/i
describe FUZZY_PRIVACY Obfuscated "privacy"
tflags FUZZY_PRIVACY publish
endif
##} FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_PROMOTION /(?=)(?!promotion)
/i
describe FUZZY_PROMOTION Obfuscated "promotion"
tflags FUZZY_PROMOTION publish
endif
##} FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_SAVINGS /(?=)(?!savings)/i
describe FUZZY_SAVINGS Obfuscated "savings"
tflags FUZZY_SAVINGS publish
endif
##} FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_SECURITY /(?=)(?!security)(?!seguridad)(?!s\xc3\xa9curit\xc3\xa9)(?:|)(?:|)/i
describe FUZZY_SECURITY Obfuscated "security"
tflags FUZZY_SECURITY publish
endif
##} FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_UNSUBSCRIBE /(?=)(?!unsubscribe)/i
describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe"
tflags FUZZY_UNSUBSCRIBE publish
endif
##} FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body FUZZY_WALLET /(?=)(?!wallet)/i
describe FUZZY_WALLET Obfuscated "Wallet"
tflags FUZZY_WALLET publish
endif
##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta GAPPY_SALES_LEADS_FREEM __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
describe GAPPY_SALES_LEADS_FREEM Obfuscated marketing text, freemail or CHN replyto
# score GAPPY_SALES_LEADS_FREEM 3.500 # limit
tflags GAPPY_SALES_LEADS_FREEM publish
endif
##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
##{ GB_FAKE_RF_SHORT
meta GB_FAKE_RF_SHORT ( ! __THREADED && __GB_FAKE_RF && __PDS_URISHORTENER )
describe GB_FAKE_RF_SHORT Fake reply or forward with url shortener
#score GB_FAKE_RF_SHORT 2.000 # limit
tflags GB_FAKE_RF_SHORT publish
##} GB_FAKE_RF_SHORT
##{ GB_FORGED_MUA_POSTFIX
meta GB_FORGED_MUA_POSTFIX ( __FORGED_MUA_POSTFIX0 || __FORGED_MUA_POSTFIX1 )
describe GB_FORGED_MUA_POSTFIX Forged Postfix mua headers
tflags GB_FORGED_MUA_POSTFIX publish
#score GB_FORGED_MUA_POSTFIX 2.0 # limit
##} GB_FORGED_MUA_POSTFIX
##{ GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta GB_FREEMAIL_DISPTO ( __FREEMAIL_DISPTO && !__freemail_safe )
describe GB_FREEMAIL_DISPTO Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails
# score GB_FREEMAIL_DISPTO 0.50 # limit
tflags GB_FREEMAIL_DISPTO publish
endif
##} GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta GB_FREEMAIL_DISPTO_NOTFREEM ( __FREEMAIL_DISPTO && !__freemail_safe && !FREEMAIL_FROM )
describe GB_FREEMAIL_DISPTO_NOTFREEM Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail
# score GB_FREEMAIL_DISPTO_NOTFREEM 0.50 # limit
tflags GB_FREEMAIL_DISPTO_NOTFREEM publish
endif
##} GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ GB_GOOGLE_OBFUR
uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.([a-z]{2,3})\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=([0-9])*\&(cad=rja\&uact=([0-9]+)\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(&usg=.{1,50})?/
describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect
#score GB_GOOGLE_OBFUR 0.75 # limit
tflags GB_GOOGLE_OBFUR publish
##} GB_GOOGLE_OBFUR
##{ GEO_QUERY_STRING
uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
##} GEO_QUERY_STRING
##{ GOOGLE_DOCS_PHISH
meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2)
describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form
#score GOOGLE_DOCS_PHISH 3.00 # limit
tflags GOOGLE_DOCS_PHISH publish
##} GOOGLE_DOCS_PHISH
##{ GOOGLE_DOCS_PHISH_MANY
meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form
#score GOOGLE_DOCS_PHISH_MANY 4.00 # limit
tflags GOOGLE_DOCS_PHISH_MANY publish
##} GOOGLE_DOCS_PHISH_MANY
##{ GOOGLE_DOC_SUSP
meta GOOGLE_DOC_SUSP __GOOGLE_DOC_SUSP && !GOOGLE_DOCS_PHISH_MANY && !__HAS_SENDER && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__USING_VERP1 && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_SMTP && ! __HAS_LIST_ID && !__SURVEY && !__BUGGED_IMG
describe GOOGLE_DOC_SUSP Suspicious use of Google Docs
#score GOOGLE_DOC_SUSP 3.000 # limit
tflags GOOGLE_DOC_SUSP publish
##} GOOGLE_DOC_SUSP
##{ GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD
tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish
describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD
#score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit
endif
endif
##} GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
##{ GOOG_MALWARE_DNLD
meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD
describe GOOG_MALWARE_DNLD File download via Google - Malware?
#score GOOG_MALWARE_DNLD 5.000 # limit
tflags GOOG_MALWARE_DNLD publish
##} GOOG_MALWARE_DNLD
##{ GOOG_REDIR_DOCUSIGN
uri GOOG_REDIR_DOCUSIGN m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i
describe GOOG_REDIR_DOCUSIGN Indirect docusign link, probable phishing
tflags GOOG_REDIR_DOCUSIGN publish
##} GOOG_REDIR_DOCUSIGN
##{ GOOG_REDIR_NORDNS
meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE
describe GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website + no rDNS
##} GOOG_REDIR_NORDNS
##{ GOOG_REDIR_SHORT
meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512
describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message
tflags GOOG_REDIR_SHORT publish
##} GOOG_REDIR_SHORT
##{ GOOG_STO_EMAIL_PHISH
meta GOOG_STO_EMAIL_PHISH __URI_GOOG_STO_EMAIL && (__PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ || __FROM_ADMIN || __VERIFY_ACCOUNT)
describe GOOG_STO_EMAIL_PHISH Possible phishing with google hosted content URI having email address
#score GOOG_STO_EMAIL_PHISH 3.00 # limit
tflags GOOG_STO_EMAIL_PHISH publish
##} GOOG_STO_EMAIL_PHISH
##{ GOOG_STO_HTML_PHISH
meta GOOG_STO_HTML_PHISH __GOOG_STO_HTML_PHISH
describe GOOG_STO_HTML_PHISH Possible phishing with google content hosting to avoid URIBL
#score GOOG_STO_HTML_PHISH 3.00 # limit
tflags GOOG_STO_HTML_PHISH publish
##} GOOG_STO_HTML_PHISH
##{ GOOG_STO_HTML_PHISH_MANY
meta GOOG_STO_HTML_PHISH_MANY __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
describe GOOG_STO_HTML_PHISH_MANY Phishing with google content hosting to avoid URIBL
#score GOOG_STO_HTML_PHISH_MANY 4.00 # limit
tflags GOOG_STO_HTML_PHISH_MANY publish
##} GOOG_STO_HTML_PHISH_MANY
##{ GOOG_STO_IMG_HTML
meta GOOG_STO_IMG_HTML __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY
describe GOOG_STO_IMG_HTML Apparently using google content hosting to avoid URIBL
#score GOOG_STO_IMG_HTML 3.000 # limit
tflags GOOG_STO_IMG_HTML publish
##} GOOG_STO_IMG_HTML
##{ GOOG_STO_IMG_NOHTML
meta GOOG_STO_IMG_NOHTML __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !URI_GOOG_STO_SPAMMY
describe GOOG_STO_IMG_NOHTML Apparently using google content hosting to avoid URIBL
#score GOOG_STO_IMG_NOHTML 2.500 # limit
tflags GOOG_STO_IMG_NOHTML publish
##} GOOG_STO_IMG_NOHTML
##{ GOOG_STO_NOIMG_HTML
meta GOOG_STO_NOIMG_HTML __GOOG_STO_NOIMG_HTML && !URI_GOOG_STO_SPAMMY
describe GOOG_STO_NOIMG_HTML Apparently using google content hosting to avoid URIBL
#score GOOG_STO_NOIMG_HTML 3.000 # limit
tflags GOOG_STO_NOIMG_HTML publish
##} GOOG_STO_NOIMG_HTML
##{ HAS_X_NO_RELAY
meta HAS_X_NO_RELAY __HAS_X_NO_RELAY && !__TO_EQ_FROM_1
describe HAS_X_NO_RELAY Has spammy header
#score HAS_X_NO_RELAY 2.500 # limit
tflags HAS_X_NO_RELAY publish
##} HAS_X_NO_RELAY
##{ HAS_X_OUTGOING_SPAM_STAT
meta HAS_X_OUTGOING_SPAM_STAT __HAS_X_OUTGOING_SPAM_STAT && !MAILING_LIST_MULTI && !__HAS_X_MAILMAN_VERSION && !__AUTOREPLY_ASU && !__THREAD_INDEX_GOOD && !__HAS_X_LOOP && !__DOC_ATTACH && !__PDF_ATTACH && !__FROM_EQ_ORG_1 && !__HAS_IN_REPLY_TO
describe HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - why trust the results?
#score HAS_X_OUTGOING_SPAM_STAT 2.000 # limit
tflags HAS_X_OUTGOING_SPAM_STAT publish
##} HAS_X_OUTGOING_SPAM_STAT
##{ HDRS_LCASE
describe HDRS_LCASE Odd capitalization of message header
#score HDRS_LCASE 0.10 # limit
##} HDRS_LCASE
##{ HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
endif
##} HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
##{ HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
endif
##} HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ HDRS_LCASE_IMGONLY
meta HDRS_LCASE_IMGONLY __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN
describe HDRS_LCASE_IMGONLY Odd capitalization of message headers + image-only HTML
#score HDRS_LCASE_IMGONLY 0.10 # limit
##} HDRS_LCASE_IMGONLY
##{ HDRS_MISSP
meta HDRS_MISSP __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY)
describe HDRS_MISSP Misspaced headers
#score HDRS_MISSP 2.500 # limit
tflags HDRS_MISSP publish
##} HDRS_MISSP
##{ HDR_ORDER_FTSDMCXX_001C
meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C)
describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant)
##} HDR_ORDER_FTSDMCXX_001C
##{ HDR_ORDER_FTSDMCXX_BAT
meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY)
describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant)
##} HDR_ORDER_FTSDMCXX_BAT
##{ HDR_ORDER_FTSDMCXX_DIRECT
meta HDR_ORDER_FTSDMCXX_DIRECT (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML
describe HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX
#score HDR_ORDER_FTSDMCXX_DIRECT 2.000 # limit
tflags HDR_ORDER_FTSDMCXX_DIRECT publish
##} HDR_ORDER_FTSDMCXX_DIRECT
##{ HDR_ORDER_FTSDMCXX_NORDNS
meta HDR_ORDER_FTSDMCXX_NORDNS (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED
describe HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS
#score HDR_ORDER_FTSDMCXX_NORDNS 3.500 # limit
tflags HDR_ORDER_FTSDMCXX_NORDNS publish
##} HDR_ORDER_FTSDMCXX_NORDNS
##{ HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999')
describe HEADER_COUNT_SUBJECT Multiple Subject headers found
endif
##} HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
##{ HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::HeaderEval
if (version >= 3.004000)
header HEADER_FROM_DIFFERENT_DOMAINS eval:check_equal_from_domains()
describe HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
# score HEADER_FROM_DIFFERENT_DOMAINS 0.25
tflags HEADER_FROM_DIFFERENT_DOMAINS publish
endif
endif
endif
##} HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
##{ HELO_FRIEND
header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i
##} HELO_FRIEND
##{ HELO_LH_LD
header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i
##} HELO_LH_LD
##{ HELO_LOCALHOST
header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i
##} HELO_LOCALHOST
##{ HELO_NO_DOMAIN
meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST
describe HELO_NO_DOMAIN Relay reports its domain incorrectly
tflags HELO_NO_DOMAIN publish
##} HELO_NO_DOMAIN
##{ HELO_OEM
header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
##} HELO_OEM
##{ HEXHASH_WORD
meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER
describe HEXHASH_WORD Multiple instances of word + hexadecimal hash
#score HEXHASH_WORD 3.000 # limit
tflags HEXHASH_WORD publish
##} HEXHASH_WORD
##{ HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader HK_CTE_RAW Content-Transfer-Encoding =~ /^raw$/
#score HK_CTE_RAW 2
tflags HK_CTE_RAW publish
endif
##} HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ HK_LOTTO
meta HK_LOTTO __HK_LOTTO_2 || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT
#score HK_LOTTO 1
##} HK_LOTTO
##{ HK_NAME_DRUGS
header HK_NAME_DRUGS From:name =~ /(viagra|\bcialis|cialis\b)/mi
describe HK_NAME_DRUGS From name contains drugs
#score HK_NAME_DRUGS 2
##} HK_NAME_DRUGS
##{ HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
if (version >= 3.004000)
meta HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM
# score HK_NAME_FM_MR_MRS 1.5
endif
endif
##} HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
if (version >= 3.004000)
meta HK_NAME_MR_MRS __HK_NAME_MR_MRS && !FREEMAIL_FROM
# score HK_NAME_MR_MRS 1.0
endif
endif
##} HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
##{ HK_RANDOM_ENVFROM
header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_ENVFROM Envelope sender username looks random
#score HK_RANDOM_ENVFROM 1
tflags HK_RANDOM_ENVFROM publish
##} HK_RANDOM_ENVFROM
##{ HK_RANDOM_FROM
header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_FROM From username looks random
#score HK_RANDOM_FROM 1
tflags HK_RANDOM_FROM publish
##} HK_RANDOM_FROM
##{ HK_RANDOM_REPLYTO
header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
describe HK_RANDOM_REPLYTO Reply-To username looks random
#score HK_RANDOM_REPLYTO 1
tflags HK_RANDOM_REPLYTO publish
##} HK_RANDOM_REPLYTO
##{ HK_RCVD_IP_MULTICAST
header HK_RCVD_IP_MULTICAST X-Spam-Relays-External =~ / ip=(?:22[4-9]|23[0-9])\./
#score HK_RCVD_IP_MULTICAST 2
tflags HK_RCVD_IP_MULTICAST publish
##} HK_RCVD_IP_MULTICAST
##{ HK_SCAM
meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || __HK_SCAM_N16 || __HK_SCAM_S1 || __HK_SCAM_S15 || __HK_SCAM_S25
#score HK_SCAM 2
tflags HK_SCAM publish
##} HK_SCAM
##{ HK_WIN
meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2)
#score HK_WIN 1
##} HK_WIN
##{ HOSTED_IMG_DIRECT_MX
meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS
#score HOSTED_IMG_DIRECT_MX 3.500 # limit
describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm, CDN or hosting site, message direct-to-mx
tflags HOSTED_IMG_DIRECT_MX publish
##} HOSTED_IMG_DIRECT_MX
##{ HOSTED_IMG_DQ_UNSUB
meta HOSTED_IMG_DQ_UNSUB __HOSTED_IMG_DQ_UNSUB
#score HOSTED_IMG_DQ_UNSUB 3.500 # limit
describe HOSTED_IMG_DQ_UNSUB Image hosted at large ecomm site, IP addr unsub link
tflags HOSTED_IMG_DQ_UNSUB publish
##} HOSTED_IMG_DQ_UNSUB
##{ HOSTED_IMG_FREEM
meta HOSTED_IMG_FREEM __HOSTED_IMG_FREEM && !__THREADED
#score HOSTED_IMG_FREEM 3.500 # limit
describe HOSTED_IMG_FREEM Image hosted at large ecomm, CDN or hosting site or redirected, freemail from or reply-to
tflags HOSTED_IMG_FREEM publish
##} HOSTED_IMG_FREEM
##{ HOSTED_IMG_MULTI
meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS
#score HOSTED_IMG_MULTI 3.000 # limit
describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirected
tflags HOSTED_IMG_MULTI publish
##} HOSTED_IMG_MULTI
##{ HOSTED_IMG_MULTI_PUB_01
meta HOSTED_IMG_MULTI_PUB_01 (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF
describe HOSTED_IMG_MULTI_PUB_01 Multiple hosted images at public site
#score HOSTED_IMG_MULTI_PUB_01 3.000 # limit
tflags HOSTED_IMG_MULTI_PUB_01 publish
##} HOSTED_IMG_MULTI_PUB_01
##{ HTML_ENTITY_ASCII
meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP
describe HTML_ENTITY_ASCII Obfuscated ASCII
#score HTML_ENTITY_ASCII 3.000 # limit
tflags HTML_ENTITY_ASCII publish
##} HTML_ENTITY_ASCII
##{ HTML_ENTITY_ASCII_TINY
meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_MINFP && __HTML_FONT_TINY_01
describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts
#score HTML_ENTITY_ASCII_TINY 3.000 # limit
tflags HTML_ENTITY_ASCII_TINY publish
##} HTML_ENTITY_ASCII_TINY
##{ HTML_FONT_TINY_NORDNS
meta HTML_FONT_TINY_NORDNS __HTML_FONT_TINY_01 && __RDNS_NONE
describe HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
#score HTML_FONT_TINY_NORDNS 1.500 # limit
##} HTML_FONT_TINY_NORDNS
##{ HTML_OFF_PAGE
meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS
describe HTML_OFF_PAGE HTML element rendered well off the displayed page
#score HTML_OFF_PAGE 3.000 # limit
tflags HTML_OFF_PAGE publish
##} HTML_OFF_PAGE
##{ HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU_MANY
describe HTML_SHRT_CMNT_OBFU_MANY Obfuscation with many short HTML comments
# score HTML_SHRT_CMNT_OBFU_MANY 2.500 # limit
tflags HTML_SHRT_CMNT_OBFU_MANY publish
endif
##} HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
##{ HTML_SINGLET_MANY
meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP
describe HTML_SINGLET_MANY Many single-letter HTML format blocks
#score HTML_SINGLET_MANY 2.500 # limit
tflags HTML_SINGLET_MANY publish
##} HTML_SINGLET_MANY
##{ HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval
ifplugin Mail::SpamAssassin::Plugin::HTMLEval
meta HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY
describe HTML_TAG_BALANCE_CENTER Malformatted HTML
endif
##} HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval
##{ HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID
describe HTML_TEXT_INVISIBLE_FONT HTML hidden text - word obfuscation?
# score HTML_TEXT_INVISIBLE_FONT 2.000 # limit
tflags HTML_TEXT_INVISIBLE_FONT publish
endif
##} HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
##{ HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX
describe HTML_TEXT_INVISIBLE_STYLE HTML hidden text + other spam signs
# score HTML_TEXT_INVISIBLE_STYLE 3.500 # limit
tflags HTML_TEXT_INVISIBLE_STYLE publish
endif
##} HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
##{ HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10')
endif
##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
##{ IMG_ONLY_FM_DOM_INFO
meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO
describe IMG_ONLY_FM_DOM_INFO HTML image-only message from .info domain
#score IMG_ONLY_FM_DOM_INFO 2.500 # limit
tflags IMG_ONLY_FM_DOM_INFO publish
##} IMG_ONLY_FM_DOM_INFO
##{ JH_SPAMMY_HEADERS
meta JH_SPAMMY_HEADERS __HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGID || __HAS_X_LETTER || __HAS_X_EBSERVER || __HAS_LIST_OPEN
describe JH_SPAMMY_HEADERS Has unusual message header(s) seen primarily in spam
#score JH_SPAMMY_HEADERS 3.500 # limit
tflags JH_SPAMMY_HEADERS publish
##} JH_SPAMMY_HEADERS
##{ JH_SPAMMY_PATTERN01
rawbody JH_SPAMMY_PATTERN01 m;.{0,200}]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200} tags embedded within text
tflags MANY_SPAN_IN_TEXT publish
##} MANY_SPAN_IN_TEXT
##{ MAY_BE_FORGED
meta MAY_BE_FORGED __MAY_BE_FORGED && !__NOT_SPOOFED && !__VIA_ML
describe MAY_BE_FORGED Relay IP's reverse DNS does not resolve to IP
##} MAY_BE_FORGED
##{ MID_DEGREES
header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
##} MID_DEGREES
##{ MILLION_HUNDRED
body MILLION_HUNDRED /Million\s+\S+\s+Hundred/i
describe MILLION_HUNDRED Million "One to Nine" Hundred
tflags MILLION_HUNDRED publish
##} MILLION_HUNDRED
##{ MILLION_USD
body MILLION_USD /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i
describe MILLION_USD Talks about millions of dollars
#score MILLION_USD 2
##} MILLION_USD
##{ MIMEOLE_DIRECT_TO_MX
meta MIMEOLE_DIRECT_TO_MX __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS
describe MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX
#score MIMEOLE_DIRECT_TO_MX 2.000 # limit
tflags MIMEOLE_DIRECT_TO_MX publish
##} MIMEOLE_DIRECT_TO_MX
##{ MIME_BOUND_EQ_REL
header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s
##} MIME_BOUND_EQ_REL
##{ MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta MIME_NO_TEXT __MIME_NO_TEXT && !__BOUNCE_CTYPE && !__CT_ENCRYPTED && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__USER_AGENT_APPLEMAIL && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__HS_SUBJ_RE_FW && !__PDF_ATTACH && !__LCL__KAM_BODY_LENGTH_LT_128
# score MIME_NO_TEXT 2.00 # limit
describe MIME_NO_TEXT No (properly identified) text body parts
tflags MIME_NO_TEXT publish
endif
##} MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta MIME_PHP_NO_TEXT (MIME_NO_TEXT && __PHP_MUA)
describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP
endif
##} MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ MIXED_AREA_CASE
meta MIXED_AREA_CASE __MIXED_AREA_CASE
describe MIXED_AREA_CASE Has area tag in mixed case
#score MIXED_AREA_CASE 2.500 # limit
tflags MIXED_AREA_CASE publish
##} MIXED_AREA_CASE
##{ MIXED_CENTER_CASE
meta MIXED_CENTER_CASE __MIXED_CENTER_CASE
describe MIXED_CENTER_CASE Has center tag in mixed case
#score MIXED_CENTER_CASE 2.500 # limit
tflags MIXED_CENTER_CASE publish
##} MIXED_CENTER_CASE
##{ MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta MIXED_ES ( ! HTML_IMAGE_ONLY_16 ) && ( __LOWER_E > 20 ) && ( __E_LIKE_LETTER > ( (__LOWER_E * 14 ) / 10) ) && ( __E_LIKE_LETTER < ( 10 * __LOWER_E ) )
describe MIXED_ES Too many es are not es
tflags MIXED_ES publish
# lang pl score MIXED_ES 0.01
# lang cz score MIXED_ES 0.01
# lang sk score MIXED_ES 0.01
# lang hr score MIXED_ES 0.01
# lang el score MIXED_ES 0.01
endif
endif
##} MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
##{ MIXED_FONT_CASE
meta MIXED_FONT_CASE __MIXED_FONT_CASE
describe MIXED_FONT_CASE Has font tag in mixed case
#score MIXED_FONT_CASE 2.500 # limit
tflags MIXED_FONT_CASE publish
##} MIXED_FONT_CASE
##{ MIXED_HREF_CASE
meta MIXED_HREF_CASE __MIXED_HREF_CASE_JH
describe MIXED_HREF_CASE Has href in mixed case
#score MIXED_HREF_CASE 2.000 # limit
tflags MIXED_HREF_CASE publish
##} MIXED_HREF_CASE
##{ MIXED_IMG_CASE
meta MIXED_IMG_CASE __MIXED_IMG_CASE_JH && !__MSGID_JAVAMAIL
describe MIXED_IMG_CASE Has img tag in mixed case
#score MIXED_IMG_CASE 3.000 # limit
tflags MIXED_IMG_CASE publish
##} MIXED_IMG_CASE
##{ MONERO_DEADLINE
meta MONERO_DEADLINE __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01
describe MONERO_DEADLINE Monero cryptocurrency with a deadline
#score MONERO_DEADLINE 3.000 # limit
tflags MONERO_DEADLINE publish
##} MONERO_DEADLINE
##{ MONERO_EXTORT_01
meta MONERO_EXTORT_01 __MONERO && __EXTORT_MANY
describe MONERO_EXTORT_01 Extortion spam, pay via Monero cryptocurrency
#score MONERO_EXTORT_01 5.000 # limit
tflags MONERO_EXTORT_01 publish
##} MONERO_EXTORT_01
##{ MONERO_MALWARE
meta MONERO_MALWARE __MONERO && __MY_MALWARE && !MONERO_EXTORT_01
describe MONERO_MALWARE Monero cryptocurrency + malware bragging
#score MONERO_MALWARE 3.500 # limit
tflags MONERO_MALWARE publish
##} MONERO_MALWARE
##{ MONERO_PAY_ME
meta MONERO_PAY_ME __MONERO && __PAY_ME && !MONERO_EXTORT_01
describe MONERO_PAY_ME Pay me via Monero cryptocurrency
#score MONERO_PAY_ME 3.000 # limit
tflags MONERO_PAY_ME publish
##} MONERO_PAY_ME
##{ MONEY_ATM_CARD
meta MONEY_ATM_CARD __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE
describe MONEY_ATM_CARD Lots of money on an ATM card
##} MONEY_ATM_CARD
##{ MONEY_FORM
meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP
describe MONEY_FORM Lots of money if you fill out a form
##} MONEY_FORM
##{ MONEY_FORM_SHORT
meta MONEY_FORM_SHORT __MONEY_FORM_SHORT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__THREADED && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__THREAD_INDEX_GOOD
describe MONEY_FORM_SHORT Lots of money if you fill out a short form
#score MONEY_FORM_SHORT 2.500 # limit
##} MONEY_FORM_SHORT
##{ MONEY_FRAUD_3
meta MONEY_FRAUD_3 (__MONEY_FRAUD_3 && !__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_3_NEW_MONEY) && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__IS_EXCH && !__VIA_ML && !__HAS_THREAD_INDEX && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__HTML_LINK_IMAGE && !__THREADED && !__DOS_BODY_THU && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
describe MONEY_FRAUD_3 Lots of money and several fraud phrases
tflags MONEY_FRAUD_3 publish
##} MONEY_FRAUD_3
##{ MONEY_FRAUD_5
meta MONEY_FRAUD_5 (__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_5_NEW_MONEY) && !__VIA_ML && !__HAS_THREAD_INDEX && !__COMMENT_EXISTS && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
describe MONEY_FRAUD_5 Lots of money and many fraud phrases
tflags MONEY_FRAUD_5 publish
##} MONEY_FRAUD_5
##{ MONEY_FRAUD_8
meta MONEY_FRAUD_8 __MONEY_FRAUD_8 && !__VIA_ML && !__HAS_THREAD_INDEX && !__BUGGED_IMG
describe MONEY_FRAUD_8 Lots of money and very many fraud phrases
tflags MONEY_FRAUD_8 publish
##} MONEY_FRAUD_8
##{ MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta MONEY_FREEMAIL_REPTO __MONEY_FREEMAIL_REPTO && !__HAS_CAMPAIGNID
describe MONEY_FREEMAIL_REPTO Lots of money from someone using free email?
# score MONEY_FREEMAIL_REPTO 3.000 # limit
tflags MONEY_FREEMAIL_REPTO publish
endif
##} MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ MONEY_FROM_41
meta MONEY_FROM_41 __MONEY_FROM_41
describe MONEY_FROM_41 Lots of money from Africa
#score MONEY_FROM_41 2.00 # limit
##} MONEY_FROM_41
##{ MONEY_FROM_MISSP
meta MONEY_FROM_MISSP LOTS_OF_MONEY && __FROM_MISSPACED && !__MIME_QP
describe MONEY_FROM_MISSP Lots of money and misspaced From
#score MONEY_FROM_MISSP 2.000 # limit
##} MONEY_FROM_MISSP
##{ MONEY_NOHTML
meta MONEY_NOHTML LOTS_OF_MONEY && __CT_TEXT_PLAIN
describe MONEY_NOHTML Lots of money in plain text
#score MONEY_NOHTML 2.500 # limit
##} MONEY_NOHTML
##{ MSGID_DOLLARS_URI_IMG
meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW
describe MSGID_DOLLARS_URI_IMG Suspicious Message-ID and image
#score MSGID_DOLLARS_URI_IMG 3.000 # limit
tflags MSGID_DOLLARS_URI_IMG publish
##} MSGID_DOLLARS_URI_IMG
##{ MSGID_HDR_MALF
meta MSGID_HDR_MALF __HAS_MESSAGEID
describe MSGID_HDR_MALF Has invalid message ID header
#score MSGID_HDR_MALF 3.500 # limit
tflags MSGID_HDR_MALF publish
##} MSGID_HDR_MALF
##{ MSGID_MULTIPLE_AT
header MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/
describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters
#score MSGID_MULTIPLE_AT 0.001
##} MSGID_MULTIPLE_AT
##{ MSGID_WSP_TRAIL
header MSGID_WSP_TRAIL Message-ID:raw =~ /< [^>]* \s > [^<>]* \z/xm
describe MSGID_WSP_TRAIL Trailing whitespace before '>' in Message-ID header
##} MSGID_WSP_TRAIL
##{ MSMAIL_PRI_ABNORMAL
meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER && !__HAS_UA && !__MSMAIL_PRI_HIGH
describe MSMAIL_PRI_ABNORMAL Email priority often abused
#score MSMAIL_PRI_ABNORMAL 1.500 # limit
##} MSMAIL_PRI_ABNORMAL
##{ MSM_PRIO_REPTO
meta MSM_PRIO_REPTO __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH
describe MSM_PRIO_REPTO MSMail priority header + Reply-to + short subject
#score MSM_PRIO_REPTO 2.500 # limit
tflags MSM_PRIO_REPTO publish
##} MSM_PRIO_REPTO
##{ MSOE_MID_WRONG_CASE
meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)
##} MSOE_MID_WRONG_CASE
##{ NAME_EMAIL_DIFF
meta NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL
describe NAME_EMAIL_DIFF Sender NAME is an unrelated email address
##} NAME_EMAIL_DIFF
##{ NA_DOLLARS
body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i
describe NA_DOLLARS Talks about a million North American dollars
#score NA_DOLLARS 1.5
##} NA_DOLLARS
##{ NEWEGG_IMG_NOT_RCVD_NEGG
meta NEWEGG_IMG_NOT_RCVD_NEGG __NEWEGG_IMG_NOT_RCVD_NEGG
#score NEWEGG_IMG_NOT_RCVD_NEGG 2.500 # limit
describe NEWEGG_IMG_NOT_RCVD_NEGG Newegg hosted image but message not from Newegg
tflags NEWEGG_IMG_NOT_RCVD_NEGG publish
##} NEWEGG_IMG_NOT_RCVD_NEGG
##{ NICE_REPLY_A
meta NICE_REPLY_A (__SUBJ_RE && !__MISSING_REPLY && !__MISSING_REF && __BOTH_INR_AND_REF)
describe NICE_REPLY_A Looks like a legit reply (A)
tflags NICE_REPLY_A nice
##} NICE_REPLY_A
##{ NOT_SPAM
body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i
describe NOT_SPAM I'm not spam! Really! I'm not, I'm not, I'm not!
tflags NOT_SPAM publish
##} NOT_SPAM
##{ NO_FM_NAME_IP_HOSTN
meta NO_FM_NAME_IP_HOSTN (__KHOP_NO_FULL_NAME && __IP_IN_RELAY) && !__DOS_RELAYED_EXT
describe NO_FM_NAME_IP_HOSTN No From name + hostname using IP address
#score NO_FM_NAME_IP_HOSTN 2.500 # limit
tflags NO_FM_NAME_IP_HOSTN publish
##} NO_FM_NAME_IP_HOSTN
##{ NSL_RCVD_FROM_USER
header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
describe NSL_RCVD_FROM_USER Received from User
##} NSL_RCVD_FROM_USER
##{ NSL_RCVD_HELO_USER
header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
describe NSL_RCVD_HELO_USER Received from HELO User
##} NSL_RCVD_HELO_USER
##{ NULL_IN_BODY
full NULL_IN_BODY /\x00/
describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message
##} NULL_IN_BODY
##{ NUMBEREND_LINKBAIT
meta NUMBEREND_LINKBAIT __NUMBEREND_TLD && __LCL__KAM_BODY_LENGTH_LT_1024 && __BODY_URI_ONLY
describe NUMBEREND_LINKBAIT Domain ends in a large number and very short body with link
#score NUMBEREND_LINKBAIT 1.0 # limit
##} NUMBEREND_LINKBAIT
##{ OBFU_BITCOIN
meta OBFU_BITCOIN __OBFU_BITCOIN
describe OBFU_BITCOIN Obfuscated BitCoin references
#score OBFU_BITCOIN 3.000 # limit
tflags OBFU_BITCOIN publish
##} OBFU_BITCOIN
##{ OBFU_JVSCR_ESC
rawbody OBFU_JVSCR_ESC /document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i
describe OBFU_JVSCR_ESC Injects content using obfuscated javascript
tflags OBFU_JVSCR_ESC publish
##} OBFU_JVSCR_ESC
##{ OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i
describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type
tflags OBFU_TEXT_ATTACH publish
endif
##} OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ OBFU_UNSUB_UL
meta OBFU_UNSUB_UL __OBFU_UNSUB_UL && !MAILING_LIST_MULTI
describe OBFU_UNSUB_UL Obfuscated unsubscribe text
tflags OBFU_UNSUB_UL publish
##} OBFU_UNSUB_UL
##{ ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta ODD_FREEM_REPTO __freemail_mailreplyto
describe ODD_FREEM_REPTO Has unusual reply-to header
# score ODD_FREEM_REPTO 3.000 # limit
tflags ODD_FREEM_REPTO publish
endif
##} ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
##{ OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA
describe OFFER_ONLY_AMERICA Offer only available to US
#score OFFER_ONLY_AMERICA 2.0 # limit
endif
endif
##} OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
##{ ONLINE_MKTG_CNSLT
body ONLINE_MKTG_CNSLT /\bonline marketing consultant\b/i
##} ONLINE_MKTG_CNSLT
##{ ORDER_TODAY
meta ORDER_TODAY __ORDER_TODAY && (__HTML_IMG_ONLY || __ALIBABA_IMG_NOT_RCVD_ALI || __TO_NO_BRKTS_NORDNS_HTML)
describe ORDER_TODAY Get your order in now!
#score ORDER_TODAY 2.500 # limit
##} ORDER_TODAY
##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F)
describe PART_CID_STOCK Has a spammy image attachment (by Content-ID)
endif
##} PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS)
describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific)
endif
##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ PDS_BTC_ID
meta PDS_BTC_ID __PDS_BTC_ID
describe PDS_BTC_ID FP reduced Bitcoin ID
#score PDS_BTC_ID 0.5
##} PDS_BTC_ID
##{ PDS_BTC_MSGID
meta PDS_BTC_MSGID __PDS_BTC_ID && __MSGID_NOFQDN2
describe PDS_BTC_MSGID Bitcoin ID with T_MSGID_NOFQDN2
#score PDS_BTC_MSGID 1.0
##} PDS_BTC_MSGID
##{ PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
meta PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD )
describe PDS_BTC_NTLD Bitcoin suspect NTLD
#score PDS_BTC_NTLD 2.0 # limit
endif
endif
##} PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
##{ PDS_DBL_URL_TNB_RUNON
meta PDS_DBL_URL_TNB_RUNON __TO_NO_BRKTS_FROM_RUNON && __PDS_DOUBLE_URL
describe PDS_DBL_URL_TNB_RUNON Double-url and To no arrows, from runon
#score PDS_DBL_URL_TNB_RUNON 2.0
##} PDS_DBL_URL_TNB_RUNON
##{ PDS_FRNOM_TODOM_DBL_URL
meta PDS_FRNOM_TODOM_DBL_URL PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL
describe PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL
#score PDS_FRNOM_TODOM_DBL_URL 1.5
##} PDS_FRNOM_TODOM_DBL_URL
##{ PDS_FRNOM_TODOM_NAKED_TO
meta PDS_FRNOM_TODOM_NAKED_TO __NAKED_TO && PDS_FROM_NAME_TO_DOMAIN
describe PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain
#score PDS_FRNOM_TODOM_NAKED_TO 1.5
##} PDS_FRNOM_TODOM_NAKED_TO
##{ PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta PDS_FROM_2_EMAILS_SHRTNER (__PDS_URISHORTENER || __URL_SHORTENER) && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY
describe PDS_FROM_2_EMAILS_SHRTNER From 2 emails short email with little more than a URI shortener
#score PDS_FROM_2_EMAILS_SHRTNER 1.5 # limit
endif
endif
##} PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
##{ PDS_FROM_NAME_TO_DOMAIN
meta PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN
#score PDS_FROM_NAME_TO_DOMAIN 2.0
describe PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain
##} PDS_FROM_NAME_TO_DOMAIN
##{ PDS_HELO_SPF_FAIL
meta PDS_HELO_SPF_FAIL SPF_HELO_FAIL && __HELO_HIGHPROFILE
describe PDS_HELO_SPF_FAIL High profile HELO that fails SPF
#score PDS_HELO_SPF_FAIL 2.0
tflags PDS_HELO_SPF_FAIL net
##} PDS_HELO_SPF_FAIL
##{ PDS_HP_HELO_NORDNS
meta PDS_HP_HELO_NORDNS RDNS_NONE && __HELO_HIGHPROFILE
describe PDS_HP_HELO_NORDNS High profile HELO with no sender rDNS
#score PDS_HP_HELO_NORDNS 1.0
##} PDS_HP_HELO_NORDNS
##{ PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD')
#score PDS_OTHER_BAD_TLD 2.0
describe PDS_OTHER_BAD_TLD Untrustworthy TLDs
endif
endif
##} PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
##{ PDS_PHPEXP_BOT
meta PDS_PHPEXP_BOT __SENDER_BOT && (__PDS_TONAME_EQ_TOLOCAL + __NAKED_TO >= 1) && (__PDS_PHP_EVAL2 + __PDS_PHP_EVAL1 + T_PDS_X_PHP_WP_EXP + __PDS_X_PHP_WELLKNOWN >= 1)
describe PDS_PHPEXP_BOT PHP exploit bot sender
#score PDS_PHPEXP_BOT 1.5
##} PDS_PHPEXP_BOT
##{ PDS_PHP_EVAL
meta PDS_PHP_EVAL __PDS_PHP_EVAL1
describe PDS_PHP_EVAL PHP header shows eval'd code
#score PDS_PHP_EVAL 1.5
##} PDS_PHP_EVAL
##{ PDS_RDNS_DYNAMIC_FP
meta PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC && !__PDS_RDNS_MTA
#score PDS_RDNS_DYNAMIC_FP 0.01
describe PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC with FP steps
##} PDS_RDNS_DYNAMIC_FP
##{ PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta PDS_SHORTFWD_URISHRT_FP (__PDS_URISHORTENER || __URL_SHORTENER) && __HS_SUBJ_RE_FW && __PDS_MSG_512
describe PDS_SHORTFWD_URISHRT_FP Apparently a short fwd/re with URI shortener
#score PDS_SHORTFWD_URISHRT_FP 1.5 # limit
endif
endif
##} PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
##{ PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta PDS_SHORTFWD_URISHRT_QP (__PDS_URISHORTENER || __URL_SHORTENER) && __HS_SUBJ_RE_FW && __T_PDS_MSG_512 && !PDS_SHORTFWD_URISHRT_FP
describe PDS_SHORTFWD_URISHRT_QP Apparently a short fwd/re with URI shortener
#score PDS_SHORTFWD_URISHRT_QP 1.5 # limit
endif
endif
##} PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
##{ PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004000)
meta PDS_TINYSUBJ_URISHRT (__PDS_URISHORTENER || __URL_SHORTENER) && __SUBJ_SHORT && __PDS_MSG_1024
describe PDS_TINYSUBJ_URISHRT Short subject with URL shortener
#score PDS_TINYSUBJ_URISHRT 1.5 # limit
endif
endif
##} PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
##{ PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
meta PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE FREEMAIL_FORGED_REPLYTO && __PDS_TONAME_EQ_TOLOCAL
describe PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE Forged replyto and __PDS_TONAME_EQ_TOLOCAL
#score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 2.0 # limit
##} PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
##{ PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
meta PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE __PDS_TONAME_EQ_TOLOCAL && __HDRS_LCASE
describe PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE To: name matches everything in local email - LCASE headers
#score PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE 2.0 # limit
##} PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
##{ PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
meta PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER
describe PDS_TO_EQ_FROM_NAME From: name same as To: address
endif
##} PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
meta PHISH_ATTACH (__PHISH_ATTACH_01_01 || __PHISH_ATTACH_01_02) && !__HAS_SENDER
describe PHISH_ATTACH Attachment filename suspicious, probable phishing
tflags PHISH_ATTACH publish
endif
##} PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
##{ PHISH_AZURE_CLOUDAPP
uri PHISH_AZURE_CLOUDAPP m;^https?://(?=[^/]+\.cloudapp\.azure\.com)(?:(?:b(?:illetedecalle\.northeurope|urofaxnotificado\.eastus)|comprobante(?:digital\.southcentralus|fiscale\.eastus)|infracciondeestacionamiento(?:\.eastus|s\.ukwest)|multa(?:detrafico\.eastus|prev\.eastus|s\.(?:eastus|southcentralus))|notificadosburofax\.eastus|penadetransitomulta\.eastus))\.cloudapp\.azure\.com/;i
describe PHISH_AZURE_CLOUDAPP Link to known phishing web application
#score PHISH_AZURE_CLOUDAPP 3.500
tflags PHISH_AZURE_CLOUDAPP publish
##} PHISH_AZURE_CLOUDAPP
##{ PHISH_FBASEAPP
meta PHISH_FBASEAPP __PHISH_FBASE_01
describe PHISH_FBASEAPP Probable phishing via hosted web app
#score PHISH_FBASEAPP 3.000 # limit
tflags PHISH_FBASEAPP publish
##} PHISH_FBASEAPP
##{ PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF
describe PHOTO_EDITING_DIRECT Image editing service, direct to MX
# score PHOTO_EDITING_DIRECT 3.000 # limit
endif
##} PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
##{ PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta PHOTO_EDITING_FREEM __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
describe PHOTO_EDITING_FREEM Image editing service, freemail or CHN replyto
# score PHOTO_EDITING_FREEM 3.750 # limit
endif
##} PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
##{ PHP_NOVER_MUA
describe PHP_NOVER_MUA Mail from PHP with no version number
#score PHP_NOVER_MUA 3.000 # limit
tflags PHP_NOVER_MUA publish
##} PHP_NOVER_MUA
##{ PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)
if !plugin(Mail::SpamAssassin::Plugin::DKIM)
meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
endif
##} PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)
##{ PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIM
meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
endif
##} PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM
##{ PHP_ORIG_SCRIPT
meta PHP_ORIG_SCRIPT __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO && !__MSGID_BEFORE_RECEIVED && !MSGID_FROM_MTA_HEADER
describe PHP_ORIG_SCRIPT Sent by bot & other signs
#score PHP_ORIG_SCRIPT 2.500 # limit
tflags PHP_ORIG_SCRIPT publish
##} PHP_ORIG_SCRIPT
##{ PHP_ORIG_SCRIPT_EVAL
meta PHP_ORIG_SCRIPT_EVAL __PHP_ORIG_SCRIPT_EVAL
describe PHP_ORIG_SCRIPT_EVAL From suspicious PHP source
#score PHP_ORIG_SCRIPT_EVAL 3.000 # limit
##} PHP_ORIG_SCRIPT_EVAL
##{ PHP_SCRIPT
meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT
describe PHP_SCRIPT Sent by PHP script
#score PHP_SCRIPT 2.500 # limit
tflags PHP_SCRIPT publish
##} PHP_SCRIPT
##{ PHP_SCRIPT_MUA
meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA
describe PHP_SCRIPT_MUA Sent by PHP script, no version number
#score PHP_SCRIPT_MUA 2.000 # limit
tflags PHP_SCRIPT_MUA publish
##} PHP_SCRIPT_MUA
##{ POSSIBLE_APPLE_PHISH_02
meta POSSIBLE_APPLE_PHISH_02 (__FROM_NAME_APPLECOM && !__HDR_RCVD_APPLE)
describe POSSIBLE_APPLE_PHISH_02 Claims to be from apple but not processed by any apple MTA
tflags POSSIBLE_APPLE_PHISH_02 publish
##} POSSIBLE_APPLE_PHISH_02
##{ POSSIBLE_EBAY_PHISH_02
meta POSSIBLE_EBAY_PHISH_02 (__FROM_NAME_EBAYCOM && !__HDR_RCVD_EBAY)
describe POSSIBLE_EBAY_PHISH_02 Claims to be from ebay but not processed by any ebay MTA
tflags POSSIBLE_EBAY_PHISH_02 publish
##} POSSIBLE_EBAY_PHISH_02
##{ POSSIBLE_PAYPAL_PHISH_01
meta POSSIBLE_PAYPAL_PHISH_01 (__FROM_NAME_PAYPALCOM && __NAME_EMAIL_DIFF)
describe POSSIBLE_PAYPAL_PHISH_01 Claims to be from paypal but has non-paypal from email address
tflags POSSIBLE_PAYPAL_PHISH_01 publish
##} POSSIBLE_PAYPAL_PHISH_01
##{ POSSIBLE_PAYPAL_PHISH_02
meta POSSIBLE_PAYPAL_PHISH_02 (__FROM_NAME_PAYPALCOM && !__HDR_RCVD_PAYPAL)
describe POSSIBLE_PAYPAL_PHISH_02 Claims to be from paypal but not processed by any paypal MTA
tflags POSSIBLE_PAYPAL_PHISH_02 publish
##} POSSIBLE_PAYPAL_PHISH_02
##{ PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
body PP_MIME_FAKE_ASCII_TEXT eval:check_for_ascii_text_illegal()
describe PP_MIME_FAKE_ASCII_TEXT MIME text/plain claims to be ASCII but isn't
# score PP_MIME_FAKE_ASCII_TEXT 1.0
tflags PP_MIME_FAKE_ASCII_TEXT publish
endif
endif
##} PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
##{ PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
body PP_TOO_MUCH_UNICODE02 eval:check_abundant_unicode_ratio(0.02)
describe PP_TOO_MUCH_UNICODE02 Is text/plain but has many unicode escapes
# score PP_TOO_MUCH_UNICODE02 0.5
tflags PP_TOO_MUCH_UNICODE02 publish
endif
endif
##} PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
##{ PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
ifplugin Mail::SpamAssassin::Plugin::MIMEEval
if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
body PP_TOO_MUCH_UNICODE05 eval:check_abundant_unicode_ratio(0.05)
describe PP_TOO_MUCH_UNICODE05 Is text/plain but has many unicode escapes
# score PP_TOO_MUCH_UNICODE05 1.0
tflags PP_TOO_MUCH_UNICODE05 publish
endif
endif
##} PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
##{ PUMPDUMP
meta PUMPDUMP (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI
describe PUMPDUMP Pump-and-dump stock scam phrase
#score PUMPDUMP 1.000 # limit
tflags PUMPDUMP publish
##} PUMPDUMP
##{ PUMPDUMP_MULTI
meta PUMPDUMP_MULTI (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
describe PUMPDUMP_MULTI Pump-and-dump stock scam phrases
#score PUMPDUMP_MULTI 3.500 # limit
tflags PUMPDUMP_MULTI publish
##} PUMPDUMP_MULTI
##{ PUMPDUMP_TIP
meta PUMPDUMP_TIP __PD_CNT_1 && __STOCK_TIP
describe PUMPDUMP_TIP Pump-and-dump stock tip
tflags PUMPDUMP_TIP publish
##} PUMPDUMP_TIP
##{ RAND_HEADER_LIST_SPOOF
meta RAND_HEADER_LIST_SPOOF __RAND_HEADER && __LIST_PARTIAL
describe RAND_HEADER_LIST_SPOOF Random gibberish message header(s) + pretending to be a mailing list
#score RAND_HEADER_LIST_SPOOF 3.000 # limit
tflags RAND_HEADER_LIST_SPOOF publish
##} RAND_HEADER_LIST_SPOOF
##{ RAND_HEADER_MANY
meta RAND_HEADER_MANY __RAND_HEADER_2
describe RAND_HEADER_MANY Multiple random gibberish message headers
#score RAND_HEADER_MANY 3.000 # limit
tflags RAND_HEADER_MANY publish
##} RAND_HEADER_MANY
##{ RAND_MKTG_HEADER
meta RAND_MKTG_HEADER __RAND_MKTG_HEADER && !__HAVE_BOUNCE_RELAYS && !__HAS_THREAD_INDEX && !__HAS_X_MAILING_LIST
describe RAND_MKTG_HEADER Has partially-randomized marketing/tracking header(s)
#score RAND_MKTG_HEADER 2.000 # limit
tflags RAND_MKTG_HEADER publish
##} RAND_MKTG_HEADER
##{ RATWARE_NO_RDNS
meta RATWARE_NO_RDNS __RATWARE_BOUND_A && __RDNS_NONE && __MIME_HTML && __MISSING_REF
describe RATWARE_NO_RDNS Suspicious MsgID and MIME boundary + no rDNS
#score RATWARE_NO_RDNS 3.000 # limit
##} RATWARE_NO_RDNS
##{ RCVD_BAD_ID
header RCVD_BAD_ID Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*<=>?\@\[\]^\`{|}~]|;\S)/
describe RCVD_BAD_ID Received header contains id field with bad characters
##} RCVD_BAD_ID
##{ RCVD_DBL_DQ
header RCVD_DBL_DQ Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/
describe RCVD_DBL_DQ Malformatted message header
tflags RCVD_DBL_DQ publish
##} RCVD_DBL_DQ
##{ RCVD_DOTEDU_SHORT
meta RCVD_DOTEDU_SHORT __RCVD_DOTEDU_SHORT && !ALL_TRUSTED && !__FS_SUBJ_RE && !__HAS_LIST_ID
describe RCVD_DOTEDU_SHORT Via .edu MTA + short message
#score RCVD_DOTEDU_SHORT 1.500 # limit
tflags RCVD_DOTEDU_SHORT publish
##} RCVD_DOTEDU_SHORT
##{ RCVD_DOTEDU_SUSP_URI
meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI
describe RCVD_DOTEDU_SUSP_URI Via .edu MTA + suspicious URI
#score RCVD_DOTEDU_SUSP_URI 3.000 # limit
tflags RCVD_DOTEDU_SUSP_URI publish
##} RCVD_DOTEDU_SUSP_URI
##{ RCVD_FORGED_WROTE
header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/
describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
##} RCVD_FORGED_WROTE
##{ RCVD_FORGED_WROTE2
header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
##} RCVD_FORGED_WROTE2
##{ RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DK eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.3')
describe RCVD_IN_IADB_DK IADB: Sender publishes Domain Keys record
tflags RCVD_IN_IADB_DK net nice
endif
##} RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.10')
describe RCVD_IN_IADB_DOPTIN IADB: All mailing list mail is confirmed opt-in
tflags RCVD_IN_IADB_DOPTIN net nice
endif
##} RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DOPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.9')
describe RCVD_IN_IADB_DOPTIN_GT50 IADB: Confirmed opt-in used more than 50% of the time
tflags RCVD_IN_IADB_DOPTIN_GT50 net nice
endif
##} RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_DOPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.8')
describe RCVD_IN_IADB_DOPTIN_LT50 IADB: Confirmed opt-in used less than 50% of the time
tflags RCVD_IN_IADB_DOPTIN_LT50 net nice
endif
##} RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_EDDB eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.1')
describe RCVD_IN_IADB_EDDB IADB: Participates in Email Deliverability Database
tflags RCVD_IN_IADB_EDDB net nice
endif
##} RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_EPIA eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.2')
describe RCVD_IN_IADB_EPIA IADB: Member of Email Processing Industry Alliance
tflags RCVD_IN_IADB_EPIA net nice
endif
##} RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_GOODMAIL eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.103')
describe RCVD_IN_IADB_GOODMAIL IADB: Sender has been certified by GoodMail
tflags RCVD_IN_IADB_GOODMAIL net nice
endif
##} RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_LISTED eval:check_rbl_sub('iadb-firsttrusted', '^127\.0\.0\.[12]$')
describe RCVD_IN_IADB_LISTED Participates in the IADB system
tflags RCVD_IN_IADB_LISTED net nice
endif
##} RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_LOOSE eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.4')
describe RCVD_IN_IADB_LOOSE IADB: Adds relationship addrs w/out opt-in
tflags RCVD_IN_IADB_LOOSE net nice
endif
##} RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_MI_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.1.10')
describe RCVD_IN_IADB_MI_CPEAR IADB: Complies with Michigan's CPEAR law
tflags RCVD_IN_IADB_MI_CPEAR net nice
endif
##} RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_MI_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.101.10')
describe RCVD_IN_IADB_MI_CPR_30 IADB: Checked lists against Michigan's CPR within 30 days
tflags RCVD_IN_IADB_MI_CPR_30 net nice
endif
##} RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_MI_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.201.10')
describe RCVD_IN_IADB_MI_CPR_MAT IADB: Sends no material under Michigan's CPR
tflags RCVD_IN_IADB_MI_CPR_MAT net nice
endif
##} RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_ML_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.100')
describe RCVD_IN_IADB_ML_DOPTIN IADB: Mailing list email only, confirmed opt-in
tflags RCVD_IN_IADB_ML_DOPTIN net nice
endif
##} RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_NOCONTROL eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.0')
describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing controls in place
tflags RCVD_IN_IADB_NOCONTROL net nice
endif
##} RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OOO eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.200')
describe RCVD_IN_IADB_OOO IADB: One-to-one/transactional email only
tflags RCVD_IN_IADB_OOO net nice
endif
##} RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.7')
describe RCVD_IN_IADB_OPTIN IADB: All mailing list mail is opt-in
tflags RCVD_IN_IADB_OPTIN net nice
endif
##} RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.6')
describe RCVD_IN_IADB_OPTIN_GT50 IADB: Opt-in used more than 50% of the time
tflags RCVD_IN_IADB_OPTIN_GT50 net nice
endif
##} RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.5')
describe RCVD_IN_IADB_OPTIN_LT50 IADB: Opt-in used less than 50% of the time
tflags RCVD_IN_IADB_OPTIN_LT50 net nice
endif
##} RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_OPTOUTONLY eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.1')
describe RCVD_IN_IADB_OPTOUTONLY IADB: Scrapes addresses, pure opt-out only
tflags RCVD_IN_IADB_OPTOUTONLY net nice
endif
##} RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_RDNS eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.4')
describe RCVD_IN_IADB_RDNS IADB: Sender has reverse DNS record
tflags RCVD_IN_IADB_RDNS net nice
endif
##} RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_SENDERID eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.2')
describe RCVD_IN_IADB_SENDERID IADB: Sender publishes Sender ID record
tflags RCVD_IN_IADB_SENDERID net nice
endif
##} RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_SPF eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.1')
describe RCVD_IN_IADB_SPF IADB: Sender publishes SPF record
tflags RCVD_IN_IADB_SPF net nice
endif
##} RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UNVERIFIED_1 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.2')
describe RCVD_IN_IADB_UNVERIFIED_1 IADB: Accepts unverified sign-ups
tflags RCVD_IN_IADB_UNVERIFIED_1 net nice
endif
##} RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UNVERIFIED_2 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.3')
describe RCVD_IN_IADB_UNVERIFIED_2 IADB: Accepts unverified sign-ups, gives chance to opt out
tflags RCVD_IN_IADB_UNVERIFIED_2 net nice
endif
##} RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UT_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.2.10')
describe RCVD_IN_IADB_UT_CPEAR IADB: Complies with Utah's CPEAR law
tflags RCVD_IN_IADB_UT_CPEAR net nice
endif
##} RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UT_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.102.10')
describe RCVD_IN_IADB_UT_CPR_30 IADB: Checked lists against Utah's CPR within 30 days
tflags RCVD_IN_IADB_UT_CPR_30 net nice
endif
##} RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_IADB_UT_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.202.10')
describe RCVD_IN_IADB_UT_CPR_MAT IADB: Sends no material under Utah's CPR
tflags RCVD_IN_IADB_UT_CPR_MAT net nice
endif
##} RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
##{ RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.')
describe RCVD_IN_PSBL Received via a relay in PSBL
tflags RCVD_IN_PSBL net
endif
##} RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
##{ RCVD_MAIL_COM
header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is
describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com)
##} RCVD_MAIL_COM
##{ RDNS_LOCALHOST
header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
describe RDNS_LOCALHOST Sender's public rDNS is "localhost"
##} RDNS_LOCALHOST
##{ RDNS_NUM_TLD_ATCHNX
meta RDNS_NUM_TLD_ATCHNX __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT
describe RDNS_NUM_TLD_ATCHNX Relay rDNS has numeric TLD + suspicious attachment
#score RDNS_NUM_TLD_ATCHNX 3.000 # limit
tflags RDNS_NUM_TLD_ATCHNX publish
##} RDNS_NUM_TLD_ATCHNX
##{ RDNS_NUM_TLD_XM
meta RDNS_NUM_TLD_XM __RDNS_NUMERIC_TLD && (__HAS_XM_SID || __HAS_XM_LID || __HAS_XM_RECPTID || __HAS_XM_SENTBY)
describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious headers
#score RDNS_NUM_TLD_XM 3.000 # limit
tflags RDNS_NUM_TLD_XM publish
##} RDNS_NUM_TLD_XM
##{ READY_TO_SHIP
body READY_TO_SHIP /(?:(?:in our (?:stock|warehouse|store)(?: today| now| right away)?[.,:]\s|our (?:\w+,? ){2,8}(?:is |now )+)Ready (?:to (?:be )?|for )+(?:ship|send|deliver)|ready (?:for shipping|to (?:ship|send)) (?:(?:in|from|by) our (?:warehouse|stock)|(?:to|for)(?: global(?:ly)?| worldwide| customers){2})|(?:(?:our|this|a|great|fine|wonderful|cool|popular) new product|we have(?: \w+){1,6} available|ready) in (?:our )?(?:warehouse|stock|store)|just arrived in our warehouse|we will (?:contact the (?:warehouse|logistics) to )?arrange (?:the )?(?:shipment|delivery)|a new (?:\w+ ){1,3}in our warehouse)/i
#score READY_TO_SHIP 1.250 # limit
##} READY_TO_SHIP
##{ REPLYTO_EMPTY
header REPLYTO_EMPTY Reply-To =~ /<>/
describe REPLYTO_EMPTY Reply-To undeliverable
##} REPLYTO_EMPTY
##{ REPLYTO_WITHOUT_TO_CC
meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS)
##} REPLYTO_WITHOUT_TO_CC
##{ REPTO_419_FRAUD
header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:speakers)\@012\.net\.il|(?:mail)\@101private\.com|(?:(?:alfredcheuk002|fbi_1234|longchii|mavis_wanczyk|qfdonation))\@126\.com|(?:(?:a(?:aronmichaels005|lfredcheuk_yuchow)|ehagler|google_promoaward0?|istarsolar|joeblp|microsoft(?:_office16|award01)|panyawein|wong(?:_shiu(?:09|2016)|shiu_ki)))\@163\.com|(?:(?:navas1|ray\-thomas7h))\@1email\.eu|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:(?:mr\.tonyelumelu|r(?:emittancedept001|ussia2018worldcuplotto5)))\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:info)\@aidakj\.com|(?:(?:a\.aktr|c(?:arlos\.adan|entralbank_malaysia2)|infovsa|maria\.louge|sarahjiwooali|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:adainis|jessikasingh|travisalex))\@aliyun\.com|(?:(?:director|info))\@anletco-jp\.com|(?:(?:deanie_ron|m(?:softgbcmanager|undo\.europe)|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:institutionaldepartment)\@aol\.nl|(?:deajohn)\@arubacloub\.com|(?:djohns)\@arubacloud\.com|(?:jeromecgb12)\@asia\.com|(?:bllphillips)\@att\.net|(?:garry\.quinlan)\@australiamail\.com|(?:(?:traoreahmed|zetiaziz))\@barid\.com|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:noreply\.fujvfes)\@bibliothequegaillard\.com|(?:costruire)\@bigmat\.it|(?:alerts\-noreply)\@bis\.org|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:executivedirector)\@box\.az|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:drbenardsani\.nnpc)\@bsgcpk\.com|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:rim43505)\@cantv\.net|(?:duncanttodd)\@centrum\.cz|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|fbipayment(?:50|600)|harunajim667|ralphwjohnson))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:dmalpasswb|re(?:covered\-tax|em(?:2018|alhashimi|hashimi2020))))\@daum\.net|(?:rex)\@departmentofsecretary\.com|(?:blythemasters)\@digitalassetholding\.org|(?:(?:diplomaticagent11|jentwistle90))\@diplomats\.com|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:(?:herrick01|rogersteare02))\@e1\.ru|(?:olga\.ingrif)\@ecb-securities\.com|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:no\-reply)\@economizar-na-web\.com\.br|(?:(?:denbrink|kathy_gerald1965|megaclaimcenter))\@email\.com|(?:johnkadiri)\@englandmail\.com|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|claimdpts|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:(?:jeferrey|yakuyaya77))\@financier\.com|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:notice)\@fnb\.co\.za|(?:info)\@fnconsultant\.biz|(?:(?:atmofficeauthoriza|captain\.lucasadam|e(?:golan2|u_payment)|gella1|k(?:aith\-angel|ossihpilip202)|pchwinningoffice1953|qatardonations16|smadartsadik|tepnherve00|worldauthorization))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:o(?:ctaviancm|rlando\.bloom))\@gmx\.co\.uk|(?:(?:a(?:hmet\.broker|lliance\.consultant)|f(?:aridaomar|er3nrod1512)|johnson\.douglas|kevin\-office|p\.hamedmoff|rosicboteruff|walter_anderson))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:joxford)\@gmx\.us|(?:ben\.malbon)\@googlefps\.co\.uk|(?:m\.johnson10012)\@googlemail\.com|(?:larrypage)\@gpa-team\.com|(?:ceo)\@gpromo-team\.com|(?:sundarpichai)\@gpromoteam\.com|(?:sundarpichai)\@gpromoteamuk\.com|(?:garreth\.webb)\@grossfitconsultancy\.biz|(?:irenegeorgiadou)\@hellenicbankcy\.com|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:williamsdavid_3r)\@hotmail\.co\.uk|(?:christgoldwilliams)\@hotmail\.fr|(?:douglasflint)\@hsbcbank\.group|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:victorwang67)\@imail\.com|(?:01)\@imf-org\.org|(?:chrisdodgshun)\@inbound\.plus|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:janetyellenoffice|off(?:er2021|iceme)))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:sgt\.dave)\@inmano\.com|(?:baankston)\@instruction\.com|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:wbuk0[13])\@katamail\.com|(?:(?:ditmereduart|europsenderscouriers|lewiscarl))\@keemail\.me|(?:mikiwilliams)\@knol-power\.nl|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:philiphampton)\@lec20\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:deqishanmedical1)\@localnet\.com|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:fanliangjen)\@mail\.china\.com|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|eddy_haryono|ghazal\-a|info\.federalreserve\.org|kateclough1|mriamchombo1968|nancyvee80|ren\.deqi212))\@mail\.com|(?:williamsdawson)\@mail\.com\.tr|(?:(?:ayishagddafio|david\.onyeoma\.74|hmtreasyru\.ng|sambo_dasuki))\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:brantwbishop)\@mailbox\.org|(?:epowerball)\@mailbox\.sk|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:rbi\-e)\@mit\.tc|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:paul\.chang)\@msn\.com|(?:enquiry)\@multiplysearch\.com|(?:cadpayout01)\@my\.com|(?:(?:contactmee|ministersoffinance))\@mynet\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:zenith)\@nmk\.ugu\.pl|(?:maxedwards)\@octopusinvestment\.co\.uk|(?:lindsaytrembley)\@oimail\.com|(?:googleclaims111)\@one\.lt|(?:accountingdrg)\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:(?:castorock|infobiz2|jarramos|mrsalice09))\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:servicio\.correo)\@orange\.fr|(?:turkish\-air)\@outlook\.com\.tr|(?:(?:ahmed3khan|dpt_transferunionwestern|mr\.onyeadams|rohitjain0))\@outlook\.fr|(?:m\.khan1)\@outlook\.sa|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:info)\@phillipsmorgan\.co\.za|(?:wood)\@poczta\.onet\.eu|(?:m(?:aryjosen|boyaeth))\@post\.com|(?:united\.globeawardoffice)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:jamesmr\.monday)\@rocketmail\.com|(?:(?:g(?:loriacmackenzie001|mackenzie001)|monicatorres001|wanczykmavis101))\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:info)\@roycockrum\.org|(?:mrs\.rachel2013)\@safe-mail\.net|(?:vera)\@safrica\.com|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:peterddeng)\@secsuremailer\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:swat)\@sltdchambers\.com|(?:(?:dycheseaan|sean(?:dyyches|sdychh)))\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:contact\.hmrc\.gov\.uk)\@sudhisalooja\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:xiankailu)\@taiyaubank-hk\.com|(?:mhua)\@tbochk\.com|(?:veronicabright)\@terra\.com\.pe|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:zimcargoservicehelpdesks)\@tlen\.pl|(?:drew)\@ton\.net\.ru|(?:itpark01)\@tpg\.com\.au|(?:bobby\.william)\@tradent\.net|(?:info)\@treasury-departmentdc\.twomini\.com|(?:info)\@treasury-usa\.3eeweb\.com|(?:info)\@un-grant\.info|(?:(?:b(?:lueskyanimatedfilm|rown\.monica_l)|info\.(?:clev\.frb|imfamerica)|policyaddmin\.file))\@usa\.com|(?:bmuczdh)\@virgilio\.it|(?:itgiix)\@visa\.com|(?:vankoning)\@volny\.cz|(?:holt1231)\@w\.cn|(?:infos)\@walmart\.com|(?:daydreamin)\@wanadoo\.fr|(?:(?:foreignoperationmanager|mr\.(?:ikokuoya|olicadams)))\@web\.cg|(?:weboffice05)\@web\.de|(?:b(?:\-calebfirm2007|oriscaleb121))\@webmail\.co\.za|(?:(?:frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:grahamjoneschambers)\@wildblue\.net|(?:e\.shaw)\@wilmagroup\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:stephaniehans\.euromillionlottery)\@yahoo\.be|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|bobwatson92|fundyawa2014|j(?:effwilliam207|oe_modisen)|lloydsbanksb|owengreen70|rebeccajoe98|samue95))\@yahoo\.co\.uk|(?:(?:changgordon(?:61|946)|lordsmartin|revlarrutycoker2015|thomaspeter227|zhu\.shumin))\@yahoo\.com\.hk|(?:imf_office_agent)\@yahoo\.com\.my|(?:(?:dr\.pauljames110|jessicp1))\@yahoo\.com\.sg|(?:boa2cb)\@yahoo\.com\.vn|(?:(?:contactus88\-00|jflangvm5nshyazyo7si6jfuqah6jsldw2kw6c2t|lmj82717|m(?:r\.angelabenjamin|srangelabne32)))\@yahoo\.es|(?:(?:charlinebebe22|fortinsandrine|rita_will001))\@yahoo\.fr|(?:maktoum\.shasher)\@yahoo\.pt|(?:ukdebtmanagement5)\@yahool\.com|(?:dr\.amelia\.george1)\@yandex\.ru|(?:jayanderson)\@yccaifuu\.com|(?:(?:alfred_cheuk_chow|friedrich_mayrh1|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|feliciamagi|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:(?:asiafoundationorg\.hr|jefflindsay))\@zoho\.com|(?:laprimitivaes)\@zohomail\.eu)$/i
describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD 3.000
tflags REPTO_419_FRAUD publish
##} REPTO_419_FRAUD
##{ REPTO_419_FRAUD_AOL
header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:\.dordevicii|aromartins|f\.2[06]|ljaber111|meliageorge|n(?:d(?:_bley|rew_hans)|ttilimarim)|rthur\.alan)|b(?:aanidleewy|claimdept|rownchurchill2)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|ristinabruno38|ustom_service58)|d(?:avid(?:\.kms|opatry)|hodgkins001|ianwaynie|onald_anderson44)|e(?:ng(?:joej|r\.abdulla)|ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|i(?:sarobinson5\.0|zcarroll101)|orrainewirangee)|m(?:_l\.wanczyk62|aviswanczyk[do]|rs(?:isabelladzsesszika|safiagaddafi))|no(?:rmapatto|tification\.notification)|p(?:a(?:tricia(?:\.hans|hans)|ulpollard2)|eterwong345|otfolio\.management)|r(?:achel_wat2|oyalpalace2018)|s(?:afiiagadafi|gt\.gillianj200|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|w(?:attson\.renwick|ebank244|issam\.haddad|u\.xiabk)|yurdaaytarkan5|zeti\.aziz))\@aol\.com$/i
describe REPTO_419_FRAUD_AOL Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_AOL 3.000
tflags REPTO_419_FRAUD_AOL publish
##} REPTO_419_FRAUD_AOL
##{ REPTO_419_FRAUD_AOL_LOOSE
meta REPTO_419_FRAUD_AOL_LOOSE __REPTO_419_FRAUD_AOL_LOOSE && !REPTO_419_FRAUD_AOL
describe REPTO_419_FRAUD_AOL_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_AOL_LOOSE 1.000
tflags REPTO_419_FRAUD_AOL_LOOSE publish
##} REPTO_419_FRAUD_AOL_LOOSE
##{ REPTO_419_FRAUD_CNS
header REPTO_419_FRAUD_CNS Reply-To:addr =~ /^(?=[^\s<>@]+\@consultant\.com)(?:(?:anthonyalvarad|davidhenri|legacylawfirmdakar|m(?:iguel\-pinto|orrisherb)|owenschamber|santiagosegur|t(?:eo\.westin|he\.trustees1?|rustees202000)|westernunion1659))\@consultant\.com$/i
describe REPTO_419_FRAUD_CNS Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_CNS 3.000
tflags REPTO_419_FRAUD_CNS publish
##} REPTO_419_FRAUD_CNS
##{ REPTO_419_FRAUD_GM
header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|41speedlinkdelivery|7912richardtony|a(?:b(?:d97412345|u(?:lkareem461|shadi0004))|c(?:aalzz11|count\.optionsmr\.jonasarmstrong|e(?:alss11|cere001))|d(?:esilgon77|iallo\.boa)|erofilxeport|gent\.laryedwad|isha(?:1976algaddafi|gaddafiaam)|jaminamo|l(?:\.jo60691737|a(?:n\.austin(?:041|223)|scramac)|ber\.yang222|ex(?:ander(?:daisy911|peterson4499)|hoffman3319|smithznn)|ghafrij13|hajarb|lenholden121|nizmaria|ure\.wawrenka1472)|m(?:b\.w\.stuart\.symington|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|tasomda))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|itaminarnguessan|n(?:a(?:choihkkic|llee091|sigurlaug458)|jenijohnsonn)|t(?:honyalvaradollc|o(?:meuenio|niopaco20consultant)))|r(?:adka01|chibaldhamble|thur11alan)|s(?:h(?:0611jnag|westwood7)|ianbae1010|sistance7agent)|t(?:m(?:mastercard41|office929)|tohlawoffice\.tg)|w1614860|yevayawovi190|zi(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50)))|b(?:a(?:lla250abc|nk(?:centralasiahalobca34|ingcentralng)|ochang7a|r(?:bersmadar75|r(?:\.(?:charles(?:1954|office)|martinrichard)|ister(?:\.fidelisokafor|lordruben94)|ubenjames)|teld\.huisman01))|bongo593|c0996013|e(?:linekra1|n(?:ezero392|jaminsarah195))|i(?:anigercash|ll(?:\.lawrence0747|fhome))|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:a(?:ndy\.heavenscenttt|volpaul55)|endalaporte112|ianmoynih00)|uff(?:ettwarrene21|ookj))|c(?:a(?:ixaseguros9810001|mluba2017|r(?:eisu98|l(?:os\.s\.helux|thomos)|twrighttownhomesllc))|bnatm847|claimsa|e(?:li(?:cerez|neroullier(?:200|nm))|ntraltrustlltd)|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:esluenga01|tonnewmanus1)))|e(?:mchung1011|nchung1011)|i(?:enk(?:raymond|wongp)|mwiakim))|iticonsultantjohncg0|kruger00017|l(?:a(?:im(?:adviser11|officeadm)|xtonpaul00)|s79408)|o(?:l(?:\.(?:ahmedmarani|fakhrialsalabi(?:01)?|hmedismari)|abdullahassi|edavid77032|husseinharmuchc(?:cj|j)|inchrisweir50|mohmanairf|o(?:mbasjuan53|nelsaad00))|mpensationcommitteboard|n(?:sult(?:ancy64|matthias|sto\.u)|tact(?:\.kolason|ad00[04]))|operation612)|pt\.eugenebarash|r(?:a(?:bbechambers|wfordgillies1)|ist(?:bru(?:05|n05)|i1537bru))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|iel(?:35508109|zulu11)|nydan24532)|v(?:i(?:d(?:\.loanfirm18|ibe718|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98)|ychan1970))|c(?:layconsult|ole77032)|e(?:btm123|n(?:iwalts|nis(?:clark659|quaid888))|partmentofstate(?:123|321)|tlefeckhardd)|hill27676|i(?:ane\.s\.wojcicki|gitalassetholding|p(?:francis1|lomat(?:\.john\.clerke|sshenry)))|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.(?:meirh|wilsonpaul02)|abodid|davidrhama221|j(?:amesdee|oesimon77)|kennedyuzo|meier\.heidi?|o(?:vieogor1|wenfrederick))|u(?:a1155a|nsilva58|stinmoskovitz\.2facebook)|v\.metus)|e(?:benezero392|christina937|d(?:runity|winfreeman22)|fcc\.financial\.dept|l(?:i(?:bethgomez(?:175|499)|sabethmaria600|zabethedw0)|otocashoffice1?)|m(?:2keld|ailpostlink09|efiele(?:328|g757)|ilyrichmond391)|r(?:enakgeorge123|ioncarter\.private)|ssexlss1|vgpatmow)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49(?:666|966)|k49666)|j569282|l(?:556249|aurentdz40|uhmann\.dn)|mb\.agent|o(?:ropunionbank|undations\.west)|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|isca(?:mendoza960|samendoza))|k(?:j(?:ane984|wangg)|laurarivera)))|bbankny\.gov|e(?:derick\.colemanesq|elottosweepstake51))|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|rielkalia1102)|r(?:ethbull112016|yakinson121))|bill4880|e(?:n(?:\.ahmedmsksi|eral(?:abdulrazak|williamstony990))|orgekwame481|r(?:aldjhjh11|tjanvlieghe787))|g780904|i(?:idp955|lbert12oook)|kwasiiwusu1\.persona|l(?:enmoore0011|oriachow5052)|o(?:glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219)|vgodwinemefiele111)|r(?:ace(?:jackmanwoods|obia001)|e(?:ant311|energeoffrey776))|veraallen)|h(?:a(?:r(?:old\.dia1100|ryebert101|twellbdaniel)|s(?:h(?:imyreem78|mireem801)|sanalshujairy))|e(?:a(?:dofficecentre0210|therbrooeke101)|cto(?:alon|r(?:castillos653|scastillo6))|lpdesk47321)|gold8080|heba\.hhassan207|i(?:ldad837|toshurui)|klee\.mike|o(?:lsemeyerole6|nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|trryt34|uichmh)|i(?:1955smael|amannjejosonn|bed627|n(?:fo(?:\.(?:abogadosmfontana|g00gleclaim|questiondesk|ulmusau)|64240|98cbnoffice7|a(?:prl06|sminternationalpk)|dessk\.dfwairportonline|fdrserve)|gridrolle2|t(?:ernationallppp1|linvestorsfirm))|smailtarkan533|terryoffice)|j(?:35809121|a(?:6002932|888179|cobmaseon5995|m(?:alpriv8un|es(?:husmansdesk2240|okoh82))|nusensecureprivate|sonyeungchiwai|vierlesme001)|b5406424|c2222222rrr|e(?:ff(?:deandk2|erydean1960)|nniannjhsonn|ssikasingh4)|imyang977|k3311131|mpowellfr|o(?:e(?:dward023|kendal540|lmodisen)|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|tanko214|uba234|walterlove2010)|monkzza|n(?:esandassociates68|monkssa)|s(?:ephacevedo024|ianeangenor)|y(?:ce00011|mrskone5))|rawlings007|s4fernado|uliet\.le(?:222|e2222)|w6935997)|k(?:a(?:lstromjames3|malnizar000|rabo\.ramala39|t(?:ebaronbarr|hilittman7|jamess043|rinaziako56))|e(?:lsawamelia55|n(?:mck(?:ay1980|enziejr)|nedy\.sawadogo19))|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|rnkl1109|un(?:gwei7777|ioue28)|wasiowusug)|l(?:a(?:r(?:ateambo|rytoms200)|ursent892|wrencefoundation30)|blackshirepm|e(?:ndfair\.co\.uk1|rynne(?:0west99|west2289))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|li(?:ane\.bettencourt1945|ianchrstph)|n(?:elink008|glung104)|xiung(?:l48|9))|john6132|o(?:g(?:anntomas|eengen)|rrainewirengee|ttyoffice1|u(?:ghreymargaret67|isdreyfusmargarita5))|p319765|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ck(?:enzbezos|oliver324)|incare655|jor(?:dennishornbeck53|townsend01)|k(?:altschmidt|toumsheikhhasher)|n(?:duesq58|fran630|uelfranco(?:727|foundation0))|r(?:cusdembialomr|i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|nacoleman84|opabl26)|k(?:roth456|uses200)|y(?:franson56|jify00aaz01))|s(?:onmanny05|pencer5151)|t(?:hewriaanza|twilly3)|u(?:noveutileina|rhinck11?)|viswanczyk(?:1(?:19|987)|4(?:89|5)|775|foundation45|k112|zz)|xaajn|ydetratt)|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|engeoffrey|l(?:lagolan|vidabullock5)|nnss01)|gfrederick80|husameddine|i(?:c(?:he(?:alwuu002|lintagro)|paulla|w954)|k(?:edawson1960s|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|nfin\.gv|ss(?:\.melisa\.mehmett|boteogottai|yaelronen))|jminabii|k(?:ent7117|untjoro52)|lbriggs08860|m(?:1086771|argaritalouisdreyfus)|nmalarge|o(?:ham(?:edabdul1717|madraqab00)|rienkal30)|r(?:\.(?:justinmaxwell09|lusee|wlsonkabore)|7672900|cjames001|d517341|ericfranck|fabianchukwu|hanimuhammad627|jamesmc6|martine80|paulfrank01|r(?:echardthomas|ichardanthony1)|s(?:\.(?:biyufungchi16|janetolsen?|olsenjanett|patarkatsishvili|susanread12)|a(?:ishaalqadafi1976|ngela454)|g(?:ezeria|racewoods70)|h(?:amima60|ristinemadeleine)|j(?:ackman123|lleach)|maureens847|nicolefr1marios|r(?:obinsanders185|uthsmith9900)|s(?:arahbenjamin103|ophiac)|veraaellen)|tomcrist\.ca)|s(?:agent02|golaan4|smadar44)|twvvv|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter(?:2017|968))|obuyuki\.hirano128|tawdglobal)|o(?:\.peace004|3344nb|ffice(?:\.012123|rricherd876|windowterms)|hallkenneth1|liviemorgan4|marinyandeng|nufoundationclaims|pcwkdw|swald\.l(?:\.lewis|ewwis)|vieogor1)|p(?:\.compton101|a(?:storfrancesco1|trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018)|ymentofficer14)|brookk0|e(?:130304|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|h(?:\.cbnl|illip\.richead218)|i(?:eterstevens511|lz37754)|o(?:lloke|wellmrwilliam)|r(?:esleybathini1|o(?:1nvstream|cessing2013general))|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymond(?:aba200|damon15))|e(?:beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n2214)|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.(?:jamesabel1|mikedadax)|ernestcebi|frankjackson91))|i(?:ch(?:ard(?:lustig4u|w(?:ahl511|illis815))|lawandds)|tawilliams4141)|josh200000|o(?:berthanandez6655|naldmorris786|s(?:a\.gomes0044|e(?:kipkalya934|tam00)))|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ssiaworldcuppromo|thmporat1\"))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid7000)|nchoscozfifa|rfiafarfask7)|cottpeters7989|e(?:cretservicce[78]|rgeantrobertbrown1|ydouthiebaconsultant)|g\.offiice\.group|h(?:a(?:msiahmohamadyunusbnegara|nemissler2009)|e(?:ikhalmaktoum79|ry(?:\.gtl131|etr03))|inawatrathaksin93)|i(?:lverlakeconsultant|mlkheng5)|krause680|l5342743|o(?:fia\.adams201|u(?:rcingloggs|thwsltd))|peelman1972|rfredericodehernandez|sdt224|tephentam1(?:47|6)|u(?:iyang(?:\.boc|02)|leiman\.cbnn|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|w(?:eeneyjohnson384|islottnl))|t(?:a(?:mmy21gill|y(?:ebsouami0|lorcathy362))|davalvse|erryparkins11|h(?:ailandbankoffice01|e(?:ara\.choy2|bigbiglottowinning77|odorosloannis9|resawilliams7661?|smithfm124))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|c(?:hrist1995|rist(?:52|donation12|foundation99|world)))|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|ransfermoney21\.2|tkhan69s)|u(?:babankbjplc|dregwqr|kponguko|marukareem8|n(?:claimedfunds554|itednation(?:organization70|s(?:8182|councilrefunds)))|sdepartmentofjustice80)|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|d232633|i(?:elandherzog\.sw\.herad16|ge122|ll(?:clark2618|iamrobert3852|update123))|kfinancialservice|orldbankregionalmanageroffice|u(?:\.office212|mt722)|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974)|z(?:enithbankplconline98|kiaslan1963|minhong65)))\@gmail\.com$/i
describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_GM 3.000
tflags REPTO_419_FRAUD_GM publish
##} REPTO_419_FRAUD_GM
##{ REPTO_419_FRAUD_GM_LOOSE
meta REPTO_419_FRAUD_GM_LOOSE __REPTO_419_FRAUD_GM_LOOSE && !REPTO_419_FRAUD_GM
describe REPTO_419_FRAUD_GM_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_GM_LOOSE 1.000
tflags REPTO_419_FRAUD_GM_LOOSE publish
##} REPTO_419_FRAUD_GM_LOOSE
##{ REPTO_419_FRAUD_HM
header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|nikal01|zezul\.idrisazezulidris)|benarnault0|c(?:ecilekaramoko123|hoi21)|d(?:l13139|r\.dukanalycoulibaly)|egorbunova22|fanliangjen2|gen\.dmathokdiigwol|infos(?:43|8)|katabettencourt2018|l(?:\.b120k|e(?:a_edem|wisarm44)|imfu201677|ulihongm)|m(?:cliffmomah998|r(?:abrahambeniamfc|pedrohilldonations|s(?:\.roselinejac|elizabetmk|helenbgeorge|micheleallison2003)))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|p(?:atrickmullinfinaceservs|owen10001)|s(?:ajda\.andleeb|gthansencs|tephenbettinger|ulaimaninfante)|t(?:ashacap|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i
describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_HM 3.000
tflags REPTO_419_FRAUD_HM publish
##} REPTO_419_FRAUD_HM
##{ REPTO_419_FRAUD_OL
header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:a(?:23423|lexandermason)|brahamwilliamsonrpsltduk|l(?:bertchebe|exw113)|ndrew(?:_hai|gamble7)|utoresponds)|b(?:a(?:r(?:bayo_jacobs|claysplc2016)|sidris)|etty\.c_investment|illgfile203|riam8molefe)|c(?:bforeignremitdept|harlie\.j\.goodmand|o(?:l\.(?:airforce\.saadwarfali|warfalisaadairforce)|mpensationfunding))|d(?:eborahleeconsult|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020)|g(?:20compessdesk|eoffreynicolas\.esq|ilbertowosukk)|huyennvoha|j(?:ackson4steve|e(?:anedo1?|ssicameir30))|k(?:aujong|kkunited1)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|gbplc3|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|bryandavisuk44|jonah\.ot|mduku|s(?:\.coraluttah|_elizabeth20|michelleallison|roseallen)|vitaloadams)|spvt2020)|p(?:aul(?:\.walter120|blakey05)|hilcohen0012)|qanejmhffgg|r(?:c19691|ichardwahlfreegrant)|s(?:aaman10|gi2019|ilverlakeconsultantllc|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019|reff11)|unvanzyl_mrs|winuklotocash2018))\@outlook\.com$/i
describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_OL 3.000
tflags REPTO_419_FRAUD_OL publish
##} REPTO_419_FRAUD_OL
##{ REPTO_419_FRAUD_PM
header REPTO_419_FRAUD_PM Reply-To:addr =~ /^(?=[^\s<>@]+\@protonmail\.com)(?:(?:armstrong0244|berndkoch|davidmetus|euclaim|p(?:a(?:melagriffi|t\.nwankwo)|rotonydonation)|scottpeter012|v\.brianpierre|wraggsmk|yihsbltan|ziraatbankasi))\@protonmail\.com$/i
describe REPTO_419_FRAUD_PM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_PM 3.000
tflags REPTO_419_FRAUD_PM publish
##} REPTO_419_FRAUD_PM
##{ REPTO_419_FRAUD_QQ
header REPTO_419_FRAUD_QQ Reply-To:addr =~ /^(?=[^\s<>@]+\@qq\.com)(?:(?:1(?:731419584|821317384)|2(?:0(?:32508290|90641921)|3(?:72948239|89029403|97857528)|751232036)|3(?:323469072|523284224)|a(?:gent(?:markruben_fbi|promofficer)|kia\.j55)|claimoffice1|dennisonctrenton|l\.valiant|peterwong20177|s(?:abrinacrawford000|hu60w)|treasury_deptment0|wang_cjianlin))\@qq\.com$/i
describe REPTO_419_FRAUD_QQ Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_QQ 3.000
tflags REPTO_419_FRAUD_QQ publish
##} REPTO_419_FRAUD_QQ
##{ REPTO_419_FRAUD_YH
header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|gaaintl\-4g5ee\.w3|l(?:berts\.odia|esiakalina2006)|mbassador\.l|nn(?:awax48|hester\.usa4))|b(?:a(?:che\.delfine|nk\.phbng14|rr(?:\.thomasclark|ister\.(?:dennis11|marcus)|lawrencefubara39|william_davies))|en(?:jaminb34|nicholas22)|illlawrenceee|riceangela45)|c(?:\.(?:aroline90|coulibaly2)|a(?:binet_maitre_emmanuel_patris|mpbellwilliamms)|h(?:arlesscharf112|hoy\.t|im\.w|jackson65)|juan852|o(?:llins(?:mattew32|wayne84)|mpliment\.sseason|ntelamine)|ythiamiller\.un10)|d(?:hamilton9099|i(?:aanesoto190|plomaticagent180)|r(?:\.aminramli|_raymondfung|victorobaji))|e(?:dwarddawson|ricalbert24)|f(?:aizaadama2016|bicompensation_funds|ederal\.r73|id00180)|g(?:ov\.ukmessageboard|raham\.eddie2016|uesfilet1336523)|harry1vans|i(?:\.project33411|befranfgnfmf|nfo(?:111mail|bank1|money)|project32411)|j(?:\.edwards228|a(?:ckson\.davis915|ne(?:_ooparah|temoon150))|essica\.p_family|inping\.tw|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:elvinmark629|im(?:\.leang2018?|leang(?:575|90))|yle_grubbe)|l(?:e(?:a_edem13|ge331|hman(?:909|bila))|i(?:m_kaan|sarobinson_555|uhngbin)|y_cheapiseth(?:11|2019))|m(?:arie_avis12|d(?:\.ps|zsesszika672)|elissalewis(?:10001|4004)|iss\.zarryb|o(?:hammedaahil46|keye79)|r(?:kellyayi62|s(?:\.esthernicolas|isabella\.dzesszikan|themo))|s\.gracie_olakun|unny(?:\.sopheap207|_sopheap30))|n(?:adhowc|estordaniel2|orahuz1960)|o(?:fficial_franksylvester88|legkozyrev1|mranshaalan52)|p(?:a(?:ckerkelvin|yus123x)|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|i(?:chard\.w94|taadamsw10)|o(?:b(?:ertbailey2004|orts20)|se(?:mary\.3as|richard655)))|s(?:amthong4040|igurlauganna34|leo25|mith(?:\.dr|colin767)|opheap\.munny|pwalker101|sgt\.bethany|tevecox\.98)|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|u(?:butu16|kdebtmanagement5)|vanserge2001|will(?:clark0010|iamsimon(?:22|521))|xianglongdai60|zhaodonghk))\@yahoo\.com$/i
describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YH 3.000
tflags REPTO_419_FRAUD_YH publish
##} REPTO_419_FRAUD_YH
##{ REPTO_419_FRAUD_YH_LOOSE
meta REPTO_419_FRAUD_YH_LOOSE __REPTO_419_FRAUD_YH_LOOSE && !REPTO_419_FRAUD_YH
describe REPTO_419_FRAUD_YH_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YH_LOOSE 1.000
tflags REPTO_419_FRAUD_YH_LOOSE publish
##} REPTO_419_FRAUD_YH_LOOSE
##{ REPTO_419_FRAUD_YJ
header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73|n(?:gelinarichardson01|ita(?:kirkweeks45|usarpac)))|b(?:a(?:lmaa1115|rrevansthomas213)|ealife4god|gsblcagent|nchmclaw)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc|ssicajlavoie|velynjoshua56)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|ktbradley|oneygram100|rs_chen_00001)|nikbnson1|o(?:fficialinfoemail|livia_mabor)|pamgells|r(?:acheljude000|eplykasikorn|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i
describe REPTO_419_FRAUD_YJ Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YJ 3.000
tflags REPTO_419_FRAUD_YJ publish
##} REPTO_419_FRAUD_YJ
##{ REPTO_419_FRAUD_YN
header REPTO_419_FRAUD_YN Reply-To:addr =~ /^(?=[^\s<>@]+\@yandex\.com)(?:(?:a(?:lsharibi|m(?:andarandle|g3333txx101)|na\.mariposa|wesome\.mariacarmen)|b(?:ayemahama|igghandgrant|radely\.j)|clemlau|diezanimadueke|f(?:3dex\.courier|ed\.r3v|reedommarketinvestments|uzhongjun\.director)|g(?:\.anniversary(?:101)?|add4fi\.aisha)|hhalesbbanddd?|irenaa\.georgiadou|j(?:efrey(?:\-dean|\.dean11)|o(?:hnnicholsonjr|seph\-scott2k5)|uliet\.lee2222)|kenhamberlet|l(?:es20sc|otointernational\.elgordo)|m(?:a(?:hama\.baye|rcarmenguty)|fdpm|ohamed\.bennani|r(?:\-(?:jos\.martins|robert\-patrick\.patrick)|\.kongkea|akram\.elkerrami|spercy))|nokiahouse1[03]|olivia\.mabor|p(?:aragonloansinc|hilipfen778|ri(?:ncedarren0244|vatemail24)|ullmanrb)|rich(?:ard\.wahl|lawands)|skyeloanand\.financelimited|t(?:\.baloyi|an\.sung|omss\.smith|resor\.mambo)|w(?:b\.foundation|ill(?:1amsmarg1|iamsimon1960))|za\.dc2016))\@yandex\.com$/i
describe REPTO_419_FRAUD_YN Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YN 3.000
tflags REPTO_419_FRAUD_YN publish
##} REPTO_419_FRAUD_YN
##{ RISK_FREE
meta RISK_FREE __FRAUD_IOV && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__SUBSCRIPTION_INFO && !__HS_SUBJ_RE_FW && !__LCL__ENV_AND_HDR_FROM_MATCH
describe RISK_FREE No risk!
##} RISK_FREE
##{ SB_GIF_AND_NO_URIS
meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL)
##} SB_GIF_AND_NO_URIS
##{ SCC_NEWBIE_HASBEENS
describe SCC_NEWBIE_HASBEENS Abused gTLDs seen in spam from Google Apps.
header SCC_NEWBIE_HASBEENS X-Beenthere =~ /\.(today|online|monster)/
##} SCC_NEWBIE_HASBEENS
##{ SCRIPT_GIBBERISH
meta SCRIPT_GIBBERISH __SCRIPT_GIBBERISH && (__BODY_XHTML || !__SCRIPT_TAG_IN_BODY) && !__TAG_EXISTS_META
describe SCRIPT_GIBBERISH Nonsense in HTML