Commit | Line | Data |
---|---|---|
1 | # SpamAssassin rules file | |
2 | # | |
3 | # Please don't modify this file as your changes will be overwritten with | |
4 | # the next update. Use /etc/mail/spamassassin/local.cf instead. | |
5 | # See 'perldoc Mail::SpamAssassin::Conf' for details. | |
6 | # | |
7 | # <@LICENSE> | |
8 | # Licensed to the Apache Software Foundation (ASF) under one or more | |
9 | # contributor license agreements. See the NOTICE file distributed with | |
10 | # this work for additional information regarding copyright ownership. | |
11 | # The ASF licenses this file to you under the Apache License, Version 2.0 | |
12 | # (the "License"); you may not use this file except in compliance with | |
13 | # the License. You may obtain a copy of the License at: | |
14 | # | |
15 | # http://www.apache.org/licenses/LICENSE-2.0 | |
16 | # | |
17 | # Unless required by applicable law or agreed to in writing, software | |
18 | # distributed under the License is distributed on an "AS IS" BASIS, | |
19 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
20 | # See the License for the specific language governing permissions and | |
21 | # limitations under the License. | |
22 | # </@LICENSE> | |
23 | # | |
24 | ########################################################################### | |
25 | ||
26 | require_version 3.004006 | |
27 | ||
28 | ##{ ACCT_PHISHING_MANY | |
29 | # Fires when either phishing sub-rule hits, unless GOOGLE_DOCS_PHISH_MANY or GOOG_STO_HTML_PHISH_MANY also hits (presumably so the more specific rule carries the score instead). The score line is commented out and tagged "limit"; the effective score is presumably set elsewhere - confirm against the scores file in use. | |
30 | meta ACCT_PHISHING_MANY (__ACCT_PHISH_MANY || __EMAIL_PHISH_MANY) && !GOOGLE_DOCS_PHISH_MANY && !GOOG_STO_HTML_PHISH_MANY | |
31 | describe ACCT_PHISHING_MANY Phishing for account information | |
32 | #score ACCT_PHISHING_MANY 3.000 # limit | |
33 | ##} ACCT_PHISHING_MANY | |
34 | ||
35 | ##{ AC_BR_BONANZA | |
36 | # Matches 30 consecutive literal <br> tags (case-insensitive, optional whitespace between them) in the raw body. Self-closing spellings such as <br/> or <br /> do not match this pattern, so a template using those is not detected by this rule. | |
37 | rawbody AC_BR_BONANZA /(?:<br>\s*){30}/i | |
38 | describe AC_BR_BONANZA Too many newlines in a row... spammy template | |
39 | #score AC_BR_BONANZA 0.001 | |
40 | tflags AC_BR_BONANZA publish | |
41 | ##} AC_BR_BONANZA | |
42 | ||
43 | ##{ AC_DIV_BONANZA | |
44 | # Matches 10 consecutive attribute-less <div> tags, each optionally followed by </div>, in the raw body (case-insensitive). A <div> carrying any attribute (class, style, ...) does not match this pattern. | |
45 | rawbody AC_DIV_BONANZA /(?:<div>(?:\s*<\/div>)?\s*){10}/i | |
46 | describe AC_DIV_BONANZA Too many divs in a row... spammy template | |
47 | #score AC_DIV_BONANZA 0.001 | |
48 | tflags AC_DIV_BONANZA publish | |
49 | ##} AC_DIV_BONANZA | |
50 | ||
51 | ##{ AC_FROM_MANY_DOTS | |
52 | ||
53 | meta AC_FROM_MANY_DOTS __AC_FROM_MANY_DOTS_MINFP | |
54 | #score AC_FROM_MANY_DOTS 3.000 # limit | |
55 | describe AC_FROM_MANY_DOTS Multiple periods in From user name | |
56 | tflags AC_FROM_MANY_DOTS publish | |
57 | ##} AC_FROM_MANY_DOTS | |
58 | ||
59 | ##{ AC_HTML_NONSENSE_TAGS | |
60 | # Matches 10 consecutive opening tags whose name is 4 or more alphanumeric characters and which carry no attributes. NOTE(review): the pattern does not check that the tag name is unknown, so real attribute-less tags of that length (<tbody>, <center>, <strong>) satisfy it too when ten occur back to back. | |
61 | rawbody AC_HTML_NONSENSE_TAGS /(?:<[A-Za-z0-9]{4,}>\s*){10}/ | |
62 | describe AC_HTML_NONSENSE_TAGS Many consecutive multi-letter HTML tags, likely nonsense/spam | |
63 | #score AC_HTML_NONSENSE_TAGS 2.0 | |
64 | tflags AC_HTML_NONSENSE_TAGS publish | |
65 | ##} AC_HTML_NONSENSE_TAGS | |
66 | ||
67 | ##{ AC_POST_EXTRAS | |
68 | ||
69 | meta AC_POST_EXTRAS __AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_ID | |
70 | describe AC_POST_EXTRAS Suspicious URL | |
71 | #score AC_POST_EXTRAS 2.500 # limit | |
72 | tflags AC_POST_EXTRAS publish | |
73 | ##} AC_POST_EXTRAS | |
74 | ||
75 | ##{ AC_SPAMMY_URI_PATTERNS1 | |
76 | ||
77 | meta AC_SPAMMY_URI_PATTERNS1 (__AC_OUTL_URI && __AC_OUTI_URI) | |
78 | describe AC_SPAMMY_URI_PATTERNS1 link combos match highly spammy template | |
79 | #score AC_SPAMMY_URI_PATTERNS1 4.0 | |
80 | tflags AC_SPAMMY_URI_PATTERNS1 publish | |
81 | ##} AC_SPAMMY_URI_PATTERNS1 | |
82 | ||
83 | ##{ AC_SPAMMY_URI_PATTERNS10 | |
84 | ||
85 | meta AC_SPAMMY_URI_PATTERNS10 __AC_PUNCTNUMS_URI | |
86 | describe AC_SPAMMY_URI_PATTERNS10 link combos match highly spammy template | |
87 | #score AC_SPAMMY_URI_PATTERNS10 4.0 | |
88 | tflags AC_SPAMMY_URI_PATTERNS10 publish | |
89 | ##} AC_SPAMMY_URI_PATTERNS10 | |
90 | ||
91 | ##{ AC_SPAMMY_URI_PATTERNS11 | |
92 | ||
93 | meta AC_SPAMMY_URI_PATTERNS11 __AC_NDOMLONGNASPX_URI | |
94 | describe AC_SPAMMY_URI_PATTERNS11 link combos match highly spammy template | |
95 | #score AC_SPAMMY_URI_PATTERNS11 4.0 | |
96 | tflags AC_SPAMMY_URI_PATTERNS11 publish | |
97 | ##} AC_SPAMMY_URI_PATTERNS11 | |
98 | ||
99 | ##{ AC_SPAMMY_URI_PATTERNS12 | |
100 | ||
101 | meta AC_SPAMMY_URI_PATTERNS12 (__AC_CHDSEQ_URI && __AC_MHDSEQ_URI && __AC_UHDSEQ_URI) | |
102 | describe AC_SPAMMY_URI_PATTERNS12 link combos match highly spammy template | |
103 | #score AC_SPAMMY_URI_PATTERNS12 4.0 | |
104 | tflags AC_SPAMMY_URI_PATTERNS12 publish | |
105 | ##} AC_SPAMMY_URI_PATTERNS12 | |
106 | ||
107 | ##{ AC_SPAMMY_URI_PATTERNS2 | |
108 | ||
109 | meta AC_SPAMMY_URI_PATTERNS2 (__AC_LAND_URI && __AC_UNSUB_URI && __AC_REPORT_URI) | |
110 | describe AC_SPAMMY_URI_PATTERNS2 link combos match highly spammy template | |
111 | #score AC_SPAMMY_URI_PATTERNS2 4.0 | |
112 | tflags AC_SPAMMY_URI_PATTERNS2 publish | |
113 | ##} AC_SPAMMY_URI_PATTERNS2 | |
114 | ||
115 | ##{ AC_SPAMMY_URI_PATTERNS3 | |
116 | ||
117 | meta AC_SPAMMY_URI_PATTERNS3 (__AC_PHPOFFTOP_URI && __AC_PHPOFFSUB_URI) | |
118 | describe AC_SPAMMY_URI_PATTERNS3 link combos match highly spammy template | |
119 | #score AC_SPAMMY_URI_PATTERNS3 4.0 | |
120 | tflags AC_SPAMMY_URI_PATTERNS3 publish | |
121 | ##} AC_SPAMMY_URI_PATTERNS3 | |
122 | ||
123 | ##{ AC_SPAMMY_URI_PATTERNS4 | |
124 | ||
125 | meta AC_SPAMMY_URI_PATTERNS4 __AC_NUMS_URI | |
126 | describe AC_SPAMMY_URI_PATTERNS4 link combos match highly spammy template | |
127 | #score AC_SPAMMY_URI_PATTERNS4 4.0 | |
128 | tflags AC_SPAMMY_URI_PATTERNS4 publish | |
129 | ##} AC_SPAMMY_URI_PATTERNS4 | |
130 | ||
131 | ##{ AC_SPAMMY_URI_PATTERNS8 | |
132 | ||
133 | meta AC_SPAMMY_URI_PATTERNS8 __AC_LONGSEQ_URI | |
134 | describe AC_SPAMMY_URI_PATTERNS8 link combos match highly spammy template | |
135 | #score AC_SPAMMY_URI_PATTERNS8 4.0 | |
136 | tflags AC_SPAMMY_URI_PATTERNS8 publish | |
137 | ##} AC_SPAMMY_URI_PATTERNS8 | |
138 | ||
139 | ##{ AC_SPAMMY_URI_PATTERNS9 | |
140 | ||
141 | meta AC_SPAMMY_URI_PATTERNS9 (__AC_1SEQC_URI && (__AC_1SEQV_URI || __AC_RMOVE_URI)) | |
142 | describe AC_SPAMMY_URI_PATTERNS9 link combos match highly spammy template | |
143 | #score AC_SPAMMY_URI_PATTERNS9 4.0 | |
144 | tflags AC_SPAMMY_URI_PATTERNS9 publish | |
145 | ##} AC_SPAMMY_URI_PATTERNS9 | |
146 | ||
147 | ##{ ADMAIL | |
148 | ||
149 | meta ADMAIL __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS | |
150 | describe ADMAIL "admail" and variants | |
151 | tflags ADMAIL publish | |
152 | ##} ADMAIL | |
153 | ||
154 | ##{ ADMITS_SPAM | |
155 | ||
156 | meta ADMITS_SPAM __ADMITS_SPAM && !__FROM_LOWER && !__MSGID_JAVAMAIL && !__HAS_CAMPAIGNID && !__STY_INVIS_2 && !__LYRIS_EZLM_REMAILER && !__RCD_RDNS_OB | |
157 | describe ADMITS_SPAM Admits this is an ad | |
158 | tflags ADMITS_SPAM publish | |
159 | ##} ADMITS_SPAM | |
160 | ||
161 | ##{ ADULT_DATING_COMPANY | |
162 | ||
163 | meta ADULT_DATING_COMPANY __ADULTDATINGCOMPANY_BODY || __ADULTDATINGCOMPANY_FROM || __ADULTDATINGCOMPANY_REPTO | |
164 | #score ADULT_DATING_COMPANY 10.000 # limit | |
165 | tflags ADULT_DATING_COMPANY publish | |
166 | ##} ADULT_DATING_COMPANY | |
167 | ||
168 | ##{ ADVANCE_FEE_2_NEW_FORM | |
169 | ||
170 | meta ADVANCE_FEE_2_NEW_FORM (__ADVANCE_FEE_2_NEW_FORM && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__FROM_LOWER && !__HAS_X_LOOP | |
171 | describe ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form | |
172 | #score ADVANCE_FEE_2_NEW_FORM 2.000 # limit | |
173 | tflags ADVANCE_FEE_2_NEW_FORM publish | |
174 | ##} ADVANCE_FEE_2_NEW_FORM | |
175 | ||
176 | ##{ ADVANCE_FEE_2_NEW_FRM_MNY | |
177 | ||
178 | meta ADVANCE_FEE_2_NEW_FRM_MNY (__ADVANCE_FEE_2_NEW_FRM_MNY && !__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP | |
179 | describe ADVANCE_FEE_2_NEW_FRM_MNY Advance Fee fraud form and lots of money | |
180 | #score ADVANCE_FEE_2_NEW_FRM_MNY 2.500 | |
181 | tflags ADVANCE_FEE_2_NEW_FRM_MNY publish | |
182 | ##} ADVANCE_FEE_2_NEW_FRM_MNY | |
183 | ||
184 | ##{ ADVANCE_FEE_2_NEW_MONEY | |
185 | ||
186 | meta ADVANCE_FEE_2_NEW_MONEY (__ADVANCE_FEE_2_NEW_MONEY && !__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG | |
187 | describe ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money | |
188 | #score ADVANCE_FEE_2_NEW_MONEY 2.000 # limit | |
189 | tflags ADVANCE_FEE_2_NEW_MONEY publish | |
190 | ##} ADVANCE_FEE_2_NEW_MONEY | |
191 | ||
192 | ##{ ADVANCE_FEE_3_NEW | |
193 | ||
194 | meta ADVANCE_FEE_3_NEW (__ADVANCE_FEE_3_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_4_NEW && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__HAS_SENDER && !__HAS_X_LOOP && !__TO_YOUR_ORG && !__BUGGED_IMG | |
195 | describe ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419) | |
196 | #score ADVANCE_FEE_3_NEW 3.5 # limit | |
197 | tflags ADVANCE_FEE_3_NEW publish | |
198 | ##} ADVANCE_FEE_3_NEW | |
199 | ||
200 | ##{ ADVANCE_FEE_3_NEW_FORM | |
201 | ||
202 | meta ADVANCE_FEE_3_NEW_FORM (__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__THREADED && !__HAS_SENDER && !__FROM_LOWER && !__HAS_X_LOOP | |
203 | describe ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form | |
204 | tflags ADVANCE_FEE_3_NEW_FORM publish | |
205 | ##} ADVANCE_FEE_3_NEW_FORM | |
206 | ||
207 | ##{ ADVANCE_FEE_3_NEW_FRM_MNY | |
208 | ||
209 | meta ADVANCE_FEE_3_NEW_FRM_MNY (__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP | |
210 | describe ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money | |
211 | tflags ADVANCE_FEE_3_NEW_FRM_MNY publish | |
212 | ##} ADVANCE_FEE_3_NEW_FRM_MNY | |
213 | ||
214 | ##{ ADVANCE_FEE_3_NEW_MONEY | |
215 | ||
216 | meta ADVANCE_FEE_3_NEW_MONEY (__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG | |
217 | describe ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money | |
218 | tflags ADVANCE_FEE_3_NEW_MONEY publish | |
219 | ##} ADVANCE_FEE_3_NEW_MONEY | |
220 | ||
221 | ##{ ADVANCE_FEE_4_NEW | |
222 | ||
223 | meta ADVANCE_FEE_4_NEW (__ADVANCE_FEE_4_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__HAS_ERRORS_TO && !__HAS_X_LOOP && !__BUGGED_IMG | |
224 | describe ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419) | |
225 | tflags ADVANCE_FEE_4_NEW publish | |
226 | ##} ADVANCE_FEE_4_NEW | |
227 | ||
228 | ##{ ADVANCE_FEE_4_NEW_FORM | |
229 | ||
230 | meta ADVANCE_FEE_4_NEW_FORM (__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) | |
231 | describe ADVANCE_FEE_4_NEW_FORM Advance Fee fraud and a form | |
232 | tflags ADVANCE_FEE_4_NEW_FORM publish | |
233 | ##} ADVANCE_FEE_4_NEW_FORM | |
234 | ||
235 | ##{ ADVANCE_FEE_4_NEW_FRM_MNY | |
236 | ||
237 | meta ADVANCE_FEE_4_NEW_FRM_MNY (__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) | |
238 | describe ADVANCE_FEE_4_NEW_FRM_MNY Advance Fee fraud form and lots of money | |
239 | tflags ADVANCE_FEE_4_NEW_FRM_MNY publish | |
240 | ##} ADVANCE_FEE_4_NEW_FRM_MNY | |
241 | ||
242 | ##{ ADVANCE_FEE_4_NEW_MONEY | |
243 | ||
244 | meta ADVANCE_FEE_4_NEW_MONEY (__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG | |
245 | describe ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money | |
246 | tflags ADVANCE_FEE_4_NEW_MONEY publish | |
247 | ##} ADVANCE_FEE_4_NEW_MONEY | |
248 | ||
249 | ##{ ADVANCE_FEE_5_NEW | |
250 | ||
251 | meta ADVANCE_FEE_5_NEW (__ADVANCE_FEE_5_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY) && !__BUGGED_IMG | |
252 | describe ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419) | |
253 | tflags ADVANCE_FEE_5_NEW publish | |
254 | ##} ADVANCE_FEE_5_NEW | |
255 | ||
256 | ##{ ADVANCE_FEE_5_NEW_FORM | |
257 | ||
258 | meta ADVANCE_FEE_5_NEW_FORM __ADVANCE_FEE_5_NEW_FORM | |
259 | describe ADVANCE_FEE_5_NEW_FORM Advance Fee fraud and a form | |
260 | tflags ADVANCE_FEE_5_NEW_FORM publish | |
261 | ##} ADVANCE_FEE_5_NEW_FORM | |
262 | ||
263 | ##{ ADVANCE_FEE_5_NEW_FRM_MNY | |
264 | ||
265 | meta ADVANCE_FEE_5_NEW_FRM_MNY __ADVANCE_FEE_5_NEW_FRM_MNY | |
266 | describe ADVANCE_FEE_5_NEW_FRM_MNY Advance Fee fraud form and lots of money | |
267 | tflags ADVANCE_FEE_5_NEW_FRM_MNY publish | |
268 | ##} ADVANCE_FEE_5_NEW_FRM_MNY | |
269 | ||
270 | ##{ ADVANCE_FEE_5_NEW_MONEY | |
271 | ||
272 | meta ADVANCE_FEE_5_NEW_MONEY __ADVANCE_FEE_5_NEW_MONEY && !__BOUNCE_CTYPE && !__BUGGED_IMG | |
273 | describe ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money | |
274 | tflags ADVANCE_FEE_5_NEW_MONEY publish | |
275 | ##} ADVANCE_FEE_5_NEW_MONEY | |
276 | ||
277 | ##{ AD_PREFS | |
278 | ||
279 | body AD_PREFS /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i | |
280 | describe AD_PREFS Advertising preferences | |
281 | #score AD_PREFS 0.500 # limit | |
282 | tflags AD_PREFS publish | |
283 | ##} AD_PREFS | |
284 | ||
285 | ##{ ALIBABA_IMG_NOT_RCVD_ALI | |
286 | ||
287 | meta ALIBABA_IMG_NOT_RCVD_ALI __ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASE | |
288 | #score ALIBABA_IMG_NOT_RCVD_ALI 2.500 # limit | |
289 | describe ALIBABA_IMG_NOT_RCVD_ALI Alibaba hosted image but message not from Alibaba | |
290 | tflags ALIBABA_IMG_NOT_RCVD_ALI publish | |
291 | ##} ALIBABA_IMG_NOT_RCVD_ALI | |
292 | ||
293 | ##{ AMAZON_IMG_NOT_RCVD_AMZN | |
294 | ||
295 | meta AMAZON_IMG_NOT_RCVD_AMZN __AMAZON_IMG_NOT_RCVD_AMZN && !__HDR_RCVD_KEEPA && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST && !__URI_PRODUCT_AMAZON && !__HAS_ERRORS_TO | |
296 | #score AMAZON_IMG_NOT_RCVD_AMZN 2.500 # limit | |
297 | describe AMAZON_IMG_NOT_RCVD_AMZN Amazon hosted image but message not from Amazon | |
298 | tflags AMAZON_IMG_NOT_RCVD_AMZN publish | |
299 | ##} AMAZON_IMG_NOT_RCVD_AMZN | |
300 | ||
301 | ##{ APOSTROPHE_FROM | |
302 | # Fires on any apostrophe in the From address. NOTE(review): an apostrophe is a valid character in an e-mail local part (addresses built from names like O'Brien), so on its own this is a weak indicator; this block sets no score and no tflags. | |
303 | header APOSTROPHE_FROM From:addr =~ /'/ | |
304 | describe APOSTROPHE_FROM From address contains an apostrophe | |
305 | ##} APOSTROPHE_FROM | |
306 | ||
307 | ##{ APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
308 | ||
309 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
310 | meta APP_DEVELOPMENT_FREEM __APP_DEVELOPMENT_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) | |
311 | describe APP_DEVELOPMENT_FREEM App development pitch, freemail or CHN replyto | |
312 | # score APP_DEVELOPMENT_FREEM 3.500 # limit | |
313 | tflags APP_DEVELOPMENT_FREEM publish | |
314 | endif | |
315 | ##} APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
316 | ||
317 | ##{ APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
318 | ||
319 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
320 | meta APP_DEVELOPMENT_NORDNS __APP_DEVELOPMENT && __RDNS_NONE | |
321 | describe APP_DEVELOPMENT_NORDNS App development pitch, no rDNS | |
322 | # score APP_DEVELOPMENT_NORDNS 2.000 # limit | |
323 | tflags APP_DEVELOPMENT_NORDNS publish | |
324 | endif | |
325 | ##} APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
326 | ||
327 | ##{ AXB_XMAILER_MIMEOLE_OL_024C2 | |
328 | ||
329 | meta AXB_XMAILER_MIMEOLE_OL_024C2 (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2) | |
330 | describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait | |
331 | ##} AXB_XMAILER_MIMEOLE_OL_024C2 | |
332 | ||
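333 | ##{ AXB_XMAILER_MIMEOLE_OL_1ECD5 | |
334 | # Fires only when both AXB sub-rules hit (presumably X-Mailer and MimeOLE header checks, going by the rule name; the sub-rules are defined outside this view). | |
335 | meta AXB_XMAILER_MIMEOLE_OL_1ECD5 (__AXB_XM_OL_1ECD5 && __AXB_MO_OL_1ECD5) | |
336 | describe AXB_XMAILER_MIMEOLE_OL_1ECD5 Yet another X header trait | |
337 | ##} AXB_XMAILER_MIMEOLE_OL_1ECD5 | |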
338 | ##{ BANKING_LAWS | |
339 | ||
340 | body BANKING_LAWS /banking laws/i | |
341 | describe BANKING_LAWS Talks about banking laws | |
342 | ##} BANKING_LAWS | |
343 | ||
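344 | ##{ BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
345 | # Base64 part whose encoded line length falls in the 78-79 range passed to check_base64_length. RFC 2045 limits base64 encoded lines to 76 characters. | |
346 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
347 | body BASE64_LENGTH_78_79 eval:check_base64_length('78','79') | |
348 | describe BASE64_LENGTH_78_79 base64 encoded email part uses line length of 78 or 79 characters | |
349 | endif | |
350 | ##} BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
351 | ||
352 | ##{ BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
353 | # Base64 part with encoded lines longer than 79 characters; only a lower bound is passed to check_base64_length. | |
354 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
355 | body BASE64_LENGTH_79_INF eval:check_base64_length('79') | |
356 | describe BASE64_LENGTH_79_INF base64 encoded email part uses line length greater than 79 characters | |
357 | endif | |
358 | ##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |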
359 | ||
360 | ##{ BIGNUM_EMAILS_FREEM | |
361 | ||
362 | meta BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS_FREEM | |
363 | describe BIGNUM_EMAILS_FREEM Lots of email addresses/leads, free email account | |
364 | #score BIGNUM_EMAILS_FREEM 3.00 # limit | |
365 | tflags BIGNUM_EMAILS_FREEM publish | |
366 | ##} BIGNUM_EMAILS_FREEM | |
367 | ||
368 | ##{ BIGNUM_EMAILS_MANY | |
369 | ||
370 | meta BIGNUM_EMAILS_MANY __BIGNUM_EMAILS_3 && !__HAS_ERRORS_TO && !__HAS_CAMPAIGNID && !__DATE_LOWER | |
371 | describe BIGNUM_EMAILS_MANY Lots of email addresses/leads, over and over | |
372 | #score BIGNUM_EMAILS_MANY 3.00 # limit | |
373 | tflags BIGNUM_EMAILS_MANY publish | |
374 | ##} BIGNUM_EMAILS_MANY | |
375 | ||
376 | ##{ BITCOIN_BOMB | |
377 | ||
378 | meta BITCOIN_BOMB __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01 | |
379 | describe BITCOIN_BOMB BitCoin + bomb | |
380 | #score BITCOIN_BOMB 3.000 # limit | |
381 | tflags BITCOIN_BOMB publish | |
382 | ##} BITCOIN_BOMB | |
383 | ||
384 | ##{ BITCOIN_DEADLINE | |
385 | ||
386 | meta BITCOIN_DEADLINE __BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01 | |
387 | describe BITCOIN_DEADLINE BitCoin with a deadline | |
388 | #score BITCOIN_DEADLINE 3.000 # limit | |
389 | tflags BITCOIN_DEADLINE publish | |
390 | ##} BITCOIN_DEADLINE | |
391 | ||
392 | ##{ BITCOIN_EXTORT_01 | |
393 | # Fires when __BITCOIN_ID and __EXTORT_MANY both hit, except when all five sub-rules in the negated group hit together (the group is one AND, so any single one of them missing keeps the rule active). Other BITCOIN_* rules in this file (BOMB, DEADLINE, MALWARE, ONAN, PAY_ME, YOUR_INFO) exclude BITCOIN_EXTORT_01 in their own expressions. | |
394 | meta BITCOIN_EXTORT_01 (__BITCOIN_ID && __EXTORT_MANY) && !( __FROM_FULL_NAME && __SENDER_BOT && __SINGLE_WORD_LINE && __MIME_HTML && __PHPMAILER_MUA ) | |
395 | describe BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin | |
396 | #score BITCOIN_EXTORT_01 5.000 # limit | |
397 | tflags BITCOIN_EXTORT_01 publish | |
398 | ##} BITCOIN_EXTORT_01 | |
399 | ||
400 | ##{ BITCOIN_EXTORT_02 | |
401 | ||
402 | meta BITCOIN_EXTORT_02 __OBFU_BITCOIN_NOID && __EXTORT_MANY | |
403 | describe BITCOIN_EXTORT_02 Extortion spam, pay via BitCoin | |
404 | #score BITCOIN_EXTORT_02 5.000 # limit | |
405 | tflags BITCOIN_EXTORT_02 publish | |
406 | ##} BITCOIN_EXTORT_02 | |
407 | ||
408 | ##{ BITCOIN_IMGUR | |
409 | ||
410 | meta BITCOIN_IMGUR __BITCOIN_IMGUR | |
411 | describe BITCOIN_IMGUR Bitcoin + hosted image | |
412 | #score BITCOIN_IMGUR 3.500 # limit | |
413 | tflags BITCOIN_IMGUR publish | |
414 | ##} BITCOIN_IMGUR | |
415 | ||
416 | ##{ BITCOIN_MALF_HTML | |
417 | ||
418 | meta BITCOIN_MALF_HTML HTML_EXTRA_CLOSE && (__BITCOIN || __BITCOIN_ID) | |
419 | describe BITCOIN_MALF_HTML Bitcoin + malformed HTML | |
420 | #score BITCOIN_MALF_HTML 3.500 # limit | |
421 | ##} BITCOIN_MALF_HTML | |
422 | ||
423 | ##{ BITCOIN_MALWARE | |
424 | ||
425 | meta BITCOIN_MALWARE __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED | |
426 | describe BITCOIN_MALWARE BitCoin + malware bragging | |
427 | #score BITCOIN_MALWARE 3.500 # limit | |
428 | tflags BITCOIN_MALWARE publish | |
429 | ##} BITCOIN_MALWARE | |
430 | ||
431 | ##{ BITCOIN_OBFU_SUBJ | |
432 | ||
433 | meta BITCOIN_OBFU_SUBJ __BITCOIN_OBFU_SUBJ && !__128_ALNUM_URI | |
434 | describe BITCOIN_OBFU_SUBJ Bitcoin + obfuscated subject | |
435 | #score BITCOIN_OBFU_SUBJ 3.500 # limit | |
436 | tflags BITCOIN_OBFU_SUBJ publish | |
437 | ##} BITCOIN_OBFU_SUBJ | |
438 | ||
439 | ##{ BITCOIN_ONAN | |
440 | ||
441 | meta BITCOIN_ONAN __BITCOIN_ID && __YOUR_ONAN && __KHOP_NO_FULL_NAME && !BITCOIN_EXTORT_01 | |
442 | describe BITCOIN_ONAN BitCoin + [censored] | |
443 | #score BITCOIN_ONAN 3.000 # limit | |
444 | tflags BITCOIN_ONAN publish | |
445 | ##} BITCOIN_ONAN | |
446 | ||
447 | ##{ BITCOIN_PAY_ME | |
448 | ||
449 | meta BITCOIN_PAY_ME __BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01 | |
450 | describe BITCOIN_PAY_ME Pay me via BitCoin | |
451 | #score BITCOIN_PAY_ME 3.000 # limit | |
452 | tflags BITCOIN_PAY_ME publish | |
453 | ##} BITCOIN_PAY_ME | |
454 | ||
455 | ##{ BITCOIN_SPAM_01 | |
456 | ||
457 | meta BITCOIN_SPAM_01 __BITCOIN_ID && HTML_MIME_NO_HTML_TAG | |
458 | describe BITCOIN_SPAM_01 BitCoin spam pattern 01 | |
459 | #score BITCOIN_SPAM_01 2.500 # limit | |
460 | tflags BITCOIN_SPAM_01 publish | |
461 | ##} BITCOIN_SPAM_01 | |
462 | ||
463 | ##{ BITCOIN_SPAM_02 | |
464 | ||
465 | meta BITCOIN_SPAM_02 __BITCOIN_SPAM_02 && !__URL_BTC_ID | |
466 | describe BITCOIN_SPAM_02 BitCoin spam pattern 02 | |
467 | #score BITCOIN_SPAM_02 2.500 # limit | |
468 | tflags BITCOIN_SPAM_02 publish | |
469 | ##} BITCOIN_SPAM_02 | |
470 | ||
471 | ##{ BITCOIN_SPAM_03 | |
472 | ||
473 | meta BITCOIN_SPAM_03 __BITCOIN_ID && __SINGLE_WORD_SUBJ | |
474 | describe BITCOIN_SPAM_03 BitCoin spam pattern 03 | |
475 | #score BITCOIN_SPAM_03 2.500 # limit | |
476 | tflags BITCOIN_SPAM_03 publish | |
477 | ##} BITCOIN_SPAM_03 | |
478 | ||
479 | ##{ BITCOIN_SPAM_04 | |
480 | ||
481 | meta BITCOIN_SPAM_04 __BITCOIN_ID && __freemail_hdr_replyto | |
482 | describe BITCOIN_SPAM_04 BitCoin spam pattern 04 | |
483 | #score BITCOIN_SPAM_04 1.500 # limit | |
484 | tflags BITCOIN_SPAM_04 publish | |
485 | ##} BITCOIN_SPAM_04 | |
486 | ||
487 | ##{ BITCOIN_SPAM_05 | |
488 | ||
489 | meta BITCOIN_SPAM_05 __BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TO | |
490 | describe BITCOIN_SPAM_05 BitCoin spam pattern 05 | |
491 | #score BITCOIN_SPAM_05 2.500 # limit | |
492 | tflags BITCOIN_SPAM_05 net publish | |
493 | ##} BITCOIN_SPAM_05 | |
494 | ||
495 | ##{ BITCOIN_SPAM_06 | |
496 | ||
497 | meta BITCOIN_SPAM_06 __BITCOIN_ID && TVD_RCVD_SPACE_BRACKET | |
498 | describe BITCOIN_SPAM_06 BitCoin spam pattern 06 | |
499 | #score BITCOIN_SPAM_06 1.500 # limit | |
500 | tflags BITCOIN_SPAM_06 publish | |
501 | ##} BITCOIN_SPAM_06 | |
502 | ||
503 | ##{ BITCOIN_SPAM_07 | |
504 | ||
505 | meta BITCOIN_SPAM_07 __BITCOIN_SPAM_07 && !__DKIM_EXISTS | |
506 | describe BITCOIN_SPAM_07 BitCoin spam pattern 07 | |
507 | #score BITCOIN_SPAM_07 3.500 # limit | |
508 | tflags BITCOIN_SPAM_07 publish | |
509 | ##} BITCOIN_SPAM_07 | |
510 | ||
511 | ##{ BITCOIN_SPAM_08 | |
512 | ||
513 | meta BITCOIN_SPAM_08 __BITCOIN_ID && __TO_IN_SUBJ | |
514 | describe BITCOIN_SPAM_08 BitCoin spam pattern 08 | |
515 | #score BITCOIN_SPAM_08 2.500 # limit | |
516 | tflags BITCOIN_SPAM_08 publish | |
517 | ##} BITCOIN_SPAM_08 | |
518 | ||
519 | ##{ BITCOIN_SPAM_09 | |
520 | ||
521 | meta BITCOIN_SPAM_09 __BITCOIN_ID && ( __DESTROY_ME || __DESTROY_YOU ) | |
522 | describe BITCOIN_SPAM_09 BitCoin spam pattern 09 | |
523 | #score BITCOIN_SPAM_09 1.500 # limit | |
524 | tflags BITCOIN_SPAM_09 publish | |
525 | ##} BITCOIN_SPAM_09 | |
526 | ||
527 | ##{ BITCOIN_SPAM_10 | |
528 | ||
529 | meta BITCOIN_SPAM_10 __BITCOIN_ID && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 ) | |
530 | describe BITCOIN_SPAM_10 BitCoin spam pattern 10 | |
531 | #score BITCOIN_SPAM_10 2.500 # limit | |
532 | tflags BITCOIN_SPAM_10 publish | |
533 | ##} BITCOIN_SPAM_10 | |
534 | ||
535 | ##{ BITCOIN_SPAM_11 | |
536 | ||
537 | meta BITCOIN_SPAM_11 __BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFU | |
538 | describe BITCOIN_SPAM_11 BitCoin spam pattern 11 | |
539 | #score BITCOIN_SPAM_11 2.500 # limit | |
540 | tflags BITCOIN_SPAM_11 publish | |
541 | ##} BITCOIN_SPAM_11 | |
542 | ||
543 | ##{ BITCOIN_SPAM_12 | |
544 | ||
545 | meta BITCOIN_SPAM_12 __BITCOIN_ID && __BOGUS_MIME_HDR_MANY | |
546 | describe BITCOIN_SPAM_12 BitCoin spam pattern 12 | |
547 | #score BITCOIN_SPAM_12 2.500 # limit | |
548 | tflags BITCOIN_SPAM_12 publish | |
549 | ##} BITCOIN_SPAM_12 | |
550 | ||
551 | ##{ BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
552 | # An SPF record that ends in +all authorises every host to send for the domain, so an SPF pass from such a domain says nothing about who sent the message. The rule carries tflags net and is wrapped in the AskDNS plugin check, so it depends on network (DNS) tests and cannot fire where those are disabled or the plugin is not loaded. | |
553 | if (version >= 3.004001) | |
554 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
555 | meta BITCOIN_SPF_ONLYALL __PDS_SPF_ONLYALL && __BITCOIN_ID | |
556 | tflags BITCOIN_SPF_ONLYALL net publish | |
557 | describe BITCOIN_SPF_ONLYALL Bitcoin from a domain specifically set to pass +all SPF | |
558 | #score BITCOIN_SPF_ONLYALL 2.0 # limit | |
559 | endif | |
560 | endif | |
561 | ##} BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
562 | ||
563 | ##{ BITCOIN_WFH_01 | |
564 | ||
565 | meta BITCOIN_WFH_01 __BITCOIN_WFH_01 | |
566 | describe BITCOIN_WFH_01 Work-from-Home + bitcoin | |
567 | tflags BITCOIN_WFH_01 publish | |
568 | ##} BITCOIN_WFH_01 | |
569 | ||
570 | ##{ BITCOIN_XPRIO | |
571 | ||
572 | meta BITCOIN_XPRIO __BITCOIN_XPRIO && !__ML1 && !__HAS_SENDER && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY | |
573 | describe BITCOIN_XPRIO Bitcoin + priority | |
574 | #score BITCOIN_XPRIO 2.500 # limit | |
575 | ##} BITCOIN_XPRIO | |
576 | ||
577 | ##{ BITCOIN_YOUR_INFO | |
578 | ||
579 | meta BITCOIN_YOUR_INFO __BITCOIN_ID && __YOUR_PERSONAL && !BITCOIN_EXTORT_01 | |
580 | describe BITCOIN_YOUR_INFO BitCoin with your personal info | |
581 | #score BITCOIN_YOUR_INFO 3.000 # limit | |
582 | tflags BITCOIN_YOUR_INFO publish | |
583 | ##} BITCOIN_YOUR_INFO | |
584 | ||
585 | ##{ BODY_SINGLE_URI | |
586 | ||
587 | meta BODY_SINGLE_URI __BODY_SINGLE_URI && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP && !__VIA_ML | |
588 | describe BODY_SINGLE_URI Message body is only a URI | |
589 | #score BODY_SINGLE_URI 2.500 # limit | |
590 | ##} BODY_SINGLE_URI | |
591 | ||
592 | ##{ BODY_URI_ONLY | |
593 | # Every exclusion below is a sub-rule defined outside this view; any single one of them hitting switches this rule off. NOTE(review): if __DKIM_EXISTS only tests for the presence of a DKIM-Signature header rather than a verified signature, a sender can disable this rule by adding such a header - confirm the sub-rule definition before relying on this rule alone. | |
594 | meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV | |
595 | describe BODY_URI_ONLY Message body is only a URI in one line of text or for an image | |
596 | #score BODY_URI_ONLY 3.000 # limit | |
597 | tflags BODY_URI_ONLY publish | |
598 | ##} BODY_URI_ONLY | |
599 | ||
600 | ##{ BOGUS_MIME_VERSION | |
601 | ||
602 | meta BOGUS_MIME_VERSION __BOGUS_MIME_VER_02 || __MALF_MIME_VER | |
603 | #score BOGUS_MIME_VERSION 3.500 # limit | |
604 | describe BOGUS_MIME_VERSION Mime version header is bogus | |
605 | tflags BOGUS_MIME_VERSION publish | |
606 | ##} BOGUS_MIME_VERSION | |
607 | ||
608 | ##{ BOGUS_MSM_HDRS | |
609 | ||
610 | meta BOGUS_MSM_HDRS __BOGUS_MSM_HDRS | |
611 | describe BOGUS_MSM_HDRS Apparently bogus Microsoft email headers | |
612 | #score BOGUS_MSM_HDRS 3.000 # limit | |
613 | tflags BOGUS_MSM_HDRS publish | |
614 | ##} BOGUS_MSM_HDRS | |
615 | ||
616 | ##{ BOMB_FREEM | |
617 | ||
618 | meta BOMB_FREEM __EXPLOSIVE_DEVICE && __freemail_hdr_replyto | |
619 | describe BOMB_FREEM Bomb + freemail | |
620 | #score BOMB_FREEM 2.000 # limit | |
621 | tflags BOMB_FREEM publish | |
622 | ##} BOMB_FREEM | |
623 | ||
624 | ##{ BOMB_MONEY | |
625 | ||
626 | meta BOMB_MONEY __EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW || __ADVANCE_FEE_4_NEW || __ADVANCE_FEE_5_NEW ) | |
627 | describe BOMB_MONEY Bomb + money: bomb threat? | |
628 | #score BOMB_MONEY 2.500 # limit | |
629 | tflags BOMB_MONEY publish | |
630 | ##} BOMB_MONEY | |
631 | ||
632 | ##{ BTC_ORG | |
633 | ||
634 | describe BTC_ORG Bitcoin wallet ID + unusual header | |
635 | #score BTC_ORG 2.500 # limit | |
636 | ##} BTC_ORG | |
637 | ||
638 | ##{ BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
639 | # Variant used when the DKIM plugin is not loaded. It is the same expression as the ifplugin DKIM variant of BTC_ORG in this file, minus the !DKIM_SIGNED exclusion, so on such installs DKIM-signed mail is not exempted from this rule. | |
640 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
641 | meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST | |
642 | endif | |
643 | ##} BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
644 | ||
645 | ##{ BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM | |
646 | ||
647 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
648 | meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED | |
649 | endif | |
650 | ##} BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM | |
651 | ||
652 | ##{ BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
653 | ||
654 | if (version >= 3.004002) | |
655 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
656 | meta BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD | |
657 | tflags BULK_RE_SUSP_NTLD publish | |
658 | describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD | |
659 | #score BULK_RE_SUSP_NTLD 1.0 # limit | |
660 | endif | |
661 | endif | |
662 | ##} BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
663 | ||
664 | ##{ CANT_SEE_AD | |
665 | ||
666 | meta CANT_SEE_AD (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB | |
667 | describe CANT_SEE_AD You really want to see our spam. | |
668 | #score CANT_SEE_AD 2.500 # limit | |
669 | tflags CANT_SEE_AD publish | |
670 | ##} CANT_SEE_AD | |
671 | ||
672 | ##{ CK_HELO_GENERIC | |
673 | # Evaluated against the X-Spam-Relays-Untrusted pseudo-header. The pattern is anchored at the start and cannot cross a closing bracket, so only the first relay entry is examined; its HELO name must contain one of pool/dyna/lease/dial/dip/static plus two digit groups separated by non-digit characters. Which relay is "first untrusted" follows from the trusted_networks / internal_networks settings, so a wrong network boundary makes this rule inspect the wrong hop. The HELO string itself is chosen by the connecting host. | |
674 | header CK_HELO_GENERIC X-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?=\S*(?:pool|dyna|lease|dial|dip|static))\S*\d+[^\d\s]+\d+[^\]]+ auth= /i | |
675 | describe CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or Generic rPTR | |
676 | #score CK_HELO_GENERIC 0.25 | |
677 | ##} CK_HELO_GENERIC | |
678 | ||
679 | ##{ CN_B2B_SPAMMER | |
680 | ||
681 | body CN_B2B_SPAMMER /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i | |
682 | describe CN_B2B_SPAMMER Chinese company introducing itself | |
683 | tflags CN_B2B_SPAMMER publish | |
684 | ##} CN_B2B_SPAMMER | |
685 | ||
686 | ##{ COMMENT_GIBBERISH | |
687 | ||
688 | meta COMMENT_GIBBERISH __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT | |
689 | describe COMMENT_GIBBERISH Nonsense in long HTML comment | |
690 | #score COMMENT_GIBBERISH 1.50 # limit | |
691 | tflags COMMENT_GIBBERISH publish | |
692 | ##} COMMENT_GIBBERISH | |
693 | ||
694 | ##{ COMPENSATION | |
695 | ||
696 | describe COMPENSATION "Compensation" | |
697 | #score COMPENSATION 1.50 # limit | |
698 | ##} COMPENSATION | |
699 | ||
700 | ##{ COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
701 | ||
702 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
703 | meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD | |
704 | endif | |
705 | ##} COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
706 | ||
707 | ##{ COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM | |
708 | # DKIM-plugin variant: adds !__DKIM_DEPENDABLE to the exclusions used by the non-plugin variant; all __ sub-rules are defined outside this section. | |
709 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
710 | meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__DKIM_DEPENDABLE | |
711 | endif | |
712 | ##} COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM | |
713 | ||
714 | ##{ CONTENT_AFTER_HTML | |
715 | ||
716 | meta CONTENT_AFTER_HTML __CONTENT_AFTER_HTML && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !__RCD_RDNS_MTA_MESSY && !__URI_DOTGOV | |
717 | describe CONTENT_AFTER_HTML More content after HTML close tag | |
718 | #score CONTENT_AFTER_HTML 2.500 # limit | |
719 | tflags CONTENT_AFTER_HTML publish | |
720 | ##} CONTENT_AFTER_HTML | |
721 | ||
722 | ##{ CORRUPT_FROM_LINE_IN_HDRS | |
723 | ||
724 | meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS) | |
725 | describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers | |
726 | tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish | |
727 | #score CORRUPT_FROM_LINE_IN_HDRS 0.001 | |
728 | ##} CORRUPT_FROM_LINE_IN_HDRS | |
729 | ||
730 | ##{ CTE_8BIT_MISMATCH | |
731 | # Fires on text/plain mail whose Content-Transfer-Encoding is absent or 7bit while the body carries 8-bit bytes (reading of the sub-rule names; their definitions are outside this section). | |
732 | meta CTE_8BIT_MISMATCH (__CT_TEXT_PLAIN && (!__CTE || __L_CTE_7BIT) && __L_BODY_8BITS) | |
733 | describe CTE_8BIT_MISMATCH Header says 7bits but body disagrees | |
734 | #score CTE_8BIT_MISMATCH 1 | |
735 | tflags CTE_8BIT_MISMATCH publish | |
736 | ##} CTE_8BIT_MISMATCH | |
737 | ||
738 | ##{ CTYPE_001C_A | |
739 | ||
740 | meta CTYPE_001C_A (0) # obsolete | |
741 | ##} CTYPE_001C_A | |
742 | ||
743 | ##{ CTYPE_001C_B | |
744 | # No describe line. Matches a multipart boundary of the fixed form ----=_NextPart_000_0000_01C + 5 hex digits + '.' + 7 hex digits + 0; .{0,200} keeps the scan bounded. | |
745 | header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/ | |
746 | ##} CTYPE_001C_B | |
747 | ||
748 | ##{ CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
749 | # Inspects the raw Content-Type of a MIME part (header folding preserved): 'image/gif;', a newline, exactly eight spaces, then a quoted name= parameter ending the value. | |
750 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
751 | mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s | |
752 | describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc) | |
753 | endif | |
754 | ##} CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
755 | ||
756 | ##{ CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
757 | ||
758 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
759 | meta CTYPE_NULL __CTYPE_NULL | |
760 | describe CTYPE_NULL Malformed Content-Type header | |
761 | endif | |
762 | ##} CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
763 | ||
764 | ##{ CURR_PRICE | |
765 | ||
766 | body CURR_PRICE /\bCurrent Price:/ | |
767 | ##} CURR_PRICE | |
768 | ||
769 | ##{ DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
770 | # The two arguments are presumably hours: 96 h = 4 days and 2920 h is about 121 days, which agrees with the describe text below. | |
771 | ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
772 | header DATE_IN_FUTURE_96_Q eval:check_for_shifted_date('96', '2920') | |
773 | describe DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: date | |
774 | endif | |
775 | ##} DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
776 | ||
777 | ##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
778 | ||
779 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
780 | meta DAY_I_EARNED __DAY_I_EARNED >= 3 | |
781 | # score DAY_I_EARNED 3.000 # limit | |
782 | describe DAY_I_EARNED Work-at-home spam | |
783 | tflags DAY_I_EARNED publish | |
784 | endif | |
785 | ##} DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
786 | ||
787 | ##{ DEAR_BENEFICIARY | |
788 | ||
789 | body DEAR_BENEFICIARY /\b(?:De[ae]r\s|At+(?:ention|n):?\s?)(?:\S+\s)?Ben[ei]ficiary\b/i | |
790 | describe DEAR_BENEFICIARY Dear Beneficiary: | |
791 | ##} DEAR_BENEFICIARY | |
792 | ||
793 | ##{ DEAR_WINNER | |
794 | ||
795 | body DEAR_WINNER /\bdear.{1,20}winner/i | |
796 | describe DEAR_WINNER Spam with generic salutation of "dear winner" | |
797 | ##} DEAR_WINNER | |
798 | ||
799 | ##{ DETAILS_OF_PRODUCT | |
800 | ||
801 | body DETAILS_OF_PRODUCT /(?:Please|kindly) (?:see|refer to|check(?: out)?) the (?:details of the product|(?:detailed |complete |specific )?product (?:details|information)) (below|following|that follow|in detail)|the following (?:(?:is the )?(?:detailed )?product information|is a brief introduction to (?:\w+\s){0,5}this product)|\bhere (is|are) some basic information about this|you can (?:\w+ )?understand our product/i | |
802 | #score DETAILS_OF_PRODUCT 1.250 # limit | |
803 | ##} DETAILS_OF_PRODUCT | |
804 | ||
805 | ##{ DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
806 | ||
807 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
808 | meta DKIMWL_BL __DKIMWL_WL_BL | |
809 | tflags DKIMWL_BL net publish | |
810 | describe DKIMWL_BL DKIMwl.org - Blocked sender | |
811 | #score DKIMWL_BL 3.0 # limit | |
812 | endif | |
813 | ##} DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
814 | ||
815 | ##{ DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
816 | # Operational signal rather than a spam indicator: it reports that the DNS query itself was refused, so results from the other DKIMWL_* rules are presumably unavailable for this message. | |
817 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
818 | meta DKIMWL_BLOCKED __DKIMWL_BLOCKED | |
819 | tflags DKIMWL_BLOCKED net publish | |
820 | describe DKIMWL_BLOCKED ADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. | |
821 | #score DKIMWL_BLOCKED 0.001 # limit | |
822 | endif | |
823 | ##} DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
824 | ||
825 | ##{ DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
826 | # Negative-scoring (tflags nice) reputation rule; the trust result is discarded when From or Reply-To is freemail, or when __DKIMWL_FREEMAIL or __DKIMWL_BULKMAIL is set, so shared sending domains do not earn the credit. | |
827 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
828 | meta DKIMWL_WL_HIGH __DKIMWL_WL_HI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL || __DKIMWL_BULKMAIL) | |
829 | tflags DKIMWL_WL_HIGH net nice publish | |
830 | describe DKIMWL_WL_HIGH DKIMwl.org - High trust sender | |
831 | #score DKIMWL_WL_HIGH -3.0 # limit | |
832 | endif | |
833 | ##} DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
834 | ||
835 | ##{ DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
836 | # Negative-scoring (tflags nice) tier; excludes freemail From/Reply-To and __DKIMWL_FREEMAIL but, unlike DKIMWL_WL_HIGH, does not exclude __DKIMWL_BULKMAIL. | |
837 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
838 | meta DKIMWL_WL_MED __DKIMWL_WL_MED && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL) | |
839 | tflags DKIMWL_WL_MED net nice publish | |
840 | describe DKIMWL_WL_MED DKIMwl.org - Medium trust sender | |
841 | #score DKIMWL_WL_MED -0.5 # limit | |
842 | endif | |
843 | ##} DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
844 | ||
845 | ##{ DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
846 | # Negative-scoring (tflags nice) tier; excludes freemail From/Reply-To and __DKIMWL_FREEMAIL but, unlike DKIMWL_WL_HIGH, does not exclude __DKIMWL_BULKMAIL. | |
847 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
848 | meta DKIMWL_WL_MEDHI __DKIMWL_WL_MEDHI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL) | |
849 | tflags DKIMWL_WL_MEDHI net nice publish | |
850 | describe DKIMWL_WL_MEDHI DKIMwl.org - Medium-high trust sender | |
851 | #score DKIMWL_WL_MEDHI -1.0 # limit | |
852 | endif | |
853 | ##} DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
854 | ||
855 | ##{ DOS_ANAL_SPAM_MAILER | |
856 | ||
857 | header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/ | |
858 | describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam | |
859 | tflags DOS_ANAL_SPAM_MAILER publish | |
860 | ##} DOS_ANAL_SPAM_MAILER | |
861 | ||
862 | ##{ DOS_DEREK_AUG08 | |
863 | ||
864 | meta DOS_DEREK_AUG08 __DOS_SINGLE_EXT_RELAY && __DOS_HAS_ANY_URI && __NAKED_TO && __LAST_UNTRUSTED_RELAY_NO_AUTH && SPF_PASS && __TVD_MIME_ATT_TP && __CT_TEXT_PLAIN && (__DOS_MSGID_DIGITS9 || __DOS_MSGID_DIGITS10) | |
865 | ##} DOS_DEREK_AUG08 | |
866 | ||
867 | ##{ DOS_FIX_MY_URI | |
868 | ||
869 | meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK | |
870 | describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam | |
871 | ##} DOS_FIX_MY_URI | |
872 | ||
873 | ##{ DOS_HIGH_BAT_TO_MX | |
874 | ||
875 | meta DOS_HIGH_BAT_TO_MX __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA | |
876 | describe DOS_HIGH_BAT_TO_MX The Bat! Direct to MX with High Bits | |
877 | ##} DOS_HIGH_BAT_TO_MX | |
878 | ||
879 | ##{ DOS_LET_GO_JOB | |
880 | ||
881 | meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME | |
882 | describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough! | |
883 | ##} DOS_LET_GO_JOB | |
884 | ||
885 | ##{ DOS_OE_TO_MX | |
886 | ||
887 | meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE | |
888 | describe DOS_OE_TO_MX Delivered direct to MX with OE headers | |
889 | ##} DOS_OE_TO_MX | |
890 | ||
891 | ##{ DOS_OE_TO_MX_IMAGE | |
892 | ||
893 | meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH | |
894 | describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image | |
895 | ##} DOS_OE_TO_MX_IMAGE | |
896 | ||
897 | ##{ DOS_OUTLOOK_TO_MX | |
898 | ||
899 | meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE | |
900 | describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers | |
901 | ##} DOS_OUTLOOK_TO_MX | |
902 | ||
903 | ##{ DOS_RCVD_IP_TWICE_C | |
904 | # Anchored over the whole X-Spam-Relays-External value: two bracketed relay entries carrying the same ip (back-reference \1), the first with an empty helo or a !-delimited IP literal; (?!127) skips addresses beginning with 127. | |
905 | header DOS_RCVD_IP_TWICE_C X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=(?:![\d.]{7,15}!)? [^\[]*\[ ip=\1 [^\]]*\]\s*$/ | |
906 | describe DOS_RCVD_IP_TWICE_C Received from the same IP twice in a row (only one external relay; empty or IP helo) | |
907 | ##} DOS_RCVD_IP_TWICE_C | |
908 | ||
909 | ##{ DOS_STOCK_BAT | |
910 | ||
911 | meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS) | |
912 | describe DOS_STOCK_BAT Probable pump and dump stock spam | |
913 | ##} DOS_STOCK_BAT | |
914 | ||
915 | ##{ DOS_STOCK_BAT2 | |
916 | ||
917 | meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2) | |
918 | ##} DOS_STOCK_BAT2 | |
919 | ||
920 | ##{ DOS_URI_ASTERISK | |
921 | # Matches http/https URIs whose host part (before any port or path) contains a literal '*' ahead of the final 2-3 letter label, optionally followed by a 2-letter label. | |
922 | uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)} | |
923 | describe DOS_URI_ASTERISK Found an asterisk in a URI | |
924 | ##} DOS_URI_ASTERISK | |
925 | ||
926 | ##{ DOS_YOUR_PLACE | |
927 | ||
928 | meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL)) | |
929 | describe DOS_YOUR_PLACE Russian dating spam | |
930 | ##} DOS_YOUR_PLACE | |
931 | ||
932 | ##{ DOTGOV_IMAGE | |
933 | ||
934 | meta DOTGOV_IMAGE __DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYS | |
935 | describe DOTGOV_IMAGE .gov URI + hosted image | |
936 | #score DOTGOV_IMAGE 3.000 # limit | |
937 | tflags DOTGOV_IMAGE publish | |
938 | ##} DOTGOV_IMAGE | |
939 | ||
940 | ##{ DRUGS_HDIA | |
941 | ||
942 | header DRUGS_HDIA Subject =~ /\bhoodia\b/i | |
943 | describe DRUGS_HDIA Subject mentions "hoodia" | |
944 | ##} DRUGS_HDIA | |
945 | ||
946 | ##{ DX_TEXT_02 | |
947 | ||
948 | body DX_TEXT_02 /\b(?:change|modif(?:y|ications?)) (?:of|to|(?:yo)?ur) (?:message|sub|comm) stat/i | |
949 | describe DX_TEXT_02 "change your message stat" | |
950 | tflags DX_TEXT_02 publish | |
951 | ##} DX_TEXT_02 | |
952 | ||
953 | ##{ DX_TEXT_03 | |
954 | ||
955 | body DX_TEXT_03 /\b[A-Z]{3} Media (?:Group|Relations)\b/ | |
956 | describe DX_TEXT_03 "XXX Media Group" | |
957 | tflags DX_TEXT_03 publish | |
958 | ##} DX_TEXT_03 | |
959 | ||
960 | ##{ DYNAMIC_IMGUR | |
961 | ||
962 | meta DYNAMIC_IMGUR __DYNAMIC_IMGUR | |
963 | describe DYNAMIC_IMGUR dynamic IP + hosted image | |
964 | #score DYNAMIC_IMGUR 4.000 # limit | |
965 | tflags DYNAMIC_IMGUR publish | |
966 | ##} DYNAMIC_IMGUR | |
967 | ||
968 | ##{ DYN_RDNS_AND_INLINE_IMAGE | |
969 | ||
970 | meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH) | |
971 | describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS | |
972 | ##} DYN_RDNS_AND_INLINE_IMAGE | |
973 | ||
974 | ##{ DYN_RDNS_SHORT_HELO_HTML | |
975 | ||
976 | meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE) | |
977 | describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML | |
978 | ##} DYN_RDNS_SHORT_HELO_HTML | |
979 | ||
980 | ##{ DYN_RDNS_SHORT_HELO_IMAGE | |
981 | ||
982 | meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH) | |
983 | describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image | |
984 | ##} DYN_RDNS_SHORT_HELO_IMAGE | |
985 | ||
986 | ##{ EBAY_IMG_NOT_RCVD_EBAY | |
987 | ||
988 | meta EBAY_IMG_NOT_RCVD_EBAY __EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTS | |
989 | #score EBAY_IMG_NOT_RCVD_EBAY 3.000 # limit | |
990 | describe EBAY_IMG_NOT_RCVD_EBAY E-bay hosted image but message not from E-bay | |
991 | tflags EBAY_IMG_NOT_RCVD_EBAY publish | |
992 | ##} EBAY_IMG_NOT_RCVD_EBAY | |
993 | ||
994 | ##{ EMRCP | |
995 | ||
996 | body EMRCP /\bExcess (?:Maximum )?Return Capital (?:Profits?|Funds?)\b/i | |
997 | describe EMRCP "Excess Maximum Return Capital Profit" scam | |
998 | tflags EMRCP publish | |
999 | ##} EMRCP | |
1000 | ||
1001 | ##{ ENCRYPTED_MESSAGE | |
1002 | # tflags nice marks this as a negative-scoring rule. NOTE(review): body and URI rules presumably cannot inspect an encrypted part, so this credit rests on __CT_ENCRYPTED alone (defined elsewhere); a site can override the score in local.cf. | |
1003 | meta ENCRYPTED_MESSAGE __CT_ENCRYPTED | |
1004 | describe ENCRYPTED_MESSAGE Message is encrypted, not likely to be spam | |
1005 | #score ENCRYPTED_MESSAGE -1.000 | |
1006 | tflags ENCRYPTED_MESSAGE nice publish | |
1007 | ##} ENCRYPTED_MESSAGE | |
1008 | ||
1009 | ##{ END_FUTURE_EMAILS | |
1010 | ||
1011 | describe END_FUTURE_EMAILS Spammy unsubscribe | |
1012 | #score END_FUTURE_EMAILS 2.500 # limit | |
1013 | ##} END_FUTURE_EMAILS | |
1014 | ||
1015 | ##{ END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
1016 | ||
1017 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
1018 | meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER | |
1019 | endif | |
1020 | ##} END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
1021 | ||
1022 | ##{ END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM | |
1023 | ||
1024 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
1025 | meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED | |
1026 | endif | |
1027 | ##} END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM | |
1028 | ||
1029 | ##{ ENVFROM_GOOG_TRIX | |
1030 | ||
1031 | meta ENVFROM_GOOG_TRIX __ENVFROM_GOOG_TRIX_SPAMMY | |
1032 | describe ENVFROM_GOOG_TRIX From suspicious Google subdomain | |
1033 | #score ENVFROM_GOOG_TRIX 3.000 # limit | |
1034 | tflags ENVFROM_GOOG_TRIX publish | |
1035 | ##} ENVFROM_GOOG_TRIX | |
1036 | ||
1037 | ##{ EXCUSE_24 | |
1038 | ||
1039 | body EXCUSE_24 /you(?:'ve|'re| have| are)? receiv(?:e|ed|ing) this (?:advertisement|offer|special|recurring|paid).{0,16}\b(?:by either|because)/i | |
1040 | describe EXCUSE_24 Claims you wanted this ad | |
1041 | ##} EXCUSE_24 | |
1042 | ||
1043 | ##{ FAKE_REPLY_A1 | |
1044 | ||
1045 | meta FAKE_REPLY_A1 (__SUBJ_RE && __MISSING_REPLY && __MISSING_REF && __BOTH_INR_AND_REF) | |
1046 | ##} FAKE_REPLY_A1 | |
1047 | ||
1048 | ##{ FAKE_REPLY_B | |
1049 | ||
1050 | meta FAKE_REPLY_B (__SUBJ_RE && __MISSING_REPLY && __INR_AND_NO_REF) | |
1051 | ##} FAKE_REPLY_B | |
1052 | ||
1053 | ##{ FAKE_REPLY_C | |
1054 | ||
1055 | meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF) | |
1056 | ##} FAKE_REPLY_C | |
1057 | ||
1058 | ##{ FBI_MONEY | |
1059 | ||
1060 | meta FBI_MONEY __FBI_SPOOF && LOTS_OF_MONEY | |
1061 | describe FBI_MONEY The FBI wants to give you lots of money? | |
1062 | #score FBI_MONEY 2.00 # limit | |
1063 | tflags FBI_MONEY publish | |
1064 | ##} FBI_MONEY | |
1065 | ||
1066 | ##{ FBI_SPOOF | |
1067 | ||
1068 | meta FBI_SPOOF __FBI_SPOOF | |
1069 | describe FBI_SPOOF Claims to be FBI, but not from FBI domain | |
1070 | #score FBI_SPOOF 2.00 # limit | |
1071 | tflags FBI_SPOOF publish | |
1072 | ##} FBI_SPOOF | |
1073 | ||
1074 | ##{ FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1075 | ||
1076 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1077 | meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML | |
1078 | describe FILL_THIS_FORM Fill in a form with personal information | |
1079 | tflags FILL_THIS_FORM publish | |
1080 | endif | |
1081 | ##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1082 | ||
1083 | ##{ FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1084 | ||
1085 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1086 | meta FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY | |
1087 | describe FILL_THIS_FORM_LONG Fill in a form with personal information | |
1088 | # score FILL_THIS_FORM_LONG 2.00 # limit | |
1089 | endif | |
1090 | ##} FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1091 | ||
1092 | ##{ FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1093 | ||
1094 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1095 | meta FONT_INVIS_DIRECT __FONT_INVIS_DIRECT && !__UNSUB_LINK && !__HAS_ERRORS_TO && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__URI_DOTGOV && !__NAKED_TO && !__MSGID_OK_HEX | |
1096 | describe FONT_INVIS_DIRECT Invisible text + direct-to-MX | |
1097 | # score FONT_INVIS_DIRECT 3.500 # limit | |
1098 | tflags FONT_INVIS_DIRECT publish | |
1099 | endif | |
1100 | ##} FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1101 | ||
1102 | ##{ FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1103 | ||
1104 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1105 | meta FONT_INVIS_DOTGOV __FONT_INVIS_DOTGOV && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__HAS_LIST_ID | |
1106 | describe FONT_INVIS_DOTGOV Invisible text + .gov URI | |
1107 | # score FONT_INVIS_DOTGOV 3.500 # limit | |
1108 | tflags FONT_INVIS_DOTGOV publish | |
1109 | endif | |
1110 | ##} FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1111 | ||
1112 | ##{ FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1113 | ||
1114 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1115 | meta FONT_INVIS_HTML_NOHTML __FONT_INVIS_HTML_NOHTML && !__RDNS_LONG | |
1116 | describe FONT_INVIS_HTML_NOHTML Invisible text + malformed HTML | |
1117 | # score FONT_INVIS_HTML_NOHTML 3.000 # limit | |
1118 | tflags FONT_INVIS_HTML_NOHTML publish | |
1119 | endif | |
1120 | ##} FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1121 | ||
1122 | ##{ FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1123 | ||
1124 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1125 | meta FONT_INVIS_LONG_LINE __FONT_INVIS_LONG_LINE && !__HTML_SINGLET | |
1126 | describe FONT_INVIS_LONG_LINE Invisible text + long lines | |
1127 | # score FONT_INVIS_LONG_LINE 3.000 # limit | |
1128 | tflags FONT_INVIS_LONG_LINE publish | |
1129 | endif | |
1130 | ##} FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1131 | ||
1132 | ##{ FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1133 | ||
1134 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1135 | meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX | |
1136 | describe FONT_INVIS_MSGID Invisible text + suspicious message ID | |
1137 | # score FONT_INVIS_MSGID 2.500 # limit | |
1138 | tflags FONT_INVIS_MSGID publish | |
1139 | endif | |
1140 | ##} FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1141 | ||
1142 | ##{ FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1143 | ||
1144 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1145 | meta FONT_INVIS_NORDNS __FONT_INVIS_NORDNS && !__HTML_SINGLET && !__LYRIS_EZLM_REMAILER && !__YOUR_PERSONAL && !__HAS_X_MAILER | |
1146 | describe FONT_INVIS_NORDNS Invisible text + no rDNS | |
1147 | # score FONT_INVIS_NORDNS 2.500 # limit | |
1148 | tflags FONT_INVIS_NORDNS publish | |
1149 | endif | |
1150 | ##} FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1151 | ||
1152 | ##{ FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1153 | ||
1154 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1155 | meta FONT_INVIS_POSTEXTRAS (__FONT_INVIS || __STY_INVIS) && __AC_POST_EXTRAS | |
1156 | describe FONT_INVIS_POSTEXTRAS Invisible text + suspicious URI | |
1157 | # score FONT_INVIS_POSTEXTRAS 3.500 # limit | |
1158 | tflags FONT_INVIS_POSTEXTRAS publish | |
1159 | endif | |
1160 | ##} FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1161 | ||
1162 | ##{ FORGED_SPF_HELO | |
1163 | # No describe line. Fires when the HELO identity passes SPF but the envelope sender does not (SPF_HELO_PASS && !SPF_PASS) and __HELO_NOT_RDNS (defined elsewhere) is also set. | |
1164 | meta FORGED_SPF_HELO __HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS | |
1165 | ##} FORGED_SPF_HELO | |
1166 | ||
1167 | ##{ FORM_FRAUD | |
1168 | ||
1169 | meta FORM_FRAUD (__FORM_FRAUD && !__FORM_FRAUD_3 && !__FORM_FRAUD_5) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__UPPERCASE_URI && !__UNSUB_LINK | |
1170 | describe FORM_FRAUD Fill a form and a fraud phrase | |
1171 | #score FORM_FRAUD 1.000 # limit | |
1172 | tflags FORM_FRAUD publish | |
1173 | ##} FORM_FRAUD | |
1174 | ||
1175 | ##{ FORM_FRAUD_3 | |
1176 | ||
1177 | meta FORM_FRAUD_3 (__FORM_FRAUD_3 && !__FORM_FRAUD_5 && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_3_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP && !__DOS_BODY_FRI && !__UNSUB_LINK && !__BUGGED_IMG && !__NOT_SPOOFED | |
1178 | describe FORM_FRAUD_3 Fill a form and several fraud phrases | |
1179 | tflags FORM_FRAUD_3 publish | |
1180 | ##} FORM_FRAUD_3 | |
1181 | ||
1182 | ##{ FORM_FRAUD_5 | |
1183 | ||
1184 | meta FORM_FRAUD_5 (__FORM_FRAUD_5 && !__ADVANCE_FEE_5_NEW_FORM && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__BOUNCE_CTYPE | |
1185 | describe FORM_FRAUD_5 Fill a form and many fraud phrases | |
1186 | tflags FORM_FRAUD_5 publish | |
1187 | ##} FORM_FRAUD_5 | |
1188 | ||
1189 | ##{ FORM_LOW_CONTRAST | |
1190 | ||
1191 | meta FORM_LOW_CONTRAST __FORM_LOW_CONTRAST && !__BUGGED_IMG && !__HAS_REPLY_TO && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__MSGID_JAVAMAIL | |
1192 | describe FORM_LOW_CONTRAST Fill in a form with hidden text | |
1193 | #score FORM_LOW_CONTRAST 2.500 # Limit | |
1194 | tflags FORM_LOW_CONTRAST publish | |
1195 | ##} FORM_LOW_CONTRAST | |
1196 | ||
1197 | ##{ FOUND_YOU | |
1198 | ||
1199 | meta FOUND_YOU __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO | |
1200 | #score FOUND_YOU 3.25 # limit | |
1201 | describe FOUND_YOU I found you... | |
1202 | tflags FOUND_YOU publish | |
1203 | ##} FOUND_YOU | |
1204 | ||
1205 | ##{ FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) | |
1206 | ||
1207 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1208 | ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
1209 | if (version >= 3.004000) | |
1210 | meta FREEMAIL_FORGED_FROMDOMAIN FREEMAIL_FROM && HEADER_FROM_DIFFERENT_DOMAINS | |
1211 | describe FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different | |
1212 | # score FREEMAIL_FORGED_FROMDOMAIN 0.25 | |
1213 | tflags FREEMAIL_FORGED_FROMDOMAIN publish | |
1214 | endif | |
1215 | endif | |
1216 | endif | |
1217 | ##} FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) | |
1218 | ||
1219 | ##{ FREEMAIL_WFH_01 | |
1220 | ||
1221 | meta FREEMAIL_WFH_01 __FREEMAIL_WFH_01 | |
1222 | describe FREEMAIL_WFH_01 Work-from-Home + freemail | |
1223 | tflags FREEMAIL_WFH_01 publish | |
1224 | ##} FREEMAIL_WFH_01 | |
1225 | ||
1226 | ##{ FREEM_FRNUM_UNICD_EMPTY | |
1227 | ||
1228 | meta FREEM_FRNUM_UNICD_EMPTY __FREEM_FRNUM_UNICD_EMPTY | |
1229 | describe FREEM_FRNUM_UNICD_EMPTY Numeric freemail From address, unicode From name and Subject, empty body | |
1230 | #score FREEM_FRNUM_UNICD_EMPTY 3.750 # limit | |
1231 | tflags FREEM_FRNUM_UNICD_EMPTY publish | |
1232 | ##} FREEM_FRNUM_UNICD_EMPTY | |
1233 | ||
1234 | ##{ FRNAME_IN_MSG_XPRIO_NO_SUB | |
1235 | ||
1236 | meta FRNAME_IN_MSG_XPRIO_NO_SUB (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS && !__SUBJ_NOT_SHORT && !ALL_TRUSTED | |
1237 | describe FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short or no subject | |
1238 | #score FRNAME_IN_MSG_XPRIO_NO_SUB 2.500 # limit | |
1239 | tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish | |
1240 | ##} FRNAME_IN_MSG_XPRIO_NO_SUB | |
1241 | ||
1242 | ##{ FROMSPACE | |
1243 | ||
1244 | describe FROMSPACE Idiosyncratic "From" header format | |
1245 | header FROMSPACE From:raw =~ /^\s?\"\s/ | |
1246 | ##} FROMSPACE | |
1247 | ||
1248 | ##{ FROM_2_EMAILS_SHORT | |
1249 | ||
1250 | meta FROM_2_EMAILS_SHORT __KAM_BODY_LENGTH_LT_512 && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) | |
1251 | describe FROM_2_EMAILS_SHORT Short body and From looks like 2 different emails | |
1252 | #score FROM_2_EMAILS_SHORT 3.0 # limit | |
1253 | ##} FROM_2_EMAILS_SHORT | |
1254 | ||
1255 | ##{ FROM_ADDR_WS | |
1256 | ||
1257 | meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL | |
1258 | describe FROM_ADDR_WS Malformed From address | |
1259 | #score FROM_ADDR_WS 3.000 # limit | |
1260 | tflags FROM_ADDR_WS publish | |
1261 | ##} FROM_ADDR_WS | |
1262 | ||
1263 | ##{ FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1264 | # Applies only to mail that crossed an untrusted relay (!NO_RELAYS && !ALL_TRUSTED) and has neither an SPF pass nor an author-domain DKIM signature (DKIM_VALID_AU); either one alone suppresses the rule. | |
1265 | if (version >= 3.004002) | |
1266 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1267 | meta FROM_BANK_NOAUTH __FROM_ADDRLIST_BANKS && (! NO_RELAYS && ! ALL_TRUSTED) && (! SPF_PASS && ! DKIM_VALID_AU) | |
1268 | tflags FROM_BANK_NOAUTH publish net | |
1269 | describe FROM_BANK_NOAUTH From Bank domain but no SPF or DKIM | |
1270 | #score FROM_BANK_NOAUTH 1.0 # limit | |
1271 | endif | |
1272 | endif | |
1273 | ##} FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1274 | ||
1275 | ##{ FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1276 | ||
1277 | if (version >= 3.004001) | |
1278 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1279 | meta FROM_FMBLA_NDBLOCKED __FROM_FMBLA_NDBLOCKED | |
1280 | describe FROM_FMBLA_NDBLOCKED ADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. | |
1281 | tflags FROM_FMBLA_NDBLOCKED net publish | |
1282 | #score FROM_FMBLA_NDBLOCKED 0.001 # limit | |
1283 | endif | |
1284 | endif | |
1285 | ##} FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1286 | ||
1287 | ##{ FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1288 | # NOTE(review): tflags here is 'net' only, while FROM_FMBLA_NEWDOM14 and FROM_FMBLA_NEWDOM28 also carry 'publish' - confirm that the difference is intended. | |
1289 | if (version >= 3.004001) | |
1290 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1291 | meta FROM_FMBLA_NEWDOM __FROM_FMBLA_NEWDOM | |
1292 | describe FROM_FMBLA_NEWDOM From domain was registered in last 7 days | |
1293 | tflags FROM_FMBLA_NEWDOM net | |
1294 | #score FROM_FMBLA_NEWDOM 1.5 # limit | |
1295 | endif | |
1296 | endif | |
1297 | ##} FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1298 | ||
1299 | ##{ FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1300 | ||
1301 | if (version >= 3.004001) | |
1302 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1303 | meta FROM_FMBLA_NEWDOM14 __FROM_FMBLA_NEWDOM14 | |
1304 | describe FROM_FMBLA_NEWDOM14 From domain was registered in last 7-14 days | |
1305 | tflags FROM_FMBLA_NEWDOM14 publish net | |
1306 | #score FROM_FMBLA_NEWDOM14 1.0 # limit | |
1307 | endif | |
1308 | endif | |
1309 | ##} FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1310 | ||
1311 | ##{ FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1312 | ||
1313 | if (version >= 3.004001) | |
1314 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1315 | meta FROM_FMBLA_NEWDOM28 __FROM_FMBLA_NEWDOM28 | |
1316 | describe FROM_FMBLA_NEWDOM28 From domain was registered in last 14-28 days | |
1317 | tflags FROM_FMBLA_NEWDOM28 net publish | |
1318 | #score FROM_FMBLA_NEWDOM28 0.8 # limit | |
1319 | endif | |
1320 | endif | |
1321 | ##} FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1322 | ||
1323 | ##{ FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1324 | # Negative-scoring (tflags nice) rule: requires DKIM_VALID_AU, a valid signature from the author's domain, together with a From address on the government address list (__FROM_ADDRLIST_GOV, defined elsewhere). | |
1325 | if (version >= 3.004002) | |
1326 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1327 | meta FROM_GOV_DKIM_AU DKIM_VALID_AU && __FROM_ADDRLIST_GOV | |
1328 | tflags FROM_GOV_DKIM_AU net nice publish | |
1329 | describe FROM_GOV_DKIM_AU From Government address and DKIM signed | |
1330 | #score FROM_GOV_DKIM_AU -1.0 # limit | |
1331 | endif | |
1332 | endif | |
1333 | ##} FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1334 | ||
1335 | ##{ FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1336 | # Government-list From address combined with FREEMAIL_FORGED_REPLYTO and no author-domain DKIM signature (!DKIM_VALID_AU); a valid author-domain signature suppresses the rule. | |
1337 | if (version >= 3.004002) | |
1338 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1339 | meta FROM_GOV_REPLYTO_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_GOV && !DKIM_VALID_AU | |
1340 | tflags FROM_GOV_REPLYTO_FREEMAIL net publish | |
1341 | describe FROM_GOV_REPLYTO_FREEMAIL From Government domain but ReplyTo is FREEMAIL | |
1342 | #score FROM_GOV_REPLYTO_FREEMAIL 2.0 | |
1343 | endif | |
1344 | endif | |
1345 | ##} FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1346 | ||
1347 | ##{ FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1348 | # Limited to mail that crossed an untrusted relay (!NO_RELAYS && !ALL_TRUSTED); fires when __NOT_SPOOFED (defined elsewhere) is not set for a From address on the government list. | |
1349 | if (version >= 3.004002) | |
1350 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1351 | meta FROM_GOV_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (! NO_RELAYS && ! ALL_TRUSTED) | |
1352 | tflags FROM_GOV_SPOOF net publish | |
1353 | describe FROM_GOV_SPOOF From Government domain but matches SPOOFED | |
1354 | #score FROM_GOV_SPOOF 1.0 # limit | |
1355 | endif | |
1356 | endif | |
1357 | ##} FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1358 | ||
1359 | ##{ FROM_IN_TO_AND_SUBJ | |
1360 | ||
1361 | meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID | |
1362 | describe FROM_IN_TO_AND_SUBJ From address is in To and Subject | |
1363 | tflags FROM_IN_TO_AND_SUBJ publish | |
1364 | ##} FROM_IN_TO_AND_SUBJ | |
1365 | ||
1366 | ##{ FROM_MISSPACED | |
1367 | ||
1368 | meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA | |
1369 | describe FROM_MISSPACED From: missing whitespace | |
1370 | #score FROM_MISSPACED 2.00 | |
1371 | ##} FROM_MISSPACED | |
1372 | ||
1373 | ##{ FROM_MISSP_DYNIP | |
1374 | ||
1375 | meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC | |
1376 | describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS | |
1377 | ##} FROM_MISSP_DYNIP | |
1378 | ||
1379 | ##{ FROM_MISSP_EH_MATCH | |
1380 | ||
1381 | meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA | |
1382 | describe FROM_MISSP_EH_MATCH From misspaced, matches envelope | |
1383 | #score FROM_MISSP_EH_MATCH 2.00 # max | |
1384 | ##} FROM_MISSP_EH_MATCH | |
1385 | ||
1386 | ##{ FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1387 | ||
1388 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1389 | meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA | |
1390 | describe FROM_MISSP_FREEMAIL From misspaced + freemail provider | |
1391 | endif | |
1392 | ##} FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1393 | ||
1394 | ##{ FROM_MISSP_MSFT | |
1395 | ||
1396 | meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS) | |
1397 | describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool | |
1398 | ##} FROM_MISSP_MSFT | |
1399 | ||
1400 | ##{ FROM_MISSP_PHISH | |
1401 | ||
1402 | meta FROM_MISSP_PHISH __FROM_MISSP_PHISH && !__DOS_HAS_LIST_UNSUB | |
1403 | describe FROM_MISSP_PHISH Malformed, claims to be from financial organization - possible phish | |
1404 | #score FROM_MISSP_PHISH 3.500 # limit | |
1405 | ##} FROM_MISSP_PHISH | |
1406 | ||
1407 | ##{ FROM_MISSP_REPLYTO | |
1408 | ||
1409 | meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY && !__DOS_HAS_LIST_UNSUB | |
1410 | describe FROM_MISSP_REPLYTO From misspaced, has Reply-To | |
1411 | #score FROM_MISSP_REPLYTO 2.500 # limit | |
1412 | ##} FROM_MISSP_REPLYTO | |
1413 | ||
1414 | ##{ FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF | |
1415 | ||
1416 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
     | # Combines the __FROM_RUNON sub-rule (defined outside this view) with an SPF | |
     | # failure. "tflags net": evaluated only when network tests are enabled. | |
     | # NOTE(review): unlike the sibling FROM_MISSP_* rules this one has no | |
     | # "describe" line, so reports carry no description for it; something like | |
     | # "From misspaced + SPF fail" would match the neighbouring wording. | |
1417 | meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL) | |
1418 | tflags FROM_MISSP_SPF_FAIL net | |
1419 | # score FROM_MISSP_SPF_FAIL 2.00 # limit | |
1420 | endif | |
1421 | ##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF | |
1422 | ||
1423 | ##{ FROM_MISSP_TO_UNDISC | |
1424 | ||
1425 | meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED) | |
1426 | describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed | |
1427 | ##} FROM_MISSP_TO_UNDISC | |
1428 | ||
1429 | ##{ FROM_MISSP_USER | |
1430 | ||
1431 | meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER) | |
1432 | describe FROM_MISSP_USER From misspaced, from "User" | |
1433 | ##} FROM_MISSP_USER | |
1434 | ||
1435 | ##{ FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
1436 | ||
1437 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
1438 | meta FROM_MULTI_NORDNS __FROM_MULTI_NORDNS | |
1439 | describe FROM_MULTI_NORDNS Multiple From addresses + no rDNS | |
1440 | endif | |
1441 | ##} FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
1442 | ||
1443 | ##{ FROM_NAME_EQ_TO_G_DRIVE | |
1444 | ||
1445 | meta FROM_NAME_EQ_TO_G_DRIVE !__SHORT_BODY_G_DRIVE_DYN && __SHORT_BODY_G_DRIVE && (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) | |
1446 | describe FROM_NAME_EQ_TO_G_DRIVE From:name equals To:addr and GDRIVE link | |
1447 | #score FROM_NAME_EQ_TO_G_DRIVE 1.5 # limit | |
1448 | ##} FROM_NAME_EQ_TO_G_DRIVE | |
1449 | ||
1450 | ##{ FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1451 | ||
1452 | if (version >= 3.004001) | |
1453 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1454 | meta FROM_NEWDOM_BTC __PDS_BTC_ID && __PDS_NEWDOMAIN | |
1455 | describe FROM_NEWDOM_BTC Newdomain with Bitcoin ID | |
1456 | #score FROM_NEWDOM_BTC 2.0 # limit | |
1457 | tflags FROM_NEWDOM_BTC net | |
1458 | endif | |
1459 | endif | |
1460 | ##} FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1461 | ||
1462 | ##{ FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1463 | ||
1464 | if (version >= 3.004002) | |
1465 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1466 | meta FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY | |
1467 | tflags FROM_NTLD_LINKBAIT publish | |
1468 | describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI | |
1469 | #score FROM_NTLD_LINKBAIT 2.0 # limit | |
1470 | endif | |
1471 | endif | |
1472 | ##} FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1473 | ||
1474 | ##{ FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1475 | ||
1476 | if (version >= 3.004002) | |
1477 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1478 | meta FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD | |
1479 | tflags FROM_NTLD_REPLY_FREEMAIL publish | |
1480 | describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL | |
1481 | #score FROM_NTLD_REPLY_FREEMAIL 2.0 # limit | |
1482 | endif | |
1483 | endif | |
1484 | ##} FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1485 | ||
1486 | ##{ FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1487 | ||
1488 | if (version >= 3.004001) | |
1489 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1490 | meta FROM_NUMBERO_NEWDOMAIN __NUMBERONLY_TLD && __PDS_NEWDOMAIN | |
1491 | describe FROM_NUMBERO_NEWDOMAIN Fingerprint and new domain | |
1492 | #score FROM_NUMBERO_NEWDOMAIN 2.0 # limit | |
1493 | tflags FROM_NUMBERO_NEWDOMAIN net publish | |
1494 | endif | |
1495 | endif | |
1496 | ##} FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1497 | ||
1498 | ##{ FROM_NUMERIC_TLD | |
1499 | ||
     | # Matches when the From address ends in a dot followed only by digits, i.e. | |
     | # the final domain label is all-numeric, which is not a valid TLD. | |
     | # The "$" anchor means a bracketed address literal (ending in "]") is not | |
     | # matched; a bare, unbracketed IPv4 address in the domain part would be. | |
1500 | header FROM_NUMERIC_TLD From:addr =~ /\.\d+$/ | |
1501 | describe FROM_NUMERIC_TLD From: address has numeric TLD | |
1502 | #score FROM_NUMERIC_TLD 3.000 # limit | |
1503 | ##} FROM_NUMERIC_TLD | |
1504 | ||
1505 | ##{ FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1506 | ||
1507 | if (version >= 3.004002) | |
1508 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
     | # Hits when the From address is on the PayPal address list and the | |
     | # __NOT_SPOOFED sub-rule (defined outside this view) did not hit; mail with | |
     | # no relays or an all-trusted relay path is exempt. | |
     | # "tflags net": evaluated only when network tests are enabled, so a scanner | |
     | # running local-only tests gets no signal from this rule. | |
1509 | meta FROM_PAYPAL_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_PAYPAL && (! NO_RELAYS && ! ALL_TRUSTED) | |
1510 | tflags FROM_PAYPAL_SPOOF publish net | |
1511 | describe FROM_PAYPAL_SPOOF From PayPal domain but matches SPOOFED | |
1512 | #score FROM_PAYPAL_SPOOF 1.6 # limit | |
1513 | endif | |
1514 | endif | |
1515 | ##} FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1516 | ||
1517 | ##{ FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1518 | ||
1519 | if (version >= 3.004002) | |
1520 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1521 | meta FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD | |
1522 | tflags FROM_SUSPICIOUS_NTLD publish | |
1523 | describe FROM_SUSPICIOUS_NTLD From abused NTLD | |
1524 | #score FROM_SUSPICIOUS_NTLD 0.5 # limit | |
1525 | endif | |
1526 | endif | |
1527 | ##} FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1528 | ||
1529 | ##{ FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1530 | ||
1531 | if (version >= 3.004002) | |
1532 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1533 | meta FROM_SUSPICIOUS_NTLD_FP __FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST | |
1534 | tflags FROM_SUSPICIOUS_NTLD_FP publish | |
1535 | describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD | |
1536 | #score FROM_SUSPICIOUS_NTLD_FP 2.0 # limit | |
1537 | endif | |
1538 | endif | |
1539 | ##} FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1540 | ||
1541 | ##{ FROM_WSP_TRAIL | |
1542 | ||
1543 | header FROM_WSP_TRAIL From:raw =~ /< [^>]* \s > [^<>]* \z/xm | |
1544 | describe FROM_WSP_TRAIL Trailing whitespace before '>' in From header field | |
1545 | ##} FROM_WSP_TRAIL | |
1546 | ||
1547 | ##{ FSL_BULK_SIG | |
1548 | ||
     | # Hits when any of the DCC, Razor2 or Pyzor bulk-signature checks hit and the | |
     | # message shows none of the listed unsubscribe, DNSWL or relay sub-rules. | |
     | # NOTE(review): there is no ifplugin guard here; where none of the three | |
     | # checks is available the first group presumably never hits and the rule | |
     | # stays silent - confirm which of them the deployment actually runs. | |
1549 | meta FSL_BULK_SIG (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP_MESSY | |
1550 | describe FSL_BULK_SIG Bulk signature with no Unsubscribe | |
1551 | #score FSL_BULK_SIG 3.000 # limit | |
1552 | tflags FSL_BULK_SIG net publish | |
1553 | ##} FSL_BULK_SIG | |
1554 | ||
1555 | ##{ FSL_CTYPE_WIN1251 | |
1556 | ||
1557 | header FSL_CTYPE_WIN1251 Content-Type =~ /charset="Windows-1251"/ | |
1558 | describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam | |
1559 | ##} FSL_CTYPE_WIN1251 | |
1560 | ||
1561 | ##{ FSL_FAKE_HOTMAIL_RVCD | |
1562 | ||
     | # Matches "mx1".."mx4" + ".hotmail.com" anywhere in the X-Spam-Relays-External | |
     | # pseudo-header. | |
     | # NOTE(review): the pattern is not tied to a particular field (helo=, rdns=, | |
     | # by=), so it hits wherever the host name appears in any external relay entry. | |
     | # The rule has no "describe" line, so reports carry no description for it. | |
1563 | header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/ | |
1564 | ##} FSL_FAKE_HOTMAIL_RVCD | |
1565 | ||
1566 | ##{ FSL_HELO_BARE_IP_1 | |
1567 | ||
1568 | meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED | |
1569 | ##} FSL_HELO_BARE_IP_1 | |
1570 | ||
1571 | ##{ FSL_HELO_DEVICE | |
1572 | ||
1573 | header FSL_HELO_DEVICE X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i | |
1574 | ##} FSL_HELO_DEVICE | |
1575 | ||
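1576 | ##{ FSL_HELO_FAKE | |
1577 | ||
     | # Matches an external relay whose HELO string begins with the bare domain of | |
     | # a large mail provider (helo= immediately followed by the domain). | |
     | # The dot in "yandex.ru" is escaped so that only the literal domain matches, | |
     | # consistent with the escaped "\.com" in the second alternative. | |
1578 | header FSL_HELO_FAKE X-Spam-Relays-External =~ /\bhelo=(?:yandex\.ru|(?:hotmail|gmail|google|yahoo|msn|microsoft)\.com)\b/i | |
1579 | ##} FSL_HELO_FAKE | |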
1580 | ||
1581 | ##{ FSL_HELO_NON_FQDN_1 | |
1582 | ||
     | # "^[^\]]+" keeps the match inside the text before the first "]", i.e. the | |
     | # first relay entry of X-Spam-Relays-External. Within it, the HELO value must | |
     | # consist only of letters, digits, "-" and "_" up to the next space, so any | |
     | # HELO containing a dot (a multi-label name or an address) does not match. | |
     | # NOTE(review): with /i the "A-Z" range is redundant, and "0-9-_" reads like | |
     | # a range; "[a-z0-9_-]" would state the same set unambiguously. | |
1583 | header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i | |
1584 | ##} FSL_HELO_NON_FQDN_1 | |
1585 | ||
1586 | ##{ FSL_HELO_SETUP | |
1587 | ||
1588 | header FSL_HELO_SETUP X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i | |
1589 | ##} FSL_HELO_SETUP | |
1590 | ||
1591 | ##{ FSL_INTERIA_ABUSE | |
1592 | ||
1593 | uri FSL_INTERIA_ABUSE /\/\S+\.(?:w|eu|fm)\.interia\.pl/ | |
1594 | ##} FSL_INTERIA_ABUSE | |
1595 | ||
1596 | ##{ FSL_NEW_HELO_USER | |
1597 | ||
1598 | meta FSL_NEW_HELO_USER (__FSL_HELO_USER_1 || __FSL_HELO_USER_2 || __FSL_HELO_USER_3) | |
1599 | describe FSL_NEW_HELO_USER Spam's using Helo and User | |
1600 | #score FSL_NEW_HELO_USER 2.0 | |
1601 | tflags FSL_NEW_HELO_USER publish | |
1602 | ##} FSL_NEW_HELO_USER | |
1603 | ||
1604 | ##{ FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1605 | ||
1606 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1607 | body FUZZY_AMAZON /(?:^|\W)(?=<A>)(?!amazon)<A><M><A><Z><O><N>(?:$|\W)/i | |
1608 | describe FUZZY_AMAZON Obfuscated "amazon" | |
1609 | tflags FUZZY_AMAZON publish | |
1610 | endif | |
1611 | ##} FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1612 | ||
1613 | ##{ FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1614 | ||
1615 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1616 | body FUZZY_ANDROID /(?=<A>)(?!android)<A><N><D><R><O><I><D>/i | |
1617 | describe FUZZY_ANDROID Obfuscated "android" | |
1618 | tflags FUZZY_ANDROID publish | |
1619 | endif | |
1620 | ##} FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1621 | ||
1622 | ##{ FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1623 | ||
1624 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1625 | body FUZZY_APPLE /(?:^|\W)(?=<A>)(?!appl[ey])<A><P><P><L><E>(?:$|\W)/i | |
1626 | describe FUZZY_APPLE Obfuscated "apple" | |
1627 | tflags FUZZY_APPLE publish | |
1628 | endif | |
1629 | ##} FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1630 | ||
1631 | ##{ FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1632 | ||
1633 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1634 | body FUZZY_BITCOIN /(?=<B>)(?!bit[-\s]?coin)<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i | |
1635 | describe FUZZY_BITCOIN Obfuscated "Bitcoin" | |
1636 | tflags FUZZY_BITCOIN publish | |
1637 | endif | |
1638 | ##} FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1639 | ||
1640 | ##{ FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1641 | ||
1642 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1643 | body FUZZY_BROWSER /(?=<B>)(?!browser)<B><R><O><W><S><E><R>/i | |
1644 | describe FUZZY_BROWSER Obfuscated "browser" | |
1645 | tflags FUZZY_BROWSER publish | |
1646 | endif | |
1647 | ##} FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1648 | ||
1649 | ##{ FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1650 | ||
1651 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1652 | meta FUZZY_BTC_WALLET FUZZY_BITCOIN && FUZZY_WALLET | |
1653 | describe FUZZY_BTC_WALLET Heavily obfuscated "bitcoin wallet" | |
1654 | tflags FUZZY_BTC_WALLET publish | |
1655 | endif | |
1656 | ##} FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1657 | ||
1658 | ##{ FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1659 | ||
1660 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1661 | body FUZZY_CLICK_HERE /(?=<C>)(?!click(?:\s| )here)<C><WS>*<L><WS>*<I><WS>*<C><WS>*<K><WS>+<H><WS>*<E><WS>*<R><WS>*<E>/i | |
1662 | describe FUZZY_CLICK_HERE Obfuscated "click here" | |
1663 | tflags FUZZY_CLICK_HERE publish | |
1664 | endif | |
1665 | ##} FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1666 | ||
1667 | ##{ FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1668 | ||
1669 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1670 | meta FUZZY_DR_OZ __FUZZY_DR_OZ && !__VIA_ML | |
1671 | describe FUZZY_DR_OZ Obfuscated Doctor Oz | |
1672 | tflags FUZZY_DR_OZ publish | |
1673 | endif | |
1674 | ##} FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1675 | ||
1676 | ##{ FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1677 | ||
1678 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1679 | body FUZZY_FACEBOOK /(?=<F>)(?!fa[ck]ebook)<F><A><C><E><B><O><O><K>/i | |
1680 | describe FUZZY_FACEBOOK Obfuscated "facebook" | |
1681 | tflags FUZZY_FACEBOOK publish | |
1682 | endif | |
1683 | ##} FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1684 | ||
1685 | ##{ FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1686 | ||
1687 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1688 | body FUZZY_IMPORTANT /(?=<I>)(?!important)<I>(?:<M>|<N>)<P><O><R><T><A><N><T>/i | |
1689 | describe FUZZY_IMPORTANT Obfuscated "important" | |
1690 | tflags FUZZY_IMPORTANT publish | |
1691 | endif | |
1692 | ##} FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1693 | ||
1694 | ##{ FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1695 | ||
1696 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1697 | body FUZZY_MERIDIA /<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i | |
1698 | describe FUZZY_MERIDIA Obfuscation of the word "meridia" | |
1699 | endif | |
1700 | ##} FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1701 | ||
1702 | ##{ FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1703 | ||
1704 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1705 | body FUZZY_MICROSOFT /(?=<M>)(?!microsoft)<M><I><C><R><O><S><O><F><T>/i | |
1706 | describe FUZZY_MICROSOFT Obfuscated "microsoft" | |
1707 | tflags FUZZY_MICROSOFT publish | |
1708 | endif | |
1709 | ##} FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1710 | ||
1711 | ##{ FUZZY_MONERO | |
1712 | ||
1713 | meta FUZZY_MONERO __FUZZY_MONERO | |
1714 | describe FUZZY_MONERO Obfuscated "Monero" | |
1715 | tflags FUZZY_MONERO publish | |
1716 | ##} FUZZY_MONERO | |
1717 | ||
1718 | ##{ FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1719 | ||
1720 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1721 | body FUZZY_NORTON /(?:^|\W)(?=<N>)(?!norton)<N><O><R><T><O><N>(?:$|\W)/i | |
1722 | describe FUZZY_NORTON Obfuscated "norton" | |
1723 | tflags FUZZY_NORTON publish | |
1724 | endif | |
1725 | ##} FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1726 | ||
1727 | ##{ FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1728 | ||
1729 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1730 | body FUZZY_OVERSTOCK /(?:^|\W)(?=<O>)(?!over[-\s]?stock)<O><V><E><R>[-\s]?<S><T><O><C><K>(?:$|\W)/i | |
1731 | describe FUZZY_OVERSTOCK Obfuscated "overstock" | |
1732 | tflags FUZZY_OVERSTOCK publish | |
1733 | endif | |
1734 | ##} FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1735 | ||
1736 | ##{ FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1737 | ||
1738 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
     | # <P>, <A>, <Y>, <L> are ReplaceTags placeholders for look-alike spellings of | |
     | # each letter. The "(?!pay[-\s]?pal)" lookahead rejects the plain spelling | |
     | # (with an optional hyphen or space), so only obfuscated variants hit; the | |
     | # "(?:^|\W)" and "(?:$|\W)" groups require a non-word boundary on both sides. | |
     | # NOTE(review): the tags are only expanded for rules named in a | |
     | # "replace_rules" line, which is not in this view - confirm it exists, or the | |
     | # placeholders are matched as literal text. | |
1739 | body FUZZY_PAYPAL /(?:^|\W)(?=<P>)(?!pay[-\s]?pal)<P><A><Y>[-\s]?<P><A><L>(?:$|\W)/i | |
1740 | describe FUZZY_PAYPAL Obfuscated "paypal" | |
1741 | tflags FUZZY_PAYPAL publish | |
1742 | endif | |
1743 | ##} FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1744 | ||
1745 | ##{ FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1746 | ||
1747 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1748 | meta FUZZY_PORN __FUZZY_PORN && !( __ENV_AND_HDR_FROM_MATCH && __SENDER_BOT ) | |
1749 | describe FUZZY_PORN Obfuscated "Pornography" or "Pornographic" | |
1750 | tflags FUZZY_PORN publish | |
1751 | endif | |
1752 | ##} FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1753 | ||
1754 | ##{ FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1755 | ||
1756 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1757 | body FUZZY_PRIVACY /(?=<P>)(?!privacy)<P><R><I><V><A><C><Y>/i | |
1758 | describe FUZZY_PRIVACY Obfuscated "privacy" | |
1759 | tflags FUZZY_PRIVACY publish | |
1760 | endif | |
1761 | ##} FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1762 | ||
1763 | ##{ FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1764 | ||
1765 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1766 | body FUZZY_PROMOTION /(?=<P>)(?!promotion)<P><R><O><M><O><T><I><O><N>/i | |
1767 | describe FUZZY_PROMOTION Obfuscated "promotion" | |
1768 | tflags FUZZY_PROMOTION publish | |
1769 | endif | |
1770 | ##} FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1771 | ||
1772 | ##{ FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1773 | ||
1774 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1775 | body FUZZY_SAVINGS /(?=<S>)(?!savings)<S><A><V><I><N><G><S>/i | |
1776 | describe FUZZY_SAVINGS Obfuscated "savings" | |
1777 | tflags FUZZY_SAVINGS publish | |
1778 | endif | |
1779 | ##} FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1780 | ||
1781 | ##{ FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1782 | ||
1783 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1784 | body FUZZY_SECURITY /(?=<S>)(?!security)(?!seguridad)(?!s\xc3\xa9curit\xc3\xa9)<S><E>(?:<C>|<G>)<U><R><I>(?:<T><Y>|<D><A><D>)/i | |
1785 | describe FUZZY_SECURITY Obfuscated "security" | |
1786 | tflags FUZZY_SECURITY publish | |
1787 | endif | |
1788 | ##} FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1789 | ||
1790 | ##{ FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1791 | ||
1792 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1793 | body FUZZY_UNSUBSCRIBE /(?=<U>)(?!unsubscribe)<U><N><S><U><B><S><C><R><I><B><E>/i | |
1794 | describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe" | |
1795 | tflags FUZZY_UNSUBSCRIBE publish | |
1796 | endif | |
1797 | ##} FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1798 | ||
1799 | ##{ FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1800 | ||
1801 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1802 | body FUZZY_WALLET /(?=<W>)(?!wallet)<W><A><L><L><E><T>/i | |
1803 | describe FUZZY_WALLET Obfuscated "Wallet" | |
1804 | tflags FUZZY_WALLET publish | |
1805 | endif | |
1806 | ##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1807 | ||
1808 | ##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1809 | ||
1810 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1811 | meta GAPPY_SALES_LEADS_FREEM __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) | |
1812 | describe GAPPY_SALES_LEADS_FREEM Obfuscated marketing text, freemail or CHN replyto | |
1813 | # score GAPPY_SALES_LEADS_FREEM 3.500 # limit | |
1814 | tflags GAPPY_SALES_LEADS_FREEM publish | |
1815 | endif | |
1816 | ##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1817 | ||
1818 | ##{ GB_FAKE_RF_SHORT | |
1819 | ||
1820 | meta GB_FAKE_RF_SHORT ( ! __THREADED && __GB_FAKE_RF && __PDS_URISHORTENER ) | |
1821 | describe GB_FAKE_RF_SHORT Fake reply or forward with url shortener | |
1822 | #score GB_FAKE_RF_SHORT 2.000 # limit | |
1823 | tflags GB_FAKE_RF_SHORT publish | |
1824 | ##} GB_FAKE_RF_SHORT | |
1825 | ||
1826 | ##{ GB_FORGED_MUA_POSTFIX | |
1827 | ||
1828 | meta GB_FORGED_MUA_POSTFIX ( __FORGED_MUA_POSTFIX0 || __FORGED_MUA_POSTFIX1 ) | |
1829 | describe GB_FORGED_MUA_POSTFIX Forged Postfix mua headers | |
1830 | tflags GB_FORGED_MUA_POSTFIX publish | |
1831 | #score GB_FORGED_MUA_POSTFIX 2.0 # limit | |
1832 | ##} GB_FORGED_MUA_POSTFIX | |
1833 | ||
1834 | ##{ GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1835 | ||
1836 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1837 | meta GB_FREEMAIL_DISPTO ( __FREEMAIL_DISPTO && !__freemail_safe ) | |
1838 | describe GB_FREEMAIL_DISPTO Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails | |
1839 | # score GB_FREEMAIL_DISPTO 0.50 # limit | |
1840 | tflags GB_FREEMAIL_DISPTO publish | |
1841 | endif | |
1842 | ##} GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1843 | ||
1844 | ##{ GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1845 | ||
1846 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1847 | meta GB_FREEMAIL_DISPTO_NOTFREEM ( __FREEMAIL_DISPTO && !__freemail_safe && !FREEMAIL_FROM ) | |
1848 | describe GB_FREEMAIL_DISPTO_NOTFREEM Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail | |
1849 | # score GB_FREEMAIL_DISPTO_NOTFREEM 0.50 # limit | |
1850 | tflags GB_FREEMAIL_DISPTO_NOTFREEM publish | |
1851 | endif | |
1852 | ##} GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1853 | ||
1854 | ##{ GB_GOOGLE_OBFUR | |
1855 | ||
     | # Matches one fixed form of the Google "/url" redirector: https only, host | |
     | # "www.google." plus a single 2-3 letter label, and the query parameters in | |
     | # exactly this order (sa, rct, q, esrc, source, cd, optional cad/uact/ved, | |
     | # then url=http[s]://...). | |
     | # NOTE(review): hosts with a two-label suffix (e.g. a "co.xx" form) and | |
     | # redirect links with a different parameter order are not covered by this | |
     | # pattern. The capture groups are not referenced; "(?:...)" would express | |
     | # the same match without capturing. | |
1856 | uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.([a-z]{2,3})\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=([0-9])*\&(cad=rja\&uact=([0-9]+)\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(&usg=.{1,50})?/ | |
1857 | describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect | |
1858 | #score GB_GOOGLE_OBFUR 0.75 # limit | |
1859 | tflags GB_GOOGLE_OBFUR publish | |
1860 | ##} GB_GOOGLE_OBFUR | |
1861 | ||
1862 | ##{ GEO_QUERY_STRING | |
1863 | ||
1864 | uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i | |
1865 | ##} GEO_QUERY_STRING | |
1866 | ||
1867 | ##{ GOOGLE_DOCS_PHISH | |
1868 | ||
1869 | meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2) | |
1870 | describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form | |
1871 | #score GOOGLE_DOCS_PHISH 3.00 # limit | |
1872 | tflags GOOGLE_DOCS_PHISH publish | |
1873 | ##} GOOGLE_DOCS_PHISH | |
1874 | ||
1875 | ##{ GOOGLE_DOCS_PHISH_MANY | |
1876 | ||
1877 | meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY) | |
1878 | describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form | |
1879 | #score GOOGLE_DOCS_PHISH_MANY 4.00 # limit | |
1880 | tflags GOOGLE_DOCS_PHISH_MANY publish | |
1881 | ##} GOOGLE_DOCS_PHISH_MANY | |
1882 | ||
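1883 | ##{ GOOGLE_DOC_SUSP | |
1884 | ||
     | # Hits on the __GOOGLE_DOC_SUSP sub-rule unless the stronger | |
     | # GOOGLE_DOCS_PHISH_MANY rule already hit or one of the listed exemption | |
     | # sub-rules (sender/list/remailer/relay-rDNS/survey/image indicators) applies. | |
     | # The expression previously listed "!__RCD_RDNS_SMTP" twice; the duplicate | |
     | # term is dropped, which leaves the result unchanged. | |
     | # NOTE(review): if the second occurrence was meant to be a different | |
     | # sub-rule, that exemption is still missing - confirm with the rule author. | |
1885 | meta GOOGLE_DOC_SUSP __GOOGLE_DOC_SUSP && !GOOGLE_DOCS_PHISH_MANY && !__HAS_SENDER && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__USING_VERP1 && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && ! __HAS_LIST_ID && !__SURVEY && !__BUGGED_IMG | |
1886 | describe GOOGLE_DOC_SUSP Suspicious use of Google Docs | |
1887 | #score GOOGLE_DOC_SUSP 3.000 # limit | |
1888 | tflags GOOGLE_DOC_SUSP publish | |
1889 | ##} GOOGLE_DOC_SUSP | |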
1890 | ||
1891 | ##{ GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1892 | ||
1893 | if (version >= 3.004002) | |
1894 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1895 | meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD | |
1896 | tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish | |
1897 | describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD | |
1898 | #score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit | |
1899 | endif | |
1900 | endif | |
1901 | ##} GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1902 | ||
1903 | ##{ GOOG_MALWARE_DNLD | |
1904 | ||
1905 | meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD | |
1906 | describe GOOG_MALWARE_DNLD File download via Google - Malware? | |
1907 | #score GOOG_MALWARE_DNLD 5.000 # limit | |
1908 | tflags GOOG_MALWARE_DNLD publish | |
1909 | ##} GOOG_MALWARE_DNLD | |
1910 | ||
1911 | ##{ GOOG_REDIR_DOCUSIGN | |
1912 | ||
     | # Matches a URI on www.google.com/url whose "q=" parameter points at | |
     | # http[s]://www.docusign.com/ ("m;...;" uses ";" as the regex delimiter so | |
     | # the slashes need no escaping). | |
     | # NOTE(review): only the literal hosts www.google.com and www.docusign.com | |
     | # are covered, and only the "q=" parameter; GB_GOOGLE_OBFUR in this file | |
     | # accepts other google.<tld> hosts and the "url=" parameter, so the two | |
     | # rules do not cover the same set of redirect links. | |
1913 | uri GOOG_REDIR_DOCUSIGN m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i | |
1914 | describe GOOG_REDIR_DOCUSIGN Indirect docusign link, probable phishing | |
1915 | tflags GOOG_REDIR_DOCUSIGN publish | |
1916 | ##} GOOG_REDIR_DOCUSIGN | |
1917 | ||
1918 | ##{ GOOG_REDIR_NORDNS | |
1919 | ||
1920 | meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE | |
1921 | describe GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website + no rDNS | |
1922 | ##} GOOG_REDIR_NORDNS | |
1923 | ||
1924 | ##{ GOOG_REDIR_SHORT | |
1925 | ||
1926 | meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512 | |
1927 | describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message | |
1928 | tflags GOOG_REDIR_SHORT publish | |
1929 | ##} GOOG_REDIR_SHORT | |
1930 | ||
1931 | ##{ GOOG_STO_EMAIL_PHISH | |
1932 | ||
1933 | meta GOOG_STO_EMAIL_PHISH __URI_GOOG_STO_EMAIL && (__PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ || __FROM_ADMIN || __VERIFY_ACCOUNT) | |
1934 | describe GOOG_STO_EMAIL_PHISH Possible phishing with google hosted content URI having email address | |
1935 | #score GOOG_STO_EMAIL_PHISH 3.00 # limit | |
1936 | tflags GOOG_STO_EMAIL_PHISH publish | |
1937 | ##} GOOG_STO_EMAIL_PHISH | |
1938 | ||
1939 | ##{ GOOG_STO_HTML_PHISH | |
1940 | ||
1941 | meta GOOG_STO_HTML_PHISH __GOOG_STO_HTML_PHISH | |
1942 | describe GOOG_STO_HTML_PHISH Possible phishing with google content hosting to avoid URIBL | |
1943 | #score GOOG_STO_HTML_PHISH 3.00 # limit | |
1944 | tflags GOOG_STO_HTML_PHISH publish | |
1945 | ##} GOOG_STO_HTML_PHISH | |
1946 | ||
1947 | ##{ GOOG_STO_HTML_PHISH_MANY | |
1948 | ||
1949 | meta GOOG_STO_HTML_PHISH_MANY __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY) | |
1950 | describe GOOG_STO_HTML_PHISH_MANY Phishing with google content hosting to avoid URIBL | |
1951 | #score GOOG_STO_HTML_PHISH_MANY 4.00 # limit | |
1952 | tflags GOOG_STO_HTML_PHISH_MANY publish | |
1953 | ##} GOOG_STO_HTML_PHISH_MANY | |
1954 | ||
1955 | ##{ GOOG_STO_IMG_HTML | |
1956 | ||
1957 | meta GOOG_STO_IMG_HTML __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY | |
1958 | describe GOOG_STO_IMG_HTML Apparently using google content hosting to avoid URIBL | |
1959 | #score GOOG_STO_IMG_HTML 3.000 # limit | |
1960 | tflags GOOG_STO_IMG_HTML publish | |
1961 | ##} GOOG_STO_IMG_HTML | |
1962 | ||
1963 | ##{ GOOG_STO_IMG_NOHTML | |
1964 | ||
1965 | meta GOOG_STO_IMG_NOHTML __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !URI_GOOG_STO_SPAMMY | |
1966 | describe GOOG_STO_IMG_NOHTML Apparently using google content hosting to avoid URIBL | |
1967 | #score GOOG_STO_IMG_NOHTML 2.500 # limit | |
1968 | tflags GOOG_STO_IMG_NOHTML publish | |
1969 | ##} GOOG_STO_IMG_NOHTML | |
1970 | ||
1971 | ##{ GOOG_STO_NOIMG_HTML | |
1972 | ||
1973 | meta GOOG_STO_NOIMG_HTML __GOOG_STO_NOIMG_HTML && !URI_GOOG_STO_SPAMMY | |
1974 | describe GOOG_STO_NOIMG_HTML Apparently using google content hosting to avoid URIBL | |
1975 | #score GOOG_STO_NOIMG_HTML 3.000 # limit | |
1976 | tflags GOOG_STO_NOIMG_HTML publish | |
1977 | ##} GOOG_STO_NOIMG_HTML | |
1978 | ||
1979 | ##{ HAS_X_NO_RELAY | |
1980 | ||
1981 | meta HAS_X_NO_RELAY __HAS_X_NO_RELAY && !__TO_EQ_FROM_1 | |
1982 | describe HAS_X_NO_RELAY Has spammy header | |
1983 | #score HAS_X_NO_RELAY 2.500 # limit | |
1984 | tflags HAS_X_NO_RELAY publish | |
1985 | ##} HAS_X_NO_RELAY | |
1986 | ||
1987 | ##{ HAS_X_OUTGOING_SPAM_STAT | |
1988 | ||
1989 | meta HAS_X_OUTGOING_SPAM_STAT __HAS_X_OUTGOING_SPAM_STAT && !MAILING_LIST_MULTI && !__HAS_X_MAILMAN_VERSION && !__AUTOREPLY_ASU && !__THREAD_INDEX_GOOD && !__HAS_X_LOOP && !__DOC_ATTACH && !__PDF_ATTACH && !__FROM_EQ_ORG_1 && !__HAS_IN_REPLY_TO | |
1990 | describe HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - why trust the results? | |
1991 | #score HAS_X_OUTGOING_SPAM_STAT 2.000 # limit | |
1992 | tflags HAS_X_OUTGOING_SPAM_STAT publish | |
1993 | ##} HAS_X_OUTGOING_SPAM_STAT | |
1994 | ||
1995 | ##{ HDRS_LCASE | |
1996 | ||
     | # This section carries only the description. The meta expression itself is | |
     | # defined twice in the sections that follow, one for when the FreeMail | |
     | # plugin is loaded and one for when it is not; the two expressions are | |
     | # identical except for the extra "!__freemail_safe" term in the FreeMail | |
     | # variant, so any change to the exemption list must be made in both. | |
1997 | describe HDRS_LCASE Odd capitalization of message header | |
1998 | #score HDRS_LCASE 0.10 # limit | |
1999 | ##} HDRS_LCASE | |
2000 | ||
2001 | ##{ HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
2002 | ||
2003 | if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
2004 | meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO | |
2005 | endif | |
2006 | ##} HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
2007 | ||
2008 | ##{ HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2009 | ||
2010 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2011 | meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO | |
2012 | endif | |
2013 | ##} HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2014 | ||
2015 | ##{ HDRS_LCASE_IMGONLY | |
2016 | ||
2017 | meta HDRS_LCASE_IMGONLY __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN | |
2018 | describe HDRS_LCASE_IMGONLY Odd capitalization of message headers + image-only HTML | |
2019 | #score HDRS_LCASE_IMGONLY 0.10 # limit | |
2020 | ##} HDRS_LCASE_IMGONLY | |
2021 | ||
2022 | ##{ HDRS_MISSP | |
2023 | ||
2024 | meta HDRS_MISSP __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY) | |
2025 | describe HDRS_MISSP Misspaced headers | |
2026 | #score HDRS_MISSP 2.500 # limit | |
2027 | tflags HDRS_MISSP publish | |
2028 | ##} HDRS_MISSP | |
2029 | ||
2030 | ##{ HDR_ORDER_FTSDMCXX_001C | |
2031 | # All four HDR_ORDER_FTSDMCXX_* rules pair the header-order sub-rule __HDR_ORDER_FTSDMCXXXX with one further signal; here it is __MID_START_001C. | |
2032 | meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C) | |
2033 | describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant) | |
2034 | ##} HDR_ORDER_FTSDMCXX_001C | |
2035 | ||
2036 | ##{ HDR_ORDER_FTSDMCXX_BAT | |
2037 | # Header-order sub-rule plus __BAT_BOUNDARY. | |
2038 | meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY) | |
2039 | describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant) | |
2040 | ##} HDR_ORDER_FTSDMCXX_BAT | |
2041 | ||
2042 | ##{ HDR_ORDER_FTSDMCXX_DIRECT | |
2043 | # Header-order sub-rule plus __DOS_SINGLE_EXT_RELAY, unless ALL_TRUSTED or __VIA_ML hits. NOTE(review): the description says "boundary variant", but this expression does not reference __BAT_BOUNDARY - the wording looks carried over from HDR_ORDER_FTSDMCXX_BAT. | |
2044 | meta HDR_ORDER_FTSDMCXX_DIRECT (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML | |
2045 | describe HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX | |
2046 | #score HDR_ORDER_FTSDMCXX_DIRECT 2.000 # limit | |
2047 | tflags HDR_ORDER_FTSDMCXX_DIRECT publish | |
2048 | ##} HDR_ORDER_FTSDMCXX_DIRECT | |
2049 | ||
2050 | ##{ HDR_ORDER_FTSDMCXX_NORDNS | |
2051 | # Header-order sub-rule plus __RDNS_NONE, unless ALL_TRUSTED hits. NOTE(review): as with HDR_ORDER_FTSDMCXX_DIRECT, the description mentions a "boundary variant" although __BAT_BOUNDARY is not part of the expression. | |
2052 | meta HDR_ORDER_FTSDMCXX_NORDNS (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED | |
2053 | describe HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS | |
2054 | #score HDR_ORDER_FTSDMCXX_NORDNS 3.500 # limit | |
2055 | tflags HDR_ORDER_FTSDMCXX_NORDNS publish | |
2056 | ##} HDR_ORDER_FTSDMCXX_NORDNS | |
2057 | ||
2058 | ##{ HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
2059 | # Fires when the message carries between 2 and 999 Subject headers. RFC 5322 allows at most one; with several, a filter and a mail client may not pick the same one to evaluate or display. | |
2060 | ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
2061 | header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999') | |
2062 | describe HEADER_COUNT_SUBJECT Multiple Subject headers found | |
2063 | endif | |
2064 | ##} HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
2065 | ||
2066 | ##{ HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) | |
2067 | # Defined only when the FreeMail and HeaderEval plugins are both loaded and the SpamAssassin version is at least 3.004000. Per the description it flags a From header domain that differs from the envelope sender domain at the second level; mailing lists and hosted senders produce the same mismatch legitimately, which is presumably why the score line is left commented out at 0.25. | |
2068 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2069 | ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
2070 | if (version >= 3.004000) | |
2071 | header HEADER_FROM_DIFFERENT_DOMAINS eval:check_equal_from_domains() | |
2072 | describe HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different | |
2073 | # score HEADER_FROM_DIFFERENT_DOMAINS 0.25 | |
2074 | tflags HEADER_FROM_DIFFERENT_DOMAINS publish | |
2075 | endif | |
2076 | endif | |
2077 | endif | |
2078 | ##} HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) | |
2079 | ||
2080 | ##{ HELO_FRIEND | |
2081 | # The ^ anchor plus [^\]]+ (which cannot cross a closing bracket) confine the match to the first relay entry of X-Spam-Relays-External; the rule fires when that entry records the HELO name "friend". The HELO string is chosen by the connecting client and is not authenticated, so this is a heuristic signal, not an identity check. | |
2082 | header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i | |
2083 | ##} HELO_FRIEND | |
2084 | ||
2085 | ##{ HELO_LH_LD | |
2086 | # Same first-entry match for the HELO name localhost.localdomain (the dot is escaped, so it is matched literally). | |
2087 | header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i | |
2088 | ##} HELO_LH_LD | |
2089 | ||
2090 | ##{ HELO_LOCALHOST | |
2091 | # Same first-entry match for a HELO of exactly "localhost": the space required after the name keeps localhost.localdomain from matching here. | |
2092 | header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i | |
2093 | ##} HELO_LOCALHOST | |
2094 | ||
2095 | ##{ HELO_NO_DOMAIN | |
2096 | # Fires on __HELO_NO_DOMAIN except when HELO_LOCALHOST has hit, presumably so that a bare "localhost" HELO is reported by one rule only. | |
2097 | meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST | |
2098 | describe HELO_NO_DOMAIN Relay reports its domain incorrectly | |
2099 | tflags HELO_NO_DOMAIN publish | |
2100 | ##} HELO_NO_DOMAIN | |
2101 | ||
2102 | ##{ HELO_OEM | |
2103 | # Same first-entry match for a HELO of "pc" or of any name beginning with "oem" (oem\S* runs up to the next space). | |
2104 | header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i | |
2105 | ##} HELO_OEM | |
2106 | ||
2107 | ##{ HEXHASH_WORD | |
2108 | ||
2109 | meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER | |
2110 | describe HEXHASH_WORD Multiple instances of word + hexadecimal hash | |
2111 | #score HEXHASH_WORD 3.000 # limit | |
2112 | tflags HEXHASH_WORD publish | |
2113 | ##} HEXHASH_WORD | |
2114 | ||
2115 | ##{ HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2116 | # Matches a MIME part whose Content-Transfer-Encoding value is exactly "raw" (lower case only - the pattern has no /i). "raw" is not among the encodings RFC 2045 defines (7bit, 8bit, binary, quoted-printable, base64). | |
2117 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2118 | mimeheader HK_CTE_RAW Content-Transfer-Encoding =~ /^raw$/ | |
2119 | #score HK_CTE_RAW 2 | |
2120 | tflags HK_CTE_RAW publish | |
2121 | endif | |
2122 | ##} HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2123 | ||
2124 | ##{ HK_LOTTO | |
2125 | ||
2126 | meta HK_LOTTO __HK_LOTTO_2 || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT | |
2127 | #score HK_LOTTO 1 | |
2128 | ##} HK_LOTTO | |
2129 | ||
2130 | ##{ HK_NAME_DRUGS | |
2131 | # Looks for "viagra" anywhere in the From display name, and for "cialis" only when a word boundary sits on at least one side of it, which keeps words that merely contain those letters (such as "specialist") from matching. The capture group is not referenced afterwards. | |
2132 | header HK_NAME_DRUGS From:name =~ /(viagra|\bcialis|cialis\b)/mi | |
2133 | describe HK_NAME_DRUGS From name contains drugs | |
2134 | #score HK_NAME_DRUGS 2 | |
2135 | ##} HK_NAME_DRUGS | |
2136 | ||
2137 | ##{ HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
2138 | # Freemail half of a complementary pair: __HK_NAME_MR_MRS together with FREEMAIL_FROM (commented score 1.5). | |
2139 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2140 | if (version >= 3.004000) | |
2141 | meta HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM | |
2142 | # score HK_NAME_FM_MR_MRS 1.5 | |
2143 | endif | |
2144 | endif | |
2145 | ##} HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
2146 | ||
2147 | ##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
2148 | # Non-freemail half: the same sub-rule with FREEMAIL_FROM negated (commented score 1.0), so exactly one of the two rules fires for a message that hits __HK_NAME_MR_MRS. | |
2149 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2150 | if (version >= 3.004000) | |
2151 | meta HK_NAME_MR_MRS __HK_NAME_MR_MRS && !FREEMAIL_FROM | |
2152 | # score HK_NAME_MR_MRS 1.0 | |
2153 | endif | |
2154 | endif | |
2155 | ##} HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
2156 | ||
2157 | ##{ HK_RANDOM_ENVFROM | |
2158 | # Pattern shared by the three HK_RANDOM_* rules, applied here to the envelope sender. The leading negative lookahead exempts addresses that begin with mail or bounce plus a separator, whose local part contains one of + = ^ ~ # - or one of the listed letter groups, whose local part has 26 or more characters, or whose domain ends in one of the listed names plus a two- or three-letter suffix. What remains must contain, before the @, five consecutive letters from the consonant class (h, s and y are not in it), five consecutive vowels (y included), or a one- or two-letter unit written four times in a row. | |
2159 | header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi | |
2160 | describe HK_RANDOM_ENVFROM Envelope sender username looks random | |
2161 | #score HK_RANDOM_ENVFROM 1 | |
2162 | tflags HK_RANDOM_ENVFROM publish | |
2163 | ##} HK_RANDOM_ENVFROM | |
2164 | ||
2165 | ##{ HK_RANDOM_FROM | |
2166 | # Same pattern as HK_RANDOM_ENVFROM, applied to the From address. The expression is duplicated verbatim in all three rules, so a change to one has to be repeated in the other two. | |
2167 | header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi | |
2168 | describe HK_RANDOM_FROM From username looks random | |
2169 | #score HK_RANDOM_FROM 1 | |
2170 | tflags HK_RANDOM_FROM publish | |
2171 | ##} HK_RANDOM_FROM | |
2172 | ||
2173 | ##{ HK_RANDOM_REPLYTO | |
2174 | # Same pattern again, applied to the Reply-To address. | |
2175 | header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi | |
2176 | describe HK_RANDOM_REPLYTO Reply-To username looks random | |
2177 | #score HK_RANDOM_REPLYTO 1 | |
2178 | tflags HK_RANDOM_REPLYTO publish | |
2179 | ##} HK_RANDOM_REPLYTO | |
2180 | ||
2181 | ##{ HK_RCVD_IP_MULTICAST | |
2182 | # Fires when a relay entry in X-Spam-Relays-External has an IPv4 address whose first octet is 224-239, i.e. 224.0.0.0/4, the multicast block. Such an address cannot be the source of an SMTP (TCP) connection, so the relay information was presumably forged or garbled. The pattern is not anchored to the start of the header, so any listed relay entry can match. | |
2183 | header HK_RCVD_IP_MULTICAST X-Spam-Relays-External =~ / ip=(?:22[4-9]|23[0-9])\./ | |
2184 | #score HK_RCVD_IP_MULTICAST 2 | |
2185 | tflags HK_RCVD_IP_MULTICAST publish | |
2186 | ##} HK_RCVD_IP_MULTICAST | |
2187 | ||
2188 | ##{ HK_SCAM | |
2189 | ||
2190 | meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || __HK_SCAM_N16 || __HK_SCAM_S1 || __HK_SCAM_S15 || __HK_SCAM_S25 | |
2191 | #score HK_SCAM 2 | |
2192 | tflags HK_SCAM publish | |
2193 | ##} HK_SCAM | |
2194 | ||
2195 | ##{ HK_WIN | |
2196 | # Adds up the hits of the 18 listed __hk_win_* sub-rules and fires when at least two of them hit; no single sub-rule is enough on its own. | |
2197 | meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2) | |
2198 | #score HK_WIN 1 | |
2199 | ##} HK_WIN | |
2200 | ||
2201 | ##{ HOSTED_IMG_DIRECT_MX | |
2202 | ||
2203 | meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS | |
2204 | #score HOSTED_IMG_DIRECT_MX 3.500 # limit | |
2205 | describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm, CDN or hosting site, message direct-to-mx | |
2206 | tflags HOSTED_IMG_DIRECT_MX publish | |
2207 | ##} HOSTED_IMG_DIRECT_MX | |
2208 | ||
2209 | ##{ HOSTED_IMG_DQ_UNSUB | |
2210 | ||
2211 | meta HOSTED_IMG_DQ_UNSUB __HOSTED_IMG_DQ_UNSUB | |
2212 | #score HOSTED_IMG_DQ_UNSUB 3.500 # limit | |
2213 | describe HOSTED_IMG_DQ_UNSUB Image hosted at large ecomm site, IP addr unsub link | |
2214 | tflags HOSTED_IMG_DQ_UNSUB publish | |
2215 | ##} HOSTED_IMG_DQ_UNSUB | |
2216 | ||
2217 | ##{ HOSTED_IMG_FREEM | |
2218 | ||
2219 | meta HOSTED_IMG_FREEM __HOSTED_IMG_FREEM && !__THREADED | |
2220 | #score HOSTED_IMG_FREEM 3.500 # limit | |
2221 | describe HOSTED_IMG_FREEM Image hosted at large ecomm, CDN or hosting site or redirected, freemail from or reply-to | |
2222 | tflags HOSTED_IMG_FREEM publish | |
2223 | ##} HOSTED_IMG_FREEM | |
2224 | ||
2225 | ##{ HOSTED_IMG_MULTI | |
2226 | ||
2227 | meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS | |
2228 | #score HOSTED_IMG_MULTI 3.000 # limit | |
2229 | describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirected | |
2230 | tflags HOSTED_IMG_MULTI publish | |
2231 | ##} HOSTED_IMG_MULTI | |
2232 | ||
2233 | ##{ HOSTED_IMG_MULTI_PUB_01 | |
2234 | ||
2235 | meta HOSTED_IMG_MULTI_PUB_01 (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF | |
2236 | describe HOSTED_IMG_MULTI_PUB_01 Multiple hosted images at public site | |
2237 | #score HOSTED_IMG_MULTI_PUB_01 3.000 # limit | |
2238 | tflags HOSTED_IMG_MULTI_PUB_01 publish | |
2239 | ##} HOSTED_IMG_MULTI_PUB_01 | |
2240 | ||
2241 | ##{ HTML_ENTITY_ASCII | |
2242 | ||
2243 | meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP | |
2244 | describe HTML_ENTITY_ASCII Obfuscated ASCII | |
2245 | #score HTML_ENTITY_ASCII 3.000 # limit | |
2246 | tflags HTML_ENTITY_ASCII publish | |
2247 | ##} HTML_ENTITY_ASCII | |
2248 | ||
2249 | ##{ HTML_ENTITY_ASCII_TINY | |
2250 | ||
2251 | meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_MINFP && __HTML_FONT_TINY_01 | |
2252 | describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts | |
2253 | #score HTML_ENTITY_ASCII_TINY 3.000 # limit | |
2254 | tflags HTML_ENTITY_ASCII_TINY publish | |
2255 | ##} HTML_ENTITY_ASCII_TINY | |
2256 | ||
2257 | ##{ HTML_FONT_TINY_NORDNS | |
2258 | ||
2259 | meta HTML_FONT_TINY_NORDNS __HTML_FONT_TINY_01 && __RDNS_NONE | |
2260 | describe HTML_FONT_TINY_NORDNS Font too small to read, no rDNS | |
2261 | #score HTML_FONT_TINY_NORDNS 1.500 # limit | |
2262 | ##} HTML_FONT_TINY_NORDNS | |
2263 | ||
2264 | ##{ HTML_OFF_PAGE | |
2265 | ||
2266 | meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS | |
2267 | describe HTML_OFF_PAGE HTML element rendered well off the displayed page | |
2268 | #score HTML_OFF_PAGE 3.000 # limit | |
2269 | tflags HTML_OFF_PAGE publish | |
2270 | ##} HTML_OFF_PAGE | |
2271 | ||
2272 | ##{ HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2273 | ||
2274 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2275 | meta HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU_MANY | |
2276 | describe HTML_SHRT_CMNT_OBFU_MANY Obfuscation with many short HTML comments | |
2277 | # score HTML_SHRT_CMNT_OBFU_MANY 2.500 # limit | |
2278 | tflags HTML_SHRT_CMNT_OBFU_MANY publish | |
2279 | endif | |
2280 | ##} HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2281 | ||
2282 | ##{ HTML_SINGLET_MANY | |
2283 | ||
2284 | meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP | |
2285 | describe HTML_SINGLET_MANY Many single-letter HTML format blocks | |
2286 | #score HTML_SINGLET_MANY 2.500 # limit | |
2287 | tflags HTML_SINGLET_MANY publish | |
2288 | ##} HTML_SINGLET_MANY | |
2289 | ||
2290 | ##{ HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
2291 | ||
2292 | ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
2293 | meta HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY | |
2294 | describe HTML_TAG_BALANCE_CENTER Malformatted HTML | |
2295 | endif | |
2296 | ##} HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
2297 | ||
2298 | ##{ HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2299 | ||
2300 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2301 | meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID | |
2302 | describe HTML_TEXT_INVISIBLE_FONT HTML hidden text - word obfuscation? | |
2303 | # score HTML_TEXT_INVISIBLE_FONT 2.000 # limit | |
2304 | tflags HTML_TEXT_INVISIBLE_FONT publish | |
2305 | endif | |
2306 | ##} HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2307 | ||
2308 | ##{ HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2309 | ||
2310 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2311 | meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX | |
2312 | describe HTML_TEXT_INVISIBLE_STYLE HTML hidden text + other spam signs | |
2313 | # score HTML_TEXT_INVISIBLE_STYLE 3.500 # limit | |
2314 | tflags HTML_TEXT_INVISIBLE_STYLE publish | |
2315 | endif | |
2316 | ##} HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2317 | ||
2318 | ##{ HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch | |
2319 | # Delegates to the check_https_http_mismatch eval, available only when the HTTPSMismatch plugin is loaded. No description is set in this fragment; going by the name it looks for links presented as https that actually point to http, a disguise often seen in phishing mail. NOTE(review): the arguments '1' and '10' look like a lower and an upper bound on the number of such links - confirm against the plugin documentation. | |
2320 | ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch | |
2321 | body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10') | |
2322 | endif | |
2323 | ##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch | |
2324 | ||
2325 | ##{ IMG_ONLY_FM_DOM_INFO | |
2326 | ||
2327 | meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO | |
2328 | describe IMG_ONLY_FM_DOM_INFO HTML image-only message from .info domain | |
2329 | #score IMG_ONLY_FM_DOM_INFO 2.500 # limit | |
2330 | tflags IMG_ONLY_FM_DOM_INFO publish | |
2331 | ##} IMG_ONLY_FM_DOM_INFO | |
2332 | ||
2333 | ##{ JH_SPAMMY_HEADERS | |
2334 | ||
2335 | meta JH_SPAMMY_HEADERS __HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGID || __HAS_X_LETTER || __HAS_X_EBSERVER || __HAS_LIST_OPEN | |
2336 | describe JH_SPAMMY_HEADERS Has unusual message header(s) seen primarily in spam | |
2337 | #score JH_SPAMMY_HEADERS 3.500 # limit | |
2338 | tflags JH_SPAMMY_HEADERS publish | |
2339 | ##} JH_SPAMMY_HEADERS | |
2340 | ||
2341 | ##{ JH_SPAMMY_PATTERN01 | |
2342 | # Matches two img tags at most 200 characters apart that share a base URL and a .jpg file name and differ only in a prefix letter: the first file name is prefixed with C, the second with U (\1 and \2 repeat the captured URL and name). Every quantifier is bounded, which limits how much of the raw body one match attempt can scan. | |
2343 | rawbody JH_SPAMMY_PATTERN01 m;<img src=['"](https?://[^'"]{1,80}/)C([^/.]{1,30}\.jpg)['"]>.{0,200}<img src="\1U\2";ism | |
2344 | describe JH_SPAMMY_PATTERN01 Unusual pattern seen in spam campaign | |
2345 | #score JH_SPAMMY_PATTERN01 3.000 # limit | |
2346 | tflags JH_SPAMMY_PATTERN01 publish | |
2347 | ##} JH_SPAMMY_PATTERN01 | |
2348 | ||
2349 | ##{ JH_SPAMMY_PATTERN02 | |
2350 | # Matches an img whose src is a .php URL with query t=o plus further parameters, followed within 200 characters by a link to the same URL with t=c and, within another 200, by one with t=u; the backreferences require the URL and the remaining parameters to be identical in all three. NOTE(review): t=o, t=c and t=u presumably stand for open, click and unsubscribe tracking - nothing in this file confirms that. | |
2351 | rawbody JH_SPAMMY_PATTERN02 m;<img [^>]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200}<a href="\1t=c\2".{0,200}<a href="\1t=u\2";ism | |
2352 | describe JH_SPAMMY_PATTERN02 Unusual pattern seen in spam campaign | |
2353 | #score JH_SPAMMY_PATTERN02 3.000 # limit | |
2354 | tflags JH_SPAMMY_PATTERN02 publish | |
2355 | ##} JH_SPAMMY_PATTERN02 | |
2356 | ||
2357 | ##{ JM_I_FEEL_LUCKY | |
2358 | # Matches any URI carrying the query parameter btnI=ec, delimited by ? or & in front and by & or the end of the URI behind. btnI is the parameter of Google's "I'm Feeling Lucky" search, which forwards the visitor straight to the first result, so the visible link need not name the real destination. The pattern itself does not check the host name. | |
2359 | uri JM_I_FEEL_LUCKY /(?:\&|\?)btnI=ec(?:$|\&)/ | |
2360 | tflags JM_I_FEEL_LUCKY publish # low hitrate, but always a good sign | |
2361 | ##} JM_I_FEEL_LUCKY | |
2362 | ||
2363 | ##{ JM_RCVD_QMAILV1 | |
2364 | ||
2365 | header JM_RCVD_QMAILV1 Received =~ /by \S+ \(Qmailv1\) with ESMTP/ | |
2366 | ##} JM_RCVD_QMAILV1 | |
2367 | ||
2368 | ##{ JM_TORA_XM | |
2369 | ||
2370 | meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO) | |
2371 | ##} JM_TORA_XM | |
2372 | ||
2373 | ##{ KB_DATE_CONTAINS_TAB | |
2374 | ||
2375 | meta KB_DATE_CONTAINS_TAB __KB_DATE_CONTAINS_TAB && !__ML_TURNS_SP_TO_TAB | |
2376 | #score KB_DATE_CONTAINS_TAB 0.5 | |
2377 | ##} KB_DATE_CONTAINS_TAB | |
2378 | ||
2379 | ##{ KB_FAKED_THE_BAT | |
2380 | ||
2381 | meta KB_FAKED_THE_BAT (__THEBAT_MUA && KB_DATE_CONTAINS_TAB) | |
2382 | ##} KB_FAKED_THE_BAT | |
2383 | ||
2384 | ##{ KB_RATWARE_BOUNDARY | |
2385 | ||
2386 | meta KB_RATWARE_BOUNDARY __RATWARE_BOUND_A || __RATWARE_BOUND_B | |
2387 | ##} KB_RATWARE_BOUNDARY | |
2388 | ||
2389 | ##{ KB_RATWARE_MSGID | |
2390 | ||
2391 | meta KB_RATWARE_MSGID (__KB_MSGID_OUTLOOK_888 && __ANY_OUTLOOK_MUA) | |
2392 | ##} KB_RATWARE_MSGID | |
2393 | ||
2394 | ##{ KB_RATWARE_OUTLOOK_08 | |
2395 | # Runs against the whole header block (ALL). Captures 8 hex digits from the Message-Id and requires the same digits to reappear, 100-400 characters later, inside a ----=_NextPart_000_ MIME boundary; the rule name attributes this coupling to bulk-mailing software imitating Outlook. The trailing comment holds only a quote mark, presumably to balance the quote in the pattern for editors. | |
2396 | header KB_RATWARE_OUTLOOK_08 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi # " | |
2397 | ##} KB_RATWARE_OUTLOOK_08 | |
2398 | ||
2399 | ##{ KB_RATWARE_OUTLOOK_12 | |
2400 | # Variant tying 12 hex digits together: the first 8-digit group and the first 4 digits of the second group must both reappear in the boundary. | |
2401 | header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # " | |
2402 | ##} KB_RATWARE_OUTLOOK_12 | |
2403 | ||
2404 | ##{ KB_RATWARE_OUTLOOK_16 | |
2405 | # Variant requiring both complete 8-digit groups (16 hex digits) to reappear in the boundary. | |
2406 | header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # " | |
2407 | ##} KB_RATWARE_OUTLOOK_16 | |
2408 | ||
2409 | ##{ KB_RATWARE_OUTLOOK_MID | |
2410 | # Like the 16-digit variant, but the Message-Id must carry a third 8-digit group before the @, and the boundary must close (quote mark) directly after the second repeated group. | |
2411 | header KB_RATWARE_OUTLOOK_MID ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi | |
2412 | ##} KB_RATWARE_OUTLOOK_MID | |
2413 | ||
2414 | ##{ KHOP_FAKE_EBAY | |
2415 | ||
2416 | meta KHOP_FAKE_EBAY __EBAY_ADDRESS && !__NOT_SPOOFED | |
2417 | describe KHOP_FAKE_EBAY Sender falsely claims to be from eBay | |
2418 | ##} KHOP_FAKE_EBAY | |
2419 | ||
2420 | ##{ KHOP_HELO_FCRDNS | |
2421 | # Fires on __HELO_NOT_RDNS unless one of the five listed exemptions hits. Despite FCRDNS in the name, the description speaks only of the HELO name differing from the relay's reverse DNS; whether forward confirmation is involved depends on the sub-rule, which is not shown here. | |
2422 | meta KHOP_HELO_FCRDNS __HELO_NOT_RDNS && !(__VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || __NOT_SPOOFED || __RDNS_SHORT) | |
2423 | describe KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS | |
2424 | #score KHOP_HELO_FCRDNS 0.4 # 20090603 | |
2425 | ##} KHOP_HELO_FCRDNS | |
2426 | ||
2427 | ##{ LINKEDIN_IMG_NOT_RCVD_LNKN | |
2428 | ||
2429 | meta LINKEDIN_IMG_NOT_RCVD_LNKN __LINKED_IMG_NOT_RCVD_LINK && !__LUNSUB_BEFORE_SUBJDT | |
2430 | #score LINKEDIN_IMG_NOT_RCVD_LNKN 2.500 # limit | |
2431 | describe LINKEDIN_IMG_NOT_RCVD_LNKN Linkedin hosted image but message not from Linkedin | |
2432 | tflags LINKEDIN_IMG_NOT_RCVD_LNKN publish | |
2433 | ##} LINKEDIN_IMG_NOT_RCVD_LNKN | |
2434 | ||
2435 | ##{ LIST_PRTL_PUMPDUMP | |
2436 | ||
2437 | meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS | |
2438 | describe LIST_PRTL_PUMPDUMP Incomplete List-* headers and stock pump-and-dump | |
2439 | #score LIST_PRTL_PUMPDUMP 2.000 # limit | |
2440 | tflags LIST_PRTL_PUMPDUMP publish | |
2441 | ##} LIST_PRTL_PUMPDUMP | |
2442 | ||
2443 | ##{ LIST_PRTL_SAME_USER | |
2444 | ||
2445 | meta LIST_PRTL_SAME_USER __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO | |
2446 | describe LIST_PRTL_SAME_USER Incomplete List-* headers and from+to user the same | |
2447 | #score LIST_PRTL_SAME_USER 3.000 # limit | |
2448 | tflags LIST_PRTL_SAME_USER publish | |
2449 | ##} LIST_PRTL_SAME_USER | |
2450 | ||
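2451 | ##{ LIVEFILESTORE | |
2452 | # Matches URIs containing "livefilestore.com/". The dot is escaped so that only a literal dot matches; the pattern is unanchored, so the string may sit anywhere in the URI (host, path or query). | |
2453 | uri LIVEFILESTORE m~livefilestore\.com/~ | |
2454 | ##} LIVEFILESTORE | |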
2455 | ||
2456 | ##{ LONG_HEX_URI | |
2457 | ||
2458 | meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024 | |
2459 | describe LONG_HEX_URI Very long purely hexadecimal URI | |
2460 | #score LONG_HEX_URI 3.000 # limit | |
2461 | tflags LONG_HEX_URI publish | |
2462 | ##} LONG_HEX_URI | |
2463 | ||
2464 | ##{ LONG_IMG_URI | |
2465 | ||
2466 | meta LONG_IMG_URI __45_ALNUM_IMG && !ALL_TRUSTED && !__HAS_ERRORS_TO | |
2467 | describe LONG_IMG_URI Image URI with very long path component - web bug? | |
2468 | #score LONG_IMG_URI 3.000 # limit | |
2469 | tflags LONG_IMG_URI publish | |
2470 | ##} LONG_IMG_URI | |
2471 | ||
2472 | ##{ LONG_INVISIBLE_TEXT | |
2473 | # Description, score limit and flags for LONG_INVISIBLE_TEXT; the expression itself comes from one of two further fragments, selected by whether the feature_bug6558_free capability is available. | |
2474 | describe LONG_INVISIBLE_TEXT Long block of hidden text - bayes poison? | |
2475 | #score LONG_INVISIBLE_TEXT 3.000 # limit | |
2476 | tflags LONG_INVISIBLE_TEXT publish | |
2477 | ##} LONG_INVISIBLE_TEXT | |
2478 | ||
2479 | ##{ LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) | |
2480 | # Fallback when feature_bug6558_free is not available: the rule is just __LONG_INVIS_DIV. | |
2481 | if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) | |
2482 | meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV | |
2483 | endif | |
2484 | ##} LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) | |
2485 | ||
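2486 | ##{ LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2487 | # With feature_bug6558_free: fires on __LONG_INVIS_DIV, or on __LONG_STY_INVIS provided none of the listed exclusions hits. Each exclusion is listed once; repeating a term in an && chain does not change the result. | |
2488 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2489 | meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV || (__LONG_STY_INVIS && !__UNSUB_LINK && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__RCD_RDNS_MTA && !__MIME_QP && !__HAS_X_MAILER && !__REPTO_QUOTE ) | |
2490 | endif | |
2491 | ##} LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |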
2492 | ||
2493 | ##{ LONG_TERM_PRICE | |
2494 | ||
2495 | body LONG_TERM_PRICE /long\W+term\W+(target|projected)(\W+price)?/i | |
2496 | ##} LONG_TERM_PRICE | |
2497 | ||
2498 | ##{ LOOPHOLE_1 | |
2499 | ||
2500 | body LOOPHOLE_1 /loop-?hole in the banking/i | |
2501 | describe LOOPHOLE_1 A loop hole in the banking laws? | |
2502 | ##} LOOPHOLE_1 | |
2503 | ||
2504 | ##{ LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
2505 | # Without the ReplaceTags plugin the rule is defined as the constant 0, so it never fires; the name still exists, presumably so that rules referring to it keep resolving. | |
2506 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
2507 | meta LOTS_OF_MONEY 0 | |
2508 | endif | |
2509 | ##} LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
2510 | ||
2511 | ##{ LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
2512 | # With ReplaceTags: fires when any of the six __LOTSA_MONEY_0x sub-rules hits, unless __TRAVEL_ITINERARY also hits. | |
2513 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
2514 | meta LOTS_OF_MONEY (__LOTSA_MONEY_00 || __LOTSA_MONEY_01 || __LOTSA_MONEY_02 || __LOTSA_MONEY_03 || __LOTSA_MONEY_04 || __LOTSA_MONEY_05) && !__TRAVEL_ITINERARY | |
2515 | describe LOTS_OF_MONEY Huge... sums of money | |
2516 | # score LOTS_OF_MONEY 0.01 | |
2517 | tflags LOTS_OF_MONEY publish | |
2518 | endif | |
2519 | ##} LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
2520 | ||
2521 | ##{ LOTTERY_1 | |
2522 | ||
2523 | meta LOTTERY_1 (__DBLCLAIM && __CASHPRZ) | |
2524 | ##} LOTTERY_1 | |
2525 | ||
2526 | ##{ LOTTERY_PH_004470 | |
2527 | ||
2528 | meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY) | |
2529 | ##} LOTTERY_PH_004470 | |
2530 | ||
2531 | ##{ LOTTO_AGENT | |
2532 | ||
2533 | meta LOTTO_AGENT __LOTTO_AGENT && !__HAS_IN_REPLY_TO && !__THREADED && !__TO_YOUR_ORG && !__DKIM_EXISTS && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT && !__HAS_ERRORS_TO && !__RP_MATCHES_RCVD | |
2534 | describe LOTTO_AGENT Claims Agent | |
2535 | #score LOTTO_AGENT 1.50 # limit | |
2536 | ##} LOTTO_AGENT | |
2537 | ||
2538 | ##{ LUCRATIVE | |
2539 | ||
2540 | meta LUCRATIVE ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED | |
2541 | describe LUCRATIVE Make lots of money! | |
2542 | #score LUCRATIVE 2.00 # limit | |
2543 | tflags LUCRATIVE publish | |
2544 | ##} LUCRATIVE | |
2545 | ||
2546 | ##{ L_SPAM_TOOL_13 | |
2547 | # Examines the signed four-digit zone offset that ends the Date header and fires when its tens-of-minutes digit is anything other than 0 or 3. The lookahead exempts offsets whose last three digits are 245, 345, 545 or 845, i.e. :45 offsets at hours ending in 2, 3, 5 or 8. | |
2548 | header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/ | |
2549 | ##} L_SPAM_TOOL_13 | |
2550 | ||
2551 | ##{ MALF_HTML_B64 | |
2552 | ||
2553 | meta MALF_HTML_B64 MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG | |
2554 | describe MALF_HTML_B64 Malformatted base64-encoded HTML content | |
2555 | #score MALF_HTML_B64 3.500 # limit | |
2556 | tflags MALF_HTML_B64 publish | |
2557 | ##} MALF_HTML_B64 | |
2558 | ||
2559 | ##{ MALWARE_NORDNS | |
2560 | # Fires on __MALWARE_NORDNS unless BITCOIN_EXTORT_01 or MONERO_EXTORT_01 hits, so a message that already matched one of those extortion rules is not counted here as well. | |
2561 | meta MALWARE_NORDNS __MALWARE_NORDNS && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01 | |
2562 | describe MALWARE_NORDNS Malware bragging + no rDNS | |
2563 | #score MALWARE_NORDNS 3.500 # limit | |
2564 | tflags MALWARE_NORDNS publish | |
2565 | ##} MALWARE_NORDNS | |
2566 | ||
2567 | ##{ MALWARE_PASSWORD | |
2568 | # Same arrangement for __MALWARE_PASSWORD: it is suppressed whenever either of the two extortion rules hits. | |
2569 | meta MALWARE_PASSWORD __MALWARE_PASSWORD && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01 | |
2570 | describe MALWARE_PASSWORD Malware bragging + "password" | |
2571 | #score MALWARE_PASSWORD 3.500 # limit | |
2572 | tflags MALWARE_PASSWORD publish | |
2573 | ##} MALWARE_PASSWORD | |
2574 | ||
2575 | ##{ MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2576 | # Defined only with the MIMEHeader plugin. Fires on __MALW_ATTACH unless __HAS_THREAD_INDEX hits. Per the description this judges the attachment's file name; nothing here shows the content being inspected, so it complements rather than replaces attachment scanning. | |
2577 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2578 | meta MALW_ATTACH __MALW_ATTACH && !__HAS_THREAD_INDEX | |
2579 | describe MALW_ATTACH Attachment filename suspicious, probable malware exploit | |
2580 | tflags MALW_ATTACH publish | |
2581 | endif | |
2582 | ##} MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2583 | ||
2584 | ##{ MANY_HDRS_LCASE | |
2585 | # MANY_HDRS_LCASE is assembled from three fragments: this one carries the description, the next two each define the meta expression for one state of the FreeMail plugin. | |
2586 | describe MANY_HDRS_LCASE Odd capitalization of multiple message headers | |
2587 | #score MANY_HDRS_LCASE 0.10 # limit | |
2588 | ##} MANY_HDRS_LCASE | |
2589 | ||
2590 | ##{ MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
2591 | # FreeMail not loaded: fires on __MANY_HDRS_LCASE unless any one of the listed exclusions hits. | |
2592 | if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
2593 | meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE | |
2594 | endif | |
2595 | ##} MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
2596 | ||
2597 | ##{ MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2598 | # FreeMail loaded: the same expression as the variant above with one extra exclusion, !__freemail_safe. The two lists are otherwise identical and have to be edited together. | |
2599 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2600 | meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE | |
2601 | endif | |
2602 | ##} MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2603 | ||
2604 | ##{ MANY_SPAN_IN_TEXT | |
2605 | ||
2606 | meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML | |
2607 | describe MANY_SPAN_IN_TEXT Many <SPAN> tags embedded within text | |
2608 | tflags MANY_SPAN_IN_TEXT publish | |
2609 | ##} MANY_SPAN_IN_TEXT | |
2610 | ||
2611 | ##{ MAY_BE_FORGED | |
2612 | ||
2613 | meta MAY_BE_FORGED __MAY_BE_FORGED && !__NOT_SPOOFED && !__VIA_ML | |
2614 | describe MAY_BE_FORGED Relay IP's reverse DNS does not resolve to IP | |
2615 | ##} MAY_BE_FORGED | |
2616 | ||
2617 | ##{ MID_DEGREES | |
2618 | # Matches a Message-ID made of exactly 14 digits, a dot, 10 upper-case hex characters and an @ followed by a host part of upper-case letters and digits only (no dot, no lower case - the pattern has no /i). | |
2619 | header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/ | |
2620 | ##} MID_DEGREES | |
2621 | ||
2622 | ##{ MILLION_HUNDRED | |
2623 | ||
2624 | body MILLION_HUNDRED /Million\s+\S+\s+Hundred/i | |
2625 | describe MILLION_HUNDRED Million "One to Nine" Hundred | |
2626 | tflags MILLION_HUNDRED publish | |
2627 | ##} MILLION_HUNDRED | |
2628 | ||
2629 | ##{ MILLION_USD | |
2630 | ||
2631 | body MILLION_USD /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i | |
2632 | describe MILLION_USD Talks about millions of dollars | |
2633 | #score MILLION_USD 2 | |
2634 | ##} MILLION_USD | |
2635 | ||
2636 | ##{ MIMEOLE_DIRECT_TO_MX | |
2637 | ||
2638 | meta MIMEOLE_DIRECT_TO_MX __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS | |
2639 | describe MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX | |
2640 | #score MIMEOLE_DIRECT_TO_MX 2.000 # limit | |
2641 | tflags MIMEOLE_DIRECT_TO_MX publish | |
2642 | ##} MIMEOLE_DIRECT_TO_MX | |
2643 | ||
2644 | ##{ MIME_BOUND_EQ_REL | |
2645 | ||
2646 | header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s | |
2647 | ##} MIME_BOUND_EQ_REL | |
2648 | ||
2649 | ##{ MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2650 | ||
2651 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2652 | meta MIME_NO_TEXT __MIME_NO_TEXT && !__BOUNCE_CTYPE && !__CT_ENCRYPTED && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__USER_AGENT_APPLEMAIL && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__HS_SUBJ_RE_FW && !__PDF_ATTACH && !__LCL__KAM_BODY_LENGTH_LT_128 | |
2653 | # score MIME_NO_TEXT 2.00 # limit | |
2654 | describe MIME_NO_TEXT No (properly identified) text body parts | |
2655 | tflags MIME_NO_TEXT publish | |
2656 | endif | |
2657 | ##} MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2658 | ||
2659 | ##{ MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2660 | ||
2661 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2662 | meta MIME_PHP_NO_TEXT (MIME_NO_TEXT && __PHP_MUA) | |
2663 | describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP | |
2664 | endif | |
2665 | ##} MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2666 | ||
2667 | ##{ MIXED_AREA_CASE | |
2668 | ||
2669 | meta MIXED_AREA_CASE __MIXED_AREA_CASE | |
2670 | describe MIXED_AREA_CASE Has area tag in mixed case | |
2671 | #score MIXED_AREA_CASE 2.500 # limit | |
2672 | tflags MIXED_AREA_CASE publish | |
2673 | ##} MIXED_AREA_CASE | |
2674 | ||
2675 | ##{ MIXED_CENTER_CASE | |
2676 | ||
2677 | meta MIXED_CENTER_CASE __MIXED_CENTER_CASE | |
2678 | describe MIXED_CENTER_CASE Has center tag in mixed case | |
2679 | #score MIXED_CENTER_CASE 2.500 # limit | |
2680 | tflags MIXED_CENTER_CASE publish | |
2681 | ##} MIXED_CENTER_CASE | |
2682 | ||
2683 | ##{ MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
2684 | # Compares two counters: fires when __LOWER_E exceeds 20, __E_LIKE_LETTER is more than 1.4 times but less than 10 times __LOWER_E, and HTML_IMAGE_ONLY_16 did not hit. NOTE(review): going by the names and the description, __E_LIKE_LETTER counts characters that resemble the letter e, which would make this a look-alike-character check - confirm against the sub-rule definitions. The commented-out lang lines would lower the score for five languages, presumably because their alphabets legitimately contain such letters. | |
2685 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2686 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
2687 | meta MIXED_ES ( ! HTML_IMAGE_ONLY_16 ) && ( __LOWER_E > 20 ) && ( __E_LIKE_LETTER > ( (__LOWER_E * 14 ) / 10) ) && ( __E_LIKE_LETTER < ( 10 * __LOWER_E ) ) | |
2688 | describe MIXED_ES Too many es are not es | |
2689 | tflags MIXED_ES publish | |
2690 | # lang pl score MIXED_ES 0.01 | |
2691 | # lang cz score MIXED_ES 0.01 | |
2692 | # lang sk score MIXED_ES 0.01 | |
2693 | # lang hr score MIXED_ES 0.01 | |
2694 | # lang el score MIXED_ES 0.01 | |
2695 | endif | |
2696 | endif | |
2697 | ##} MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
2698 | ||
2699 | ##{ MIXED_FONT_CASE | |
2700 | ||
2701 | meta MIXED_FONT_CASE __MIXED_FONT_CASE | |
2702 | describe MIXED_FONT_CASE Has font tag in mixed case | |
2703 | #score MIXED_FONT_CASE 2.500 # limit | |
2704 | tflags MIXED_FONT_CASE publish | |
2705 | ##} MIXED_FONT_CASE | |
2706 | ||
2707 | ##{ MIXED_HREF_CASE | |
2708 | ||
2709 | meta MIXED_HREF_CASE __MIXED_HREF_CASE_JH | |
2710 | describe MIXED_HREF_CASE Has href in mixed case | |
2711 | #score MIXED_HREF_CASE 2.000 # limit | |
2712 | tflags MIXED_HREF_CASE publish | |
2713 | ##} MIXED_HREF_CASE | |
2714 | ||
2715 | ##{ MIXED_IMG_CASE | |
2716 | ||
2717 | meta MIXED_IMG_CASE __MIXED_IMG_CASE_JH && !__MSGID_JAVAMAIL | |
2718 | describe MIXED_IMG_CASE Has img tag in mixed case | |
2719 | #score MIXED_IMG_CASE 3.000 # limit | |
2720 | tflags MIXED_IMG_CASE publish | |
2721 | ##} MIXED_IMG_CASE | |
2722 | ||
2723 | ##{ MONERO_DEADLINE | |
2724 | ||
| | # The four MONERO_* rules all require the __MONERO sub-rule (defined outside this view). | |
| | # MONERO_EXTORT_01 is the most specific. DEADLINE, MALWARE and PAY_ME each carry | |
| | # !MONERO_EXTORT_01, so a message that hits the extortion rule is not counted again by them. | |
| | # DEADLINE, MALWARE and PAY_ME do not exclude one another and can all hit the same message. | |
| | # The "#score ... # limit" lines are comments; this file sets no active score for these rules. | |
2725 | meta MONERO_DEADLINE __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01 | |
2726 | describe MONERO_DEADLINE Monero cryptocurrency with a deadline | |
2727 | #score MONERO_DEADLINE 3.000 # limit | |
2728 | tflags MONERO_DEADLINE publish | |
2729 | ##} MONERO_DEADLINE | |
2730 | ||
2731 | ##{ MONERO_EXTORT_01 | |
2732 | ||
| | # Hits when both __MONERO and __EXTORT_MANY hit. The sibling MONERO_* rules test this rule by name. | |
2733 | meta MONERO_EXTORT_01 __MONERO && __EXTORT_MANY | |
2734 | describe MONERO_EXTORT_01 Extortion spam, pay via Monero cryptocurrency | |
2735 | #score MONERO_EXTORT_01 5.000 # limit | |
2736 | tflags MONERO_EXTORT_01 publish | |
2737 | ##} MONERO_EXTORT_01 | |
2738 | ||
2739 | ##{ MONERO_MALWARE | |
2740 | ||
2741 | meta MONERO_MALWARE __MONERO && __MY_MALWARE && !MONERO_EXTORT_01 | |
2742 | describe MONERO_MALWARE Monero cryptocurrency + malware bragging | |
2743 | #score MONERO_MALWARE 3.500 # limit | |
2744 | tflags MONERO_MALWARE publish | |
2745 | ##} MONERO_MALWARE | |
2746 | ||
2747 | ##{ MONERO_PAY_ME | |
2748 | ||
2749 | meta MONERO_PAY_ME __MONERO && __PAY_ME && !MONERO_EXTORT_01 | |
2750 | describe MONERO_PAY_ME Pay me via Monero cryptocurrency | |
2751 | #score MONERO_PAY_ME 3.000 # limit | |
2752 | tflags MONERO_PAY_ME publish | |
2753 | ##} MONERO_PAY_ME | |
2754 | ||
2755 | ##{ MONEY_ATM_CARD | |
2756 | ||
2757 | meta MONEY_ATM_CARD __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE | |
2758 | describe MONEY_ATM_CARD Lots of money on an ATM card | |
2759 | ##} MONEY_ATM_CARD | |
2760 | ||
2761 | ##{ MONEY_FORM | |
2762 | ||
2763 | meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP | |
2764 | describe MONEY_FORM Lots of money if you fill out a form | |
2765 | ##} MONEY_FORM | |
2766 | ||
2767 | ##{ MONEY_FORM_SHORT | |
2768 | ||
2769 | meta MONEY_FORM_SHORT __MONEY_FORM_SHORT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__THREADED && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__THREAD_INDEX_GOOD | |
2770 | describe MONEY_FORM_SHORT Lots of money if you fill out a short form | |
2771 | #score MONEY_FORM_SHORT 2.500 # limit | |
2772 | ##} MONEY_FORM_SHORT | |
2773 | ||
2774 | ##{ MONEY_FRAUD_3 | |
2775 | ||
| | # MONEY_FRAUD_3 / _5 / _8 form tiers. _3 is suppressed when __MONEY_FRAUD_5 or __MONEY_FRAUD_8 | |
| | # hits, and _5 is suppressed when __MONEY_FRAUD_8 hits, so by these exclusions at most one | |
| | # tier is reported per message. | |
| | # NOTE(review): the remaining negated terms look like false-positive guards (mailing-list, | |
| | # threading, unsubscribe and markup indicators, going by their names). Their definitions are | |
| | # outside this view. | |
2776 | meta MONEY_FRAUD_3 (__MONEY_FRAUD_3 && !__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_3_NEW_MONEY) && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__IS_EXCH && !__VIA_ML && !__HAS_THREAD_INDEX && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__HTML_LINK_IMAGE && !__THREADED && !__DOS_BODY_THU && !__URL_SHORTENER && !__TAG_EXISTS_STYLE | |
2777 | describe MONEY_FRAUD_3 Lots of money and several fraud phrases | |
2778 | tflags MONEY_FRAUD_3 publish | |
2779 | ##} MONEY_FRAUD_3 | |
2780 | ||
2781 | ##{ MONEY_FRAUD_5 | |
2782 | ||
| | # Middle tier: needs __MONEY_FRAUD_5 without __MONEY_FRAUD_8 or __ADVANCE_FEE_5_NEW_MONEY. | |
2783 | meta MONEY_FRAUD_5 (__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_5_NEW_MONEY) && !__VIA_ML && !__HAS_THREAD_INDEX && !__COMMENT_EXISTS && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__URL_SHORTENER && !__TAG_EXISTS_STYLE | |
2784 | describe MONEY_FRAUD_5 Lots of money and many fraud phrases | |
2785 | tflags MONEY_FRAUD_5 publish | |
2786 | ##} MONEY_FRAUD_5 | |
2787 | ||
2788 | ##{ MONEY_FRAUD_8 | |
2789 | ||
| | # Top tier: carries the fewest exclusions of the three (__VIA_ML, __HAS_THREAD_INDEX, __BUGGED_IMG). | |
2790 | meta MONEY_FRAUD_8 __MONEY_FRAUD_8 && !__VIA_ML && !__HAS_THREAD_INDEX && !__BUGGED_IMG | |
2791 | describe MONEY_FRAUD_8 Lots of money and very many fraud phrases | |
2792 | tflags MONEY_FRAUD_8 publish | |
2793 | ##} MONEY_FRAUD_8 | |
2794 | ||
2795 | ##{ MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2796 | ||
2797 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2798 | meta MONEY_FREEMAIL_REPTO __MONEY_FREEMAIL_REPTO && !__HAS_CAMPAIGNID | |
2799 | describe MONEY_FREEMAIL_REPTO Lots of money from someone using free email? | |
2800 | # score MONEY_FREEMAIL_REPTO 3.000 # limit | |
2801 | tflags MONEY_FREEMAIL_REPTO publish | |
2802 | endif | |
2803 | ##} MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2804 | ||
2805 | ##{ MONEY_FROM_41 | |
2806 | ||
2807 | meta MONEY_FROM_41 __MONEY_FROM_41 | |
2808 | describe MONEY_FROM_41 Lots of money from Africa | |
2809 | #score MONEY_FROM_41 2.00 # limit | |
2810 | ##} MONEY_FROM_41 | |
2811 | ||
2812 | ##{ MONEY_FROM_MISSP | |
2813 | ||
2814 | meta MONEY_FROM_MISSP LOTS_OF_MONEY && __FROM_MISSPACED && !__MIME_QP | |
2815 | describe MONEY_FROM_MISSP Lots of money and misspaced From | |
2816 | #score MONEY_FROM_MISSP 2.000 # limit | |
2817 | ##} MONEY_FROM_MISSP | |
2818 | ||
2819 | ##{ MONEY_NOHTML | |
2820 | ||
2821 | meta MONEY_NOHTML LOTS_OF_MONEY && __CT_TEXT_PLAIN | |
2822 | describe MONEY_NOHTML Lots of money in plain text | |
2823 | #score MONEY_NOHTML 2.500 # limit | |
2824 | ##} MONEY_NOHTML | |
2825 | ||
2826 | ##{ MSGID_DOLLARS_URI_IMG | |
2827 | ||
2828 | meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW | |
2829 | describe MSGID_DOLLARS_URI_IMG Suspicious Message-ID and image | |
2830 | #score MSGID_DOLLARS_URI_IMG 3.000 # limit | |
2831 | tflags MSGID_DOLLARS_URI_IMG publish | |
2832 | ##} MSGID_DOLLARS_URI_IMG | |
2833 | ||
2834 | ##{ MSGID_HDR_MALF | |
2835 | ||
| | # Plain alias: hits whenever the sub-rule __HAS_MESSAGEID hits. | |
| | # NOTE(review): the description says "invalid message ID header", but the sub-rule name reads | |
| | # like an existence test. __HAS_MESSAGEID is defined outside this view; confirm which header | |
| | # name it looks for (a non-standard spelling would reconcile the two) before relying on this rule. | |
2836 | meta MSGID_HDR_MALF __HAS_MESSAGEID | |
2837 | describe MSGID_HDR_MALF Has invalid message ID header | |
2838 | #score MSGID_HDR_MALF 3.500 # limit | |
2839 | tflags MSGID_HDR_MALF publish | |
2840 | ##} MSGID_HDR_MALF | |
2841 | ||
2842 | ##{ MSGID_MULTIPLE_AT | |
2843 | ||
| | # Matches a message-id value that has two "@" characters inside a single <...> token. | |
| | # [^>]* keeps both "@" before the closing ">". | |
| | # MESSAGEID is the SpamAssassin pseudo-header covering Message-Id and its Resent-/X- variants, | |
| | # so the test is not limited to the primary Message-Id header. | |
| | # The score line below is commented out; this file sets no active score for the rule. | |
2844 | header MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/ | |
2845 | describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters | |
2846 | #score MSGID_MULTIPLE_AT 0.001 | |
2847 | ##} MSGID_MULTIPLE_AT | |
2848 | ||
2849 | ##{ MSGID_WSP_TRAIL | |
2850 | ||
| | # The /x flag makes the spaces inside the pattern insignificant. The pattern reads: "<", any | |
| | # run of non-">" characters, one whitespace character, ">", then no further angle brackets | |
| | # up to the end of the value (\z). | |
| | # The :raw modifier tests the header as received, so the whitespace being checked is the | |
| | # sender's own and not an artifact of decoding. | |
2851 | header MSGID_WSP_TRAIL Message-ID:raw =~ /< [^>]* \s > [^<>]* \z/xm | |
2852 | describe MSGID_WSP_TRAIL Trailing whitespace before '>' in Message-ID header | |
2853 | ##} MSGID_WSP_TRAIL | |
2854 | ||
2855 | ##{ MSMAIL_PRI_ABNORMAL | |
2856 | ||
2857 | meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER && !__HAS_UA && !__MSMAIL_PRI_HIGH | |
2858 | describe MSMAIL_PRI_ABNORMAL Email priority often abused | |
2859 | #score MSMAIL_PRI_ABNORMAL 1.500 # limit | |
2860 | ##} MSMAIL_PRI_ABNORMAL | |
2861 | ||
2862 | ##{ MSM_PRIO_REPTO | |
2863 | ||
2864 | meta MSM_PRIO_REPTO __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH | |
2865 | describe MSM_PRIO_REPTO MSMail priority header + Reply-to + short subject | |
2866 | #score MSM_PRIO_REPTO 2.500 # limit | |
2867 | tflags MSM_PRIO_REPTO publish | |
2868 | ##} MSM_PRIO_REPTO | |
2869 | ||
2870 | ##{ MSOE_MID_WRONG_CASE | |
2871 | ||
2872 | meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106) | |
2873 | ##} MSOE_MID_WRONG_CASE | |
2874 | ||
2875 | ##{ NAME_EMAIL_DIFF | |
2876 | ||
2877 | meta NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL | |
2878 | describe NAME_EMAIL_DIFF Sender NAME is an unrelated email address | |
2879 | ##} NAME_EMAIL_DIFF | |
2880 | ||
2881 | ##{ NA_DOLLARS | |
2882 | ||
2883 | body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i | |
2884 | describe NA_DOLLARS Talks about a million North American dollars | |
2885 | #score NA_DOLLARS 1.5 | |
2886 | ##} NA_DOLLARS | |
2887 | ||
2888 | ##{ NEWEGG_IMG_NOT_RCVD_NEGG | |
2889 | ||
2890 | meta NEWEGG_IMG_NOT_RCVD_NEGG __NEWEGG_IMG_NOT_RCVD_NEGG | |
2891 | #score NEWEGG_IMG_NOT_RCVD_NEGG 2.500 # limit | |
2892 | describe NEWEGG_IMG_NOT_RCVD_NEGG Newegg hosted image but message not from Newegg | |
2893 | tflags NEWEGG_IMG_NOT_RCVD_NEGG publish | |
2894 | ##} NEWEGG_IMG_NOT_RCVD_NEGG | |
2895 | ||
2896 | ##{ NICE_REPLY_A | |
2897 | ||
| | # Ham-side rule: "tflags nice" marks it as intended to carry a negative score. | |
| | # Hits when __SUBJ_RE and __BOTH_INR_AND_REF hit and neither __MISSING_REPLY nor __MISSING_REF does. | |
| | # NOTE(review): going by the names, every input is a header the sender writes (Subject prefix, | |
| | # In-Reply-To, References). Keep the score small so this rule cannot offset strong spam | |
| | # evidence on its own. | |
2898 | meta NICE_REPLY_A (__SUBJ_RE && !__MISSING_REPLY && !__MISSING_REF && __BOTH_INR_AND_REF) | |
2899 | describe NICE_REPLY_A Looks like a legit reply (A) | |
2900 | tflags NICE_REPLY_A nice | |
2901 | ##} NICE_REPLY_A | |
2902 | ||
2903 | ##{ NOT_SPAM | |
2904 | ||
| | # body rule: runs on the decoded, rendered text (the Subject is included as the first paragraph). | |
| | # Case-insensitive match for a message asserting that it is not spam, in three forms: | |
| | # English ("this e-mail/message is not ..." or "we are not ..."), Spanish, and German. | |
| | # The leading \b applies to all three alternatives; there is no trailing anchor. | |
2905 | body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i | |
2906 | describe NOT_SPAM I'm not spam! Really! I'm not, I'm not, I'm not! | |
2907 | tflags NOT_SPAM publish | |
2908 | ##} NOT_SPAM | |
2909 | ||
2910 | ##{ NO_FM_NAME_IP_HOSTN | |
2911 | ||
2912 | meta NO_FM_NAME_IP_HOSTN (__KHOP_NO_FULL_NAME && __IP_IN_RELAY) && !__DOS_RELAYED_EXT | |
2913 | describe NO_FM_NAME_IP_HOSTN No From name + hostname using IP address | |
2914 | #score NO_FM_NAME_IP_HOSTN 2.500 # limit | |
2915 | tflags NO_FM_NAME_IP_HOSTN publish | |
2916 | ##} NO_FM_NAME_IP_HOSTN | |
2917 | ||
2918 | ##{ NSL_RCVD_FROM_USER | |
2919 | ||
| | # Matches the literal text "from User " followed by "[" or "(" in a Received header. | |
| | # The match is case-sensitive (no /i), so only the capitalised "User" is covered. | |
| | # NOTE(review): a plain "Received" header test sees every Received line in the message, | |
| | # including ones written by hosts outside trusted_networks. Treat a hit as a heuristic about | |
| | # the sending software, not as verified relay information. | |
2920 | header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/ | |
2921 | describe NSL_RCVD_FROM_USER Received from User | |
2922 | ##} NSL_RCVD_FROM_USER | |
2923 | ||
2924 | ##{ NSL_RCVD_HELO_USER | |
2925 | ||
| | # Case-insensitive match for "helo=user)" or "helo user)" in a Received header. | |
| | # The same caveat applies: the test is not limited to Received lines added by trusted relays. | |
2926 | header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i | |
2927 | describe NSL_RCVD_HELO_USER Received from HELO User | |
2928 | ##} NSL_RCVD_HELO_USER | |
2929 | ||
2930 | ##{ NULL_IN_BODY | |
2931 | ||
| | # Despite the rule name, this is a "full" rule: it runs on the complete undecoded message, | |
| | # headers included, so a NUL byte anywhere in the message triggers it (the description says | |
| | # "in message", which matches that scope). | |
| | # Because the text is undecoded, NUL bytes that appear only after base64 or quoted-printable | |
| | # decoding are not seen by this rule. | |
2932 | full NULL_IN_BODY /\x00/ | |
2933 | describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message | |
2934 | ##} NULL_IN_BODY | |
2935 | ||
2936 | ##{ NUMBEREND_LINKBAIT | |
2937 | ||
2938 | meta NUMBEREND_LINKBAIT __NUMBEREND_TLD && __LCL__KAM_BODY_LENGTH_LT_1024 && __BODY_URI_ONLY | |
2939 | describe NUMBEREND_LINKBAIT Domain ends in a large number and very short body with link | |
2940 | #score NUMBEREND_LINKBAIT 1.0 # limit | |
2941 | ##} NUMBEREND_LINKBAIT | |
2942 | ||
2943 | ##{ OBFU_BITCOIN | |
2944 | ||
2945 | meta OBFU_BITCOIN __OBFU_BITCOIN | |
2946 | describe OBFU_BITCOIN Obfuscated BitCoin references | |
2947 | #score OBFU_BITCOIN 3.000 # limit | |
2948 | tflags OBFU_BITCOIN publish | |
2949 | ##} OBFU_BITCOIN | |
2950 | ||
2951 | ##{ OBFU_JVSCR_ESC | |
2952 | ||
| | # rawbody rule: runs on the MIME-decoded body before HTML is rendered to text, so markup and | |
| | # script source are visible to the pattern. | |
| | # Matches document.write(unescape( followed by a quote character and ten consecutive %XX | |
| | # escapes. The pattern has no end anchor, so ten is a minimum. Case-insensitive. | |
2953 | rawbody OBFU_JVSCR_ESC /document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i | |
2954 | describe OBFU_JVSCR_ESC Injects content using obfuscated javascript | |
2955 | tflags OBFU_JVSCR_ESC publish | |
2956 | ##} OBFU_JVSCR_ESC | |
2957 | ||
2958 | ##{ OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2959 | ||
2960 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
| | # mimeheader rule: tests the Content-Type header of MIME parts, and exists only when the | |
| | # MIMEHeader plugin is loaded. | |
| | # Matches a part declared as application/octet-stream whose Content-Type value later contains | |
| | # ".txt" at a word boundary. This is presumably the name= parameter, but the pattern does not | |
| | # anchor on the parameter name. | |
| | # The \b after "txt" is also satisfied by a following ".", so ".txt" need not be the final | |
| | # extension of the file name. | |
2961 | mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i | |
2962 | describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type | |
2963 | tflags OBFU_TEXT_ATTACH publish | |
2964 | endif | |
2965 | ##} OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2966 | ||
2967 | ##{ OBFU_UNSUB_UL | |
2968 | ||
2969 | meta OBFU_UNSUB_UL __OBFU_UNSUB_UL && !MAILING_LIST_MULTI | |
2970 | describe OBFU_UNSUB_UL Obfuscated unsubscribe text | |
2971 | tflags OBFU_UNSUB_UL publish | |
2972 | ##} OBFU_UNSUB_UL | |
2973 | ||
2974 | ##{ ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2975 | ||
2976 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2977 | meta ODD_FREEM_REPTO __freemail_mailreplyto | |
2978 | describe ODD_FREEM_REPTO Has unusual reply-to header | |
2979 | # score ODD_FREEM_REPTO 3.000 # limit | |
2980 | tflags ODD_FREEM_REPTO publish | |
2981 | endif | |
2982 | ##} ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2983 | ||
2984 | ##{ OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
2985 | ||
2986 | if (version >= 3.004002) | |
2987 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
2988 | meta OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA | |
2989 | describe OFFER_ONLY_AMERICA Offer only available to US | |
2990 | #score OFFER_ONLY_AMERICA 2.0 # limit | |
2991 | endif | |
2992 | endif | |
2993 | ##} OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
2994 | ||
2995 | ##{ ONLINE_MKTG_CNSLT | |
2996 | ||
2997 | body ONLINE_MKTG_CNSLT /\bonline marketing consultant\b/i | |
2998 | ##} ONLINE_MKTG_CNSLT | |
2999 | ||
3000 | ##{ ORDER_TODAY | |
3001 | ||
3002 | meta ORDER_TODAY __ORDER_TODAY && (__HTML_IMG_ONLY || __ALIBABA_IMG_NOT_RCVD_ALI || __TO_NO_BRKTS_NORDNS_HTML) | |
3003 | describe ORDER_TODAY Get your order in now! | |
3004 | #score ORDER_TODAY 2.500 # limit | |
3005 | ##} ORDER_TODAY | |
3006 | ||
3007 | ##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3008 | ||
3009 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3010 | meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F) | |
3011 | describe PART_CID_STOCK Has a spammy image attachment (by Content-ID) | |
3012 | endif | |
3013 | ##} PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3014 | ||
3015 | ##{ PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3016 | ||
3017 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3018 | meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS) | |
3019 | describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific) | |
3020 | endif | |
3021 | ##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3022 | ||
3023 | ##{ PDS_BTC_ID | |
3024 | ||
3025 | meta PDS_BTC_ID __PDS_BTC_ID | |
3026 | describe PDS_BTC_ID FP reduced Bitcoin ID | |
3027 | #score PDS_BTC_ID 0.5 | |
3028 | ##} PDS_BTC_ID | |
3029 | ||
3030 | ##{ PDS_BTC_MSGID | |
3031 | ||
3032 | meta PDS_BTC_MSGID __PDS_BTC_ID && __MSGID_NOFQDN2 | |
3033 | describe PDS_BTC_MSGID Bitcoin ID with T_MSGID_NOFQDN2 | |
3034 | #score PDS_BTC_MSGID 1.0 | |
3035 | ##} PDS_BTC_MSGID | |
3036 | ||
3037 | ##{ PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3038 | ||
3039 | if (version >= 3.004002) | |
3040 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3041 | meta PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD ) | |
3042 | describe PDS_BTC_NTLD Bitcoin suspect NTLD | |
3043 | #score PDS_BTC_NTLD 2.0 # limit | |
3044 | endif | |
3045 | endif | |
3046 | ##} PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3047 | ||
3048 | ##{ PDS_DBL_URL_TNB_RUNON | |
3049 | ||
3050 | meta PDS_DBL_URL_TNB_RUNON __TO_NO_BRKTS_FROM_RUNON && __PDS_DOUBLE_URL | |
3051 | describe PDS_DBL_URL_TNB_RUNON Double-url and To no arrows, from runon | |
3052 | #score PDS_DBL_URL_TNB_RUNON 2.0 | |
3053 | ##} PDS_DBL_URL_TNB_RUNON | |
3054 | ||
3055 | ##{ PDS_FRNOM_TODOM_DBL_URL | |
3056 | ||
3057 | meta PDS_FRNOM_TODOM_DBL_URL PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL | |
3058 | describe PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL | |
3059 | #score PDS_FRNOM_TODOM_DBL_URL 1.5 | |
3060 | ##} PDS_FRNOM_TODOM_DBL_URL | |
3061 | ||
3062 | ##{ PDS_FRNOM_TODOM_NAKED_TO | |
3063 | ||
3064 | meta PDS_FRNOM_TODOM_NAKED_TO __NAKED_TO && PDS_FROM_NAME_TO_DOMAIN | |
3065 | describe PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain | |
3066 | #score PDS_FRNOM_TODOM_NAKED_TO 1.5 | |
3067 | ##} PDS_FRNOM_TODOM_NAKED_TO | |
3068 | ||
3069 | ##{ PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3070 | ||
3071 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3072 | if (version >= 3.004000) | |
3073 | meta PDS_FROM_2_EMAILS_SHRTNER (__PDS_URISHORTENER || __URL_SHORTENER) && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY | |
3074 | describe PDS_FROM_2_EMAILS_SHRTNER From 2 emails short email with little more than a URI shortener | |
3075 | #score PDS_FROM_2_EMAILS_SHRTNER 1.5 # limit | |
3076 | endif | |
3077 | endif | |
3078 | ##} PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3079 | ||
3080 | ##{ PDS_FROM_NAME_TO_DOMAIN | |
3081 | ||
3082 | meta PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN | |
3083 | #score PDS_FROM_NAME_TO_DOMAIN 2.0 | |
3084 | describe PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain | |
3085 | ##} PDS_FROM_NAME_TO_DOMAIN | |
3086 | ||
3087 | ##{ PDS_HELO_SPF_FAIL | |
3088 | ||
| | # Hits when the HELO identity fails SPF (SPF_HELO_FAIL) and __HELO_HIGHPROFILE also hits. | |
| | # "tflags net" marks the rule as network-dependent: SPF evaluation needs DNS, so the rule | |
| | # cannot hit when network tests are disabled. | |
| | # NOTE(review): __HELO_HIGHPROFILE is defined outside this view. Going by the name it matches | |
| | # HELO strings that name well-known domains; confirm the list it uses. | |
3089 | meta PDS_HELO_SPF_FAIL SPF_HELO_FAIL && __HELO_HIGHPROFILE | |
3090 | describe PDS_HELO_SPF_FAIL High profile HELO that fails SPF | |
3091 | #score PDS_HELO_SPF_FAIL 2.0 | |
3092 | tflags PDS_HELO_SPF_FAIL net | |
3093 | ##} PDS_HELO_SPF_FAIL | |
3094 | ||
3095 | ##{ PDS_HP_HELO_NORDNS | |
3096 | ||
3097 | meta PDS_HP_HELO_NORDNS RDNS_NONE && __HELO_HIGHPROFILE | |
3098 | describe PDS_HP_HELO_NORDNS High profile HELO with no sender rDNS | |
3099 | #score PDS_HP_HELO_NORDNS 1.0 | |
3100 | ##} PDS_HP_HELO_NORDNS | |
3101 | ||
3102 | ##{ PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3103 | ||
3104 | if (version >= 3.004002) | |
3105 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
| | # Eval rule from the WLBLEval plugin: hits when a URI host in the message is on the named | |
| | # host list 'SUSP_URI_NTLD'. | |
| | # The list contents are set with enlist_uri_host directives outside this view, so which TLDs | |
| | # count as "untrustworthy" cannot be read from this block. Review that list when tuning. | |
| | # The rule is only defined on version 3.004002 or later with WLBLEval loaded. | |
3106 | header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD') | |
3107 | #score PDS_OTHER_BAD_TLD 2.0 | |
3108 | describe PDS_OTHER_BAD_TLD Untrustworthy TLDs | |
3109 | endif | |
3110 | endif | |
3111 | ##} PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3112 | ||
3113 | ##{ PDS_PHPEXP_BOT | |
3114 | ||
| | # Three conditions must hold: __SENDER_BOT hits, at least one of (__PDS_TONAME_EQ_TOLOCAL, | |
| | # __NAKED_TO) hits, and at least one of the four PHP indicator rules hits. | |
| | # Each "a + b >= 1" sum is an at-least-one test over rule hit values. | |
| | # NOTE(review): T_PDS_X_PHP_WP_EXP is referenced under a "T_" name while the other inputs use | |
| | # the "__" sub-rule prefix. If that rule is renamed or not shipped, this term contributes | |
| | # nothing; confirm it exists in the deployed ruleset (spamassassin --lint reports undefined | |
| | # meta dependencies). | |
3115 | meta PDS_PHPEXP_BOT __SENDER_BOT && (__PDS_TONAME_EQ_TOLOCAL + __NAKED_TO >= 1) && (__PDS_PHP_EVAL2 + __PDS_PHP_EVAL1 + T_PDS_X_PHP_WP_EXP + __PDS_X_PHP_WELLKNOWN >= 1) | |
3116 | describe PDS_PHPEXP_BOT PHP exploit bot sender | |
3117 | #score PDS_PHPEXP_BOT 1.5 | |
3118 | ##} PDS_PHPEXP_BOT | |
3119 | ||
3120 | ##{ PDS_PHP_EVAL | |
3121 | ||
3122 | meta PDS_PHP_EVAL __PDS_PHP_EVAL1 | |
3123 | describe PDS_PHP_EVAL PHP header shows eval'd code | |
3124 | #score PDS_PHP_EVAL 1.5 | |
3125 | ##} PDS_PHP_EVAL | |
3126 | ||
3127 | ##{ PDS_RDNS_DYNAMIC_FP | |
3128 | ||
3129 | meta PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC && !__PDS_RDNS_MTA | |
3130 | #score PDS_RDNS_DYNAMIC_FP 0.01 | |
3131 | describe PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC with FP steps | |
3132 | ##} PDS_RDNS_DYNAMIC_FP | |
3133 | ||
3134 | ##{ PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3135 | ||
3136 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3137 | if (version >= 3.004000) | |
| | # Hits when either URL-shortener sub-rule hits together with __HS_SUBJ_RE_FW and __PDS_MSG_512. | |
| | # The _QP rule of the same family differs only in using __T_PDS_MSG_512 and in excluding this rule. | |
3138 | meta PDS_SHORTFWD_URISHRT_FP (__PDS_URISHORTENER || __URL_SHORTENER) && __HS_SUBJ_RE_FW && __PDS_MSG_512 | |
3139 | describe PDS_SHORTFWD_URISHRT_FP Apparently a short fwd/re with URI shortener | |
3140 | #score PDS_SHORTFWD_URISHRT_FP 1.5 # limit | |
3141 | endif | |
3142 | endif | |
3143 | ##} PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3144 | ||
3145 | ##{ PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3146 | ||
3147 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3148 | if (version >= 3.004000) | |
| | # Same shape as PDS_SHORTFWD_URISHRT_FP, with __T_PDS_MSG_512 as the size test and | |
| | # !PDS_SHORTFWD_URISHRT_FP so the two never hit the same message. | |
| | # Both rules carry the same description text, so reports show the same wording for each; | |
| | # use the rule name to tell them apart. | |
| | # NOTE(review): __PDS_MSG_512 and __T_PDS_MSG_512 are defined outside this view; confirm how | |
| | # the two size tests differ. | |
3149 | meta PDS_SHORTFWD_URISHRT_QP (__PDS_URISHORTENER || __URL_SHORTENER) && __HS_SUBJ_RE_FW && __T_PDS_MSG_512 && !PDS_SHORTFWD_URISHRT_FP | |
3150 | describe PDS_SHORTFWD_URISHRT_QP Apparently a short fwd/re with URI shortener | |
3151 | #score PDS_SHORTFWD_URISHRT_QP 1.5 # limit | |
3152 | endif | |
3153 | endif | |
3154 | ##} PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3155 | ||
3156 | ##{ PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3157 | ||
3158 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3159 | if (version >= 3.004000) | |
3160 | meta PDS_TINYSUBJ_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __SUBJ_SHORT && __PDS_MSG_1024 | |
3161 | describe PDS_TINYSUBJ_URISHRT Short subject with URL shortener | |
3162 | #score PDS_TINYSUBJ_URISHRT 1.5 # limit | |
3163 | endif | |
3164 | endif | |
3165 | ##} PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3166 | ||
3167 | ##{ PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE | |
3168 | ||
3169 | meta PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE FREEMAIL_FORGED_REPLYTO && __PDS_TONAME_EQ_TOLOCAL | |
3170 | describe PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE Forged replyto and __PDS_TONAME_EQ_TOLOCAL | |
3171 | #score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 2.0 # limit | |
3172 | ##} PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE | |
3173 | ||
3174 | ##{ PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE | |
3175 | ||
3176 | meta PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE __PDS_TONAME_EQ_TOLOCAL && __HDRS_LCASE | |
3177 | describe PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE To: name matches everything in local email - LCASE headers | |
3178 | #score PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE 2.0 # limit | |
3179 | ##} PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE | |
3180 | ||
3181 | ##{ PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
3182 | ||
3183 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
3184 | meta PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER | |
3185 | describe PDS_TO_EQ_FROM_NAME From: name same as To: address | |
3186 | endif | |
3187 | ##} PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
3188 | ||
3189 | ##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3190 | ||
3191 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
| | # Hits when either attachment sub-rule (__PHISH_ATTACH_01_01 or __PHISH_ATTACH_01_02) hits | |
| | # and __HAS_SENDER does not. | |
| | # The whole rule sits inside ifplugin: without the MIMEHeader plugin it is not defined at all. | |
| | # Confirm the plugin is loaded on every scanner if this detection is relied on. | |
| | # NOTE(review): the sub-rules and __HAS_SENDER are defined outside this view. | |
3192 | meta PHISH_ATTACH (__PHISH_ATTACH_01_01 || __PHISH_ATTACH_01_02) && !__HAS_SENDER | |
3193 | describe PHISH_ATTACH Attachment filename suspicious, probable phishing | |
3194 | tflags PHISH_ATTACH publish | |
3195 | endif | |
3196 | ##} PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3197 | ||
3198 | ##{ PHISH_AZURE_CLOUDAPP | |
3199 | ||
| | # uri rule: tested against URIs extracted from the message. | |
| | # The pattern is anchored at the scheme. The lookahead requires the host to end in | |
| | # .cloudapp.azure.com, and the alternation then enumerates specific name.region labels. | |
| | # The label must start right after "://" and the host must be followed by "/". Dots are | |
| | # escaped, so hosts that merely contain these strings do not match. | |
| | # This is a fixed list of host names. NOTE(review): entries are point-in-time indicators; | |
| | # review the list periodically, since cloud host labels can be released and reused. | |
3200 | uri PHISH_AZURE_CLOUDAPP m;^https?://(?=[^/]+\.cloudapp\.azure\.com)(?:(?:b(?:illetedecalle\.northeurope|urofaxnotificado\.eastus)|comprobante(?:digital\.southcentralus|fiscale\.eastus)|infracciondeestacionamiento(?:\.eastus|s\.ukwest)|multa(?:detrafico\.eastus|prev\.eastus|s\.(?:eastus|southcentralus))|notificadosburofax\.eastus|penadetransitomulta\.eastus))\.cloudapp\.azure\.com/;i | |
3201 | describe PHISH_AZURE_CLOUDAPP Link to known phishing web application | |
3202 | #score PHISH_AZURE_CLOUDAPP 3.500 | |
3203 | tflags PHISH_AZURE_CLOUDAPP publish | |
3204 | ##} PHISH_AZURE_CLOUDAPP | |
3205 | ||
3206 | ##{ PHISH_FBASEAPP | |
3207 | ||
3208 | meta PHISH_FBASEAPP __PHISH_FBASE_01 | |
3209 | describe PHISH_FBASEAPP Probable phishing via hosted web app | |
3210 | #score PHISH_FBASEAPP 3.000 # limit | |
3211 | tflags PHISH_FBASEAPP publish | |
3212 | ##} PHISH_FBASEAPP | |
3213 | ||
3214 | ##{ PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
3215 | ||
3216 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
3217 | meta PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF | |
3218 | describe PHOTO_EDITING_DIRECT Image editing service, direct to MX | |
3219 | # score PHOTO_EDITING_DIRECT 3.000 # limit | |
3220 | endif | |
3221 | ##} PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
3222 | ||
3223 | ##{ PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
3224 | ||
3225 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
3226 | meta PHOTO_EDITING_FREEM __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) | |
3227 | describe PHOTO_EDITING_FREEM Image editing service, freemail or CHN replyto | |
3228 | # score PHOTO_EDITING_FREEM 3.750 # limit | |
3229 | endif | |
3230 | ##} PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
3231 | ||
3232 | ##{ PHP_NOVER_MUA | |
3233 | ||
| | # PHP_NOVER_MUA is split across three sections. This one holds the unconditional description | |
| | # and flags; the next two each supply the meta expression, selected by whether the DKIM plugin | |
| | # is loaded. Exactly one of the two meta lines is active in a given configuration. | |
3234 | describe PHP_NOVER_MUA Mail from PHP with no version number | |
3235 | #score PHP_NOVER_MUA 3.000 # limit | |
3236 | tflags PHP_NOVER_MUA publish | |
3237 | ##} PHP_NOVER_MUA | |
3238 | ||
3239 | ##{ PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
3240 | ||
3241 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
| | # Variant without DKIM: the same expression as the DKIM variant minus the !__DKIM_DEPENDABLE term. | |
3242 | meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH | |
3243 | endif | |
3244 | ##} PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
3245 | ||
3246 | ##{ PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM | |
3247 | ||
3248 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
| | # Variant with DKIM: additionally suppressed when __DKIM_DEPENDABLE hits. | |
| | # The rule therefore behaves differently on scanners with and without the DKIM plugin. | |
| | # Keep plugin sets aligned across scanners so the same message gets the same verdict. | |
3249 | meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH | |
3250 | endif | |
3251 | ##} PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM | |
3252 | ||
3253 | ##{ PHP_ORIG_SCRIPT | |
3254 | ||
3255 | meta PHP_ORIG_SCRIPT __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO && !__MSGID_BEFORE_RECEIVED && !MSGID_FROM_MTA_HEADER | |
3256 | describe PHP_ORIG_SCRIPT Sent by bot & other signs | |
3257 | #score PHP_ORIG_SCRIPT 2.500 # limit | |
3258 | tflags PHP_ORIG_SCRIPT publish | |
3259 | ##} PHP_ORIG_SCRIPT | |
3260 | ||
3261 | ##{ PHP_ORIG_SCRIPT_EVAL | |
3262 | ||
3263 | meta PHP_ORIG_SCRIPT_EVAL __PHP_ORIG_SCRIPT_EVAL | |
3264 | describe PHP_ORIG_SCRIPT_EVAL From suspicious PHP source | |
3265 | #score PHP_ORIG_SCRIPT_EVAL 3.000 # limit | |
3266 | ##} PHP_ORIG_SCRIPT_EVAL | |
3267 | ||
3268 | ##{ PHP_SCRIPT | |
3269 | ||
3270 | meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT | |
3271 | describe PHP_SCRIPT Sent by PHP script | |
3272 | #score PHP_SCRIPT 2.500 # limit | |
3273 | tflags PHP_SCRIPT publish | |
3274 | ##} PHP_SCRIPT | |
3275 | ||
3276 | ##{ PHP_SCRIPT_MUA | |
3277 | ||
3278 | meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA | |
3279 | describe PHP_SCRIPT_MUA Sent by PHP script, no version number | |
3280 | #score PHP_SCRIPT_MUA 2.000 # limit | |
3281 | tflags PHP_SCRIPT_MUA publish | |
3282 | ##} PHP_SCRIPT_MUA | |
3283 | ||
3284 | ##{ POSSIBLE_APPLE_PHISH_02 | |
3285 | ||
| | # The *_PHISH_02 rules share one shape: a brand-name test on the From display name | |
| | # (__FROM_NAME_*COM) combined with the absence of a matching Received indicator (__HDR_RCVD_*). | |
| | # NOTE(review): the __HDR_RCVD_* sub-rules are defined outside this view. If they match any | |
| | # Received header rather than only those added by trusted relays, their result depends on | |
| | # header content the scanner cannot verify. Confirm their scope before relying on these rules. | |
| | # None of the four rules in this group has a score line in this file. | |
3286 | meta POSSIBLE_APPLE_PHISH_02 (__FROM_NAME_APPLECOM && !__HDR_RCVD_APPLE) | |
3287 | describe POSSIBLE_APPLE_PHISH_02 Claims to be from apple but not processed by any apple MTA | |
3288 | tflags POSSIBLE_APPLE_PHISH_02 publish | |
3289 | ##} POSSIBLE_APPLE_PHISH_02 | |
3290 | ||
3291 | ##{ POSSIBLE_EBAY_PHISH_02 | |
3292 | ||
3293 | meta POSSIBLE_EBAY_PHISH_02 (__FROM_NAME_EBAYCOM && !__HDR_RCVD_EBAY) | |
3294 | describe POSSIBLE_EBAY_PHISH_02 Claims to be from ebay but not processed by any ebay MTA | |
3295 | tflags POSSIBLE_EBAY_PHISH_02 publish | |
3296 | ##} POSSIBLE_EBAY_PHISH_02 | |
3297 | ||
3298 | ##{ POSSIBLE_PAYPAL_PHISH_01 | |
3299 | ||
| | # Different shape from the _02 rules: brand name in the From display name plus __NAME_EMAIL_DIFF. | |
| | # __NAME_EMAIL_DIFF is a sub-rule distinct from the NAME_EMAIL_DIFF rule defined in this file, | |
| | # and its definition is outside this view. | |
| | # POSSIBLE_PAYPAL_PHISH_01 and POSSIBLE_PAYPAL_PHISH_02 do not exclude each other and can | |
| | # both hit the same message. | |
3300 | meta POSSIBLE_PAYPAL_PHISH_01 (__FROM_NAME_PAYPALCOM && __NAME_EMAIL_DIFF) | |
3301 | describe POSSIBLE_PAYPAL_PHISH_01 Claims to be from paypal but has non-paypal from email address | |
3302 | tflags POSSIBLE_PAYPAL_PHISH_01 publish | |
3303 | ##} POSSIBLE_PAYPAL_PHISH_01 | |
3304 | ||
3305 | ##{ POSSIBLE_PAYPAL_PHISH_02 | |
3306 | ||
3307 | meta POSSIBLE_PAYPAL_PHISH_02 (__FROM_NAME_PAYPALCOM && !__HDR_RCVD_PAYPAL) | |
3308 | describe POSSIBLE_PAYPAL_PHISH_02 Claims to be from paypal but not processed by any paypal MTA | |
3309 | tflags POSSIBLE_PAYPAL_PHISH_02 publish | |
3310 | ##} POSSIBLE_PAYPAL_PHISH_02 | |
3311 | ||
3312 | ##{ PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal) | |
3313 | ||
3314 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
3315 | if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal) | |
| | # Eval rule implemented by the MIMEEval plugin. The detection logic lives in the plugin, not | |
| | # in this file; per the description it flags text/plain content declared as ASCII that is not. | |
| | # Two guards apply: the plugin must be loaded and must advertise the capability. On scanners | |
| | # where either guard fails the rule is not defined at all. | |
3316 | body PP_MIME_FAKE_ASCII_TEXT eval:check_for_ascii_text_illegal() | |
3317 | describe PP_MIME_FAKE_ASCII_TEXT MIME text/plain claims to be ASCII but isn't | |
3318 | # score PP_MIME_FAKE_ASCII_TEXT 1.0 | |
3319 | tflags PP_MIME_FAKE_ASCII_TEXT publish | |
3320 | endif | |
3321 | endif | |
3322 | ##} PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal) | |
3323 | ||
3324 | ##{ PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) | |
3325 | ||
3326 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
3327 | if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) | |
| | # PP_TOO_MUCH_UNICODE02 and PP_TOO_MUCH_UNICODE05 call the same MIMEEval function with | |
| | # thresholds 0.02 and 0.05 and carry identical description text. | |
| | # NOTE(review): how the ratio is computed is defined in the plugin, outside this view. If the | |
| | # argument is a lower bound, any message that hits the 0.05 rule also hits this one and the | |
| | # two scores add up; confirm before setting scores. | |
3328 | body PP_TOO_MUCH_UNICODE02 eval:check_abundant_unicode_ratio(0.02) | |
3329 | describe PP_TOO_MUCH_UNICODE02 Is text/plain but has many unicode escapes | |
3330 | # score PP_TOO_MUCH_UNICODE02 0.5 | |
3331 | tflags PP_TOO_MUCH_UNICODE02 publish | |
3332 | endif | |
3333 | endif | |
3334 | ##} PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) | |
3335 | ||
3336 | ##{ PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) | |
3337 | ||
3338 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
3339 | if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) | |
| | # Same check as PP_TOO_MUCH_UNICODE02 with the higher threshold 0.05. | |
3340 | body PP_TOO_MUCH_UNICODE05 eval:check_abundant_unicode_ratio(0.05) | |
3341 | describe PP_TOO_MUCH_UNICODE05 Is text/plain but has many unicode escapes | |
3342 | # score PP_TOO_MUCH_UNICODE05 1.0 | |
3343 | tflags PP_TOO_MUCH_UNICODE05 publish | |
3344 | endif | |
3345 | endif | |
3346 | ##} PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) | |
3347 | ||
3348 | ##{ PUMPDUMP | |
3349 | ||
| | # PUMPDUMP and PUMPDUMP_MULTI split the same ten phrase sub-rules (__PUMPDUMP_01 .. _10). | |
| | # This rule hits when any one sub-rule hits and PUMPDUMP_MULTI does not. | |
| | # Net effect, assuming each sub-rule contributes at most 1 to the sum: exactly one phrase | |
| | # gives PUMPDUMP, two or more give PUMPDUMP_MULTI, and the two never hit together. | |
3350 | meta PUMPDUMP (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI | |
3351 | describe PUMPDUMP Pump-and-dump stock scam phrase | |
3352 | #score PUMPDUMP 1.000 # limit | |
3353 | tflags PUMPDUMP publish | |
3354 | ##} PUMPDUMP | |
3355 | ||
3356 | ##{ PUMPDUMP_MULTI | |
3357 | ||
| | # Sums the hit values of the ten phrase sub-rules and hits when the total is greater than 1. | |
| | # When adding an eleventh phrase sub-rule, update both this sum and the OR list in PUMPDUMP, | |
| | # or the two rules fall out of step. | |
3358 | meta PUMPDUMP_MULTI (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1 | |
3359 | describe PUMPDUMP_MULTI Pump-and-dump stock scam phrases | |
3360 | #score PUMPDUMP_MULTI 3.500 # limit | |
3361 | tflags PUMPDUMP_MULTI publish | |
3362 | ##} PUMPDUMP_MULTI | |
3363 | ||
3364 | ##{ PUMPDUMP_TIP | |
3365 | ||
3366 | meta PUMPDUMP_TIP __PD_CNT_1 && __STOCK_TIP | |
3367 | describe PUMPDUMP_TIP Pump-and-dump stock tip | |
3368 | tflags PUMPDUMP_TIP publish | |
3369 | ##} PUMPDUMP_TIP | |
3370 | ||
3371 | ##{ RAND_HEADER_LIST_SPOOF | |
3372 | ||
3373 | meta RAND_HEADER_LIST_SPOOF __RAND_HEADER && __LIST_PARTIAL | |
3374 | describe RAND_HEADER_LIST_SPOOF Random gibberish message header(s) + pretending to be a mailing list | |
3375 | #score RAND_HEADER_LIST_SPOOF 3.000 # limit | |
3376 | tflags RAND_HEADER_LIST_SPOOF publish | |
3377 | ##} RAND_HEADER_LIST_SPOOF | |
3378 | ||
3379 | ##{ RAND_HEADER_MANY | |
3380 | ||
 | # Thin wrapper: re-exports the single sub-rule __RAND_HEADER_2 under a name without the | |
 | # leading double underscore, so it can be scored and reported. The detection logic itself | |
 | # is in __RAND_HEADER_2, which is not defined in this section. | |
3381 | meta RAND_HEADER_MANY __RAND_HEADER_2 | |
3382 | describe RAND_HEADER_MANY Multiple random gibberish message headers | |
3383 | #score RAND_HEADER_MANY 3.000 # limit | |
3384 | tflags RAND_HEADER_MANY publish | |
3385 | ##} RAND_HEADER_MANY | |
3386 | ||
3387 | ##{ RAND_MKTG_HEADER | |
3388 | ||
 | # __RAND_MKTG_HEADER is the detector; the three negated sub-rules are exclusions that suppress the hit. | |
 | # Judging by their names they cover bounce relays, a Thread-Index header and an X-Mailing-List header; | |
 | # their definitions are outside this section - verify before relying on that reading. | |
3389 | meta RAND_MKTG_HEADER __RAND_MKTG_HEADER && !__HAVE_BOUNCE_RELAYS && !__HAS_THREAD_INDEX && !__HAS_X_MAILING_LIST | |
3390 | describe RAND_MKTG_HEADER Has partially-randomized marketing/tracking header(s) | |
3391 | #score RAND_MKTG_HEADER 2.000 # limit | |
3392 | tflags RAND_MKTG_HEADER publish | |
3393 | ##} RAND_MKTG_HEADER | |
3394 | ||
3395 | ##{ RATWARE_NO_RDNS | |
3396 | ||
 | # All four sub-rules must hit: __RATWARE_BOUND_A, __RDNS_NONE, __MIME_HTML and __MISSING_REF. | |
 | # The description mentions a suspicious MsgID; which sub-rule inspects it cannot be told from this section. | |
 | # NOTE(review): this block has no tflags line, unlike most neighbouring rules, which set "publish". | |
3397 | meta RATWARE_NO_RDNS __RATWARE_BOUND_A && __RDNS_NONE && __MIME_HTML && __MISSING_REF | |
3398 | describe RATWARE_NO_RDNS Suspicious MsgID and MIME boundary + no rDNS | |
3399 | #score RATWARE_NO_RDNS 3.000 # limit | |
3400 | ##} RATWARE_NO_RDNS | |
3401 | ||
3402 | ##{ RCVD_BAD_ID | |
3403 | ||
 | # Matches "id", whitespace, a run of characters from [a-zA-Z0-9_+/\,-], and then either one of the | |
 | # listed punctuation characters or a semicolon followed directly by a non-space character. | |
 | # "." and ":" are in neither character class, so an id that continues with one of them does not match there. | |
 | # The "#" inside the class is written "\#" because an unescaped "#" starts a comment in this config format. | |
 | # Received lines added before the first trusted relay are sender-supplied text, which is what this inspects. | |
3404 | header RCVD_BAD_ID Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*<=>?\@\[\]^\`{|}~]|;\S)/ | |
3405 | describe RCVD_BAD_ID Received header contains id field with bad characters | |
3406 | ##} RCVD_BAD_ID | |
3407 | ||
3408 | ##{ RCVD_DBL_DQ | |
3409 | ||
 | # Matches two bracketed dotted quads written back to back, e.g. "[192.0.2.1][192.0.2.2]" (constructed sample). | |
 | # Each octet is \d+, so the pattern checks shape only, not that the values are valid IPv4 octets. | |
 | # The description is generic; this comment is the only place the doubled-address condition is spelled out. | |
3410 | header RCVD_DBL_DQ Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/ | |
3411 | describe RCVD_DBL_DQ Malformatted message header | |
3412 | tflags RCVD_DBL_DQ publish | |
3413 | ##} RCVD_DBL_DQ | |
3414 | ||
3415 | ##{ RCVD_DOTEDU_SHORT | |
3416 | ||
 | # __RCVD_DOTEDU_SHORT is the detector. The hit is suppressed when ALL_TRUSTED, __FS_SUBJ_RE or | |
 | # __HAS_LIST_ID matches, i.e. those three act as exclusions. None of the four is defined in this section. | |
3417 | meta RCVD_DOTEDU_SHORT __RCVD_DOTEDU_SHORT && !ALL_TRUSTED && !__FS_SUBJ_RE && !__HAS_LIST_ID | |
3418 | describe RCVD_DOTEDU_SHORT Via .edu MTA + short message | |
3419 | #score RCVD_DOTEDU_SHORT 1.500 # limit | |
3420 | tflags RCVD_DOTEDU_SHORT publish | |
3421 | ##} RCVD_DOTEDU_SHORT | |
3422 | ||
3423 | ##{ RCVD_DOTEDU_SUSP_URI | |
3424 | ||
 | # Thin wrapper around the sub-rule __RCVD_DOTEDU_SUSP_URI, which holds the actual logic and is not | |
 | # defined in this section. Unlike RCVD_DOTEDU_SHORT, no exclusions are applied at this level. | |
3425 | meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI | |
3426 | describe RCVD_DOTEDU_SUSP_URI Via .edu MTA + suspicious URI | |
3427 | #score RCVD_DOTEDU_SUSP_URI 3.000 # limit | |
3428 | tflags RCVD_DOTEDU_SUSP_URI publish | |
3429 | ##} RCVD_DOTEDU_SUSP_URI | |
3430 | ||
3431 | ##{ RCVD_FORGED_WROTE | |
3432 | ||
 | # Looks for " by HOST with esmtp (AAAAAA BBB) id", where the parenthesised part is two space-separated | |
 | # tokens of at least 6 and at least 3 characters, neither containing a lowercase letter or a space. | |
 | # There is no /i flag, so "esmtp" must be lowercase and [^a-z ] really does exclude only lowercase letters. | |
3433 | header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/ | |
3434 | describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam) | |
3435 | ##} RCVD_FORGED_WROTE | |
3436 | ||
3437 | ##{ RCVD_FORGED_WROTE2 | |
3438 | ||
 | # Matches a Received line of the form "from <digits/dots> (HELO ...) by HOST with esmtp (X Y) id 6-6-2 for user@HOST;". | |
 | # The backreference \1 requires the recipient domain to be identical to the "by" host captured earlier. | |
 | # The id must be three dash-separated groups of 6, 6 and 2 non-space characters. | |
 | # NOTE(review): this rule has no describe line, so a hit is reported without explanatory text. | |
3439 | header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s | |
3440 | ##} RCVD_FORGED_WROTE2 | |
3441 | ||
3442 | ##{ RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3443 | ||
3444 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
 | # check_rbl_sub issues no DNS query of its own: it tests the answer already obtained for the lookup set | |
 | # named in the first argument ('iadb-firsttrusted'). The check_rbl rule that performs that lookup is not | |
 | # in this section. A dotted-quad second argument is compared against the address the list returned. | |
 | # tflags: "net" = needs network access; "nice" = rule is meant to carry a negative (ham-leaning) score. | |
3445 | header RCVD_IN_IADB_DK eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.3') | |
3446 | describe RCVD_IN_IADB_DK IADB: Sender publishes Domain Keys record | |
3447 | tflags RCVD_IN_IADB_DK net nice | |
3448 | endif | |
3449 | ##} RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3450 | ||
3451 | ##{ RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3452 | ||
3453 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3454 | header RCVD_IN_IADB_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.10') | |
3455 | describe RCVD_IN_IADB_DOPTIN IADB: All mailing list mail is confirmed opt-in | |
3456 | tflags RCVD_IN_IADB_DOPTIN net nice | |
3457 | endif | |
3458 | ##} RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3459 | ||
3460 | ##{ RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3461 | ||
3462 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3463 | header RCVD_IN_IADB_DOPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.9') | |
3464 | describe RCVD_IN_IADB_DOPTIN_GT50 IADB: Confirmed opt-in used more than 50% of the time | |
3465 | tflags RCVD_IN_IADB_DOPTIN_GT50 net nice | |
3466 | endif | |
3467 | ##} RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3468 | ||
3469 | ##{ RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3470 | ||
3471 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3472 | header RCVD_IN_IADB_DOPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.8') | |
3473 | describe RCVD_IN_IADB_DOPTIN_LT50 IADB: Confirmed opt-in used less than 50% of the time | |
3474 | tflags RCVD_IN_IADB_DOPTIN_LT50 net nice | |
3475 | endif | |
3476 | ##} RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3477 | ||
3478 | ##{ RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3479 | ||
3480 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3481 | header RCVD_IN_IADB_EDDB eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.1') | |
3482 | describe RCVD_IN_IADB_EDDB IADB: Participates in Email Deliverability Database | |
3483 | tflags RCVD_IN_IADB_EDDB net nice | |
3484 | endif | |
3485 | ##} RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3486 | ||
3487 | ##{ RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3488 | ||
3489 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3490 | header RCVD_IN_IADB_EPIA eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.2') | |
3491 | describe RCVD_IN_IADB_EPIA IADB: Member of Email Processing Industry Alliance | |
3492 | tflags RCVD_IN_IADB_EPIA net nice | |
3493 | endif | |
3494 | ##} RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3495 | ||
3496 | ##{ RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3497 | ||
3498 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3499 | header RCVD_IN_IADB_GOODMAIL eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.103') | |
3500 | describe RCVD_IN_IADB_GOODMAIL IADB: Sender has been certified by GoodMail | |
3501 | tflags RCVD_IN_IADB_GOODMAIL net nice | |
3502 | endif | |
3503 | ##} RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3504 | ||
3505 | ##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3506 | ||
3507 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
 | # Unlike the sibling IADB rules, the sub-test here is a regular expression, anchored at both ends, | |
 | # that accepts exactly 127.0.0.1 or 127.0.0.2 as the returned address. | |
 | # It tests the answer of the 'iadb-firsttrusted' lookup set, whose check_rbl rule is not in this section. | |
3508 | header RCVD_IN_IADB_LISTED eval:check_rbl_sub('iadb-firsttrusted', '^127\.0\.0\.[12]$') | |
3509 | describe RCVD_IN_IADB_LISTED Participates in the IADB system | |
3510 | tflags RCVD_IN_IADB_LISTED net nice | |
3511 | endif | |
3512 | ##} RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3513 | ||
3514 | ##{ RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3515 | ||
3516 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
 | # NOTE(review): the description reports a weak consent practice (addresses added without opt-in), yet the | |
 | # rule is flagged "nice", i.e. expected to carry a negative score. No score is set in this block; confirm | |
 | # that the score assigned elsewhere keeps this informational rather than crediting the sender. | |
3517 | header RCVD_IN_IADB_LOOSE eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.4') | |
3518 | describe RCVD_IN_IADB_LOOSE IADB: Adds relationship addrs w/out opt-in | |
3519 | tflags RCVD_IN_IADB_LOOSE net nice | |
3520 | endif | |
3521 | ##} RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3522 | ||
3523 | ##{ RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3524 | ||
3525 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3526 | header RCVD_IN_IADB_MI_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.1.10') | |
3527 | describe RCVD_IN_IADB_MI_CPEAR IADB: Complies with Michigan's CPEAR law | |
3528 | tflags RCVD_IN_IADB_MI_CPEAR net nice | |
3529 | endif | |
3530 | ##} RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3531 | ||
3532 | ##{ RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3533 | ||
3534 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3535 | header RCVD_IN_IADB_MI_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.101.10') | |
3536 | describe RCVD_IN_IADB_MI_CPR_30 IADB: Checked lists against Michigan's CPR within 30 days | |
3537 | tflags RCVD_IN_IADB_MI_CPR_30 net nice | |
3538 | endif | |
3539 | ##} RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3540 | ||
3541 | ##{ RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3542 | ||
3543 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3544 | header RCVD_IN_IADB_MI_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.201.10') | |
3545 | describe RCVD_IN_IADB_MI_CPR_MAT IADB: Sends no material under Michigan's CPR | |
3546 | tflags RCVD_IN_IADB_MI_CPR_MAT net nice | |
3547 | endif | |
3548 | ##} RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3549 | ||
3550 | ##{ RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3551 | ||
3552 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3553 | header RCVD_IN_IADB_ML_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.100') | |
3554 | describe RCVD_IN_IADB_ML_DOPTIN IADB: Mailing list email only, confirmed opt-in | |
3555 | tflags RCVD_IN_IADB_ML_DOPTIN net nice | |
3556 | endif | |
3557 | ##} RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3558 | ||
3559 | ##{ RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3560 | ||
3561 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
 | # NOTE(review): the description says the sender has no mailing controls at all, yet the rule is flagged | |
 | # "nice", i.e. expected to carry a negative score. No score is set in this block; confirm that the score | |
 | # assigned elsewhere does not turn this listing into a credit for the sender. | |
3562 | header RCVD_IN_IADB_NOCONTROL eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.0') | |
3563 | describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing controls in place | |
3564 | tflags RCVD_IN_IADB_NOCONTROL net nice | |
3565 | endif | |
3566 | ##} RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3567 | ||
3568 | ##{ RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3569 | ||
3570 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3571 | header RCVD_IN_IADB_OOO eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.200') | |
3572 | describe RCVD_IN_IADB_OOO IADB: One-to-one/transactional email only | |
3573 | tflags RCVD_IN_IADB_OOO net nice | |
3574 | endif | |
3575 | ##} RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3576 | ||
3577 | ##{ RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3578 | ||
3579 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3580 | header RCVD_IN_IADB_OPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.7') | |
3581 | describe RCVD_IN_IADB_OPTIN IADB: All mailing list mail is opt-in | |
3582 | tflags RCVD_IN_IADB_OPTIN net nice | |
3583 | endif | |
3584 | ##} RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3585 | ||
3586 | ##{ RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3587 | ||
3588 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3589 | header RCVD_IN_IADB_OPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.6') | |
3590 | describe RCVD_IN_IADB_OPTIN_GT50 IADB: Opt-in used more than 50% of the time | |
3591 | tflags RCVD_IN_IADB_OPTIN_GT50 net nice | |
3592 | endif | |
3593 | ##} RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3594 | ||
3595 | ##{ RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3596 | ||
3597 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3598 | header RCVD_IN_IADB_OPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.5') | |
3599 | describe RCVD_IN_IADB_OPTIN_LT50 IADB: Opt-in used less than 50% of the time | |
3600 | tflags RCVD_IN_IADB_OPTIN_LT50 net nice | |
3601 | endif | |
3602 | ##} RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3603 | ||
3604 | ##{ RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3605 | ||
3606 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
 | # NOTE(review): the description reports address scraping with opt-out only, yet the rule is flagged | |
 | # "nice", i.e. expected to carry a negative score. No score is set in this block; confirm that the score | |
 | # assigned elsewhere does not turn this listing into a credit for the sender. | |
3607 | header RCVD_IN_IADB_OPTOUTONLY eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.1') | |
3608 | describe RCVD_IN_IADB_OPTOUTONLY IADB: Scrapes addresses, pure opt-out only | |
3609 | tflags RCVD_IN_IADB_OPTOUTONLY net nice | |
3610 | endif | |
3611 | ##} RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3612 | ||
3613 | ##{ RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3614 | ||
3615 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3616 | header RCVD_IN_IADB_RDNS eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.4') | |
3617 | describe RCVD_IN_IADB_RDNS IADB: Sender has reverse DNS record | |
3618 | tflags RCVD_IN_IADB_RDNS net nice | |
3619 | endif | |
3620 | ##} RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3621 | ||
3622 | ##{ RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3623 | ||
3624 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3625 | header RCVD_IN_IADB_SENDERID eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.2') | |
3626 | describe RCVD_IN_IADB_SENDERID IADB: Sender publishes Sender ID record | |
3627 | tflags RCVD_IN_IADB_SENDERID net nice | |
3628 | endif | |
3629 | ##} RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3630 | ||
3631 | ##{ RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3632 | ||
3633 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3634 | header RCVD_IN_IADB_SPF eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.1') | |
3635 | describe RCVD_IN_IADB_SPF IADB: Sender publishes SPF record | |
3636 | tflags RCVD_IN_IADB_SPF net nice | |
3637 | endif | |
3638 | ##} RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3639 | ||
3640 | ##{ RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3641 | ||
3642 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
 | # NOTE(review): the description reports unverified sign-ups, yet the rule is flagged "nice", i.e. expected | |
 | # to carry a negative score. No score is set in this block; confirm that the score assigned elsewhere | |
 | # keeps this informational rather than crediting the sender. | |
3643 | header RCVD_IN_IADB_UNVERIFIED_1 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.2') | |
3644 | describe RCVD_IN_IADB_UNVERIFIED_1 IADB: Accepts unverified sign-ups | |
3645 | tflags RCVD_IN_IADB_UNVERIFIED_1 net nice | |
3646 | endif | |
3647 | ##} RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3648 | ||
3649 | ##{ RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3650 | ||
3651 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
 | # NOTE(review): the description reports unverified sign-ups with an opt-out offered afterwards, yet the | |
 | # rule is flagged "nice", i.e. expected to carry a negative score. No score is set in this block; confirm | |
 | # that the score assigned elsewhere keeps this informational rather than crediting the sender. | |
3652 | header RCVD_IN_IADB_UNVERIFIED_2 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.3') | |
3653 | describe RCVD_IN_IADB_UNVERIFIED_2 IADB: Accepts unverified sign-ups, gives chance to opt out | |
3654 | tflags RCVD_IN_IADB_UNVERIFIED_2 net nice | |
3655 | endif | |
3656 | ##} RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3657 | ||
3658 | ##{ RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3659 | ||
3660 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3661 | header RCVD_IN_IADB_UT_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.2.10') | |
3662 | describe RCVD_IN_IADB_UT_CPEAR IADB: Complies with Utah's CPEAR law | |
3663 | tflags RCVD_IN_IADB_UT_CPEAR net nice | |
3664 | endif | |
3665 | ##} RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3666 | ||
3667 | ##{ RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3668 | ||
3669 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3670 | header RCVD_IN_IADB_UT_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.102.10') | |
3671 | describe RCVD_IN_IADB_UT_CPR_30 IADB: Checked lists against Utah's CPR within 30 days | |
3672 | tflags RCVD_IN_IADB_UT_CPR_30 net nice | |
3673 | endif | |
3674 | ##} RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3675 | ||
3676 | ##{ RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3677 | ||
3678 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3679 | header RCVD_IN_IADB_UT_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.202.10') | |
3680 | describe RCVD_IN_IADB_UT_CPR_MAT IADB: Sends no material under Utah's CPR | |
3681 | tflags RCVD_IN_IADB_UT_CPR_MAT net nice | |
3682 | endif | |
3683 | ##} RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3684 | ||
3685 | ##{ RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # { | |
3686 | ||
3687 | ifplugin Mail::SpamAssassin::Plugin::DNSEval # { | |
 | # check_rbl queries the DNS list zone given as the second argument and stores the answer under the set | |
 | # name given as the first. The "-lastexternal" suffix on the set name limits the lookup to the last | |
 | # external relay, i.e. the host that handed the message to the local network. | |
 | # The trailing dot makes the zone name fully qualified. tflags "net" = needs network access. | |
 | # The verdict depends on a third-party DNS service; lookups that fail or time out produce no hit. | |
3688 | header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.') | |
3689 | describe RCVD_IN_PSBL Received via a relay in PSBL | |
3690 | tflags RCVD_IN_PSBL net | |
3691 | endif | |
3692 | ##} RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # { | |
3693 | ||
3694 | ##{ RCVD_MAIL_COM | |
3695 | ||
 | # Matches "post.com" or "mail.com" only as a bare host name: the character before it must be whitespace, | |
 | # "(" or "[", and the character after it whitespace, ")" or "]". A longer name such as | |
 | # "smtp.mail.com" does not match, because the preceding "." is not in the delimiter class. | |
3696 | header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is | |
3697 | describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com) | |
3698 | ##} RCVD_MAIL_COM | |
3699 | ||
3700 | ##{ RDNS_LOCALHOST | |
3701 | ||
 | # Tests the X-Spam-Relays-External pseudo-header. The pattern is anchored with ^, so only the first | |
 | # relay entry is examined. It hits when that entry's rdns is "localhost" or "localhost.localdomain". | |
 | # (?!127) skips addresses beginning with 127; no other non-public range is excluded by this pattern, | |
 | # and an IPv6 relay cannot match because ip= must be a dotted quad. | |
3702 | header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i | |
3703 | describe RDNS_LOCALHOST Sender's public rDNS is "localhost" | |
3704 | ##} RDNS_LOCALHOST | |
3705 | ||
3706 | ##{ RDNS_NUM_TLD_ATCHNX | |
3707 | ||
 | # Requires both sub-rules: __RDNS_NUMERIC_TLD and __ATTACH_NAME_NO_EXT. By name the second presumably | |
 | # flags an attachment whose file name has no extension; its definition is outside this section - confirm. | |
3708 | meta RDNS_NUM_TLD_ATCHNX __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT | |
3709 | describe RDNS_NUM_TLD_ATCHNX Relay rDNS has numeric TLD + suspicious attachment | |
3710 | #score RDNS_NUM_TLD_ATCHNX 3.000 # limit | |
3711 | tflags RDNS_NUM_TLD_ATCHNX publish | |
3712 | ##} RDNS_NUM_TLD_ATCHNX | |
3713 | ||
3714 | ##{ RDNS_NUM_TLD_XM | |
3715 | ||
 | # Requires __RDNS_NUMERIC_TLD plus at least one of the four __HAS_XM_* sub-rules (SID, LID, RECPTID, SENTBY). | |
 | # The description calls these "suspicious headers"; the header names they test are defined outside this section. | |
3716 | meta RDNS_NUM_TLD_XM __RDNS_NUMERIC_TLD && (__HAS_XM_SID || __HAS_XM_LID || __HAS_XM_RECPTID || __HAS_XM_SENTBY) | |
3717 | describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious headers | |
3718 | #score RDNS_NUM_TLD_XM 3.000 # limit | |
3719 | tflags RDNS_NUM_TLD_XM publish | |
3720 | ##} RDNS_NUM_TLD_XM | |
3721 | ||
3722 | ##{ READY_TO_SHIP | |
3723 | ||
 | # Case-insensitive body rule: one alternation of stock/warehouse/shipping sales phrases | |
 | # ("ready to ship ... our warehouse", "just arrived in our warehouse", "we will arrange the shipment", ...). | |
 | # Word runs between the fixed phrases are bounded ({2,8}, {1,6}, {1,3}), which limits how far a match can stretch. | |
 | # NOTE(review): there is no describe or tflags line, and the score line is commented out. | |
3724 | body READY_TO_SHIP /(?:(?:in our (?:stock|warehouse|store)(?: today| now| right away)?[.,:]\s|our (?:\w+,? ){2,8}(?:is |now )+)Ready (?:to (?:be )?|for )+(?:ship|send|deliver)|ready (?:for shipping|to (?:ship|send)) (?:(?:in|from|by) our (?:warehouse|stock)|(?:to|for)(?: global(?:ly)?| worldwide| customers){2})|(?:(?:our|this|a|great|fine|wonderful|cool|popular) new product|we have(?: \w+){1,6} available|ready) in (?:our )?(?:warehouse|stock|store)|just arrived in our warehouse|we will (?:contact the (?:warehouse|logistics) to )?arrange (?:the )?(?:shipment|delivery)|a new (?:\w+ ){1,3}in our warehouse)/i | |
3725 | #score READY_TO_SHIP 1.250 # limit | |
3726 | ##} READY_TO_SHIP | |
3727 | ||
3728 | ##{ REPLYTO_EMPTY | |
3729 | ||
 | # Hits when the Reply-To header contains the literal two-character sequence "<>" anywhere, | |
 | # i.e. an empty angle-bracket address. The pattern is not anchored. | |
3730 | header REPLYTO_EMPTY Reply-To =~ /<>/ | |
3731 | describe REPLYTO_EMPTY Reply-To undeliverable | |
3732 | ##} REPLYTO_EMPTY | |
3733 | ||
3734 | ##{ REPLYTO_WITHOUT_TO_CC | |
3735 | ||
 | # Hits when __HAS_REPLY_TO matches and __TOCC_EXISTS does not; by name, a Reply-To is present while | |
 | # neither To nor Cc is. Both sub-rules are defined outside this section. | |
 | # NOTE(review): there is no describe, score or tflags line for this rule in this block. | |
3736 | meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS) | |
3737 | ##} REPLYTO_WITHOUT_TO_CC | |
3738 | ||
3739 | ##{ REPTO_419_FRAUD | |
3740 | ||
 | # Exact-match list: the address taken from Reply-To (":addr") must equal one of the listed mailboxes. | |
 | # The pattern is anchored with ^ and $ and is case-insensitive. | |
 | # The leading negative lookahead skips addresses at gmail, yahoo, outlook, hotmail, aol, yandex, protonmail, | |
 | # qq and consultant (.com) and at yahoo.co.jp; AOL, consultant.com and Gmail have their own rules below. | |
 | # Being a static list, it catches only mailboxes already reported; a new collector address is not covered. | |
 | # NOTE(review): the entry ending in "\@yahoo\.c" is followed directly by the final "$", so it can only | |
 | # match a domain of exactly "yahoo.c" - it looks like a truncated list entry; confirm upstream. | |
3741 | header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:speakers)\@012\.net\.il|(?:mail)\@101private\.com|(?:(?:alfredcheuk002|fbi_1234|longchii|mavis_wanczyk|qfdonation))\@126\.com|(?:(?:a(?:aronmichaels005|lfredcheuk_yuchow)|ehagler|google_promoaward0?|istarsolar|joeblp|microsoft(?:_office16|award01)|panyawein|wong(?:_shiu(?:09|2016)|shiu_ki)))\@163\.com|(?:(?:navas1|ray\-thomas7h))\@1email\.eu|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:(?:mr\.tonyelumelu|r(?:emittancedept001|ussia2018worldcuplotto5)))\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:info)\@aidakj\.com|(?:(?:a\.aktr|c(?:arlos\.adan|entralbank_malaysia2)|infovsa|maria\.louge|sarahjiwooali|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:adainis|jessikasingh|travisalex))\@aliyun\.com|(?:(?:director|info))\@anletco-jp\.com|(?:(?:deanie_ron|m(?:softgbcmanager|undo\.europe)|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:institutionaldepartment)\@aol\.nl|(?:deajohn)\@arubacloub\.com|(?:djohns)\@arubacloud\.com|(?:jeromecgb12)\@asia\.com|(?:bllphillips)\@att\.net|(?:garry\.quinlan)\@australiamail\.com|(?:(?:traoreahmed|zetiaziz))\@barid\.com|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:noreply\.fujvfes)\@bibliothequegaillard\.com|(?:costruire)\@bigmat\.it|(?:alerts\-noreply)\@bis\.org|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:executivedirector)\@box\.az|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:drbenardsani\.nnpc)\@bsgcpk\.com|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:rim43505)\@cantv\.net|(?:duncanttodd)\@centrum\.cz|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|fbipayment(?:50|600)|harunajim667|ralphwjohnson))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:ird
i33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:dmalpasswb|re(?:covered\-tax|em(?:2018|alhashimi|hashimi2020))))\@daum\.net|(?:rex)\@departmentofsecretary\.com|(?:blythemasters)\@digitalassetholding\.org|(?:(?:diplomaticagent11|jentwistle90))\@diplomats\.com|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:(?:herrick01|rogersteare02))\@e1\.ru|(?:olga\.ingrif)\@ecb-securities\.com|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:no\-reply)\@economizar-na-web\.com\.br|(?:(?:denbrink|kathy_gerald1965|megaclaimcenter))\@email\.com|(?:johnkadiri)\@englandmail\.com|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|claimdpts|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:(?:jeferrey|yakuyaya77))\@financier\.com|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:notice)\@fnb\.co\.za|(?:info)\@fnconsultant\.biz|(?:(?:atmofficeauthoriza|captain\.lucasadam|e(?:golan2|u_payment)|gella1|k(?:aith\-angel|ossihpilip202)|pchwinningoffice1953|qatardonations16|smadartsadik|tepnherve00|worldauthorization))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:o(?:ctaviancm|rlando\.bloom))\@gmx\.co\.uk|(?:(?:a(?:hmet\.broker|lliance\.consultant)|f(?:aridaomar|er3nrod1512)|johnson\.douglas|kevin\-office|p\.hamedmoff|rosicboteruff|walter_anderson))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:joxford)\@gmx\.us|(?:ben\.malbon)\@googlefps\.co\.uk|(?:m\.johnson10012)\@googlemail\.com|(?:larrypage)\@gpa-team\.com|(?:ceo)\@gpromo-team\.com|(?:sundarpichai)\@gpromoteam\.com|(?:sundarpichai)\@
gpromoteamuk\.com|(?:garreth\.webb)\@grossfitconsultancy\.biz|(?:irenegeorgiadou)\@hellenicbankcy\.com|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:williamsdavid_3r)\@hotmail\.co\.uk|(?:christgoldwilliams)\@hotmail\.fr|(?:douglasflint)\@hsbcbank\.group|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:victorwang67)\@imail\.com|(?:01)\@imf-org\.org|(?:chrisdodgshun)\@inbound\.plus|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:janetyellenoffice|off(?:er2021|iceme)))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:sgt\.dave)\@inmano\.com|(?:baankston)\@instruction\.com|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:wbuk0[13])\@katamail\.com|(?:(?:ditmereduart|europsenderscouriers|lewiscarl))\@keemail\.me|(?:mikiwilliams)\@knol-power\.nl|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:philiphampton)\@lec20\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:deqishanmedical1)\@localnet\.com|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:fanliangjen)\@mail\.china\.com|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|eddy_haryono|ghazal\-a|info\.federalreserve\.org|kateclough1|mriamchombo1968|nancyvee80|ren\.deqi212))\@mail\.com|(?:williamsdawson)\@mail\.com\.tr|(?:(?:ayishagddafio|david\.onyeoma\.74|hmtreasyru\.ng|sambo_dasuki))\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:brantwbishop)\@mailbox\.org|(?:epowerball)\@mailbox\.sk|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com
|(?:rbi\-e)\@mit\.tc|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:paul\.chang)\@msn\.com|(?:enquiry)\@multiplysearch\.com|(?:cadpayout01)\@my\.com|(?:(?:contactmee|ministersoffinance))\@mynet\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:zenith)\@nmk\.ugu\.pl|(?:maxedwards)\@octopusinvestment\.co\.uk|(?:lindsaytrembley)\@oimail\.com|(?:googleclaims111)\@one\.lt|(?:accountingdrg)\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:(?:castorock|infobiz2|jarramos|mrsalice09))\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:servicio\.correo)\@orange\.fr|(?:turkish\-air)\@outlook\.com\.tr|(?:(?:ahmed3khan|dpt_transferunionwestern|mr\.onyeadams|rohitjain0))\@outlook\.fr|(?:m\.khan1)\@outlook\.sa|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:info)\@phillipsmorgan\.co\.za|(?:wood)\@poczta\.onet\.eu|(?:m(?:aryjosen|boyaeth))\@post\.com|(?:united\.globeawardoffice)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:jamesmr\.monday)\@rocketmail\.com|(?:(?:g(?:loriacmackenzie001|mackenzie001)|monicatorres001|wanczykmavis101))\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:info)\@roycockrum\.org|(?:mrs\.rachel2013)\@safe-mail\.net|(?:vera)\@safrica\.com|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:peterddeng)\@secsuremailer\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:swat)\@sltdchambers\.com|(?:(?:dycheseaan|sean(?:dyyches|sdychh)))\@sol\.dk|(?
:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:contact\.hmrc\.gov\.uk)\@sudhisalooja\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:xiankailu)\@taiyaubank-hk\.com|(?:mhua)\@tbochk\.com|(?:veronicabright)\@terra\.com\.pe|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:zimcargoservicehelpdesks)\@tlen\.pl|(?:drew)\@ton\.net\.ru|(?:itpark01)\@tpg\.com\.au|(?:bobby\.william)\@tradent\.net|(?:info)\@treasury-departmentdc\.twomini\.com|(?:info)\@treasury-usa\.3eeweb\.com|(?:info)\@un-grant\.info|(?:(?:b(?:lueskyanimatedfilm|rown\.monica_l)|info\.(?:clev\.frb|imfamerica)|policyaddmin\.file))\@usa\.com|(?:bmuczdh)\@virgilio\.it|(?:itgiix)\@visa\.com|(?:vankoning)\@volny\.cz|(?:holt1231)\@w\.cn|(?:infos)\@walmart\.com|(?:daydreamin)\@wanadoo\.fr|(?:(?:foreignoperationmanager|mr\.(?:ikokuoya|olicadams)))\@web\.cg|(?:weboffice05)\@web\.de|(?:b(?:\-calebfirm2007|oriscaleb121))\@webmail\.co\.za|(?:(?:frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:grahamjoneschambers)\@wildblue\.net|(?:e\.shaw)\@wilmagroup\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:stephaniehans\.euromillionlottery)\@yahoo\.be|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|bobwatson92|fundyawa2014|j(?:effwilliam207|oe_modisen)|lloydsbanksb|owengreen70|rebeccajoe98|samue95))\@yahoo\.co\.uk|(?:(?:changgordon(?:61|946)|lordsmartin|revlarrutycoker2015|thomaspeter227|zhu\.shumin))\@yahoo\.com\.hk|(?:imf_office_agent)\@yahoo\.com\.my|(?:(?:dr\.pauljames110|jessicp1))\@yahoo\.com\.sg|(?:boa2cb)\@yahoo\.com\.vn|(?:(?:contactus88\-00|jflangvm5nshyazyo7si6jfuqah6jsldw2kw6c2t|lmj82717|m(?:r\.angelabenjamin|srangelabne32)))\@yahoo\.es|(
?:(?:charlinebebe22|fortinsandrine|rita_will001))\@yahoo\.fr|(?:maktoum\.shasher)\@yahoo\.pt|(?:ukdebtmanagement5)\@yahool\.com|(?:dr\.amelia\.george1)\@yandex\.ru|(?:jayanderson)\@yccaifuu\.com|(?:(?:alfred_cheuk_chow|friedrich_mayrh1|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|feliciamagi|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:(?:asiafoundationorg\.hr|jefflindsay))\@zoho\.com|(?:laprimitivaes)\@zohomail\.eu)$/i | |
3742 | describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox | |
3743 | #score REPTO_419_FRAUD 3.000 | |
3744 | tflags REPTO_419_FRAUD publish | |
3745 | ##} REPTO_419_FRAUD | |
3746 | ||
3747 | ##{ REPTO_419_FRAUD_AOL | |
3748 | ||
 | # Exact-match list of aol.com mailboxes: the positive lookahead first checks that the Reply-To address is | |
 | # at aol.com, then the local part must equal one of the listed names. Anchored with ^ and $, case-insensitive. | |
 | # Local parts are stored as a prefix-merged alternation, so one list entry can be spread over nested groups. | |
 | # Being a static list, it catches only mailboxes already reported. | |
3749 | header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:\.dordevicii|aromartins|f\.2[06]|ljaber111|meliageorge|n(?:d(?:_bley|rew_hans)|ttilimarim)|rthur\.alan)|b(?:aanidleewy|claimdept|rownchurchill2)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|ristinabruno38|ustom_service58)|d(?:avid(?:\.kms|opatry)|hodgkins001|ianwaynie|onald_anderson44)|e(?:ng(?:joej|r\.abdulla)|ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|i(?:sarobinson5\.0|zcarroll101)|orrainewirangee)|m(?:_l\.wanczyk62|aviswanczyk[do]|rs(?:isabelladzsesszika|safiagaddafi))|no(?:rmapatto|tification\.notification)|p(?:a(?:tricia(?:\.hans|hans)|ulpollard2)|eterwong345|otfolio\.management)|r(?:achel_wat2|oyalpalace2018)|s(?:afiiagadafi|gt\.gillianj200|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|w(?:attson\.renwick|ebank244|issam\.haddad|u\.xiabk)|yurdaaytarkan5|zeti\.aziz))\@aol\.com$/i | |
3750 | describe REPTO_419_FRAUD_AOL Reply-To is known advance fee fraud collector mailbox | |
3751 | #score REPTO_419_FRAUD_AOL 3.000 | |
3752 | tflags REPTO_419_FRAUD_AOL publish | |
3753 | ##} REPTO_419_FRAUD_AOL | |
3754 | ||
3755 | ##{ REPTO_419_FRAUD_AOL_LOOSE | |
3756 | ||
 | # Fuzzy companion to REPTO_419_FRAUD_AOL: hits when the sub-rule __REPTO_419_FRAUD_AOL_LOOSE matches and the | |
 | # exact-list rule does not, so one address is never counted by both. The loose pattern itself is defined | |
 | # outside this section. A near-match is weaker evidence than an exact one and can hit unrelated mailboxes; | |
 | # the commented score line (1.000 here, 3.000 on the exact rule) reflects that. | |
3757 | meta REPTO_419_FRAUD_AOL_LOOSE __REPTO_419_FRAUD_AOL_LOOSE && !REPTO_419_FRAUD_AOL | |
3758 | describe REPTO_419_FRAUD_AOL_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox | |
3759 | #score REPTO_419_FRAUD_AOL_LOOSE 1.000 | |
3760 | tflags REPTO_419_FRAUD_AOL_LOOSE publish | |
3761 | ##} REPTO_419_FRAUD_AOL_LOOSE | |
3762 | ||
3763 | ##{ REPTO_419_FRAUD_CNS | |
3764 | ||
 | # Exact-match list of consultant.com mailboxes: the lookahead checks that the Reply-To address is at | |
 | # consultant.com, then the local part must equal one of the listed names. Anchored with ^ and $, case-insensitive. | |
 | # "the\.trustees1?" accepts the name with or without the trailing digit; every other entry is a fixed string. | |
 | # Being a static list, it catches only mailboxes already reported. | |
3765 | header REPTO_419_FRAUD_CNS Reply-To:addr =~ /^(?=[^\s<>@]+\@consultant\.com)(?:(?:anthonyalvarad|davidhenri|legacylawfirmdakar|m(?:iguel\-pinto|orrisherb)|owenschamber|santiagosegur|t(?:eo\.westin|he\.trustees1?|rustees202000)|westernunion1659))\@consultant\.com$/i | |
3766 | describe REPTO_419_FRAUD_CNS Reply-To is known advance fee fraud collector mailbox | |
3767 | #score REPTO_419_FRAUD_CNS 3.000 | |
3768 | tflags REPTO_419_FRAUD_CNS publish | |
3769 | ##} REPTO_419_FRAUD_CNS | |
3770 | ||
3771 | ##{ REPTO_419_FRAUD_GM | |
3772 | ||
3773 | header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|41speedlinkdelivery|7912richardtony|a(?:b(?:d97412345|u(?:lkareem461|shadi0004))|c(?:aalzz11|count\.optionsmr\.jonasarmstrong|e(?:alss11|cere001))|d(?:esilgon77|iallo\.boa)|erofilxeport|gent\.laryedwad|isha(?:1976algaddafi|gaddafiaam)|jaminamo|l(?:\.jo60691737|a(?:n\.austin(?:041|223)|scramac)|ber\.yang222|ex(?:ander(?:daisy911|peterson4499)|hoffman3319|smithznn)|ghafrij13|hajarb|lenholden121|nizmaria|ure\.wawrenka1472)|m(?:b\.w\.stuart\.symington|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|tasomda))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|itaminarnguessan|n(?:a(?:choihkkic|llee091|sigurlaug458)|jenijohnsonn)|t(?:honyalvaradollc|o(?:meuenio|niopaco20consultant)))|r(?:adka01|chibaldhamble|thur11alan)|s(?:h(?:0611jnag|westwood7)|ianbae1010|sistance7agent)|t(?:m(?:mastercard41|office929)|tohlawoffice\.tg)|w1614860|yevayawovi190|zi(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50)))|b(?:a(?:lla250abc|nk(?:centralasiahalobca34|ingcentralng)|ochang7a|r(?:bersmadar75|r(?:\.(?:charles(?:1954|office)|martinrichard)|ister(?:\.fidelisokafor|lordruben94)|ubenjames)|teld\.huisman01))|bongo593|c0996013|e(?:linekra1|n(?:ezero392|jaminsarah195))|i(?:anigercash|ll(?:\.lawrence0747|fhome))|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:a(?:ndy\.heavenscenttt|volpaul55)|endalaporte112|ianmoynih00)|uff(?:ettwarrene21|ookj))|c(?:a(?:ixaseguros9810001|mluba2017|r(?:eisu98|l(?:os\.s\.helux|thomos)|twrighttownhomesllc))|bnatm847|claimsa|e(?:li(?:cerez|neroullier(?:200|nm))|ntraltrustlltd)|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:esluenga01|tonnewmanus1)))|e(?:mchung1011|nchung1011)|i(?:enk(?:raymond|wongp)|mwiakim))|iticonsultantjohncg0|kruger00017|l(?:a(?:im(?:adviser11|officeadm)|xtonpaul00)|s79408)|o(?:l(?:\.(?:ahmedmarani|fakhrialsalabi(?:01)?|hmedismari)|abdullahassi|edavid77032|husseinharmuchc(?:cj|j)|inchriswei
r50|mohmanairf|o(?:mbasjuan53|nelsaad00))|mpensationcommitteboard|n(?:sult(?:ancy64|matthias|sto\.u)|tact(?:\.kolason|ad00[04]))|operation612)|pt\.eugenebarash|r(?:a(?:bbechambers|wfordgillies1)|ist(?:bru(?:05|n05)|i1537bru))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|iel(?:35508109|zulu11)|nydan24532)|v(?:i(?:d(?:\.loanfirm18|ibe718|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98)|ychan1970))|c(?:layconsult|ole77032)|e(?:btm123|n(?:iwalts|nis(?:clark659|quaid888))|partmentofstate(?:123|321)|tlefeckhardd)|hill27676|i(?:ane\.s\.wojcicki|gitalassetholding|p(?:francis1|lomat(?:\.john\.clerke|sshenry)))|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.(?:meirh|wilsonpaul02)|abodid|davidrhama221|j(?:amesdee|oesimon77)|kennedyuzo|meier\.heidi?|o(?:vieogor1|wenfrederick))|u(?:a1155a|nsilva58|stinmoskovitz\.2facebook)|v\.metus)|e(?:benezero392|christina937|d(?:runity|winfreeman22)|fcc\.financial\.dept|l(?:i(?:bethgomez(?:175|499)|sabethmaria600|zabethedw0)|otocashoffice1?)|m(?:2keld|ailpostlink09|efiele(?:328|g757)|ilyrichmond391)|r(?:enakgeorge123|ioncarter\.private)|ssexlss1|vgpatmow)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49(?:666|966)|k49666)|j569282|l(?:556249|aurentdz40|uhmann\.dn)|mb\.agent|o(?:ropunionbank|undations\.west)|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|isca(?:mendoza960|samendoza))|k(?:j(?:ane984|wangg)|laurarivera)))|bbankny\.gov|e(?:derick\.colemanesq|elottosweepstake51))|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|rielkalia1102)|r(?:ethbull112016|yakinson121))|bill4880|e(?:n(?:\.ahmedmsksi|eral(?:abdulrazak|williamstony990))|orgekwame481|r(?:aldjhjh11|tjanvlieghe787))|g780904|i(?:idp955|lbert12oook)|kwasiiwusu1\.persona|l(?:enmoore0011|oriachow5052)|o(?:glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219)|vgodwinemefiele111)|r(?:ace(?:jackmanwoods|obia001)|e(?:ant311|energeoffrey776))|veraal
len)|h(?:a(?:r(?:old\.dia1100|ryebert101|twellbdaniel)|s(?:h(?:imyreem78|mireem801)|sanalshujairy))|e(?:a(?:dofficecentre0210|therbrooeke101)|cto(?:alon|r(?:castillos653|scastillo6))|lpdesk47321)|gold8080|heba\.hhassan207|i(?:ldad837|toshurui)|klee\.mike|o(?:lsemeyerole6|nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|trryt34|uichmh)|i(?:1955smael|amannjejosonn|bed627|n(?:fo(?:\.(?:abogadosmfontana|g00gleclaim|questiondesk|ulmusau)|64240|98cbnoffice7|a(?:prl06|sminternationalpk)|dessk\.dfwairportonline|fdrserve)|gridrolle2|t(?:ernationallppp1|linvestorsfirm))|smailtarkan533|terryoffice)|j(?:35809121|a(?:6002932|888179|cobmaseon5995|m(?:alpriv8un|es(?:husmansdesk2240|okoh82))|nusensecureprivate|sonyeungchiwai|vierlesme001)|b5406424|c2222222rrr|e(?:ff(?:deandk2|erydean1960)|nniannjhsonn|ssikasingh4)|imyang977|k3311131|mpowellfr|o(?:e(?:dward023|kendal540|lmodisen)|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|tanko214|uba234|walterlove2010)|monkzza|n(?:esandassociates68|monkssa)|s(?:ephacevedo024|ianeangenor)|y(?:ce00011|mrskone5))|rawlings007|s4fernado|uliet\.le(?:222|e2222)|w6935997)|k(?:a(?:lstromjames3|malnizar000|rabo\.ramala39|t(?:ebaronbarr|hilittman7|jamess043|rinaziako56))|e(?:lsawamelia55|n(?:mck(?:ay1980|enziejr)|nedy\.sawadogo19))|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|rnkl1109|un(?:gwei7777|ioue28)|wasiowusug)|l(?:a(?:r(?:ateambo|rytoms200)|ursent892|wrencefoundation30)|blackshirepm|e(?:ndfair\.co\.uk1|rynne(?:0west99|west2289))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|li(?:ane\.bettencourt1945|ianchrstph)|n(?:elink008|glung104)|xiung(?:l48|9))|john6132|o(?:g(?:anntomas|eengen)|rrainewirengee|ttyoffice1|u(?:ghreymargaret67|isdreyfusmargarita5))|p319765|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ck(?:enzbezos|oliver324)|incare655|jor(?:dennishornbeck53|
townsend01)|k(?:altschmidt|toumsheikhhasher)|n(?:duesq58|fran630|uelfranco(?:727|foundation0))|r(?:cusdembialomr|i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|nacoleman84|opabl26)|k(?:roth456|uses200)|y(?:franson56|jify00aaz01))|s(?:onmanny05|pencer5151)|t(?:hewriaanza|twilly3)|u(?:noveutileina|rhinck11?)|viswanczyk(?:1(?:19|987)|4(?:89|5)|775|foundation45|k112|zz)|xaajn|ydetratt)|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|engeoffrey|l(?:lagolan|vidabullock5)|nnss01)|gfrederick80|husameddine|i(?:c(?:he(?:alwuu002|lintagro)|paulla|w954)|k(?:edawson1960s|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|nfin\.gv|ss(?:\.melisa\.mehmett|boteogottai|yaelronen))|jminabii|k(?:ent7117|untjoro52)|lbriggs08860|m(?:1086771|argaritalouisdreyfus)|nmalarge|o(?:ham(?:edabdul1717|madraqab00)|rienkal30)|r(?:\.(?:justinmaxwell09|lusee|wlsonkabore)|7672900|cjames001|d517341|ericfranck|fabianchukwu|hanimuhammad627|jamesmc6|martine80|paulfrank01|r(?:echardthomas|ichardanthony1)|s(?:\.(?:biyufungchi16|janetolsen?|olsenjanett|patarkatsishvili|susanread12)|a(?:ishaalqadafi1976|ngela454)|g(?:ezeria|racewoods70)|h(?:amima60|ristinemadeleine)|j(?:ackman123|lleach)|maureens847|nicolefr1marios|r(?:obinsanders185|uthsmith9900)|s(?:arahbenjamin103|ophiac)|veraaellen)|tomcrist\.ca)|s(?:agent02|golaan4|smadar44)|twvvv|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter(?:2017|968))|obuyuki\.hirano128|tawdglobal)|o(?:\.peace004|3344nb|ffice(?:\.012123|rricherd876|windowterms)|hallkenneth1|liviemorgan4|marinyandeng|nufoundationclaims|pcwkdw|swald\.l(?:\.lewis|ewwis)|vieogor1)|p(?:\.compton101|a(?:storfrancesco1|trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018)|ymentofficer14)|brookk0|e(?:130304|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|h(?:\.cbnl|illip\.richead218)|i(?:eterstevens511|lz37754)|o(?:lloke|wellmrwilliam)|r(?:esleybathini1|o(?:1nvstream|cessing2013general))|trsvermeulen|w178483)|
q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymond(?:aba200|damon15))|e(?:beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n2214)|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.(?:jamesabel1|mikedadax)|ernestcebi|frankjackson91))|i(?:ch(?:ard(?:lustig4u|w(?:ahl511|illis815))|lawandds)|tawilliams4141)|josh200000|o(?:berthanandez6655|naldmorris786|s(?:a\.gomes0044|e(?:kipkalya934|tam00)))|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ssiaworldcuppromo|thmporat1\"))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid7000)|nchoscozfifa|rfiafarfask7)|cottpeters7989|e(?:cretservicce[78]|rgeantrobertbrown1|ydouthiebaconsultant)|g\.offiice\.group|h(?:a(?:msiahmohamadyunusbnegara|nemissler2009)|e(?:ikhalmaktoum79|ry(?:\.gtl131|etr03))|inawatrathaksin93)|i(?:lverlakeconsultant|mlkheng5)|krause680|l5342743|o(?:fia\.adams201|u(?:rcingloggs|thwsltd))|peelman1972|rfredericodehernandez|sdt224|tephentam1(?:47|6)|u(?:iyang(?:\.boc|02)|leiman\.cbnn|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|w(?:eeneyjohnson384|islottnl))|t(?:a(?:mmy21gill|y(?:ebsouami0|lorcathy362))|davalvse|erryparkins11|h(?:ailandbankoffice01|e(?:ara\.choy2|bigbiglottowinning77|odorosloannis9|resawilliams7661?|smithfm124))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|c(?:hrist1995|rist(?:52|donation12|foundation99|world)))|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|ransfermoney21\.2|tkhan69s)|u(?:babankbjplc|dregwqr|kponguko|marukareem8|n(?:claimedfunds554|itednation(?:organization70|s(?:8182|councilrefunds)))|sdepartmentofjustice80)|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|d232633|i(?:elandherzog\.sw\.herad16|ge122|ll(?:clark2618|iamrobert3852|update123))|kfina
ncialservice|orldbankregionalmanageroffice|u(?:\.office212|mt722)|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974)|z(?:enithbankplconline98|kiaslan1963|minhong65)))\@gmail\.com$/i | |
3774 | describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox | |
3775 | #score REPTO_419_FRAUD_GM 3.000 | |
3776 | tflags REPTO_419_FRAUD_GM publish | |
3777 | ##} REPTO_419_FRAUD_GM | |
3778 | ||
3779 | ##{ REPTO_419_FRAUD_GM_LOOSE | |
3780 | ||
| | # Fires when the sub-rule __REPTO_419_FRAUD_GM_LOOSE (defined outside this excerpt) hits and the exact-list rule REPTO_419_FRAUD_GM does not, so a single Reply-To never triggers both rules. | |
| | # The score line below is commented out, so this block assigns no score itself. | |
3781 | meta REPTO_419_FRAUD_GM_LOOSE __REPTO_419_FRAUD_GM_LOOSE && !REPTO_419_FRAUD_GM | |
3782 | describe REPTO_419_FRAUD_GM_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox | |
3783 | #score REPTO_419_FRAUD_GM_LOOSE 1.000 | |
3784 | tflags REPTO_419_FRAUD_GM_LOOSE publish | |
3785 | ##} REPTO_419_FRAUD_GM_LOOSE | |
3786 | ||
3787 | ##{ REPTO_419_FRAUD_HM | |
3788 | ||
| | # Exact-list match: fires when the first Reply-To address (:addr keeps only that one) is one of the listed hotmail.com mailboxes; anchored at both ends, case-insensitive, with the domain checked first by the lookahead. | |
| | # NOTE(review): static indicator list matched on the literal address string; entries can go stale, so confirm how the list is refreshed and treat a hit as one signal among several. | |
3789 | header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|nikal01|zezul\.idrisazezulidris)|benarnault0|c(?:ecilekaramoko123|hoi21)|d(?:l13139|r\.dukanalycoulibaly)|egorbunova22|fanliangjen2|gen\.dmathokdiigwol|infos(?:43|8)|katabettencourt2018|l(?:\.b120k|e(?:a_edem|wisarm44)|imfu201677|ulihongm)|m(?:cliffmomah998|r(?:abrahambeniamfc|pedrohilldonations|s(?:\.roselinejac|elizabetmk|helenbgeorge|micheleallison2003)))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|p(?:atrickmullinfinaceservs|owen10001)|s(?:ajda\.andleeb|gthansencs|tephenbettinger|ulaimaninfante)|t(?:ashacap|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i | |
3790 | describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox | |
3791 | #score REPTO_419_FRAUD_HM 3.000 | |
3792 | tflags REPTO_419_FRAUD_HM publish | |
3793 | ##} REPTO_419_FRAUD_HM | |
3794 | ||
3795 | ##{ REPTO_419_FRAUD_OL | |
3796 | ||
| | # Exact-list match: fires when the first Reply-To address (:addr keeps only that one) is one of the listed outlook.com mailboxes; anchored at both ends, case-insensitive, with the domain checked first by the lookahead. | |
| | # NOTE(review): static indicator list matched on the literal address string; entries can go stale, so confirm how the list is refreshed and treat a hit as one signal among several. | |
3797 | header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:a(?:23423|lexandermason)|brahamwilliamsonrpsltduk|l(?:bertchebe|exw113)|ndrew(?:_hai|gamble7)|utoresponds)|b(?:a(?:r(?:bayo_jacobs|claysplc2016)|sidris)|etty\.c_investment|illgfile203|riam8molefe)|c(?:bforeignremitdept|harlie\.j\.goodmand|o(?:l\.(?:airforce\.saadwarfali|warfalisaadairforce)|mpensationfunding))|d(?:eborahleeconsult|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020)|g(?:20compessdesk|eoffreynicolas\.esq|ilbertowosukk)|huyennvoha|j(?:ackson4steve|e(?:anedo1?|ssicameir30))|k(?:aujong|kkunited1)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|gbplc3|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|bryandavisuk44|jonah\.ot|mduku|s(?:\.coraluttah|_elizabeth20|michelleallison|roseallen)|vitaloadams)|spvt2020)|p(?:aul(?:\.walter120|blakey05)|hilcohen0012)|qanejmhffgg|r(?:c19691|ichardwahlfreegrant)|s(?:aaman10|gi2019|ilverlakeconsultantllc|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019|reff11)|unvanzyl_mrs|winuklotocash2018))\@outlook\.com$/i | |
3798 | describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox | |
3799 | #score REPTO_419_FRAUD_OL 3.000 | |
3800 | tflags REPTO_419_FRAUD_OL publish | |
3801 | ##} REPTO_419_FRAUD_OL | |
3802 | ||
3803 | ##{ REPTO_419_FRAUD_PM | |
3804 | ||
| | # Exact-list match: fires when the first Reply-To address (:addr keeps only that one) is one of the listed protonmail.com mailboxes; anchored at both ends, case-insensitive, with the domain checked first by the lookahead. | |
| | # NOTE(review): only the protonmail.com domain is matched here; whether other domains of the same provider need coverage cannot be told from this excerpt. | |
3805 | header REPTO_419_FRAUD_PM Reply-To:addr =~ /^(?=[^\s<>@]+\@protonmail\.com)(?:(?:armstrong0244|berndkoch|davidmetus|euclaim|p(?:a(?:melagriffi|t\.nwankwo)|rotonydonation)|scottpeter012|v\.brianpierre|wraggsmk|yihsbltan|ziraatbankasi))\@protonmail\.com$/i | |
3806 | describe REPTO_419_FRAUD_PM Reply-To is known advance fee fraud collector mailbox | |
3807 | #score REPTO_419_FRAUD_PM 3.000 | |
3808 | tflags REPTO_419_FRAUD_PM publish | |
3809 | ##} REPTO_419_FRAUD_PM | |
3810 | ||
3811 | ##{ REPTO_419_FRAUD_QQ | |
3812 | ||
| | # Exact-list match: fires when the first Reply-To address (:addr keeps only that one) is one of the listed qq.com mailboxes, several of which are purely numeric local parts; anchored at both ends, case-insensitive, with the domain checked first by the lookahead. | |
| | # NOTE(review): static indicator list matched on the literal address string; entries can go stale, so confirm how the list is refreshed and treat a hit as one signal among several. | |
3813 | header REPTO_419_FRAUD_QQ Reply-To:addr =~ /^(?=[^\s<>@]+\@qq\.com)(?:(?:1(?:731419584|821317384)|2(?:0(?:32508290|90641921)|3(?:72948239|89029403|97857528)|751232036)|3(?:323469072|523284224)|a(?:gent(?:markruben_fbi|promofficer)|kia\.j55)|claimoffice1|dennisonctrenton|l\.valiant|peterwong20177|s(?:abrinacrawford000|hu60w)|treasury_deptment0|wang_cjianlin))\@qq\.com$/i | |
3814 | describe REPTO_419_FRAUD_QQ Reply-To is known advance fee fraud collector mailbox | |
3815 | #score REPTO_419_FRAUD_QQ 3.000 | |
3816 | tflags REPTO_419_FRAUD_QQ publish | |
3817 | ##} REPTO_419_FRAUD_QQ | |
3818 | ||
3819 | ##{ REPTO_419_FRAUD_YH | |
3820 | ||
| | # Exact-list match: fires when the first Reply-To address (:addr keeps only that one) is one of the listed yahoo.com mailboxes; anchored at both ends, case-insensitive, with the domain checked first by the lookahead. | |
| | # Near-miss addresses are left to REPTO_419_FRAUD_YH_LOOSE, which excludes anything this rule already hits. | |
| | # NOTE(review): static indicator list matched on the literal address string; entries can go stale, so confirm how the list is refreshed and treat a hit as one signal among several. | |
3821 | header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|gaaintl\-4g5ee\.w3|l(?:berts\.odia|esiakalina2006)|mbassador\.l|nn(?:awax48|hester\.usa4))|b(?:a(?:che\.delfine|nk\.phbng14|rr(?:\.thomasclark|ister\.(?:dennis11|marcus)|lawrencefubara39|william_davies))|en(?:jaminb34|nicholas22)|illlawrenceee|riceangela45)|c(?:\.(?:aroline90|coulibaly2)|a(?:binet_maitre_emmanuel_patris|mpbellwilliamms)|h(?:arlesscharf112|hoy\.t|im\.w|jackson65)|juan852|o(?:llins(?:mattew32|wayne84)|mpliment\.sseason|ntelamine)|ythiamiller\.un10)|d(?:hamilton9099|i(?:aanesoto190|plomaticagent180)|r(?:\.aminramli|_raymondfung|victorobaji))|e(?:dwarddawson|ricalbert24)|f(?:aizaadama2016|bicompensation_funds|ederal\.r73|id00180)|g(?:ov\.ukmessageboard|raham\.eddie2016|uesfilet1336523)|harry1vans|i(?:\.project33411|befranfgnfmf|nfo(?:111mail|bank1|money)|project32411)|j(?:\.edwards228|a(?:ckson\.davis915|ne(?:_ooparah|temoon150))|essica\.p_family|inping\.tw|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:elvinmark629|im(?:\.leang2018?|leang(?:575|90))|yle_grubbe)|l(?:e(?:a_edem13|ge331|hman(?:909|bila))|i(?:m_kaan|sarobinson_555|uhngbin)|y_cheapiseth(?:11|2019))|m(?:arie_avis12|d(?:\.ps|zsesszika672)|elissalewis(?:10001|4004)|iss\.zarryb|o(?:hammedaahil46|keye79)|r(?:kellyayi62|s(?:\.esthernicolas|isabella\.dzesszikan|themo))|s\.gracie_olakun|unny(?:\.sopheap207|_sopheap30))|n(?:adhowc|estordaniel2|orahuz1960)|o(?:fficial_franksylvester88|legkozyrev1|mranshaalan52)|p(?:a(?:ckerkelvin|yus123x)|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|i(?:chard\.w94|taadamsw10)|o(?:b(?:ertbailey2004|orts20)|se(?:mary\.3as|richard655)))|s(?:amthong4040|igurlauganna34|leo25|mith(?:\.dr|colin767)|opheap\.munny|pwalker101|sgt\.bethany|tevecox\.98)|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|u(?:butu16|kdebtmanagement5)|vanserge2001|will(?:clark0010|iamsimon(?:22|521))|xianglongdai60|zhaodonghk))\@yahoo\.com$/i | |
3822 | describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox | |
3823 | #score REPTO_419_FRAUD_YH 3.000 | |
3824 | tflags REPTO_419_FRAUD_YH publish | |
3825 | ##} REPTO_419_FRAUD_YH | |
3826 | ||
3827 | ##{ REPTO_419_FRAUD_YH_LOOSE | |
3828 | ||
| | # Fires when the sub-rule __REPTO_419_FRAUD_YH_LOOSE (defined outside this excerpt) hits and the exact-list rule REPTO_419_FRAUD_YH does not, so a single Reply-To never triggers both rules. | |
| | # The commented-out score (1.000) is lower than the exact rule's (3.000), matching the weaker "similar to" wording of the describe text. | |
3829 | meta REPTO_419_FRAUD_YH_LOOSE __REPTO_419_FRAUD_YH_LOOSE && !REPTO_419_FRAUD_YH | |
3830 | describe REPTO_419_FRAUD_YH_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox | |
3831 | #score REPTO_419_FRAUD_YH_LOOSE 1.000 | |
3832 | tflags REPTO_419_FRAUD_YH_LOOSE publish | |
3833 | ##} REPTO_419_FRAUD_YH_LOOSE | |
3834 | ||
3835 | ##{ REPTO_419_FRAUD_YJ | |
3836 | ||
| | # Exact-list match: fires when the first Reply-To address (:addr keeps only that one) is one of the listed yahoo.co.jp mailboxes; anchored at both ends, case-insensitive, with the domain checked first by the lookahead. | |
| | # NOTE(review): static indicator list matched on the literal address string; entries can go stale, so confirm how the list is refreshed and treat a hit as one signal among several. | |
3837 | header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73|n(?:gelinarichardson01|ita(?:kirkweeks45|usarpac)))|b(?:a(?:lmaa1115|rrevansthomas213)|ealife4god|gsblcagent|nchmclaw)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc|ssicajlavoie|velynjoshua56)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|ktbradley|oneygram100|rs_chen_00001)|nikbnson1|o(?:fficialinfoemail|livia_mabor)|pamgells|r(?:acheljude000|eplykasikorn|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i | |
3838 | describe REPTO_419_FRAUD_YJ Reply-To is known advance fee fraud collector mailbox | |
3839 | #score REPTO_419_FRAUD_YJ 3.000 | |
3840 | tflags REPTO_419_FRAUD_YJ publish | |
3841 | ##} REPTO_419_FRAUD_YJ | |
3842 | ||
3843 | ##{ REPTO_419_FRAUD_YN | |
3844 | ||
| | # Exact-list match: fires when the first Reply-To address (:addr keeps only that one) is one of the listed yandex.com mailboxes; anchored at both ends, case-insensitive, with the domain checked first by the lookahead. | |
| | # NOTE(review): only the yandex.com domain is matched here; whether other domains of the same provider need coverage cannot be told from this excerpt. | |
3845 | header REPTO_419_FRAUD_YN Reply-To:addr =~ /^(?=[^\s<>@]+\@yandex\.com)(?:(?:a(?:lsharibi|m(?:andarandle|g3333txx101)|na\.mariposa|wesome\.mariacarmen)|b(?:ayemahama|igghandgrant|radely\.j)|clemlau|diezanimadueke|f(?:3dex\.courier|ed\.r3v|reedommarketinvestments|uzhongjun\.director)|g(?:\.anniversary(?:101)?|add4fi\.aisha)|hhalesbbanddd?|irenaa\.georgiadou|j(?:efrey(?:\-dean|\.dean11)|o(?:hnnicholsonjr|seph\-scott2k5)|uliet\.lee2222)|kenhamberlet|l(?:es20sc|otointernational\.elgordo)|m(?:a(?:hama\.baye|rcarmenguty)|fdpm|ohamed\.bennani|r(?:\-(?:jos\.martins|robert\-patrick\.patrick)|\.kongkea|akram\.elkerrami|spercy))|nokiahouse1[03]|olivia\.mabor|p(?:aragonloansinc|hilipfen778|ri(?:ncedarren0244|vatemail24)|ullmanrb)|rich(?:ard\.wahl|lawands)|skyeloanand\.financelimited|t(?:\.baloyi|an\.sung|omss\.smith|resor\.mambo)|w(?:b\.foundation|ill(?:1amsmarg1|iamsimon1960))|za\.dc2016))\@yandex\.com$/i | |
3846 | describe REPTO_419_FRAUD_YN Reply-To is known advance fee fraud collector mailbox | |
3847 | #score REPTO_419_FRAUD_YN 3.000 | |
3848 | tflags REPTO_419_FRAUD_YN publish | |
3849 | ##} REPTO_419_FRAUD_YN | |
3850 | ||
3851 | ##{ RISK_FREE | |
3852 | ||
| | # Fires on the sub-rule __FRAUD_IOV unless any of the six listed exclusion sub-rules also hits; all of them are defined outside this excerpt. | |
| | # The exclusions look like markers of bulk or threaded legitimate mail (unsubscribe link, mailing list, Re:/Fw: subject, matching envelope and header From), judging by their names only. | |
3853 | meta RISK_FREE __FRAUD_IOV && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__SUBSCRIPTION_INFO && !__HS_SUBJ_RE_FW && !__LCL__ENV_AND_HDR_FROM_MATCH | |
3854 | describe RISK_FREE No risk! | |
3855 | ##} RISK_FREE | |
3856 | ||
3857 | ##{ SB_GIF_AND_NO_URIS | |
3858 | ||
| | # Fires when __GIF_ATTACH hits and neither __HAS_ANY_URI nor __HAS_ANY_EMAIL does (sub-rules defined outside this excerpt). | |
| | # This block carries no describe or score line. | |
3859 | meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL) | |
3860 | ##} SB_GIF_AND_NO_URIS | |
3861 | ||
3862 | ##{ SCC_NEWBIE_HASBEENS | |
3863 | ||
| | # Fires when the X-Beenthere header contains ".today", ".online" or ".monster" anywhere in its value; the match is case-sensitive and not anchored. | |
| | # NOTE(review): nothing follows the alternation, so a host label that merely starts with one of these words (for example ".onlinestore") would also match; confirm whether an end-of-label or end-of-value anchor was intended. | |
3864 | describe SCC_NEWBIE_HASBEENS Abused gTLDs seen in spam from Google Apps. | |
3865 | header SCC_NEWBIE_HASBEENS X-Beenthere =~ /\.(today|online|monster)/ | |
3866 | ##} SCC_NEWBIE_HASBEENS | |
3867 | ||
3868 | ##{ SCRIPT_GIBBERISH | |
3869 | ||
| | # Fires on __SCRIPT_GIBBERISH when the body is XHTML or has no script tag in the body (either condition suffices), and __TAG_EXISTS_META does not hit. | |
| | # All four sub-rules are defined outside this excerpt. | |
3870 | meta SCRIPT_GIBBERISH __SCRIPT_GIBBERISH && (__BODY_XHTML || !__SCRIPT_TAG_IN_BODY) && !__TAG_EXISTS_META | |
3871 | describe SCRIPT_GIBBERISH Nonsense in HTML <SCRIPT> tag | |
3872 | ##} SCRIPT_GIBBERISH | |
3873 | ||
3874 | ##{ SENDGRID_REDIR | |
3875 | ||
| | # Fires on the sub-rule __SENDGRID_REDIR_NOPHISH for mail that did not arrive only via trusted relays (!ALL_TRUSTED) and hits none of the six listed exclusion sub-rules. | |
| | # The variant with phishing signs is the separate rule SENDGRID_REDIR_PHISH; every sub-rule used here is defined outside this excerpt. | |
3876 | meta SENDGRID_REDIR __SENDGRID_REDIR_NOPHISH && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION && !__STY_INVIS_MANY && !__HTML_SINGLET_10 && !__HAVE_BOUNCE_RELAYS | |
3877 | describe SENDGRID_REDIR Redirect URI via Sendgrid | |
3878 | #score SENDGRID_REDIR 1.500 # limit | |
3879 | tflags SENDGRID_REDIR publish | |
3880 | ##} SENDGRID_REDIR | |
3881 | ||
3882 | ##{ SENDGRID_REDIR_PHISH | |
3883 | ||
| | # Thin wrapper: exposes the sub-rule __SENDGRID_REDIR_PHISH (defined outside this excerpt) under a scored name, with no further conditions. | |
| | # NOTE(review): unlike SENDGRID_REDIR, this rule has no ALL_TRUSTED or mailing-list exclusions of its own; confirm the sub-rule already covers them. | |
3884 | meta SENDGRID_REDIR_PHISH __SENDGRID_REDIR_PHISH | |
3885 | describe SENDGRID_REDIR_PHISH Redirect URI via Sendgrid + phishing signs | |
3886 | #score SENDGRID_REDIR_PHISH 3.500 # limit | |
3887 | tflags SENDGRID_REDIR_PHISH publish | |
3888 | ##} SENDGRID_REDIR_PHISH | |
3889 | ||
3890 | ##{ SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3891 | ||
| | # Defined only on SpamAssassin 3.4.2 or later with the WLBLEval plugin loaded; otherwise the rule does not exist. | |
| | # Fires when __FROM_ADDRLIST_SUSPNTLD hits and at least one of __PDS_SEO1 / __PDS_SEO2 hits (their sum is >= 1); the sub-rules are defined outside this excerpt. | |
3892 | if (version >= 3.004002) | |
3893 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3894 | meta SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1) | |
3895 | tflags SEO_SUSP_NTLD publish | |
3896 | describe SEO_SUSP_NTLD SEO offer from suspicious TLD | |
3897 | #score SEO_SUSP_NTLD 1.2 # limit | |
3898 | endif | |
3899 | endif | |
3900 | ##} SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3901 | ||
3902 | ##{ SERGIO_SUBJECT_VIAGRA01 | |
3903 | ||
| | # Matches the letters v, i (or 1 or l), a, g, r, a in order in the Subject, each pair separated by zero to three non-alphanumeric characters; case-insensitive. | |
| | # With zero separators the plain word also matches, and the gap between "a" and "g" additionally disallows spaces. | |
3904 | header SERGIO_SUBJECT_VIAGRA01 Subject =~ /v[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9 ]{0,3}g[^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}a/i | |
3905 | describe SERGIO_SUBJECT_VIAGRA01 Viagra garbled subject | |
3906 | ##} SERGIO_SUBJECT_VIAGRA01 | |
3907 | ||
3908 | ##{ SHOPIFY_IMG_NOT_RCVD_SFY | |
3909 | ||
| | # Fires on the sub-rule __SHOPIFY_IMG_NOT_RCVD_SFY unless any of the eight listed exclusions also hits; MIME_QP_LONG_LINE is a scored rule, the rest are sub-rules, all defined outside this excerpt. | |
| | # NOTE(review): the detection idea (see describe text) is a brand-hosted image in mail that did not come from that brand; the exclusions are presumably false-positive carve-outs, so check them before tightening the rule locally. | |
3910 | meta SHOPIFY_IMG_NOT_RCVD_SFY __SHOPIFY_IMG_NOT_RCVD_SFY && !MIME_QP_LONG_LINE && !__RCD_RDNS_MTA_MESSY && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_ORGANIZATION && !__RCD_RDNS_OB && !__DOS_LINK | |
3911 | #score SHOPIFY_IMG_NOT_RCVD_SFY 2.500 # limit | |
3912 | describe SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not from Shopify | |
3913 | tflags SHOPIFY_IMG_NOT_RCVD_SFY publish | |
3914 | ##} SHOPIFY_IMG_NOT_RCVD_SFY | |
3915 | ||
3916 | ##{ SHORTENED_URL_SRC | |
3917 | ||
| | # Raw-body match for an HTML tag whose src attribute points at one of the listed hosts, followed by a path of at least three non-slash characters. | |
| | # The tag prefix is capped at 99 characters, which bounds backtracking on long tags. | |
| | # NOTE(review): the pattern has no /i flag although attribute names and URL schemes and hosts are case-insensitive, and the host list mixes URL shorteners with general content sites; confirm both are intended. No describe or score line is given in this block. | |
3918 | rawbody SHORTENED_URL_SRC /<[^>]{1,99}\ssrc=\W?https?:\/\/(?:bit\.ly|bit\.do|buff\.ly|tinyurl\.com|ow\.ly|owl\.li|is\.gd|tumblr\.com|mysp\.ac|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|goo\.io|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|ecs\.page\.link|cc\.uz|smarturl\.it|s\.apache\.org)\/[^\/]{3}/ | |
3919 | ##} SHORTENED_URL_SRC | |
3920 | ||
3921 | ##{ SHORTENER_SHORT_IMG | |
3922 | ||
| | # Fires when the sub-rule __URL_SHORTENER and the scored rule HTML_SHORT_LINK_IMG_1 both hit (both defined outside this excerpt). | |
| | # NOTE(review): because one input is a scored rule, a site that zeroes HTML_SHORT_LINK_IMG_1 would presumably silence this meta as well; verify before disabling that rule locally. | |
3923 | meta SHORTENER_SHORT_IMG __URL_SHORTENER && HTML_SHORT_LINK_IMG_1 | |
3924 | describe SHORTENER_SHORT_IMG Short HTML + image + URL shortener | |
3925 | #score SHORTENER_SHORT_IMG 2.500 # limit | |
3926 | tflags SHORTENER_SHORT_IMG publish | |
3927 | ##} SHORTENER_SHORT_IMG | |
3928 | ||
3929 | ##{ SHORTENER_SHORT_SUBJ | |
3930 | ||
| | # Fires on the sub-rule __SHORTENER_SHORT_SUBJ unless the message has a List-Unsubscribe or List-Id header, was received via Google, or sets X-Priority (meanings inferred from the sub-rule names; definitions are outside this excerpt). | |
| | # The describe text states the rationale: a shortener link may be used to keep the real destination out of URI blocklist lookups. | |
3931 | meta SHORTENER_SHORT_SUBJ __SHORTENER_SHORT_SUBJ && !__DOS_HAS_LIST_UNSUB && !__HAS_LIST_ID && !__HDR_RCVD_GOOGLE && !__XPRIO | |
3932 | describe SHORTENER_SHORT_SUBJ URL shortener (avoiding URIBL?) + short subject | |
3933 | #score SHORTENER_SHORT_SUBJ 3.000 # limit | |
3934 | ##} SHORTENER_SHORT_SUBJ | |
3935 | ||
3936 | ##{ SHORT_BODY_G_DRIVE_DYN | |
3937 | ||
| | # Thin wrapper: exposes the sub-rule __SHORT_BODY_G_DRIVE_DYN (defined outside this excerpt) under a scored name, with no further conditions. | |
3938 | meta SHORT_BODY_G_DRIVE_DYN __SHORT_BODY_G_DRIVE_DYN | |
3939 | describe SHORT_BODY_G_DRIVE_DYN Short body with Google Drive link and dynamic looking sender | |
3940 | #score SHORT_BODY_G_DRIVE_DYN 1.5 # limit | |
3941 | ##} SHORT_BODY_G_DRIVE_DYN | |
3942 | ||
3943 | ##{ SHORT_HELO_AND_INLINE_IMAGE | |
3944 | ||
| | # Fires when both __HELO_NO_DOMAIN and __ANY_IMAGE_ATTACH hit (sub-rules defined outside this excerpt). | |
3945 | meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH) | |
3946 | describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image | |
3947 | ##} SHORT_HELO_AND_INLINE_IMAGE | |
3948 | ||
3949 | ##{ SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3950 | ||
| | # Defined only on SpamAssassin 3.4.2 or later with the WLBLEval plugin loaded; otherwise the rule does not exist. | |
| | # Fires when all three sub-rules hit: body shorter than 1024 (per the sub-rule name), an HTML linked image, and a From address on the suspicious-TLD list; definitions are outside this excerpt. | |
3951 | if (version >= 3.004002) | |
3952 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3953 | meta SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD | |
3954 | tflags SHORT_IMG_SUSP_NTLD publish | |
3955 | describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD | |
3956 | #score SHORT_IMG_SUSP_NTLD 1.5 # limit | |
3957 | endif | |
3958 | endif | |
3959 | ##} SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3960 | ||
3961 | ##{ SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3962 | ||
| | # Defined only with the WLBLEval plugin loaded on SpamAssassin 3.4.0 or later. | |
| | # Fires when __PDS_MSG_512 hits together with either shortener sub-rule (__PDS_URISHORTENER or __URL_SHORTENER), and the scored rule DRUGS_ERECTILE does not hit; all are defined outside this excerpt. | |
3963 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3964 | if (version >= 3.004000) | |
3965 | meta SHORT_SHORTNER __PDS_MSG_512 && (__PDS_URISHORTENER || __URL_SHORTENER) && !DRUGS_ERECTILE | |
3966 | describe SHORT_SHORTNER Short body with little more than a link to a shortener | |
3967 | #score SHORT_SHORTNER 2.0 # limit | |
3968 | endif | |
3969 | endif | |
3970 | ##} SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
3971 | ||
3972 | ##{ SHORT_TERM_PRICE | |
3973 | ||
| | # Body match for "short term target" or "short term projected", with any run of non-word characters between the words; case-insensitive. | |
| | # The trailing "price" group is optional and does not change whether the rule hits. This rule is an input to the meta rule STOCK_PRICES. | |
3974 | body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i | |
3975 | ##} SHORT_TERM_PRICE | |
3976 | ||
3977 | ##{ SINGLETS_LOW_CONTRAST | |
3978 | ||
| | # Fires when both __HTML_SINGLET_MANY and __HTML_FONT_LOW_CONTRAST_MINFP hit (sub-rules defined outside this excerpt). | |
| | # Per the describe text, the combination targets text split into individually formatted letters alongside hidden, low-contrast text. | |
3979 | meta SINGLETS_LOW_CONTRAST __HTML_SINGLET_MANY && __HTML_FONT_LOW_CONTRAST_MINFP | |
3980 | describe SINGLETS_LOW_CONTRAST Single-letter formatted HTML + hidden text | |
3981 | tflags SINGLETS_LOW_CONTRAST publish | |
3982 | ##} SINGLETS_LOW_CONTRAST | |
3983 | ||
3984 | ##{ SPAMMY_XMAILER | |
3985 | ||
| | # Fires when any one of the five __XM_OL_* sub-rules hits (defined outside this excerpt; the names suggest specific X-Mailer version strings). | |
| | # NOTE(review): X-Mailer is set by the sender, so this is a fingerprint of particular sending software, not an authenticity check. | |
3986 | meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4) | |
3987 | describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham | |
3988 | ##} SPAMMY_XMAILER | |
3989 | ||
3990 | ##{ SPOOFED_FREEMAIL | |
3991 | ||
| | # Fires on the sub-rule __SPOOFED_FREEMAIL unless any of the eight listed exclusion sub-rules also hits (reply and thread markers, GUID message-id, known-safe freemail, Google or t-online receipt, judging by the names; definitions are outside this excerpt). | |
| | # tflags net marks this as a network test, so it is not evaluated when network tests are disabled; metas that reference SPOOFED_FREEMAIL inherit that dependency. | |
| | # No describe line is given in this block. | |
3992 | meta SPOOFED_FREEMAIL __SPOOFED_FREEMAIL && !__HAS_IN_REPLY_TO && !__FS_SUBJ_RE && !__MSGID_GUID && !__freemail_safe && !__THREADED && !__HDRS_LCASE_KNOWN && !__HDR_RCVD_GOOGLE && !__HDR_RCVD_TONLINEDE | |
3993 | #score SPOOFED_FREEMAIL 2.000 # limit | |
3994 | tflags SPOOFED_FREEMAIL net | |
3995 | ##} SPOOFED_FREEMAIL | |
3996 | ||
3997 | ##{ SPOOFED_FREEMAIL_NO_RDNS | |
3998 | ||
| | # Fires when the sub-rule __SPOOFED_FREEMAIL and __RDNS_NONE both hit (defined outside this excerpt). | |
| | # It uses the raw sub-rule, not the scored SPOOFED_FREEMAIL, so that rule's exclusion list does not apply here. | |
3999 | meta SPOOFED_FREEMAIL_NO_RDNS __SPOOFED_FREEMAIL && __RDNS_NONE | |
4000 | describe SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS | |
4001 | #score SPOOFED_FREEMAIL_NO_RDNS 1.5 | |
4002 | ##} SPOOFED_FREEMAIL_NO_RDNS | |
4003 | ||
4004 | ##{ SPOOFED_FREEM_REPTO | |
4005 | ||
| | # Fires on the sub-rule __SPOOFED_FREEM_REPTO unless the message has tiny fonts, an In-Reply-To header or a Thread-Index header (per the sub-rule names; definitions are outside this excerpt). | |
| | # tflags net marks this as a network test, so it is not evaluated when network tests are disabled. | |
4006 | meta SPOOFED_FREEM_REPTO __SPOOFED_FREEM_REPTO && !__AC_TINY_FONT && !__HAS_IN_REPLY_TO && !__HAS_THREAD_INDEX | |
4007 | describe SPOOFED_FREEM_REPTO Forged freemail sender with freemail reply-to | |
4008 | #score SPOOFED_FREEM_REPTO 2.500 | |
4009 | tflags SPOOFED_FREEM_REPTO net publish | |
4010 | ##} SPOOFED_FREEM_REPTO | |
4011 | ||
4012 | ##{ SPOOFED_FREEM_REPTO_CHN | |
4013 | ||
| | # Fires when either the sub-rule __SPOOFED_FREEM_REPTO or the scored rule FORGED_YAHOO_RCVD hits, together with __REPTO_CHN_FREEM; all are defined outside this excerpt. | |
| | # It uses the raw sub-rule, so the exclusions on the scored SPOOFED_FREEM_REPTO rule do not apply here. Network test (tflags net). | |
4014 | meta SPOOFED_FREEM_REPTO_CHN (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM | |
4015 | describe SPOOFED_FREEM_REPTO_CHN Forged freemail sender with Chinese freemail reply-to | |
4016 | #score SPOOFED_FREEM_REPTO_CHN 3.500 | |
4017 | tflags SPOOFED_FREEM_REPTO_CHN net publish | |
4018 | ##} SPOOFED_FREEM_REPTO_CHN | |
4019 | ||
4020 | ##{ SPOOFED_FREEM_REPTO_RUS | |
4021 | ||
| | # Fires when either the sub-rule __SPOOFED_FREEM_REPTO or the scored rule FORGED_YAHOO_RCVD hits, together with __REPTO_RUS_FREEM; all are defined outside this excerpt. | |
| | # It uses the raw sub-rule, so the exclusions on the scored SPOOFED_FREEM_REPTO rule do not apply here. Network test (tflags net). | |
4022 | meta SPOOFED_FREEM_REPTO_RUS (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_RUS_FREEM | |
4023 | describe SPOOFED_FREEM_REPTO_RUS Forged freemail sender with Russian freemail reply-to | |
4024 | #score SPOOFED_FREEM_REPTO_RUS 3.500 | |
4025 | tflags SPOOFED_FREEM_REPTO_RUS net publish | |
4026 | ##} SPOOFED_FREEM_REPTO_RUS | |
4027 | ||
4028 | ##{ SPOOF_GMAIL_MID | |
4029 | ||
| | # Fires when the scored rule SPOOFED_FREEMAIL and the sub-rule __PDS_SPOOF_GMAIL_MID (defined outside this excerpt) both hit. | |
| | # NOTE(review): SPOOFED_FREEMAIL is a network test (tflags net) with its own exclusion list, so this meta presumably cannot fire when network tests are off or that rule is disabled; verify against the deployment's settings. | |
4030 | meta SPOOF_GMAIL_MID SPOOFED_FREEMAIL && __PDS_SPOOF_GMAIL_MID | |
4031 | #score SPOOF_GMAIL_MID 1.5 | |
4032 | describe SPOOF_GMAIL_MID From Gmail but it doesn't seem to be... | |
4033 | ##} SPOOF_GMAIL_MID | |
4034 | ||
4035 | ##{ STATIC_XPRIO_OLE | |
4036 | ||
| | # Thin wrapper: exposes the sub-rule __STATIC_XPRIO_OLE (defined outside this excerpt) under a scored name, with no further conditions. | |
4037 | meta STATIC_XPRIO_OLE __STATIC_XPRIO_OLE | |
4038 | describe STATIC_XPRIO_OLE Static RDNS + X-Priority + MIMEOLE | |
4039 | #score STATIC_XPRIO_OLE 2.000 # limit | |
4040 | tflags STATIC_XPRIO_OLE publish | |
4041 | ##} STATIC_XPRIO_OLE | |
4042 | ||
4043 | ##{ STOCK_IMG_CTYPE | |
4044 | ||
| | # Fires only when all four sub-rules hit: an image attachment, matching envelope and header From, __CTYPE_ONETAB_GIF, and an image-only HTML part (per the names; definitions are outside this excerpt). | |
| | # It shares the first two conditions with the other STOCK_IMG_* rules and differs in the third, which supplies the "distinctive" feature named in the describe text. | |
4045 | meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY) | |
4046 | describe STOCK_IMG_CTYPE Stock spam image part, with distinctive Content-Type header | |
4047 | ##} STOCK_IMG_CTYPE | |
4048 | ||
4049 | ##{ STOCK_IMG_HDR_FROM | |
4050 | ||
| | # Fires only when all four sub-rules hit: an image attachment, matching envelope and header From, __TVD_FW_GRAPHIC_ID1, and an image-only HTML part (per the names; definitions are outside this excerpt). | |
4051 | meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY) | |
4052 | describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line | |
4053 | ##} STOCK_IMG_HDR_FROM | |
4054 | ||
4055 | ##{ STOCK_IMG_HTML | |
4056 | ||
| | # Fires only when all four sub-rules hit: an image attachment, matching envelope and header From, __PART_STOCK_CID, and an image-only HTML part (per the names; definitions are outside this excerpt). | |
4057 | meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY) | |
4058 | describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML | |
4059 | ##} STOCK_IMG_HTML | |
4060 | ||
4061 | ##{ STOCK_IMG_OUTLOOK | |
4062 | ||
| | # Fires only when all four sub-rules hit: an image attachment, matching envelope and header From, __XM_MS_IN_GENERAL, and __HTML_LENGTH_1536_2048 (definitions are outside this excerpt). | |
| | # Unlike the other STOCK_IMG_* rules, the last condition is an HTML length band, not an image-only HTML part. | |
4063 | meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048) | |
4064 | describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features | |
4065 | ##} STOCK_IMG_OUTLOOK | |
4066 | ||
4067 | ##{ STOCK_LOW_CONTRAST | |
4068 | ||
| | # Fires when __HTML_FONT_LOW_CONTRAST_MINFP and __FB_S_STOCK both hit and __BUGGED_IMG does not (sub-rules defined outside this excerpt). | |
4069 | meta STOCK_LOW_CONTRAST (__HTML_FONT_LOW_CONTRAST_MINFP && __FB_S_STOCK) && !__BUGGED_IMG | |
4070 | describe STOCK_LOW_CONTRAST Stocks + hidden text | |
4071 | #score STOCK_LOW_CONTRAST 2.500 # limit | |
4072 | tflags STOCK_LOW_CONTRAST publish | |
4073 | ##} STOCK_LOW_CONTRAST | |
4074 | ||
4075 | ##{ STOCK_PRICES | |
4076 | ||
| | # Fires when the scored rules SHORT_TERM_PRICE and LONG_TERM_PRICE both hit; LONG_TERM_PRICE is defined outside this excerpt. | |
| | # No describe or score line is given in this block. | |
4077 | meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE) | |
4078 | ##} STOCK_PRICES | |
4079 | ||
4080 | ##{ STOCK_TIP | |
4081 | ||
| | # Fires on the sub-rule __STOCK_TIP when __DKIM_EXISTS does not hit (both defined outside this excerpt). | |
| | # NOTE(review): going by its name, __DKIM_EXISTS tests for the presence of a signature and not its validity; if so, any DKIM-Signature header exempts a message from this rule. Confirm against the sub-rule definition. | |
4082 | meta STOCK_TIP __STOCK_TIP && !__DKIM_EXISTS | |
4083 | describe STOCK_TIP Stock tips | |
4084 | #score STOCK_TIP 3.000 # limit | |
4085 | tflags STOCK_TIP publish | |
4086 | ##} STOCK_TIP | |
4087 | ||
4088 | ##{ STOX_AND_PRICE | |
4089 | ||
| | # Fires when the scored rules CURR_PRICE and STOX_REPLY_TYPE both hit; CURR_PRICE is defined outside this excerpt. | |
| | # No describe or score line is given in this block. | |
4090 | meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE | |
4091 | ##} STOX_AND_PRICE | |
4092 | ||
4093 | ##{ STOX_REPLY_TYPE | |
4094 | ||
| | # Matches a Content-Type header containing "text/plain; " followed later by " reply-type=original"; case-sensitive and unanchored. | |
| | # It feeds the meta rules STOX_AND_PRICE and STOX_REPLY_TYPE_WITHOUT_QUOTES. No describe or score line is given in this block. | |
4095 | header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/ | |
4096 | ##} STOX_REPLY_TYPE | |
4097 | ||
4098 | ##{ STOX_REPLY_TYPE_WITHOUT_QUOTES | |
4099 | ||
| | # Fires when STOX_REPLY_TYPE hits and neither __HS_SUBJ_RE_FW nor __HS_QUOTE does (sub-rules defined outside this excerpt). | |
| | # Read from the rule names, the message declares itself a reply in Content-Type but has no Re:/Fw: subject and no quoted text. | |
4100 | meta STOX_REPLY_TYPE_WITHOUT_QUOTES (STOX_REPLY_TYPE && !(__HS_SUBJ_RE_FW || __HS_QUOTE)) | |
4101 | ##} STOX_REPLY_TYPE_WITHOUT_QUOTES | |
4102 | ||
4103 | ##{ SUBJECT_NEEDS_ENCODING | |
4104 | ||
| | # Fires when __SUBJECT_NEEDS_MIME hits and the Subject is neither base64- nor QP-encoded according to the two __SUBJECT_ENCODED_* sub-rules (defined outside this excerpt). | |
| | # NOTE(review): the describe text says the subject "is encoded", while the expression requires that neither encoded form is present; presumably the subject contains characters that need MIME encoding but are sent raw. Confirm against __SUBJECT_NEEDS_MIME. | |
4105 | meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME | |
4106 | describe SUBJECT_NEEDS_ENCODING Subject is encoded but does not specify the encoding | |
4107 | ##} SUBJECT_NEEDS_ENCODING | |
4108 | ||
4109 | ##{ SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM | |
4110 | ||
| | # Defined only when the DKIM plugin is loaded, because the expression references that plugin's DKIM_SIGNED rule. | |
| | # Fires on the sub-rule __SUBJ_BRKN_WORDNUMS when the message is not DKIM-signed and __TO___LOWER does not hit (sub-rules defined outside this excerpt). | |
4111 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
4112 | meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER | |
4113 | describe SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers | |
4114 | endif | |
4115 | ##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM | |
4116 | ||
4117 | ##{ SUBJ_UNNEEDED_HTML | |
4118 | ||
| | # Fires on the sub-rule __SUBJ_UNNEEDED_HTML unless __NOT_SPOOFED, __RP_MATCHES_RCVD or __VIA_ML also hits (sub-rules defined outside this excerpt). | |
4119 | meta SUBJ_UNNEEDED_HTML __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML | |
4120 | describe SUBJ_UNNEEDED_HTML Unneeded HTML formatting in Subject: | |
4121 | ##} SUBJ_UNNEEDED_HTML | |
4122 | ||
4123 | ##{ SYSADMIN | |
4124 | ||
| | # Fires on the sub-rule __SYSADMIN for mail that is not ALL_TRUSTED, has no text attachment, no DKIM signature, no matching envelope and header From, and no digits-only message-id (per the sub-rule names; definitions are outside this excerpt). | |
| | # NOTE(review): for an IT-department impersonation rule, the !__DKIM_EXISTS carve-out matters: if that sub-rule checks only for the presence of a signature, any signed message is exempt whatever domain signed it. Confirm against the sub-rule definition. | |
4125 | meta SYSADMIN __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS | |
4126 | describe SYSADMIN Supposedly from your IT department | |
4127 | #score SYSADMIN 3.500 # limit | |
4128 | tflags SYSADMIN publish | |
4129 | ##} SYSADMIN | |
4130 | ||
4131 | ##{ TAGSTAT_IMG_NOT_RCVD_TGST | |
4132 | ||
| | # Thin wrapper: exposes the sub-rule __TAGSTAT_IMG_NOT_RCVD_TGST (defined outside this excerpt) under a scored name, with no further conditions. | |
4133 | meta TAGSTAT_IMG_NOT_RCVD_TGST __TAGSTAT_IMG_NOT_RCVD_TGST | |
4134 | #score TAGSTAT_IMG_NOT_RCVD_TGST 2.000 # limit | |
4135 | describe TAGSTAT_IMG_NOT_RCVD_TGST Tagstat hosted image but message not from Tagstat | |
4136 | tflags TAGSTAT_IMG_NOT_RCVD_TGST publish | |
4137 | ##} TAGSTAT_IMG_NOT_RCVD_TGST | |
4138 | ||
4139 | ##{ TBIRD_SUSP_MIME_BDRY | |
4140 | ||
| | # Fires when __MUA_TBIRD and __TB_MIME_BDRY_NO_Z both hit (sub-rules defined outside this excerpt). | |
| | # Per the describe text, the message claims Thunderbird as its mail client but its MIME boundary does not look like one Thunderbird would produce. | |
4141 | meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z | |
4142 | describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary | |
4143 | ##} TBIRD_SUSP_MIME_BDRY | |
4144 | ||
4145 | ##{ TEQF_USR_IMAGE | |
4146 | ||
| | # Fires when __TO_EQ_FROM_USR_NN_MINFP and __ANY_IMAGE_ATTACH both hit (sub-rules defined outside this excerpt). | |
4147 | meta TEQF_USR_IMAGE __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH | |
4148 | describe TEQF_USR_IMAGE To and from user nearly same + image | |
4149 | tflags TEQF_USR_IMAGE publish | |
4150 | ##} TEQF_USR_IMAGE | |
4151 | ||
4152 | ##{ TEQF_USR_MSGID_HEX | |
4153 | ||
| | # Fires when __TO_EQ_FROM_USR_NN_MINFP and __MSGID_OK_HEX both hit and __MSGID_NOFQDN2 does not (sub-rules defined outside this excerpt). | |
| | # The !__MSGID_NOFQDN2 term keeps this rule disjoint from TEQF_USR_MSGID_MALF, which requires that sub-rule. | |
4154 | meta TEQF_USR_MSGID_HEX __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2 | |
4155 | describe TEQF_USR_MSGID_HEX To and from user nearly same + unusual message ID | |
4156 | tflags TEQF_USR_MSGID_HEX publish | |
4157 | ##} TEQF_USR_MSGID_HEX | |
4158 | ||
4159 | ##{ TEQF_USR_MSGID_MALF | |
4160 | ||
| | # Fires when __TO_EQ_FROM_USR_NN_MINFP and __MSGID_NOFQDN2 both hit (sub-rules defined outside this excerpt). | |
4161 | meta TEQF_USR_MSGID_MALF __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2 | |
4162 | describe TEQF_USR_MSGID_MALF To and from user nearly same + malformed message ID | |
4163 | tflags TEQF_USR_MSGID_MALF publish | |
4164 | ##} TEQF_USR_MSGID_MALF | |
4165 | ||
4166 | ##{ THEBAT_UNREG | |
4167 | ||
| # Matches an X-Mailer value that starts with "The Bat! ", has at most 20 further characters, | |
| # and ends with " UNREG". Case-sensitive and anchored at both ends. | |
| # X-Mailer is set by the sender, so treat a hit as a weak hint rather than proof of the client. | |
| # No describe line is present, so a hit is reported without explanatory text. | |
4168 | header THEBAT_UNREG X-Mailer =~ /^The Bat! .{0,20} UNREG$/ | |
4169 | ##} THEBAT_UNREG | |
4170 | ||
4171 | ##{ THIS_AD | |
4172 | ||
4173 | meta THIS_AD __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD | |
4174 | describe THIS_AD "This ad" and variants | |
4175 | tflags THIS_AD publish | |
4176 | ##} THIS_AD | |
4177 | ||
4178 | ##{ THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4179 | ||
4180 | if (version >= 3.004002) | |
4181 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4182 | meta THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __ADMITS_SPAM | |
4183 | tflags THIS_IS_ADV_SUSP_NTLD publish | |
4184 | describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD | |
4185 | #score THIS_IS_ADV_SUSP_NTLD 1.5 # limit | |
4186 | endif | |
4187 | endif | |
4188 | ##} THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4189 | ||
4190 | ##{ TONLINE_FAKE_DKIM | |
4191 | ||
| # Fires when both __HDR_RCVD_TONLINEDE and __DKIM_EXISTS hit (both defined outside this excerpt). | |
| # NOTE(review): the rule encodes the provider practice stated in the describe text. That is an | |
| #   external fact which can change; if the provider starts signing, legitimate mail will hit. | |
| #   Re-verify the assumption before enabling the commented-out 3.000 score. | |
| # NOTE(review): presumably __DKIM_EXISTS tests header presence only - TODO confirm. | |
4192 | meta TONLINE_FAKE_DKIM __HDR_RCVD_TONLINEDE && __DKIM_EXISTS | |
4193 | describe TONLINE_FAKE_DKIM t-online.de doesn't do DKIM | |
4194 | #score TONLINE_FAKE_DKIM 3.000 # limit | |
4195 | tflags TONLINE_FAKE_DKIM publish | |
4196 | ##} TONLINE_FAKE_DKIM | |
4197 | ||
4198 | ##{ TO_EQ_FM_DIRECT_MX | |
4199 | ||
4200 | meta TO_EQ_FM_DIRECT_MX __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED | |
4201 | describe TO_EQ_FM_DIRECT_MX To == From and direct-to-MX | |
4202 | #score TO_EQ_FM_DIRECT_MX 2.500 # limit | |
4203 | tflags TO_EQ_FM_DIRECT_MX publish | |
4204 | ##} TO_EQ_FM_DIRECT_MX | |
4205 | ||
4206 | ##{ TO_EQ_FM_DOM_HTML_IMG | |
4207 | ||
4208 | meta TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD | |
4209 | describe TO_EQ_FM_DOM_HTML_IMG To domain == From domain and HTML image link | |
4210 | ##} TO_EQ_FM_DOM_HTML_IMG | |
4211 | ||
4212 | ##{ TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF | |
4213 | ||
| # Only defined when the SPF plugin is loaded. Fires when __TO_EQ_FM_DOM_SPF_FAIL hits and the | |
| # message is neither threaded (__THREADED) nor from trusted hosts only (ALL_TRUSTED). | |
| # "tflags net" marks this as a network test, so it is skipped when network checks are disabled. | |
| # NOTE(review): the ALL_TRUSTED exclusion is only as good as trusted_networks / | |
| #   internal_networks; verify them, or self-addressed spoofs relayed through a wrongly | |
| #   trusted hop will not be flagged. TO_EQ_FM_SPF_FAIL in this file has the same shape. | |
4214 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
4215 | meta TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED | |
4216 | describe TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed | |
4217 | tflags TO_EQ_FM_DOM_SPF_FAIL net | |
4218 | endif | |
4219 | ##} TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF | |
4220 | ||
4221 | ##{ TO_EQ_FM_HTML_ONLY | |
4222 | ||
4223 | meta TO_EQ_FM_HTML_ONLY __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTER | |
4224 | describe TO_EQ_FM_HTML_ONLY To == From and HTML only | |
4225 | ##} TO_EQ_FM_HTML_ONLY | |
4226 | ||
4227 | ##{ TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF | |
4228 | ||
4229 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
4230 | meta TO_EQ_FM_SPF_FAIL __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED | |
4231 | describe TO_EQ_FM_SPF_FAIL To == From and external SPF failed | |
4232 | tflags TO_EQ_FM_SPF_FAIL net | |
4233 | endif | |
4234 | ##} TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF | |
4235 | ||
4236 | ##{ TO_IN_SUBJ | |
4237 | ||
4238 | meta TO_IN_SUBJ __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW | |
4239 | describe TO_IN_SUBJ To address is in Subject | |
4240 | tflags TO_IN_SUBJ publish | |
4241 | #score TO_IN_SUBJ 0.1 | |
4242 | ##} TO_IN_SUBJ | |
4243 | ||
4244 | ##{ TO_NAME_SUBJ_NO_RDNS | |
4245 | ||
4246 | meta TO_NAME_SUBJ_NO_RDNS LOCALPART_IN_SUBJECT && __RDNS_NONE | |
4247 | describe TO_NAME_SUBJ_NO_RDNS Recipient username in subject + no rDNS | |
4248 | #score TO_NAME_SUBJ_NO_RDNS 3.000 # limit | |
4249 | tflags TO_NAME_SUBJ_NO_RDNS publish | |
4250 | ##} TO_NAME_SUBJ_NO_RDNS | |
4251 | ||
4252 | ##{ TO_NO_BRKTS_FROM_MSSP | |
4253 | ||
4254 | meta TO_NO_BRKTS_FROM_MSSP __TO_NO_BRKTS_FROM_RUNON && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__TO___LOWER && !__BUGGED_IMG && !__SUBJECT_ENCODED_QP && !__VIA_ML && !__FR_SPACING_8 && !__TAG_EXISTS_CENTER && !__RCVD_ZIXMAIL && !__RP_MATCHES_RCVD && !__HAS_SENDER | |
4255 | #score TO_NO_BRKTS_FROM_MSSP 2.50 # max | |
4256 | describe TO_NO_BRKTS_FROM_MSSP Multiple header formatting problems | |
4257 | ##} TO_NO_BRKTS_FROM_MSSP | |
4258 | ||
4259 | ##{ TO_NO_BRKTS_HTML_IMG | |
4260 | ||
4261 | meta TO_NO_BRKTS_HTML_IMG __TO_NO_BRKTS_HTML_IMG && !__FM_TO_ALL_NUMS && !__FROM_FULL_NAME && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__HAS_SENDER && !__THREADED && !__LONGLINE | |
4262 | describe TO_NO_BRKTS_HTML_IMG To: lacks brackets and HTML and one image | |
4263 | #score TO_NO_BRKTS_HTML_IMG 2.000 # limit | |
4264 | tflags TO_NO_BRKTS_HTML_IMG publish | |
4265 | ##} TO_NO_BRKTS_HTML_IMG | |
4266 | ||
4267 | ##{ TO_NO_BRKTS_HTML_ONLY | |
4268 | ||
4269 | meta TO_NO_BRKTS_HTML_ONLY __TO_NO_BRKTS_HTML_ONLY && !RDNS_NONE && !__MIME_QP && !__MSGID_JAVAMAIL && !__CTYPE_CHARSET_QUOTED && !__SUBJECT_ENCODED_B64 && !__VIA_ML && !__MSGID_BEFORE_RECEIVED && !__MIME_BASE64 && !__RCD_RDNS_MAIL_MESSY && !__COMMENT_EXISTS && !LOTS_OF_MONEY && !__TAG_EXISTS_CENTER && !__UPPERCASE_URI && !__UNSUB_LINK && !__RCD_RDNS_MX_MESSY && !__DKIM_EXISTS && !__BUGGED_IMG && !__FM_TO_ALL_NUMS && !__URI_12LTRDOM && !__RDNS_NO_SUBDOM && !__HDRS_LCASE && !__LCL__ENV_AND_HDR_FROM_MATCH | |
4270 | #score TO_NO_BRKTS_HTML_ONLY 2.00 # limit | |
4271 | describe TO_NO_BRKTS_HTML_ONLY To: lacks brackets and HTML only | |
4272 | tflags TO_NO_BRKTS_HTML_ONLY publish | |
4273 | ##} TO_NO_BRKTS_HTML_ONLY | |
4274 | ||
4275 | ##{ TO_NO_BRKTS_MSFT | |
4276 | ||
4277 | meta TO_NO_BRKTS_MSFT __TO_NO_BRKTS_MSFT && !__VIA_ML && !__LYRIS_EZLM_REMAILER && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__UNSUB_LINK && !__NOT_SPOOFED && !__DOS_HAS_LIST_UNSUB && !__NAME_EQ_EMAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__HAS_THREAD_INDEX && !__HAS_X_REF && !__HAS_IN_REPLY_TO && !__FROM_ENCODED_QP && !__RP_MATCHES_RCVD | |
4278 | describe TO_NO_BRKTS_MSFT To: lacks brackets and supposed Microsoft tool | |
4279 | #score TO_NO_BRKTS_MSFT 2.50 # limit | |
4280 | ##} TO_NO_BRKTS_MSFT | |
4281 | ||
4282 | ##{ TO_NO_BRKTS_NORDNS_HTML | |
4283 | ||
4284 | meta TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_NORDNS_HTML && !ALL_TRUSTED && !__MSGID_JAVAMAIL && !__MSGID_BEFORE_RECEIVED && !__VIA_ML && !__UA_MUTT && !__COMMENT_EXISTS && !__HTML_LENGTH_384 && !__MIME_BASE64 && !__UPPERCASE_URI && !__TO___LOWER && !__TAG_EXISTS_CENTER && !__LONGLINE && !__DKIM_EXISTS | |
4285 | #score TO_NO_BRKTS_NORDNS_HTML 2.00 # limit | |
4286 | describe TO_NO_BRKTS_NORDNS_HTML To: lacks brackets and no rDNS and HTML only | |
4287 | tflags TO_NO_BRKTS_NORDNS_HTML publish | |
4288 | ##} TO_NO_BRKTS_NORDNS_HTML | |
4289 | ||
4290 | ##{ TO_NO_BRKTS_PCNT | |
4291 | ||
4292 | meta TO_NO_BRKTS_PCNT __TO_NO_BRKTS_PCNT && !__SUBJECT_ENCODED_B64 && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__ISO_2022_JP_DELIM && !__IMS_MSGID && !__THREAD_INDEX_GOOD && !__RCD_RDNS_MX_MESSY && !__UNSUB_LINK && !__LONGLINE && !URI_HEX && !__RP_MATCHES_RCVD && !__MAIL_LINK && !__BUGGED_IMG && !__MIME_QP && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_X_MAILER && !__HTML_LINK_IMAGE && !__SENDER_BOT && !__DKIM_EXISTS && !__KHOP_NO_FULL_NAME && !__THREADED | |
4293 | describe TO_NO_BRKTS_PCNT To: lacks brackets + percentage | |
4294 | #score TO_NO_BRKTS_PCNT 2.50 # limit | |
4295 | tflags TO_NO_BRKTS_PCNT publish | |
4296 | ##} TO_NO_BRKTS_PCNT | |
4297 | ||
4298 | ##{ TO_TOO_MANY_WFH_01 | |
4299 | ||
4300 | meta TO_TOO_MANY_WFH_01 __TO_TOO_MANY_WFH_01 | |
4301 | describe TO_TOO_MANY_WFH_01 Work-from-Home + many recipients | |
4302 | tflags TO_TOO_MANY_WFH_01 publish | |
4303 | ##} TO_TOO_MANY_WFH_01 | |
4304 | ||
4305 | ##{ TRANSFORM_LIFE | |
4306 | ||
4307 | meta TRANSFORM_LIFE __TRANSFORM_LIFE && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_X_MAILER && !__VIA_ML | |
4308 | describe TRANSFORM_LIFE Transform your life! | |
4309 | #score TRANSFORM_LIFE 2.500 # limit | |
4310 | ##} TRANSFORM_LIFE | |
4311 | ||
4312 | ##{ TT_MSGID_TRUNC | |
4313 | ||
4314 | header TT_MSGID_TRUNC Message-Id =~ /^\s*<?[^<>\s]+\[\d+$/ | |
4315 | describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits | |
4316 | ##} TT_MSGID_TRUNC | |
4317 | ||
4318 | ##{ TT_OBSCURED_VALIUM | |
4319 | ||
4320 | meta TT_OBSCURED_VALIUM ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM | |
4321 | describe TT_OBSCURED_VALIUM Scora: obscured "VALIUM" in subject | |
4322 | ##} TT_OBSCURED_VALIUM | |
4323 | ||
4324 | ##{ TT_OBSCURED_VIAGRA | |
4325 | ||
4326 | meta TT_OBSCURED_VIAGRA ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA | |
4327 | describe TT_OBSCURED_VIAGRA Scora: obscured "VIAGRA" in subject | |
4328 | ##} TT_OBSCURED_VIAGRA | |
4329 | ||
4330 | ##{ TVD_ACT_193 | |
4331 | ||
4332 | body TVD_ACT_193 /\bact of (?:193|nineteen thirty)/i | |
4333 | describe TVD_ACT_193 Message refers to an act passed in the 1930s | |
4334 | ##} TVD_ACT_193 | |
4335 | ||
4336 | ##{ TVD_APPROVED | |
4337 | ||
4338 | body TVD_APPROVED /you.{1,2}re .{0,20}approved/i | |
4339 | describe TVD_APPROVED Body states that the recipient has been approved | |
4340 | ##} TVD_APPROVED | |
4341 | ||
4342 | ##{ TVD_DEAR_HOMEOWNER | |
4343 | ||
4344 | body TVD_DEAR_HOMEOWNER /^dear homeowner/i | |
4345 | describe TVD_DEAR_HOMEOWNER Spam with generic salutation of "dear homeowner" | |
4346 | ##} TVD_DEAR_HOMEOWNER | |
4347 | ||
4348 | ##{ TVD_EB_PHISH | |
4349 | ||
| # Fires when both __FROM_EBAY and NORMAL_HTTP_TO_IP hit; both are defined outside this excerpt. | |
| # Presumably: sender claims to be eBay and the body links to a bare IP address - TODO confirm | |
| # against the sub-rule definitions. | |
| # No describe line is present, so a hit is reported without explanatory text. | |
4350 | meta TVD_EB_PHISH __FROM_EBAY && NORMAL_HTTP_TO_IP | |
4351 | ##} TVD_EB_PHISH | |
4352 | ||
4353 | ##{ TVD_ENVFROM_APOST | |
4354 | ||
4355 | header TVD_ENVFROM_APOST EnvelopeFrom =~ /\'/ | |
4356 | describe TVD_ENVFROM_APOST Envelope From contains single-quote | |
4357 | ##} TVD_ENVFROM_APOST | |
4358 | ||
4359 | ##{ TVD_FINGER_02 | |
4360 | ||
| # Header fingerprint: Content-Type begins with text/plain followed by exactly three "; param" | |
| # items in a row, each being format=flowed, charset="Windows-1252" or reply-type=original. | |
| # Order is not fixed and the pattern does not forbid repeats. Case-insensitive, not anchored | |
| # at the end. | |
| # No describe line is present, so a hit is reported without explanatory text. | |
4361 | header TVD_FINGER_02 Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i | |
4362 | ##} TVD_FINGER_02 | |
4363 | ||
4364 | ##{ TVD_FLOAT_GENERAL | |
4365 | ||
4366 | rawbody TVD_FLOAT_GENERAL /\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i | |
4367 | describe TVD_FLOAT_GENERAL Message uses CSS float style | |
4368 | ##} TVD_FLOAT_GENERAL | |
4369 | ||
4370 | ##{ TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4371 | ||
4372 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4373 | body TVD_FUZZY_DEGREE /<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i | |
4374 | describe TVD_FUZZY_DEGREE Obfuscation of the word "degree" | |
4375 | endif | |
4376 | ##} TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4377 | ||
4378 | ##{ TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4379 | ||
4380 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4381 | body TVD_FUZZY_FINANCE /(?!finance)<F><I><N><A><N><C><E>/i | |
4382 | describe TVD_FUZZY_FINANCE Obfuscation of the word "finance" | |
4383 | endif | |
4384 | ##} TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4385 | ||
4386 | ##{ TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4387 | ||
4388 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4389 | body TVD_FUZZY_FIXED_RATE /<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i | |
4390 | describe TVD_FUZZY_FIXED_RATE Obfuscation of the phrase "fixed rate" | |
4391 | endif | |
4392 | ##} TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4393 | ||
4394 | ##{ TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4395 | ||
4396 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4397 | body TVD_FUZZY_MICROCAP /<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i | |
4398 | describe TVD_FUZZY_MICROCAP Obfuscation of the word "micro-cap" | |
4399 | endif | |
4400 | ##} TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4401 | ||
4402 | ##{ TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4403 | ||
4404 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4405 | body TVD_FUZZY_PHARMACEUTICAL /<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i | |
4406 | describe TVD_FUZZY_PHARMACEUTICAL Obfuscation of the word "pharmaceutical" | |
4407 | endif | |
4408 | ##} TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4409 | ||
4410 | ##{ TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4411 | ||
4412 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4413 | body TVD_FUZZY_SYMBOL /<inter W2><post P2>(?!symboo?l)<S><Y><M><B><O><L>/i | |
4414 | describe TVD_FUZZY_SYMBOL Obfuscation of the word "symbol" | |
4415 | endif | |
4416 | ##} TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4417 | ||
4418 | ##{ TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4419 | ||
4420 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4421 | mimeheader TVD_FW_GRAPHIC_NAME_LONG Content-Type =~ /\bname="[a-z]{8,}\.gif/ | |
4422 | describe TVD_FW_GRAPHIC_NAME_LONG Long image attachment name | |
4423 | endif | |
4424 | ##} TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4425 | ||
4426 | ##{ TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4427 | ||
4428 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4429 | mimeheader TVD_FW_GRAPHIC_NAME_MID Content-Type =~ /\bname="[a-z]{6,7}\.gif/ | |
4430 | describe TVD_FW_GRAPHIC_NAME_MID Medium sized image attachment name | |
4431 | endif | |
4432 | ##} TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4433 | ||
4434 | ##{ TVD_INCREASE_SIZE | |
4435 | ||
4436 | body TVD_INCREASE_SIZE /\bsize of .{1,20}(?:penis|dick|manhood)/i | |
4437 | describe TVD_INCREASE_SIZE Advertising for penis enlargement | |
4438 | ##} TVD_INCREASE_SIZE | |
4439 | ||
4440 | ##{ TVD_LINK_SAVE | |
4441 | ||
4442 | body TVD_LINK_SAVE /\blink to save\b/i | |
4443 | describe TVD_LINK_SAVE Spam with the text "link to save" | |
4444 | ##} TVD_LINK_SAVE | |
4445 | ||
4446 | ##{ TVD_PH_BODY_ACCOUNTS_PRE | |
4447 | ||
4448 | meta TVD_PH_BODY_ACCOUNTS_PRE __TVD_PH_BODY_ACCOUNTS_PRE | |
4449 | describe TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts suspended", "account credited", "account verification" | |
4450 | ##} TVD_PH_BODY_ACCOUNTS_PRE | |
4451 | ||
4452 | ##{ TVD_PH_BODY_META | |
4453 | ||
4454 | meta TVD_PH_BODY_META __TVD_PH_BODY_META | |
4455 | ##} TVD_PH_BODY_META | |
4456 | ||
4457 | ##{ TVD_PH_REC | |
4458 | ||
4459 | body TVD_PH_REC /\byour .{0,40}account .{0,40}record/i | |
4460 | describe TVD_PH_REC Message includes a phrase commonly used in phishing mails | |
4461 | ##} TVD_PH_REC | |
4462 | ||
4463 | ##{ TVD_PH_SEC | |
4464 | ||
4465 | body TVD_PH_SEC /\byour .{0,40}account .{0,40}security/i | |
4466 | describe TVD_PH_SEC Message includes a phrase commonly used in phishing mails | |
4467 | ##} TVD_PH_SEC | |
4468 | ||
4469 | ##{ TVD_PP_PHISH | |
4470 | ||
| # Fires when both __FROM_PAYPAL and NORMAL_HTTP_TO_IP hit; both are defined outside this excerpt. | |
| # Presumably: sender claims to be PayPal and the body links to a bare IP address - TODO confirm | |
| # against the sub-rule definitions. | |
| # No describe line is present, so a hit is reported without explanatory text. | |
4471 | meta TVD_PP_PHISH __FROM_PAYPAL && NORMAL_HTTP_TO_IP | |
4472 | ##} TVD_PP_PHISH | |
4473 | ||
4474 | ##{ TVD_QUAL_MEDS | |
4475 | ||
4476 | body TVD_QUAL_MEDS /\bquality med(?:ication)?s\b/i | |
4477 | describe TVD_QUAL_MEDS The body matches phrases such as "quality meds" or "quality medication" | |
4478 | ##} TVD_QUAL_MEDS | |
4479 | ||
4480 | ##{ TVD_RATWARE_CB | |
4481 | ||
4482 | header TVD_RATWARE_CB Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i | |
4483 | describe TVD_RATWARE_CB Content-Type header that is commonly indicative of ratware | |
4484 | ##} TVD_RATWARE_CB | |
4485 | ||
4486 | ##{ TVD_RATWARE_CB_2 | |
4487 | ||
4488 | header TVD_RATWARE_CB_2 Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/ | |
4489 | describe TVD_RATWARE_CB_2 Content-Type header that is commonly indicative of ratware | |
4490 | ##} TVD_RATWARE_CB_2 | |
4491 | ||
4492 | ##{ TVD_RATWARE_MSGID_02 | |
4493 | ||
| # The pattern checks only the part between "<" and "@": one or more lower-case ASCII letters | |
| # and nothing else (no digits, dots or punctuation). The text after "@" is not examined. | |
| # NOTE(review): the describe text says the header is "entirely lower-case"; the regex is | |
| #   narrower on the left part (letters only) and places no constraint on the right part. | |
4494 | header TVD_RATWARE_MSGID_02 Message-ID =~ /^[^<]*<[a-z]+\@/ | |
4495 | describe TVD_RATWARE_MSGID_02 Ratware with a Message-ID header that is entirely lower-case | |
4496 | ##} TVD_RATWARE_MSGID_02 | |
4497 | ||
4498 | ##{ TVD_RCVD_IP | |
4499 | ||
| # Matches "from" + whitespace + four digit groups, then a dot or whitespace. The separator | |
| # between groups is any single character that is not alphanumeric or whitespace, so dashes | |
| # and other punctuation count as well as dots. | |
| # NOTE(review): because a trailing dot is accepted, names that merely begin with four numeric | |
| #   groups (e.g. a constructed sample such as "1-2-3-4.host.example") also match; the describe | |
| #   text is narrower than the pattern. TVD_RCVD_IP4 in this file is the strict dotted form. | |
4500 | header TVD_RCVD_IP Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/ | |
4501 | describe TVD_RCVD_IP Message was received from an IP address | |
4502 | ##} TVD_RCVD_IP | |
4503 | ||
4504 | ##{ TVD_RCVD_IP4 | |
4505 | ||
4506 | header TVD_RCVD_IP4 Received =~ /^from\s+(?:\d+\.){3}\d+\s/ | |
4507 | describe TVD_RCVD_IP4 Message was received from an IPv4 address | |
4508 | ##} TVD_RCVD_IP4 | |
4509 | ||
4510 | ##{ TVD_RCVD_SPACE_BRACKET | |
4511 | ||
| # Matches a Received header containing "([" followed by text that reaches a whitespace | |
| # character before any further square bracket, i.e. whitespace inside the bracketed part. | |
| # Text starting with "unix" right after "([" is excluded. Case-insensitive. | |
| # No describe line is present, so a hit is reported without explanatory text. | |
4512 | header TVD_RCVD_SPACE_BRACKET Received =~ /\(\[(?!unix)[^\[\]]*\s/i | |
4513 | ##} TVD_RCVD_SPACE_BRACKET | |
4514 | ||
4515 | ##{ TVD_SECTION | |
4516 | ||
4517 | body TVD_SECTION /\bSection (?:27A|21B)/i | |
4518 | describe TVD_SECTION References to specific legal codes | |
4519 | ##} TVD_SECTION | |
4520 | ||
4521 | ##{ TVD_SILLY_URI_OBFU | |
4522 | ||
| # Text match on the body, not a uri rule: http:// or https://, a host-like label and a dot, | |
| # then at least one character from outside the listed host/URL character set, then further | |
| # host characters ending in three letters followed by whitespace or end of line. | |
| # Purpose per the describe text: catch link text whose stray character keeps URI-based checks | |
| # from recognising the host. The three-letter ending means longer or two-letter suffixes are | |
| # outside this rule's coverage. | |
4523 | body TVD_SILLY_URI_OBFU m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i | |
4524 | describe TVD_SILLY_URI_OBFU URI obfuscation that can fool a URIBL or a uri rule | |
4525 | ##} TVD_SILLY_URI_OBFU | |
4526 | ||
4527 | ##{ TVD_SPACED_SUBJECT_WORD3 | |
4528 | ||
4529 | header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/ | |
4530 | describe TVD_SPACED_SUBJECT_WORD3 Entire subject is "UPPERlowerUPPER" with no whitespace | |
4531 | ##} TVD_SPACED_SUBJECT_WORD3 | |
4532 | ||
4533 | ##{ TVD_SPACE_ENCODED | |
4534 | ||
4535 | meta TVD_SPACE_ENCODED __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM | |
4536 | #score TVD_SPACE_ENCODED 2.500 # limit | |
4537 | describe TVD_SPACE_ENCODED Space ratio & encoded subject | |
4538 | ##} TVD_SPACE_ENCODED | |
4539 | ||
4540 | ##{ TVD_SPACE_RATIO_MINFP | |
4541 | ||
4542 | meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY && !__XM_APPLEMAIL | |
4543 | #score TVD_SPACE_RATIO_MINFP 2.500 # limit | |
4544 | describe TVD_SPACE_RATIO_MINFP Space ratio (vertical text obfuscation?) | |
4545 | ##} TVD_SPACE_RATIO_MINFP | |
4546 | ||
4547 | ##{ TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
4548 | ||
4549 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
4550 | body TVD_STOCK1 eval:check_stock_info('2') | |
4551 | describe TVD_STOCK1 Spam related to stock trading | |
4552 | endif | |
4553 | ##} TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
4554 | ||
4555 | ##{ TVD_SUBJ_ACC_NUM | |
4556 | ||
4557 | header TVD_SUBJ_ACC_NUM Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/ | |
4558 | describe TVD_SUBJ_ACC_NUM Subject has spammy looking monetary reference | |
4559 | ##} TVD_SUBJ_ACC_NUM | |
4560 | ||
4561 | ##{ TVD_SUBJ_FINGER_03 | |
4562 | ||
4563 | header TVD_SUBJ_FINGER_03 Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/ | |
4564 | describe TVD_SUBJ_FINGER_03 Entire subject is enclosed in asterisks "* like so *" | |
4565 | ##} TVD_SUBJ_FINGER_03 | |
4566 | ||
4567 | ##{ TVD_SUBJ_NUM_OBFU_MINFP | |
4568 | ||
4569 | meta TVD_SUBJ_NUM_OBFU_MINFP __TVD_SUBJ_NUM_OBFU && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !__X_CRON_ENV && !__NOT_A_PERSON && !__HAS_THREAD_INDEX && !__THREADED && !__NUMBERS_IN_SUBJ && !__URI_MAILTO | |
4570 | ##} TVD_SUBJ_NUM_OBFU_MINFP | |
4571 | ||
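4572 | ##{ TVD_SUBJ_OWE | |
4573 | ||
| # Subject must consist of: one or more words, "you", optional words, "owe" or "indebted", | |
| # one or more words, then "another" (optionally written "an other"). Case-insensitive and | |
| # anchored at the start of the Subject. | |
4574 | header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i | |
4575 | describe TVD_SUBJ_OWE Subject line states that the recipient is in debt | |
4576 | ##} TVD_SUBJ_OWE | |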
4577 | ||
4578 | ##{ TVD_SUBJ_WIPE_DEBT | |
4579 | ||
4580 | header TVD_SUBJ_WIPE_DEBT Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i | |
4581 | describe TVD_SUBJ_WIPE_DEBT Spam advertising a way to eliminate debt | |
4582 | ##} TVD_SUBJ_WIPE_DEBT | |
4583 | ||
4584 | ##{ TVD_VISIT_PHARMA | |
4585 | ||
4586 | body TVD_VISIT_PHARMA /Online Ph.rmacy/i | |
4587 | describe TVD_VISIT_PHARMA Body mentions online pharmacy | |
4588 | ##} TVD_VISIT_PHARMA | |
4589 | ||
4590 | ##{ TVD_VIS_HIDDEN | |
4591 | ||
4592 | rawbody TVD_VIS_HIDDEN /<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i | |
4593 | describe TVD_VIS_HIDDEN Invisible textarea HTML tags | |
4594 | ##} TVD_VIS_HIDDEN | |
4595 | ||
4596 | ##{ TW_GIBBERISH_MANY | |
4597 | ||
4598 | meta TW_GIBBERISH_MANY __TENWORD_GIBBERISH > 20 | |
4599 | describe TW_GIBBERISH_MANY Lots of gibberish text to spoof pattern matching filters | |
4600 | #score TW_GIBBERISH_MANY 2.000 # limit | |
4601 | tflags TW_GIBBERISH_MANY publish | |
4602 | ##} TW_GIBBERISH_MANY | |
4603 | ||
4604 | ##{ T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4605 | ||
4606 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4607 | meta T_ACH_CANCELLED_EXE __ACH_CANCELLED_EXE | |
4608 | describe T_ACH_CANCELLED_EXE "ACH cancelled" probable malware | |
4609 | endif | |
4610 | ##} T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4611 | ||
4612 | ##{ T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4613 | ||
4614 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4615 | meta T_ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON | |
4616 | describe T_ANY_PILL_PRICE Prices for pills | |
4617 | endif | |
4618 | ##} T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4619 | ||
4620 | ##{ T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4621 | ||
4622 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4623 | mimeheader T_CDISP_SZ_MANY Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/ | |
4624 | describe T_CDISP_SZ_MANY Suspicious MIME header | |
4625 | # score T_CDISP_SZ_MANY 2.0 # limit | |
4626 | endif | |
4627 | ##} T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4628 | ||
4629 | ##{ T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
4630 | ||
| # Only defined when the HeaderEval plugin is loaded. | |
| # check_for_shifted_date takes a lower and an upper bound in hours: 2920 hours is about | |
| # 121.7 days, matching the "over 4 months" in the describe text; 'undef' leaves the upper | |
| # bound open. | |
| # The Date: header is written by the sender; the comparison is against the Received: time. | |
4631 | ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
4632 | header T_DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef') | |
4633 | describe T_DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date | |
4634 | endif | |
4635 | ##} T_DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
4636 | ||
4637 | ##{ T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4638 | ||
4639 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4640 | meta T_DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH_MT || __DOC_ATTACH_MT) | |
4641 | describe T_DOC_ATTACH_NO_EXT Document attachment with suspicious name | |
4642 | endif | |
4643 | ##} T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4644 | ||
4645 | ##{ T_DOS_OUTLOOK_TO_MX_IMAGE | |
4646 | ||
4647 | meta T_DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH | |
4648 | describe T_DOS_OUTLOOK_TO_MX_IMAGE Direct to MX with Outlook headers and an image | |
4649 | ##} T_DOS_OUTLOOK_TO_MX_IMAGE | |
4650 | ||
4651 | ##{ T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4652 | ||
| # Only defined when the MIMEHeader plugin is loaded. | |
| # Exact, case-sensitive match on a MIME part's Content-Type value: application/zip with the | |
| # single parameter name="hardcore.zip", anchored at both ends. | |
| # NOTE(review): this is a file-name indicator for one specific attachment name; the archive | |
| #   content is not inspected here. Keep attachment scanning by an anti-malware engine in | |
| #   place and do not read the absence of a hit as a clean result. | |
4653 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4654 | mimeheader T_DOS_ZIP_HARDCORE Content-Type =~ /^application\/zip;\sname="hardcore\.zip"$/ | |
4655 | describe T_DOS_ZIP_HARDCORE hardcore.zip file attached; quite certainly a virus | |
4656 | # score T_DOS_ZIP_HARDCORE 2.5 | |
4657 | endif | |
4658 | ##} T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4659 | ||
4660 | ##{ T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
4661 | ||
| # Defined only when the WLBLEval plugin is loaded and the version is at least 3.004000. | |
| # Fires when __PDS_HTML_LENGTH_1024 and DRUGS_ERECTILE hit together with either of the two | |
| # shortener sub-rules (__PDS_URISHORTENER, __URL_SHORTENER). | |
| # NOTE(review): the describe text names T_URL_SHORTENER, which the expression does not | |
| #   reference; the sub-rules actually used are the two listed above. | |
4662 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4663 | if (version >= 3.004000) | |
4664 | meta T_DRUGS_ERECTILE_SHORT_SHORTNER __PDS_HTML_LENGTH_1024 && (__PDS_URISHORTENER || __URL_SHORTENER) && DRUGS_ERECTILE | |
4665 | describe T_DRUGS_ERECTILE_SHORT_SHORTNER Short erectile drugs advert with T_URL_SHORTENER | |
4666 | #score T_DRUGS_ERECTILE_SHORT_SHORTNER 1.5 # limit | |
4667 | endif | |
4668 | endif | |
4669 | ##} T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
4670 | ||
4671 | ##{ T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4672 | ||
4673 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4674 | meta T_FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__SPOOFED_URL && !__VIA_ML && !__HAS_IN_REPLY_TO && !__THREADED && !__HDR_RCVD_SHOPIFY && !__HAS_ERRORS_TO | |
4675 | describe T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s) | |
4676 | endif | |
4677 | ##} T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4678 | ||
4679 | ##{ T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4680 | ||
4681 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4682 | meta T_FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE | |
4683 | describe T_FILL_THIS_FORM_LOAN Answer loan question(s) | |
4684 | # score T_FILL_THIS_FORM_LOAN 2.0 | |
4685 | endif | |
4686 | ##} T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4687 | ||
4688 | ##{ T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4689 | ||
4690 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4691 | meta T_FILL_THIS_FORM_SHORT __FILL_THIS_FORM_SHORT && !__VIA_ML && !__MSGID_JAVAMAIL | |
4692 | describe T_FILL_THIS_FORM_SHORT Fill in a short form with personal information | |
4693 | # score T_FILL_THIS_FORM_SHORT 1.00 # limit | |
4694 | endif | |
4695 | ##} T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4696 | ||
4697 | ##{ T_FORGED_RELAY_MUA_TO_MX | |
4698 | ||
| # Runs on the X-Spam-Relays-External pseudo-header and requires exactly two relay entries | |
| # (no third "[" may follow): | |
| #   - entry 1: ip= made of digits and dots, not beginning with 127; the value is captured. | |
| #   - entry 2: the same ip= value (back-reference), and a helo= value that is either empty | |
| #     or starts with "!" and is not in 10., 127., 169.254., 172.16-31. or 192.168. | |
| # NOTE(review): the "!" presumably stands for the "[" of an address-literal HELO as encoded in | |
| #   the relay metadata - TODO confirm against the Received-header parser of the deployed version. | |
| # NOTE(review): the result depends on where the external boundary is drawn, so it is only | |
| #   meaningful with correct trusted_networks / internal_networks settings. | |
| # No describe line is present, so a hit is reported without explanatory text. | |
4699 | header T_FORGED_RELAY_MUA_TO_MX X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10|127|169\.254|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.)| )[^\[]+$/ | |
4700 | ##} T_FORGED_RELAY_MUA_TO_MX | |
4701 | ||
4702 | ##{ T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo | |
4703 | ||
4704 | ifplugin Mail::SpamAssassin::Plugin::ImageInfo | |
4705 | meta T_FORGED_TBIRD_IMG_SIZE __FORGED_TBIRD_IMG && __ONE_IMG && __IMG_LE_300K | |
4706 | describe T_FORGED_TBIRD_IMG_SIZE Likely forged Thunderbird image spam | |
4707 | endif | |
4708 | ##} T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo | |
4709 | ||
4710 | ##{ T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4711 | ||
4712 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4713 | meta T_FREEMAIL_DOC_PDF __FREEMAIL_DOC_PDF | |
4714 | describe T_FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail | |
4715 | endif | |
4716 | ##} T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4717 | ||
4718 | ##{ T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4719 | ||
4720 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4721 | meta T_FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED | |
4722 | describe T_FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden | |
4723 | endif | |
4724 | ##} T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4725 | ||
4726 | ##{ T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4727 | ||
4728 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4729 | meta T_FREEMAIL_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF | |
4730 | describe T_FREEMAIL_RVW_ATTCH Please review attached document, from freemail | |
4731 | endif | |
4732 | ##} T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4733 | ||
4734 | ##{ T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4735 | ||
4736 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4737 | meta T_FROMNAME_EQUALS_TO __PLUGIN_FROMNAME_EQUALS_TO | |
4738 | describe T_FROMNAME_EQUALS_TO From:name matches To: | |
4739 | #score T_FROMNAME_EQUALS_TO 1.0 | |
4740 | tflags T_FROMNAME_EQUALS_TO publish | |
4741 | endif | |
4742 | ##} T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4743 | ||
4744 | ##{ T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4745 | ||
4746 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4747 | meta T_FROMNAME_SPOOFED_EMAIL (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD) | |
4748 | describe T_FROMNAME_SPOOFED_EMAIL From:name looks like a spoofed email | |
4749 | #score T_FROMNAME_SPOOFED_EMAIL 0.3 | |
4750 | tflags T_FROMNAME_SPOOFED_EMAIL publish | |
4751 | endif | |
4752 | ##} T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4753 | ||
4754 | ##{ T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
4755 | ||
4756 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
4757 | meta T_FROM_MULTI_SHORT_IMG __FROM_MULTI_SHORT_IMG && !__RCD_RDNS_MX_MESSY | |
4758 | describe T_FROM_MULTI_SHORT_IMG Multiple From addresses + short message with image | |
4759 | endif | |
4760 | ##} T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
4761 | ||
4762 | ##{ T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4763 | ||
4764 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4765 | body T_FUZZY_OPTOUT /(?:$|\W)(?=<O>)(?!opt[-\s]?out)<O><P><T>[-\s]?<O><U><T>(?:$|\W)/i | |
4766 | describe T_FUZZY_OPTOUT Obfuscated opt-out text | |
4767 | endif | |
4768 | ##} T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4769 | ||
4770 | ##{ T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4771 | ||
4772 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4773 | body T_FUZZY_SPRM /<inter W1><post P2><S><P><U><R><M>/i | |
4774 | endif | |
4775 | ##} T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4776 | ||
4777 | ##{ T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4778 | ||
4779 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4780 | meta T_FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM | |
4781 | describe T_FUZZY_WELLSFARGO Obfuscated "Wells Fargo" | |
4782 | endif | |
4783 | ##} T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4784 | ||
4785 | ##{ T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4786 | # Hits when FREEMAIL_FROM and FREEMAIL_REPLYTO both fire and __FROM_EQ_REPLY does not. NOTE(review): the describe text says the freemail domains differ, but whether __FROM_EQ_REPLY compares domains or whole addresses is defined outside this block - confirm before relying on the wording. | |
4787 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4788 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4789 | meta T_GB_FREEM_FROM_NOT_REPLY ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO ) | |
4790 | describe T_GB_FREEM_FROM_NOT_REPLY From: and Reply-To: have different freemail domains | |
4791 | # score T_GB_FREEM_FROM_NOT_REPLY 1.500 # limit | |
4792 | tflags T_GB_FREEM_FROM_NOT_REPLY publish | |
4793 | endif | |
4794 | endif | |
4795 | ##} T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4796 | ||
4797 | ##{ T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4798 | # Narrows T_FROMNAME_SPOOFED_EMAIL to messages where __NOT_SPOOFED does not fire. Both inputs are defined outside this block, so what counts as "not spoofed" (the describe text suggests an IP-based check) should be confirmed there. | |
4799 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4800 | meta T_GB_FROMNAME_SPOOFED_EMAIL_IP ( T_FROMNAME_SPOOFED_EMAIL && !__NOT_SPOOFED ) | |
4801 | describe T_GB_FROMNAME_SPOOFED_EMAIL_IP From:name looks like a spoofed email from a spoofed ip | |
4802 | # score T_GB_FROMNAME_SPOOFED_EMAIL_IP 0.50 # limit | |
4803 | tflags T_GB_FROMNAME_SPOOFED_EMAIL_IP publish | |
4804 | endif | |
4805 | ##} T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4806 | ||
4807 | ##{ T_GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL | |
4808 | # Network rule (tflags net): strings in the raw body that look like Bitcoin addresses (legacy 1.../3... form or bech32 bc1... form) are looked up through the HashBL plugin against bl.btcblack.it, at most 10 per message (max=10, shuffle). Each lookup is a DNS query to a third-party zone derived from message content, and the rule does not run when network tests are disabled. | |
4809 | if (version >= 3.004003) | |
4810 | ifplugin Mail::SpamAssassin::Plugin::HashBL | |
4811 | body T_GB_HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})\b') | |
4812 | tflags T_GB_HASHBL_BTC net | |
4813 | describe T_GB_HASHBL_BTC Message contains BTC address found on BTCBL | |
4814 | # score T_GB_HASHBL_BTC 5.0 # limit | |
4815 | endif | |
4816 | endif | |
4817 | ##} T_GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL | |
4818 | ||
4819 | ##{ T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
4820 | # No describe line. Fires when __HK_NAME_FROM and FREEMAIL_FROM both hit; T_HK_NAME_FROM is the complementary case (same subrule, FREEMAIL_FROM not hit), so at most one of the two fires per message. | |
4821 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4822 | if (version >= 3.004000) | |
4823 | meta T_HK_NAME_FM_FROM __HK_NAME_FROM && FREEMAIL_FROM | |
4824 | # score T_HK_NAME_FM_FROM 1.5 | |
4825 | endif | |
4826 | endif | |
4827 | ##} T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
4828 | ||
4829 | ##{ T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
4830 | # No describe line. Fires when __HK_NAME_FROM hits and FREEMAIL_FROM does not; T_HK_NAME_FM_FROM covers the freemail case, so at most one of the two fires per message. | |
4831 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4832 | if (version >= 3.004000) | |
4833 | meta T_HK_NAME_FROM __HK_NAME_FROM && !FREEMAIL_FROM | |
4834 | # score T_HK_NAME_FROM 1.0 | |
4835 | endif | |
4836 | endif | |
4837 | ##} T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
4838 | ||
4839 | ##{ T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4840 | # No describe line. Fires when either filename subrule hits; by their names __HK_SPAMMY_CTFN and __HK_SPAMMY_CDFN presumably inspect the filename given in Content-Type and Content-Disposition respectively - confirm against their definitions. | |
4841 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4842 | meta T_HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN | |
4843 | endif | |
4844 | ##} T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4845 | ||
4846 | ##{ T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4847 | # Fires on either HTML-attachment subrule. Content delivered as an HTML attachment is not part of the message body that body rules inspect, which is the concern the describe text raises; the subrule definitions (outside this block) decide what counts as an HTML attachment. | |
4848 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4849 | meta T_HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02 | |
4850 | describe T_HTML_ATTACH HTML attachment to bypass scanning? | |
4851 | endif | |
4852 | ##} T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4853 | ||
4854 | ##{ T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4855 | # Fires when either subrule identifies an ISO disk-image attachment; by name, __ISO_ATTACH_MT presumably keys on the declared MIME type and __ISO_ATTACH on the filename - confirm against their definitions. | |
4856 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4857 | meta T_ISO_ATTACH __ISO_ATTACH || __ISO_ATTACH_MT | |
4858 | describe T_ISO_ATTACH ISO attachment - possible malware delivery | |
4859 | # score T_ISO_ATTACH 3.000 # limit | |
4860 | endif | |
4861 | ##} T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4862 | ||
4863 | ##{ T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
4864 | ||
4865 | ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
4866 | meta T_KAM_HTML_FONT_INVALID __KAM_HTML_FONT_INVALID | |
4867 | describe T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML | |
4868 | #score T_KAM_HTML_FONT_INVALID 0.1 | |
4869 | endif | |
4870 | ##} T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
4871 | ||
4872 | ##{ T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4873 | ||
4874 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4875 | meta T_LARGE_PCT_AFTER_MANY __LARGE_PERCENT_AFTER > 3 | |
4876 | describe T_LARGE_PCT_AFTER_MANY Many large percentages after... | |
4877 | endif | |
4878 | ##} T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4879 | ||
4880 | ##{ T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4881 | # No describe line, so a hit is reported by rule name only. The pattern is built from ReplaceTags placeholders spelling P-O-W-E-R-M-A-L-E; <inter W1> and <post P2> presumably refer to replace_inter / replace_post definitions made elsewhere in the ruleset - confirm. | |
4882 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4883 | body T_LFUZ_PWRMALE /<inter W1><post P2><P><O><W><E><R><M><A><L><E>/i | |
4884 | endif | |
4885 | ##} T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4886 | ||
4887 | ##{ T_LOTTO_AGENT_FM | |
4888 | ||
4889 | header T_LOTTO_AGENT_FM From =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize[\s_.]transfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i | |
4890 | describe T_LOTTO_AGENT_FM Claims Agent | |
4891 | ##} T_LOTTO_AGENT_FM | |
4892 | ||
4893 | ##{ T_LOTTO_AGENT_RPLY | |
4894 | ||
4895 | meta T_LOTTO_AGENT_RPLY __LOTTO_AGENT_RPLY && !__TO_YOUR_ORG | |
4896 | describe T_LOTTO_AGENT_RPLY Claims Agent | |
4897 | ##} T_LOTTO_AGENT_RPLY | |
4898 | ||
4899 | ##{ T_LOTTO_URI | |
4900 | ||
4901 | uri T_LOTTO_URI /(?:claim(?:s|ing)?(?:[-_]?processing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)?[-_]?rem+it+ance|award)[-_]?(?:department|dept|unit|group|committee|office|agent|manager|secretary)/i | |
4902 | describe T_LOTTO_URI Claims Department URL | |
4903 | ##} T_LOTTO_URI | |
4904 | ||
4905 | ##{ T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4906 | ||
4907 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4908 | meta T_MANY_PILL_PRICE (__PILL_PRICE_01 + __PILL_PRICE_02) > 2 | |
4909 | describe T_MANY_PILL_PRICE Prices for many pills | |
4910 | endif | |
4911 | ##} T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4912 | ||
4913 | ##{ T_MIME_MALF if (version >= 3.004000) | |
4914 | # __MIME_MALF (described below as header lines appearing in the body) is suppressed when ALL_TRUSTED fires, so mail that passed only through trusted relays is exempt. That exemption is only as tight as the site's trusted_networks setting. | |
4915 | if (version >= 3.004000) | |
4916 | meta T_MIME_MALF __MIME_MALF && !ALL_TRUSTED | |
4917 | describe T_MIME_MALF Malformed MIME: headers in body | |
4918 | # score T_MIME_MALF 2.00 # limit | |
4919 | endif | |
4920 | ##} T_MIME_MALF if (version >= 3.004000) | |
4921 | ||
4922 | ##{ T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4923 | ||
4924 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4925 | meta T_MONEY_PERCENT LOTS_OF_MONEY && (__PCT_FOR_YOU || __PCT_OF_PMTS || __FIFTY_FIFTY) | |
4926 | describe T_MONEY_PERCENT X% of a lot of money for you | |
4927 | endif | |
4928 | ##} T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4929 | ||
4930 | ##{ T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4931 | # Combines __FROM_RUNON with any one of six attachment rules. NOTE(review): OBFU_TEXT_ATTACH is referenced without the T_ prefix the other five carry; check that a rule of exactly that name exists, since a term naming an undefined rule would presumably never contribute a hit. | |
4932 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4933 | meta T_OBFU_ATTACH_MISSP __FROM_RUNON && (T_OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || T_OBFU_DOC_ATTACH || T_OBFU_PDF_ATTACH || T_OBFU_JPG_ATTACH || T_OBFU_GIF_ATTACH) | |
4934 | describe T_OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From | |
4935 | endif | |
4936 | ##} T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4937 | ||
4938 | ##{ T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4939 | # Matches a MIME part whose Content-Type header says application/octet-stream and, later in the same header value (typically the name= parameter), contains .doc or .rtf. Only Content-Type is examined, so a filename carried solely in Content-Disposition is not seen by this rule. | |
4940 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4941 | mimeheader T_OBFU_DOC_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i | |
4942 | describe T_OBFU_DOC_ATTACH MS Document attachment with generic MIME type | |
4943 | endif | |
4944 | ##} T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4945 | ||
4946 | ##{ T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4947 | ||
4948 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4949 | mimeheader T_OBFU_GIF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i | |
4950 | describe T_OBFU_GIF_ATTACH GIF attachment with generic MIME type | |
4951 | endif | |
4952 | ##} T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4953 | ||
4954 | ##{ T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4955 | # Matches a MIME part whose Content-Type header says application/octet-stream and, later in the same header value (typically the name= parameter), contains .htm or .html. Only Content-Type is examined, so a filename carried solely in Content-Disposition is not seen by this rule. | |
4956 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4957 | mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.html?\b,i | |
4958 | describe T_OBFU_HTML_ATTACH HTML attachment with non-text MIME type | |
4959 | endif | |
4960 | ##} T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4961 | ||
4962 | ##{ T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4963 | # Requires both __ZIP_ATTACH_NOFN and __HTML_ATTACH_02 to hit; both are defined outside this block. NOTE(review): the describe text speaks of an HTML attachment with an incorrect MIME type, while the first term is named for a zip attachment - confirm that the subrule definitions support that reading. | |
4964 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4965 | meta T_OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02 | |
4966 | describe T_OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware | |
4967 | endif | |
4968 | ##} T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4969 | ||
4970 | ##{ T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4971 | ||
4972 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4973 | mimeheader T_OBFU_JPG_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i | |
4974 | describe T_OBFU_JPG_ATTACH JPG attachment with generic MIME type | |
4975 | endif | |
4976 | ##} T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4977 | ||
4978 | ##{ T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4979 | # Matches a MIME part whose Content-Type header says application/octet-stream and, later in the same header value (typically the name= parameter), contains .pdf. Only Content-Type is examined, so a filename carried solely in Content-Disposition is not seen by this rule. | |
4980 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4981 | mimeheader T_OBFU_PDF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i | |
4982 | describe T_OBFU_PDF_ATTACH PDF attachment with generic MIME type | |
4983 | endif | |
4984 | ##} T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4985 | ||
4986 | ##{ T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4987 | # Requires __PDS_BTC_ID, __PDS_BTC_ANON and __PDS_BTC_BADFROM together. T_PDS_BTC_HACKER is the same test with __PDS_BTC_BADFROM not hit, so the two never fire on the same message; they share one describe text, so reports distinguish them by rule name only. | |
4988 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4989 | meta T_PDS_BTC_AHACKER ( __PDS_BTC_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON ) | |
4990 | describe T_PDS_BTC_AHACKER Bitcoin Hacker | |
4991 | # score T_PDS_BTC_AHACKER 3.0 # limit | |
4992 | endif | |
4993 | ##} T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4994 | ||
4995 | ##{ T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4996 | # Requires __PDS_BTC_ID and __PDS_BTC_ANON with __PDS_BTC_BADFROM not hit. T_PDS_BTC_AHACKER covers the case where __PDS_BTC_BADFROM does hit, so the two never fire on the same message; they share one describe text, so reports distinguish them by rule name only. | |
4997 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4998 | meta T_PDS_BTC_HACKER ( __PDS_BTC_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM ) | |
4999 | describe T_PDS_BTC_HACKER Bitcoin Hacker | |
5000 | # score T_PDS_BTC_HACKER 2.0 # limit | |
5001 | endif | |
5002 | ##} T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5003 | ||
5004 | ##{ T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5005 | ||
5006 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5007 | if (version >= 3.004000) | |
5008 | meta T_PDS_EMPTYSUBJ_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __SUBJECT_EMPTY && __PDS_MSG_1024 | |
5009 | describe T_PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener | |
5010 | #score T_PDS_EMPTYSUBJ_URISHRT 1.5 # limit | |
5011 | endif | |
5012 | endif | |
5013 | ##} T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5014 | ||
5015 | ##{ T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5016 | ||
5017 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5018 | if (version >= 3.004000) | |
5019 | meta T_PDS_FREEMAIL_REPLYTO_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048 | |
5020 | describe T_PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener | |
5021 | #score T_PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit | |
5022 | endif | |
5023 | endif | |
5024 | ##} T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5025 | ||
5026 | ##{ T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
5027 | # __PDS_FROM_2_EMAILS with seven exclusion subrules, all defined outside this block. NOTE(review): going by its name, __DKIM_EXISTS tests for the presence of a DKIM signature rather than a passing one; if so, this rule is suppressed for any signed message regardless of who signed it - confirm against the subrule. | |
5028 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
5029 | meta T_PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__MSGID_JAVAMAIL && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__DKIM_EXISTS | |
5030 | describe T_PDS_FROM_2_EMAILS From header has multiple different addresses | |
5031 | # score T_PDS_FROM_2_EMAILS 3.500 # limit | |
5032 | endif | |
5033 | ##} T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
5034 | ||
5035 | ##{ T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5036 | # Litecoin counterpart of T_PDS_BTC_AHACKER: __PDS_LITECOIN_ID replaces the Bitcoin ID term, while the __PDS_BTC_BADFROM and __PDS_BTC_ANON subrules are reused unchanged. T_PDS_LTC_HACKER is the same test with __PDS_BTC_BADFROM not hit. | |
5037 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5038 | meta T_PDS_LTC_AHACKER ( __PDS_LITECOIN_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON ) | |
5039 | describe T_PDS_LTC_AHACKER Litecoin Hacker | |
5040 | # score T_PDS_LTC_AHACKER 3.0 # limit | |
5041 | endif | |
5042 | ##} T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5043 | ||
5044 | ##{ T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5045 | # Litecoin counterpart of T_PDS_BTC_HACKER: requires __PDS_LITECOIN_ID and __PDS_BTC_ANON with __PDS_BTC_BADFROM not hit. T_PDS_LTC_AHACKER covers the case where __PDS_BTC_BADFROM does hit, so the two never fire on the same message. | |
5046 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5047 | meta T_PDS_LTC_HACKER ( __PDS_LITECOIN_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM ) | |
5048 | describe T_PDS_LTC_HACKER Litecoin Hacker | |
5049 | # score T_PDS_LTC_HACKER 2.0 # limit | |
5050 | endif | |
5051 | ##} T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5052 | ||
5053 | ##{ T_PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5054 | ||
5055 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5056 | if (version >= 3.004000) | |
5057 | meta T_PDS_NO_FULL_NAME_SPOOFED_URL __PDS_MSG_1024 && __KHOP_NO_FULL_NAME && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER) | |
5058 | describe T_PDS_NO_FULL_NAME_SPOOFED_URL HTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME | |
5059 | #score T_PDS_NO_FULL_NAME_SPOOFED_URL 0.75 # limit | |
5060 | endif | |
5061 | endif | |
5062 | ##} T_PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5063 | ||
5064 | ##{ T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5065 | # Fires when a URI host in the message is on the host list named SUSP_URI_NTLD_PRO (check_uri_host_listed). The list is populated outside this block, presumably by enlist_uri_host entries for the .pro TLD - confirm; this rule is only as accurate as that list. | |
5066 | if (version >= 3.004002) | |
5067 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5068 | header T_PDS_PRO_TLD eval:check_uri_host_listed('SUSP_URI_NTLD_PRO') | |
5069 | #score T_PDS_PRO_TLD 1.0 | |
5070 | describe T_PDS_PRO_TLD .pro TLD | |
5071 | endif | |
5072 | endif | |
5073 | ##} T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5074 | ||
5075 | ##{ T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5076 | ||
5077 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5078 | if (version >= 3.004000) | |
5079 | meta T_PDS_SHORTFWD_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && (__THREADED || __HAS_IN_REPLY_TO || __HAS_THREAD_INDEX || __URI_MAILTO || __REPTO_QUOTE) && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048 | |
5080 | describe T_PDS_SHORTFWD_URISHRT Threaded email with URI shortener | |
5081 | #score T_PDS_SHORTFWD_URISHRT 1.5 # limit | |
5082 | endif | |
5083 | endif | |
5084 | ##} T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5085 | ||
5086 | ##{ T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5087 | ||
5088 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5089 | if (version >= 3.004000) | |
5090 | meta T_PDS_SHORT_SPOOFED_URL __PDS_MSG_1024 && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER) | |
5091 | describe T_PDS_SHORT_SPOOFED_URL HTML message short and T_SPOOFED_URL (S_U_FP) | |
5092 | #score T_PDS_SHORT_SPOOFED_URL 2.0 | |
5093 | endif | |
5094 | endif | |
5095 | ##} T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5096 | ||
5097 | ##{ T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5098 | # Requires LOCALPART_IN_SUBJECT, one of the two URL-shortener subrules and __PDS_MSG_1024 together. NOTE(review): the describe text mentions only the localpart-in-subject part, so a report line for this rule understates what actually matched. | |
5099 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5100 | if (version >= 3.004000) | |
5101 | meta T_PDS_URISHRT_LOCALPART_SUBJ LOCALPART_IN_SUBJECT && (__PDS_URISHORTENER || __URL_SHORTENER) && __PDS_MSG_1024 | |
5102 | describe T_PDS_URISHRT_LOCALPART_SUBJ Localpart of To in subject | |
5103 | #score T_PDS_URISHRT_LOCALPART_SUBJ 1.0 | |
5104 | endif | |
5105 | endif | |
5106 | ##} T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5107 | ||
5108 | ##{ T_PDS_X_PHP_WP_EXP | |
5109 | # Fires on any of four subrules which, going by their names, match an X-PHP-Script header pointing into the WordPress wp-content, wp-includes, wp-admin or JS paths. Mail originating from scripts in those locations is treated here as a sign of a misused or compromised site; the path patterns themselves are defined outside this block. | |
5110 | meta T_PDS_X_PHP_WP_EXP (__PDS_X_PHP_WPCONTENT || __PDS_X_PHP_WPINCLUDES || __PDS_X_PHP_WPADMIN || __PDS_X_PHP_WPJS) | |
5111 | describe T_PDS_X_PHP_WP_EXP X-PHP-Script shows sent from a Wordpress PHP script where you would not expect one | |
5112 | #score T_PDS_X_PHP_WP_EXP 1.5 | |
5113 | ##} T_PDS_X_PHP_WP_EXP | |
5114 | ||
5115 | ##{ T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { | |
5116 | # Thin wrapper that exposes the __REMOTE_IMAGE subrule as a reportable rule. Externally hosted images appear in a great deal of legitimate mail as well, so on its own this is a weak signal. | |
5117 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { | |
5118 | meta T_REMOTE_IMAGE __REMOTE_IMAGE | |
5119 | describe T_REMOTE_IMAGE Message contains an external image | |
5120 | endif | |
5121 | ##} T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { | |
5122 | ||
5123 | ##{ T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5124 | ||
5125 | if (version >= 3.004002) | |
5126 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5127 | meta T_SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR | |
5128 | describe T_SENT_TO_EMAIL_ADDR Email was sent to email address | |
5129 | #score T_SENT_TO_EMAIL_ADDR 2.0 # limit | |
5130 | endif | |
5131 | endif | |
5132 | ##} T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5133 | ||
5134 | ##{ T_SHARE_50_50 | |
5135 | ||
5136 | meta T_SHARE_50_50 (__SHARE_IT || __AGREED_RATIO) && __FIFTY_FIFTY | |
5137 | describe T_SHARE_50_50 Share the money 50/50 | |
5138 | ##} T_SHARE_50_50 | |
5139 | ||
5140 | ##{ T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5141 | ||
5142 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5143 | meta T_STY_INVIS_DIRECT __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK | |
5144 | describe T_STY_INVIS_DIRECT HTML hidden text + direct-to-MX | |
5145 | # score T_STY_INVIS_DIRECT 2.500 # limit | |
5146 | endif | |
5147 | ##} T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5148 | ||
5149 | ##{ T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5150 | ||
5151 | if (version >= 3.004002) | |
5152 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5153 | meta T_SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD | |
5154 | describe T_SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money | |
5155 | #score T_SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit | |
5156 | endif | |
5157 | endif | |
5158 | ##} T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5159 | ||
5160 | ##{ T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5161 | ||
5162 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5163 | if (version >= 3.004000) | |
5164 | meta T_TONOM_EQ_TOLOC_SHRT_PSHRTNER __PDS_SHORT_URL && __PDS_TONAME_EQ_TOLOCAL && __SUBJ_SHORT | |
5165 | describe T_TONOM_EQ_TOLOC_SHRT_PSHRTNER Short subject with potential shortener and To:name eq To:local | |
5166 | #score T_TONOM_EQ_TOLOC_SHRT_PSHRTNER 1.5 # limit | |
5167 | endif | |
5168 | endif | |
5169 | ##} T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5170 | ||
5171 | ##{ T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5172 | ||
5173 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5174 | if (version >= 3.004000) | |
5175 | meta T_TONOM_EQ_TOLOC_SHRT_SHRTNER __PDS_URISHORTENER && __PDS_TONAME_EQ_TOLOCAL && __PDS_MSG_1024 | |
5176 | describe T_TONOM_EQ_TOLOC_SHRT_SHRTNER Short email with shortener and To:name eq To:local | |
5177 | #score T_TONOM_EQ_TOLOC_SHRT_SHRTNER 1.5 # limit | |
5178 | endif | |
5179 | endif | |
5180 | ##} T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5181 | ||
5182 | ##{ T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5183 | # No describe line. Matches look-alike spellings of "sector" built from ReplaceTags placeholders; the (?!sector) lookahead drops the plain word. The pattern has no word-boundary guard, so a match can begin inside a longer word. | |
5184 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5185 | body T_TVD_FUZZY_SECTOR /(?!sector)<S><E><C><T><O><R>/i | |
5186 | endif | |
5187 | ##} T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5188 | ||
5189 | ##{ T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5190 | # No describe line. Matches look-alike spellings of "securities" built from ReplaceTags placeholders; the two lookaheads drop the plain word and the text "security es" (with optional comma), which would otherwise fit the fuzzy pattern. <inter W2> and <post P2> presumably refer to definitions made elsewhere - confirm. | |
5191 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5192 | body T_TVD_FUZZY_SECURITIES /<inter W2><post P2>(?!securities)(?!security,? es)<S><E><C><U><R><I><T><I><E><S>/i | |
5193 | endif | |
5194 | ##} T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5195 | ||
5196 | ##{ T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5197 | # No describe line. Matches a Content-Id header containing "<" followed by four groups of eight hexadecimal digits separated by dots. There is no /i flag, so only upper-case A-F is accepted. | |
5198 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5199 | mimeheader T_TVD_FW_GRAPHIC_ID2 Content-Id =~ /<(?:[0-9A-F]{8}\.){3}[0-9A-F]{8}/ | |
5200 | endif | |
5201 | ##} T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5202 | ||
5203 | ##{ T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
5204 | # No describe line. Fires when the message parser has set the mime_epilogue_exists flag, i.e. the message carries content after its closing MIME boundary. Declared as a body rule but evaluated through an eval function rather than a pattern. | |
5205 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
5206 | body T_TVD_MIME_EPI eval:check_msg_parse_flags('mime_epilogue_exists') | |
5207 | endif | |
5208 | ##} T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
5209 | ||
5210 | ##{ T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
5211 | # No describe line. Fires when the message parser has set the missing_mime_headers flag for the message. Declared as a body rule but evaluated through an eval function rather than a pattern. | |
5212 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
5213 | body T_TVD_MIME_NO_HEADERS eval:check_msg_parse_flags('missing_mime_headers') | |
5214 | endif | |
5215 | ##} T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
5216 | ||
5217 | ##{ T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5218 | ||
5219 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5220 | meta T_WON_MONEY_ATTACH __YOU_WON && LOTS_OF_MONEY && (__PDF_ATTACH || __DOC_ATTACH) | |
5221 | describe T_WON_MONEY_ATTACH You won lots of money! See attachment. | |
5222 | endif | |
5223 | ##} T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5224 | ||
5225 | ##{ T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5226 | # Requires __YOU_WON, __EMPTY_BODY and one of four attachment subrules (PDF, DOC, GIF, JPEG). NOTE(review): the describe text is identical to T_WON_MONEY_ATTACH, although this rule keys on an empty body and does not test LOTS_OF_MONEY; reports distinguish the two by rule name only. | |
5227 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5228 | meta T_WON_NBDY_ATTACH __YOU_WON && __EMPTY_BODY && (__PDF_ATTACH || __DOC_ATTACH || __GIF_ATTACH || __JPEG_ATTACH) | |
5229 | describe T_WON_NBDY_ATTACH You won lots of money! See attachment. | |
5230 | endif | |
5231 | ##} T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5232 | ||
5233 | ##{ T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5234 | ||
5235 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5236 | meta T_ZW_OBFU_BITCOIN __UNICODE_OBFU_ZW && __BITCOIN_ID | |
5237 | describe T_ZW_OBFU_BITCOIN Obfuscated text + bitcoin ID - possible extortion | |
5238 | # score T_ZW_OBFU_BITCOIN 2.500 # limit | |
5239 | endif | |
5240 | ##} T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5241 | ||
5242 | ##{ T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5243 | ||
5244 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5245 | meta T_ZW_OBFU_FREEM __UNICODE_OBFU_ZW && __freemail_hdr_replyto | |
5246 | describe T_ZW_OBFU_FREEM Obfuscated text + freemail | |
5247 | # score T_ZW_OBFU_FREEM 2.000 # limit | |
5248 | endif | |
5249 | ##} T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5250 | ||
5251 | ##{ T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5252 | ||
5253 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5254 | meta T_ZW_OBFU_FROMTOSUBJ __UNICODE_OBFU_ZW && FROM_IN_TO_AND_SUBJ | |
5255 | describe T_ZW_OBFU_FROMTOSUBJ Obfuscated text + from in to and subject | |
5256 | # score T_ZW_OBFU_FROMTOSUBJ 2.000 # limit | |
5257 | endif | |
5258 | ##} T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5259 | ||
5260 | ##{ UC_GIBBERISH_OBFU | |
5261 | ||
5262 | meta UC_GIBBERISH_OBFU (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED | |
5263 | describe UC_GIBBERISH_OBFU Multiple instances of "word VERYLONGGIBBERISH word" | |
5264 | #score UC_GIBBERISH_OBFU 3.000 # Limit | |
5265 | tflags UC_GIBBERISH_OBFU publish | |
5266 | ##} UC_GIBBERISH_OBFU | |
5267 | ||
5268 | ##{ UNDISC_FREEM | |
5269 | ||
5270 | meta UNDISC_FREEM __UNDISC_FREEM | |
5271 | describe UNDISC_FREEM Undisclosed recipients + freemail reply-to | |
5272 | tflags UNDISC_FREEM publish | |
5273 | ##} UNDISC_FREEM | |
5274 | ||
5275 | ##{ UNDISC_MONEY | |
5276 | ||
5277 | meta UNDISC_MONEY __UNDISC_MONEY && !__VIA_ML && !__MSGID_HEXISH | |
5278 | describe UNDISC_MONEY Undisclosed recipients + money/fraud signs | |
5279 | tflags UNDISC_MONEY publish | |
5280 | ##} UNDISC_MONEY | |
5281 | ||
5282 | ##{ UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5283 | ||
5284 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5285 | meta UNICODE_OBFU_ASC __UNICODE_OBFU_ASC && !__SPAN_BEG_TEXT && !HTML_IMAGE_ONLY_32 | |
5286 | describe UNICODE_OBFU_ASC Obfuscating text with unicode | |
5287 | # score UNICODE_OBFU_ASC 2.500 # limit | |
5288 | tflags UNICODE_OBFU_ASC publish | |
5289 | endif | |
5290 | ##} UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5291 | ||
5292 | ##{ UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5293 | # Published rule built on __UNICODE_OBFU_ZW_2 (the T_ZW_OBFU_* rules in this file use __UNICODE_OBFU_ZW instead), with seven exclusion subrules defined outside this block. NOTE(review): going by its name, __DKIM_EXISTS tests for the presence of a DKIM signature rather than a passing one; if so, any signed message is exempt from this rule - confirm against the subrule. | |
5294 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5295 | meta UNICODE_OBFU_ZW __UNICODE_OBFU_ZW_2 && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL_MESSY && !__DOS_HAS_LIST_ID && !__USING_VERP1 && !__DOS_HAS_LIST_UNSUB && !__RCD_RDNS_SMTP && !__DKIM_EXISTS | |
5296 | describe UNICODE_OBFU_ZW Obfuscating text with hidden characters | |
5297 | # score UNICODE_OBFU_ZW 3.500 # limit | |
5298 | tflags UNICODE_OBFU_ZW publish | |
5299 | endif | |
5300 | ##} UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5301 | ||
5302 | ##{ URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL | |
5303 | # Network rule (tflags net): domains taken from URIs in the message are looked up in the dob.sibl.support-intelligence.net zone (urirhssub, A record, subtest 2) to flag recently registered domains. Each lookup discloses the domain to that third-party DNS zone, and the rule does not run when network tests are disabled. | |
5304 | ifplugin Mail::SpamAssassin::Plugin::URIDNSBL | |
5305 | urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 2 | |
5306 | body URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB') | |
5307 | describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread) | |
5308 | tflags URIBL_RHS_DOB net | |
5309 | endif | |
5310 | ##} URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL | |
5311 | ||
5312 | ##{ URI_ADOBESPARK | |
5313 | # No describe line although the rule is flagged publish, so reports show the rule name only. Thin wrapper over __URI_ADOBESPARK, which is defined outside this block; by name it presumably matches links to Adobe Spark hosted pages - confirm. | |
5314 | meta URI_ADOBESPARK __URI_ADOBESPARK | |
5315 | #score URI_ADOBESPARK 3.500 # limit | |
5316 | tflags URI_ADOBESPARK publish | |
5317 | ##} URI_ADOBESPARK | |
5318 | ||
5319 | ##{ URI_AZURE_CLOUDAPP | |
5320 | # A link matched by __URI_AZURE_CLOUDAPP counts only when __NAKED_TO also fires and __HDR_RCVD_GOOGLE does not. All three subrules are defined outside this block; the hosting platform is legitimate, so the extra conditions carry the signal rather than the link alone. | |
5321 | meta URI_AZURE_CLOUDAPP __URI_AZURE_CLOUDAPP && __NAKED_TO && !__HDR_RCVD_GOOGLE | |
5322 | describe URI_AZURE_CLOUDAPP Link to hosted azure web application, possible phishing | |
5323 | #score URI_AZURE_CLOUDAPP 3.000 # limit | |
5324 | tflags URI_AZURE_CLOUDAPP publish | |
5325 | ##} URI_AZURE_CLOUDAPP | |
5326 | ||
5327 | ##{ URI_DASHGOVEDU | |
5328 | ||
5329 | meta URI_DASHGOVEDU __URI_DASHGOVEDU | |
5330 | describe URI_DASHGOVEDU Suspicious domain name | |
5331 | #score URI_DASHGOVEDU 3.500 # limit | |
5332 | tflags URI_DASHGOVEDU publish | |
5333 | ##} URI_DASHGOVEDU | |
5334 | ||
5335 | ##{ URI_DATA | |
5336 | # __URI_DATA (a data: URI, per the describe text) with six exclusions: trusted-relay mail (ALL_TRUSTED) plus five header and list subrules defined outside this block. A data: URI carries its content inline, so there is no hostname for URI blocklist rules to check. | |
5337 | meta URI_DATA __URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH && !__DOS_HAS_LIST_UNSUB | |
5338 | describe URI_DATA "data:" URI - possible malware or phish | |
5339 | #score URI_DATA 3.250 # limit | |
5340 | tflags URI_DATA publish | |
5341 | ##} URI_DATA | |
5342 | ||
5343 | ##{ URI_DEOBFU_INSTR | |
5344 | ||
5345 | meta URI_DEOBFU_INSTR __URI_DEOBFU_INSTR && !__MSGID_OK_HOST | |
5346 | describe URI_DEOBFU_INSTR How to deobfuscate this URI | |
5347 | ##} URI_DEOBFU_INSTR | |
5348 | ||
5349 | ##{ URI_DOTEDU | |
5350 | ||
5351 | meta URI_DOTEDU __URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINK | |
5352 | describe URI_DOTEDU Has .edu URI | |
5353 | #score URI_DOTEDU 2.000 # limit | |
5354 | tflags URI_DOTEDU publish | |
5355 | ##} URI_DOTEDU | |
5356 | ||
5357 | ##{ URI_DOTEDU_ENTITY | |
5358 | ||
5359 | meta URI_DOTEDU_ENTITY __URI_DOTEDU_ENTITY && !__SUBSCRIPTION_INFO | |
5360 | describe URI_DOTEDU_ENTITY Via .edu MTA + suspicious HTML content | |
5361 | #score URI_DOTEDU_ENTITY 3.000 # limit | |
5362 | tflags URI_DOTEDU_ENTITY publish | |
5363 | ##} URI_DOTEDU_ENTITY | |
5364 | ||
5365 | ##{ URI_DOTTY_HEX | |
5366 | ||
5367 | meta URI_DOTTY_HEX __URI_DOTTY_HEX | |
5368 | describe URI_DOTTY_HEX Suspicious URI format | |
5369 | tflags URI_DOTTY_HEX publish | |
5370 | ##} URI_DOTTY_HEX | |
5371 | ||
5372 | ##{ URI_DQ_UNSUB | |
5373 | ||
5374 | meta URI_DQ_UNSUB __URI_DQ_UNSUB | |
5375 | describe URI_DQ_UNSUB IP-address unsubscribe URI | |
5376 | tflags URI_DQ_UNSUB publish | |
5377 | ##} URI_DQ_UNSUB | |
5378 | ||
5379 | ##{ URI_FIREBASEAPP | |
5380 | # Fires on __URI_FIREBASEAPP or __URI_WEBAPP. NOTE(review): the describe text names only Firebase; if __URI_WEBAPP covers a different host, reports for this rule will mislabel those hits - confirm against the subrule definition. | |
5381 | meta URI_FIREBASEAPP __URI_FIREBASEAPP || __URI_WEBAPP | |
5382 | describe URI_FIREBASEAPP Link to hosted firebase web application, possible phishing | |
5383 | #score URI_FIREBASEAPP 3.000 # limit | |
5384 | tflags URI_FIREBASEAPP publish | |
5385 | ##} URI_FIREBASEAPP | |
5386 | ||
5387 | ##{ URI_GOOGLE_PROXY | |
5388 | # __URI_GOOGLE_PROXY with four exclusions: mail relayed by Google (__FSL_RELAY_GOOGLE) and three header-shape subrules defined outside this block. The describe text gives the concern: a link routed through a Google proxy shows a Google hostname, so the real destination is not what URI reputation checks see. | |
5389 | meta URI_GOOGLE_PROXY __URI_GOOGLE_PROXY && !__FSL_RELAY_GOOGLE && !__TO___LOWER && !__MSGID_OK_HEX && !__HAS_CAMPAIGNID | |
5390 | describe URI_GOOGLE_PROXY Accessing a blacklisted URI or obscuring source of phish via Google proxy? | |
5391 | tflags URI_GOOGLE_PROXY publish | |
5392 | ##} URI_GOOGLE_PROXY | |
5393 | ||
5394 | ##{ URI_GOOG_STO_SPAMMY | |
5395 | ||
5396 | uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:1tactc1200|5a70f8147b2241c|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|a(?:1discover|d(?:t100visa|vanced1500)|geless(?:brain|t001)|l(?:liedtrust7?|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|tividade|udio0254)|b(?:337276797de5b3|7772dcb|ath(?:and777|bhow98|dfgdfgdfh|rooomlki)|cvncv7845|d(?:fbgverhg|sgbsehtth|thdethydeth)|e(?:dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ueprintms0?)|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader0[48])))|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|ircaknee0|jowa|o(?:mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf)|rrectskin|verageinsu)|reative14141)|d(?:e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy0icits)|trega)|rec(?:01tions|tiledysfunction)|talsprcious|vent(?:0saves01?|save010?)|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|
tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|luster|old(?:ii00215|trust00)|r(?:fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1|protection7))|ympro22)|h(?:dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rply(?:24701|y0012))|ome(?:9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|le(?:0(?:1ed|541)|24700|77en|health475)|ttress0707)|e(?:dica(?:lsupplies|r(?:0085|123n|df747))|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|len(?:hsances?|shsance0s)|o(?:n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho01to001|leteroid|o(?:rtable(?:heater7|telesco
pe045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|otectsecurity)|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:adclub11|grow101|n(?:ewlaemailved|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|ingsevent)|ylife004)|coutstonenew|dfgwsd74fg|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|outhbeach(?:001|skin)|preader35|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:lescope001|rminix0909)|h(?:e(?:photostick2804|rasleeves|unbreakable)|opinall)|innitus(?:102|new911)|o(?:enailfungus|pinal)|r(?:a(?:balhos|nslato10)|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|sbmosquito)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ightloss(?:005|newketo)|llgrove90)|i(?:fibooster|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|zantacdedzef))/;i | |
5397 | describe URI_GOOG_STO_SPAMMY Link to spammy content hosted by google storage | |
5398 | #score URI_GOOG_STO_SPAMMY 3.000 | |
5399 | tflags URI_GOOG_STO_SPAMMY publish | |
5400 | ##} URI_GOOG_STO_SPAMMY | |
5401 | ||
5402 | ##{ URI_HEX_IP | |
5403 | ||
5404 | meta URI_HEX_IP __URI_HEX_IP | |
5405 | #score URI_HEX_IP 2.500 # limit | |
5406 | describe URI_HEX_IP URI with hex-encoded IP-address host | |
5407 | tflags URI_HEX_IP publish | |
5408 | ##} URI_HEX_IP | |
5409 | ||
5410 | ##{ URI_IMG_WP_REDIR | |
5411 | ||
5412 | meta URI_IMG_WP_REDIR __URI_IMG_WP_REDIR | |
5413 | #score URI_IMG_WP_REDIR 3.000 # limit | |
5414 | describe URI_IMG_WP_REDIR Image via WordPress "accelerator" proxy | |
5415 | tflags URI_IMG_WP_REDIR publish | |
5416 | ##} URI_IMG_WP_REDIR | |
5417 | ||
5418 | ##{ URI_LONG_REPEAT | |
5419 | ||
5420 | meta URI_LONG_REPEAT __URI_LONG_REPEAT | |
5421 | describe URI_LONG_REPEAT Very long identical host+domain | |
5422 | #score URI_LONG_REPEAT 2.500 # limit | |
5423 | tflags URI_LONG_REPEAT publish | |
5424 | ##} URI_LONG_REPEAT | |
5425 | ||
5426 | ##{ URI_MALWARE_SCMS | |
5427 | ||
     | # Hits any URI that contains ".SettingContent-ms" followed by a word boundary, | |
     | # matched case-insensitively. The pattern is unanchored, so it matches in the | |
     | # path, query string or fragment alike, not only at the end of the URI. | |
     | # This is a `uri` rule: it inspects links only, so a .SettingContent-ms file | |
     | # sent as an attachment is not covered by it. | |
     | # NOTE(review): no score line (active or commented out) appears in this block; | |
     | # confirm where the effective score is set before relying on this rule. | |
5428 | uri URI_MALWARE_SCMS /\.SettingContent-ms\b/i | |
5429 | describe URI_MALWARE_SCMS Link to malware exploit download (.SettingContent-ms file) | |
5430 | tflags URI_MALWARE_SCMS publish | |
5431 | ##} URI_MALWARE_SCMS | |
5432 | ||
5433 | ##{ URI_ONLY_MSGID_MALF | |
5434 | ||
     | # The meta expression is given twice. The first form ends with | |
     | # "&& !RCVD_IN_DNSWL_LOW" and is followed by "tflags ... net"; the second form | |
     | # is identical except that it omits the RCVD_IN_DNSWL_LOW exclusion. | |
     | # NOTE(review): both definitions are unconditional as shown, so presumably the | |
     | # later one wins and the DNSWL exclusion is lost, and the later | |
     | # "tflags ... publish" follows "tflags ... net". This looks like a network and | |
     | # a non-network variant flattened together without their conditionals; | |
     | # confirm against the rule's original source. | |
5435 | meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO && !RCVD_IN_DNSWL_LOW | |
5436 | tflags URI_ONLY_MSGID_MALF net | |
5437 | meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO | |
5438 | describe URI_ONLY_MSGID_MALF URI only + malformed message ID | |
5439 | #score URI_ONLY_MSGID_MALF 2.000 # limit | |
5440 | tflags URI_ONLY_MSGID_MALF publish | |
5441 | ##} URI_ONLY_MSGID_MALF | |
5442 | ||
5443 | ##{ URI_OPTOUT_3LD | |
5444 | ||
     | # Matches an http(s) URI whose authority starts with an opt-out style word | |
     | # (quit, bye, remove, ...), optional digits and a dot, then one or more | |
     | # non-"/" characters, then ".com" or ".net" at a word boundary. | |
     | # The match is case-insensitive. | |
     | # NOTE(review): "[^/]+" excludes only "/", so it can span several labels, and | |
     | # "\b" is also satisfied when another ".label" follows. The ".com"/".net" that | |
     | # matches is therefore not guaranteed to be the host's final label, and the | |
     | # host may have more than three levels despite the rule name. | |
5445 | uri URI_OPTOUT_3LD m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i | |
5446 | describe URI_OPTOUT_3LD Opt-out URI, suspicious hostname | |
5447 | #score URI_OPTOUT_3LD 2.000 # limit | |
5448 | tflags URI_OPTOUT_3LD publish | |
5449 | ##} URI_OPTOUT_3LD | |
5450 | ||
5451 | ##{ URI_OPTOUT_USME | |
5452 | ||
     | # Same host pattern as URI_OPTOUT_3LD (opt-out word, optional digits, dot, | |
     | # one or more non-"/" characters), but the final alternation is | |
     | # us|me|mobi|club instead of com|net. The match is case-insensitive. | |
     | # NOTE(review): unlike URI_OPTOUT_3LD, this block carries no score line, not | |
     | # even a commented-out one; confirm where its score is defined. | |
5453 | uri URI_OPTOUT_USME m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i | |
5454 | describe URI_OPTOUT_USME Opt-out URI, unusual TLD | |
5455 | tflags URI_OPTOUT_USME publish | |
5456 | ##} URI_OPTOUT_USME | |
5457 | ||
5458 | ##{ URI_PHISH | |
5459 | ||
     | # Description and flags are unconditional. The meta expression itself is | |
     | # supplied by the two plugin-conditional blocks that follow, and exactly one | |
     | # of them applies to a given installation. | |
5460 | describe URI_PHISH Phishing using web form | |
5461 | #score URI_PHISH 4.00 # limit | |
5462 | tflags URI_PHISH publish | |
5463 | ##} URI_PHISH | |
5464 | ||
5465 | ##{ URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
5466 | ||
     | # Variant used when the MIMEHeader plugin is NOT loaded: __URI_PHISH must hit | |
     | # and none of the negated terms may hit. Every negated term is an exemption: | |
     | # a message that satisfies any single one of them is never flagged by this | |
     | # rule, so treat URI_PHISH as one signal among several rather than a | |
     | # complete phishing check. | |
5467 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
5468 | meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT | |
5469 | endif | |
5470 | ##} URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
5471 | ||
5472 | ##{ URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5473 | ||
     | # Variant used when the MIMEHeader plugin IS loaded. It is the expression | |
     | # above plus one further exemption, !__REMOTE_IMAGE, so it is the narrower | |
     | # of the two. | |
5474 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5475 | meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT | |
5476 | endif | |
5477 | ##} URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5478 | ||
5479 | ##{ URI_PHP_REDIR | |
5480 | ||
5481 | meta URI_PHP_REDIR __URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTA | |
5482 | #score URI_PHP_REDIR 3.500 # limit | |
5483 | describe URI_PHP_REDIR PHP redirect to different URL (link obfuscation) | |
5484 | tflags URI_PHP_REDIR publish | |
5485 | ##} URI_PHP_REDIR | |
5486 | ||
5487 | ##{ URI_TRY_3LD | |
5488 | ||
5489 | meta URI_TRY_3LD __URI_TRY_3LD && !__HAS_ERRORS_TO && !__HDR_RCVD_ALIBABA && !__HDR_CASE_REVERSED && !__XM_EC_MESSENGER && !__CHARITY && !__URI_DOTEDU | |
5490 | describe URI_TRY_3LD "Try it" URI, suspicious hostname | |
5491 | #score URI_TRY_3LD 2.000 # limit | |
5492 | tflags URI_TRY_3LD publish | |
5493 | ##} URI_TRY_3LD | |
5494 | ||
5495 | ##{ URI_TRY_USME | |
5496 | ||
5497 | meta URI_TRY_USME __URI_TRY_USME && !__DKIM_EXISTS | |
5498 | describe URI_TRY_USME "Try it" URI, unusual TLD | |
5499 | #score URI_TRY_USME 2.000 # limit | |
5500 | tflags URI_TRY_USME publish | |
5501 | ##} URI_TRY_USME | |
5502 | ||
5503 | ##{ URI_WPADMIN | |
5504 | ||
5505 | meta URI_WPADMIN __URI_WPADMIN | |
5506 | describe URI_WPADMIN WordPress login/admin URI, possible phishing | |
5507 | tflags URI_WPADMIN publish | |
5508 | ##} URI_WPADMIN | |
5509 | ||
5510 | ##{ URI_WP_DIRINDEX | |
5511 | ||
5512 | meta URI_WP_DIRINDEX __URI_WPDIRINDEX | |
5513 | describe URI_WP_DIRINDEX URI for compromised WordPress site, possible malware | |
5514 | #score URI_WP_DIRINDEX 3.500 # limit | |
5515 | tflags URI_WP_DIRINDEX publish | |
5516 | ##} URI_WP_DIRINDEX | |
5517 | ||
5518 | ##{ URI_WP_HACKED | |
5519 | ||
     | # Hits when either __URI_WPCONTENT or __URI_WPINCLUDES fires and none of the | |
     | # six negated terms does. All sub-rules are defined outside this block. | |
     | # NOTE(review): the sub-rule names suggest matching on WordPress content and | |
     | # include paths, which uncompromised sites serve as well. Treat a hit as a | |
     | # heuristic indicator rather than proof of compromise; confirm against the | |
     | # sub-rule patterns. | |
5520 | meta URI_WP_HACKED (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED | |
5521 | describe URI_WP_HACKED URI for compromised WordPress site, possible malware | |
5522 | #score URI_WP_HACKED 3.500 # limit | |
5523 | tflags URI_WP_HACKED publish | |
5524 | ##} URI_WP_HACKED | |
5525 | ||
5526 | ##{ URI_WP_HACKED_2 | |
5527 | ||
     | # Requires __PS_TEST_LOC_WP and is suppressed whenever URI_WP_HACKED itself | |
     | # hits, so the two rules never fire together on one message. It is further | |
     | # excluded by __HAS_LIST_ID, __THREADED and __USING_VERP1. | |
     | # The describe text is identical to URI_WP_HACKED's, so reports show the same | |
     | # wording and the two are told apart only by rule name. | |
5528 | meta URI_WP_HACKED_2 (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__HAS_LIST_ID && !__THREADED && !__USING_VERP1 | |
5529 | describe URI_WP_HACKED_2 URI for compromised WordPress site, possible malware | |
5530 | #score URI_WP_HACKED_2 2.500 # limit | |
5531 | tflags URI_WP_HACKED_2 publish | |
5532 | ##} URI_WP_HACKED_2 | |
5533 | ||
5534 | ##{ USB_DRIVES | |
5535 | ||
5536 | meta USB_DRIVES __SUBJ_USB_DRIVES | |
5537 | describe USB_DRIVES Trying to sell custom USB flash drives | |
5538 | #score USB_DRIVES 2.000 # limit | |
5539 | tflags USB_DRIVES publish | |
5540 | ##} USB_DRIVES | |
5541 | ||
5542 | ##{ VFY_ACCT_NORDNS | |
5543 | ||
5544 | meta VFY_ACCT_NORDNS __VFY_ACCT_NORDNS && !__STY_INVIS_MANY | |
5545 | describe VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA - probable phishing | |
5546 | #score VFY_ACCT_NORDNS 3.000 # limit | |
5547 | tflags VFY_ACCT_NORDNS publish | |
5548 | ##} VFY_ACCT_NORDNS | |
5549 | ||
5550 | ##{ VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5551 | ||
     | # Defined only when the running version is at least 3.004002 AND the WLBLEval | |
     | # plugin is loaded; otherwise the rule does not exist at all. | |
     | # Both sub-rules must hit: __VPSNUMBERONLY_TLD and __FROM_ADDRLIST_SUSPNTLD | |
     | # (defined elsewhere). | |
     | # NOTE(review): the describe text misspells "suspicious" as "suspiscious". | |
     | # The string is emitted in reports, so fix it in the rule's source rather | |
     | # than in this generated file. | |
5552 | if (version >= 3.004002) | |
5553 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5554 | meta VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD | |
5555 | tflags VPS_NO_NTLD publish | |
5556 | describe VPS_NO_NTLD vps[0-9] domain at a suspiscious TLD | |
5557 | #score VPS_NO_NTLD 1.0 # limit | |
5558 | endif | |
5559 | endif | |
5560 | ##} VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5561 | ||
5562 | ##{ WALMART_IMG_NOT_RCVD_WAL | |
5563 | ||
5564 | meta WALMART_IMG_NOT_RCVD_WAL __WALMART_IMG_NOT_RCVD_WAL && !__DKIM_EXISTS | |
5565 | #score WALMART_IMG_NOT_RCVD_WAL 2.500 # limit | |
5566 | describe WALMART_IMG_NOT_RCVD_WAL Walmart hosted image but message not from Walmart | |
5567 | tflags WALMART_IMG_NOT_RCVD_WAL publish | |
5568 | ##} WALMART_IMG_NOT_RCVD_WAL | |
5569 | ||
5570 | ##{ WANT_TO_ORDER | |
5571 | ||
5572 | body WANT_TO_ORDER /you (?:(?:would )?like|want|are interested|need|wish)(?: to| in)? (?:plac(?:e|ing) an order|order(?:ing)? (?:for )?(?:this|it|now|today|our \w+)|take one (?:or two )?(?:today|now))\b/i | |
5573 | #score WANT_TO_ORDER 2.750 # limit | |
5574 | ##} WANT_TO_ORDER | |
5575 | ||
5576 | ##{ WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5577 | ||
5578 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5579 | meta WORD_INVIS __WORD_INVIS_MINFP && !WORD_INVIS_MANY | |
5580 | describe WORD_INVIS A hidden word | |
5581 | # score WORD_INVIS 3.000 # limit | |
5582 | tflags WORD_INVIS publish | |
5583 | endif | |
5584 | ##} WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5585 | ||
5586 | ##{ WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5587 | ||
5588 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5589 | meta WORD_INVIS_MANY __WORD_INVIS_2 | |
5590 | describe WORD_INVIS_MANY Multiple individual hidden words | |
5591 | # score WORD_INVIS_MANY 3.000 # limit | |
5592 | tflags WORD_INVIS_MANY publish | |
5593 | endif | |
5594 | ##} WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5595 | ||
5596 | ##{ XFER_LOTSA_MONEY | |
5597 | ||
5598 | meta XFER_LOTSA_MONEY __XFER_LOTSA_MONEY && !__VIA_ML && !__HAS_SENDER && !__SUBSCRIPTION_INFO | |
5599 | describe XFER_LOTSA_MONEY Transfer a lot of money | |
5600 | #score XFER_LOTSA_MONEY 1.000 # limit | |
5601 | ##} XFER_LOTSA_MONEY | |
5602 | ||
5603 | ##{ XM_DIGITS_ONLY | |
5604 | ||
5605 | meta XM_DIGITS_ONLY __XM_DIGITS_ONLY | |
5606 | describe XM_DIGITS_ONLY X-Mailer malformed | |
5607 | #score XM_DIGITS_ONLY 3.000 # limit | |
5608 | tflags XM_DIGITS_ONLY publish | |
5609 | ##} XM_DIGITS_ONLY | |
5610 | ||
5611 | ##{ XM_PHPMAILER_FORGED | |
5612 | ||
5613 | meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED | |
5614 | describe XM_PHPMAILER_FORGED Apparently forged header | |
5615 | tflags XM_PHPMAILER_FORGED publish | |
5616 | ##} XM_PHPMAILER_FORGED | |
5617 | ||
5618 | ##{ XM_RANDOM | |
5619 | ||
5620 | meta XM_RANDOM __XM_RANDOM && !__STY_INVIS_3 && !__HAS_IN_REPLY_TO && !__XM_UC_ONLY && !__XM_ASPQMAIL && !__XM_VERY_LONG | |
5621 | describe XM_RANDOM X-Mailer apparently random | |
5622 | #score XM_RANDOM 2.500 # limit | |
5623 | tflags XM_RANDOM publish | |
5624 | ##} XM_RANDOM | |
5625 | ||
5626 | ##{ XM_RECPTID | |
5627 | ||
5628 | meta XM_RECPTID __HAS_XM_RECPTID && !__TAG_EXISTS_SCRIPT && !__REPLYTO_NOREPLY && !__ENVFROM_AMAZONSES && !__DOS_DIRECT_TO_MX && !__FRAUD_PTX | |
5629 | describe XM_RECPTID Has spammy message header | |
5630 | #score XM_RECPTID 3.000 # limit | |
5631 | ##} XM_RECPTID | |
5632 | ||
5633 | ##{ XPRIO | |
5634 | ||
     | # Description and flags are unconditional. The meta expression is supplied by | |
     | # one of three mutually exclusive plugin branches further down: | |
     | #   no DKIM plugin      -> __XPRIO_MINFP alone (broadest form) | |
     | #   DKIM, no SPF plugin -> __XPRIO_MINFP minus DKIM/DNSWL exemptions | |
     | #   DKIM and SPF        -> as above, plus the !SPF_PASS exemption | |
5635 | describe XPRIO Has X-Priority header | |
5636 | #score XPRIO 2.250 # limit | |
5637 | tflags XPRIO publish | |
5638 | ##} XPRIO | |
5639 | ||
5640 | ##{ XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
5641 | ||
     | # Without the DKIM plugin none of the authentication exemptions apply, so | |
     | # every message that hits __XPRIO_MINFP hits XPRIO. | |
5642 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
5643 | meta XPRIO __XPRIO_MINFP | |
5644 | endif | |
5645 | ##} XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
5646 | ||
5647 | ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM | |
5648 | ||
     | # NOTE(review): this "tflags XPRIO net" comes after the unconditional | |
     | # "tflags XPRIO publish". Whether the later line replaces or extends the | |
     | # earlier flags is not visible here; confirm "publish" is still in effect. | |
5649 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
5650 | tflags XPRIO net | |
5651 | endif | |
5652 | ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM | |
5653 | ||
5654 | ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
5655 | ||
     | # DKIM loaded, SPF not loaded: the rule is suppressed by any of DKIM_SIGNED, | |
     | # __DKIM_DEPENDABLE, DKIM_VALID, DKIM_VALID_AU or RCVD_IN_DNSWL_NONE. | |
5656 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
5657 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
5658 | meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE | |
5659 | endif | |
5660 | endif | |
5661 | ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
5662 | ||
5663 | ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF | |
5664 | ||
     | # DKIM and SPF both loaded: same exemptions as the DKIM-only branch, plus | |
     | # SPF_PASS. | |
5665 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
5666 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
5667 | meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !__DKIM_DEPENDABLE && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS | |
5668 | endif | |
5669 | endif | |
5670 | ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF | |
5671 | ||
5672 | ##{ XPRIO_SHORT_SUBJ | |
5673 | ||
5674 | meta XPRIO_SHORT_SUBJ __XPRIO_SHORT_SUBJ && !__MSM_PRIO_REPTO && !ALL_TRUSTED && !__DKIM_EXISTS && !__RELAY_THRU_WWW && !__CTYPE_HAS_BOUNDARY && !__RCD_RDNS_MTA && !__HAS_HREF | |
5675 | describe XPRIO_SHORT_SUBJ Has X Priority header + short subject | |
5676 | #score XPRIO_SHORT_SUBJ 2.500 # limit | |
5677 | tflags XPRIO_SHORT_SUBJ publish | |
5678 | ##} XPRIO_SHORT_SUBJ | |
5679 | ||
5680 | ##{ XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5681 | ||
5682 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5683 | if (version >= 3.004000) | |
5684 | meta XPRIO_URL_SHORTNER __XPRIO_MINFP && __PDS_URISHORTENER | |
5685 | describe XPRIO_URL_SHORTNER X-Priority header and short URL | |
5686 | #score XPRIO_URL_SHORTNER 1.0 # limit | |
5687 | endif | |
5688 | endif | |
5689 | ##} XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5690 | ||
5691 | ##{ X_MAILER_CME_6543_MSN | |
5692 | ||
5693 | header X_MAILER_CME_6543_MSN X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/ | |
5694 | ##} X_MAILER_CME_6543_MSN | |
5695 | ||
5696 | ##{ YOUR_DELIVERY_ADDRESS | |
5697 | ||
5698 | body YOUR_DELIVERY_ADDRESS /(?:(?:respond|reply|answer) (?:to )?(?:our|this) ?e?mail (?:[\w,]+\s){0,10}(?:with|and send(?: us)?)|we need to know|let us know|(?:send|provide|tell|inform)(?: us)?(?: of)?|confirm|indicate)(?: t?he (?:order )?quantity and)? (?:your |the )?(?:detailed |specific )?(?:(?:delivery |shipping |mailing |shipment |receiving )?address(?:\s?[,.;]|(?: and| so)? we| if you)|address (?:for|of) (?:shipping|delivery|shipment))/i | |
5699 | #score YOUR_DELIVERY_ADDRESS 1.250 # limit | |
5700 | ##} YOUR_DELIVERY_ADDRESS | |
5701 | ||
5702 | ##{ YOU_INHERIT | |
5703 | ||
5704 | meta YOU_INHERIT __YOU_INHERIT | |
5705 | describe YOU_INHERIT Discussing your inheritance | |
5706 | ##} YOU_INHERIT | |
5707 | ||
5708 | ##{ bayes_ignore_header_sandbox | |
5709 | ||
5710 | bayes_ignore_header X-ACL-Warn | |
5711 | bayes_ignore_header X-Alimail-AntiSpam | |
5712 | bayes_ignore_header X-Amavis-Modified | |
5713 | bayes_ignore_header X-Anti-Spam | |
5714 | bayes_ignore_header X-Anti-Virus | |
5715 | bayes_ignore_header X-Anti-Virus-Version | |
5716 | bayes_ignore_header X-AntiAbuse | |
5717 | bayes_ignore_header X-Antispam | |
5718 | bayes_ignore_header X-Antivirus | |
5719 | bayes_ignore_header X-Antivirus-Code | |
5720 | bayes_ignore_header X-Antivirus-Status | |
5721 | bayes_ignore_header X-Antivirus-Version | |
5722 | bayes_ignore_header x-aol-global-disposition | |
5723 | bayes_ignore_header X-ASF-Spam-Status | |
5724 | bayes_ignore_header X-ASG-Debug-ID | |
5725 | bayes_ignore_header X-ASG-Orig-Subj | |
5726 | bayes_ignore_header X-ASG-Recipient-Whitelist | |
5727 | bayes_ignore_header X-ASG-Tag | |
5728 | bayes_ignore_header X-Assp-Version | |
5729 | bayes_ignore_header X-Authority-Analysis | |
5730 | bayes_ignore_header X-Authvirus | |
5731 | bayes_ignore_header X-Auto-Response-Suppress | |
5732 | bayes_ignore_header X-AV-Do-Run | |
5733 | bayes_ignore_header X-AV-Status | |
5734 | bayes_ignore_header x-avast-antispam | |
5735 | bayes_ignore_header X-Backend | |
5736 | bayes_ignore_header X-Barracuda-Apparent-Source-IP | |
5737 | bayes_ignore_header X-Barracuda-Bayes | |
5738 | bayes_ignore_header X-Barracuda-BBL-IP | |
5739 | bayes_ignore_header X-Barracuda-BRTS-Status | |
5740 | bayes_ignore_header X-Barracuda-BRTS-URL-Found | |
5741 | bayes_ignore_header X-Barracuda-Connect | |
5742 | bayes_ignore_header X-Barracuda-Encrypted | |
5743 | bayes_ignore_header X-Barracuda-Envelope-From | |
5744 | bayes_ignore_header X-Barracuda-Fingerprint-Found | |
5745 | bayes_ignore_header X-Barracuda-Orig-Rcpt | |
5746 | bayes_ignore_header X-Barracuda-RBL-IP | |
5747 | bayes_ignore_header X-Barracuda-RBL-Trusted-Forwarder | |
5748 | bayes_ignore_header X-Barracuda-Spam-Report | |
5749 | bayes_ignore_header X-Barracuda-Spam-Score | |
5750 | bayes_ignore_header X-Barracuda-Spam-Status | |
5751 | bayes_ignore_header X-Barracuda-Start-Time | |
5752 | bayes_ignore_header X-Barracuda-UID | |
5753 | bayes_ignore_header X-Barracuda-URL | |
5754 | bayes_ignore_header X-Barracuda-Virus-Alert | |
5755 | bayes_ignore_header X-Bayes-Prob | |
5756 | bayes_ignore_header X-Bayesian-Result | |
5757 | bayes_ignore_header X-BitDefender-Spam | |
5758 | bayes_ignore_header X-BitDefender-SpamStamp | |
5759 | bayes_ignore_header X-BL | |
5760 | bayes_ignore_header X-Bogosity | |
5761 | bayes_ignore_header X-Boxtrapper | |
5762 | bayes_ignore_header X-Brightmail-Tracker | |
5763 | bayes_ignore_header X-BTI-AntiSpam | |
5764 | bayes_ignore_header X-Bugzilla-Version | |
5765 | bayes_ignore_header X-CanIt-Geo | |
5766 | bayes_ignore_header X-Canit-Stats-ID | |
5767 | bayes_ignore_header X-CanItPRO-Stream | |
5768 | bayes_ignore_header X-Clapf-spamicity | |
5769 | bayes_ignore_header X-Cloud-Security | |
5770 | bayes_ignore_header X-CM-Score | |
5771 | bayes_ignore_header X-CMAE-Analysis | |
5772 | bayes_ignore_header X-CMAE-Match | |
5773 | bayes_ignore_header X-CMAE-Score | |
5774 | bayes_ignore_header X-CMAE-Verdict | |
5775 | bayes_ignore_header X-CNFS-Analysis | |
5776 | bayes_ignore_header X-Company | |
5777 | bayes_ignore_header X-Coremail-Antispam | |
5778 | bayes_ignore_header X-CRM114-CacheID | |
5779 | bayes_ignore_header X-CRM114-Status | |
5780 | bayes_ignore_header X-CRM114-Version | |
5781 | bayes_ignore_header X-CT-Spam | |
5782 | bayes_ignore_header X-CTCH-SenderID | |
5783 | bayes_ignore_header X-CTCH-SenderID-TotalBulk | |
5784 | bayes_ignore_header X-CTCH-SenderID-TotalConfirmed | |
5785 | bayes_ignore_header X-CTCH-SenderID-TotalMessages | |
5786 | bayes_ignore_header X-CTCH-SenderID-TotalRecipients | |
5787 | bayes_ignore_header X-CTCH-SenderID-TotalSpam | |
5788 | bayes_ignore_header X-CTCH-SenderID-TotalSuspected | |
5789 | bayes_ignore_header X-CTCH-SenderID-TotalVirus | |
5790 | bayes_ignore_header X-CTCH-Spam | |
5791 | bayes_ignore_header X-CTCH-VOD | |
5792 | bayes_ignore_header X-Drweb-SpamState | |
5793 | bayes_ignore_header X-DSPAM-Confidence | |
5794 | bayes_ignore_header X-DSPAM-Factors | |
5795 | bayes_ignore_header X-DSPAM-Improbability | |
5796 | bayes_ignore_header X-DSPAM-Probability | |
5797 | bayes_ignore_header X-DSPAM-Processed | |
5798 | bayes_ignore_header X-DSPAM-Result | |
5799 | bayes_ignore_header X-DSPAM-Signature | |
5800 | bayes_ignore_header x-eavas | |
5801 | bayes_ignore_header x-eavas-action | |
5802 | bayes_ignore_header x-eavas-eavasid | |
5803 | bayes_ignore_header X-Enigmail-Version | |
5804 | bayes_ignore_header X-EsetId | |
5805 | bayes_ignore_header X-EsetResult | |
5806 | bayes_ignore_header X-Exchange-Antispam-Report | |
5807 | bayes_ignore_header X-ExtloopSabreCommercials1 | |
5808 | bayes_ignore_header X-EYOU-SPAMVALUE | |
5809 | bayes_ignore_header X-FB-OUTBOUND-SPAM | |
5810 | bayes_ignore_header X-FEAS-SBL | |
5811 | bayes_ignore_header X-FILTER-SCORE | |
5812 | bayes_ignore_header X-Forefront-Antispam-Report | |
5813 | bayes_ignore_header X-Forefront-PRVS | |
5814 | bayes_ignore_header X-Fuglu-Spamstatus | |
5815 | bayes_ignore_header X-Fuglu-Suspect | |
5816 | bayes_ignore_header X-getmail-filter-classifier | |
5817 | bayes_ignore_header X-GFIME-MASPAM | |
5818 | bayes_ignore_header X-Gmane-NNTP-Posting-Host | |
5819 | bayes_ignore_header X-GMX-Antispam | |
5820 | bayes_ignore_header X-GMX-Antivirus | |
5821 | bayes_ignore_header X-He-Spam | |
5822 | bayes_ignore_header X-hMailServer-Spam | |
5823 | bayes_ignore_header X-IAS | |
5824 | bayes_ignore_header X-iGspam-global | |
5825 | bayes_ignore_header X-Injected-Via-Gmane | |
5826 | bayes_ignore_header X-Interia-Antivirus | |
5827 | bayes_ignore_header X-IP-Spam-Verdict | |
5828 | bayes_ignore_header X-Ironport | |
5829 | bayes_ignore_header X-IronPort-Anti-Spam-Filtered | |
5830 | bayes_ignore_header X-IronPort-Anti-Spam-Result | |
5831 | bayes_ignore_header X-IronPort-AV | |
5832 | bayes_ignore_header X-Ironport-HAT | |
5833 | bayes_ignore_header X-Ironport-HOSTNAME | |
5834 | bayes_ignore_header X-Ironport-LNR | |
5835 | bayes_ignore_header X-Ironport-MessageFilter | |
5836 | bayes_ignore_header X-Ironport-MFP | |
5837 | bayes_ignore_header X-Ironport-MID | |
5838 | bayes_ignore_header X-IronPort-Outgoing-Antispam | |
5839 | bayes_ignore_header X-Ironport-RIF | |
5840 | bayes_ignore_header X-Ironport-SBRS | |
5841 | bayes_ignore_header X-Ironport-SENDER | |
5842 | bayes_ignore_header X-Ironport-SUBJECT | |
5843 | bayes_ignore_header X-Junk-Score | |
5844 | bayes_ignore_header X-Junkmail | |
5845 | bayes_ignore_header X-KLMS-AntiPhishing | |
5846 | bayes_ignore_header X-Klms-Antispam | |
5847 | bayes_ignore_header X-KLMS-AntiSpam-Info | |
5848 | bayes_ignore_header X-KLMS-AntiSpam-Interceptor-Info | |
5849 | bayes_ignore_header X-KLMS-AntiSpam-Lua-Profiles | |
5850 | bayes_ignore_header X-KLMS-AntiSpam-Method | |
5851 | bayes_ignore_header X-KLMS-AntiSpam-Moebius-Timestamps | |
5852 | bayes_ignore_header X-KLMS-AntiSpam-Rate | |
5853 | bayes_ignore_header X-KLMS-AntiSpam-Status | |
5854 | bayes_ignore_header X-KLMS-AntiSpam-Version | |
5855 | bayes_ignore_header X-KLMS-AntiVirus | |
5856 | bayes_ignore_header X-KLMS-AntiVirus-Status | |
5857 | bayes_ignore_header X-KLMS-Message-Action | |
5858 | bayes_ignore_header X-KLMS-Rule-ID | |
5859 | bayes_ignore_header X-KMail-EncryptionState | |
5860 | bayes_ignore_header X-KMail-MDN-Sent | |
5861 | bayes_ignore_header X-KMail-SignatureState | |
     | # NOTE(review): "X-MailCleaner-SpamChec" differs from the next entry only by | |
     | # a missing final "k" and looks like a truncated duplicate; confirm whether | |
     | # any upstream filter really emits that header name. | |
5862 | bayes_ignore_header X-MailCleaner-SpamChec | |
5863 | bayes_ignore_header X-MailCleaner-SpamCheck | |
5864 | bayes_ignore_header X-MailFoundry | |
5865 | bayes_ignore_header X-MDMailLookup-Result | |
5866 | bayes_ignore_header X-ME-Bayesian | |
5867 | bayes_ignore_header X-ME-Content | |
5868 | bayes_ignore_header X-MessageFilter | |
5869 | bayes_ignore_header X-Microsoft-Antispam | |
5870 | bayes_ignore_header X-Mlf-Version | |
5871 | bayes_ignore_header X-MXScan-AntiSpam | |
5872 | bayes_ignore_header X-MXScan-AntiVirus | |
5873 | bayes_ignore_header X-MXScan-Country-Sequence | |
5874 | bayes_ignore_header X-MXScan-License | |
5875 | bayes_ignore_header X-MXScan-Msgid | |
5876 | bayes_ignore_header X-MXScan-ProcessingTime | |
5877 | bayes_ignore_header X-MXScan-Scan | |
5878 | bayes_ignore_header X-NAI-Spam-Flag | |
5879 | bayes_ignore_header X-NAI-Spam-Rules | |
5880 | bayes_ignore_header X-NAI-Spam-Score | |
5881 | bayes_ignore_header X-NAI-Spam-Threshold | |
5882 | bayes_ignore_header X-NetStation-Status | |
5883 | bayes_ignore_header X-OVH-SPAMCAUSE | |
     | # NOTE(review): the next entry repeats X-OVH-SPAMCAUSE with a trailing ":". | |
     | # Header field names do not include the colon, so it presumably never | |
     | # matches and is a stray duplicate of the entry above; confirm and drop it | |
     | # in the rule's source. | |
5884 | bayes_ignore_header X-OVH-SPAMCAUSE: | |
5885 | bayes_ignore_header X-OVH-SPAMSCORE | |
5886 | bayes_ignore_header X-OVH-SPAMSTATE | |
5887 | bayes_ignore_header X-PerlMx-Spam | |
5888 | bayes_ignore_header X-PerlMx-Virus-Scanned | |
5889 | bayes_ignore_header X-PFSI-Info | |
5890 | bayes_ignore_header X-PMX-Spam | |
5891 | bayes_ignore_header X-PMX-Version | |
5892 | bayes_ignore_header X-Policy-Service | |
5893 | bayes_ignore_header X-policyd-weight | |
5894 | bayes_ignore_header X-PreRBLs | |
5895 | bayes_ignore_header X-Probable-Spam | |
5896 | bayes_ignore_header X-PROLinux-SpamCheck | |
5897 | bayes_ignore_header X-Proofpoint-Spam-Reason | |
5898 | bayes_ignore_header X-Proofpoint-Virus-Version | |
     | # NOTE(review): the next entry gives a header name together with a value | |
     | # ("x-purgate-eavas: clean"), where every sibling entry gives a bare header | |
     | # name. It presumably never matches as written, and no bare | |
     | # "x-purgate-eavas" entry exists in this block, so that upstream-filter | |
     | # header would still be tokenised by Bayes; confirm and correct in the | |
     | # rule's source. | |
5899 | bayes_ignore_header x-purgate-eavas: clean | |
5900 | bayes_ignore_header x-purgate-id | |
5901 | bayes_ignore_header x-purgate-size | |
5902 | bayes_ignore_header x-purgate-type | |
5903 | bayes_ignore_header X-Qmail-Scanner-Diagnostics | |
5904 | bayes_ignore_header X-Qmail-Scanner-MOVED-X-Spam-Status | |
5905 | bayes_ignore_header X-Quarantine-ID | |
5906 | bayes_ignore_header X-RSpam-Report | |
5907 | bayes_ignore_header X-SA-Do-Not-Run | |
5908 | bayes_ignore_header X-SA-Exim-Version | |
5909 | bayes_ignore_header X-Scanned-by | |
5910 | bayes_ignore_header X-SmarterMail-CustomSpamHeader | |
5911 | bayes_ignore_header X-Spam | |
5912 | bayes_ignore_header X-Spam-Action | |
5913 | bayes_ignore_header X-SPAM-AISP | |
5914 | bayes_ignore_header X-Spam-Check-By | |
5915 | bayes_ignore_header X-Spam-Checker-Version | |
5916 | bayes_ignore_header X-Spam-CMAE-Analysis | |
5917 | bayes_ignore_header X-Spam-CMAESCORE | |
5918 | bayes_ignore_header X-Spam-CTCH-RefID | |
5919 | bayes_ignore_header X-Spam-Flag | |
5920 | bayes_ignore_header X-Spam-Level | |
5921 | bayes_ignore_header X-Spam-Processed | |
5922 | bayes_ignore_header X-Spam-Report | |
5923 | bayes_ignore_header X-Spam-Scanned | |
5924 | bayes_ignore_header X-Spam-Score | |
5925 | bayes_ignore_header X-Spam-Score-Int | |
5926 | bayes_ignore_header X-Spam-SmartLearn | |
5927 | bayes_ignore_header X-Spam-Status | |
5928 | bayes_ignore_header X-Spam-Threshold | |
5929 | bayes_ignore_header X-Spam_bar | |
5930 | bayes_ignore_header X-Spambayes-Classification | |
5931 | bayes_ignore_header X-SpamExperts-Domain | |
5932 | bayes_ignore_header X-SpamExperts-Outgoing-Class | |
5933 | bayes_ignore_header X-SpamExperts-Outgoing-Evidence | |
5934 | bayes_ignore_header X-SpamExperts-Username | |
5935 | bayes_ignore_header X-Spamfilter-host | |
5936 | bayes_ignore_header X-Spamina-Bogosity | |
5937 | bayes_ignore_header X-Spamina-Spam-Report | |
5938 | bayes_ignore_header X-Spamina-Spam-Score | |
5939 | bayes_ignore_header X-SpamInfo | |
5940 | bayes_ignore_header X-Spamsave | |
5941 | bayes_ignore_header X-SpamTest-Group-ID | |
5942 | bayes_ignore_header X-SpamTest-Info | |
5943 | bayes_ignore_header X-SpamTest-Method | |
5944 | bayes_ignore_header X-SpamTest-Rate | |
5945 | bayes_ignore_header X-SpamTest-SPF | |
5946 | bayes_ignore_header X-SpamTest-Status | |
5947 | bayes_ignore_header X-SpamTest-Status-Extended | |
5948 | bayes_ignore_header X-SPF-Scan-By | |
5949 | bayes_ignore_header X-STA-Metric | |
5950 | bayes_ignore_header X-STA-NotSpam | |
5951 | bayes_ignore_header X-STA-Spam | |
5952 | bayes_ignore_header X-StarScan-Version | |
5953 | bayes_ignore_header X-SurGATE-Result | |
5954 | bayes_ignore_header X-SWITCHham-Score | |
5955 | bayes_ignore_header X-UI-Filterresults | |
5956 | bayes_ignore_header X-UI-Loop | |
5957 | bayes_ignore_header X-UI-Out-Filterresults | |
5958 | bayes_ignore_header X-Univie-Spam-Checker-Version | |
5959 | bayes_ignore_header X-Univie-Virus-Scan | |
5960 | bayes_ignore_header X-Virus | |
5961 | bayes_ignore_header X-Virus-Checker-Version | |
5962 | bayes_ignore_header X-Virus-Scanned | |
5963 | bayes_ignore_header X-Virus-Scanner-Result | |
5964 | bayes_ignore_header X-Virus-Scanner-Version | |
5965 | bayes_ignore_header X-Virus-Status | |
5966 | bayes_ignore_header X-VirusChecked | |
5967 | bayes_ignore_header X-VR-SCORE | |
5968 | bayes_ignore_header X-VR-SPAMCAUSE | |
5969 | bayes_ignore_header X-VR-STATUS | |
5970 | bayes_ignore_header X-WatchGuard-Mail-Client-IP | |
5971 | bayes_ignore_header X-WatchGuard-Mail-From | |
5972 | bayes_ignore_header X-WatchGuard-Mail-Recipients | |
5973 | bayes_ignore_header X-WatchGuard-Spam-ID | |
5974 | bayes_ignore_header X-WatchGuard-Spam-Score | |
5975 | bayes_ignore_header X-Whitelist-Domain | |
5976 | bayes_ignore_header X-WUM-CCI | |
     | # NOTE(review): on the next line the block's closing "##}" marker is fused | |
     | # onto the last entry, as if a newline were missing. Text after an unescaped | |
     | # "#" is presumably discarded as a comment, leaving "X_CMAE_Category" as the | |
     | # header name; confirm. Tools that look for "##}" at the start of a line | |
     | # would not see this block end. | |
5977 | bayes_ignore_header X_CMAE_Category##} bayes_ignore_header_sandbox | |
5978 | ||
5979 | ##{ if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox | |
5980 | ||
     | # Active only when the version is at least 3.004001 and the AskDNS plugin is | |
     | # loaded. | |
     | # Each of the first four rules queries "<_AUTHORDOMAIN_>.fresh.fmb.la." for | |
     | # an A record and hits when the answer matches its fully anchored 127.x.y.z | |
     | # pattern. _AUTHORDOMAIN_ is a per-message template tag, presumably the | |
     | # domain of the From: address; confirm in the AskDNS plugin documentation. | |
     | # Operational note: these are live DNS lookups against a third-party zone. | |
     | # The author domain of every scanned message is disclosed to that zone's | |
     | # operator, and the rules depend on the zone being reachable; check both | |
     | # against local policy. | |
     | # NOTE(review): 127.255.255.255 (__FROM_FMBLA_NDBLOCKED) is presumably the | |
     | # list's "query refused" answer rather than a verdict on the domain. If so, | |
     | # a hit points to a blocked resolver; confirm with the list's documentation. | |
     | # The "reuse" lines name rules whose recorded hits may be reused, presumably | |
     | # during mass-check runs; they define no rule logic themselves. | |
5981 | if (version >= 3.004001) | |
5982 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
5983 | askdns __FROM_FMBLA_NEWDOM _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/ | |
5984 | askdns __FROM_FMBLA_NEWDOM14 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.14$/ | |
5985 | askdns __FROM_FMBLA_NEWDOM28 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.28$/ | |
5986 | askdns __FROM_FMBLA_NDBLOCKED _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.255\.255\.255$/ | |
5987 | reuse FROM_FMBLA_NEWDOM | |
5988 | reuse FROM_FMBLA_NEWDOM14 | |
5989 | reuse FROM_FMBLA_NEWDOM28 | |
5990 | reuse FROM_FMBLA_NDBLOCKED | |
5991 | reuse __PDS_NEWDOMAIN | |
5992 | reuse FROM_NUMBERO_NEWDOMAIN | |
5993 | reuse FROM_NEWDOM_BTC | |
     | # Looks up the TXT records of _SENDERDOMAIN_ (presumably the envelope sender | |
     | # domain; confirm) and hits only on a record that is exactly "v=spf1 +all". | |
     | # NOTE(review): the pattern is anchored at both ends, so other policies that | |
     | # authorise every sender are not matched, e.g. a bare "all" (SPF's default | |
     | # qualifier is "+"), extra mechanisms before "+all", or different spacing. | |
5994 | askdns __PDS_SPF_ONLYALL _SENDERDOMAIN_ TXT /^v=spf1 \+all$/ | |
5995 | reuse BITCOIN_SPF_ONLYALL | |
5996 | endif | |
5997 | endif | |
5998 | ##} if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox | |
5999 | ||
6000 | ##{ if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox | |
6001 | ||
6002 | if (version >= 3.004002) | |
6003 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
 | # Named address lists (PAYPAL, BANKS, GOV, SUSP_NTLD) and URI host lists (SUSP_URI_NTLD, SUSP_URI_NTLD_PRO). | |
 | # The rules that consult these lists are not defined in this section; only their reuse lines appear here. | |
 | # A From address matching a brand list shows only which sender is claimed, not that the claim is authentic. | |
 | # NOTE(review): names such as FROM_PAYPAL_SPOOF and FROM_BANK_NOAUTH suggest the lists are paired with authentication results where those rules are defined - confirm there. | |
 | # *@paypal.de appears on both of the first two PAYPAL lines; the duplicate looks harmless. | |
6004 | enlist_addrlist (PAYPAL) *@paypal.com *@paypal.co.uk *@paypal.de *@paypal.com.au *@paypal.it | |
6005 | enlist_addrlist (PAYPAL) *@paypal.es *@paypal.fr *@paypal.de *@paypal.com.hk | |
6006 | enlist_addrlist (PAYPAL) *@*.paypal.com *@*.paypal.co.uk | |
6007 | reuse __FROM_ADDRLIST_PAYPAL | |
6008 | reuse FROM_PAYPAL_SPOOF | |
6009 | enlist_addrlist (BANKS) *@abbey.co.uk *@abbey.com *@abbeyinternational.com *@abbeyinternational.co.uk *@abbeynational.com *@abbeynational.co.uk | |
6010 | enlist_addrlist (BANKS) *@allianceleicester.com *@allianceleicester.co.uk *@alliance-leicester.com *@alliance-leicester.co.uk | |
6011 | enlist_addrlist (BANKS) *@bankofamerica.com *@bankofamerica.co.uk | |
6012 | enlist_addrlist (BANKS) *@barclaycard.com *@barclays.com | |
6013 | enlist_addrlist (BANKS) *@citibank.com | |
6014 | enlist_addrlist (BANKS) *@firstdirect.com *@firstdirect.co.uk | |
6015 | enlist_addrlist (BANKS) *@halifax.com *@halifax.co.uk *@halifax-online.co.uk *@halifax-online.com | |
6016 | enlist_addrlist (BANKS) *@hbos.com *@hbos.co.uk | |
6017 | enlist_addrlist (BANKS) *@hsbc.com *@hsbc.co.uk *@hsbc.hk *@hsbcgroup.com *@hsbcgroup.co.uk | |
6018 | enlist_addrlist (BANKS) *@lloydstsb.com *@lloydstsb.co.uk *@lloyds.com | |
6019 | enlist_addrlist (BANKS) *@mbna.com | |
6020 | enlist_addrlist (BANKS) *@nationwide.com *@nationwide.co.uk | |
6021 | enlist_addrlist (BANKS) *@natwest.com *@natwest.co.uk | |
6022 | enlist_addrlist (BANKS) *@santander.com *@santander.co.uk | |
6023 | enlist_addrlist (BANKS) *@standardbank.co.za | |
6024 | enlist_addrlist (BANKS) *@ybonline.co.uk *@ybonline.com | |
6025 | reuse __FROM_ADDRLIST_BANKS | |
6026 | reuse FROM_BANK_NOAUTH | |
 | # The GOV patterns *@*.gov and *@*.gov.uk need at least one label in front of the suffix; parliament.uk is listed both bare and with subdomains. | |
6027 | enlist_addrlist (GOV) *@*.gov | |
6028 | enlist_addrlist (GOV) *@*.gov.uk *@parliament.uk *@*.parliament.uk | |
6029 | reuse __FROM_ADDRLIST_GOV | |
6030 | reuse FROM_GOV_SPOOF | |
6031 | reuse FROM_GOV_DKIM_AU | |
6032 | reuse FROM_GOV_REPLYTO_FREEMAIL | |
 | # SUSP_NTLD (addresses) and SUSP_URI_NTLD (URI hosts) carry the same 23 top-level domains in the same order. | |
 | # Membership is by TLD alone, so legitimate senders under these TLDs match as well. | |
6033 | enlist_addrlist (SUSP_NTLD) *@*.icu | |
6034 | enlist_addrlist (SUSP_NTLD) *@*.online | |
6035 | enlist_addrlist (SUSP_NTLD) *@*.work | |
6036 | enlist_addrlist (SUSP_NTLD) *@*.date | |
6037 | enlist_addrlist (SUSP_NTLD) *@*.top | |
6038 | enlist_addrlist (SUSP_NTLD) *@*.fun | |
6039 | enlist_addrlist (SUSP_NTLD) *@*.life | |
6040 | enlist_addrlist (SUSP_NTLD) *@*.review | |
6041 | enlist_addrlist (SUSP_NTLD) *@*.xyz | |
6042 | enlist_addrlist (SUSP_NTLD) *@*.bid | |
6043 | enlist_addrlist (SUSP_NTLD) *@*.stream | |
6044 | enlist_addrlist (SUSP_NTLD) *@*.site | |
6045 | enlist_addrlist (SUSP_NTLD) *@*.space | |
6046 | enlist_addrlist (SUSP_NTLD) *@*.gdn | |
6047 | enlist_addrlist (SUSP_NTLD) *@*.click | |
6048 | enlist_addrlist (SUSP_NTLD) *@*.world | |
6049 | enlist_addrlist (SUSP_NTLD) *@*.fit | |
6050 | enlist_addrlist (SUSP_NTLD) *@*.ooo | |
6051 | enlist_addrlist (SUSP_NTLD) *@*.faith | |
6052 | enlist_addrlist (SUSP_NTLD) *@*.buzz | |
6053 | enlist_addrlist (SUSP_NTLD) *@*.trade | |
6054 | enlist_addrlist (SUSP_NTLD) *@*.cyou | |
6055 | enlist_addrlist (SUSP_NTLD) *@*.vip | |
6056 | enlist_uri_host (SUSP_URI_NTLD) icu | |
6057 | enlist_uri_host (SUSP_URI_NTLD) online | |
6058 | enlist_uri_host (SUSP_URI_NTLD) work | |
6059 | enlist_uri_host (SUSP_URI_NTLD) date | |
6060 | enlist_uri_host (SUSP_URI_NTLD) top | |
6061 | enlist_uri_host (SUSP_URI_NTLD) fun | |
6062 | enlist_uri_host (SUSP_URI_NTLD) life | |
6063 | enlist_uri_host (SUSP_URI_NTLD) review | |
6064 | enlist_uri_host (SUSP_URI_NTLD) xyz | |
6065 | enlist_uri_host (SUSP_URI_NTLD) bid | |
6066 | enlist_uri_host (SUSP_URI_NTLD) stream | |
6067 | enlist_uri_host (SUSP_URI_NTLD) site | |
6068 | enlist_uri_host (SUSP_URI_NTLD) space | |
6069 | enlist_uri_host (SUSP_URI_NTLD) gdn | |
6070 | enlist_uri_host (SUSP_URI_NTLD) click | |
6071 | enlist_uri_host (SUSP_URI_NTLD) world | |
6072 | enlist_uri_host (SUSP_URI_NTLD) fit | |
6073 | enlist_uri_host (SUSP_URI_NTLD) ooo | |
6074 | enlist_uri_host (SUSP_URI_NTLD) faith | |
6075 | enlist_uri_host (SUSP_URI_NTLD) buzz | |
6076 | enlist_uri_host (SUSP_URI_NTLD) trade | |
6077 | enlist_uri_host (SUSP_URI_NTLD) cyou | |
6078 | enlist_uri_host (SUSP_URI_NTLD) vip | |
 | # .pro is kept in its own list (SUSP_URI_NTLD_PRO), separate from the 23 TLDs above. | |
6079 | enlist_uri_host (SUSP_URI_NTLD_PRO) pro | |
6080 | reuse __FROM_ADDRLIST_SUSPNTLD | |
6081 | reuse __REPLYTO_ADDRLIST_SUSPNTLD | |
6082 | reuse FROM_SUSPICIOUS_NTLD | |
6083 | reuse GOOGLE_DRIVE_REPLY_BAD_NTLD | |
6084 | reuse VPS_NO_NTLD | |
6085 | endif | |
6086 | endif | |
6087 | ##} if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox | |
6088 | ||
6089 | ##{ if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox | |
6090 | ||
6091 | if (version >= 3.004003) | |
6092 | ifplugin Mail::SpamAssassin::Plugin::HashBL | |
 | # Gives T_GB_HASHBL_BTC priority -100; the rule itself is defined elsewhere in the file. | |
 | # Rules run in increasing priority order (default 0), so -100 puts it ahead of default-priority rules. | |
 | # NOTE(review): presumably this starts the HashBL network lookup early - confirm against the rule definition. | |
6093 | priority T_GB_HASHBL_BTC -100 | |
6094 | reuse T_GB_HASHBL_BTC | |
6095 | endif | |
6096 | endif | |
6097 | ##} if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox | |
6098 | ||
6099 | ##{ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox | |
6100 | ||
6101 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
6102 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
 | # lcase_e: byte-level alternation for a plain "e" or a UTF-8 encoded look-alike, used to catch homoglyph substitution. | |
 | # Examples: \xc3[\xa8-\xab] covers e with grave, acute, circumflex and diaeresis; \xd0\xb5 is Cyrillic small ie. | |
 | # NOTE(review): \x07 in the \xd3 class is not a UTF-8 continuation byte (those are \x80-\xbf), so that alternative cannot match well-formed UTF-8; it looks like a typo - confirm against upstream. | |
 | # NOTE(review): the \xc8 class lists \x80 after \x85 and \x87; check that each byte is the intended code point. | |
6103 | replace_tag lcase_e (?:e|\xc3[\xa8\xa9\xaa\xab]|\xc4[\x93\x95\x97\x99\x9b]|\xc8[\x85\x87\x80]|\xcf\xb5|\xd0\xb5|\xd1[\x90\x91\x94\xb3]|\xd2[\xbc\xbd\xbe\xbf]|\xd3[\x07\xa9\xab]) | |
 | # Expands the tag placeholders inside the rule __E_LIKE_LETTER, which is defined elsewhere in the file. | |
6104 | replace_rules __E_LIKE_LETTER | |
6105 | endif | |
6106 | endif | |
6107 | ##} if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox | |
6108 | ||
6109 | ##{ ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox | |
6110 | ||
6111 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
 | # A lookups of the DKIM signing domain (_DKIMDOMAIN_) under lookup.dkimwl.org. | |
 | # Sub-rules named FREEMAIL and BULKMAIL test the third octet of the answer (3 and 2). | |
 | # Sub-rules named WL_HI, WL_MEDHI, WL_MED and WL_BL test the fourth octet (5, 4, 3 and 0). | |
 | # All patterns are anchored; the 127.255.255.255 answer matched by __DKIMWL_BLOCKED matches none of the others. | |
 | # NOTE(review): going by the name, 127.255.255.255 signals a refused query, not a reputation level - confirm with the list operator. | |
 | # These lookups disclose each message's signing domain to the operator of the queried zone. | |
6112 | askdns __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/ | |
6113 | reuse __DKIMWL_FREEMAIL | |
6114 | askdns __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/ | |
6115 | reuse __DKIMWL_BULKMAIL | |
6116 | askdns __DKIMWL_WL_HI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/ | |
6117 | reuse __DKIMWL_WL_HI | |
6118 | askdns __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/ | |
6119 | reuse __DKIMWL_WL_MEDHI | |
6120 | askdns __DKIMWL_WL_MED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/ | |
6121 | reuse __DKIMWL_WL_MED | |
6122 | askdns __DKIMWL_WL_BL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/ | |
6123 | reuse __DKIMWL_WL_BL | |
6124 | askdns __DKIMWL_BLOCKED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/ | |
6125 | reuse __DKIMWL_BLOCKED | |
6126 | reuse DKIMWL_WL_HIGH | |
6127 | reuse DKIMWL_WL_MEDHI | |
6128 | reuse DKIMWL_WL_MED | |
6129 | reuse DKIMWL_BL | |
6130 | reuse DKIMWL_BLOCKED | |
 | # __HELO_DNS queries the HELO name of the last external relay and hits on any non-empty A answer. | |
6131 | askdns __HELO_DNS _LASTEXTERNALHELO_ A /./ | |
6132 | endif | |
6133 | ##} ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox | |
6134 | ||
6135 | ##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox | |
6136 | ||
 | # The "# {" after the plugin name is a trailing comment carried over from the rule source; the section markers repeat it verbatim. | |
 | # Only a reuse line appears here; RCVD_IN_PSBL itself is defined elsewhere in the file. | |
6137 | ifplugin Mail::SpamAssassin::Plugin::DNSEval # { | |
6138 | reuse RCVD_IN_PSBL | |
6139 | endif | |
6140 | ##} ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox | |
6141 | ||
6142 | ##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox | |
6143 | ||
 | # Reuse declarations for the RCVD_IN_IADB_* family; none of these rules is defined in this section. | |
 | # No lookup zone or score is set here, so the meaning of each result must be read from the rule definitions. | |
6144 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
6145 | reuse RCVD_IN_IADB_LISTED | |
6146 | reuse RCVD_IN_IADB_EDDB | |
6147 | reuse RCVD_IN_IADB_EPIA | |
6148 | reuse RCVD_IN_IADB_SPF | |
6149 | reuse RCVD_IN_IADB_SENDERID | |
6150 | reuse RCVD_IN_IADB_DK | |
6151 | reuse RCVD_IN_IADB_RDNS | |
6152 | reuse RCVD_IN_IADB_GOODMAIL | |
6153 | reuse RCVD_IN_IADB_NOCONTROL | |
6154 | reuse RCVD_IN_IADB_OPTOUTONLY | |
6155 | reuse RCVD_IN_IADB_UNVERIFIED_1 | |
6156 | reuse RCVD_IN_IADB_UNVERIFIED_2 | |
6157 | reuse RCVD_IN_IADB_LOOSE | |
6158 | reuse RCVD_IN_IADB_OPTIN_LT50 | |
6159 | reuse RCVD_IN_IADB_OPTIN_GT50 | |
6160 | reuse RCVD_IN_IADB_OPTIN | |
6161 | reuse RCVD_IN_IADB_DOPTIN_LT50 | |
6162 | reuse RCVD_IN_IADB_DOPTIN_GT50 | |
6163 | reuse RCVD_IN_IADB_DOPTIN | |
6164 | reuse RCVD_IN_IADB_ML_DOPTIN | |
6165 | reuse RCVD_IN_IADB_OOO | |
6166 | reuse RCVD_IN_IADB_MI_CPEAR | |
6167 | reuse RCVD_IN_IADB_UT_CPEAR | |
6168 | reuse RCVD_IN_IADB_MI_CPR_30 | |
6169 | reuse RCVD_IN_IADB_UT_CPR_30 | |
6170 | reuse RCVD_IN_IADB_MI_CPR_MAT | |
6171 | reuse RCVD_IN_IADB_UT_CPR_MAT | |
6172 | endif | |
6173 | ##} ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox | |
6174 | ||
6175 | ##{ ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox | |
6176 | ||
6177 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
 | # Settings for the FromNameSpoof plugin: four domains under fns_ignore_dkim, one header under fns_ignore_headers, and check mode 1. | |
 | # NOTE(review): going by the option names, mail DKIM-signed by a listed domain, or carrying a listed header, is exempt from the display-name check - confirm in the plugin documentation. | |
 | # NOTE(review): List-Id is written by the sender, so an exemption keyed on its presence rests on no authenticated property of the message; the DKIM exemption is the stronger of the two. | |
 | # NOTE(review): the meaning of fns_check 1 is not visible here - confirm which comparison that mode selects. | |
6178 | fns_ignore_dkim linkedin.com googlegroups.com yahoogroups.com yahoogroups.de | |
6179 | fns_ignore_headers List-Id | |
6180 | fns_check 1 | |
6181 | reuse __PLUGIN_FROMNAME_SPOOF | |
6182 | reuse __PLUGIN_FROMNAME_EQUALS_TO | |
6183 | endif | |
6184 | ##} ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox | |
6185 | ||
6186 | ##{ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox | |
6187 | ||
6188 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
 | # replace_tag defines a named regex fragment; replace_rules names the rules in which tag placeholders are expanded. | |
 | # The listed rules are defined elsewhere in the file; this section supplies only the fragments and the rule names. | |
 | # Fragments nest: FF_A1, FF_A2, FF_P1 and others embed ANDOR or NUMBER, FF_ALL joins the FF_ field tags, and NUM_NOT_DATE_IP builds on NUM_NOT_DATE. | |
6189 | replace_rules T_FUZZY_SPRM | |
6190 | replace_rules FUZZY_MERIDIA | |
6191 | replace_rules TVD_FUZZY_PHARMACEUTICAL | |
6192 | replace_rules TVD_FUZZY_SYMBOL | |
6193 | replace_rules T_TVD_FUZZY_SECURITIES | |
6194 | replace_rules TVD_FUZZY_FINANCE | |
6195 | replace_rules TVD_FUZZY_FIXED_RATE | |
6196 | replace_rules TVD_FUZZY_MICROCAP | |
6197 | replace_rules T_TVD_FUZZY_SECTOR | |
6198 | replace_rules TVD_FUZZY_DEGREE | |
6199 | replace_rules __COPY_PASTE_EN | |
 | # FF_ tags: building blocks for the __FILL_THIS_FORM_ rules listed further down. | |
 | # They describe form-field labels (address, name, phone, bank and identity details) and the blank space that follows them. | |
 | # Most repetition is bounded ({0,3}, {1,80}, {3,100}), which limits matching cost on hostile message bodies. | |
 | # In FF_BLANK1 and FF_BLANK2, [\xe2][\x80][\xa6] is the UTF-8 ellipsis; \x85 is the same character in Windows-1252. | |
6200 | replace_tag FF_LNNO (?:(?:\d{1,3}(?:[)}\]:.,]{1,80}|(?:st|nd|rd|th)[)}\]:.,]{0,3})|\W?\([\div]{1,5}\)|\W?\{\d{1,3}\}|\[\d{1,3}\]|\*{1,5}|\#{1,5}|\(?[A-K][)}\]:.,]{1,3})\s?) | |
6201 | replace_tag FF_YOUR (?:a?\s?copy\sof\s)?(?:(?:your|din|seu|twoje)[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full(?:st[\xe4]ndigt)?\s?|complete\s|direct\s|private?\s|valid\s|personal\s|nuvarande\s|vollst[\xe4]ndige\s|aktuelle\s|pe\s(?:ne\s)?){0,3} | |
6202 | replace_tag ANDOR (?:\s?[\/&+,]\s?|\sor\s|\sand?\s) | |
6203 | replace_tag NUMBER (?:(?:ruf)?num(?:[bm]er)?\(?s?\)?|nos?\.|no\b|n[\xb0]|\#s?|nbrs?\.?) | |
6204 | replace_tag FF_SUFFIX (?:\sin\s(?:full|words)|\scompleto)?:?(?:\s?[({][^)}]{1,30}[)}])? | |
6205 | replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){3,100})) | |
6206 | replace_tag FF_BLANK2 (?:[^-=_.,:;*\w]{0,3}(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){1,100}) | |
6207 | replace_tag FF_A1 (?:(?:countr?y|city|province|ter+itory|(?:zip|post(?:al)?)(?:\s?code)?|st?ates?|ad+res+e?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))? | |
6208 | replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail|bostads|wohn)<ANDOR>?){0,3}\s?(?:ad+res+[es]{0,2}|location|endere[\xe7]o)(?:\sline)?(?:\s[0-9])? | |
6209 | replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|user|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:<ANDOR>ad+res+)? | |
6210 | replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one?)?|(?:ph|f)one|private)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s?<NUMBER>)?<ANDOR>?){1,3} | |
6211 | replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|(?:user )?email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)<ANDOR>?){1,3} | |
 | # NOTE(review): in FF_L1 the group in work(?:ing)\s?experience is not optional, so "work experience" is not matched; (?:ing)? was probably intended - confirm against upstream. | |
 | # NOTE(review): need(ed)? in FF_L1 is the one capturing group among these fragments; the others use (?:...). | |
6212 | replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?s?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf|zaw(?:=F3|[\xf3])d) | |
6213 | replace_tag FF_F1 (?:(?:bank(?:ing)?|beneficiary|billing|acc(?:oun)?t|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|institution|a\/c|<NUMBER>)<ANDOR>?){1,3} | |
6214 | replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(?:en[sc]e)?|pas+\s?port|id\scard|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?)<ANDOR>?){1,3}(?:\s<NUMBER>)? | |
6215 | replace_tag FF_F3 (?:picture|zdj\scie|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|(?:e-?mail\s)?pas+word|e-?mai?l\sid|amount\s[\w\s]{0,30}lost[\w\s]{0,15}) | |
6216 | replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names? | |
6217 | replace_tag FF_F5 (?:ref(?:erence)?|batch|win+ing|award|billet)[-\s]?<NUMBER> | |
6218 | replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>|<FF_L1>) | |
6219 | replace_rules __FILL_THIS_FORM_LONG1 | |
6220 | replace_rules __FILL_THIS_FORM_LONG2 | |
6221 | replace_rules __FILL_THIS_FORM_PARTIAL | |
6222 | replace_rules __FILL_THIS_FORM_PARTIAL_RAW | |
6223 | replace_rules __FILL_THIS_FORM_SHORT1 | |
6224 | replace_rules __FILL_THIS_FORM_SHORT2 | |
6225 | replace_rules __FILL_THIS_FORM_LOAN1 | |
6226 | replace_rules __FILL_THIS_FORM_FRAUD_PHISH1 | |
 | # CURRENCY, GB_UK, NUM_NOT_DATE and NUM_NOT_DATE_IP precede the __LOTSA_MONEY_ rules, which presumably use them. | |
 | # The negative lookaheads in NUM_NOT_DATE and NUM_NOT_DATE_IP reject digit runs shaped like dotted dates or dotted quads. | |
6227 | replace_tag CURRENCY (?:[\(\[]?(?:\bU[Ss][D\$]{0,2}|\$(?:US)?|usd|USD|CAD|GBP|=[Aa][34]|\xa3|&\#16[34];|(?i:pounds\ssterling)|\xa4|EUR(?:OS?)?|(?:d')?[Ee]uro?s?|(?i:eur)\sde|CHF|FCFA|d[\xf3]lares\sde\slos\sE+\.\s?U+\.)[\]\)]?) | |
6228 | replace_tag GB_UK \b(?:U\.?K\.?|(?:Great\s)?Brit(?:ain|ish)|G\.?B\.?)\b | |
6229 | replace_tag NUM_NOT_DATE [1-9](?!\d\d\d\.\d\d\.\d\d\s)(?!\d?\.\d\d?\.\d\d\d\d\s) | |
6230 | replace_tag NUM_NOT_DATE_IP <NUM_NOT_DATE>(?!\d{0,2}(?:\.0|\.[1-2]\d{0,2}){3}(?:\D|$)) | |
6231 | replace_rules __LOTSA_MONEY_00 __LOTSA_MONEY_01 __LOTSA_MONEY_02 __LOTSA_MONEY_03 __LOTSA_MONEY_04 | |
6232 | replace_tag PERCENT \b(?:\d\d|ten|[a-z]+teen|(?:twen|thir|fou?r|fif)ty(?:-?[a-z]+)?)\s?(?:%|percent) | |
6233 | replace_rules __PCT_FOR_YOU_1 __PCT_FOR_YOU_2 __PCT_FOR_YOU_3 __PCT_OF_PMTS | |
6234 | replace_rules T_FUZZY_OPTOUT | |
6235 | replace_rules __FRT_PRICE | |
6236 | replace_rules FUZZY_UNSUBSCRIBE | |
6237 | replace_rules FUZZY_ANDROID | |
6238 | replace_rules FUZZY_PROMOTION | |
6239 | replace_rules FUZZY_PRIVACY | |
6240 | replace_rules FUZZY_BROWSER | |
6241 | replace_rules FUZZY_SAVINGS | |
6242 | replace_rules FUZZY_IMPORTANT | |
6243 | replace_rules FUZZY_SECURITY | |
6244 | replace_rules __FUZZY_DR_OZ | |
6245 | replace_rules FUZZY_CLICK_HERE | |
6246 | replace_rules FUZZY_BITCOIN | |
6247 | replace_rules __BITCOIN | |
6248 | replace_rules FUZZY_WALLET | |
6249 | replace_rules __FUZZY_MONERO | |
6250 | replace_rules __FUZZY_WELLSFARGO_BODY | |
6251 | replace_rules __FUZZY_WELLSFARGO_FROM | |
6252 | replace_rules __FUZZY_PORN | |
 | # Brand-name rules (FUZZY_AMAZON through FUZZY_OVERSTOCK) are registered for tag expansion here. | |
 | # NOTE(review): the FUZZY_ prefix suggests obfuscated spellings of the brand name are matched - confirm in the rule definitions. | |
6253 | replace_rules FUZZY_AMAZON | |
6254 | replace_rules FUZZY_APPLE | |
6255 | replace_rules FUZZY_MICROSOFT | |
6256 | replace_rules FUZZY_FACEBOOK | |
6257 | replace_rules FUZZY_PAYPAL | |
6258 | replace_rules FUZZY_NORTON | |
6259 | replace_rules FUZZY_OVERSTOCK | |
 | # NOTE(review): names from __MY_VICTIM to __HOURS_DEADLINE read like the phrase set of extortion mail - confirm against the rule bodies before tuning scores. | |
6260 | replace_rules __MY_VICTIM | |
6261 | replace_rules __MY_MALWARE | |
6262 | replace_rules __PAY_ME | |
6263 | replace_rules __YOUR_PASSWORD | |
6264 | replace_rules __YOUR_WEBCAM | |
6265 | replace_rules __YOUR_ONAN | |
6266 | replace_rules __YOUR_PERSONAL | |
6267 | replace_rules __HOURS_DEADLINE | |
6268 | replace_rules __EXPLOSIVE_DEVICE | |
6269 | replace_rules T_LFUZ_PWRMALE | |
6270 | replace_rules __PDS_BTC_HACKER __PDS_BTC_PIRATE | |
6271 | reuse T_PDS_BTC_AHACKER | |
6272 | reuse T_PDS_BTC_HACKER | |
6273 | reuse T_PDS_LTC_AHACKER | |
6274 | reuse T_PDS_LTC_HACKER | |
6275 | endif | |
6276 | ##} ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox | |
6277 | ||
6278 | ##{ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox | |
6279 | ||
6280 | ifplugin Mail::SpamAssassin::Plugin::URIDNSBL | |
 | # Only a reuse line appears here; URIBL_RHS_DOB itself, with its lookup zone and score, is defined elsewhere in the file. | |
6281 | reuse URIBL_RHS_DOB | |
6282 | endif | |
6283 | ##} ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox | |
6284 | ||
6285 | ##{ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox | |
6286 | ||
6287 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
6288 | if (version >= 3.004000) | |
6289 | enlist_uri_host (PDS_CASHSHORTENER) cutpaid.com | |
6290 | enlist_uri_host (PDS_CASHSHORTENER) caat.site | |
6291 | enlist_uri_host (PDS_CASHSHORTENER) triabicia.com | |
6292 | enlist_uri_host (PDS_CASHSHORTENER) 2xs.io | |
6293 | enlist_uri_host (PDS_CASHSHORTENER) ocest.site | |
6294 | enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz | |
6295 | enlist_uri_host (PDS_CASHSHORTENER) waar.site | |
6296 | enlist_uri_host (PDS_CASHSHORTENER) cpmlink.net | |
6297 | enlist_uri_host (PDS_CASHSHORTENER) cowner.net | |
6298 | enlist_uri_host (PDS_CASHSHORTENER) adfoc.us | |
6299 | enlist_uri_host (PDS_CASHSHORTENER) shrinkhere.xyz | |
6300 | enlist_uri_host (PDS_CASHSHORTENER) gurl.pw | |
6301 | enlist_uri_host (PDS_CASHSHORTENER) shortearn.eu | |
6302 | enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz | |
6303 | enlist_uri_host (PDS_CASHSHORTENER) libittarc.com | |
6304 | enlist_uri_host (PDS_CASHSHORTENER) pc.cd | |
6305 | enlist_uri_host (PDS_CASHSHORTENER) fc.lc | |
6306 | enlist_uri_host (PDS_CASHSHORTENER) dares.xyz | |
6307 | enlist_uri_host (PDS_CASHSHORTENER) trendlouds.com | |
6308 | enlist_uri_host (PDS_CASHSHORTENER) yogaf.xyz | |
6309 | enlist_uri_host (PDS_CASHSHORTENER) cobs.xyz | |
6310 | enlist_uri_host (PDS_CASHSHORTENER) olnew.xyz | |
6311 | enlist_uri_host (PDS_CASHSHORTENER) cleft.xyz | |
6312 | enlist_uri_host (PDS_CASHSHORTENER) 7r6.com | |
6313 | enlist_uri_host (PDS_CASHSHORTENER) mitly.us | |
6314 | enlist_uri_host (PDS_CASHSHORTENER) kutpay.com | |
6315 | enlist_uri_host (PDS_CASHSHORTENER) gsurl.me | |
6316 | enlist_uri_host (PDS_CASHSHORTENER) gurl.ly | |
6317 | enlist_uri_host (PDS_CASHSHORTENER) gsurl.in | |
6318 | enlist_uri_host (PDS_CASHSHORTENER) acitoate.com | |
6319 | enlist_uri_host (PDS_CASHSHORTENER) aclabink.com | |
6320 | enlist_uri_host (PDS_CASHSHORTENER) activeation.com | |
6321 | enlist_uri_host (PDS_CASHSHORTENER) activeterium.com | |
6322 | enlist_uri_host (PDS_CASHSHORTENER) adflyforum.com | |
6323 | enlist_uri_host (PDS_CASHSHORTENER) adflymail.com | |
6324 | enlist_uri_host (PDS_CASHSHORTENER) adult.xyz | |
6325 | enlist_uri_host (PDS_CASHSHORTENER) agileurbia.com | |
6326 | enlist_uri_host (PDS_CASHSHORTENER) atomcurve.com | |
6327 | enlist_uri_host (PDS_CASHSHORTENER) ay.gy | |
6328 | enlist_uri_host (PDS_CASHSHORTENER) battleate.com | |
6329 | enlist_uri_host (PDS_CASHSHORTENER) biastonu.com | |
6330 | enlist_uri_host (PDS_CASHSHORTENER) bitigee.com | |
6331 | enlist_uri_host (PDS_CASHSHORTENER) briskrange.com | |
6332 | enlist_uri_host (PDS_CASHSHORTENER) brisktopia.com | |
6333 | enlist_uri_host (PDS_CASHSHORTENER) casualient.com | |
6334 | enlist_uri_host (PDS_CASHSHORTENER) clesolea.com | |
6335 | enlist_uri_host (PDS_CASHSHORTENER) code404.biz | |
6336 | enlist_uri_host (PDS_CASHSHORTENER) coginator.com | |
6337 | enlist_uri_host (PDS_CASHSHORTENER) cogismith.com | |
6338 | enlist_uri_host (PDS_CASHSHORTENER) covelign.com | |
6339 | enlist_uri_host (PDS_CASHSHORTENER) crefranek.com | |
6340 | enlist_uri_host (PDS_CASHSHORTENER) dashsphere.com | |
6341 | enlist_uri_host (PDS_CASHSHORTENER) dataurbia.com | |
6342 | enlist_uri_host (PDS_CASHSHORTENER) deciomm.com | |
6343 | enlist_uri_host (PDS_CASHSHORTENER) ducolomal.com | |
6344 | enlist_uri_host (PDS_CASHSHORTENER) east-jones.com | |
6345 | enlist_uri_host (PDS_CASHSHORTENER) ecleneue.com | |
6346 | enlist_uri_host (PDS_CASHSHORTENER) ellevolaw.com | |
6347 | enlist_uri_host (PDS_CASHSHORTENER) endroudo.com | |
6348 | enlist_uri_host (PDS_CASHSHORTENER) eunsetee.com | |
6349 | enlist_uri_host (PDS_CASHSHORTENER) fainbory.com | |
6350 | enlist_uri_host (PDS_CASHSHORTENER) fasttory.com | |
6351 | enlist_uri_host (PDS_CASHSHORTENER) fawright.com | |
6352 | enlist_uri_host (PDS_CASHSHORTENER) flyserve.co | |
6353 | enlist_uri_host (PDS_CASHSHORTENER) greponozy.com | |
6354 | enlist_uri_host (PDS_CASHSHORTENER) homoluath.com | |
6355 | enlist_uri_host (PDS_CASHSHORTENER) hopigrarn.com | |
6356 | enlist_uri_host (PDS_CASHSHORTENER) infopade.com | |
6357 | enlist_uri_host (PDS_CASHSHORTENER) j.gs | |
6358 | enlist_uri_host (PDS_CASHSHORTENER) kaitect.com | |
6359 | enlist_uri_host (PDS_CASHSHORTENER) kializer.com | |
6360 | enlist_uri_host (PDS_CASHSHORTENER) kibuilder.com | |
6361 | enlist_uri_host (PDS_CASHSHORTENER) kimechanic.com | |
6362 | enlist_uri_host (PDS_CASHSHORTENER) kudoflow.com | |
6363 | enlist_uri_host (PDS_CASHSHORTENER) legeerook.com | |
6364 | enlist_uri_host (PDS_CASHSHORTENER) libittarc.com | |
6365 | enlist_uri_host (PDS_CASHSHORTENER) linkjaunt.com | |
6366 | enlist_uri_host (PDS_CASHSHORTENER) locinealy.com | |
6367 | enlist_uri_host (PDS_CASHSHORTENER) maetrimal.com | |
6368 | enlist_uri_host (PDS_CASHSHORTENER) metastead.com | |
6369 | enlist_uri_host (PDS_CASHSHORTENER) mmoity.com | |
6370 | enlist_uri_host (PDS_CASHSHORTENER) mondoagram.com | |
6371 | enlist_uri_host (PDS_CASHSHORTENER) neswery.com | |
6372 | enlist_uri_host (PDS_CASHSHORTENER) nimbleinity.com | |
6373 | enlist_uri_host (PDS_CASHSHORTENER) onisedeo.com | |
6374 | enlist_uri_host (PDS_CASHSHORTENER) optitopt.com | |
6375 | enlist_uri_host (PDS_CASHSHORTENER) picocurl.com | |
6376 | enlist_uri_host (PDS_CASHSHORTENER) pladollmo.com | |
6377 | enlist_uri_host (PDS_CASHSHORTENER) preofery.com | |
6378 | enlist_uri_host (PDS_CASHSHORTENER) prereheus.com | |
6379 | enlist_uri_host (PDS_CASHSHORTENER) q.gs | |
6380 | enlist_uri_host (PDS_CASHSHORTENER) quainator.com | |
6381 | enlist_uri_host (PDS_CASHSHORTENER) quamiller.com | |
6382 | enlist_uri_host (PDS_CASHSHORTENER) queuecosm.bid | |
6383 | enlist_uri_host (PDS_CASHSHORTENER) raboninco.com | |
6384 | enlist_uri_host (PDS_CASHSHORTENER) rapidteria.com | |
6385 | enlist_uri_host (PDS_CASHSHORTENER) rapidtory.com | |
6386 | enlist_uri_host (PDS_CASHSHORTENER) sapolatsu.com | |
6387 | enlist_uri_host (PDS_CASHSHORTENER) scapognel.com | |
6388 | enlist_uri_host (PDS_CASHSHORTENER) simizer.com | |
6389 | enlist_uri_host (PDS_CASHSHORTENER) skamaker.com | |
6390 | enlist_uri_host (PDS_CASHSHORTENER) skamason.com | |
6391 | enlist_uri_host (PDS_CASHSHORTENER) sluppend.com | |
6392 | enlist_uri_host (PDS_CASHSHORTENER) sprysphere.com | |
6393 | enlist_uri_host (PDS_CASHSHORTENER) streamvoyage.com | |
6394 | enlist_uri_host (PDS_CASHSHORTENER) swarife.com | |
6395 | enlist_uri_host (PDS_CASHSHORTENER) swiftation.com | |
6396 | enlist_uri_host (PDS_CASHSHORTENER) swifttopia.com | |
6397 | enlist_uri_host (PDS_CASHSHORTENER) techigo.com | |
6398 | enlist_uri_host (PDS_CASHSHORTENER) threadsphere.bid | |
6399 | enlist_uri_host (PDS_CASHSHORTENER) tinyical.com | |
6400 | enlist_uri_host (PDS_CASHSHORTENER) tonancos.com | |
6401 | enlist_uri_host (PDS_CASHSHORTENER) triabicia.com | |
6402 | enlist_uri_host (PDS_CASHSHORTENER) turboagram.com | |
6403 | enlist_uri_host (PDS_CASHSHORTENER) twineer.com | |
6404 | enlist_uri_host (PDS_CASHSHORTENER) twiriock.com | |
6405 | enlist_uri_host (PDS_CASHSHORTENER) userlab66.com | |
6406 | enlist_uri_host (PDS_CASHSHORTENER) vaugette.com | |
6407 | enlist_uri_host (PDS_CASHSHORTENER) velocicosm.com | |
6408 | enlist_uri_host (PDS_CASHSHORTENER) velociterium.com | |
6409 | enlist_uri_host (PDS_CASHSHORTENER) viahold.com | |
6410 | enlist_uri_host (PDS_CASHSHORTENER) vializer.com | |
6411 | enlist_uri_host (PDS_CASHSHORTENER) viwright.com | |
6412 | enlist_uri_host (PDS_CASHSHORTENER) whareotiv.com | |
6413 | enlist_uri_host (PDS_CASHSHORTENER) wirecellar.com | |
6414 | enlist_uri_host (PDS_CASHSHORTENER) x19.biz | |
6415 | enlist_uri_host (PDS_CASHSHORTENER) x19network.com | |
6416 | enlist_uri_host (PDS_CASHSHORTENER) yabuilder.com | |
6417 | enlist_uri_host (PDS_CASHSHORTENER) yamechanic.com | |
6418 | enlist_uri_host (PDS_CASHSHORTENER) yoalizer.com | |
6419 | enlist_uri_host (PDS_CASHSHORTENER) yobuilder.com | |
6420 | enlist_uri_host (PDS_CASHSHORTENER) yoineer.com | |
6421 | enlist_uri_host (PDS_CASHSHORTENER) yoitect.com | |
6422 | enlist_uri_host (PDS_CASHSHORTENER) zipansion.com | |
6423 | enlist_uri_host (PDS_CASHSHORTENER) zipteria.com | |
6424 | enlist_uri_host (PDS_CASHSHORTENER) zipvale.com | |
6425 | enlist_uri_host (PDS_URISHORTENER) owl.li | |
6426 | enlist_uri_host (PDS_URISHORTENER) formspring.me | |
6427 | enlist_uri_host (PDS_URISHORTENER) cc.uz | |
6428 | enlist_uri_host (PDS_URISHORTENER) back.ly | |
6429 | enlist_uri_host (PDS_URISHORTENER) surl.me | |
6430 | enlist_uri_host (PDS_URISHORTENER) mysp.ac | |
6431 | enlist_uri_host (PDS_URISHORTENER) s.apache.org | |
6432 | enlist_uri_host (PDS_URISHORTENER) 0rz.tw | |
6433 | enlist_uri_host (PDS_URISHORTENER) 1l2.us | |
6434 | enlist_uri_host (PDS_URISHORTENER) 1link.in | |
6435 | enlist_uri_host (PDS_URISHORTENER) 1u.ro | |
6436 | enlist_uri_host (PDS_URISHORTENER) 1url.com | |
6437 | enlist_uri_host (PDS_URISHORTENER) 2.gp | |
6438 | enlist_uri_host (PDS_URISHORTENER) 2.ly | |
6439 | enlist_uri_host (PDS_URISHORTENER) 2big.at | |
6440 | enlist_uri_host (PDS_URISHORTENER) 2chap.it | |
6441 | enlist_uri_host (PDS_URISHORTENER) 2pl.us | |
6442 | enlist_uri_host (PDS_URISHORTENER) 2su.de | |
6443 | enlist_uri_host (PDS_URISHORTENER) 2tu.us | |
6444 | enlist_uri_host (PDS_URISHORTENER) 2ze.us | |
6445 | enlist_uri_host (PDS_URISHORTENER) 3.ly | |
6446 | enlist_uri_host (PDS_URISHORTENER) 301.to | |
6447 | enlist_uri_host (PDS_URISHORTENER) 301url.com | |
6448 | enlist_uri_host (PDS_URISHORTENER) 307.to | |
6449 | enlist_uri_host (PDS_URISHORTENER) 4ms.me | |
6450 | enlist_uri_host (PDS_URISHORTENER) 4sq.com | |
6451 | enlist_uri_host (PDS_URISHORTENER) 4url.cc | |
6452 | enlist_uri_host (PDS_URISHORTENER) 6url.com | |
6453 | enlist_uri_host (PDS_URISHORTENER) 7.ly | |
6454 | enlist_uri_host (PDS_URISHORTENER) 9mp.com | |
6455 | enlist_uri_host (PDS_URISHORTENER) a.gd | |
6456 | enlist_uri_host (PDS_URISHORTENER) a.gg | |
6457 | enlist_uri_host (PDS_URISHORTENER) a.nf | |
6458 | enlist_uri_host (PDS_URISHORTENER) a2a.me | |
6459 | enlist_uri_host (PDS_URISHORTENER) a2n.eu | |
6460 | enlist_uri_host (PDS_URISHORTENER) aa.cx | |
6461 | enlist_uri_host (PDS_URISHORTENER) abbr.com | |
6462 | enlist_uri_host (PDS_URISHORTENER) abcurl.net | |
6463 | enlist_uri_host (PDS_URISHORTENER) abe5.com | |
6464 | enlist_uri_host (PDS_URISHORTENER) access.im | |
6465 | enlist_uri_host (PDS_URISHORTENER) ad.vu | |
6466 | enlist_uri_host (PDS_URISHORTENER) adf.ly | |
6467 | enlist_uri_host (PDS_URISHORTENER) adjix.com | |
6468 | enlist_uri_host (PDS_URISHORTENER) afx.cc | |
6469 | enlist_uri_host (PDS_URISHORTENER) all.fuseurl.com | |
6470 | enlist_uri_host (PDS_URISHORTENER) alturl.com | |
6471 | enlist_uri_host (PDS_URISHORTENER) amzn.com | |
6472 | enlist_uri_host (PDS_URISHORTENER) amzn.to | |
6473 | enlist_uri_host (PDS_URISHORTENER) ar.gy | |
6474 | enlist_uri_host (PDS_URISHORTENER) arm.in | |
6475 | enlist_uri_host (PDS_URISHORTENER) arst.ch | |
6476 | enlist_uri_host (PDS_URISHORTENER) asso.in | |
6477 | enlist_uri_host (PDS_URISHORTENER) atu.ca | |
6478 | enlist_uri_host (PDS_URISHORTENER) aurls.info | |
6479 | enlist_uri_host (PDS_URISHORTENER) awe.sm | |
6480 | enlist_uri_host (PDS_URISHORTENER) ayl.lv | |
6481 | enlist_uri_host (PDS_URISHORTENER) azc.cc | |
6482 | enlist_uri_host (PDS_URISHORTENER) azqq.com | |
6483 | enlist_uri_host (PDS_URISHORTENER) b23.ru | |
6484 | enlist_uri_host (PDS_URISHORTENER) b2l.me | |
6485 | enlist_uri_host (PDS_URISHORTENER) b65.com | |
6486 | enlist_uri_host (PDS_URISHORTENER) b65.us | |
6487 | enlist_uri_host (PDS_URISHORTENER) bacn.me | |
6488 | enlist_uri_host (PDS_URISHORTENER) bcool.bz | |
6489 | enlist_uri_host (PDS_URISHORTENER) beam.to | |
6490 | enlist_uri_host (PDS_URISHORTENER) bgl.me | |
6491 | enlist_uri_host (PDS_URISHORTENER) binged.it | |
6492 | enlist_uri_host (PDS_URISHORTENER) bit.do | |
6493 | enlist_uri_host (PDS_URISHORTENER) bit.ly | |
6494 | enlist_uri_host (PDS_URISHORTENER) bitly.com | |
6495 | enlist_uri_host (PDS_URISHORTENER) bizj.us | |
6496 | enlist_uri_host (PDS_URISHORTENER) bkite.com | |
6497 | enlist_uri_host (PDS_URISHORTENER) blippr.com | |
6498 | enlist_uri_host (PDS_URISHORTENER) bloat.me | |
6499 | enlist_uri_host (PDS_URISHORTENER) blu.cc | |
6500 | enlist_uri_host (PDS_URISHORTENER) bon.no | |
6501 | enlist_uri_host (PDS_URISHORTENER) bravo.ly | |
6502 | enlist_uri_host (PDS_URISHORTENER) bsa.ly | |
6503 | enlist_uri_host (PDS_URISHORTENER) bt.io | |
6504 | enlist_uri_host (PDS_URISHORTENER) budurl.com | |
6505 | enlist_uri_host (PDS_URISHORTENER) buff.ly | |
6506 | enlist_uri_host (PDS_URISHORTENER) buk.me | |
6507 | enlist_uri_host (PDS_URISHORTENER) burnurl.com | |
6508 | enlist_uri_host (PDS_URISHORTENER) c-o.in | |
6509 | enlist_uri_host (PDS_URISHORTENER) c.shamekh.ws | |
6510 | enlist_uri_host (PDS_URISHORTENER) canurl.com | |
6511 | enlist_uri_host (PDS_URISHORTENER) cd4.me | |
6512 | enlist_uri_host (PDS_URISHORTENER) chilp.it | |
6513 | enlist_uri_host (PDS_URISHORTENER) chopd.it | |
6514 | enlist_uri_host (PDS_URISHORTENER) chpt.me | |
6515 | enlist_uri_host (PDS_URISHORTENER) chs.mx | |
6516 | enlist_uri_host (PDS_URISHORTENER) chzb.gr | |
6517 | enlist_uri_host (PDS_URISHORTENER) cl.lk | |
6518 | enlist_uri_host (PDS_URISHORTENER) cl.ly | |
6519 | enlist_uri_host (PDS_URISHORTENER) clck.ru | |
6520 | enlist_uri_host (PDS_URISHORTENER) cli.gs | |
6521 | enlist_uri_host (PDS_URISHORTENER) cliccami.info | |
6522 | enlist_uri_host (PDS_URISHORTENER) clickthru.ca | |
6523 | enlist_uri_host (PDS_URISHORTENER) clipurl.us | |
6524 | enlist_uri_host (PDS_URISHORTENER) clk.my | |
6525 | enlist_uri_host (PDS_URISHORTENER) cloaky.de | |
6526 | enlist_uri_host (PDS_URISHORTENER) clop.in | |
6527 | enlist_uri_host (PDS_URISHORTENER) clp.ly | |
6528 | enlist_uri_host (PDS_URISHORTENER) coge.la | |
6529 | enlist_uri_host (PDS_URISHORTENER) cokeurl.com | |
6530 | enlist_uri_host (PDS_URISHORTENER) conta.cc | |
6531 | enlist_uri_host (PDS_URISHORTENER) cort.as | |
6532 | enlist_uri_host (PDS_URISHORTENER) cot.ag | |
6533 | enlist_uri_host (PDS_URISHORTENER) crks.me | |
6534 | enlist_uri_host (PDS_URISHORTENER) crum.pl | |
6535 | enlist_uri_host (PDS_URISHORTENER) ctvr.us | |
6536 | enlist_uri_host (PDS_URISHORTENER) curio.us | |
6537 | enlist_uri_host (PDS_URISHORTENER) cuthut.com | |
6538 | enlist_uri_host (PDS_URISHORTENER) cutt.us | |
6539 | enlist_uri_host (PDS_URISHORTENER) cuturl.com | |
6540 | enlist_uri_host (PDS_URISHORTENER) cuturls.com | |
6541 | enlist_uri_host (PDS_URISHORTENER) dai.ly | |
6542 | enlist_uri_host (PDS_URISHORTENER) db.tt | |
6543 | enlist_uri_host (PDS_URISHORTENER) dealspl.us | |
6544 | enlist_uri_host (PDS_URISHORTENER) decenturl.com | |
6545 | enlist_uri_host (PDS_URISHORTENER) df9.net | |
6546 | enlist_uri_host (PDS_URISHORTENER) dfl8.me | |
6547 | enlist_uri_host (PDS_URISHORTENER) digbig.com | |
6548 | enlist_uri_host (PDS_URISHORTENER) digg.com | |
6549 | enlist_uri_host (PDS_URISHORTENER) digipills.com | |
6550 | enlist_uri_host (PDS_URISHORTENER) digs.by | |
6551 | enlist_uri_host (PDS_URISHORTENER) disq.us | |
6552 | enlist_uri_host (PDS_URISHORTENER) dld.bz | |
6553 | enlist_uri_host (PDS_URISHORTENER) dlvr.it | |
6554 | enlist_uri_host (PDS_URISHORTENER) dn.vc | |
6555 | enlist_uri_host (PDS_URISHORTENER) do.my | |
6556 | enlist_uri_host (PDS_URISHORTENER) doi.org | |
6557 | enlist_uri_host (PDS_URISHORTENER) doiop.com | |
6558 | enlist_uri_host (PDS_URISHORTENER) dopen.us | |
6559 | enlist_uri_host (PDS_URISHORTENER) dr.tl | |
6560 | enlist_uri_host (PDS_URISHORTENER) drudge.tw | |
6561 | enlist_uri_host (PDS_URISHORTENER) durl.me | |
6562 | enlist_uri_host (PDS_URISHORTENER) durl.us | |
6563 | enlist_uri_host (PDS_URISHORTENER) dvlr.it | |
6564 | enlist_uri_host (PDS_URISHORTENER) dwarfurl.com | |
6565 | enlist_uri_host (PDS_URISHORTENER) easyuri.com | |
6566 | enlist_uri_host (PDS_URISHORTENER) easyurl.net | |
6567 | enlist_uri_host (PDS_URISHORTENER) eca.sh | |
6568 | enlist_uri_host (PDS_URISHORTENER) eclurl.com | |
6569 | enlist_uri_host (PDS_URISHORTENER) eepurl.com | |
6570 | enlist_uri_host (PDS_URISHORTENER) eezurl.com | |
6571 | enlist_uri_host (PDS_URISHORTENER) eweri.com | |
6572 | enlist_uri_host (PDS_URISHORTENER) ewerl.com | |
6573 | enlist_uri_host (PDS_URISHORTENER) ezurl.eu | |
6574 | enlist_uri_host (PDS_URISHORTENER) fa.by | |
6575 | enlist_uri_host (PDS_URISHORTENER) faceto.us | |
6576 | enlist_uri_host (PDS_URISHORTENER) fav.me | |
6577 | enlist_uri_host (PDS_URISHORTENER) fb.me | |
6578 | enlist_uri_host (PDS_URISHORTENER) fbshare.me | |
6579 | enlist_uri_host (PDS_URISHORTENER) ff.im | |
6580 | enlist_uri_host (PDS_URISHORTENER) fff.to | |
6581 | enlist_uri_host (PDS_URISHORTENER) fhurl.com | |
6582 | enlist_uri_host (PDS_URISHORTENER) fire.to | |
6583 | enlist_uri_host (PDS_URISHORTENER) firsturl.de | |
6584 | enlist_uri_host (PDS_URISHORTENER) firsturl.net | |
6585 | enlist_uri_host (PDS_URISHORTENER) flic.kr | |
6586 | enlist_uri_host (PDS_URISHORTENER) flingk.com | |
6587 | enlist_uri_host (PDS_URISHORTENER) flq.us | |
6588 | enlist_uri_host (PDS_URISHORTENER) fly2.ws | |
6589 | enlist_uri_host (PDS_URISHORTENER) fon.gs | |
6590 | enlist_uri_host (PDS_URISHORTENER) foxyurl.com | |
6591 | enlist_uri_host (PDS_URISHORTENER) freak.to | |
6592 | enlist_uri_host (PDS_URISHORTENER) fur.ly | |
6593 | enlist_uri_host (PDS_URISHORTENER) fuseurl.com | |
6594 | enlist_uri_host (PDS_URISHORTENER) fuzzy.to | |
6595 | enlist_uri_host (PDS_URISHORTENER) fwd4.me | |
6596 | enlist_uri_host (PDS_URISHORTENER) fwdurl.net | |
6597 | enlist_uri_host (PDS_URISHORTENER) fwib.net | |
6598 | enlist_uri_host (PDS_URISHORTENER) g.ro.lt | |
6599 | enlist_uri_host (PDS_URISHORTENER) g8l.us | |
6600 | enlist_uri_host (PDS_URISHORTENER) get-shorty.com | |
6601 | enlist_uri_host (PDS_URISHORTENER) get-url.com | |
6602 | enlist_uri_host (PDS_URISHORTENER) get.sh | |
6603 | enlist_uri_host (PDS_URISHORTENER) geturl.us | |
6604 | enlist_uri_host (PDS_URISHORTENER) gg.gg | |
6605 | enlist_uri_host (PDS_URISHORTENER) gi.vc | |
6606 | enlist_uri_host (PDS_URISHORTENER) gizmo.do | |
6607 | enlist_uri_host (PDS_URISHORTENER) gkurl.us | |
6608 | enlist_uri_host (PDS_URISHORTENER) gl.am | |
6609 | enlist_uri_host (PDS_URISHORTENER) go.9nl.com | |
6610 | enlist_uri_host (PDS_URISHORTENER) go.ign.com | |
6611 | enlist_uri_host (PDS_URISHORTENER) go.to | |
6612 | enlist_uri_host (PDS_URISHORTENER) go.usa.gov | |
6613 | enlist_uri_host (PDS_URISHORTENER) go2.me | |
6614 | enlist_uri_host (PDS_URISHORTENER) gog.li | |
6615 | enlist_uri_host (PDS_URISHORTENER) golmao.com | |
6616 | enlist_uri_host (PDS_URISHORTENER) goo.gl | |
6617 | enlist_uri_host (PDS_URISHORTENER) goo.io | |
6618 | enlist_uri_host (PDS_URISHORTENER) good.ly | |
6619 | enlist_uri_host (PDS_URISHORTENER) goshrink.com | |
6620 | enlist_uri_host (PDS_URISHORTENER) gplus.to | |
6621 | enlist_uri_host (PDS_URISHORTENER) gri.ms | |
6622 | enlist_uri_host (PDS_URISHORTENER) gurl.es | |
6623 | enlist_uri_host (PDS_URISHORTENER) hao.jp | |
6624 | enlist_uri_host (PDS_URISHORTENER) hellotxt.com | |
6625 | enlist_uri_host (PDS_URISHORTENER) hex.io | |
6626 | enlist_uri_host (PDS_URISHORTENER) hiderefer.com | |
6627 | enlist_uri_host (PDS_URISHORTENER) hmm.ph | |
6628 | enlist_uri_host (PDS_URISHORTENER) hop.im | |
6629 | enlist_uri_host (PDS_URISHORTENER) hop.kz | |
6630 | enlist_uri_host (PDS_URISHORTENER) hopclicks.com | |
6631 | enlist_uri_host (PDS_URISHORTENER) hotredirect.com | |
6632 | enlist_uri_host (PDS_URISHORTENER) hotshorturl.com | |
6633 | enlist_uri_host (PDS_URISHORTENER) href.in | |
6634 | enlist_uri_host (PDS_URISHORTENER) hsblinks.com | |
6635 | enlist_uri_host (PDS_URISHORTENER) ht.ly | |
6636 | enlist_uri_host (PDS_URISHORTENER) htxt.it | |
6637 | enlist_uri_host (PDS_URISHORTENER) hub.am | |
6638 | enlist_uri_host (PDS_URISHORTENER) huff.to | |
6639 | enlist_uri_host (PDS_URISHORTENER) hugeurl.com | |
# NOTE(review): this enlists a whole domain that presumably also serves ordinary, non-shortened links; rules keyed on PDS_URISHORTENER may then hit legitimate mail. Confirm the entry is intended and that scoring tolerates it.
6640 | enlist_uri_host (PDS_URISHORTENER) hulu.com | |
6641 | enlist_uri_host (PDS_URISHORTENER) hurl.it | |
6642 | enlist_uri_host (PDS_URISHORTENER) hurl.me | |
6643 | enlist_uri_host (PDS_URISHORTENER) hurl.no | |
6644 | enlist_uri_host (PDS_URISHORTENER) hurl.ws | |
6645 | enlist_uri_host (PDS_URISHORTENER) icanhaz.com | |
6646 | enlist_uri_host (PDS_URISHORTENER) icio.us | |
6647 | enlist_uri_host (PDS_URISHORTENER) idek.net | |
6648 | enlist_uri_host (PDS_URISHORTENER) ikr.me | |
6649 | enlist_uri_host (PDS_URISHORTENER) ilix.in | |
6650 | enlist_uri_host (PDS_URISHORTENER) inx.lv | |
6651 | enlist_uri_host (PDS_URISHORTENER) ir.pe | |
6652 | enlist_uri_host (PDS_URISHORTENER) irt.me | |
6653 | enlist_uri_host (PDS_URISHORTENER) is.gd | |
6654 | enlist_uri_host (PDS_URISHORTENER) iscool.net | |
6655 | enlist_uri_host (PDS_URISHORTENER) it2.in | |
6656 | enlist_uri_host (PDS_URISHORTENER) ito.mx | |
6657 | enlist_uri_host (PDS_URISHORTENER) its.my | |
6658 | enlist_uri_host (PDS_URISHORTENER) itsy.it | |
6659 | enlist_uri_host (PDS_URISHORTENER) ix.lt | |
6660 | enlist_uri_host (PDS_URISHORTENER) j.mp | |
6661 | enlist_uri_host (PDS_URISHORTENER) j2j.de | |
6662 | enlist_uri_host (PDS_URISHORTENER) jdem.cz | |
6663 | enlist_uri_host (PDS_URISHORTENER) jijr.com | |
6664 | enlist_uri_host (PDS_URISHORTENER) just.as | |
6665 | enlist_uri_host (PDS_URISHORTENER) k.vu | |
6666 | enlist_uri_host (PDS_URISHORTENER) k6.kz | |
6667 | enlist_uri_host (PDS_URISHORTENER) ketkp.in | |
6668 | enlist_uri_host (PDS_URISHORTENER) kisa.ch | |
6669 | enlist_uri_host (PDS_URISHORTENER) kissa.be | |
6670 | enlist_uri_host (PDS_URISHORTENER) kl.am | |
6671 | enlist_uri_host (PDS_URISHORTENER) klck.me | |
6672 | enlist_uri_host (PDS_URISHORTENER) kore.us | |
6673 | enlist_uri_host (PDS_URISHORTENER) korta.nu | |
6674 | enlist_uri_host (PDS_URISHORTENER) kots.nu | |
6675 | enlist_uri_host (PDS_URISHORTENER) krunchd.com | |
6676 | enlist_uri_host (PDS_URISHORTENER) krz.ch | |
6677 | enlist_uri_host (PDS_URISHORTENER) ktzr.us | |
6678 | enlist_uri_host (PDS_URISHORTENER) kxk.me | |
6679 | enlist_uri_host (PDS_URISHORTENER) l.hh.de | |
6680 | enlist_uri_host (PDS_URISHORTENER) l.pr | |
6681 | enlist_uri_host (PDS_URISHORTENER) l9k.net | |
6682 | enlist_uri_host (PDS_URISHORTENER) lat.ms | |
6683 | enlist_uri_host (PDS_URISHORTENER) liip.to | |
6684 | enlist_uri_host (PDS_URISHORTENER) liltext.com | |
6685 | enlist_uri_host (PDS_URISHORTENER) lin.cr | |
6686 | enlist_uri_host (PDS_URISHORTENER) lin.io | |
6687 | enlist_uri_host (PDS_URISHORTENER) linkbee.com | |
6688 | enlist_uri_host (PDS_URISHORTENER) linkbun.ch | |
6689 | enlist_uri_host (PDS_URISHORTENER) linkee.com | |
6690 | enlist_uri_host (PDS_URISHORTENER) linkgap.com | |
6691 | enlist_uri_host (PDS_URISHORTENER) linkslice.com | |
6692 | enlist_uri_host (PDS_URISHORTENER) linxfix.de | |
6693 | enlist_uri_host (PDS_URISHORTENER) liteurl.net | |
6694 | enlist_uri_host (PDS_URISHORTENER) liurl.cn | |
6695 | enlist_uri_host (PDS_URISHORTENER) livesi.de | |
6696 | enlist_uri_host (PDS_URISHORTENER) lix.in | |
6697 | enlist_uri_host (PDS_URISHORTENER) lk.ht | |
6698 | enlist_uri_host (PDS_URISHORTENER) ln-s.net | |
6699 | enlist_uri_host (PDS_URISHORTENER) ln-s.ru | |
6700 | enlist_uri_host (PDS_URISHORTENER) lnk.by | |
6701 | enlist_uri_host (PDS_URISHORTENER) lnk.gd | |
6702 | enlist_uri_host (PDS_URISHORTENER) lnk.in | |
6703 | enlist_uri_host (PDS_URISHORTENER) lnk.ly | |
6704 | enlist_uri_host (PDS_URISHORTENER) lnk.ms | |
6705 | enlist_uri_host (PDS_URISHORTENER) lnk.sk | |
6706 | enlist_uri_host (PDS_URISHORTENER) lnkd.in | |
6707 | enlist_uri_host (PDS_URISHORTENER) lnkurl.com | |
6708 | enlist_uri_host (PDS_URISHORTENER) loopt.us | |
6709 | enlist_uri_host (PDS_URISHORTENER) lost.in | |
6710 | enlist_uri_host (PDS_URISHORTENER) lru.jp | |
6711 | enlist_uri_host (PDS_URISHORTENER) lt.tl | |
6712 | enlist_uri_host (PDS_URISHORTENER) lu.to | |
6713 | enlist_uri_host (PDS_URISHORTENER) lurl.no | |
6714 | enlist_uri_host (PDS_URISHORTENER) macte.ch | |
6715 | enlist_uri_host (PDS_URISHORTENER) mash.to | |
6716 | enlist_uri_host (PDS_URISHORTENER) mavrev.com | |
6717 | enlist_uri_host (PDS_URISHORTENER) mcaf.ee | |
6718 | enlist_uri_host (PDS_URISHORTENER) memurl.com | |
6719 | enlist_uri_host (PDS_URISHORTENER) merky.de | |
6720 | enlist_uri_host (PDS_URISHORTENER) metamark.net | |
6721 | enlist_uri_host (PDS_URISHORTENER) migre.me | |
6722 | enlist_uri_host (PDS_URISHORTENER) min2.me | |
6723 | enlist_uri_host (PDS_URISHORTENER) minilien.com | |
6724 | enlist_uri_host (PDS_URISHORTENER) minilink.org | |
6725 | enlist_uri_host (PDS_URISHORTENER) miniurl.com | |
6726 | enlist_uri_host (PDS_URISHORTENER) minurl.fr | |
6727 | enlist_uri_host (PDS_URISHORTENER) mke.me | |
6728 | enlist_uri_host (PDS_URISHORTENER) moby.to | |
6729 | enlist_uri_host (PDS_URISHORTENER) moourl.com | |
6730 | enlist_uri_host (PDS_URISHORTENER) mrte.ch | |
6731 | enlist_uri_host (PDS_URISHORTENER) msg.sg | |
6732 | enlist_uri_host (PDS_URISHORTENER) murl.kz | |
6733 | enlist_uri_host (PDS_URISHORTENER) mv2.me | |
6734 | enlist_uri_host (PDS_URISHORTENER) myloc.me | |
6735 | enlist_uri_host (PDS_URISHORTENER) mysp.in | |
6736 | enlist_uri_host (PDS_URISHORTENER) myurl.in | |
6737 | enlist_uri_host (PDS_URISHORTENER) myurl.si | |
6738 | enlist_uri_host (PDS_URISHORTENER) n.pr | |
6739 | enlist_uri_host (PDS_URISHORTENER) nanoref.com | |
6740 | enlist_uri_host (PDS_URISHORTENER) nanourl.se | |
6741 | enlist_uri_host (PDS_URISHORTENER) nbc.co | |
6742 | enlist_uri_host (PDS_URISHORTENER) nblo.gs | |
6743 | enlist_uri_host (PDS_URISHORTENER) nbx.ch | |
6744 | enlist_uri_host (PDS_URISHORTENER) ncane.com | |
6745 | enlist_uri_host (PDS_URISHORTENER) ndurl.com | |
6746 | enlist_uri_host (PDS_URISHORTENER) ne1.net | |
6747 | enlist_uri_host (PDS_URISHORTENER) netnet.me | |
6748 | enlist_uri_host (PDS_URISHORTENER) netshortcut.com | |
6749 | enlist_uri_host (PDS_URISHORTENER) ni.to | |
6750 | enlist_uri_host (PDS_URISHORTENER) nig.gr | |
6751 | enlist_uri_host (PDS_URISHORTENER) nm.ly | |
6752 | enlist_uri_host (PDS_URISHORTENER) nn.nf | |
6753 | enlist_uri_host (PDS_URISHORTENER) not.my | |
6754 | enlist_uri_host (PDS_URISHORTENER) notlong.com | |
6755 | enlist_uri_host (PDS_URISHORTENER) nsfw.in | |
6756 | enlist_uri_host (PDS_URISHORTENER) nutshellurl.com | |
6757 | enlist_uri_host (PDS_URISHORTENER) nxy.in | |
6758 | enlist_uri_host (PDS_URISHORTENER) nyti.ms | |
6759 | enlist_uri_host (PDS_URISHORTENER) o-x.fr | |
6760 | enlist_uri_host (PDS_URISHORTENER) o.ly | |
6761 | enlist_uri_host (PDS_URISHORTENER) oboeyasui.com | |
6762 | enlist_uri_host (PDS_URISHORTENER) oc1.us | |
6763 | enlist_uri_host (PDS_URISHORTENER) offur.com | |
6764 | enlist_uri_host (PDS_URISHORTENER) ofl.me | |
6765 | enlist_uri_host (PDS_URISHORTENER) om.ly | |
6766 | enlist_uri_host (PDS_URISHORTENER) omf.gd | |
6767 | enlist_uri_host (PDS_URISHORTENER) omoikane.net | |
6768 | enlist_uri_host (PDS_URISHORTENER) on.cnn.com | |
6769 | enlist_uri_host (PDS_URISHORTENER) on.mktw.net | |
6770 | enlist_uri_host (PDS_URISHORTENER) onecent.us | |
6771 | enlist_uri_host (PDS_URISHORTENER) onforb.es | |
6772 | enlist_uri_host (PDS_URISHORTENER) onion.com | |
6773 | enlist_uri_host (PDS_URISHORTENER) onsaas.info | |
6774 | enlist_uri_host (PDS_URISHORTENER) ooqx.com | |
6775 | enlist_uri_host (PDS_URISHORTENER) oreil.ly | |
6776 | enlist_uri_host (PDS_URISHORTENER) orz.se | |
6777 | enlist_uri_host (PDS_URISHORTENER) ow.ly | |
6778 | enlist_uri_host (PDS_URISHORTENER) oxyz.info | |
6779 | enlist_uri_host (PDS_URISHORTENER) p.ly | |
6780 | enlist_uri_host (PDS_URISHORTENER) p8g.tw | |
6781 | enlist_uri_host (PDS_URISHORTENER) parv.us | |
6782 | enlist_uri_host (PDS_URISHORTENER) paulding.net | |
6783 | enlist_uri_host (PDS_URISHORTENER) pduda.mobi | |
6784 | enlist_uri_host (PDS_URISHORTENER) peaurl.com | |
6785 | enlist_uri_host (PDS_URISHORTENER) pendek.in | |
6786 | enlist_uri_host (PDS_URISHORTENER) pep.si | |
6787 | enlist_uri_host (PDS_URISHORTENER) pic.gd | |
6788 | enlist_uri_host (PDS_URISHORTENER) piko.me | |
6789 | enlist_uri_host (PDS_URISHORTENER) ping.fm | |
6790 | enlist_uri_host (PDS_URISHORTENER) piurl.com | |
6791 | enlist_uri_host (PDS_URISHORTENER) pli.gs | |
6792 | enlist_uri_host (PDS_URISHORTENER) plumurl.com | |
6793 | enlist_uri_host (PDS_URISHORTENER) plurl.me | |
6794 | enlist_uri_host (PDS_URISHORTENER) pnt.me | |
6795 | enlist_uri_host (PDS_URISHORTENER) politi.co | |
6796 | enlist_uri_host (PDS_URISHORTENER) poll.fm | |
6797 | enlist_uri_host (PDS_URISHORTENER) pop.ly | |
6798 | enlist_uri_host (PDS_URISHORTENER) poprl.com | |
6799 | enlist_uri_host (PDS_URISHORTENER) post.ly | |
6800 | enlist_uri_host (PDS_URISHORTENER) posted.at | |
6801 | enlist_uri_host (PDS_URISHORTENER) pp.gg | |
6802 | enlist_uri_host (PDS_URISHORTENER) profile.to | |
6803 | enlist_uri_host (PDS_URISHORTENER) pt2.me | |
6804 | enlist_uri_host (PDS_URISHORTENER) ptiturl.com | |
6805 | enlist_uri_host (PDS_URISHORTENER) pub.vitrue.com | |
6806 | enlist_uri_host (PDS_URISHORTENER) puke.it | |
6807 | enlist_uri_host (PDS_URISHORTENER) pysper.com | |
6808 | enlist_uri_host (PDS_URISHORTENER) qik.li | |
6809 | enlist_uri_host (PDS_URISHORTENER) qlnk.net | |
6810 | enlist_uri_host (PDS_URISHORTENER) qoiob.com | |
6811 | enlist_uri_host (PDS_URISHORTENER) qr.cx | |
6812 | enlist_uri_host (PDS_URISHORTENER) qte.me | |
6813 | enlist_uri_host (PDS_URISHORTENER) qu.tc | |
6814 | enlist_uri_host (PDS_URISHORTENER) quickurl.co.uk | |
6815 | enlist_uri_host (PDS_URISHORTENER) qurl.com | |
6816 | enlist_uri_host (PDS_URISHORTENER) qurlyq.com | |
6817 | enlist_uri_host (PDS_URISHORTENER) quu.nu | |
6818 | enlist_uri_host (PDS_URISHORTENER) qux.in | |
6819 | enlist_uri_host (PDS_URISHORTENER) qy.fi | |
6820 | enlist_uri_host (PDS_URISHORTENER) r.im | |
6821 | enlist_uri_host (PDS_URISHORTENER) rb6.me | |
6822 | enlist_uri_host (PDS_URISHORTENER) rde.me | |
6823 | enlist_uri_host (PDS_URISHORTENER) read.bi | |
6824 | enlist_uri_host (PDS_URISHORTENER) readthis.ca | |
6825 | enlist_uri_host (PDS_URISHORTENER) reallytinyurl.com | |
6826 | enlist_uri_host (PDS_URISHORTENER) redir.ec | |
6827 | enlist_uri_host (PDS_URISHORTENER) redirects.ca | |
6828 | enlist_uri_host (PDS_URISHORTENER) redirx.com | |
6829 | enlist_uri_host (PDS_URISHORTENER) relyt.us | |
6830 | enlist_uri_host (PDS_URISHORTENER) retwt.me | |
6831 | enlist_uri_host (PDS_URISHORTENER) ri.ms | |
6832 | enlist_uri_host (PDS_URISHORTENER) rickroll.it | |
6833 | enlist_uri_host (PDS_URISHORTENER) rivva.de | |
6834 | enlist_uri_host (PDS_URISHORTENER) riz.gd | |
6835 | enlist_uri_host (PDS_URISHORTENER) rly.cc | |
6836 | enlist_uri_host (PDS_URISHORTENER) rnk.me | |
6837 | enlist_uri_host (PDS_URISHORTENER) rsmonkey.com | |
6838 | enlist_uri_host (PDS_URISHORTENER) rt.nu | |
6839 | enlist_uri_host (PDS_URISHORTENER) ru.ly | |
6840 | enlist_uri_host (PDS_URISHORTENER) rubyurl.com | |
6841 | enlist_uri_host (PDS_URISHORTENER) rurl.org | |
6842 | enlist_uri_host (PDS_URISHORTENER) rww.tw | |
6843 | enlist_uri_host (PDS_URISHORTENER) s.gnoss.us | |
6844 | enlist_uri_host (PDS_URISHORTENER) s3nt.com | |
6845 | enlist_uri_host (PDS_URISHORTENER) s4c.in | |
6846 | enlist_uri_host (PDS_URISHORTENER) s7y.us | |
6847 | enlist_uri_host (PDS_URISHORTENER) safe.mn | |
6848 | enlist_uri_host (PDS_URISHORTENER) safelinks.ru | |
6849 | enlist_uri_host (PDS_URISHORTENER) sai.ly | |
6850 | enlist_uri_host (PDS_URISHORTENER) sameurl.com | |
6851 | enlist_uri_host (PDS_URISHORTENER) sdut.us | |
6852 | enlist_uri_host (PDS_URISHORTENER) sed.cx | |
# NOTE(review): looks like an organisation's main domain rather than a dedicated shortener host; presumably every URI under it counts as a PDS_URISHORTENER hit. Verify the false-positive impact, or narrow the entry to the redirecting host.
6853 | enlist_uri_host (PDS_URISHORTENER) sfu.ca | |
6854 | enlist_uri_host (PDS_URISHORTENER) shadyurl.com | |
6855 | enlist_uri_host (PDS_URISHORTENER) shar.es | |
6856 | enlist_uri_host (PDS_URISHORTENER) shim.net | |
6857 | enlist_uri_host (PDS_URISHORTENER) shink.de | |
6858 | enlist_uri_host (PDS_URISHORTENER) shorl.com | |
6859 | enlist_uri_host (PDS_URISHORTENER) short.ie | |
6860 | enlist_uri_host (PDS_URISHORTENER) short.to | |
6861 | enlist_uri_host (PDS_URISHORTENER) shorten.ws | |
6862 | enlist_uri_host (PDS_URISHORTENER) shortenurl.com | |
6863 | enlist_uri_host (PDS_URISHORTENER) shorterlink.com | |
6864 | enlist_uri_host (PDS_URISHORTENER) shortio.com | |
6865 | enlist_uri_host (PDS_URISHORTENER) shortlinks.co.uk | |
6866 | enlist_uri_host (PDS_URISHORTENER) shortly.nl | |
6867 | enlist_uri_host (PDS_URISHORTENER) shortn.me | |
6868 | enlist_uri_host (PDS_URISHORTENER) shortna.me | |
6869 | enlist_uri_host (PDS_URISHORTENER) shortr.me | |
6870 | enlist_uri_host (PDS_URISHORTENER) shorturl.com | |
6871 | enlist_uri_host (PDS_URISHORTENER) shortz.me | |
6872 | enlist_uri_host (PDS_URISHORTENER) shoturl.us | |
6873 | enlist_uri_host (PDS_URISHORTENER) shout.to | |
6874 | enlist_uri_host (PDS_URISHORTENER) show.my | |
# NOTE(review): "shredu" has no TLD and looks like a truncated copy of the shredurl.com entry on the next line; as written it presumably never matches a real URI host. Confirm, then drop or correct it.
6875 | enlist_uri_host (PDS_URISHORTENER) shredu | |
6876 | enlist_uri_host (PDS_URISHORTENER) shredurl.com | |
6877 | enlist_uri_host (PDS_URISHORTENER) shrinkify.com | |
6878 | enlist_uri_host (PDS_URISHORTENER) shrinkr.com | |
6879 | enlist_uri_host (PDS_URISHORTENER) shrinkster.com | |
6880 | enlist_uri_host (PDS_URISHORTENER) shrinkurl.us | |
6881 | enlist_uri_host (PDS_URISHORTENER) shrt.fr | |
6882 | enlist_uri_host (PDS_URISHORTENER) shrt.st | |
6883 | enlist_uri_host (PDS_URISHORTENER) shrt.ws | |
6884 | enlist_uri_host (PDS_URISHORTENER) shrten.com | |
6885 | enlist_uri_host (PDS_URISHORTENER) shrtl.com | |
6886 | enlist_uri_host (PDS_URISHORTENER) shrtn.com | |
6887 | enlist_uri_host (PDS_URISHORTENER) shrtnd.com | |
6888 | enlist_uri_host (PDS_URISHORTENER) shrunkin.com | |
6889 | enlist_uri_host (PDS_URISHORTENER) shurl.net | |
6890 | enlist_uri_host (PDS_URISHORTENER) shw.me | |
6891 | enlist_uri_host (PDS_URISHORTENER) simurl.com | |
6892 | enlist_uri_host (PDS_URISHORTENER) simurl.net | |
6893 | enlist_uri_host (PDS_URISHORTENER) simurl.org | |
6894 | enlist_uri_host (PDS_URISHORTENER) simurl.us | |
6895 | enlist_uri_host (PDS_URISHORTENER) sitelutions.com | |
6896 | enlist_uri_host (PDS_URISHORTENER) siteo.us | |
6897 | enlist_uri_host (PDS_URISHORTENER) sl.ly | |
6898 | enlist_uri_host (PDS_URISHORTENER) slate.me | |
6899 | enlist_uri_host (PDS_URISHORTENER) slidesha.re | |
6900 | enlist_uri_host (PDS_URISHORTENER) slki.ru | |
6901 | enlist_uri_host (PDS_URISHORTENER) smallr.com | |
6902 | enlist_uri_host (PDS_URISHORTENER) smallr.net | |
6903 | enlist_uri_host (PDS_URISHORTENER) smarturl.it | |
6904 | enlist_uri_host (PDS_URISHORTENER) smfu.in | |
6905 | enlist_uri_host (PDS_URISHORTENER) smsh.me | |
6906 | enlist_uri_host (PDS_URISHORTENER) smurl.com | |
6907 | enlist_uri_host (PDS_URISHORTENER) smurl.name | |
6908 | enlist_uri_host (PDS_URISHORTENER) sn.im | |
6909 | enlist_uri_host (PDS_URISHORTENER) sn.vc | |
6910 | enlist_uri_host (PDS_URISHORTENER) snadr.it | |
6911 | enlist_uri_host (PDS_URISHORTENER) snipie.com | |
6912 | enlist_uri_host (PDS_URISHORTENER) snipr.com | |
6913 | enlist_uri_host (PDS_URISHORTENER) snipurl.com | |
6914 | enlist_uri_host (PDS_URISHORTENER) snkr.me | |
6915 | enlist_uri_host (PDS_URISHORTENER) snurl.com | |
6916 | enlist_uri_host (PDS_URISHORTENER) soo.gd | |
6917 | enlist_uri_host (PDS_URISHORTENER) song.ly | |
6918 | enlist_uri_host (PDS_URISHORTENER) sp2.ro | |
6919 | enlist_uri_host (PDS_URISHORTENER) spedr.com | |
6920 | enlist_uri_host (PDS_URISHORTENER) sqze.it | |
6921 | enlist_uri_host (PDS_URISHORTENER) srnk.net | |
6922 | enlist_uri_host (PDS_URISHORTENER) srs.li | |
6923 | enlist_uri_host (PDS_URISHORTENER) starturl.com | |
6924 | enlist_uri_host (PDS_URISHORTENER) stickurl.com | |
6925 | enlist_uri_host (PDS_URISHORTENER) stpmvt.com | |
6926 | enlist_uri_host (PDS_URISHORTENER) sturly.com | |
6927 | enlist_uri_host (PDS_URISHORTENER) su.pr | |
6928 | enlist_uri_host (PDS_URISHORTENER) surl.co.uk | |
6929 | enlist_uri_host (PDS_URISHORTENER) surl.hu | |
6930 | enlist_uri_host (PDS_URISHORTENER) surl.it | |
6931 | enlist_uri_host (PDS_URISHORTENER) t.cn | |
6932 | enlist_uri_host (PDS_URISHORTENER) t.co | |
6933 | enlist_uri_host (PDS_URISHORTENER) t.lh.com | |
6934 | enlist_uri_host (PDS_URISHORTENER) ta.gd | |
6935 | enlist_uri_host (PDS_URISHORTENER) takemyfile.com | |
6936 | enlist_uri_host (PDS_URISHORTENER) tbd.ly | |
6937 | enlist_uri_host (PDS_URISHORTENER) tcrn.ch | |
6938 | enlist_uri_host (PDS_URISHORTENER) tgr.me | |
6939 | enlist_uri_host (PDS_URISHORTENER) tgr.ph | |
6940 | enlist_uri_host (PDS_URISHORTENER) th8.us | |
6941 | enlist_uri_host (PDS_URISHORTENER) thecow.me | |
6942 | enlist_uri_host (PDS_URISHORTENER) thrdl.es | |
6943 | enlist_uri_host (PDS_URISHORTENER) tighturl.com | |
6944 | enlist_uri_host (PDS_URISHORTENER) timesurl.at | |
6945 | enlist_uri_host (PDS_URISHORTENER) tini.us | |
6946 | enlist_uri_host (PDS_URISHORTENER) tiniuri.com | |
6947 | enlist_uri_host (PDS_URISHORTENER) tiny.cc | |
6948 | enlist_uri_host (PDS_URISHORTENER) tiny.ly | |
6949 | enlist_uri_host (PDS_URISHORTENER) tiny.pl | |
6950 | enlist_uri_host (PDS_URISHORTENER) tinyarro.ws | |
6951 | enlist_uri_host (PDS_URISHORTENER) tinylink.com | |
6952 | enlist_uri_host (PDS_URISHORTENER) tinylink.in | |
6953 | enlist_uri_host (PDS_URISHORTENER) tinypl.us | |
6954 | enlist_uri_host (PDS_URISHORTENER) tinysong.com | |
6955 | enlist_uri_host (PDS_URISHORTENER) tinytw.it | |
6956 | enlist_uri_host (PDS_URISHORTENER) tinyuri.ca | |
6957 | enlist_uri_host (PDS_URISHORTENER) tinyurl.com | |
# NOTE(review): "tk." ends in a dot and names no registrable domain. It is unclear whether a whole-TLD match or a truncated host was intended; confirm how enlist_uri_host treats a trailing dot before relying on this entry.
6958 | enlist_uri_host (PDS_URISHORTENER) tk. | |
6959 | enlist_uri_host (PDS_URISHORTENER) tl.gd | |
6960 | enlist_uri_host (PDS_URISHORTENER) tllg.net | |
6961 | enlist_uri_host (PDS_URISHORTENER) tmi.me | |
6962 | enlist_uri_host (PDS_URISHORTENER) tncr.ws | |
6963 | enlist_uri_host (PDS_URISHORTENER) tnij.org | |
6964 | enlist_uri_host (PDS_URISHORTENER) tnw.to | |
6965 | enlist_uri_host (PDS_URISHORTENER) tny.com | |
# NOTE(review): "to." ends in a dot and names no registrable domain. It may be a truncated host or an attempt to list the whole TLD; either way it presumably does not match as intended. Verify and correct.
6966 | enlist_uri_host (PDS_URISHORTENER) to. | |
6967 | enlist_uri_host (PDS_URISHORTENER) to.je | |
6968 | enlist_uri_host (PDS_URISHORTENER) to.ly | |
6969 | enlist_uri_host (PDS_URISHORTENER) to.vg | |
6970 | enlist_uri_host (PDS_URISHORTENER) togoto.us | |
6971 | enlist_uri_host (PDS_URISHORTENER) totc.us | |
6972 | enlist_uri_host (PDS_URISHORTENER) toysr.us | |
6973 | enlist_uri_host (PDS_URISHORTENER) tpm.ly | |
6974 | enlist_uri_host (PDS_URISHORTENER) tr.im | |
6975 | enlist_uri_host (PDS_URISHORTENER) tr.my | |
6976 | enlist_uri_host (PDS_URISHORTENER) tra.kz | |
6977 | enlist_uri_host (PDS_URISHORTENER) traceurl.com | |
6978 | enlist_uri_host (PDS_URISHORTENER) trackurl.it | |
6979 | enlist_uri_host (PDS_URISHORTENER) trcb.me | |
6980 | enlist_uri_host (PDS_URISHORTENER) trg.li | |
6981 | enlist_uri_host (PDS_URISHORTENER) trib.al | |
6982 | enlist_uri_host (PDS_URISHORTENER) trick.ly | |
6983 | enlist_uri_host (PDS_URISHORTENER) trii.us | |
6984 | enlist_uri_host (PDS_URISHORTENER) trim.li | |
6985 | enlist_uri_host (PDS_URISHORTENER) trumpink.lt | |
6986 | enlist_uri_host (PDS_URISHORTENER) trunc.it | |
6987 | enlist_uri_host (PDS_URISHORTENER) truncurl.com | |
6988 | enlist_uri_host (PDS_URISHORTENER) tsort.us | |
6989 | enlist_uri_host (PDS_URISHORTENER) tubeurl.com | |
6990 | enlist_uri_host (PDS_URISHORTENER) turo.us | |
6991 | enlist_uri_host (PDS_URISHORTENER) tw0.us | |
6992 | enlist_uri_host (PDS_URISHORTENER) tw1.us | |
6993 | enlist_uri_host (PDS_URISHORTENER) tw2.us | |
6994 | enlist_uri_host (PDS_URISHORTENER) tw5.us | |
6995 | enlist_uri_host (PDS_URISHORTENER) tw6.us | |
6996 | enlist_uri_host (PDS_URISHORTENER) tw8.us | |
6997 | enlist_uri_host (PDS_URISHORTENER) tw9.us | |
6998 | enlist_uri_host (PDS_URISHORTENER) twa.lk | |
6999 | enlist_uri_host (PDS_URISHORTENER) tweet.me | |
7000 | enlist_uri_host (PDS_URISHORTENER) tweetburner.com | |
7001 | enlist_uri_host (PDS_URISHORTENER) tweetl.com | |
7002 | enlist_uri_host (PDS_URISHORTENER) twhub.com | |
7003 | enlist_uri_host (PDS_URISHORTENER) twi.gy | |
7004 | enlist_uri_host (PDS_URISHORTENER) twip.us | |
7005 | enlist_uri_host (PDS_URISHORTENER) twirl.at | |
7006 | enlist_uri_host (PDS_URISHORTENER) twit.ac | |
7007 | enlist_uri_host (PDS_URISHORTENER) twitclicks.com | |
7008 | enlist_uri_host (PDS_URISHORTENER) twitterurl.net | |
7009 | enlist_uri_host (PDS_URISHORTENER) twitterurl.org | |
7010 | enlist_uri_host (PDS_URISHORTENER) twitthis.com | |
7011 | enlist_uri_host (PDS_URISHORTENER) twittu.ms | |
7012 | enlist_uri_host (PDS_URISHORTENER) twiturl.de | |
7013 | enlist_uri_host (PDS_URISHORTENER) twitzap.com | |
7014 | enlist_uri_host (PDS_URISHORTENER) twlv.net | |
7015 | enlist_uri_host (PDS_URISHORTENER) twtr.us | |
7016 | enlist_uri_host (PDS_URISHORTENER) twurl.cc | |
7017 | enlist_uri_host (PDS_URISHORTENER) twurl.nl | |
7018 | enlist_uri_host (PDS_URISHORTENER) u.mavrev.com | |
7019 | enlist_uri_host (PDS_URISHORTENER) u.nu | |
7020 | enlist_uri_host (PDS_URISHORTENER) u76.org | |
7021 | enlist_uri_host (PDS_URISHORTENER) ub0.cc | |
7022 | enlist_uri_host (PDS_URISHORTENER) uiop.me | |
7023 | enlist_uri_host (PDS_URISHORTENER) ulimit.com | |
7024 | enlist_uri_host (PDS_URISHORTENER) ulu.lu | |
7025 | enlist_uri_host (PDS_URISHORTENER) unfaker.it | |
7026 | enlist_uri_host (PDS_URISHORTENER) updating.me | |
7027 | enlist_uri_host (PDS_URISHORTENER) u.to | |
7028 | enlist_uri_host (PDS_URISHORTENER) ur.ly | |
7029 | enlist_uri_host (PDS_URISHORTENER) ur1.ca | |
7030 | enlist_uri_host (PDS_URISHORTENER) urizy.com | |
7031 | enlist_uri_host (PDS_URISHORTENER) url.ag | |
7032 | enlist_uri_host (PDS_URISHORTENER) url.az | |
7033 | enlist_uri_host (PDS_URISHORTENER) url.co.uk | |
7034 | enlist_uri_host (PDS_URISHORTENER) url.go.it | |
7035 | enlist_uri_host (PDS_URISHORTENER) url.ie | |
7036 | enlist_uri_host (PDS_URISHORTENER) url.inc-x.eu | |
7037 | enlist_uri_host (PDS_URISHORTENER) url.lotpatrol.com | |
7038 | enlist_uri_host (PDS_URISHORTENER) url360.me | |
7039 | enlist_uri_host (PDS_URISHORTENER) url4.eu | |
7040 | enlist_uri_host (PDS_URISHORTENER) urlao.com | |
7041 | enlist_uri_host (PDS_URISHORTENER) urlbee.com | |
7042 | enlist_uri_host (PDS_URISHORTENER) urlborg.com | |
7043 | enlist_uri_host (PDS_URISHORTENER) urlbrief.com | |
7044 | enlist_uri_host (PDS_URISHORTENER) urlcorta.es | |
7045 | enlist_uri_host (PDS_URISHORTENER) urlcover.com | |
7046 | enlist_uri_host (PDS_URISHORTENER) urlcut.com | |
7047 | enlist_uri_host (PDS_URISHORTENER) urlcutter.com | |
7048 | enlist_uri_host (PDS_URISHORTENER) urlenco.de | |
7049 | enlist_uri_host (PDS_URISHORTENER) urlg.info | |
7050 | enlist_uri_host (PDS_URISHORTENER) urlhawk.com | |
7051 | enlist_uri_host (PDS_URISHORTENER) urli.nl | |
7052 | enlist_uri_host (PDS_URISHORTENER) urlin.it | |
7053 | enlist_uri_host (PDS_URISHORTENER) urlkiss.com | |
7054 | enlist_uri_host (PDS_URISHORTENER) urloo.com | |
7055 | enlist_uri_host (PDS_URISHORTENER) urlpire.com | |
7056 | enlist_uri_host (PDS_URISHORTENER) urls.im | |
7057 | enlist_uri_host (PDS_URISHORTENER) urlshorteningservicefortwitter.com | |
7058 | enlist_uri_host (PDS_URISHORTENER) urltea.com | |
7059 | enlist_uri_host (PDS_URISHORTENER) urlu.ms | |
# NOTE(review): "urlvi.b" looks like a truncated copy of the urlvi.be entry on the next line; ".b" is presumably not a valid TLD, so this line likely never matches. Confirm, then remove it.
7060 | enlist_uri_host (PDS_URISHORTENER) urlvi.b | |
7061 | enlist_uri_host (PDS_URISHORTENER) urlvi.be | |
7062 | enlist_uri_host (PDS_URISHORTENER) urlx.ie | |
7063 | enlist_uri_host (PDS_URISHORTENER) urlz.at | |
7064 | enlist_uri_host (PDS_URISHORTENER) urlzen.com | |
7065 | enlist_uri_host (PDS_URISHORTENER) usat.ly | |
7066 | enlist_uri_host (PDS_URISHORTENER) use.my | |
7067 | enlist_uri_host (PDS_URISHORTENER) uservoice.com | |
7068 | enlist_uri_host (PDS_URISHORTENER) ustre.am | |
7069 | enlist_uri_host (PDS_URISHORTENER) vado.it | |
7070 | enlist_uri_host (PDS_URISHORTENER) vb.ly | |
7071 | enlist_uri_host (PDS_URISHORTENER) vdirect.com | |
7072 | enlist_uri_host (PDS_URISHORTENER) vgn.am | |
7073 | enlist_uri_host (PDS_URISHORTENER) vi.ly | |
7074 | enlist_uri_host (PDS_URISHORTENER) viigo.im | |
7075 | enlist_uri_host (PDS_URISHORTENER) virl.com | |
7076 | enlist_uri_host (PDS_URISHORTENER) vl.am | |
7077 | enlist_uri_host (PDS_URISHORTENER) vm.lc | |
7078 | enlist_uri_host (PDS_URISHORTENER) voizle.com | |
7079 | enlist_uri_host (PDS_URISHORTENER) vtc.es | |
7080 | enlist_uri_host (PDS_URISHORTENER) w0r.me | |
7081 | enlist_uri_host (PDS_URISHORTENER) w33.us | |
7082 | enlist_uri_host (PDS_URISHORTENER) w34.us | |
7083 | enlist_uri_host (PDS_URISHORTENER) w3t.org | |
7084 | enlist_uri_host (PDS_URISHORTENER) w55.de | |
7085 | enlist_uri_host (PDS_URISHORTENER) wa9.la | |
7086 | enlist_uri_host (PDS_URISHORTENER) wapo.st | |
7087 | enlist_uri_host (PDS_URISHORTENER) wapurl.co.uk | |
7088 | enlist_uri_host (PDS_URISHORTENER) webalias.com | |
7089 | enlist_uri_host (PDS_URISHORTENER) welcome.to | |
7090 | enlist_uri_host (PDS_URISHORTENER) wh.gov | |
7091 | enlist_uri_host (PDS_URISHORTENER) widg.me | |
7092 | enlist_uri_host (PDS_URISHORTENER) wipi.es | |
7093 | enlist_uri_host (PDS_URISHORTENER) wkrg.com | |
7094 | enlist_uri_host (PDS_URISHORTENER) woo.ly | |
7095 | enlist_uri_host (PDS_URISHORTENER) wp.me | |
7096 | enlist_uri_host (PDS_URISHORTENER) x.co | |
7097 | enlist_uri_host (PDS_URISHORTENER) x.hypem.com | |
7098 | enlist_uri_host (PDS_URISHORTENER) x.se | |
7099 | enlist_uri_host (PDS_URISHORTENER) x.vu | |
7100 | enlist_uri_host (PDS_URISHORTENER) xeeurl.com | |
7101 | enlist_uri_host (PDS_URISHORTENER) xil.in | |
7102 | enlist_uri_host (PDS_URISHORTENER) xlurl.de | |
7103 | enlist_uri_host (PDS_URISHORTENER) xn--1ci.ws | |
7104 | enlist_uri_host (PDS_URISHORTENER) xn--3fi.ws | |
7105 | enlist_uri_host (PDS_URISHORTENER) xn--5gi.ws | |
7106 | enlist_uri_host (PDS_URISHORTENER) xn--9gi.ws | |
7107 | enlist_uri_host (PDS_URISHORTENER) xn--bih.ws | |
7108 | enlist_uri_host (PDS_URISHORTENER) xn--cwg.ws | |
7109 | enlist_uri_host (PDS_URISHORTENER) xn--egi.ws | |
7110 | enlist_uri_host (PDS_URISHORTENER) xn--fwg.ws | |
7111 | enlist_uri_host (PDS_URISHORTENER) xn--hgi.ws | |
7112 | enlist_uri_host (PDS_URISHORTENER) xn--l3h.ws | |
7113 | enlist_uri_host (PDS_URISHORTENER) xn--odi.ws | |
7114 | enlist_uri_host (PDS_URISHORTENER) xn--ogi.ws | |
7115 | enlist_uri_host (PDS_URISHORTENER) xn--rei.ws | |
7116 | enlist_uri_host (PDS_URISHORTENER) xn--vgi.ws | |
7117 | enlist_uri_host (PDS_URISHORTENER) xr.com | |
7118 | enlist_uri_host (PDS_URISHORTENER) xrl.in | |
7119 | enlist_uri_host (PDS_URISHORTENER) xrl.us | |
7120 | enlist_uri_host (PDS_URISHORTENER) xrt.me | |
7121 | enlist_uri_host (PDS_URISHORTENER) xurl.es | |
7122 | enlist_uri_host (PDS_URISHORTENER) xurl.jp | |
7123 | enlist_uri_host (PDS_URISHORTENER) xxsurl.de | |
7124 | enlist_uri_host (PDS_URISHORTENER) xzb.cc | |
7125 | enlist_uri_host (PDS_URISHORTENER) y.ahoo.it | |
7126 | enlist_uri_host (PDS_URISHORTENER) yatuc.com | |
7127 | enlist_uri_host (PDS_URISHORTENER) ye-s.com | |
7128 | enlist_uri_host (PDS_URISHORTENER) ye.pe | |
7129 | enlist_uri_host (PDS_URISHORTENER) yep.it | |
7130 | enlist_uri_host (PDS_URISHORTENER) yfrog.com | |
7131 | enlist_uri_host (PDS_URISHORTENER) yhoo.it | |
7132 | enlist_uri_host (PDS_URISHORTENER) yiyd.com | |
7133 | enlist_uri_host (PDS_URISHORTENER) yuarel.com | |
7134 | enlist_uri_host (PDS_URISHORTENER) z.pe | |
7135 | enlist_uri_host (PDS_URISHORTENER) z0p.de | |
7136 | enlist_uri_host (PDS_URISHORTENER) zapt.in | |
7137 | enlist_uri_host (PDS_URISHORTENER) zi.ma | |
7138 | enlist_uri_host (PDS_URISHORTENER) zi.me | |
7139 | enlist_uri_host (PDS_URISHORTENER) zi.mu | |
7140 | enlist_uri_host (PDS_URISHORTENER) zi.pe | |
7141 | enlist_uri_host (PDS_URISHORTENER) zip.li | |
7142 | enlist_uri_host (PDS_URISHORTENER) zipmyurl.com | |
7143 | enlist_uri_host (PDS_URISHORTENER) zite.to | |
7144 | enlist_uri_host (PDS_URISHORTENER) zootit.com | |
7145 | enlist_uri_host (PDS_URISHORTENER) zud.me | |
7146 | enlist_uri_host (PDS_URISHORTENER) zurl.ws | |
7147 | enlist_uri_host (PDS_URISHORTENER) zz.gd | |
7148 | enlist_uri_host (PDS_URISHORTENER) zzang.kr | |
7149 | enlist_uri_host (PDS_URISHORTENER) t.ly | |
7150 | enlist_uri_host (PDS_URISHORTENER) wow.link | |
7151 | enlist_uri_host (PDS_URISHORTENER) twixar.me | |
7152 | enlist_uri_host (PDS_URISHORTENER) lnk.cm | |
7153 | enlist_uri_host (PDS_URISHORTENER) rb.gy | |
7154 | enlist_uri_host (PDS_URISHORTENER) gplinks.in | |
7155 | enlist_uri_host (PDS_URISHORTENER) utfg.sk | |
7156 | enlist_uri_host (PDS_URISHORTENER) um.lk | |
7157 | enlist_uri_host (PDS_URISHORTENER) xn--vi8hiv.ws | |
7158 | enlist_uri_host (PDS_URISHORTENER) ouo.io | |
7159 | enlist_uri_host (PDS_URISHORTENER) mmo.tc | |
7160 | enlist_uri_host (PDS_URISHORTENER) pvp.tc | |
7161 | enlist_uri_host (PDS_URISHORTENER) ko.tc | |
7162 | enlist_uri_host (PDS_URISHORTENER) m2.tc | |
7163 | enlist_uri_host (PDS_URISHORTENER) sro.tc | |
7164 | enlist_uri_host (PDS_URISHORTENER) heg.tc | |
7165 | enlist_uri_host (PDS_URISHORTENER) fn.tc | |
7166 | enlist_uri_host (PDS_URISHORTENER) lol.tc | |
7167 | enlist_uri_host (PDS_URISHORTENER) tek.link | |
7168 | enlist_uri_host (PDS_URISHORTENER) tr.im | |
7169 | enlist_uri_host (PDS_URISHORTENER) cutwin.biz | |
7170 | enlist_uri_host (PDS_URISHORTENER) urlzs.com | |
7171 | enlist_uri_host (PDS_URISHORTENER) qqc.co | |
7172 | enlist_uri_host (PDS_URISHORTENER) yyv.co | |
7173 | enlist_uri_host (PDS_URISHORTENER) erq.io | |
7174 | enlist_uri_host (PDS_URISHORTENER) yko.io | |
7175 | enlist_uri_host (PDS_URISHORTENER) poweredbysecurity.online | |
7176 | enlist_uri_host (PDS_URISHORTENER) poweredbysecurity.org | |
7177 | enlist_uri_host (PDS_URISHORTENER) poweredbydialup.online | |
7178 | enlist_uri_host (PDS_URISHORTENER) poweredbydialup.club | |
7179 | enlist_uri_host (PDS_URISHORTENER) canadianlumberjacks.online | |
7180 | enlist_uri_host (PDS_URISHORTENER) canadianlumberjacks.club | |
7181 | enlist_uri_host (PDS_URISHORTENER) packetlivesmatter.online | |
7182 | enlist_uri_host (PDS_URISHORTENER) packetlivesmatter.club | |
7183 | enlist_uri_host (PDS_URISHORTENER) amishprincess.com | |
7184 | enlist_uri_host (PDS_URISHORTENER) poweredbydialup.org | |
7185 | enlist_uri_host (PDS_URISHORTENER) amishdatacenter.com | |
7186 | enlist_uri_host (PDS_URISHORTENER) youtubeshort.pro | |
7187 | enlist_uri_host (PDS_URISHORTENER) catsnthing.com | |
7188 | enlist_uri_host (PDS_URISHORTENER) youtubeshort.watch | |
7189 | enlist_uri_host (PDS_URISHORTENER) yourtube.site | |
7190 | enlist_uri_host (PDS_URISHORTENER) catsnthings.fun | |
7191 | enlist_uri_host (PDS_URISHORTENER) curiouscat.club | |
7192 | enlist_uri_host (PDS_URISHORTENER) crabrave.pw | |
7193 | enlist_uri_host (PDS_URISHORTENER) fortnitechat.site | |
7194 | enlist_uri_host (PDS_URISHORTENER) fortnight.space | |
7195 | enlist_uri_host (PDS_URISHORTENER) disçordapp.com | |
7196 | enlist_uri_host (PDS_URISHORTENER) freegiftcards.co | |
7197 | enlist_uri_host (PDS_URISHORTENER) minecräft.com | |
7198 | enlist_uri_host (PDS_URISHORTENER) stopify.co | |
7199 | enlist_uri_host (PDS_URISHORTENER) spottyfly.com | |
7200 | enlist_uri_host (PDS_URISHORTENER) bmwforum.co | |
7201 | enlist_uri_host (PDS_URISHORTENER) grabify.link | |
7202 | enlist_uri_host (PDS_URISHORTENER) joinmy.site | |
7203 | enlist_uri_host (PDS_URISHORTENER) youshouldclick.us | |
7204 | reuse T_PDS_SHORTFWD_URISHRT | |
7205 | endif | |
7206 | endif | |
7207 | ##} ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox | |
7208 | ||
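7209 | ##{ redirector_pattern_sandbox | |
7210 | # In each redirector_pattern the first capture group is the redirect target, which is then checked as a URI of its own. The host-specific patterns all anchor on the scheme followed by ":" and any number of "/"; without the ":" a pattern cannot match an ordinary http(s) link. | |
7211 | redirector_pattern m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i | |
7212 | redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i | |
7213 | redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:site|inurl):(.*?)(?:$|%20|[\s+&\#])'i | |
7214 | redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&\#])'i | |
7215 | redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i | |
7216 | redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/pagead/iclk\?.*?(?<=[?&])adurl=(.*?)(?:$|[&\#])'i | |
7217 | redirector_pattern m'^https?:/*(?:\w+\.)?aol\.com/redir\.adp\?.*(?<=[?&])_url=(.*?)(?:$|[&\#])'i | |
7218 | redirector_pattern m'^https?:/*(?:\w+\.)?facebook\.com/l/;(.*)'i | |
7219 | ##} redirector_pattern_sandbox | |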
7220 | ||
7221 | ##{ reuse_sandbox | |
7222 | # "reuse" marks rules whose hits mass-check (run with --reuse) takes from the results already recorded on each corpus message instead of evaluating the rule again. The rules named here are defined outside this section. | |
7223 | reuse T_PDS_HIDDEN_UK_BUSINESSLOAN | |
7224 | reuse T_PDS_DOUBLE_URL | |
7225 | reuse T_PDS_DBL_URL_LINKBAIT | |
7226 | reuse PDS_DBL_URL_TNB_RUNON | |
7227 | reuse T_PDS_DBL_URL_ILLEGAL_CHARS | |
7228 | reuse FROM_2_EMAILS_SHORT | |
7229 | reuse T_SHORT_BODY_QUOTE | |
7230 | reuse T_BODY_QUOTE_MALF_MSGID | |
7231 | reuse SPOOFED_FREEMAIL_NO_RDNS | |
7232 | reuse T_PDS_URI_HIDDEN_HELO_NO_DOMAIN | |
7233 | reuse PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE | |
7234 | reuse T_PDS_TONAME_EQ_TOLOCAL_SHORT | |
7235 | reuse PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE | |
7236 | reuse T_PDS_TONAME_EQ_TOLOCAL_VSHORT | |
7237 | reuse T_PDS_LITECOIN_ID | |
7238 | reuse PDS_BTC_ID | |
7239 | reuse PDS_BTC_MSGID | |
7240 | reuse __PDS_GOOGLE_DRIVE_SHARE_1 | |
7241 | reuse __PDS_GOOGLE_DRIVE_SHARE_2 | |
7242 | reuse __PDS_GOOGLE_DRIVE_SHARE_3 | |
7243 | reuse __PDS_GOOGLE_DRIVE_SHARE | |
7244 | reuse T_GOOGLE_DRIVE_DEAR_SOMETHING | |
7245 | reuse __PDS_GOOGLE_DRIVE_FILE | |
7246 | reuse __SHORT_BODY_G_DRIVE | |
7247 | reuse __SHORT_BODY_G_DRIVE_DYN | |
7248 | reuse SHORT_BODY_G_DRIVE_DYN | |
7249 | reuse FROM_NAME_EQ_TO_G_DRIVE | |
7250 | ##} reuse_sandbox | |
7251 | ||
7252 | # Sub-rules (leading "__", so unscored on their own) that flag URIs carrying a very long opaque token. This one: 128 or more letters/digits after a "/" or "?" at the end of the URI, case-insensitive. | |
7253 | uri __128_ALNUM_URI m;[/?][0-9a-z]{128,}$;i | |
7254 | # A "/" followed by 128 lowercase hex digits anywhere in the URI; unlike its siblings this one is case-sensitive and not anchored at the end. | |
7255 | uri __128_HEX_URI m,/[0-9a-f]{128}, | |
7256 | # 128 or more lowercase letters (no digits) at the end of the URI; case-sensitive. | |
7257 | uri __128_LC_URI m;[/?][a-z]{128,}$; | |
7258 | # A path segment of 45 or more letters/digits directly followed by an image file name (png, gif, jpg/jpeg) at the end of the URI. | |
7259 | uri __45_ALNUM_IMG m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g)$;i | |
7260 | # 45 or more letters/digits after a "/" or "?" at the end of the URI, case-insensitive. | |
7261 | uri __45_ALNUM_URI m;[/?][0-9a-z]{45,}$;i | |
7262 | # The 45+ case on its own: excluded when the 64+ or either 128+ variant also hits, so the length buckets do not overlap. | |
7263 | meta __45_ALNUM_URI_O __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI | |
7264 | # 64 or more word characters (letters, digits, underscore) after a "/" or "?" at the end of the URI. | |
7265 | uri __64_ANY_URI m;[/?]\w{64,}$;i | |
7266 | ||
7267 | body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i | |
7268 | ||
7269 | body __ACCESS_REVOKE /(?:(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)|Ihre Kreditkarte wird gesperrt)/i | |
7270 | ||
7271 | body __ACCESS_SUSPENDED /\b(?:(?:access|account|e?-?mails) (?:suspension|(?:has|have) (?:been )?(?:temporar(?:il)?y (?:been )?)?(?:suspended|blocked|locked|blacklisted))|suspend (?:you from|your) access(?:ing)?|suspen(?:sion|se|ded) noti(?:ce|fication))\b/i | |
7272 | tflags __ACCESS_SUSPENDED multiple maxhits=2 | |
7273 | ||
7274 | body __ACCOUNT_DISRUPT /\b(?:ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)|(?:avoid|incoming) (?:[a-z]+ ){0,5}e?-?mails? (?:from )?being rejected|avoid (?:account|e?-?mail(?: ?box)? )?(?:shut ?down|suspension|locking|termination|expiration)|will terminate (?:your|its) service)\b/i | |
7275 | tflags __ACCOUNT_DISRUPT multiple maxhits=2 | |
7276 | ||
7277 | body __ACCOUNT_ERROR /\b(?:your account (?:is|appears to be) (?:incorrect|missing|in error|invalid))\b/i | |
7278 | ||
7279 | body __ACCOUNT_REACTIV /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i | |
7280 | ||
7281 | body __ACCOUNT_SECURE /\b(?:make your (?:"?[^\@\s]+\@\S+"? |e-?mail )?account more secure|Ihre Kreditkarte weist einige Sicherheitsprobleme)\b/i | |
7282 | # NOTE(review): "(?:of )" carries no quantifier, so the first alternative matches only "upgrade of your account/access"; if "upgrade your account" was meant to hit as well this should read "(?:of )?" - confirm against rule QA results before changing. | |
7283 | body __ACCOUNT_UPGRADE /\b(?:upgrade (?:of )your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded|Weiter zur Aktualisierung)\b/i | |
7284 | # Adds up the account-phishing phrase sub-rules and is true from a total of 2, unless the stricter __ACCT_PHISH_MANY below also fires. Sub-rules flagged "multiple maxhits=2" (__ACCESS_SUSPENDED, __ACCOUNT_DISRUPT) can contribute 2 to the total on their own. | |
7285 | meta __ACCT_PHISH (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __PDS_FROM_NAME_TO_DOMAIN) > 1 && !__ACCT_PHISH_MANY | |
7286 | # Same total with __TO_IN_SUBJ, __SUBJ_DOM_ADMIN and __FROM_DOM_ADMIN added; true from a total of 4. This is one of the two inputs of the published ACCT_PHISHING_MANY rule. | |
7287 | meta __ACCT_PHISH_MANY (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + __PDS_FROM_NAME_TO_DOMAIN) > 3 | |
7288 | ||
7289 | body __ACH_CANCELLED_01 /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i | |
7290 | ||
7291 | body __ACH_CANCELLED_02 /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i | |
7292 | ||
7293 | body __ACH_CANCELLED_03 /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i | |
7294 | ||
7295 | body __ACH_CANCELLED_04 /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i | |
7296 | ||
7297 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7298 | meta __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH | |
7299 | endif | |
7300 | ||
7301 | uri __AC_1SEQC_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/C\// | |
7302 | ||
7303 | uri __AC_1SEQV_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/V\// | |
7304 | ||
7305 | uri __AC_CHDSEQ_URI /\/chd[a-z0-9]{20,}/ | |
7306 | ||
7307 | header __AC_FROM_MANY_DOTS From =~ /<(?:\w{2,}\.){2,}\w+@/ | |
7308 | ||
7309 | meta __AC_FROM_MANY_DOTS_MINFP __AC_FROM_MANY_DOTS && !ALL_TRUSTED && !FREEMAIL_FORGED_FROMDOMAIN && !FORGED_GMAIL_RCVD && !__UNSUB_LINK && !__XM_VBULLETIN && !__RDNS_SHORT && !__REPTO_QUOTE && !__FSL_RELAY_GOOGLE && !__HAS_IN_REPLY_TO && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_MX_MESSY && !__CTYPE_MULTIPART_MIXED && !__RCD_RDNS_MTA && !__VIA_ML && !__HAS_ERRORS_TO | |
7310 | ||
7311 | rawbody __AC_HTML_ENTITY_BONANZA_SHRT_RAW /(?:&[A-Z0-9\#]{2,};\s{0,64}){10}/i | |
7312 | ||
7313 | uri __AC_LAND_URI /\/land\// | |
7314 | ||
7315 | uri __AC_LONGSEQ_URI /\/[A-Z0-9]{50,}\.(?:php|html|cgi)\b/ | |
7316 | ||
7317 | uri __AC_MHDSEQ_URI /\/mhd[a-z0-9]{20,}/ | |
7318 | ||
7319 | uri __AC_NDOMLONGNASPX_URI /[A-Za-z]+[0-9]{2}\.[A-Za-z0-9-]+\.me\/(?:[A-Za-z0-9-]{10,}\/){2}[0-9]{8,}\/[A-Za-z]+\.aspx/ | |
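7320 | # Five consecutive all-digit path segments followed by ".<token>.php" or ".<token>.html". The extension group is the non-capturing "(?:...)" form, so a stray ":" before "php" is not accepted. | |
7321 | uri __AC_NUMS_URI /(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(?:php|html)\b/ | |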
7322 | ||
7323 | uri __AC_OUTI_URI /\/outi\b/ | |
7324 | ||
7325 | uri __AC_OUTL_URI /\/outl\b/ | |
7326 | ||
7327 | uri __AC_PHPOFFSUB_URI /\/php\/off\/[0-9.]+\/sub\// | |
7328 | ||
7329 | uri __AC_PHPOFFTOP_URI /\/php\/off\/[0-9.]+\/top\// | |
7330 | ||
7331 | uri __AC_POSTHTMLEXTRAS /(?:main[0-9]?|mian|start(?:page)?|info(?:page|source|center)?|(?:one|view)?(?:site|source)(?:view|[0-9])?|(?:hub|file)one|index(?:[0-9]|page)?|mediafile|userlink|faction1)[.,]html?\/\w{2,}\b/i | |
7332 | ||
7333 | uri __AC_POSTIMGEXTRAS /(?:(?:main|external|hosted|new|file)?(?:im(?:g|age)?|user|one)s?-?(?:view(?:er)?|file|map|finder|portal|hub|online)?s?|library|media(?:source|-?files?)?|main|png|view|begin|file|port|space|webpics|host)(?:[-]?(?:[0-9]|one|two|three|four|five|six|seven|eight|nine))?[.,](?:jpe?g|png|gif)\/\w{2,}\b/i | |
7334 | ||
7335 | meta __AC_POST_EXTRAS (__AC_POSTHTMLEXTRAS || __AC_POSTIMGEXTRAS) | |
7336 | ||
7337 | uri __AC_PUNCTNUMS_URI /\.com\/[A-Za-z+=\/.?_-]{4,}[0-9]{9,12}[a-z0-9]{1,2}[A-Za-z+=\/.?_-]+[0-9]{7,9}[A-Za-z+=\/.?_-]{6,}[0-9]{7,9}\b/ | |
7338 | ||
7339 | uri __AC_REPORT_URI /\/report\// | |
7340 | ||
7341 | uri __AC_RMOVE_URI /\/r\/move\/[0-9]+\// | |
7342 | ||
7343 | rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i | |
7344 | ||
7345 | uri __AC_UHDSEQ_URI /\/uhd[a-z0-9]{20,}/ | |
7346 | ||
7347 | uri __AC_UNSUB_URI /\/unsub\// | |
7348 | ||
7349 | body __ADMAIL /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i | |
7350 | ||
7351 | body __ADMITS_SPAM /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:e-?mail[- ]+)?[a@]dvert[i1l]sement\b/i | |
7352 | ||
7353 | body __ADULTDATINGCOMPANY_BODY /\bAdultDatingCompany\b/i | |
7354 | ||
7355 | header __ADULTDATINGCOMPANY_FROM From:name =~ /\bAdultDatingCompany\b/i | |
7356 | ||
7357 | header __ADULTDATINGCOMPANY_REPTO Reply-To:name =~ /\bAdultDatingCompany\b/i | |
7358 | ||
7359 | meta __ADVANCE_FEE_2_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 1) && !__THREAD_INDEX_GOOD | |
7360 | # The three metas below split __ADVANCE_FEE_2_NEW hits into disjoint cases by whether __FILL_THIS_FORM and LOTS_OF_MONEY also hit: form only, form and money, money only. No variant covers the case where neither hits. | |
7361 | meta __ADVANCE_FEE_2_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW | |
7362 | ||
7363 | meta __ADVANCE_FEE_2_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW | |
7364 | ||
7365 | meta __ADVANCE_FEE_2_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW | |
7366 | ||
7367 | meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 2) && !__THREAD_INDEX_GOOD | |
7368 | ||
7369 | meta __ADVANCE_FEE_3_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW | |
7370 | ||
7371 | meta __ADVANCE_FEE_3_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW | |
7372 | ||
7373 | meta __ADVANCE_FEE_3_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW | |
7374 | ||
7375 | meta __ADVANCE_FEE_4_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 3) && !__THREAD_INDEX_GOOD | |
7376 | ||
7377 | meta __ADVANCE_FEE_4_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW | |
7378 | ||
7379 | meta __ADVANCE_FEE_4_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW | |
7380 | ||
7381 | meta __ADVANCE_FEE_4_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW | |
7382 | ||
7383 | meta __ADVANCE_FEE_5_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 4) && !__THREAD_INDEX_GOOD | |
7384 | ||
7385 | meta __ADVANCE_FEE_5_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW | |
7386 | ||
7387 | meta __ADVANCE_FEE_5_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW | |
7388 | ||
7389 | meta __ADVANCE_FEE_5_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW | |
7390 | ||
7391 | body __AFF_004470_NUMBER /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/ | |
7392 | ||
7393 | body __AFF_LOTTERY /(?:lottery|winner)/i | |
7394 | ||
7395 | meta __AFRICAN_STATE (__NIGERIA || __IVORY_COAST || __BURKINA_FASO || __GHANA || __BENIN || __AFR_UNION) | |
7396 | ||
7397 | body __AFR_UNION /\bafrican\sunion\b/i | |
7398 | ||
7399 | body __AGREED_RATIO /\b(?:agreed|sharing)\s(?:ratios?|percent\w+)\b/i | |
7400 | ||
7401 | meta __ALIBABA_IMG_NOT_RCVD_ALI __URI_IMG_ALICDN && !__HDR_RCVD_ALIBABA | |
7402 | ||
7403 | header __AMADEUSMS_MUA X-Mailer =~ /^Amadeus Messaging Server/ | |
7404 | ||
7405 | meta __AMAZON_IMG_NOT_RCVD_AMZN __URI_IMG_AMAZON && !__HDR_RCVD_AMAZON && !__HDR_RCVD_AMAZON_HELO | |
7406 | ||
7407 | body __AM_DYING /\b(?:am\s(?:\S+\s)?dying|terminally\sill|cancer|en\sphase\sterminale|(?:become|is|devenu|maladie)\sincurable|que\sje\smeurs)\b/i | |
7408 | # True when a MIME part declares an image/* Content-Type. Defined only when the MIMEHeader plugin is loaded; no fallback definition appears next to it. | |
7409 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7410 | mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /\bimage\//i | |
7411 | endif | |
7412 | # Fallback without MIMEHeader: __ANY_TEXT_ATTACH becomes a constant-false meta, presumably so that rules referring to it still resolve. | |
7413 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7414 | meta __ANY_TEXT_ATTACH 0 | |
7415 | endif | |
7416 | # With MIMEHeader: true when a MIME part has a text/* Content-Type; the expression is unanchored, so it matches anywhere in the header value. | |
7417 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7418 | mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i | |
7419 | endif | |
7420 | # NOTE(review): same expression as __ANY_TEXT_ATTACH above; nothing in it narrows the match to document types despite the _DOC suffix, and it has no non-plugin fallback - confirm this is intended. | |
7421 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7422 | mimeheader __ANY_TEXT_ATTACH_DOC Content-Type =~ /text\/\w+/i | |
7423 | endif | |
7424 | ||
7425 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7426 | body __APP_DEVELOPMENT /\b(?:mobile apps|(?:apps?|portal) (?:dev(?:elop(?:ment|ed))?|design|test(?:ing)?|U[IX]|maintenance|support)|(?:we |can |have )+(?:design(?:ed)?|buil[dt]|maintain(?:ed)?|created?)(?: over| more than)?[\s0-9]+apps|different platforms|we are (?:[-a-z]+ ){1,4}(?:software|apps?) (?:company|develop(?:ers|ment)))\b/i | |
7427 | tflags __APP_DEVELOPMENT multiple maxhits=6 | |
7428 | endif | |
7429 | ||
7430 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7431 | meta __APP_DEVELOPMENT_MANY __APP_DEVELOPMENT > 5 | |
7432 | endif | |
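7433 | # Advance-fee "ATM card" lure, one of the inputs summed by the __ADVANCE_FEE_*_NEW metas: a lead-in ("your", "via", "by means of", "that a", "issue (to|for) you a", ...), an optional word, then atm / debit / fast cash and "card". "by means of" and "that a" are separate alternatives joined by an unescaped "|". | |
7434 | body __ATM_CARD /\b(?:your|the|this|through|via|by\smeans\sof|that\sa|issue\s(?:(?:to|for)\s)?you\sa)[\s\(](?:\w{1,20}\s)?(?:atm|debit|(?:money[\s-]?gram\s)?fast\scash)(?:\smaster|swift|value?|cash)?[\s\)]card/i | |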
7435 | ||
7436 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7437 | meta __ATTACH_MSO_MHTML __TEXT_XML_MT && __MSO_THEME_MT && __X_MSO_MT | |
7438 | endif | |
7439 | ||
7440 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7441 | meta __ATTACH_NAME_NO_EXT 0 | |
7442 | endif | |
7443 | ||
7444 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7445 | mimeheader __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i | |
7446 | endif | |
7447 | ||
7448 | body __ATTN_MAIL_USER /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i | |
7449 | ||
7450 | body __AUTO_ACCIDENT /auto(?:mobile)? accident/i | |
7451 | ||
7452 | header __AXB_MO_OL_024C2 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2600\.0000/ | |
7453 | ||
7454 | header __AXB_MO_OL_1ECD5 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2800\.1081/ | |
7455 | ||
7456 | header __AXB_XM_OL_024C2 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2600\.0000/ | |
7457 | ||
7458 | header __AXB_XM_OL_1ECD5 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2800\.1081/ | |
7459 | ||
7460 | body __BACK_SCRATCH /\bmutual+y?\s(?:benefi(?:t|cial)|interest)\b/i | |
7461 | ||
7462 | body __BANK_DRAFT /\bbank\sdraft/i | |
7463 | ||
7464 | body __BARRISTER /\b(?:barrister|solicitor at law|barr\.)/i | |
7465 | ||
7466 | body __BENEFICIARY /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])n(?:e|=E9|[\xe9]|[\xc3][\xa9])fi(?:c|sh)i?ai?r(?:y|ies|es?)/i | |
7467 | ||
7468 | body __BENIN /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])nin\b/i | |
7469 | ||
7470 | body __BIGNUM_EMAILS /\b(?:thousand|million|\d[,1-9]{0,6}(?:[,0]{2,}k?|k))\s(?:(?!and|or|your|place|baby|suspicious|supportive|subpoenaed)\w+\s)?(?:e-?mail(?:(?![-:.\)\>\]])s?|\saddresses)|fax numbers|leads|names)\b/i | |
7471 | tflags __BIGNUM_EMAILS multiple maxhits=5 | |
7472 | ||
7473 | meta __BIGNUM_EMAILS_3 __BIGNUM_EMAILS > 2 | |
7474 | ||
7475 | meta __BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS && __freemail_hdr_replyto | |
7476 | ||
7477 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7478 | body __BITCOIN /\bB[-\s]?i[-\s]?t[-\s]?c[-\s]?o[-\s]?i[-\s]?n\b/i | |
7479 | endif | |
7480 | ||
7481 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7482 | body __BITCOIN /<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i | |
7483 | endif | |
7484 | # Bitcoin address shapes: "1" or "3" plus 29-34 characters from an alphabet that omits 0, O, I and l, or "bc1" plus 30-90 characters from a lowercase alphabet that omits 1, b, i and o. Each shape is also accepted with one of - _ = or whitespace before every character. Case-sensitive; a "=" directly before the address blocks the match. | |
7485 | body __BITCOIN_ID /\b(?<!=)(?:[13](?:(?:[-_=\s][a-km-zA-HJ-NP-Z1-9]){29,34}|[a-km-zA-HJ-NP-Z1-9]{29,34})|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90}|b[-_=\s]c[-_=\s]1(?:[-_=\s][acdefghjklmnpqrstuvwxyz234567890]){30,90})\b/ | |
7486 | ||
7487 | meta __BITCOIN_IMGUR __IMGUR_IMG && __BITCOIN | |
7488 | ||
7489 | meta __BITCOIN_OBFU_SUBJ __BITCOIN && __SUBJ_OBFU_PUNCT | |
7490 | ||
7491 | meta __BITCOIN_SPAM_02 __BITCOIN_ID && __BOTH_INR_AND_REF | |
7492 | ||
7493 | meta __BITCOIN_SPAM_05 __BITCOIN_ID && __SPOOFED_FREEMAIL | |
7494 | ||
7495 | meta __BITCOIN_SPAM_07 __BITCOIN_ID && __TO_EQ_FROM | |
7496 | ||
7497 | meta __BITCOIN_WFH_01 __BITCOIN && __WFH_01 | |
7498 | ||
7499 | meta __BITCOIN_XPRIO __XPRIO && (__BITCOIN || __BITCOIN_ID) | |
7500 | ||
7501 | meta __BODY_SINGLE_URI (__BODY_SINGLE_WORD && __HAS_ANY_URI) | |
7502 | ||
7503 | meta __BODY_SINGLE_WORD __BODY_TEXT_LINE < 3 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1) | |
7504 | ||
7505 | body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s | |
7506 | ||
7507 | body __BODY_TEXT_LINE /^\s*\S/ | |
7508 | tflags __BODY_TEXT_LINE multiple maxhits=3 | |
7509 | ||
7510 | meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE | |
7511 | ||
7512 | body __BODY_XHTML /<x-html>/i | |
7513 | ||
7514 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7515 | full __BOGUS_MIME_HDR /\bContent-[XYZ]-[a-z]{6,15}:\s+[a-z]{6,15}\b/ | |
7516 | tflags __BOGUS_MIME_HDR multiple maxhits=8 | |
7517 | endif | |
7518 | ||
7519 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7520 | meta __BOGUS_MIME_HDR_MANY __BOGUS_MIME_HDR > 7 | |
7521 | endif | |
7522 | # Hits when the MIME-Version header has a non-empty value that does not contain "1.0" as a separate token. | |
7523 | header __BOGUS_MIME_VER_02 MIME-Version =~ /^(?!.*\b1\.0\b).+/ | |
7524 | ||
7525 | meta __BOGUS_MSM_HDRS __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX | |
7526 | ||
7527 | body __BONUS_LAST_DAY /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i | |
7528 | ||
7529 | meta __BOTH_INR_AND_REF (__XM_BALSA || __XM_CALYPSO || __XM_FORTE || __XM_MHE || __XM_SQRLMAIL || __XM_SYLPHEED || __THEBAT_MUA || __XM_VM || __XM_XIMEVOL || __UA_KMAIL || __UA_MOZ5 || __UA_OPERA7) | |
7530 | ||
7531 | body __BTC_OBFU_2 /\b\W{0,10}b(?!it[-\s]?coin)\W{0,10}i\W{0,10}t\W{0,10}c\W{0,10}o\W{0,10}i\W{0,10}n\W{0,10}\b/i | |
7532 | ||
7533 | body __BTC_OBFU_3 /\b\W{0,10}b(?!tc\b)\W{0,10}t\W{0,10}c\W{0,10}\b/i | |
7534 | # "bitcoin" written with Cyrillic look-alikes for i (U+0456), c (U+0441) and o (U+043E); the lookahead after "b" excludes the plain ASCII spelling. Defined only when the ReplaceTags plugin is not loaded. | |
7535 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7536 | body __BTC_OBFU_4 /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i | |
7537 | endif | |
7538 | # "bitcoin" spelled entirely as hexadecimal HTML character references. NOTE(review): this is a body rule, so it can only hit where the references are still present in the text it is run against - confirm that is the intended input. | |
7539 | body __BTC_OBFU_5 /&\#x62;&\#x69;&\#x74;&\#x63;&\#x6F;&\#x69;&\#x6E;/i | |
7540 | ||
7541 | rawbody __BUGGED_IMG m{<img\b[^>]{0,100}\ssrc=.?https?://[^>]{6,80}(?:\?[^>]{8}|[^a-z](?![a-f]{3}|20\d\d[01]\d[0-3]\d)[0-9a-f]{8})}i | |
7542 | ||
7543 | body __BURKINA_FASO /\bburkina\s?faso\b/i | |
7544 | ||
7545 | body __CANT_SEE_AD_1 /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i | |
7546 | ||
7547 | body __CANT_SEE_AD_2 /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i | |
7548 | ||
7549 | body __CAN_HELP /\bcan help\b/i | |
7550 | ||
7551 | body __CASHPRZ /cash prize of/ | |
7552 | ||
7553 | body __CHARITY /\b(?:charit(?:y|[ai]ble)|orphans?|homeless|orphelins|sans\sabri)\b/i | |
7554 | ||
7555 | body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here|(?:please|automatically) reduce (?:your|the) e?-?mail ?box size|reduce (?:your |the )?(?:e?-?mail(?: ?box)? )?size automatically)\b/i | |
7556 | tflags __CLEAN_MAILBOX multiple maxhits=2 | |
7557 | ||
7558 | rawbody __COMMENT_GIBBERISH /<!--(?:\s{1,10}[-\w'"]{1,40}){100}/im | |
7559 | ||
7560 | body __COMPENSATION /\b(?:compensat(?:e|ion)|recompensed?|ausgleich)\b/i | |
7561 | ||
7562 | body __CONTACT_ATTY /\bcontact(?:er)?\s(?:my|(?:de\s)?mon)\s(?:barrister|attou?rney|lawyer|avocat|gestionnaire)\b/i | |
7563 | # NOTE(review): "(?:ing)" is not optional, so the English alternative matches "contacting you" but never "contact you"; confirm whether "(?:ing)?" was intended. The French alternative matches "vous contacte" and "vous contacter". | |
7564 | body __CONTACT_YOU /\b(?:contact(?:ing)\syou|vous\scontacter?)\b/i | |
7565 | ||
7566 | rawbody __CONTENT_AFTER_HTML /<\/html>\s*[a-z0-9]/i | |
7567 | ||
7568 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7569 | body __COPY_PASTE_EN /Copy (and|\+|\&) paste/i | |
7570 | endif | |
7571 | ||
7572 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7573 | body __COPY_PASTE_EN /<C><O><P><Y> (?:<A><N><D>|\+|\&) <P><A><S><T><E>/i | |
7574 | endif | |
7575 | ||
7576 | body __COURIER /\bcourier\s(?:company|service)\b/i | |
7577 | ||
7578 | header __CR_IN_SUBJ Subject:raw =~ /\015/ | |
7579 | ||
7580 | header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w+/i | |
7581 | ||
7582 | header __CTYPE_MULTIPART_MIXED Content-Type =~ /multipart\/mixed/i | |
7583 | ||
7584 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7585 | meta __CTYPE_NULL 0 | |
7586 | endif | |
7587 | ||
7588 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7589 | mimeheader __CTYPE_NULL Content-Type =~ /^\s*;/ | |
7590 | endif | |
7591 | ||
7592 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7593 | mimeheader __CTYPE_ONETAB_GIF Content-Type:raw =~ /^image\/gif;\n\tname=\".+?\"$/s | |
7594 | endif | |
7595 | # Content-Type header of an encrypted message: multipart/encrypted (also with an x- or pgp- prefix) at the start of the value, or application/pkcs7-mime anywhere in it; the "^" binds only to the first alternative. Case-sensitive, so a differently cased media type does not hit. NOTE(review): confirm both properties are intended. | |
7596 | header __CT_ENCRYPTED Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/ | |
7597 | ||
7598 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7599 | mimeheader __CT_UTF7 Content-Type =~ /\bcharset=.?utf-7\b/i | |
7600 | endif | |
7601 | ||
7602 | header __DATE_LOWER ALL =~ /date:\s\S{5}/ | |
7603 | ||
7604 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7605 | body __DAY_I_EARNED /day,?\sI\s(?:earned|got|received|made|brought\sin)\s\$\s?\d{3}/i | |
7606 | tflags __DAY_I_EARNED multiple maxhits=4 | |
7607 | endif | |
7608 | ||
7609 | body __DBLCLAIM /avoid double claiming/ | |
7610 | ||
7611 | body __DEAD_PARENT /\b(?:my|meu)\s(?:(?:deceased|dead)\s(?:father|mother|husband)|(?:father|dad|mother|mom|husband|marido)(?:'?s)?\s(?:death|died|passed\saway|murder|was\s(?:killed|murdered|poisoned)|faleceu))/i | |
7612 | ||
7613 | body __DEAL /\b(?:(?:business|financial|this|the|mutual|die(?:se)?r?|cette|profitable)\s(?:deal|transa[ck]tion|proposal|off[er]{2}|venture|suggestion|partnership)|your\spartnership)/i | |
7614 | ||
7615 | body __DECEASED /\b(?:the|my|your|der|du|le|meu?)\s(?:deceased|late|verstorbenen|d(?:i|e|=E9|[\xe9]|[\xc3][\xa9])funto?|d(?:e|=E9|[\xe9]|[\xc3][\xa9])nt|falecido)\b/i | |
7616 | ||
7617 | body __DESTROY_ME /\b(?:destroy|hunt|quemar)\sm[eyi]\b/i | |
7618 | ||
7619 | body __DESTROY_YOU /\b(?:destroy\syou|deine Zukunft zerst\S{1,3}ren)/i | |
7620 | ||
7621 | body __DIED_IN /\bdied\sin\b/i | |
7622 | ||
7623 | body __DIPLOMATIC /\bdiplomatic\b/i | |
7624 | ||
7625 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7626 | tflags __DKIMWL_BLOCKED net | |
7627 | endif | |
7628 | ||
7629 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7630 | tflags __DKIMWL_BULKMAIL net | |
7631 | endif | |
7632 | ||
7633 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7634 | tflags __DKIMWL_FREEMAIL net | |
7635 | endif | |
7636 | ||
7637 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7638 | tflags __DKIMWL_WL_BL net | |
7639 | endif | |
7640 | ||
7641 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7642 | tflags __DKIMWL_WL_HI net | |
7643 | endif | |
7644 | ||
7645 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7646 | tflags __DKIMWL_WL_MED net | |
7647 | endif | |
7648 | ||
7649 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7650 | tflags __DKIMWL_WL_MEDHI net | |
7651 | endif | |
7652 | ||
7653 | header __DKIM_EXISTS exists:DKIM-Signature | |
7654 | tflags __DKIM_EXISTS nice | |
7655 | ||
7656 | body __DLND_ATTACH /\bdownload\sthe\sattach(?:ed|ment)\b/i | |
7657 | ||
7658 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7659 | meta __DOC_ATTACH 0  # fallback: without MIMEHeader the rule is defined as never hitting, so metas that reference it still resolve | |
7660 | endif | |
7661 | ||
7662 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7663 | meta __DOC_ATTACH (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2)  # Word/RTF attachment seen by MIME type or by file name in either header | |
7664 | endif | |
7665 | ||
7666 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7667 | meta __DOC_ATTACH_FN1 0  # fallback when MIMEHeader is not loaded | |
7668 | endif | |
7669 | ||
7670 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7671 | mimeheader __DOC_ATTACH_FN1 Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i  # double-quoted parameter value in Content-Type ending in .doc, .docx or .rtf. NOTE(review): only the ="..." form is matched; unquoted or RFC 2231 extended (name*=) values are not, confirm whether another rule covers them | |
7672 | endif | |
7673 | ||
7674 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7675 | meta __DOC_ATTACH_FN2 0  # fallback when MIMEHeader is not loaded | |
7676 | endif | |
7677 | ||
7678 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7679 | mimeheader __DOC_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i  # same file-name pattern as __DOC_ATTACH_FN1, applied to Content-Disposition; the same quoted-only caveat applies | |
7680 | endif | |
7681 | ||
7682 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7683 | meta __DOC_ATTACH_MT 0  # fallback when MIMEHeader is not loaded | |
7684 | endif | |
7685 | ||
7686 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7687 | mimeheader __DOC_ATTACH_MT Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i  # declared MIME type is one of the Word or RTF types; m,..., is used as the delimiter so the slashes need no escaping | |
7688 | endif | |
7689 | ||
7690 | body __DORMANT_ACCT /\b(?:(?:dormant|abandoned|left\s?over)\s(?:account|fund|transaction|sum|deposit)|fonds\sdorment)/i | |
7691 | ||
7692 | body __DOS_BODY_FRI /\bfri(?:day)?\b/i | |
7693 | ||
7694 | body __DOS_BODY_MON /\bmon(?:day)?\b/i | |
7695 | ||
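7696 | body __DOS_BODY_SAT /\bsat(?:urday)?\b/i  # "Sat" or "Saturday" as a whole word, used by __DOS_REF_TODAY; the optional suffix was (?:day)?, which accepted "satday" and never matched "Saturday" | |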
7697 | ||
7698 | body __DOS_BODY_STOCK /\bstock\b/i | |
7699 | ||
7700 | body __DOS_BODY_SUN /\bsun(?:day)?\b/i | |
7701 | ||
7702 | body __DOS_BODY_THU /\bthu(?:r(?:s(?:day)?)?)?\b/i | |
7703 | ||
7704 | body __DOS_BODY_TICKER /\b[A-Z]{4}\.(?:OB|PK)\b/ | |
7705 | ||
7706 | body __DOS_BODY_TUE /\btue(?:s(?:day)?)?\b/i | |
7707 | ||
7708 | body __DOS_BODY_WED /\bwed(?:nesday)?\b/i | |
7709 | ||
7710 | body __DOS_COMING_TO_YOUR_PLACE /I (?:am|might(?: be)?) c[a-z]?o[a-z]?m[a-z]?(?:i[a-z]?n[a-z]?g[a-z]{0,2}|e down) to y[!a-z]{2,4}r (?:city|place[a-z]{0,2}|co[a-z]?u[a-z]?n[a-z]?t[a-z]?ry) in (?:f[a-z]?e[a-z]?w|\d{1,2}) (?:day|week)s/ | |
7711 | ||
7712 | body __DOS_CORRESPOND_EMAIL /correspond with me using my email/ | |
7713 | ||
7714 | meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT | |
7715 | ||
7716 | meta __DOS_DIRECT_TO_MX_UNTRUSTED __DOS_DIRECT_TO_MX && !ALL_TRUSTED | |
7717 | ||
7718 | body __DOS_DROP_ME_A_LINE /Drop me a line at/ | |
7719 | ||
7720 | body __DOS_EMAIL_DIRECTLY /(?:Email m[a-z]?e|address) direc(?:tl|lt)y at/ | |
7721 | ||
7722 | body __DOS_FIN_ADVANTAGE /\bfinancial advantage/i | |
7723 | ||
7724 | uri __DOS_HAS_ANY_URI /^\w+:\/\// | |
7725 | ||
7726 | header __DOS_HAS_LIST_ID exists:List-ID | |
7727 | ||
7728 | header __DOS_HAS_LIST_UNSUB exists:List-Unsubscribe | |
7729 | ||
7730 | header __DOS_HAS_MAILING_LIST exists:Mailing-List | |
7731 | ||
7732 | body __DOS_HI /^Hi,$/ | |
7733 | ||
7734 | body __DOS_I_AM_25 /I a.?m 25/ | |
7735 | ||
7736 | body __DOS_I_DRIVE_A /I drive a/ | |
7737 | ||
7738 | body __DOS_LET_GO_JOB /I was (?:let go|fired|layed off|dismissed) from a job I h(?:el|a)d for (?:2\d years|\d{3} months)/ | |
7739 | ||
7740 | body __DOS_LINK /\blink\b/ | |
7741 | ||
7742 | body __DOS_MEET_EACH_OTHER /(?:meet each other|[Mm]ay ?be we can meet)/ | |
7743 | ||
7744 | header __DOS_MSGID_DIGITS10 Message-ID =~ /<1[013-9]\d{8}\@.*>/ | |
7745 | ||
7746 | header __DOS_MSGID_DIGITS9 Message-ID =~ /<\d{9}\@.*>/ | |
7747 | ||
7748 | body __DOS_MY_OLD_JOB /my old job/ | |
7749 | ||
7750 | body __DOS_PERSONAL_EMAIL /personal email at/ | |
7751 | ||
7752 | header __DOS_RCVD_FRI Received =~ / Fri, / | |
7753 | ||
7754 | header __DOS_RCVD_MON Received =~ / Mon, / | |
7755 | ||
7756 | header __DOS_RCVD_SAT Received =~ / Sat, / | |
7757 | ||
7758 | header __DOS_RCVD_SUN Received =~ / Sun, / | |
7759 | ||
7760 | header __DOS_RCVD_THU Received =~ / Thu, / | |
7761 | ||
7762 | header __DOS_RCVD_TUE Received =~ / Tue, / | |
7763 | ||
7764 | header __DOS_RCVD_WED Received =~ / Wed, / | |
7765 | ||
7766 | meta __DOS_REF_2_WK_DAYS (__DOS_RCVD_MON && __DOS_BODY_WED) || (__DOS_RCVD_TUE && __DOS_BODY_THU) || (__DOS_RCVD_WED && __DOS_BODY_FRI) || (__DOS_RCVD_THU && __DOS_BODY_MON) || (__DOS_RCVD_FRI && __DOS_BODY_TUE) || (__DOS_RCVD_SAT && __DOS_BODY_TUE) || (__DOS_RCVD_SUN && __DOS_BODY_TUE) | |
7767 | ||
7768 | meta __DOS_REF_NEXT_WK_DAY (__DOS_RCVD_MON && __DOS_BODY_TUE) || (__DOS_RCVD_TUE && __DOS_BODY_WED) || (__DOS_RCVD_WED && __DOS_BODY_THU) || (__DOS_RCVD_THU && __DOS_BODY_FRI) || (__DOS_RCVD_FRI && __DOS_BODY_MON) || (__DOS_RCVD_SAT && __DOS_BODY_MON) || (__DOS_RCVD_SUN && __DOS_BODY_MON) | |
7769 | ||
7770 | meta __DOS_REF_TODAY (__DOS_RCVD_MON && __DOS_BODY_MON) || (__DOS_RCVD_TUE && __DOS_BODY_TUE) || (__DOS_RCVD_WED && __DOS_BODY_WED) || (__DOS_RCVD_THU && __DOS_BODY_THU) || (__DOS_RCVD_FRI && __DOS_BODY_FRI) || (__DOS_RCVD_SAT && __DOS_BODY_SAT) || (__DOS_RCVD_SUN && __DOS_BODY_SUN) | |
7771 | ||
7772 | header __DOS_RELAYED_EXT ALL-EXTERNAL =~ /(?:^|\n)[Rr][eE][cC][eE][iI][vV][eE][dD]:\s.+\n[Rr][eE][cC][eE][iI][vV][eE][dD]:\s/s | |
7773 | ||
7774 | header __DOS_SINGLE_EXT_RELAY X-Spam-Relays-External =~ /^\[ [^\]]+ \]$/ | |
7775 | ||
7776 | body __DOS_STEADY_COURSE /\bsteady (?:and increasing )?course\b/i | |
7777 | ||
7778 | body __DOS_STRONG_CF /\bstrong cash flow/i | |
7779 | ||
7780 | body __DOS_TAKING_HOME /Taking home \d (?:digit level|figures) in \d{1,2} months/ | |
7781 | ||
7782 | body __DOS_WRITE_ME_AT /[Ww].?r.?i.?t.?e me at/ | |
7783 | ||
7784 | meta __DOTGOV_IMAGE __URI_DOTGOV && __REMOTE_IMAGE | |
7785 | ||
7786 | meta __DYNAMIC_IMGUR __IMGUR_IMG && __RDNS_DYNAMIC_IPADDR | |
7787 | ||
7788 | body __EARLY_DEMISE /\buntimely\sdeath\b/i | |
7789 | ||
7790 | header __EBAY_ADDRESS From:addr =~ /[\@.]ebay\.\w\w\w?(?:\.\w\w)?$/i | |
7791 | ||
7792 | meta __EBAY_IMG_NOT_RCVD_EBAY __URI_IMG_EBAY && !__HDR_RCVD_EBAY | |
7793 | ||
7794 | meta __EMAIL_PHISH (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN) > 1) && !__EMAIL_PHISH_MANY  # sum of mailbox-phishing indicators (the OR group adds at most 1) must exceed 1; suppressed when __EMAIL_PHISH_MANY hits, so the two rules never fire together | |
7795 | ||
7796 | meta __EMAIL_PHISH_MANY (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ) > 3)  # same indicators plus __TO_IN_SUBJ, __SUBJ_DOM_ADMIN and __FROM_DOM_ADMIN; the sum must exceed 3. NOTE(review): __TO_IN_SUBJ is added directly and is also a member of the OR group, so a single hit can contribute 2 to the sum; confirm intended | |
7797 | ||
7798 | meta __EMPTY_BODY __BODY_TEXT_LINE < 2 && !__SMIME_MESSAGE | |
7799 | ||
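7800 | body __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:[a-z]{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i  # opt-out wording such as "stop ... these emails" or "removed from our mailing"; up to four filler words may precede "from". The filler group is the class [a-z]{1,30}; it was written without brackets, which matched only the literal text "a-z" | |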
7801 | ||
7802 | header __ENVFROM_AMAZONSES EnvelopeFrom =~ /\@amazonses\.com$/ | |
7803 | ||
7804 | header __ENVFROM_GOOG_TRIX EnvelopeFrom =~ /(?:@|=)trix\.bounces\.google\.com(?:$|=)/ | |
7805 | ||
7806 | meta __ENVFROM_GOOG_TRIX_SPAMMY __ENVFROM_GOOG_TRIX && (__GOOGLE_DOC_SUSP || FREEMAIL_REPLYTO_END_DIGIT || __ADVANCE_FEE_2_NEW || FORGED_GMAIL_RCVD || LOTS_OF_MONEY || __HAS_X_SOURCE_DIR ) | |
7807 | ||
7808 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7809 | meta __EXE_ATTACH 0  # fallback: without MIMEHeader the rule is defined as never hitting | |
7810 | endif | |
7811 | ||
7812 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7813 | mimeheader __EXE_ATTACH Content-Type =~ /\.exe\b/i  # ".exe" followed by a word boundary anywhere in a part's Content-Type header. NOTE(review): unlike __DOC_ATTACH_FN2, no Content-Disposition file name is checked by this rule; confirm whether a part that names the file only there is covered elsewhere | |
7814 | endif | |
7815 | ||
7816 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7817 | body __EXPLOSIVE_DEVICE /\b(?:explosive\sdevice|bomb)\b/i | |
7818 | endif | |
7819 | ||
7820 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7821 | body __EXPLOSIVE_DEVICE /(?:^|\s)(?:<E><X><P><L><O><S><I><V><E>\s<D><E><V><I><C><E>|<B><O><M><B>)\s/i | |
7822 | endif | |
7823 | ||
7824 | meta __EXTORT_MANY (__MY_MALWARE + __PAY_ME + __MY_VICTIM + __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE + __YOUR_PASSWORD + LOCALPART_IN_SUBJECT + __DESTROY_ME + __DESTROY_YOU + __EXPLOSIVE_DEVICE + __PAXFUL + __HUSH_HUSH) > 3  # adds up the hits of 14 extortion-wording indicators and fires when the total exceeds 3; no single phrase is enough on its own | |
7825 | ||
7826 | body __EX_CUSTOMER /\b(?:(?:dead|deceased|late|verstorbenen|death\sof\sthe)\s(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|depositor|mr\.|kunde|engr?\.?)|titulaire\sdu\scompte\sest\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|invest[eo]r\sdied|(?:e|=E9|[\xe9]|[\xc3][\xa9])tranger\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|mr\.|kunde|engr?\.?)\s(?:[a-z]{1,10}\s)?(?:dead|deceased|verstorbenen))/i | |
7827 | ||
7828 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7829 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7830 | body __E_LIKE_LETTER /<lcase_e>/ | |
7831 | tflags __E_LIKE_LETTER multiple maxhits=320 | |
7832 | endif | |
7833 | endif | |
7834 | ||
7835 | body __FAILED_LOGINS /unsuc+es+ful log-?[io]n at+empts/i | |
7836 | ||
7837 | body __FBI_BODY_SHOUT_1 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/  # upper-case agency name at the start of the matched text; case-sensitive, there is no /i | |
7838 | ||
7839 | rawbody __FBI_BODY_SHOUT_2 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/m  # same phrase against the raw body; /m lets ^ match at the start of any line | |
7840 | ||
7841 | header __FBI_FM_DOM From:addr =~ /\bfbi\.gov$/  # From address ends in fbi.gov. NOTE(review): \b is satisfied by any non-word character before "fbi", so a label ending in "-fbi" also matches; harmless for a claim indicator, but confirm | |
7842 | ||
7843 | header __FBI_FM_NAME From:name =~ /federal\sbureau\sof\sinvestigation/i  # display name of From contains the agency name, any case | |
7844 | ||
7845 | header __FBI_RCVD_DOM X-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov /  # an external relay entry whose rdns= value ends in fbi.gov; this is the exemption used by __FBI_SPOOF. NOTE(review): the boundary is \b rather than a literal dot, so a reverse-DNS name ending in "-fbi.gov" also satisfies it and suppresses the spoof hit; confirm whether \.fbi\.gov was intended | |
7846 | ||
7847 | meta __FBI_SPOOF (__FBI_FM_NAME || __FBI_FM_DOM || __FBI_BODY_SHOUT_1 || __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __HAS_REPLY_TO  # message claims FBI origin in the From name, From domain or body, no external relay has fbi.gov reverse DNS, and __HAS_REPLY_TO (defined elsewhere in the file) also hits | |
7848 | ||
7849 | body __FB_COST /\bcost\b/i | |
7850 | ||
7851 | body __FB_NUM_PERCNT /\d\s?\%/ | |
7852 | ||
7853 | body __FB_S_PRICE /pri{1,2}c[a-z]?e/i | |
7854 | ||
7855 | body __FB_S_STOCK /\bstock/i | |
7856 | ||
7857 | body __FB_TOUR /\btour/i | |
7858 | ||
7859 | body __FEES /\b(?:security|safe\w*|courier|registration|pay|paid|up-?front|processing|delivery|transfer|keeping)[\s\w]{0,15}\s(?:fee|charge)s?\b/i | |
7860 | ||
7861 | body __FIFTY_FIFTY /\b(?:50|fifty)(?:%?[\/:]50%?|%|\spercent)/i | |
7862 | ||
7863 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7864 | meta __FILL_THIS_FORM 0 | |
7865 | endif | |
7866 | ||
7867 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7868 | meta __FILL_THIS_FORM (__FILL_THIS_FORM_LONG || __FILL_THIS_FORM_PARTIAL > 4 || __FILL_THIS_FORM_PARTIAL_RAW > 4) | |
7869 | endif | |
7870 | ||
7871 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7872 | meta __FILL_THIS_FORM_FRAUD_PHISH 0 | |
7873 | endif | |
7874 | ||
7875 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7876 | meta __FILL_THIS_FORM_FRAUD_PHISH (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FILL_THIS_FORM_FRAUD_PHISH1 || __EMAIL_PHISH || __ACCT_PHISH) | |
7877 | endif | |
7878 | ||
7879 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7880 | meta __FILL_THIS_FORM_FRAUD_PHISH1 0 | |
7881 | endif | |
7882 | ||
7883 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7884 | body __FILL_THIS_FORM_FRAUD_PHISH1 /<FF_YOUR>(?:<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i | |
7885 | endif | |
7886 | ||
7887 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7888 | meta __FILL_THIS_FORM_LOAN 0 | |
7889 | endif | |
7890 | ||
7891 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7892 | meta __FILL_THIS_FORM_LOAN __FILL_THIS_FORM && __FILL_THIS_FORM_LOAN1 | |
7893 | endif | |
7894 | ||
7895 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7896 | meta __FILL_THIS_FORM_LOAN1 0 | |
7897 | endif | |
7898 | ||
7899 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7900 | body __FILL_THIS_FORM_LOAN1 /<FF_YOUR><FF_L1><FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i | |
7901 | endif | |
7902 | ||
7903 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7904 | meta __FILL_THIS_FORM_LONG 0 | |
7905 | endif | |
7906 | ||
7907 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7908 | meta __FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG1 || __FILL_THIS_FORM_LONG2 | |
7909 | endif | |
7910 | ||
7911 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7912 | meta __FILL_THIS_FORM_LONG1 0 | |
7913 | endif | |
7914 | ||
7915 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7916 | body __FILL_THIS_FORM_LONG1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i | |
7917 | endif | |
7918 | ||
7919 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7920 | meta __FILL_THIS_FORM_LONG2 0 | |
7921 | endif | |
7922 | ||
7923 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7924 | body __FILL_THIS_FORM_LONG2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i | |
7925 | endif | |
7926 | ||
7927 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7928 | meta __FILL_THIS_FORM_PARTIAL 0 | |
7929 | endif | |
7930 | ||
7931 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7932 | body __FILL_THIS_FORM_PARTIAL /^\s?<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20){1,4}$)/im | |
7933 | tflags __FILL_THIS_FORM_PARTIAL multiple maxhits=5 | |
7934 | endif | |
7935 | ||
7936 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7937 | meta __FILL_THIS_FORM_PARTIAL_RAW 0 | |
7938 | endif | |
7939 | ||
7940 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7941 | rawbody __FILL_THIS_FORM_PARTIAL_RAW /^(?>\s{0,50})<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20| |<\/\w+>){0,4}$)/im | |
7942 | tflags __FILL_THIS_FORM_PARTIAL_RAW multiple maxhits=5 | |
7943 | endif | |
7944 | ||
7945 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7946 | meta __FILL_THIS_FORM_SHORT 0 | |
7947 | endif | |
7948 | ||
7949 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7950 | meta __FILL_THIS_FORM_SHORT !__FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT1 || __FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_PARTIAL > 2 || __FILL_THIS_FORM_PARTIAL_RAW > 2) | |
7951 | endif | |
7952 | ||
7953 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7954 | meta __FILL_THIS_FORM_SHORT1 0 | |
7955 | endif | |
7956 | ||
7957 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7958 | body __FILL_THIS_FORM_SHORT1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i | |
7959 | endif | |
7960 | ||
7961 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7962 | meta __FILL_THIS_FORM_SHORT2 0 | |
7963 | endif | |
7964 | ||
7965 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7966 | body __FILL_THIS_FORM_SHORT2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i | |
7967 | endif | |
7968 | ||
7969 | header __FLASHMAIL_MUA X-Mailer =~ /^NetEase Flash Mail \d/ | |
7970 | ||
7971 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7972 | meta __FM_MY_PRICE __FB_S_PRICE | |
7973 | endif | |
7974 | ||
7975 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7976 | meta __FM_MY_PRICE (__FB_S_PRICE || __FRT_PRICE) | |
7977 | endif | |
7978 | ||
7979 | meta __FM_TO_ALL_NUMS __FROM_ALL_NUMS && __TO_ALL_NUMS | |
7980 | ||
7981 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7982 | rawbody __FONT_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w/i  # an HTML tag other than style whose attributes set a font size starting with 0 or 1 in px/pt/Q/vw/vh/vmin, zero in cm/mm/pc/ch/rem/lh/vmax/%, 0.0x in em/ex/in, or color: transparent, and which is directly followed by a word character; that is, text present in the markup that a reader is unlikely to see. The two [^>] runs are bounded at 80 characters each | |
7983 | tflags __FONT_INVIS multiple maxhits=11  # count up to 11 occurrences so the __FONT_INVIS_2, _5 and _10 metas can threshold on the hit count | |
7984 | endif | |
7985 | ||
7986 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7987 | meta __FONT_INVIS_10 __FONT_INVIS > 10 | |
7988 | endif | |
7989 | ||
7990 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7991 | meta __FONT_INVIS_2 __FONT_INVIS > 2 | |
7992 | endif | |
7993 | ||
7994 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7995 | meta __FONT_INVIS_5 __FONT_INVIS > 5 | |
7996 | endif | |
7997 | ||
7998 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7999 | meta __FONT_INVIS_CENTER __FONT_INVIS && __TAG_EXISTS_CENTER | |
8000 | endif | |
8001 | ||
8002 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8003 | meta __FONT_INVIS_DIRECT __FONT_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED | |
8004 | endif | |
8005 | ||
8006 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8007 | meta __FONT_INVIS_DOTGOV __FONT_INVIS && __URI_DOTGOV | |
8008 | endif | |
8009 | ||
8010 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8011 | meta __FONT_INVIS_HTML_NOHTML __FONT_INVIS && HTML_MIME_NO_HTML_TAG | |
8012 | endif | |
8013 | ||
8014 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8015 | meta __FONT_INVIS_LONG_LINE __FONT_INVIS && __LONGLINE | |
8016 | endif | |
8017 | ||
8018 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8019 | meta __FONT_INVIS_MANY __FONT_INVIS_2 | |
8020 | endif | |
8021 | ||
8022 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8023 | meta __FONT_INVIS_MSGID __FONT_INVIS && __MSGID_OK_HOST | |
8024 | endif | |
8025 | ||
8026 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8027 | meta __FONT_INVIS_NORDNS __FONT_INVIS && __RDNS_NONE | |
8028 | endif | |
8029 | ||
8030 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8031 | meta __FONT_INVIS_SINGLET __FONT_INVIS && __HTML_SINGLET | |
8032 | endif | |
8033 | ||
8034 | header __FORGED_MUA_POSTFIX0 User-Agent =~ /Postfix/ | |
8035 | ||
8036 | header __FORGED_MUA_POSTFIX1 X-Mailer =~ /Postfix/ | |
8037 | ||
8038 | meta __FORGED_TBIRD_IMG __MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0D | |
8039 | describe __FORGED_TBIRD_IMG Possibly forged Thunderbird image spam | |
8040 | ||
8041 | meta __FORM_FRAUD (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 1) | |
8042 | ||
8043 | meta __FORM_FRAUD_3 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3) | |
8044 | ||
8045 | meta __FORM_FRAUD_5 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5) | |
8046 | ||
8047 | meta __FORM_LOW_CONTRAST (__FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_SHORT2) && __HTML_FONT_LOW_CONTRAST_MINFP  # fill-in-form wording combined with low-contrast HTML text. NOTE(review): both operands of the OR are __FILL_THIS_FORM_SHORT2, so the group reduces to that one rule; one side was presumably meant to be a different rule such as __FILL_THIS_FORM_SHORT1, confirm against the rule's source | |
8048 | ||
8049 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8050 | body __FOR_SALE_LTP /00\.? (?:less 10%|LTP)/i | |
8051 | tflags __FOR_SALE_LTP multiple maxhits=11 | |
8052 | endif | |
8053 | ||
8054 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8055 | meta __FOR_SALE_LTP_MANY __FOR_SALE_LTP > 10 | |
8056 | endif | |
8057 | ||
8058 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8059 | body __FOR_SALE_NET /00\.? NET/i | |
8060 | tflags __FOR_SALE_NET multiple maxhits=11 | |
8061 | endif | |
8062 | ||
8063 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8064 | meta __FOR_SALE_NET_MANY __FOR_SALE_NET > 10 | |
8065 | endif | |
8066 | ||
8067 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8068 | body __FOR_SALE_OBO /\bor best offer\b/i | |
8069 | tflags __FOR_SALE_OBO multiple maxhits=6 | |
8070 | endif | |
8071 | ||
8072 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8073 | meta __FOR_SALE_OBO_MANY __FOR_SALE_OBO > 5 | |
8074 | endif | |
8075 | ||
8076 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8077 | body __FOR_SALE_PRC_100K /\bprice:? \$\d\d\d,\d\d\d/i | |
8078 | tflags __FOR_SALE_PRC_100K multiple maxhits=11 | |
8079 | endif | |
8080 | ||
8081 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8082 | meta __FOR_SALE_PRC_100K_MANY __FOR_SALE_PRC_100K > 5 | |
8083 | endif | |
8084 | ||
8085 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8086 | body __FOR_SALE_PRC_10K /\bprice:? \$\d\d,\d\d\d/i | |
8087 | tflags __FOR_SALE_PRC_10K multiple maxhits=11 | |
8088 | endif | |
8089 | ||
8090 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8091 | meta __FOR_SALE_PRC_10K_MANY __FOR_SALE_PRC_10K > 10 | |
8092 | endif | |
8093 | ||
8094 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8095 | body __FOR_SALE_PRC_1K /\bprice:? \$\d,?\d\d\d[.\s]/i | |
8096 | tflags __FOR_SALE_PRC_1K multiple maxhits=11 | |
8097 | endif | |
8098 | ||
8099 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8100 | meta __FOR_SALE_PRC_1K_MANY __FOR_SALE_PRC_1K > 10 | |
8101 | endif | |
8102 | ||
8103 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8104 | rawbody __FOR_SALE_PRC_EOL /\s\$\d{1,3},\d00(?:\.00)?$/m | |
8105 | tflags __FOR_SALE_PRC_EOL multiple maxhits=11 | |
8106 | endif | |
8107 | ||
8108 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8109 | meta __FOR_SALE_PRC_EOL_MANY __FOR_SALE_PRC_EOL > 10 | |
8110 | endif | |
8111 | ||
8112 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8113 | meta __FOR_SALE_PRC_MANY (__FOR_SALE_PRC_1K + __FOR_SALE_PRC_10K + __FOR_SALE_PRC_100K) > 20 | |
8114 | endif | |
8115 | ||
8116 | body __FOUND_YOU /\b(?:I|we)\sfound\syour?\b/i | |
8117 | ||
8118 | body __FRAUD /\b(?:de)?fraud/i | |
8119 | ||
8120 | body __FRAUD_IOV /\b(?:no risks?|risky?[- ]{0,3}free|free of risks?|100% safe|v\S{1,3}llig Risikofrei ist)\b/i | |
8121 | ||
8122 | body __FRAUD_PTX /\b(?:ass?ass?inat(?:ed|ion)|murder(?:e?d)?|poison(?:e?d)?|kill(?:ed|ing|ers)\b[^.]{0,99}\b(?:war veterans|rebels?)|les tueurs)\b/i | |
8123 | ||
8124 | body __FRAUD_XWW /\b(?:honest(?:ly)?\sco(?:-?operat(?:e|ion)|llaborat(?:e|ion))|ehrliche\szusammenarbeit|sichere [kc]o+p[eo]ration|col+aboration\swith\sme)\b/i | |
8125 | ||
8126 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
8127 | header __FREEMAIL_DISPTO eval:check_freemail_header('Disposition-Notification-To') | |
8128 | endif | |
8129 | ||
8130 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
8131 | meta __FREEMAIL_DOC_PDF (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) | |
8132 | endif | |
8133 | ||
8134 | meta __FREEMAIL_WFH_01 (FREEMAIL_FROM || FREEMAIL_REPLYTO) && __WFH_01 | |
8135 | ||
8136 | meta __FREEM_FRNUM_UNICD_EMPTY FREEMAIL_FROM && __FROM_ALL_NUMS && __FROM_ENCODED_B64 && __SUBJECT_ENCODED_B64 && __EMPTY_BODY | |
8137 | ||
8138 | if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
8139 | meta __FROM_41_FREEMAIL 0 | |
8140 | endif | |
8141 | ||
8142 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
8143 | meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED | |
8144 | describe __FROM_41_FREEMAIL Sent from Africa + freemail provider | |
8145 | endif | |
8146 | ||
8147 | if (version >= 3.004002) | |
8148 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8149 | header __FROM_ADDRLIST_BANKS eval:check_from_in_list('BANKS') | |
8150 | endif | |
8151 | endif | |
8152 | ||
8153 | if (version >= 3.004002) | |
8154 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8155 | header __FROM_ADDRLIST_GOV eval:check_from_in_list('GOV') | |
8156 | endif | |
8157 | endif | |
8158 | ||
8159 | if (version >= 3.004002) | |
8160 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8161 | header __FROM_ADDRLIST_PAYPAL eval:check_from_in_list('PAYPAL') | |
8162 | endif | |
8163 | endif | |
8164 | ||
8165 | if (version >= 3.004002) | |
8166 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8167 | header __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD') | |
8168 | endif | |
8169 | endif | |
8170 | ||
8171 | header __FROM_ADDR_WS From:addr =~ /\s/ | |
8172 | ||
8173 | header __FROM_ADMIN From =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i | |
8174 | ||
8175 | header __FROM_ALL_HEX From:addr =~ /^(?!(?:19|20)\d\d[01]\d[0-3]\d)(?![0-9a-f]*[a-f]{3})[0-9a-f]+\@/ | |
8176 | ||
8177 | header __FROM_ALL_NUMS From:addr =~ /^\d+@/ | |
8178 | ||
8179 | header __FROM_AMEX From =~ /american\s?express/i | |
8180 | ||
8181 | header __FROM_ASB_BANK From:addr =~ /\basb\.co\.nz$/i | |
8182 | ||
8183 | header __FROM_BANK_LOOSE From =~ /ban(?:k|co)/i | |
8184 | ||
8185 | header __FROM_CHASE From:addr =~ /chase(?:2?-?paymentech)\.com$/i  # From address ending in chasepaymentech.com, optionally with "2" and/or "-" after "chase"; feeds __FROM_MISSP_PHISH. NOTE(review): the (?:2?-?paymentech) group is not optional, so an address at plain chase.com never matches, and there is no left anchor before "chase"; confirm both are intended | |
8186 | ||
8187 | header __FROM_CMNWLTH_BANK From:addr =~ /\bcommonwealth\.com\.au$/i | |
8188 | ||
8189 | header __FROM_DNS From =~ /(?<![^\w.-])dns(?:admin)?\@/i | |
8190 | ||
8191 | meta __FROM_DOM_ADMIN __FROM_ADMIN && __PDS_FROM_NAME_TO_DOMAIN | |
8192 | ||
8193 | header __FROM_DOM_INFO From:addr =~ /\.info$/i | |
8194 | ||
8195 | header __FROM_EBAY From:addr =~ /\@ebay\.com$/i | |
8196 | ||
8197 | header __FROM_EBAY_LOOSE From =~ /\be-?bay\b/i | |
8198 | ||
8199 | header __FROM_EQ_ORG_1 ALL =~ /\nFrom: "?([^\n]+)"? <[^>]+>\n.*Organization: \1\n/ism | |
8200 | ||
8201 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
8202 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
8203 | header __FROM_EQ_REPLY eval:check_fromname_equals_replyto() | |
8204 | endif | |
8205 | endif | |
8206 | ||
| | # These four stanzas only attach the "net" test flag to the __FROM_FMBLA_* sub-rules, and only when SpamAssassin is 3.4.1 or later and the AskDNS plugin is loaded. | |
| | # The rule definitions themselves are not in this part of the file. | |
| | # "net" marks a rule as a network test, so it does not run when network tests are disabled; metas that depend on these sub-rules lose that signal in local-only scanning. | |
8207 | if (version >= 3.004001) | |
8208 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
8209 | tflags __FROM_FMBLA_NDBLOCKED net | |
8210 | endif | |
8211 | endif | |
8212 | ||
8213 | if (version >= 3.004001) | |
8214 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
8215 | tflags __FROM_FMBLA_NEWDOM net | |
8216 | endif | |
8217 | endif | |
8218 | ||
8219 | if (version >= 3.004001) | |
8220 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
8221 | tflags __FROM_FMBLA_NEWDOM14 net | |
8222 | endif | |
8223 | endif | |
8224 | ||
8225 | if (version >= 3.004001) | |
8226 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
8227 | tflags __FROM_FMBLA_NEWDOM28 net | |
8228 | endif | |
8229 | endif | |
8230 | ||
8231 | header __FROM_FULL_NAME From:name =~ /^[^a-z[:punct:][:cntrl:]\d\s][^[:punct:][:cntrl:]\d\s]*[[:punct:]\s]+[^a-z[:punct:][:cntrl:]\d\s]/ | |
8232 | tflags __FROM_FULL_NAME nice | |
8233 | ||
8234 | header __FROM_HSBC From:addr =~ /\bhsbc\.co\.uk$/i | |
8235 | ||
8236 | header __FROM_INFO From =~ /(?<![^\w.-])info\@/i | |
8237 | ||
8238 | header __FROM_LLOYDSTSB From:addr =~ /\blloyds(?:tsb)\.(?:co\.uk|com)$/i | |
8239 | ||
8240 | header __FROM_LOWER ALL =~ /from:\s\S{5}/ | |
8241 | ||
8242 | header __FROM_MISSPACED From =~ /^\s*"[^"]*"</ | |
8243 | ||
8244 | meta __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __LCL__ENV_AND_HDR_FROM_MATCH | |
8245 | ||
8246 | if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
8247 | meta __FROM_MISSP_FREEMAIL 0 | |
8248 | endif | |
8249 | ||
8250 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
8251 | meta __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO) | |
8252 | endif | |
8253 | ||
| | # Phishing sub-rule: a From header whose quoted display name runs straight into "<" with no space (__FROM_MISSPACED), combined with any one of the bank or payment brand From rules. | |
| | # Several of the brand rules listed here are deliberately loose (substring or end-anchored only), which suits this use: the meta asks whether the sender claims a brand, not whether the brand sent the mail. | |
8254 | meta __FROM_MISSP_PHISH __FROM_MISSPACED && (__FROM_ASB_BANK || __FROM_AMEX || __FROM_BANK_LOOSE || __FROM_CHASE || __FROM_CMNWLTH_BANK || __FROM_EBAY_LOOSE || __FROM_HSBC || __FROM_LLOYDSTSB || __FROM_PAYPAL_LOOSE || __FROM_WELLSFARGO || __FROM_WESTERNUNION) | |
8255 | ||
8256 | meta __FROM_MISSP_REPLYTO __FROM_RUNON && __HAS_REPLY_TO | |
8257 | ||
8258 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
8259 | meta __FROM_MULTI_NORDNS __PDS_FROM_2_EMAILS && __RDNS_NONE | |
8260 | endif | |
8261 | ||
8262 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
8263 | meta __FROM_MULTI_SHORT_IMG __PDS_FROM_2_EMAILS && (HTML_IMAGE_ONLY_16 || HTML_SHORT_LINK_IMG_2 || __HTML_IMG_ONLY) | |
8264 | endif | |
8265 | ||
8266 | header __FROM_NAME_APPLECOM From:name =~ /\bapple\.com\b/i | |
8267 | ||
8268 | header __FROM_NAME_EBAYCOM From:name =~ /\bebay\.com\b/i | |
8269 | ||
8270 | full __FROM_NAME_IN_MSG /^From:\s+([^<]\S+\s\S+)\s(?=.{1,2048}^\1\r?$)/sm | |
8271 | ||
| | # Three PayPal checks of different strictness; they answer different questions and are not interchangeable. | |
| | # __FROM_NAME_PAYPALCOM: the display name (not the address) contains "paypal.com". The display name is free text chosen by the sender. | |
8272 | header __FROM_NAME_PAYPALCOM From:name =~ /\bpaypal\.com\b/i | |
8273 | ||
| | # __FROM_PAYPAL: the address domain is exactly "paypal.com" ("\@" on the left, "$" on the right); subdomains do not match. | |
| | # This inspects the header address only; it says nothing about whether the message passed SPF, DKIM or DMARC. | |
8274 | header __FROM_PAYPAL From:addr =~ /\@paypal\.com$/i | |
8275 | ||
| | # __FROM_PAYPAL_LOOSE: the string "paypal" appears anywhere in the From header, display name included. | |
8276 | header __FROM_PAYPAL_LOOSE From =~ /paypal/i | |
8277 | ||
8278 | header __FROM_RUNON From =~ /\S+<\w+/ | |
8279 | ||
8280 | header __FROM_RUNON_UNCODED From:raw =~ /\S+(?<!\?=)<\w+/ | |
8281 | ||
8282 | header __FROM_WEB_DAEMON From:addr =~ /(?:apache|www|web|tomcat|\biis\b).*\@/i | |
8283 | ||
| | # Both patterns anchor only the end of the From address. There is no "\@" or "\b" on the left, so an address whose domain merely ends in the brand string also hits (compare __FROM_PAYPAL, which requires "\@paypal\.com$"). | |
| | # In this file they feed __FROM_MISSP_PHISH, where a loose "claims to be this brand" test is what is wanted. Do not reuse them as an allow-list or as proof of origin. | |
8284 | header __FROM_WELLSFARGO From:addr =~ /wellsfargo\.com$/i | |
8285 | ||
8286 | header __FROM_WESTERNUNION From:addr =~ /westernunion\.com$/i | |
8287 | ||
8288 | header __FROM_WORDY From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/ | |
8289 | ||
8290 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8291 | meta __FRT_PRICE 0 | |
8292 | endif | |
8293 | ||
8294 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8295 | body __FRT_PRICE /<inter SP2><post P2>\b(?!price)<P><R><IX><C><E>\b/i | |
8296 | endif | |
8297 | ||
8298 | rawbody __FR_SPACING_8 /[a-z0-9]{6}\s{8}[a-z0-9]{5}/i | |
8299 | ||
8300 | header __FSL_HAS_LIST_UNSUB exists:List-Unsubscribe | |
8301 | ||
8302 | header __FSL_HELO_BARE_IP_1 X-Spam-Relays-External =~ /^[^\]]+ helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} [^\]]*auth= /i | |
8303 | ||
8304 | header __FSL_HELO_USER_1 X-Spam-Relays-External =~ / helo=user /i | |
8305 | ||
8306 | header __FSL_HELO_USER_2 Received =~ /from User(?:\s+by|\s*[\[\(]|$)/i | |
8307 | ||
8308 | header __FSL_HELO_USER_3 Received =~ /(?:eh|he)lo(?:=|\s)User\)/i | |
8309 | ||
8310 | header __FSL_RELAY_GOOGLE X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.google\.com\.? /i | |
8311 | ||
8312 | header __FS_SUBJ_RE Subject =~ /^Re: / | |
8313 | ||
8314 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8315 | body __FUZZY_DR_OZ /(?=<D>)(?!(?-i:D(?:r.|octor)(?:\s| )Oz))(?:<R>|<O><C>(?:<T><O><R>)?)\.?<WS>*<O><Z>(?:$|\W)/i | |
8316 | endif | |
8317 | ||
8318 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8319 | meta __FUZZY_MONERO 0 | |
8320 | endif | |
8321 | ||
8322 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8323 | body __FUZZY_MONERO /(?=<M>)(?!monero)<M><O><N><E><R><O>/i | |
8324 | endif | |
8325 | ||
8326 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8327 | body __FUZZY_PORN /(?=<P>)(?!pornograph?(?:y|i[ca]|er))<P><O><R><N><O><G><R><A><P><H>?(?:<Y>|<I><C>|<E><R>)/i | |
8328 | endif | |
8329 | ||
8330 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8331 | body __FUZZY_WELLSFARGO_BODY /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i | |
8332 | endif | |
8333 | ||
8334 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8335 | header __FUZZY_WELLSFARGO_FROM From:name =~ /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i | |
8336 | endif | |
8337 | ||
8338 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8339 | body __GAPPY_SALES_LEADS /\b(?:business|e?-?mail|your|marketing|advertising)\s(?!sales|leads|campaign)(?:s\s?a\s?l\s?e\s?s|l\s?e\s?a\s?d\s?s|c\s?a\s?m\s?p\s?a\s?i\s?g\s?n)\b/i | |
8340 | tflags __GAPPY_SALES_LEADS multiple maxhits=3 | |
8341 | endif | |
8342 | ||
8343 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8344 | meta __GAPPY_SALES_LEADS_MANY __GAPPY_SALES_LEADS > 2 | |
8345 | endif | |
8346 | ||
8347 | header __GB_FAKE_RF Subject =~ /(Fw|Re)\:{1,2}[\W+]/i | |
8348 | ||
8349 | body __GHANA /\bghana\b/i | |
8350 | ||
8351 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8352 | mimeheader __GIF_ATTACH Content-Type =~ /^image\/gif\b/i | |
8353 | endif | |
8354 | ||
| | # Advance-fee wording: offers to give or donate money, a fund or an inheritance to the reader, a church, a charity or similar, with French and Polish variants (the Polish alternative accepts either a quoted-printable "=F3" or the raw byte). | |
| | # NOTE(review): as written here, "(?:\w\+\s){0,3}" matches one word character followed by a literal plus sign, and "philanthropists\?" requires a literal question mark. | |
| | # If "up to three filler words" and an optional trailing "s" were meant, these would be "\w+\s" and "philanthropists?"; check against the upstream rule before relying on those branches. | |
8355 | body __GIVE_MONEY /\b(?:(?:give\syou\s(?:this\s)?(?:money|fund|inheritance))|(?:donated?\s(?:\w\+\s){0,3}(?:the\ssum\sof|(?:(?:the|this|some)\s(?:money|funds?|inheritance)|to\s)(?:you|(?:(?:the|a)\s)?church|charit(?:y|ies)|humanit\w+|needy|poor|orphan(?:age)?s?|philanthropists\?)))|de vous donner cet argent|faire don de la somme|voudrais en faire don|tego funduszu do dom(?:=F3|[\xf3])w (?:dziecka|wdowy))\b/i | |
8356 | ||
| | # Sub-rules for mail that links to a Google document (__URI_GOOGLE_DOC, defined outside this part of the file) and also carries phishing or fraud indicators. | |
| | # __GOOGLE_DOCS_PHISH_1: document link plus any of the __TVD_PH_* subject or body phishing metas. | |
8357 | meta __GOOGLE_DOCS_PHISH_1 __URI_GOOGLE_DOC && (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) | |
8358 | ||
| | # __GOOGLE_DOCS_PHISH_2: document link plus an e-mail or account phishing hit, but only while neither *_MANY variant has fired, so it covers the low-count case. | |
8359 | meta __GOOGLE_DOCS_PHISH_2 __URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY | |
8360 | ||
| | # __GOOGLE_DOC_SUSP: document link plus one weaker signal (DomainKey-Signature header present, no reverse DNS, sysadmin wording, invisible styling, money wording), and the message did not pass only through trusted relays. | |
| | # The ALL_TRUSTED exclusion depends on the trusted and internal network settings being correct for the site. | |
8361 | meta __GOOGLE_DOC_SUSP __URI_GOOGLE_DOC && (__HAS_DOMAINKEY_SIG || __RDNS_NONE || __SYSADMIN || __STY_INVIS || LOTS_OF_MONEY || __XFER_MONEY || __ADVANCE_FEE_2_NEW) && !ALL_TRUSTED | |
8362 | ||
| | # Links that go through a redirect endpoint on a google.com host. Both patterns use ";" as the regex delimiter so that "/" needs no escaping. | |
| | # A redirector link shows a well-known host to URI reputation checks while the real destination sits in the query string, so these hits are best combined with other evidence. | |
| | # The host part "[^/]*\.google\.com" requires at least one label before "google.com", so a link on the bare "google.com" host does not match either rule. | |
| | # __GOOG_MALWARE_DNLD: the path contains "url?" and, later in the URL, the word "download" preceded by "?", "&" or "/". | |
8363 | uri __GOOG_MALWARE_DNLD m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&/]download;i | |
8364 | ||
| | # __GOOG_REDIR: the path is exactly "/url" followed by a query string. | |
8365 | uri __GOOG_REDIR m;^https?://[^/]*\.google\.com/url\?;i | |
8366 | ||
8367 | meta __GOOG_STO_HTML_PHISH __URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY | |
8368 | ||
8369 | meta __GOOG_STO_IMG_HTML_1 __URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML | |
8370 | ||
8371 | meta __GOOG_STO_IMG_NOHTML __URI_GOOG_STO_IMG && !__URI_GOOG_STO_HTML | |
8372 | ||
8373 | meta __GOOG_STO_NOIMG_HTML !__URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML | |
8374 | ||
8375 | body __HAS_ANY_EMAIL /\w@\S+\.\w/ | |
8376 | ||
8377 | uri __HAS_ANY_URI /^\w+:\/\// | |
8378 | ||
8379 | header __HAS_CAMPAIGNID exists:X-Campaignid | |
8380 | ||
8381 | header __HAS_CID exists:X-CID | |
8382 | ||
8383 | header __HAS_COMPLAINT_TO exists:Complaint-To | |
8384 | ||
8385 | header __HAS_DOMAINKEY_SIG exists:DomainKey-Signature | |
8386 | ||
8387 | describe __HAS_HREF Has an anchor tag with a href attribute in non-quoted line | |
8388 | rawbody __HAS_HREF /^[^>].*?<a href=/im | |
8389 | tflags __HAS_HREF multiple maxhits=100 | |
8390 | ||
8391 | describe __HAS_HREF_ONECASE Has an anchor tag with a href attribute in non-quoted line with consistent case | |
8392 | rawbody __HAS_HREF_ONECASE /^[^>].*?<(a href|A HREF)=/m | |
8393 | tflags __HAS_HREF_ONECASE multiple maxhits=100 | |
8394 | ||
8395 | describe __HAS_IMG_SRC Has an img tag on a non-quoted line | |
8396 | rawbody __HAS_IMG_SRC /^[^>].*?<img src=/im | |
8397 | tflags __HAS_IMG_SRC multiple maxhits=100 | |
8398 | ||
8399 | rawbody __HAS_IMG_SRC_DATA /^[^>].*?<img src=['"]data/im | |
8400 | ||
8401 | describe __HAS_IMG_SRC_ONECASE Has an img tag on a non-quoted line with consistent case | |
8402 | rawbody __HAS_IMG_SRC_ONECASE /^[^>].*?<(img src|IMG SRC)=/m | |
8403 | tflags __HAS_IMG_SRC_ONECASE multiple maxhits=100 | |
8404 | ||
8405 | header __HAS_LIST_OPEN exists:List-Open | |
8406 | ||
8407 | header __HAS_LOGID exists:logid | |
8408 | ||
8409 | header __HAS_MESSAGEID exists:MessageID | |
8410 | ||
8411 | header __HAS_PHP_ORIG_SCRIPT exists:X-PHP-Originating-Script | |
8412 | ||
8413 | header __HAS_PHP_SCRIPT exists:X-PHP-Script | |
8414 | ||
8415 | header __HAS_THREAD_INDEX exists:Thread-Index | |
8416 | ||
8417 | header __HAS_TRACKING_CODE exists:Tracking-Code | |
8418 | ||
8419 | body __HAS_WON_01 /\bque ha ganado\b/i | |
8420 | ||
8421 | header __HAS_XM_LID exists:X-Mailer-LID | |
8422 | ||
8423 | header __HAS_XM_RECPTID exists:X-Mailer-RecptId | |
8424 | ||
8425 | header __HAS_XM_SENTBY exists:X-Mailer-Sent-By | |
8426 | ||
8427 | header __HAS_XM_SID exists:X-Mailer-SID | |
8428 | ||
8429 | header __HAS_X_EBSERVER exists:X-EBSERVER | |
8430 | ||
8431 | header __HAS_X_LETTER exists:X-Letter | |
8432 | ||
8433 | header __HAS_X_NO_RELAY exists:X-No-Relay | |
8434 | ||
8435 | header __HAS_X_OUTGOING_SPAM_STAT exists:X-OutGoing-Spam-Status | |
8436 | ||
8437 | header __HAS_X_SOURCE_DIR exists:X-Source-Dir | |
8438 | ||
8439 | header __HDRS_LCASE ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm | |
8440 | tflags __HDRS_LCASE multiple maxhits=3 | |
8441 | ||
8442 | meta __HDRS_LCASE_KNOWN __MSGID_JAVAMAIL || __UA_MSOEMAC || __UA_MSOMAC || __MSGID_APPLEMAIL || __MSGID_HEX_UID || __MSGID_HEXISH | |
8443 | ||
8444 | header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism | |
8445 | ||
8446 | header __HDR_CASE_REVERSED ALL =~ /^(?!DomainKey)[^-:\s]*[a-z][A-Z]/m | |
8447 | tflags __HDR_CASE_REVERSED multiple maxhits=4 | |
8448 | ||
8449 | header __HDR_ORDER_FTSDMCXXXX ALL =~ /\nFrom: .{1,80}?\nTo: .{1,80}?\nSubject: .{1,200}?\nDate: .{1,40}?\nMIME-Version: .{1,40}?\nContent-Type: .{1,120}?\nX-Priority: .{1,40}?\nX-MSMail-Priority: .{1,40}?\nX-Mailer: .{1,80}?\nX-MimeOLE:/s | |
8450 | ||
| | # Each rule hits when a relay entry in X-Spam-Relays-External carries a reverse-DNS name under the named provider's domain. | |
| | # "\S+\." requires at least one label before the provider domain, so an rdns value equal to the bare domain does not match. | |
| | # Unlike __FSL_RELAY_GOOGLE and __HELO_HIGHPROFILE in this file, these patterns are not tied to the first entry with "^[^\]]+", so the match can come from any hop in the external chain. | |
| | # NOTE(review): hops beyond the first external relay are reconstructed from Received headers that the sending side could have written; confirm that metas using these rules do not treat a hit as authentication of the sender. | |
8451 | header __HDR_RCVD_ALIBABA X-Spam-Relays-External =~ /\srdns=\S+\.alibaba\.com\s/ | |
8452 | ||
8453 | header __HDR_RCVD_AMAZON X-Spam-Relays-External =~ /\srdns=\S+\.amazon(?:ses)?\.com\s/ | |
8454 | ||
| | # This one requires an empty rdns field and then a HELO name ending in "smtp-out.amazonses.com". The HELO name is whatever the connecting client announced, so it is a weaker signal than a reverse-DNS match. | |
8455 | header __HDR_RCVD_AMAZON_HELO X-Spam-Relays-External =~ /\srdns=\shelo=[^.]+\.smtp-out\.amazonses\.com\s/ | |
8456 | ||
8457 | header __HDR_RCVD_APPLE X-Spam-Relays-External =~ /\srdns=\S+\.apple\.com\s/ | |
8458 | ||
8459 | header __HDR_RCVD_EBAY X-Spam-Relays-External =~ /\srdns=\S+\.ebay\.com\s/ | |
8460 | ||
| | # Narrower than the others: the reverse-DNS name must start with "mail-", and a trailing dot after "google.com" is accepted. | |
8461 | header __HDR_RCVD_GOOGLE X-Spam-Relays-External =~ / rdns=mail-\S+\.google\.com\.?\s/ | |
8462 | ||
8463 | header __HDR_RCVD_KEEPA X-Spam-Relays-External =~ /\srdns=\S+\.keepa\.com\s/ | |
8464 | ||
8465 | header __HDR_RCVD_LINKEDIN X-Spam-Relays-External =~ /\srdns=\S+\.linkedin\.com\s/ | |
8466 | ||
8467 | header __HDR_RCVD_NEWEGG X-Spam-Relays-External =~ /\srdns=\S+\.newegg\.com\s/ | |
8468 | ||
8469 | header __HDR_RCVD_PAYPAL X-Spam-Relays-External =~ /\srdns=\S+\.paypal\.com\s/ | |
8470 | ||
8471 | header __HDR_RCVD_SHOPIFY X-Spam-Relays-External =~ /\srdns=\S+\.shopify\.com\s/ | |
8472 | ||
8473 | header __HDR_RCVD_TAGSTAT X-Spam-Relays-External =~ /\srdns=\S+\.tagstat\.com\s/ | |
8474 | ||
8475 | header __HDR_RCVD_TONLINEDE X-Spam-Relays-External =~ /\srdns=\S+\.t-online\.de\s/ | |
8476 | ||
8477 | header __HDR_RCVD_WALMART X-Spam-Relays-External =~ /\srdns=\S+\.walmart\.com\s/ | |
8478 | ||
8479 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
8480 | tflags __HELO_DNS net | |
8481 | endif | |
8482 | ||
| | # HELO checks on the first relay entry of X-Spam-Relays-External ("^[^\]]+" cannot cross the closing bracket of that entry). | |
| | # The HELO name is announced by the connecting client and is not verified by itself, which is why it is compared with other fields here. | |
| | # __HELO_HIGHPROFILE: the HELO name contains a large provider or brand label directly followed by a dot and a further label. | |
8483 | header __HELO_HIGHPROFILE X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:hotmail|gmail|google|yahoo|msn|microsoft|outlook|paypal|xxx)\.[\w]+\b/i | |
8484 | ||
| | # __HELO_NOT_RDNS: the HELO name does not start with the reverse-DNS name (compared case-insensitively). | |
| | # The lookahead is a prefix test: a HELO name that equals the rdns value, or that begins with it and continues, is treated as matching and does not hit. | |
| | # "(\S+)" needs a non-empty rdns value, so relays without reverse DNS never hit this rule. | |
8485 | header __HELO_NOT_RDNS X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!(?i)\1)\S/ | |
8486 | ||
| | # __HELO_NO_DOMAIN: the HELO name contains no dot at all. | |
8487 | header __HELO_NO_DOMAIN X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ / | |
8488 | ||
8489 | body __HEXHASHWORD_S2EU /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}(?!-?\d{1,5}-)(?!\d{10}\s)(?:(?!--)[-0-9a-f]){10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/ | |
8490 | tflags __HEXHASHWORD_S2EU multiple maxhits=4 | |
8491 | ||
8492 | body __HK_LOTTO_2 /\blot(?:eri[ej]|t(?:ery|o)) ?(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department)/i | |
8493 | ||
8494 | body __HK_LOTTO_BALLOT /\b(?:promotional|on.?line|computer|internet|e-?mail|fran.aise) (?:ballot|draw|sweepstake)/i | |
8495 | ||
8496 | body __HK_LOTTO_STAATS /\bstaatsloteri/i | |
8497 | ||
8498 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
8499 | if (version >= 3.004000) | |
8500 | header __HK_NAME_FROM From:name =~ /^FROM\b/mi | |
8501 | endif | |
8502 | endif | |
8503 | ||
8504 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
8505 | if (version >= 3.004000) | |
8506 | header __HK_NAME_MR_MRS From:name =~ /^M(?:RS?|ISS)\b/mi | |
8507 | endif | |
8508 | endif | |
8509 | ||
8510 | body __HK_SCAM_N15 /\b(?:account (?:overseas?|offshore)|(?:overseas?|offshore) account)\b/i | |
8511 | ||
8512 | body __HK_SCAM_N16 /\b(?:arrangement secret|secret arrangement)\b/i | |
8513 | ||
8514 | body __HK_SCAM_N2 /\bnext of kin\b/i | |
8515 | ||
8516 | body __HK_SCAM_N3 /\bdirect telephone numbers?\b/i | |
8517 | ||
8518 | body __HK_SCAM_N8 /\byour compensation\b/i | |
8519 | ||
8520 | body __HK_SCAM_S1 /pay you the sum of/i | |
8521 | ||
8522 | body __HK_SCAM_S15 /(?:discovered a dormant account|can you be my partner)/i | |
8523 | ||
8524 | body __HK_SCAM_S25 /\bbank (?:in|of) ghana/i | |
8525 | ||
8526 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8527 | mimeheader __HK_SPAMMY_CDFN Content-Disposition =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi | |
8528 | endif | |
8529 | ||
8530 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8531 | mimeheader __HK_SPAMMY_CTFN Content-Type =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi | |
8532 | endif | |
8533 | ||
8534 | meta __HOSTED_IMG_DIRECT_MX __DOS_DIRECT_TO_MX && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT) | |
8535 | ||
8536 | meta __HOSTED_IMG_DQ_UNSUB __URI_DQ_UNSUB && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT) | |
8537 | ||
8538 | meta __HOSTED_IMG_FREEM ( FREEMAIL_REPLYTO || FREEMAIL_FROM ) && ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_WP_REDIR || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT) | |
8539 | ||
8540 | meta __HOSTED_IMG_MULTI ( __URI_IMG_EBAY + __URI_IMG_AMAZON + __URI_IMG_ALICDN + __URI_IMG_WALMART + __URI_IMG_NEWEGG + __URI_IMG_SHOPIFY + __URI_IMG_YTIMG + __URI_IMG_JOOMCDN + __URI_IMG_WISH + __URI_IMG_WP_REDIR + __URI_IMG_STATICBG + __URI_IMG_CHANNYPIC + __URI_IMG_TOPHATTER + __URI_IMG_GBTCDN + __URI_IMG_LINKEDIN + __URI_IMG_TUMBLR + __URI_IMG_TAGSTAT) > 1 | |
8541 | ||
8542 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8543 | body __HOURS_DEADLINE /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three|a few)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i | |
8544 | endif | |
8545 | ||
8546 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8547 | body __HOURS_DEADLINE /(?:^|\s)(?:(?:<G><I><V><E>\s<Y><O><U>|<G><E><B><E>\s<I><H><N><E><N>(?:\s<N><U><R>)?|<Y><O><U>\s(?:<W><I><L><L>\s)?<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?|<W><I><T><H><I><N>)(?:(\s<T><H><E>)?\s(?:<L><A><S><T>|<N><E><X><T>))?\s(?:\d+|<O><N><E>|<T><W><O>|<T><H><R><E><E>|<A> <F><E><W>)\s?(?:<H><O><U><R><S>?|<H><R>\s?<S>?|<D><A><Y><S>?|<S><T><U><N><D><E><N>)|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\s<H><O><U><R><S>?\s<B><E><F><O><R><E>\s(?:<S><E><N><D><I><N><G>|<R><E><L><E><A><S><I><N><G>|<E><X><P><O><S><I><N><G>|<P><U><B><L><I><S><H><I><N><G>)|(?:<T><H><E>|<Y><O><U><R>)\s<D><E><A><D><L><I><N><E>\s(?:<I><S>|<W><I><L><L>\s<B><E>))/i | |
8548 | endif | |
8549 | ||
8550 | rawbody __HS_QUOTE /^> / | |
8551 | ||
8552 | header __HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/ | |
8553 | ||
| | # HTML file attachments, detected from MIME part headers. Each rule is defined twice: as constant 0 when the MIMEHeader plugin is absent, so metas that reference it still resolve, and as the real test when the plugin is loaded. | |
| | # Both tests read only what the MIME headers declare; the part content itself is not inspected. | |
8554 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8555 | meta __HTML_ATTACH_01 0 | |
8556 | endif | |
8557 | ||
| | # __HTML_ATTACH_01: a part typed text/html whose Content-Type header also contains a name ending in ".htm" or ".html". | |
8558 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8559 | mimeheader __HTML_ATTACH_01 Content-Type =~ m,\btext/html\b.+\.html?\b,i | |
8560 | endif | |
8561 | ||
8562 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8563 | meta __HTML_ATTACH_02 0 | |
8564 | endif | |
8565 | ||
| | # __HTML_ATTACH_02: a Content-Disposition filename ending in ".htm" or ".html", whatever Content-Type the part declares. | |
8566 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8567 | mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.html?\b,i | |
8568 | endif | |
8569 | ||
8570 | rawbody __HTML_ENTITY_ASCII /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){10}/i | |
8571 | ||
8572 | meta __HTML_ENTITY_ASCII_MINFP __HTML_ENTITY_ASCII && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML | |
8573 | ||
8574 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
8575 | meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN | |
8576 | endif | |
8577 | ||
8578 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
8579 | meta __HTML_FONT_LOW_CONTRAST_MINFP HTML_FONT_LOW_CONTRAST && !__HAS_SENDER && !__THREADED && !__HAS_THREAD_INDEX && !ALL_TRUSTED && !__NOT_SPOOFED && !__HDRS_LCASE_KNOWN && !DKIM_VALID | |
8580 | endif | |
8581 | ||
| | # Hidden-text indicators in raw HTML: text a reader cannot see but a content filter still scores. | |
| | # __HTML_FONT_TINY_01: an inline style with a one-digit font size of 0 to 4 px. The value must end with ";" and be given in px; sizes in other units or without the closing semicolon are not matched. | |
8582 | rawbody __HTML_FONT_TINY_01 /font-size:\s{0,5}[0-4]px;/i | |
8583 | ||
| | # __HTML_OFF_PAGE: a "top" or "left" offset of minus 100 px or more. The property must directly follow a ";" and have no space after the colon, so other spellings of the same style are not matched. | |
8584 | rawbody __HTML_OFF_PAGE /;(?:top|left):-\d{3,9}px;/i | |
8585 | ||
8586 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8587 | rawbody __HTML_SHRT_CMNT_OBFU /\w<!--\s*\w+\s*-->\w/ | |
8588 | tflags __HTML_SHRT_CMNT_OBFU multiple maxhits=10 | |
8589 | endif | |
8590 | ||
8591 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8592 | meta __HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU > 5 && HTML_MESSAGE | |
8593 | endif | |
8594 | ||
8595 | rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i | |
8596 | tflags __HTML_SINGLET multiple maxhits=21 | |
8597 | ||
8598 | meta __HTML_SINGLET_10 __HTML_SINGLET > 10 | |
8599 | ||
8600 | meta __HTML_SINGLET_MANY __HTML_SINGLET > 20 | |
8601 | ||
8602 | ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
8603 | body __HTML_TAG_BALANCE_CENTER eval:html_tag_balance('center', '!= 0') | |
8604 | endif | |
8605 | ||
8606 | body __HUSH_HUSH /\b(?:confiden[tc]i[ae]l(?:\b|ity\b|it(?:=E9|[\xe9]|[\xc3][\xa9]))|private\b|secr[e\xe8](?:te?|cy)\b|sensitive\b|concealed\b|obscured?\b|discre(?:et|tion)\b|very\sdiscrete|top\ssecret|vertraulich(?:en)?\b|geheim\b|priv(?:e|=E9|[\xe9]|[\xc3][\xa9]))/i | |
8607 | ||
8608 | uri __IMGUR_IMG m,^https?://(?:[^.]+\.)?imgur\.com/[a-z0-9]{7}\.(?:png|gif|jpe?g)$,i | |
8609 | tflags __IMGUR_IMG multiple maxhits=4 | |
8610 | ||
8611 | meta __IMGUR_IMG_2 __IMGUR_IMG == 2 | |
8612 | ||
8613 | meta __IMGUR_IMG_3 __IMGUR_IMG == 3 | |
8614 | ||
8615 | if !plugin(Mail::SpamAssassin::Plugin::ImageInfo) | |
8616 | meta __IMG_LE_300K 0 | |
8617 | endif | |
8618 | ||
8619 | ifplugin Mail::SpamAssassin::Plugin::ImageInfo | |
8620 | body __IMG_LE_300K eval:pixel_coverage('all',62500,300000) | |
8621 | endif | |
8622 | ||
8623 | body __INHERIT_PMT /\binheritance\spayment\s/i | |
8624 | ||
8625 | meta __INR_AND_NO_REF (__XM_IMAIL || __XM_APPLEMAIL || __XM_COMMUNIG || __XM_EDMAX || __XM_ELM || __XM_EMUMAIL || __XM_EXMH || __XM_LOTUSN || __XM_MAILCITY || __XM_MAILSMITH || __XM_MSCDO || __XM_MSOUT || __XM_MIMETOOLS || __XM_OPERA6 || __XM_PEGASUS || __XM_QUALCOM || __UA_IMP || __UA_MSOEMAC || __UA_MSENTOUR || __UA_OPERA7) | |
8626 | ||
8627 | body __INTL_BANK /\b(?:international\s(?:\w+\s)?bank|banque\sinternationale)\b/i | |
8628 | ||
8629 | body __INVEST_COUNTRY /\binvest\sin\syour?\scountry\b/i | |
8630 | ||
8631 | body __INVEST_MONEY /\binvest(?:ir)?\s(?:this|ces|d[ae]s|sur ce|de ces)\s(?:money|f[ou]nds?)\b/i | |
8632 | ||
| | # Hits when the first external relay's IPv4 octets reappear inside that relay's rdns or helo value, in forward or reversed order, each pair separated by exactly one non-digit character. | |
| | # Host names built from the IP address are typical of generic address-pool naming rather than of a named mail server; presumably that is the signal intended here. | |
| | # Only dotted IPv4 addresses are handled, because the four capture groups require the "a.b.c.d" form. | |
8633 | header __IP_IN_RELAY X-Spam-Relays-External =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) (?:[^\]]* )?(?:rdns|helo)=\S*(?:\1\D\2\D\3\D\4|\4\D\3\D\2\D\1)/ | |
8634 | ||
| | # Disk-image (.iso) attachments, detected from MIME part headers. Each rule falls back to constant 0 when the MIMEHeader plugin is not loaded. | |
| | # Disk images are uncommon in ordinary correspondence, which is presumably why they are tracked as a sub-rule. | |
8635 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8636 | meta __ISO_ATTACH 0 | |
8637 | endif | |
8638 | ||
| | # __ISO_ATTACH: a Content-Disposition filename ending in ".iso" that is followed by a double quote, a semicolon or a dollar sign. | |
| | # NOTE(review): inside the bracket class "$" is a literal character, not end-of-string. An unquoted filename that ends the header value with nothing after ".iso" is therefore not matched; verify whether that case matters for the mail seen in practice. | |
8639 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8640 | mimeheader __ISO_ATTACH Content-Disposition =~ m,\bfilename="?[^"]+\.iso[";$],i | |
8641 | endif | |
8642 | ||
8643 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8644 | meta __ISO_ATTACH_MT 0 | |
8645 | endif | |
8646 | ||
| | # __ISO_ATTACH_MT: a part whose declared media type is application/x-iso9660-image. This relies on the sender's declared type; an image sent under a generic type is only caught by the filename rule above. | |
8647 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8648 | mimeheader __ISO_ATTACH_MT Content-Type =~ m,\bapplication/x-iso9660-image\b,i | |
8649 | endif | |
8650 | ||
8651 | body __IS_LEGAL /\b(?:(?:(this|esta)\s(?:deal|offer|transac[tc]i(?:o|[\xc3][\xb3])n|proposal|exchange|arrangement|work)|it)?\s[ie]s\s(?:(?:guaranteed|completely|absolutely|perfectly|100%|very|fully)\s)?(?:legal|hitch-free|seguro|legitimate)|legitimate\sarrangement|toute?\sl(?:e|=E9|[\xe9]|[\xc3][\xa9])gale)\b/i | |
8652 | ||
8653 | body __IVORY_COAST /\b(?:Cote\s?D.Ivoire|Ivory\s?Coast|Costa\sde\sMarfil)\b/i | |
8654 | ||
8655 | body __I_INHERIT /\b(?:I|eu)\s[a-z\s]{0,30}(?:inherited|herdei)\b/i | |
8656 | ||
8657 | body __I_WILL_YOU /\bwill(?:ed)?\s(?:[a-z\s]{0,20}(?:fortune|money|\$[\d,]+[a-z]{0,9})\s)?to\syou\b/i | |
8658 | ||
8659 | header __JM_REACTOR_DATE Date =~ / \+0000$/ | |
8660 | ||
8661 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8662 | mimeheader __JPEG_ATTACH Content-Type =~ /image\/jpe?g/i | |
8663 | endif | |
8664 | ||
| | # Hits when a MIME part declares charset utf-7, including the "unicode-N-N-utf-7" spelling. | |
| | # UTF-7 represents non-ASCII text as ASCII sequences, so content in it can look different to a scanner that does not decode it than to the mail client; presumably that is why the charset is flagged. | |
| | # Unlike __HTML_ATTACH_01 and __ISO_ATTACH in this file, there is no "meta ... 0" fallback for installations without the MIMEHeader plugin. | |
8665 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8666 | mimeheader __KAM_BLOCK_UTF7_2 Content-Type =~ /charset=(?:unicode-\d+-\d+-)?utf-7/i | |
8667 | endif | |
8668 | ||
8669 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8670 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
8671 | body __KAM_BODY_LENGTH_LT_1024 eval:check_body_length('1024') | |
8672 | describe __KAM_BODY_LENGTH_LT_1024 The length of the body of the email is less than 1024 bytes. | |
8673 | endif | |
8674 | endif | |
8675 | ||
8676 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8677 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
8678 | body __KAM_BODY_LENGTH_LT_128 eval:check_body_length('128') | |
8679 | describe __KAM_BODY_LENGTH_LT_128 The length of the body of the email is less than 128 bytes. | |
8680 | endif | |
8681 | endif | |
8682 | ||
8683 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8684 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
8685 | body __KAM_BODY_LENGTH_LT_256 eval:check_body_length('256') | |
8686 | describe __KAM_BODY_LENGTH_LT_256 The length of the body of the email is less than 256 bytes. | |
8687 | endif | |
8688 | endif | |
8689 | ||
8690 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8691 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
8692 | body __KAM_BODY_LENGTH_LT_512 eval:check_body_length('512') | |
8693 | describe __KAM_BODY_LENGTH_LT_512 The length of the body of the email is less than 512 bytes. | |
8694 | endif | |
8695 | endif | |
8696 | ||
8697 | if !plugin(Mail::SpamAssassin::Plugin::HTMLEval) | |
8698 | meta __KAM_HTML_FONT_INVALID 0 | |
8699 | endif | |
8700 | ||
8701 | ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
8702 | body __KAM_HTML_FONT_INVALID eval:html_test('font_invalid_color') | |
8703 | endif | |
8704 | ||
8705 | body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is | |
8706 | ||
8707 | header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t/ | |
8708 | ||
8709 | header __KB_MSGID_OUTLOOK_888 Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/ | |
8710 | ||
8711 | meta __KHOP_NO_FULL_NAME !(__NOT_A_PERSON || __FROM_ENCODED_QP || __FROM_NEEDS_MIME || __FROM_FULL_NAME) | |
8712 | ||
8713 | if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) | |
8714 | meta __LARGE_PERCENT_AFTER 0 | |
8715 | endif | |
8716 | ||
8717 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8718 | body __LARGE_PERCENT_AFTER /\d{3}% after/i | |
8719 | tflags __LARGE_PERCENT_AFTER multiple maxhits=4 | |
8720 | endif | |
8721 | ||
8722 | if !plugin(Mail::SpamAssassin::Plugin::HeaderEval) | |
8723 | meta __LCL__ENV_AND_HDR_FROM_MATCH 0 | |
8724 | endif | |
8725 | ||
8726 | ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
8727 | meta __LCL__ENV_AND_HDR_FROM_MATCH __ENV_AND_HDR_FROM_MATCH | |
8728 | endif | |
8729 | ||
8730 | if !plugin(Mail::SpamAssassin::Plugin::BodyEval) | |
8731 | meta __LCL__KAM_BODY_LENGTH_LT_1024 0 | |
8732 | endif | |
8733 | ||
8734 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8735 | if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) | |
8736 | meta __LCL__KAM_BODY_LENGTH_LT_1024 0 | |
8737 | endif | |
8738 | endif | |
8739 | ||
8740 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8741 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
8742 | meta __LCL__KAM_BODY_LENGTH_LT_1024 __KAM_BODY_LENGTH_LT_1024 | |
8743 | endif | |
8744 | endif | |
8745 | ||
8746 | if !plugin(Mail::SpamAssassin::Plugin::BodyEval) | |
8747 | meta __LCL__KAM_BODY_LENGTH_LT_128 0 | |
8748 | endif | |
8749 | ||
8750 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8751 | if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) | |
8752 | meta __LCL__KAM_BODY_LENGTH_LT_128 0 | |
8753 | endif | |
8754 | endif | |
8755 | ||
8756 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8757 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
8758 | meta __LCL__KAM_BODY_LENGTH_LT_128 __KAM_BODY_LENGTH_LT_128 | |
8759 | endif | |
8760 | endif | |
8761 | ||
8762 | if !plugin(Mail::SpamAssassin::Plugin::BodyEval) | |
8763 | meta __LCL__KAM_BODY_LENGTH_LT_512 0 | |
8764 | endif | |
8765 | ||
8766 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8767 | if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) | |
8768 | meta __LCL__KAM_BODY_LENGTH_LT_512 0 | |
8769 | endif | |
8770 | endif | |
8771 | ||
8772 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8773 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
8774 | meta __LCL__KAM_BODY_LENGTH_LT_512 __KAM_BODY_LENGTH_LT_512 | |
8775 | endif | |
8776 | endif | |
8777 | ||
8778 | meta __LINKED_IMG_NOT_RCVD_LINK __URI_IMG_LINKEDIN && !__HDR_RCVD_LINKEDIN | |
8779 | ||
8780 | meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID | |
8781 | ||
8782 | meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1 | |
8783 | ||
8784 | meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR | |
8785 | ||
| | # A token shaped like a cryptocurrency address: first character L, M or 3, then 26 to 33 characters from the base58 alphabet (no 0, O, I or lowercase l), bounded by word breaks and not directly preceded by "=". | |
| | # This is a shape test only. A regex cannot verify the address checksum, so other base58-looking tokens of this length can hit, and the leading "3" form is not specific to one currency. | |
8786 | body __LITECOIN_ID /\b(?<!=)[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b/ | |
8787 | ||
| | # Intended to flag links whose host is not under paypal.com (the single quote is the regex delimiter). The pattern has no "^", so it can also match a URL embedded later in the URI string. | |
| | # NOTE(review): the lookahead tests only the text right after the first dot of the host; it is a prefix test, not a test of the registered domain. | |
| | # Two consequences: a link on the bare "paypal.com" host (no "www.") is reported as non-PayPal, and a host whose second label onward merely begins with "paypal.com" is not reported. | |
| | # Metas using this rule should not read "no hit" as "the link points to PayPal"; a stricter form would anchor the comparison to the end of the host name. | |
8788 | uri __LOCAL_PP_NONPPURL m'https?://(?:[A-Za-z0-9-_]+)\.(?!paypal\.com)(?:[A-Za-z0-9-_\.]+)'i | |
8789 | ||
8790 | body __LOCK_MAILBOX /\b(?:(?:deactivate|lock(?: up)?|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server)|you will be deactivated|(?:account|e?-?mail(?: ?box)?) (?:will (?:be )?)?(?:shut ?down|expire|deactivate)|we have (?:stopped|suspended) (?:processing|accepting) (?:any )?(?:incoming|new|fresh) email)/i | |
8791 | tflags __LOCK_MAILBOX multiple maxhits=2 | |
8792 | ||
8793 | full __LONGLINE /^[^\r\n]{998}/m | |
8794 | ||
| | # A div whose double-quoted style attribute is exactly "visibility:hidden" or "display:none", immediately followed by at least 1400 characters containing no whitespace and no "<". | |
| | # That is a large invisible block of unbroken text. Single-quoted or multi-property style attributes are not matched. | |
| | # NOTE(review): the "(?<!-)" lookbehind looks redundant here, since the character before "visibility" is always the opening quote. | |
8795 | rawbody __LONG_INVIS_DIV /<div\s+style\s*=\s*"(?:(?<!-)visibility\s*:\s*hidden|display\s*:\s*none)\s*">[^<\s]{1400}/i | |
8796 | ||
8797 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8798 | meta __LONG_STY_INVIS __STY_INVIS && __LONGLINE | |
8799 | endif | |
8800 | ||
8801 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8802 | meta __LOTSA_MONEY_00 0 | |
8803 | endif | |
8804 | ||
8805 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8806 | body __LOTSA_MONEY_00 /<CURRENCY>[\s\.]?<NUM_NOT_DATE>[\dOo][,\.][\dOo]{3}(?:(?!\d)|\b)/ | |
8807 | endif | |
8808 | ||
8809 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8810 | meta __LOTSA_MONEY_01 0 | |
8811 | endif | |
8812 | ||
8813 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8814 | body __LOTSA_MONEY_01 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)[\s\.]?<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo](?<!\.00)\b/ | |
8815 | endif | |
8816 | ||
8817 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8818 | meta __LOTSA_MONEY_02 0 | |
8819 | endif | |
8820 | ||
8821 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8822 | body __LOTSA_MONEY_02 /(?<![-\d])<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo][\)\]\(]?\s?(?:<CURRENCY>|Pounds|(?i:dollars?|bucks))\b/ | |
8823 | endif | |
8824 | ||
8825 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8826 | meta __LOTSA_MONEY_03 0 | |
8827 | endif | |
8828 | ||
8829 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8830 | body __LOTSA_MONEY_03 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)<NUM_NOT_DATE>[\d.,\sOo]{0,5}[\)\]]?\s?(?i:M(?i:il+)?\b|mil+(?i:io|<O>)n|hund?[re]+a?[dt]|thousand|tausend|milh[\xf5]es)/ | |
8831 | endif | |
8832 | ||
8833 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8834 | meta __LOTSA_MONEY_04 0 | |
8835 | endif | |
8836 | ||
8837 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8838 | body __LOTSA_MONEY_04 /(?:(?<![-\d])<NUM_NOT_DATE>[\d\.,]{0,4}(?:M|\smilli?one?s|\s?mln)|million(?!s)|mill<O>n|hund?rea?d(?!s)[^\.]{1,25}thousand(?!s)|cents?[^\.]{1,25}mille|hundert[^\.]{1,30}tausend|ientos?[^\.]{1,20}mil|cent[a-z\s]{1,20}mil\s[a-z]{1,20}centos)[^\.\$]{0,50}?(?:(?:U\.?\s?S\.?\s?(?:A\.?\s?)?|united\s?states\s|E\.\s?U\.\s|canad(?:ian|a)\s|(?:ia\s)?de\s)?d(?:[o\xf3]|[\xc3][\xb3])l+are?s?|\bbucks|USD|GBP|<GB_UK>\spounds?|(?:<GB_UK>\s)?pounds?\ssterling|pounds(?!\sof)|(?:d'\s?)?euros?|francs?)\b/i | |
8839 | endif | |
8840 | ||
8841 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8842 | meta __LOTSA_MONEY_05 0 | |
8843 | endif | |
8844 | ||
8845 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8846 | body __LOTSA_MONEY_05 /(?:(?:sum|value|amount)\sof\s)<NUM_NOT_DATE_IP>[\d.,\sO]{7,20}[\dO\.][\)\]\(\s]{0,3}(?:pounds?|dollars?|euros?|bucks)\b/i | |
8847 | endif | |
8848 | ||
8849 | meta __LOTTO_ADMITS __LOTTO_ADMITS_1 || __LOTTO_ADMITS_2 || __LOTTO_ADMITS_3 || __LOTTO_ATTACH_1 || __LOTTO_ATTACH_2 | |
8850 | ||
8851 | body __LOTTO_ADMITS_1 /\b(?:on-?line|e-?mail|ballot|(?:inter)?national|state|(?:UK|euro)[- ]?(?:mil+ions?|PW)|Canada|Microsoft|MSN|internet|mega|jackpot+|Royal Heritage|foundation|cash\sgrant|mercato|univers|staatsloterij|bill\s?gates|Olympics?|swiss|this|est[ea]|internationaux de gagnants de)(?:\s(?!lot|swe|prom)\w{1,20}){0,3}\s?(?:lot(?:to|t+ery|eri[ea])|sweepstakes?|promo(?:tion|cao|cion)?|jackpot+)\b/i | |
8852 | ||
8853 | body __LOTTO_ADMITS_2 /\b(?:free)?(?:lot(?:to|tery|erie)|sweepstakes)\s(?:(?:inter)?na[tz]ional|department|bureau|group|award|microsoft)/i | |
8854 | ||
8855 | uri __LOTTO_ADMITS_3 /lott+ery/i | |
8856 | ||
8857 | meta __LOTTO_AGENT __LOTTO_AGENT_01 || __LOTTO_AGENT_02 | |
8858 | ||
8859 | body __LOTTO_AGENT_01 /\b(?:(?:(?:the|y?our)(?:\s\w{1,20})?|contact|accredited|listed)\sclaim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:prize|international|intl|foreign|win+ing)(?:[\s,.]+(?:rem+it+ance|settlement|payment|payout|award|transfer))+|payment|payout|immunity|(?<!memory\s)grants?(?!\smanager))\s?(?:agent|manager|officer|secretary|director|mgr\b)/i | |
8860 | ||
8861 | body __LOTTO_AGENT_02 /\blot+ery[^\.]{1,40} ticket agent/i | |
8862 | ||
8863 | header __LOTTO_AGENT_RPLY Reply-To =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize\stransfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i | |
8864 | ||
8865 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8866 | meta __LOTTO_ATTACH_1 0 | |
8867 | endif | |
8868 | ||
8869 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8870 | mimeheader __LOTTO_ATTACH_1 Content-Type =~ /lott(?:o|ery)/i | |
8871 | endif | |
8872 | ||
8873 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8874 | meta __LOTTO_ATTACH_2 0 | |
8875 | endif | |
8876 | ||
8877 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8878 | mimeheader __LOTTO_ATTACH_2 Content-Disposition =~ /lott(?:o|ery)/i | |
8879 | endif | |
8880 | ||
8881 | body __LOTTO_DEPT /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)(?:\s(?:rem+it+ance|settlement|payment|award))+|payment|award|compensation|lot+ery)(?:\s\w+)?\s?(?:department|dept|unit|group|committee|bureau)/i | |
8882 | ||
8883 | body __LOTTO_RELATED /\b(?:lot+(?:o|ery)|sweepstakes)\s(?:prize|draw(?:s|ing)?|(?:ge)?win(?:n?er|n?ing)?|jackpot+|award|fund|com+it+e+|com+is+ion|guild|promotion|promocao|program|day|online|company|(?:in)?corporat|agent|co[-,]?ordinator|team)/i | |
8884 | ||
8885 | body __LOTTO_VERIFY /\bpromo\sverification/i | |
8886 | ||
8887 | body __LOTTO_WINNINGS /\b(?:claim|process(?:ing)?|transfert?(?:\s\w+)?|redeem|payment|virement|zahlung|reivindicar|demandar|remise)\s(?:(?:[a-z]{1,5}\s)?(?:your|of|the|this|de|ihrer|seu|tu)\s)+(?:win+ings?|money|(?:cash\s)?prize|award|f[ou]nds?|grant|gewinne|premio|gain)\b/i | |
8888 | ||
8889 | body __LOTTO_WIN_01 /\bwin+ing\s(?:prize|number|notification|draw|check|cheque|details|information|payment)/i | |
8890 | ||
8891 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8892 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8893 | body __LOWER_E /e/ | |
8894 | tflags __LOWER_E multiple maxhits=230 | |
8895 | endif | |
8896 | endif | |
8897 | ||
8898 | body __LUCKY_WINNER /\b(?:lucky|gl.cklich(?:en)?|afortunados)\s(?:(?:ge)?win+ers?|ganador(?:es)?|individuals?)\b/i | |
8899 | ||
8900 | body __LUCRATIVE /\b(?:lucrative|profitable|tr[\xe8]s\ssalutaire)\b/i | |
8901 | ||
8902 | header __LUNSUB_BEFORE_SUBJDT ALL =~ /^List-unsubscribe: (?:[^\n]+\n){1,40}^(?:Subject|Date): /ism | |
8903 | ||
8904 | rawbody __L_BODY_8BITS /[\x80-\xff]/ | |
8905 | ||
8906 | header __L_CTE_7BIT Content-Transfer-Encoding =~ /^7bit$/ | |
8907 | ||
8908 | body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|quota is running low|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i | |
8909 | ||
8910 | body __MAILBOX_FULL_SE /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i | |
8911 | ||
8912 | header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/ | |
8913 | ||
8914 | body __MAIL_ACCT_ACCESS1 /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i | |
8915 | ||
8916 | body __MAIL_ACCT_ACCESS2 /\blo+se ac+es+ to your (?:web|e-?)?mail ?(?:account|log-?in|box|address)\b/i | |
8917 | ||
# __MAIL_LINK: URI sub-rule. Fires when a query string ('?') is followed, within 200
# characters, by something shaped like an e-mail address (word char, '@', 1-20 host chars,
# a separator, 2-3 word chars). Flagged 'nice', i.e. it is meant as a ham-leaning indicator.
# NOTE(review): the '.' before the final \w\w\w? is unescaped and therefore matches any
# character, not only a literal dot; '\.' looks intended -- confirm before tightening.
8918 | uri __MAIL_LINK /\?.{0,200}\w\@[\w-]{1,20}.\w\w\w?\b/i | |
8919 | tflags __MAIL_LINK nice | |
8920 | ||
8921 | body __MAKE_XTRA_DOLLAR /\bmake an extra dollar\b/i | |
8922 | ||
8923 | header __MALF_MIME_VER MIME-Version =~ /^1\.0\S/ | |
8924 | ||
8925 | meta __MALWARE_NORDNS __MY_MALWARE && __RDNS_NONE | |
8926 | ||
8927 | meta __MALWARE_PASSWORD __MY_MALWARE && __PASSWORD | |
8928 | ||
8929 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8930 | meta __MALW_ATTACH __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02 || __MALW_ATTACH_02_01 || __MALW_ATTACH_02_02 | |
8931 | endif | |
8932 | ||
# __MALW_ATTACH_01_01 / _01_02: MIME part whose declared filename ends in .SettingContent-ms.
# _01_01 inspects Content-Disposition and accepts both the plain filename="..." form and the
# RFC 2231 extended forms (filename*=, filename*0*=, optional UTF-8'' prefix);
# _01_02 inspects the name= parameter of Content-Type and handles the plain form only.
# Without the MIMEHeader plugin each rule is pinned to the constant 0, so metas that
# reference it (e.g. __MALW_ATTACH) still evaluate instead of referring to an undefined rule.
8933 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8934 | meta __MALW_ATTACH_01_01 0 | |
8935 | endif | |
8936 | ||
8937 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8938 | mimeheader __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]+|\*(?:\d+\*)?=(?:UTF-8'')?\S+)\.SettingContent-ms\b/i | |
8939 | endif | |
8940 | ||
8941 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8942 | meta __MALW_ATTACH_01_02 0 | |
8943 | endif | |
8944 | ||
8945 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8946 | mimeheader __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i | |
8947 | endif | |
8948 | ||
# __MALW_ATTACH_02_01 / _02_02: attachment filename that ends in an archive or disk-image
# extension (ace, zip, rar, r17, z/7z/gz, iso) and whose base name ends either in a
# business lure word (invoice, statement, payment, payment advice) or in a second,
# document/image-looking extension (pdf, img, png, gif, jpg/jpeg) -- the "name.pdf.zip" shape.
# The separator before that inner extension may be '.', ',', '_' or the middle dot U+00B7
# (bytes \xc2\xb7; _02_01 also accepts its percent-encoded form %C2%B7).
# _02_01 checks Content-Disposition (plain and RFC 2231 filename* forms); _02_02 checks the
# plain name= parameter of Content-Type only.
# NOTE(review): in the trailing class [";$] the '$' is a literal dollar sign, not an
# end-of-value anchor, so the extension must be followed by '"', ';' or '$'. If "or end of
# header value" was intended, (?:[";]|$) expresses that -- confirm against sample headers.
8949 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8950 | meta __MALW_ATTACH_02_01 0 | |
8951 | endif | |
8952 | ||
8953 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8954 | mimeheader __MALW_ATTACH_02_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:invoice|statement|payment(?: advice)?|(?:[.,_]|%C2%B7|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i | |
8955 | endif | |
8956 | ||
8957 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8958 | meta __MALW_ATTACH_02_02 0 | |
8959 | endif | |
8960 | ||
8961 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8962 | mimeheader __MALW_ATTACH_02_02 Content-Type =~ /\bname="?[^"]*(?:invoice|statement|payment(?: advice)?|(?:[.,_]|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i | |
8963 | endif | |
8964 | ||
8965 | meta __MANY_HDRS_LCASE __HDRS_LCASE > 1 | |
8966 | ||
8967 | meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4) | |
8968 | ||
8969 | header __MAY_BE_FORGED Received =~ /\(may be forged\)/ | |
8970 | ||
8971 | header __MID_START_001C Message-ID =~ /^<000001c/ | |
8972 | ||
8973 | body __MILLIONS /\bmillions\sof\s(?:dollar|euro|pound)/i | |
8974 | ||
# __MIMEOLE_1106: whole-value match on the X-MimeOLE header for one specific MimeOLE build string.
# NOTE(review): the dots in the version number are unescaped, so each matches any character;
# __MOLE_2962 in this file escapes them (2900\.2962). The real value still matches, the
# pattern is only looser than it reads. X-MimeOLE is written by the sending software, so this
# identifies the claimed mail client, nothing more.
8975 | header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/ | |
8976 | ||
8977 | meta __MIMEOLE_DIRECT_TO_MX __HAS_MIMEOLE && __DOS_DIRECT_TO_MX | |
8978 | ||
8979 | header __MIME_BDRY_0D0D Content-Type =~ /boundary="-{12}(?:0[1-9]){12}/ | |
8980 | ||
8981 | if !((version >= 3.004000)) | |
8982 | meta __MIME_CTYPE_IN_BODY 0 | |
8983 | endif | |
8984 | ||
8985 | if (version >= 3.004000) | |
8986 | body __MIME_CTYPE_IN_BODY /^Content-Type:\s/ | |
8987 | endif | |
8988 | ||
8989 | if !((version >= 3.004000)) | |
8990 | meta __MIME_MALF 0 | |
8991 | endif | |
8992 | ||
8993 | if (version >= 3.004000) | |
8994 | meta __MIME_MALF __CTYPE_MULTIPART_ANY && __MIME_CTYPE_IN_BODY | |
8995 | endif | |
8996 | ||
8997 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8998 | meta __MIME_NO_TEXT 0 | |
8999 | endif | |
9000 | ||
9001 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9002 | meta __MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH) | |
9003 | endif | |
9004 | ||
9005 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
9006 | rawbody __MIME_QPC eval:check_for_mime('mime_qp_count') | |
9007 | endif | |
9008 | ||
# __MISSING_REF / __MISSING_REPLY: "[if-unset: UNSET]" makes SpamAssassin substitute the
# string UNSET when the header is absent, so /^UNSET$/ fires when References (resp.
# In-Reply-To) is missing -- and also in the unusual case where the header is present with
# the literal value "UNSET".
9009 | header __MISSING_REF References =~ /^UNSET$/ [if-unset: UNSET] | |
9010 | ||
9011 | header __MISSING_REPLY In-Reply-To =~ /^UNSET$/ [if-unset: UNSET] | |
9012 | ||
9013 | rawbody __MIXED_AREA_CASE /<(?!AREA|area)[Aa][Rr][Ee][Aa]\s/ | |
9014 | ||
9015 | rawbody __MIXED_CENTER_CASE /<(?!CENTER|center)[Cc][Ee][Nn][Tt][Ee][Rr]>/ | |
9016 | ||
9017 | rawbody __MIXED_FONT_CASE /<(?!FONT|font)[Ff][Oo][Nn][Tt]\s/ | |
9018 | ||
9019 | rawbody __MIXED_HREF_CASE_JH /<[Aa](?i:rea)?\s+(?!HREF|href)[Hh][Rr][Ee][Ff]=/ | |
9020 | ||
9021 | rawbody __MIXED_IMG_CASE_JH /<(?!IMG|img)[Ii][Mm][Gg]\s/ | |
9022 | ||
9023 | header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/ | |
9024 | ||
# __MONERO: true when any Monero indicator is present: an address-shaped string, the phrase
# "Monero (XMR)", or the URI / fuzzy-spelling sub-rules (__URI_MONERO and __FUZZY_MONERO are
# defined outside this part of the file).
9025 | meta __MONERO (__MONERO_ID || __MONERO_CURNCY || __URI_MONERO || __FUZZY_MONERO) | |
9026 | ||
# Case-sensitive literal phrase; no /i flag.
9027 | body __MONERO_CURNCY /Monero \(XMR\)/ | |
9028 | ||
# __MONERO_ID is a shape check only: '4', then one of [0-9AB], then 93-104 characters from
# the Base58 alphabet (digits and letters without 0, O, I and l), 95-106 characters in all,
# delimited by word boundaries. No checksum is verified, so any token of that shape matches;
# it is a sub-rule meant to be combined with other evidence.
9029 | body __MONERO_ID /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93,104}\b/ | |
9030 | ||
9031 | meta __MONEY_ATM_CARD LOTS_OF_MONEY && __ATM_CARD | |
9032 | ||
9033 | meta __MONEY_FORM LOTS_OF_MONEY && __FILL_THIS_FORM | |
9034 | ||
9035 | meta __MONEY_FORM_SHORT LOTS_OF_MONEY && __FILL_THIS_FORM_SHORT | |
9036 | ||
9037 | meta __MONEY_FRAUD_3 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3) | |
9038 | ||
9039 | meta __MONEY_FRAUD_5 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5) | |
9040 | ||
9041 | meta __MONEY_FRAUD_8 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 8) | |
9042 | ||
9043 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
9044 | meta __MONEY_FREEMAIL_REPTO LOTS_OF_MONEY && __freemail_hdr_replyto | |
9045 | endif | |
9046 | ||
9047 | meta __MONEY_FROM_41 __NSL_RCVD_FROM_41 && LOTS_OF_MONEY | |
9048 | ||
9049 | body __MOVE_MONEY /\b(?:(?:receive|re-?profile|transfer(?:ring|ir|t)?|release|repatriat(?:e|ion)|rapatrier|secure|r(?:e|=E9|[\xe9]|[\xc3][\xa9])clamation|possession|virer|dona(?:te|r)|depositante|dep[\xc3][\xb3]sito)\s(?:th(?:e(?:se)?|is)|d[ae]s|sur ce|de ce[st]|cet|est[eao]s?|del?)|re-?profiling|receive|re-?locat(?:e|ing)(?:\s\w{1,15})?)\s(?:of\s|your\s|the\s){0,2}(?:sums?\sof\s|inheritance\s)?(?:proceeds|funds?|money|balance|account|g[eo]ld|compte|fond[so]{1,2}|dinero|argent)\b/i | |
9050 | ||
9051 | meta __MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_MAYBE && __HAS_ANY_URI && __HTML_LINK_IMAGE | |
9052 | ||
9053 | header __MSGID_GUID Message-ID =~ /^<?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\@/i | |
9054 | ||
9055 | header __MSGID_HEXISH Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/ | |
9056 | ||
9057 | header __MSGID_HEX_UID Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/ | |
9058 | ||
9059 | header __MSGID_JAVAMAIL Message-ID =~ /\.JavaMail\./ | |
9060 | tflags __MSGID_JAVAMAIL nice | |
9061 | ||
9062 | header __MSGID_LIST Message-ID =~ /-\w+\#[\w.]+\.\w{2,4}\@/ | |
9063 | tflags __MSGID_LIST nice | |
9064 | ||
9065 | header __MSGID_NOFQDN2 Message-ID =~ /<.*\@[A-Za-z0-9]+>/m | |
9066 | ||
9067 | meta __MSMAIL_PRI_ABNORMAL __HAS_MSMAIL_PRI && !__MSMAIL_PRI_NORMAL | |
9068 | ||
9069 | header __MSMAIL_PRI_HIGH X-MSMail-Priority =~ /^(?:high|urgent)$/i | |
9070 | ||
9071 | header __MSMAIL_PRI_NORMAL X-MSMail-Priority =~ /^normal$/i | |
9072 | ||
9073 | meta __MSM_PRIO_REPTO __HAS_MSMAIL_PRI && __HAS_REPLY_TO && __SUBJ_SHORT | |
9074 | ||
9075 | header __MSOE_MID_WRONG_CASE ALL =~ /\nMessage-Id: / | |
9076 | ||
9077 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9078 | mimeheader __MSO_THEME_MT Content-Type =~ m,\bapplication/vnd.ms-officetheme\b,i | |
9079 | endif | |
9080 | ||
9081 | header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/ | |
9082 | ||
9083 | header __MUA_TBIRD User-Agent =~ /^Mozilla\/(.*) Thunderbird/ | |
9084 | ||
9085 | body __MY_FORTUNE /\b(?:my|his|her)\s(?:fortune|heritage)\b/i | |
9086 | ||
9087 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9088 | body __MY_MALWARE /\b(?:(?:I(?:'ve|\shave)?\s(?:put|set\s?up|installed|buil[td]\sin|placed)\s(?:a\s)?|my\s(?:personal\s|background\s|hidden\s)?)(?:mal+ware|virus|spy\s?ware|trojan|program\srecorded|expl[o0]it|backdoor|(?:sneaky\s|hidden\s|malicious\s)+(?:app|stuff))|(?:application|mal+ware)[^\.]{1,30}(?:enable[sd]|allow(?:s|ed))\sme\sto\s(?:access|control)|I\s(?:contaminated|infected|hacked|toxified|poisoned)\s(?:your|this)\s(?:machine|computer|gadget|(?:smart\s?)?phone|device|email)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|mein\shinterhältiges\sProgramm|I\s?am\s?a\s?hacker|(?:(?:trojan|virus|spyware|mal+ware)\s)+giv(?:es|ing)\sme)\b/i | |
9089 | endif | |
9090 | ||
9091 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9092 | body __MY_MALWARE /(?:^|\s)(?:(?:<I>(?:'<V><E>|\s<H><A><V><E>)?\s(?:<P><U><T><|><S><E><T>\s?<U><P>|<I><N><S><T><A><L><L><E><D>|<B><U><I><L>(?:<T>|<D>)\s<I><N>|<P><L><A><C><E><D>)\s(?:<A>\s)?|<M><Y>\s(?:<P><E><R><S><O><N><A><L>\s|<B><A><C><K><G><R><O><U><N><D>\s|<H><I><D><D><E><N>\s)?)(?:<M><A><L>+<W><A><R><E>|<V><I><R><U><S>|<S><P><Y>\s?<W><A><R><E>|<T><R><O><J><A><N>|<P><R><O><G><R><A><M>\s<R><E><C><O><R><D><E><D>|<E><X><P><L>(?:<O>|0)<I><T>|<B><A><C><K><D><O><O><R>|(?:<S><N><E><A><K><Y>\s|<H><I><D><D><E><N>\s|<M><A><L><I><C><I><O><U><S>\s)+(?:<A><P><P>|<S><T><U><F><F>))|(?:<A><P><P><L><I><C><A><T><I><O><N>|<M><A><L>+<W><A><R><E>)[^\.]{1,30}(?:<E><N><A><B><L><E>(?:<D>|<S>)|<A><L><L><O><W>(?:<S>|<E><D>))\s<M><E>\s<T><O>\s(?:<A><C><C><E><S><S>|<C><O><N><T><R><O><L>)|<I>\s(?:<C><O><N><T><A><M><I><N><A><T><E><D>|<I><N><F><E><C><T><E><D>|<H><A><C><K><E><D>|<T><O><X><I><F><I><E><D>|<P><O><I><S><O><N><E><D>)\s(?:<Y><O><U><R>|<T><H><I><S>)\s(?:<M><A><C><H><I><N><E>|<C><O><M><P><U><T><E><R>|<G><A><D><G><E><T>|(?:<S><M><A><R><T>\s?)?<P><H><O><N><E>|<D><E><V><I><C><E>|<E><M><A><I><L>)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|<M><E><I><N>\s<H><I><N><T><E><R><H><A><L><T><I><G><E><S>\s<P><R><O><G><R><A><M>+|<I>\s?<A><M>\s?<A>\s?<H><A><C><K><E><R>|(?:(?:<T><R><O><J><A><N>|<V><I><R><U><S>|<S><P><Y><W><A><R><E>|<M><A><L>+<W><A><R><E>)\s)+<G><I><V>(?:<E><S>|<I><N><G>)\s<M><E>)[\s\.,]/i | |
9093 | endif | |
9094 | ||
9095 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9096 | body __MY_VICTIM /\b(?:hi|hello),?(?:\smy)?\s(?:victim|prey)\b/i | |
9097 | endif | |
9098 | ||
9099 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9100 | body __MY_VICTIM /(?:<H><I>|<H><E><L><L><O>),?(?:\s<M><Y>)?\s(?:<V><I><C><T><I><M>|<P><R><E><Y>)/i | |
9101 | endif | |
9102 | ||
# __NAKED_TO: the To header is a single bare address -- no display name, no angle brackets,
# no whitespace, no second recipient.
9103 | header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/ | |
9104 | ||
# __NAME_EMAIL_DIFF: the From display name is itself shaped like an e-mail address
# (__NAME_IS_EMAIL) but is not the same address that follows in angle brackets
# (__NAME_EQ_EMAIL). Mail clients that show only the display name would present the
# name-part address as the sender, which makes this a display-name spoofing indicator.
9105 | meta __NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL | |
9106 | ||
# Captures the address in the display-name position and requires the identical text (\1,
# compared case-insensitively because of /i) inside <...>. From:raw is the undecoded header.
9107 | header __NAME_EQ_EMAIL From:raw =~ /([\w+.-]+\@[\w.-]+\.\w\w+)["'`\s]*<\s*\1>/i | |
9108 | ||
# Address-shaped text immediately followed (optional quote characters and whitespace aside)
# by "<local@..." -- i.e. an address used as the display name of another address.
9109 | header __NAME_IS_EMAIL From:raw =~ /\w\@[\w.-]+\.\w\w+["'`]*\s*<\w+\@\w/ | |
9110 | ||
9111 | meta __NEWEGG_IMG_NOT_RCVD_NEGG __URI_IMG_NEWEGG && !__HDR_RCVD_NEWEGG | |
9112 | ||
9113 | body __NEXT_OF_KIN /\bnext[-\s]of[-\s]kin\b/i | |
9114 | ||
9115 | body __NIGERIA /\bnigeria\b/i | |
9116 | ||
9117 | meta __NOT_A_PERSON __VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO | |
9118 | tflags __NOT_A_PERSON nice | |
9119 | ||
9120 | body __NOT_DEAD_YET /\b(?:will\sinherit|que\sherede|your\sdeath|your?\sbeing\sdead)\b/i | |
9121 | ||
9122 | body __NOT_SCAM /\b(?:not\sa\sscam|(?:not|never)\sscam\syou)\b/i | |
9123 | ||
# __NOT_SPOOFED: one of four definitions is active, selected by whether the DKIM and SPF
# plugins are loaded ("!(!plugin(X))" simply means "plugin X is loaded"). In every variant
# the meta is true when the message is ALL_TRUSTED or when __LAST_EXTERNAL_RELAY_NO_AUTH is
# false; the variants differ only in the SPF and DKIM terms. It is flagged 'nice'.
# NOTE(review): SPF_PASS and DKIM_VALID appear here without any check that the passing
# domain is the one shown in From:, so read this meta as "some authentication passed",
# not as "the visible sender is genuine".
# NOTE(review): when the DKIM plugin is absent the DKIM term becomes __DKIM_EXISTS. Judging
# by the name this is the mere presence of a signature header, which says nothing about
# whether a signature verifies -- confirm against its definition (outside this part of the
# file) before relying on __NOT_SPOOFED on installations that run without the DKIM plugin.
9124 | tflags __NOT_SPOOFED nice | |
9125 | ||
9126 | if !(!plugin(Mail::SpamAssassin::Plugin::DKIM)) | |
9127 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
9128 | meta __NOT_SPOOFED DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, no SPF | |
9129 | endif | |
9130 | endif | |
9131 | ||
9132 | if !(!plugin(Mail::SpamAssassin::Plugin::DKIM)) | |
9133 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
9134 | meta __NOT_SPOOFED SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, yes SPF | |
9135 | endif | |
9136 | endif | |
9137 | ||
9138 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
9139 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
9140 | meta __NOT_SPOOFED __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, no SPF. | |
9141 | endif | |
9142 | endif | |
9143 | ||
9144 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
9145 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
9146 | meta __NOT_SPOOFED SPF_PASS || __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, yes SPF | |
9147 | endif | |
9148 | endif | |
9149 | ||
9150 | meta __NO_INR_YES_REF (__XM_GNUS || __XM_MSOE5 || __XM_MSOE6 || __XM_MOZ4 || __XM_SKYRI || __XM_WWWMAIL || __UA_GNUS || __UA_KNODE || __UA_MUTT || __UA_PAN || __UA_XNEWS) | |
9151 | ||
# __NSL_ORIG_FROM_41: the X-Originating-IP header value starts with "41." (optionally after
# text ending in '['). This is an ordinary message header: its content is whatever the
# submitting system or an earlier hop wrote, so treat it as a hint, not as a verified origin.
9152 | header __NSL_ORIG_FROM_41 X-Originating-IP =~ /^(?:.+\[)?41\./ | |
9153 | describe __NSL_ORIG_FROM_41 Originates from 41.0.0.0/8 | |
9154 | ||
# __NSL_RCVD_FROM_41: matches " ip=41." anywhere in X-Spam-Relays-External, the pseudo-header
# SpamAssassin builds from the parsed Received headers of external relays. It therefore fires
# for any external hop in the chain, not only the relay that handed the message to the
# trusted network; hops beyond that first external relay come from sender-supplied headers.
9155 | header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./ | |
9156 | describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8 | |
9157 | ||
9158 | header __NUMBEREND_TLD From:addr =~ /\@[a-z]{2,}[0-9]{4,}(\.[a-z]{2,4})?\.[a-z]+$/i | |
9159 | ||
9160 | header __NUMBERONLY_TLD From:addr =~ /\@[0-9]{4,}(\.[a-z]{2,4})?\.[a-z]+$/i | |
9161 | ||
9162 | header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/ | |
9163 | ||
9164 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9165 | meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) ) | |
9166 | endif | |
9167 | ||
9168 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9169 | meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) ) | |
9170 | endif | |
9171 | ||
9172 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9173 | meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) ) | |
9174 | endif | |
9175 | ||
9176 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9177 | meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) ) | |
9178 | endif | |
9179 | ||
9180 | body __OBFU_UNSUB_UL /(?:click_here|remove_your|our_e?mail|this_list|to_unsubscribe|future_e?mail|our_list)/ | |
9181 | ||
9182 | if !plugin(Mail::SpamAssassin::Plugin::ImageInfo) | |
9183 | meta __ONE_IMG 0 | |
9184 | endif | |
9185 | ||
9186 | ifplugin Mail::SpamAssassin::Plugin::ImageInfo | |
9187 | body __ONE_IMG eval:image_count('all',1,1) | |
9188 | endif | |
9189 | ||
9190 | header __OPERA_MID_NON_OP Message-ID =~ /^<[^o][^p]\./ | |
9191 | ||
9192 | body __ORDER_TODAY /\border (?:it|one|yours|this) (?:today|now|right\saway)\b/i | |
9193 | ||
9194 | body __OUR_BEHALF /\b(?:on\s(?:my|our)\sbehalf|of\sbehalf\sof)\b/i | |
9195 | ||
9196 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9197 | mimeheader __PART_CID_STOCK_LESS Content-ID =~ /^<00[a-f0-9]{10}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[A-Za-z]+>$/ | |
9198 | endif | |
9199 | ||
9200 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9201 | mimeheader __PART_STOCK_CD_F Content-Disposition =~ /filename/ | |
9202 | endif | |
9203 | ||
9204 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9205 | mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/ | |
9206 | endif | |
9207 | ||
9208 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9209 | mimeheader __PART_STOCK_CL Content-Location =~ /./ | |
9210 | endif | |
9211 | ||
9212 | body __PASSIVE_INCOME /\bpassive income\b/i | |
9213 | ||
9214 | body __PASSWORD /\bp[-\s_]?a[-\s_]?s[-\s_]?s[-\s_]?w[-\s_]?o[-\s_]?r[-\s_]?d\b/i | |
9215 | ||
9216 | body __PASSWORD_EXP_CLUMSY /\bpassword is due for expiration yesterday\b/i | |
9217 | ||
9218 | body __PASSWORD_UPGRADE /\bpassword upgrade\b/i | |
9219 | ||
9220 | body __PAXFUL /\bp-?a+-?x+-?f-?u+-?l\b/i | |
9221 | ||
9222 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9223 | body __PAY_ME /\b(?:pay\sme|(?:(?:send|transmit|give)\s(?:to\s)?me|(?:send(?:en\ssie)?|transfer)\s(?:the\samount\sof|exactly|genau)|I\swant|den\sbetrag\svon|payment\sof)\s(?:[\d,'.\$£]+\s?(?:usd?|eur?(?:os)?|gbp|BTC)?|bitcoin|BTC)|(?:make|perform|send|transmit)\sthe\spayment|amount\sfor\smy\ssilence|(?:pay|fund)\sthis\s(?:bitcoin|monero)[-\s](?:address|wallet|brieftasche)|my bribe(?:ry)?)\b/i | |
9224 | endif | |
9225 | ||
9226 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9227 | body __PAY_ME /(?:^|\s)(?:<P><A><Y>\s<M><E>|(?:(?:<S><E><N><D>|<T><R><A><N><S><M><I><T>|<G><I><V><E>)\s(?:<T><O>\s)?<M><E>|(?:<S><E><N><D>(?:<E><N>\s<S><I><E>)?|<T><R><A><N><S><F><E><R>)\s(?:<T><H><E>\s<A><M><O><U><N><T>\s<O><F>|<E><X><A><C><T><L><Y>|<G><E><N><A><U>)|<I>\s<W><A><N><T>|<D><E><N>\s<B><E><T><R><A><G>\s<V><O><N>|<P><A><Y><M><E><N><T>\s<O><F>)\s(?:[\d,'.\$£]+\s?(?:<U><S><D>?|<E><U><R>?(?:<O><S>)?|<G><B><P>|<B><T><C>)?|<B><I><T><C><O><I><N>|<B><T><C>)|(?:<M><A><K><E>|<P><E><R><F><O><R><M>|<S><E><N><D>|<T><R><A><N><S><M><I><T>)\s<T><H><E>\s<P><A><Y><M><E><N><T>|<A><M><O><U><N><T>\s<F><O><R>\s<M><Y>\s<S><I><L><E><N><C><E>|(?:<P><A><Y>|<F><U><N><D>)\s<T><H><I><S>\s(?:<B><I><T><C><O><I><N>|<M><O><N><E><R><O>)[-\s](?:<A><D><D><R><E><S><S>|<W><A><L><L><E><T>|<B><R><I><E><F><T><A><S><C><H><E>|<M><Y> <B><R><I><B><E>(?:<R><Y>)?))[\s\.,]/i | |
9228 | endif | |
9229 | ||
9230 | body __PAY_YOU /\bpay\syou\b/ | |
9231 | ||
9232 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9233 | meta __PCT_FOR_YOU 0 | |
9234 | endif | |
9235 | ||
9236 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9237 | meta __PCT_FOR_YOU __PCT_FOR_YOU_1 || __PCT_FOR_YOU_2 || __PCT_FOR_YOU_3 || T_SHARE_50_50 | |
9238 | endif | |
9239 | ||
9240 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9241 | meta __PCT_FOR_YOU_1 0 | |
9242 | endif | |
9243 | ||
9244 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9245 | body __PCT_FOR_YOU_1 /<PERCENT>[\s)]{0,3}(?:(?:of\s[\w\s]{0,35}?)?(?:for|to|as)\syour?|(?:[^\s.]{1,15}\s)?an uns beide)/i | |
9246 | endif | |
9247 | ||
9248 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9249 | meta __PCT_FOR_YOU_2 0 | |
9250 | endif | |
9251 | ||
9252 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9253 | body __PCT_FOR_YOU_2 /\b(?:(?:give|offer)\syou|vous\s(?:aurez\sdroit\s(?:=E0|[\xe0])|donnerai|all(?:e|=E9|[\xe9]|[\xc3][\xa9])\srecevoir\sautour\sde)|ihnen)\s<PERCENT>/i | |
9254 | endif | |
9255 | ||
9256 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9257 | meta __PCT_FOR_YOU_3 0 | |
9258 | endif | |
9259 | ||
9260 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9261 | body __PCT_FOR_YOU_3 /\byour?\s(?!can)(?:(?!you)\w{1,15}\s){0,10}(?:(?:share|entiti?le(?:d|ment)?|percentage|fee|assist(?:ance)?|comp[ea]nsat(?:ed?|tion)|reward(?:ed)?|renumerat(?:e|tion)|com+is+ion|paid|deduct|account|tage|(?:will|shall|would|(?:are|stand|going)\sto)\s(?:be\s)?(?:tak(?:e|ing)|earn|get(?:ting)?|remit|subtract|with+old)|(?:deduct|taken?|subtract(?:ed)?)\syour|keep(?:ing)?|receiv(?:e|ing)|retain(?:ing)?|have|half|giv(?:en|ing)|paid|(?:give|pay|offer)\s(?:me|you|him)|bank\saccount|to\s(?:take|use)|(?:time|country)\sand|ratio\sof)(?:\s(?!you)\w{1,15}){0,10})\s(?<!by\s)(?<!up\sto\s)<PERCENT>/i | |
9262 | endif | |
9263 | ||
9264 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9265 | meta __PCT_OF_PMTS 0 | |
9266 | endif | |
9267 | ||
9268 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9269 | body __PCT_OF_PMTS /<PERCENT>[\s)]+(?:of\s[\w\s]{0,35}?)?(?:of|du|de)\s(?:(?:the|la)\s)?(?:total\s)?(?:payments?|rem+it+ances?|capital|chec(?:k|que)s?|mon(?:ey|ies)|suma?)/i | |
9270 | endif | |
9271 | ||
9272 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
9273 | meta __PDF_ATTACH 0 | |
9274 | endif | |
9275 | ||
9276 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9277 | meta __PDF_ATTACH (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2) | |
9278 | endif | |
9279 | ||
9280 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
9281 | meta __PDF_ATTACH_FN1 0 | |
9282 | endif | |
9283 | ||
9284 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9285 | mimeheader __PDF_ATTACH_FN1 Content-Type =~ /="[^"]+\.pdf"/i | |
9286 | endif | |
9287 | ||
9288 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
9289 | meta __PDF_ATTACH_FN2 0 | |
9290 | endif | |
9291 | ||
9292 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9293 | mimeheader __PDF_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.pdf"/i | |
9294 | endif | |
9295 | ||
9296 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
9297 | meta __PDF_ATTACH_MT 0 | |
9298 | endif | |
9299 | ||
9300 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9301 | mimeheader __PDF_ATTACH_MT Content-Type =~ m,\bapplication/pdf\b,i | |
9302 | endif | |
9303 | ||
9304 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9305 | header __PDS_BTC_ANON From:name =~ /\bAnon/ | |
9306 | endif | |
9307 | ||
9308 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9309 | meta __PDS_BTC_BADFROM ( __PDS_BTC_HACKER || __PDS_BTC_PIRATE ) | |
9310 | endif | |
9311 | ||
9312 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9313 | header __PDS_BTC_HACKER From:name =~ /h<A>ck<E>r/i | |
9314 | endif | |
9315 | ||
9316 | meta __PDS_BTC_ID ( __BITCOIN_ID && !__URL_BTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG) | |
9317 | ||
9318 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9319 | header __PDS_BTC_PIRATE From:name =~ /p<I>r<A>t<E>/i | |
9320 | endif | |
9321 | ||
9322 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9323 | if (version >= 3.004000) | |
9324 | header __PDS_CASHSHORTENER eval:check_uri_host_listed('PDS_CASHSHORTENER') | |
9325 | endif | |
9326 | endif | |
9327 | ||
9328 | uri __PDS_DOUBLE_URL m;https?://[\S]+(?:\?|=)https?://[\S]+[\w]+$; | |
9329 | ||
9330 | if (version >= 3.004002) | |
9331 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9332 | body __PDS_EXPIRATION_NOTICE /\bexpiration (notice|alert|date)\b/i | |
9333 | endif | |
9334 | endif | |
9335 | ||
9336 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
9337 | header __PDS_FROM_2_EMAILS From =~ /(?:^|<|"| )([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i | |
9338 | endif | |
9339 | ||
9340 | header __PDS_FROM_GMAIL From:addr =~ /\@g(?:oogle)?mail\.com$/i | |
9341 | ||
9342 | header __PDS_FROM_NAME_TO_DOMAIN ALL =~ /From: ["']?([a-z0-9\.-]+\.[0-9a-z\.-]+)["']? [^\n]+\nTo:[^\n]+\@\1/ism | |
9343 | ||
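| # Message-Id ends in "@mail.gmail.com>". The dots are escaped so that only the literal | |
| # host name matches. This subrule is negated in __PDS_SPOOF_GMAIL_MID, so an unescaped | |
| # "." (any character) would let a look-alike Message-Id suffix suppress that spoof check. | |
9344 | header __PDS_GMAIL_MID Message-Id =~ /\@mail\.gmail\.com>$/ | |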
9345 | ||
9346 | uri __PDS_GOOGLE_DRIVE_FILE /\/drive\.google\.com\/file/i | |
9347 | ||
9348 | meta __PDS_GOOGLE_DRIVE_SHARE (__PDS_GOOGLE_DRIVE_SHARE_1 + __PDS_GOOGLE_DRIVE_SHARE_2 + __PDS_GOOGLE_DRIVE_SHARE_3 >= 2) | |
9349 | ||
9350 | header __PDS_GOOGLE_DRIVE_SHARE_1 References =~ /\@docs\-share\.google\.com\>/ | |
9351 | ||
9352 | header __PDS_GOOGLE_DRIVE_SHARE_2 From:addr =~ /^drive\-shares\-noreply\@google\.com$/ | |
9353 | ||
9354 | header __PDS_GOOGLE_DRIVE_SHARE_3 X-Envelope-From:addr =~ /\@doclist\.bounces\.google\.com$/ | |
9355 | ||
9356 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
9357 | meta __PDS_HP_HELO_NODNS (__HELO_HIGHPROFILE && !__HELO_DNS) | |
9358 | tflags __PDS_HP_HELO_NODNS net | |
9359 | endif | |
9360 | ||
9361 | ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
9362 | meta __PDS_HTML_LENGTH_1024 __HTML_LENGTH_0000_1024 | |
9363 | endif | |
9364 | ||
9365 | ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
9366 | meta __PDS_HTML_LENGTH_2048 __HTML_LENGTH_0000_1024 || __HTML_LENGTH_1024_1536 || __HTML_LENGTH_1536_2048 | |
9367 | endif | |
9368 | ||
9369 | meta __PDS_LITECOIN_ID (__LITECOIN_ID && !__URL_LTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG) | |
9370 | ||
9371 | meta __PDS_MSG_1024 (__KAM_BODY_LENGTH_LT_1024 || __PDS_HTML_LENGTH_1024) | |
9372 | ||
9373 | meta __PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512) | |
9374 | ||
9375 | if (version >= 3.004001) | |
9376 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
9377 | meta __PDS_NEWDOMAIN (__FROM_FMBLA_NEWDOM || __FROM_FMBLA_NEWDOM14 || __FROM_FMBLA_NEWDOM28) | |
9378 | tflags __PDS_NEWDOMAIN net | |
9379 | endif | |
9380 | endif | |
9381 | ||
9382 | if (version >= 3.004002) | |
9383 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9384 | body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (United States|USA)/i | |
9385 | endif | |
9386 | endif | |
9387 | ||
9388 | header __PDS_PHP_EVAL1 X-PHP-Originating-Script =~ /eval..'d code/i | |
9389 | ||
9390 | header __PDS_PHP_EVAL2 X-PHP-Originating-Script =~ /runtime-created function/ | |
9391 | ||
9392 | if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) | |
9393 | meta __PDS_QP_1024 0 | |
9394 | endif | |
9395 | ||
9396 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
9397 | meta __PDS_QP_1024 (__MIME_QPC > 0) && (__MIME_QPC < 1024) | |
9398 | endif | |
9399 | ||
9400 | if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) | |
9401 | meta __PDS_QP_128 0 | |
9402 | endif | |
9403 | ||
9404 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
9405 | meta __PDS_QP_128 (__MIME_QPC > 0) && (__MIME_QPC < 128) | |
9406 | endif | |
9407 | ||
9408 | if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) | |
9409 | meta __PDS_QP_512 0 | |
9410 | endif | |
9411 | ||
9412 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
9413 | meta __PDS_QP_512 (__MIME_QPC > 0) && (__MIME_QPC < 512) | |
9414 | endif | |
9415 | ||
9416 | if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) | |
9417 | meta __PDS_QP_64 0 | |
9418 | endif | |
9419 | ||
9420 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
9421 | meta __PDS_QP_64 (__MIME_QPC > 0) && (__MIME_QPC < 64) | |
9422 | endif | |
9423 | ||
9424 | header __PDS_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(mta|mail|mx|smtp)\b\S* /i | |
9425 | ||
9426 | if (version >= 3.004002) | |
9427 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9428 | body __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i | |
9429 | endif | |
9430 | endif | |
9431 | ||
9432 | if (version >= 3.004002) | |
9433 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9434 | body __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i | |
9435 | endif | |
9436 | endif | |
9437 | ||
9438 | if (version >= 3.004002) | |
9439 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9440 | body __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i | |
9441 | endif | |
9442 | endif | |
9443 | ||
9444 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9445 | if (version >= 3.004000) | |
9446 | meta __PDS_SHORT_URL __SHORT_URL && !__URL_SHORTENER && !__PDS_URISHORTENER && !ALL_TRUSTED | |
9447 | endif | |
9448 | endif | |
9449 | ||
9450 | if (version >= 3.004001) | |
9451 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
9452 | tflags __PDS_SPF_ONLYALL net | |
9453 | endif | |
9454 | endif | |
9455 | ||
| # From address is at gmail.com or googlemail.com (__PDS_FROM_GMAIL), but the Message-Id | |
| # does not carry the Gmail suffix (__PDS_GMAIL_MID) and __FSL_RELAY_GOOGLE did not hit. | |
| # NOTE(review): __FSL_RELAY_GOOGLE is defined outside this view; presumably it marks mail | |
| # relayed by Google - confirm before relying on this description. | |
9456 | meta __PDS_SPOOF_GMAIL_MID __PDS_FROM_GMAIL && !__PDS_GMAIL_MID && !__FSL_RELAY_GOOGLE | |
9457 | ||
9458 | header __PDS_TONAME_EQ_TOLOCAL To:raw =~ /^\s*['"]?([^'"]+)['"]? <?\1\@/ | |
9459 | ||
9460 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
9461 | header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism | |
9462 | endif | |
9463 | ||
9464 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
9465 | header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism | |
9466 | endif | |
9467 | ||
9468 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9469 | if (version >= 3.004000) | |
9470 | meta __PDS_TO_SUBJ_URISHRT __TO_IN_SUBJ && (__PDS_URISHORTENER || __URL_SHORTENER) && __PDS_MSG_1024 | |
9471 | endif | |
9472 | endif | |
9473 | ||
9474 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9475 | if (version >= 3.004000) | |
9476 | header __PDS_URISHORTENER eval:check_uri_host_listed('PDS_URISHORTENER') | |
9477 | endif | |
9478 | endif | |
9479 | ||
| # X-PHP-Script subrules. Each one hits when the header names a script under the listed | |
| # path: /.well-known/, WordPress wp-admin / wp-content / wp-includes asset directories, | |
| # or any /js/ directory. The WordPress and /js/ patterns require ".php for" right after | |
| # the script path; __PDS_X_PHP_WELLKNOWN only requires the directory and has no /i flag. | |
| # NOTE(review): presumably these are locations where a legitimate mail-sending script is | |
| # unusual, so a hit points at mail generated from a compromised site - confirm against | |
| # the scored rules that consume these subrules. | |
9480 | header __PDS_X_PHP_WELLKNOWN X-PHP-Script =~ m;/\.well-known/; | |
9481 | ||
9482 | header __PDS_X_PHP_WPADMIN X-PHP-Script =~ m;/wp-admin/(?:css|themes|js|images|user|maint)/[\S]+\.php for;i | |
9483 | ||
9484 | header __PDS_X_PHP_WPCONTENT X-PHP-Script =~ m;/wp-content/(?:themes|uploads)/[\S]+\.php for;i | |
9485 | ||
9486 | header __PDS_X_PHP_WPINCLUDES X-PHP-Script =~ m;/wp-includes/(?:css|fonts|js|pomo|Text|theme-compat)/[\S]+\.php for;i | |
9487 | ||
9488 | header __PDS_X_PHP_WPJS X-PHP-Script =~ m;/js/[\S]+\.php for;i | |
9489 | ||
9490 | meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0 | |
9491 | ||
9492 | body __PENDING_MESSAGES /\b(?:messages pending|(?:your|\d+[\])}]?) (?:pending|un(?:delivered|received)) (?:messages|e?-?mails))\b/i | |
9493 | ||
9494 | body __PERFECT_BINARY /\bperfect binary option\b/i | |
9495 | ||
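| # Attachment whose Content-Disposition filename ends in a document extension followed by | |
| # .htm/.html (for example "x.pdf.html"); the separator may be ".", "_", or a middle dot | |
| # given as raw UTF-8 bytes or percent-encoded. | |
| # Inside a character class "$" is a literal dollar sign, not an end anchor, so the | |
| # terminator now also accepts end of header; the literal "$" is kept for compatibility. | |
| # Without this, an unquoted filename that ends the header value was not matched. | |
9496 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9497 | mimeheader __PHISH_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:\.|%C2%B7|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?(?:[";$]|$)/i | |
9498 | endif | |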
9499 | ||
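| # Attachment whose Content-Type name parameter ends in a document extension followed by | |
| # .htm/.html (for example "x.pdf.html"); the separator may be ".", "_", or a UTF-8 | |
| # middle dot. | |
| # Inside a character class "$" is a literal dollar sign, not an end anchor, so the | |
| # terminator now also accepts end of header; the literal "$" is kept for compatibility. | |
| # Without this, an unquoted name that ends the header value was not matched. | |
9500 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9501 | mimeheader __PHISH_ATTACH_01_02 Content-Type =~ /\bname="?[^"]*(?:\.|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?(?:[";$]|$)/i | |
9502 | endif | |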
9503 | ||
9504 | meta __PHISH_FBASE_01 (__URI_FIREBASEAPP || __URI_WEBAPP) && __PDS_FROM_NAME_TO_DOMAIN && __MAIL_LINK | |
9505 | ||
9506 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9507 | body __PHOTO_RETOUCHING /\b(?:(?:retouching|(?:image|photo|pic)s? (?:[a-z]{1,15} ){0,3}(?:edit(?:ing|ors)|team|(?:cut+|mask|clip+|clean|crop+|resiz|enhanc|etch)ing|cut+(?:ing)?[-\s]?out|enhancement|manipulation|restoration|compositing|working|(?:color|contrast|brightnes+|background|make-?up) (?:cor+ection|change)|solution|work|services?)|(?<!that\s)(?<!\.\s)your (?:imag(?:es|ing)|pics)|photo\s?shop (?:expert|service)s?|(?:deliver (?:the|your) |(?:(?:send|throw|ship|drop|deliver|give|provide|e-?mail) us|(?:cut+(?:ing)?[-\s]?out|masking|(?:test|edit)(?:ing)?) (?:for|of|on|with)) (?:(?:an?|one|your|some|sample|test|example|the) )+)(?:image|photo|pic)s?|(?:proces+|edit)(?:\sover|\smore th[ae]n)? \d{2,5}\D? (?:image|photo|pic)s|improv(?:e|ing) (?:(?:image|photo|picture|pic) (?:quality|lighting)|(?:(?:image|photo|picture|pic) )?(?:resolution|contrast|background|color))|cor+ecting (?:color|contrast|brightnes+|background))\b|(?:e-?com+erce|website|jew[el]+r(?:[y's]+|ies)|model+(?:s|ing)?|products?|portraits?|graduation['s]*|school['s]*|bab(?:[y's]+|ies)|famil(?:[y's]+|ies)|kids|wedding|beauty|glamou?r|catalog['s]*|store['s]*|shop['s]*|(?:cut+(?:ing)?[-\s]?out|clip+ing\spath|(?:all|any) kinds? of|enhance|retouch|edit(?:ing)?)[,;]?(?:\s[a-z]{1,15}){0,4})\s(?:image|photo|pic)s?(?:[.,?]|$|\sand\b|\sor\b|\setc\b)|\b(?:imag(?:es|ing)|photos)\s\d+$)/i | |
9508 | tflags __PHOTO_RETOUCHING multiple maxhits=5 | |
9509 | endif | |
9510 | ||
9511 | header __PHPMAILER_MUA X-Mailer =~ /^PHPMailer\b/ | |
9512 | ||
9513 | meta __PHP_MUA __PHP_MUA_1 || __PHP_MUA_2 | |
9514 | ||
9515 | header __PHP_MUA_1 X-Mailer =~ /^PHP\s?v?\/?\d\./ | |
9516 | ||
9517 | header __PHP_MUA_2 X-Mailer =~ /^PHP\d$/ | |
9518 | ||
9519 | header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/ | |
9520 | ||
9521 | header __PHP_ORIG_SCRIPT_EVAL X-PHP-Originating-Script =~ /\beval\b.*\bcode\b/i | |
9522 | ||
9523 | meta __PHP_ORIG_SCRIPT_SONLY __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B) | |
9524 | ||
9525 | if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) | |
9526 | meta __PILL_PRICE_01 0 | |
9527 | endif | |
9528 | ||
9529 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9530 | body __PILL_PRICE_01 m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i | |
9531 | tflags __PILL_PRICE_01 multiple maxhits=3 | |
9532 | endif | |
9533 | ||
9534 | if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) | |
9535 | meta __PILL_PRICE_02 0 | |
9536 | endif | |
9537 | ||
9538 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9539 | body __PILL_PRICE_02 /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i | |
9540 | tflags __PILL_PRICE_02 multiple maxhits=3 | |
9541 | endif | |
9542 | ||
9543 | body __PLS_REVIEW /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i | |
9544 | ||
9545 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
9546 | header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to() | |
9547 | endif | |
9548 | ||
9549 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
9550 | header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof() | |
9551 | endif | |
9552 | ||
9553 | uri __PS_TEST_LOC_WP m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,128}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf|\.svg)[^?]{4}(?:\?[^?]{1,5})?$;i | |
9554 | ||
9555 | body __PUMPDUMP_01 /\b(?:times|multiply|tripl(?:e|ing)|quadrupl(?:e|ing)|quintupl(?:e|ing)) (?:your|an) (?:princip(?:al|le)|investment)\b/i | |
9556 | ||
9557 | body __PUMPDUMP_02 /\b(?:sto[ck]{2}|share price) (?:will |may |is (?:(?:about|poised|positioned|ready) to |gonna ))?(?:triple|quadruple|quintuple|soar|go(?:es?) (?:nuts|crazy|sky high|way up))\b/i | |
9558 | ||
9559 | body __PUMPDUMP_03 /\bbuy (?:[^.!]{1,30} )?(?:(?:(?:mon|tues|wednes|thurs|fri)day|tomorrow) (?:first thing|open|morning)|(?:first thing|opens|before) (?:(?:mon|tues|wednes|thurs|fri)day|tomorrow))/i | |
9560 | ||
9561 | body __PUMPDUMP_04 /\bmake you (?:big bucks|hundreds|thousands)\b/i | |
9562 | ||
9563 | body __PUMPDUMP_05 /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i | |
9564 | ||
9565 | body __PUMPDUMP_06 /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i | |
9566 | ||
9567 | body __PUMPDUMP_07 /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i | |
9568 | ||
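| # Pump-and-dump phrase "stock of the year"; sto[ck]{2} also accepts c/k swaps and "sotk" | |
| # covers a common misspelling. The group was written as "\b?(:...)", which is a capturing | |
| # group starting with a literal colon, so the plain phrase never matched and this subrule | |
| # contributed nothing to the __PD_CNT_1 sum. It is now "\b(?:...)" like its siblings. | |
9569 | body __PUMPDUMP_08 /\b(?:sto[ck]{2}|sotk) of the year/i | |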
9570 | ||
9571 | body __PUMPDUMP_09 /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i | |
9572 | ||
9573 | body __PUMPDUMP_10 /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i | |
9574 | ||
9575 | body __RANDOM_PICK /\b(?:random(?:ly)?\s(?:\w+\s)?(?:select(?:ion|ed)|pick(?:ed)?|computer)|(?:select|pick)ed\s(?:at\s)?random(?:ly)?|(?:esco(?:g|lh)idos|seleccion) (?:aleatoria(?:mente)?|al azar))\b/i | |
9576 | ||
9577 | header __RAND_HEADER ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent|Tracking-Code)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism | |
9578 | tflags __RAND_HEADER multiple maxhits=4 | |
9579 | ||
9580 | meta __RAND_HEADER_2 __RAND_HEADER > 1 | |
9581 | ||
9582 | header __RAND_MKTG_HEADER ALL =~ /^X-(?:[a-z]{2}){1,2}-(?:EBS|(?:Tracking|Subscriber|Delivery|Customer|Campaign)-[DSU]?id):/ism | |
9583 | ||
9584 | header __RATWARE_BOUND_A ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{10,400}boundary="----=_NextPart_000_...._\1\./msi # " | |
9585 | ||
9586 | header __RATWARE_BOUND_B ALL =~ /boundary="----=_NextPart_000_...._([0-9a-f]{8})\..{10,400}^Message-Id: <....\1\$[0-9a-f]{8}\$/msi # " | |
9587 | ||
9588 | header __RCD_RDNS_MAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmail[^a-z]/i | |
9589 | tflags __RCD_RDNS_MAIL nice | |
9590 | ||
9591 | header __RCD_RDNS_MAIL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mail/i | |
9592 | tflags __RCD_RDNS_MAIL_MESSY nice | |
9593 | ||
9594 | header __RCD_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmta[^a-z]/i | |
9595 | tflags __RCD_RDNS_MTA nice | |
9596 | ||
9597 | header __RCD_RDNS_MTA_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mta/i | |
9598 | tflags __RCD_RDNS_MTA_MESSY nice | |
9599 | ||
9600 | header __RCD_RDNS_MX X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmx[^a-z]/i | |
9601 | tflags __RCD_RDNS_MX nice | |
9602 | ||
| # "mx" anywhere in the rdns value that appears before the first "]" of | |
| # X-Spam-Relays-External; flagged "nice", so it is meant to count in the sender's favour. | |
| # NOTE(review): no /i here, unlike __RCD_RDNS_MAIL_MESSY and __RCD_RDNS_MTA_MESSY. | |
| # Confirm whether rdns is already lowercased before matching; if not, add /i. | |
9603 | header __RCD_RDNS_MX_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mx/ | |
9604 | tflags __RCD_RDNS_MX_MESSY nice | |
9605 | ||
9606 | header __RCD_RDNS_OB X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\boutbounds?[^a-z]/i | |
9607 | tflags __RCD_RDNS_OB nice | |
9608 | ||
9609 | header __RCD_RDNS_SMTP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bsmtps?[^a-z]/i | |
9610 | tflags __RCD_RDNS_SMTP nice | |
9611 | ||
| # "smtp" anywhere in the rdns value that appears before the first "]" of | |
| # X-Spam-Relays-External; flagged "nice", so it is meant to count in the sender's favour. | |
| # NOTE(review): no /i here, unlike __RCD_RDNS_MAIL_MESSY and __RCD_RDNS_MTA_MESSY. | |
| # Confirm whether rdns is already lowercased before matching; if not, add /i. | |
9612 | header __RCD_RDNS_SMTP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*smtp/ | |
9613 | tflags __RCD_RDNS_SMTP_MESSY nice | |
9614 | ||
9615 | header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\srdns=\S+\.edu\s/i | |
9616 | ||
9617 | meta __RCVD_DOTEDU_SHORT __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 ) | |
9618 | ||
9619 | meta __RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI ) | |
9620 | ||
9621 | header __RCVD_DOTGOV_EXT X-Spam-Relays-External =~ /\srdns=\S+\.gov\s/i | |
9622 | ||
9623 | header __RCVD_ZIXMAIL X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net / | |
9624 | ||
9625 | header __RDNS_LONG X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{30}/ | |
9626 | ||
9627 | header __RDNS_NO_SUBDOM X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\.\w+ / | |
9628 | ||
9629 | header __RDNS_NUMERIC_TLD X-Spam-Relays-External =~ /\srdns=\S+\.\d+\s/ | |
9630 | ||
9631 | header __RDNS_SHORT X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{4,14} / | |
9632 | ||
9633 | body __RECEIVE_BONUS /\byou(?:'ll)?(?: also| will)* (?:rec[ei]*ve|get|earn|collect|be (?:awarded|handed|remitted|given|paid|(?:greeted|welcomed|started) with)) (?:an? )?(?:gift|bonus|extra)(?: of|:)? \$[\d,]+/i | |
9634 | ||
9635 | header __RELAY_THRU_WWW Received =~ /from (?:[^ \@]+\@)?www\./ | |
9636 | ||
9637 | body __RELEASE_MESSAGES /\b(?:release messages|(?:retrieve|release|download) your(?: undelivered|unreceived|held|pending)? e?-?mails|(?:e?-?mails|messages).{1,20}download them now)\b/i | |
9638 | ||
9639 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { | |
9640 | meta __REMOTE_IMAGE (__HTML_IMG_ONLY || __HTML_LINK_IMAGE) && !(__SUBSCRIPTION_INFO || __VIA_ML || __SENDER_BOT || __ANY_IMAGE_ATTACH) | |
9641 | endif | |
9642 | ||
9643 | if (version >= 3.004002) | |
9644 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9645 | header __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD') | |
9646 | endif | |
9647 | endif | |
9648 | ||
9649 | header __REPLYTO_NOREPLY Reply-To =~ /\bno-?reply@/i | |
9650 | ||
9651 | header __REPTO_419_FRAUD_AOL_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.|ljaber)|brownchurchill|c(?:hanprivacy|ristinabruno|ustom_service)|d(?:hodgkins|onald_anderson)|evelynjoshua|f(?:d\.|ernandezfernandez)|george_clifford|hernandezrosemary|k\.doreen|l(?:erynnewest|izcarroll)|m_l\.wanczyk|p(?:aulpollard|eterwong)|r(?:achel_wat|oyalpalace)|s(?:gt\.gillianj|pwalker)|usembassy|webank|yurdaaytarkan))\d+\@aol\.com$/i | |
9652 | ||
9653 | header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:a(?:bu(?:lkareem|shadi)|c(?:aalzz|e(?:alss|cere))|desilgon|l(?:an\.austin|ber\.yang|ex(?:ander(?:daisy|peterson)|hoffman)|ghafrij|lenholden|ure\.wawrenka)|m(?:ericadeliverycomapny|inaltwaijiri)|n(?:dyfox|na(?:llee|sigurlaug))|radka|s(?:hwestwood|ianbae)|tm(?:mastercard|office)|yevayawovi|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|r(?:\.charles|isterlordruben)|teld\.huisman))|bongo|e(?:linekra|n(?:ezero|jaminsarah))|ill\.lawrence|mwautomobile|oarddept|r(?:avolpaul|endalaporte|ianmoynih)|uffettwarrene)|c(?:a(?:mluba|reisu)|bnatm|elineroullier|h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|la(?:imadviser|xtonpaul)|o(?:l(?:\.fakhrialsalabi|inchrisweir|o(?:mbasjuan|nelsaad))|n(?:sultancy|tactad)|operation)|r(?:awfordgillies|istbrun?)|ustomerservicelacaixa)|d(?:a(?:nielzulu|v(?:i(?:d(?:\.loanfirm|ibe|larbi|pere|ramirez\.luis)|scarolyn|yax)|ychan))|e(?:btm|nnis(?:clark|quaid)|partmentofstate)|ipfrancis|minique|ona(?:ldwilliam|tionhelpercare)|r(?:\.wilsonpaul|davidrhama|joesimon|ovieogor)|unsilva)|e(?:benezero|christina|dwinfreeman|l(?:i(?:bethgomez|sabethmaria|zabethedw)|otocashoffice)|m(?:ailpostlink|efieleg?|ilyrichmond)|renakgeorge|ssexlss)|f(?:\.mikhail|a(?:ithdesrie|tme\.mehmed)|blott|laurentdz|r(?:a(?:100dub|n(?:c(?:espatrickconnolly|iscamendoza)|kjane))|eelottosweepstake)|ulanlan)|g(?:00gleggewinner|a(?:brielkalia|ryakinson)|bill|e(?:neralwilliamstony|orgekwame|r(?:aldjhjh|tjanvlieghe))|iidp|l(?:enmoore|oriachow)|o(?:o(?:golteam|oglegwiinner)|vgodwinemefiele)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:old\.dia|ryebert)|sh(?:imyreem|mireem))|e(?:a(?:dofficecentre|therbrooeke)|ctor(?:castillos|scastillo))|gold|heba\.hhassan|ildad|o(?:lsemeyerole|nmackjohn|rnbeckmajordennis|seoky)|trryt)|i(?:bed|n(?:fo(?:98cbnoffice|aprl)|gridrolle|ternationallppp)|smailtar
kan)|j(?:a(?:cobmaseon|mes(?:husmansdesk|okoh)|vierlesme)|e(?:ff(?:deandk|erydean)|ssikasingh)|imyang|o(?:e(?:dward|kendal)|hn(?:griffn|r(?:awlings|oxfordjr)|sonwilson|tanko|uba|walterlove|a)|nesandassociates|sephacevedo|ymrskone)|rawlings|uliet\.lee?)|k(?:a(?:lstromjames|malnizar|rabo\.ramala|t(?:hilittman|jamess|rinaziako))|e(?:lsawamelia|n(?:mckay|nedy\.sawadogo))|halidbuhazza|kasbu|rnkl|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:ndfair\.co\.uk|rynne(?:0west|west))|i(?:amfinchus|liane\.bettencourt|n(?:elink|glung)|xiungl?)|john|o(?:ttyoffice|u(?:ghreymargaret|isdreyfusmargarita))|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:ckoliver|incare|jor(?:dennishornbeck|townsend)|n(?:duesq|fran|uelfranco(?:foundation)?)|r(?:i(?:ahhills|nacoleman|opabl)|k(?:roth|uses)|y(?:franson|jify00aaz))|s(?:onmanny|pencer)|ttwilly|urhinck|viswanczyk(?:(?:foundation|k))?)|c\.cheadychang|dredban|e(?:lvidabullock|nnss)|gfrederick|i(?:c(?:healwuu|w)|khai(?:\.fridman|lfridm))|k(?:ent|untjoro)|o(?:ham(?:edabdul|madraqab)|rienkal)|r(?:\.justinmaxwell|cjames|hanimuhammad|jamesmc|martine|paulfrank|richardanthony|s(?:\.(?:biyufungchi|susanread)|a(?:ishaalqadafi|ngela)|gracewoods|hamima|jackman|maureens|r(?:obinsanders|uthsmith)|sarahbenjamin))|s(?:agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|obuyuki\.hirano)|o(?:\.peace|fficerricherd|hallkenneth|liviemorgan|vieogor)|p(?:\.compton|a(?:storfrancesco|ul(?:eed|n)|ymentofficer)|brookk|eter(?:\.waddell|guggi|kenin|stephen)|hillip\.richead|ieterstevens|resleybathini)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymond(?:aba|damon))|e(?:beccagarang|em(?:has(?:himy|m)|n)|plyback|v(?:\.jamesabel|frankjackson))|i(?:chardw(?:ahl|illis)|tawilliams)|o(?:berthanandez|naldmorris|s(?:a\.gomes|e(?:kipkalya|tam)))|t\.rev\.ericmark)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cottpeters|e(?:cretservicce|rgeantrobertbrown)|h(?:anemissler|e(?:ikhalmaktoum|ry(?:\.gtl|etr))|inawatrathaksin)|imlkh
eng|krause|ofia\.adams|peelman|sdt|tephentam|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:ay(?:ebsouami|lorcathy)|erryparkins|h(?:ailandbankoffice|e(?:ara\.choy|bigbiglottowinning|odorosloannis|resawilliams|smithfm))|imothymetheny|lyerdonald|o(?:mc(?:hrist|rist(?:(?:donation|foundation))?)|ny(?:\.chung|zimpro)|shikazusendo))|u(?:marukareem|n(?:claimedfunds|itednation(?:organization|s))|sdepartmentofjustice)|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut))|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|i(?:elandherzog\.sw\.herad|ge|ll(?:clark|iamrobert|update))|u(?:\.office|mt)|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo)|z(?:enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i | |
9654 | ||
9655 | header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|gaaintl\-4g5ee\.w|lesiakalina|nn(?:awax|hester\.usa))|b(?:a(?:nk\.phbng|rr(?:ister\.dennis|lawrencefubara))|en(?:jaminb|nicholas)|riceangela)|c(?:\.(?:aroline|coulibaly)|h(?:arlesscharf|jackson)|juan|ollins(?:mattew|wayne)|ythiamiller\.un)|d(?:hamilton|i(?:aanesoto|plomaticagent))|ericalbert|f(?:aizaadama|ederal\.r)|graham\.eddie|infobank|j(?:\.edwards|a(?:ckson\.davis|netemoon)|kimyong)|k(?:elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|ge|hman)|isarobinson_|y_cheapiseth)|m(?:arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye)|rkellyayi|unny(?:\.sopheap|_sopheap))|n(?:estordaniel|orahuz)|o(?:fficial_franksylvester|legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|i(?:chard\.w|taadamsw)|o(?:b(?:ertbailey|orts)|serichard))|s(?:amthong|igurlauganna|leo|mithcolin|pwalker|tevecox\.)|tylerhess\.|u(?:butu|kdebtmanagement)|vanserge|will(?:clark|iamsimon)|xianglongdai))\d+\@yahoo\.com$/i | |
9656 | ||
9657 | header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i | |
9658 | ||
9659 | header __REPTO_RUS_FREEM Reply-To =~ /\@mail\.ru/i | |
9660 | ||
9661 | if !((version >= 3.003000)) | |
9662 | meta __RP_MATCHES_RCVD 0 | |
9663 | endif | |
9664 | ||
9665 | if (version >= 3.003000) | |
9666 | if !plugin(Mail::SpamAssassin::Plugin::WLBLEval) | |
9667 | meta __RP_MATCHES_RCVD 0 | |
9668 | endif | |
9669 | endif | |
9670 | ||
9671 | if (version >= 3.003000) | |
9672 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9673 | header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd() | |
9674 | endif | |
9675 | endif | |
9676 | ||
9677 | body __SCAM /\bscam(?:m?e[dr])?s?\b/i | |
9678 | ||
9679 | rawbody __SCRIPT_GIBBERISH /<script>[^;<]{100}/im | |
9680 | ||
9681 | body __SCRIPT_TAG_IN_BODY /<script>/i | |
9682 | ||
9683 | body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i | |
9684 | ||
9685 | header __SENDER_BOT ALL =~ /(?:not?\W?repl[yi]|bounce|contact|daemon|subscri|report|respon[ds]e?r?s?\b|\b(?:root|news|nobody|agent|(?:post|web)?master|manag|send(?:er|ing)?|out|(?:bot|web|www)\b))[^\@ >]{0,5}s?\@\w/i | |
9686 | tflags __SENDER_BOT nice | |
9687 | ||
9688 | uri __SENDGRID_REDIR m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=, | |
9689 | ||
9690 | meta __SENDGRID_REDIR_NOPHISH __SENDGRID_REDIR && !__SENDGRID_REDIR_PHISH | |
9691 | ||
9692 | meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || T_FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ ) | |
9693 | ||
9694 | body __SHARE_IT /\b(?:(?:share|allocate|teilen|parteger(?:ez|ons)?|partage)\s(?:th(?:e|is)|das|les?|des)\s(?:proceeds|funds?|money|balance|account|geld|compte|fonds)|partager(?:ez|ons)? (?:avec (?:vous|moi)|ratio|suivant un pourcentage))\b/i | |
9695 | ||
9696 | meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY | |
9697 | ||
9698 | meta __SHORTENER_SHORT_SUBJ __URL_SHORTENER && __SUBJ_SHORT | |
9699 | ||
9700 | meta __SHORT_BODY_G_DRIVE __BODY_URI_ONLY && __LCL__KAM_BODY_LENGTH_LT_512 && __PDS_GOOGLE_DRIVE_FILE | |
9701 | ||
9702 | meta __SHORT_BODY_G_DRIVE_DYN __SHORT_BODY_G_DRIVE && (RDNS_DYNAMIC || HELO_DYNAMIC_IPADDR || HELO_DYNAMIC_HCC || FSL_HELO_NON_FQDN_1) | |
9703 | ||
9704 | uri __SHORT_URL /^https?:\/\/[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/ | |
9705 | ||
9706 | body __SINGLE_WORD_LINE /^\s?\S{1,60}\s?$/ | |
9707 | tflags __SINGLE_WORD_LINE multiple maxhits=2 | |
9708 | ||
9709 | header __SINGLE_WORD_SUBJ Subject =~ /^\s*\S{1,60}\s*$/ | |
9710 | ||
9711 | header __SMIME_MESSAGE Content-Type =~ /application\/pkcs7-mime;/i | |
9712 | ||
9713 | rawbody __SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/ | |
9714 | tflags __SPAN_BEG_TEXT multiple maxhits=5 | |
9715 | ||
9716 | rawbody __SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/ | |
9717 | tflags __SPAN_END_TEXT multiple maxhits=5 | |
9718 | ||
9719 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
9720 | meta __SPF_FULL_PASS 0 | |
9721 | endif | |
9722 | ||
9723 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
9724 | meta __SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS) | |
9725 | tflags __SPF_FULL_PASS net | |
9726 | endif | |
9727 | ||
9728 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
9729 | meta __SPF_RANDOM_SENDER 0 | |
9730 | endif | |
9731 | ||
9732 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
9733 | meta __SPF_RANDOM_SENDER (SPF_HELO_PASS && !SPF_PASS) | |
9734 | tflags __SPF_RANDOM_SENDER net | |
9735 | endif | |
9736 | ||
9737 | meta __SPOOFED_FREEMAIL !__NOT_SPOOFED && FREEMAIL_FROM | |
9738 | tflags __SPOOFED_FREEMAIL net | |
9739 | ||
9740 | meta __SPOOFED_FREEM_REPTO __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO | |
9741 | tflags __SPOOFED_FREEM_REPTO net | |
9742 | ||
| # Anchor whose visible text is itself a URL that differs from the href target. | |
| # Group 1 captures "http:" or "https:" plus the next 9 to 30 characters of the href | |
| # ("(?:3D)?" tolerates a quoted-printable "=3D" after "href="). After the opening tag, | |
| # and up to 99 nested tags other than "</a", the text must start with http/https but | |
| # must not start with the captured prefix. | |
| # Every repetition is bounded; presumably this keeps backtracking in check on large | |
| # raw HTML bodies - keep the bounds if this pattern is edited. | |
9743 | rawbody __SPOOFED_URL m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i | |
9744 | ||
9745 | meta __STATIC_XPRIO_OLE __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE | |
9746 | ||
9747 | body __STAY_HOME /\b(?:going out of|leaving)(?: your)? (?:home|house|residence)\b/i | |
9748 | ||
9749 | body __STOCK_TIP /\bsto[ck]{2}\s?tip\b/i | |
9750 | ||
9751 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9752 | rawbody __STY_INVIS /\bstyle\s*=\s*"[^">]{0,80}(?:(?<!-)visibility\s*:\s*hidden\s*|display\s*:\s*none\s*)[;"!]/i | |
9753 | tflags __STY_INVIS multiple maxhits=6 | |
9754 | endif | |
9755 | ||
9756 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9757 | meta __STY_INVIS_1 __STY_INVIS == 1 | |
9758 | endif | |
9759 | ||
9760 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9761 | meta __STY_INVIS_1_MINFP __STY_INVIS_1 && !MIME_QP_LONG_LINE && !__MOZILLA_MSGID | |
9762 | endif | |
9763 | ||
9764 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9765 | meta __STY_INVIS_2 __STY_INVIS > 1 | |
9766 | endif | |
9767 | ||
9768 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9769 | meta __STY_INVIS_3 __STY_INVIS > 2 | |
9770 | endif | |
9771 | ||
9772 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9773 | meta __STY_INVIS_DIRECT __STY_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED | |
9774 | endif | |
9775 | ||
9776 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9777 | meta __STY_INVIS_MANY __STY_INVIS > 5 | |
9778 | endif | |
9779 | ||
9780 | header __SUBJECT_EMPTY Subject:raw =~ /^\s*$/ | |
9781 | ||
9782 | meta __SUBJECT_PRESENT_EMPTY __HAS_SUBJECT && __SUBJECT_EMPTY | |
9783 | ||
9784 | header __SUBJ_ADMIN Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i | |
9785 | ||
9786 | meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU | |
9787 | ||
9788 | header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/ | |
9789 | tflags __SUBJ_BROKEN_WORD multiple maxhits=2 | |
9790 | ||
9791 | meta __SUBJ_DOM_ADMIN __SUBJ_ADMIN && __PDS_FROM_NAME_TO_DOMAIN | |
9792 | ||
9793 | header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,:\s\n]/ism | |
9794 | ||
9795 | header __SUBJ_HAS_TO_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism | |
9796 | ||
9797 | header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism | |
9798 | ||
9799 | header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism | |
9800 | ||
9801 | header __SUBJ_NOT_SHORT Subject =~ /^.{16}/ | |
9802 | ||
9803 | header __SUBJ_OBFU_PUNCT Subject =~ /(?:[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|(?:[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z](?![a-z])))/i | |
9804 | tflags __SUBJ_OBFU_PUNCT multiple maxhits=4 | |
9805 | ||
9806 | header __SUBJ_RE Subject =~ /^(?:R[eE]|S[vV]|V[sS]|A[wW]):/ | |
9807 | ||
9808 | header __SUBJ_SHORT Subject =~ /^.{0,8}$/ | |
9809 | ||
9810 | header __SUBJ_UNNEEDED_HTML Subject =~ /%[0-9a-f][0-9a-f]/i | |
9811 | tflags __SUBJ_UNNEEDED_HTML multiple maxhits=3 | |
9812 | ||
9813 | header __SUBJ_USB_DRIVES Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/ | |
9814 | ||
9815 | body __SUBSCRIPTION_INFO /\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/i | |
9816 | tflags __SUBSCRIPTION_INFO nice | |
9817 | ||
9818 | body __SUM_OF_FUND /\b(?:sum|release|freigabe)\s(?:of|der)\s(?:amount|fund|investment|mittel)\b/i | |
9819 | ||
9820 | body __SURVEY /\bsurvey\b/i | |
9821 | ||
9822 | body __SURVIVORS /\b(?:widow|son|daughter|husband|wife|brother|sister|attorney|vi(?:=FA|[\xfa]|[\xc3][\xba])va|esposa|veuve)\s(?:of|to|do|de)\s(?:the\s)?(?:late|falecido|finales|feu|d(?:e|=E9|[\xe9]|[\xc3][\xa9])funt|mr\.?)\s\w+\b/i | |
9823 | ||
9824 | body __SUSPICION_LOGIN /\bsuspicion login\b/i | |
9825 | ||
9826 | body __SYSADMIN /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management|security|admin(?:istrat(?:or|ion))?) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i | |
9827 | ||
9828 | meta __TAGSTAT_IMG_NOT_RCVD_TGST __URI_IMG_TAGSTAT && !__HDR_RCVD_TAGSTAT | |
9829 | ||
9830 | header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/ | |
9831 | ||
9832 | rawbody __TENWORD_GIBBERISH /^\s*(?:[a-z]+\s+){10}\.$/m | |
9833 | tflags __TENWORD_GIBBERISH multiple maxhits=21 | |
9834 | ||
9835 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9836 | mimeheader __TEXT_XML_MT Content-Type =~ m,\btext/xml\b,i | |
9837 | endif | |
9838 | ||
9839 | body __THEY_INHERIT /\b(?:inherit\sth(?:e|is)\smoney|herede\sest[ea]\sdinero)\b/i | |
9840 | ||
9841 | body __THIS_AD /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i | |
9842 | ||
9843 | meta __THREADED (!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF) | |
9844 | tflags __THREADED nice | |
9845 | ||
9846 | header __THREAD_INDEX_GOOD Thread-Index =~ m,^A[a-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==|[A-Za-z0-9+/]{7}|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$, | |
9847 | ||
9848 | header __TO_ALL_NUMS To:addr =~ /^\d+@/ | |
9849 | ||
9850 | meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX | |
9851 | ||
9852 | meta __TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE | |
9853 | ||
| # __TO_EQ_FM_DOM_SPF_FAIL: From: and To: share a domain and SPF fails. | |
| # The name is defined twice: as the constant 0 when the SPF plugin is not | |
| # loaded, so it still exists for any meta that refers to it, and as the | |
| # real combination when the plugin is available. | |
9854 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
9855 | meta __TO_EQ_FM_DOM_SPF_FAIL 0 | |
9856 | endif | |
9857 | ||
9858 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
9859 | meta __TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FROM_DOM && SPF_FAIL | |
| # tflags net: the result depends on network lookups (SPF_FAIL needs DNS). | |
9860 | tflags __TO_EQ_FM_DOM_SPF_FAIL net | |
9861 | endif | |
9862 | ||
9863 | meta __TO_EQ_FM_HTML_ONLY __TO_EQ_FROM && MIME_HTML_ONLY | |
9864 | ||
| # __TO_EQ_FM_SPF_FAIL: same two-definition pattern, but for an identical | |
| # full address (__TO_EQ_FROM) rather than an identical domain. | |
9865 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
9866 | meta __TO_EQ_FM_SPF_FAIL 0 | |
9867 | endif | |
9868 | ||
9869 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
9870 | meta __TO_EQ_FM_SPF_FAIL __TO_EQ_FROM && SPF_FAIL | |
9871 | tflags __TO_EQ_FM_SPF_FAIL net | |
9872 | endif | |
9873 | ||
| # __TO_EQ_FROM: the address in From: appears again in To:. | |
| # Both regexes run against ALL, the whole header block as one string. Group 1 | |
| # captures the address from the first header and \1 must recur in the second, | |
| # so _1 covers From: before To: and _2 covers the reverse order. | |
| # Each header line skipped between the two must be 1-100 characters long, | |
| # per (?:[^\n]{1,100}\n)*. | |
| # Names starting with a double underscore are unscored subrules; they only | |
| # contribute through the metas that combine them. | |
9874 | meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2) | |
9875 | describe __TO_EQ_FROM To: same as From: | |
9876 | ||
9877 | header __TO_EQ_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism | |
9878 | ||
9879 | header __TO_EQ_FROM_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism | |
9880 | ||
| # __TO_EQ_FROM_DOM: same structure, but group 1 is the text after the first | |
| # @ of the first header, so only the domain part has to recur after an @ in | |
| # the second header. | |
9881 | meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2) | |
9882 | describe __TO_EQ_FROM_DOM To: domain same as From: domain | |
9883 | ||
9884 | header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+[^\n]+@\1[>,\s\n]/ism | |
9885 | ||
9886 | header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+[^\n]+@\1[>,\s\n]/ism | |
9887 | ||
9888 | meta __TO_EQ_FROM_USR (__TO_EQ_FROM_USR_1 || __TO_EQ_FROM_USR_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT) | |
9889 | describe __TO_EQ_FROM_USR To: username same as From: username | |
9890 | ||
9891 | header __TO_EQ_FROM_USR_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism | |
9892 | ||
9893 | header __TO_EQ_FROM_USR_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism | |
9894 | ||
9895 | meta __TO_EQ_FROM_USR_NN (__TO_EQ_FROM_USR_NN_1 || __TO_EQ_FROM_USR_NN_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT) | |
9896 | describe __TO_EQ_FROM_USR_NN To: username same as From: username sans trailing nums | |
9897 | ||
9898 | header __TO_EQ_FROM_USR_NN_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism | |
9899 | ||
9900 | header __TO_EQ_FROM_USR_NN_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism | |
9901 | ||
9902 | meta __TO_EQ_FROM_USR_NN_MINFP __TO_EQ_FROM_USR_NN && !__TO_EQ_FROM_USR_1 && !__TO_EQ_FROM && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__DKIM_EXISTS && !__NOT_SPOOFED && !__RCD_RDNS_SMTP && !__RCD_RDNS_MX_MESSY && !__THREADED | |
9903 | ||
9904 | meta __TO_IN_SUBJ (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3) | |
9905 | ||
9906 | header __TO_NO_ARROWS_R To !~ /(?:>$|>,)/ | |
9907 | ||
9908 | if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
9909 | meta __TO_NO_BRKTS_FREEMAIL 0 | |
9910 | endif | |
9911 | ||
9912 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
9913 | meta __TO_NO_BRKTS_FREEMAIL __TO_NO_ARROWS_R && (FREEMAIL_FROM || FREEMAIL_REPLYTO) | |
9914 | endif | |
9915 | ||
9916 | meta __TO_NO_BRKTS_FROM_RUNON __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && __FROM_RUNON | |
9917 | ||
9918 | meta __TO_NO_BRKTS_HTML_IMG __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMG | |
9919 | ||
9920 | meta __TO_NO_BRKTS_HTML_ONLY __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLY | |
9921 | ||
9922 | meta __TO_NO_BRKTS_MSFT __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS) | |
9923 | ||
9924 | meta __TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_HTML_ONLY && RDNS_NONE | |
9925 | ||
9926 | meta __TO_NO_BRKTS_PCNT __TO_NO_ARROWS_R && __FB_NUM_PERCNT | |
9927 | ||
9928 | meta __TO_TOO_MANY_WFH_01 __TO_WAY_TOO_MANY && __WFH_01 | |
9929 | ||
9930 | header __TO_UNDISCLOSED To =~ /\b(?:undisclosed[-\s]recipients|destinataires inconnus|destinatari nascosti)\b/i | |
9931 | ||
9932 | header __TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,90}){50}/ | |
9933 | ||
9934 | body __TO_YOUR_ACCT /\b(?:(?:f[uo]nds|money|f[uo]ndo|dinheiro|bank)\s(?:\w{1,10}\s){0,4}(?:transfer(?:red)?|transferido|sont)|\d+)\s(?:to|para|en)\s(?:your?|sua|votre)\s(?:account|conta|pos+es+ion)/i | |
9935 | ||
9936 | body __TO_YOUR_ORG /\b(?:to|for) your organi[sz]ation\b/i | |
9937 | ||
9938 | header __TO___LOWER ALL =~ /to:\s\S{5}/ | |
9939 | ||
9940 | body __TRANSFORM_LIFE /\b(transform|change) your (?:daily )?life(?:style)?\b/i | |
9941 | ||
9942 | body __TRAVEL_AGENT /\btravel\sagen(?:t|cy)\b/i | |
9943 | ||
9944 | body __TRAVEL_BUSINESS /\bbusiness\stravel\b/i | |
9945 | ||
9946 | body __TRAVEL_ITINERARY /(?:travel|ticketed|your|current) itinerary/i | |
9947 | ||
9948 | meta __TRAVEL_MANY (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2 | |
9949 | ||
9950 | body __TRAVEL_PROFILE /\btravel+er\sprofile\b/i | |
9951 | ||
9952 | body __TRAVEL_RESERV /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i | |
9953 | ||
9954 | body __TRTMT_DEFILED /\bdefiled\sall\s(?:forms\sof\s)?(?:medical\s)?treatments?\b/i | |
9955 | ||
9956 | body __TRUNK_BOX /\b(?:(?:trunk|metallic|proof|security|consignment)\sbox(?:es)?|sealed\ssafe|une mallette m(?:e|=E9|[\xe9]|[\xc3][\xa9])tallique)\b/i | |
9957 | ||
9958 | body __TRUSTED_CHECK /\b(?:cashier'?s?|certified)\sche(?:ck|que)/i | |
9959 | ||
9960 | header __TT_BROKEN_VALIUM Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i | |
9961 | ||
9962 | header __TT_BROKEN_VIAGRA Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i | |
9963 | ||
9964 | header __TT_OBSCURED_VALIUM Subject =~ /(v|V|\\\/)(a|A|\(a\)|4|@)(l|L|\|)(i|I|1|\xef|\|)(u|U|\(u\))(m|M)/ | |
9965 | ||
9966 | header __TT_OBSCURED_VIAGRA Subject =~ /(v|V|\\\/)(i|I|1|\xef|\|)(a|A|\(a\)|4|@)(g|G)(r|R)(a|A|\(a\)|4|@)/ | |
9967 | ||
9968 | header __TT_VALIUM Subject =~ /VALIUM/i | |
9969 | ||
9970 | header __TT_VIAGRA Subject =~ /VIAGRA/i | |
9971 | ||
9972 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9973 | mimeheader __TVD_FW_GRAPHIC_ID1 Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/ | |
9974 | endif | |
9975 | ||
9976 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9977 | mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i | |
9978 | endif | |
9979 | ||
9980 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9981 | mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i | |
9982 | endif | |
9983 | ||
9984 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9985 | mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i | |
9986 | endif | |
9987 | ||
9988 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9989 | mimeheader __TVD_OUTLOOK_IMG Content-Id =~ /<image\d+\.(?:gif|jpe?g|png)\@/ | |
9990 | endif | |
9991 | ||
| # __TVD_PH_BODY_*: body phrases of the kind found in account and payment | |
| # phishing notices ("placed on restricted status", "multiple password | |
| # failures", ...). All are unscored subrules. | |
| # (?:[a-z_,-]+ )+? and (?:[a-z_,-]+ )*? are lazy runs of filler words, so a | |
| # phrase still matches when extra words sit between its fixed parts. | |
9992 | body __TVD_PH_BODY_01 /\baccount .{0,20}placed? [io]n restricted status/i | |
9993 | ||
9994 | body __TVD_PH_BODY_02 /\brecords (?:[a-z_,-]+ )+?(?:feature|(?:a|re)ward)/i | |
9995 | ||
9996 | body __TVD_PH_BODY_03 /\byou(?:'ve| have) been (?:[a-z_,-]+ )+?payment/i | |
9997 | ||
| # The negative lookaheads exempt "funds transfer from", "funds from", | |
| # "funds in" and "funds via". | |
9998 | body __TVD_PH_BODY_04 /\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/i | |
9999 | ||
10000 | body __TVD_PH_BODY_05 /\bthis is (?:[a-z_,-]+ )+?protect (?:[a-z_,-]+ )+?your/i | |
10001 | ||
10002 | body __TVD_PH_BODY_06 /Dear [a-z]+ bank (?:member|customer)/i | |
10003 | ||
10004 | body __TVD_PH_BODY_07 /\bguarantee the safety of your (?:[a-z_,-]+ )*?account/i | |
10005 | ||
10006 | body __TVD_PH_BODY_08 /\bmultiple password failures/i | |
10007 | ||
| # ACCOUNTS_POST: an action verb, then filler words, then "account(s)". | |
| # ACCOUNTS_PRE: "account(s)", then filler words, then a status word. | |
10008 | body __TVD_PH_BODY_ACCOUNTS_POST /\b(?:(?:[dr]e-?)?activat[a-z]*|(?:re-?)?validate|secure|restore|confirm|update|suspend) (?!your)(?:[a-z_,-]+ )+?accounts?\b/i | |
10009 | ||
10010 | body __TVD_PH_BODY_ACCOUNTS_PRE /\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i | |
10011 | ||
| # __TVD_PH_BODY_META is true when any of _01 to _08 hits. | |
| # __TVD_PH_BODY_ACCOUNTS_POST and __TVD_PH_BODY_ACCOUNTS_PRE are not part | |
| # of it. | |
10012 | meta __TVD_PH_BODY_META __TVD_PH_BODY_01 || __TVD_PH_BODY_02 || __TVD_PH_BODY_03 || __TVD_PH_BODY_04 || __TVD_PH_BODY_05 || __TVD_PH_BODY_06 || __TVD_PH_BODY_07 || __TVD_PH_BODY_08 | |
10013 | ||
10014 | header __TVD_PH_SUBJ_00 Subject =~ /\brewards? survey\b/i | |
10015 | ||
10016 | header __TVD_PH_SUBJ_02 Subject =~ /\byour payment has been sent\b/i | |
10017 | ||
10018 | header __TVD_PH_SUBJ_04 Subject =~ /\baccounts? profile\b/i | |
10019 | ||
10020 | header __TVD_PH_SUBJ_15 Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i | |
10021 | ||
10022 | header __TVD_PH_SUBJ_17 Subject =~ /\bremove limitations?\b/i | |
10023 | ||
10024 | header __TVD_PH_SUBJ_18 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i | |
10025 | ||
10026 | header __TVD_PH_SUBJ_19 Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i | |
10027 | ||
10028 | header __TVD_PH_SUBJ_29 Subject =~ /^notice(?::|[\s\W]*$)/i | |
10029 | ||
10030 | header __TVD_PH_SUBJ_31 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i | |
10031 | ||
10032 | header __TVD_PH_SUBJ_36 Subject =~ /\bconsumer notice\b/i | |
10033 | ||
10034 | header __TVD_PH_SUBJ_37 Subject =~ /\bvalued member[a-z]*\b/i | |
10035 | ||
10036 | header __TVD_PH_SUBJ_38 Subject =~ /\bonline bank[a-z]*\b/i | |
10037 | ||
10038 | header __TVD_PH_SUBJ_39 Subject =~ /\bonline department\b/i | |
10039 | ||
10040 | header __TVD_PH_SUBJ_41 Subject =~ /\bunusual activity\b/i | |
10041 | ||
10042 | header __TVD_PH_SUBJ_52 Subject =~ /\b(?:account|online) profile\b/i | |
10043 | ||
10044 | header __TVD_PH_SUBJ_54 Subject =~ /\bun-?authorized access(?:es)?\b/i | |
10045 | ||
10046 | header __TVD_PH_SUBJ_56 Subject =~ /\brespond now\b/i | |
10047 | ||
10048 | header __TVD_PH_SUBJ_58 Subject =~ /\bbilling service\b/i | |
10049 | ||
10050 | header __TVD_PH_SUBJ_59 Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i | |
10051 | ||
10052 | header __TVD_PH_SUBJ_ACCESS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i | |
10053 | ||
10054 | meta __TVD_PH_SUBJ_META __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST | |
10055 | ||
10056 | meta __TVD_SPACE_ENCODED (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED) | |
10057 | ||
10058 | if !plugin(Mail::SpamAssassin::Plugin::BodyEval) | |
10059 | meta __TVD_SPACE_RATIO 0 | |
10060 | endif | |
10061 | ||
10062 | header __TVD_SUBJ_NUM_OBFU Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i | |
10063 | ||
10064 | meta __T_PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512 || __PDS_QP_512) | |
10065 | ||
10066 | header __UA_GNUS User-Agent =~ /^Gnus/ | |
10067 | ||
10068 | header __UA_IMP User-Agent =~ /^Internet Messaging Program/ | |
10069 | ||
10070 | header __UA_KMAIL User-Agent =~ /^KMail/ | |
10071 | ||
10072 | header __UA_KNODE User-Agent =~ /^KNode/ | |
10073 | ||
10074 | header __UA_MOZ5 User-Agent =~ /^Mozilla\/5/ | |
10075 | ||
10076 | header __UA_MSENTOUR User-Agent =~ /^Microsoft-Entourage/ | |
10077 | ||
10078 | header __UA_MSOEMAC User-Agent =~ /^Microsoft-Outlook-Express-Mac/ | |
10079 | ||
10080 | header __UA_MSOMAC User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/ | |
10081 | ||
10082 | header __UA_MUTT User-Agent =~ /^Mutt/ | |
10083 | ||
10084 | header __UA_OPERA7 User-Agent =~ /^Opera7/ | |
10085 | ||
10086 | header __UA_PAN User-Agent =~ /^Pan/ | |
10087 | ||
10088 | header __UA_XNEWS User-Agent =~ /^Xnews/ | |
10089 | ||
10090 | body __UC_GIBB_OBFU /\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/ | |
10091 | tflags __UC_GIBB_OBFU multiple maxhits=2 | |
10092 | ||
10093 | body __UN /\bunited\snations?\b/i | |
10094 | ||
10095 | meta __UNDISC_FREEM __TO_UNDISCLOSED && __freemail_replyto | |
10096 | ||
10097 | meta __UNDISC_MONEY __TO_UNDISCLOSED && (__ADVANCE_FEE_2_NEW || LOTS_OF_MONEY) | |
10098 | ||
| # Unicode obfuscation subrules. Every rule in this group is guarded by | |
| # can(Mail::SpamAssassin::Conf::feature_bug6558_free), so none of them is | |
| # defined on an installation that lacks that feature. | |
| # | |
| # __UNICODE_OBFU_ASC: ASCII text with Cyrillic look-alike letters mixed in. | |
| # The byte pairs are UTF-8 for U+0430, U+0435, U+043E (\xd0 + \xb0/\xb5/\xbe) | |
| # and U+0440, U+0441 (\xd1 + \x80/\x81): Cyrillic a, ie, o, er, es, which | |
| # render like Latin a, e, o, p, c. A hit needs two such runs separated by | |
| # 1-8 ASCII letters or digits. | |
10099 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
10100 | body __UNICODE_OBFU_ASC /[a-z0-9\s](?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9]{1,8}(?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9\s]/i | |
| # Hits are counted per message, up to a cap of ten. | |
10101 | tflags __UNICODE_OBFU_ASC multiple maxhits=10 | |
10102 | endif | |
10103 | ||
| # With the cap at ten, "> 9" is true only when the cap is reached. | |
10104 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
10105 | meta __UNICODE_OBFU_ASC_MANY __UNICODE_OBFU_ASC > 9 | |
10106 | endif | |
10107 | ||
| # __UNICODE_OBFU_ZW: zero-width characters placed inside words. | |
| # \xe2\x80 + \x8b/\x8c/\x8d are UTF-8 for U+200B ZERO WIDTH SPACE, U+200C | |
| # ZERO WIDTH NON-JOINER and U+200D ZERO WIDTH JOINER; \xef\xbb\xbf is U+FEFF. | |
| # NOTE(review): the lone \x9d is not a complete UTF-8 sequence; presumably | |
| # it covers a single-byte encoding - confirm. | |
10108 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
10109 | body __UNICODE_OBFU_ZW /[a-z0-9\s](?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+[a-z0-9\s]/i | |
10110 | tflags __UNICODE_OBFU_ZW multiple maxhits=10 | |
10111 | endif | |
10112 | ||
| # _10, _2, _3 and _5 are thresholds on the __UNICODE_OBFU_ZW hit count: | |
| # more than 9, 1, 2 and 4 hits respectively. | |
10113 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
10114 | meta __UNICODE_OBFU_ZW_10 __UNICODE_OBFU_ZW > 9 | |
10115 | endif | |
10116 | ||
10117 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
10118 | meta __UNICODE_OBFU_ZW_2 __UNICODE_OBFU_ZW > 1 | |
10119 | endif | |
10120 | ||
10121 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
10122 | meta __UNICODE_OBFU_ZW_3 __UNICODE_OBFU_ZW > 2 | |
10123 | endif | |
10124 | ||
10125 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
10126 | meta __UNICODE_OBFU_ZW_5 __UNICODE_OBFU_ZW > 4 | |
10127 | endif | |
10128 | ||
10129 | body __UNSUB_EMAIL /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b[-a-z_0-9.+=]{0,60}\@[a-z0-9][-a-z_0-9.]{4,20}(?:[^a-z_0-9.-]|$)/i | |
10130 | tflags __UNSUB_EMAIL nice | |
10131 | ||
10132 | uri __UNSUB_LINK /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b/i | |
10133 | tflags __UNSUB_LINK nice | |
10134 | ||
| # __UPGR_MAILBOX: "upgrade/update your mailbox" and "click here to increase | |
| # your mail quota" style lures, in English with a few Spanish, Portuguese | |
| # and Polish phrases. | |
| # NOTE(review): in "request (?:for )additional storage" the group (?:for ) | |
| # is mandatory, so "request additional storage" does not match. If the word | |
| # was meant to be optional the group needs a trailing ? - confirm intent. | |
10135 | body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:(?:[hw]as|and)\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage|you (?:have )?(?:failed|refused) to up(?:date|grade))\b/i | |
10136 | ||
10137 | uri __UPPERCASE_URI /^[^:A-Z]+[A-Z]/ | |
10138 | ||
10139 | uri __URI_12LTRDOM m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i | |
10140 | ||
10141 | uri __URI_ADOBESPARK m,https?://branchlink\.adobespark\.com/,i | |
10142 | ||
10143 | uri __URI_AZURE_CLOUDAPP m,://(?:[^./]+\.)+cloudapp\.azure\.com/, | |
10144 | ||
| # __URI_DASHGOVEDU: host name ending in -gov.com or -edu.com, i.e. a .com | |
| # host whose name imitates a .gov or .edu one. | |
10145 | uri __URI_DASHGOVEDU m,://[^/]*-(?:gov|edu)\.com/,i | |
10146 | ||
| # __URI_DATA: a data: URI whose media type does not begin with image/ | |
| # (the negative lookahead exempts inline images). | |
10147 | uri __URI_DATA /^data:(?!image\/)[a-z]/i | |
10148 | ||
| # __URI_DBL_DOM: one URL that contains a second http(s) URL. Group 1 is the | |
| # outer host after its first label; the inner host, after its own first | |
| # label, must repeat it. Hosts under amazon.com are exempted. | |
10149 | uri __URI_DBL_DOM m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i | |
10150 | ||
10151 | body __URI_DEOBFU_INSTR /(?:delete|remove|take\sout)(?:\sthe)?\sspaces/i | |
10152 | ||
10153 | uri __URI_DOTEDU m;^https?://(?:[^./]+\.)+edu/;i | |
10154 | ||
10155 | meta __URI_DOTEDU_ENTITY __URI_DOTEDU && __AC_HTML_ENTITY_BONANZA_SHRT_RAW | |
10156 | ||
10157 | uri __URI_DOTGOV m;^https?://(?:[^./]+\.)+gov/;i | |
10158 | ||
10159 | uri __URI_DOTTY_HEX /(?:\.[0-9a-f]{2}){30}/ | |
10160 | ||
10161 | uri __URI_DQ_UNSUB m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i | |
10162 | ||
10163 | uri __URI_FIREBASEAPP m,://[^./]+\.firebaseapp\.com/, | |
10164 | ||
10165 | uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:[^&]+&)*(?:id|formkey|usp)=|document/),i | |
10166 | ||
10167 | uri __URI_GOOGLE_DRV m,^https?://(?:drive\.google|googledrive)\.com/,i | |
10168 | ||
10169 | uri __URI_GOOGLE_PROXY m;^https?://[^.]+\.googleusercontent\.com/proxy/;i | |
10170 | ||
10171 | uri __URI_GOOG_STO_EMAIL m;^https?://(?:firebase)?storage\.googleapis\.com/.*[a-z0-9]@(?:[a-z0-9]{2,20}\.){1,3}[a-z]{2,3}$;i | |
10172 | ||
10173 | uri __URI_GOOG_STO_HTML m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.html?(?:$|\?),i | |
10174 | tflags __URI_GOOG_STO_HTML multiple maxhits=5 | |
10175 | ||
10176 | uri __URI_GOOG_STO_IMG m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.(?:png|jpe?g|gif)$,i | |
10177 | tflags __URI_GOOG_STO_IMG multiple maxhits=5 | |
10178 | ||
| # __URI_HEX_IP: host written as 0x followed by eight or more hex digits and | |
| # then : or /, i.e. an address given as a single hexadecimal number instead | |
| # of a host name or dotted quad. | |
10179 | uri __URI_HEX_IP m;://0x[0-9A-F]{8,}[:/];i | |
10180 | ||
10181 | uri __URI_IMG_ALICDN m,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g|gif|png),i | |
10182 | ||
10183 | uri __URI_IMG_AMAZON m,://[^/?]+\.(?:ssl-)?(?:images|media)-amazon\.com/.*\.(?:png|gif|jpe?g)$,i | |
10184 | ||
10185 | uri __URI_IMG_CHANNYPIC m,://www\.channypicture\.com/pic/,i | |
10186 | ||
10187 | uri __URI_IMG_EBAY m,://[^/?]+\.ebayimg\.com/,i | |
10188 | ||
10189 | uri __URI_IMG_GBTCDN m;://des\.gbtcdn\.com/storage/store/[0-9a-f/]{30,}\.(?:png|gif|jpe?g)$;i | |
10190 | ||
10191 | uri __URI_IMG_JOOMCDN m,://img\.joomcdn\.net/,i | |
10192 | ||
10193 | uri __URI_IMG_LINKEDIN m;://media-exp\d\.licdn\.com/dms/image/;i | |
10194 | ||
10195 | uri __URI_IMG_NEWEGG m,://[^/?]+\.neweggimages\.com/,i | |
10196 | ||
10197 | uri __URI_IMG_SHOPIFY m,://cdn\.shopify\.com/.+\.(?:jpe?g|gif|png),i | |
10198 | ||
10199 | uri __URI_IMG_STATICBG m,://imgaz\.staticbg\.com/images/,i | |
10200 | ||
10201 | uri __URI_IMG_TAGSTAT m;://i\d+\.tagstat\.com/.+\.(?:jpe?g|gif|png);i | |
10202 | ||
10203 | uri __URI_IMG_TOPHATTER m;://images\.tophatter\.com/[0-9a-f]{30,}/;i | |
10204 | ||
10205 | uri __URI_IMG_TUMBLR m;://\d+\.media\.tumblr\.com/.+\.(?:jpe?g|gif|png);i | |
10206 | ||
10207 | uri __URI_IMG_WALMART m,://[^/?]+\.walmartimages\.com/,i | |
10208 | ||
10209 | uri __URI_IMG_WISH m,://contestimg\.wish\.com/,i | |
10210 | ||
10211 | uri __URI_IMG_WP_REDIR m;://i[02]\.wp\.com/.*\.(?:jpe?g|gif|png)$;i | |
10212 | ||
10213 | uri __URI_IMG_YTIMG m,://[^/?]+\.ytimg\.com/,i | |
10214 | ||
10215 | uri __URI_LONG_REPEAT m;(?:://|@)(?:\w+\.)*(\w{10,}\.)\1;i | |
10216 | ||
10217 | uri __URI_MAILTO /^mailto:/i | |
10218 | tflags __URI_MAILTO multiple maxhits=16 | |
10219 | ||
10220 | uri __URI_MONERO /buy-monero/i | |
10221 | ||
10222 | meta __URI_ONLY_MSGID_MALF __BODY_URI_ONLY && __MSGID_NOFQDN2 | |
10223 | ||
10224 | meta __URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) | |
10225 | ||
10226 | uri __URI_PHP_REDIR m;/redirect\.php\?;i | |
10227 | ||
10228 | uri __URI_PRODUCT_AMAZON m,://www\.amazon\.(?:com|co\.uk|[a-z][a-z])/dp/[a-z0-9]{10}/,i | |
10229 | ||
10230 | uri __URI_TRY_3LD m,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob)\w)[^.]*\.[^/]+\.(?:com|net)\b,i | |
10231 | ||
10232 | uri __URI_TRY_USME m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i | |
10233 | ||
10234 | uri __URI_WEBAPP m,://[^./]+\.web\.app/, | |
10235 | ||
10236 | uri __URI_WPADMIN m,/wp-admin/\w+/,i | |
10237 | ||
10238 | uri __URI_WPCONTENT m,/wp-content/.*\.(?:php|html?)\b,i | |
10239 | ||
10240 | uri __URI_WPDIRINDEX m,/wp-(?:content|includes)/.*/$,i | |
10241 | ||
10242 | uri __URI_WPINCLUDES m,/wp-includes/.*\.(?:php|html?)\b,i | |
10243 | ||
| # __URL_BTC_ID: a URL component (after / or .) shaped like a Bitcoin | |
| # address: 1 or 3 plus 25-34 Base58 characters (the class leaves out 0, O, | |
| # I and l), or bc1 plus 30-90 characters of the bech32 set. There is no /i | |
| # flag, so the match is case-sensitive. | |
10244 | uri __URL_BTC_ID m;[/.](?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})(?:/|$); | |
10245 | ||
| # __URL_LTC_ID: same idea for Litecoin-style addresses: L, M or 3 plus | |
| # 26-33 Base58 characters. The 3 prefix overlaps with __URL_BTC_ID. | |
10246 | uri __URL_LTC_ID m;[/.][LM3][a-km-zA-HJ-NP-Z1-9]{26,33}(?:/|$); | |
10247 | ||
| # __URL_SHORTENER: URL whose host is exactly one of the listed redirecting | |
| # services (anchored with ^, so subdomains do not match) and whose first | |
| # path segment has at least three characters. The link target is only known | |
| # after the redirect, so other uri rules see the listed host, not the | |
| # destination. The list is static; no /i flag, so matching is case-sensitive. | |
10248 | uri __URL_SHORTENER /^https?:\/\/(?:bit\.ly|bit\.do|buff\.ly|tinyurl\.com|ow\.ly|owl\.li|is\.gd|tumblr\.com|mysp\.ac|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|goo\.io|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com|t\.cn|t\.co|x\.co|hop\.kz|urla\.ru|fw\.to|back\.ly|ecs\.page\.link|cc\.uz|smarturl\.it|s\.apache\.org)\/[^\/]{3}\/?/ | |
10249 | ||
10250 | header __USING_VERP1 Return-Path =~ /[+-].*=/ | |
10251 | ||
10252 | header __VACATION Subject =~ /\b(?:vacatio|away|out.of.offic|auto.?re|confirm)/i | |
10253 | tflags __VACATION nice | |
10254 | ||
10255 | body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails)|verify [a-z][a-z0-9_]{3,40}@[a-z][a-z0-9]{2,30}\.[a-z]{2,6}|your mailbox [^@\s]{3,30}@\S{3,30} (?:(?:needs to|must) be verified|(?:needs|requires) verification))\b/i | |
10256 | tflags __VALIDATE_MAILBOX multiple maxhits=2 | |
10257 | ||
10258 | body __VALIDATE_MBOX_SE /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i | |
10259 | ||
10260 | body __VERIFY_ACCOUNT /(?:confirm|updated?|verif(?:y|ied)) (?:your|the) (?:(?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)|"?[^\@\s]+\@\S+"? (?:account|mail ?box)|confirm verification|verify k?now|Ihre Angaben .berpr.ft und best.tigt)/i | |
10261 | tflags __VERIFY_ACCOUNT multiple maxhits=2 | |
10262 | ||
10263 | meta __VFY_ACCT_NORDNS __VERIFY_ACCOUNT && __RDNS_NONE | |
10264 | ||
| # __VPSNUMBERONLY_TLD: From address whose domain is "vps" plus four or more | |
| # digits and one further label (constructed example: user@vps12345.tld). | |
| # Presumably this targets hosts still carrying a provider's default name; | |
| # confirm. Only defined on SpamAssassin 3.4.2 or later with the WLBLEval | |
| # plugin loaded. | |
10265 | if (version >= 3.004002) | |
10266 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
10267 | header __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i | |
10268 | endif | |
10269 | endif | |
10270 | ||
10271 | meta __WALMART_IMG_NOT_RCVD_WAL __URI_IMG_WALMART && !__HDR_RCVD_WALMART | |
10272 | ||
10273 | body __WEBMAIL_ACCT /\byour web ?mail account/i | |
10274 | ||
10275 | body __WE_PAID /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i | |
10276 | ||
10277 | meta __WFH_01 ( __PERFECT_BINARY + __WE_PAID + __MAKE_XTRA_DOLLAR + __BONUS_LAST_DAY + __PASSIVE_INCOME + __WITHOUT_EFFORT + __TRANSFORM_LIFE + __STAY_HOME + __RECEIVE_BONUS ) > 2 | |
10278 | ||
10279 | body __WIDOW /\b(?:widow(?:e[rd])'?s?|veuve)\b/i | |
10280 | ||
10281 | body __WILL_LEGAL /\b(?:codicil|last\stestament|probate|executor|intestate|bequest|mandamus)\b/i | |
10282 | ||
10283 | body __WIRE_XFR /\b(?:wire|telegraph(?:ic)?|bank)\s?transfer/i | |
10284 | ||
10285 | body __WITHOUT_EFFORT /\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great| special| extra)? effort\b/i | |
10286 | ||
| # __WORD_INVIS: a word that is present in the HTML but hidden from the | |
| # reader. Matches an opening tag (other than <style) whose attributes set | |
| # font / font-size to 0 or 1 in small units (or 0 in larger units), or set | |
| # color to transparent, followed directly by a word of 1-20 characters. | |
| # It is a rawbody rule because the markup itself is what is matched. | |
10287 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
10288 | rawbody __WORD_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|in|pc|em|ex|ch|rem|lh|vmax))\s*[;'a-z]|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w{1,20}</i | |
| # Hits are counted per message, up to a cap of six. | |
10289 | tflags __WORD_INVIS multiple maxhits=6 | |
10290 | endif | |
10291 | ||
| # _2: more than one hit. | |
10292 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
10293 | meta __WORD_INVIS_2 __WORD_INVIS > 1 | |
10294 | endif | |
10295 | ||
| # _5: more than five hits, which with maxhits=6 means the cap was reached. | |
10296 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
10297 | meta __WORD_INVIS_5 __WORD_INVIS > 5 | |
10298 | endif | |
10299 | ||
| # _MINFP: at least one hit, excluding messages that also hit __SURVEY, | |
| # MIME_QP_LONG_LINE, __FB_TOUR or __MSGID_GUID - presumably known | |
| # false-positive sources, as the name suggests. | |
10300 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
10301 | meta __WORD_INVIS_MINFP __WORD_INVIS && !__SURVEY && !MIME_QP_LONG_LINE && !__FB_TOUR && !__MSGID_GUID | |
10302 | endif | |
10303 | ||
10304 | header __XEROXWORKCTR_MUA X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/ | |
10305 | ||
10306 | meta __XFER_LOTSA_MONEY __XFER_MONEY && LOTS_OF_MONEY | |
10307 | ||
10308 | meta __XFER_MONEY (__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT || __MOVE_MONEY || __TO_YOUR_ACCT || __PAY_YOU || __GIVE_MONEY) | |
10309 | ||
10310 | header __XM_APPLEMAIL X-Mailer =~ /^Apple Mail/ | |
10311 | ||
10312 | header __XM_ASPQMAIL X-Mailer =~ /^AspQMail/ | |
10313 | ||
10314 | header __XM_BALSA X-Mailer =~ /^Balsa \d/ | |
10315 | ||
10316 | header __XM_CALYPSO X-Mailer =~ /^Calypso/ | |
10317 | ||
10318 | header __XM_COMMUNIG X-Mailer =~ /^CommuniGate/ | |
10319 | ||
10320 | header __XM_DIGITS_ONLY X-Mailer =~ /^\s*\d+\s*$/ | |
10321 | ||
10322 | header __XM_EC_MESSENGER X-Mailer =~ /\beC-Messenger\b/ | |
10323 | ||
10324 | header __XM_EDMAX X-Mailer =~ /^EdMax/ | |
10325 | ||
10326 | header __XM_ELM X-Mailer =~ /^ELM/ | |
10327 | ||
10328 | header __XM_EMUMAIL X-Mailer =~ /^EMUmail/ | |
10329 | ||
10330 | header __XM_EXMH X-Mailer =~ /^exmh/ | |
10331 | ||
10332 | header __XM_FORTE X-Mailer =~ /^Forte Agent \d/ | |
10333 | ||
10334 | header __XM_GNUS X-Mailer =~ /^Gnus v/ | |
10335 | ||
10336 | header __XM_IMAIL X-Mailer =~ /^<IMail v\d/ | |
10337 | ||
10338 | header __XM_LOTUSN X-Mailer =~ /^Lotus Notes/ | |
10339 | ||
10340 | header __XM_MAILCITY X-Mailer =~ /^MailCity Service/ | |
10341 | ||
10342 | header __XM_MAILSMITH X-Mailer =~ /^Mailsmith / | |
10343 | ||
10344 | header __XM_MHE X-Mailer =~ /^mh-e \d/ | |
10345 | ||
10346 | header __XM_MIMETOOLS X-Mailer =~ /^MIME-tools \d/i | |
10347 | ||
10348 | header __XM_MOZ4 X-Mailer =~ /^Mozilla 4/ | |
10349 | ||
10350 | header __XM_MSCDO X-Mailer =~ /^Microsoft CDO/ | |
10351 | ||
10352 | header __XM_MSOE5 X-Mailer =~ /^Microsoft Outlook Express 5/ | |
10353 | ||
10354 | header __XM_MSOE6 X-Mailer =~ /^Microsoft Outlook Express 6/ | |
10355 | ||
10356 | header __XM_MSOUT X-Mailer =~ /^Microsoft Outlook[, ]?\s?[BIC]/ #Build, IMO, CWS | |
10357 | ||
10358 | header __XM_MS_IN_GENERAL X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/ | |
10359 | ||
| # __XM_OL_*: X-Mailer values pinned to one exact Outlook or Outlook Express | |
| # build string, anchored with ^ and $. | |
| # NOTE(review): the dots in the version numbers are not escaped, so each | |
| # one matches any character. The intended strings still match, but the | |
| # rules are looser than an exact comparison; \. would make the dots literal. | |
10360 | header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/ | |
10361 | ||
10362 | header __XM_OL_28001441 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/ | |
10363 | ||
10364 | header __XM_OL_28004682 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/ | |
10365 | ||
10366 | header __XM_OL_48072300 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/ | |
10367 | ||
10368 | header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/ | |
10369 | ||
10370 | header __XM_OPERA6 X-Mailer =~ /^Opera 6/ | |
10371 | ||
10372 | header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/ | |
10373 | ||
10374 | header __XM_PEGASUS X-Mailer =~ /^Pegasus Mail/ | |
10375 | ||
10376 | header __XM_PHPMAILER_FORGED X-Mailer =~ /PHPMailer\s.*version\D+$/ | |
10377 | ||
10378 | header __XM_QUALCOM X-Mailer =~ /^QUALCOMM Windows Eudora/ | |
10379 | ||
10380 | header __XM_RANDOM X-Mailer =~ /q(?!q?mail|boxmail|\d|[-\w]*=+;)[^u]/i | |
10381 | ||
10382 | header __XM_SKYRI X-Mailer =~ /^SKYRiXgreen/ | |
10383 | ||
10384 | header __XM_SQRLMAIL X-Mailer =~ /^SquirrelMail/ | |
10385 | ||
10386 | header __XM_SYLPHEED X-Mailer =~ /^Sylpheed/ | |
10387 | ||
10388 | header __XM_UC_ONLY X-Mailer =~ /^[^a-z]+$/ | |
10389 | ||
10390 | header __XM_VERY_LONG X-Mailer =~ /.{50}/ | |
10391 | ||
10392 | header __XM_VM X-Mailer =~ /^VM \d/ | |
10393 | ||
10394 | header __XM_WWWMAIL X-Mailer =~ /^WWW-Mail \d/ | |
10395 | ||
10396 | header __XM_XIMEVOL X-Mailer =~ /^Ximian Evolution/ | |
10397 | ||
10398 | meta __XPRIO_MINFP __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT && !__L_BODY_8BITS | |
10399 | ||
10400 | meta __XPRIO_SHORT_SUBJ __XPRIO_MINFP && __SUBJ_SHORT | |
10401 | ||
10402 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
10403 | mimeheader __X_MSO_MT Content-Type =~ m,\bapplication/x-mso\b,i | |
10404 | endif | |
10405 | ||
10406 | body __YOUR_BANK /\byour?\s(?:full\s)?bank(?:ing)?\sinformations?\b/i | |
10407 | ||
10408 | body __YOUR_CONSIGNMENT /\b(?:received?|pa(?:y|id)|sen[dt]|h[oe]ld|delay(?:ed)?|impound(?:ed)?|released?|ship(?:ped)?)\syour(?:\s\w+)?\sconsignment\b/i | |
10409 | ||
10410 | body __YOUR_FUND /\b(?:your|ihr)\s(?:unpaid\s|win+ing\s|ap+roved\s|foreign\s|overdue\s|outstanding\s|contract\s|inheritance\s|nicht\sausbezahlten\s){0,3}(?:fund|f\su\sn\sd|payment|geld)\b/i | |
10411 | ||
# __YOUR_ONAN is defined twice under mutually exclusive guards: the plain
# regex is used when the ReplaceTags plugin is not loaded, the tag form
# when it is.
10412 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
10413 | body __YOUR_ONAN /\b(?:your?|ihrer)\s(?:ma+s+t+[ur]+b+a+t+(?:ion|ing|e)(?:svideo)?|onanism|solitary\ssex|hand\sfucking|Selbstbefriedigung|(?:pleasur(?:e|ing)|satisfy(?:ing)?)\syourself)\b/i | |
10414 | endif | |
10415 | ||
# Tag form. <Y>, <O>, ... are ReplaceTags placeholders; they are expanded only
# if each tag is defined with replace_tag and this rule is named in a
# replace_rules line. Neither is visible in this part of the listing -
# presumably they sit elsewhere in the file; verify, because without them the
# pattern is matched literally and cannot hit.
# Unlike the plain form (\b ... \b) this one starts at (?:^|\s) and has no
# trailing boundary, so it also matches when further letters follow.
10416 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
10417 | body __YOUR_ONAN /(?:^|\s)(?:<Y><O><U><R>?|<I><H><R><E><R>)\s(?:<M>+<A>+<S>+<T>+(?:<U>|<R>)+<B>+<A>+<T>+(?:<I><O><N>|<I><N><G>|<E>)(?:<S><V><I><D><E><O>)?|<O><N><A><N><I><S><M>|<S><O><L><I><T><A><R><Y>\s<S><E><X>|<H><A><N><D>\s<F><U><C><K><I><N><G>|<S><E><L><B><S><T><B><E><F><R><I><E><D><I><G><U><N><G>|(?:<P><L><E><A><S><U><R>(?:<E>|<I><N><G>)|<S><A><T><I><S><F><Y>(?:<I><N><G>)?)\s<Y><O><U><R><S><E><L><F>)/i | |
10418 | endif | |
10419 | ||
# __YOUR_PASSWORD, plain form (ReplaceTags not loaded): "your", or one of
# change/modify/update/reset/alter/fix followed by "the"; then optional
# "account" or "email"/"e-mail"; then "password" (optionally split by one
# hyphen, whitespace or underscore) or "pswd". Word boundaries on both ends.
10420 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
10421 | body __YOUR_PASSWORD /\b(?:your|(?:change|modify|update|reset|alter|fix)\sthe)\s(?:account\s|e-?mail\s)?(?:pass[-\s_]?word|pswd)\b/i | |
10422 | endif | |
10423 | ||
# Tag form (ReplaceTags loaded). The <X> placeholders need replace_tag
# definitions and a replace_rules entry for this rule; neither is visible in
# this part of the listing - verify they exist.
# NOTE(review): the two endings differ from the plain form. The "password"
# branch has no trailing boundary, while the <P><S><W><D> branch requires a
# whitespace character after it, so "pswd" followed by punctuation or at the
# end of the text hits the plain form but not this one. __YOUR_PERSONAL in
# this file closes both of its branches with a shared [\s\.,]; confirm
# whether the asymmetry here is intended.
10424 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
10425 | body __YOUR_PASSWORD /(?:^|\s)(?:<Y><O><U><R>|(?:<C><H><A><N><G><E>|<M><O><D><I><F><Y>|<U><P><D><A><T><E>|<R><E><S><E><T>|<A><L><T><E><R>|<F><I><X>)\s<T><H><E>)\s(?:<A><C><C><O><U><N><T>\s|<E>-?<M><A><I><L>\s)?(?:<P><A><S><S>[-\s_]?<W><O><R><D>|<P><S><W><D>\s)/i | |
10426 | endif | |
10427 | ||
# __YOUR_PERM: the literal phrase "your permission" as whole words.
10428 | body __YOUR_PERM /\byour\spermission\b/i | |
10429 | ||
# __YOUR_PERSONAL, plain form (ReplaceTags not loaded): either
#   "your" + personal/private/social contact/address/friends
#          + info/information/data/details/book/secrets, or
#   "all [of] your" + files/contacts/secrets/correspondence.
10430 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
10431 | body __YOUR_PERSONAL /\b(?:your\s(?:personal|private|social\scontact|address|friends)\s(?:info(?:rmation)?|data|details|book|secrets)|all\s(?:of\s)?your\s(?:files|contacts|secrets|correspondence))\b/i | |
10432 | endif | |
10433 | ||
# Tag form (ReplaceTags loaded); the <X> placeholders depend on replace_tag
# and replace_rules entries that are not visible in this part of the listing.
# The phrase must be followed by whitespace, a dot or a comma ([\s\.,]), so -
# unlike the \b-terminated plain form - it does not hit when the phrase is the
# very last text or is followed by other punctuation.
10434 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
10435 | body __YOUR_PERSONAL /(?:^|\s)(?:<Y><O><U><R>\s(?:<P><E><R><S><O><N><A><L>|<P><R><I><V><A><T><E>|<S><O><C><I><A><L>\s<C><O><N><T><A><C><T>|<A><D><D><R><E><S><S>|<F><R><I><E><N><D><S>)\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>|<D><E><T><A><I><L><S>|<B><O><O><K>|<S><E><C><R><E><T><S>)|<A><L><L>\s(?:<O><F>\s)?<Y><O><U><R>\s(?:<F><I><L><E><S>|<C><O><N><T><A><C><T><S>|<S><E><C><R><E><T><S>|<C><O><R><R><E><S><P><O><N><D><E><N><C><E>))[\s\.,]/i | |
10436 | endif | |
10437 | ||
# __YOUR_PROFIT: "you profit" / "your profit". There is no trailing \b, so
# longer words that start with "profit" match too.
10438 | body __YOUR_PROFIT /\byour?\sprofit/i | |
10439 | ||
# __YOUR_WEBCAM, plain form (ReplaceTags not loaded): one of
# from/your/with/and/on, optionally "screen and" / "desktop and" /
# "microphone and" / "own", then web-, front-, network or your, then
# "camera" (camer+a tolerates a repeated r). No trailing boundary.
10440 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
10441 | body __YOUR_WEBCAM /\b(?:from|your|with|and|on)\s(?:(?:screen|desktop|microphone)\sand\s|own\s)?(?:web[-\s]?|front[-\s]?|network\s|your\s)camer+a/i | |
10442 | endif | |
10443 | ||
# Tag form (ReplaceTags loaded): same phrase structure, anchored at
# (?:^|\s) instead of \b. The <X> placeholders depend on replace_tag and
# replace_rules entries that are not visible in this part of the listing -
# verify they exist, otherwise the pattern is matched literally.
10444 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
10445 | body __YOUR_WEBCAM /(?:^|\s)(?:<F><R><O><M>|<Y><O><U><R>|<W><I><T><H>|<A><N><D>|<O><N>)\s(?:(?:<S><C><R><E><E><N>|<D><E><S><K><T><O><P>|<M><I><C><R><O><P><H><O><N><E>)\s<A><N><D>\s|<O><W><N>\s)?(?:<W><E><B>[-\s]?|<F><R><O><N><T>[-\s]?|<N><E><T><W><O><R><K>\s|<Y><O><U><R>\s)<C><A><M><E><R>+<A>/i | |
10446 | endif | |
10447 | ||
# __YOU_ASSIST: "your assistance" / "your assistant" (as+ accepts one or more
# s), or French "votre assistance" / "votre aide".
10448 | body __YOU_ASSIST /\b(?:your\sas+istan(?:ce|t)|votre\s(?:as+istance|aide))\b/i | |
10449 | ||
# __YOU_INHERIT: "your", then at most 30 letters/whitespace characters, then
# "inheritance" (inherit+ accepts a repeated t). The {0,30} bound keeps the
# gap, and with it the backtracking, limited.
10450 | body __YOU_INHERIT /\byour\s[a-z\s]{0,30}inherit+ance\b/i | |
10451 | ||
# __YOU_WON: true when any of __YOU_WON_01..04 or __HAS_WON_01 hits, or when
# __YOU_WON_05 ("I won") hits together with __MOVE_MONEY or __GIVE_MONEY.
# __HAS_WON_01, __MOVE_MONEY and __GIVE_MONEY are defined outside this part
# of the listing.
10452 | meta __YOU_WON __YOU_WON_01 || __YOU_WON_02 || __YOU_WON_03 || __YOU_WON_04 || __HAS_WON_01 || (__YOU_WON_05 && (__MOVE_MONEY || __GIVE_MONEY)) | |
10453 | ||
# __YOU_WON_01: "you" (optionally your / you're / you've / you'll / you have /
# you did), optional "email", up to two arbitrary words, optional "a", then
# win/won/winner/winning. The two negative lookaheads reject "won't" written
# with U+2019 as UTF-8 bytes (\xe2\x80\x99), with a backtick or ASCII
# apostrophe, or with byte 0x92.
# NOTE(review): the \x.. escapes are byte patterns - confirm they still apply
# under the charset-normalisation settings in use.
10454 | body __YOU_WON_01 /\byou(?:r|'re|'ve|'ll|\shave|\sdid)?\s(?:e-?mail\s)?(?:\w+\s){0,2}(?:a\s)?w[io]n+(?:er|ing)?(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i | |
10455 | ||
# __YOU_WON_02: "win"/"won", optional "for"/"by", then "you"/"your".
10456 | body __YOU_WON_02 /\bw[io]n\s(?:(?:for|by)\s)?your?\b/i | |
10457 | ||
# __YOU_WON_03: a subject (you, winning, winners, beneficiaries, participants,
# individuals, addresses, accounts, emails), an optional filler of 4-40
# characters, "was"/"were"/"have be"/"has been", then a selection phrase
# (randomly selected, selected ... at random / online / lottery / computer
# ballot, or selected as the winner). All gaps are bounded quantifiers.
10458 | body __YOU_WON_03 /\b(?:your?|win+ing|win+ers?|beneficiaries|participants?|individuals?|address(?:es)?|accounts?|emails?)(?:\s[-a-z\s]{4,40})?\s(?:w(?:ere|as)|ha(?:ve|s) be(?:en)?)\s(?:automatically\s)?(?:(?:randomly|raffly)\s(?:selected|cho+sen|cho+sing|picked)|(?:selected|cho+sen|cho+sing|picked)\s(?:[a-z\s]{2,40}?\srandom(?:ly)?|online|lottery|computer\s(?:ballot|wahlgang))|(?:selected|cho+sen|cho+sing|picked)(?:\sas?|\sthe){0,3}\swin+er)/i | |
10459 | ||
# __YOU_WON_04: French "que vous etes gagnant" / "qui en consequence gagne".
# The accented letters are listed in several encodings (UTF-8 bytes, a single
# 8-bit byte, undecoded quoted-printable text, plain ASCII).
# NOTE(review): the two lists are not symmetric - the first has =C3=AA but no
# =EA, the second has =E9 but no =C3=A9. Confirm whether that is deliberate.
10460 | body __YOU_WON_04 /\bqu[ei]\s?(?:vous (?:[\xc3][\xaa]|=C3=AA|[\xea]|e)tes\s?gagnant|en\scons(?:e|=E9|[\xe9]|[\xc3][\xa9])quence\sgagne)\b/i | |
10461 | ||
# __YOU_WON_05: the words "I won", with the same "won't" exclusions as
# __YOU_WON_01. Despite /i the capital I is only cosmetic: "i won" matches too.
10462 | body __YOU_WON_05 /\bI won(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i | |
10463 | ||
# __ZIP_ATTACH_MT and __ZIP_ATTACH_NOFN each come as a pair: a constant-false
# "meta ... 0" when the MIMEHeader plugin is not loaded, so the name is still
# defined for rules that reference it, and the real mimeheader test when the
# plugin is loaded.
10464 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
10465 | meta __ZIP_ATTACH_MT 0 | |
10466 | endif | |
10467 | ||
# __ZIP_ATTACH_MT: a MIME part whose Content-Type names application/zip,
# application/x-compress, application/x-compressed,
# application/x-zip-compress or application/x-zip-compressed.
# NOTE(review): this looks only at the type the sender declared, so it is a
# hint rather than attachment-type detection; filename or content based
# checks have to come from other rules.
10468 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
10469 | mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i | |
10470 | endif | |
10471 | ||
10472 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
10473 | meta __ZIP_ATTACH_NOFN 0 | |
10474 | endif | |
10475 | ||
# __ZIP_ATTACH_NOFN: same media types, but only semicolons and whitespace may
# follow up to the end of the header value ([;\s]*$), i.e. the Content-Type
# carries no parameters. "NOFN" presumably means "no filename" - a name=
# parameter would prevent the match.
10476 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
10477 | mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i | |
10478 | endif | |
10479 | ||
# __freemail_mailreplyto: asks the FreeMail plugin's check_freemail_header
# eval to test the Mail-Reply-To header. Defined only when the FreeMail
# plugin is loaded; no fallback definition is visible next to it.
10480 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
10481 | header __freemail_mailreplyto eval:check_freemail_header('Mail-Reply-To') | |
10482 | endif | |
10483 | ||
# __hk_bigmoney: a currency marker (EUR/EURO, US/USD, GBP, CFA, the literal
# entity &#163;, byte 0xa3 or 0xa4, "$", or "sum of"), up to four arbitrary
# characters, then either two three-digit groups with an optional separator
# or 1-4 digits/dots/commas followed by "M" or "Mil" / "de Mil".
# The pattern has no leading \b, so the marker may also be the tail of a
# longer word.
10484 | body __hk_bigmoney /(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i | |
10485 | ||
# __hk_win_*: individual prize/lottery phrases. They are sub-rules; the meta
# that combines them is outside this part of the listing. Most start at \b
# and have no trailing boundary, so they match as word prefixes.
10486 | body __hk_win_0 /\byour? e-?mail just w[oi]n/i | |
10487 | ||
10488 | body __hk_win_2 /\battn.{0,10}winner/i | |
10489 | ||
10490 | body __hk_win_3 /\bhappily aa?nnounce/i | |
10491 | ||
10492 | body __hk_win_4 /\bpleas(?:ure|ed) to inform/i | |
10493 | ||
10494 | body __hk_win_5 /\b(?:notice the|your) winning/i | |
10495 | ||
10496 | body __hk_win_7 /\bcongratulations? to your/i | |
10497 | ||
10498 | body __hk_win_8 /\bunexpected luck/i | |
10499 | ||
# NOTE(review): "(?:nl )" is not optional, so this matches only
# "lucky nl number" and never plain "lucky number". If the plain phrase was
# meant to hit as well the group would need a "?" - confirm against upstream
# before changing it.
10500 | body __hk_win_9 /\blucky (?:nl )number/i | |
10501 | ||
10502 | body __hk_win_a /\bwinning (?:e-?mail|numbers|information)/i | |
10503 | ||
10504 | body __hk_win_b /\byour e-?mail (?:address )?(?:has )?w[io]n/i | |
10505 | ||
10506 | body __hk_win_c /\bune adresse e-?mail sur internet/i | |
10507 | ||
10508 | body __hk_win_d /\bcategory (?:\S{0,5} )?winner of our/i | |
10509 | ||
10510 | body __hk_win_i /\bfunds? transfer/i | |
10511 | ||
10512 | body __hk_win_j /\b(?:winning|ready for|sum) pay ?out/i | |
10513 | ||
10514 | body __hk_win_l /\b(?:make|file) (?:for )?your claim/i | |
10515 | ||
# NOTE(review): the "." stands in for the accented letter of "reclamation"
# and matches exactly one character. If the body is matched as UTF-8 bytes
# the accented letter is two bytes and this would not hit; __YOU_WON_04 in
# this file spells the encodings out explicitly. Confirm which form the
# body text has at match time.
10516 | body __hk_win_m /\br.clamation de votre prix/i | |
10517 | ||
10518 | body __hk_win_n /\bcollect your prize/i | |
10519 | ||
10520 | body __hk_win_o /\bclarification and procedure/i | |
10521 | ||
# __smf_freemail_hdr_replyto: asks the FreeMail plugin's check_freemail_header
# eval to test Reply-To, using the ":addr" form of the header name (the
# address part of the header). Defined only when the FreeMail plugin is
# loaded; no fallback definition is visible next to it.
10522 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
10523 | header __smf_freemail_hdr_replyto eval:check_freemail_header('Reply-To:addr') | |
10524 | endif |