]> git.proxmox.com Git - proxmox-spamassassin.git/blame - sa-updates/72_active.cf
projects / proxmox-spamassassin.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
update SpamAssassin signatures
[proxmox-spamassassin.git] / sa-updates / 72_active.cf
CommitLineData
b780ea8d
SI		 1# SpamAssassin rules file
2#
3# Please don't modify this file as your changes will be overwritten with
4# the next update. Use /etc/mail/spamassassin/local.cf instead.
5# See 'perldoc Mail::SpamAssassin::Conf' for details.
6#
7# <@LICENSE>
8# Licensed to the Apache Software Foundation (ASF) under one or more
9# contributor license agreements. See the NOTICE file distributed with
10# this work for additional information regarding copyright ownership.
11# The ASF licenses this file to you under the Apache License, Version 2.0
12# (the "License"); you may not use this file except in compliance with
13# the License. You may obtain a copy of the License at:
14#
15# http://www.apache.org/licenses/LICENSE-2.0
16#
17# Unless required by applicable law or agreed to in writing, software
18# distributed under the License is distributed on an "AS IS" BASIS,
19# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20# See the License for the specific language governing permissions and
21# limitations under the License.
22# </@LICENSE>
23#
24###########################################################################
25
26require_version 3.004005
27
28##{ ACCT_PHISHING_MANY
29
30meta ACCT_PHISHING_MANY (__ACCT_PHISH_MANY || __EMAIL_PHISH_MANY) && !GOOGLE_DOCS_PHISH_MANY && !GOOG_STO_HTML_PHISH_MANY
31describe ACCT_PHISHING_MANY Phishing for account information
32#score ACCT_PHISHING_MANY 3.000 # limit
33##} ACCT_PHISHING_MANY
34
35##{ AC_BR_BONANZA
36
37rawbody AC_BR_BONANZA /(?:<br>\s*){30}/i
38describe AC_BR_BONANZA Too many newlines in a row... spammy template
39#score AC_BR_BONANZA 0.001
40tflags AC_BR_BONANZA publish
41##} AC_BR_BONANZA
42
43##{ AC_DIV_BONANZA
44
45rawbody AC_DIV_BONANZA /(?:<div>(?:\s*<\/div>)?\s*){10}/i
46describe AC_DIV_BONANZA Too many divs in a row... spammy template
47#score AC_DIV_BONANZA 0.001
48tflags AC_DIV_BONANZA publish
49##} AC_DIV_BONANZA
50
51##{ AC_FROM_MANY_DOTS
52
53meta AC_FROM_MANY_DOTS __AC_FROM_MANY_DOTS_MINFP
54#score AC_FROM_MANY_DOTS 3.000 # limit
55describe AC_FROM_MANY_DOTS Multiple periods in From user name
56tflags AC_FROM_MANY_DOTS publish
57##} AC_FROM_MANY_DOTS
58
59##{ AC_HTML_NONSENSE_TAGS
60
61rawbody AC_HTML_NONSENSE_TAGS /(?:<[A-Za-z0-9]{4,}>\s*){10}/
62describe AC_HTML_NONSENSE_TAGS Many consecutive multi-letter HTML tags, likely nonsense/spam
63#score AC_HTML_NONSENSE_TAGS 2.0
64tflags AC_HTML_NONSENSE_TAGS publish
65##} AC_HTML_NONSENSE_TAGS
66
67##{ AC_POST_EXTRAS
68
69meta AC_POST_EXTRAS __AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_ID
70describe AC_POST_EXTRAS Suspicious URL
71#score AC_POST_EXTRAS 2.500 # limit
72tflags AC_POST_EXTRAS publish
73##} AC_POST_EXTRAS
74
75##{ AC_SPAMMY_URI_PATTERNS1
76
77meta AC_SPAMMY_URI_PATTERNS1 (__AC_OUTL_URI && __AC_OUTI_URI)
78describe AC_SPAMMY_URI_PATTERNS1 link combos match highly spammy template
79#score AC_SPAMMY_URI_PATTERNS1 4.0
80tflags AC_SPAMMY_URI_PATTERNS1 publish
81##} AC_SPAMMY_URI_PATTERNS1
82
83##{ AC_SPAMMY_URI_PATTERNS10
84
85meta AC_SPAMMY_URI_PATTERNS10 __AC_PUNCTNUMS_URI
86describe AC_SPAMMY_URI_PATTERNS10 link combos match highly spammy template
87#score AC_SPAMMY_URI_PATTERNS10 4.0
88tflags AC_SPAMMY_URI_PATTERNS10 publish
89##} AC_SPAMMY_URI_PATTERNS10
90
91##{ AC_SPAMMY_URI_PATTERNS11
92
93meta AC_SPAMMY_URI_PATTERNS11 __AC_NDOMLONGNASPX_URI
94describe AC_SPAMMY_URI_PATTERNS11 link combos match highly spammy template
95#score AC_SPAMMY_URI_PATTERNS11 4.0
96tflags AC_SPAMMY_URI_PATTERNS11 publish
97##} AC_SPAMMY_URI_PATTERNS11
98
99##{ AC_SPAMMY_URI_PATTERNS12
100
101meta AC_SPAMMY_URI_PATTERNS12 (__AC_CHDSEQ_URI && __AC_MHDSEQ_URI && __AC_UHDSEQ_URI)
102describe AC_SPAMMY_URI_PATTERNS12 link combos match highly spammy template
103#score AC_SPAMMY_URI_PATTERNS12 4.0
104tflags AC_SPAMMY_URI_PATTERNS12 publish
105##} AC_SPAMMY_URI_PATTERNS12
106
107##{ AC_SPAMMY_URI_PATTERNS2
108
109meta AC_SPAMMY_URI_PATTERNS2 (__AC_LAND_URI && __AC_UNSUB_URI && __AC_REPORT_URI)
110describe AC_SPAMMY_URI_PATTERNS2 link combos match highly spammy template
111#score AC_SPAMMY_URI_PATTERNS2 4.0
112tflags AC_SPAMMY_URI_PATTERNS2 publish
113##} AC_SPAMMY_URI_PATTERNS2
114
115##{ AC_SPAMMY_URI_PATTERNS3
116
117meta AC_SPAMMY_URI_PATTERNS3 (__AC_PHPOFFTOP_URI && __AC_PHPOFFSUB_URI)
118describe AC_SPAMMY_URI_PATTERNS3 link combos match highly spammy template
119#score AC_SPAMMY_URI_PATTERNS3 4.0
120tflags AC_SPAMMY_URI_PATTERNS3 publish
121##} AC_SPAMMY_URI_PATTERNS3
122
123##{ AC_SPAMMY_URI_PATTERNS4
124
125meta AC_SPAMMY_URI_PATTERNS4 __AC_NUMS_URI
126describe AC_SPAMMY_URI_PATTERNS4 link combos match highly spammy template
127#score AC_SPAMMY_URI_PATTERNS4 4.0
128tflags AC_SPAMMY_URI_PATTERNS4 publish
129##} AC_SPAMMY_URI_PATTERNS4
130
131##{ AC_SPAMMY_URI_PATTERNS8
132
133meta AC_SPAMMY_URI_PATTERNS8 __AC_LONGSEQ_URI
134describe AC_SPAMMY_URI_PATTERNS8 link combos match highly spammy template
135#score AC_SPAMMY_URI_PATTERNS8 4.0
136tflags AC_SPAMMY_URI_PATTERNS8 publish
137##} AC_SPAMMY_URI_PATTERNS8
138
139##{ AC_SPAMMY_URI_PATTERNS9
140
141meta AC_SPAMMY_URI_PATTERNS9 (__AC_1SEQC_URI && (__AC_1SEQV_URI || __AC_RMOVE_URI))
142describe AC_SPAMMY_URI_PATTERNS9 link combos match highly spammy template
143#score AC_SPAMMY_URI_PATTERNS9 4.0
144tflags AC_SPAMMY_URI_PATTERNS9 publish
145##} AC_SPAMMY_URI_PATTERNS9
146
147##{ ADMAIL
148
149meta ADMAIL __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS
150describe ADMAIL "admail" and variants
151tflags ADMAIL publish
152##} ADMAIL
153
154##{ ADMITS_SPAM
155
156meta ADMITS_SPAM __ADMITS_SPAM && !__FROM_LOWER && !__MSGID_JAVAMAIL && !__HAS_CAMPAIGNID && !__STY_INVIS_2 && !__LYRIS_EZLM_REMAILER && !__RCD_RDNS_OB
157describe ADMITS_SPAM Admits this is an ad
158tflags ADMITS_SPAM publish
159##} ADMITS_SPAM
160
161##{ ADVANCE_FEE_2_NEW_FORM
162
163meta ADVANCE_FEE_2_NEW_FORM (__ADVANCE_FEE_2_NEW_FORM && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__FROM_LOWER && !__HAS_X_LOOP
164describe ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form
165#score ADVANCE_FEE_2_NEW_FORM 2.000 # limit
166tflags ADVANCE_FEE_2_NEW_FORM publish
167##} ADVANCE_FEE_2_NEW_FORM
168
169##{ ADVANCE_FEE_2_NEW_FRM_MNY
170
171meta ADVANCE_FEE_2_NEW_FRM_MNY (__ADVANCE_FEE_2_NEW_FRM_MNY && !__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP
172describe ADVANCE_FEE_2_NEW_FRM_MNY Advance Fee fraud form and lots of money
173#score ADVANCE_FEE_2_NEW_FRM_MNY 2.500
174tflags ADVANCE_FEE_2_NEW_FRM_MNY publish
175##} ADVANCE_FEE_2_NEW_FRM_MNY
176
177##{ ADVANCE_FEE_2_NEW_MONEY
178
179meta ADVANCE_FEE_2_NEW_MONEY (__ADVANCE_FEE_2_NEW_MONEY && !__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
180describe ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
181#score ADVANCE_FEE_2_NEW_MONEY 2.000 # limit
182tflags ADVANCE_FEE_2_NEW_MONEY publish
183##} ADVANCE_FEE_2_NEW_MONEY
184
185##{ ADVANCE_FEE_3_NEW
186
187meta ADVANCE_FEE_3_NEW (__ADVANCE_FEE_3_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_4_NEW && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__HAS_SENDER && !__HAS_X_LOOP && !__TO_YOUR_ORG && !__BUGGED_IMG
188describe ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419)
189#score ADVANCE_FEE_3_NEW 3.5 # limit
190tflags ADVANCE_FEE_3_NEW publish
191##} ADVANCE_FEE_3_NEW
192
193##{ ADVANCE_FEE_3_NEW_FORM
194
195meta ADVANCE_FEE_3_NEW_FORM (__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__THREADED && !__HAS_SENDER && !__FROM_LOWER && !__HAS_X_LOOP
196describe ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form
197tflags ADVANCE_FEE_3_NEW_FORM publish
198##} ADVANCE_FEE_3_NEW_FORM
199
200##{ ADVANCE_FEE_3_NEW_FRM_MNY
201
202meta ADVANCE_FEE_3_NEW_FRM_MNY (__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP
203describe ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money
204tflags ADVANCE_FEE_3_NEW_FRM_MNY publish
205##} ADVANCE_FEE_3_NEW_FRM_MNY
206
207##{ ADVANCE_FEE_3_NEW_MONEY
208
209meta ADVANCE_FEE_3_NEW_MONEY (__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
210describe ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
211tflags ADVANCE_FEE_3_NEW_MONEY publish
212##} ADVANCE_FEE_3_NEW_MONEY
213
214##{ ADVANCE_FEE_4_NEW
215
216meta ADVANCE_FEE_4_NEW (__ADVANCE_FEE_4_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__HAS_ERRORS_TO && !__HAS_X_LOOP && !__BUGGED_IMG
217describe ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419)
218tflags ADVANCE_FEE_4_NEW publish
219##} ADVANCE_FEE_4_NEW
220
221##{ ADVANCE_FEE_4_NEW_FORM
222
223meta ADVANCE_FEE_4_NEW_FORM (__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM)
224describe ADVANCE_FEE_4_NEW_FORM Advance Fee fraud and a form
225tflags ADVANCE_FEE_4_NEW_FORM publish
226##} ADVANCE_FEE_4_NEW_FORM
227
228##{ ADVANCE_FEE_4_NEW_FRM_MNY
229
230meta ADVANCE_FEE_4_NEW_FRM_MNY (__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY)
231describe ADVANCE_FEE_4_NEW_FRM_MNY Advance Fee fraud form and lots of money
232tflags ADVANCE_FEE_4_NEW_FRM_MNY publish
233##} ADVANCE_FEE_4_NEW_FRM_MNY
234
235##{ ADVANCE_FEE_4_NEW_MONEY
236
237meta ADVANCE_FEE_4_NEW_MONEY (__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
238describe ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money
239tflags ADVANCE_FEE_4_NEW_MONEY publish
240##} ADVANCE_FEE_4_NEW_MONEY
241
242##{ ADVANCE_FEE_5_NEW
243
244meta ADVANCE_FEE_5_NEW (__ADVANCE_FEE_5_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY) && !__BUGGED_IMG
245describe ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419)
246tflags ADVANCE_FEE_5_NEW publish
247##} ADVANCE_FEE_5_NEW
248
249##{ ADVANCE_FEE_5_NEW_FORM
250
251meta ADVANCE_FEE_5_NEW_FORM __ADVANCE_FEE_5_NEW_FORM
252describe ADVANCE_FEE_5_NEW_FORM Advance Fee fraud and a form
253tflags ADVANCE_FEE_5_NEW_FORM publish
254##} ADVANCE_FEE_5_NEW_FORM
255
256##{ ADVANCE_FEE_5_NEW_FRM_MNY
257
258meta ADVANCE_FEE_5_NEW_FRM_MNY __ADVANCE_FEE_5_NEW_FRM_MNY
259describe ADVANCE_FEE_5_NEW_FRM_MNY Advance Fee fraud form and lots of money
260tflags ADVANCE_FEE_5_NEW_FRM_MNY publish
261##} ADVANCE_FEE_5_NEW_FRM_MNY
262
263##{ ADVANCE_FEE_5_NEW_MONEY
264
265meta ADVANCE_FEE_5_NEW_MONEY __ADVANCE_FEE_5_NEW_MONEY && !__BOUNCE_CTYPE && !__BUGGED_IMG
266describe ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money
267tflags ADVANCE_FEE_5_NEW_MONEY publish
268##} ADVANCE_FEE_5_NEW_MONEY
269
270##{ AD_PREFS
271
272body AD_PREFS /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i
273describe AD_PREFS Advertising preferences
274#score AD_PREFS 0.500 # limit
275tflags AD_PREFS publish
276##} AD_PREFS
277
278##{ ALIBABA_IMG_NOT_RCVD_ALI
279
280meta ALIBABA_IMG_NOT_RCVD_ALI __ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASE
281#score ALIBABA_IMG_NOT_RCVD_ALI 2.500 # limit
282describe ALIBABA_IMG_NOT_RCVD_ALI Alibaba hosted image but message not from Alibaba
283tflags ALIBABA_IMG_NOT_RCVD_ALI publish
284##} ALIBABA_IMG_NOT_RCVD_ALI
285
286##{ AMAZON_IMG_NOT_RCVD_AMZN
287
288meta AMAZON_IMG_NOT_RCVD_AMZN __AMAZON_IMG_NOT_RCVD_AMZN && !__HDR_RCVD_KEEPA && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST
289#score AMAZON_IMG_NOT_RCVD_AMZN 2.500 # limit
290describe AMAZON_IMG_NOT_RCVD_AMZN Amazon hosted image but message not from Amazon
291tflags AMAZON_IMG_NOT_RCVD_AMZN publish
292##} AMAZON_IMG_NOT_RCVD_AMZN
293
294##{ APOSTROPHE_FROM
295
296header APOSTROPHE_FROM From:addr =~ /'/
297describe APOSTROPHE_FROM From address contains an apostrophe
298##} APOSTROPHE_FROM
299
300##{ APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
301
302if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
303 meta APP_DEVELOPMENT_FREEM __APP_DEVELOPMENT_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
304 describe APP_DEVELOPMENT_FREEM App development pitch, freemail or CHN replyto
305# score APP_DEVELOPMENT_FREEM 3.500 # limit
306 tflags APP_DEVELOPMENT_FREEM publish
307endif
308##} APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
309
310##{ APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
311
312if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
313 meta APP_DEVELOPMENT_NORDNS __APP_DEVELOPMENT && __RDNS_NONE
314 describe APP_DEVELOPMENT_NORDNS App development pitch, no rDNS
315# score APP_DEVELOPMENT_NORDNS 2.000 # limit
316 tflags APP_DEVELOPMENT_NORDNS publish
317endif
318##} APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
319
320##{ AXB_XMAILER_MIMEOLE_OL_024C2
321
322meta AXB_XMAILER_MIMEOLE_OL_024C2 (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2)
323describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait
324##} AXB_XMAILER_MIMEOLE_OL_024C2
325
326##{ AXB_XMAILER_MIMEOLE_OL_1ECD5
327
328meta AXB_XMAILER_MIMEOLE_OL_1ECD5 (__AXB_XM_OL_1ECD5 && __AXB_MO_OL_1ECD5)
329describe AXB_XMAILER_MIMEOLE_OL_1ECD5 Yet another X header trait##} AXB_XMAILER_MIMEOLE_OL_1ECD5
330
331##{ BANKING_LAWS
332
333body BANKING_LAWS /banking laws/i
334describe BANKING_LAWS Talks about banking laws
335##} BANKING_LAWS
336
337##{ BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
338
339ifplugin Mail::SpamAssassin::Plugin::MIMEEval
340body BASE64_LENGTH_78_79 eval:check_base64_length('78','79')
341endif
342##} BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
343
344##{ BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval
345
346ifplugin Mail::SpamAssassin::Plugin::MIMEEval
347describe BASE64_LENGTH_79_INF base64 encoded email part uses line length of 78 or 79 characters
348body BASE64_LENGTH_79_INF eval:check_base64_length('79')
349describe BASE64_LENGTH_79_INF base64 encoded email part uses line length greater than 79 characters
350endif
351##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval
352
353##{ BIGNUM_EMAILS_FREEM
354
355meta BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS_FREEM
356describe BIGNUM_EMAILS_FREEM Lots of email addresses/leads, free email account
357#score BIGNUM_EMAILS_FREEM 3.00 # limit
358tflags BIGNUM_EMAILS_FREEM publish
359##} BIGNUM_EMAILS_FREEM
360
361##{ BIGNUM_EMAILS_MANY
362
363meta BIGNUM_EMAILS_MANY __BIGNUM_EMAILS_3 && !__HAS_ERRORS_TO && !__HAS_CAMPAIGNID && !__DATE_LOWER
364describe BIGNUM_EMAILS_MANY Lots of email addresses/leads, over and over
365#score BIGNUM_EMAILS_MANY 3.00 # limit
366tflags BIGNUM_EMAILS_MANY publish
367##} BIGNUM_EMAILS_MANY
368
369##{ BITCOIN_BOMB
370
371meta BITCOIN_BOMB __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01
372describe BITCOIN_BOMB BitCoin + bomb
373#score BITCOIN_BOMB 3.000 # limit
374tflags BITCOIN_BOMB publish
375##} BITCOIN_BOMB
376
377##{ BITCOIN_DEADLINE
378
379meta BITCOIN_DEADLINE __BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01
380describe BITCOIN_DEADLINE BitCoin with a deadline
381#score BITCOIN_DEADLINE 3.000 # limit
382tflags BITCOIN_DEADLINE publish
383##} BITCOIN_DEADLINE
384
385##{ BITCOIN_EXTORT_01
386
387meta BITCOIN_EXTORT_01 (__BITCOIN_ID && __EXTORT_MANY) && !( __FROM_FULL_NAME && __SENDER_BOT && __SINGLE_WORD_LINE && __MIME_HTML && __PHPMAILER_MUA )
388describe BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin
389#score BITCOIN_EXTORT_01 5.000 # limit
390tflags BITCOIN_EXTORT_01 publish
391##} BITCOIN_EXTORT_01
392
393##{ BITCOIN_EXTORT_02
394
395meta BITCOIN_EXTORT_02 __OBFU_BITCOIN_NOID && __EXTORT_MANY
396describe BITCOIN_EXTORT_02 Extortion spam, pay via BitCoin
397#score BITCOIN_EXTORT_02 5.000 # limit
398tflags BITCOIN_EXTORT_02 publish
399##} BITCOIN_EXTORT_02
400
401##{ BITCOIN_IMGUR
402
403meta BITCOIN_IMGUR __BITCOIN_IMGUR
404describe BITCOIN_IMGUR Bitcoin + hosted image
405#score BITCOIN_IMGUR 3.500 # limit
406tflags BITCOIN_IMGUR publish
407##} BITCOIN_IMGUR
408
409##{ BITCOIN_MALF_HTML
410
411meta BITCOIN_MALF_HTML HTML_EXTRA_CLOSE && (__BITCOIN || __BITCOIN_ID)
412describe BITCOIN_MALF_HTML Bitcoin + malformed HTML
413#score BITCOIN_MALF_HTML 3.500 # limit
414##} BITCOIN_MALF_HTML
415
416##{ BITCOIN_MALWARE
417
418meta BITCOIN_MALWARE __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED
419describe BITCOIN_MALWARE BitCoin + malware bragging
420#score BITCOIN_MALWARE 3.500 # limit
421tflags BITCOIN_MALWARE publish
422##} BITCOIN_MALWARE
423
424##{ BITCOIN_OBFU_SUBJ
425
426meta BITCOIN_OBFU_SUBJ __BITCOIN_OBFU_SUBJ && !__128_ALNUM_URI
427describe BITCOIN_OBFU_SUBJ Bitcoin + obfuscated subject
428#score BITCOIN_OBFU_SUBJ 3.500 # limit
429tflags BITCOIN_OBFU_SUBJ publish
430##} BITCOIN_OBFU_SUBJ
431
432##{ BITCOIN_ONAN
433
434meta BITCOIN_ONAN __BITCOIN_ID && __YOUR_ONAN && __KHOP_NO_FULL_NAME && !BITCOIN_EXTORT_01
435describe BITCOIN_ONAN BitCoin + [censored]
436#score BITCOIN_ONAN 3.000 # limit
437tflags BITCOIN_ONAN publish
438##} BITCOIN_ONAN
439
440##{ BITCOIN_PAY_ME
441
442meta BITCOIN_PAY_ME __BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01
443describe BITCOIN_PAY_ME Pay me via BitCoin
444#score BITCOIN_PAY_ME 3.000 # limit
445tflags BITCOIN_PAY_ME publish
446##} BITCOIN_PAY_ME
447
448##{ BITCOIN_SPAM_01
449
450meta BITCOIN_SPAM_01 __BITCOIN_ID && HTML_MIME_NO_HTML_TAG
451describe BITCOIN_SPAM_01 BitCoin spam pattern 01
452#score BITCOIN_SPAM_01 2.500 # limit
453tflags BITCOIN_SPAM_01 publish
454##} BITCOIN_SPAM_01
455
456##{ BITCOIN_SPAM_02
457
458meta BITCOIN_SPAM_02 __BITCOIN_SPAM_02 && !__URL_BTC_ID
459describe BITCOIN_SPAM_02 BitCoin spam pattern 02
460#score BITCOIN_SPAM_02 2.500 # limit
461tflags BITCOIN_SPAM_02 publish
462##} BITCOIN_SPAM_02
463
464##{ BITCOIN_SPAM_03
465
466meta BITCOIN_SPAM_03 __BITCOIN_ID && __SINGLE_WORD_SUBJ
467describe BITCOIN_SPAM_03 BitCoin spam pattern 03
468#score BITCOIN_SPAM_03 2.500 # limit
469tflags BITCOIN_SPAM_03 publish
470##} BITCOIN_SPAM_03
471
472##{ BITCOIN_SPAM_04
473
474meta BITCOIN_SPAM_04 __BITCOIN_ID && __freemail_hdr_replyto
475describe BITCOIN_SPAM_04 BitCoin spam pattern 04
476#score BITCOIN_SPAM_04 1.500 # limit
477tflags BITCOIN_SPAM_04 publish
478##} BITCOIN_SPAM_04
479
480##{ BITCOIN_SPAM_05
481
482meta BITCOIN_SPAM_05 __BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TO
483describe BITCOIN_SPAM_05 BitCoin spam pattern 05
484#score BITCOIN_SPAM_05 2.500 # limit
485tflags BITCOIN_SPAM_05 net publish
486##} BITCOIN_SPAM_05
487
488##{ BITCOIN_SPAM_06
489
490meta BITCOIN_SPAM_06 __BITCOIN_ID && TVD_RCVD_SPACE_BRACKET
491describe BITCOIN_SPAM_06 BitCoin spam pattern 06
492#score BITCOIN_SPAM_06 1.500 # limit
493tflags BITCOIN_SPAM_06 publish
494##} BITCOIN_SPAM_06
495
496##{ BITCOIN_SPAM_07
497
498meta BITCOIN_SPAM_07 __BITCOIN_SPAM_07 && !__DKIM_EXISTS
499describe BITCOIN_SPAM_07 BitCoin spam pattern 07
500#score BITCOIN_SPAM_07 3.500 # limit
501tflags BITCOIN_SPAM_07 publish
502##} BITCOIN_SPAM_07
503
504##{ BITCOIN_SPAM_08
505
506meta BITCOIN_SPAM_08 __BITCOIN_ID && __TO_IN_SUBJ
507describe BITCOIN_SPAM_08 BitCoin spam pattern 08
508#score BITCOIN_SPAM_08 2.500 # limit
509tflags BITCOIN_SPAM_08 publish
510##} BITCOIN_SPAM_08
511
512##{ BITCOIN_SPAM_09
513
514meta BITCOIN_SPAM_09 __BITCOIN_ID && ( __DESTROY_ME || __DESTROY_YOU )
515describe BITCOIN_SPAM_09 BitCoin spam pattern 09
516#score BITCOIN_SPAM_09 1.500 # limit
517tflags BITCOIN_SPAM_09 publish
518##} BITCOIN_SPAM_09
519
520##{ BITCOIN_SPAM_10
521
522meta BITCOIN_SPAM_10 __BITCOIN_ID && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 )
523describe BITCOIN_SPAM_10 BitCoin spam pattern 10
524#score BITCOIN_SPAM_10 2.500 # limit
525tflags BITCOIN_SPAM_10 publish
526##} BITCOIN_SPAM_10
527
528##{ BITCOIN_SPAM_11
529
530meta BITCOIN_SPAM_11 __BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFU
531describe BITCOIN_SPAM_11 BitCoin spam pattern 11
532#score BITCOIN_SPAM_11 2.500 # limit
533tflags BITCOIN_SPAM_11 publish
534##} BITCOIN_SPAM_11
535
536##{ BITCOIN_SPAM_12
537
538meta BITCOIN_SPAM_12 __BITCOIN_ID && __BOGUS_MIME_HDR_MANY
539describe BITCOIN_SPAM_12 BitCoin spam pattern 12
540#score BITCOIN_SPAM_12 2.500 # limit
541tflags BITCOIN_SPAM_12 publish
542##} BITCOIN_SPAM_12
543
544##{ BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
545
546if (version >= 3.004001)
547ifplugin Mail::SpamAssassin::Plugin::AskDNS
548meta BITCOIN_SPF_ONLYALL __PDS_SPF_ONLYALL && __BITCOIN_ID
549tflags BITCOIN_SPF_ONLYALL net publish
550describe BITCOIN_SPF_ONLYALL Bitcoin from a domain specifically set to pass +all SPF
551#score BITCOIN_SPF_ONLYALL 2.0 # limit
552endif
553endif
554##} BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
555
556##{ BITCOIN_WFH_01
557
558meta BITCOIN_WFH_01 __BITCOIN_WFH_01
559describe BITCOIN_WFH_01 Work-from-Home + bitcoin
560tflags BITCOIN_WFH_01 publish
561##} BITCOIN_WFH_01
562
563##{ BITCOIN_XPRIO
564
565meta BITCOIN_XPRIO __BITCOIN_XPRIO && !__ML1 && !__HAS_SENDER && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY
566describe BITCOIN_XPRIO Bitcoin + priority
567#score BITCOIN_XPRIO 2.500 # limit
568##} BITCOIN_XPRIO
569
570##{ BITCOIN_YOUR_INFO
571
572meta BITCOIN_YOUR_INFO __BITCOIN_ID && __YOUR_PERSONAL && !BITCOIN_EXTORT_01
573describe BITCOIN_YOUR_INFO BitCoin with your personal info
574#score BITCOIN_YOUR_INFO 3.000 # limit
575tflags BITCOIN_YOUR_INFO publish
576##} BITCOIN_YOUR_INFO
577
578##{ BODY_EMPTY
579
580meta BODY_EMPTY __EMPTY_BODY && !ALL_TRUSTED && !__MIME_ATTACHMENT && !__HAS_THREAD_INDEX && !__TO_EQ_FROM_DOM && !NO_RELAYS && !__PDF_ATTACH && !__HDR_RCVD_GOOGLE && !__MSGID_APPLEMAIL && !__XM_IPHONEMAIL
581describe BODY_EMPTY No body text in message
582#score BODY_EMPTY 2.00 # limit
583##} BODY_EMPTY
584
585##{ BODY_SINGLE_URI
586
587meta BODY_SINGLE_URI __BODY_SINGLE_URI && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP && !__VIA_ML
588describe BODY_SINGLE_URI Message body is only a URI
589#score BODY_SINGLE_URI 2.500 # limit
590##} BODY_SINGLE_URI
591
592##{ BODY_SINGLE_WORD
593
594meta BODY_SINGLE_WORD __BODY_SINGLE_WORD && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP
595describe BODY_SINGLE_WORD Message body is only one word (no spaces)
596#score BODY_SINGLE_WORD 2.500 # limit
597##} BODY_SINGLE_WORD
598
599##{ BODY_URI_ONLY
600
601meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV
602describe BODY_URI_ONLY Message body is only a URI in one line of text or for an image
603#score BODY_URI_ONLY 3.000 # limit
604tflags BODY_URI_ONLY publish
605##} BODY_URI_ONLY
606
607##{ BOGUS_MIME_VERSION
608
609meta BOGUS_MIME_VERSION __BOGUS_MIME_VER_02 || __MALF_MIME_VER
610#score BOGUS_MIME_VERSION 3.500 # limit
611describe BOGUS_MIME_VERSION Mime version header is bogus
612tflags BOGUS_MIME_VERSION publish
613##} BOGUS_MIME_VERSION
614
615##{ BOGUS_MSM_HDRS
616
617meta BOGUS_MSM_HDRS __BOGUS_MSM_HDRS
618describe BOGUS_MSM_HDRS Apparently bogus Microsoft email headers
619#score BOGUS_MSM_HDRS 3.000 # limit
620tflags BOGUS_MSM_HDRS publish
621##} BOGUS_MSM_HDRS
622
623##{ BOMB_FREEM
624
625meta BOMB_FREEM __EXPLOSIVE_DEVICE && __freemail_hdr_replyto
626describe BOMB_FREEM Bomb + freemail
627#score BOMB_FREEM 2.000 # limit
628tflags BOMB_FREEM publish
629##} BOMB_FREEM
630
631##{ BOMB_MONEY
632
633meta BOMB_MONEY __EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW || __ADVANCE_FEE_4_NEW || __ADVANCE_FEE_5_NEW )
634describe BOMB_MONEY Bomb + money: bomb threat?
635#score BOMB_MONEY 2.500 # limit
636tflags BOMB_MONEY publish
637##} BOMB_MONEY
638
639##{ BTC_ORG
640
641describe BTC_ORG Bitcoin wallet ID + unusual header
642#score BTC_ORG 2.500 # limit
643##} BTC_ORG
644
645##{ BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM)
646
647if !plugin(Mail::SpamAssassin::Plugin::DKIM)
648 meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST
649endif
650##} BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM)
651
652##{ BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM
653
654ifplugin Mail::SpamAssassin::Plugin::DKIM
655 meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED
656endif
657##} BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM
658
659##{ BUG6152_INVALID_DATE_TZ_ABSURD
660
661header BUG6152_INVALID_DATE_TZ_ABSURD Date =~ /[-+](?!(?:0\d|1[0-4])(?:[03]0|[14]5))\d{4}/
662##} BUG6152_INVALID_DATE_TZ_ABSURD
663
664##{ BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
665
666if (version >= 3.004002)
667ifplugin Mail::SpamAssassin::Plugin::WLBLEval
668meta BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD
669tflags BULK_RE_SUSP_NTLD publish
670describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD
671#score BULK_RE_SUSP_NTLD 1.0 # limit
672endif
673endif
674##} BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
675
676##{ CANT_SEE_AD
677
678meta CANT_SEE_AD (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB
679describe CANT_SEE_AD You really want to see our spam.
680#score CANT_SEE_AD 2.500 # limit
681tflags CANT_SEE_AD publish
682##} CANT_SEE_AD
683
684##{ CK_HELO_GENERIC
685
686header CK_HELO_GENERIC X-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?=\S*(?:pool|dyna|lease|dial|dip|static))\S*\d+[^\d\s]+\d+[^\]]+ auth= /i
687describe CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or Generic rPTR
688#score CK_HELO_GENERIC 0.25
689##} CK_HELO_GENERIC
690
691##{ CN_B2B_SPAMMER
692
693body CN_B2B_SPAMMER /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i
694describe CN_B2B_SPAMMER Chinese company introducing itself
695tflags CN_B2B_SPAMMER publish
696##} CN_B2B_SPAMMER
697
698##{ COMMENT_GIBBERISH
699
700meta COMMENT_GIBBERISH __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT
701describe COMMENT_GIBBERISH Nonsense in long HTML comment
702#score COMMENT_GIBBERISH 1.50 # limit
703tflags COMMENT_GIBBERISH publish
704##} COMMENT_GIBBERISH
705
706##{ COMPENSATION
707
708describe COMPENSATION "Compensation"
709#score COMPENSATION 1.50 # limit
710##} COMPENSATION
711
712##{ COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM)
713
714if !plugin(Mail::SpamAssassin::Plugin::DKIM)
715 meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD
716endif
717##} COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM)
718
719##{ COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM
720
721ifplugin Mail::SpamAssassin::Plugin::DKIM
722 meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__DKIM_DEPENDABLE
723endif
724##} COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM
725
726##{ CONTENT_AFTER_HTML
727
728meta CONTENT_AFTER_HTML __CONTENT_AFTER_HTML && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !__RCD_RDNS_MTA_MESSY && !__URI_DOTGOV
729describe CONTENT_AFTER_HTML More content after HTML close tag
730#score CONTENT_AFTER_HTML 2.500 # limit
731tflags CONTENT_AFTER_HTML publish
732##} CONTENT_AFTER_HTML
733
734##{ CORRUPT_FROM_LINE_IN_HDRS
735
736meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS)
737describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers
738tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish
739#score CORRUPT_FROM_LINE_IN_HDRS 0.001
740##} CORRUPT_FROM_LINE_IN_HDRS
741
742##{ CTE_8BIT_MISMATCH
743
744meta CTE_8BIT_MISMATCH (__CT_TEXT_PLAIN && (!__CTE || __L_CTE_7BIT) && __L_BODY_8BITS)
745describe CTE_8BIT_MISMATCH Header says 7bits but body disagrees
746#score CTE_8BIT_MISMATCH 1
747tflags CTE_8BIT_MISMATCH publish
748##} CTE_8BIT_MISMATCH
749
750##{ CTYPE_001C_A
751
752meta CTYPE_001C_A (0) # obsolete
753##} CTYPE_001C_A
754
755##{ CTYPE_001C_B
756
757header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
758##} CTYPE_001C_B
759
760##{ CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
761
762ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
763mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s
764describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc)
765endif
766##} CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
767
768##{ CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
769
770ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
771 meta CTYPE_NULL __CTYPE_NULL
772 describe CTYPE_NULL Malformed Content-Type header
773endif
774##} CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
775
776##{ CURR_PRICE
777
778body CURR_PRICE /\bCurrent Price:/
779##} CURR_PRICE
780
781##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
782
783if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
784 meta DAY_I_EARNED __DAY_I_EARNED >= 3
785# score DAY_I_EARNED 3.000 # limit
786 describe DAY_I_EARNED Work-at-home spam
787 tflags DAY_I_EARNED publish
788endif
789##} DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
790
791##{ DEAR_BENEFICIARY
792
793body DEAR_BENEFICIARY /\b(?:De[ae]r\s|At+(?:ention|n):?\s?)(?:\S+\s)?Ben[ei]ficiary\b/i
794describe DEAR_BENEFICIARY Dear Beneficiary:
795##} DEAR_BENEFICIARY
796
797##{ DEAR_WINNER
798
799body DEAR_WINNER /\bdear.{1,20}winner/i
800describe DEAR_WINNER Spam with generic salutation of "dear winner"
801##} DEAR_WINNER
802
803##{ DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS
804
805ifplugin Mail::SpamAssassin::Plugin::AskDNS
806meta DKIMWL_BL __DKIMWL_WL_BL
807tflags DKIMWL_BL net publish
808describe DKIMWL_BL DKIMwl.org - Blocked sender
809#score DKIMWL_BL 3.0 # limit
810endif
811##} DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS
812
813##{ DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS
814
815ifplugin Mail::SpamAssassin::Plugin::AskDNS
816meta DKIMWL_BLOCKED __DKIMWL_BLOCKED
817tflags DKIMWL_BLOCKED net publish
818describe DKIMWL_BLOCKED ADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
819#score DKIMWL_BLOCKED 0.001 # limit
820endif
821##} DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS
822
823##{ DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS
824
825ifplugin Mail::SpamAssassin::Plugin::AskDNS
826meta DKIMWL_WL_HIGH __DKIMWL_WL_HI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL || __DKIMWL_BULKMAIL)
827tflags DKIMWL_WL_HIGH net nice publish
828describe DKIMWL_WL_HIGH DKIMwl.org - High trust sender
829#score DKIMWL_WL_HIGH -3.0 # limit
830endif
831##} DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS
832
833##{ DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS
834
835ifplugin Mail::SpamAssassin::Plugin::AskDNS
836meta DKIMWL_WL_MED __DKIMWL_WL_MED && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL)
837tflags DKIMWL_WL_MED net nice publish
838describe DKIMWL_WL_MED DKIMwl.org - Medium trust sender
839#score DKIMWL_WL_MED -0.5 # limit
840endif
841##} DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS
842
843##{ DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS
844
845ifplugin Mail::SpamAssassin::Plugin::AskDNS
846meta DKIMWL_WL_MEDHI __DKIMWL_WL_MEDHI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL)
847tflags DKIMWL_WL_MEDHI net nice publish
848describe DKIMWL_WL_MEDHI DKIMwl.org - Medium-high trust sender
849#score DKIMWL_WL_MEDHI -1.0 # limit
850endif
851##} DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS
852
853##{ DOS_ANAL_SPAM_MAILER
854
855header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/
856describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam
857tflags DOS_ANAL_SPAM_MAILER publish
858##} DOS_ANAL_SPAM_MAILER
859
860##{ DOS_DEREK_AUG08
861
862meta DOS_DEREK_AUG08 __DOS_SINGLE_EXT_RELAY && __DOS_HAS_ANY_URI && __NAKED_TO && __LAST_UNTRUSTED_RELAY_NO_AUTH && SPF_PASS && __TVD_MIME_ATT_TP && __CT_TEXT_PLAIN && (__DOS_MSGID_DIGITS9 || __DOS_MSGID_DIGITS10)
863##} DOS_DEREK_AUG08
864
865##{ DOS_FIX_MY_URI
866
867meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK
868describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam
869##} DOS_FIX_MY_URI
870
871##{ DOS_HIGH_BAT_TO_MX
872
873meta DOS_HIGH_BAT_TO_MX __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA
874describe DOS_HIGH_BAT_TO_MX The Bat! Direct to MX with High Bits
875##} DOS_HIGH_BAT_TO_MX
876
877##{ DOS_LET_GO_JOB
878
879meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME
880describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough!
881##} DOS_LET_GO_JOB
882
883##{ DOS_OE_TO_MX
884
885meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE
886describe DOS_OE_TO_MX Delivered direct to MX with OE headers
887##} DOS_OE_TO_MX
888
889##{ DOS_OE_TO_MX_IMAGE
890
891meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
892describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image
893##} DOS_OE_TO_MX_IMAGE
894
895##{ DOS_OUTLOOK_TO_MX
896
897meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE
898describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers
899##} DOS_OUTLOOK_TO_MX
900
901##{ DOS_RCVD_IP_TWICE_C
902
903header DOS_RCVD_IP_TWICE_C X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=(?:![\d.]{7,15}!)? [^\[]*\[ ip=\1 [^\]]*\]\s*$/
904describe DOS_RCVD_IP_TWICE_C Received from the same IP twice in a row (only one external relay; empty or IP helo)
905##} DOS_RCVD_IP_TWICE_C
906
907##{ DOS_STOCK_BAT
908
909meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS)
910describe DOS_STOCK_BAT Probable pump and dump stock spam
911##} DOS_STOCK_BAT
912
913##{ DOS_STOCK_BAT2
914
915meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)
916##} DOS_STOCK_BAT2
917
918##{ DOS_URI_ASTERISK
919
920uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)}
921describe DOS_URI_ASTERISK Found an asterisk in a URI
922##} DOS_URI_ASTERISK
923
924##{ DOS_YOUR_PLACE
925
926meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL))
927describe DOS_YOUR_PLACE Russian dating spam
928##} DOS_YOUR_PLACE
929
930##{ DOTGOV_IMAGE
931
932meta DOTGOV_IMAGE __DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYS
933describe DOTGOV_IMAGE .gov URI + hosted image
934#score DOTGOV_IMAGE 3.000 # limit
935tflags DOTGOV_IMAGE publish
936##} DOTGOV_IMAGE
937
938##{ DRUGS_HDIA
939
940header DRUGS_HDIA Subject =~ /\bhoodia\b/i
941describe DRUGS_HDIA Subject mentions "hoodia"
942##} DRUGS_HDIA
943
944##{ DSN_NO_MIMEVERSION
945
946meta DSN_NO_MIMEVERSION (__BOUNCE_RPATH_NULL && !__MIME_VERSION)
947describe DSN_NO_MIMEVERSION Return-Path <> and no MIME-Version: header
948#score DSN_NO_MIMEVERSION 2
949##} DSN_NO_MIMEVERSION
950
951##{ DX_TEXT_02
952
953body DX_TEXT_02 /\b(?:change|modif(?:y|ications?)) (?:of|to|(?:yo)?ur) (?:message|sub|comm) stat/i
954describe DX_TEXT_02 "change your message stat"
955tflags DX_TEXT_02 publish
956##} DX_TEXT_02
957
958##{ DX_TEXT_03
959
960body DX_TEXT_03 /\b[A-Z]{3} Media (?:Group|Relations)\b/
961describe DX_TEXT_03 "XXX Media Group"
962tflags DX_TEXT_03 publish
963##} DX_TEXT_03
964
965##{ DYNAMIC_IMGUR
966
967meta DYNAMIC_IMGUR __DYNAMIC_IMGUR
968describe DYNAMIC_IMGUR dynamic IP + hosted image
969#score DYNAMIC_IMGUR 4.000 # limit
970tflags DYNAMIC_IMGUR publish
971##} DYNAMIC_IMGUR
972
973##{ DYN_RDNS_AND_INLINE_IMAGE
974
975meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
976describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS
977##} DYN_RDNS_AND_INLINE_IMAGE
978
979##{ DYN_RDNS_SHORT_HELO_HTML
980
981meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE)
982describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
983##} DYN_RDNS_SHORT_HELO_HTML
984
985##{ DYN_RDNS_SHORT_HELO_IMAGE
986
987meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
988describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image
989##} DYN_RDNS_SHORT_HELO_IMAGE
990
991##{ EBAY_IMG_NOT_RCVD_EBAY
992
993meta EBAY_IMG_NOT_RCVD_EBAY __EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTS
994#score EBAY_IMG_NOT_RCVD_EBAY 3.000 # limit
995describe EBAY_IMG_NOT_RCVD_EBAY E-bay hosted image but message not from E-bay
996tflags EBAY_IMG_NOT_RCVD_EBAY publish
997##} EBAY_IMG_NOT_RCVD_EBAY
998
999##{ EMRCP
1000
1001body EMRCP /\bExcess (?:Maximum )?Return Capital (?:Profits?|Funds?)\b/i
1002describe EMRCP "Excess Maximum Return Capital Profit" scam
1003tflags EMRCP publish
1004##} EMRCP
1005
1006##{ ENCRYPTED_MESSAGE
1007
1008meta ENCRYPTED_MESSAGE __CT_ENCRYPTED
1009describe ENCRYPTED_MESSAGE Message is encrypted, not likely to be spam
1010#score ENCRYPTED_MESSAGE -1.000
1011tflags ENCRYPTED_MESSAGE nice publish
1012##} ENCRYPTED_MESSAGE
1013
1014##{ END_FUTURE_EMAILS
1015
1016describe END_FUTURE_EMAILS Spammy unsubscribe
1017#score END_FUTURE_EMAILS 2.500 # limit
1018##} END_FUTURE_EMAILS
1019
1020##{ END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
1021
1022if !plugin(Mail::SpamAssassin::Plugin::DKIM)
1023 meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER
1024endif
1025##} END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
1026
1027##{ END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM
1028
1029ifplugin Mail::SpamAssassin::Plugin::DKIM
1030 meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED
1031endif
1032##} END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM
1033
1034##{ ENVFROM_GOOG_TRIX
1035
1036meta ENVFROM_GOOG_TRIX __ENVFROM_GOOG_TRIX_SPAMMY
1037describe ENVFROM_GOOG_TRIX From suspicious Google subdomain
1038#score ENVFROM_GOOG_TRIX 3.000 # limit
1039tflags ENVFROM_GOOG_TRIX publish
1040##} ENVFROM_GOOG_TRIX
1041
1042##{ EXCUSE_24
1043
1044body EXCUSE_24 /you(?:'ve|'re| have| are)? receiv(?:e|ed|ing) this (?:advertisement|offer|special|recurring|paid).{0,16}\b(?:by either|because)/i
1045describe EXCUSE_24 Claims you wanted this ad
1046##} EXCUSE_24
1047
1048##{ FAKE_REPLY_A1
1049
1050meta FAKE_REPLY_A1 (__SUBJ_RE && __MISSING_REPLY && __MISSING_REF && __BOTH_INR_AND_REF)
1051##} FAKE_REPLY_A1
1052
1053##{ FAKE_REPLY_C
1054
1055meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF)
1056##} FAKE_REPLY_C
1057
1058##{ FBI_MONEY
1059
1060meta FBI_MONEY __FBI_SPOOF && LOTS_OF_MONEY
1061describe FBI_MONEY The FBI wants to give you lots of money?
1062#score FBI_MONEY 2.00 # limit
1063tflags FBI_MONEY publish
1064##} FBI_MONEY
1065
1066##{ FBI_SPOOF
1067
1068meta FBI_SPOOF __FBI_SPOOF
1069describe FBI_SPOOF Claims to be FBI, but not from FBI domain
1070#score FBI_SPOOF 2.00 # limit
1071tflags FBI_SPOOF publish
1072##} FBI_SPOOF
1073
1074##{ FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1075
1076ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1077 meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML
1078 describe FILL_THIS_FORM Fill in a form with personal information
1079 tflags FILL_THIS_FORM publish
1080endif
1081##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1082
1083##{ FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1084
1085ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1086 meta FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY
1087 describe FILL_THIS_FORM_LONG Fill in a form with personal information
1088# score FILL_THIS_FORM_LONG 2.00 # limit
1089endif
1090##} FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1091
1092##{ FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1093
1094if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1095 meta FONT_INVIS_DIRECT __FONT_INVIS_DIRECT && !__UNSUB_LINK && !__HAS_ERRORS_TO && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__URI_DOTGOV && !__NAKED_TO && !__MSGID_OK_HEX
1096 describe FONT_INVIS_DIRECT Invisible text + direct-to-MX
1097# score FONT_INVIS_DIRECT 3.500 # limit
1098 tflags FONT_INVIS_DIRECT publish
1099endif
1100##} FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1101
1102##{ FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1103
1104if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1105 meta FONT_INVIS_DOTGOV __FONT_INVIS_DOTGOV && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__HAS_LIST_ID
1106 describe FONT_INVIS_DOTGOV Invisible text + .gov URI
1107# score FONT_INVIS_DOTGOV 3.500 # limit
1108 tflags FONT_INVIS_DOTGOV publish
1109endif
1110##} FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1111
1112##{ FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1113
1114if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1115 meta FONT_INVIS_HTML_NOHTML __FONT_INVIS_HTML_NOHTML && !__RDNS_LONG
1116 describe FONT_INVIS_HTML_NOHTML Invisible text + malformed HTML
1117# score FONT_INVIS_HTML_NOHTML 3.000 # limit
1118 tflags FONT_INVIS_HTML_NOHTML publish
1119endif
1120##} FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1121
1122##{ FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1123
1124if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1125 meta FONT_INVIS_LONG_LINE __FONT_INVIS_LONG_LINE && !__HTML_SINGLET
1126 describe FONT_INVIS_LONG_LINE Invisible text + long lines
1127# score FONT_INVIS_LONG_LINE 3.000 # limit
1128 tflags FONT_INVIS_LONG_LINE publish
1129endif
1130##} FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1131
1132##{ FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1133
1134if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1135 meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX
1136 describe FONT_INVIS_MSGID Invisible text + suspicious message ID
1137# score FONT_INVIS_MSGID 2.500 # limit
1138 tflags FONT_INVIS_MSGID publish
1139endif
1140##} FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1141
1142##{ FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1143
1144if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1145 meta FONT_INVIS_NORDNS __FONT_INVIS_NORDNS && !__HTML_SINGLET && !__LYRIS_EZLM_REMAILER && !__YOUR_PERSONAL && !__HAS_X_MAILER
1146 describe FONT_INVIS_NORDNS Invisible text + no rDNS
1147# score FONT_INVIS_NORDNS 2.500 # limit
1148 tflags FONT_INVIS_NORDNS publish
1149endif
1150##} FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1151
1152##{ FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1153
1154if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1155 meta FONT_INVIS_POSTEXTRAS (__FONT_INVIS || __STY_INVIS) && __AC_POST_EXTRAS
1156 describe FONT_INVIS_POSTEXTRAS Invisible text + suspicious URI
1157# score FONT_INVIS_POSTEXTRAS 3.500 # limit
1158 tflags FONT_INVIS_POSTEXTRAS publish
1159endif
1160##} FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1161
1162##{ FORGED_SPF_HELO
1163
1164meta FORGED_SPF_HELO __HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS
1165##} FORGED_SPF_HELO
1166
1167##{ FORM_FRAUD
1168
1169meta FORM_FRAUD (__FORM_FRAUD && !__FORM_FRAUD_3 && !__FORM_FRAUD_5) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__UPPERCASE_URI && !__UNSUB_LINK
1170describe FORM_FRAUD Fill a form and a fraud phrase
1171#score FORM_FRAUD 1.000 # limit
1172tflags FORM_FRAUD publish
1173##} FORM_FRAUD
1174
1175##{ FORM_FRAUD_3
1176
1177meta FORM_FRAUD_3 (__FORM_FRAUD_3 && !__FORM_FRAUD_5 && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_3_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP && !__DOS_BODY_FRI && !__UNSUB_LINK && !__BUGGED_IMG && !__NOT_SPOOFED
1178describe FORM_FRAUD_3 Fill a form and several fraud phrases
1179tflags FORM_FRAUD_3 publish
1180##} FORM_FRAUD_3
1181
1182##{ FORM_FRAUD_5
1183
1184meta FORM_FRAUD_5 (__FORM_FRAUD_5 && !__ADVANCE_FEE_5_NEW_FORM && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__BOUNCE_CTYPE
1185describe FORM_FRAUD_5 Fill a form and many fraud phrases
1186tflags FORM_FRAUD_5 publish
1187##} FORM_FRAUD_5
1188
1189##{ FORM_LOW_CONTRAST
1190
1191meta FORM_LOW_CONTRAST __FORM_LOW_CONTRAST && !__BUGGED_IMG && !__HAS_REPLY_TO && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__MSGID_JAVAMAIL
1192describe FORM_LOW_CONTRAST Fill in a form with hidden text
1193#score FORM_LOW_CONTRAST 2.500 # Limit
1194tflags FORM_LOW_CONTRAST publish
1195##} FORM_LOW_CONTRAST
1196
1197##{ FOUND_YOU
1198
1199meta FOUND_YOU __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO
1200#score FOUND_YOU 3.25 # limit
1201describe FOUND_YOU I found you...
1202tflags FOUND_YOU publish
1203##} FOUND_YOU
1204
1205##{ FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
1206
1207ifplugin Mail::SpamAssassin::Plugin::FreeMail
1208 ifplugin Mail::SpamAssassin::Plugin::HeaderEval
1209 if (version >= 3.004000)
1210 meta FREEMAIL_FORGED_FROMDOMAIN FREEMAIL_FROM && HEADER_FROM_DIFFERENT_DOMAINS
1211 describe FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different
1212# score FREEMAIL_FORGED_FROMDOMAIN 0.25
1213 tflags FREEMAIL_FORGED_FROMDOMAIN publish
1214endif
1215endif
1216endif
1217##} FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
1218
1219##{ FREEMAIL_WFH_01
1220
1221meta FREEMAIL_WFH_01 __FREEMAIL_WFH_01
1222describe FREEMAIL_WFH_01 Work-from-Home + freemail
1223tflags FREEMAIL_WFH_01 publish
1224##} FREEMAIL_WFH_01
1225
1226##{ FREEM_FRNUM_UNICD_EMPTY
1227
1228meta FREEM_FRNUM_UNICD_EMPTY __FREEM_FRNUM_UNICD_EMPTY
1229describe FREEM_FRNUM_UNICD_EMPTY Numeric freemail From address, unicode From name and Subject, empty body
1230#score FREEM_FRNUM_UNICD_EMPTY 3.750 # limit
1231tflags FREEM_FRNUM_UNICD_EMPTY publish
1232##} FREEM_FRNUM_UNICD_EMPTY
1233
1234##{ FRNAME_IN_MSG_XPRIO_NO_SUB
1235
1236meta FRNAME_IN_MSG_XPRIO_NO_SUB (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS && !__SUBJ_NOT_SHORT && !ALL_TRUSTED
1237describe FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short or no subject
1238#score FRNAME_IN_MSG_XPRIO_NO_SUB 2.500 # limit
1239tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish
1240##} FRNAME_IN_MSG_XPRIO_NO_SUB
1241
1242##{ FROM_2_EMAILS_SHORT
1243
1244meta FROM_2_EMAILS_SHORT __KAM_BODY_LENGTH_LT_512 && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF)
1245describe FROM_2_EMAILS_SHORT Short body and From looks like 2 different emails
1246#score FROM_2_EMAILS_SHORT 3.0 # limit
1247##} FROM_2_EMAILS_SHORT
1248
1249##{ FROM_ADDR_WS
1250
1251meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL
1252describe FROM_ADDR_WS Malformed From address
1253#score FROM_ADDR_WS 3.000 # limit
1254tflags FROM_ADDR_WS publish
1255##} FROM_ADDR_WS
1256
1257##{ FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1258
1259if (version >= 3.004002)
1260ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1261meta FROM_BANK_NOAUTH __FROM_ADDRLIST_BANKS && (! NO_RELAYS && ! ALL_TRUSTED) && (! SPF_PASS && ! DKIM_VALID_AU)
1262tflags FROM_BANK_NOAUTH publish net
1263describe FROM_BANK_NOAUTH From Bank domain but no SPF or DKIM
1264#score FROM_BANK_NOAUTH 1.0 # limit
1265endif
1266endif
1267##} FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1268
1269##{ FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1270
1271if (version >= 3.004001)
1272ifplugin Mail::SpamAssassin::Plugin::AskDNS
1273meta FROM_FMBLA_NDBLOCKED __FROM_FMBLA_NDBLOCKED
1274describe FROM_FMBLA_NDBLOCKED ADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
1275tflags FROM_FMBLA_NDBLOCKED net publish
1276#score FROM_FMBLA_NDBLOCKED 0.001 # limit
1277endif
1278endif
1279##} FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1280
1281##{ FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1282
1283if (version >= 3.004001)
1284ifplugin Mail::SpamAssassin::Plugin::AskDNS
1285meta FROM_FMBLA_NEWDOM __FROM_FMBLA_NEWDOM
1286describe FROM_FMBLA_NEWDOM From domain was registered in last 7 days
1287tflags FROM_FMBLA_NEWDOM net
1288#score FROM_FMBLA_NEWDOM 1.5 # limit
1289endif
1290endif
1291##} FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1292
1293##{ FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1294
1295if (version >= 3.004001)
1296ifplugin Mail::SpamAssassin::Plugin::AskDNS
1297meta FROM_FMBLA_NEWDOM14 __FROM_FMBLA_NEWDOM14
1298describe FROM_FMBLA_NEWDOM14 From domain was registered in last 7-14 days
1299tflags FROM_FMBLA_NEWDOM14 publish net
1300#score FROM_FMBLA_NEWDOM14 1.0 # limit
1301endif
1302endif
1303##} FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1304
1305##{ FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1306
1307if (version >= 3.004001)
1308ifplugin Mail::SpamAssassin::Plugin::AskDNS
1309meta FROM_FMBLA_NEWDOM28 __FROM_FMBLA_NEWDOM28
1310describe FROM_FMBLA_NEWDOM28 From domain was registered in last 14-28 days
1311tflags FROM_FMBLA_NEWDOM28 net publish
1312#score FROM_FMBLA_NEWDOM28 0.8 # limit
1313endif
1314endif
1315##} FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1316
1317##{ FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1318
1319if (version >= 3.004002)
1320ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1321meta FROM_GOV_DKIM_AU DKIM_VALID_AU && __FROM_ADDRLIST_GOV
1322tflags FROM_GOV_DKIM_AU net nice publish
1323describe FROM_GOV_DKIM_AU From Government address and DKIM signed
1324#score FROM_GOV_DKIM_AU -1.0 # limit
1325endif
1326endif
1327##} FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1328
1329##{ FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1330
1331if (version >= 3.004002)
1332ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1333meta FROM_GOV_REPLYTO_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_GOV && !DKIM_VALID_AU
1334tflags FROM_GOV_REPLYTO_FREEMAIL net publish
1335describe FROM_GOV_REPLYTO_FREEMAIL From Government domain but ReplyTo is FREEMAIL
1336#score FROM_GOV_REPLYTO_FREEMAIL 2.0
1337endif
1338endif
1339##} FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1340
1341##{ FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1342
1343if (version >= 3.004002)
1344ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1345meta FROM_GOV_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (! NO_RELAYS && ! ALL_TRUSTED)
1346tflags FROM_GOV_SPOOF net publish
1347describe FROM_GOV_SPOOF From Government domain but matches SPOOFED
1348#score FROM_GOV_SPOOF 1.0 # limit
1349endif
1350endif
1351##} FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1352
1353##{ FROM_IN_TO_AND_SUBJ
1354
1355meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID
1356describe FROM_IN_TO_AND_SUBJ From address is in To and Subject
1357tflags FROM_IN_TO_AND_SUBJ publish
1358##} FROM_IN_TO_AND_SUBJ
1359
1360##{ FROM_MISSPACED
1361
1362meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
1363describe FROM_MISSPACED From: missing whitespace
1364#score FROM_MISSPACED 2.00
1365##} FROM_MISSPACED
1366
1367##{ FROM_MISSP_DYNIP
1368
1369meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC
1370describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS
1371##} FROM_MISSP_DYNIP
1372
1373##{ FROM_MISSP_EH_MATCH
1374
1375meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
1376describe FROM_MISSP_EH_MATCH From misspaced, matches envelope
1377#score FROM_MISSP_EH_MATCH 2.00 # max
1378##} FROM_MISSP_EH_MATCH
1379
1380##{ FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail
1381
1382ifplugin Mail::SpamAssassin::Plugin::FreeMail
1383 meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA
1384 describe FROM_MISSP_FREEMAIL From misspaced + freemail provider
1385endif
1386##} FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail
1387
1388##{ FROM_MISSP_MSFT
1389
1390meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
1391describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
1392##} FROM_MISSP_MSFT
1393
1394##{ FROM_MISSP_REPLYTO
1395
1396meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY && !__DOS_HAS_LIST_UNSUB
1397describe FROM_MISSP_REPLYTO From misspaced, has Reply-To
1398#score FROM_MISSP_REPLYTO 2.500 # limit
1399##} FROM_MISSP_REPLYTO
1400
1401##{ FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
1402
1403ifplugin Mail::SpamAssassin::Plugin::SPF
1404 meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL)
1405 tflags FROM_MISSP_SPF_FAIL net
1406# score FROM_MISSP_SPF_FAIL 2.00 # limit
1407endif
1408##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
1409
1410##{ FROM_MISSP_TO_UNDISC
1411
1412meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED)
1413describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed
1414##} FROM_MISSP_TO_UNDISC
1415
1416##{ FROM_MISSP_USER
1417
1418meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER)
1419describe FROM_MISSP_USER From misspaced, from "User"
1420##} FROM_MISSP_USER
1421
1422##{ FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
1423
1424if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
1425 meta FROM_MULTI_NORDNS __FROM_MULTI_NORDNS
1426 describe FROM_MULTI_NORDNS Multiple From addresses + no rDNS
1427endif
1428##} FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
1429
1430##{ FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1431
1432if (version >= 3.004001)
1433ifplugin Mail::SpamAssassin::Plugin::AskDNS
1434meta FROM_NEWDOM_BTC __PDS_BTC_ID && __PDS_NEWDOMAIN
1435describe FROM_NEWDOM_BTC Newdomain with Bitcoin ID
1436#score FROM_NEWDOM_BTC 2.0 # limit
1437tflags FROM_NEWDOM_BTC net
1438endif
1439endif
1440##} FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1441
1442##{ FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1443
1444if (version >= 3.004002)
1445ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1446meta FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY
1447tflags FROM_NTLD_LINKBAIT publish
1448describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI
1449#score FROM_NTLD_LINKBAIT 2.0 # limit
1450endif
1451endif
1452##} FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1453
1454##{ FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1455
1456if (version >= 3.004002)
1457ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1458meta FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD
1459tflags FROM_NTLD_REPLY_FREEMAIL publish
1460describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL
1461#score FROM_NTLD_REPLY_FREEMAIL 2.0 # limit
1462endif
1463endif
1464##} FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1465
1466##{ FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1467
1468if (version >= 3.004001)
1469ifplugin Mail::SpamAssassin::Plugin::AskDNS
1470meta FROM_NUMBERO_NEWDOMAIN __NUMBERONLY_TLD && __PDS_NEWDOMAIN
1471describe FROM_NUMBERO_NEWDOMAIN Fingerprint and new domain
1472#score FROM_NUMBERO_NEWDOMAIN 2.0 # limit
1473tflags FROM_NUMBERO_NEWDOMAIN net publish
1474endif
1475endif
1476##} FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1477
1478##{ FROM_NUMERIC_TLD
1479
1480header FROM_NUMERIC_TLD From:addr =~ /\.\d+$/
1481describe FROM_NUMERIC_TLD From: address has numeric TLD
1482#score FROM_NUMERIC_TLD 3.000 # limit
1483##} FROM_NUMERIC_TLD
1484
1485##{ FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1486
1487if (version >= 3.004002)
1488ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1489meta FROM_PAYPAL_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_PAYPAL && (! NO_RELAYS && ! ALL_TRUSTED)
1490tflags FROM_PAYPAL_SPOOF publish net
1491describe FROM_PAYPAL_SPOOF From PayPal domain but matches SPOOFED
1492#score FROM_PAYPAL_SPOOF 1.6 # limit
1493endif
1494endif
1495##} FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1496
1497##{ FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1498
1499if (version >= 3.004002)
1500ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1501meta FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD
1502tflags FROM_SUSPICIOUS_NTLD publish
1503describe FROM_SUSPICIOUS_NTLD From abused NTLD
1504#score FROM_SUSPICIOUS_NTLD 0.5 # limit
1505endif
1506endif
1507##} FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1508
1509##{ FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1510
1511if (version >= 3.004002)
1512ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1513meta FROM_SUSPICIOUS_NTLD_FP __FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST
1514tflags FROM_SUSPICIOUS_NTLD_FP publish
1515describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD
1516#score FROM_SUSPICIOUS_NTLD_FP 2.0 # limit
1517endif
1518endif
1519##} FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1520
1521##{ FROM_WEBSITE
1522
1523header FROM_WEBSITE From:raw =~ m'\b(?:f|ht)tps?://[^\s"</\@]{3,60}\.\w\w'i
1524describe FROM_WEBSITE Sender name appears to be a link
1525##} FROM_WEBSITE
1526
1527##{ FROM_WSP_TRAIL
1528
1529header FROM_WSP_TRAIL From:raw =~ /< [^>]* \s > [^<>]* \z/xm
1530describe FROM_WSP_TRAIL Trailing whitespace before '>' in From header field
1531##} FROM_WSP_TRAIL
1532
1533##{ FSL_BULK_SIG
1534
1535meta FSL_BULK_SIG (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP_MESSY
1536describe FSL_BULK_SIG Bulk signature with no Unsubscribe
1537#score FSL_BULK_SIG 3.000 # limit
1538tflags FSL_BULK_SIG net publish
1539##} FSL_BULK_SIG
1540
1541##{ FSL_CTYPE_WIN1251
1542
1543header FSL_CTYPE_WIN1251 Content-Type =~ /charset="Windows-1251"/
1544describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam
1545##} FSL_CTYPE_WIN1251
1546
1547##{ FSL_FAKE_HOTMAIL_RVCD
1548
1549header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/
1550##} FSL_FAKE_HOTMAIL_RVCD
1551
1552##{ FSL_HELO_BARE_IP_1
1553
1554meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED
1555##} FSL_HELO_BARE_IP_1
1556
1557##{ FSL_HELO_DEVICE
1558
1559header FSL_HELO_DEVICE X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i
1560##} FSL_HELO_DEVICE
1561
1562##{ FSL_HELO_NON_FQDN_1
1563
1564header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
1565##} FSL_HELO_NON_FQDN_1
1566
1567##{ FSL_HELO_SETUP
1568
1569header FSL_HELO_SETUP X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i
1570##} FSL_HELO_SETUP
1571
1572##{ FSL_INTERIA_ABUSE
1573
1574uri FSL_INTERIA_ABUSE /\/\S+\.(?:w|eu|fm)\.interia\.pl/
1575##} FSL_INTERIA_ABUSE
1576
1577##{ FSL_NEW_HELO_USER
1578
1579meta FSL_NEW_HELO_USER (__FSL_HELO_USER_1 || __FSL_HELO_USER_2 || __FSL_HELO_USER_3)
1580describe FSL_NEW_HELO_USER Spam's using Helo and User
1581#score FSL_NEW_HELO_USER 2.0
1582tflags FSL_NEW_HELO_USER publish
1583##} FSL_NEW_HELO_USER
1584
1585##{ FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1586
1587ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1588 body FUZZY_AMAZON /(?:^|\W)(?=<A>)(?!amazon)<A><M><A><Z><O><N>(?:$|\W)/i
1589 describe FUZZY_AMAZON Obfuscated "amazon"
1590 tflags FUZZY_AMAZON publish
1591endif
1592##} FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1593
1594##{ FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1595
1596ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1597 body FUZZY_ANDROID /(?=<A>)(?!android)<A><N><D><R><O><I><D>/i
1598 describe FUZZY_ANDROID Obfuscated "android"
1599 tflags FUZZY_ANDROID publish
1600endif
1601##} FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1602
1603##{ FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1604
1605ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1606 body FUZZY_APPLE /(?:^|\W)(?=<A>)(?!appl[ey])<A><P><P><L><E>(?:$|\W)/i
1607 describe FUZZY_APPLE Obfuscated "apple"
1608 tflags FUZZY_APPLE publish
1609endif
1610##} FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1611
1612##{ FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1613
1614ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1615 body FUZZY_BITCOIN /(?=<B>)(?!bit[-\s]?coin)<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i
1616 describe FUZZY_BITCOIN Obfuscated "Bitcoin"
1617 tflags FUZZY_BITCOIN publish
1618endif
1619##} FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1620
1621##{ FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1622
1623ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1624 body FUZZY_BROWSER /(?=<B>)(?!browser)<B><R><O><W><S><E><R>/i
1625 describe FUZZY_BROWSER Obfuscated "browser"
1626 tflags FUZZY_BROWSER publish
1627endif
1628##} FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1629
1630##{ FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1631
1632ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1633 meta FUZZY_BTC_WALLET FUZZY_BITCOIN && FUZZY_WALLET
1634 describe FUZZY_BTC_WALLET Heavily obfuscated "bitcoin wallet"
1635 tflags FUZZY_BTC_WALLET publish
1636endif
1637##} FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1638
1639##{ FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1640
1641ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1642 body FUZZY_CLICK_HERE /(?=<C>)(?!click(?:\s|&nbsp;)here)<C><WS>*<L><WS>*<I><WS>*<C><WS>*<K><WS>+<H><WS>*<E><WS>*<R><WS>*<E>/i
1643 describe FUZZY_CLICK_HERE Obfuscated "click here"
1644 tflags FUZZY_CLICK_HERE publish
1645endif
1646##} FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1647
1648##{ FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1649
1650ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1651 meta FUZZY_DR_OZ __FUZZY_DR_OZ && !__VIA_ML
1652 describe FUZZY_DR_OZ Obfuscated Doctor Oz
1653 tflags FUZZY_DR_OZ publish
1654endif
1655##} FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1656
1657##{ FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1658
1659ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1660 body FUZZY_FACEBOOK /(?=<F>)(?!fa[ck]ebook)<F><A><C><E><B><O><O><K>/i
1661 describe FUZZY_FACEBOOK Obfuscated "facebook"
1662 tflags FUZZY_FACEBOOK publish
1663endif
1664##} FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1665
1666##{ FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1667
1668ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1669 body FUZZY_IMPORTANT /(?=<I>)(?!important)<I>(?:<M>|<N>)<P><O><R><T><A><N><T>/i
1670 describe FUZZY_IMPORTANT Obfuscated "important"
1671 tflags FUZZY_IMPORTANT publish
1672endif
1673##} FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1674
1675##{ FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1676
1677ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1678body FUZZY_MERIDIA /<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i
1679describe FUZZY_MERIDIA Obfuscation of the word "meridia"
1680endif
1681##} FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1682
1683##{ FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1684
1685ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1686 body FUZZY_MICROSOFT /(?=<M>)(?!microsoft)<M><I><C><R><O><S><O><F><T>/i
1687 describe FUZZY_MICROSOFT Obfuscated "microsoft"
1688 tflags FUZZY_MICROSOFT publish
1689endif
1690##} FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1691
1692##{ FUZZY_MONERO
1693
1694meta FUZZY_MONERO __FUZZY_MONERO
1695describe FUZZY_MONERO Obfuscated "Monero"
1696tflags FUZZY_MONERO publish
1697##} FUZZY_MONERO
1698
1699##{ FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1700
1701ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1702 body FUZZY_NORTON /(?:^|\W)(?=<N>)(?!norton)<N><O><R><T><O><N>(?:$|\W)/i
1703 describe FUZZY_NORTON Obfuscated "norton"
1704 tflags FUZZY_NORTON publish
1705endif
1706##} FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1707
1708##{ FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1709
1710ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1711 body FUZZY_OVERSTOCK /(?:^|\W)(?=<O>)(?!over[-\s]?stock)<O><V><E><R>[-\s]?<S><T><O><C><K>(?:$|\W)/i
1712 describe FUZZY_OVERSTOCK Obfuscated "overstock"
1713 tflags FUZZY_OVERSTOCK publish
1714endif
1715##} FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1716
1717##{ FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1718
1719ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1720 body FUZZY_PAYPAL /(?:^|\W)(?=<P>)(?!pay[-\s]?pal)<P><A><Y>[-\s]?<P><A><L>(?:$|\W)/i
1721 describe FUZZY_PAYPAL Obfuscated "paypal"
1722 tflags FUZZY_PAYPAL publish
1723endif
1724##} FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1725
1726##{ FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1727
1728ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1729 meta FUZZY_PORN __FUZZY_PORN && !( __ENV_AND_HDR_FROM_MATCH && __SENDER_BOT )
1730 describe FUZZY_PORN Obfuscated "Pornography" or "Pornographic"
1731 tflags FUZZY_PORN publish
1732endif
1733##} FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1734
1735##{ FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1736
1737ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1738 body FUZZY_PRIVACY /(?=<P>)(?!privacy)<P><R><I><V><A><C><Y>/i
1739 describe FUZZY_PRIVACY Obfuscated "privacy"
1740 tflags FUZZY_PRIVACY publish
1741endif
1742##} FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1743
1744##{ FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1745
1746ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1747 body FUZZY_PROMOTION /(?=<P>)(?!promotion)<P><R><O><M><O><T><I><O><N>/i
1748 describe FUZZY_PROMOTION Obfuscated "promotion"
1749 tflags FUZZY_PROMOTION publish
1750endif
1751##} FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1752
1753##{ FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1754
1755ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1756 body FUZZY_SAVINGS /(?=<S>)(?!savings)<S><A><V><I><N><G><S>/i
1757 describe FUZZY_SAVINGS Obfuscated "savings"
1758 tflags FUZZY_SAVINGS publish
1759endif
1760##} FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1761
1762##{ FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1763
1764ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1765 body FUZZY_SECURITY /(?=<S>)(?!security)(?!seguridad)(?!s\xc3\xa9curit\xc3\xa9)<S><E>(?:<C>|<G>)<U><R><I>(?:<T><Y>|<D><A><D>)/i
1766 describe FUZZY_SECURITY Obfuscated "security"
1767 tflags FUZZY_SECURITY publish
1768endif
1769##} FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1770
1771##{ FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1772
1773ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1774 body FUZZY_UNSUBSCRIBE /(?=<U>)(?!unsubscribe)<U><N><S><U><B><S><C><R><I><B><E>/i
1775 describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe"
1776 tflags FUZZY_UNSUBSCRIBE publish
1777endif
1778##} FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1779
1780##{ FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1781
1782ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1783 body FUZZY_WALLET /(?=<W>)(?!wallet)<W><A><L><L><E><T>/i
1784 describe FUZZY_WALLET Obfuscated "Wallet"
1785 tflags FUZZY_WALLET publish
1786endif
1787##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1788
1789##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1790
1791if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1792 meta GAPPY_SALES_LEADS_FREEM __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
1793 describe GAPPY_SALES_LEADS_FREEM Obfuscated marketing text, freemail or CHN replyto
1794# score GAPPY_SALES_LEADS_FREEM 3.500 # limit
1795 tflags GAPPY_SALES_LEADS_FREEM publish
1796endif
1797##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1798
1799##{ GB_FAKE_RF_SHORT
1800
1801meta GB_FAKE_RF_SHORT ( ! __THREADED && __GB_FAKE_RF && __PDS_URISHORTENER )
1802describe GB_FAKE_RF_SHORT Fake reply or forward with url shortener
1803#score GB_FAKE_RF_SHORT 2.000 # limit
1804tflags GB_FAKE_RF_SHORT publish
1805##} GB_FAKE_RF_SHORT
1806
1807##{ GB_FORGED_MUA_POSTFIX
1808
1809meta GB_FORGED_MUA_POSTFIX ( __FORGED_MUA_POSTFIX0 || __FORGED_MUA_POSTFIX1 )
1810describe GB_FORGED_MUA_POSTFIX Forged Postfix mua headers
1811tflags GB_FORGED_MUA_POSTFIX publish
1812#score GB_FORGED_MUA_POSTFIX 2.0 # limit
1813##} GB_FORGED_MUA_POSTFIX
1814
1815##{ GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
1816
1817ifplugin Mail::SpamAssassin::Plugin::FreeMail
1818 meta GB_FREEMAIL_DISPTO ( __FREEMAIL_DISPTO && !__freemail_safe )
1819 describe GB_FREEMAIL_DISPTO Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails
1820# score GB_FREEMAIL_DISPTO 0.50 # limit
1821 tflags GB_FREEMAIL_DISPTO publish
1822endif
1823##} GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
1824
1825##{ GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail
1826
1827ifplugin Mail::SpamAssassin::Plugin::FreeMail
1828 meta GB_FREEMAIL_DISPTO_NOTFREEM ( __FREEMAIL_DISPTO && !__freemail_safe && !FREEMAIL_FROM )
1829 describe GB_FREEMAIL_DISPTO_NOTFREEM Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail
1830# score GB_FREEMAIL_DISPTO_NOTFREEM 0.50 # limit
1831 tflags GB_FREEMAIL_DISPTO_NOTFREEM publish
1832endif
1833##} GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail
1834
1835##{ GB_GOOGLE_OBFUR
1836
1837uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.([a-z]{2,3})\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=([0-9])*\&(cad=rja\&uact=([0-9]+)\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(&usg=.{1,50})?/
1838describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect
1839#score GB_GOOGLE_OBFUR 0.75 # limit
1840tflags GB_GOOGLE_OBFUR publish
1841##} GB_GOOGLE_OBFUR
1842
1843##{ GB_GOOGLE_OBFUS
1844
1845uri GB_GOOGLE_OBFUS /^https:\/\/www\.google\.([a-z]{2,3})\/search\?ei=.{1,50}\&gs_l=.{1,20}/
1846describe GB_GOOGLE_OBFUS Obfuscate url through Google search
1847#score GB_GOOGLE_OBFUS 0.75 # limit
1848##} GB_GOOGLE_OBFUS
1849
1850##{ GEO_QUERY_STRING
1851
1852uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
1853##} GEO_QUERY_STRING
1854
1855##{ GOOGLE_DOCS_PHISH
1856
1857meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2)
1858describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form
1859#score GOOGLE_DOCS_PHISH 3.00 # limit
1860tflags GOOGLE_DOCS_PHISH publish
1861##} GOOGLE_DOCS_PHISH
1862
1863##{ GOOGLE_DOCS_PHISH_MANY
1864
1865meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
1866describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form
1867#score GOOGLE_DOCS_PHISH_MANY 4.00 # limit
1868tflags GOOGLE_DOCS_PHISH_MANY publish
1869##} GOOGLE_DOCS_PHISH_MANY
1870
1871##{ GOOGLE_DOC_SUSP
1872
1873meta GOOGLE_DOC_SUSP __GOOGLE_DOC_SUSP && !GOOGLE_DOCS_PHISH_MANY && !__HAS_SENDER && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__USING_VERP1 && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_SMTP && ! __HAS_LIST_ID && !__SURVEY && !__BUGGED_IMG
1874describe GOOGLE_DOC_SUSP Suspicious use of Google Docs
1875#score GOOGLE_DOC_SUSP 3.000 # limit
1876tflags GOOGLE_DOC_SUSP publish
1877##} GOOGLE_DOC_SUSP
1878
1879##{ GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1880
1881if (version >= 3.004002)
1882ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1883meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD
1884tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish
1885describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD
1886#score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit
1887endif
1888endif
1889##} GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1890
1891##{ GOOG_MALWARE_DNLD
1892
1893meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD
1894describe GOOG_MALWARE_DNLD File download via Google - Malware?
1895#score GOOG_MALWARE_DNLD 5.000 # limit
1896tflags GOOG_MALWARE_DNLD publish
1897##} GOOG_MALWARE_DNLD
1898
1899##{ GOOG_REDIR_DOCUSIGN
1900
1901uri GOOG_REDIR_DOCUSIGN m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i
1902describe GOOG_REDIR_DOCUSIGN Indirect docusign link, probable phishing
1903tflags GOOG_REDIR_DOCUSIGN publish
1904##} GOOG_REDIR_DOCUSIGN
1905
1906##{ GOOG_REDIR_NORDNS
1907
1908meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE
1909describe GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website + no rDNS
1910##} GOOG_REDIR_NORDNS
1911
1912##{ GOOG_REDIR_SHORT
1913
1914meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512
1915describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message
1916tflags GOOG_REDIR_SHORT publish
1917##} GOOG_REDIR_SHORT
1918
1919##{ GOOG_STO_HTML_PHISH
1920
1921meta GOOG_STO_HTML_PHISH __GOOG_STO_HTML_PHISH
1922describe GOOG_STO_HTML_PHISH Possible phishing with google content hosting to avoid URIBL
1923#score GOOG_STO_HTML_PHISH 3.00 # limit
1924tflags GOOG_STO_HTML_PHISH publish
1925##} GOOG_STO_HTML_PHISH
1926
1927##{ GOOG_STO_HTML_PHISH_MANY
1928
1929meta GOOG_STO_HTML_PHISH_MANY __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
1930describe GOOG_STO_HTML_PHISH_MANY Phishing with google content hosting to avoid URIBL
1931#score GOOG_STO_HTML_PHISH_MANY 4.00 # limit
1932tflags GOOG_STO_HTML_PHISH_MANY publish
1933##} GOOG_STO_HTML_PHISH_MANY
1934
1935##{ GOOG_STO_IMG_HTML
1936
1937meta GOOG_STO_IMG_HTML __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY
1938describe GOOG_STO_IMG_HTML Apparently using google content hosting to avoid URIBL
1939#score GOOG_STO_IMG_HTML 3.000 # limit
1940tflags GOOG_STO_IMG_HTML publish
1941##} GOOG_STO_IMG_HTML
1942
1943##{ GOOG_STO_IMG_NOHTML
1944
1945meta GOOG_STO_IMG_NOHTML __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !URI_GOOG_STO_SPAMMY
1946describe GOOG_STO_IMG_NOHTML Apparently using google content hosting to avoid URIBL
1947#score GOOG_STO_IMG_NOHTML 2.500 # limit
1948tflags GOOG_STO_IMG_NOHTML publish
1949##} GOOG_STO_IMG_NOHTML
1950
1951##{ GOOG_STO_NOIMG_HTML
1952
1953meta GOOG_STO_NOIMG_HTML __GOOG_STO_NOIMG_HTML && !URI_GOOG_STO_SPAMMY
1954describe GOOG_STO_NOIMG_HTML Apparently using google content hosting to avoid URIBL
1955#score GOOG_STO_NOIMG_HTML 3.000 # limit
1956tflags GOOG_STO_NOIMG_HTML publish
1957##} GOOG_STO_NOIMG_HTML
1958
1959##{ HAS_X_NO_RELAY
1960
1961meta HAS_X_NO_RELAY __HAS_X_NO_RELAY && !__TO_EQ_FROM_1
1962describe HAS_X_NO_RELAY Has spammy header
1963#score HAS_X_NO_RELAY 2.500 # limit
1964tflags HAS_X_NO_RELAY publish
1965##} HAS_X_NO_RELAY
1966
1967##{ HAS_X_OUTGOING_SPAM_STAT
1968
1969meta HAS_X_OUTGOING_SPAM_STAT __HAS_X_OUTGOING_SPAM_STAT && !MAILING_LIST_MULTI && !__HAS_X_MAILMAN_VERSION && !__AUTOREPLY_ASU && !__THREAD_INDEX_GOOD
1970describe HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - why trust the results?
1971#score HAS_X_OUTGOING_SPAM_STAT 3.000 # limit
1972tflags HAS_X_OUTGOING_SPAM_STAT publish
1973##} HAS_X_OUTGOING_SPAM_STAT
1974
1975##{ HDRS_LCASE
1976
1977describe HDRS_LCASE Odd capitalization of message header
1978#score HDRS_LCASE 0.10 # limit
1979##} HDRS_LCASE
1980
1981##{ HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
1982
1983if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
1984 meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
1985endif
1986##} HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
1987
1988##{ HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
1989
1990ifplugin Mail::SpamAssassin::Plugin::FreeMail
1991 meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
1992endif
1993##} HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
1994
1995##{ HDRS_LCASE_IMGONLY
1996
1997meta HDRS_LCASE_IMGONLY __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN
1998describe HDRS_LCASE_IMGONLY Odd capitalization of message headers + image-only HTML
1999#score HDRS_LCASE_IMGONLY 0.10 # limit
2000##} HDRS_LCASE_IMGONLY
2001
2002##{ HDRS_MISSP
2003
2004meta HDRS_MISSP __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY)
2005describe HDRS_MISSP Misspaced headers
2006#score HDRS_MISSP 2.500 # limit
2007tflags HDRS_MISSP publish
2008##} HDRS_MISSP
2009
2010##{ HDR_ORDER_FTSDMCXX_001C
2011
2012meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C)
2013describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant)
2014##} HDR_ORDER_FTSDMCXX_001C
2015
2016##{ HDR_ORDER_FTSDMCXX_BAT
2017
2018meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY)
2019describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant)
2020##} HDR_ORDER_FTSDMCXX_BAT
2021
2022##{ HDR_ORDER_FTSDMCXX_DIRECT
2023
2024meta HDR_ORDER_FTSDMCXX_DIRECT (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML
2025describe HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX
2026#score HDR_ORDER_FTSDMCXX_DIRECT 2.000 # limit
2027tflags HDR_ORDER_FTSDMCXX_DIRECT publish
2028##} HDR_ORDER_FTSDMCXX_DIRECT
2029
2030##{ HDR_ORDER_FTSDMCXX_NORDNS
2031
2032meta HDR_ORDER_FTSDMCXX_NORDNS (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED
2033describe HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS
2034#score HDR_ORDER_FTSDMCXX_NORDNS 3.500 # limit
2035tflags HDR_ORDER_FTSDMCXX_NORDNS publish
2036##} HDR_ORDER_FTSDMCXX_NORDNS
2037
2038##{ HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2039
2040ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2041header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999')
2042describe HEADER_COUNT_SUBJECT Multiple Subject headers found
2043endif
2044##} HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2045
2046##{ HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
2047
2048ifplugin Mail::SpamAssassin::Plugin::FreeMail
2049 ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2050 if (version >= 3.004000)
2051 header HEADER_FROM_DIFFERENT_DOMAINS eval:check_equal_from_domains()
2052 describe HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
2053# score HEADER_FROM_DIFFERENT_DOMAINS 0.25
2054 tflags HEADER_FROM_DIFFERENT_DOMAINS publish
2055endif
2056endif
2057endif
2058##} HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
2059
2060##{ HELO_FRIEND
2061
2062header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i
2063##} HELO_FRIEND
2064
2065##{ HELO_LH_HOME
2066
2067header HELO_LH_HOME X-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
2068##} HELO_LH_HOME
2069
2070##{ HELO_LH_LD
2071
2072header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i
2073##} HELO_LH_LD
2074
2075##{ HELO_LOCALHOST
2076
2077header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i
2078##} HELO_LOCALHOST
2079
2080##{ HELO_MISC_IP
2081
2082meta HELO_MISC_IP (__HELO_MISC_IP && !HELO_DYNAMIC_IPADDR && !HELO_DYNAMIC_IPADDR2 && !HELO_DYNAMIC_SPLIT_IP && !HELO_DYNAMIC_HCC && !HELO_DYNAMIC_DIALIN && ((TVD_RCVD_IP4 + TVD_RCVD_IP + __FSL_HELO_BARE_IP_2) <2))
2083describe HELO_MISC_IP Looking for more Dynamic IP Relays
2084#score HELO_MISC_IP 0.25
2085##} HELO_MISC_IP
2086
2087##{ HELO_NO_DOMAIN
2088
2089meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST
2090describe HELO_NO_DOMAIN Relay reports its domain incorrectly
2091tflags HELO_NO_DOMAIN publish
2092##} HELO_NO_DOMAIN
2093
2094##{ HELO_OEM
2095
2096header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
2097##} HELO_OEM
2098
2099##{ HEXHASH_WORD
2100
2101meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER
2102describe HEXHASH_WORD Multiple instances of word + hexadecimal hash
2103#score HEXHASH_WORD 3.000 # limit
2104tflags HEXHASH_WORD publish
2105##} HEXHASH_WORD
2106
2107##{ HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2108
2109ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2110mimeheader HK_CTE_RAW Content-Transfer-Encoding =~ /^raw$/
2111#score HK_CTE_RAW 2
2112tflags HK_CTE_RAW publish
2113endif
2114##} HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2115
2116##{ HK_LOTTO
2117
2118meta HK_LOTTO __HK_LOTTO_2 || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT
2119#score HK_LOTTO 1
2120##} HK_LOTTO
2121
2122##{ HK_NAME_DRUGS
2123
2124header HK_NAME_DRUGS From:name =~ /(viagra|\bcialis|cialis\b)/mi
2125describe HK_NAME_DRUGS From name contains drugs
2126#score HK_NAME_DRUGS 2
2127##} HK_NAME_DRUGS
2128
2129##{ HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
2130
2131ifplugin Mail::SpamAssassin::Plugin::FreeMail
2132if (version >= 3.004000)
2133 meta HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM
2134# score HK_NAME_FM_MR_MRS 1.5
2135endif
2136endif
2137##} HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
2138
2139##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
2140
2141ifplugin Mail::SpamAssassin::Plugin::FreeMail
2142if (version >= 3.004000)
2143 meta HK_NAME_MR_MRS __HK_NAME_MR_MRS && !FREEMAIL_FROM
2144# score HK_NAME_MR_MRS 1.0
2145endif
2146endif
2147##} HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
2148
2149##{ HK_RANDOM_ENVFROM
2150
2151header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
2152describe HK_RANDOM_ENVFROM Envelope sender username looks random
2153#score HK_RANDOM_ENVFROM 1
2154tflags HK_RANDOM_ENVFROM publish
2155##} HK_RANDOM_ENVFROM
2156
2157##{ HK_RANDOM_FROM
2158
2159header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
2160describe HK_RANDOM_FROM From username looks random
2161#score HK_RANDOM_FROM 1
2162tflags HK_RANDOM_FROM publish
2163##} HK_RANDOM_FROM
2164
2165##{ HK_RANDOM_REPLYTO
2166
2167header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
2168describe HK_RANDOM_REPLYTO Reply-To username looks random
2169#score HK_RANDOM_REPLYTO 1
2170tflags HK_RANDOM_REPLYTO publish
2171##} HK_RANDOM_REPLYTO
2172
2173##{ HK_RCVD_IP_MULTICAST
2174
2175header HK_RCVD_IP_MULTICAST X-Spam-Relays-External =~ / ip=(?:22[4-9]|23[0-9])\./
2176#score HK_RCVD_IP_MULTICAST 2
2177tflags HK_RCVD_IP_MULTICAST publish
2178##} HK_RCVD_IP_MULTICAST
2179
2180##{ HK_SCAM
2181
2182meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || __HK_SCAM_N16 || __HK_SCAM_S1 || __HK_SCAM_S15 || __HK_SCAM_S25
2183#score HK_SCAM 2
2184tflags HK_SCAM publish
2185##} HK_SCAM
2186
2187##{ HK_WIN
2188
2189meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2)
2190#score HK_WIN 1
2191##} HK_WIN
2192
2193##{ HOSTED_IMG_DIRECT_MX
2194
2195meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS
2196#score HOSTED_IMG_DIRECT_MX 3.500 # limit
2197describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm site, message direct-to-mx
2198tflags HOSTED_IMG_DIRECT_MX publish
2199##} HOSTED_IMG_DIRECT_MX
2200
2201##{ HOSTED_IMG_DQ_UNSUB
2202
2203meta HOSTED_IMG_DQ_UNSUB __HOSTED_IMG_DQ_UNSUB
2204#score HOSTED_IMG_DQ_UNSUB 3.500 # limit
2205describe HOSTED_IMG_DQ_UNSUB Image hosted at large ecomm site, IP addr unsub link
2206tflags HOSTED_IMG_DQ_UNSUB publish
2207##} HOSTED_IMG_DQ_UNSUB
2208
2209##{ HOSTED_IMG_FREEM
2210
2211meta HOSTED_IMG_FREEM __HOSTED_IMG_FREEM && !__THREADED
2212#score HOSTED_IMG_FREEM 3.500 # limit
2213describe HOSTED_IMG_FREEM Image hosted at large ecomm site or redirected, freemail from or reply-to
2214tflags HOSTED_IMG_FREEM publish
2215##} HOSTED_IMG_FREEM
2216
2217##{ HOSTED_IMG_MULTI
2218
2219meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS
2220#score HOSTED_IMG_MULTI 3.000 # limit
2221describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm sites or redirected
2222tflags HOSTED_IMG_MULTI publish
2223##} HOSTED_IMG_MULTI
2224
2225##{ HOSTED_IMG_MULTI_PUB_01
2226
2227meta HOSTED_IMG_MULTI_PUB_01 (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF
2228describe HOSTED_IMG_MULTI_PUB_01 Multiple hosted images at public site
2229#score HOSTED_IMG_MULTI_PUB_01 3.000 # limit
2230tflags HOSTED_IMG_MULTI_PUB_01 publish
2231##} HOSTED_IMG_MULTI_PUB_01
2232
2233##{ HTML_ENTITY_ASCII
2234
2235meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP
2236describe HTML_ENTITY_ASCII Obfuscated ASCII
2237#score HTML_ENTITY_ASCII 3.000 # limit
2238tflags HTML_ENTITY_ASCII publish
2239##} HTML_ENTITY_ASCII
2240
2241##{ HTML_ENTITY_ASCII_TINY
2242
2243meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_MINFP && __HTML_FONT_TINY_01
2244describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts
2245#score HTML_ENTITY_ASCII_TINY 3.000 # limit
2246tflags HTML_ENTITY_ASCII_TINY publish
2247##} HTML_ENTITY_ASCII_TINY
2248
2249##{ HTML_OFF_PAGE
2250
2251meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS
2252describe HTML_OFF_PAGE HTML element rendered well off the displayed page
2253#score HTML_OFF_PAGE 3.000 # limit
2254tflags HTML_OFF_PAGE publish
2255##} HTML_OFF_PAGE
2256
2257##{ HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2258
2259if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2260 meta HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU_MANY
2261 describe HTML_SHRT_CMNT_OBFU_MANY Obfuscation with many short HTML comments
2262# score HTML_SHRT_CMNT_OBFU_MANY 2.500 # limit
2263 tflags HTML_SHRT_CMNT_OBFU_MANY publish
2264endif
2265##} HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2266
2267##{ HTML_SINGLET_MANY
2268
2269meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP
2270describe HTML_SINGLET_MANY Many single-letter HTML format blocks
2271#score HTML_SINGLET_MANY 2.500 # limit
2272tflags HTML_SINGLET_MANY publish
2273##} HTML_SINGLET_MANY
2274
2275##{ HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2276
2277if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2278 meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID
2279 describe HTML_TEXT_INVISIBLE_FONT HTML hidden text - word obfuscation?
2280# score HTML_TEXT_INVISIBLE_FONT 2.000 # limit
2281 tflags HTML_TEXT_INVISIBLE_FONT publish
2282endif
2283##} HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2284
2285##{ HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2286
2287if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2288 meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX
2289 describe HTML_TEXT_INVISIBLE_STYLE HTML hidden text + other spam signs
2290# score HTML_TEXT_INVISIBLE_STYLE 3.500 # limit
2291 tflags HTML_TEXT_INVISIBLE_STYLE publish
2292endif
2293##} HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2294
2295##{ HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
2296
2297ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
2298body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10')
2299endif
2300##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
2301
2302##{ IMG_ONLY_FM_DOM_INFO
2303
2304meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO
2305describe IMG_ONLY_FM_DOM_INFO HTML image-only message from .info domain
2306#score IMG_ONLY_FM_DOM_INFO 2.500 # limit
2307tflags IMG_ONLY_FM_DOM_INFO publish
2308##} IMG_ONLY_FM_DOM_INFO
2309
2310##{ JH_SPAMMY_HEADERS
2311
2312meta JH_SPAMMY_HEADERS __HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGID || __HAS_X_LETTER || __HAS_X_EBSERVER || __HAS_LIST_OPEN
2313describe JH_SPAMMY_HEADERS Has unusual message header(s) seen primarily in spam
2314#score JH_SPAMMY_HEADERS 3.500 # limit
2315tflags JH_SPAMMY_HEADERS publish
2316##} JH_SPAMMY_HEADERS
2317
2318##{ JH_SPAMMY_PATTERN01
2319
2320rawbody JH_SPAMMY_PATTERN01 m;<img src=['"](https?://[^'"]{1,80}/)C([^/.]{1,30}\.jpg)['"]>.{0,200}<img src="\1U\2";ism
2321describe JH_SPAMMY_PATTERN01 Unusual pattern seen in spam campaign
2322#score JH_SPAMMY_PATTERN01 3.000 # limit
2323tflags JH_SPAMMY_PATTERN01 publish
2324##} JH_SPAMMY_PATTERN01
2325
2326##{ JH_SPAMMY_PATTERN02
2327
2328rawbody JH_SPAMMY_PATTERN02 m;<img [^>]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200}<a href="\1t=c\2".{0,200}<a href="\1t=u\2";ism
2329describe JH_SPAMMY_PATTERN02 Unusual pattern seen in spam campaign
2330#score JH_SPAMMY_PATTERN02 3.000 # limit
2331tflags JH_SPAMMY_PATTERN02 publish
2332##} JH_SPAMMY_PATTERN02
2333
2334##{ JM_I_FEEL_LUCKY
2335
2336uri JM_I_FEEL_LUCKY /(?:\&|\?)btnI=ec(?:$|\&)/
2337tflags JM_I_FEEL_LUCKY publish # low hitrate, but always a good sign
2338##} JM_I_FEEL_LUCKY
2339
2340##{ JM_RCVD_QMAILV1
2341
2342header JM_RCVD_QMAILV1 Received =~ /by \S+ \(Qmailv1\) with ESMTP/
2343##} JM_RCVD_QMAILV1
2344
2345##{ JM_TORA_XM
2346
2347meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
2348##} JM_TORA_XM
2349
2350##{ KB_DATE_CONTAINS_TAB
2351
2352meta KB_DATE_CONTAINS_TAB __KB_DATE_CONTAINS_TAB && !__ML_TURNS_SP_TO_TAB
2353#score KB_DATE_CONTAINS_TAB 0.5
2354##} KB_DATE_CONTAINS_TAB
2355
2356##{ KB_FAKED_THE_BAT
2357
2358meta KB_FAKED_THE_BAT (__THEBAT_MUA && KB_DATE_CONTAINS_TAB)
2359##} KB_FAKED_THE_BAT
2360
2361##{ KB_RATWARE_BOUNDARY
2362
2363meta KB_RATWARE_BOUNDARY __RATWARE_BOUND_A || __RATWARE_BOUND_B
2364##} KB_RATWARE_BOUNDARY
2365
2366##{ KB_RATWARE_MSGID
2367
2368meta KB_RATWARE_MSGID (__KB_MSGID_OUTLOOK_888 && __ANY_OUTLOOK_MUA)
2369##} KB_RATWARE_MSGID
2370
2371##{ KB_RATWARE_OUTLOOK_08
2372
2373header KB_RATWARE_OUTLOOK_08 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi # "
2374##} KB_RATWARE_OUTLOOK_08
2375
2376##{ KB_RATWARE_OUTLOOK_12
2377
2378header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # "
2379##} KB_RATWARE_OUTLOOK_12
2380
2381##{ KB_RATWARE_OUTLOOK_16
2382
2383header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # "
2384##} KB_RATWARE_OUTLOOK_16
2385
2386##{ KB_RATWARE_OUTLOOK_MID
2387
2388header KB_RATWARE_OUTLOOK_MID ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi
2389##} KB_RATWARE_OUTLOOK_MID
2390
2391##{ KHOP_FAKE_EBAY
2392
2393meta KHOP_FAKE_EBAY __EBAY_ADDRESS && !__NOT_SPOOFED
2394describe KHOP_FAKE_EBAY Sender falsely claims to be from eBay
2395##} KHOP_FAKE_EBAY
2396
2397##{ KHOP_HELO_FCRDNS
2398
2399meta KHOP_HELO_FCRDNS __HELO_NOT_RDNS && !(__VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || __NOT_SPOOFED || __RDNS_SHORT)
2400describe KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
2401#score KHOP_HELO_FCRDNS 0.4 # 20090603
2402##} KHOP_HELO_FCRDNS
2403
2404##{ LIST_PRTL_PUMPDUMP
2405
2406meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS
2407describe LIST_PRTL_PUMPDUMP Incomplete List-* headers and stock pump-and-dump
2408#score LIST_PRTL_PUMPDUMP 2.000 # limit
2409tflags LIST_PRTL_PUMPDUMP publish
2410##} LIST_PRTL_PUMPDUMP
2411
2412##{ LIST_PRTL_SAME_USER
2413
2414meta LIST_PRTL_SAME_USER __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO
2415describe LIST_PRTL_SAME_USER Incomplete List-* headers and from+to user the same
2416#score LIST_PRTL_SAME_USER 3.000 # limit
2417tflags LIST_PRTL_SAME_USER publish
2418##} LIST_PRTL_SAME_USER
2419
2420##{ LIVEFILESTORE
2421
2422uri LIVEFILESTORE m~livefilestore.com/~
2423##} LIVEFILESTORE
2424
2425##{ LONG_HEX_URI
2426
2427meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024
2428describe LONG_HEX_URI Very long purely hexadecimal URI
2429#score LONG_HEX_URI 3.000 # limit
2430tflags LONG_HEX_URI publish
2431##} LONG_HEX_URI
2432
2433##{ LONG_IMG_URI
2434
2435meta LONG_IMG_URI __45_ALNUM_IMG && !ALL_TRUSTED && !__HAS_ERRORS_TO
2436describe LONG_IMG_URI Image URI with very long path component - web bug?
2437#score LONG_IMG_URI 3.000 # limit
2438tflags LONG_IMG_URI publish
2439##} LONG_IMG_URI
2440
2441##{ LONG_INVISIBLE_TEXT
2442
2443describe LONG_INVISIBLE_TEXT Long block of hidden text - bayes poison?
2444#score LONG_INVISIBLE_TEXT 3.000 # limit
2445tflags LONG_INVISIBLE_TEXT publish
2446##} LONG_INVISIBLE_TEXT
2447
2448##{ LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
2449
2450if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
2451 meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV
2452endif
2453##} LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
2454
2455##{ LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2456
2457if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2458 meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV || (__LONG_STY_INVIS && !__UNSUB_LINK && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__RCD_RDNS_MTA && !__RCD_RDNS_MTA_MESSY && !__MIME_QP && !__HAS_X_MAILER && !__REPTO_QUOTE && !__USING_VERP1 )
2459endif
2460##} LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2461
2462##{ LONG_TERM_PRICE
2463
2464body LONG_TERM_PRICE /long\W+term\W+(target|projected)(\W+price)?/i
2465##} LONG_TERM_PRICE
2466
2467##{ LOOPHOLE_1
2468
2469body LOOPHOLE_1 /loop-?hole in the banking/i
2470describe LOOPHOLE_1 A loop hole in the banking laws?
2471##} LOOPHOLE_1
2472
2473##{ LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
2474
2475if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
2476 meta LOTS_OF_MONEY 0
2477endif
2478##} LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
2479
2480##{ LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2481
2482ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2483 meta LOTS_OF_MONEY (__LOTSA_MONEY_00 || __LOTSA_MONEY_01 || __LOTSA_MONEY_02 || __LOTSA_MONEY_03 || __LOTSA_MONEY_04 || __LOTSA_MONEY_05) && !__TRAVEL_ITINERARY
2484 describe LOTS_OF_MONEY Huge... sums of money
2485# score LOTS_OF_MONEY 0.01
2486 tflags LOTS_OF_MONEY publish
2487endif
2488##} LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2489
2490##{ LOTTERY_1
2491
2492meta LOTTERY_1 (__DBLCLAIM && __CASHPRZ)
2493##} LOTTERY_1
2494
2495##{ LOTTERY_PH_004470
2496
2497meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY)
2498##} LOTTERY_PH_004470
2499
2500##{ LOTTO_AGENT
2501
2502meta LOTTO_AGENT __LOTTO_AGENT && !__HAS_IN_REPLY_TO && !__THREADED && !__TO_YOUR_ORG && !__DKIM_EXISTS && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT && !__HAS_ERRORS_TO && !__RP_MATCHES_RCVD
2503describe LOTTO_AGENT Claims Agent
2504#score LOTTO_AGENT 1.50 # limit
2505##} LOTTO_AGENT
2506
2507##{ LUCRATIVE
2508
2509meta LUCRATIVE ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED
2510describe LUCRATIVE Make lots of money!
2511#score LUCRATIVE 2.00 # limit
2512tflags LUCRATIVE publish
2513##} LUCRATIVE
2514
2515##{ L_SPAM_TOOL_13
2516
2517header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/
2518##} L_SPAM_TOOL_13
2519
2520##{ MALFORMED_FREEMAIL
2521
2522meta MALFORMED_FREEMAIL (MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM
2523describe MALFORMED_FREEMAIL Bad headers on message from free email service
2524##} MALFORMED_FREEMAIL
2525
2526##{ MALF_HTML_B64
2527
2528meta MALF_HTML_B64 MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG
2529describe MALF_HTML_B64 Malformatted base64-encoded HTML content
2530#score MALF_HTML_B64 3.500 # limit
2531tflags MALF_HTML_B64 publish
2532##} MALF_HTML_B64
2533
2534##{ MALWARE_NORDNS
2535
2536meta MALWARE_NORDNS __MALWARE_NORDNS && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01
2537describe MALWARE_NORDNS Malware bragging + no rDNS
2538#score MALWARE_NORDNS 3.500 # limit
2539tflags MALWARE_NORDNS publish
2540##} MALWARE_NORDNS
2541
2542##{ MALWARE_PASSWORD
2543
2544meta MALWARE_PASSWORD __MALWARE_PASSWORD && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01
2545describe MALWARE_PASSWORD Malware bragging + "password"
2546#score MALWARE_PASSWORD 3.500 # limit
2547tflags MALWARE_PASSWORD publish
2548##} MALWARE_PASSWORD
2549
2550##{ MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2551
2552ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2553 meta MALW_ATTACH __MALW_ATTACH && !__HAS_THREAD_INDEX
2554 describe MALW_ATTACH Attachment filename suspicious, probable malware exploit
2555 tflags MALW_ATTACH publish
2556endif
2557##} MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2558
2559##{ MANY_HDRS_LCASE
2560
2561describe MANY_HDRS_LCASE Odd capitalization of multiple message headers
2562#score MANY_HDRS_LCASE 0.10 # limit
2563##} MANY_HDRS_LCASE
2564
2565##{ MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
2566
2567if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
2568 meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
2569endif
2570##} MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
2571
2572##{ MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
2573
2574ifplugin Mail::SpamAssassin::Plugin::FreeMail
2575 meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
2576endif
2577##} MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
2578
2579##{ MANY_SPAN_IN_TEXT
2580
2581meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML
2582describe MANY_SPAN_IN_TEXT Many <SPAN> tags embedded within text
2583tflags MANY_SPAN_IN_TEXT publish
2584##} MANY_SPAN_IN_TEXT
2585
2586##{ MAY_BE_FORGED
2587
2588meta MAY_BE_FORGED __MAY_BE_FORGED && !__NOT_SPOOFED && !__VIA_ML
2589describe MAY_BE_FORGED Relay IP's reverse DNS does not resolve to IP
2590##} MAY_BE_FORGED
2591
2592##{ MID_DEGREES
2593
2594header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
2595##} MID_DEGREES
2596
2597##{ MILLION_HUNDRED
2598
2599body MILLION_HUNDRED /Million\s+\S+\s+Hundred/i
2600describe MILLION_HUNDRED Million "One to Nine" Hundred
2601tflags MILLION_HUNDRED publish
2602##} MILLION_HUNDRED
2603
2604##{ MILLION_USD
2605
2606body MILLION_USD /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i
2607describe MILLION_USD Talks about millions of dollars
2608#score MILLION_USD 2
2609##} MILLION_USD
2610
2611##{ MIMEOLE_DIRECT_TO_MX
2612
2613meta MIMEOLE_DIRECT_TO_MX __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS
2614describe MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX
2615#score MIMEOLE_DIRECT_TO_MX 2.000 # limit
2616tflags MIMEOLE_DIRECT_TO_MX publish
2617##} MIMEOLE_DIRECT_TO_MX
2618
2619##{ MIME_BOUND_EQ_REL
2620
2621header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s
2622##} MIME_BOUND_EQ_REL
2623
2624##{ MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2625
2626ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2627 meta MIME_NO_TEXT __MIME_NO_TEXT && !__BOUNCE_CTYPE && !__CT_ENCRYPTED && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__USER_AGENT_APPLEMAIL && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__HS_SUBJ_RE_FW && !__PDF_ATTACH && !__LCL__KAM_BODY_LENGTH_LT_128
2628# score MIME_NO_TEXT 2.00 # limit
2629 describe MIME_NO_TEXT No (properly identified) text body parts
2630 tflags MIME_NO_TEXT publish
2631endif
2632##} MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2633
2634##{ MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2635
2636ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2637 meta MIME_PHP_NO_TEXT (MIME_NO_TEXT && __PHP_MUA)
2638 describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP
2639endif
2640##} MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2641
2642##{ MIXED_AREA_CASE
2643
2644meta MIXED_AREA_CASE __MIXED_AREA_CASE
2645describe MIXED_AREA_CASE Has area tag in mixed case
2646#score MIXED_AREA_CASE 2.500 # limit
2647tflags MIXED_AREA_CASE publish
2648##} MIXED_AREA_CASE
2649
2650##{ MIXED_CENTER_CASE
2651
2652meta MIXED_CENTER_CASE __MIXED_CENTER_CASE
2653describe MIXED_CENTER_CASE Has center tag in mixed case
2654#score MIXED_CENTER_CASE 2.500 # limit
2655tflags MIXED_CENTER_CASE publish
2656##} MIXED_CENTER_CASE
2657
2658##{ MIXED_CTYPE_CASE
2659
2660header MIXED_CTYPE_CASE Content-Type =~ m;^(?i:text/)(?!html|HTML)[Hh][Tt][Mm][Ll];
2661##} MIXED_CTYPE_CASE
2662
2663##{ MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2664
2665if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2666 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2667 meta MIXED_ES ( ! HTML_IMAGE_ONLY_16 ) && ( __LOWER_E > 20 ) && ( __E_LIKE_LETTER > ( (__LOWER_E * 14 ) / 10) ) && ( __E_LIKE_LETTER < ( 10 * __LOWER_E ) )
2668 describe MIXED_ES Too many es are not es
2669 tflags MIXED_ES publish
2670# lang pl score MIXED_ES 0.01
2671# lang cz score MIXED_ES 0.01
2672# lang sk score MIXED_ES 0.01
2673# lang hr score MIXED_ES 0.01
2674# lang el score MIXED_ES 0.01
2675endif
2676endif
2677##} MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2678
2679##{ MIXED_FONT_CASE
2680
2681meta MIXED_FONT_CASE __MIXED_FONT_CASE
2682describe MIXED_FONT_CASE Has font tag in mixed case
2683#score MIXED_FONT_CASE 2.500 # limit
2684tflags MIXED_FONT_CASE publish
2685##} MIXED_FONT_CASE
2686
2687##{ MIXED_HREF_CASE
2688
2689meta MIXED_HREF_CASE __MIXED_HREF_CASE_JH
2690describe MIXED_HREF_CASE Has href in mixed case
2691#score MIXED_HREF_CASE 2.000 # limit
2692tflags MIXED_HREF_CASE publish
2693##} MIXED_HREF_CASE
2694
2695##{ MIXED_IMG_CASE
2696
2697meta MIXED_IMG_CASE __MIXED_IMG_CASE_JH && !__MSGID_JAVAMAIL
2698describe MIXED_IMG_CASE Has img tag in mixed case
2699#score MIXED_IMG_CASE 3.000 # limit
2700tflags MIXED_IMG_CASE publish
2701##} MIXED_IMG_CASE
2702
2703##{ MONERO_DEADLINE
2704
2705meta MONERO_DEADLINE __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01
2706describe MONERO_DEADLINE Monero cryptocurrency with a deadline
2707#score MONERO_DEADLINE 3.000 # limit
2708tflags MONERO_DEADLINE publish
2709##} MONERO_DEADLINE
2710
2711##{ MONERO_EXTORT_01
2712
2713meta MONERO_EXTORT_01 __MONERO && __EXTORT_MANY
2714describe MONERO_EXTORT_01 Extortion spam, pay via Monero cryptocurrency
2715#score MONERO_EXTORT_01 5.000 # limit
2716tflags MONERO_EXTORT_01 publish
2717##} MONERO_EXTORT_01
2718
2719##{ MONERO_MALWARE
2720
2721meta MONERO_MALWARE __MONERO && __MY_MALWARE && !MONERO_EXTORT_01
2722describe MONERO_MALWARE Monero cryptocurrency + malware bragging
2723#score MONERO_MALWARE 3.500 # limit
2724tflags MONERO_MALWARE publish
2725##} MONERO_MALWARE
2726
2727##{ MONERO_PAY_ME
2728
2729meta MONERO_PAY_ME __MONERO && __PAY_ME && !MONERO_EXTORT_01
2730describe MONERO_PAY_ME Pay me via Monero cryptocurrency
2731#score MONERO_PAY_ME 3.000 # limit
2732tflags MONERO_PAY_ME publish
2733##} MONERO_PAY_ME
2734
2735##{ MONEY_ATM_CARD
2736
2737meta MONEY_ATM_CARD __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE
2738describe MONEY_ATM_CARD Lots of money on an ATM card
2739##} MONEY_ATM_CARD
2740
2741##{ MONEY_FORM
2742
2743meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP
2744describe MONEY_FORM Lots of money if you fill out a form
2745##} MONEY_FORM
2746
2747##{ MONEY_FORM_SHORT
2748
2749meta MONEY_FORM_SHORT __MONEY_FORM_SHORT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__THREADED && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__THREAD_INDEX_GOOD
2750describe MONEY_FORM_SHORT Lots of money if you fill out a short form
2751#score MONEY_FORM_SHORT 2.500 # limit
2752##} MONEY_FORM_SHORT
2753
2754##{ MONEY_FRAUD_3
2755
2756meta MONEY_FRAUD_3 (__MONEY_FRAUD_3 && !__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_3_NEW_MONEY) && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__IS_EXCH && !__VIA_ML && !__HAS_THREAD_INDEX && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__HTML_LINK_IMAGE && !__THREADED && !__DOS_BODY_THU && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
2757describe MONEY_FRAUD_3 Lots of money and several fraud phrases
2758tflags MONEY_FRAUD_3 publish
2759##} MONEY_FRAUD_3
2760
2761##{ MONEY_FRAUD_5
2762
2763meta MONEY_FRAUD_5 (__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_5_NEW_MONEY) && !__VIA_ML && !__HAS_THREAD_INDEX && !__COMMENT_EXISTS && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
2764describe MONEY_FRAUD_5 Lots of money and many fraud phrases
2765tflags MONEY_FRAUD_5 publish
2766##} MONEY_FRAUD_5
2767
2768##{ MONEY_FRAUD_8
2769
2770meta MONEY_FRAUD_8 __MONEY_FRAUD_8 && !__VIA_ML && !__HAS_THREAD_INDEX && !__BUGGED_IMG
2771describe MONEY_FRAUD_8 Lots of money and very many fraud phrases
2772tflags MONEY_FRAUD_8 publish
2773##} MONEY_FRAUD_8
2774
2775##{ MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
2776
2777ifplugin Mail::SpamAssassin::Plugin::FreeMail
2778 meta MONEY_FREEMAIL_REPTO __MONEY_FREEMAIL_REPTO && !__HAS_CAMPAIGNID
2779 describe MONEY_FREEMAIL_REPTO Lots of money from someone using free email?
2780# score MONEY_FREEMAIL_REPTO 3.000 # limit
2781 tflags MONEY_FREEMAIL_REPTO publish
2782endif
2783##} MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
2784
2785##{ MONEY_FROM_41
2786
2787meta MONEY_FROM_41 __MONEY_FROM_41
2788describe MONEY_FROM_41 Lots of money from Africa
2789#score MONEY_FROM_41 2.00 # limit
2790##} MONEY_FROM_41
2791
2792##{ MONEY_FROM_MISSP
2793
2794meta MONEY_FROM_MISSP LOTS_OF_MONEY && __FROM_MISSPACED && !__MIME_QP
2795describe MONEY_FROM_MISSP Lots of money and misspaced From
2796#score MONEY_FROM_MISSP 2.000 # limit
2797##} MONEY_FROM_MISSP
2798
2799##{ MONEY_NOHTML
2800
2801meta MONEY_NOHTML LOTS_OF_MONEY && __CT_TEXT_PLAIN
2802describe MONEY_NOHTML Lots of money in plain text
2803#score MONEY_NOHTML 2.500 # limit
2804##} MONEY_NOHTML
2805
2806##{ MSGID_DOLLARS_URI_IMG
2807
2808meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW
2809describe MSGID_DOLLARS_URI_IMG Suspicious Message-ID and image
2810#score MSGID_DOLLARS_URI_IMG 3.000 # limit
2811tflags MSGID_DOLLARS_URI_IMG publish
2812##} MSGID_DOLLARS_URI_IMG
2813
2814##{ MSGID_HDR_MALF
2815
2816meta MSGID_HDR_MALF __HAS_MESSAGEID
2817describe MSGID_HDR_MALF Has invalid message ID header
2818#score MSGID_HDR_MALF 3.500 # limit
2819tflags MSGID_HDR_MALF publish
2820##} MSGID_HDR_MALF
2821
2822##{ MSGID_MULTIPLE_AT
2823
2824header MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/
2825describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters
2826#score MSGID_MULTIPLE_AT 0.001
2827##} MSGID_MULTIPLE_AT
2828
2829##{ MSGID_NOFQDN1
2830
2831meta MSGID_NOFQDN1 __MSGID_NOFQDN1
2832describe MSGID_NOFQDN1 Message-ID with no domain name
2833##} MSGID_NOFQDN1
2834
2835##{ MSMAIL_PRI_ABNORMAL
2836
2837meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER && !__HAS_UA && !__MSMAIL_PRI_HIGH
2838describe MSMAIL_PRI_ABNORMAL Email priority often abused
2839#score MSMAIL_PRI_ABNORMAL 1.500 # limit
2840##} MSMAIL_PRI_ABNORMAL
2841
2842##{ MSM_PRIO_REPTO
2843
2844meta MSM_PRIO_REPTO __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH
2845describe MSM_PRIO_REPTO MSMail priority header + Reply-to + short subject
2846#score MSM_PRIO_REPTO 2.500 # limit
2847tflags MSM_PRIO_REPTO publish
2848##} MSM_PRIO_REPTO
2849
2850##{ MSOE_MID_WRONG_CASE
2851
2852meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)
2853##} MSOE_MID_WRONG_CASE
2854
2855##{ NAME_EMAIL_DIFF
2856
2857meta NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL
2858describe NAME_EMAIL_DIFF Sender NAME is an unrelated email address
2859##} NAME_EMAIL_DIFF
2860
2861##{ NA_DOLLARS
2862
2863body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i
2864describe NA_DOLLARS Talks about a million North American dollars
2865#score NA_DOLLARS 1.5
2866##} NA_DOLLARS
2867
2868##{ NEWEGG_IMG_NOT_RCVD_NEGG
2869
2870meta NEWEGG_IMG_NOT_RCVD_NEGG __NEWEGG_IMG_NOT_RCVD_NEGG
2871#score NEWEGG_IMG_NOT_RCVD_NEGG 2.500 # limit
2872describe NEWEGG_IMG_NOT_RCVD_NEGG Newegg hosted image but message not from Newegg
2873tflags NEWEGG_IMG_NOT_RCVD_NEGG publish
2874##} NEWEGG_IMG_NOT_RCVD_NEGG
2875
2876##{ NICE_REPLY_A
2877
2878meta NICE_REPLY_A (__SUBJ_RE && !__MISSING_REPLY && !__MISSING_REF && __BOTH_INR_AND_REF)
2879describe NICE_REPLY_A Looks like a legit reply (A)
2880tflags NICE_REPLY_A nice
2881##} NICE_REPLY_A
2882
2883##{ NORDNS_LOW_CONTRAST
2884
2885meta NORDNS_LOW_CONTRAST (__HTML_FONT_LOW_CONTRAST_MINFP && __RDNS_NONE) && !ALL_TRUSTED && !__HAS_CID
2886describe NORDNS_LOW_CONTRAST No rDNS + hidden text
2887#score NORDNS_LOW_CONTRAST 2.500 # limit
2888##} NORDNS_LOW_CONTRAST
2889
2890##{ NOT_SPAM
2891
2892body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i
2893describe NOT_SPAM I'm not spam! Really! I'm not, I'm not, I'm not!
2894tflags NOT_SPAM publish
2895##} NOT_SPAM
2896
2897##{ NO_FM_NAME_IP_HOSTN
2898
2899meta NO_FM_NAME_IP_HOSTN (__KHOP_NO_FULL_NAME && __IP_IN_RELAY) && !__DOS_RELAYED_EXT
2900describe NO_FM_NAME_IP_HOSTN No From name + hostname using IP address
2901#score NO_FM_NAME_IP_HOSTN 2.500 # limit
2902tflags NO_FM_NAME_IP_HOSTN publish
2903##} NO_FM_NAME_IP_HOSTN
2904
2905##{ NSL_RCVD_FROM_USER
2906
2907header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
2908describe NSL_RCVD_FROM_USER Received from User
2909##} NSL_RCVD_FROM_USER
2910
2911##{ NSL_RCVD_HELO_USER
2912
2913header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
2914describe NSL_RCVD_HELO_USER Received from HELO User
2915##} NSL_RCVD_HELO_USER
2916
2917##{ NULL_IN_BODY
2918
2919full NULL_IN_BODY /\x00/
2920describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message
2921##} NULL_IN_BODY
2922
2923##{ NUMBEREND_LINKBAIT
2924
2925meta NUMBEREND_LINKBAIT __NUMBEREND_TLD && __LCL__KAM_BODY_LENGTH_LT_1024 && __BODY_URI_ONLY
2926describe NUMBEREND_LINKBAIT Domain ends in a large number and very short body with link
2927#score NUMBEREND_LINKBAIT 1.0 # limit
2928##} NUMBEREND_LINKBAIT
2929
2930##{ OBFU_BITCOIN
2931
2932meta OBFU_BITCOIN __OBFU_BITCOIN
2933describe OBFU_BITCOIN Obfuscated BitCoin references
2934#score OBFU_BITCOIN 3.000 # limit
2935tflags OBFU_BITCOIN publish
2936##} OBFU_BITCOIN
2937
2938##{ OBFU_JVSCR_ESC
2939
2940rawbody OBFU_JVSCR_ESC /document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i
2941describe OBFU_JVSCR_ESC Injects content using obfuscated javascript
2942tflags OBFU_JVSCR_ESC publish
2943##} OBFU_JVSCR_ESC
2944
2945##{ OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2946
2947ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2948 mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i
2949 describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type
2950 tflags OBFU_TEXT_ATTACH publish
2951endif
2952##} OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2953
2954##{ OBFU_UNSUB_UL
2955
2956meta OBFU_UNSUB_UL __OBFU_UNSUB_UL && !MAILING_LIST_MULTI
2957describe OBFU_UNSUB_UL Obfuscated unsubscribe text
2958tflags OBFU_UNSUB_UL publish
2959##} OBFU_UNSUB_UL
2960
2961##{ ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
2962
2963ifplugin Mail::SpamAssassin::Plugin::FreeMail
2964 meta ODD_FREEM_REPTO __freemail_mailreplyto
2965 describe ODD_FREEM_REPTO Has unusual reply-to header
2966# score ODD_FREEM_REPTO 3.000 # limit
2967 tflags ODD_FREEM_REPTO publish
2968endif
2969##} ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
2970
2971##{ OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
2972
2973if (version >= 3.004002)
2974ifplugin Mail::SpamAssassin::Plugin::WLBLEval
2975meta OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA
2976describe OFFER_ONLY_AMERICA Offer only available to US
2977#score OFFER_ONLY_AMERICA 2.0 # limit
2978endif
2979endif
2980##} OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
2981
2982##{ ONLINE_MKTG_CNSLT
2983
2984body ONLINE_MKTG_CNSLT /\bonline marketing consultant\b/i
2985##} ONLINE_MKTG_CNSLT
2986
2987##{ ORDER_TODAY
2988
2989meta ORDER_TODAY __ORDER_TODAY && (__HTML_IMG_ONLY || __ALIBABA_IMG_NOT_RCVD_ALI || __TO_NO_BRKTS_NORDNS_HTML)
2990describe ORDER_TODAY Get your order in now!
2991#score ORDER_TODAY 2.500 # limit
2992##} ORDER_TODAY
2993
2994##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2995
2996ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2997meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F)
2998describe PART_CID_STOCK Has a spammy image attachment (by Content-ID)
2999endif
3000##} PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3001
3002##{ PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3003
3004ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3005meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS)
3006describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific)
3007endif
3008##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3009
3010##{ PDS_BAD_THREAD_QP_64
3011
3012meta PDS_BAD_THREAD_QP_64 __PDS_QP_64 && __HAS_THREAD_INDEX && !__THREAD_INDEX_GOOD
3013describe PDS_BAD_THREAD_QP_64 Bad thread header - short QP
3014#score PDS_BAD_THREAD_QP_64 1.0
3015##} PDS_BAD_THREAD_QP_64
3016
3017##{ PDS_BTC_ID
3018
3019meta PDS_BTC_ID __PDS_BTC_ID
3020describe PDS_BTC_ID FP reduced Bitcoin ID
3021#score PDS_BTC_ID 0.5
3022##} PDS_BTC_ID
3023
3024##{ PDS_BTC_MSGID
3025
3026meta PDS_BTC_MSGID __PDS_BTC_ID && __MSGID_NOFQDN2
3027describe PDS_BTC_MSGID Bitcoin ID with T_MSGID_NOFQDN2
3028#score PDS_BTC_MSGID 1.0
3029##} PDS_BTC_MSGID
3030
3031##{ PDS_DBL_URL_TNB_RUNON
3032
3033meta PDS_DBL_URL_TNB_RUNON __TO_NO_BRKTS_FROM_RUNON && __PDS_DOUBLE_URL
3034describe PDS_DBL_URL_TNB_RUNON Double-url and To no arrows, from runon
3035#score PDS_DBL_URL_TNB_RUNON 2.0
3036##} PDS_DBL_URL_TNB_RUNON
3037
3038##{ PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3039
3040ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3041if (version >= 3.004000)
3042meta PDS_EMPTYSUBJ_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __SUBJECT_EMPTY && __PDS_MSG_1024
3043describe PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener
3044#score PDS_EMPTYSUBJ_URISHRT 1.5 # limit
3045endif
3046endif
3047##} PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3048
3049##{ PDS_FRNOM_TODOM_DBL_URL
3050
3051meta PDS_FRNOM_TODOM_DBL_URL PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL
3052describe PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL
3053#score PDS_FRNOM_TODOM_DBL_URL 1.5
3054##} PDS_FRNOM_TODOM_DBL_URL
3055
3056##{ PDS_FRNOM_TODOM_NAKED_TO
3057
3058meta PDS_FRNOM_TODOM_NAKED_TO __NAKED_TO && PDS_FROM_NAME_TO_DOMAIN
3059describe PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain
3060#score PDS_FRNOM_TODOM_NAKED_TO 1.5
3061##} PDS_FRNOM_TODOM_NAKED_TO
3062
3063##{ PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
3064
3065if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
3066 meta PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__MSGID_JAVAMAIL && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__DKIM_EXISTS
3067 describe PDS_FROM_2_EMAILS From header has multiple different addresses
3068# score PDS_FROM_2_EMAILS 3.500 # limit
3069endif
3070##} PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
3071
3072##{ PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3073
3074ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3075if (version >= 3.004000)
3076meta PDS_FROM_2_EMAILS_SHRTNER (__PDS_URISHORTENER || __URL_SHORTENER) && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY
3077describe PDS_FROM_2_EMAILS_SHRTNER From 2 emails short email with little more than a URI shortener
3078#score PDS_FROM_2_EMAILS_SHRTNER 1.5 # limit
3079endif
3080endif
3081##} PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3082
3083##{ PDS_FROM_NAME_TO_DOMAIN
3084
3085meta PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN
3086#score PDS_FROM_NAME_TO_DOMAIN 2.0
3087describe PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain
3088##} PDS_FROM_NAME_TO_DOMAIN
3089
3090##{ PDS_HELO_SPF_FAIL
3091
3092meta PDS_HELO_SPF_FAIL SPF_HELO_FAIL && __HELO_HIGHPROFILE
3093describe PDS_HELO_SPF_FAIL High profile HELO that fails SPF
3094#score PDS_HELO_SPF_FAIL 2.0
3095tflags PDS_HELO_SPF_FAIL net
3096##} PDS_HELO_SPF_FAIL
3097
3098##{ PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3099
3100ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3101if (version >= 3.004000)
3102meta PDS_NO_FULL_NAME_SPOOFED_URL __PDS_MSG_1024 && __KHOP_NO_FULL_NAME && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER)
3103describe PDS_NO_FULL_NAME_SPOOFED_URL HTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME
3104#score PDS_NO_FULL_NAME_SPOOFED_URL 0.75 # limit
3105endif
3106endif
3107##} PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3108
3109##{ PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3110
3111if (version >= 3.004002)
3112ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3113header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD')
3114#score PDS_OTHER_BAD_TLD 2.0
3115describe PDS_OTHER_BAD_TLD Untrustworthy TLDs
3116endif
3117endif
3118##} PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3119
3120##{ PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3121
3122ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3123if (version >= 3.004000)
3124meta PDS_SHORTFWD_URISHRT_QP (__PDS_URISHORTENER || __URL_SHORTENER) && __HS_SUBJ_RE_FW && __T_PDS_MSG_512 && !T_PDS_SHORTFWD_URISHRT_FP
3125describe PDS_SHORTFWD_URISHRT_QP Apparently a short fwd/re with URI shortener
3126#score PDS_SHORTFWD_URISHRT_QP 1.5 # limit
3127endif
3128endif
3129##} PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3130
3131##{ PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3132
3133ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3134if (version >= 3.004000)
3135meta PDS_SHORT_SPOOFED_URL __PDS_MSG_1024 && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER)
3136describe PDS_SHORT_SPOOFED_URL HTML message short and T_SPOOFED_URL (S_U_FP)
3137#score PDS_SHORT_SPOOFED_URL 2.0
3138endif
3139endif
3140##} PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3141
3142##{ PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3143
3144ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3145if (version >= 3.004000)
3146meta PDS_TINYSUBJ_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __SUBJ_SHORT && __PDS_MSG_1024
3147describe PDS_TINYSUBJ_URISHRT Short subject with URL shortener
3148#score PDS_TINYSUBJ_URISHRT 1.5 # limit
3149endif
3150endif
3151##} PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3152
3153##{ PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
3154
3155meta PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE FREEMAIL_FORGED_REPLYTO && __PDS_TONAME_EQ_TOLOCAL
3156describe PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE Forged replyto and __PDS_TONAME_EQ_TOLOCAL
3157#score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 2.0 # limit
3158##} PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
3159
3160##{ PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
3161
3162meta PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE __PDS_TONAME_EQ_TOLOCAL && __HDRS_LCASE
3163describe PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE To: name matches everything in local email - LCASE headers
3164#score PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE 2.0 # limit
3165##} PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
3166
3167##{ PDS_TONAME_EQ_TOLOCAL_SHORT
3168
3169meta PDS_TONAME_EQ_TOLOCAL_SHORT __PDS_TONAME_EQ_TOLOCAL && __KAM_BODY_LENGTH_LT_512
3170describe PDS_TONAME_EQ_TOLOCAL_SHORT Short body with To: name matches everything in local email
3171#score PDS_TONAME_EQ_TOLOCAL_SHORT 2.0 # limit
3172##} PDS_TONAME_EQ_TOLOCAL_SHORT
3173
3174##{ PDS_TONAME_EQ_TOLOCAL_VSHORT
3175
3176meta PDS_TONAME_EQ_TOLOCAL_VSHORT __KAM_BODY_LENGTH_LT_128 && __PDS_TONAME_EQ_TOLOCAL
3177describe PDS_TONAME_EQ_TOLOCAL_VSHORT Very short body and From looks like 2 different emails
3178#score PDS_TONAME_EQ_TOLOCAL_VSHORT 1.0 # limit
3179##} PDS_TONAME_EQ_TOLOCAL_VSHORT
3180
3181##{ PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
3182
3183if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
3184 meta PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER
3185 describe PDS_TO_EQ_FROM_NAME From: name same as To: address
3186endif
3187##} PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
3188
3189##{ PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3190
3191ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3192if (version >= 3.004000)
3193meta PDS_URISHRT_LOCALPART_SUBJ LOCALPART_IN_SUBJECT && (__PDS_URISHORTENER || __URL_SHORTENER) && __PDS_MSG_1024
3194describe PDS_URISHRT_LOCALPART_SUBJ Localpart of To in subject
3195#score PDS_URISHRT_LOCALPART_SUBJ 1.0
3196endif
3197endif
3198##} PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3199
3200##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3201
3202ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3203 meta PHISH_ATTACH (__PHISH_ATTACH_01_01 || __PHISH_ATTACH_01_02) && !__HAS_SENDER
3204 describe PHISH_ATTACH Attachment filename suspicious, probable phishing
3205 tflags PHISH_ATTACH publish
3206endif
3207##} PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3208
3209##{ PHISH_AZURE_CLOUDAPP
3210
3211uri PHISH_AZURE_CLOUDAPP m;^https?://(?=[^/]+\.cloudapp\.azure\.com)(?:(?:b(?:illetedecalle\.northeurope|urofaxnotificado\.eastus)|comprobante(?:digital\.southcentralus|fiscale\.eastus)|infracciondeestacionamiento(?:\.eastus|s\.ukwest)|multa(?:detrafico\.eastus|prev\.eastus|s\.(?:eastus|southcentralus))|notificadosburofax\.eastus|penadetransitomulta\.eastus))\.cloudapp\.azure\.com/;i
3212describe PHISH_AZURE_CLOUDAPP Link to known phishing web application
3213#score PHISH_AZURE_CLOUDAPP 3.500
3214tflags PHISH_AZURE_CLOUDAPP publish
3215##} PHISH_AZURE_CLOUDAPP
3216
3217##{ PHISH_FBASEAPP
3218
3219meta PHISH_FBASEAPP __PHISH_FBASE_01
3220describe PHISH_FBASEAPP Probable phishing via hosted web app
3221#score PHISH_FBASEAPP 3.000 # limit
3222tflags PHISH_FBASEAPP publish
3223##} PHISH_FBASEAPP
3224
3225##{ PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
3226
3227if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
3228 meta PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF
3229 describe PHOTO_EDITING_DIRECT Image editing service, direct to MX
3230# score PHOTO_EDITING_DIRECT 3.000 # limit
3231endif
3232##} PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
3233
3234##{ PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
3235
3236if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
3237 meta PHOTO_EDITING_FREEM __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
3238 describe PHOTO_EDITING_FREEM Image editing service, freemail or CHN replyto
3239# score PHOTO_EDITING_FREEM 3.750 # limit
3240endif
3241##} PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
3242
3243##{ PHP_NOVER_MUA
3244
3245describe PHP_NOVER_MUA Mail from PHP with no version number
3246#score PHP_NOVER_MUA 3.000 # limit
3247tflags PHP_NOVER_MUA publish
3248##} PHP_NOVER_MUA
3249
3250##{ PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)
3251
3252if !plugin(Mail::SpamAssassin::Plugin::DKIM)
3253 meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
3254endif
3255##} PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)
3256
3257##{ PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM
3258
3259ifplugin Mail::SpamAssassin::Plugin::DKIM
3260 meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
3261endif
3262##} PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM
3263
3264##{ PHP_ORIG_SCRIPT
3265
3266meta PHP_ORIG_SCRIPT __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO && !__MSGID_BEFORE_RECEIVED && !MSGID_FROM_MTA_HEADER
3267describe PHP_ORIG_SCRIPT Sent by bot & other signs
3268#score PHP_ORIG_SCRIPT 2.500 # limit
3269tflags PHP_ORIG_SCRIPT publish
3270##} PHP_ORIG_SCRIPT
3271
3272##{ PHP_SCRIPT
3273
3274meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT
3275describe PHP_SCRIPT Sent by PHP script
3276#score PHP_SCRIPT 2.500 # limit
3277tflags PHP_SCRIPT publish
3278##} PHP_SCRIPT
3279
3280##{ PHP_SCRIPT_MUA
3281
3282meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA
3283describe PHP_SCRIPT_MUA Sent by PHP script, no version number
3284#score PHP_SCRIPT_MUA 2.000 # limit
3285tflags PHP_SCRIPT_MUA publish
3286##} PHP_SCRIPT_MUA
3287
3288##{ PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
3289
3290ifplugin Mail::SpamAssassin::Plugin::MIMEEval
3291 if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
3292 body PP_MIME_FAKE_ASCII_TEXT eval:check_for_ascii_text_illegal()
3293 describe PP_MIME_FAKE_ASCII_TEXT MIME text/plain claims to be ASCII but isn't
3294# score PP_MIME_FAKE_ASCII_TEXT 1.0
3295 tflags PP_MIME_FAKE_ASCII_TEXT publish
3296endif
3297endif
3298##} PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
3299
3300##{ PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3301
3302ifplugin Mail::SpamAssassin::Plugin::MIMEEval
3303 if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3304 body PP_TOO_MUCH_UNICODE02 eval:check_abundant_unicode_ratio(0.02)
3305 describe PP_TOO_MUCH_UNICODE02 Is text/plain but has many unicode escapes
3306# score PP_TOO_MUCH_UNICODE02 0.5
3307 tflags PP_TOO_MUCH_UNICODE02 publish
3308endif
3309endif
3310##} PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3311
3312##{ PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3313
3314ifplugin Mail::SpamAssassin::Plugin::MIMEEval
3315 if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3316 body PP_TOO_MUCH_UNICODE05 eval:check_abundant_unicode_ratio(0.05)
3317 describe PP_TOO_MUCH_UNICODE05 Is text/plain but has many unicode escapes
3318# score PP_TOO_MUCH_UNICODE05 1.0
3319 tflags PP_TOO_MUCH_UNICODE05 publish
3320endif
3321endif
3322##} PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3323
3324##{ PUMPDUMP
3325
3326meta PUMPDUMP (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI
3327describe PUMPDUMP Pump-and-dump stock scam phrase
3328#score PUMPDUMP 1.000 # limit
3329tflags PUMPDUMP publish
3330##} PUMPDUMP
3331
3332##{ PUMPDUMP_MULTI
3333
3334meta PUMPDUMP_MULTI (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
3335describe PUMPDUMP_MULTI Pump-and-dump stock scam phrases
3336#score PUMPDUMP_MULTI 3.500 # limit
3337tflags PUMPDUMP_MULTI publish
3338##} PUMPDUMP_MULTI
3339
3340##{ PUMPDUMP_TIP
3341
3342meta PUMPDUMP_TIP __PD_CNT_1 && __STOCK_TIP
3343describe PUMPDUMP_TIP Pump-and-dump stock tip
3344tflags PUMPDUMP_TIP publish
3345##} PUMPDUMP_TIP
3346
3347##{ RAND_HEADER_LIST_SPOOF
3348
3349meta RAND_HEADER_LIST_SPOOF __RAND_HEADER && __LIST_PARTIAL
3350describe RAND_HEADER_LIST_SPOOF Random gibberish message header(s) + pretending to be a mailing list
3351#score RAND_HEADER_LIST_SPOOF 3.000 # limit
3352tflags RAND_HEADER_LIST_SPOOF publish
3353##} RAND_HEADER_LIST_SPOOF
3354
3355##{ RAND_HEADER_MANY
3356
3357meta RAND_HEADER_MANY __RAND_HEADER_2
3358describe RAND_HEADER_MANY Multiple random gibberish message headers
3359#score RAND_HEADER_MANY 3.000 # limit
3360tflags RAND_HEADER_MANY publish
3361##} RAND_HEADER_MANY
3362
3363##{ RAND_MKTG_HEADER
3364
3365meta RAND_MKTG_HEADER __RAND_MKTG_HEADER && !__HAVE_BOUNCE_RELAYS && !__HAS_THREAD_INDEX && !__HAS_X_MAILING_LIST
3366describe RAND_MKTG_HEADER Has partially-randomized marketing/tracking header(s)
3367#score RAND_MKTG_HEADER 2.000 # limit
3368tflags RAND_MKTG_HEADER publish
3369##} RAND_MKTG_HEADER
3370
3371##{ RATWARE_NO_RDNS
3372
3373meta RATWARE_NO_RDNS __RATWARE_BOUND_A && __RDNS_NONE && __MIME_HTML && __MISSING_REF
3374describe RATWARE_NO_RDNS Suspicious MsgID and MIME boundary + no rDNS
3375#score RATWARE_NO_RDNS 3.000 # limit
3376##} RATWARE_NO_RDNS
3377
3378##{ RCVD_BAD_ID
3379
3380header RCVD_BAD_ID Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*<=>?\@\[\]^\`{|}~]|;\S)/
3381describe RCVD_BAD_ID Received header contains id field with bad characters
3382##} RCVD_BAD_ID
3383
3384##{ RCVD_DBL_DQ
3385
3386header RCVD_DBL_DQ Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/
3387describe RCVD_DBL_DQ Malformatted message header
3388tflags RCVD_DBL_DQ publish
3389##} RCVD_DBL_DQ
3390
3391##{ RCVD_DOTEDU_SHORT
3392
3393meta RCVD_DOTEDU_SHORT __RCVD_DOTEDU_SHORT && !__FS_SUBJ_RE && !__HAS_LIST_ID
3394describe RCVD_DOTEDU_SHORT Via .edu MTA + short message
3395#score RCVD_DOTEDU_SHORT 2.500 # limit
3396tflags RCVD_DOTEDU_SHORT publish
3397##} RCVD_DOTEDU_SHORT
3398
3399##{ RCVD_DOTEDU_SUSP_URI
3400
3401meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI
3402describe RCVD_DOTEDU_SUSP_URI Via .edu MTA + suspicious URI
3403#score RCVD_DOTEDU_SUSP_URI 3.000 # limit
3404tflags RCVD_DOTEDU_SUSP_URI publish
3405##} RCVD_DOTEDU_SUSP_URI
3406
3407##{ RCVD_FORGED_WROTE
3408
3409header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/
3410describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
3411##} RCVD_FORGED_WROTE
3412
3413##{ RCVD_FORGED_WROTE2
3414
3415header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
3416##} RCVD_FORGED_WROTE2
3417
3418##{ RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
3419
3420ifplugin Mail::SpamAssassin::Plugin::DNSEval
3421header RCVD_IN_IADB_DK eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.3')
3422describe RCVD_IN_IADB_DK IADB: Sender publishes Domain Keys record
3423tflags RCVD_IN_IADB_DK net nice
3424endif
3425##} RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
3426
3427##{ RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3428
3429ifplugin Mail::SpamAssassin::Plugin::DNSEval
3430header RCVD_IN_IADB_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.10')
3431describe RCVD_IN_IADB_DOPTIN IADB: All mailing list mail is confirmed opt-in
3432tflags RCVD_IN_IADB_DOPTIN net nice
3433endif
3434##} RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3435
3436##{ RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3437
3438ifplugin Mail::SpamAssassin::Plugin::DNSEval
3439header RCVD_IN_IADB_DOPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.9')
3440describe RCVD_IN_IADB_DOPTIN_GT50 IADB: Confirmed opt-in used more than 50% of the time
3441tflags RCVD_IN_IADB_DOPTIN_GT50 net nice
3442endif
3443##} RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3444
3445##{ RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3446
3447ifplugin Mail::SpamAssassin::Plugin::DNSEval
3448header RCVD_IN_IADB_DOPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.8')
3449describe RCVD_IN_IADB_DOPTIN_LT50 IADB: Confirmed opt-in used less than 50% of the time
3450tflags RCVD_IN_IADB_DOPTIN_LT50 net nice
3451endif
3452##} RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3453
3454##{ RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval
3455
3456ifplugin Mail::SpamAssassin::Plugin::DNSEval
3457header RCVD_IN_IADB_EDDB eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.1')
3458describe RCVD_IN_IADB_EDDB IADB: Participates in Email Deliverability Database
3459tflags RCVD_IN_IADB_EDDB net nice
3460endif
3461##} RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval
3462
3463##{ RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval
3464
3465ifplugin Mail::SpamAssassin::Plugin::DNSEval
3466header RCVD_IN_IADB_EPIA eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.2')
3467describe RCVD_IN_IADB_EPIA IADB: Member of Email Processing Industry Alliance
3468tflags RCVD_IN_IADB_EPIA net nice
3469endif
3470##} RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval
3471
3472##{ RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3473
3474ifplugin Mail::SpamAssassin::Plugin::DNSEval
3475header RCVD_IN_IADB_GOODMAIL eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.103')
3476describe RCVD_IN_IADB_GOODMAIL IADB: Sender has been certified by GoodMail
3477tflags RCVD_IN_IADB_GOODMAIL net nice
3478endif
3479##} RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3480
3481##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
3482
3483ifplugin Mail::SpamAssassin::Plugin::DNSEval
3484header RCVD_IN_IADB_LISTED eval:check_rbl_sub('iadb-firsttrusted', '^127\.0\.0\.[12]$')
3485describe RCVD_IN_IADB_LISTED Participates in the IADB system
3486tflags RCVD_IN_IADB_LISTED net nice
3487endif
3488##} RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
3489
3490##{ RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval
3491
3492ifplugin Mail::SpamAssassin::Plugin::DNSEval
3493header RCVD_IN_IADB_LOOSE eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.4')
3494describe RCVD_IN_IADB_LOOSE IADB: Adds relationship addrs w/out opt-in
3495tflags RCVD_IN_IADB_LOOSE net nice
3496endif
3497##} RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval
3498
3499##{ RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3500
3501ifplugin Mail::SpamAssassin::Plugin::DNSEval
3502header RCVD_IN_IADB_MI_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.1.10')
3503describe RCVD_IN_IADB_MI_CPEAR IADB: Complies with Michigan's CPEAR law
3504tflags RCVD_IN_IADB_MI_CPEAR net nice
3505endif
3506##} RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3507
3508##{ RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3509
3510ifplugin Mail::SpamAssassin::Plugin::DNSEval
3511header RCVD_IN_IADB_MI_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.101.10')
3512describe RCVD_IN_IADB_MI_CPR_30 IADB: Checked lists against Michigan's CPR within 30 days
3513tflags RCVD_IN_IADB_MI_CPR_30 net nice
3514endif
3515##} RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3516
3517##{ RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3518
3519ifplugin Mail::SpamAssassin::Plugin::DNSEval
3520header RCVD_IN_IADB_MI_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.201.10')
3521describe RCVD_IN_IADB_MI_CPR_MAT IADB: Sends no material under Michigan's CPR
3522tflags RCVD_IN_IADB_MI_CPR_MAT net nice
3523endif
3524##} RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3525
3526##{ RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3527
3528ifplugin Mail::SpamAssassin::Plugin::DNSEval
3529header RCVD_IN_IADB_ML_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.100')
3530describe RCVD_IN_IADB_ML_DOPTIN IADB: Mailing list email only, confirmed opt-in
3531tflags RCVD_IN_IADB_ML_DOPTIN net nice
3532endif
3533##} RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3534
3535##{ RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3536
3537ifplugin Mail::SpamAssassin::Plugin::DNSEval
3538header RCVD_IN_IADB_NOCONTROL eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.0')
3539describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing controls in place
3540tflags RCVD_IN_IADB_NOCONTROL net nice
3541endif
3542##} RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3543
3544##{ RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval
3545
3546ifplugin Mail::SpamAssassin::Plugin::DNSEval
3547header RCVD_IN_IADB_OOO eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.200')
3548describe RCVD_IN_IADB_OOO IADB: One-to-one/transactional email only
3549tflags RCVD_IN_IADB_OOO net nice
3550endif
3551##} RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval
3552
3553##{ RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3554
3555ifplugin Mail::SpamAssassin::Plugin::DNSEval
3556header RCVD_IN_IADB_OPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.7')
3557describe RCVD_IN_IADB_OPTIN IADB: All mailing list mail is opt-in
3558tflags RCVD_IN_IADB_OPTIN net nice
3559endif
3560##} RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3561
3562##{ RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3563
3564ifplugin Mail::SpamAssassin::Plugin::DNSEval
3565header RCVD_IN_IADB_OPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.6')
3566describe RCVD_IN_IADB_OPTIN_GT50 IADB: Opt-in used more than 50% of the time
3567tflags RCVD_IN_IADB_OPTIN_GT50 net nice
3568endif
3569##} RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3570
3571##{ RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3572
3573ifplugin Mail::SpamAssassin::Plugin::DNSEval
3574header RCVD_IN_IADB_OPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.5')
3575describe RCVD_IN_IADB_OPTIN_LT50 IADB: Opt-in used less than 50% of the time
3576tflags RCVD_IN_IADB_OPTIN_LT50 net nice
3577endif
3578##} RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3579
3580##{ RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval
3581
3582ifplugin Mail::SpamAssassin::Plugin::DNSEval
3583header RCVD_IN_IADB_OPTOUTONLY eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.1')
3584describe RCVD_IN_IADB_OPTOUTONLY IADB: Scrapes addresses, pure opt-out only
3585tflags RCVD_IN_IADB_OPTOUTONLY net nice
3586endif
3587##} RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval
3588
3589##{ RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval
3590
3591ifplugin Mail::SpamAssassin::Plugin::DNSEval
3592header RCVD_IN_IADB_RDNS eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.4')
3593describe RCVD_IN_IADB_RDNS IADB: Sender has reverse DNS record
3594tflags RCVD_IN_IADB_RDNS net nice
3595endif
3596##} RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval
3597
3598##{ RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval
3599
3600ifplugin Mail::SpamAssassin::Plugin::DNSEval
3601header RCVD_IN_IADB_SENDERID eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.2')
3602describe RCVD_IN_IADB_SENDERID IADB: Sender publishes Sender ID record
3603tflags RCVD_IN_IADB_SENDERID net nice
3604endif
3605##} RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval
3606
3607##{ RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval
3608
3609ifplugin Mail::SpamAssassin::Plugin::DNSEval
3610header RCVD_IN_IADB_SPF eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.1')
3611describe RCVD_IN_IADB_SPF IADB: Sender publishes SPF record
3612tflags RCVD_IN_IADB_SPF net nice
3613endif
3614##} RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval
3615
3616##{ RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3617
3618ifplugin Mail::SpamAssassin::Plugin::DNSEval
3619header RCVD_IN_IADB_UNVERIFIED_1 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.2')
3620describe RCVD_IN_IADB_UNVERIFIED_1 IADB: Accepts unverified sign-ups
3621tflags RCVD_IN_IADB_UNVERIFIED_1 net nice
3622endif
3623##} RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3624
3625##{ RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3626
3627ifplugin Mail::SpamAssassin::Plugin::DNSEval
3628header RCVD_IN_IADB_UNVERIFIED_2 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.3')
3629describe RCVD_IN_IADB_UNVERIFIED_2 IADB: Accepts unverified sign-ups, gives chance to opt out
3630tflags RCVD_IN_IADB_UNVERIFIED_2 net nice
3631endif
3632##} RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3633
3634##{ RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3635
3636ifplugin Mail::SpamAssassin::Plugin::DNSEval
3637header RCVD_IN_IADB_UT_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.2.10')
3638describe RCVD_IN_IADB_UT_CPEAR IADB: Complies with Utah's CPEAR law
3639tflags RCVD_IN_IADB_UT_CPEAR net nice
3640endif
3641##} RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3642
3643##{ RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3644
3645ifplugin Mail::SpamAssassin::Plugin::DNSEval
3646header RCVD_IN_IADB_UT_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.102.10')
3647describe RCVD_IN_IADB_UT_CPR_30 IADB: Checked lists against Utah's CPR within 30 days
3648tflags RCVD_IN_IADB_UT_CPR_30 net nice
3649endif
3650##} RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3651
3652##{ RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3653
3654ifplugin Mail::SpamAssassin::Plugin::DNSEval
3655header RCVD_IN_IADB_UT_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.202.10')
3656describe RCVD_IN_IADB_UT_CPR_MAT IADB: Sends no material under Utah's CPR
3657tflags RCVD_IN_IADB_UT_CPR_MAT net nice
3658endif
3659##} RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3660
3661##{ RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
3662
3663ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
3664header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.')
3665describe RCVD_IN_PSBL Received via a relay in PSBL
3666tflags RCVD_IN_PSBL net
3667endif
3668##} RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
3669
3670##{ RCVD_MAIL_COM
3671
3672header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is
3673describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com)
3674##} RCVD_MAIL_COM
3675
3676##{ RDNS_LOCALHOST
3677
3678header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
3679describe RDNS_LOCALHOST Sender's public rDNS is "localhost"
3680##} RDNS_LOCALHOST
3681
3682##{ RDNS_NUM_TLD_ATCHNX
3683
3684meta RDNS_NUM_TLD_ATCHNX __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT
3685describe RDNS_NUM_TLD_ATCHNX Relay rDNS has numeric TLD + suspicious attachment
3686#score RDNS_NUM_TLD_ATCHNX 3.000 # limit
3687tflags RDNS_NUM_TLD_ATCHNX publish
3688##} RDNS_NUM_TLD_ATCHNX
3689
3690##{ RDNS_NUM_TLD_XM
3691
3692meta RDNS_NUM_TLD_XM __RDNS_NUMERIC_TLD && (__HAS_XM_SID || __HAS_XM_LID || __HAS_XM_RECPTID || __HAS_XM_SENTBY)
3693describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious headers
3694#score RDNS_NUM_TLD_XM 3.000 # limit
3695tflags RDNS_NUM_TLD_XM publish
3696##} RDNS_NUM_TLD_XM
3697
3698##{ READY_TO_SHIP
3699
3700body READY_TO_SHIP /(?:in our (?:stock|warehouse)(?: today)?[.,] Ready (?:to (?:be )?|for )+ship|ready for shipping (?:in|from) our warehouse)/i
3701#score READY_TO_SHIP 1.500 # limit
3702##} READY_TO_SHIP
3703
3704##{ REPLYTO_EMPTY
3705
3706header REPLYTO_EMPTY Reply-To =~ /<>/
3707describe REPLYTO_EMPTY Reply-To undeliverable
3708##} REPLYTO_EMPTY
3709
3710##{ REPLYTO_WITHOUT_TO_CC
3711
3712meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS)
3713##} REPLYTO_WITHOUT_TO_CC
3714
3715##{ REPTO_419_FRAUD
3716
3717header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:speakers)\@012\.net\.il|(?:mail)\@101private\.com|(?:(?:alfredcheuk002|fbi_1234|longchii|mavis_wanczyk|qfdonation))\@126\.com|(?:(?:a(?:aronmichaels005|lfredcheuk_yuchow)|ehagler|google_promoaward0?|istarsolar|joeblp|microsoft(?:_office16|award01)|panyawein|wong(?:_shiu(?:09|2016)|shiu_ki)))\@163\.com|(?:(?:navas1|ray\-thomas7h))\@1email\.eu|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:(?:mr\.tonyelumelu|r(?:emittancedept001|ussia2018worldcuplotto5)))\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:info)\@aidakj\.com|(?:(?:a\.aktr|c(?:arlos\.adan|entralbank_malaysia2)|infovsa|maria\.louge|sarahjiwooali|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:adainis|jessikasingh|travisalex))\@aliyun\.com|(?:(?:director|info))\@anletco-jp\.com|(?:(?:deanie_ron|m(?:softgbcmanager|undo\.europe)|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:institutionaldepartment)\@aol\.nl|(?:deajohn)\@arubacloub\.com|(?:djohns)\@arubacloud\.com|(?:jeromecgb12)\@asia\.com|(?:bllphillips)\@att\.net|(?:garry\.quinlan)\@australiamail\.com|(?:(?:traoreahmed|zetiaziz))\@barid\.com|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:noreply\.fujvfes)\@bibliothequegaillard\.com|(?:costruire)\@bigmat\.it|(?:alerts\-noreply)\@bis\.org|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:executivedirector)\@box\.az|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:drbenardsani\.nnpc)\@bsgcpk\.com|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:rim43505)\@cantv\.net|(?:duncanttodd)\@centrum\.cz|(?:(?:contact\.roycockrumgrantoffice|fbipayment(?:50|600)|harunajim667|ralphwjohnson))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:dmalpasswb|re(?:covered\-tax|em(?:2018|alhashimi|hashimi2020))))\@daum\.net|(?:rex)\@departmentofsecretary\.com|(?:blythemasters)\@digitalassetholding\.org|(?:(?:diplomaticagent11|jentwistle90))\@diplomats\.com|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:(?:herrick01|rogersteare02))\@e1\.ru|(?:olga\.ingrif)\@ecb-securities\.com|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:no\-reply)\@economizar-na-web\.com\.br|(?:(?:denbrink|kathy_gerald1965|megaclaimcenter))\@email\.com|(?:johnkadiri)\@englandmail\.com|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|claimdpts|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:(?:jeferrey|yakuyaya77))\@financier\.com|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:notice)\@fnb\.co\.za|(?:info)\@fnconsultant\.biz|(?:(?:atmofficeauthoriza|captain\.lucasadam|e(?:golan2|u_payment)|gella1|k(?:aith\-angel|ossihpilip202)|pchwinningoffice1953|qatardonations16|smadartsadik|tepnherve00|worldauthorization))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:o(?:ctaviancm|rlando\.bloom))\@gmx\.co\.uk|(?:(?:a(?:hmet\.broker|lliance\.consultant)|f(?:aridaomar|er3nrod1512)|johnson\.douglas|p\.hamedmoff|rosicboteruff|walter_anderson))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:joxford)\@gmx\.us|(?:ben\.malbon)\@googlefps\.co\.uk|(?:m\.johnson10012)\@googlemail\.com|(?:larrypage)\@gpa-team\.com|(?:ceo)\@gpromo-team\.com|(?:sundarpichai)\@gpromoteam\.com|(?:sundarpichai)\@gpromoteamuk\.com|(?:garreth\.webb)\@grossfitconsultancy\.biz|(?:irenegeorgiadou)\@hellenicbankcy\.com|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:williamsdavid_3r)\@hotmail\.co\.uk|(?:christgoldwilliams)\@hotmail\.fr|(?:douglasflint)\@hsbcbank\.group|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:victorwang67)\@imail\.com|(?:01)\@imf-org\.org|(?:chrisdodgshun)\@inbound\.plus|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:janetyellenoffice|off(?:er2021|iceme)))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:sgt\.dave)\@inmano\.com|(?:baankston)\@instruction\.com|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:wbuk0[13])\@katamail\.com|(?:(?:ditmereduart|europsenderscouriers|lewiscarl))\@keemail\.me|(?:mikiwilliams)\@knol-power\.nl|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:philiphampton)\@lec20\.com|(?:ecowascourt)\@legislator\.com|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:deqishanmedical1)\@localnet\.com|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:fanliangjen)\@mail\.china\.com|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|eddy_haryono|ghazal\-a|info\.federalreserve\.org|kateclough1|mriamchombo1968|nancyvee80|ren\.deqi212))\@mail\.com|(?:williamsdawson)\@mail\.com\.tr|(?:(?:ayishagddafio|david\.onyeoma\.74|hmtreasyru\.ng|sambo_dasuki))\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:brantwbishop)\@mailbox\.org|(?:epowerball)\@mailbox\.sk|(?:johannreimann)\@memeware\.net|(?:miguel)\@miguel-sanchez\.com|(?:rbi\-e)\@mit\.tc|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:paul\.chang)\@msn\.com|(?:enquiry)\@multiplysearch\.com|(?:cadpayout01)\@my\.com|(?:(?:contactmee|ministersoffinance))\@mynet\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:reem9999|wujames))\@naver\.com|(?:jessicahunt1960)\@net-c\.com|(?:zenith)\@nmk\.ugu\.pl|(?:maxedwards)\@octopusinvestment\.co\.uk|(?:lindsaytrembley)\@oimail\.com|(?:googleclaims111)\@one\.lt|(?:accountingdrg)\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:(?:castorock|infobiz2|jarramos|mrsalice09))\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:servicio\.correo)\@orange\.fr|(?:turkish\-air)\@outlook\.com\.tr|(?:(?:ahmed3khan|dpt_transferunionwestern|mr\.onyeadams|rohitjain0))\@outlook\.fr|(?:m\.khan1)\@outlook\.sa|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:info)\@phillipsmorgan\.co\.za|(?:wood)\@poczta\.onet\.eu|(?:m(?:aryjosen|boyaeth))\@post\.com|(?:united\.globeawardoffice)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:jamesmr\.monday)\@rocketmail\.com|(?:(?:g(?:loriacmackenzie001|mackenzie001)|monicatorres001|wanczykmavis101))\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:info)\@roycockrum\.org|(?:mrs\.rachel2013)\@safe-mail\.net|(?:vera)\@safrica\.com|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:peterddeng)\@secsuremailer\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:swat)\@sltdchambers\.com|(?:(?:dycheseaan|sean(?:dyyches|sdychh)))\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:contact\.hmrc\.gov\.uk)\@sudhisalooja\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:xiankailu)\@taiyaubank-hk\.com|(?:mhua)\@tbochk\.com|(?:veronicabright)\@terra\.com\.pe|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:zimcargoservicehelpdesks)\@tlen\.pl|(?:drew)\@ton\.net\.ru|(?:itpark01)\@tpg\.com\.au|(?:bobby\.william)\@tradent\.net|(?:info)\@treasury-departmentdc\.twomini\.com|(?:info)\@treasury-usa\.3eeweb\.com|(?:info)\@un-grant\.info|(?:(?:b(?:lueskyanimatedfilm|rown\.monica_l)|info\.(?:clev\.frb|imfamerica)|policyaddmin\.file))\@usa\.com|(?:bmuczdh)\@virgilio\.it|(?:itgiix)\@visa\.com|(?:vankoning)\@volny\.cz|(?:holt1231)\@w\.cn|(?:infos)\@walmart\.com|(?:daydreamin)\@wanadoo\.fr|(?:(?:foreignoperationmanager|mr\.(?:ikokuoya|olicadams)))\@web\.cg|(?:weboffice05)\@web\.de|(?:b(?:\-calebfirm2007|oriscaleb121))\@webmail\.co\.za|(?:(?:frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:grahamjoneschambers)\@wildblue\.net|(?:e\.shaw)\@wilmagroup\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:stephaniehans\.euromillionlottery)\@yahoo\.be|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|bobwatson92|fundyawa2014|j(?:effwilliam207|oe_modisen)|lloydsbanksb|owengreen70|rebeccajoe98|samue95))\@yahoo\.co\.uk|(?:(?:changgordon(?:61|946)|lordsmartin|revlarrutycoker2015|thomaspeter227|zhu\.shumin))\@yahoo\.com\.hk|(?:imf_office_agent)\@yahoo\.com\.my|(?:(?:dr\.pauljames110|jessicp1))\@yahoo\.com\.sg|(?:boa2cb)\@yahoo\.com\.vn|(?:(?:contactus88\-00|jflangvm5nshyazyo7si6jfuqah6jsldw2kw6c2t|lmj82717|m(?:r\.angelabenjamin|srangelabne32)))\@yahoo\.es|(?:(?:charlinebebe22|fortinsandrine|rita_will001))\@yahoo\.fr|(?:maktoum\.shasher)\@yahoo\.pt|(?:ukdebtmanagement5)\@yahool\.com|(?:dr\.amelia\.george1)\@yandex\.ru|(?:jayanderson)\@yccaifuu\.com|(?:(?:alfred_cheuk_chow|friedrich_mayrh1|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|feliciamagi|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:(?:asiafoundationorg\.hr|jefflindsay))\@zoho\.com|(?:laprimitivaes)\@zohomail\.eu)$/i
3718describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox
3719#score REPTO_419_FRAUD 3.000
3720tflags REPTO_419_FRAUD publish
3721##} REPTO_419_FRAUD
3722
3723##{ REPTO_419_FRAUD_AOL
3724
3725header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:\.dordevicii|aromartins|f\.2[06]|ljaber111|meliageorge|n(?:d(?:_bley|rew_hans)|ttilimarim)|rthur\.alan)|b(?:aanidleewy|claimdept|rownchurchill2)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|ristinabruno38|ustom_service58)|d(?:avid(?:\.kms|opatry)|hodgkins001|ianwaynie|onald_anderson44)|e(?:ng(?:joej|r\.abdulla)|ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|i(?:sarobinson5\.0|zcarroll101)|orrainewirangee)|m(?:_l\.wanczyk62|aviswanczyk[do]|rs(?:isabelladzsesszika|safiagaddafi))|no(?:rmapatto|tification\.notification)|p(?:a(?:tricia(?:\.hans|hans)|ulpollard2)|eterwong345|otfolio\.management)|r(?:achel_wat2|oyalpalace2018)|s(?:afiiagadafi|gt\.gillianj200|ovchan|pwalker721|taatsloterijnederlands)|usembassy330|w(?:attson\.renwick|ebank244|issam\.haddad|u\.xiabk)|zeti\.aziz))\@aol\.com$/i
3726describe REPTO_419_FRAUD_AOL Reply-To is known advance fee fraud collector mailbox
3727#score REPTO_419_FRAUD_AOL 3.000
3728tflags REPTO_419_FRAUD_AOL publish
3729##} REPTO_419_FRAUD_AOL
3730
3731##{ REPTO_419_FRAUD_AOL_LOOSE
3732
3733meta REPTO_419_FRAUD_AOL_LOOSE __REPTO_419_FRAUD_AOL_LOOSE && !REPTO_419_FRAUD_AOL
3734describe REPTO_419_FRAUD_AOL_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
3735#score REPTO_419_FRAUD_AOL_LOOSE 1.000
3736tflags REPTO_419_FRAUD_AOL_LOOSE publish
3737##} REPTO_419_FRAUD_AOL_LOOSE
3738
3739##{ REPTO_419_FRAUD_CNS
3740
3741header REPTO_419_FRAUD_CNS Reply-To:addr =~ /^(?=[^\s<>@]+\@consultant\.com)(?:(?:anthonyalvarad|davidhenri|legacylawfirmdakar|m(?:iguel\-pinto|orrisherb)|owenschamber|santiagosegur|t(?:eo\.westin|he\.trustees1?)|westernunion1659))\@consultant\.com$/i
3742describe REPTO_419_FRAUD_CNS Reply-To is known advance fee fraud collector mailbox
3743#score REPTO_419_FRAUD_CNS 3.000
3744tflags REPTO_419_FRAUD_CNS publish
3745##} REPTO_419_FRAUD_CNS
3746
3747##{ REPTO_419_FRAUD_GM
3748
3749header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|41speedlinkdelivery|7912richardtony|a(?:bu(?:lkareem461|shadi0004)|c(?:aalzz11|count\.optionsmr\.jonasarmstrong|e(?:alss11|cere001))|d(?:esilgon77|iallo\.boa)|erofilxeport|gent\.laryedwad|isha(?:1976algaddafi|gaddafiaam)|jaminamo|l(?:\.jo60691737|a(?:n\.austin(?:041|223)|scramac)|ber\.yang222|ex(?:ander(?:daisy911|peterson4499)|hoffman3319|smithznn)|ghafrij13|hajarb|lenholden121|nizmaria|ure\.wawrenka1472)|m(?:b\.w\.stuart\.symington|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|tasomda))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|itaminarnguessan|n(?:a(?:choihkkic|llee091|sigurlaug458)|jenijohnsonn)|t(?:honyalvaradollc|o(?:meuenio|niopaco20consultant)))|r(?:adka01|chibaldhamble|thur11alan)|s(?:h(?:0611jnag|westwood7)|ianbae1010|sistance7agent)|t(?:m(?:mastercard41|office929)|tohlawoffice\.tg)|w1614860|yevayawovi190|zi(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50)))|b(?:a(?:lla250abc|nk(?:centralasiahalobca34|ingcentralng)|ochang7a|r(?:bersmadar75|r(?:\.(?:charles(?:1954|office)|martinrichard)|ister(?:\.fidelisokafor|lordruben94)|ubenjames)|teld\.huisman01))|bongo593|c0996013|e(?:linekra1|n(?:ezero392|jaminsarah195))|i(?:anigercash|ll(?:\.lawrence0747|fhome))|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:a(?:ndy\.heavenscenttt|volpaul55)|endalaporte112|ianmoynih00)|uff(?:ettwarrene21|ookj))|c(?:a(?:ixaseguros9810001|mluba2017|r(?:eisu98|l(?:os\.s\.helux|thomos)|twrighttownhomesllc))|bnatm847|claimsa|e(?:li(?:cerez|neroullier(?:200|nm))|ntraltrustlltd)|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:esluenga01|tonnewmanus1)))|e(?:mchung1011|nchung1011)|i(?:enkraymond|mwiakim))|iticonsultantjohncg0|kruger00017|l(?:a(?:im(?:adviser11|officeadm)|xtonpaul00)|s79408)|o(?:l(?:\.(?:ahmedmarani|fakhrialsalabi(?:01)?|hmedismari)|abdullahassi|edavid77032|husseinharmuchc(?:cj|j)|inchrisweir50|mohmanairf|o(?:mbasjuan53|nelsaad00))|mpensationcommitteboard|n(?:sult(?:ancy64|matthias|sto\.u)|tact(?:\.kolason|ad00[04]))|operation612)|pt\.eugenebarash|r(?:a(?:bbechambers|wfordgillies1)|ist(?:bru(?:05|n05)|i1537bru))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|iel(?:35508109|zulu11)|nydan24532)|v(?:i(?:d(?:\.loanfirm18|ibe718|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98)|ychan1970))|c(?:layconsult|ole77032)|e(?:btm123|n(?:iwalts|nis(?:clark659|quaid888))|partmentofstate(?:123|321)|tlefeckhardd)|hill27676|i(?:ane\.s\.wojcicki|gitalassetholding|p(?:francis1|lomat(?:\.john\.clerke|sshenry)))|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.(?:meirh|wilsonpaul02)|abodid|davidrhama221|j(?:amesdee|oesimon77)|kennedyuzo|meier\.heidi?|o(?:vieogor1|wenfrederick))|u(?:a1155a|nsilva58|stinmoskovitz\.2facebook)|v\.metus)|e(?:benezero392|christina937|d(?:runity|winfreeman22)|fcc\.financial\.dept|l(?:i(?:bethgomez(?:175|499)|sabethmaria600|zabethedw0)|otocashoffice1?)|m(?:2keld|ailpostlink09|efiele(?:328|g757)|ilyrichmond391)|renakgeorge123|ssexlss1|vgpatmow)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49(?:666|966)|k49666)|j569282|l(?:556249|aurentdz40|uhmann\.dn)|mb\.agent|o(?:ropunionbank|undations\.west)|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|isca(?:mendoza960|samendoza))|k(?:jwangg|laurarivera)))|bbankny\.gov|e(?:derick\.colemanesq|elottosweepstake51))|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|rielkalia1102)|r(?:ethbull112016|yakinson121))|bill4880|e(?:n(?:\.ahmedmsksi|eral(?:abdulrazak|williamstony990))|orgekwame481|r(?:aldjhjh11|tjanvlieghe787))|g780904|i(?:idp955|lbert12oook)|kwasiiwusu1\.persona|l(?:enmoore0011|oriachow5052)|o(?:glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219)|vgodwinemefiele111)|r(?:ace(?:jackmanwoods|obia001)|e(?:ant311|energeoffrey776))|veraallen)|h(?:a(?:r(?:old\.dia1100|ryebert101|twellbdaniel)|s(?:h(?:imyreem78|mireem801)|sanalshujairy))|e(?:a(?:dofficecentre0210|therbrooeke101)|cto(?:alon|r(?:castillos653|scastillo6))|lpdesk47321)|gold8080|heba\.hhassan207|i(?:ldad837|toshurui)|klee\.mike|o(?:lsemeyerole6|nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|trryt34|uichmh)|i(?:1955smael|amannjejosonn|bed627|n(?:fo(?:\.(?:abogadosmfontana|g00gleclaim|questiondesk|ulmusau)|64240|98cbnoffice7|aprl06|fdrserve)|gridrolle2|t(?:ernationallppp1|linvestorsfirm))|terryoffice)|j(?:35809121|a(?:888179|cobmaseon5995|m(?:alpriv8un|es(?:husmansdesk2240|okoh82))|nusensecureprivate|sonyeungchiwai|vierlesme001)|b5406424|c2222222rrr|e(?:ff(?:deandk2|erydean1960)|nniannjhsonn|ssikasingh4)|imyang977|k3311131|mpowellfr|o(?:e(?:dward023|kendal540|lmodisen)|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|tanko214|uba234|walterlove2010)|monkzza|n(?:esandassociates68|monkssa)|s(?:ephacevedo024|ianeangenor)|y(?:ce00011|mrskone5))|rawlings007|s4fernado|uliet\.le(?:222|e2222)|w6935997)|k(?:a(?:lstromjames3|malnizar000|rabo\.ramala39|t(?:ebaronbarr|hilittman7|jamess043|rinaziako56))|e(?:lsawamelia55|n(?:mck(?:ay1980|enziejr)|nedy\.sawadogo19))|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|rnkl1109|un(?:gwei7777|ioue28)|wasiowusug)|l(?:a(?:r(?:ateambo|rytoms200)|ursent892|wrencefoundation30)|blackshirepm|e(?:ndfair\.co\.uk1|rynne(?:0west99|west2289))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|li(?:ane\.bettencourt1945|ianchrstph)|n(?:elink008|glung104)|xiung(?:l48|9))|john6132|o(?:g(?:anntomas|eengen)|ttyoffice1|u(?:ghreymargaret67|isdreyfusmargarita5))|p319765|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ck(?:enzbezos|oliver324)|incare655|jor(?:dennishornbeck53|townsend01)|k(?:altschmidt|toumsheikhhasher)|nuelfranco(?:727|foundation0)|r(?:cusdembialomr|i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|nacoleman84|opabl26)|k(?:roth456|uses200)|y(?:franson56|jify00aaz01))|s(?:onmanny05|pencer5151)|t(?:hewriaanza|twilly3)|u(?:noveutileina|rhinck11?)|viswanczyk(?:1(?:19|987)|4(?:89|5)|775|foundation45|k112|zz)|xaajn|ydetratt)|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|engeoffrey|l(?:lagolan|vidabullock5)|nnss01)|gfrederick80|husameddine|i(?:c(?:he(?:alwuu002|lintagro)|paulla|w954)|k(?:edawson1960s|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|nfin\.gv|ss(?:\.melisa\.mehmett|boteogottai|yaelronen))|jminabii|k(?:ent7117|untjoro52)|lbriggs08860|m(?:1086771|argaritalouisdreyfus)|nmalarge|o(?:ham(?:edabdul1717|madraqab00)|rienkal30)|r(?:\.(?:justinmaxwell09|lusee|wlsonkabore)|7672900|cjames001|d517341|ericfranck|fabianchukwu|hanimuhammad627|jamesmc6|martine80|paulfrank01|r(?:echardthomas|ichardanthony1)|s(?:\.(?:biyufungchi16|janetolsen?|olsenjanett|patarkatsishvili|susanread12)|a(?:ishaalqadafi1976|ngela454)|g(?:ezeria|racewoods70)|h(?:amima60|ristinemadeleine)|j(?:ackman123|lleach)|maureens847|nicolefr1marios|r(?:obinsanders185|uthsmith9900)|s(?:arahbenjamin103|ophiac)|veraaellen)|tomcrist\.ca)|s(?:agent02|golaan4|smadar44)|twvvv|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter(?:2017|968))|obuyuki\.hirano128|tawdglobal)|o(?:\.peace004|3344nb|ffice(?:\.012123|rricherd876|windowterms)|liviemorgan4|marinyandeng|nufoundationclaims|pcwkdw|swald\.l(?:\.lewis|ewwis)|vieogor1)|p(?:\.compton101|a(?:storfrancesco1|trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018)|ymentofficer14)|brookk0|e(?:130304|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|h(?:\.cbnl|illip\.richead218)|ieterstevens511|o(?:lloke|wellmrwilliam)|r(?:esleybathini1|o(?:1nvstream|cessing2013general))|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymond(?:aba200|damon15))|e(?:beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n2214)|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.(?:jamesabel1|mikedadax)|ernestcebi|frankjackson91))|i(?:ch(?:ard(?:lustig4u|w(?:ahl511|illis815))|lawandds)|tawilliams4141)|josh200000|o(?:berthanandez6655|naldmorris786|s(?:a\.gomes0044|e(?:kipkalya934|tam00)))|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ssiaworldcuppromo|thmporat1\"))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid7000)|nchoscozfifa|rfiafarfask7)|cottpeters7989|e(?:cretservicce[78]|rgeantrobertbrown1|ydouthiebaconsultant)|g\.offiice\.group|h(?:a(?:msiahmohamadyunusbnegara|nemissler2009)|e(?:ikhalmaktoum79|ry(?:\.gtl131|etr03))|inawatrathaksin93)|i(?:lverlakeconsultant|mlkheng5)|krause680|l5342743|o(?:fia\.adams201|u(?:rcingloggs|thwsltd))|peelman1972|rfredericodehernandez|sdt224|tephentam1(?:47|6)|u(?:iyang(?:\.boc|02)|leiman\.cbnn|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|w(?:eeneyjohnson384|islottnl))|t(?:a(?:mmy21gill|y(?:ebsouami0|lorcathy362))|davalvse|erryparkins11|h(?:ailandbankoffice01|e(?:ara\.choy2|bigbiglottowinning77|odorosloannis9|resawilliams7661?|smithfm124))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|c(?:hrist1995|rist(?:52|donation12|foundation99|world)))|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|ransfermoney21\.2|tkhan69s)|u(?:babankbjplc|dregwqr|kponguko|marukareem8|n(?:claimedfunds554|itednation(?:organization70|s(?:8182|councilrefunds)))|sdepartmentofjustice80)|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61)|b(?:271981|6159980)|d232633|i(?:ge122|ll(?:iamrobert3852|update123))|kfinancialservice|orldbankregionalmanageroffice|u(?:\.office212|mt722)|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974)|z(?:enithbankplconline98|kiaslan1963|minhong65)))\@gmail\.com$/i
3750describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox
3751#score REPTO_419_FRAUD_GM 3.000
3752tflags REPTO_419_FRAUD_GM publish
3753##} REPTO_419_FRAUD_GM
3754
3755##{ REPTO_419_FRAUD_GM_LOOSE
3756
3757meta REPTO_419_FRAUD_GM_LOOSE __REPTO_419_FRAUD_GM_LOOSE && !REPTO_419_FRAUD_GM
3758describe REPTO_419_FRAUD_GM_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
3759#score REPTO_419_FRAUD_GM_LOOSE 1.000
3760tflags REPTO_419_FRAUD_GM_LOOSE publish
3761##} REPTO_419_FRAUD_GM_LOOSE
3762
3763##{ REPTO_419_FRAUD_HM
3764
3765header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|nikal01|zezul\.idrisazezulidris)|benarnault0|c(?:ecilekaramoko123|hoi21)|d(?:l13139|r\.dukanalycoulibaly)|egorbunova22|fanliangjen2|gen\.dmathokdiigwol|katabettencourt2018|l(?:\.b120k|e(?:a_edem|wisarm44)|imfu201677|ulihongm)|m(?:cliffmomah998|r(?:abrahambeniamfc|pedrohilldonations|s(?:\.roselinejac|elizabetmk|helenbgeorge|micheleallison2003)))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|patrickmullinfinaceservs|s(?:ajda\.andleeb|gthansencs|tephenbettinger|ulaimaninfante)|t(?:ashacap|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i
3766describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox
3767#score REPTO_419_FRAUD_HM 3.000
3768tflags REPTO_419_FRAUD_HM publish
3769##} REPTO_419_FRAUD_HM
3770
3771##{ REPTO_419_FRAUD_OL
3772
3773header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:a(?:23423|lexandermason)|brahamwilliamsonrpsltduk|l(?:bertchebe|exw113)|ndrew(?:_hai|gamble7)|utoresponds)|b(?:a(?:r(?:bayo_jacobs|claysplc2016)|sidris)|etty\.c_investment|illgfile203|riam8molefe)|c(?:bforeignremitdept|harlie\.j\.goodmand|o(?:l\.(?:airforce\.saadwarfali|warfalisaadairforce)|mpensationfunding))|d(?:eborahleeconsult|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020)|g(?:20compessdesk|eoffreynicolas\.esq|ilbertowosukk)|huyennvoha|j(?:ackson4steve|e(?:anedo1?|ssicameir30))|k(?:aujong|kkunited1)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|gbplc3|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|bryandavisuk44|jonah\.ot|mduku|s(?:\.coraluttah|_elizabeth20|michelleallison|roseallen)|vitaloadams)|spvt2020)|p(?:aul(?:\.walter120|blakey05)|hilcohen0012)|qanejmhffgg|r(?:c19691|ichardwahlfreegrant)|s(?:aaman10|gi2019|ilverlakeconsultantllc|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019|reff11)|unvanzyl_mrs|winuklotocash2018))\@outlook\.com$/i
3774describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox
3775#score REPTO_419_FRAUD_OL 3.000
3776tflags REPTO_419_FRAUD_OL publish
3777##} REPTO_419_FRAUD_OL
3778
3779##{ REPTO_419_FRAUD_PM
3780
3781header REPTO_419_FRAUD_PM Reply-To:addr =~ /^(?=[^\s<>@]+\@protonmail\.com)(?:(?:armstrong0244|berndkoch|davidmetus|euclaim|p(?:a(?:melagriffi|t\.nwankwo)|rotonydonation)|scottpeter012|v\.brianpierre|wraggsmk|yihsbltan|ziraatbankasi))\@protonmail\.com$/i
3782describe REPTO_419_FRAUD_PM Reply-To is known advance fee fraud collector mailbox
3783#score REPTO_419_FRAUD_PM 3.000
3784tflags REPTO_419_FRAUD_PM publish
3785##} REPTO_419_FRAUD_PM
3786
3787##{ REPTO_419_FRAUD_QQ
3788
3789header REPTO_419_FRAUD_QQ Reply-To:addr =~ /^(?=[^\s<>@]+\@qq\.com)(?:(?:1(?:731419584|821317384)|2(?:0(?:32508290|90641921)|3(?:72948239|89029403|97857528)|751232036)|3(?:323469072|523284224)|a(?:gent(?:markruben_fbi|promofficer)|kia\.j55)|claimoffice1|dennisonctrenton|l\.valiant|peterwong20177|s(?:abrinacrawford000|hu60w)|treasury_deptment0|wang_cjianlin))\@qq\.com$/i
3790describe REPTO_419_FRAUD_QQ Reply-To is known advance fee fraud collector mailbox
3791#score REPTO_419_FRAUD_QQ 3.000
3792tflags REPTO_419_FRAUD_QQ publish
3793##} REPTO_419_FRAUD_QQ
3794
3795##{ REPTO_419_FRAUD_YH
3796
3797header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|gaaintl\-4g5ee\.w3|l(?:berts\.odia|esiakalina2006)|mbassador\.l|nn(?:awax48|hester\.usa4))|b(?:a(?:che\.delfine|nk\.phbng14|rr(?:\.thomasclark|ister\.(?:dennis11|marcus)|lawrencefubara39|william_davies))|en(?:jaminb34|nicholas22)|illlawrenceee|riceangela45)|c(?:\.(?:aroline90|coulibaly2)|a(?:binet_maitre_emmanuel_patris|mpbellwilliamms)|h(?:arlesscharf112|hoy\.t|im\.w|jackson65)|juan852|o(?:llins(?:mattew32|wayne84)|mpliment\.sseason|ntelamine)|ythiamiller\.un10)|d(?:hamilton9099|i(?:aanesoto190|plomaticagent180)|r(?:\.aminramli|victorobaji))|edwarddawson|f(?:aizaadama2016|bicompensation_funds|ederal\.r73|id00180)|g(?:ov\.ukmessageboard|raham\.eddie2016|uesfilet1336523)|harry1vans|i(?:\.project33411|befranfgnfmf|nfo(?:111mail|bank1|money)|project32411)|j(?:\.edwards228|a(?:ckson\.davis915|ne(?:_ooparah|temoon150))|essica\.p_family|inping\.tw|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:elvinmark629|im(?:\.leang2018?|leang(?:575|90))|yle_grubbe)|l(?:e(?:a_edem13|ge331|hman(?:909|bila))|i(?:m_kaan|sarobinson_555|uhngbin)|y_cheapiseth(?:11|2019))|m(?:arie_avis12|d(?:\.ps|zsesszika672)|elissalewis(?:10001|4004)|iss\.zarryb|o(?:hammedaahil46|keye79)|r(?:kellyayi62|s(?:\.esthernicolas|isabella\.dzesszikan|themo))|s\.gracie_olakun|unny(?:\.sopheap207|_sopheap30))|n(?:adhowc|estordaniel2|orahuz1960)|o(?:fficial_franksylvester88|legkozyrev1|mranshaalan52)|p(?:a(?:ckerkelvin|yus123x)|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|i(?:chard\.w94|taadamsw10)|o(?:b(?:ertbailey2004|orts20)|se(?:mary\.3as|richard655)))|s(?:amthong4040|igurlauganna34|leo25|mith(?:\.dr|colin767)|opheap\.munny|pwalker101|sgt\.bethany|tevecox\.98)|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|u(?:butu16|kdebtmanagement5)|vanserge2001|will(?:clark0010|iamsimon(?:22|521))|xianglongdai60|zhaodonghk))\@yahoo\.com$/i
3798describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox
3799#score REPTO_419_FRAUD_YH 3.000
3800tflags REPTO_419_FRAUD_YH publish
3801##} REPTO_419_FRAUD_YH
3802
3803##{ REPTO_419_FRAUD_YH_LOOSE
3804
3805meta REPTO_419_FRAUD_YH_LOOSE __REPTO_419_FRAUD_YH_LOOSE && !REPTO_419_FRAUD_YH
3806describe REPTO_419_FRAUD_YH_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
3807#score REPTO_419_FRAUD_YH_LOOSE 1.000
3808tflags REPTO_419_FRAUD_YH_LOOSE publish
3809##} REPTO_419_FRAUD_YH_LOOSE
3810
3811##{ REPTO_419_FRAUD_YJ
3812
3813header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73|n(?:gelinarichardson01|ita(?:kirkweeks45|usarpac)))|b(?:a(?:lmaa1115|rrevansthomas213)|ealife4god|gsblcagent|nchmclaw)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc|ssicajlavoie|velynjoshua56)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|ktbradley|oneygram100|rs_chen_00001)|nikbnson1|o(?:fficialinfoemail|livia_mabor)|pamgells|r(?:acheljude000|eplykasikorn|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i
3814describe REPTO_419_FRAUD_YJ Reply-To is known advance fee fraud collector mailbox
3815#score REPTO_419_FRAUD_YJ 3.000
3816tflags REPTO_419_FRAUD_YJ publish
3817##} REPTO_419_FRAUD_YJ
3818
3819##{ REPTO_419_FRAUD_YN
3820
3821header REPTO_419_FRAUD_YN Reply-To:addr =~ /^(?=[^\s<>@]+\@yandex\.com)(?:(?:a(?:lsharibi|m(?:andarandle|g3333txx101)|na\.mariposa|wesome\.mariacarmen)|b(?:ayemahama|igghandgrant|radely\.j)|clemlau|diezanimadueke|f(?:3dex\.courier|ed\.r3v|reedommarketinvestments|uzhongjun\.director)|g(?:\.anniversary(?:101)?|add4fi\.aisha)|hhalesbbanddd?|irenaa\.georgiadou|j(?:efrey(?:\-dean|\.dean11)|o(?:hnnicholsonjr|seph\-scott2k5)|uliet\.lee2222)|kenhamberlet|l(?:es20sc|otointernational\.elgordo)|m(?:a(?:hama\.baye|rcarmenguty)|fdpm|ohamed\.bennani|r(?:\-(?:jos\.martins|robert\-patrick\.patrick)|\.kongkea|spercy))|nokiahouse1[03]|olivia\.mabor|p(?:aragonloansinc|hilipfen778|ri(?:ncedarren0244|vatemail24)|ullmanrb)|rich(?:ard\.wahl|lawands)|skyeloanand\.financelimited|t(?:\.baloyi|an\.sung|omss\.smith|resor\.mambo)|w(?:b\.foundation|ill(?:1amsmarg1|iamsimon1960))|za\.dc2016))\@yandex\.com$/i
3822describe REPTO_419_FRAUD_YN Reply-To is known advance fee fraud collector mailbox
3823#score REPTO_419_FRAUD_YN 3.000
3824tflags REPTO_419_FRAUD_YN publish
3825##} REPTO_419_FRAUD_YN
3826
3827##{ RISK_FREE
3828
3829meta RISK_FREE __FRAUD_IOV && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__SUBSCRIPTION_INFO && !__HS_SUBJ_RE_FW && !__LCL__ENV_AND_HDR_FROM_MATCH
3830describe RISK_FREE No risk!
3831##} RISK_FREE
3832
3833##{ SB_GIF_AND_NO_URIS
3834
3835meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL)
3836##} SB_GIF_AND_NO_URIS
3837
3838##{ SENDGRID_REDIR
3839
3840meta SENDGRID_REDIR __SENDGRID_REDIR_NOPHISH && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION && !__STY_INVIS_MANY && !__HTML_SINGLET_10 && !__HAVE_BOUNCE_RELAYS
3841describe SENDGRID_REDIR Redirect URI via Sendgrid
3842#score SENDGRID_REDIR 1.500 # limit
3843tflags SENDGRID_REDIR publish
3844##} SENDGRID_REDIR
3845
3846##{ SENDGRID_REDIR_PHISH
3847
3848meta SENDGRID_REDIR_PHISH __SENDGRID_REDIR_PHISH
3849describe SENDGRID_REDIR_PHISH Redirect URI via Sendgrid + phishing signs
3850#score SENDGRID_REDIR_PHISH 3.500 # limit
3851tflags SENDGRID_REDIR_PHISH publish
3852##} SENDGRID_REDIR_PHISH
3853
3854##{ SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3855
3856if (version >= 3.004002)
3857ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3858meta SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1)
3859tflags SEO_SUSP_NTLD publish
3860describe SEO_SUSP_NTLD SEO offer from suspicious TLD
3861#score SEO_SUSP_NTLD 1.2 # limit
3862endif
3863endif
3864##} SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3865
3866##{ SERGIO_SUBJECT_VIAGRA01
3867
3868header SERGIO_SUBJECT_VIAGRA01 Subject =~ /v[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9 ]{0,3}g[^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}a/i
3869describe SERGIO_SUBJECT_VIAGRA01 Viagra garbled subject
3870##} SERGIO_SUBJECT_VIAGRA01
3871
3872##{ SHOPIFY_IMG_NOT_RCVD_SFY
3873
3874meta SHOPIFY_IMG_NOT_RCVD_SFY __SHOPIFY_IMG_NOT_RCVD_SFY && !MIME_QP_LONG_LINE && !__RCD_RDNS_MTA_MESSY && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_ORGANIZATION && !__RCD_RDNS_OB && !__DOS_LINK
3875#score SHOPIFY_IMG_NOT_RCVD_SFY 2.500 # limit
3876describe SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not from Shopify
3877tflags SHOPIFY_IMG_NOT_RCVD_SFY publish
3878##} SHOPIFY_IMG_NOT_RCVD_SFY
3879
3880##{ SHORTENER_SHORT_IMG
3881
3882meta SHORTENER_SHORT_IMG __URL_SHORTENER && HTML_SHORT_LINK_IMG_1
3883describe SHORTENER_SHORT_IMG Short HTML + image + URL shortener
3884#score SHORTENER_SHORT_IMG 2.500 # limit
3885tflags SHORTENER_SHORT_IMG publish
3886##} SHORTENER_SHORT_IMG
3887
3888##{ SHORTENER_SHORT_SUBJ
3889
3890meta SHORTENER_SHORT_SUBJ __SHORTENER_SHORT_SUBJ && !__DOS_HAS_LIST_UNSUB && !__HAS_LIST_ID && !__HDR_RCVD_GOOGLE && !__XPRIO
3891describe SHORTENER_SHORT_SUBJ URL shortener (avoiding URIBL?) + short subject
3892#score SHORTENER_SHORT_SUBJ 3.000 # limit
3893##} SHORTENER_SHORT_SUBJ
3894
3895##{ SHORT_HELO_AND_INLINE_IMAGE
3896
3897meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)
3898describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
3899##} SHORT_HELO_AND_INLINE_IMAGE
3900
3901##{ SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3902
3903if (version >= 3.004002)
3904ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3905meta SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD
3906tflags SHORT_IMG_SUSP_NTLD publish
3907describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD
3908#score SHORT_IMG_SUSP_NTLD 1.5 # limit
3909endif
3910endif
3911##} SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3912
3913##{ SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3914
3915ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3916if (version >= 3.004000)
3917meta SHORT_SHORTNER __PDS_MSG_512 && (__PDS_URISHORTENER || __URL_SHORTENER) && !DRUGS_ERECTILE
3918describe SHORT_SHORTNER Short body with little more than a link to a shortener
3919#score SHORT_SHORTNER 2.0 # limit
3920endif
3921endif
3922##} SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3923
3924##{ SHORT_TERM_PRICE
3925
3926body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i
3927##} SHORT_TERM_PRICE
3928
3929##{ SINGLETS_LOW_CONTRAST
3930
3931meta SINGLETS_LOW_CONTRAST __HTML_SINGLET_MANY && __HTML_FONT_LOW_CONTRAST_MINFP
3932describe SINGLETS_LOW_CONTRAST Single-letter formatted HTML + hidden text
3933tflags SINGLETS_LOW_CONTRAST publish
3934##} SINGLETS_LOW_CONTRAST
3935
3936##{ SPAMMY_XMAILER
3937
3938meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4)
3939describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham
3940##} SPAMMY_XMAILER
3941
3942##{ SPOOFED_FREEMAIL
3943
3944meta SPOOFED_FREEMAIL __SPOOFED_FREEMAIL && !__HAS_IN_REPLY_TO && !__FS_SUBJ_RE && !__MSGID_GUID && !__freemail_safe && !__THREADED && !__HDRS_LCASE_KNOWN && !__HDR_RCVD_GOOGLE && !__HDR_RCVD_TONLINEDE
3945#score SPOOFED_FREEMAIL 2.000 # limit
3946tflags SPOOFED_FREEMAIL net
3947##} SPOOFED_FREEMAIL
3948
3949##{ SPOOFED_FREEMAIL_NO_RDNS
3950
3951meta SPOOFED_FREEMAIL_NO_RDNS __SPOOFED_FREEMAIL && __RDNS_NONE
3952describe SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
3953#score SPOOFED_FREEMAIL_NO_RDNS 1.5
3954##} SPOOFED_FREEMAIL_NO_RDNS
3955
3956##{ SPOOFED_FREEM_REPTO
3957
3958meta SPOOFED_FREEM_REPTO __SPOOFED_FREEM_REPTO && !__AC_TINY_FONT && !__HAS_IN_REPLY_TO && !__HAS_THREAD_INDEX
3959describe SPOOFED_FREEM_REPTO Forged freemail sender with freemail reply-to
3960#score SPOOFED_FREEM_REPTO 2.500
3961tflags SPOOFED_FREEM_REPTO net publish
3962##} SPOOFED_FREEM_REPTO
3963
3964##{ SPOOFED_FREEM_REPTO_CHN
3965
3966meta SPOOFED_FREEM_REPTO_CHN (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM
3967describe SPOOFED_FREEM_REPTO_CHN Forged freemail sender with Chinese freemail reply-to
3968#score SPOOFED_FREEM_REPTO_CHN 3.500
3969tflags SPOOFED_FREEM_REPTO_CHN net publish
3970##} SPOOFED_FREEM_REPTO_CHN
3971
3972##{ SPOOFED_FREEM_REPTO_RUS
3973
3974meta SPOOFED_FREEM_REPTO_RUS (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_RUS_FREEM
3975describe SPOOFED_FREEM_REPTO_RUS Forged freemail sender with Russian freemail reply-to
3976#score SPOOFED_FREEM_REPTO_RUS 3.500
3977tflags SPOOFED_FREEM_REPTO_RUS net publish
3978##} SPOOFED_FREEM_REPTO_RUS
3979
3980##{ SPOOF_GMAIL_MID
3981
3982meta SPOOF_GMAIL_MID SPOOFED_FREEMAIL && __PDS_FROM_GMAIL && !__PDS_GMAIL_MID
3983#score SPOOF_GMAIL_MID 1.5
3984describe SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...
3985##} SPOOF_GMAIL_MID
3986
3987##{ STATIC_XPRIO_OLE
3988
3989meta STATIC_XPRIO_OLE __STATIC_XPRIO_OLE
3990describe STATIC_XPRIO_OLE Static RDNS + X-Priority + MIMEOLE
3991#score STATIC_XPRIO_OLE 2.000 # limit
3992tflags STATIC_XPRIO_OLE publish
3993##} STATIC_XPRIO_OLE
3994
3995##{ STOCK_IMG_CTYPE
3996
3997meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY)
3998describe STOCK_IMG_CTYPE Stock spam image part, with distinctive Content-Type header
3999##} STOCK_IMG_CTYPE
4000
4001##{ STOCK_IMG_HDR_FROM
4002
4003meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)
4004describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line
4005##} STOCK_IMG_HDR_FROM
4006
4007##{ STOCK_IMG_HTML
4008
4009meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY)
4010describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML
4011##} STOCK_IMG_HTML
4012
4013##{ STOCK_IMG_OUTLOOK
4014
4015meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048)
4016describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features
4017##} STOCK_IMG_OUTLOOK
4018
4019##{ STOCK_LOW_CONTRAST
4020
4021meta STOCK_LOW_CONTRAST (__HTML_FONT_LOW_CONTRAST_MINFP && __FB_S_STOCK) && !__BUGGED_IMG
4022describe STOCK_LOW_CONTRAST Stocks + hidden text
4023#score STOCK_LOW_CONTRAST 2.500 # limit
4024tflags STOCK_LOW_CONTRAST publish
4025##} STOCK_LOW_CONTRAST
4026
4027##{ STOCK_PRICES
4028
4029meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE)
4030##} STOCK_PRICES
4031
4032##{ STOCK_TIP
4033
4034meta STOCK_TIP __STOCK_TIP && !__DKIM_EXISTS
4035describe STOCK_TIP Stock tips
4036#score STOCK_TIP 3.000 # limit
4037tflags STOCK_TIP publish
4038##} STOCK_TIP
4039
4040##{ STOX_AND_PRICE
4041
4042meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE
4043##} STOX_AND_PRICE
4044
4045##{ STOX_REPLY_TYPE
4046
4047header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/
4048##} STOX_REPLY_TYPE
4049
4050##{ STOX_REPLY_TYPE_WITHOUT_QUOTES
4051
4052meta STOX_REPLY_TYPE_WITHOUT_QUOTES (STOX_REPLY_TYPE && !(__HS_SUBJ_RE_FW || __HS_QUOTE))
4053##} STOX_REPLY_TYPE_WITHOUT_QUOTES
4054
4055##{ SUBJECT_NEEDS_ENCODING
4056
4057meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME
4058describe SUBJECT_NEEDS_ENCODING Subject is encoded but does not specify the encoding
4059##} SUBJECT_NEEDS_ENCODING
4060
4061##{ SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM
4062
4063ifplugin Mail::SpamAssassin::Plugin::DKIM
4064 meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER
4065 describe SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers
4066endif
4067##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM
4068
4069##{ SUBJ_UNNEEDED_HTML
4070
4071meta SUBJ_UNNEEDED_HTML __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML
4072describe SUBJ_UNNEEDED_HTML Unneeded HTML formatting in Subject:
4073##} SUBJ_UNNEEDED_HTML
4074
4075##{ SYSADMIN
4076
4077meta SYSADMIN __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS
4078describe SYSADMIN Supposedly from your IT department
4079#score SYSADMIN 3.500 # limit
4080tflags SYSADMIN publish
4081##} SYSADMIN
4082
4083##{ TBIRD_SUSP_MIME_BDRY
4084
4085meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
4086describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary
4087##} TBIRD_SUSP_MIME_BDRY
4088
4089##{ TEQF_USR_IMAGE
4090
4091meta TEQF_USR_IMAGE __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH
4092describe TEQF_USR_IMAGE To and from user nearly same + image
4093tflags TEQF_USR_IMAGE publish
4094##} TEQF_USR_IMAGE
4095
4096##{ TEQF_USR_MSGID_HEX
4097
4098meta TEQF_USR_MSGID_HEX __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2
4099describe TEQF_USR_MSGID_HEX To and from user nearly same + unusual message ID
4100tflags TEQF_USR_MSGID_HEX publish
4101##} TEQF_USR_MSGID_HEX
4102
4103##{ TEQF_USR_MSGID_MALF
4104
4105meta TEQF_USR_MSGID_MALF __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2
4106describe TEQF_USR_MSGID_MALF To and from user nearly same + malformed message ID
4107tflags TEQF_USR_MSGID_MALF publish
4108##} TEQF_USR_MSGID_MALF
4109
4110##{ THEBAT_UNREG
4111
4112header THEBAT_UNREG X-Mailer =~ /^The Bat! .{0,20} UNREG$/
4113##} THEBAT_UNREG
4114
4115##{ THIS_AD
4116
4117meta THIS_AD __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD
4118describe THIS_AD "This ad" and variants
4119tflags THIS_AD publish
4120##} THIS_AD
4121
4122##{ THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4123
4124if (version >= 3.004002)
4125ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4126meta THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __ADMITS_SPAM
4127tflags THIS_IS_ADV_SUSP_NTLD publish
4128describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD
4129#score THIS_IS_ADV_SUSP_NTLD 1.5 # limit
4130endif
4131endif
4132##} THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4133
4134##{ TONLINE_FAKE_DKIM
4135
4136meta TONLINE_FAKE_DKIM __HDR_RCVD_TONLINEDE && __DKIM_EXISTS
4137describe TONLINE_FAKE_DKIM t-online.de doesn't do DKIM
4138#score TONLINE_FAKE_DKIM 3.000 # limit
4139tflags TONLINE_FAKE_DKIM publish
4140##} TONLINE_FAKE_DKIM
4141
4142##{ TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4143
4144ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4145if (version >= 3.004000)
4146meta TONOM_EQ_TOLOC_SHRT_SHRTNER __PDS_URISHORTENER && __PDS_TONAME_EQ_TOLOCAL && __PDS_MSG_1024
4147describe TONOM_EQ_TOLOC_SHRT_SHRTNER Short email with shortener and To:name eq To:local
4148#score TONOM_EQ_TOLOC_SHRT_SHRTNER 1.5 # limit
4149endif
4150endif
4151##} TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4152
4153##{ TO_EQ_FM_DIRECT_MX
4154
4155meta TO_EQ_FM_DIRECT_MX __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED
4156describe TO_EQ_FM_DIRECT_MX To == From and direct-to-MX
4157#score TO_EQ_FM_DIRECT_MX 2.500 # limit
4158tflags TO_EQ_FM_DIRECT_MX publish
4159##} TO_EQ_FM_DIRECT_MX
4160
4161##{ TO_EQ_FM_DOM_HTML_IMG
4162
4163meta TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD
4164describe TO_EQ_FM_DOM_HTML_IMG To domain == From domain and HTML image link
4165##} TO_EQ_FM_DOM_HTML_IMG
4166
4167##{ TO_EQ_FM_DOM_HTML_ONLY
4168
4169meta TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FM_DOM_HTML_ONLY && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !HTML_MIME_NO_HTML_TAG && !__IS_EXCH && !__MSGID_BEFORE_RECEIVED && !__FM_TO_ALL_NUMS && !__FROM_LOWER && !__HAS_IN_REPLY_TO && !__BUGGED_IMG && !__FROM_ENCODED_QP && !__MSGID_OK_HEX
4170describe TO_EQ_FM_DOM_HTML_ONLY To domain == From domain and HTML only
4171##} TO_EQ_FM_DOM_HTML_ONLY
4172
4173##{ TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4174
4175ifplugin Mail::SpamAssassin::Plugin::SPF
4176 meta TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
4177 describe TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed
4178 tflags TO_EQ_FM_DOM_SPF_FAIL net
4179endif
4180##} TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4181
4182##{ TO_EQ_FM_HTML_ONLY
4183
4184meta TO_EQ_FM_HTML_ONLY __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTER
4185describe TO_EQ_FM_HTML_ONLY To == From and HTML only
4186##} TO_EQ_FM_HTML_ONLY
4187
4188##{ TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4189
4190ifplugin Mail::SpamAssassin::Plugin::SPF
4191 meta TO_EQ_FM_SPF_FAIL __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
4192 describe TO_EQ_FM_SPF_FAIL To == From and external SPF failed
4193 tflags TO_EQ_FM_SPF_FAIL net
4194endif
4195##} TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4196
4197##{ TO_IN_SUBJ
4198
4199meta TO_IN_SUBJ __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW
4200describe TO_IN_SUBJ To address is in Subject
4201tflags TO_IN_SUBJ publish
4202#score TO_IN_SUBJ 0.1
4203##} TO_IN_SUBJ
4204
4205##{ TO_NAME_SUBJ_NO_RDNS
4206
4207meta TO_NAME_SUBJ_NO_RDNS LOCALPART_IN_SUBJECT && __RDNS_NONE
4208describe TO_NAME_SUBJ_NO_RDNS Recipient username in subject + no rDNS
4209#score TO_NAME_SUBJ_NO_RDNS 3.000 # limit
4210tflags TO_NAME_SUBJ_NO_RDNS publish
4211##} TO_NAME_SUBJ_NO_RDNS
4212
4213##{ TO_NO_BRKTS_FROM_MSSP
4214
4215meta TO_NO_BRKTS_FROM_MSSP __TO_NO_BRKTS_FROM_RUNON && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__TO___LOWER && !__BUGGED_IMG && !__SUBJECT_ENCODED_QP && !__VIA_ML && !__FR_SPACING_8 && !__TAG_EXISTS_CENTER && !__RCVD_ZIXMAIL && !__RP_MATCHES_RCVD && !__HAS_SENDER
4216#score TO_NO_BRKTS_FROM_MSSP 2.50 # max
4217describe TO_NO_BRKTS_FROM_MSSP Multiple header formatting problems
4218##} TO_NO_BRKTS_FROM_MSSP
4219
4220##{ TO_NO_BRKTS_HTML_IMG
4221
4222meta TO_NO_BRKTS_HTML_IMG __TO_NO_BRKTS_HTML_IMG && !__FM_TO_ALL_NUMS && !__FROM_FULL_NAME && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__HAS_SENDER && !__THREADED && !__LONGLINE
4223describe TO_NO_BRKTS_HTML_IMG To: lacks brackets and HTML and one image
4224#score TO_NO_BRKTS_HTML_IMG 2.000 # limit
4225tflags TO_NO_BRKTS_HTML_IMG publish
4226##} TO_NO_BRKTS_HTML_IMG
4227
4228##{ TO_NO_BRKTS_HTML_ONLY
4229
4230meta TO_NO_BRKTS_HTML_ONLY __TO_NO_BRKTS_HTML_ONLY && !RDNS_NONE && !__MIME_QP && !__MSGID_JAVAMAIL && !__CTYPE_CHARSET_QUOTED && !__SUBJECT_ENCODED_B64 && !__VIA_ML && !__MSGID_BEFORE_RECEIVED && !__MIME_BASE64 && !__RCD_RDNS_MAIL_MESSY && !__COMMENT_EXISTS && !LOTS_OF_MONEY && !__TAG_EXISTS_CENTER && !__UPPERCASE_URI && !__UNSUB_LINK && !__RCD_RDNS_MX_MESSY && !__DKIM_EXISTS && !__BUGGED_IMG && !__FM_TO_ALL_NUMS && !__URI_12LTRDOM && !__RDNS_NO_SUBDOM && !__HDRS_LCASE && !__LCL__ENV_AND_HDR_FROM_MATCH
4231#score TO_NO_BRKTS_HTML_ONLY 2.00 # limit
4232describe TO_NO_BRKTS_HTML_ONLY To: lacks brackets and HTML only
4233tflags TO_NO_BRKTS_HTML_ONLY publish
4234##} TO_NO_BRKTS_HTML_ONLY
4235
4236##{ TO_NO_BRKTS_MSFT
4237
4238meta TO_NO_BRKTS_MSFT __TO_NO_BRKTS_MSFT && !__VIA_ML && !__LYRIS_EZLM_REMAILER && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__UNSUB_LINK && !__NOT_SPOOFED && !__DOS_HAS_LIST_UNSUB && !__NAME_EQ_EMAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__HAS_THREAD_INDEX && !__HAS_X_REF && !__HAS_IN_REPLY_TO && !__FROM_ENCODED_QP && !__RP_MATCHES_RCVD
4239describe TO_NO_BRKTS_MSFT To: lacks brackets and supposed Microsoft tool
4240#score TO_NO_BRKTS_MSFT 2.50 # limit
4241##} TO_NO_BRKTS_MSFT
4242
4243##{ TO_NO_BRKTS_NORDNS_HTML
4244
4245meta TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_NORDNS_HTML && !ALL_TRUSTED && !__MSGID_JAVAMAIL && !__MSGID_BEFORE_RECEIVED && !__VIA_ML && !__UA_MUTT && !__COMMENT_EXISTS && !__HTML_LENGTH_384 && !__MIME_BASE64 && !__UPPERCASE_URI && !__TO___LOWER && !__TAG_EXISTS_CENTER && !__LONGLINE && !__DKIM_EXISTS
4246#score TO_NO_BRKTS_NORDNS_HTML 2.00 # limit
4247describe TO_NO_BRKTS_NORDNS_HTML To: lacks brackets and no rDNS and HTML only
4248tflags TO_NO_BRKTS_NORDNS_HTML publish
4249##} TO_NO_BRKTS_NORDNS_HTML
4250
4251##{ TO_NO_BRKTS_PCNT
4252
4253meta TO_NO_BRKTS_PCNT __TO_NO_BRKTS_PCNT && !__SUBJECT_ENCODED_B64 && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__ISO_2022_JP_DELIM && !__IMS_MSGID && !__THREAD_INDEX_GOOD && !__RCD_RDNS_MX_MESSY && !__UNSUB_LINK && !__LONGLINE && !URI_HEX && !__RP_MATCHES_RCVD && !__MAIL_LINK && !__BUGGED_IMG && !__MIME_QP && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_X_MAILER && !__HTML_LINK_IMAGE && !__SENDER_BOT && !__DKIM_EXISTS && !__KHOP_NO_FULL_NAME && !__THREADED
4254describe TO_NO_BRKTS_PCNT To: lacks brackets + percentage
4255#score TO_NO_BRKTS_PCNT 2.50 # limit
4256tflags TO_NO_BRKTS_PCNT publish
4257##} TO_NO_BRKTS_PCNT
4258
4259##{ TO_TOO_MANY_WFH_01
4260
4261meta TO_TOO_MANY_WFH_01 __TO_TOO_MANY_WFH_01
4262describe TO_TOO_MANY_WFH_01 Work-from-Home + many recipients
4263tflags TO_TOO_MANY_WFH_01 publish
4264##} TO_TOO_MANY_WFH_01
4265
4266##{ TRANSFORM_LIFE
4267
4268meta TRANSFORM_LIFE __TRANSFORM_LIFE && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_X_MAILER && !__VIA_ML
4269describe TRANSFORM_LIFE Transform your life!
4270#score TRANSFORM_LIFE 2.500 # limit
4271##} TRANSFORM_LIFE
4272
4273##{ TT_MSGID_TRUNC
4274
4275header TT_MSGID_TRUNC Message-Id =~ /^\s*<?[^<>\s]+\[\d+$/
4276describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits
4277##} TT_MSGID_TRUNC
4278
4279##{ TT_OBSCURED_VALIUM
4280
4281meta TT_OBSCURED_VALIUM ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM
4282describe TT_OBSCURED_VALIUM Scora: obscured "VALIUM" in subject
4283##} TT_OBSCURED_VALIUM
4284
4285##{ TT_OBSCURED_VIAGRA
4286
4287meta TT_OBSCURED_VIAGRA ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA
4288describe TT_OBSCURED_VIAGRA Scora: obscured "VIAGRA" in subject
4289##} TT_OBSCURED_VIAGRA
4290
4291##{ TVD_ACT_193
4292
4293body TVD_ACT_193 /\bact of (?:193|nineteen thirty)/i
4294describe TVD_ACT_193 Message refers to an act passed in the 1930s
4295##} TVD_ACT_193
4296
4297##{ TVD_APPROVED
4298
4299body TVD_APPROVED /you.{1,2}re .{0,20}approved/i
4300describe TVD_APPROVED Body states that the recipient has been approved
4301##} TVD_APPROVED
4302
4303##{ TVD_DEAR_HOMEOWNER
4304
4305body TVD_DEAR_HOMEOWNER /^dear homeowner/i
4306describe TVD_DEAR_HOMEOWNER Spam with generic salutation of "dear homeowner"
4307##} TVD_DEAR_HOMEOWNER
4308
4309##{ TVD_EB_PHISH
4310
4311meta TVD_EB_PHISH __FROM_EBAY && NORMAL_HTTP_TO_IP
4312##} TVD_EB_PHISH
4313
4314##{ TVD_ENVFROM_APOST
4315
4316header TVD_ENVFROM_APOST EnvelopeFrom =~ /\'/
4317describe TVD_ENVFROM_APOST Envelope From contains single-quote
4318##} TVD_ENVFROM_APOST
4319
4320##{ TVD_FINGER_02
4321
4322header TVD_FINGER_02 Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i
4323##} TVD_FINGER_02
4324
4325##{ TVD_FLOAT_GENERAL
4326
4327rawbody TVD_FLOAT_GENERAL /\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i
4328describe TVD_FLOAT_GENERAL Message uses CSS float style
4329##} TVD_FLOAT_GENERAL
4330
4331##{ TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4332
4333ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4334body TVD_FUZZY_DEGREE /<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i
4335describe TVD_FUZZY_DEGREE Obfuscation of the word "degree"
4336endif
4337##} TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4338
4339##{ TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4340
4341ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4342body TVD_FUZZY_FINANCE /(?!finance)<F><I><N><A><N><C><E>/i
4343describe TVD_FUZZY_FINANCE Obfuscation of the word "finance"
4344endif
4345##} TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4346
4347##{ TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4348
4349ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4350body TVD_FUZZY_FIXED_RATE /<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i
4351describe TVD_FUZZY_FIXED_RATE Obfuscation of the phrase "fixed rate"
4352endif
4353##} TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4354
4355##{ TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4356
4357ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4358body TVD_FUZZY_MICROCAP /<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i
4359describe TVD_FUZZY_MICROCAP Obfuscation of the word "micro-cap"
4360endif
4361##} TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4362
4363##{ TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4364
4365ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4366body TVD_FUZZY_PHARMACEUTICAL /<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i
4367describe TVD_FUZZY_PHARMACEUTICAL Obfuscation of the word "pharmaceutical"
4368endif
4369##} TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4370
4371##{ TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4372
4373ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4374body TVD_FUZZY_SYMBOL /<inter W2><post P2>(?!symboo?l)<S><Y><M><B><O><L>/i
4375describe TVD_FUZZY_SYMBOL Obfuscation of the word "symbol"
4376endif
4377##} TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4378
4379##{ TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4380
4381ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4382mimeheader TVD_FW_GRAPHIC_NAME_LONG Content-Type =~ /\bname="[a-z]{8,}\.gif/
4383describe TVD_FW_GRAPHIC_NAME_LONG Long image attachment name
4384endif
4385##} TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4386
4387##{ TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4388
4389ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4390mimeheader TVD_FW_GRAPHIC_NAME_MID Content-Type =~ /\bname="[a-z]{6,7}\.gif/
4391describe TVD_FW_GRAPHIC_NAME_MID Medium sized image attachment name
4392endif
4393##} TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4394
4395##{ TVD_INCREASE_SIZE
4396
4397body TVD_INCREASE_SIZE /\bsize of .{1,20}(?:penis|dick|manhood)/i
4398describe TVD_INCREASE_SIZE Advertising for penis enlargement
4399##} TVD_INCREASE_SIZE
4400
4401##{ TVD_IP_HEX
4402
4403uri TVD_IP_HEX m@^https?://(?:\d+\.){0,3}0x[0-9a-f]{2}@i
4404##} TVD_IP_HEX
4405
4406##{ TVD_IP_SING_HEX
4407
4408uri TVD_IP_SING_HEX m@^https?://0x[0-9a-f]+(?:[:/]|$)@i
4409##} TVD_IP_SING_HEX
4410
4411##{ TVD_LINK_SAVE
4412
4413body TVD_LINK_SAVE /\blink to save\b/i
4414describe TVD_LINK_SAVE Spam with the text "link to save"
4415##} TVD_LINK_SAVE
4416
4417##{ TVD_PH_BODY_ACCOUNTS_PRE
4418
4419meta TVD_PH_BODY_ACCOUNTS_PRE __TVD_PH_BODY_ACCOUNTS_PRE
4420describe TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts suspended", "account credited", "account verification"
4421##} TVD_PH_BODY_ACCOUNTS_PRE
4422
4423##{ TVD_PH_REC
4424
4425body TVD_PH_REC /\byour .{0,40}account .{0,40}record/i
4426describe TVD_PH_REC Message includes a phrase commonly used in phishing mails
4427##} TVD_PH_REC
4428
4429##{ TVD_PH_SEC
4430
4431body TVD_PH_SEC /\byour .{0,40}account .{0,40}security/i
4432describe TVD_PH_SEC Message includes a phrase commonly used in phishing mails
4433##} TVD_PH_SEC
4434
4435##{ TVD_PP_PHISH
4436
4437meta TVD_PP_PHISH __FROM_PAYPAL && NORMAL_HTTP_TO_IP
4438##} TVD_PP_PHISH
4439
4440##{ TVD_QUAL_MEDS
4441
4442body TVD_QUAL_MEDS /\bquality med(?:ication)?s\b/i
4443describe TVD_QUAL_MEDS The body matches phrases such as "quality meds" or "quality medication"
4444##} TVD_QUAL_MEDS
4445
4446##{ TVD_RATWARE_CB
4447
4448header TVD_RATWARE_CB Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i
4449describe TVD_RATWARE_CB Content-Type header that is commonly indicative of ratware
4450##} TVD_RATWARE_CB
4451
4452##{ TVD_RATWARE_CB_2
4453
4454header TVD_RATWARE_CB_2 Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/
4455describe TVD_RATWARE_CB_2 Content-Type header that is commonly indicative of ratware
4456##} TVD_RATWARE_CB_2
4457
4458##{ TVD_RATWARE_MSGID_02
4459
4460header TVD_RATWARE_MSGID_02 Message-ID =~ /^[^<]*<[a-z]+\@/
4461describe TVD_RATWARE_MSGID_02 Ratware with a Message-ID header that is entirely lower-case
4462##} TVD_RATWARE_MSGID_02
4463
4464##{ TVD_RCVD_IP
4465
4466header TVD_RCVD_IP Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/
4467describe TVD_RCVD_IP Message was received from an IP address
4468##} TVD_RCVD_IP
4469
4470##{ TVD_RCVD_IP4
4471
4472header TVD_RCVD_IP4 Received =~ /^from\s+(?:\d+\.){3}\d+\s/
4473describe TVD_RCVD_IP4 Message was received from an IPv4 address
4474##} TVD_RCVD_IP4
4475
4476##{ TVD_RCVD_SPACE_BRACKET
4477
4478header TVD_RCVD_SPACE_BRACKET Received =~ /\(\[(?!unix)[^\[\]]*\s/i
4479##} TVD_RCVD_SPACE_BRACKET
4480
4481##{ TVD_SECTION
4482
4483body TVD_SECTION /\bSection (?:27A|21B)/i
4484describe TVD_SECTION References to specific legal codes
4485##} TVD_SECTION
4486
4487##{ TVD_SILLY_URI_OBFU
4488
4489body TVD_SILLY_URI_OBFU m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i
4490describe TVD_SILLY_URI_OBFU URI obfuscation that can fool a URIBL or a uri rule
4491##} TVD_SILLY_URI_OBFU
4492
4493##{ TVD_SPACED_SUBJECT_WORD3
4494
4495header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/
4496describe TVD_SPACED_SUBJECT_WORD3 Entire subject is "UPPERlowerUPPER" with no whitespace
4497##} TVD_SPACED_SUBJECT_WORD3
4498
4499##{ TVD_SPACE_ENCODED
4500
4501meta TVD_SPACE_ENCODED __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM
4502#score TVD_SPACE_ENCODED 2.500 # limit
4503describe TVD_SPACE_ENCODED Space ratio & encoded subject
4504##} TVD_SPACE_ENCODED
4505
4506##{ TVD_SPACE_RATIO_MINFP
4507
4508meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY && !__XM_APPLEMAIL
4509#score TVD_SPACE_RATIO_MINFP 2.500 # limit
4510describe TVD_SPACE_RATIO_MINFP Space ratio (vertical text obfuscation?)
4511##} TVD_SPACE_RATIO_MINFP
4512
4513##{ TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval
4514
4515ifplugin Mail::SpamAssassin::Plugin::BodyEval
4516body TVD_STOCK1 eval:check_stock_info('2')
4517describe TVD_STOCK1 Spam related to stock trading
4518endif
4519##} TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval
4520
4521##{ TVD_SUBJ_ACC_NUM
4522
4523header TVD_SUBJ_ACC_NUM Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/
4524describe TVD_SUBJ_ACC_NUM Subject has spammy looking monetary reference
4525##} TVD_SUBJ_ACC_NUM
4526
4527##{ TVD_SUBJ_FINGER_03
4528
4529header TVD_SUBJ_FINGER_03 Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/
4530describe TVD_SUBJ_FINGER_03 Entire subject is enclosed in asterisks "* like so *"
4531##} TVD_SUBJ_FINGER_03
4532
4533##{ TVD_SUBJ_NUM_OBFU_MINFP
4534
4535meta TVD_SUBJ_NUM_OBFU_MINFP __TVD_SUBJ_NUM_OBFU && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !__X_CRON_ENV && !__NOT_A_PERSON && !__HAS_THREAD_INDEX && !__THREADED && !__NUMBERS_IN_SUBJ && !__URI_MAILTO
4536##} TVD_SUBJ_NUM_OBFU_MINFP
4537
4538##{ TVD_SUBJ_OWE
4539
4540header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i
4541describe TVD_SUBJ_OWE Subject line states that the recipieint is in debt
4542##} TVD_SUBJ_OWE
4543
4544##{ TVD_SUBJ_WIPE_DEBT
4545
4546header TVD_SUBJ_WIPE_DEBT Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i
4547describe TVD_SUBJ_WIPE_DEBT Spam advertising a way to eliminate debt
4548##} TVD_SUBJ_WIPE_DEBT
4549
4550##{ TVD_VISIT_PHARMA
4551
4552body TVD_VISIT_PHARMA /Online Ph.rmacy/i
4553describe TVD_VISIT_PHARMA Body mentions online pharmacy
4554##} TVD_VISIT_PHARMA
4555
4556##{ TVD_VIS_HIDDEN
4557
4558rawbody TVD_VIS_HIDDEN /<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i
4559describe TVD_VIS_HIDDEN Invisible textarea HTML tags
4560##} TVD_VIS_HIDDEN
4561
4562##{ TW_GIBBERISH_MANY
4563
4564meta TW_GIBBERISH_MANY __TENWORD_GIBBERISH > 20
4565describe TW_GIBBERISH_MANY Lots of gibberish text to spoof pattern matching filters
4566#score TW_GIBBERISH_MANY 2.000 # limit
4567tflags TW_GIBBERISH_MANY publish
4568##} TW_GIBBERISH_MANY
4569
4570##{ T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4571
4572ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4573 meta T_ACH_CANCELLED_EXE __ACH_CANCELLED_EXE
4574 describe T_ACH_CANCELLED_EXE "ACH cancelled" probable malware
4575endif
4576##} T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4577
4578##{ T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4579
4580if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4581 meta T_ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON
4582 describe T_ANY_PILL_PRICE Prices for pills
4583endif
4584##} T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4585
4586##{ T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4587
4588ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4589 mimeheader T_CDISP_SZ_MANY Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/
4590 describe T_CDISP_SZ_MANY Suspicious MIME header
4591# score T_CDISP_SZ_MANY 2.0 # limit
4592endif
4593##} T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4594
4595##{ T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4596
4597ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4598header T_DATE_IN_FUTURE_96_Q eval:check_for_shifted_date('96', '2920')
4599describe T_DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: date
4600endif
4601##} T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4602
4603##{ T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4604
4605ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4606header T_DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef')
4607describe T_DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date
4608endif
4609##} T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4610
4611##{ T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4612
4613ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4614 meta T_DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH_MT || __DOC_ATTACH_MT)
4615 describe T_DOC_ATTACH_NO_EXT Document attachment with suspicious name
4616endif
4617##} T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4618
4619##{ T_DOS_OUTLOOK_TO_MX_IMAGE
4620
4621meta T_DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
4622describe T_DOS_OUTLOOK_TO_MX_IMAGE Direct to MX with Outlook headers and an image
4623##} T_DOS_OUTLOOK_TO_MX_IMAGE
4624
4625##{ T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4626
4627ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4628 mimeheader T_DOS_ZIP_HARDCORE Content-Type =~ /^application\/zip;\sname="hardcore\.zip"$/
4629 describe T_DOS_ZIP_HARDCORE hardcore.zip file attached; quite certainly a virus
4630# score T_DOS_ZIP_HARDCORE 2.5
4631endif
4632##} T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4633
4634##{ T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4635
4636ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4637if (version >= 3.004000)
4638meta T_DRUGS_ERECTILE_SHORT_SHORTNER __PDS_HTML_LENGTH_1024 && (__PDS_URISHORTENER || __URL_SHORTENER) && DRUGS_ERECTILE
4639describe T_DRUGS_ERECTILE_SHORT_SHORTNER Short erectile drugs advert with T_URL_SHORTENER
4640#score T_DRUGS_ERECTILE_SHORT_SHORTNER 1.5 # limit
4641endif
4642endif
4643##} T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4644
4645##{ T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4646
4647ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4648 meta T_FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__SPOOFED_URL && !__VIA_ML && !__HAS_IN_REPLY_TO && !__THREADED && !__HDR_RCVD_SHOPIFY && !__HAS_ERRORS_TO
4649 describe T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
4650endif
4651##} T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4652
4653##{ T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4654
4655ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4656 meta T_FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE
4657 describe T_FILL_THIS_FORM_LOAN Answer loan question(s)
4658# score T_FILL_THIS_FORM_LOAN 2.0
4659endif
4660##} T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4661
4662##{ T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4663
4664ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4665 meta T_FILL_THIS_FORM_SHORT __FILL_THIS_FORM_SHORT && !__VIA_ML && !__MSGID_JAVAMAIL
4666 describe T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
4667# score T_FILL_THIS_FORM_SHORT 1.00 # limit
4668endif
4669##} T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4670
4671##{ T_FORGED_RELAY_MUA_TO_MX
4672
4673header T_FORGED_RELAY_MUA_TO_MX X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10|127|169\.254|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.)| )[^\[]+$/
4674##} T_FORGED_RELAY_MUA_TO_MX
4675
4676##{ T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo
4677
4678ifplugin Mail::SpamAssassin::Plugin::ImageInfo
4679 meta T_FORGED_TBIRD_IMG_SIZE __FORGED_TBIRD_IMG && __ONE_IMG && __IMG_LE_300K
4680 describe T_FORGED_TBIRD_IMG_SIZE Likely forged Thunderbird image spam
4681endif
4682##} T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo
4683
4684##{ T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail
4685
4686ifplugin Mail::SpamAssassin::Plugin::FreeMail
4687 meta T_FREEMAIL_DOC_PDF __FREEMAIL_DOC_PDF
4688 describe T_FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail
4689endif
4690##} T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail
4691
4692##{ T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail
4693
4694ifplugin Mail::SpamAssassin::Plugin::FreeMail
4695 meta T_FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED
4696 describe T_FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden
4697endif
4698##} T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail
4699
4700##{ T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail
4701
4702ifplugin Mail::SpamAssassin::Plugin::FreeMail
4703 meta T_FREEMAIL_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF
4704 describe T_FREEMAIL_RVW_ATTCH Please review attached document, from freemail
4705endif
4706##} T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail
4707
4708##{ T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4709
4710ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4711meta T_FROMNAME_EQUALS_TO __PLUGIN_FROMNAME_EQUALS_TO
4712describe T_FROMNAME_EQUALS_TO From:name matches To:
4713#score T_FROMNAME_EQUALS_TO 1.0
4714tflags T_FROMNAME_EQUALS_TO publish
4715endif
4716##} T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4717
4718##{ T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4719
4720ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4721meta T_FROMNAME_SPOOFED_EMAIL (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD)
4722describe T_FROMNAME_SPOOFED_EMAIL From:name looks like a spoofed email
4723#score T_FROMNAME_SPOOFED_EMAIL 0.3
4724tflags T_FROMNAME_SPOOFED_EMAIL publish
4725endif
4726##} T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4727
4728##{ T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4729
4730if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4731 meta T_FROM_MULTI_SHORT_IMG __FROM_MULTI_SHORT_IMG && !__RCD_RDNS_MX_MESSY
4732 describe T_FROM_MULTI_SHORT_IMG Multiple From addresses + short message with image
4733endif
4734##} T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4735
4736##{ T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4737
4738ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4739 body T_FUZZY_OPTOUT /(?:$|\W)(?=<O>)(?!opt[-\s]?out)<O><P><T>[-\s]?<O><U><T>(?:$|\W)/i
4740 describe T_FUZZY_OPTOUT Obfuscated opt-out text
4741endif
4742##} T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4743
4744##{ T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4745
4746ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4747body T_FUZZY_SPRM /<inter W1><post P2><S><P><U><R><M>/i
4748endif
4749##} T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4750
4751##{ T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4752
4753ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4754 meta T_FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
4755 describe T_FUZZY_WELLSFARGO Obfuscated "Wells Fargo"
4756endif
4757##} T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4758
4759##{ T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4760
4761ifplugin Mail::SpamAssassin::Plugin::FreeMail
4762 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4763 meta T_GB_FREEM_FROM_NOT_REPLY ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO )
4764 describe T_GB_FREEM_FROM_NOT_REPLY From: and Reply-To: have different freemail domains
4765# score T_GB_FREEM_FROM_NOT_REPLY 1.500 # limit
4766 tflags T_GB_FREEM_FROM_NOT_REPLY publish
4767endif
4768endif
4769##} T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4770
4771##{ T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4772
4773ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4774 meta T_GB_FROMNAME_SPOOFED_EMAIL_IP ( T_FROMNAME_SPOOFED_EMAIL && !__NOT_SPOOFED )
4775 describe T_GB_FROMNAME_SPOOFED_EMAIL_IP From:name looks like a spoofed email from a spoofed ip
4776# score T_GB_FROMNAME_SPOOFED_EMAIL_IP 0.50 # limit
4777 tflags T_GB_FROMNAME_SPOOFED_EMAIL_IP publish
4778endif
4779##} T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4780
4781##{ T_GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL
4782
4783if (version >= 3.004003)
4784 ifplugin Mail::SpamAssassin::Plugin::HashBL
4785 body T_GB_HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})\b')
4786 tflags T_GB_HASHBL_BTC net
4787 describe T_GB_HASHBL_BTC Message contains BTC address found on BTCBL
4788# score T_GB_HASHBL_BTC 5.0 # limit
4789endif
4790endif
4791##} T_GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL
4792
4793##{ T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4794
4795ifplugin Mail::SpamAssassin::Plugin::FreeMail
4796if (version >= 3.004000)
4797 meta T_HK_NAME_FM_FROM __HK_NAME_FROM && FREEMAIL_FROM
4798# score T_HK_NAME_FM_FROM 1.5
4799endif
4800endif
4801##} T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4802
4803##{ T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4804
4805ifplugin Mail::SpamAssassin::Plugin::FreeMail
4806if (version >= 3.004000)
4807 meta T_HK_NAME_FROM __HK_NAME_FROM && !FREEMAIL_FROM
4808# score T_HK_NAME_FROM 1.0
4809endif
4810endif
4811##} T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4812
4813##{ T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4814
4815ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4816meta T_HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN
4817endif
4818##} T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4819
4820##{ T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4821
4822ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4823 meta T_HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02
4824 describe T_HTML_ATTACH HTML attachment to bypass scanning?
4825endif
4826##} T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4827
4828##{ T_HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4829
4830ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4831 meta T_HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY
4832 describe T_HTML_TAG_BALANCE_CENTER Malformatted HTML
4833endif
4834##} T_HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4835
4836##{ T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4837
4838ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4839 meta T_ISO_ATTACH __ISO_ATTACH || __ISO_ATTACH_MT
4840 describe T_ISO_ATTACH ISO attachment - possible malware delivery
4841# score T_ISO_ATTACH 3.000 # limit
4842endif
4843##} T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4844
4845##{ T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4846
4847ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4848meta T_KAM_HTML_FONT_INVALID __KAM_HTML_FONT_INVALID
4849describe T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML
4850#score T_KAM_HTML_FONT_INVALID 0.1
4851endif
4852##} T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4853
4854##{ T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4855
4856if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4857 meta T_LARGE_PCT_AFTER_MANY __LARGE_PERCENT_AFTER > 3
4858 describe T_LARGE_PCT_AFTER_MANY Many large percentages after...
4859endif
4860##} T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4861
4862##{ T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4863
4864ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4865body T_LFUZ_PWRMALE /<inter W1><post P2><P><O><W><E><R><M><A><L><E>/i
4866endif
4867##} T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4868
4869##{ T_LOTTO_AGENT_FM
4870
4871header T_LOTTO_AGENT_FM From =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize[\s_.]transfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i
4872describe T_LOTTO_AGENT_FM Claims Agent
4873##} T_LOTTO_AGENT_FM
4874
4875##{ T_LOTTO_AGENT_RPLY
4876
4877meta T_LOTTO_AGENT_RPLY __LOTTO_AGENT_RPLY && !__TO_YOUR_ORG
4878describe T_LOTTO_AGENT_RPLY Claims Agent
4879##} T_LOTTO_AGENT_RPLY
4880
4881##{ T_LOTTO_URI
4882
4883uri T_LOTTO_URI /(?:claim(?:s|ing)?(?:[-_]?processing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)?[-_]?rem+it+ance|award)[-_]?(?:department|dept|unit|group|committee|office|agent|manager|secretary)/i
4884describe T_LOTTO_URI Claims Department URL
4885##} T_LOTTO_URI
4886
4887##{ T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4888
4889if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4890 meta T_MANY_PILL_PRICE (__PILL_PRICE_01 + __PILL_PRICE_02) > 2
4891 describe T_MANY_PILL_PRICE Prices for many pills
4892endif
4893##} T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4894
4895##{ T_MIME_MALF if (version >= 3.004000)
4896
4897if (version >= 3.004000)
4898 meta T_MIME_MALF __MIME_MALF && !ALL_TRUSTED
4899 describe T_MIME_MALF Malformed MIME: headers in body
4900# score T_MIME_MALF 2.00 # limit
4901endif
4902##} T_MIME_MALF if (version >= 3.004000)
4903
4904##{ T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4905
4906ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4907 meta T_MONEY_PERCENT LOTS_OF_MONEY && (__PCT_FOR_YOU || __PCT_OF_PMTS || __FIFTY_FIFTY)
4908 describe T_MONEY_PERCENT X% of a lot of money for you
4909endif
4910##} T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4911
4912##{ T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4913
4914ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4915 meta T_OBFU_ATTACH_MISSP __FROM_RUNON && (T_OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || T_OBFU_DOC_ATTACH || T_OBFU_PDF_ATTACH || T_OBFU_JPG_ATTACH || T_OBFU_GIF_ATTACH)
4916 describe T_OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From
4917endif
4918##} T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4919
4920##{ T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4921
4922ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4923 mimeheader T_OBFU_DOC_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i
4924 describe T_OBFU_DOC_ATTACH MS Document attachment with generic MIME type
4925endif
4926##} T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4927
4928##{ T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4929
4930ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4931 mimeheader T_OBFU_GIF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i
4932 describe T_OBFU_GIF_ATTACH GIF attachment with generic MIME type
4933endif
4934##} T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4935
4936##{ T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4937
4938ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4939 mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.html?\b,i
4940 describe T_OBFU_HTML_ATTACH HTML attachment with non-text MIME type
4941endif
4942##} T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4943
4944##{ T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4945
4946ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4947 meta T_OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02
4948 describe T_OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware
4949endif
4950##} T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4951
4952##{ T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4953
4954ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4955 mimeheader T_OBFU_JPG_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i
4956 describe T_OBFU_JPG_ATTACH JPG attachment with generic MIME type
4957endif
4958##} T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4959
4960##{ T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4961
4962ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4963 mimeheader T_OBFU_PDF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i
4964 describe T_OBFU_PDF_ATTACH PDF attachment with generic MIME type
4965endif
4966##} T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4967
4968##{ T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4969
4970ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4971 meta T_PDS_BTC_AHACKER ( __PDS_BTC_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON )
4972 describe T_PDS_BTC_AHACKER Bitcoin Hacker
4973# score T_PDS_BTC_AHACKER 3.0 # limit
4974endif
4975##} T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4976
4977##{ T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4978
4979ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4980 meta T_PDS_BTC_HACKER ( __PDS_BTC_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM )
4981 describe T_PDS_BTC_HACKER Bitcoin Hacker
4982# score T_PDS_BTC_HACKER 2.0 # limit
4983endif
4984##} T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4985
4986##{ T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4987
4988if (version >= 3.004002)
4989ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4990meta T_PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD )
4991describe T_PDS_BTC_NTLD Bitcoin suspect NTLD
4992#score T_PDS_BTC_NTLD 2.0 # limit
4993endif
4994endif
4995##} T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4996
4997##{ T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4998
4999ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5000if (version >= 3.004000)
5001meta T_PDS_FREEMAIL_REPLYTO_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
5002describe T_PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener
5003#score T_PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit
5004endif
5005endif
5006##} T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5007
5008##{ T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5009
5010ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5011 meta T_PDS_LTC_AHACKER ( __PDS_LITECOIN_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON )
5012 describe T_PDS_LTC_AHACKER Litecoin Hacker
5013# score T_PDS_LTC_AHACKER 3.0 # limit
5014endif
5015##} T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5016
5017##{ T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5018
5019ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5020 meta T_PDS_LTC_HACKER ( __PDS_LITECOIN_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM )
5021 describe T_PDS_LTC_HACKER Litecoin Hacker
5022# score T_PDS_LTC_HACKER 2.0 # limit
5023endif
5024##} T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5025
5026##{ T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5027
5028if (version >= 3.004002)
5029ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5030header T_PDS_PRO_TLD eval:check_uri_host_listed('SUSP_URI_NTLD_PRO')
5031#score T_PDS_PRO_TLD 1.0
5032describe T_PDS_PRO_TLD .pro TLD
5033endif
5034endif
5035##} T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5036
5037##{ T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5038
5039ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5040if (version >= 3.004000)
5041meta T_PDS_SHORTFWD_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && (__THREADED || __HAS_IN_REPLY_TO || __HAS_THREAD_INDEX || __URI_MAILTO || __REPTO_QUOTE) && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
5042describe T_PDS_SHORTFWD_URISHRT Threaded email with URI shortener
5043#score T_PDS_SHORTFWD_URISHRT 1.5 # limit
5044endif
5045endif
5046##} T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5047
5048##{ T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5049
5050ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5051if (version >= 3.004000)
5052meta T_PDS_SHORTFWD_URISHRT_FP (__PDS_URISHORTENER || __URL_SHORTENER) && __HS_SUBJ_RE_FW && __PDS_MSG_512
5053describe T_PDS_SHORTFWD_URISHRT_FP Apparently a short fwd/re with URI shortener
5054#score T_PDS_SHORTFWD_URISHRT_FP 1.5 # limit
5055endif
5056endif
5057##} T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5058
5059##{ T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
5060
5061ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
5062 meta T_REMOTE_IMAGE __REMOTE_IMAGE
5063 describe T_REMOTE_IMAGE Message contains an external image
5064endif
5065##} T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
5066
5067##{ T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5068
5069if (version >= 3.004002)
5070ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5071meta T_SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR
5072describe T_SENT_TO_EMAIL_ADDR Email was sent to email address
5073#score T_SENT_TO_EMAIL_ADDR 2.0 # limit
5074endif
5075endif
5076##} T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5077
5078##{ T_SHARE_50_50
5079
5080meta T_SHARE_50_50 (__SHARE_IT || __AGREED_RATIO) && __FIFTY_FIFTY
5081describe T_SHARE_50_50 Share the money 50/50
5082##} T_SHARE_50_50
5083
5084##{ T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5085
5086if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5087 meta T_STY_INVIS_DIRECT __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK
5088 describe T_STY_INVIS_DIRECT HTML hidden text + direct-to-MX
5089# score T_STY_INVIS_DIRECT 2.500 # limit
5090endif
5091##} T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5092
5093##{ T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5094
5095if (version >= 3.004002)
5096ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5097meta T_SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD
5098describe T_SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money
5099#score T_SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit
5100endif
5101endif
5102##} T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5103
5104##{ T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5105
5106ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5107if (version >= 3.004000)
5108meta T_TONOM_EQ_TOLOC_SHRT_PSHRTNER __PDS_SHORT_URL && __PDS_TONAME_EQ_TOLOCAL && __SUBJ_SHORT
5109describe T_TONOM_EQ_TOLOC_SHRT_PSHRTNER Short subject with potential shortener and To:name eq To:local
5110#score T_TONOM_EQ_TOLOC_SHRT_PSHRTNER 1.5 # limit
5111endif
5112endif
5113##} T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5114
5115##{ T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5116
5117ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5118body T_TVD_FUZZY_SECTOR /(?!sector)<S><E><C><T><O><R>/i
5119endif
5120##} T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5121
5122##{ T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5123
5124ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5125body T_TVD_FUZZY_SECURITIES /<inter W2><post P2>(?!securities)(?!security,? es)<S><E><C><U><R><I><T><I><E><S>/i
5126endif
5127##} T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5128
5129##{ T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5130
5131ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5132mimeheader T_TVD_FW_GRAPHIC_ID2 Content-Id =~ /<(?:[0-9A-F]{8}\.){3}[0-9A-F]{8}/
5133endif
5134##} T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5135
5136##{ T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5137
5138ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5139body T_TVD_MIME_EPI eval:check_msg_parse_flags('mime_epilogue_exists')
5140endif
5141##} T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5142
5143##{ T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5144
5145ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5146body T_TVD_MIME_NO_HEADERS eval:check_msg_parse_flags('missing_mime_headers')
5147endif
5148##} T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5149
5150##{ T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5151
5152ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5153 meta T_WON_MONEY_ATTACH __YOU_WON && LOTS_OF_MONEY && (__PDF_ATTACH || __DOC_ATTACH)
5154 describe T_WON_MONEY_ATTACH You won lots of money! See attachment.
5155endif
5156##} T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5157
5158##{ T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5159
5160ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5161 meta T_WON_NBDY_ATTACH __YOU_WON && __EMPTY_BODY && (__PDF_ATTACH || __DOC_ATTACH || __GIF_ATTACH || __JPEG_ATTACH)
5162 describe T_WON_NBDY_ATTACH You won lots of money! See attachment.
5163endif
5164##} T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5165
5166##{ T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5167
5168if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5169 meta T_ZW_OBFU_BITCOIN __UNICODE_OBFU_ZW && __BITCOIN_ID
5170 describe T_ZW_OBFU_BITCOIN Obfuscated text + bitcoin ID - possible extortion
5171# score T_ZW_OBFU_BITCOIN 2.500 # limit
5172endif
5173##} T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5174
5175##{ T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5176
5177if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5178 meta T_ZW_OBFU_FREEM __UNICODE_OBFU_ZW && __freemail_hdr_replyto
5179 describe T_ZW_OBFU_FREEM Obfuscated text + freemail
5180# score T_ZW_OBFU_FREEM 2.000 # limit
5181endif
5182##} T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5183
5184##{ T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5185
5186if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5187 meta T_ZW_OBFU_FROMTOSUBJ __UNICODE_OBFU_ZW && FROM_IN_TO_AND_SUBJ
5188 describe T_ZW_OBFU_FROMTOSUBJ Obfuscated text + from in to and subject
5189# score T_ZW_OBFU_FROMTOSUBJ 2.000 # limit
5190endif
5191##} T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5192
5193##{ UC_GIBBERISH_OBFU
5194
5195meta UC_GIBBERISH_OBFU (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED
5196describe UC_GIBBERISH_OBFU Multiple instances of "word VERYLONGGIBBERISH word"
5197#score UC_GIBBERISH_OBFU 3.000 # Limit
5198tflags UC_GIBBERISH_OBFU publish
5199##} UC_GIBBERISH_OBFU
5200
5201##{ UNDISC_FREEM
5202
5203meta UNDISC_FREEM __UNDISC_FREEM
5204describe UNDISC_FREEM Undisclosed recipients + freemail reply-to
5205tflags UNDISC_FREEM publish
5206##} UNDISC_FREEM
5207
5208##{ UNDISC_MONEY
5209
5210meta UNDISC_MONEY __UNDISC_MONEY && !__VIA_ML && !__MSGID_HEXISH
5211describe UNDISC_MONEY Undisclosed recipients + money/fraud signs
5212tflags UNDISC_MONEY publish
5213##} UNDISC_MONEY
5214
5215##{ UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5216
5217if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5218 meta UNICODE_OBFU_ASC __UNICODE_OBFU_ASC && !__SPAN_BEG_TEXT && !HTML_IMAGE_ONLY_32
5219 describe UNICODE_OBFU_ASC Obfuscating text with unicode
5220# score UNICODE_OBFU_ASC 2.500 # limit
5221 tflags UNICODE_OBFU_ASC publish
5222endif
5223##} UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5224
5225##{ UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5226
5227if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5228 meta UNICODE_OBFU_ZW __UNICODE_OBFU_ZW_2 && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL_MESSY && !__DOS_HAS_LIST_ID && !__USING_VERP1 && !__DOS_HAS_LIST_UNSUB && !__RCD_RDNS_SMTP && !__DKIM_EXISTS
5229 describe UNICODE_OBFU_ZW Obfuscating text with hidden characters
5230# score UNICODE_OBFU_ZW 3.500 # limit
5231 tflags UNICODE_OBFU_ZW publish
5232endif
5233##} UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5234
5235##{ UPGRADE_MAILBOX
5236
5237meta UPGRADE_MAILBOX __UPGR_MAILBOX && __HTML_FONT_LOW_CONTRAST_MINFP
5238describe UPGRADE_MAILBOX Upgrade your mailbox! (phishing?)
5239##} UPGRADE_MAILBOX
5240
5241##{ URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
5242
5243ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
5244urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 2
5245body URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB')
5246describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
5247tflags URIBL_RHS_DOB net
5248endif
5249##} URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
5250
5251##{ URI_ADOBESPARK
5252
5253meta URI_ADOBESPARK __URI_ADOBESPARK
5254#score URI_ADOBESPARK 3.500 # limit
5255tflags URI_ADOBESPARK publish
5256##} URI_ADOBESPARK
5257
5258##{ URI_AZURE_CLOUDAPP
5259
5260meta URI_AZURE_CLOUDAPP __URI_AZURE_CLOUDAPP && __NAKED_TO && !__HDR_RCVD_GOOGLE
5261describe URI_AZURE_CLOUDAPP Link to hosted azure web application, possible phishing
5262#score URI_AZURE_CLOUDAPP 3.000 # limit
5263tflags URI_AZURE_CLOUDAPP publish
5264##} URI_AZURE_CLOUDAPP
5265
5266##{ URI_DASHGOVEDU
5267
5268meta URI_DASHGOVEDU __URI_DASHGOVEDU
5269describe URI_DASHGOVEDU Suspicious domain name
5270#score URI_DASHGOVEDU 3.500 # limit
5271tflags URI_DASHGOVEDU publish
5272##} URI_DASHGOVEDU
5273
5274##{ URI_DATA
5275
5276meta URI_DATA __URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH && !__DOS_HAS_LIST_UNSUB
5277describe URI_DATA "data:" URI - possible malware or phish
5278#score URI_DATA 3.250 # limit
5279tflags URI_DATA publish
5280##} URI_DATA
5281
5282##{ URI_DOTDOT_LOW_CNTRST
5283
5284meta URI_DOTDOT_LOW_CNTRST HTML_FONT_LOW_CONTRAST && __URI_DOM_DOTDOT
5285describe URI_DOTDOT_LOW_CNTRST Suspicious URI + hidden text
5286#score URI_DOTDOT_LOW_CNTRST 2.500 # limit
5287##} URI_DOTDOT_LOW_CNTRST
5288
5289##{ URI_DOTEDU
5290
5291meta URI_DOTEDU __URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINK
5292describe URI_DOTEDU Has .edu URI
5293#score URI_DOTEDU 2.000 # limit
5294tflags URI_DOTEDU publish
5295##} URI_DOTEDU
5296
5297##{ URI_DOTEDU_ENTITY
5298
5299meta URI_DOTEDU_ENTITY __URI_DOTEDU_ENTITY && !__SUBSCRIPTION_INFO
5300describe URI_DOTEDU_ENTITY Via .edu MTA + suspicious HTML content
5301#score URI_DOTEDU_ENTITY 3.000 # limit
5302tflags URI_DOTEDU_ENTITY publish
5303##} URI_DOTEDU_ENTITY
5304
5305##{ URI_DOTTY_HEX
5306
5307meta URI_DOTTY_HEX __URI_DOTTY_HEX
5308describe URI_DOTTY_HEX Suspicious URI format
5309tflags URI_DOTTY_HEX publish
5310##} URI_DOTTY_HEX
5311
5312##{ URI_DQ_UNSUB
5313
5314meta URI_DQ_UNSUB __URI_DQ_UNSUB
5315describe URI_DQ_UNSUB IP-address unsubscribe URI
5316tflags URI_DQ_UNSUB publish
5317##} URI_DQ_UNSUB
5318
5319##{ URI_FIREBASEAPP
5320
5321meta URI_FIREBASEAPP __URI_FIREBASEAPP || __URI_WEBAPP
5322describe URI_FIREBASEAPP Link to hosted firebase web application, possible phishing
5323#score URI_FIREBASEAPP 3.000 # limit
5324tflags URI_FIREBASEAPP publish
5325##} URI_FIREBASEAPP
5326
5327##{ URI_GOOGLE_PROXY
5328
5329meta URI_GOOGLE_PROXY __URI_GOOGLE_PROXY && !__FSL_RELAY_GOOGLE && !__TO___LOWER && !__MSGID_OK_HEX && !__HAS_CAMPAIGNID
5330describe URI_GOOGLE_PROXY Accessing a blacklisted URI or obscuring source of phish via Google proxy?
5331tflags URI_GOOGLE_PROXY publish
5332##} URI_GOOGLE_PROXY
5333
5334##{ URI_GOOG_STO_SPAMMY
5335
5336uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:1tactc1200|5a70f8147b2241c|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|a(?:d(?:t100visa|vanced1500)|lliedtrust7?|n(?:c77emen777|nutsegtsety|tidcfsdfzef)|pp(?:empresa|itausa)|tividade|udio0254)|b(?:337276797de5b3|7772dcb|ath(?:and777|dfgdfgdfh|rooomlki)|cvncv7845|d(?:fbgverhg|sgbsehtth|thdethydeth)|e(?:dvgervg|t(?:terbutter008|umpoiytre))|looodsugarerte|obby\-dependencies|r(?:ieanfrg|tghrh)|utterknife)|c(?:art\-checkout|bd(?:11gummies|gummty|kfgdfg)|dfeesde|jowa|o(?:mpr(?:essionsocks|ovanteanexo)|n(?:7cealed|defesf)|verageinsu)|reative14141)|d(?:e(?:nta77fend|rma(?:7correc7t|correctskin|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|recting77)|rtrebtgh747|zdzefef)|e(?:7co7verage|liminatorlower|ntrega|rectiledysfunction|xpertwindows|yesightmax)|f(?:d(?:128218622bd3f|fdfdzezr78|zdzelom)|habgfdgbfrtg|i(?:7542512|del(?:ityinsulife|ty(?:gbdtrbr|tyhjudtyu))|ghttinnitusnow|ltyredfezz|refig(?:22hting|hting)|xguca777)|la(?:shlight7fr7ee|tbelly)|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|ungusfghgh)|g(?:7oldco|fhfjgfhfg|hetiop|luster|oldii00215|r(?:fgrgrg|owplus11)|u(?:ardiao|mmzdfefzf|tterprotection7))|h(?:dfghbrh|e(?:art14141|rplyy0012)|ome(?:9865|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:7urance7net|t(?:a(?:0541|f(?:atioplo|gregrerg)|hard00021|nttranslator)|h(?:ard879477|eater001))|urancenet)|vest777in)|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:7rim|ghghgh|jkkfghk|oo7896|toto2323))|nef6565)|l(?:a(?:bcream|wncare3)|eaf7filt7er|i(?:berty77arran|fefiltrevdf)|ocaweb|umiagudiidd)|m(?:a(?:galu|le77en|ttress0707)|e(?:dica(?:lsupplies|r(?:0085|123n|df747))|llitox00545|t(?:abolismlos|f(?:85|dfvde)))|on(?:5g154g|t(?:ezuma001|zdzsds)))|n(?:badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld)|omeg(?:7aburn|a7burn)|p(?:ersonalized21|o(?:rtableheater7|vsedfzef)|r(?:intsvalentine|otectsecurity)|soidngf8147|ureplant7)|r(?:apidecision77|e(?:adclub11|n(?:ewlaemailved|walllll0065))|iverb1986srt4|oundupccancer)|s(?:a(?:mples7nuge7|vage72)|dfgwsd74fg|eniorserk77s|ignlaotrrmp|teelprobite77|ughdetged|zdzdzdzd)|t(?:acflashlight72|heunbreakable|r(?:abalhos|ugreen30)|unnifgdege)|u(?:berxlm|ltrahgt|sbmosquito)|v(?:e(?:7hicle7cov|hi7clesh7)|frgrerg|i(?:salander|vint0401)|szdefzsfzef)|w(?:4enmedicra8|alk(?:0015|ghghgh)|defgzegfze|e(?:bwhatsfotos|edkiller|llgrove90)|ifibooster)|xcbxcbopiaze|yusdgtduf777|zantacdedzef))/;i
5337describe URI_GOOG_STO_SPAMMY Link to spammy content hosted by google storage
5338#score URI_GOOG_STO_SPAMMY 3.000
5339tflags URI_GOOG_STO_SPAMMY publish
5340##} URI_GOOG_STO_SPAMMY
5341
5342##{ URI_HEX_IP
5343
5344meta URI_HEX_IP __URI_HEX_IP
5345#score URI_HEX_IP 2.500 # limit
5346describe URI_HEX_IP URI with hex-encoded IP-address host
5347tflags URI_HEX_IP publish
5348##} URI_HEX_IP
5349
5350##{ URI_IMG_WP_REDIR
5351
5352meta URI_IMG_WP_REDIR __URI_IMG_WP_REDIR
5353#score URI_IMG_WP_REDIR 3.000 # limit
5354describe URI_IMG_WP_REDIR Image via WordPress "accelerator" proxy
5355tflags URI_IMG_WP_REDIR publish
5356##} URI_IMG_WP_REDIR
5357
5358##{ URI_LONG_REPEAT
5359
5360meta URI_LONG_REPEAT __URI_LONG_REPEAT
5361describe URI_LONG_REPEAT Very long identical host+domain
5362#score URI_LONG_REPEAT 2.500 # limit
5363tflags URI_LONG_REPEAT publish
5364##} URI_LONG_REPEAT
5365
5366##{ URI_MALWARE_SCMS
5367
5368uri URI_MALWARE_SCMS /\.SettingContent-ms\b/i
5369describe URI_MALWARE_SCMS Link to malware exploit download (.SettingContent-ms file)
5370tflags URI_MALWARE_SCMS publish
5371##} URI_MALWARE_SCMS
5372
5373##{ URI_ONLY_MSGID_MALF
5374
5375 meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO && !RCVD_IN_DNSWL_LOW
5376 tflags URI_ONLY_MSGID_MALF net
5377 meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO
5378describe URI_ONLY_MSGID_MALF URI only + malformed message ID
5379#score URI_ONLY_MSGID_MALF 2.000 # limit
5380tflags URI_ONLY_MSGID_MALF publish
5381##} URI_ONLY_MSGID_MALF
5382
5383##{ URI_OPTOUT_3LD
5384
5385uri URI_OPTOUT_3LD m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i
5386describe URI_OPTOUT_3LD Opt-out URI, suspicious hostname
5387#score URI_OPTOUT_3LD 2.000 # limit
5388tflags URI_OPTOUT_3LD publish
5389##} URI_OPTOUT_3LD
5390
5391##{ URI_OPTOUT_USME
5392
5393uri URI_OPTOUT_USME m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i
5394describe URI_OPTOUT_USME Opt-out URI, unusual TLD
5395tflags URI_OPTOUT_USME publish
5396##} URI_OPTOUT_USME
5397
5398##{ URI_PHISH
5399
5400describe URI_PHISH Phishing using web form
5401#score URI_PHISH 4.00 # limit
5402tflags URI_PHISH publish
5403##} URI_PHISH
5404
5405##{ URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
5406
5407if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
5408 meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT
5409endif
5410##} URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
5411
5412##{ URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5413
5414ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5415 meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT
5416endif
5417##} URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5418
5419##{ URI_PHP_REDIR
5420
5421meta URI_PHP_REDIR __URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTA
5422#score URI_PHP_REDIR 3.500 # limit
5423describe URI_PHP_REDIR PHP redirect to different URL (link obfuscation)
5424tflags URI_PHP_REDIR publish
5425##} URI_PHP_REDIR
5426
5427##{ URI_TRY_3LD
5428
5429uri URI_TRY_3LD m,^https?://(?:try|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn|request|visit(?!or)|my(?!sub|turbotax)\w)[^.]*\.[^/]+\.(?:com|net)\b,i
5430describe URI_TRY_3LD "Try it" URI, suspicious hostname
5431#score URI_TRY_3LD 2.000 # limit
5432tflags URI_TRY_3LD publish
5433##} URI_TRY_3LD
5434
5435##{ URI_TRY_USME
5436
5437meta URI_TRY_USME __URI_TRY_USME && !__DKIM_EXISTS
5438describe URI_TRY_USME "Try it" URI, unusual TLD
5439tflags URI_TRY_USME publish
5440##} URI_TRY_USME
5441
5442##{ URI_WPADMIN
5443
5444meta URI_WPADMIN __URI_WPADMIN
5445describe URI_WPADMIN WordPress login/admin URI, possible phishing
5446tflags URI_WPADMIN publish
5447##} URI_WPADMIN
5448
5449##{ URI_WP_DIRINDEX
5450
5451meta URI_WP_DIRINDEX __URI_WPDIRINDEX
5452describe URI_WP_DIRINDEX URI for compromised WordPress site, possible malware
5453#score URI_WP_DIRINDEX 3.500 # limit
5454tflags URI_WP_DIRINDEX publish
5455##} URI_WP_DIRINDEX
5456
5457##{ URI_WP_HACKED
5458
5459meta URI_WP_HACKED (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED
5460describe URI_WP_HACKED URI for compromised WordPress site, possible malware
5461#score URI_WP_HACKED 3.500 # limit
5462tflags URI_WP_HACKED publish
5463##} URI_WP_HACKED
5464
5465##{ URI_WP_HACKED_2
5466
5467meta URI_WP_HACKED_2 (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__HAS_LIST_ID && !__THREADED && !__USING_VERP1
5468describe URI_WP_HACKED_2 URI for compromised WordPress site, possible malware
5469#score URI_WP_HACKED_2 2.500 # limit
5470tflags URI_WP_HACKED_2 publish
5471##} URI_WP_HACKED_2
5472
5473##{ USB_DRIVES
5474
5475meta USB_DRIVES __SUBJ_USB_DRIVES
5476describe USB_DRIVES Trying to sell custom USB flash drives
5477#score USB_DRIVES 2.000 # limit
5478tflags USB_DRIVES publish
5479##} USB_DRIVES
5480
5481##{ VFY_ACCT_NORDNS
5482
5483meta VFY_ACCT_NORDNS __VFY_ACCT_NORDNS && !__STY_INVIS_MANY
5484describe VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA - probable phishing
5485#score VFY_ACCT_NORDNS 3.000 # limit
5486tflags VFY_ACCT_NORDNS publish
5487##} VFY_ACCT_NORDNS
5488
5489##{ VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5490
5491if (version >= 3.004002)
5492ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5493meta VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD
5494tflags VPS_NO_NTLD publish
5495describe VPS_NO_NTLD vps[0-9] domain at a suspiscious TLD
5496#score VPS_NO_NTLD 1.0 # limit
5497endif
5498endif
5499##} VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5500
5501##{ WALMART_IMG_NOT_RCVD_WAL
5502
5503meta WALMART_IMG_NOT_RCVD_WAL __WALMART_IMG_NOT_RCVD_WAL && !__DKIM_EXISTS
5504#score WALMART_IMG_NOT_RCVD_WAL 2.500 # limit
5505describe WALMART_IMG_NOT_RCVD_WAL Walmart hosted image but message not from Walmart
5506tflags WALMART_IMG_NOT_RCVD_WAL publish
5507##} WALMART_IMG_NOT_RCVD_WAL
5508
5509##{ WANT_TO_ORDER
5510
5511body WANT_TO_ORDER /you (?:(?:would )?like|want)( to)? order (?:this|it|now|today)\b/i
5512#score WANT_TO_ORDER 1.500 # limit
5513##} WANT_TO_ORDER
5514
5515##{ WIKI_IMG
5516
5517uri WIKI_IMG m,^https?://[^/]+wiki[mp]edia\.org/.+\.(?:png|gif|jpe?g),i
5518describe WIKI_IMG Image from wikipedia
5519##} WIKI_IMG
5520
5521##{ WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5522
5523if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5524 meta WORD_INVIS __WORD_INVIS_MINFP && !WORD_INVIS_MANY
5525 describe WORD_INVIS A hidden word
5526# score WORD_INVIS 3.000 # limit
5527 tflags WORD_INVIS publish
5528endif
5529##} WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5530
5531##{ WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5532
5533if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5534 meta WORD_INVIS_MANY __WORD_INVIS_2
5535 describe WORD_INVIS_MANY Multiple individual hidden words
5536# score WORD_INVIS_MANY 3.000 # limit
5537 tflags WORD_INVIS_MANY publish
5538endif
5539##} WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5540
5541##{ XFER_LOTSA_MONEY
5542
5543meta XFER_LOTSA_MONEY __XFER_LOTSA_MONEY && !__VIA_ML && !__HAS_SENDER && !__SUBSCRIPTION_INFO
5544describe XFER_LOTSA_MONEY Transfer a lot of money
5545#score XFER_LOTSA_MONEY 1.000 # limit
5546##} XFER_LOTSA_MONEY
5547
5548##{ XM_DIGITS_ONLY
5549
5550meta XM_DIGITS_ONLY __XM_DIGITS_ONLY
5551describe XM_DIGITS_ONLY X-Mailer malformed
5552#score XM_DIGITS_ONLY 3.000 # limit
5553tflags XM_DIGITS_ONLY publish
5554##} XM_DIGITS_ONLY
5555
5556##{ XM_LIGHT_HEAVY
5557
5558meta XM_LIGHT_HEAVY __XM_LIGHT_HEAVY && !__HAS_X_BEEN_THERE
5559describe XM_LIGHT_HEAVY Special edition of a MUA
5560#score XM_LIGHT_HEAVY 2.500 # limit
5561##} XM_LIGHT_HEAVY
5562
5563##{ XM_PHPMAILER_FORGED
5564
5565meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED
5566describe XM_PHPMAILER_FORGED Apparently forged header
5567tflags XM_PHPMAILER_FORGED publish
5568##} XM_PHPMAILER_FORGED
5569
5570##{ XM_RANDOM
5571
5572meta XM_RANDOM __XM_RANDOM && !__STY_INVIS_3 && !__HAS_IN_REPLY_TO && !__XM_UC_ONLY
5573describe XM_RANDOM X-Mailer apparently random
5574#score XM_RANDOM 3.000 # limit
5575tflags XM_RANDOM publish
5576##} XM_RANDOM
5577
5578##{ XM_RECPTID
5579
5580meta XM_RECPTID __HAS_XM_RECPTID && !__TAG_EXISTS_SCRIPT && !__REPLYTO_NOREPLY && !__ENVFROM_AMAZONSES && !__DOS_DIRECT_TO_MX && !__FRAUD_PTX
5581describe XM_RECPTID Has spammy message header
5582#score XM_RECPTID 3.000 # limit
5583##} XM_RECPTID
5584
5585##{ XPRIO
5586
5587describe XPRIO Has X-Priority header
5588#score XPRIO 2.250 # limit
5589tflags XPRIO publish
5590##} XPRIO
5591
5592##{ XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM)
5593
5594if !plugin(Mail::SpamAssassin::Plugin::DKIM)
5595 meta XPRIO __XPRIO_MINFP
5596endif
5597##} XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM)
5598
5599##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM
5600
5601ifplugin Mail::SpamAssassin::Plugin::DKIM
5602 tflags XPRIO net
5603endif
5604##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM
5605
5606##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF)
5607
5608ifplugin Mail::SpamAssassin::Plugin::DKIM
5609if !plugin(Mail::SpamAssassin::Plugin::SPF)
5610 meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE
5611endif
5612endif
5613##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF)
5614
5615##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF
5616
5617ifplugin Mail::SpamAssassin::Plugin::DKIM
5618 ifplugin Mail::SpamAssassin::Plugin::SPF
5619 meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS
5620endif
5621endif
5622##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF
5623
5624##{ XPRIO_SHORT_SUBJ
5625
5626meta XPRIO_SHORT_SUBJ __XPRIO_SHORT_SUBJ && !__MSM_PRIO_REPTO && !ALL_TRUSTED && !__DKIM_EXISTS && !__RELAY_THRU_WWW && !__CTYPE_HAS_BOUNDARY && !__RCD_RDNS_MTA && !__HAS_HREF
5627describe XPRIO_SHORT_SUBJ Has X Priority header + short subject
5628#score XPRIO_SHORT_SUBJ 2.500 # limit
5629tflags XPRIO_SHORT_SUBJ publish
5630##} XPRIO_SHORT_SUBJ
5631
5632##{ XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5633
5634ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5635if (version >= 3.004000)
5636meta XPRIO_URL_SHORTNER __XPRIO_MINFP && __PDS_URISHORTENER
5637describe XPRIO_URL_SHORTNER X-Priority header and short URL
5638#score XPRIO_URL_SHORTNER 1.0 # limit
5639endif
5640endif
5641##} XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5642
5643##{ X_MAILER_CME_6543_MSN
5644
5645header X_MAILER_CME_6543_MSN X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/
5646##} X_MAILER_CME_6543_MSN
5647
5648##{ YOUR_DELIVERY_ADDRESS
5649
5650body YOUR_DELIVERY_ADDRESS /(?:respond|reply) (to )?(?:our|this) email (?:with|and send) your (?:(?:delivery |shipping )?address|address (?:for|of) shipping)/i
5651#score YOUR_DELIVERY_ADDRESS 1.500 # limit
5652##} YOUR_DELIVERY_ADDRESS
5653
5654##{ YOU_INHERIT
5655
5656meta YOU_INHERIT __YOU_INHERIT
5657describe YOU_INHERIT Discussing your inheritance
5658##} YOU_INHERIT
5659
5660##{ bayes_ignore_header_sandbox
5661
5662bayes_ignore_header X-ACL-Warn
5663bayes_ignore_header X-Alimail-AntiSpam
5664bayes_ignore_header X-Amavis-Modified
5665bayes_ignore_header X-Anti-Spam
5666bayes_ignore_header X-Anti-Virus
5667bayes_ignore_header X-Anti-Virus-Version
5668bayes_ignore_header X-AntiAbuse
5669bayes_ignore_header X-Antispam
5670bayes_ignore_header X-Antivirus
5671bayes_ignore_header X-Antivirus-Code
5672bayes_ignore_header X-Antivirus-Status
5673bayes_ignore_header X-Antivirus-Version
5674bayes_ignore_header x-aol-global-disposition
5675bayes_ignore_header X-ASF-Spam-Status
5676bayes_ignore_header X-ASG-Debug-ID
5677bayes_ignore_header X-ASG-Orig-Subj
5678bayes_ignore_header X-ASG-Recipient-Whitelist
5679bayes_ignore_header X-ASG-Tag
5680bayes_ignore_header X-Assp-Version
5681bayes_ignore_header X-Authority-Analysis
5682bayes_ignore_header X-Authvirus
5683bayes_ignore_header X-Auto-Response-Suppress
5684bayes_ignore_header X-AV-Do-Run
5685bayes_ignore_header X-AV-Status
5686bayes_ignore_header x-avast-antispam
5687bayes_ignore_header X-Backend
5688bayes_ignore_header X-Barracuda-Apparent-Source-IP
5689bayes_ignore_header X-Barracuda-Bayes
5690bayes_ignore_header X-Barracuda-BBL-IP
5691bayes_ignore_header X-Barracuda-BRTS-Status
5692bayes_ignore_header X-Barracuda-BRTS-URL-Found
5693bayes_ignore_header X-Barracuda-Connect
5694bayes_ignore_header X-Barracuda-Encrypted
5695bayes_ignore_header X-Barracuda-Envelope-From
5696bayes_ignore_header X-Barracuda-Fingerprint-Found
5697bayes_ignore_header X-Barracuda-Orig-Rcpt
5698bayes_ignore_header X-Barracuda-RBL-IP
5699bayes_ignore_header X-Barracuda-RBL-Trusted-Forwarder
5700bayes_ignore_header X-Barracuda-Spam-Report
5701bayes_ignore_header X-Barracuda-Spam-Score
5702bayes_ignore_header X-Barracuda-Spam-Status
5703bayes_ignore_header X-Barracuda-Start-Time
5704bayes_ignore_header X-Barracuda-UID
5705bayes_ignore_header X-Barracuda-URL
5706bayes_ignore_header X-Barracuda-Virus-Alert
5707bayes_ignore_header X-Bayes-Prob
5708bayes_ignore_header X-Bayesian-Result
5709bayes_ignore_header X-BitDefender-Spam
5710bayes_ignore_header X-BitDefender-SpamStamp
5711bayes_ignore_header X-BL
5712bayes_ignore_header X-Bogosity
5713bayes_ignore_header X-Boxtrapper
5714bayes_ignore_header X-Brightmail-Tracker
5715bayes_ignore_header X-BTI-AntiSpam
5716bayes_ignore_header X-Bugzilla-Version
5717bayes_ignore_header X-CanIt-Geo
5718bayes_ignore_header X-Canit-Stats-ID
5719bayes_ignore_header X-CanItPRO-Stream
5720bayes_ignore_header X-Clapf-spamicity
5721bayes_ignore_header X-Cloud-Security
5722bayes_ignore_header X-CM-Score
5723bayes_ignore_header X-CMAE-Analysis
5724bayes_ignore_header X-CMAE-Match
5725bayes_ignore_header X-CMAE-Score
5726bayes_ignore_header X-CMAE-Verdict
5727bayes_ignore_header X-CNFS-Analysis
5728bayes_ignore_header X-Company
5729bayes_ignore_header X-Coremail-Antispam
5730bayes_ignore_header X-CRM114-CacheID
5731bayes_ignore_header X-CRM114-Status
5732bayes_ignore_header X-CRM114-Version
5733bayes_ignore_header X-CT-Spam
5734bayes_ignore_header X-CTCH-SenderID
5735bayes_ignore_header X-CTCH-SenderID-TotalBulk
5736bayes_ignore_header X-CTCH-SenderID-TotalConfirmed
5737bayes_ignore_header X-CTCH-SenderID-TotalMessages
5738bayes_ignore_header X-CTCH-SenderID-TotalRecipients
5739bayes_ignore_header X-CTCH-SenderID-TotalSpam
5740bayes_ignore_header X-CTCH-SenderID-TotalSuspected
5741bayes_ignore_header X-CTCH-SenderID-TotalVirus
5742bayes_ignore_header X-CTCH-Spam
5743bayes_ignore_header X-CTCH-VOD
5744bayes_ignore_header X-Drweb-SpamState
5745bayes_ignore_header X-DSPAM-Confidence
5746bayes_ignore_header X-DSPAM-Factors
5747bayes_ignore_header X-DSPAM-Improbability
5748bayes_ignore_header X-DSPAM-Probability
5749bayes_ignore_header X-DSPAM-Processed
5750bayes_ignore_header X-DSPAM-Result
5751bayes_ignore_header X-DSPAM-Signature
5752bayes_ignore_header x-eavas
5753bayes_ignore_header x-eavas-action
5754bayes_ignore_header x-eavas-eavasid
5755bayes_ignore_header X-Enigmail-Version
5756bayes_ignore_header X-EsetId
5757bayes_ignore_header X-EsetResult
5758bayes_ignore_header X-Exchange-Antispam-Report
5759bayes_ignore_header X-ExtloopSabreCommercials1
5760bayes_ignore_header X-EYOU-SPAMVALUE
5761bayes_ignore_header X-FB-OUTBOUND-SPAM
5762bayes_ignore_header X-FEAS-SBL
5763bayes_ignore_header X-FILTER-SCORE
5764bayes_ignore_header X-Forefront-Antispam-Report
5765bayes_ignore_header X-Forefront-PRVS
5766bayes_ignore_header X-Fuglu-Spamstatus
5767bayes_ignore_header X-Fuglu-Suspect
5768bayes_ignore_header X-getmail-filter-classifier
5769bayes_ignore_header X-GFIME-MASPAM
5770bayes_ignore_header X-Gmane-NNTP-Posting-Host
5771bayes_ignore_header X-GMX-Antispam
5772bayes_ignore_header X-GMX-Antivirus
5773bayes_ignore_header X-He-Spam
5774bayes_ignore_header X-hMailServer-Spam
5775bayes_ignore_header X-IAS
5776bayes_ignore_header X-iGspam-global
5777bayes_ignore_header X-Injected-Via-Gmane
5778bayes_ignore_header X-Interia-Antivirus
5779bayes_ignore_header X-IP-Spam-Verdict
5780bayes_ignore_header X-Ironport
5781bayes_ignore_header X-IronPort-Anti-Spam-Filtered
5782bayes_ignore_header X-IronPort-Anti-Spam-Result
5783bayes_ignore_header X-IronPort-AV
5784bayes_ignore_header X-Ironport-HAT
5785bayes_ignore_header X-Ironport-HOSTNAME
5786bayes_ignore_header X-Ironport-LNR
5787bayes_ignore_header X-Ironport-MessageFilter
5788bayes_ignore_header X-Ironport-MFP
5789bayes_ignore_header X-Ironport-MID
5790bayes_ignore_header X-IronPort-Outgoing-Antispam
5791bayes_ignore_header X-Ironport-RIF
5792bayes_ignore_header X-Ironport-SBRS
5793bayes_ignore_header X-Ironport-SENDER
5794bayes_ignore_header X-Ironport-SUBJECT
5795bayes_ignore_header X-Junk-Score
5796bayes_ignore_header X-Junkmail
5797bayes_ignore_header X-KLMS-AntiPhishing
5798bayes_ignore_header X-Klms-Antispam
5799bayes_ignore_header X-KLMS-AntiSpam-Info
5800bayes_ignore_header X-KLMS-AntiSpam-Interceptor-Info
5801bayes_ignore_header X-KLMS-AntiSpam-Lua-Profiles
5802bayes_ignore_header X-KLMS-AntiSpam-Method
5803bayes_ignore_header X-KLMS-AntiSpam-Moebius-Timestamps
5804bayes_ignore_header X-KLMS-AntiSpam-Rate
5805bayes_ignore_header X-KLMS-AntiSpam-Status
5806bayes_ignore_header X-KLMS-AntiSpam-Version
5807bayes_ignore_header X-KLMS-AntiVirus
5808bayes_ignore_header X-KLMS-AntiVirus-Status
5809bayes_ignore_header X-KLMS-Message-Action
5810bayes_ignore_header X-KLMS-Rule-ID
5811bayes_ignore_header X-KMail-EncryptionState
5812bayes_ignore_header X-KMail-MDN-Sent
5813bayes_ignore_header X-KMail-SignatureState
5814bayes_ignore_header X-MailCleaner-SpamChec
5815bayes_ignore_header X-MailCleaner-SpamCheck
5816bayes_ignore_header X-MailFoundry
5817bayes_ignore_header X-MDMailLookup-Result
5818bayes_ignore_header X-ME-Bayesian
5819bayes_ignore_header X-ME-Content
5820bayes_ignore_header X-MessageFilter
5821bayes_ignore_header X-Microsoft-Antispam
5822bayes_ignore_header X-Mlf-Version
5823bayes_ignore_header X-MXScan-AntiSpam
5824bayes_ignore_header X-MXScan-AntiVirus
5825bayes_ignore_header X-MXScan-Country-Sequence
5826bayes_ignore_header X-MXScan-License
5827bayes_ignore_header X-MXScan-Msgid
5828bayes_ignore_header X-MXScan-ProcessingTime
5829bayes_ignore_header X-MXScan-Scan
5830bayes_ignore_header X-NAI-Spam-Flag
5831bayes_ignore_header X-NAI-Spam-Rules
5832bayes_ignore_header X-NAI-Spam-Score
5833bayes_ignore_header X-NAI-Spam-Threshold
5834bayes_ignore_header X-NetStation-Status
5835bayes_ignore_header X-OVH-SPAMCAUSE
5836bayes_ignore_header X-OVH-SPAMCAUSE:
5837bayes_ignore_header X-OVH-SPAMSCORE
5838bayes_ignore_header X-OVH-SPAMSTATE
5839bayes_ignore_header X-PerlMx-Spam
5840bayes_ignore_header X-PerlMx-Virus-Scanned
5841bayes_ignore_header X-PFSI-Info
5842bayes_ignore_header X-PMX-Spam
5843bayes_ignore_header X-PMX-Version
5844bayes_ignore_header X-Policy-Service
5845bayes_ignore_header X-policyd-weight
5846bayes_ignore_header X-PreRBLs
5847bayes_ignore_header X-Probable-Spam
5848bayes_ignore_header X-PROLinux-SpamCheck
5849bayes_ignore_header X-Proofpoint-Spam-Reason
5850bayes_ignore_header X-Proofpoint-Virus-Version
5851bayes_ignore_header x-purgate-eavas: clean
5852bayes_ignore_header x-purgate-id
5853bayes_ignore_header x-purgate-size
5854bayes_ignore_header x-purgate-type
5855bayes_ignore_header X-Qmail-Scanner-Diagnostics
5856bayes_ignore_header X-Qmail-Scanner-MOVED-X-Spam-Status
5857bayes_ignore_header X-Quarantine-ID
5858bayes_ignore_header X-RSpam-Report
5859bayes_ignore_header X-SA-Do-Not-Run
5860bayes_ignore_header X-SA-Exim-Version
5861bayes_ignore_header X-Scanned-by
5862bayes_ignore_header X-SmarterMail-CustomSpamHeader
5863bayes_ignore_header X-Spam
5864bayes_ignore_header X-Spam-Action
5865bayes_ignore_header X-SPAM-AISP
5866bayes_ignore_header X-Spam-Check-By
5867bayes_ignore_header X-Spam-Checker-Version
5868bayes_ignore_header X-Spam-CMAE-Analysis
5869bayes_ignore_header X-Spam-CMAESCORE
5870bayes_ignore_header X-Spam-CTCH-RefID
5871bayes_ignore_header X-Spam-Flag
5872bayes_ignore_header X-Spam-Level
5873bayes_ignore_header X-Spam-Processed
5874bayes_ignore_header X-Spam-Report
5875bayes_ignore_header X-Spam-Scanned
5876bayes_ignore_header X-Spam-Score
5877bayes_ignore_header X-Spam-Score-Int
5878bayes_ignore_header X-Spam-SmartLearn
5879bayes_ignore_header X-Spam-Status
5880bayes_ignore_header X-Spam-Threshold
5881bayes_ignore_header X-Spam_bar
5882bayes_ignore_header X-Spambayes-Classification
5883bayes_ignore_header X-SpamExperts-Domain
5884bayes_ignore_header X-SpamExperts-Outgoing-Class
5885bayes_ignore_header X-SpamExperts-Outgoing-Evidence
5886bayes_ignore_header X-SpamExperts-Username
5887bayes_ignore_header X-Spamfilter-host
5888bayes_ignore_header X-Spamina-Bogosity
5889bayes_ignore_header X-Spamina-Spam-Report
5890bayes_ignore_header X-Spamina-Spam-Score
5891bayes_ignore_header X-SpamInfo
5892bayes_ignore_header X-Spamsave
5893bayes_ignore_header X-SpamTest-Group-ID
5894bayes_ignore_header X-SpamTest-Info
5895bayes_ignore_header X-SpamTest-Method
5896bayes_ignore_header X-SpamTest-Rate
5897bayes_ignore_header X-SpamTest-SPF
5898bayes_ignore_header X-SpamTest-Status
5899bayes_ignore_header X-SpamTest-Status-Extended
5900bayes_ignore_header X-SPF-Scan-By
5901bayes_ignore_header X-STA-Metric
5902bayes_ignore_header X-STA-NotSpam
5903bayes_ignore_header X-STA-Spam
5904bayes_ignore_header X-StarScan-Version
5905bayes_ignore_header X-SurGATE-Result
5906bayes_ignore_header X-SWITCHham-Score
5907bayes_ignore_header X-UI-Filterresults
5908bayes_ignore_header X-UI-Loop
5909bayes_ignore_header X-UI-Out-Filterresults
5910bayes_ignore_header X-Univie-Spam-Checker-Version
5911bayes_ignore_header X-Univie-Virus-Scan
5912bayes_ignore_header X-Virus
5913bayes_ignore_header X-Virus-Checker-Version
5914bayes_ignore_header X-Virus-Scanned
5915bayes_ignore_header X-Virus-Scanner-Result
5916bayes_ignore_header X-Virus-Scanner-Version
5917bayes_ignore_header X-Virus-Status
5918bayes_ignore_header X-VirusChecked
5919bayes_ignore_header X-VR-SCORE
5920bayes_ignore_header X-VR-SPAMCAUSE
5921bayes_ignore_header X-VR-STATUS
5922bayes_ignore_header X-WatchGuard-Mail-Client-IP
5923bayes_ignore_header X-WatchGuard-Mail-From
5924bayes_ignore_header X-WatchGuard-Mail-Recipients
5925bayes_ignore_header X-WatchGuard-Spam-ID
5926bayes_ignore_header X-WatchGuard-Spam-Score
5927bayes_ignore_header X-Whitelist-Domain
5928bayes_ignore_header X-WUM-CCI
5929bayes_ignore_header X_CMAE_Category##} bayes_ignore_header_sandbox
5930
5931##{ if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
5932
5933if (version >= 3.004001)
5934ifplugin Mail::SpamAssassin::Plugin::AskDNS
5935askdns __FROM_FMBLA_NEWDOM _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/
5936askdns __FROM_FMBLA_NEWDOM14 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.14$/
5937askdns __FROM_FMBLA_NEWDOM28 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.28$/
5938askdns __FROM_FMBLA_NDBLOCKED _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.255\.255\.255$/
5939reuse FROM_FMBLA_NEWDOM
5940reuse FROM_FMBLA_NEWDOM14
5941reuse FROM_FMBLA_NEWDOM28
5942reuse FROM_FMBLA_NDBLOCKED
5943reuse __PDS_NEWDOMAIN
5944reuse FROM_NUMBERO_NEWDOMAIN
5945reuse FROM_NEWDOM_BTC
5946askdns __PDS_SPF_ONLYALL _SENDERDOMAIN_ TXT /^v=spf1 \+all$/
5947reuse BITCOIN_SPF_ONLYALL
5948endif
5949endif
5950##} if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
5951
5952##{ if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox
5953
5954if (version >= 3.004002)
5955ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5956enlist_addrlist (PAYPAL) *@paypal.com *@paypal.co.uk *@paypal.de *@paypal.com.au *@paypal.it
5957enlist_addrlist (PAYPAL) *@paypal.es *@paypal.fr *@paypal.de *@paypal.com.hk
5958enlist_addrlist (PAYPAL) *@*.paypal.com *@*.paypal.co.uk
5959reuse __FROM_ADDRLIST_PAYPAL
5960reuse FROM_PAYPAL_SPOOF
5961enlist_addrlist (BANKS) *@abbey.co.uk *@abbey.com *@abbeyinternational.com *@abbeyinternational.co.uk *@abbeynational.com *@abbeynational.co.uk
5962enlist_addrlist (BANKS) *@allianceleicester.com *@allianceleicester.co.uk *@alliance-leicester.com *@alliance-leicester.co.uk
5963enlist_addrlist (BANKS) *@bankofamerica.com *@bankofamerica.co.uk
5964enlist_addrlist (BANKS) *@barclaycard.com *@barclays.com
5965enlist_addrlist (BANKS) *@citibank.com
5966enlist_addrlist (BANKS) *@firstdirect.com *@firstdirect.co.uk
5967enlist_addrlist (BANKS) *@halifax.com *@halifax.co.uk *@halifax-online.co.uk *@halifax-online.com
5968enlist_addrlist (BANKS) *@hbos.com *@hbos.co.uk
5969enlist_addrlist (BANKS) *@hsbc.com *@hsbc.co.uk *@hsbc.hk *@hsbcgroup.com *@hsbcgroup.co.uk
5970enlist_addrlist (BANKS) *@lloydstsb.com *@lloydstsb.co.uk *@lloyds.com
5971enlist_addrlist (BANKS) *@mbna.com
5972enlist_addrlist (BANKS) *@nationwide.com *@nationwide.co.uk
5973enlist_addrlist (BANKS) *@natwest.com *@natwest.co.uk
5974enlist_addrlist (BANKS) *@santander.com *@santander.co.uk
5975enlist_addrlist (BANKS) *@standardbank.co.za
5976enlist_addrlist (BANKS) *@ybonline.co.uk *@ybonline.com
5977reuse __FROM_ADDRLIST_BANKS
5978reuse FROM_BANK_NOAUTH
5979enlist_addrlist (GOV) *@*.gov
5980enlist_addrlist (GOV) *@*.gov.uk *@parliament.uk *@*.parliament.uk
5981reuse __FROM_ADDRLIST_GOV
5982reuse FROM_GOV_SPOOF
5983reuse FROM_GOV_DKIM_AU
5984reuse FROM_GOV_REPLYTO_FREEMAIL
5985enlist_addrlist (SUSP_NTLD) *@*.icu
5986enlist_addrlist (SUSP_NTLD) *@*.online
5987enlist_addrlist (SUSP_NTLD) *@*.work
5988enlist_addrlist (SUSP_NTLD) *@*.date
5989enlist_addrlist (SUSP_NTLD) *@*.top
5990enlist_addrlist (SUSP_NTLD) *@*.fun
5991enlist_addrlist (SUSP_NTLD) *@*.life
5992enlist_addrlist (SUSP_NTLD) *@*.review
5993enlist_addrlist (SUSP_NTLD) *@*.xyz
5994enlist_addrlist (SUSP_NTLD) *@*.bid
5995enlist_addrlist (SUSP_NTLD) *@*.stream
5996enlist_addrlist (SUSP_NTLD) *@*.site
5997enlist_addrlist (SUSP_NTLD) *@*.space
5998enlist_addrlist (SUSP_NTLD) *@*.gdn
5999enlist_addrlist (SUSP_NTLD) *@*.click
6000enlist_addrlist (SUSP_NTLD) *@*.world
6001enlist_addrlist (SUSP_NTLD) *@*.fit
6002enlist_addrlist (SUSP_NTLD) *@*.ooo
6003enlist_addrlist (SUSP_NTLD) *@*.faith
6004enlist_addrlist (SUSP_NTLD) *@*.buzz
6005enlist_addrlist (SUSP_NTLD) *@*.trade
6006enlist_addrlist (SUSP_NTLD) *@*.cyou
6007enlist_addrlist (SUSP_NTLD) *@*.vip
6008enlist_uri_host (SUSP_URI_NTLD) icu
6009enlist_uri_host (SUSP_URI_NTLD) online
6010enlist_uri_host (SUSP_URI_NTLD) work
6011enlist_uri_host (SUSP_URI_NTLD) date
6012enlist_uri_host (SUSP_URI_NTLD) top
6013enlist_uri_host (SUSP_URI_NTLD) fun
6014enlist_uri_host (SUSP_URI_NTLD) life
6015enlist_uri_host (SUSP_URI_NTLD) review
6016enlist_uri_host (SUSP_URI_NTLD) xyz
6017enlist_uri_host (SUSP_URI_NTLD) bid
6018enlist_uri_host (SUSP_URI_NTLD) stream
6019enlist_uri_host (SUSP_URI_NTLD) site
6020enlist_uri_host (SUSP_URI_NTLD) space
6021enlist_uri_host (SUSP_URI_NTLD) gdn
6022enlist_uri_host (SUSP_URI_NTLD) click
6023enlist_uri_host (SUSP_URI_NTLD) world
6024enlist_uri_host (SUSP_URI_NTLD) fit
6025enlist_uri_host (SUSP_URI_NTLD) ooo
6026enlist_uri_host (SUSP_URI_NTLD) faith
6027enlist_uri_host (SUSP_URI_NTLD) buzz
6028enlist_uri_host (SUSP_URI_NTLD) trade
6029enlist_uri_host (SUSP_URI_NTLD) cyou
6030enlist_uri_host (SUSP_URI_NTLD) vip
6031enlist_uri_host (SUSP_URI_NTLD_PRO) pro
6032reuse __FROM_ADDRLIST_SUSPNTLD
6033reuse __REPLYTO_ADDRLIST_SUSPNTLD
6034reuse FROM_SUSPICIOUS_NTLD
6035reuse GOOGLE_DRIVE_REPLY_BAD_NTLD
6036reuse VPS_NO_NTLD
6037endif
6038endif
6039##} if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox
6040
6041##{ if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox
6042
6043if (version >= 3.004003)
6044 ifplugin Mail::SpamAssassin::Plugin::HashBL
6045 priority T_GB_HASHBL_BTC -100
6046 reuse T_GB_HASHBL_BTC
6047endif
6048endif
6049##} if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox
6050
6051##{ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6052
6053if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
6054 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
6055 replace_tag lcase_e (?:e|\xc3[\xa8\xa9\xaa\xab]|\xc4[\x93\x95\x97\x99\x9b]|\xc8[\x85\x87\x80]|\xcf\xb5|\xd0\xb5|\xd1[\x90\x91\x94\xb3]|\xd2[\xbc\xbd\xbe\xbf]|\xd3[\x07\xa9\xab])
6056 replace_rules __E_LIKE_LETTER
6057endif
6058endif
6059##} if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6060
6061##{ ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
6062
6063ifplugin Mail::SpamAssassin::Plugin::AskDNS
6064askdns __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/
6065reuse __DKIMWL_FREEMAIL
6066askdns __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/
6067reuse __DKIMWL_BULKMAIL
6068askdns __DKIMWL_WL_HI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/
6069reuse __DKIMWL_WL_HI
6070askdns __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/
6071reuse __DKIMWL_WL_MEDHI
6072askdns __DKIMWL_WL_MED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/
6073reuse __DKIMWL_WL_MED
6074askdns __DKIMWL_WL_BL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/
6075reuse __DKIMWL_WL_BL
6076askdns __DKIMWL_BLOCKED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/
6077reuse __DKIMWL_BLOCKED
6078reuse DKIMWL_WL_HIGH
6079reuse DKIMWL_WL_MEDHI
6080reuse DKIMWL_WL_MED
6081reuse DKIMWL_BL
6082reuse DKIMWL_BLOCKED
6083askdns __HELO_DNS _LASTEXTERNALHELO_ A /./
6084endif
6085##} ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
6086
6087##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox
6088
6089ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
6090reuse RCVD_IN_PSBL
6091endif
6092##} ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox
6093
6094##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox
6095
6096ifplugin Mail::SpamAssassin::Plugin::DNSEval
6097reuse RCVD_IN_IADB_LISTED
6098reuse RCVD_IN_IADB_EDDB
6099reuse RCVD_IN_IADB_EPIA
6100reuse RCVD_IN_IADB_SPF
6101reuse RCVD_IN_IADB_SENDERID
6102reuse RCVD_IN_IADB_DK
6103reuse RCVD_IN_IADB_RDNS
6104reuse RCVD_IN_IADB_GOODMAIL
6105reuse RCVD_IN_IADB_NOCONTROL
6106reuse RCVD_IN_IADB_OPTOUTONLY
6107reuse RCVD_IN_IADB_UNVERIFIED_1
6108reuse RCVD_IN_IADB_UNVERIFIED_2
6109reuse RCVD_IN_IADB_LOOSE
6110reuse RCVD_IN_IADB_OPTIN_LT50
6111reuse RCVD_IN_IADB_OPTIN_GT50
6112reuse RCVD_IN_IADB_OPTIN
6113reuse RCVD_IN_IADB_DOPTIN_LT50
6114reuse RCVD_IN_IADB_DOPTIN_GT50
6115reuse RCVD_IN_IADB_DOPTIN
6116reuse RCVD_IN_IADB_ML_DOPTIN
6117reuse RCVD_IN_IADB_OOO
6118reuse RCVD_IN_IADB_MI_CPEAR
6119reuse RCVD_IN_IADB_UT_CPEAR
6120reuse RCVD_IN_IADB_MI_CPR_30
6121reuse RCVD_IN_IADB_UT_CPR_30
6122reuse RCVD_IN_IADB_MI_CPR_MAT
6123reuse RCVD_IN_IADB_UT_CPR_MAT
6124endif
6125##} ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox
6126
6127##{ ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox
6128
6129ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
6130fns_ignore_dkim linkedin.com googlegroups.com yahoogroups.com yahoogroups.de
6131fns_ignore_headers List-Id
6132fns_check 1
6133reuse __PLUGIN_FROMNAME_SPOOF
6134reuse __PLUGIN_FROMNAME_EQUALS_TO
6135endif
6136##} ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox
6137
6138##{ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6139
6140ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
6141replace_rules T_FUZZY_SPRM
6142replace_rules FUZZY_MERIDIA
6143replace_rules TVD_FUZZY_PHARMACEUTICAL
6144replace_rules TVD_FUZZY_SYMBOL
6145replace_rules T_TVD_FUZZY_SECURITIES
6146replace_rules TVD_FUZZY_FINANCE
6147replace_rules TVD_FUZZY_FIXED_RATE
6148replace_rules TVD_FUZZY_MICROCAP
6149replace_rules T_TVD_FUZZY_SECTOR
6150replace_rules TVD_FUZZY_DEGREE
6151 replace_rules __COPY_PASTE_EN
6152 replace_tag FF_LNNO (?:(?:\d{1,3}(?:[)}\]:.,]{1,80}|(?:st|nd|rd|th)[)}\]:.,]{0,3})|\W?\([\div]{1,5}\)|\W?\{\d{1,3}\}|\[\d{1,3}\]|\*{1,5}|\#{1,5}|\(?[A-K][)}\]:.,]{1,3})\s?)
6153 replace_tag FF_YOUR (?:a?\s?copy\sof\s)?(?:(?:your|din|seu|twoje)[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full(?:st[\xe4]ndigt)?\s?|complete\s|direct\s|private?\s|valid\s|personal\s|nuvarande\s|vollst[\xe4]ndige\s|aktuelle\s|pe\s(?:ne\s)?){0,3}
6154 replace_tag ANDOR (?:\s?[\/&+,]\s?|\sor\s|\sand?\s)
6155 replace_tag NUMBER (?:(?:ruf)?num(?:[bm]er)?\(?s?\)?|nos?\.|no\b|n[\xb0]|\#s?|nbrs?\.?)
6156 replace_tag FF_SUFFIX (?:\sin\s(?:full|words)|\scompleto)?:?(?:\s?[({][^)}]{1,30}[)}])?
6157 replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){3,100}))
6158 replace_tag FF_BLANK2 (?:[^-=_.,:;*\w]{0,3}(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){1,100})
6159 replace_tag FF_A1 (?:(?:countr?y|city|province|ter+itory|(?:zip|post(?:al)?)(?:\s?code)?|st?ates?|ad+res+e?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))?
6160 replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail|bostads|wohn)<ANDOR>?){0,3}\s?(?:ad+res+[es]{0,2}|location|endere[\xe7]o)(?:\sline)?(?:\s[0-9])?
6161 replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|user|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:<ANDOR>ad+res+)?
6162 replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one?)?|(?:ph|f)one|private)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s?<NUMBER>)?<ANDOR>?){1,3}
6163 replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|(?:user )?email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)<ANDOR>?){1,3}
6164 replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?s?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf|zaw(?:=F3|[\xf3])d)
6165 replace_tag FF_F1 (?:(?:bank(?:ing)?|beneficiary|billing|acc(?:oun)?t|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|institution|a\/c|<NUMBER>)<ANDOR>?){1,3}
6166 replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(?:en[sc]e)?|pas+\s?port|id\scard|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?)<ANDOR>?){1,3}(?:\s<NUMBER>)?
6167 replace_tag FF_F3 (?:picture|zdj\scie|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|(?:e-?mail\s)?pas+word|e-?mai?l\sid|amount\s[\w\s]{0,30}lost[\w\s]{0,15})
6168 replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names?
6169 replace_tag FF_F5 (?:ref(?:erence)?|batch|win+ing|award|billet)[-\s]?<NUMBER>
6170 replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>|<FF_L1>)
6171 replace_rules __FILL_THIS_FORM_LONG1
6172 replace_rules __FILL_THIS_FORM_LONG2
6173 replace_rules __FILL_THIS_FORM_PARTIAL
6174 replace_rules __FILL_THIS_FORM_PARTIAL_RAW
6175 replace_rules __FILL_THIS_FORM_SHORT1
6176 replace_rules __FILL_THIS_FORM_SHORT2
6177 replace_rules __FILL_THIS_FORM_LOAN1
6178 replace_rules __FILL_THIS_FORM_FRAUD_PHISH1
6179 replace_tag CURRENCY (?:[\(\[]?(?:\bU[Ss][D\$]{0,2}|\$(?:US)?|usd|USD|CAD|GBP|=[Aa][34]|\xa3|&\#16[34];|(?i:pounds\ssterling)|\xa4|EUR(?:OS?)?|(?:d')?[Ee]uro?s?|(?i:eur)\sde|CHF|FCFA|d[\xf3]lares\sde\slos\sE+\.\s?U+\.)[\]\)]?)
6180 replace_tag GB_UK \b(?:U\.?K\.?|(?:Great\s)?Brit(?:ain|ish)|G\.?B\.?)\b
6181 replace_tag NUM_NOT_DATE [1-9](?!\d\d\d\.\d\d\.\d\d\s)(?!\d?\.\d\d?\.\d\d\d\d\s)
6182 replace_tag NUM_NOT_DATE_IP <NUM_NOT_DATE>(?!\d{0,2}(?:\.0|\.[1-2]\d{0,2}){3}(?:\D|$))
6183 replace_rules __LOTSA_MONEY_00 __LOTSA_MONEY_01 __LOTSA_MONEY_02 __LOTSA_MONEY_03 __LOTSA_MONEY_04
6184 replace_tag PERCENT \b(?:\d\d|ten|[a-z]+teen|(?:twen|thir|fou?r|fif)ty(?:-?[a-z]+)?)\s?(?:%|percent)
6185 replace_rules __PCT_FOR_YOU_1 __PCT_FOR_YOU_2 __PCT_FOR_YOU_3 __PCT_OF_PMTS
6186 replace_rules T_FUZZY_OPTOUT
6187 replace_rules __FRT_PRICE
6188 replace_rules FUZZY_UNSUBSCRIBE
6189 replace_rules FUZZY_ANDROID
6190 replace_rules FUZZY_PROMOTION
6191 replace_rules FUZZY_PRIVACY
6192 replace_rules FUZZY_BROWSER
6193 replace_rules FUZZY_SAVINGS
6194 replace_rules FUZZY_IMPORTANT
6195 replace_rules FUZZY_SECURITY
6196 replace_rules __FUZZY_DR_OZ
6197 replace_rules FUZZY_CLICK_HERE
6198 replace_rules FUZZY_BITCOIN
6199 replace_rules __BITCOIN
6200 replace_rules FUZZY_WALLET
6201 replace_rules __FUZZY_MONERO
6202 replace_rules __FUZZY_WELLSFARGO_BODY
6203 replace_rules __FUZZY_WELLSFARGO_FROM
6204 replace_rules __FUZZY_PORN
6205 replace_rules FUZZY_AMAZON
6206 replace_rules FUZZY_APPLE
6207 replace_rules FUZZY_MICROSOFT
6208 replace_rules FUZZY_FACEBOOK
6209 replace_rules FUZZY_PAYPAL
6210 replace_rules FUZZY_NORTON
6211 replace_rules FUZZY_OVERSTOCK
6212 replace_rules __MY_VICTIM
6213 replace_rules __MY_MALWARE
6214 replace_rules __PAY_ME
6215 replace_rules __YOUR_PASSWORD
6216 replace_rules __YOUR_WEBCAM
6217 replace_rules __YOUR_ONAN
6218 replace_rules __YOUR_PERSONAL
6219 replace_rules __HOURS_DEADLINE
6220 replace_rules __EXPLOSIVE_DEVICE
6221replace_rules T_LFUZ_PWRMALE
6222 replace_rules __PDS_BTC_HACKER __PDS_BTC_PIRATE
6223 reuse T_PDS_BTC_AHACKER
6224 reuse T_PDS_BTC_HACKER
6225 reuse T_PDS_LTC_AHACKER
6226 reuse T_PDS_LTC_HACKER
6227endif
6228##} ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6229
6230##{ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox
6231
6232ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
6233reuse URIBL_RHS_DOB
6234endif
6235##} ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox
6236
6237##{ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox
6238
6239ifplugin Mail::SpamAssassin::Plugin::WLBLEval
6240if (version >= 3.004000)
6241enlist_uri_host (PDS_CASHSHORTENER) cutpaid.com
6242enlist_uri_host (PDS_CASHSHORTENER) caat.site
6243enlist_uri_host (PDS_CASHSHORTENER) triabicia.com
6244enlist_uri_host (PDS_CASHSHORTENER) 2xs.io
6245enlist_uri_host (PDS_CASHSHORTENER) ocest.site
6246enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz
6247enlist_uri_host (PDS_CASHSHORTENER) waar.site
6248enlist_uri_host (PDS_CASHSHORTENER) cpmlink.net
6249enlist_uri_host (PDS_CASHSHORTENER) cowner.net
6250enlist_uri_host (PDS_CASHSHORTENER) adfoc.us
6251enlist_uri_host (PDS_CASHSHORTENER) shrinkhere.xyz
6252enlist_uri_host (PDS_CASHSHORTENER) gurl.pw
6253enlist_uri_host (PDS_CASHSHORTENER) shortearn.eu
6254enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz
6255enlist_uri_host (PDS_CASHSHORTENER) libittarc.com
6256enlist_uri_host (PDS_CASHSHORTENER) pc.cd
6257enlist_uri_host (PDS_CASHSHORTENER) fc.lc
6258enlist_uri_host (PDS_CASHSHORTENER) dares.xyz
6259enlist_uri_host (PDS_CASHSHORTENER) trendlouds.com
6260enlist_uri_host (PDS_CASHSHORTENER) yogaf.xyz
6261enlist_uri_host (PDS_CASHSHORTENER) cobs.xyz
6262enlist_uri_host (PDS_CASHSHORTENER) olnew.xyz
6263enlist_uri_host (PDS_CASHSHORTENER) cleft.xyz
6264enlist_uri_host (PDS_CASHSHORTENER) 7r6.com
6265enlist_uri_host (PDS_CASHSHORTENER) mitly.us
6266enlist_uri_host (PDS_CASHSHORTENER) kutpay.com
6267enlist_uri_host (PDS_CASHSHORTENER) gsurl.me
6268enlist_uri_host (PDS_CASHSHORTENER) gurl.ly
6269enlist_uri_host (PDS_CASHSHORTENER) gsurl.in
6270enlist_uri_host (PDS_CASHSHORTENER) acitoate.com
6271enlist_uri_host (PDS_CASHSHORTENER) aclabink.com
6272enlist_uri_host (PDS_CASHSHORTENER) activeation.com
6273enlist_uri_host (PDS_CASHSHORTENER) activeterium.com
6274enlist_uri_host (PDS_CASHSHORTENER) adflyforum.com
6275enlist_uri_host (PDS_CASHSHORTENER) adflymail.com
6276enlist_uri_host (PDS_CASHSHORTENER) adult.xyz
6277enlist_uri_host (PDS_CASHSHORTENER) agileurbia.com
6278enlist_uri_host (PDS_CASHSHORTENER) atomcurve.com
6279enlist_uri_host (PDS_CASHSHORTENER) ay.gy
6280enlist_uri_host (PDS_CASHSHORTENER) battleate.com
6281enlist_uri_host (PDS_CASHSHORTENER) biastonu.com
6282enlist_uri_host (PDS_CASHSHORTENER) bitigee.com
6283enlist_uri_host (PDS_CASHSHORTENER) briskrange.com
6284enlist_uri_host (PDS_CASHSHORTENER) brisktopia.com
6285enlist_uri_host (PDS_CASHSHORTENER) casualient.com
6286enlist_uri_host (PDS_CASHSHORTENER) clesolea.com
6287enlist_uri_host (PDS_CASHSHORTENER) code404.biz
6288enlist_uri_host (PDS_CASHSHORTENER) coginator.com
6289enlist_uri_host (PDS_CASHSHORTENER) cogismith.com
6290enlist_uri_host (PDS_CASHSHORTENER) covelign.com
6291enlist_uri_host (PDS_CASHSHORTENER) crefranek.com
6292enlist_uri_host (PDS_CASHSHORTENER) dashsphere.com
6293enlist_uri_host (PDS_CASHSHORTENER) dataurbia.com
6294enlist_uri_host (PDS_CASHSHORTENER) deciomm.com
6295enlist_uri_host (PDS_CASHSHORTENER) ducolomal.com
6296enlist_uri_host (PDS_CASHSHORTENER) east-jones.com
6297enlist_uri_host (PDS_CASHSHORTENER) ecleneue.com
6298enlist_uri_host (PDS_CASHSHORTENER) ellevolaw.com
6299enlist_uri_host (PDS_CASHSHORTENER) endroudo.com
6300enlist_uri_host (PDS_CASHSHORTENER) eunsetee.com
6301enlist_uri_host (PDS_CASHSHORTENER) fainbory.com
6302enlist_uri_host (PDS_CASHSHORTENER) fasttory.com
6303enlist_uri_host (PDS_CASHSHORTENER) fawright.com
6304enlist_uri_host (PDS_CASHSHORTENER) flyserve.co
6305enlist_uri_host (PDS_CASHSHORTENER) greponozy.com
6306enlist_uri_host (PDS_CASHSHORTENER) homoluath.com
6307enlist_uri_host (PDS_CASHSHORTENER) hopigrarn.com
6308enlist_uri_host (PDS_CASHSHORTENER) infopade.com
6309enlist_uri_host (PDS_CASHSHORTENER) j.gs
6310enlist_uri_host (PDS_CASHSHORTENER) kaitect.com
6311enlist_uri_host (PDS_CASHSHORTENER) kializer.com
6312enlist_uri_host (PDS_CASHSHORTENER) kibuilder.com
6313enlist_uri_host (PDS_CASHSHORTENER) kimechanic.com
6314enlist_uri_host (PDS_CASHSHORTENER) kudoflow.com
6315enlist_uri_host (PDS_CASHSHORTENER) legeerook.com
6316enlist_uri_host (PDS_CASHSHORTENER) libittarc.com
6317enlist_uri_host (PDS_CASHSHORTENER) linkjaunt.com
6318enlist_uri_host (PDS_CASHSHORTENER) locinealy.com
6319enlist_uri_host (PDS_CASHSHORTENER) maetrimal.com
6320enlist_uri_host (PDS_CASHSHORTENER) metastead.com
6321enlist_uri_host (PDS_CASHSHORTENER) mmoity.com
6322enlist_uri_host (PDS_CASHSHORTENER) mondoagram.com
6323enlist_uri_host (PDS_CASHSHORTENER) neswery.com
6324enlist_uri_host (PDS_CASHSHORTENER) nimbleinity.com
6325enlist_uri_host (PDS_CASHSHORTENER) onisedeo.com
6326enlist_uri_host (PDS_CASHSHORTENER) optitopt.com
6327enlist_uri_host (PDS_CASHSHORTENER) picocurl.com
6328enlist_uri_host (PDS_CASHSHORTENER) pladollmo.com
6329enlist_uri_host (PDS_CASHSHORTENER) preofery.com
6330enlist_uri_host (PDS_CASHSHORTENER) prereheus.com
6331enlist_uri_host (PDS_CASHSHORTENER) q.gs
6332enlist_uri_host (PDS_CASHSHORTENER) quainator.com
6333enlist_uri_host (PDS_CASHSHORTENER) quamiller.com
6334enlist_uri_host (PDS_CASHSHORTENER) queuecosm.bid
6335enlist_uri_host (PDS_CASHSHORTENER) raboninco.com
6336enlist_uri_host (PDS_CASHSHORTENER) rapidteria.com
6337enlist_uri_host (PDS_CASHSHORTENER) rapidtory.com
6338enlist_uri_host (PDS_CASHSHORTENER) sapolatsu.com
6339enlist_uri_host (PDS_CASHSHORTENER) scapognel.com
6340enlist_uri_host (PDS_CASHSHORTENER) simizer.com
6341enlist_uri_host (PDS_CASHSHORTENER) skamaker.com
6342enlist_uri_host (PDS_CASHSHORTENER) skamason.com
6343enlist_uri_host (PDS_CASHSHORTENER) sluppend.com
6344enlist_uri_host (PDS_CASHSHORTENER) sprysphere.com
6345enlist_uri_host (PDS_CASHSHORTENER) streamvoyage.com
6346enlist_uri_host (PDS_CASHSHORTENER) swarife.com
6347enlist_uri_host (PDS_CASHSHORTENER) swiftation.com
6348enlist_uri_host (PDS_CASHSHORTENER) swifttopia.com
6349enlist_uri_host (PDS_CASHSHORTENER) techigo.com
6350enlist_uri_host (PDS_CASHSHORTENER) threadsphere.bid
6351enlist_uri_host (PDS_CASHSHORTENER) tinyical.com
6352enlist_uri_host (PDS_CASHSHORTENER) tonancos.com
6353enlist_uri_host (PDS_CASHSHORTENER) triabicia.com
6354enlist_uri_host (PDS_CASHSHORTENER) turboagram.com
6355enlist_uri_host (PDS_CASHSHORTENER) twineer.com
6356enlist_uri_host (PDS_CASHSHORTENER) twiriock.com
6357enlist_uri_host (PDS_CASHSHORTENER) userlab66.com
6358enlist_uri_host (PDS_CASHSHORTENER) vaugette.com
6359enlist_uri_host (PDS_CASHSHORTENER) velocicosm.com
6360enlist_uri_host (PDS_CASHSHORTENER) velociterium.com
6361enlist_uri_host (PDS_CASHSHORTENER) viahold.com
6362enlist_uri_host (PDS_CASHSHORTENER) vializer.com
6363enlist_uri_host (PDS_CASHSHORTENER) viwright.com
6364enlist_uri_host (PDS_CASHSHORTENER) whareotiv.com
6365enlist_uri_host (PDS_CASHSHORTENER) wirecellar.com
6366enlist_uri_host (PDS_CASHSHORTENER) x19.biz
6367enlist_uri_host (PDS_CASHSHORTENER) x19network.com
6368enlist_uri_host (PDS_CASHSHORTENER) yabuilder.com
6369enlist_uri_host (PDS_CASHSHORTENER) yamechanic.com
6370enlist_uri_host (PDS_CASHSHORTENER) yoalizer.com
6371enlist_uri_host (PDS_CASHSHORTENER) yobuilder.com
6372enlist_uri_host (PDS_CASHSHORTENER) yoineer.com
6373enlist_uri_host (PDS_CASHSHORTENER) yoitect.com
6374enlist_uri_host (PDS_CASHSHORTENER) zipansion.com
6375enlist_uri_host (PDS_CASHSHORTENER) zipteria.com
6376enlist_uri_host (PDS_CASHSHORTENER) zipvale.com
6377enlist_uri_host (PDS_URISHORTENER) owl.li
6378enlist_uri_host (PDS_URISHORTENER) formspring.me
6379enlist_uri_host (PDS_URISHORTENER) cc.uz
6380enlist_uri_host (PDS_URISHORTENER) back.ly
6381enlist_uri_host (PDS_URISHORTENER) surl.me
6382enlist_uri_host (PDS_URISHORTENER) mysp.ac
6383enlist_uri_host (PDS_URISHORTENER) s.apache.org
6384enlist_uri_host (PDS_URISHORTENER) 0rz.tw
6385enlist_uri_host (PDS_URISHORTENER) 1l2.us
6386enlist_uri_host (PDS_URISHORTENER) 1link.in
6387enlist_uri_host (PDS_URISHORTENER) 1u.ro
6388enlist_uri_host (PDS_URISHORTENER) 1url.com
6389enlist_uri_host (PDS_URISHORTENER) 2.gp
6390enlist_uri_host (PDS_URISHORTENER) 2.ly
6391enlist_uri_host (PDS_URISHORTENER) 2big.at
6392enlist_uri_host (PDS_URISHORTENER) 2chap.it
6393enlist_uri_host (PDS_URISHORTENER) 2pl.us
6394enlist_uri_host (PDS_URISHORTENER) 2su.de
6395enlist_uri_host (PDS_URISHORTENER) 2tu.us
6396enlist_uri_host (PDS_URISHORTENER) 2ze.us
6397enlist_uri_host (PDS_URISHORTENER) 3.ly
6398enlist_uri_host (PDS_URISHORTENER) 301.to
6399enlist_uri_host (PDS_URISHORTENER) 301url.com
6400enlist_uri_host (PDS_URISHORTENER) 307.to
6401enlist_uri_host (PDS_URISHORTENER) 4ms.me
6402enlist_uri_host (PDS_URISHORTENER) 4sq.com
6403enlist_uri_host (PDS_URISHORTENER) 4url.cc
6404enlist_uri_host (PDS_URISHORTENER) 6url.com
6405enlist_uri_host (PDS_URISHORTENER) 7.ly
6406enlist_uri_host (PDS_URISHORTENER) 9mp.com
6407enlist_uri_host (PDS_URISHORTENER) a.gd
6408enlist_uri_host (PDS_URISHORTENER) a.gg
6409enlist_uri_host (PDS_URISHORTENER) a.nf
6410enlist_uri_host (PDS_URISHORTENER) a2a.me
6411enlist_uri_host (PDS_URISHORTENER) a2n.eu
6412enlist_uri_host (PDS_URISHORTENER) aa.cx
6413enlist_uri_host (PDS_URISHORTENER) abbr.com
6414enlist_uri_host (PDS_URISHORTENER) abcurl.net
6415enlist_uri_host (PDS_URISHORTENER) abe5.com
6416enlist_uri_host (PDS_URISHORTENER) access.im
6417enlist_uri_host (PDS_URISHORTENER) ad.vu
6418enlist_uri_host (PDS_URISHORTENER) adf.ly
6419enlist_uri_host (PDS_URISHORTENER) adjix.com
6420enlist_uri_host (PDS_URISHORTENER) afx.cc
6421enlist_uri_host (PDS_URISHORTENER) all.fuseurl.com
6422enlist_uri_host (PDS_URISHORTENER) alturl.com
6423enlist_uri_host (PDS_URISHORTENER) amzn.com
6424enlist_uri_host (PDS_URISHORTENER) amzn.to
6425enlist_uri_host (PDS_URISHORTENER) ar.gy
6426enlist_uri_host (PDS_URISHORTENER) arm.in
6427enlist_uri_host (PDS_URISHORTENER) arst.ch
6428enlist_uri_host (PDS_URISHORTENER) asso.in
6429enlist_uri_host (PDS_URISHORTENER) atu.ca
6430enlist_uri_host (PDS_URISHORTENER) aurls.info
6431enlist_uri_host (PDS_URISHORTENER) awe.sm
6432enlist_uri_host (PDS_URISHORTENER) ayl.lv
6433enlist_uri_host (PDS_URISHORTENER) azc.cc
6434enlist_uri_host (PDS_URISHORTENER) azqq.com
6435enlist_uri_host (PDS_URISHORTENER) b23.ru
6436enlist_uri_host (PDS_URISHORTENER) b2l.me
6437enlist_uri_host (PDS_URISHORTENER) b65.com
6438enlist_uri_host (PDS_URISHORTENER) b65.us
6439enlist_uri_host (PDS_URISHORTENER) bacn.me
6440enlist_uri_host (PDS_URISHORTENER) bcool.bz
6441enlist_uri_host (PDS_URISHORTENER) beam.to
6442enlist_uri_host (PDS_URISHORTENER) bgl.me
6443enlist_uri_host (PDS_URISHORTENER) binged.it
6444enlist_uri_host (PDS_URISHORTENER) bit.do
6445enlist_uri_host (PDS_URISHORTENER) bit.ly
6446enlist_uri_host (PDS_URISHORTENER) bitly.com
6447enlist_uri_host (PDS_URISHORTENER) bizj.us
6448enlist_uri_host (PDS_URISHORTENER) bkite.com
6449enlist_uri_host (PDS_URISHORTENER) blippr.com
6450enlist_uri_host (PDS_URISHORTENER) bloat.me
6451enlist_uri_host (PDS_URISHORTENER) blu.cc
6452enlist_uri_host (PDS_URISHORTENER) bon.no
6453enlist_uri_host (PDS_URISHORTENER) bravo.ly
6454enlist_uri_host (PDS_URISHORTENER) bsa.ly
6455enlist_uri_host (PDS_URISHORTENER) bt.io
6456enlist_uri_host (PDS_URISHORTENER) budurl.com
6457enlist_uri_host (PDS_URISHORTENER) buff.ly
6458enlist_uri_host (PDS_URISHORTENER) buk.me
6459enlist_uri_host (PDS_URISHORTENER) burnurl.com
6460enlist_uri_host (PDS_URISHORTENER) c-o.in
6461enlist_uri_host (PDS_URISHORTENER) c.shamekh.ws
6462enlist_uri_host (PDS_URISHORTENER) canurl.com
6463enlist_uri_host (PDS_URISHORTENER) cd4.me
6464enlist_uri_host (PDS_URISHORTENER) chilp.it
6465enlist_uri_host (PDS_URISHORTENER) chopd.it
6466enlist_uri_host (PDS_URISHORTENER) chpt.me
6467enlist_uri_host (PDS_URISHORTENER) chs.mx
6468enlist_uri_host (PDS_URISHORTENER) chzb.gr
6469enlist_uri_host (PDS_URISHORTENER) cl.lk
6470enlist_uri_host (PDS_URISHORTENER) cl.ly
6471enlist_uri_host (PDS_URISHORTENER) clck.ru
6472enlist_uri_host (PDS_URISHORTENER) cli.gs
6473enlist_uri_host (PDS_URISHORTENER) cliccami.info
6474enlist_uri_host (PDS_URISHORTENER) clickthru.ca
6475enlist_uri_host (PDS_URISHORTENER) clipurl.us
6476enlist_uri_host (PDS_URISHORTENER) clk.my
6477enlist_uri_host (PDS_URISHORTENER) cloaky.de
6478enlist_uri_host (PDS_URISHORTENER) clop.in
6479enlist_uri_host (PDS_URISHORTENER) clp.ly
6480enlist_uri_host (PDS_URISHORTENER) coge.la
6481enlist_uri_host (PDS_URISHORTENER) cokeurl.com
6482enlist_uri_host (PDS_URISHORTENER) conta.cc
6483enlist_uri_host (PDS_URISHORTENER) cort.as
6484enlist_uri_host (PDS_URISHORTENER) cot.ag
6485enlist_uri_host (PDS_URISHORTENER) crks.me
6486enlist_uri_host (PDS_URISHORTENER) crum.pl
6487enlist_uri_host (PDS_URISHORTENER) ctvr.us
6488enlist_uri_host (PDS_URISHORTENER) curio.us
6489enlist_uri_host (PDS_URISHORTENER) cuthut.com
6490enlist_uri_host (PDS_URISHORTENER) cutt.us
6491enlist_uri_host (PDS_URISHORTENER) cuturl.com
6492enlist_uri_host (PDS_URISHORTENER) cuturls.com
6493enlist_uri_host (PDS_URISHORTENER) dai.ly
6494enlist_uri_host (PDS_URISHORTENER) db.tt
6495enlist_uri_host (PDS_URISHORTENER) dealspl.us
6496enlist_uri_host (PDS_URISHORTENER) decenturl.com
6497enlist_uri_host (PDS_URISHORTENER) df9.net
6498enlist_uri_host (PDS_URISHORTENER) dfl8.me
6499enlist_uri_host (PDS_URISHORTENER) digbig.com
6500enlist_uri_host (PDS_URISHORTENER) digg.com
6501enlist_uri_host (PDS_URISHORTENER) digipills.com
6502enlist_uri_host (PDS_URISHORTENER) digs.by
6503enlist_uri_host (PDS_URISHORTENER) disq.us
6504enlist_uri_host (PDS_URISHORTENER) dld.bz
6505enlist_uri_host (PDS_URISHORTENER) dlvr.it
6506enlist_uri_host (PDS_URISHORTENER) dn.vc
6507enlist_uri_host (PDS_URISHORTENER) do.my
6508enlist_uri_host (PDS_URISHORTENER) doi.org
6509enlist_uri_host (PDS_URISHORTENER) doiop.com
6510enlist_uri_host (PDS_URISHORTENER) dopen.us
6511enlist_uri_host (PDS_URISHORTENER) dr.tl
6512enlist_uri_host (PDS_URISHORTENER) drudge.tw
6513enlist_uri_host (PDS_URISHORTENER) durl.me
6514enlist_uri_host (PDS_URISHORTENER) durl.us
6515enlist_uri_host (PDS_URISHORTENER) dvlr.it
6516enlist_uri_host (PDS_URISHORTENER) dwarfurl.com
6517enlist_uri_host (PDS_URISHORTENER) easyuri.com
6518enlist_uri_host (PDS_URISHORTENER) easyurl.net
6519enlist_uri_host (PDS_URISHORTENER) eca.sh
6520enlist_uri_host (PDS_URISHORTENER) eclurl.com
6521enlist_uri_host (PDS_URISHORTENER) eepurl.com
6522enlist_uri_host (PDS_URISHORTENER) eezurl.com
6523enlist_uri_host (PDS_URISHORTENER) eweri.com
6524enlist_uri_host (PDS_URISHORTENER) ewerl.com
6525enlist_uri_host (PDS_URISHORTENER) ezurl.eu
6526enlist_uri_host (PDS_URISHORTENER) fa.by
6527enlist_uri_host (PDS_URISHORTENER) faceto.us
6528enlist_uri_host (PDS_URISHORTENER) fav.me
6529enlist_uri_host (PDS_URISHORTENER) fb.me
6530enlist_uri_host (PDS_URISHORTENER) fbshare.me
6531enlist_uri_host (PDS_URISHORTENER) ff.im
6532enlist_uri_host (PDS_URISHORTENER) fff.to
6533enlist_uri_host (PDS_URISHORTENER) fhurl.com
6534enlist_uri_host (PDS_URISHORTENER) fire.to
6535enlist_uri_host (PDS_URISHORTENER) firsturl.de
6536enlist_uri_host (PDS_URISHORTENER) firsturl.net
6537enlist_uri_host (PDS_URISHORTENER) flic.kr
6538enlist_uri_host (PDS_URISHORTENER) flingk.com
6539enlist_uri_host (PDS_URISHORTENER) flq.us
6540enlist_uri_host (PDS_URISHORTENER) fly2.ws
6541enlist_uri_host (PDS_URISHORTENER) fon.gs
6542enlist_uri_host (PDS_URISHORTENER) foxyurl.com
6543enlist_uri_host (PDS_URISHORTENER) freak.to
6544enlist_uri_host (PDS_URISHORTENER) fur.ly
6545enlist_uri_host (PDS_URISHORTENER) fuseurl.com
6546enlist_uri_host (PDS_URISHORTENER) fuzzy.to
6547enlist_uri_host (PDS_URISHORTENER) fwd4.me
6548enlist_uri_host (PDS_URISHORTENER) fwdurl.net
6549enlist_uri_host (PDS_URISHORTENER) fwib.net
6550enlist_uri_host (PDS_URISHORTENER) g.ro.lt
6551enlist_uri_host (PDS_URISHORTENER) g8l.us
6552enlist_uri_host (PDS_URISHORTENER) get-shorty.com
6553enlist_uri_host (PDS_URISHORTENER) get-url.com
6554enlist_uri_host (PDS_URISHORTENER) get.sh
6555enlist_uri_host (PDS_URISHORTENER) geturl.us
6556enlist_uri_host (PDS_URISHORTENER) gg.gg
6557enlist_uri_host (PDS_URISHORTENER) gi.vc
6558enlist_uri_host (PDS_URISHORTENER) gizmo.do
6559enlist_uri_host (PDS_URISHORTENER) gkurl.us
6560enlist_uri_host (PDS_URISHORTENER) gl.am
6561enlist_uri_host (PDS_URISHORTENER) go.9nl.com
6562enlist_uri_host (PDS_URISHORTENER) go.ign.com
6563enlist_uri_host (PDS_URISHORTENER) go.to
6564enlist_uri_host (PDS_URISHORTENER) go.usa.gov
6565enlist_uri_host (PDS_URISHORTENER) go2.me
6566enlist_uri_host (PDS_URISHORTENER) gog.li
6567enlist_uri_host (PDS_URISHORTENER) golmao.com
6568enlist_uri_host (PDS_URISHORTENER) goo.gl
6569enlist_uri_host (PDS_URISHORTENER) goo.io
6570enlist_uri_host (PDS_URISHORTENER) good.ly
6571enlist_uri_host (PDS_URISHORTENER) goshrink.com
6572enlist_uri_host (PDS_URISHORTENER) gplus.to
6573enlist_uri_host (PDS_URISHORTENER) gri.ms
6574enlist_uri_host (PDS_URISHORTENER) gurl.es
6575enlist_uri_host (PDS_URISHORTENER) hao.jp
6576enlist_uri_host (PDS_URISHORTENER) hellotxt.com
6577enlist_uri_host (PDS_URISHORTENER) hex.io
6578enlist_uri_host (PDS_URISHORTENER) hiderefer.com
6579enlist_uri_host (PDS_URISHORTENER) hmm.ph
6580enlist_uri_host (PDS_URISHORTENER) hop.im
6581enlist_uri_host (PDS_URISHORTENER) hop.kz
6582enlist_uri_host (PDS_URISHORTENER) hopclicks.com
6583enlist_uri_host (PDS_URISHORTENER) hotredirect.com
6584enlist_uri_host (PDS_URISHORTENER) hotshorturl.com
6585enlist_uri_host (PDS_URISHORTENER) href.in
6586enlist_uri_host (PDS_URISHORTENER) hsblinks.com
6587enlist_uri_host (PDS_URISHORTENER) ht.ly
6588enlist_uri_host (PDS_URISHORTENER) htxt.it
6589enlist_uri_host (PDS_URISHORTENER) hub.am
6590enlist_uri_host (PDS_URISHORTENER) huff.to
6591enlist_uri_host (PDS_URISHORTENER) hugeurl.com
6592enlist_uri_host (PDS_URISHORTENER) hulu.com
6593enlist_uri_host (PDS_URISHORTENER) hurl.it
6594enlist_uri_host (PDS_URISHORTENER) hurl.me
6595enlist_uri_host (PDS_URISHORTENER) hurl.no
6596enlist_uri_host (PDS_URISHORTENER) hurl.ws
6597enlist_uri_host (PDS_URISHORTENER) icanhaz.com
6598enlist_uri_host (PDS_URISHORTENER) icio.us
6599enlist_uri_host (PDS_URISHORTENER) idek.net
6600enlist_uri_host (PDS_URISHORTENER) ikr.me
6601enlist_uri_host (PDS_URISHORTENER) ilix.in
6602enlist_uri_host (PDS_URISHORTENER) inx.lv
6603enlist_uri_host (PDS_URISHORTENER) ir.pe
6604enlist_uri_host (PDS_URISHORTENER) irt.me
6605enlist_uri_host (PDS_URISHORTENER) is.gd
6606enlist_uri_host (PDS_URISHORTENER) iscool.net
6607enlist_uri_host (PDS_URISHORTENER) it2.in
6608enlist_uri_host (PDS_URISHORTENER) ito.mx
6609enlist_uri_host (PDS_URISHORTENER) its.my
6610enlist_uri_host (PDS_URISHORTENER) itsy.it
6611enlist_uri_host (PDS_URISHORTENER) ix.lt
6612enlist_uri_host (PDS_URISHORTENER) j.mp
6613enlist_uri_host (PDS_URISHORTENER) j2j.de
6614enlist_uri_host (PDS_URISHORTENER) jdem.cz
6615enlist_uri_host (PDS_URISHORTENER) jijr.com
6616enlist_uri_host (PDS_URISHORTENER) just.as
6617enlist_uri_host (PDS_URISHORTENER) k.vu
6618enlist_uri_host (PDS_URISHORTENER) k6.kz
6619enlist_uri_host (PDS_URISHORTENER) ketkp.in
6620enlist_uri_host (PDS_URISHORTENER) kisa.ch
6621enlist_uri_host (PDS_URISHORTENER) kissa.be
6622enlist_uri_host (PDS_URISHORTENER) kl.am
6623enlist_uri_host (PDS_URISHORTENER) klck.me
6624enlist_uri_host (PDS_URISHORTENER) kore.us
6625enlist_uri_host (PDS_URISHORTENER) korta.nu
6626enlist_uri_host (PDS_URISHORTENER) kots.nu
6627enlist_uri_host (PDS_URISHORTENER) krunchd.com
6628enlist_uri_host (PDS_URISHORTENER) krz.ch
6629enlist_uri_host (PDS_URISHORTENER) ktzr.us
6630enlist_uri_host (PDS_URISHORTENER) kxk.me
6631enlist_uri_host (PDS_URISHORTENER) l.hh.de
6632enlist_uri_host (PDS_URISHORTENER) l.pr
6633enlist_uri_host (PDS_URISHORTENER) l9k.net
6634enlist_uri_host (PDS_URISHORTENER) lat.ms
6635enlist_uri_host (PDS_URISHORTENER) liip.to
6636enlist_uri_host (PDS_URISHORTENER) liltext.com
6637enlist_uri_host (PDS_URISHORTENER) lin.cr
6638enlist_uri_host (PDS_URISHORTENER) lin.io
6639enlist_uri_host (PDS_URISHORTENER) linkbee.com
6640enlist_uri_host (PDS_URISHORTENER) linkbun.ch
6641enlist_uri_host (PDS_URISHORTENER) linkee.com
6642enlist_uri_host (PDS_URISHORTENER) linkgap.com
6643enlist_uri_host (PDS_URISHORTENER) linkslice.com
6644enlist_uri_host (PDS_URISHORTENER) linxfix.de
6645enlist_uri_host (PDS_URISHORTENER) liteurl.net
6646enlist_uri_host (PDS_URISHORTENER) liurl.cn
6647enlist_uri_host (PDS_URISHORTENER) livesi.de
6648enlist_uri_host (PDS_URISHORTENER) lix.in
6649enlist_uri_host (PDS_URISHORTENER) lk.ht
6650enlist_uri_host (PDS_URISHORTENER) ln-s.net
6651enlist_uri_host (PDS_URISHORTENER) ln-s.ru
6652enlist_uri_host (PDS_URISHORTENER) lnk.by
6653enlist_uri_host (PDS_URISHORTENER) lnk.gd
6654enlist_uri_host (PDS_URISHORTENER) lnk.in
6655enlist_uri_host (PDS_URISHORTENER) lnk.ly
6656enlist_uri_host (PDS_URISHORTENER) lnk.ms
6657enlist_uri_host (PDS_URISHORTENER) lnk.sk
6658enlist_uri_host (PDS_URISHORTENER) lnkd.in
6659enlist_uri_host (PDS_URISHORTENER) lnkurl.com
6660enlist_uri_host (PDS_URISHORTENER) loopt.us
6661enlist_uri_host (PDS_URISHORTENER) lost.in
6662enlist_uri_host (PDS_URISHORTENER) lru.jp
6663enlist_uri_host (PDS_URISHORTENER) lt.tl
6664enlist_uri_host (PDS_URISHORTENER) lu.to
6665enlist_uri_host (PDS_URISHORTENER) lurl.no
6666enlist_uri_host (PDS_URISHORTENER) macte.ch
6667enlist_uri_host (PDS_URISHORTENER) mash.to
6668enlist_uri_host (PDS_URISHORTENER) mavrev.com
6669enlist_uri_host (PDS_URISHORTENER) mcaf.ee
6670enlist_uri_host (PDS_URISHORTENER) memurl.com
6671enlist_uri_host (PDS_URISHORTENER) merky.de
6672enlist_uri_host (PDS_URISHORTENER) metamark.net
6673enlist_uri_host (PDS_URISHORTENER) migre.me
6674enlist_uri_host (PDS_URISHORTENER) min2.me
6675enlist_uri_host (PDS_URISHORTENER) minilien.com
6676enlist_uri_host (PDS_URISHORTENER) minilink.org
6677enlist_uri_host (PDS_URISHORTENER) miniurl.com
6678enlist_uri_host (PDS_URISHORTENER) minurl.fr
6679enlist_uri_host (PDS_URISHORTENER) mke.me
6680enlist_uri_host (PDS_URISHORTENER) moby.to
6681enlist_uri_host (PDS_URISHORTENER) moourl.com
6682enlist_uri_host (PDS_URISHORTENER) mrte.ch
6683enlist_uri_host (PDS_URISHORTENER) msg.sg
6684enlist_uri_host (PDS_URISHORTENER) murl.kz
6685enlist_uri_host (PDS_URISHORTENER) mv2.me
6686enlist_uri_host (PDS_URISHORTENER) myloc.me
6687enlist_uri_host (PDS_URISHORTENER) mysp.in
6688enlist_uri_host (PDS_URISHORTENER) myurl.in
6689enlist_uri_host (PDS_URISHORTENER) myurl.si
6690enlist_uri_host (PDS_URISHORTENER) n.pr
6691enlist_uri_host (PDS_URISHORTENER) nanoref.com
6692enlist_uri_host (PDS_URISHORTENER) nanourl.se
6693enlist_uri_host (PDS_URISHORTENER) nbc.co
6694enlist_uri_host (PDS_URISHORTENER) nblo.gs
6695enlist_uri_host (PDS_URISHORTENER) nbx.ch
6696enlist_uri_host (PDS_URISHORTENER) ncane.com
6697enlist_uri_host (PDS_URISHORTENER) ndurl.com
6698enlist_uri_host (PDS_URISHORTENER) ne1.net
6699enlist_uri_host (PDS_URISHORTENER) netnet.me
6700enlist_uri_host (PDS_URISHORTENER) netshortcut.com
6701enlist_uri_host (PDS_URISHORTENER) ni.to
6702enlist_uri_host (PDS_URISHORTENER) nig.gr
6703enlist_uri_host (PDS_URISHORTENER) nm.ly
6704enlist_uri_host (PDS_URISHORTENER) nn.nf
6705enlist_uri_host (PDS_URISHORTENER) not.my
6706enlist_uri_host (PDS_URISHORTENER) notlong.com
6707enlist_uri_host (PDS_URISHORTENER) nsfw.in
6708enlist_uri_host (PDS_URISHORTENER) nutshellurl.com
6709enlist_uri_host (PDS_URISHORTENER) nxy.in
6710enlist_uri_host (PDS_URISHORTENER) nyti.ms
6711enlist_uri_host (PDS_URISHORTENER) o-x.fr
6712enlist_uri_host (PDS_URISHORTENER) o.ly
6713enlist_uri_host (PDS_URISHORTENER) oboeyasui.com
6714enlist_uri_host (PDS_URISHORTENER) oc1.us
6715enlist_uri_host (PDS_URISHORTENER) offur.com
6716enlist_uri_host (PDS_URISHORTENER) ofl.me
6717enlist_uri_host (PDS_URISHORTENER) om.ly
6718enlist_uri_host (PDS_URISHORTENER) omf.gd
6719enlist_uri_host (PDS_URISHORTENER) omoikane.net
6720enlist_uri_host (PDS_URISHORTENER) on.cnn.com
6721enlist_uri_host (PDS_URISHORTENER) on.mktw.net
6722enlist_uri_host (PDS_URISHORTENER) onecent.us
6723enlist_uri_host (PDS_URISHORTENER) onforb.es
6724enlist_uri_host (PDS_URISHORTENER) onion.com
6725enlist_uri_host (PDS_URISHORTENER) onsaas.info
6726enlist_uri_host (PDS_URISHORTENER) ooqx.com
6727enlist_uri_host (PDS_URISHORTENER) oreil.ly
6728enlist_uri_host (PDS_URISHORTENER) orz.se
6729enlist_uri_host (PDS_URISHORTENER) ow.ly
6730enlist_uri_host (PDS_URISHORTENER) oxyz.info
6731enlist_uri_host (PDS_URISHORTENER) p.ly
6732enlist_uri_host (PDS_URISHORTENER) p8g.tw
6733enlist_uri_host (PDS_URISHORTENER) parv.us
6734enlist_uri_host (PDS_URISHORTENER) paulding.net
6735enlist_uri_host (PDS_URISHORTENER) pduda.mobi
6736enlist_uri_host (PDS_URISHORTENER) peaurl.com
6737enlist_uri_host (PDS_URISHORTENER) pendek.in
6738enlist_uri_host (PDS_URISHORTENER) pep.si
6739enlist_uri_host (PDS_URISHORTENER) pic.gd
6740enlist_uri_host (PDS_URISHORTENER) piko.me
6741enlist_uri_host (PDS_URISHORTENER) ping.fm
6742enlist_uri_host (PDS_URISHORTENER) piurl.com
6743enlist_uri_host (PDS_URISHORTENER) pli.gs
6744enlist_uri_host (PDS_URISHORTENER) plumurl.com
6745enlist_uri_host (PDS_URISHORTENER) plurl.me
6746enlist_uri_host (PDS_URISHORTENER) pnt.me
6747enlist_uri_host (PDS_URISHORTENER) politi.co
6748enlist_uri_host (PDS_URISHORTENER) poll.fm
6749enlist_uri_host (PDS_URISHORTENER) pop.ly
6750enlist_uri_host (PDS_URISHORTENER) poprl.com
6751enlist_uri_host (PDS_URISHORTENER) post.ly
6752enlist_uri_host (PDS_URISHORTENER) posted.at
6753enlist_uri_host (PDS_URISHORTENER) pp.gg
6754enlist_uri_host (PDS_URISHORTENER) profile.to
6755enlist_uri_host (PDS_URISHORTENER) pt2.me
6756enlist_uri_host (PDS_URISHORTENER) ptiturl.com
6757enlist_uri_host (PDS_URISHORTENER) pub.vitrue.com
6758enlist_uri_host (PDS_URISHORTENER) puke.it
6759enlist_uri_host (PDS_URISHORTENER) pysper.com
6760enlist_uri_host (PDS_URISHORTENER) qik.li
6761enlist_uri_host (PDS_URISHORTENER) qlnk.net
6762enlist_uri_host (PDS_URISHORTENER) qoiob.com
6763enlist_uri_host (PDS_URISHORTENER) qr.cx
6764enlist_uri_host (PDS_URISHORTENER) qte.me
6765enlist_uri_host (PDS_URISHORTENER) qu.tc
6766enlist_uri_host (PDS_URISHORTENER) quickurl.co.uk
6767enlist_uri_host (PDS_URISHORTENER) qurl.com
6768enlist_uri_host (PDS_URISHORTENER) qurlyq.com
6769enlist_uri_host (PDS_URISHORTENER) quu.nu
6770enlist_uri_host (PDS_URISHORTENER) qux.in
6771enlist_uri_host (PDS_URISHORTENER) qy.fi
6772enlist_uri_host (PDS_URISHORTENER) r.im
6773enlist_uri_host (PDS_URISHORTENER) rb6.me
6774enlist_uri_host (PDS_URISHORTENER) rde.me
6775enlist_uri_host (PDS_URISHORTENER) read.bi
6776enlist_uri_host (PDS_URISHORTENER) readthis.ca
6777enlist_uri_host (PDS_URISHORTENER) reallytinyurl.com
6778enlist_uri_host (PDS_URISHORTENER) redir.ec
6779enlist_uri_host (PDS_URISHORTENER) redirects.ca
6780enlist_uri_host (PDS_URISHORTENER) redirx.com
6781enlist_uri_host (PDS_URISHORTENER) relyt.us
6782enlist_uri_host (PDS_URISHORTENER) retwt.me
6783enlist_uri_host (PDS_URISHORTENER) ri.ms
6784enlist_uri_host (PDS_URISHORTENER) rickroll.it
6785enlist_uri_host (PDS_URISHORTENER) rivva.de
6786enlist_uri_host (PDS_URISHORTENER) riz.gd
6787enlist_uri_host (PDS_URISHORTENER) rly.cc
6788enlist_uri_host (PDS_URISHORTENER) rnk.me
6789enlist_uri_host (PDS_URISHORTENER) rsmonkey.com
6790enlist_uri_host (PDS_URISHORTENER) rt.nu
6791enlist_uri_host (PDS_URISHORTENER) ru.ly
6792enlist_uri_host (PDS_URISHORTENER) rubyurl.com
6793enlist_uri_host (PDS_URISHORTENER) rurl.org
6794enlist_uri_host (PDS_URISHORTENER) rww.tw
6795enlist_uri_host (PDS_URISHORTENER) s.gnoss.us
6796enlist_uri_host (PDS_URISHORTENER) s3nt.com
6797enlist_uri_host (PDS_URISHORTENER) s4c.in
6798enlist_uri_host (PDS_URISHORTENER) s7y.us
6799enlist_uri_host (PDS_URISHORTENER) safe.mn
6800enlist_uri_host (PDS_URISHORTENER) safelinks.ru
6801enlist_uri_host (PDS_URISHORTENER) sai.ly
6802enlist_uri_host (PDS_URISHORTENER) sameurl.com
6803enlist_uri_host (PDS_URISHORTENER) sdut.us
6804enlist_uri_host (PDS_URISHORTENER) sed.cx
6805enlist_uri_host (PDS_URISHORTENER) sfu.ca
6806enlist_uri_host (PDS_URISHORTENER) shadyurl.com
6807enlist_uri_host (PDS_URISHORTENER) shar.es
6808enlist_uri_host (PDS_URISHORTENER) shim.net
6809enlist_uri_host (PDS_URISHORTENER) shink.de
6810enlist_uri_host (PDS_URISHORTENER) shorl.com
6811enlist_uri_host (PDS_URISHORTENER) short.ie
6812enlist_uri_host (PDS_URISHORTENER) short.to
6813enlist_uri_host (PDS_URISHORTENER) shorten.ws
6814enlist_uri_host (PDS_URISHORTENER) shortenurl.com
6815enlist_uri_host (PDS_URISHORTENER) shorterlink.com
6816enlist_uri_host (PDS_URISHORTENER) shortio.com
6817enlist_uri_host (PDS_URISHORTENER) shortlinks.co.uk
6818enlist_uri_host (PDS_URISHORTENER) shortly.nl
6819enlist_uri_host (PDS_URISHORTENER) shortn.me
6820enlist_uri_host (PDS_URISHORTENER) shortna.me
6821enlist_uri_host (PDS_URISHORTENER) shortr.me
6822enlist_uri_host (PDS_URISHORTENER) shorturl.com
6823enlist_uri_host (PDS_URISHORTENER) shortz.me
6824enlist_uri_host (PDS_URISHORTENER) shoturl.us
6825enlist_uri_host (PDS_URISHORTENER) shout.to
6826enlist_uri_host (PDS_URISHORTENER) show.my
6827enlist_uri_host (PDS_URISHORTENER) shredu
6828enlist_uri_host (PDS_URISHORTENER) shredurl.com
6829enlist_uri_host (PDS_URISHORTENER) shrinkify.com
6830enlist_uri_host (PDS_URISHORTENER) shrinkr.com
6831enlist_uri_host (PDS_URISHORTENER) shrinkster.com
6832enlist_uri_host (PDS_URISHORTENER) shrinkurl.us
6833enlist_uri_host (PDS_URISHORTENER) shrt.fr
6834enlist_uri_host (PDS_URISHORTENER) shrt.st
6835enlist_uri_host (PDS_URISHORTENER) shrt.ws
6836enlist_uri_host (PDS_URISHORTENER) shrten.com
6837enlist_uri_host (PDS_URISHORTENER) shrtl.com
6838enlist_uri_host (PDS_URISHORTENER) shrtn.com
6839enlist_uri_host (PDS_URISHORTENER) shrtnd.com
6840enlist_uri_host (PDS_URISHORTENER) shrunkin.com
6841enlist_uri_host (PDS_URISHORTENER) shurl.net
6842enlist_uri_host (PDS_URISHORTENER) shw.me
6843enlist_uri_host (PDS_URISHORTENER) simurl.com
6844enlist_uri_host (PDS_URISHORTENER) simurl.net
6845enlist_uri_host (PDS_URISHORTENER) simurl.org
6846enlist_uri_host (PDS_URISHORTENER) simurl.us
6847enlist_uri_host (PDS_URISHORTENER) sitelutions.com
6848enlist_uri_host (PDS_URISHORTENER) siteo.us
6849enlist_uri_host (PDS_URISHORTENER) sl.ly
6850enlist_uri_host (PDS_URISHORTENER) slate.me
6851enlist_uri_host (PDS_URISHORTENER) slidesha.re
6852enlist_uri_host (PDS_URISHORTENER) slki.ru
6853enlist_uri_host (PDS_URISHORTENER) smallr.com
6854enlist_uri_host (PDS_URISHORTENER) smallr.net
6855enlist_uri_host (PDS_URISHORTENER) smarturl.it
6856enlist_uri_host (PDS_URISHORTENER) smfu.in
6857enlist_uri_host (PDS_URISHORTENER) smsh.me
6858enlist_uri_host (PDS_URISHORTENER) smurl.com
6859enlist_uri_host (PDS_URISHORTENER) smurl.name
6860enlist_uri_host (PDS_URISHORTENER) sn.im
6861enlist_uri_host (PDS_URISHORTENER) sn.vc
6862enlist_uri_host (PDS_URISHORTENER) snadr.it
6863enlist_uri_host (PDS_URISHORTENER) snipie.com
6864enlist_uri_host (PDS_URISHORTENER) snipr.com
6865enlist_uri_host (PDS_URISHORTENER) snipurl.com
6866enlist_uri_host (PDS_URISHORTENER) snkr.me
6867enlist_uri_host (PDS_URISHORTENER) snurl.com
6868enlist_uri_host (PDS_URISHORTENER) soo.gd
6869enlist_uri_host (PDS_URISHORTENER) song.ly
6870enlist_uri_host (PDS_URISHORTENER) sp2.ro
6871enlist_uri_host (PDS_URISHORTENER) spedr.com
6872enlist_uri_host (PDS_URISHORTENER) sqze.it
6873enlist_uri_host (PDS_URISHORTENER) srnk.net
6874enlist_uri_host (PDS_URISHORTENER) srs.li
6875enlist_uri_host (PDS_URISHORTENER) starturl.com
6876enlist_uri_host (PDS_URISHORTENER) stickurl.com
6877enlist_uri_host (PDS_URISHORTENER) stpmvt.com
6878enlist_uri_host (PDS_URISHORTENER) sturly.com
6879enlist_uri_host (PDS_URISHORTENER) su.pr
6880enlist_uri_host (PDS_URISHORTENER) surl.co.uk
6881enlist_uri_host (PDS_URISHORTENER) surl.hu
6882enlist_uri_host (PDS_URISHORTENER) surl.it
6883enlist_uri_host (PDS_URISHORTENER) t.cn
6884enlist_uri_host (PDS_URISHORTENER) t.co
6885enlist_uri_host (PDS_URISHORTENER) t.lh.com
6886enlist_uri_host (PDS_URISHORTENER) ta.gd
6887enlist_uri_host (PDS_URISHORTENER) takemyfile.com
6888enlist_uri_host (PDS_URISHORTENER) tbd.ly
6889enlist_uri_host (PDS_URISHORTENER) tcrn.ch
6890enlist_uri_host (PDS_URISHORTENER) tgr.me
6891enlist_uri_host (PDS_URISHORTENER) tgr.ph
6892enlist_uri_host (PDS_URISHORTENER) th8.us
6893enlist_uri_host (PDS_URISHORTENER) thecow.me
6894enlist_uri_host (PDS_URISHORTENER) thrdl.es
6895enlist_uri_host (PDS_URISHORTENER) tighturl.com
6896enlist_uri_host (PDS_URISHORTENER) timesurl.at
6897enlist_uri_host (PDS_URISHORTENER) tini.us
6898enlist_uri_host (PDS_URISHORTENER) tiniuri.com
6899enlist_uri_host (PDS_URISHORTENER) tiny.cc
6900enlist_uri_host (PDS_URISHORTENER) tiny.ly
6901enlist_uri_host (PDS_URISHORTENER) tiny.pl
6902enlist_uri_host (PDS_URISHORTENER) tinyarro.ws
6903enlist_uri_host (PDS_URISHORTENER) tinylink.com
6904enlist_uri_host (PDS_URISHORTENER) tinylink.in
6905enlist_uri_host (PDS_URISHORTENER) tinypl.us
6906enlist_uri_host (PDS_URISHORTENER) tinysong.com
6907enlist_uri_host (PDS_URISHORTENER) tinytw.it
6908enlist_uri_host (PDS_URISHORTENER) tinyuri.ca
6909enlist_uri_host (PDS_URISHORTENER) tinyurl.com
6910enlist_uri_host (PDS_URISHORTENER) tk.
6911enlist_uri_host (PDS_URISHORTENER) tl.gd
6912enlist_uri_host (PDS_URISHORTENER) tllg.net
6913enlist_uri_host (PDS_URISHORTENER) tmi.me
6914enlist_uri_host (PDS_URISHORTENER) tncr.ws
6915enlist_uri_host (PDS_URISHORTENER) tnij.org
6916enlist_uri_host (PDS_URISHORTENER) tnw.to
6917enlist_uri_host (PDS_URISHORTENER) tny.com
6918enlist_uri_host (PDS_URISHORTENER) to.
6919enlist_uri_host (PDS_URISHORTENER) to.je
6920enlist_uri_host (PDS_URISHORTENER) to.ly
6921enlist_uri_host (PDS_URISHORTENER) to.vg
6922enlist_uri_host (PDS_URISHORTENER) togoto.us
6923enlist_uri_host (PDS_URISHORTENER) totc.us
6924enlist_uri_host (PDS_URISHORTENER) toysr.us
6925enlist_uri_host (PDS_URISHORTENER) tpm.ly
6926enlist_uri_host (PDS_URISHORTENER) tr.im
6927enlist_uri_host (PDS_URISHORTENER) tr.my
6928enlist_uri_host (PDS_URISHORTENER) tra.kz
6929enlist_uri_host (PDS_URISHORTENER) traceurl.com
6930enlist_uri_host (PDS_URISHORTENER) trackurl.it
6931enlist_uri_host (PDS_URISHORTENER) trcb.me
6932enlist_uri_host (PDS_URISHORTENER) trg.li
6933enlist_uri_host (PDS_URISHORTENER) trib.al
6934enlist_uri_host (PDS_URISHORTENER) trick.ly
6935enlist_uri_host (PDS_URISHORTENER) trii.us
6936enlist_uri_host (PDS_URISHORTENER) trim.li
6937enlist_uri_host (PDS_URISHORTENER) trumpink.lt
6938enlist_uri_host (PDS_URISHORTENER) trunc.it
6939enlist_uri_host (PDS_URISHORTENER) truncurl.com
6940enlist_uri_host (PDS_URISHORTENER) tsort.us
6941enlist_uri_host (PDS_URISHORTENER) tubeurl.com
6942enlist_uri_host (PDS_URISHORTENER) turo.us
6943enlist_uri_host (PDS_URISHORTENER) tw0.us
6944enlist_uri_host (PDS_URISHORTENER) tw1.us
6945enlist_uri_host (PDS_URISHORTENER) tw2.us
6946enlist_uri_host (PDS_URISHORTENER) tw5.us
6947enlist_uri_host (PDS_URISHORTENER) tw6.us
6948enlist_uri_host (PDS_URISHORTENER) tw8.us
6949enlist_uri_host (PDS_URISHORTENER) tw9.us
6950enlist_uri_host (PDS_URISHORTENER) twa.lk
6951enlist_uri_host (PDS_URISHORTENER) tweet.me
6952enlist_uri_host (PDS_URISHORTENER) tweetburner.com
6953enlist_uri_host (PDS_URISHORTENER) tweetl.com
6954enlist_uri_host (PDS_URISHORTENER) twhub.com
6955enlist_uri_host (PDS_URISHORTENER) twi.gy
6956enlist_uri_host (PDS_URISHORTENER) twip.us
6957enlist_uri_host (PDS_URISHORTENER) twirl.at
6958enlist_uri_host (PDS_URISHORTENER) twit.ac
6959enlist_uri_host (PDS_URISHORTENER) twitclicks.com
6960enlist_uri_host (PDS_URISHORTENER) twitterurl.net
6961enlist_uri_host (PDS_URISHORTENER) twitterurl.org
6962enlist_uri_host (PDS_URISHORTENER) twitthis.com
6963enlist_uri_host (PDS_URISHORTENER) twittu.ms
6964enlist_uri_host (PDS_URISHORTENER) twiturl.de
6965enlist_uri_host (PDS_URISHORTENER) twitzap.com
6966enlist_uri_host (PDS_URISHORTENER) twlv.net
6967enlist_uri_host (PDS_URISHORTENER) twtr.us
6968enlist_uri_host (PDS_URISHORTENER) twurl.cc
6969enlist_uri_host (PDS_URISHORTENER) twurl.nl
6970enlist_uri_host (PDS_URISHORTENER) u.mavrev.com
6971enlist_uri_host (PDS_URISHORTENER) u.nu
6972enlist_uri_host (PDS_URISHORTENER) u76.org
6973enlist_uri_host (PDS_URISHORTENER) ub0.cc
6974enlist_uri_host (PDS_URISHORTENER) uiop.me
6975enlist_uri_host (PDS_URISHORTENER) ulimit.com
6976enlist_uri_host (PDS_URISHORTENER) ulu.lu
6977enlist_uri_host (PDS_URISHORTENER) unfaker.it
6978enlist_uri_host (PDS_URISHORTENER) updating.me
6979enlist_uri_host (PDS_URISHORTENER) u.to
6980enlist_uri_host (PDS_URISHORTENER) ur.ly
6981enlist_uri_host (PDS_URISHORTENER) ur1.ca
6982enlist_uri_host (PDS_URISHORTENER) urizy.com
6983enlist_uri_host (PDS_URISHORTENER) url.ag
6984enlist_uri_host (PDS_URISHORTENER) url.az
6985enlist_uri_host (PDS_URISHORTENER) url.co.uk
6986enlist_uri_host (PDS_URISHORTENER) url.go.it
6987enlist_uri_host (PDS_URISHORTENER) url.ie
6988enlist_uri_host (PDS_URISHORTENER) url.inc-x.eu
6989enlist_uri_host (PDS_URISHORTENER) url.lotpatrol.com
6990enlist_uri_host (PDS_URISHORTENER) url360.me
6991enlist_uri_host (PDS_URISHORTENER) url4.eu
6992enlist_uri_host (PDS_URISHORTENER) urlao.com
6993enlist_uri_host (PDS_URISHORTENER) urlbee.com
6994enlist_uri_host (PDS_URISHORTENER) urlborg.com
6995enlist_uri_host (PDS_URISHORTENER) urlbrief.com
6996enlist_uri_host (PDS_URISHORTENER) urlcorta.es
6997enlist_uri_host (PDS_URISHORTENER) urlcover.com
6998enlist_uri_host (PDS_URISHORTENER) urlcut.com
6999enlist_uri_host (PDS_URISHORTENER) urlcutter.com
7000enlist_uri_host (PDS_URISHORTENER) urlenco.de
7001enlist_uri_host (PDS_URISHORTENER) urlg.info
7002enlist_uri_host (PDS_URISHORTENER) urlhawk.com
7003enlist_uri_host (PDS_URISHORTENER) urli.nl
7004enlist_uri_host (PDS_URISHORTENER) urlin.it
7005enlist_uri_host (PDS_URISHORTENER) urlkiss.com
7006enlist_uri_host (PDS_URISHORTENER) urloo.com
7007enlist_uri_host (PDS_URISHORTENER) urlpire.com
7008enlist_uri_host (PDS_URISHORTENER) urls.im
7009enlist_uri_host (PDS_URISHORTENER) urlshorteningservicefortwitter.com
7010enlist_uri_host (PDS_URISHORTENER) urltea.com
7011enlist_uri_host (PDS_URISHORTENER) urlu.ms
7012enlist_uri_host (PDS_URISHORTENER) urlvi.b
7013enlist_uri_host (PDS_URISHORTENER) urlvi.be
7014enlist_uri_host (PDS_URISHORTENER) urlx.ie
7015enlist_uri_host (PDS_URISHORTENER) urlz.at
7016enlist_uri_host (PDS_URISHORTENER) urlzen.com
7017enlist_uri_host (PDS_URISHORTENER) usat.ly
7018enlist_uri_host (PDS_URISHORTENER) use.my
7019enlist_uri_host (PDS_URISHORTENER) uservoice.com
7020enlist_uri_host (PDS_URISHORTENER) ustre.am
7021enlist_uri_host (PDS_URISHORTENER) vado.it
7022enlist_uri_host (PDS_URISHORTENER) vb.ly
7023enlist_uri_host (PDS_URISHORTENER) vdirect.com
7024enlist_uri_host (PDS_URISHORTENER) vgn.am
7025enlist_uri_host (PDS_URISHORTENER) vi.ly
7026enlist_uri_host (PDS_URISHORTENER) viigo.im
7027enlist_uri_host (PDS_URISHORTENER) virl.com
7028enlist_uri_host (PDS_URISHORTENER) vl.am
7029enlist_uri_host (PDS_URISHORTENER) vm.lc
7030enlist_uri_host (PDS_URISHORTENER) voizle.com
7031enlist_uri_host (PDS_URISHORTENER) vtc.es
7032enlist_uri_host (PDS_URISHORTENER) w0r.me
7033enlist_uri_host (PDS_URISHORTENER) w33.us
7034enlist_uri_host (PDS_URISHORTENER) w34.us
7035enlist_uri_host (PDS_URISHORTENER) w3t.org
7036enlist_uri_host (PDS_URISHORTENER) w55.de
7037enlist_uri_host (PDS_URISHORTENER) wa9.la
7038enlist_uri_host (PDS_URISHORTENER) wapo.st
7039enlist_uri_host (PDS_URISHORTENER) wapurl.co.uk
7040enlist_uri_host (PDS_URISHORTENER) webalias.com
7041enlist_uri_host (PDS_URISHORTENER) welcome.to
7042enlist_uri_host (PDS_URISHORTENER) wh.gov
7043enlist_uri_host (PDS_URISHORTENER) widg.me
7044enlist_uri_host (PDS_URISHORTENER) wipi.es
7045enlist_uri_host (PDS_URISHORTENER) wkrg.com
7046enlist_uri_host (PDS_URISHORTENER) woo.ly
7047enlist_uri_host (PDS_URISHORTENER) wp.me
7048enlist_uri_host (PDS_URISHORTENER) x.co
7049enlist_uri_host (PDS_URISHORTENER) x.hypem.com
7050enlist_uri_host (PDS_URISHORTENER) x.se
7051enlist_uri_host (PDS_URISHORTENER) x.vu
7052enlist_uri_host (PDS_URISHORTENER) xeeurl.com
7053enlist_uri_host (PDS_URISHORTENER) xil.in
7054enlist_uri_host (PDS_URISHORTENER) xlurl.de
7055enlist_uri_host (PDS_URISHORTENER) xn--1ci.ws
7056enlist_uri_host (PDS_URISHORTENER) xn--3fi.ws
7057enlist_uri_host (PDS_URISHORTENER) xn--5gi.ws
7058enlist_uri_host (PDS_URISHORTENER) xn--9gi.ws
7059enlist_uri_host (PDS_URISHORTENER) xn--bih.ws
7060enlist_uri_host (PDS_URISHORTENER) xn--cwg.ws
7061enlist_uri_host (PDS_URISHORTENER) xn--egi.ws
7062enlist_uri_host (PDS_URISHORTENER) xn--fwg.ws
7063enlist_uri_host (PDS_URISHORTENER) xn--hgi.ws
7064enlist_uri_host (PDS_URISHORTENER) xn--l3h.ws
7065enlist_uri_host (PDS_URISHORTENER) xn--odi.ws
7066enlist_uri_host (PDS_URISHORTENER) xn--ogi.ws
7067enlist_uri_host (PDS_URISHORTENER) xn--rei.ws
7068enlist_uri_host (PDS_URISHORTENER) xn--vgi.ws
7069enlist_uri_host (PDS_URISHORTENER) xr.com
7070enlist_uri_host (PDS_URISHORTENER) xrl.in
7071enlist_uri_host (PDS_URISHORTENER) xrl.us
7072enlist_uri_host (PDS_URISHORTENER) xrt.me
7073enlist_uri_host (PDS_URISHORTENER) xurl.es
7074enlist_uri_host (PDS_URISHORTENER) xurl.jp
7075enlist_uri_host (PDS_URISHORTENER) xxsurl.de
7076enlist_uri_host (PDS_URISHORTENER) xzb.cc
7077enlist_uri_host (PDS_URISHORTENER) y.ahoo.it
7078enlist_uri_host (PDS_URISHORTENER) yatuc.com
7079enlist_uri_host (PDS_URISHORTENER) ye-s.com
7080enlist_uri_host (PDS_URISHORTENER) ye.pe
7081enlist_uri_host (PDS_URISHORTENER) yep.it
7082enlist_uri_host (PDS_URISHORTENER) yfrog.com
7083enlist_uri_host (PDS_URISHORTENER) yhoo.it
7084enlist_uri_host (PDS_URISHORTENER) yiyd.com
7085enlist_uri_host (PDS_URISHORTENER) yuarel.com
7086enlist_uri_host (PDS_URISHORTENER) z.pe
7087enlist_uri_host (PDS_URISHORTENER) z0p.de
7088enlist_uri_host (PDS_URISHORTENER) zapt.in
7089enlist_uri_host (PDS_URISHORTENER) zi.ma
7090enlist_uri_host (PDS_URISHORTENER) zi.me
7091enlist_uri_host (PDS_URISHORTENER) zi.mu
7092enlist_uri_host (PDS_URISHORTENER) zi.pe
7093enlist_uri_host (PDS_URISHORTENER) zip.li
7094enlist_uri_host (PDS_URISHORTENER) zipmyurl.com
7095enlist_uri_host (PDS_URISHORTENER) zite.to
7096enlist_uri_host (PDS_URISHORTENER) zootit.com
7097enlist_uri_host (PDS_URISHORTENER) zud.me
7098enlist_uri_host (PDS_URISHORTENER) zurl.ws
7099enlist_uri_host (PDS_URISHORTENER) zz.gd
7100enlist_uri_host (PDS_URISHORTENER) zzang.kr
7101enlist_uri_host (PDS_URISHORTENER) t.ly
7102enlist_uri_host (PDS_URISHORTENER) wow.link
7103enlist_uri_host (PDS_URISHORTENER) twixar.me
7104enlist_uri_host (PDS_URISHORTENER) lnk.cm
7105enlist_uri_host (PDS_URISHORTENER) rb.gy
7106enlist_uri_host (PDS_URISHORTENER) gplinks.in
7107enlist_uri_host (PDS_URISHORTENER) utfg.sk
7108enlist_uri_host (PDS_URISHORTENER) um.lk
7109enlist_uri_host (PDS_URISHORTENER) xn--vi8hiv.ws
7110enlist_uri_host (PDS_URISHORTENER) ouo.io
7111enlist_uri_host (PDS_URISHORTENER) mmo.tc
7112enlist_uri_host (PDS_URISHORTENER) pvp.tc
7113enlist_uri_host (PDS_URISHORTENER) ko.tc
7114enlist_uri_host (PDS_URISHORTENER) m2.tc
7115enlist_uri_host (PDS_URISHORTENER) sro.tc
7116enlist_uri_host (PDS_URISHORTENER) heg.tc
7117enlist_uri_host (PDS_URISHORTENER) fn.tc
7118enlist_uri_host (PDS_URISHORTENER) lol.tc
7119enlist_uri_host (PDS_URISHORTENER) tek.link
7120enlist_uri_host (PDS_URISHORTENER) tr.im
7121enlist_uri_host (PDS_URISHORTENER) cutwin.biz
7122enlist_uri_host (PDS_URISHORTENER) urlzs.com
7123enlist_uri_host (PDS_URISHORTENER) qqc.co
7124enlist_uri_host (PDS_URISHORTENER) yyv.co
7125enlist_uri_host (PDS_URISHORTENER) erq.io
7126enlist_uri_host (PDS_URISHORTENER) yko.io
7127enlist_uri_host (PDS_URISHORTENER) poweredbysecurity.online
7128enlist_uri_host (PDS_URISHORTENER) poweredbysecurity.org
7129enlist_uri_host (PDS_URISHORTENER) poweredbydialup.online
7130enlist_uri_host (PDS_URISHORTENER) poweredbydialup.club
7131enlist_uri_host (PDS_URISHORTENER) canadianlumberjacks.online
7132enlist_uri_host (PDS_URISHORTENER) canadianlumberjacks.club
7133enlist_uri_host (PDS_URISHORTENER) packetlivesmatter.online
7134enlist_uri_host (PDS_URISHORTENER) packetlivesmatter.club
7135enlist_uri_host (PDS_URISHORTENER) amishprincess.com
7136enlist_uri_host (PDS_URISHORTENER) poweredbydialup.org
7137enlist_uri_host (PDS_URISHORTENER) amishdatacenter.com
7138enlist_uri_host (PDS_URISHORTENER) youtubeshort.pro
7139enlist_uri_host (PDS_URISHORTENER) catsnthing.com
7140enlist_uri_host (PDS_URISHORTENER) youtubeshort.watch
7141enlist_uri_host (PDS_URISHORTENER) yourtube.site
7142enlist_uri_host (PDS_URISHORTENER) catsnthings.fun
7143enlist_uri_host (PDS_URISHORTENER) curiouscat.club
7144enlist_uri_host (PDS_URISHORTENER) crabrave.pw
7145enlist_uri_host (PDS_URISHORTENER) fortnitechat.site
7146enlist_uri_host (PDS_URISHORTENER) fortnight.space
7147enlist_uri_host (PDS_URISHORTENER) disçordapp.com
7148enlist_uri_host (PDS_URISHORTENER) freegiftcards.co
7149enlist_uri_host (PDS_URISHORTENER) minecräft.com
7150enlist_uri_host (PDS_URISHORTENER) stopify.co
7151enlist_uri_host (PDS_URISHORTENER) spottyfly.com
7152enlist_uri_host (PDS_URISHORTENER) bmwforum.co
7153enlist_uri_host (PDS_URISHORTENER) grabify.link
7154enlist_uri_host (PDS_URISHORTENER) joinmy.site
7155enlist_uri_host (PDS_URISHORTENER) youshouldclick.us
7156reuse T_PDS_SHORTFWD_URISHRT
7157endif
7158endif
7159##} ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox
7160
7161##{ redirector_pattern_sandbox
7162
7163redirector_pattern m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i
7164redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i
7165redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:site|inurl):(.*?)(?:$|%20|[\s+&\#])'i
7166redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&\#])'i
7167redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i
7168redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/pagead/iclk\?.*?(?<=[?&])adurl=(.*?)(?:$|[&\#])'i
7169redirector_pattern m'^https?:/*(?:\w+\.)?aol\.com/redir\.adp\?.*(?<=[?&])_url=(.*?)(?:$|[&\#])'i
7170redirector_pattern m'^https?/*(?:\w+\.)?facebook\.com/l/;(.*)'i
7171##} redirector_pattern_sandbox
7172
7173##{ reuse_sandbox
7174
7175reuse T_PDS_HIDDEN_UK_BUSINESSLOAN
7176reuse T_PDS_DOUBLE_URL
7177reuse T_PDS_DBL_URL_LINKBAIT
7178reuse PDS_DBL_URL_TNB_RUNON
7179reuse T_PDS_DBL_URL_ILLEGAL_CHARS
7180reuse FROM_2_EMAILS_SHORT
7181reuse T_SHORT_BODY_QUOTE
7182reuse T_BODY_QUOTE_MALF_MSGID
7183reuse SPOOFED_FREEMAIL_NO_RDNS
7184reuse T_PDS_URI_HIDDEN_HELO_NO_DOMAIN
7185reuse PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
7186reuse PDS_TONAME_EQ_TOLOCAL_SHORT
7187reuse PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
7188reuse PDS_TONAME_EQ_TOLOCAL_VSHORT
7189reuse T_PDS_LITECOIN_ID
7190reuse PDS_BTC_ID
7191reuse PDS_BTC_MSGID
7192reuse __PDS_GOOGLE_DRIVE_SHARE_1
7193reuse __PDS_GOOGLE_DRIVE_SHARE_2
7194reuse __PDS_GOOGLE_DRIVE_SHARE_3
7195reuse __PDS_GOOGLE_DRIVE_SHARE
7196reuse T_GOOGLE_DRIVE_DEAR_SOMETHING
7197reuse __PDS_GOOGLE_DRIVE_FILE
7198reuse __SHORT_BODY_G_DRIVE
7199reuse __SHORT_BODY_G_DRIVE_DYN
7200reuse T_SHORT_BODY_G_DRIVE_DYN
7201reuse T_FROM_NAME_EQ_TO_G_DRIVE
7202##} reuse_sandbox
7203
7204
7205uri __128_ALNUM_URI m;[/?][0-9a-z]{128,}$;i
7206
7207uri __128_HEX_URI m,/[0-9a-f]{128},
7208
7209uri __128_LC_URI m;[/?][a-z]{128,}$;
7210
7211uri __45_ALNUM_IMG m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g)$;i
7212
7213uri __45_ALNUM_URI m;[/?][0-9a-z]{45,}$;i
7214
7215meta __45_ALNUM_URI_O __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI
7216
7217uri __64_ANY_URI m;[/?]\w{64,}$;i
7218
7219body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i
7220
7221body __ACCESS_REVOKE /(?:(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)|Ihre Kreditkarte wird gesperrt)/i
7222
7223body __ACCESS_SUSPENDED /\b(?:(?:access|account|e?-?mails) (?:suspension|(?:has|have) (?:been )?(?:temporar(?:il)?y (?:been )?)?(?:suspended|blocked|locked|blacklisted))|suspend (?:you from|your) access(?:ing)?|suspen(?:sion|se|ded) noti(?:ce|fication))\b/i
7224tflags __ACCESS_SUSPENDED multiple maxhits=2
7225
7226body __ACCOUNT_DISRUPT /\b(?:ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)|(?:avoid|incoming) (?:[a-z]+ ){0,5}e?-?mails? (?:from )?being rejected|avoid (?:account|e?-?mail(?: ?box)? )?(?:shut ?down|suspension|locking|termination|expiration)|will terminate (?:your|its) service)\b/i
7227tflags __ACCOUNT_DISRUPT multiple maxhits=2
7228
7229body __ACCOUNT_ERROR /\b(?:your account (?:is|appears to be) (?:incorrect|missing|in error|invalid))\b/i
7230
7231body __ACCOUNT_REACTIV /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i
7232
7233body __ACCOUNT_SECURE /\b(?:make your (?:"?[^\@\s]+\@\S+"? |e-?mail )?account more secure|Ihre Kreditkarte weist einige Sicherheitsprobleme)\b/i
7234
7235body __ACCOUNT_UPGRADE /\b(?:upgrade (?:of )your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded|Weiter zur Aktualisierung)\b/i
7236
7237meta __ACCT_PHISH (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __PDS_FROM_NAME_TO_DOMAIN) > 1 && !__ACCT_PHISH_MANY
7238
7239meta __ACCT_PHISH_MANY (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + __PDS_FROM_NAME_TO_DOMAIN) > 3
7240
7241body __ACH_CANCELLED_01 /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
7242
7243body __ACH_CANCELLED_02 /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i
7244
7245body __ACH_CANCELLED_03 /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
7246
7247body __ACH_CANCELLED_04 /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i
7248
7249ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7250 meta __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH
7251endif
7252
7253uri __AC_1SEQC_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/C\//
7254
7255uri __AC_1SEQV_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/V\//
7256
7257uri __AC_CHDSEQ_URI /\/chd[a-z0-9]{20,}/
7258
7259header __AC_FROM_MANY_DOTS From =~ /<(?:\w{2,}\.){2,}\w+@/
7260
7261meta __AC_FROM_MANY_DOTS_MINFP __AC_FROM_MANY_DOTS && !ALL_TRUSTED && !FREEMAIL_FORGED_FROMDOMAIN && !FORGED_GMAIL_RCVD && !__UNSUB_LINK && !__XM_VBULLETIN && !__RDNS_SHORT && !__REPTO_QUOTE && !__FSL_RELAY_GOOGLE && !__HAS_IN_REPLY_TO && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_MX_MESSY && !__CTYPE_MULTIPART_MIXED && !__RCD_RDNS_MTA && !__VIA_ML && !__HAS_ERRORS_TO
7262
7263rawbody __AC_HTML_ENTITY_BONANZA_SHRT_RAW /(?:&[A-Z0-9\#]{2,};\s{0,64}){10}/i
7264
7265uri __AC_LAND_URI /\/land\//
7266
7267uri __AC_LONGSEQ_URI /\/[A-Z0-9]{50,}\.(?:php|html|cgi)\b/
7268
7269uri __AC_MHDSEQ_URI /\/mhd[a-z0-9]{20,}/
7270
7271uri __AC_NDOMLONGNASPX_URI /[A-Za-z]+[0-9]{2}\.[A-Za-z0-9-]+\.me\/(?:[A-Za-z0-9-]{10,}\/){2}[0-9]{8,}\/[A-Za-z]+\.aspx/
7272
7273uri __AC_NUMS_URI /(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(:?php|html)\b/
7274
7275uri __AC_OUTI_URI /\/outi\b/
7276
7277uri __AC_OUTL_URI /\/outl\b/
7278
7279uri __AC_PHPOFFSUB_URI /\/php\/off\/[0-9.]+\/sub\//
7280
7281uri __AC_PHPOFFTOP_URI /\/php\/off\/[0-9.]+\/top\//
7282
7283uri __AC_POSTHTMLEXTRAS /(?:main[0-9]?|mian|start(?:page)?|info(?:page|source|center)?|(?:one|view)?(?:site|source)(?:view|[0-9])?|(?:hub|file)one|index(?:[0-9]|page)?|mediafile|userlink|faction1)[.,]html?\/\w{2,}\b/i
7284
7285uri __AC_POSTIMGEXTRAS /(?:(?:main|external|hosted|new|file)?(?:im(?:g|age)?|user|one)s?-?(?:view(?:er)?|file|map|finder|portal|hub|online)?s?|library|media(?:source|-?files?)?|main|png|view|begin|file|port|space|webpics|host)(?:[-]?(?:[0-9]|one|two|three|four|five|six|seven|eight|nine))?[.,](?:jpe?g|png|gif)\/\w{2,}\b/i
7286
7287meta __AC_POST_EXTRAS (__AC_POSTHTMLEXTRAS || __AC_POSTIMGEXTRAS)
7288
7289uri __AC_PUNCTNUMS_URI /\.com\/[A-Za-z+=\/.?_-]{4,}[0-9]{9,12}[a-z0-9]{1,2}[A-Za-z+=\/.?_-]+[0-9]{7,9}[A-Za-z+=\/.?_-]{6,}[0-9]{7,9}\b/
7290
7291uri __AC_REPORT_URI /\/report\//
7292
7293uri __AC_RMOVE_URI /\/r\/move\/[0-9]+\//
7294
7295rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i
7296
7297uri __AC_UHDSEQ_URI /\/uhd[a-z0-9]{20,}/
7298
7299uri __AC_UNSUB_URI /\/unsub\//
7300
7301body __ADMAIL /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i
7302
7303body __ADMITS_SPAM /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:e-?mail[- ]+)?[a@]dvert[i1l]sement\b/i
7304
7305meta __ADVANCE_FEE_2_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 1) && !__THREAD_INDEX_GOOD
7306
7307meta __ADVANCE_FEE_2_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
7308
7309meta __ADVANCE_FEE_2_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
7310
7311meta __ADVANCE_FEE_2_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
7312
7313meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 2) && !__THREAD_INDEX_GOOD
7314
7315meta __ADVANCE_FEE_3_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
7316
7317meta __ADVANCE_FEE_3_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
7318
7319meta __ADVANCE_FEE_3_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
7320
7321meta __ADVANCE_FEE_4_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 3) && !__THREAD_INDEX_GOOD
7322
7323meta __ADVANCE_FEE_4_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
7324
7325meta __ADVANCE_FEE_4_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
7326
7327meta __ADVANCE_FEE_4_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
7328
7329meta __ADVANCE_FEE_5_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 4) && !__THREAD_INDEX_GOOD
7330
7331meta __ADVANCE_FEE_5_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW
7332
7333meta __ADVANCE_FEE_5_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW
7334
7335meta __ADVANCE_FEE_5_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW
7336
7337body __AFF_004470_NUMBER /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/
7338
7339body __AFF_LOTTERY /(?:lottery|winner)/i
7340
7341meta __AFRICAN_STATE (__NIGERIA || __IVORY_COAST || __BURKINA_FASO || __GHANA || __BENIN || __AFR_UNION)
7342
7343body __AFR_UNION /\bafrican\sunion\b/i
7344
7345body __AGREED_RATIO /\b(?:agreed|sharing)\s(?:ratios?|percent\w+)\b/i
7346
7347meta __ALIBABA_IMG_NOT_RCVD_ALI __URI_IMG_ALICDN && !__HDR_RCVD_ALIBABA
7348
7349header __AMADEUSMS_MUA X-Mailer =~ /^Amadeus Messaging Server/
7350
7351meta __AMAZON_IMG_NOT_RCVD_AMZN __URI_IMG_AMAZON && !__HDR_RCVD_AMAZON
7352
7353body __AM_DYING /\b(?:am\s(?:\S+\s)?dying|terminally\sill|cancer|en\sphase\sterminale|(?:become|is|devenu|maladie)\sincurable|que\sje\smeurs)\b/i
7354
7355ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7356mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /\bimage\//i
7357endif
7358
7359if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7360 meta __ANY_TEXT_ATTACH 0
7361endif
7362
7363ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7364 mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
7365endif
7366
7367ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7368mimeheader __ANY_TEXT_ATTACH_DOC Content-Type =~ /text\/\w+/i
7369endif
7370
7371if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7372 body __APP_DEVELOPMENT /\b(?:mobile apps|(?:apps?|portal) (?:dev(?:elop(?:ment|ed))?|design|test(?:ing)?|U[IX]|maintenance|support)|(?:we |can |have )+(?:design(?:ed)?|buil[dt]|maintain(?:ed)?|created?)(?: over| more than)?[\s0-9]+apps|different platforms|we are (?:[-a-z]+ ){1,4}(?:software|apps?) (?:company|develop(?:ers|ment)))\b/i
7373 tflags __APP_DEVELOPMENT multiple maxhits=6
7374endif
7375
7376if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7377 meta __APP_DEVELOPMENT_MANY __APP_DEVELOPMENT > 5
7378endif
7379
7380body __ATM_CARD /\b(?:your|the|this|through|via|by\smeans\sof\|that\sa|issue\s(?:(?:to|for)\s)?you\sa)[\s\(](?:\w{1,20}\s)?(?:atm|debit|(?:money[\s-]?gram\s)?fast\scash)(?:\smaster|swift|value?|cash)?[\s\)]card/i
7381
7382if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7383 meta __ATTACH_NAME_NO_EXT 0
7384endif
7385
7386ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7387 mimeheader __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i
7388endif
7389
7390body __ATTN_MAIL_USER /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i
7391
7392body __AUTO_ACCIDENT /auto(?:mobile)? accident/i
7393
7394header __AXB_MO_OL_024C2 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2600\.0000/
7395
7396header __AXB_MO_OL_1ECD5 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1081/
7397
7398header __AXB_XM_OL_024C2 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2600\.0000/
7399
7400header __AXB_XM_OL_1ECD5 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1081/
7401
7402body __BACK_SCRATCH /\bmutual+y?\s(?:benefi(?:t|cial)|interest)\b/i
7403
7404body __BANK_DRAFT /\bbank\sdraft/i
7405
7406body __BARRISTER /\b(?:barrister|solicitor at law|barr\.)/i
7407
7408body __BENEFICIARY /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])n(?:e|=E9|[\xe9]|[\xc3][\xa9])fi(?:c|sh)i?ai?r(?:y|ies|es?)/i
7409
7410body __BENIN /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])nin\b/i
7411
7412body __BIGNUM_EMAILS /\b(?:thousand|million|\d[,1-9]{0,6}(?:[,0]{2,}k?|k))\s(?:(?!and|or|your|place|baby|suspicious|supportive|subpoenaed)\w+\s)?(?:e-?mail(?:(?![-:.\)\>\]])s?|\saddresses)|fax numbers|leads|names)\b/i
7413tflags __BIGNUM_EMAILS multiple maxhits=5
7414
7415meta __BIGNUM_EMAILS_3 __BIGNUM_EMAILS > 2
7416
7417meta __BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS && __freemail_hdr_replyto
7418
7419if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7420 body __BITCOIN /\bB[-\s]?i[-\s]?t[-\s]?c[-\s]?o[-\s]?i[-\s]?n\b/i
7421endif
7422
7423ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7424 body __BITCOIN /<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i
7425endif
7426
7427body __BITCOIN_ID /\b(?<!=)(?:[13](?:(?:[-_=\s][a-km-zA-HJ-NP-Z1-9]){29,34}|[a-km-zA-HJ-NP-Z1-9]{29,34})|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90}|b[-_=\s]c[-_=\s]1(?:[-_=\s][acdefghjklmnpqrstuvwxyz234567890]){30,90})\b/
7428
7429meta __BITCOIN_IMGUR __IMGUR_IMG && __BITCOIN
7430
7431meta __BITCOIN_OBFU_SUBJ __BITCOIN && __SUBJ_OBFU_PUNCT
7432
7433meta __BITCOIN_SPAM_02 __BITCOIN_ID && __BOTH_INR_AND_REF
7434
7435meta __BITCOIN_SPAM_05 __BITCOIN_ID && __SPOOFED_FREEMAIL
7436
7437meta __BITCOIN_SPAM_07 __BITCOIN_ID && __TO_EQ_FROM
7438
7439meta __BITCOIN_WFH_01 __BITCOIN && __WFH_01
7440
7441meta __BITCOIN_XPRIO __XPRIO && (__BITCOIN || __BITCOIN_ID)
7442
7443meta __BODY_SINGLE_URI (__BODY_SINGLE_WORD && __HAS_ANY_URI)
7444
7445meta __BODY_SINGLE_WORD __BODY_TEXT_LINE < 3 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1)
7446
7447body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s
7448
7449body __BODY_TEXT_LINE /^\s*\S/
7450tflags __BODY_TEXT_LINE multiple maxhits=3
7451
7452meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE
7453
7454if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7455 full __BOGUS_MIME_HDR /\bContent-[XYZ]-[a-z]{6,15}:\s+[a-z]{6,15}\b/
7456 tflags __BOGUS_MIME_HDR multiple maxhits=8
7457endif
7458
7459if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7460 meta __BOGUS_MIME_HDR_MANY __BOGUS_MIME_HDR > 7
7461endif
7462
7463header __BOGUS_MIME_VER_02 MIME-Version =~ /^(?!.*\b1\.0\b).+/
7464
7465meta __BOGUS_MSM_HDRS __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX
7466
7467body __BONUS_LAST_DAY /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i
7468
7469meta __BOTH_INR_AND_REF (__XM_BALSA || __XM_CALYPSO || __XM_FORTE || __XM_MHE || __XM_SQRLMAIL || __XM_SYLPHEED || __THEBAT_MUA || __XM_VM || __XM_XIMEVOL || __UA_KMAIL || __UA_MOZ5 || __UA_OPERA7)
7470
7471body __BTC_OBFU_2 /\b\W{0,10}b(?!it[-\s]?coin)\W{0,10}i\W{0,10}t\W{0,10}c\W{0,10}o\W{0,10}i\W{0,10}n\W{0,10}\b/i
7472
7473body __BTC_OBFU_3 /\b\W{0,10}b(?!tc\b)\W{0,10}t\W{0,10}c\W{0,10}\b/i
7474
7475if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7476 body __BTC_OBFU_4 /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
7477endif
7478
7479body __BTC_OBFU_5 /&\#x62;&\#x69;&\#x74;&\#x63;&\#x6F;&\#x69;&\#x6E;/i
7480
7481rawbody __BUGGED_IMG m{<img\b[^>]{0,100}\ssrc=.?https?://[^>]{6,80}(?:\?[^>]{8}|[^a-z](?![a-f]{3}|20\d\d[01]\d[0-3]\d)[0-9a-f]{8})}i
7482
7483body __BURKINA_FASO /\bburkina\s?faso\b/i
7484
7485body __CANT_SEE_AD_1 /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i
7486
7487body __CANT_SEE_AD_2 /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i
7488
7489body __CAN_HELP /\bcan help\b/i
7490
7491body __CASHPRZ /cash prize of/
7492
7493body __CHARITY /\b(?:charit(?:y|[ai]ble)|orphans?|homeless|orphelins|sans\sabri)\b/i
7494
7495body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here|(?:please|automatically) reduce (?:your|the) e?-?mail ?box size|reduce (?:your |the )?(?:e?-?mail(?: ?box)? )?size automatically)\b/i
7496tflags __CLEAN_MAILBOX multiple maxhits=2
7497
7498rawbody __COMMENT_GIBBERISH /<!--(?:\s{1,10}[-\w'"]{1,40}){100}/im
7499
7500body __COMPENSATION /\b(?:compensat(?:e|ion)|recompensed?|ausgleich)\b/i
7501
7502body __CONTACT_ATTY /\bcontact(?:er)?\s(?:my|(?:de\s)?mon)\s(?:barrister|attou?rney|lawyer|avocat|gestionnaire)\b/i
7503
7504body __CONTACT_YOU /\b(?:contact(?:ing)\syou|vous\scontacter?)\b/i
7505
7506rawbody __CONTENT_AFTER_HTML /<\/html>\s*[a-z0-9]/i
7507
7508if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7509 body __COPY_PASTE_EN /Copy (and|\+|\&) paste/i
7510endif
7511
7512ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7513 body __COPY_PASTE_EN /<C><O><P><Y> (?:<A><N><D>|\+|\&) <P><A><S><T><E>/i
7514endif
7515
7516body __COURIER /\bcourier\s(?:company|service)\b/i
7517
7518header __CR_IN_SUBJ Subject:raw =~ /\015/
7519
7520header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w+/i
7521
7522header __CTYPE_MULTIPART_MIXED Content-Type =~ /multipart\/mixed/i
7523
7524if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7525 meta __CTYPE_NULL 0
7526endif
7527
7528ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7529 mimeheader __CTYPE_NULL Content-Type =~ /^\s*;/
7530endif
7531
7532ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7533mimeheader __CTYPE_ONETAB_GIF Content-Type:raw =~ /^image\/gif;\n\tname=\".+?\"$/s
7534endif
7535
7536header __CT_ENCRYPTED Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/
7537
7538ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7539mimeheader __CT_UTF7 Content-Type =~ /\bcharset=.?utf-7\b/i
7540endif
7541
7542header __DATE_LOWER ALL =~ /date:\s\S{5}/
7543
7544if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7545 body __DAY_I_EARNED /day,?\sI\s(?:earned|got|received|made|brought\sin)\s\$\s?\d{3}/i
7546 tflags __DAY_I_EARNED multiple maxhits=4
7547endif
7548
7549body __DBLCLAIM /avoid double claiming/
7550
7551body __DEAD_PARENT /\b(?:my|meu)\s(?:(?:deceased|dead)\s(?:father|mother|husband)|(?:father|dad|mother|mom|husband|marido)(?:'?s)?\s(?:death|died|passed\saway|murder|was\s(?:killed|murdered|poisoned)|faleceu))/i
7552
7553body __DEAL /\b(?:(?:business|financial|this|the|mutual|die(?:se)?r?|cette|profitable)\s(?:deal|transa[ck]tion|proposal|off[er]{2}|venture|suggestion|partnership)|your\spartnership)/i
7554
7555body __DECEASED /\b(?:the|my|your|der|du|le|meu?)\s(?:deceased|late|verstorbenen|d(?:i|e|=E9|[\xe9]|[\xc3][\xa9])funto?|d(?:e|=E9|[\xe9]|[\xc3][\xa9])nt|falecido)\b/i
7556
7557body __DESTROY_ME /\b(?:destroy|hunt|quemar)\sm[eyi]\b/i
7558
7559body __DESTROY_YOU /\b(?:destroy\syou|deine Zukunft zerst\S{1,3}ren)/i
7560
7561body __DIED_IN /\bdied\sin\b/i
7562
7563body __DIPLOMATIC /\bdiplomatic\b/i
7564
7565ifplugin Mail::SpamAssassin::Plugin::AskDNS
7566tflags __DKIMWL_BLOCKED net
7567endif
7568
7569ifplugin Mail::SpamAssassin::Plugin::AskDNS
7570tflags __DKIMWL_BULKMAIL net
7571endif
7572
7573ifplugin Mail::SpamAssassin::Plugin::AskDNS
7574tflags __DKIMWL_FREEMAIL net
7575endif
7576
7577ifplugin Mail::SpamAssassin::Plugin::AskDNS
7578tflags __DKIMWL_WL_BL net
7579endif
7580
7581ifplugin Mail::SpamAssassin::Plugin::AskDNS
7582tflags __DKIMWL_WL_HI net
7583endif
7584
7585ifplugin Mail::SpamAssassin::Plugin::AskDNS
7586tflags __DKIMWL_WL_MED net
7587endif
7588
7589ifplugin Mail::SpamAssassin::Plugin::AskDNS
7590tflags __DKIMWL_WL_MEDHI net
7591endif
7592
7593header __DKIM_EXISTS exists:DKIM-Signature
7594tflags __DKIM_EXISTS nice
7595
7596body __DLND_ATTACH /\bdownload\sthe\sattach(?:ed|ment)\b/i
7597
7598if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7599 meta __DOC_ATTACH 0
7600endif
7601
7602ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7603 meta __DOC_ATTACH (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2)
7604endif
7605
7606if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7607 meta __DOC_ATTACH_FN1 0
7608endif
7609
7610ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7611 mimeheader __DOC_ATTACH_FN1 Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i
7612endif
7613
7614if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7615 meta __DOC_ATTACH_FN2 0
7616endif
7617
7618ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7619 mimeheader __DOC_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i
7620endif
7621
7622if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7623 meta __DOC_ATTACH_MT 0
7624endif
7625
7626ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7627 mimeheader __DOC_ATTACH_MT Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i
7628endif
7629
7630body __DORMANT_ACCT /\b(?:(?:dormant|abandoned|left\s?over)\s(?:account|fund|transaction|sum|deposit)|fonds\sdorment)/i
7631
7632body __DOS_BODY_FRI /\bfri(?:day)?\b/i
7633
7634body __DOS_BODY_MON /\bmon(?:day)?\b/i
7635
7636body __DOS_BODY_SAT /\bsat(?:day)?\b/i
7637
7638body __DOS_BODY_STOCK /\bstock\b/i
7639
7640body __DOS_BODY_SUN /\bsun(?:day)?\b/i
7641
7642body __DOS_BODY_THU /\bthu(?:r(?:s(?:day)?)?)?\b/i
7643
7644body __DOS_BODY_TICKER /\b[A-Z]{4}\.(?:OB|PK)\b/
7645
7646body __DOS_BODY_TUE /\btue(?:s(?:day)?)?\b/i
7647
7648body __DOS_BODY_WED /\bwed(?:nesday)?\b/i
7649
7650body __DOS_COMING_TO_YOUR_PLACE /I (?:am|might(?: be)?) c[a-z]?o[a-z]?m[a-z]?(?:i[a-z]?n[a-z]?g[a-z]{0,2}|e down) to y[!a-z]{2,4}r (?:city|place[a-z]{0,2}|co[a-z]?u[a-z]?n[a-z]?t[a-z]?ry) in (?:f[a-z]?e[a-z]?w|\d{1,2}) (?:day|week)s/
7651
7652body __DOS_CORRESPOND_EMAIL /correspond with me using my email/
7653
7654meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT
7655
7656meta __DOS_DIRECT_TO_MX_UNTRUSTED __DOS_DIRECT_TO_MX && !ALL_TRUSTED
7657
7658body __DOS_DROP_ME_A_LINE /Drop me a line at/
7659
7660body __DOS_EMAIL_DIRECTLY /(?:Email m[a-z]?e|address) direc(?:tl|lt)y at/
7661
7662body __DOS_FIN_ADVANTAGE /\bfinancial advantage/i
7663
7664uri __DOS_HAS_ANY_URI /^\w+:\/\//
7665
7666header __DOS_HAS_LIST_ID exists:List-ID
7667
7668header __DOS_HAS_LIST_UNSUB exists:List-Unsubscribe
7669
7670header __DOS_HAS_MAILING_LIST exists:Mailing-List
7671
7672body __DOS_HI /^Hi,$/
7673
7674body __DOS_I_AM_25 /I a.?m 25/
7675
7676body __DOS_I_DRIVE_A /I drive a/
7677
7678body __DOS_LET_GO_JOB /I was (?:let go|fired|layed off|dismissed) from a job I h(?:el|a)d for (?:2\d years|\d{3} months)/
7679
7680body __DOS_LINK /\blink\b/
7681
7682body __DOS_MEET_EACH_OTHER /(?:meet each other|[Mm]ay ?be we can meet)/
7683
7684header __DOS_MSGID_DIGITS10 Message-ID =~ /<1[013-9]\d{8}\@.*>/
7685
7686header __DOS_MSGID_DIGITS9 Message-ID =~ /<\d{9}\@.*>/
7687
7688body __DOS_MY_OLD_JOB /my old job/
7689
7690body __DOS_PERSONAL_EMAIL /personal email at/
7691
7692header __DOS_RCVD_FRI Received =~ / Fri, /
7693
7694header __DOS_RCVD_MON Received =~ / Mon, /
7695
7696header __DOS_RCVD_SAT Received =~ / Sat, /
7697
7698header __DOS_RCVD_SUN Received =~ / Sun, /
7699
7700header __DOS_RCVD_THU Received =~ / Thu, /
7701
7702header __DOS_RCVD_TUE Received =~ / Tue, /
7703
7704header __DOS_RCVD_WED Received =~ / Wed, /
7705
7706meta __DOS_REF_2_WK_DAYS (__DOS_RCVD_MON && __DOS_BODY_WED) || (__DOS_RCVD_TUE && __DOS_BODY_THU) || (__DOS_RCVD_WED && __DOS_BODY_FRI) || (__DOS_RCVD_THU && __DOS_BODY_MON) || (__DOS_RCVD_FRI && __DOS_BODY_TUE) || (__DOS_RCVD_SAT && __DOS_BODY_TUE) || (__DOS_RCVD_SUN && __DOS_BODY_TUE)
7707
7708meta __DOS_REF_NEXT_WK_DAY (__DOS_RCVD_MON && __DOS_BODY_TUE) || (__DOS_RCVD_TUE && __DOS_BODY_WED) || (__DOS_RCVD_WED && __DOS_BODY_THU) || (__DOS_RCVD_THU && __DOS_BODY_FRI) || (__DOS_RCVD_FRI && __DOS_BODY_MON) || (__DOS_RCVD_SAT && __DOS_BODY_MON) || (__DOS_RCVD_SUN && __DOS_BODY_MON)
7709
7710meta __DOS_REF_TODAY (__DOS_RCVD_MON && __DOS_BODY_MON) || (__DOS_RCVD_TUE && __DOS_BODY_TUE) || (__DOS_RCVD_WED && __DOS_BODY_WED) || (__DOS_RCVD_THU && __DOS_BODY_THU) || (__DOS_RCVD_FRI && __DOS_BODY_FRI) || (__DOS_RCVD_SAT && __DOS_BODY_SAT) || (__DOS_RCVD_SUN && __DOS_BODY_SUN)
7711
7712header __DOS_RELAYED_EXT ALL-EXTERNAL =~ /(?:^|\n)[Rr][eE][cC][eE][iI][vV][eE][dD]:\s.+\n[Rr][eE][cC][eE][iI][vV][eE][dD]:\s/s
7713
7714header __DOS_SINGLE_EXT_RELAY X-Spam-Relays-External =~ /^\[ [^\]]+ \]$/
7715
7716body __DOS_STEADY_COURSE /\bsteady (?:and increasing )?course\b/i
7717
7718body __DOS_STRONG_CF /\bstrong cash flow/i
7719
7720body __DOS_TAKING_HOME /Taking home \d (?:digit level|figures) in \d{1,2} months/
7721
7722body __DOS_WRITE_ME_AT /[Ww].?r.?i.?t.?e me at/
7723
7724meta __DOTGOV_IMAGE __URI_DOTGOV && __REMOTE_IMAGE
7725
7726meta __DYNAMIC_IMGUR __IMGUR_IMG && __RDNS_DYNAMIC_IPADDR
7727
7728body __EARLY_DEMISE /\buntimely\sdeath\b/i
7729
7730header __EBAY_ADDRESS From:addr =~ /[\@.]ebay\.\w\w\w?(?:\.\w\w)?$/i
7731
7732meta __EBAY_IMG_NOT_RCVD_EBAY __URI_IMG_EBAY && !__HDR_RCVD_EBAY
7733
7734meta __EMAIL_PHISH (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN) > 1) && !__EMAIL_PHISH_MANY
7735
7736meta __EMAIL_PHISH_MANY (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN) > 3)
7737
7738meta __EMPTY_BODY __BODY_TEXT_LINE < 2 && !__SMIME_MESSAGE
7739
7740body __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:a-z{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i
7741
7742header __ENVFROM_AMAZONSES EnvelopeFrom =~ /\@amazonses\.com$/
7743
7744header __ENVFROM_GOOG_TRIX EnvelopeFrom =~ /(?:@|=)trix\.bounces\.google\.com(?:$|=)/
7745
7746meta __ENVFROM_GOOG_TRIX_SPAMMY __ENVFROM_GOOG_TRIX && (__GOOGLE_DOC_SUSP || FREEMAIL_REPLYTO_END_DIGIT || __ADVANCE_FEE_2_NEW || FORGED_GMAIL_RCVD || LOTS_OF_MONEY || __HAS_X_SOURCE_DIR )
7747
7748if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7749 meta __EXE_ATTACH 0
7750endif
7751
7752ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7753 mimeheader __EXE_ATTACH Content-Type =~ /\.exe\b/i
7754endif
7755
7756if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7757 body __EXPLOSIVE_DEVICE /\b(?:explosive\sdevice|bomb)\b/i
7758endif
7759
7760ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7761 body __EXPLOSIVE_DEVICE /(?:^|\s)(?:<E><X><P><L><O><S><I><V><E>\s<D><E><V><I><C><E>|<B><O><M><B>)\s/i
7762endif
7763
7764meta __EXTORT_MANY (__MY_MALWARE + __PAY_ME + __MY_VICTIM + __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE + __YOUR_PASSWORD + LOCALPART_IN_SUBJECT + __DESTROY_ME + __DESTROY_YOU + __EXPLOSIVE_DEVICE + __PAXFUL + __HUSH_HUSH) > 3
7765
7766body __EX_CUSTOMER /\b(?:(?:dead|deceased|late|verstorbenen|death\sof\sthe)\s(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|depositor|mr\.|kunde|engr?\.?)|titulaire\sdu\scompte\sest\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|invest[eo]r\sdied|(?:e|=E9|[\xe9]|[\xc3][\xa9])tranger\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|mr\.|kunde|engr?\.?)\s(?:[a-z]{1,10}\s)?(?:dead|deceased|verstorbenen))/i
7767
7768if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7769 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7770 body __E_LIKE_LETTER /<lcase_e>/
7771 tflags __E_LIKE_LETTER multiple maxhits=320
7772endif
7773endif
7774
7775body __FAILED_LOGINS /unsuc+es+ful log-?[io]n at+empts/i
7776
7777body __FBI_BODY_SHOUT_1 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/
7778
7779rawbody __FBI_BODY_SHOUT_2 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/m
7780
7781header __FBI_FM_DOM From:addr =~ /\bfbi\.gov$/
7782
7783header __FBI_FM_NAME From:name =~ /federal\sbureau\sof\sinvestigation/i
7784
7785header __FBI_RCVD_DOM X-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov /
7786
7787meta __FBI_SPOOF (__FBI_FM_NAME || __FBI_FM_DOM || __FBI_BODY_SHOUT_1 || __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __HAS_REPLY_TO
7788
7789body __FB_COST /\bcost\b/i
7790
7791body __FB_NUM_PERCNT /\d\s?\%/
7792
7793body __FB_S_PRICE /pri{1,2}c[a-z]?e/i
7794
7795body __FB_S_STOCK /\bstock/i
7796
7797body __FB_TOUR /\btour/i
7798
7799body __FEES /\b(?:security|safe\w*|courier|registration|pay|paid|up-?front|processing|delivery|transfer|keeping)[\s\w]{0,15}\s(?:fee|charge)s?\b/i
7800
7801body __FIFTY_FIFTY /\b(?:50|fifty)(?:%?[\/:]50%?|%|\spercent)/i
7802
7803if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7804 meta __FILL_THIS_FORM 0
7805endif
7806
7807ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7808 meta __FILL_THIS_FORM (__FILL_THIS_FORM_LONG || __FILL_THIS_FORM_PARTIAL > 4 || __FILL_THIS_FORM_PARTIAL_RAW > 4)
7809endif
7810
7811if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7812 meta __FILL_THIS_FORM_FRAUD_PHISH 0
7813endif
7814
7815ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7816 meta __FILL_THIS_FORM_FRAUD_PHISH (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FILL_THIS_FORM_FRAUD_PHISH1 || __EMAIL_PHISH || __ACCT_PHISH)
7817endif
7818
7819if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7820 meta __FILL_THIS_FORM_FRAUD_PHISH1 0
7821endif
7822
7823ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7824 body __FILL_THIS_FORM_FRAUD_PHISH1 /<FF_YOUR>(?:<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
7825endif
7826
7827if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7828 meta __FILL_THIS_FORM_LOAN 0
7829endif
7830
7831ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7832 meta __FILL_THIS_FORM_LOAN __FILL_THIS_FORM && __FILL_THIS_FORM_LOAN1
7833endif
7834
7835if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7836 meta __FILL_THIS_FORM_LOAN1 0
7837endif
7838
7839ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7840 body __FILL_THIS_FORM_LOAN1 /<FF_YOUR><FF_L1><FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
7841endif
7842
7843if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7844 meta __FILL_THIS_FORM_LONG 0
7845endif
7846
7847ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7848 meta __FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG1 || __FILL_THIS_FORM_LONG2
7849endif
7850
7851if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7852 meta __FILL_THIS_FORM_LONG1 0
7853endif
7854
7855ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7856 body __FILL_THIS_FORM_LONG1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
7857endif
7858
7859if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7860 meta __FILL_THIS_FORM_LONG2 0
7861endif
7862
7863ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7864 body __FILL_THIS_FORM_LONG2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
7865endif
7866
7867if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7868 meta __FILL_THIS_FORM_PARTIAL 0
7869endif
7870
7871ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7872 body __FILL_THIS_FORM_PARTIAL /^\s?<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20){1,4}$)/im
7873 tflags __FILL_THIS_FORM_PARTIAL multiple maxhits=5
7874endif
7875
7876if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7877 meta __FILL_THIS_FORM_PARTIAL_RAW 0
7878endif
7879
7880ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7881 rawbody __FILL_THIS_FORM_PARTIAL_RAW /^(?>\s{0,50})<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20|&nbsp;|<\/\w+>){0,4}$)/im
7882 tflags __FILL_THIS_FORM_PARTIAL_RAW multiple maxhits=5
7883endif
7884
7885if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7886 meta __FILL_THIS_FORM_SHORT 0
7887endif
7888
7889ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7890 meta __FILL_THIS_FORM_SHORT !__FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT1 || __FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_PARTIAL > 2 || __FILL_THIS_FORM_PARTIAL_RAW > 2)
7891endif
7892
7893if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7894 meta __FILL_THIS_FORM_SHORT1 0
7895endif
7896
7897ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7898 body __FILL_THIS_FORM_SHORT1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
7899endif
7900
7901if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7902 meta __FILL_THIS_FORM_SHORT2 0
7903endif
7904
7905ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7906 body __FILL_THIS_FORM_SHORT2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
7907endif
7908
7909header __FLASHMAIL_MUA X-Mailer =~ /^NetEase Flash Mail \d/
7910
7911if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7912 meta __FM_MY_PRICE __FB_S_PRICE
7913endif
7914
7915ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7916 meta __FM_MY_PRICE (__FB_S_PRICE || __FRT_PRICE)
7917endif
7918
7919meta __FM_TO_ALL_NUMS __FROM_ALL_NUMS && __TO_ALL_NUMS
7920
7921if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7922 rawbody __FONT_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w/i
7923 tflags __FONT_INVIS multiple maxhits=11
7924endif
7925
7926if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7927 meta __FONT_INVIS_10 __FONT_INVIS > 10
7928endif
7929
7930if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7931 meta __FONT_INVIS_2 __FONT_INVIS > 2
7932endif
7933
7934if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7935 meta __FONT_INVIS_5 __FONT_INVIS > 5
7936endif
7937
7938if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7939 meta __FONT_INVIS_CENTER __FONT_INVIS && __TAG_EXISTS_CENTER
7940endif
7941
7942if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7943 meta __FONT_INVIS_DIRECT __FONT_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED
7944endif
7945
7946if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7947 meta __FONT_INVIS_DOTGOV __FONT_INVIS && __URI_DOTGOV
7948endif
7949
7950if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7951 meta __FONT_INVIS_HTML_NOHTML __FONT_INVIS && HTML_MIME_NO_HTML_TAG
7952endif
7953
7954if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7955 meta __FONT_INVIS_LONG_LINE __FONT_INVIS && __LONGLINE
7956endif
7957
7958if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7959 meta __FONT_INVIS_MANY __FONT_INVIS_2
7960endif
7961
7962if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7963 meta __FONT_INVIS_MSGID __FONT_INVIS && __MSGID_OK_HOST
7964endif
7965
7966if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7967 meta __FONT_INVIS_NORDNS __FONT_INVIS && __RDNS_NONE
7968endif
7969
7970if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7971 meta __FONT_INVIS_SINGLET __FONT_INVIS && __HTML_SINGLET
7972endif
7973
7974header __FORGED_MUA_POSTFIX0 User-Agent =~ /Postfix/
7975
7976header __FORGED_MUA_POSTFIX1 X-Mailer =~ /Postfix/
7977
7978meta __FORGED_TBIRD_IMG __MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0D
7979describe __FORGED_TBIRD_IMG Possibly forged Thunderbird image spam
7980
7981meta __FORM_FRAUD (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 1)
7982
7983meta __FORM_FRAUD_3 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3)
7984
7985meta __FORM_FRAUD_5 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)
7986
7987meta __FORM_LOW_CONTRAST (__FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_SHORT2) && __HTML_FONT_LOW_CONTRAST_MINFP
7988
7989if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7990 body __FOR_SALE_LTP /00\.? (?:less 10%|LTP)/i
7991 tflags __FOR_SALE_LTP multiple maxhits=11
7992endif
7993
7994if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7995 meta __FOR_SALE_LTP_MANY __FOR_SALE_LTP > 10
7996endif
7997
7998if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7999 body __FOR_SALE_NET /00\.? NET/i
8000 tflags __FOR_SALE_NET multiple maxhits=11
8001endif
8002
8003if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8004 meta __FOR_SALE_NET_MANY __FOR_SALE_NET > 10
8005endif
8006
8007if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8008 body __FOR_SALE_OBO /\bor best offer\b/i
8009 tflags __FOR_SALE_OBO multiple maxhits=6
8010endif
8011
8012if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8013 meta __FOR_SALE_OBO_MANY __FOR_SALE_OBO > 5
8014endif
8015
8016if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8017 body __FOR_SALE_PRC_100K /\bprice:? \$\d\d\d,\d\d\d/i
8018 tflags __FOR_SALE_PRC_100K multiple maxhits=11
8019endif
8020
8021if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8022 meta __FOR_SALE_PRC_100K_MANY __FOR_SALE_PRC_100K > 5
8023endif
8024
8025if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8026 body __FOR_SALE_PRC_10K /\bprice:? \$\d\d,\d\d\d/i
8027 tflags __FOR_SALE_PRC_10K multiple maxhits=11
8028endif
8029
8030if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8031 meta __FOR_SALE_PRC_10K_MANY __FOR_SALE_PRC_10K > 10
8032endif
8033
8034if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8035 body __FOR_SALE_PRC_1K /\bprice:? \$\d,?\d\d\d[.\s]/i
8036 tflags __FOR_SALE_PRC_1K multiple maxhits=11
8037endif
8038
8039if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8040 meta __FOR_SALE_PRC_1K_MANY __FOR_SALE_PRC_1K > 10
8041endif
8042
8043if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8044 rawbody __FOR_SALE_PRC_EOL /\s\$\d{1,3},\d00(?:\.00)?$/m
8045 tflags __FOR_SALE_PRC_EOL multiple maxhits=11
8046endif
8047
8048if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8049 meta __FOR_SALE_PRC_EOL_MANY __FOR_SALE_PRC_EOL > 10
8050endif
8051
8052if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8053 meta __FOR_SALE_PRC_MANY (__FOR_SALE_PRC_1K + __FOR_SALE_PRC_10K + __FOR_SALE_PRC_100K) > 20
8054endif
8055
8056body __FOUND_YOU /\b(?:I|we)\sfound\syour?\b/i
8057
8058body __FRAUD /\b(?:de)?fraud/i
8059
8060body __FRAUD_IOV /\b(?:no risks?|risky?[- ]{0,3}free|free of risks?|100% safe|v\S{1,3}llig Risikofrei ist)\b/i
8061
8062body __FRAUD_PTX /\b(?:ass?ass?inat(?:ed|ion)|murder(?:e?d)?|poison(?:e?d)?|kill(?:ed|ing|ers)\b[^.]{0,99}\b(?:war veterans|rebels?)|les tueurs)\b/i
8063
8064body __FRAUD_XWW /\b(?:honest(?:ly)?\sco(?:-?operat(?:e|ion)|llaborat(?:e|ion))|ehrliche\szusammenarbeit|sichere [kc]o+p[eo]ration|col+aboration\swith\sme)\b/i
8065
8066ifplugin Mail::SpamAssassin::Plugin::FreeMail
8067 header __FREEMAIL_DISPTO eval:check_freemail_header('Disposition-Notification-To')
8068endif
8069
8070ifplugin Mail::SpamAssassin::Plugin::FreeMail
8071 meta __FREEMAIL_DOC_PDF (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
8072endif
8073
8074meta __FREEMAIL_WFH_01 (FREEMAIL_FROM || FREEMAIL_REPLYTO) && __WFH_01
8075
8076meta __FREEM_FRNUM_UNICD_EMPTY FREEMAIL_FROM && __FROM_ALL_NUMS && __FROM_ENCODED_B64 && __SUBJECT_ENCODED_B64 && __EMPTY_BODY
8077
8078if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
8079 meta __FROM_41_FREEMAIL 0
8080endif
8081
8082ifplugin Mail::SpamAssassin::Plugin::FreeMail
8083 meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED
8084 describe __FROM_41_FREEMAIL Sent from Africa + freemail provider
8085endif
8086
8087if (version >= 3.004002)
8088ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8089header __FROM_ADDRLIST_BANKS eval:check_from_in_list('BANKS')
8090endif
8091endif
8092
8093if (version >= 3.004002)
8094ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8095header __FROM_ADDRLIST_GOV eval:check_from_in_list('GOV')
8096endif
8097endif
8098
8099if (version >= 3.004002)
8100ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8101header __FROM_ADDRLIST_PAYPAL eval:check_from_in_list('PAYPAL')
8102endif
8103endif
8104
8105if (version >= 3.004002)
8106ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8107header __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD')
8108endif
8109endif
8110
8111header __FROM_ADDR_WS From:addr =~ /\s/
8112
8113header __FROM_ADMIN From =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i
8114
8115header __FROM_ALL_HEX From:addr =~ /^(?!(?:19|20)\d\d[01]\d[0-3]\d)(?![0-9a-f]*[a-f]{3})[0-9a-f]+\@/
8116
8117header __FROM_ALL_NUMS From:addr =~ /^\d+@/
8118
8119header __FROM_DNS From =~ /(?<![^\w.-])dns(?:admin)?\@/i
8120
8121meta __FROM_DOM_ADMIN __FROM_ADMIN && __PDS_FROM_NAME_TO_DOMAIN
8122
8123header __FROM_DOM_INFO From:addr =~ /\.info$/i
8124
8125header __FROM_EBAY From:addr =~ /\@ebay\.com$/i
8126
8127ifplugin Mail::SpamAssassin::Plugin::FreeMail
8128 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
8129 header __FROM_EQ_REPLY eval:check_fromname_equals_replyto()
8130endif
8131endif
8132
8133if (version >= 3.004001)
8134ifplugin Mail::SpamAssassin::Plugin::AskDNS
8135tflags __FROM_FMBLA_NDBLOCKED net
8136endif
8137endif
8138
8139if (version >= 3.004001)
8140ifplugin Mail::SpamAssassin::Plugin::AskDNS
8141tflags __FROM_FMBLA_NEWDOM net
8142endif
8143endif
8144
8145if (version >= 3.004001)
8146ifplugin Mail::SpamAssassin::Plugin::AskDNS
8147tflags __FROM_FMBLA_NEWDOM14 net
8148endif
8149endif
8150
8151if (version >= 3.004001)
8152ifplugin Mail::SpamAssassin::Plugin::AskDNS
8153tflags __FROM_FMBLA_NEWDOM28 net
8154endif
8155endif
8156
8157header __FROM_FULL_NAME From:name =~ /^[^a-z[:punct:][:cntrl:]\d\s][^[:punct:][:cntrl:]\d\s]*[[:punct:]\s]+[^a-z[:punct:][:cntrl:]\d\s]/
8158tflags __FROM_FULL_NAME nice
8159
8160header __FROM_INFO From =~ /(?<![^\w.-])info\@/i
8161
8162header __FROM_LOWER ALL =~ /from:\s\S{5}/
8163
8164header __FROM_MISSPACED From =~ /^\s*"[^"]*"</
8165
8166meta __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __LCL__ENV_AND_HDR_FROM_MATCH
8167
8168if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
8169 meta __FROM_MISSP_FREEMAIL 0
8170endif
8171
8172ifplugin Mail::SpamAssassin::Plugin::FreeMail
8173 meta __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
8174endif
8175
8176meta __FROM_MISSP_REPLYTO __FROM_RUNON && __HAS_REPLY_TO
8177
8178if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
8179 meta __FROM_MULTI_NORDNS __PDS_FROM_2_EMAILS && __RDNS_NONE
8180endif
8181
8182if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
8183 meta __FROM_MULTI_SHORT_IMG __PDS_FROM_2_EMAILS && (HTML_IMAGE_ONLY_16 || HTML_SHORT_LINK_IMG_2 || __HTML_IMG_ONLY)
8184endif
8185
8186full __FROM_NAME_IN_MSG /^From:\s+([^<]\S+\s\S+)\s(?=.{1,2048}^\1\r?$)/sm
8187
8188header __FROM_PAYPAL From:addr =~ /\@paypal\.com$/i
8189
8190header __FROM_RUNON From =~ /\S+<\w+/
8191
8192header __FROM_RUNON_UNCODED From:raw =~ /\S+(?<!\?=)<\w+/
8193
8194header __FROM_WEB_DAEMON From:addr =~ /(?:apache|www|web|tomcat|\biis\b).*\@/i
8195
8196header __FROM_WORDY From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/
8197
8198if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8199 meta __FRT_PRICE 0
8200endif
8201
8202ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8203 body __FRT_PRICE /<inter SP2><post P2>\b(?!price)<P><R><IX><C><E>\b/i
8204endif
8205
8206rawbody __FR_SPACING_8 /[a-z0-9]{6}\s{8}[a-z0-9]{5}/i
8207
8208header __FSL_HAS_LIST_UNSUB exists:List-Unsubscribe
8209
8210header __FSL_HELO_BARE_IP_1 X-Spam-Relays-External =~ /^[^\]]+ helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} [^\]]*auth= /i
8211
8212header __FSL_HELO_BARE_IP_2 X-Spam-Relays-Untrusted =~ /helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} /i
8213
8214header __FSL_HELO_USER_1 X-Spam-Relays-External =~ / helo=user /i
8215
8216header __FSL_HELO_USER_2 Received =~ /from User(?:\s+by|\s*[\[\(]|$)/i
8217
8218header __FSL_HELO_USER_3 Received =~ /(?:eh|he)lo(?:=|\s)User\)/i
8219
8220header __FSL_RELAY_GOOGLE X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.google\.com\.? /i
8221
8222header __FS_SUBJ_RE Subject =~ /^Re: /
8223
8224ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8225 body __FUZZY_DR_OZ /(?=<D>)(?!(?-i:D(?:r.|octor)(?:\s|&nbsp;)Oz))(?:<R>|<O><C>(?:<T><O><R>)?)\.?<WS>*<O><Z>(?:$|\W)/i
8226endif
8227
8228if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8229 meta __FUZZY_MONERO 0
8230endif
8231
8232ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8233 body __FUZZY_MONERO /(?=<M>)(?!monero)<M><O><N><E><R><O>/i
8234endif
8235
8236ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8237 body __FUZZY_PORN /(?=<P>)(?!pornograph?(?:y|i[ca]|er))<P><O><R><N><O><G><R><A><P><H>?(?:<Y>|<I><C>|<E><R>)/i
8238endif
8239
8240ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8241 body __FUZZY_WELLSFARGO_BODY /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i
8242endif
8243
8244ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8245 header __FUZZY_WELLSFARGO_FROM From:name =~ /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i
8246endif
8247
8248if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8249 body __GAPPY_SALES_LEADS /\b(?:business|e?-?mail|your|marketing|advertising)\s(?!sales|leads|campaign)(?:s\s?a\s?l\s?e\s?s|l\s?e\s?a\s?d\s?s|c\s?a\s?m\s?p\s?a\s?i\s?g\s?n)\b/i
8250 tflags __GAPPY_SALES_LEADS multiple maxhits=3
8251endif
8252
8253if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8254 meta __GAPPY_SALES_LEADS_MANY __GAPPY_SALES_LEADS > 2
8255endif
8256
8257header __GB_FAKE_RF Subject =~ /(Fw|Re)\:[a-z0-9\+]/i
8258
8259body __GHANA /\bghana\b/i
8260
8261ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8262mimeheader __GIF_ATTACH Content-Type =~ /^image\/gif\b/i
8263endif
8264
8265body __GIVE_MONEY /\b(?:(?:give\syou\s(?:this\s)?(?:money|fund|inheritance))|(?:donated?\s(?:\w\+\s){0,3}(?:the\ssum\sof|(?:(?:the|this|some)\s(?:money|funds?|inheritance)|to\s)(?:you|(?:(?:the|a)\s)?church|charit(?:y|ies)|humanit\w+|needy|poor|orphan(?:age)?s?|philanthropists\?)))|de vous donner cet argent|faire don de la somme|voudrais en faire don|tego funduszu do dom(?:=F3|[\xf3])w (?:dziecka|wdowy))\b/i
8266
8267meta __GOOGLE_DOCS_PHISH_1 __URI_GOOGLE_DOC && (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST)
8268
8269meta __GOOGLE_DOCS_PHISH_2 __URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY
8270
8271meta __GOOGLE_DOC_SUSP __URI_GOOGLE_DOC && (__HAS_DOMAINKEY_SIG || __RDNS_NONE || __SYSADMIN || __STY_INVIS || LOTS_OF_MONEY || __XFER_MONEY || __ADVANCE_FEE_2_NEW) && !ALL_TRUSTED
8272
8273uri __GOOG_MALWARE_DNLD m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&/]download;i
8274
8275uri __GOOG_REDIR m;^https?://[^/]*\.google\.com/url\?;i
8276
8277meta __GOOG_STO_HTML_PHISH __URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY
8278
8279meta __GOOG_STO_IMG_HTML_1 __URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML
8280
8281meta __GOOG_STO_IMG_NOHTML __URI_GOOG_STO_IMG && !__URI_GOOG_STO_HTML
8282
8283meta __GOOG_STO_NOIMG_HTML !__URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML
8284
8285body __HAS_ANY_EMAIL /\w@\S+\.\w/
8286
8287uri __HAS_ANY_URI /^\w+:\/\//
8288
8289header __HAS_CAMPAIGNID exists:X-Campaignid
8290
8291header __HAS_CID exists:X-CID
8292
8293header __HAS_COMPLAINT_TO exists:Complaint-To
8294
8295header __HAS_DOMAINKEY_SIG exists:DomainKey-Signature
8296
8297describe __HAS_HREF Has an anchor tag with a href attribute in non-quoted line
8298rawbody __HAS_HREF /^[^>].*?<a href=/im
8299tflags __HAS_HREF multiple maxhits=100
8300
8301describe __HAS_HREF_ONECASE Has an anchor tag with a href attribute in non-quoted line with consistent case
8302rawbody __HAS_HREF_ONECASE /^[^>].*?<(a href|A HREF)=/m
8303tflags __HAS_HREF_ONECASE multiple maxhits=100
8304
8305describe __HAS_IMG_SRC Has an img tag on a non-quoted line
8306rawbody __HAS_IMG_SRC /^[^>].*?<img src=/im
8307tflags __HAS_IMG_SRC multiple maxhits=100
8308
8309rawbody __HAS_IMG_SRC_DATA /^[^>].*?<img src=['"]data/im
8310
8311describe __HAS_IMG_SRC_ONECASE Has an img tag on a non-quoted line with consistent case
8312rawbody __HAS_IMG_SRC_ONECASE /^[^>].*?<(img src|IMG SRC)=/m
8313tflags __HAS_IMG_SRC_ONECASE multiple maxhits=100
8314
8315header __HAS_LIST_OPEN exists:List-Open
8316
8317header __HAS_LOGID exists:logid
8318
8319header __HAS_MESSAGEID exists:MessageID
8320
8321header __HAS_PHP_ORIG_SCRIPT exists:X-PHP-Originating-Script
8322
8323header __HAS_PHP_SCRIPT exists:X-PHP-Script
8324
8325header __HAS_THREAD_INDEX exists:Thread-Index
8326
8327header __HAS_TRACKING_CODE exists:Tracking-Code
8328
8329body __HAS_WON_01 /\bque ha ganado\b/i
8330
8331header __HAS_XM_LID exists:X-Mailer-LID
8332
8333header __HAS_XM_RECPTID exists:X-Mailer-RecptId
8334
8335header __HAS_XM_SENTBY exists:X-Mailer-Sent-By
8336
8337header __HAS_XM_SID exists:X-Mailer-SID
8338
8339header __HAS_X_EBSERVER exists:X-EBSERVER
8340
8341header __HAS_X_LETTER exists:X-Letter
8342
8343header __HAS_X_NO_RELAY exists:X-No-Relay
8344
8345header __HAS_X_OUTGOING_SPAM_STAT exists:X-OutGoing-Spam-Status
8346
8347header __HAS_X_SOURCE_DIR exists:X-Source-Dir
8348
8349header __HDRS_LCASE ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm
8350tflags __HDRS_LCASE multiple maxhits=3
8351
8352meta __HDRS_LCASE_KNOWN __MSGID_JAVAMAIL || __UA_MSOEMAC || __UA_MSOMAC || __MSGID_APPLEMAIL || __MSGID_HEX_UID || __MSGID_HEXISH
8353
8354header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism
8355
8356header __HDR_ORDER_FTSDMCXXXX ALL =~ /\nFrom: .{1,80}?\nTo: .{1,80}?\nSubject: .{1,200}?\nDate: .{1,40}?\nMIME-Version: .{1,40}?\nContent-Type: .{1,120}?\nX-Priority: .{1,40}?\nX-MSMail-Priority: .{1,40}?\nX-Mailer: .{1,80}?\nX-MimeOLE:/s
8357
8358header __HDR_RCVD_ALIBABA X-Spam-Relays-External =~ /\srdns=\S+\.alibaba\.com\s/
8359
8360header __HDR_RCVD_AMAZON X-Spam-Relays-External =~ /\srdns=\S+\.amazon(?:ses)?\.com\s/
8361
8362header __HDR_RCVD_EBAY X-Spam-Relays-External =~ /\srdns=\S+\.ebay\.com\s/
8363
8364header __HDR_RCVD_GOOGLE X-Spam-Relays-External =~ / rdns=mail-\S+\.google\.com\.?\s/
8365
8366header __HDR_RCVD_KEEPA X-Spam-Relays-External =~ /\srdns=\S+\.keepa\.com\s/
8367
8368header __HDR_RCVD_NEWEGG X-Spam-Relays-External =~ /\srdns=\S+\.newegg\.com\s/
8369
8370header __HDR_RCVD_SHOPIFY X-Spam-Relays-External =~ /\srdns=\S+\.shopify\.com\s/
8371
8372header __HDR_RCVD_TONLINEDE X-Spam-Relays-External =~ /\srdns=\S+\.t-online\.de\s/
8373
8374header __HDR_RCVD_WALMART X-Spam-Relays-External =~ /\srdns=\S+\.walmart\.com\s/
8375
8376ifplugin Mail::SpamAssassin::Plugin::AskDNS
8377tflags __HELO_DNS net
8378endif
8379
8380header __HELO_HIGHPROFILE X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:hotmail|gmail|google|yahoo|msn|microsoft|outlook|paypal|xxx)\.[\w]+\b/i
8381
8382header __HELO_MISC_IP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^a-z\?]\S{0,30}(?:\d{1,3}[^\d]){4}[^\]]+ auth= /i
8383
8384header __HELO_NOT_RDNS X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!(?i)\1)\S/
8385
8386header __HELO_NO_DOMAIN X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ /
8387
8388body __HEXHASHWORD_S2EU /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}(?!-?\d{1,5}-)(?!\d{10}\s)(?:(?!--)[-0-9a-f]){10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/
8389tflags __HEXHASHWORD_S2EU multiple maxhits=4
8390
8391body __HK_LOTTO_2 /\blot(?:eri[ej]|t(?:ery|o)) ?(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department)/i
8392
8393body __HK_LOTTO_BALLOT /\b(?:promotional|on.?line|computer|internet|e-?mail|fran.aise) (?:ballot|draw|sweepstake)/i
8394
8395body __HK_LOTTO_STAATS /\bstaatsloteri/i
8396
8397ifplugin Mail::SpamAssassin::Plugin::FreeMail
8398if (version >= 3.004000)
8399 header __HK_NAME_FROM From:name =~ /^FROM\b/mi
8400endif
8401endif
8402
8403ifplugin Mail::SpamAssassin::Plugin::FreeMail
8404if (version >= 3.004000)
8405 header __HK_NAME_MR_MRS From:name =~ /^M(?:RS?|ISS)\b/mi
8406endif
8407endif
8408
8409body __HK_SCAM_N15 /\b(?:account (?:overseas?|offshore)|(?:overseas?|offshore) account)\b/i
8410
8411body __HK_SCAM_N16 /\b(?:arrangement secret|secret arrangement)\b/i
8412
8413body __HK_SCAM_N2 /\bnext of kin\b/i
8414
8415body __HK_SCAM_N3 /\bdirect telephone numbers?\b/i
8416
8417body __HK_SCAM_N8 /\byour compensation\b/i
8418
8419body __HK_SCAM_S1 /pay you the sum of/i
8420
8421body __HK_SCAM_S15 /(?:discovered a dormant account|can you be my partner)/i
8422
8423body __HK_SCAM_S25 /\bbank (?:in|of) ghana/i
8424
8425ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8426mimeheader __HK_SPAMMY_CDFN Content-Disposition =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
8427endif
8428
8429ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8430mimeheader __HK_SPAMMY_CTFN Content-Type =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
8431endif
8432
8433meta __HOSTED_IMG_DIRECT_MX __DOS_DIRECT_TO_MX && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC)
8434
8435meta __HOSTED_IMG_DQ_UNSUB __URI_DQ_UNSUB && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC)
8436
8437meta __HOSTED_IMG_FREEM ( FREEMAIL_REPLYTO || FREEMAIL_FROM ) && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_WP_REDIR || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC)
8438
8439meta __HOSTED_IMG_MULTI ( __URI_IMG_EBAY + __URI_IMG_AMAZON + __URI_IMG_ALICDN + __URI_IMG_WALMART + __URI_IMG_NEWEGG + __URI_IMG_SHOPIFY + __URI_IMG_YTIMG + __URI_IMG_JOOMCDN + __URI_IMG_WISH + __URI_IMG_WP_REDIR + __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC) > 1
8440
8441if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8442 body __HOURS_DEADLINE /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three|a few)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i
8443endif
8444
8445ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8446 body __HOURS_DEADLINE /(?:^|\s)(?:(?:<G><I><V><E>\s<Y><O><U>|<G><E><B><E>\s<I><H><N><E><N>(?:\s<N><U><R>)?|<Y><O><U>\s(?:<W><I><L><L>\s)?<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?|<W><I><T><H><I><N>)(?:(\s<T><H><E>)?\s(?:<L><A><S><T>|<N><E><X><T>))?\s(?:\d+|<O><N><E>|<T><W><O>|<T><H><R><E><E>|<A> <F><E><W>)\s?(?:<H><O><U><R><S>?|<H><R>\s?<S>?|<D><A><Y><S>?|<S><T><U><N><D><E><N>)|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\s<H><O><U><R><S>?\s<B><E><F><O><R><E>\s(?:<S><E><N><D><I><N><G>|<R><E><L><E><A><S><I><N><G>|<E><X><P><O><S><I><N><G>|<P><U><B><L><I><S><H><I><N><G>)|(?:<T><H><E>|<Y><O><U><R>)\s<D><E><A><D><L><I><N><E>\s(?:<I><S>|<W><I><L><L>\s<B><E>))/i
8447endif
8448
8449rawbody __HS_QUOTE /^> /
8450
8451header __HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/
8452
8453if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8454 meta __HTML_ATTACH_01 0
8455endif
8456
8457ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8458 mimeheader __HTML_ATTACH_01 Content-Type =~ m,\btext/html\b.+\.html?\b,i
8459endif
8460
8461if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8462 meta __HTML_ATTACH_02 0
8463endif
8464
8465ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8466 mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.html?\b,i
8467endif
8468
8469rawbody __HTML_ENTITY_ASCII /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){10}/i
8470
8471meta __HTML_ENTITY_ASCII_MINFP __HTML_ENTITY_ASCII && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML
8472
8473if !plugin(Mail::SpamAssassin::Plugin::DKIM)
8474 meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN
8475endif
8476
8477ifplugin Mail::SpamAssassin::Plugin::DKIM
8478 meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN && !DKIM_VALID
8479endif
8480
8481rawbody __HTML_FONT_TINY_01 /font-size:\s{0,5}[0-4]px;/i
8482
8483rawbody __HTML_OFF_PAGE /;(?:top|left):-\d{3,9}px;/i
8484
8485if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8486 rawbody __HTML_SHRT_CMNT_OBFU /\w<!--\s*\w+\s*-->\w/
8487 tflags __HTML_SHRT_CMNT_OBFU multiple maxhits=10
8488endif
8489
8490if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8491 meta __HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU > 5 && HTML_MESSAGE
8492endif
8493
8494rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i
8495tflags __HTML_SINGLET multiple maxhits=21
8496
8497meta __HTML_SINGLET_10 __HTML_SINGLET > 10
8498
8499meta __HTML_SINGLET_MANY __HTML_SINGLET > 20
8500
8501ifplugin Mail::SpamAssassin::Plugin::HTMLEval
8502 body __HTML_TAG_BALANCE_CENTER eval:html_tag_balance('center', '!= 0')
8503endif
8504
8505body __HUSH_HUSH /\b(?:confiden[tc]i[ae]l(?:\b|ity\b|it(?:=E9|[\xe9]|[\xc3][\xa9]))|private\b|secr[e\xe8](?:te?|cy)\b|sensitive\b|concealed\b|obscured?\b|discre(?:et|tion)\b|very\sdiscrete|top\ssecret|vertraulich(?:en)?\b|geheim\b|priv(?:e|=E9|[\xe9]|[\xc3][\xa9]))/i
8506
8507uri __IMGUR_IMG m,^https?://(?:[^.]+\.)?imgur\.com/[a-z0-9]{7}\.(?:png|gif|jpe?g)$,i
8508tflags __IMGUR_IMG multiple maxhits=4
8509
8510meta __IMGUR_IMG_2 __IMGUR_IMG == 2
8511
8512meta __IMGUR_IMG_3 __IMGUR_IMG == 3
8513
8514if !plugin(Mail::SpamAssassin::Plugin::ImageInfo)
8515 meta __IMG_LE_300K 0
8516endif
8517
8518ifplugin Mail::SpamAssassin::Plugin::ImageInfo
8519 body __IMG_LE_300K eval:pixel_coverage('all',62500,300000)
8520endif
8521
8522body __INHERIT_PMT /\binheritance\spayment\s/i
8523
8524body __INTL_BANK /\b(?:international\s(?:\w+\s)?bank|banque\sinternationale)\b/i
8525
8526body __INVEST_COUNTRY /\binvest\sin\syour?\scountry\b/i
8527
8528body __INVEST_MONEY /\binvest(?:ir)?\s(?:this|ces|d[ae]s|sur ce|de ces)\s(?:money|f[ou]nds?)\b/i
8529
8530header __IP_IN_RELAY X-Spam-Relays-External =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) (?:[^\]]* )?(?:rdns|helo)=\S*(?:\1\D\2\D\3\D\4|\4\D\3\D\2\D\1)/
8531
8532if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8533 meta __ISO_ATTACH 0
8534endif
8535
8536ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8537 mimeheader __ISO_ATTACH Content-Disposition =~ m,\bfilename="?[^"]+\.iso[";$],i
8538endif
8539
8540if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8541 meta __ISO_ATTACH_MT 0
8542endif
8543
8544ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8545 mimeheader __ISO_ATTACH_MT Content-Type =~ m,\bapplication/x-iso9660-image\b,i
8546endif
8547
8548body __IS_LEGAL /\b(?:(?:(this|esta)\s(?:deal|offer|transac[tc]i(?:o|[\xc3][\xb3])n|proposal|exchange|arrangement|work)|it)?\s[ie]s\s(?:(?:guaranteed|completely|absolutely|perfectly|100%|very|fully)\s)?(?:legal|hitch-free|seguro|legitimate)|legitimate\sarrangement|toute?\sl(?:e|=E9|[\xe9]|[\xc3][\xa9])gale)\b/i
8549
8550body __IVORY_COAST /\b(?:Cote\s?D.Ivoire|Ivory\s?Coast|Costa\sde\sMarfil)\b/i
8551
8552body __I_INHERIT /\b(?:I|eu)\s[a-z\s]{0,30}(?:inherited|herdei)\b/i
8553
8554body __I_WILL_YOU /\bwill(?:ed)?\s(?:[a-z\s]{0,20}(?:fortune|money|\$[\d,]+[a-z]{0,9})\s)?to\syou\b/i
8555
8556header __JM_REACTOR_DATE Date =~ / \+0000$/
8557
8558ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8559 mimeheader __JPEG_ATTACH Content-Type =~ /image\/jpe?g/i
8560endif
8561
8562ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8563mimeheader __KAM_BLOCK_UTF7_2 Content-Type =~ /charset=(?:unicode-\d+-\d+-)?utf-7/i
8564endif
8565
8566ifplugin Mail::SpamAssassin::Plugin::BodyEval
8567 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8568 body __KAM_BODY_LENGTH_LT_1024 eval:check_body_length('1024')
8569 describe __KAM_BODY_LENGTH_LT_1024 The length of the body of the email is less than 1024 bytes.
8570endif
8571endif
8572
8573ifplugin Mail::SpamAssassin::Plugin::BodyEval
8574 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8575 body __KAM_BODY_LENGTH_LT_128 eval:check_body_length('128')
8576 describe __KAM_BODY_LENGTH_LT_128 The length of the body of the email is less than 128 bytes.
8577endif
8578endif
8579
8580ifplugin Mail::SpamAssassin::Plugin::BodyEval
8581 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8582 body __KAM_BODY_LENGTH_LT_256 eval:check_body_length('256')
8583 describe __KAM_BODY_LENGTH_LT_256 The length of the body of the email is less than 256 bytes.
8584endif
8585endif
8586
8587ifplugin Mail::SpamAssassin::Plugin::BodyEval
8588 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8589 body __KAM_BODY_LENGTH_LT_512 eval:check_body_length('512')
8590 describe __KAM_BODY_LENGTH_LT_512 The length of the body of the email is less than 512 bytes.
8591endif
8592endif
8593
8594if !plugin(Mail::SpamAssassin::Plugin::HTMLEval)
8595meta __KAM_HTML_FONT_INVALID 0
8596endif
8597
8598ifplugin Mail::SpamAssassin::Plugin::HTMLEval
8599body __KAM_HTML_FONT_INVALID eval:html_test('font_invalid_color')
8600endif
8601
8602body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is
8603
8604header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t/
8605
8606header __KB_MSGID_OUTLOOK_888 Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/
8607
8608meta __KHOP_NO_FULL_NAME !(__NOT_A_PERSON || __FROM_ENCODED_QP || __FROM_NEEDS_MIME || __FROM_FULL_NAME)
8609
8610if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
8611 meta __LARGE_PERCENT_AFTER 0
8612endif
8613
8614if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8615 body __LARGE_PERCENT_AFTER /\d{3}% after/i
8616 tflags __LARGE_PERCENT_AFTER multiple maxhits=4
8617endif
8618
8619if !plugin(Mail::SpamAssassin::Plugin::HeaderEval)
8620 meta __LCL__ENV_AND_HDR_FROM_MATCH 0
8621endif
8622
8623ifplugin Mail::SpamAssassin::Plugin::HeaderEval
8624 meta __LCL__ENV_AND_HDR_FROM_MATCH __ENV_AND_HDR_FROM_MATCH
8625endif
8626
8627if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
8628 meta __LCL__KAM_BODY_LENGTH_LT_1024 0
8629endif
8630
8631ifplugin Mail::SpamAssassin::Plugin::BodyEval
8632if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length))
8633 meta __LCL__KAM_BODY_LENGTH_LT_1024 0
8634endif
8635endif
8636
8637ifplugin Mail::SpamAssassin::Plugin::BodyEval
8638 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8639 meta __LCL__KAM_BODY_LENGTH_LT_1024 __KAM_BODY_LENGTH_LT_1024
8640endif
8641endif
8642
8643if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
8644 meta __LCL__KAM_BODY_LENGTH_LT_128 0
8645endif
8646
8647ifplugin Mail::SpamAssassin::Plugin::BodyEval
8648if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length))
8649 meta __LCL__KAM_BODY_LENGTH_LT_128 0
8650endif
8651endif
8652
8653ifplugin Mail::SpamAssassin::Plugin::BodyEval
8654 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8655 meta __LCL__KAM_BODY_LENGTH_LT_128 __KAM_BODY_LENGTH_LT_128
8656endif
8657endif
8658
8659if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
8660 meta __LCL__KAM_BODY_LENGTH_LT_512 0
8661endif
8662
8663ifplugin Mail::SpamAssassin::Plugin::BodyEval
8664if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length))
8665 meta __LCL__KAM_BODY_LENGTH_LT_512 0
8666endif
8667endif
8668
8669ifplugin Mail::SpamAssassin::Plugin::BodyEval
8670 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8671 meta __LCL__KAM_BODY_LENGTH_LT_512 __KAM_BODY_LENGTH_LT_512
8672endif
8673endif
8674
8675meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID
8676
8677meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1
8678
8679meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR
8680
8681body __LITECOIN_ID /\b(?<!=)[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b/
8682
8683uri __LOCAL_PP_NONPPURL m'https?://(?:[A-Za-z0-9-_]+)\.(?!paypal\.com)(?:[A-Za-z0-9-_\.]+)'i
8684
8685body __LOCK_MAILBOX /\b(?:(?:deactivate|lock(?: up)?|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server)|you will be deactivated|(?:account|e?-?mail(?: ?box)?) (?:will (?:be )?)?(?:shut ?down|expire|deactivate)|we have (?:stopped|suspended) (?:processing|accepting) (?:any )?(?:incoming|new|fresh) email)/i
8686tflags __LOCK_MAILBOX multiple maxhits=2
8687
8688full __LONGLINE /^[^\r\n]{998}/m
8689
8690rawbody __LONG_INVIS_DIV /<div\s+style\s*=\s*"(?:(?<!-)visibility\s*:\s*hidden|display\s*:\s*none)\s*">[^<\s]{1400}/i
8691
8692if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8693 meta __LONG_STY_INVIS __STY_INVIS && __LONGLINE
8694endif
8695
8696if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8697 meta __LOTSA_MONEY_00 0
8698endif
8699
8700ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8701 body __LOTSA_MONEY_00 /<CURRENCY>[\s\.]?<NUM_NOT_DATE>[\dOo][,\.][\dOo]{3}(?:(?!\d)|\b)/
8702endif
8703
8704if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8705 meta __LOTSA_MONEY_01 0
8706endif
8707
8708ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8709 body __LOTSA_MONEY_01 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)[\s\.]?<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo](?<!\.00)\b/
8710endif
8711
8712if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8713 meta __LOTSA_MONEY_02 0
8714endif
8715
8716ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8717 body __LOTSA_MONEY_02 /(?<![-\d])<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo][\)\]\(]?\s?(?:<CURRENCY>|Pounds|(?i:dollars?|bucks))\b/
8718endif
8719
8720if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8721 meta __LOTSA_MONEY_03 0
8722endif
8723
8724ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8725 body __LOTSA_MONEY_03 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)<NUM_NOT_DATE>[\d.,\sOo]{0,5}[\)\]]?\s?(?i:M(?i:il+)?\b|mil+(?i:io|<O>)n|hund?[re]+a?[dt]|thousand|tausend|milh[\xf5]es)/
8726endif
8727
8728if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8729 meta __LOTSA_MONEY_04 0
8730endif
8731
8732ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8733 body __LOTSA_MONEY_04 /(?:(?<![-\d])<NUM_NOT_DATE>[\d\.,]{0,4}(?:M|\smilli?one?s|\s?mln)|million(?!s)|mill<O>n|hund?rea?d(?!s)[^\.]{1,25}thousand(?!s)|cents?[^\.]{1,25}mille|hundert[^\.]{1,30}tausend|ientos?[^\.]{1,20}mil|cent[a-z\s]{1,20}mil\s[a-z]{1,20}centos)[^\.\$]{0,50}?(?:(?:U\.?\s?S\.?\s?(?:A\.?\s?)?|united\s?states\s|E\.\s?U\.\s|canad(?:ian|a)\s|(?:ia\s)?de\s)?d(?:[o\xf3]|[\xc3][\xb3])l+are?s?|\bbucks|USD|GBP|<GB_UK>\spounds?|(?:<GB_UK>\s)?pounds?\ssterling|pounds(?!\sof)|(?:d'\s?)?euros?|francs?)\b/i
8734endif
8735
8736if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8737 meta __LOTSA_MONEY_05 0
8738endif
8739
8740ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8741 body __LOTSA_MONEY_05 /(?:(?:sum|value|amount)\sof\s)<NUM_NOT_DATE_IP>[\d.,\sO]{7,20}[\dO\.][\)\]\(\s]{0,3}(?:pounds?|dollars?|euros?|bucks)\b/i
8742endif
8743
8744meta __LOTTO_ADMITS __LOTTO_ADMITS_1 || __LOTTO_ADMITS_2 || __LOTTO_ADMITS_3 || __LOTTO_ATTACH_1 || __LOTTO_ATTACH_2
8745
8746body __LOTTO_ADMITS_1 /\b(?:on-?line|e-?mail|ballot|(?:inter)?national|state|(?:UK|euro)[- ]?(?:mil+ions?|PW)|Canada|Microsoft|MSN|internet|mega|jackpot+|Royal Heritage|foundation|cash\sgrant|mercato|univers|staatsloterij|bill\s?gates|Olympics?|swiss|this|est[ea]|internationaux de gagnants de)(?:\s(?!lot|swe|prom)\w{1,20}){0,3}\s?(?:lot(?:to|t+ery|eri[ea])|sweepstakes?|promo(?:tion|cao|cion)?|jackpot+)\b/i
8747
8748body __LOTTO_ADMITS_2 /\b(?:free)?(?:lot(?:to|tery|erie)|sweepstakes)\s(?:(?:inter)?na[tz]ional|department|bureau|group|award|microsoft)/i
8749
8750uri __LOTTO_ADMITS_3 /lott+ery/i
8751
8752meta __LOTTO_AGENT __LOTTO_AGENT_01 || __LOTTO_AGENT_02
8753
8754body __LOTTO_AGENT_01 /\b(?:(?:(?:the|y?our)(?:\s\w{1,20})?|contact|accredited|listed)\sclaim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:prize|international|intl|foreign|win+ing)(?:[\s,.]+(?:rem+it+ance|settlement|payment|payout|award|transfer))+|payment|payout|immunity|(?<!memory\s)grants?(?!\smanager))\s?(?:agent|manager|officer|secretary|director|mgr\b)/i
8755
8756body __LOTTO_AGENT_02 /\blot+ery[^\.]{1,40} ticket agent/i
8757
8758header __LOTTO_AGENT_RPLY Reply-To =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize\stransfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i
8759
8760if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8761 meta __LOTTO_ATTACH_1 0
8762endif
8763
8764ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8765 mimeheader __LOTTO_ATTACH_1 Content-Type =~ /lott(?:o|ery)/i
8766endif
8767
8768if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8769 meta __LOTTO_ATTACH_2 0
8770endif
8771
8772ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8773 mimeheader __LOTTO_ATTACH_2 Content-Disposition =~ /lott(?:o|ery)/i
8774endif
8775
8776body __LOTTO_DEPT /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)(?:\s(?:rem+it+ance|settlement|payment|award))+|payment|award|compensation|lot+ery)(?:\s\w+)?\s?(?:department|dept|unit|group|committee|bureau)/i
8777
8778body __LOTTO_RELATED /\b(?:lot+(?:o|ery)|sweepstakes)\s(?:prize|draw(?:s|ing)?|(?:ge)?win(?:n?er|n?ing)?|jackpot+|award|fund|com+it+e+|com+is+ion|guild|promotion|promocao|program|day|online|company|(?:in)?corporat|agent|co[-,]?ordinator|team)/i
8779
8780body __LOTTO_VERIFY /\bpromo\sverification/i
8781
8782body __LOTTO_WINNINGS /\b(?:claim|process(?:ing)?|transfert?(?:\s\w+)?|redeem|payment|virement|zahlung|reivindicar|demandar|remise)\s(?:(?:[a-z]{1,5}\s)?(?:your|of|the|this|de|ihrer|seu|tu)\s)+(?:win+ings?|money|(?:cash\s)?prize|award|f[ou]nds?|grant|gewinne|premio|gain)\b/i
8783
8784body __LOTTO_WIN_01 /\bwin+ing\s(?:prize|number|notification|draw|check|cheque|details|information|payment)/i
8785
8786if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8787 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8788 body __LOWER_E /e/
8789 tflags __LOWER_E multiple maxhits=230
8790endif
8791endif
8792
8793body __LUCKY_WINNER /\b(?:lucky|gl.cklich(?:en)?|afortunados)\s(?:(?:ge)?win+ers?|ganador(?:es)?|individuals?)\b/i
8794
8795body __LUCRATIVE /\b(?:lucrative|profitable|tr[\xe8]s\ssalutaire)\b/i
8796
8797rawbody __L_BODY_8BITS /[\x80-\xff]/
8798
8799header __L_CTE_7BIT Content-Transfer-Encoding =~ /^7bit$/
8800
8801body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|quota is running low|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i
8802
8803body __MAILBOX_FULL_SE /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i
8804
8805header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/
8806
8807body __MAIL_ACCT_ACCESS1 /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i
8808
8809body __MAIL_ACCT_ACCESS2 /\blo+se ac+es+ to your (?:web|e-?)?mail ?(?:account|log-?in|box|address)\b/i
8810
8811uri __MAIL_LINK /\?.{0,200}\w\@[\w-]{1,20}.\w\w\w?\b/i
8812tflags __MAIL_LINK nice
8813
8814body __MAKE_XTRA_DOLLAR /\bmake an extra dollar\b/i
8815
8816header __MALF_MIME_VER MIME-Version =~ /^1\.0\S/
8817
8818meta __MALWARE_NORDNS __MY_MALWARE && __RDNS_NONE
8819
8820meta __MALWARE_PASSWORD __MY_MALWARE && __PASSWORD
8821
8822ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8823 meta __MALW_ATTACH __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02 || __MALW_ATTACH_02_01 || __MALW_ATTACH_02_02
8824endif
8825
8826if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8827 meta __MALW_ATTACH_01_01 0
8828endif
8829
8830ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8831 mimeheader __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]+|\*(?:\d+\*)?=(?:UTF-8'')?\S+)\.SettingContent-ms\b/i
8832endif
8833
8834if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8835 meta __MALW_ATTACH_01_02 0
8836endif
8837
8838ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8839 mimeheader __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i
8840endif
8841
8842if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8843 meta __MALW_ATTACH_02_01 0
8844endif
8845
8846ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8847 mimeheader __MALW_ATTACH_02_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:invoice|statement|(?:\.|%C2%B7|[\xc2][\xb7]|_)(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|7z|rar|r17|gz)[";$]/i
8848endif
8849
8850if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8851 meta __MALW_ATTACH_02_02 0
8852endif
8853
8854ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8855 mimeheader __MALW_ATTACH_02_02 Content-Type =~ /\bname="?[^"]*(?:invoice|statement|(?:\.|[\xc2][\xb7]|_)(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|7z|rar|r17|gz)[";$]/i
8856endif
8857
8858meta __MANY_HDRS_LCASE __HDRS_LCASE > 1
8859
8860meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4)
8861
8862header __MAY_BE_FORGED Received =~ /\(may be forged\)/
8863
8864header __MID_START_001C Message-ID =~ /^<000001c/
8865
8866body __MILLIONS /\bmillions\sof\s(?:dollar|euro|pound)/i
8867
8868header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/
8869
8870meta __MIMEOLE_DIRECT_TO_MX __HAS_MIMEOLE && __DOS_DIRECT_TO_MX
8871
8872header __MIME_BDRY_0D0D Content-Type =~ /boundary="-{12}(?:0[1-9]){12}/
8873
8874if !((version >= 3.004000))
8875 meta __MIME_CTYPE_IN_BODY 0
8876endif
8877
8878if (version >= 3.004000)
8879 body __MIME_CTYPE_IN_BODY /^Content-Type:\s/
8880endif
8881
8882if !((version >= 3.004000))
8883 meta __MIME_MALF 0
8884endif
8885
8886if (version >= 3.004000)
8887 meta __MIME_MALF __CTYPE_MULTIPART_ANY && __MIME_CTYPE_IN_BODY
8888endif
8889
8890if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8891 meta __MIME_NO_TEXT 0
8892endif
8893
8894ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8895 meta __MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH)
8896endif
8897
8898ifplugin Mail::SpamAssassin::Plugin::MIMEEval
8899 rawbody __MIME_QPC eval:check_for_mime('mime_qp_count')
8900endif
8901
8902header __MISSING_REF References =~ /^UNSET$/ [if-unset: UNSET]
8903
8904header __MISSING_REPLY In-Reply-To =~ /^UNSET$/ [if-unset: UNSET]
8905
8906rawbody __MIXED_AREA_CASE /<(?!AREA|area)[Aa][Rr][Ee][Aa]\s/
8907
8908rawbody __MIXED_CENTER_CASE /<(?!CENTER|center)[Cc][Ee][Nn][Tt][Ee][Rr]>/
8909
8910rawbody __MIXED_FONT_CASE /<(?!FONT|font)[Ff][Oo][Nn][Tt]\s/
8911
8912rawbody __MIXED_HREF_CASE_JH /<[Aa](?i:rea)?\s+(?!HREF|href)[Hh][Rr][Ee][Ff]=/
8913
8914rawbody __MIXED_IMG_CASE_JH /<(?!IMG|img)[Ii][Mm][Gg]\s/
8915
8916header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/
8917
8918meta __MONERO (__MONERO_ID || __MONERO_CURNCY || __URI_MONERO || __FUZZY_MONERO)
8919
8920body __MONERO_CURNCY /Monero \(XMR\)/
8921
8922body __MONERO_ID /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93,104}\b/
8923
8924meta __MONEY_ATM_CARD LOTS_OF_MONEY && __ATM_CARD
8925
8926meta __MONEY_FORM LOTS_OF_MONEY && __FILL_THIS_FORM
8927
8928meta __MONEY_FORM_SHORT LOTS_OF_MONEY && __FILL_THIS_FORM_SHORT
8929
8930meta __MONEY_FRAUD_3 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3)
8931
8932meta __MONEY_FRAUD_5 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)
8933
8934meta __MONEY_FRAUD_8 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 8)
8935
8936ifplugin Mail::SpamAssassin::Plugin::FreeMail
8937 meta __MONEY_FREEMAIL_REPTO LOTS_OF_MONEY && __freemail_hdr_replyto
8938endif
8939
8940meta __MONEY_FROM_41 __NSL_RCVD_FROM_41 && LOTS_OF_MONEY
8941
8942body __MOVE_MONEY /\b(?:(?:receive|re-?profile|transfer(?:ring|ir|t)?|release|repatriat(?:e|ion)|rapatrier|secure|r(?:e|=E9|[\xe9]|[\xc3][\xa9])clamation|possession|virer|dona(?:te|r)|depositante|dep[\xc3][\xb3]sito)\s(?:th(?:e(?:se)?|is)|d[ae]s|sur ce|de ce[st]|cet|est[eao]s?|del?)|re-?profiling|receive|re-?locat(?:e|ing)(?:\s\w{1,15})?)\s(?:of\s|your\s|the\s){0,2}(?:sums?\sof\s|inheritance\s)?(?:proceeds|funds?|money|balance|account|g[eo]ld|compte|fond[so]{1,2}|dinero|argent)\b/i
8943
8944meta __MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_MAYBE && __HAS_ANY_URI && __HTML_LINK_IMAGE
8945
8946header __MSGID_GUID Message-ID =~ /^<?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\@/i
8947
8948header __MSGID_HEXISH Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/
8949
8950header __MSGID_HEX_UID Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/
8951
8952header __MSGID_JAVAMAIL Message-ID =~ /\.JavaMail\./
8953tflags __MSGID_JAVAMAIL nice
8954
8955header __MSGID_LIST Message-ID =~ /-\w+\#[\w.]+\.\w{2,4}\@/
8956tflags __MSGID_LIST nice
8957
8958header __MSGID_NOFQDN1 Message-ID =~ /<[^\@]*>/m
8959
8960header __MSGID_NOFQDN2 Message-ID =~ /<.*\@[A-Za-z0-9]+>/m
8961
8962meta __MSMAIL_PRI_ABNORMAL __HAS_MSMAIL_PRI && !__MSMAIL_PRI_NORMAL
8963
8964header __MSMAIL_PRI_HIGH X-MSMail-Priority =~ /^(?:high|urgent)$/i
8965
8966header __MSMAIL_PRI_NORMAL X-MSMail-Priority =~ /^normal$/i
8967
8968meta __MSM_PRIO_REPTO __HAS_MSMAIL_PRI && __HAS_REPLY_TO && __SUBJ_SHORT
8969
8970header __MSOE_MID_WRONG_CASE ALL =~ /\nMessage-Id: /
8971
8972header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/
8973
8974header __MUA_TBIRD User-Agent =~ /^Mozilla\/(.*) Thunderbird/
8975
8976body __MY_FORTUNE /\b(?:my|his|her)\s(?:fortune|heritage)\b/i
8977
8978if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8979 body __MY_MALWARE /\b(?:(?:I(?:'ve|\shave)?\s(?:put|set\s?up|installed|buil[td]\sin|placed)\s(?:a\s)?|my\s(?:personal\s|background\s|hidden\s)?)(?:mal+ware|virus|spy\s?ware|trojan|program\srecorded|expl[o0]it|backdoor|(?:sneaky\s|hidden\s|malicious\s)+(?:app|stuff))|(?:application|mal+ware)[^\.]{1,30}(?:enable[sd]|allow(?:s|ed))\sme\sto\s(?:access|control)|I\s(?:contaminated|infected|hacked|toxified|poisoned)\s(?:your|this)\s(?:machine|computer|gadget|(?:smart\s?)?phone|device|email)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|mein\shinterhältiges\sProgramm|I\s?am\s?a\s?hacker|(?:(?:trojan|virus|spyware|mal+ware)\s)+giv(?:es|ing)\sme)\b/i
8980endif
8981
8982ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8983 body __MY_MALWARE /(?:^|\s)(?:(?:<I>(?:'<V><E>|\s<H><A><V><E>)?\s(?:<P><U><T><|><S><E><T>\s?<U><P>|<I><N><S><T><A><L><L><E><D>|<B><U><I><L>(?:<T>|<D>)\s<I><N>|<P><L><A><C><E><D>)\s(?:<A>\s)?|<M><Y>\s(?:<P><E><R><S><O><N><A><L>\s|<B><A><C><K><G><R><O><U><N><D>\s|<H><I><D><D><E><N>\s)?)(?:<M><A><L>+<W><A><R><E>|<V><I><R><U><S>|<S><P><Y>\s?<W><A><R><E>|<T><R><O><J><A><N>|<P><R><O><G><R><A><M>\s<R><E><C><O><R><D><E><D>|<E><X><P><L>(?:<O>|0)<I><T>|<B><A><C><K><D><O><O><R>|(?:<S><N><E><A><K><Y>\s|<H><I><D><D><E><N>\s|<M><A><L><I><C><I><O><U><S>\s)+(?:<A><P><P>|<S><T><U><F><F>))|(?:<A><P><P><L><I><C><A><T><I><O><N>|<M><A><L>+<W><A><R><E>)[^\.]{1,30}(?:<E><N><A><B><L><E>(?:<D>|<S>)|<A><L><L><O><W>(?:<S>|<E><D>))\s<M><E>\s<T><O>\s(?:<A><C><C><E><S><S>|<C><O><N><T><R><O><L>)|<I>\s(?:<C><O><N><T><A><M><I><N><A><T><E><D>|<I><N><F><E><C><T><E><D>|<H><A><C><K><E><D>|<T><O><X><I><F><I><E><D>|<P><O><I><S><O><N><E><D>)\s(?:<Y><O><U><R>|<T><H><I><S>)\s(?:<M><A><C><H><I><N><E>|<C><O><M><P><U><T><E><R>|<G><A><D><G><E><T>|(?:<S><M><A><R><T>\s?)?<P><H><O><N><E>|<D><E><V><I><C><E>|<E><M><A><I><L>)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|<M><E><I><N>\s<H><I><N><T><E><R><H><A><L><T><I><G><E><S>\s<P><R><O><G><R><A><M>+|<I>\s?<A><M>\s?<A>\s?<H><A><C><K><E><R>|(?:(?:<T><R><O><J><A><N>|<V><I><R><U><S>|<S><P><Y><W><A><R><E>|<M><A><L>+<W><A><R><E>)\s)+<G><I><V>(?:<E><S>|<I><N><G>)\s<M><E>)[\s\.,]/i
8984endif
8985
8986if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8987 body __MY_VICTIM /\b(?:hi|hello),?(?:\smy)?\s(?:victim|prey)\b/i
8988endif
8989
8990ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8991 body __MY_VICTIM /(?:<H><I>|<H><E><L><L><O>),?(?:\s<M><Y>)?\s(?:<V><I><C><T><I><M>|<P><R><E><Y>)/i
8992endif
8993
8994header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/
8995
8996meta __NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL
8997
8998header __NAME_EQ_EMAIL From:raw =~ /([\w+.-]+\@[\w.-]+\.\w\w+)["'`\s]*<\s*\1>/i
8999
9000header __NAME_IS_EMAIL From:raw =~ /\w\@[\w.-]+\.\w\w+["'`]*\s*<\w+\@\w/
9001
9002meta __NEWEGG_IMG_NOT_RCVD_NEGG __URI_IMG_NEWEGG && !__HDR_RCVD_NEWEGG
9003
9004body __NEXT_OF_KIN /\bnext[-\s]of[-\s]kin\b/i
9005
9006body __NIGERIA /\bnigeria\b/i
9007
9008meta __NOT_A_PERSON __VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO
9009tflags __NOT_A_PERSON nice
9010
9011body __NOT_DEAD_YET /\b(?:will\sinherit|que\sherede|your\sdeath|your?\sbeing\sdead)\b/i
9012
9013body __NOT_SCAM /\b(?:not\sa\sscam|(?:not|never)\sscam\syou)\b/i
9014
9015tflags __NOT_SPOOFED nice
9016
9017if !(!plugin(Mail::SpamAssassin::Plugin::DKIM))
9018if !plugin(Mail::SpamAssassin::Plugin::SPF)
9019 meta __NOT_SPOOFED DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, no SPF
9020endif
9021endif
9022
9023if !(!plugin(Mail::SpamAssassin::Plugin::DKIM))
9024 ifplugin Mail::SpamAssassin::Plugin::SPF
9025 meta __NOT_SPOOFED SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, yes SPF
9026endif
9027endif
9028
9029if !plugin(Mail::SpamAssassin::Plugin::DKIM)
9030if !plugin(Mail::SpamAssassin::Plugin::SPF)
9031 meta __NOT_SPOOFED __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, no SPF.
9032endif
9033endif
9034
9035if !plugin(Mail::SpamAssassin::Plugin::DKIM)
9036 ifplugin Mail::SpamAssassin::Plugin::SPF
9037 meta __NOT_SPOOFED SPF_PASS || __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, yes SPF
9038endif
9039endif
9040
9041meta __NO_INR_YES_REF (__XM_GNUS || __XM_MSOE5 || __XM_MSOE6 || __XM_MOZ4 || __XM_SKYRI || __XM_WWWMAIL || __UA_GNUS || __UA_KNODE || __UA_MUTT || __UA_PAN || __UA_XNEWS)
9042
9043header __NSL_ORIG_FROM_41 X-Originating-IP =~ /^(?:.+\[)?41\./
9044describe __NSL_ORIG_FROM_41 Originates from 41.0.0.0/8
9045
9046header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./
9047describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8
9048
9049header __NUMBEREND_TLD From:addr =~ /\@[a-z]{2,}[0-9]{4,}(\.[a-z]{2,4})?\.[a-z]+$/i
9050
9051header __NUMBERONLY_TLD From:addr =~ /\@[0-9]{4,}(\.[a-z]{2,4})?\.[a-z]+$/i
9052
9053header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/
9054
9055if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9056 meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) )
9057endif
9058
9059ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9060 meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) )
9061endif
9062
9063if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9064 meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) )
9065endif
9066
9067ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9068 meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) )
9069endif
9070
9071body __OBFU_UNSUB_UL /(?:click_here|remove_your|our_e?mail|this_list|to_unsubscribe|future_e?mail|our_list)/
9072
9073if !plugin(Mail::SpamAssassin::Plugin::ImageInfo)
9074 meta __ONE_IMG 0
9075endif
9076
9077ifplugin Mail::SpamAssassin::Plugin::ImageInfo
9078 body __ONE_IMG eval:image_count('all',1,1)
9079endif
9080
9081header __OPERA_MID_NON_OP Message-ID =~ /^<[^o][^p]\./
9082
9083body __ORDER_TODAY /\border (?:it|one|yours|this) (?:today|now|right\saway)\b/i
9084
9085body __OUR_BEHALF /\b(?:on\s(?:my|our)\sbehalf|of\sbehalf\sof)\b/i
9086
9087ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9088mimeheader __PART_CID_STOCK_LESS Content-ID =~ /^<00[a-f0-9]{10}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[A-Za-z]+>$/
9089endif
9090
9091ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9092mimeheader __PART_STOCK_CD_F Content-Disposition =~ /filename/
9093endif
9094
9095ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9096mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/
9097endif
9098
9099ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9100mimeheader __PART_STOCK_CL Content-Location =~ /./
9101endif
9102
9103body __PASSIVE_INCOME /\bpassive income\b/i
9104
9105body __PASSWORD /\bp[-\s_]?a[-\s_]?s[-\s_]?s[-\s_]?w[-\s_]?o[-\s_]?r[-\s_]?d\b/i
9106
9107body __PASSWORD_EXP_CLUMSY /\bpassword is due for expiration yesterday\b/i
9108
9109body __PASSWORD_UPGRADE /\bpassword upgrade\b/i
9110
9111body __PAXFUL /\bp-?a+-?x+-?f-?u+-?l\b/i
9112
9113if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9114 body __PAY_ME /\b(?:pay\sme|(?:(?:send|transmit|give)\s(?:to\s)?me|(?:send(?:en\ssie)?|transfer)\s(?:the\samount\sof|exactly|genau)|I\swant|den\sbetrag\svon|payment\sof)\s(?:[\d,'.\$£]+\s?(?:usd?|eur?(?:os)?|gbp|BTC)?|bitcoin|BTC)|(?:make|perform|send|transmit)\sthe\spayment|amount\sfor\smy\ssilence|(?:pay|fund)\sthis\s(?:bitcoin|monero)[-\s](?:address|wallet|brieftasche)|my bribe(?:ry)?)\b/i
9115endif
9116
9117ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9118 body __PAY_ME /(?:^|\s)(?:<P><A><Y>\s<M><E>|(?:(?:<S><E><N><D>|<T><R><A><N><S><M><I><T>|<G><I><V><E>)\s(?:<T><O>\s)?<M><E>|(?:<S><E><N><D>(?:<E><N>\s<S><I><E>)?|<T><R><A><N><S><F><E><R>)\s(?:<T><H><E>\s<A><M><O><U><N><T>\s<O><F>|<E><X><A><C><T><L><Y>|<G><E><N><A><U>)|<I>\s<W><A><N><T>|<D><E><N>\s<B><E><T><R><A><G>\s<V><O><N>|<P><A><Y><M><E><N><T>\s<O><F>)\s(?:[\d,'.\$£]+\s?(?:<U><S><D>?|<E><U><R>?(?:<O><S>)?|<G><B><P>|<B><T><C>)?|<B><I><T><C><O><I><N>|<B><T><C>)|(?:<M><A><K><E>|<P><E><R><F><O><R><M>|<S><E><N><D>|<T><R><A><N><S><M><I><T>)\s<T><H><E>\s<P><A><Y><M><E><N><T>|<A><M><O><U><N><T>\s<F><O><R>\s<M><Y>\s<S><I><L><E><N><C><E>|(?:<P><A><Y>|<F><U><N><D>)\s<T><H><I><S>\s(?:<B><I><T><C><O><I><N>|<M><O><N><E><R><O>)[-\s](?:<A><D><D><R><E><S><S>|<W><A><L><L><E><T>|<B><R><I><E><F><T><A><S><C><H><E>|<M><Y> <B><R><I><B><E>(?:<R><Y>)?))[\s\.,]/i
9119endif
9120
9121body __PAY_YOU /\bpay\syou\b/
9122
9123if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9124 meta __PCT_FOR_YOU 0
9125endif
9126
9127ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9128 meta __PCT_FOR_YOU __PCT_FOR_YOU_1 || __PCT_FOR_YOU_2 || __PCT_FOR_YOU_3 || T_SHARE_50_50
9129endif
9130
9131if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9132 meta __PCT_FOR_YOU_1 0
9133endif
9134
9135ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9136 body __PCT_FOR_YOU_1 /<PERCENT>[\s)]{0,3}(?:(?:of\s[\w\s]{0,35}?)?(?:for|to|as)\syour?|(?:[^\s.]{1,15}\s)?an uns beide)/i
9137endif
9138
9139if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9140 meta __PCT_FOR_YOU_2 0
9141endif
9142
9143ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9144 body __PCT_FOR_YOU_2 /\b(?:(?:give|offer)\syou|vous\s(?:aurez\sdroit\s(?:=E0|[\xe0])|donnerai|all(?:e|=E9|[\xe9]|[\xc3][\xa9])\srecevoir\sautour\sde)|ihnen)\s<PERCENT>/i
9145endif
9146
9147if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9148 meta __PCT_FOR_YOU_3 0
9149endif
9150
9151ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9152 body __PCT_FOR_YOU_3 /\byour?\s(?!can)(?:(?!you)\w{1,15}\s){0,10}(?:(?:share|entiti?le(?:d|ment)?|percentage|fee|assist(?:ance)?|comp[ea]nsat(?:ed?|tion)|reward(?:ed)?|renumerat(?:e|tion)|com+is+ion|paid|deduct|account|tage|(?:will|shall|would|(?:are|stand|going)\sto)\s(?:be\s)?(?:tak(?:e|ing)|earn|get(?:ting)?|remit|subtract|with+old)|(?:deduct|taken?|subtract(?:ed)?)\syour|keep(?:ing)?|receiv(?:e|ing)|retain(?:ing)?|have|half|giv(?:en|ing)|paid|(?:give|pay|offer)\s(?:me|you|him)|bank\saccount|to\s(?:take|use)|(?:time|country)\sand|ratio\sof)(?:\s(?!you)\w{1,15}){0,10})\s(?<!by\s)(?<!up\sto\s)<PERCENT>/i
9153endif
9154
9155if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9156 meta __PCT_OF_PMTS 0
9157endif
9158
9159ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9160 body __PCT_OF_PMTS /<PERCENT>[\s)]+(?:of\s[\w\s]{0,35}?)?(?:of|du|de)\s(?:(?:the|la)\s)?(?:total\s)?(?:payments?|rem+it+ances?|capital|chec(?:k|que)s?|mon(?:ey|ies)|suma?)/i
9161endif
9162
9163if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
9164 meta __PDF_ATTACH 0
9165endif
9166
9167ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9168 meta __PDF_ATTACH (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2)
9169endif
9170
9171if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
9172 meta __PDF_ATTACH_FN1 0
9173endif
9174
9175ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9176 mimeheader __PDF_ATTACH_FN1 Content-Type =~ /="[^"]+\.pdf"/i
9177endif
9178
9179if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
9180 meta __PDF_ATTACH_FN2 0
9181endif
9182
9183ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9184 mimeheader __PDF_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.pdf"/i
9185endif
9186
9187if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
9188 meta __PDF_ATTACH_MT 0
9189endif
9190
9191ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9192 mimeheader __PDF_ATTACH_MT Content-Type =~ m,\bapplication/pdf\b,i
9193endif
9194
9195ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9196 header __PDS_BTC_ANON From:name =~ /\bAnon/
9197endif
9198
9199ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9200 meta __PDS_BTC_BADFROM ( __PDS_BTC_HACKER || __PDS_BTC_PIRATE )
9201endif
9202
9203ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9204 header __PDS_BTC_HACKER From:name =~ /h<A>ck<E>r/i
9205endif
9206
9207meta __PDS_BTC_ID ( __BITCOIN_ID && !__URL_BTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG)
9208
9209ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9210 header __PDS_BTC_PIRATE From:name =~ /p<I>r<A>t<E>/i
9211endif
9212
9213ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9214if (version >= 3.004000)
9215header __PDS_CASHSHORTENER eval:check_uri_host_listed('PDS_CASHSHORTENER')
9216endif
9217endif
9218
9219uri __PDS_DOUBLE_URL m;https?://[\S]+(?:\?|=)https?://[\S]+[\w]+$;
9220
9221if (version >= 3.004002)
9222ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9223body __PDS_EXPIRATION_NOTICE /\bexpiration (notice|alert|date)\b/i
9224endif
9225endif
9226
9227if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
9228 header __PDS_FROM_2_EMAILS From =~ /(?:^|<|"| )([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i
9229endif
9230
9231header __PDS_FROM_GMAIL From:addr =~ /\@g(?:oogle)?mail\.com$/i
9232
9233header __PDS_FROM_NAME_TO_DOMAIN ALL =~ /From: ["']?([a-z0-9\.-]+\.[0-9a-z\.-]+)["']? [^\n]+\nTo:[^\n]+\@\1/ism
9234
9235header __PDS_GMAIL_MID Message-Id =~ /\@mail.gmail.com>$/
9236
9237meta __PDS_GOOGLE_DRIVE_SHARE (__PDS_GOOGLE_DRIVE_SHARE_1 + __PDS_GOOGLE_DRIVE_SHARE_2 + __PDS_GOOGLE_DRIVE_SHARE_3 >= 2)
9238
9239header __PDS_GOOGLE_DRIVE_SHARE_1 References =~ /\@docs\-share\.google\.com\>/
9240
9241header __PDS_GOOGLE_DRIVE_SHARE_2 From:addr =~ /^drive\-shares\-noreply\@google\.com$/
9242
9243header __PDS_GOOGLE_DRIVE_SHARE_3 X-Envelope-From:addr =~ /\@doclist\.bounces\.google\.com$/
9244
9245ifplugin Mail::SpamAssassin::Plugin::AskDNS
9246meta __PDS_HP_HELO_NODNS (__HELO_HIGHPROFILE && !__HELO_DNS)
9247tflags __PDS_HP_HELO_NODNS net
9248endif
9249
9250ifplugin Mail::SpamAssassin::Plugin::HTMLEval
9251meta __PDS_HTML_LENGTH_1024 __HTML_LENGTH_0000_1024
9252endif
9253
9254ifplugin Mail::SpamAssassin::Plugin::HTMLEval
9255meta __PDS_HTML_LENGTH_2048 __HTML_LENGTH_0000_1024 || __HTML_LENGTH_1024_1536 || __HTML_LENGTH_1536_2048
9256endif
9257
9258meta __PDS_LITECOIN_ID (__LITECOIN_ID && !__URL_LTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG)
9259
9260meta __PDS_MSG_1024 (__KAM_BODY_LENGTH_LT_1024 || __PDS_HTML_LENGTH_1024)
9261
9262meta __PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512)
9263
9264if (version >= 3.004001)
9265ifplugin Mail::SpamAssassin::Plugin::AskDNS
9266meta __PDS_NEWDOMAIN (__FROM_FMBLA_NEWDOM || __FROM_FMBLA_NEWDOM14 || __FROM_FMBLA_NEWDOM28)
9267tflags __PDS_NEWDOMAIN net
9268endif
9269endif
9270
9271if (version >= 3.004002)
9272ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9273body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (United States|USA)/i
9274endif
9275endif
9276
9277if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
9278 meta __PDS_QP_1024 0
9279endif
9280
9281ifplugin Mail::SpamAssassin::Plugin::MIMEEval
9282 meta __PDS_QP_1024 (__MIME_QPC > 0) && (__MIME_QPC < 1024)
9283endif
9284
9285if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
9286 meta __PDS_QP_128 0
9287endif
9288
9289ifplugin Mail::SpamAssassin::Plugin::MIMEEval
9290 meta __PDS_QP_128 (__MIME_QPC > 0) && (__MIME_QPC < 128)
9291endif
9292
9293if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
9294 meta __PDS_QP_512 0
9295endif
9296
9297ifplugin Mail::SpamAssassin::Plugin::MIMEEval
9298 meta __PDS_QP_512 (__MIME_QPC > 0) && (__MIME_QPC < 512)
9299endif
9300
9301if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
9302 meta __PDS_QP_64 0
9303endif
9304
9305ifplugin Mail::SpamAssassin::Plugin::MIMEEval
9306 meta __PDS_QP_64 (__MIME_QPC > 0) && (__MIME_QPC < 64)
9307endif
9308
9309header __PDS_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(mta|mail|mx|smtp)\b\S* /i
9310
9311if (version >= 3.004002)
9312ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9313body __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i
9314endif
9315endif
9316
9317if (version >= 3.004002)
9318ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9319body __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i
9320endif
9321endif
9322
9323if (version >= 3.004002)
9324ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9325body __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i
9326endif
9327endif
9328
9329ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9330if (version >= 3.004000)
9331meta __PDS_SHORT_URL __SHORT_URL && !__URL_SHORTENER && !__PDS_URISHORTENER && !ALL_TRUSTED
9332endif
9333endif
9334
9335if (version >= 3.004001)
9336ifplugin Mail::SpamAssassin::Plugin::AskDNS
9337tflags __PDS_SPF_ONLYALL net
9338endif
9339endif
9340
9341header __PDS_TONAME_EQ_TOLOCAL To:raw =~ /^\s*['"]?([^'"]+)['"]? <?\1\@/
9342
9343if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
9344 header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism
9345endif
9346
9347if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
9348 header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism
9349endif
9350
9351ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9352if (version >= 3.004000)
9353meta __PDS_TO_SUBJ_URISHRT __TO_IN_SUBJ && (__PDS_URISHORTENER || __URL_SHORTENER) && __PDS_MSG_1024
9354endif
9355endif
9356
9357ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9358if (version >= 3.004000)
9359header __PDS_URISHORTENER eval:check_uri_host_listed('PDS_URISHORTENER')
9360endif
9361endif
9362
9363meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0
9364
9365body __PENDING_MESSAGES /\b(?:messages pending|(?:your|\d+[\])}]?) (?:pending|un(?:delivered|received)) (?:messages|e?-?mails))\b/i
9366
9367body __PERFECT_BINARY /\bperfect binary option\b/i
9368
9369ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9370 mimeheader __PHISH_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:\.|%C2%B7|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i
9371endif
9372
9373ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9374 mimeheader __PHISH_ATTACH_01_02 Content-Type =~ /\bname="?[^"]*(?:\.|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i
9375endif
9376
9377meta __PHISH_FBASE_01 (__URI_FIREBASEAPP || __URI_WEBAPP) && __PDS_FROM_NAME_TO_DOMAIN && __MAIL_LINK
9378
9379if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9380 body __PHOTO_RETOUCHING /\b(?:(?:retouching|(?:image|photo|pic)s? (?:[a-z]{1,15} ){0,3}(?:edit(?:ing|ors)|team|(?:cut+|mask|clip+|clean|crop+|resiz|enhanc|etch)ing|cut+(?:ing)?[-\s]?out|enhancement|manipulation|restoration|compositing|working|(?:color|contrast|brightnes+|background|make-?up) (?:cor+ection|change)|solution|work|services?)|(?<!that\s)(?<!\.\s)your (?:imag(?:es|ing)|pics)|photo\s?shop (?:expert|service)s?|(?:deliver (?:the|your) |(?:(?:send|throw|ship|drop|deliver|give|provide|e-?mail) us|(?:cut+(?:ing)?[-\s]?out|masking|(?:test|edit)(?:ing)?) (?:for|of|on|with)) (?:(?:an?|one|your|some|sample|test|example|the) )+)(?:image|photo|pic)s?|(?:proces+|edit)(?:\sover|\smore th[ae]n)? \d{2,5}\D? (?:image|photo|pic)s|improv(?:e|ing) (?:(?:image|photo|picture|pic) (?:quality|lighting)|(?:(?:image|photo|picture|pic) )?(?:resolution|contrast|background|color))|cor+ecting (?:color|contrast|brightnes+|background))\b|(?:e-?com+erce|website|jew[el]+r(?:[y's]+|ies)|model+(?:s|ing)?|products?|portraits?|graduation['s]*|school['s]*|bab(?:[y's]+|ies)|famil(?:[y's]+|ies)|kids|wedding|beauty|glamou?r|catalog['s]*|store['s]*|shop['s]*|(?:cut+(?:ing)?[-\s]?out|clip+ing\spath|(?:all|any) kinds? of|enhance|retouch|edit(?:ing)?)[,;]?(?:\s[a-z]{1,15}){0,4})\s(?:image|photo|pic)s?(?:[.,?]|$|\sand\b|\sor\b|\setc\b)|\b(?:imag(?:es|ing)|photos)\s\d+$)/i
9381 tflags __PHOTO_RETOUCHING multiple maxhits=5
9382endif
9383
9384header __PHPMAILER_MUA X-Mailer =~ /^PHPMailer\b/
9385
9386meta __PHP_MUA __PHP_MUA_1 || __PHP_MUA_2
9387
9388header __PHP_MUA_1 X-Mailer =~ /^PHP\s?v?\/?\d\./
9389
9390header __PHP_MUA_2 X-Mailer =~ /^PHP\d$/
9391
9392header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/
9393
9394meta __PHP_ORIG_SCRIPT_SONLY __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B)
9395
9396if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
9397 meta __PILL_PRICE_01 0
9398endif
9399
9400if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9401 body __PILL_PRICE_01 m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i
9402 tflags __PILL_PRICE_01 multiple maxhits=3
9403endif
9404
9405if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
9406 meta __PILL_PRICE_02 0
9407endif
9408
9409if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9410 body __PILL_PRICE_02 /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i
9411 tflags __PILL_PRICE_02 multiple maxhits=3
9412endif
9413
9414body __PLS_REVIEW /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i
9415
9416ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
9417header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()
9418endif
9419
9420ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
9421header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
9422endif
9423
9424uri __PS_TEST_LOC_WP m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,128}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf|\.svg)[^?]{4}(?:\?[^?]{1,5})?$;i
9425
9426body __PUMPDUMP_01 /\b(?:times|multiply|tripl(?:e|ing)|quadrupl(?:e|ing)|quintupl(?:e|ing)) (?:your|an) (?:princip(?:al|le)|investment)\b/i
9427
9428body __PUMPDUMP_02 /\b(?:sto[ck]{2}|share price) (?:will |may |is (?:(?:about|poised|positioned|ready) to |gonna ))?(?:triple|quadruple|quintuple|soar|go(?:es?) (?:nuts|crazy|sky high|way up))\b/i
9429
9430body __PUMPDUMP_03 /\bbuy (?:[^.!]{1,30} )?(?:(?:(?:mon|tues|wednes|thurs|fri)day|tomorrow) (?:first thing|open|morning)|(?:first thing|opens|before) (?:(?:mon|tues|wednes|thurs|fri)day|tomorrow))/i
9431
9432body __PUMPDUMP_04 /\bmake you (?:big bucks|hundreds|thousands)\b/i
9433
9434body __PUMPDUMP_05 /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i
9435
9436body __PUMPDUMP_06 /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i
9437
9438body __PUMPDUMP_07 /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i
9439
9440body __PUMPDUMP_08 /\b?(:sto[ck]{2}|sotk) of the year/i
9441
9442body __PUMPDUMP_09 /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i
9443
9444body __PUMPDUMP_10 /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i
9445
9446body __RANDOM_PICK /\b(?:random(?:ly)?\s(?:\w+\s)?(?:select(?:ion|ed)|pick(?:ed)?|computer)|(?:select|pick)ed\s(?:at\s)?random(?:ly)?|(?:esco(?:g|lh)idos|seleccion) (?:aleatoria(?:mente)?|al azar))\b/i
9447
9448header __RAND_HEADER ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent|Tracking-Code)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism
9449tflags __RAND_HEADER multiple maxhits=4
9450
9451meta __RAND_HEADER_2 __RAND_HEADER > 1
9452
9453header __RAND_MKTG_HEADER ALL =~ /^X-(?:[a-z]{2}){1,2}-(?:EBS|(?:Tracking|Subscriber|Delivery|Customer|Campaign)-[DSU]?id):/ism
9454
9455header __RATWARE_BOUND_A ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{10,400}boundary="----=_NextPart_000_...._\1\./msi # "
9456
9457header __RATWARE_BOUND_B ALL =~ /boundary="----=_NextPart_000_...._([0-9a-f]{8})\..{10,400}^Message-Id: <....\1\$[0-9a-f]{8}\$/msi # "
9458
9459header __RCD_RDNS_MAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmail[^a-z]/i
9460tflags __RCD_RDNS_MAIL nice
9461
9462header __RCD_RDNS_MAIL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mail/i
9463tflags __RCD_RDNS_MAIL_MESSY nice
9464
9465header __RCD_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmta[^a-z]/i
9466tflags __RCD_RDNS_MTA nice
9467
9468header __RCD_RDNS_MTA_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mta/i
9469tflags __RCD_RDNS_MTA_MESSY nice
9470
9471header __RCD_RDNS_MX X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmx[^a-z]/i
9472tflags __RCD_RDNS_MX nice
9473
9474header __RCD_RDNS_MX_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mx/
9475tflags __RCD_RDNS_MX_MESSY nice
9476
9477header __RCD_RDNS_OB X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\boutbounds?[^a-z]/i
9478tflags __RCD_RDNS_OB nice
9479
9480header __RCD_RDNS_SMTP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bsmtps?[^a-z]/i
9481tflags __RCD_RDNS_SMTP nice
9482
9483header __RCD_RDNS_SMTP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*smtp/
9484tflags __RCD_RDNS_SMTP_MESSY nice
9485
9486header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\.edu\s/i
9487
9488meta __RCVD_DOTEDU_SHORT __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 )
9489
9490meta __RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI )
9491
9492header __RCVD_DOTGOV_EXT X-Spam-Relays-External =~ /\.gov\s/i
9493
9494header __RCVD_ZIXMAIL X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net /
9495
9496header __RDNS_LONG X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{30}/
9497
9498header __RDNS_NO_SUBDOM X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\.\w+ /
9499
9500header __RDNS_NUMERIC_TLD X-Spam-Relays-External =~ /\srdns=\S+\.\d+\s/
9501
9502header __RDNS_SHORT X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{4,14} /
9503
9504body __RECEIVE_BONUS /\byou(?:'ll)?(?: also| will)* (?:rec[ei]*ve|get|earn|collect|be (?:awarded|handed|remitted|given|paid|(?:greeted|welcomed|started) with)) (?:an? )?(?:gift|bonus|extra)(?: of|:)? \$[\d,]+/i
9505
9506header __RELAY_THRU_WWW Received =~ /from (?:[^ \@]+\@)?www\./
9507
9508body __RELEASE_MESSAGES /\b(?:release messages|(?:retrieve|release|download) your(?: undelivered|unreceived|held|pending)? e?-?mails|(?:e?-?mails|messages).{1,20}download them now)\b/i
9509
9510ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
9511 meta __REMOTE_IMAGE (__HTML_IMG_ONLY || __HTML_LINK_IMAGE) && !(__SUBSCRIPTION_INFO || __VIA_ML || __SENDER_BOT || __ANY_IMAGE_ATTACH)
9512endif
9513
9514if (version >= 3.004002)
9515ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9516header __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD')
9517endif
9518endif
9519
9520header __REPLYTO_NOREPLY Reply-To =~ /\bno-?reply@/i
9521
9522header __REPTO_419_FRAUD_AOL_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.|ljaber)|brownchurchill|c(?:hanprivacy|ristinabruno|ustom_service)|d(?:hodgkins|onald_anderson)|evelynjoshua|f(?:d\.|ernandezfernandez)|george_clifford|hernandezrosemary|k\.doreen|l(?:erynnewest|izcarroll)|m_l\.wanczyk|p(?:aulpollard|eterwong)|r(?:achel_wat|oyalpalace)|s(?:gt\.gillianj|pwalker)|usembassy|webank))\d+\@aol\.com$/i
9523
9524header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:a(?:bu(?:lkareem|shadi)|c(?:aalzz|e(?:alss|cere))|desilgon|l(?:an\.austin|ber\.yang|ex(?:ander(?:daisy|peterson)|hoffman)|ghafrij|lenholden|ure\.wawrenka)|m(?:ericadeliverycomapny|inaltwaijiri)|n(?:dyfox|na(?:llee|sigurlaug))|radka|s(?:hwestwood|ianbae)|tm(?:mastercard|office)|yevayawovi|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|r(?:\.charles|isterlordruben)|teld\.huisman))|bongo|e(?:linekra|n(?:ezero|jaminsarah))|ill\.lawrence|mwautomobile|oarddept|r(?:avolpaul|endalaporte|ianmoynih)|uffettwarrene)|c(?:a(?:mluba|reisu)|bnatm|elineroullier|h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|la(?:imadviser|xtonpaul)|o(?:l(?:\.fakhrialsalabi|inchrisweir|o(?:mbasjuan|nelsaad))|n(?:sultancy|tactad)|operation)|r(?:awfordgillies|istbrun?)|ustomerservicelacaixa)|d(?:a(?:nielzulu|v(?:i(?:d(?:\.loanfirm|ibe|larbi|pere|ramirez\.luis)|scarolyn|yax)|ychan))|e(?:btm|nnis(?:clark|quaid)|partmentofstate)|ipfrancis|ona(?:ldwilliam|tionhelpercare)|r(?:\.wilsonpaul|davidrhama|joesimon|ovieogor)|unsilva)|e(?:benezero|christina|dwinfreeman|l(?:i(?:bethgomez|sabethmaria|zabethedw)|otocashoffice)|m(?:ailpostlink|efieleg?|ilyrichmond)|renakgeorge|ssexlss)|f(?:\.mikhail|a(?:ithdesrie|tme\.mehmed)|blott|laurentdz|r(?:a(?:100dub|nc(?:espatrickconnolly|iscamendoza))|eelottosweepstake)|ulanlan)|g(?:00gleggewinner|a(?:brielkalia|ryakinson)|bill|e(?:neralwilliamstony|orgekwame|r(?:aldjhjh|tjanvlieghe))|iidp|l(?:enmoore|oriachow)|o(?:o(?:golteam|oglegwiinner)|vgodwinemefiele)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:old\.dia|ryebert)|sh(?:imyreem|mireem))|e(?:a(?:dofficecentre|therbrooeke)|ctor(?:castillos|scastillo))|gold|heba\.hhassan|ildad|o(?:lsemeyerole|nmackjohn|rnbeckmajordennis|seoky)|trryt)|i(?:bed|n(?:fo(?:98cbnoffice|aprl)|gridrolle|ternationallppp))|j(?:a(?:cobmaseon|mes(?:husmansdesk|okoh)|vierlesme)|e(?:ff(?:deandk|erydean)|ssikasingh)|imyang|o(?:e(?:dward|kendal)|hn(?:griffn|r(?:awlings|oxfordjr)|sonwilson|tanko|uba|walterlove|a)|nesandassociates|sephacevedo|ymrskone)|rawlings|uliet\.lee?)|k(?:a(?:lstromjames|malnizar|rabo\.ramala|t(?:hilittman|jamess|rinaziako))|e(?:lsawamelia|n(?:mckay|nedy\.sawadogo))|halidbuhazza|kasbu|rnkl|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:ndfair\.co\.uk|rynne(?:0west|west))|i(?:amfinchus|liane\.bettencourt|n(?:elink|glung)|xiungl?)|john|o(?:ttyoffice|u(?:ghreymargaret|isdreyfusmargarita))|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:ckoliver|incare|jor(?:dennishornbeck|townsend)|nuelfranco(?:foundation)?|r(?:i(?:ahhills|nacoleman|opabl)|k(?:roth|uses)|y(?:franson|jify00aaz))|s(?:onmanny|pencer)|ttwilly|urhinck|viswanczyk(?:(?:foundation|k))?)|c\.cheadychang|dredban|e(?:lvidabullock|nnss)|gfrederick|i(?:c(?:healwuu|w)|khai(?:\.fridman|lfridm))|k(?:ent|untjoro)|o(?:ham(?:edabdul|madraqab)|rienkal)|r(?:\.justinmaxwell|cjames|hanimuhammad|jamesmc|martine|paulfrank|richardanthony|s(?:\.(?:biyufungchi|susanread)|a(?:ishaalqadafi|ngela)|gracewoods|hamima|jackman|maureens|r(?:obinsanders|uthsmith)|sarahbenjamin))|s(?:agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|obuyuki\.hirano)|o(?:\.peace|fficerricherd|liviemorgan|vieogor)|p(?:\.compton|a(?:storfrancesco|ul(?:eed|n)|ymentofficer)|brookk|eter(?:\.waddell|guggi|kenin|stephen)|hillip\.richead|ieterstevens|resleybathini)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymond(?:aba|damon))|e(?:beccagarang|em(?:has(?:himy|m)|n)|plyback|v(?:\.jamesabel|frankjackson))|i(?:chardw(?:ahl|illis)|tawilliams)|o(?:berthanandez|naldmorris|s(?:a\.gomes|e(?:kipkalya|tam)))|t\.rev\.ericmark)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cottpeters|e(?:cretservicce|rgeantrobertbrown)|h(?:anemissler|e(?:ikhalmaktoum|ry(?:\.gtl|etr))|inawatrathaksin)|imlkheng|krause|ofia\.adams|peelman|sdt|tephentam|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:ay(?:ebsouami|lorcathy)|erryparkins|h(?:ailandbankoffice|e(?:ara\.choy|bigbiglottowinning|odorosloannis|resawilliams|smithfm))|imothymetheny|lyerdonald|o(?:mc(?:hrist|rist(?:(?:donation|foundation))?)|ny(?:\.chung|zimpro)|shikazusendo))|u(?:marukareem|n(?:claimedfunds|itednation(?:organization|s))|sdepartmentofjustice)|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut))|w(?:a(?:dp|hlr(?:ichard)?|nczykm)|i(?:ge|ll(?:iamrobert|update))|u(?:\.office|mt)|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo)|z(?:enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i
9525
9526header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|gaaintl\-4g5ee\.w|lesiakalina|nn(?:awax|hester\.usa))|b(?:a(?:nk\.phbng|rr(?:ister\.dennis|lawrencefubara))|en(?:jaminb|nicholas)|riceangela)|c(?:\.(?:aroline|coulibaly)|h(?:arlesscharf|jackson)|juan|ollins(?:mattew|wayne)|ythiamiller\.un)|d(?:hamilton|i(?:aanesoto|plomaticagent))|f(?:aizaadama|ederal\.r)|graham\.eddie|infobank|j(?:\.edwards|a(?:ckson\.davis|netemoon)|kimyong)|k(?:elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|ge|hman)|isarobinson_|y_cheapiseth)|m(?:arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye)|rkellyayi|unny(?:\.sopheap|_sopheap))|n(?:estordaniel|orahuz)|o(?:fficial_franksylvester|legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|i(?:chard\.w|taadamsw)|o(?:b(?:ertbailey|orts)|serichard))|s(?:amthong|igurlauganna|leo|mithcolin|pwalker|tevecox\.)|tylerhess\.|u(?:butu|kdebtmanagement)|vanserge|will(?:clark|iamsimon)|xianglongdai))\d+\@yahoo\.com$/i
9527
9528header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i
9529
9530header __REPTO_RUS_FREEM Reply-To =~ /\@mail\.ru/i
9531
9532if !((version >= 3.003000))
9533 meta __RP_MATCHES_RCVD 0
9534endif
9535
9536if (version >= 3.003000)
9537if !plugin(Mail::SpamAssassin::Plugin::WLBLEval)
9538 meta __RP_MATCHES_RCVD 0
9539endif
9540endif
9541
9542if (version >= 3.003000)
9543ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9544 header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
9545endif
9546endif
9547
9548body __SCAM /\bscam(?:m?e[dr])?s?\b/i
9549
9550body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i
9551
9552header __SENDER_BOT ALL =~ /(?:not?\W?repl[yi]|bounce|contact|daemon|subscri|report|respon[ds]e?r?s?\b|\b(?:root|news|nobody|agent|(?:post|web)?master|manag|send(?:er|ing)?|out|(?:bot|web|www)\b))[^\@ >]{0,5}s?\@\w/i
9553tflags __SENDER_BOT nice
9554
9555uri __SENDGRID_REDIR m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=,
9556
9557meta __SENDGRID_REDIR_NOPHISH __SENDGRID_REDIR && !__SENDGRID_REDIR_PHISH
9558
9559meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || T_FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ )
9560
9561body __SHARE_IT /\b(?:(?:share|allocate|teilen|parteger(?:ez|ons)?|partage)\s(?:th(?:e|is)|das|les?|des)\s(?:proceeds|funds?|money|balance|account|geld|compte|fonds)|partager(?:ez|ons)? (?:avec (?:vous|moi)|ratio|suivant un pourcentage))\b/i
9562
9563meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY
9564
9565meta __SHORTENER_SHORT_SUBJ __URL_SHORTENER && __SUBJ_SHORT
9566
9567uri __SHORT_URL /^https?:\/\/[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/
9568
9569body __SINGLE_WORD_LINE /^\s?\S{1,60}\s?$/
9570tflags __SINGLE_WORD_LINE multiple maxhits=2
9571
9572header __SINGLE_WORD_SUBJ Subject =~ /^\s*\S{1,60}\s*$/
9573
9574header __SMIME_MESSAGE Content-Type =~ /application\/pkcs7-mime;/i
9575
9576rawbody __SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/
9577tflags __SPAN_BEG_TEXT multiple maxhits=5
9578
9579rawbody __SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/
9580tflags __SPAN_END_TEXT multiple maxhits=5
9581
9582if !plugin(Mail::SpamAssassin::Plugin::SPF)
9583 meta __SPF_FULL_PASS 0
9584endif
9585
9586ifplugin Mail::SpamAssassin::Plugin::SPF
9587 meta __SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS)
9588 tflags __SPF_FULL_PASS net
9589endif
9590
9591if !plugin(Mail::SpamAssassin::Plugin::SPF)
9592 meta __SPF_RANDOM_SENDER 0
9593endif
9594
9595ifplugin Mail::SpamAssassin::Plugin::SPF
9596 meta __SPF_RANDOM_SENDER (SPF_HELO_PASS && !SPF_PASS)
9597 tflags __SPF_RANDOM_SENDER net
9598endif
9599
9600meta __SPOOFED_FREEMAIL !__NOT_SPOOFED && FREEMAIL_FROM
9601tflags __SPOOFED_FREEMAIL net
9602
9603meta __SPOOFED_FREEM_REPTO __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO
9604tflags __SPOOFED_FREEM_REPTO net
9605
9606rawbody __SPOOFED_URL m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i
9607
9608meta __STATIC_XPRIO_OLE __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE
9609
9610body __STAY_HOME /\b(?:going out of|leaving)(?: your)? (?:home|house|residence)\b/i
9611
9612body __STOCK_TIP /\bsto[ck]{2}\s?tip\b/i
9613
9614if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9615 rawbody __STY_INVIS /\bstyle\s*=\s*"[^">]{0,80}(?:(?<!-)visibility\s*:\s*hidden\s*|display\s*:\s*none\s*)[;"!]/i
9616 tflags __STY_INVIS multiple maxhits=6
9617endif
9618
9619if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9620 meta __STY_INVIS_1 __STY_INVIS == 1
9621endif
9622
9623if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9624 meta __STY_INVIS_1_MINFP __STY_INVIS_1 && !MIME_QP_LONG_LINE && !__MOZILLA_MSGID && !__FROM_ADDRLIST_PAYPAL
9625endif
9626
9627if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9628 meta __STY_INVIS_2 __STY_INVIS > 1
9629endif
9630
9631if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9632 meta __STY_INVIS_3 __STY_INVIS > 2
9633endif
9634
9635if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9636 meta __STY_INVIS_DIRECT __STY_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED
9637endif
9638
9639if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9640 meta __STY_INVIS_MANY __STY_INVIS > 5
9641endif
9642
9643header __SUBJECT_EMPTY Subject:raw =~ /^\s*$/
9644
9645meta __SUBJECT_PRESENT_EMPTY __HAS_SUBJECT && __SUBJECT_EMPTY
9646
9647header __SUBJ_ADMIN Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i
9648
9649meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU
9650
9651header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/
9652tflags __SUBJ_BROKEN_WORD multiple maxhits=2
9653
9654meta __SUBJ_DOM_ADMIN __SUBJ_ADMIN && __PDS_FROM_NAME_TO_DOMAIN
9655
9656header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,:\s\n]/ism
9657
9658header __SUBJ_HAS_TO_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
9659
9660header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
9661
9662header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism
9663
9664header __SUBJ_NOT_SHORT Subject =~ /^.{16}/
9665
9666header __SUBJ_OBFU_PUNCT Subject =~ /(?:[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|(?:[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z](?![a-z])))/i
9667tflags __SUBJ_OBFU_PUNCT multiple maxhits=4
9668
9669header __SUBJ_RE Subject =~ /^(?:R[eE]|S[vV]|V[sS]|A[wW]):/
9670
9671header __SUBJ_SHORT Subject =~ /^.{0,8}$/
9672
9673header __SUBJ_UNNEEDED_HTML Subject =~ /%[0-9a-f][0-9a-f]/i
9674tflags __SUBJ_UNNEEDED_HTML multiple maxhits=3
9675
9676header __SUBJ_USB_DRIVES Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/
9677
9678body __SUBSCRIPTION_INFO /\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/i
9679tflags __SUBSCRIPTION_INFO nice
9680
9681body __SUM_OF_FUND /\b(?:sum|release|freigabe)\s(?:of|der)\s(?:amount|fund|investment|mittel)\b/i
9682
9683body __SURVEY /\bsurvey\b/i
9684
9685body __SURVIVORS /\b(?:widow|son|daughter|husband|wife|brother|sister|attorney|vi(?:=FA|[\xfa]|[\xc3][\xba])va|esposa|veuve)\s(?:of|to|do|de)\s(?:the\s)?(?:late|falecido|finales|feu|d(?:e|=E9|[\xe9]|[\xc3][\xa9])funt|mr\.?)\s\w+\b/i
9686
9687body __SUSPICION_LOGIN /\bsuspicion login\b/i
9688
9689body __SYSADMIN /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management|security|admin(?:istrat(?:or|ion))?) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i
9690
9691header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/
9692
9693rawbody __TENWORD_GIBBERISH /^\s*(?:[a-z]+\s+){10}\.$/m
9694tflags __TENWORD_GIBBERISH multiple maxhits=21
9695
9696body __THEY_INHERIT /\b(?:inherit\sth(?:e|is)\smoney|herede\sest[ea]\sdinero)\b/i
9697
9698body __THIS_AD /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i
9699
9700meta __THREADED (!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF)
9701tflags __THREADED nice
9702
9703header __THREAD_INDEX_GOOD Thread-Index =~ m,^A[a-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==|[A-Za-z0-9+/]{7}|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$,
9704
9705header __TO_ALL_NUMS To:addr =~ /^\d+@/
9706
9707meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX
9708
9709meta __TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE
9710
9711meta __TO_EQ_FM_DOM_HTML_ONLY __TO_EQ_FROM_DOM && MIME_HTML_ONLY
9712
9713if !plugin(Mail::SpamAssassin::Plugin::SPF)
9714 meta __TO_EQ_FM_DOM_SPF_FAIL 0
9715endif
9716
9717ifplugin Mail::SpamAssassin::Plugin::SPF
9718 meta __TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FROM_DOM && SPF_FAIL
9719 tflags __TO_EQ_FM_DOM_SPF_FAIL net
9720endif
9721
9722meta __TO_EQ_FM_HTML_ONLY __TO_EQ_FROM && MIME_HTML_ONLY
9723
9724if !plugin(Mail::SpamAssassin::Plugin::SPF)
9725 meta __TO_EQ_FM_SPF_FAIL 0
9726endif
9727
9728ifplugin Mail::SpamAssassin::Plugin::SPF
9729 meta __TO_EQ_FM_SPF_FAIL __TO_EQ_FROM && SPF_FAIL
9730 tflags __TO_EQ_FM_SPF_FAIL net
9731endif
9732
9733meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2)
9734describe __TO_EQ_FROM To: same as From:
9735
9736header __TO_EQ_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
9737
9738header __TO_EQ_FROM_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
9739
9740meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2)
9741describe __TO_EQ_FROM_DOM To: domain same as From: domain
9742
9743header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+[^\n]+@\1[>,\s\n]/ism
9744
9745header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+[^\n]+@\1[>,\s\n]/ism
9746
9747meta __TO_EQ_FROM_USR (__TO_EQ_FROM_USR_1 || __TO_EQ_FROM_USR_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)
9748describe __TO_EQ_FROM_USR To: username same as From: username
9749
9750header __TO_EQ_FROM_USR_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism
9751
9752header __TO_EQ_FROM_USR_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism
9753
9754meta __TO_EQ_FROM_USR_NN (__TO_EQ_FROM_USR_NN_1 || __TO_EQ_FROM_USR_NN_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)
9755describe __TO_EQ_FROM_USR_NN To: username same as From: username sans trailing nums
9756
9757header __TO_EQ_FROM_USR_NN_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism
9758
9759header __TO_EQ_FROM_USR_NN_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism
9760
9761meta __TO_EQ_FROM_USR_NN_MINFP __TO_EQ_FROM_USR_NN && !__TO_EQ_FROM_USR_1 && !__TO_EQ_FROM && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__DKIM_EXISTS && !__NOT_SPOOFED && !__RCD_RDNS_SMTP && !__RCD_RDNS_MX_MESSY && !__THREADED
9762
9763meta __TO_IN_SUBJ (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3)
9764
9765header __TO_NO_ARROWS_R To !~ /(?:>$|>,)/
9766
9767if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
9768 meta __TO_NO_BRKTS_FREEMAIL 0
9769endif
9770
9771ifplugin Mail::SpamAssassin::Plugin::FreeMail
9772 meta __TO_NO_BRKTS_FREEMAIL __TO_NO_ARROWS_R && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
9773endif
9774
9775meta __TO_NO_BRKTS_FROM_RUNON __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && __FROM_RUNON
9776
9777meta __TO_NO_BRKTS_HTML_IMG __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMG
9778
9779meta __TO_NO_BRKTS_HTML_ONLY __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLY
9780
9781meta __TO_NO_BRKTS_MSFT __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
9782
9783meta __TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_HTML_ONLY && RDNS_NONE
9784
9785meta __TO_NO_BRKTS_PCNT __TO_NO_ARROWS_R && __FB_NUM_PERCNT
9786
9787meta __TO_TOO_MANY_WFH_01 __TO_WAY_TOO_MANY && __WFH_01
9788
9789header __TO_UNDISCLOSED To =~ /\b(?:undisclosed[-\s]recipients|destinataires inconnus|destinatari nascosti)\b/i
9790
9791header __TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,90}){50}/
9792
9793body __TO_YOUR_ACCT /\b(?:(?:f[uo]nds|money|f[uo]ndo|dinheiro|bank)\s(?:\w{1,10}\s){0,4}(?:transfer(?:red)?|transferido|sont)|\d+)\s(?:to|para|en)\s(?:your?|sua|votre)\s(?:account|conta|pos+es+ion)/i
9794
9795body __TO_YOUR_ORG /\b(?:to|for) your organi[sz]ation\b/i
9796
9797header __TO___LOWER ALL =~ /to:\s\S{5}/
9798
9799body __TRANSFORM_LIFE /\b(transform|change) your (?:daily )?life(?:style)?\b/i
9800
9801body __TRAVEL_AGENT /\btravel\sagen(?:t|cy)\b/i
9802
9803body __TRAVEL_BUSINESS /\bbusiness\stravel\b/i
9804
9805body __TRAVEL_ITINERARY /(?:travel|ticketed|your|current) itinerary/i
9806
9807meta __TRAVEL_MANY (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2
9808
9809body __TRAVEL_PROFILE /\btravel+er\sprofile\b/i
9810
9811body __TRAVEL_RESERV /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i
9812
9813body __TRTMT_DEFILED /\bdefiled\sall\s(?:forms\sof\s)?(?:medical\s)?treatments?\b/i
9814
9815body __TRUNK_BOX /\b(?:(?:trunk|metallic|proof|security|consignment)\sbox(?:es)?|sealed\ssafe|une mallette m(?:e|=E9|[\xe9]|[\xc3][\xa9])tallique)\b/i
9816
9817body __TRUSTED_CHECK /\b(?:cashier'?s?|certified)\sche(?:ck|que)/i
9818
9819header __TT_BROKEN_VALIUM Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i
9820
9821header __TT_BROKEN_VIAGRA Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i
9822
9823header __TT_OBSCURED_VALIUM Subject =~ /(v|V|\\\/)(a|A|\(a\)|4|@)(l|L|\|)(i|I|1|\xef|\|)(u|U|\(u\))(m|M)/
9824
9825header __TT_OBSCURED_VIAGRA Subject =~ /(v|V|\\\/)(i|I|1|\xef|\|)(a|A|\(a\)|4|@)(g|G)(r|R)(a|A|\(a\)|4|@)/
9826
9827header __TT_VALIUM Subject =~ /VALIUM/i
9828
9829header __TT_VIAGRA Subject =~ /VIAGRA/i
9830
9831ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9832mimeheader __TVD_FW_GRAPHIC_ID1 Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/
9833endif
9834
9835ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9836mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i
9837endif
9838
9839ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9840mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i
9841endif
9842
9843ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9844mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i
9845endif
9846
9847ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9848mimeheader __TVD_OUTLOOK_IMG Content-Id =~ /<image\d+\.(?:gif|jpe?g|png)\@/
9849endif
9850
9851body __TVD_PH_BODY_01 /\baccount .{0,20}placed? [io]n restricted status/i
9852
9853body __TVD_PH_BODY_02 /\brecords (?:[a-z_,-]+ )+?(?:feature|(?:a|re)ward)/i
9854
9855body __TVD_PH_BODY_03 /\byou(?:'ve| have) been (?:[a-z_,-]+ )+?payment/i
9856
9857body __TVD_PH_BODY_04 /\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/i
9858
9859body __TVD_PH_BODY_05 /\bthis is (?:[a-z_,-]+ )+?protect (?:[a-z_,-]+ )+?your/i
9860
9861body __TVD_PH_BODY_06 /Dear [a-z]+ bank (?:member|customer)/i
9862
9863body __TVD_PH_BODY_07 /\bguarantee the safety of your (?:[a-z_,-]+ )*?account/i
9864
9865body __TVD_PH_BODY_08 /\bmultiple password failures/i
9866
9867body __TVD_PH_BODY_ACCOUNTS_POST /\b(?:(?:[dr]e-?)?activat[a-z]*|(?:re-?)?validate|secure|restore|confirm|update|suspend) (?!your)(?:[a-z_,-]+ )+?accounts?\b/i
9868
9869body __TVD_PH_BODY_ACCOUNTS_PRE /\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i
9870
9871meta __TVD_PH_BODY_META __TVD_PH_BODY_01 || __TVD_PH_BODY_02 || __TVD_PH_BODY_03 || __TVD_PH_BODY_04 || __TVD_PH_BODY_05 || __TVD_PH_BODY_06 || __TVD_PH_BODY_07 || __TVD_PH_BODY_08
9872
9873header __TVD_PH_SUBJ_00 Subject =~ /\brewards? survey\b/i
9874
9875header __TVD_PH_SUBJ_02 Subject =~ /\byour payment has been sent\b/i
9876
9877header __TVD_PH_SUBJ_04 Subject =~ /\baccounts? profile\b/i
9878
9879header __TVD_PH_SUBJ_15 Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i
9880
9881header __TVD_PH_SUBJ_17 Subject =~ /\bremove limitations?\b/i
9882
9883header __TVD_PH_SUBJ_18 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i
9884
9885header __TVD_PH_SUBJ_19 Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i
9886
9887header __TVD_PH_SUBJ_29 Subject =~ /^notice(?::|[\s\W]*$)/i
9888
9889header __TVD_PH_SUBJ_31 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i
9890
9891header __TVD_PH_SUBJ_36 Subject =~ /\bconsumer notice\b/i
9892
9893header __TVD_PH_SUBJ_37 Subject =~ /\bvalued member[a-z]*\b/i
9894
9895header __TVD_PH_SUBJ_38 Subject =~ /\bonline bank[a-z]*\b/i
9896
9897header __TVD_PH_SUBJ_39 Subject =~ /\bonline department\b/i
9898
9899header __TVD_PH_SUBJ_41 Subject =~ /\bunusual activity\b/i
9900
9901header __TVD_PH_SUBJ_52 Subject =~ /\b(?:account|online) profile\b/i
9902
9903header __TVD_PH_SUBJ_54 Subject =~ /\bun-?authorized access(?:es)?\b/i
9904
9905header __TVD_PH_SUBJ_56 Subject =~ /\brespond now\b/i
9906
9907header __TVD_PH_SUBJ_58 Subject =~ /\bbilling service\b/i
9908
9909header __TVD_PH_SUBJ_59 Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i
9910
9911header __TVD_PH_SUBJ_ACCESS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i
9912
9913meta __TVD_PH_SUBJ_META __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST
9914
9915meta __TVD_SPACE_ENCODED (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED)
9916
9917if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
9918 meta __TVD_SPACE_RATIO 0
9919endif
9920
9921header __TVD_SUBJ_NUM_OBFU Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i
9922
9923meta __T_PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512 || __PDS_QP_512)
9924
9925header __UA_GNUS User-Agent =~ /^Gnus/
9926
9927header __UA_KMAIL User-Agent =~ /^KMail/
9928
9929header __UA_KNODE User-Agent =~ /^KNode/
9930
9931header __UA_MOZ5 User-Agent =~ /^Mozilla\/5/
9932
9933header __UA_MSOEMAC User-Agent =~ /^Microsoft-Outlook-Express-Mac/
9934
9935header __UA_MSOMAC User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/
9936
9937header __UA_MUTT User-Agent =~ /^Mutt/
9938
9939header __UA_OPERA7 User-Agent =~ /^Opera7/
9940
9941header __UA_PAN User-Agent =~ /^Pan/
9942
9943header __UA_XNEWS User-Agent =~ /^Xnews/
9944
9945body __UC_GIBB_OBFU /\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/
9946tflags __UC_GIBB_OBFU multiple maxhits=2
9947
9948body __UN /\bunited\snations?\b/i
9949
9950meta __UNDISC_FREEM __TO_UNDISCLOSED && __freemail_replyto
9951
9952meta __UNDISC_MONEY __TO_UNDISCLOSED && (__ADVANCE_FEE_2_NEW || LOTS_OF_MONEY)
9953
9954if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9955 body __UNICODE_OBFU_ASC /[a-z0-9\s](?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9]{1,8}(?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9\s]/i
9956 tflags __UNICODE_OBFU_ASC multiple maxhits=10
9957endif
9958
9959if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9960 meta __UNICODE_OBFU_ASC_MANY __UNICODE_OBFU_ASC > 9
9961endif
9962
9963if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9964 body __UNICODE_OBFU_ZW /[a-z0-9\s](?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+[a-z0-9\s]/i
9965 tflags __UNICODE_OBFU_ZW multiple maxhits=10
9966endif
9967
9968if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9969 meta __UNICODE_OBFU_ZW_10 __UNICODE_OBFU_ZW > 9
9970endif
9971
9972if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9973 meta __UNICODE_OBFU_ZW_2 __UNICODE_OBFU_ZW > 1
9974endif
9975
9976if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9977 meta __UNICODE_OBFU_ZW_3 __UNICODE_OBFU_ZW > 2
9978endif
9979
9980if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9981 meta __UNICODE_OBFU_ZW_5 __UNICODE_OBFU_ZW > 4
9982endif
9983
9984body __UNSUB_EMAIL /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b[-a-z_0-9.+=]{0,60}\@[a-z0-9][-a-z_0-9.]{4,20}(?:[^a-z_0-9.-]|$)/i
9985tflags __UNSUB_EMAIL nice
9986
9987uri __UNSUB_LINK /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b/i
9988tflags __UNSUB_LINK nice
9989
9990body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:(?:[hw]as|and)\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage|you (?:have )?(?:failed|refused) to up(?:date|grade))\b/i
9991
9992uri __UPPERCASE_URI /^[^:A-Z]+[A-Z]/
9993
9994uri __URI_12LTRDOM m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i
9995
9996uri __URI_ADOBESPARK m,https?://branchlink\.adobespark\.com/,i
9997
9998uri __URI_AZURE_CLOUDAPP m,://(?:[^./]+\.)+cloudapp\.azure\.com/,
9999
10000uri __URI_DASHGOVEDU m,://[^/]*-(?:gov|edu)\.com/,i
10001
10002uri __URI_DATA /^data:(?!image\/)[a-z]/i
10003
10004uri __URI_DBL_DOM m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i
10005
10006uri __URI_DOM_DOTDOT m,://[^/]+\.\.,
10007
10008uri __URI_DOTEDU m;^https?://(?:[^./]+\.)+edu/;i
10009
10010meta __URI_DOTEDU_ENTITY __URI_DOTEDU && __AC_HTML_ENTITY_BONANZA_SHRT_RAW
10011
10012uri __URI_DOTGOV m;^https?://(?:[^./]+\.)+gov/;i
10013
10014uri __URI_DOTTY_HEX /(?:\.[0-9a-f]{2}){30}/
10015
10016uri __URI_DQ_UNSUB m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i
10017
10018uri __URI_FIREBASEAPP m,://[^./]+\.firebaseapp\.com/,
10019
10020uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:[^&]+&)*(?:id|formkey|usp)=|document/),i
10021
10022uri __URI_GOOGLE_DRV m,^https?://(?:drive\.google|googledrive)\.com/,i
10023
10024uri __URI_GOOGLE_PROXY m;^https?://[^.]+\.googleusercontent\.com/proxy/;i
10025
10026uri __URI_GOOG_STO_HTML m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.html?(?:$|\?),i
10027tflags __URI_GOOG_STO_HTML multiple maxhits=5
10028
10029uri __URI_GOOG_STO_IMG m,^https?://storage\.googleapis\.com/.*\.(?:png|jpe?g|gif)$,i
10030tflags __URI_GOOG_STO_IMG multiple maxhits=5
10031
10032uri __URI_HEX_IP m;://0x[0-9A-F]{8,}[:/];i
10033
10034uri __URI_IMG_ALICDN m,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g|gif|png),i
10035
10036uri __URI_IMG_AMAZON m,://[^/?]+\.(?:ssl-)?images-amazon\.com/,i
10037
10038uri __URI_IMG_CHANNYPIC m,://www\.channypicture\.com/pic/,i
10039
10040uri __URI_IMG_EBAY m,://[^/?]+\.ebayimg\.com/,i
10041
10042uri __URI_IMG_JOOMCDN m,://img\.joomcdn\.net/,i
10043
10044uri __URI_IMG_NEWEGG m,://[^/?]+\.neweggimages\.com/,i
10045
10046uri __URI_IMG_SHOPIFY m,://cdn\.shopify\.com/.+\.(?:jpe?g|gif|png),i
10047
10048uri __URI_IMG_STATICBG m,://imgaz\.staticbg\.com/images/,i
10049
10050uri __URI_IMG_WALMART m,://[^/?]+\.walmartimages\.com/,i
10051
10052uri __URI_IMG_WISH m,://contestimg\.wish\.com/,i
10053
10054uri __URI_IMG_WP_REDIR m;://i[02]\.wp\.com/.*\.(?:jpe?g|gif|png)$;i
10055
10056uri __URI_IMG_YTIMG m,://[^/?]+\.ytimg\.com/,i
10057
10058uri __URI_LONG_REPEAT m;(?:://|@)(?:\w+\.)*(\w{10,}\.)\1;i
10059
10060uri __URI_MAILTO /^mailto:/i
10061tflags __URI_MAILTO multiple maxhits=16
10062
10063uri __URI_MONERO /buy-monero/i
10064
10065meta __URI_ONLY_MSGID_MALF __BODY_URI_ONLY && __MSGID_NOFQDN2
10066
10067meta __URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH)
10068
10069uri __URI_PHP_REDIR m;/redirect\.php\?;i
10070
10071uri __URI_TRY_USME m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i
10072
10073uri __URI_WEBAPP m,://[^./]+\.web\.app/,
10074
10075uri __URI_WPADMIN m,/wp-admin/\w+/,i
10076
10077uri __URI_WPCONTENT m,/wp-content/.*\.(?:php|html?)\b,i
10078
10079uri __URI_WPDIRINDEX m,/wp-(?:content|includes)/.*/$,i
10080
10081uri __URI_WPINCLUDES m,/wp-includes/.*\.(?:php|html?)\b,i
10082
10083uri __URL_BTC_ID m;[/.](?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})(?:/|$);
10084
10085uri __URL_LTC_ID m;[/.][LM3][a-km-zA-HJ-NP-Z1-9]{26,33}(?:/|$);
10086
10087uri __URL_SHORTENER /^https?:\/\/(?:bit\.ly|bit\.do|buff\.ly|tinyurl\.com|ow\.ly|owl\.li|is\.gd|tumblr\.com|mysp\.ac|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|goo\.io|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|ecs\.page\.link|cc\.uz|smarturl\.it|s\.apache\.org)\/[^\/]{3}\/?/
10088
10089header __USING_VERP1 Return-Path =~ /[+-].*=/
10090
10091header __VACATION Subject =~ /\b(?:vacatio|away|out.of.offic|auto.?re|confirm)/i
10092tflags __VACATION nice
10093
10094body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails))\b/i
10095tflags __VALIDATE_MAILBOX multiple maxhits=2
10096
10097body __VALIDATE_MBOX_SE /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i
10098
10099body __VERIFY_ACCOUNT /(?:confirm|updated?|verif(?:y|ied)) (?:your|the) (?:(?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)|"?[^\@\s]+\@\S+"? (?:account|mail ?box)|confirm verification|verify k?now|Ihre Angaben .berpr.ft und best.tigt)/i
10100tflags __VERIFY_ACCOUNT multiple maxhits=2
10101
10102meta __VFY_ACCT_NORDNS __VERIFY_ACCOUNT && __RDNS_NONE
10103
10104if (version >= 3.004002)
10105ifplugin Mail::SpamAssassin::Plugin::WLBLEval
10106header __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i
10107endif
10108endif
10109
10110meta __WALMART_IMG_NOT_RCVD_WAL __URI_IMG_WALMART && !__HDR_RCVD_WALMART
10111
10112body __WEBMAIL_ACCT /\byour web ?mail account/i
10113
10114body __WE_PAID /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i
10115
10116meta __WFH_01 ( __PERFECT_BINARY + __WE_PAID + __MAKE_XTRA_DOLLAR + __BONUS_LAST_DAY + __PASSIVE_INCOME + __WITHOUT_EFFORT + __TRANSFORM_LIFE + __STAY_HOME + __RECEIVE_BONUS ) > 2
10117
10118body __WIDOW /\b(?:widow(?:e[rd])'?s?|veuve)\b/i
10119
10120body __WILL_LEGAL /\b(?:codicil|last\stestament|probate|executor|intestate|bequest|mandamus)\b/i
10121
10122body __WIRE_XFR /\b(?:wire|telegraph(?:ic)?|bank)\s?transfer/i
10123
10124body __WITHOUT_EFFORT /\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great| special| extra)? effort\b/i
10125
10126if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
10127 rawbody __WORD_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|in|pc|em|ex|ch|rem|lh|vmax))\s*[;'a-z]|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w{1,20}</i
10128 tflags __WORD_INVIS multiple maxhits=6
10129endif
10130
10131if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
10132 meta __WORD_INVIS_2 __WORD_INVIS > 1
10133endif
10134
10135if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
10136 meta __WORD_INVIS_5 __WORD_INVIS > 5
10137endif
10138
10139if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
10140 meta __WORD_INVIS_MINFP __WORD_INVIS && !__SURVEY && !MIME_QP_LONG_LINE && !__FB_TOUR && !__MSGID_GUID
10141endif
10142
10143header __XEROXWORKCTR_MUA X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/
10144
10145meta __XFER_LOTSA_MONEY __XFER_MONEY && LOTS_OF_MONEY
10146
10147meta __XFER_MONEY (__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT || __MOVE_MONEY || __TO_YOUR_ACCT || __PAY_YOU || __GIVE_MONEY)
10148
10149header __XM_APPLEMAIL X-Mailer =~ /^Apple Mail/
10150
10151header __XM_BALSA X-Mailer =~ /^Balsa \d/
10152
10153header __XM_CALYPSO X-Mailer =~ /^Calypso/
10154
10155header __XM_DIGITS_ONLY X-Mailer =~ /^\s*\d+\s*$/
10156
10157header __XM_FORTE X-Mailer =~ /^Forte Agent \d/
10158
10159header __XM_GNUS X-Mailer =~ /^Gnus v/
10160
10161header __XM_IPHONEMAIL X-Mailer =~ /^iPhone Mail \([0-9A-F]{4,8}\)/
10162
10163header __XM_LIGHT_HEAVY X-Mailer =~ /\b(?:light|(?<!::)lite|standard|business|pro(?:fessional)?|educational|personal)\b/i
10164
10165header __XM_MHE X-Mailer =~ /^mh-e \d/
10166
10167header __XM_MOZ4 X-Mailer =~ /^Mozilla 4/
10168
10169header __XM_MSOE5 X-Mailer =~ /^Microsoft Outlook Express 5/
10170
10171header __XM_MSOE6 X-Mailer =~ /^Microsoft Outlook Express 6/
10172
10173header __XM_MS_IN_GENERAL X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/
10174
10175header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/
10176
10177header __XM_OL_28001441 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/
10178
10179header __XM_OL_28004682 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/
10180
10181header __XM_OL_48072300 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/
10182
10183header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/
10184
10185header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/
10186
10187header __XM_PHPMAILER_FORGED X-Mailer =~ /PHPMailer\s.*version\D+$/
10188
10189header __XM_RANDOM X-Mailer =~ /q(?!q?mail|boxmail|\d|[-\w]*=+;)[^u]/i
10190
10191header __XM_SKYRI X-Mailer =~ /^SKYRiXgreen/
10192
10193header __XM_SQRLMAIL X-Mailer =~ /^SquirrelMail/
10194
10195header __XM_SYLPHEED X-Mailer =~ /^Sylpheed/
10196
10197header __XM_UC_ONLY X-Mailer =~ /^[^a-z]+$/
10198
10199header __XM_VM X-Mailer =~ /^VM \d/
10200
10201header __XM_WWWMAIL X-Mailer =~ /^WWW-Mail \d/
10202
10203header __XM_XIMEVOL X-Mailer =~ /^Ximian Evolution/
10204
10205meta __XPRIO_MINFP __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT && !__L_BODY_8BITS
10206
10207meta __XPRIO_SHORT_SUBJ __XPRIO_MINFP && __SUBJ_SHORT
10208
10209body __YOUR_BANK /\byour?\s(?:full\s)?bank(?:ing)?\sinformations?\b/i
10210
10211body __YOUR_CONSIGNMENT /\b(?:received?|pa(?:y|id)|sen[dt]|h[oe]ld|delay(?:ed)?|impound(?:ed)?|released?|ship(?:ped)?)\syour(?:\s\w+)?\sconsignment\b/i
10212
10213body __YOUR_FUND /\b(?:your|ihr)\s(?:unpaid\s|win+ing\s|ap+roved\s|foreign\s|overdue\s|outstanding\s|contract\s|inheritance\s|nicht\sausbezahlten\s){0,3}(?:fund|f\su\sn\sd|payment|geld)\b/i
10214
10215if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
10216 body __YOUR_ONAN /\b(?:your?|ihrer)\s(?:ma+s+t+[ur]+b+a+t+(?:ion|ing|e)(?:svideo)?|onanism|solitary\ssex|hand\sfucking|Selbstbefriedigung|(?:pleasur(?:e|ing)|satisfy(?:ing)?)\syourself)\b/i
10217endif
10218
10219ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
10220 body __YOUR_ONAN /(?:^|\s)(?:<Y><O><U><R>?|<I><H><R><E><R>)\s(?:<M>+<A>+<S>+<T>+(?:<U>|<R>)+<B>+<A>+<T>+(?:<I><O><N>|<I><N><G>|<E>)(?:<S><V><I><D><E><O>)?|<O><N><A><N><I><S><M>|<S><O><L><I><T><A><R><Y>\s<S><E><X>|<H><A><N><D>\s<F><U><C><K><I><N><G>|<S><E><L><B><S><T><B><E><F><R><I><E><D><I><G><U><N><G>|(?:<P><L><E><A><S><U><R>(?:<E>|<I><N><G>)|<S><A><T><I><S><F><Y>(?:<I><N><G>)?)\s<Y><O><U><R><S><E><L><F>)/i
10221endif
10222
10223if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
10224 body __YOUR_PASSWORD /\b(?:your|(?:change|modify|update|reset|alter|fix)\sthe)\s(?:account\s|e-?mail\s)?(?:pass[-\s_]?word|pswd)\b/i
10225endif
10226
10227ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
10228 body __YOUR_PASSWORD /(?:^|\s)(?:<Y><O><U><R>|(?:<C><H><A><N><G><E>|<M><O><D><I><F><Y>|<U><P><D><A><T><E>|<R><E><S><E><T>|<A><L><T><E><R>|<F><I><X>)\s<T><H><E>)\s(?:<A><C><C><O><U><N><T>\s|<E>-?<M><A><I><L>\s)?(?:<P><A><S><S>[-\s_]?<W><O><R><D>|<P><S><W><D>\s)/i
10229endif
10230
10231body __YOUR_PERM /\byour\spermission\b/i
10232
10233if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
10234 body __YOUR_PERSONAL /\b(?:your\s(?:personal|private|social\scontact|address|friends)\s(?:info(?:rmation)?|data|details|book|secrets)|all\s(?:of\s)?your\s(?:files|contacts|secrets|correspondence))\b/i
10235endif
10236
10237ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
10238 body __YOUR_PERSONAL /(?:^|\s)(?:<Y><O><U><R>\s(?:<P><E><R><S><O><N><A><L>|<P><R><I><V><A><T><E>|<S><O><C><I><A><L>\s<C><O><N><T><A><C><T>|<A><D><D><R><E><S><S>|<F><R><I><E><N><D><S>)\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>|<D><E><T><A><I><L><S>|<B><O><O><K>|<S><E><C><R><E><T><S>)|<A><L><L>\s(?:<O><F>\s)?<Y><O><U><R>\s(?:<F><I><L><E><S>|<C><O><N><T><A><C><T><S>|<S><E><C><R><E><T><S>|<C><O><R><R><E><S><P><O><N><D><E><N><C><E>))[\s\.,]/i
10239endif
10240
10241body __YOUR_PROFIT /\byour?\sprofit/i
10242
10243if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
10244 body __YOUR_WEBCAM /\b(?:from|your|with|and|on)\s(?:(?:screen|desktop|microphone)\sand\s|own\s)?(?:web[-\s]?|front[-\s]?|network\s|your\s)camer+a/i
10245endif
10246
10247ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
10248 body __YOUR_WEBCAM /(?:^|\s)(?:<F><R><O><M>|<Y><O><U><R>|<W><I><T><H>|<A><N><D>|<O><N>)\s(?:(?:<S><C><R><E><E><N>|<D><E><S><K><T><O><P>|<M><I><C><R><O><P><H><O><N><E>)\s<A><N><D>\s|<O><W><N>\s)?(?:<W><E><B>[-\s]?|<F><R><O><N><T>[-\s]?|<N><E><T><W><O><R><K>\s|<Y><O><U><R>\s)<C><A><M><E><R>+<A>/i
10249endif
10250
10251body __YOU_ASSIST /\b(?:your\sas+istan(?:ce|t)|votre\s(?:as+istance|aide))\b/i
10252
10253body __YOU_INHERIT /\byour\s[a-z\s]{0,30}inherit+ance\b/i
10254
10255meta __YOU_WON __YOU_WON_01 || __YOU_WON_02 || __YOU_WON_03 || __YOU_WON_04 || __HAS_WON_01 || (__YOU_WON_05 && (__MOVE_MONEY || __GIVE_MONEY))
10256
10257body __YOU_WON_01 /\byou(?:r|'re|'ve|'ll|\shave|\sdid)?\s(?:e-?mail\s)?(?:\w+\s){0,2}(?:a\s)?w[io]n+(?:er|ing)?(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i
10258
10259body __YOU_WON_02 /\bw[io]n\s(?:(?:for|by)\s)?your?\b/i
10260
10261body __YOU_WON_03 /\b(?:your?|win+ing|win+ers?|beneficiaries|participants?|individuals?|address(?:es)?|accounts?|emails?)(?:\s[-a-z\s]{4,40})?\s(?:w(?:ere|as)|ha(?:ve|s) be(?:en)?)\s(?:automatically\s)?(?:(?:randomly|raffly)\s(?:selected|cho+sen|cho+sing|picked)|(?:selected|cho+sen|cho+sing|picked)\s(?:[a-z\s]{2,40}?\srandom(?:ly)?|online|lottery|computer\s(?:ballot|wahlgang))|(?:selected|cho+sen|cho+sing|picked)(?:\sas?|\sthe){0,3}\swin+er)/i
10262
10263body __YOU_WON_04 /\bqu[ei]\s?(?:vous (?:[\xc3][\xaa]|=C3=AA|[\xea]|e)tes\s?gagnant|en\scons(?:e|=E9|[\xe9]|[\xc3][\xa9])quence\sgagne)\b/i
10264
10265body __YOU_WON_05 /\bI won(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i
10266
10267if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
10268 meta __ZIP_ATTACH_MT 0
10269endif
10270
10271ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
10272 mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i
10273endif
10274
10275if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
10276 meta __ZIP_ATTACH_NOFN 0
10277endif
10278
10279ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
10280 mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i
10281endif
10282
10283ifplugin Mail::SpamAssassin::Plugin::FreeMail
10284 header __freemail_mailreplyto eval:check_freemail_header('Mail-Reply-To')
10285endif
10286
10287body __hk_bigmoney /(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i
10288
10289body __hk_win_0 /\byour? e-?mail just w[oi]n/i
10290
10291body __hk_win_2 /\battn.{0,10}winner/i
10292
10293body __hk_win_3 /\bhappily aa?nnounce/i
10294
10295body __hk_win_4 /\bpleas(?:ure|ed) to inform/i
10296
10297body __hk_win_5 /\b(?:notice the|your) winning/i
10298
10299body __hk_win_7 /\bcongratulations? to your/i
10300
10301body __hk_win_8 /\bunexpected luck/i
10302
10303body __hk_win_9 /\blucky (?:nl )number/i
10304
10305body __hk_win_a /\bwinning (?:e-?mail|numbers|information)/i
10306
10307body __hk_win_b /\byour e-?mail (?:address )?(?:has )?w[io]n/i
10308
10309body __hk_win_c /\bune adresse e-?mail sur internet/i
10310
10311body __hk_win_d /\bcategory (?:\S{0,5} )?winner of our/i
10312
10313body __hk_win_i /\bfunds? transfer/i
10314
10315body __hk_win_j /\b(?:winning|ready for|sum) pay ?out/i
10316
10317body __hk_win_l /\b(?:make|file) (?:for )?your claim/i
10318
10319body __hk_win_m /\br.clamation de votre prix/i
10320
10321body __hk_win_n /\bcollect your prize/i
10322
10323body __hk_win_o /\bclarification and procedure/i
10324
10325ifplugin Mail::SpamAssassin::Plugin::FreeMail
10326header __smf_freemail_hdr_replyto eval:check_freemail_header('Reply-To:addr')
10327endif
SA for PMG