uri_host (PDS_URISHORTENER) catsnthings.fun | |
7143 | enlist_uri_host (PDS_URISHORTENER) curiouscat.club | |
7144 | enlist_uri_host (PDS_URISHORTENER) crabrave.pw | |
7145 | enlist_uri_host (PDS_URISHORTENER) fortnitechat.site | |
7146 | enlist_uri_host (PDS_URISHORTENER) fortnight.space | |
7147 | enlist_uri_host (PDS_URISHORTENER) disçordapp.com | |
7148 | enlist_uri_host (PDS_URISHORTENER) freegiftcards.co | |
7149 | enlist_uri_host (PDS_URISHORTENER) minecräft.com | |
7150 | enlist_uri_host (PDS_URISHORTENER) stopify.co | |
7151 | enlist_uri_host (PDS_URISHORTENER) spottyfly.com | |
7152 | enlist_uri_host (PDS_URISHORTENER) bmwforum.co | |
7153 | enlist_uri_host (PDS_URISHORTENER) grabify.link | |
7154 | enlist_uri_host (PDS_URISHORTENER) joinmy.site | |
7155 | enlist_uri_host (PDS_URISHORTENER) youshouldclick.us | |
7156 | reuse T_PDS_SHORTFWD_URISHRT | |
7157 | endif | |
7158 | endif | |
7159 | ##} ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox | |
7160 | ||
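7161 | ##{ redirector_pattern_sandbox | |
| # redirector_pattern: each regex matches a redirector URI and captures the | |
| # embedded target in group 1. The captured target is then added to the URIs | |
| # that URI rules and blocklists evaluate, so a link cannot hide its real | |
| # destination behind the redirector's host name. | |
| # '#' is written as \# because an unescaped '#' starts a comment in this file format. | |
7162 | ||
| # Generic "?...URL=<target>" query parameter on any host (optionally under index.php). | |
7163 | redirector_pattern m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i | |
| # Google: /url?q=, /search?q=...site:|inurl:, /search?q="...", /translate?u=, /pagead/iclk?adurl= | |
7164 | redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i | |
7165 | redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:site|inurl):(.*?)(?:$|%20|[\s+&\#])'i | |
7166 | redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&\#])'i | |
7167 | redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i | |
7168 | redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/pagead/iclk\?.*?(?<=[?&])adurl=(.*?)(?:$|[&\#])'i | |
| # AOL: /redir.adp?..._url=<target> | |
7169 | redirector_pattern m'^https?:/*(?:\w+\.)?aol\.com/redir\.adp\?.*(?<=[?&])_url=(.*?)(?:$|[&\#])'i | |
| # Facebook: /l/;<target>. The ':' after the scheme is required, as in every | |
| # sibling pattern (^https?:/*). Without it the regex allows only slashes or the | |
| # host directly after "http"/"https", so it cannot match an http(s):// URI and | |
| # the target behind the redirect is never extracted. | |
7170 | redirector_pattern m'^https?:/*(?:\w+\.)?facebook\.com/l/;(.*)'i | |
7171 | ##} redirector_pattern_sandbox | |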
7172 | ||
7173 | ##{ reuse_sandbox | |
| # "reuse" directives: presumably consumed by the Reuse plugin during mass-check | |
| # runs, where a listed rule's hit is taken from the result recorded in the | |
| # message's existing X-Spam-Status header instead of being evaluated again. | |
| # NOTE(review): a reused hit reflects the state at the original scan, not current | |
| # rule or network data - confirm that is intended for each symbol listed here. | |
7174 | ||
7175 | reuse T_PDS_HIDDEN_UK_BUSINESSLOAN | |
7176 | reuse T_PDS_DOUBLE_URL | |
7177 | reuse T_PDS_DBL_URL_LINKBAIT | |
7178 | reuse PDS_DBL_URL_TNB_RUNON | |
7179 | reuse T_PDS_DBL_URL_ILLEGAL_CHARS | |
7180 | reuse FROM_2_EMAILS_SHORT | |
7181 | reuse T_SHORT_BODY_QUOTE | |
7182 | reuse T_BODY_QUOTE_MALF_MSGID | |
7183 | reuse SPOOFED_FREEMAIL_NO_RDNS | |
7184 | reuse T_PDS_URI_HIDDEN_HELO_NO_DOMAIN | |
7185 | reuse PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE | |
7186 | reuse PDS_TONAME_EQ_TOLOCAL_SHORT | |
7187 | reuse PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE | |
7188 | reuse PDS_TONAME_EQ_TOLOCAL_VSHORT | |
7189 | reuse T_PDS_LITECOIN_ID | |
7190 | reuse PDS_BTC_ID | |
7191 | reuse PDS_BTC_MSGID | |
7192 | reuse __PDS_GOOGLE_DRIVE_SHARE_1 | |
7193 | reuse __PDS_GOOGLE_DRIVE_SHARE_2 | |
7194 | reuse __PDS_GOOGLE_DRIVE_SHARE_3 | |
7195 | reuse __PDS_GOOGLE_DRIVE_SHARE | |
7196 | reuse T_GOOGLE_DRIVE_DEAR_SOMETHING | |
7197 | reuse __PDS_GOOGLE_DRIVE_FILE | |
7198 | reuse __SHORT_BODY_G_DRIVE | |
7199 | reuse __SHORT_BODY_G_DRIVE_DYN | |
7200 | reuse T_SHORT_BODY_G_DRIVE_DYN | |
7201 | reuse T_FROM_NAME_EQ_TO_G_DRIVE | |
7202 | ##} reuse_sandbox | |
7203 | ||
7204 | ||
| # URI-shape sub-rules. The leading "__" marks each as an unscored building block | |
| # for meta rules. All of them key on long opaque tokens in a URI; such tokens | |
| # also occur in legitimate mail, so none is meant to carry a verdict on its own. | |
| # URI ends with 128 or more alphanumerics after a '/' or '?' (case-insensitive). | |
7205 | uri __128_ALNUM_URI m;[/?][0-9a-z]{128,}$;i | |
7206 | ||
| # A '/' followed by 128 lowercase hex digits anywhere in the URI. | |
| # Unlike its neighbours this has no /i flag and no end anchor, so upper-case hex | |
| # does not match and longer runs do. NOTE(review): confirm both are intended. | |
7207 | uri __128_HEX_URI m,/[0-9a-f]{128}, | |
7208 | ||
| # URI ends with 128 or more lowercase letters after a '/' or '?' (case-sensitive). | |
7209 | uri __128_LC_URI m;[/?][a-z]{128,}$; | |
7210 | ||
| # Image URI whose parent path segment is 45 or more alphanumerics. | |
7211 | uri __45_ALNUM_IMG m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g)$;i | |
7212 | ||
| # URI ends with 45 or more alphanumerics after a '/' or '?' (case-insensitive). | |
7213 | uri __45_ALNUM_URI m;[/?][0-9a-z]{45,}$;i | |
7214 | ||
| # "Only" variant: the 45+ rule hit while none of the 64+/128+ rules did. | |
| # NOTE(review): meta rules combine hits for the whole message, so a second URI | |
| # that trips a longer rule presumably suppresses this one too - confirm. | |
7215 | meta __45_ALNUM_URI_O __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI | |
7216 | ||
| # URI ends with 64 or more word characters after a '/' or '?'. | |
| # \w also admits '_', which the ALNUM rules above do not. | |
7217 | uri __64_ANY_URI m;[/?]\w{64,}$;i | |
7218 | ||
7219 | body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i | |
7220 | ||
7221 | body __ACCESS_REVOKE /(?:(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)|Ihre Kreditkarte wird gesperrt)/i | |
7222 | ||
7223 | body __ACCESS_SUSPENDED /\b(?:(?:access|account|e?-?mails) (?:suspension|(?:has|have) (?:been )?(?:temporar(?:il)?y (?:been )?)?(?:suspended|blocked|locked|blacklisted))|suspend (?:you from|your) access(?:ing)?|suspen(?:sion|se|ded) noti(?:ce|fication))\b/i | |
7224 | tflags __ACCESS_SUSPENDED multiple maxhits=2 | |
7225 | ||
7226 | body __ACCOUNT_DISRUPT /\b(?:ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)|(?:avoid|incoming) (?:[a-z]+ ){0,5}e?-?mails? (?:from )?being rejected|avoid (?:account|e?-?mail(?: ?box)? )?(?:shut ?down|suspension|locking|termination|expiration)|will terminate (?:your|its) service)\b/i | |
7227 | tflags __ACCOUNT_DISRUPT multiple maxhits=2 | |
7228 | ||
7229 | body __ACCOUNT_ERROR /\b(?:your account (?:is|appears to be) (?:incorrect|missing|in error|invalid))\b/i | |
7230 | ||
7231 | body __ACCOUNT_REACTIV /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i | |
7232 | ||
7233 | body __ACCOUNT_SECURE /\b(?:make your (?:"?[^\@\s]+\@\S+"? |e-?mail )?account more secure|Ihre Kreditkarte weist einige Sicherheitsprobleme)\b/i | |
7234 | ||
7235 | body __ACCOUNT_UPGRADE /\b(?:upgrade (?:of )your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded|Weiter zur Aktualisierung)\b/i # account-upgrade lure phrases (English and German). NOTE(review): the group (?:of ) is mandatory as written, so "upgrade your account" does not match; (?:of )? looks intended - confirm against corpus before changing | |
7236 | ||
7237 | meta __ACCT_PHISH (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __PDS_FROM_NAME_TO_DOMAIN) > 1 && !__ACCT_PHISH_MANY | |
7238 | ||
7239 | meta __ACCT_PHISH_MANY (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + __PDS_FROM_NAME_TO_DOMAIN) > 3 | |
7240 | ||
7241 | body __ACH_CANCELLED_01 /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i | |
7242 | ||
7243 | body __ACH_CANCELLED_02 /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i | |
7244 | ||
7245 | body __ACH_CANCELLED_03 /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i | |
7246 | ||
7247 | body __ACH_CANCELLED_04 /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i | |
7248 | ||
7249 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7250 | meta __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH | |
7251 | endif | |
7252 | ||
7253 | uri __AC_1SEQC_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/C\// | |
7254 | ||
7255 | uri __AC_1SEQV_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/V\// | |
7256 | ||
7257 | uri __AC_CHDSEQ_URI /\/chd[a-z0-9]{20,}/ | |
7258 | ||
7259 | header __AC_FROM_MANY_DOTS From =~ /<(?:\w{2,}\.){2,}\w+@/ | |
7260 | ||
7261 | meta __AC_FROM_MANY_DOTS_MINFP __AC_FROM_MANY_DOTS && !ALL_TRUSTED && !FREEMAIL_FORGED_FROMDOMAIN && !FORGED_GMAIL_RCVD && !__UNSUB_LINK && !__XM_VBULLETIN && !__RDNS_SHORT && !__REPTO_QUOTE && !__FSL_RELAY_GOOGLE && !__HAS_IN_REPLY_TO && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_MX_MESSY && !__CTYPE_MULTIPART_MIXED && !__RCD_RDNS_MTA && !__VIA_ML && !__HAS_ERRORS_TO | |
7262 | ||
7263 | rawbody __AC_HTML_ENTITY_BONANZA_SHRT_RAW /(?:&[A-Z0-9\#]{2,};\s{0,64}){10}/i | |
7264 | ||
7265 | uri __AC_LAND_URI /\/land\// | |
7266 | ||
7267 | uri __AC_LONGSEQ_URI /\/[A-Z0-9]{50,}\.(?:php|html|cgi)\b/ | |
7268 | ||
7269 | uri __AC_MHDSEQ_URI /\/mhd[a-z0-9]{20,}/ | |
7270 | ||
7271 | uri __AC_NDOMLONGNASPX_URI /[A-Za-z]+[0-9]{2}\.[A-Za-z0-9-]+\.me\/(?:[A-Za-z0-9-]{10,}\/){2}[0-9]{8,}\/[A-Za-z]+\.aspx/ | |
7272 | ||
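7273 | uri __AC_NUMS_URI /(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(?:php|html)\b/ # five numeric path segments, then .<token>.php or .html; the group was written (:? which allowed a stray colon before php and created an unused capture | |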
7274 | ||
7275 | uri __AC_OUTI_URI /\/outi\b/ | |
7276 | ||
7277 | uri __AC_OUTL_URI /\/outl\b/ | |
7278 | ||
7279 | uri __AC_PHPOFFSUB_URI /\/php\/off\/[0-9.]+\/sub\// | |
7280 | ||
7281 | uri __AC_PHPOFFTOP_URI /\/php\/off\/[0-9.]+\/top\// | |
7282 | ||
7283 | uri __AC_POSTHTMLEXTRAS /(?:main[0-9]?|mian|start(?:page)?|info(?:page|source|center)?|(?:one|view)?(?:site|source)(?:view|[0-9])?|(?:hub|file)one|index(?:[0-9]|page)?|mediafile|userlink|faction1)[.,]html?\/\w{2,}\b/i | |
7284 | ||
7285 | uri __AC_POSTIMGEXTRAS /(?:(?:main|external|hosted|new|file)?(?:im(?:g|age)?|user|one)s?-?(?:view(?:er)?|file|map|finder|portal|hub|online)?s?|library|media(?:source|-?files?)?|main|png|view|begin|file|port|space|webpics|host)(?:[-]?(?:[0-9]|one|two|three|four|five|six|seven|eight|nine))?[.,](?:jpe?g|png|gif)\/\w{2,}\b/i | |
7286 | ||
7287 | meta __AC_POST_EXTRAS (__AC_POSTHTMLEXTRAS || __AC_POSTIMGEXTRAS) | |
7288 | ||
7289 | uri __AC_PUNCTNUMS_URI /\.com\/[A-Za-z+=\/.?_-]{4,}[0-9]{9,12}[a-z0-9]{1,2}[A-Za-z+=\/.?_-]+[0-9]{7,9}[A-Za-z+=\/.?_-]{6,}[0-9]{7,9}\b/ | |
7290 | ||
7291 | uri __AC_REPORT_URI /\/report\// | |
7292 | ||
7293 | uri __AC_RMOVE_URI /\/r\/move\/[0-9]+\// | |
7294 | ||
7295 | rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i | |
7296 | ||
7297 | uri __AC_UHDSEQ_URI /\/uhd[a-z0-9]{20,}/ | |
7298 | ||
7299 | uri __AC_UNSUB_URI /\/unsub\// | |
7300 | ||
7301 | body __ADMAIL /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i | |
7302 | ||
7303 | body __ADMITS_SPAM /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:e-?mail[- ]+)?[a@]dvert[i1l]sement\b/i | |
7304 | ||
7305 | meta __ADVANCE_FEE_2_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 1) && !__THREAD_INDEX_GOOD | |
7306 | ||
7307 | meta __ADVANCE_FEE_2_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW | |
7308 | ||
7309 | meta __ADVANCE_FEE_2_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW | |
7310 | ||
7311 | meta __ADVANCE_FEE_2_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW | |
7312 | ||
7313 | meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 2) && !__THREAD_INDEX_GOOD | |
7314 | ||
7315 | meta __ADVANCE_FEE_3_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW | |
7316 | ||
7317 | meta __ADVANCE_FEE_3_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW | |
7318 | ||
7319 | meta __ADVANCE_FEE_3_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW | |
7320 | ||
7321 | meta __ADVANCE_FEE_4_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 3) && !__THREAD_INDEX_GOOD | |
7322 | ||
7323 | meta __ADVANCE_FEE_4_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW | |
7324 | ||
7325 | meta __ADVANCE_FEE_4_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW | |
7326 | ||
7327 | meta __ADVANCE_FEE_4_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW | |
7328 | ||
7329 | meta __ADVANCE_FEE_5_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 4) && !__THREAD_INDEX_GOOD | |
7330 | ||
7331 | meta __ADVANCE_FEE_5_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW | |
7332 | ||
7333 | meta __ADVANCE_FEE_5_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW | |
7334 | ||
7335 | meta __ADVANCE_FEE_5_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW | |
7336 | ||
7337 | body __AFF_004470_NUMBER /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/ | |
7338 | ||
7339 | body __AFF_LOTTERY /(?:lottery|winner)/i | |
7340 | ||
7341 | meta __AFRICAN_STATE (__NIGERIA || __IVORY_COAST || __BURKINA_FASO || __GHANA || __BENIN || __AFR_UNION) | |
7342 | ||
7343 | body __AFR_UNION /\bafrican\sunion\b/i | |
7344 | ||
7345 | body __AGREED_RATIO /\b(?:agreed|sharing)\s(?:ratios?|percent\w+)\b/i | |
7346 | ||
7347 | meta __ALIBABA_IMG_NOT_RCVD_ALI __URI_IMG_ALICDN && !__HDR_RCVD_ALIBABA | |
7348 | ||
7349 | header __AMADEUSMS_MUA X-Mailer =~ /^Amadeus Messaging Server/ | |
7350 | ||
7351 | meta __AMAZON_IMG_NOT_RCVD_AMZN __URI_IMG_AMAZON && !__HDR_RCVD_AMAZON | |
7352 | ||
7353 | body __AM_DYING /\b(?:am\s(?:\S+\s)?dying|terminally\sill|cancer|en\sphase\sterminale|(?:become|is|devenu|maladie)\sincurable|que\sje\smeurs)\b/i | |
7354 | ||
7355 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7356 | mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /\bimage\//i | |
7357 | endif | |
7358 | ||
7359 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7360 | meta __ANY_TEXT_ATTACH 0 | |
7361 | endif | |
7362 | ||
7363 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7364 | mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i | |
7365 | endif | |
7366 | ||
7367 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7368 | mimeheader __ANY_TEXT_ATTACH_DOC Content-Type =~ /text\/\w+/i | |
7369 | endif | |
7370 | ||
7371 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7372 | body __APP_DEVELOPMENT /\b(?:mobile apps|(?:apps?|portal) (?:dev(?:elop(?:ment|ed))?|design|test(?:ing)?|U[IX]|maintenance|support)|(?:we |can |have )+(?:design(?:ed)?|buil[dt]|maintain(?:ed)?|created?)(?: over| more than)?[\s0-9]+apps|different platforms|we are (?:[-a-z]+ ){1,4}(?:software|apps?) (?:company|develop(?:ers|ment)))\b/i | |
7373 | tflags __APP_DEVELOPMENT multiple maxhits=6 | |
7374 | endif | |
7375 | ||
7376 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7377 | meta __APP_DEVELOPMENT_MANY __APP_DEVELOPMENT > 5 | |
7378 | endif | |
7379 | ||
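7380 | body __ATM_CARD /\b(?:your|the|this|through|via|by\smeans\sof|that\sa|issue\s(?:(?:to|for)\s)?you\sa)[\s\(](?:\w{1,20}\s)?(?:atm|debit|(?:money[\s-]?gram\s)?fast\scash)(?:\smaster|swift|value?|cash)?[\s\)]card/i # advance-fee "ATM/debit card" wording; the pipe between "by means of" and "that a" was backslash-escaped, which demanded a literal pipe character in the body and left both alternatives dead | |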
7381 | ||
7382 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7383 | meta __ATTACH_NAME_NO_EXT 0 | |
7384 | endif | |
7385 | ||
7386 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7387 | mimeheader __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i | |
7388 | endif | |
7389 | ||
7390 | body __ATTN_MAIL_USER /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i | |
7391 | ||
7392 | body __AUTO_ACCIDENT /auto(?:mobile)? accident/i | |
7393 | ||
7394 | header __AXB_MO_OL_024C2 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2600\.0000/ | |
7395 | ||
7396 | header __AXB_MO_OL_1ECD5 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1081/ | |
7397 | ||
7398 | header __AXB_XM_OL_024C2 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2600\.0000/ | |
7399 | ||
7400 | header __AXB_XM_OL_1ECD5 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1081/ | |
7401 | ||
7402 | body __BACK_SCRATCH /\bmutual+y?\s(?:benefi(?:t|cial)|interest)\b/i | |
7403 | ||
7404 | body __BANK_DRAFT /\bbank\sdraft/i | |
7405 | ||
7406 | body __BARRISTER /\b(?:barrister|solicitor at law|barr\.)/i | |
7407 | ||
7408 | body __BENEFICIARY /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])n(?:e|=E9|[\xe9]|[\xc3][\xa9])fi(?:c|sh)i?ai?r(?:y|ies|es?)/i | |
7409 | ||
7410 | body __BENIN /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])nin\b/i | |
7411 | ||
7412 | body __BIGNUM_EMAILS /\b(?:thousand|million|\d[,1-9]{0,6}(?:[,0]{2,}k?|k))\s(?:(?!and|or|your|place|baby|suspicious|supportive|subpoenaed)\w+\s)?(?:e-?mail(?:(?![-:.\)\>\]])s?|\saddresses)|fax numbers|leads|names)\b/i | |
7413 | tflags __BIGNUM_EMAILS multiple maxhits=5 | |
7414 | ||
7415 | meta __BIGNUM_EMAILS_3 __BIGNUM_EMAILS > 2 | |
7416 | ||
7417 | meta __BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS && __freemail_hdr_replyto | |
7418 | ||
7419 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7420 | body __BITCOIN /\bB[-\s]?i[-\s]?t[-\s]?c[-\s]?o[-\s]?i[-\s]?n\b/i | |
7421 | endif | |
7422 | ||
7423 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7424 | body __BITCOIN /<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i | |
7425 | endif | |
7426 | ||
7427 | body __BITCOIN_ID /\b(?<!=)(?:[13](?:(?:[-_=\s][a-km-zA-HJ-NP-Z1-9]){29,34}|[a-km-zA-HJ-NP-Z1-9]{29,34})|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90}|b[-_=\s]c[-_=\s]1(?:[-_=\s][acdefghjklmnpqrstuvwxyz234567890]){30,90})\b/ # wallet-address shapes: a leading 1 or 3 plus 29-34 characters from an alphabet that omits 0, O, I and l, or a bc1 prefix plus 30-90 lowercase/digit characters; each shape also has a variant with one separator from [-_=\s] before every character. Case-sensitive (no /i), and not preceded by = | |
7428 | ||
7429 | meta __BITCOIN_IMGUR __IMGUR_IMG && __BITCOIN | |
7430 | ||
7431 | meta __BITCOIN_OBFU_SUBJ __BITCOIN && __SUBJ_OBFU_PUNCT | |
7432 | ||
7433 | meta __BITCOIN_SPAM_02 __BITCOIN_ID && __BOTH_INR_AND_REF | |
7434 | ||
7435 | meta __BITCOIN_SPAM_05 __BITCOIN_ID && __SPOOFED_FREEMAIL | |
7436 | ||
7437 | meta __BITCOIN_SPAM_07 __BITCOIN_ID && __TO_EQ_FROM | |
7438 | ||
7439 | meta __BITCOIN_WFH_01 __BITCOIN && __WFH_01 | |
7440 | ||
7441 | meta __BITCOIN_XPRIO __XPRIO && (__BITCOIN || __BITCOIN_ID) | |
7442 | ||
7443 | meta __BODY_SINGLE_URI (__BODY_SINGLE_WORD && __HAS_ANY_URI) | |
7444 | ||
7445 | meta __BODY_SINGLE_WORD __BODY_TEXT_LINE < 3 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1) | |
7446 | ||
7447 | body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s | |
7448 | ||
7449 | body __BODY_TEXT_LINE /^\s*\S/ | |
7450 | tflags __BODY_TEXT_LINE multiple maxhits=3 | |
7451 | ||
7452 | meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE | |
7453 | ||
7454 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7455 | full __BOGUS_MIME_HDR /\bContent-[XYZ]-[a-z]{6,15}:\s+[a-z]{6,15}\b/ | |
7456 | tflags __BOGUS_MIME_HDR multiple maxhits=8 | |
7457 | endif | |
7458 | ||
7459 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7460 | meta __BOGUS_MIME_HDR_MANY __BOGUS_MIME_HDR > 7 | |
7461 | endif | |
7462 | ||
7463 | header __BOGUS_MIME_VER_02 MIME-Version =~ /^(?!.*\b1\.0\b).+/ | |
7464 | ||
7465 | meta __BOGUS_MSM_HDRS __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX | |
7466 | ||
7467 | body __BONUS_LAST_DAY /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i | |
7468 | ||
7469 | meta __BOTH_INR_AND_REF (__XM_BALSA || __XM_CALYPSO || __XM_FORTE || __XM_MHE || __XM_SQRLMAIL || __XM_SYLPHEED || __THEBAT_MUA || __XM_VM || __XM_XIMEVOL || __UA_KMAIL || __UA_MOZ5 || __UA_OPERA7) | |
7470 | ||
7471 | body __BTC_OBFU_2 /\b\W{0,10}b(?!it[-\s]?coin)\W{0,10}i\W{0,10}t\W{0,10}c\W{0,10}o\W{0,10}i\W{0,10}n\W{0,10}\b/i | |
7472 | ||
7473 | body __BTC_OBFU_3 /\b\W{0,10}b(?!tc\b)\W{0,10}t\W{0,10}c\W{0,10}\b/i | |
7474 | ||
7475 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7476 | body __BTC_OBFU_4 /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i | |
7477 | endif | |
7478 | ||
7479 | body __BTC_OBFU_5 /&\#x62;&\#x69;&\#x74;&\#x63;&\#x6F;&\#x69;&\#x6E;/i | |
7480 | ||
7481 | rawbody __BUGGED_IMG m{<img\b[^>]{0,100}\ssrc=.?https?://[^>]{6,80}(?:\?[^>]{8}|[^a-z](?![a-f]{3}|20\d\d[01]\d[0-3]\d)[0-9a-f]{8})}i | |
7482 | ||
7483 | body __BURKINA_FASO /\bburkina\s?faso\b/i | |
7484 | ||
7485 | body __CANT_SEE_AD_1 /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i | |
7486 | ||
7487 | body __CANT_SEE_AD_2 /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i | |
7488 | ||
7489 | body __CAN_HELP /\bcan help\b/i | |
7490 | ||
7491 | body __CASHPRZ /cash prize of/ | |
7492 | ||
7493 | body __CHARITY /\b(?:charit(?:y|[ai]ble)|orphans?|homeless|orphelins|sans\sabri)\b/i | |
7494 | ||
7495 | body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here|(?:please|automatically) reduce (?:your|the) e?-?mail ?box size|reduce (?:your |the )?(?:e?-?mail(?: ?box)? )?size automatically)\b/i | |
7496 | tflags __CLEAN_MAILBOX multiple maxhits=2 | |
7497 | ||
7498 | rawbody __COMMENT_GIBBERISH /<!--(?:\s{1,10}[-\w'"]{1,40}){100}/im | |
7499 | ||
7500 | body __COMPENSATION /\b(?:compensat(?:e|ion)|recompensed?|ausgleich)\b/i | |
7501 | ||
7502 | body __CONTACT_ATTY /\bcontact(?:er)?\s(?:my|(?:de\s)?mon)\s(?:barrister|attou?rney|lawyer|avocat|gestionnaire)\b/i | |
7503 | ||
7504 | body __CONTACT_YOU /\b(?:contact(?:ing)\syou|vous\scontacter?)\b/i # "contacting you" / French "vous contacte(r)". NOTE(review): (?:ing) is mandatory as written, so plain "contact you" does not match; (?:ing)? looks intended - confirm before changing, this sub-rule feeds the __ADVANCE_FEE_*_NEW counts | |
7505 | ||
7506 | rawbody __CONTENT_AFTER_HTML /<\/html>\s*[a-z0-9]/i | |
7507 | ||
7508 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7509 | body __COPY_PASTE_EN /Copy (and|\+|\&) paste/i | |
7510 | endif | |
7511 | ||
7512 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7513 | body __COPY_PASTE_EN /<C><O><P><Y> (?:<A><N><D>|\+|\&) <P><A><S><T><E>/i | |
7514 | endif | |
7515 | ||
7516 | body __COURIER /\bcourier\s(?:company|service)\b/i | |
7517 | ||
7518 | header __CR_IN_SUBJ Subject:raw =~ /\015/ | |
7519 | ||
7520 | header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w+/i | |
7521 | ||
7522 | header __CTYPE_MULTIPART_MIXED Content-Type =~ /multipart\/mixed/i | |
7523 | ||
7524 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7525 | meta __CTYPE_NULL 0 | |
7526 | endif | |
7527 | ||
7528 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7529 | mimeheader __CTYPE_NULL Content-Type =~ /^\s*;/ | |
7530 | endif | |
7531 | ||
7532 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7533 | mimeheader __CTYPE_ONETAB_GIF Content-Type:raw =~ /^image\/gif;\n\tname=\".+?\"$/s | |
7534 | endif | |
7535 | ||
7536 | header __CT_ENCRYPTED Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/ | |
7537 | ||
7538 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7539 | mimeheader __CT_UTF7 Content-Type =~ /\bcharset=.?utf-7\b/i | |
7540 | endif | |
7541 | ||
7542 | header __DATE_LOWER ALL =~ /date:\s\S{5}/ | |
7543 | ||
7544 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7545 | body __DAY_I_EARNED /day,?\sI\s(?:earned|got|received|made|brought\sin)\s\$\s?\d{3}/i | |
7546 | tflags __DAY_I_EARNED multiple maxhits=4 | |
7547 | endif | |
7548 | ||
7549 | body __DBLCLAIM /avoid double claiming/ | |
7550 | ||
7551 | body __DEAD_PARENT /\b(?:my|meu)\s(?:(?:deceased|dead)\s(?:father|mother|husband)|(?:father|dad|mother|mom|husband|marido)(?:'?s)?\s(?:death|died|passed\saway|murder|was\s(?:killed|murdered|poisoned)|faleceu))/i | |
7552 | ||
7553 | body __DEAL /\b(?:(?:business|financial|this|the|mutual|die(?:se)?r?|cette|profitable)\s(?:deal|transa[ck]tion|proposal|off[er]{2}|venture|suggestion|partnership)|your\spartnership)/i | |
7554 | ||
7555 | body __DECEASED /\b(?:the|my|your|der|du|le|meu?)\s(?:deceased|late|verstorbenen|d(?:i|e|=E9|[\xe9]|[\xc3][\xa9])funto?|d(?:e|=E9|[\xe9]|[\xc3][\xa9])nt|falecido)\b/i | |
7556 | ||
7557 | body __DESTROY_ME /\b(?:destroy|hunt|quemar)\sm[eyi]\b/i | |
7558 | ||
7559 | body __DESTROY_YOU /\b(?:destroy\syou|deine Zukunft zerst\S{1,3}ren)/i | |
7560 | ||
7561 | body __DIED_IN /\bdied\sin\b/i | |
7562 | ||
7563 | body __DIPLOMATIC /\bdiplomatic\b/i | |
7564 | ||
7565 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7566 | tflags __DKIMWL_BLOCKED net | |
7567 | endif | |
7568 | ||
7569 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7570 | tflags __DKIMWL_BULKMAIL net | |
7571 | endif | |
7572 | ||
7573 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7574 | tflags __DKIMWL_FREEMAIL net | |
7575 | endif | |
7576 | ||
7577 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7578 | tflags __DKIMWL_WL_BL net | |
7579 | endif | |
7580 | ||
7581 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7582 | tflags __DKIMWL_WL_HI net | |
7583 | endif | |
7584 | ||
7585 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7586 | tflags __DKIMWL_WL_MED net | |
7587 | endif | |
7588 | ||
7589 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7590 | tflags __DKIMWL_WL_MEDHI net | |
7591 | endif | |
7592 | ||
7593 | header __DKIM_EXISTS exists:DKIM-Signature | |
7594 | tflags __DKIM_EXISTS nice | |
7595 | ||
7596 | body __DLND_ATTACH /\bdownload\sthe\sattach(?:ed|ment)\b/i | |
7597 | ||
7598 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7599 | meta __DOC_ATTACH 0 | |
7600 | endif | |
7601 | ||
7602 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7603 | meta __DOC_ATTACH (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2) | |
7604 | endif | |
7605 | ||
7606 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7607 | meta __DOC_ATTACH_FN1 0 | |
7608 | endif | |
7609 | ||
7610 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7611 | mimeheader __DOC_ATTACH_FN1 Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i | |
7612 | endif | |
7613 | ||
7614 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7615 | meta __DOC_ATTACH_FN2 0 | |
7616 | endif | |
7617 | ||
7618 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7619 | mimeheader __DOC_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i | |
7620 | endif | |
7621 | ||
7622 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7623 | meta __DOC_ATTACH_MT 0 | |
7624 | endif | |
7625 | ||
7626 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7627 | mimeheader __DOC_ATTACH_MT Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i | |
7628 | endif | |
7629 | ||
7630 | body __DORMANT_ACCT /\b(?:(?:dormant|abandoned|left\s?over)\s(?:account|fund|transaction|sum|deposit)|fonds\sdorment)/i | |
7631 | ||
7632 | body __DOS_BODY_FRI /\bfri(?:day)?\b/i | |
7633 | ||
7634 | body __DOS_BODY_MON /\bmon(?:day)?\b/i | |
7635 | ||
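7636 | body __DOS_BODY_SAT /\bsat(?:urday)?\b/i # day-name test used by __DOS_REF_TODAY; the optional suffix was (?:day), so only "sat"/"satday" matched and "Saturday" never did, unlike the sibling weekday rules | |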
7637 | ||
7638 | body __DOS_BODY_STOCK /\bstock\b/i | |
7639 | ||
7640 | body __DOS_BODY_SUN /\bsun(?:day)?\b/i | |
7641 | ||
7642 | body __DOS_BODY_THU /\bthu(?:r(?:s(?:day)?)?)?\b/i | |
7643 | ||
7644 | body __DOS_BODY_TICKER /\b[A-Z]{4}\.(?:OB|PK)\b/ | |
7645 | ||
7646 | body __DOS_BODY_TUE /\btue(?:s(?:day)?)?\b/i | |
7647 | ||
7648 | body __DOS_BODY_WED /\bwed(?:nesday)?\b/i | |
7649 | ||
7650 | body __DOS_COMING_TO_YOUR_PLACE /I (?:am|might(?: be)?) c[a-z]?o[a-z]?m[a-z]?(?:i[a-z]?n[a-z]?g[a-z]{0,2}|e down) to y[!a-z]{2,4}r (?:city|place[a-z]{0,2}|co[a-z]?u[a-z]?n[a-z]?t[a-z]?ry) in (?:f[a-z]?e[a-z]?w|\d{1,2}) (?:day|week)s/ | |
7651 | ||
7652 | body __DOS_CORRESPOND_EMAIL /correspond with me using my email/ | |
7653 | ||
7654 | meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT | |
7655 | ||
7656 | meta __DOS_DIRECT_TO_MX_UNTRUSTED __DOS_DIRECT_TO_MX && !ALL_TRUSTED | |
7657 | ||
7658 | body __DOS_DROP_ME_A_LINE /Drop me a line at/ | |
7659 | ||
7660 | body __DOS_EMAIL_DIRECTLY /(?:Email m[a-z]?e|address) direc(?:tl|lt)y at/ | |
7661 | ||
7662 | body __DOS_FIN_ADVANTAGE /\bfinancial advantage/i | |
7663 | ||
7664 | uri __DOS_HAS_ANY_URI /^\w+:\/\// | |
7665 | ||
7666 | header __DOS_HAS_LIST_ID exists:List-ID | |
7667 | ||
7668 | header __DOS_HAS_LIST_UNSUB exists:List-Unsubscribe | |
7669 | ||
7670 | header __DOS_HAS_MAILING_LIST exists:Mailing-List | |
7671 | ||
7672 | body __DOS_HI /^Hi,$/ | |
7673 | ||
7674 | body __DOS_I_AM_25 /I a.?m 25/ | |
7675 | ||
7676 | body __DOS_I_DRIVE_A /I drive a/ | |
7677 | ||
7678 | body __DOS_LET_GO_JOB /I was (?:let go|fired|layed off|dismissed) from a job I h(?:el|a)d for (?:2\d years|\d{3} months)/ | |
7679 | ||
7680 | body __DOS_LINK /\blink\b/ | |
7681 | ||
7682 | body __DOS_MEET_EACH_OTHER /(?:meet each other|[Mm]ay ?be we can meet)/ | |
7683 | ||
7684 | header __DOS_MSGID_DIGITS10 Message-ID =~ /<1[013-9]\d{8}\@.*>/ | |
7685 | ||
7686 | header __DOS_MSGID_DIGITS9 Message-ID =~ /<\d{9}\@.*>/ | |
7687 | ||
7688 | body __DOS_MY_OLD_JOB /my old job/ | |
7689 | ||
7690 | body __DOS_PERSONAL_EMAIL /personal email at/ | |
7691 | ||
7692 | header __DOS_RCVD_FRI Received =~ / Fri, / | |
7693 | ||
7694 | header __DOS_RCVD_MON Received =~ / Mon, / | |
7695 | ||
7696 | header __DOS_RCVD_SAT Received =~ / Sat, / | |
7697 | ||
7698 | header __DOS_RCVD_SUN Received =~ / Sun, / | |
7699 | ||
7700 | header __DOS_RCVD_THU Received =~ / Thu, / | |
7701 | ||
7702 | header __DOS_RCVD_TUE Received =~ / Tue, / | |
7703 | ||
7704 | header __DOS_RCVD_WED Received =~ / Wed, / | |
7705 | ||
7706 | meta __DOS_REF_2_WK_DAYS (__DOS_RCVD_MON && __DOS_BODY_WED) || (__DOS_RCVD_TUE && __DOS_BODY_THU) || (__DOS_RCVD_WED && __DOS_BODY_FRI) || (__DOS_RCVD_THU && __DOS_BODY_MON) || (__DOS_RCVD_FRI && __DOS_BODY_TUE) || (__DOS_RCVD_SAT && __DOS_BODY_TUE) || (__DOS_RCVD_SUN && __DOS_BODY_TUE) | |
7707 | ||
7708 | meta __DOS_REF_NEXT_WK_DAY (__DOS_RCVD_MON && __DOS_BODY_TUE) || (__DOS_RCVD_TUE && __DOS_BODY_WED) || (__DOS_RCVD_WED && __DOS_BODY_THU) || (__DOS_RCVD_THU && __DOS_BODY_FRI) || (__DOS_RCVD_FRI && __DOS_BODY_MON) || (__DOS_RCVD_SAT && __DOS_BODY_MON) || (__DOS_RCVD_SUN && __DOS_BODY_MON) | |
7709 | ||
7710 | meta __DOS_REF_TODAY (__DOS_RCVD_MON && __DOS_BODY_MON) || (__DOS_RCVD_TUE && __DOS_BODY_TUE) || (__DOS_RCVD_WED && __DOS_BODY_WED) || (__DOS_RCVD_THU && __DOS_BODY_THU) || (__DOS_RCVD_FRI && __DOS_BODY_FRI) || (__DOS_RCVD_SAT && __DOS_BODY_SAT) || (__DOS_RCVD_SUN && __DOS_BODY_SUN) | |
7711 | ||
7712 | header __DOS_RELAYED_EXT ALL-EXTERNAL =~ /(?:^|\n)[Rr][eE][cC][eE][iI][vV][eE][dD]:\s.+\n[Rr][eE][cC][eE][iI][vV][eE][dD]:\s/s | |
7713 | ||
7714 | header __DOS_SINGLE_EXT_RELAY X-Spam-Relays-External =~ /^\[ [^\]]+ \]$/ | |
7715 | ||
7716 | body __DOS_STEADY_COURSE /\bsteady (?:and increasing )?course\b/i | |
7717 | ||
7718 | body __DOS_STRONG_CF /\bstrong cash flow/i | |
7719 | ||
7720 | body __DOS_TAKING_HOME /Taking home \d (?:digit level|figures) in \d{1,2} months/ | |
7721 | ||
7722 | body __DOS_WRITE_ME_AT /[Ww].?r.?i.?t.?e me at/ | |
7723 | ||
7724 | meta __DOTGOV_IMAGE __URI_DOTGOV && __REMOTE_IMAGE | |
7725 | ||
7726 | meta __DYNAMIC_IMGUR __IMGUR_IMG && __RDNS_DYNAMIC_IPADDR | |
7727 | ||
7728 | body __EARLY_DEMISE /\buntimely\sdeath\b/i | |
7729 | ||
7730 | header __EBAY_ADDRESS From:addr =~ /[\@.]ebay\.\w\w\w?(?:\.\w\w)?$/i | |
7731 | ||
7732 | meta __EBAY_IMG_NOT_RCVD_EBAY __URI_IMG_EBAY && !__HDR_RCVD_EBAY | |
7733 | ||
# Mailbox/webmail credential-phishing indicators, combined by count.
# __EMAIL_PHISH adds up the listed subrules (the parenthesised OR group is
# added as one term) and fires when the sum is greater than 1, unless
# __EMAIL_PHISH_MANY also fires.  __EMAIL_PHISH_MANY uses the same list plus
# __TO_IN_SUBJ, __SUBJ_DOM_ADMIN and __FROM_DOM_ADMIN and requires a sum
# greater than 3, so the two metas never hit the same message.
7734 | meta __EMAIL_PHISH (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN) > 1) && !__EMAIL_PHISH_MANY | |
7735 | ||
7736 | meta __EMAIL_PHISH_MANY (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN) > 3) | |
7737 | ||
7738 | meta __EMPTY_BODY __BODY_TEXT_LINE < 2 && !__SMIME_MESSAGE | |
7739 | ||
# Matches opt-out wording such as "stop receiving these emails" or
# "do not wish to receive ... future mailings".
# NOTE(review): in the optional "... from" group, `a-z{1,30}` has no
# brackets, so it matches the literal text "a-" followed by 1-30 "z"
# characters rather than a word.  `[a-z]{1,30}` looks like what was meant.
# Confirm against the rule's upstream source; this file is overwritten on
# update, so a correction belongs there rather than here.
7740 | body __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:a-z{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i | |
7741 | ||
7742 | header __ENVFROM_AMAZONSES EnvelopeFrom =~ /\@amazonses\.com$/ | |
7743 | ||
7744 | header __ENVFROM_GOOG_TRIX EnvelopeFrom =~ /(?:@|=)trix\.bounces\.google\.com(?:$|=)/ | |
7745 | ||
7746 | meta __ENVFROM_GOOG_TRIX_SPAMMY __ENVFROM_GOOG_TRIX && (__GOOGLE_DOC_SUSP || FREEMAIL_REPLYTO_END_DIGIT || __ADVANCE_FEE_2_NEW || FORGED_GMAIL_RCVD || LOTS_OF_MONEY || __HAS_X_SOURCE_DIR ) | |
7747 | ||
# __EXE_ATTACH: hits a MIME part whose Content-Type header contains ".exe"
# (case-insensitive).  When the MIMEHeader plugin is not loaded the rule is
# defined as the constant 0, presumably so metas that reference it still
# evaluate.
# NOTE(review): only the Content-Type header is inspected.  A filename that
# appears solely in Content-Disposition, or any other executable extension,
# is outside what this rule checks; do not treat a miss as "no executable
# attachment".
7748 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7749 | meta __EXE_ATTACH 0 | |
7750 | endif | |
7751 | ||
7752 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7753 | mimeheader __EXE_ATTACH Content-Type =~ /\.exe\b/i | |
7754 | endif | |
7755 | ||
7756 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7757 | body __EXPLOSIVE_DEVICE /\b(?:explosive\sdevice|bomb)\b/i | |
7758 | endif | |
7759 | ||
7760 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7761 | body __EXPLOSIVE_DEVICE /(?:^|\s)(?:<E><X><P><L><O><S><I><V><E>\s<D><E><V><I><C><E>|<B><O><M><B>)\s/i | |
7762 | endif | |
7763 | ||
7764 | meta __EXTORT_MANY (__MY_MALWARE + __PAY_ME + __MY_VICTIM + __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE + __YOUR_PASSWORD + LOCALPART_IN_SUBJECT + __DESTROY_ME + __DESTROY_YOU + __EXPLOSIVE_DEVICE + __PAXFUL + __HUSH_HUSH) > 3 | |
7765 | ||
7766 | body __EX_CUSTOMER /\b(?:(?:dead|deceased|late|verstorbenen|death\sof\sthe)\s(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|depositor|mr\.|kunde|engr?\.?)|titulaire\sdu\scompte\sest\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|invest[eo]r\sdied|(?:e|=E9|[\xe9]|[\xc3][\xa9])tranger\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|mr\.|kunde|engr?\.?)\s(?:[a-z]{1,10}\s)?(?:dead|deceased|verstorbenen))/i | |
7767 | ||
7768 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7769 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7770 | body __E_LIKE_LETTER /<lcase_e>/ | |
7771 | tflags __E_LIKE_LETTER multiple maxhits=320 | |
7772 | endif | |
7773 | endif | |
7774 | ||
7775 | body __FAILED_LOGINS /unsuc+es+ful log-?[io]n at+empts/i | |
7776 | ||
# FBI impersonation indicators.  __FBI_SPOOF fires when the message claims
# FBI origin (From display name, From address ending in fbi.gov, or an
# upper-case "FEDERAL BUREAU OF INVESTIGATION(S)" at a line start in the
# body), no entry in X-Spam-Relays-External has an rdns ending in fbi.gov,
# and __HAS_REPLY_TO (defined elsewhere) is true.
# The two body patterns are case-sensitive; the From:name check is not.
# NOTE(review): `\bfbi\.gov` only needs a word boundary before "fbi", so a
# host such as "x-fbi.gov" satisfies both __FBI_FM_DOM and the
# __FBI_RCVD_DOM exclusion.  The exclusion also relies on the rdns value
# recorded for the relay; whether that value is forward-confirmed depends on
# the receiving MTA - confirm before treating it as proof of origin.
7777 | body __FBI_BODY_SHOUT_1 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/ | |
7778 | ||
7779 | rawbody __FBI_BODY_SHOUT_2 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/m | |
7780 | ||
7781 | header __FBI_FM_DOM From:addr =~ /\bfbi\.gov$/ | |
7782 | ||
7783 | header __FBI_FM_NAME From:name =~ /federal\sbureau\sof\sinvestigation/i | |
7784 | ||
7785 | header __FBI_RCVD_DOM X-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov / | |
7786 | ||
7787 | meta __FBI_SPOOF (__FBI_FM_NAME || __FBI_FM_DOM || __FBI_BODY_SHOUT_1 || __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __HAS_REPLY_TO | |
7788 | ||
7789 | body __FB_COST /\bcost\b/i | |
7790 | ||
7791 | body __FB_NUM_PERCNT /\d\s?\%/ | |
7792 | ||
7793 | body __FB_S_PRICE /pri{1,2}c[a-z]?e/i | |
7794 | ||
7795 | body __FB_S_STOCK /\bstock/i | |
7796 | ||
7797 | body __FB_TOUR /\btour/i | |
7798 | ||
7799 | body __FEES /\b(?:security|safe\w*|courier|registration|pay|paid|up-?front|processing|delivery|transfer|keeping)[\s\w]{0,15}\s(?:fee|charge)s?\b/i | |
7800 | ||
7801 | body __FIFTY_FIFTY /\b(?:50|fifty)(?:%?[\/:]50%?|%|\spercent)/i | |
7802 | ||
7803 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7804 | meta __FILL_THIS_FORM 0 | |
7805 | endif | |
7806 | ||
7807 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7808 | meta __FILL_THIS_FORM (__FILL_THIS_FORM_LONG || __FILL_THIS_FORM_PARTIAL > 4 || __FILL_THIS_FORM_PARTIAL_RAW > 4) | |
7809 | endif | |
7810 | ||
7811 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7812 | meta __FILL_THIS_FORM_FRAUD_PHISH 0 | |
7813 | endif | |
7814 | ||
7815 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7816 | meta __FILL_THIS_FORM_FRAUD_PHISH (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FILL_THIS_FORM_FRAUD_PHISH1 || __EMAIL_PHISH || __ACCT_PHISH) | |
7817 | endif | |
7818 | ||
7819 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7820 | meta __FILL_THIS_FORM_FRAUD_PHISH1 0 | |
7821 | endif | |
7822 | ||
7823 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7824 | body __FILL_THIS_FORM_FRAUD_PHISH1 /<FF_YOUR>(?:<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i | |
7825 | endif | |
7826 | ||
7827 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7828 | meta __FILL_THIS_FORM_LOAN 0 | |
7829 | endif | |
7830 | ||
7831 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7832 | meta __FILL_THIS_FORM_LOAN __FILL_THIS_FORM && __FILL_THIS_FORM_LOAN1 | |
7833 | endif | |
7834 | ||
7835 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7836 | meta __FILL_THIS_FORM_LOAN1 0 | |
7837 | endif | |
7838 | ||
7839 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7840 | body __FILL_THIS_FORM_LOAN1 /<FF_YOUR><FF_L1><FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i | |
7841 | endif | |
7842 | ||
7843 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7844 | meta __FILL_THIS_FORM_LONG 0 | |
7845 | endif | |
7846 | ||
7847 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7848 | meta __FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG1 || __FILL_THIS_FORM_LONG2 | |
7849 | endif | |
7850 | ||
7851 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7852 | meta __FILL_THIS_FORM_LONG1 0 | |
7853 | endif | |
7854 | ||
7855 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7856 | body __FILL_THIS_FORM_LONG1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i | |
7857 | endif | |
7858 | ||
7859 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7860 | meta __FILL_THIS_FORM_LONG2 0 | |
7861 | endif | |
7862 | ||
7863 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7864 | body __FILL_THIS_FORM_LONG2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i | |
7865 | endif | |
7866 | ||
7867 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7868 | meta __FILL_THIS_FORM_PARTIAL 0 | |
7869 | endif | |
7870 | ||
7871 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7872 | body __FILL_THIS_FORM_PARTIAL /^\s?<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20){1,4}$)/im | |
7873 | tflags __FILL_THIS_FORM_PARTIAL multiple maxhits=5 | |
7874 | endif | |
7875 | ||
7876 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7877 | meta __FILL_THIS_FORM_PARTIAL_RAW 0 | |
7878 | endif | |
7879 | ||
7880 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7881 | rawbody __FILL_THIS_FORM_PARTIAL_RAW /^(?>\s{0,50})<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20| |<\/\w+>){0,4}$)/im | |
7882 | tflags __FILL_THIS_FORM_PARTIAL_RAW multiple maxhits=5 | |
7883 | endif | |
7884 | ||
7885 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7886 | meta __FILL_THIS_FORM_SHORT 0 | |
7887 | endif | |
7888 | ||
7889 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7890 | meta __FILL_THIS_FORM_SHORT !__FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT1 || __FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_PARTIAL > 2 || __FILL_THIS_FORM_PARTIAL_RAW > 2) | |
7891 | endif | |
7892 | ||
7893 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7894 | meta __FILL_THIS_FORM_SHORT1 0 | |
7895 | endif | |
7896 | ||
7897 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7898 | body __FILL_THIS_FORM_SHORT1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i | |
7899 | endif | |
7900 | ||
7901 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7902 | meta __FILL_THIS_FORM_SHORT2 0 | |
7903 | endif | |
7904 | ||
7905 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7906 | body __FILL_THIS_FORM_SHORT2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i | |
7907 | endif | |
7908 | ||
7909 | header __FLASHMAIL_MUA X-Mailer =~ /^NetEase Flash Mail \d/ | |
7910 | ||
7911 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7912 | meta __FM_MY_PRICE __FB_S_PRICE | |
7913 | endif | |
7914 | ||
7915 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7916 | meta __FM_MY_PRICE (__FB_S_PRICE || __FRT_PRICE) | |
7917 | endif | |
7918 | ||
7919 | meta __FM_TO_ALL_NUMS __FROM_ALL_NUMS && __TO_ALL_NUMS | |
7920 | ||
# __FONT_INVIS: counts HTML tags (other than <style>) in the raw body whose
# attribute text sets a font size of 0 or 1 (with optional fraction) in
# px/pt/Q/vw/vh/vmin, a zero size in the other listed units, or
# `color: transparent`, and which are immediately followed by a word
# character.  Text styled this way is not visible to the reader.
# `multiple maxhits=11` records up to 11 hits so that the __FONT_INVIS_*
# metas can compare the count against thresholds up to 10.
# NOTE(review): the em/ex/in branch requires a ".0..." fraction
# (`0+(?:\.0\d*)`), so a plain "0em" is not matched as written; confirm
# whether that group was meant to be optional.
7921 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7922 | rawbody __FONT_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w/i | |
7923 | tflags __FONT_INVIS multiple maxhits=11 | |
7924 | endif | |
7925 | ||
7926 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7927 | meta __FONT_INVIS_10 __FONT_INVIS > 10 | |
7928 | endif | |
7929 | ||
7930 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7931 | meta __FONT_INVIS_2 __FONT_INVIS > 2 | |
7932 | endif | |
7933 | ||
7934 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7935 | meta __FONT_INVIS_5 __FONT_INVIS > 5 | |
7936 | endif | |
7937 | ||
7938 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7939 | meta __FONT_INVIS_CENTER __FONT_INVIS && __TAG_EXISTS_CENTER | |
7940 | endif | |
7941 | ||
7942 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7943 | meta __FONT_INVIS_DIRECT __FONT_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED | |
7944 | endif | |
7945 | ||
7946 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7947 | meta __FONT_INVIS_DOTGOV __FONT_INVIS && __URI_DOTGOV | |
7948 | endif | |
7949 | ||
7950 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7951 | meta __FONT_INVIS_HTML_NOHTML __FONT_INVIS && HTML_MIME_NO_HTML_TAG | |
7952 | endif | |
7953 | ||
7954 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7955 | meta __FONT_INVIS_LONG_LINE __FONT_INVIS && __LONGLINE | |
7956 | endif | |
7957 | ||
7958 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7959 | meta __FONT_INVIS_MANY __FONT_INVIS_2 | |
7960 | endif | |
7961 | ||
7962 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7963 | meta __FONT_INVIS_MSGID __FONT_INVIS && __MSGID_OK_HOST | |
7964 | endif | |
7965 | ||
7966 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7967 | meta __FONT_INVIS_NORDNS __FONT_INVIS && __RDNS_NONE | |
7968 | endif | |
7969 | ||
7970 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7971 | meta __FONT_INVIS_SINGLET __FONT_INVIS && __HTML_SINGLET | |
7972 | endif | |
7973 | ||
7974 | header __FORGED_MUA_POSTFIX0 User-Agent =~ /Postfix/ | |
7975 | ||
7976 | header __FORGED_MUA_POSTFIX1 X-Mailer =~ /Postfix/ | |
7977 | ||
7978 | meta __FORGED_TBIRD_IMG __MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0D | |
7979 | describe __FORGED_TBIRD_IMG Possibly forged Thunderbird image spam | |
7980 | ||
7981 | meta __FORM_FRAUD (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 1) | |
7982 | ||
7983 | meta __FORM_FRAUD_3 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3) | |
7984 | ||
7985 | meta __FORM_FRAUD_5 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5) | |
7986 | ||
# Form-style solicitation combined with low-contrast HTML text.
# NOTE(review): both operands of the OR are __FILL_THIS_FORM_SHORT2, so the
# first half of this meta reduces to that single rule.  One operand was
# probably meant to be a different form rule (for example
# __FILL_THIS_FORM_SHORT1) - confirm against the upstream source.
7987 | meta __FORM_LOW_CONTRAST (__FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_SHORT2) && __HTML_FONT_LOW_CONTRAST_MINFP | |
7988 | ||
7989 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7990 | body __FOR_SALE_LTP /00\.? (?:less 10%|LTP)/i | |
7991 | tflags __FOR_SALE_LTP multiple maxhits=11 | |
7992 | endif | |
7993 | ||
7994 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7995 | meta __FOR_SALE_LTP_MANY __FOR_SALE_LTP > 10 | |
7996 | endif | |
7997 | ||
7998 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7999 | body __FOR_SALE_NET /00\.? NET/i | |
8000 | tflags __FOR_SALE_NET multiple maxhits=11 | |
8001 | endif | |
8002 | ||
8003 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8004 | meta __FOR_SALE_NET_MANY __FOR_SALE_NET > 10 | |
8005 | endif | |
8006 | ||
8007 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8008 | body __FOR_SALE_OBO /\bor best offer\b/i | |
8009 | tflags __FOR_SALE_OBO multiple maxhits=6 | |
8010 | endif | |
8011 | ||
8012 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8013 | meta __FOR_SALE_OBO_MANY __FOR_SALE_OBO > 5 | |
8014 | endif | |
8015 | ||
8016 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8017 | body __FOR_SALE_PRC_100K /\bprice:? \$\d\d\d,\d\d\d/i | |
8018 | tflags __FOR_SALE_PRC_100K multiple maxhits=11 | |
8019 | endif | |
8020 | ||
8021 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8022 | meta __FOR_SALE_PRC_100K_MANY __FOR_SALE_PRC_100K > 5 | |
8023 | endif | |
8024 | ||
8025 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8026 | body __FOR_SALE_PRC_10K /\bprice:? \$\d\d,\d\d\d/i | |
8027 | tflags __FOR_SALE_PRC_10K multiple maxhits=11 | |
8028 | endif | |
8029 | ||
8030 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8031 | meta __FOR_SALE_PRC_10K_MANY __FOR_SALE_PRC_10K > 10 | |
8032 | endif | |
8033 | ||
8034 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8035 | body __FOR_SALE_PRC_1K /\bprice:? \$\d,?\d\d\d[.\s]/i | |
8036 | tflags __FOR_SALE_PRC_1K multiple maxhits=11 | |
8037 | endif | |
8038 | ||
8039 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8040 | meta __FOR_SALE_PRC_1K_MANY __FOR_SALE_PRC_1K > 10 | |
8041 | endif | |
8042 | ||
8043 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8044 | rawbody __FOR_SALE_PRC_EOL /\s\$\d{1,3},\d00(?:\.00)?$/m | |
8045 | tflags __FOR_SALE_PRC_EOL multiple maxhits=11 | |
8046 | endif | |
8047 | ||
8048 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8049 | meta __FOR_SALE_PRC_EOL_MANY __FOR_SALE_PRC_EOL > 10 | |
8050 | endif | |
8051 | ||
8052 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8053 | meta __FOR_SALE_PRC_MANY (__FOR_SALE_PRC_1K + __FOR_SALE_PRC_10K + __FOR_SALE_PRC_100K) > 20 | |
8054 | endif | |
8055 | ||
8056 | body __FOUND_YOU /\b(?:I|we)\sfound\syour?\b/i | |
8057 | ||
8058 | body __FRAUD /\b(?:de)?fraud/i | |
8059 | ||
8060 | body __FRAUD_IOV /\b(?:no risks?|risky?[- ]{0,3}free|free of risks?|100% safe|v\S{1,3}llig Risikofrei ist)\b/i | |
8061 | ||
8062 | body __FRAUD_PTX /\b(?:ass?ass?inat(?:ed|ion)|murder(?:e?d)?|poison(?:e?d)?|kill(?:ed|ing|ers)\b[^.]{0,99}\b(?:war veterans|rebels?)|les tueurs)\b/i | |
8063 | ||
8064 | body __FRAUD_XWW /\b(?:honest(?:ly)?\sco(?:-?operat(?:e|ion)|llaborat(?:e|ion))|ehrliche\szusammenarbeit|sichere [kc]o+p[eo]ration|col+aboration\swith\sme)\b/i | |
8065 | ||
8066 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
8067 | header __FREEMAIL_DISPTO eval:check_freemail_header('Disposition-Notification-To') | |
8068 | endif | |
8069 | ||
8070 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
8071 | meta __FREEMAIL_DOC_PDF (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) | |
8072 | endif | |
8073 | ||
8074 | meta __FREEMAIL_WFH_01 (FREEMAIL_FROM || FREEMAIL_REPLYTO) && __WFH_01 | |
8075 | ||
8076 | meta __FREEM_FRNUM_UNICD_EMPTY FREEMAIL_FROM && __FROM_ALL_NUMS && __FROM_ENCODED_B64 && __SUBJECT_ENCODED_B64 && __EMPTY_BODY | |
8077 | ||
8078 | if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
8079 | meta __FROM_41_FREEMAIL 0 | |
8080 | endif | |
8081 | ||
8082 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
8083 | meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED | |
8084 | describe __FROM_41_FREEMAIL Sent from Africa + freemail provider | |
8085 | endif | |
8086 | ||
8087 | if (version >= 3.004002) | |
8088 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8089 | header __FROM_ADDRLIST_BANKS eval:check_from_in_list('BANKS') | |
8090 | endif | |
8091 | endif | |
8092 | ||
8093 | if (version >= 3.004002) | |
8094 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8095 | header __FROM_ADDRLIST_GOV eval:check_from_in_list('GOV') | |
8096 | endif | |
8097 | endif | |
8098 | ||
8099 | if (version >= 3.004002) | |
8100 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8101 | header __FROM_ADDRLIST_PAYPAL eval:check_from_in_list('PAYPAL') | |
8102 | endif | |
8103 | endif | |
8104 | ||
8105 | if (version >= 3.004002) | |
8106 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8107 | header __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD') | |
8108 | endif | |
8109 | endif | |
8110 | ||
8111 | header __FROM_ADDR_WS From:addr =~ /\s/ | |
8112 | ||
8113 | header __FROM_ADMIN From =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i | |
8114 | ||
8115 | header __FROM_ALL_HEX From:addr =~ /^(?!(?:19|20)\d\d[01]\d[0-3]\d)(?![0-9a-f]*[a-f]{3})[0-9a-f]+\@/ | |
8116 | ||
8117 | header __FROM_ALL_NUMS From:addr =~ /^\d+@/ | |
8118 | ||
8119 | header __FROM_DNS From =~ /(?<![^\w.-])dns(?:admin)?\@/i | |
8120 | ||
8121 | meta __FROM_DOM_ADMIN __FROM_ADMIN && __PDS_FROM_NAME_TO_DOMAIN | |
8122 | ||
8123 | header __FROM_DOM_INFO From:addr =~ /\.info$/i | |
8124 | ||
8125 | header __FROM_EBAY From:addr =~ /\@ebay\.com$/i | |
8126 | ||
8127 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
8128 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
8129 | header __FROM_EQ_REPLY eval:check_fromname_equals_replyto() | |
8130 | endif | |
8131 | endif | |
8132 | ||
8133 | if (version >= 3.004001) | |
8134 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
8135 | tflags __FROM_FMBLA_NDBLOCKED net | |
8136 | endif | |
8137 | endif | |
8138 | ||
8139 | if (version >= 3.004001) | |
8140 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
8141 | tflags __FROM_FMBLA_NEWDOM net | |
8142 | endif | |
8143 | endif | |
8144 | ||
8145 | if (version >= 3.004001) | |
8146 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
8147 | tflags __FROM_FMBLA_NEWDOM14 net | |
8148 | endif | |
8149 | endif | |
8150 | ||
8151 | if (version >= 3.004001) | |
8152 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
8153 | tflags __FROM_FMBLA_NEWDOM28 net | |
8154 | endif | |
8155 | endif | |
8156 | ||
8157 | header __FROM_FULL_NAME From:name =~ /^[^a-z[:punct:][:cntrl:]\d\s][^[:punct:][:cntrl:]\d\s]*[[:punct:]\s]+[^a-z[:punct:][:cntrl:]\d\s]/ | |
8158 | tflags __FROM_FULL_NAME nice | |
8159 | ||
8160 | header __FROM_INFO From =~ /(?<![^\w.-])info\@/i | |
8161 | ||
8162 | header __FROM_LOWER ALL =~ /from:\s\S{5}/ | |
8163 | ||
8164 | header __FROM_MISSPACED From =~ /^\s*"[^"]*"</ | |
8165 | ||
8166 | meta __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __LCL__ENV_AND_HDR_FROM_MATCH | |
8167 | ||
8168 | if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
8169 | meta __FROM_MISSP_FREEMAIL 0 | |
8170 | endif | |
8171 | ||
8172 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
8173 | meta __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO) | |
8174 | endif | |
8175 | ||
8176 | meta __FROM_MISSP_REPLYTO __FROM_RUNON && __HAS_REPLY_TO | |
8177 | ||
8178 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
8179 | meta __FROM_MULTI_NORDNS __PDS_FROM_2_EMAILS && __RDNS_NONE | |
8180 | endif | |
8181 | ||
8182 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
8183 | meta __FROM_MULTI_SHORT_IMG __PDS_FROM_2_EMAILS && (HTML_IMAGE_ONLY_16 || HTML_SHORT_LINK_IMG_2 || __HTML_IMG_ONLY) | |
8184 | endif | |
8185 | ||
# Captures a two-token name that follows "From:" at a line start and
# requires the same text to appear alone on a later line within the next
# 2048 characters (back-reference \1 inside the lookahead).
# The explicit `.{1,2048}` bound limits how far the lookahead scans for each
# candidate "From:" line; keep it bounded, since `full` rules are matched
# against the complete message.
8186 | full __FROM_NAME_IN_MSG /^From:\s+([^<]\S+\s\S+)\s(?=.{1,2048}^\1\r?$)/sm | |
8187 | ||
8188 | header __FROM_PAYPAL From:addr =~ /\@paypal\.com$/i | |
8189 | ||
8190 | header __FROM_RUNON From =~ /\S+<\w+/ | |
8191 | ||
8192 | header __FROM_RUNON_UNCODED From:raw =~ /\S+(?<!\?=)<\w+/ | |
8193 | ||
8194 | header __FROM_WEB_DAEMON From:addr =~ /(?:apache|www|web|tomcat|\biis\b).*\@/i | |
8195 | ||
8196 | header __FROM_WORDY From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/ | |
8197 | ||
8198 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8199 | meta __FRT_PRICE 0 | |
8200 | endif | |
8201 | ||
8202 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8203 | body __FRT_PRICE /<inter SP2><post P2>\b(?!price)<P><R><IX><C><E>\b/i | |
8204 | endif | |
8205 | ||
8206 | rawbody __FR_SPACING_8 /[a-z0-9]{6}\s{8}[a-z0-9]{5}/i | |
8207 | ||
8208 | header __FSL_HAS_LIST_UNSUB exists:List-Unsubscribe | |
8209 | ||
# HELO and relay-identity checks on parsed relay metadata.
# __FSL_HELO_BARE_IP_1 looks only at the first bracketed entry of
# X-Spam-Relays-External (anchored with `^[^\]]+`) and requires a
# dotted-quad HELO not starting with 127 plus "auth=" followed by a space
# (presumably an empty, i.e. unauthenticated, value).
# __FSL_HELO_BARE_IP_2 accepts the same HELO shape in any entry of
# X-Spam-Relays-Untrusted.  The __FSL_HELO_USER_* rules match a HELO of
# "user" in the relay metadata or in raw Received headers.
# __FSL_RELAY_GOOGLE matches when the first external entry has an rdns
# ending in .google.com.
# NOTE(review): the rdns match is only as reliable as the reverse-DNS
# handling of the MTA that wrote the Received header - confirm it is
# forward-confirmed before using this rule to exempt mail.
8210 | header __FSL_HELO_BARE_IP_1 X-Spam-Relays-External =~ /^[^\]]+ helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} [^\]]*auth= /i | |
8211 | ||
8212 | header __FSL_HELO_BARE_IP_2 X-Spam-Relays-Untrusted =~ /helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} /i | |
8213 | ||
8214 | header __FSL_HELO_USER_1 X-Spam-Relays-External =~ / helo=user /i | |
8215 | ||
8216 | header __FSL_HELO_USER_2 Received =~ /from User(?:\s+by|\s*[\[\(]|$)/i | |
8217 | ||
8218 | header __FSL_HELO_USER_3 Received =~ /(?:eh|he)lo(?:=|\s)User\)/i | |
8219 | ||
8220 | header __FSL_RELAY_GOOGLE X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.google\.com\.? /i | |
8221 | ||
8222 | header __FS_SUBJ_RE Subject =~ /^Re: / | |
8223 | ||
8224 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8225 | body __FUZZY_DR_OZ /(?=<D>)(?!(?-i:D(?:r.|octor)(?:\s| )Oz))(?:<R>|<O><C>(?:<T><O><R>)?)\.?<WS>*<O><Z>(?:$|\W)/i | |
8226 | endif | |
8227 | ||
8228 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8229 | meta __FUZZY_MONERO 0 | |
8230 | endif | |
8231 | ||
8232 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8233 | body __FUZZY_MONERO /(?=<M>)(?!monero)<M><O><N><E><R><O>/i | |
8234 | endif | |
8235 | ||
8236 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8237 | body __FUZZY_PORN /(?=<P>)(?!pornograph?(?:y|i[ca]|er))<P><O><R><N><O><G><R><A><P><H>?(?:<Y>|<I><C>|<E><R>)/i | |
8238 | endif | |
8239 | ||
8240 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8241 | body __FUZZY_WELLSFARGO_BODY /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i | |
8242 | endif | |
8243 | ||
8244 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8245 | header __FUZZY_WELLSFARGO_FROM From:name =~ /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i | |
8246 | endif | |
8247 | ||
8248 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8249 | body __GAPPY_SALES_LEADS /\b(?:business|e?-?mail|your|marketing|advertising)\s(?!sales|leads|campaign)(?:s\s?a\s?l\s?e\s?s|l\s?e\s?a\s?d\s?s|c\s?a\s?m\s?p\s?a\s?i\s?g\s?n)\b/i | |
8250 | tflags __GAPPY_SALES_LEADS multiple maxhits=3 | |
8251 | endif | |
8252 | ||
8253 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8254 | meta __GAPPY_SALES_LEADS_MANY __GAPPY_SALES_LEADS > 2 | |
8255 | endif | |
8256 | ||
8257 | header __GB_FAKE_RF Subject =~ /(Fw|Re)\:[a-z0-9\+]/i | |
8258 | ||
8259 | body __GHANA /\bghana\b/i | |
8260 | ||
8261 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8262 | mimeheader __GIF_ATTACH Content-Type =~ /^image\/gif\b/i | |
8263 | endif | |
8264 | ||
# Matches offers to give or donate money (English, French and Polish
# phrasings).
# NOTE(review): two escapes look unintended.  `(?:\w\+\s){0,3}` matches one
# word character followed by a literal "+", not a whole word (`\w+\s`), so
# the "donated ... the sum of" branch effectively matches only when no words
# intervene.  `philanthropists\?` requires a literal "?" after the word.
# Confirm against the upstream source before changing either.
8265 | body __GIVE_MONEY /\b(?:(?:give\syou\s(?:this\s)?(?:money|fund|inheritance))|(?:donated?\s(?:\w\+\s){0,3}(?:the\ssum\sof|(?:(?:the|this|some)\s(?:money|funds?|inheritance)|to\s)(?:you|(?:(?:the|a)\s)?church|charit(?:y|ies)|humanit\w+|needy|poor|orphan(?:age)?s?|philanthropists\?)))|de vous donner cet argent|faire don de la somme|voudrais en faire don|tego funduszu do dom(?:=F3|[\xf3])w (?:dziecka|wdowy))\b/i | |
8266 | ||
8267 | meta __GOOGLE_DOCS_PHISH_1 __URI_GOOGLE_DOC && (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) | |
8268 | ||
8269 | meta __GOOGLE_DOCS_PHISH_2 __URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY | |
8270 | ||
8271 | meta __GOOGLE_DOC_SUSP __URI_GOOGLE_DOC && (__HAS_DOMAINKEY_SIG || __RDNS_NONE || __SYSADMIN || __STY_INVIS || LOTS_OF_MONEY || __XFER_MONEY || __ADVANCE_FEE_2_NEW) && !ALL_TRUSTED | |
8272 | ||
# Links that pass through a "url?" endpoint on a google.com subdomain, where
# the host shown is Google and the real destination is presumably carried in
# the query string.  __GOOG_REDIR matches any such link directly under
# "/url?"; __GOOG_MALWARE_DNLD allows a path before "url?" and additionally
# requires "download" preceded by "?", "&" or "/" later in the URL.
# NOTE(review): the host pattern `[^/]*\.google\.com` needs a "." before
# "google", so a link on the bare host google.com is not matched - confirm
# that is intended.
8273 | uri __GOOG_MALWARE_DNLD m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&/]download;i | |
8274 | ||
8275 | uri __GOOG_REDIR m;^https?://[^/]*\.google\.com/url\?;i | |
8276 | ||
8277 | meta __GOOG_STO_HTML_PHISH __URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY | |
8278 | ||
8279 | meta __GOOG_STO_IMG_HTML_1 __URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML | |
8280 | ||
8281 | meta __GOOG_STO_IMG_NOHTML __URI_GOOG_STO_IMG && !__URI_GOOG_STO_HTML | |
8282 | ||
8283 | meta __GOOG_STO_NOIMG_HTML !__URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML | |
8284 | ||
8285 | body __HAS_ANY_EMAIL /\w@\S+\.\w/ | |
8286 | ||
8287 | uri __HAS_ANY_URI /^\w+:\/\// | |
8288 | ||
8289 | header __HAS_CAMPAIGNID exists:X-Campaignid | |
8290 | ||
8291 | header __HAS_CID exists:X-CID | |
8292 | ||
8293 | header __HAS_COMPLAINT_TO exists:Complaint-To | |
8294 | ||
8295 | header __HAS_DOMAINKEY_SIG exists:DomainKey-Signature | |
8296 | ||
8297 | describe __HAS_HREF Has an anchor tag with a href attribute in non-quoted line | |
8298 | rawbody __HAS_HREF /^[^>].*?<a href=/im | |
8299 | tflags __HAS_HREF multiple maxhits=100 | |
8300 | ||
8301 | describe __HAS_HREF_ONECASE Has an anchor tag with a href attribute in non-quoted line with consistent case | |
8302 | rawbody __HAS_HREF_ONECASE /^[^>].*?<(a href|A HREF)=/m | |
8303 | tflags __HAS_HREF_ONECASE multiple maxhits=100 | |
8304 | ||
8305 | describe __HAS_IMG_SRC Has an img tag on a non-quoted line | |
8306 | rawbody __HAS_IMG_SRC /^[^>].*?<img src=/im | |
8307 | tflags __HAS_IMG_SRC multiple maxhits=100 | |
8308 | ||
8309 | rawbody __HAS_IMG_SRC_DATA /^[^>].*?<img src=['"]data/im | |
8310 | ||
8311 | describe __HAS_IMG_SRC_ONECASE Has an img tag on a non-quoted line with consistent case | |
8312 | rawbody __HAS_IMG_SRC_ONECASE /^[^>].*?<(img src|IMG SRC)=/m | |
8313 | tflags __HAS_IMG_SRC_ONECASE multiple maxhits=100 | |
8314 | ||
8315 | header __HAS_LIST_OPEN exists:List-Open | |
8316 | ||
8317 | header __HAS_LOGID exists:logid | |
8318 | ||
8319 | header __HAS_MESSAGEID exists:MessageID | |
8320 | ||
8321 | header __HAS_PHP_ORIG_SCRIPT exists:X-PHP-Originating-Script | |
8322 | ||
8323 | header __HAS_PHP_SCRIPT exists:X-PHP-Script | |
8324 | ||
8325 | header __HAS_THREAD_INDEX exists:Thread-Index | |
8326 | ||
8327 | header __HAS_TRACKING_CODE exists:Tracking-Code | |
8328 | ||
8329 | body __HAS_WON_01 /\bque ha ganado\b/i | |
8330 | ||
8331 | header __HAS_XM_LID exists:X-Mailer-LID | |
8332 | ||
8333 | header __HAS_XM_RECPTID exists:X-Mailer-RecptId | |
8334 | ||
8335 | header __HAS_XM_SENTBY exists:X-Mailer-Sent-By | |
8336 | ||
8337 | header __HAS_XM_SID exists:X-Mailer-SID | |
8338 | ||
8339 | header __HAS_X_EBSERVER exists:X-EBSERVER | |
8340 | ||
8341 | header __HAS_X_LETTER exists:X-Letter | |
8342 | ||
8343 | header __HAS_X_NO_RELAY exists:X-No-Relay | |
8344 | ||
8345 | header __HAS_X_OUTGOING_SPAM_STAT exists:X-OutGoing-Spam-Status | |
8346 | ||
8347 | header __HAS_X_SOURCE_DIR exists:X-Source-Dir | |
8348 | ||
8349 | header __HDRS_LCASE ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm | |
8350 | tflags __HDRS_LCASE multiple maxhits=3 | |
8351 | ||
8352 | meta __HDRS_LCASE_KNOWN __MSGID_JAVAMAIL || __UA_MSOEMAC || __UA_MSOMAC || __MSGID_APPLEMAIL || __MSGID_HEX_UID || __MSGID_HEXISH | |
8353 | ||
8354 | header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism | |
8355 | ||
8356 | header __HDR_ORDER_FTSDMCXXXX ALL =~ /\nFrom: .{1,80}?\nTo: .{1,80}?\nSubject: .{1,200}?\nDate: .{1,40}?\nMIME-Version: .{1,40}?\nContent-Type: .{1,120}?\nX-Priority: .{1,40}?\nX-MSMail-Priority: .{1,40}?\nX-Mailer: .{1,80}?\nX-MimeOLE:/s | |
8357 | ||
     | # __HDR_RCVD_* subrules: each tests X-Spam-Relays-External for a relay entry whose rdns= value ends in the named provider's domain. | |
     | # __HDR_RCVD_GOOGLE is narrower: the rdns value must begin with "mail-" and may end in a trailing dot. | |
     | # NOTE(review): none of these carries the "^[^\]]+" prefix that __HELO_HIGHPROFILE uses, so any relay entry in the header can satisfy them, not only the first. | |
     | # Entries further down the list presumably come from Received lines written by hosts outside the local network, so a hit is a hint, not proof of origin -- verify how the consuming metas use it. | |
8358 | header __HDR_RCVD_ALIBABA X-Spam-Relays-External =~ /\srdns=\S+\.alibaba\.com\s/ | |
8359 | ||
8360 | header __HDR_RCVD_AMAZON X-Spam-Relays-External =~ /\srdns=\S+\.amazon(?:ses)?\.com\s/ | |
8361 | ||
8362 | header __HDR_RCVD_EBAY X-Spam-Relays-External =~ /\srdns=\S+\.ebay\.com\s/ | |
8363 | ||
8364 | header __HDR_RCVD_GOOGLE X-Spam-Relays-External =~ / rdns=mail-\S+\.google\.com\.?\s/ | |
8365 | ||
8366 | header __HDR_RCVD_KEEPA X-Spam-Relays-External =~ /\srdns=\S+\.keepa\.com\s/ | |
8367 | ||
8368 | header __HDR_RCVD_NEWEGG X-Spam-Relays-External =~ /\srdns=\S+\.newegg\.com\s/ | |
8369 | ||
8370 | header __HDR_RCVD_SHOPIFY X-Spam-Relays-External =~ /\srdns=\S+\.shopify\.com\s/ | |
8371 | ||
8372 | header __HDR_RCVD_TONLINEDE X-Spam-Relays-External =~ /\srdns=\S+\.t-online\.de\s/ | |
8373 | ||
8374 | header __HDR_RCVD_WALMART X-Spam-Relays-External =~ /\srdns=\S+\.walmart\.com\s/ | |
8375 | ||
8376 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
8377 | tflags __HELO_DNS net | |
8378 | endif | |
8379 | ||
     | # "^[^\]]+" keeps the match inside the first relay entry (everything before the first "]"). | |
     | # Fires when that entry's helo= value contains one of the listed names immediately followed by "." and word characters, case-insensitively. | |
     | # "\S*" in front means the name may sit anywhere in the HELO string, so this is "HELO mentions a high-profile name", not "HELO is that provider". | |
8380 | header __HELO_HIGHPROFILE X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:hotmail|gmail|google|yahoo|msn|microsoft|outlook|paypal|xxx)\.[\w]+\b/i | |
8381 | ||
     | # First entry of X-Spam-Relays-Untrusted: helo= starts with a character that is neither a letter nor "?", and within 30 characters contains four runs of 1-3 digits, each followed by a non-digit. | |
     | # The trailing " auth= " requires the auth field to be followed directly by a space -- presumably an empty auth value; confirm against the relay-line format. | |
8382 | header __HELO_MISC_IP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^a-z\?]\S{0,30}(?:\d{1,3}[^\d]){4}[^\]]+ auth= /i | |
8383 | ||
     | # First entry: captures a non-empty rdns= value and fires when the helo= value does not begin with that same string (compared case-insensitively). | |
     | # NOTE(review): the lookahead is a prefix test, so a HELO that merely starts with the rdns value and continues with more characters is treated as equal to it. | |
8384 | header __HELO_NOT_RDNS X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!(?i)\1)\S/ | |
8385 | ||
     | # First entry: helo= value that contains no "." before the next space. | |
8386 | header __HELO_NO_DOMAIN X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ / | |
8387 | ||
8388 | body __HEXHASHWORD_S2EU /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}(?!-?\d{1,5}-)(?!\d{10}\s)(?:(?!--)[-0-9a-f]){10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/ | |
8389 | tflags __HEXHASHWORD_S2EU multiple maxhits=4 | |
8390 | ||
8391 | body __HK_LOTTO_2 /\blot(?:eri[ej]|t(?:ery|o)) ?(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department)/i | |
8392 | ||
8393 | body __HK_LOTTO_BALLOT /\b(?:promotional|on.?line|computer|internet|e-?mail|fran.aise) (?:ballot|draw|sweepstake)/i | |
8394 | ||
8395 | body __HK_LOTTO_STAATS /\bstaatsloteri/i | |
8396 | ||
8397 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
8398 | if (version >= 3.004000) | |
8399 | header __HK_NAME_FROM From:name =~ /^FROM\b/mi | |
8400 | endif | |
8401 | endif | |
8402 | ||
8403 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
8404 | if (version >= 3.004000) | |
8405 | header __HK_NAME_MR_MRS From:name =~ /^M(?:RS?|ISS)\b/mi | |
8406 | endif | |
8407 | endif | |
8408 | ||
8409 | body __HK_SCAM_N15 /\b(?:account (?:overseas?|offshore)|(?:overseas?|offshore) account)\b/i | |
8410 | ||
8411 | body __HK_SCAM_N16 /\b(?:arrangement secret|secret arrangement)\b/i | |
8412 | ||
8413 | body __HK_SCAM_N2 /\bnext of kin\b/i | |
8414 | ||
8415 | body __HK_SCAM_N3 /\bdirect telephone numbers?\b/i | |
8416 | ||
8417 | body __HK_SCAM_N8 /\byour compensation\b/i | |
8418 | ||
8419 | body __HK_SCAM_S1 /pay you the sum of/i | |
8420 | ||
8421 | body __HK_SCAM_S15 /(?:discovered a dormant account|can you be my partner)/i | |
8422 | ||
8423 | body __HK_SCAM_S25 /\bbank (?:in|of) ghana/i | |
8424 | ||
8425 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8426 | mimeheader __HK_SPAMMY_CDFN Content-Disposition =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi | |
8427 | endif | |
8428 | ||
8429 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8430 | mimeheader __HK_SPAMMY_CTFN Content-Type =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi | |
8431 | endif | |
8432 | ||
8433 | meta __HOSTED_IMG_DIRECT_MX __DOS_DIRECT_TO_MX && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC) | |
8434 | ||
8435 | meta __HOSTED_IMG_DQ_UNSUB __URI_DQ_UNSUB && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC) | |
8436 | ||
8437 | meta __HOSTED_IMG_FREEM ( FREEMAIL_REPLYTO || FREEMAIL_FROM ) && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_WP_REDIR || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC) | |
8438 | ||
     | # Adds up the hosted-image URI subrules and is true when the total is greater than 1, i.e. images from more than one of the listed hosts. | |
     | # NOTE(review): the last term is joined with a logical OR ("||") instead of "+". The sibling __HOSTED_IMG_* metas use OR lists, so this looks like a copy/paste slip. | |
     | # Assuming the usual precedence ("+" binds tighter than "||"), __URI_IMG_CHANNYPIC is only consulted when the sum to its left is 0 and so never adds to the "> 1" count. Confirm, and consider "+ __URI_IMG_CHANNYPIC". | |
8439 | meta __HOSTED_IMG_MULTI ( __URI_IMG_EBAY + __URI_IMG_AMAZON + __URI_IMG_ALICDN + __URI_IMG_WALMART + __URI_IMG_NEWEGG + __URI_IMG_SHOPIFY + __URI_IMG_YTIMG + __URI_IMG_JOOMCDN + __URI_IMG_WISH + __URI_IMG_WP_REDIR + __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC) > 1 | |
8440 | ||
8441 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8442 | body __HOURS_DEADLINE /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three|a few)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i | |
8443 | endif | |
8444 | ||
8445 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8446 | body __HOURS_DEADLINE /(?:^|\s)(?:(?:<G><I><V><E>\s<Y><O><U>|<G><E><B><E>\s<I><H><N><E><N>(?:\s<N><U><R>)?|<Y><O><U>\s(?:<W><I><L><L>\s)?<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?|<W><I><T><H><I><N>)(?:(\s<T><H><E>)?\s(?:<L><A><S><T>|<N><E><X><T>))?\s(?:\d+|<O><N><E>|<T><W><O>|<T><H><R><E><E>|<A> <F><E><W>)\s?(?:<H><O><U><R><S>?|<H><R>\s?<S>?|<D><A><Y><S>?|<S><T><U><N><D><E><N>)|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\s<H><O><U><R><S>?\s<B><E><F><O><R><E>\s(?:<S><E><N><D><I><N><G>|<R><E><L><E><A><S><I><N><G>|<E><X><P><O><S><I><N><G>|<P><U><B><L><I><S><H><I><N><G>)|(?:<T><H><E>|<Y><O><U><R>)\s<D><E><A><D><L><I><N><E>\s(?:<I><S>|<W><I><L><L>\s<B><E>))/i | |
8447 | endif | |
8448 | ||
8449 | rawbody __HS_QUOTE /^> / | |
8450 | ||
8451 | header __HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/ | |
8452 | ||
8453 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8454 | meta __HTML_ATTACH_01 0 | |
8455 | endif | |
8456 | ||
8457 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8458 | mimeheader __HTML_ATTACH_01 Content-Type =~ m,\btext/html\b.+\.html?\b,i | |
8459 | endif | |
8460 | ||
8461 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8462 | meta __HTML_ATTACH_02 0 | |
8463 | endif | |
8464 | ||
8465 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8466 | mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.html?\b,i | |
8467 | endif | |
8468 | ||
8469 | rawbody __HTML_ENTITY_ASCII /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){10}/i | |
8470 | ||
8471 | meta __HTML_ENTITY_ASCII_MINFP __HTML_ENTITY_ASCII && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML | |
8472 | ||
8473 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
8474 | meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN | |
8475 | endif | |
8476 | ||
8477 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
8478 | meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN && !DKIM_VALID | |
8479 | endif | |
8480 | ||
8481 | rawbody __HTML_FONT_TINY_01 /font-size:\s{0,5}[0-4]px;/i | |
8482 | ||
8483 | rawbody __HTML_OFF_PAGE /;(?:top|left):-\d{3,9}px;/i | |
8484 | ||
8485 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8486 | rawbody __HTML_SHRT_CMNT_OBFU /\w<!--\s*\w+\s*-->\w/ | |
8487 | tflags __HTML_SHRT_CMNT_OBFU multiple maxhits=10 | |
8488 | endif | |
8489 | ||
8490 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8491 | meta __HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU > 5 && HTML_MESSAGE | |
8492 | endif | |
8493 | ||
8494 | rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i | |
8495 | tflags __HTML_SINGLET multiple maxhits=21 | |
8496 | ||
8497 | meta __HTML_SINGLET_10 __HTML_SINGLET > 10 | |
8498 | ||
8499 | meta __HTML_SINGLET_MANY __HTML_SINGLET > 20 | |
8500 | ||
8501 | ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
8502 | body __HTML_TAG_BALANCE_CENTER eval:html_tag_balance('center', '!= 0') | |
8503 | endif | |
8504 | ||
8505 | body __HUSH_HUSH /\b(?:confiden[tc]i[ae]l(?:\b|ity\b|it(?:=E9|[\xe9]|[\xc3][\xa9]))|private\b|secr[e\xe8](?:te?|cy)\b|sensitive\b|concealed\b|obscured?\b|discre(?:et|tion)\b|very\sdiscrete|top\ssecret|vertraulich(?:en)?\b|geheim\b|priv(?:e|=E9|[\xe9]|[\xc3][\xa9]))/i | |
8506 | ||
8507 | uri __IMGUR_IMG m,^https?://(?:[^.]+\.)?imgur\.com/[a-z0-9]{7}\.(?:png|gif|jpe?g)$,i | |
8508 | tflags __IMGUR_IMG multiple maxhits=4 | |
8509 | ||
8510 | meta __IMGUR_IMG_2 __IMGUR_IMG == 2 | |
8511 | ||
8512 | meta __IMGUR_IMG_3 __IMGUR_IMG == 3 | |
8513 | ||
8514 | if !plugin(Mail::SpamAssassin::Plugin::ImageInfo) | |
8515 | meta __IMG_LE_300K 0 | |
8516 | endif | |
8517 | ||
8518 | ifplugin Mail::SpamAssassin::Plugin::ImageInfo | |
8519 | body __IMG_LE_300K eval:pixel_coverage('all',62500,300000) | |
8520 | endif | |
8521 | ||
8522 | body __INHERIT_PMT /\binheritance\spayment\s/i | |
8523 | ||
8524 | body __INTL_BANK /\b(?:international\s(?:\w+\s)?bank|banque\sinternationale)\b/i | |
8525 | ||
8526 | body __INVEST_COUNTRY /\binvest\sin\syour?\scountry\b/i | |
8527 | ||
8528 | body __INVEST_MONEY /\binvest(?:ir)?\s(?:this|ces|d[ae]s|sur ce|de ces)\s(?:money|f[ou]nds?)\b/i | |
8529 | ||
8530 | header __IP_IN_RELAY X-Spam-Relays-External =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) (?:[^\]]* )?(?:rdns|helo)=\S*(?:\1\D\2\D\3\D\4|\4\D\3\D\2\D\1)/ | |
8531 | ||
     | # Fallback: without the MIMEHeader plugin the subrule is defined as constant 0, so metas that reference it still resolve. | |
8532 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8533 | meta __ISO_ATTACH 0 | |
8534 | endif | |
8535 | ||
     | # Content-Disposition with a filename= value ending in ".iso", followed by a double quote, ";" or "$". | |
     | # NOTE(review): inside a bracketed class "$" is a literal dollar sign, not an end-of-string anchor, so an unquoted "filename=x.iso" that ends the header value is not matched. | |
     | # If end-of-value was intended, (?:[";]|$) expresses it. The RFC 2231 "filename*=" form, which __MALW_ATTACH_01_01 handles, is not covered here either. | |
8536 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8537 | mimeheader __ISO_ATTACH Content-Disposition =~ m,\bfilename="?[^"]+\.iso[";$],i | |
8538 | endif | |
8539 | ||
     | # Same constant-0 fallback for the media-type variant. | |
8540 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8541 | meta __ISO_ATTACH_MT 0 | |
8542 | endif | |
8543 | ||
     | # Content-Type naming the application/x-iso9660-image media type; this identifies the attachment by declared type rather than by file name. | |
8544 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8545 | mimeheader __ISO_ATTACH_MT Content-Type =~ m,\bapplication/x-iso9660-image\b,i | |
8546 | endif | |
8547 | ||
8548 | body __IS_LEGAL /\b(?:(?:(this|esta)\s(?:deal|offer|transac[tc]i(?:o|[\xc3][\xb3])n|proposal|exchange|arrangement|work)|it)?\s[ie]s\s(?:(?:guaranteed|completely|absolutely|perfectly|100%|very|fully)\s)?(?:legal|hitch-free|seguro|legitimate)|legitimate\sarrangement|toute?\sl(?:e|=E9|[\xe9]|[\xc3][\xa9])gale)\b/i | |
8549 | ||
8550 | body __IVORY_COAST /\b(?:Cote\s?D.Ivoire|Ivory\s?Coast|Costa\sde\sMarfil)\b/i | |
8551 | ||
8552 | body __I_INHERIT /\b(?:I|eu)\s[a-z\s]{0,30}(?:inherited|herdei)\b/i | |
8553 | ||
8554 | body __I_WILL_YOU /\bwill(?:ed)?\s(?:[a-z\s]{0,20}(?:fortune|money|\$[\d,]+[a-z]{0,9})\s)?to\syou\b/i | |
8555 | ||
8556 | header __JM_REACTOR_DATE Date =~ / \+0000$/ | |
8557 | ||
8558 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8559 | mimeheader __JPEG_ATTACH Content-Type =~ /image\/jpe?g/i | |
8560 | endif | |
8561 | ||
     | # Content-Type that declares charset utf-7, optionally in the "unicode-N-N-utf-7" spelling. | |
     | # Presumably flagged because UTF-7 encodes arbitrary characters in plain ASCII, so a scanner that does not decode it sees different text than a client that does -- confirm against the consuming rule. | |
     | # NOTE(review): no constant-0 fallback is defined here for the case where MIMEHeader is not loaded, unlike __ISO_ATTACH. | |
8562 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8563 | mimeheader __KAM_BLOCK_UTF7_2 Content-Type =~ /charset=(?:unicode-\d+-\d+-)?utf-7/i | |
8564 | endif | |
8565 | ||
8566 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8567 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
8568 | body __KAM_BODY_LENGTH_LT_1024 eval:check_body_length('1024') | |
8569 | describe __KAM_BODY_LENGTH_LT_1024 The length of the body of the email is less than 1024 bytes. | |
8570 | endif | |
8571 | endif | |
8572 | ||
8573 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8574 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
8575 | body __KAM_BODY_LENGTH_LT_128 eval:check_body_length('128') | |
8576 | describe __KAM_BODY_LENGTH_LT_128 The length of the body of the email is less than 128 bytes. | |
8577 | endif | |
8578 | endif | |
8579 | ||
8580 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8581 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
8582 | body __KAM_BODY_LENGTH_LT_256 eval:check_body_length('256') | |
8583 | describe __KAM_BODY_LENGTH_LT_256 The length of the body of the email is less than 256 bytes. | |
8584 | endif | |
8585 | endif | |
8586 | ||
8587 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8588 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
8589 | body __KAM_BODY_LENGTH_LT_512 eval:check_body_length('512') | |
8590 | describe __KAM_BODY_LENGTH_LT_512 The length of the body of the email is less than 512 bytes. | |
8591 | endif | |
8592 | endif | |
8593 | ||
8594 | if !plugin(Mail::SpamAssassin::Plugin::HTMLEval) | |
8595 | meta __KAM_HTML_FONT_INVALID 0 | |
8596 | endif | |
8597 | ||
8598 | ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
8599 | body __KAM_HTML_FONT_INVALID eval:html_test('font_invalid_color') | |
8600 | endif | |
8601 | ||
8602 | body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is | |
8603 | ||
8604 | header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t/ | |
8605 | ||
8606 | header __KB_MSGID_OUTLOOK_888 Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/ | |
8607 | ||
8608 | meta __KHOP_NO_FULL_NAME !(__NOT_A_PERSON || __FROM_ENCODED_QP || __FROM_NEEDS_MIME || __FROM_FULL_NAME) | |
8609 | ||
8610 | if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) | |
8611 | meta __LARGE_PERCENT_AFTER 0 | |
8612 | endif | |
8613 | ||
8614 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8615 | body __LARGE_PERCENT_AFTER /\d{3}% after/i | |
8616 | tflags __LARGE_PERCENT_AFTER multiple maxhits=4 | |
8617 | endif | |
8618 | ||
8619 | if !plugin(Mail::SpamAssassin::Plugin::HeaderEval) | |
8620 | meta __LCL__ENV_AND_HDR_FROM_MATCH 0 | |
8621 | endif | |
8622 | ||
8623 | ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
8624 | meta __LCL__ENV_AND_HDR_FROM_MATCH __ENV_AND_HDR_FROM_MATCH | |
8625 | endif | |
8626 | ||
8627 | if !plugin(Mail::SpamAssassin::Plugin::BodyEval) | |
8628 | meta __LCL__KAM_BODY_LENGTH_LT_1024 0 | |
8629 | endif | |
8630 | ||
8631 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8632 | if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) | |
8633 | meta __LCL__KAM_BODY_LENGTH_LT_1024 0 | |
8634 | endif | |
8635 | endif | |
8636 | ||
8637 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8638 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
8639 | meta __LCL__KAM_BODY_LENGTH_LT_1024 __KAM_BODY_LENGTH_LT_1024 | |
8640 | endif | |
8641 | endif | |
8642 | ||
8643 | if !plugin(Mail::SpamAssassin::Plugin::BodyEval) | |
8644 | meta __LCL__KAM_BODY_LENGTH_LT_128 0 | |
8645 | endif | |
8646 | ||
8647 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8648 | if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) | |
8649 | meta __LCL__KAM_BODY_LENGTH_LT_128 0 | |
8650 | endif | |
8651 | endif | |
8652 | ||
8653 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8654 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
8655 | meta __LCL__KAM_BODY_LENGTH_LT_128 __KAM_BODY_LENGTH_LT_128 | |
8656 | endif | |
8657 | endif | |
8658 | ||
8659 | if !plugin(Mail::SpamAssassin::Plugin::BodyEval) | |
8660 | meta __LCL__KAM_BODY_LENGTH_LT_512 0 | |
8661 | endif | |
8662 | ||
8663 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8664 | if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) | |
8665 | meta __LCL__KAM_BODY_LENGTH_LT_512 0 | |
8666 | endif | |
8667 | endif | |
8668 | ||
8669 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8670 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
8671 | meta __LCL__KAM_BODY_LENGTH_LT_512 __KAM_BODY_LENGTH_LT_512 | |
8672 | endif | |
8673 | endif | |
8674 | ||
8675 | meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID | |
8676 | ||
8677 | meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1 | |
8678 | ||
8679 | meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR | |
8680 | ||
     | # Body token starting with L, M or 3 followed by 26-33 characters from an alphabet that leaves out 0, O, I and l, and not preceded by "=". | |
     | # NOTE(review): the pattern checks shape only; other strings with the same lead character and alphabet will presumably match as well. | |
8681 | body __LITECOIN_ID /\b(?<!=)[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b/ | |
8682 | ||
     | # URI containing "http(s)://", one host label, a dot, and a remainder that does not begin with "paypal.com". | |
     | # NOTE(review): the lookahead is a prefix test and is not tied to the end of the host name, so a host that continues past "paypal.com" is exempted as if it were PayPal. | |
     | # Conversely a bare "paypal.com" host with no leading label is not exempted and matches. Ending the lookahead with (?:[/:?]|$) and allowing the no-subdomain case would tighten both. | |
     | # The pattern has no "^", so the scheme may also be found later in the URI -- verify against the meta that consumes this subrule. | |
8683 | uri __LOCAL_PP_NONPPURL m'https?://(?:[A-Za-z0-9-_]+)\.(?!paypal\.com)(?:[A-Za-z0-9-_\.]+)'i | |
8684 | ||
8685 | body __LOCK_MAILBOX /\b(?:(?:deactivate|lock(?: up)?|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server)|you will be deactivated|(?:account|e?-?mail(?: ?box)?) (?:will (?:be )?)?(?:shut ?down|expire|deactivate)|we have (?:stopped|suspended) (?:processing|accepting) (?:any )?(?:incoming|new|fresh) email)/i | |
8686 | tflags __LOCK_MAILBOX multiple maxhits=2 | |
8687 | ||
     | # "full" rule: any line of the message holding at least 998 characters other than CR and LF. | |
     | # NOTE(review): RFC 5322 allows up to 998 characters per line excluding CRLF, so a line of exactly 998 still hits -- confirm whether {999} was intended. | |
8688 | full __LONGLINE /^[^\r\n]{998}/m | |
8689 | ||
     | # div whose double-quoted style attribute is exactly "visibility:hidden" or "display:none", immediately followed by 1400 characters containing no whitespace and no "<". | |
     | # NOTE(review): (?<!-) directly follows the opening quote, so the preceding character is always the quote and the lookbehind can never fail. | |
     | # Single-quoted style attributes, or ones carrying any additional property, are not matched. | |
8690 | rawbody __LONG_INVIS_DIV /<div\s+style\s*=\s*"(?:(?<!-)visibility\s*:\s*hidden|display\s*:\s*none)\s*">[^<\s]{1400}/i | |
8691 | ||
8692 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8693 | meta __LONG_STY_INVIS __STY_INVIS && __LONGLINE | |
8694 | endif | |
8695 | ||
8696 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8697 | meta __LOTSA_MONEY_00 0 | |
8698 | endif | |
8699 | ||
8700 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8701 | body __LOTSA_MONEY_00 /<CURRENCY>[\s\.]?<NUM_NOT_DATE>[\dOo][,\.][\dOo]{3}(?:(?!\d)|\b)/ | |
8702 | endif | |
8703 | ||
8704 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8705 | meta __LOTSA_MONEY_01 0 | |
8706 | endif | |
8707 | ||
8708 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8709 | body __LOTSA_MONEY_01 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)[\s\.]?<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo](?<!\.00)\b/ | |
8710 | endif | |
8711 | ||
8712 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8713 | meta __LOTSA_MONEY_02 0 | |
8714 | endif | |
8715 | ||
8716 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8717 | body __LOTSA_MONEY_02 /(?<![-\d])<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo][\)\]\(]?\s?(?:<CURRENCY>|Pounds|(?i:dollars?|bucks))\b/ | |
8718 | endif | |
8719 | ||
8720 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8721 | meta __LOTSA_MONEY_03 0 | |
8722 | endif | |
8723 | ||
8724 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8725 | body __LOTSA_MONEY_03 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)<NUM_NOT_DATE>[\d.,\sOo]{0,5}[\)\]]?\s?(?i:M(?i:il+)?\b|mil+(?i:io|<O>)n|hund?[re]+a?[dt]|thousand|tausend|milh[\xf5]es)/ | |
8726 | endif | |
8727 | ||
8728 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8729 | meta __LOTSA_MONEY_04 0 | |
8730 | endif | |
8731 | ||
8732 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8733 | body __LOTSA_MONEY_04 /(?:(?<![-\d])<NUM_NOT_DATE>[\d\.,]{0,4}(?:M|\smilli?one?s|\s?mln)|million(?!s)|mill<O>n|hund?rea?d(?!s)[^\.]{1,25}thousand(?!s)|cents?[^\.]{1,25}mille|hundert[^\.]{1,30}tausend|ientos?[^\.]{1,20}mil|cent[a-z\s]{1,20}mil\s[a-z]{1,20}centos)[^\.\$]{0,50}?(?:(?:U\.?\s?S\.?\s?(?:A\.?\s?)?|united\s?states\s|E\.\s?U\.\s|canad(?:ian|a)\s|(?:ia\s)?de\s)?d(?:[o\xf3]|[\xc3][\xb3])l+are?s?|\bbucks|USD|GBP|<GB_UK>\spounds?|(?:<GB_UK>\s)?pounds?\ssterling|pounds(?!\sof)|(?:d'\s?)?euros?|francs?)\b/i | |
8734 | endif | |
8735 | ||
8736 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8737 | meta __LOTSA_MONEY_05 0 | |
8738 | endif | |
8739 | ||
8740 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8741 | body __LOTSA_MONEY_05 /(?:(?:sum|value|amount)\sof\s)<NUM_NOT_DATE_IP>[\d.,\sO]{7,20}[\dO\.][\)\]\(\s]{0,3}(?:pounds?|dollars?|euros?|bucks)\b/i | |
8742 | endif | |
8743 | ||
8744 | meta __LOTTO_ADMITS __LOTTO_ADMITS_1 || __LOTTO_ADMITS_2 || __LOTTO_ADMITS_3 || __LOTTO_ATTACH_1 || __LOTTO_ATTACH_2 | |
8745 | ||
8746 | body __LOTTO_ADMITS_1 /\b(?:on-?line|e-?mail|ballot|(?:inter)?national|state|(?:UK|euro)[- ]?(?:mil+ions?|PW)|Canada|Microsoft|MSN|internet|mega|jackpot+|Royal Heritage|foundation|cash\sgrant|mercato|univers|staatsloterij|bill\s?gates|Olympics?|swiss|this|est[ea]|internationaux de gagnants de)(?:\s(?!lot|swe|prom)\w{1,20}){0,3}\s?(?:lot(?:to|t+ery|eri[ea])|sweepstakes?|promo(?:tion|cao|cion)?|jackpot+)\b/i | |
8747 | ||
8748 | body __LOTTO_ADMITS_2 /\b(?:free)?(?:lot(?:to|tery|erie)|sweepstakes)\s(?:(?:inter)?na[tz]ional|department|bureau|group|award|microsoft)/i | |
8749 | ||
8750 | uri __LOTTO_ADMITS_3 /lott+ery/i | |
8751 | ||
8752 | meta __LOTTO_AGENT __LOTTO_AGENT_01 || __LOTTO_AGENT_02 | |
8753 | ||
8754 | body __LOTTO_AGENT_01 /\b(?:(?:(?:the|y?our)(?:\s\w{1,20})?|contact|accredited|listed)\sclaim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:prize|international|intl|foreign|win+ing)(?:[\s,.]+(?:rem+it+ance|settlement|payment|payout|award|transfer))+|payment|payout|immunity|(?<!memory\s)grants?(?!\smanager))\s?(?:agent|manager|officer|secretary|director|mgr\b)/i | |
8755 | ||
8756 | body __LOTTO_AGENT_02 /\blot+ery[^\.]{1,40} ticket agent/i | |
8757 | ||
8758 | header __LOTTO_AGENT_RPLY Reply-To =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize\stransfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i | |
8759 | ||
8760 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8761 | meta __LOTTO_ATTACH_1 0 | |
8762 | endif | |
8763 | ||
8764 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8765 | mimeheader __LOTTO_ATTACH_1 Content-Type =~ /lott(?:o|ery)/i | |
8766 | endif | |
8767 | ||
8768 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8769 | meta __LOTTO_ATTACH_2 0 | |
8770 | endif | |
8771 | ||
8772 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8773 | mimeheader __LOTTO_ATTACH_2 Content-Disposition =~ /lott(?:o|ery)/i | |
8774 | endif | |
8775 | ||
8776 | body __LOTTO_DEPT /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)(?:\s(?:rem+it+ance|settlement|payment|award))+|payment|award|compensation|lot+ery)(?:\s\w+)?\s?(?:department|dept|unit|group|committee|bureau)/i | |
8777 | ||
8778 | body __LOTTO_RELATED /\b(?:lot+(?:o|ery)|sweepstakes)\s(?:prize|draw(?:s|ing)?|(?:ge)?win(?:n?er|n?ing)?|jackpot+|award|fund|com+it+e+|com+is+ion|guild|promotion|promocao|program|day|online|company|(?:in)?corporat|agent|co[-,]?ordinator|team)/i | |
8779 | ||
8780 | body __LOTTO_VERIFY /\bpromo\sverification/i | |
8781 | ||
8782 | body __LOTTO_WINNINGS /\b(?:claim|process(?:ing)?|transfert?(?:\s\w+)?|redeem|payment|virement|zahlung|reivindicar|demandar|remise)\s(?:(?:[a-z]{1,5}\s)?(?:your|of|the|this|de|ihrer|seu|tu)\s)+(?:win+ings?|money|(?:cash\s)?prize|award|f[ou]nds?|grant|gewinne|premio|gain)\b/i | |
8783 | ||
8784 | body __LOTTO_WIN_01 /\bwin+ing\s(?:prize|number|notification|draw|check|cheque|details|information|payment)/i | |
8785 | ||
8786 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8787 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8788 | body __LOWER_E /e/ | |
8789 | tflags __LOWER_E multiple maxhits=230 | |
8790 | endif | |
8791 | endif | |
8792 | ||
8793 | body __LUCKY_WINNER /\b(?:lucky|gl.cklich(?:en)?|afortunados)\s(?:(?:ge)?win+ers?|ganador(?:es)?|individuals?)\b/i | |
8794 | ||
8795 | body __LUCRATIVE /\b(?:lucrative|profitable|tr[\xe8]s\ssalutaire)\b/i | |
8796 | ||
8797 | rawbody __L_BODY_8BITS /[\x80-\xff]/ | |
8798 | ||
8799 | header __L_CTE_7BIT Content-Transfer-Encoding =~ /^7bit$/ | |
8800 | ||
8801 | body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|quota is running low|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i | |
8802 | ||
8803 | body __MAILBOX_FULL_SE /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i | |
8804 | ||
8805 | header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/ | |
8806 | ||
8807 | body __MAIL_ACCT_ACCESS1 /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i | |
8808 | ||
8809 | body __MAIL_ACCT_ACCESS2 /\blo+se ac+es+ to your (?:web|e-?)?mail ?(?:account|log-?in|box|address)\b/i | |
8810 | ||
     | # URI whose query string contains, within 200 characters of the "?", something shaped like an e-mail address: a word character, "@", a 1-20 character label, one more character, then 2-3 word characters. | |
     | # NOTE(review): the "." between the label and the final characters is unescaped, so it matches any character rather than a literal dot. | |
     | # "tflags nice" marks this as a rule meant to offset false positives -- confirm that is the intent for an address-in-link test. | |
8811 | uri __MAIL_LINK /\?.{0,200}\w\@[\w-]{1,20}.\w\w\w?\b/i | |
8812 | tflags __MAIL_LINK nice | |
8813 | ||
8814 | body __MAKE_XTRA_DOLLAR /\bmake an extra dollar\b/i | |
8815 | ||
8816 | header __MALF_MIME_VER MIME-Version =~ /^1\.0\S/ | |
8817 | ||
8818 | meta __MALWARE_NORDNS __MY_MALWARE && __RDNS_NONE | |
8819 | ||
8820 | meta __MALWARE_PASSWORD __MY_MALWARE && __PASSWORD | |
8821 | ||
     | # True when any of the four attachment-name subrules below hits. | |
     | # NOTE(review): defined only when MIMEHeader is loaded; the subrules have a constant-0 fallback but this meta does not, so it is undefined without the plugin. | |
8822 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8823 | meta __MALW_ATTACH __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02 || __MALW_ATTACH_02_01 || __MALW_ATTACH_02_02 | |
8824 | endif | |
8825 | ||
     | # Fallback: constant 0 without the MIMEHeader plugin. | |
8826 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8827 | meta __MALW_ATTACH_01_01 0 | |
8828 | endif | |
8829 | ||
     | # Content-Disposition file name ending in ".SettingContent-ms", in either the plain filename= form or the RFC 2231 filename*= / filename*N*= form (optionally prefixed UTF-8''). | |
     | # Presumably listed because this Windows settings-shortcut type can launch a command when opened -- confirm against the rule's upstream history. | |
8830 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8831 | mimeheader __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]+|\*(?:\d+\*)?=(?:UTF-8'')?\S+)\.SettingContent-ms\b/i | |
8832 | endif | |
8833 | ||
     | # Fallback: constant 0 without the MIMEHeader plugin. | |
8834 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8835 | meta __MALW_ATTACH_01_02 0 | |
8836 | endif | |
8837 | ||
     | # Same extension test on the Content-Type name= parameter. | |
     | # NOTE(review): only the plain name= form is handled here; the encoded name*= form covered for Content-Disposition above is not. | |
8838 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8839 | mimeheader __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i | |
8840 | endif | |
8841 | ||
     | # Fallback: constant 0 without the MIMEHeader plugin. | |
8842 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8843 | meta __MALW_ATTACH_02_01 0 | |
8844 | endif | |
8845 | ||
     | # Content-Disposition file name with an archive extension (ace, zip, 7z, rar, r17, gz) where the part just before it ends in "invoice", "statement", | |
     | # or a document/image extension introduced by ".", "_" or a middle dot (bytes C2 B7, or percent-encoded as %C2%B7) -- i.e. a double extension such as "name.pdf.zip". | |
     | # NOTE(review): in the final class [";$] the "$" is a literal dollar sign, not end-of-string, so an unquoted file name that ends the header value is not matched. (?:[";]|$) would cover it. | |
8846 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8847 | mimeheader __MALW_ATTACH_02_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:invoice|statement|(?:\.|%C2%B7|[\xc2][\xb7]|_)(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|7z|rar|r17|gz)[";$]/i | |
8848 | endif | |
8849 | ||
     | # Fallback: constant 0 without the MIMEHeader plugin. | |
8850 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8851 | meta __MALW_ATTACH_02_02 0 | |
8852 | endif | |
8853 | ||
     | # Same double-extension test on the Content-Type name= parameter. | |
     | # NOTE(review): narrower than __MALW_ATTACH_02_01 -- no name*= form and no percent-encoded middle dot -- and it shares the literal "$" in [";$]. | |
8854 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8855 | mimeheader __MALW_ATTACH_02_02 Content-Type =~ /\bname="?[^"]*(?:invoice|statement|(?:\.|[\xc2][\xb7]|_)(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|7z|rar|r17|gz)[";$]/i | |
8856 | endif | |
8857 | ||
8858 | meta __MANY_HDRS_LCASE __HDRS_LCASE > 1 | |
8859 | ||
8860 | meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4) | |
8861 | ||
8862 | header __MAY_BE_FORGED Received =~ /\(may be forged\)/ | |
8863 | ||
8864 | header __MID_START_001C Message-ID =~ /^<000001c/ | |
8865 | ||
8866 | body __MILLIONS /\bmillions\sof\s(?:dollar|euro|pound)/i | |
8867 | ||
     | # X-MimeOLE header equal to one specific MimeOLE version string, anchored at both ends. | |
     | # NOTE(review): the dots in the version number are unescaped, so each matches any character; __MOLE_2962 escapes them. "V6\.00\.2800\.1106" would make the match literal. | |
8868 | header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/ | |
8869 | ||
8870 | meta __MIMEOLE_DIRECT_TO_MX __HAS_MIMEOLE && __DOS_DIRECT_TO_MX | |
8871 | ||
8872 | header __MIME_BDRY_0D0D Content-Type =~ /boundary="-{12}(?:0[1-9]){12}/ | |
8873 | ||
8874 | if !((version >= 3.004000)) | |
8875 | meta __MIME_CTYPE_IN_BODY 0 | |
8876 | endif | |
8877 | ||
8878 | if (version >= 3.004000) | |
8879 | body __MIME_CTYPE_IN_BODY /^Content-Type:\s/ | |
8880 | endif | |
8881 | ||
8882 | if !((version >= 3.004000)) | |
8883 | meta __MIME_MALF 0 | |
8884 | endif | |
8885 | ||
8886 | if (version >= 3.004000) | |
8887 | meta __MIME_MALF __CTYPE_MULTIPART_ANY && __MIME_CTYPE_IN_BODY | |
8888 | endif | |
8889 | ||
8890 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8891 | meta __MIME_NO_TEXT 0 | |
8892 | endif | |
8893 | ||
8894 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8895 | meta __MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH) | |
8896 | endif | |
8897 | ||
8898 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
8899 | rawbody __MIME_QPC eval:check_for_mime('mime_qp_count') | |
8900 | endif | |
8901 | ||
8902 | header __MISSING_REF References =~ /^UNSET$/ [if-unset: UNSET] | |
8903 | ||
8904 | header __MISSING_REPLY In-Reply-To =~ /^UNSET$/ [if-unset: UNSET] | |
8905 | ||
8906 | rawbody __MIXED_AREA_CASE /<(?!AREA|area)[Aa][Rr][Ee][Aa]\s/ | |
8907 | ||
8908 | rawbody __MIXED_CENTER_CASE /<(?!CENTER|center)[Cc][Ee][Nn][Tt][Ee][Rr]>/ | |
8909 | ||
8910 | rawbody __MIXED_FONT_CASE /<(?!FONT|font)[Ff][Oo][Nn][Tt]\s/ | |
8911 | ||
8912 | rawbody __MIXED_HREF_CASE_JH /<[Aa](?i:rea)?\s+(?!HREF|href)[Hh][Rr][Ee][Ff]=/ | |
8913 | ||
8914 | rawbody __MIXED_IMG_CASE_JH /<(?!IMG|img)[Ii][Mm][Gg]\s/ | |
8915 | ||
8916 | header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/ | |
8917 | ||
# __MONERO fires when any one Monero indicator is present.
# __URI_MONERO and __FUZZY_MONERO are defined outside this excerpt.
8918 | meta __MONERO (__MONERO_ID || __MONERO_CURNCY || __URI_MONERO || __FUZZY_MONERO) | |
8919 | ||
# Literal currency label "Monero (XMR)"; case-sensitive because there is no /i modifier.
8920 | body __MONERO_CURNCY /Monero \(XMR\)/ | |
8921 | ||
# Wallet-address shape: "4", then one of [0-9AB], then 93 to 104 characters from a class
# that omits 0, O, I and l, i.e. 95 to 106 characters in total between word boundaries.
# NOTE(review): this is a shape test only; no checksum is verified here, so any string
# of this shape matches. Treat a hit as an indicator to combine with other rules.
8922 | body __MONERO_ID /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93,104}\b/ | |
8923 | ||
8924 | meta __MONEY_ATM_CARD LOTS_OF_MONEY && __ATM_CARD | |
8925 | ||
8926 | meta __MONEY_FORM LOTS_OF_MONEY && __FILL_THIS_FORM | |
8927 | ||
8928 | meta __MONEY_FORM_SHORT LOTS_OF_MONEY && __FILL_THIS_FORM_SHORT | |
8929 | ||
8930 | meta __MONEY_FRAUD_3 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3) | |
8931 | ||
8932 | meta __MONEY_FRAUD_5 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5) | |
8933 | ||
8934 | meta __MONEY_FRAUD_8 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 8) | |
8935 | ||
8936 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
8937 | meta __MONEY_FREEMAIL_REPTO LOTS_OF_MONEY && __freemail_hdr_replyto | |
8938 | endif | |
8939 | ||
8940 | meta __MONEY_FROM_41 __NSL_RCVD_FROM_41 && LOTS_OF_MONEY | |
8941 | ||
8942 | body __MOVE_MONEY /\b(?:(?:receive|re-?profile|transfer(?:ring|ir|t)?|release|repatriat(?:e|ion)|rapatrier|secure|r(?:e|=E9|[\xe9]|[\xc3][\xa9])clamation|possession|virer|dona(?:te|r)|depositante|dep[\xc3][\xb3]sito)\s(?:th(?:e(?:se)?|is)|d[ae]s|sur ce|de ce[st]|cet|est[eao]s?|del?)|re-?profiling|receive|re-?locat(?:e|ing)(?:\s\w{1,15})?)\s(?:of\s|your\s|the\s){0,2}(?:sums?\sof\s|inheritance\s)?(?:proceeds|funds?|money|balance|account|g[eo]ld|compte|fond[so]{1,2}|dinero|argent)\b/i | |
8943 | ||
8944 | meta __MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_MAYBE && __HAS_ANY_URI && __HTML_LINK_IMAGE | |
8945 | ||
8946 | header __MSGID_GUID Message-ID =~ /^<?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\@/i | |
8947 | ||
8948 | header __MSGID_HEXISH Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/ | |
8949 | ||
8950 | header __MSGID_HEX_UID Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/ | |
8951 | ||
8952 | header __MSGID_JAVAMAIL Message-ID =~ /\.JavaMail\./ | |
8953 | tflags __MSGID_JAVAMAIL nice | |
8954 | ||
8955 | header __MSGID_LIST Message-ID =~ /-\w+\#[\w.]+\.\w{2,4}\@/ | |
8956 | tflags __MSGID_LIST nice | |
8957 | ||
8958 | header __MSGID_NOFQDN1 Message-ID =~ /<[^\@]*>/m | |
8959 | ||
8960 | header __MSGID_NOFQDN2 Message-ID =~ /<.*\@[A-Za-z0-9]+>/m | |
8961 | ||
8962 | meta __MSMAIL_PRI_ABNORMAL __HAS_MSMAIL_PRI && !__MSMAIL_PRI_NORMAL | |
8963 | ||
8964 | header __MSMAIL_PRI_HIGH X-MSMail-Priority =~ /^(?:high|urgent)$/i | |
8965 | ||
8966 | header __MSMAIL_PRI_NORMAL X-MSMail-Priority =~ /^normal$/i | |
8967 | ||
8968 | meta __MSM_PRIO_REPTO __HAS_MSMAIL_PRI && __HAS_REPLY_TO && __SUBJ_SHORT | |
8969 | ||
8970 | header __MSOE_MID_WRONG_CASE ALL =~ /\nMessage-Id: / | |
8971 | ||
8972 | header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/ | |
8973 | ||
8974 | header __MUA_TBIRD User-Agent =~ /^Mozilla\/(.*) Thunderbird/ | |
8975 | ||
8976 | body __MY_FORTUNE /\b(?:my|his|her)\s(?:fortune|heritage)\b/i | |
8977 | ||
8978 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8979 | body __MY_MALWARE /\b(?:(?:I(?:'ve|\shave)?\s(?:put|set\s?up|installed|buil[td]\sin|placed)\s(?:a\s)?|my\s(?:personal\s|background\s|hidden\s)?)(?:mal+ware|virus|spy\s?ware|trojan|program\srecorded|expl[o0]it|backdoor|(?:sneaky\s|hidden\s|malicious\s)+(?:app|stuff))|(?:application|mal+ware)[^\.]{1,30}(?:enable[sd]|allow(?:s|ed))\sme\sto\s(?:access|control)|I\s(?:contaminated|infected|hacked|toxified|poisoned)\s(?:your|this)\s(?:machine|computer|gadget|(?:smart\s?)?phone|device|email)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|mein\shinterhältiges\sProgramm|I\s?am\s?a\s?hacker|(?:(?:trojan|virus|spyware|mal+ware)\s)+giv(?:es|ing)\sme)\b/i | |
8980 | endif | |
8981 | ||
8982 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8983 | body __MY_MALWARE /(?:^|\s)(?:(?:<I>(?:'<V><E>|\s<H><A><V><E>)?\s(?:<P><U><T><|><S><E><T>\s?<U><P>|<I><N><S><T><A><L><L><E><D>|<B><U><I><L>(?:<T>|<D>)\s<I><N>|<P><L><A><C><E><D>)\s(?:<A>\s)?|<M><Y>\s(?:<P><E><R><S><O><N><A><L>\s|<B><A><C><K><G><R><O><U><N><D>\s|<H><I><D><D><E><N>\s)?)(?:<M><A><L>+<W><A><R><E>|<V><I><R><U><S>|<S><P><Y>\s?<W><A><R><E>|<T><R><O><J><A><N>|<P><R><O><G><R><A><M>\s<R><E><C><O><R><D><E><D>|<E><X><P><L>(?:<O>|0)<I><T>|<B><A><C><K><D><O><O><R>|(?:<S><N><E><A><K><Y>\s|<H><I><D><D><E><N>\s|<M><A><L><I><C><I><O><U><S>\s)+(?:<A><P><P>|<S><T><U><F><F>))|(?:<A><P><P><L><I><C><A><T><I><O><N>|<M><A><L>+<W><A><R><E>)[^\.]{1,30}(?:<E><N><A><B><L><E>(?:<D>|<S>)|<A><L><L><O><W>(?:<S>|<E><D>))\s<M><E>\s<T><O>\s(?:<A><C><C><E><S><S>|<C><O><N><T><R><O><L>)|<I>\s(?:<C><O><N><T><A><M><I><N><A><T><E><D>|<I><N><F><E><C><T><E><D>|<H><A><C><K><E><D>|<T><O><X><I><F><I><E><D>|<P><O><I><S><O><N><E><D>)\s(?:<Y><O><U><R>|<T><H><I><S>)\s(?:<M><A><C><H><I><N><E>|<C><O><M><P><U><T><E><R>|<G><A><D><G><E><T>|(?:<S><M><A><R><T>\s?)?<P><H><O><N><E>|<D><E><V><I><C><E>|<E><M><A><I><L>)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|<M><E><I><N>\s<H><I><N><T><E><R><H><A><L><T><I><G><E><S>\s<P><R><O><G><R><A><M>+|<I>\s?<A><M>\s?<A>\s?<H><A><C><K><E><R>|(?:(?:<T><R><O><J><A><N>|<V><I><R><U><S>|<S><P><Y><W><A><R><E>|<M><A><L>+<W><A><R><E>)\s)+<G><I><V>(?:<E><S>|<I><N><G>)\s<M><E>)[\s\.,]/i | |
8984 | endif | |
8985 | ||
8986 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8987 | body __MY_VICTIM /\b(?:hi|hello),?(?:\smy)?\s(?:victim|prey)\b/i | |
8988 | endif | |
8989 | ||
8990 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8991 | body __MY_VICTIM /(?:<H><I>|<H><E><L><L><O>),?(?:\s<M><Y>)?\s(?:<V><I><C><T><I><M>|<P><R><E><Y>)/i | |
8992 | endif | |
8993 | ||
8994 | header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/ | |
8995 | ||
# Display-name spoofing indicator: the From: display name contains an e-mail address
# (__NAME_IS_EMAIL) but it is not the same address as the one in angle brackets
# (__NAME_EQ_EMAIL). A client that shows only the display name would present the
# first address to the reader while replies and authentication apply to the second.
8996 | meta __NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL | |
8997 | ||
# Display-name address and bracketed address are identical: the captured address must
# reappear via \1 directly inside <...>, compared case-insensitively (/i).
8998 | header __NAME_EQ_EMAIL From:raw =~ /([\w+.-]+\@[\w.-]+\.\w\w+)["'`\s]*<\s*\1>/i | |
8999 | ||
# An address-like token (x@host.tld), optional closing quote characters, then the start
# of a bracketed address. Only the beginning of the bracketed address is checked here.
9000 | header __NAME_IS_EMAIL From:raw =~ /\w\@[\w.-]+\.\w\w+["'`]*\s*<\w+\@\w/ | |
9001 | ||
9002 | meta __NEWEGG_IMG_NOT_RCVD_NEGG __URI_IMG_NEWEGG && !__HDR_RCVD_NEWEGG | |
9003 | ||
9004 | body __NEXT_OF_KIN /\bnext[-\s]of[-\s]kin\b/i | |
9005 | ||
9006 | body __NIGERIA /\bnigeria\b/i | |
9007 | ||
9008 | meta __NOT_A_PERSON __VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO | |
9009 | tflags __NOT_A_PERSON nice | |
9010 | ||
9011 | body __NOT_DEAD_YET /\b(?:will\sinherit|que\sherede|your\sdeath|your?\sbeing\sdead)\b/i | |
9012 | ||
9013 | body __NOT_SCAM /\b(?:not\sa\sscam|(?:not|never)\sscam\syou)\b/i | |
9014 | ||
# __NOT_SPOOFED is defined four times below, once per combination of the DKIM and SPF
# plugins being loaded or not. The if/ifplugin guards are mutually exclusive, so only one
# definition applies to a given configuration. `!(!plugin(X))` is a double negation:
# the branch applies when plugin X is loaded.
# Every variant is also true when !__LAST_EXTERNAL_RELAY_NO_AUTH or ALL_TRUSTED holds;
# both are defined outside this excerpt.
# NOTE(review): DKIM_VALID and SPF_PASS are defined outside this excerpt. As far as I
# know neither requires the authenticated domain to align with the From: domain; confirm
# before using __NOT_SPOOFED as an exemption in anti-spoofing rules.
9015 | tflags __NOT_SPOOFED nice | |
9016 | ||
9017 | if !(!plugin(Mail::SpamAssassin::Plugin::DKIM)) | |
9018 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
9019 | meta __NOT_SPOOFED DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, no SPF | |
9020 | endif | |
9021 | endif | |
9022 | ||
9023 | if !(!plugin(Mail::SpamAssassin::Plugin::DKIM)) | |
9024 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
9025 | meta __NOT_SPOOFED SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, yes SPF | |
9026 | endif | |
9027 | endif | |
9028 | ||
# NOTE(review): in the two branches below the DKIM plugin is not loaded and the rule
# falls back to __DKIM_EXISTS (defined outside this excerpt). Presumably that only tests
# for the presence of a DKIM-Signature header; confirm. If so, no signature is verified
# in these configurations, and a message counts as "not spoofed" merely by carrying a
# signature header. Deployments without the DKIM plugin should not rely on
# __NOT_SPOOFED as evidence of authentication.
9029 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
9030 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
9031 | meta __NOT_SPOOFED __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, no SPF. | |
9032 | endif | |
9033 | endif | |
9034 | ||
9035 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
9036 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
9037 | meta __NOT_SPOOFED SPF_PASS || __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, yes SPF | |
9038 | endif | |
9039 | endif | |
9040 | ||
9041 | meta __NO_INR_YES_REF (__XM_GNUS || __XM_MSOE5 || __XM_MSOE6 || __XM_MOZ4 || __XM_SKYRI || __XM_WWWMAIL || __UA_GNUS || __UA_KNODE || __UA_MUTT || __UA_PAN || __UA_XNEWS) | |
9042 | ||
# Tests the X-Originating-IP header for an address beginning "41.", optionally preceded
# by text ending in "[".
# NOTE(review): X-Originating-IP is an ordinary message header; nothing visible here
# establishes who wrote it, so treat this as weaker evidence than the relay-based rule below.
9043 | header __NSL_ORIG_FROM_41 X-Originating-IP =~ /^(?:.+\[)?41\./ | |
9044 | describe __NSL_ORIG_FROM_41 Originates from 41.0.0.0/8 | |
9045 | ||
# Tests X-Spam-Relays-External for " ip=41." anywhere in the value. The pattern is
# unanchored, so any external relay in the list can satisfy it, not only the last one.
# presumably X-Spam-Relays-External is SpamAssassin's parsed view of the external Received chain; confirm
9046 | header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./ | |
9047 | describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8 | |
9048 | ||
9049 | header __NUMBEREND_TLD From:addr =~ /\@[a-z]{2,}[0-9]{4,}(\.[a-z]{2,4})?\.[a-z]+$/i | |
9050 | ||
9051 | header __NUMBERONLY_TLD From:addr =~ /\@[0-9]{4,}(\.[a-z]{2,4})?\.[a-z]+$/i | |
9052 | ||
9053 | header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/ | |
9054 | ||
9055 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9056 | meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) ) | |
9057 | endif | |
9058 | ||
9059 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9060 | meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) ) | |
9061 | endif | |
9062 | ||
9063 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9064 | meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) ) | |
9065 | endif | |
9066 | ||
9067 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9068 | meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) ) | |
9069 | endif | |
9070 | ||
9071 | body __OBFU_UNSUB_UL /(?:click_here|remove_your|our_e?mail|this_list|to_unsubscribe|future_e?mail|our_list)/ | |
9072 | ||
9073 | if !plugin(Mail::SpamAssassin::Plugin::ImageInfo) | |
9074 | meta __ONE_IMG 0 | |
9075 | endif | |
9076 | ||
9077 | ifplugin Mail::SpamAssassin::Plugin::ImageInfo | |
9078 | body __ONE_IMG eval:image_count('all',1,1) | |
9079 | endif | |
9080 | ||
9081 | header __OPERA_MID_NON_OP Message-ID =~ /^<[^o][^p]\./ | |
9082 | ||
9083 | body __ORDER_TODAY /\border (?:it|one|yours|this) (?:today|now|right\saway)\b/i | |
9084 | ||
9085 | body __OUR_BEHALF /\b(?:on\s(?:my|our)\sbehalf|of\sbehalf\sof)\b/i | |
9086 | ||
9087 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9088 | mimeheader __PART_CID_STOCK_LESS Content-ID =~ /^<00[a-f0-9]{10}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[A-Za-z]+>$/ | |
9089 | endif | |
9090 | ||
9091 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9092 | mimeheader __PART_STOCK_CD_F Content-Disposition =~ /filename/ | |
9093 | endif | |
9094 | ||
9095 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9096 | mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/ | |
9097 | endif | |
9098 | ||
9099 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9100 | mimeheader __PART_STOCK_CL Content-Location =~ /./ | |
9101 | endif | |
9102 | ||
9103 | body __PASSIVE_INCOME /\bpassive income\b/i | |
9104 | ||
9105 | body __PASSWORD /\bp[-\s_]?a[-\s_]?s[-\s_]?s[-\s_]?w[-\s_]?o[-\s_]?r[-\s_]?d\b/i | |
9106 | ||
9107 | body __PASSWORD_EXP_CLUMSY /\bpassword is due for expiration yesterday\b/i | |
9108 | ||
9109 | body __PASSWORD_UPGRADE /\bpassword upgrade\b/i | |
9110 | ||
9111 | body __PAXFUL /\bp-?a+-?x+-?f-?u+-?l\b/i | |
9112 | ||
# __PAY_ME: payment-demand phrasing (English, with some German), e.g. "pay me",
# "send ... <amount>", "make the payment", "amount for my silence", "pay this bitcoin address".
# Two variants are provided; which one is active depends on whether the ReplaceTags
# plugin is loaded. The <X> tokens in the second variant are ReplaceTags placeholders,
# presumably expanded to obfuscation-tolerant character classes defined elsewhere; confirm.
# NOTE(review): the two variants are not equivalent. In the plain variant
# `my bribe(?:ry)?` is a top-level alternative. In the ReplaceTags variant
# `<M><Y> <B><R><I><B><E>(?:<R><Y>)?` sits inside the address|wallet|brieftasche group,
# so it can only match after "pay/fund this bitcoin|monero" plus a separator. This
# looks like a misplaced closing parenthesis; with ReplaceTags loaded a bare "my bribe"
# is not detected.
9113 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9114 | body __PAY_ME /\b(?:pay\sme|(?:(?:send|transmit|give)\s(?:to\s)?me|(?:send(?:en\ssie)?|transfer)\s(?:the\samount\sof|exactly|genau)|I\swant|den\sbetrag\svon|payment\sof)\s(?:[\d,'.\$£]+\s?(?:usd?|eur?(?:os)?|gbp|BTC)?|bitcoin|BTC)|(?:make|perform|send|transmit)\sthe\spayment|amount\sfor\smy\ssilence|(?:pay|fund)\sthis\s(?:bitcoin|monero)[-\s](?:address|wallet|brieftasche)|my bribe(?:ry)?)\b/i | |
9115 | endif | |
9116 | ||
9117 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9118 | body __PAY_ME /(?:^|\s)(?:<P><A><Y>\s<M><E>|(?:(?:<S><E><N><D>|<T><R><A><N><S><M><I><T>|<G><I><V><E>)\s(?:<T><O>\s)?<M><E>|(?:<S><E><N><D>(?:<E><N>\s<S><I><E>)?|<T><R><A><N><S><F><E><R>)\s(?:<T><H><E>\s<A><M><O><U><N><T>\s<O><F>|<E><X><A><C><T><L><Y>|<G><E><N><A><U>)|<I>\s<W><A><N><T>|<D><E><N>\s<B><E><T><R><A><G>\s<V><O><N>|<P><A><Y><M><E><N><T>\s<O><F>)\s(?:[\d,'.\$£]+\s?(?:<U><S><D>?|<E><U><R>?(?:<O><S>)?|<G><B><P>|<B><T><C>)?|<B><I><T><C><O><I><N>|<B><T><C>)|(?:<M><A><K><E>|<P><E><R><F><O><R><M>|<S><E><N><D>|<T><R><A><N><S><M><I><T>)\s<T><H><E>\s<P><A><Y><M><E><N><T>|<A><M><O><U><N><T>\s<F><O><R>\s<M><Y>\s<S><I><L><E><N><C><E>|(?:<P><A><Y>|<F><U><N><D>)\s<T><H><I><S>\s(?:<B><I><T><C><O><I><N>|<M><O><N><E><R><O>)[-\s](?:<A><D><D><R><E><S><S>|<W><A><L><L><E><T>|<B><R><I><E><F><T><A><S><C><H><E>|<M><Y> <B><R><I><B><E>(?:<R><Y>)?))[\s\.,]/i | |
9119 | endif | |
9120 | ||
9121 | body __PAY_YOU /\bpay\syou\b/ | |
9122 | ||
9123 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9124 | meta __PCT_FOR_YOU 0 | |
9125 | endif | |
9126 | ||
9127 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9128 | meta __PCT_FOR_YOU __PCT_FOR_YOU_1 || __PCT_FOR_YOU_2 || __PCT_FOR_YOU_3 || T_SHARE_50_50 | |
9129 | endif | |
9130 | ||
9131 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9132 | meta __PCT_FOR_YOU_1 0 | |
9133 | endif | |
9134 | ||
9135 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9136 | body __PCT_FOR_YOU_1 /<PERCENT>[\s)]{0,3}(?:(?:of\s[\w\s]{0,35}?)?(?:for|to|as)\syour?|(?:[^\s.]{1,15}\s)?an uns beide)/i | |
9137 | endif | |
9138 | ||
9139 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9140 | meta __PCT_FOR_YOU_2 0 | |
9141 | endif | |
9142 | ||
9143 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9144 | body __PCT_FOR_YOU_2 /\b(?:(?:give|offer)\syou|vous\s(?:aurez\sdroit\s(?:=E0|[\xe0])|donnerai|all(?:e|=E9|[\xe9]|[\xc3][\xa9])\srecevoir\sautour\sde)|ihnen)\s<PERCENT>/i | |
9145 | endif | |
9146 | ||
9147 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9148 | meta __PCT_FOR_YOU_3 0 | |
9149 | endif | |
9150 | ||
9151 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9152 | body __PCT_FOR_YOU_3 /\byour?\s(?!can)(?:(?!you)\w{1,15}\s){0,10}(?:(?:share|entiti?le(?:d|ment)?|percentage|fee|assist(?:ance)?|comp[ea]nsat(?:ed?|tion)|reward(?:ed)?|renumerat(?:e|tion)|com+is+ion|paid|deduct|account|tage|(?:will|shall|would|(?:are|stand|going)\sto)\s(?:be\s)?(?:tak(?:e|ing)|earn|get(?:ting)?|remit|subtract|with+old)|(?:deduct|taken?|subtract(?:ed)?)\syour|keep(?:ing)?|receiv(?:e|ing)|retain(?:ing)?|have|half|giv(?:en|ing)|paid|(?:give|pay|offer)\s(?:me|you|him)|bank\saccount|to\s(?:take|use)|(?:time|country)\sand|ratio\sof)(?:\s(?!you)\w{1,15}){0,10})\s(?<!by\s)(?<!up\sto\s)<PERCENT>/i | |
9153 | endif | |
9154 | ||
9155 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9156 | meta __PCT_OF_PMTS 0 | |
9157 | endif | |
9158 | ||
9159 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9160 | body __PCT_OF_PMTS /<PERCENT>[\s)]+(?:of\s[\w\s]{0,35}?)?(?:of|du|de)\s(?:(?:the|la)\s)?(?:total\s)?(?:payments?|rem+it+ances?|capital|chec(?:k|que)s?|mon(?:ey|ies)|suma?)/i | |
9161 | endif | |
9162 | ||
9163 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
9164 | meta __PDF_ATTACH 0 | |
9165 | endif | |
9166 | ||
9167 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9168 | meta __PDF_ATTACH (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2) | |
9169 | endif | |
9170 | ||
9171 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
9172 | meta __PDF_ATTACH_FN1 0 | |
9173 | endif | |
9174 | ||
9175 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9176 | mimeheader __PDF_ATTACH_FN1 Content-Type =~ /="[^"]+\.pdf"/i | |
9177 | endif | |
9178 | ||
9179 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
9180 | meta __PDF_ATTACH_FN2 0 | |
9181 | endif | |
9182 | ||
9183 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9184 | mimeheader __PDF_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.pdf"/i | |
9185 | endif | |
9186 | ||
9187 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
9188 | meta __PDF_ATTACH_MT 0 | |
9189 | endif | |
9190 | ||
9191 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9192 | mimeheader __PDF_ATTACH_MT Content-Type =~ m,\bapplication/pdf\b,i | |
9193 | endif | |
9194 | ||
9195 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9196 | header __PDS_BTC_ANON From:name =~ /\bAnon/ | |
9197 | endif | |
9198 | ||
9199 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9200 | meta __PDS_BTC_BADFROM ( __PDS_BTC_HACKER || __PDS_BTC_PIRATE ) | |
9201 | endif | |
9202 | ||
9203 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9204 | header __PDS_BTC_HACKER From:name =~ /h<A>ck<E>r/i | |
9205 | endif | |
9206 | ||
9207 | meta __PDS_BTC_ID ( __BITCOIN_ID && !__URL_BTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG) | |
9208 | ||
9209 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9210 | header __PDS_BTC_PIRATE From:name =~ /p<I>r<A>t<E>/i | |
9211 | endif | |
9212 | ||
9213 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9214 | if (version >= 3.004000) | |
9215 | header __PDS_CASHSHORTENER eval:check_uri_host_listed('PDS_CASHSHORTENER') | |
9216 | endif | |
9217 | endif | |
9218 | ||
# Matches a URI that embeds a second http(s) URL immediately after "?" or "=", i.e. a
# link whose query string carries another link. This is the shape of a redirector URL,
# where the host the reader sees is not the final destination.
# The pattern requires the embedded URL to run to the end of the URI and end in a word character.
9219 | uri __PDS_DOUBLE_URL m;https?://[\S]+(?:\?|=)https?://[\S]+[\w]+$; | |
9220 | ||
9221 | if (version >= 3.004002) | |
9222 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9223 | body __PDS_EXPIRATION_NOTICE /\bexpiration (notice|alert|date)\b/i | |
9224 | endif | |
9225 | endif | |
9226 | ||
# From: header that contains an e-mail address followed, within up to 80 non-word
# characters, by a bracketed address that does not begin with the same text:
# `(?!\1)` rejects the case where the bracketed address repeats the first one.
# The first address is what a display-name-only client would show.
# Guarded by perl_min_version_5010000 because the pattern uses a possessive
# quantifier (`\w\w++`), which older Perl releases do not support.
9227 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
9228 | header __PDS_FROM_2_EMAILS From =~ /(?:^|<|"| )([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i | |
9229 | endif | |
9230 | ||
# From: address ends in @gmail.com or @googlemail.com (case-insensitive, anchored at the end).
9231 | header __PDS_FROM_GMAIL From:addr =~ /\@g(?:oogle)?mail\.com$/i | |
9232 | ||
# The From: display name is a domain-like string and the To: address is at that same
# domain (\1), i.e. the sender labels itself with the recipient's own domain.
# The pattern runs against ALL headers and needs the To: line to follow the From: line
# directly (`[^\n]+\nTo:`), so it depends on header order.
9233 | header __PDS_FROM_NAME_TO_DOMAIN ALL =~ /From: ["']?([a-z0-9\.-]+\.[0-9a-z\.-]+)["']? [^\n]+\nTo:[^\n]+\@\1/ism | |
9234 | ||
# Message-Id ends in "@mail.gmail.com>".
# NOTE(review): the dots are unescaped and match any character, so lookalike hosts with
# another character in place of a dot also match; `\@mail\.gmail\.com>$` would be exact.
# A Message-Id is sender-controlled, so a hit does not show the mail came from Gmail.
9235 | header __PDS_GMAIL_MID Message-Id =~ /\@mail.gmail.com>$/ | |
9236 | ||
# True when at least two of the three Google Drive share-notification indicators below hit.
# The indicators are header-content tests only. Authentication of the sending domain is not
# part of this rule and has to come from other rules if it matters to the consumer.
9237 | meta __PDS_GOOGLE_DRIVE_SHARE (__PDS_GOOGLE_DRIVE_SHARE_1 + __PDS_GOOGLE_DRIVE_SHARE_2 + __PDS_GOOGLE_DRIVE_SHARE_3 >= 2) | |
9238 | ||
# References header contains an id at docs-share.google.com.
9239 | header __PDS_GOOGLE_DRIVE_SHARE_1 References =~ /\@docs\-share\.google\.com\>/ | |
9240 | ||
# From: address is exactly drive-shares-noreply@google.com (case-sensitive, no /i).
9241 | header __PDS_GOOGLE_DRIVE_SHARE_2 From:addr =~ /^drive\-shares\-noreply\@google\.com$/ | |
9242 | ||
# Envelope sender, as recorded in X-Envelope-From, is at doclist.bounces.google.com.
9243 | header __PDS_GOOGLE_DRIVE_SHARE_3 X-Envelope-From:addr =~ /\@doclist\.bounces\.google\.com$/ | |
9244 | ||
9245 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
9246 | meta __PDS_HP_HELO_NODNS (__HELO_HIGHPROFILE && !__HELO_DNS) | |
9247 | tflags __PDS_HP_HELO_NODNS net | |
9248 | endif | |
9249 | ||
9250 | ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
9251 | meta __PDS_HTML_LENGTH_1024 __HTML_LENGTH_0000_1024 | |
9252 | endif | |
9253 | ||
9254 | ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
9255 | meta __PDS_HTML_LENGTH_2048 __HTML_LENGTH_0000_1024 || __HTML_LENGTH_1024_1536 || __HTML_LENGTH_1536_2048 | |
9256 | endif | |
9257 | ||
9258 | meta __PDS_LITECOIN_ID (__LITECOIN_ID && !__URL_LTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG) | |
9259 | ||
9260 | meta __PDS_MSG_1024 (__KAM_BODY_LENGTH_LT_1024 || __PDS_HTML_LENGTH_1024) | |
9261 | ||
9262 | meta __PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512) | |
9263 | ||
9264 | if (version >= 3.004001) | |
9265 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
9266 | meta __PDS_NEWDOMAIN (__FROM_FMBLA_NEWDOM || __FROM_FMBLA_NEWDOM14 || __FROM_FMBLA_NEWDOM28) | |
9267 | tflags __PDS_NEWDOMAIN net | |
9268 | endif | |
9269 | endif | |
9270 | ||
9271 | if (version >= 3.004002) | |
9272 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9273 | body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (United States|USA)/i | |
9274 | endif | |
9275 | endif | |
9276 | ||
9277 | if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) | |
9278 | meta __PDS_QP_1024 0 | |
9279 | endif | |
9280 | ||
9281 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
9282 | meta __PDS_QP_1024 (__MIME_QPC > 0) && (__MIME_QPC < 1024) | |
9283 | endif | |
9284 | ||
9285 | if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) | |
9286 | meta __PDS_QP_128 0 | |
9287 | endif | |
9288 | ||
9289 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
9290 | meta __PDS_QP_128 (__MIME_QPC > 0) && (__MIME_QPC < 128) | |
9291 | endif | |
9292 | ||
9293 | if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) | |
9294 | meta __PDS_QP_512 0 | |
9295 | endif | |
9296 | ||
9297 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
9298 | meta __PDS_QP_512 (__MIME_QPC > 0) && (__MIME_QPC < 512) | |
9299 | endif | |
9300 | ||
9301 | if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) | |
9302 | meta __PDS_QP_64 0 | |
9303 | endif | |
9304 | ||
9305 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
9306 | meta __PDS_QP_64 (__MIME_QPC > 0) && (__MIME_QPC < 64) | |
9307 | endif | |
9308 | ||
9309 | header __PDS_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(mta|mail|mx|smtp)\b\S* /i | |
9310 | ||
9311 | if (version >= 3.004002) | |
9312 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9313 | body __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i | |
9314 | endif | |
9315 | endif | |
9316 | ||
9317 | if (version >= 3.004002) | |
9318 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9319 | body __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i | |
9320 | endif | |
9321 | endif | |
9322 | ||
9323 | if (version >= 3.004002) | |
9324 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9325 | body __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i | |
9326 | endif | |
9327 | endif | |
9328 | ||
9329 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9330 | if (version >= 3.004000) | |
9331 | meta __PDS_SHORT_URL __SHORT_URL && !__URL_SHORTENER && !__PDS_URISHORTENER && !ALL_TRUSTED | |
9332 | endif | |
9333 | endif | |
9334 | ||
9335 | if (version >= 3.004001) | |
9336 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
9337 | tflags __PDS_SPF_ONLYALL net | |
9338 | endif | |
9339 | endif | |
9340 | ||
9341 | header __PDS_TONAME_EQ_TOLOCAL To:raw =~ /^\s*['"]?([^'"]+)['"]? <?\1\@/ | |
9342 | ||
9343 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
9344 | header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism | |
9345 | endif | |
9346 | ||
9347 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
9348 | header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism | |
9349 | endif | |
9350 | ||
9351 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9352 | if (version >= 3.004000) | |
9353 | meta __PDS_TO_SUBJ_URISHRT __TO_IN_SUBJ && (__PDS_URISHORTENER || __URL_SHORTENER) && __PDS_MSG_1024 | |
9354 | endif | |
9355 | endif | |
9356 | ||
9357 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9358 | if (version >= 3.004000) | |
9359 | header __PDS_URISHORTENER eval:check_uri_host_listed('PDS_URISHORTENER') | |
9360 | endif | |
9361 | endif | |
9362 | ||
9363 | meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0 | |
9364 | ||
9365 | body __PENDING_MESSAGES /\b(?:messages pending|(?:your|\d+[\])}]?) (?:pending|un(?:delivered|received)) (?:messages|e?-?mails))\b/i | |
9366 | ||
9367 | body __PERFECT_BINARY /\bperfect binary option\b/i | |
9368 | ||
# Attachment whose filename pairs a document extension with an HTML one: pdf, doc or docx
# followed by .htm/.html, e.g. "name.pdf.html". The separator before the document
# extension may be ".", "_" or the middle dot U+00B7 (raw UTF-8 bytes C2 B7, or
# percent-encoded as %C2%B7). The file is HTML while its name suggests a document.
# This variant reads Content-Disposition and also accepts the extended parameter forms
# `filename*=` and `filename*N*=` with an optional UTF-8'' prefix.
# NOTE(review): inside the final bracket class `[";$]` the `$` is a literal dollar sign,
# not an end-of-string anchor. A filename that ends the header value without a closing
# quote or semicolon is presumably not matched; confirm whether that is intended.
9369 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9370 | mimeheader __PHISH_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:\.|%C2%B7|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i | |
9371 | endif | |
9372 | ||
# Same test against the `name=` parameter of Content-Type. Unlike the rule above, this
# pattern has no branch for the extended `name*=` form or the percent-encoded middle dot.
9373 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9374 | mimeheader __PHISH_ATTACH_01_02 Content-Type =~ /\bname="?[^"]*(?:\.|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i | |
9375 | endif | |
9376 | ||
9377 | meta __PHISH_FBASE_01 (__URI_FIREBASEAPP || __URI_WEBAPP) && __PDS_FROM_NAME_TO_DOMAIN && __MAIL_LINK | |
9378 | ||
9379 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9380 | body __PHOTO_RETOUCHING /\b(?:(?:retouching|(?:image|photo|pic)s? (?:[a-z]{1,15} ){0,3}(?:edit(?:ing|ors)|team|(?:cut+|mask|clip+|clean|crop+|resiz|enhanc|etch)ing|cut+(?:ing)?[-\s]?out|enhancement|manipulation|restoration|compositing|working|(?:color|contrast|brightnes+|background|make-?up) (?:cor+ection|change)|solution|work|services?)|(?<!that\s)(?<!\.\s)your (?:imag(?:es|ing)|pics)|photo\s?shop (?:expert|service)s?|(?:deliver (?:the|your) |(?:(?:send|throw|ship|drop|deliver|give|provide|e-?mail) us|(?:cut+(?:ing)?[-\s]?out|masking|(?:test|edit)(?:ing)?) (?:for|of|on|with)) (?:(?:an?|one|your|some|sample|test|example|the) )+)(?:image|photo|pic)s?|(?:proces+|edit)(?:\sover|\smore th[ae]n)? \d{2,5}\D? (?:image|photo|pic)s|improv(?:e|ing) (?:(?:image|photo|picture|pic) (?:quality|lighting)|(?:(?:image|photo|picture|pic) )?(?:resolution|contrast|background|color))|cor+ecting (?:color|contrast|brightnes+|background))\b|(?:e-?com+erce|website|jew[el]+r(?:[y's]+|ies)|model+(?:s|ing)?|products?|portraits?|graduation['s]*|school['s]*|bab(?:[y's]+|ies)|famil(?:[y's]+|ies)|kids|wedding|beauty|glamou?r|catalog['s]*|store['s]*|shop['s]*|(?:cut+(?:ing)?[-\s]?out|clip+ing\spath|(?:all|any) kinds? of|enhance|retouch|edit(?:ing)?)[,;]?(?:\s[a-z]{1,15}){0,4})\s(?:image|photo|pic)s?(?:[.,?]|$|\sand\b|\sor\b|\setc\b)|\b(?:imag(?:es|ing)|photos)\s\d+$)/i | |
9381 | tflags __PHOTO_RETOUCHING multiple maxhits=5 | |
9382 | endif | |
9383 | ||
9384 | header __PHPMAILER_MUA X-Mailer =~ /^PHPMailer\b/ | |
9385 | ||
9386 | meta __PHP_MUA __PHP_MUA_1 || __PHP_MUA_2 | |
9387 | ||
9388 | header __PHP_MUA_1 X-Mailer =~ /^PHP\s?v?\/?\d\./ | |
9389 | ||
9390 | header __PHP_MUA_2 X-Mailer =~ /^PHP\d$/ | |
9391 | ||
9392 | header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/ | |
9393 | ||
9394 | meta __PHP_ORIG_SCRIPT_SONLY __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B) | |
9395 | ||
9396 | if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) | |
9397 | meta __PILL_PRICE_01 0 | |
9398 | endif | |
9399 | ||
9400 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9401 | body __PILL_PRICE_01 m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i | |
9402 | tflags __PILL_PRICE_01 multiple maxhits=3 | |
9403 | endif | |
9404 | ||
9405 | if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) | |
9406 | meta __PILL_PRICE_02 0 | |
9407 | endif | |
9408 | ||
9409 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9410 | body __PILL_PRICE_02 /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i | |
9411 | tflags __PILL_PRICE_02 multiple maxhits=3 | |
9412 | endif | |
9413 | ||
9414 | body __PLS_REVIEW /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i | |
9415 | ||
9416 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
9417 | header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to() | |
9418 | endif | |
9419 | ||
9420 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
9421 | header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof() | |
9422 | endif | |
9423 | ||
9424 | uri __PS_TEST_LOC_WP m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,128}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf|\.svg)[^?]{4}(?:\?[^?]{1,5})?$;i # URI below one of the listed CMS directories (wp-content, wp-includes, mt-static, ...) whose last four characters before the end, or before a query of 1-5 characters, are not a listed extension. The lookahead window is four characters wide, so longer extensions such as .jpeg or .webp still match. NOTE(review): the "includes/" alternative followed by "/" requires a doubled slash; confirm that is intended. | |
9425 | ||
9426 | body __PUMPDUMP_01 /\b(?:times|multiply|tripl(?:e|ing)|quadrupl(?:e|ing)|quintupl(?:e|ing)) (?:your|an) (?:princip(?:al|le)|investment)\b/i | |
9427 | ||
9428 | body __PUMPDUMP_02 /\b(?:sto[ck]{2}|share price) (?:will |may |is (?:(?:about|poised|positioned|ready) to |gonna ))?(?:triple|quadruple|quintuple|soar|go(?:es?) (?:nuts|crazy|sky high|way up))\b/i | |
9429 | ||
9430 | body __PUMPDUMP_03 /\bbuy (?:[^.!]{1,30} )?(?:(?:(?:mon|tues|wednes|thurs|fri)day|tomorrow) (?:first thing|open|morning)|(?:first thing|opens|before) (?:(?:mon|tues|wednes|thurs|fri)day|tomorrow))/i | |
9431 | ||
9432 | body __PUMPDUMP_04 /\bmake you (?:big bucks|hundreds|thousands)\b/i | |
9433 | ||
9434 | body __PUMPDUMP_05 /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i | |
9435 | ||
9436 | body __PUMPDUMP_06 /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i | |
9437 | ||
9438 | body __PUMPDUMP_07 /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i | |
9439 | ||
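9440 | body __PUMPDUMP_08 /\b(?:sto[ck]{2}|sotk) of the year/i # pump-and-dump phrase "stock of the year", tolerating "sto" plus any two of c/k and the misspelling "sotk". Group opener corrected from "\b?(:" to "\b(?:": the old form made the word boundary optional and required a literal colon before "sto..", so plain "stock of the year" never matched. Expect a higher hit rate; re-check any meta that consumes this sub-rule. | |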
9441 | ||
9442 | body __PUMPDUMP_09 /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i | |
9443 | ||
9444 | body __PUMPDUMP_10 /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i | |
9445 | ||
9446 | body __RANDOM_PICK /\b(?:random(?:ly)?\s(?:\w+\s)?(?:select(?:ion|ed)|pick(?:ed)?|computer)|(?:select|pick)ed\s(?:at\s)?random(?:ly)?|(?:esco(?:g|lh)idos|seleccion) (?:aleatoria(?:mente)?|al azar))\b/i | |
9447 | ||
9448 | header __RAND_HEADER ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent|Tracking-Code)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism | |
9449 | tflags __RAND_HEADER multiple maxhits=4 | |
9450 | ||
9451 | meta __RAND_HEADER_2 __RAND_HEADER > 1 | |
9452 | ||
9453 | header __RAND_MKTG_HEADER ALL =~ /^X-(?:[a-z]{2}){1,2}-(?:EBS|(?:Tracking|Subscriber|Delivery|Customer|Campaign)-[DSU]?id):/ism | |
9454 | ||
9455 | header __RATWARE_BOUND_A ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{10,400}boundary="----=_NextPart_000_...._\1\./msi # " | |
9456 | ||
9457 | header __RATWARE_BOUND_B ALL =~ /boundary="----=_NextPart_000_...._([0-9a-f]{8})\..{10,400}^Message-Id: <....\1\$[0-9a-f]{8}\$/msi # " | |
9458 | ||
9459 | header __RCD_RDNS_MAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmail[^a-z]/i | |
9460 | tflags __RCD_RDNS_MAIL nice | |
9461 | ||
9462 | header __RCD_RDNS_MAIL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mail/i | |
9463 | tflags __RCD_RDNS_MAIL_MESSY nice | |
9464 | ||
9465 | header __RCD_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmta[^a-z]/i | |
9466 | tflags __RCD_RDNS_MTA nice | |
9467 | ||
9468 | header __RCD_RDNS_MTA_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mta/i | |
9469 | tflags __RCD_RDNS_MTA_MESSY nice | |
9470 | ||
9471 | header __RCD_RDNS_MX X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmx[^a-z]/i | |
9472 | tflags __RCD_RDNS_MX nice | |
9473 | ||
9474 | header __RCD_RDNS_MX_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mx/ # "mx" anywhere in an rdns= value that appears before the first "]" of the header. NOTE(review): no /i here, unlike __RCD_RDNS_MAIL_MESSY and __RCD_RDNS_MTA_MESSY; confirm whether the rdns value is already lowercased before this rule runs. | |
9475 | tflags __RCD_RDNS_MX_MESSY nice # nice = rule counts in the sender's favour; PTR names are chosen by whoever controls the IP, so a bare substring is weak evidence | |
9476 | ||
9477 | header __RCD_RDNS_OB X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\boutbounds?[^a-z]/i | |
9478 | tflags __RCD_RDNS_OB nice | |
9479 | ||
9480 | header __RCD_RDNS_SMTP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bsmtps?[^a-z]/i | |
9481 | tflags __RCD_RDNS_SMTP nice | |
9482 | ||
9483 | header __RCD_RDNS_SMTP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*smtp/ # "smtp" anywhere in an rdns= value that appears before the first "]" of the header. NOTE(review): no /i here, while __RCD_RDNS_SMTP and the MAIL/MTA "messy" variants are case-insensitive; confirm whether the rdns value is already lowercased before this rule runs. | |
9484 | tflags __RCD_RDNS_SMTP_MESSY nice # nice = rule counts in the sender's favour; PTR names are chosen by whoever controls the IP, so a bare substring is weak evidence | |
9485 | ||
9486 | header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\.edu\s/i # any whitespace-terminated ".edu" in the external relay list. The pattern is not tied to a field, so sender-supplied values (e.g. helo=) can satisfy it as well as rdns=; __RCVD_DOTGOV_EXT has the same shape. NOTE(review): confirm an unanchored match is intended. | |
9487 | ||
9488 | meta __RCVD_DOTEDU_SHORT __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 ) | |
9489 | ||
9490 | meta __RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI ) | |
9491 | ||
9492 | header __RCVD_DOTGOV_EXT X-Spam-Relays-External =~ /\.gov\s/i | |
9493 | ||
9494 | header __RCVD_ZIXMAIL X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net / | |
9495 | ||
9496 | header __RDNS_LONG X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{30}/ | |
9497 | ||
9498 | header __RDNS_NO_SUBDOM X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\.\w+ / | |
9499 | ||
9500 | header __RDNS_NUMERIC_TLD X-Spam-Relays-External =~ /\srdns=\S+\.\d+\s/ | |
9501 | ||
9502 | header __RDNS_SHORT X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{4,14} / | |
9503 | ||
9504 | body __RECEIVE_BONUS /\byou(?:'ll)?(?: also| will)* (?:rec[ei]*ve|get|earn|collect|be (?:awarded|handed|remitted|given|paid|(?:greeted|welcomed|started) with)) (?:an? )?(?:gift|bonus|extra)(?: of|:)? \$[\d,]+/i | |
9505 | ||
9506 | header __RELAY_THRU_WWW Received =~ /from (?:[^ \@]+\@)?www\./ | |
9507 | ||
9508 | body __RELEASE_MESSAGES /\b(?:release messages|(?:retrieve|release|download) your(?: undelivered|unreceived|held|pending)? e?-?mails|(?:e?-?mails|messages).{1,20}download them now)\b/i | |
9509 | ||
9510 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { | |
9511 | meta __REMOTE_IMAGE (__HTML_IMG_ONLY || __HTML_LINK_IMAGE) && !(__SUBSCRIPTION_INFO || __VIA_ML || __SENDER_BOT || __ANY_IMAGE_ATTACH) | |
9512 | endif | |
9513 | ||
9514 | if (version >= 3.004002) | |
9515 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9516 | header __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD') | |
9517 | endif | |
9518 | endif | |
9519 | ||
9520 | header __REPLYTO_NOREPLY Reply-To =~ /\bno-?reply@/i | |
9521 | ||
9522 | header __REPTO_419_FRAUD_AOL_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.|ljaber)|brownchurchill|c(?:hanprivacy|ristinabruno|ustom_service)|d(?:hodgkins|onald_anderson)|evelynjoshua|f(?:d\.|ernandezfernandez)|george_clifford|hernandezrosemary|k\.doreen|l(?:erynnewest|izcarroll)|m_l\.wanczyk|p(?:aulpollard|eterwong)|r(?:achel_wat|oyalpalace)|s(?:gt\.gillianj|pwalker)|usembassy|webank))\d+\@aol\.com$/i # Reply-To address at aol.com whose local part is one of the listed names followed by at least one digit; the listed name without trailing digits does not match this rule. The leading lookahead rejects non-aol.com addresses before the alternation is tried. | |
9523 | ||
9524 | header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:a(?:bu(?:lkareem|shadi)|c(?:aalzz|e(?:alss|cere))|desilgon|l(?:an\.austin|ber\.yang|ex(?:ander(?:daisy|peterson)|hoffman)|ghafrij|lenholden|ure\.wawrenka)|m(?:ericadeliverycomapny|inaltwaijiri)|n(?:dyfox|na(?:llee|sigurlaug))|radka|s(?:hwestwood|ianbae)|tm(?:mastercard|office)|yevayawovi|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|r(?:\.charles|isterlordruben)|teld\.huisman))|bongo|e(?:linekra|n(?:ezero|jaminsarah))|ill\.lawrence|mwautomobile|oarddept|r(?:avolpaul|endalaporte|ianmoynih)|uffettwarrene)|c(?:a(?:mluba|reisu)|bnatm|elineroullier|h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|la(?:imadviser|xtonpaul)|o(?:l(?:\.fakhrialsalabi|inchrisweir|o(?:mbasjuan|nelsaad))|n(?:sultancy|tactad)|operation)|r(?:awfordgillies|istbrun?)|ustomerservicelacaixa)|d(?:a(?:nielzulu|v(?:i(?:d(?:\.loanfirm|ibe|larbi|pere|ramirez\.luis)|scarolyn|yax)|ychan))|e(?:btm|nnis(?:clark|quaid)|partmentofstate)|ipfrancis|ona(?:ldwilliam|tionhelpercare)|r(?:\.wilsonpaul|davidrhama|joesimon|ovieogor)|unsilva)|e(?:benezero|christina|dwinfreeman|l(?:i(?:bethgomez|sabethmaria|zabethedw)|otocashoffice)|m(?:ailpostlink|efieleg?|ilyrichmond)|renakgeorge|ssexlss)|f(?:\.mikhail|a(?:ithdesrie|tme\.mehmed)|blott|laurentdz|r(?:a(?:100dub|nc(?:espatrickconnolly|iscamendoza))|eelottosweepstake)|ulanlan)|g(?:00gleggewinner|a(?:brielkalia|ryakinson)|bill|e(?:neralwilliamstony|orgekwame|r(?:aldjhjh|tjanvlieghe))|iidp|l(?:enmoore|oriachow)|o(?:o(?:golteam|oglegwiinner)|vgodwinemefiele)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:old\.dia|ryebert)|sh(?:imyreem|mireem))|e(?:a(?:dofficecentre|therbrooeke)|ctor(?:castillos|scastillo))|gold|heba\.hhassan|ildad|o(?:lsemeyerole|nmackjohn|rnbeckmajordennis|seoky)|trryt)|i(?:bed|n(?:fo(?:98cbnoffice|aprl)|gridrolle|ternationallppp))|j(?:a(?:cobmaseon|mes(?:h
usmansdesk|okoh)|vierlesme)|e(?:ff(?:deandk|erydean)|ssikasingh)|imyang|o(?:e(?:dward|kendal)|hn(?:griffn|r(?:awlings|oxfordjr)|sonwilson|tanko|uba|walterlove|a)|nesandassociates|sephacevedo|ymrskone)|rawlings|uliet\.lee?)|k(?:a(?:lstromjames|malnizar|rabo\.ramala|t(?:hilittman|jamess|rinaziako))|e(?:lsawamelia|n(?:mckay|nedy\.sawadogo))|halidbuhazza|kasbu|rnkl|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:ndfair\.co\.uk|rynne(?:0west|west))|i(?:amfinchus|liane\.bettencourt|n(?:elink|glung)|xiungl?)|john|o(?:ttyoffice|u(?:ghreymargaret|isdreyfusmargarita))|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:ckoliver|incare|jor(?:dennishornbeck|townsend)|nuelfranco(?:foundation)?|r(?:i(?:ahhills|nacoleman|opabl)|k(?:roth|uses)|y(?:franson|jify00aaz))|s(?:onmanny|pencer)|ttwilly|urhinck|viswanczyk(?:(?:foundation|k))?)|c\.cheadychang|dredban|e(?:lvidabullock|nnss)|gfrederick|i(?:c(?:healwuu|w)|khai(?:\.fridman|lfridm))|k(?:ent|untjoro)|o(?:ham(?:edabdul|madraqab)|rienkal)|r(?:\.justinmaxwell|cjames|hanimuhammad|jamesmc|martine|paulfrank|richardanthony|s(?:\.(?:biyufungchi|susanread)|a(?:ishaalqadafi|ngela)|gracewoods|hamima|jackman|maureens|r(?:obinsanders|uthsmith)|sarahbenjamin))|s(?:agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|obuyuki\.hirano)|o(?:\.peace|fficerricherd|liviemorgan|vieogor)|p(?:\.compton|a(?:storfrancesco|ul(?:eed|n)|ymentofficer)|brookk|eter(?:\.waddell|guggi|kenin|stephen)|hillip\.richead|ieterstevens|resleybathini)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymond(?:aba|damon))|e(?:beccagarang|em(?:has(?:himy|m)|n)|plyback|v(?:\.jamesabel|frankjackson))|i(?:chardw(?:ahl|illis)|tawilliams)|o(?:berthanandez|naldmorris|s(?:a\.gomes|e(?:kipkalya|tam)))|t\.rev\.ericmark)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cottpeters|e(?:cretservicce|rgeantrobertbrown)|h(?:anemissler|e(?:ikhalmaktoum|ry(?:\.gtl|etr))|inawatrathaksin)|imlkheng|krause|ofia\.adams|peelman|sdt|tephentam|u(?:iyang|n\
.hor|sanneklatten)|weeneyjohnson)|t(?:ay(?:ebsouami|lorcathy)|erryparkins|h(?:ailandbankoffice|e(?:ara\.choy|bigbiglottowinning|odorosloannis|resawilliams|smithfm))|imothymetheny|lyerdonald|o(?:mc(?:hrist|rist(?:(?:donation|foundation))?)|ny(?:\.chung|zimpro)|shikazusendo))|u(?:marukareem|n(?:claimedfunds|itednation(?:organization|s))|sdepartmentofjustice)|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut))|w(?:a(?:dp|hlr(?:ichard)?|nczykm)|i(?:ge|ll(?:iamrobert|update))|u(?:\.office|mt)|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo)|z(?:enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i | |
9525 | ||
9526 | header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|gaaintl\-4g5ee\.w|lesiakalina|nn(?:awax|hester\.usa))|b(?:a(?:nk\.phbng|rr(?:ister\.dennis|lawrencefubara))|en(?:jaminb|nicholas)|riceangela)|c(?:\.(?:aroline|coulibaly)|h(?:arlesscharf|jackson)|juan|ollins(?:mattew|wayne)|ythiamiller\.un)|d(?:hamilton|i(?:aanesoto|plomaticagent))|f(?:aizaadama|ederal\.r)|graham\.eddie|infobank|j(?:\.edwards|a(?:ckson\.davis|netemoon)|kimyong)|k(?:elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|ge|hman)|isarobinson_|y_cheapiseth)|m(?:arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye)|rkellyayi|unny(?:\.sopheap|_sopheap))|n(?:estordaniel|orahuz)|o(?:fficial_franksylvester|legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|i(?:chard\.w|taadamsw)|o(?:b(?:ertbailey|orts)|serichard))|s(?:amthong|igurlauganna|leo|mithcolin|pwalker|tevecox\.)|tylerhess\.|u(?:butu|kdebtmanagement)|vanserge|will(?:clark|iamsimon)|xianglongdai))\d+\@yahoo\.com$/i | |
9527 | ||
9528 | header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i | |
9529 | ||
9530 | header __REPTO_RUS_FREEM Reply-To =~ /\@mail\.ru/i | |
9531 | ||
9532 | if !((version >= 3.003000)) | |
9533 | meta __RP_MATCHES_RCVD 0 | |
9534 | endif | |
9535 | ||
9536 | if (version >= 3.003000) | |
9537 | if !plugin(Mail::SpamAssassin::Plugin::WLBLEval) | |
9538 | meta __RP_MATCHES_RCVD 0 | |
9539 | endif | |
9540 | endif | |
9541 | ||
9542 | if (version >= 3.003000) | |
9543 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9544 | header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd() | |
9545 | endif | |
9546 | endif | |
9547 | ||
9548 | body __SCAM /\bscam(?:m?e[dr])?s?\b/i | |
9549 | ||
9550 | body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i | |
9551 | ||
9552 | header __SENDER_BOT ALL =~ /(?:not?\W?repl[yi]|bounce|contact|daemon|subscri|report|respon[ds]e?r?s?\b|\b(?:root|news|nobody|agent|(?:post|web)?master|manag|send(?:er|ing)?|out|(?:bot|web|www)\b))[^\@ >]{0,5}s?\@\w/i | |
9553 | tflags __SENDER_BOT nice | |
9554 | ||
9555 | uri __SENDGRID_REDIR m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=, # click-tracking redirect on a uNNN.ct.sendgrid.net host; the visible host says nothing about where the link finally lands | |
9556 | ||
9557 | meta __SENDGRID_REDIR_NOPHISH __SENDGRID_REDIR && !__SENDGRID_REDIR_PHISH # redirect link present but none of the extra signals below fired | |
9558 | ||
9559 | meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || T_FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ ) # redirect link plus at least one further signal; __TO_IN_SUBJ is the recipient address appearing in the Subject, the other two are defined outside this section (presumably From-name/recipient-domain match and forged relay - verify) | |
9560 | ||
9561 | body __SHARE_IT /\b(?:(?:share|allocate|teilen|parteger(?:ez|ons)?|partage)\s(?:th(?:e|is)|das|les?|des)\s(?:proceeds|funds?|money|balance|account|geld|compte|fonds)|partager(?:ez|ons)? (?:avec (?:vous|moi)|ratio|suivant un pourcentage))\b/i | |
9562 | ||
9563 | meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY | |
9564 | ||
9565 | meta __SHORTENER_SHORT_SUBJ __URL_SHORTENER && __SUBJ_SHORT | |
9566 | ||
9567 | uri __SHORT_URL /^https?:\/\/[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/ | |
9568 | ||
9569 | body __SINGLE_WORD_LINE /^\s?\S{1,60}\s?$/ | |
9570 | tflags __SINGLE_WORD_LINE multiple maxhits=2 | |
9571 | ||
9572 | header __SINGLE_WORD_SUBJ Subject =~ /^\s*\S{1,60}\s*$/ | |
9573 | ||
9574 | header __SMIME_MESSAGE Content-Type =~ /application\/pkcs7-mime;/i | |
9575 | ||
9576 | rawbody __SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/ | |
9577 | tflags __SPAN_BEG_TEXT multiple maxhits=5 | |
9578 | ||
9579 | rawbody __SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/ | |
9580 | tflags __SPAN_END_TEXT multiple maxhits=5 | |
9581 | ||
9582 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
9583 | meta __SPF_FULL_PASS 0 | |
9584 | endif | |
9585 | ||
9586 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
9587 | meta __SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS) | |
9588 | tflags __SPF_FULL_PASS net | |
9589 | endif | |
9590 | ||
9591 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
9592 | meta __SPF_RANDOM_SENDER 0 | |
9593 | endif | |
9594 | ||
9595 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
9596 | meta __SPF_RANDOM_SENDER (SPF_HELO_PASS && !SPF_PASS) | |
9597 | tflags __SPF_RANDOM_SENDER net | |
9598 | endif | |
9599 | ||
9600 | meta __SPOOFED_FREEMAIL !__NOT_SPOOFED && FREEMAIL_FROM | |
9601 | tflags __SPOOFED_FREEMAIL net | |
9602 | ||
9603 | meta __SPOOFED_FREEM_REPTO __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO | |
9604 | tflags __SPOOFED_FREEM_REPTO net | |
9605 | ||
9606 | rawbody __SPOOFED_URL m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i # link-text vs href mismatch: captures the href from "http(s):" through at most the next 30 characters, skips up to 99 nested tags that do not close the anchor, then requires link text that starts with http(s) but not with the captured prefix. Only that prefix is compared, so two URLs that agree on it and diverge later are not flagged. | |
9607 | ||
9608 | meta __STATIC_XPRIO_OLE __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE | |
9609 | ||
9610 | body __STAY_HOME /\b(?:going out of|leaving)(?: your)? (?:home|house|residence)\b/i | |
9611 | ||
9612 | body __STOCK_TIP /\bsto[ck]{2}\s?tip\b/i | |
9613 | ||
9614 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9615 | rawbody __STY_INVIS /\bstyle\s*=\s*"[^">]{0,80}(?:(?<!-)visibility\s*:\s*hidden\s*|display\s*:\s*none\s*)[;"!]/i # inline style that hides content (visibility:hidden or display:none); the (?<!-) guard skips properties that merely end in "-visibility". Coverage limits: only double-quoted style attributes are matched, and the declaration must start within 80 characters of the opening quote; single-quoted or unquoted style values are not seen. | |
9616 | tflags __STY_INVIS multiple maxhits=6 # counted up to 6 times so the __STY_INVIS_* metas can compare against the hit count (== 1, > 1, > 2, > 5) | |
9617 | endif | |
9618 | ||
9619 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9620 | meta __STY_INVIS_1 __STY_INVIS == 1 | |
9621 | endif | |
9622 | ||
9623 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9624 | meta __STY_INVIS_1_MINFP __STY_INVIS_1 && !MIME_QP_LONG_LINE && !__MOZILLA_MSGID && !__FROM_ADDRLIST_PAYPAL | |
9625 | endif | |
9626 | ||
9627 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9628 | meta __STY_INVIS_2 __STY_INVIS > 1 | |
9629 | endif | |
9630 | ||
9631 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9632 | meta __STY_INVIS_3 __STY_INVIS > 2 | |
9633 | endif | |
9634 | ||
9635 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9636 | meta __STY_INVIS_DIRECT __STY_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED | |
9637 | endif | |
9638 | ||
9639 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9640 | meta __STY_INVIS_MANY __STY_INVIS > 5 | |
9641 | endif | |
9642 | ||
9643 | header __SUBJECT_EMPTY Subject:raw =~ /^\s*$/ | |
9644 | ||
9645 | meta __SUBJECT_PRESENT_EMPTY __HAS_SUBJECT && __SUBJECT_EMPTY | |
9646 | ||
9647 | header __SUBJ_ADMIN Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i | |
9648 | ||
9649 | meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU | |
9650 | ||
9651 | header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/ | |
9652 | tflags __SUBJ_BROKEN_WORD multiple maxhits=2 | |
9653 | ||
9654 | meta __SUBJ_DOM_ADMIN __SUBJ_ADMIN && __PDS_FROM_NAME_TO_DOMAIN | |
9655 | ||
9656 | header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,:\s\n]/ism | |
9657 | ||
9658 | header __SUBJ_HAS_TO_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism | |
9659 | ||
9660 | header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism | |
9661 | ||
9662 | header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism | |
9663 | ||
9664 | header __SUBJ_NOT_SHORT Subject =~ /^.{16}/ | |
9665 | ||
9666 | header __SUBJ_OBFU_PUNCT Subject =~ /(?:[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|(?:[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z](?![a-z])))/i | |
9667 | tflags __SUBJ_OBFU_PUNCT multiple maxhits=4 | |
9668 | ||
9669 | header __SUBJ_RE Subject =~ /^(?:R[eE]|S[vV]|V[sS]|A[wW]):/ | |
9670 | ||
9671 | header __SUBJ_SHORT Subject =~ /^.{0,8}$/ | |
9672 | ||
9673 | header __SUBJ_UNNEEDED_HTML Subject =~ /%[0-9a-f][0-9a-f]/i | |
9674 | tflags __SUBJ_UNNEEDED_HTML multiple maxhits=3 | |
9675 | ||
9676 | header __SUBJ_USB_DRIVES Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/ | |
9677 | ||
9678 | body __SUBSCRIPTION_INFO /\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/i | |
9679 | tflags __SUBSCRIPTION_INFO nice | |
9680 | ||
9681 | body __SUM_OF_FUND /\b(?:sum|release|freigabe)\s(?:of|der)\s(?:amount|fund|investment|mittel)\b/i | |
9682 | ||
9683 | body __SURVEY /\bsurvey\b/i | |
9684 | ||
9685 | body __SURVIVORS /\b(?:widow|son|daughter|husband|wife|brother|sister|attorney|vi(?:=FA|[\xfa]|[\xc3][\xba])va|esposa|veuve)\s(?:of|to|do|de)\s(?:the\s)?(?:late|falecido|finales|feu|d(?:e|=E9|[\xe9]|[\xc3][\xa9])funt|mr\.?)\s\w+\b/i | |
9686 | ||
9687 | body __SUSPICION_LOGIN /\bsuspicion login\b/i | |
9688 | ||
9689 | body __SYSADMIN /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management|security|admin(?:istrat(?:or|ion))?) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i | |
9690 | ||
9691 | header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/ | |
9692 | ||
9693 | rawbody __TENWORD_GIBBERISH /^\s*(?:[a-z]+\s+){10}\.$/m | |
9694 | tflags __TENWORD_GIBBERISH multiple maxhits=21 | |
9695 | ||
9696 | body __THEY_INHERIT /\b(?:inherit\sth(?:e|is)\smoney|herede\sest[ea]\sdinero)\b/i | |
9697 | ||
9698 | body __THIS_AD /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i | |
9699 | ||
9700 | meta __THREADED (!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF) | |
9701 | tflags __THREADED nice | |
9702 | ||
9703 | header __THREAD_INDEX_GOOD Thread-Index =~ m,^A[a-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==|[A-Za-z0-9+/]{7}|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$, | |
9704 | ||
9705 | header __TO_ALL_NUMS To:addr =~ /^\d+@/ | |
9706 | ||
9707 | meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX | |
9708 | ||
9709 | meta __TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE | |
9710 | ||
9711 | meta __TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FROM_DOM && MIME_HTML_ONLY | |
9712 | ||
9713 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
9714 | meta __TO_EQ_FM_DOM_SPF_FAIL 0 | |
9715 | endif | |
9716 | ||
9717 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
9718 | meta __TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FROM_DOM && SPF_FAIL | |
9719 | tflags __TO_EQ_FM_DOM_SPF_FAIL net | |
9720 | endif | |
9721 | ||
9722 | meta __TO_EQ_FM_HTML_ONLY __TO_EQ_FROM && MIME_HTML_ONLY | |
9723 | ||
9724 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
9725 | meta __TO_EQ_FM_SPF_FAIL 0 | |
9726 | endif | |
9727 | ||
9728 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
9729 | meta __TO_EQ_FM_SPF_FAIL __TO_EQ_FROM && SPF_FAIL | |
9730 | tflags __TO_EQ_FM_SPF_FAIL net | |
9731 | endif | |
9732 | ||
9733 | meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2) # sender address also appears as the recipient address, with the two headers in either order | |
9734 | describe __TO_EQ_FROM To: same as From: | |
9735 | ||
9736 | header __TO_EQ_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism # From: before To:. From: must not be the very first header line (a preceding newline is required), and every header line between the two must be 1-100 characters long, so one longer line in between prevents the match. The address comparison via \1 is case-insensitive. | |
9737 | ||
9738 | header __TO_EQ_FROM_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism # mirror of __TO_EQ_FROM_1 for To: before From:, with the same 100-character limit on intervening header lines | |
9739 | ||
9740 | meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2) | |
9741 | describe __TO_EQ_FROM_DOM To: domain same as From: domain | |
9742 | ||
9743 | header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+[^\n]+@\1[>,\s\n]/ism | |
9744 | ||
9745 | header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+[^\n]+@\1[>,\s\n]/ism | |
9746 | ||
9747 | meta __TO_EQ_FROM_USR (__TO_EQ_FROM_USR_1 || __TO_EQ_FROM_USR_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT) | |
9748 | describe __TO_EQ_FROM_USR To: username same as From: username | |
9749 | ||
9750 | header __TO_EQ_FROM_USR_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism | |
9751 | ||
9752 | header __TO_EQ_FROM_USR_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism | |
9753 | ||
9754 | meta __TO_EQ_FROM_USR_NN (__TO_EQ_FROM_USR_NN_1 || __TO_EQ_FROM_USR_NN_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT) | |
9755 | describe __TO_EQ_FROM_USR_NN To: username same as From: username sans trailing nums | |
9756 | ||
9757 | header __TO_EQ_FROM_USR_NN_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism | |
9758 | ||
9759 | header __TO_EQ_FROM_USR_NN_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism | |
9760 | ||
9761 | meta __TO_EQ_FROM_USR_NN_MINFP __TO_EQ_FROM_USR_NN && !__TO_EQ_FROM_USR_1 && !__TO_EQ_FROM && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__DKIM_EXISTS && !__NOT_SPOOFED && !__RCD_RDNS_SMTP && !__RCD_RDNS_MX_MESSY && !__THREADED | |
9762 | ||
9763 | meta __TO_IN_SUBJ (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3) | |
9764 | ||
9765 | header __TO_NO_ARROWS_R To !~ /(?:>$|>,)/ | |
9766 | ||
9767 | if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
9768 | meta __TO_NO_BRKTS_FREEMAIL 0 | |
9769 | endif | |
9770 | ||
9771 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
9772 | meta __TO_NO_BRKTS_FREEMAIL __TO_NO_ARROWS_R && (FREEMAIL_FROM || FREEMAIL_REPLYTO) | |
9773 | endif | |
9774 | ||
9775 | meta __TO_NO_BRKTS_FROM_RUNON __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && __FROM_RUNON | |
9776 | ||
9777 | meta __TO_NO_BRKTS_HTML_IMG __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMG | |
9778 | ||
9779 | meta __TO_NO_BRKTS_HTML_ONLY __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLY | |
9780 | ||
9781 | meta __TO_NO_BRKTS_MSFT __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS) | |
9782 | ||
9783 | meta __TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_HTML_ONLY && RDNS_NONE | |
9784 | ||
9785 | meta __TO_NO_BRKTS_PCNT __TO_NO_ARROWS_R && __FB_NUM_PERCNT | |
9786 | ||
9787 | meta __TO_TOO_MANY_WFH_01 __TO_WAY_TOO_MANY && __WFH_01 | |
9788 | ||
9789 | header __TO_UNDISCLOSED To =~ /\b(?:undisclosed[-\s]recipients|destinataires inconnus|destinatari nascosti)\b/i | |
9790 | ||
9791 | header __TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,90}){50}/ | |
9792 | ||
9793 | body __TO_YOUR_ACCT /\b(?:(?:f[uo]nds|money|f[uo]ndo|dinheiro|bank)\s(?:\w{1,10}\s){0,4}(?:transfer(?:red)?|transferido|sont)|\d+)\s(?:to|para|en)\s(?:your?|sua|votre)\s(?:account|conta|pos+es+ion)/i | |
9794 | ||
9795 | body __TO_YOUR_ORG /\b(?:to|for) your organi[sz]ation\b/i | |
9796 | ||
9797 | header __TO___LOWER ALL =~ /to:\s\S{5}/ | |
9798 | ||
9799 | body __TRANSFORM_LIFE /\b(transform|change) your (?:daily )?life(?:style)?\b/i | |
9800 | ||
9801 | body __TRAVEL_AGENT /\btravel\sagen(?:t|cy)\b/i | |
9802 | ||
9803 | body __TRAVEL_BUSINESS /\bbusiness\stravel\b/i | |
9804 | ||
9805 | body __TRAVEL_ITINERARY /(?:travel|ticketed|your|current) itinerary/i | |
9806 | ||
9807 | meta __TRAVEL_MANY (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2 | |
9808 | ||
9809 | body __TRAVEL_PROFILE /\btravel+er\sprofile\b/i | |
9810 | ||
9811 | body __TRAVEL_RESERV /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i | |
9812 | ||
9813 | body __TRTMT_DEFILED /\bdefiled\sall\s(?:forms\sof\s)?(?:medical\s)?treatments?\b/i | |
9814 | ||
9815 | body __TRUNK_BOX /\b(?:(?:trunk|metallic|proof|security|consignment)\sbox(?:es)?|sealed\ssafe|une mallette m(?:e|=E9|[\xe9]|[\xc3][\xa9])tallique)\b/i | |
9816 | ||
9817 | body __TRUSTED_CHECK /\b(?:cashier'?s?|certified)\sche(?:ck|que)/i | |
9818 | ||
9819 | header __TT_BROKEN_VALIUM Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i | |
9820 | ||
9821 | header __TT_BROKEN_VIAGRA Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i | |
9822 | ||
9823 | header __TT_OBSCURED_VALIUM Subject =~ /(v|V|\\\/)(a|A|\(a\)|4|@)(l|L|\|)(i|I|1|\xef|\|)(u|U|\(u\))(m|M)/ | |
9824 | ||
9825 | header __TT_OBSCURED_VIAGRA Subject =~ /(v|V|\\\/)(i|I|1|\xef|\|)(a|A|\(a\)|4|@)(g|G)(r|R)(a|A|\(a\)|4|@)/ | |
9826 | ||
9827 | header __TT_VALIUM Subject =~ /VALIUM/i | |
9828 | ||
9829 | header __TT_VIAGRA Subject =~ /VIAGRA/i | |
9830 | ||
9831 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9832 | mimeheader __TVD_FW_GRAPHIC_ID1 Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/ | |
9833 | endif | |
9834 | ||
9835 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9836 | mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i | |
9837 | endif | |
9838 | ||
9839 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9840 | mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i | |
9841 | endif | |
9842 | ||
9843 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9844 | mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i | |
9845 | endif | |
9846 | ||
9847 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9848 | mimeheader __TVD_OUTLOOK_IMG Content-Id =~ /<image\d+\.(?:gif|jpe?g|png)\@/ | |
9849 | endif | |
9850 | ||
9851 | body __TVD_PH_BODY_01 /\baccount .{0,20}placed? [io]n restricted status/i | |
9852 | ||
9853 | body __TVD_PH_BODY_02 /\brecords (?:[a-z_,-]+ )+?(?:feature|(?:a|re)ward)/i | |
9854 | ||
9855 | body __TVD_PH_BODY_03 /\byou(?:'ve| have) been (?:[a-z_,-]+ )+?payment/i | |
9856 | ||
9857 | body __TVD_PH_BODY_04 /\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/i | |
9858 | ||
9859 | body __TVD_PH_BODY_05 /\bthis is (?:[a-z_,-]+ )+?protect (?:[a-z_,-]+ )+?your/i | |
9860 | ||
9861 | body __TVD_PH_BODY_06 /Dear [a-z]+ bank (?:member|customer)/i | |
9862 | ||
9863 | body __TVD_PH_BODY_07 /\bguarantee the safety of your (?:[a-z_,-]+ )*?account/i | |
9864 | ||
9865 | body __TVD_PH_BODY_08 /\bmultiple password failures/i | |
9866 | ||
9867 | body __TVD_PH_BODY_ACCOUNTS_POST /\b(?:(?:[dr]e-?)?activat[a-z]*|(?:re-?)?validate|secure|restore|confirm|update|suspend) (?!your)(?:[a-z_,-]+ )+?accounts?\b/i | |
9868 | ||
9869 | body __TVD_PH_BODY_ACCOUNTS_PRE /\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i | |
9870 | ||
9871 | meta __TVD_PH_BODY_META __TVD_PH_BODY_01 || __TVD_PH_BODY_02 || __TVD_PH_BODY_03 || __TVD_PH_BODY_04 || __TVD_PH_BODY_05 || __TVD_PH_BODY_06 || __TVD_PH_BODY_07 || __TVD_PH_BODY_08 | |
9872 | ||
9873 | header __TVD_PH_SUBJ_00 Subject =~ /\brewards? survey\b/i | |
9874 | ||
9875 | header __TVD_PH_SUBJ_02 Subject =~ /\byour payment has been sent\b/i | |
9876 | ||
9877 | header __TVD_PH_SUBJ_04 Subject =~ /\baccounts? profile\b/i | |
9878 | ||
9879 | header __TVD_PH_SUBJ_15 Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i | |
9880 | ||
9881 | header __TVD_PH_SUBJ_17 Subject =~ /\bremove limitations?\b/i | |
9882 | ||
9883 | header __TVD_PH_SUBJ_18 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i | |
9884 | ||
9885 | header __TVD_PH_SUBJ_19 Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i | |
9886 | ||
9887 | header __TVD_PH_SUBJ_29 Subject =~ /^notice(?::|[\s\W]*$)/i | |
9888 | ||
9889 | header __TVD_PH_SUBJ_31 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i | |
9890 | ||
9891 | header __TVD_PH_SUBJ_36 Subject =~ /\bconsumer notice\b/i | |
9892 | ||
9893 | header __TVD_PH_SUBJ_37 Subject =~ /\bvalued member[a-z]*\b/i | |
9894 | ||
9895 | header __TVD_PH_SUBJ_38 Subject =~ /\bonline bank[a-z]*\b/i | |
9896 | ||
9897 | header __TVD_PH_SUBJ_39 Subject =~ /\bonline department\b/i | |
9898 | ||
9899 | header __TVD_PH_SUBJ_41 Subject =~ /\bunusual activity\b/i | |
9900 | ||
9901 | header __TVD_PH_SUBJ_52 Subject =~ /\b(?:account|online) profile\b/i | |
9902 | ||
9903 | header __TVD_PH_SUBJ_54 Subject =~ /\bun-?authorized access(?:es)?\b/i | |
9904 | ||
9905 | header __TVD_PH_SUBJ_56 Subject =~ /\brespond now\b/i | |
9906 | ||
9907 | header __TVD_PH_SUBJ_58 Subject =~ /\bbilling service\b/i | |
9908 | ||
9909 | header __TVD_PH_SUBJ_59 Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i | |
9910 | ||
9911 | header __TVD_PH_SUBJ_ACCESS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i | |
9912 | ||
9913 | meta __TVD_PH_SUBJ_META __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST | |
9914 | ||
9915 | meta __TVD_SPACE_ENCODED (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED) | |
9916 | ||
9917 | if !plugin(Mail::SpamAssassin::Plugin::BodyEval) | |
9918 | meta __TVD_SPACE_RATIO 0 | |
9919 | endif | |
9920 | ||
9921 | header __TVD_SUBJ_NUM_OBFU Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i | |
9922 | ||
9923 | meta __T_PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512 || __PDS_QP_512) | |
9924 | ||
9925 | header __UA_GNUS User-Agent =~ /^Gnus/ | |
9926 | ||
9927 | header __UA_KMAIL User-Agent =~ /^KMail/ | |
9928 | ||
9929 | header __UA_KNODE User-Agent =~ /^KNode/ | |
9930 | ||
9931 | header __UA_MOZ5 User-Agent =~ /^Mozilla\/5/ | |
9932 | ||
9933 | header __UA_MSOEMAC User-Agent =~ /^Microsoft-Outlook-Express-Mac/ | |
9934 | ||
9935 | header __UA_MSOMAC User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/ | |
9936 | ||
9937 | header __UA_MUTT User-Agent =~ /^Mutt/ | |
9938 | ||
9939 | header __UA_OPERA7 User-Agent =~ /^Opera7/ | |
9940 | ||
9941 | header __UA_PAN User-Agent =~ /^Pan/ | |
9942 | ||
9943 | header __UA_XNEWS User-Agent =~ /^Xnews/ | |
9944 | ||
9945 | body __UC_GIBB_OBFU /\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/ | |
9946 | tflags __UC_GIBB_OBFU multiple maxhits=2 | |
9947 | ||
9948 | body __UN /\bunited\snations?\b/i | |
9949 | ||
9950 | meta __UNDISC_FREEM __TO_UNDISCLOSED && __freemail_replyto | |
9951 | ||
9952 | meta __UNDISC_MONEY __TO_UNDISCLOSED && (__ADVANCE_FEE_2_NEW || LOTS_OF_MONEY) | |
9953 | ||
# __UNICODE_OBFU_ASC: mixed-script (homoglyph) obfuscation inside otherwise ASCII words.
# The byte pairs are the UTF-8 encodings of Cyrillic U+0430, U+0435, U+043E
# (\xd0 followed by \xb0, \xb5, \xbe) and U+0440, U+0441 (\xd1 followed by \x80, \x81),
# which render like Latin a, e, o, p, c. A hit needs two runs of those bytes separated
# by 1-8 ASCII letters/digits, with an ASCII letter, digit or whitespace on each side.
# "multiple maxhits=10" counts up to ten hits per message; __UNICODE_OBFU_ASC_MANY
# fires when the count exceeds 9.
# NOTE(review): the pattern is written as UTF-8 octets, so it presumably relies on the
# body reaching the rule as UTF-8 (natively or after charset normalization) - confirm.
9954 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9955 | body __UNICODE_OBFU_ASC /[a-z0-9\s](?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9]{1,8}(?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9\s]/i | |
9956 | tflags __UNICODE_OBFU_ASC multiple maxhits=10 | |
9957 | endif | |
9958 | ||
9959 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9960 | meta __UNICODE_OBFU_ASC_MANY __UNICODE_OBFU_ASC > 9 | |
9961 | endif | |
9962 | ||
# __UNICODE_OBFU_ZW: invisible characters spliced into words.
# \xe2\x80 followed by \x8b, \x8c or \x8d is the UTF-8 form of U+200B (zero width space),
# U+200C (zero width non-joiner) and U+200D (zero width joiner); \xef\xbb\xbf is U+FEFF.
# A hit needs two runs of these separated by 1-8 ASCII letters, digits or whitespace,
# where the first character after the first run is not whitespace ((?!\s)).
# NOTE(review): the lone \x9d alternative is not a complete UTF-8 sequence; presumably
# it covers residue from a mis-decoded or non-UTF-8 body - confirm.
# "multiple maxhits=10" feeds the count thresholds __UNICODE_OBFU_ZW_2, _3, _5 and _10.
9963 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9964 | body __UNICODE_OBFU_ZW /[a-z0-9\s](?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+[a-z0-9\s]/i | |
9965 | tflags __UNICODE_OBFU_ZW multiple maxhits=10 | |
9966 | endif | |
9967 | ||
9968 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9969 | meta __UNICODE_OBFU_ZW_10 __UNICODE_OBFU_ZW > 9 | |
9970 | endif | |
9971 | ||
9972 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9973 | meta __UNICODE_OBFU_ZW_2 __UNICODE_OBFU_ZW > 1 | |
9974 | endif | |
9975 | ||
9976 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9977 | meta __UNICODE_OBFU_ZW_3 __UNICODE_OBFU_ZW > 2 | |
9978 | endif | |
9979 | ||
9980 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9981 | meta __UNICODE_OBFU_ZW_5 __UNICODE_OBFU_ZW > 4 | |
9982 | endif | |
9983 | ||
9984 | body __UNSUB_EMAIL /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b[-a-z_0-9.+=]{0,60}\@[a-z0-9][-a-z_0-9.]{4,20}(?:[^a-z_0-9.-]|$)/i | |
9985 | tflags __UNSUB_EMAIL nice | |
9986 | ||
9987 | uri __UNSUB_LINK /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b/i | |
9988 | tflags __UNSUB_LINK nice | |
9989 | ||
# __UPGR_MAILBOX: "upgrade/update your mailbox" lure phrasing, including the
# "click here/below ... to upgrade / raise mailbox quota" form and several
# non-English alternatives (Spanish-, Portuguese- and Polish-looking phrases).
# NOTE(review): in "request (?:for )additional storage" the group is not optional, so
# only "request for additional storage" matches; if "for " was meant to be optional
# a "?" is missing - confirm upstream.
9990 | body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:(?:[hw]as|and)\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage|you (?:have )?(?:failed|refused) to up(?:date|grade))\b/i | |
9991 | ||
9992 | uri __UPPERCASE_URI /^[^:A-Z]+[A-Z]/ | |
9993 | ||
9994 | uri __URI_12LTRDOM m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i | |
9995 | ||
9996 | uri __URI_ADOBESPARK m,https?://branchlink\.adobespark\.com/,i | |
9997 | ||
9998 | uri __URI_AZURE_CLOUDAPP m,://(?:[^./]+\.)+cloudapp\.azure\.com/, | |
9999 | ||
10000 | uri __URI_DASHGOVEDU m,://[^/]*-(?:gov|edu)\.com/,i | |
10001 | ||
# __URI_DATA: a URI that starts with "data:" followed by a letter, where the text
# after the colon is not "image/". It flags inline data: URIs that declare a
# non-image media type; inline images are deliberately left out.
10002 | uri __URI_DATA /^data:(?!image\/)[a-z]/i | |
10003 | ||
10004 | uri __URI_DBL_DOM m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i | |
10005 | ||
10006 | uri __URI_DOM_DOTDOT m,://[^/]+\.\., | |
10007 | ||
10008 | uri __URI_DOTEDU m;^https?://(?:[^./]+\.)+edu/;i | |
10009 | ||
10010 | meta __URI_DOTEDU_ENTITY __URI_DOTEDU && __AC_HTML_ENTITY_BONANZA_SHRT_RAW | |
10011 | ||
10012 | uri __URI_DOTGOV m;^https?://(?:[^./]+\.)+gov/;i | |
10013 | ||
10014 | uri __URI_DOTTY_HEX /(?:\.[0-9a-f]{2}){30}/ | |
10015 | ||
10016 | uri __URI_DQ_UNSUB m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i | |
10017 | ||
10018 | uri __URI_FIREBASEAPP m,://[^./]+\.firebaseapp\.com/, | |
10019 | ||
10020 | uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:[^&]+&)*(?:id|formkey|usp)=|document/),i | |
10021 | ||
10022 | uri __URI_GOOGLE_DRV m,^https?://(?:drive\.google|googledrive)\.com/,i | |
10023 | ||
10024 | uri __URI_GOOGLE_PROXY m;^https?://[^.]+\.googleusercontent\.com/proxy/;i | |
10025 | ||
10026 | uri __URI_GOOG_STO_HTML m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.html?(?:$|\?),i | |
10027 | tflags __URI_GOOG_STO_HTML multiple maxhits=5 | |
10028 | ||
10029 | uri __URI_GOOG_STO_IMG m,^https?://storage\.googleapis\.com/.*\.(?:png|jpe?g|gif)$,i | |
10030 | tflags __URI_GOOG_STO_IMG multiple maxhits=5 | |
10031 | ||
# __URI_HEX_IP: the host directly after "://" is "0x" plus at least eight hex digits,
# ended by ":" or "/". Presumably this is an IPv4 address written as one hexadecimal
# integer, a notation that hides the real destination from a reader - confirm.
# {8,} has no upper bound, so longer hex strings match as well.
10032 | uri __URI_HEX_IP m;://0x[0-9A-F]{8,}[:/];i | |
10033 | ||
10034 | uri __URI_IMG_ALICDN m,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g|gif|png),i | |
10035 | ||
10036 | uri __URI_IMG_AMAZON m,://[^/?]+\.(?:ssl-)?images-amazon\.com/,i | |
10037 | ||
10038 | uri __URI_IMG_CHANNYPIC m,://www\.channypicture\.com/pic/,i | |
10039 | ||
10040 | uri __URI_IMG_EBAY m,://[^/?]+\.ebayimg\.com/,i | |
10041 | ||
10042 | uri __URI_IMG_JOOMCDN m,://img\.joomcdn\.net/,i | |
10043 | ||
10044 | uri __URI_IMG_NEWEGG m,://[^/?]+\.neweggimages\.com/,i | |
10045 | ||
10046 | uri __URI_IMG_SHOPIFY m,://cdn\.shopify\.com/.+\.(?:jpe?g|gif|png),i | |
10047 | ||
10048 | uri __URI_IMG_STATICBG m,://imgaz\.staticbg\.com/images/,i | |
10049 | ||
10050 | uri __URI_IMG_WALMART m,://[^/?]+\.walmartimages\.com/,i | |
10051 | ||
10052 | uri __URI_IMG_WISH m,://contestimg\.wish\.com/,i | |
10053 | ||
10054 | uri __URI_IMG_WP_REDIR m;://i[02]\.wp\.com/.*\.(?:jpe?g|gif|png)$;i | |
10055 | ||
10056 | uri __URI_IMG_YTIMG m,://[^/?]+\.ytimg\.com/,i | |
10057 | ||
10058 | uri __URI_LONG_REPEAT m;(?:://|@)(?:\w+\.)*(\w{10,}\.)\1;i | |
10059 | ||
10060 | uri __URI_MAILTO /^mailto:/i | |
10061 | tflags __URI_MAILTO multiple maxhits=16 | |
10062 | ||
10063 | uri __URI_MONERO /buy-monero/i | |
10064 | ||
10065 | meta __URI_ONLY_MSGID_MALF __BODY_URI_ONLY && __MSGID_NOFQDN2 | |
10066 | ||
10067 | meta __URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) | |
10068 | ||
10069 | uri __URI_PHP_REDIR m;/redirect\.php\?;i | |
10070 | ||
10071 | uri __URI_TRY_USME m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i | |
10072 | ||
10073 | uri __URI_WEBAPP m,://[^./]+\.web\.app/, | |
10074 | ||
10075 | uri __URI_WPADMIN m,/wp-admin/\w+/,i | |
10076 | ||
10077 | uri __URI_WPCONTENT m,/wp-content/.*\.(?:php|html?)\b,i | |
10078 | ||
10079 | uri __URI_WPDIRINDEX m,/wp-(?:content|includes)/.*/$,i | |
10080 | ||
10081 | uri __URI_WPINCLUDES m,/wp-includes/.*\.(?:php|html?)\b,i | |
10082 | ||
# __URL_BTC_ID: a URI segment shaped like a Bitcoin address. Either a leading 1 or 3
# plus 25-34 characters from the base58-style set (no 0, O, I or l), or "bc1" plus
# 30-90 lowercase letters/digits from a set that omits b, i, o and 1. The segment must
# follow "/" or "." and be followed by "/" or the end of the URI. There is no /i flag,
# so the match is case-sensitive.
# This is a shape check only; no address checksum is verified, so any URI segment of
# the right shape hits.
10083 | uri __URL_BTC_ID m;[/.](?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})(?:/|$); | |
10084 | ||
# __URL_LTC_ID: same idea with a leading L, M or 3 and 26-33 base58-style characters.
# A segment starting with 3 in the shared length range satisfies both rules.
10085 | uri __URL_LTC_ID m;[/.][LM3][a-km-zA-HJ-NP-Z1-9]{26,33}(?:/|$); | |
10086 | ||
10087 | uri __URL_SHORTENER /^https?:\/\/(?:bit\.ly|bit\.do|buff\.ly|tinyurl\.com|ow\.ly|owl\.li|is\.gd|tumblr\.com|mysp\.ac|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|goo\.io|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|ecs\.page\.link|cc\.uz|smarturl\.it|s\.apache\.org)\/[^\/]{3}\/?/ | |
10088 | ||
10089 | header __USING_VERP1 Return-Path =~ /[+-].*=/ | |
10090 | ||
10091 | header __VACATION Subject =~ /\b(?:vacatio|away|out.of.offic|auto.?re|confirm)/i | |
10092 | tflags __VACATION nice | |
10093 | ||
10094 | body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails))\b/i | |
10095 | tflags __VALIDATE_MAILBOX multiple maxhits=2 | |
10096 | ||
10097 | body __VALIDATE_MBOX_SE /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i | |
10098 | ||
# __VERIFY_ACCOUNT: credential-phishing phrasing of the form
# "<confirm|update(d)|verify|verified> <your|the> <object>", where the object is an
# account/records/identity/login style noun, or a (optionally quoted) e-mail address
# followed by "account" or "mailbox".
# NOTE(review): "confirm verification", "verify k?now" and the German
# "Ihre Angaben .berpr.ft und best.tigt" are alternatives inside the object group, so
# they match only after "<verb> <your|the> ". __VALIDATE_MAILBOX in this file carries
# "verify k?now" as a top-level alternative, which suggests that was the intent here
# as well - confirm upstream before relying on these three alternatives.
# The pattern has no leading \b, so the verb also matches at the end of a longer word.
# "multiple maxhits=2" lets the rule count up to two hits per message.
10099 | body __VERIFY_ACCOUNT /(?:confirm|updated?|verif(?:y|ied)) (?:your|the) (?:(?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)|"?[^\@\s]+\@\S+"? (?:account|mail ?box)|confirm verification|verify k?now|Ihre Angaben .berpr.ft und best.tigt)/i | |
10100 | tflags __VERIFY_ACCOUNT multiple maxhits=2 | |
10101 | ||
10102 | meta __VFY_ACCT_NORDNS __VERIFY_ACCOUNT && __RDNS_NONE | |
10103 | ||
10104 | if (version >= 3.004002) | |
10105 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
10106 | header __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i | |
10107 | endif | |
10108 | endif | |
10109 | ||
10110 | meta __WALMART_IMG_NOT_RCVD_WAL __URI_IMG_WALMART && !__HDR_RCVD_WALMART | |
10111 | ||
10112 | body __WEBMAIL_ACCT /\byour web ?mail account/i | |
10113 | ||
10114 | body __WE_PAID /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i | |
10115 | ||
10116 | meta __WFH_01 ( __PERFECT_BINARY + __WE_PAID + __MAKE_XTRA_DOLLAR + __BONUS_LAST_DAY + __PASSIVE_INCOME + __WITHOUT_EFFORT + __TRANSFORM_LIFE + __STAY_HOME + __RECEIVE_BONUS ) > 2 | |
10117 | ||
10118 | body __WIDOW /\b(?:widow(?:e[rd])'?s?|veuve)\b/i | |
10119 | ||
10120 | body __WILL_LEGAL /\b(?:codicil|last\stestament|probate|executor|intestate|bequest|mandamus)\b/i | |
10121 | ||
10122 | body __WIRE_XFR /\b(?:wire|telegraph(?:ic)?|bank)\s?transfer/i | |
10123 | ||
10124 | body __WITHOUT_EFFORT /\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great| special| extra)? effort\b/i | |
10125 | ||
# __WORD_INVIS: a short word wrapped in an HTML tag styled so that it is not visible.
# Matched on the raw body: a tag other than <style> whose attributes (within 80
# characters) set "font" or "font-size" to 0 or 1 (optionally with decimals) in
# px, pt, Q, vw, vh or vmin, or to 0 (optionally with decimals) in cm, mm, in, pc, em,
# ex, ch, rem, lh or vmax, or set "color: transparent"; the tag is then followed by
# 1-20 word characters and the next "<".
# Presumably targets hidden filler text used to split or pad the visible wording.
# "multiple maxhits=6" feeds the count metas __WORD_INVIS_2 and __WORD_INVIS_5;
# __WORD_INVIS_MINFP adds exclusions to cut false positives.
10126 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
10127 | rawbody __WORD_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|in|pc|em|ex|ch|rem|lh|vmax))\s*[;'a-z]|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w{1,20}</i | |
10128 | tflags __WORD_INVIS multiple maxhits=6 | |
10129 | endif | |
10130 | ||
10131 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
10132 | meta __WORD_INVIS_2 __WORD_INVIS > 1 | |
10133 | endif | |
10134 | ||
10135 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
10136 | meta __WORD_INVIS_5 __WORD_INVIS > 5 | |
10137 | endif | |
10138 | ||
10139 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
10140 | meta __WORD_INVIS_MINFP __WORD_INVIS && !__SURVEY && !MIME_QP_LONG_LINE && !__FB_TOUR && !__MSGID_GUID | |
10141 | endif | |
10142 | ||
10143 | header __XEROXWORKCTR_MUA X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/ | |
10144 | ||
10145 | meta __XFER_LOTSA_MONEY __XFER_MONEY && LOTS_OF_MONEY | |
10146 | ||
10147 | meta __XFER_MONEY (__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT || __MOVE_MONEY || __TO_YOUR_ACCT || __PAY_YOU || __GIVE_MONEY) | |
10148 | ||
10149 | header __XM_APPLEMAIL X-Mailer =~ /^Apple Mail/ | |
10150 | ||
10151 | header __XM_BALSA X-Mailer =~ /^Balsa \d/ | |
10152 | ||
10153 | header __XM_CALYPSO X-Mailer =~ /^Calypso/ | |
10154 | ||
10155 | header __XM_DIGITS_ONLY X-Mailer =~ /^\s*\d+\s*$/ | |
10156 | ||
10157 | header __XM_FORTE X-Mailer =~ /^Forte Agent \d/ | |
10158 | ||
10159 | header __XM_GNUS X-Mailer =~ /^Gnus v/ | |
10160 | ||
10161 | header __XM_IPHONEMAIL X-Mailer =~ /^iPhone Mail \([0-9A-F]{4,8}\)/ | |
10162 | ||
10163 | header __XM_LIGHT_HEAVY X-Mailer =~ /\b(?:light|(?<!::)lite|standard|business|pro(?:fessional)?|educational|personal)\b/i | |
10164 | ||
10165 | header __XM_MHE X-Mailer =~ /^mh-e \d/ | |
10166 | ||
10167 | header __XM_MOZ4 X-Mailer =~ /^Mozilla 4/ | |
10168 | ||
10169 | header __XM_MSOE5 X-Mailer =~ /^Microsoft Outlook Express 5/ | |
10170 | ||
10171 | header __XM_MSOE6 X-Mailer =~ /^Microsoft Outlook Express 6/ | |
10172 | ||
10173 | header __XM_MS_IN_GENERAL X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/ | |
10174 | ||
# Exact-build X-Mailer fingerprints for specific Outlook / Outlook Express versions.
# X-Mailer is set by the sender, so these identify a claimed client, not a verified one.
# How they are scored is decided by metas outside this part of the file.
# NOTE(review): the dots in the version numbers are unescaped and therefore match any
# character; "\." would make them literal. The practical effect is small because each
# pattern is anchored with ^ and $.
10175 | header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/ | |
10176 | ||
10177 | header __XM_OL_28001441 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/ | |
10178 | ||
10179 | header __XM_OL_28004682 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/ | |
10180 | ||
10181 | header __XM_OL_48072300 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/ | |
10182 | ||
10183 | header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/ | |
10184 | ||
10185 | header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/ | |
10186 | ||
10187 | header __XM_PHPMAILER_FORGED X-Mailer =~ /PHPMailer\s.*version\D+$/ | |
10188 | ||
10189 | header __XM_RANDOM X-Mailer =~ /q(?!q?mail|boxmail|\d|[-\w]*=+;)[^u]/i | |
10190 | ||
10191 | header __XM_SKYRI X-Mailer =~ /^SKYRiXgreen/ | |
10192 | ||
10193 | header __XM_SQRLMAIL X-Mailer =~ /^SquirrelMail/ | |
10194 | ||
10195 | header __XM_SYLPHEED X-Mailer =~ /^Sylpheed/ | |
10196 | ||
10197 | header __XM_UC_ONLY X-Mailer =~ /^[^a-z]+$/ | |
10198 | ||
10199 | header __XM_VM X-Mailer =~ /^VM \d/ | |
10200 | ||
10201 | header __XM_WWWMAIL X-Mailer =~ /^WWW-Mail \d/ | |
10202 | ||
10203 | header __XM_XIMEVOL X-Mailer =~ /^Ximian Evolution/ | |
10204 | ||
10205 | meta __XPRIO_MINFP __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT && !__L_BODY_8BITS | |
10206 | ||
10207 | meta __XPRIO_SHORT_SUBJ __XPRIO_MINFP && __SUBJ_SHORT | |
10208 | ||
10209 | body __YOUR_BANK /\byour?\s(?:full\s)?bank(?:ing)?\sinformations?\b/i | |
10210 | ||
10211 | body __YOUR_CONSIGNMENT /\b(?:received?|pa(?:y|id)|sen[dt]|h[oe]ld|delay(?:ed)?|impound(?:ed)?|released?|ship(?:ped)?)\syour(?:\s\w+)?\sconsignment\b/i | |
10212 | ||
10213 | body __YOUR_FUND /\b(?:your|ihr)\s(?:unpaid\s|win+ing\s|ap+roved\s|foreign\s|overdue\s|outstanding\s|contract\s|inheritance\s|nicht\sausbezahlten\s){0,3}(?:fund|f\su\sn\sd|payment|geld)\b/i | |
10214 | ||
10215 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
10216 | body __YOUR_ONAN /\b(?:your?|ihrer)\s(?:ma+s+t+[ur]+b+a+t+(?:ion|ing|e)(?:svideo)?|onanism|solitary\ssex|hand\sfucking|Selbstbefriedigung|(?:pleasur(?:e|ing)|satisfy(?:ing)?)\syourself)\b/i | |
10217 | endif | |
10218 | ||
10219 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
10220 | body __YOUR_ONAN /(?:^|\s)(?:<Y><O><U><R>?|<I><H><R><E><R>)\s(?:<M>+<A>+<S>+<T>+(?:<U>|<R>)+<B>+<A>+<T>+(?:<I><O><N>|<I><N><G>|<E>)(?:<S><V><I><D><E><O>)?|<O><N><A><N><I><S><M>|<S><O><L><I><T><A><R><Y>\s<S><E><X>|<H><A><N><D>\s<F><U><C><K><I><N><G>|<S><E><L><B><S><T><B><E><F><R><I><E><D><I><G><U><N><G>|(?:<P><L><E><A><S><U><R>(?:<E>|<I><N><G>)|<S><A><T><I><S><F><Y>(?:<I><N><G>)?)\s<Y><O><U><R><S><E><L><F>)/i | |
10221 | endif | |
10222 | ||
10223 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
10224 | body __YOUR_PASSWORD /\b(?:your|(?:change|modify|update|reset|alter|fix)\sthe)\s(?:account\s|e-?mail\s)?(?:pass[-\s_]?word|pswd)\b/i | |
10225 | endif | |
10226 | ||
10227 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
10228 | body __YOUR_PASSWORD /(?:^|\s)(?:<Y><O><U><R>|(?:<C><H><A><N><G><E>|<M><O><D><I><F><Y>|<U><P><D><A><T><E>|<R><E><S><E><T>|<A><L><T><E><R>|<F><I><X>)\s<T><H><E>)\s(?:<A><C><C><O><U><N><T>\s|<E>-?<M><A><I><L>\s)?(?:<P><A><S><S>[-\s_]?<W><O><R><D>|<P><S><W><D>\s)/i | |
10229 | endif | |
10230 | ||
10231 | body __YOUR_PERM /\byour\spermission\b/i | |
10232 | ||
10233 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
10234 | body __YOUR_PERSONAL /\b(?:your\s(?:personal|private|social\scontact|address|friends)\s(?:info(?:rmation)?|data|details|book|secrets)|all\s(?:of\s)?your\s(?:files|contacts|secrets|correspondence))\b/i | |
10235 | endif | |
10236 | ||
10237 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
10238 | body __YOUR_PERSONAL /(?:^|\s)(?:<Y><O><U><R>\s(?:<P><E><R><S><O><N><A><L>|<P><R><I><V><A><T><E>|<S><O><C><I><A><L>\s<C><O><N><T><A><C><T>|<A><D><D><R><E><S><S>|<F><R><I><E><N><D><S>)\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>|<D><E><T><A><I><L><S>|<B><O><O><K>|<S><E><C><R><E><T><S>)|<A><L><L>\s(?:<O><F>\s)?<Y><O><U><R>\s(?:<F><I><L><E><S>|<C><O><N><T><A><C><T><S>|<S><E><C><R><E><T><S>|<C><O><R><R><E><S><P><O><N><D><E><N><C><E>))[\s\.,]/i | |
10239 | endif | |
10240 | ||
10241 | body __YOUR_PROFIT /\byour?\sprofit/i | |
10242 | ||
10243 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
10244 | body __YOUR_WEBCAM /\b(?:from|your|with|and|on)\s(?:(?:screen|desktop|microphone)\sand\s|own\s)?(?:web[-\s]?|front[-\s]?|network\s|your\s)camer+a/i | |
10245 | endif | |
10246 | ||
10247 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
10248 | body __YOUR_WEBCAM /(?:^|\s)(?:<F><R><O><M>|<Y><O><U><R>|<W><I><T><H>|<A><N><D>|<O><N>)\s(?:(?:<S><C><R><E><E><N>|<D><E><S><K><T><O><P>|<M><I><C><R><O><P><H><O><N><E>)\s<A><N><D>\s|<O><W><N>\s)?(?:<W><E><B>[-\s]?|<F><R><O><N><T>[-\s]?|<N><E><T><W><O><R><K>\s|<Y><O><U><R>\s)<C><A><M><E><R>+<A>/i | |
10249 | endif | |
10250 | ||
10251 | body __YOU_ASSIST /\b(?:your\sas+istan(?:ce|t)|votre\s(?:as+istance|aide))\b/i | |
10252 | ||
10253 | body __YOU_INHERIT /\byour\s[a-z\s]{0,30}inherit+ance\b/i | |
10254 | ||
10255 | meta __YOU_WON __YOU_WON_01 || __YOU_WON_02 || __YOU_WON_03 || __YOU_WON_04 || __HAS_WON_01 || (__YOU_WON_05 && (__MOVE_MONEY || __GIVE_MONEY)) | |
10256 | ||
10257 | body __YOU_WON_01 /\byou(?:r|'re|'ve|'ll|\shave|\sdid)?\s(?:e-?mail\s)?(?:\w+\s){0,2}(?:a\s)?w[io]n+(?:er|ing)?(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i | |
10258 | ||
10259 | body __YOU_WON_02 /\bw[io]n\s(?:(?:for|by)\s)?your?\b/i | |
10260 | ||
10261 | body __YOU_WON_03 /\b(?:your?|win+ing|win+ers?|beneficiaries|participants?|individuals?|address(?:es)?|accounts?|emails?)(?:\s[-a-z\s]{4,40})?\s(?:w(?:ere|as)|ha(?:ve|s) be(?:en)?)\s(?:automatically\s)?(?:(?:randomly|raffly)\s(?:selected|cho+sen|cho+sing|picked)|(?:selected|cho+sen|cho+sing|picked)\s(?:[a-z\s]{2,40}?\srandom(?:ly)?|online|lottery|computer\s(?:ballot|wahlgang))|(?:selected|cho+sen|cho+sing|picked)(?:\sas?|\sthe){0,3}\swin+er)/i | |
10262 | ||
10263 | body __YOU_WON_04 /\bqu[ei]\s?(?:vous (?:[\xc3][\xaa]|=C3=AA|[\xea]|e)tes\s?gagnant|en\scons(?:e|=E9|[\xe9]|[\xc3][\xa9])quence\sgagne)\b/i | |
10264 | ||
10265 | body __YOU_WON_05 /\bI won(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i | |
10266 | ||
10267 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
10268 | meta __ZIP_ATTACH_MT 0 | |
10269 | endif | |
10270 | ||
10271 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
10272 | mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i | |
10273 | endif | |
10274 | ||
# __ZIP_ATTACH_NOFN: a MIME part whose Content-Type is application/zip (or an
# x-compress / x-compressed / x-zip-compress(ed) variant) and where only semicolons
# or whitespace follow the media type, i.e. the header carries no parameters such as
# a name. __ZIP_ATTACH_MT uses the same media types but ends in \b, so it matches
# whether or not parameters follow.
# The first branch defines the rule as constant 0 when the MIMEHeader plugin is not
# loaded, presumably so that metas referencing the name still resolve - confirm.
10275 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
10276 | meta __ZIP_ATTACH_NOFN 0 | |
10277 | endif | |
10278 | ||
10279 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
10280 | mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i | |
10281 | endif | |
10282 | ||
10283 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
10284 | header __freemail_mailreplyto eval:check_freemail_header('Mail-Reply-To') | |
10285 | endif | |
10286 | ||
10287 | body __hk_bigmoney /(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i | |
10288 | ||
10289 | body __hk_win_0 /\byour? e-?mail just w[oi]n/i | |
10290 | ||
10291 | body __hk_win_2 /\battn.{0,10}winner/i | |
10292 | ||
10293 | body __hk_win_3 /\bhappily aa?nnounce/i | |
10294 | ||
10295 | body __hk_win_4 /\bpleas(?:ure|ed) to inform/i | |
10296 | ||
10297 | body __hk_win_5 /\b(?:notice the|your) winning/i | |
10298 | ||
10299 | body __hk_win_7 /\bcongratulations? to your/i | |
10300 | ||
10301 | body __hk_win_8 /\bunexpected luck/i | |
10302 | ||
# __hk_win_9: lottery-scam phrasing.
# NOTE(review): the group "(?:nl )" is not optional, so the rule matches only
# "lucky nl number" and never plain "lucky number"; if "nl " was meant to be optional
# a "?" is missing - confirm upstream.
10303 | body __hk_win_9 /\blucky (?:nl )number/i | |
10304 | ||
10305 | body __hk_win_a /\bwinning (?:e-?mail|numbers|information)/i | |
10306 | ||
10307 | body __hk_win_b /\byour e-?mail (?:address )?(?:has )?w[io]n/i | |
10308 | ||
10309 | body __hk_win_c /\bune adresse e-?mail sur internet/i | |
10310 | ||
10311 | body __hk_win_d /\bcategory (?:\S{0,5} )?winner of our/i | |
10312 | ||
10313 | body __hk_win_i /\bfunds? transfer/i | |
10314 | ||
10315 | body __hk_win_j /\b(?:winning|ready for|sum) pay ?out/i | |
10316 | ||
10317 | body __hk_win_l /\b(?:make|file) (?:for )?your claim/i | |
10318 | ||
10319 | body __hk_win_m /\br.clamation de votre prix/i | |
10320 | ||
10321 | body __hk_win_n /\bcollect your prize/i | |
10322 | ||
10323 | body __hk_win_o /\bclarification and procedure/i | |
10324 | ||
10325 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
10326 | header __smf_freemail_hdr_replyto eval:check_freemail_header('Reply-To:addr') | |
10327 | endif |