[proxmox-spamassassin.git] / kam-updates / kam_sa-channels_mcgrail_com / nonKAMrules.cf

#FROM SA/MD/SARE LISTS - All consider public domain or fair use.

#BY Warren Sallade" <warren.sallade@ewgateway.org> for Drug Spams

#DISABLING DUE TO FALSE POSITIVES 2021-09-14
rawbody   __EWG_BAD34 />\s{0,3}V\s{0,3}</i
rawbody   __EWG_BAD35 />\s{0,3}I\s{0,3}</i
rawbody   __EWG_BAD36 />\s{0,3}A\s{0,3}</i
rawbody   __EWG_BAD37 />\s{0,3}G\s{0,3}</i
rawbody   __EWG_BAD38 />\s{0,3}R\s{0,3}</i
rawbody   __EWG_BAD39 />\s{0,3}A\s{0,3}</i
meta  	 EWG_VIAGRA ((__EWG_BAD34 + __EWG_BAD35 + __EWG_BAD36 + __EWG_BAD37 + __EWG_BAD38 + __EWG_BAD39) > 5) 
describe EWG_VIAGRA Viagra Obfuscation SPAM
score  	 EWG_VIAGRA 1.0

rawbody   __EWG_BAD41 />\s{0,3}C\s{0,3}</i
rawbody   __EWG_BAD42 />\s{0,3}I\s{0,3}</i
rawbody   __EWG_BAD43 />\s{0,3}A\s{0,3}</i
rawbody   __EWG_BAD44 />\s{0,3}L\s{0,3}</i
rawbody   __EWG_BAD45 />\s{0,3}I\s{0,3}</i
rawbody   __EWG_BAD46 />\s{0,3}S\s{0,3}</i
meta   	EWG_CIALIS ((__EWG_BAD41 + __EWG_BAD42 + __EWG_BAD43 + __EWG_BAD44 + __EWG_BAD45 + __EWG_BAD46) > 5)
describe EWG_CIALIS Cialis Obfuscation spam
score   EWG_CIALIS 1.0

rawbody   __EWG_BAD48 />\s{0,3}V\s{0,3}</i
rawbody   __EWG_BAD49 />\s{0,3}A\s{0,3}</i
rawbody   __EWG_BAD50 />\s{0,3}L\s{0,3}</i
rawbody   __EWG_BAD51 />\s{0,3}I\s{0,3}</i
rawbody   __EWG_BAD52 />\s{0,3}U\s{0,3}</i
rawbody   __EWG_BAD53 />\s{0,3}M\s{0,3}</i
meta   	EWG_VALIUM ((__EWG_BAD48 + __EWG_BAD49 + __EWG_BAD50 + __EWG_BAD51 + __EWG_BAD52 + __EWG_BAD53) > 5)
describe EWG_VALIUM Valium Obfuscation Spam
score   EWG_VALIUM 1.000

#FOR CURRENT RND_UC_CHAR SPAMS
header SUBJ_RND_UC_CHAR_L       Subject =~ /\%RND_UC_CHAR/
describe SUBJ_RND_UC_CHAR_L     Subject contains literal RND_UC_CHAR tag
score SUBJ_RND_UC_CHAR_L        5.0

header SUBJ_RND_UC_CHAR         Subject =~ /^Re:\s[A-Z]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$/
describe SUBJ_RND_UC_CHAR       Subject fits RND_UC_CHAR pattern
score SUBJ_RND_UC_CHAR          1.0

uri         PHARMACOURT_BIZ 	/\b(?:pharmacourt|pharmawarehouse|valuepointmeds)\.biz\b/i
describe    PHARMACOURT_BIZ 	Includes a link to spammer www.pharmacourt.biz
score       PHARMACOURT_BIZ 	3.0

#meta        HABEAS_VIOLATOR_LOCAL   (!HABEAS_VIOLATOR && PHARMACOURT_BIZ && HABEAS_SWE)
#describe    HABEAS_VIOLATOR_LOCAL   Spammer known to abuse Habeas mark
#score       HABEAS_VIOLATOR_LOCAL   16.0

rawbody     UAH_VIAGRA_IMAGE 	/^<center><\!--[a-zA-Z0-9]{10,20}--><a href=.+><img src=.+\/[a-z][1-9]\.gif\" border=0><\/a><\/center>$/i
describe    UAH_VIAGRA_IMAGE	Viagra Image
score	    UAH_VIAGRA_IMAGE    3.0


#INVALID QMAIL 
header  	GERMANSPAM MESSAGEID =~ /^<.*[a-z].*\.qmail\@.*>/
describe        GERMANSPAM Contains German Spam / Invalid Qmail Message ID
score           GERMANSPAM 3.0

#GOOGLE Who really uses the "I'm Feeling Lucky" button anyway? by John Wilcock
uri      local_GOOGLE_LUCKY /(?:\bgoogle\b).+(?:&btnI=)/i
describe local_GOOGLE_LUCKY Redirect through Google Feeling Lucky
score    local_GOOGLE_LUCKY 2.0

#ZD.NET's OPEN REDIR by Raymond Dijkxhoorn
uri PROLO_REDIR_ZDNET_CHECK_1 /http:\/\/.*chkpt.zdnet.com\/chkpt/
score PROLO_REDIR_ZDNET_CHECK_1  8.0
describe PROLO_REDIR_ZDNET_CHECK_1 PROLO_REDIR-ZDNET CHECK_1_2_3, Body

#TINYTEXT by Jonathan Maliepaard <jon@enetworks.co.za>
#describe TINY_TEXT_1              Body includes very small html text 
#rawbody TINY_TEXT_1              /FONT-SIZE: (?:1|1.5|2|2.5|3)px/i
#score TINY_TEXT_1                  1.5

#describe TINY_TEXT_2              Body includes very small html text 
#rawbody TINY_TEXT_2              /FONT-SIZE: (?:1|1.5|2|2.5|3)\;/i
#score TINY_TEXT_2                  1.5


#HABEAS MARK TOO OFTEN FORGED
#REMOVED FOR 3.0SA #score HABEAS_SWE 0.0

#patch to MS Outlook 2003 has changed the headers
#REMOVED FOR 3.0SA #score   FORGED_MUA_OUTLOOK 0.00

#SCORE ADJUSTMENTS
#REMOVED FOR 3.0SA #score   RCVD_IN_NJABL_DIALUP    1.5
#REMOVED FOR 3.0SA #score   RCVD_IN_DYNABLOCK       1.0
#REMOVED FROM RULES score DNS_FROM_OPENWHOIS		2.0

#
# Abusive public hosting Raymond Dijkxhoorn
#

uri PROLO_PUBWEB_UKGEO_CHECK1 /^http:\/\/.*uk\.geocities\.com\//
score PROLO_PUBWEB_UKGEO_CHECK1  5.0
describe PROLO_PUBWEB_UKGEO_CHECK1 PROLO_PUBWEB_UKGEO_CHECK1, Body

uri PROLO_PUBWEB_ITGEO_CHECK1 /^http:\/\/.*it\.geocities\.com\//
score PROLO_PUBWEB_ITGEO_CHECK1  5.0
describe PROLO_PUBWEB_ITGEO_CHECK1 PROLO_PUBWEB_ITGEO_CHECK1, Body

uri PROLO_PUBWEB_WWWGEO_CHECK1 /^http:\/\/.*www\.geocities\.com\//
score PROLO_PUBWEB_WWWGEO_CHECK1  5.0
describe PROLO_PUBWEB_WWWGEO_CHECK1 PROLO_PUBWEB_WWWGEO_CHECK1, Body

uri PROLO_HOSTING_PROHOSTING_CHK1 /^http:\/\/.*prohosting\.com\//
score PROLO_HOSTING_PROHOSTING_CHK1  5.0
describe PROLO_HOSTING_PROHOSTING_CHK1 PROLO_HOSTING_PROHOSTING_CHK1, Body

uri PROLO_HOSTING_XTHOST_CHK1 /^http:\/\/.*xthost\.info\//
score PROLO_HOSTING_XTHOST_CHK1  5.0
describe PROLO_HOSTING_XTHOST_CHK1 PROLO_HOSTING_XTHOST_CHK1, Body

uri PROLO_HOSTING_NET4FREE_CHK1 /^http:\/\/.*net4free\.org\//
score PROLO_HOSTING_NET4FREE_CHK1  5.0
describe PROLO_HOSTING_NET4FREE_CHK1 PROLO_HOSTING_NET4FREE_CHK1, Body

#Raymond's SA Rules for Tripod Spams from Leo
body            PROLO_LEO1              /85\,45|1\,21/
body            PROLO_LEO2              /69\,95|3\,33/
body            PROLO_LEO3              /99\,95|3\,75/
uri             PROLO_LEO4              /http:\/\/.*\.tripod\.com/
meta            PROLO_LEO_M1           (PROLO_LEO1 && PROLO_LEO2 && PROLO_LEO3 && PROLO_LEO4)

score           PROLO_LEO1             0.1
score           PROLO_LEO2             0.1
score           PROLO_LEO3             0.1
score           PROLO_LEO4             0.1
score           PROLO_LEO_M1           8

describe        PROLO_LEO1             Meta Catches all Leo drug variations so far
describe        PROLO_LEO2             Meta Catches all Leo drug variations so far
describe        PROLO_LEO3             Meta Catches all Leo drug variations so far
describe        PROLO_LEO4             Meta to catch Leo now using Tripod
describe        PROLO_LEO_M1           Catches all Leo drug variations so far

#JUNK SCORES TO RECREATE ROUNDING BUG
#score		RDNS_NONE		0.0
#header		TEMP			Received =~ /64.18.1.27/
#score		TEMP			-0.5
#score           KAM_LIVE         0.0

#DFS Rule for Warning: Malformed MIME virus in the wild 10-10-2013
full __RP_ZIP_TYPE /name\s{0,2}=\s{0,2}.{0,80}\.zip/i
full     __RP_EMPTY_CTYPE /Content-Type:\s{0,4};/i
meta	 RP_ZIP_ECTYP __RP_EMPTY_CTYPE && __RP_ZIP_TYPE
describe RP_ZIP_ECTYP Zip file attachment with bogus Content-Type: header
score	 RP_ZIP_ECTYP 15

#AXB TEXTAREA
rawbody 	__AXB_RAW_TXTRO1	/\<textarea name\=\"textmain\" readonly\=\"readonly\" style\=\"width\:/
rawbody         __AXB_RAW_TXTRO2   	/\<textarea readonly\=\"readonly\" name\=\"textmain\" style\=\"width\:/
meta		AXB_RAW_TXTRO		(__AXB_RAW_TXTRO1 + __AXB_RAW_TXTRO2 >= 2)
describe	AXB_RAW_TXTRO		R/O Textarea
score		AXB_RAW_TXTRO		5.0

##########################################################################
# - Find messages with eight or more html break characters in it.
# - From: Kevin Miller <Kevin_Miller@ci.juneau.ak.us>
##########################################################################

# HTML <BR>
rawbody   __CBJ_GiveMeABreak1      /(?:<\/?br ?\/?>[\s\r\n]{0,4}){8}/mi

# NEWLINES - DISABLED
rawbody   __CBJ_GiveMeABreak2      /(?:[\r\n]){8}/mi

# EMPTY TABLE ROWS
rawbody   __CBJ_GiveMeABreak3      /(?:<tr><td><\/td><\/tr>[\r\n]{0,4}){4}/mi

# EMPTY PARAGRAPHS
rawbody   __CBJ_GiveMeABreak4      /(?:<p[^>]*>&nbsp;<\/p>\s*){4}|(?:<div[^>]*>&nbsp;<\/div>\s*){4}/mi

meta      CBJ_GiveMeABreak      (__CBJ_GiveMeABreak1 + __CBJ_GiveMeABreak3 + __CBJ_GiveMeABreak4 >= 1)
describe  CBJ_GiveMeABreak      Messages with consecutive break characters
score     CBJ_GiveMeABreak      1.75

# FIX FOR THE FAILURE THAT IS OUTLOOK
meta  MSGID_MULTIPLE_AT_OUTLOOK  (MSGID_MULTIPLE_AT && __ANY_OUTLOOK_MUA && !MSGID_OUTLOOK_INVALID)
score MSGID_MULTIPLE_AT_OUTLOOK  -1.00
describe MSGID_MULTIPLE_AT_OUTLOOK Undo MSGID_MULTIPLE_AT for Outlook MUAs that fail at standards

# SPAM THAT SAYS IT IS SPAM
header   AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~ /^SFV\:SPM/
describe AXB_X_FF_SEZ_S Forefront says this is spam
score    AXB_X_FF_SEZ_S 1.5

# HACKED WORDPRESS SITES
uri        __RP_D_00069_1 /\/wp-content\/(?:plugins|themes)\/.*\.php/is
uri        __RP_D_00069_2 /\/wp-includes\/.*\.php/is
meta       RP_D_00069 __RP_D_00069_1 || __RP_D_00069_2
describe   RP_D_00069 Contains URL that may point to hacked WordPress site
score      RP_D_00069 1.2

#lowering score on this rule from 1.5 to 1.2 and the stock URI_WP_HACKED_2 to 2.1
score	   URI_WP_HACKED_2   2.1

# from John Hardin <jhardin@impsec.org>
# reported on users list 09/2014 George Johnson <georgejohnson@talaya.net>
header    __RAND_HEADER                ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{5,}):\s+(?:\d{3,}[-\.][0-9a-f]{6,}|\d{6,}(?:[-\.]\d{2,5})?|[0-9a-f]{30,})$/ism
tflags    __RAND_HEADER                multiple maxhits=5
meta      RAND_HEADER_MANY             __RAND_HEADER > 4
describe  RAND_HEADER_MANY             Many random gibberish message headers
score     RAND_HEADER_MANY             1.500   # limit


uri    AXB_URI_MLW_DROPBOX    /\/(dropbox|googlebox)\/(document|doc|invoice)\.php$/
score  AXB_URI_MLW_DROPBOX    100

# from axb - the .link tld is completely useless and spam-ridden
# FP from 2017-09-12 removed
if (version >= 3.004000)
  #blacklist_uri_host link
endif

# COSTCO SPAM RULE FROM DIANNE F SKOLL
uri        __RP_D_00081_1 /\.php\?(?:dp|k|c|t)=[\/A-Za-z0-9=+]{25}/
header     __RP_D_00081_2 Subject =~ /\b(?:order|buying)\b/i
meta       RP_D_00081 __RP_D_00081_1 && __RP_D_00081_2
describe   RP_D_00081 Link to malware
score      RP_D_00081 3.5

# MORE AXB - PENDING BUG 4691
#rawbody  MINIMAL_PAGE_128 	/\<HTML\>\<BODY\>\<\/BODY\>\<\/HTML\>/
#range    MINIMAL_PAGE_128        byte 0:128
#score    MINIMAL_PAGE_128        5.0

#fast_body       PILLS_VIAGRA     /Blue pill and all popular Meds/
#score           PILLS_VIAGRA     5.0

#NOTE 53548 - TESTING JUNKEMAIL FILTER CHECK - TESTING WITH RULES 1/2 OF DOCUMENTED
header __RCVD_IN_HOSTKARMA eval:check_rbl('HOSTKARMA-lastexternal','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_HOSTKARMA Sender listed in JunkEmailFilter
tflags __RCVD_IN_HOSTKARMA net
 
header RCVD_IN_HOSTKARMA_W eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.1')
describe RCVD_IN_HOSTKARMA_W Sender listed in HOSTKARMA-WHITE
tflags RCVD_IN_HOSTKARMA_W net nice
score RCVD_IN_HOSTKARMA_W -2.5
 
header RCVD_IN_HOSTKARMA_BL eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.2')
describe RCVD_IN_HOSTKARMA_BL Sender listed in HOSTKARMA-BLACK
tflags RCVD_IN_HOSTKARMA_BL net
score RCVD_IN_HOSTKARMA_BL 1.5
 
header RCVD_IN_HOSTKARMA_BR eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.4')
describe RCVD_IN_HOSTKARMA_BR Sender listed in HOSTKARMA-BROWN
tflags RCVD_IN_HOSTKARMA_BR net
score RCVD_IN_HOSTKARMA_BR 0.5

#Steadramon's bogus SPF rules  - https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7099 
ifplugin Mail::SpamAssassin::Plugin::AskDNS
  askdns PDS_SPF_ALL _SENDERDOMAIN_ TXT /^v=spf1 .+\+all$/
  describe PDS_SPF_ALL SPF set to +all!
  score PDS_SPF_ALL 4.5

  askdns PDS_SPF_NONE _SENDERDOMAIN_ TXT /^v=spf1 \-all$/
  describe PDS_SPF_NONE No IP is supposed to send email for this domain!
  score PDS_SPF_NONE 3.5

  askdns PDS_SPF_ONLYALL _SENDERDOMAIN_ TXT /^v=spf1 \+all$/
  describe PDS_SPF_ONLYALL SPF only +all - very lazy
  score PDS_SPF_ONLYALL 4.5
endif

# FROM DFS
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader RP_D_00086 Content-Disposition =~ /SecureMessage\.chm/
score      RP_D_00086 50
describe   RP_D_00086 SecureMessage.chm malware
endif

# FROM BENNY PEDERSEN
# sig of fill space to possible drop scanning if clients have very low
# size on how much thay send to spamassassin in size

rawbody POISEN_SPAM_PILL_1 /\ \/[a-zA-Z0-9]{5}/i
tflags POISEN_SPAM_PILL_1 multiple maxhits=1
describe POISEN_SPAM_PILL_1 random spam to be learned in bayes
score POISEN_SPAM_PILL_1 0.1 0.1 0.1 0.1

rawbody POISEN_SPAM_PILL_2 /\ \/\/[a-zA-Z0-9]{5}/i
tflags POISEN_SPAM_PILL_2 multiple maxhits=1
describe POISEN_SPAM_PILL_2 random spam to be learned in bayes
score POISEN_SPAM_PILL_2 0.1 0.1 0.1 0.1

# lets check above is in body :=)

body POISEN_SPAM_PILL_3 /\ \/[a-zA-Z0-9]{5}/i
tflags POISEN_SPAM_PILL_3 multiple maxhits=1
describe POISEN_SPAM_PILL_3 random spam to be learned in bayes
score POISEN_SPAM_PILL_3 0.1 0.1 0.1 0.1

body POISEN_SPAM_PILL_4 /\ \/\/[a-zA-Z0-9]{5}/i
tflags POISEN_SPAM_PILL_4 multiple maxhits=1
describe POISEN_SPAM_PILL_4 random spam to be learned in bayes
score POISEN_SPAM_PILL_4 0.1 0.1 0.1 0.1

# meta is now

meta POISEN_SPAM_PILL ((POISEN_SPAM_PILL_1 || POISEN_SPAM_PILL_2) && (!POISEN_SPAM_PILL_3 || !POISEN_SPAM_PILL_4))
describe POISEN_SPAM_PILL Meta: its spam
score POISEN_SPAM_PILL 0.1 0.1 0.1 0.1

#HENRIK KROHNS DEPENDENCY ISSUES FROM OLD SANDBOX
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  mimeheader      __HK_SPAMMY_CTFN        Content-Type =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
  mimeheader      __HK_SPAMMY_CDFN        Content-Disposition =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
  meta            HK_SPAMMY_FILENAME      __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN
  score           HK_SPAMMY_FILENAME      0.5
  describe        HK_SPAMMY_FILENAME      Content Type or Disposition is Spammy
endif

#KHOPESH DEPENDENCY ISSUES FROM OLD SANDBOX
meta     MALFORMED_FREEMAIL     (MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM
describe MALFORMED_FREEMAIL     Bad headers on message from free email service
score   MALFORMED_FREEMAIL     0.1

#DAVE JONES / ENA OK TO ADD TO SA DEFAULT IF PROVEN WORTHY
header          ENA_SUBJ_IS_SPACE       Subject =~ /^ $/
describe        ENA_SUBJ_IS_SPACE       Subject is a space
score           ENA_SUBJ_IS_SPACE       1.2
#Lowered score from 3.2 for testing 9/19

header          ENA_SUBJ_ONLY_SPACES    Subject =~ /^\s\s+$/
describe        ENA_SUBJ_ONLY_SPACES    Subject is only spaces commonly used by spammers to get around subject checks
score           ENA_SUBJ_ONLY_SPACES    0.2
#Lowered score from 2.2 for testing 9/19

header          ENA_SUBJ_ONLY_FWD       Subject =~ /(^Fw:\s+$|^Fw\s+$|^Fwd:\s+$|^Fwd\s+$|^Fwd: \(\d\)$|^Fwd: \[\d\]$)/i
describe        ENA_SUBJ_ONLY_FWD       Subject is only "Fwd:"
score           ENA_SUBJ_ONLY_FWD       2.2

header          ENA_SUBJ_ONLY_RE        Subject =~ /(^Re:\s+$|^Re\s+$|^Re: \(\d\)$|^Re: \[\d\]$)/i
describe        ENA_SUBJ_ONLY_RE        Subject is only "Re:"
score           ENA_SUBJ_ONLY_RE        2.2

header          ENA_SUBJ_LONG_WORD      Subject =~ /\b[^[:space:][:punct:]]{30}/
describe        ENA_SUBJ_LONG_WORD      Subject has a very long word
score           ENA_SUBJ_LONG_WORD      2.2

header          ENA_SUBJ_ODD_CASE       Subject =~ /(?:[[:lower:]][[:upper:]].{0,15}){3}/
describe        ENA_SUBJ_ODD_CASE       Subject has odd case
score           ENA_SUBJ_ODD_CASE       2.6


# David Jones <djones@ena.com>, SA users list, 2 Oct 2017

#header   USERS_FROM_SPOOF_EMAIL_DISPLAY  From =~ /\@[a-z_]+?\.[a-z]{2,3} \</i
#score    USERS_FROM_SPOOF_EMAIL_DISPLAY  0.1

#describe USERS_FROM_SPOOF_EMAIL_DISPLAY  From trying to spoof an email address in the display name

# RW <rwmaillists@googlemail.com>, SA users list, 5 Oct 2017

#header   USERS_FROM_ADDR_SPACE  From:addr =~ /\s/
#score    USERS_FROM_ADDR_SPACE  0.1


# Note 56133, SA bug 5561
#score FORGED_YAHOO_RCVD 0


# RW <rwmaillists@googlemail.com>, SA users list, 26 Apr 2019
header    BOGUS_MIME_VERSION  MIME-Version =~ /^(?!.*\b1\.0\b).+/
score     BOGUS_MIME_VERSION  0.5
describe  BOGUS_MIME_VERSION  bogus MIME-Version header

# by Paul Stead <paul.stead@zeninternet.co.uk>
if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
  # skip message signed by these DKIM senders
  fns_ignore_dkim linkedin.com googlegroups.com yahoogroups.com yahoogroups.de

  # skip messages with one or more of these headers
  fns_ignore_headers List-Id List-Post Mailing-List X-Forwarded-For

  # group similar domains to one name
  fns_add_addrlist   (GMAIL)  *@gmail.com *@googlemail.com

  # From:name and From:address don't match and owners differ
  header   __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()

  # From:name address matches To:address
  header   __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()

  meta     PDS_FROMNAME_SPOOFED_EMAIL  (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD)
  describe PDS_FROMNAME_SPOOFED_EMAIL From:name doesn't match From:address
  score    PDS_FROMNAME_SPOOFED_EMAIL 0.2

endif
endif

# by Pedro David Marcos
ifplugin Mail::SpamAssassin::Plugin::AskDNS
  uri_detail      PDM_URI_GOOGLEAPIS          text =~ /check|click|update|renew|preview/i         cleaned =~ /\.googleapis\./i
  describe        PDM_URI_GOOGLEAPIS          Rule to look for spammy Google API usage
  score           PDM_URI_GOOGLEAPIS          3.0
endif

# by Bill Cole
describe HTML_BADATTR Illegal char in HTML attribute name
rawbody  HTML_BADATTR /<[a-z]{1,10}\s[^>]{1,80}\/(src|href)\s*\=/
score    HTML_BADATTR 1.0

#RECOMMENDED BY Raymond Dijkxhoorn for SURBL to block abuses on these pages
util_rb_3tld    ct.sendgrid.net
util_rb_2tld    page.link
Commit	Line	Data
6927b9b6 SI	1	#FROM SA/MD/SARE LISTS - All consider public domain or fair use.
	2
	3	#BY Warren Sallade" <warren.sallade@ewgateway.org> for Drug Spams
	4
	5	#DISABLING DUE TO FALSE POSITIVES 2021-09-14
	6	rawbody __EWG_BAD34 />\s{0,3}V\s{0,3}</i
	7	rawbody __EWG_BAD35 />\s{0,3}I\s{0,3}</i
	8	rawbody __EWG_BAD36 />\s{0,3}A\s{0,3}</i
	9	rawbody __EWG_BAD37 />\s{0,3}G\s{0,3}</i
	10	rawbody __EWG_BAD38 />\s{0,3}R\s{0,3}</i
	11	rawbody __EWG_BAD39 />\s{0,3}A\s{0,3}</i
	12	meta EWG_VIAGRA ((__EWG_BAD34 + __EWG_BAD35 + __EWG_BAD36 + __EWG_BAD37 + __EWG_BAD38 + __EWG_BAD39) > 5)
	13	describe EWG_VIAGRA Viagra Obfuscation SPAM
	14	score EWG_VIAGRA 1.0
	15
	16	rawbody __EWG_BAD41 />\s{0,3}C\s{0,3}</i
	17	rawbody __EWG_BAD42 />\s{0,3}I\s{0,3}</i
	18	rawbody __EWG_BAD43 />\s{0,3}A\s{0,3}</i
	19	rawbody __EWG_BAD44 />\s{0,3}L\s{0,3}</i
	20	rawbody __EWG_BAD45 />\s{0,3}I\s{0,3}</i
	21	rawbody __EWG_BAD46 />\s{0,3}S\s{0,3}</i
	22	meta EWG_CIALIS ((__EWG_BAD41 + __EWG_BAD42 + __EWG_BAD43 + __EWG_BAD44 + __EWG_BAD45 + __EWG_BAD46) > 5)
	23	describe EWG_CIALIS Cialis Obfuscation spam
	24	score EWG_CIALIS 1.0
	25
	26	rawbody __EWG_BAD48 />\s{0,3}V\s{0,3}</i
	27	rawbody __EWG_BAD49 />\s{0,3}A\s{0,3}</i
	28	rawbody __EWG_BAD50 />\s{0,3}L\s{0,3}</i
	29	rawbody __EWG_BAD51 />\s{0,3}I\s{0,3}</i
	30	rawbody __EWG_BAD52 />\s{0,3}U\s{0,3}</i
	31	rawbody __EWG_BAD53 />\s{0,3}M\s{0,3}</i
	32	meta EWG_VALIUM ((__EWG_BAD48 + __EWG_BAD49 + __EWG_BAD50 + __EWG_BAD51 + __EWG_BAD52 + __EWG_BAD53) > 5)
	33	describe EWG_VALIUM Valium Obfuscation Spam
	34	score EWG_VALIUM 1.000
	35
	36	#FOR CURRENT RND_UC_CHAR SPAMS
	37	header SUBJ_RND_UC_CHAR_L Subject =~ /\%RND_UC_CHAR/
	38	describe SUBJ_RND_UC_CHAR_L Subject contains literal RND_UC_CHAR tag
	39	score SUBJ_RND_UC_CHAR_L 5.0
	40
	41	header SUBJ_RND_UC_CHAR Subject =~ /^Re:\s[A-Z]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$/
	42	describe SUBJ_RND_UC_CHAR Subject fits RND_UC_CHAR pattern
	43	score SUBJ_RND_UC_CHAR 1.0
	44
	45	uri PHARMACOURT_BIZ /\b(?:pharmacourt\|pharmawarehouse\|valuepointmeds)\.biz\b/i
	46	describe PHARMACOURT_BIZ Includes a link to spammer www.pharmacourt.biz
	47	score PHARMACOURT_BIZ 3.0
	48
	49	#meta HABEAS_VIOLATOR_LOCAL (!HABEAS_VIOLATOR && PHARMACOURT_BIZ && HABEAS_SWE)
	50	#describe HABEAS_VIOLATOR_LOCAL Spammer known to abuse Habeas mark
	51	#score HABEAS_VIOLATOR_LOCAL 16.0
	52
	53	rawbody UAH_VIAGRA_IMAGE /^<center><\!--[a-zA-Z0-9]{10,20}--><a href=.+><img src=.+\/[a-z][1-9]\.gif\" border=0><\/a><\/center>$/i
	54	describe UAH_VIAGRA_IMAGE Viagra Image
	55	score UAH_VIAGRA_IMAGE 3.0
	56
	57
	58	#INVALID QMAIL
	59	header GERMANSPAM MESSAGEID =~ /^<.[a-z].\.qmail\@.*>/
	60	describe GERMANSPAM Contains German Spam / Invalid Qmail Message ID
	61	score GERMANSPAM 3.0
	62
	63	#GOOGLE Who really uses the "I'm Feeling Lucky" button anyway? by John Wilcock
	64	uri local_GOOGLE_LUCKY /(?:\bgoogle\b).+(?:&btnI=)/i
65	describe local_GOOGLE_LUCKY Redirect through Google Feeling Lucky
66	score local_GOOGLE_LUCKY 2.0
67
68	#ZD.NET's OPEN REDIR by Raymond Dijkxhoorn
69	uri PROLO_REDIR_ZDNET_CHECK_1 /http:\/\/.*chkpt.zdnet.com\/chkpt/
70	score PROLO_REDIR_ZDNET_CHECK_1 8.0
71	describe PROLO_REDIR_ZDNET_CHECK_1 PROLO_REDIR-ZDNET CHECK_1_2_3, Body
72
73	#TINYTEXT by Jonathan Maliepaard <jon@enetworks.co.za>
74	#describe TINY_TEXT_1 Body includes very small html text
75	#rawbody TINY_TEXT_1 /FONT-SIZE: (?:1\|1.5\|2\|2.5\|3)px/i
76	#score TINY_TEXT_1 1.5
77
78	#describe TINY_TEXT_2 Body includes very small html text
79	#rawbody TINY_TEXT_2 /FONT-SIZE: (?:1\|1.5\|2\|2.5\|3)\;/i
80	#score TINY_TEXT_2 1.5
81
82
83	#HABEAS MARK TOO OFTEN FORGED
84	#REMOVED FOR 3.0SA #score HABEAS_SWE 0.0
85
86	#patch to MS Outlook 2003 has changed the headers
87	#REMOVED FOR 3.0SA #score FORGED_MUA_OUTLOOK 0.00
88
89	#SCORE ADJUSTMENTS
90	#REMOVED FOR 3.0SA #score RCVD_IN_NJABL_DIALUP 1.5
91	#REMOVED FOR 3.0SA #score RCVD_IN_DYNABLOCK 1.0
92	#REMOVED FROM RULES score DNS_FROM_OPENWHOIS 2.0
93
94	#
95	# Abusive public hosting Raymond Dijkxhoorn
96	#
97
98	uri PROLO_PUBWEB_UKGEO_CHECK1 /^http:\/\/.*uk\.geocities\.com\//
99	score PROLO_PUBWEB_UKGEO_CHECK1 5.0
100	describe PROLO_PUBWEB_UKGEO_CHECK1 PROLO_PUBWEB_UKGEO_CHECK1, Body
101
102	uri PROLO_PUBWEB_ITGEO_CHECK1 /^http:\/\/.*it\.geocities\.com\//
103	score PROLO_PUBWEB_ITGEO_CHECK1 5.0
104	describe PROLO_PUBWEB_ITGEO_CHECK1 PROLO_PUBWEB_ITGEO_CHECK1, Body
105
106	uri PROLO_PUBWEB_WWWGEO_CHECK1 /^http:\/\/.*www\.geocities\.com\//
107	score PROLO_PUBWEB_WWWGEO_CHECK1 5.0
108	describe PROLO_PUBWEB_WWWGEO_CHECK1 PROLO_PUBWEB_WWWGEO_CHECK1, Body
109
110	uri PROLO_HOSTING_PROHOSTING_CHK1 /^http:\/\/.*prohosting\.com\//
111	score PROLO_HOSTING_PROHOSTING_CHK1 5.0
112	describe PROLO_HOSTING_PROHOSTING_CHK1 PROLO_HOSTING_PROHOSTING_CHK1, Body
113
114	uri PROLO_HOSTING_XTHOST_CHK1 /^http:\/\/.*xthost\.info\//
115	score PROLO_HOSTING_XTHOST_CHK1 5.0
116	describe PROLO_HOSTING_XTHOST_CHK1 PROLO_HOSTING_XTHOST_CHK1, Body
117
118	uri PROLO_HOSTING_NET4FREE_CHK1 /^http:\/\/.*net4free\.org\//
119	score PROLO_HOSTING_NET4FREE_CHK1 5.0
120	describe PROLO_HOSTING_NET4FREE_CHK1 PROLO_HOSTING_NET4FREE_CHK1, Body
121
122	#Raymond's SA Rules for Tripod Spams from Leo
123	body PROLO_LEO1 /85\,45\|1\,21/
124	body PROLO_LEO2 /69\,95\|3\,33/
125	body PROLO_LEO3 /99\,95\|3\,75/
126	uri PROLO_LEO4 /http:\/\/.*\.tripod\.com/
127	meta PROLO_LEO_M1 (PROLO_LEO1 && PROLO_LEO2 && PROLO_LEO3 && PROLO_LEO4)
128
129	score PROLO_LEO1 0.1
130	score PROLO_LEO2 0.1
131	score PROLO_LEO3 0.1
132	score PROLO_LEO4 0.1
133	score PROLO_LEO_M1 8
134
135	describe PROLO_LEO1 Meta Catches all Leo drug variations so far
136	describe PROLO_LEO2 Meta Catches all Leo drug variations so far
137	describe PROLO_LEO3 Meta Catches all Leo drug variations so far
138	describe PROLO_LEO4 Meta to catch Leo now using Tripod
139	describe PROLO_LEO_M1 Catches all Leo drug variations so far
140
141	#JUNK SCORES TO RECREATE ROUNDING BUG
142	#score RDNS_NONE 0.0
143	#header TEMP Received =~ /64.18.1.27/
144	#score TEMP -0.5
145	#score KAM_LIVE 0.0
146
147	#DFS Rule for Warning: Malformed MIME virus in the wild 10-10-2013
148	full __RP_ZIP_TYPE /name\s{0,2}=\s{0,2}.{0,80}\.zip/i
149	full __RP_EMPTY_CTYPE /Content-Type:\s{0,4};/i
150	meta RP_ZIP_ECTYP __RP_EMPTY_CTYPE && __RP_ZIP_TYPE
151	describe RP_ZIP_ECTYP Zip file attachment with bogus Content-Type: header
152	score RP_ZIP_ECTYP 15
153
154	#AXB TEXTAREA
155	rawbody __AXB_RAW_TXTRO1 /\<textarea name\=\"textmain\" readonly\=\"readonly\" style\=\"width\:/
156	rawbody __AXB_RAW_TXTRO2 /\<textarea readonly\=\"readonly\" name\=\"textmain\" style\=\"width\:/
157	meta AXB_RAW_TXTRO (__AXB_RAW_TXTRO1 + __AXB_RAW_TXTRO2 >= 2)
158	describe AXB_RAW_TXTRO R/O Textarea
159	score AXB_RAW_TXTRO 5.0
160
161	##########################################################################
162	# - Find messages with eight or more html break characters in it.
163	# - From: Kevin Miller <Kevin_Miller@ci.juneau.ak.us>
164	##########################################################################
165
166	# HTML <BR>
167	rawbody __CBJ_GiveMeABreak1 /(?:<\/?br ?\/?>[\s\r\n]{0,4}){8}/mi
168
169	# NEWLINES - DISABLED
170	rawbody __CBJ_GiveMeABreak2 /(?:[\r\n]){8}/mi
171
172	# EMPTY TABLE ROWS
173	rawbody __CBJ_GiveMeABreak3 /(?:<tr><td><\/td><\/tr>[\r\n]{0,4}){4}/mi
174
175	# EMPTY PARAGRAPHS
176	rawbody __CBJ_GiveMeABreak4 /(?:<p[^>]> <\/p>\s){4}\|(?:<div[^>]> <\/div>\s){4}/mi
177
178	meta CBJ_GiveMeABreak (__CBJ_GiveMeABreak1 + __CBJ_GiveMeABreak3 + __CBJ_GiveMeABreak4 >= 1)
179	describe CBJ_GiveMeABreak Messages with consecutive break characters
180	score CBJ_GiveMeABreak 1.75
181
182	# FIX FOR THE FAILURE THAT IS OUTLOOK
183	meta MSGID_MULTIPLE_AT_OUTLOOK (MSGID_MULTIPLE_AT && __ANY_OUTLOOK_MUA && !MSGID_OUTLOOK_INVALID)
184	score MSGID_MULTIPLE_AT_OUTLOOK -1.00
185	describe MSGID_MULTIPLE_AT_OUTLOOK Undo MSGID_MULTIPLE_AT for Outlook MUAs that fail at standards
186
187	# SPAM THAT SAYS IT IS SPAM
188	header AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~ /^SFV\:SPM/
189	describe AXB_X_FF_SEZ_S Forefront says this is spam
190	score AXB_X_FF_SEZ_S 1.5
191
192	# HACKED WORDPRESS SITES
193	uri __RP_D_00069_1 /\/wp-content\/(?:plugins\|themes)\/.*\.php/is
194	uri __RP_D_00069_2 /\/wp-includes\/.*\.php/is
195	meta RP_D_00069 __RP_D_00069_1 \|\| __RP_D_00069_2
196	describe RP_D_00069 Contains URL that may point to hacked WordPress site
197	score RP_D_00069 1.2
198
199	#lowering score on this rule from 1.5 to 1.2 and the stock URI_WP_HACKED_2 to 2.1
200	score URI_WP_HACKED_2 2.1
201
202	# from John Hardin <jhardin@impsec.org>
203	# reported on users list 09/2014 George Johnson <georgejohnson@talaya.net>
204	header __RAND_HEADER ALL =~ /^(?!Accept-Language\|Authentication-Results\|Content-\|DomainKey-Signature\|DKIM-\|List-\|MIME-\|Received-SPF\|Return-Path\|Thread-\|User-Agent)(?:[a-z]{4,}-[a-z]{3,}\|[a-z]{3,}-[a-z]{5,}):\s+(?:\d{3,}[-\.][0-9a-f]{6,}\|\d{6,}(?:[-\.]\d{2,5})?\|[0-9a-f]{30,})$/ism
205	tflags __RAND_HEADER multiple maxhits=5
206	meta RAND_HEADER_MANY __RAND_HEADER > 4
207	describe RAND_HEADER_MANY Many random gibberish message headers
208	score RAND_HEADER_MANY 1.500 # limit
209
210
211	uri AXB_URI_MLW_DROPBOX /\/(dropbox\|googlebox)\/(document\|doc\|invoice)\.php$/
212	score AXB_URI_MLW_DROPBOX 100
213
214	# from axb - the .link tld is completely useless and spam-ridden
215	# FP from 2017-09-12 removed
216	if (version >= 3.004000)
217	#blacklist_uri_host link
218	endif
219
220	# COSTCO SPAM RULE FROM DIANNE F SKOLL
221	uri __RP_D_00081_1 /\.php\?(?:dp\|k\|c\|t)=[\/A-Za-z0-9=+]{25}/
222	header __RP_D_00081_2 Subject =~ /\b(?:order\|buying)\b/i
223	meta RP_D_00081 __RP_D_00081_1 && __RP_D_00081_2
224	describe RP_D_00081 Link to malware
225	score RP_D_00081 3.5
226
227	# MORE AXB - PENDING BUG 4691
228	#rawbody MINIMAL_PAGE_128 /\<HTML\>\<BODY\>\<\/BODY\>\<\/HTML\>/
229	#range MINIMAL_PAGE_128 byte 0:128
230	#score MINIMAL_PAGE_128 5.0
231
232	#fast_body PILLS_VIAGRA /Blue pill and all popular Meds/
233	#score PILLS_VIAGRA 5.0
234
235	#NOTE 53548 - TESTING JUNKEMAIL FILTER CHECK - TESTING WITH RULES 1/2 OF DOCUMENTED
236	header __RCVD_IN_HOSTKARMA eval:check_rbl('HOSTKARMA-lastexternal','hostkarma.junkemailfilter.com.')
237	describe __RCVD_IN_HOSTKARMA Sender listed in JunkEmailFilter
238	tflags __RCVD_IN_HOSTKARMA net
239
240	header RCVD_IN_HOSTKARMA_W eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.1')
241	describe RCVD_IN_HOSTKARMA_W Sender listed in HOSTKARMA-WHITE
242	tflags RCVD_IN_HOSTKARMA_W net nice
243	score RCVD_IN_HOSTKARMA_W -2.5
244
245	header RCVD_IN_HOSTKARMA_BL eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.2')
246	describe RCVD_IN_HOSTKARMA_BL Sender listed in HOSTKARMA-BLACK
247	tflags RCVD_IN_HOSTKARMA_BL net
248	score RCVD_IN_HOSTKARMA_BL 1.5
249
250	header RCVD_IN_HOSTKARMA_BR eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.4')
251	describe RCVD_IN_HOSTKARMA_BR Sender listed in HOSTKARMA-BROWN
252	tflags RCVD_IN_HOSTKARMA_BR net
253	score RCVD_IN_HOSTKARMA_BR 0.5
254
255	#Steadramon's bogus SPF rules - https://issues.apache.org/SpamAssassin/show_bug.cgi?id=7099
256	ifplugin Mail::SpamAssassin::Plugin::AskDNS
257	askdns PDS_SPF_ALL _SENDERDOMAIN_ TXT /^v=spf1 .+\+all$/
258	describe PDS_SPF_ALL SPF set to +all!
259	score PDS_SPF_ALL 4.5
260
261	askdns PDS_SPF_NONE _SENDERDOMAIN_ TXT /^v=spf1 \-all$/
262	describe PDS_SPF_NONE No IP is supposed to send email for this domain!
263	score PDS_SPF_NONE 3.5
264
265	askdns PDS_SPF_ONLYALL _SENDERDOMAIN_ TXT /^v=spf1 \+all$/
266	describe PDS_SPF_ONLYALL SPF only +all - very lazy
267	score PDS_SPF_ONLYALL 4.5
268	endif
269
270	# FROM DFS
271	ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
272	mimeheader RP_D_00086 Content-Disposition =~ /SecureMessage\.chm/
273	score RP_D_00086 50
274	describe RP_D_00086 SecureMessage.chm malware
275	endif
276
277	# FROM BENNY PEDERSEN
278	# sig of fill space to possible drop scanning if clients have very low
279	# size on how much thay send to spamassassin in size
280
281	rawbody POISEN_SPAM_PILL_1 /\ \/[a-zA-Z0-9]{5}/i
282	tflags POISEN_SPAM_PILL_1 multiple maxhits=1
283	describe POISEN_SPAM_PILL_1 random spam to be learned in bayes
284	score POISEN_SPAM_PILL_1 0.1 0.1 0.1 0.1
285
286	rawbody POISEN_SPAM_PILL_2 /\ \/\/[a-zA-Z0-9]{5}/i
287	tflags POISEN_SPAM_PILL_2 multiple maxhits=1
288	describe POISEN_SPAM_PILL_2 random spam to be learned in bayes
289	score POISEN_SPAM_PILL_2 0.1 0.1 0.1 0.1
290
291	# lets check above is in body :=)
292
293	body POISEN_SPAM_PILL_3 /\ \/[a-zA-Z0-9]{5}/i
294	tflags POISEN_SPAM_PILL_3 multiple maxhits=1
295	describe POISEN_SPAM_PILL_3 random spam to be learned in bayes
296	score POISEN_SPAM_PILL_3 0.1 0.1 0.1 0.1
297
298	body POISEN_SPAM_PILL_4 /\ \/\/[a-zA-Z0-9]{5}/i
299	tflags POISEN_SPAM_PILL_4 multiple maxhits=1
300	describe POISEN_SPAM_PILL_4 random spam to be learned in bayes
301	score POISEN_SPAM_PILL_4 0.1 0.1 0.1 0.1
302
303	# meta is now
304
305	meta POISEN_SPAM_PILL ((POISEN_SPAM_PILL_1 \|\| POISEN_SPAM_PILL_2) && (!POISEN_SPAM_PILL_3 \|\| !POISEN_SPAM_PILL_4))
306	describe POISEN_SPAM_PILL Meta: its spam
307	score POISEN_SPAM_PILL 0.1 0.1 0.1 0.1
308
309	#HENRIK KROHNS DEPENDENCY ISSUES FROM OLD SANDBOX
310	ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
311	mimeheader __HK_SPAMMY_CTFN Content-Type =~ /name=.*?(?:lot(?:eri[ej]\|t(?:ery\|o))\|award\|prize\|winn(?:er\|ing)\|microsoft\|congrat\|urgent)/mi
312	mimeheader __HK_SPAMMY_CDFN Content-Disposition =~ /name=.*?(?:lot(?:eri[ej]\|t(?:ery\|o))\|award\|prize\|winn(?:er\|ing)\|microsoft\|congrat\|urgent)/mi
313	meta HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN \|\| __HK_SPAMMY_CDFN
314	score HK_SPAMMY_FILENAME 0.5
315	describe HK_SPAMMY_FILENAME Content Type or Disposition is Spammy
316	endif
317
318	#KHOPESH DEPENDENCY ISSUES FROM OLD SANDBOX
319	meta MALFORMED_FREEMAIL (MISSING_HEADERS\|\|__HDRS_LCASE) && FREEMAIL_FROM
320	describe MALFORMED_FREEMAIL Bad headers on message from free email service
321	score MALFORMED_FREEMAIL 0.1
322
323	#DAVE JONES / ENA OK TO ADD TO SA DEFAULT IF PROVEN WORTHY
324	header ENA_SUBJ_IS_SPACE Subject =~ /^ $/
325	describe ENA_SUBJ_IS_SPACE Subject is a space
326	score ENA_SUBJ_IS_SPACE 1.2
327	#Lowered score from 3.2 for testing 9/19
328
329	header ENA_SUBJ_ONLY_SPACES Subject =~ /^\s\s+$/
330	describe ENA_SUBJ_ONLY_SPACES Subject is only spaces commonly used by spammers to get around subject checks
331	score ENA_SUBJ_ONLY_SPACES 0.2
332	#Lowered score from 2.2 for testing 9/19
333
334	header ENA_SUBJ_ONLY_FWD Subject =~ /(^Fw:\s+$\|^Fw\s+$\|^Fwd:\s+$\|^Fwd\s+$\|^Fwd: \(\d\)$\|^Fwd: \[\d\]$)/i
335	describe ENA_SUBJ_ONLY_FWD Subject is only "Fwd:"
336	score ENA_SUBJ_ONLY_FWD 2.2
337
338	header ENA_SUBJ_ONLY_RE Subject =~ /(^Re:\s+$\|^Re\s+$\|^Re: \(\d\)$\|^Re: \[\d\]$)/i
339	describe ENA_SUBJ_ONLY_RE Subject is only "Re:"
340	score ENA_SUBJ_ONLY_RE 2.2
341
342	header ENA_SUBJ_LONG_WORD Subject =~ /\b[^[:space:][:punct:]]{30}/
343	describe ENA_SUBJ_LONG_WORD Subject has a very long word
344	score ENA_SUBJ_LONG_WORD 2.2
345
346	header ENA_SUBJ_ODD_CASE Subject =~ /(?:[[:lower:]][[:upper:]].{0,15}){3}/
347	describe ENA_SUBJ_ODD_CASE Subject has odd case
348	score ENA_SUBJ_ODD_CASE 2.6
349
350
351	# David Jones <djones@ena.com>, SA users list, 2 Oct 2017
352
353	#header USERS_FROM_SPOOF_EMAIL_DISPLAY From =~ /\@[a-z_]+?\.[a-z]{2,3} \</i
354	#score USERS_FROM_SPOOF_EMAIL_DISPLAY 0.1
355
356	#describe USERS_FROM_SPOOF_EMAIL_DISPLAY From trying to spoof an email address in the display name
357
358	# RW <rwmaillists@googlemail.com>, SA users list, 5 Oct 2017
359
360	#header USERS_FROM_ADDR_SPACE From:addr =~ /\s/
361	#score USERS_FROM_ADDR_SPACE 0.1
362
363
364	# Note 56133, SA bug 5561
365	#score FORGED_YAHOO_RCVD 0
366
367
368	# RW <rwmaillists@googlemail.com>, SA users list, 26 Apr 2019
369	header BOGUS_MIME_VERSION MIME-Version =~ /^(?!.*\b1\.0\b).+/
370	score BOGUS_MIME_VERSION 0.5
371	describe BOGUS_MIME_VERSION bogus MIME-Version header
372
373	# by Paul Stead <paul.stead@zeninternet.co.uk>
374	if (version >= 3.004000)
375	ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
376	# skip message signed by these DKIM senders
377	fns_ignore_dkim linkedin.com googlegroups.com yahoogroups.com yahoogroups.de
378
379	# skip messages with one or more of these headers
380	fns_ignore_headers List-Id List-Post Mailing-List X-Forwarded-For
381
382	# group similar domains to one name
383	fns_add_addrlist (GMAIL) @gmail.com @googlemail.com
384
385	# From:name and From:address don't match and owners differ
386	header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
387
388	# From:name address matches To:address
389	header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()
390
391	meta PDS_FROMNAME_SPOOFED_EMAIL (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD)
392	describe PDS_FROMNAME_SPOOFED_EMAIL From:name doesn't match From:address
393	score PDS_FROMNAME_SPOOFED_EMAIL 0.2
394
395	endif
396	endif
397
398	# by Pedro David Marcos
399	ifplugin Mail::SpamAssassin::Plugin::AskDNS
400	uri_detail PDM_URI_GOOGLEAPIS text =~ /check\|click\|update\|renew\|preview/i cleaned =~ /\.googleapis\./i
401	describe PDM_URI_GOOGLEAPIS Rule to look for spammy Google API usage
402	score PDM_URI_GOOGLEAPIS 3.0
403	endif
404
10758bc6 SI	405	# by Bill Cole
	406	describe HTML_BADATTR Illegal char in HTML attribute name
	407	rawbody HTML_BADATTR /<[a-z]{1,10}\s[^>]{1,80}\/(src\|href)\s*\=/
	408	score HTML_BADATTR 1.0
	409
6927b9b6 SI	410	#RECOMMENDED BY Raymond Dijkxhoorn for SURBL to block abuses on these pages
	411	util_rb_3tld ct.sendgrid.net
	412	util_rb_2tld page.link
	413