1 # SpamAssassin rules file
3 # Please don't modify this file as your changes will be overwritten with
4 # the next update. Use /etc/mail/spamassassin/local.cf instead.
5 # See 'perldoc Mail::SpamAssassin::Conf' for details.
8 # Licensed to the Apache Software Foundation (ASF) under one or more
9 # contributor license agreements. See the NOTICE file distributed with
10 # this work for additional information regarding copyright ownership.
11 # The ASF licenses this file to you under the Apache License, Version 2.0
12 # (the "License"); you may not use this file except in compliance with
13 # the License. You may obtain a copy of the License at:
15 # http://www.apache.org/licenses/LICENSE-2.0
17 # Unless required by applicable law or agreed to in writing, software
18 # distributed under the License is distributed on an "AS IS" BASIS,
19 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 # See the License for the specific language governing permissions and
21 # limitations under the License.
24 ###########################################################################
26 require_version 3.004006
30 rawbody AC_BR_BONANZA /(?:<br>\s*){30}/i
31 describe AC_BR_BONANZA Too many newlines in a row... spammy template
32 #score AC_BR_BONANZA 0.001
33 tflags AC_BR_BONANZA publish
38 rawbody AC_DIV_BONANZA /(?:<div>(?:\s*<\/div>)?\s*){10}/i
39 describe AC_DIV_BONANZA Too many divs in a row... spammy template
40 #score AC_DIV_BONANZA 0.001
41 tflags AC_DIV_BONANZA publish
46 meta AC_FROM_MANY_DOTS __AC_FROM_MANY_DOTS_MINFP
47 #score AC_FROM_MANY_DOTS 3.000 # limit
48 describe AC_FROM_MANY_DOTS Multiple periods in From user name
49 tflags AC_FROM_MANY_DOTS publish
52 ##{ AC_HTML_NONSENSE_TAGS
54 rawbody AC_HTML_NONSENSE_TAGS /(?:<[A-Za-z0-9]{4,}>\s*){10}/
55 describe AC_HTML_NONSENSE_TAGS Many consecutive multi-letter HTML tags, likely nonsense/spam
56 #score AC_HTML_NONSENSE_TAGS 2.0
57 tflags AC_HTML_NONSENSE_TAGS publish
58 ##} AC_HTML_NONSENSE_TAGS
62 meta AC_POST_EXTRAS __AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_ID
63 describe AC_POST_EXTRAS Suspicious URL
64 #score AC_POST_EXTRAS 2.500 # limit
65 tflags AC_POST_EXTRAS publish
68 ##{ AC_SPAMMY_URI_PATTERNS1
70 meta AC_SPAMMY_URI_PATTERNS1 (__AC_OUTL_URI && __AC_OUTI_URI)
71 describe AC_SPAMMY_URI_PATTERNS1 link combos match highly spammy template
72 #score AC_SPAMMY_URI_PATTERNS1 4.0
73 tflags AC_SPAMMY_URI_PATTERNS1 publish
74 ##} AC_SPAMMY_URI_PATTERNS1
76 ##{ AC_SPAMMY_URI_PATTERNS10
78 meta AC_SPAMMY_URI_PATTERNS10 __AC_PUNCTNUMS_URI
79 describe AC_SPAMMY_URI_PATTERNS10 link combos match highly spammy template
80 #score AC_SPAMMY_URI_PATTERNS10 4.0
81 tflags AC_SPAMMY_URI_PATTERNS10 publish
82 ##} AC_SPAMMY_URI_PATTERNS10
84 ##{ AC_SPAMMY_URI_PATTERNS11
86 meta AC_SPAMMY_URI_PATTERNS11 __AC_NDOMLONGNASPX_URI
87 describe AC_SPAMMY_URI_PATTERNS11 link combos match highly spammy template
88 #score AC_SPAMMY_URI_PATTERNS11 4.0
89 tflags AC_SPAMMY_URI_PATTERNS11 publish
90 ##} AC_SPAMMY_URI_PATTERNS11
92 ##{ AC_SPAMMY_URI_PATTERNS12
94 meta AC_SPAMMY_URI_PATTERNS12 (__AC_CHDSEQ_URI && __AC_MHDSEQ_URI && __AC_UHDSEQ_URI)
95 describe AC_SPAMMY_URI_PATTERNS12 link combos match highly spammy template
96 #score AC_SPAMMY_URI_PATTERNS12 4.0
97 tflags AC_SPAMMY_URI_PATTERNS12 publish
98 ##} AC_SPAMMY_URI_PATTERNS12
100 ##{ AC_SPAMMY_URI_PATTERNS2
102 meta AC_SPAMMY_URI_PATTERNS2 (__AC_LAND_URI && __AC_UNSUB_URI && __AC_REPORT_URI)
103 describe AC_SPAMMY_URI_PATTERNS2 link combos match highly spammy template
104 #score AC_SPAMMY_URI_PATTERNS2 4.0
105 tflags AC_SPAMMY_URI_PATTERNS2 publish
106 ##} AC_SPAMMY_URI_PATTERNS2
108 ##{ AC_SPAMMY_URI_PATTERNS3
110 meta AC_SPAMMY_URI_PATTERNS3 (__AC_PHPOFFTOP_URI && __AC_PHPOFFSUB_URI)
111 describe AC_SPAMMY_URI_PATTERNS3 link combos match highly spammy template
112 #score AC_SPAMMY_URI_PATTERNS3 4.0
113 tflags AC_SPAMMY_URI_PATTERNS3 publish
114 ##} AC_SPAMMY_URI_PATTERNS3
116 ##{ AC_SPAMMY_URI_PATTERNS4
118 meta AC_SPAMMY_URI_PATTERNS4 __AC_NUMS_URI
119 describe AC_SPAMMY_URI_PATTERNS4 link combos match highly spammy template
120 #score AC_SPAMMY_URI_PATTERNS4 4.0
121 tflags AC_SPAMMY_URI_PATTERNS4 publish
122 ##} AC_SPAMMY_URI_PATTERNS4
124 ##{ AC_SPAMMY_URI_PATTERNS8
126 meta AC_SPAMMY_URI_PATTERNS8 __AC_LONGSEQ_URI
127 describe AC_SPAMMY_URI_PATTERNS8 link combos match highly spammy template
128 #score AC_SPAMMY_URI_PATTERNS8 4.0
129 tflags AC_SPAMMY_URI_PATTERNS8 publish
130 ##} AC_SPAMMY_URI_PATTERNS8
132 ##{ AC_SPAMMY_URI_PATTERNS9
134 meta AC_SPAMMY_URI_PATTERNS9 (__AC_1SEQC_URI && (__AC_1SEQV_URI || __AC_RMOVE_URI))
135 describe AC_SPAMMY_URI_PATTERNS9 link combos match highly spammy template
136 #score AC_SPAMMY_URI_PATTERNS9 4.0
137 tflags AC_SPAMMY_URI_PATTERNS9 publish
138 ##} AC_SPAMMY_URI_PATTERNS9
142 meta ADMAIL __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS
143 describe ADMAIL "admail" and variants
144 tflags ADMAIL publish
149 meta ADMITS_SPAM __ADMITS_SPAM && !__FROM_LOWER && !__MSGID_JAVAMAIL && !__HAS_CAMPAIGNID && !__STY_INVIS_2 && !__LYRIS_EZLM_REMAILER && !__RCD_RDNS_OB
150 describe ADMITS_SPAM Admits this is an ad
151 tflags ADMITS_SPAM publish
154 ##{ ADULT_DATING_COMPANY
156 meta ADULT_DATING_COMPANY __ADULTDATINGCOMPANY_BODY || __ADULTDATINGCOMPANY_FROM || __ADULTDATINGCOMPANY_REPTO
157 #score ADULT_DATING_COMPANY 10.000 # limit
158 tflags ADULT_DATING_COMPANY publish
159 ##} ADULT_DATING_COMPANY
161 ##{ ADVANCE_FEE_2_NEW_FORM
163 meta ADVANCE_FEE_2_NEW_FORM (__ADVANCE_FEE_2_NEW_FORM && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__FROM_LOWER && !__HAS_X_LOOP
164 describe ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form
165 #score ADVANCE_FEE_2_NEW_FORM 2.000 # limit
166 tflags ADVANCE_FEE_2_NEW_FORM publish
167 ##} ADVANCE_FEE_2_NEW_FORM
169 ##{ ADVANCE_FEE_2_NEW_FRM_MNY
171 meta ADVANCE_FEE_2_NEW_FRM_MNY (__ADVANCE_FEE_2_NEW_FRM_MNY && !__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP
172 describe ADVANCE_FEE_2_NEW_FRM_MNY Advance Fee fraud form and lots of money
173 #score ADVANCE_FEE_2_NEW_FRM_MNY 2.500
174 tflags ADVANCE_FEE_2_NEW_FRM_MNY publish
175 ##} ADVANCE_FEE_2_NEW_FRM_MNY
177 ##{ ADVANCE_FEE_2_NEW_MONEY
179 meta ADVANCE_FEE_2_NEW_MONEY (__ADVANCE_FEE_2_NEW_MONEY && !__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
180 describe ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
181 #score ADVANCE_FEE_2_NEW_MONEY 2.000 # limit
182 tflags ADVANCE_FEE_2_NEW_MONEY publish
183 ##} ADVANCE_FEE_2_NEW_MONEY
185 ##{ ADVANCE_FEE_3_NEW
187 meta ADVANCE_FEE_3_NEW (__ADVANCE_FEE_3_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_4_NEW && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__HAS_SENDER && !__HAS_X_LOOP && !__TO_YOUR_ORG && !__BUGGED_IMG
188 describe ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419)
189 #score ADVANCE_FEE_3_NEW 3.5 # limit
190 tflags ADVANCE_FEE_3_NEW publish
191 ##} ADVANCE_FEE_3_NEW
193 ##{ ADVANCE_FEE_3_NEW_FORM
195 meta ADVANCE_FEE_3_NEW_FORM (__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__THREADED && !__HAS_SENDER && !__FROM_LOWER && !__HAS_X_LOOP
196 describe ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form
197 tflags ADVANCE_FEE_3_NEW_FORM publish
198 ##} ADVANCE_FEE_3_NEW_FORM
200 ##{ ADVANCE_FEE_3_NEW_FRM_MNY
202 meta ADVANCE_FEE_3_NEW_FRM_MNY (__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP
203 describe ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money
204 tflags ADVANCE_FEE_3_NEW_FRM_MNY publish
205 ##} ADVANCE_FEE_3_NEW_FRM_MNY
207 ##{ ADVANCE_FEE_3_NEW_MONEY
209 meta ADVANCE_FEE_3_NEW_MONEY (__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
210 describe ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
211 tflags ADVANCE_FEE_3_NEW_MONEY publish
212 ##} ADVANCE_FEE_3_NEW_MONEY
214 ##{ ADVANCE_FEE_4_NEW
216 meta ADVANCE_FEE_4_NEW (__ADVANCE_FEE_4_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__HAS_ERRORS_TO && !__HAS_X_LOOP && !__BUGGED_IMG
217 describe ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419)
218 tflags ADVANCE_FEE_4_NEW publish
219 ##} ADVANCE_FEE_4_NEW
221 ##{ ADVANCE_FEE_4_NEW_FORM
223 meta ADVANCE_FEE_4_NEW_FORM (__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM)
224 describe ADVANCE_FEE_4_NEW_FORM Advance Fee fraud and a form
225 tflags ADVANCE_FEE_4_NEW_FORM publish
226 ##} ADVANCE_FEE_4_NEW_FORM
228 ##{ ADVANCE_FEE_4_NEW_FRM_MNY
230 meta ADVANCE_FEE_4_NEW_FRM_MNY (__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY)
231 describe ADVANCE_FEE_4_NEW_FRM_MNY Advance Fee fraud form and lots of money
232 tflags ADVANCE_FEE_4_NEW_FRM_MNY publish
233 ##} ADVANCE_FEE_4_NEW_FRM_MNY
235 ##{ ADVANCE_FEE_4_NEW_MONEY
237 meta ADVANCE_FEE_4_NEW_MONEY (__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
238 describe ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money
239 tflags ADVANCE_FEE_4_NEW_MONEY publish
240 ##} ADVANCE_FEE_4_NEW_MONEY
242 ##{ ADVANCE_FEE_5_NEW
244 meta ADVANCE_FEE_5_NEW (__ADVANCE_FEE_5_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY) && !__BUGGED_IMG
245 describe ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419)
246 tflags ADVANCE_FEE_5_NEW publish
247 ##} ADVANCE_FEE_5_NEW
249 ##{ ADVANCE_FEE_5_NEW_FORM
251 meta ADVANCE_FEE_5_NEW_FORM __ADVANCE_FEE_5_NEW_FORM
252 describe ADVANCE_FEE_5_NEW_FORM Advance Fee fraud and a form
253 tflags ADVANCE_FEE_5_NEW_FORM publish
254 ##} ADVANCE_FEE_5_NEW_FORM
256 ##{ ADVANCE_FEE_5_NEW_FRM_MNY
258 meta ADVANCE_FEE_5_NEW_FRM_MNY __ADVANCE_FEE_5_NEW_FRM_MNY
259 describe ADVANCE_FEE_5_NEW_FRM_MNY Advance Fee fraud form and lots of money
260 tflags ADVANCE_FEE_5_NEW_FRM_MNY publish
261 ##} ADVANCE_FEE_5_NEW_FRM_MNY
263 ##{ ADVANCE_FEE_5_NEW_MONEY
265 meta ADVANCE_FEE_5_NEW_MONEY __ADVANCE_FEE_5_NEW_MONEY && !__BOUNCE_CTYPE && !__BUGGED_IMG
266 describe ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money
267 tflags ADVANCE_FEE_5_NEW_MONEY publish
268 ##} ADVANCE_FEE_5_NEW_MONEY
272 body AD_PREFS /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i
273 describe AD_PREFS Advertising preferences
274 #score AD_PREFS 0.500 # limit
275 tflags AD_PREFS publish
278 ##{ ALIBABA_IMG_NOT_RCVD_ALI
280 meta ALIBABA_IMG_NOT_RCVD_ALI __ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASE
281 #score ALIBABA_IMG_NOT_RCVD_ALI 2.500 # limit
282 describe ALIBABA_IMG_NOT_RCVD_ALI Alibaba hosted image but message not from Alibaba
283 tflags ALIBABA_IMG_NOT_RCVD_ALI publish
284 ##} ALIBABA_IMG_NOT_RCVD_ALI
286 ##{ AMAZON_IMG_NOT_RCVD_AMZN
288 meta AMAZON_IMG_NOT_RCVD_AMZN __AMAZON_IMG_NOT_RCVD_AMZN && !__HDR_RCVD_KEEPA && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST && !__URI_PRODUCT_AMAZON && !__HAS_ERRORS_TO
289 #score AMAZON_IMG_NOT_RCVD_AMZN 2.500 # limit
290 describe AMAZON_IMG_NOT_RCVD_AMZN Amazon hosted image but message not from Amazon
291 tflags AMAZON_IMG_NOT_RCVD_AMZN publish
292 ##} AMAZON_IMG_NOT_RCVD_AMZN
296 header APOSTROPHE_FROM From:addr =~ /'/
297 describe APOSTROPHE_FROM From address contains an apostrophe
300 ##{ APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
302 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
303 meta APP_DEVELOPMENT_FREEM __APP_DEVELOPMENT_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
304 describe APP_DEVELOPMENT_FREEM App development pitch, freemail or CHN replyto
305 # score APP_DEVELOPMENT_FREEM 3.500 # limit
306 tflags APP_DEVELOPMENT_FREEM publish
308 ##} APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
310 ##{ APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
312 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
313 meta APP_DEVELOPMENT_NORDNS __APP_DEVELOPMENT && __RDNS_NONE
314 describe APP_DEVELOPMENT_NORDNS App development pitch, no rDNS
315 # score APP_DEVELOPMENT_NORDNS 2.000 # limit
316 tflags APP_DEVELOPMENT_NORDNS publish
318 ##} APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
320 ##{ AXB_XMAILER_MIMEOLE_OL_024C2
322 meta AXB_XMAILER_MIMEOLE_OL_024C2 (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2)
323 describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait
324 ##} AXB_XMAILER_MIMEOLE_OL_024C2
328 header AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~ /\bSFV\:SPM\b/
329 describe AXB_X_FF_SEZ_S Forefront sez this is spam
334 body BANKING_LAWS /banking laws/i
335 describe BANKING_LAWS Talks about banking laws
338 ##{ BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
340 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
341 body BASE64_LENGTH_78_79 eval:check_base64_length('78','79')
343 ##} BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
345 ##{ BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval
347 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
348 describe BASE64_LENGTH_79_INF base64 encoded email part uses line length of 78 or 79 characters
349 body BASE64_LENGTH_79_INF eval:check_base64_length('79')
350 describe BASE64_LENGTH_79_INF base64 encoded email part uses line length greater than 79 characters
352 ##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval
356 meta BAT_BDRY_TO_MALF __BAT_BOUNDARY && __TO_NO_ARROWS_R
357 describe BAT_BDRY_TO_MALF Bat boundary + misformatted To: address
358 #score BAT_BDRY_TO_MALF 2.500 # limit
361 ##{ BEBEE_IMG_NOT_RCVD_BB
363 meta BEBEE_IMG_NOT_RCVD_BB __BEBEE_IMG_NOT_RCVD_BB
364 #score BEBEE_IMG_NOT_RCVD_BB 2.000 # limit
365 describe BEBEE_IMG_NOT_RCVD_BB Bebee hosted image but message not from Bebee
366 tflags BEBEE_IMG_NOT_RCVD_BB publish
367 ##} BEBEE_IMG_NOT_RCVD_BB
369 ##{ BIGNUM_EMAILS_FREEM
371 meta BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS_FREEM
372 describe BIGNUM_EMAILS_FREEM Lots of email addresses/leads, free email account
373 #score BIGNUM_EMAILS_FREEM 3.00 # limit
374 tflags BIGNUM_EMAILS_FREEM publish
375 ##} BIGNUM_EMAILS_FREEM
377 ##{ BIGNUM_EMAILS_MANY
379 meta BIGNUM_EMAILS_MANY __BIGNUM_EMAILS_3 && !__HAS_ERRORS_TO && !__HAS_CAMPAIGNID && !__DATE_LOWER
380 describe BIGNUM_EMAILS_MANY Lots of email addresses/leads, over and over
381 #score BIGNUM_EMAILS_MANY 3.00 # limit
382 tflags BIGNUM_EMAILS_MANY publish
383 ##} BIGNUM_EMAILS_MANY
387 meta BITCOIN_BOMB __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01
388 describe BITCOIN_BOMB BitCoin + bomb
389 #score BITCOIN_BOMB 3.000 # limit
390 tflags BITCOIN_BOMB publish
395 meta BITCOIN_DEADLINE __BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01
396 describe BITCOIN_DEADLINE BitCoin with a deadline
397 #score BITCOIN_DEADLINE 3.000 # limit
398 tflags BITCOIN_DEADLINE publish
401 ##{ BITCOIN_EXTORT_01
403 meta BITCOIN_EXTORT_01 (__BITCOIN_ID && __EXTORT_MANY) && !( __FROM_FULL_NAME && __SENDER_BOT && __SINGLE_WORD_LINE && __MIME_HTML && __PHPMAILER_MUA )
404 describe BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin
405 #score BITCOIN_EXTORT_01 5.000 # limit
406 tflags BITCOIN_EXTORT_01 publish
407 ##} BITCOIN_EXTORT_01
409 ##{ BITCOIN_EXTORT_02
411 meta BITCOIN_EXTORT_02 __OBFU_BITCOIN_NOID && __EXTORT_MANY
412 describe BITCOIN_EXTORT_02 Extortion spam, pay via BitCoin
413 #score BITCOIN_EXTORT_02 5.000 # limit
414 tflags BITCOIN_EXTORT_02 publish
415 ##} BITCOIN_EXTORT_02
419 meta BITCOIN_IMGUR __BITCOIN_IMGUR
420 describe BITCOIN_IMGUR Bitcoin + hosted image
421 #score BITCOIN_IMGUR 3.500 # limit
422 tflags BITCOIN_IMGUR publish
425 ##{ BITCOIN_MALF_HTML
427 meta BITCOIN_MALF_HTML HTML_EXTRA_CLOSE && (__BITCOIN || __BITCOIN_ID)
428 describe BITCOIN_MALF_HTML Bitcoin + malformed HTML
429 #score BITCOIN_MALF_HTML 3.500 # limit
430 ##} BITCOIN_MALF_HTML
434 meta BITCOIN_MALWARE __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED
435 describe BITCOIN_MALWARE BitCoin + malware bragging
436 #score BITCOIN_MALWARE 3.500 # limit
437 tflags BITCOIN_MALWARE publish
440 ##{ BITCOIN_OBFU_SUBJ
442 meta BITCOIN_OBFU_SUBJ __BITCOIN_OBFU_SUBJ && !__128_ALNUM_URI
443 describe BITCOIN_OBFU_SUBJ Bitcoin + obfuscated subject
444 #score BITCOIN_OBFU_SUBJ 3.500 # limit
445 tflags BITCOIN_OBFU_SUBJ publish
446 ##} BITCOIN_OBFU_SUBJ
450 meta BITCOIN_ONAN __BITCOIN_ID && __YOUR_ONAN && __KHOP_NO_FULL_NAME && !BITCOIN_EXTORT_01
451 describe BITCOIN_ONAN BitCoin + [censored]
452 #score BITCOIN_ONAN 3.000 # limit
453 tflags BITCOIN_ONAN publish
458 meta BITCOIN_PAY_ME __BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01
459 describe BITCOIN_PAY_ME Pay me via BitCoin
460 #score BITCOIN_PAY_ME 3.000 # limit
461 tflags BITCOIN_PAY_ME publish
466 meta BITCOIN_SPAM_01 __BITCOIN_ID && HTML_MIME_NO_HTML_TAG
467 describe BITCOIN_SPAM_01 BitCoin spam pattern 01
468 #score BITCOIN_SPAM_01 2.500 # limit
469 tflags BITCOIN_SPAM_01 publish
474 meta BITCOIN_SPAM_02 __BITCOIN_SPAM_02 && !__URL_BTC_ID
475 describe BITCOIN_SPAM_02 BitCoin spam pattern 02
476 #score BITCOIN_SPAM_02 2.500 # limit
477 tflags BITCOIN_SPAM_02 publish
482 meta BITCOIN_SPAM_03 __BITCOIN_ID && __SINGLE_WORD_SUBJ
483 describe BITCOIN_SPAM_03 BitCoin spam pattern 03
484 #score BITCOIN_SPAM_03 2.500 # limit
485 tflags BITCOIN_SPAM_03 publish
490 meta BITCOIN_SPAM_04 __BITCOIN_ID && __freemail_hdr_replyto
491 describe BITCOIN_SPAM_04 BitCoin spam pattern 04
492 #score BITCOIN_SPAM_04 1.500 # limit
493 tflags BITCOIN_SPAM_04 publish
498 meta BITCOIN_SPAM_05 __BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TO
499 describe BITCOIN_SPAM_05 BitCoin spam pattern 05
500 #score BITCOIN_SPAM_05 2.500 # limit
501 tflags BITCOIN_SPAM_05 net publish
506 meta BITCOIN_SPAM_06 __BITCOIN_ID && TVD_RCVD_SPACE_BRACKET
507 describe BITCOIN_SPAM_06 BitCoin spam pattern 06
508 #score BITCOIN_SPAM_06 1.500 # limit
509 tflags BITCOIN_SPAM_06 publish
514 meta BITCOIN_SPAM_07 __BITCOIN_SPAM_07 && !__DKIM_EXISTS
515 describe BITCOIN_SPAM_07 BitCoin spam pattern 07
516 #score BITCOIN_SPAM_07 3.500 # limit
517 tflags BITCOIN_SPAM_07 publish
522 meta BITCOIN_SPAM_08 __BITCOIN_ID && __TO_IN_SUBJ
523 describe BITCOIN_SPAM_08 BitCoin spam pattern 08
524 #score BITCOIN_SPAM_08 2.500 # limit
525 tflags BITCOIN_SPAM_08 publish
530 meta BITCOIN_SPAM_09 __BITCOIN_ID && ( __DESTROY_ME || __DESTROY_YOU )
531 describe BITCOIN_SPAM_09 BitCoin spam pattern 09
532 #score BITCOIN_SPAM_09 1.500 # limit
533 tflags BITCOIN_SPAM_09 publish
538 meta BITCOIN_SPAM_10 __BITCOIN_ID && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 )
539 describe BITCOIN_SPAM_10 BitCoin spam pattern 10
540 #score BITCOIN_SPAM_10 2.500 # limit
541 tflags BITCOIN_SPAM_10 publish
546 meta BITCOIN_SPAM_11 __BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFU
547 describe BITCOIN_SPAM_11 BitCoin spam pattern 11
548 #score BITCOIN_SPAM_11 2.500 # limit
549 tflags BITCOIN_SPAM_11 publish
554 meta BITCOIN_SPAM_12 __BITCOIN_ID && __BOGUS_MIME_HDR_MANY
555 describe BITCOIN_SPAM_12 BitCoin spam pattern 12
556 #score BITCOIN_SPAM_12 2.500 # limit
557 tflags BITCOIN_SPAM_12 publish
560 ##{ BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
562 if (version >= 3.004001)
563 ifplugin Mail::SpamAssassin::Plugin::AskDNS
564 meta BITCOIN_SPF_ONLYALL __PDS_SPF_ONLYALL && __BITCOIN_ID
565 tflags BITCOIN_SPF_ONLYALL net publish
566 describe BITCOIN_SPF_ONLYALL Bitcoin from a domain specifically set to pass +all SPF
567 #score BITCOIN_SPF_ONLYALL 2.0 # limit
570 ##} BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
574 meta BITCOIN_WFH_01 __BITCOIN_WFH_01
575 describe BITCOIN_WFH_01 Work-from-Home + bitcoin
576 tflags BITCOIN_WFH_01 publish
581 meta BITCOIN_XPRIO __BITCOIN_XPRIO && !__ML1 && !__HAS_SENDER && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY
582 describe BITCOIN_XPRIO Bitcoin + priority
583 #score BITCOIN_XPRIO 2.500 # limit
586 ##{ BITCOIN_YOUR_INFO
588 meta BITCOIN_YOUR_INFO __BITCOIN_ID && __YOUR_PERSONAL && !BITCOIN_EXTORT_01
589 describe BITCOIN_YOUR_INFO BitCoin with your personal info
590 #score BITCOIN_YOUR_INFO 3.000 # limit
591 tflags BITCOIN_YOUR_INFO publish
592 ##} BITCOIN_YOUR_INFO
596 meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV
597 describe BODY_URI_ONLY Message body is only a URI in one line of text or for an image
598 #score BODY_URI_ONLY 3.000 # limit
599 tflags BODY_URI_ONLY publish
602 ##{ BOGUS_MIME_VERSION
604 meta BOGUS_MIME_VERSION __BOGUS_MIME_VER_02 || __MALF_MIME_VER
605 #score BOGUS_MIME_VERSION 3.500 # limit
606 describe BOGUS_MIME_VERSION Mime version header is bogus
607 tflags BOGUS_MIME_VERSION publish
608 ##} BOGUS_MIME_VERSION
612 meta BOGUS_MSM_HDRS __BOGUS_MSM_HDRS
613 describe BOGUS_MSM_HDRS Apparently bogus Microsoft email headers
614 #score BOGUS_MSM_HDRS 3.000 # limit
615 tflags BOGUS_MSM_HDRS publish
620 meta BOMB_FREEM __EXPLOSIVE_DEVICE && __freemail_hdr_replyto
621 describe BOMB_FREEM Bomb + freemail
622 #score BOMB_FREEM 2.000 # limit
623 tflags BOMB_FREEM publish
628 meta BOMB_MONEY __EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW || __ADVANCE_FEE_4_NEW || __ADVANCE_FEE_5_NEW )
629 describe BOMB_MONEY Bomb + money: bomb threat?
630 #score BOMB_MONEY 2.500 # limit
631 tflags BOMB_MONEY publish
636 describe BTC_ORG Bitcoin wallet ID + unusual header
637 #score BTC_ORG 2.500 # limit
640 ##{ BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM)
642 if !plugin(Mail::SpamAssassin::Plugin::DKIM)
643 meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST
645 ##} BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM)
647 ##{ BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM
649 ifplugin Mail::SpamAssassin::Plugin::DKIM
650 meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED
652 ##} BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM
654 ##{ BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
656 if (version >= 3.004002)
657 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
658 meta BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD
659 tflags BULK_RE_SUSP_NTLD publish
660 describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD
661 #score BULK_RE_SUSP_NTLD 1.0 # limit
664 ##} BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
668 meta CANT_SEE_AD (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB
669 describe CANT_SEE_AD You really want to see our spam.
670 #score CANT_SEE_AD 2.500 # limit
671 tflags CANT_SEE_AD publish
676 header CK_HELO_GENERIC X-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?=\S*(?:pool|dyna|lease|dial|dip|static))\S*\d+[^\d\s]+\d+[^\]]+ auth= /i
677 describe CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or Generic rPTR
678 #score CK_HELO_GENERIC 0.25
683 body CN_B2B_SPAMMER /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i
684 describe CN_B2B_SPAMMER Chinese company introducing itself
685 tflags CN_B2B_SPAMMER publish
688 ##{ COMMENT_GIBBERISH
690 meta COMMENT_GIBBERISH __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT
691 describe COMMENT_GIBBERISH Nonsense in long HTML comment
692 #score COMMENT_GIBBERISH 1.50 # limit
693 tflags COMMENT_GIBBERISH publish
694 ##} COMMENT_GIBBERISH
698 describe COMPENSATION "Compensation"
699 #score COMPENSATION 1.50 # limit
702 ##{ COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM)
704 if !plugin(Mail::SpamAssassin::Plugin::DKIM)
705 meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD
707 ##} COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM)
709 ##{ COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM
711 ifplugin Mail::SpamAssassin::Plugin::DKIM
712 meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__DKIM_DEPENDABLE
714 ##} COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM
716 ##{ CONTENT_AFTER_HTML
718 meta CONTENT_AFTER_HTML __CONTENT_AFTER_HTML && (__L_CTE_8BIT || __RDNS_NUMERIC_TLD || __HTML_TAG_BALANCE_CENTER || __STY_INVIS_MANY || __TO_EQ_FROM_USR || __TO_EQ_FROM_USR_2 || __KAM_HTML_FONT_INVALID || __SUBJECT_ENCODED_B64 )
719 describe CONTENT_AFTER_HTML More content after HTML close tag + other spam signs
720 #score CONTENT_AFTER_HTML 2.500 # limit
721 tflags CONTENT_AFTER_HTML publish
722 ##} CONTENT_AFTER_HTML
724 ##{ CONTENT_AFTER_HTML_WEAK
726 meta CONTENT_AFTER_HTML_WEAK __CONTENT_AFTER_HTML && !CONTENT_AFTER_HTML && !__CT_TEXT_PLAIN && !__BOUNCE_FROM_DAEMON && !__MSGID_OK_HEX && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER && !MAILING_LIST_MULTI && !__HAS_CID && !__URI_DOTGOV
727 describe CONTENT_AFTER_HTML_WEAK More content after HTML close tag
728 #score CONTENT_AFTER_HTML_WEAK 1.500 # limit
729 tflags CONTENT_AFTER_HTML_WEAK publish
730 ##} CONTENT_AFTER_HTML_WEAK
732 ##{ CORRUPT_FROM_LINE_IN_HDRS
734 meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS)
735 describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers
736 tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish
737 #score CORRUPT_FROM_LINE_IN_HDRS 0.001
738 ##} CORRUPT_FROM_LINE_IN_HDRS
740 ##{ CTE_8BIT_MISMATCH
742 meta CTE_8BIT_MISMATCH (__CT_TEXT_PLAIN && (!__CTE || __L_CTE_7BIT) && __L_BODY_8BITS)
743 describe CTE_8BIT_MISMATCH Header says 7bits but body disagrees
744 #score CTE_8BIT_MISMATCH 1
745 tflags CTE_8BIT_MISMATCH publish
746 ##} CTE_8BIT_MISMATCH
750 meta CTYPE_001C_A (0) # obsolete
755 header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
758 ##{ CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
760 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
761 mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s
762 describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc)
764 ##} CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
768 body CURR_PRICE /\bCurrent Price:/
771 ##{ DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
773 ifplugin Mail::SpamAssassin::Plugin::HeaderEval
774 header DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef')
775 describe DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date
777 ##} DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
779 ##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
781 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
782 meta DAY_I_EARNED __DAY_I_EARNED >= 3
783 # score DAY_I_EARNED 3.000 # limit
784 describe DAY_I_EARNED Work-at-home spam
785 tflags DAY_I_EARNED publish
787 ##} DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
791 body DEAR_BENEFICIARY /\b(?:De[ae]r\s|At+(?:ention|n):?\s?)(?:\S+\s)?Ben[ei]ficiary\b/i
792 describe DEAR_BENEFICIARY Dear Beneficiary:
797 body DEAR_WINNER /\bdear.{1,20}winner/i
798 describe DEAR_WINNER Spam with generic salutation of "dear winner"
801 ##{ DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS
803 ifplugin Mail::SpamAssassin::Plugin::AskDNS
804 meta DKIMWL_BL __DKIMWL_WL_BL
805 tflags DKIMWL_BL net publish
806 describe DKIMWL_BL DKIMwl.org - Blocked sender
807 #score DKIMWL_BL 3.0 # limit
809 ##} DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS
811 ##{ DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS
813 ifplugin Mail::SpamAssassin::Plugin::AskDNS
814 meta DKIMWL_BLOCKED __DKIMWL_BLOCKED
815 tflags DKIMWL_BLOCKED net publish
816 describe DKIMWL_BLOCKED ADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
817 #score DKIMWL_BLOCKED 0.001 # limit
819 ##} DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS
821 ##{ DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS
823 ifplugin Mail::SpamAssassin::Plugin::AskDNS
824 meta DKIMWL_WL_HIGH __DKIMWL_WL_HI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL || __DKIMWL_BULKMAIL)
825 tflags DKIMWL_WL_HIGH net nice publish
826 describe DKIMWL_WL_HIGH DKIMwl.org - High trust sender
827 #score DKIMWL_WL_HIGH -3.0 # limit
829 ##} DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS
831 ##{ DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS
833 ifplugin Mail::SpamAssassin::Plugin::AskDNS
834 meta DKIMWL_WL_MED __DKIMWL_WL_MED && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL)
835 tflags DKIMWL_WL_MED net nice publish
836 describe DKIMWL_WL_MED DKIMwl.org - Medium trust sender
837 #score DKIMWL_WL_MED -0.5 # limit
839 ##} DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS
841 ##{ DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS
843 ifplugin Mail::SpamAssassin::Plugin::AskDNS
844 meta DKIMWL_WL_MEDHI __DKIMWL_WL_MEDHI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL)
845 tflags DKIMWL_WL_MEDHI net nice publish
846 describe DKIMWL_WL_MEDHI DKIMwl.org - Medium-high trust sender
847 #score DKIMWL_WL_MEDHI -1.0 # limit
849 ##} DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS
851 ##{ DOS_ANAL_SPAM_MAILER
853 header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/
854 describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam
855 tflags DOS_ANAL_SPAM_MAILER publish
856 ##} DOS_ANAL_SPAM_MAILER
860 meta DOS_DEREK_AUG08 __DOS_SINGLE_EXT_RELAY && __DOS_HAS_ANY_URI && __NAKED_TO && __LAST_UNTRUSTED_RELAY_NO_AUTH && SPF_PASS && __TVD_MIME_ATT_TP && __CT_TEXT_PLAIN && (__DOS_MSGID_DIGITS9 || __DOS_MSGID_DIGITS10)
865 meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK
866 describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam
869 ##{ DOS_HIGH_BAT_TO_MX
871 meta DOS_HIGH_BAT_TO_MX __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA
872 describe DOS_HIGH_BAT_TO_MX The Bat! Direct to MX with High Bits
873 ##} DOS_HIGH_BAT_TO_MX
877 meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME
878 describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough!
883 meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE
884 describe DOS_OE_TO_MX Delivered direct to MX with OE headers
887 ##{ DOS_OE_TO_MX_IMAGE
889 meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
890 describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image
891 ##} DOS_OE_TO_MX_IMAGE
893 ##{ DOS_OUTLOOK_TO_MX
895 meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE
896 describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers
897 ##} DOS_OUTLOOK_TO_MX
899 ##{ DOS_RCVD_IP_TWICE_C
901 header DOS_RCVD_IP_TWICE_C X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=(?:![\d.]{7,15}!)? [^\[]*\[ ip=\1 [^\]]*\]\s*$/
902 describe DOS_RCVD_IP_TWICE_C Received from the same IP twice in a row (only one external relay; empty or IP helo)
903 ##} DOS_RCVD_IP_TWICE_C
907 meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS)
908 describe DOS_STOCK_BAT Probable pump and dump stock spam
913 meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)
918 uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)}
919 describe DOS_URI_ASTERISK Found an asterisk in a URI
924 meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL))
925 describe DOS_YOUR_PLACE Russian dating spam
930 meta DOTGOV_IMAGE __DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYS
931 describe DOTGOV_IMAGE .gov URI + hosted image
932 #score DOTGOV_IMAGE 3.000 # limit
933 tflags DOTGOV_IMAGE publish
938 header DRUGS_HDIA Subject =~ /\bhoodia\b/i
939 describe DRUGS_HDIA Subject mentions "hoodia"
944 body DX_TEXT_02 /\b(?:change|modif(?:y|ications?)) (?:of|to|(?:yo)?ur) (?:message|sub|comm) stat/i
945 describe DX_TEXT_02 "change your message stat"
946 tflags DX_TEXT_02 publish
951 body DX_TEXT_03 /\b[A-Z]{3} Media (?:Group|Relations)\b/
952 describe DX_TEXT_03 "XXX Media Group"
953 tflags DX_TEXT_03 publish
958 meta DYNAMIC_IMGUR __DYNAMIC_IMGUR
959 describe DYNAMIC_IMGUR dynamic IP + hosted image
960 #score DYNAMIC_IMGUR 4.000 # limit
961 tflags DYNAMIC_IMGUR publish
964 ##{ DYN_RDNS_AND_INLINE_IMAGE
966 meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
967 describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS
968 ##} DYN_RDNS_AND_INLINE_IMAGE
970 ##{ DYN_RDNS_SHORT_HELO_HTML
972 meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE)
973 describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
974 ##} DYN_RDNS_SHORT_HELO_HTML
976 ##{ DYN_RDNS_SHORT_HELO_IMAGE
978 meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
979 describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image
980 ##} DYN_RDNS_SHORT_HELO_IMAGE
982 ##{ EBAY_IMG_NOT_RCVD_EBAY
984 meta EBAY_IMG_NOT_RCVD_EBAY __EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTS
985 #score EBAY_IMG_NOT_RCVD_EBAY 3.000 # limit
986 describe EBAY_IMG_NOT_RCVD_EBAY E-bay hosted image but message not from E-bay
987 tflags EBAY_IMG_NOT_RCVD_EBAY publish
988 ##} EBAY_IMG_NOT_RCVD_EBAY
992 body EMRCP /\bExcess (?:Maximum )?Return Capital (?:Profits?|Funds?)\b/i
993 describe EMRCP "Excess Maximum Return Capital Profit" scam
997 ##{ ENCRYPTED_MESSAGE
999 meta ENCRYPTED_MESSAGE __CT_ENCRYPTED
1000 describe ENCRYPTED_MESSAGE Message is encrypted, not likely to be spam
1001 #score ENCRYPTED_MESSAGE -1.000
1002 tflags ENCRYPTED_MESSAGE nice publish
1003 ##} ENCRYPTED_MESSAGE
1005 ##{ END_FUTURE_EMAILS
1007 describe END_FUTURE_EMAILS Spammy unsubscribe
1008 #score END_FUTURE_EMAILS 2.500 # limit
1009 ##} END_FUTURE_EMAILS
1011 ##{ END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
1013 if !plugin(Mail::SpamAssassin::Plugin::DKIM)
1014 meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER
1016 ##} END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
1018 ##{ END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM
1020 ifplugin Mail::SpamAssassin::Plugin::DKIM
1021 meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED
1023 ##} END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM
1025 ##{ ENVFROM_GOOG_TRIX
1027 meta ENVFROM_GOOG_TRIX __ENVFROM_GOOG_TRIX_SPAMMY
1028 describe ENVFROM_GOOG_TRIX From suspicious Google subdomain
1029 #score ENVFROM_GOOG_TRIX 3.000 # limit
1030 tflags ENVFROM_GOOG_TRIX publish
1031 ##} ENVFROM_GOOG_TRIX
1035 body EXCUSE_24 /you(?:'ve|'re| have| are)? receiv(?:e|ed|ing) this (?:advertisement|offer|special|recurring|paid).{0,16}\b(?:by either|because)/i
1036 describe EXCUSE_24 Claims you wanted this ad
1039 ##{ FACEBOOK_IMG_NOT_RCVD_FB
1041 meta FACEBOOK_IMG_NOT_RCVD_FB __FACEBOOK_IMG_NOT_RCVD_FB && !__VIA_ML && !__ONE_IMG && !__RCD_RDNS_SMTP
1042 #score FACEBOOK_IMG_NOT_RCVD_FB 2.000 # limit
1043 describe FACEBOOK_IMG_NOT_RCVD_FB Facebook hosted image but message not from Facebook
1044 tflags FACEBOOK_IMG_NOT_RCVD_FB publish
1045 ##} FACEBOOK_IMG_NOT_RCVD_FB
1049 meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF)
1054 meta FBI_MONEY __FBI_SPOOF && LOTS_OF_MONEY
1055 describe FBI_MONEY The FBI wants to give you lots of money?
1056 #score FBI_MONEY 2.00 # limit
1057 tflags FBI_MONEY publish
1062 meta FBI_SPOOF __FBI_SPOOF
1063 describe FBI_SPOOF Claims to be FBI, but not from FBI domain
1064 #score FBI_SPOOF 2.00 # limit
1065 tflags FBI_SPOOF publish
1068 ##{ FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1070 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1071 meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML
1072 describe FILL_THIS_FORM Fill in a form with personal information
1073 tflags FILL_THIS_FORM publish
1075 ##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1077 ##{ FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1079 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1080 meta FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY
1081 describe FILL_THIS_FORM_LONG Fill in a form with personal information
1082 # score FILL_THIS_FORM_LONG 2.00 # limit
1084 ##} FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1086 ##{ FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1088 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1089 meta FONT_INVIS_DIRECT __FONT_INVIS_DIRECT && !__UNSUB_LINK && !__HAS_ERRORS_TO && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__URI_DOTGOV && !__NAKED_TO && !__MSGID_OK_HEX
1090 describe FONT_INVIS_DIRECT Invisible text + direct-to-MX
1091 # score FONT_INVIS_DIRECT 3.500 # limit
1092 tflags FONT_INVIS_DIRECT publish
1094 ##} FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1096 ##{ FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1098 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1099 meta FONT_INVIS_DOTGOV __FONT_INVIS_DOTGOV && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__HAS_LIST_ID
1100 describe FONT_INVIS_DOTGOV Invisible text + .gov URI
1101 # score FONT_INVIS_DOTGOV 3.500 # limit
1102 tflags FONT_INVIS_DOTGOV publish
1104 ##} FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1106 ##{ FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1108 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1109 meta FONT_INVIS_HTML_NOHTML __FONT_INVIS_HTML_NOHTML && !__RDNS_LONG
1110 describe FONT_INVIS_HTML_NOHTML Invisible text + malformed HTML
1111 # score FONT_INVIS_HTML_NOHTML 3.000 # limit
1112 tflags FONT_INVIS_HTML_NOHTML publish
1114 ##} FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1116 ##{ FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1118 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1119 meta FONT_INVIS_LONG_LINE __FONT_INVIS_LONG_LINE && !__HTML_SINGLET
1120 describe FONT_INVIS_LONG_LINE Invisible text + long lines
1121 # score FONT_INVIS_LONG_LINE 3.000 # limit
1122 tflags FONT_INVIS_LONG_LINE publish
1124 ##} FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1126 ##{ FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1128 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1129 meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX && !__RCD_RDNS_MTA
1130 describe FONT_INVIS_MSGID Invisible text + suspicious message ID
1131 # score FONT_INVIS_MSGID 2.500 # limit
1132 tflags FONT_INVIS_MSGID publish
1134 ##} FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1136 ##{ FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1138 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1139 meta FONT_INVIS_NORDNS __FONT_INVIS_NORDNS && !__HTML_SINGLET && !__LYRIS_EZLM_REMAILER && !__YOUR_PERSONAL && !__HAS_X_MAILER
1140 describe FONT_INVIS_NORDNS Invisible text + no rDNS
1141 # score FONT_INVIS_NORDNS 2.500 # limit
1142 tflags FONT_INVIS_NORDNS publish
1144 ##} FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1146 ##{ FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1148 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1149 meta FONT_INVIS_POSTEXTRAS (__FONT_INVIS || __STY_INVIS) && __AC_POST_EXTRAS
1150 describe FONT_INVIS_POSTEXTRAS Invisible text + suspicious URI
1151 # score FONT_INVIS_POSTEXTRAS 3.500 # limit
1152 tflags FONT_INVIS_POSTEXTRAS publish
1154 ##} FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1158 meta FORGED_SPF_HELO __HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS
1163 meta FORM_FRAUD (__FORM_FRAUD && !__FORM_FRAUD_3 && !__FORM_FRAUD_5) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__UPPERCASE_URI && !__UNSUB_LINK
1164 describe FORM_FRAUD Fill a form and a fraud phrase
1165 #score FORM_FRAUD 1.000 # limit
1166 tflags FORM_FRAUD publish
1171 meta FORM_FRAUD_3 (__FORM_FRAUD_3 && !__FORM_FRAUD_5 && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_3_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP && !__DOS_BODY_FRI && !__UNSUB_LINK && !__BUGGED_IMG && !__NOT_SPOOFED
1172 describe FORM_FRAUD_3 Fill a form and several fraud phrases
1173 tflags FORM_FRAUD_3 publish
1178 meta FORM_FRAUD_5 (__FORM_FRAUD_5 && !__ADVANCE_FEE_5_NEW_FORM && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__BOUNCE_CTYPE
1179 describe FORM_FRAUD_5 Fill a form and many fraud phrases
1180 tflags FORM_FRAUD_5 publish
1185 meta FOUND_YOU __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO
1186 #score FOUND_YOU 3.25 # limit
1187 describe FOUND_YOU I found you...
1188 tflags FOUND_YOU publish
1191 ##{ FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
1193 ifplugin Mail::SpamAssassin::Plugin::FreeMail
1194 ifplugin Mail::SpamAssassin::Plugin::HeaderEval
1195 if (version >= 3.004000)
1196 meta FREEMAIL_FORGED_FROMDOMAIN FREEMAIL_FROM && HEADER_FROM_DIFFERENT_DOMAINS
1197 describe FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different
1198 # score FREEMAIL_FORGED_FROMDOMAIN 0.25
1199 tflags FREEMAIL_FORGED_FROMDOMAIN publish
1203 ##} FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
1207 meta FREEMAIL_WFH_01 __FREEMAIL_WFH_01
1208 describe FREEMAIL_WFH_01 Work-from-Home + freemail
1209 tflags FREEMAIL_WFH_01 publish
1212 ##{ FREEM_FRNUM_UNICD_EMPTY
1214 meta FREEM_FRNUM_UNICD_EMPTY __FREEM_FRNUM_UNICD_EMPTY
1215 describe FREEM_FRNUM_UNICD_EMPTY Numeric freemail From address, unicode From name and Subject, empty body
1216 #score FREEM_FRNUM_UNICD_EMPTY 3.750 # limit
1217 tflags FREEM_FRNUM_UNICD_EMPTY publish
1218 ##} FREEM_FRNUM_UNICD_EMPTY
1220 ##{ FRNAME_IN_MSG_XPRIO_NO_SUB
1222 meta FRNAME_IN_MSG_XPRIO_NO_SUB (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS && !__SUBJ_NOT_SHORT && !ALL_TRUSTED
1223 describe FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short or no subject
1224 #score FRNAME_IN_MSG_XPRIO_NO_SUB 2.500 # limit
1225 tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish
1226 ##} FRNAME_IN_MSG_XPRIO_NO_SUB
1228 ##{ FROM_2_EMAILS_SHORT
1230 meta FROM_2_EMAILS_SHORT __KAM_BODY_LENGTH_LT_512 && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF)
1231 describe FROM_2_EMAILS_SHORT Short body and From looks like 2 different emails
1232 #score FROM_2_EMAILS_SHORT 3.0 # limit
1233 ##} FROM_2_EMAILS_SHORT
1237 meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL
1238 describe FROM_ADDR_WS Malformed From address
1239 #score FROM_ADDR_WS 3.000 # limit
1240 tflags FROM_ADDR_WS publish
1243 ##{ FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1245 if (version >= 3.004002)
1246 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1247 meta FROM_BANK_NOAUTH __FROM_ADDRLIST_BANKS && (! NO_RELAYS && ! ALL_TRUSTED) && (! SPF_PASS && ! DKIM_VALID_AU)
1248 tflags FROM_BANK_NOAUTH publish net
1249 describe FROM_BANK_NOAUTH From Bank domain but no SPF or DKIM
1250 #score FROM_BANK_NOAUTH 1.0 # limit
1253 ##} FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1255 ##{ FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1257 if (version >= 3.004001)
1258 ifplugin Mail::SpamAssassin::Plugin::AskDNS
1259 meta FROM_FMBLA_NDBLOCKED __FROM_FMBLA_NDBLOCKED
1260 describe FROM_FMBLA_NDBLOCKED ADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
1261 tflags FROM_FMBLA_NDBLOCKED net publish
1262 #score FROM_FMBLA_NDBLOCKED 0.001 # limit
1265 ##} FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1267 ##{ FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1269 if (version >= 3.004001)
1270 ifplugin Mail::SpamAssassin::Plugin::AskDNS
1271 meta FROM_FMBLA_NEWDOM __FROM_FMBLA_NEWDOM
1272 describe FROM_FMBLA_NEWDOM From domain was registered in last 7 days
1273 tflags FROM_FMBLA_NEWDOM net
1274 #score FROM_FMBLA_NEWDOM 1.5 # limit
1277 ##} FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1279 ##{ FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1281 if (version >= 3.004001)
1282 ifplugin Mail::SpamAssassin::Plugin::AskDNS
1283 meta FROM_FMBLA_NEWDOM14 __FROM_FMBLA_NEWDOM14
1284 describe FROM_FMBLA_NEWDOM14 From domain was registered in last 7-14 days
1285 tflags FROM_FMBLA_NEWDOM14 publish net
1286 #score FROM_FMBLA_NEWDOM14 1.0 # limit
1289 ##} FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1291 ##{ FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1293 if (version >= 3.004001)
1294 ifplugin Mail::SpamAssassin::Plugin::AskDNS
1295 meta FROM_FMBLA_NEWDOM28 __FROM_FMBLA_NEWDOM28
1296 describe FROM_FMBLA_NEWDOM28 From domain was registered in last 14-28 days
1297 tflags FROM_FMBLA_NEWDOM28 net publish
1298 #score FROM_FMBLA_NEWDOM28 0.8 # limit
1301 ##} FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1303 ##{ FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1305 if (version >= 3.004002)
1306 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1307 meta FROM_GOV_DKIM_AU DKIM_VALID_AU && __FROM_ADDRLIST_GOV
1308 tflags FROM_GOV_DKIM_AU net nice publish
1309 describe FROM_GOV_DKIM_AU From Government address and DKIM signed
1310 #score FROM_GOV_DKIM_AU -1.0 # limit
1313 ##} FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1315 ##{ FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1317 if (version >= 3.004002)
1318 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1319 meta FROM_GOV_REPLYTO_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_GOV && !DKIM_VALID_AU
1320 tflags FROM_GOV_REPLYTO_FREEMAIL net publish
1321 describe FROM_GOV_REPLYTO_FREEMAIL From Government domain but ReplyTo is FREEMAIL
1322 #score FROM_GOV_REPLYTO_FREEMAIL 2.0
1325 ##} FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1327 ##{ FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1329 if (version >= 3.004002)
1330 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1331 meta FROM_GOV_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (! NO_RELAYS && ! ALL_TRUSTED)
1332 tflags FROM_GOV_SPOOF net publish
1333 describe FROM_GOV_SPOOF From Government domain but matches SPOOFED
1334 #score FROM_GOV_SPOOF 1.0 # limit
1337 ##} FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1339 ##{ FROM_IN_TO_AND_SUBJ
1341 meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID
1342 describe FROM_IN_TO_AND_SUBJ From address is in To and Subject
1343 tflags FROM_IN_TO_AND_SUBJ publish
1344 ##} FROM_IN_TO_AND_SUBJ
1348 meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
1349 describe FROM_MISSPACED From: missing whitespace
1350 #score FROM_MISSPACED 2.00
1353 ##{ FROM_MISSP_DYNIP
1355 meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC
1356 describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS
1357 ##} FROM_MISSP_DYNIP
1359 ##{ FROM_MISSP_EH_MATCH
1361 meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
1362 describe FROM_MISSP_EH_MATCH From misspaced, matches envelope
1363 #score FROM_MISSP_EH_MATCH 2.00 # max
1364 ##} FROM_MISSP_EH_MATCH
1366 ##{ FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail
1368 ifplugin Mail::SpamAssassin::Plugin::FreeMail
1369 meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA
1370 describe FROM_MISSP_FREEMAIL From misspaced + freemail provider
1372 ##} FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail
1376 meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
1377 describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
1380 ##{ FROM_MISSP_REPLYTO
1382 meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY && !__DOS_HAS_LIST_UNSUB
1383 describe FROM_MISSP_REPLYTO From misspaced, has Reply-To
1384 #score FROM_MISSP_REPLYTO 2.500 # limit
1385 ##} FROM_MISSP_REPLYTO
1387 ##{ FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
1389 ifplugin Mail::SpamAssassin::Plugin::SPF
1390 meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL)
1391 tflags FROM_MISSP_SPF_FAIL net
1392 # score FROM_MISSP_SPF_FAIL 2.00 # limit
1394 ##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
1398 meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER)
1399 describe FROM_MISSP_USER From misspaced, from "User"
1402 ##{ FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
1404 if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
1405 meta FROM_MULTI_NORDNS __FROM_MULTI_NORDNS
1406 describe FROM_MULTI_NORDNS Multiple From addresses + no rDNS
1408 ##} FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
1410 ##{ FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1412 if (version >= 3.004001)
1413 ifplugin Mail::SpamAssassin::Plugin::AskDNS
1414 meta FROM_NEWDOM_BTC __PDS_BTC_ID && __PDS_NEWDOMAIN
1415 describe FROM_NEWDOM_BTC Newdomain with Bitcoin ID
1416 #score FROM_NEWDOM_BTC 2.0 # limit
1417 tflags FROM_NEWDOM_BTC net
1420 ##} FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1422 ##{ FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1424 if (version >= 3.004002)
1425 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1426 meta FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY
1427 tflags FROM_NTLD_LINKBAIT publish
1428 describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI
1429 #score FROM_NTLD_LINKBAIT 2.0 # limit
1432 ##} FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1434 ##{ FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1436 if (version >= 3.004002)
1437 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1438 meta FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD
1439 tflags FROM_NTLD_REPLY_FREEMAIL publish
1440 describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL
1441 #score FROM_NTLD_REPLY_FREEMAIL 2.0 # limit
1444 ##} FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1446 ##{ FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1448 if (version >= 3.004001)
1449 ifplugin Mail::SpamAssassin::Plugin::AskDNS
1450 meta FROM_NUMBERO_NEWDOMAIN __NUMBERONLY_TLD && __PDS_NEWDOMAIN
1451 describe FROM_NUMBERO_NEWDOMAIN Fingerprint and new domain
1452 #score FROM_NUMBERO_NEWDOMAIN 2.0 # limit
1453 tflags FROM_NUMBERO_NEWDOMAIN net publish
1456 ##} FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1458 ##{ FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1460 if (version >= 3.004002)
1461 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1462 meta FROM_PAYPAL_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_PAYPAL && (! NO_RELAYS && ! ALL_TRUSTED)
1463 tflags FROM_PAYPAL_SPOOF publish net
1464 describe FROM_PAYPAL_SPOOF From PayPal domain but matches SPOOFED
1465 #score FROM_PAYPAL_SPOOF 1.6 # limit
1468 ##} FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1470 ##{ FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1472 if (version >= 3.004002)
1473 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1474 meta FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD
1475 tflags FROM_SUSPICIOUS_NTLD publish
1476 describe FROM_SUSPICIOUS_NTLD From abused NTLD
1477 #score FROM_SUSPICIOUS_NTLD 0.5 # limit
1480 ##} FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1482 ##{ FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1484 if (version >= 3.004002)
1485 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1486 meta FROM_SUSPICIOUS_NTLD_FP __FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST
1487 tflags FROM_SUSPICIOUS_NTLD_FP publish
1488 describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD
1489 #score FROM_SUSPICIOUS_NTLD_FP 2.0 # limit
1492 ##} FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1496 meta FSL_BULK_SIG (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__USING_VERP1 && !__KAM_BODY_LENGTH_LT_128
1497 describe FSL_BULK_SIG Bulk signature with no Unsubscribe
1498 #score FSL_BULK_SIG 2.500 # limit
1499 tflags FSL_BULK_SIG net publish
1502 ##{ FSL_CTYPE_WIN1251
1504 header FSL_CTYPE_WIN1251 Content-Type =~ /charset="Windows-1251"/
1505 describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam
1506 ##} FSL_CTYPE_WIN1251
1508 ##{ FSL_FAKE_HOTMAIL_RVCD
1510 header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/
1511 ##} FSL_FAKE_HOTMAIL_RVCD
1513 ##{ FSL_HELO_BARE_IP_1
1515 meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED
1516 ##} FSL_HELO_BARE_IP_1
1520 header FSL_HELO_DEVICE X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i
1523 ##{ FSL_HELO_NON_FQDN_1
1525 header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
1526 ##} FSL_HELO_NON_FQDN_1
1530 header FSL_HELO_SETUP X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i
1533 ##{ FSL_INTERIA_ABUSE
1535 uri FSL_INTERIA_ABUSE /\/\S+\.(?:w|eu|fm)\.interia\.pl/
1536 ##} FSL_INTERIA_ABUSE
1538 ##{ FSL_NEW_HELO_USER
1540 meta FSL_NEW_HELO_USER (__FSL_HELO_USER_1 || __FSL_HELO_USER_2 || __FSL_HELO_USER_3)
1541 describe FSL_NEW_HELO_USER Spam's using Helo and User
1542 #score FSL_NEW_HELO_USER 2.0
1543 tflags FSL_NEW_HELO_USER publish
1544 ##} FSL_NEW_HELO_USER
1546 ##{ FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1548 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1549 body FUZZY_AMAZON /(?:^|\W)(?=<A>)(?!amazon)<A><M><A><Z><O><N>(?:$|\W)/i
1550 describe FUZZY_AMAZON Obfuscated "amazon"
1551 tflags FUZZY_AMAZON publish
1553 ##} FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1555 ##{ FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1557 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1558 body FUZZY_ANDROID /(?=<A>)(?!android)<A><N><D><R><O><I><D>/i
1559 describe FUZZY_ANDROID Obfuscated "android"
1560 tflags FUZZY_ANDROID publish
1562 ##} FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1564 ##{ FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1566 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1567 body FUZZY_APPLE /(?:^|\W)(?=<A>)(?!appl[ey])<A><P><P><L><E>(?:$|\W)/i
1568 describe FUZZY_APPLE Obfuscated "apple"
1569 tflags FUZZY_APPLE publish
1571 ##} FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1573 ##{ FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1575 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1576 body FUZZY_BITCOIN /(?=<B>)(?!bit[-\s]?coin)<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i
1577 describe FUZZY_BITCOIN Obfuscated "Bitcoin"
1578 tflags FUZZY_BITCOIN publish
1580 ##} FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1582 ##{ FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1584 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1585 body FUZZY_BROWSER /(?=<B>)(?!browser)<B><R><O><W><S><E><R>/i
1586 describe FUZZY_BROWSER Obfuscated "browser"
1587 tflags FUZZY_BROWSER publish
1589 ##} FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1591 ##{ FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1593 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1594 meta FUZZY_BTC_WALLET FUZZY_BITCOIN && FUZZY_WALLET
1595 describe FUZZY_BTC_WALLET Heavily obfuscated "bitcoin wallet"
1596 tflags FUZZY_BTC_WALLET publish
1598 ##} FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1600 ##{ FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1602 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1603 body FUZZY_CLICK_HERE /(?=<C>)(?!click(?:\s| )here)<C><WS>*<L><WS>*<I><WS>*<C><WS>*<K><WS>+<H><WS>*<E><WS>*<R><WS>*<E>/i
1604 describe FUZZY_CLICK_HERE Obfuscated "click here"
1605 tflags FUZZY_CLICK_HERE publish
1607 ##} FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1609 ##{ FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1611 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1612 meta FUZZY_DR_OZ __FUZZY_DR_OZ && !__VIA_ML
1613 describe FUZZY_DR_OZ Obfuscated Doctor Oz
1614 tflags FUZZY_DR_OZ publish
1616 ##} FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1618 ##{ FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1620 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1621 body FUZZY_FACEBOOK /(?=<F>)(?!fa[ck]ebook)<F><A><C><E><B><O><O><K>/i
1622 describe FUZZY_FACEBOOK Obfuscated "facebook"
1623 tflags FUZZY_FACEBOOK publish
1625 ##} FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1627 ##{ FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1629 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1630 body FUZZY_IMPORTANT /(?=<I>)(?!important)<I>(?:<M>|<N>)<P><O><R><T><A><N><T>/i
1631 describe FUZZY_IMPORTANT Obfuscated "important"
1632 tflags FUZZY_IMPORTANT publish
1634 ##} FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1636 ##{ FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1638 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1639 body FUZZY_MERIDIA /<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i
1640 describe FUZZY_MERIDIA Obfuscation of the word "meridia"
1642 ##} FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1644 ##{ FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1646 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1647 body FUZZY_MICROSOFT /(?=<M>)(?!microsoft)<M><I><C><R><O><S><O><F><T>/i
1648 describe FUZZY_MICROSOFT Obfuscated "microsoft"
1649 tflags FUZZY_MICROSOFT publish
1651 ##} FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1655 meta FUZZY_MONERO __FUZZY_MONERO
1656 describe FUZZY_MONERO Obfuscated "Monero"
1657 tflags FUZZY_MONERO publish
1660 ##{ FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1662 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1663 body FUZZY_NORTON /(?:^|\W)(?=<N>)(?!norton)<N><O><R><T><O><N>(?:$|\W)/i
1664 describe FUZZY_NORTON Obfuscated "norton"
1665 tflags FUZZY_NORTON publish
1667 ##} FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1669 ##{ FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1671 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1672 body FUZZY_OVERSTOCK /(?:^|\W)(?=<O>)(?!over[-\s]?stock)<O><V><E><R>[-\s]?<S><T><O><C><K>(?:$|\W)/i
1673 describe FUZZY_OVERSTOCK Obfuscated "overstock"
1674 tflags FUZZY_OVERSTOCK publish
1676 ##} FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1678 ##{ FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1680 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1681 body FUZZY_PAYPAL /(?:^|\W)(?=<P>)(?!pay[-\s]?pal)<P><A><Y>[-\s]?<P><A><L>(?:$|\W)/i
1682 describe FUZZY_PAYPAL Obfuscated "paypal"
1683 tflags FUZZY_PAYPAL publish
1685 ##} FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1687 ##{ FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1689 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1690 meta FUZZY_PORN __FUZZY_PORN && !( __ENV_AND_HDR_FROM_MATCH && __SENDER_BOT )
1691 describe FUZZY_PORN Obfuscated "Pornography" or "Pornographic"
1692 tflags FUZZY_PORN publish
1694 ##} FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1696 ##{ FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1698 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1699 body FUZZY_PRIVACY /(?=<P>)(?!privacy)<P><R><I><V><A><C><Y>/i
1700 describe FUZZY_PRIVACY Obfuscated "privacy"
1701 tflags FUZZY_PRIVACY publish
1703 ##} FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1705 ##{ FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1707 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1708 body FUZZY_PROMOTION /(?=<P>)(?!promotion)<P><R><O><M><O><T><I><O><N>/i
1709 describe FUZZY_PROMOTION Obfuscated "promotion"
1710 tflags FUZZY_PROMOTION publish
1712 ##} FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1714 ##{ FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1716 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1717 body FUZZY_SAVINGS /(?=<S>)(?!savings)<S><A><V><I><N><G><S>/i
1718 describe FUZZY_SAVINGS Obfuscated "savings"
1719 tflags FUZZY_SAVINGS publish
1721 ##} FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1723 ##{ FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1725 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1726 body FUZZY_SECURITY /(?=<S>)(?!security)(?!seguridad)(?!s\xc3\xa9curit\xc3\xa9)<S><E>(?:<C>|<G>)<U><R><I>(?:<T><Y>|<D><A><D>)/i
1727 describe FUZZY_SECURITY Obfuscated "security"
1728 tflags FUZZY_SECURITY publish
1730 ##} FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1732 ##{ FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1734 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1735 body FUZZY_UNSUBSCRIBE /(?=<U>)(?!unsubscribe)<U><N><S><U><B><S><C><R><I><B><E>/i
1736 describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe"
1737 tflags FUZZY_UNSUBSCRIBE publish
1739 ##} FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1741 ##{ FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1743 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1744 body FUZZY_WALLET /(?=<W>)(?!wallet)<W><A><L><L><E><T>/i
1745 describe FUZZY_WALLET Obfuscated "Wallet"
1746 tflags FUZZY_WALLET publish
1748 ##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1750 ##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1752 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1753 meta GAPPY_SALES_LEADS_FREEM __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
1754 describe GAPPY_SALES_LEADS_FREEM Obfuscated marketing text, freemail or CHN replyto
1755 # score GAPPY_SALES_LEADS_FREEM 3.500 # limit
1756 tflags GAPPY_SALES_LEADS_FREEM publish
1758 ##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1762 meta GB_BITCOIN_CP ( __GB_BITCOIN_CP_DE || __GB_BITCOIN_CP_ES || __GB_BITCOIN_CP_EN || __GB_BITCOIN_CP_FR || __GB_BITCOIN_CP_IT || __GB_BITCOIN_CP_NL || __GB_BITCOIN_CP_SE )
1763 describe GB_BITCOIN_CP Localized Bitcoin scam
1764 #score GB_BITCOIN_CP 3.0 # limit
1769 meta GB_BITCOIN_NH ( __BITCOIN_ID && !__URL_BTC_ID && ( __NEVER_HEAR_EN || __NEVER_HEAR_IT ) )
1770 describe GB_BITCOIN_NH Localized Bitcoin scam
1771 #score GB_BITCOIN_NH 3.0 # limit
1774 ##{ GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
1776 if (version >= 4.000000)
1777 if can(Mail::SpamAssassin::Conf::feature_capture_rules)
1778 meta GB_CUSTOM_HTM_URI ( __GB_CUSTOM_HTM_URI0 || __GB_CUSTOM_HTM_URI1 || __GB_CUSTOM_HTM_URI2 || __GB_DRUPAL_URI )
1779 describe GB_CUSTOM_HTM_URI Custom html uri
1780 # score GB_CUSTOM_HTM_URI 1.500 # limit
1781 tflags GB_CUSTOM_HTM_URI publish
1784 ##} GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
1786 ##{ GB_FAKE_RF_SHORT
1788 meta GB_FAKE_RF_SHORT ( ! __THREADED && __GB_FAKE_RF && __URL_SHORTENER )
1789 describe GB_FAKE_RF_SHORT Fake reply or forward with url shortener
1790 #score GB_FAKE_RF_SHORT 2.000 # limit
1791 tflags GB_FAKE_RF_SHORT publish
1792 ##} GB_FAKE_RF_SHORT
1794 ##{ GB_FORGED_MUA_POSTFIX
1796 meta GB_FORGED_MUA_POSTFIX ( __FORGED_MUA_POSTFIX0 || __FORGED_MUA_POSTFIX1 )
1797 describe GB_FORGED_MUA_POSTFIX Forged Postfix mua headers
1798 tflags GB_FORGED_MUA_POSTFIX publish
1799 #score GB_FORGED_MUA_POSTFIX 2.0 # limit
1800 ##} GB_FORGED_MUA_POSTFIX
1802 ##{ GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
1804 ifplugin Mail::SpamAssassin::Plugin::FreeMail
1805 meta GB_FREEMAIL_DISPTO ( __FREEMAIL_DISPTO && !__freemail_safe )
1806 describe GB_FREEMAIL_DISPTO Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails
1807 # score GB_FREEMAIL_DISPTO 0.50 # limit
1808 tflags GB_FREEMAIL_DISPTO publish
1810 ##} GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
1812 ##{ GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail
1814 ifplugin Mail::SpamAssassin::Plugin::FreeMail
1815 meta GB_FREEMAIL_DISPTO_NOTFREEM ( __FREEMAIL_DISPTO && !__freemail_safe && !FREEMAIL_FROM )
1816 describe GB_FREEMAIL_DISPTO_NOTFREEM Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail
1817 # score GB_FREEMAIL_DISPTO_NOTFREEM 0.50 # limit
1818 tflags GB_FREEMAIL_DISPTO_NOTFREEM publish
1820 ##} GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail
1824 uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.([a-z]{2,3})\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=([0-9])*\&(cad=rja\&uact=([0-9]+)\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(&usg=.{1,50})?/
1825 describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect
1826 #score GB_GOOGLE_OBFUR 0.75 # limit
1827 tflags GB_GOOGLE_OBFUR publish
1830 ##{ GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL
1832 if (version >= 3.004003)
1833 ifplugin Mail::SpamAssassin::Plugin::HashBL
1834 body GB_HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,62})\b')
1835 tflags GB_HASHBL_BTC net publish
1836 describe GB_HASHBL_BTC Message contains BTC address found on BTCBL
1837 # score GB_HASHBL_BTC 5.0 # limit
1840 ##} GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL
1842 ##{ GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
1844 if (version >= 4.000000)
1845 if can(Mail::SpamAssassin::Conf::feature_capture_rules)
1846 uri GB_STORAGE_GOOGLE_EMAIL m|^https?://storage\.cloud\.google\.com/.{4,128}\#%{GB_TO_ADDR}|i
1847 describe GB_STORAGE_GOOGLE_EMAIL Google storage cloud abuse
1848 # score GB_STORAGE_GOOGLE_EMAIL 2.000 # limit
1849 tflags GB_STORAGE_GOOGLE_EMAIL publish
1852 ##} GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
1854 ##{ GB_URI_FLEEK_STO_HTM
1856 uri GB_URI_FLEEK_STO_HTM m,^https?://storageapi\.fleek\.co/.*\.html?,i
1857 describe GB_URI_FLEEK_STO_HTM Html file stored on Fleek cloud
1858 #score GB_URI_FLEEK_STO_HTM 1.000 # limit
1859 tflags GB_URI_FLEEK_STO_HTM multiple maxhits=5
1860 ##} GB_URI_FLEEK_STO_HTM
1862 ##{ GEO_QUERY_STRING
1864 uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
1865 ##} GEO_QUERY_STRING
1867 ##{ GOOGLE_DOCS_PHISH
1869 meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2)
1870 describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form
1871 #score GOOGLE_DOCS_PHISH 3.00 # limit
1872 tflags GOOGLE_DOCS_PHISH publish
1873 ##} GOOGLE_DOCS_PHISH
1875 ##{ GOOGLE_DOCS_PHISH_MANY
1877 meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
1878 describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form
1879 #score GOOGLE_DOCS_PHISH_MANY 4.00 # limit
1880 tflags GOOGLE_DOCS_PHISH_MANY publish
1881 ##} GOOGLE_DOCS_PHISH_MANY
1885 meta GOOGLE_DOC_SUSP __GOOGLE_DOC_SUSP && !GOOGLE_DOCS_PHISH_MANY && !__HAS_SENDER && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__USING_VERP1 && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_SMTP && ! __HAS_LIST_ID && !__SURVEY && !__BUGGED_IMG
1886 describe GOOGLE_DOC_SUSP Suspicious use of Google Docs
1887 #score GOOGLE_DOC_SUSP 3.000 # limit
1888 tflags GOOGLE_DOC_SUSP publish
1891 ##{ GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1893 if (version >= 3.004002)
1894 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1895 meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD
1896 tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish
1897 describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD
1898 #score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit
1901 ##} GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1903 ##{ GOOG_MALWARE_DNLD
1905 meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD
1906 describe GOOG_MALWARE_DNLD File download via Google - Malware?
1907 #score GOOG_MALWARE_DNLD 5.000 # limit
1908 tflags GOOG_MALWARE_DNLD publish
1909 ##} GOOG_MALWARE_DNLD
1911 ##{ GOOG_REDIR_DOCUSIGN
1913 uri GOOG_REDIR_DOCUSIGN m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i
1914 describe GOOG_REDIR_DOCUSIGN Indirect docusign link, probable phishing
1915 tflags GOOG_REDIR_DOCUSIGN publish
1916 ##} GOOG_REDIR_DOCUSIGN
1918 ##{ GOOG_REDIR_NORDNS
1920 meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE
1921 describe GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website + no rDNS
1922 ##} GOOG_REDIR_NORDNS
1924 ##{ GOOG_REDIR_SHORT
1926 meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512
1927 describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message
1928 tflags GOOG_REDIR_SHORT publish
1929 ##} GOOG_REDIR_SHORT
1931 ##{ GOOG_STO_EMAIL_PHISH
1933 meta GOOG_STO_EMAIL_PHISH __URI_GOOG_STO_EMAIL && (__PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ || __FROM_ADMIN || __VERIFY_ACCOUNT)
1934 describe GOOG_STO_EMAIL_PHISH Possible phishing with google hosted content URI having email address
1935 #score GOOG_STO_EMAIL_PHISH 3.00 # limit
1936 tflags GOOG_STO_EMAIL_PHISH publish
1937 ##} GOOG_STO_EMAIL_PHISH
1939 ##{ GOOG_STO_HTML_PHISH
1941 meta GOOG_STO_HTML_PHISH __GOOG_STO_HTML_PHISH
1942 describe GOOG_STO_HTML_PHISH Possible phishing with google content hosting to avoid URIBL
1943 #score GOOG_STO_HTML_PHISH 3.00 # limit
1944 tflags GOOG_STO_HTML_PHISH publish
1945 ##} GOOG_STO_HTML_PHISH
1947 ##{ GOOG_STO_HTML_PHISH_MANY
1949 meta GOOG_STO_HTML_PHISH_MANY __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
1950 describe GOOG_STO_HTML_PHISH_MANY Phishing with google content hosting to avoid URIBL
1951 #score GOOG_STO_HTML_PHISH_MANY 4.00 # limit
1952 tflags GOOG_STO_HTML_PHISH_MANY publish
1953 ##} GOOG_STO_HTML_PHISH_MANY
1955 ##{ GOOG_STO_IMG_HTML
1957 meta GOOG_STO_IMG_HTML __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY
1958 describe GOOG_STO_IMG_HTML Apparently using google content hosting to avoid URIBL
1959 #score GOOG_STO_IMG_HTML 3.000 # limit
1960 tflags GOOG_STO_IMG_HTML publish
1961 ##} GOOG_STO_IMG_HTML
1963 ##{ GOOG_STO_IMG_NOHTML
1965 meta GOOG_STO_IMG_NOHTML __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !URI_GOOG_STO_SPAMMY
1966 describe GOOG_STO_IMG_NOHTML Apparently using google content hosting to avoid URIBL
1967 #score GOOG_STO_IMG_NOHTML 2.500 # limit
1968 tflags GOOG_STO_IMG_NOHTML publish
1969 ##} GOOG_STO_IMG_NOHTML
1971 ##{ GOOG_STO_NOIMG_HTML
1973 meta GOOG_STO_NOIMG_HTML __GOOG_STO_NOIMG_HTML && !URI_GOOG_STO_SPAMMY
1974 describe GOOG_STO_NOIMG_HTML Apparently using google content hosting to avoid URIBL
1975 #score GOOG_STO_NOIMG_HTML 3.000 # limit
1976 tflags GOOG_STO_NOIMG_HTML publish
1977 ##} GOOG_STO_NOIMG_HTML
1981 meta HAS_X_NO_RELAY __HAS_X_NO_RELAY && !__TO_EQ_FROM_1
1982 describe HAS_X_NO_RELAY Has spammy header
1983 #score HAS_X_NO_RELAY 2.500 # limit
1984 tflags HAS_X_NO_RELAY publish
1987 ##{ HAS_X_OUTGOING_SPAM_STAT
1989 meta HAS_X_OUTGOING_SPAM_STAT __HAS_X_OUTGOING_SPAM_STAT && !MAILING_LIST_MULTI && !__HAS_X_MAILMAN_VERSION && !__AUTOREPLY_ASU && !__THREAD_INDEX_GOOD && !__HAS_X_LOOP && !__DOC_ATTACH && !__PDF_ATTACH && !__FROM_EQ_ORG_1 && !__HAS_IN_REPLY_TO
1990 describe HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - why trust the results?
1991 #score HAS_X_OUTGOING_SPAM_STAT 2.000 # limit
1992 tflags HAS_X_OUTGOING_SPAM_STAT publish
1993 ##} HAS_X_OUTGOING_SPAM_STAT
1997 describe HDRS_LCASE Odd capitalization of message header
1998 #score HDRS_LCASE 0.10 # limit
2001 ##{ HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
2003 if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
2004 meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
2006 ##} HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
2008 ##{ HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
2010 ifplugin Mail::SpamAssassin::Plugin::FreeMail
2011 meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
2013 ##} HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
2015 ##{ HDRS_LCASE_IMGONLY
2017 meta HDRS_LCASE_IMGONLY __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN
2018 describe HDRS_LCASE_IMGONLY Odd capitalization of message headers + image-only HTML
2019 #score HDRS_LCASE_IMGONLY 0.10 # limit
2020 ##} HDRS_LCASE_IMGONLY
2024 meta HDRS_MISSP __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY)
2025 describe HDRS_MISSP Misspaced headers
2026 #score HDRS_MISSP 2.500 # limit
2027 tflags HDRS_MISSP publish
2030 ##{ HDR_ORDER_FTSDMCXX_001C
2032 meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C)
2033 describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant)
2034 ##} HDR_ORDER_FTSDMCXX_001C
2036 ##{ HDR_ORDER_FTSDMCXX_BAT
2038 meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY)
2039 describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant)
2040 ##} HDR_ORDER_FTSDMCXX_BAT
2042 ##{ HDR_ORDER_FTSDMCXX_DIRECT
2044 meta HDR_ORDER_FTSDMCXX_DIRECT (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML
2045 describe HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX
2046 #score HDR_ORDER_FTSDMCXX_DIRECT 2.000 # limit
2047 tflags HDR_ORDER_FTSDMCXX_DIRECT publish
2048 ##} HDR_ORDER_FTSDMCXX_DIRECT
2050 ##{ HDR_ORDER_FTSDMCXX_NORDNS
2052 meta HDR_ORDER_FTSDMCXX_NORDNS (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED
2053 describe HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS
2054 #score HDR_ORDER_FTSDMCXX_NORDNS 3.500 # limit
2055 tflags HDR_ORDER_FTSDMCXX_NORDNS publish
2056 ##} HDR_ORDER_FTSDMCXX_NORDNS
2058 ##{ HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2060 ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2061 header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999')
2062 describe HEADER_COUNT_SUBJECT Multiple Subject headers found
2064 ##} HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2066 ##{ HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
2068 ifplugin Mail::SpamAssassin::Plugin::FreeMail
2069 ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2070 if (version >= 3.004000)
2071 header HEADER_FROM_DIFFERENT_DOMAINS eval:check_equal_from_domains()
2072 describe HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
2073 # score HEADER_FROM_DIFFERENT_DOMAINS 0.25
2074 tflags HEADER_FROM_DIFFERENT_DOMAINS publish
2078 ##} HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
2082 header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i
2087 header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i
2092 header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i
2097 meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST
2098 describe HELO_NO_DOMAIN Relay reports its domain incorrectly
2099 tflags HELO_NO_DOMAIN publish
2104 header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
2109 meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER
2110 describe HEXHASH_WORD Multiple instances of word + hexadecimal hash
2111 #score HEXHASH_WORD 3.000 # limit
2112 tflags HEXHASH_WORD publish
2115 ##{ HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2117 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2118 mimeheader HK_CTE_RAW Content-Transfer-Encoding =~ /^raw$/
2120 tflags HK_CTE_RAW publish
2122 ##} HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2126 meta HK_LOTTO __HK_LOTTO_2 || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT
2132 header HK_NAME_DRUGS From:name =~ /(viagra|\bcialis|cialis\b)/mi
2133 describe HK_NAME_DRUGS From name contains drugs
2134 #score HK_NAME_DRUGS 2
2137 ##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
2139 ifplugin Mail::SpamAssassin::Plugin::FreeMail
2140 if (version >= 3.004000)
2141 meta HK_NAME_MR_MRS __HK_NAME_MR_MRS && !FREEMAIL_FROM
2142 # score HK_NAME_MR_MRS 1.0
2145 ##} HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
2147 ##{ HK_RANDOM_ENVFROM
2149 header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
2150 describe HK_RANDOM_ENVFROM Envelope sender username looks random
2151 #score HK_RANDOM_ENVFROM 1
2152 tflags HK_RANDOM_ENVFROM publish
2153 ##} HK_RANDOM_ENVFROM
2157 header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
2158 describe HK_RANDOM_FROM From username looks random
2159 #score HK_RANDOM_FROM 1
2160 tflags HK_RANDOM_FROM publish
2163 ##{ HK_RANDOM_REPLYTO
2165 header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
2166 describe HK_RANDOM_REPLYTO Reply-To username looks random
2167 #score HK_RANDOM_REPLYTO 1
2168 tflags HK_RANDOM_REPLYTO publish
2169 ##} HK_RANDOM_REPLYTO
2171 ##{ HK_RCVD_IP_MULTICAST
2173 header HK_RCVD_IP_MULTICAST X-Spam-Relays-External =~ / ip=(?:22[4-9]|23[0-9])\./
2174 #score HK_RCVD_IP_MULTICAST 2
2175 tflags HK_RCVD_IP_MULTICAST publish
2176 ##} HK_RCVD_IP_MULTICAST
2180 meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || __HK_SCAM_N16 || __HK_SCAM_S1 || __HK_SCAM_S15 || __HK_SCAM_S25
2182 tflags HK_SCAM publish
2185 ##{ HOSTED_IMG_DIRECT_MX
2187 meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS
2188 #score HOSTED_IMG_DIRECT_MX 3.500 # limit
2189 describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm, CDN or hosting site, message direct-to-mx
2190 tflags HOSTED_IMG_DIRECT_MX publish
2191 ##} HOSTED_IMG_DIRECT_MX
2193 ##{ HOSTED_IMG_DQ_UNSUB
2195 meta HOSTED_IMG_DQ_UNSUB __HOSTED_IMG_DQ_UNSUB
2196 #score HOSTED_IMG_DQ_UNSUB 3.500 # limit
2197 describe HOSTED_IMG_DQ_UNSUB Image hosted at large ecomm site, IP addr unsub link
2198 tflags HOSTED_IMG_DQ_UNSUB publish
2199 ##} HOSTED_IMG_DQ_UNSUB
2201 ##{ HOSTED_IMG_FREEM
2203 meta HOSTED_IMG_FREEM __HOSTED_IMG_FREEM && !__THREADED
2204 #score HOSTED_IMG_FREEM 3.500 # limit
2205 describe HOSTED_IMG_FREEM Image hosted at large ecomm, CDN or hosting site or redirected, freemail from or reply-to
2206 tflags HOSTED_IMG_FREEM publish
2207 ##} HOSTED_IMG_FREEM
2209 ##{ HOSTED_IMG_MULTI
2211 meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS
2212 #score HOSTED_IMG_MULTI 3.000 # limit
2213 describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirected
2214 tflags HOSTED_IMG_MULTI publish
2215 ##} HOSTED_IMG_MULTI
2217 ##{ HOSTED_IMG_MULTI_PUB_01
2219 meta HOSTED_IMG_MULTI_PUB_01 (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF && !__HAS_IN_REPLY_TO
2220 describe HOSTED_IMG_MULTI_PUB_01 Multiple hosted images at public site
2221 #score HOSTED_IMG_MULTI_PUB_01 3.000 # limit
2222 tflags HOSTED_IMG_MULTI_PUB_01 publish
2223 ##} HOSTED_IMG_MULTI_PUB_01
2225 ##{ HTML_ENTITY_ASCII
2227 meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP
2228 describe HTML_ENTITY_ASCII Obfuscated ASCII
2229 #score HTML_ENTITY_ASCII 3.000 # limit
2230 tflags HTML_ENTITY_ASCII publish
2231 ##} HTML_ENTITY_ASCII
2233 ##{ HTML_ENTITY_ASCII_TINY
2235 meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_TINY && !__HAS_IN_REPLY_TO
2236 describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts
2237 #score HTML_ENTITY_ASCII_TINY 3.000 # limit
2238 tflags HTML_ENTITY_ASCII_TINY publish
2239 ##} HTML_ENTITY_ASCII_TINY
2241 ##{ HTML_FONT_TINY_NORDNS
2243 meta HTML_FONT_TINY_NORDNS __HTML_FONT_TINY_NORDNS && !__HAS_CID
2244 describe HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
2245 #score HTML_FONT_TINY_NORDNS 2.000 # limit
2246 ##} HTML_FONT_TINY_NORDNS
2250 meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS
2251 describe HTML_OFF_PAGE HTML element rendered well off the displayed page
2252 #score HTML_OFF_PAGE 3.000 # limit
2253 tflags HTML_OFF_PAGE publish
2256 ##{ HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2258 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2259 meta HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU_MANY
2260 describe HTML_SHRT_CMNT_OBFU_MANY Obfuscation with many short HTML comments
2261 # score HTML_SHRT_CMNT_OBFU_MANY 2.500 # limit
2262 tflags HTML_SHRT_CMNT_OBFU_MANY publish
2264 ##} HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2266 ##{ HTML_SINGLET_MANY
2268 meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP
2269 describe HTML_SINGLET_MANY Many single-letter HTML format blocks
2270 #score HTML_SINGLET_MANY 2.500 # limit
2271 tflags HTML_SINGLET_MANY publish
2272 ##} HTML_SINGLET_MANY
2274 ##{ HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval
2276 ifplugin Mail::SpamAssassin::Plugin::HTMLEval
2277 meta HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY
2278 describe HTML_TAG_BALANCE_CENTER Malformatted HTML
2280 ##} HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval
2282 ##{ HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2284 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2285 meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID
2286 describe HTML_TEXT_INVISIBLE_FONT HTML hidden text - word obfuscation?
2287 # score HTML_TEXT_INVISIBLE_FONT 2.000 # limit
2288 tflags HTML_TEXT_INVISIBLE_FONT publish
2290 ##} HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2292 ##{ HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2294 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2295 meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX
2296 describe HTML_TEXT_INVISIBLE_STYLE HTML hidden text + other spam signs
2297 # score HTML_TEXT_INVISIBLE_STYLE 3.500 # limit
2298 tflags HTML_TEXT_INVISIBLE_STYLE publish
2300 ##} HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2302 ##{ HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
2304 ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
2305 body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10')
2307 ##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
2309 ##{ IMG_ONLY_FM_DOM_INFO
2311 meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO
2312 describe IMG_ONLY_FM_DOM_INFO HTML image-only message from .info domain
2313 #score IMG_ONLY_FM_DOM_INFO 2.500 # limit
2314 tflags IMG_ONLY_FM_DOM_INFO publish
2315 ##} IMG_ONLY_FM_DOM_INFO
2317 ##{ JH_SPAMMY_HEADERS
2319 meta JH_SPAMMY_HEADERS __HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGID || __HAS_X_LETTER || __HAS_X_EBSERVER || __HAS_LIST_OPEN
2320 describe JH_SPAMMY_HEADERS Has unusual message header(s) seen primarily in spam
2321 #score JH_SPAMMY_HEADERS 3.500 # limit
2322 tflags JH_SPAMMY_HEADERS publish
2323 ##} JH_SPAMMY_HEADERS
2325 ##{ JH_SPAMMY_PATTERN01
2327 rawbody JH_SPAMMY_PATTERN01 m;<img src=['"](https?://[^'"]{1,80}/)C([^/.]{1,30}\.jpg)['"]>.{0,200}<img src="\1U\2";ism
2328 describe JH_SPAMMY_PATTERN01 Unusual pattern seen in spam campaign
2329 #score JH_SPAMMY_PATTERN01 3.000 # limit
2330 tflags JH_SPAMMY_PATTERN01 publish
2331 ##} JH_SPAMMY_PATTERN01
2333 ##{ JH_SPAMMY_PATTERN02
2335 rawbody JH_SPAMMY_PATTERN02 m;<img [^>]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200}<a href="\1t=c\2".{0,200}<a href="\1t=u\2";ism
2336 describe JH_SPAMMY_PATTERN02 Unusual pattern seen in spam campaign
2337 #score JH_SPAMMY_PATTERN02 3.000 # limit
2338 tflags JH_SPAMMY_PATTERN02 publish
2339 ##} JH_SPAMMY_PATTERN02
2343 uri JM_I_FEEL_LUCKY /(?:\&|\?)btnI=ec(?:$|\&)/
2344 tflags JM_I_FEEL_LUCKY publish # low hitrate, but always a good sign
2349 header JM_RCVD_QMAILV1 Received =~ /by \S+ \(Qmailv1\) with ESMTP/
2354 meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
2357 ##{ KB_DATE_CONTAINS_TAB
2359 meta KB_DATE_CONTAINS_TAB __KB_DATE_CONTAINS_TAB && !__ML_TURNS_SP_TO_TAB
2360 #score KB_DATE_CONTAINS_TAB 0.5
2361 ##} KB_DATE_CONTAINS_TAB
2363 ##{ KB_FAKED_THE_BAT
2365 meta KB_FAKED_THE_BAT (__THEBAT_MUA && KB_DATE_CONTAINS_TAB)
2366 ##} KB_FAKED_THE_BAT
2368 ##{ KB_RATWARE_BOUNDARY
2370 meta KB_RATWARE_BOUNDARY __RATWARE_BOUND_A || __RATWARE_BOUND_B
2371 ##} KB_RATWARE_BOUNDARY
2373 ##{ KB_RATWARE_MSGID
2375 meta KB_RATWARE_MSGID (__KB_MSGID_OUTLOOK_888 && __ANY_OUTLOOK_MUA)
2376 ##} KB_RATWARE_MSGID
2378 ##{ KB_RATWARE_OUTLOOK_08
2380 header KB_RATWARE_OUTLOOK_08 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi # "
2381 ##} KB_RATWARE_OUTLOOK_08
2383 ##{ KB_RATWARE_OUTLOOK_12
2385 header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # "
2386 ##} KB_RATWARE_OUTLOOK_12
2388 ##{ KB_RATWARE_OUTLOOK_16
2390 header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # "
2391 ##} KB_RATWARE_OUTLOOK_16
2393 ##{ KB_RATWARE_OUTLOOK_MID
2395 header KB_RATWARE_OUTLOOK_MID ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi
2396 ##} KB_RATWARE_OUTLOOK_MID
2400 meta KHOP_FAKE_EBAY __EBAY_ADDRESS && !__NOT_SPOOFED
2401 describe KHOP_FAKE_EBAY Sender falsely claims to be from eBay
2404 ##{ KHOP_HELO_FCRDNS
2406 meta KHOP_HELO_FCRDNS __HELO_NOT_RDNS && !(__VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || __NOT_SPOOFED || __RDNS_SHORT)
2407 describe KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
2408 #score KHOP_HELO_FCRDNS 0.4 # 20090603
2409 ##} KHOP_HELO_FCRDNS
2411 ##{ LINKEDIN_IMG_NOT_RCVD_LNKN
2413 meta LINKEDIN_IMG_NOT_RCVD_LNKN __LINKED_IMG_NOT_RCVD_LINK && !__LUNSUB_BEFORE_SUBJDT
2414 #score LINKEDIN_IMG_NOT_RCVD_LNKN 2.500 # limit
2415 describe LINKEDIN_IMG_NOT_RCVD_LNKN Linkedin hosted image but message not from Linkedin
2416 tflags LINKEDIN_IMG_NOT_RCVD_LNKN publish
2417 ##} LINKEDIN_IMG_NOT_RCVD_LNKN
2419 ##{ LIST_PRTL_PUMPDUMP
2421 meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS
2422 describe LIST_PRTL_PUMPDUMP Incomplete List-* headers and stock pump-and-dump
2423 #score LIST_PRTL_PUMPDUMP 2.000 # limit
2424 tflags LIST_PRTL_PUMPDUMP publish
2425 ##} LIST_PRTL_PUMPDUMP
2427 ##{ LIST_PRTL_SAME_USER
2429 meta LIST_PRTL_SAME_USER __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO
2430 describe LIST_PRTL_SAME_USER Incomplete List-* headers and from+to user the same
2431 #score LIST_PRTL_SAME_USER 3.000 # limit
2432 tflags LIST_PRTL_SAME_USER publish
2433 ##} LIST_PRTL_SAME_USER
2437 uri LIVEFILESTORE m~livefilestore.com/~
2442 meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024
2443 describe LONG_HEX_URI Very long purely hexadecimal URI
2444 #score LONG_HEX_URI 3.000 # limit
2445 tflags LONG_HEX_URI publish
2450 meta LONG_IMG_URI __45_ALNUM_IMG && !ALL_TRUSTED && !__HAS_ERRORS_TO
2451 describe LONG_IMG_URI Image URI with very long path component - web bug?
2452 #score LONG_IMG_URI 3.000 # limit
2453 tflags LONG_IMG_URI publish
2456 ##{ LONG_INVISIBLE_TEXT
2458 describe LONG_INVISIBLE_TEXT Long block of hidden text - bayes poison?
2459 #score LONG_INVISIBLE_TEXT 3.000 # limit
2460 tflags LONG_INVISIBLE_TEXT publish
2461 ##} LONG_INVISIBLE_TEXT
2463 ##{ LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
2465 if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
2466 meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV
2468 ##} LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
2470 ##{ LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2472 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2473 meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV || (__LONG_STY_INVIS && !__UNSUB_LINK && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__RCD_RDNS_MTA && !__RCD_RDNS_MTA_MESSY && !__MIME_QP && !__HAS_X_MAILER && !__REPTO_QUOTE && !__USING_VERP1 )
2475 ##} LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2479 body LONG_TERM_PRICE /long\W+term\W+(target|projected)(\W+price)?/i
2484 body LOOPHOLE_1 /loop-?hole in the banking/i
2485 describe LOOPHOLE_1 A loop hole in the banking laws?
2488 ##{ LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
2490 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
2491 meta LOTS_OF_MONEY 0
2493 ##} LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
2495 ##{ LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2497 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2498 meta LOTS_OF_MONEY (__LOTSA_MONEY_00 || __LOTSA_MONEY_01 || __LOTSA_MONEY_02 || __LOTSA_MONEY_03 || __LOTSA_MONEY_04 || __LOTSA_MONEY_05) && !__TRAVEL_ITINERARY
2499 describe LOTS_OF_MONEY Huge... sums of money
2500 # score LOTS_OF_MONEY 0.01
2501 tflags LOTS_OF_MONEY publish
2503 ##} LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2507 meta LOTTERY_1 (__DBLCLAIM && __CASHPRZ)
2510 ##{ LOTTERY_PH_004470
2512 meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY)
2513 ##} LOTTERY_PH_004470
2517 meta LOTTO_AGENT __LOTTO_AGENT && !__HAS_IN_REPLY_TO && !__THREADED && !__TO_YOUR_ORG && !__DKIM_EXISTS && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT && !__HAS_ERRORS_TO && !__RP_MATCHES_RCVD
2518 describe LOTTO_AGENT Claims Agent
2519 #score LOTTO_AGENT 1.50 # limit
2524 meta LUCRATIVE ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED
2525 describe LUCRATIVE Make lots of money!
2526 #score LUCRATIVE 2.00 # limit
2527 tflags LUCRATIVE publish
2532 header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/
2535 ##{ MALFORMED_FREEMAIL
2537 meta MALFORMED_FREEMAIL (MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM
2538 describe MALFORMED_FREEMAIL Bad headers on message from free email service
2539 ##} MALFORMED_FREEMAIL
2543 meta MALF_HTML_B64 MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG
2544 describe MALF_HTML_B64 Malformatted base64-encoded HTML content
2545 #score MALF_HTML_B64 3.500 # limit
2546 tflags MALF_HTML_B64 publish
2551 meta MALWARE_NORDNS __MALWARE_NORDNS && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01
2552 describe MALWARE_NORDNS Malware bragging + no rDNS
2553 #score MALWARE_NORDNS 3.500 # limit
2554 tflags MALWARE_NORDNS publish
2557 ##{ MALWARE_PASSWORD
2559 meta MALWARE_PASSWORD __MALWARE_PASSWORD && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01
2560 describe MALWARE_PASSWORD Malware bragging + "password"
2561 #score MALWARE_PASSWORD 3.500 # limit
2562 tflags MALWARE_PASSWORD publish
2563 ##} MALWARE_PASSWORD
2565 ##{ MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2567 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2568 meta MALW_ATTACH __MALW_ATTACH && !__HAS_THREAD_INDEX
2569 describe MALW_ATTACH Attachment filename suspicious, probable malware exploit
2570 tflags MALW_ATTACH publish
2572 ##} MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2574 ##{ MANY_SPAN_IN_TEXT
2576 meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML
2577 describe MANY_SPAN_IN_TEXT Many <SPAN> tags embedded within text
2578 tflags MANY_SPAN_IN_TEXT publish
2579 ##} MANY_SPAN_IN_TEXT
2583 meta MAY_BE_FORGED __MAY_BE_FORGED && !__NOT_SPOOFED && !__VIA_ML
2584 describe MAY_BE_FORGED Relay IP's reverse DNS does not resolve to IP
2589 header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
2594 body MILLION_HUNDRED /Million\s+\S+\s+Hundred/i
2595 describe MILLION_HUNDRED Million "One to Nine" Hundred
2596 tflags MILLION_HUNDRED publish
2601 body MILLION_USD /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i
2602 describe MILLION_USD Talks about millions of dollars
2603 #score MILLION_USD 2
2606 ##{ MIMEOLE_DIRECT_TO_MX
2608 meta MIMEOLE_DIRECT_TO_MX __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS
2609 describe MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX
2610 #score MIMEOLE_DIRECT_TO_MX 2.000 # limit
2611 tflags MIMEOLE_DIRECT_TO_MX publish
2612 ##} MIMEOLE_DIRECT_TO_MX
2614 ##{ MIME_BOUND_EQ_REL
2616 header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s
2617 ##} MIME_BOUND_EQ_REL
2619 ##{ MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2621 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2622 meta MIME_NO_TEXT __MIME_NO_TEXT && !__BOUNCE_CTYPE && !__CT_ENCRYPTED && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__USER_AGENT_APPLEMAIL && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__HS_SUBJ_RE_FW && !__PDF_ATTACH && !__LCL__KAM_BODY_LENGTH_LT_128
2623 # score MIME_NO_TEXT 2.00 # limit
2624 describe MIME_NO_TEXT No (properly identified) text body parts
2625 tflags MIME_NO_TEXT publish
2627 ##} MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2629 ##{ MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2631 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2632 meta MIME_PHP_NO_TEXT (MIME_NO_TEXT && __PHP_MUA)
2633 describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP
2635 ##} MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2639 meta MIXED_AREA_CASE __MIXED_AREA_CASE
2640 describe MIXED_AREA_CASE Has area tag in mixed case
2641 #score MIXED_AREA_CASE 2.500 # limit
2642 tflags MIXED_AREA_CASE publish
2645 ##{ MIXED_CENTER_CASE
2647 meta MIXED_CENTER_CASE __MIXED_CENTER_CASE
2648 describe MIXED_CENTER_CASE Has center tag in mixed case
2649 #score MIXED_CENTER_CASE 2.500 # limit
2650 tflags MIXED_CENTER_CASE publish
2651 ##} MIXED_CENTER_CASE
2653 ##{ MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2655 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2656 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2657 meta MIXED_ES ( ! HTML_IMAGE_ONLY_16 ) && ( __LOWER_E > 20 ) && ( __E_LIKE_LETTER > ( (__LOWER_E * 14 ) / 10) ) && ( __E_LIKE_LETTER < ( 10 * __LOWER_E ) )
2658 describe MIXED_ES Too many es are not es
2659 tflags MIXED_ES publish
2660 # lang pl score MIXED_ES 0.01
2661 # lang cz score MIXED_ES 0.01
2662 # lang sk score MIXED_ES 0.01
2663 # lang hr score MIXED_ES 0.01
2664 # lang el score MIXED_ES 0.01
2667 ##} MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2671 meta MIXED_FONT_CASE __MIXED_FONT_CASE
2672 describe MIXED_FONT_CASE Has font tag in mixed case
2673 #score MIXED_FONT_CASE 2.500 # limit
2674 tflags MIXED_FONT_CASE publish
2679 meta MIXED_HREF_CASE __MIXED_HREF_CASE_JH
2680 describe MIXED_HREF_CASE Has href in mixed case
2681 #score MIXED_HREF_CASE 2.000 # limit
2682 tflags MIXED_HREF_CASE publish
2687 meta MIXED_IMG_CASE __MIXED_IMG_CASE_JH && !__MSGID_JAVAMAIL
2688 describe MIXED_IMG_CASE Has img tag in mixed case
2689 #score MIXED_IMG_CASE 3.000 # limit
2690 tflags MIXED_IMG_CASE publish
2695 meta MONERO_DEADLINE __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01
2696 describe MONERO_DEADLINE Monero cryptocurrency with a deadline
2697 #score MONERO_DEADLINE 3.000 # limit
2698 tflags MONERO_DEADLINE publish
2701 ##{ MONERO_EXTORT_01
2703 meta MONERO_EXTORT_01 __MONERO && __EXTORT_MANY
2704 describe MONERO_EXTORT_01 Extortion spam, pay via Monero cryptocurrency
2705 #score MONERO_EXTORT_01 5.000 # limit
2706 tflags MONERO_EXTORT_01 publish
2707 ##} MONERO_EXTORT_01
2711 meta MONERO_MALWARE __MONERO && __MY_MALWARE && !MONERO_EXTORT_01
2712 describe MONERO_MALWARE Monero cryptocurrency + malware bragging
2713 #score MONERO_MALWARE 3.500 # limit
2714 tflags MONERO_MALWARE publish
2719 meta MONERO_PAY_ME __MONERO && __PAY_ME && !MONERO_EXTORT_01
2720 describe MONERO_PAY_ME Pay me via Monero cryptocurrency
2721 #score MONERO_PAY_ME 3.000 # limit
2722 tflags MONERO_PAY_ME publish
2727 meta MONEY_ATM_CARD __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE
2728 describe MONEY_ATM_CARD Lots of money on an ATM card
2733 meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP
2734 describe MONEY_FORM Lots of money if you fill out a form
2737 ##{ MONEY_FORM_SHORT
2739 meta MONEY_FORM_SHORT __MONEY_FORM_SHORT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__THREADED && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__THREAD_INDEX_GOOD
2740 describe MONEY_FORM_SHORT Lots of money if you fill out a short form
2741 #score MONEY_FORM_SHORT 2.500 # limit
2742 ##} MONEY_FORM_SHORT
2746 meta MONEY_FRAUD_3 (__MONEY_FRAUD_3 && !__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_3_NEW_MONEY) && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__IS_EXCH && !__VIA_ML && !__HAS_THREAD_INDEX && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__HTML_LINK_IMAGE && !__THREADED && !__DOS_BODY_THU && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
2747 describe MONEY_FRAUD_3 Lots of money and several fraud phrases
2748 tflags MONEY_FRAUD_3 publish
2753 meta MONEY_FRAUD_5 (__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_5_NEW_MONEY) && !__VIA_ML && !__HAS_THREAD_INDEX && !__COMMENT_EXISTS && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
2754 describe MONEY_FRAUD_5 Lots of money and many fraud phrases
2755 tflags MONEY_FRAUD_5 publish
2760 meta MONEY_FRAUD_8 __MONEY_FRAUD_8 && !__VIA_ML && !__HAS_THREAD_INDEX && !__BUGGED_IMG
2761 describe MONEY_FRAUD_8 Lots of money and very many fraud phrases
2762 tflags MONEY_FRAUD_8 publish
2765 ##{ MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
2767 ifplugin Mail::SpamAssassin::Plugin::FreeMail
2768 meta MONEY_FREEMAIL_REPTO __MONEY_FREEMAIL_REPTO && !__HAS_CAMPAIGNID
2769 describe MONEY_FREEMAIL_REPTO Lots of money from someone using free email?
2770 # score MONEY_FREEMAIL_REPTO 3.000 # limit
2771 tflags MONEY_FREEMAIL_REPTO publish
2773 ##} MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
2777 meta MONEY_FROM_41 __MONEY_FROM_41
2778 describe MONEY_FROM_41 Lots of money from Africa
2779 #score MONEY_FROM_41 2.00 # limit
2782 ##{ MONEY_FROM_MISSP
2784 meta MONEY_FROM_MISSP LOTS_OF_MONEY && __FROM_MISSPACED && !__MIME_QP
2785 describe MONEY_FROM_MISSP Lots of money and misspaced From
2786 #score MONEY_FROM_MISSP 2.000 # limit
2787 ##} MONEY_FROM_MISSP
2789 ##{ MSGID_DOLLARS_URI_IMG
2791 meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW
2792 describe MSGID_DOLLARS_URI_IMG Suspicious Message-ID and image
2793 #score MSGID_DOLLARS_URI_IMG 3.000 # limit
2794 tflags MSGID_DOLLARS_URI_IMG publish
2795 ##} MSGID_DOLLARS_URI_IMG
2799 meta MSGID_HDR_MALF __HAS_MESSAGEID
2800 describe MSGID_HDR_MALF Has invalid message ID header
2801 #score MSGID_HDR_MALF 3.500 # limit
2802 tflags MSGID_HDR_MALF publish
2805 ##{ MSGID_MULTIPLE_AT
2807 header MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/
2808 describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters
2809 #score MSGID_MULTIPLE_AT 0.001
2810 ##} MSGID_MULTIPLE_AT
2812 ##{ MSMAIL_PRI_ABNORMAL
2814 meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER && !__HAS_UA && !__MSMAIL_PRI_HIGH
2815 describe MSMAIL_PRI_ABNORMAL Email priority often abused
2816 #score MSMAIL_PRI_ABNORMAL 1.500 # limit
2817 ##} MSMAIL_PRI_ABNORMAL
2821 meta MSM_PRIO_REPTO __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH
2822 describe MSM_PRIO_REPTO MSMail priority header + Reply-to + short subject
2823 #score MSM_PRIO_REPTO 2.500 # limit
2824 tflags MSM_PRIO_REPTO publish
2827 ##{ MSOE_MID_WRONG_CASE
2829 meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)
2830 ##} MSOE_MID_WRONG_CASE
2834 meta NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL
2835 describe NAME_EMAIL_DIFF Sender NAME is an unrelated email address
2840 body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i
2841 describe NA_DOLLARS Talks about a million North American dollars
2842 #score NA_DOLLARS 1.5
2845 ##{ NEWEGG_IMG_NOT_RCVD_NEGG
2847 meta NEWEGG_IMG_NOT_RCVD_NEGG __NEWEGG_IMG_NOT_RCVD_NEGG
2848 #score NEWEGG_IMG_NOT_RCVD_NEGG 2.500 # limit
2849 describe NEWEGG_IMG_NOT_RCVD_NEGG Newegg hosted image but message not from Newegg
2850 tflags NEWEGG_IMG_NOT_RCVD_NEGG publish
2851 ##} NEWEGG_IMG_NOT_RCVD_NEGG
2855 meta NEW_PRODUCTS __NEW_PRODUCTS && !__STY_INVIS_MANY
2856 #score NEW_PRODUCTS 1.250 # limit
2857 tflags NEW_PRODUCTS publish
2862 meta NICE_REPLY_A (__SUBJ_RE && !__MISSING_REPLY && !__MISSING_REF && __BOTH_INR_AND_REF)
2863 describe NICE_REPLY_A Looks like a legit reply (A)
2864 tflags NICE_REPLY_A nice
2869 body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i
2870 describe NOT_SPAM I'm not spam! Really! I'm not, I'm not, I'm not!
2871 tflags NOT_SPAM publish
2874 ##{ NO_FM_NAME_IP_HOSTN
2876 meta NO_FM_NAME_IP_HOSTN (__KHOP_NO_FULL_NAME && __IP_IN_RELAY) && !__DOS_RELAYED_EXT
2877 describe NO_FM_NAME_IP_HOSTN No From name + hostname using IP address
2878 #score NO_FM_NAME_IP_HOSTN 2.500 # limit
2879 tflags NO_FM_NAME_IP_HOSTN publish
2880 ##} NO_FM_NAME_IP_HOSTN
2882 ##{ NSL_RCVD_FROM_USER
2884 header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
2885 describe NSL_RCVD_FROM_USER Received from User
2886 ##} NSL_RCVD_FROM_USER
2888 ##{ NSL_RCVD_HELO_USER
2890 header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
2891 describe NSL_RCVD_HELO_USER Received from HELO User
2892 ##} NSL_RCVD_HELO_USER
2896 full NULL_IN_BODY /\x00/
2897 describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message
2900 ##{ NUMBERONLY_BITCOIN_EXP
2902 meta NUMBERONLY_BITCOIN_EXP __NUMBERONLY_TLD && __BITCOIN_ID && __NAKED_TO
2903 describe NUMBERONLY_BITCOIN_EXP Domain ends in a large number and very short body with link
2904 #score NUMBERONLY_BITCOIN_EXP 2.0 # limit
2905 ##} NUMBERONLY_BITCOIN_EXP
2909 meta OBFU_BITCOIN __OBFU_BITCOIN
2910 describe OBFU_BITCOIN Obfuscated BitCoin references
2911 #score OBFU_BITCOIN 3.000 # limit
2912 tflags OBFU_BITCOIN publish
2917 rawbody OBFU_JVSCR_ESC /document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i
2918 describe OBFU_JVSCR_ESC Injects content using obfuscated javascript
2919 tflags OBFU_JVSCR_ESC publish
2922 ##{ OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2924 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2925 mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i
2926 describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type
2927 tflags OBFU_TEXT_ATTACH publish
2929 ##} OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2933 meta OBFU_UNSUB_UL __OBFU_UNSUB_UL && !MAILING_LIST_MULTI
2934 describe OBFU_UNSUB_UL Obfuscated unsubscribe text
2935 tflags OBFU_UNSUB_UL publish
2938 ##{ ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
2940 ifplugin Mail::SpamAssassin::Plugin::FreeMail
2941 meta ODD_FREEM_REPTO __freemail_mailreplyto
2942 describe ODD_FREEM_REPTO Has unusual reply-to header
2943 # score ODD_FREEM_REPTO 3.000 # limit
2944 tflags ODD_FREEM_REPTO publish
2946 ##} ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
2948 ##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2950 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2951 meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F)
2952 describe PART_CID_STOCK Has a spammy image attachment (by Content-ID)
2954 ##} PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2956 ##{ PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2958 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2959 meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS)
2960 describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific)
2962 ##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2964 ##{ PDS_BAD_THREAD_QP_64
2966 meta PDS_BAD_THREAD_QP_64 __PDS_QP_64 && __HAS_THREAD_INDEX && !__THREAD_INDEX_GOOD
2967 describe PDS_BAD_THREAD_QP_64 Bad thread header - short QP
2968 #score PDS_BAD_THREAD_QP_64 1.0
2969 ##} PDS_BAD_THREAD_QP_64
2973 meta PDS_BTC_ID __PDS_BTC_ID
2974 describe PDS_BTC_ID FP reduced Bitcoin ID
2975 #score PDS_BTC_ID 0.5
2980 meta PDS_BTC_MSGID __PDS_BTC_ID && __MSGID_NOFQDN2
2981 describe PDS_BTC_MSGID Bitcoin ID with T_MSGID_NOFQDN2
2982 #score PDS_BTC_MSGID 1.0
2985 ##{ PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
2987 if (version >= 3.004002)
2988 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
2989 meta PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD )
2990 describe PDS_BTC_NTLD Bitcoin suspect NTLD
2991 #score PDS_BTC_NTLD 2.0 # limit
2994 ##} PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
2996 ##{ PDS_DBL_URL_TNB_RUNON
2998 meta PDS_DBL_URL_TNB_RUNON __TO_NO_BRKTS_FROM_RUNON && __PDS_DOUBLE_URL
2999 describe PDS_DBL_URL_TNB_RUNON Double-url and To no arrows, from runon
3000 #score PDS_DBL_URL_TNB_RUNON 2.0
3001 ##} PDS_DBL_URL_TNB_RUNON
3003 ##{ PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
3005 if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
3006 meta PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__MSGID_JAVAMAIL && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__DKIM_EXISTS
3007 describe PDS_FROM_2_EMAILS From header has multiple different addresses
3008 # score PDS_FROM_2_EMAILS 3.500 # limit
3010 ##} PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
3012 ##{ PDS_HELO_SPF_FAIL
3014 meta PDS_HELO_SPF_FAIL SPF_HELO_FAIL && __HELO_HIGHPROFILE
3015 describe PDS_HELO_SPF_FAIL High profile HELO that fails SPF
3016 #score PDS_HELO_SPF_FAIL 2.0
3017 tflags PDS_HELO_SPF_FAIL net
3018 ##} PDS_HELO_SPF_FAIL
3020 ##{ PDS_NAKED_TO_NUMERO
3022 meta PDS_NAKED_TO_NUMERO __NAKED_TO && __NUMBERONLY_TLD
3023 describe PDS_NAKED_TO_NUMERO Naked-to, numberonly domain
3024 #score PDS_NAKED_TO_NUMERO 2.0
3025 ##} PDS_NAKED_TO_NUMERO
3027 ##{ PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3029 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3030 if (version >= 3.004000)
3031 meta PDS_NO_FULL_NAME_SPOOFED_URL __PDS_MSG_1024 && __KHOP_NO_FULL_NAME && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER)
3032 describe PDS_NO_FULL_NAME_SPOOFED_URL HTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME
3033 #score PDS_NO_FULL_NAME_SPOOFED_URL 0.75 # limit
3036 ##} PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3038 ##{ PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3040 if (version >= 3.004002)
3041 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3042 header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD')
3043 #score PDS_OTHER_BAD_TLD 2.0
3044 describe PDS_OTHER_BAD_TLD Untrustworthy TLDs
3047 ##} PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3049 ##{ PDS_RDNS_DYNAMIC_FP
3051 meta PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC && !__PDS_RDNS_MTA
3052 #score PDS_RDNS_DYNAMIC_FP 0.01
3053 describe PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC with FP steps
3054 ##} PDS_RDNS_DYNAMIC_FP
3056 ##{ PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3058 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3059 if (version >= 3.004000)
3060 meta PDS_SHORT_SPOOFED_URL __PDS_MSG_1024 && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER)
3061 describe PDS_SHORT_SPOOFED_URL HTML message short and T_SPOOFED_URL (S_U_FP)
3062 #score PDS_SHORT_SPOOFED_URL 2.0
3065 ##} PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3067 ##{ PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3069 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3070 if (version >= 3.004000)
3071 meta PDS_TINYSUBJ_URISHRT __URL_SHORTENER && __SUBJ_SHORT && __PDS_MSG_1024
3072 describe PDS_TINYSUBJ_URISHRT Short subject with URL shortener
3073 #score PDS_TINYSUBJ_URISHRT 1.5 # limit
3076 ##} PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3078 ##{ PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
3080 meta PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE FREEMAIL_FORGED_REPLYTO && __PDS_TONAME_EQ_TOLOCAL
3081 describe PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE Forged replyto and __PDS_TONAME_EQ_TOLOCAL
3082 #score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 2.0 # limit
3083 ##} PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
3085 ##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3087 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3088 meta PHISH_ATTACH (__PHISH_ATTACH_01_01 || __PHISH_ATTACH_01_02) && !__HAS_SENDER
3089 describe PHISH_ATTACH Attachment filename suspicious, probable phishing
3090 tflags PHISH_ATTACH publish
3092 ##} PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3094 ##{ PHISH_AZURE_CLOUDAPP
3096 uri PHISH_AZURE_CLOUDAPP m;^https?://(?=[^/]+\.cloudapp\.azure\.com)(?:(?:b(?:illetedecalle\.northeurope|urofaxnotificado\.eastus)|comprobante(?:digital\.southcentralus|fiscale\.eastus)|infracciondeestacionamiento(?:\.eastus|s\.ukwest)|multa(?:detrafico\.eastus|prev\.eastus|s\.(?:eastus|southcentralus))|notificadosburofax\.eastus|penadetransitomulta\.eastus))\.cloudapp\.azure\.com/;i
3097 describe PHISH_AZURE_CLOUDAPP Link to known phishing web application
3098 #score PHISH_AZURE_CLOUDAPP 3.500
3099 tflags PHISH_AZURE_CLOUDAPP publish
3100 ##} PHISH_AZURE_CLOUDAPP
3104 meta PHISH_FBASEAPP __PHISH_FBASE_01
3105 describe PHISH_FBASEAPP Probable phishing via hosted web app
3106 #score PHISH_FBASEAPP 3.000 # limit
3107 tflags PHISH_FBASEAPP publish
3112 describe PHP_NOVER_MUA Mail from PHP with no version number
3113 #score PHP_NOVER_MUA 3.000 # limit
3114 tflags PHP_NOVER_MUA publish
3117 ##{ PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)
3119 if !plugin(Mail::SpamAssassin::Plugin::DKIM)
3120 meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
3122 ##} PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)
3124 ##{ PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM
3126 ifplugin Mail::SpamAssassin::Plugin::DKIM
3127 meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
3129 ##} PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM
3133 meta PHP_ORIG_SCRIPT __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO && !__MSGID_BEFORE_RECEIVED && !MSGID_FROM_MTA_HEADER
3134 describe PHP_ORIG_SCRIPT Sent by bot & other signs
3135 #score PHP_ORIG_SCRIPT 2.500 # limit
3136 tflags PHP_ORIG_SCRIPT publish
3141 meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT
3142 describe PHP_SCRIPT Sent by PHP script
3143 #score PHP_SCRIPT 2.500 # limit
3144 tflags PHP_SCRIPT publish
3149 meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA
3150 describe PHP_SCRIPT_MUA Sent by PHP script, no version number
3151 #score PHP_SCRIPT_MUA 2.000 # limit
3152 tflags PHP_SCRIPT_MUA publish
3155 ##{ POSSIBLE_APPLE_PHISH_02
3157 meta POSSIBLE_APPLE_PHISH_02 (__FROM_NAME_APPLECOM && !__HDR_RCVD_APPLE)
3158 describe POSSIBLE_APPLE_PHISH_02 Claims to be from apple but not processed by any apple MTA
3159 tflags POSSIBLE_APPLE_PHISH_02 publish
3160 ##} POSSIBLE_APPLE_PHISH_02
3162 ##{ POSSIBLE_EBAY_PHISH_02
3164 meta POSSIBLE_EBAY_PHISH_02 (__FROM_NAME_EBAYCOM && !__HDR_RCVD_EBAY)
3165 describe POSSIBLE_EBAY_PHISH_02 Claims to be from ebay but not processed by any ebay MTA
3166 tflags POSSIBLE_EBAY_PHISH_02 publish
3167 ##} POSSIBLE_EBAY_PHISH_02
3169 ##{ POSSIBLE_PAYPAL_PHISH_01
3171 meta POSSIBLE_PAYPAL_PHISH_01 (__FROM_NAME_PAYPALCOM && __NAME_EMAIL_DIFF)
3172 describe POSSIBLE_PAYPAL_PHISH_01 Claims to be from paypal but has non-paypal from email address
3173 tflags POSSIBLE_PAYPAL_PHISH_01 publish
3174 ##} POSSIBLE_PAYPAL_PHISH_01
3176 ##{ POSSIBLE_PAYPAL_PHISH_02
3178 meta POSSIBLE_PAYPAL_PHISH_02 (__FROM_NAME_PAYPALCOM && !__HDR_RCVD_PAYPAL)
3179 describe POSSIBLE_PAYPAL_PHISH_02 Claims to be from paypal but not processed by any paypal MTA
3180 tflags POSSIBLE_PAYPAL_PHISH_02 publish
3181 ##} POSSIBLE_PAYPAL_PHISH_02
3183 ##{ PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
3185 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
3186 if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
3187 body PP_MIME_FAKE_ASCII_TEXT eval:check_for_ascii_text_illegal()
3188 describe PP_MIME_FAKE_ASCII_TEXT MIME text/plain claims to be ASCII but isn't
3189 # score PP_MIME_FAKE_ASCII_TEXT 1.0
3190 tflags PP_MIME_FAKE_ASCII_TEXT publish
3193 ##} PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
3195 ##{ PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3197 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
3198 if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3199 body PP_TOO_MUCH_UNICODE02 eval:check_abundant_unicode_ratio(0.02)
3200 describe PP_TOO_MUCH_UNICODE02 Is text/plain but has many unicode escapes
3201 # score PP_TOO_MUCH_UNICODE02 0.5
3202 tflags PP_TOO_MUCH_UNICODE02 publish
3205 ##} PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3207 ##{ PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3209 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
3210 if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3211 body PP_TOO_MUCH_UNICODE05 eval:check_abundant_unicode_ratio(0.05)
3212 describe PP_TOO_MUCH_UNICODE05 Is text/plain but has many unicode escapes
3213 # score PP_TOO_MUCH_UNICODE05 1.0
3214 tflags PP_TOO_MUCH_UNICODE05 publish
3217 ##} PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3221 meta PUMPDUMP (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI
3222 describe PUMPDUMP Pump-and-dump stock scam phrase
3223 #score PUMPDUMP 1.000 # limit
3224 tflags PUMPDUMP publish
3229 meta PUMPDUMP_MULTI (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
3230 describe PUMPDUMP_MULTI Pump-and-dump stock scam phrases
3231 #score PUMPDUMP_MULTI 3.500 # limit
3232 tflags PUMPDUMP_MULTI publish
3237 meta PUMPDUMP_TIP __PD_CNT_1 && __STOCK_TIP
3238 describe PUMPDUMP_TIP Pump-and-dump stock tip
3239 tflags PUMPDUMP_TIP publish
3242 ##{ RAND_HEADER_LIST_SPOOF
3244 meta RAND_HEADER_LIST_SPOOF __RAND_HEADER && __LIST_PARTIAL
3245 describe RAND_HEADER_LIST_SPOOF Random gibberish message header(s) + pretending to be a mailing list
3246 #score RAND_HEADER_LIST_SPOOF 3.000 # limit
3247 tflags RAND_HEADER_LIST_SPOOF publish
3248 ##} RAND_HEADER_LIST_SPOOF
3250 ##{ RAND_HEADER_MANY
3252 meta RAND_HEADER_MANY __RAND_HEADER_2
3253 describe RAND_HEADER_MANY Multiple random gibberish message headers
3254 #score RAND_HEADER_MANY 3.000 # limit
3255 tflags RAND_HEADER_MANY publish
3256 ##} RAND_HEADER_MANY
3258 ##{ RAND_MKTG_HEADER
3260 meta RAND_MKTG_HEADER __RAND_MKTG_HEADER && !__HAVE_BOUNCE_RELAYS && !__HAS_THREAD_INDEX && !__HAS_X_MAILING_LIST
3261 describe RAND_MKTG_HEADER Has partially-randomized marketing/tracking header(s)
3262 #score RAND_MKTG_HEADER 2.000 # limit
3263 tflags RAND_MKTG_HEADER publish
3264 ##} RAND_MKTG_HEADER
3268 meta RATWARE_NO_RDNS __RATWARE_BOUND_A && __RDNS_NONE && __MIME_HTML && __MISSING_REF
3269 describe RATWARE_NO_RDNS Suspicious MsgID and MIME boundary + no rDNS
3270 #score RATWARE_NO_RDNS 3.000 # limit
3275 header RCVD_BAD_ID Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*<=>?\@\[\]^\`{|}~]|;\S)/
3276 describe RCVD_BAD_ID Received header contains id field with bad characters
3281 header RCVD_DBL_DQ Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/
3282 describe RCVD_DBL_DQ Malformatted message header
3283 tflags RCVD_DBL_DQ publish
3286 ##{ RCVD_DOTEDU_SHORT
3288 meta RCVD_DOTEDU_SHORT __RCVD_DOTEDU_SHORT && !ALL_TRUSTED && !__FS_SUBJ_RE && !__HAS_LIST_ID
3289 describe RCVD_DOTEDU_SHORT Via .edu MTA + short message
3290 #score RCVD_DOTEDU_SHORT 1.500 # limit
3291 tflags RCVD_DOTEDU_SHORT publish
3292 ##} RCVD_DOTEDU_SHORT
3294 ##{ RCVD_DOTEDU_SUSP_URI
3296 meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI
3297 describe RCVD_DOTEDU_SUSP_URI Via .edu MTA + suspicious URI
3298 #score RCVD_DOTEDU_SUSP_URI 3.000 # limit
3299 tflags RCVD_DOTEDU_SUSP_URI publish
3300 ##} RCVD_DOTEDU_SUSP_URI
3302 ##{ RCVD_FORGED_WROTE
3304 header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/
3305 describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
3306 ##} RCVD_FORGED_WROTE
3308 ##{ RCVD_FORGED_WROTE2
3310 header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
3311 ##} RCVD_FORGED_WROTE2
3313 ##{ RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
3315 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3316 header RCVD_IN_IADB_DK eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.3')
3317 describe RCVD_IN_IADB_DK IADB: Sender publishes Domain Keys record
3318 tflags RCVD_IN_IADB_DK net nice
3320 ##} RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
3322 ##{ RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3324 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3325 header RCVD_IN_IADB_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.10')
3326 describe RCVD_IN_IADB_DOPTIN IADB: All mailing list mail is confirmed opt-in
3327 tflags RCVD_IN_IADB_DOPTIN net nice
3329 ##} RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3331 ##{ RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3333 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3334 header RCVD_IN_IADB_DOPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.9')
3335 describe RCVD_IN_IADB_DOPTIN_GT50 IADB: Confirmed opt-in used more than 50% of the time
3336 tflags RCVD_IN_IADB_DOPTIN_GT50 net nice
3338 ##} RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3340 ##{ RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3342 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3343 header RCVD_IN_IADB_DOPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.8')
3344 describe RCVD_IN_IADB_DOPTIN_LT50 IADB: Confirmed opt-in used less than 50% of the time
3345 tflags RCVD_IN_IADB_DOPTIN_LT50 net nice
3347 ##} RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3349 ##{ RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval
3351 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3352 header RCVD_IN_IADB_EDDB eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.1')
3353 describe RCVD_IN_IADB_EDDB IADB: Participates in Email Deliverability Database
3354 tflags RCVD_IN_IADB_EDDB net nice
3356 ##} RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval
3358 ##{ RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval
3360 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3361 header RCVD_IN_IADB_EPIA eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.2')
3362 describe RCVD_IN_IADB_EPIA IADB: Member of Email Processing Industry Alliance
3363 tflags RCVD_IN_IADB_EPIA net nice
3365 ##} RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval
3367 ##{ RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3369 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3370 header RCVD_IN_IADB_GOODMAIL eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.103')
3371 describe RCVD_IN_IADB_GOODMAIL IADB: Sender has been certified by GoodMail
3372 tflags RCVD_IN_IADB_GOODMAIL net nice
3374 ##} RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3376 ##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
3378 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3379 header RCVD_IN_IADB_LISTED eval:check_rbl_sub('iadb-firsttrusted', '^127\.0\.0\.[12]$')
3380 describe RCVD_IN_IADB_LISTED Participates in the IADB system
3381 tflags RCVD_IN_IADB_LISTED net nice
3383 ##} RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
3385 ##{ RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval
3387 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3388 header RCVD_IN_IADB_LOOSE eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.4')
3389 describe RCVD_IN_IADB_LOOSE IADB: Adds relationship addrs w/out opt-in
3390 tflags RCVD_IN_IADB_LOOSE net nice
3392 ##} RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval
3394 ##{ RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3396 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3397 header RCVD_IN_IADB_MI_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.1.10')
3398 describe RCVD_IN_IADB_MI_CPEAR IADB: Complies with Michigan's CPEAR law
3399 tflags RCVD_IN_IADB_MI_CPEAR net nice
3401 ##} RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3403 ##{ RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3405 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3406 header RCVD_IN_IADB_MI_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.101.10')
3407 describe RCVD_IN_IADB_MI_CPR_30 IADB: Checked lists against Michigan's CPR within 30 days
3408 tflags RCVD_IN_IADB_MI_CPR_30 net nice
3410 ##} RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3412 ##{ RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3414 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3415 header RCVD_IN_IADB_MI_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.201.10')
3416 describe RCVD_IN_IADB_MI_CPR_MAT IADB: Sends no material under Michigan's CPR
3417 tflags RCVD_IN_IADB_MI_CPR_MAT net nice
3419 ##} RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3421 ##{ RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3423 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3424 header RCVD_IN_IADB_ML_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.100')
3425 describe RCVD_IN_IADB_ML_DOPTIN IADB: Mailing list email only, confirmed opt-in
3426 tflags RCVD_IN_IADB_ML_DOPTIN net nice
3428 ##} RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3430 ##{ RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3432 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3433 header RCVD_IN_IADB_NOCONTROL eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.0')
3434 describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing controls in place
3435 tflags RCVD_IN_IADB_NOCONTROL net nice
3437 ##} RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3439 ##{ RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval
3441 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3442 header RCVD_IN_IADB_OOO eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.200')
3443 describe RCVD_IN_IADB_OOO IADB: One-to-one/transactional email only
3444 tflags RCVD_IN_IADB_OOO net nice
3446 ##} RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval
3448 ##{ RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3450 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3451 header RCVD_IN_IADB_OPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.7')
3452 describe RCVD_IN_IADB_OPTIN IADB: All mailing list mail is opt-in
3453 tflags RCVD_IN_IADB_OPTIN net nice
3455 ##} RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3457 ##{ RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3459 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3460 header RCVD_IN_IADB_OPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.6')
3461 describe RCVD_IN_IADB_OPTIN_GT50 IADB: Opt-in used more than 50% of the time
3462 tflags RCVD_IN_IADB_OPTIN_GT50 net nice
3464 ##} RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3466 ##{ RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3468 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3469 header RCVD_IN_IADB_OPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.5')
3470 describe RCVD_IN_IADB_OPTIN_LT50 IADB: Opt-in used less than 50% of the time
3471 tflags RCVD_IN_IADB_OPTIN_LT50 net nice
3473 ##} RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3475 ##{ RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval
3477 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3478 header RCVD_IN_IADB_OPTOUTONLY eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.1')
3479 describe RCVD_IN_IADB_OPTOUTONLY IADB: Scrapes addresses, pure opt-out only
3480 tflags RCVD_IN_IADB_OPTOUTONLY net nice
3482 ##} RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval
3484 ##{ RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval
3486 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3487 header RCVD_IN_IADB_RDNS eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.4')
3488 describe RCVD_IN_IADB_RDNS IADB: Sender has reverse DNS record
3489 tflags RCVD_IN_IADB_RDNS net nice
3491 ##} RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval
3493 ##{ RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval
3495 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3496 header RCVD_IN_IADB_SENDERID eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.2')
3497 describe RCVD_IN_IADB_SENDERID IADB: Sender publishes Sender ID record
3498 tflags RCVD_IN_IADB_SENDERID net nice
3500 ##} RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval
3502 ##{ RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval
3504 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3505 header RCVD_IN_IADB_SPF eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.1')
3506 describe RCVD_IN_IADB_SPF IADB: Sender publishes SPF record
3507 tflags RCVD_IN_IADB_SPF net nice
3509 ##} RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval
3511 ##{ RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3513 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3514 header RCVD_IN_IADB_UNVERIFIED_1 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.2')
3515 describe RCVD_IN_IADB_UNVERIFIED_1 IADB: Accepts unverified sign-ups
3516 tflags RCVD_IN_IADB_UNVERIFIED_1 net nice
3518 ##} RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3520 ##{ RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3522 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3523 header RCVD_IN_IADB_UNVERIFIED_2 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.3')
3524 describe RCVD_IN_IADB_UNVERIFIED_2 IADB: Accepts unverified sign-ups, gives chance to opt out
3525 tflags RCVD_IN_IADB_UNVERIFIED_2 net nice
3527 ##} RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3529 ##{ RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3531 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3532 header RCVD_IN_IADB_UT_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.2.10')
3533 describe RCVD_IN_IADB_UT_CPEAR IADB: Complies with Utah's CPEAR law
3534 tflags RCVD_IN_IADB_UT_CPEAR net nice
3536 ##} RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3538 ##{ RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3540 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3541 header RCVD_IN_IADB_UT_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.102.10')
3542 describe RCVD_IN_IADB_UT_CPR_30 IADB: Checked lists against Utah's CPR within 30 days
3543 tflags RCVD_IN_IADB_UT_CPR_30 net nice
3545 ##} RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3547 ##{ RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3549 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3550 header RCVD_IN_IADB_UT_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.202.10')
3551 describe RCVD_IN_IADB_UT_CPR_MAT IADB: Sends no material under Utah's CPR
3552 tflags RCVD_IN_IADB_UT_CPR_MAT net nice
3554 ##} RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3556 ##{ RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
3558 ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
3559 header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.')
3560 describe RCVD_IN_PSBL Received via a relay in PSBL
3561 tflags RCVD_IN_PSBL net
3563 ##} RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
3567 header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is
3568 describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com)
3573 header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
3574 describe RDNS_LOCALHOST Sender's public rDNS is "localhost"
3577 ##{ RDNS_NUM_TLD_ATCHNX
3579 meta RDNS_NUM_TLD_ATCHNX __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT
3580 describe RDNS_NUM_TLD_ATCHNX Relay rDNS has numeric TLD + suspicious attachment
3581 #score RDNS_NUM_TLD_ATCHNX 3.000 # limit
3582 tflags RDNS_NUM_TLD_ATCHNX publish
3583 ##} RDNS_NUM_TLD_ATCHNX
3587 meta RDNS_NUM_TLD_XM __RDNS_NUMERIC_TLD && (__HAS_XM_SID || __HAS_XM_LID || __HAS_XM_RECPTID || __HAS_XM_SENTBY)
3588 describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious headers
3589 #score RDNS_NUM_TLD_XM 3.000 # limit
3590 tflags RDNS_NUM_TLD_XM publish
3595 body READY_TO_SHIP /(?:(?:in our (?:stock|warehouse|store|storage facility)(?: today| now| right away)?[.,:]\s|our (?:\w+,? ){2,8}(?:is |now )+)Ready (?:to (?:be )?|for )+(?:ship|send|deliver)|ready (?:for shipping|to (?:ship|send)) (?:(?:in|from|by) our (?:warehouse|stock|stor(?:e|age))|(?:to|for)(?: global(?:ly)?| worldwide| customers){2})|(?:(?:our|this|a|great|fine|wonderful|cool|popular) new product|we have(?: \w+){1,6} available|ready) in (?:our )?(?:warehouse|stock|stor(?:e|age))|just arrived in our (?:warehouse|stor(?:e|age))|we will (?:contact the (?:warehouse|logistics|store|storage(?: facility)) to )?arrange (?:the )?(?:shipment|delivery)|a new (?:\w+ ){1,3}in our (?:warehouse|storage)|this (?:new )?(?:merchandise|product|item) is (?:now )?(?:ready (?:to ship )?|available )(?:at|in|from) our (?:warehouse|stock|stor(?:e|age)))/i
3596 #score READY_TO_SHIP 1.250 # limit
3599 ##{ REPLYTO_WITHOUT_TO_CC
3601 meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS)
3602 ##} REPLYTO_WITHOUT_TO_CC
3606 header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:jessikasingh|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:bllphillips)\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:brunoso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|i(?:lanasoloshneor|nfo90000)|joseramonjr1|re(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))))\@daum\.net|(?:blythemasters)\@digitalassetholding\.org|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|walter_anderson))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:christgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:bo_li)\@imgrantfunds\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|mingmui0012|offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:info)\@intarpol-int\.online|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|kateclough1|mriamchombo1968))\@mail\.com|(?:ayishagddafio?)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:lindsaytrembley)\@oimail\.com|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:martinahrivnakova)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:charitylisajohnrobinson700)\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:info\.(?:clev\.frb|imfamerica)|policyaddmin\.file))\@usa\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:laprimitivaes)\@zohomail\.eu)$/i
3607 describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox
3608 #score REPTO_419_FRAUD 3.000
3609 tflags REPTO_419_FRAUD publish
3612 ##{ REPTO_419_FRAUD_AOL
3614 header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:brajjohn|f\.2[06]|ljaber111|meliageorge|nd(?:_bley|rew_hans)|rthur\.alan)|b(?:a(?:anidleewy|rr_luc)|claimdept)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|laimdept21|ristinabruno38|ustom_service58)|d(?:avid\.kms|hodgkins001|ianwaynie)|e(?:ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|isarobinson5\.0|orrainewirangee|ynnpage44)|m(?:_l\.wanczyk62|a(?:sayohara21|viswanczyk[do])|rs(?:isabelladzsesszika|janetedwards0001|safiagaddafi))|officework172|p(?:aulpollard2|otfolio\.management)|royalpalace2018|s(?:\.fofo|afiiagadafi|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|wattson\.renwick|yurdaaytarkan5))\@aol\.com$/i
3615 describe REPTO_419_FRAUD_AOL Reply-To is known advance fee fraud collector mailbox
3616 #score REPTO_419_FRAUD_AOL 3.000
3617 tflags REPTO_419_FRAUD_AOL publish
3618 ##} REPTO_419_FRAUD_AOL
3620 ##{ REPTO_419_FRAUD_AOL_LOOSE
3622 meta REPTO_419_FRAUD_AOL_LOOSE __REPTO_419_FRAUD_AOL_LOOSE && !REPTO_419_FRAUD_AOL
3623 describe REPTO_419_FRAUD_AOL_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
3624 #score REPTO_419_FRAUD_AOL_LOOSE 1.000
3625 tflags REPTO_419_FRAUD_AOL_LOOSE publish
3626 ##} REPTO_419_FRAUD_AOL_LOOSE
3628 ##{ REPTO_419_FRAUD_CNS
3630 header REPTO_419_FRAUD_CNS Reply-To:addr =~ /^(?=[^\s<>@]+\@consultant\.com)(?:(?:anthonyalvarad|davidhenri|lottomaxclaims7|morrisherb|t(?:eo\.westin|he\.trustees1|rustees202000)|westernuniopayment\.agent0018))\@consultant\.com$/i
3631 describe REPTO_419_FRAUD_CNS Reply-To is known advance fee fraud collector mailbox
3632 #score REPTO_419_FRAUD_CNS 3.000
3633 tflags REPTO_419_FRAUD_CNS publish
3634 ##} REPTO_419_FRAUD_CNS
3636 ##{ REPTO_419_FRAUD_GM
3638 header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|7912richardtony|9porssts9|a(?:\.wafager1|b(?:d(?:97412345|ullahmundani019)|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976algaddafi|gaddafiaam)|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|ure\.wawrenka1472)|m(?:bassadormarybethleonardl4|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:honyalvaradollc|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|ttohlawoffice\.tg|ustinbillmark9|w1614860|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195))|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:artwrighttownhomesllc|claimsa|elicerez|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavisdonation1))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|kaltschmidtmaureend|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|hsdevice|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick)|u(?:nsilva58|stinmoskovitz\.2facebook)|v\.metus)|e(?:benezero392|christina937|drunity|l(?:i(?:bethgomez(?:175|499)|sabethmaria600|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|p462558|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|iscamendoza960)|k(?:j(?:ane984|wangg)|linpiesie6)))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016))|b(?:528796|ill4880)|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|iidp955|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen)|h(?:a(?:r(?:gate2909|ryebert101)|s(?:h(?:imyreem78|mireem801)|sanalshujairy))|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321))|gold8080|i(?:ldad837|toshurui)|o(?:nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|bed627|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|ttcuckk)|gridrolle2)|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esokoh82)|n(?:nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b5406424|c2222222rrr|e(?:fferydean1960|nniannjhsonn|robtt)|josvu|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:athanhaskel377|hugo1964|monkssa)|sephacevedo024|vannyanderson001|yce00011)|rawlings007|s4fernado|uliewatson975|w6935997)|k(?:a(?:l(?:iaksandr5|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|rnkl1109|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|onidasresearch|rynne(?:0west99|west2289))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|nelink008|sa(?:milner001|robin117))|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran630|uelfranco(?:727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26|tinesecurityusa)|kroth456|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|thewriaanza|u(?:noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt)|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|ss(?:\.(?:melisa\.mehmett|yasmineibrahim101)|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati)|nmalarge|oham(?:edabdul1717|m(?:daljililati1|edshamekh24))|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee)|cjames001|d517341|eric(?:franck|schmid4002)|hanimuhammad627|jamesmc6|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|olsenjanett|susanread12)|a(?:ishaalqadafi1976|ngela454)|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|lleach)|maureens847|r(?:obinsanders185|uthsmith9900)|sarahbenjamin103|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|viktorzubkovv)|s(?:\.ellagolan56|agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffice(?:\.012123|rricherd876|windowterms)|hallkenneth1|marinyandeng|nufoundationclaims|pcwkdw|xfaminternationa1980)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018))|b(?:ph202lay2|rookk0)|e(?:130304|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|olloke|ro1nvstream|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymondaba200)|e(?:beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|icha(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|josh200000|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|ussiaworldcuppromo)|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid7000)|nchoscozfifa|rfiafarfask7)|cottpeters7989|e(?:cretservicce[78]|rgeantrobertbrown1)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler2009)|ery(?:\.gtl131|etr03)|inawatrathaksin93)|im(?:lkheng5|onhei47)|op(?:adam3|hiajesse41)|peelman1972|t(?:anleyjohn1469|ephentam1(?:47|6))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:a(?:mmywebster24|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|erryparkins11|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:kponguko|marukareem8|n(?:claimedfunds554|itednation(?:organization70|s(?:8182|councilrefunds)))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iamsmartyrs888))|kfinancialservice|orldbankregionalmanageroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|ousefzongo5722)|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i
3639 describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox
3640 #score REPTO_419_FRAUD_GM 3.000
3641 tflags REPTO_419_FRAUD_GM publish
3642 ##} REPTO_419_FRAUD_GM
3644 ##{ REPTO_419_FRAUD_GM_LOOSE
3646 meta REPTO_419_FRAUD_GM_LOOSE __REPTO_419_FRAUD_GM_LOOSE && !REPTO_419_FRAUD_GM
3647 describe REPTO_419_FRAUD_GM_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
3648 #score REPTO_419_FRAUD_GM_LOOSE 1.000
3649 tflags REPTO_419_FRAUD_GM_LOOSE publish
3650 ##} REPTO_419_FRAUD_GM_LOOSE
3652 ##{ REPTO_419_FRAUD_HM
3654 header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|n(?:ikal01|nagray00)|zezul\.idrisazezulidris)|c(?:hoi21|laytousey)|d(?:l13139|r\.dukanalycoulibaly)|egorbunova22|faxttransfer\.skyebk\.service\.care\.th|infos(?:43|8)|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|ulihongm)|mr(?:abrahambeniamfc|pedrohilldonations|s(?:\.chantal_bill|micheleallison2003))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|powen10001|quickcashloansservices|s(?:a(?:jda\.andleeb|nchamps798)|ulaimaninfante)|t(?:ashacap|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i
3655 describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox
3656 #score REPTO_419_FRAUD_HM 3.000
3657 tflags REPTO_419_FRAUD_HM publish
3658 ##} REPTO_419_FRAUD_HM
3660 ##{ REPTO_419_FRAUD_OL
3662 header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|b(?:rahamwilliamsonrpsltduk|s0000200)|lbertchebe|ndrewgamble7)|b(?:asidris|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|kaujong|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:_elizabeth20|michelleallison|roseallen))|spvt2020)|philcohen0012|richardwahlfreegrant|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i
3663 describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox
3664 #score REPTO_419_FRAUD_OL 3.000
3665 tflags REPTO_419_FRAUD_OL publish
3666 ##} REPTO_419_FRAUD_OL
3668 ##{ REPTO_419_FRAUD_PM
3670 header REPTO_419_FRAUD_PM Reply-To:addr =~ /^(?=[^\s<>@]+\@protonmail\.com)(?:(?:armstrong0244|berndkoch|davidmetus|euclaim|p(?:a(?:melagriffi|t\.nwankwo)|rotonydonation)|scottpeter012|the\.trustees1|v\.brianpierre|yihsbltan|ziraatbankasi))\@protonmail\.com$/i
3671 describe REPTO_419_FRAUD_PM Reply-To is known advance fee fraud collector mailbox
3672 #score REPTO_419_FRAUD_PM 3.000
3673 tflags REPTO_419_FRAUD_PM publish
3674 ##} REPTO_419_FRAUD_PM
3676 ##{ REPTO_419_FRAUD_QQ
3678 header REPTO_419_FRAUD_QQ Reply-To:addr =~ /^(?=[^\s<>@]+\@qq\.com)(?:(?:1731419584|2(?:032508290|3(?:72948239|89029403|97857528))|3523284224|akia\.j55|l\.valiant|peterwong20177|qatarfoundation01|wang_cjianlin))\@qq\.com$/i
3679 describe REPTO_419_FRAUD_QQ Reply-To is known advance fee fraud collector mailbox
3680 #score REPTO_419_FRAUD_QQ 3.000
3681 tflags REPTO_419_FRAUD_QQ publish
3682 ##} REPTO_419_FRAUD_QQ
3684 ##{ REPTO_419_FRAUD_YH
3686 header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|ilmohammed11|lesiakalina2006|mbassador\.l|nnhester\.usa4)|b(?:a(?:che\.delfine|nk\.phbng14|rr\.thomasclark)|en(?:jaminb34|nicholas22)|illlawrenceee|riceangela45)|c(?:\.aroline90|abinet_maitre_emmanuel_patris|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|ontelamine|ythiamiller\.un10)|d(?:hamilton9099|r(?:_raymondfung|kobiorah|obiorahkenneth|victorobaji))|e(?:denvictor71|ricalbert24)|f(?:bicompensation_funds|ederal\.r73)|i(?:\.project33411|befranfgnfmf|nfomoney|project32411)|j(?:a(?:ckson\.davis915|netemoon150)|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:altschmidtdavid8|elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555)|o(?:an\.assist|rrainewirengee)|y_cheapiseth(?:11|2019))|m(?:\.kogi81|a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis4004|o(?:hammedaahil46|keye79)|rs(?:\.esthernicolas|isabella\.dzesszikan)|s\.gracie_olakun)|o(?:legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|o(?:bertbailey2004|serichard655))|s(?:amthong4040|igurlauganna34|leo25|opheap\.munny|pwalker101|te(?:fanopessina573|vecox\.98))|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|vanserge2001|will(?:clark0010|smi68)|xianglongdai60|zhaodonghk))\@yahoo\.com$/i
3687 describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox
3688 #score REPTO_419_FRAUD_YH 3.000
3689 tflags REPTO_419_FRAUD_YH publish
3690 ##} REPTO_419_FRAUD_YH
3692 ##{ REPTO_419_FRAUD_YH_LOOSE
3694 meta REPTO_419_FRAUD_YH_LOOSE __REPTO_419_FRAUD_YH_LOOSE && !REPTO_419_FRAUD_YH
3695 describe REPTO_419_FRAUD_YH_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
3696 #score REPTO_419_FRAUD_YH_LOOSE 1.000
3697 tflags REPTO_419_FRAUD_YH_LOOSE publish
3698 ##} REPTO_419_FRAUD_YH_LOOSE
3700 ##{ REPTO_419_FRAUD_YJ
3702 header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|oneygram100|rs_chen_00001)|r(?:acheljude000|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i
3703 describe REPTO_419_FRAUD_YJ Reply-To is known advance fee fraud collector mailbox
3704 #score REPTO_419_FRAUD_YJ 3.000
3705 tflags REPTO_419_FRAUD_YJ publish
3706 ##} REPTO_419_FRAUD_YJ
3708 ##{ REPTO_419_FRAUD_YN
3710 header REPTO_419_FRAUD_YN Reply-To:addr =~ /^(?=[^\s<>@]+\@yandex\.com)(?:(?:a(?:lhashimi123|m(?:andarandle|g3333txx101)|n(?:a\.mariposa|n(?:acooper2019|zainab))|wesome\.mariacarmen)|c(?:harles\.kable|lemlau)|de(?:edee\-paul|jongpeter|ptoversea)|f(?:3dex\.courier|ed\.r3v|reedommarketinvestments)|gadd4fi\.aisha|h(?:ashimireem|halesbbanddd?)|joseph\-scott2k5|l(?:es20sc|otointernational\.elgordo)|m(?:arcarmenguty|fdpm|r(?:\.kongkea|akram\.elkerrami|spercy))|p(?:aragonloansinc|rincedarren0244)|rich(?:ard\.wahl|lawands)|tresor\.mambo|w(?:b\.foundation|ill(?:1amsmarg1|iam(?:simon1960|wilbert1)))|za\.dc2016))\@yandex\.com$/i
3711 describe REPTO_419_FRAUD_YN Reply-To is known advance fee fraud collector mailbox
3712 #score REPTO_419_FRAUD_YN 3.000
3713 tflags REPTO_419_FRAUD_YN publish
3714 ##} REPTO_419_FRAUD_YN
3716 ##{ REPTO_INFONUMSCOM
3718 meta REPTO_INFONUMSCOM __REPTO_INFONUMSCOM
3719 #score REPTO_INFONUMSCOM 3.000 # limit
3720 tflags REPTO_INFONUMSCOM publish
3721 ##} REPTO_INFONUMSCOM
3725 meta RISK_FREE __FRAUD_IOV && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__SUBSCRIPTION_INFO && !__HS_SUBJ_RE_FW && !__LCL__ENV_AND_HDR_FROM_MATCH
3726 describe RISK_FREE No risk!
3729 ##{ SB_GIF_AND_NO_URIS
3731 meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL)
3732 ##} SB_GIF_AND_NO_URIS
3734 ##{ SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3736 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3737 meta SCC_BOGUS_CTE_1 __SCC_BOGUS_CTE_1
3738 describe SCC_BOGUS_CTE_1 Bogus Content-Transfer-Encoding header
3739 tflags SCC_BOGUS_CTE_1 publish
3741 ##} SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3745 describe SCC_CANSPAM_2 Interesting compliance language
3746 body SCC_CANSPAM_2 /you may unsubscribe by clicking here or by writing to/
3749 ##{ SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3751 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3752 describe SCC_CTMPP Uncommon Content-Type
3753 meta SCC_CTMPP __SCC_CTMPP
3754 tflags SCC_CTMPP publish
3756 ##} SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3760 describe SCC_ISEMM_LID_1 Fingerprint of a particular spammer using an old spamware
3761 header SCC_ISEMM_LID_1 X-Mailer-LID =~ /54,55,56,58,53/
3762 tflags SCC_ISEMM_LID_1 publish
3763 #score SCC_ISEMM_LID_1 3.5
3766 ##{ SCC_ISEMM_LID_1A
3768 describe SCC_ISEMM_LID_1A Fingerprint of a particular spammer using an old spamware
3769 header SCC_ISEMM_LID_1A X-Mailer-LID =~ /54,55,56,/
3770 tflags SCC_ISEMM_LID_1A publish
3771 #score SCC_ISEMM_LID_1A 3.5
3772 ##} SCC_ISEMM_LID_1A
3774 ##{ SCC_ISEMM_LID_1B
3776 describe SCC_ISEMM_LID_1B Genericized spammer fingerprint
3777 header SCC_ISEMM_LID_1B X-Mailer-LID =~ /([56][0-9],)+/
3778 tflags SCC_ISEMM_LID_1B publish
3779 #score SCC_ISEMM_LID_1B 1.5
3780 ##} SCC_ISEMM_LID_1B
3782 ##{ SCC_SPECIAL_GUID
3784 describe SCC_SPECIAL_GUID Unique in a similar way
3785 rawbody SCC_SPECIAL_GUID /^([[:xdigit:]]{8})-([[:xdigit:]]{4})-([[:xdigit:]]{3})-\3-([[:xdigit:]]{12})$/m
3786 tflags SCC_SPECIAL_GUID publish multiple maxhits=15
3787 ##} SCC_SPECIAL_GUID
3791 meta SENDGRID_REDIR __SENDGRID_REDIR_NOPHISH && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION && !__STY_INVIS_MANY && !__HTML_SINGLET_10 && !__HAVE_BOUNCE_RELAYS
3792 describe SENDGRID_REDIR Redirect URI via Sendgrid
3793 #score SENDGRID_REDIR 1.500 # limit
3794 tflags SENDGRID_REDIR publish
3797 ##{ SENDGRID_REDIR_PHISH
3799 meta SENDGRID_REDIR_PHISH __SENDGRID_REDIR_PHISH
3800 describe SENDGRID_REDIR_PHISH Redirect URI via Sendgrid + phishing signs
3801 #score SENDGRID_REDIR_PHISH 3.500 # limit
3802 tflags SENDGRID_REDIR_PHISH publish
3803 ##} SENDGRID_REDIR_PHISH
3805 ##{ SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3807 if (version >= 3.004002)
3808 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3809 meta SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1)
3810 tflags SEO_SUSP_NTLD publish
3811 describe SEO_SUSP_NTLD SEO offer from suspicious TLD
3812 #score SEO_SUSP_NTLD 1.2 # limit
3815 ##} SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3817 ##{ SERGIO_SUBJECT_VIAGRA01
3819 header SERGIO_SUBJECT_VIAGRA01 Subject =~ /v[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9 ]{0,3}g[^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}a/i
3820 describe SERGIO_SUBJECT_VIAGRA01 Viagra garbled subject
3821 ##} SERGIO_SUBJECT_VIAGRA01
3823 ##{ SHOPIFY_IMG_NOT_RCVD_SFY
3825 meta SHOPIFY_IMG_NOT_RCVD_SFY __SHOPIFY_IMG_NOT_RCVD_SFY && !MIME_QP_LONG_LINE && !__RCD_RDNS_MTA_MESSY && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_ORGANIZATION && !__RCD_RDNS_OB && !__DOS_LINK
3826 #score SHOPIFY_IMG_NOT_RCVD_SFY 2.500 # limit
3827 describe SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not from Shopify
3828 tflags SHOPIFY_IMG_NOT_RCVD_SFY publish
3829 ##} SHOPIFY_IMG_NOT_RCVD_SFY
3831 ##{ SHORTENER_SHORT_IMG
3833 meta SHORTENER_SHORT_IMG __URL_SHORTENER && HTML_SHORT_LINK_IMG_1
3834 describe SHORTENER_SHORT_IMG Short HTML + image + URL shortener
3835 #score SHORTENER_SHORT_IMG 2.500 # limit
3836 tflags SHORTENER_SHORT_IMG publish
3837 ##} SHORTENER_SHORT_IMG
3839 ##{ SHORT_HELO_AND_INLINE_IMAGE
3841 meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)
3842 describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
3843 ##} SHORT_HELO_AND_INLINE_IMAGE
3845 ##{ SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3847 if (version >= 3.004002)
3848 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3849 meta SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD
3850 tflags SHORT_IMG_SUSP_NTLD publish
3851 describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD
3852 #score SHORT_IMG_SUSP_NTLD 1.5 # limit
3855 ##} SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3857 ##{ SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3859 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3860 if (version >= 3.004000)
3861 meta SHORT_SHORTNER __PDS_MSG_512 && __URL_SHORTENER && !DRUGS_ERECTILE
3862 describe SHORT_SHORTNER Short body with little more than a link to a shortener
3863 #score SHORT_SHORTNER 2.0 # limit
3866 ##} SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
3868 ##{ SHORT_TERM_PRICE
3870 body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i
3871 ##} SHORT_TERM_PRICE
3875 meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4)
3876 describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham
3879 ##{ SPOOFED_FREEMAIL
3881 meta SPOOFED_FREEMAIL __SPOOFED_FREEMAIL && !__HAS_IN_REPLY_TO && !__FS_SUBJ_RE && !__MSGID_GUID && !__freemail_safe && !__THREADED && !__HDRS_LCASE_KNOWN && !__HDR_RCVD_GOOGLE && !__HDR_RCVD_TONLINEDE
3882 #score SPOOFED_FREEMAIL 2.000 # limit
3883 tflags SPOOFED_FREEMAIL net
3884 ##} SPOOFED_FREEMAIL
3886 ##{ SPOOFED_FREEMAIL_NO_RDNS
3888 meta SPOOFED_FREEMAIL_NO_RDNS __SPOOFED_FREEMAIL && __RDNS_NONE
3889 describe SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
3890 #score SPOOFED_FREEMAIL_NO_RDNS 1.5
3891 ##} SPOOFED_FREEMAIL_NO_RDNS
3893 ##{ SPOOFED_FREEM_REPTO
3895 meta SPOOFED_FREEM_REPTO __SPOOFED_FREEM_REPTO && !__AC_TINY_FONT && !__HAS_IN_REPLY_TO && !__HAS_THREAD_INDEX
3896 describe SPOOFED_FREEM_REPTO Forged freemail sender with freemail reply-to
3897 #score SPOOFED_FREEM_REPTO 2.500
3898 tflags SPOOFED_FREEM_REPTO net publish
3899 ##} SPOOFED_FREEM_REPTO
3901 ##{ SPOOFED_FREEM_REPTO_CHN
3903 meta SPOOFED_FREEM_REPTO_CHN (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM
3904 describe SPOOFED_FREEM_REPTO_CHN Forged freemail sender with Chinese freemail reply-to
3905 #score SPOOFED_FREEM_REPTO_CHN 3.500
3906 tflags SPOOFED_FREEM_REPTO_CHN net publish
3907 ##} SPOOFED_FREEM_REPTO_CHN
3909 ##{ SPOOFED_FREEM_REPTO_RUS
3911 meta SPOOFED_FREEM_REPTO_RUS (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_RUS_FREEM
3912 describe SPOOFED_FREEM_REPTO_RUS Forged freemail sender with Russian freemail reply-to
3913 #score SPOOFED_FREEM_REPTO_RUS 3.500
3914 tflags SPOOFED_FREEM_REPTO_RUS net publish
3915 ##} SPOOFED_FREEM_REPTO_RUS
3919 meta SPOOF_GMAIL_MID SPOOFED_FREEMAIL && __PDS_SPOOF_GMAIL_MID
3920 #score SPOOF_GMAIL_MID 1.5
3921 describe SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...
3924 ##{ STATIC_XPRIO_OLE
3926 meta STATIC_XPRIO_OLE __STATIC_XPRIO_OLE
3927 describe STATIC_XPRIO_OLE Static RDNS + X-Priority + MIMEOLE
3928 #score STATIC_XPRIO_OLE 2.000 # limit
3929 tflags STATIC_XPRIO_OLE publish
3930 ##} STATIC_XPRIO_OLE
3934 meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY)
3935 describe STOCK_IMG_CTYPE Stock spam image part, with distinctive Content-Type header
3938 ##{ STOCK_IMG_HDR_FROM
3940 meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)
3941 describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line
3942 ##} STOCK_IMG_HDR_FROM
3946 meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY)
3947 describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML
3950 ##{ STOCK_IMG_OUTLOOK
3952 meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048)
3953 describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features
3954 ##} STOCK_IMG_OUTLOOK
3958 meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE)
3963 meta STOCK_TIP __STOCK_TIP && !__DKIM_EXISTS
3964 describe STOCK_TIP Stock tips
3965 #score STOCK_TIP 3.000 # limit
3966 tflags STOCK_TIP publish
3971 meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE
3976 header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/
3979 ##{ STOX_REPLY_TYPE_WITHOUT_QUOTES
3981 meta STOX_REPLY_TYPE_WITHOUT_QUOTES (STOX_REPLY_TYPE && !(__HS_SUBJ_RE_FW || __HS_QUOTE))
3982 ##} STOX_REPLY_TYPE_WITHOUT_QUOTES
3984 ##{ SUBJECT_NEEDS_ENCODING
3986 meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME
3987 describe SUBJECT_NEEDS_ENCODING Subject includes non-encoded illegal characters
3988 ##} SUBJECT_NEEDS_ENCODING
3992 meta SUBJ_ATTENTION __SUBJ_ATTENTION && !ALL_TRUSTED
3993 describe SUBJ_ATTENTION ATTENTION in Subject
3994 #score SUBJ_ATTENTION 0.500 # limit
3997 ##{ SUBJ_BRKN_WORDNUMS
3999 #score SUBJ_BRKN_WORDNUMS 1.500 # limit
4000 describe SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers
4001 ##} SUBJ_BRKN_WORDNUMS
4003 ##{ SUBJ_BRKN_WORDNUMS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
4005 if !plugin(Mail::SpamAssassin::Plugin::DKIM)
4006 meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS
4008 ##} SUBJ_BRKN_WORDNUMS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
4010 ##{ SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM
4012 ifplugin Mail::SpamAssassin::Plugin::DKIM
4013 meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER
4015 ##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM
4017 ##{ SUBJ_UNNEEDED_HTML
4019 meta SUBJ_UNNEEDED_HTML __SUBJ_UNNEEDED_HTML && !__NOT_SPOOFED && !__RP_MATCHES_RCVD && !__VIA_ML
4020 describe SUBJ_UNNEEDED_HTML Unneeded HTML formatting in Subject:
4021 ##} SUBJ_UNNEEDED_HTML
4023 ##{ SUSP_UTF8_WORD_SUBJ
4025 meta SUSP_UTF8_WORD_SUBJ __4BYTE_UTF8_WORD_SUBJ
4026 describe SUSP_UTF8_WORD_SUBJ Word in Subject using only suspicious UTF-8 characters
4027 #score SUSP_UTF8_WORD_SUBJ 2.000 # limit
4028 ##} SUSP_UTF8_WORD_SUBJ
4032 meta SYSADMIN __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS
4033 describe SYSADMIN Supposedly from your IT department
4034 #score SYSADMIN 3.500 # limit
4035 tflags SYSADMIN publish
4038 ##{ TAGSTAT_IMG_NOT_RCVD_TGST
4040 meta TAGSTAT_IMG_NOT_RCVD_TGST __TAGSTAT_IMG_NOT_RCVD_TGST
4041 #score TAGSTAT_IMG_NOT_RCVD_TGST 2.000 # limit
4042 describe TAGSTAT_IMG_NOT_RCVD_TGST Tagstat hosted image but message not from Tagstat
4043 tflags TAGSTAT_IMG_NOT_RCVD_TGST publish
4044 ##} TAGSTAT_IMG_NOT_RCVD_TGST
4046 ##{ TARINGANET_IMG_NOT_RCVD_TN
4048 meta TARINGANET_IMG_NOT_RCVD_TN __TARINGANET_IMG_NOT_RCVD_TN
4049 #score TARINGANET_IMG_NOT_RCVD_TN 2.000 # limit
4050 describe TARINGANET_IMG_NOT_RCVD_TN media.taringa.net hosted image but message not from taringa.net
4051 tflags TARINGANET_IMG_NOT_RCVD_TN publish
4052 ##} TARINGANET_IMG_NOT_RCVD_TN
4054 ##{ TBIRD_SUSP_MIME_BDRY
4056 meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
4057 describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary
4058 ##} TBIRD_SUSP_MIME_BDRY
4062 meta TEQF_USR_IMAGE __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH
4063 describe TEQF_USR_IMAGE To and from user nearly same + image
4064 tflags TEQF_USR_IMAGE publish
4067 ##{ TEQF_USR_MSGID_HEX
4069 meta TEQF_USR_MSGID_HEX __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2
4070 describe TEQF_USR_MSGID_HEX To and from user nearly same + unusual message ID
4071 tflags TEQF_USR_MSGID_HEX publish
4072 ##} TEQF_USR_MSGID_HEX
4074 ##{ TEQF_USR_MSGID_MALF
4076 meta TEQF_USR_MSGID_MALF __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2
4077 describe TEQF_USR_MSGID_MALF To and from user nearly same + malformed message ID
4078 tflags TEQF_USR_MSGID_MALF publish
4079 ##} TEQF_USR_MSGID_MALF
4083 header THEBAT_UNREG X-Mailer =~ /^The Bat! .{0,20} UNREG$/
4088 meta THIS_AD __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD
4089 describe THIS_AD "This ad" and variants
4090 tflags THIS_AD publish
4093 ##{ THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4095 if (version >= 3.004002)
4096 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4097 meta THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __ADMITS_SPAM
4098 tflags THIS_IS_ADV_SUSP_NTLD publish
4099 describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD
4100 #score THIS_IS_ADV_SUSP_NTLD 1.5 # limit
4103 ##} THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4105 ##{ TONLINE_FAKE_DKIM
4107 meta TONLINE_FAKE_DKIM __HDR_RCVD_TONLINEDE && __DKIM_EXISTS
4108 describe TONLINE_FAKE_DKIM t-online.de doesn't do DKIM
4109 #score TONLINE_FAKE_DKIM 3.000 # limit
4110 tflags TONLINE_FAKE_DKIM publish
4111 ##} TONLINE_FAKE_DKIM
4113 ##{ TO_EQ_FM_DIRECT_MX
4115 meta TO_EQ_FM_DIRECT_MX __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED
4116 describe TO_EQ_FM_DIRECT_MX To == From and direct-to-MX
4117 #score TO_EQ_FM_DIRECT_MX 2.500 # limit
4118 tflags TO_EQ_FM_DIRECT_MX publish
4119 ##} TO_EQ_FM_DIRECT_MX
4121 ##{ TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4123 ifplugin Mail::SpamAssassin::Plugin::SPF
4124 meta TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
4125 describe TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed
4126 tflags TO_EQ_FM_DOM_SPF_FAIL net
4128 ##} TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4130 ##{ TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4132 ifplugin Mail::SpamAssassin::Plugin::SPF
4133 meta TO_EQ_FM_SPF_FAIL __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
4134 describe TO_EQ_FM_SPF_FAIL To == From and external SPF failed
4135 tflags TO_EQ_FM_SPF_FAIL net
4137 ##} TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4141 meta TO_IN_SUBJ __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW
4142 describe TO_IN_SUBJ To address is in Subject
4143 tflags TO_IN_SUBJ publish
4144 #score TO_IN_SUBJ 0.1
4147 ##{ TO_NAME_SUBJ_NO_RDNS
4149 meta TO_NAME_SUBJ_NO_RDNS LOCALPART_IN_SUBJECT && __RDNS_NONE
4150 describe TO_NAME_SUBJ_NO_RDNS Recipient username in subject + no rDNS
4151 #score TO_NAME_SUBJ_NO_RDNS 3.000 # limit
4152 tflags TO_NAME_SUBJ_NO_RDNS publish
4153 ##} TO_NAME_SUBJ_NO_RDNS
4155 ##{ TO_NO_BRKTS_FROM_MSSP
4157 meta TO_NO_BRKTS_FROM_MSSP __TO_NO_BRKTS_FROM_RUNON && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__TO___LOWER && !__BUGGED_IMG && !__SUBJECT_ENCODED_QP && !__VIA_ML && !__FR_SPACING_8 && !__TAG_EXISTS_CENTER && !__RCVD_ZIXMAIL && !__RP_MATCHES_RCVD && !__HAS_SENDER
4158 #score TO_NO_BRKTS_FROM_MSSP 2.50 # max
4159 describe TO_NO_BRKTS_FROM_MSSP Multiple header formatting problems
4160 ##} TO_NO_BRKTS_FROM_MSSP
4162 ##{ TO_NO_BRKTS_HTML_IMG
4164 meta TO_NO_BRKTS_HTML_IMG __TO_NO_BRKTS_HTML_IMG && !__FM_TO_ALL_NUMS && !__FROM_FULL_NAME && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__HAS_SENDER && !__THREADED && !__LONGLINE
4165 describe TO_NO_BRKTS_HTML_IMG To: lacks brackets and HTML and one image
4166 #score TO_NO_BRKTS_HTML_IMG 2.000 # limit
4167 tflags TO_NO_BRKTS_HTML_IMG publish
4168 ##} TO_NO_BRKTS_HTML_IMG
4170 ##{ TO_NO_BRKTS_HTML_ONLY
4172 meta TO_NO_BRKTS_HTML_ONLY __TO_NO_BRKTS_HTML_ONLY && !RDNS_NONE && !__MIME_QP && !__MSGID_JAVAMAIL && !__CTYPE_CHARSET_QUOTED && !__SUBJECT_ENCODED_B64 && !__VIA_ML && !__MSGID_BEFORE_RECEIVED && !__MIME_BASE64 && !__RCD_RDNS_MAIL_MESSY && !__COMMENT_EXISTS && !LOTS_OF_MONEY && !__TAG_EXISTS_CENTER && !__UPPERCASE_URI && !__UNSUB_LINK && !__RCD_RDNS_MX_MESSY && !__DKIM_EXISTS && !__BUGGED_IMG && !__FM_TO_ALL_NUMS && !__URI_12LTRDOM && !__RDNS_NO_SUBDOM && !__HDRS_LCASE && !__LCL__ENV_AND_HDR_FROM_MATCH
4173 #score TO_NO_BRKTS_HTML_ONLY 2.00 # limit
4174 describe TO_NO_BRKTS_HTML_ONLY To: lacks brackets and HTML only
4175 tflags TO_NO_BRKTS_HTML_ONLY publish
4176 ##} TO_NO_BRKTS_HTML_ONLY
4178 ##{ TO_NO_BRKTS_MSFT
4180 meta TO_NO_BRKTS_MSFT __TO_NO_BRKTS_MSFT && !__VIA_ML && !__LYRIS_EZLM_REMAILER && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__UNSUB_LINK && !__NOT_SPOOFED && !__DOS_HAS_LIST_UNSUB && !__NAME_EQ_EMAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__HAS_THREAD_INDEX && !__HAS_X_REF && !__HAS_IN_REPLY_TO && !__FROM_ENCODED_QP && !__RP_MATCHES_RCVD
4181 describe TO_NO_BRKTS_MSFT To: lacks brackets and supposed Microsoft tool
4182 #score TO_NO_BRKTS_MSFT 2.50 # limit
4183 ##} TO_NO_BRKTS_MSFT
4185 ##{ TO_NO_BRKTS_NORDNS_HTML
4187 meta TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_NORDNS_HTML && !ALL_TRUSTED && !__MSGID_JAVAMAIL && !__MSGID_BEFORE_RECEIVED && !__VIA_ML && !__UA_MUTT && !__COMMENT_EXISTS && !__HTML_LENGTH_384 && !__MIME_BASE64 && !__UPPERCASE_URI && !__TO___LOWER && !__TAG_EXISTS_CENTER && !__LONGLINE && !__DKIM_EXISTS
4188 #score TO_NO_BRKTS_NORDNS_HTML 2.00 # limit
4189 describe TO_NO_BRKTS_NORDNS_HTML To: lacks brackets and no rDNS and HTML only
4190 tflags TO_NO_BRKTS_NORDNS_HTML publish
4191 ##} TO_NO_BRKTS_NORDNS_HTML
4193 ##{ TO_NO_BRKTS_PCNT
4195 meta TO_NO_BRKTS_PCNT __TO_NO_BRKTS_PCNT && !__SUBJECT_ENCODED_B64 && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__ISO_2022_JP_DELIM && !__IMS_MSGID && !__THREAD_INDEX_GOOD && !__RCD_RDNS_MX_MESSY && !__UNSUB_LINK && !__LONGLINE && !URI_HEX && !__RP_MATCHES_RCVD && !__MAIL_LINK && !__BUGGED_IMG && !__MIME_QP && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_X_MAILER && !__HTML_LINK_IMAGE && !__SENDER_BOT && !__DKIM_EXISTS && !__KHOP_NO_FULL_NAME && !__THREADED
4196 describe TO_NO_BRKTS_PCNT To: lacks brackets + percentage
4197 #score TO_NO_BRKTS_PCNT 2.50 # limit
4198 tflags TO_NO_BRKTS_PCNT publish
4199 ##} TO_NO_BRKTS_PCNT
4201 ##{ TO_TOO_MANY_WFH_01
4203 meta TO_TOO_MANY_WFH_01 __TO_TOO_MANY_WFH_01
4204 describe TO_TOO_MANY_WFH_01 Work-from-Home + many recipients
4205 tflags TO_TOO_MANY_WFH_01 publish
4206 ##} TO_TOO_MANY_WFH_01
4210 header TT_MSGID_TRUNC Message-Id =~ /^\s*<?[^<>\s]+\[\d+$/
4211 describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits
4214 ##{ TT_OBSCURED_VALIUM
4216 meta TT_OBSCURED_VALIUM ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM
4217 describe TT_OBSCURED_VALIUM Scora: obscured "VALIUM" in subject
4218 ##} TT_OBSCURED_VALIUM
4220 ##{ TT_OBSCURED_VIAGRA
4222 meta TT_OBSCURED_VIAGRA ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA
4223 describe TT_OBSCURED_VIAGRA Scora: obscured "VIAGRA" in subject
4224 ##} TT_OBSCURED_VIAGRA
4228 body TVD_ACT_193 /\bact of (?:193|nineteen thirty)/i
4229 describe TVD_ACT_193 Message refers to an act passed in the 1930s
4234 body TVD_APPROVED /you.{1,2}re .{0,20}approved/i
4235 describe TVD_APPROVED Body states that the recipient has been approved
4238 ##{ TVD_DEAR_HOMEOWNER
4240 body TVD_DEAR_HOMEOWNER /^dear homeowner/i
4241 describe TVD_DEAR_HOMEOWNER Spam with generic salutation of "dear homeowner"
4242 ##} TVD_DEAR_HOMEOWNER
4246 meta TVD_EB_PHISH __FROM_EBAY && NORMAL_HTTP_TO_IP
4249 ##{ TVD_ENVFROM_APOST
4251 header TVD_ENVFROM_APOST EnvelopeFrom =~ /\'/
4252 describe TVD_ENVFROM_APOST Envelope From contains single-quote
4253 ##} TVD_ENVFROM_APOST
4257 header TVD_FINGER_02 Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i
4260 ##{ TVD_FLOAT_GENERAL
4262 rawbody TVD_FLOAT_GENERAL /\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i
4263 describe TVD_FLOAT_GENERAL Message uses CSS float style
4264 ##} TVD_FLOAT_GENERAL
4266 ##{ TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4268 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4269 body TVD_FUZZY_DEGREE /<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i
4270 describe TVD_FUZZY_DEGREE Obfuscation of the word "degree"
4272 ##} TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4274 ##{ TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4276 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4277 body TVD_FUZZY_FINANCE /(?!finance)<F><I><N><A><N><C><E>/i
4278 describe TVD_FUZZY_FINANCE Obfuscation of the word "finance"
4280 ##} TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4282 ##{ TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4284 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4285 body TVD_FUZZY_FIXED_RATE /<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i
4286 describe TVD_FUZZY_FIXED_RATE Obfuscation of the phrase "fixed rate"
4288 ##} TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4290 ##{ TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4292 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4293 body TVD_FUZZY_MICROCAP /<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i
4294 describe TVD_FUZZY_MICROCAP Obfuscation of the word "micro-cap"
4296 ##} TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4298 ##{ TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4300 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4301 body TVD_FUZZY_PHARMACEUTICAL /<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i
4302 describe TVD_FUZZY_PHARMACEUTICAL Obfuscation of the word "pharmaceutical"
4304 ##} TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4306 ##{ TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4308 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4309 body TVD_FUZZY_SYMBOL /<inter W2><post P2>(?!symboo?l)<S><Y><M><B><O><L>/i
4310 describe TVD_FUZZY_SYMBOL Obfuscation of the word "symbol"
4312 ##} TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4314 ##{ TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4316 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4317 mimeheader TVD_FW_GRAPHIC_NAME_LONG Content-Type =~ /\bname="[a-z]{8,}\.gif/
4318 describe TVD_FW_GRAPHIC_NAME_LONG Long image attachment name
4320 ##} TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4322 ##{ TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4324 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4325 mimeheader TVD_FW_GRAPHIC_NAME_MID Content-Type =~ /\bname="[a-z]{6,7}\.gif/
4326 describe TVD_FW_GRAPHIC_NAME_MID Medium sized image attachment name
4328 ##} TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4330 ##{ TVD_INCREASE_SIZE
4332 body TVD_INCREASE_SIZE /\bsize of .{1,20}(?:penis|dick|manhood)/i
4333 describe TVD_INCREASE_SIZE Advertising for penis enlargement
4334 ##} TVD_INCREASE_SIZE
4338 body TVD_LINK_SAVE /\blink to save\b/i
4339 describe TVD_LINK_SAVE Spam with the text "link to save"
4342 ##{ TVD_PH_BODY_ACCOUNTS_PRE
4344 meta TVD_PH_BODY_ACCOUNTS_PRE __TVD_PH_BODY_ACCOUNTS_PRE
4345 describe TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts suspended", "account credited", "account verification"
4346 ##} TVD_PH_BODY_ACCOUNTS_PRE
4350 body TVD_PH_REC /\byour .{0,40}account .{0,40}record/i
4351 describe TVD_PH_REC Message includes a phrase commonly used in phishing mails
4356 body TVD_PH_SEC /\byour .{0,40}account .{0,40}security/i
4357 describe TVD_PH_SEC Message includes a phrase commonly used in phishing mails
4362 meta TVD_PP_PHISH __FROM_PAYPAL && NORMAL_HTTP_TO_IP
4367 body TVD_QUAL_MEDS /\bquality med(?:ication)?s\b/i
4368 describe TVD_QUAL_MEDS The body matches phrases such as "quality meds" or "quality medication"
4373 header TVD_RATWARE_CB Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i
4374 describe TVD_RATWARE_CB Content-Type header that is commonly indicative of ratware
4377 ##{ TVD_RATWARE_CB_2
4379 header TVD_RATWARE_CB_2 Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/
4380 describe TVD_RATWARE_CB_2 Content-Type header that is commonly indicative of ratware
4381 ##} TVD_RATWARE_CB_2
4383 ##{ TVD_RATWARE_MSGID_02
4385 header TVD_RATWARE_MSGID_02 Message-ID =~ /^[^<]*<[a-z]+\@/
4386 describe TVD_RATWARE_MSGID_02 Ratware with a Message-ID header that is entirely lower-case
4387 ##} TVD_RATWARE_MSGID_02
4391 header TVD_RCVD_IP Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/
4392 describe TVD_RCVD_IP Message was received from an IP address
4397 header TVD_RCVD_IP4 Received =~ /^from\s+(?:\d+\.){3}\d+\s/
4398 describe TVD_RCVD_IP4 Message was received from an IPv4 address
4401 ##{ TVD_RCVD_SPACE_BRACKET
4403 header TVD_RCVD_SPACE_BRACKET Received =~ /\(\[(?!unix)[^\[\]]*\s/i
4404 ##} TVD_RCVD_SPACE_BRACKET
4408 body TVD_SECTION /\bSection (?:27A|21B)/i
4409 describe TVD_SECTION References to specific legal codes
4412 ##{ TVD_SILLY_URI_OBFU
4414 body TVD_SILLY_URI_OBFU m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i
4415 describe TVD_SILLY_URI_OBFU URI obfuscation that can fool a URIBL or a uri rule
4416 ##} TVD_SILLY_URI_OBFU
4418 ##{ TVD_SPACED_SUBJECT_WORD3
4420 header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/
4421 describe TVD_SPACED_SUBJECT_WORD3 Entire subject is "UPPERlowerUPPER" with no whitespace
4422 ##} TVD_SPACED_SUBJECT_WORD3
4424 ##{ TVD_SPACE_ENCODED
4426 meta TVD_SPACE_ENCODED __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM
4427 #score TVD_SPACE_ENCODED 2.500 # limit
4428 describe TVD_SPACE_ENCODED Space ratio & encoded subject
4429 ##} TVD_SPACE_ENCODED
4431 ##{ TVD_SPACE_RATIO_MINFP
4433 meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY && !__XM_APPLEMAIL
4434 #score TVD_SPACE_RATIO_MINFP 2.500 # limit
4435 describe TVD_SPACE_RATIO_MINFP Space ratio (vertical text obfuscation?)
4436 ##} TVD_SPACE_RATIO_MINFP
4438 ##{ TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval
4440 ifplugin Mail::SpamAssassin::Plugin::BodyEval
4441 body TVD_STOCK1 eval:check_stock_info('2')
4442 describe TVD_STOCK1 Spam related to stock trading
4444 ##} TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval
4446 ##{ TVD_SUBJ_ACC_NUM
4448 header TVD_SUBJ_ACC_NUM Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/
4449 describe TVD_SUBJ_ACC_NUM Subject has spammy looking monetary reference
4450 ##} TVD_SUBJ_ACC_NUM
4452 ##{ TVD_SUBJ_FINGER_03
4454 header TVD_SUBJ_FINGER_03 Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/
4455 describe TVD_SUBJ_FINGER_03 Entire subject is enclosed in asterisks "* like so *"
4456 ##} TVD_SUBJ_FINGER_03
4458 ##{ TVD_SUBJ_NUM_OBFU_MINFP
4460 meta TVD_SUBJ_NUM_OBFU_MINFP __TVD_SUBJ_NUM_OBFU && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !__X_CRON_ENV && !__NOT_A_PERSON && !__HAS_THREAD_INDEX && !__THREADED && !__NUMBERS_IN_SUBJ && !__URI_MAILTO
4461 ##} TVD_SUBJ_NUM_OBFU_MINFP
4465 header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i
4466 describe TVD_SUBJ_OWE Subject line states that the recipieint is in debt
4469 ##{ TVD_SUBJ_WIPE_DEBT
4471 header TVD_SUBJ_WIPE_DEBT Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i
4472 describe TVD_SUBJ_WIPE_DEBT Spam advertising a way to eliminate debt
4473 ##} TVD_SUBJ_WIPE_DEBT
4475 ##{ TVD_VISIT_PHARMA
4477 body TVD_VISIT_PHARMA /Online Ph.rmacy/i
4478 describe TVD_VISIT_PHARMA Body mentions online pharmacy
4479 ##} TVD_VISIT_PHARMA
4483 rawbody TVD_VIS_HIDDEN /<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i
4484 describe TVD_VIS_HIDDEN Invisible textarea HTML tags
4487 ##{ TW_GIBBERISH_MANY
4489 meta TW_GIBBERISH_MANY __TENWORD_GIBBERISH > 20
4490 describe TW_GIBBERISH_MANY Lots of gibberish text to spoof pattern matching filters
4491 #score TW_GIBBERISH_MANY 2.000 # limit
4492 tflags TW_GIBBERISH_MANY publish
4493 ##} TW_GIBBERISH_MANY
4495 ##{ T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4497 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4498 meta T_ACH_CANCELLED_EXE __ACH_CANCELLED_EXE
4499 describe T_ACH_CANCELLED_EXE "ACH cancelled" probable malware
4501 ##} T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4503 ##{ T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4505 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4506 meta T_ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON
4507 describe T_ANY_PILL_PRICE Prices for pills
4509 ##} T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4511 ##{ T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4513 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4514 mimeheader T_CDISP_SZ_MANY Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/
4515 describe T_CDISP_SZ_MANY Suspicious MIME header
4516 # score T_CDISP_SZ_MANY 2.0 # limit
4518 ##} T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4520 ##{ T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4522 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4523 meta T_CTYPE_NULL __CTYPE_NULL
4524 describe T_CTYPE_NULL Malformed Content-Type header
4526 ##} T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4528 ##{ T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4530 ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4531 header T_DATE_IN_FUTURE_96_Q eval:check_for_shifted_date('96', '2920')
4532 describe T_DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: date
4534 ##} T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4536 ##{ T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4538 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4539 meta T_DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH_MT || __DOC_ATTACH_MT)
4540 describe T_DOC_ATTACH_NO_EXT Document attachment with suspicious name
4542 ##} T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4544 ##{ T_DOS_OUTLOOK_TO_MX_IMAGE
4546 meta T_DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
4547 describe T_DOS_OUTLOOK_TO_MX_IMAGE Direct to MX with Outlook headers and an image
4548 ##} T_DOS_OUTLOOK_TO_MX_IMAGE
4550 ##{ T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4552 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4553 mimeheader T_DOS_ZIP_HARDCORE Content-Type =~ /^application\/zip;\sname="hardcore\.zip"$/
4554 describe T_DOS_ZIP_HARDCORE hardcore.zip file attached; quite certainly a virus
4555 # score T_DOS_ZIP_HARDCORE 2.5
4557 ##} T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4559 ##{ T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4561 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4562 if (version >= 3.004000)
4563 meta T_DRUGS_ERECTILE_SHORT_SHORTNER __PDS_HTML_LENGTH_1024 && __URL_SHORTENER && DRUGS_ERECTILE
4564 describe T_DRUGS_ERECTILE_SHORT_SHORTNER Short erectile drugs advert with T_URL_SHORTENER
4565 #score T_DRUGS_ERECTILE_SHORT_SHORTNER 1.5 # limit
4568 ##} T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4570 ##{ T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4572 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4573 meta T_FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__SPOOFED_URL && !__VIA_ML && !__HAS_IN_REPLY_TO && !__THREADED && !__HDR_RCVD_SHOPIFY && !__HAS_ERRORS_TO
4574 describe T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
4576 ##} T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4578 ##{ T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4580 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4581 meta T_FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE
4582 describe T_FILL_THIS_FORM_LOAN Answer loan question(s)
4583 # score T_FILL_THIS_FORM_LOAN 2.0
4585 ##} T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4587 ##{ T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4589 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4590 meta T_FILL_THIS_FORM_SHORT __FILL_THIS_FORM_SHORT && !__VIA_ML && !__MSGID_JAVAMAIL
4591 describe T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
4592 # score T_FILL_THIS_FORM_SHORT 1.00 # limit
4594 ##} T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4596 ##{ T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo
4598 ifplugin Mail::SpamAssassin::Plugin::ImageInfo
4599 meta T_FORGED_TBIRD_IMG_SIZE __FORGED_TBIRD_IMG && __ONE_IMG && __IMG_LE_300K
4600 describe T_FORGED_TBIRD_IMG_SIZE Likely forged Thunderbird image spam
4602 ##} T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo
4604 ##{ T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail
4606 ifplugin Mail::SpamAssassin::Plugin::FreeMail
4607 meta T_FREEMAIL_DOC_PDF __FREEMAIL_DOC_PDF
4608 describe T_FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail
4610 ##} T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail
4612 ##{ T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail
4614 ifplugin Mail::SpamAssassin::Plugin::FreeMail
4615 meta T_FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED
4616 describe T_FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden
4618 ##} T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail
4620 ##{ T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail
4622 ifplugin Mail::SpamAssassin::Plugin::FreeMail
4623 meta T_FREEMAIL_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF
4624 describe T_FREEMAIL_RVW_ATTCH Please review attached document, from freemail
4626 ##} T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail
4628 ##{ T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4630 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4631 meta T_FROMNAME_EQUALS_TO __PLUGIN_FROMNAME_EQUALS_TO
4632 describe T_FROMNAME_EQUALS_TO From:name matches To:
4633 #score T_FROMNAME_EQUALS_TO 1.0
4634 tflags T_FROMNAME_EQUALS_TO publish
4636 ##} T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4638 ##{ T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4640 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4641 meta T_FROMNAME_SPOOFED_EMAIL (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD)
4642 describe T_FROMNAME_SPOOFED_EMAIL From:name looks like a spoofed email
4643 #score T_FROMNAME_SPOOFED_EMAIL 0.3
4644 tflags T_FROMNAME_SPOOFED_EMAIL publish
4646 ##} T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4648 ##{ T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4650 if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4651 meta T_FROM_MULTI_SHORT_IMG __FROM_MULTI_SHORT_IMG && !__RCD_RDNS_MX_MESSY
4652 describe T_FROM_MULTI_SHORT_IMG Multiple From addresses + short message with image
4654 ##} T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4656 ##{ T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4658 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4659 body T_FUZZY_OPTOUT /(?:$|\W)(?=<O>)(?!opt[-\s]?out)<O><P><T>[-\s]?<O><U><T>(?:$|\W)/i
4660 describe T_FUZZY_OPTOUT Obfuscated opt-out text
4662 ##} T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4664 ##{ T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4666 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4667 body T_FUZZY_SPRM /<inter W1><post P2><S><P><U><R><M>/i
4669 ##} T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4671 ##{ T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4673 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4674 meta T_FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
4675 describe T_FUZZY_WELLSFARGO Obfuscated "Wells Fargo"
4677 ##} T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4679 ##{ T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4681 ifplugin Mail::SpamAssassin::Plugin::FreeMail
4682 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4683 meta T_GB_FREEM_FROM_NOT_REPLY ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO )
4684 describe T_GB_FREEM_FROM_NOT_REPLY From: and Reply-To: have different freemail domains
4685 # score T_GB_FREEM_FROM_NOT_REPLY 1.500 # limit
4686 tflags T_GB_FREEM_FROM_NOT_REPLY publish
4689 ##} T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4691 ##{ T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4693 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4694 meta T_GB_FROMNAME_SPOOFED_EMAIL_IP ( T_FROMNAME_SPOOFED_EMAIL && !__NOT_SPOOFED )
4695 describe T_GB_FROMNAME_SPOOFED_EMAIL_IP From:name looks like a spoofed email from a spoofed ip
4696 # score T_GB_FROMNAME_SPOOFED_EMAIL_IP 0.50 # limit
4697 tflags T_GB_FROMNAME_SPOOFED_EMAIL_IP publish
4699 ##} T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4701 ##{ T_GB_WEBFORM ifplugin Mail::SpamAssassin::Plugin::FreeMail
4703 ifplugin Mail::SpamAssassin::Plugin::FreeMail
4704 meta T_GB_WEBFORM ( ( __XMAIL_CODEIGN || __XMAIL_PHPMAIL ) && __URL_SHORTENER && FREEMAIL_FROM )
4705 describe T_GB_WEBFORM Webform with url shortener
4706 # score T_GB_WEBFORM 1.500 # limit
4708 ##} T_GB_WEBFORM ifplugin Mail::SpamAssassin::Plugin::FreeMail
4710 ##{ T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4712 ifplugin Mail::SpamAssassin::Plugin::FreeMail
4713 if (version >= 3.004000)
4714 meta T_HK_NAME_FM_FROM __HK_NAME_FROM && FREEMAIL_FROM
4715 # score T_HK_NAME_FM_FROM 1.5
4718 ##} T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4720 ##{ T_HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4722 ifplugin Mail::SpamAssassin::Plugin::FreeMail
4723 if (version >= 3.004000)
4724 meta T_HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM
4725 # score T_HK_NAME_FM_MR_MRS 1.5
4728 ##} T_HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4730 ##{ T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4732 ifplugin Mail::SpamAssassin::Plugin::FreeMail
4733 if (version >= 3.004000)
4734 meta T_HK_NAME_FROM __HK_NAME_FROM && !FREEMAIL_FROM
4735 # score T_HK_NAME_FROM 1.0
4738 ##} T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4740 ##{ T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4742 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4743 meta T_HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN
4745 ##} T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4747 ##{ T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4749 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4750 meta T_HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02
4751 describe T_HTML_ATTACH HTML attachment to bypass scanning?
4753 ##} T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4755 ##{ T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4757 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4758 meta T_ISO_ATTACH __ISO_ATTACH || __ISO_ATTACH_MT
4759 describe T_ISO_ATTACH ISO attachment - possible malware delivery
4760 # score T_ISO_ATTACH 3.000 # limit
4762 ##} T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4764 ##{ T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4766 ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4767 meta T_KAM_HTML_FONT_INVALID __KAM_HTML_FONT_INVALID
4768 describe T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML
4769 #score T_KAM_HTML_FONT_INVALID 0.1
4771 ##} T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4773 ##{ T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4775 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4776 meta T_LARGE_PCT_AFTER_MANY __LARGE_PERCENT_AFTER > 3
4777 describe T_LARGE_PCT_AFTER_MANY Many large percentages after...
4779 ##} T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4781 ##{ T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4783 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4784 body T_LFUZ_PWRMALE /<inter W1><post P2><P><O><W><E><R><M><A><L><E>/i
4786 ##} T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4788 ##{ T_LOTTO_AGENT_FM
4790 header T_LOTTO_AGENT_FM From =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize[\s_.]transfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i
4791 describe T_LOTTO_AGENT_FM Claims Agent
4792 ##} T_LOTTO_AGENT_FM
4794 ##{ T_LOTTO_AGENT_RPLY
4796 meta T_LOTTO_AGENT_RPLY __LOTTO_AGENT_RPLY && !__TO_YOUR_ORG
4797 describe T_LOTTO_AGENT_RPLY Claims Agent
4798 ##} T_LOTTO_AGENT_RPLY
4802 uri T_LOTTO_URI /(?:claim(?:s|ing)?(?:[-_]?processing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)?[-_]?rem+it+ance|award)[-_]?(?:department|dept|unit|group|committee|office|agent|manager|secretary)/i
4803 describe T_LOTTO_URI Claims Department URL
4806 ##{ T_MANY_HDRS_LCASE
4808 describe T_MANY_HDRS_LCASE Odd capitalization of multiple message headers
4809 #score T_MANY_HDRS_LCASE 0.10 # limit
4810 ##} T_MANY_HDRS_LCASE
4812 ##{ T_MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
4814 if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
4815 meta T_MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
4817 ##} T_MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
4819 ##{ T_MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
4821 ifplugin Mail::SpamAssassin::Plugin::FreeMail
4822 meta T_MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
4824 ##} T_MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
4826 ##{ T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4828 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4829 meta T_MANY_PILL_PRICE (__PILL_PRICE_01 + __PILL_PRICE_02) > 2
4830 describe T_MANY_PILL_PRICE Prices for many pills
4832 ##} T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4834 ##{ T_MIME_MALF if (version >= 3.004000)
4836 if (version >= 3.004000)
4837 meta T_MIME_MALF __MIME_MALF && !ALL_TRUSTED
4838 describe T_MIME_MALF Malformed MIME: headers in body
4839 # score T_MIME_MALF 2.00 # limit
4841 ##} T_MIME_MALF if (version >= 3.004000)
4843 ##{ T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4845 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4846 meta T_MONEY_PERCENT LOTS_OF_MONEY && (__PCT_FOR_YOU || __PCT_OF_PMTS || __FIFTY_FIFTY)
4847 describe T_MONEY_PERCENT X% of a lot of money for you
4849 ##} T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4851 ##{ T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4853 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4854 meta T_OBFU_ATTACH_MISSP __FROM_RUNON && (T_OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || T_OBFU_DOC_ATTACH || T_OBFU_PDF_ATTACH || T_OBFU_JPG_ATTACH || T_OBFU_GIF_ATTACH)
4855 describe T_OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From
4857 ##} T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4859 ##{ T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4861 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4862 mimeheader T_OBFU_DOC_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i
4863 describe T_OBFU_DOC_ATTACH MS Document attachment with generic MIME type
4865 ##} T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4867 ##{ T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4869 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4870 mimeheader T_OBFU_GIF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i
4871 describe T_OBFU_GIF_ATTACH GIF attachment with generic MIME type
4873 ##} T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4875 ##{ T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4877 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4878 mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.s?html?\b,i
4879 describe T_OBFU_HTML_ATTACH HTML attachment with non-text MIME type
4881 ##} T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4883 ##{ T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4885 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4886 meta T_OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02
4887 describe T_OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware
4889 ##} T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4891 ##{ T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4893 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4894 mimeheader T_OBFU_JPG_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i
4895 describe T_OBFU_JPG_ATTACH JPG attachment with generic MIME type
4897 ##} T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4899 ##{ T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4901 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4902 mimeheader T_OBFU_PDF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i
4903 describe T_OBFU_PDF_ATTACH PDF attachment with generic MIME type
4905 ##} T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4907 ##{ T_OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4909 if (version >= 3.004002)
4910 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4911 meta T_OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA
4912 describe T_OFFER_ONLY_AMERICA Offer only available to US
4913 #score T_OFFER_ONLY_AMERICA 2.0 # limit
4916 ##} T_OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4918 ##{ T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4920 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4921 meta T_PDS_BTC_AHACKER ( __PDS_BTC_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON )
4922 describe T_PDS_BTC_AHACKER Bitcoin Hacker
4923 # score T_PDS_BTC_AHACKER 3.0 # limit
4925 ##} T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4927 ##{ T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4929 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4930 meta T_PDS_BTC_HACKER ( __PDS_BTC_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM )
4931 describe T_PDS_BTC_HACKER Bitcoin Hacker
4932 # score T_PDS_BTC_HACKER 2.0 # limit
4934 ##} T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4936 ##{ T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4938 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4939 if (version >= 3.004000)
4940 meta T_PDS_EMPTYSUBJ_URISHRT __URL_SHORTENER && __SUBJECT_EMPTY && __PDS_MSG_1024
4941 describe T_PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener
4942 #score T_PDS_EMPTYSUBJ_URISHRT 1.5 # limit
4945 ##} T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4947 ##{ T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4949 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4950 if (version >= 3.004000)
4951 meta T_PDS_FREEMAIL_REPLYTO_URISHRT __URL_SHORTENER && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
4952 describe T_PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener
4953 #score T_PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit
4956 ##} T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4958 ##{ T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4960 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4961 if (version >= 3.004000)
4962 meta T_PDS_FROM_2_EMAILS_SHRTNER __URL_SHORTENER && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY
4963 describe T_PDS_FROM_2_EMAILS_SHRTNER From 2 emails short email with little more than a URI shortener
4964 #score T_PDS_FROM_2_EMAILS_SHRTNER 1.5 # limit
4967 ##} T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4969 ##{ T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4971 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4972 meta T_PDS_LTC_AHACKER ( __PDS_LITECOIN_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON )
4973 describe T_PDS_LTC_AHACKER Litecoin Hacker
4974 # score T_PDS_LTC_AHACKER 3.0 # limit
4976 ##} T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4978 ##{ T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4980 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4981 meta T_PDS_LTC_HACKER ( __PDS_LITECOIN_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM )
4982 describe T_PDS_LTC_HACKER Litecoin Hacker
4983 # score T_PDS_LTC_HACKER 2.0 # limit
4985 ##} T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4987 ##{ T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4989 if (version >= 3.004002)
4990 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4991 header T_PDS_PRO_TLD eval:check_uri_host_listed('SUSP_URI_NTLD_PRO')
4992 #score T_PDS_PRO_TLD 1.0
4993 describe T_PDS_PRO_TLD .pro TLD
4996 ##} T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4998 ##{ T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5000 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5001 if (version >= 3.004000)
5002 meta T_PDS_SHORTFWD_URISHRT __URL_SHORTENER && (__THREADED || __HAS_IN_REPLY_TO || __HAS_THREAD_INDEX || __URI_MAILTO || __REPTO_QUOTE) && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
5003 describe T_PDS_SHORTFWD_URISHRT Threaded email with URI shortener
5004 #score T_PDS_SHORTFWD_URISHRT 1.5 # limit
5007 ##} T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5009 ##{ T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5011 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5012 if (version >= 3.004000)
5013 meta T_PDS_SHORTFWD_URISHRT_FP __URL_SHORTENER && __HS_SUBJ_RE_FW && __PDS_MSG_512
5014 describe T_PDS_SHORTFWD_URISHRT_FP Apparently a short fwd/re with URI shortener
5015 #score T_PDS_SHORTFWD_URISHRT_FP 1.5 # limit
5018 ##} T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5020 ##{ T_PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5022 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5023 if (version >= 3.004000)
5024 meta T_PDS_SHORTFWD_URISHRT_QP __URL_SHORTENER && __HS_SUBJ_RE_FW && __T_PDS_MSG_512 && !T_PDS_SHORTFWD_URISHRT_FP
5025 describe T_PDS_SHORTFWD_URISHRT_QP Apparently a short fwd/re with URI shortener
5026 #score T_PDS_SHORTFWD_URISHRT_QP 1.5 # limit
5029 ##} T_PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5031 ##{ T_PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
5033 if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
5034 meta T_PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER
5035 describe T_PDS_TO_EQ_FROM_NAME From: name same as To: address
5037 ##} T_PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
5039 ##{ T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5041 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5042 if (version >= 3.004000)
5043 meta T_PDS_URISHRT_LOCALPART_SUBJ LOCALPART_IN_SUBJECT && __URL_SHORTENER && __PDS_MSG_1024
5044 describe T_PDS_URISHRT_LOCALPART_SUBJ Localpart of To in subject
5045 #score T_PDS_URISHRT_LOCALPART_SUBJ 1.0
5048 ##} T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5050 ##{ T_PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5052 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5053 meta T_PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF
5054 describe T_PHOTO_EDITING_DIRECT Image editing service, direct to MX
5055 # score T_PHOTO_EDITING_DIRECT 3.000 # limit
5057 ##} T_PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5059 ##{ T_PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5061 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5062 meta T_PHOTO_EDITING_FREEM __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
5063 describe T_PHOTO_EDITING_FREEM Image editing service, freemail or CHN replyto
5064 # score T_PHOTO_EDITING_FREEM 3.750 # limit
5066 ##} T_PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5068 ##{ T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
5070 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
5071 meta T_REMOTE_IMAGE __REMOTE_IMAGE
5072 describe T_REMOTE_IMAGE Message contains an external image
5074 ##} T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
5076 ##{ T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5078 if (version >= 3.004002)
5079 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5080 meta T_SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR
5081 describe T_SENT_TO_EMAIL_ADDR Email was sent to email address
5082 #score T_SENT_TO_EMAIL_ADDR 2.0 # limit
5085 ##} T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5089 meta T_SHARE_50_50 (__SHARE_IT || __AGREED_RATIO) && __FIFTY_FIFTY
5090 describe T_SHARE_50_50 Share the money 50/50
5093 ##{ T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5095 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5096 meta T_STY_INVIS_DIRECT __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK
5097 describe T_STY_INVIS_DIRECT HTML hidden text + direct-to-MX
5098 # score T_STY_INVIS_DIRECT 2.500 # limit
5100 ##} T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5102 ##{ T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5104 if (version >= 3.004002)
5105 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5106 meta T_SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD
5107 describe T_SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money
5108 #score T_SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit
5111 ##} T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5113 ##{ T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5115 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5116 if (version >= 3.004000)
5117 meta T_TONOM_EQ_TOLOC_SHRT_PSHRTNER __PDS_SHORT_URL && __PDS_TONAME_EQ_TOLOCAL && __SUBJ_SHORT
5118 describe T_TONOM_EQ_TOLOC_SHRT_PSHRTNER Short subject with potential shortener and To:name eq To:local
5119 #score T_TONOM_EQ_TOLOC_SHRT_PSHRTNER 1.5 # limit
5122 ##} T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5124 ##{ T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5126 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5127 if (version >= 3.004000)
5128 meta T_TONOM_EQ_TOLOC_SHRT_SHRTNER __URL_SHORTENER && __PDS_TONAME_EQ_TOLOCAL && __PDS_MSG_1024
5129 describe T_TONOM_EQ_TOLOC_SHRT_SHRTNER Short email with shortener and To:name eq To:local
5130 #score T_TONOM_EQ_TOLOC_SHRT_SHRTNER 1.5 # limit
5133 ##} T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5135 ##{ T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5137 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5138 body T_TVD_FUZZY_SECTOR /(?!sector)<S><E><C><T><O><R>/i
5140 ##} T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5142 ##{ T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5144 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5145 body T_TVD_FUZZY_SECURITIES /<inter W2><post P2>(?!securities)(?!security,? es)<S><E><C><U><R><I><T><I><E><S>/i
5147 ##} T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5149 ##{ T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5151 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5152 mimeheader T_TVD_FW_GRAPHIC_ID2 Content-Id =~ /<(?:[0-9A-F]{8}\.){3}[0-9A-F]{8}/
5154 ##} T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5156 ##{ T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5158 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5159 body T_TVD_MIME_EPI eval:check_msg_parse_flags('mime_epilogue_exists')
5161 ##} T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5163 ##{ T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5165 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5166 body T_TVD_MIME_NO_HEADERS eval:check_msg_parse_flags('missing_mime_headers')
5168 ##} T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5170 ##{ T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5172 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5173 meta T_WON_MONEY_ATTACH __YOU_WON && LOTS_OF_MONEY && (__PDF_ATTACH || __DOC_ATTACH)
5174 describe T_WON_MONEY_ATTACH You won lots of money! See attachment.
5176 ##} T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5178 ##{ T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5180 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5181 meta T_WON_NBDY_ATTACH __YOU_WON && __EMPTY_BODY && (__PDF_ATTACH || __DOC_ATTACH || __GIF_ATTACH || __JPEG_ATTACH)
5182 describe T_WON_NBDY_ATTACH You won lots of money! See attachment.
5184 ##} T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5186 ##{ T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5188 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5189 meta T_ZW_OBFU_BITCOIN __UNICODE_OBFU_ZW && __BITCOIN_ID
5190 describe T_ZW_OBFU_BITCOIN Obfuscated text + bitcoin ID - possible extortion
5191 # score T_ZW_OBFU_BITCOIN 2.500 # limit
5193 ##} T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5195 ##{ T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5197 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5198 meta T_ZW_OBFU_FREEM __UNICODE_OBFU_ZW && __freemail_hdr_replyto
5199 describe T_ZW_OBFU_FREEM Obfuscated text + freemail
5200 # score T_ZW_OBFU_FREEM 2.000 # limit
5202 ##} T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5204 ##{ T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5206 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5207 meta T_ZW_OBFU_FROMTOSUBJ __UNICODE_OBFU_ZW && FROM_IN_TO_AND_SUBJ
5208 describe T_ZW_OBFU_FROMTOSUBJ Obfuscated text + from in to and subject
5209 # score T_ZW_OBFU_FROMTOSUBJ 2.000 # limit
5211 ##} T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5213 ##{ UC_GIBBERISH_OBFU
5215 meta UC_GIBBERISH_OBFU (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED
5216 describe UC_GIBBERISH_OBFU Multiple instances of "word VERYLONGGIBBERISH word"
5217 #score UC_GIBBERISH_OBFU 3.000 # Limit
5218 tflags UC_GIBBERISH_OBFU publish
5219 ##} UC_GIBBERISH_OBFU
5223 meta UNDISC_FREEM __UNDISC_FREEM
5224 describe UNDISC_FREEM Undisclosed recipients + freemail reply-to
5225 tflags UNDISC_FREEM publish
5230 meta UNDISC_MONEY __UNDISC_MONEY && !__VIA_ML && !__MSGID_HEXISH
5231 describe UNDISC_MONEY Undisclosed recipients + money/fraud signs
5232 tflags UNDISC_MONEY publish
5235 ##{ UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5237 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5238 meta UNICODE_OBFU_ASC __UNICODE_OBFU_ASC && !__SPAN_BEG_TEXT && !HTML_IMAGE_ONLY_32
5239 describe UNICODE_OBFU_ASC Obfuscating text with unicode
5240 # score UNICODE_OBFU_ASC 2.500 # limit
5241 tflags UNICODE_OBFU_ASC publish
5243 ##} UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5245 ##{ UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5247 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5248 meta UNICODE_OBFU_ZW __UNICODE_OBFU_ZW_2 && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL_MESSY && !__DOS_HAS_LIST_ID && !__USING_VERP1 && !__DOS_HAS_LIST_UNSUB && !__RCD_RDNS_SMTP && !__DKIM_EXISTS
5249 describe UNICODE_OBFU_ZW Obfuscating text with hidden characters
5250 # score UNICODE_OBFU_ZW 3.500 # limit
5251 tflags UNICODE_OBFU_ZW publish
5253 ##} UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5257 meta UNSUB_GOOG_FORM __UNSUB_GOOG_FORM
5258 describe UNSUB_GOOG_FORM Unsubscribe via Google Docs form
5259 #score UNSUB_GOOG_FORM 2.500 # limit
5260 tflags UNSUB_GOOG_FORM publish
5263 ##{ URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
5265 ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
5266 urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 2
5267 body URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB')
5268 describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
5269 tflags URIBL_RHS_DOB net
5271 ##} URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
5275 meta URI_ADOBESPARK __URI_ADOBESPARK
5276 #score URI_ADOBESPARK 3.500 # limit
5277 tflags URI_ADOBESPARK publish
5280 ##{ URI_AZURE_CLOUDAPP
5282 meta URI_AZURE_CLOUDAPP __URI_AZURE_CLOUDAPP && __NAKED_TO && !__HDR_RCVD_GOOGLE
5283 describe URI_AZURE_CLOUDAPP Link to hosted azure web application, possible phishing
5284 #score URI_AZURE_CLOUDAPP 3.000 # limit
5285 tflags URI_AZURE_CLOUDAPP publish
5286 ##} URI_AZURE_CLOUDAPP
5290 meta URI_DASHGOVEDU __URI_DASHGOVEDU
5291 describe URI_DASHGOVEDU Suspicious domain name
5292 #score URI_DASHGOVEDU 3.500 # limit
5293 tflags URI_DASHGOVEDU publish
5298 meta URI_DATA __URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH && !__DOS_HAS_LIST_UNSUB
5299 describe URI_DATA "data:" URI - possible malware or phish
5300 #score URI_DATA 3.250 # limit
5301 tflags URI_DATA publish
5306 meta URI_DOTEDU __URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINK
5307 describe URI_DOTEDU Has .edu URI
5308 #score URI_DOTEDU 2.000 # limit
5309 tflags URI_DOTEDU publish
5312 ##{ URI_DOTEDU_ENTITY
5314 meta URI_DOTEDU_ENTITY __URI_DOTEDU_ENTITY && !__SUBSCRIPTION_INFO
5315 describe URI_DOTEDU_ENTITY Via .edu MTA + suspicious HTML content
5316 #score URI_DOTEDU_ENTITY 3.000 # limit
5317 tflags URI_DOTEDU_ENTITY publish
5318 ##} URI_DOTEDU_ENTITY
5322 meta URI_DOTTY_HEX __URI_DOTTY_HEX
5323 describe URI_DOTTY_HEX Suspicious URI format
5324 tflags URI_DOTTY_HEX publish
5329 meta URI_DQ_UNSUB __URI_DQ_UNSUB
5330 describe URI_DQ_UNSUB IP-address unsubscribe URI
5331 tflags URI_DQ_UNSUB publish
5336 meta URI_FIREBASEAPP __URI_FIREBASEAPP || __URI_WEBAPP
5337 describe URI_FIREBASEAPP Link to hosted firebase web application, possible phishing
5338 #score URI_FIREBASEAPP 3.000 # limit
5339 tflags URI_FIREBASEAPP publish
5342 ##{ URI_GOOGLE_PROXY
5344 meta URI_GOOGLE_PROXY __URI_GOOGLE_PROXY && !__FSL_RELAY_GOOGLE && !__TO___LOWER && !__MSGID_OK_HEX && !__HAS_CAMPAIGNID
5345 describe URI_GOOGLE_PROXY Accessing a blacklisted URI or obscuring source of phish via Google proxy?
5346 tflags URI_GOOGLE_PROXY publish
5347 ##} URI_GOOGLE_PROXY
5349 ##{ URI_GOOG_STO_SPAMMY
5351 uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:1tactc1200|430bc3a2d98b15a0c58bf8df8f938d|5(?:a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|a(?:1discover|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:liedtrust7?|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|tividade|udio0254)|b(?:337276797de5b3|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:fbgverhg|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|ircaknee0|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4ome1owne1r|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|otectsecurity)|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|coutstonenew|dfgwsd74fg|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|o(?:lbeam004|uthbeach(?:001|skin))|preader35|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|mobile0sur1vey|o(?:enailfungus|p(?:inal|olio29034))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))/;i
5352 describe URI_GOOG_STO_SPAMMY Link to spammy content hosted by google storage
5353 #score URI_GOOG_STO_SPAMMY 3.000
5354 tflags URI_GOOG_STO_SPAMMY publish
5355 ##} URI_GOOG_STO_SPAMMY
5359 meta URI_HEX_IP __URI_HEX_IP
5360 #score URI_HEX_IP 2.500 # limit
5361 describe URI_HEX_IP URI with hex-encoded IP-address host
5362 tflags URI_HEX_IP publish
5365 ##{ URI_IMG_WP_REDIR
5367 meta URI_IMG_WP_REDIR __URI_IMG_WP_REDIR
5368 #score URI_IMG_WP_REDIR 3.000 # limit
5369 describe URI_IMG_WP_REDIR Image via WordPress "accelerator" proxy
5370 tflags URI_IMG_WP_REDIR publish
5371 ##} URI_IMG_WP_REDIR
5375 meta URI_LONG_REPEAT __URI_LONG_REPEAT
5376 describe URI_LONG_REPEAT Long identical host+domain
5377 #score URI_LONG_REPEAT 2.500 # limit
5378 tflags URI_LONG_REPEAT publish
5381 ##{ URI_MALWARE_SCMS
5383 uri URI_MALWARE_SCMS /\.SettingContent-ms\b/i
5384 describe URI_MALWARE_SCMS Link to malware exploit download (.SettingContent-ms file)
5385 tflags URI_MALWARE_SCMS publish
5386 ##} URI_MALWARE_SCMS
5390 meta URI_OBFU_DOM __URI_OBFU_DOM && !__VIA_ML
5391 describe URI_OBFU_DOM URI pretending to be different domain
5394 ##{ URI_ONLY_MSGID_MALF
5396 meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO && !RCVD_IN_DNSWL_LOW
5397 tflags URI_ONLY_MSGID_MALF net
5398 meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO
5399 describe URI_ONLY_MSGID_MALF URI only + malformed message ID
5400 #score URI_ONLY_MSGID_MALF 2.000 # limit
5401 tflags URI_ONLY_MSGID_MALF publish
5402 ##} URI_ONLY_MSGID_MALF
5406 uri URI_OPTOUT_3LD m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i
5407 describe URI_OPTOUT_3LD Opt-out URI, suspicious hostname
5408 #score URI_OPTOUT_3LD 2.000 # limit
5409 tflags URI_OPTOUT_3LD publish
5414 uri URI_OPTOUT_USME m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i
5415 describe URI_OPTOUT_USME Opt-out URI, unusual TLD
5416 tflags URI_OPTOUT_USME publish
5421 describe URI_PHISH Phishing using web form
5422 #score URI_PHISH 4.00 # limit
5423 tflags URI_PHISH publish
5426 ##{ URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
5428 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
5429 meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT
5431 ##} URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
5433 ##{ URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5435 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5436 meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT
5438 ##} URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5442 meta URI_PHP_REDIR __URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTA
5443 #score URI_PHP_REDIR 3.500 # limit
5444 describe URI_PHP_REDIR PHP redirect to different URL (link obfuscation)
5445 tflags URI_PHP_REDIR publish
5450 meta URI_TRY_3LD __URI_TRY_3LD && !__HAS_ERRORS_TO && !__HDR_RCVD_ALIBABA && !__HDR_CASE_REVERSED && !__XM_EC_MESSENGER && !__CHARITY && !__URI_DOTEDU && !__HAS_X_REF && !__HDR_RCVD_APPLE
5451 describe URI_TRY_3LD "Try it" URI, suspicious hostname
5452 #score URI_TRY_3LD 2.000 # limit
5453 tflags URI_TRY_3LD publish
5458 meta URI_TRY_USME __URI_TRY_USME && !__DKIM_EXISTS
5459 describe URI_TRY_USME "Try it" URI, unusual TLD
5460 #score URI_TRY_USME 2.000 # limit
5461 tflags URI_TRY_USME publish
5466 meta URI_WPADMIN __URI_WPADMIN
5467 describe URI_WPADMIN WordPress login/admin URI, possible phishing
5468 tflags URI_WPADMIN publish
5473 meta URI_WP_DIRINDEX __URI_WPDIRINDEX
5474 describe URI_WP_DIRINDEX URI for compromised WordPress site, possible malware
5475 #score URI_WP_DIRINDEX 3.500 # limit
5476 tflags URI_WP_DIRINDEX publish
5481 meta URI_WP_HACKED (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED
5482 describe URI_WP_HACKED URI for compromised WordPress site, possible malware
5483 #score URI_WP_HACKED 3.500 # limit
5484 tflags URI_WP_HACKED publish
5489 meta URI_WP_HACKED_2 (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__HAS_LIST_ID && !__THREADED && !__USING_VERP1
5490 describe URI_WP_HACKED_2 URI for compromised WordPress site, possible malware
5491 #score URI_WP_HACKED_2 2.500 # limit
5492 tflags URI_WP_HACKED_2 publish
5497 meta USB_DRIVES __SUBJ_USB_DRIVES
5498 describe USB_DRIVES Trying to sell custom USB flash drives
5499 #score USB_DRIVES 2.000 # limit
5500 tflags USB_DRIVES publish
5505 meta VFY_ACCT_NORDNS __VFY_ACCT_NORDNS && !__STY_INVIS_MANY
5506 describe VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA - probable phishing
5507 #score VFY_ACCT_NORDNS 3.000 # limit
5508 tflags VFY_ACCT_NORDNS publish
5511 ##{ VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5513 if (version >= 3.004002)
5514 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5515 meta VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD
5516 tflags VPS_NO_NTLD publish
5517 describe VPS_NO_NTLD vps[0-9] domain at a suspiscious TLD
5518 #score VPS_NO_NTLD 1.0 # limit
5521 ##} VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5523 ##{ WALMART_IMG_NOT_RCVD_WAL
5525 meta WALMART_IMG_NOT_RCVD_WAL __WALMART_IMG_NOT_RCVD_WAL && !__DKIM_EXISTS
5526 #score WALMART_IMG_NOT_RCVD_WAL 2.500 # limit
5527 describe WALMART_IMG_NOT_RCVD_WAL Walmart hosted image but message not from Walmart
5528 tflags WALMART_IMG_NOT_RCVD_WAL publish
5529 ##} WALMART_IMG_NOT_RCVD_WAL
5531 ##{ WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5533 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5534 meta WORD_INVIS __WORD_INVIS_MINFP && !WORD_INVIS_MANY
5535 describe WORD_INVIS A hidden word
5536 # score WORD_INVIS 3.000 # limit
5537 tflags WORD_INVIS publish
5539 ##} WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5541 ##{ WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5543 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5544 meta WORD_INVIS_MANY __WORD_INVIS_2
5545 describe WORD_INVIS_MANY Multiple individual hidden words
5546 # score WORD_INVIS_MANY 3.000 # limit
5547 tflags WORD_INVIS_MANY publish
5549 ##} WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5551 ##{ XFER_LOTSA_MONEY
5553 meta XFER_LOTSA_MONEY __XFER_LOTSA_MONEY && !__VIA_ML && !__HAS_SENDER && !__SUBSCRIPTION_INFO
5554 describe XFER_LOTSA_MONEY Transfer a lot of money
5555 #score XFER_LOTSA_MONEY 1.000 # limit
5556 ##} XFER_LOTSA_MONEY
5560 meta XM_DIGITS_ONLY __XM_DIGITS_ONLY
5561 describe XM_DIGITS_ONLY X-Mailer malformed
5562 #score XM_DIGITS_ONLY 3.000 # limit
5563 tflags XM_DIGITS_ONLY publish
5566 ##{ XM_PHPMAILER_FORGED
5568 meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED
5569 describe XM_PHPMAILER_FORGED Apparently forged header
5570 tflags XM_PHPMAILER_FORGED publish
5571 ##} XM_PHPMAILER_FORGED
5575 meta XM_RANDOM __XM_RANDOM && !__STY_INVIS_3 && !__HAS_IN_REPLY_TO && !__XM_UC_ONLY && !__XM_ASPQMAIL && !__XM_VERY_LONG
5576 describe XM_RANDOM X-Mailer apparently random
5577 #score XM_RANDOM 2.500 # limit
5578 tflags XM_RANDOM publish
5583 describe XPRIO Has X-Priority header
5584 #score XPRIO 2.250 # limit
5585 tflags XPRIO publish
5588 ##{ XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM)
5590 if !plugin(Mail::SpamAssassin::Plugin::DKIM)
5591 meta XPRIO __XPRIO_MINFP
5593 ##} XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM)
5595 ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM
5597 ifplugin Mail::SpamAssassin::Plugin::DKIM
5600 ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM
5602 ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF)
5604 ifplugin Mail::SpamAssassin::Plugin::DKIM
5605 if !plugin(Mail::SpamAssassin::Plugin::SPF)
5606 meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE
5609 ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF)
5611 ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF
5613 ifplugin Mail::SpamAssassin::Plugin::DKIM
5614 ifplugin Mail::SpamAssassin::Plugin::SPF
5615 meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS
5618 ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF
5620 ##{ XPRIO_SHORT_SUBJ
5622 meta XPRIO_SHORT_SUBJ __XPRIO_SHORT_SUBJ && !__MSM_PRIO_REPTO && !ALL_TRUSTED && !__DKIM_EXISTS && !__RELAY_THRU_WWW && !__CTYPE_HAS_BOUNDARY && !__RCD_RDNS_MTA && !__HAS_HREF
5623 describe XPRIO_SHORT_SUBJ Has X Priority header + short subject
5624 #score XPRIO_SHORT_SUBJ 2.500 # limit
5625 tflags XPRIO_SHORT_SUBJ publish
5626 ##} XPRIO_SHORT_SUBJ
5628 ##{ XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5630 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5631 if (version >= 3.004000)
5632 meta XPRIO_URL_SHORTNER __XPRIO_MINFP && __URL_SHORTENER
5633 describe XPRIO_URL_SHORTNER X-Priority header and short URL
5634 #score XPRIO_URL_SHORTNER 1.0 # limit
5637 ##} XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5639 ##{ X_MAILER_CME_6543_MSN
5641 header X_MAILER_CME_6543_MSN X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/
5642 ##} X_MAILER_CME_6543_MSN
5646 meta YOU_INHERIT __YOU_INHERIT
5647 describe YOU_INHERIT Discussing your inheritance
5650 ##{ bayes_ignore_header_sandbox
5652 bayes_ignore_header X-ACL-Warn
5653 bayes_ignore_header X-Alimail-AntiSpam
5654 bayes_ignore_header X-Amavis-Modified
5655 bayes_ignore_header X-Anti-Spam
5656 bayes_ignore_header X-Anti-Virus
5657 bayes_ignore_header X-Anti-Virus-Version
5658 bayes_ignore_header X-AntiAbuse
5659 bayes_ignore_header X-Antispam
5660 bayes_ignore_header X-Antivirus
5661 bayes_ignore_header X-Antivirus-Code
5662 bayes_ignore_header X-Antivirus-Status
5663 bayes_ignore_header X-Antivirus-Version
5664 bayes_ignore_header x-aol-global-disposition
5665 bayes_ignore_header X-ASF-Spam-Status
5666 bayes_ignore_header X-ASG-Debug-ID
5667 bayes_ignore_header X-ASG-Orig-Subj
5668 bayes_ignore_header X-ASG-Recipient-Whitelist
5669 bayes_ignore_header X-ASG-Tag
5670 bayes_ignore_header X-Assp-Version
5671 bayes_ignore_header X-Authority-Analysis
5672 bayes_ignore_header X-Authvirus
5673 bayes_ignore_header X-Auto-Response-Suppress
5674 bayes_ignore_header X-AV-Do-Run
5675 bayes_ignore_header X-AV-Status
5676 bayes_ignore_header x-avast-antispam
5677 bayes_ignore_header X-Backend
5678 bayes_ignore_header X-Barracuda-Apparent-Source-IP
5679 bayes_ignore_header X-Barracuda-Bayes
5680 bayes_ignore_header X-Barracuda-BBL-IP
5681 bayes_ignore_header X-Barracuda-BRTS-Status
5682 bayes_ignore_header X-Barracuda-BRTS-URL-Found
5683 bayes_ignore_header X-Barracuda-Connect
5684 bayes_ignore_header X-Barracuda-Encrypted
5685 bayes_ignore_header X-Barracuda-Envelope-From
5686 bayes_ignore_header X-Barracuda-Fingerprint-Found
5687 bayes_ignore_header X-Barracuda-Orig-Rcpt
5688 bayes_ignore_header X-Barracuda-RBL-IP
5689 bayes_ignore_header X-Barracuda-RBL-Trusted-Forwarder
5690 bayes_ignore_header X-Barracuda-Spam-Report
5691 bayes_ignore_header X-Barracuda-Spam-Score
5692 bayes_ignore_header X-Barracuda-Spam-Status
5693 bayes_ignore_header X-Barracuda-Start-Time
5694 bayes_ignore_header X-Barracuda-UID
5695 bayes_ignore_header X-Barracuda-URL
5696 bayes_ignore_header X-Barracuda-Virus-Alert
5697 bayes_ignore_header X-Bayes-Prob
5698 bayes_ignore_header X-Bayesian-Result
5699 bayes_ignore_header X-BitDefender-Spam
5700 bayes_ignore_header X-BitDefender-SpamStamp
5701 bayes_ignore_header X-BL
5702 bayes_ignore_header X-Bogosity
5703 bayes_ignore_header X-Boxtrapper
5704 bayes_ignore_header X-Brightmail-Tracker
5705 bayes_ignore_header X-BTI-AntiSpam
5706 bayes_ignore_header X-Bugzilla-Version
5707 bayes_ignore_header X-CanIt-Geo
5708 bayes_ignore_header X-Canit-Stats-ID
5709 bayes_ignore_header X-CanItPRO-Stream
5710 bayes_ignore_header X-Clapf-spamicity
5711 bayes_ignore_header X-Cloud-Security
5712 bayes_ignore_header X-CM-Score
5713 bayes_ignore_header X-CMAE-Analysis
5714 bayes_ignore_header X-CMAE-Match
5715 bayes_ignore_header X-CMAE-Score
5716 bayes_ignore_header X-CMAE-Verdict
5717 bayes_ignore_header X-CNFS-Analysis
5718 bayes_ignore_header X-Company
5719 bayes_ignore_header X-Coremail-Antispam
5720 bayes_ignore_header X-CRM114-CacheID
5721 bayes_ignore_header X-CRM114-Status
5722 bayes_ignore_header X-CRM114-Version
5723 bayes_ignore_header X-CT-Spam
5724 bayes_ignore_header X-CTCH-SenderID
5725 bayes_ignore_header X-CTCH-SenderID-TotalBulk
5726 bayes_ignore_header X-CTCH-SenderID-TotalConfirmed
5727 bayes_ignore_header X-CTCH-SenderID-TotalMessages
5728 bayes_ignore_header X-CTCH-SenderID-TotalRecipients
5729 bayes_ignore_header X-CTCH-SenderID-TotalSpam
5730 bayes_ignore_header X-CTCH-SenderID-TotalSuspected
5731 bayes_ignore_header X-CTCH-SenderID-TotalVirus
5732 bayes_ignore_header X-CTCH-Spam
5733 bayes_ignore_header X-CTCH-VOD
5734 bayes_ignore_header X-Drweb-SpamState
5735 bayes_ignore_header X-DSPAM-Confidence
5736 bayes_ignore_header X-DSPAM-Factors
5737 bayes_ignore_header X-DSPAM-Improbability
5738 bayes_ignore_header X-DSPAM-Probability
5739 bayes_ignore_header X-DSPAM-Processed
5740 bayes_ignore_header X-DSPAM-Result
5741 bayes_ignore_header X-DSPAM-Signature
5742 bayes_ignore_header x-eavas
5743 bayes_ignore_header x-eavas-action
5744 bayes_ignore_header x-eavas-eavasid
5745 bayes_ignore_header X-Enigmail-Version
5746 bayes_ignore_header X-EsetId
5747 bayes_ignore_header X-EsetResult
5748 bayes_ignore_header X-Exchange-Antispam-Report
5749 bayes_ignore_header X-ExtloopSabreCommercials1
5750 bayes_ignore_header X-EYOU-SPAMVALUE
5751 bayes_ignore_header X-FB-OUTBOUND-SPAM
5752 bayes_ignore_header X-FEAS-SBL
5753 bayes_ignore_header X-FILTER-SCORE
5754 bayes_ignore_header X-Forefront-Antispam-Report
5755 bayes_ignore_header X-Forefront-PRVS
5756 bayes_ignore_header X-Fuglu-Spamstatus
5757 bayes_ignore_header X-Fuglu-Suspect
5758 bayes_ignore_header X-getmail-filter-classifier
5759 bayes_ignore_header X-GFIME-MASPAM
5760 bayes_ignore_header X-Gmane-NNTP-Posting-Host
5761 bayes_ignore_header X-GMX-Antispam
5762 bayes_ignore_header X-GMX-Antivirus
5763 bayes_ignore_header X-He-Spam
5764 bayes_ignore_header X-hMailServer-Spam
5765 bayes_ignore_header X-IAS
5766 bayes_ignore_header X-iGspam-global
5767 bayes_ignore_header X-Injected-Via-Gmane
5768 bayes_ignore_header X-Interia-Antivirus
5769 bayes_ignore_header X-IP-Spam-Verdict
5770 bayes_ignore_header X-Ironport
5771 bayes_ignore_header X-IronPort-Anti-Spam-Filtered
5772 bayes_ignore_header X-IronPort-Anti-Spam-Result
5773 bayes_ignore_header X-IronPort-AV
5774 bayes_ignore_header X-Ironport-HAT
5775 bayes_ignore_header X-Ironport-HOSTNAME
5776 bayes_ignore_header X-Ironport-LNR
5777 bayes_ignore_header X-Ironport-MessageFilter
5778 bayes_ignore_header X-Ironport-MFP
5779 bayes_ignore_header X-Ironport-MID
5780 bayes_ignore_header X-IronPort-Outgoing-Antispam
5781 bayes_ignore_header X-Ironport-RIF
5782 bayes_ignore_header X-Ironport-SBRS
5783 bayes_ignore_header X-Ironport-SENDER
5784 bayes_ignore_header X-Ironport-SUBJECT
5785 bayes_ignore_header X-Junk-Score
5786 bayes_ignore_header X-Junkmail
5787 bayes_ignore_header X-KLMS-AntiPhishing
5788 bayes_ignore_header X-Klms-Antispam
5789 bayes_ignore_header X-KLMS-AntiSpam-Info
5790 bayes_ignore_header X-KLMS-AntiSpam-Interceptor-Info
5791 bayes_ignore_header X-KLMS-AntiSpam-Lua-Profiles
5792 bayes_ignore_header X-KLMS-AntiSpam-Method
5793 bayes_ignore_header X-KLMS-AntiSpam-Moebius-Timestamps
5794 bayes_ignore_header X-KLMS-AntiSpam-Rate
5795 bayes_ignore_header X-KLMS-AntiSpam-Status
5796 bayes_ignore_header X-KLMS-AntiSpam-Version
5797 bayes_ignore_header X-KLMS-AntiVirus
5798 bayes_ignore_header X-KLMS-AntiVirus-Status
5799 bayes_ignore_header X-KLMS-Message-Action
5800 bayes_ignore_header X-KLMS-Rule-ID
5801 bayes_ignore_header X-KMail-EncryptionState
5802 bayes_ignore_header X-KMail-MDN-Sent
5803 bayes_ignore_header X-KMail-SignatureState
5804 bayes_ignore_header X-MailCleaner-SpamChec
5805 bayes_ignore_header X-MailCleaner-SpamCheck
5806 bayes_ignore_header X-MailFoundry
5807 bayes_ignore_header X-MDMailLookup-Result
5808 bayes_ignore_header X-ME-Bayesian
5809 bayes_ignore_header X-ME-Content
5810 bayes_ignore_header X-MessageFilter
5811 bayes_ignore_header X-Microsoft-Antispam
5812 bayes_ignore_header X-Mlf-Version
5813 bayes_ignore_header X-MXScan-AntiSpam
5814 bayes_ignore_header X-MXScan-AntiVirus
5815 bayes_ignore_header X-MXScan-Country-Sequence
5816 bayes_ignore_header X-MXScan-License
5817 bayes_ignore_header X-MXScan-Msgid
5818 bayes_ignore_header X-MXScan-ProcessingTime
5819 bayes_ignore_header X-MXScan-Scan
5820 bayes_ignore_header X-NAI-Spam-Flag
5821 bayes_ignore_header X-NAI-Spam-Rules
5822 bayes_ignore_header X-NAI-Spam-Score
5823 bayes_ignore_header X-NAI-Spam-Threshold
5824 bayes_ignore_header X-NetStation-Status
5825 bayes_ignore_header X-OVH-SPAMCAUSE
5826 bayes_ignore_header X-OVH-SPAMCAUSE:
5827 bayes_ignore_header X-OVH-SPAMSCORE
5828 bayes_ignore_header X-OVH-SPAMSTATE
5829 bayes_ignore_header X-PerlMx-Spam
5830 bayes_ignore_header X-PerlMx-Virus-Scanned
5831 bayes_ignore_header X-PFSI-Info
5832 bayes_ignore_header X-PMX-Spam
5833 bayes_ignore_header X-PMX-Version
5834 bayes_ignore_header X-Policy-Service
5835 bayes_ignore_header X-policyd-weight
5836 bayes_ignore_header X-PreRBLs
5837 bayes_ignore_header X-Probable-Spam
5838 bayes_ignore_header X-PROLinux-SpamCheck
5839 bayes_ignore_header X-Proofpoint-Spam-Reason
5840 bayes_ignore_header X-Proofpoint-Virus-Version
5841 bayes_ignore_header x-purgate-eavas: clean
5842 bayes_ignore_header x-purgate-id
5843 bayes_ignore_header x-purgate-size
5844 bayes_ignore_header x-purgate-type
5845 bayes_ignore_header X-Qmail-Scanner-Diagnostics
5846 bayes_ignore_header X-Qmail-Scanner-MOVED-X-Spam-Status
5847 bayes_ignore_header X-Quarantine-ID
5848 bayes_ignore_header X-RSpam-Report
5849 bayes_ignore_header X-SA-Do-Not-Run
5850 bayes_ignore_header X-SA-Exim-Version
5851 bayes_ignore_header X-Scanned-by
5852 bayes_ignore_header X-SmarterMail-CustomSpamHeader
5853 bayes_ignore_header X-Spam
5854 bayes_ignore_header X-Spam-Action
5855 bayes_ignore_header X-SPAM-AISP
5856 bayes_ignore_header X-Spam-Check-By
5857 bayes_ignore_header X-Spam-Checker-Version
5858 bayes_ignore_header X-Spam-CMAE-Analysis
5859 bayes_ignore_header X-Spam-CMAESCORE
5860 bayes_ignore_header X-Spam-CTCH-RefID
5861 bayes_ignore_header X-Spam-Flag
5862 bayes_ignore_header X-Spam-Level
5863 bayes_ignore_header X-Spam-Processed
5864 bayes_ignore_header X-Spam-Report
5865 bayes_ignore_header X-Spam-Scanned
5866 bayes_ignore_header X-Spam-Score
5867 bayes_ignore_header X-Spam-Score-Int
5868 bayes_ignore_header X-Spam-SmartLearn
5869 bayes_ignore_header X-Spam-Status
5870 bayes_ignore_header X-Spam-Threshold
5871 bayes_ignore_header X-Spam_bar
5872 bayes_ignore_header X-Spambayes-Classification
5873 bayes_ignore_header X-SpamExperts-Domain
5874 bayes_ignore_header X-SpamExperts-Outgoing-Class
5875 bayes_ignore_header X-SpamExperts-Outgoing-Evidence
5876 bayes_ignore_header X-SpamExperts-Username
5877 bayes_ignore_header X-Spamfilter-host
5878 bayes_ignore_header X-Spamina-Bogosity
5879 bayes_ignore_header X-Spamina-Spam-Report
5880 bayes_ignore_header X-Spamina-Spam-Score
5881 bayes_ignore_header X-SpamInfo
5882 bayes_ignore_header X-Spamsave
5883 bayes_ignore_header X-SpamTest-Group-ID
5884 bayes_ignore_header X-SpamTest-Info
5885 bayes_ignore_header X-SpamTest-Method
5886 bayes_ignore_header X-SpamTest-Rate
5887 bayes_ignore_header X-SpamTest-SPF
5888 bayes_ignore_header X-SpamTest-Status
5889 bayes_ignore_header X-SpamTest-Status-Extended
5890 bayes_ignore_header X-SPF-Scan-By
5891 bayes_ignore_header X-STA-Metric
5892 bayes_ignore_header X-STA-NotSpam
5893 bayes_ignore_header X-STA-Spam
5894 bayes_ignore_header X-StarScan-Version
5895 bayes_ignore_header X-SurGATE-Result
5896 bayes_ignore_header X-SWITCHham-Score
5897 bayes_ignore_header X-UI-Filterresults
5898 bayes_ignore_header X-UI-Loop
5899 bayes_ignore_header X-UI-Out-Filterresults
5900 bayes_ignore_header X-Univie-Spam-Checker-Version
5901 bayes_ignore_header X-Univie-Virus-Scan
5902 bayes_ignore_header X-Virus
5903 bayes_ignore_header X-Virus-Checker-Version
5904 bayes_ignore_header X-Virus-Scanned
5905 bayes_ignore_header X-Virus-Scanner-Result
5906 bayes_ignore_header X-Virus-Scanner-Version
5907 bayes_ignore_header X-Virus-Status
5908 bayes_ignore_header X-VirusChecked
5909 bayes_ignore_header X-VR-SCORE
5910 bayes_ignore_header X-VR-SPAMCAUSE
5911 bayes_ignore_header X-VR-STATUS
5912 bayes_ignore_header X-WatchGuard-Mail-Client-IP
5913 bayes_ignore_header X-WatchGuard-Mail-From
5914 bayes_ignore_header X-WatchGuard-Mail-Recipients
5915 bayes_ignore_header X-WatchGuard-Spam-ID
5916 bayes_ignore_header X-WatchGuard-Spam-Score
5917 bayes_ignore_header X-Whitelist-Domain
5918 bayes_ignore_header X-WUM-CCI
5919 bayes_ignore_header X_CMAE_Category##} bayes_ignore_header_sandbox
5921 ##{ if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
5923 if (version >= 3.004001)
5924 ifplugin Mail::SpamAssassin::Plugin::AskDNS
5925 askdns __FROM_FMBLA_NEWDOM _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/
5926 askdns __FROM_FMBLA_NEWDOM14 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.14$/
5927 askdns __FROM_FMBLA_NEWDOM28 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.28$/
5928 askdns __FROM_FMBLA_NDBLOCKED _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.255\.255\.255$/
5929 reuse FROM_FMBLA_NEWDOM
5930 reuse FROM_FMBLA_NEWDOM14
5931 reuse FROM_FMBLA_NEWDOM28
5932 reuse FROM_FMBLA_NDBLOCKED
5933 reuse __PDS_NEWDOMAIN
5934 reuse FROM_NUMBERO_NEWDOMAIN
5935 reuse FROM_NEWDOM_BTC
5936 askdns __PDS_SPF_ONLYALL _SENDERDOMAIN_ TXT /^v=spf1 \+all$/
5937 reuse BITCOIN_SPF_ONLYALL
5940 ##} if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
5942 ##{ if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox
5944 if (version >= 3.004002)
5945 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5946 enlist_addrlist (PAYPAL) *@paypal.com *@paypal.co.uk *@paypal.de *@paypal.com.au *@paypal.it
5947 enlist_addrlist (PAYPAL) *@paypal.es *@paypal.fr *@paypal.de *@paypal.com.hk
5948 enlist_addrlist (PAYPAL) *@*.paypal.com *@*.paypal.co.uk
5949 reuse __FROM_ADDRLIST_PAYPAL
5950 reuse FROM_PAYPAL_SPOOF
5951 enlist_addrlist (BANKS) *@abbey.co.uk *@abbey.com *@abbeyinternational.com *@abbeyinternational.co.uk *@abbeynational.com *@abbeynational.co.uk
5952 enlist_addrlist (BANKS) *@allianceleicester.com *@allianceleicester.co.uk *@alliance-leicester.com *@alliance-leicester.co.uk
5953 enlist_addrlist (BANKS) *@bankofamerica.com *@bankofamerica.co.uk
5954 enlist_addrlist (BANKS) *@barclaycard.com *@barclays.com
5955 enlist_addrlist (BANKS) *@citibank.com
5956 enlist_addrlist (BANKS) *@firstdirect.com *@firstdirect.co.uk
5957 enlist_addrlist (BANKS) *@halifax.com *@halifax.co.uk *@halifax-online.co.uk *@halifax-online.com
5958 enlist_addrlist (BANKS) *@hbos.com *@hbos.co.uk
5959 enlist_addrlist (BANKS) *@hsbc.com *@hsbc.co.uk *@hsbc.hk *@hsbcgroup.com *@hsbcgroup.co.uk
5960 enlist_addrlist (BANKS) *@lloydstsb.com *@lloydstsb.co.uk *@lloyds.com
5961 enlist_addrlist (BANKS) *@mbna.com
5962 enlist_addrlist (BANKS) *@nationwide.com *@nationwide.co.uk
5963 enlist_addrlist (BANKS) *@natwest.com *@natwest.co.uk
5964 enlist_addrlist (BANKS) *@santander.com *@santander.co.uk
5965 enlist_addrlist (BANKS) *@standardbank.co.za
5966 enlist_addrlist (BANKS) *@ybonline.co.uk *@ybonline.com
5967 reuse __FROM_ADDRLIST_BANKS
5968 reuse FROM_BANK_NOAUTH
5969 enlist_addrlist (GOV) *@*.gov
5970 enlist_addrlist (GOV) *@*.gov.uk *@parliament.uk *@*.parliament.uk
5971 reuse __FROM_ADDRLIST_GOV
5972 reuse FROM_GOV_SPOOF
5973 reuse FROM_GOV_DKIM_AU
5974 reuse FROM_GOV_REPLYTO_FREEMAIL
5975 enlist_addrlist (SUSP_NTLD) *@*.icu
5976 enlist_addrlist (SUSP_NTLD) *@*.online
5977 enlist_addrlist (SUSP_NTLD) *@*.work
5978 enlist_addrlist (SUSP_NTLD) *@*.date
5979 enlist_addrlist (SUSP_NTLD) *@*.top
5980 enlist_addrlist (SUSP_NTLD) *@*.fun
5981 enlist_addrlist (SUSP_NTLD) *@*.life
5982 enlist_addrlist (SUSP_NTLD) *@*.review
5983 enlist_addrlist (SUSP_NTLD) *@*.xyz
5984 enlist_addrlist (SUSP_NTLD) *@*.bid
5985 enlist_addrlist (SUSP_NTLD) *@*.stream
5986 enlist_addrlist (SUSP_NTLD) *@*.site
5987 enlist_addrlist (SUSP_NTLD) *@*.gdn
5988 enlist_addrlist (SUSP_NTLD) *@*.click
5989 enlist_addrlist (SUSP_NTLD) *@*.world
5990 enlist_addrlist (SUSP_NTLD) *@*.fit
5991 enlist_addrlist (SUSP_NTLD) *@*.ooo
5992 enlist_addrlist (SUSP_NTLD) *@*.faith
5993 enlist_addrlist (SUSP_NTLD) *@*.buzz
5994 enlist_addrlist (SUSP_NTLD) *@*.trade
5995 enlist_addrlist (SUSP_NTLD) *@*.cyou
5996 enlist_addrlist (SUSP_NTLD) *@*.vip
5997 enlist_uri_host (SUSP_URI_NTLD) icu
5998 enlist_uri_host (SUSP_URI_NTLD) online
5999 enlist_uri_host (SUSP_URI_NTLD) work
6000 enlist_uri_host (SUSP_URI_NTLD) date
6001 enlist_uri_host (SUSP_URI_NTLD) top
6002 enlist_uri_host (SUSP_URI_NTLD) fun
6003 enlist_uri_host (SUSP_URI_NTLD) life
6004 enlist_uri_host (SUSP_URI_NTLD) review
6005 enlist_uri_host (SUSP_URI_NTLD) xyz
6006 enlist_uri_host (SUSP_URI_NTLD) bid
6007 enlist_uri_host (SUSP_URI_NTLD) stream
6008 enlist_uri_host (SUSP_URI_NTLD) site
6009 enlist_uri_host (SUSP_URI_NTLD) gdn
6010 enlist_uri_host (SUSP_URI_NTLD) click
6011 enlist_uri_host (SUSP_URI_NTLD) world
6012 enlist_uri_host (SUSP_URI_NTLD) fit
6013 enlist_uri_host (SUSP_URI_NTLD) ooo
6014 enlist_uri_host (SUSP_URI_NTLD) faith
6015 enlist_uri_host (SUSP_URI_NTLD) buzz
6016 enlist_uri_host (SUSP_URI_NTLD) trade
6017 enlist_uri_host (SUSP_URI_NTLD) cyou
6018 enlist_uri_host (SUSP_URI_NTLD) vip
6019 enlist_uri_host (SUSP_URI_NTLD_PRO) pro
6020 reuse __FROM_ADDRLIST_SUSPNTLD
6021 reuse __REPLYTO_ADDRLIST_SUSPNTLD
6022 reuse FROM_SUSPICIOUS_NTLD
6023 reuse GOOGLE_DRIVE_REPLY_BAD_NTLD
6027 ##} if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox
6029 ##{ if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox
6031 if (version >= 3.004003)
6032 ifplugin Mail::SpamAssassin::Plugin::HashBL
6033 priority GB_HASHBL_BTC -100
6037 ##} if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox
6039 ##{ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6041 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
6042 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
6043 replace_tag lcase_e (?:e|\xc3[\xa8\xa9\xaa\xab]|\xc4[\x93\x95\x97\x99\x9b]|\xc8[\x85\x87\x80]|\xcf\xb5|\xd0\xb5|\xd1[\x90\x91\x94\xb3]|\xd2[\xbc\xbd\xbe\xbf]|\xd3[\x07\xa9\xab])
6044 replace_rules __E_LIKE_LETTER
6047 ##} if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6049 ##{ ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
6051 ifplugin Mail::SpamAssassin::Plugin::AskDNS
6052 askdns __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/
6053 reuse __DKIMWL_FREEMAIL
6054 askdns __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/
6055 reuse __DKIMWL_BULKMAIL
6056 askdns __DKIMWL_WL_HI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/
6057 reuse __DKIMWL_WL_HI
6058 askdns __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/
6059 reuse __DKIMWL_WL_MEDHI
6060 askdns __DKIMWL_WL_MED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/
6061 reuse __DKIMWL_WL_MED
6062 askdns __DKIMWL_WL_BL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/
6063 reuse __DKIMWL_WL_BL
6064 askdns __DKIMWL_BLOCKED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/
6065 reuse __DKIMWL_BLOCKED
6066 reuse DKIMWL_WL_HIGH
6067 reuse DKIMWL_WL_MEDHI
6070 reuse DKIMWL_BLOCKED
6071 askdns __HELO_DNS _LASTEXTERNALHELO_ A /./
6073 ##} ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
6075 ##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox
6077 ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
6080 ##} ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox
6082 ##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox
6084 ifplugin Mail::SpamAssassin::Plugin::DNSEval
6085 reuse RCVD_IN_IADB_LISTED
6086 reuse RCVD_IN_IADB_EDDB
6087 reuse RCVD_IN_IADB_EPIA
6088 reuse RCVD_IN_IADB_SPF
6089 reuse RCVD_IN_IADB_SENDERID
6090 reuse RCVD_IN_IADB_DK
6091 reuse RCVD_IN_IADB_RDNS
6092 reuse RCVD_IN_IADB_GOODMAIL
6093 reuse RCVD_IN_IADB_NOCONTROL
6094 reuse RCVD_IN_IADB_OPTOUTONLY
6095 reuse RCVD_IN_IADB_UNVERIFIED_1
6096 reuse RCVD_IN_IADB_UNVERIFIED_2
6097 reuse RCVD_IN_IADB_LOOSE
6098 reuse RCVD_IN_IADB_OPTIN_LT50
6099 reuse RCVD_IN_IADB_OPTIN_GT50
6100 reuse RCVD_IN_IADB_OPTIN
6101 reuse RCVD_IN_IADB_DOPTIN_LT50
6102 reuse RCVD_IN_IADB_DOPTIN_GT50
6103 reuse RCVD_IN_IADB_DOPTIN
6104 reuse RCVD_IN_IADB_ML_DOPTIN
6105 reuse RCVD_IN_IADB_OOO
6106 reuse RCVD_IN_IADB_MI_CPEAR
6107 reuse RCVD_IN_IADB_UT_CPEAR
6108 reuse RCVD_IN_IADB_MI_CPR_30
6109 reuse RCVD_IN_IADB_UT_CPR_30
6110 reuse RCVD_IN_IADB_MI_CPR_MAT
6111 reuse RCVD_IN_IADB_UT_CPR_MAT
6113 ##} ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox
6115 ##{ ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox
6117 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
6118 fns_ignore_dkim linkedin.com googlegroups.com yahoogroups.com yahoogroups.de
6119 fns_ignore_headers List-Id
6121 reuse __PLUGIN_FROMNAME_SPOOF
6122 reuse __PLUGIN_FROMNAME_EQUALS_TO
6124 ##} ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox
6126 ##{ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6128 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
6129 replace_rules T_FUZZY_SPRM
6130 replace_rules FUZZY_MERIDIA
6131 replace_rules TVD_FUZZY_PHARMACEUTICAL
6132 replace_rules TVD_FUZZY_SYMBOL
6133 replace_rules T_TVD_FUZZY_SECURITIES
6134 replace_rules TVD_FUZZY_FINANCE
6135 replace_rules TVD_FUZZY_FIXED_RATE
6136 replace_rules TVD_FUZZY_MICROCAP
6137 replace_rules T_TVD_FUZZY_SECTOR
6138 replace_rules TVD_FUZZY_DEGREE
6139 replace_rules __COPY_PASTE_EN
6140 replace_tag FF_LNNO (?:(?:\d{1,3}(?:[)}\]:.,]{1,80}|(?:st|nd|rd|th)[)}\]:.,]{0,3})|\W?\([\div]{1,5}\)|\W?\{\d{1,3}\}|\[\d{1,3}\]|\*{1,5}|\#{1,5}|\(?[A-K][)}\]:.,]{1,3})\s?)
6141 replace_tag FF_YOUR (?:a?\s?copy\sof\s)?(?:(?:your|din|seu|twoje)[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full(?:st[\xe4]ndigt)?\s?|complete\s|direct\s|private?\s|valid\s|personal\s|nuvarande\s|vollst[\xe4]ndige\s|aktuelle\s|pe\s(?:ne\s)?){0,3}
6142 replace_tag ANDOR (?:\s?[\/&+,]\s?|\sor\s|\sand?\s)
6143 replace_tag NUMBER (?:(?:ruf)?num(?:[bm]er)?\(?s?\)?|nos?\.|no\b|n[\xb0]|\#s?|nbrs?\.?)
6144 replace_tag FF_SUFFIX (?:\sin\s(?:full|words)|\scompleto)?:?(?:\s?[({][^)}]{1,30}[)}])?
6145 replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){3,100}))
6146 replace_tag FF_BLANK2 (?:[^-=_.,:;*\w]{0,3}(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){1,100})
6147 replace_tag FF_A1 (?:(?:countr?y|city|province|ter+itory|(?:zip|post(?:al)?)(?:\s?code)?|st?ates?|ad+res+e?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))?
6148 replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail|bostads|wohn)<ANDOR>?){0,3}\s?(?:ad+res+[es]{0,2}|location|endere[\xe7]o)(?:\sline)?(?:\s[0-9])?
6149 replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|user|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:<ANDOR>ad+res+)?
6150 replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one?)?|(?:ph|f)one|private)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s?<NUMBER>)?<ANDOR>?){1,3}
6151 replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|(?:user )?email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)<ANDOR>?){1,3}
6152 replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?s?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf|zaw(?:=F3|[\xf3])d)
6153 replace_tag FF_F1 (?:(?:bank(?:ing)?|beneficiary|billing|acc(?:oun)?t|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|institution|a\/c|<NUMBER>)<ANDOR>?){1,3}
6154 replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(?:en[sc]e)?|pas+\s?port|id\scard|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?)<ANDOR>?){1,3}(?:\s<NUMBER>)?
6155 replace_tag FF_F3 (?:picture|zdj\scie|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|(?:e-?mail\s)?pas+word|e-?mai?l\sid|amount\s[\w\s]{0,30}lost[\w\s]{0,15})
6156 replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names?
6157 replace_tag FF_F5 (?:ref(?:erence)?|batch|win+ing|award|billet)[-\s]?<NUMBER>
6158 replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>|<FF_L1>)
6159 replace_rules __FILL_THIS_FORM_LONG1
6160 replace_rules __FILL_THIS_FORM_LONG2
6161 replace_rules __FILL_THIS_FORM_PARTIAL
6162 replace_rules __FILL_THIS_FORM_PARTIAL_RAW
6163 replace_rules __FILL_THIS_FORM_SHORT1
6164 replace_rules __FILL_THIS_FORM_SHORT2
6165 replace_rules __FILL_THIS_FORM_LOAN1
6166 replace_rules __FILL_THIS_FORM_FRAUD_PHISH1
6167 replace_tag CURRENCY (?:[\(\[]?(?:\bU[Ss][D\$]{0,2}|\$(?:US)?|usd|USD|CAD|GBP|=[Aa][34]|\xa3|&\#16[34];|(?i:pounds\ssterling)|\xa4|EUR(?:OS?)?|(?:d')?[Ee]uro?s?|(?i:eur)\sde|CHF|FCFA|d[\xf3]lares\sde\slos\sE+\.\s?U+\.)[\]\)]?)
6168 replace_tag GB_UK \b(?:U\.?K\.?|(?:Great\s)?Brit(?:ain|ish)|G\.?B\.?)\b
6169 replace_tag NUM_NOT_DATE [1-9](?!\d\d\d\.\d\d\.\d\d\s)(?!\d?\.\d\d?\.\d\d\d\d\s)
6170 replace_tag NUM_NOT_DATE_IP <NUM_NOT_DATE>(?!\d{0,2}(?:\.0|\.[1-2]\d{0,2}){3}(?:\D|$))
6171 replace_rules __LOTSA_MONEY_00 __LOTSA_MONEY_01 __LOTSA_MONEY_02 __LOTSA_MONEY_03 __LOTSA_MONEY_04
6172 replace_tag PERCENT \b(?:\d\d|ten|[a-z]+teen|(?:twen|thir|fou?r|fif)ty(?:-?[a-z]+)?)\s?(?:%|percent)
6173 replace_rules __PCT_FOR_YOU_1 __PCT_FOR_YOU_2 __PCT_FOR_YOU_3 __PCT_OF_PMTS
6174 replace_rules T_FUZZY_OPTOUT
6175 replace_rules __FRT_PRICE
6176 replace_rules FUZZY_UNSUBSCRIBE
6177 replace_rules FUZZY_ANDROID
6178 replace_rules FUZZY_PROMOTION
6179 replace_rules FUZZY_PRIVACY
6180 replace_rules FUZZY_BROWSER
6181 replace_rules FUZZY_SAVINGS
6182 replace_rules FUZZY_IMPORTANT
6183 replace_rules FUZZY_SECURITY
6184 replace_rules __FUZZY_DR_OZ
6185 replace_rules FUZZY_CLICK_HERE
6186 replace_rules FUZZY_BITCOIN
6187 replace_rules __BITCOIN
6188 replace_rules FUZZY_WALLET
6189 replace_rules __FUZZY_MONERO
6190 replace_rules __FUZZY_WELLSFARGO_BODY
6191 replace_rules __FUZZY_WELLSFARGO_FROM
6192 replace_rules __FUZZY_PORN
6193 replace_rules FUZZY_AMAZON
6194 replace_rules FUZZY_APPLE
6195 replace_rules FUZZY_MICROSOFT
6196 replace_rules FUZZY_FACEBOOK
6197 replace_rules FUZZY_PAYPAL
6198 replace_rules FUZZY_NORTON
6199 replace_rules FUZZY_OVERSTOCK
6200 replace_rules __MY_VICTIM
6201 replace_rules __MY_MALWARE
6202 replace_rules __PAY_ME
6203 replace_rules __YOUR_PASSWORD
6204 replace_rules __YOUR_WEBCAM
6205 replace_rules __YOUR_ONAN
6206 replace_rules __YOUR_PERSONAL
6207 replace_rules __HOURS_DEADLINE
6208 replace_rules __EXPLOSIVE_DEVICE
6209 replace_rules T_LFUZ_PWRMALE
6210 replace_rules __PDS_BTC_HACKER __PDS_BTC_PIRATE
6211 reuse T_PDS_BTC_AHACKER
6212 reuse T_PDS_BTC_HACKER
6213 reuse T_PDS_LTC_AHACKER
6214 reuse T_PDS_LTC_HACKER
6216 ##} ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6218 ##{ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox
6220 ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
6223 ##} ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox
6225 ##{ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox
6227 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
6228 if (version >= 3.004000)
6229 enlist_uri_host (PDS_CASHSHORTENER) cutpaid.com
6230 enlist_uri_host (PDS_CASHSHORTENER) caat.site
6231 enlist_uri_host (PDS_CASHSHORTENER) triabicia.com
6232 enlist_uri_host (PDS_CASHSHORTENER) 2xs.io
6233 enlist_uri_host (PDS_CASHSHORTENER) ocest.site
6234 enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz
6235 enlist_uri_host (PDS_CASHSHORTENER) waar.site
6236 enlist_uri_host (PDS_CASHSHORTENER) cpmlink.net
6237 enlist_uri_host (PDS_CASHSHORTENER) cowner.net
6238 enlist_uri_host (PDS_CASHSHORTENER) adfoc.us
6239 enlist_uri_host (PDS_CASHSHORTENER) shrinkhere.xyz
6240 enlist_uri_host (PDS_CASHSHORTENER) gurl.pw
6241 enlist_uri_host (PDS_CASHSHORTENER) shortearn.eu
6242 enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz
6243 enlist_uri_host (PDS_CASHSHORTENER) libittarc.com
6244 enlist_uri_host (PDS_CASHSHORTENER) pc.cd
6245 enlist_uri_host (PDS_CASHSHORTENER) fc.lc
6246 enlist_uri_host (PDS_CASHSHORTENER) dares.xyz
6247 enlist_uri_host (PDS_CASHSHORTENER) trendlouds.com
6248 enlist_uri_host (PDS_CASHSHORTENER) yogaf.xyz
6249 enlist_uri_host (PDS_CASHSHORTENER) cobs.xyz
6250 enlist_uri_host (PDS_CASHSHORTENER) olnew.xyz
6251 enlist_uri_host (PDS_CASHSHORTENER) cleft.xyz
6252 enlist_uri_host (PDS_CASHSHORTENER) 7r6.com
6253 enlist_uri_host (PDS_CASHSHORTENER) mitly.us
6254 enlist_uri_host (PDS_CASHSHORTENER) kutpay.com
6255 enlist_uri_host (PDS_CASHSHORTENER) gsurl.me
6256 enlist_uri_host (PDS_CASHSHORTENER) gurl.ly
6257 enlist_uri_host (PDS_CASHSHORTENER) gsurl.in
6258 enlist_uri_host (PDS_CASHSHORTENER) acitoate.com
6259 enlist_uri_host (PDS_CASHSHORTENER) aclabink.com
6260 enlist_uri_host (PDS_CASHSHORTENER) activeation.com
6261 enlist_uri_host (PDS_CASHSHORTENER) activeterium.com
6262 enlist_uri_host (PDS_CASHSHORTENER) adflyforum.com
6263 enlist_uri_host (PDS_CASHSHORTENER) adflymail.com
6264 enlist_uri_host (PDS_CASHSHORTENER) adult.xyz
6265 enlist_uri_host (PDS_CASHSHORTENER) agileurbia.com
6266 enlist_uri_host (PDS_CASHSHORTENER) atomcurve.com
6267 enlist_uri_host (PDS_CASHSHORTENER) ay.gy
6268 enlist_uri_host (PDS_CASHSHORTENER) battleate.com
6269 enlist_uri_host (PDS_CASHSHORTENER) biastonu.com
6270 enlist_uri_host (PDS_CASHSHORTENER) bitigee.com
6271 enlist_uri_host (PDS_CASHSHORTENER) briskrange.com
6272 enlist_uri_host (PDS_CASHSHORTENER) brisktopia.com
6273 enlist_uri_host (PDS_CASHSHORTENER) casualient.com
6274 enlist_uri_host (PDS_CASHSHORTENER) clesolea.com
6275 enlist_uri_host (PDS_CASHSHORTENER) code404.biz
6276 enlist_uri_host (PDS_CASHSHORTENER) coginator.com
6277 enlist_uri_host (PDS_CASHSHORTENER) cogismith.com
6278 enlist_uri_host (PDS_CASHSHORTENER) covelign.com
6279 enlist_uri_host (PDS_CASHSHORTENER) crefranek.com
6280 enlist_uri_host (PDS_CASHSHORTENER) dashsphere.com
6281 enlist_uri_host (PDS_CASHSHORTENER) dataurbia.com
6282 enlist_uri_host (PDS_CASHSHORTENER) deciomm.com
6283 enlist_uri_host (PDS_CASHSHORTENER) ducolomal.com
6284 enlist_uri_host (PDS_CASHSHORTENER) east-jones.com
6285 enlist_uri_host (PDS_CASHSHORTENER) ecleneue.com
6286 enlist_uri_host (PDS_CASHSHORTENER) ellevolaw.com
6287 enlist_uri_host (PDS_CASHSHORTENER) endroudo.com
6288 enlist_uri_host (PDS_CASHSHORTENER) eunsetee.com
6289 enlist_uri_host (PDS_CASHSHORTENER) fainbory.com
6290 enlist_uri_host (PDS_CASHSHORTENER) fasttory.com
6291 enlist_uri_host (PDS_CASHSHORTENER) fawright.com
6292 enlist_uri_host (PDS_CASHSHORTENER) flyserve.co
6293 enlist_uri_host (PDS_CASHSHORTENER) greponozy.com
6294 enlist_uri_host (PDS_CASHSHORTENER) homoluath.com
6295 enlist_uri_host (PDS_CASHSHORTENER) hopigrarn.com
6296 enlist_uri_host (PDS_CASHSHORTENER) infopade.com
6297 enlist_uri_host (PDS_CASHSHORTENER) j.gs
6298 enlist_uri_host (PDS_CASHSHORTENER) kaitect.com
6299 enlist_uri_host (PDS_CASHSHORTENER) kializer.com
6300 enlist_uri_host (PDS_CASHSHORTENER) kibuilder.com
6301 enlist_uri_host (PDS_CASHSHORTENER) kimechanic.com
6302 enlist_uri_host (PDS_CASHSHORTENER) kudoflow.com
6303 enlist_uri_host (PDS_CASHSHORTENER) legeerook.com
6304 enlist_uri_host (PDS_CASHSHORTENER) libittarc.com
6305 enlist_uri_host (PDS_CASHSHORTENER) linkjaunt.com
6306 enlist_uri_host (PDS_CASHSHORTENER) locinealy.com
6307 enlist_uri_host (PDS_CASHSHORTENER) maetrimal.com
6308 enlist_uri_host (PDS_CASHSHORTENER) metastead.com
6309 enlist_uri_host (PDS_CASHSHORTENER) mmoity.com
6310 enlist_uri_host (PDS_CASHSHORTENER) mondoagram.com
6311 enlist_uri_host (PDS_CASHSHORTENER) neswery.com
6312 enlist_uri_host (PDS_CASHSHORTENER) nimbleinity.com
6313 enlist_uri_host (PDS_CASHSHORTENER) onisedeo.com
6314 enlist_uri_host (PDS_CASHSHORTENER) optitopt.com
6315 enlist_uri_host (PDS_CASHSHORTENER) picocurl.com
6316 enlist_uri_host (PDS_CASHSHORTENER) pladollmo.com
6317 enlist_uri_host (PDS_CASHSHORTENER) preofery.com
6318 enlist_uri_host (PDS_CASHSHORTENER) prereheus.com
6319 enlist_uri_host (PDS_CASHSHORTENER) q.gs
6320 enlist_uri_host (PDS_CASHSHORTENER) quainator.com
6321 enlist_uri_host (PDS_CASHSHORTENER) quamiller.com
6322 enlist_uri_host (PDS_CASHSHORTENER) queuecosm.bid
6323 enlist_uri_host (PDS_CASHSHORTENER) raboninco.com
6324 enlist_uri_host (PDS_CASHSHORTENER) rapidteria.com
6325 enlist_uri_host (PDS_CASHSHORTENER) rapidtory.com
6326 enlist_uri_host (PDS_CASHSHORTENER) sapolatsu.com
6327 enlist_uri_host (PDS_CASHSHORTENER) scapognel.com
6328 enlist_uri_host (PDS_CASHSHORTENER) simizer.com
6329 enlist_uri_host (PDS_CASHSHORTENER) skamaker.com
6330 enlist_uri_host (PDS_CASHSHORTENER) skamason.com
6331 enlist_uri_host (PDS_CASHSHORTENER) sluppend.com
6332 enlist_uri_host (PDS_CASHSHORTENER) sprysphere.com
6333 enlist_uri_host (PDS_CASHSHORTENER) streamvoyage.com
6334 enlist_uri_host (PDS_CASHSHORTENER) swarife.com
6335 enlist_uri_host (PDS_CASHSHORTENER) swiftation.com
6336 enlist_uri_host (PDS_CASHSHORTENER) swifttopia.com
6337 enlist_uri_host (PDS_CASHSHORTENER) techigo.com
6338 enlist_uri_host (PDS_CASHSHORTENER) threadsphere.bid
6339 enlist_uri_host (PDS_CASHSHORTENER) tinyical.com
6340 enlist_uri_host (PDS_CASHSHORTENER) tonancos.com
6341 enlist_uri_host (PDS_CASHSHORTENER) triabicia.com
6342 enlist_uri_host (PDS_CASHSHORTENER) turboagram.com
6343 enlist_uri_host (PDS_CASHSHORTENER) twineer.com
6344 enlist_uri_host (PDS_CASHSHORTENER) twiriock.com
6345 enlist_uri_host (PDS_CASHSHORTENER) userlab66.com
6346 enlist_uri_host (PDS_CASHSHORTENER) vaugette.com
6347 enlist_uri_host (PDS_CASHSHORTENER) velocicosm.com
6348 enlist_uri_host (PDS_CASHSHORTENER) velociterium.com
6349 enlist_uri_host (PDS_CASHSHORTENER) viahold.com
6350 enlist_uri_host (PDS_CASHSHORTENER) vializer.com
6351 enlist_uri_host (PDS_CASHSHORTENER) viwright.com
6352 enlist_uri_host (PDS_CASHSHORTENER) whareotiv.com
6353 enlist_uri_host (PDS_CASHSHORTENER) wirecellar.com
6354 enlist_uri_host (PDS_CASHSHORTENER) x19.biz
6355 enlist_uri_host (PDS_CASHSHORTENER) x19network.com
6356 enlist_uri_host (PDS_CASHSHORTENER) yabuilder.com
6357 enlist_uri_host (PDS_CASHSHORTENER) yamechanic.com
6358 enlist_uri_host (PDS_CASHSHORTENER) yoalizer.com
6359 enlist_uri_host (PDS_CASHSHORTENER) yobuilder.com
6360 enlist_uri_host (PDS_CASHSHORTENER) yoineer.com
6361 enlist_uri_host (PDS_CASHSHORTENER) yoitect.com
6362 enlist_uri_host (PDS_CASHSHORTENER) zipansion.com
6363 enlist_uri_host (PDS_CASHSHORTENER) zipteria.com
6364 enlist_uri_host (PDS_CASHSHORTENER) zipvale.com
6365 reuse T_PDS_SHORTFWD_URISHRT
6368 ##} ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox
6370 ##{ redirector_pattern_sandbox
6372 redirector_pattern m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i
6373 redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i
6374 redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:site|inurl):(.*?)(?:$|%20|[\s+&\#])'i
6375 redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&\#])'i
6376 redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i
6377 redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/pagead/iclk\?.*?(?<=[?&])adurl=(.*?)(?:$|[&\#])'i
6378 redirector_pattern m'^https?:/*(?:\w+\.)?aol\.com/redir\.adp\?.*(?<=[?&])_url=(.*?)(?:$|[&\#])'i
6379 redirector_pattern m'^https?/*(?:\w+\.)?facebook\.com/l/;(.*)'i
6380 ##} redirector_pattern_sandbox
6384 reuse T_PDS_HIDDEN_UK_BUSINESSLOAN
6385 reuse T_PDS_DOUBLE_URL
6386 reuse T_PDS_DBL_URL_LINKBAIT
6387 reuse PDS_DBL_URL_TNB_RUNON
6388 reuse T_PDS_DBL_URL_ILLEGAL_CHARS
6389 reuse FROM_2_EMAILS_SHORT
6390 reuse T_SHORT_BODY_QUOTE
6391 reuse T_BODY_QUOTE_MALF_MSGID
6392 reuse SPOOFED_FREEMAIL_NO_RDNS
6393 reuse T_PDS_URI_HIDDEN_HELO_NO_DOMAIN
6394 reuse T_PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
6395 reuse T_PDS_TONAME_EQ_TOLOCAL_SHORT
6396 reuse PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
6397 reuse T_PDS_TONAME_EQ_TOLOCAL_VSHORT
6398 reuse T_PDS_LITECOIN_ID
6401 reuse __PDS_GOOGLE_DRIVE_SHARE_1
6402 reuse __PDS_GOOGLE_DRIVE_SHARE_2
6403 reuse __PDS_GOOGLE_DRIVE_SHARE_3
6404 reuse __PDS_GOOGLE_DRIVE_SHARE
6405 reuse T_GOOGLE_DRIVE_DEAR_SOMETHING
6406 reuse __PDS_GOOGLE_DRIVE_FILE
6407 reuse __SHORT_BODY_G_DRIVE
6408 reuse __SHORT_BODY_G_DRIVE_DYN
6409 reuse T_SHORT_BODY_G_DRIVE_DYN
6410 reuse T_FROM_NAME_EQ_TO_G_DRIVE
6414 uri __128_ALNUM_URI m;[/?][0-9a-z]{128,}$;i
6416 uri __128_HEX_URI m,/[0-9a-f]{128},
6418 uri __128_LC_URI m;[/?][a-z]{128,}$;
6420 uri __45_ALNUM_IMG m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g)$;i
6422 uri __45_ALNUM_URI m;[/?][0-9a-z]{45,}$;i
6424 meta __45_ALNUM_URI_O __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI
6426 header __4BYTE_UTF8_WORD_SUBJ Subject =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
6428 uri __64_ANY_URI m;[/?]\w{64,}$;i
6430 body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i
6432 body __ACCESS_REVOKE /(?:(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)|Ihre Kreditkarte wird gesperrt)/i
6434 body __ACCESS_SUSPENDED /\b(?:(?:access|account|e?-?mails) (?:suspension|(?:has|have) (?:been )?(?:temporar(?:il)?y (?:been )?)?(?:suspended|blocked|locked|blacklisted))|suspend (?:you from|your) access(?:ing)?|suspen(?:sion|se|ded) noti(?:ce|fication))\b/i
6435 tflags __ACCESS_SUSPENDED multiple maxhits=2
6437 body __ACCOUNT_DISRUPT /\b(?:ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)|(?:avoid|incoming) (?:[a-z]+ ){0,5}e?-?mails? (?:from )?being rejected|avoid (?:account|e?-?mail(?: ?box)? )?(?:shut ?down|suspension|locking|termination|expiration)|will terminate (?:your|its) service)\b/i
6438 tflags __ACCOUNT_DISRUPT multiple maxhits=2
6440 body __ACCOUNT_ERROR /\b(?:your account (?:is|appears to be) (?:incorrect|missing|in error|invalid))\b/i
6442 body __ACCOUNT_REACTIV /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i
6444 body __ACCOUNT_SECURE /\b(?:make your (?:"?[^\@\s]+\@\S+"? |e-?mail )?account more secure|Ihre Kreditkarte weist einige Sicherheitsprobleme)\b/i
6446 body __ACCOUNT_UPGRADE /\b(?:upgrade (?:of )your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded|Weiter zur Aktualisierung)\b/i
6448 meta __ACCT_PHISH (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __PDS_FROM_NAME_TO_DOMAIN) > 1 && !__ACCT_PHISH_MANY
6450 meta __ACCT_PHISH_MANY (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + __PDS_FROM_NAME_TO_DOMAIN) > 3
6452 body __ACH_CANCELLED_01 /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
6454 body __ACH_CANCELLED_02 /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i
6456 body __ACH_CANCELLED_03 /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
6458 body __ACH_CANCELLED_04 /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i
6460 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6461 meta __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH
6464 uri __AC_1SEQC_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/C\//
6466 uri __AC_1SEQV_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/V\//
6468 uri __AC_CHDSEQ_URI /\/chd[a-z0-9]{20,}/
6470 header __AC_FROM_MANY_DOTS From =~ /<(?:\w{2,}\.){2,}\w+@/
6472 meta __AC_FROM_MANY_DOTS_MINFP __AC_FROM_MANY_DOTS && !ALL_TRUSTED && !FREEMAIL_FORGED_FROMDOMAIN && !FORGED_GMAIL_RCVD && !__UNSUB_LINK && !__XM_VBULLETIN && !__RDNS_SHORT && !__REPTO_QUOTE && !__FSL_RELAY_GOOGLE && !__HAS_IN_REPLY_TO && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_MX_MESSY && !__CTYPE_MULTIPART_MIXED && !__RCD_RDNS_MTA && !__VIA_ML && !__HAS_ERRORS_TO
6474 rawbody __AC_HTML_ENTITY_BONANZA_SHRT_RAW /(?:&[A-Z0-9\#]{2,};\s{0,64}){10}/i
6476 uri __AC_LAND_URI /\/land\//
6478 uri __AC_LONGSEQ_URI /\/[A-Z0-9]{50,}\.(?:php|html|cgi)\b/
6480 uri __AC_MHDSEQ_URI /\/mhd[a-z0-9]{20,}/
6482 uri __AC_NDOMLONGNASPX_URI /[A-Za-z]+[0-9]{2}\.[A-Za-z0-9-]+\.me\/(?:[A-Za-z0-9-]{10,}\/){2}[0-9]{8,}\/[A-Za-z]+\.aspx/
6484 uri __AC_NUMS_URI /(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(:?php|html)\b/
6486 uri __AC_OUTI_URI /\/outi\b/
6488 uri __AC_OUTL_URI /\/outl\b/
6490 uri __AC_PHPOFFSUB_URI /\/php\/off\/[0-9.]+\/sub\//
6492 uri __AC_PHPOFFTOP_URI /\/php\/off\/[0-9.]+\/top\//
6494 uri __AC_POSTHTMLEXTRAS /(?:main[0-9]?|mian|start(?:page)?|info(?:page|source|center)?|(?:one|view)?(?:site|source)(?:view|[0-9])?|(?:hub|file)one|index(?:[0-9]|page)?|mediafile|userlink|faction1)[.,]html?\/\w{2,}\b/i
6496 uri __AC_POSTIMGEXTRAS /(?:(?:main|external|hosted|new|file)?(?:im(?:g|age)?|user|one)s?-?(?:view(?:er)?|file|map|finder|portal|hub|online)?s?|library|media(?:source|-?files?)?|main|png|view|begin|file|port|space|webpics|host)(?:[-]?(?:[0-9]|one|two|three|four|five|six|seven|eight|nine))?[.,](?:jpe?g|png|gif)\/\w{2,}\b/i
6498 meta __AC_POST_EXTRAS (__AC_POSTHTMLEXTRAS || __AC_POSTIMGEXTRAS)
6500 uri __AC_PUNCTNUMS_URI /\.com\/[A-Za-z+=\/.?_-]{4,}[0-9]{9,12}[a-z0-9]{1,2}[A-Za-z+=\/.?_-]+[0-9]{7,9}[A-Za-z+=\/.?_-]{6,}[0-9]{7,9}\b/
6502 uri __AC_REPORT_URI /\/report\//
6504 uri __AC_RMOVE_URI /\/r\/move\/[0-9]+\//
6506 rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i
6508 uri __AC_UHDSEQ_URI /\/uhd[a-z0-9]{20,}/
6510 uri __AC_UNSUB_URI /\/unsub\//
6512 body __ADMAIL /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i
6514 body __ADMITS_SPAM /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:e-?mail[- ]+)?[a@]dvert[i1l]sement\b/i
6516 body __ADULTDATINGCOMPANY_BODY /\bAdultDatingCompany\b/i
6518 header __ADULTDATINGCOMPANY_FROM From:name =~ /\bAdultDatingCompany\b/i
6520 header __ADULTDATINGCOMPANY_REPTO Reply-To:name =~ /\bAdultDatingCompany\b/i
6522 meta __ADVANCE_FEE_2_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 1) && !__THREAD_INDEX_GOOD
6524 meta __ADVANCE_FEE_2_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
6526 meta __ADVANCE_FEE_2_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
6528 meta __ADVANCE_FEE_2_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
6530 meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 2) && !__THREAD_INDEX_GOOD
6532 meta __ADVANCE_FEE_3_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
6534 meta __ADVANCE_FEE_3_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
6536 meta __ADVANCE_FEE_3_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
6538 meta __ADVANCE_FEE_4_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 3) && !__THREAD_INDEX_GOOD
6540 meta __ADVANCE_FEE_4_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
6542 meta __ADVANCE_FEE_4_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
6544 meta __ADVANCE_FEE_4_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
6546 meta __ADVANCE_FEE_5_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 4) && !__THREAD_INDEX_GOOD
6548 meta __ADVANCE_FEE_5_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW
6550 meta __ADVANCE_FEE_5_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW
6552 meta __ADVANCE_FEE_5_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW
6554 body __AFF_004470_NUMBER /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/
6556 body __AFF_LOTTERY /(?:lottery|winner)/i
6558 meta __AFRICAN_STATE (__NIGERIA || __IVORY_COAST || __BURKINA_FASO || __GHANA || __BENIN || __AFR_UNION)
6560 body __AFR_UNION /\bafrican\sunion\b/i
6562 body __AGREED_RATIO /\b(?:agreed|sharing)\s(?:ratios?|percent\w+)\b/i
6564 meta __ALIBABA_IMG_NOT_RCVD_ALI __URI_IMG_ALICDN && !__HDR_RCVD_ALIBABA
6566 header __AMADEUSMS_MUA X-Mailer =~ /^Amadeus Messaging Server/
6568 meta __AMAZON_IMG_NOT_RCVD_AMZN __URI_IMG_AMAZON && !__HDR_RCVD_AMAZON && !__HDR_RCVD_AMAZON_HELO
6570 body __AM_DYING /\b(?:am\s(?:\S+\s)?dying|terminally\sill|cancer|en\sphase\sterminale|(?:become|is|devenu|maladie)\sincurable|que\sje\smeurs)\b/i
6572 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6573 mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /\bimage\//i
6576 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
6577 meta __ANY_TEXT_ATTACH 0
6580 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6581 mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
6584 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6585 mimeheader __ANY_TEXT_ATTACH_DOC Content-Type =~ /text\/\w+/i
6588 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
6589 body __APP_DEVELOPMENT /\b(?:mobile apps|(?:apps?|portal) (?:dev(?:elop(?:ment|ed))?|design|test(?:ing)?|U[IX]|maintenance|support)|(?:we |can |have )+(?:design(?:ed)?|buil[dt]|maintain(?:ed)?|created?)(?: over| more than)?[\s0-9]+apps|different platforms|we are (?:[-a-z]+ ){1,4}(?:software|apps?) (?:company|develop(?:ers|ment)))\b/i
6590 tflags __APP_DEVELOPMENT multiple maxhits=6
6593 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
6594 meta __APP_DEVELOPMENT_MANY __APP_DEVELOPMENT > 5
6597 body __ATM_CARD /\b(?:your|the|this|through|via|by\smeans\sof\|that\sa|issue\s(?:(?:to|for)\s)?you\sa)[\s\(](?:\w{1,20}\s)?(?:atm|debit|(?:money[\s-]?gram\s)?fast\scash)(?:\smaster|swift|value?|cash)?[\s\)]card/i
6599 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6600 meta __ATTACH_MSO_MHTML __TEXT_XML_MT && __MSO_THEME_MT && __X_MSO_MT
6603 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
6604 meta __ATTACH_NAME_NO_EXT 0
6607 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6608 mimeheader __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i
6611 body __ATTN_MAIL_USER /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i
6613 body __AUTO_ACCIDENT /auto(?:mobile)? accident/i
6615 header __AXB_MO_OL_024C2 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2600\.0000/
6617 header __AXB_XM_OL_024C2 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2600\.0000/
6619 body __BACK_SCRATCH /\bmutual+y?\s(?:benefi(?:t|cial)|interest)\b/i
6621 body __BANK_DRAFT /\bbank\sdraft/i
6623 body __BARRISTER /\b(?:barrister|solicitor at law|barr\.)/i
6625 meta __BEBEE_IMG_NOT_RCVD_BB __URI_IMG_BEBEE && !__HDR_RCVD_BEBEE
6627 body __BENEFICIARY /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])n(?:e|=E9|[\xe9]|[\xc3][\xa9])fi(?:c|sh)i?ai?r(?:y|ies|es?)/i
6629 body __BENIN /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])nin\b/i
6631 body __BIGNUM_EMAILS /\b(?:thousand|million|\d[,1-9]{0,6}(?:[,0]{2,}k?|k))\s(?:(?!and|or|your|place|baby|suspicious|supportive|subpoenaed)\w+\s)?(?:e-?mail(?:(?![-:.\)\>\]])s?|\saddresses)|fax numbers|leads|names)\b/i
6632 tflags __BIGNUM_EMAILS multiple maxhits=5
6634 meta __BIGNUM_EMAILS_3 __BIGNUM_EMAILS > 2
6636 meta __BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS && __freemail_hdr_replyto
6638 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
6639 body __BITCOIN /\bB[-\s]?i[-\s]?t[-\s]?c[-\s]?o[-\s]?i[-\s]?n\b/i
6642 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
6643 body __BITCOIN /<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i
6646 body __BITCOIN_ID /\b(?<!=)(?:[13](?:(?:[-_=\s][a-km-zA-HJ-NP-Z1-9]){29,34}|[a-km-zA-HJ-NP-Z1-9]{29,34})|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90}|b[-_=\s]c[-_=\s]1(?:[-_=\s][acdefghjklmnpqrstuvwxyz234567890]){30,90})\b/
6648 meta __BITCOIN_IMGUR __IMGUR_IMG && __BITCOIN
6650 meta __BITCOIN_OBFU_SUBJ __BITCOIN && __SUBJ_OBFU_PUNCT
6652 meta __BITCOIN_SPAM_02 __BITCOIN_ID && __BOTH_INR_AND_REF
6654 meta __BITCOIN_SPAM_05 __BITCOIN_ID && __SPOOFED_FREEMAIL
6656 meta __BITCOIN_SPAM_07 __BITCOIN_ID && __TO_EQ_FROM
6658 meta __BITCOIN_WFH_01 __BITCOIN && __WFH_01
6660 meta __BITCOIN_XPRIO __XPRIO && (__BITCOIN || __BITCOIN_ID)
6662 body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s
6664 body __BODY_TEXT_LINE /^\s*\S/
6665 tflags __BODY_TEXT_LINE multiple maxhits=3
6667 meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE
6669 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
6670 full __BOGUS_MIME_HDR /\bContent-[XYZ]-[a-z]{6,15}:\s+[a-z]{6,15}\b/
6671 tflags __BOGUS_MIME_HDR multiple maxhits=8
6674 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
6675 meta __BOGUS_MIME_HDR_MANY __BOGUS_MIME_HDR > 7
6678 header __BOGUS_MIME_VER_02 MIME-Version =~ /^(?!.*\b1\.0\b).+/
6680 meta __BOGUS_MSM_HDRS __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX
6682 body __BONUS_LAST_DAY /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i
6684 meta __BOTH_INR_AND_REF (__XM_BALSA || __XM_CALYPSO || __XM_FORTE || __XM_MHE || __XM_SQRLMAIL || __XM_SYLPHEED || __THEBAT_MUA || __XM_VM || __XM_XIMEVOL || __UA_KMAIL || __UA_MOZ5 || __UA_OPERA7)
6686 body __BTC_OBFU_2 /\b\W{0,10}b(?!it[-\s]?coin)\W{0,10}i\W{0,10}t\W{0,10}c\W{0,10}o\W{0,10}i\W{0,10}n\W{0,10}\b/i
6688 body __BTC_OBFU_3 /\b\W{0,10}b(?!tc\b)\W{0,10}t\W{0,10}c\W{0,10}\b/i
6690 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
6691 body __BTC_OBFU_4 /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
6694 body __BTC_OBFU_5 /&\#x62;&\#x69;&\#x74;&\#x63;&\#x6F;&\#x69;&\#x6E;/i
6696 rawbody __BUGGED_IMG m{<img\b[^>]{0,100}\ssrc=.?https?://[^>]{6,80}(?:\?[^>]{8}|[^a-z](?![a-f]{3}|20\d\d[01]\d[0-3]\d)[0-9a-f]{8})}i
6698 body __BURKINA_FASO /\bburkina\s?faso\b/i
6700 body __CANT_SEE_AD_1 /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i
6702 body __CANT_SEE_AD_2 /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i
6704 body __CAN_HELP /\bcan help\b/i
6706 body __CASHPRZ /cash prize of/
6708 body __CHARITY /\b(?:charit(?:y|[ai]ble)|orphans?|homeless|orphelins|sans\sabri)\b/i
6710 body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here|(?:please|automatically) reduce (?:your|the) e?-?mail ?box size|reduce (?:your |the )?(?:e?-?mail(?: ?box)? )?size automatically)\b/i
6711 tflags __CLEAN_MAILBOX multiple maxhits=2
6713 rawbody __COMMENT_GIBBERISH /<!--(?:\s{1,10}[-\w'"]{1,40}){100}/im
6715 body __COMPENSATION /\b(?:compensat(?:e|ion)|recompensed?|ausgleich)\b/i
6717 body __CONTACT_ATTY /\bcontact(?:er)?\s(?:my|(?:de\s)?mon)\s(?:barrister|attou?rney|lawyer|avocat|gestionnaire)\b/i
6719 body __CONTACT_YOU /\b(?:contact(?:ing)\syou|vous\scontacter?)\b/i
6721 rawbody __CONTENT_AFTER_HTML /<\/html>\s*[a-z0-9]/i
6723 body __COPY_PASTE_DE /Kopieren Sie es und f(?:\xfc|\xc3\xbc)gen Sie es ein|Kopieren \& Einf(?:\xfc|\xc3\xbc)gen/i
6725 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
6726 body __COPY_PASTE_EN /Copy (and|\+|\&) paste/i
6729 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
6730 body __COPY_PASTE_EN /<C><O><P><Y> (?:<A><N><D>|\+|\&) <P><A><S><T><E>/i
6733 body __COPY_PASTE_ES /copiarlo y pegarlo/i
6735 body __COPY_PASTE_FR /le copier (et le|\+) coller/i
6737 body __COPY_PASTE_IT /copia(r?)lo (e|\&) incolla(r?)lo/i
6739 body __COPY_PASTE_NL /kopieer en plak het/i
6741 body __COPY_PASTE_SE /kopiera den och klistra in/i
6743 body __COURIER /\bcourier\s(?:company|service)\b/i
6745 header __CR_IN_SUBJ Subject:raw =~ /\015/
6747 header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w+/i
6749 header __CTYPE_MULTIPART_MIXED Content-Type =~ /multipart\/mixed/i
6751 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
6755 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6756 mimeheader __CTYPE_NULL Content-Type =~ /^\s*;/
6759 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6760 mimeheader __CTYPE_ONETAB_GIF Content-Type:raw =~ /^image\/gif;\n\tname=\".+?\"$/s
6763 header __CT_ENCRYPTED Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/
6765 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6766 mimeheader __CT_UTF7 Content-Type =~ /\bcharset=.?utf-7\b/i
6769 header __DATE_LOWER ALL =~ /date:\s\S{5}/
6771 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
6772 body __DAY_I_EARNED /day,?\sI\s(?:earned|got|received|made|brought\sin)\s\$\s?\d{3}/i
6773 tflags __DAY_I_EARNED multiple maxhits=4
6776 body __DBLCLAIM /avoid double claiming/
6778 body __DEAD_PARENT /\b(?:my|meu)\s(?:(?:deceased|dead)\s(?:father|mother|husband)|(?:father|dad|mother|mom|husband|marido)(?:'?s)?\s(?:death|died|passed\saway|murder|was\s(?:killed|murdered|poisoned)|faleceu))/i
6780 body __DEAL /\b(?:(?:business|financial|this|the|mutual|die(?:se)?r?|cette|profitable)\s(?:deal|transa[ck]tion|proposal|off[er]{2}|venture|suggestion|partnership)|your\spartnership)/i
6782 body __DECEASED /\b(?:the|my|your|der|du|le|meu?)\s(?:deceased|late|verstorbenen|d(?:i|e|=E9|[\xe9]|[\xc3][\xa9])funto?|d(?:e|=E9|[\xe9]|[\xc3][\xa9])nt|falecido)\b/i
6784 body __DESTROY_ME /\b(?:destroy|hunt|quemar)\sm[eyi]\b/i
6786 body __DESTROY_YOU /\b(?:destroy\syou|deine Zukunft zerst\S{1,3}ren)/i
6788 body __DIED_IN /\bdied\sin\b/i
6790 body __DIPLOMATIC /\bdiplomatic\b/i
6792 ifplugin Mail::SpamAssassin::Plugin::AskDNS
6793 tflags __DKIMWL_BLOCKED net
6796 ifplugin Mail::SpamAssassin::Plugin::AskDNS
6797 tflags __DKIMWL_BULKMAIL net
6800 ifplugin Mail::SpamAssassin::Plugin::AskDNS
6801 tflags __DKIMWL_FREEMAIL net
6804 ifplugin Mail::SpamAssassin::Plugin::AskDNS
6805 tflags __DKIMWL_WL_BL net
6808 ifplugin Mail::SpamAssassin::Plugin::AskDNS
6809 tflags __DKIMWL_WL_HI net
6812 ifplugin Mail::SpamAssassin::Plugin::AskDNS
6813 tflags __DKIMWL_WL_MED net
6816 ifplugin Mail::SpamAssassin::Plugin::AskDNS
6817 tflags __DKIMWL_WL_MEDHI net
6820 header __DKIM_EXISTS exists:DKIM-Signature
6821 tflags __DKIM_EXISTS nice
6823 body __DLND_ATTACH /\bdownload\sthe\sattach(?:ed|ment)\b/i
6825 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
6829 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6830 meta __DOC_ATTACH (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2)
6833 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
6834 meta __DOC_ATTACH_FN1 0
6837 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6838 mimeheader __DOC_ATTACH_FN1 Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i
6841 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
6842 meta __DOC_ATTACH_FN2 0
6845 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6846 mimeheader __DOC_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i
6849 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
6850 meta __DOC_ATTACH_MT 0
6853 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6854 mimeheader __DOC_ATTACH_MT Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i
6857 body __DORMANT_ACCT /\b(?:(?:dormant|abandoned|left\s?over)\s(?:account|fund|transaction|sum|deposit)|fonds\sdorment)/i
6859 body __DOS_BODY_FRI /\bfri(?:day)?\b/i
6861 body __DOS_BODY_MON /\bmon(?:day)?\b/i
6863 body __DOS_BODY_SAT /\bsat(?:day)?\b/i
6865 body __DOS_BODY_STOCK /\bstock\b/i
6867 body __DOS_BODY_SUN /\bsun(?:day)?\b/i
6869 body __DOS_BODY_THU /\bthu(?:r(?:s(?:day)?)?)?\b/i
6871 body __DOS_BODY_TICKER /\b[A-Z]{4}\.(?:OB|PK)\b/
6873 body __DOS_BODY_TUE /\btue(?:s(?:day)?)?\b/i
6875 body __DOS_BODY_WED /\bwed(?:nesday)?\b/i
6877 body __DOS_COMING_TO_YOUR_PLACE /I (?:am|might(?: be)?) c[a-z]?o[a-z]?m[a-z]?(?:i[a-z]?n[a-z]?g[a-z]{0,2}|e down) to y[!a-z]{2,4}r (?:city|place[a-z]{0,2}|co[a-z]?u[a-z]?n[a-z]?t[a-z]?ry) in (?:f[a-z]?e[a-z]?w|\d{1,2}) (?:day|week)s/
6879 body __DOS_CORRESPOND_EMAIL /correspond with me using my email/
6881 meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT
6883 meta __DOS_DIRECT_TO_MX_UNTRUSTED __DOS_DIRECT_TO_MX && !ALL_TRUSTED
6885 body __DOS_DROP_ME_A_LINE /Drop me a line at/
6887 body __DOS_EMAIL_DIRECTLY /(?:Email m[a-z]?e|address) direc(?:tl|lt)y at/
6889 body __DOS_FIN_ADVANTAGE /\bfinancial advantage/i
6891 uri __DOS_HAS_ANY_URI /^\w+:\/\//
6893 header __DOS_HAS_LIST_ID exists:List-ID
6895 header __DOS_HAS_LIST_UNSUB exists:List-Unsubscribe
6897 header __DOS_HAS_MAILING_LIST exists:Mailing-List
6899 body __DOS_HI /^Hi,$/
6901 body __DOS_I_AM_25 /I a.?m 25/
6903 body __DOS_I_DRIVE_A /I drive a/
6905 body __DOS_LET_GO_JOB /I was (?:let go|fired|layed off|dismissed) from a job I h(?:el|a)d for (?:2\d years|\d{3} months)/
6907 body __DOS_LINK /\blink\b/
6909 body __DOS_MEET_EACH_OTHER /(?:meet each other|[Mm]ay ?be we can meet)/
6911 header __DOS_MSGID_DIGITS10 Message-ID =~ /<1[013-9]\d{8}\@.*>/
6913 header __DOS_MSGID_DIGITS9 Message-ID =~ /<\d{9}\@.*>/
6915 body __DOS_MY_OLD_JOB /my old job/
6917 body __DOS_PERSONAL_EMAIL /personal email at/
6919 header __DOS_RCVD_FRI Received =~ / Fri, /
6921 header __DOS_RCVD_MON Received =~ / Mon, /
6923 header __DOS_RCVD_SAT Received =~ / Sat, /
6925 header __DOS_RCVD_SUN Received =~ / Sun, /
6927 header __DOS_RCVD_THU Received =~ / Thu, /
6929 header __DOS_RCVD_TUE Received =~ / Tue, /
6931 header __DOS_RCVD_WED Received =~ / Wed, /
6933 meta __DOS_REF_2_WK_DAYS (__DOS_RCVD_MON && __DOS_BODY_WED) || (__DOS_RCVD_TUE && __DOS_BODY_THU) || (__DOS_RCVD_WED && __DOS_BODY_FRI) || (__DOS_RCVD_THU && __DOS_BODY_MON) || (__DOS_RCVD_FRI && __DOS_BODY_TUE) || (__DOS_RCVD_SAT && __DOS_BODY_TUE) || (__DOS_RCVD_SUN && __DOS_BODY_TUE)
6935 meta __DOS_REF_NEXT_WK_DAY (__DOS_RCVD_MON && __DOS_BODY_TUE) || (__DOS_RCVD_TUE && __DOS_BODY_WED) || (__DOS_RCVD_WED && __DOS_BODY_THU) || (__DOS_RCVD_THU && __DOS_BODY_FRI) || (__DOS_RCVD_FRI && __DOS_BODY_MON) || (__DOS_RCVD_SAT && __DOS_BODY_MON) || (__DOS_RCVD_SUN && __DOS_BODY_MON)
6937 meta __DOS_REF_TODAY (__DOS_RCVD_MON && __DOS_BODY_MON) || (__DOS_RCVD_TUE && __DOS_BODY_TUE) || (__DOS_RCVD_WED && __DOS_BODY_WED) || (__DOS_RCVD_THU && __DOS_BODY_THU) || (__DOS_RCVD_FRI && __DOS_BODY_FRI) || (__DOS_RCVD_SAT && __DOS_BODY_SAT) || (__DOS_RCVD_SUN && __DOS_BODY_SUN)
6939 header __DOS_RELAYED_EXT ALL-EXTERNAL =~ /(?:^|\n)[Rr][eE][cC][eE][iI][vV][eE][dD]:\s.+\n[Rr][eE][cC][eE][iI][vV][eE][dD]:\s/s
6941 header __DOS_SINGLE_EXT_RELAY X-Spam-Relays-External =~ /^\[ [^\]]+ \]$/
6943 body __DOS_STEADY_COURSE /\bsteady (?:and increasing )?course\b/i
6945 body __DOS_STRONG_CF /\bstrong cash flow/i
6947 body __DOS_TAKING_HOME /Taking home \d (?:digit level|figures) in \d{1,2} months/
6949 body __DOS_WRITE_ME_AT /[Ww].?r.?i.?t.?e me at/
6951 meta __DOTGOV_IMAGE __URI_DOTGOV && __REMOTE_IMAGE
6953 meta __DYNAMIC_IMGUR __IMGUR_IMG && __RDNS_DYNAMIC_IPADDR
6955 body __EARLY_DEMISE /\buntimely\sdeath\b/i
6957 header __EBAY_ADDRESS From:addr =~ /[\@.]ebay\.\w\w\w?(?:\.\w\w)?$/i
6959 meta __EBAY_IMG_NOT_RCVD_EBAY __URI_IMG_EBAY && !__HDR_RCVD_EBAY
6961 meta __EMAIL_PHISH (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN) > 1) && !__EMAIL_PHISH_MANY
6963 meta __EMAIL_PHISH_MANY (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ) > 3)
6965 meta __EMPTY_BODY __BODY_TEXT_LINE < 2 && !__SMIME_MESSAGE
6967 body __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:a-z{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i
6969 header __ENVFROM_GOOG_TRIX EnvelopeFrom =~ /(?:@|=)trix\.bounces\.google\.com(?:$|=)/
6971 meta __ENVFROM_GOOG_TRIX_SPAMMY __ENVFROM_GOOG_TRIX && (__GOOGLE_DOC_SUSP || FREEMAIL_REPLYTO_END_DIGIT || __ADVANCE_FEE_2_NEW || FORGED_GMAIL_RCVD || LOTS_OF_MONEY || __HAS_X_SOURCE_DIR )
6973 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
6977 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6978 mimeheader __EXE_ATTACH Content-Type =~ /\.exe\b/i
6981 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
6982 body __EXPLOSIVE_DEVICE /\b(?:explosive\sdevice|bomb)\b/i
6985 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
6986 body __EXPLOSIVE_DEVICE /(?:^|\s)(?:<E><X><P><L><O><S><I><V><E>\s<D><E><V><I><C><E>|<B><O><M><B>)\s/i
6989 meta __EXTORT_MANY (__MY_MALWARE + __PAY_ME + __MY_VICTIM + __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE + __YOUR_PASSWORD + LOCALPART_IN_SUBJECT + __DESTROY_ME + __DESTROY_YOU + __EXPLOSIVE_DEVICE + __PAXFUL + __HUSH_HUSH) > 3
6991 body __EX_CUSTOMER /\b(?:(?:dead|deceased|late|verstorbenen|death\sof\sthe)\s(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|depositor|mr\.|kunde|engr?\.?)|titulaire\sdu\scompte\sest\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|invest[eo]r\sdied|(?:e|=E9|[\xe9]|[\xc3][\xa9])tranger\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|mr\.|kunde|engr?\.?)\s(?:[a-z]{1,10}\s)?(?:dead|deceased|verstorbenen))/i
6993 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
6994 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
6995 body __E_LIKE_LETTER /<lcase_e>/
6996 tflags __E_LIKE_LETTER multiple maxhits=320
7000 meta __FACEBOOK_IMG_NOT_RCVD_FB __URI_IMG_FACEBOOK && !__HDR_RCVD_FACEBOOK
7002 body __FAILED_LOGINS /unsuc+es+ful log-?[io]n at+empts/i
7004 body __FBI_BODY_SHOUT_1 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/
7006 rawbody __FBI_BODY_SHOUT_2 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/m
7008 header __FBI_FM_DOM From:addr =~ /\bfbi\.gov$/
7010 header __FBI_FM_NAME From:name =~ /federal\sbureau\sof\sinvestigation/i
7012 header __FBI_RCVD_DOM X-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov /
7014 meta __FBI_SPOOF (__FBI_FM_NAME || __FBI_FM_DOM || __FBI_BODY_SHOUT_1 || __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __HAS_REPLY_TO
7016 body __FB_COST /\bcost\b/i
7018 body __FB_NUM_PERCNT /\d\s?\%/
7020 body __FB_S_PRICE /pri{1,2}c[a-z]?e/i
7022 body __FB_S_STOCK /\bstock/i
7024 body __FB_TOUR /\btour/i
7026 body __FEES /\b(?:security|safe\w*|courier|registration|pay|paid|up-?front|processing|delivery|transfer|keeping)[\s\w]{0,15}\s(?:fee|charge)s?\b/i
7028 body __FIFTY_FIFTY /\b(?:50|fifty)(?:%?[\/:]50%?|%|\spercent)/i
7030 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7031 meta __FILL_THIS_FORM 0
7034 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7035 meta __FILL_THIS_FORM (__FILL_THIS_FORM_LONG || __FILL_THIS_FORM_PARTIAL > 4 || __FILL_THIS_FORM_PARTIAL_RAW > 4)
7038 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7039 meta __FILL_THIS_FORM_FRAUD_PHISH 0
7042 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7043 meta __FILL_THIS_FORM_FRAUD_PHISH (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FILL_THIS_FORM_FRAUD_PHISH1 || __EMAIL_PHISH || __ACCT_PHISH)
7046 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7047 meta __FILL_THIS_FORM_FRAUD_PHISH1 0
7050 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7051 body __FILL_THIS_FORM_FRAUD_PHISH1 /<FF_YOUR>(?:<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
7054 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7055 meta __FILL_THIS_FORM_LOAN 0
7058 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7059 meta __FILL_THIS_FORM_LOAN __FILL_THIS_FORM && __FILL_THIS_FORM_LOAN1
7062 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7063 meta __FILL_THIS_FORM_LOAN1 0
7066 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7067 body __FILL_THIS_FORM_LOAN1 /<FF_YOUR><FF_L1><FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
7070 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7071 meta __FILL_THIS_FORM_LONG 0
7074 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7075 meta __FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG1 || __FILL_THIS_FORM_LONG2
7078 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7079 meta __FILL_THIS_FORM_LONG1 0
7082 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7083 body __FILL_THIS_FORM_LONG1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
7086 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7087 meta __FILL_THIS_FORM_LONG2 0
7090 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7091 body __FILL_THIS_FORM_LONG2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
7094 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7095 meta __FILL_THIS_FORM_PARTIAL 0
7098 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7099 body __FILL_THIS_FORM_PARTIAL /^\s?<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20){1,4}$)/im
7100 tflags __FILL_THIS_FORM_PARTIAL multiple maxhits=5
7103 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7104 meta __FILL_THIS_FORM_PARTIAL_RAW 0
7107 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7108 rawbody __FILL_THIS_FORM_PARTIAL_RAW /^(?>\s{0,50})<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20| |<\/\w+>){0,4}$)/im
7109 tflags __FILL_THIS_FORM_PARTIAL_RAW multiple maxhits=5
7112 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7113 meta __FILL_THIS_FORM_SHORT 0
7116 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7117 meta __FILL_THIS_FORM_SHORT !__FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT1 || __FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_PARTIAL > 2 || __FILL_THIS_FORM_PARTIAL_RAW > 2)
7120 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7121 meta __FILL_THIS_FORM_SHORT1 0
7124 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7125 body __FILL_THIS_FORM_SHORT1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
7128 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7129 meta __FILL_THIS_FORM_SHORT2 0
7132 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7133 body __FILL_THIS_FORM_SHORT2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
7136 header __FLASHMAIL_MUA X-Mailer =~ /^NetEase Flash Mail \d/
7138 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7139 meta __FM_MY_PRICE __FB_S_PRICE
7142 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7143 meta __FM_MY_PRICE (__FB_S_PRICE || __FRT_PRICE)
7146 meta __FM_TO_ALL_NUMS __FROM_ALL_NUMS && __TO_ALL_NUMS
7148 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7149 rawbody __FONT_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w/i
7150 tflags __FONT_INVIS multiple maxhits=11
7153 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7154 meta __FONT_INVIS_10 __FONT_INVIS > 10
7157 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7158 meta __FONT_INVIS_2 __FONT_INVIS > 2
7161 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7162 meta __FONT_INVIS_5 __FONT_INVIS > 5
7165 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7166 meta __FONT_INVIS_CENTER __FONT_INVIS && __TAG_EXISTS_CENTER
7169 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7170 meta __FONT_INVIS_DIRECT __FONT_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED
7173 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7174 meta __FONT_INVIS_DOTGOV __FONT_INVIS && __URI_DOTGOV
7177 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7178 meta __FONT_INVIS_HTML_NOHTML __FONT_INVIS && HTML_MIME_NO_HTML_TAG
7181 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7182 meta __FONT_INVIS_LONG_LINE __FONT_INVIS && __LONGLINE
7185 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7186 meta __FONT_INVIS_MANY __FONT_INVIS_2
7189 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7190 meta __FONT_INVIS_MSGID __FONT_INVIS && __MSGID_OK_HOST
7193 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7194 meta __FONT_INVIS_NORDNS __FONT_INVIS && __RDNS_NONE
7197 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7198 meta __FONT_INVIS_SINGLET __FONT_INVIS && __HTML_SINGLET
7201 header __FORGED_MUA_POSTFIX0 User-Agent =~ /Postfix/
7203 header __FORGED_MUA_POSTFIX1 X-Mailer =~ /Postfix/
7205 header __FORGED_RELAY_MUA_TO_MX X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10|127|169\.254|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.)| )[^\[]+$/
7207 meta __FORGED_TBIRD_IMG __MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0D
7208 describe __FORGED_TBIRD_IMG Possibly forged Thunderbird image spam
7210 meta __FORM_FRAUD (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 1)
7212 meta __FORM_FRAUD_3 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3)
7214 meta __FORM_FRAUD_5 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)
7216 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7217 body __FOR_SALE_LTP /00\.? (?:less 10%|LTP)/i
7218 tflags __FOR_SALE_LTP multiple maxhits=11
7221 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7222 meta __FOR_SALE_LTP_MANY __FOR_SALE_LTP > 10
7225 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7226 body __FOR_SALE_NET /00\.? NET/i
7227 tflags __FOR_SALE_NET multiple maxhits=11
7230 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7231 meta __FOR_SALE_NET_MANY __FOR_SALE_NET > 10
7234 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7235 body __FOR_SALE_OBO /\bor best offer\b/i
7236 tflags __FOR_SALE_OBO multiple maxhits=6
7239 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7240 meta __FOR_SALE_OBO_MANY __FOR_SALE_OBO > 5
7243 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7244 body __FOR_SALE_PRC_100K /\bprice:? \$\d\d\d,\d\d\d/i
7245 tflags __FOR_SALE_PRC_100K multiple maxhits=11
7248 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7249 meta __FOR_SALE_PRC_100K_MANY __FOR_SALE_PRC_100K > 5
7252 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7253 body __FOR_SALE_PRC_10K /\bprice:? \$\d\d,\d\d\d/i
7254 tflags __FOR_SALE_PRC_10K multiple maxhits=11
7257 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7258 meta __FOR_SALE_PRC_10K_MANY __FOR_SALE_PRC_10K > 10
7261 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7262 body __FOR_SALE_PRC_1K /\bprice:? \$\d,?\d\d\d[.\s]/i
7263 tflags __FOR_SALE_PRC_1K multiple maxhits=11
7266 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7267 meta __FOR_SALE_PRC_1K_MANY __FOR_SALE_PRC_1K > 10
7270 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7271 rawbody __FOR_SALE_PRC_EOL /\s\$\d{1,3},\d00(?:\.00)?$/m
7272 tflags __FOR_SALE_PRC_EOL multiple maxhits=11
7275 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7276 meta __FOR_SALE_PRC_EOL_MANY __FOR_SALE_PRC_EOL > 10
7279 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7280 meta __FOR_SALE_PRC_MANY (__FOR_SALE_PRC_1K + __FOR_SALE_PRC_10K + __FOR_SALE_PRC_100K) > 20
7283 body __FOUND_YOU /\b(?:I|we)\sfound\syour?\b/i
7285 body __FRAUD /\b(?:de)?fraud/i
7287 body __FRAUD_IOV /\b(?:no risks?|risky?[- ]{0,3}free|free of risks?|100% safe|v\S{1,3}llig Risikofrei ist)\b/i
7289 body __FRAUD_PTX /\b(?:ass?ass?inat(?:ed|ion)|murder(?:e?d)?|poison(?:e?d)?|kill(?:ed|ing|ers)\b[^.]{0,99}\b(?:war veterans|rebels?)|les tueurs)\b/i
7291 body __FRAUD_XWW /\b(?:honest(?:ly)?\sco(?:-?operat(?:e|ion)|llaborat(?:e|ion))|ehrliche\szusammenarbeit|sichere [kc]o+p[eo]ration|col+aboration\swith\sme)\b/i
7293 ifplugin Mail::SpamAssassin::Plugin::FreeMail
7294 header __FREEMAIL_DISPTO eval:check_freemail_header('Disposition-Notification-To')
7297 ifplugin Mail::SpamAssassin::Plugin::FreeMail
7298 meta __FREEMAIL_DOC_PDF (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
7301 meta __FREEMAIL_WFH_01 (FREEMAIL_FROM || FREEMAIL_REPLYTO) && __WFH_01
7303 meta __FREEM_FRNUM_UNICD_EMPTY FREEMAIL_FROM && __FROM_ALL_NUMS && __FROM_ENCODED_B64 && __SUBJECT_ENCODED_B64 && __EMPTY_BODY
7305 if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
7306 meta __FROM_41_FREEMAIL 0
7309 ifplugin Mail::SpamAssassin::Plugin::FreeMail
7310 meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED
7311 describe __FROM_41_FREEMAIL Sent from Africa + freemail provider
7314 if (version >= 3.004002)
7315 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
7316 header __FROM_ADDRLIST_BANKS eval:check_from_in_list('BANKS')
7320 if (version >= 3.004002)
7321 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
7322 header __FROM_ADDRLIST_GOV eval:check_from_in_list('GOV')
7326 if (version >= 3.004002)
7327 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
7328 header __FROM_ADDRLIST_PAYPAL eval:check_from_in_list('PAYPAL')
7332 if (version >= 3.004002)
7333 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
7334 header __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD')
7338 header __FROM_ADDR_WS From:addr =~ /\s/
7340 header __FROM_ADMIN From =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i
7342 header __FROM_ALL_HEX From:addr =~ /^(?!(?:19|20)\d\d[01]\d[0-3]\d)(?![0-9a-f]*[a-f]{3})[0-9a-f]+\@/
7344 header __FROM_ALL_NUMS From:addr =~ /^\d+@/
7346 header __FROM_DNS From =~ /(?<![^\w.-])dns(?:admin)?\@/i
7348 meta __FROM_DOM_ADMIN __FROM_ADMIN && __PDS_FROM_NAME_TO_DOMAIN
7350 header __FROM_DOM_INFO From:addr =~ /\.info$/i
7352 header __FROM_EBAY From:addr =~ /\@ebay\.com$/i
7354 header __FROM_EQ_ORG_1 ALL =~ /\nFrom: "?([^\n]+)"? <[^>]+>\n.*Organization: \1\n/ism
7356 ifplugin Mail::SpamAssassin::Plugin::FreeMail
7357 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
7358 header __FROM_EQ_REPLY eval:check_fromname_equals_replyto()
7362 if (version >= 3.004001)
7363 ifplugin Mail::SpamAssassin::Plugin::AskDNS
7364 tflags __FROM_FMBLA_NDBLOCKED net
7368 if (version >= 3.004001)
7369 ifplugin Mail::SpamAssassin::Plugin::AskDNS
7370 tflags __FROM_FMBLA_NEWDOM net
7374 if (version >= 3.004001)
7375 ifplugin Mail::SpamAssassin::Plugin::AskDNS
7376 tflags __FROM_FMBLA_NEWDOM14 net
7380 if (version >= 3.004001)
7381 ifplugin Mail::SpamAssassin::Plugin::AskDNS
7382 tflags __FROM_FMBLA_NEWDOM28 net
7386 header __FROM_FULL_NAME From:name =~ /^[^a-z[:punct:][:cntrl:]\d\s][^[:punct:][:cntrl:]\d\s]*[[:punct:]\s]+[^a-z[:punct:][:cntrl:]\d\s]/
7387 tflags __FROM_FULL_NAME nice
7389 header __FROM_INFO From =~ /(?<![^\w.-])info\@/i
7391 header __FROM_LOWER ALL =~ /from:\s\S{5}/
7393 header __FROM_MISSPACED From =~ /^\s*"[^"]*"</
7395 meta __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __LCL__ENV_AND_HDR_FROM_MATCH
7397 if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
7398 meta __FROM_MISSP_FREEMAIL 0
7401 ifplugin Mail::SpamAssassin::Plugin::FreeMail
7402 meta __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
7405 meta __FROM_MISSP_REPLYTO __FROM_RUNON && __HAS_REPLY_TO
7407 if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
7408 meta __FROM_MULTI_NORDNS __PDS_FROM_2_EMAILS && __RDNS_NONE
7411 if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
7412 meta __FROM_MULTI_SHORT_IMG __PDS_FROM_2_EMAILS && (HTML_IMAGE_ONLY_16 || HTML_SHORT_LINK_IMG_2 || __HTML_IMG_ONLY)
7415 header __FROM_NAME_APPLECOM From:name =~ /\bapple\.com\b/i
7417 header __FROM_NAME_EBAYCOM From:name =~ /\bebay\.com\b/i
7419 full __FROM_NAME_IN_MSG /^From:\s+([^<]\S+\s\S+)\s(?=.{1,2048}^\1\r?$)/sm
7421 header __FROM_NAME_PAYPALCOM From:name =~ /\bpaypal\.com\b/i
7423 header __FROM_PAYPAL From:addr =~ /\@paypal\.com$/i
7425 header __FROM_RUNON From =~ /\S+<\w+/
7427 header __FROM_RUNON_UNCODED From:raw =~ /\S+(?<!\?=)<\w+/
7429 header __FROM_WEB_DAEMON From:addr =~ /(?:apache|www|web|tomcat|\biis\b).*\@/i
7431 header __FROM_WORDY From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/
7433 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7437 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7438 body __FRT_PRICE /<inter SP2><post P2>\b(?!price)<P><R><IX><C><E>\b/i
7441 rawbody __FR_SPACING_8 /[a-z0-9]{6}\s{8}[a-z0-9]{5}/i
7443 header __FSL_HAS_LIST_UNSUB exists:List-Unsubscribe
7445 header __FSL_HELO_BARE_IP_1 X-Spam-Relays-External =~ /^[^\]]+ helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} [^\]]*auth= /i
7447 header __FSL_HELO_USER_1 X-Spam-Relays-External =~ / helo=user /i
7449 header __FSL_HELO_USER_2 Received =~ /from User(?:\s+by|\s*[\[\(]|$)/i
7451 header __FSL_HELO_USER_3 Received =~ /(?:eh|he)lo(?:=|\s)User\)/i
7453 header __FSL_RELAY_GOOGLE X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.google\.com\.? /i
7455 header __FS_SUBJ_RE Subject =~ /^Re: /
7457 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7458 body __FUZZY_DR_OZ /(?=<D>)(?!(?-i:D(?:r.|octor)(?:\s| )Oz))(?:<R>|<O><C>(?:<T><O><R>)?)\.?<WS>*<O><Z>(?:$|\W)/i
7461 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7462 meta __FUZZY_MONERO 0
7465 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7466 body __FUZZY_MONERO /(?=<M>)(?!monero)<M><O><N><E><R><O>/i
7469 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7470 body __FUZZY_PORN /(?=<P>)(?!pornograph?(?:y|i[ca]|er))<P><O><R><N><O><G><R><A><P><H>?(?:<Y>|<I><C>|<E><R>)/i
7473 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7474 body __FUZZY_WELLSFARGO_BODY /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i
7477 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7478 header __FUZZY_WELLSFARGO_FROM From:name =~ /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i
7481 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7482 body __GAPPY_SALES_LEADS /\b(?:business|e?-?mail|your|marketing|advertising)\s(?!sales|leads|campaign)(?:s\s?a\s?l\s?e\s?s|l\s?e\s?a\s?d\s?s|c\s?a\s?m\s?p\s?a\s?i\s?g\s?n)\b/i
7483 tflags __GAPPY_SALES_LEADS multiple maxhits=3
7486 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7487 meta __GAPPY_SALES_LEADS_MANY __GAPPY_SALES_LEADS > 2
7490 meta __GB_BITCOIN_CP_DE ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_DE )
7491 describe __GB_BITCOIN_CP_DE German Bitcoin scam
7493 meta __GB_BITCOIN_CP_EN ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_EN )
7494 describe __GB_BITCOIN_CP_EN English Bitcoin scam
7496 meta __GB_BITCOIN_CP_ES ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_ES )
7497 describe __GB_BITCOIN_CP_ES Spanish Bitcoin scam
7499 meta __GB_BITCOIN_CP_FR ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_FR )
7500 describe __GB_BITCOIN_CP_FR French Bitcoin scam
7502 meta __GB_BITCOIN_CP_IT ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_IT )
7503 describe __GB_BITCOIN_CP_IT Italian Bitcoin scam
7505 meta __GB_BITCOIN_CP_NL ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_NL )
7506 describe __GB_BITCOIN_CP_NL Dutch Bitcoin scam
7508 meta __GB_BITCOIN_CP_SE ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_SE )
7509 describe __GB_BITCOIN_CP_SE Swedish Bitcoin scam
7511 if (version >= 4.000000)
7512 if can(Mail::SpamAssassin::Conf::feature_capture_rules)
7513 uri __GB_CUSTOM_HTM_URI0 m;^https?://.{10,128}(?:\.html?|\.php|\/)(?:\#|\?&e=)%{GB_TO_ADDR};i
7517 if (version >= 4.000000)
7518 if can(Mail::SpamAssassin::Conf::feature_capture_rules)
7519 uri __GB_CUSTOM_HTM_URI1 m|^https?://.{10,64}\=https?://.{4,64}\#%{GB_TO_ADDR}|i
7523 if (version >= 4.000000)
7524 if can(Mail::SpamAssassin::Conf::feature_capture_rules)
7525 uri __GB_CUSTOM_HTM_URI2 m;^https?://.{10,256}(?:\/\?)?(?:email=|wapp\#)%{GB_TO_ADDR};i
7529 if (version >= 4.000000)
7530 if can(Mail::SpamAssassin::Conf::feature_capture_rules)
7531 uri __GB_DRUPAL_URI m|^https?://.{10,64}/default/files/(?:\@)?\#%{GB_TO_ADDR}|i
7535 header __GB_FAKE_RF Subject =~ /(Fw|Re)\:{1,2}[\W+]/i
7537 if (version >= 4.000000)
7538 if can(Mail::SpamAssassin::Conf::feature_capture_rules)
7539 header __GB_TO_ADDR To:addr =~ /(?<GB_TO_ADDR>.*)/
7543 body __GHANA /\bghana\b/i
7545 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7546 mimeheader __GIF_ATTACH Content-Type =~ /^image\/gif\b/i
7549 body __GIVE_MONEY /\b(?:(?:give\syou\s(?:this\s)?(?:money|fund|inheritance))|(?:donated?\s(?:\w\+\s){0,3}(?:the\ssum\sof|(?:(?:the|this|some)\s(?:money|funds?|inheritance)|to\s)(?:you|(?:(?:the|a)\s)?church|charit(?:y|ies)|humanit\w+|needy|poor|orphan(?:age)?s?|philanthropists\?)))|de vous donner cet argent|faire don de la somme|voudrais en faire don|tego funduszu do dom(?:=F3|[\xf3])w (?:dziecka|wdowy))\b/i
7551 meta __GOOGLE_DOCS_PHISH_1 __URI_GOOGLE_DOC && (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST)
7553 meta __GOOGLE_DOCS_PHISH_2 __URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY
7555 meta __GOOGLE_DOC_SUSP __URI_GOOGLE_DOC && (__HAS_DOMAINKEY_SIG || __RDNS_NONE || __SYSADMIN || __STY_INVIS || LOTS_OF_MONEY || __XFER_MONEY || __ADVANCE_FEE_2_NEW) && !ALL_TRUSTED
7557 uri __GOOG_MALWARE_DNLD m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&/]download;i
7559 uri __GOOG_REDIR m;^https?://[^/]*\.google\.com/url\?;i
7561 meta __GOOG_STO_HTML_PHISH __URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY
7563 meta __GOOG_STO_IMG_HTML_1 __URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML
7565 meta __GOOG_STO_IMG_NOHTML __URI_GOOG_STO_IMG && !__URI_GOOG_STO_HTML
7567 meta __GOOG_STO_NOIMG_HTML !__URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML
7569 body __HAS_ANY_EMAIL /\w@\S+\.\w/
7571 uri __HAS_ANY_URI /^\w+:\/\//
7573 header __HAS_CAMPAIGNID exists:X-Campaignid
7575 header __HAS_CID exists:X-CID
7577 header __HAS_COMPLAINT_TO exists:Complaint-To
7579 header __HAS_DOMAINKEY_SIG exists:DomainKey-Signature
7581 describe __HAS_HREF Has an anchor tag with a href attribute in non-quoted line
7582 rawbody __HAS_HREF /^[^>].*?<a href=/im
7583 tflags __HAS_HREF multiple maxhits=100
7585 describe __HAS_HREF_ONECASE Has an anchor tag with a href attribute in non-quoted line with consistent case
7586 rawbody __HAS_HREF_ONECASE /^[^>].*?<(a href|A HREF)=/m
7587 tflags __HAS_HREF_ONECASE multiple maxhits=100
7589 describe __HAS_IMG_SRC Has an img tag on a non-quoted line
7590 rawbody __HAS_IMG_SRC /^[^>].*?<img src=/im
7591 tflags __HAS_IMG_SRC multiple maxhits=100
7593 rawbody __HAS_IMG_SRC_DATA /^[^>].*?<img src=['"]data/im
7595 describe __HAS_IMG_SRC_ONECASE Has an img tag on a non-quoted line with consistent case
7596 rawbody __HAS_IMG_SRC_ONECASE /^[^>].*?<(img src|IMG SRC)=/m
7597 tflags __HAS_IMG_SRC_ONECASE multiple maxhits=100
7599 header __HAS_LIST_OPEN exists:List-Open
7601 header __HAS_LOGID exists:logid
7603 header __HAS_MESSAGEID exists:MessageID
7605 header __HAS_PHP_ORIG_SCRIPT exists:X-PHP-Originating-Script
7607 header __HAS_PHP_SCRIPT exists:X-PHP-Script
7609 header __HAS_THREAD_INDEX exists:Thread-Index
7611 header __HAS_TRACKING_CODE exists:Tracking-Code
7613 body __HAS_WON_01 /\bque ha ganado\b/i
7615 header __HAS_XM_LID exists:X-Mailer-LID
7617 header __HAS_XM_RECPTID exists:X-Mailer-RecptId
7619 header __HAS_XM_SENTBY exists:X-Mailer-Sent-By
7621 header __HAS_XM_SID exists:X-Mailer-SID
7623 header __HAS_X_EBSERVER exists:X-EBSERVER
7625 header __HAS_X_LETTER exists:X-Letter
7627 header __HAS_X_NO_RELAY exists:X-No-Relay
7629 header __HAS_X_OUTGOING_SPAM_STAT exists:X-OutGoing-Spam-Status
7631 header __HAS_X_SENDER exists:X-Sender
7633 header __HAS_X_SOURCE_DIR exists:X-Source-Dir
7635 header __HDRS_LCASE ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm
7636 tflags __HDRS_LCASE multiple maxhits=3
7638 meta __HDRS_LCASE_KNOWN __MSGID_JAVAMAIL || __UA_MSOEMAC || __UA_MSOMAC || __MSGID_APPLEMAIL || __MSGID_HEX_UID || __MSGID_HEXISH
7640 header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism
7642 header __HDR_CASE_REVERSED ALL =~ /^(?!DomainKey)[^-:\s]*[a-z][A-Z]/m
7643 tflags __HDR_CASE_REVERSED multiple maxhits=4
7645 header __HDR_ENVFROM_SHOPIFY X-Spam-Relays-External =~ /\shelo=\S+\.mailer\.shopify\.com\s(?:[^\]\s]+\s)*envfrom=\S+\.shopifyemail\.com\s/
7647 header __HDR_ORDER_FTSDMCXXXX ALL =~ /\nFrom: .{1,80}?\nTo: .{1,80}?\nSubject: .{1,200}?\nDate: .{1,40}?\nMIME-Version: .{1,40}?\nContent-Type: .{1,120}?\nX-Priority: .{1,40}?\nX-MSMail-Priority: .{1,40}?\nX-Mailer: .{1,80}?\nX-MimeOLE:/s
7649 header __HDR_RCVD_ALIBABA X-Spam-Relays-External =~ /\srdns=\S+\.alibaba\.com\s/
7651 header __HDR_RCVD_AMAZON X-Spam-Relays-External =~ /\srdns=\S+\.amazon(?:ses)?\.com\s/
7653 header __HDR_RCVD_AMAZON_HELO X-Spam-Relays-External =~ /\srdns=\shelo=[^.]+\.smtp-out\.amazonses\.com\s/
7655 header __HDR_RCVD_APPLE X-Spam-Relays-External =~ /\srdns=\S+\.apple\.com\s/
7657 header __HDR_RCVD_BEBEE X-Spam-Relays-External =~ /\srdns=\S+\.bebee\.com\s/
7659 header __HDR_RCVD_EBAY X-Spam-Relays-External =~ /\srdns=\S+\.ebay\.com\s/
7661 header __HDR_RCVD_FACEBOOK X-Spam-Relays-External =~ /\srdns=\S+\.facebook\.com\s/
7663 header __HDR_RCVD_GOOGLE X-Spam-Relays-External =~ / rdns=mail-\S+\.google\.com\.?\s/
7665 header __HDR_RCVD_KEEPA X-Spam-Relays-External =~ /\srdns=\S+\.keepa\.com\s/
7667 header __HDR_RCVD_LINKEDIN X-Spam-Relays-External =~ /\srdns=\S+\.linkedin\.com\s/
7669 header __HDR_RCVD_NEWEGG X-Spam-Relays-External =~ /\srdns=\S+\.newegg\.com\s/
7671 header __HDR_RCVD_PAYPAL X-Spam-Relays-External =~ /\srdns=\S+\.paypal\.com\s/
7673 header __HDR_RCVD_SHOPIFY X-Spam-Relays-External =~ /\srdns=\S+\.shopify\.com\s/
7675 header __HDR_RCVD_TAGSTAT X-Spam-Relays-External =~ /\srdns=\S+\.tagstat\.com\s/
7677 header __HDR_RCVD_TARINGANET X-Spam-Relays-External =~ /\srdns=\S+\.taringa\.net\s/
7679 header __HDR_RCVD_TONLINEDE X-Spam-Relays-External =~ /\srdns=\S+\.t-online\.de\s/
7681 header __HDR_RCVD_WALMART X-Spam-Relays-External =~ /\srdns=\S+\.walmart\.com\s/
7683 ifplugin Mail::SpamAssassin::Plugin::AskDNS
7684 tflags __HELO_DNS net
7687 header __HELO_HIGHPROFILE X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:hotmail|gmail|google|yahoo|msn|microsoft|outlook|paypal|xxx)\.[\w]+\b/i
7689 header __HELO_NOT_RDNS X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!(?i)\1)\S/
7691 header __HELO_NO_DOMAIN X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ /
7693 body __HEXHASHWORD_S2EU /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}(?!-?\d{1,5}-)(?!\d{10}\s)(?:(?!--)[-0-9a-f]){10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/
7694 tflags __HEXHASHWORD_S2EU multiple maxhits=4
7696 body __HK_LOTTO_2 /\blot(?:eri[ej]|t(?:ery|o)) ?(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department)/i
7698 body __HK_LOTTO_BALLOT /\b(?:promotional|on.?line|computer|internet|e-?mail|fran.aise) (?:ballot|draw|sweepstake)/i
7700 body __HK_LOTTO_STAATS /\bstaatsloteri/i
7702 ifplugin Mail::SpamAssassin::Plugin::FreeMail
7703 if (version >= 3.004000)
7704 header __HK_NAME_FROM From:name =~ /^FROM\b/mi
7708 ifplugin Mail::SpamAssassin::Plugin::FreeMail
7709 if (version >= 3.004000)
7710 header __HK_NAME_MR_MRS From:name =~ /^M(?:RS?|ISS)\b/mi
7714 body __HK_SCAM_N15 /\b(?:account (?:overseas?|offshore)|(?:overseas?|offshore) account)\b/i
7716 body __HK_SCAM_N16 /\b(?:arrangement secret|secret arrangement)\b/i
7718 body __HK_SCAM_N2 /\bnext of kin\b/i
7720 body __HK_SCAM_N3 /\bdirect telephone numbers?\b/i
7722 body __HK_SCAM_N8 /\byour compensation\b/i
7724 body __HK_SCAM_S1 /pay you the sum of/i
7726 body __HK_SCAM_S15 /(?:discovered a dormant account|can you be my partner)/i
7728 body __HK_SCAM_S25 /\bbank (?:in|of) ghana/i
7730 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7731 mimeheader __HK_SPAMMY_CDFN Content-Disposition =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
7734 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7735 mimeheader __HK_SPAMMY_CTFN Content-Type =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
7738 meta __HOSTED_IMG_DIRECT_MX __DOS_DIRECT_TO_MX && __URI_HOSTED_IMG
7740 meta __HOSTED_IMG_DQ_UNSUB __URI_DQ_UNSUB && __URI_HOSTED_IMG
7742 meta __HOSTED_IMG_FREEM ( FREEMAIL_REPLYTO || FREEMAIL_FROM ) && __URI_HOSTED_IMG
7744 meta __HOSTED_IMG_MULTI ( __URI_IMG_EBAY + __URI_IMG_AMAZON + __URI_IMG_ALICDN + __URI_IMG_WALMART + __URI_IMG_NEWEGG + __URI_IMG_SHOPIFY + __URI_IMG_YTIMG + __URI_IMG_JOOMCDN + __URI_IMG_WISH + __URI_IMG_WP_REDIR + __URI_IMG_STATICBG + __URI_IMG_CHANNYPIC + __URI_IMG_TOPHATTER + __URI_IMG_GBTCDN + __URI_IMG_LINKEDIN + __URI_IMG_TUMBLR + __URI_IMG_TAGSTAT + __URI_IMG_FACEBOOK + __URI_IMG_TARINGANET + __URI_IMG_BEBEE + __URI_IMG_EFUSERASSETS + __URI_IMG_IMGBOX_THUMB + __URI_IMG_500PXORG + __URI_IMG_WIXMP + __URI_IMG_POSTIMGCC + __URI_IMG_GTRACING + __URI_IMG_JOOMCDN + __URI_IMG_DHRESOURCE) > 1
7746 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7747 body __HOURS_DEADLINE /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three|a few)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i
7750 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7751 body __HOURS_DEADLINE /(?:^|\s)(?:(?:<G><I><V><E>\s<Y><O><U>|<G><E><B><E>\s<I><H><N><E><N>(?:\s<N><U><R>)?|<Y><O><U>\s(?:<W><I><L><L>\s)?<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?|<W><I><T><H><I><N>)(?:(\s<T><H><E>)?\s(?:<L><A><S><T>|<N><E><X><T>))?\s(?:\d+|<O><N><E>|<T><W><O>|<T><H><R><E><E>|<A> <F><E><W>)\s?(?:<H><O><U><R><S>?|<H><R>\s?<S>?|<D><A><Y><S>?|<S><T><U><N><D><E><N>)|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\s<H><O><U><R><S>?\s<B><E><F><O><R><E>\s(?:<S><E><N><D><I><N><G>|<R><E><L><E><A><S><I><N><G>|<E><X><P><O><S><I><N><G>|<P><U><B><L><I><S><H><I><N><G>)|(?:<T><H><E>|<Y><O><U><R>)\s<D><E><A><D><L><I><N><E>\s(?:<I><S>|<W><I><L><L>\s<B><E>))/i
7754 rawbody __HS_QUOTE /^> /
7756 header __HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/
7758 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7759 meta __HTML_ATTACH_01 0
7762 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7763 mimeheader __HTML_ATTACH_01 Content-Type =~ m,\btext/html\b.+\.s?html?\b,i
7766 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7767 meta __HTML_ATTACH_02 0
7770 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7771 mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.s?html?\b,i
7774 rawbody __HTML_ENTITY_ASCII /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){10}/i
7776 meta __HTML_ENTITY_ASCII_MINFP __HTML_ENTITY_ASCII && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML
7778 meta __HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII && (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT)
7780 rawbody __HTML_FONT_TINY_01 /font-size:\s{0,5}[0-4]px;/i
7782 rawbody __HTML_FONT_TINY_02 /<font\s[^>]{0,80}size\s*=\s*["']?-(?:[2-9]|[1-9]\d+)["']?[^>]{0,80}>/i
7784 meta __HTML_FONT_TINY_NORDNS (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT) && __RDNS_NONE
7786 rawbody __HTML_OFF_PAGE /;(?:top|left):-\d{3,9}px;/i
7788 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7789 rawbody __HTML_SHRT_CMNT_OBFU /\w<!--\s*\w+\s*-->\w/
7790 tflags __HTML_SHRT_CMNT_OBFU multiple maxhits=10
7793 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7794 meta __HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU > 5 && HTML_MESSAGE
7797 rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i
7798 tflags __HTML_SINGLET multiple maxhits=21
7800 meta __HTML_SINGLET_10 __HTML_SINGLET > 10
7802 meta __HTML_SINGLET_MANY __HTML_SINGLET > 20
7804 ifplugin Mail::SpamAssassin::Plugin::HTMLEval
7805 body __HTML_TAG_BALANCE_CENTER eval:html_tag_balance('center', '!= 0')
7808 body __HUSH_HUSH /\b(?:confiden[tc]i[ae]l(?:\b|ity\b|it(?:=E9|[\xe9]|[\xc3][\xa9]))|private\b|secr[e\xe8](?:te?|cy)\b|sensitive\b|concealed\b|obscured?\b|discre(?:et|tion)\b|very\sdiscrete|top\ssecret|vertraulich(?:en)?\b|geheim\b|priv(?:e|=E9|[\xe9]|[\xc3][\xa9]))/i
7810 uri __IMGUR_IMG m,^https?://(?:[^.]+\.)?imgur\.com/[a-z0-9]{7}\.(?:png|gif|jpe?g)$,i
7811 tflags __IMGUR_IMG multiple maxhits=4
7813 meta __IMGUR_IMG_2 __IMGUR_IMG == 2
7815 meta __IMGUR_IMG_3 __IMGUR_IMG == 3
7817 if !plugin(Mail::SpamAssassin::Plugin::ImageInfo)
7818 meta __IMG_LE_300K 0
7821 ifplugin Mail::SpamAssassin::Plugin::ImageInfo
7822 body __IMG_LE_300K eval:pixel_coverage('all',62500,300000)
7825 body __INHERIT_PMT /\binheritance\spayment\s/i
7827 body __INTL_BANK /\b(?:international\s(?:\w+\s)?bank|banque\sinternationale)\b/i
7829 body __INVEST_COUNTRY /\binvest\sin\syour?\scountry\b/i
7831 body __INVEST_MONEY /\binvest(?:ir)?\s(?:this|ces|d[ae]s|sur ce|de ces)\s(?:money|f[ou]nds?)\b/i
7833 header __IP_IN_RELAY X-Spam-Relays-External =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) (?:[^\]]* )?(?:rdns|helo)=\S*(?:\1\D\2\D\3\D\4|\4\D\3\D\2\D\1)/
7835 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7839 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7840 mimeheader __ISO_ATTACH Content-Disposition =~ m,\bfilename="?[^"]+\.iso[";$],i
7843 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7844 meta __ISO_ATTACH_MT 0
7847 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7848 mimeheader __ISO_ATTACH_MT Content-Type =~ m,\bapplication/x-iso9660-image\b,i
7851 body __IS_LEGAL /\b(?:(?:(this|esta)\s(?:deal|offer|transac[tc]i(?:o|[\xc3][\xb3])n|proposal|exchange|arrangement|work)|it)?\s[ie]s\s(?:(?:guaranteed|completely|absolutely|perfectly|100%|very|fully)\s)?(?:legal|hitch-free|seguro|legitimate)|legitimate\sarrangement|toute?\sl(?:e|=E9|[\xe9]|[\xc3][\xa9])gale)\b/i
7853 body __IVORY_COAST /\b(?:Cote\s?D.Ivoire|Ivory\s?Coast|Costa\sde\sMarfil)\b/i
7855 body __I_INHERIT /\b(?:I|eu)\s[a-z\s]{0,30}(?:inherited|herdei)\b/i
7857 body __I_WILL_YOU /\bwill(?:ed)?\s(?:[a-z\s]{0,20}(?:fortune|money|\$[\d,]+[a-z]{0,9})\s)?to\syou\b/i
7859 header __JM_REACTOR_DATE Date =~ / \+0000$/
7861 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7862 mimeheader __JPEG_ATTACH Content-Type =~ /image\/jpe?g/i
7865 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7866 mimeheader __KAM_BLOCK_UTF7_2 Content-Type =~ /charset=(?:unicode-\d+-\d+-)?utf-7/i
7869 ifplugin Mail::SpamAssassin::Plugin::BodyEval
7870 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
7871 body __KAM_BODY_LENGTH_LT_1024 eval:check_body_length('1024')
7872 describe __KAM_BODY_LENGTH_LT_1024 The length of the body of the email is less than 1024 bytes.
7876 ifplugin Mail::SpamAssassin::Plugin::BodyEval
7877 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
7878 body __KAM_BODY_LENGTH_LT_128 eval:check_body_length('128')
7879 describe __KAM_BODY_LENGTH_LT_128 The length of the body of the email is less than 128 bytes.
7883 ifplugin Mail::SpamAssassin::Plugin::BodyEval
7884 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
7885 body __KAM_BODY_LENGTH_LT_256 eval:check_body_length('256')
7886 describe __KAM_BODY_LENGTH_LT_256 The length of the body of the email is less than 256 bytes.
7890 ifplugin Mail::SpamAssassin::Plugin::BodyEval
7891 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
7892 body __KAM_BODY_LENGTH_LT_512 eval:check_body_length('512')
7893 describe __KAM_BODY_LENGTH_LT_512 The length of the body of the email is less than 512 bytes.
7897 if !plugin(Mail::SpamAssassin::Plugin::HTMLEval)
7898 meta __KAM_HTML_FONT_INVALID 0
7901 ifplugin Mail::SpamAssassin::Plugin::HTMLEval
7902 body __KAM_HTML_FONT_INVALID eval:html_test('font_invalid_color')
7905 body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is
7907 header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t/
7909 header __KB_MSGID_OUTLOOK_888 Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/
7911 meta __KHOP_NO_FULL_NAME !(__NOT_A_PERSON || __FROM_ENCODED_QP || __FROM_NEEDS_MIME || __FROM_FULL_NAME)
7913 if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
7914 meta __LARGE_PERCENT_AFTER 0
7917 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7918 body __LARGE_PERCENT_AFTER /\d{3}% after/i
7919 tflags __LARGE_PERCENT_AFTER multiple maxhits=4
7922 if !plugin(Mail::SpamAssassin::Plugin::HeaderEval)
7923 meta __LCL__ENV_AND_HDR_FROM_MATCH 0
7926 ifplugin Mail::SpamAssassin::Plugin::HeaderEval
7927 meta __LCL__ENV_AND_HDR_FROM_MATCH __ENV_AND_HDR_FROM_MATCH
7930 if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
7931 meta __LCL__KAM_BODY_LENGTH_LT_1024 0
7934 ifplugin Mail::SpamAssassin::Plugin::BodyEval
7935 if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length))
7936 meta __LCL__KAM_BODY_LENGTH_LT_1024 0
7940 ifplugin Mail::SpamAssassin::Plugin::BodyEval
7941 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
7942 meta __LCL__KAM_BODY_LENGTH_LT_1024 __KAM_BODY_LENGTH_LT_1024
7946 if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
7947 meta __LCL__KAM_BODY_LENGTH_LT_128 0
7950 ifplugin Mail::SpamAssassin::Plugin::BodyEval
7951 if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length))
7952 meta __LCL__KAM_BODY_LENGTH_LT_128 0
7956 ifplugin Mail::SpamAssassin::Plugin::BodyEval
7957 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
7958 meta __LCL__KAM_BODY_LENGTH_LT_128 __KAM_BODY_LENGTH_LT_128
7962 if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
7963 meta __LCL__KAM_BODY_LENGTH_LT_512 0
7966 ifplugin Mail::SpamAssassin::Plugin::BodyEval
7967 if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length))
7968 meta __LCL__KAM_BODY_LENGTH_LT_512 0
7972 ifplugin Mail::SpamAssassin::Plugin::BodyEval
7973 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
7974 meta __LCL__KAM_BODY_LENGTH_LT_512 __KAM_BODY_LENGTH_LT_512
7978 meta __LINKED_IMG_NOT_RCVD_LINK __URI_IMG_LINKEDIN && !__HDR_RCVD_LINKEDIN
7980 meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID
7982 meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1
7984 meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR
7986 body __LITECOIN_ID /\b(?<!=)[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b/
7988 uri __LOCAL_PP_NONPPURL m'https?://(?:[A-Za-z0-9-_]+)\.(?!paypal\.com)(?:[A-Za-z0-9-_\.]+)'i
7990 body __LOCK_MAILBOX /\b(?:(?:deactivate|lock(?: up)?|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server)|you will be deactivated|(?:account|e?-?mail(?: ?box)?) (?:will (?:be )?)?(?:shut ?down|expire|deactivate)|we have (?:stopped|suspended) (?:processing|accepting) (?:any )?(?:incoming|new|fresh) email)/i
7991 tflags __LOCK_MAILBOX multiple maxhits=2
7993 full __LONGLINE /^[^\r\n]{998}/m
7995 rawbody __LONG_INVIS_DIV /<div\s+style\s*=\s*"(?:(?<!-)visibility\s*:\s*hidden|display\s*:\s*none)\s*">[^<\s]{1400}/i
7997 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7998 meta __LONG_STY_INVIS __STY_INVIS && __LONGLINE
8001 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8002 meta __LOTSA_MONEY_00 0
8005 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8006 body __LOTSA_MONEY_00 /<CURRENCY>[\s\.]?<NUM_NOT_DATE>[\dOo][,\.][\dOo]{3}(?:(?!\d)|\b)/
8009 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8010 meta __LOTSA_MONEY_01 0
8013 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8014 body __LOTSA_MONEY_01 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)[\s\.]?<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo](?<!\.00)\b/
8017 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8018 meta __LOTSA_MONEY_02 0
8021 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8022 body __LOTSA_MONEY_02 /(?<![-\d])<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo][\)\]\(]?\s?(?:<CURRENCY>|Pounds|(?i:dollars?|bucks))\b/
8025 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8026 meta __LOTSA_MONEY_03 0
8029 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8030 body __LOTSA_MONEY_03 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)<NUM_NOT_DATE>[\d.,\sOo]{0,5}[\)\]]?\s?(?i:M(?i:il+)?\b|mil+(?i:io|<O>)n|hund?[re]+a?[dt]|thousand|tausend|milh[\xf5]es)/
8033 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8034 meta __LOTSA_MONEY_04 0
8037 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8038 body __LOTSA_MONEY_04 /(?:(?<![-\d])<NUM_NOT_DATE>[\d\.,]{0,4}(?:M|\smilli?one?s|\s?mln)|million(?!s)|mill<O>n|hund?rea?d(?!s)[^\.]{1,25}thousand(?!s)|cents?[^\.]{1,25}mille|hundert[^\.]{1,30}tausend|ientos?[^\.]{1,20}mil|cent[a-z\s]{1,20}mil\s[a-z]{1,20}centos)[^\.\$]{0,50}?(?:(?:U\.?\s?S\.?\s?(?:A\.?\s?)?|united\s?states\s|E\.\s?U\.\s|canad(?:ian|a)\s|(?:ia\s)?de\s)?d(?:[o\xf3]|[\xc3][\xb3])l+are?s?|\bbucks|USD|GBP|<GB_UK>\spounds?|(?:<GB_UK>\s)?pounds?\ssterling|pounds(?!\sof)|(?:d'\s?)?euros?|francs?)\b/i
8041 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8042 meta __LOTSA_MONEY_05 0
8045 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8046 body __LOTSA_MONEY_05 /(?:(?:sum|value|amount)\sof\s)<NUM_NOT_DATE_IP>[\d.,\sO]{7,20}[\dO\.][\)\]\(\s]{0,3}(?:pounds?|dollars?|euros?|bucks)\b/i
8049 meta __LOTTO_ADMITS __LOTTO_ADMITS_1 || __LOTTO_ADMITS_2 || __LOTTO_ADMITS_3 || __LOTTO_ATTACH_1 || __LOTTO_ATTACH_2
8051 body __LOTTO_ADMITS_1 /\b(?:on-?line|e-?mail|ballot|(?:inter)?national|state|(?:UK|euro)[- ]?(?:mil+ions?|PW)|Canada|Microsoft|MSN|internet|mega|jackpot+|Royal Heritage|foundation|cash\sgrant|mercato|univers|staatsloterij|bill\s?gates|Olympics?|swiss|this|est[ea]|internationaux de gagnants de)(?:\s(?!lot|swe|prom)\w{1,20}){0,3}\s?(?:lot(?:to|t+ery|eri[ea])|sweepstakes?|promo(?:tion|cao|cion)?|jackpot+)\b/i
8053 body __LOTTO_ADMITS_2 /\b(?:free)?(?:lot(?:to|tery|erie)|sweepstakes)\s(?:(?:inter)?na[tz]ional|department|bureau|group|award|microsoft)/i
8055 uri __LOTTO_ADMITS_3 /lott+ery/i
8057 meta __LOTTO_AGENT __LOTTO_AGENT_01 || __LOTTO_AGENT_02
8059 body __LOTTO_AGENT_01 /\b(?:(?:(?:the|y?our)(?:\s\w{1,20})?|contact|accredited|listed)\sclaim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:prize|international|intl|foreign|win+ing)(?:[\s,.]+(?:rem+it+ance|settlement|payment|payout|award|transfer))+|payment|payout|immunity|(?<!memory\s)grants?(?!\smanager))\s?(?:agent|manager|officer|secretary|director|mgr\b)/i
8061 body __LOTTO_AGENT_02 /\blot+ery[^\.]{1,40} ticket agent/i
8063 header __LOTTO_AGENT_RPLY Reply-To =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize\stransfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i
8065 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8066 meta __LOTTO_ATTACH_1 0
8069 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8070 mimeheader __LOTTO_ATTACH_1 Content-Type =~ /lott(?:o|ery)/i
8073 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8074 meta __LOTTO_ATTACH_2 0
8077 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8078 mimeheader __LOTTO_ATTACH_2 Content-Disposition =~ /lott(?:o|ery)/i
8081 body __LOTTO_DEPT /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)(?:\s(?:rem+it+ance|settlement|payment|award))+|payment|award|compensation|lot+ery)(?:\s\w+)?\s?(?:department|dept|unit|group|committee|bureau)/i
8083 body __LOTTO_RELATED /\b(?:lot+(?:o|ery)|sweepstakes)\s(?:prize|draw(?:s|ing)?|(?:ge)?win(?:n?er|n?ing)?|jackpot+|award|fund|com+it+e+|com+is+ion|guild|promotion|promocao|program|day|online|company|(?:in)?corporat|agent|co[-,]?ordinator|team)/i
8085 body __LOTTO_VERIFY /\bpromo\sverification/i
8087 body __LOTTO_WINNINGS /\b(?:claim|process(?:ing)?|transfert?(?:\s\w+)?|redeem|payment|virement|zahlung|reivindicar|demandar|remise)\s(?:(?:[a-z]{1,5}\s)?(?:your|of|the|this|de|ihrer|seu|tu)\s)+(?:win+ings?|money|(?:cash\s)?prize|award|f[ou]nds?|grant|gewinne|premio|gain)\b/i
8089 body __LOTTO_WIN_01 /\bwin+ing\s(?:prize|number|notification|draw|check|cheque|details|information|payment)/i
8091 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8092 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8094 tflags __LOWER_E multiple maxhits=230
8098 body __LUCKY_WINNER /\b(?:lucky|gl.cklich(?:en)?|afortunados)\s(?:(?:ge)?win+ers?|ganador(?:es)?|individuals?)\b/i
8100 body __LUCRATIVE /\b(?:lucrative|profitable|tr[\xe8]s\ssalutaire)\b/i
8102 header __LUNSUB_BEFORE_SUBJDT ALL =~ /^List-unsubscribe: (?:[^\n]+\n){1,40}^(?:Subject|Date): /ism
8104 rawbody __L_BODY_8BITS /[\x80-\xff]/
8106 header __L_CTE_7BIT Content-Transfer-Encoding =~ /^7bit$/
8108 header __L_CTE_8BIT Content-Transfer-Encoding =~ /^8bit$/
8110 body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|quota is running low|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i
8112 body __MAILBOX_FULL_SE /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i
8114 header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/
8116 body __MAIL_ACCT_ACCESS1 /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i
8118 body __MAIL_ACCT_ACCESS2 /\blo+se ac+es+ to your (?:web|e-?)?mail ?(?:account|log-?in|box|address)\b/i
8120 uri __MAIL_LINK /\?.{0,200}\w\@[\w-]{1,20}.\w\w\w?\b/i
8121 tflags __MAIL_LINK nice
8123 body __MAKE_XTRA_DOLLAR /\bmake an extra dollar\b/i
8125 header __MALF_MIME_VER MIME-Version =~ /^1\.0\S/
8127 meta __MALWARE_NORDNS __MY_MALWARE && __RDNS_NONE
8129 meta __MALWARE_PASSWORD __MY_MALWARE && __PASSWORD
8131 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8132 meta __MALW_ATTACH __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02 || __MALW_ATTACH_02_01 || __MALW_ATTACH_02_02
8135 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8136 meta __MALW_ATTACH_01_01 0
8139 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8140 mimeheader __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]+|\*(?:\d+\*)?=(?:UTF-8'')?\S+)\.SettingContent-ms\b/i
8143 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8144 meta __MALW_ATTACH_01_02 0
8147 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8148 mimeheader __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i
8151 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8152 meta __MALW_ATTACH_02_01 0
8155 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8156 mimeheader __MALW_ATTACH_02_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:invoice|statement|payment(?: advice)?|(?:[.,_]|%C2%B7|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i
8159 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8160 meta __MALW_ATTACH_02_02 0
8163 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8164 mimeheader __MALW_ATTACH_02_02 Content-Type =~ /\bname="?[^"]*(?:invoice|statement|payment(?: advice)?|(?:[.,_]|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i
8167 meta __MANY_HDRS_LCASE __HDRS_LCASE > 1
8169 meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4)
8171 header __MAY_BE_FORGED Received =~ /\(may be forged\)/
8173 header __MID_START_001C Message-ID =~ /^<000001c/
8175 body __MILLIONS /\bmillions\sof\s(?:dollar|euro|pound)/i
8177 header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/
8179 meta __MIMEOLE_DIRECT_TO_MX __HAS_MIMEOLE && __DOS_DIRECT_TO_MX
8181 header __MIME_BDRY_0D0D Content-Type =~ /boundary="-{12}(?:0[1-9]){12}/
8183 if !((version >= 3.004000))
8184 meta __MIME_CTYPE_IN_BODY 0
8187 if (version >= 3.004000)
8188 body __MIME_CTYPE_IN_BODY /^Content-Type:\s/
8191 if !((version >= 3.004000))
8195 if (version >= 3.004000)
8196 meta __MIME_MALF __CTYPE_MULTIPART_ANY && __MIME_CTYPE_IN_BODY
8199 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8200 meta __MIME_NO_TEXT 0
8203 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8204 meta __MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH)
8207 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
8208 rawbody __MIME_QPC eval:check_for_mime('mime_qp_count')
8211 header __MISSING_REF References =~ /^UNSET$/ [if-unset: UNSET]
8213 header __MISSING_REPLY In-Reply-To =~ /^UNSET$/ [if-unset: UNSET]
8215 rawbody __MIXED_AREA_CASE /<(?!AREA|area)[Aa][Rr][Ee][Aa]\s/
8217 rawbody __MIXED_CENTER_CASE /<(?!CENTER|center)[Cc][Ee][Nn][Tt][Ee][Rr]>/
8219 rawbody __MIXED_FONT_CASE /<(?!FONT|font)[Ff][Oo][Nn][Tt]\s/
8221 rawbody __MIXED_HREF_CASE_JH /<[Aa](?i:rea)?\s+(?!HREF|href)[Hh][Rr][Ee][Ff]=/
8223 rawbody __MIXED_IMG_CASE_JH /<(?!IMG|img)[Ii][Mm][Gg]\s/
8225 header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/
8227 meta __MONERO (__MONERO_ID || __MONERO_CURNCY || __URI_MONERO || __FUZZY_MONERO)
8229 body __MONERO_CURNCY /Monero \(XMR\)/
8231 body __MONERO_ID /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93,104}\b/
8233 meta __MONEY_ATM_CARD LOTS_OF_MONEY && __ATM_CARD
8235 meta __MONEY_FORM LOTS_OF_MONEY && __FILL_THIS_FORM
8237 meta __MONEY_FORM_SHORT LOTS_OF_MONEY && __FILL_THIS_FORM_SHORT
8239 meta __MONEY_FRAUD_3 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3)
8241 meta __MONEY_FRAUD_5 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)
8243 meta __MONEY_FRAUD_8 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 8)
8245 ifplugin Mail::SpamAssassin::Plugin::FreeMail
8246 meta __MONEY_FREEMAIL_REPTO LOTS_OF_MONEY && __freemail_hdr_replyto
8249 meta __MONEY_FROM_41 __NSL_RCVD_FROM_41 && LOTS_OF_MONEY
8251 body __MOVE_MONEY /\b(?:(?:receive|re-?profile|transfer(?:ring|ir|t)?|release|repatriat(?:e|ion)|rapatrier|secure|r(?:e|=E9|[\xe9]|[\xc3][\xa9])clamation|possession|virer|dona(?:te|r)|depositante|dep[\xc3][\xb3]sito)\s(?:th(?:e(?:se)?|is)|d[ae]s|sur ce|de ce[st]|cet|est[eao]s?|del?)|re-?profiling|receive|re-?locat(?:e|ing)(?:\s\w{1,15})?)\s(?:of\s|your\s|the\s){0,2}(?:sums?\sof\s|inheritance\s)?(?:proceeds|funds?|money|balance|account|g[eo]ld|compte|fond[so]{1,2}|dinero|argent)\b/i
8253 meta __MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_MAYBE && __HAS_ANY_URI && __HTML_LINK_IMAGE
8255 header __MSGID_GUID Message-ID =~ /^<?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\@/i
8257 header __MSGID_HEXISH Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/
8259 header __MSGID_HEX_UID Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/
8261 header __MSGID_JAVAMAIL Message-ID =~ /\.JavaMail\./
8262 tflags __MSGID_JAVAMAIL nice
8264 header __MSGID_LIST Message-ID =~ /-\w+\#[\w.]+\.\w{2,4}\@/
8265 tflags __MSGID_LIST nice
8267 header __MSGID_NOFQDN2 Message-ID =~ /<.*\@[A-Za-z0-9]+>/m
8269 meta __MSMAIL_PRI_ABNORMAL __HAS_MSMAIL_PRI && !__MSMAIL_PRI_NORMAL
8271 header __MSMAIL_PRI_HIGH X-MSMail-Priority =~ /^(?:high|urgent)$/i
8273 header __MSMAIL_PRI_NORMAL X-MSMail-Priority =~ /^normal$/i
8275 meta __MSM_PRIO_REPTO __HAS_MSMAIL_PRI && __HAS_REPLY_TO && __SUBJ_SHORT
8277 header __MSOE_MID_WRONG_CASE ALL =~ /\nMessage-Id: /
8279 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8280 mimeheader __MSO_THEME_MT Content-Type =~ m,\bapplication/vnd.ms-officetheme\b,i
8283 header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/
8285 header __MUA_TBIRD User-Agent =~ /^Mozilla\/(.*) Thunderbird/
8287 body __MY_FORTUNE /\b(?:my|his|her)\s(?:fortune|heritage)\b/i
8289 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8290 body __MY_MALWARE /\b(?:(?:I(?:'ve|\shave)?\s(?:put|set\s?up|installed|buil[td]\sin|placed)\s(?:a\s)?|my\s(?:personal\s|background\s|hidden\s)?)(?:mal+ware|virus|spy\s?ware|trojan|program\srecorded|expl[o0]it|backdoor|(?:sneaky\s|hidden\s|malicious\s)+(?:app|stuff))|(?:application|mal+ware)[^\.]{1,30}(?:enable[sd]|allow(?:s|ed))\sme\sto\s(?:access|control)|I\s(?:contaminated|infected|hacked|toxified|poisoned)\s(?:your|this)\s(?:machine|computer|gadget|(?:smart\s?)?phone|device|email)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|mein\shinterhältiges\sProgramm|I\s?am\s?a\s?hacker|(?:(?:trojan|virus|spyware|mal+ware)\s)+giv(?:es|ing)\sme)\b/i
8293 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8294 body __MY_MALWARE /(?:^|\s)(?:(?:<I>(?:'<V><E>|\s<H><A><V><E>)?\s(?:<P><U><T><|><S><E><T>\s?<U><P>|<I><N><S><T><A><L><L><E><D>|<B><U><I><L>(?:<T>|<D>)\s<I><N>|<P><L><A><C><E><D>)\s(?:<A>\s)?|<M><Y>\s(?:<P><E><R><S><O><N><A><L>\s|<B><A><C><K><G><R><O><U><N><D>\s|<H><I><D><D><E><N>\s)?)(?:<M><A><L>+<W><A><R><E>|<V><I><R><U><S>|<S><P><Y>\s?<W><A><R><E>|<T><R><O><J><A><N>|<P><R><O><G><R><A><M>\s<R><E><C><O><R><D><E><D>|<E><X><P><L>(?:<O>|0)<I><T>|<B><A><C><K><D><O><O><R>|(?:<S><N><E><A><K><Y>\s|<H><I><D><D><E><N>\s|<M><A><L><I><C><I><O><U><S>\s)+(?:<A><P><P>|<S><T><U><F><F>))|(?:<A><P><P><L><I><C><A><T><I><O><N>|<M><A><L>+<W><A><R><E>)[^\.]{1,30}(?:<E><N><A><B><L><E>(?:<D>|<S>)|<A><L><L><O><W>(?:<S>|<E><D>))\s<M><E>\s<T><O>\s(?:<A><C><C><E><S><S>|<C><O><N><T><R><O><L>)|<I>\s(?:<C><O><N><T><A><M><I><N><A><T><E><D>|<I><N><F><E><C><T><E><D>|<H><A><C><K><E><D>|<T><O><X><I><F><I><E><D>|<P><O><I><S><O><N><E><D>)\s(?:<Y><O><U><R>|<T><H><I><S>)\s(?:<M><A><C><H><I><N><E>|<C><O><M><P><U><T><E><R>|<G><A><D><G><E><T>|(?:<S><M><A><R><T>\s?)?<P><H><O><N><E>|<D><E><V><I><C><E>|<E><M><A><I><L>)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|<M><E><I><N>\s<H><I><N><T><E><R><H><A><L><T><I><G><E><S>\s<P><R><O><G><R><A><M>+|<I>\s?<A><M>\s?<A>\s?<H><A><C><K><E><R>|(?:(?:<T><R><O><J><A><N>|<V><I><R><U><S>|<S><P><Y><W><A><R><E>|<M><A><L>+<W><A><R><E>)\s)+<G><I><V>(?:<E><S>|<I><N><G>)\s<M><E>)[\s\.,]/i
8297 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8298 body __MY_VICTIM /\b(?:hi|hello),?(?:\smy)?\s(?:victim|prey)\b/i
8301 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8302 body __MY_VICTIM /(?:<H><I>|<H><E><L><L><O>),?(?:\s<M><Y>)?\s(?:<V><I><C><T><I><M>|<P><R><E><Y>)/i
8305 header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/
8307 meta __NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL
8309 header __NAME_EQ_EMAIL From:raw =~ /([\w+.-]+\@[\w.-]+\.\w\w+)["'`\s]*<\s*\1>/i
8311 header __NAME_IS_EMAIL From:raw =~ /\w\@[\w.-]+\.\w\w+["'`]*\s*<\w+\@\w/
8313 body __NEVER_HEAR_EN /(never hear me again|destroy all your secrets|not bother you again|leave you alone)/i
8315 body __NEVER_HEAR_IT /eliminare tutti i tuoi segreti|Ti garantisco che non ti disturbe/i
8317 meta __NEWEGG_IMG_NOT_RCVD_NEGG __URI_IMG_NEWEGG && !__HDR_RCVD_NEWEGG
8319 body __NEW_PRODUCTS /\bhere are new products|\b(?:Our company|we) (?:has |have )?(?:(?:recently|just|newly) (?:introduce|release|launche)[ds](?: a| our| the)? (?:new|(?:\w+\s){1,5}below)|a new (?!cat\s|kitten\s|dog\s|puppy\s|pet\s|baby\s|child\s|boy\s|girl\s)(?:\w+\s){1,5} here)|recently,? our company (?:launch|releas)ed|\bI want to recommend a new (?:\w+ ){1,5}(?:we|our)\b|latest version of our (?:stock|product)|\b(?:our|a) new (?:\w+ ){1,3}has (?:recently|just) been released/i
8321 body __NEXT_OF_KIN /\bnext[-\s]of[-\s]kin\b/i
8323 body __NIGERIA /\bnigeria\b/i
8325 meta __NOT_A_PERSON __VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO
8326 tflags __NOT_A_PERSON nice
8328 body __NOT_DEAD_YET /\b(?:will\sinherit|que\sherede|your\sdeath|your?\sbeing\sdead)\b/i
8330 body __NOT_SCAM /\b(?:not\sa\sscam|(?:not|never)\sscam\syou)\b/i
8332 tflags __NOT_SPOOFED nice
8334 if !(!plugin(Mail::SpamAssassin::Plugin::DKIM))
8335 if !plugin(Mail::SpamAssassin::Plugin::SPF)
8336 meta __NOT_SPOOFED DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, no SPF
8340 if !(!plugin(Mail::SpamAssassin::Plugin::DKIM))
8341 ifplugin Mail::SpamAssassin::Plugin::SPF
8342 meta __NOT_SPOOFED SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, yes SPF
8346 if !plugin(Mail::SpamAssassin::Plugin::DKIM)
8347 if !plugin(Mail::SpamAssassin::Plugin::SPF)
8348 meta __NOT_SPOOFED __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, no SPF.
8352 if !plugin(Mail::SpamAssassin::Plugin::DKIM)
8353 ifplugin Mail::SpamAssassin::Plugin::SPF
8354 meta __NOT_SPOOFED SPF_PASS || __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, yes SPF
8358 meta __NO_INR_YES_REF (__XM_GNUS || __XM_MSOE5 || __XM_MSOE6 || __XM_MOZ4 || __XM_SKYRI || __XM_WWWMAIL || __UA_GNUS || __UA_KNODE || __UA_MUTT || __UA_PAN || __UA_XNEWS)
8360 header __NSL_ORIG_FROM_41 X-Originating-IP =~ /^(?:.+\[)?41\./
8361 describe __NSL_ORIG_FROM_41 Originates from 41.0.0.0/8
8363 header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./
8364 describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8
8366 header __NUMBERONLY_TLD From:addr =~ /\@[0-9]{4,}(\.[a-z]{2,4})?\.[a-z]+$/i
8368 header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/
8370 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8371 meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) )
8374 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8375 meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) )
8378 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8379 meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) )
8382 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8383 meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) )
8386 body __OBFU_UNSUB_UL /(?:click_here|remove_your|our_e?mail|this_list|to_unsubscribe|future_e?mail|our_list)/
8388 if !plugin(Mail::SpamAssassin::Plugin::ImageInfo)
8392 ifplugin Mail::SpamAssassin::Plugin::ImageInfo
8393 body __ONE_IMG eval:image_count('all',1,1)
8396 header __OPERA_MID_NON_OP Message-ID =~ /^<[^o][^p]\./
8398 body __OUR_BEHALF /\b(?:on\s(?:my|our)\sbehalf|of\sbehalf\sof)\b/i
8400 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8401 mimeheader __PART_CID_STOCK_LESS Content-ID =~ /^<00[a-f0-9]{10}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[A-Za-z]+>$/
8404 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8405 mimeheader __PART_STOCK_CD_F Content-Disposition =~ /filename/
8408 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8409 mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/
8412 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8413 mimeheader __PART_STOCK_CL Content-Location =~ /./
8416 body __PASSIVE_INCOME /\bpassive income\b/i
8418 body __PASSWORD /\bp[-\s_]?a[-\s_]?s[-\s_]?s[-\s_]?w[-\s_]?o[-\s_]?r[-\s_]?d\b/i
8420 body __PASSWORD_EXP_CLUMSY /\bpassword is due for expiration yesterday\b/i
8422 body __PASSWORD_UPGRADE /\bpassword upgrade\b/i
8424 body __PAXFUL /\bp-?a+-?x+-?f-?u+-?l\b/i
8426 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8427 body __PAY_ME /\b(?:pay\sme|(?:(?:send|transmit|give)\s(?:to\s)?me|(?:send(?:en\ssie)?|transfer)\s(?:the\samount\sof|exactly|genau)|I\swant|den\sbetrag\svon|payment\sof)\s(?:[\d,'.\$£]+\s?(?:usd?|eur?(?:os)?|gbp|BTC)?|bitcoin|BTC)|(?:make|perform|send|transmit)\sthe\spayment|amount\sfor\smy\ssilence|(?:pay|fund)\sthis\s(?:bitcoin|monero)[-\s](?:address|wallet|brieftasche)|my bribe(?:ry)?)\b/i
8430 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8431 body __PAY_ME /(?:^|\s)(?:<P><A><Y>\s<M><E>|(?:(?:<S><E><N><D>|<T><R><A><N><S><M><I><T>|<G><I><V><E>)\s(?:<T><O>\s)?<M><E>|(?:<S><E><N><D>(?:<E><N>\s<S><I><E>)?|<T><R><A><N><S><F><E><R>)\s(?:<T><H><E>\s<A><M><O><U><N><T>\s<O><F>|<E><X><A><C><T><L><Y>|<G><E><N><A><U>)|<I>\s<W><A><N><T>|<D><E><N>\s<B><E><T><R><A><G>\s<V><O><N>|<P><A><Y><M><E><N><T>\s<O><F>)\s(?:[\d,'.\$£]+\s?(?:<U><S><D>?|<E><U><R>?(?:<O><S>)?|<G><B><P>|<B><T><C>)?|<B><I><T><C><O><I><N>|<B><T><C>)|(?:<M><A><K><E>|<P><E><R><F><O><R><M>|<S><E><N><D>|<T><R><A><N><S><M><I><T>)\s<T><H><E>\s<P><A><Y><M><E><N><T>|<A><M><O><U><N><T>\s<F><O><R>\s<M><Y>\s<S><I><L><E><N><C><E>|(?:<P><A><Y>|<F><U><N><D>)\s<T><H><I><S>\s(?:<B><I><T><C><O><I><N>|<M><O><N><E><R><O>)[-\s](?:<A><D><D><R><E><S><S>|<W><A><L><L><E><T>|<B><R><I><E><F><T><A><S><C><H><E>|<M><Y> <B><R><I><B><E>(?:<R><Y>)?))[\s\.,]/i
8434 body __PAY_YOU /\bpay\syou\b/
8436 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8437 meta __PCT_FOR_YOU 0
8440 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8441 meta __PCT_FOR_YOU __PCT_FOR_YOU_1 || __PCT_FOR_YOU_2 || __PCT_FOR_YOU_3 || T_SHARE_50_50
8444 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8445 meta __PCT_FOR_YOU_1 0
8448 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8449 body __PCT_FOR_YOU_1 /<PERCENT>[\s)]{0,3}(?:(?:of\s[\w\s]{0,35}?)?(?:for|to|as)\syour?|(?:[^\s.]{1,15}\s)?an uns beide)/i
8452 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8453 meta __PCT_FOR_YOU_2 0
8456 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8457 body __PCT_FOR_YOU_2 /\b(?:(?:give|offer)\syou|vous\s(?:aurez\sdroit\s(?:=E0|[\xe0])|donnerai|all(?:e|=E9|[\xe9]|[\xc3][\xa9])\srecevoir\sautour\sde)|ihnen)\s<PERCENT>/i
8460 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8461 meta __PCT_FOR_YOU_3 0
8464 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8465 body __PCT_FOR_YOU_3 /\byour?\s(?!can)(?:(?!you)\w{1,15}\s){0,10}(?:(?:share|entiti?le(?:d|ment)?|percentage|fee|assist(?:ance)?|comp[ea]nsat(?:ed?|tion)|reward(?:ed)?|renumerat(?:e|tion)|com+is+ion|paid|deduct|account|tage|(?:will|shall|would|(?:are|stand|going)\sto)\s(?:be\s)?(?:tak(?:e|ing)|earn|get(?:ting)?|remit|subtract|with+old)|(?:deduct|taken?|subtract(?:ed)?)\syour|keep(?:ing)?|receiv(?:e|ing)|retain(?:ing)?|have|half|giv(?:en|ing)|paid|(?:give|pay|offer)\s(?:me|you|him)|bank\saccount|to\s(?:take|use)|(?:time|country)\sand|ratio\sof)(?:\s(?!you)\w{1,15}){0,10})\s(?<!by\s)(?<!up\sto\s)<PERCENT>/i
8468 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8469 meta __PCT_OF_PMTS 0
8472 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8473 body __PCT_OF_PMTS /<PERCENT>[\s)]+(?:of\s[\w\s]{0,35}?)?(?:of|du|de)\s(?:(?:the|la)\s)?(?:total\s)?(?:payments?|rem+it+ances?|capital|chec(?:k|que)s?|mon(?:ey|ies)|suma?)/i
8476 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8480 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8481 meta __PDF_ATTACH (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2)
8484 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8485 meta __PDF_ATTACH_FN1 0
8488 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8489 mimeheader __PDF_ATTACH_FN1 Content-Type =~ /="[^"]+\.pdf"/i
8492 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8493 meta __PDF_ATTACH_FN2 0
8496 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8497 mimeheader __PDF_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.pdf"/i
8500 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8501 meta __PDF_ATTACH_MT 0
8504 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8505 mimeheader __PDF_ATTACH_MT Content-Type =~ m,\bapplication/pdf\b,i
8508 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8509 header __PDS_BTC_ANON From:name =~ /\bAnon/
8512 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8513 meta __PDS_BTC_BADFROM ( __PDS_BTC_HACKER || __PDS_BTC_PIRATE )
8516 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8517 header __PDS_BTC_HACKER From:name =~ /h<A>ck<E>r/i
8520 meta __PDS_BTC_ID ( __BITCOIN_ID && !__URL_BTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG)
8522 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8523 header __PDS_BTC_PIRATE From:name =~ /p<I>r<A>t<E>/i
8526 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8527 if (version >= 3.004000)
8528 header __PDS_CASHSHORTENER eval:check_uri_host_listed('PDS_CASHSHORTENER')
8532 uri __PDS_DOUBLE_URL m;https?://[\S]+(?:\?|=)https?://[\S]+[\w]+$;
8534 if (version >= 3.004002)
8535 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8536 body __PDS_EXPIRATION_NOTICE /\bexpiration (notice|alert|date)\b/i
8540 if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
8541 header __PDS_FROM_2_EMAILS From =~ /(?:^|<|"| )([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i
8544 header __PDS_FROM_GMAIL From:addr =~ /\@g(?:oogle)?mail\.com$/i
8546 header __PDS_FROM_NAME_TO_DOMAIN ALL =~ /From: ["']?([a-z0-9\.-]+\.[0-9a-z\.-]+)["']? [^\n]+\nTo:[^\n]+\@\1/ism
8548 header __PDS_GMAIL_MID Message-Id =~ /\@mail.gmail.com>$/
8550 meta __PDS_GOOGLE_DRIVE_SHARE (__PDS_GOOGLE_DRIVE_SHARE_1 + __PDS_GOOGLE_DRIVE_SHARE_2 + __PDS_GOOGLE_DRIVE_SHARE_3 >= 2)
8552 header __PDS_GOOGLE_DRIVE_SHARE_1 References =~ /\@docs\-share\.google\.com\>/
8554 header __PDS_GOOGLE_DRIVE_SHARE_2 From:addr =~ /^drive\-shares\-noreply\@google\.com$/
8556 header __PDS_GOOGLE_DRIVE_SHARE_3 X-Envelope-From:addr =~ /\@doclist\.bounces\.google\.com$/
8558 ifplugin Mail::SpamAssassin::Plugin::AskDNS
8559 meta __PDS_HP_HELO_NODNS (__HELO_HIGHPROFILE && !__HELO_DNS)
8560 tflags __PDS_HP_HELO_NODNS net
8563 ifplugin Mail::SpamAssassin::Plugin::HTMLEval
8564 meta __PDS_HTML_LENGTH_1024 __HTML_LENGTH_0000_1024
8567 ifplugin Mail::SpamAssassin::Plugin::HTMLEval
8568 meta __PDS_HTML_LENGTH_2048 __HTML_LENGTH_0000_1024 || __HTML_LENGTH_1024_1536 || __HTML_LENGTH_1536_2048
8571 meta __PDS_LITECOIN_ID (__LITECOIN_ID && !__URL_LTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG)
8573 meta __PDS_MSG_1024 (__KAM_BODY_LENGTH_LT_1024 || __PDS_HTML_LENGTH_1024)
8575 meta __PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512)
8577 if (version >= 3.004001)
8578 ifplugin Mail::SpamAssassin::Plugin::AskDNS
8579 meta __PDS_NEWDOMAIN (__FROM_FMBLA_NEWDOM || __FROM_FMBLA_NEWDOM14 || __FROM_FMBLA_NEWDOM28)
8580 tflags __PDS_NEWDOMAIN net
8584 if (version >= 3.004002)
8585 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8586 body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (United States|USA)/i
8590 if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
8591 meta __PDS_QP_1024 0
8594 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
8595 meta __PDS_QP_1024 (__MIME_QPC > 0) && (__MIME_QPC < 1024)
8598 if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
8602 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
8603 meta __PDS_QP_128 (__MIME_QPC > 0) && (__MIME_QPC < 128)
8606 if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
8610 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
8611 meta __PDS_QP_512 (__MIME_QPC > 0) && (__MIME_QPC < 512)
8614 if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
8618 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
8619 meta __PDS_QP_64 (__MIME_QPC > 0) && (__MIME_QPC < 64)
8622 header __PDS_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(mta|mail|mx|smtp)\b\S* /i
8624 if (version >= 3.004002)
8625 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8626 body __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i
8630 if (version >= 3.004002)
8631 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8632 body __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i
8636 if (version >= 3.004002)
8637 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8638 body __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i
8642 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8643 if (version >= 3.004000)
8644 meta __PDS_SHORT_URL __SHORT_URL && !__URL_SHORTENER && !ALL_TRUSTED
8648 if (version >= 3.004001)
8649 ifplugin Mail::SpamAssassin::Plugin::AskDNS
8650 tflags __PDS_SPF_ONLYALL net
8654 meta __PDS_SPOOF_GMAIL_MID __PDS_FROM_GMAIL && !__PDS_GMAIL_MID && !__FSL_RELAY_GOOGLE
8656 header __PDS_TONAME_EQ_TOLOCAL To:raw =~ /^\s*['"]?([^'"]+)['"]? <?\1\@/
8658 if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
8659 header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism
8662 if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
8663 header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism
8666 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8667 if (version >= 3.004000)
8668 meta __PDS_TO_SUBJ_URISHRT __TO_IN_SUBJ && __URL_SHORTENER && __PDS_MSG_1024
8672 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8673 if (version >= 3.004000)
8674 meta __PDS_URISHORTENER __URL_SHORTENER
8678 meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0
8680 body __PENDING_MESSAGES /\b(?:messages pending|(?:your|\d+[\])}]?) (?:pending|un(?:delivered|received)) (?:messages|e?-?mails))\b/i
8682 body __PERFECT_BINARY /\bperfect binary option\b/i
8684 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8685 mimeheader __PHISH_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:\.|%C2%B7|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i
8688 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8689 mimeheader __PHISH_ATTACH_01_02 Content-Type =~ /\bname="?[^"]*(?:\.|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i
8692 meta __PHISH_FBASE_01 (__URI_FIREBASEAPP || __URI_WEBAPP) && __PDS_FROM_NAME_TO_DOMAIN && __MAIL_LINK
8694 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8695 body __PHOTO_RETOUCHING /\b(?:(?:retouching|(?:image|photo|pic)s? (?:[a-z]{1,15} ){0,3}(?:edit(?:ing|ors)|team|(?:cut+|mask|clip+|clean|crop+|resiz|enhanc|etch)ing|cut+(?:ing)?[-\s]?out|enhancement|manipulation|restoration|compositing|working|(?:color|contrast|brightnes+|background|make-?up) (?:cor+ection|change)|solution|work|services?)|(?<!that\s)(?<!\.\s)your (?:imag(?:es|ing)|pics)|photo\s?shop (?:expert|service)s?|(?:deliver (?:the|your) |(?:(?:send|throw|ship|drop|deliver|give|provide|e-?mail) us|(?:cut+(?:ing)?[-\s]?out|masking|(?:test|edit)(?:ing)?) (?:for|of|on|with)) (?:(?:an?|one|your|some|sample|test|example|the) )+)(?:image|photo|pic)s?|(?:proces+|edit)(?:\sover|\smore th[ae]n)? \d{2,5}\D? (?:image|photo|pic)s|improv(?:e|ing) (?:(?:image|photo|picture|pic) (?:quality|lighting)|(?:(?:image|photo|picture|pic) )?(?:resolution|contrast|background|color))|cor+ecting (?:color|contrast|brightnes+|background))\b|(?:e-?com+erce|website|jew[el]+r(?:[y's]+|ies)|model+(?:s|ing)?|products?|portraits?|graduation['s]*|school['s]*|bab(?:[y's]+|ies)|famil(?:[y's]+|ies)|kids|wedding|beauty|glamou?r|catalog['s]*|store['s]*|shop['s]*|(?:cut+(?:ing)?[-\s]?out|clip+ing\spath|(?:all|any) kinds? of|enhance|retouch|edit(?:ing)?)[,;]?(?:\s[a-z]{1,15}){0,4})\s(?:image|photo|pic)s?(?:[.,?]|$|\sand\b|\sor\b|\setc\b)|\b(?:imag(?:es|ing)|photos)\s\d+$)/i
8696 tflags __PHOTO_RETOUCHING multiple maxhits=5
8699 header __PHPMAILER_MUA X-Mailer =~ /^PHPMailer\b/
8701 meta __PHP_MUA __PHP_MUA_1 || __PHP_MUA_2
8703 header __PHP_MUA_1 X-Mailer =~ /^PHP\s?v?\/?\d\./
8705 header __PHP_MUA_2 X-Mailer =~ /^PHP\d$/
8707 header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/
8709 meta __PHP_ORIG_SCRIPT_SONLY __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B)
8711 if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
8712 meta __PILL_PRICE_01 0
8715 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8716 body __PILL_PRICE_01 m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i
8717 tflags __PILL_PRICE_01 multiple maxhits=3
8720 if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
8721 meta __PILL_PRICE_02 0
8724 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8725 body __PILL_PRICE_02 /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i
8726 tflags __PILL_PRICE_02 multiple maxhits=3
8729 body __PLS_REVIEW /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i
8731 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
8732 header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()
8735 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
8736 header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
8739 uri __PS_TEST_LOC_WP m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,128}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf|\.svg)[^?]{4}(?:\?[^?]{1,5})?$;i
8741 body __PUMPDUMP_01 /\b(?:times|multiply|tripl(?:e|ing)|quadrupl(?:e|ing)|quintupl(?:e|ing)) (?:your|an) (?:princip(?:al|le)|investment)\b/i
8743 body __PUMPDUMP_02 /\b(?:sto[ck]{2}|share price) (?:will |may |is (?:(?:about|poised|positioned|ready) to |gonna ))?(?:triple|quadruple|quintuple|soar|go(?:es?) (?:nuts|crazy|sky high|way up))\b/i
8745 body __PUMPDUMP_03 /\bbuy (?:[^.!]{1,30} )?(?:(?:(?:mon|tues|wednes|thurs|fri)day|tomorrow) (?:first thing|open|morning)|(?:first thing|opens|before) (?:(?:mon|tues|wednes|thurs|fri)day|tomorrow))/i
8747 body __PUMPDUMP_04 /\bmake you (?:big bucks|hundreds|thousands)\b/i
8749 body __PUMPDUMP_05 /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i
8751 body __PUMPDUMP_06 /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i
8753 body __PUMPDUMP_07 /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i
8755 body __PUMPDUMP_08 /\b?(:sto[ck]{2}|sotk) of the year/i
8757 body __PUMPDUMP_09 /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i
8759 body __PUMPDUMP_10 /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i
8761 body __RANDOM_PICK /\b(?:random(?:ly)?\s(?:\w+\s)?(?:select(?:ion|ed)|pick(?:ed)?|computer)|(?:select|pick)ed\s(?:at\s)?random(?:ly)?|(?:esco(?:g|lh)idos|seleccion) (?:aleatoria(?:mente)?|al azar))\b/i
8763 header __RAND_HEADER ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent|Tracking-Code)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism
8764 tflags __RAND_HEADER multiple maxhits=4
8766 meta __RAND_HEADER_2 __RAND_HEADER > 1
8768 header __RAND_MKTG_HEADER ALL =~ /^X-(?:[a-z]{2}){1,2}-(?:EBS|(?:Tracking|Subscriber|Delivery|Customer|Campaign)-[DSU]?id):/ism
8770 header __RATWARE_BOUND_A ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{10,400}boundary="----=_NextPart_000_...._\1\./msi # "
8772 header __RATWARE_BOUND_B ALL =~ /boundary="----=_NextPart_000_...._([0-9a-f]{8})\..{10,400}^Message-Id: <....\1\$[0-9a-f]{8}\$/msi # "
8774 header __RCD_RDNS_MAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmail[^a-z]/i
8775 tflags __RCD_RDNS_MAIL nice
8777 header __RCD_RDNS_MAIL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mail/i
8778 tflags __RCD_RDNS_MAIL_MESSY nice
8780 header __RCD_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmta[^a-z]/i
8781 tflags __RCD_RDNS_MTA nice
8783 header __RCD_RDNS_MTA_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mta/i
8784 tflags __RCD_RDNS_MTA_MESSY nice
8786 header __RCD_RDNS_MX X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmx[^a-z]/i
8787 tflags __RCD_RDNS_MX nice
8789 header __RCD_RDNS_MX_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mx/
8790 tflags __RCD_RDNS_MX_MESSY nice
8792 header __RCD_RDNS_OB X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\boutbounds?[^a-z]/i
8793 tflags __RCD_RDNS_OB nice
8795 header __RCD_RDNS_SMTP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bsmtps?[^a-z]/i
8796 tflags __RCD_RDNS_SMTP nice
8798 header __RCD_RDNS_SMTP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*smtp/
8799 tflags __RCD_RDNS_SMTP_MESSY nice
8801 header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\srdns=\S+\.edu\s/i
8803 meta __RCVD_DOTEDU_SHORT __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 )
8805 meta __RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI )
8807 header __RCVD_DOTGOV_EXT X-Spam-Relays-External =~ /\srdns=\S+\.gov\s/i
8809 header __RCVD_ZIXMAIL X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net /
8811 header __RDNS_LONG X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{30}/
8813 header __RDNS_NO_SUBDOM X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\.\w+ /
8815 header __RDNS_NUMERIC_TLD X-Spam-Relays-External =~ /\srdns=\S+\.\d+\s/
8817 header __RDNS_SHORT X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{4,14} /
8819 body __RECEIVE_BONUS /\byou(?:'ll)?(?: also| will)* (?:rec[ei]*ve|get|earn|collect|be (?:awarded|handed|remitted|given|paid|(?:greeted|welcomed|started) with)) (?:an? )?(?:gift|bonus|extra)(?: of|:)? \$[\d,]+/i
8821 header __RELAY_THRU_WWW Received =~ /from (?:[^ \@]+\@)?www\./
8823 body __RELEASE_MESSAGES /\b(?:release messages|(?:retrieve|release|download) your(?: undelivered|unreceived|held|pending)? e?-?mails|(?:e?-?mails|messages).{1,20}download them now)\b/i
8825 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
8826 meta __REMOTE_IMAGE (__HTML_IMG_ONLY || __HTML_LINK_IMAGE) && !(__SUBSCRIPTION_INFO || __VIA_ML || __SENDER_BOT || __ANY_IMAGE_ATTACH)
8829 if (version >= 3.004002)
8830 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8831 header __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD')
8835 header __REPTO_419_FRAUD_AOL_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.|ljaber)|c(?:hanprivacy|laimdept|ristinabruno|ustom_service)|dhodgkins|evelynjoshua|f(?:d\.|ernandezfernandez)|george_clifford|hernandezrosemary|k\.doreen|l(?:erynnewest|ynnpage)|m(?:_l\.wanczyk|asayohara|rsjanetedwards)|officework|paulpollard|royalpalace|spwalker|usembassy|yurdaaytarkan))\d+\@aol\.com$/i
8837 header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:9porssts|a(?:\.wafager|b(?:dullahmundani|u(?:lkareem|shadi))|cecere|l(?:an\.austin|ex(?:anderpeterson|hoffman)|ghafrij|kasimunadi|l(?:enholden|isoncluade)|ure\.wawrenka)|m(?:bassadormarybethleonardl|ericadeliverycomapny|ina(?:ltwaijiri|medjahed))|n(?:dyfox|na(?:llee|sigurlaug))|office1office|radka|shwestwood|ustinbillmark|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|risterlordruben|teld\.huisman))|bongo|e(?:alitoniua|linekra|n(?:ezero|gatl|jaminsarah))|ill\.lawrence|mwautomobile|oarddept|rendalaporte|uffettwarrene)|c(?:h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|laxtonpaul|o(?:lombasjuan|ntactad)|rist(?:brun?|davis|ydavisdonation)|ustomerservicelacaixa)|d(?:a(?:nnuar|vi(?:d(?:\.loanfirm|larbi|pere|ramirez\.luis)|scarolyn|yax))|e(?:nnisclark|partmentofstate)|minique|ona(?:ldwilliam|tionhelpercare)|rdavidrhama|unsilva)|e(?:benezero|christina|l(?:i(?:bethgomez|sabethmaria|zabethedw)|o(?:diesawadogo|tocashoffice))|m(?:efieleg?|ilyrichmond)|re(?:nakgeorge|zcelic)|stherkatherine|wynn)|f(?:\.mikhail|a(?:ithdesrie|tme\.mehmed)|blott|irstbank|r(?:a(?:100dub|n(?:c(?:espatrickconnolly|iscamendoza)|k(?:jane|linpiesie)))|eelottosweepstake)|spero|ulanlan)|g(?:00gleggewinner|a(?:briel(?:eschmitt|kalia)|rciavincent)|bill|e(?:neralwilliamstony|orgekwame|raldjhjh)|iidp|l(?:enmoore|oriachow)|oo(?:golteam|oglegwiinner)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:gate|ryebert)|sh(?:imyreem|mireem))|e(?:atherbrooeke|ctor(?:castillos|scastillo)|lengiggs)|gold|ildad|o(?:nmackjohn|rnbeckmajordennis|seoky))|i(?:bed|mfdeputyoff|n(?:fo\.annedouglas|gridrolle)|smail(?:eman|tarkan))|j(?:a(?:mesokoh|vierlesme)|efferydean|o(?:edward|hn(?:griffn|r(?:awlings|oxfordjr)|sonwilson|uba|walterlove|a)|n(?:athanhaskel|hugo)|sephacevedo|vannyanderson)|rawlings|uliewatson)|k(?:a(?:l(?:iaksandr|tschmidtdavid)|malnizar|rabo\.ramala|t(?:jamess|rinaziako))|ennedy\.sawadogo|halidbuhazza|kasbu|rnkl|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:enasinghs|rynne(?:0west|west))|i(?:amfinchus|fecshortt|liane\.bettencourt|nelink|sa(?:milner|robin))|john|oughreymargaret|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|diawright|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:incare|jor(?:dennishornbeck|townsend)|lletman|n(?:duesq|fran|uelfranco(?:(?:donation|foundation|spende))?)|r(?:i(?:ahhills|opabl)|kroth|shalh|tinamayer|y(?:franson|josen))|urhinck|viswan(?:czyk(?:(?:foundation|k))?)?)|c\.cheadychang|dredban|elvidabullock|gfrederick|i(?:c(?:h(?:ael\.woosley|ealwuu)|w)|k(?:e\.weirsky\.foundational|hai(?:\.fridman|lfridm))|ss\.yasmineibrahim)|k(?:ent|untjoro)|oham(?:edabdul|m(?:daljililati|edshamekh))|r(?:\.(?:elbahi\.mohammed\.|justinmaxwell)|cjames|ericschmid|hanimuhammad|jamesmc|richardanthony|s(?:\.susanread|a(?:ishaalqadafi|ngela)|evelynbrown|fatimaamiraqureshi|hamima|jackman|maureens|r(?:obinsanders|uthsmith)|sarahbenjamin|victoriaedmond))|s(?:\.ellagolan|agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|icholas\.jose|obuyuki\.hirano)|o(?:\.peace|fficerricherd|hallkenneth|xfaminternationa)|p(?:aul(?:eed|n)|b(?:ph202lay|rookk)|e(?:rezdonlorenzo|ter(?:\.waddell|guggi|kenin|stephen))|hillip\.richead)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymondaba)|e(?:beccagarang|em(?:has(?:himy|m)|n)|plyback|v(?:\.jamesabel|fr(?:ankjackson|paulwilliams)))|icha(?:miller|rdw(?:ahl|illis))|o(?:b(?:erthanandez|inf)|naldmorris|s(?:a\.gomes|ekipkalya))|raya|t\.rev\.ericmark)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cottpeters|e(?:cretservicce|rgeantrobertbrown)|gt(?:\.monicab|ireneb)|h(?:anemissler|ery(?:\.gtl|etr)|inawatrathaksin)|im(?:lkheng|onhei)|op(?:adam|hiajesse)|peelman|t(?:anleyjohn|ephentam)|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:a(?:mmywebster|y(?:ebsouami|lorcathy))|erryparkins|h(?:ailandbankoffice|e(?:ara\.choy|odorosloannis))|imothymetheny|lyerdonald|o(?:m(?:ander|c(?:hrist|rist(?:(?:donation|foundation))?)|spende)|ny(?:\.chung|zimpro)|shikazusendo))|u(?:marukareem|n(?:claimedfunds|itednation(?:organization|s))|s(?:alotery|departmentofjustice))|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut))|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|hatsappofficial|i(?:elandherzog\.sw\.herad|ll(?:clark|iamsmartyrs))|u\.office|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo|ousefzongo)|z(?:bank|enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i
8839 header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|ilmohammed|lesiakalina|nnhester\.usa)|b(?:ank\.phbng|en(?:jaminb|nicholas)|riceangela)|c(?:\.aroline|h(?:arlesscharf|jackson)|juan|ythiamiller\.un)|dhamilton|e(?:denvictor|ricalbert)|federal\.r|j(?:a(?:ckson\.davis|netemoon)|kimyong)|k(?:altschmidtdavid|elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|hman)|isarobinson_|y_cheapiseth)|m(?:\.kogi|arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye))|o(?:legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|o(?:bertbailey|serichard))|s(?:amthong|igurlauganna|leo|pwalker|te(?:fanopessina|vecox\.))|tylerhess\.|vanserge|will(?:clark|smi)|xianglongdai))\d+\@yahoo\.com$/i
8841 header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i
8843 header __REPTO_INFONUMSCOM Reply-To:addr =~ /^info@\d{5,}\.com$/i
8845 header __REPTO_RUS_FREEM Reply-To =~ /\@mail\.ru/i
8847 if !((version >= 3.003000))
8848 meta __RP_MATCHES_RCVD 0
8851 if (version >= 3.003000)
8852 if !plugin(Mail::SpamAssassin::Plugin::WLBLEval)
8853 meta __RP_MATCHES_RCVD 0
8857 if (version >= 3.003000)
8858 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8859 header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
8863 body __SCAM /\bscam(?:m?e[dr])?s?\b/i
8865 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8866 mimeheader __SCC_BOGUS_CTE_1 Content-Transfer-Encoding =~ /^Hexa/i
8869 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8870 mimeheader __SCC_CTMPP Content-Type =~ /multipart\/parallel/
8873 body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i
8875 header __SENDER_BOT ALL =~ /(?:not?\W?repl[yi]|bounce|contact|daemon|subscri|report|respon[ds]e?r?s?\b|\b(?:root|news|nobody|agent|(?:post|web)?master|manag|send(?:er|ing)?|out|(?:bot|web|www)\b))[^\@ >]{0,5}s?\@\w/i
8876 tflags __SENDER_BOT nice
8878 uri __SENDGRID_REDIR m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=,
8880 meta __SENDGRID_REDIR_NOPHISH __SENDGRID_REDIR && !__SENDGRID_REDIR_PHISH
8882 meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || __FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ )
8884 body __SHARE_IT /\b(?:(?:share|allocate|teilen|parteger(?:ez|ons)?|partage)\s(?:th(?:e|is)|das|les?|des)\s(?:proceeds|funds?|money|balance|account|geld|compte|fonds)|partager(?:ez|ons)? (?:avec (?:vous|moi)|ratio|suivant un pourcentage))\b/i
8886 meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY && !__HDR_ENVFROM_SHOPIFY
8888 uri __SHORT_URL /^https?:\/\/[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/
8890 body __SINGLE_WORD_LINE /^\s?\S{1,60}\s?$/
8891 tflags __SINGLE_WORD_LINE multiple maxhits=2
8893 header __SINGLE_WORD_SUBJ Subject =~ /^\s*\S{1,60}\s*$/
8895 header __SMIME_MESSAGE Content-Type =~ /application\/pkcs7-mime;/i
8897 rawbody __SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/
8898 tflags __SPAN_BEG_TEXT multiple maxhits=5
8900 rawbody __SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/
8901 tflags __SPAN_END_TEXT multiple maxhits=5
8903 if !plugin(Mail::SpamAssassin::Plugin::SPF)
8904 meta __SPF_FULL_PASS 0
8907 ifplugin Mail::SpamAssassin::Plugin::SPF
8908 meta __SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS)
8909 tflags __SPF_FULL_PASS net
8912 if !plugin(Mail::SpamAssassin::Plugin::SPF)
8913 meta __SPF_RANDOM_SENDER 0
8916 ifplugin Mail::SpamAssassin::Plugin::SPF
8917 meta __SPF_RANDOM_SENDER (SPF_HELO_PASS && !SPF_PASS)
8918 tflags __SPF_RANDOM_SENDER net
8921 meta __SPOOFED_FREEMAIL !__NOT_SPOOFED && FREEMAIL_FROM
8922 tflags __SPOOFED_FREEMAIL net
8924 meta __SPOOFED_FREEM_REPTO __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO
8925 tflags __SPOOFED_FREEM_REPTO net
8927 rawbody __SPOOFED_URL m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i
8929 meta __STATIC_XPRIO_OLE __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE
8931 body __STAY_HOME /\b(?:going out of|leaving)(?: your)? (?:home|house|residence)\b/i
8933 body __STOCK_TIP /\bsto[ck]{2}\s?tip\b/i
8935 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8936 rawbody __STY_INVIS /\bstyle\s*=\s*"[^">]{0,80}(?:(?<!-)visibility\s*:\s*hidden\s*|display\s*:\s*none\s*)[;"!]/i
8937 tflags __STY_INVIS multiple maxhits=6
8940 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8941 meta __STY_INVIS_1 __STY_INVIS == 1
8944 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8945 meta __STY_INVIS_1_MINFP __STY_INVIS_1 && !MIME_QP_LONG_LINE && !__MOZILLA_MSGID
8948 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8949 meta __STY_INVIS_2 __STY_INVIS > 1
8952 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8953 meta __STY_INVIS_3 __STY_INVIS > 2
8956 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8957 meta __STY_INVIS_DIRECT __STY_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED
8960 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8961 meta __STY_INVIS_MANY __STY_INVIS > 5
8964 header __SUBJECT_EMPTY Subject:raw =~ /^\s*$/
8966 meta __SUBJECT_PRESENT_EMPTY __HAS_SUBJECT && __SUBJECT_EMPTY
8968 header __SUBJ_ADMIN Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i
8970 header __SUBJ_ATTENTION Subject =~ /ATTENTION/
8972 meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU
8974 header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/
8975 tflags __SUBJ_BROKEN_WORD multiple maxhits=2
8977 meta __SUBJ_DOM_ADMIN __SUBJ_ADMIN && __PDS_FROM_NAME_TO_DOMAIN
8979 header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*Subject:\s+[^\n]{0,100}\1[>,:\s\n]/ism
8981 header __SUBJ_HAS_TO_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n(?:[^\n]{1,200}\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
8983 header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
8985 header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism
8987 header __SUBJ_NOT_SHORT Subject =~ /^.{16}/
8989 header __SUBJ_OBFU_PUNCT Subject =~ /(?:[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|(?:[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z](?![a-z])))/i
8990 tflags __SUBJ_OBFU_PUNCT multiple maxhits=4
8992 header __SUBJ_RE Subject =~ /^(?:R[eE]|S[vV]|V[sS]|A[wW]):/
8994 header __SUBJ_SHORT Subject =~ /^.{0,8}$/
8996 header __SUBJ_UNNEEDED_HTML Subject =~ /%[0-9a-f][0-9a-f]/i
8997 tflags __SUBJ_UNNEEDED_HTML multiple maxhits=3
8999 header __SUBJ_USB_DRIVES Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/
9001 body __SUBSCRIPTION_INFO /\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/i
9002 tflags __SUBSCRIPTION_INFO nice
9004 body __SUM_OF_FUND /\b(?:sum|release|freigabe)\s(?:of|der)\s(?:amount|fund|investment|mittel)\b/i
9006 body __SURVEY /\bsurvey\b/i
9008 body __SURVIVORS /\b(?:widow|son|daughter|husband|wife|brother|sister|attorney|vi(?:=FA|[\xfa]|[\xc3][\xba])va|esposa|veuve)\s(?:of|to|do|de)\s(?:the\s)?(?:late|falecido|finales|feu|d(?:e|=E9|[\xe9]|[\xc3][\xa9])funt|mr\.?)\s\w+\b/i
9010 body __SUSPICION_LOGIN /\bsuspicion login\b/i
9012 body __SYSADMIN /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management|security|admin(?:istrat(?:or|ion))?) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i
9014 meta __TAGSTAT_IMG_NOT_RCVD_TGST __URI_IMG_TAGSTAT && !__HDR_RCVD_TAGSTAT
9016 meta __TARINGANET_IMG_NOT_RCVD_TN __URI_IMG_TARINGANET && !__HDR_RCVD_TARINGANET
9018 header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/
9020 rawbody __TENWORD_GIBBERISH /^\s*(?:[a-z]+\s+){10}\.$/m
9021 tflags __TENWORD_GIBBERISH multiple maxhits=21
9023 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9024 mimeheader __TEXT_XML_MT Content-Type =~ m,\btext/xml\b,i
9027 body __THEY_INHERIT /\b(?:inherit\sth(?:e|is)\smoney|herede\sest[ea]\sdinero)\b/i
9029 body __THIS_AD /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i
9031 meta __THREADED (!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF)
9032 tflags __THREADED nice
9034 header __THREAD_INDEX_GOOD Thread-Index =~ m,^A[a-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==|[A-Za-z0-9+/]{7}|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$,
9036 header __TO_ALL_NUMS To:addr =~ /^\d+@/
9038 meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX
9040 if !plugin(Mail::SpamAssassin::Plugin::SPF)
9041 meta __TO_EQ_FM_DOM_SPF_FAIL 0
9044 ifplugin Mail::SpamAssassin::Plugin::SPF
9045 meta __TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FROM_DOM && SPF_FAIL
9046 tflags __TO_EQ_FM_DOM_SPF_FAIL net
9049 if !plugin(Mail::SpamAssassin::Plugin::SPF)
9050 meta __TO_EQ_FM_SPF_FAIL 0
9053 ifplugin Mail::SpamAssassin::Plugin::SPF
9054 meta __TO_EQ_FM_SPF_FAIL __TO_EQ_FROM && SPF_FAIL
9055 tflags __TO_EQ_FM_SPF_FAIL net
9058 meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2)
9059 describe __TO_EQ_FROM To: same as From:
9061 header __TO_EQ_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
9063 header __TO_EQ_FROM_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
9065 meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2)
9066 describe __TO_EQ_FROM_DOM To: domain same as From: domain
9068 header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:\s+[^\n]+@\1[>,\s\n]/ism
9070 header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:\s+[^\n]+@\1[>,\s\n]/ism
9072 meta __TO_EQ_FROM_USR (__TO_EQ_FROM_USR_1 || __TO_EQ_FROM_USR_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)
9073 describe __TO_EQ_FROM_USR To: username same as From: username
9075 header __TO_EQ_FROM_USR_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism
9077 header __TO_EQ_FROM_USR_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism
9079 meta __TO_EQ_FROM_USR_NN (__TO_EQ_FROM_USR_NN_1 || __TO_EQ_FROM_USR_NN_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)
9080 describe __TO_EQ_FROM_USR_NN To: username same as From: username sans trailing nums
9082 header __TO_EQ_FROM_USR_NN_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*To:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism
9084 header __TO_EQ_FROM_USR_NN_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n(?:[^\n]{1,100}\n)*From:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism
9086 meta __TO_EQ_FROM_USR_NN_MINFP __TO_EQ_FROM_USR_NN && !__TO_EQ_FROM_USR_1 && !__TO_EQ_FROM && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__DKIM_EXISTS && !__NOT_SPOOFED && !__RCD_RDNS_SMTP && !__RCD_RDNS_MX_MESSY && !__THREADED
9088 meta __TO_IN_SUBJ (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3)
9090 header __TO_NO_ARROWS_R To !~ /(?:>$|>,)/
9092 if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
9093 meta __TO_NO_BRKTS_FREEMAIL 0
9096 ifplugin Mail::SpamAssassin::Plugin::FreeMail
9097 meta __TO_NO_BRKTS_FREEMAIL __TO_NO_ARROWS_R && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
9100 meta __TO_NO_BRKTS_FROM_RUNON __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && __FROM_RUNON
9102 meta __TO_NO_BRKTS_HTML_IMG __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMG
9104 meta __TO_NO_BRKTS_HTML_ONLY __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLY
9106 meta __TO_NO_BRKTS_MSFT __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
9108 meta __TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_HTML_ONLY && RDNS_NONE
9110 meta __TO_NO_BRKTS_PCNT __TO_NO_ARROWS_R && __FB_NUM_PERCNT
9112 meta __TO_TOO_MANY_WFH_01 __TO_WAY_TOO_MANY && __WFH_01
9114 header __TO_UNDISCLOSED To =~ /\b(?:undisclosed[-\s]recipients|destinataires inconnus|destinatari nascosti)\b/i
9116 header __TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,90}){50}/
9118 body __TO_YOUR_ACCT /\b(?:(?:f[uo]nds|money|f[uo]ndo|dinheiro|bank)\s(?:\w{1,10}\s){0,4}(?:transfer(?:red)?|transferido|sont)|\d+)\s(?:to|para|en)\s(?:your?|sua|votre)\s(?:account|conta|pos+es+ion)/i
9120 body __TO_YOUR_ORG /\b(?:to|for) your organi[sz]ation\b/i
9122 header __TO___LOWER ALL =~ /to:\s\S{5}/
9124 body __TRANSFORM_LIFE /\b(transform|change) your (?:daily )?life(?:style)?\b/i
9126 body __TRAVEL_AGENT /\btravel\sagen(?:t|cy)\b/i
9128 body __TRAVEL_BUSINESS /\bbusiness\stravel\b/i
9130 body __TRAVEL_ITINERARY /(?:travel|ticketed|your|current) itinerary/i
9132 meta __TRAVEL_MANY (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2
9134 body __TRAVEL_PROFILE /\btravel+er\sprofile\b/i
9136 body __TRAVEL_RESERV /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i
9138 body __TRTMT_DEFILED /\bdefiled\sall\s(?:forms\sof\s)?(?:medical\s)?treatments?\b/i
9140 body __TRUNK_BOX /\b(?:(?:trunk|metallic|proof|security|consignment)\sbox(?:es)?|sealed\ssafe|une mallette m(?:e|=E9|[\xe9]|[\xc3][\xa9])tallique)\b/i
9142 body __TRUSTED_CHECK /\b(?:cashier'?s?|certified)\sche(?:ck|que)/i
9144 header __TT_BROKEN_VALIUM Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i
9146 header __TT_BROKEN_VIAGRA Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i
9148 header __TT_OBSCURED_VALIUM Subject =~ /(v|V|\\\/)(a|A|\(a\)|4|@)(l|L|\|)(i|I|1|\xef|\|)(u|U|\(u\))(m|M)/
9150 header __TT_OBSCURED_VIAGRA Subject =~ /(v|V|\\\/)(i|I|1|\xef|\|)(a|A|\(a\)|4|@)(g|G)(r|R)(a|A|\(a\)|4|@)/
9152 header __TT_VALIUM Subject =~ /VALIUM/i
9154 header __TT_VIAGRA Subject =~ /VIAGRA/i
9156 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9157 mimeheader __TVD_FW_GRAPHIC_ID1 Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/
9160 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9161 mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i
9164 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9165 mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i
9168 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9169 mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i
9172 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9173 mimeheader __TVD_OUTLOOK_IMG Content-Id =~ /<image\d+\.(?:gif|jpe?g|png)\@/
9176 body __TVD_PH_BODY_01 /\baccount .{0,20}placed? [io]n restricted status/i
9178 body __TVD_PH_BODY_02 /\brecords (?:[a-z_,-]+ )+?(?:feature|(?:a|re)ward)/i
9180 body __TVD_PH_BODY_03 /\byou(?:'ve| have) been (?:[a-z_,-]+ )+?payment/i
9182 body __TVD_PH_BODY_04 /\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/i
9184 body __TVD_PH_BODY_05 /\bthis is (?:[a-z_,-]+ )+?protect (?:[a-z_,-]+ )+?your/i
9186 body __TVD_PH_BODY_06 /Dear [a-z]+ bank (?:member|customer)/i
9188 body __TVD_PH_BODY_07 /\bguarantee the safety of your (?:[a-z_,-]+ )*?account/i
9190 body __TVD_PH_BODY_08 /\bmultiple password failures/i
9192 body __TVD_PH_BODY_ACCOUNTS_POST /\b(?:(?:[dr]e-?)?activat[a-z]*|(?:re-?)?validate|secure|restore|confirm|update|suspend) (?!your)(?:[a-z_,-]+ )+?accounts?\b/i
9194 body __TVD_PH_BODY_ACCOUNTS_PRE /\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i
9196 meta __TVD_PH_BODY_META __TVD_PH_BODY_01 || __TVD_PH_BODY_02 || __TVD_PH_BODY_03 || __TVD_PH_BODY_04 || __TVD_PH_BODY_05 || __TVD_PH_BODY_06 || __TVD_PH_BODY_07 || __TVD_PH_BODY_08
9198 header __TVD_PH_SUBJ_00 Subject =~ /\brewards? survey\b/i
9200 header __TVD_PH_SUBJ_02 Subject =~ /\byour payment has been sent\b/i
9202 header __TVD_PH_SUBJ_04 Subject =~ /\baccounts? profile\b/i
9204 header __TVD_PH_SUBJ_15 Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i
9206 header __TVD_PH_SUBJ_17 Subject =~ /\bremove limitations?\b/i
9208 header __TVD_PH_SUBJ_18 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i
9210 header __TVD_PH_SUBJ_19 Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i
9212 header __TVD_PH_SUBJ_29 Subject =~ /^notice(?::|[\s\W]*$)/i
9214 header __TVD_PH_SUBJ_31 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i
9216 header __TVD_PH_SUBJ_36 Subject =~ /\bconsumer notice\b/i
9218 header __TVD_PH_SUBJ_37 Subject =~ /\bvalued member[a-z]*\b/i
9220 header __TVD_PH_SUBJ_38 Subject =~ /\bonline bank[a-z]*\b/i
9222 header __TVD_PH_SUBJ_39 Subject =~ /\bonline department\b/i
9224 header __TVD_PH_SUBJ_41 Subject =~ /\bunusual activity\b/i
9226 header __TVD_PH_SUBJ_52 Subject =~ /\b(?:account|online) profile\b/i
9228 header __TVD_PH_SUBJ_54 Subject =~ /\bun-?authorized access(?:es)?\b/i
9230 header __TVD_PH_SUBJ_56 Subject =~ /\brespond now\b/i
9232 header __TVD_PH_SUBJ_58 Subject =~ /\bbilling service\b/i
9234 header __TVD_PH_SUBJ_59 Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i
9236 header __TVD_PH_SUBJ_ACCESS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i
9238 meta __TVD_PH_SUBJ_META __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST
9240 meta __TVD_SPACE_ENCODED (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED)
9242 if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
9243 meta __TVD_SPACE_RATIO 0
9246 header __TVD_SUBJ_NUM_OBFU Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i
9248 meta __T_PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512 || __PDS_QP_512)
9250 header __UA_GNUS User-Agent =~ /^Gnus/
9252 header __UA_KMAIL User-Agent =~ /^KMail/
9254 header __UA_KNODE User-Agent =~ /^KNode/
9256 header __UA_MOZ5 User-Agent =~ /^Mozilla\/5/
9258 header __UA_MSOEMAC User-Agent =~ /^Microsoft-Outlook-Express-Mac/
9260 header __UA_MSOMAC User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/
9262 header __UA_MUTT User-Agent =~ /^Mutt/
9264 header __UA_OPERA7 User-Agent =~ /^Opera7/
9266 header __UA_PAN User-Agent =~ /^Pan/
9268 header __UA_XNEWS User-Agent =~ /^Xnews/
9270 body __UC_GIBB_OBFU /\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/
9271 tflags __UC_GIBB_OBFU multiple maxhits=2
9273 body __UN /\bunited\snations?\b/i
9275 meta __UNDISC_FREEM __TO_UNDISCLOSED && __freemail_replyto
9277 meta __UNDISC_MONEY __TO_UNDISCLOSED && (__ADVANCE_FEE_2_NEW || LOTS_OF_MONEY)
9279 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9280 body __UNICODE_OBFU_ASC /[a-z0-9\s](?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9]{1,8}(?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9\s]/i
9281 tflags __UNICODE_OBFU_ASC multiple maxhits=10
9284 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9285 meta __UNICODE_OBFU_ASC_MANY __UNICODE_OBFU_ASC > 9
9288 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9289 body __UNICODE_OBFU_ZW /[a-z0-9\s](?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+[a-z0-9\s]/i
9290 tflags __UNICODE_OBFU_ZW multiple maxhits=10
9293 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9294 meta __UNICODE_OBFU_ZW_10 __UNICODE_OBFU_ZW > 9
9297 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9298 meta __UNICODE_OBFU_ZW_2 __UNICODE_OBFU_ZW > 1
9301 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9302 meta __UNICODE_OBFU_ZW_3 __UNICODE_OBFU_ZW > 2
9305 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9306 meta __UNICODE_OBFU_ZW_5 __UNICODE_OBFU_ZW > 4
9309 body __UNSUB_EMAIL /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b[-a-z_0-9.+=]{0,60}\@[a-z0-9][-a-z_0-9.]{4,20}(?:[^a-z_0-9.-]|$)/i
9310 tflags __UNSUB_EMAIL nice
9312 body __UNSUB_GOOG_FORM m,Unsub?sc?ribe\s<?https?://docs\.google\.com/forms/,i
9314 uri __UNSUB_LINK /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b/i
9315 tflags __UNSUB_LINK nice
9317 body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:(?:[hw]as|and)\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage|you (?:have )?(?:failed|refused) to up(?:date|grade))\b/i
9319 uri __UPPERCASE_URI /^[^:A-Z]+[A-Z]/
9321 uri __URI_12LTRDOM m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i
9323 uri __URI_ADOBESPARK m,https?://branchlink\.adobespark\.com/,i
9325 uri __URI_AZURE_CLOUDAPP m,://(?:[^./]+\.)+cloudapp\.azure\.com/,
9327 uri __URI_DASHGOVEDU m,://[^/]*-(?:gov|edu)\.com/,i
9329 uri __URI_DATA /^data:(?!image\/)[a-z]/i
9331 uri __URI_DBL_DOM m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i
9333 uri __URI_DOTEDU m;^https?://(?:[^./]+\.)+edu/;i
9335 meta __URI_DOTEDU_ENTITY __URI_DOTEDU && __AC_HTML_ENTITY_BONANZA_SHRT_RAW
9337 uri __URI_DOTGOV m;^https?://(?:[^./]+\.)+gov/;i
9339 uri __URI_DOTTY_HEX /(?:\.[0-9a-f]{2}){30}/
9341 uri __URI_DQ_UNSUB m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i
9343 uri __URI_FIREBASEAPP m,://[^./]+\.firebaseapp\.com/,
9345 uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:[^&]+&)*(?:id|formkey|usp)=|document/),i
9347 uri __URI_GOOGLE_DRV m,^https?://(?:drive\.google|googledrive)\.com/,i
9349 uri __URI_GOOGLE_PROXY m;^https?://[^.]+\.googleusercontent\.com/proxy/;i
9351 uri __URI_GOOG_STO_EMAIL m;^https?://(?:firebase)?storage\.googleapis\.com/.*[a-z0-9]@(?:[a-z0-9]{2,20}\.){1,3}[a-z]{2,3}$;i
9353 uri __URI_GOOG_STO_HTML m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.html?(?:$|\?),i
9354 tflags __URI_GOOG_STO_HTML multiple maxhits=5
9356 uri __URI_GOOG_STO_IMG m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.(?:png|jpe?g|gif)$,i
9357 tflags __URI_GOOG_STO_IMG multiple maxhits=5
9359 uri __URI_HEX_IP m;://0x[0-9A-F]{8,}[:/];i
9361 meta __URI_HOSTED_IMG ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT || __URI_IMG_FACEBOOK || __URI_IMG_TARINGANET || __URI_IMG_BEBEE || __URI_IMG_EFUSERASSETS || __URI_IMG_IMGBOX_THUMB || __URI_IMG_500PXORG || __URI_IMG_WIXMP || __URI_IMG_POSTIMGCC || __URI_IMG_GTRACING || __URI_IMG_JOOMCDN || __URI_IMG_DHRESOURCE )
9363 uri __URI_IMG_500PXORG m;://drscdn\.500px\.org/photo/;i
9365 uri __URI_IMG_ALICDN m,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g|gif|png|webp),i
9367 uri __URI_IMG_AMAZON m,://[^/?]+\.(?:ssl-)?(?:images|media)-amazon\.com/.*\.(?:png|gif|jpe?g|webp)$,i
9369 uri __URI_IMG_BEBEE m;://contents\.bebee\.com/users/.+\.(?:jpe?g|gif|png|webp);i
9371 uri __URI_IMG_CHANNYPIC m,://www\.channypicture\.com/pic/,i
9373 uri __URI_IMG_DHRESOURCE m;://www\.dhresource\.com/.+\.(?:jpe?g|gif|png|webp);i
9375 uri __URI_IMG_EBAY m,://[^/?]+\.ebayimg\.com/,i
9377 uri __URI_IMG_EFUSERASSETS m;://\d+\.efuserassets\.com/\d+/.+\.(?:jpe?g|gif|png|webp);i
9379 uri __URI_IMG_FACEBOOK m;://([^/.]+\.)+fbcdn\.net/v/.+\.(?:jpe?g|gif|png|webp);i
9381 uri __URI_IMG_GBTCDN m;://des\.gbtcdn\.com/storage/store/[0-9a-f/]{30,}\.(?:png|gif|jpe?g|webp)$;i
9383 uri __URI_IMG_GTRACING m;://shopify\.gtracing\.com/img/.+\.(?:jpe?g|gif|png|webp);i
9385 uri __URI_IMG_IMGBOX_THUMB m;://thumbs\d*\.imgbox\.com/.+\.(?:jpe?g|gif|png|webp);i
9387 uri __URI_IMG_JOOMCDN m,://img\.joomcdn\.net/,i
9388 uri __URI_IMG_JOOMCDN m;://img\.joomcdn\.net/.+\.(?:jpe?g|gif|png|webp);i
9390 uri __URI_IMG_LINKEDIN m;://media-exp\d\.licdn\.com/dms/image/;i
9392 uri __URI_IMG_NEWEGG m,://[^/?]+\.neweggimages\.com/,i
9394 uri __URI_IMG_POSTIMGCC m;://i\.postimg\.cc/.+\.(?:jpe?g|gif|png|webp);i
9396 uri __URI_IMG_SHOPIFY m,://cdn\.shopify\.com/.+\.(?:jpe?g|gif|png|webp),i
9398 uri __URI_IMG_STATICBG m,://imgaz\.staticbg\.com/images/,i
9400 uri __URI_IMG_TAGSTAT m;://i\d+\.tagstat\.com/.+\.(?:jpe?g|gif|png|webp);i
9402 uri __URI_IMG_TARINGANET m;://media\.taringa\.net/knn/;i
9404 uri __URI_IMG_TOPHATTER m;://images\.tophatter\.com/[0-9a-f]{30,}/;i
9406 uri __URI_IMG_TUMBLR m;://\d+\.media\.tumblr\.com/.+\.(?:jpe?g|gif|png|webp);i
9408 uri __URI_IMG_WALMART m,://[^/?]+\.walmartimages\.com/,i
9410 uri __URI_IMG_WISH m,://contestimg\.wish\.com/,i
9412 uri __URI_IMG_WIXMP m;://images-wixmp-[0-9a-f]{20,}\.wixmp\.com/;i
9414 uri __URI_IMG_WP_REDIR m;://i[02]\.wp\.com/.*\.(?:jpe?g|gif|png)$;i
9416 uri __URI_IMG_YTIMG m,://[^/?]+\.ytimg\.com/,i
9418 uri __URI_LONG_REPEAT m;(?:://|@)(?:\w+\.)*(\w{7,}\.)\1;i
9420 uri __URI_MAILTO /^mailto:/i
9421 tflags __URI_MAILTO multiple maxhits=16
9423 uri __URI_MONERO /buy-monero/i
9425 uri __URI_OBFU_DOM /:\/\/(?:\w+\.)+(?:com|gov|net|org)(?:\.\w+){3,}\//i
9427 meta __URI_ONLY_MSGID_MALF __BODY_URI_ONLY && __MSGID_NOFQDN2
9429 meta __URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH)
9431 uri __URI_PHP_REDIR m;/redirect\.php\?;i
9433 uri __URI_PRODUCT_AMAZON m,://www\.amazon\.(?:com|co\.uk|[a-z][a-z])/dp/[a-z0-9]{10}/,i
9435 uri __URI_TRY_3LD m,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob|images?|photos?)\w)[^.]*\.(?:(?!list-manage\.)[^/.]+\.)+(?:com|net)\b,i
9437 uri __URI_TRY_USME m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i
9439 uri __URI_WEBAPP m,://[^./]+\.web\.app/,
9441 uri __URI_WPADMIN m,/wp-admin/\w+/,i
9443 uri __URI_WPCONTENT m,/wp-content/.*\.(?:php|html?)\b,i
9445 uri __URI_WPDIRINDEX m,/wp-(?:content|includes)/.*/$,i
9447 uri __URI_WPINCLUDES m,/wp-includes/.*\.(?:php|html?)\b,i
9449 uri __URL_BTC_ID m;[/.](?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})(?:/|$);
9451 uri __URL_LTC_ID m;[/.][LM3][a-km-zA-HJ-NP-Z1-9]{26,33}(?:/|$);
9453 header __USING_VERP1 Return-Path =~ /[+-].*=/
9455 header __VACATION Subject =~ /\b(?:vacatio|away|out.of.offic|auto.?re|confirm)/i
9456 tflags __VACATION nice
9458 body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails)|verify [a-z][a-z0-9_]{3,40}@[a-z][a-z0-9]{2,30}\.[a-z]{2,6}|your mailbox [^@\s]{3,30}@\S{3,30} (?:(?:needs to|must) be verified|(?:needs|requires) verification))\b/i
9459 tflags __VALIDATE_MAILBOX multiple maxhits=2
9461 body __VALIDATE_MBOX_SE /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i
9463 body __VERIFY_ACCOUNT /(?:confirm|updated?|verif(?:y|ied)) (?:your|the) (?:(?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)|"?[^\@\s]+\@\S+"? (?:account|mail ?box)|confirm verification|verify k?now|Ihre Angaben .berpr.ft und best.tigt)/i
9464 tflags __VERIFY_ACCOUNT multiple maxhits=2
9466 meta __VFY_ACCT_NORDNS __VERIFY_ACCOUNT && __RDNS_NONE
9468 if (version >= 3.004002)
9469 ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9470 header __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i
9474 meta __WALMART_IMG_NOT_RCVD_WAL __URI_IMG_WALMART && !__HDR_RCVD_WALMART
9476 body __WEBMAIL_ACCT /\byour web ?mail account/i
9478 body __WE_PAID /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i
9480 meta __WFH_01 ( __PERFECT_BINARY + __WE_PAID + __MAKE_XTRA_DOLLAR + __BONUS_LAST_DAY + __PASSIVE_INCOME + __WITHOUT_EFFORT + __TRANSFORM_LIFE + __STAY_HOME + __RECEIVE_BONUS ) > 2
9482 body __WIDOW /\b(?:widow(?:e[rd])'?s?|veuve)\b/i
9484 body __WILL_LEGAL /\b(?:codicil|last\stestament|probate|executor|intestate|bequest|mandamus)\b/i
9486 body __WIRE_XFR /\b(?:wire|telegraph(?:ic)?|bank)\s?transfer/i
9488 body __WITHOUT_EFFORT /\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great| special| extra)? effort\b/i
9490 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9491 rawbody __WORD_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|in|pc|em|ex|ch|rem|lh|vmax))\s*[;'a-z]|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w{1,20}</i
9492 tflags __WORD_INVIS multiple maxhits=6
9495 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9496 meta __WORD_INVIS_2 __WORD_INVIS > 1
9499 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9500 meta __WORD_INVIS_5 __WORD_INVIS > 5
9503 if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9504 meta __WORD_INVIS_MINFP __WORD_INVIS && !__SURVEY && !MIME_QP_LONG_LINE && !__FB_TOUR && !__MSGID_GUID
9507 header __XEROXWORKCTR_MUA X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/
9509 meta __XFER_LOTSA_MONEY __XFER_MONEY && LOTS_OF_MONEY
9511 meta __XFER_MONEY (__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT || __MOVE_MONEY || __TO_YOUR_ACCT || __PAY_YOU || __GIVE_MONEY)
9513 ifplugin Mail::SpamAssassin::Plugin::FreeMail
9514 header __XMAIL_CODEIGN X-Mailer =~ /CodeIgniter/
9517 ifplugin Mail::SpamAssassin::Plugin::FreeMail
9518 header __XMAIL_PHPMAIL X-Mailer =~ /PHPMailer/
9521 header __XM_APPLEMAIL X-Mailer =~ /^Apple Mail/
9523 header __XM_ASPQMAIL X-Mailer =~ /^AspQMail/
9525 header __XM_BALSA X-Mailer =~ /^Balsa \d/
9527 header __XM_CALYPSO X-Mailer =~ /^Calypso/
9529 header __XM_DIGITS_ONLY X-Mailer =~ /^\s*\d+\s*$/
9531 header __XM_EC_MESSENGER X-Mailer =~ /\beC-Messenger\b/
9533 header __XM_FORTE X-Mailer =~ /^Forte Agent \d/
9535 header __XM_GNUS X-Mailer =~ /^Gnus v/
9537 header __XM_MHE X-Mailer =~ /^mh-e \d/
9539 header __XM_MOZ4 X-Mailer =~ /^Mozilla 4/
9541 header __XM_MSOE5 X-Mailer =~ /^Microsoft Outlook Express 5/
9543 header __XM_MSOE6 X-Mailer =~ /^Microsoft Outlook Express 6/
9545 header __XM_MS_IN_GENERAL X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/
9547 header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/
9549 header __XM_OL_28001441 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/
9551 header __XM_OL_28004682 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/
9553 header __XM_OL_48072300 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/
9555 header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/
9557 header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/
9559 header __XM_PHPMAILER_FORGED X-Mailer =~ /PHPMailer\s.*version\D+$/
9561 header __XM_RANDOM X-Mailer =~ /q(?!(?:q|box|i\s)?mail|\d|[-\w]*=+;)[^u]/i
9563 header __XM_SKYRI X-Mailer =~ /^SKYRiXgreen/
9565 header __XM_SQRLMAIL X-Mailer =~ /^SquirrelMail/
9567 header __XM_SYLPHEED X-Mailer =~ /^Sylpheed/
9569 header __XM_UC_ONLY X-Mailer =~ /^[^a-z]+$/
9571 header __XM_VERY_LONG X-Mailer =~ /.{50}/
9573 header __XM_VM X-Mailer =~ /^VM \d/
9575 header __XM_WWWMAIL X-Mailer =~ /^WWW-Mail \d/
9577 header __XM_XIMEVOL X-Mailer =~ /^Ximian Evolution/
9579 meta __XPRIO_MINFP __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT && !__L_BODY_8BITS && !__HAS_X_SENDER
9581 meta __XPRIO_SHORT_SUBJ __XPRIO_MINFP && __SUBJ_SHORT
9583 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9584 mimeheader __X_MSO_MT Content-Type =~ m,\bapplication/x-mso\b,i
9587 body __YOUR_BANK /\byour?\s(?:full\s)?bank(?:ing)?\sinformations?\b/i
9589 body __YOUR_CONSIGNMENT /\b(?:received?|pa(?:y|id)|sen[dt]|h[oe]ld|delay(?:ed)?|impound(?:ed)?|released?|ship(?:ped)?)\syour(?:\s\w+)?\sconsignment\b/i
9591 body __YOUR_FUND /\b(?:your|ihr)\s(?:unpaid\s|win+ing\s|ap+roved\s|foreign\s|overdue\s|outstanding\s|contract\s|inheritance\s|nicht\sausbezahlten\s){0,3}(?:fund|f\su\sn\sd|payment|geld)\b/i
9593 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9594 body __YOUR_ONAN /\b(?:your?|ihrer)\s(?:ma+s+t+[ur]+b+a+t+(?:ion|ing|e)(?:svideo)?|onanism|solitary\ssex|hand\sfucking|Selbstbefriedigung|(?:pleasur(?:e|ing)|satisfy(?:ing)?)\syourself)\b/i
9597 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9598 body __YOUR_ONAN /(?:^|\s)(?:<Y><O><U><R>?|<I><H><R><E><R>)\s(?:<M>+<A>+<S>+<T>+(?:<U>|<R>)+<B>+<A>+<T>+(?:<I><O><N>|<I><N><G>|<E>)(?:<S><V><I><D><E><O>)?|<O><N><A><N><I><S><M>|<S><O><L><I><T><A><R><Y>\s<S><E><X>|<H><A><N><D>\s<F><U><C><K><I><N><G>|<S><E><L><B><S><T><B><E><F><R><I><E><D><I><G><U><N><G>|(?:<P><L><E><A><S><U><R>(?:<E>|<I><N><G>)|<S><A><T><I><S><F><Y>(?:<I><N><G>)?)\s<Y><O><U><R><S><E><L><F>)/i
9601 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9602 body __YOUR_PASSWORD /\b(?:your|(?:change|modify|update|reset|alter|fix)\sthe)\s(?:account\s|e-?mail\s)?(?:pass[-\s_]?word|pswd)\b/i
9605 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9606 body __YOUR_PASSWORD /(?:^|\s)(?:<Y><O><U><R>|(?:<C><H><A><N><G><E>|<M><O><D><I><F><Y>|<U><P><D><A><T><E>|<R><E><S><E><T>|<A><L><T><E><R>|<F><I><X>)\s<T><H><E>)\s(?:<A><C><C><O><U><N><T>\s|<E>-?<M><A><I><L>\s)?(?:<P><A><S><S>[-\s_]?<W><O><R><D>|<P><S><W><D>\s)/i
9609 body __YOUR_PERM /\byour\spermission\b/i
9611 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9612 body __YOUR_PERSONAL /\b(?:your\s(?:personal|private|social\scontact|address|friends)\s(?:info(?:rmation)?|data|details|book|secrets)|all\s(?:of\s)?your\s(?:files|contacts|secrets|correspondence))\b/i
9615 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9616 body __YOUR_PERSONAL /(?:^|\s)(?:<Y><O><U><R>\s(?:<P><E><R><S><O><N><A><L>|<P><R><I><V><A><T><E>|<S><O><C><I><A><L>\s<C><O><N><T><A><C><T>|<A><D><D><R><E><S><S>|<F><R><I><E><N><D><S>)\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>|<D><E><T><A><I><L><S>|<B><O><O><K>|<S><E><C><R><E><T><S>)|<A><L><L>\s(?:<O><F>\s)?<Y><O><U><R>\s(?:<F><I><L><E><S>|<C><O><N><T><A><C><T><S>|<S><E><C><R><E><T><S>|<C><O><R><R><E><S><P><O><N><D><E><N><C><E>))[\s\.,]/i
9619 body __YOUR_PROFIT /\byour?\sprofit/i
9621 if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9622 body __YOUR_WEBCAM /\b(?:from|your|with|and|on)\s(?:(?:screen|desktop|microphone)\sand\s|own\s)?(?:web[-\s]?|front[-\s]?|network\s|your\s)camer+a/i
9625 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9626 body __YOUR_WEBCAM /(?:^|\s)(?:<F><R><O><M>|<Y><O><U><R>|<W><I><T><H>|<A><N><D>|<O><N>)\s(?:(?:<S><C><R><E><E><N>|<D><E><S><K><T><O><P>|<M><I><C><R><O><P><H><O><N><E>)\s<A><N><D>\s|<O><W><N>\s)?(?:<W><E><B>[-\s]?|<F><R><O><N><T>[-\s]?|<N><E><T><W><O><R><K>\s|<Y><O><U><R>\s)<C><A><M><E><R>+<A>/i
9629 body __YOU_ASSIST /\b(?:your\sas+istan(?:ce|t)|votre\s(?:as+istance|aide))\b/i
9631 body __YOU_INHERIT /\byour\s[a-z\s]{0,30}inherit+ance\b/i
9633 meta __YOU_WON __YOU_WON_01 || __YOU_WON_02 || __YOU_WON_03 || __YOU_WON_04 || __HAS_WON_01 || (__YOU_WON_05 && (__MOVE_MONEY || __GIVE_MONEY))
9635 body __YOU_WON_01 /\byou(?:r|'re|'ve|'ll|\shave|\sdid)?\s(?:e-?mail\s)?(?:\w+\s){0,2}(?:a\s)?w[io]n+(?:er|ing)?(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i
9637 body __YOU_WON_02 /\bw[io]n\s(?:(?:for|by)\s)?your?\b/i
9639 body __YOU_WON_03 /\b(?:your?|win+ing|win+ers?|beneficiaries|participants?|individuals?|address(?:es)?|accounts?|emails?)(?:\s[-a-z\s]{4,40})?\s(?:w(?:ere|as)|ha(?:ve|s) be(?:en)?)\s(?:automatically\s)?(?:(?:randomly|raffly)\s(?:selected|cho+sen|cho+sing|picked)|(?:selected|cho+sen|cho+sing|picked)\s(?:[a-z\s]{2,40}?\srandom(?:ly)?|online|lottery|computer\s(?:ballot|wahlgang))|(?:selected|cho+sen|cho+sing|picked)(?:\sas?|\sthe){0,3}\swin+er)/i
9641 body __YOU_WON_04 /\bqu[ei]\s?(?:vous (?:[\xc3][\xaa]|=C3=AA|[\xea]|e)tes\s?gagnant|en\scons(?:e|=E9|[\xe9]|[\xc3][\xa9])quence\sgagne)\b/i
9643 body __YOU_WON_05 /\bI won(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i
9645 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
9646 meta __ZIP_ATTACH_MT 0
9649 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9650 mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i
9653 if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
9654 meta __ZIP_ATTACH_NOFN 0
9657 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9658 mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i
9661 ifplugin Mail::SpamAssassin::Plugin::FreeMail
9662 header __freemail_mailreplyto eval:check_freemail_header('Mail-Reply-To')
9665 body __hk_bigmoney /(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i
9667 ifplugin Mail::SpamAssassin::Plugin::FreeMail
9668 header __smf_freemail_hdr_replyto eval:check_freemail_header('Reply-To:addr')
projects / proxmox-spamassassin.git / blob