From 151f49fd24b7c74ac2850e47daecabe1a426e137 Mon Sep 17 00:00:00 2001 From: Stoiko Ivanov Date: Mon, 26 Feb 2024 21:36:42 +0100 Subject: [PATCH] update SpamAssassin signatures Signed-off-by: Stoiko Ivanov --- sa-updates/20_aux_tlds.cf | 207 +++--- sa-updates/20_fake_helo_tests.cf | 5 +- sa-updates/20_freemail_domains.cf | 4 +- sa-updates/20_head_tests.cf | 9 +- sa-updates/20_phrases.cf | 2 +- sa-updates/20_ratware.cf | 7 +- sa-updates/20_vbounce.cf | 6 +- sa-updates/25_replace.cf | 8 +- sa-updates/25_url_shortener.cf | 14 +- sa-updates/60_welcomelist_auth.cf | 6 +- sa-updates/72_active.cf | 1121 +++++++++++++++++++---------- sa-updates/72_scores.cf | 492 +++++++------ 12 files changed, 1146 insertions(+), 735 deletions(-) diff --git a/sa-updates/20_aux_tlds.cf b/sa-updates/20_aux_tlds.cf index 6cf7167..85100f5 100644 --- a/sa-updates/20_aux_tlds.cf +++ b/sa-updates/20_aux_tlds.cf @@ -56,7 +56,7 @@ endif # wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt -q -O - | grep -i '^xn--' | idn -u | tr '\n' ' ' | fold -w 80 -s | perl -pe 's/\s+$//; s/.*/util_rb_tld \L$_\n/' if can(Mail::SpamAssassin::Conf::feature_registryboundaries) -# Updated 2023-05-19 +# Updated 2023-11-17 util_rb_tld xn--11b4c3d xn--1ck2e1b xn--1qqw23a xn--2scrj9c xn--30rr7y xn--3bst00m util_rb_tld xn--3ds443g xn--3e0b707e xn--3hcrj9c xn--3pxu8k xn--42c2d9a xn--45br5cyl util_rb_tld xn--45brj9c xn--45q11c xn--4dbrk0ce xn--4gbrim xn--54b7fta0cc xn--55qw42g 
@@ -90,110 +90,108 @@ endif # For an up to date list of TLDs that can be pasted into this block, run this command: # wget https://data.iana.org/TLD/tlds-alpha-by-domain.txt -q -O - | tail -n+2 | grep -vi '^xn--' | tr '\n' ' ' | fold -w 80 -s | perl -pe 's/\s+$//; s/.*/util_rb_tld \L$_\n/' -# Updated 2023-05-19 -util_rb_tld aaa aarp abarth abb abbott abbvie abc able abogado abudhabi ac academy -util_rb_tld accenture accountant accountants aco actor ad ads adult ae aeg aero aetna af -util_rb_tld afl africa ag agakhan agency ai aig airbus airforce airtel akdn al alfaromeo -util_rb_tld alibaba alipay allfinanz allstate ally alsace alstom am amazon americanexpress -util_rb_tld americanfamily amex amfam amica amsterdam analytics android anquan anz ao aol -util_rb_tld apartments app apple aq aquarelle ar arab aramco archi army arpa art arte as -util_rb_tld asda asia associates at athleta attorney au auction audi audible audio auspost -util_rb_tld author auto autos avianca aw aws ax axa az azure ba baby baidu banamex -util_rb_tld bananarepublic band bank bar barcelona barclaycard barclays barefoot bargains -util_rb_tld baseball basketball bauhaus bayern bb bbc bbt bbva bcg bcn bd be beats beauty -util_rb_tld beer bentley berlin best bestbuy bet bf bg bh bharti bi bible bid bike bing -util_rb_tld bingo bio biz bj black blackfriday blockbuster blog bloomberg blue bm bms bmw -util_rb_tld bn bnpparibas bo boats boehringer bofa bom bond boo book booking bosch bostik +# Updated 2023-11-17 +util_rb_tld aaa aarp abb abbott abbvie abc able abogado abudhabi ac academy accenture +util_rb_tld accountant accountants aco actor ad ads adult ae aeg aero aetna af afl africa +util_rb_tld ag agakhan agency ai aig airbus airforce airtel akdn al alibaba alipay +util_rb_tld allfinanz allstate ally alsace alstom am amazon americanexpress americanfamily +util_rb_tld amex amfam amica amsterdam analytics android anquan anz ao aol apartments app +util_rb_tld apple aq aquarelle ar arab aramco archi 
army arpa art arte as asda asia +util_rb_tld associates at athleta attorney au auction audi audible audio auspost author +util_rb_tld auto autos avianca aw aws ax axa az azure ba baby baidu banamex bananarepublic +util_rb_tld band bank bar barcelona barclaycard barclays barefoot bargains baseball +util_rb_tld basketball bauhaus bayern bb bbc bbt bbva bcg bcn bd be beats beauty beer +util_rb_tld bentley berlin best bestbuy bet bf bg bh bharti bi bible bid bike bing bingo +util_rb_tld bio biz bj black blackfriday blockbuster blog bloomberg blue bm bms bmw bn +util_rb_tld bnpparibas bo boats boehringer bofa bom bond boo book booking bosch bostik util_rb_tld boston bot boutique box br bradesco bridgestone broadway broker brother util_rb_tld brussels bs bt build builders business buy buzz bv bw by bz bzh ca cab cafe cal util_rb_tld call calvinklein cam camera camp canon capetown capital capitalone car caravan util_rb_tld cards care career careers cars casa case cash casino cat catering catholic cba -util_rb_tld cbn cbre cbs cc cd center ceo cern cf cfa cfd cg ch chanel channel charity -util_rb_tld chase chat cheap chintai christmas chrome church ci cipriani circle cisco -util_rb_tld citadel citi citic city cityeats ck cl claims cleaning click clinic clinique -util_rb_tld clothing cloud club clubmed cm cn co coach codes coffee college cologne com -util_rb_tld comcast commbank community company compare computer comsec condos construction -util_rb_tld consulting contact contractors cooking cookingchannel cool coop corsica country -util_rb_tld coupon coupons courses cpa cr credit creditcard creditunion cricket crown crs -util_rb_tld cruise cruises cu cuisinella cv cw cx cy cymru cyou cz dabur dad dance data -util_rb_tld date dating datsun day dclk dds de deal dealer deals degree delivery dell -util_rb_tld deloitte delta democrat dental dentist desi design dev dhl diamonds diet -util_rb_tld digital direct directory discount discover dish diy dj dk dm dnp do docs doctor 
-util_rb_tld dog domains dot download drive dtv dubai dunlop dupont durban dvag dvr dz earth -util_rb_tld eat ec eco edeka edu education ee eg email emerck energy engineer engineering -util_rb_tld enterprises epson equipment er ericsson erni es esq estate et etisalat eu -util_rb_tld eurovision eus events exchange expert exposed express extraspace fage fail -util_rb_tld fairwinds faith family fan fans farm farmers fashion fast fedex feedback -util_rb_tld ferrari ferrero fi fiat fidelity fido film final finance financial fire -util_rb_tld firestone firmdale fish fishing fit fitness fj fk flickr flights flir florist -util_rb_tld flowers fly fm fo foo food foodnetwork football ford forex forsale forum -util_rb_tld foundation fox fr free fresenius frl frogans frontdoor frontier ftr fujitsu fun -util_rb_tld fund furniture futbol fyi ga gal gallery gallo gallup game games gap garden gay -util_rb_tld gb gbiz gd gdn ge gea gent genting george gf gg ggee gh gi gift gifts gives -util_rb_tld giving gl glass gle global globo gm gmail gmbh gmo gmx gn godaddy gold -util_rb_tld goldpoint golf goo goodyear goog google gop got gov gp gq gr grainger graphics -util_rb_tld gratis green gripe grocery group gs gt gu guardian gucci guge guide guitars -util_rb_tld guru gw gy hair hamburg hangout haus hbo hdfc hdfcbank health healthcare help -util_rb_tld helsinki here hermes hgtv hiphop hisamitsu hitachi hiv hk hkt hm hn hockey -util_rb_tld holdings holiday homedepot homegoods homes homesense honda horse hospital host -util_rb_tld hosting hot hoteles hotels hotmail house how hr hsbc ht hu hughes hyatt hyundai -util_rb_tld ibm icbc ice icu id ie ieee ifm ikano il im imamat imdb immo immobilien in inc -util_rb_tld industries infiniti info ing ink institute insurance insure int international -util_rb_tld intuit investments io ipiranga iq ir irish is ismaili ist istanbul it itau itv -util_rb_tld jaguar java jcb je jeep jetzt jewelry jio jll jm jmp jnj jo jobs joburg jot joy -util_rb_tld jp 
jpmorgan jprs juegos juniper kaufen kddi ke kerryhotels kerrylogistics -util_rb_tld kerryproperties kfh kg kh ki kia kids kim kinder kindle kitchen kiwi km kn -util_rb_tld koeln komatsu kosher kp kpmg kpn kr krd kred kuokgroup kw ky kyoto kz la -util_rb_tld lacaixa lamborghini lamer lancaster lancia land landrover lanxess lasalle lat -util_rb_tld latino latrobe law lawyer lb lc lds lease leclerc lefrak legal lego lexus lgbt -util_rb_tld li lidl life lifeinsurance lifestyle lighting like lilly limited limo lincoln -util_rb_tld link lipsy live living lk llc llp loan loans locker locus lol london lotte -util_rb_tld lotto love lpl lplfinancial lr ls lt ltd ltda lu lundbeck luxe luxury lv ly ma -util_rb_tld madrid maif maison makeup man management mango map market marketing markets -util_rb_tld marriott marshalls maserati mattel mba mc mckinsey md me med media meet +util_rb_tld cbn cbre cc cd center ceo cern cf cfa cfd cg ch chanel channel charity chase +util_rb_tld chat cheap chintai christmas chrome church ci cipriani circle cisco citadel +util_rb_tld citi citic city ck cl claims cleaning click clinic clinique clothing cloud club +util_rb_tld clubmed cm cn co coach codes coffee college cologne com comcast commbank +util_rb_tld community company compare computer comsec condos construction consulting +util_rb_tld contact contractors cooking cool coop corsica country coupon coupons courses +util_rb_tld cpa cr credit creditcard creditunion cricket crown crs cruise cruises cu +util_rb_tld cuisinella cv cw cx cy cymru cyou cz dabur dad dance data date dating datsun +util_rb_tld day dclk dds de deal dealer deals degree delivery dell deloitte delta democrat +util_rb_tld dental dentist desi design dev dhl diamonds diet digital direct directory +util_rb_tld discount discover dish diy dj dk dm dnp do docs doctor dog domains dot download +util_rb_tld drive dtv dubai dunlop dupont durban dvag dvr dz earth eat ec eco edeka edu +util_rb_tld education ee eg email emerck energy 
engineer engineering enterprises epson +util_rb_tld equipment er ericsson erni es esq estate et etisalat eu eurovision eus events +util_rb_tld exchange expert exposed express extraspace fage fail fairwinds faith family fan +util_rb_tld fans farm farmers fashion fast fedex feedback ferrari ferrero fi fidelity fido +util_rb_tld film final finance financial fire firestone firmdale fish fishing fit fitness +util_rb_tld fj fk flickr flights flir florist flowers fly fm fo foo food football ford +util_rb_tld forex forsale forum foundation fox fr free fresenius frl frogans frontier ftr +util_rb_tld fujitsu fun fund furniture futbol fyi ga gal gallery gallo gallup game games +util_rb_tld gap garden gay gb gbiz gd gdn ge gea gent genting george gf gg ggee gh gi gift +util_rb_tld gifts gives giving gl glass gle global globo gm gmail gmbh gmo gmx gn godaddy +util_rb_tld gold goldpoint golf goo goodyear goog google gop got gov gp gq gr grainger +util_rb_tld graphics gratis green gripe grocery group gs gt gu guardian gucci guge guide +util_rb_tld guitars guru gw gy hair hamburg hangout haus hbo hdfc hdfcbank health +util_rb_tld healthcare help helsinki here hermes hiphop hisamitsu hitachi hiv hk hkt hm hn +util_rb_tld hockey holdings holiday homedepot homegoods homes homesense honda horse +util_rb_tld hospital host hosting hot hotels hotmail house how hr hsbc ht hu hughes hyatt +util_rb_tld hyundai ibm icbc ice icu id ie ieee ifm ikano il im imamat imdb immo immobilien +util_rb_tld in inc industries infiniti info ing ink institute insurance insure int +util_rb_tld international intuit investments io ipiranga iq ir irish is ismaili ist +util_rb_tld istanbul it itau itv jaguar java jcb je jeep jetzt jewelry jio jll jm jmp jnj +util_rb_tld jo jobs joburg jot joy jp jpmorgan jprs juegos juniper kaufen kddi ke +util_rb_tld kerryhotels kerrylogistics kerryproperties kfh kg kh ki kia kids kim kindle +util_rb_tld kitchen kiwi km kn koeln komatsu kosher kp kpmg kpn kr krd kred kuokgroup 
kw ky +util_rb_tld kyoto kz la lacaixa lamborghini lamer lancaster land landrover lanxess lasalle +util_rb_tld lat latino latrobe law lawyer lb lc lds lease leclerc lefrak legal lego lexus +util_rb_tld lgbt li lidl life lifeinsurance lifestyle lighting like lilly limited limo +util_rb_tld lincoln link lipsy live living lk llc llp loan loans locker locus lol london +util_rb_tld lotte lotto love lpl lplfinancial lr ls lt ltd ltda lu lundbeck luxe luxury lv +util_rb_tld ly ma madrid maif maison makeup man management mango map market marketing +util_rb_tld markets marriott marshalls mattel mba mc mckinsey md me med media meet util_rb_tld melbourne meme memorial men menu merckmsd mg mh miami microsoft mil mini mint util_rb_tld mit mitsubishi mk ml mlb mls mm mma mn mo mobi mobile moda moe moi mom monash util_rb_tld money monster mormon mortgage moscow moto motorcycles mov movie mp mq mr ms msd -util_rb_tld mt mtn mtr mu museum music mutual mv mw mx my mz na nab nagoya name natura navy -util_rb_tld nba nc ne nec net netbank netflix network neustar new news next nextdirect -util_rb_tld nexus nf nfl ng ngo nhk ni nico nike nikon ninja nissan nissay nl no nokia -util_rb_tld northwesternmutual norton now nowruz nowtv np nr nra nrw ntt nu nyc nz obi -util_rb_tld observer office okinawa olayan olayangroup oldnavy ollo om omega one ong onl -util_rb_tld online ooo open oracle orange org organic origins osaka otsuka ott ovh pa page -util_rb_tld panasonic paris pars partners parts party passagens pay pccw pe pet pf pfizer -util_rb_tld pg ph pharmacy phd philips phone photo photography photos physio pics pictet -util_rb_tld pictures pid pin ping pink pioneer pizza pk pl place play playstation plumbing -util_rb_tld plus pm pn pnc pohl poker politie porn post pr pramerica praxi press prime pro -util_rb_tld prod productions prof progressive promo properties property protection pru -util_rb_tld prudential ps pt pub pw pwc py qa qpon quebec quest racing radio re read -util_rb_tld 
realestate realtor realty recipes red redstone redumbrella rehab reise reisen -util_rb_tld reit reliance ren rent rentals repair report republican rest restaurant review -util_rb_tld reviews rexroth rich richardli ricoh ril rio rip ro rocher rocks rodeo rogers -util_rb_tld room rs rsvp ru rugby ruhr run rw rwe ryukyu sa saarland safe safety sakura -util_rb_tld sale salon samsclub samsung sandvik sandvikcoromant sanofi sap sarl sas save -util_rb_tld saxo sb sbi sbs sc sca scb schaeffler schmidt scholarships school schule -util_rb_tld schwarz science scot sd se search seat secure security seek select sener -util_rb_tld services seven sew sex sexy sfr sg sh shangrila sharp shaw shell shia shiksha -util_rb_tld shoes shop shopping shouji show showtime si silk sina singles site sj sk ski -util_rb_tld skin sky skype sl sling sm smart smile sn sncf so soccer social softbank -util_rb_tld software sohu solar solutions song sony soy spa space sport spot sr srl ss st -util_rb_tld stada staples star statebank statefarm stc stcgroup stockholm storage store -util_rb_tld stream studio study style su sucks supplies supply support surf surgery suzuki -util_rb_tld sv swatch swiss sx sy sydney systems sz tab taipei talk taobao target -util_rb_tld tatamotors tatar tattoo tax taxi tc tci td tdk team tech technology tel temasek -util_rb_tld tennis teva tf tg th thd theater theatre tiaa tickets tienda tiffany tips tires -util_rb_tld tirol tj tjmaxx tjx tk tkmaxx tl tm tmall tn to today tokyo tools top toray -util_rb_tld toshiba total tours town toyota toys tr trade trading training travel -util_rb_tld travelchannel travelers travelersinsurance trust trv tt tube tui tunes tushu tv -util_rb_tld tvs tw tz ua ubank ubs ug uk unicom university uno uol ups us uy uz va -util_rb_tld vacations vana vanguard vc ve vegas ventures verisign versicherung vet vg vi -util_rb_tld viajes video vig viking villas vin vip virgin visa vision viva vivo vlaanderen -util_rb_tld vn vodka volkswagen volvo vote 
voting voto voyage vu vuelos wales walmart -util_rb_tld walter wang wanggou watch watches weather weatherchannel webcam weber website -util_rb_tld wed wedding weibo weir wf whoswho wien wiki williamhill win windows wine -util_rb_tld winners wme wolterskluwer woodside work works world wow ws wtc wtf xbox xerox -util_rb_tld xfinity xihuan xin xxx xyz yachts yahoo yamaxun yandex ye yodobashi yoga -util_rb_tld yokohama you youtube yt yun za zappos zara zero zip zm zone zuerich zw +util_rb_tld mt mtn mtr mu museum music mv mw mx my mz na nab nagoya name natura navy nba nc +util_rb_tld ne nec net netbank netflix network neustar new news next nextdirect nexus nf +util_rb_tld nfl ng ngo nhk ni nico nike nikon ninja nissan nissay nl no nokia norton now +util_rb_tld nowruz nowtv np nr nra nrw ntt nu nyc nz obi observer office okinawa olayan +util_rb_tld olayangroup oldnavy ollo om omega one ong onl online ooo open oracle orange org +util_rb_tld organic origins osaka otsuka ott ovh pa page panasonic paris pars partners +util_rb_tld parts party pay pccw pe pet pf pfizer pg ph pharmacy phd philips phone photo +util_rb_tld photography photos physio pics pictet pictures pid pin ping pink pioneer pizza +util_rb_tld pk pl place play playstation plumbing plus pm pn pnc pohl poker politie porn +util_rb_tld post pr pramerica praxi press prime pro prod productions prof progressive promo +util_rb_tld properties property protection pru prudential ps pt pub pw pwc py qa qpon +util_rb_tld quebec quest racing radio re read realestate realtor realty recipes red +util_rb_tld redstone redumbrella rehab reise reisen reit reliance ren rent rentals repair +util_rb_tld report republican rest restaurant review reviews rexroth rich richardli ricoh +util_rb_tld ril rio rip ro rocks rodeo rogers room rs rsvp ru rugby ruhr run rw rwe ryukyu +util_rb_tld sa saarland safe safety sakura sale salon samsclub samsung sandvik +util_rb_tld sandvikcoromant sanofi sap sarl sas save saxo sb sbi sbs sc sca scb 
schaeffler +util_rb_tld schmidt scholarships school schule schwarz science scot sd se search seat +util_rb_tld secure security seek select sener services seven sew sex sexy sfr sg sh +util_rb_tld shangrila sharp shaw shell shia shiksha shoes shop shopping shouji show si silk +util_rb_tld sina singles site sj sk ski skin sky skype sl sling sm smart smile sn sncf so +util_rb_tld soccer social softbank software sohu solar solutions song sony soy spa space +util_rb_tld sport spot sr srl ss st stada staples star statebank statefarm stc stcgroup +util_rb_tld stockholm storage store stream studio study style su sucks supplies supply +util_rb_tld support surf surgery suzuki sv swatch swiss sx sy sydney systems sz tab taipei +util_rb_tld talk taobao target tatamotors tatar tattoo tax taxi tc tci td tdk team tech +util_rb_tld technology tel temasek tennis teva tf tg th thd theater theatre tiaa tickets +util_rb_tld tienda tips tires tirol tj tjmaxx tjx tk tkmaxx tl tm tmall tn to today tokyo +util_rb_tld tools top toray toshiba total tours town toyota toys tr trade trading training +util_rb_tld travel travelers travelersinsurance trust trv tt tube tui tunes tushu tv tvs tw +util_rb_tld tz ua ubank ubs ug uk unicom university uno uol ups us uy uz va vacations vana +util_rb_tld vanguard vc ve vegas ventures verisign versicherung vet vg vi viajes video vig +util_rb_tld viking villas vin vip virgin visa vision viva vivo vlaanderen vn vodka +util_rb_tld volkswagen volvo vote voting voto voyage vu wales walmart walter wang wanggou +util_rb_tld watch watches weather weatherchannel webcam weber website wed wedding weibo +util_rb_tld weir wf whoswho wien wiki williamhill win windows wine winners wme +util_rb_tld wolterskluwer woodside work works world wow ws wtc wtf xbox xerox xfinity +util_rb_tld xihuan xin xxx xyz yachts yahoo yamaxun yandex ye yodobashi yoga yokohama you +util_rb_tld youtube yt yun za zappos zara zero zip zm zone zuerich zw # # 2nd level TLD list 
@@ -495,9 +493,17 @@ util_rb_2tld weebly.com util_rb_2tld ifrance.com util_rb_2tld jimdo.com util_rb_2tld kimsufi.com +util_rb_2tld azerbaijan.su +util_rb_2tld east-kazakhstan.su +util_rb_2tld exnet.su +util_rb_2tld georgia.su +util_rb_2tld kalmykia.su +util_rb_2tld mail15.su util_rb_2tld mail333.su +util_rb_2tld mangyshlak.su +util_rb_2tld nov.su util_rb_2tld pisem.su -util_rb_2tld mail15.su +util_rb_2tld tashkent.su util_rb_2tld prserv.net util_rb_2tld angelfire.com util_rb_2tld 163.to @@ -638,6 +644,8 @@ util_rb_2tld tumblr.com util_rb_2tld fileave.com util_rb_2tld de.tl util_rb_2tld co.com +util_rb_2tld sendpul.se +util_rb_2tld amplifyapp.com # Dyndns.com util_rb_2tld dyndns-at-home.com util_rb_2tld dyndns-at-work.com @@ -740,6 +748,7 @@ util_rb_3tld no-ip.co.uk # util_rb_3tld mobile.web.tr util_rb_3tld ct.sendgrid.net +util_rb_3tld on.fleek.co endif diff --git a/sa-updates/20_fake_helo_tests.cf b/sa-updates/20_fake_helo_tests.cf index 21b732c..c2fdde8 100644 --- a/sa-updates/20_fake_helo_tests.cf +++ b/sa-updates/20_fake_helo_tests.cf @@ -40,8 +40,11 @@ header __HELO_STATIC_SENDGRID X-Spam-Relays-External =~ /^[^\]]+ helo=o\d{1,3}-\ # 50-203-126-142-static.hfc.comcastbusiness.net header __HELO_STATIC_COMCAST X-Spam-Relays-External =~ /^[^\]]+ helo=\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}-static\.hfc\.comcastbusiness\.net\s[^\]]+ auth= /i +# smtp-0f95944d4245d0b2c.core1.sfdc-58ktaz.mta.salesforce.com +header __HELO_STATIC_SALESFORCE X-Spam-Relays-External =~ /^[^\]]+ helo=smtp\-\w+\.core\d\.sfdc\-\w+\.mta\.salesforce\.com\s[^\]]+ auth= /i + describe HELO_STATIC_HOST Relay HELO'd using static hostname -meta HELO_STATIC_HOST (__HELO_STATIC_ROGERS || __HELO_STATIC_SENDGRID || __HELO_STATIC_COMCAST) +meta HELO_STATIC_HOST (__HELO_STATIC_ROGERS || __HELO_STATIC_SENDGRID || __HELO_STATIC_COMCAST || __HELO_STATIC_SALESFORCE) # --------------------------------------------------------------------------- 
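Review bot: `__HELO_STATIC_SALESFORCE` in the 20_fake_helo_tests.cf hunk matches only the `helo=` field of `X-Spam-Relays-External`, which is the name the connecting client announced, so any sender can present a HELO of this shape. The neighbouring Comcast pattern works the same way, but because the new term is OR-ed into `HELO_STATIC_HOST` it deserves a comment stating the limitation, e.g. `# matches the announced HELO only; rdns= is not checked, so this is not proof of origin`. If the rule is meant to vouch for Salesforce relays, requiring a matching `rdns=` in the same relay entry would be the stricter form. How `HELO_STATIC_HOST` is consumed by other rules is not visible in this hunk, so the practical impact is inferred.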
diff --git a/sa-updates/20_freemail_domains.cf b/sa-updates/20_freemail_domains.cf index c2cd98e..f3e554e 100644 --- a/sa-updates/20_freemail_domains.cf +++ b/sa-updates/20_freemail_domains.cf @@ -145,7 +145,7 @@ freemail_domains fedxmail.com feelings.com female.ru fepg.net ffanet.com fiberia freemail_domains filipinolinks.com financesource.com findmail.com freemail_domains fiscal.net flashmail.com flipcode.com florida.usa.com floridagators.com freemail_domains fmail.co.uk fmailbox.com fmgirl.com fmguy.com fnmail.com footballer.com foxmail.com -freemail_domains forfree.at forsythmissouri.org fortuncity.com forum.dk free.com.pe free.fr +freemail_domains forfree.at forsythmissouri.org fortuncity.com forum.dk free.com.pe free.fr *.free.hr freemail_domains free.net.nz freeaccess.nl freegates.be freeghana.com freehosting.nl freemail_domains freei.co.th freeler.nl freemail.* freemail.*.* freemail.globalsite.com.br freemail_domains freemuslim.net freenet.de freenet.kg freeola.net freepgs.com freesbee.fr @@ -387,7 +387,7 @@ freemail_domains yellow-jackets.com yellowstone.net yenimail.com yepmail.net yif freemail_domains ymail.com yopmail.com your-mail.com yours.com yourwap.com yyhmail.com z11.com z6.com freemail_domains zednet.co.uk zeeman.nl ziplip.com zipmail.com.br zipmax.com freemail_domains zmail.pt zmail.ru zona-andina.net zonai.com zoneview.net zonnet.nl -freemail_domains zoho.com zoomshare.com zoznam.sk zubee.com zuvio.com zwallet.com zworg.com +freemail_domains zoho.com zohomail.com zoomshare.com zoznam.sk zubee.com zuvio.com zwallet.com zworg.com freemail_domains zybermail.com zzn.com # chinese numbers diff --git a/sa-updates/20_head_tests.cf b/sa-updates/20_head_tests.cf index 909f7ee..e648823 100644 --- a/sa-updates/20_head_tests.cf +++ b/sa-updates/20_head_tests.cf 
@@ -63,13 +63,16 @@ header __PLING_QUERY Subject =~ /\?.*!|!.*\?/ meta PLING_QUERY (__PLING_QUERY && !__ISO_2022_JP_DELIM) describe PLING_QUERY Subject has exclamation mark and question mark +# A common spam idiosyncrasy +describe FROMSPACE Idiosyncratic "From" header format +header FROMSPACE From:raw =~ /^\s?\"\s/ header MSGID_SPAM_CAPS Message-ID =~ /^\s*/ +header MSGID_SPAM_LETTERS Message-Id =~ /<[a-z]{5,}\@(?:\S+\.)+\S+>/ describe MSGID_SPAM_LETTERS Spam tool Message-Id: (letters variant) @@ -421,11 +424,11 @@ header BAD_ENC_HEADER ALL:raw =~ /=\?[^?\s]+\?[^?\s]\?\s*[^?]+\s(?!\?=)/ describe BAD_ENC_HEADER Message has bad MIME encoding in the header -header __ML1 Precedence =~ m{\b(list|bulk)\b}i +header __ML1 Precedence =~ m{\b(?:list|bulk)\b}i meta __ML2 __HAS_LIST_ID header __ML3 exists:List-Post header __ML4 exists:Mailing-List -header __ML5 Return-Path:addr =~ m{^([^\@]+-(request|bounces|admin|owner)|owner-[^\@]+)(\@|\z)}i +header __ML5 Return-Path:addr =~ m{^(?:[^\@]+-(?:request|bounces|admin|owner)|owner-[^\@]+)(?:\@|\z)}i meta __VIA_ML __ML1 || __ML2 || __ML3 || __ML4 || __ML5 describe __VIA_ML Mail from a mailing list diff --git a/sa-updates/20_phrases.cf b/sa-updates/20_phrases.cf index cd439c3..c54189e 100644 --- a/sa-updates/20_phrases.cf +++ b/sa-updates/20_phrases.cf @@ -108,7 +108,7 @@ describe MONEY_BACK Money back guarantee body FREE_QUOTE_INSTANT /free.{0,12}(?:(?:instant|express|online|no.?obligation).{0,4})+.{0,32}\bquote/i describe FREE_QUOTE_INSTANT Free express or no-obligation quote -body BAD_CREDIT /\b((?:bad|poor|eliminate|repair|(?:re)?establish|damag).{0,10} (?:credit|debt)|no credit (?:check|histor|need))/i +body BAD_CREDIT /\b(?:(?:bad|poor|eliminate|repair|(?:re)?establish|damag).{0,10} (?:credit|debt)|no credit (?:check|histor|need))/i describe BAD_CREDIT Eliminate Bad Credit diff --git a/sa-updates/20_ratware.cf b/sa-updates/20_ratware.cf index b25cd70..464a1e5 100644 --- a/sa-updates/20_ratware.cf +++ b/sa-updates/20_ratware.cf 
@@ -63,7 +63,10 @@ header __HAS_XORIGMSGID X-Orig-Message-Id =~ /^<.+\@.+>$/m meta __GROUPSIO_GATED __GROUPSIO_MSGID && __HAS_XORIGMSGID -meta __UNUSABLE_MSGID (__LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID && __GROUPSIO_GATED) +#bz8202 +header __MCRSFT_MSGID MESSAGEID =~ /^<[[:alnum:]]{30,45}@[^>]*\.(outlook|exchangelabs).com>$/im + +meta __UNUSABLE_MSGID (__MCRSFT_MSGID || __LYRIS_EZLM_REMAILER || __GATED_THROUGH_RCVD_REMOVER || __WACKY_SENDMAIL_VERSION || __IPLANET_MESSAGING_SERVER || __HOTMAIL_BAYDAV_MSGID || __SYMPATICO_MSGID && __GROUPSIO_GATED) ## now on to the forgery rules @@ -270,7 +273,7 @@ describe X_MESSAGE_INFO Bulk email fingerprint (X-Message-Info) found # case-sensitive rule # only significant rules with no FPs, hit recently, on 2+ corpuses -header HEADER_SPAM ALL =~ /^(Alternate-Recipient|Antivirus|Approved|Delivery-Notification|Disclose-Recipients|Error-path|Language|Location|Mime-Subversion|Newsletter-ID|PID|Rot|UID|X-BounceTrace|X-CS-IP|X-Company-Address|X-Company-City|X-Company-Country|X-Company-State|X-Company-Zip|X-E(?:[Mm]ail)?|X-Encoding|X-Originating-Company|X-RMD-Text|X-SG4|X-SP-Track-ID|X-Webmail-Time|X-bounce-to):/m +header HEADER_SPAM ALL =~ /^(?:Alternate-Recipient|Antivirus|Approved|Delivery-Notification|Disclose-Recipients|Error-path|Language|Location|Mime-Subversion|Newsletter-ID|PID|Rot|UID|X-BounceTrace|X-CS-IP|X-Company-Address|X-Company-City|X-Company-Country|X-Company-State|X-Company-Zip|X-E(?:[Mm]ail)?|X-Encoding|X-Originating-Company|X-RMD-Text|X-SG4|X-SP-Track-ID|X-Webmail-Time|X-bounce-to):/m describe HEADER_SPAM Bulk email fingerprint (header-based) found header RATWARE_RCVD_PF Received =~ / \(Postfix\) with ESMTP id [^;]+\; \S+ \d+ \S+ \d+ \d+:\d+:\d+ \S+$/s diff --git a/sa-updates/20_vbounce.cf b/sa-updates/20_vbounce.cf index 3a1a39c..71127a5 100644 --- a/sa-updates/20_vbounce.cf 
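Review bot: In the new `__MCRSFT_MSGID` rule the dot before `com` is unescaped, so `.com` matches any character there and the pattern accepts Message-ID domains beyond the two intended ones. `__MCRSFT_MSGID` is OR-ed into `__UNUSABLE_MSGID` and the Message-ID is chosen by the sender, so a looser match widens whatever the forgery rules further down skip for "unusable" IDs (those rules lie outside this hunk, so the exact effect is inferred). I would tighten the tail to `\.(?:outlook|exchangelabs)\.com>$`, which also drops the capture group in line with the `(?:…)` conversions made elsewhere in this commit. Separately, the unparenthesised `__SYMPATICO_MSGID && __GROUPSIO_GATED` at the end of the meta is carried over unchanged. Since `&&` presumably binds tighter than `||` here, it is worth confirming that gating only the Sympatico term is intended.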
+++ b/sa-updates/20_vbounce.cf @@ -129,7 +129,7 @@ header __BOUNCE_INTERSCAN From =~ /\bInterscan MSS Notification\b/ body __BOUNCE_NO_RESEND /\bPlease do not resend your original message\./ -header __BOUNCE_AUTO_REPLY Subject =~ /\b(automatic reply|AutoReply)\b/ +header __BOUNCE_AUTO_REPLY Subject =~ /\b(?:automatic reply|AutoReply)\b/ meta BOUNCE_MESSAGE __HAVE_BOUNCE_RELAYS && !OOOBOUNCE_MESSAGE && !__MY_SERVERS_FOUND && !ALL_TRUSTED && !__NONBOUNCE_READ_RECEIPT && (__BOUNCE_FROM_DAEMON || (__BOUNCE_RPATH_NULL && !__BOUNCE_READ_NOTIFICATION) || __BOUNCE_RPATH_MD || __BOUNCE_AUTO_GENERATED || __BOUNCE_Y_AUTOGEN || __BOUNCE_SYMANTEC || __BOUNCE_X_ERR_STAT || __BOUNCE_RETURNED || __BOUNCE_MAILDELFAIL || __BOUNCE_MSGDELFAIL || __BOUNCE_ESMTP || __BOUNCE_NEVER_SEE || __BOUNCE_NONWORKING || __BOUNCE_UNDELIVERABLE || __BOUNCE_UNDELIVERABLE_ML || __BOUNCE_NOTDEL || __BOUNCE_CTYPE || __BOUNCE_DEL_FAIL || __BOUNCE_STAT_FAIL || __BOUNCE_ADDR_ERR || __BOUNCE_NO_VAL || __BOUNCE_DATA_FORMAT || __BOUNCE_COULD_NOT || __BOUNCE_UNDEL_MSG || __BOUNCE_RPATH_ERRMAIL || __BOUNCE_INTERSCAN || __BOUNCE_ETRUST || __BOUNCE_AUTO_RESPONSE || __BOUNCE_AUTO_RESPOND || __BOUNCE_NO_RESEND || __BOUNCE_NOTIF || __BOUNCE_RET_MAIL || __BOUNCE_DEL_FAIL || __BOUNCE_MAIL_DEL_FAIL || __BOUNCE_AUTO_REPLY) @@ -246,7 +246,7 @@ body __VBOUNCE_MAILSWEEP /MAILsweeper has found that a \S+ \S+ \S+ \S+ one or header __VBOUNCE_SCREENSAVER Subject =~ /\b(?:Re: ?)Wicked screensaver\b/i header __VBOUNCE_DISALLOWED Subject =~ /^Disallowed attachment type found/ header __VBOUNCE_FROMPT From =~ /Security.?Scan Anti.?Virus/ -header __VBOUNCE_WARNING Subject =~ /^Warning:\s*E-?mail virus(es)? detected/i +header __VBOUNCE_WARNING Subject =~ /^Warning:\s*E-?mail virus(?:es)? detected/i header __VBOUNCE_DETECTED Subject =~ /^Virus detected /i header __VBOUNCE_INTERSCAN Subject =~ /^Failed to clean virus\b/i header __VBOUNCE_VIOLATION Subject =~ /^Content violation/i 
@@ -273,7 +273,7 @@ header __VBOUNCE_RAV Subject =~ /^RAV Anti.?Virus scan results/ body __VBOUNCE_ATTACHMENT0 /(?:Attachment.{0,40}was Deleted|the infected attachment)/ # Bart says: it appears that _ATTACHMENT0 is an alternate for _NAV -- both match the same messages. -body __VBOUNCE_AVREPORT0 /(antivirus system report|the antivirus module has|illegal attachment|Unrepairable Virus Detected)/i +body __VBOUNCE_AVREPORT0 /(?:antivirus system report|the antivirus module has|illegal attachment|Unrepairable Virus Detected)/i header __VBOUNCE_SENDER Subject =~ /^Virus to sender/ body __VBOUNCE_MAILSWEEP2 /\bblocked by Mailsweeper\b/i diff --git a/sa-updates/25_replace.cf b/sa-updates/25_replace.cf index 734ee5b..5607c2a 100644 --- a/sa-updates/25_replace.cf +++ b/sa-updates/25_replace.cf 
@@ -27,13 +27,13 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -replace_tag A (?:[aA\@\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xe4\xe3\xe2\xe0\xe1\xe2\xe3\xe4\xe5\xe6]|[\xb6\xc1\xc4\xcb]|[\xc3][\x80\x81\x82\x83\x84\x85\xa0\xa1\xa2\xa3\xa4\xa5]|[\xc4][\x80\x81\x82\x83\x84\x85]|[\xce][\x86\x91\x94\x9b\xac\xb1]|[\xd0][\x90\xb0]|[\xd1][\xa6\xa7]|[\xd3][\x90\x91\x92\x93]|[\xe1](?:[\x8e][\xaa]|[\xb8][\x80\x81]|[\xba][\x9a\xa0-\xb7]|[\xbc][\x80-\x8f]|[\xbd][\xb0\xb1]|[\xbe][\x80-\x8f\xb0-\xbc])|[\xf0][\x9d](?:[\x90][\x80\x9a\xb4]|[\x91][\x8e\xa8]|[\x92][\x82\x9c\xb6]|[\x93][\x90\xaa]|[\x94][\xb8\x92]|[\x95][\x92]|[\x96][\xa0\xba]|[\x97][\x94\xae]|[\x98][\x88\xa2\xbc]|[\x99][\x96\xb0]|[\x9a][\x8a\xa8]|[\x9b][\x82\xa2\xbc]|[\x9c][\x9c\xb6]|[\x9d][\x96\xb0]|[\x9e][\x90\xaa])) +replace_tag A (?:[aA\@\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xe4\xe3\xe2\xe0\xe1\xe2\xe3\xe4\xe5\xe6]|[\xb6\xc1\xc4\xcb]|[\xc3][\x80\x81\x82\x83\x84\x85\xa0\xa1\xa2\xa3\xa4\xa5]|[\xc4][\x80\x81\x82\x83\x84\x85]|[\xc9][\x91]|[\xce][\x86\x91\x94\x9b\xac\xb1]|[\xd0][\x90\xb0]|[\xd1][\xa6\xa7]|[\xd3][\x90\x91\x92\x93]|[\xe1](?:[\x8e][\xaa]|[\xb8][\x80\x81]|[\xba][\x9a\xa0-\xb7]|[\xbc][\x80-\x8f]|[\xbd][\xb0\xb1]|[\xbe][\x80-\x8f\xb0-\xbc])|[\xf0][\x9d](?:[\x90][\x80\x9a\xb4]|[\x91][\x8e\xa8]|[\x92][\x82\x9c\xb6]|[\x93][\x90\xaa]|[\x94][\xb8\x92]|[\x95][\x92]|[\x96][\xa0\xba]|[\x97][\x94\xae]|[\x98][\x88\xa2\xbc]|[\x99][\x96\xb0]|[\x9a][\x8a\xa8]|[\x9b][\x82\xa2\xbc]|[\x9c][\x9c\xb6]|[\x9d][\x96\xb0]|[\x9e][\x90\xaa])) replace_tag B 
(?:[bB8\xc2\xe2]|[\xce][\x92\xb2]|[\xcf][\x90\xb8]|[\xc3][\x9f]|[\xc6][\x80\x81\x82\x83\x84\x85]|[\xce][\x92\xb2]|[\xcf][\x90]|[\xd0][\x91\x92\xac\xb1\xb2]|[\xd1][\x8a\x8c\xa2\xa3]|[\xd2][\x8c\x8d]|[\xe1](?:[\xb8][\x82-\x87]|[\xba][\x9e])|[\xf0][\x9d](?:[\x90][\x81\x9b\xb5]|[\x91][\x8f\xa9]|[\x92][\x83\x9d\xb7]|[\x93][\x91\xab]|[\x94][\x85\x9f\xb9]|[\x95][\x93\xad]|[\x96][\x87\xa1\xbb]|[\x97][\x95\xaf]|[\x98][\x89\xa3\xbd]|[\x99][\x97\xb1]|[\x9a][\x8b\xa9]|[\x9b][\x83\xa3\xbd]|[\x9c][\x9d\xb7]|[\x9d][\x97\xb1]|[\x9e][\x91\xab])) replace_tag C (?:[cCk\xc7\xe7\xf2@]|[\xc3][\x87\xa7]|[\xc4][\x86\x87\x88\x89\x8a\x8b\x8c\x8d]|[\xc6][\x87\x88]|[\xcf][\x82\x9a\x9b\xb2\xb9\xbe]|[\xd0][\xa1]|[\xd1][\x81]|[\xd2][\x80\x81\xaa\xab]|[\xd5][\x87]|&\#(?:1(?:0(?:10|17|2[123]|57|89)|1(?:52|53|94|95)|99)|2(?:31|6[2-9])|39[12]|x(?:3(?:f2|f9|fe)|4(?:21|41|80|81|aa|ab)));|[\xe1](?:[\xb8][\x88\x89])|[\xf0][\x9d](?:[\x90][\x82\x9c\xb6]|[\x91][\x90\xaa]|[\x92][\x84\x9e\xb8]|[\x93][\x92\xac]|[\x94][\x86\xa0\xba]|[\x95][\x94\xae]|[\x96][\x88\xa2\xbc]|[\x97][\x96\xb0]|[\x98][\x8a\xa4\xbe]|[\x99][\x98\xb2]|[\x9a][\x8c]|[\x9b][\x93]|[\x9c][\x8d]|[\x9d][\x87]|[\x9e][\x81])) replace_tag D (?:[dD\xd0]|[\xc3][\x90]|[\xc4][\x8e\x8f\x90\x91]|[\xc6][\x89\x8a]|[\xd4][\x80\x81]|[\xd5][\xaa]|[\xe1](?:[\xb8][\x8a-\x93])|[\xf0][\x9d](?:[\x90][\x83\x9d\xb7]|[\x91][\x91\xab]|[\x92][\x85\x9f\xb9]|[\x93][\x93\xad]|[\x94][\x87\xa1\xbb]|[\x95][\x95\xaf]|[\x96][\x89\xa3\xbd]|[\x97][\x97\xb1]|[\x98][\x8b\xa5\xbf]|[\x99][\x99\xb3]|[\x9a][\x8d])) -replace_tag E 
(?:[eE3\xb8\xc5\xd3\xdd\xe5\xee]|[\xc3][\x88\x89\x8a\x8b\xa8\xa9\xaa\xab]|[\xc4][\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b]|[\xc8][\x84\x85\x86\x87\xa8\xa9]|[\xce][\x88\x95\xa3\xad\xb5\xbe]|[\xcf][\xb5]|[\xd0][\x80\x81\x84\x95\xb5]|[\xd1][\x90\x91\x94\xb3]|[\xd2][\xbc\xbd\xbe\xbf]|[\xd3][\x96\x97\xa9\xab]|[\xd4][\x90\x91]|[\xc8\xc9\xca\xcb\xe8\xe9\xea\xeb\xa4]|&\#(?:1(?:0(?:13|2[458]|45|77)|108|2(?:1[2-5]|3[89]|9[67]))|2(?:0[0-3]|3[2-5]|7[4-9]|8[0-3])|400|51[6-9]|5[58][23]|603|9(?:04|17|[34]1|4[19]));|[\xe1](?:[\xb8][\x94-\x9d]|[\xba][\xb8-\xbf]|[\xbb][\x80-\x87]|[\xbc][\x90-\x9d]|[\xbd][\xb2\xb3]|[\xbf][\x88\x89])|[\xf0][\x9d](?:[\x90][\x84\x9e\xb8]|[\x91][\x92\xac]|[\x92][\x86\xa0\xba]|[\x93][\x94\xae]|[\x94][\xa2\xbc]|[\x95][\x96]|[\x96][\x8a\xa4\xbe]|[\x97][\x98\xb2]|[\x98][\x8c\xa6]|[\x99][\x80\x9a\xb4]|[\x9a][\x8e\xac\xba]|[\x9b][\x86\x9c\xa6\xb4]|[\x9c][\x80\x96\xa0\xae\xba]|[\x9d][\x90\x9a\xa8\xb4]|[\x9e][\x8a\x94\xa2\xae]|[\x9f][\x84])) +replace_tag E (?:[eE3\xb8\xc5\xd3\xdd\xe5\xee]|[\xc3][\x88\x89\x8a\x8b\xa8\xa9\xaa\xab]|[\xc4][\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\xbe]|[\xc8][\x84\x85\x86\x87\xa8\xa9]|[\xc9][\x87]|[\xce][\x88\x95\xa3\xad\xb5\xbe]|[\xcf][\xb5]|[\xd0][\x80\x81\x84\x95\xb5]|[\xd1][\x90\x91\x94\xb3]|[\xd2][\xbc\xbd\xbe\xbf]|[\xd3][\x96\x97\xa9\xab]|[\xd4][\x90\x91]|[\xc8\xc9\xca\xcb\xe8\xe9\xea\xeb\xa4]|&\#(?:1(?:0(?:13|2[458]|45|77)|108|2(?:1[2-5]|3[89]|9[67]))|2(?:0[0-3]|3[2-5]|7[4-9]|8[0-3])|400|51[6-9]|5[58][23]|603|9(?:04|17|[34]1|4[19]));|[\xe1](?:[\xb8][\x94-\x9d]|[\xba][\xb8-\xbf]|[\xbb][\x80-\x87]|[\xbc][\x90-\x9d]|[\xbd][\xb2\xb3]|[\xbf][\x88\x89])|[\xf0][\x9d](?:[\x90][\x84\x9e\xb8]|[\x91][\x92\xac]|[\x92][\x86\xa0\xba]|[\x93][\x94\xae]|[\x94][\xa2\xbc]|[\x95][\x96]|[\x96][\x8a\xa4\xbe]|[\x97][\x98\xb2]|[\x98][\x8c\xa6]|[\x99][\x80\x9a\xb4]|[\x9a][\x8e\xac\xba]|[\x9b][\x86\x9c\xa6\xb4]|[\x9c][\x80\x96\xa0\xae\xba]|[\x9d][\x90\x9a\xa8\xb4]|[\x9e][\x8a\x94\xa2\xae]|[\x9f][\x84])) replace_tag F 
(?:[fF]|[\xcf][\x9c\x9d]|[\xd2][\x92\x93]|[\xd3][\xba\xbb]|[\xd4][\xb2]|[\xd5][\xa2]|[\xe1](?:[\xb8][\x9e\x9f]|[\xba][\x9b\x9c\x9d])|[\xf0][\x9d](?:[\x90][\x85\x9f\xb9]|[\x91][\x93\xad]|[\x92][\x87\xa1\xbb]|[\x93][\x95\xaf]|[\x94][\xa3\xbd]|[\x95][\x97\xb1]|[\x96][\x8b\xa5\xbf]|[\x97][\x99\xb3]|[\x98][\x8d\xa7]|[\x99][\x81\x9b\xb5]|[\x9a][\x8f]|[\x9f][\x8a\x8b])) -replace_tag G (?:[gGk]|[\xc4][\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3]|[\xd2][\xa8\xa9]|[\xd4][\x8c\x8d]|[\xd6][\x81]|[\xf0][\x9d](?:[\x90][\x86\xa0\xba]|[\x91][\x94\xae]|[\x92][\x88\xa2\xbc]|[\x93][\x96\xb0]|[\x94][\xa4\xbe]|[\x95][\x98]|[\x96][\x8c\xa6]|[\x97][\x80\x9a\xb4]|[\x98][\x8e\xa8]|[\x99][\x82\x9c\xb6]|[\x9a][\x90])) +replace_tag G (?:[gGk]|[\xc4][\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3]|[\xc7][\xa5]|[\xd2][\xa8\xa9]|[\xd4][\x8c\x8d]|[\xd6][\x81]|[\xf0][\x9d](?:[\x90][\x86\xa0\xba]|[\x91][\x94\xae]|[\x92][\x88\xa2\xbc]|[\x93][\x96\xb0]|[\x94][\xa4\xbe]|[\x95][\x98]|[\x96][\x8c\xa6]|[\x97][\x80\x9a\xb4]|[\x98][\x8e\xa8]|[\x99][\x82\x9c\xb6]|[\x9a][\x90])) replace_tag H (?:[hH\xb9\xc7]|[\xc4][\xa4\xa5\xa6\xa7]|[\xce][\x89\x97]|[\xcf][\xa6]|[\xd0][\x8a\x8b\x9d\xbd]|[\xd1][\x92\x9b]|[\xd2][\x94\x95\xa2\xa3\xa4\xa5\xba\xbb]|[\xd3][\x87\x88\x89\x8a]|[\xd4][\xbb]|[\xd5][\xab\xb0]|&\#(?:2(?:22[3-6]|9[2-5])|54[23]|1(?:0(?:53|85)|18[6-9]|8(?:0(?:8[89]|9[0-5])|1(?:38[89]|340)))|919);|[\xe1](?:[\xb8][\xa2-\xab]|[\xba][\x96]|[\xbc][\xa8-\xaf]|[\xbe][\x98-\x9f]|[\xbf][\x8a-\x8c])|[\xf0][\x9d](?:[\x90][\x87\xa1\xbb]|[\x91][\x95\xaf]|[\x92][\x89\xa3\xbd]|[\x93][\x97\xb1]|[\x94][\xbf]|[\x95][\x99]|[\x96][\xa7]|[\x97][\x81\x9b\xb5]|[\x98][\x8f\xa9]|[\x99][\x83\x9d\xb7]|[\x9a][\x91\xae]|[\x9b][\xa8]|[\x9c][\xa2]|[\x9d][\x9c]|[\x9e][\x96])) replace_tag I 
(?:[iIl|!1y?\xcc\xcd\xce\xcf\xec\xed\xee\xef\xe9\xba\xc0\xc9\xda\xdf\xfa]|[\xc3][\x8c\x8d\x8e\x8f\xac\xad\xae\xaf]|[\xc4][\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1]|[\xc7][\x8f\x90]|[\xce][\x8a\x90\x99\xaa\xaf\xb9]|[\xcf][\x8a]|[\xd0][\x86\x87]|[\xd1][\x96\x97]|[\xd3][\x80\x8f]|[\xd5][\xac]|&\#(?:1(?:03[01]|11[01]|216|231)|2(?:0[4-7]|16|3[6-9]|9[6-9])|3(?:0[0-5])|4(?:0[67]|6[34])|52[0-3]);|[\xe1](?:[\xb8][\xac-\xaf]|[\xbb][\x88-\x8b]|[\xbc][\xb0-\xbf]|[\xbd][\xb6\xb7]|[\xbf][\x90-\x9b])|[\xf0][\x9d](?:[\x90][\x88\xa2\xbc]|[\x91][\x96\xb0]|[\x92][\x8a\xa4\xbe]|[\x93][\x98\xb2]|[\x94][\xa6]|[\x95][\x80\x9a]|[\x96][\x8e\xa8]|[\x97][\x82\x9c\xb6]|[\x98][\x90\xaa]|[\x99][\x84\x9e\xb8]|[\x9a][\x92\xb0]|[\x9b][\xaa]|[\x9c][\xa4]|[\x9d][\x9e]|[\x9e][\x98])) replace_tag J (?:[jJ]|[\xc4][\xb4\xb5]|[\xcf][\xb3]|[\xd0][\x88]|[\xd1][\x98]|[\xd5][\xb5]|[\xf0][\x9d](?:[\x90][\x89\xa3\xbd]|[\x91][\x97\xb1]|[\x92][\x8b\xa5\xbf]|[\x93][\x99\xb3]|[\x94][\xa7]|[\x95][\x81\x9b]|[\x96][\x8f\xa9]|[\x97][\x83\x9d\xb7]|[\x98][\x91\xab]|[\x99][\x85\x9f\xb9]|[\x9a][\x93])) 
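Review bot: The `replace_tag E` line now lists `\xbe` in its `[\xc4][...]` class, and the bytes C4 BE decode to U+013E (small l with caron), which looks like an L rather than an E. Rules that use `<E>` would then presumably also match that letter in ordinary Slovak text. The other additions in this hunk decode to a form of their own letter (`[\xc9][\x91]` in A, `[\xc9][\x87]` in E, `[\xc7][\xa5]` in G). As the file is synced from upstream the fix belongs there; the class would go back to `[\xc4][\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b]`, with the new byte moved to the L tag if it was meant for it (that tag is not visible in this hunk).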
@@ -45,7 +45,7 @@ replace_tag O (?:[goO0u\xbc\xcf\xd2\xd3\xd4\xd5\xd6\xd8\xef\xf0\xf2\xf3\xf4\xf5\ replace_tag P (?:[pP\xd1\xf1\xfe]|[\xce][\xa1]|[\xcf][\x81\xb7\xb8]|[\xd0][\xa0]|[\xd1][\x80]|[\xd2][\x8e\x8f]|[\xd4][\x97]|[\xd5][\xa9]|[\xd6][\x84]|[\xe1](?:[\xb9][\x94-\x97]|[\xbf][\xa4\xa5\xac])|[\xf0][\x9d](?:[\x90][\x8f\xa9]|[\x91][\x83\x9d\xb7]|[\x92][\x91]|[\x93][\x9f]|[\x95][\x87\xa1]|[\x96][\xaf]|[\x97][\x89\xa3\xbd]|[\x98][\x97\xb1]|[\x99][\x8b\xa5\xbf]|[\x9a][\x99\xb8]|[\x9b][\x92\xb2]|[\x9c][\x8c\xac]|[\x9d][\x86\xa6]|[\x9e][\x80\xa0\xba])) replace_tag Q (?:[qQ]|[\xcf][\x98\xa4\xa5]|[\xd4][\x9a\x9b\xb3]|[\xd5][\xa3\xa6]|[\xf0][\x9d](?:[\x90][\x90\xaa]|[\x91][\x84\x9e\xb8]|[\x92][\x92]|[\x93][\x86\xba]|[\x94][\xae]|[\x95][\x88\xa2]|[\x96][\x96\xb0]|[\x97][\x8a\xa4\xbe]|[\x98][\x98\xb2]|[\x99][\x8c\xa6]|[\x9a][\x80\x9a])) replace_tag R (?:[rR]|[\xc5][\x94\x95\x96\x97\x98\x99]|[\xc8][\x90\x91\x92\x93]|[\xd0][\x93\xaf]|[\xd1][\x8f\x93]|[\xd2][\x90\x91\x93]|[\xd3][\xb6\xb7]|[\xd4][\xb8\xbb]|[\xd5][\x90\x92]|[\xd6][\x80]|&\#(?:1(?:071|103)|34[0-5]|422|5(?:2[89]|3[01]|8[89])|6(?:3[67]|40));|[\xe1](?:[\xb9][\x98-\x9f])|[\xf0][\x9d](?:[\x90][\x91\xab]|[\x91][\x85\x9f\xb9]|[\x92][\x93\xad]|[\x93][\x87\xa1\xbb]|[\x94][\x95\xaf]|[\x95][\x89\xa3\xbd]|[\x96][\x97\xb1]|[\x97][\x8b\xa5\xbf]|[\x98][\x99\xb3]|[\x99][\x8d\xa7]|[\x9a][\x81\x9b])) -replace_tag S (?:[sSz\xa6\xa7]|[\xc5][\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1]|[\xd0][\x85]|[\xd1][\x95]|[\xd5][\x8f]|[\xe1](?:[\xb9][\xa0-\xa9])|[\xf0][\x9d](?:[\x90][\x92\xac]|[\x91][\x86\xa0\xba]|[\x92][\x94]|[\x94][\xb0]|[\x95][\x8a\xa4]|[\x96][\xb2]|[\x97][\x8c\xa6]|[\x98][\x80\x9a\xb4]|[\x99][\x8e\xa8]|[\x9a][\x82\x9c])) +replace_tag S 
(?:[sSz\xa6\xa7]|[\xc5][\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1]|[\xc6][\xbe]|[\xd0][\x85]|[\xd1][\x95]|[\xd5][\x8f]|[\xe1](?:[\xb9][\xa0-\xa9])|[\xf0][\x9d](?:[\x90][\x92\xac]|[\x91][\x86\xa0\xba]|[\x92][\x94]|[\x94][\xb0]|[\x95][\x8a\xa4]|[\x96][\xb2]|[\x97][\x8c\xa6]|[\x98][\x80\x9a\xb4]|[\x99][\x8e\xa8]|[\x9a][\x82\x9c])) replace_tag T (?:[tT\xc3\xd4\xf4]|[\xc5][\xa2\xa3\xa4\xa5\xa6\xa7]|[\xcd][\xb2\xb3]|[\xce][\xa4]|[\xcf][\x84\xae\xaf]|[\xd0][\x93\xa2]|[\xd1][\x82]|[\xd2][\x90\xac\xad]|[\xd3][\xb6]|[\xd4][\xb5\xb7]|[\xd5][\x92\xa7]|[\xe1](?:[\xb9][\xaa-\xb1]|[\xba][\x97])|[\xf0][\x9d](?:[\x90][\x93\xad]|[\x91][\x87\xa1\xbb]|[\x92][\x95]|[\x93][\x89\xbd]|[\x94][\xb1]|[\x95][\x8b\xa5]|[\x96][\x99\xb3]|[\x97][\x8d\xa7]|[\x98][\x81\x9b\xb5]|[\x99][\x8f\xa9]|[\x9a][\x83\x9d\xbb]|[\x9b][\x95\xb5]|[\x9c][\x8f\xaf]|[\x9d][\x89\xa9]|[\x9e][\x83\xa3\xbd])) replace_tag U (?:[uUv\xb5\xd9\xda\xdb\xdc\xe0\xec\xf5\xfc\xfb\xfa\xf9\xfd]|[\xc3][\x99\x9a\x9b\x9c\xb9\xba\xbb\xbc]|[\xc5][\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3]|[\xcf][\x85\x8b\x8d]|[\xd0][\x8f\xa6]|[\xd1][\x86\x9f]|[\xd4][\xb1\xbf]|[\xd5][\x84\x8d\xb4\xb6\xbd\xbe]|[\xd6][\x87]|[\xe1](?:[\xb9][\xb2-\xbb]|[\xbb][\xa4-\xb1]|[\xbd][\x90-\x97\xba\xbb]|[\xbf][\xa0-\xa3\xa6\xa7])|[\xf0][\x9d](?:[\x90][\x94\xae]|[\x91][\x88\xa2\xbc]|[\x92][\x96\xb0]|[\x93][\x8a\xa4\xbe]|[\x94][\x98\xb2]|[\x95][\x8c\xa6]|[\x96][\x80\x9a\xb4]|[\x97][\x8e\xa8]|[\x98][\x82\x9c\xb6]|[\x99][\x90\xaa]|[\x9a][\x84\x9e]|[\x9b][\x8d\x96]|[\x9c][\x87\x90]|[\x9d][\x81\x8a\xbb]|[\x9e][\x84\xb5\xbe])) replace_tag V (?:[vVu\xe3\xed]|\\\/|[\xce][\xbd]|[\xd1][\xb4\xb5\xb6\xb7]|[\xe1](?:[\xb9][\xbc-\xbf]|[\xbd][\x90-\x97\xba\xbb]|[\xbf][\xa0-\xa3\xa6\xa7])|[\xf0][\x9d](?:[\x90][\x95\xaf]|[\x91][\x89\xa3\xbd]|[\x92][\x97]|[\x93][\x8b\xa5\xbf]|[\x95][\x8d\xa7]|[\x96][\xb5]|[\x97][\x8f\xa9]|[\x98][\x83\x9d\xb7]|[\x99][\x91\xab]|[\x9a][\x85\x9f]|[\x9b][\x96]|[\x9c][\x88]|[\x9d][\x8a])) 
diff --git a/sa-updates/25_url_shortener.cf b/sa-updates/25_url_shortener.cf index 4327a85..67ef2ea 100644 --- a/sa-updates/25_url_shortener.cf +++ b/sa-updates/25_url_shortener.cf @@ -54,7 +54,6 @@ score URL_SHORTENER_DISABLED 2 # # generic list of likely active services - cleaned up 25.05.2022 -url_shortener .app.link url_shortener .ftn.app url_shortener .page.link url_shortener .short.gy @@ -75,6 +74,7 @@ url_shortener bitly.com url_shortener bizj.us url_shortener chilp.it url_shortener conta.cc +url_shortener clck.ru url_shortener crks.me url_shortener cutt.ly url_shortener cutwin.biz @@ -114,7 +114,6 @@ url_shortener lnk.sk url_shortener lnkd.in url_shortener lnkiy.in url_shortener lru.jp -url_shortener lukora.cz url_shortener mrte.ch url_shortener n9.cl url_shortener ndurl.com @@ -279,6 +278,14 @@ url_shortener stopify.co url_shortener trulove.guru url_shortener yourmy.monster +# additional url shorteners 2023 +url_shortener .app.link +url_shortener bitly.ws +url_shortener han.gl +url_shortener lukora.cz +url_shortener shorturl.asia +url_shortener m2.do + # GET method required for some services, keep the same services in url_shortener also if can(Mail::SpamAssassin::Plugin::DecodeShortURLs::has_get) url_shortener_get bit.ly 
@@ -298,7 +305,8 @@ if !can(Mail::SpamAssassin::Plugin::DecodeShortURLs::has_short_url_redir) ## perl -pe 'while (<>) {/^\s*url_shortener\s+(\S+)/ or next;$s=quotemeta($1);$s=~s/^\\./\\w+\\./;push @a,$s} print "uri __URL_SHORTENER m,^https?://(?:".join("|",@a).")/,i\n"' < 25_url_shortener.cf ## -uri __URL_SHORTENER m,^https?://(?:\w+\.app\.link|\w+\.ftn\.app|\w+\.page\.link|\w+\.short\.gy|\w+\.shortz\.me|0rz\.tw|4sq\.com|4url\.cc|afly\.co|ai6\.net|amzn\.com|amzn\.to|b\.link|b23\.ru|binged\.it|bit\.do|bit\.ly|bitly\.com|bizj\.us|chilp\.it|conta\.cc|crks\.me|cutt\.ly|cutwin\.biz|dai\.ly|db\.tt|disq\.us|dlvr\.it|doi\.org|doiop\.com|eepurl\.com|fb\.me|fire\.to|firsturl\.de|firsturl\.net|flic\.kr|gdurl\.com|go\.ly|goo\.gl|goolnk\.com|gplinks\.in|guest\.link|hellotxt\.com|hop\.kz|hotshorturl\.com|hub\.am|huff\.to|hurl\.it|hyperurl\.co|inx\.lv|is\.gd|it2\.in|j\.mp|kore\.us|kurl\.no|l\.bestsellers\.to|lnk\.sk|lnkd\.in|lnkiy\.in|lru\.jp|lukora\.cz|mrte\.ch|n9\.cl|ndurl\.com|onion\.com|ouo\.io|ow\.ly|owl\.li|pduda\.mobi|rb\.gy|redir\.ec|rotf\.lol|s\.apache\.org|s\.free\.fr|s\.id|shar\.es|shorl\.com|shortn\.me|shorturl\.at|simurl\.net|slidesha\.re|smarturl\.it|smfu\.in|snip\.ly|snkr\.me|stpmvt\.com|t\.co|t\.ly|tcrn\.ch|tgr\.ph|tiny\.cc|tiny\.one|tiny\.pl|tinylink\.in|tinyurl\.com|to\.ly|trib\.al|twixar\.me|u\.nu|u\.to|url\.ie|urlcut\.com|urlday\.cc|urls\.im|urlz\.at|urlzs\.com|utfg\.sk|wow\.link|wp\.me|x\.co|x\.hypem\.com|xurl\.es|yhoo\.it|youtu\.be|z23\.ru|zurl\.ws|www\.shrunken\.com|0\.gp|2\.gp|2\.ly|3\.ly|4\.gp|4\.ly|5\.gp|6\.gp|6\.ly|7\.ly|8\.ly|9\.ly|g\.asia|p\.asia|ur3\.us|alturl\.com|\w+\.1sta\.com|\w+\.24ex\.com|\w+\.2fear\.com|\w+\.2fortune\.com|\w+\.2freedom\.com|\w+\.2hell\.com|\w+\.2savvy\.com|\w+\.2truth\.com|\w+\.2tunes\.com|\w+\.2ya\.com|\w+\.alturl\.com|\w+\.antiblog\.com|\w+\.bigbig\.com|\w+\.dealtap\.com|\w+\.ebored\.com|\w+\.echoz\.com|\w+\.filetap\.com|\w+\.funurl\.com|\w+\.headplug\.com|\w+\.hereweb\.com|\w+\.hitart\.com|\w+\.mirrorz\.com|\w+\.mp3update\.c
om|\w+\.shorturl\.com|\w+\.spyw\.com|\w+\.vze\.com|\w+\.arecool\.net|\w+\.iscool\.net|\w+\.isfun\.net|\w+\.tux\.nu|kisa\.link|www\.kisa\.link|bul\.tc|cy\.tc|fn\.tc|ftp\.tc|gr\.tc|hbr\.tc|heg\.tc|ins\.tc|ko\.tc|kod\.tc|lol\.tc|m2\.tc|ml\.tc|mmo\.tc|oy\.tc|pc\.tc|pubg\.tc|pvp\.tc|sro\.tc|tek\.link|tw\.tc|grabify\.link|catsnthing\.com|catsnthings\.fun|cheapcinema\.club|dateing\.club|fortnight\.space|fortnitechat\.site|freegiftcards\.co|gaming\-at\-my\.best|gamingfun\.me|headshot\.monster|imageshare\.best|joinmy\.site|leancoding\.co|locations\.quest|lovebird\.guru|myprivate\.pics|noodshare\.pics|partpicker\.shop|progaming\.monster|screenshare\.pics|screenshot\.best|shhh\.lol|shrekis\.life|sportshub\.bar|stopify\.co|trulove\.guru|yourmy\.monster)/,i +uri __URL_SHORTENER m,^https?://(?:\w+\.ftn\.app|\w+\.page\.link|\w+\.short\.gy|\w+\.shortz\.me|0rz\.tw|4sq\.com|4url\.cc|afly\.co|ai6\.net|amzn\.com|amzn\.to|b\.link|b23\.ru|binged\.it|bit\.do|bit\.ly|bitly\.com|bizj\.us|chilp\.it|conta\.cc|crks\.me|cutt\.ly|cutwin\.biz|dai\.ly|db\.tt|disq\.us|dlvr\.it|doi\.org|doiop\.com|eepurl\.com|fb\.me|fire\.to|firsturl\.de|firsturl\.net|flic\.kr|gdurl\.com|go\.ly|goo\.gl|goolnk\.com|gplinks\.in|guest\.link|hellotxt\.com|hop\.kz|hotshorturl\.com|hub\.am|huff\.to|hurl\.it|hyperurl\.co|inx\.lv|is\.gd|it2\.in|j\.mp|kore\.us|kurl\.no|l\.bestsellers\.to|lnk\.sk|lnkd\.in|lnkiy\.in|lru\.jp|mrte\.ch|n9\.cl|ndurl\.com|onion\.com|ouo\.io|ow\.ly|owl\.li|pduda\.mobi|rb\.gy|redir\.ec|rotf\.lol|s\.apache\.org|s\.free\.fr|s\.id|shar\.es|shorl\.com|shortn\.me|shorturl\.at|simurl\.net|slidesha\.re|smarturl\.it|smfu\.in|snip\.ly|snkr\.me|stpmvt\.com|t\.co|t\.ly|tcrn\.ch|tgr\.ph|tiny\.cc|tiny\.one|tiny\.pl|tinylink\.in|tinyurl\.com|to\.ly|trib\.al|twixar\.me|u\.nu|u\.to|url\.ie|urlcut\.com|urlday\.cc|urls\.im|urlz\.at|urlzs\.com|utfg\.sk|wow\.link|wp\.me|x\.co|x\.hypem\.com|xurl\.es|yhoo\.it|youtu\.be|z23\.ru|zurl\.ws|www\.shrunken\.com|0\.gp|2\.gp|2\.ly|3\.ly|4\.gp|4\.ly|5\.gp|6\.gp|6\.ly|7\.ly|8\.ly|9\
.ly|g\.asia|p\.asia|ur3\.us|alturl\.com|\w+\.1sta\.com|\w+\.24ex\.com|\w+\.2fear\.com|\w+\.2fortune\.com|\w+\.2freedom\.com|\w+\.2hell\.com|\w+\.2savvy\.com|\w+\.2truth\.com|\w+\.2tunes\.com|\w+\.2ya\.com|\w+\.alturl\.com|\w+\.antiblog\.com|\w+\.bigbig\.com|\w+\.dealtap\.com|\w+\.ebored\.com|\w+\.echoz\.com|\w+\.filetap\.com|\w+\.funurl\.com|\w+\.headplug\.com|\w+\.hereweb\.com|\w+\.hitart\.com|\w+\.mirrorz\.com|\w+\.mp3update\.com|\w+\.shorturl\.com|\w+\.spyw\.com|\w+\.vze\.com|\w+\.arecool\.net|\w+\.iscool\.net|\w+\.isfun\.net|\w+\.tux\.nu|kisa\.link|www\.kisa\.link|bul\.tc|cy\.tc|fn\.tc|ftp\.tc|gr\.tc|hbr\.tc|heg\.tc|ins\.tc|ko\.tc|kod\.tc|lol\.tc|m2\.tc|ml\.tc|mmo\.tc|oy\.tc|pc\.tc|pubg\.tc|pvp\.tc|sro\.tc|tek\.link|tw\.tc|grabify\.link|catsnthing\.com|catsnthings\.fun|cheapcinema\.club|dateing\.club|fortnight\.space|fortnitechat\.site|freegiftcards\.co|gaming\-at\-my\.best|gamingfun\.me|headshot\.monster|imageshare\.best|joinmy\.site|leancoding\.co|locations\.quest|lovebird\.guru|myprivate\.pics|noodshare\.pics|partpicker\.shop|progaming\.monster|screenshare\.pics|screenshot\.best|shhh\.lol|shrekis\.life|sportshub\.bar|stopify\.co|trulove\.guru|yourmy\.monster|\w+\.app\.link|bitly\.ws|han\.gl|lukora\.cz|shorturl\.asia|m2\.do)/,i + endif diff --git a/sa-updates/60_welcomelist_auth.cf b/sa-updates/60_welcomelist_auth.cf index 7427286..fab31c7 100644 --- a/sa-updates/60_welcomelist_auth.cf +++ b/sa-updates/60_welcomelist_auth.cf @@ -546,7 +546,6 @@ def_welcomelist_auth *@*.bludot.com def_welcomelist_auth *@*.directgeneral.com def_welcomelist_auth *@*.subaru.com def_welcomelist_auth *@*.aexp.com -def_welcomelist_auth *@*.usssa.com def_welcomelist_auth *@*.bestwesternrewards.com def_welcomelist_auth *@*.email-weightwatchers.com def_welcomelist_auth *@*.email-allstate.com 
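Review bot: The regenerated `__URL_SHORTENER` fallback regex has no `clck\.ru` alternative, although `url_shortener clck.ru` is added to the list earlier in this file's diff and the comment above the rule shows the regex being generated from those lines. The six entries of the "additional url shorteners 2023" block are all present at the end of the alternation, so only this one seems to have been missed. Installations that take the `!can(...has_short_url_redir)` branch would not flag links through that service. Adding `|clck\.ru` after `conta\.cc`, or re-running the one-liner, keeps the list and the regex in step.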
@@ -601,7 +600,6 @@ def_welcomelist_auth *@*.email-lifetouch.com def_welcomelist_auth *@*.evine.com def_welcomelist_auth *@*.donorschoose.org def_welcomelist_auth noreply@adt.com -def_welcomelist_auth *@tmomail.net def_welcomelist_auth donotreply@dhl.com def_welcomelist_auth *@travelodge.co.uk def_welcomelist_auth bounce@ryanairemail.com @@ -795,6 +793,7 @@ def_welcomelist_auth *@*.endcitizensunited.org def_welcomelist_auth *@*.redditgifts.com def_welcomelist_auth *@*.tdworld.com def_welcomelist_auth *@*.thenorthface.com +def_welcomelist_auth *@*.bark.com def_welcomelist_auth *@*.center.io def_welcomelist_auth *@*.movethisworld.com def_welcomelist_auth *@*.pgsurveying.com @@ -1099,6 +1098,7 @@ def_whitelist_auth *@*.docusign.com # authentic emails # def_whitelist_auth *@*.indeed.com +def_whitelist_auth *@*.wellframe.com def_whitelist_auth *@*.hyatt.com def_whitelist_auth *@*.sears.com def_whitelist_auth *@*.jcpenney.com @@ -1523,7 +1523,6 @@ def_whitelist_auth *@*.bludot.com def_whitelist_auth *@*.directgeneral.com def_whitelist_auth *@*.subaru.com def_whitelist_auth *@*.aexp.com -def_whitelist_auth *@*.usssa.com def_whitelist_auth *@*.bestwesternrewards.com def_whitelist_auth *@*.email-weightwatchers.com def_whitelist_auth *@*.email-allstate.com @@ -1578,7 +1577,6 @@ def_whitelist_auth *@*.email-lifetouch.com def_whitelist_auth *@*.evine.com def_whitelist_auth *@*.donorschoose.org def_whitelist_auth noreply@adt.com -def_whitelist_auth *@tmomail.net def_whitelist_auth donotreply@dhl.com def_whitelist_auth *@travelodge.co.uk def_whitelist_auth bounce@ryanairemail.com diff --git a/sa-updates/72_active.cf b/sa-updates/72_active.cf index 6ef9661..b3b48c2 100644 --- a/sa-updates/72_active.cf +++ b/sa-updates/72_active.cf 
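Review bot: `*@*.bark.com` is added only as `def_welcomelist_auth` and `*@*.wellframe.com` only as `def_whitelist_auth`, while the two removals (`*@*.usssa.com`, `*@tmomail.net`) are applied to both spellings. If the two blocks are meant to mirror each other for newer and older SpamAssassin versions (the hunks suggest this but do not show it), each installation gets only one of the two new entries. Both are whole-domain wildcards that lower the score of authenticated mail, so it is worth confirming upstream whether `def_welcomelist_auth *@*.wellframe.com` and `def_whitelist_auth *@*.bark.com` were left out by accident.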
@@ -51,7 +51,7 @@ tflags AC_DIV_BONANZA publish ##{ AC_FROM_MANY_DOTS meta AC_FROM_MANY_DOTS __AC_FROM_MANY_DOTS_MINFP -#score AC_FROM_MANY_DOTS 3.000 # limit +#score AC_FROM_MANY_DOTS 2.500 # limit describe AC_FROM_MANY_DOTS Multiple periods in From user name tflags AC_FROM_MANY_DOTS publish ##} AC_FROM_MANY_DOTS @@ -330,6 +330,12 @@ meta AXB_XMAILER_MIMEOLE_OL_024C2 (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2) describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait ##} AXB_XMAILER_MIMEOLE_OL_024C2 +##{ AXB_X_FF_SEZ_S + +header AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~ /\bSFV\:SPM\b/ +describe AXB_X_FF_SEZ_S Forefront sez this is spam +##} AXB_X_FF_SEZ_S + ##{ BANKING_LAWS body BANKING_LAWS /banking laws/i @@ -416,13 +422,6 @@ describe BITCOIN_IMGUR Bitcoin + hosted image tflags BITCOIN_IMGUR publish ##} BITCOIN_IMGUR -##{ BITCOIN_MALF_HTML - -meta BITCOIN_MALF_HTML HTML_EXTRA_CLOSE && (__BITCOIN || __BITCOIN_ID) -describe BITCOIN_MALF_HTML Bitcoin + malformed HTML -#score BITCOIN_MALF_HTML 3.500 # limit -##} BITCOIN_MALF_HTML - ##{ BITCOIN_MALWARE meta BITCOIN_MALWARE __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED @@ -455,13 +454,6 @@ describe BITCOIN_PAY_ME Pay me via BitCoin tflags BITCOIN_PAY_ME publish ##} BITCOIN_PAY_ME -##{ BITCOIN_PDF - -meta BITCOIN_PDF __BITCOIN && __PDF_ATTACH -describe BITCOIN_PDF "Bitcoin" + PDF attachment -#score BITCOIN_PDF 2.500 # limit -##} BITCOIN_PDF - ##{ BITCOIN_SPAM_01 meta BITCOIN_SPAM_01 __BITCOIN_ID && HTML_MIME_NO_HTML_TAG 
@@ -570,6 +562,20 @@ endif endif ##} BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS +##{ BITCOIN_TOEQFM + +meta BITCOIN_TOEQFM __BITCOIN_TOEQFM +describe BITCOIN_TOEQFM Bitcoin + To same as From +#score BITCOIN_TOEQFM 3.500 # limit +##} BITCOIN_TOEQFM + +##{ BITCOIN_VISTA + +meta BITCOIN_VISTA __BITCOIN && __VISTA_MSGID +describe BITCOIN_VISTA Bitcoin + old MSFT msgid format +#score BITCOIN_VISTA 3.500 # limit +##} BITCOIN_VISTA + ##{ BITCOIN_WFH_01 meta BITCOIN_WFH_01 __BITCOIN_WFH_01 @@ -954,6 +960,13 @@ header DRUGS_HDIA Subject =~ /\bhoodia\b/i describe DRUGS_HDIA Subject mentions "hoodia" ##} DRUGS_HDIA +##{ DSN_NO_MIMEVERSION + +meta DSN_NO_MIMEVERSION (__BOUNCE_RPATH_NULL && !__MIME_VERSION) +describe DSN_NO_MIMEVERSION Return-Path <> and no MIME-Version: header +#score DSN_NO_MIMEVERSION 2 +##} DSN_NO_MIMEVERSION + ##{ DX_TEXT_02 body DX_TEXT_02 /\b(?:change|modif(?:y|ications?)) (?:of|to|(?:yo)?ur) (?:message|sub|comm) stat/i @@ -1059,16 +1072,6 @@ describe FACEBOOK_IMG_NOT_RCVD_FB Facebook hosted image but message not fro tflags FACEBOOK_IMG_NOT_RCVD_FB publish ##} FACEBOOK_IMG_NOT_RCVD_FB -##{ FAKE_REPLY_A1 - -meta FAKE_REPLY_A1 (__SUBJ_RE && __MISSING_REPLY && __MISSING_REF && __BOTH_INR_AND_REF) -##} FAKE_REPLY_A1 - -##{ FAKE_REPLY_B - -meta FAKE_REPLY_B (__SUBJ_RE && __MISSING_REPLY && __INR_AND_NO_REF) -##} FAKE_REPLY_B - ##{ FAKE_REPLY_C meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF) 
@@ -1250,19 +1253,6 @@ describe FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish ##} FRNAME_IN_MSG_XPRIO_NO_SUB -##{ FROMSPACE - -describe FROMSPACE Idiosyncratic "From" header format -header FROMSPACE From:raw =~ /^\s?\"\s/ -##} FROMSPACE - -##{ FROM_2_EMAILS_SHORT - -meta FROM_2_EMAILS_SHORT __KAM_BODY_LENGTH_LT_512 && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) -describe FROM_2_EMAILS_SHORT Short body and From looks like 2 different emails -#score FROM_2_EMAILS_SHORT 3.0 # limit -##} FROM_2_EMAILS_SHORT - ##{ FROM_ADDR_WS meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL @@ -1408,6 +1398,13 @@ meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIM describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool ##} FROM_MISSP_MSFT +##{ FROM_MISSP_PHISH + +meta FROM_MISSP_PHISH __FROM_MISSP_PHISH && !__DOS_HAS_LIST_UNSUB +describe FROM_MISSP_PHISH Malformed, claims to be from financial organization - possible phish +#score FROM_MISSP_PHISH 3.500 # limit +##} FROM_MISSP_PHISH + ##{ FROM_MISSP_REPLYTO meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY && !__DOS_HAS_LIST_UNSUB 
@@ -1424,19 +1421,24 @@ ifplugin Mail::SpamAssassin::Plugin::SPF endif ##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF +##{ FROM_MISSP_TO_UNDISC + +meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED) +describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed +##} FROM_MISSP_TO_UNDISC + ##{ FROM_MISSP_USER meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER) describe FROM_MISSP_USER From misspaced, from "User" ##} FROM_MISSP_USER -##{ FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) +##{ FROM_MISSP_XPRIO -if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - meta FROM_MULTI_NORDNS __FROM_MULTI_NORDNS - describe FROM_MULTI_NORDNS Multiple From addresses + no rDNS -endif -##} FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) +meta FROM_MISSP_XPRIO (__XPRIO && __FROM_MISSPACED) && !__LYRIS_EZLM_REMAILER +describe FROM_MISSP_XPRIO Misspaced FROM + X-Priority +#score FROM_MISSP_XPRIO 2.500 # limit +##} FROM_MISSP_XPRIO ##{ FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS @@ -1559,6 +1561,11 @@ describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/ ##} FSL_FAKE_HOTMAIL_RVCD +##{ FSL_HAS_TINYURL + +uri FSL_HAS_TINYURL /tinyurl\.com\// +##} FSL_HAS_TINYURL + ##{ FSL_HELO_BARE_IP_1 meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED 
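Review bot: `FSL_HAS_TINYURL` matches `/tinyurl\.com\//` anywhere in the URI, so it also fires on a host that merely ends in that string (a constructed example: `nottinyurl.com/`) and on URLs that carry the string in their path or query. Anchoring on the host keeps it to the shortener itself: `uri FSL_HAS_TINYURL m{^https?://(?:[\w-]+\.)?tinyurl\.com/}i`. The rule also has no `describe` line, and neither do `HELO_LH_HOME` and `IMG_DIRECT_TO_MX` further down in this file's diff; a one-line text such as `describe FSL_HAS_TINYURL URI points at tinyurl.com` helps whoever reads the report.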
@@ -1778,6 +1785,15 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags endif ##} FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags +##{ FUZZY_TRUSTWALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags + +ifplugin Mail::SpamAssassin::Plugin::ReplaceTags + meta FUZZY_TRUSTWALLET __FUZZY_TRUSTWALLET_BODY || __FUZZY_TRUSTWALLET_FROM + describe FUZZY_TRUSTWALLET Obfuscated "Trust Wallet", probable phishing + tflags FUZZY_TRUSTWALLET publish +endif +##} FUZZY_TRUSTWALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags + ##{ FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags ifplugin Mail::SpamAssassin::Plugin::ReplaceTags @@ -1796,6 +1812,15 @@ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags endif ##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags +##{ FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags + +ifplugin Mail::SpamAssassin::Plugin::ReplaceTags + meta FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM + describe FUZZY_WELLSFARGO Obfuscated "Wells Fargo" + tflags FUZZY_WELLSFARGO publish +endif +##} FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags + ##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) 
@@ -1806,12 +1831,12 @@ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) endif ##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) -##{ GB_BITCOIN_NH +##{ GB_BITCOIN_CP -meta GB_BITCOIN_NH ( __BITCOIN_ID && !__URL_BTC_ID && ( __NEVER_HEAR_EN || __NEVER_HEAR_IT ) ) -describe GB_BITCOIN_NH Localized Bitcoin scam -#score GB_BITCOIN_NH 3.0 # limit -##} GB_BITCOIN_NH +meta GB_BITCOIN_CP ( __GB_BITCOIN_CP_DE || __GB_BITCOIN_CP_ES || __GB_BITCOIN_CP_EN || __GB_BITCOIN_CP_FR || __GB_BITCOIN_CP_IT || __GB_BITCOIN_CP_NL || __GB_BITCOIN_CP_SE ) +describe GB_BITCOIN_CP Localized Bitcoin scam +#score GB_BITCOIN_CP 3.0 # limit +##} GB_BITCOIN_CP ##{ GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) @@ -1863,19 +1888,12 @@ endif ##{ GB_GOOGLE_OBFUR -uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.([a-z]{2,3})\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=([0-9])*\&(cad=rja\&uact=([0-9]+)\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(&usg=.{1,50})?/ +uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.[a-z]{2,3}\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=(?:[0-9])*\&(?:cad=rja\&uact=[0-9]+\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(?:&usg=.{1,50})?/ describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect #score GB_GOOGLE_OBFUR 0.75 # limit tflags GB_GOOGLE_OBFUR publish ##} GB_GOOGLE_OBFUR -##{ GB_GOOGLE_TRANSL - -uri GB_GOOGLE_TRANSL /^https?:\/\/.{10,64}\-(ipfs|xn\-)\-.{2,20}\.translate\.goog\/.{4}\// -describe GB_GOOGLE_TRANSL Obfuscate url through Google Translate -#score GB_GOOGLE_TRANSL 0.75 # limit -##} GB_GOOGLE_TRANSL - ##{ GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL if (version >= 3.004003) 
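Review bot: In `GB_GOOGLE_OBFUR` the host part `www\.google\.[a-z]{2,3}\/` accepts only a single-label suffix, so redirects through two-label country hosts such as `www.google.co.uk` are not covered; the switch to non-capturing groups leaves that as it was. `www\.google\.(?:[a-z]{2,3}|com?\.[a-z]{2})\/` would include them. The group `(?:[0-9])*` can be written as plain `[0-9]*`.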
@@ -2028,6 +2046,13 @@ describe HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - tflags HAS_X_OUTGOING_SPAM_STAT publish ##} HAS_X_OUTGOING_SPAM_STAT +##{ HDRS_LCASE_IMGONLY + +meta HDRS_LCASE_IMGONLY __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN +describe HDRS_LCASE_IMGONLY Odd capitalization of message headers + image-only HTML +#score HDRS_LCASE_IMGONLY 0.10 # limit +##} HDRS_LCASE_IMGONLY + ##{ HDRS_MISSP meta HDRS_MISSP __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY) @@ -2091,6 +2116,11 @@ endif header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i ##} HELO_FRIEND +##{ HELO_LH_HOME + +header HELO_LH_HOME X-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i +##} HELO_LH_HOME + ##{ HELO_LH_LD header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i @@ -2101,6 +2131,13 @@ header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdoma header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i ##} HELO_LOCALHOST +##{ HELO_MISC_IP + +meta HELO_MISC_IP (__HELO_MISC_IP && !HELO_DYNAMIC_IPADDR && !HELO_DYNAMIC_IPADDR2 && !HELO_DYNAMIC_SPLIT_IP && !HELO_DYNAMIC_HCC && !HELO_DYNAMIC_DIALIN && ((TVD_RCVD_IP4 + TVD_RCVD_IP + __FSL_HELO_BARE_IP_2) <2)) +describe HELO_MISC_IP Looking for more Dynamic IP Relays +#score HELO_MISC_IP 0.25 +##} HELO_MISC_IP + ##{ HELO_NO_DOMAIN meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST 
@@ -2138,11 +2175,21 @@ meta HK_LOTTO __HK_LOTTO_2 || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT ##{ HK_NAME_DRUGS -header HK_NAME_DRUGS From:name =~ /(viagra|\bcialis|cialis\b)/mi +header HK_NAME_DRUGS From:name =~ /(?:viagra|\bcialis|cialis\b)/mi describe HK_NAME_DRUGS From name contains drugs #score HK_NAME_DRUGS 2 ##} HK_NAME_DRUGS +##{ HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) + +ifplugin Mail::SpamAssassin::Plugin::FreeMail +if (version >= 3.004000) + meta HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM +# score HK_NAME_FM_MR_MRS 1.5 +endif +endif +##} HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) + ##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail @@ -2191,15 +2238,9 @@ meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || tflags HK_SCAM publish ##} HK_SCAM -##{ HK_WIN - -meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2) -#score HK_WIN 1 -##} HK_WIN - ##{ HOSTED_IMG_DIRECT_MX -meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS +meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS && !__HDR_RCVD_AMAZON #score HOSTED_IMG_DIRECT_MX 3.500 # limit describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm, CDN or hosting site, message direct-to-mx tflags HOSTED_IMG_DIRECT_MX publish 
@@ -2223,7 +2264,7 @@ tflags HOSTED_IMG_FREEM publish ##{ HOSTED_IMG_MULTI -meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS +meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS && !__RCD_RDNS_MAIL #score HOSTED_IMG_MULTI 3.000 # limit describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirected tflags HOSTED_IMG_MULTI publish @@ -2237,6 +2278,46 @@ describe HOSTED_IMG_MULTI_PUB_01 Multiple hosted images at public site tflags HOSTED_IMG_MULTI_PUB_01 publish ##} HOSTED_IMG_MULTI_PUB_01 +##{ HREF_EMPTY_NORDNS + +meta HREF_EMPTY_NORDNS __HREF_EMPTY_NORDNS +describe HREF_EMPTY_NORDNS Empty href + no rDNS +#score HREF_EMPTY_NORDNS 2.500 # limit +tflags HREF_EMPTY_NORDNS publish +##} HREF_EMPTY_NORDNS + +##{ HREF_EMPTY_PHPMAIL + +meta HREF_EMPTY_PHPMAIL __HREF_EMPTY_PHPMAIL +describe HREF_EMPTY_PHPMAIL Empty href + PHP Mailer +#score HREF_EMPTY_PHPMAIL 2.500 # limit +tflags HREF_EMPTY_PHPMAIL publish +##} HREF_EMPTY_PHPMAIL + +##{ HREF_EMPTY_XANTIABUSE + +meta HREF_EMPTY_XANTIABUSE __HREF_EMPTY_XANTIABUSE +describe HREF_EMPTY_XANTIABUSE Empty href + X-AntiAbuse +#score HREF_EMPTY_XANTIABUSE 2.500 # limit +tflags HREF_EMPTY_XANTIABUSE publish +##} HREF_EMPTY_XANTIABUSE + +##{ HREF_EMPTY_XAUTHED + +meta HREF_EMPTY_XAUTHED __HREF_EMPTY_XAUTHED +describe HREF_EMPTY_XAUTHED Empty href + X-Authenticated-Sender +#score HREF_EMPTY_XAUTHED 2.500 # limit +tflags HREF_EMPTY_XAUTHED publish +##} HREF_EMPTY_XAUTHED + +##{ HTML_BADATTR + +describe HTML_BADATTR Illegal char in HTML attribute name +rawbody HTML_BADATTR /<[a-z]{1,10}\s[^>]{1,80}\/(?:src|href)\s*\=/ +#score HTML_BADATTR 1 +tflags HTML_BADATTR publish +##} HTML_BADATTR + ##{ HTML_ENTITY_ASCII meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP 
@@ -2313,6 +2394,11 @@ body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10') endif ##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch +##{ IMG_DIRECT_TO_MX + +meta IMG_DIRECT_TO_MX __DOS_DIRECT_TO_MX && __JPEG_ATTACH && __ONE_IMG && __IMG_LE_300K +##} IMG_DIRECT_TO_MX + ##{ IMG_ONLY_FM_DOM_INFO meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO @@ -2402,6 +2488,12 @@ header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f header KB_RATWARE_OUTLOOK_MID ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi ##} KB_RATWARE_OUTLOOK_MID +##{ KHOP_FAKE_EBAY + +meta KHOP_FAKE_EBAY __EBAY_ADDRESS && !__NOT_SPOOFED +describe KHOP_FAKE_EBAY Sender falsely claims to be from eBay +##} KHOP_FAKE_EBAY + ##{ KHOP_HELO_FCRDNS meta KHOP_HELO_FCRDNS __HELO_NOT_RDNS && !(__VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || __NOT_SPOOFED || __RDNS_SHORT) @@ -2417,6 +2509,13 @@ describe LINKEDIN_IMG_NOT_RCVD_LNKN Linkedin hosted image but message not fro tflags LINKEDIN_IMG_NOT_RCVD_LNKN publish ##} LINKEDIN_IMG_NOT_RCVD_LNKN +##{ LIST_PARTIAL_SHORT_MSG + +meta LIST_PARTIAL_SHORT_MSG __LIST_PARTIAL_SHORT_MSG && !__DKIM_EXISTS +describe LIST_PARTIAL_SHORT_MSG Incomplete mailing list headers + short message +#score LIST_PARTIAL_SHORT_MSG 2.500 # limit +##} LIST_PARTIAL_SHORT_MSG + ##{ LIST_PRTL_PUMPDUMP meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS @@ -2438,6 +2537,13 @@ tflags LIST_PRTL_SAME_USER publish uri LIVEFILESTORE m~livefilestore.com/~ ##} LIVEFILESTORE +##{ LONGLN_LOW_CONTRAST + +meta LONGLN_LOW_CONTRAST __LONGLN_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__TRAVEL_ITINERARY +describe LONGLN_LOW_CONTRAST Excessively long line + hidden text +#score LONGLN_LOW_CONTRAST 2.500 # limit +##} LONGLN_LOW_CONTRAST + ##{ LONG_HEX_URI meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024 
@@ -2477,7 +2583,7 @@ endif ##{ LONG_TERM_PRICE -body LONG_TERM_PRICE /long\W+term\W+(target|projected)(\W+price)?/i +body LONG_TERM_PRICE /long\W+term\W+(?:target|projected)(?:\W+price)?/i ##} LONG_TERM_PRICE ##{ LOOPHOLE_1 @@ -2526,6 +2632,12 @@ tflags LUCRATIVE publish header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/ ##} L_SPAM_TOOL_13 +##{ MALFORMED_FREEMAIL + +meta MALFORMED_FREEMAIL (MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM +describe MALFORMED_FREEMAIL Bad headers on message from free email service +##} MALFORMED_FREEMAIL + ##{ MALF_HTML_B64 meta MALF_HTML_B64 MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG @@ -2559,6 +2671,26 @@ ifplugin Mail::SpamAssassin::Plugin::MIMEHeader endif ##} MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader +##{ MANY_HDRS_LCASE + +describe MANY_HDRS_LCASE Odd capitalization of multiple message headers +#score MANY_HDRS_LCASE 0.10 # limit +##} MANY_HDRS_LCASE + +##{ MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) + +if !plugin(Mail::SpamAssassin::Plugin::FreeMail) + meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE +endif +##} MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) + +##{ MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail + +ifplugin Mail::SpamAssassin::Plugin::FreeMail + meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE +endif +##} MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail + ##{ MANY_SPAN_IN_TEXT meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML 
@@ -2566,6 +2698,18 @@ describe MANY_SPAN_IN_TEXT Many tags embedded within text tflags MANY_SPAN_IN_TEXT publish ##} MANY_SPAN_IN_TEXT +##{ MANY_SUBDOM + +meta MANY_SUBDOM __MANY_SUBDOM && !__JM_REACTOR_DATE && !__UNSUB_LINK && !__VIA_ML && !NO_RELAYS && !__UPPERCASE_URI && !__MIME_QP +describe MANY_SUBDOM Lots and lots of subdomain parts in a URI +##} MANY_SUBDOM + +##{ MAY_BE_FORGED + +meta MAY_BE_FORGED __MAY_BE_FORGED && !__NOT_SPOOFED && !__VIA_ML +describe MAY_BE_FORGED Relay IP's reverse DNS does not resolve to IP +##} MAY_BE_FORGED + ##{ MID_DEGREES header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/ @@ -2658,7 +2802,7 @@ tflags MIXED_FONT_CASE publish ##{ MIXED_HREF_CASE -meta MIXED_HREF_CASE __MIXED_HREF_CASE_JH +meta MIXED_HREF_CASE __MIXED_HREF_CASE && !__LYRIS_EZLM_REMAILER && !__HAS_LIST_ID describe MIXED_HREF_CASE Has href in mixed case #score MIXED_HREF_CASE 2.000 # limit tflags MIXED_HREF_CASE publish @@ -2768,6 +2912,13 @@ describe MONEY_FROM_MISSP Lots of money and misspaced From #score MONEY_FROM_MISSP 2.000 # limit ##} MONEY_FROM_MISSP +##{ MONEY_NOHTML + +meta MONEY_NOHTML LOTS_OF_MONEY && __CT_TEXT_PLAIN +describe MONEY_NOHTML Lots of money in plain text +#score MONEY_NOHTML 2.500 # limit +##} MONEY_NOHTML + ##{ MSGID_DOLLARS_URI_IMG meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW 
@@ -2791,12 +2942,11 @@ describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters #score MSGID_MULTIPLE_AT 0.001 ##} MSGID_MULTIPLE_AT -##{ MSMAIL_PRI_ABNORMAL +##{ MSGID_NOFQDN1 -meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER && !__HAS_UA && !__MSMAIL_PRI_HIGH -describe MSMAIL_PRI_ABNORMAL Email priority often abused -#score MSMAIL_PRI_ABNORMAL 1.500 # limit -##} MSMAIL_PRI_ABNORMAL +meta MSGID_NOFQDN1 __MSGID_NOFQDN1 +describe MSGID_NOFQDN1 Message-ID with no domain name +##} MSGID_NOFQDN1 ##{ MSM_PRIO_REPTO @@ -2811,12 +2961,6 @@ tflags MSM_PRIO_REPTO publish meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106) ##} MSOE_MID_WRONG_CASE -##{ NAME_EMAIL_DIFF - -meta NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL -describe NAME_EMAIL_DIFF Sender NAME is an unrelated email address -##} NAME_EMAIL_DIFF - ##{ NA_DOLLARS body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i @@ -2846,6 +2990,13 @@ describe NICE_REPLY_A Looks like a legit reply (A) tflags NICE_REPLY_A nice ##} NICE_REPLY_A +##{ NORDNS_LOW_CONTRAST + +meta NORDNS_LOW_CONTRAST __NORDNS_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_CID && !__THREADED +describe NORDNS_LOW_CONTRAST No rDNS + hidden text +#score NORDNS_LOW_CONTRAST 2.500 # limit +##} NORDNS_LOW_CONTRAST + ##{ NOT_SPAM body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i 
@@ -2936,12 +3087,12 @@ describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more endif ##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader -##{ PDS_BRAND_SUBJ_NAKED_TO +##{ PDS_BAD_THREAD_QP_64 -meta PDS_BRAND_SUBJ_NAKED_TO __NAKED_TO && __PDS_TO_BRAND_SUBJECT && !MAILING_LIST_MULTI -describe PDS_BRAND_SUBJ_NAKED_TO Subject starts with To: brand and naked To: -#score PDS_BRAND_SUBJ_NAKED_TO 1.0 -##} PDS_BRAND_SUBJ_NAKED_TO +meta PDS_BAD_THREAD_QP_64 __PDS_QP_64 && __HAS_THREAD_INDEX && !__THREAD_INDEX_GOOD +describe PDS_BAD_THREAD_QP_64 Bad thread header - short QP +#score PDS_BAD_THREAD_QP_64 1.0 +##} PDS_BAD_THREAD_QP_64 ##{ PDS_BTC_ID @@ -2964,6 +3115,28 @@ describe PDS_DBL_URL_TNB_RUNON Double-url and To no arrows, from runon #score PDS_DBL_URL_TNB_RUNON 2.0 ##} PDS_DBL_URL_TNB_RUNON +##{ PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + +ifplugin Mail::SpamAssassin::Plugin::WLBLEval +if (version >= 3.004000) +meta PDS_EMPTYSUBJ_URISHRT __URL_SHORTENER && __SUBJECT_EMPTY && __PDS_MSG_1024 +describe PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener +#score PDS_EMPTYSUBJ_URISHRT 1.5 # limit +endif +endif +##} PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + +##{ PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + +ifplugin Mail::SpamAssassin::Plugin::WLBLEval +if (version >= 3.004000) +meta PDS_FREEMAIL_REPLYTO_URISHRT __URL_SHORTENER && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048 +describe PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener +#score PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit +endif +endif +##} PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + ##{ PDS_FRNOM_TODOM_DBL_URL meta PDS_FRNOM_TODOM_DBL_URL PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL 
@@ -2993,27 +3166,55 @@ describe PDS_HELO_SPF_FAIL High profile HELO that fails SPF tflags PDS_HELO_SPF_FAIL net ##} PDS_HELO_SPF_FAIL -##{ PDS_RDNS_DYNAMIC_FP +##{ PDS_HP_HELO_NORDNS -meta PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC && !__PDS_RDNS_MTA -#score PDS_RDNS_DYNAMIC_FP 0.01 -describe PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC with FP steps -##} PDS_RDNS_DYNAMIC_FP +meta PDS_HP_HELO_NORDNS RDNS_NONE && __HELO_HIGHPROFILE +describe PDS_HP_HELO_NORDNS High profile HELO with no sender rDNS +#score PDS_HP_HELO_NORDNS 1.0 +##} PDS_HP_HELO_NORDNS -##{ PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE +##{ PDS_NAKED_TO_NUMERO -meta PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE FREEMAIL_FORGED_REPLYTO && __PDS_TONAME_EQ_TOLOCAL -describe PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE Forged replyto and __PDS_TONAME_EQ_TOLOCAL -#score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 2.0 # limit -##} PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE +meta PDS_NAKED_TO_NUMERO __NAKED_TO && __NUMBERONLY_TLD +describe PDS_NAKED_TO_NUMERO Naked-to, numberonly domain +#score PDS_NAKED_TO_NUMERO 2.0 +##} PDS_NAKED_TO_NUMERO -##{ PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) +##{ PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) - meta PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER - describe PDS_TO_EQ_FROM_NAME 
From: name same as To: address +if (version >= 3.004002) +ifplugin Mail::SpamAssassin::Plugin::WLBLEval +header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD') +#score PDS_OTHER_BAD_TLD 2.0 +describe PDS_OTHER_BAD_TLD Untrustworthy TLDs +endif +endif +##} PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval + +##{ PDS_PHP_EVAL + +meta PDS_PHP_EVAL __PDS_PHP_EVAL1 +describe PDS_PHP_EVAL PHP header shows eval'd code +#score PDS_PHP_EVAL 1.5 +##} PDS_PHP_EVAL + +##{ PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + +ifplugin Mail::SpamAssassin::Plugin::WLBLEval +if (version >= 3.004000) +meta PDS_TINYSUBJ_URISHRT __URL_SHORTENER && __SUBJ_SHORT && __PDS_MSG_1024 +describe PDS_TINYSUBJ_URISHRT Short subject with URL shortener +#score PDS_TINYSUBJ_URISHRT 1.5 # limit endif -##} PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) +endif +##} PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + +##{ PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE + +meta PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE __PDS_TONAME_EQ_TOLOCAL && __HDRS_LCASE +describe PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE To: name matches everything in local email - LCASE headers +#score PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE 2.0 # limit +##} PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE ##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader @@ -3069,6 +3270,13 @@ describe PHP_ORIG_SCRIPT Sent by bot & other signs tflags PHP_ORIG_SCRIPT publish ##} PHP_ORIG_SCRIPT +##{ PHP_ORIG_SCRIPT_EVAL + +meta PHP_ORIG_SCRIPT_EVAL __PHP_ORIG_SCRIPT_EVAL +describe PHP_ORIG_SCRIPT_EVAL From suspicious PHP source +#score PHP_ORIG_SCRIPT_EVAL 3.000 # limit +##} PHP_ORIG_SCRIPT_EVAL + ##{ PHP_SCRIPT meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT 
@@ -3224,6 +3432,13 @@ describe RCVD_DOTEDU_SHORT Via .edu MTA + short message tflags RCVD_DOTEDU_SHORT publish ##} RCVD_DOTEDU_SHORT +##{ RCVD_DOTEDU_SUSP + +meta RCVD_DOTEDU_SUSP __RCVD_DOTEDU_SUSP && !__HAS_X_LOOP && !__HAS_X_REF +describe RCVD_DOTEDU_SUSP Via .edu MTA + suspicious content +#score RCVD_DOTEDU_SUSP 2.000 # limit +##} RCVD_DOTEDU_SUSP + ##{ RCVD_DOTEDU_SUSP_URI meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI @@ -3243,6 +3458,15 @@ describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam) header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s ##} RCVD_FORGED_WROTE2 +##{ RCVD_IN_IADB_COURT ifplugin Mail::SpamAssassin::Plugin::DNSEval + +ifplugin Mail::SpamAssassin::Plugin::DNSEval +header RCVD_IN_IADB_COURT eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.130') +describe RCVD_IN_IADB_COURT IADB: Court-ordered email +tflags RCVD_IN_IADB_COURT net nice +endif +##} RCVD_IN_IADB_COURT ifplugin Mail::SpamAssassin::Plugin::DNSEval + ##{ RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval @@ -3306,6 +3530,15 @@ tflags RCVD_IN_IADB_GOODMAIL net nice endif ##} RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval +##{ RCVD_IN_IADB_LEG_MAND ifplugin Mail::SpamAssassin::Plugin::DNSEval + +ifplugin Mail::SpamAssassin::Plugin::DNSEval +header RCVD_IN_IADB_LEG_MAND eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.120') +describe RCVD_IN_IADB_LEG_MAND IADB: Legally mandated email +tflags RCVD_IN_IADB_LEG_MAND net nice +endif +##} RCVD_IN_IADB_LEG_MAND ifplugin Mail::SpamAssassin::Plugin::DNSEval + ##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval ifplugin Mail::SpamAssassin::Plugin::DNSEval 
@@ -3523,12 +3756,6 @@ describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious h tflags RDNS_NUM_TLD_XM publish ##} RDNS_NUM_TLD_XM -##{ READY_TO_SHIP - -body READY_TO_SHIP /(?:(?:in our (?:stock|warehouse|store|storage facility)(?: today| now| right away)?[.,:]\s|our (?:\w+,? ){2,8}(?:is |now )+)Ready (?:to (?:be )?|for )+(?:ship|send|deliver)|ready (?:for shipping|to (?:ship|send)) (?:(?:in|from|by) our (?:warehouse|stock|stor(?:e|age))|(?:to|for)(?: global(?:ly)?| worldwide| customers){2})|(?:(?:our|this|a|great|fine|wonderful|cool|popular) new product|we have(?: \w+){1,6} available|ready) in (?:our )?(?:warehouse|stock|stor(?:e|age))|just arrived in our (?:warehouse|stor(?:e|age))|we will (?:contact the (?:warehouse|logistics|store|storage(?: facility)) to )?arrange (?:the )?(?:shipment|delivery)|a new (?:\w+ ){1,3}in our (?:warehouse|storage)|this (?:new )?(?:merchandise|product|item) is (?:now )?(?:ready (?:to ship )?|available )(?:at|in|from) our (?:warehouse|stock|stor(?:e|age)))/i -#score READY_TO_SHIP 1.250 # limit -##} READY_TO_SHIP - ##{ REPLYTO_WITHOUT_TO_CC meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS) 
@@ -3536,7 +3763,7 @@ meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS) ##{ REPTO_419_FRAUD -header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:ibrahimtafa)\@abienceinvestmentsfze\.com|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:jessikasingh|lawmensa|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:jefferson)\@athenaeumbd\.com|(?:(?:bllphillips|desousafam05))\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:cbn)\@cbofficialmail\.cf|(?:2015(?:5765|648[48]))\@ce\.pucmm\.edu\.do|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:mundo_seguros)\@contorli\.site|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:brunoso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|i(?:lanasoloshneor|nfo90000)|joseramonjr1|mynewmission|r(?:e(?:cove
red\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))|onconway)))\@daum\.net|(?:blythemasters)\@digitalassetholding\.org|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|facebook\.instructor|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|walter_anderson))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:juliairis)\@gmx\.net|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:christgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:bo_li)\@imgrantfunds\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|m(?:\.wood|ingmui0012)|offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.
net|(?:info)\@intarpol-int\.online|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|kateclough1|mriamchombo1968))\@mail\.com|(?:ayishagddafio?)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:managing\-director_schaefflergroup)\@mariaelisabeth\.gisb\.com\.my|(?:doo\.yusin)\@matherline-trade\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:lindsaytrembley)\@oimail\.com|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:info)\@onlinepch\.com|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|
uncch\-info))\@post\.com|(?:martinahrivnakova)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:(?:charitylisajohnrobinson700|leonardbain|stwrightsmaxinvestment))\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|garethbull808|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:msn)\@resrubini\.com|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:clory)\@technet\.it|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:info\.(?:clev\.frb|imfamerica)|policyaddmin\.file))\@usa\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:
arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:laprimitivaes)\@zohomail\.eu)$/i +header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:ibrahimtafa)\@abienceinvestmentsfze\.com|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:attorneygeorgewalter|jessikasingh|lawmensa|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:jefferson)\@athenaeumbd\.com|(?:(?:bllphillips|desousafam05))\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:judith_faulkner63)\@cash4u\.com|(?:cbn)\@cbofficialmail\.cf|(?:201(?:47237|5(?:5765|648[48])))\@ce\.pucmm\.edu\.do|(?:gregwingo)\@cheapnet\.i
t|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:mundo_seguros)\@contorli\.site|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:investmentfince\.com|lottery(?:\.support|usa\.com)))\@cpn\.it|(?:(?:angelicainiguez|brunoso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|i(?:lanasoloshneor|nfo90000)|joseramonjr1|mynewmission|r(?:e(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))|onconway)))\@daum\.net|(?:info)\@dieterchwarz-charity\.com|(?:blythemasters)\@digitalassetholding\.org|(?:jorgezalesky)\@diplomats\.com|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:health\-support)\@drjohnashworthherbalmeds\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|facebook\.in(?:structor|tructor)|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|
(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|w(?:alter_anderson|esternunionrespond)))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:juliairis)\@gmx\.net|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:christgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:bo_li)\@imgrantfunds\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|m(?:\.wood|ingmui0012)|offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:info)\@intarpol-int\.online|(?:jacek_urbanski)\@irishdoorsystemsltd\.com|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:contactme)\@jimmyofficial\.info|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|lotteryusa\.com|paulagonzalez|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:bjic)\@mail2one\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|kateclough1|mriamchombo1968|philiproger101))\@mail\.com|(?:ayishagddafio?)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamsch
urch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:managing\-director_schaefflergroup)\@mariaelisabeth\.gisb\.com\.my|(?:doo\.yusin)\@matherline-trade\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:benoitdageville2023|nancytseling|reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:info)\@officepch\.com|(?:lindsaytrembley)\@oimail\.com|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:info)\@onlinepch\.com|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:info)\@ousos-elearning\.com|(?:schaefflermariaelisabeth)\@outlook\.de|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:martinahrivnakova)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:(?:charitylisajohnrobinson700|leonardbain|noelldosi|stwrightsmaxinvestment))\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|garethbull808|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:trust\-wallet)\@redirectionsdepartment\.xyz|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:msn)\@resrubini\.com|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:deputygov_kuben)\@safrica\.com|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.c
om|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:clory)\@technet\.it|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:david\.r\.malpass|info\.(?:clev\.frb|imfamerica)|kristinewellensteinn|policyaddmin\.file))\@usa\.com|(?:team)\@veraphanteepsuwan\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:laprimitivaes)\@zohomail\.eu)$/i describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD 3.000 tflags REPTO_419_FRAUD publish 
@@ -3544,7 +3771,7 @@ tflags REPTO_419_FRAUD publish ##{ REPTO_419_FRAUD_AOL -header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:brajjohn|f\.2[06]|ljaber111|meliageorge|nd(?:_bley|rew_hans)|rthur\.alan)|b(?:a(?:anidleewy|rr_luc)|claimdept)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|laimdept21|ristinabruno38|ustom_service58)|d(?:avid\.kms|hodgkins001|ianwaynie)|e(?:ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|isarobinson5\.0|orrainewirangee|ynnpage44)|m(?:_l\.wanczyk62|a(?:sayohara21|viswanczyk[do])|rs(?:isabelladzsesszika|janetedwards0001|safiagaddafi))|officework172|p(?:aulpollard2|otfolio\.management)|royalpalace2018|s(?:\.fofo|afiiagadafi|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|wattson\.renwick|yurdaaytarkan5))\@aol\.com$/i +header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:brajjohn|f\.2[06]|gneselizabethgiftfoundationssss|ljaber111|meliageorge|nd(?:_bley|rew_hans)|rthur\.alan)|b(?:a(?:anidleewy|rr_luc)|claimdept)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|laimdept21|ristinabruno38|ustom_service58)|d(?:avid\.kms|hodgkins001|ianwaynie)|e(?:ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|info\.dieter_charity|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|isarobinson5\.0|orrainewirangee|ynnpage44)|m(?:_l\.wanczyk62|a(?:sayohara21|viswanczyk[do])|rs(?:isabelladzsesszika|janetedwards0001|safiagaddafi))|officework172|p(?:aulpollard2|otfolio\.management)|royalpalace2018|s(?:\.fofo|afiiagadafi|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|wattson\.renwick|yurdaaytarkan5))\@aol\.com$/i describe REPTO_419_FRAUD_AOL Reply-To is known advance fee fraud 
collector mailbox #score REPTO_419_FRAUD_AOL 3.000 tflags REPTO_419_FRAUD_AOL publish 
@@ -3568,7 +3795,7 @@ tflags REPTO_419_FRAUD_CNS publish ##{ REPTO_419_FRAUD_GM -header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|7912richardtony|9porssts9|a(?:\.wafager1|b(?:d(?:97412345|u(?:kfahim|llahmundani019))|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976(?:algaddafi|gaddafi25)|gaddafiaam)|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|ure\.wawrenka1472)|m(?:bassadormarybethleonardl4|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:hony(?:alvaradollc|jblinken61)|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|ttohlawoffice\.tg|ustinbillmark9|w1614860|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|clarkephillips(?:2(?:02|4)|4[59])|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195))|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:a(?:pinolly|rtwrighttownhomesllc)|claimsa|elicerez|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavisdonation1))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|
ydan24532))|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|kaltschmidtmaureend|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|hsdevice|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick)|u(?:nsilva58|stinmoskovitz\.2facebook)|v\.metus)|e(?:benezero392|christina937|drunity|l(?:i(?:bethgomez(?:175|499)|sabethmaria600|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|p462558|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|iscamendoza960)|k(?:j(?:ane984|wangg)|linpiesie6)))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016))|b(?:528796|ill4880)|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|i(?:idp955|ocastano21)|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen)|h(?:a(?:r(?:gate2909|ryebert101)|s(?:h(?:imyreem78|mireem801)|sanalshujairy))|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321))|g(?:8669000|old8080)|i(?:ldad837|toshurui)|o(?:nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|bed627|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|ttcuckk)|gridrolle2)|rvinekim67|smail(?:eman874
|tarkan533))|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esokoh82)|n(?:nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b(?:5406424|lsuntrust)|c2222222rrr|e(?:fferydean1960|nniannjhsonn|robtt)|josvu|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:athanhaskel377|hugo1964|monkssa)|seph(?:acevedo024|babatunde192|ichael41)|vannyanderson001|yce00011)|rawlings007|s4fernado|uliewatson975|w6935997)|k(?:a(?:dulinayulii(?:ia|a)|l(?:iaksandr5|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|rnkl1109|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|onidasresearch|rynne(?:0west99|west2289))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|nelink008|sa(?:milner001|robin117))|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran6(?:30|56)|uelfranco(?:727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26|tinesecurityusa)|kroth456|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|thewriaanza|u(?:hin52|noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt)|brons667|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal
(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|ss(?:\.(?:melisa\.mehmett|yasmineibrahim101)|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati)|nmalarge|oham(?:edabdul1717|m(?:daljililati1|edshamekh24))|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee)|cjames001|d517341|eric(?:franck|schmid4002)|hanimuhammad627|jamesmc6|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|olsenjanett|su(?:sanread12|zarawanmaling))|a(?:ishaalqadafi1976|ngela454)|catherineyokes|dominiquethomas7777|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|lleach)|lisamilner08|m(?:a(?:ureens847|yaoliver31)|ugan)|r(?:eem362|obinsanders185|uthsmith9900)|sarahbenjamin103|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|viktorzubkovv)|s(?:\.ellagolan56|agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffic(?:e(?:\.012123|rricherd876|windowterms)|ialserviceuae)|hallkenneth1|marinyandeng|nufoundationclaims|pcwkdw|xfaminternationa1980)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018))|b(?:ph202lay2|rookk0)|e(?:130304|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|olloke|r(?:imecapitalfianceltd|o1nvstream)|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymondaba200)|e(?:alyh596|beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|icha(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|josh200000|main2028|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.eri
cmark05|honrichardshepherd)|u(?:ddicklana561|ssiaworldcuppromo))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid(?:09|7000))|nchoscozfifa|rfiafarfask7)|cott(?:henryjames91|peters7989)|e(?:cretservicce[78]|rgeantrobertbrown1)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler2009)|ery(?:\.gtl131|etr03)|inawatrathaksin93)|im(?:lkheng5|onhei47)|op(?:adam3|hiajesse41)|peelman1972|t(?:anleyjohn1469|e(?:phen(?:7tam|tam1(?:47|6))|venchamberonline))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:a(?:mmywebster24|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|erryparkins11|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:derleyen52|kponguko|marukareem8|n(?:claimedfunds554|itednation(?:organization70|s(?:8182|councilrefunds)))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|c5000dle|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iamsmartyrs888))|kfinancialservice|orldbankregionalmanageroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|o(?:ngkm00|usefzongo5722))|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i +header REPTO_419_FRAUD_GM Reply-To:addr =~ 
/^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|1magnumsecuritiesllc|7912richardtony|9porssts9|a(?:\.wafager1|b(?:d(?:97412345|u(?:kfahim|llahmundani019))|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976(?:algaddafi|gaddafi25)|gaddafi(?:aam|sdaughter))|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|icedoris0000|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|ure\.wawrenka1472)|m(?:bassadormarybethleonardl4|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:hony(?:alvaradollc|jblinken61)|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|t(?:mcarddepartment0024|tohlawoffice\.tg)|ustinbillmark9|w1614860|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|clarkephillips(?:2(?:02|4)|4[59])|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195)|tsyholden940)|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:1nicele|a(?:pinolly|rtwrighttownhomesllc)|claimsa|elicerez|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavis(?:donation1|foundation0101)))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|
tukannuarbinmusa|vi(?:d(?:\.loanfirm18|kaltschmidtmaureend|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|hsdevice|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick)|u(?:breuilgmbh|nsilva58|stinmoskovitz\.2facebook)|v\.metus|willslevens)|e(?:benezero392|christina937|drunity|l(?:i(?:bethgomez(?:175|499)|sabeth(?:gmuer11|maria600)|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|ngr\.des01|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|p462558|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|iscamendoza960)|k(?:j(?:ane984|ody2|wangg)|linpiesie6)))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016))|b(?:528796|ill4880)|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|i(?:idp955|ocastano21)|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen|w522834)|h(?:a(?:r(?:gate2909|ryebert101)|s(?:h(?:imyreem78|mireem801)|sanalshujairy)|uperthilbigbeate|zimissa03)|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321))|g(?:8669000|old8080)|i(?:ldad837|toshurui)|o(?:nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|b(?:ed627|rahimelizabeth654)|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|marviswanczyk360|ulmusau)|64240|a
sminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|t(?:ech4st255|tcuckk))|gridrolle2)|rvinekim67|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esokoh82)|n(?:nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b(?:5406424|lsuntrust)|c2222222rrr|e(?:fferydean1960|nniannjhsonn|robtt)|josvu|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|nietaylor242|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:athanhaskel377|hugo1964|monkssa)|seph(?:acevedo024|babatunde192|ichael41)|vannyanderson001|yce00011)|rawlings007|s4fernado|u(?:liewatson975|sticellawgroup)|w6935997)|k(?:a(?:dulinayulii(?:ia|a)|l(?:iaksandr5|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|r(?:istinewellenstein024|nkl1109)|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|onidasresearch|rynne(?:0west99|west(?:2289|5412)))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|nelink008|sa(?:milner001|robin117))|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|s(?:arbn01|chantal86)|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran6(?:30|56)|uelfranco(?:727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26|tinesecurityusa)|kroth456|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|thewriaanza|u(?:hin52|noveutileina|rhinck11?)|viswan(?:142|czyk(?
:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt)|brons667|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:aniekreiss1971|lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|ntonjustin98|ss(?:\.(?:aminaibrahim|melisa\.mehmett|yasmineibrahim101)|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati|rstephen16)|nmalarge|oham(?:edabdul1717|m(?:daljililati1|edshamekh24))|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee)|cjames001|d517341|eric(?:franck|schmid4002)|hanimuhammad627|jamesmc6|morgangomez56|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|marinakuznetsov|olsenjanett|su(?:sanread12|zarawanmaling))|a(?:ishaalqadafi1976|ngela454|shaalqaddfi117)|catherineyokes|dominiquethomas7777|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|lleach)|lisamilner08|m(?:a(?:riaelizabethscheffle98|ureens847|yaoliver31)|ugan)|r(?:eem362|obinsanders185|uthsmith9900)|sarahbenjamin103|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|viktorzubkovv)|s(?:\.ellagolan56|agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffic(?:e(?:\.012123|rricherd876|windowterms)|ialserviceuae)|hallkenneth1|lenasheve73|marinyandeng|nufoundationclaims|pcwkdw|xfaminternationa1980)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018))|b(?:ph202lay2|rookk0)|e(?:130304|ndingredirections|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|olloke|r(?:imecapitalfianceltd|o1nvstream)|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymondaba200)|e(?:alyh596|beccagarang11|em(?
:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|icha(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|josh200000|main2028|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ddicklana561|ssiaworldcuppromo))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid(?:09|7000))|nchoscozfifa|rfiafarfask7)|cott(?:henryjames91|peters7989)|e(?:cretservicce[78]|rgeantrobertbrown1)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler(?:2009|3))|ery(?:\.gtl131|etr03)|inawatrathaksin93)|im(?:lkheng5|onhei47)|op(?:adam3|hiajesse41)|p(?:agentrose|eelman1972)|t(?:anleyjohn1469|e(?:phen(?:7tam|tam1(?:47|6))|venchamberonline))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:a(?:mmywebster24|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|e(?:nreyrosilvana54|rryparkins11)|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:derleyen52|kponguko|marukareem8|n(?:claimedfunds554|ited(?:bankforafrica\.plc102|nation(?:organization70|s(?:8182|councilrefunds))))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|johannes271|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|c5000dle|ellensteinfoundation251|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iamsmartyrs888))|kfinancialservice|orldbankregionalmana
geroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|inglukshinawtra|o(?:ngkm00|usefzongo5722))|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_GM 3.000 tflags REPTO_419_FRAUD_GM publish @@ -3584,7 +3811,7 @@ tflags REPTO_419_FRAUD_GM_LOOSE publish ##{ REPTO_419_FRAUD_HM -header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|licewalton7653|n(?:ikal01|nagray00)|zezul\.idrisazezulidris)|c(?:h(?:angxinjuan|oi21)|laytousey)|d(?:l13139|r\.dukanalycoulibaly)|egorbunova22|faxttransfer\.skyebk\.service\.care\.th|infos(?:43|8)|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|ulihongm)|mr(?:abrahambeniamfc|pedrohilldonations|s(?:\.chantal_bill|micheleallison2003))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|powen10001|quickcashloansservices|s(?:a(?:jda\.andleeb|nchamps798)|ulaimaninfante)|t(?:ashacap|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i +header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|licewalton7653|n(?:ikal01|nagray00)|zezul\.idrisazezulidris)|c(?:h(?:angxinjuan|oi21)|laytousey)|d(?:ealings100|l13139|r\.dukanalycoulibaly)|egorbunova22|f(?:axttransfer\.skyebk\.service\.care\.th|ridmanmikhail511)|infos(?:43|8)|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|ulihongm)|m(?:oneygrampayfund|r(?:abrahambeniamfc|pedrohilldonations|s(?:\.chantal_bill|micheleallison2003)))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|powen10001|quickcashloansservices|s(?:a(?:jda\.andleeb|nchamps798)|tuboardgntdirector|ulaimaninfante)|t(?:a(?:baka_williamshsbbc|shacap)|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_HM 3.000 tflags REPTO_419_FRAUD_HM publish 
@@ -3592,7 +3819,7 @@ tflags REPTO_419_FRAUD_HM publish ##{ REPTO_419_FRAUD_OL -header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|b(?:rahamwilliamsonrpsltduk|s0000200)|lbertchebe|ndrewgamble7)|b(?:asidris|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|k(?:aujong|officollins)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:_elizabeth20|michelleallison|roseallen))|spvt2020)|philcohen0012|r(?:ichardwahlfreegrant|obertleeonly01)|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i +header REPTO_419_FRAUD_OL Reply-To:addr =~ 
/^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|b(?:rahamwilliamsonrpsltduk|s0000200)|lbertchebe|ndrewgamble7)|b(?:asidris|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn|rancescogaetano01)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|k(?:aujong|officollins)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:\.olhaoschad|_elizabeth20|michelleallison|roseallen))|spvt2020)|olhalytvynenko20|philcohen0012|r(?:ichardwahlfreegrant|obertleeonly01)|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_OL 3.000 tflags REPTO_419_FRAUD_OL publish 
@@ -3616,7 +3843,7 @@ tflags REPTO_419_FRAUD_QQ publish ##{ REPTO_419_FRAUD_YH -header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|ilmohammed11|lesiakalina2006|mbassador\.l|nnhester\.usa4)|b(?:a(?:che\.delfine|nk\.phbng14|rr\.thomasclark)|en(?:jaminb34|nicholas22)|illlawrenceee|riceangela45)|c(?:\.aroline90|abinet_maitre_emmanuel_patris|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|ontelamine|ythiamiller\.un10)|d(?:hamilton9099|r(?:_raymondfung|kobiorah|obiorahkenneth|victorobaji))|e(?:denvictor71|ricalbert24)|f(?:bicompensation_funds|ederal\.r73)|i(?:\.project33411|befranfgnfmf|nfomoney|project32411)|j(?:a(?:ckson\.davis915|netemoon150)|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:altschmidtdavid8|elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555)|o(?:an\.assist|rrainewirengee)|y_cheapiseth(?:11|2019))|m(?:\.kogi81|a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis4004|o(?:hammedaahil46|keye79)|rs(?:\.esthernicolas|isabella\.dzesszikan)|s\.gracie_olakun)|o(?:legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|o(?:bertbailey2004|serichard655))|s(?:amthong4040|igurlauganna34|leo25|opheap\.munny|pwalker101|te(?:fanopessina573|vecox\.98))|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|vanserge2001|will(?:clark0010|smi68)|xianglongdai60|zhaodonghk))\@yahoo\.com$/i +header REPTO_419_FRAUD_YH Reply-To:addr =~ 
/^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|ilmohammed11|lesiakalina2006|mbassador\.l|nnhester\.usa4)|b(?:a(?:che\.delfine|nk\.phbng14|rr\.thomasclark)|e(?:linekra1144|n(?:jaminb34|nicholas22))|illlawrenceee|riceangela45)|c(?:\.aroline90|abinet_maitre_emmanuel_patris|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|ontelamine|ythiamiller\.un10)|d(?:hamilton9099|r(?:_raymondfung|kobiorah|obiorahkenneth|victorobaji))|e(?:denvictor71|ricalbert24)|f(?:bicompensation_funds|ederal\.r73)|i(?:\.project33411|befranfgnfmf|nfomoney|project32411)|j(?:a(?:ckson\.davis915|netemoon150)|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:altschmidtdavid8|elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555)|o(?:an\.assist|rrainewirengee)|y_cheapiseth(?:11|2019))|m(?:\.kogi81|a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis4004|o(?:hammedaahil46|keye79)|rs(?:\.esthernicolas|isabella\.dzesszikan)|s\.gracie_olakun)|o(?:biorahkenneth8|legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|o(?:bertbailey2004|serichard655))|s(?:amthong4040|igurlauganna34|leo25|opheap\.munny|pwalker101|te(?:fanopessina573|vecox\.98))|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|vanserge2001|will(?:clark0010|smi68)|xianglongdai60|zhaodonghk))\@yahoo\.com$/i describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_YH 3.000 tflags REPTO_419_FRAUD_YH publish 
@@ -3632,7 +3859,7 @@ tflags REPTO_419_FRAUD_YH_LOOSE publish ##{ REPTO_419_FRAUD_YJ -header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|oneygram100|rs_chen_00001)|r(?:acheljude000|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i +header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|oneygram100|rs_chen_00001)|officefile_0112|r(?:acheljude000|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i describe REPTO_419_FRAUD_YJ Reply-To is known advance fee fraud collector mailbox #score REPTO_419_FRAUD_YJ 3.000 tflags REPTO_419_FRAUD_YJ publish @@ -3653,6 +3880,12 @@ meta REPTO_INFONUMSCOM __REPTO_INFONUMSCOM tflags REPTO_INFONUMSCOM publish ##} REPTO_INFONUMSCOM +##{ RISK_FREE + +meta RISK_FREE __FRAUD_IOV && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__SUBSCRIPTION_INFO && !__HS_SUBJ_RE_FW && !__LCL__ENV_AND_HDR_FROM_MATCH +describe RISK_FREE No risk! +##} RISK_FREE + ##{ SB_GIF_AND_NO_URIS meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL) 
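Review bot: The added `meta RISK_FREE` line in the `@@ -3653,6 +3880,12 @@` hunk depends on seven subrules defined outside the hunk, six of them negated, and nothing visible here shows that all of them ship in the imported rule set. As far as I know SpamAssassin treats an undefined name in a meta expression as 0, so a missing `__LCL__ENV_AND_HDR_FROM_MATCH` or `__VIA_ML` would not raise an error; the exemption would simply stop applying and the rule would hit more mail. The same question applies to `!T_SCC_IS_DMARC_REP` in the added `SCC_BODY_URI_ONLY` and to the negated terms of `SHORTENER_SHORT_SUBJ` in later hunks. Before shipping I would run `spamassassin --lint` on the updated rule directory and grep the imported files for a definition of each referenced name. Because this file is imported from upstream, a missing definition is better fixed by pulling the matching upstream file than by editing this one.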
@@ -3660,9 +3893,16 @@ meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL) ##{ SCC_BODY_SINGLE_WORD -meta SCC_BODY_SINGLE_WORD T_SCC_BODY_TEXT_LINE < 2 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1) +meta SCC_BODY_SINGLE_WORD T_SCC_BODY_TEXT_LINE < 2 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1) +describe SCC_BODY_SINGLE_WORD Message body seems like one word ##} SCC_BODY_SINGLE_WORD +##{ SCC_BODY_URI_ONLY + +meta SCC_BODY_URI_ONLY T_SCC_BODY_TEXT_LINE < 2 && __HAS_ANY_URI && !__SMIME_MESSAGE && !T_SCC_IS_DMARC_REP +describe SCC_BODY_URI_ONLY Very short body with something maybe clickable +##} SCC_BODY_URI_ONLY + ##{ SCC_CANSPAM_1 describe SCC_CANSPAM_1 Interesting compliance language @@ -3703,7 +3943,7 @@ tflags SCC_ISEMM_LID_1A publish ##{ SCC_ISEMM_LID_1B describe SCC_ISEMM_LID_1B Genericized spammer fingerprint -header SCC_ISEMM_LID_1B X-Mailer-LID =~ /([56][0-9],)+/ +header SCC_ISEMM_LID_1B X-Mailer-LID =~ /(?:[56][0-9],)+/ tflags SCC_ISEMM_LID_1B publish #score SCC_ISEMM_LID_1B 1.5 ##} SCC_ISEMM_LID_1B @@ -3717,7 +3957,7 @@ body SCC_SPAMMER_ADDR_2 /6130 W Flamingo Rd/ ##{ SCC_SPECIAL_GUID describe SCC_SPECIAL_GUID Unique in a similar way -rawbody SCC_SPECIAL_GUID /^([[:xdigit:]]{8})-([[:xdigit:]]{4})-([[:xdigit:]]{3})-\3-([[:xdigit:]]{12})$/m +rawbody SCC_SPECIAL_GUID /^[[:xdigit:]]{8}-[[:xdigit:]]{4}-([[:xdigit:]]{3})-\1-[[:xdigit:]]{12}$/m tflags SCC_SPECIAL_GUID publish multiple maxhits=15 ##} SCC_SPECIAL_GUID 
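Review bot: In the `@@ -3703,7 +3943,7 @@` hunk the rewritten pattern `/(?:[56][0-9],)+/` is still unanchored, so the `+` changes nothing about what matches. Any `X-Mailer-LID` value that contains one `[56][0-9],` anywhere will hit, including inside a longer number such as a constructed `1250,`. If the fingerprint is meant to be a list made up only of 50–69 values, the pattern needs an anchor, e.g. `/^(?:[56][0-9],)+/`; if a single occurrence is enough, `/[56][0-9],/` states that more plainly. The intent is not visible from the hunk, so this is a question for the rule's author upstream rather than a local edit.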
@@ -3749,12 +3989,6 @@ endif endif ##} SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval -##{ SERGIO_SUBJECT_VIAGRA01 - -header SERGIO_SUBJECT_VIAGRA01 Subject =~ /v[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9 ]{0,3}g[^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}a/i -describe SERGIO_SUBJECT_VIAGRA01 Viagra garbled subject -##} SERGIO_SUBJECT_VIAGRA01 - ##{ SHOPIFY_IMG_NOT_RCVD_SFY meta SHOPIFY_IMG_NOT_RCVD_SFY __SHOPIFY_IMG_NOT_RCVD_SFY && !MIME_QP_LONG_LINE && !__RCD_RDNS_MTA_MESSY && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_ORGANIZATION && !__RCD_RDNS_OB && !__DOS_LINK @@ -3771,6 +4005,13 @@ describe SHORTENER_SHORT_IMG Short HTML + image + URL shortener tflags SHORTENER_SHORT_IMG publish ##} SHORTENER_SHORT_IMG +##{ SHORTENER_SHORT_SUBJ + +meta SHORTENER_SHORT_SUBJ __SHORTENER_SHORT_SUBJ && !__DOS_HAS_LIST_UNSUB && !__HAS_LIST_ID && !__HDR_RCVD_GOOGLE && !__XPRIO +describe SHORTENER_SHORT_SUBJ URL shortener (avoiding URIBL?) + short subject +#score SHORTENER_SHORT_SUBJ 3.000 # limit +##} SHORTENER_SHORT_SUBJ + ##{ SHORT_HELO_AND_INLINE_IMAGE meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH) 
@@ -3789,17 +4030,56 @@ endif endif ##} SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval +##{ SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + +ifplugin Mail::SpamAssassin::Plugin::WLBLEval +if (version >= 3.004000) +meta SHORT_SHORTNER __PDS_MSG_512 && __URL_SHORTENER && !DRUGS_ERECTILE +describe SHORT_SHORTNER Short body with little more than a link to a shortener +#score SHORT_SHORTNER 2.0 # limit +endif +endif +##} SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) + ##{ SHORT_TERM_PRICE -body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i +body SHORT_TERM_PRICE /short\W+term\W+(?:target|projected)(?:\W+price)?/i ##} SHORT_TERM_PRICE +##{ SHY_OBFU_EXPIRE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags + +ifplugin Mail::SpamAssassin::Plugin::ReplaceTags + meta SHY_OBFU_EXPIRE __SHY_OBFU_EXPIRE + describe SHY_OBFU_EXPIRE Obfuscation, probable phishing +# score SHY_OBFU_EXPIRE 4.000 # limit + tflags SHY_OBFU_EXPIRE publish +endif +##} SHY_OBFU_EXPIRE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags + +##{ SHY_OBFU_PASSWORD ifplugin Mail::SpamAssassin::Plugin::ReplaceTags + +ifplugin Mail::SpamAssassin::Plugin::ReplaceTags + meta SHY_OBFU_PASSWORD __SHY_OBFU_PASSWORD + describe SHY_OBFU_PASSWORD Obfuscation, probable phishing +# score SHY_OBFU_PASSWORD 4.000 # limit + tflags SHY_OBFU_PASSWORD publish +endif +##} SHY_OBFU_PASSWORD ifplugin Mail::SpamAssassin::Plugin::ReplaceTags + ##{ SPAMMY_XMAILER meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4) describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham ##} SPAMMY_XMAILER +##{ SPAM_CWINDOWSNET + +uri SPAM_CWINDOWSNET 
m;^https?://(?=[^/]+\.(?:blob|web)\.core\.windows\.net)(?:(?:aaaabbbbcdertfer(?:131|34)|b(?:9jwpncnsz2cg5bpbojgl|bbbccccddester61|dkbazmjnlvajmjjszdc|ulkma(?:ilmanager(?:im|snrperk|m)|nhegeteam))|calivokavoaka|d(?:fjmteeymhimuokqbwio|sfgdfgsdfg)|e(?:6tidwa3xtdxsxrv6fevh|fnzewdwwwxdormvkltxqj|riogsnkdqsdqsd32l|wialtlgncnagaebsuohhsz)|greatetchtoaitechnologyh|linkbulkmailpromanager|n(?:6w479nhk1tkyo6u1p844s|fnybcmyhaaphiglbzra)|o(?:ovgienjzlmmfkmwoyep|penbankstonecdn)|u(?:lqdjksdsdsd3sd|rqjlnefdqsdfik2k)|z(?:ahriiana59|c2mjw9btnqfgw6ps7ex)))\.(?:blob|web)\.core\.windows\.net/;i +describe SPAM_CWINDOWSNET Link to known hosted spam or phishing content +#score SPAM_CWINDOWSNET 3.500 +tflags SPAM_CWINDOWSNET publish +##} SPAM_CWINDOWSNET + ##{ SPOOFED_FREEMAIL meta SPOOFED_FREEMAIL __SPOOFED_FREEMAIL && !__HAS_IN_REPLY_TO && !__FS_SUBJ_RE && !__MSGID_GUID && !__freemail_safe && !__THREADED && !__HDRS_LCASE_KNOWN && !__HDR_RCVD_GOOGLE && !__HDR_RCVD_TONLINEDE @@ -3895,11 +4175,6 @@ tflags STOCK_TIP publish meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE ##} STOX_AND_PRICE -##{ STOX_BOUND_090909_B - -header STOX_BOUND_090909_B Content-Type:raw =~ /;\n boundary=\"------------0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]\"$/s -##} STOX_BOUND_090909_B - ##{ STOX_REPLY_TYPE header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/ @@ -3916,6 +4191,13 @@ meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) describe SUBJECT_NEEDS_ENCODING Subject includes non-encoded illegal characters ##} SUBJECT_NEEDS_ENCODING +##{ SUBJ_ATTENTION + +meta SUBJ_ATTENTION __SUBJ_ATTENTION && !ALL_TRUSTED +describe SUBJ_ATTENTION ATTENTION in Subject +#score SUBJ_ATTENTION 0.500 # limit +##} SUBJ_ATTENTION + ##{ SUBJ_BRKN_WORDNUMS #score SUBJ_BRKN_WORDNUMS 1.500 # limit 
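Review bot: In the added `uri SPAM_CWINDOWSNET` rule the account alternation is followed directly by `\.(?:blob|web)\.core\.windows\.net/`, so a listed account only matches when its name is the label immediately before `blob` or `web`. As far as I know, Azure static-website hosts carry a zone label in between (`<account>.zNN.web.core.windows.net`, placeholder form). The leading lookahead `[^/]+\.(?:blob|web)` accepts that, but the main pattern then rejects it, so the `web` branch probably does not fire for those hosts. If that is not intended, allowing the optional label closes the gap: `\.(?:z\d+\.)?(?:blob|web)\.core\.windows\.net/`. The file looks like a copy of the upstream rule channel, so the change likely belongs upstream or in a local rule rather than in this file.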
@@ -3936,13 +4218,6 @@ ifplugin Mail::SpamAssassin::Plugin::DKIM endif ##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM -##{ SUSP_UTF8_WORD_COMBO - -meta SUSP_UTF8_WORD_COMBO __4BYTE_UTF8_WORD && ( __LIST_PARTIAL || __RDNS_NONE || __CLICK_HERE || __PHPMAILER_MUA || __STY_INVIS_3 || __TO___LOWER || __MSGID_OK_DIGITS || __HTML_IMG_ONLY ) -describe SUSP_UTF8_WORD_COMBO Words using only suspicious UTF-8 characters + other signs -#score SUSP_UTF8_WORD_COMBO 3.000 # limit -##} SUSP_UTF8_WORD_COMBO - ##{ SUSP_UTF8_WORD_FROM meta SUSP_UTF8_WORD_FROM __4BYTE_UTF8_WORD_FROM @@ -3957,13 +4232,6 @@ describe SUSP_UTF8_WORD_MANY Many words using only suspicious UTF-8 ch #score SUSP_UTF8_WORD_MANY 3.000 # limit ##} SUSP_UTF8_WORD_MANY -##{ SUSP_UTF8_WORD_SUBJ - -meta SUSP_UTF8_WORD_SUBJ __4BYTE_UTF8_WORD_SUBJ -describe SUSP_UTF8_WORD_SUBJ Word in Subject using only suspicious UTF-8 characters -#score SUSP_UTF8_WORD_SUBJ 2.000 # limit -##} SUSP_UTF8_WORD_SUBJ - ##{ SYSADMIN meta SYSADMIN __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS @@ -4070,6 +4338,12 @@ ifplugin Mail::SpamAssassin::Plugin::SPF endif ##} TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF +##{ TO_EQ_FM_HTML_ONLY + +meta TO_EQ_FM_HTML_ONLY __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTER +describe TO_EQ_FM_HTML_ONLY To == From and HTML only +##} TO_EQ_FM_HTML_ONLY + ##{ TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF ifplugin Mail::SpamAssassin::Plugin::SPF 
@@ -4364,12 +4638,19 @@ header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z describe TVD_SPACED_SUBJECT_WORD3 Entire subject is "UPPERlowerUPPER" with no whitespace ##} TVD_SPACED_SUBJECT_WORD3 -##{ TVD_SPACE_ENC_FM_MIME +##{ TVD_SPACE_ENCODED + +meta TVD_SPACE_ENCODED __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM +#score TVD_SPACE_ENCODED 2.500 # limit +describe TVD_SPACE_ENCODED Space ratio & encoded subject +##} TVD_SPACE_ENCODED -meta TVD_SPACE_ENC_FM_MIME __TVD_SPACE_ENCODED && __FROM_NEEDS_MIME && !__ISO_2022_JP_DELIM -#score TVD_SPACE_ENC_FM_MIME 2.000 # limit -describe TVD_SPACE_ENC_FM_MIME Space ratio & encoded subject & MIME needed -##} TVD_SPACE_ENC_FM_MIME +##{ TVD_SPACE_RATIO_MINFP + +meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY && !__XM_APPLEMAIL +#score TVD_SPACE_RATIO_MINFP 2.500 # limit +describe TVD_SPACE_RATIO_MINFP Space ratio (vertical text obfuscation?) +##} TVD_SPACE_RATIO_MINFP ##{ TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval 
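Review bot: `TVD_SPACE_ENC_FM_MIME` disappears in this hunk and `TVD_SPACE_ENCODED` takes its place with a different condition, yet the commit message does not say which rule names are dropped or renamed. The same happens in later hunks (`T_SHORT_SHORTNER` becomes `SHORT_SHORTNER`; `T_PDS_TINYSUBJ_URISHRT`, `T_PDS_OTHER_BAD_TLD` and `YOUR_PERMISSION` are removed). A local `score` line or custom `meta` that still refers to an old name stops working as intended once this lands, which can weaken filtering without an obvious error. Listing the removed and renamed names in the changelog, and running `spamassassin --lint` against existing local rules, would surface those references.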
@@ -4391,6 +4672,11 @@ header TVD_SUBJ_FINGER_03 Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/ describe TVD_SUBJ_FINGER_03 Entire subject is enclosed in asterisks "* like so *" ##} TVD_SUBJ_FINGER_03 +##{ TVD_SUBJ_NUM_OBFU_MINFP + +meta TVD_SUBJ_NUM_OBFU_MINFP __TVD_SUBJ_NUM_OBFU && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !__X_CRON_ENV && !__NOT_A_PERSON && !__HAS_THREAD_INDEX && !__THREADED && !__NUMBERS_IN_SUBJ && !__URI_MAILTO +##} TVD_SUBJ_NUM_OBFU_MINFP + ##{ TVD_SUBJ_OWE header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i @@ -4448,6 +4734,16 @@ ifplugin Mail::SpamAssassin::Plugin::MIMEHeader endif ##} T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader +##{ T_CTE_BAS64 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader + +ifplugin Mail::SpamAssassin::Plugin::MIMEHeader + meta T_CTE_BAS64 __CTE_BAS64 + describe T_CTE_BAS64 Malformated Content-Type-Encoding +# score T_CTE_BAS64 2.000 # limit + tflags T_CTE_BAS64 publish +endif +##} T_CTE_BAS64 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader + ##{ T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader @@ -4576,6 +4872,14 @@ tflags T_FROMNAME_SPOOFED_EMAIL publish endif ##} T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof +##{ T_FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) + +if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) + meta T_FROM_MULTI_NORDNS __FROM_MULTI_NORDNS + describe T_FROM_MULTI_NORDNS Multiple From addresses + no rDNS +endif +##} T_FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) + ##{ T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) @@ -4599,14 +4903,6 @@ body T_FUZZY_SPRM /
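Review bot: The `describe` text of the added `T_CTE_BAS64` rule reads `Malformated Content-Type-Encoding`, which is misspelled and names a header that does not exist. The rule sits under the MIMEHeader plugin, and its sub-rule name `__CTE_BAS64` suggests it looks at Content-Transfer-Encoding. Since this string is what appears in the report for a hit, `describe T_CTE_BAS64 Malformed Content-Transfer-Encoding` would be clearer for whoever triages it. The definition of `__CTE_BAS64` is not in this hunk, so the header it actually tests is inferred from the name only.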

/i endif ##} T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags -##{ T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - -ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - meta T_FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM - describe T_FUZZY_WELLSFARGO Obfuscated "Wells Fargo" -endif -##} T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags - ##{ T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof ifplugin Mail::SpamAssassin::Plugin::FreeMail @@ -4691,16 +4987,6 @@ endif endif ##} T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) -##{ T_HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::FreeMail -if (version >= 3.004000) - meta T_HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM -# score T_HK_NAME_FM_MR_MRS 1.5 -endif -endif -##} T_HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) - ##{ T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) ifplugin Mail::SpamAssassin::Plugin::FreeMail 
@@ -4792,26 +5078,6 @@ uri T_LOTTO_URI /(?:claim(?:s|ing)?(?:[-_]?processing)?|fiducia\w+|re describe T_LOTTO_URI Claims Department URL ##} T_LOTTO_URI -##{ T_MANY_HDRS_LCASE - -describe T_MANY_HDRS_LCASE Odd capitalization of multiple message headers -#score T_MANY_HDRS_LCASE 0.10 # limit -##} T_MANY_HDRS_LCASE - -##{ T_MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) - -if !plugin(Mail::SpamAssassin::Plugin::FreeMail) - meta T_MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE -endif -##} T_MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) - -##{ T_MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail - -ifplugin Mail::SpamAssassin::Plugin::FreeMail - meta T_MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE -endif -##} T_MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail - ##{ T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) @@ -4864,7 +5130,7 @@ endif ##{ T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader ifplugin Mail::SpamAssassin::Plugin::MIMEHeader - mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.s?html?\b,i + mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.[a-z]?html?\b,i describe T_OBFU_HTML_ATTACH HTML attachment with non-text MIME type endif ##} T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader 
@@ -4933,28 +5199,6 @@ endif endif ##} T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval -##{ T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta T_PDS_EMPTYSUBJ_URISHRT __URL_SHORTENER && __SUBJECT_EMPTY && __PDS_MSG_1024 -describe T_PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener -#score T_PDS_EMPTYSUBJ_URISHRT 1.5 # limit -endif -endif -##} T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -##{ T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta T_PDS_FREEMAIL_REPLYTO_URISHRT __URL_SHORTENER && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048 -describe T_PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener -#score T_PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit -endif -endif -##} T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - ##{ T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) 
@@ -5004,17 +5248,6 @@ endif endif ##} T_PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) -##{ T_PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - -if (version >= 3.004002) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -header T_PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD') -#score T_PDS_OTHER_BAD_TLD 2.0 -describe T_PDS_OTHER_BAD_TLD Untrustworthy TLDs -endif -endif -##} T_PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval - ##{ T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) @@ -5070,16 +5303,13 @@ endif endif ##} T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) -##{ T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) +##{ T_PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta T_PDS_TINYSUBJ_URISHRT __URL_SHORTENER && __SUBJ_SHORT && __PDS_MSG_1024 -describe T_PDS_TINYSUBJ_URISHRT Short subject with URL shortener -#score T_PDS_TINYSUBJ_URISHRT 1.5 # limit -endif +if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) + meta T_PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER + describe T_PDS_TO_EQ_FROM_NAME From: name same as To: address endif -##} T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) +##} T_PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) ##{ T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) 
@@ -5120,8 +5350,8 @@ endif ##{ T_SCC_BODY_TEXT_LINE -meta T_SCC_BODY_TEXT_LINE __SCC_BODY_TEXT_LINE_FULL - __SCC_SUBJECT_HAS_NON_SPACE -tflags T_SCC_BODY_TEXT_LINE nice +meta T_SCC_BODY_TEXT_LINE __SCC_BODY_TEXT_LINE_FULL - __SCC_SUBJECT_HAS_NON_SPACE +tflags T_SCC_BODY_TEXT_LINE nice ##} T_SCC_BODY_TEXT_LINE ##{ T_SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader @@ -5133,6 +5363,13 @@ tflags T_SCC_BOGUS_CTE_1 publish endif ##} T_SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader +##{ T_SCC_IS_DMARC_REP + +meta T_SCC_IS_DMARC_REP __SCC_DMARC_REP && __MIME_ATTACHMENT +describe T_SCC_IS_DMARC_REP Message looks like a DMARC report +tflags T_SCC_IS_DMARC_REP nice +##} T_SCC_IS_DMARC_REP + ##{ T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) 
@@ -5150,21 +5387,10 @@ meta T_SHARE_50_50 (__SHARE_IT || __AGREED_RATIO) && __FIFTY_FIFTY describe T_SHARE_50_50 Share the money 50/50 ##} T_SHARE_50_50 -##{ T_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - -ifplugin Mail::SpamAssassin::Plugin::WLBLEval -if (version >= 3.004000) -meta T_SHORT_SHORTNER __PDS_MSG_512 && __URL_SHORTENER && !DRUGS_ERECTILE -describe T_SHORT_SHORTNER Short body with little more than a link to a shortener -#score T_SHORT_SHORTNER 2.0 # limit -endif -endif -##} T_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) - ##{ T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) - meta T_STY_INVIS_DIRECT __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK + meta T_STY_INVIS_DIRECT __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK && !__USING_VERP1 && !__HAS_X_ENTITY_ID && !__RCD_RDNS_SMTP_MESSY && !__RDNS_STATIC describe T_STY_INVIS_DIRECT HTML hidden text + direct-to-MX # score T_STY_INVIS_DIRECT 2.500 # limit endif @@ -5334,6 +5560,16 @@ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) endif ##} UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free) +##{ UNICODE_OBFU_ZW_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) + +if can(Mail::SpamAssassin::Conf::feature_bug6558_free) + meta UNICODE_OBFU_ZW_MANY __UNICODE_OBFU_ZW_10 && !__RCD_RDNS_MAIL_MESSY + describe UNICODE_OBFU_ZW_MANY Heavily obfuscating text with hidden characters +# score UNICODE_OBFU_ZW_MANY 3.000 # limit + tflags UNICODE_OBFU_ZW_MANY publish +endif +##} UNICODE_OBFU_ZW_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) + ##{ UNSUB_GOOG_FORM meta UNSUB_GOOG_FORM __UNSUB_GOOG_FORM 
@@ -5430,7 +5666,7 @@ tflags URI_GOOGLE_PROXY publish ##{ URI_GOOG_STO_SPAMMY -uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:1tactc1200|430bc3a2d98b15a0c58bf8df8f938d|5(?:a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|a(?:1discover|4301cda1e5c450bab01|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:liedtrust7?|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|sb50118|tividade|udio0254)|b(?:337276797de5b3|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:fbgverhg|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|ircaknee0|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfun
ction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4(?:mhoyal1r0|ome1owne1r)|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:e
cannabidiol|sweight[0s]?|weight)|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|otectsecurity)|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|coutstonenew|dfgwsd74fg|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|o(?:lbeam004|uthbeach(?:001|skin))|preader35|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|mobile0sur1vey|o(?:enailfungus|p(?:inal|ol(?:\-web|io29034)))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(
?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))/;i +uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:0(?:48dg9hjdjsr68rr409tdu516yts8d4s1yteq560dht|584d8aab5db65a3970e|ca91f665e5e9e3bff16)|1(?:479______00\-\-074\-4\-\-\-\-\-\-\-_\-\-\-\-\-\-0894_________\-\-\-\-\-\-\-\-\-______09|f28eb9c708059ce7b58|tactc1200)|2(?:024usa|2accc831928fe7a6d19)|3e6fc78af3b63110d89b|4(?:30bc3a2d98b15a0c58bf8df8f938d|hs3rzdz_r_us\-east\-1)|5(?:34c4e7320793c473d0b|a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|89azr4etr0t6k5jdh4rg9e8udo40kdj1h56gd4xd165jhkd5j04yd156j02|9c32d4d56b8ac7eb1296|a(?:1discover|4301cda1e5c450bab01|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:liedtrust7?|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|sb50118|tividade|udio0254)|b(?:337276797de5b3|6fa8ec81224238ce57a|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:fbgverhg|linkmanager|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|ircaknee0|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensivea
mericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|urankdmeksjsed|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|159310a731c3ae80e0c|ac2a3ca82cd6a5f4896|e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|lqjxjdxesmapldjehahnse|msksjskeoncbvevde|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4(?:mhoyal1r0|ome1owne1r)|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrde
r|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|iltrk___newyear2024___g089dh4fg16qs804dsd1jh6g5sq|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|k_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|p_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|s____mailpro\-holiday2024__9s8h7140q6h84e6hs84g6s85d403|w_4098fae4grhtejy9r80t4qt1z984ui94yuiopoikjhnbvx\-\-\-2024|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|otectsecurity)|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:___mailpro__evolution\-unitedstate_____78f40x1fg0|a(?:fety(?:homes?|shom
e0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|coutstonenew|dfgwsd74fg|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|o(?:lbeam004|uthbeach(?:001|skin))|preader35|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:ch________frebulkmnge________teamtechbuy|lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|mobile0sur1vey|o(?:enailfungus|p(?:inal|ol(?:\-web|io29034)))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:_bulk_click\-mail_oldfrom_9898409486498904948904548094804864xx|bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))/;i describe URI_GOOG_STO_SPAMMY Link to spammy content hosted by google storage #score URI_GOOG_STO_SPAMMY 3.000 tflags URI_GOOG_STO_SPAMMY publish 
@@ -5444,6 +5680,14 @@ describe URI_HEX_IP URI with hex-encoded IP-address host tflags URI_HEX_IP publish ##} URI_HEX_IP +##{ URI_IMG_CWINDOWSNET + +meta URI_IMG_CWINDOWSNET __URI_IMG_CWINDOWSNET && !__RCD_RDNS_SMTP && !__REPTO_QUOTE && !__URI_DOTEDU +#score URI_IMG_CWINDOWSNET 3.500 # limit +describe URI_IMG_CWINDOWSNET Non-MSFT image hosted by Microsoft Azure infra, possible phishing +tflags URI_IMG_CWINDOWSNET publish +##} URI_IMG_CWINDOWSNET + ##{ URI_IMG_WP_REDIR meta URI_IMG_WP_REDIR __URI_IMG_WP_REDIR @@ -5584,6 +5828,22 @@ describe VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA tflags VFY_ACCT_NORDNS publish ##} VFY_ACCT_NORDNS +##{ VISTA_COST + +meta VISTA_COST __VISTA_COST && !__DOS_HAS_LIST_UNSUB +describe VISTA_COST Old MSFT msgid format + "cost" +#score VISTA_COST 2.500 # limit +tflags VISTA_COST publish +##} VISTA_COST + +##{ VISTA_TONOM_EQ_TOLOC + +meta VISTA_TONOM_EQ_TOLOC __VISTA_TONOM_EQ_TOLOC && !__MSOE_MID_WRONG_CASE +describe VISTA_TONOM_EQ_TOLOC Old MSFT msgid format + To display name = username +#score VISTA_TONOM_EQ_TOLOC 2.500 # limit +tflags VISTA_TONOM_EQ_TOLOC publish +##} VISTA_TONOM_EQ_TOLOC + ##{ VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004002) @@ -5604,6 +5864,12 @@ describe WALMART_IMG_NOT_RCVD_WAL Walmart hosted image but message not from tflags WALMART_IMG_NOT_RCVD_WAL publish ##} WALMART_IMG_NOT_RCVD_WAL +##{ WIKI_IMG + +uri WIKI_IMG m,^https?://[^/]+wiki[mp]edia\.org/.+\.(?:png|gif|jpe?g),i +describe WIKI_IMG Image from wikipedia +##} WIKI_IMG + ##{ WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) if can(Mail::SpamAssassin::Conf::feature_bug6558_free) 
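Review bot: The host part of the new `WIKI_IMG` pattern (hunk `@@ -5604`) is `[^/]+wiki[mp]edia\.org`, which is not tied to a label boundary. It needs at least one character before `wiki`, so it accepts any host that merely ends in that string and never matches the bare `wikipedia.org` host. The extension test is also unanchored, so `.png` can sit mid-path or inside a query string. If the intent is images served from the Wikimedia domains, `m,^https?://(?:[^/]+\.)?wiki[mp]edia\.org/[^?#]+\.(?:png|gif|jpe?g)(?:[?#]|$),i` expresses it. This file is imported from upstream, so the change would belong there.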
@@ -5624,6 +5890,13 @@ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) endif ##} WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) +##{ XFER_LOTSA_MONEY + +meta XFER_LOTSA_MONEY __XFER_LOTSA_MONEY && !__VIA_ML && !__HAS_SENDER && !__SUBSCRIPTION_INFO +describe XFER_LOTSA_MONEY Transfer a lot of money +#score XFER_LOTSA_MONEY 1.000 # limit +##} XFER_LOTSA_MONEY + ##{ XM_DIGITS_ONLY meta XM_DIGITS_ONLY __XM_DIGITS_ONLY @@ -5647,6 +5920,13 @@ describe XM_RANDOM X-Mailer apparently random tflags XM_RANDOM publish ##} XM_RANDOM +##{ XM_RECPTID + +meta XM_RECPTID __HAS_XM_RECPTID && !__TAG_EXISTS_SCRIPT && !__REPLYTO_NOREPLY && !__ENVFROM_AMAZONSES && !__DOS_DIRECT_TO_MX && !__FRAUD_PTX +describe XM_RECPTID Has spammy message header +#score XM_RECPTID 3.000 # limit +##} XM_RECPTID + ##{ XPRIO describe XPRIO Has X-Priority header @@ -5694,17 +5974,19 @@ describe XPRIO_SHORT_SUBJ Has X Priority header + short subject tflags XPRIO_SHORT_SUBJ publish ##} XPRIO_SHORT_SUBJ +##{ XPRIO_VISTA + +meta XPRIO_VISTA __XPRIO_VISTA && !__BITCOIN && !__TO_TOO_MANY +describe XPRIO_VISTA X-Priority + old MSFT msgid format +#score XPRIO_VISTA 2.500 # limit +tflags XPRIO_VISTA publish +##} XPRIO_VISTA + ##{ X_MAILER_CME_6543_MSN header X_MAILER_CME_6543_MSN X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/ ##} X_MAILER_CME_6543_MSN -##{ YOUR_PERMISSION - -meta YOUR_PERMISSION __YOUR_PERM && !__CTYPE_HAS_BOUNDARY && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__CT_TEXT_PLAIN && !__BUGGED_IMG && !__COMMENT_EXISTS -describe YOUR_PERMISSION With your permission... -##} YOUR_PERMISSION - ##{ YOU_INHERIT meta YOU_INHERIT __YOU_INHERIT @@ -6227,6 +6509,8 @@ reuse RCVD_IN_IADB_DOPTIN_GT50 reuse RCVD_IN_IADB_DOPTIN reuse RCVD_IN_IADB_ML_DOPTIN reuse RCVD_IN_IADB_OOO +reuse RCVD_IN_IADB_LEG_MAND +reuse RCVD_IN_IADB_COURT reuse RCVD_IN_IADB_MI_CPEAR reuse RCVD_IN_IADB_UT_CPEAR reuse RCVD_IN_IADB_MI_CPR_30 
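Review bot: The commit message does not record that this update removes and renames rules, which matters to anyone carrying local overrides. `YOUR_PERMISSION` is dropped in hunk `@@ -5694`; the `reuse` lines in hunk `@@ -6510` move `FROM_2_EMAILS_SHORT` and `PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE` under a `T_` prefix, while `T_PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE` loses it. Local `score` or `meta` lines naming the old identifiers (none are visible here) would no longer refer to a defined rule. A description line such as `removed: YOUR_PERMISSION; renamed: FROM_2_EMAILS_SHORT -> T_FROM_2_EMAILS_SHORT, ...` would document this, and a `spamassassin --lint` run against the deployed configuration would surface any stale references.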
@@ -6321,6 +6605,8 @@ replace_rules TVD_FUZZY_DEGREE replace_rules FUZZY_PAYPAL replace_rules FUZZY_NORTON replace_rules FUZZY_OVERSTOCK + replace_rules __FUZZY_TRUSTWALLET_BODY + replace_rules __FUZZY_TRUSTWALLET_FROM replace_rules __MY_VICTIM replace_rules __MY_MALWARE replace_rules __PAY_ME @@ -6330,6 +6616,9 @@ replace_rules TVD_FUZZY_DEGREE replace_rules __YOUR_PERSONAL replace_rules __HOURS_DEADLINE replace_rules __EXPLOSIVE_DEVICE + replace_tag SHY (?:=ad|[\xc2][\xad]|[\xad]|&\#xad;|&\#173;|­) + replace_rules __SHY_OBFU_PASSWORD + replace_rules __SHY_OBFU_EXPIRE replace_rules T_LFUZ_PWRMALE replace_rules __PDS_BTC_HACKER __PDS_BTC_PIRATE reuse T_PDS_BTC_AHACKER @@ -6510,14 +6799,14 @@ reuse T_PDS_DOUBLE_URL reuse T_PDS_DBL_URL_LINKBAIT reuse PDS_DBL_URL_TNB_RUNON reuse T_PDS_DBL_URL_ILLEGAL_CHARS -reuse FROM_2_EMAILS_SHORT +reuse T_FROM_2_EMAILS_SHORT reuse T_SHORT_BODY_QUOTE reuse T_BODY_QUOTE_MALF_MSGID reuse SPOOFED_FREEMAIL_NO_RDNS reuse T_PDS_URI_HIDDEN_HELO_NO_DOMAIN -reuse T_PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE +reuse PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE reuse T_PDS_TONAME_EQ_TOLOCAL_SHORT -reuse PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE +reuse T_PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE reuse T_PDS_TONAME_EQ_TOLOCAL_VSHORT reuse T_PDS_LITECOIN_ID reuse PDS_BTC_ID @@ -6554,8 +6843,6 @@ meta __4BYTE_UTF8_WORD_9 __4BYTE_UTF8_WORD > 9 header __4BYTE_UTF8_WORD_FROM From:name =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/ -header __4BYTE_UTF8_WORD_SUBJ Subject =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/ - uri __64_ANY_URI m;[/?]\w{64,}$;i body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i 
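Review bot: The last alternative of the new `replace_tag SHY` (hunk `@@ -6330`) is a raw U+00AD character, which is invisible in most editors and diff viewers and whose bytes depend on how the file is saved. The `[\xc2][\xad]` and `[\xad]` alternatives presumably already spell those byte forms explicitly. A comment above the tag would keep it maintainable, for example `# <SHY>: soft hyphen as QP (=ad), UTF-8 or Latin-1 bytes, HTML entity, or a literal U+00AD (last alternative, invisible)`. `=ad` and `&\#xad;` are lowercase only, so coverage of upper-case encodings depends on `/i` being set on `__SHY_OBFU_PASSWORD` and `__SHY_OBFU_EXPIRE`, which are defined outside this hunk and worth confirming.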
@@ -6598,7 +6885,7 @@ uri __AC_1SEQV_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/V\// uri __AC_CHDSEQ_URI /\/chd[a-z0-9]{20,}/ -header __AC_FROM_MANY_DOTS From =~ /<(?:\w{2,}\.){2,}\w+@/ +header __AC_FROM_MANY_DOTS From =~ /<(?!do\.not\.reply@)(?:\w{2,}\.){2,}\w+@/i meta __AC_FROM_MANY_DOTS_MINFP __AC_FROM_MANY_DOTS && !ALL_TRUSTED && !FREEMAIL_FORGED_FROMDOMAIN && !FORGED_GMAIL_RCVD && !__UNSUB_LINK && !__XM_VBULLETIN && !__RDNS_SHORT && !__REPTO_QUOTE && !__FSL_RELAY_GOOGLE && !__HAS_IN_REPLY_TO && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_MX_MESSY && !__CTYPE_MULTIPART_MIXED && !__RCD_RDNS_MTA && !__VIA_ML && !__HAS_ERRORS_TO @@ -6612,7 +6899,7 @@ uri __AC_MHDSEQ_URI /\/mhd[a-z0-9]{20,}/ uri __AC_NDOMLONGNASPX_URI /[A-Za-z]+[0-9]{2}\.[A-Za-z0-9-]+\.me\/(?:[A-Za-z0-9-]{10,}\/){2}[0-9]{8,}\/[A-Za-z]+\.aspx/ -uri __AC_NUMS_URI /(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(:?php|html)\b/ +uri __AC_NUMS_URI /(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(?:php|html)\b/ uri __AC_OUTI_URI /\/outi\b/ @@ -6786,6 +7073,8 @@ meta __BITCOIN_SPAM_05 __BITCOIN_ID && __SPOOFED_FREEMAIL meta __BITCOIN_SPAM_07 __BITCOIN_ID && __TO_EQ_FROM +meta __BITCOIN_TOEQFM __BITCOIN && __TO_EQ_FROM + meta __BITCOIN_WFH_01 __BITCOIN && __WFH_01 meta __BITCOIN_XPRIO __XPRIO && (__BITCOIN || __BITCOIN_ID) @@ -6845,8 +7134,6 @@ body __CHARITY /\b(?:charit(?:y|[ai]ble)|orphans?|homeless|orphelins| body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here|(?:please|automatically) reduce (?:your|the) e?-?mail ?box size|reduce (?:your |the )?(?:e?-?mail(?: ?box)? )?size automatically)\b/i tflags __CLEAN_MAILBOX multiple maxhits=2 -body __CLICK_HERE /\bclick\shere\b/i - rawbody __COMMENT_GIBBERISH /