]> git.proxmox.com Git - proxmox-spamassassin.git/blame - sa-updates/72_active.cf
projects / proxmox-spamassassin.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
update SpamAssassin signatures
[proxmox-spamassassin.git] / sa-updates / 72_active.cf
CommitLineData
b780ea8d
SI		 1# SpamAssassin rules file
2#
3# Please don't modify this file as your changes will be overwritten with
4# the next update. Use /etc/mail/spamassassin/local.cf instead.
5# See 'perldoc Mail::SpamAssassin::Conf' for details.
6#
7# <@LICENSE>
8# Licensed to the Apache Software Foundation (ASF) under one or more
9# contributor license agreements. See the NOTICE file distributed with
10# this work for additional information regarding copyright ownership.
11# The ASF licenses this file to you under the Apache License, Version 2.0
12# (the "License"); you may not use this file except in compliance with
13# the License. You may obtain a copy of the License at:
14#
15# http://www.apache.org/licenses/LICENSE-2.0
16#
17# Unless required by applicable law or agreed to in writing, software
18# distributed under the License is distributed on an "AS IS" BASIS,
19# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20# See the License for the specific language governing permissions and
21# limitations under the License.
22# </@LICENSE>
23#
24###########################################################################
25
21dcadbf
SI		 26require_version 4.000000
27
28##{ ACCT_PHISHING_MANY
29
30meta ACCT_PHISHING_MANY (__ACCT_PHISH_MANY || __EMAIL_PHISH_MANY) && !GOOGLE_DOCS_PHISH_MANY && !GOOG_STO_HTML_PHISH_MANY
31describe ACCT_PHISHING_MANY Phishing for account information
32#score ACCT_PHISHING_MANY 3.000 # limit
33##} ACCT_PHISHING_MANY
b780ea8d 34
b780ea8d
SI		 35##{ AC_BR_BONANZA
36
37rawbody AC_BR_BONANZA /(?:<br>\s*){30}/i
38describe AC_BR_BONANZA Too many newlines in a row... spammy template
39#score AC_BR_BONANZA 0.001
40tflags AC_BR_BONANZA publish
41##} AC_BR_BONANZA
42
43##{ AC_DIV_BONANZA
44
45rawbody AC_DIV_BONANZA /(?:<div>(?:\s*<\/div>)?\s*){10}/i
46describe AC_DIV_BONANZA Too many divs in a row... spammy template
47#score AC_DIV_BONANZA 0.001
48tflags AC_DIV_BONANZA publish
49##} AC_DIV_BONANZA
50
51##{ AC_FROM_MANY_DOTS
52
53meta AC_FROM_MANY_DOTS __AC_FROM_MANY_DOTS_MINFP
54#score AC_FROM_MANY_DOTS 3.000 # limit
55describe AC_FROM_MANY_DOTS Multiple periods in From user name
56tflags AC_FROM_MANY_DOTS publish
57##} AC_FROM_MANY_DOTS
58
59##{ AC_HTML_NONSENSE_TAGS
60
61rawbody AC_HTML_NONSENSE_TAGS /(?:<[A-Za-z0-9]{4,}>\s*){10}/
62describe AC_HTML_NONSENSE_TAGS Many consecutive multi-letter HTML tags, likely nonsense/spam
63#score AC_HTML_NONSENSE_TAGS 2.0
64tflags AC_HTML_NONSENSE_TAGS publish
65##} AC_HTML_NONSENSE_TAGS
66
67##{ AC_POST_EXTRAS
68
69meta AC_POST_EXTRAS __AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_ID
70describe AC_POST_EXTRAS Suspicious URL
71#score AC_POST_EXTRAS 2.500 # limit
72tflags AC_POST_EXTRAS publish
73##} AC_POST_EXTRAS
74
75##{ AC_SPAMMY_URI_PATTERNS1
76
77meta AC_SPAMMY_URI_PATTERNS1 (__AC_OUTL_URI && __AC_OUTI_URI)
78describe AC_SPAMMY_URI_PATTERNS1 link combos match highly spammy template
79#score AC_SPAMMY_URI_PATTERNS1 4.0
80tflags AC_SPAMMY_URI_PATTERNS1 publish
81##} AC_SPAMMY_URI_PATTERNS1
82
83##{ AC_SPAMMY_URI_PATTERNS10
84
85meta AC_SPAMMY_URI_PATTERNS10 __AC_PUNCTNUMS_URI
86describe AC_SPAMMY_URI_PATTERNS10 link combos match highly spammy template
87#score AC_SPAMMY_URI_PATTERNS10 4.0
88tflags AC_SPAMMY_URI_PATTERNS10 publish
89##} AC_SPAMMY_URI_PATTERNS10
90
91##{ AC_SPAMMY_URI_PATTERNS11
92
93meta AC_SPAMMY_URI_PATTERNS11 __AC_NDOMLONGNASPX_URI
94describe AC_SPAMMY_URI_PATTERNS11 link combos match highly spammy template
95#score AC_SPAMMY_URI_PATTERNS11 4.0
96tflags AC_SPAMMY_URI_PATTERNS11 publish
97##} AC_SPAMMY_URI_PATTERNS11
98
99##{ AC_SPAMMY_URI_PATTERNS12
100
101meta AC_SPAMMY_URI_PATTERNS12 (__AC_CHDSEQ_URI && __AC_MHDSEQ_URI && __AC_UHDSEQ_URI)
102describe AC_SPAMMY_URI_PATTERNS12 link combos match highly spammy template
103#score AC_SPAMMY_URI_PATTERNS12 4.0
104tflags AC_SPAMMY_URI_PATTERNS12 publish
105##} AC_SPAMMY_URI_PATTERNS12
106
107##{ AC_SPAMMY_URI_PATTERNS2
108
109meta AC_SPAMMY_URI_PATTERNS2 (__AC_LAND_URI && __AC_UNSUB_URI && __AC_REPORT_URI)
110describe AC_SPAMMY_URI_PATTERNS2 link combos match highly spammy template
111#score AC_SPAMMY_URI_PATTERNS2 4.0
112tflags AC_SPAMMY_URI_PATTERNS2 publish
113##} AC_SPAMMY_URI_PATTERNS2
114
115##{ AC_SPAMMY_URI_PATTERNS3
116
117meta AC_SPAMMY_URI_PATTERNS3 (__AC_PHPOFFTOP_URI && __AC_PHPOFFSUB_URI)
118describe AC_SPAMMY_URI_PATTERNS3 link combos match highly spammy template
119#score AC_SPAMMY_URI_PATTERNS3 4.0
120tflags AC_SPAMMY_URI_PATTERNS3 publish
121##} AC_SPAMMY_URI_PATTERNS3
122
123##{ AC_SPAMMY_URI_PATTERNS4
124
125meta AC_SPAMMY_URI_PATTERNS4 __AC_NUMS_URI
126describe AC_SPAMMY_URI_PATTERNS4 link combos match highly spammy template
127#score AC_SPAMMY_URI_PATTERNS4 4.0
128tflags AC_SPAMMY_URI_PATTERNS4 publish
129##} AC_SPAMMY_URI_PATTERNS4
130
131##{ AC_SPAMMY_URI_PATTERNS8
132
133meta AC_SPAMMY_URI_PATTERNS8 __AC_LONGSEQ_URI
134describe AC_SPAMMY_URI_PATTERNS8 link combos match highly spammy template
135#score AC_SPAMMY_URI_PATTERNS8 4.0
136tflags AC_SPAMMY_URI_PATTERNS8 publish
137##} AC_SPAMMY_URI_PATTERNS8
138
139##{ AC_SPAMMY_URI_PATTERNS9
140
141meta AC_SPAMMY_URI_PATTERNS9 (__AC_1SEQC_URI && (__AC_1SEQV_URI || __AC_RMOVE_URI))
142describe AC_SPAMMY_URI_PATTERNS9 link combos match highly spammy template
143#score AC_SPAMMY_URI_PATTERNS9 4.0
144tflags AC_SPAMMY_URI_PATTERNS9 publish
145##} AC_SPAMMY_URI_PATTERNS9
146
147##{ ADMAIL
148
149meta ADMAIL __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS
150describe ADMAIL "admail" and variants
151tflags ADMAIL publish
152##} ADMAIL
153
154##{ ADMITS_SPAM
155
156meta ADMITS_SPAM __ADMITS_SPAM && !__FROM_LOWER && !__MSGID_JAVAMAIL && !__HAS_CAMPAIGNID && !__STY_INVIS_2 && !__LYRIS_EZLM_REMAILER && !__RCD_RDNS_OB
157describe ADMITS_SPAM Admits this is an ad
158tflags ADMITS_SPAM publish
159##} ADMITS_SPAM
160
46cfc9e2
SI		 161##{ ADULT_DATING_COMPANY
162
163meta ADULT_DATING_COMPANY __ADULTDATINGCOMPANY_BODY || __ADULTDATINGCOMPANY_FROM || __ADULTDATINGCOMPANY_REPTO
164#score ADULT_DATING_COMPANY 10.000 # limit
165tflags ADULT_DATING_COMPANY publish
166##} ADULT_DATING_COMPANY
167
b780ea8d
SI		 168##{ ADVANCE_FEE_2_NEW_FORM
169
170meta ADVANCE_FEE_2_NEW_FORM (__ADVANCE_FEE_2_NEW_FORM && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__FROM_LOWER && !__HAS_X_LOOP
171describe ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form
172#score ADVANCE_FEE_2_NEW_FORM 2.000 # limit
173tflags ADVANCE_FEE_2_NEW_FORM publish
174##} ADVANCE_FEE_2_NEW_FORM
175
176##{ ADVANCE_FEE_2_NEW_FRM_MNY
177
178meta ADVANCE_FEE_2_NEW_FRM_MNY (__ADVANCE_FEE_2_NEW_FRM_MNY && !__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP
179describe ADVANCE_FEE_2_NEW_FRM_MNY Advance Fee fraud form and lots of money
180#score ADVANCE_FEE_2_NEW_FRM_MNY 2.500
181tflags ADVANCE_FEE_2_NEW_FRM_MNY publish
182##} ADVANCE_FEE_2_NEW_FRM_MNY
183
184##{ ADVANCE_FEE_2_NEW_MONEY
185
186meta ADVANCE_FEE_2_NEW_MONEY (__ADVANCE_FEE_2_NEW_MONEY && !__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
187describe ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
188#score ADVANCE_FEE_2_NEW_MONEY 2.000 # limit
189tflags ADVANCE_FEE_2_NEW_MONEY publish
190##} ADVANCE_FEE_2_NEW_MONEY
191
192##{ ADVANCE_FEE_3_NEW
193
194meta ADVANCE_FEE_3_NEW (__ADVANCE_FEE_3_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_4_NEW && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__HAS_SENDER && !__HAS_X_LOOP && !__TO_YOUR_ORG && !__BUGGED_IMG
195describe ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419)
196#score ADVANCE_FEE_3_NEW 3.5 # limit
197tflags ADVANCE_FEE_3_NEW publish
198##} ADVANCE_FEE_3_NEW
199
200##{ ADVANCE_FEE_3_NEW_FORM
201
202meta ADVANCE_FEE_3_NEW_FORM (__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__THREADED && !__HAS_SENDER && !__FROM_LOWER && !__HAS_X_LOOP
203describe ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form
204tflags ADVANCE_FEE_3_NEW_FORM publish
205##} ADVANCE_FEE_3_NEW_FORM
206
207##{ ADVANCE_FEE_3_NEW_FRM_MNY
208
209meta ADVANCE_FEE_3_NEW_FRM_MNY (__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP
210describe ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money
211tflags ADVANCE_FEE_3_NEW_FRM_MNY publish
212##} ADVANCE_FEE_3_NEW_FRM_MNY
213
214##{ ADVANCE_FEE_3_NEW_MONEY
215
216meta ADVANCE_FEE_3_NEW_MONEY (__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
217describe ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
218tflags ADVANCE_FEE_3_NEW_MONEY publish
219##} ADVANCE_FEE_3_NEW_MONEY
220
221##{ ADVANCE_FEE_4_NEW
222
223meta ADVANCE_FEE_4_NEW (__ADVANCE_FEE_4_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__HAS_ERRORS_TO && !__HAS_X_LOOP && !__BUGGED_IMG
224describe ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419)
225tflags ADVANCE_FEE_4_NEW publish
226##} ADVANCE_FEE_4_NEW
227
228##{ ADVANCE_FEE_4_NEW_FORM
229
230meta ADVANCE_FEE_4_NEW_FORM (__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM)
231describe ADVANCE_FEE_4_NEW_FORM Advance Fee fraud and a form
232tflags ADVANCE_FEE_4_NEW_FORM publish
233##} ADVANCE_FEE_4_NEW_FORM
234
235##{ ADVANCE_FEE_4_NEW_FRM_MNY
236
237meta ADVANCE_FEE_4_NEW_FRM_MNY (__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY)
238describe ADVANCE_FEE_4_NEW_FRM_MNY Advance Fee fraud form and lots of money
239tflags ADVANCE_FEE_4_NEW_FRM_MNY publish
240##} ADVANCE_FEE_4_NEW_FRM_MNY
241
242##{ ADVANCE_FEE_4_NEW_MONEY
243
244meta ADVANCE_FEE_4_NEW_MONEY (__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG
245describe ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money
246tflags ADVANCE_FEE_4_NEW_MONEY publish
247##} ADVANCE_FEE_4_NEW_MONEY
248
249##{ ADVANCE_FEE_5_NEW
250
251meta ADVANCE_FEE_5_NEW (__ADVANCE_FEE_5_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY) && !__BUGGED_IMG
252describe ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419)
253tflags ADVANCE_FEE_5_NEW publish
254##} ADVANCE_FEE_5_NEW
255
256##{ ADVANCE_FEE_5_NEW_FORM
257
258meta ADVANCE_FEE_5_NEW_FORM __ADVANCE_FEE_5_NEW_FORM
259describe ADVANCE_FEE_5_NEW_FORM Advance Fee fraud and a form
260tflags ADVANCE_FEE_5_NEW_FORM publish
261##} ADVANCE_FEE_5_NEW_FORM
262
263##{ ADVANCE_FEE_5_NEW_FRM_MNY
264
265meta ADVANCE_FEE_5_NEW_FRM_MNY __ADVANCE_FEE_5_NEW_FRM_MNY
266describe ADVANCE_FEE_5_NEW_FRM_MNY Advance Fee fraud form and lots of money
267tflags ADVANCE_FEE_5_NEW_FRM_MNY publish
268##} ADVANCE_FEE_5_NEW_FRM_MNY
269
270##{ ADVANCE_FEE_5_NEW_MONEY
271
272meta ADVANCE_FEE_5_NEW_MONEY __ADVANCE_FEE_5_NEW_MONEY && !__BOUNCE_CTYPE && !__BUGGED_IMG
273describe ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money
274tflags ADVANCE_FEE_5_NEW_MONEY publish
275##} ADVANCE_FEE_5_NEW_MONEY
276
277##{ AD_PREFS
278
279body AD_PREFS /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i
280describe AD_PREFS Advertising preferences
281#score AD_PREFS 0.500 # limit
282tflags AD_PREFS publish
283##} AD_PREFS
284
285##{ ALIBABA_IMG_NOT_RCVD_ALI
286
287meta ALIBABA_IMG_NOT_RCVD_ALI __ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASE
288#score ALIBABA_IMG_NOT_RCVD_ALI 2.500 # limit
289describe ALIBABA_IMG_NOT_RCVD_ALI Alibaba hosted image but message not from Alibaba
290tflags ALIBABA_IMG_NOT_RCVD_ALI publish
291##} ALIBABA_IMG_NOT_RCVD_ALI
292
293##{ AMAZON_IMG_NOT_RCVD_AMZN
294
46cfc9e2 295meta AMAZON_IMG_NOT_RCVD_AMZN __AMAZON_IMG_NOT_RCVD_AMZN && !__HDR_RCVD_KEEPA && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST && !__URI_PRODUCT_AMAZON && !__HAS_ERRORS_TO
b780ea8d
SI		 296#score AMAZON_IMG_NOT_RCVD_AMZN 2.500 # limit
297describe AMAZON_IMG_NOT_RCVD_AMZN Amazon hosted image but message not from Amazon
298tflags AMAZON_IMG_NOT_RCVD_AMZN publish
299##} AMAZON_IMG_NOT_RCVD_AMZN
300
301##{ APOSTROPHE_FROM
302
303header APOSTROPHE_FROM From:addr =~ /'/
304describe APOSTROPHE_FROM From address contains an apostrophe
305##} APOSTROPHE_FROM
306
307##{ APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
308
309if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
310 meta APP_DEVELOPMENT_FREEM __APP_DEVELOPMENT_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
311 describe APP_DEVELOPMENT_FREEM App development pitch, freemail or CHN replyto
312# score APP_DEVELOPMENT_FREEM 3.500 # limit
313 tflags APP_DEVELOPMENT_FREEM publish
314endif
315##} APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
316
317##{ APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
318
319if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
320 meta APP_DEVELOPMENT_NORDNS __APP_DEVELOPMENT && __RDNS_NONE
321 describe APP_DEVELOPMENT_NORDNS App development pitch, no rDNS
322# score APP_DEVELOPMENT_NORDNS 2.000 # limit
323 tflags APP_DEVELOPMENT_NORDNS publish
324endif
325##} APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
326
327##{ AXB_XMAILER_MIMEOLE_OL_024C2
328
329meta AXB_XMAILER_MIMEOLE_OL_024C2 (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2)
330describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait
331##} AXB_XMAILER_MIMEOLE_OL_024C2
332
b780ea8d
SI		 333##{ BANKING_LAWS
334
335body BANKING_LAWS /banking laws/i
336describe BANKING_LAWS Talks about banking laws
337##} BANKING_LAWS
338
339##{ BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
340
341ifplugin Mail::SpamAssassin::Plugin::MIMEEval
342body BASE64_LENGTH_78_79 eval:check_base64_length('78','79')
343endif
344##} BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval
345
346##{ BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval
347
348ifplugin Mail::SpamAssassin::Plugin::MIMEEval
349describe BASE64_LENGTH_79_INF base64 encoded email part uses line length of 78 or 79 characters
350body BASE64_LENGTH_79_INF eval:check_base64_length('79')
351describe BASE64_LENGTH_79_INF base64 encoded email part uses line length greater than 79 characters
352endif
353##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval
354
31955ede
SI		 355##{ BEBEE_IMG_NOT_RCVD_BB
356
357meta BEBEE_IMG_NOT_RCVD_BB __BEBEE_IMG_NOT_RCVD_BB
358#score BEBEE_IMG_NOT_RCVD_BB 2.000 # limit
359describe BEBEE_IMG_NOT_RCVD_BB Bebee hosted image but message not from Bebee
360tflags BEBEE_IMG_NOT_RCVD_BB publish
361##} BEBEE_IMG_NOT_RCVD_BB
362
b780ea8d
SI		 363##{ BIGNUM_EMAILS_FREEM
364
365meta BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS_FREEM
366describe BIGNUM_EMAILS_FREEM Lots of email addresses/leads, free email account
367#score BIGNUM_EMAILS_FREEM 3.00 # limit
368tflags BIGNUM_EMAILS_FREEM publish
369##} BIGNUM_EMAILS_FREEM
370
371##{ BIGNUM_EMAILS_MANY
372
373meta BIGNUM_EMAILS_MANY __BIGNUM_EMAILS_3 && !__HAS_ERRORS_TO && !__HAS_CAMPAIGNID && !__DATE_LOWER
374describe BIGNUM_EMAILS_MANY Lots of email addresses/leads, over and over
375#score BIGNUM_EMAILS_MANY 3.00 # limit
376tflags BIGNUM_EMAILS_MANY publish
377##} BIGNUM_EMAILS_MANY
378
379##{ BITCOIN_BOMB
380
381meta BITCOIN_BOMB __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01
382describe BITCOIN_BOMB BitCoin + bomb
383#score BITCOIN_BOMB 3.000 # limit
384tflags BITCOIN_BOMB publish
385##} BITCOIN_BOMB
386
387##{ BITCOIN_DEADLINE
388
389meta BITCOIN_DEADLINE __BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01
390describe BITCOIN_DEADLINE BitCoin with a deadline
391#score BITCOIN_DEADLINE 3.000 # limit
392tflags BITCOIN_DEADLINE publish
393##} BITCOIN_DEADLINE
394
395##{ BITCOIN_EXTORT_01
396
397meta BITCOIN_EXTORT_01 (__BITCOIN_ID && __EXTORT_MANY) && !( __FROM_FULL_NAME && __SENDER_BOT && __SINGLE_WORD_LINE && __MIME_HTML && __PHPMAILER_MUA )
398describe BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin
399#score BITCOIN_EXTORT_01 5.000 # limit
400tflags BITCOIN_EXTORT_01 publish
401##} BITCOIN_EXTORT_01
402
403##{ BITCOIN_EXTORT_02
404
405meta BITCOIN_EXTORT_02 __OBFU_BITCOIN_NOID && __EXTORT_MANY
406describe BITCOIN_EXTORT_02 Extortion spam, pay via BitCoin
407#score BITCOIN_EXTORT_02 5.000 # limit
408tflags BITCOIN_EXTORT_02 publish
409##} BITCOIN_EXTORT_02
410
411##{ BITCOIN_IMGUR
412
413meta BITCOIN_IMGUR __BITCOIN_IMGUR
414describe BITCOIN_IMGUR Bitcoin + hosted image
415#score BITCOIN_IMGUR 3.500 # limit
416tflags BITCOIN_IMGUR publish
417##} BITCOIN_IMGUR
418
419##{ BITCOIN_MALF_HTML
420
421meta BITCOIN_MALF_HTML HTML_EXTRA_CLOSE && (__BITCOIN || __BITCOIN_ID)
422describe BITCOIN_MALF_HTML Bitcoin + malformed HTML
423#score BITCOIN_MALF_HTML 3.500 # limit
424##} BITCOIN_MALF_HTML
425
426##{ BITCOIN_MALWARE
427
428meta BITCOIN_MALWARE __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED
429describe BITCOIN_MALWARE BitCoin + malware bragging
430#score BITCOIN_MALWARE 3.500 # limit
431tflags BITCOIN_MALWARE publish
432##} BITCOIN_MALWARE
433
434##{ BITCOIN_OBFU_SUBJ
435
436meta BITCOIN_OBFU_SUBJ __BITCOIN_OBFU_SUBJ && !__128_ALNUM_URI
437describe BITCOIN_OBFU_SUBJ Bitcoin + obfuscated subject
438#score BITCOIN_OBFU_SUBJ 3.500 # limit
439tflags BITCOIN_OBFU_SUBJ publish
440##} BITCOIN_OBFU_SUBJ
441
442##{ BITCOIN_ONAN
443
444meta BITCOIN_ONAN __BITCOIN_ID && __YOUR_ONAN && __KHOP_NO_FULL_NAME && !BITCOIN_EXTORT_01
445describe BITCOIN_ONAN BitCoin + [censored]
446#score BITCOIN_ONAN 3.000 # limit
447tflags BITCOIN_ONAN publish
448##} BITCOIN_ONAN
449
450##{ BITCOIN_PAY_ME
451
452meta BITCOIN_PAY_ME __BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01
453describe BITCOIN_PAY_ME Pay me via BitCoin
454#score BITCOIN_PAY_ME 3.000 # limit
455tflags BITCOIN_PAY_ME publish
456##} BITCOIN_PAY_ME
457
fc5290a3
SI		 458##{ BITCOIN_PDF
459
460meta BITCOIN_PDF __BITCOIN && __PDF_ATTACH
461describe BITCOIN_PDF "Bitcoin" + PDF attachment
462#score BITCOIN_PDF 2.500 # limit
463##} BITCOIN_PDF
464
b780ea8d
SI		 465##{ BITCOIN_SPAM_01
466
467meta BITCOIN_SPAM_01 __BITCOIN_ID && HTML_MIME_NO_HTML_TAG
468describe BITCOIN_SPAM_01 BitCoin spam pattern 01
469#score BITCOIN_SPAM_01 2.500 # limit
470tflags BITCOIN_SPAM_01 publish
471##} BITCOIN_SPAM_01
472
473##{ BITCOIN_SPAM_02
474
475meta BITCOIN_SPAM_02 __BITCOIN_SPAM_02 && !__URL_BTC_ID
476describe BITCOIN_SPAM_02 BitCoin spam pattern 02
477#score BITCOIN_SPAM_02 2.500 # limit
478tflags BITCOIN_SPAM_02 publish
479##} BITCOIN_SPAM_02
480
481##{ BITCOIN_SPAM_03
482
483meta BITCOIN_SPAM_03 __BITCOIN_ID && __SINGLE_WORD_SUBJ
484describe BITCOIN_SPAM_03 BitCoin spam pattern 03
485#score BITCOIN_SPAM_03 2.500 # limit
486tflags BITCOIN_SPAM_03 publish
487##} BITCOIN_SPAM_03
488
489##{ BITCOIN_SPAM_04
490
491meta BITCOIN_SPAM_04 __BITCOIN_ID && __freemail_hdr_replyto
492describe BITCOIN_SPAM_04 BitCoin spam pattern 04
493#score BITCOIN_SPAM_04 1.500 # limit
494tflags BITCOIN_SPAM_04 publish
495##} BITCOIN_SPAM_04
496
497##{ BITCOIN_SPAM_05
498
499meta BITCOIN_SPAM_05 __BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TO
500describe BITCOIN_SPAM_05 BitCoin spam pattern 05
501#score BITCOIN_SPAM_05 2.500 # limit
502tflags BITCOIN_SPAM_05 net publish
503##} BITCOIN_SPAM_05
504
505##{ BITCOIN_SPAM_06
506
507meta BITCOIN_SPAM_06 __BITCOIN_ID && TVD_RCVD_SPACE_BRACKET
508describe BITCOIN_SPAM_06 BitCoin spam pattern 06
509#score BITCOIN_SPAM_06 1.500 # limit
510tflags BITCOIN_SPAM_06 publish
511##} BITCOIN_SPAM_06
512
513##{ BITCOIN_SPAM_07
514
515meta BITCOIN_SPAM_07 __BITCOIN_SPAM_07 && !__DKIM_EXISTS
516describe BITCOIN_SPAM_07 BitCoin spam pattern 07
517#score BITCOIN_SPAM_07 3.500 # limit
518tflags BITCOIN_SPAM_07 publish
519##} BITCOIN_SPAM_07
520
521##{ BITCOIN_SPAM_08
522
523meta BITCOIN_SPAM_08 __BITCOIN_ID && __TO_IN_SUBJ
524describe BITCOIN_SPAM_08 BitCoin spam pattern 08
525#score BITCOIN_SPAM_08 2.500 # limit
526tflags BITCOIN_SPAM_08 publish
527##} BITCOIN_SPAM_08
528
529##{ BITCOIN_SPAM_09
530
531meta BITCOIN_SPAM_09 __BITCOIN_ID && ( __DESTROY_ME || __DESTROY_YOU )
532describe BITCOIN_SPAM_09 BitCoin spam pattern 09
533#score BITCOIN_SPAM_09 1.500 # limit
534tflags BITCOIN_SPAM_09 publish
535##} BITCOIN_SPAM_09
536
537##{ BITCOIN_SPAM_10
538
539meta BITCOIN_SPAM_10 __BITCOIN_ID && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 )
540describe BITCOIN_SPAM_10 BitCoin spam pattern 10
541#score BITCOIN_SPAM_10 2.500 # limit
542tflags BITCOIN_SPAM_10 publish
543##} BITCOIN_SPAM_10
544
545##{ BITCOIN_SPAM_11
546
547meta BITCOIN_SPAM_11 __BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFU
548describe BITCOIN_SPAM_11 BitCoin spam pattern 11
549#score BITCOIN_SPAM_11 2.500 # limit
550tflags BITCOIN_SPAM_11 publish
551##} BITCOIN_SPAM_11
552
553##{ BITCOIN_SPAM_12
554
555meta BITCOIN_SPAM_12 __BITCOIN_ID && __BOGUS_MIME_HDR_MANY
556describe BITCOIN_SPAM_12 BitCoin spam pattern 12
557#score BITCOIN_SPAM_12 2.500 # limit
558tflags BITCOIN_SPAM_12 publish
559##} BITCOIN_SPAM_12
560
561##{ BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
562
563if (version >= 3.004001)
564ifplugin Mail::SpamAssassin::Plugin::AskDNS
565meta BITCOIN_SPF_ONLYALL __PDS_SPF_ONLYALL && __BITCOIN_ID
566tflags BITCOIN_SPF_ONLYALL net publish
567describe BITCOIN_SPF_ONLYALL Bitcoin from a domain specifically set to pass +all SPF
568#score BITCOIN_SPF_ONLYALL 2.0 # limit
569endif
570endif
571##} BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
572
573##{ BITCOIN_WFH_01
574
575meta BITCOIN_WFH_01 __BITCOIN_WFH_01
576describe BITCOIN_WFH_01 Work-from-Home + bitcoin
577tflags BITCOIN_WFH_01 publish
578##} BITCOIN_WFH_01
579
580##{ BITCOIN_XPRIO
581
582meta BITCOIN_XPRIO __BITCOIN_XPRIO && !__ML1 && !__HAS_SENDER && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY
583describe BITCOIN_XPRIO Bitcoin + priority
584#score BITCOIN_XPRIO 2.500 # limit
585##} BITCOIN_XPRIO
586
587##{ BITCOIN_YOUR_INFO
588
589meta BITCOIN_YOUR_INFO __BITCOIN_ID && __YOUR_PERSONAL && !BITCOIN_EXTORT_01
590describe BITCOIN_YOUR_INFO BitCoin with your personal info
591#score BITCOIN_YOUR_INFO 3.000 # limit
592tflags BITCOIN_YOUR_INFO publish
593##} BITCOIN_YOUR_INFO
594
21dcadbf
SI		 595##{ BODY_SINGLE_URI
596
597meta BODY_SINGLE_URI __BODY_SINGLE_URI && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP && !__VIA_ML
598describe BODY_SINGLE_URI Message body is only a URI
599#score BODY_SINGLE_URI 2.500 # limit
600##} BODY_SINGLE_URI
601
fc5290a3
SI		 602##{ BODY_SINGLE_WORD
603
604meta BODY_SINGLE_WORD __BODY_SINGLE_WORD && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP
605describe BODY_SINGLE_WORD Message body is only one word (no spaces)
606#score BODY_SINGLE_WORD 2.500 # limit
607##} BODY_SINGLE_WORD
608
b780ea8d
SI		 609##{ BODY_URI_ONLY
610
611meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV
612describe BODY_URI_ONLY Message body is only a URI in one line of text or for an image
613#score BODY_URI_ONLY 3.000 # limit
614tflags BODY_URI_ONLY publish
615##} BODY_URI_ONLY
616
617##{ BOGUS_MIME_VERSION
618
619meta BOGUS_MIME_VERSION __BOGUS_MIME_VER_02 || __MALF_MIME_VER
620#score BOGUS_MIME_VERSION 3.500 # limit
621describe BOGUS_MIME_VERSION Mime version header is bogus
622tflags BOGUS_MIME_VERSION publish
623##} BOGUS_MIME_VERSION
624
625##{ BOGUS_MSM_HDRS
626
627meta BOGUS_MSM_HDRS __BOGUS_MSM_HDRS
628describe BOGUS_MSM_HDRS Apparently bogus Microsoft email headers
629#score BOGUS_MSM_HDRS 3.000 # limit
630tflags BOGUS_MSM_HDRS publish
631##} BOGUS_MSM_HDRS
632
633##{ BOMB_FREEM
634
635meta BOMB_FREEM __EXPLOSIVE_DEVICE && __freemail_hdr_replyto
636describe BOMB_FREEM Bomb + freemail
637#score BOMB_FREEM 2.000 # limit
638tflags BOMB_FREEM publish
639##} BOMB_FREEM
640
641##{ BOMB_MONEY
642
643meta BOMB_MONEY __EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW || __ADVANCE_FEE_4_NEW || __ADVANCE_FEE_5_NEW )
644describe BOMB_MONEY Bomb + money: bomb threat?
645#score BOMB_MONEY 2.500 # limit
646tflags BOMB_MONEY publish
647##} BOMB_MONEY
648
649##{ BTC_ORG
650
651describe BTC_ORG Bitcoin wallet ID + unusual header
652#score BTC_ORG 2.500 # limit
653##} BTC_ORG
654
655##{ BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM)
656
657if !plugin(Mail::SpamAssassin::Plugin::DKIM)
658 meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST
659endif
660##} BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM)
661
662##{ BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM
663
664ifplugin Mail::SpamAssassin::Plugin::DKIM
665 meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED
666endif
667##} BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM
668
b780ea8d
SI		 669##{ BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
670
671if (version >= 3.004002)
672ifplugin Mail::SpamAssassin::Plugin::WLBLEval
673meta BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD
674tflags BULK_RE_SUSP_NTLD publish
675describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD
676#score BULK_RE_SUSP_NTLD 1.0 # limit
677endif
678endif
679##} BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
680
681##{ CANT_SEE_AD
682
683meta CANT_SEE_AD (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB
684describe CANT_SEE_AD You really want to see our spam.
685#score CANT_SEE_AD 2.500 # limit
686tflags CANT_SEE_AD publish
687##} CANT_SEE_AD
688
46cfc9e2
SI		 689##{ CK_HELO_GENERIC
690
691header CK_HELO_GENERIC X-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?=\S*(?:pool|dyna|lease|dial|dip|static))\S*\d+[^\d\s]+\d+[^\]]+ auth= /i
692describe CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or Generic rPTR
693#score CK_HELO_GENERIC 0.25
694##} CK_HELO_GENERIC
695
b780ea8d
SI		 696##{ CN_B2B_SPAMMER
697
698body CN_B2B_SPAMMER /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i
699describe CN_B2B_SPAMMER Chinese company introducing itself
700tflags CN_B2B_SPAMMER publish
701##} CN_B2B_SPAMMER
702
703##{ COMMENT_GIBBERISH
704
705meta COMMENT_GIBBERISH __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT
706describe COMMENT_GIBBERISH Nonsense in long HTML comment
707#score COMMENT_GIBBERISH 1.50 # limit
708tflags COMMENT_GIBBERISH publish
709##} COMMENT_GIBBERISH
710
fc5290a3
SI		 711##{ COMPENSATION
712
713describe COMPENSATION "Compensation"
714#score COMPENSATION 1.50 # limit
715##} COMPENSATION
716
717##{ COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM)
718
719if !plugin(Mail::SpamAssassin::Plugin::DKIM)
720 meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD
721endif
722##} COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM)
723
724##{ COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM
725
726ifplugin Mail::SpamAssassin::Plugin::DKIM
727 meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__DKIM_DEPENDABLE
728endif
729##} COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM
730
b780ea8d
SI		 731##{ CONTENT_AFTER_HTML
732
dfdd1e08
SI		 733meta CONTENT_AFTER_HTML __CONTENT_AFTER_HTML && (__L_CTE_8BIT || __RDNS_NUMERIC_TLD || __HTML_TAG_BALANCE_CENTER || __STY_INVIS_MANY || __TO_EQ_FROM_USR || __TO_EQ_FROM_USR_2 || __KAM_HTML_FONT_INVALID || __SUBJECT_ENCODED_B64 )
734describe CONTENT_AFTER_HTML More content after HTML close tag + other spam signs
b780ea8d
SI		 735#score CONTENT_AFTER_HTML 2.500 # limit
736tflags CONTENT_AFTER_HTML publish
737##} CONTENT_AFTER_HTML
738
dfdd1e08
SI		 739##{ CONTENT_AFTER_HTML_WEAK
740
741meta CONTENT_AFTER_HTML_WEAK __CONTENT_AFTER_HTML && !CONTENT_AFTER_HTML && !__CT_TEXT_PLAIN && !__BOUNCE_FROM_DAEMON && !__MSGID_OK_HEX && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER && !MAILING_LIST_MULTI && !__HAS_CID && !__URI_DOTGOV
742describe CONTENT_AFTER_HTML_WEAK More content after HTML close tag
743#score CONTENT_AFTER_HTML_WEAK 1.500 # limit
744tflags CONTENT_AFTER_HTML_WEAK publish
745##} CONTENT_AFTER_HTML_WEAK
746
b780ea8d
SI		 747##{ CORRUPT_FROM_LINE_IN_HDRS
748
749meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS)
750describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers
751tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish
752#score CORRUPT_FROM_LINE_IN_HDRS 0.001
753##} CORRUPT_FROM_LINE_IN_HDRS
754
755##{ CTE_8BIT_MISMATCH
756
757meta CTE_8BIT_MISMATCH (__CT_TEXT_PLAIN && (!__CTE || __L_CTE_7BIT) && __L_BODY_8BITS)
758describe CTE_8BIT_MISMATCH Header says 7bits but body disagrees
759#score CTE_8BIT_MISMATCH 1
760tflags CTE_8BIT_MISMATCH publish
761##} CTE_8BIT_MISMATCH
762
763##{ CTYPE_001C_A
764
765meta CTYPE_001C_A (0) # obsolete
766##} CTYPE_001C_A
767
768##{ CTYPE_001C_B
769
770header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/
771##} CTYPE_001C_B
772
773##{ CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
774
775ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
776mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s
777describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc)
778endif
779##} CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
780
b780ea8d
SI		 781##{ CURR_PRICE
782
783body CURR_PRICE /\bCurrent Price:/
784##} CURR_PRICE
785
fc5290a3
SI		 786##{ DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
787
788ifplugin Mail::SpamAssassin::Plugin::HeaderEval
789header DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef')
790describe DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date
791endif
792##} DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval
793
b780ea8d
SI		 794##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
795
796if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
797 meta DAY_I_EARNED __DAY_I_EARNED >= 3
798# score DAY_I_EARNED 3.000 # limit
799 describe DAY_I_EARNED Work-at-home spam
800 tflags DAY_I_EARNED publish
801endif
802##} DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
803
804##{ DEAR_BENEFICIARY
805
806body DEAR_BENEFICIARY /\b(?:De[ae]r\s|At+(?:ention|n):?\s?)(?:\S+\s)?Ben[ei]ficiary\b/i
807describe DEAR_BENEFICIARY Dear Beneficiary:
808##} DEAR_BENEFICIARY
809
810##{ DEAR_WINNER
811
812body DEAR_WINNER /\bdear.{1,20}winner/i
813describe DEAR_WINNER Spam with generic salutation of "dear winner"
814##} DEAR_WINNER
815
816##{ DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS
817
818ifplugin Mail::SpamAssassin::Plugin::AskDNS
819meta DKIMWL_BL __DKIMWL_WL_BL
820tflags DKIMWL_BL net publish
821describe DKIMWL_BL DKIMwl.org - Blocked sender
822#score DKIMWL_BL 3.0 # limit
823endif
824##} DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS
825
826##{ DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS
827
828ifplugin Mail::SpamAssassin::Plugin::AskDNS
829meta DKIMWL_BLOCKED __DKIMWL_BLOCKED
830tflags DKIMWL_BLOCKED net publish
831describe DKIMWL_BLOCKED ADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
832#score DKIMWL_BLOCKED 0.001 # limit
833endif
834##} DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS
835
836##{ DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS
837
838ifplugin Mail::SpamAssassin::Plugin::AskDNS
839meta DKIMWL_WL_HIGH __DKIMWL_WL_HI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL || __DKIMWL_BULKMAIL)
840tflags DKIMWL_WL_HIGH net nice publish
841describe DKIMWL_WL_HIGH DKIMwl.org - High trust sender
842#score DKIMWL_WL_HIGH -3.0 # limit
843endif
844##} DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS
845
846##{ DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS
847
848ifplugin Mail::SpamAssassin::Plugin::AskDNS
849meta DKIMWL_WL_MED __DKIMWL_WL_MED && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL)
850tflags DKIMWL_WL_MED net nice publish
851describe DKIMWL_WL_MED DKIMwl.org - Medium trust sender
852#score DKIMWL_WL_MED -0.5 # limit
853endif
854##} DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS
855
856##{ DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS
857
858ifplugin Mail::SpamAssassin::Plugin::AskDNS
859meta DKIMWL_WL_MEDHI __DKIMWL_WL_MEDHI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL)
860tflags DKIMWL_WL_MEDHI net nice publish
861describe DKIMWL_WL_MEDHI DKIMwl.org - Medium-high trust sender
862#score DKIMWL_WL_MEDHI -1.0 # limit
863endif
864##} DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS
865
866##{ DOS_ANAL_SPAM_MAILER
867
868header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/
869describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam
870tflags DOS_ANAL_SPAM_MAILER publish
871##} DOS_ANAL_SPAM_MAILER
872
873##{ DOS_DEREK_AUG08
874
875meta DOS_DEREK_AUG08 __DOS_SINGLE_EXT_RELAY && __DOS_HAS_ANY_URI && __NAKED_TO && __LAST_UNTRUSTED_RELAY_NO_AUTH && SPF_PASS && __TVD_MIME_ATT_TP && __CT_TEXT_PLAIN && (__DOS_MSGID_DIGITS9 || __DOS_MSGID_DIGITS10)
876##} DOS_DEREK_AUG08
877
878##{ DOS_FIX_MY_URI
879
880meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK
881describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam
882##} DOS_FIX_MY_URI
883
884##{ DOS_HIGH_BAT_TO_MX
885
886meta DOS_HIGH_BAT_TO_MX __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA
887describe DOS_HIGH_BAT_TO_MX The Bat! Direct to MX with High Bits
888##} DOS_HIGH_BAT_TO_MX
889
890##{ DOS_LET_GO_JOB
891
892meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME
893describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough!
894##} DOS_LET_GO_JOB
895
896##{ DOS_OE_TO_MX
897
898meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE
899describe DOS_OE_TO_MX Delivered direct to MX with OE headers
900##} DOS_OE_TO_MX
901
902##{ DOS_OE_TO_MX_IMAGE
903
904meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
905describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image
906##} DOS_OE_TO_MX_IMAGE
907
908##{ DOS_OUTLOOK_TO_MX
909
910meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE
911describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers
912##} DOS_OUTLOOK_TO_MX
913
914##{ DOS_RCVD_IP_TWICE_C
915
916header DOS_RCVD_IP_TWICE_C X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=(?:![\d.]{7,15}!)? [^\[]*\[ ip=\1 [^\]]*\]\s*$/
917describe DOS_RCVD_IP_TWICE_C Received from the same IP twice in a row (only one external relay; empty or IP helo)
918##} DOS_RCVD_IP_TWICE_C
919
920##{ DOS_STOCK_BAT
921
922meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS)
923describe DOS_STOCK_BAT Probable pump and dump stock spam
924##} DOS_STOCK_BAT
925
926##{ DOS_STOCK_BAT2
927
928meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2)
929##} DOS_STOCK_BAT2
930
931##{ DOS_URI_ASTERISK
932
933uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)}
934describe DOS_URI_ASTERISK Found an asterisk in a URI
935##} DOS_URI_ASTERISK
936
937##{ DOS_YOUR_PLACE
938
939meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL))
940describe DOS_YOUR_PLACE Russian dating spam
941##} DOS_YOUR_PLACE
942
943##{ DOTGOV_IMAGE
944
945meta DOTGOV_IMAGE __DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYS
946describe DOTGOV_IMAGE .gov URI + hosted image
947#score DOTGOV_IMAGE 3.000 # limit
948tflags DOTGOV_IMAGE publish
949##} DOTGOV_IMAGE
950
951##{ DRUGS_HDIA
952
953header DRUGS_HDIA Subject =~ /\bhoodia\b/i
954describe DRUGS_HDIA Subject mentions "hoodia"
955##} DRUGS_HDIA
956
b780ea8d
SI		 957##{ DX_TEXT_02
958
959body DX_TEXT_02 /\b(?:change|modif(?:y|ications?)) (?:of|to|(?:yo)?ur) (?:message|sub|comm) stat/i
960describe DX_TEXT_02 "change your message stat"
961tflags DX_TEXT_02 publish
962##} DX_TEXT_02
963
964##{ DX_TEXT_03
965
966body DX_TEXT_03 /\b[A-Z]{3} Media (?:Group|Relations)\b/
967describe DX_TEXT_03 "XXX Media Group"
968tflags DX_TEXT_03 publish
969##} DX_TEXT_03
970
971##{ DYNAMIC_IMGUR
972
973meta DYNAMIC_IMGUR __DYNAMIC_IMGUR
974describe DYNAMIC_IMGUR dynamic IP + hosted image
975#score DYNAMIC_IMGUR 4.000 # limit
976tflags DYNAMIC_IMGUR publish
977##} DYNAMIC_IMGUR
978
979##{ DYN_RDNS_AND_INLINE_IMAGE
980
981meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
982describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS
983##} DYN_RDNS_AND_INLINE_IMAGE
984
985##{ DYN_RDNS_SHORT_HELO_HTML
986
987meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE)
988describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
989##} DYN_RDNS_SHORT_HELO_HTML
990
991##{ DYN_RDNS_SHORT_HELO_IMAGE
992
993meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH)
994describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image
995##} DYN_RDNS_SHORT_HELO_IMAGE
996
997##{ EBAY_IMG_NOT_RCVD_EBAY
998
999meta EBAY_IMG_NOT_RCVD_EBAY __EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTS
1000#score EBAY_IMG_NOT_RCVD_EBAY 3.000 # limit
1001describe EBAY_IMG_NOT_RCVD_EBAY E-bay hosted image but message not from E-bay
1002tflags EBAY_IMG_NOT_RCVD_EBAY publish
1003##} EBAY_IMG_NOT_RCVD_EBAY
1004
1005##{ EMRCP
1006
1007body EMRCP /\bExcess (?:Maximum )?Return Capital (?:Profits?|Funds?)\b/i
1008describe EMRCP "Excess Maximum Return Capital Profit" scam
1009tflags EMRCP publish
1010##} EMRCP
1011
1012##{ ENCRYPTED_MESSAGE
1013
1014meta ENCRYPTED_MESSAGE __CT_ENCRYPTED
1015describe ENCRYPTED_MESSAGE Message is encrypted, not likely to be spam
1016#score ENCRYPTED_MESSAGE -1.000
1017tflags ENCRYPTED_MESSAGE nice publish
1018##} ENCRYPTED_MESSAGE
1019
1020##{ END_FUTURE_EMAILS
1021
1022describe END_FUTURE_EMAILS Spammy unsubscribe
1023#score END_FUTURE_EMAILS 2.500 # limit
1024##} END_FUTURE_EMAILS
1025
1026##{ END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
1027
1028if !plugin(Mail::SpamAssassin::Plugin::DKIM)
1029 meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER
1030endif
1031##} END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
1032
1033##{ END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM
1034
1035ifplugin Mail::SpamAssassin::Plugin::DKIM
1036 meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED
1037endif
1038##} END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM
1039
1040##{ ENVFROM_GOOG_TRIX
1041
1042meta ENVFROM_GOOG_TRIX __ENVFROM_GOOG_TRIX_SPAMMY
1043describe ENVFROM_GOOG_TRIX From suspicious Google subdomain
1044#score ENVFROM_GOOG_TRIX 3.000 # limit
1045tflags ENVFROM_GOOG_TRIX publish
1046##} ENVFROM_GOOG_TRIX
1047
1048##{ EXCUSE_24
1049
1050body EXCUSE_24 /you(?:'ve|'re| have| are)? receiv(?:e|ed|ing) this (?:advertisement|offer|special|recurring|paid).{0,16}\b(?:by either|because)/i
1051describe EXCUSE_24 Claims you wanted this ad
1052##} EXCUSE_24
1053
31955ede 1054##{ FACEBOOK_IMG_NOT_RCVD_FB
b780ea8d 1055
31955ede
SI		 1056meta FACEBOOK_IMG_NOT_RCVD_FB __FACEBOOK_IMG_NOT_RCVD_FB && !__VIA_ML && !__ONE_IMG && !__RCD_RDNS_SMTP
1057#score FACEBOOK_IMG_NOT_RCVD_FB 2.000 # limit
1058describe FACEBOOK_IMG_NOT_RCVD_FB Facebook hosted image but message not from Facebook
1059tflags FACEBOOK_IMG_NOT_RCVD_FB publish
1060##} FACEBOOK_IMG_NOT_RCVD_FB
cabe596e 1061
fc5290a3
SI		 1062##{ FAKE_REPLY_A1
1063
1064meta FAKE_REPLY_A1 (__SUBJ_RE && __MISSING_REPLY && __MISSING_REF && __BOTH_INR_AND_REF)
1065##} FAKE_REPLY_A1
1066
1067##{ FAKE_REPLY_B
1068
1069meta FAKE_REPLY_B (__SUBJ_RE && __MISSING_REPLY && __INR_AND_NO_REF)
1070##} FAKE_REPLY_B
1071
b780ea8d
SI		 1072##{ FAKE_REPLY_C
1073
1074meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF)
1075##} FAKE_REPLY_C
1076
1077##{ FBI_MONEY
1078
1079meta FBI_MONEY __FBI_SPOOF && LOTS_OF_MONEY
1080describe FBI_MONEY The FBI wants to give you lots of money?
1081#score FBI_MONEY 2.00 # limit
1082tflags FBI_MONEY publish
1083##} FBI_MONEY
1084
1085##{ FBI_SPOOF
1086
1087meta FBI_SPOOF __FBI_SPOOF
1088describe FBI_SPOOF Claims to be FBI, but not from FBI domain
1089#score FBI_SPOOF 2.00 # limit
1090tflags FBI_SPOOF publish
1091##} FBI_SPOOF
1092
1093##{ FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1094
1095ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1096 meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML
1097 describe FILL_THIS_FORM Fill in a form with personal information
1098 tflags FILL_THIS_FORM publish
1099endif
1100##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1101
1102##{ FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1103
1104ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1105 meta FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY
1106 describe FILL_THIS_FORM_LONG Fill in a form with personal information
1107# score FILL_THIS_FORM_LONG 2.00 # limit
1108endif
1109##} FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1110
1111##{ FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1112
1113if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1114 meta FONT_INVIS_DIRECT __FONT_INVIS_DIRECT && !__UNSUB_LINK && !__HAS_ERRORS_TO && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__URI_DOTGOV && !__NAKED_TO && !__MSGID_OK_HEX
1115 describe FONT_INVIS_DIRECT Invisible text + direct-to-MX
1116# score FONT_INVIS_DIRECT 3.500 # limit
1117 tflags FONT_INVIS_DIRECT publish
1118endif
1119##} FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1120
1121##{ FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1122
1123if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1124 meta FONT_INVIS_DOTGOV __FONT_INVIS_DOTGOV && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__HAS_LIST_ID
1125 describe FONT_INVIS_DOTGOV Invisible text + .gov URI
1126# score FONT_INVIS_DOTGOV 3.500 # limit
1127 tflags FONT_INVIS_DOTGOV publish
1128endif
1129##} FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1130
1131##{ FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1132
1133if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1134 meta FONT_INVIS_HTML_NOHTML __FONT_INVIS_HTML_NOHTML && !__RDNS_LONG
1135 describe FONT_INVIS_HTML_NOHTML Invisible text + malformed HTML
1136# score FONT_INVIS_HTML_NOHTML 3.000 # limit
1137 tflags FONT_INVIS_HTML_NOHTML publish
1138endif
1139##} FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1140
1141##{ FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1142
1143if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1144 meta FONT_INVIS_LONG_LINE __FONT_INVIS_LONG_LINE && !__HTML_SINGLET
1145 describe FONT_INVIS_LONG_LINE Invisible text + long lines
1146# score FONT_INVIS_LONG_LINE 3.000 # limit
1147 tflags FONT_INVIS_LONG_LINE publish
1148endif
1149##} FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1150
1151##{ FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1152
1153if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
31955ede 1154 meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX && !__RCD_RDNS_MTA
b780ea8d
SI		 1155 describe FONT_INVIS_MSGID Invisible text + suspicious message ID
1156# score FONT_INVIS_MSGID 2.500 # limit
1157 tflags FONT_INVIS_MSGID publish
1158endif
1159##} FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1160
1161##{ FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1162
1163if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1164 meta FONT_INVIS_NORDNS __FONT_INVIS_NORDNS && !__HTML_SINGLET && !__LYRIS_EZLM_REMAILER && !__YOUR_PERSONAL && !__HAS_X_MAILER
1165 describe FONT_INVIS_NORDNS Invisible text + no rDNS
1166# score FONT_INVIS_NORDNS 2.500 # limit
1167 tflags FONT_INVIS_NORDNS publish
1168endif
1169##} FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1170
1171##{ FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1172
1173if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1174 meta FONT_INVIS_POSTEXTRAS (__FONT_INVIS || __STY_INVIS) && __AC_POST_EXTRAS
1175 describe FONT_INVIS_POSTEXTRAS Invisible text + suspicious URI
1176# score FONT_INVIS_POSTEXTRAS 3.500 # limit
1177 tflags FONT_INVIS_POSTEXTRAS publish
1178endif
1179##} FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1180
1181##{ FORGED_SPF_HELO
1182
1183meta FORGED_SPF_HELO __HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS
1184##} FORGED_SPF_HELO
1185
1186##{ FORM_FRAUD
1187
1188meta FORM_FRAUD (__FORM_FRAUD && !__FORM_FRAUD_3 && !__FORM_FRAUD_5) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__UPPERCASE_URI && !__UNSUB_LINK
1189describe FORM_FRAUD Fill a form and a fraud phrase
1190#score FORM_FRAUD 1.000 # limit
1191tflags FORM_FRAUD publish
1192##} FORM_FRAUD
1193
1194##{ FORM_FRAUD_3
1195
1196meta FORM_FRAUD_3 (__FORM_FRAUD_3 && !__FORM_FRAUD_5 && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_3_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP && !__DOS_BODY_FRI && !__UNSUB_LINK && !__BUGGED_IMG && !__NOT_SPOOFED
1197describe FORM_FRAUD_3 Fill a form and several fraud phrases
1198tflags FORM_FRAUD_3 publish
1199##} FORM_FRAUD_3
1200
1201##{ FORM_FRAUD_5
1202
1203meta FORM_FRAUD_5 (__FORM_FRAUD_5 && !__ADVANCE_FEE_5_NEW_FORM && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__BOUNCE_CTYPE
1204describe FORM_FRAUD_5 Fill a form and many fraud phrases
1205tflags FORM_FRAUD_5 publish
1206##} FORM_FRAUD_5
1207
b780ea8d
SI		 1208##{ FOUND_YOU
1209
1210meta FOUND_YOU __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO
1211#score FOUND_YOU 3.25 # limit
1212describe FOUND_YOU I found you...
1213tflags FOUND_YOU publish
1214##} FOUND_YOU
1215
1216##{ FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
1217
1218ifplugin Mail::SpamAssassin::Plugin::FreeMail
1219 ifplugin Mail::SpamAssassin::Plugin::HeaderEval
1220 if (version >= 3.004000)
1221 meta FREEMAIL_FORGED_FROMDOMAIN FREEMAIL_FROM && HEADER_FROM_DIFFERENT_DOMAINS
1222 describe FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different
1223# score FREEMAIL_FORGED_FROMDOMAIN 0.25
1224 tflags FREEMAIL_FORGED_FROMDOMAIN publish
1225endif
1226endif
1227endif
1228##} FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
1229
1230##{ FREEMAIL_WFH_01
1231
1232meta FREEMAIL_WFH_01 __FREEMAIL_WFH_01
1233describe FREEMAIL_WFH_01 Work-from-Home + freemail
1234tflags FREEMAIL_WFH_01 publish
1235##} FREEMAIL_WFH_01
1236
1237##{ FREEM_FRNUM_UNICD_EMPTY
1238
1239meta FREEM_FRNUM_UNICD_EMPTY __FREEM_FRNUM_UNICD_EMPTY
1240describe FREEM_FRNUM_UNICD_EMPTY Numeric freemail From address, unicode From name and Subject, empty body
1241#score FREEM_FRNUM_UNICD_EMPTY 3.750 # limit
1242tflags FREEM_FRNUM_UNICD_EMPTY publish
1243##} FREEM_FRNUM_UNICD_EMPTY
1244
1245##{ FRNAME_IN_MSG_XPRIO_NO_SUB
1246
1247meta FRNAME_IN_MSG_XPRIO_NO_SUB (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS && !__SUBJ_NOT_SHORT && !ALL_TRUSTED
1248describe FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short or no subject
1249#score FRNAME_IN_MSG_XPRIO_NO_SUB 2.500 # limit
1250tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish
1251##} FRNAME_IN_MSG_XPRIO_NO_SUB
1252
fc5290a3
SI		 1253##{ FROMSPACE
1254
1255describe FROMSPACE Idiosyncratic "From" header format
1256header FROMSPACE From:raw =~ /^\s?\"\s/
1257##} FROMSPACE
1258
1259##{ FROM_2_EMAILS_SHORT
1260
1261meta FROM_2_EMAILS_SHORT __KAM_BODY_LENGTH_LT_512 && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF)
1262describe FROM_2_EMAILS_SHORT Short body and From looks like 2 different emails
1263#score FROM_2_EMAILS_SHORT 3.0 # limit
1264##} FROM_2_EMAILS_SHORT
1265
b780ea8d
SI		 1266##{ FROM_ADDR_WS
1267
1268meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL
1269describe FROM_ADDR_WS Malformed From address
1270#score FROM_ADDR_WS 3.000 # limit
1271tflags FROM_ADDR_WS publish
1272##} FROM_ADDR_WS
1273
1274##{ FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1275
1276if (version >= 3.004002)
1277ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1278meta FROM_BANK_NOAUTH __FROM_ADDRLIST_BANKS && (! NO_RELAYS && ! ALL_TRUSTED) && (! SPF_PASS && ! DKIM_VALID_AU)
1279tflags FROM_BANK_NOAUTH publish net
1280describe FROM_BANK_NOAUTH From Bank domain but no SPF or DKIM
1281#score FROM_BANK_NOAUTH 1.0 # limit
1282endif
1283endif
1284##} FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1285
1286##{ FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1287
1288if (version >= 3.004001)
1289ifplugin Mail::SpamAssassin::Plugin::AskDNS
1290meta FROM_FMBLA_NDBLOCKED __FROM_FMBLA_NDBLOCKED
1291describe FROM_FMBLA_NDBLOCKED ADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
1292tflags FROM_FMBLA_NDBLOCKED net publish
1293#score FROM_FMBLA_NDBLOCKED 0.001 # limit
1294endif
1295endif
1296##} FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1297
1298##{ FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1299
1300if (version >= 3.004001)
1301ifplugin Mail::SpamAssassin::Plugin::AskDNS
1302meta FROM_FMBLA_NEWDOM __FROM_FMBLA_NEWDOM
1303describe FROM_FMBLA_NEWDOM From domain was registered in last 7 days
1304tflags FROM_FMBLA_NEWDOM net
1305#score FROM_FMBLA_NEWDOM 1.5 # limit
1306endif
1307endif
1308##} FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1309
1310##{ FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1311
1312if (version >= 3.004001)
1313ifplugin Mail::SpamAssassin::Plugin::AskDNS
1314meta FROM_FMBLA_NEWDOM14 __FROM_FMBLA_NEWDOM14
1315describe FROM_FMBLA_NEWDOM14 From domain was registered in last 7-14 days
1316tflags FROM_FMBLA_NEWDOM14 publish net
1317#score FROM_FMBLA_NEWDOM14 1.0 # limit
1318endif
1319endif
1320##} FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1321
1322##{ FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1323
1324if (version >= 3.004001)
1325ifplugin Mail::SpamAssassin::Plugin::AskDNS
1326meta FROM_FMBLA_NEWDOM28 __FROM_FMBLA_NEWDOM28
1327describe FROM_FMBLA_NEWDOM28 From domain was registered in last 14-28 days
1328tflags FROM_FMBLA_NEWDOM28 net publish
1329#score FROM_FMBLA_NEWDOM28 0.8 # limit
1330endif
1331endif
1332##} FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1333
1334##{ FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1335
1336if (version >= 3.004002)
1337ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1338meta FROM_GOV_DKIM_AU DKIM_VALID_AU && __FROM_ADDRLIST_GOV
1339tflags FROM_GOV_DKIM_AU net nice publish
1340describe FROM_GOV_DKIM_AU From Government address and DKIM signed
1341#score FROM_GOV_DKIM_AU -1.0 # limit
1342endif
1343endif
1344##} FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1345
1346##{ FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1347
1348if (version >= 3.004002)
1349ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1350meta FROM_GOV_REPLYTO_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_GOV && !DKIM_VALID_AU
1351tflags FROM_GOV_REPLYTO_FREEMAIL net publish
1352describe FROM_GOV_REPLYTO_FREEMAIL From Government domain but ReplyTo is FREEMAIL
1353#score FROM_GOV_REPLYTO_FREEMAIL 2.0
1354endif
1355endif
1356##} FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1357
1358##{ FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1359
1360if (version >= 3.004002)
1361ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1362meta FROM_GOV_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (! NO_RELAYS && ! ALL_TRUSTED)
1363tflags FROM_GOV_SPOOF net publish
1364describe FROM_GOV_SPOOF From Government domain but matches SPOOFED
1365#score FROM_GOV_SPOOF 1.0 # limit
1366endif
1367endif
1368##} FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1369
1370##{ FROM_IN_TO_AND_SUBJ
1371
1372meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID
1373describe FROM_IN_TO_AND_SUBJ From address is in To and Subject
1374tflags FROM_IN_TO_AND_SUBJ publish
1375##} FROM_IN_TO_AND_SUBJ
1376
1377##{ FROM_MISSPACED
1378
1379meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
1380describe FROM_MISSPACED From: missing whitespace
1381#score FROM_MISSPACED 2.00
1382##} FROM_MISSPACED
1383
fc5290a3
SI		 1384##{ FROM_MISSP_DYNIP
1385
1386meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC
1387describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS
1388##} FROM_MISSP_DYNIP
1389
b780ea8d
SI		 1390##{ FROM_MISSP_EH_MATCH
1391
1392meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA
1393describe FROM_MISSP_EH_MATCH From misspaced, matches envelope
1394#score FROM_MISSP_EH_MATCH 2.00 # max
1395##} FROM_MISSP_EH_MATCH
1396
1397##{ FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail
1398
1399ifplugin Mail::SpamAssassin::Plugin::FreeMail
1400 meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA
1401 describe FROM_MISSP_FREEMAIL From misspaced + freemail provider
1402endif
1403##} FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail
1404
1405##{ FROM_MISSP_MSFT
1406
1407meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
1408describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
1409##} FROM_MISSP_MSFT
1410
1411##{ FROM_MISSP_REPLYTO
1412
1413meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY && !__DOS_HAS_LIST_UNSUB
1414describe FROM_MISSP_REPLYTO From misspaced, has Reply-To
1415#score FROM_MISSP_REPLYTO 2.500 # limit
1416##} FROM_MISSP_REPLYTO
1417
1418##{ FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
1419
1420ifplugin Mail::SpamAssassin::Plugin::SPF
1421 meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL)
1422 tflags FROM_MISSP_SPF_FAIL net
1423# score FROM_MISSP_SPF_FAIL 2.00 # limit
1424endif
1425##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
1426
b780ea8d
SI		 1427##{ FROM_MISSP_USER
1428
1429meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER)
1430describe FROM_MISSP_USER From misspaced, from "User"
1431##} FROM_MISSP_USER
1432
fc5290a3
SI		 1433##{ FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
1434
1435if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
1436 meta FROM_MULTI_NORDNS __FROM_MULTI_NORDNS
1437 describe FROM_MULTI_NORDNS Multiple From addresses + no rDNS
1438endif
1439##} FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
1440
b780ea8d
SI		 1441##{ FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1442
1443if (version >= 3.004001)
1444ifplugin Mail::SpamAssassin::Plugin::AskDNS
1445meta FROM_NEWDOM_BTC __PDS_BTC_ID && __PDS_NEWDOMAIN
1446describe FROM_NEWDOM_BTC Newdomain with Bitcoin ID
1447#score FROM_NEWDOM_BTC 2.0 # limit
1448tflags FROM_NEWDOM_BTC net
1449endif
1450endif
1451##} FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1452
1453##{ FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1454
1455if (version >= 3.004002)
1456ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1457meta FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY
1458tflags FROM_NTLD_LINKBAIT publish
1459describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI
1460#score FROM_NTLD_LINKBAIT 2.0 # limit
1461endif
1462endif
1463##} FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1464
1465##{ FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1466
1467if (version >= 3.004002)
1468ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1469meta FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD
1470tflags FROM_NTLD_REPLY_FREEMAIL publish
1471describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL
1472#score FROM_NTLD_REPLY_FREEMAIL 2.0 # limit
1473endif
1474endif
1475##} FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1476
1477##{ FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1478
1479if (version >= 3.004001)
1480ifplugin Mail::SpamAssassin::Plugin::AskDNS
1481meta FROM_NUMBERO_NEWDOMAIN __NUMBERONLY_TLD && __PDS_NEWDOMAIN
1482describe FROM_NUMBERO_NEWDOMAIN Fingerprint and new domain
1483#score FROM_NUMBERO_NEWDOMAIN 2.0 # limit
1484tflags FROM_NUMBERO_NEWDOMAIN net publish
1485endif
1486endif
1487##} FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
1488
b780ea8d
SI		 1489##{ FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1490
1491if (version >= 3.004002)
1492ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1493meta FROM_PAYPAL_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_PAYPAL && (! NO_RELAYS && ! ALL_TRUSTED)
1494tflags FROM_PAYPAL_SPOOF publish net
1495describe FROM_PAYPAL_SPOOF From PayPal domain but matches SPOOFED
1496#score FROM_PAYPAL_SPOOF 1.6 # limit
1497endif
1498endif
1499##} FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1500
1501##{ FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1502
1503if (version >= 3.004002)
1504ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1505meta FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD
1506tflags FROM_SUSPICIOUS_NTLD publish
1507describe FROM_SUSPICIOUS_NTLD From abused NTLD
1508#score FROM_SUSPICIOUS_NTLD 0.5 # limit
1509endif
1510endif
1511##} FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1512
1513##{ FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1514
1515if (version >= 3.004002)
1516ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1517meta FROM_SUSPICIOUS_NTLD_FP __FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST
1518tflags FROM_SUSPICIOUS_NTLD_FP publish
1519describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD
1520#score FROM_SUSPICIOUS_NTLD_FP 2.0 # limit
1521endif
1522endif
1523##} FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1524
21dcadbf
SI		 1525##{ FROM_UNBAL1
1526
1527header FROM_UNBAL1 From:raw =~ / < [^>]* $/xm
1528describe FROM_UNBAL1 From with unbalanced angle brackets, '>' missing
1529##} FROM_UNBAL1
1530
fc5290a3
SI		 1531##{ FROM_UNBAL2
1532
1533header FROM_UNBAL2 From:raw =~ /^ [^<]* > /xm
1534describe FROM_UNBAL2 From with unbalanced angle brackets, '<' missing
1535##} FROM_UNBAL2
1536
1537##{ FROM_WSP_TRAIL
1538
1539header FROM_WSP_TRAIL From:raw =~ /< [^>]* \s > [^<>]* \z/xm
1540describe FROM_WSP_TRAIL Trailing whitespace before '>' in From header field
1541##} FROM_WSP_TRAIL
1542
b780ea8d
SI		 1543##{ FSL_BULK_SIG
1544
31955ede 1545meta FSL_BULK_SIG (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__USING_VERP1 && !__KAM_BODY_LENGTH_LT_128
b780ea8d 1546describe FSL_BULK_SIG Bulk signature with no Unsubscribe
31955ede 1547#score FSL_BULK_SIG 2.500 # limit
b780ea8d
SI		 1548tflags FSL_BULK_SIG net publish
1549##} FSL_BULK_SIG
1550
1551##{ FSL_CTYPE_WIN1251
1552
1553header FSL_CTYPE_WIN1251 Content-Type =~ /charset="Windows-1251"/
1554describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam
1555##} FSL_CTYPE_WIN1251
1556
1557##{ FSL_FAKE_HOTMAIL_RVCD
1558
1559header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/
1560##} FSL_FAKE_HOTMAIL_RVCD
1561
1562##{ FSL_HELO_BARE_IP_1
1563
1564meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED
1565##} FSL_HELO_BARE_IP_1
1566
1567##{ FSL_HELO_DEVICE
1568
1569header FSL_HELO_DEVICE X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i
1570##} FSL_HELO_DEVICE
1571
1572##{ FSL_HELO_NON_FQDN_1
1573
1574header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
1575##} FSL_HELO_NON_FQDN_1
1576
1577##{ FSL_HELO_SETUP
1578
1579header FSL_HELO_SETUP X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i
1580##} FSL_HELO_SETUP
1581
1582##{ FSL_INTERIA_ABUSE
1583
1584uri FSL_INTERIA_ABUSE /\/\S+\.(?:w|eu|fm)\.interia\.pl/
1585##} FSL_INTERIA_ABUSE
1586
1587##{ FSL_NEW_HELO_USER
1588
1589meta FSL_NEW_HELO_USER (__FSL_HELO_USER_1 || __FSL_HELO_USER_2 || __FSL_HELO_USER_3)
1590describe FSL_NEW_HELO_USER Spam's using Helo and User
1591#score FSL_NEW_HELO_USER 2.0
1592tflags FSL_NEW_HELO_USER publish
1593##} FSL_NEW_HELO_USER
1594
1595##{ FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1596
1597ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1598 body FUZZY_AMAZON /(?:^|\W)(?=<A>)(?!amazon)<A><M><A><Z><O><N>(?:$|\W)/i
1599 describe FUZZY_AMAZON Obfuscated "amazon"
1600 tflags FUZZY_AMAZON publish
1601endif
1602##} FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1603
1604##{ FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1605
1606ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1607 body FUZZY_ANDROID /(?=<A>)(?!android)<A><N><D><R><O><I><D>/i
1608 describe FUZZY_ANDROID Obfuscated "android"
1609 tflags FUZZY_ANDROID publish
1610endif
1611##} FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1612
1613##{ FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1614
1615ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1616 body FUZZY_APPLE /(?:^|\W)(?=<A>)(?!appl[ey])<A><P><P><L><E>(?:$|\W)/i
1617 describe FUZZY_APPLE Obfuscated "apple"
1618 tflags FUZZY_APPLE publish
1619endif
1620##} FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1621
1622##{ FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1623
1624ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1625 body FUZZY_BITCOIN /(?=<B>)(?!bit[-\s]?coin)<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i
1626 describe FUZZY_BITCOIN Obfuscated "Bitcoin"
1627 tflags FUZZY_BITCOIN publish
1628endif
1629##} FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1630
1631##{ FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1632
1633ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1634 body FUZZY_BROWSER /(?=<B>)(?!browser)<B><R><O><W><S><E><R>/i
1635 describe FUZZY_BROWSER Obfuscated "browser"
1636 tflags FUZZY_BROWSER publish
1637endif
1638##} FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1639
1640##{ FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1641
1642ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1643 meta FUZZY_BTC_WALLET FUZZY_BITCOIN && FUZZY_WALLET
1644 describe FUZZY_BTC_WALLET Heavily obfuscated "bitcoin wallet"
1645 tflags FUZZY_BTC_WALLET publish
1646endif
1647##} FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1648
1649##{ FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1650
1651ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1652 body FUZZY_CLICK_HERE /(?=<C>)(?!click(?:\s|&nbsp;)here)<C><WS>*<L><WS>*<I><WS>*<C><WS>*<K><WS>+<H><WS>*<E><WS>*<R><WS>*<E>/i
1653 describe FUZZY_CLICK_HERE Obfuscated "click here"
1654 tflags FUZZY_CLICK_HERE publish
1655endif
1656##} FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1657
1658##{ FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1659
1660ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1661 meta FUZZY_DR_OZ __FUZZY_DR_OZ && !__VIA_ML
1662 describe FUZZY_DR_OZ Obfuscated Doctor Oz
1663 tflags FUZZY_DR_OZ publish
1664endif
1665##} FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1666
1667##{ FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1668
1669ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1670 body FUZZY_FACEBOOK /(?=<F>)(?!fa[ck]ebook)<F><A><C><E><B><O><O><K>/i
1671 describe FUZZY_FACEBOOK Obfuscated "facebook"
1672 tflags FUZZY_FACEBOOK publish
1673endif
1674##} FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1675
1676##{ FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1677
1678ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1679 body FUZZY_IMPORTANT /(?=<I>)(?!important)<I>(?:<M>|<N>)<P><O><R><T><A><N><T>/i
1680 describe FUZZY_IMPORTANT Obfuscated "important"
1681 tflags FUZZY_IMPORTANT publish
1682endif
1683##} FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1684
1685##{ FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1686
1687ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1688body FUZZY_MERIDIA /<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i
1689describe FUZZY_MERIDIA Obfuscation of the word "meridia"
1690endif
1691##} FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1692
1693##{ FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1694
1695ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1696 body FUZZY_MICROSOFT /(?=<M>)(?!microsoft)<M><I><C><R><O><S><O><F><T>/i
1697 describe FUZZY_MICROSOFT Obfuscated "microsoft"
1698 tflags FUZZY_MICROSOFT publish
1699endif
1700##} FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1701
1702##{ FUZZY_MONERO
1703
1704meta FUZZY_MONERO __FUZZY_MONERO
1705describe FUZZY_MONERO Obfuscated "Monero"
1706tflags FUZZY_MONERO publish
1707##} FUZZY_MONERO
1708
1709##{ FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1710
1711ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1712 body FUZZY_NORTON /(?:^|\W)(?=<N>)(?!norton)<N><O><R><T><O><N>(?:$|\W)/i
1713 describe FUZZY_NORTON Obfuscated "norton"
1714 tflags FUZZY_NORTON publish
1715endif
1716##} FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1717
1718##{ FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1719
1720ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1721 body FUZZY_OVERSTOCK /(?:^|\W)(?=<O>)(?!over[-\s]?stock)<O><V><E><R>[-\s]?<S><T><O><C><K>(?:$|\W)/i
1722 describe FUZZY_OVERSTOCK Obfuscated "overstock"
1723 tflags FUZZY_OVERSTOCK publish
1724endif
1725##} FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1726
1727##{ FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1728
1729ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1730 body FUZZY_PAYPAL /(?:^|\W)(?=<P>)(?!pay[-\s]?pal)<P><A><Y>[-\s]?<P><A><L>(?:$|\W)/i
1731 describe FUZZY_PAYPAL Obfuscated "paypal"
1732 tflags FUZZY_PAYPAL publish
1733endif
1734##} FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1735
1736##{ FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1737
1738ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1739 meta FUZZY_PORN __FUZZY_PORN && !( __ENV_AND_HDR_FROM_MATCH && __SENDER_BOT )
1740 describe FUZZY_PORN Obfuscated "Pornography" or "Pornographic"
1741 tflags FUZZY_PORN publish
1742endif
1743##} FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1744
1745##{ FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1746
1747ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1748 body FUZZY_PRIVACY /(?=<P>)(?!privacy)<P><R><I><V><A><C><Y>/i
1749 describe FUZZY_PRIVACY Obfuscated "privacy"
1750 tflags FUZZY_PRIVACY publish
1751endif
1752##} FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1753
1754##{ FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1755
1756ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1757 body FUZZY_PROMOTION /(?=<P>)(?!promotion)<P><R><O><M><O><T><I><O><N>/i
1758 describe FUZZY_PROMOTION Obfuscated "promotion"
1759 tflags FUZZY_PROMOTION publish
1760endif
1761##} FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1762
1763##{ FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1764
1765ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1766 body FUZZY_SAVINGS /(?=<S>)(?!savings)<S><A><V><I><N><G><S>/i
1767 describe FUZZY_SAVINGS Obfuscated "savings"
1768 tflags FUZZY_SAVINGS publish
1769endif
1770##} FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1771
1772##{ FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1773
1774ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1775 body FUZZY_SECURITY /(?=<S>)(?!security)(?!seguridad)(?!s\xc3\xa9curit\xc3\xa9)<S><E>(?:<C>|<G>)<U><R><I>(?:<T><Y>|<D><A><D>)/i
1776 describe FUZZY_SECURITY Obfuscated "security"
1777 tflags FUZZY_SECURITY publish
1778endif
1779##} FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1780
1781##{ FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1782
1783ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1784 body FUZZY_UNSUBSCRIBE /(?=<U>)(?!unsubscribe)<U><N><S><U><B><S><C><R><I><B><E>/i
1785 describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe"
1786 tflags FUZZY_UNSUBSCRIBE publish
1787endif
1788##} FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1789
1790##{ FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1791
1792ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1793 body FUZZY_WALLET /(?=<W>)(?!wallet)<W><A><L><L><E><T>/i
1794 describe FUZZY_WALLET Obfuscated "Wallet"
1795 tflags FUZZY_WALLET publish
1796endif
1797##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
1798
1799##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1800
1801if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1802 meta GAPPY_SALES_LEADS_FREEM __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
1803 describe GAPPY_SALES_LEADS_FREEM Obfuscated marketing text, freemail or CHN replyto
1804# score GAPPY_SALES_LEADS_FREEM 3.500 # limit
1805 tflags GAPPY_SALES_LEADS_FREEM publish
1806endif
1807##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
1808
dfdd1e08
SI		 1809##{ GB_BITCOIN_NH
1810
1811meta GB_BITCOIN_NH ( __BITCOIN_ID && !__URL_BTC_ID && ( __NEVER_HEAR_EN || __NEVER_HEAR_IT ) )
1812describe GB_BITCOIN_NH Localized Bitcoin scam
1813#score GB_BITCOIN_NH 3.0 # limit
1814##} GB_BITCOIN_NH
1815
1816##{ GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
1817
1818if (version >= 4.000000)
1819if can(Mail::SpamAssassin::Conf::feature_capture_rules)
1820 meta GB_CUSTOM_HTM_URI ( __GB_CUSTOM_HTM_URI0 || __GB_CUSTOM_HTM_URI1 || __GB_CUSTOM_HTM_URI2 || __GB_DRUPAL_URI )
1821 describe GB_CUSTOM_HTM_URI Custom html uri
1822# score GB_CUSTOM_HTM_URI 1.500 # limit
1823 tflags GB_CUSTOM_HTM_URI publish
1824endif
1825endif
1826##} GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
1827
b780ea8d
SI		 1828##{ GB_FAKE_RF_SHORT
1829
dfdd1e08 1830meta GB_FAKE_RF_SHORT ( ! __THREADED && __GB_FAKE_RF && __URL_SHORTENER )
b780ea8d
SI		 1831describe GB_FAKE_RF_SHORT Fake reply or forward with url shortener
1832#score GB_FAKE_RF_SHORT 2.000 # limit
1833tflags GB_FAKE_RF_SHORT publish
1834##} GB_FAKE_RF_SHORT
1835
1836##{ GB_FORGED_MUA_POSTFIX
1837
1838meta GB_FORGED_MUA_POSTFIX ( __FORGED_MUA_POSTFIX0 || __FORGED_MUA_POSTFIX1 )
1839describe GB_FORGED_MUA_POSTFIX Forged Postfix mua headers
1840tflags GB_FORGED_MUA_POSTFIX publish
1841#score GB_FORGED_MUA_POSTFIX 2.0 # limit
1842##} GB_FORGED_MUA_POSTFIX
1843
1844##{ GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
1845
1846ifplugin Mail::SpamAssassin::Plugin::FreeMail
1847 meta GB_FREEMAIL_DISPTO ( __FREEMAIL_DISPTO && !__freemail_safe )
1848 describe GB_FREEMAIL_DISPTO Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails
1849# score GB_FREEMAIL_DISPTO 0.50 # limit
1850 tflags GB_FREEMAIL_DISPTO publish
1851endif
1852##} GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
1853
1854##{ GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail
1855
1856ifplugin Mail::SpamAssassin::Plugin::FreeMail
1857 meta GB_FREEMAIL_DISPTO_NOTFREEM ( __FREEMAIL_DISPTO && !__freemail_safe && !FREEMAIL_FROM )
1858 describe GB_FREEMAIL_DISPTO_NOTFREEM Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail
1859# score GB_FREEMAIL_DISPTO_NOTFREEM 0.50 # limit
1860 tflags GB_FREEMAIL_DISPTO_NOTFREEM publish
1861endif
1862##} GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail
1863
1864##{ GB_GOOGLE_OBFUR
1865
1866uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.([a-z]{2,3})\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=([0-9])*\&(cad=rja\&uact=([0-9]+)\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(&usg=.{1,50})?/
1867describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect
1868#score GB_GOOGLE_OBFUR 0.75 # limit
1869tflags GB_GOOGLE_OBFUR publish
1870##} GB_GOOGLE_OBFUR
1871
fc5290a3
SI		 1872##{ GB_GOOGLE_TRANSL
1873
1874uri GB_GOOGLE_TRANSL /^https?:\/\/.{10,64}\-(ipfs|xn\-)\-.{2,20}\.translate\.goog\/.{4}\//
1875describe GB_GOOGLE_TRANSL Obfuscate url through Google Translate
1876#score GB_GOOGLE_TRANSL 0.75 # limit
1877##} GB_GOOGLE_TRANSL
1878
dfdd1e08
SI		 1879##{ GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL
1880
1881if (version >= 3.004003)
1882 ifplugin Mail::SpamAssassin::Plugin::HashBL
1883 body GB_HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,62})\b')
1884 tflags GB_HASHBL_BTC net publish
1885 describe GB_HASHBL_BTC Message contains BTC address found on BTCBL
1886# score GB_HASHBL_BTC 5.0 # limit
1887endif
1888endif
1889##} GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL
1890
b780ea8d
SI		 1891##{ GEO_QUERY_STRING
1892
1893uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i
1894##} GEO_QUERY_STRING
1895
1896##{ GOOGLE_DOCS_PHISH
1897
1898meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2)
1899describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form
1900#score GOOGLE_DOCS_PHISH 3.00 # limit
1901tflags GOOGLE_DOCS_PHISH publish
1902##} GOOGLE_DOCS_PHISH
1903
1904##{ GOOGLE_DOCS_PHISH_MANY
1905
1906meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
1907describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form
1908#score GOOGLE_DOCS_PHISH_MANY 4.00 # limit
1909tflags GOOGLE_DOCS_PHISH_MANY publish
1910##} GOOGLE_DOCS_PHISH_MANY
1911
1912##{ GOOGLE_DOC_SUSP
1913
1914meta GOOGLE_DOC_SUSP __GOOGLE_DOC_SUSP && !GOOGLE_DOCS_PHISH_MANY && !__HAS_SENDER && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__USING_VERP1 && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_SMTP && ! __HAS_LIST_ID && !__SURVEY && !__BUGGED_IMG
1915describe GOOGLE_DOC_SUSP Suspicious use of Google Docs
1916#score GOOGLE_DOC_SUSP 3.000 # limit
1917tflags GOOGLE_DOC_SUSP publish
1918##} GOOGLE_DOC_SUSP
1919
1920##{ GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1921
1922if (version >= 3.004002)
1923ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1924meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD
1925tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish
1926describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD
1927#score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit
1928endif
1929endif
1930##} GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
1931
1932##{ GOOG_MALWARE_DNLD
1933
1934meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD
1935describe GOOG_MALWARE_DNLD File download via Google - Malware?
1936#score GOOG_MALWARE_DNLD 5.000 # limit
1937tflags GOOG_MALWARE_DNLD publish
1938##} GOOG_MALWARE_DNLD
1939
1940##{ GOOG_REDIR_DOCUSIGN
1941
1942uri GOOG_REDIR_DOCUSIGN m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i
1943describe GOOG_REDIR_DOCUSIGN Indirect docusign link, probable phishing
1944tflags GOOG_REDIR_DOCUSIGN publish
1945##} GOOG_REDIR_DOCUSIGN
1946
21dcadbf
SI		 1947##{ GOOG_REDIR_HTML_ONLY
1948
1949meta GOOG_REDIR_HTML_ONLY (__GOOG_REDIR && MIME_HTML_ONLY) && !RDNS_NONE && !__LCL__KAM_BODY_LENGTH_LT_512
1950describe GOOG_REDIR_HTML_ONLY Google redirect to obscure spamvertised website + HTML only
1951#score GOOG_REDIR_HTML_ONLY 2.000 # limit
1952##} GOOG_REDIR_HTML_ONLY
1953
b780ea8d
SI		 1954##{ GOOG_REDIR_NORDNS
1955
1956meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE
1957describe GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website + no rDNS
1958##} GOOG_REDIR_NORDNS
1959
1960##{ GOOG_REDIR_SHORT
1961
1962meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512
1963describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message
1964tflags GOOG_REDIR_SHORT publish
1965##} GOOG_REDIR_SHORT
1966
46cfc9e2
SI		 1967##{ GOOG_STO_EMAIL_PHISH
1968
1969meta GOOG_STO_EMAIL_PHISH __URI_GOOG_STO_EMAIL && (__PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ || __FROM_ADMIN || __VERIFY_ACCOUNT)
1970describe GOOG_STO_EMAIL_PHISH Possible phishing with google hosted content URI having email address
1971#score GOOG_STO_EMAIL_PHISH 3.00 # limit
1972tflags GOOG_STO_EMAIL_PHISH publish
1973##} GOOG_STO_EMAIL_PHISH
1974
b780ea8d
SI		 1975##{ GOOG_STO_HTML_PHISH
1976
1977meta GOOG_STO_HTML_PHISH __GOOG_STO_HTML_PHISH
1978describe GOOG_STO_HTML_PHISH Possible phishing with google content hosting to avoid URIBL
1979#score GOOG_STO_HTML_PHISH 3.00 # limit
1980tflags GOOG_STO_HTML_PHISH publish
1981##} GOOG_STO_HTML_PHISH
1982
1983##{ GOOG_STO_HTML_PHISH_MANY
1984
1985meta GOOG_STO_HTML_PHISH_MANY __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY)
1986describe GOOG_STO_HTML_PHISH_MANY Phishing with google content hosting to avoid URIBL
1987#score GOOG_STO_HTML_PHISH_MANY 4.00 # limit
1988tflags GOOG_STO_HTML_PHISH_MANY publish
1989##} GOOG_STO_HTML_PHISH_MANY
1990
1991##{ GOOG_STO_IMG_HTML
1992
1993meta GOOG_STO_IMG_HTML __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY
1994describe GOOG_STO_IMG_HTML Apparently using google content hosting to avoid URIBL
1995#score GOOG_STO_IMG_HTML 3.000 # limit
1996tflags GOOG_STO_IMG_HTML publish
1997##} GOOG_STO_IMG_HTML
1998
1999##{ GOOG_STO_IMG_NOHTML
2000
2001meta GOOG_STO_IMG_NOHTML __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !URI_GOOG_STO_SPAMMY
2002describe GOOG_STO_IMG_NOHTML Apparently using google content hosting to avoid URIBL
2003#score GOOG_STO_IMG_NOHTML 2.500 # limit
2004tflags GOOG_STO_IMG_NOHTML publish
2005##} GOOG_STO_IMG_NOHTML
2006
2007##{ GOOG_STO_NOIMG_HTML
2008
2009meta GOOG_STO_NOIMG_HTML __GOOG_STO_NOIMG_HTML && !URI_GOOG_STO_SPAMMY
2010describe GOOG_STO_NOIMG_HTML Apparently using google content hosting to avoid URIBL
2011#score GOOG_STO_NOIMG_HTML 3.000 # limit
2012tflags GOOG_STO_NOIMG_HTML publish
2013##} GOOG_STO_NOIMG_HTML
2014
2015##{ HAS_X_NO_RELAY
2016
2017meta HAS_X_NO_RELAY __HAS_X_NO_RELAY && !__TO_EQ_FROM_1
2018describe HAS_X_NO_RELAY Has spammy header
2019#score HAS_X_NO_RELAY 2.500 # limit
2020tflags HAS_X_NO_RELAY publish
2021##} HAS_X_NO_RELAY
2022
2023##{ HAS_X_OUTGOING_SPAM_STAT
2024
46cfc9e2 2025meta HAS_X_OUTGOING_SPAM_STAT __HAS_X_OUTGOING_SPAM_STAT && !MAILING_LIST_MULTI && !__HAS_X_MAILMAN_VERSION && !__AUTOREPLY_ASU && !__THREAD_INDEX_GOOD && !__HAS_X_LOOP && !__DOC_ATTACH && !__PDF_ATTACH && !__FROM_EQ_ORG_1 && !__HAS_IN_REPLY_TO
b780ea8d 2026describe HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - why trust the results?
46cfc9e2 2027#score HAS_X_OUTGOING_SPAM_STAT 2.000 # limit
b780ea8d
SI		 2028tflags HAS_X_OUTGOING_SPAM_STAT publish
2029##} HAS_X_OUTGOING_SPAM_STAT
2030
b780ea8d
SI		 2031##{ HDRS_MISSP
2032
2033meta HDRS_MISSP __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY)
2034describe HDRS_MISSP Misspaced headers
2035#score HDRS_MISSP 2.500 # limit
2036tflags HDRS_MISSP publish
2037##} HDRS_MISSP
2038
2039##{ HDR_ORDER_FTSDMCXX_001C
2040
2041meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C)
2042describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant)
2043##} HDR_ORDER_FTSDMCXX_001C
2044
2045##{ HDR_ORDER_FTSDMCXX_BAT
2046
2047meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY)
2048describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant)
2049##} HDR_ORDER_FTSDMCXX_BAT
2050
2051##{ HDR_ORDER_FTSDMCXX_DIRECT
2052
2053meta HDR_ORDER_FTSDMCXX_DIRECT (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML
2054describe HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX
2055#score HDR_ORDER_FTSDMCXX_DIRECT 2.000 # limit
2056tflags HDR_ORDER_FTSDMCXX_DIRECT publish
2057##} HDR_ORDER_FTSDMCXX_DIRECT
2058
2059##{ HDR_ORDER_FTSDMCXX_NORDNS
2060
2061meta HDR_ORDER_FTSDMCXX_NORDNS (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED
2062describe HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS
2063#score HDR_ORDER_FTSDMCXX_NORDNS 3.500 # limit
2064tflags HDR_ORDER_FTSDMCXX_NORDNS publish
2065##} HDR_ORDER_FTSDMCXX_NORDNS
2066
2067##{ HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2068
2069ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2070header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999')
2071describe HEADER_COUNT_SUBJECT Multiple Subject headers found
2072endif
2073##} HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2074
2075##{ HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
2076
2077ifplugin Mail::SpamAssassin::Plugin::FreeMail
2078 ifplugin Mail::SpamAssassin::Plugin::HeaderEval
2079 if (version >= 3.004000)
2080 header HEADER_FROM_DIFFERENT_DOMAINS eval:check_equal_from_domains()
2081 describe HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
2082# score HEADER_FROM_DIFFERENT_DOMAINS 0.25
2083 tflags HEADER_FROM_DIFFERENT_DOMAINS publish
2084endif
2085endif
2086endif
2087##} HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000)
2088
2089##{ HELO_FRIEND
2090
2091header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i
2092##} HELO_FRIEND
2093
b780ea8d
SI		 2094##{ HELO_LH_LD
2095
2096header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i
2097##} HELO_LH_LD
2098
2099##{ HELO_LOCALHOST
2100
2101header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i
2102##} HELO_LOCALHOST
2103
b780ea8d
SI		 2104##{ HELO_NO_DOMAIN
2105
2106meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST
2107describe HELO_NO_DOMAIN Relay reports its domain incorrectly
2108tflags HELO_NO_DOMAIN publish
2109##} HELO_NO_DOMAIN
2110
2111##{ HELO_OEM
2112
2113header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i
2114##} HELO_OEM
2115
2116##{ HEXHASH_WORD
2117
2118meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER
2119describe HEXHASH_WORD Multiple instances of word + hexadecimal hash
2120#score HEXHASH_WORD 3.000 # limit
2121tflags HEXHASH_WORD publish
2122##} HEXHASH_WORD
2123
2124##{ HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2125
2126ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2127mimeheader HK_CTE_RAW Content-Transfer-Encoding =~ /^raw$/
2128#score HK_CTE_RAW 2
2129tflags HK_CTE_RAW publish
2130endif
2131##} HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2132
2133##{ HK_LOTTO
2134
2135meta HK_LOTTO __HK_LOTTO_2 || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT
2136#score HK_LOTTO 1
2137##} HK_LOTTO
2138
2139##{ HK_NAME_DRUGS
2140
2141header HK_NAME_DRUGS From:name =~ /(viagra|\bcialis|cialis\b)/mi
2142describe HK_NAME_DRUGS From name contains drugs
2143#score HK_NAME_DRUGS 2
2144##} HK_NAME_DRUGS
2145
b780ea8d
SI		 2146##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
2147
2148ifplugin Mail::SpamAssassin::Plugin::FreeMail
2149if (version >= 3.004000)
2150 meta HK_NAME_MR_MRS __HK_NAME_MR_MRS && !FREEMAIL_FROM
2151# score HK_NAME_MR_MRS 1.0
2152endif
2153endif
2154##} HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
2155
2156##{ HK_RANDOM_ENVFROM
2157
46cfc9e2 2158header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
b780ea8d
SI		 2159describe HK_RANDOM_ENVFROM Envelope sender username looks random
2160#score HK_RANDOM_ENVFROM 1
2161tflags HK_RANDOM_ENVFROM publish
2162##} HK_RANDOM_ENVFROM
2163
2164##{ HK_RANDOM_FROM
2165
46cfc9e2 2166header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
b780ea8d
SI		 2167describe HK_RANDOM_FROM From username looks random
2168#score HK_RANDOM_FROM 1
2169tflags HK_RANDOM_FROM publish
2170##} HK_RANDOM_FROM
2171
2172##{ HK_RANDOM_REPLYTO
2173
46cfc9e2 2174header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi
b780ea8d
SI		 2175describe HK_RANDOM_REPLYTO Reply-To username looks random
2176#score HK_RANDOM_REPLYTO 1
2177tflags HK_RANDOM_REPLYTO publish
2178##} HK_RANDOM_REPLYTO
2179
2180##{ HK_RCVD_IP_MULTICAST
2181
2182header HK_RCVD_IP_MULTICAST X-Spam-Relays-External =~ / ip=(?:22[4-9]|23[0-9])\./
2183#score HK_RCVD_IP_MULTICAST 2
2184tflags HK_RCVD_IP_MULTICAST publish
2185##} HK_RCVD_IP_MULTICAST
2186
2187##{ HK_SCAM
2188
2189meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || __HK_SCAM_N16 || __HK_SCAM_S1 || __HK_SCAM_S15 || __HK_SCAM_S25
2190#score HK_SCAM 2
2191tflags HK_SCAM publish
2192##} HK_SCAM
2193
21dcadbf
SI		 2194##{ HK_WIN
2195
2196meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2)
2197#score HK_WIN 1
2198##} HK_WIN
2199
b780ea8d
SI		 2200##{ HOSTED_IMG_DIRECT_MX
2201
2202meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS
2203#score HOSTED_IMG_DIRECT_MX 3.500 # limit
46cfc9e2 2204describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm, CDN or hosting site, message direct-to-mx
b780ea8d
SI		 2205tflags HOSTED_IMG_DIRECT_MX publish
2206##} HOSTED_IMG_DIRECT_MX
2207
2208##{ HOSTED_IMG_DQ_UNSUB
2209
2210meta HOSTED_IMG_DQ_UNSUB __HOSTED_IMG_DQ_UNSUB
2211#score HOSTED_IMG_DQ_UNSUB 3.500 # limit
2212describe HOSTED_IMG_DQ_UNSUB Image hosted at large ecomm site, IP addr unsub link
2213tflags HOSTED_IMG_DQ_UNSUB publish
2214##} HOSTED_IMG_DQ_UNSUB
2215
2216##{ HOSTED_IMG_FREEM
2217
2218meta HOSTED_IMG_FREEM __HOSTED_IMG_FREEM && !__THREADED
2219#score HOSTED_IMG_FREEM 3.500 # limit
46cfc9e2 2220describe HOSTED_IMG_FREEM Image hosted at large ecomm, CDN or hosting site or redirected, freemail from or reply-to
b780ea8d
SI		 2221tflags HOSTED_IMG_FREEM publish
2222##} HOSTED_IMG_FREEM
2223
2224##{ HOSTED_IMG_MULTI
2225
2226meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS
2227#score HOSTED_IMG_MULTI 3.000 # limit
46cfc9e2 2228describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirected
b780ea8d
SI		 2229tflags HOSTED_IMG_MULTI publish
2230##} HOSTED_IMG_MULTI
2231
2232##{ HOSTED_IMG_MULTI_PUB_01
2233
31955ede 2234meta HOSTED_IMG_MULTI_PUB_01 (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF && !__HAS_IN_REPLY_TO
b780ea8d
SI		 2235describe HOSTED_IMG_MULTI_PUB_01 Multiple hosted images at public site
2236#score HOSTED_IMG_MULTI_PUB_01 3.000 # limit
2237tflags HOSTED_IMG_MULTI_PUB_01 publish
2238##} HOSTED_IMG_MULTI_PUB_01
2239
2240##{ HTML_ENTITY_ASCII
2241
2242meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP
2243describe HTML_ENTITY_ASCII Obfuscated ASCII
2244#score HTML_ENTITY_ASCII 3.000 # limit
2245tflags HTML_ENTITY_ASCII publish
2246##} HTML_ENTITY_ASCII
2247
2248##{ HTML_ENTITY_ASCII_TINY
2249
31955ede 2250meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_TINY && !__HAS_IN_REPLY_TO
b780ea8d
SI		 2251describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts
2252#score HTML_ENTITY_ASCII_TINY 3.000 # limit
2253tflags HTML_ENTITY_ASCII_TINY publish
2254##} HTML_ENTITY_ASCII_TINY
2255
46cfc9e2
SI		 2256##{ HTML_FONT_TINY_NORDNS
2257
31955ede 2258meta HTML_FONT_TINY_NORDNS __HTML_FONT_TINY_NORDNS && !__HAS_CID
46cfc9e2 2259describe HTML_FONT_TINY_NORDNS Font too small to read, no rDNS
31955ede 2260#score HTML_FONT_TINY_NORDNS 2.000 # limit
46cfc9e2
SI		 2261##} HTML_FONT_TINY_NORDNS
2262
b780ea8d
SI		 2263##{ HTML_OFF_PAGE
2264
2265meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS
2266describe HTML_OFF_PAGE HTML element rendered well off the displayed page
2267#score HTML_OFF_PAGE 3.000 # limit
2268tflags HTML_OFF_PAGE publish
2269##} HTML_OFF_PAGE
2270
2271##{ HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2272
2273if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2274 meta HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU_MANY
2275 describe HTML_SHRT_CMNT_OBFU_MANY Obfuscation with many short HTML comments
2276# score HTML_SHRT_CMNT_OBFU_MANY 2.500 # limit
2277 tflags HTML_SHRT_CMNT_OBFU_MANY publish
2278endif
2279##} HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2280
2281##{ HTML_SINGLET_MANY
2282
2283meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP
2284describe HTML_SINGLET_MANY Many single-letter HTML format blocks
2285#score HTML_SINGLET_MANY 2.500 # limit
2286tflags HTML_SINGLET_MANY publish
2287##} HTML_SINGLET_MANY
2288
2289##{ HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2290
2291if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2292 meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID
2293 describe HTML_TEXT_INVISIBLE_FONT HTML hidden text - word obfuscation?
2294# score HTML_TEXT_INVISIBLE_FONT 2.000 # limit
2295 tflags HTML_TEXT_INVISIBLE_FONT publish
2296endif
2297##} HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2298
2299##{ HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2300
2301if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2302 meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX
2303 describe HTML_TEXT_INVISIBLE_STYLE HTML hidden text + other spam signs
2304# score HTML_TEXT_INVISIBLE_STYLE 3.500 # limit
2305 tflags HTML_TEXT_INVISIBLE_STYLE publish
2306endif
2307##} HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2308
2309##{ HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
2310
2311ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
2312body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10')
2313endif
2314##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
2315
2316##{ IMG_ONLY_FM_DOM_INFO
2317
2318meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO
2319describe IMG_ONLY_FM_DOM_INFO HTML image-only message from .info domain
2320#score IMG_ONLY_FM_DOM_INFO 2.500 # limit
2321tflags IMG_ONLY_FM_DOM_INFO publish
2322##} IMG_ONLY_FM_DOM_INFO
2323
2324##{ JH_SPAMMY_HEADERS
2325
2326meta JH_SPAMMY_HEADERS __HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGID || __HAS_X_LETTER || __HAS_X_EBSERVER || __HAS_LIST_OPEN
2327describe JH_SPAMMY_HEADERS Has unusual message header(s) seen primarily in spam
2328#score JH_SPAMMY_HEADERS 3.500 # limit
2329tflags JH_SPAMMY_HEADERS publish
2330##} JH_SPAMMY_HEADERS
2331
2332##{ JH_SPAMMY_PATTERN01
2333
2334rawbody JH_SPAMMY_PATTERN01 m;<img src=['"](https?://[^'"]{1,80}/)C([^/.]{1,30}\.jpg)['"]>.{0,200}<img src="\1U\2";ism
2335describe JH_SPAMMY_PATTERN01 Unusual pattern seen in spam campaign
2336#score JH_SPAMMY_PATTERN01 3.000 # limit
2337tflags JH_SPAMMY_PATTERN01 publish
2338##} JH_SPAMMY_PATTERN01
2339
2340##{ JH_SPAMMY_PATTERN02
2341
2342rawbody JH_SPAMMY_PATTERN02 m;<img [^>]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200}<a href="\1t=c\2".{0,200}<a href="\1t=u\2";ism
2343describe JH_SPAMMY_PATTERN02 Unusual pattern seen in spam campaign
2344#score JH_SPAMMY_PATTERN02 3.000 # limit
2345tflags JH_SPAMMY_PATTERN02 publish
2346##} JH_SPAMMY_PATTERN02
2347
2348##{ JM_I_FEEL_LUCKY
2349
2350uri JM_I_FEEL_LUCKY /(?:\&|\?)btnI=ec(?:$|\&)/
2351tflags JM_I_FEEL_LUCKY publish # low hitrate, but always a good sign
2352##} JM_I_FEEL_LUCKY
2353
2354##{ JM_RCVD_QMAILV1
2355
2356header JM_RCVD_QMAILV1 Received =~ /by \S+ \(Qmailv1\) with ESMTP/
2357##} JM_RCVD_QMAILV1
2358
2359##{ JM_TORA_XM
2360
2361meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO)
2362##} JM_TORA_XM
2363
2364##{ KB_DATE_CONTAINS_TAB
2365
2366meta KB_DATE_CONTAINS_TAB __KB_DATE_CONTAINS_TAB && !__ML_TURNS_SP_TO_TAB
2367#score KB_DATE_CONTAINS_TAB 0.5
2368##} KB_DATE_CONTAINS_TAB
2369
2370##{ KB_FAKED_THE_BAT
2371
2372meta KB_FAKED_THE_BAT (__THEBAT_MUA && KB_DATE_CONTAINS_TAB)
2373##} KB_FAKED_THE_BAT
2374
2375##{ KB_RATWARE_BOUNDARY
2376
2377meta KB_RATWARE_BOUNDARY __RATWARE_BOUND_A || __RATWARE_BOUND_B
2378##} KB_RATWARE_BOUNDARY
2379
2380##{ KB_RATWARE_MSGID
2381
2382meta KB_RATWARE_MSGID (__KB_MSGID_OUTLOOK_888 && __ANY_OUTLOOK_MUA)
2383##} KB_RATWARE_MSGID
2384
2385##{ KB_RATWARE_OUTLOOK_08
2386
2387header KB_RATWARE_OUTLOOK_08 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi # "
2388##} KB_RATWARE_OUTLOOK_08
2389
2390##{ KB_RATWARE_OUTLOOK_12
2391
2392header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # "
2393##} KB_RATWARE_OUTLOOK_12
2394
2395##{ KB_RATWARE_OUTLOOK_16
2396
2397header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # "
2398##} KB_RATWARE_OUTLOOK_16
2399
2400##{ KB_RATWARE_OUTLOOK_MID
2401
2402header KB_RATWARE_OUTLOOK_MID ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi
2403##} KB_RATWARE_OUTLOOK_MID
2404
b780ea8d
SI		 2405##{ KHOP_HELO_FCRDNS
2406
2407meta KHOP_HELO_FCRDNS __HELO_NOT_RDNS && !(__VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || __NOT_SPOOFED || __RDNS_SHORT)
2408describe KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
2409#score KHOP_HELO_FCRDNS 0.4 # 20090603
2410##} KHOP_HELO_FCRDNS
2411
46cfc9e2
SI		 2412##{ LINKEDIN_IMG_NOT_RCVD_LNKN
2413
2414meta LINKEDIN_IMG_NOT_RCVD_LNKN __LINKED_IMG_NOT_RCVD_LINK && !__LUNSUB_BEFORE_SUBJDT
2415#score LINKEDIN_IMG_NOT_RCVD_LNKN 2.500 # limit
2416describe LINKEDIN_IMG_NOT_RCVD_LNKN Linkedin hosted image but message not from Linkedin
2417tflags LINKEDIN_IMG_NOT_RCVD_LNKN publish
2418##} LINKEDIN_IMG_NOT_RCVD_LNKN
2419
b780ea8d
SI		 2420##{ LIST_PRTL_PUMPDUMP
2421
2422meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS
2423describe LIST_PRTL_PUMPDUMP Incomplete List-* headers and stock pump-and-dump
2424#score LIST_PRTL_PUMPDUMP 2.000 # limit
2425tflags LIST_PRTL_PUMPDUMP publish
2426##} LIST_PRTL_PUMPDUMP
2427
2428##{ LIST_PRTL_SAME_USER
2429
2430meta LIST_PRTL_SAME_USER __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO
2431describe LIST_PRTL_SAME_USER Incomplete List-* headers and from+to user the same
2432#score LIST_PRTL_SAME_USER 3.000 # limit
2433tflags LIST_PRTL_SAME_USER publish
2434##} LIST_PRTL_SAME_USER
2435
2436##{ LIVEFILESTORE
2437
2438uri LIVEFILESTORE m~livefilestore.com/~
2439##} LIVEFILESTORE
2440
2441##{ LONG_HEX_URI
2442
2443meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024
2444describe LONG_HEX_URI Very long purely hexadecimal URI
2445#score LONG_HEX_URI 3.000 # limit
2446tflags LONG_HEX_URI publish
2447##} LONG_HEX_URI
2448
2449##{ LONG_IMG_URI
2450
2451meta LONG_IMG_URI __45_ALNUM_IMG && !ALL_TRUSTED && !__HAS_ERRORS_TO
2452describe LONG_IMG_URI Image URI with very long path component - web bug?
2453#score LONG_IMG_URI 3.000 # limit
2454tflags LONG_IMG_URI publish
2455##} LONG_IMG_URI
2456
2457##{ LONG_INVISIBLE_TEXT
2458
2459describe LONG_INVISIBLE_TEXT Long block of hidden text - bayes poison?
2460#score LONG_INVISIBLE_TEXT 3.000 # limit
2461tflags LONG_INVISIBLE_TEXT publish
2462##} LONG_INVISIBLE_TEXT
2463
2464##{ LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
2465
2466if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
2467 meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV
2468endif
2469##} LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
2470
2471##{ LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2472
2473if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2474 meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV || (__LONG_STY_INVIS && !__UNSUB_LINK && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__RCD_RDNS_MTA && !__RCD_RDNS_MTA_MESSY && !__MIME_QP && !__HAS_X_MAILER && !__REPTO_QUOTE && !__USING_VERP1 )
2475endif
2476##} LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2477
2478##{ LONG_TERM_PRICE
2479
2480body LONG_TERM_PRICE /long\W+term\W+(target|projected)(\W+price)?/i
2481##} LONG_TERM_PRICE
2482
2483##{ LOOPHOLE_1
2484
2485body LOOPHOLE_1 /loop-?hole in the banking/i
2486describe LOOPHOLE_1 A loop hole in the banking laws?
2487##} LOOPHOLE_1
2488
2489##{ LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
2490
2491if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
2492 meta LOTS_OF_MONEY 0
2493endif
2494##} LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
2495
2496##{ LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2497
2498ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2499 meta LOTS_OF_MONEY (__LOTSA_MONEY_00 || __LOTSA_MONEY_01 || __LOTSA_MONEY_02 || __LOTSA_MONEY_03 || __LOTSA_MONEY_04 || __LOTSA_MONEY_05) && !__TRAVEL_ITINERARY
2500 describe LOTS_OF_MONEY Huge... sums of money
2501# score LOTS_OF_MONEY 0.01
2502 tflags LOTS_OF_MONEY publish
2503endif
2504##} LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2505
2506##{ LOTTERY_1
2507
2508meta LOTTERY_1 (__DBLCLAIM && __CASHPRZ)
2509##} LOTTERY_1
2510
2511##{ LOTTERY_PH_004470
2512
2513meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY)
2514##} LOTTERY_PH_004470
2515
b780ea8d
SI		 2516##{ LUCRATIVE
2517
2518meta LUCRATIVE ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED
2519describe LUCRATIVE Make lots of money!
2520#score LUCRATIVE 2.00 # limit
2521tflags LUCRATIVE publish
2522##} LUCRATIVE
2523
2524##{ L_SPAM_TOOL_13
2525
2526header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/
2527##} L_SPAM_TOOL_13
2528
b780ea8d
SI		 2529##{ MALF_HTML_B64
2530
2531meta MALF_HTML_B64 MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG
2532describe MALF_HTML_B64 Malformatted base64-encoded HTML content
2533#score MALF_HTML_B64 3.500 # limit
2534tflags MALF_HTML_B64 publish
2535##} MALF_HTML_B64
2536
2537##{ MALWARE_NORDNS
2538
2539meta MALWARE_NORDNS __MALWARE_NORDNS && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01
2540describe MALWARE_NORDNS Malware bragging + no rDNS
2541#score MALWARE_NORDNS 3.500 # limit
2542tflags MALWARE_NORDNS publish
2543##} MALWARE_NORDNS
2544
2545##{ MALWARE_PASSWORD
2546
2547meta MALWARE_PASSWORD __MALWARE_PASSWORD && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01
2548describe MALWARE_PASSWORD Malware bragging + "password"
2549#score MALWARE_PASSWORD 3.500 # limit
2550tflags MALWARE_PASSWORD publish
2551##} MALWARE_PASSWORD
2552
2553##{ MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2554
2555ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2556 meta MALW_ATTACH __MALW_ATTACH && !__HAS_THREAD_INDEX
2557 describe MALW_ATTACH Attachment filename suspicious, probable malware exploit
2558 tflags MALW_ATTACH publish
2559endif
2560##} MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2561
b780ea8d
SI		 2562##{ MANY_SPAN_IN_TEXT
2563
2564meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML
2565describe MANY_SPAN_IN_TEXT Many <SPAN> tags embedded within text
2566tflags MANY_SPAN_IN_TEXT publish
2567##} MANY_SPAN_IN_TEXT
2568
b780ea8d
SI		 2569##{ MID_DEGREES
2570
2571header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
2572##} MID_DEGREES
2573
2574##{ MILLION_HUNDRED
2575
2576body MILLION_HUNDRED /Million\s+\S+\s+Hundred/i
2577describe MILLION_HUNDRED Million "One to Nine" Hundred
2578tflags MILLION_HUNDRED publish
2579##} MILLION_HUNDRED
2580
dfdd1e08
SI		 2581##{ MILLION_USD
2582
2583body MILLION_USD /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i
2584describe MILLION_USD Talks about millions of dollars
2585#score MILLION_USD 2
2586##} MILLION_USD
2587
b780ea8d
SI		 2588##{ MIMEOLE_DIRECT_TO_MX
2589
2590meta MIMEOLE_DIRECT_TO_MX __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS
2591describe MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX
2592#score MIMEOLE_DIRECT_TO_MX 2.000 # limit
2593tflags MIMEOLE_DIRECT_TO_MX publish
2594##} MIMEOLE_DIRECT_TO_MX
2595
2596##{ MIME_BOUND_EQ_REL
2597
2598header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s
2599##} MIME_BOUND_EQ_REL
2600
2601##{ MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2602
2603ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2604 meta MIME_NO_TEXT __MIME_NO_TEXT && !__BOUNCE_CTYPE && !__CT_ENCRYPTED && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__USER_AGENT_APPLEMAIL && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__HS_SUBJ_RE_FW && !__PDF_ATTACH && !__LCL__KAM_BODY_LENGTH_LT_128
2605# score MIME_NO_TEXT 2.00 # limit
2606 describe MIME_NO_TEXT No (properly identified) text body parts
2607 tflags MIME_NO_TEXT publish
2608endif
2609##} MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2610
2611##{ MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2612
2613ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2614 meta MIME_PHP_NO_TEXT (MIME_NO_TEXT && __PHP_MUA)
2615 describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP
2616endif
2617##} MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2618
2619##{ MIXED_AREA_CASE
2620
2621meta MIXED_AREA_CASE __MIXED_AREA_CASE
2622describe MIXED_AREA_CASE Has area tag in mixed case
2623#score MIXED_AREA_CASE 2.500 # limit
2624tflags MIXED_AREA_CASE publish
2625##} MIXED_AREA_CASE
2626
2627##{ MIXED_CENTER_CASE
2628
2629meta MIXED_CENTER_CASE __MIXED_CENTER_CASE
2630describe MIXED_CENTER_CASE Has center tag in mixed case
2631#score MIXED_CENTER_CASE 2.500 # limit
2632tflags MIXED_CENTER_CASE publish
2633##} MIXED_CENTER_CASE
2634
b780ea8d
SI		 2635##{ MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2636
2637if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
2638 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2639 meta MIXED_ES ( ! HTML_IMAGE_ONLY_16 ) && ( __LOWER_E > 20 ) && ( __E_LIKE_LETTER > ( (__LOWER_E * 14 ) / 10) ) && ( __E_LIKE_LETTER < ( 10 * __LOWER_E ) )
2640 describe MIXED_ES Too many es are not es
2641 tflags MIXED_ES publish
2642# lang pl score MIXED_ES 0.01
2643# lang cz score MIXED_ES 0.01
2644# lang sk score MIXED_ES 0.01
2645# lang hr score MIXED_ES 0.01
2646# lang el score MIXED_ES 0.01
2647endif
2648endif
2649##} MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
2650
2651##{ MIXED_FONT_CASE
2652
2653meta MIXED_FONT_CASE __MIXED_FONT_CASE
2654describe MIXED_FONT_CASE Has font tag in mixed case
2655#score MIXED_FONT_CASE 2.500 # limit
2656tflags MIXED_FONT_CASE publish
2657##} MIXED_FONT_CASE
2658
2659##{ MIXED_HREF_CASE
2660
2661meta MIXED_HREF_CASE __MIXED_HREF_CASE_JH
2662describe MIXED_HREF_CASE Has href in mixed case
2663#score MIXED_HREF_CASE 2.000 # limit
2664tflags MIXED_HREF_CASE publish
2665##} MIXED_HREF_CASE
2666
2667##{ MIXED_IMG_CASE
2668
2669meta MIXED_IMG_CASE __MIXED_IMG_CASE_JH && !__MSGID_JAVAMAIL
2670describe MIXED_IMG_CASE Has img tag in mixed case
2671#score MIXED_IMG_CASE 3.000 # limit
2672tflags MIXED_IMG_CASE publish
2673##} MIXED_IMG_CASE
2674
2675##{ MONERO_DEADLINE
2676
2677meta MONERO_DEADLINE __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01
2678describe MONERO_DEADLINE Monero cryptocurrency with a deadline
2679#score MONERO_DEADLINE 3.000 # limit
2680tflags MONERO_DEADLINE publish
2681##} MONERO_DEADLINE
2682
2683##{ MONERO_EXTORT_01
2684
2685meta MONERO_EXTORT_01 __MONERO && __EXTORT_MANY
2686describe MONERO_EXTORT_01 Extortion spam, pay via Monero cryptocurrency
2687#score MONERO_EXTORT_01 5.000 # limit
2688tflags MONERO_EXTORT_01 publish
2689##} MONERO_EXTORT_01
2690
2691##{ MONERO_MALWARE
2692
2693meta MONERO_MALWARE __MONERO && __MY_MALWARE && !MONERO_EXTORT_01
2694describe MONERO_MALWARE Monero cryptocurrency + malware bragging
2695#score MONERO_MALWARE 3.500 # limit
2696tflags MONERO_MALWARE publish
2697##} MONERO_MALWARE
2698
2699##{ MONERO_PAY_ME
2700
2701meta MONERO_PAY_ME __MONERO && __PAY_ME && !MONERO_EXTORT_01
2702describe MONERO_PAY_ME Pay me via Monero cryptocurrency
2703#score MONERO_PAY_ME 3.000 # limit
2704tflags MONERO_PAY_ME publish
2705##} MONERO_PAY_ME
2706
dfdd1e08
SI		 2707##{ MONEY_ATM_CARD
2708
2709meta MONEY_ATM_CARD __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE
2710describe MONEY_ATM_CARD Lots of money on an ATM card
2711##} MONEY_ATM_CARD
2712
b780ea8d
SI		 2713##{ MONEY_FORM
2714
2715meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP
2716describe MONEY_FORM Lots of money if you fill out a form
2717##} MONEY_FORM
2718
2719##{ MONEY_FORM_SHORT
2720
2721meta MONEY_FORM_SHORT __MONEY_FORM_SHORT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__THREADED && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__THREAD_INDEX_GOOD
2722describe MONEY_FORM_SHORT Lots of money if you fill out a short form
2723#score MONEY_FORM_SHORT 2.500 # limit
2724##} MONEY_FORM_SHORT
2725
2726##{ MONEY_FRAUD_3
2727
2728meta MONEY_FRAUD_3 (__MONEY_FRAUD_3 && !__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_3_NEW_MONEY) && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__IS_EXCH && !__VIA_ML && !__HAS_THREAD_INDEX && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__HTML_LINK_IMAGE && !__THREADED && !__DOS_BODY_THU && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
2729describe MONEY_FRAUD_3 Lots of money and several fraud phrases
2730tflags MONEY_FRAUD_3 publish
2731##} MONEY_FRAUD_3
2732
2733##{ MONEY_FRAUD_5
2734
2735meta MONEY_FRAUD_5 (__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_5_NEW_MONEY) && !__VIA_ML && !__HAS_THREAD_INDEX && !__COMMENT_EXISTS && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__URL_SHORTENER && !__TAG_EXISTS_STYLE
2736describe MONEY_FRAUD_5 Lots of money and many fraud phrases
2737tflags MONEY_FRAUD_5 publish
2738##} MONEY_FRAUD_5
2739
2740##{ MONEY_FRAUD_8
2741
2742meta MONEY_FRAUD_8 __MONEY_FRAUD_8 && !__VIA_ML && !__HAS_THREAD_INDEX && !__BUGGED_IMG
2743describe MONEY_FRAUD_8 Lots of money and very many fraud phrases
2744tflags MONEY_FRAUD_8 publish
2745##} MONEY_FRAUD_8
2746
2747##{ MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
2748
2749ifplugin Mail::SpamAssassin::Plugin::FreeMail
2750 meta MONEY_FREEMAIL_REPTO __MONEY_FREEMAIL_REPTO && !__HAS_CAMPAIGNID
2751 describe MONEY_FREEMAIL_REPTO Lots of money from someone using free email?
2752# score MONEY_FREEMAIL_REPTO 3.000 # limit
2753 tflags MONEY_FREEMAIL_REPTO publish
2754endif
2755##} MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
2756
fc5290a3
SI		 2757##{ MONEY_FROM_41
2758
2759meta MONEY_FROM_41 __MONEY_FROM_41
2760describe MONEY_FROM_41 Lots of money from Africa
2761#score MONEY_FROM_41 2.00 # limit
2762##} MONEY_FROM_41
2763
b780ea8d
SI		 2764##{ MONEY_FROM_MISSP
2765
2766meta MONEY_FROM_MISSP LOTS_OF_MONEY && __FROM_MISSPACED && !__MIME_QP
2767describe MONEY_FROM_MISSP Lots of money and misspaced From
2768#score MONEY_FROM_MISSP 2.000 # limit
2769##} MONEY_FROM_MISSP
2770
b780ea8d
SI		 2771##{ MSGID_DOLLARS_URI_IMG
2772
2773meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW
2774describe MSGID_DOLLARS_URI_IMG Suspicious Message-ID and image
2775#score MSGID_DOLLARS_URI_IMG 3.000 # limit
2776tflags MSGID_DOLLARS_URI_IMG publish
2777##} MSGID_DOLLARS_URI_IMG
2778
2779##{ MSGID_HDR_MALF
2780
2781meta MSGID_HDR_MALF __HAS_MESSAGEID
2782describe MSGID_HDR_MALF Has invalid message ID header
2783#score MSGID_HDR_MALF 3.500 # limit
2784tflags MSGID_HDR_MALF publish
2785##} MSGID_HDR_MALF
2786
2787##{ MSGID_MULTIPLE_AT
2788
2789header MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/
2790describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters
2791#score MSGID_MULTIPLE_AT 0.001
2792##} MSGID_MULTIPLE_AT
2793
b780ea8d
SI		 2794##{ MSMAIL_PRI_ABNORMAL
2795
2796meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER && !__HAS_UA && !__MSMAIL_PRI_HIGH
2797describe MSMAIL_PRI_ABNORMAL Email priority often abused
2798#score MSMAIL_PRI_ABNORMAL 1.500 # limit
2799##} MSMAIL_PRI_ABNORMAL
2800
2801##{ MSM_PRIO_REPTO
2802
2803meta MSM_PRIO_REPTO __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH
2804describe MSM_PRIO_REPTO MSMail priority header + Reply-to + short subject
2805#score MSM_PRIO_REPTO 2.500 # limit
2806tflags MSM_PRIO_REPTO publish
2807##} MSM_PRIO_REPTO
2808
2809##{ MSOE_MID_WRONG_CASE
2810
2811meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)
2812##} MSOE_MID_WRONG_CASE
2813
fc5290a3
SI		 2814##{ NAME_EMAIL_DIFF
2815
2816meta NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL
2817describe NAME_EMAIL_DIFF Sender NAME is an unrelated email address
2818##} NAME_EMAIL_DIFF
2819
b780ea8d
SI		 2820##{ NA_DOLLARS
2821
2822body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i
2823describe NA_DOLLARS Talks about a million North American dollars
2824#score NA_DOLLARS 1.5
2825##} NA_DOLLARS
2826
2827##{ NEWEGG_IMG_NOT_RCVD_NEGG
2828
2829meta NEWEGG_IMG_NOT_RCVD_NEGG __NEWEGG_IMG_NOT_RCVD_NEGG
2830#score NEWEGG_IMG_NOT_RCVD_NEGG 2.500 # limit
2831describe NEWEGG_IMG_NOT_RCVD_NEGG Newegg hosted image but message not from Newegg
2832tflags NEWEGG_IMG_NOT_RCVD_NEGG publish
2833##} NEWEGG_IMG_NOT_RCVD_NEGG
2834
31955ede
SI		 2835##{ NEW_PRODUCTS
2836
2837meta NEW_PRODUCTS __NEW_PRODUCTS && !__STY_INVIS_MANY
2838#score NEW_PRODUCTS 1.250 # limit
2839tflags NEW_PRODUCTS publish
2840##} NEW_PRODUCTS
2841
b780ea8d
SI		 2842##{ NICE_REPLY_A
2843
2844meta NICE_REPLY_A (__SUBJ_RE && !__MISSING_REPLY && !__MISSING_REF && __BOTH_INR_AND_REF)
2845describe NICE_REPLY_A Looks like a legit reply (A)
2846tflags NICE_REPLY_A nice
2847##} NICE_REPLY_A
2848
b780ea8d
SI		 2849##{ NOT_SPAM
2850
2851body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i
2852describe NOT_SPAM I'm not spam! Really! I'm not, I'm not, I'm not!
2853tflags NOT_SPAM publish
2854##} NOT_SPAM
2855
2856##{ NO_FM_NAME_IP_HOSTN
2857
2858meta NO_FM_NAME_IP_HOSTN (__KHOP_NO_FULL_NAME && __IP_IN_RELAY) && !__DOS_RELAYED_EXT
2859describe NO_FM_NAME_IP_HOSTN No From name + hostname using IP address
2860#score NO_FM_NAME_IP_HOSTN 2.500 # limit
2861tflags NO_FM_NAME_IP_HOSTN publish
2862##} NO_FM_NAME_IP_HOSTN
2863
2864##{ NSL_RCVD_FROM_USER
2865
2866header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
2867describe NSL_RCVD_FROM_USER Received from User
2868##} NSL_RCVD_FROM_USER
2869
2870##{ NSL_RCVD_HELO_USER
2871
2872header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
2873describe NSL_RCVD_HELO_USER Received from HELO User
2874##} NSL_RCVD_HELO_USER
2875
2876##{ NULL_IN_BODY
2877
2878full NULL_IN_BODY /\x00/
2879describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message
2880##} NULL_IN_BODY
2881
b780ea8d
SI		 2882##{ OBFU_BITCOIN
2883
2884meta OBFU_BITCOIN __OBFU_BITCOIN
2885describe OBFU_BITCOIN Obfuscated BitCoin references
2886#score OBFU_BITCOIN 3.000 # limit
2887tflags OBFU_BITCOIN publish
2888##} OBFU_BITCOIN
2889
2890##{ OBFU_JVSCR_ESC
2891
2892rawbody OBFU_JVSCR_ESC /document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i
2893describe OBFU_JVSCR_ESC Injects content using obfuscated javascript
2894tflags OBFU_JVSCR_ESC publish
2895##} OBFU_JVSCR_ESC
2896
2897##{ OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2898
2899ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2900 mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i
2901 describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type
2902 tflags OBFU_TEXT_ATTACH publish
2903endif
2904##} OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2905
2906##{ OBFU_UNSUB_UL
2907
2908meta OBFU_UNSUB_UL __OBFU_UNSUB_UL && !MAILING_LIST_MULTI
2909describe OBFU_UNSUB_UL Obfuscated unsubscribe text
2910tflags OBFU_UNSUB_UL publish
2911##} OBFU_UNSUB_UL
2912
2913##{ ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
2914
2915ifplugin Mail::SpamAssassin::Plugin::FreeMail
2916 meta ODD_FREEM_REPTO __freemail_mailreplyto
2917 describe ODD_FREEM_REPTO Has unusual reply-to header
2918# score ODD_FREEM_REPTO 3.000 # limit
2919 tflags ODD_FREEM_REPTO publish
2920endif
2921##} ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail
2922
b780ea8d
SI		 2923##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2924
2925ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2926meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F)
2927describe PART_CID_STOCK Has a spammy image attachment (by Content-ID)
2928endif
2929##} PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2930
2931##{ PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2932
2933ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2934meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS)
2935describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific)
2936endif
2937##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
2938
fc5290a3 2939##{ PDS_BRAND_SUBJ_NAKED_TO
dfdd1e08 2940
fc5290a3
SI		 2941meta PDS_BRAND_SUBJ_NAKED_TO __NAKED_TO && __PDS_TO_BRAND_SUBJECT && !MAILING_LIST_MULTI
2942describe PDS_BRAND_SUBJ_NAKED_TO Subject starts with To: brand and naked To:
2943#score PDS_BRAND_SUBJ_NAKED_TO 1.0
2944##} PDS_BRAND_SUBJ_NAKED_TO
dfdd1e08 2945
b780ea8d
SI		 2946##{ PDS_BTC_ID
2947
2948meta PDS_BTC_ID __PDS_BTC_ID
2949describe PDS_BTC_ID FP reduced Bitcoin ID
2950#score PDS_BTC_ID 0.5
2951##} PDS_BTC_ID
2952
2953##{ PDS_BTC_MSGID
2954
2955meta PDS_BTC_MSGID __PDS_BTC_ID && __MSGID_NOFQDN2
2956describe PDS_BTC_MSGID Bitcoin ID with T_MSGID_NOFQDN2
2957#score PDS_BTC_MSGID 1.0
2958##} PDS_BTC_MSGID
2959
2960##{ PDS_DBL_URL_TNB_RUNON
2961
2962meta PDS_DBL_URL_TNB_RUNON __TO_NO_BRKTS_FROM_RUNON && __PDS_DOUBLE_URL
2963describe PDS_DBL_URL_TNB_RUNON Double-url and To no arrows, from runon
2964#score PDS_DBL_URL_TNB_RUNON 2.0
2965##} PDS_DBL_URL_TNB_RUNON
2966
fc5290a3 2967##{ PDS_FRNOM_TODOM_DBL_URL
b780ea8d 2968
fc5290a3
SI		 2969meta PDS_FRNOM_TODOM_DBL_URL PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL
2970describe PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL
2971#score PDS_FRNOM_TODOM_DBL_URL 1.5
2972##} PDS_FRNOM_TODOM_DBL_URL
21dcadbf 2973
fc5290a3 2974##{ PDS_FRNOM_TODOM_NAKED_TO
21dcadbf 2975
fc5290a3
SI		 2976meta PDS_FRNOM_TODOM_NAKED_TO __NAKED_TO && PDS_FROM_NAME_TO_DOMAIN
2977describe PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain
2978#score PDS_FRNOM_TODOM_NAKED_TO 1.5
2979##} PDS_FRNOM_TODOM_NAKED_TO
2980
2981##{ PDS_FROM_NAME_TO_DOMAIN
2982
2983meta PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN
2984#score PDS_FROM_NAME_TO_DOMAIN 2.0
2985describe PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain
2986##} PDS_FROM_NAME_TO_DOMAIN
b780ea8d
SI		 2987
2988##{ PDS_HELO_SPF_FAIL
2989
2990meta PDS_HELO_SPF_FAIL SPF_HELO_FAIL && __HELO_HIGHPROFILE
2991describe PDS_HELO_SPF_FAIL High profile HELO that fails SPF
2992#score PDS_HELO_SPF_FAIL 2.0
2993tflags PDS_HELO_SPF_FAIL net
2994##} PDS_HELO_SPF_FAIL
2995
46cfc9e2
SI		 2996##{ PDS_RDNS_DYNAMIC_FP
2997
2998meta PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC && !__PDS_RDNS_MTA
2999#score PDS_RDNS_DYNAMIC_FP 0.01
3000describe PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC with FP steps
3001##} PDS_RDNS_DYNAMIC_FP
3002
b780ea8d
SI		 3003##{ PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
3004
3005meta PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE FREEMAIL_FORGED_REPLYTO && __PDS_TONAME_EQ_TOLOCAL
3006describe PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE Forged replyto and __PDS_TONAME_EQ_TOLOCAL
3007#score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 2.0 # limit
3008##} PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
3009
fc5290a3 3010##{ PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
21dcadbf 3011
fc5290a3
SI		 3012if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
3013 meta PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER
3014 describe PDS_TO_EQ_FROM_NAME From: name same as To: address
3015endif
3016##} PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
21dcadbf 3017
b780ea8d
SI		 3018##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3019
3020ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3021 meta PHISH_ATTACH (__PHISH_ATTACH_01_01 || __PHISH_ATTACH_01_02) && !__HAS_SENDER
3022 describe PHISH_ATTACH Attachment filename suspicious, probable phishing
3023 tflags PHISH_ATTACH publish
3024endif
3025##} PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3026
3027##{ PHISH_AZURE_CLOUDAPP
3028
3029uri PHISH_AZURE_CLOUDAPP m;^https?://(?=[^/]+\.cloudapp\.azure\.com)(?:(?:b(?:illetedecalle\.northeurope|urofaxnotificado\.eastus)|comprobante(?:digital\.southcentralus|fiscale\.eastus)|infracciondeestacionamiento(?:\.eastus|s\.ukwest)|multa(?:detrafico\.eastus|prev\.eastus|s\.(?:eastus|southcentralus))|notificadosburofax\.eastus|penadetransitomulta\.eastus))\.cloudapp\.azure\.com/;i
3030describe PHISH_AZURE_CLOUDAPP Link to known phishing web application
3031#score PHISH_AZURE_CLOUDAPP 3.500
3032tflags PHISH_AZURE_CLOUDAPP publish
3033##} PHISH_AZURE_CLOUDAPP
3034
3035##{ PHISH_FBASEAPP
3036
3037meta PHISH_FBASEAPP __PHISH_FBASE_01
3038describe PHISH_FBASEAPP Probable phishing via hosted web app
3039#score PHISH_FBASEAPP 3.000 # limit
3040tflags PHISH_FBASEAPP publish
3041##} PHISH_FBASEAPP
3042
b780ea8d
SI		 3043##{ PHP_NOVER_MUA
3044
3045describe PHP_NOVER_MUA Mail from PHP with no version number
3046#score PHP_NOVER_MUA 3.000 # limit
3047tflags PHP_NOVER_MUA publish
3048##} PHP_NOVER_MUA
3049
3050##{ PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)
3051
3052if !plugin(Mail::SpamAssassin::Plugin::DKIM)
3053 meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
3054endif
3055##} PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM)
3056
3057##{ PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM
3058
3059ifplugin Mail::SpamAssassin::Plugin::DKIM
3060 meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH
3061endif
3062##} PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM
3063
3064##{ PHP_ORIG_SCRIPT
3065
3066meta PHP_ORIG_SCRIPT __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO && !__MSGID_BEFORE_RECEIVED && !MSGID_FROM_MTA_HEADER
3067describe PHP_ORIG_SCRIPT Sent by bot & other signs
3068#score PHP_ORIG_SCRIPT 2.500 # limit
3069tflags PHP_ORIG_SCRIPT publish
3070##} PHP_ORIG_SCRIPT
3071
3072##{ PHP_SCRIPT
3073
3074meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT
3075describe PHP_SCRIPT Sent by PHP script
3076#score PHP_SCRIPT 2.500 # limit
3077tflags PHP_SCRIPT publish
3078##} PHP_SCRIPT
3079
3080##{ PHP_SCRIPT_MUA
3081
3082meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA
3083describe PHP_SCRIPT_MUA Sent by PHP script, no version number
3084#score PHP_SCRIPT_MUA 2.000 # limit
3085tflags PHP_SCRIPT_MUA publish
3086##} PHP_SCRIPT_MUA
3087
46cfc9e2
SI		 3088##{ POSSIBLE_APPLE_PHISH_02
3089
3090meta POSSIBLE_APPLE_PHISH_02 (__FROM_NAME_APPLECOM && !__HDR_RCVD_APPLE)
3091describe POSSIBLE_APPLE_PHISH_02 Claims to be from apple but not processed by any apple MTA
3092tflags POSSIBLE_APPLE_PHISH_02 publish
3093##} POSSIBLE_APPLE_PHISH_02
3094
3095##{ POSSIBLE_EBAY_PHISH_02
3096
3097meta POSSIBLE_EBAY_PHISH_02 (__FROM_NAME_EBAYCOM && !__HDR_RCVD_EBAY)
3098describe POSSIBLE_EBAY_PHISH_02 Claims to be from ebay but not processed by any ebay MTA
3099tflags POSSIBLE_EBAY_PHISH_02 publish
3100##} POSSIBLE_EBAY_PHISH_02
3101
3102##{ POSSIBLE_PAYPAL_PHISH_01
3103
3104meta POSSIBLE_PAYPAL_PHISH_01 (__FROM_NAME_PAYPALCOM && __NAME_EMAIL_DIFF)
3105describe POSSIBLE_PAYPAL_PHISH_01 Claims to be from paypal but has non-paypal from email address
3106tflags POSSIBLE_PAYPAL_PHISH_01 publish
3107##} POSSIBLE_PAYPAL_PHISH_01
3108
3109##{ POSSIBLE_PAYPAL_PHISH_02
3110
3111meta POSSIBLE_PAYPAL_PHISH_02 (__FROM_NAME_PAYPALCOM && !__HDR_RCVD_PAYPAL)
3112describe POSSIBLE_PAYPAL_PHISH_02 Claims to be from paypal but not processed by any paypal MTA
3113tflags POSSIBLE_PAYPAL_PHISH_02 publish
3114##} POSSIBLE_PAYPAL_PHISH_02
3115
b780ea8d
SI		 3116##{ PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
3117
3118ifplugin Mail::SpamAssassin::Plugin::MIMEEval
3119 if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
3120 body PP_MIME_FAKE_ASCII_TEXT eval:check_for_ascii_text_illegal()
3121 describe PP_MIME_FAKE_ASCII_TEXT MIME text/plain claims to be ASCII but isn't
3122# score PP_MIME_FAKE_ASCII_TEXT 1.0
3123 tflags PP_MIME_FAKE_ASCII_TEXT publish
3124endif
3125endif
3126##} PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal)
3127
3128##{ PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3129
3130ifplugin Mail::SpamAssassin::Plugin::MIMEEval
3131 if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3132 body PP_TOO_MUCH_UNICODE02 eval:check_abundant_unicode_ratio(0.02)
3133 describe PP_TOO_MUCH_UNICODE02 Is text/plain but has many unicode escapes
3134# score PP_TOO_MUCH_UNICODE02 0.5
3135 tflags PP_TOO_MUCH_UNICODE02 publish
3136endif
3137endif
3138##} PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3139
3140##{ PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3141
3142ifplugin Mail::SpamAssassin::Plugin::MIMEEval
3143 if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3144 body PP_TOO_MUCH_UNICODE05 eval:check_abundant_unicode_ratio(0.05)
3145 describe PP_TOO_MUCH_UNICODE05 Is text/plain but has many unicode escapes
3146# score PP_TOO_MUCH_UNICODE05 1.0
3147 tflags PP_TOO_MUCH_UNICODE05 publish
3148endif
3149endif
3150##} PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio)
3151
3152##{ PUMPDUMP
3153
3154meta PUMPDUMP (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI
3155describe PUMPDUMP Pump-and-dump stock scam phrase
3156#score PUMPDUMP 1.000 # limit
3157tflags PUMPDUMP publish
3158##} PUMPDUMP
3159
3160##{ PUMPDUMP_MULTI
3161
3162meta PUMPDUMP_MULTI (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1
3163describe PUMPDUMP_MULTI Pump-and-dump stock scam phrases
3164#score PUMPDUMP_MULTI 3.500 # limit
3165tflags PUMPDUMP_MULTI publish
3166##} PUMPDUMP_MULTI
3167
3168##{ PUMPDUMP_TIP
3169
3170meta PUMPDUMP_TIP __PD_CNT_1 && __STOCK_TIP
3171describe PUMPDUMP_TIP Pump-and-dump stock tip
3172tflags PUMPDUMP_TIP publish
3173##} PUMPDUMP_TIP
3174
3175##{ RAND_HEADER_LIST_SPOOF
3176
3177meta RAND_HEADER_LIST_SPOOF __RAND_HEADER && __LIST_PARTIAL
3178describe RAND_HEADER_LIST_SPOOF Random gibberish message header(s) + pretending to be a mailing list
3179#score RAND_HEADER_LIST_SPOOF 3.000 # limit
3180tflags RAND_HEADER_LIST_SPOOF publish
3181##} RAND_HEADER_LIST_SPOOF
3182
3183##{ RAND_HEADER_MANY
3184
3185meta RAND_HEADER_MANY __RAND_HEADER_2
3186describe RAND_HEADER_MANY Multiple random gibberish message headers
3187#score RAND_HEADER_MANY 3.000 # limit
3188tflags RAND_HEADER_MANY publish
3189##} RAND_HEADER_MANY
3190
3191##{ RAND_MKTG_HEADER
3192
3193meta RAND_MKTG_HEADER __RAND_MKTG_HEADER && !__HAVE_BOUNCE_RELAYS && !__HAS_THREAD_INDEX && !__HAS_X_MAILING_LIST
3194describe RAND_MKTG_HEADER Has partially-randomized marketing/tracking header(s)
3195#score RAND_MKTG_HEADER 2.000 # limit
3196tflags RAND_MKTG_HEADER publish
3197##} RAND_MKTG_HEADER
3198
3199##{ RATWARE_NO_RDNS
3200
3201meta RATWARE_NO_RDNS __RATWARE_BOUND_A && __RDNS_NONE && __MIME_HTML && __MISSING_REF
3202describe RATWARE_NO_RDNS Suspicious MsgID and MIME boundary + no rDNS
3203#score RATWARE_NO_RDNS 3.000 # limit
3204##} RATWARE_NO_RDNS
3205
3206##{ RCVD_BAD_ID
3207
3208header RCVD_BAD_ID Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*<=>?\@\[\]^\`{|}~]|;\S)/
3209describe RCVD_BAD_ID Received header contains id field with bad characters
3210##} RCVD_BAD_ID
3211
3212##{ RCVD_DBL_DQ
3213
3214header RCVD_DBL_DQ Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/
3215describe RCVD_DBL_DQ Malformatted message header
3216tflags RCVD_DBL_DQ publish
3217##} RCVD_DBL_DQ
3218
3219##{ RCVD_DOTEDU_SHORT
3220
46cfc9e2 3221meta RCVD_DOTEDU_SHORT __RCVD_DOTEDU_SHORT && !ALL_TRUSTED && !__FS_SUBJ_RE && !__HAS_LIST_ID
b780ea8d 3222describe RCVD_DOTEDU_SHORT Via .edu MTA + short message
46cfc9e2 3223#score RCVD_DOTEDU_SHORT 1.500 # limit
b780ea8d
SI		 3224tflags RCVD_DOTEDU_SHORT publish
3225##} RCVD_DOTEDU_SHORT
3226
3227##{ RCVD_DOTEDU_SUSP_URI
3228
3229meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI
3230describe RCVD_DOTEDU_SUSP_URI Via .edu MTA + suspicious URI
3231#score RCVD_DOTEDU_SUSP_URI 3.000 # limit
3232tflags RCVD_DOTEDU_SUSP_URI publish
3233##} RCVD_DOTEDU_SUSP_URI
3234
3235##{ RCVD_FORGED_WROTE
3236
3237header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/
3238describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
3239##} RCVD_FORGED_WROTE
3240
3241##{ RCVD_FORGED_WROTE2
3242
3243header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
3244##} RCVD_FORGED_WROTE2
3245
3246##{ RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
3247
3248ifplugin Mail::SpamAssassin::Plugin::DNSEval
3249header RCVD_IN_IADB_DK eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.3')
3250describe RCVD_IN_IADB_DK IADB: Sender publishes Domain Keys record
3251tflags RCVD_IN_IADB_DK net nice
3252endif
3253##} RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
3254
3255##{ RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3256
3257ifplugin Mail::SpamAssassin::Plugin::DNSEval
3258header RCVD_IN_IADB_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.10')
3259describe RCVD_IN_IADB_DOPTIN IADB: All mailing list mail is confirmed opt-in
3260tflags RCVD_IN_IADB_DOPTIN net nice
3261endif
3262##} RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3263
3264##{ RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3265
3266ifplugin Mail::SpamAssassin::Plugin::DNSEval
3267header RCVD_IN_IADB_DOPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.9')
3268describe RCVD_IN_IADB_DOPTIN_GT50 IADB: Confirmed opt-in used more than 50% of the time
3269tflags RCVD_IN_IADB_DOPTIN_GT50 net nice
3270endif
3271##} RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3272
3273##{ RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3274
3275ifplugin Mail::SpamAssassin::Plugin::DNSEval
3276header RCVD_IN_IADB_DOPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.8')
3277describe RCVD_IN_IADB_DOPTIN_LT50 IADB: Confirmed opt-in used less than 50% of the time
3278tflags RCVD_IN_IADB_DOPTIN_LT50 net nice
3279endif
3280##} RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3281
3282##{ RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval
3283
3284ifplugin Mail::SpamAssassin::Plugin::DNSEval
3285header RCVD_IN_IADB_EDDB eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.1')
3286describe RCVD_IN_IADB_EDDB IADB: Participates in Email Deliverability Database
3287tflags RCVD_IN_IADB_EDDB net nice
3288endif
3289##} RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval
3290
3291##{ RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval
3292
3293ifplugin Mail::SpamAssassin::Plugin::DNSEval
3294header RCVD_IN_IADB_EPIA eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.2')
3295describe RCVD_IN_IADB_EPIA IADB: Member of Email Processing Industry Alliance
3296tflags RCVD_IN_IADB_EPIA net nice
3297endif
3298##} RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval
3299
3300##{ RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3301
3302ifplugin Mail::SpamAssassin::Plugin::DNSEval
3303header RCVD_IN_IADB_GOODMAIL eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.103')
3304describe RCVD_IN_IADB_GOODMAIL IADB: Sender has been certified by GoodMail
3305tflags RCVD_IN_IADB_GOODMAIL net nice
3306endif
3307##} RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3308
3309##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
3310
3311ifplugin Mail::SpamAssassin::Plugin::DNSEval
3312header RCVD_IN_IADB_LISTED eval:check_rbl_sub('iadb-firsttrusted', '^127\.0\.0\.[12]$')
3313describe RCVD_IN_IADB_LISTED Participates in the IADB system
3314tflags RCVD_IN_IADB_LISTED net nice
3315endif
3316##} RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
3317
3318##{ RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval
3319
3320ifplugin Mail::SpamAssassin::Plugin::DNSEval
3321header RCVD_IN_IADB_LOOSE eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.4')
3322describe RCVD_IN_IADB_LOOSE IADB: Adds relationship addrs w/out opt-in
3323tflags RCVD_IN_IADB_LOOSE net nice
3324endif
3325##} RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval
3326
3327##{ RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3328
3329ifplugin Mail::SpamAssassin::Plugin::DNSEval
3330header RCVD_IN_IADB_MI_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.1.10')
3331describe RCVD_IN_IADB_MI_CPEAR IADB: Complies with Michigan's CPEAR law
3332tflags RCVD_IN_IADB_MI_CPEAR net nice
3333endif
3334##} RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3335
3336##{ RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3337
3338ifplugin Mail::SpamAssassin::Plugin::DNSEval
3339header RCVD_IN_IADB_MI_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.101.10')
3340describe RCVD_IN_IADB_MI_CPR_30 IADB: Checked lists against Michigan's CPR within 30 days
3341tflags RCVD_IN_IADB_MI_CPR_30 net nice
3342endif
3343##} RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3344
3345##{ RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3346
3347ifplugin Mail::SpamAssassin::Plugin::DNSEval
3348header RCVD_IN_IADB_MI_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.201.10')
3349describe RCVD_IN_IADB_MI_CPR_MAT IADB: Sends no material under Michigan's CPR
3350tflags RCVD_IN_IADB_MI_CPR_MAT net nice
3351endif
3352##} RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3353
3354##{ RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3355
3356ifplugin Mail::SpamAssassin::Plugin::DNSEval
3357header RCVD_IN_IADB_ML_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.100')
3358describe RCVD_IN_IADB_ML_DOPTIN IADB: Mailing list email only, confirmed opt-in
3359tflags RCVD_IN_IADB_ML_DOPTIN net nice
3360endif
3361##} RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3362
3363##{ RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3364
3365ifplugin Mail::SpamAssassin::Plugin::DNSEval
3366header RCVD_IN_IADB_NOCONTROL eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.0')
3367describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing controls in place
3368tflags RCVD_IN_IADB_NOCONTROL net nice
3369endif
3370##} RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval
3371
3372##{ RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval
3373
3374ifplugin Mail::SpamAssassin::Plugin::DNSEval
3375header RCVD_IN_IADB_OOO eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.200')
3376describe RCVD_IN_IADB_OOO IADB: One-to-one/transactional email only
3377tflags RCVD_IN_IADB_OOO net nice
3378endif
3379##} RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval
3380
3381##{ RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3382
3383ifplugin Mail::SpamAssassin::Plugin::DNSEval
3384header RCVD_IN_IADB_OPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.7')
3385describe RCVD_IN_IADB_OPTIN IADB: All mailing list mail is opt-in
3386tflags RCVD_IN_IADB_OPTIN net nice
3387endif
3388##} RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval
3389
3390##{ RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3391
3392ifplugin Mail::SpamAssassin::Plugin::DNSEval
3393header RCVD_IN_IADB_OPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.6')
3394describe RCVD_IN_IADB_OPTIN_GT50 IADB: Opt-in used more than 50% of the time
3395tflags RCVD_IN_IADB_OPTIN_GT50 net nice
3396endif
3397##} RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3398
3399##{ RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3400
3401ifplugin Mail::SpamAssassin::Plugin::DNSEval
3402header RCVD_IN_IADB_OPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.5')
3403describe RCVD_IN_IADB_OPTIN_LT50 IADB: Opt-in used less than 50% of the time
3404tflags RCVD_IN_IADB_OPTIN_LT50 net nice
3405endif
3406##} RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3407
3408##{ RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval
3409
3410ifplugin Mail::SpamAssassin::Plugin::DNSEval
3411header RCVD_IN_IADB_OPTOUTONLY eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.1')
3412describe RCVD_IN_IADB_OPTOUTONLY IADB: Scrapes addresses, pure opt-out only
3413tflags RCVD_IN_IADB_OPTOUTONLY net nice
3414endif
3415##} RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval
3416
3417##{ RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval
3418
3419ifplugin Mail::SpamAssassin::Plugin::DNSEval
3420header RCVD_IN_IADB_RDNS eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.4')
3421describe RCVD_IN_IADB_RDNS IADB: Sender has reverse DNS record
3422tflags RCVD_IN_IADB_RDNS net nice
3423endif
3424##} RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval
3425
3426##{ RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval
3427
3428ifplugin Mail::SpamAssassin::Plugin::DNSEval
3429header RCVD_IN_IADB_SENDERID eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.2')
3430describe RCVD_IN_IADB_SENDERID IADB: Sender publishes Sender ID record
3431tflags RCVD_IN_IADB_SENDERID net nice
3432endif
3433##} RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval
3434
3435##{ RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval
3436
3437ifplugin Mail::SpamAssassin::Plugin::DNSEval
3438header RCVD_IN_IADB_SPF eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.1')
3439describe RCVD_IN_IADB_SPF IADB: Sender publishes SPF record
3440tflags RCVD_IN_IADB_SPF net nice
3441endif
3442##} RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval
3443
3444##{ RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3445
3446ifplugin Mail::SpamAssassin::Plugin::DNSEval
3447header RCVD_IN_IADB_UNVERIFIED_1 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.2')
3448describe RCVD_IN_IADB_UNVERIFIED_1 IADB: Accepts unverified sign-ups
3449tflags RCVD_IN_IADB_UNVERIFIED_1 net nice
3450endif
3451##} RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3452
3453##{ RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3454
3455ifplugin Mail::SpamAssassin::Plugin::DNSEval
3456header RCVD_IN_IADB_UNVERIFIED_2 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.3')
3457describe RCVD_IN_IADB_UNVERIFIED_2 IADB: Accepts unverified sign-ups, gives chance to opt out
3458tflags RCVD_IN_IADB_UNVERIFIED_2 net nice
3459endif
3460##} RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3461
3462##{ RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3463
3464ifplugin Mail::SpamAssassin::Plugin::DNSEval
3465header RCVD_IN_IADB_UT_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.2.10')
3466describe RCVD_IN_IADB_UT_CPEAR IADB: Complies with Utah's CPEAR law
3467tflags RCVD_IN_IADB_UT_CPEAR net nice
3468endif
3469##} RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval
3470
3471##{ RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3472
3473ifplugin Mail::SpamAssassin::Plugin::DNSEval
3474header RCVD_IN_IADB_UT_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.102.10')
3475describe RCVD_IN_IADB_UT_CPR_30 IADB: Checked lists against Utah's CPR within 30 days
3476tflags RCVD_IN_IADB_UT_CPR_30 net nice
3477endif
3478##} RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval
3479
3480##{ RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3481
3482ifplugin Mail::SpamAssassin::Plugin::DNSEval
3483header RCVD_IN_IADB_UT_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.202.10')
3484describe RCVD_IN_IADB_UT_CPR_MAT IADB: Sends no material under Utah's CPR
3485tflags RCVD_IN_IADB_UT_CPR_MAT net nice
3486endif
3487##} RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval
3488
3489##{ RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
3490
3491ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
3492header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.')
3493describe RCVD_IN_PSBL Received via a relay in PSBL
3494tflags RCVD_IN_PSBL net
3495endif
3496##} RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
3497
3498##{ RCVD_MAIL_COM
3499
3500header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is
3501describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com)
3502##} RCVD_MAIL_COM
3503
3504##{ RDNS_LOCALHOST
3505
3506header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i
3507describe RDNS_LOCALHOST Sender's public rDNS is "localhost"
3508##} RDNS_LOCALHOST
3509
3510##{ RDNS_NUM_TLD_ATCHNX
3511
3512meta RDNS_NUM_TLD_ATCHNX __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT
3513describe RDNS_NUM_TLD_ATCHNX Relay rDNS has numeric TLD + suspicious attachment
3514#score RDNS_NUM_TLD_ATCHNX 3.000 # limit
3515tflags RDNS_NUM_TLD_ATCHNX publish
3516##} RDNS_NUM_TLD_ATCHNX
3517
3518##{ RDNS_NUM_TLD_XM
3519
3520meta RDNS_NUM_TLD_XM __RDNS_NUMERIC_TLD && (__HAS_XM_SID || __HAS_XM_LID || __HAS_XM_RECPTID || __HAS_XM_SENTBY)
3521describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious headers
3522#score RDNS_NUM_TLD_XM 3.000 # limit
3523tflags RDNS_NUM_TLD_XM publish
3524##} RDNS_NUM_TLD_XM
3525
fc5290a3
SI		 3526##{ READY_TO_SHIP
3527
3528body READY_TO_SHIP /(?:(?:in our (?:stock|warehouse|store|storage facility)(?: today| now| right away)?[.,:]\s|our (?:\w+,? ){2,8}(?:is |now )+)Ready (?:to (?:be )?|for )+(?:ship|send|deliver)|ready (?:for shipping|to (?:ship|send)) (?:(?:in|from|by) our (?:warehouse|stock|stor(?:e|age))|(?:to|for)(?: global(?:ly)?| worldwide| customers){2})|(?:(?:our|this|a|great|fine|wonderful|cool|popular) new product|we have(?: \w+){1,6} available|ready) in (?:our )?(?:warehouse|stock|stor(?:e|age))|just arrived in our (?:warehouse|stor(?:e|age))|we will (?:contact the (?:warehouse|logistics|store|storage(?: facility)) to )?arrange (?:the )?(?:shipment|delivery)|a new (?:\w+ ){1,3}in our (?:warehouse|storage)|this (?:new )?(?:merchandise|product|item) is (?:now )?(?:ready (?:to ship )?|available )(?:at|in|from) our (?:warehouse|stock|stor(?:e|age)))/i
3529#score READY_TO_SHIP 1.250 # limit
3530##} READY_TO_SHIP
3531
b780ea8d
SI		 3532##{ REPLYTO_WITHOUT_TO_CC
3533
3534meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS)
3535##} REPLYTO_WITHOUT_TO_CC
3536
3537##{ REPTO_419_FRAUD
3538
fc5290a3 3539header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:ibrahimtafa)\@abienceinvestmentsfze\.com|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:jessikasingh|lawmensa|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:jefferson)\@athenaeumbd\.com|(?:(?:bllphillips|desousafam05))\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:cbn)\@cbofficialmail\.cf|(?:2015(?:5765|648[48]))\@ce\.pucmm\.edu\.do|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:mundo_seguros)\@contorli\.site|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:brunoso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|i(?:lanasoloshneor|nfo90000)|joseramonjr1|mynewmission|r(?:e(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))|onconway)))\@daum\.net|(?:blythemasters)\@digitalassetholding\.org|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|facebook\.instructor|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|walter_anderson))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:juliairis)\@gmx\.net|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:christgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:bo_li)\@imgrantfunds\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|m(?:\.wood|ingmui0012)|offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:info)\@intarpol-int\.online|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|kateclough1|mriamchombo1968))\@mail\.com|(?:ayishagddafio?)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:managing\-director_schaefflergroup)\@mariaelisabeth\.gisb\.com\.my|(?:doo\.yusin)\@matherline-trade\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:lindsaytrembley)\@oimail\.com|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:info)\@onlinepch\.com|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:martinahrivnakova)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:(?:charitylisajohnrobinson700|leonardbain|stwrightsmaxinvestment))\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|garethbull808|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:msn)\@resrubini\.com|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:clory)\@technet\.it|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:info\.(?:clev\.frb|imfamerica)|policyaddmin\.file))\@usa\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:laprimitivaes)\@zohomail\.eu)$/i
b780ea8d
SI		 3540describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox
3541#score REPTO_419_FRAUD 3.000
3542tflags REPTO_419_FRAUD publish
3543##} REPTO_419_FRAUD
3544
3545##{ REPTO_419_FRAUD_AOL
3546
dfdd1e08 3547header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:brajjohn|f\.2[06]|ljaber111|meliageorge|nd(?:_bley|rew_hans)|rthur\.alan)|b(?:a(?:anidleewy|rr_luc)|claimdept)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|laimdept21|ristinabruno38|ustom_service58)|d(?:avid\.kms|hodgkins001|ianwaynie)|e(?:ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|isarobinson5\.0|orrainewirangee|ynnpage44)|m(?:_l\.wanczyk62|a(?:sayohara21|viswanczyk[do])|rs(?:isabelladzsesszika|janetedwards0001|safiagaddafi))|officework172|p(?:aulpollard2|otfolio\.management)|royalpalace2018|s(?:\.fofo|afiiagadafi|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|wattson\.renwick|yurdaaytarkan5))\@aol\.com$/i
b780ea8d
SI		 3548describe REPTO_419_FRAUD_AOL Reply-To is known advance fee fraud collector mailbox
3549#score REPTO_419_FRAUD_AOL 3.000
3550tflags REPTO_419_FRAUD_AOL publish
3551##} REPTO_419_FRAUD_AOL
3552
3553##{ REPTO_419_FRAUD_AOL_LOOSE
3554
3555meta REPTO_419_FRAUD_AOL_LOOSE __REPTO_419_FRAUD_AOL_LOOSE && !REPTO_419_FRAUD_AOL
3556describe REPTO_419_FRAUD_AOL_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
3557#score REPTO_419_FRAUD_AOL_LOOSE 1.000
3558tflags REPTO_419_FRAUD_AOL_LOOSE publish
3559##} REPTO_419_FRAUD_AOL_LOOSE
3560
3561##{ REPTO_419_FRAUD_CNS
3562
fc5290a3 3563header REPTO_419_FRAUD_CNS Reply-To:addr =~ /^(?=[^\s<>@]+\@consultant\.com)(?:(?:anthonyalvarad|davidhenri|lottomaxclaims7|morrisherb|pchonline|t(?:eo\.westin|he\.trustees1|rustees202000)|westernuniopayment\.agent0018))\@consultant\.com$/i
b780ea8d
SI		 3564describe REPTO_419_FRAUD_CNS Reply-To is known advance fee fraud collector mailbox
3565#score REPTO_419_FRAUD_CNS 3.000
3566tflags REPTO_419_FRAUD_CNS publish
3567##} REPTO_419_FRAUD_CNS
3568
3569##{ REPTO_419_FRAUD_GM
3570
fc5290a3 3571header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|7912richardtony|9porssts9|a(?:\.wafager1|b(?:d(?:97412345|u(?:kfahim|llahmundani019))|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976(?:algaddafi|gaddafi25)|gaddafiaam)|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|ure\.wawrenka1472)|m(?:bassadormarybethleonardl4|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:hony(?:alvaradollc|jblinken61)|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|ttohlawoffice\.tg|ustinbillmark9|w1614860|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|clarkephillips(?:2(?:02|4)|4[59])|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195))|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:a(?:pinolly|rtwrighttownhomesllc)|claimsa|elicerez|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavisdonation1))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|kaltschmidtmaureend|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|hsdevice|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick)|u(?:nsilva58|stinmoskovitz\.2facebook)|v\.metus)|e(?:benezero392|christina937|drunity|l(?:i(?:bethgomez(?:175|499)|sabethmaria600|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|p462558|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|iscamendoza960)|k(?:j(?:ane984|wangg)|linpiesie6)))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016))|b(?:528796|ill4880)|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|i(?:idp955|ocastano21)|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen)|h(?:a(?:r(?:gate2909|ryebert101)|s(?:h(?:imyreem78|mireem801)|sanalshujairy))|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321))|g(?:8669000|old8080)|i(?:ldad837|toshurui)|o(?:nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|bed627|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|ttcuckk)|gridrolle2)|rvinekim67|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esokoh82)|n(?:nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b(?:5406424|lsuntrust)|c2222222rrr|e(?:fferydean1960|nniannjhsonn|robtt)|josvu|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:athanhaskel377|hugo1964|monkssa)|seph(?:acevedo024|babatunde192|ichael41)|vannyanderson001|yce00011)|rawlings007|s4fernado|uliewatson975|w6935997)|k(?:a(?:dulinayulii(?:ia|a)|l(?:iaksandr5|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|rnkl1109|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|onidasresearch|rynne(?:0west99|west2289))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|nelink008|sa(?:milner001|robin117))|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran6(?:30|56)|uelfranco(?:727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26|tinesecurityusa)|kroth456|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|thewriaanza|u(?:hin52|noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt)|brons667|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|ss(?:\.(?:melisa\.mehmett|yasmineibrahim101)|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati)|nmalarge|oham(?:edabdul1717|m(?:daljililati1|edshamekh24))|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee)|cjames001|d517341|eric(?:franck|schmid4002)|hanimuhammad627|jamesmc6|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|olsenjanett|su(?:sanread12|zarawanmaling))|a(?:ishaalqadafi1976|ngela454)|catherineyokes|dominiquethomas7777|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|lleach)|lisamilner08|m(?:a(?:ureens847|yaoliver31)|ugan)|r(?:eem362|obinsanders185|uthsmith9900)|sarahbenjamin103|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|viktorzubkovv)|s(?:\.ellagolan56|agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffic(?:e(?:\.012123|rricherd876|windowterms)|ialserviceuae)|hallkenneth1|marinyandeng|nufoundationclaims|pcwkdw|xfaminternationa1980)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018))|b(?:ph202lay2|rookk0)|e(?:130304|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|olloke|r(?:imecapitalfianceltd|o1nvstream)|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymondaba200)|e(?:alyh596|beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|icha(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|josh200000|main2028|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ddicklana561|ssiaworldcuppromo))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid(?:09|7000))|nchoscozfifa|rfiafarfask7)|cott(?:henryjames91|peters7989)|e(?:cretservicce[78]|rgeantrobertbrown1)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler2009)|ery(?:\.gtl131|etr03)|inawatrathaksin93)|im(?:lkheng5|onhei47)|op(?:adam3|hiajesse41)|peelman1972|t(?:anleyjohn1469|e(?:phen(?:7tam|tam1(?:47|6))|venchamberonline))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:a(?:mmywebster24|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|erryparkins11|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:derleyen52|kponguko|marukareem8|n(?:claimedfunds554|itednation(?:organization70|s(?:8182|councilrefunds)))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|c5000dle|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iamsmartyrs888))|kfinancialservice|orldbankregionalmanageroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|o(?:ngkm00|usefzongo5722))|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i
b780ea8d
SI		 3572describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox
3573#score REPTO_419_FRAUD_GM 3.000
3574tflags REPTO_419_FRAUD_GM publish
3575##} REPTO_419_FRAUD_GM
3576
3577##{ REPTO_419_FRAUD_GM_LOOSE
3578
3579meta REPTO_419_FRAUD_GM_LOOSE __REPTO_419_FRAUD_GM_LOOSE && !REPTO_419_FRAUD_GM
3580describe REPTO_419_FRAUD_GM_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
3581#score REPTO_419_FRAUD_GM_LOOSE 1.000
3582tflags REPTO_419_FRAUD_GM_LOOSE publish
3583##} REPTO_419_FRAUD_GM_LOOSE
3584
3585##{ REPTO_419_FRAUD_HM
3586
fc5290a3 3587header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|licewalton7653|n(?:ikal01|nagray00)|zezul\.idrisazezulidris)|c(?:h(?:angxinjuan|oi21)|laytousey)|d(?:l13139|r\.dukanalycoulibaly)|egorbunova22|faxttransfer\.skyebk\.service\.care\.th|infos(?:43|8)|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|ulihongm)|mr(?:abrahambeniamfc|pedrohilldonations|s(?:\.chantal_bill|micheleallison2003))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|powen10001|quickcashloansservices|s(?:a(?:jda\.andleeb|nchamps798)|ulaimaninfante)|t(?:ashacap|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i
b780ea8d
SI		 3588describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox
3589#score REPTO_419_FRAUD_HM 3.000
3590tflags REPTO_419_FRAUD_HM publish
3591##} REPTO_419_FRAUD_HM
3592
3593##{ REPTO_419_FRAUD_OL
3594
21dcadbf 3595header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|b(?:rahamwilliamsonrpsltduk|s0000200)|lbertchebe|ndrewgamble7)|b(?:asidris|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|k(?:aujong|officollins)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:_elizabeth20|michelleallison|roseallen))|spvt2020)|philcohen0012|r(?:ichardwahlfreegrant|obertleeonly01)|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i
b780ea8d
SI		 3596describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox
3597#score REPTO_419_FRAUD_OL 3.000
3598tflags REPTO_419_FRAUD_OL publish
3599##} REPTO_419_FRAUD_OL
3600
3601##{ REPTO_419_FRAUD_PM
3602
dfdd1e08 3603header REPTO_419_FRAUD_PM Reply-To:addr =~ /^(?=[^\s<>@]+\@protonmail\.com)(?:(?:armstrong0244|berndkoch|davidmetus|euclaim|p(?:a(?:melagriffi|t\.nwankwo)|rotonydonation)|scottpeter012|the\.trustees1|v\.brianpierre|yihsbltan|ziraatbankasi))\@protonmail\.com$/i
b780ea8d
SI		 3604describe REPTO_419_FRAUD_PM Reply-To is known advance fee fraud collector mailbox
3605#score REPTO_419_FRAUD_PM 3.000
3606tflags REPTO_419_FRAUD_PM publish
3607##} REPTO_419_FRAUD_PM
3608
3609##{ REPTO_419_FRAUD_QQ
3610
31955ede 3611header REPTO_419_FRAUD_QQ Reply-To:addr =~ /^(?=[^\s<>@]+\@qq\.com)(?:(?:1731419584|2(?:032508290|3(?:72948239|89029403|97857528))|3523284224|akia\.j55|l\.valiant|peterwong20177|qatarfoundation01|wang_cjianlin))\@qq\.com$/i
b780ea8d
SI		 3612describe REPTO_419_FRAUD_QQ Reply-To is known advance fee fraud collector mailbox
3613#score REPTO_419_FRAUD_QQ 3.000
3614tflags REPTO_419_FRAUD_QQ publish
3615##} REPTO_419_FRAUD_QQ
3616
3617##{ REPTO_419_FRAUD_YH
3618
dfdd1e08 3619header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|ilmohammed11|lesiakalina2006|mbassador\.l|nnhester\.usa4)|b(?:a(?:che\.delfine|nk\.phbng14|rr\.thomasclark)|en(?:jaminb34|nicholas22)|illlawrenceee|riceangela45)|c(?:\.aroline90|abinet_maitre_emmanuel_patris|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|ontelamine|ythiamiller\.un10)|d(?:hamilton9099|r(?:_raymondfung|kobiorah|obiorahkenneth|victorobaji))|e(?:denvictor71|ricalbert24)|f(?:bicompensation_funds|ederal\.r73)|i(?:\.project33411|befranfgnfmf|nfomoney|project32411)|j(?:a(?:ckson\.davis915|netemoon150)|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:altschmidtdavid8|elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555)|o(?:an\.assist|rrainewirengee)|y_cheapiseth(?:11|2019))|m(?:\.kogi81|a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis4004|o(?:hammedaahil46|keye79)|rs(?:\.esthernicolas|isabella\.dzesszikan)|s\.gracie_olakun)|o(?:legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|o(?:bertbailey2004|serichard655))|s(?:amthong4040|igurlauganna34|leo25|opheap\.munny|pwalker101|te(?:fanopessina573|vecox\.98))|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|vanserge2001|will(?:clark0010|smi68)|xianglongdai60|zhaodonghk))\@yahoo\.com$/i
b780ea8d
SI		 3620describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox
3621#score REPTO_419_FRAUD_YH 3.000
3622tflags REPTO_419_FRAUD_YH publish
3623##} REPTO_419_FRAUD_YH
3624
3625##{ REPTO_419_FRAUD_YH_LOOSE
3626
3627meta REPTO_419_FRAUD_YH_LOOSE __REPTO_419_FRAUD_YH_LOOSE && !REPTO_419_FRAUD_YH
3628describe REPTO_419_FRAUD_YH_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox
3629#score REPTO_419_FRAUD_YH_LOOSE 1.000
3630tflags REPTO_419_FRAUD_YH_LOOSE publish
3631##} REPTO_419_FRAUD_YH_LOOSE
3632
3633##{ REPTO_419_FRAUD_YJ
3634
31955ede 3635header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|oneygram100|rs_chen_00001)|r(?:acheljude000|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i
b780ea8d
SI		 3636describe REPTO_419_FRAUD_YJ Reply-To is known advance fee fraud collector mailbox
3637#score REPTO_419_FRAUD_YJ 3.000
3638tflags REPTO_419_FRAUD_YJ publish
3639##} REPTO_419_FRAUD_YJ
3640
3641##{ REPTO_419_FRAUD_YN
3642
dfdd1e08 3643header REPTO_419_FRAUD_YN Reply-To:addr =~ /^(?=[^\s<>@]+\@yandex\.com)(?:(?:a(?:lhashimi123|m(?:andarandle|g3333txx101)|n(?:a\.mariposa|n(?:acooper2019|zainab))|wesome\.mariacarmen)|c(?:harles\.kable|lemlau)|de(?:edee\-paul|jongpeter|ptoversea)|f(?:3dex\.courier|ed\.r3v|reedommarketinvestments)|gadd4fi\.aisha|h(?:ashimireem|halesbbanddd?)|joseph\-scott2k5|l(?:es20sc|otointernational\.elgordo)|m(?:arcarmenguty|fdpm|r(?:\.kongkea|akram\.elkerrami|spercy))|p(?:aragonloansinc|rincedarren0244)|rich(?:ard\.wahl|lawands)|tresor\.mambo|w(?:b\.foundation|ill(?:1amsmarg1|iam(?:simon1960|wilbert1)))|za\.dc2016))\@yandex\.com$/i
b780ea8d
SI		 3644describe REPTO_419_FRAUD_YN Reply-To is known advance fee fraud collector mailbox
3645#score REPTO_419_FRAUD_YN 3.000
3646tflags REPTO_419_FRAUD_YN publish
3647##} REPTO_419_FRAUD_YN
3648
dfdd1e08
SI		 3649##{ REPTO_INFONUMSCOM
3650
3651meta REPTO_INFONUMSCOM __REPTO_INFONUMSCOM
3652#score REPTO_INFONUMSCOM 3.000 # limit
3653tflags REPTO_INFONUMSCOM publish
3654##} REPTO_INFONUMSCOM
3655
b780ea8d
SI		 3656##{ SB_GIF_AND_NO_URIS
3657
3658meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL)
3659##} SB_GIF_AND_NO_URIS
3660
fc5290a3 3661##{ SCC_BODY_SINGLE_WORD
dfdd1e08 3662
fc5290a3
SI		 3663meta SCC_BODY_SINGLE_WORD T_SCC_BODY_TEXT_LINE < 2 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1)
3664##} SCC_BODY_SINGLE_WORD
3665
3666##{ SCC_CANSPAM_1
3667
3668describe SCC_CANSPAM_1 Interesting compliance language
3669body SCC_CANSPAM_1 /The advertiser does not manage your subscription/
3670##} SCC_CANSPAM_1
3671
3672##{ SCC_CANSPAM_2
3673
3674describe SCC_CANSPAM_2 Interesting compliance language
3675body SCC_CANSPAM_2 /you may unsubscribe by clicking here or by writing to/
3676##} SCC_CANSPAM_2
dfdd1e08 3677
dfdd1e08
SI		 3678##{ SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3679
3680ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3681describe SCC_CTMPP Uncommon Content-Type
3682meta SCC_CTMPP __SCC_CTMPP
3683tflags SCC_CTMPP publish
3684endif
3685##} SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
3686
3687##{ SCC_ISEMM_LID_1
3688
3689describe SCC_ISEMM_LID_1 Fingerprint of a particular spammer using an old spamware
3690header SCC_ISEMM_LID_1 X-Mailer-LID =~ /54,55,56,58,53/
3691tflags SCC_ISEMM_LID_1 publish
3692#score SCC_ISEMM_LID_1 3.5
3693##} SCC_ISEMM_LID_1
3694
fc5290a3
SI		 3695##{ SCC_ISEMM_LID_1A
3696
3697describe SCC_ISEMM_LID_1A Fingerprint of a particular spammer using an old spamware
3698header SCC_ISEMM_LID_1A X-Mailer-LID =~ /54,55,56,/
3699tflags SCC_ISEMM_LID_1A publish
3700#score SCC_ISEMM_LID_1A 3.5
3701##} SCC_ISEMM_LID_1A
3702
dfdd1e08
SI		 3703##{ SCC_ISEMM_LID_1B
3704
3705describe SCC_ISEMM_LID_1B Genericized spammer fingerprint
3706header SCC_ISEMM_LID_1B X-Mailer-LID =~ /([56][0-9],)+/
3707tflags SCC_ISEMM_LID_1B publish
3708#score SCC_ISEMM_LID_1B 1.5
3709##} SCC_ISEMM_LID_1B
3710
fc5290a3
SI		 3711##{ SCC_SPAMMER_ADDR_2
3712
3713describe SCC_SPAMMER_ADDR_2 Fingerprint of a particular spammer
3714body SCC_SPAMMER_ADDR_2 /6130 W Flamingo Rd/
3715##} SCC_SPAMMER_ADDR_2
3716
dfdd1e08
SI		 3717##{ SCC_SPECIAL_GUID
3718
3719describe SCC_SPECIAL_GUID Unique in a similar way
3720rawbody SCC_SPECIAL_GUID /^([[:xdigit:]]{8})-([[:xdigit:]]{4})-([[:xdigit:]]{3})-\3-([[:xdigit:]]{12})$/m
3721tflags SCC_SPECIAL_GUID publish multiple maxhits=15
3722##} SCC_SPECIAL_GUID
46cfc9e2 3723
b780ea8d
SI		 3724##{ SENDGRID_REDIR
3725
3726meta SENDGRID_REDIR __SENDGRID_REDIR_NOPHISH && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION && !__STY_INVIS_MANY && !__HTML_SINGLET_10 && !__HAVE_BOUNCE_RELAYS
3727describe SENDGRID_REDIR Redirect URI via Sendgrid
3728#score SENDGRID_REDIR 1.500 # limit
3729tflags SENDGRID_REDIR publish
3730##} SENDGRID_REDIR
3731
3732##{ SENDGRID_REDIR_PHISH
3733
3734meta SENDGRID_REDIR_PHISH __SENDGRID_REDIR_PHISH
3735describe SENDGRID_REDIR_PHISH Redirect URI via Sendgrid + phishing signs
3736#score SENDGRID_REDIR_PHISH 3.500 # limit
3737tflags SENDGRID_REDIR_PHISH publish
3738##} SENDGRID_REDIR_PHISH
3739
3740##{ SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3741
3742if (version >= 3.004002)
3743ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3744meta SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1)
3745tflags SEO_SUSP_NTLD publish
3746describe SEO_SUSP_NTLD SEO offer from suspicious TLD
3747#score SEO_SUSP_NTLD 1.2 # limit
3748endif
3749endif
3750##} SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3751
fc5290a3
SI		 3752##{ SERGIO_SUBJECT_VIAGRA01
3753
3754header SERGIO_SUBJECT_VIAGRA01 Subject =~ /v[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9 ]{0,3}g[^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}a/i
3755describe SERGIO_SUBJECT_VIAGRA01 Viagra garbled subject
3756##} SERGIO_SUBJECT_VIAGRA01
3757
b780ea8d
SI		 3758##{ SHOPIFY_IMG_NOT_RCVD_SFY
3759
3760meta SHOPIFY_IMG_NOT_RCVD_SFY __SHOPIFY_IMG_NOT_RCVD_SFY && !MIME_QP_LONG_LINE && !__RCD_RDNS_MTA_MESSY && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_ORGANIZATION && !__RCD_RDNS_OB && !__DOS_LINK
3761#score SHOPIFY_IMG_NOT_RCVD_SFY 2.500 # limit
3762describe SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not from Shopify
3763tflags SHOPIFY_IMG_NOT_RCVD_SFY publish
3764##} SHOPIFY_IMG_NOT_RCVD_SFY
3765
3766##{ SHORTENER_SHORT_IMG
3767
3768meta SHORTENER_SHORT_IMG __URL_SHORTENER && HTML_SHORT_LINK_IMG_1
3769describe SHORTENER_SHORT_IMG Short HTML + image + URL shortener
3770#score SHORTENER_SHORT_IMG 2.500 # limit
3771tflags SHORTENER_SHORT_IMG publish
3772##} SHORTENER_SHORT_IMG
3773
b780ea8d
SI		 3774##{ SHORT_HELO_AND_INLINE_IMAGE
3775
3776meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)
3777describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
3778##} SHORT_HELO_AND_INLINE_IMAGE
3779
3780##{ SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3781
3782if (version >= 3.004002)
3783ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3784meta SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD
3785tflags SHORT_IMG_SUSP_NTLD publish
3786describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD
3787#score SHORT_IMG_SUSP_NTLD 1.5 # limit
3788endif
3789endif
3790##} SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
3791
b780ea8d
SI		 3792##{ SHORT_TERM_PRICE
3793
3794body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i
3795##} SHORT_TERM_PRICE
3796
b780ea8d
SI		 3797##{ SPAMMY_XMAILER
3798
3799meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4)
3800describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham
3801##} SPAMMY_XMAILER
3802
3803##{ SPOOFED_FREEMAIL
3804
3805meta SPOOFED_FREEMAIL __SPOOFED_FREEMAIL && !__HAS_IN_REPLY_TO && !__FS_SUBJ_RE && !__MSGID_GUID && !__freemail_safe && !__THREADED && !__HDRS_LCASE_KNOWN && !__HDR_RCVD_GOOGLE && !__HDR_RCVD_TONLINEDE
3806#score SPOOFED_FREEMAIL 2.000 # limit
3807tflags SPOOFED_FREEMAIL net
3808##} SPOOFED_FREEMAIL
3809
3810##{ SPOOFED_FREEMAIL_NO_RDNS
3811
3812meta SPOOFED_FREEMAIL_NO_RDNS __SPOOFED_FREEMAIL && __RDNS_NONE
3813describe SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
3814#score SPOOFED_FREEMAIL_NO_RDNS 1.5
3815##} SPOOFED_FREEMAIL_NO_RDNS
3816
3817##{ SPOOFED_FREEM_REPTO
3818
3819meta SPOOFED_FREEM_REPTO __SPOOFED_FREEM_REPTO && !__AC_TINY_FONT && !__HAS_IN_REPLY_TO && !__HAS_THREAD_INDEX
3820describe SPOOFED_FREEM_REPTO Forged freemail sender with freemail reply-to
3821#score SPOOFED_FREEM_REPTO 2.500
3822tflags SPOOFED_FREEM_REPTO net publish
3823##} SPOOFED_FREEM_REPTO
3824
3825##{ SPOOFED_FREEM_REPTO_CHN
3826
3827meta SPOOFED_FREEM_REPTO_CHN (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM
3828describe SPOOFED_FREEM_REPTO_CHN Forged freemail sender with Chinese freemail reply-to
3829#score SPOOFED_FREEM_REPTO_CHN 3.500
3830tflags SPOOFED_FREEM_REPTO_CHN net publish
3831##} SPOOFED_FREEM_REPTO_CHN
3832
3833##{ SPOOFED_FREEM_REPTO_RUS
3834
3835meta SPOOFED_FREEM_REPTO_RUS (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_RUS_FREEM
3836describe SPOOFED_FREEM_REPTO_RUS Forged freemail sender with Russian freemail reply-to
3837#score SPOOFED_FREEM_REPTO_RUS 3.500
3838tflags SPOOFED_FREEM_REPTO_RUS net publish
3839##} SPOOFED_FREEM_REPTO_RUS
3840
3841##{ SPOOF_GMAIL_MID
3842
46cfc9e2 3843meta SPOOF_GMAIL_MID SPOOFED_FREEMAIL && __PDS_SPOOF_GMAIL_MID
b780ea8d
SI		 3844#score SPOOF_GMAIL_MID 1.5
3845describe SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...
3846##} SPOOF_GMAIL_MID
3847
3848##{ STATIC_XPRIO_OLE
3849
3850meta STATIC_XPRIO_OLE __STATIC_XPRIO_OLE
3851describe STATIC_XPRIO_OLE Static RDNS + X-Priority + MIMEOLE
3852#score STATIC_XPRIO_OLE 2.000 # limit
3853tflags STATIC_XPRIO_OLE publish
3854##} STATIC_XPRIO_OLE
3855
3856##{ STOCK_IMG_CTYPE
3857
3858meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY)
3859describe STOCK_IMG_CTYPE Stock spam image part, with distinctive Content-Type header
3860##} STOCK_IMG_CTYPE
3861
3862##{ STOCK_IMG_HDR_FROM
3863
3864meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY)
3865describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line
3866##} STOCK_IMG_HDR_FROM
3867
3868##{ STOCK_IMG_HTML
3869
3870meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY)
3871describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML
3872##} STOCK_IMG_HTML
3873
3874##{ STOCK_IMG_OUTLOOK
3875
3876meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048)
3877describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features
3878##} STOCK_IMG_OUTLOOK
3879
b780ea8d
SI		 3880##{ STOCK_PRICES
3881
3882meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE)
3883##} STOCK_PRICES
3884
3885##{ STOCK_TIP
3886
3887meta STOCK_TIP __STOCK_TIP && !__DKIM_EXISTS
3888describe STOCK_TIP Stock tips
3889#score STOCK_TIP 3.000 # limit
3890tflags STOCK_TIP publish
3891##} STOCK_TIP
3892
3893##{ STOX_AND_PRICE
3894
3895meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE
3896##} STOX_AND_PRICE
3897
21dcadbf
SI		 3898##{ STOX_BOUND_090909_B
3899
3900header STOX_BOUND_090909_B Content-Type:raw =~ /;\n boundary=\"------------0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]\"$/s
3901##} STOX_BOUND_090909_B
3902
b780ea8d
SI		 3903##{ STOX_REPLY_TYPE
3904
3905header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/
3906##} STOX_REPLY_TYPE
3907
3908##{ STOX_REPLY_TYPE_WITHOUT_QUOTES
3909
3910meta STOX_REPLY_TYPE_WITHOUT_QUOTES (STOX_REPLY_TYPE && !(__HS_SUBJ_RE_FW || __HS_QUOTE))
3911##} STOX_REPLY_TYPE_WITHOUT_QUOTES
3912
3913##{ SUBJECT_NEEDS_ENCODING
3914
3915meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME
31955ede 3916describe SUBJECT_NEEDS_ENCODING Subject includes non-encoded illegal characters
b780ea8d
SI		 3917##} SUBJECT_NEEDS_ENCODING
3918
31955ede
SI		 3919##{ SUBJ_BRKN_WORDNUMS
3920
3921#score SUBJ_BRKN_WORDNUMS 1.500 # limit
3922describe SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers
3923##} SUBJ_BRKN_WORDNUMS
3924
3925##{ SUBJ_BRKN_WORDNUMS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
3926
3927if !plugin(Mail::SpamAssassin::Plugin::DKIM)
3928 meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS
3929endif
3930##} SUBJ_BRKN_WORDNUMS if !plugin(Mail::SpamAssassin::Plugin::DKIM)
3931
b780ea8d
SI		 3932##{ SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM
3933
3934ifplugin Mail::SpamAssassin::Plugin::DKIM
3935 meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER
b780ea8d
SI		 3936endif
3937##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM
3938
fc5290a3
SI		 3939##{ SUSP_UTF8_WORD_COMBO
3940
3941meta SUSP_UTF8_WORD_COMBO __4BYTE_UTF8_WORD && ( __LIST_PARTIAL || __RDNS_NONE || __CLICK_HERE || __PHPMAILER_MUA || __STY_INVIS_3 || __TO___LOWER || __MSGID_OK_DIGITS || __HTML_IMG_ONLY )
3942describe SUSP_UTF8_WORD_COMBO Words using only suspicious UTF-8 characters + other signs
3943#score SUSP_UTF8_WORD_COMBO 3.000 # limit
3944##} SUSP_UTF8_WORD_COMBO
3945
3946##{ SUSP_UTF8_WORD_FROM
3947
3948meta SUSP_UTF8_WORD_FROM __4BYTE_UTF8_WORD_FROM
3949describe SUSP_UTF8_WORD_FROM Word in From name using only suspicious UTF-8 characters
3950#score SUSP_UTF8_WORD_FROM 2.000 # limit
3951##} SUSP_UTF8_WORD_FROM
3952
3953##{ SUSP_UTF8_WORD_MANY
3954
3955meta SUSP_UTF8_WORD_MANY __4BYTE_UTF8_WORD_9
3956describe SUSP_UTF8_WORD_MANY Many words using only suspicious UTF-8 characters
3957#score SUSP_UTF8_WORD_MANY 3.000 # limit
3958##} SUSP_UTF8_WORD_MANY
3959
31955ede
SI		 3960##{ SUSP_UTF8_WORD_SUBJ
3961
3962meta SUSP_UTF8_WORD_SUBJ __4BYTE_UTF8_WORD_SUBJ
3963describe SUSP_UTF8_WORD_SUBJ Word in Subject using only suspicious UTF-8 characters
3964#score SUSP_UTF8_WORD_SUBJ 2.000 # limit
3965##} SUSP_UTF8_WORD_SUBJ
b780ea8d
SI		 3966
3967##{ SYSADMIN
3968
3969meta SYSADMIN __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS
3970describe SYSADMIN Supposedly from your IT department
3971#score SYSADMIN 3.500 # limit
3972tflags SYSADMIN publish
3973##} SYSADMIN
3974
46cfc9e2
SI		 3975##{ TAGSTAT_IMG_NOT_RCVD_TGST
3976
3977meta TAGSTAT_IMG_NOT_RCVD_TGST __TAGSTAT_IMG_NOT_RCVD_TGST
3978#score TAGSTAT_IMG_NOT_RCVD_TGST 2.000 # limit
3979describe TAGSTAT_IMG_NOT_RCVD_TGST Tagstat hosted image but message not from Tagstat
3980tflags TAGSTAT_IMG_NOT_RCVD_TGST publish
3981##} TAGSTAT_IMG_NOT_RCVD_TGST
3982
31955ede
SI		 3983##{ TARINGANET_IMG_NOT_RCVD_TN
3984
3985meta TARINGANET_IMG_NOT_RCVD_TN __TARINGANET_IMG_NOT_RCVD_TN
3986#score TARINGANET_IMG_NOT_RCVD_TN 2.000 # limit
3987describe TARINGANET_IMG_NOT_RCVD_TN media.taringa.net hosted image but message not from taringa.net
3988tflags TARINGANET_IMG_NOT_RCVD_TN publish
3989##} TARINGANET_IMG_NOT_RCVD_TN
3990
b780ea8d
SI		 3991##{ TBIRD_SUSP_MIME_BDRY
3992
3993meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z
3994describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary
3995##} TBIRD_SUSP_MIME_BDRY
3996
3997##{ TEQF_USR_IMAGE
3998
3999meta TEQF_USR_IMAGE __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH
4000describe TEQF_USR_IMAGE To and from user nearly same + image
4001tflags TEQF_USR_IMAGE publish
4002##} TEQF_USR_IMAGE
4003
4004##{ TEQF_USR_MSGID_HEX
4005
4006meta TEQF_USR_MSGID_HEX __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2
4007describe TEQF_USR_MSGID_HEX To and from user nearly same + unusual message ID
4008tflags TEQF_USR_MSGID_HEX publish
4009##} TEQF_USR_MSGID_HEX
4010
4011##{ TEQF_USR_MSGID_MALF
4012
4013meta TEQF_USR_MSGID_MALF __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2
4014describe TEQF_USR_MSGID_MALF To and from user nearly same + malformed message ID
4015tflags TEQF_USR_MSGID_MALF publish
4016##} TEQF_USR_MSGID_MALF
4017
4018##{ THEBAT_UNREG
4019
4020header THEBAT_UNREG X-Mailer =~ /^The Bat! .{0,20} UNREG$/
4021##} THEBAT_UNREG
4022
4023##{ THIS_AD
4024
4025meta THIS_AD __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD
4026describe THIS_AD "This ad" and variants
4027tflags THIS_AD publish
4028##} THIS_AD
4029
4030##{ THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4031
4032if (version >= 3.004002)
4033ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4034meta THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __ADMITS_SPAM
4035tflags THIS_IS_ADV_SUSP_NTLD publish
4036describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD
4037#score THIS_IS_ADV_SUSP_NTLD 1.5 # limit
4038endif
4039endif
4040##} THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4041
4042##{ TONLINE_FAKE_DKIM
4043
4044meta TONLINE_FAKE_DKIM __HDR_RCVD_TONLINEDE && __DKIM_EXISTS
4045describe TONLINE_FAKE_DKIM t-online.de doesn't do DKIM
4046#score TONLINE_FAKE_DKIM 3.000 # limit
4047tflags TONLINE_FAKE_DKIM publish
4048##} TONLINE_FAKE_DKIM
4049
b780ea8d
SI		 4050##{ TO_EQ_FM_DIRECT_MX
4051
4052meta TO_EQ_FM_DIRECT_MX __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED
4053describe TO_EQ_FM_DIRECT_MX To == From and direct-to-MX
4054#score TO_EQ_FM_DIRECT_MX 2.500 # limit
4055tflags TO_EQ_FM_DIRECT_MX publish
4056##} TO_EQ_FM_DIRECT_MX
4057
fc5290a3
SI		 4058##{ TO_EQ_FM_DOM_HTML_IMG
4059
4060meta TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD
4061describe TO_EQ_FM_DOM_HTML_IMG To domain == From domain and HTML image link
4062##} TO_EQ_FM_DOM_HTML_IMG
4063
b780ea8d
SI		 4064##{ TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4065
4066ifplugin Mail::SpamAssassin::Plugin::SPF
4067 meta TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
4068 describe TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed
4069 tflags TO_EQ_FM_DOM_SPF_FAIL net
4070endif
4071##} TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4072
b780ea8d
SI		 4073##{ TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4074
4075ifplugin Mail::SpamAssassin::Plugin::SPF
4076 meta TO_EQ_FM_SPF_FAIL __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED
4077 describe TO_EQ_FM_SPF_FAIL To == From and external SPF failed
4078 tflags TO_EQ_FM_SPF_FAIL net
4079endif
4080##} TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
4081
4082##{ TO_IN_SUBJ
4083
4084meta TO_IN_SUBJ __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW
4085describe TO_IN_SUBJ To address is in Subject
4086tflags TO_IN_SUBJ publish
4087#score TO_IN_SUBJ 0.1
4088##} TO_IN_SUBJ
4089
4090##{ TO_NAME_SUBJ_NO_RDNS
4091
4092meta TO_NAME_SUBJ_NO_RDNS LOCALPART_IN_SUBJECT && __RDNS_NONE
4093describe TO_NAME_SUBJ_NO_RDNS Recipient username in subject + no rDNS
4094#score TO_NAME_SUBJ_NO_RDNS 3.000 # limit
4095tflags TO_NAME_SUBJ_NO_RDNS publish
4096##} TO_NAME_SUBJ_NO_RDNS
4097
4098##{ TO_NO_BRKTS_FROM_MSSP
4099
4100meta TO_NO_BRKTS_FROM_MSSP __TO_NO_BRKTS_FROM_RUNON && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__TO___LOWER && !__BUGGED_IMG && !__SUBJECT_ENCODED_QP && !__VIA_ML && !__FR_SPACING_8 && !__TAG_EXISTS_CENTER && !__RCVD_ZIXMAIL && !__RP_MATCHES_RCVD && !__HAS_SENDER
4101#score TO_NO_BRKTS_FROM_MSSP 2.50 # max
4102describe TO_NO_BRKTS_FROM_MSSP Multiple header formatting problems
4103##} TO_NO_BRKTS_FROM_MSSP
4104
4105##{ TO_NO_BRKTS_HTML_IMG
4106
4107meta TO_NO_BRKTS_HTML_IMG __TO_NO_BRKTS_HTML_IMG && !__FM_TO_ALL_NUMS && !__FROM_FULL_NAME && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__HAS_SENDER && !__THREADED && !__LONGLINE
4108describe TO_NO_BRKTS_HTML_IMG To: lacks brackets and HTML and one image
4109#score TO_NO_BRKTS_HTML_IMG 2.000 # limit
4110tflags TO_NO_BRKTS_HTML_IMG publish
4111##} TO_NO_BRKTS_HTML_IMG
4112
4113##{ TO_NO_BRKTS_HTML_ONLY
4114
4115meta TO_NO_BRKTS_HTML_ONLY __TO_NO_BRKTS_HTML_ONLY && !RDNS_NONE && !__MIME_QP && !__MSGID_JAVAMAIL && !__CTYPE_CHARSET_QUOTED && !__SUBJECT_ENCODED_B64 && !__VIA_ML && !__MSGID_BEFORE_RECEIVED && !__MIME_BASE64 && !__RCD_RDNS_MAIL_MESSY && !__COMMENT_EXISTS && !LOTS_OF_MONEY && !__TAG_EXISTS_CENTER && !__UPPERCASE_URI && !__UNSUB_LINK && !__RCD_RDNS_MX_MESSY && !__DKIM_EXISTS && !__BUGGED_IMG && !__FM_TO_ALL_NUMS && !__URI_12LTRDOM && !__RDNS_NO_SUBDOM && !__HDRS_LCASE && !__LCL__ENV_AND_HDR_FROM_MATCH
4116#score TO_NO_BRKTS_HTML_ONLY 2.00 # limit
4117describe TO_NO_BRKTS_HTML_ONLY To: lacks brackets and HTML only
4118tflags TO_NO_BRKTS_HTML_ONLY publish
4119##} TO_NO_BRKTS_HTML_ONLY
4120
4121##{ TO_NO_BRKTS_MSFT
4122
4123meta TO_NO_BRKTS_MSFT __TO_NO_BRKTS_MSFT && !__VIA_ML && !__LYRIS_EZLM_REMAILER && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__UNSUB_LINK && !__NOT_SPOOFED && !__DOS_HAS_LIST_UNSUB && !__NAME_EQ_EMAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__HAS_THREAD_INDEX && !__HAS_X_REF && !__HAS_IN_REPLY_TO && !__FROM_ENCODED_QP && !__RP_MATCHES_RCVD
4124describe TO_NO_BRKTS_MSFT To: lacks brackets and supposed Microsoft tool
4125#score TO_NO_BRKTS_MSFT 2.50 # limit
4126##} TO_NO_BRKTS_MSFT
4127
4128##{ TO_NO_BRKTS_NORDNS_HTML
4129
4130meta TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_NORDNS_HTML && !ALL_TRUSTED && !__MSGID_JAVAMAIL && !__MSGID_BEFORE_RECEIVED && !__VIA_ML && !__UA_MUTT && !__COMMENT_EXISTS && !__HTML_LENGTH_384 && !__MIME_BASE64 && !__UPPERCASE_URI && !__TO___LOWER && !__TAG_EXISTS_CENTER && !__LONGLINE && !__DKIM_EXISTS
4131#score TO_NO_BRKTS_NORDNS_HTML 2.00 # limit
4132describe TO_NO_BRKTS_NORDNS_HTML To: lacks brackets and no rDNS and HTML only
4133tflags TO_NO_BRKTS_NORDNS_HTML publish
4134##} TO_NO_BRKTS_NORDNS_HTML
4135
4136##{ TO_NO_BRKTS_PCNT
4137
4138meta TO_NO_BRKTS_PCNT __TO_NO_BRKTS_PCNT && !__SUBJECT_ENCODED_B64 && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__ISO_2022_JP_DELIM && !__IMS_MSGID && !__THREAD_INDEX_GOOD && !__RCD_RDNS_MX_MESSY && !__UNSUB_LINK && !__LONGLINE && !URI_HEX && !__RP_MATCHES_RCVD && !__MAIL_LINK && !__BUGGED_IMG && !__MIME_QP && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_X_MAILER && !__HTML_LINK_IMAGE && !__SENDER_BOT && !__DKIM_EXISTS && !__KHOP_NO_FULL_NAME && !__THREADED
4139describe TO_NO_BRKTS_PCNT To: lacks brackets + percentage
4140#score TO_NO_BRKTS_PCNT 2.50 # limit
4141tflags TO_NO_BRKTS_PCNT publish
4142##} TO_NO_BRKTS_PCNT
4143
4144##{ TO_TOO_MANY_WFH_01
4145
4146meta TO_TOO_MANY_WFH_01 __TO_TOO_MANY_WFH_01
4147describe TO_TOO_MANY_WFH_01 Work-from-Home + many recipients
4148tflags TO_TOO_MANY_WFH_01 publish
4149##} TO_TOO_MANY_WFH_01
4150
b780ea8d
SI		 4151##{ TT_MSGID_TRUNC
4152
4153header TT_MSGID_TRUNC Message-Id =~ /^\s*<?[^<>\s]+\[\d+$/
4154describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits
4155##} TT_MSGID_TRUNC
4156
4157##{ TT_OBSCURED_VALIUM
4158
4159meta TT_OBSCURED_VALIUM ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM
4160describe TT_OBSCURED_VALIUM Scora: obscured "VALIUM" in subject
4161##} TT_OBSCURED_VALIUM
4162
4163##{ TT_OBSCURED_VIAGRA
4164
4165meta TT_OBSCURED_VIAGRA ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA
4166describe TT_OBSCURED_VIAGRA Scora: obscured "VIAGRA" in subject
4167##} TT_OBSCURED_VIAGRA
4168
4169##{ TVD_ACT_193
4170
4171body TVD_ACT_193 /\bact of (?:193|nineteen thirty)/i
4172describe TVD_ACT_193 Message refers to an act passed in the 1930s
4173##} TVD_ACT_193
4174
4175##{ TVD_APPROVED
4176
4177body TVD_APPROVED /you.{1,2}re .{0,20}approved/i
4178describe TVD_APPROVED Body states that the recipient has been approved
4179##} TVD_APPROVED
4180
4181##{ TVD_DEAR_HOMEOWNER
4182
4183body TVD_DEAR_HOMEOWNER /^dear homeowner/i
4184describe TVD_DEAR_HOMEOWNER Spam with generic salutation of "dear homeowner"
4185##} TVD_DEAR_HOMEOWNER
4186
4187##{ TVD_EB_PHISH
4188
4189meta TVD_EB_PHISH __FROM_EBAY && NORMAL_HTTP_TO_IP
4190##} TVD_EB_PHISH
4191
4192##{ TVD_ENVFROM_APOST
4193
4194header TVD_ENVFROM_APOST EnvelopeFrom =~ /\'/
4195describe TVD_ENVFROM_APOST Envelope From contains single-quote
4196##} TVD_ENVFROM_APOST
4197
4198##{ TVD_FINGER_02
4199
4200header TVD_FINGER_02 Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i
4201##} TVD_FINGER_02
4202
4203##{ TVD_FLOAT_GENERAL
4204
4205rawbody TVD_FLOAT_GENERAL /\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i
4206describe TVD_FLOAT_GENERAL Message uses CSS float style
4207##} TVD_FLOAT_GENERAL
4208
4209##{ TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4210
4211ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4212body TVD_FUZZY_DEGREE /<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i
4213describe TVD_FUZZY_DEGREE Obfuscation of the word "degree"
4214endif
4215##} TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4216
4217##{ TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4218
4219ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4220body TVD_FUZZY_FINANCE /(?!finance)<F><I><N><A><N><C><E>/i
4221describe TVD_FUZZY_FINANCE Obfuscation of the word "finance"
4222endif
4223##} TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4224
4225##{ TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4226
4227ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4228body TVD_FUZZY_FIXED_RATE /<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i
4229describe TVD_FUZZY_FIXED_RATE Obfuscation of the phrase "fixed rate"
4230endif
4231##} TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4232
4233##{ TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4234
4235ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4236body TVD_FUZZY_MICROCAP /<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i
4237describe TVD_FUZZY_MICROCAP Obfuscation of the word "micro-cap"
4238endif
4239##} TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4240
4241##{ TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4242
4243ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4244body TVD_FUZZY_PHARMACEUTICAL /<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i
4245describe TVD_FUZZY_PHARMACEUTICAL Obfuscation of the word "pharmaceutical"
4246endif
4247##} TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4248
4249##{ TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4250
4251ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4252body TVD_FUZZY_SYMBOL /<inter W2><post P2>(?!symboo?l)<S><Y><M><B><O><L>/i
4253describe TVD_FUZZY_SYMBOL Obfuscation of the word "symbol"
4254endif
4255##} TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4256
4257##{ TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4258
4259ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4260mimeheader TVD_FW_GRAPHIC_NAME_LONG Content-Type =~ /\bname="[a-z]{8,}\.gif/
4261describe TVD_FW_GRAPHIC_NAME_LONG Long image attachment name
4262endif
4263##} TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4264
4265##{ TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4266
4267ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4268mimeheader TVD_FW_GRAPHIC_NAME_MID Content-Type =~ /\bname="[a-z]{6,7}\.gif/
4269describe TVD_FW_GRAPHIC_NAME_MID Medium sized image attachment name
4270endif
4271##} TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4272
4273##{ TVD_INCREASE_SIZE
4274
4275body TVD_INCREASE_SIZE /\bsize of .{1,20}(?:penis|dick|manhood)/i
4276describe TVD_INCREASE_SIZE Advertising for penis enlargement
4277##} TVD_INCREASE_SIZE
4278
b780ea8d
SI		 4279##{ TVD_LINK_SAVE
4280
4281body TVD_LINK_SAVE /\blink to save\b/i
4282describe TVD_LINK_SAVE Spam with the text "link to save"
4283##} TVD_LINK_SAVE
4284
4285##{ TVD_PH_BODY_ACCOUNTS_PRE
4286
4287meta TVD_PH_BODY_ACCOUNTS_PRE __TVD_PH_BODY_ACCOUNTS_PRE
4288describe TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts suspended", "account credited", "account verification"
4289##} TVD_PH_BODY_ACCOUNTS_PRE
4290
4291##{ TVD_PH_REC
4292
4293body TVD_PH_REC /\byour .{0,40}account .{0,40}record/i
4294describe TVD_PH_REC Message includes a phrase commonly used in phishing mails
4295##} TVD_PH_REC
4296
4297##{ TVD_PH_SEC
4298
4299body TVD_PH_SEC /\byour .{0,40}account .{0,40}security/i
4300describe TVD_PH_SEC Message includes a phrase commonly used in phishing mails
4301##} TVD_PH_SEC
4302
4303##{ TVD_PP_PHISH
4304
4305meta TVD_PP_PHISH __FROM_PAYPAL && NORMAL_HTTP_TO_IP
4306##} TVD_PP_PHISH
4307
4308##{ TVD_QUAL_MEDS
4309
4310body TVD_QUAL_MEDS /\bquality med(?:ication)?s\b/i
4311describe TVD_QUAL_MEDS The body matches phrases such as "quality meds" or "quality medication"
4312##} TVD_QUAL_MEDS
4313
4314##{ TVD_RATWARE_CB
4315
4316header TVD_RATWARE_CB Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i
4317describe TVD_RATWARE_CB Content-Type header that is commonly indicative of ratware
4318##} TVD_RATWARE_CB
4319
4320##{ TVD_RATWARE_CB_2
4321
4322header TVD_RATWARE_CB_2 Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/
4323describe TVD_RATWARE_CB_2 Content-Type header that is commonly indicative of ratware
4324##} TVD_RATWARE_CB_2
4325
4326##{ TVD_RATWARE_MSGID_02
4327
4328header TVD_RATWARE_MSGID_02 Message-ID =~ /^[^<]*<[a-z]+\@/
4329describe TVD_RATWARE_MSGID_02 Ratware with a Message-ID header that is entirely lower-case
4330##} TVD_RATWARE_MSGID_02
4331
4332##{ TVD_RCVD_IP
4333
4334header TVD_RCVD_IP Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/
4335describe TVD_RCVD_IP Message was received from an IP address
4336##} TVD_RCVD_IP
4337
4338##{ TVD_RCVD_IP4
4339
4340header TVD_RCVD_IP4 Received =~ /^from\s+(?:\d+\.){3}\d+\s/
4341describe TVD_RCVD_IP4 Message was received from an IPv4 address
4342##} TVD_RCVD_IP4
4343
4344##{ TVD_RCVD_SPACE_BRACKET
4345
4346header TVD_RCVD_SPACE_BRACKET Received =~ /\(\[(?!unix)[^\[\]]*\s/i
4347##} TVD_RCVD_SPACE_BRACKET
4348
4349##{ TVD_SECTION
4350
4351body TVD_SECTION /\bSection (?:27A|21B)/i
4352describe TVD_SECTION References to specific legal codes
4353##} TVD_SECTION
4354
4355##{ TVD_SILLY_URI_OBFU
4356
4357body TVD_SILLY_URI_OBFU m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i
4358describe TVD_SILLY_URI_OBFU URI obfuscation that can fool a URIBL or a uri rule
4359##} TVD_SILLY_URI_OBFU
4360
4361##{ TVD_SPACED_SUBJECT_WORD3
4362
4363header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/
4364describe TVD_SPACED_SUBJECT_WORD3 Entire subject is "UPPERlowerUPPER" with no whitespace
4365##} TVD_SPACED_SUBJECT_WORD3
4366
fc5290a3
SI		 4367##{ TVD_SPACE_ENC_FM_MIME
4368
4369meta TVD_SPACE_ENC_FM_MIME __TVD_SPACE_ENCODED && __FROM_NEEDS_MIME && !__ISO_2022_JP_DELIM
4370#score TVD_SPACE_ENC_FM_MIME 2.000 # limit
4371describe TVD_SPACE_ENC_FM_MIME Space ratio & encoded subject & MIME needed
4372##} TVD_SPACE_ENC_FM_MIME
4373
b780ea8d
SI		 4374##{ TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval
4375
4376ifplugin Mail::SpamAssassin::Plugin::BodyEval
4377body TVD_STOCK1 eval:check_stock_info('2')
4378describe TVD_STOCK1 Spam related to stock trading
4379endif
4380##} TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval
4381
4382##{ TVD_SUBJ_ACC_NUM
4383
4384header TVD_SUBJ_ACC_NUM Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/
4385describe TVD_SUBJ_ACC_NUM Subject has spammy looking monetary reference
4386##} TVD_SUBJ_ACC_NUM
4387
4388##{ TVD_SUBJ_FINGER_03
4389
4390header TVD_SUBJ_FINGER_03 Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/
4391describe TVD_SUBJ_FINGER_03 Entire subject is enclosed in asterisks "* like so *"
4392##} TVD_SUBJ_FINGER_03
4393
b780ea8d
SI		 4394##{ TVD_SUBJ_OWE
4395
4396header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i
4397describe TVD_SUBJ_OWE Subject line states that the recipieint is in debt
4398##} TVD_SUBJ_OWE
4399
4400##{ TVD_SUBJ_WIPE_DEBT
4401
4402header TVD_SUBJ_WIPE_DEBT Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i
4403describe TVD_SUBJ_WIPE_DEBT Spam advertising a way to eliminate debt
4404##} TVD_SUBJ_WIPE_DEBT
4405
4406##{ TVD_VISIT_PHARMA
4407
4408body TVD_VISIT_PHARMA /Online Ph.rmacy/i
4409describe TVD_VISIT_PHARMA Body mentions online pharmacy
4410##} TVD_VISIT_PHARMA
4411
4412##{ TVD_VIS_HIDDEN
4413
4414rawbody TVD_VIS_HIDDEN /<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i
4415describe TVD_VIS_HIDDEN Invisible textarea HTML tags
4416##} TVD_VIS_HIDDEN
4417
4418##{ TW_GIBBERISH_MANY
4419
4420meta TW_GIBBERISH_MANY __TENWORD_GIBBERISH > 20
4421describe TW_GIBBERISH_MANY Lots of gibberish text to spoof pattern matching filters
4422#score TW_GIBBERISH_MANY 2.000 # limit
4423tflags TW_GIBBERISH_MANY publish
4424##} TW_GIBBERISH_MANY
4425
4426##{ T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4427
4428ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4429 meta T_ACH_CANCELLED_EXE __ACH_CANCELLED_EXE
4430 describe T_ACH_CANCELLED_EXE "ACH cancelled" probable malware
4431endif
4432##} T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4433
dfdd1e08
SI		 4434##{ T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4435
4436if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4437 meta T_ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON
4438 describe T_ANY_PILL_PRICE Prices for pills
4439endif
4440##} T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4441
b780ea8d
SI		 4442##{ T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4443
4444ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4445 mimeheader T_CDISP_SZ_MANY Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/
4446 describe T_CDISP_SZ_MANY Suspicious MIME header
4447# score T_CDISP_SZ_MANY 2.0 # limit
4448endif
4449##} T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4450
dfdd1e08
SI		 4451##{ T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4452
4453ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4454 meta T_CTYPE_NULL __CTYPE_NULL
4455 describe T_CTYPE_NULL Malformed Content-Type header
4456endif
4457##} T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4458
31955ede
SI		 4459##{ T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4460
4461ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4462header T_DATE_IN_FUTURE_96_Q eval:check_for_shifted_date('96', '2920')
4463describe T_DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: date
4464endif
4465##} T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval
4466
b780ea8d
SI		 4467##{ T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4468
4469ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4470 meta T_DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH_MT || __DOC_ATTACH_MT)
4471 describe T_DOC_ATTACH_NO_EXT Document attachment with suspicious name
4472endif
4473##} T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4474
4475##{ T_DOS_OUTLOOK_TO_MX_IMAGE
4476
4477meta T_DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
4478describe T_DOS_OUTLOOK_TO_MX_IMAGE Direct to MX with Outlook headers and an image
4479##} T_DOS_OUTLOOK_TO_MX_IMAGE
4480
4481##{ T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4482
4483ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4484 mimeheader T_DOS_ZIP_HARDCORE Content-Type =~ /^application\/zip;\sname="hardcore\.zip"$/
4485 describe T_DOS_ZIP_HARDCORE hardcore.zip file attached; quite certainly a virus
4486# score T_DOS_ZIP_HARDCORE 2.5
4487endif
4488##} T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4489
4490##{ T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4491
4492ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4493if (version >= 3.004000)
dfdd1e08 4494meta T_DRUGS_ERECTILE_SHORT_SHORTNER __PDS_HTML_LENGTH_1024 && __URL_SHORTENER && DRUGS_ERECTILE
b780ea8d
SI		 4495describe T_DRUGS_ERECTILE_SHORT_SHORTNER Short erectile drugs advert with T_URL_SHORTENER
4496#score T_DRUGS_ERECTILE_SHORT_SHORTNER 1.5 # limit
4497endif
4498endif
4499##} T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4500
4501##{ T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4502
4503ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4504 meta T_FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__SPOOFED_URL && !__VIA_ML && !__HAS_IN_REPLY_TO && !__THREADED && !__HDR_RCVD_SHOPIFY && !__HAS_ERRORS_TO
4505 describe T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s)
4506endif
4507##} T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4508
4509##{ T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4510
4511ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4512 meta T_FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE
4513 describe T_FILL_THIS_FORM_LOAN Answer loan question(s)
4514# score T_FILL_THIS_FORM_LOAN 2.0
4515endif
4516##} T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4517
4518##{ T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4519
4520ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4521 meta T_FILL_THIS_FORM_SHORT __FILL_THIS_FORM_SHORT && !__VIA_ML && !__MSGID_JAVAMAIL
4522 describe T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
4523# score T_FILL_THIS_FORM_SHORT 1.00 # limit
4524endif
4525##} T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4526
b780ea8d
SI		 4527##{ T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo
4528
4529ifplugin Mail::SpamAssassin::Plugin::ImageInfo
4530 meta T_FORGED_TBIRD_IMG_SIZE __FORGED_TBIRD_IMG && __ONE_IMG && __IMG_LE_300K
4531 describe T_FORGED_TBIRD_IMG_SIZE Likely forged Thunderbird image spam
4532endif
4533##} T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo
4534
4535##{ T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail
4536
4537ifplugin Mail::SpamAssassin::Plugin::FreeMail
4538 meta T_FREEMAIL_DOC_PDF __FREEMAIL_DOC_PDF
4539 describe T_FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail
4540endif
4541##} T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail
4542
dfdd1e08
SI		 4543##{ T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail
4544
4545ifplugin Mail::SpamAssassin::Plugin::FreeMail
4546 meta T_FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED
4547 describe T_FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden
4548endif
4549##} T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail
4550
b780ea8d
SI		 4551##{ T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail
4552
4553ifplugin Mail::SpamAssassin::Plugin::FreeMail
4554 meta T_FREEMAIL_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF
4555 describe T_FREEMAIL_RVW_ATTCH Please review attached document, from freemail
4556endif
4557##} T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail
4558
4559##{ T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4560
4561ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4562meta T_FROMNAME_EQUALS_TO __PLUGIN_FROMNAME_EQUALS_TO
4563describe T_FROMNAME_EQUALS_TO From:name matches To:
4564#score T_FROMNAME_EQUALS_TO 1.0
4565tflags T_FROMNAME_EQUALS_TO publish
4566endif
4567##} T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4568
4569##{ T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4570
4571ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4572meta T_FROMNAME_SPOOFED_EMAIL (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD)
4573describe T_FROMNAME_SPOOFED_EMAIL From:name looks like a spoofed email
4574#score T_FROMNAME_SPOOFED_EMAIL 0.3
4575tflags T_FROMNAME_SPOOFED_EMAIL publish
4576endif
4577##} T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4578
4579##{ T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4580
4581if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4582 meta T_FROM_MULTI_SHORT_IMG __FROM_MULTI_SHORT_IMG && !__RCD_RDNS_MX_MESSY
4583 describe T_FROM_MULTI_SHORT_IMG Multiple From addresses + short message with image
4584endif
4585##} T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4586
4587##{ T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4588
4589ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4590 body T_FUZZY_OPTOUT /(?:$|\W)(?=<O>)(?!opt[-\s]?out)<O><P><T>[-\s]?<O><U><T>(?:$|\W)/i
4591 describe T_FUZZY_OPTOUT Obfuscated opt-out text
4592endif
4593##} T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4594
4595##{ T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4596
4597ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4598body T_FUZZY_SPRM /<inter W1><post P2><S><P><U><R><M>/i
4599endif
4600##} T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4601
4602##{ T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4603
4604ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4605 meta T_FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
4606 describe T_FUZZY_WELLSFARGO Obfuscated "Wells Fargo"
4607endif
4608##} T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4609
4610##{ T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4611
4612ifplugin Mail::SpamAssassin::Plugin::FreeMail
4613 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4614 meta T_GB_FREEM_FROM_NOT_REPLY ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO )
4615 describe T_GB_FREEM_FROM_NOT_REPLY From: and Reply-To: have different freemail domains
4616# score T_GB_FREEM_FROM_NOT_REPLY 1.500 # limit
4617 tflags T_GB_FREEM_FROM_NOT_REPLY publish
4618endif
4619endif
4620##} T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4621
4622##{ T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4623
4624ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4625 meta T_GB_FROMNAME_SPOOFED_EMAIL_IP ( T_FROMNAME_SPOOFED_EMAIL && !__NOT_SPOOFED )
4626 describe T_GB_FROMNAME_SPOOFED_EMAIL_IP From:name looks like a spoofed email from a spoofed ip
4627# score T_GB_FROMNAME_SPOOFED_EMAIL_IP 0.50 # limit
4628 tflags T_GB_FROMNAME_SPOOFED_EMAIL_IP publish
4629endif
4630##} T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
4631
fc5290a3
SI		 4632##{ T_GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
4633
4634if (version >= 4.000000)
4635if can(Mail::SpamAssassin::Conf::feature_capture_rules)
4636 uri T_GB_STORAGE_GOOGLE_EMAIL m|^https?://storage\.cloud\.google\.com/.{4,128}\#%{GB_TO_ADDR}|i
4637 describe T_GB_STORAGE_GOOGLE_EMAIL Google storage cloud abuse
4638# score T_GB_STORAGE_GOOGLE_EMAIL 2.000 # limit
4639 tflags T_GB_STORAGE_GOOGLE_EMAIL publish
4640endif
4641endif
4642##} T_GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
4643
31955ede
SI		 4644##{ T_GB_WEBFORM ifplugin Mail::SpamAssassin::Plugin::FreeMail
4645
4646ifplugin Mail::SpamAssassin::Plugin::FreeMail
dfdd1e08 4647 meta T_GB_WEBFORM ( ( __XMAIL_CODEIGN || __XMAIL_PHPMAIL ) && __URL_SHORTENER && FREEMAIL_FROM )
31955ede
SI		 4648 describe T_GB_WEBFORM Webform with url shortener
4649# score T_GB_WEBFORM 1.500 # limit
4650endif
4651##} T_GB_WEBFORM ifplugin Mail::SpamAssassin::Plugin::FreeMail
4652
fc5290a3
SI		 4653##{ T_GB_YOUTUBE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
4654
4655if (version >= 4.000000)
4656if can(Mail::SpamAssassin::Conf::feature_capture_rules)
4657 uri T_GB_YOUTUBE_EMAIL m|^https?://(?:www\.)?youtube\.com/attribution_link\?.{20,256}/%{GB_TO_ADDR}|i
4658 describe T_GB_YOUTUBE_EMAIL Youtube attribution links abuse
4659# score T_GB_YOUTUBE_EMAIL 2.000 # limit
4660endif
4661endif
4662##} T_GB_YOUTUBE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
4663
4664##{ T_HDRS_LCASE
4665
4666describe T_HDRS_LCASE Odd capitalization of message header
4667#score T_HDRS_LCASE 0.10 # limit
4668##} T_HDRS_LCASE
4669
4670##{ T_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
4671
4672if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
4673 meta T_HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
4674endif
4675##} T_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
4676
4677##{ T_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
4678
4679ifplugin Mail::SpamAssassin::Plugin::FreeMail
4680 meta T_HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO
4681endif
4682##} T_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
4683
b780ea8d
SI		 4684##{ T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4685
4686ifplugin Mail::SpamAssassin::Plugin::FreeMail
4687if (version >= 3.004000)
4688 meta T_HK_NAME_FM_FROM __HK_NAME_FROM && FREEMAIL_FROM
4689# score T_HK_NAME_FM_FROM 1.5
4690endif
4691endif
4692##} T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4693
31955ede
SI		 4694##{ T_HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4695
4696ifplugin Mail::SpamAssassin::Plugin::FreeMail
4697if (version >= 3.004000)
4698 meta T_HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM
4699# score T_HK_NAME_FM_MR_MRS 1.5
4700endif
4701endif
4702##} T_HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4703
b780ea8d
SI		 4704##{ T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4705
4706ifplugin Mail::SpamAssassin::Plugin::FreeMail
4707if (version >= 3.004000)
4708 meta T_HK_NAME_FROM __HK_NAME_FROM && !FREEMAIL_FROM
4709# score T_HK_NAME_FROM 1.0
4710endif
4711endif
4712##} T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
4713
dfdd1e08
SI		 4714##{ T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4715
4716ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4717meta T_HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN
4718endif
4719##} T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4720
b780ea8d
SI		 4721##{ T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4722
4723ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4724 meta T_HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02
4725 describe T_HTML_ATTACH HTML attachment to bypass scanning?
4726endif
4727##} T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4728
fc5290a3
SI		 4729##{ T_HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4730
4731ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4732 meta T_HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY
4733 describe T_HTML_TAG_BALANCE_CENTER Malformatted HTML
4734endif
4735##} T_HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4736
b780ea8d
SI		 4737##{ T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4738
4739ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4740 meta T_ISO_ATTACH __ISO_ATTACH || __ISO_ATTACH_MT
4741 describe T_ISO_ATTACH ISO attachment - possible malware delivery
4742# score T_ISO_ATTACH 3.000 # limit
4743endif
4744##} T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4745
4746##{ T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4747
4748ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4749meta T_KAM_HTML_FONT_INVALID __KAM_HTML_FONT_INVALID
4750describe T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML
4751#score T_KAM_HTML_FONT_INVALID 0.1
4752endif
4753##} T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval
4754
4755##{ T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4756
4757if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4758 meta T_LARGE_PCT_AFTER_MANY __LARGE_PERCENT_AFTER > 3
4759 describe T_LARGE_PCT_AFTER_MANY Many large percentages after...
4760endif
4761##} T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4762
4763##{ T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4764
4765ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4766body T_LFUZ_PWRMALE /<inter W1><post P2><P><O><W><E><R><M><A><L><E>/i
4767endif
4768##} T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4769
fc5290a3
SI		 4770##{ T_LOTTO_AGENT
4771
4772meta T_LOTTO_AGENT __LOTTO_AGENT && !__HAS_IN_REPLY_TO && !__THREADED && !__TO_YOUR_ORG && !__DKIM_EXISTS && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT && !__HAS_ERRORS_TO && !__RP_MATCHES_RCVD
4773describe T_LOTTO_AGENT Claims Agent
4774#score T_LOTTO_AGENT 1.50 # limit
4775##} T_LOTTO_AGENT
4776
b780ea8d
SI		 4777##{ T_LOTTO_AGENT_FM
4778
4779header T_LOTTO_AGENT_FM From =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize[\s_.]transfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i
4780describe T_LOTTO_AGENT_FM Claims Agent
4781##} T_LOTTO_AGENT_FM
4782
4783##{ T_LOTTO_AGENT_RPLY
4784
4785meta T_LOTTO_AGENT_RPLY __LOTTO_AGENT_RPLY && !__TO_YOUR_ORG
4786describe T_LOTTO_AGENT_RPLY Claims Agent
4787##} T_LOTTO_AGENT_RPLY
4788
4789##{ T_LOTTO_URI
4790
4791uri T_LOTTO_URI /(?:claim(?:s|ing)?(?:[-_]?processing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)?[-_]?rem+it+ance|award)[-_]?(?:department|dept|unit|group|committee|office|agent|manager|secretary)/i
4792describe T_LOTTO_URI Claims Department URL
4793##} T_LOTTO_URI
4794
dfdd1e08
SI		 4795##{ T_MANY_HDRS_LCASE
4796
4797describe T_MANY_HDRS_LCASE Odd capitalization of multiple message headers
4798#score T_MANY_HDRS_LCASE 0.10 # limit
4799##} T_MANY_HDRS_LCASE
4800
4801##{ T_MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
4802
4803if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
4804 meta T_MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
4805endif
4806##} T_MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
4807
4808##{ T_MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
4809
4810ifplugin Mail::SpamAssassin::Plugin::FreeMail
4811 meta T_MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
4812endif
4813##} T_MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
4814
b780ea8d
SI		 4815##{ T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4816
4817if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4818 meta T_MANY_PILL_PRICE (__PILL_PRICE_01 + __PILL_PRICE_02) > 2
4819 describe T_MANY_PILL_PRICE Prices for many pills
4820endif
4821##} T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
4822
4823##{ T_MIME_MALF if (version >= 3.004000)
4824
4825if (version >= 3.004000)
4826 meta T_MIME_MALF __MIME_MALF && !ALL_TRUSTED
4827 describe T_MIME_MALF Malformed MIME: headers in body
4828# score T_MIME_MALF 2.00 # limit
4829endif
4830##} T_MIME_MALF if (version >= 3.004000)
4831
4832##{ T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4833
4834ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4835 meta T_MONEY_PERCENT LOTS_OF_MONEY && (__PCT_FOR_YOU || __PCT_OF_PMTS || __FIFTY_FIFTY)
4836 describe T_MONEY_PERCENT X% of a lot of money for you
4837endif
4838##} T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4839
4840##{ T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4841
4842ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4843 meta T_OBFU_ATTACH_MISSP __FROM_RUNON && (T_OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || T_OBFU_DOC_ATTACH || T_OBFU_PDF_ATTACH || T_OBFU_JPG_ATTACH || T_OBFU_GIF_ATTACH)
4844 describe T_OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From
4845endif
4846##} T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4847
4848##{ T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4849
4850ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4851 mimeheader T_OBFU_DOC_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i
4852 describe T_OBFU_DOC_ATTACH MS Document attachment with generic MIME type
4853endif
4854##} T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4855
4856##{ T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4857
4858ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4859 mimeheader T_OBFU_GIF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i
4860 describe T_OBFU_GIF_ATTACH GIF attachment with generic MIME type
4861endif
4862##} T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4863
4864##{ T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4865
4866ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
dfdd1e08 4867 mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.s?html?\b,i
b780ea8d
SI		 4868 describe T_OBFU_HTML_ATTACH HTML attachment with non-text MIME type
4869endif
4870##} T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4871
4872##{ T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4873
4874ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4875 meta T_OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02
4876 describe T_OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware
4877endif
4878##} T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4879
4880##{ T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4881
4882ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4883 mimeheader T_OBFU_JPG_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i
4884 describe T_OBFU_JPG_ATTACH JPG attachment with generic MIME type
4885endif
4886##} T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4887
4888##{ T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4889
4890ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4891 mimeheader T_OBFU_PDF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i
4892 describe T_OBFU_PDF_ATTACH PDF attachment with generic MIME type
4893endif
4894##} T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
4895
dfdd1e08
SI		 4896##{ T_OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4897
4898if (version >= 3.004002)
4899ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4900meta T_OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA
4901describe T_OFFER_ONLY_AMERICA Offer only available to US
4902#score T_OFFER_ONLY_AMERICA 2.0 # limit
4903endif
4904endif
4905##} T_OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4906
b780ea8d
SI		 4907##{ T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4908
4909ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4910 meta T_PDS_BTC_AHACKER ( __PDS_BTC_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON )
4911 describe T_PDS_BTC_AHACKER Bitcoin Hacker
4912# score T_PDS_BTC_AHACKER 3.0 # limit
4913endif
4914##} T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4915
4916##{ T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4917
4918ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4919 meta T_PDS_BTC_HACKER ( __PDS_BTC_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM )
4920 describe T_PDS_BTC_HACKER Bitcoin Hacker
4921# score T_PDS_BTC_HACKER 2.0 # limit
4922endif
4923##} T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4924
fc5290a3
SI		 4925##{ T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4926
4927if (version >= 3.004002)
4928ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4929meta T_PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD )
4930describe T_PDS_BTC_NTLD Bitcoin suspect NTLD
4931#score T_PDS_BTC_NTLD 2.0 # limit
4932endif
4933endif
4934##} T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4935
4936##{ T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4937
4938ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4939if (version >= 3.004000)
4940meta T_PDS_EMPTYSUBJ_URISHRT __URL_SHORTENER && __SUBJECT_EMPTY && __PDS_MSG_1024
4941describe T_PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener
4942#score T_PDS_EMPTYSUBJ_URISHRT 1.5 # limit
4943endif
4944endif
4945##} T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4946
b780ea8d
SI		 4947##{ T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4948
4949ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4950if (version >= 3.004000)
dfdd1e08 4951meta T_PDS_FREEMAIL_REPLYTO_URISHRT __URL_SHORTENER && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
b780ea8d
SI		 4952describe T_PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener
4953#score T_PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit
4954endif
4955endif
4956##} T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4957
21dcadbf 4958##{ T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
31955ede 4959
21dcadbf
SI		 4960if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
4961 meta T_PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__MSGID_JAVAMAIL && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__DKIM_EXISTS
4962 describe T_PDS_FROM_2_EMAILS From header has multiple different addresses
4963# score T_PDS_FROM_2_EMAILS 3.500 # limit
31955ede 4964endif
21dcadbf 4965##} T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
31955ede 4966
fc5290a3
SI		 4967##{ T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4968
4969ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4970if (version >= 3.004000)
4971meta T_PDS_FROM_2_EMAILS_SHRTNER __URL_SHORTENER && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY
4972describe T_PDS_FROM_2_EMAILS_SHRTNER From 2 emails short email with little more than a URI shortener
4973#score T_PDS_FROM_2_EMAILS_SHRTNER 1.5 # limit
4974endif
4975endif
4976##} T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4977
b780ea8d
SI		 4978##{ T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4979
4980ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4981 meta T_PDS_LTC_AHACKER ( __PDS_LITECOIN_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON )
4982 describe T_PDS_LTC_AHACKER Litecoin Hacker
4983# score T_PDS_LTC_AHACKER 3.0 # limit
4984endif
4985##} T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4986
4987##{ T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4988
4989ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4990 meta T_PDS_LTC_HACKER ( __PDS_LITECOIN_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM )
4991 describe T_PDS_LTC_HACKER Litecoin Hacker
4992# score T_PDS_LTC_HACKER 2.0 # limit
4993endif
4994##} T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
4995
fc5290a3
SI		 4996##{ T_PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
4997
4998ifplugin Mail::SpamAssassin::Plugin::WLBLEval
4999if (version >= 3.004000)
5000meta T_PDS_NO_FULL_NAME_SPOOFED_URL __PDS_MSG_1024 && __KHOP_NO_FULL_NAME && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER)
5001describe T_PDS_NO_FULL_NAME_SPOOFED_URL HTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME
5002#score T_PDS_NO_FULL_NAME_SPOOFED_URL 0.75 # limit
5003endif
5004endif
5005##} T_PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5006
21dcadbf
SI		 5007##{ T_PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5008
5009if (version >= 3.004002)
5010ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5011header T_PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD')
5012#score T_PDS_OTHER_BAD_TLD 2.0
5013describe T_PDS_OTHER_BAD_TLD Untrustworthy TLDs
5014endif
5015endif
5016##} T_PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5017
b780ea8d
SI		 5018##{ T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5019
5020if (version >= 3.004002)
5021ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5022header T_PDS_PRO_TLD eval:check_uri_host_listed('SUSP_URI_NTLD_PRO')
5023#score T_PDS_PRO_TLD 1.0
5024describe T_PDS_PRO_TLD .pro TLD
5025endif
5026endif
5027##} T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5028
5029##{ T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5030
5031ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5032if (version >= 3.004000)
dfdd1e08 5033meta T_PDS_SHORTFWD_URISHRT __URL_SHORTENER && (__THREADED || __HAS_IN_REPLY_TO || __HAS_THREAD_INDEX || __URI_MAILTO || __REPTO_QUOTE) && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
b780ea8d
SI		 5034describe T_PDS_SHORTFWD_URISHRT Threaded email with URI shortener
5035#score T_PDS_SHORTFWD_URISHRT 1.5 # limit
5036endif
5037endif
5038##} T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5039
31955ede
SI		 5040##{ T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5041
5042ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5043if (version >= 3.004000)
dfdd1e08 5044meta T_PDS_SHORTFWD_URISHRT_FP __URL_SHORTENER && __HS_SUBJ_RE_FW && __PDS_MSG_512
31955ede
SI		 5045describe T_PDS_SHORTFWD_URISHRT_FP Apparently a short fwd/re with URI shortener
5046#score T_PDS_SHORTFWD_URISHRT_FP 1.5 # limit
5047endif
5048endif
5049##} T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5050
5051##{ T_PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5052
5053ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5054if (version >= 3.004000)
dfdd1e08 5055meta T_PDS_SHORTFWD_URISHRT_QP __URL_SHORTENER && __HS_SUBJ_RE_FW && __T_PDS_MSG_512 && !T_PDS_SHORTFWD_URISHRT_FP
31955ede
SI		 5056describe T_PDS_SHORTFWD_URISHRT_QP Apparently a short fwd/re with URI shortener
5057#score T_PDS_SHORTFWD_URISHRT_QP 1.5 # limit
5058endif
5059endif
5060##} T_PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5061
fc5290a3 5062##{ T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
b780ea8d 5063
fc5290a3
SI		 5064ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5065if (version >= 3.004000)
5066meta T_PDS_SHORT_SPOOFED_URL __PDS_MSG_1024 && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER)
5067describe T_PDS_SHORT_SPOOFED_URL HTML message short and T_SPOOFED_URL (S_U_FP)
5068#score T_PDS_SHORT_SPOOFED_URL 2.0
b780ea8d 5069endif
fc5290a3
SI		 5070endif
5071##} T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5072
5073##{ T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5074
5075ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5076if (version >= 3.004000)
5077meta T_PDS_TINYSUBJ_URISHRT __URL_SHORTENER && __SUBJ_SHORT && __PDS_MSG_1024
5078describe T_PDS_TINYSUBJ_URISHRT Short subject with URL shortener
5079#score T_PDS_TINYSUBJ_URISHRT 1.5 # limit
5080endif
5081endif
5082##} T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
cabe596e
SI		 5083
5084##{ T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5085
5086ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5087if (version >= 3.004000)
dfdd1e08 5088meta T_PDS_URISHRT_LOCALPART_SUBJ LOCALPART_IN_SUBJECT && __URL_SHORTENER && __PDS_MSG_1024
cabe596e
SI		 5089describe T_PDS_URISHRT_LOCALPART_SUBJ Localpart of To in subject
5090#score T_PDS_URISHRT_LOCALPART_SUBJ 1.0
5091endif
5092endif
5093##} T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
b780ea8d 5094
dfdd1e08
SI		 5095##{ T_PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5096
5097if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5098 meta T_PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF
5099 describe T_PHOTO_EDITING_DIRECT Image editing service, direct to MX
5100# score T_PHOTO_EDITING_DIRECT 3.000 # limit
5101endif
5102##} T_PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5103
5104##{ T_PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
46cfc9e2 5105
dfdd1e08
SI		 5106if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5107 meta T_PHOTO_EDITING_FREEM __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto)
5108 describe T_PHOTO_EDITING_FREEM Image editing service, freemail or CHN replyto
5109# score T_PHOTO_EDITING_FREEM 3.750 # limit
5110endif
5111##} T_PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
46cfc9e2 5112
b780ea8d
SI		 5113##{ T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
5114
5115ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
5116 meta T_REMOTE_IMAGE __REMOTE_IMAGE
5117 describe T_REMOTE_IMAGE Message contains an external image
5118endif
5119##} T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
5120
fc5290a3
SI		 5121##{ T_SCC_BODY_TEXT_LINE
5122
5123meta T_SCC_BODY_TEXT_LINE __SCC_BODY_TEXT_LINE_FULL - __SCC_SUBJECT_HAS_NON_SPACE
5124tflags T_SCC_BODY_TEXT_LINE nice
5125##} T_SCC_BODY_TEXT_LINE
5126
5127##{ T_SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5128
5129ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5130meta T_SCC_BOGUS_CTE_1 __SCC_BOGUS_CTE_1
5131describe T_SCC_BOGUS_CTE_1 Bogus Content-Transfer-Encoding header
5132tflags T_SCC_BOGUS_CTE_1 publish
5133endif
5134##} T_SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5135
b780ea8d
SI		 5136##{ T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5137
5138if (version >= 3.004002)
5139ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5140meta T_SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR
5141describe T_SENT_TO_EMAIL_ADDR Email was sent to email address
5142#score T_SENT_TO_EMAIL_ADDR 2.0 # limit
5143endif
5144endif
5145##} T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5146
5147##{ T_SHARE_50_50
5148
5149meta T_SHARE_50_50 (__SHARE_IT || __AGREED_RATIO) && __FIFTY_FIFTY
5150describe T_SHARE_50_50 Share the money 50/50
5151##} T_SHARE_50_50
5152
fc5290a3
SI		 5153##{ T_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5154
5155ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5156if (version >= 3.004000)
5157meta T_SHORT_SHORTNER __PDS_MSG_512 && __URL_SHORTENER && !DRUGS_ERECTILE
5158describe T_SHORT_SHORTNER Short body with little more than a link to a shortener
5159#score T_SHORT_SHORTNER 2.0 # limit
5160endif
5161endif
5162##} T_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5163
b780ea8d
SI		 5164##{ T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5165
5166if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5167 meta T_STY_INVIS_DIRECT __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK
5168 describe T_STY_INVIS_DIRECT HTML hidden text + direct-to-MX
5169# score T_STY_INVIS_DIRECT 2.500 # limit
5170endif
5171##} T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5172
5173##{ T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5174
5175if (version >= 3.004002)
5176ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5177meta T_SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD
5178describe T_SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money
5179#score T_SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit
5180endif
5181endif
5182##} T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5183
5184##{ T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5185
5186ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5187if (version >= 3.004000)
5188meta T_TONOM_EQ_TOLOC_SHRT_PSHRTNER __PDS_SHORT_URL && __PDS_TONAME_EQ_TOLOCAL && __SUBJ_SHORT
5189describe T_TONOM_EQ_TOLOC_SHRT_PSHRTNER Short subject with potential shortener and To:name eq To:local
5190#score T_TONOM_EQ_TOLOC_SHRT_PSHRTNER 1.5 # limit
5191endif
5192endif
5193##} T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5194
fc5290a3
SI		 5195##{ T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5196
5197ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5198if (version >= 3.004000)
5199meta T_TONOM_EQ_TOLOC_SHRT_SHRTNER __URL_SHORTENER && __PDS_TONAME_EQ_TOLOCAL && __PDS_MSG_1024
5200describe T_TONOM_EQ_TOLOC_SHRT_SHRTNER Short email with shortener and To:name eq To:local
5201#score T_TONOM_EQ_TOLOC_SHRT_SHRTNER 1.5 # limit
5202endif
5203endif
5204##} T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5205
b780ea8d
SI		 5206##{ T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5207
5208ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5209body T_TVD_FUZZY_SECTOR /(?!sector)<S><E><C><T><O><R>/i
5210endif
5211##} T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5212
5213##{ T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5214
5215ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5216body T_TVD_FUZZY_SECURITIES /<inter W2><post P2>(?!securities)(?!security,? es)<S><E><C><U><R><I><T><I><E><S>/i
5217endif
5218##} T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
5219
5220##{ T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5221
5222ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5223mimeheader T_TVD_FW_GRAPHIC_ID2 Content-Id =~ /<(?:[0-9A-F]{8}\.){3}[0-9A-F]{8}/
5224endif
5225##} T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5226
5227##{ T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5228
5229ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5230body T_TVD_MIME_EPI eval:check_msg_parse_flags('mime_epilogue_exists')
5231endif
5232##} T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5233
5234##{ T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5235
5236ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5237body T_TVD_MIME_NO_HEADERS eval:check_msg_parse_flags('missing_mime_headers')
5238endif
5239##} T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval
5240
5241##{ T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5242
5243ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5244 meta T_WON_MONEY_ATTACH __YOU_WON && LOTS_OF_MONEY && (__PDF_ATTACH || __DOC_ATTACH)
5245 describe T_WON_MONEY_ATTACH You won lots of money! See attachment.
5246endif
5247##} T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5248
5249##{ T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5250
5251ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5252 meta T_WON_NBDY_ATTACH __YOU_WON && __EMPTY_BODY && (__PDF_ATTACH || __DOC_ATTACH || __GIF_ATTACH || __JPEG_ATTACH)
5253 describe T_WON_NBDY_ATTACH You won lots of money! See attachment.
5254endif
5255##} T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5256
fc5290a3
SI		 5257##{ T_XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5258
5259ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5260if (version >= 3.004000)
5261meta T_XPRIO_URL_SHORTNER __XPRIO_MINFP && __URL_SHORTENER
5262describe T_XPRIO_URL_SHORTNER X-Priority header and short URL
5263#score T_XPRIO_URL_SHORTNER 1.0 # limit
5264endif
5265endif
5266##} T_XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
5267
b780ea8d
SI		 5268##{ T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5269
5270if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5271 meta T_ZW_OBFU_BITCOIN __UNICODE_OBFU_ZW && __BITCOIN_ID
5272 describe T_ZW_OBFU_BITCOIN Obfuscated text + bitcoin ID - possible extortion
5273# score T_ZW_OBFU_BITCOIN 2.500 # limit
5274endif
5275##} T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5276
dfdd1e08
SI		 5277##{ T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5278
5279if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5280 meta T_ZW_OBFU_FREEM __UNICODE_OBFU_ZW && __freemail_hdr_replyto
5281 describe T_ZW_OBFU_FREEM Obfuscated text + freemail
5282# score T_ZW_OBFU_FREEM 2.000 # limit
5283endif
5284##} T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5285
b780ea8d
SI		 5286##{ T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5287
5288if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5289 meta T_ZW_OBFU_FROMTOSUBJ __UNICODE_OBFU_ZW && FROM_IN_TO_AND_SUBJ
5290 describe T_ZW_OBFU_FROMTOSUBJ Obfuscated text + from in to and subject
5291# score T_ZW_OBFU_FROMTOSUBJ 2.000 # limit
5292endif
5293##} T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5294
5295##{ UC_GIBBERISH_OBFU
5296
5297meta UC_GIBBERISH_OBFU (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED
5298describe UC_GIBBERISH_OBFU Multiple instances of "word VERYLONGGIBBERISH word"
5299#score UC_GIBBERISH_OBFU 3.000 # Limit
5300tflags UC_GIBBERISH_OBFU publish
5301##} UC_GIBBERISH_OBFU
5302
5303##{ UNDISC_FREEM
5304
5305meta UNDISC_FREEM __UNDISC_FREEM
5306describe UNDISC_FREEM Undisclosed recipients + freemail reply-to
5307tflags UNDISC_FREEM publish
5308##} UNDISC_FREEM
5309
5310##{ UNDISC_MONEY
5311
5312meta UNDISC_MONEY __UNDISC_MONEY && !__VIA_ML && !__MSGID_HEXISH
5313describe UNDISC_MONEY Undisclosed recipients + money/fraud signs
5314tflags UNDISC_MONEY publish
5315##} UNDISC_MONEY
5316
5317##{ UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5318
5319if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5320 meta UNICODE_OBFU_ASC __UNICODE_OBFU_ASC && !__SPAN_BEG_TEXT && !HTML_IMAGE_ONLY_32
5321 describe UNICODE_OBFU_ASC Obfuscating text with unicode
5322# score UNICODE_OBFU_ASC 2.500 # limit
5323 tflags UNICODE_OBFU_ASC publish
5324endif
5325##} UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5326
5327##{ UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5328
5329if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5330 meta UNICODE_OBFU_ZW __UNICODE_OBFU_ZW_2 && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL_MESSY && !__DOS_HAS_LIST_ID && !__USING_VERP1 && !__DOS_HAS_LIST_UNSUB && !__RCD_RDNS_SMTP && !__DKIM_EXISTS
5331 describe UNICODE_OBFU_ZW Obfuscating text with hidden characters
5332# score UNICODE_OBFU_ZW 3.500 # limit
5333 tflags UNICODE_OBFU_ZW publish
5334endif
5335##} UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5336
dfdd1e08
SI		 5337##{ UNSUB_GOOG_FORM
5338
5339meta UNSUB_GOOG_FORM __UNSUB_GOOG_FORM
5340describe UNSUB_GOOG_FORM Unsubscribe via Google Docs form
5341#score UNSUB_GOOG_FORM 2.500 # limit
5342tflags UNSUB_GOOG_FORM publish
5343##} UNSUB_GOOG_FORM
5344
b780ea8d
SI		 5345##{ URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
5346
5347ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
5348urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 2
5349body URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB')
5350describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
5351tflags URIBL_RHS_DOB net
5352endif
5353##} URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
5354
5355##{ URI_ADOBESPARK
5356
5357meta URI_ADOBESPARK __URI_ADOBESPARK
5358#score URI_ADOBESPARK 3.500 # limit
5359tflags URI_ADOBESPARK publish
5360##} URI_ADOBESPARK
5361
5362##{ URI_AZURE_CLOUDAPP
5363
5364meta URI_AZURE_CLOUDAPP __URI_AZURE_CLOUDAPP && __NAKED_TO && !__HDR_RCVD_GOOGLE
5365describe URI_AZURE_CLOUDAPP Link to hosted azure web application, possible phishing
5366#score URI_AZURE_CLOUDAPP 3.000 # limit
5367tflags URI_AZURE_CLOUDAPP publish
5368##} URI_AZURE_CLOUDAPP
5369
5370##{ URI_DASHGOVEDU
5371
5372meta URI_DASHGOVEDU __URI_DASHGOVEDU
5373describe URI_DASHGOVEDU Suspicious domain name
5374#score URI_DASHGOVEDU 3.500 # limit
5375tflags URI_DASHGOVEDU publish
5376##} URI_DASHGOVEDU
5377
5378##{ URI_DATA
5379
5380meta URI_DATA __URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH && !__DOS_HAS_LIST_UNSUB
5381describe URI_DATA "data:" URI - possible malware or phish
5382#score URI_DATA 3.250 # limit
5383tflags URI_DATA publish
5384##} URI_DATA
5385
b780ea8d
SI		 5386##{ URI_DOTEDU
5387
5388meta URI_DOTEDU __URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINK
5389describe URI_DOTEDU Has .edu URI
5390#score URI_DOTEDU 2.000 # limit
5391tflags URI_DOTEDU publish
5392##} URI_DOTEDU
5393
5394##{ URI_DOTEDU_ENTITY
5395
5396meta URI_DOTEDU_ENTITY __URI_DOTEDU_ENTITY && !__SUBSCRIPTION_INFO
5397describe URI_DOTEDU_ENTITY Via .edu MTA + suspicious HTML content
5398#score URI_DOTEDU_ENTITY 3.000 # limit
5399tflags URI_DOTEDU_ENTITY publish
5400##} URI_DOTEDU_ENTITY
5401
5402##{ URI_DOTTY_HEX
5403
5404meta URI_DOTTY_HEX __URI_DOTTY_HEX
5405describe URI_DOTTY_HEX Suspicious URI format
5406tflags URI_DOTTY_HEX publish
5407##} URI_DOTTY_HEX
5408
5409##{ URI_DQ_UNSUB
5410
5411meta URI_DQ_UNSUB __URI_DQ_UNSUB
5412describe URI_DQ_UNSUB IP-address unsubscribe URI
5413tflags URI_DQ_UNSUB publish
5414##} URI_DQ_UNSUB
5415
5416##{ URI_FIREBASEAPP
5417
5418meta URI_FIREBASEAPP __URI_FIREBASEAPP || __URI_WEBAPP
5419describe URI_FIREBASEAPP Link to hosted firebase web application, possible phishing
5420#score URI_FIREBASEAPP 3.000 # limit
5421tflags URI_FIREBASEAPP publish
5422##} URI_FIREBASEAPP
5423
5424##{ URI_GOOGLE_PROXY
5425
5426meta URI_GOOGLE_PROXY __URI_GOOGLE_PROXY && !__FSL_RELAY_GOOGLE && !__TO___LOWER && !__MSGID_OK_HEX && !__HAS_CAMPAIGNID
5427describe URI_GOOGLE_PROXY Accessing a blacklisted URI or obscuring source of phish via Google proxy?
5428tflags URI_GOOGLE_PROXY publish
5429##} URI_GOOGLE_PROXY
5430
5431##{ URI_GOOG_STO_SPAMMY
5432
fc5290a3 5433uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:1tactc1200|430bc3a2d98b15a0c58bf8df8f938d|5(?:a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|a(?:1discover|4301cda1e5c450bab01|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:liedtrust7?|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|sb50118|tividade|udio0254)|b(?:337276797de5b3|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:fbgverhg|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|ircaknee0|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4(?:mhoyal1r0|ome1owne1r)|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|otectsecurity)|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|coutstonenew|dfgwsd74fg|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|o(?:lbeam004|uthbeach(?:001|skin))|preader35|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|mobile0sur1vey|o(?:enailfungus|p(?:inal|ol(?:\-web|io29034)))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))/;i
b780ea8d
SI		 5434describe URI_GOOG_STO_SPAMMY Link to spammy content hosted by google storage
5435#score URI_GOOG_STO_SPAMMY 3.000
5436tflags URI_GOOG_STO_SPAMMY publish
5437##} URI_GOOG_STO_SPAMMY
5438
5439##{ URI_HEX_IP
5440
5441meta URI_HEX_IP __URI_HEX_IP
5442#score URI_HEX_IP 2.500 # limit
5443describe URI_HEX_IP URI with hex-encoded IP-address host
5444tflags URI_HEX_IP publish
5445##} URI_HEX_IP
5446
5447##{ URI_IMG_WP_REDIR
5448
5449meta URI_IMG_WP_REDIR __URI_IMG_WP_REDIR
5450#score URI_IMG_WP_REDIR 3.000 # limit
5451describe URI_IMG_WP_REDIR Image via WordPress "accelerator" proxy
5452tflags URI_IMG_WP_REDIR publish
5453##} URI_IMG_WP_REDIR
5454
5455##{ URI_LONG_REPEAT
5456
5457meta URI_LONG_REPEAT __URI_LONG_REPEAT
31955ede 5458describe URI_LONG_REPEAT Long identical host+domain
b780ea8d
SI		 5459#score URI_LONG_REPEAT 2.500 # limit
5460tflags URI_LONG_REPEAT publish
5461##} URI_LONG_REPEAT
5462
5463##{ URI_MALWARE_SCMS
5464
5465uri URI_MALWARE_SCMS /\.SettingContent-ms\b/i
5466describe URI_MALWARE_SCMS Link to malware exploit download (.SettingContent-ms file)
5467tflags URI_MALWARE_SCMS publish
5468##} URI_MALWARE_SCMS
5469
5470##{ URI_ONLY_MSGID_MALF
5471
5472 meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO && !RCVD_IN_DNSWL_LOW
5473 tflags URI_ONLY_MSGID_MALF net
5474 meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO
5475describe URI_ONLY_MSGID_MALF URI only + malformed message ID
5476#score URI_ONLY_MSGID_MALF 2.000 # limit
5477tflags URI_ONLY_MSGID_MALF publish
5478##} URI_ONLY_MSGID_MALF
5479
5480##{ URI_OPTOUT_3LD
5481
5482uri URI_OPTOUT_3LD m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i
5483describe URI_OPTOUT_3LD Opt-out URI, suspicious hostname
5484#score URI_OPTOUT_3LD 2.000 # limit
5485tflags URI_OPTOUT_3LD publish
5486##} URI_OPTOUT_3LD
5487
5488##{ URI_OPTOUT_USME
5489
5490uri URI_OPTOUT_USME m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i
5491describe URI_OPTOUT_USME Opt-out URI, unusual TLD
5492tflags URI_OPTOUT_USME publish
5493##} URI_OPTOUT_USME
5494
5495##{ URI_PHISH
5496
5497describe URI_PHISH Phishing using web form
5498#score URI_PHISH 4.00 # limit
5499tflags URI_PHISH publish
5500##} URI_PHISH
5501
5502##{ URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
5503
5504if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
5505 meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT
5506endif
5507##} URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
5508
5509##{ URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5510
5511ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5512 meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT
5513endif
5514##} URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
5515
5516##{ URI_PHP_REDIR
5517
5518meta URI_PHP_REDIR __URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTA
5519#score URI_PHP_REDIR 3.500 # limit
5520describe URI_PHP_REDIR PHP redirect to different URL (link obfuscation)
5521tflags URI_PHP_REDIR publish
5522##} URI_PHP_REDIR
5523
5524##{ URI_TRY_3LD
5525
dfdd1e08 5526meta URI_TRY_3LD __URI_TRY_3LD && !__HAS_ERRORS_TO && !__HDR_RCVD_ALIBABA && !__HDR_CASE_REVERSED && !__XM_EC_MESSENGER && !__CHARITY && !__URI_DOTEDU && !__HAS_X_REF && !__HDR_RCVD_APPLE
b780ea8d
SI		 5527describe URI_TRY_3LD "Try it" URI, suspicious hostname
5528#score URI_TRY_3LD 2.000 # limit
5529tflags URI_TRY_3LD publish
5530##} URI_TRY_3LD
5531
5532##{ URI_TRY_USME
5533
5534meta URI_TRY_USME __URI_TRY_USME && !__DKIM_EXISTS
5535describe URI_TRY_USME "Try it" URI, unusual TLD
cabe596e 5536#score URI_TRY_USME 2.000 # limit
b780ea8d
SI		 5537tflags URI_TRY_USME publish
5538##} URI_TRY_USME
5539
5540##{ URI_WPADMIN
5541
5542meta URI_WPADMIN __URI_WPADMIN
5543describe URI_WPADMIN WordPress login/admin URI, possible phishing
5544tflags URI_WPADMIN publish
5545##} URI_WPADMIN
5546
5547##{ URI_WP_DIRINDEX
5548
5549meta URI_WP_DIRINDEX __URI_WPDIRINDEX
5550describe URI_WP_DIRINDEX URI for compromised WordPress site, possible malware
5551#score URI_WP_DIRINDEX 3.500 # limit
5552tflags URI_WP_DIRINDEX publish
5553##} URI_WP_DIRINDEX
5554
5555##{ URI_WP_HACKED
5556
5557meta URI_WP_HACKED (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED
5558describe URI_WP_HACKED URI for compromised WordPress site, possible malware
5559#score URI_WP_HACKED 3.500 # limit
5560tflags URI_WP_HACKED publish
5561##} URI_WP_HACKED
5562
5563##{ URI_WP_HACKED_2
5564
5565meta URI_WP_HACKED_2 (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__HAS_LIST_ID && !__THREADED && !__USING_VERP1
5566describe URI_WP_HACKED_2 URI for compromised WordPress site, possible malware
5567#score URI_WP_HACKED_2 2.500 # limit
5568tflags URI_WP_HACKED_2 publish
5569##} URI_WP_HACKED_2
5570
5571##{ USB_DRIVES
5572
5573meta USB_DRIVES __SUBJ_USB_DRIVES
5574describe USB_DRIVES Trying to sell custom USB flash drives
5575#score USB_DRIVES 2.000 # limit
5576tflags USB_DRIVES publish
5577##} USB_DRIVES
5578
5579##{ VFY_ACCT_NORDNS
5580
5581meta VFY_ACCT_NORDNS __VFY_ACCT_NORDNS && !__STY_INVIS_MANY
5582describe VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA - probable phishing
5583#score VFY_ACCT_NORDNS 3.000 # limit
5584tflags VFY_ACCT_NORDNS publish
5585##} VFY_ACCT_NORDNS
5586
5587##{ VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5588
5589if (version >= 3.004002)
5590ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5591meta VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD
5592tflags VPS_NO_NTLD publish
5593describe VPS_NO_NTLD vps[0-9] domain at a suspiscious TLD
5594#score VPS_NO_NTLD 1.0 # limit
5595endif
5596endif
5597##} VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
5598
5599##{ WALMART_IMG_NOT_RCVD_WAL
5600
5601meta WALMART_IMG_NOT_RCVD_WAL __WALMART_IMG_NOT_RCVD_WAL && !__DKIM_EXISTS
5602#score WALMART_IMG_NOT_RCVD_WAL 2.500 # limit
5603describe WALMART_IMG_NOT_RCVD_WAL Walmart hosted image but message not from Walmart
5604tflags WALMART_IMG_NOT_RCVD_WAL publish
5605##} WALMART_IMG_NOT_RCVD_WAL
5606
b780ea8d
SI		 5607##{ WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5608
5609if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5610 meta WORD_INVIS __WORD_INVIS_MINFP && !WORD_INVIS_MANY
5611 describe WORD_INVIS A hidden word
5612# score WORD_INVIS 3.000 # limit
5613 tflags WORD_INVIS publish
5614endif
5615##} WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5616
5617##{ WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5618
5619if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5620 meta WORD_INVIS_MANY __WORD_INVIS_2
5621 describe WORD_INVIS_MANY Multiple individual hidden words
5622# score WORD_INVIS_MANY 3.000 # limit
5623 tflags WORD_INVIS_MANY publish
5624endif
5625##} WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
5626
b780ea8d
SI		 5627##{ XM_DIGITS_ONLY
5628
5629meta XM_DIGITS_ONLY __XM_DIGITS_ONLY
5630describe XM_DIGITS_ONLY X-Mailer malformed
5631#score XM_DIGITS_ONLY 3.000 # limit
5632tflags XM_DIGITS_ONLY publish
5633##} XM_DIGITS_ONLY
5634
b780ea8d
SI		 5635##{ XM_PHPMAILER_FORGED
5636
5637meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED
5638describe XM_PHPMAILER_FORGED Apparently forged header
5639tflags XM_PHPMAILER_FORGED publish
5640##} XM_PHPMAILER_FORGED
5641
5642##{ XM_RANDOM
5643
46cfc9e2 5644meta XM_RANDOM __XM_RANDOM && !__STY_INVIS_3 && !__HAS_IN_REPLY_TO && !__XM_UC_ONLY && !__XM_ASPQMAIL && !__XM_VERY_LONG
b780ea8d 5645describe XM_RANDOM X-Mailer apparently random
46cfc9e2 5646#score XM_RANDOM 2.500 # limit
b780ea8d
SI		 5647tflags XM_RANDOM publish
5648##} XM_RANDOM
5649
b780ea8d
SI		 5650##{ XPRIO
5651
5652describe XPRIO Has X-Priority header
5653#score XPRIO 2.250 # limit
5654tflags XPRIO publish
5655##} XPRIO
5656
5657##{ XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM)
5658
5659if !plugin(Mail::SpamAssassin::Plugin::DKIM)
5660 meta XPRIO __XPRIO_MINFP
5661endif
5662##} XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM)
5663
5664##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM
5665
5666ifplugin Mail::SpamAssassin::Plugin::DKIM
5667 tflags XPRIO net
5668endif
5669##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM
5670
5671##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF)
5672
5673ifplugin Mail::SpamAssassin::Plugin::DKIM
5674if !plugin(Mail::SpamAssassin::Plugin::SPF)
31955ede 5675 meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE
b780ea8d
SI		 5676endif
5677endif
5678##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF)
5679
5680##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF
5681
5682ifplugin Mail::SpamAssassin::Plugin::DKIM
5683 ifplugin Mail::SpamAssassin::Plugin::SPF
31955ede 5684 meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS
b780ea8d
SI		 5685endif
5686endif
5687##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF
5688
5689##{ XPRIO_SHORT_SUBJ
5690
5691meta XPRIO_SHORT_SUBJ __XPRIO_SHORT_SUBJ && !__MSM_PRIO_REPTO && !ALL_TRUSTED && !__DKIM_EXISTS && !__RELAY_THRU_WWW && !__CTYPE_HAS_BOUNDARY && !__RCD_RDNS_MTA && !__HAS_HREF
5692describe XPRIO_SHORT_SUBJ Has X Priority header + short subject
5693#score XPRIO_SHORT_SUBJ 2.500 # limit
5694tflags XPRIO_SHORT_SUBJ publish
5695##} XPRIO_SHORT_SUBJ
5696
b780ea8d
SI		 5697##{ X_MAILER_CME_6543_MSN
5698
5699header X_MAILER_CME_6543_MSN X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/
5700##} X_MAILER_CME_6543_MSN
5701
fc5290a3
SI		 5702##{ YOUR_PERMISSION
5703
5704meta YOUR_PERMISSION __YOUR_PERM && !__CTYPE_HAS_BOUNDARY && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__CT_TEXT_PLAIN && !__BUGGED_IMG && !__COMMENT_EXISTS
5705describe YOUR_PERMISSION With your permission...
5706##} YOUR_PERMISSION
5707
b780ea8d
SI		 5708##{ YOU_INHERIT
5709
5710meta YOU_INHERIT __YOU_INHERIT
5711describe YOU_INHERIT Discussing your inheritance
5712##} YOU_INHERIT
5713
5714##{ bayes_ignore_header_sandbox
5715
21dcadbf
SI		 5716bayes_ignore_header ARC-Authentication-Results
5717bayes_ignore_header ARC-Message-Signature
5718bayes_ignore_header ARC-Seal
5719bayes_ignore_header Authentication-Results
5720bayes_ignore_header Auto-Submitted
5721bayes_ignore_header Autocrypt
5722bayes_ignore_header CTCH-SenderID-TotalSpam
5723bayes_ignore_header IronPort-SDR
5724bayes_ignore_header List-Archive
5725bayes_ignore_header List-Help
5726bayes_ignore_header List-Id
5727bayes_ignore_header List-Post
5728bayes_ignore_header List-Subscribe
5729bayes_ignore_header List-Unsubscribe
5730bayes_ignore_header Mailing-List
5731bayes_ignore_header Precedence
5732bayes_ignore_header Received-SPF
5733bayes_ignore_header suggested_attachment_session_id
b780ea8d
SI		 5734bayes_ignore_header X-ACL-Warn
5735bayes_ignore_header X-Alimail-AntiSpam
5736bayes_ignore_header X-Amavis-Modified
5737bayes_ignore_header X-Anti-Spam
5738bayes_ignore_header X-Anti-Virus
5739bayes_ignore_header X-Anti-Virus-Version
5740bayes_ignore_header X-AntiAbuse
5741bayes_ignore_header X-Antispam
5742bayes_ignore_header X-Antivirus
5743bayes_ignore_header X-Antivirus-Code
5744bayes_ignore_header X-Antivirus-Status
5745bayes_ignore_header X-Antivirus-Version
5746bayes_ignore_header x-aol-global-disposition
5747bayes_ignore_header X-ASF-Spam-Status
5748bayes_ignore_header X-ASG-Debug-ID
5749bayes_ignore_header X-ASG-Orig-Subj
5750bayes_ignore_header X-ASG-Recipient-Whitelist
5751bayes_ignore_header X-ASG-Tag
5752bayes_ignore_header X-Assp-Version
21dcadbf 5753bayes_ignore_header X-Attachment-Id
b780ea8d
SI		 5754bayes_ignore_header X-Authority-Analysis
5755bayes_ignore_header X-Authvirus
5756bayes_ignore_header X-Auto-Response-Suppress
5757bayes_ignore_header X-AV-Do-Run
5758bayes_ignore_header X-AV-Status
5759bayes_ignore_header x-avast-antispam
5760bayes_ignore_header X-Backend
5761bayes_ignore_header X-Barracuda-Apparent-Source-IP
5762bayes_ignore_header X-Barracuda-Bayes
5763bayes_ignore_header X-Barracuda-BBL-IP
5764bayes_ignore_header X-Barracuda-BRTS-Status
5765bayes_ignore_header X-Barracuda-BRTS-URL-Found
5766bayes_ignore_header X-Barracuda-Connect
5767bayes_ignore_header X-Barracuda-Encrypted
5768bayes_ignore_header X-Barracuda-Envelope-From
5769bayes_ignore_header X-Barracuda-Fingerprint-Found
5770bayes_ignore_header X-Barracuda-Orig-Rcpt
5771bayes_ignore_header X-Barracuda-RBL-IP
5772bayes_ignore_header X-Barracuda-RBL-Trusted-Forwarder
5773bayes_ignore_header X-Barracuda-Spam-Report
5774bayes_ignore_header X-Barracuda-Spam-Score
5775bayes_ignore_header X-Barracuda-Spam-Status
5776bayes_ignore_header X-Barracuda-Start-Time
5777bayes_ignore_header X-Barracuda-UID
5778bayes_ignore_header X-Barracuda-URL
5779bayes_ignore_header X-Barracuda-Virus-Alert
5780bayes_ignore_header X-Bayes-Prob
5781bayes_ignore_header X-Bayesian-Result
21dcadbf 5782bayes_ignore_header X-BeenThere
b780ea8d
SI		 5783bayes_ignore_header X-BitDefender-Spam
5784bayes_ignore_header X-BitDefender-SpamStamp
5785bayes_ignore_header X-BL
5786bayes_ignore_header X-Bogosity
5787bayes_ignore_header X-Boxtrapper
5788bayes_ignore_header X-Brightmail-Tracker
5789bayes_ignore_header X-BTI-AntiSpam
5790bayes_ignore_header X-Bugzilla-Version
5791bayes_ignore_header X-CanIt-Geo
5792bayes_ignore_header X-Canit-Stats-ID
5793bayes_ignore_header X-CanItPRO-Stream
5794bayes_ignore_header X-Clapf-spamicity
21dcadbf 5795bayes_ignore_header X-ClientProxiedBy
b780ea8d
SI		 5796bayes_ignore_header X-Cloud-Security
5797bayes_ignore_header X-CM-Score
5798bayes_ignore_header X-CMAE-Analysis
5799bayes_ignore_header X-CMAE-Match
5800bayes_ignore_header X-CMAE-Score
5801bayes_ignore_header X-CMAE-Verdict
5802bayes_ignore_header X-CNFS-Analysis
5803bayes_ignore_header X-Company
21dcadbf 5804bayes_ignore_header X-Complaints-To
b780ea8d
SI		 5805bayes_ignore_header X-Coremail-Antispam
5806bayes_ignore_header X-CRM114-CacheID
5807bayes_ignore_header X-CRM114-Status
5808bayes_ignore_header X-CRM114-Version
5809bayes_ignore_header X-CT-Spam
5810bayes_ignore_header X-CTCH-SenderID
5811bayes_ignore_header X-CTCH-SenderID-TotalBulk
5812bayes_ignore_header X-CTCH-SenderID-TotalConfirmed
5813bayes_ignore_header X-CTCH-SenderID-TotalMessages
5814bayes_ignore_header X-CTCH-SenderID-TotalRecipients
5815bayes_ignore_header X-CTCH-SenderID-TotalSpam
5816bayes_ignore_header X-CTCH-SenderID-TotalSuspected
5817bayes_ignore_header X-CTCH-SenderID-TotalVirus
5818bayes_ignore_header X-CTCH-Spam
5819bayes_ignore_header X-CTCH-VOD
21dcadbf 5820bayes_ignore_header X-Delivered-To
b780ea8d
SI		 5821bayes_ignore_header X-Drweb-SpamState
5822bayes_ignore_header X-DSPAM-Confidence
5823bayes_ignore_header X-DSPAM-Factors
5824bayes_ignore_header X-DSPAM-Improbability
5825bayes_ignore_header X-DSPAM-Probability
5826bayes_ignore_header X-DSPAM-Processed
5827bayes_ignore_header X-DSPAM-Result
5828bayes_ignore_header X-DSPAM-Signature
5829bayes_ignore_header x-eavas
5830bayes_ignore_header x-eavas-action
5831bayes_ignore_header x-eavas-eavasid
5832bayes_ignore_header X-Enigmail-Version
5833bayes_ignore_header X-EsetId
5834bayes_ignore_header X-EsetResult
5835bayes_ignore_header X-Exchange-Antispam-Report
21dcadbf 5836bayes_ignore_header X-Exchange-Antispam-Report-CFA-Test
b780ea8d
SI		 5837bayes_ignore_header X-ExtloopSabreCommercials1
5838bayes_ignore_header X-EYOU-SPAMVALUE
5839bayes_ignore_header X-FB-OUTBOUND-SPAM
5840bayes_ignore_header X-FEAS-SBL
5841bayes_ignore_header X-FILTER-SCORE
5842bayes_ignore_header X-Forefront-Antispam-Report
21dcadbf 5843bayes_ignore_header X-Forefront-Antispam-Report-Untrusted
b780ea8d 5844bayes_ignore_header X-Forefront-PRVS
21dcadbf 5845bayes_ignore_header X-Freemail-From
b780ea8d
SI		 5846bayes_ignore_header X-Fuglu-Spamstatus
5847bayes_ignore_header X-Fuglu-Suspect
5848bayes_ignore_header X-getmail-filter-classifier
5849bayes_ignore_header X-GFIME-MASPAM
21dcadbf 5850bayes_ignore_header X-Gm-Message-State
b780ea8d
SI		 5851bayes_ignore_header X-Gmane-NNTP-Posting-Host
5852bayes_ignore_header X-GMX-Antispam
5853bayes_ignore_header X-GMX-Antivirus
21dcadbf 5854bayes_ignore_header X-Google-DKIM-Signature
b780ea8d
SI		 5855bayes_ignore_header X-He-Spam
5856bayes_ignore_header X-hMailServer-Spam
5857bayes_ignore_header X-IAS
5858bayes_ignore_header X-iGspam-global
5859bayes_ignore_header X-Injected-Via-Gmane
5860bayes_ignore_header X-Interia-Antivirus
5861bayes_ignore_header X-IP-Spam-Verdict
5862bayes_ignore_header X-Ironport
5863bayes_ignore_header X-IronPort-Anti-Spam-Filtered
5864bayes_ignore_header X-IronPort-Anti-Spam-Result
5865bayes_ignore_header X-IronPort-AV
5866bayes_ignore_header X-Ironport-HAT
5867bayes_ignore_header X-Ironport-HOSTNAME
5868bayes_ignore_header X-Ironport-LNR
5869bayes_ignore_header X-Ironport-MessageFilter
5870bayes_ignore_header X-Ironport-MFP
5871bayes_ignore_header X-Ironport-MID
5872bayes_ignore_header X-IronPort-Outgoing-Antispam
5873bayes_ignore_header X-Ironport-RIF
5874bayes_ignore_header X-Ironport-SBRS
5875bayes_ignore_header X-Ironport-SENDER
5876bayes_ignore_header X-Ironport-SUBJECT
5877bayes_ignore_header X-Junk-Score
5878bayes_ignore_header X-Junkmail
21dcadbf 5879bayes_ignore_header X-Klms-Anti
b780ea8d
SI		 5880bayes_ignore_header X-KLMS-AntiPhishing
5881bayes_ignore_header X-Klms-Antispam
5882bayes_ignore_header X-KLMS-AntiSpam-Info
5883bayes_ignore_header X-KLMS-AntiSpam-Interceptor-Info
5884bayes_ignore_header X-KLMS-AntiSpam-Lua-Profiles
5885bayes_ignore_header X-KLMS-AntiSpam-Method
5886bayes_ignore_header X-KLMS-AntiSpam-Moebius-Timestamps
5887bayes_ignore_header X-KLMS-AntiSpam-Rate
5888bayes_ignore_header X-KLMS-AntiSpam-Status
5889bayes_ignore_header X-KLMS-AntiSpam-Version
5890bayes_ignore_header X-KLMS-AntiVirus
5891bayes_ignore_header X-KLMS-AntiVirus-Status
5892bayes_ignore_header X-KLMS-Message-Action
5893bayes_ignore_header X-KLMS-Rule-ID
5894bayes_ignore_header X-KMail-EncryptionState
5895bayes_ignore_header X-KMail-MDN-Sent
5896bayes_ignore_header X-KMail-SignatureState
21dcadbf
SI		 5897bayes_ignore_header X-Kse-Anti
5898bayes_ignore_header X-Loom-IP
b780ea8d
SI		 5899bayes_ignore_header X-MailCleaner-SpamChec
5900bayes_ignore_header X-MailCleaner-SpamCheck
5901bayes_ignore_header X-MailFoundry
21dcadbf
SI		 5902bayes_ignore_header X-Mailman-Version
5903bayes_ignore_header X-MDAV-Processed
b780ea8d
SI		 5904bayes_ignore_header X-MDMailLookup-Result
5905bayes_ignore_header X-ME-Bayesian
5906bayes_ignore_header X-ME-Content
5907bayes_ignore_header X-MessageFilter
21dcadbf
SI		 5908bayes_ignore_header x-microsoft-antispam
5909bayes_ignore_header X-Microsoft-Antispam-Message-Info
5910bayes_ignore_header X-Microsoft-Antispam-Message-Info-Original
5911bayes_ignore_header X-Microsoft-Antispam-Untrusted
5912bayes_ignore_header X-Microsoft-Exchange-Diagnostics
b780ea8d 5913bayes_ignore_header X-Mlf-Version
21dcadbf
SI		 5914bayes_ignore_header X-Mozilla-Keys
5915bayes_ignore_header X-Mozilla-Status
5916bayes_ignore_header X-Mozilla-Status2
5917bayes_ignore_header x-ms-exchange-antispam-messagedata
5918bayes_ignore_header x-ms-exchange-antispam-messagedata-0
5919bayes_ignore_header X-MS-Exchange-CrossTenant-AuthAs
5920bayes_ignore_header X-MS-Exchange-CrossTenant-AuthSource
5921bayes_ignore_header X-MS-Exchange-CrossTenant-FromEntityHeader
5922bayes_ignore_header x-ms-exchange-crosstenant-id
5923bayes_ignore_header x-ms-exchange-crosstenant-network-message-id
5924bayes_ignore_header X-MS-Exchange-CrossTenant-OriginalArrivalTime
5925bayes_ignore_header x-ms-exchange-crosstenant-rms-persistedconsumerorg
5926bayes_ignore_header X-MS-Exchange-CrossTenant-userprincipalname
5927bayes_ignore_header x-ms-exchange-slblob-mailprops
5928bayes_ignore_header X-MS-Exchange-Transport-CrossTenantHeadersStamped
5929bayes_ignore_header x-ms-office365-filtering-correlation-id
5930bayes_ignore_header X-MS-TrafficTypeDiagnostic
5931bayes_ignore_header X-MSFBL
5932bayes_ignore_header X-MSMail-Priority
b780ea8d
SI		 5933bayes_ignore_header X-MXScan-AntiSpam
5934bayes_ignore_header X-MXScan-AntiVirus
5935bayes_ignore_header X-MXScan-Country-Sequence
5936bayes_ignore_header X-MXScan-License
5937bayes_ignore_header X-MXScan-Msgid
5938bayes_ignore_header X-MXScan-ProcessingTime
5939bayes_ignore_header X-MXScan-Scan
5940bayes_ignore_header X-NAI-Spam-Flag
5941bayes_ignore_header X-NAI-Spam-Rules
5942bayes_ignore_header X-NAI-Spam-Score
5943bayes_ignore_header X-NAI-Spam-Threshold
5944bayes_ignore_header X-NetStation-Status
21dcadbf
SI		 5945bayes_ignore_header X-No-Relay
5946bayes_ignore_header X-OriginatorOrg
b780ea8d
SI		 5947bayes_ignore_header X-OVH-SPAMCAUSE
5948bayes_ignore_header X-OVH-SPAMCAUSE:
5949bayes_ignore_header X-OVH-SPAMSCORE
5950bayes_ignore_header X-OVH-SPAMSTATE
5951bayes_ignore_header X-PerlMx-Spam
5952bayes_ignore_header X-PerlMx-Virus-Scanned
5953bayes_ignore_header X-PFSI-Info
5954bayes_ignore_header X-PMX-Spam
5955bayes_ignore_header X-PMX-Version
5956bayes_ignore_header X-Policy-Service
5957bayes_ignore_header X-policyd-weight
5958bayes_ignore_header X-PreRBLs
5959bayes_ignore_header X-Probable-Spam
5960bayes_ignore_header X-PROLinux-SpamCheck
5961bayes_ignore_header X-Proofpoint-Spam-Reason
5962bayes_ignore_header X-Proofpoint-Virus-Version
21dcadbf 5963bayes_ignore_header X-Provags-ID
b780ea8d
SI		 5964bayes_ignore_header x-purgate-eavas: clean
5965bayes_ignore_header x-purgate-id
5966bayes_ignore_header x-purgate-size
5967bayes_ignore_header x-purgate-type
5968bayes_ignore_header X-Qmail-Scanner-Diagnostics
5969bayes_ignore_header X-Qmail-Scanner-MOVED-X-Spam-Status
5970bayes_ignore_header X-Quarantine-ID
21dcadbf 5971bayes_ignore_header X-Received
b780ea8d
SI		 5972bayes_ignore_header X-RSpam-Report
5973bayes_ignore_header X-SA-Do-Not-Run
5974bayes_ignore_header X-SA-Exim-Version
5975bayes_ignore_header X-Scanned-by
21dcadbf
SI		 5976bayes_ignore_header X-ServerMaster-MailScanner
5977bayes_ignore_header X-SG-EID
5978bayes_ignore_header X-SG-ID
b780ea8d
SI		 5979bayes_ignore_header X-SmarterMail-CustomSpamHeader
5980bayes_ignore_header X-Spam
5981bayes_ignore_header X-Spam-Action
5982bayes_ignore_header X-SPAM-AISP
5983bayes_ignore_header X-Spam-Check-By
5984bayes_ignore_header X-Spam-Checker-Version
5985bayes_ignore_header X-Spam-CMAE-Analysis
5986bayes_ignore_header X-Spam-CMAESCORE
5987bayes_ignore_header X-Spam-CTCH-RefID
5988bayes_ignore_header X-Spam-Flag
5989bayes_ignore_header X-Spam-Level
5990bayes_ignore_header X-Spam-Processed
5991bayes_ignore_header X-Spam-Report
5992bayes_ignore_header X-Spam-Scanned
5993bayes_ignore_header X-Spam-Score
5994bayes_ignore_header X-Spam-Score-Int
5995bayes_ignore_header X-Spam-SmartLearn
5996bayes_ignore_header X-Spam-Status
5997bayes_ignore_header X-Spam-Threshold
5998bayes_ignore_header X-Spam_bar
5999bayes_ignore_header X-Spambayes-Classification
6000bayes_ignore_header X-SpamExperts-Domain
6001bayes_ignore_header X-SpamExperts-Outgoing-Class
6002bayes_ignore_header X-SpamExperts-Outgoing-Evidence
6003bayes_ignore_header X-SpamExperts-Username
6004bayes_ignore_header X-Spamfilter-host
6005bayes_ignore_header X-Spamina-Bogosity
6006bayes_ignore_header X-Spamina-Spam-Report
6007bayes_ignore_header X-Spamina-Spam-Score
6008bayes_ignore_header X-SpamInfo
6009bayes_ignore_header X-Spamsave
6010bayes_ignore_header X-SpamTest-Group-ID
6011bayes_ignore_header X-SpamTest-Info
6012bayes_ignore_header X-SpamTest-Method
6013bayes_ignore_header X-SpamTest-Rate
6014bayes_ignore_header X-SpamTest-SPF
6015bayes_ignore_header X-SpamTest-Status
6016bayes_ignore_header X-SpamTest-Status-Extended
6017bayes_ignore_header X-SPF-Scan-By
6018bayes_ignore_header X-STA-Metric
6019bayes_ignore_header X-STA-NotSpam
6020bayes_ignore_header X-STA-Spam
6021bayes_ignore_header X-StarScan-Version
6022bayes_ignore_header X-SurGATE-Result
6023bayes_ignore_header X-SWITCHham-Score
6024bayes_ignore_header X-UI-Filterresults
6025bayes_ignore_header X-UI-Loop
6026bayes_ignore_header X-UI-Out-Filterresults
6027bayes_ignore_header X-Univie-Spam-Checker-Version
6028bayes_ignore_header X-Univie-Virus-Scan
6029bayes_ignore_header X-Virus
6030bayes_ignore_header X-Virus-Checker-Version
6031bayes_ignore_header X-Virus-Scanned
6032bayes_ignore_header X-Virus-Scanner-Result
6033bayes_ignore_header X-Virus-Scanner-Version
6034bayes_ignore_header X-Virus-Status
6035bayes_ignore_header X-VirusChecked
6036bayes_ignore_header X-VR-SCORE
6037bayes_ignore_header X-VR-SPAMCAUSE
6038bayes_ignore_header X-VR-STATUS
6039bayes_ignore_header X-WatchGuard-Mail-Client-IP
6040bayes_ignore_header X-WatchGuard-Mail-From
6041bayes_ignore_header X-WatchGuard-Mail-Recipients
6042bayes_ignore_header X-WatchGuard-Spam-ID
6043bayes_ignore_header X-WatchGuard-Spam-Score
6044bayes_ignore_header X-Whitelist-Domain
6045bayes_ignore_header X-WUM-CCI
21dcadbf
SI		 6046bayes_ignore_header X_CMAE_Category
6047##} bayes_ignore_header_sandbox
b780ea8d
SI		 6048
6049##{ if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
6050
6051if (version >= 3.004001)
6052ifplugin Mail::SpamAssassin::Plugin::AskDNS
6053askdns __FROM_FMBLA_NEWDOM _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/
6054askdns __FROM_FMBLA_NEWDOM14 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.14$/
6055askdns __FROM_FMBLA_NEWDOM28 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.28$/
6056askdns __FROM_FMBLA_NDBLOCKED _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.255\.255\.255$/
6057reuse FROM_FMBLA_NEWDOM
6058reuse FROM_FMBLA_NEWDOM14
6059reuse FROM_FMBLA_NEWDOM28
6060reuse FROM_FMBLA_NDBLOCKED
6061reuse __PDS_NEWDOMAIN
6062reuse FROM_NUMBERO_NEWDOMAIN
6063reuse FROM_NEWDOM_BTC
6064askdns __PDS_SPF_ONLYALL _SENDERDOMAIN_ TXT /^v=spf1 \+all$/
6065reuse BITCOIN_SPF_ONLYALL
6066endif
6067endif
6068##} if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
6069
6070##{ if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox
6071
6072if (version >= 3.004002)
6073ifplugin Mail::SpamAssassin::Plugin::WLBLEval
6074enlist_addrlist (PAYPAL) *@paypal.com *@paypal.co.uk *@paypal.de *@paypal.com.au *@paypal.it
6075enlist_addrlist (PAYPAL) *@paypal.es *@paypal.fr *@paypal.de *@paypal.com.hk
6076enlist_addrlist (PAYPAL) *@*.paypal.com *@*.paypal.co.uk
6077reuse __FROM_ADDRLIST_PAYPAL
6078reuse FROM_PAYPAL_SPOOF
6079enlist_addrlist (BANKS) *@abbey.co.uk *@abbey.com *@abbeyinternational.com *@abbeyinternational.co.uk *@abbeynational.com *@abbeynational.co.uk
6080enlist_addrlist (BANKS) *@allianceleicester.com *@allianceleicester.co.uk *@alliance-leicester.com *@alliance-leicester.co.uk
6081enlist_addrlist (BANKS) *@bankofamerica.com *@bankofamerica.co.uk
6082enlist_addrlist (BANKS) *@barclaycard.com *@barclays.com
6083enlist_addrlist (BANKS) *@citibank.com
6084enlist_addrlist (BANKS) *@firstdirect.com *@firstdirect.co.uk
6085enlist_addrlist (BANKS) *@halifax.com *@halifax.co.uk *@halifax-online.co.uk *@halifax-online.com
6086enlist_addrlist (BANKS) *@hbos.com *@hbos.co.uk
6087enlist_addrlist (BANKS) *@hsbc.com *@hsbc.co.uk *@hsbc.hk *@hsbcgroup.com *@hsbcgroup.co.uk
6088enlist_addrlist (BANKS) *@lloydstsb.com *@lloydstsb.co.uk *@lloyds.com
6089enlist_addrlist (BANKS) *@mbna.com
6090enlist_addrlist (BANKS) *@nationwide.com *@nationwide.co.uk
6091enlist_addrlist (BANKS) *@natwest.com *@natwest.co.uk
6092enlist_addrlist (BANKS) *@santander.com *@santander.co.uk
6093enlist_addrlist (BANKS) *@standardbank.co.za
6094enlist_addrlist (BANKS) *@ybonline.co.uk *@ybonline.com
6095reuse __FROM_ADDRLIST_BANKS
6096reuse FROM_BANK_NOAUTH
6097enlist_addrlist (GOV) *@*.gov
6098enlist_addrlist (GOV) *@*.gov.uk *@parliament.uk *@*.parliament.uk
6099reuse __FROM_ADDRLIST_GOV
6100reuse FROM_GOV_SPOOF
6101reuse FROM_GOV_DKIM_AU
6102reuse FROM_GOV_REPLYTO_FREEMAIL
6103enlist_addrlist (SUSP_NTLD) *@*.icu
6104enlist_addrlist (SUSP_NTLD) *@*.online
6105enlist_addrlist (SUSP_NTLD) *@*.work
6106enlist_addrlist (SUSP_NTLD) *@*.date
6107enlist_addrlist (SUSP_NTLD) *@*.top
6108enlist_addrlist (SUSP_NTLD) *@*.fun
6109enlist_addrlist (SUSP_NTLD) *@*.life
6110enlist_addrlist (SUSP_NTLD) *@*.review
b780ea8d
SI		 6111enlist_addrlist (SUSP_NTLD) *@*.bid
6112enlist_addrlist (SUSP_NTLD) *@*.stream
b780ea8d
SI		 6113enlist_addrlist (SUSP_NTLD) *@*.gdn
6114enlist_addrlist (SUSP_NTLD) *@*.click
6115enlist_addrlist (SUSP_NTLD) *@*.world
6116enlist_addrlist (SUSP_NTLD) *@*.fit
6117enlist_addrlist (SUSP_NTLD) *@*.ooo
6118enlist_addrlist (SUSP_NTLD) *@*.faith
6119enlist_addrlist (SUSP_NTLD) *@*.buzz
6120enlist_addrlist (SUSP_NTLD) *@*.trade
6121enlist_addrlist (SUSP_NTLD) *@*.cyou
6122enlist_addrlist (SUSP_NTLD) *@*.vip
6123enlist_uri_host (SUSP_URI_NTLD) icu
6124enlist_uri_host (SUSP_URI_NTLD) online
6125enlist_uri_host (SUSP_URI_NTLD) work
6126enlist_uri_host (SUSP_URI_NTLD) date
6127enlist_uri_host (SUSP_URI_NTLD) top
6128enlist_uri_host (SUSP_URI_NTLD) fun
6129enlist_uri_host (SUSP_URI_NTLD) life
6130enlist_uri_host (SUSP_URI_NTLD) review
b780ea8d
SI		 6131enlist_uri_host (SUSP_URI_NTLD) bid
6132enlist_uri_host (SUSP_URI_NTLD) stream
b780ea8d
SI		 6133enlist_uri_host (SUSP_URI_NTLD) gdn
6134enlist_uri_host (SUSP_URI_NTLD) click
6135enlist_uri_host (SUSP_URI_NTLD) world
6136enlist_uri_host (SUSP_URI_NTLD) fit
6137enlist_uri_host (SUSP_URI_NTLD) ooo
6138enlist_uri_host (SUSP_URI_NTLD) faith
6139enlist_uri_host (SUSP_URI_NTLD) buzz
6140enlist_uri_host (SUSP_URI_NTLD) trade
6141enlist_uri_host (SUSP_URI_NTLD) cyou
6142enlist_uri_host (SUSP_URI_NTLD) vip
6143enlist_uri_host (SUSP_URI_NTLD_PRO) pro
6144reuse __FROM_ADDRLIST_SUSPNTLD
6145reuse __REPLYTO_ADDRLIST_SUSPNTLD
6146reuse FROM_SUSPICIOUS_NTLD
6147reuse GOOGLE_DRIVE_REPLY_BAD_NTLD
6148reuse VPS_NO_NTLD
6149endif
6150endif
6151##} if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox
6152
6153##{ if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox
6154
6155if (version >= 3.004003)
6156 ifplugin Mail::SpamAssassin::Plugin::HashBL
dfdd1e08
SI		 6157 priority GB_HASHBL_BTC -100
6158 reuse GB_HASHBL_BTC
b780ea8d
SI		 6159endif
6160endif
6161##} if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox
6162
6163##{ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6164
6165if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
6166 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
6167 replace_tag lcase_e (?:e|\xc3[\xa8\xa9\xaa\xab]|\xc4[\x93\x95\x97\x99\x9b]|\xc8[\x85\x87\x80]|\xcf\xb5|\xd0\xb5|\xd1[\x90\x91\x94\xb3]|\xd2[\xbc\xbd\xbe\xbf]|\xd3[\x07\xa9\xab])
6168 replace_rules __E_LIKE_LETTER
6169endif
6170endif
6171##} if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6172
6173##{ ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
6174
6175ifplugin Mail::SpamAssassin::Plugin::AskDNS
6176askdns __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/
6177reuse __DKIMWL_FREEMAIL
6178askdns __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/
6179reuse __DKIMWL_BULKMAIL
6180askdns __DKIMWL_WL_HI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/
6181reuse __DKIMWL_WL_HI
6182askdns __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/
6183reuse __DKIMWL_WL_MEDHI
6184askdns __DKIMWL_WL_MED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/
6185reuse __DKIMWL_WL_MED
6186askdns __DKIMWL_WL_BL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/
6187reuse __DKIMWL_WL_BL
6188askdns __DKIMWL_BLOCKED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/
6189reuse __DKIMWL_BLOCKED
6190reuse DKIMWL_WL_HIGH
6191reuse DKIMWL_WL_MEDHI
6192reuse DKIMWL_WL_MED
6193reuse DKIMWL_BL
6194reuse DKIMWL_BLOCKED
6195askdns __HELO_DNS _LASTEXTERNALHELO_ A /./
6196endif
6197##} ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox
6198
6199##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox
6200
6201ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
6202reuse RCVD_IN_PSBL
6203endif
6204##} ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox
6205
6206##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox
6207
6208ifplugin Mail::SpamAssassin::Plugin::DNSEval
6209reuse RCVD_IN_IADB_LISTED
6210reuse RCVD_IN_IADB_EDDB
6211reuse RCVD_IN_IADB_EPIA
6212reuse RCVD_IN_IADB_SPF
6213reuse RCVD_IN_IADB_SENDERID
6214reuse RCVD_IN_IADB_DK
6215reuse RCVD_IN_IADB_RDNS
6216reuse RCVD_IN_IADB_GOODMAIL
6217reuse RCVD_IN_IADB_NOCONTROL
6218reuse RCVD_IN_IADB_OPTOUTONLY
6219reuse RCVD_IN_IADB_UNVERIFIED_1
6220reuse RCVD_IN_IADB_UNVERIFIED_2
6221reuse RCVD_IN_IADB_LOOSE
6222reuse RCVD_IN_IADB_OPTIN_LT50
6223reuse RCVD_IN_IADB_OPTIN_GT50
6224reuse RCVD_IN_IADB_OPTIN
6225reuse RCVD_IN_IADB_DOPTIN_LT50
6226reuse RCVD_IN_IADB_DOPTIN_GT50
6227reuse RCVD_IN_IADB_DOPTIN
6228reuse RCVD_IN_IADB_ML_DOPTIN
6229reuse RCVD_IN_IADB_OOO
6230reuse RCVD_IN_IADB_MI_CPEAR
6231reuse RCVD_IN_IADB_UT_CPEAR
6232reuse RCVD_IN_IADB_MI_CPR_30
6233reuse RCVD_IN_IADB_UT_CPR_30
6234reuse RCVD_IN_IADB_MI_CPR_MAT
6235reuse RCVD_IN_IADB_UT_CPR_MAT
6236endif
6237##} ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox
6238
6239##{ ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox
6240
6241ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
6242fns_ignore_dkim linkedin.com googlegroups.com yahoogroups.com yahoogroups.de
6243fns_ignore_headers List-Id
6244fns_check 1
6245reuse __PLUGIN_FROMNAME_SPOOF
6246reuse __PLUGIN_FROMNAME_EQUALS_TO
6247endif
6248##} ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox
6249
6250##{ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6251
6252ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
6253replace_rules T_FUZZY_SPRM
6254replace_rules FUZZY_MERIDIA
6255replace_rules TVD_FUZZY_PHARMACEUTICAL
6256replace_rules TVD_FUZZY_SYMBOL
6257replace_rules T_TVD_FUZZY_SECURITIES
6258replace_rules TVD_FUZZY_FINANCE
6259replace_rules TVD_FUZZY_FIXED_RATE
6260replace_rules TVD_FUZZY_MICROCAP
6261replace_rules T_TVD_FUZZY_SECTOR
6262replace_rules TVD_FUZZY_DEGREE
6263 replace_rules __COPY_PASTE_EN
6264 replace_tag FF_LNNO (?:(?:\d{1,3}(?:[)}\]:.,]{1,80}|(?:st|nd|rd|th)[)}\]:.,]{0,3})|\W?\([\div]{1,5}\)|\W?\{\d{1,3}\}|\[\d{1,3}\]|\*{1,5}|\#{1,5}|\(?[A-K][)}\]:.,]{1,3})\s?)
6265 replace_tag FF_YOUR (?:a?\s?copy\sof\s)?(?:(?:your|din|seu|twoje)[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full(?:st[\xe4]ndigt)?\s?|complete\s|direct\s|private?\s|valid\s|personal\s|nuvarande\s|vollst[\xe4]ndige\s|aktuelle\s|pe\s(?:ne\s)?){0,3}
6266 replace_tag ANDOR (?:\s?[\/&+,]\s?|\sor\s|\sand?\s)
6267 replace_tag NUMBER (?:(?:ruf)?num(?:[bm]er)?\(?s?\)?|nos?\.|no\b|n[\xb0]|\#s?|nbrs?\.?)
6268 replace_tag FF_SUFFIX (?:\sin\s(?:full|words)|\scompleto)?:?(?:\s?[({][^)}]{1,30}[)}])?
6269 replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){3,100}))
6270 replace_tag FF_BLANK2 (?:[^-=_.,:;*\w]{0,3}(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){1,100})
6271 replace_tag FF_A1 (?:(?:countr?y|city|province|ter+itory|(?:zip|post(?:al)?)(?:\s?code)?|st?ates?|ad+res+e?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))?
6272 replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail|bostads|wohn)<ANDOR>?){0,3}\s?(?:ad+res+[es]{0,2}|location|endere[\xe7]o)(?:\sline)?(?:\s[0-9])?
6273 replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|user|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:<ANDOR>ad+res+)?
6274 replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one?)?|(?:ph|f)one|private)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s?<NUMBER>)?<ANDOR>?){1,3}
6275 replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|(?:user )?email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)<ANDOR>?){1,3}
6276 replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?s?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf|zaw(?:=F3|[\xf3])d)
6277 replace_tag FF_F1 (?:(?:bank(?:ing)?|beneficiary|billing|acc(?:oun)?t|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|institution|a\/c|<NUMBER>)<ANDOR>?){1,3}
6278 replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(?:en[sc]e)?|pas+\s?port|id\scard|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?)<ANDOR>?){1,3}(?:\s<NUMBER>)?
6279 replace_tag FF_F3 (?:picture|zdj\scie|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|(?:e-?mail\s)?pas+word|e-?mai?l\sid|amount\s[\w\s]{0,30}lost[\w\s]{0,15})
6280 replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names?
6281 replace_tag FF_F5 (?:ref(?:erence)?|batch|win+ing|award|billet)[-\s]?<NUMBER>
6282 replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>|<FF_L1>)
6283 replace_rules __FILL_THIS_FORM_LONG1
6284 replace_rules __FILL_THIS_FORM_LONG2
6285 replace_rules __FILL_THIS_FORM_PARTIAL
6286 replace_rules __FILL_THIS_FORM_PARTIAL_RAW
6287 replace_rules __FILL_THIS_FORM_SHORT1
6288 replace_rules __FILL_THIS_FORM_SHORT2
6289 replace_rules __FILL_THIS_FORM_LOAN1
6290 replace_rules __FILL_THIS_FORM_FRAUD_PHISH1
6291 replace_tag CURRENCY (?:[\(\[]?(?:\bU[Ss][D\$]{0,2}|\$(?:US)?|usd|USD|CAD|GBP|=[Aa][34]|\xa3|&\#16[34];|(?i:pounds\ssterling)|\xa4|EUR(?:OS?)?|(?:d')?[Ee]uro?s?|(?i:eur)\sde|CHF|FCFA|d[\xf3]lares\sde\slos\sE+\.\s?U+\.)[\]\)]?)
6292 replace_tag GB_UK \b(?:U\.?K\.?|(?:Great\s)?Brit(?:ain|ish)|G\.?B\.?)\b
6293 replace_tag NUM_NOT_DATE [1-9](?!\d\d\d\.\d\d\.\d\d\s)(?!\d?\.\d\d?\.\d\d\d\d\s)
6294 replace_tag NUM_NOT_DATE_IP <NUM_NOT_DATE>(?!\d{0,2}(?:\.0|\.[1-2]\d{0,2}){3}(?:\D|$))
6295 replace_rules __LOTSA_MONEY_00 __LOTSA_MONEY_01 __LOTSA_MONEY_02 __LOTSA_MONEY_03 __LOTSA_MONEY_04
6296 replace_tag PERCENT \b(?:\d\d|ten|[a-z]+teen|(?:twen|thir|fou?r|fif)ty(?:-?[a-z]+)?)\s?(?:%|percent)
6297 replace_rules __PCT_FOR_YOU_1 __PCT_FOR_YOU_2 __PCT_FOR_YOU_3 __PCT_OF_PMTS
6298 replace_rules T_FUZZY_OPTOUT
6299 replace_rules __FRT_PRICE
6300 replace_rules FUZZY_UNSUBSCRIBE
6301 replace_rules FUZZY_ANDROID
6302 replace_rules FUZZY_PROMOTION
6303 replace_rules FUZZY_PRIVACY
6304 replace_rules FUZZY_BROWSER
6305 replace_rules FUZZY_SAVINGS
6306 replace_rules FUZZY_IMPORTANT
6307 replace_rules FUZZY_SECURITY
6308 replace_rules __FUZZY_DR_OZ
6309 replace_rules FUZZY_CLICK_HERE
6310 replace_rules FUZZY_BITCOIN
6311 replace_rules __BITCOIN
6312 replace_rules FUZZY_WALLET
6313 replace_rules __FUZZY_MONERO
6314 replace_rules __FUZZY_WELLSFARGO_BODY
6315 replace_rules __FUZZY_WELLSFARGO_FROM
6316 replace_rules __FUZZY_PORN
6317 replace_rules FUZZY_AMAZON
6318 replace_rules FUZZY_APPLE
6319 replace_rules FUZZY_MICROSOFT
6320 replace_rules FUZZY_FACEBOOK
6321 replace_rules FUZZY_PAYPAL
6322 replace_rules FUZZY_NORTON
6323 replace_rules FUZZY_OVERSTOCK
6324 replace_rules __MY_VICTIM
6325 replace_rules __MY_MALWARE
6326 replace_rules __PAY_ME
6327 replace_rules __YOUR_PASSWORD
6328 replace_rules __YOUR_WEBCAM
6329 replace_rules __YOUR_ONAN
6330 replace_rules __YOUR_PERSONAL
6331 replace_rules __HOURS_DEADLINE
6332 replace_rules __EXPLOSIVE_DEVICE
6333replace_rules T_LFUZ_PWRMALE
6334 replace_rules __PDS_BTC_HACKER __PDS_BTC_PIRATE
6335 reuse T_PDS_BTC_AHACKER
6336 reuse T_PDS_BTC_HACKER
6337 reuse T_PDS_LTC_AHACKER
6338 reuse T_PDS_LTC_HACKER
6339endif
6340##} ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox
6341
6342##{ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox
6343
6344ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
6345reuse URIBL_RHS_DOB
6346endif
6347##} ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox
6348
6349##{ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox
6350
6351ifplugin Mail::SpamAssassin::Plugin::WLBLEval
6352if (version >= 3.004000)
6353enlist_uri_host (PDS_CASHSHORTENER) cutpaid.com
6354enlist_uri_host (PDS_CASHSHORTENER) caat.site
6355enlist_uri_host (PDS_CASHSHORTENER) triabicia.com
6356enlist_uri_host (PDS_CASHSHORTENER) 2xs.io
6357enlist_uri_host (PDS_CASHSHORTENER) ocest.site
6358enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz
6359enlist_uri_host (PDS_CASHSHORTENER) waar.site
6360enlist_uri_host (PDS_CASHSHORTENER) cpmlink.net
6361enlist_uri_host (PDS_CASHSHORTENER) cowner.net
6362enlist_uri_host (PDS_CASHSHORTENER) adfoc.us
6363enlist_uri_host (PDS_CASHSHORTENER) shrinkhere.xyz
6364enlist_uri_host (PDS_CASHSHORTENER) gurl.pw
6365enlist_uri_host (PDS_CASHSHORTENER) shortearn.eu
6366enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz
6367enlist_uri_host (PDS_CASHSHORTENER) libittarc.com
6368enlist_uri_host (PDS_CASHSHORTENER) pc.cd
6369enlist_uri_host (PDS_CASHSHORTENER) fc.lc
6370enlist_uri_host (PDS_CASHSHORTENER) dares.xyz
6371enlist_uri_host (PDS_CASHSHORTENER) trendlouds.com
6372enlist_uri_host (PDS_CASHSHORTENER) yogaf.xyz
6373enlist_uri_host (PDS_CASHSHORTENER) cobs.xyz
6374enlist_uri_host (PDS_CASHSHORTENER) olnew.xyz
6375enlist_uri_host (PDS_CASHSHORTENER) cleft.xyz
6376enlist_uri_host (PDS_CASHSHORTENER) 7r6.com
6377enlist_uri_host (PDS_CASHSHORTENER) mitly.us
6378enlist_uri_host (PDS_CASHSHORTENER) kutpay.com
6379enlist_uri_host (PDS_CASHSHORTENER) gsurl.me
6380enlist_uri_host (PDS_CASHSHORTENER) gurl.ly
6381enlist_uri_host (PDS_CASHSHORTENER) gsurl.in
6382enlist_uri_host (PDS_CASHSHORTENER) acitoate.com
6383enlist_uri_host (PDS_CASHSHORTENER) aclabink.com
6384enlist_uri_host (PDS_CASHSHORTENER) activeation.com
6385enlist_uri_host (PDS_CASHSHORTENER) activeterium.com
6386enlist_uri_host (PDS_CASHSHORTENER) adflyforum.com
6387enlist_uri_host (PDS_CASHSHORTENER) adflymail.com
6388enlist_uri_host (PDS_CASHSHORTENER) adult.xyz
6389enlist_uri_host (PDS_CASHSHORTENER) agileurbia.com
6390enlist_uri_host (PDS_CASHSHORTENER) atomcurve.com
6391enlist_uri_host (PDS_CASHSHORTENER) ay.gy
6392enlist_uri_host (PDS_CASHSHORTENER) battleate.com
6393enlist_uri_host (PDS_CASHSHORTENER) biastonu.com
6394enlist_uri_host (PDS_CASHSHORTENER) bitigee.com
6395enlist_uri_host (PDS_CASHSHORTENER) briskrange.com
6396enlist_uri_host (PDS_CASHSHORTENER) brisktopia.com
6397enlist_uri_host (PDS_CASHSHORTENER) casualient.com
6398enlist_uri_host (PDS_CASHSHORTENER) clesolea.com
6399enlist_uri_host (PDS_CASHSHORTENER) code404.biz
6400enlist_uri_host (PDS_CASHSHORTENER) coginator.com
6401enlist_uri_host (PDS_CASHSHORTENER) cogismith.com
6402enlist_uri_host (PDS_CASHSHORTENER) covelign.com
6403enlist_uri_host (PDS_CASHSHORTENER) crefranek.com
6404enlist_uri_host (PDS_CASHSHORTENER) dashsphere.com
6405enlist_uri_host (PDS_CASHSHORTENER) dataurbia.com
6406enlist_uri_host (PDS_CASHSHORTENER) deciomm.com
6407enlist_uri_host (PDS_CASHSHORTENER) ducolomal.com
6408enlist_uri_host (PDS_CASHSHORTENER) east-jones.com
6409enlist_uri_host (PDS_CASHSHORTENER) ecleneue.com
6410enlist_uri_host (PDS_CASHSHORTENER) ellevolaw.com
6411enlist_uri_host (PDS_CASHSHORTENER) endroudo.com
6412enlist_uri_host (PDS_CASHSHORTENER) eunsetee.com
6413enlist_uri_host (PDS_CASHSHORTENER) fainbory.com
6414enlist_uri_host (PDS_CASHSHORTENER) fasttory.com
6415enlist_uri_host (PDS_CASHSHORTENER) fawright.com
6416enlist_uri_host (PDS_CASHSHORTENER) flyserve.co
6417enlist_uri_host (PDS_CASHSHORTENER) greponozy.com
6418enlist_uri_host (PDS_CASHSHORTENER) homoluath.com
6419enlist_uri_host (PDS_CASHSHORTENER) hopigrarn.com
6420enlist_uri_host (PDS_CASHSHORTENER) infopade.com
6421enlist_uri_host (PDS_CASHSHORTENER) j.gs
6422enlist_uri_host (PDS_CASHSHORTENER) kaitect.com
6423enlist_uri_host (PDS_CASHSHORTENER) kializer.com
6424enlist_uri_host (PDS_CASHSHORTENER) kibuilder.com
6425enlist_uri_host (PDS_CASHSHORTENER) kimechanic.com
6426enlist_uri_host (PDS_CASHSHORTENER) kudoflow.com
6427enlist_uri_host (PDS_CASHSHORTENER) legeerook.com
6428enlist_uri_host (PDS_CASHSHORTENER) libittarc.com
6429enlist_uri_host (PDS_CASHSHORTENER) linkjaunt.com
6430enlist_uri_host (PDS_CASHSHORTENER) locinealy.com
6431enlist_uri_host (PDS_CASHSHORTENER) maetrimal.com
6432enlist_uri_host (PDS_CASHSHORTENER) metastead.com
6433enlist_uri_host (PDS_CASHSHORTENER) mmoity.com
6434enlist_uri_host (PDS_CASHSHORTENER) mondoagram.com
6435enlist_uri_host (PDS_CASHSHORTENER) neswery.com
6436enlist_uri_host (PDS_CASHSHORTENER) nimbleinity.com
6437enlist_uri_host (PDS_CASHSHORTENER) onisedeo.com
6438enlist_uri_host (PDS_CASHSHORTENER) optitopt.com
6439enlist_uri_host (PDS_CASHSHORTENER) picocurl.com
6440enlist_uri_host (PDS_CASHSHORTENER) pladollmo.com
6441enlist_uri_host (PDS_CASHSHORTENER) preofery.com
6442enlist_uri_host (PDS_CASHSHORTENER) prereheus.com
6443enlist_uri_host (PDS_CASHSHORTENER) q.gs
6444enlist_uri_host (PDS_CASHSHORTENER) quainator.com
6445enlist_uri_host (PDS_CASHSHORTENER) quamiller.com
6446enlist_uri_host (PDS_CASHSHORTENER) queuecosm.bid
6447enlist_uri_host (PDS_CASHSHORTENER) raboninco.com
6448enlist_uri_host (PDS_CASHSHORTENER) rapidteria.com
6449enlist_uri_host (PDS_CASHSHORTENER) rapidtory.com
6450enlist_uri_host (PDS_CASHSHORTENER) sapolatsu.com
6451enlist_uri_host (PDS_CASHSHORTENER) scapognel.com
6452enlist_uri_host (PDS_CASHSHORTENER) simizer.com
6453enlist_uri_host (PDS_CASHSHORTENER) skamaker.com
6454enlist_uri_host (PDS_CASHSHORTENER) skamason.com
6455enlist_uri_host (PDS_CASHSHORTENER) sluppend.com
6456enlist_uri_host (PDS_CASHSHORTENER) sprysphere.com
6457enlist_uri_host (PDS_CASHSHORTENER) streamvoyage.com
6458enlist_uri_host (PDS_CASHSHORTENER) swarife.com
6459enlist_uri_host (PDS_CASHSHORTENER) swiftation.com
6460enlist_uri_host (PDS_CASHSHORTENER) swifttopia.com
6461enlist_uri_host (PDS_CASHSHORTENER) techigo.com
6462enlist_uri_host (PDS_CASHSHORTENER) threadsphere.bid
6463enlist_uri_host (PDS_CASHSHORTENER) tinyical.com
6464enlist_uri_host (PDS_CASHSHORTENER) tonancos.com
6465enlist_uri_host (PDS_CASHSHORTENER) triabicia.com
6466enlist_uri_host (PDS_CASHSHORTENER) turboagram.com
6467enlist_uri_host (PDS_CASHSHORTENER) twineer.com
6468enlist_uri_host (PDS_CASHSHORTENER) twiriock.com
6469enlist_uri_host (PDS_CASHSHORTENER) userlab66.com
6470enlist_uri_host (PDS_CASHSHORTENER) vaugette.com
6471enlist_uri_host (PDS_CASHSHORTENER) velocicosm.com
6472enlist_uri_host (PDS_CASHSHORTENER) velociterium.com
6473enlist_uri_host (PDS_CASHSHORTENER) viahold.com
6474enlist_uri_host (PDS_CASHSHORTENER) vializer.com
6475enlist_uri_host (PDS_CASHSHORTENER) viwright.com
6476enlist_uri_host (PDS_CASHSHORTENER) whareotiv.com
6477enlist_uri_host (PDS_CASHSHORTENER) wirecellar.com
6478enlist_uri_host (PDS_CASHSHORTENER) x19.biz
6479enlist_uri_host (PDS_CASHSHORTENER) x19network.com
6480enlist_uri_host (PDS_CASHSHORTENER) yabuilder.com
6481enlist_uri_host (PDS_CASHSHORTENER) yamechanic.com
6482enlist_uri_host (PDS_CASHSHORTENER) yoalizer.com
6483enlist_uri_host (PDS_CASHSHORTENER) yobuilder.com
6484enlist_uri_host (PDS_CASHSHORTENER) yoineer.com
6485enlist_uri_host (PDS_CASHSHORTENER) yoitect.com
6486enlist_uri_host (PDS_CASHSHORTENER) zipansion.com
6487enlist_uri_host (PDS_CASHSHORTENER) zipteria.com
6488enlist_uri_host (PDS_CASHSHORTENER) zipvale.com
b780ea8d
SI		 6489reuse T_PDS_SHORTFWD_URISHRT
6490endif
6491endif
6492##} ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox
6493
6494##{ redirector_pattern_sandbox
6495
6496redirector_pattern m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i
6497redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i
6498redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:site|inurl):(.*?)(?:$|%20|[\s+&\#])'i
6499redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&\#])'i
6500redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i
6501redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/pagead/iclk\?.*?(?<=[?&])adurl=(.*?)(?:$|[&\#])'i
6502redirector_pattern m'^https?:/*(?:\w+\.)?aol\.com/redir\.adp\?.*(?<=[?&])_url=(.*?)(?:$|[&\#])'i
6503redirector_pattern m'^https?/*(?:\w+\.)?facebook\.com/l/;(.*)'i
6504##} redirector_pattern_sandbox
6505
6506##{ reuse_sandbox
6507
6508reuse T_PDS_HIDDEN_UK_BUSINESSLOAN
6509reuse T_PDS_DOUBLE_URL
6510reuse T_PDS_DBL_URL_LINKBAIT
6511reuse PDS_DBL_URL_TNB_RUNON
6512reuse T_PDS_DBL_URL_ILLEGAL_CHARS
fc5290a3 6513reuse FROM_2_EMAILS_SHORT
b780ea8d
SI		 6514reuse T_SHORT_BODY_QUOTE
6515reuse T_BODY_QUOTE_MALF_MSGID
6516reuse SPOOFED_FREEMAIL_NO_RDNS
6517reuse T_PDS_URI_HIDDEN_HELO_NO_DOMAIN
dfdd1e08 6518reuse T_PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
46cfc9e2 6519reuse T_PDS_TONAME_EQ_TOLOCAL_SHORT
b780ea8d 6520reuse PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
fc5290a3 6521reuse T_PDS_TONAME_EQ_TOLOCAL_VSHORT
b780ea8d
SI		 6522reuse T_PDS_LITECOIN_ID
6523reuse PDS_BTC_ID
6524reuse PDS_BTC_MSGID
6525reuse __PDS_GOOGLE_DRIVE_SHARE_1
6526reuse __PDS_GOOGLE_DRIVE_SHARE_2
6527reuse __PDS_GOOGLE_DRIVE_SHARE_3
6528reuse __PDS_GOOGLE_DRIVE_SHARE
6529reuse T_GOOGLE_DRIVE_DEAR_SOMETHING
6530reuse __PDS_GOOGLE_DRIVE_FILE
6531reuse __SHORT_BODY_G_DRIVE
6532reuse __SHORT_BODY_G_DRIVE_DYN
31955ede
SI		 6533reuse T_SHORT_BODY_G_DRIVE_DYN
6534reuse T_FROM_NAME_EQ_TO_G_DRIVE
b780ea8d
SI		 6535##} reuse_sandbox
6536
6537
6538uri __128_ALNUM_URI m;[/?][0-9a-z]{128,}$;i
6539
6540uri __128_HEX_URI m,/[0-9a-f]{128},
6541
6542uri __128_LC_URI m;[/?][a-z]{128,}$;
6543
6544uri __45_ALNUM_IMG m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g)$;i
6545
6546uri __45_ALNUM_URI m;[/?][0-9a-z]{45,}$;i
6547
6548meta __45_ALNUM_URI_O __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI
6549
fc5290a3
SI		 6550body __4BYTE_UTF8_WORD /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
6551tflags __4BYTE_UTF8_WORD multiple maxhits=10
6552
6553meta __4BYTE_UTF8_WORD_9 __4BYTE_UTF8_WORD > 9
6554
6555header __4BYTE_UTF8_WORD_FROM From:name =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
6556
31955ede
SI		 6557header __4BYTE_UTF8_WORD_SUBJ Subject =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
6558
b780ea8d
SI		 6559uri __64_ANY_URI m;[/?]\w{64,}$;i
6560
6561body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i
6562
6563body __ACCESS_REVOKE /(?:(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)|Ihre Kreditkarte wird gesperrt)/i
6564
6565body __ACCESS_SUSPENDED /\b(?:(?:access|account|e?-?mails) (?:suspension|(?:has|have) (?:been )?(?:temporar(?:il)?y (?:been )?)?(?:suspended|blocked|locked|blacklisted))|suspend (?:you from|your) access(?:ing)?|suspen(?:sion|se|ded) noti(?:ce|fication))\b/i
6566tflags __ACCESS_SUSPENDED multiple maxhits=2
6567
6568body __ACCOUNT_DISRUPT /\b(?:ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)|(?:avoid|incoming) (?:[a-z]+ ){0,5}e?-?mails? (?:from )?being rejected|avoid (?:account|e?-?mail(?: ?box)? )?(?:shut ?down|suspension|locking|termination|expiration)|will terminate (?:your|its) service)\b/i
6569tflags __ACCOUNT_DISRUPT multiple maxhits=2
6570
6571body __ACCOUNT_ERROR /\b(?:your account (?:is|appears to be) (?:incorrect|missing|in error|invalid))\b/i
6572
6573body __ACCOUNT_REACTIV /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i
6574
6575body __ACCOUNT_SECURE /\b(?:make your (?:"?[^\@\s]+\@\S+"? |e-?mail )?account more secure|Ihre Kreditkarte weist einige Sicherheitsprobleme)\b/i
6576
6577body __ACCOUNT_UPGRADE /\b(?:upgrade (?:of )your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded|Weiter zur Aktualisierung)\b/i
6578
6579meta __ACCT_PHISH (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __PDS_FROM_NAME_TO_DOMAIN) > 1 && !__ACCT_PHISH_MANY
6580
6581meta __ACCT_PHISH_MANY (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + __PDS_FROM_NAME_TO_DOMAIN) > 3
6582
6583body __ACH_CANCELLED_01 /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
6584
6585body __ACH_CANCELLED_02 /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i
6586
6587body __ACH_CANCELLED_03 /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i
6588
6589body __ACH_CANCELLED_04 /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i
6590
6591ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6592 meta __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH
6593endif
6594
6595uri __AC_1SEQC_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/C\//
6596
6597uri __AC_1SEQV_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/V\//
6598
6599uri __AC_CHDSEQ_URI /\/chd[a-z0-9]{20,}/
6600
6601header __AC_FROM_MANY_DOTS From =~ /<(?:\w{2,}\.){2,}\w+@/
6602
6603meta __AC_FROM_MANY_DOTS_MINFP __AC_FROM_MANY_DOTS && !ALL_TRUSTED && !FREEMAIL_FORGED_FROMDOMAIN && !FORGED_GMAIL_RCVD && !__UNSUB_LINK && !__XM_VBULLETIN && !__RDNS_SHORT && !__REPTO_QUOTE && !__FSL_RELAY_GOOGLE && !__HAS_IN_REPLY_TO && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_MX_MESSY && !__CTYPE_MULTIPART_MIXED && !__RCD_RDNS_MTA && !__VIA_ML && !__HAS_ERRORS_TO
6604
6605rawbody __AC_HTML_ENTITY_BONANZA_SHRT_RAW /(?:&[A-Z0-9\#]{2,};\s{0,64}){10}/i
6606
6607uri __AC_LAND_URI /\/land\//
6608
6609uri __AC_LONGSEQ_URI /\/[A-Z0-9]{50,}\.(?:php|html|cgi)\b/
6610
6611uri __AC_MHDSEQ_URI /\/mhd[a-z0-9]{20,}/
6612
6613uri __AC_NDOMLONGNASPX_URI /[A-Za-z]+[0-9]{2}\.[A-Za-z0-9-]+\.me\/(?:[A-Za-z0-9-]{10,}\/){2}[0-9]{8,}\/[A-Za-z]+\.aspx/
6614
6615uri __AC_NUMS_URI /(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(:?php|html)\b/
6616
6617uri __AC_OUTI_URI /\/outi\b/
6618
6619uri __AC_OUTL_URI /\/outl\b/
6620
6621uri __AC_PHPOFFSUB_URI /\/php\/off\/[0-9.]+\/sub\//
6622
6623uri __AC_PHPOFFTOP_URI /\/php\/off\/[0-9.]+\/top\//
6624
6625uri __AC_POSTHTMLEXTRAS /(?:main[0-9]?|mian|start(?:page)?|info(?:page|source|center)?|(?:one|view)?(?:site|source)(?:view|[0-9])?|(?:hub|file)one|index(?:[0-9]|page)?|mediafile|userlink|faction1)[.,]html?\/\w{2,}\b/i
6626
6627uri __AC_POSTIMGEXTRAS /(?:(?:main|external|hosted|new|file)?(?:im(?:g|age)?|user|one)s?-?(?:view(?:er)?|file|map|finder|portal|hub|online)?s?|library|media(?:source|-?files?)?|main|png|view|begin|file|port|space|webpics|host)(?:[-]?(?:[0-9]|one|two|three|four|five|six|seven|eight|nine))?[.,](?:jpe?g|png|gif)\/\w{2,}\b/i
6628
6629meta __AC_POST_EXTRAS (__AC_POSTHTMLEXTRAS || __AC_POSTIMGEXTRAS)
6630
6631uri __AC_PUNCTNUMS_URI /\.com\/[A-Za-z+=\/.?_-]{4,}[0-9]{9,12}[a-z0-9]{1,2}[A-Za-z+=\/.?_-]+[0-9]{7,9}[A-Za-z+=\/.?_-]{6,}[0-9]{7,9}\b/
6632
6633uri __AC_REPORT_URI /\/report\//
6634
6635uri __AC_RMOVE_URI /\/r\/move\/[0-9]+\//
6636
31955ede 6637rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i
b780ea8d
SI		 6638
6639uri __AC_UHDSEQ_URI /\/uhd[a-z0-9]{20,}/
6640
6641uri __AC_UNSUB_URI /\/unsub\//
6642
6643body __ADMAIL /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i
6644
6645body __ADMITS_SPAM /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:e-?mail[- ]+)?[a@]dvert[i1l]sement\b/i
6646
46cfc9e2
SI		 6647body __ADULTDATINGCOMPANY_BODY /\bAdultDatingCompany\b/i
6648
6649header __ADULTDATINGCOMPANY_FROM From:name =~ /\bAdultDatingCompany\b/i
6650
6651header __ADULTDATINGCOMPANY_REPTO Reply-To:name =~ /\bAdultDatingCompany\b/i
6652
fc5290a3 6653meta __ADVANCE_FEE_2_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 1) && !__THREAD_INDEX_GOOD
b780ea8d
SI		 6654
6655meta __ADVANCE_FEE_2_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
6656
6657meta __ADVANCE_FEE_2_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
6658
6659meta __ADVANCE_FEE_2_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW
6660
fc5290a3 6661meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 2) && !__THREAD_INDEX_GOOD
b780ea8d
SI		 6662
6663meta __ADVANCE_FEE_3_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
6664
6665meta __ADVANCE_FEE_3_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
6666
6667meta __ADVANCE_FEE_3_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW
6668
fc5290a3 6669meta __ADVANCE_FEE_4_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 3) && !__THREAD_INDEX_GOOD
b780ea8d
SI		 6670
6671meta __ADVANCE_FEE_4_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
6672
6673meta __ADVANCE_FEE_4_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
6674
6675meta __ADVANCE_FEE_4_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW
6676
fc5290a3 6677meta __ADVANCE_FEE_5_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 4) && !__THREAD_INDEX_GOOD
b780ea8d
SI		 6678
6679meta __ADVANCE_FEE_5_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW
6680
6681meta __ADVANCE_FEE_5_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW
6682
6683meta __ADVANCE_FEE_5_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW
6684
6685body __AFF_004470_NUMBER /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/
6686
6687body __AFF_LOTTERY /(?:lottery|winner)/i
6688
6689meta __AFRICAN_STATE (__NIGERIA || __IVORY_COAST || __BURKINA_FASO || __GHANA || __BENIN || __AFR_UNION)
6690
6691body __AFR_UNION /\bafrican\sunion\b/i
6692
6693body __AGREED_RATIO /\b(?:agreed|sharing)\s(?:ratios?|percent\w+)\b/i
6694
6695meta __ALIBABA_IMG_NOT_RCVD_ALI __URI_IMG_ALICDN && !__HDR_RCVD_ALIBABA
6696
6697header __AMADEUSMS_MUA X-Mailer =~ /^Amadeus Messaging Server/
6698
46cfc9e2 6699meta __AMAZON_IMG_NOT_RCVD_AMZN __URI_IMG_AMAZON && !__HDR_RCVD_AMAZON && !__HDR_RCVD_AMAZON_HELO
b780ea8d
SI		 6700
6701body __AM_DYING /\b(?:am\s(?:\S+\s)?dying|terminally\sill|cancer|en\sphase\sterminale|(?:become|is|devenu|maladie)\sincurable|que\sje\smeurs)\b/i
6702
6703ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6704mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /\bimage\//i
6705endif
6706
6707if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
6708 meta __ANY_TEXT_ATTACH 0
6709endif
6710
6711ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6712 mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
6713endif
6714
6715ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6716mimeheader __ANY_TEXT_ATTACH_DOC Content-Type =~ /text\/\w+/i
6717endif
6718
6719if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
6720 body __APP_DEVELOPMENT /\b(?:mobile apps|(?:apps?|portal) (?:dev(?:elop(?:ment|ed))?|design|test(?:ing)?|U[IX]|maintenance|support)|(?:we |can |have )+(?:design(?:ed)?|buil[dt]|maintain(?:ed)?|created?)(?: over| more than)?[\s0-9]+apps|different platforms|we are (?:[-a-z]+ ){1,4}(?:software|apps?) (?:company|develop(?:ers|ment)))\b/i
6721 tflags __APP_DEVELOPMENT multiple maxhits=6
6722endif
6723
6724if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
6725 meta __APP_DEVELOPMENT_MANY __APP_DEVELOPMENT > 5
6726endif
6727
6728body __ATM_CARD /\b(?:your|the|this|through|via|by\smeans\sof\|that\sa|issue\s(?:(?:to|for)\s)?you\sa)[\s\(](?:\w{1,20}\s)?(?:atm|debit|(?:money[\s-]?gram\s)?fast\scash)(?:\smaster|swift|value?|cash)?[\s\)]card/i
6729
46cfc9e2
SI		 6730ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6731 meta __ATTACH_MSO_MHTML __TEXT_XML_MT && __MSO_THEME_MT && __X_MSO_MT
6732endif
6733
b780ea8d
SI		 6734if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
6735 meta __ATTACH_NAME_NO_EXT 0
6736endif
6737
6738ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6739 mimeheader __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i
6740endif
6741
6742body __ATTN_MAIL_USER /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i
6743
6744body __AUTO_ACCIDENT /auto(?:mobile)? accident/i
6745
6746header __AXB_MO_OL_024C2 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2600\.0000/
6747
b780ea8d
SI		 6748header __AXB_XM_OL_024C2 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2600\.0000/
6749
b780ea8d
SI		 6750body __BACK_SCRATCH /\bmutual+y?\s(?:benefi(?:t|cial)|interest)\b/i
6751
6752body __BANK_DRAFT /\bbank\sdraft/i
6753
6754body __BARRISTER /\b(?:barrister|solicitor at law|barr\.)/i
6755
31955ede
SI		 6756meta __BEBEE_IMG_NOT_RCVD_BB __URI_IMG_BEBEE && !__HDR_RCVD_BEBEE
6757
b780ea8d
SI		 6758body __BENEFICIARY /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])n(?:e|=E9|[\xe9]|[\xc3][\xa9])fi(?:c|sh)i?ai?r(?:y|ies|es?)/i
6759
6760body __BENIN /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])nin\b/i
6761
6762body __BIGNUM_EMAILS /\b(?:thousand|million|\d[,1-9]{0,6}(?:[,0]{2,}k?|k))\s(?:(?!and|or|your|place|baby|suspicious|supportive|subpoenaed)\w+\s)?(?:e-?mail(?:(?![-:.\)\>\]])s?|\saddresses)|fax numbers|leads|names)\b/i
6763tflags __BIGNUM_EMAILS multiple maxhits=5
6764
6765meta __BIGNUM_EMAILS_3 __BIGNUM_EMAILS > 2
6766
6767meta __BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS && __freemail_hdr_replyto
6768
6769if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
6770 body __BITCOIN /\bB[-\s]?i[-\s]?t[-\s]?c[-\s]?o[-\s]?i[-\s]?n\b/i
6771endif
6772
6773ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
6774 body __BITCOIN /<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i
6775endif
6776
6777body __BITCOIN_ID /\b(?<!=)(?:[13](?:(?:[-_=\s][a-km-zA-HJ-NP-Z1-9]){29,34}|[a-km-zA-HJ-NP-Z1-9]{29,34})|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90}|b[-_=\s]c[-_=\s]1(?:[-_=\s][acdefghjklmnpqrstuvwxyz234567890]){30,90})\b/
6778
6779meta __BITCOIN_IMGUR __IMGUR_IMG && __BITCOIN
6780
6781meta __BITCOIN_OBFU_SUBJ __BITCOIN && __SUBJ_OBFU_PUNCT
6782
6783meta __BITCOIN_SPAM_02 __BITCOIN_ID && __BOTH_INR_AND_REF
6784
6785meta __BITCOIN_SPAM_05 __BITCOIN_ID && __SPOOFED_FREEMAIL
6786
6787meta __BITCOIN_SPAM_07 __BITCOIN_ID && __TO_EQ_FROM
6788
6789meta __BITCOIN_WFH_01 __BITCOIN && __WFH_01
6790
6791meta __BITCOIN_XPRIO __XPRIO && (__BITCOIN || __BITCOIN_ID)
6792
21dcadbf
SI		 6793meta __BODY_SINGLE_URI (__BODY_SINGLE_WORD && __HAS_ANY_URI)
6794
6795meta __BODY_SINGLE_WORD __BODY_TEXT_LINE < 3 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1)
6796
b780ea8d
SI		 6797body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s
6798
6799body __BODY_TEXT_LINE /^\s*\S/
6800tflags __BODY_TEXT_LINE multiple maxhits=3
6801
6802meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE
6803
6804if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
6805 full __BOGUS_MIME_HDR /\bContent-[XYZ]-[a-z]{6,15}:\s+[a-z]{6,15}\b/
6806 tflags __BOGUS_MIME_HDR multiple maxhits=8
6807endif
6808
6809if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
6810 meta __BOGUS_MIME_HDR_MANY __BOGUS_MIME_HDR > 7
6811endif
6812
6813header __BOGUS_MIME_VER_02 MIME-Version =~ /^(?!.*\b1\.0\b).+/
6814
6815meta __BOGUS_MSM_HDRS __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX
6816
6817body __BONUS_LAST_DAY /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i
6818
6819meta __BOTH_INR_AND_REF (__XM_BALSA || __XM_CALYPSO || __XM_FORTE || __XM_MHE || __XM_SQRLMAIL || __XM_SYLPHEED || __THEBAT_MUA || __XM_VM || __XM_XIMEVOL || __UA_KMAIL || __UA_MOZ5 || __UA_OPERA7)
6820
6821body __BTC_OBFU_2 /\b\W{0,10}b(?!it[-\s]?coin)\W{0,10}i\W{0,10}t\W{0,10}c\W{0,10}o\W{0,10}i\W{0,10}n\W{0,10}\b/i
6822
6823body __BTC_OBFU_3 /\b\W{0,10}b(?!tc\b)\W{0,10}t\W{0,10}c\W{0,10}\b/i
6824
6825if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
6826 body __BTC_OBFU_4 /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i
6827endif
6828
6829body __BTC_OBFU_5 /&\#x62;&\#x69;&\#x74;&\#x63;&\#x6F;&\#x69;&\#x6E;/i
6830
6831rawbody __BUGGED_IMG m{<img\b[^>]{0,100}\ssrc=.?https?://[^>]{6,80}(?:\?[^>]{8}|[^a-z](?![a-f]{3}|20\d\d[01]\d[0-3]\d)[0-9a-f]{8})}i
6832
6833body __BURKINA_FASO /\bburkina\s?faso\b/i
6834
6835body __CANT_SEE_AD_1 /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i
6836
6837body __CANT_SEE_AD_2 /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i
6838
6839body __CAN_HELP /\bcan help\b/i
6840
6841body __CASHPRZ /cash prize of/
6842
6843body __CHARITY /\b(?:charit(?:y|[ai]ble)|orphans?|homeless|orphelins|sans\sabri)\b/i
6844
6845body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here|(?:please|automatically) reduce (?:your|the) e?-?mail ?box size|reduce (?:your |the )?(?:e?-?mail(?: ?box)? )?size automatically)\b/i
6846tflags __CLEAN_MAILBOX multiple maxhits=2
6847
fc5290a3
SI		 6848body __CLICK_HERE /\bclick\shere\b/i
6849
b780ea8d
SI		 6850rawbody __COMMENT_GIBBERISH /<!--(?:\s{1,10}[-\w'"]{1,40}){100}/im
6851
6852body __COMPENSATION /\b(?:compensat(?:e|ion)|recompensed?|ausgleich)\b/i
6853
6854body __CONTACT_ATTY /\bcontact(?:er)?\s(?:my|(?:de\s)?mon)\s(?:barrister|attou?rney|lawyer|avocat|gestionnaire)\b/i
6855
6856body __CONTACT_YOU /\b(?:contact(?:ing)\syou|vous\scontacter?)\b/i
6857
6858rawbody __CONTENT_AFTER_HTML /<\/html>\s*[a-z0-9]/i
6859
6860if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
6861 body __COPY_PASTE_EN /Copy (and|\+|\&) paste/i
6862endif
6863
6864ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
6865 body __COPY_PASTE_EN /<C><O><P><Y> (?:<A><N><D>|\+|\&) <P><A><S><T><E>/i
6866endif
6867
6868body __COURIER /\bcourier\s(?:company|service)\b/i
6869
6870header __CR_IN_SUBJ Subject:raw =~ /\015/
6871
6872header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w+/i
6873
6874header __CTYPE_MULTIPART_MIXED Content-Type =~ /multipart\/mixed/i
6875
6876if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
6877 meta __CTYPE_NULL 0
6878endif
6879
6880ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6881 mimeheader __CTYPE_NULL Content-Type =~ /^\s*;/
6882endif
6883
6884ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6885mimeheader __CTYPE_ONETAB_GIF Content-Type:raw =~ /^image\/gif;\n\tname=\".+?\"$/s
6886endif
6887
6888header __CT_ENCRYPTED Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/
6889
6890ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6891mimeheader __CT_UTF7 Content-Type =~ /\bcharset=.?utf-7\b/i
6892endif
6893
6894header __DATE_LOWER ALL =~ /date:\s\S{5}/
6895
6896if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
6897 body __DAY_I_EARNED /day,?\sI\s(?:earned|got|received|made|brought\sin)\s\$\s?\d{3}/i
6898 tflags __DAY_I_EARNED multiple maxhits=4
6899endif
6900
6901body __DBLCLAIM /avoid double claiming/
6902
6903body __DEAD_PARENT /\b(?:my|meu)\s(?:(?:deceased|dead)\s(?:father|mother|husband)|(?:father|dad|mother|mom|husband|marido)(?:'?s)?\s(?:death|died|passed\saway|murder|was\s(?:killed|murdered|poisoned)|faleceu))/i
6904
6905body __DEAL /\b(?:(?:business|financial|this|the|mutual|die(?:se)?r?|cette|profitable)\s(?:deal|transa[ck]tion|proposal|off[er]{2}|venture|suggestion|partnership)|your\spartnership)/i
6906
6907body __DECEASED /\b(?:the|my|your|der|du|le|meu?)\s(?:deceased|late|verstorbenen|d(?:i|e|=E9|[\xe9]|[\xc3][\xa9])funto?|d(?:e|=E9|[\xe9]|[\xc3][\xa9])nt|falecido)\b/i
6908
6909body __DESTROY_ME /\b(?:destroy|hunt|quemar)\sm[eyi]\b/i
6910
6911body __DESTROY_YOU /\b(?:destroy\syou|deine Zukunft zerst\S{1,3}ren)/i
6912
6913body __DIED_IN /\bdied\sin\b/i
6914
6915body __DIPLOMATIC /\bdiplomatic\b/i
6916
6917ifplugin Mail::SpamAssassin::Plugin::AskDNS
6918tflags __DKIMWL_BLOCKED net
6919endif
6920
6921ifplugin Mail::SpamAssassin::Plugin::AskDNS
6922tflags __DKIMWL_BULKMAIL net
6923endif
6924
6925ifplugin Mail::SpamAssassin::Plugin::AskDNS
6926tflags __DKIMWL_FREEMAIL net
6927endif
6928
6929ifplugin Mail::SpamAssassin::Plugin::AskDNS
6930tflags __DKIMWL_WL_BL net
6931endif
6932
6933ifplugin Mail::SpamAssassin::Plugin::AskDNS
6934tflags __DKIMWL_WL_HI net
6935endif
6936
6937ifplugin Mail::SpamAssassin::Plugin::AskDNS
6938tflags __DKIMWL_WL_MED net
6939endif
6940
6941ifplugin Mail::SpamAssassin::Plugin::AskDNS
6942tflags __DKIMWL_WL_MEDHI net
6943endif
6944
6945header __DKIM_EXISTS exists:DKIM-Signature
6946tflags __DKIM_EXISTS nice
6947
6948body __DLND_ATTACH /\bdownload\sthe\sattach(?:ed|ment)\b/i
6949
6950if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
6951 meta __DOC_ATTACH 0
6952endif
6953
6954ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6955 meta __DOC_ATTACH (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2)
6956endif
6957
6958if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
6959 meta __DOC_ATTACH_FN1 0
6960endif
6961
6962ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6963 mimeheader __DOC_ATTACH_FN1 Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i
6964endif
6965
6966if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
6967 meta __DOC_ATTACH_FN2 0
6968endif
6969
6970ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6971 mimeheader __DOC_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i
6972endif
6973
6974if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
6975 meta __DOC_ATTACH_MT 0
6976endif
6977
6978ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
6979 mimeheader __DOC_ATTACH_MT Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i
6980endif
6981
6982body __DORMANT_ACCT /\b(?:(?:dormant|abandoned|left\s?over)\s(?:account|fund|transaction|sum|deposit)|fonds\sdorment)/i
6983
6984body __DOS_BODY_FRI /\bfri(?:day)?\b/i
6985
6986body __DOS_BODY_MON /\bmon(?:day)?\b/i
6987
6988body __DOS_BODY_SAT /\bsat(?:day)?\b/i
6989
6990body __DOS_BODY_STOCK /\bstock\b/i
6991
6992body __DOS_BODY_SUN /\bsun(?:day)?\b/i
6993
6994body __DOS_BODY_THU /\bthu(?:r(?:s(?:day)?)?)?\b/i
6995
6996body __DOS_BODY_TICKER /\b[A-Z]{4}\.(?:OB|PK)\b/
6997
6998body __DOS_BODY_TUE /\btue(?:s(?:day)?)?\b/i
6999
7000body __DOS_BODY_WED /\bwed(?:nesday)?\b/i
7001
7002body __DOS_COMING_TO_YOUR_PLACE /I (?:am|might(?: be)?) c[a-z]?o[a-z]?m[a-z]?(?:i[a-z]?n[a-z]?g[a-z]{0,2}|e down) to y[!a-z]{2,4}r (?:city|place[a-z]{0,2}|co[a-z]?u[a-z]?n[a-z]?t[a-z]?ry) in (?:f[a-z]?e[a-z]?w|\d{1,2}) (?:day|week)s/
7003
7004body __DOS_CORRESPOND_EMAIL /correspond with me using my email/
7005
7006meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT
7007
7008meta __DOS_DIRECT_TO_MX_UNTRUSTED __DOS_DIRECT_TO_MX && !ALL_TRUSTED
7009
7010body __DOS_DROP_ME_A_LINE /Drop me a line at/
7011
7012body __DOS_EMAIL_DIRECTLY /(?:Email m[a-z]?e|address) direc(?:tl|lt)y at/
7013
7014body __DOS_FIN_ADVANTAGE /\bfinancial advantage/i
7015
7016uri __DOS_HAS_ANY_URI /^\w+:\/\//
7017
7018header __DOS_HAS_LIST_ID exists:List-ID
7019
7020header __DOS_HAS_LIST_UNSUB exists:List-Unsubscribe
7021
7022header __DOS_HAS_MAILING_LIST exists:Mailing-List
7023
7024body __DOS_HI /^Hi,$/
7025
7026body __DOS_I_AM_25 /I a.?m 25/
7027
7028body __DOS_I_DRIVE_A /I drive a/
7029
7030body __DOS_LET_GO_JOB /I was (?:let go|fired|layed off|dismissed) from a job I h(?:el|a)d for (?:2\d years|\d{3} months)/
7031
7032body __DOS_LINK /\blink\b/
7033
7034body __DOS_MEET_EACH_OTHER /(?:meet each other|[Mm]ay ?be we can meet)/
7035
7036header __DOS_MSGID_DIGITS10 Message-ID =~ /<1[013-9]\d{8}\@.*>/
7037
7038header __DOS_MSGID_DIGITS9 Message-ID =~ /<\d{9}\@.*>/
7039
7040body __DOS_MY_OLD_JOB /my old job/
7041
7042body __DOS_PERSONAL_EMAIL /personal email at/
7043
7044header __DOS_RCVD_FRI Received =~ / Fri, /
7045
7046header __DOS_RCVD_MON Received =~ / Mon, /
7047
7048header __DOS_RCVD_SAT Received =~ / Sat, /
7049
7050header __DOS_RCVD_SUN Received =~ / Sun, /
7051
7052header __DOS_RCVD_THU Received =~ / Thu, /
7053
7054header __DOS_RCVD_TUE Received =~ / Tue, /
7055
7056header __DOS_RCVD_WED Received =~ / Wed, /
7057
7058meta __DOS_REF_2_WK_DAYS (__DOS_RCVD_MON && __DOS_BODY_WED) || (__DOS_RCVD_TUE && __DOS_BODY_THU) || (__DOS_RCVD_WED && __DOS_BODY_FRI) || (__DOS_RCVD_THU && __DOS_BODY_MON) || (__DOS_RCVD_FRI && __DOS_BODY_TUE) || (__DOS_RCVD_SAT && __DOS_BODY_TUE) || (__DOS_RCVD_SUN && __DOS_BODY_TUE)
7059
7060meta __DOS_REF_NEXT_WK_DAY (__DOS_RCVD_MON && __DOS_BODY_TUE) || (__DOS_RCVD_TUE && __DOS_BODY_WED) || (__DOS_RCVD_WED && __DOS_BODY_THU) || (__DOS_RCVD_THU && __DOS_BODY_FRI) || (__DOS_RCVD_FRI && __DOS_BODY_MON) || (__DOS_RCVD_SAT && __DOS_BODY_MON) || (__DOS_RCVD_SUN && __DOS_BODY_MON)
7061
7062meta __DOS_REF_TODAY (__DOS_RCVD_MON && __DOS_BODY_MON) || (__DOS_RCVD_TUE && __DOS_BODY_TUE) || (__DOS_RCVD_WED && __DOS_BODY_WED) || (__DOS_RCVD_THU && __DOS_BODY_THU) || (__DOS_RCVD_FRI && __DOS_BODY_FRI) || (__DOS_RCVD_SAT && __DOS_BODY_SAT) || (__DOS_RCVD_SUN && __DOS_BODY_SUN)
7063
7064header __DOS_RELAYED_EXT ALL-EXTERNAL =~ /(?:^|\n)[Rr][eE][cC][eE][iI][vV][eE][dD]:\s.+\n[Rr][eE][cC][eE][iI][vV][eE][dD]:\s/s
7065
7066header __DOS_SINGLE_EXT_RELAY X-Spam-Relays-External =~ /^\[ [^\]]+ \]$/
7067
7068body __DOS_STEADY_COURSE /\bsteady (?:and increasing )?course\b/i
7069
7070body __DOS_STRONG_CF /\bstrong cash flow/i
7071
7072body __DOS_TAKING_HOME /Taking home \d (?:digit level|figures) in \d{1,2} months/
7073
7074body __DOS_WRITE_ME_AT /[Ww].?r.?i.?t.?e me at/
7075
7076meta __DOTGOV_IMAGE __URI_DOTGOV && __REMOTE_IMAGE
7077
7078meta __DYNAMIC_IMGUR __IMGUR_IMG && __RDNS_DYNAMIC_IPADDR
7079
7080body __EARLY_DEMISE /\buntimely\sdeath\b/i
7081
b780ea8d
SI		 7082meta __EBAY_IMG_NOT_RCVD_EBAY __URI_IMG_EBAY && !__HDR_RCVD_EBAY
7083
7084meta __EMAIL_PHISH (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN) > 1) && !__EMAIL_PHISH_MANY
7085
46cfc9e2 7086meta __EMAIL_PHISH_MANY (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ) > 3)
b780ea8d
SI		 7087
7088meta __EMPTY_BODY __BODY_TEXT_LINE < 2 && !__SMIME_MESSAGE
7089
7090body __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:a-z{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i
7091
b780ea8d
SI		 7092header __ENVFROM_GOOG_TRIX EnvelopeFrom =~ /(?:@|=)trix\.bounces\.google\.com(?:$|=)/
7093
7094meta __ENVFROM_GOOG_TRIX_SPAMMY __ENVFROM_GOOG_TRIX && (__GOOGLE_DOC_SUSP || FREEMAIL_REPLYTO_END_DIGIT || __ADVANCE_FEE_2_NEW || FORGED_GMAIL_RCVD || LOTS_OF_MONEY || __HAS_X_SOURCE_DIR )
7095
7096if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7097 meta __EXE_ATTACH 0
7098endif
7099
7100ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7101 mimeheader __EXE_ATTACH Content-Type =~ /\.exe\b/i
7102endif
7103
7104if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7105 body __EXPLOSIVE_DEVICE /\b(?:explosive\sdevice|bomb)\b/i
7106endif
7107
7108ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7109 body __EXPLOSIVE_DEVICE /(?:^|\s)(?:<E><X><P><L><O><S><I><V><E>\s<D><E><V><I><C><E>|<B><O><M><B>)\s/i
7110endif
7111
7112meta __EXTORT_MANY (__MY_MALWARE + __PAY_ME + __MY_VICTIM + __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE + __YOUR_PASSWORD + LOCALPART_IN_SUBJECT + __DESTROY_ME + __DESTROY_YOU + __EXPLOSIVE_DEVICE + __PAXFUL + __HUSH_HUSH) > 3
7113
7114body __EX_CUSTOMER /\b(?:(?:dead|deceased|late|verstorbenen|death\sof\sthe)\s(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|depositor|mr\.|kunde|engr?\.?)|titulaire\sdu\scompte\sest\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|invest[eo]r\sdied|(?:e|=E9|[\xe9]|[\xc3][\xa9])tranger\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|mr\.|kunde|engr?\.?)\s(?:[a-z]{1,10}\s)?(?:dead|deceased|verstorbenen))/i
7115
7116if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7117 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7118 body __E_LIKE_LETTER /<lcase_e>/
7119 tflags __E_LIKE_LETTER multiple maxhits=320
7120endif
7121endif
7122
31955ede
SI		 7123meta __FACEBOOK_IMG_NOT_RCVD_FB __URI_IMG_FACEBOOK && !__HDR_RCVD_FACEBOOK
7124
b780ea8d
SI		 7125body __FAILED_LOGINS /unsuc+es+ful log-?[io]n at+empts/i
7126
7127body __FBI_BODY_SHOUT_1 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/
7128
7129rawbody __FBI_BODY_SHOUT_2 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/m
7130
7131header __FBI_FM_DOM From:addr =~ /\bfbi\.gov$/
7132
7133header __FBI_FM_NAME From:name =~ /federal\sbureau\sof\sinvestigation/i
7134
7135header __FBI_RCVD_DOM X-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov /
7136
7137meta __FBI_SPOOF (__FBI_FM_NAME || __FBI_FM_DOM || __FBI_BODY_SHOUT_1 || __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __HAS_REPLY_TO
7138
7139body __FB_COST /\bcost\b/i
7140
7141body __FB_NUM_PERCNT /\d\s?\%/
7142
7143body __FB_S_PRICE /pri{1,2}c[a-z]?e/i
7144
7145body __FB_S_STOCK /\bstock/i
7146
7147body __FB_TOUR /\btour/i
7148
7149body __FEES /\b(?:security|safe\w*|courier|registration|pay|paid|up-?front|processing|delivery|transfer|keeping)[\s\w]{0,15}\s(?:fee|charge)s?\b/i
7150
7151body __FIFTY_FIFTY /\b(?:50|fifty)(?:%?[\/:]50%?|%|\spercent)/i
7152
7153if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7154 meta __FILL_THIS_FORM 0
7155endif
7156
7157ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7158 meta __FILL_THIS_FORM (__FILL_THIS_FORM_LONG || __FILL_THIS_FORM_PARTIAL > 4 || __FILL_THIS_FORM_PARTIAL_RAW > 4)
7159endif
7160
7161if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7162 meta __FILL_THIS_FORM_FRAUD_PHISH 0
7163endif
7164
7165ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7166 meta __FILL_THIS_FORM_FRAUD_PHISH (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FILL_THIS_FORM_FRAUD_PHISH1 || __EMAIL_PHISH || __ACCT_PHISH)
7167endif
7168
7169if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7170 meta __FILL_THIS_FORM_FRAUD_PHISH1 0
7171endif
7172
7173ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7174 body __FILL_THIS_FORM_FRAUD_PHISH1 /<FF_YOUR>(?:<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
7175endif
7176
7177if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7178 meta __FILL_THIS_FORM_LOAN 0
7179endif
7180
7181ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7182 meta __FILL_THIS_FORM_LOAN __FILL_THIS_FORM && __FILL_THIS_FORM_LOAN1
7183endif
7184
7185if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7186 meta __FILL_THIS_FORM_LOAN1 0
7187endif
7188
7189ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7190 body __FILL_THIS_FORM_LOAN1 /<FF_YOUR><FF_L1><FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i
7191endif
7192
7193if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7194 meta __FILL_THIS_FORM_LONG 0
7195endif
7196
7197ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7198 meta __FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG1 || __FILL_THIS_FORM_LONG2
7199endif
7200
7201if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7202 meta __FILL_THIS_FORM_LONG1 0
7203endif
7204
7205ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7206 body __FILL_THIS_FORM_LONG1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
7207endif
7208
7209if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7210 meta __FILL_THIS_FORM_LONG2 0
7211endif
7212
7213ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7214 body __FILL_THIS_FORM_LONG2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i
7215endif
7216
7217if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7218 meta __FILL_THIS_FORM_PARTIAL 0
7219endif
7220
7221ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7222 body __FILL_THIS_FORM_PARTIAL /^\s?<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20){1,4}$)/im
7223 tflags __FILL_THIS_FORM_PARTIAL multiple maxhits=5
7224endif
7225
7226if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7227 meta __FILL_THIS_FORM_PARTIAL_RAW 0
7228endif
7229
7230ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7231 rawbody __FILL_THIS_FORM_PARTIAL_RAW /^(?>\s{0,50})<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20|&nbsp;|<\/\w+>){0,4}$)/im
7232 tflags __FILL_THIS_FORM_PARTIAL_RAW multiple maxhits=5
7233endif
7234
7235if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7236 meta __FILL_THIS_FORM_SHORT 0
7237endif
7238
7239ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7240 meta __FILL_THIS_FORM_SHORT !__FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT1 || __FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_PARTIAL > 2 || __FILL_THIS_FORM_PARTIAL_RAW > 2)
7241endif
7242
7243if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7244 meta __FILL_THIS_FORM_SHORT1 0
7245endif
7246
7247ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7248 body __FILL_THIS_FORM_SHORT1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
7249endif
7250
7251if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7252 meta __FILL_THIS_FORM_SHORT2 0
7253endif
7254
7255ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7256 body __FILL_THIS_FORM_SHORT2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i
7257endif
7258
7259header __FLASHMAIL_MUA X-Mailer =~ /^NetEase Flash Mail \d/
7260
7261if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7262 meta __FM_MY_PRICE __FB_S_PRICE
7263endif
7264
7265ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7266 meta __FM_MY_PRICE (__FB_S_PRICE || __FRT_PRICE)
7267endif
7268
7269meta __FM_TO_ALL_NUMS __FROM_ALL_NUMS && __TO_ALL_NUMS
7270
7271if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7272 rawbody __FONT_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w/i
7273 tflags __FONT_INVIS multiple maxhits=11
7274endif
7275
7276if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7277 meta __FONT_INVIS_10 __FONT_INVIS > 10
7278endif
7279
7280if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7281 meta __FONT_INVIS_2 __FONT_INVIS > 2
7282endif
7283
7284if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7285 meta __FONT_INVIS_5 __FONT_INVIS > 5
7286endif
7287
7288if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7289 meta __FONT_INVIS_CENTER __FONT_INVIS && __TAG_EXISTS_CENTER
7290endif
7291
7292if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7293 meta __FONT_INVIS_DIRECT __FONT_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED
7294endif
7295
7296if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7297 meta __FONT_INVIS_DOTGOV __FONT_INVIS && __URI_DOTGOV
7298endif
7299
7300if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7301 meta __FONT_INVIS_HTML_NOHTML __FONT_INVIS && HTML_MIME_NO_HTML_TAG
7302endif
7303
7304if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7305 meta __FONT_INVIS_LONG_LINE __FONT_INVIS && __LONGLINE
7306endif
7307
7308if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7309 meta __FONT_INVIS_MANY __FONT_INVIS_2
7310endif
7311
7312if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7313 meta __FONT_INVIS_MSGID __FONT_INVIS && __MSGID_OK_HOST
7314endif
7315
7316if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7317 meta __FONT_INVIS_NORDNS __FONT_INVIS && __RDNS_NONE
7318endif
7319
7320if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7321 meta __FONT_INVIS_SINGLET __FONT_INVIS && __HTML_SINGLET
7322endif
7323
7324header __FORGED_MUA_POSTFIX0 User-Agent =~ /Postfix/
7325
7326header __FORGED_MUA_POSTFIX1 X-Mailer =~ /Postfix/
7327
31955ede
SI		 7328header __FORGED_RELAY_MUA_TO_MX X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10|127|169\.254|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.)| )[^\[]+$/
7329
b780ea8d
SI		 7330meta __FORGED_TBIRD_IMG __MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0D
7331describe __FORGED_TBIRD_IMG Possibly forged Thunderbird image spam
7332
fc5290a3 7333meta __FORM_FRAUD (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 1)
b780ea8d 7334
fc5290a3 7335meta __FORM_FRAUD_3 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3)
b780ea8d 7336
fc5290a3 7337meta __FORM_FRAUD_5 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)
b780ea8d 7338
b780ea8d
SI		 7339if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7340 body __FOR_SALE_LTP /00\.? (?:less 10%|LTP)/i
7341 tflags __FOR_SALE_LTP multiple maxhits=11
7342endif
7343
7344if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7345 meta __FOR_SALE_LTP_MANY __FOR_SALE_LTP > 10
7346endif
7347
7348if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7349 body __FOR_SALE_NET /00\.? NET/i
7350 tflags __FOR_SALE_NET multiple maxhits=11
7351endif
7352
7353if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7354 meta __FOR_SALE_NET_MANY __FOR_SALE_NET > 10
7355endif
7356
7357if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7358 body __FOR_SALE_OBO /\bor best offer\b/i
7359 tflags __FOR_SALE_OBO multiple maxhits=6
7360endif
7361
7362if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7363 meta __FOR_SALE_OBO_MANY __FOR_SALE_OBO > 5
7364endif
7365
7366if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7367 body __FOR_SALE_PRC_100K /\bprice:? \$\d\d\d,\d\d\d/i
7368 tflags __FOR_SALE_PRC_100K multiple maxhits=11
7369endif
7370
7371if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7372 meta __FOR_SALE_PRC_100K_MANY __FOR_SALE_PRC_100K > 5
7373endif
7374
7375if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7376 body __FOR_SALE_PRC_10K /\bprice:? \$\d\d,\d\d\d/i
7377 tflags __FOR_SALE_PRC_10K multiple maxhits=11
7378endif
7379
7380if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7381 meta __FOR_SALE_PRC_10K_MANY __FOR_SALE_PRC_10K > 10
7382endif
7383
7384if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7385 body __FOR_SALE_PRC_1K /\bprice:? \$\d,?\d\d\d[.\s]/i
7386 tflags __FOR_SALE_PRC_1K multiple maxhits=11
7387endif
7388
7389if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7390 meta __FOR_SALE_PRC_1K_MANY __FOR_SALE_PRC_1K > 10
7391endif
7392
7393if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7394 rawbody __FOR_SALE_PRC_EOL /\s\$\d{1,3},\d00(?:\.00)?$/m
7395 tflags __FOR_SALE_PRC_EOL multiple maxhits=11
7396endif
7397
7398if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7399 meta __FOR_SALE_PRC_EOL_MANY __FOR_SALE_PRC_EOL > 10
7400endif
7401
7402if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7403 meta __FOR_SALE_PRC_MANY (__FOR_SALE_PRC_1K + __FOR_SALE_PRC_10K + __FOR_SALE_PRC_100K) > 20
7404endif
7405
7406body __FOUND_YOU /\b(?:I|we)\sfound\syour?\b/i
7407
7408body __FRAUD /\b(?:de)?fraud/i
7409
7410body __FRAUD_IOV /\b(?:no risks?|risky?[- ]{0,3}free|free of risks?|100% safe|v\S{1,3}llig Risikofrei ist)\b/i
7411
7412body __FRAUD_PTX /\b(?:ass?ass?inat(?:ed|ion)|murder(?:e?d)?|poison(?:e?d)?|kill(?:ed|ing|ers)\b[^.]{0,99}\b(?:war veterans|rebels?)|les tueurs)\b/i
7413
7414body __FRAUD_XWW /\b(?:honest(?:ly)?\sco(?:-?operat(?:e|ion)|llaborat(?:e|ion))|ehrliche\szusammenarbeit|sichere [kc]o+p[eo]ration|col+aboration\swith\sme)\b/i
7415
7416ifplugin Mail::SpamAssassin::Plugin::FreeMail
7417 header __FREEMAIL_DISPTO eval:check_freemail_header('Disposition-Notification-To')
7418endif
7419
7420ifplugin Mail::SpamAssassin::Plugin::FreeMail
7421 meta __FREEMAIL_DOC_PDF (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
7422endif
7423
7424meta __FREEMAIL_WFH_01 (FREEMAIL_FROM || FREEMAIL_REPLYTO) && __WFH_01
7425
7426meta __FREEM_FRNUM_UNICD_EMPTY FREEMAIL_FROM && __FROM_ALL_NUMS && __FROM_ENCODED_B64 && __SUBJECT_ENCODED_B64 && __EMPTY_BODY
7427
7428if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
7429 meta __FROM_41_FREEMAIL 0
7430endif
7431
7432ifplugin Mail::SpamAssassin::Plugin::FreeMail
7433 meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED
7434 describe __FROM_41_FREEMAIL Sent from Africa + freemail provider
7435endif
7436
7437if (version >= 3.004002)
7438ifplugin Mail::SpamAssassin::Plugin::WLBLEval
7439header __FROM_ADDRLIST_BANKS eval:check_from_in_list('BANKS')
7440endif
7441endif
7442
7443if (version >= 3.004002)
7444ifplugin Mail::SpamAssassin::Plugin::WLBLEval
7445header __FROM_ADDRLIST_GOV eval:check_from_in_list('GOV')
7446endif
7447endif
7448
7449if (version >= 3.004002)
7450ifplugin Mail::SpamAssassin::Plugin::WLBLEval
7451header __FROM_ADDRLIST_PAYPAL eval:check_from_in_list('PAYPAL')
7452endif
7453endif
7454
7455if (version >= 3.004002)
7456ifplugin Mail::SpamAssassin::Plugin::WLBLEval
7457header __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD')
7458endif
7459endif
7460
7461header __FROM_ADDR_WS From:addr =~ /\s/
7462
7463header __FROM_ADMIN From =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i
7464
7465header __FROM_ALL_HEX From:addr =~ /^(?!(?:19|20)\d\d[01]\d[0-3]\d)(?![0-9a-f]*[a-f]{3})[0-9a-f]+\@/
7466
7467header __FROM_ALL_NUMS From:addr =~ /^\d+@/
7468
7469header __FROM_DNS From =~ /(?<![^\w.-])dns(?:admin)?\@/i
7470
7471meta __FROM_DOM_ADMIN __FROM_ADMIN && __PDS_FROM_NAME_TO_DOMAIN
7472
7473header __FROM_DOM_INFO From:addr =~ /\.info$/i
7474
7475header __FROM_EBAY From:addr =~ /\@ebay\.com$/i
7476
46cfc9e2
SI		 7477header __FROM_EQ_ORG_1 ALL =~ /\nFrom: "?([^\n]+)"? <[^>]+>\n.*Organization: \1\n/ism
7478
b780ea8d
SI		 7479ifplugin Mail::SpamAssassin::Plugin::FreeMail
7480 ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
7481 header __FROM_EQ_REPLY eval:check_fromname_equals_replyto()
7482endif
7483endif
7484
7485if (version >= 3.004001)
7486ifplugin Mail::SpamAssassin::Plugin::AskDNS
7487tflags __FROM_FMBLA_NDBLOCKED net
7488endif
7489endif
7490
7491if (version >= 3.004001)
7492ifplugin Mail::SpamAssassin::Plugin::AskDNS
7493tflags __FROM_FMBLA_NEWDOM net
7494endif
7495endif
7496
7497if (version >= 3.004001)
7498ifplugin Mail::SpamAssassin::Plugin::AskDNS
7499tflags __FROM_FMBLA_NEWDOM14 net
7500endif
7501endif
7502
7503if (version >= 3.004001)
7504ifplugin Mail::SpamAssassin::Plugin::AskDNS
7505tflags __FROM_FMBLA_NEWDOM28 net
7506endif
7507endif
7508
7509header __FROM_FULL_NAME From:name =~ /^[^a-z[:punct:][:cntrl:]\d\s][^[:punct:][:cntrl:]\d\s]*[[:punct:]\s]+[^a-z[:punct:][:cntrl:]\d\s]/
7510tflags __FROM_FULL_NAME nice
7511
7512header __FROM_INFO From =~ /(?<![^\w.-])info\@/i
7513
7514header __FROM_LOWER ALL =~ /from:\s\S{5}/
7515
7516header __FROM_MISSPACED From =~ /^\s*"[^"]*"</
7517
7518meta __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __LCL__ENV_AND_HDR_FROM_MATCH
7519
7520if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
7521 meta __FROM_MISSP_FREEMAIL 0
7522endif
7523
7524ifplugin Mail::SpamAssassin::Plugin::FreeMail
7525 meta __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
7526endif
7527
7528meta __FROM_MISSP_REPLYTO __FROM_RUNON && __HAS_REPLY_TO
7529
7530if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
7531 meta __FROM_MULTI_NORDNS __PDS_FROM_2_EMAILS && __RDNS_NONE
7532endif
7533
7534if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
7535 meta __FROM_MULTI_SHORT_IMG __PDS_FROM_2_EMAILS && (HTML_IMAGE_ONLY_16 || HTML_SHORT_LINK_IMG_2 || __HTML_IMG_ONLY)
7536endif
7537
46cfc9e2
SI		 7538header __FROM_NAME_APPLECOM From:name =~ /\bapple\.com\b/i
7539
7540header __FROM_NAME_EBAYCOM From:name =~ /\bebay\.com\b/i
7541
b780ea8d
SI		 7542full __FROM_NAME_IN_MSG /^From:\s+([^<]\S+\s\S+)\s(?=.{1,2048}^\1\r?$)/sm
7543
46cfc9e2
SI		 7544header __FROM_NAME_PAYPALCOM From:name =~ /\bpaypal\.com\b/i
7545
b780ea8d
SI		 7546header __FROM_PAYPAL From:addr =~ /\@paypal\.com$/i
7547
7548header __FROM_RUNON From =~ /\S+<\w+/
7549
7550header __FROM_RUNON_UNCODED From:raw =~ /\S+(?<!\?=)<\w+/
7551
7552header __FROM_WEB_DAEMON From:addr =~ /(?:apache|www|web|tomcat|\biis\b).*\@/i
7553
7554header __FROM_WORDY From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/
7555
7556if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7557 meta __FRT_PRICE 0
7558endif
7559
7560ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7561 body __FRT_PRICE /<inter SP2><post P2>\b(?!price)<P><R><IX><C><E>\b/i
7562endif
7563
7564rawbody __FR_SPACING_8 /[a-z0-9]{6}\s{8}[a-z0-9]{5}/i
7565
7566header __FSL_HAS_LIST_UNSUB exists:List-Unsubscribe
7567
7568header __FSL_HELO_BARE_IP_1 X-Spam-Relays-External =~ /^[^\]]+ helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} [^\]]*auth= /i
7569
b780ea8d
SI		 7570header __FSL_HELO_USER_1 X-Spam-Relays-External =~ / helo=user /i
7571
7572header __FSL_HELO_USER_2 Received =~ /from User(?:\s+by|\s*[\[\(]|$)/i
7573
7574header __FSL_HELO_USER_3 Received =~ /(?:eh|he)lo(?:=|\s)User\)/i
7575
7576header __FSL_RELAY_GOOGLE X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.google\.com\.? /i
7577
7578header __FS_SUBJ_RE Subject =~ /^Re: /
7579
7580ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7581 body __FUZZY_DR_OZ /(?=<D>)(?!(?-i:D(?:r.|octor)(?:\s|&nbsp;)Oz))(?:<R>|<O><C>(?:<T><O><R>)?)\.?<WS>*<O><Z>(?:$|\W)/i
7582endif
7583
7584if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7585 meta __FUZZY_MONERO 0
7586endif
7587
7588ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7589 body __FUZZY_MONERO /(?=<M>)(?!monero)<M><O><N><E><R><O>/i
7590endif
7591
7592ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7593 body __FUZZY_PORN /(?=<P>)(?!pornograph?(?:y|i[ca]|er))<P><O><R><N><O><G><R><A><P><H>?(?:<Y>|<I><C>|<E><R>)/i
7594endif
7595
7596ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7597 body __FUZZY_WELLSFARGO_BODY /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i
7598endif
7599
7600ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7601 header __FUZZY_WELLSFARGO_FROM From:name =~ /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i
7602endif
7603
7604if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7605 body __GAPPY_SALES_LEADS /\b(?:business|e?-?mail|your|marketing|advertising)\s(?!sales|leads|campaign)(?:s\s?a\s?l\s?e\s?s|l\s?e\s?a\s?d\s?s|c\s?a\s?m\s?p\s?a\s?i\s?g\s?n)\b/i
7606 tflags __GAPPY_SALES_LEADS multiple maxhits=3
7607endif
7608
7609if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7610 meta __GAPPY_SALES_LEADS_MANY __GAPPY_SALES_LEADS > 2
7611endif
7612
dfdd1e08
SI		 7613if (version >= 4.000000)
7614if can(Mail::SpamAssassin::Conf::feature_capture_rules)
fc5290a3 7615 uri __GB_CUSTOM_HTM_URI0 m;^https?://.{10,128}(?:\.html?|\.php|\/)?(?:\#|\?&e=)%{GB_TO_ADDR};i
dfdd1e08
SI		 7616endif
7617endif
7618
7619if (version >= 4.000000)
7620if can(Mail::SpamAssassin::Conf::feature_capture_rules)
7621 uri __GB_CUSTOM_HTM_URI1 m|^https?://.{10,64}\=https?://.{4,64}\#%{GB_TO_ADDR}|i
7622endif
7623endif
7624
7625if (version >= 4.000000)
7626if can(Mail::SpamAssassin::Conf::feature_capture_rules)
fc5290a3 7627 uri __GB_CUSTOM_HTM_URI2 m;^https?://.{10,256}(?:\/\?)?(?:(?<!blocker)email=|audit\#|wapp\#)%{GB_TO_ADDR};i
dfdd1e08
SI		 7628endif
7629endif
7630
7631if (version >= 4.000000)
7632if can(Mail::SpamAssassin::Conf::feature_capture_rules)
7633 uri __GB_DRUPAL_URI m|^https?://.{10,64}/default/files/(?:\@)?\#%{GB_TO_ADDR}|i
7634endif
7635endif
7636
46cfc9e2 7637header __GB_FAKE_RF Subject =~ /(Fw|Re)\:{1,2}[\W+]/i
b780ea8d 7638
dfdd1e08
SI		 7639if (version >= 4.000000)
7640if can(Mail::SpamAssassin::Conf::feature_capture_rules)
7641 header __GB_TO_ADDR To:addr =~ /(?<GB_TO_ADDR>.*)/
7642endif
7643endif
31955ede 7644
b780ea8d
SI		 7645body __GHANA /\bghana\b/i
7646
7647ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7648mimeheader __GIF_ATTACH Content-Type =~ /^image\/gif\b/i
7649endif
7650
7651body __GIVE_MONEY /\b(?:(?:give\syou\s(?:this\s)?(?:money|fund|inheritance))|(?:donated?\s(?:\w\+\s){0,3}(?:the\ssum\sof|(?:(?:the|this|some)\s(?:money|funds?|inheritance)|to\s)(?:you|(?:(?:the|a)\s)?church|charit(?:y|ies)|humanit\w+|needy|poor|orphan(?:age)?s?|philanthropists\?)))|de vous donner cet argent|faire don de la somme|voudrais en faire don|tego funduszu do dom(?:=F3|[\xf3])w (?:dziecka|wdowy))\b/i
7652
7653meta __GOOGLE_DOCS_PHISH_1 __URI_GOOGLE_DOC && (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST)
7654
7655meta __GOOGLE_DOCS_PHISH_2 __URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY
7656
7657meta __GOOGLE_DOC_SUSP __URI_GOOGLE_DOC && (__HAS_DOMAINKEY_SIG || __RDNS_NONE || __SYSADMIN || __STY_INVIS || LOTS_OF_MONEY || __XFER_MONEY || __ADVANCE_FEE_2_NEW) && !ALL_TRUSTED
7658
7659uri __GOOG_MALWARE_DNLD m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&/]download;i
7660
7661uri __GOOG_REDIR m;^https?://[^/]*\.google\.com/url\?;i
7662
7663meta __GOOG_STO_HTML_PHISH __URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY
7664
7665meta __GOOG_STO_IMG_HTML_1 __URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML
7666
7667meta __GOOG_STO_IMG_NOHTML __URI_GOOG_STO_IMG && !__URI_GOOG_STO_HTML
7668
7669meta __GOOG_STO_NOIMG_HTML !__URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML
7670
7671body __HAS_ANY_EMAIL /\w@\S+\.\w/
7672
7673uri __HAS_ANY_URI /^\w+:\/\//
7674
7675header __HAS_CAMPAIGNID exists:X-Campaignid
7676
7677header __HAS_CID exists:X-CID
7678
7679header __HAS_COMPLAINT_TO exists:Complaint-To
7680
7681header __HAS_DOMAINKEY_SIG exists:DomainKey-Signature
7682
7683describe __HAS_HREF Has an anchor tag with a href attribute in non-quoted line
7684rawbody __HAS_HREF /^[^>].*?<a href=/im
7685tflags __HAS_HREF multiple maxhits=100
7686
7687describe __HAS_HREF_ONECASE Has an anchor tag with a href attribute in non-quoted line with consistent case
7688rawbody __HAS_HREF_ONECASE /^[^>].*?<(a href|A HREF)=/m
7689tflags __HAS_HREF_ONECASE multiple maxhits=100
7690
7691describe __HAS_IMG_SRC Has an img tag on a non-quoted line
7692rawbody __HAS_IMG_SRC /^[^>].*?<img src=/im
7693tflags __HAS_IMG_SRC multiple maxhits=100
7694
7695rawbody __HAS_IMG_SRC_DATA /^[^>].*?<img src=['"]data/im
7696
7697describe __HAS_IMG_SRC_ONECASE Has an img tag on a non-quoted line with consistent case
7698rawbody __HAS_IMG_SRC_ONECASE /^[^>].*?<(img src|IMG SRC)=/m
7699tflags __HAS_IMG_SRC_ONECASE multiple maxhits=100
7700
7701header __HAS_LIST_OPEN exists:List-Open
7702
7703header __HAS_LOGID exists:logid
7704
7705header __HAS_MESSAGEID exists:MessageID
7706
7707header __HAS_PHP_ORIG_SCRIPT exists:X-PHP-Originating-Script
7708
7709header __HAS_PHP_SCRIPT exists:X-PHP-Script
7710
7711header __HAS_THREAD_INDEX exists:Thread-Index
7712
7713header __HAS_TRACKING_CODE exists:Tracking-Code
7714
7715body __HAS_WON_01 /\bque ha ganado\b/i
7716
7717header __HAS_XM_LID exists:X-Mailer-LID
7718
7719header __HAS_XM_RECPTID exists:X-Mailer-RecptId
7720
7721header __HAS_XM_SENTBY exists:X-Mailer-Sent-By
7722
7723header __HAS_XM_SID exists:X-Mailer-SID
7724
7725header __HAS_X_EBSERVER exists:X-EBSERVER
7726
7727header __HAS_X_LETTER exists:X-Letter
7728
7729header __HAS_X_NO_RELAY exists:X-No-Relay
7730
7731header __HAS_X_OUTGOING_SPAM_STAT exists:X-OutGoing-Spam-Status
7732
31955ede
SI		 7733header __HAS_X_SENDER exists:X-Sender
7734
b780ea8d
SI		 7735header __HAS_X_SOURCE_DIR exists:X-Source-Dir
7736
7737header __HDRS_LCASE ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm
7738tflags __HDRS_LCASE multiple maxhits=3
7739
7740meta __HDRS_LCASE_KNOWN __MSGID_JAVAMAIL || __UA_MSOEMAC || __UA_MSOMAC || __MSGID_APPLEMAIL || __MSGID_HEX_UID || __MSGID_HEXISH
7741
7742header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism
7743
cabe596e
SI		 7744header __HDR_CASE_REVERSED ALL =~ /^(?!DomainKey)[^-:\s]*[a-z][A-Z]/m
7745tflags __HDR_CASE_REVERSED multiple maxhits=4
7746
31955ede
SI		 7747header __HDR_ENVFROM_SHOPIFY X-Spam-Relays-External =~ /\shelo=\S+\.mailer\.shopify\.com\s(?:[^\]\s]+\s)*envfrom=\S+\.shopifyemail\.com\s/
7748
b780ea8d
SI		 7749header __HDR_ORDER_FTSDMCXXXX ALL =~ /\nFrom: .{1,80}?\nTo: .{1,80}?\nSubject: .{1,200}?\nDate: .{1,40}?\nMIME-Version: .{1,40}?\nContent-Type: .{1,120}?\nX-Priority: .{1,40}?\nX-MSMail-Priority: .{1,40}?\nX-Mailer: .{1,80}?\nX-MimeOLE:/s
7750
7751header __HDR_RCVD_ALIBABA X-Spam-Relays-External =~ /\srdns=\S+\.alibaba\.com\s/
7752
7753header __HDR_RCVD_AMAZON X-Spam-Relays-External =~ /\srdns=\S+\.amazon(?:ses)?\.com\s/
7754
46cfc9e2
SI		 7755header __HDR_RCVD_AMAZON_HELO X-Spam-Relays-External =~ /\srdns=\shelo=[^.]+\.smtp-out\.amazonses\.com\s/
7756
7757header __HDR_RCVD_APPLE X-Spam-Relays-External =~ /\srdns=\S+\.apple\.com\s/
7758
31955ede
SI		 7759header __HDR_RCVD_BEBEE X-Spam-Relays-External =~ /\srdns=\S+\.bebee\.com\s/
7760
b780ea8d
SI		 7761header __HDR_RCVD_EBAY X-Spam-Relays-External =~ /\srdns=\S+\.ebay\.com\s/
7762
31955ede
SI		 7763header __HDR_RCVD_FACEBOOK X-Spam-Relays-External =~ /\srdns=\S+\.facebook\.com\s/
7764
b780ea8d
SI		 7765header __HDR_RCVD_GOOGLE X-Spam-Relays-External =~ / rdns=mail-\S+\.google\.com\.?\s/
7766
7767header __HDR_RCVD_KEEPA X-Spam-Relays-External =~ /\srdns=\S+\.keepa\.com\s/
7768
46cfc9e2
SI		 7769header __HDR_RCVD_LINKEDIN X-Spam-Relays-External =~ /\srdns=\S+\.linkedin\.com\s/
7770
b780ea8d
SI		 7771header __HDR_RCVD_NEWEGG X-Spam-Relays-External =~ /\srdns=\S+\.newegg\.com\s/
7772
46cfc9e2
SI		 7773header __HDR_RCVD_PAYPAL X-Spam-Relays-External =~ /\srdns=\S+\.paypal\.com\s/
7774
b780ea8d
SI		 7775header __HDR_RCVD_SHOPIFY X-Spam-Relays-External =~ /\srdns=\S+\.shopify\.com\s/
7776
46cfc9e2
SI		 7777header __HDR_RCVD_TAGSTAT X-Spam-Relays-External =~ /\srdns=\S+\.tagstat\.com\s/
7778
31955ede
SI		 7779header __HDR_RCVD_TARINGANET X-Spam-Relays-External =~ /\srdns=\S+\.taringa\.net\s/
7780
b780ea8d
SI		 7781header __HDR_RCVD_TONLINEDE X-Spam-Relays-External =~ /\srdns=\S+\.t-online\.de\s/
7782
7783header __HDR_RCVD_WALMART X-Spam-Relays-External =~ /\srdns=\S+\.walmart\.com\s/
7784
7785ifplugin Mail::SpamAssassin::Plugin::AskDNS
7786tflags __HELO_DNS net
7787endif
7788
7789header __HELO_HIGHPROFILE X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:hotmail|gmail|google|yahoo|msn|microsoft|outlook|paypal|xxx)\.[\w]+\b/i
7790
b780ea8d
SI		 7791header __HELO_NOT_RDNS X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!(?i)\1)\S/
7792
7793header __HELO_NO_DOMAIN X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ /
7794
7795body __HEXHASHWORD_S2EU /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}(?!-?\d{1,5}-)(?!\d{10}\s)(?:(?!--)[-0-9a-f]){10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/
7796tflags __HEXHASHWORD_S2EU multiple maxhits=4
7797
7798body __HK_LOTTO_2 /\blot(?:eri[ej]|t(?:ery|o)) ?(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department)/i
7799
7800body __HK_LOTTO_BALLOT /\b(?:promotional|on.?line|computer|internet|e-?mail|fran.aise) (?:ballot|draw|sweepstake)/i
7801
7802body __HK_LOTTO_STAATS /\bstaatsloteri/i
7803
7804ifplugin Mail::SpamAssassin::Plugin::FreeMail
7805if (version >= 3.004000)
7806 header __HK_NAME_FROM From:name =~ /^FROM\b/mi
7807endif
7808endif
7809
7810ifplugin Mail::SpamAssassin::Plugin::FreeMail
7811if (version >= 3.004000)
7812 header __HK_NAME_MR_MRS From:name =~ /^M(?:RS?|ISS)\b/mi
7813endif
7814endif
7815
7816body __HK_SCAM_N15 /\b(?:account (?:overseas?|offshore)|(?:overseas?|offshore) account)\b/i
7817
7818body __HK_SCAM_N16 /\b(?:arrangement secret|secret arrangement)\b/i
7819
7820body __HK_SCAM_N2 /\bnext of kin\b/i
7821
7822body __HK_SCAM_N3 /\bdirect telephone numbers?\b/i
7823
7824body __HK_SCAM_N8 /\byour compensation\b/i
7825
7826body __HK_SCAM_S1 /pay you the sum of/i
7827
7828body __HK_SCAM_S15 /(?:discovered a dormant account|can you be my partner)/i
7829
7830body __HK_SCAM_S25 /\bbank (?:in|of) ghana/i
7831
7832ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7833mimeheader __HK_SPAMMY_CDFN Content-Disposition =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
7834endif
7835
7836ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7837mimeheader __HK_SPAMMY_CTFN Content-Type =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi
7838endif
7839
31955ede 7840meta __HOSTED_IMG_DIRECT_MX __DOS_DIRECT_TO_MX && __URI_HOSTED_IMG
b780ea8d 7841
31955ede 7842meta __HOSTED_IMG_DQ_UNSUB __URI_DQ_UNSUB && __URI_HOSTED_IMG
b780ea8d 7843
31955ede 7844meta __HOSTED_IMG_FREEM ( FREEMAIL_REPLYTO || FREEMAIL_FROM ) && __URI_HOSTED_IMG
b780ea8d 7845
31955ede 7846meta __HOSTED_IMG_MULTI ( __URI_IMG_EBAY + __URI_IMG_AMAZON + __URI_IMG_ALICDN + __URI_IMG_WALMART + __URI_IMG_NEWEGG + __URI_IMG_SHOPIFY + __URI_IMG_YTIMG + __URI_IMG_JOOMCDN + __URI_IMG_WISH + __URI_IMG_WP_REDIR + __URI_IMG_STATICBG + __URI_IMG_CHANNYPIC + __URI_IMG_TOPHATTER + __URI_IMG_GBTCDN + __URI_IMG_LINKEDIN + __URI_IMG_TUMBLR + __URI_IMG_TAGSTAT + __URI_IMG_FACEBOOK + __URI_IMG_TARINGANET + __URI_IMG_BEBEE + __URI_IMG_EFUSERASSETS + __URI_IMG_IMGBOX_THUMB + __URI_IMG_500PXORG + __URI_IMG_WIXMP + __URI_IMG_POSTIMGCC + __URI_IMG_GTRACING + __URI_IMG_JOOMCDN + __URI_IMG_DHRESOURCE) > 1
b780ea8d
SI		 7847
7848if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
7849 body __HOURS_DEADLINE /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three|a few)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i
7850endif
7851
7852ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
7853 body __HOURS_DEADLINE /(?:^|\s)(?:(?:<G><I><V><E>\s<Y><O><U>|<G><E><B><E>\s<I><H><N><E><N>(?:\s<N><U><R>)?|<Y><O><U>\s(?:<W><I><L><L>\s)?<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?|<W><I><T><H><I><N>)(?:(\s<T><H><E>)?\s(?:<L><A><S><T>|<N><E><X><T>))?\s(?:\d+|<O><N><E>|<T><W><O>|<T><H><R><E><E>|<A> <F><E><W>)\s?(?:<H><O><U><R><S>?|<H><R>\s?<S>?|<D><A><Y><S>?|<S><T><U><N><D><E><N>)|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\s<H><O><U><R><S>?\s<B><E><F><O><R><E>\s(?:<S><E><N><D><I><N><G>|<R><E><L><E><A><S><I><N><G>|<E><X><P><O><S><I><N><G>|<P><U><B><L><I><S><H><I><N><G>)|(?:<T><H><E>|<Y><O><U><R>)\s<D><E><A><D><L><I><N><E>\s(?:<I><S>|<W><I><L><L>\s<B><E>))/i
7854endif
7855
7856rawbody __HS_QUOTE /^> /
7857
7858header __HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/
7859
7860if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7861 meta __HTML_ATTACH_01 0
7862endif
7863
7864ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
dfdd1e08 7865 mimeheader __HTML_ATTACH_01 Content-Type =~ m,\btext/html\b.+\.s?html?\b,i
b780ea8d
SI		 7866endif
7867
7868if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7869 meta __HTML_ATTACH_02 0
7870endif
7871
7872ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
dfdd1e08 7873 mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.s?html?\b,i
b780ea8d
SI		 7874endif
7875
7876rawbody __HTML_ENTITY_ASCII /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){10}/i
7877
7878meta __HTML_ENTITY_ASCII_MINFP __HTML_ENTITY_ASCII && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML
7879
31955ede 7880meta __HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII && (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT)
b780ea8d
SI		 7881
7882rawbody __HTML_FONT_TINY_01 /font-size:\s{0,5}[0-4]px;/i
7883
31955ede
SI		 7884rawbody __HTML_FONT_TINY_02 /<font\s[^>]{0,80}size\s*=\s*["']?-(?:[2-9]|[1-9]\d+)["']?[^>]{0,80}>/i
7885
7886meta __HTML_FONT_TINY_NORDNS (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT) && __RDNS_NONE
7887
b780ea8d
SI		 7888rawbody __HTML_OFF_PAGE /;(?:top|left):-\d{3,9}px;/i
7889
7890if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7891 rawbody __HTML_SHRT_CMNT_OBFU /\w<!--\s*\w+\s*-->\w/
7892 tflags __HTML_SHRT_CMNT_OBFU multiple maxhits=10
7893endif
7894
7895if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
7896 meta __HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU > 5 && HTML_MESSAGE
7897endif
7898
7899rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i
7900tflags __HTML_SINGLET multiple maxhits=21
7901
7902meta __HTML_SINGLET_10 __HTML_SINGLET > 10
7903
7904meta __HTML_SINGLET_MANY __HTML_SINGLET > 20
7905
7906ifplugin Mail::SpamAssassin::Plugin::HTMLEval
7907 body __HTML_TAG_BALANCE_CENTER eval:html_tag_balance('center', '!= 0')
7908endif
7909
7910body __HUSH_HUSH /\b(?:confiden[tc]i[ae]l(?:\b|ity\b|it(?:=E9|[\xe9]|[\xc3][\xa9]))|private\b|secr[e\xe8](?:te?|cy)\b|sensitive\b|concealed\b|obscured?\b|discre(?:et|tion)\b|very\sdiscrete|top\ssecret|vertraulich(?:en)?\b|geheim\b|priv(?:e|=E9|[\xe9]|[\xc3][\xa9]))/i
7911
7912uri __IMGUR_IMG m,^https?://(?:[^.]+\.)?imgur\.com/[a-z0-9]{7}\.(?:png|gif|jpe?g)$,i
7913tflags __IMGUR_IMG multiple maxhits=4
7914
7915meta __IMGUR_IMG_2 __IMGUR_IMG == 2
7916
7917meta __IMGUR_IMG_3 __IMGUR_IMG == 3
7918
7919if !plugin(Mail::SpamAssassin::Plugin::ImageInfo)
7920 meta __IMG_LE_300K 0
7921endif
7922
7923ifplugin Mail::SpamAssassin::Plugin::ImageInfo
7924 body __IMG_LE_300K eval:pixel_coverage('all',62500,300000)
7925endif
7926
7927body __INHERIT_PMT /\binheritance\spayment\s/i
7928
fc5290a3
SI		 7929meta __INR_AND_NO_REF (__XM_IMAIL || __XM_APPLEMAIL || __XM_COMMUNIG || __XM_EDMAX || __XM_ELM || __XM_EMUMAIL || __XM_EXMH || __XM_LOTUSN || __XM_MAILCITY || __XM_MAILSMITH || __XM_MSCDO || __XM_MSOUT || __XM_MIMETOOLS || __XM_OPERA6 || __XM_PEGASUS || __XM_QUALCOM || __UA_IMP || __UA_MSOEMAC || __UA_MSENTOUR || __UA_OPERA7)
7930
b780ea8d
SI		 7931body __INTL_BANK /\b(?:international\s(?:\w+\s)?bank|banque\sinternationale)\b/i
7932
7933body __INVEST_COUNTRY /\binvest\sin\syour?\scountry\b/i
7934
7935body __INVEST_MONEY /\binvest(?:ir)?\s(?:this|ces|d[ae]s|sur ce|de ces)\s(?:money|f[ou]nds?)\b/i
7936
7937header __IP_IN_RELAY X-Spam-Relays-External =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) (?:[^\]]* )?(?:rdns|helo)=\S*(?:\1\D\2\D\3\D\4|\4\D\3\D\2\D\1)/
7938
7939if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7940 meta __ISO_ATTACH 0
7941endif
7942
7943ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7944 mimeheader __ISO_ATTACH Content-Disposition =~ m,\bfilename="?[^"]+\.iso[";$],i
7945endif
7946
7947if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
7948 meta __ISO_ATTACH_MT 0
7949endif
7950
7951ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7952 mimeheader __ISO_ATTACH_MT Content-Type =~ m,\bapplication/x-iso9660-image\b,i
7953endif
7954
7955body __IS_LEGAL /\b(?:(?:(this|esta)\s(?:deal|offer|transac[tc]i(?:o|[\xc3][\xb3])n|proposal|exchange|arrangement|work)|it)?\s[ie]s\s(?:(?:guaranteed|completely|absolutely|perfectly|100%|very|fully)\s)?(?:legal|hitch-free|seguro|legitimate)|legitimate\sarrangement|toute?\sl(?:e|=E9|[\xe9]|[\xc3][\xa9])gale)\b/i
7956
7957body __IVORY_COAST /\b(?:Cote\s?D.Ivoire|Ivory\s?Coast|Costa\sde\sMarfil)\b/i
7958
7959body __I_INHERIT /\b(?:I|eu)\s[a-z\s]{0,30}(?:inherited|herdei)\b/i
7960
7961body __I_WILL_YOU /\bwill(?:ed)?\s(?:[a-z\s]{0,20}(?:fortune|money|\$[\d,]+[a-z]{0,9})\s)?to\syou\b/i
7962
7963header __JM_REACTOR_DATE Date =~ / \+0000$/
7964
7965ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7966 mimeheader __JPEG_ATTACH Content-Type =~ /image\/jpe?g/i
7967endif
7968
7969ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
7970mimeheader __KAM_BLOCK_UTF7_2 Content-Type =~ /charset=(?:unicode-\d+-\d+-)?utf-7/i
7971endif
7972
7973ifplugin Mail::SpamAssassin::Plugin::BodyEval
7974 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
7975 body __KAM_BODY_LENGTH_LT_1024 eval:check_body_length('1024')
7976 describe __KAM_BODY_LENGTH_LT_1024 The length of the body of the email is less than 1024 bytes.
7977endif
7978endif
7979
7980ifplugin Mail::SpamAssassin::Plugin::BodyEval
7981 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
7982 body __KAM_BODY_LENGTH_LT_128 eval:check_body_length('128')
7983 describe __KAM_BODY_LENGTH_LT_128 The length of the body of the email is less than 128 bytes.
7984endif
7985endif
7986
7987ifplugin Mail::SpamAssassin::Plugin::BodyEval
7988 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
7989 body __KAM_BODY_LENGTH_LT_256 eval:check_body_length('256')
7990 describe __KAM_BODY_LENGTH_LT_256 The length of the body of the email is less than 256 bytes.
7991endif
7992endif
7993
7994ifplugin Mail::SpamAssassin::Plugin::BodyEval
7995 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
7996 body __KAM_BODY_LENGTH_LT_512 eval:check_body_length('512')
7997 describe __KAM_BODY_LENGTH_LT_512 The length of the body of the email is less than 512 bytes.
7998endif
7999endif
8000
8001if !plugin(Mail::SpamAssassin::Plugin::HTMLEval)
8002meta __KAM_HTML_FONT_INVALID 0
8003endif
8004
8005ifplugin Mail::SpamAssassin::Plugin::HTMLEval
8006body __KAM_HTML_FONT_INVALID eval:html_test('font_invalid_color')
8007endif
8008
8009body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is
8010
8011header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t/
8012
8013header __KB_MSGID_OUTLOOK_888 Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/
8014
8015meta __KHOP_NO_FULL_NAME !(__NOT_A_PERSON || __FROM_ENCODED_QP || __FROM_NEEDS_MIME || __FROM_FULL_NAME)
8016
8017if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
8018 meta __LARGE_PERCENT_AFTER 0
8019endif
8020
8021if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8022 body __LARGE_PERCENT_AFTER /\d{3}% after/i
8023 tflags __LARGE_PERCENT_AFTER multiple maxhits=4
8024endif
8025
8026if !plugin(Mail::SpamAssassin::Plugin::HeaderEval)
8027 meta __LCL__ENV_AND_HDR_FROM_MATCH 0
8028endif
8029
8030ifplugin Mail::SpamAssassin::Plugin::HeaderEval
8031 meta __LCL__ENV_AND_HDR_FROM_MATCH __ENV_AND_HDR_FROM_MATCH
8032endif
8033
8034if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
8035 meta __LCL__KAM_BODY_LENGTH_LT_1024 0
8036endif
8037
8038ifplugin Mail::SpamAssassin::Plugin::BodyEval
8039if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length))
8040 meta __LCL__KAM_BODY_LENGTH_LT_1024 0
8041endif
8042endif
8043
8044ifplugin Mail::SpamAssassin::Plugin::BodyEval
8045 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8046 meta __LCL__KAM_BODY_LENGTH_LT_1024 __KAM_BODY_LENGTH_LT_1024
8047endif
8048endif
8049
8050if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
8051 meta __LCL__KAM_BODY_LENGTH_LT_128 0
8052endif
8053
8054ifplugin Mail::SpamAssassin::Plugin::BodyEval
8055if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length))
8056 meta __LCL__KAM_BODY_LENGTH_LT_128 0
8057endif
8058endif
8059
8060ifplugin Mail::SpamAssassin::Plugin::BodyEval
8061 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8062 meta __LCL__KAM_BODY_LENGTH_LT_128 __KAM_BODY_LENGTH_LT_128
8063endif
8064endif
8065
8066if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
8067 meta __LCL__KAM_BODY_LENGTH_LT_512 0
8068endif
8069
8070ifplugin Mail::SpamAssassin::Plugin::BodyEval
8071if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length))
8072 meta __LCL__KAM_BODY_LENGTH_LT_512 0
8073endif
8074endif
8075
8076ifplugin Mail::SpamAssassin::Plugin::BodyEval
8077 if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)
8078 meta __LCL__KAM_BODY_LENGTH_LT_512 __KAM_BODY_LENGTH_LT_512
8079endif
8080endif
8081
46cfc9e2
SI		 8082meta __LINKED_IMG_NOT_RCVD_LINK __URI_IMG_LINKEDIN && !__HDR_RCVD_LINKEDIN
8083
b780ea8d
SI		 8084meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID
8085
8086meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1
8087
8088meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR
8089
8090body __LITECOIN_ID /\b(?<!=)[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b/
8091
8092uri __LOCAL_PP_NONPPURL m'https?://(?:[A-Za-z0-9-_]+)\.(?!paypal\.com)(?:[A-Za-z0-9-_\.]+)'i
8093
8094body __LOCK_MAILBOX /\b(?:(?:deactivate|lock(?: up)?|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server)|you will be deactivated|(?:account|e?-?mail(?: ?box)?) (?:will (?:be )?)?(?:shut ?down|expire|deactivate)|we have (?:stopped|suspended) (?:processing|accepting) (?:any )?(?:incoming|new|fresh) email)/i
8095tflags __LOCK_MAILBOX multiple maxhits=2
8096
8097full __LONGLINE /^[^\r\n]{998}/m
8098
8099rawbody __LONG_INVIS_DIV /<div\s+style\s*=\s*"(?:(?<!-)visibility\s*:\s*hidden|display\s*:\s*none)\s*">[^<\s]{1400}/i
8100
8101if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8102 meta __LONG_STY_INVIS __STY_INVIS && __LONGLINE
8103endif
8104
8105if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8106 meta __LOTSA_MONEY_00 0
8107endif
8108
8109ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8110 body __LOTSA_MONEY_00 /<CURRENCY>[\s\.]?<NUM_NOT_DATE>[\dOo][,\.][\dOo]{3}(?:(?!\d)|\b)/
8111endif
8112
8113if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8114 meta __LOTSA_MONEY_01 0
8115endif
8116
8117ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8118 body __LOTSA_MONEY_01 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)[\s\.]?<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo](?<!\.00)\b/
8119endif
8120
8121if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8122 meta __LOTSA_MONEY_02 0
8123endif
8124
8125ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8126 body __LOTSA_MONEY_02 /(?<![-\d])<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo][\)\]\(]?\s?(?:<CURRENCY>|Pounds|(?i:dollars?|bucks))\b/
8127endif
8128
8129if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8130 meta __LOTSA_MONEY_03 0
8131endif
8132
8133ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8134 body __LOTSA_MONEY_03 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)<NUM_NOT_DATE>[\d.,\sOo]{0,5}[\)\]]?\s?(?i:M(?i:il+)?\b|mil+(?i:io|<O>)n|hund?[re]+a?[dt]|thousand|tausend|milh[\xf5]es)/
8135endif
8136
8137if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8138 meta __LOTSA_MONEY_04 0
8139endif
8140
8141ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8142 body __LOTSA_MONEY_04 /(?:(?<![-\d])<NUM_NOT_DATE>[\d\.,]{0,4}(?:M|\smilli?one?s|\s?mln)|million(?!s)|mill<O>n|hund?rea?d(?!s)[^\.]{1,25}thousand(?!s)|cents?[^\.]{1,25}mille|hundert[^\.]{1,30}tausend|ientos?[^\.]{1,20}mil|cent[a-z\s]{1,20}mil\s[a-z]{1,20}centos)[^\.\$]{0,50}?(?:(?:U\.?\s?S\.?\s?(?:A\.?\s?)?|united\s?states\s|E\.\s?U\.\s|canad(?:ian|a)\s|(?:ia\s)?de\s)?d(?:[o\xf3]|[\xc3][\xb3])l+are?s?|\bbucks|USD|GBP|<GB_UK>\spounds?|(?:<GB_UK>\s)?pounds?\ssterling|pounds(?!\sof)|(?:d'\s?)?euros?|francs?)\b/i
8143endif
8144
8145if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8146 meta __LOTSA_MONEY_05 0
8147endif
8148
8149ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8150 body __LOTSA_MONEY_05 /(?:(?:sum|value|amount)\sof\s)<NUM_NOT_DATE_IP>[\d.,\sO]{7,20}[\dO\.][\)\]\(\s]{0,3}(?:pounds?|dollars?|euros?|bucks)\b/i
8151endif
8152
8153meta __LOTTO_ADMITS __LOTTO_ADMITS_1 || __LOTTO_ADMITS_2 || __LOTTO_ADMITS_3 || __LOTTO_ATTACH_1 || __LOTTO_ATTACH_2
8154
8155body __LOTTO_ADMITS_1 /\b(?:on-?line|e-?mail|ballot|(?:inter)?national|state|(?:UK|euro)[- ]?(?:mil+ions?|PW)|Canada|Microsoft|MSN|internet|mega|jackpot+|Royal Heritage|foundation|cash\sgrant|mercato|univers|staatsloterij|bill\s?gates|Olympics?|swiss|this|est[ea]|internationaux de gagnants de)(?:\s(?!lot|swe|prom)\w{1,20}){0,3}\s?(?:lot(?:to|t+ery|eri[ea])|sweepstakes?|promo(?:tion|cao|cion)?|jackpot+)\b/i
8156
8157body __LOTTO_ADMITS_2 /\b(?:free)?(?:lot(?:to|tery|erie)|sweepstakes)\s(?:(?:inter)?na[tz]ional|department|bureau|group|award|microsoft)/i
8158
8159uri __LOTTO_ADMITS_3 /lott+ery/i
8160
8161meta __LOTTO_AGENT __LOTTO_AGENT_01 || __LOTTO_AGENT_02
8162
8163body __LOTTO_AGENT_01 /\b(?:(?:(?:the|y?our)(?:\s\w{1,20})?|contact|accredited|listed)\sclaim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:prize|international|intl|foreign|win+ing)(?:[\s,.]+(?:rem+it+ance|settlement|payment|payout|award|transfer))+|payment|payout|immunity|(?<!memory\s)grants?(?!\smanager))\s?(?:agent|manager|officer|secretary|director|mgr\b)/i
8164
8165body __LOTTO_AGENT_02 /\blot+ery[^\.]{1,40} ticket agent/i
8166
8167header __LOTTO_AGENT_RPLY Reply-To =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize\stransfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i
8168
8169if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8170 meta __LOTTO_ATTACH_1 0
8171endif
8172
8173ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8174 mimeheader __LOTTO_ATTACH_1 Content-Type =~ /lott(?:o|ery)/i
8175endif
8176
8177if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8178 meta __LOTTO_ATTACH_2 0
8179endif
8180
8181ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8182 mimeheader __LOTTO_ATTACH_2 Content-Disposition =~ /lott(?:o|ery)/i
8183endif
8184
8185body __LOTTO_DEPT /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)(?:\s(?:rem+it+ance|settlement|payment|award))+|payment|award|compensation|lot+ery)(?:\s\w+)?\s?(?:department|dept|unit|group|committee|bureau)/i
8186
8187body __LOTTO_RELATED /\b(?:lot+(?:o|ery)|sweepstakes)\s(?:prize|draw(?:s|ing)?|(?:ge)?win(?:n?er|n?ing)?|jackpot+|award|fund|com+it+e+|com+is+ion|guild|promotion|promocao|program|day|online|company|(?:in)?corporat|agent|co[-,]?ordinator|team)/i
8188
8189body __LOTTO_VERIFY /\bpromo\sverification/i
8190
8191body __LOTTO_WINNINGS /\b(?:claim|process(?:ing)?|transfert?(?:\s\w+)?|redeem|payment|virement|zahlung|reivindicar|demandar|remise)\s(?:(?:[a-z]{1,5}\s)?(?:your|of|the|this|de|ihrer|seu|tu)\s)+(?:win+ings?|money|(?:cash\s)?prize|award|f[ou]nds?|grant|gewinne|premio|gain)\b/i
8192
8193body __LOTTO_WIN_01 /\bwin+ing\s(?:prize|number|notification|draw|check|cheque|details|information|payment)/i
8194
8195if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8196 ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8197 body __LOWER_E /e/
8198 tflags __LOWER_E multiple maxhits=230
8199endif
8200endif
8201
8202body __LUCKY_WINNER /\b(?:lucky|gl.cklich(?:en)?|afortunados)\s(?:(?:ge)?win+ers?|ganador(?:es)?|individuals?)\b/i
8203
8204body __LUCRATIVE /\b(?:lucrative|profitable|tr[\xe8]s\ssalutaire)\b/i
8205
fc5290a3 8206header __LUNSUB_BEFORE_SUBJDT ALL =~ /^List-unsubscribe: (?:[^\n]+\n+){1,40}^(?:Subject|Date): /ism
46cfc9e2 8207
b780ea8d
SI		 8208rawbody __L_BODY_8BITS /[\x80-\xff]/
8209
8210header __L_CTE_7BIT Content-Transfer-Encoding =~ /^7bit$/
8211
dfdd1e08
SI		 8212header __L_CTE_8BIT Content-Transfer-Encoding =~ /^8bit$/
8213
b780ea8d
SI		 8214body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|quota is running low|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i
8215
8216body __MAILBOX_FULL_SE /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i
8217
8218header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/
8219
8220body __MAIL_ACCT_ACCESS1 /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i
8221
8222body __MAIL_ACCT_ACCESS2 /\blo+se ac+es+ to your (?:web|e-?)?mail ?(?:account|log-?in|box|address)\b/i
8223
8224uri __MAIL_LINK /\?.{0,200}\w\@[\w-]{1,20}.\w\w\w?\b/i
8225tflags __MAIL_LINK nice
8226
8227body __MAKE_XTRA_DOLLAR /\bmake an extra dollar\b/i
8228
8229header __MALF_MIME_VER MIME-Version =~ /^1\.0\S/
8230
8231meta __MALWARE_NORDNS __MY_MALWARE && __RDNS_NONE
8232
8233meta __MALWARE_PASSWORD __MY_MALWARE && __PASSWORD
8234
8235ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8236 meta __MALW_ATTACH __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02 || __MALW_ATTACH_02_01 || __MALW_ATTACH_02_02
8237endif
8238
8239if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8240 meta __MALW_ATTACH_01_01 0
8241endif
8242
8243ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8244 mimeheader __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]+|\*(?:\d+\*)?=(?:UTF-8'')?\S+)\.SettingContent-ms\b/i
8245endif
8246
8247if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8248 meta __MALW_ATTACH_01_02 0
8249endif
8250
8251ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8252 mimeheader __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i
8253endif
8254
8255if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8256 meta __MALW_ATTACH_02_01 0
8257endif
8258
8259ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
cabe596e 8260 mimeheader __MALW_ATTACH_02_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:invoice|statement|payment(?: advice)?|(?:[.,_]|%C2%B7|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i
b780ea8d
SI		 8261endif
8262
8263if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8264 meta __MALW_ATTACH_02_02 0
8265endif
8266
8267ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
cabe596e 8268 mimeheader __MALW_ATTACH_02_02 Content-Type =~ /\bname="?[^"]*(?:invoice|statement|payment(?: advice)?|(?:[.,_]|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i
b780ea8d
SI		 8269endif
8270
8271meta __MANY_HDRS_LCASE __HDRS_LCASE > 1
8272
8273meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4)
8274
b780ea8d
SI		 8275header __MID_START_001C Message-ID =~ /^<000001c/
8276
8277body __MILLIONS /\bmillions\sof\s(?:dollar|euro|pound)/i
8278
8279header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/
8280
8281meta __MIMEOLE_DIRECT_TO_MX __HAS_MIMEOLE && __DOS_DIRECT_TO_MX
8282
8283header __MIME_BDRY_0D0D Content-Type =~ /boundary="-{12}(?:0[1-9]){12}/
8284
8285if !((version >= 3.004000))
8286 meta __MIME_CTYPE_IN_BODY 0
8287endif
8288
8289if (version >= 3.004000)
8290 body __MIME_CTYPE_IN_BODY /^Content-Type:\s/
8291endif
8292
8293if !((version >= 3.004000))
8294 meta __MIME_MALF 0
8295endif
8296
8297if (version >= 3.004000)
8298 meta __MIME_MALF __CTYPE_MULTIPART_ANY && __MIME_CTYPE_IN_BODY
8299endif
8300
8301if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8302 meta __MIME_NO_TEXT 0
8303endif
8304
8305ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8306 meta __MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH)
8307endif
8308
8309ifplugin Mail::SpamAssassin::Plugin::MIMEEval
8310 rawbody __MIME_QPC eval:check_for_mime('mime_qp_count')
8311endif
8312
8313header __MISSING_REF References =~ /^UNSET$/ [if-unset: UNSET]
8314
8315header __MISSING_REPLY In-Reply-To =~ /^UNSET$/ [if-unset: UNSET]
8316
8317rawbody __MIXED_AREA_CASE /<(?!AREA|area)[Aa][Rr][Ee][Aa]\s/
8318
8319rawbody __MIXED_CENTER_CASE /<(?!CENTER|center)[Cc][Ee][Nn][Tt][Ee][Rr]>/
8320
8321rawbody __MIXED_FONT_CASE /<(?!FONT|font)[Ff][Oo][Nn][Tt]\s/
8322
8323rawbody __MIXED_HREF_CASE_JH /<[Aa](?i:rea)?\s+(?!HREF|href)[Hh][Rr][Ee][Ff]=/
8324
8325rawbody __MIXED_IMG_CASE_JH /<(?!IMG|img)[Ii][Mm][Gg]\s/
8326
8327header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/
8328
8329meta __MONERO (__MONERO_ID || __MONERO_CURNCY || __URI_MONERO || __FUZZY_MONERO)
8330
8331body __MONERO_CURNCY /Monero \(XMR\)/
8332
8333body __MONERO_ID /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93,104}\b/
8334
dfdd1e08
SI		 8335meta __MONEY_ATM_CARD LOTS_OF_MONEY && __ATM_CARD
8336
b780ea8d
SI		 8337meta __MONEY_FORM LOTS_OF_MONEY && __FILL_THIS_FORM
8338
8339meta __MONEY_FORM_SHORT LOTS_OF_MONEY && __FILL_THIS_FORM_SHORT
8340
fc5290a3 8341meta __MONEY_FRAUD_3 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3)
b780ea8d 8342
fc5290a3 8343meta __MONEY_FRAUD_5 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5)
b780ea8d 8344
fc5290a3 8345meta __MONEY_FRAUD_8 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 8)
b780ea8d
SI		 8346
8347ifplugin Mail::SpamAssassin::Plugin::FreeMail
8348 meta __MONEY_FREEMAIL_REPTO LOTS_OF_MONEY && __freemail_hdr_replyto
8349endif
8350
fc5290a3
SI		 8351meta __MONEY_FROM_41 __NSL_RCVD_FROM_41 && LOTS_OF_MONEY
8352
b780ea8d
SI		 8353body __MOVE_MONEY /\b(?:(?:receive|re-?profile|transfer(?:ring|ir|t)?|release|repatriat(?:e|ion)|rapatrier|secure|r(?:e|=E9|[\xe9]|[\xc3][\xa9])clamation|possession|virer|dona(?:te|r)|depositante|dep[\xc3][\xb3]sito)\s(?:th(?:e(?:se)?|is)|d[ae]s|sur ce|de ce[st]|cet|est[eao]s?|del?)|re-?profiling|receive|re-?locat(?:e|ing)(?:\s\w{1,15})?)\s(?:of\s|your\s|the\s){0,2}(?:sums?\sof\s|inheritance\s)?(?:proceeds|funds?|money|balance|account|g[eo]ld|compte|fond[so]{1,2}|dinero|argent)\b/i
8354
8355meta __MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_MAYBE && __HAS_ANY_URI && __HTML_LINK_IMAGE
8356
8357header __MSGID_GUID Message-ID =~ /^<?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\@/i
8358
8359header __MSGID_HEXISH Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/
8360
8361header __MSGID_HEX_UID Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/
8362
8363header __MSGID_JAVAMAIL Message-ID =~ /\.JavaMail\./
8364tflags __MSGID_JAVAMAIL nice
8365
8366header __MSGID_LIST Message-ID =~ /-\w+\#[\w.]+\.\w{2,4}\@/
8367tflags __MSGID_LIST nice
8368
b780ea8d
SI		 8369header __MSGID_NOFQDN2 Message-ID =~ /<.*\@[A-Za-z0-9]+>/m
8370
8371meta __MSMAIL_PRI_ABNORMAL __HAS_MSMAIL_PRI && !__MSMAIL_PRI_NORMAL
8372
8373header __MSMAIL_PRI_HIGH X-MSMail-Priority =~ /^(?:high|urgent)$/i
8374
8375header __MSMAIL_PRI_NORMAL X-MSMail-Priority =~ /^normal$/i
8376
8377meta __MSM_PRIO_REPTO __HAS_MSMAIL_PRI && __HAS_REPLY_TO && __SUBJ_SHORT
8378
8379header __MSOE_MID_WRONG_CASE ALL =~ /\nMessage-Id: /
8380
46cfc9e2
SI		 8381ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8382 mimeheader __MSO_THEME_MT Content-Type =~ m,\bapplication/vnd.ms-officetheme\b,i
8383endif
8384
b780ea8d
SI		 8385header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/
8386
8387header __MUA_TBIRD User-Agent =~ /^Mozilla\/(.*) Thunderbird/
8388
8389body __MY_FORTUNE /\b(?:my|his|her)\s(?:fortune|heritage)\b/i
8390
8391if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8392 body __MY_MALWARE /\b(?:(?:I(?:'ve|\shave)?\s(?:put|set\s?up|installed|buil[td]\sin|placed)\s(?:a\s)?|my\s(?:personal\s|background\s|hidden\s)?)(?:mal+ware|virus|spy\s?ware|trojan|program\srecorded|expl[o0]it|backdoor|(?:sneaky\s|hidden\s|malicious\s)+(?:app|stuff))|(?:application|mal+ware)[^\.]{1,30}(?:enable[sd]|allow(?:s|ed))\sme\sto\s(?:access|control)|I\s(?:contaminated|infected|hacked|toxified|poisoned)\s(?:your|this)\s(?:machine|computer|gadget|(?:smart\s?)?phone|device|email)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|mein\shinterhältiges\sProgramm|I\s?am\s?a\s?hacker|(?:(?:trojan|virus|spyware|mal+ware)\s)+giv(?:es|ing)\sme)\b/i
8393endif
8394
8395ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8396 body __MY_MALWARE /(?:^|\s)(?:(?:<I>(?:'<V><E>|\s<H><A><V><E>)?\s(?:<P><U><T><|><S><E><T>\s?<U><P>|<I><N><S><T><A><L><L><E><D>|<B><U><I><L>(?:<T>|<D>)\s<I><N>|<P><L><A><C><E><D>)\s(?:<A>\s)?|<M><Y>\s(?:<P><E><R><S><O><N><A><L>\s|<B><A><C><K><G><R><O><U><N><D>\s|<H><I><D><D><E><N>\s)?)(?:<M><A><L>+<W><A><R><E>|<V><I><R><U><S>|<S><P><Y>\s?<W><A><R><E>|<T><R><O><J><A><N>|<P><R><O><G><R><A><M>\s<R><E><C><O><R><D><E><D>|<E><X><P><L>(?:<O>|0)<I><T>|<B><A><C><K><D><O><O><R>|(?:<S><N><E><A><K><Y>\s|<H><I><D><D><E><N>\s|<M><A><L><I><C><I><O><U><S>\s)+(?:<A><P><P>|<S><T><U><F><F>))|(?:<A><P><P><L><I><C><A><T><I><O><N>|<M><A><L>+<W><A><R><E>)[^\.]{1,30}(?:<E><N><A><B><L><E>(?:<D>|<S>)|<A><L><L><O><W>(?:<S>|<E><D>))\s<M><E>\s<T><O>\s(?:<A><C><C><E><S><S>|<C><O><N><T><R><O><L>)|<I>\s(?:<C><O><N><T><A><M><I><N><A><T><E><D>|<I><N><F><E><C><T><E><D>|<H><A><C><K><E><D>|<T><O><X><I><F><I><E><D>|<P><O><I><S><O><N><E><D>)\s(?:<Y><O><U><R>|<T><H><I><S>)\s(?:<M><A><C><H><I><N><E>|<C><O><M><P><U><T><E><R>|<G><A><D><G><E><T>|(?:<S><M><A><R><T>\s?)?<P><H><O><N><E>|<D><E><V><I><C><E>|<E><M><A><I><L>)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|<M><E><I><N>\s<H><I><N><T><E><R><H><A><L><T><I><G><E><S>\s<P><R><O><G><R><A><M>+|<I>\s?<A><M>\s?<A>\s?<H><A><C><K><E><R>|(?:(?:<T><R><O><J><A><N>|<V><I><R><U><S>|<S><P><Y><W><A><R><E>|<M><A><L>+<W><A><R><E>)\s)+<G><I><V>(?:<E><S>|<I><N><G>)\s<M><E>)[\s\.,]/i
8397endif
8398
8399if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8400 body __MY_VICTIM /\b(?:hi|hello),?(?:\smy)?\s(?:victim|prey)\b/i
8401endif
8402
8403ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8404 body __MY_VICTIM /(?:<H><I>|<H><E><L><L><O>),?(?:\s<M><Y>)?\s(?:<V><I><C><T><I><M>|<P><R><E><Y>)/i
8405endif
8406
8407header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/
8408
8409meta __NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL
8410
8411header __NAME_EQ_EMAIL From:raw =~ /([\w+.-]+\@[\w.-]+\.\w\w+)["'`\s]*<\s*\1>/i
8412
8413header __NAME_IS_EMAIL From:raw =~ /\w\@[\w.-]+\.\w\w+["'`]*\s*<\w+\@\w/
8414
dfdd1e08
SI		 8415body __NEVER_HEAR_EN /(never hear me again|destroy all your secrets|not bother you again|leave you alone)/i
8416
8417body __NEVER_HEAR_IT /eliminare tutti i tuoi segreti|Ti garantisco che non ti disturbe/i
8418
b780ea8d
SI		 8419meta __NEWEGG_IMG_NOT_RCVD_NEGG __URI_IMG_NEWEGG && !__HDR_RCVD_NEWEGG
8420
31955ede
SI		 8421body __NEW_PRODUCTS /\bhere are new products|\b(?:Our company|we) (?:has |have )?(?:(?:recently|just|newly) (?:introduce|release|launche)[ds](?: a| our| the)? (?:new|(?:\w+\s){1,5}below)|a new (?!cat\s|kitten\s|dog\s|puppy\s|pet\s|baby\s|child\s|boy\s|girl\s)(?:\w+\s){1,5} here)|recently,? our company (?:launch|releas)ed|\bI want to recommend a new (?:\w+ ){1,5}(?:we|our)\b|latest version of our (?:stock|product)|\b(?:our|a) new (?:\w+ ){1,3}has (?:recently|just) been released/i
8422
b780ea8d
SI		 8423body __NEXT_OF_KIN /\bnext[-\s]of[-\s]kin\b/i
8424
8425body __NIGERIA /\bnigeria\b/i
8426
8427meta __NOT_A_PERSON __VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO
8428tflags __NOT_A_PERSON nice
8429
8430body __NOT_DEAD_YET /\b(?:will\sinherit|que\sherede|your\sdeath|your?\sbeing\sdead)\b/i
8431
8432body __NOT_SCAM /\b(?:not\sa\sscam|(?:not|never)\sscam\syou)\b/i
8433
8434tflags __NOT_SPOOFED nice
8435
8436if !(!plugin(Mail::SpamAssassin::Plugin::DKIM))
8437if !plugin(Mail::SpamAssassin::Plugin::SPF)
8438 meta __NOT_SPOOFED DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, no SPF
8439endif
8440endif
8441
8442if !(!plugin(Mail::SpamAssassin::Plugin::DKIM))
8443 ifplugin Mail::SpamAssassin::Plugin::SPF
8444 meta __NOT_SPOOFED SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, yes SPF
8445endif
8446endif
8447
8448if !plugin(Mail::SpamAssassin::Plugin::DKIM)
8449if !plugin(Mail::SpamAssassin::Plugin::SPF)
8450 meta __NOT_SPOOFED __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, no SPF.
8451endif
8452endif
8453
8454if !plugin(Mail::SpamAssassin::Plugin::DKIM)
8455 ifplugin Mail::SpamAssassin::Plugin::SPF
8456 meta __NOT_SPOOFED SPF_PASS || __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, yes SPF
8457endif
8458endif
8459
8460meta __NO_INR_YES_REF (__XM_GNUS || __XM_MSOE5 || __XM_MSOE6 || __XM_MOZ4 || __XM_SKYRI || __XM_WWWMAIL || __UA_GNUS || __UA_KNODE || __UA_MUTT || __UA_PAN || __UA_XNEWS)
8461
8462header __NSL_ORIG_FROM_41 X-Originating-IP =~ /^(?:.+\[)?41\./
8463describe __NSL_ORIG_FROM_41 Originates from 41.0.0.0/8
8464
8465header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./
8466describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8
8467
b780ea8d
SI		 8468header __NUMBERONLY_TLD From:addr =~ /\@[0-9]{4,}(\.[a-z]{2,4})?\.[a-z]+$/i
8469
8470header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/
8471
8472if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8473 meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) )
8474endif
8475
8476ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8477 meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) )
8478endif
8479
8480if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8481 meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) )
8482endif
8483
8484ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8485 meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) )
8486endif
8487
8488body __OBFU_UNSUB_UL /(?:click_here|remove_your|our_e?mail|this_list|to_unsubscribe|future_e?mail|our_list)/
8489
8490if !plugin(Mail::SpamAssassin::Plugin::ImageInfo)
8491 meta __ONE_IMG 0
8492endif
8493
8494ifplugin Mail::SpamAssassin::Plugin::ImageInfo
8495 body __ONE_IMG eval:image_count('all',1,1)
8496endif
8497
8498header __OPERA_MID_NON_OP Message-ID =~ /^<[^o][^p]\./
8499
b780ea8d
SI		 8500body __OUR_BEHALF /\b(?:on\s(?:my|our)\sbehalf|of\sbehalf\sof)\b/i
8501
8502ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8503mimeheader __PART_CID_STOCK_LESS Content-ID =~ /^<00[a-f0-9]{10}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[A-Za-z]+>$/
8504endif
8505
8506ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8507mimeheader __PART_STOCK_CD_F Content-Disposition =~ /filename/
8508endif
8509
8510ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8511mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/
8512endif
8513
8514ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8515mimeheader __PART_STOCK_CL Content-Location =~ /./
8516endif
8517
8518body __PASSIVE_INCOME /\bpassive income\b/i
8519
8520body __PASSWORD /\bp[-\s_]?a[-\s_]?s[-\s_]?s[-\s_]?w[-\s_]?o[-\s_]?r[-\s_]?d\b/i
8521
8522body __PASSWORD_EXP_CLUMSY /\bpassword is due for expiration yesterday\b/i
8523
8524body __PASSWORD_UPGRADE /\bpassword upgrade\b/i
8525
8526body __PAXFUL /\bp-?a+-?x+-?f-?u+-?l\b/i
8527
8528if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8529 body __PAY_ME /\b(?:pay\sme|(?:(?:send|transmit|give)\s(?:to\s)?me|(?:send(?:en\ssie)?|transfer)\s(?:the\samount\sof|exactly|genau)|I\swant|den\sbetrag\svon|payment\sof)\s(?:[\d,'.\$£]+\s?(?:usd?|eur?(?:os)?|gbp|BTC)?|bitcoin|BTC)|(?:make|perform|send|transmit)\sthe\spayment|amount\sfor\smy\ssilence|(?:pay|fund)\sthis\s(?:bitcoin|monero)[-\s](?:address|wallet|brieftasche)|my bribe(?:ry)?)\b/i
8530endif
8531
8532ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8533 body __PAY_ME /(?:^|\s)(?:<P><A><Y>\s<M><E>|(?:(?:<S><E><N><D>|<T><R><A><N><S><M><I><T>|<G><I><V><E>)\s(?:<T><O>\s)?<M><E>|(?:<S><E><N><D>(?:<E><N>\s<S><I><E>)?|<T><R><A><N><S><F><E><R>)\s(?:<T><H><E>\s<A><M><O><U><N><T>\s<O><F>|<E><X><A><C><T><L><Y>|<G><E><N><A><U>)|<I>\s<W><A><N><T>|<D><E><N>\s<B><E><T><R><A><G>\s<V><O><N>|<P><A><Y><M><E><N><T>\s<O><F>)\s(?:[\d,'.\$£]+\s?(?:<U><S><D>?|<E><U><R>?(?:<O><S>)?|<G><B><P>|<B><T><C>)?|<B><I><T><C><O><I><N>|<B><T><C>)|(?:<M><A><K><E>|<P><E><R><F><O><R><M>|<S><E><N><D>|<T><R><A><N><S><M><I><T>)\s<T><H><E>\s<P><A><Y><M><E><N><T>|<A><M><O><U><N><T>\s<F><O><R>\s<M><Y>\s<S><I><L><E><N><C><E>|(?:<P><A><Y>|<F><U><N><D>)\s<T><H><I><S>\s(?:<B><I><T><C><O><I><N>|<M><O><N><E><R><O>)[-\s](?:<A><D><D><R><E><S><S>|<W><A><L><L><E><T>|<B><R><I><E><F><T><A><S><C><H><E>|<M><Y> <B><R><I><B><E>(?:<R><Y>)?))[\s\.,]/i
8534endif
8535
8536body __PAY_YOU /\bpay\syou\b/
8537
8538if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8539 meta __PCT_FOR_YOU 0
8540endif
8541
8542ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8543 meta __PCT_FOR_YOU __PCT_FOR_YOU_1 || __PCT_FOR_YOU_2 || __PCT_FOR_YOU_3 || T_SHARE_50_50
8544endif
8545
8546if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8547 meta __PCT_FOR_YOU_1 0
8548endif
8549
8550ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8551 body __PCT_FOR_YOU_1 /<PERCENT>[\s)]{0,3}(?:(?:of\s[\w\s]{0,35}?)?(?:for|to|as)\syour?|(?:[^\s.]{1,15}\s)?an uns beide)/i
8552endif
8553
8554if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8555 meta __PCT_FOR_YOU_2 0
8556endif
8557
8558ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8559 body __PCT_FOR_YOU_2 /\b(?:(?:give|offer)\syou|vous\s(?:aurez\sdroit\s(?:=E0|[\xe0])|donnerai|all(?:e|=E9|[\xe9]|[\xc3][\xa9])\srecevoir\sautour\sde)|ihnen)\s<PERCENT>/i
8560endif
8561
8562if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8563 meta __PCT_FOR_YOU_3 0
8564endif
8565
8566ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8567 body __PCT_FOR_YOU_3 /\byour?\s(?!can)(?:(?!you)\w{1,15}\s){0,10}(?:(?:share|entiti?le(?:d|ment)?|percentage|fee|assist(?:ance)?|comp[ea]nsat(?:ed?|tion)|reward(?:ed)?|renumerat(?:e|tion)|com+is+ion|paid|deduct|account|tage|(?:will|shall|would|(?:are|stand|going)\sto)\s(?:be\s)?(?:tak(?:e|ing)|earn|get(?:ting)?|remit|subtract|with+old)|(?:deduct|taken?|subtract(?:ed)?)\syour|keep(?:ing)?|receiv(?:e|ing)|retain(?:ing)?|have|half|giv(?:en|ing)|paid|(?:give|pay|offer)\s(?:me|you|him)|bank\saccount|to\s(?:take|use)|(?:time|country)\sand|ratio\sof)(?:\s(?!you)\w{1,15}){0,10})\s(?<!by\s)(?<!up\sto\s)<PERCENT>/i
8568endif
8569
8570if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
8571 meta __PCT_OF_PMTS 0
8572endif
8573
8574ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8575 body __PCT_OF_PMTS /<PERCENT>[\s)]+(?:of\s[\w\s]{0,35}?)?(?:of|du|de)\s(?:(?:the|la)\s)?(?:total\s)?(?:payments?|rem+it+ances?|capital|chec(?:k|que)s?|mon(?:ey|ies)|suma?)/i
8576endif
8577
8578if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8579 meta __PDF_ATTACH 0
8580endif
8581
8582ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8583 meta __PDF_ATTACH (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2)
8584endif
8585
8586if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8587 meta __PDF_ATTACH_FN1 0
8588endif
8589
8590ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8591 mimeheader __PDF_ATTACH_FN1 Content-Type =~ /="[^"]+\.pdf"/i
8592endif
8593
8594if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8595 meta __PDF_ATTACH_FN2 0
8596endif
8597
8598ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8599 mimeheader __PDF_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.pdf"/i
8600endif
8601
8602if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
8603 meta __PDF_ATTACH_MT 0
8604endif
8605
8606ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8607 mimeheader __PDF_ATTACH_MT Content-Type =~ m,\bapplication/pdf\b,i
8608endif
8609
8610ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8611 header __PDS_BTC_ANON From:name =~ /\bAnon/
8612endif
8613
8614ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8615 meta __PDS_BTC_BADFROM ( __PDS_BTC_HACKER || __PDS_BTC_PIRATE )
8616endif
8617
8618ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8619 header __PDS_BTC_HACKER From:name =~ /h<A>ck<E>r/i
8620endif
8621
8622meta __PDS_BTC_ID ( __BITCOIN_ID && !__URL_BTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG)
8623
8624ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
8625 header __PDS_BTC_PIRATE From:name =~ /p<I>r<A>t<E>/i
8626endif
8627
8628ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8629if (version >= 3.004000)
8630header __PDS_CASHSHORTENER eval:check_uri_host_listed('PDS_CASHSHORTENER')
8631endif
8632endif
8633
8634uri __PDS_DOUBLE_URL m;https?://[\S]+(?:\?|=)https?://[\S]+[\w]+$;
8635
8636if (version >= 3.004002)
8637ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8638body __PDS_EXPIRATION_NOTICE /\bexpiration (notice|alert|date)\b/i
8639endif
8640endif
8641
8642if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
8643 header __PDS_FROM_2_EMAILS From =~ /(?:^|<|"| )([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i
8644endif
8645
8646header __PDS_FROM_GMAIL From:addr =~ /\@g(?:oogle)?mail\.com$/i
8647
fc5290a3 8648header __PDS_FROM_NAME_TO_DOMAIN ALL =~ /From: ["']?([a-z0-9\.-]+\.[0-9a-z\.-]+)["']? [^\n]+\n+To:[^\n]+\@\1/ism
b780ea8d
SI		 8649
8650header __PDS_GMAIL_MID Message-Id =~ /\@mail.gmail.com>$/
8651
8652meta __PDS_GOOGLE_DRIVE_SHARE (__PDS_GOOGLE_DRIVE_SHARE_1 + __PDS_GOOGLE_DRIVE_SHARE_2 + __PDS_GOOGLE_DRIVE_SHARE_3 >= 2)
8653
8654header __PDS_GOOGLE_DRIVE_SHARE_1 References =~ /\@docs\-share\.google\.com\>/
8655
8656header __PDS_GOOGLE_DRIVE_SHARE_2 From:addr =~ /^drive\-shares\-noreply\@google\.com$/
8657
8658header __PDS_GOOGLE_DRIVE_SHARE_3 X-Envelope-From:addr =~ /\@doclist\.bounces\.google\.com$/
8659
8660ifplugin Mail::SpamAssassin::Plugin::AskDNS
8661meta __PDS_HP_HELO_NODNS (__HELO_HIGHPROFILE && !__HELO_DNS)
8662tflags __PDS_HP_HELO_NODNS net
8663endif
8664
8665ifplugin Mail::SpamAssassin::Plugin::HTMLEval
8666meta __PDS_HTML_LENGTH_1024 __HTML_LENGTH_0000_1024
8667endif
8668
8669ifplugin Mail::SpamAssassin::Plugin::HTMLEval
8670meta __PDS_HTML_LENGTH_2048 __HTML_LENGTH_0000_1024 || __HTML_LENGTH_1024_1536 || __HTML_LENGTH_1536_2048
8671endif
8672
8673meta __PDS_LITECOIN_ID (__LITECOIN_ID && !__URL_LTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG)
8674
8675meta __PDS_MSG_1024 (__KAM_BODY_LENGTH_LT_1024 || __PDS_HTML_LENGTH_1024)
8676
8677meta __PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512)
8678
8679if (version >= 3.004001)
8680ifplugin Mail::SpamAssassin::Plugin::AskDNS
8681meta __PDS_NEWDOMAIN (__FROM_FMBLA_NEWDOM || __FROM_FMBLA_NEWDOM14 || __FROM_FMBLA_NEWDOM28)
8682tflags __PDS_NEWDOMAIN net
8683endif
8684endif
8685
8686if (version >= 3.004002)
8687ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8688body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (United States|USA)/i
8689endif
8690endif
8691
8692if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
8693 meta __PDS_QP_1024 0
8694endif
8695
8696ifplugin Mail::SpamAssassin::Plugin::MIMEEval
8697 meta __PDS_QP_1024 (__MIME_QPC > 0) && (__MIME_QPC < 1024)
8698endif
8699
8700if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
8701 meta __PDS_QP_128 0
8702endif
8703
8704ifplugin Mail::SpamAssassin::Plugin::MIMEEval
8705 meta __PDS_QP_128 (__MIME_QPC > 0) && (__MIME_QPC < 128)
8706endif
8707
8708if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
8709 meta __PDS_QP_512 0
8710endif
8711
8712ifplugin Mail::SpamAssassin::Plugin::MIMEEval
8713 meta __PDS_QP_512 (__MIME_QPC > 0) && (__MIME_QPC < 512)
8714endif
8715
8716if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
8717 meta __PDS_QP_64 0
8718endif
8719
8720ifplugin Mail::SpamAssassin::Plugin::MIMEEval
8721 meta __PDS_QP_64 (__MIME_QPC > 0) && (__MIME_QPC < 64)
8722endif
8723
8724header __PDS_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(mta|mail|mx|smtp)\b\S* /i
8725
8726if (version >= 3.004002)
8727ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8728body __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i
8729endif
8730endif
8731
8732if (version >= 3.004002)
8733ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8734body __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i
8735endif
8736endif
8737
8738if (version >= 3.004002)
8739ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8740body __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i
8741endif
8742endif
8743
8744ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8745if (version >= 3.004000)
dfdd1e08 8746meta __PDS_SHORT_URL __SHORT_URL && !__URL_SHORTENER && !ALL_TRUSTED
b780ea8d
SI		 8747endif
8748endif
8749
8750if (version >= 3.004001)
8751ifplugin Mail::SpamAssassin::Plugin::AskDNS
8752tflags __PDS_SPF_ONLYALL net
8753endif
8754endif
8755
46cfc9e2
SI		 8756meta __PDS_SPOOF_GMAIL_MID __PDS_FROM_GMAIL && !__PDS_GMAIL_MID && !__FSL_RELAY_GOOGLE
8757
b780ea8d
SI		 8758header __PDS_TONAME_EQ_TOLOCAL To:raw =~ /^\s*['"]?([^'"]+)['"]? <?\1\@/
8759
fc5290a3
SI		 8760header __PDS_TO_BRAND_SUBJECT ALL =~ /^To:\s+<?[^\@]+\@([^\.]+)\.(?:[^\n]+\n+)*^Subject: \"?\1\b/ism
8761
b780ea8d 8762if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
fc5290a3 8763 header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism
b780ea8d
SI		 8764endif
8765
8766if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
fc5290a3 8767 header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism
b780ea8d
SI		 8768endif
8769
8770ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8771if (version >= 3.004000)
dfdd1e08 8772meta __PDS_TO_SUBJ_URISHRT __TO_IN_SUBJ && __URL_SHORTENER && __PDS_MSG_1024
b780ea8d
SI		 8773endif
8774endif
8775
8776ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8777if (version >= 3.004000)
dfdd1e08 8778meta __PDS_URISHORTENER __URL_SHORTENER
b780ea8d
SI		 8779endif
8780endif
8781
8782meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0
8783
8784body __PENDING_MESSAGES /\b(?:messages pending|(?:your|\d+[\])}]?) (?:pending|un(?:delivered|received)) (?:messages|e?-?mails))\b/i
8785
8786body __PERFECT_BINARY /\bperfect binary option\b/i
8787
8788ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8789 mimeheader __PHISH_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:\.|%C2%B7|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i
8790endif
8791
8792ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8793 mimeheader __PHISH_ATTACH_01_02 Content-Type =~ /\bname="?[^"]*(?:\.|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i
8794endif
8795
8796meta __PHISH_FBASE_01 (__URI_FIREBASEAPP || __URI_WEBAPP) && __PDS_FROM_NAME_TO_DOMAIN && __MAIL_LINK
8797
8798if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8799 body __PHOTO_RETOUCHING /\b(?:(?:retouching|(?:image|photo|pic)s? (?:[a-z]{1,15} ){0,3}(?:edit(?:ing|ors)|team|(?:cut+|mask|clip+|clean|crop+|resiz|enhanc|etch)ing|cut+(?:ing)?[-\s]?out|enhancement|manipulation|restoration|compositing|working|(?:color|contrast|brightnes+|background|make-?up) (?:cor+ection|change)|solution|work|services?)|(?<!that\s)(?<!\.\s)your (?:imag(?:es|ing)|pics)|photo\s?shop (?:expert|service)s?|(?:deliver (?:the|your) |(?:(?:send|throw|ship|drop|deliver|give|provide|e-?mail) us|(?:cut+(?:ing)?[-\s]?out|masking|(?:test|edit)(?:ing)?) (?:for|of|on|with)) (?:(?:an?|one|your|some|sample|test|example|the) )+)(?:image|photo|pic)s?|(?:proces+|edit)(?:\sover|\smore th[ae]n)? \d{2,5}\D? (?:image|photo|pic)s|improv(?:e|ing) (?:(?:image|photo|picture|pic) (?:quality|lighting)|(?:(?:image|photo|picture|pic) )?(?:resolution|contrast|background|color))|cor+ecting (?:color|contrast|brightnes+|background))\b|(?:e-?com+erce|website|jew[el]+r(?:[y's]+|ies)|model+(?:s|ing)?|products?|portraits?|graduation['s]*|school['s]*|bab(?:[y's]+|ies)|famil(?:[y's]+|ies)|kids|wedding|beauty|glamou?r|catalog['s]*|store['s]*|shop['s]*|(?:cut+(?:ing)?[-\s]?out|clip+ing\spath|(?:all|any) kinds? of|enhance|retouch|edit(?:ing)?)[,;]?(?:\s[a-z]{1,15}){0,4})\s(?:image|photo|pic)s?(?:[.,?]|$|\sand\b|\sor\b|\setc\b)|\b(?:imag(?:es|ing)|photos)\s\d+$)/i
8800 tflags __PHOTO_RETOUCHING multiple maxhits=5
8801endif
8802
8803header __PHPMAILER_MUA X-Mailer =~ /^PHPMailer\b/
8804
8805meta __PHP_MUA __PHP_MUA_1 || __PHP_MUA_2
8806
8807header __PHP_MUA_1 X-Mailer =~ /^PHP\s?v?\/?\d\./
8808
8809header __PHP_MUA_2 X-Mailer =~ /^PHP\d$/
8810
8811header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/
8812
8813meta __PHP_ORIG_SCRIPT_SONLY __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B)
8814
8815if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
8816 meta __PILL_PRICE_01 0
8817endif
8818
8819if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8820 body __PILL_PRICE_01 m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i
8821 tflags __PILL_PRICE_01 multiple maxhits=3
8822endif
8823
8824if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
8825 meta __PILL_PRICE_02 0
8826endif
8827
8828if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
8829 body __PILL_PRICE_02 /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i
8830 tflags __PILL_PRICE_02 multiple maxhits=3
8831endif
8832
8833body __PLS_REVIEW /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i
8834
8835ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
8836header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to()
8837endif
8838
8839ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
8840header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof()
8841endif
8842
8843uri __PS_TEST_LOC_WP m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,128}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf|\.svg)[^?]{4}(?:\?[^?]{1,5})?$;i
8844
8845body __PUMPDUMP_01 /\b(?:times|multiply|tripl(?:e|ing)|quadrupl(?:e|ing)|quintupl(?:e|ing)) (?:your|an) (?:princip(?:al|le)|investment)\b/i
8846
8847body __PUMPDUMP_02 /\b(?:sto[ck]{2}|share price) (?:will |may |is (?:(?:about|poised|positioned|ready) to |gonna ))?(?:triple|quadruple|quintuple|soar|go(?:es?) (?:nuts|crazy|sky high|way up))\b/i
8848
8849body __PUMPDUMP_03 /\bbuy (?:[^.!]{1,30} )?(?:(?:(?:mon|tues|wednes|thurs|fri)day|tomorrow) (?:first thing|open|morning)|(?:first thing|opens|before) (?:(?:mon|tues|wednes|thurs|fri)day|tomorrow))/i
8850
8851body __PUMPDUMP_04 /\bmake you (?:big bucks|hundreds|thousands)\b/i
8852
8853body __PUMPDUMP_05 /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i
8854
8855body __PUMPDUMP_06 /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i
8856
8857body __PUMPDUMP_07 /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i
8858
8859body __PUMPDUMP_08 /\b?(:sto[ck]{2}|sotk) of the year/i
8860
8861body __PUMPDUMP_09 /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i
8862
8863body __PUMPDUMP_10 /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i
8864
8865body __RANDOM_PICK /\b(?:random(?:ly)?\s(?:\w+\s)?(?:select(?:ion|ed)|pick(?:ed)?|computer)|(?:select|pick)ed\s(?:at\s)?random(?:ly)?|(?:esco(?:g|lh)idos|seleccion) (?:aleatoria(?:mente)?|al azar))\b/i
8866
8867header __RAND_HEADER ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent|Tracking-Code)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism
8868tflags __RAND_HEADER multiple maxhits=4
8869
8870meta __RAND_HEADER_2 __RAND_HEADER > 1
8871
8872header __RAND_MKTG_HEADER ALL =~ /^X-(?:[a-z]{2}){1,2}-(?:EBS|(?:Tracking|Subscriber|Delivery|Customer|Campaign)-[DSU]?id):/ism
8873
8874header __RATWARE_BOUND_A ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{10,400}boundary="----=_NextPart_000_...._\1\./msi # "
8875
8876header __RATWARE_BOUND_B ALL =~ /boundary="----=_NextPart_000_...._([0-9a-f]{8})\..{10,400}^Message-Id: <....\1\$[0-9a-f]{8}\$/msi # "
8877
8878header __RCD_RDNS_MAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmail[^a-z]/i
8879tflags __RCD_RDNS_MAIL nice
8880
8881header __RCD_RDNS_MAIL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mail/i
8882tflags __RCD_RDNS_MAIL_MESSY nice
8883
8884header __RCD_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmta[^a-z]/i
8885tflags __RCD_RDNS_MTA nice
8886
8887header __RCD_RDNS_MTA_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mta/i
8888tflags __RCD_RDNS_MTA_MESSY nice
8889
8890header __RCD_RDNS_MX X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmx[^a-z]/i
8891tflags __RCD_RDNS_MX nice
8892
8893header __RCD_RDNS_MX_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mx/
8894tflags __RCD_RDNS_MX_MESSY nice
8895
8896header __RCD_RDNS_OB X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\boutbounds?[^a-z]/i
8897tflags __RCD_RDNS_OB nice
8898
8899header __RCD_RDNS_SMTP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bsmtps?[^a-z]/i
8900tflags __RCD_RDNS_SMTP nice
8901
8902header __RCD_RDNS_SMTP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*smtp/
8903tflags __RCD_RDNS_SMTP_MESSY nice
8904
46cfc9e2 8905header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\srdns=\S+\.edu\s/i
b780ea8d
SI		 8906
8907meta __RCVD_DOTEDU_SHORT __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 )
8908
8909meta __RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI )
8910
46cfc9e2 8911header __RCVD_DOTGOV_EXT X-Spam-Relays-External =~ /\srdns=\S+\.gov\s/i
b780ea8d
SI		 8912
8913header __RCVD_ZIXMAIL X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net /
8914
8915header __RDNS_LONG X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{30}/
8916
8917header __RDNS_NO_SUBDOM X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\.\w+ /
8918
8919header __RDNS_NUMERIC_TLD X-Spam-Relays-External =~ /\srdns=\S+\.\d+\s/
8920
8921header __RDNS_SHORT X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{4,14} /
8922
8923body __RECEIVE_BONUS /\byou(?:'ll)?(?: also| will)* (?:rec[ei]*ve|get|earn|collect|be (?:awarded|handed|remitted|given|paid|(?:greeted|welcomed|started) with)) (?:an? )?(?:gift|bonus|extra)(?: of|:)? \$[\d,]+/i
8924
8925header __RELAY_THRU_WWW Received =~ /from (?:[^ \@]+\@)?www\./
8926
8927body __RELEASE_MESSAGES /\b(?:release messages|(?:retrieve|release|download) your(?: undelivered|unreceived|held|pending)? e?-?mails|(?:e?-?mails|messages).{1,20}download them now)\b/i
8928
8929ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {
8930 meta __REMOTE_IMAGE (__HTML_IMG_ONLY || __HTML_LINK_IMAGE) && !(__SUBSCRIPTION_INFO || __VIA_ML || __SENDER_BOT || __ANY_IMAGE_ATTACH)
8931endif
8932
8933if (version >= 3.004002)
8934ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8935header __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD')
8936endif
8937endif
8938
dfdd1e08 8939header __REPTO_419_FRAUD_AOL_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.|ljaber)|c(?:hanprivacy|laimdept|ristinabruno|ustom_service)|dhodgkins|evelynjoshua|f(?:d\.|ernandezfernandez)|george_clifford|hernandezrosemary|k\.doreen|l(?:erynnewest|ynnpage)|m(?:_l\.wanczyk|asayohara|rsjanetedwards)|officework|paulpollard|royalpalace|spwalker|usembassy|yurdaaytarkan))\d+\@aol\.com$/i
b780ea8d 8940
fc5290a3 8941header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:9porssts|a(?:\.wafager|b(?:dullahmundani|u(?:lkareem|shadi))|cecere|isha1976gaddafi|l(?:an\.austin|ex(?:anderpeterson|hoffman)|ghafrij|kasimunadi|l(?:enholden|isoncluade)|ure\.wawrenka)|m(?:bassadormarybethleonardl|ericadeliverycomapny|ina(?:ltwaijiri|medjahed))|n(?:dyfox|na(?:llee|sigurlaug)|thonyjblinken)|office1office|radka|shwestwood|ustinbillmark|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|rister(?:clarkephillips|lordruben)|teld\.huisman))|bongo|e(?:alitoniua|linekra|n(?:ezero|gatl|jaminsarah))|ill\.lawrence|mwautomobile|oarddept|rendalaporte|uffettwarrene)|c(?:h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|laxtonpaul|o(?:lombasjuan|ntactad)|rist(?:brun?|davis|ydavisdonation)|ustomerservicelacaixa)|d(?:a(?:nnuar|vi(?:d(?:\.loanfirm|larbi|pere|ramirez\.luis)|scarolyn|yax))|e(?:nnisclark|partmentofstate)|minique|ona(?:ldwilliam|tionhelpercare)|rdavidrhama|unsilva)|e(?:benezero|christina|l(?:i(?:bethgomez|sabethmaria|zabethedw)|o(?:diesawadogo|tocashoffice))|m(?:efieleg?|ilyrichmond)|re(?:nakgeorge|zcelic)|stherkatherine|wynn)|f(?:\.mikhail|a(?:ithdesrie|tme\.mehmed)|blott|irstbank|r(?:a(?:100dub|n(?:c(?:espatrickconnolly|iscamendoza)|k(?:jane|linpiesie)))|eelottosweepstake)|spero|ulanlan)|g(?:00gleggewinner|a(?:briel(?:eschmitt|kalia)|rciavincent)|bill|e(?:neralwilliamstony|orgekwame|raldjhjh)|i(?:idp|ocastano)|l(?:enmoore|oriachow)|oo(?:golteam|oglegwiinner)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:gate|ryebert)|sh(?:imyreem|mireem))|e(?:atherbrooeke|ctor(?:castillos|scastillo)|lengiggs)|gold|ildad|o(?:nmackjohn|rnbeckmajordennis|seoky))|i(?:bed|mfdeputyoff|n(?:fo\.annedouglas|gridrolle)|rvinekim|smail(?:eman|tarkan))|j(?:a(?:mesokoh|vierlesme)|efferydean|o(?:edward|hn(?:griffn|r(?:awlings|oxfordjr)|sonwilson|uba|walterlove|a)|n(?:athanhaskel|hugo)|seph(?:acevedo|babatunde|ichael)|vannyanderson)|rawlings|uliewatson)|k(?:a(?:l(?:iaksandr|tschmidtdavid)|malnizar|rabo\.ramala|t(?:jamess|rinaziako))|ennedy\.sawadogo|halidbuhazza|kasbu|rnkl|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:enasinghs|rynne(?:0west|west))|i(?:amfinchus|fecshortt|liane\.bettencourt|nelink|sa(?:milner|robin))|john|oughreymargaret|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|diawright|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:incare|jor(?:dennishornbeck|townsend)|lletman|n(?:duesq|fran|uelfranco(?:(?:donation|foundation|spende))?)|r(?:i(?:ahhills|opabl)|kroth|shalh|tinamayer|y(?:franson|josen))|u(?:hin|rhinck)|viswan(?:czyk(?:(?:foundation|k))?)?)|brons|c\.cheadychang|dredban|elvidabullock|gfrederick|i(?:c(?:h(?:ael\.woosley|ealwuu)|w)|k(?:e\.weirsky\.foundational|hai(?:\.fridman|lfridm))|ss\.yasmineibrahim)|k(?:ent|untjoro)|oham(?:edabdul|m(?:daljililati|edshamekh))|r(?:\.(?:elbahi\.mohammed\.|justinmaxwell)|cjames|ericschmid|hanimuhammad|jamesmc|richardanthony|s(?:\.susanread|a(?:ishaalqadafi|ngela)|dominiquethomas|evelynbrown|fatimaamiraqureshi|hamima|jackman|lisamilner|ma(?:ureens|yaoliver)|r(?:eem|obinsanders|uthsmith)|sarahbenjamin|victoriaedmond))|s(?:\.ellagolan|agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|icholas\.jose|obuyuki\.hirano)|o(?:\.peace|fficerricherd|hallkenneth|xfaminternationa)|p(?:aul(?:eed|n)|b(?:ph202lay|rookk)|e(?:rezdonlorenzo|ter(?:\.waddell|guggi|kenin|stephen))|hillip\.richead)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymondaba)|e(?:alyh|beccagarang|em(?:has(?:himy|m)|n)|plyback|v(?:\.jamesabel|fr(?:ankjackson|paulwilliams)))|icha(?:miller|rdw(?:ahl|illis))|main|o(?:b(?:erthanandez|inf)|naldmorris|s(?:a\.gomes|ekipkalya))|raya|t\.rev\.ericmark|uddicklana)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cott(?:henryjames|peters)|e(?:cretservicce|rgeantrobertbrown)|gt(?:\.monicab|ireneb)|h(?:anemissler|ery(?:\.gtl|etr)|inawatrathaksin)|im(?:lkheng|onhei)|op(?:adam|hiajesse)|peelman|t(?:anleyjohn|ephentam)|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:a(?:mmywebster|y(?:ebsouami|lorcathy))|erryparkins|h(?:ailandbankoffice|e(?:ara\.choy|odorosloannis))|imothymetheny|lyerdonald|o(?:m(?:ander|c(?:hrist|rist(?:(?:donation|foundation))?)|spende)|ny(?:\.chung|zimpro)|shikazusendo))|u(?:derleyen|marukareem|n(?:claimedfunds|itednation(?:organization|s))|s(?:alotery|departmentofjustice))|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut))|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|hatsappofficial|i(?:elandherzog\.sw\.herad|ll(?:clark|iamsmartyrs))|u\.office|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo|o(?:ngkm|usefzongo))|z(?:bank|enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i
b780ea8d 8942
dfdd1e08 8943header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|ilmohammed|lesiakalina|nnhester\.usa)|b(?:ank\.phbng|en(?:jaminb|nicholas)|riceangela)|c(?:\.aroline|h(?:arlesscharf|jackson)|juan|ythiamiller\.un)|dhamilton|e(?:denvictor|ricalbert)|federal\.r|j(?:a(?:ckson\.davis|netemoon)|kimyong)|k(?:altschmidtdavid|elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|hman)|isarobinson_|y_cheapiseth)|m(?:\.kogi|arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye))|o(?:legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|o(?:bertbailey|serichard))|s(?:amthong|igurlauganna|leo|pwalker|te(?:fanopessina|vecox\.))|tylerhess\.|vanserge|will(?:clark|smi)|xianglongdai))\d+\@yahoo\.com$/i
b780ea8d
SI		 8944
8945header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i
8946
dfdd1e08
SI		 8947header __REPTO_INFONUMSCOM Reply-To:addr =~ /^info@\d{5,}\.com$/i
8948
b780ea8d
SI		 8949header __REPTO_RUS_FREEM Reply-To =~ /\@mail\.ru/i
8950
8951if !((version >= 3.003000))
8952 meta __RP_MATCHES_RCVD 0
8953endif
8954
8955if (version >= 3.003000)
8956if !plugin(Mail::SpamAssassin::Plugin::WLBLEval)
8957 meta __RP_MATCHES_RCVD 0
8958endif
8959endif
8960
8961if (version >= 3.003000)
8962ifplugin Mail::SpamAssassin::Plugin::WLBLEval
8963 header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd()
8964endif
8965endif
8966
8967body __SCAM /\bscam(?:m?e[dr])?s?\b/i
8968
fc5290a3
SI		 8969body __SCC_BODY_TEXT_LINE_FULL /^\s*\S/
8970tflags __SCC_BODY_TEXT_LINE_FULL multiple maxhits=3
8971
dfdd1e08
SI		 8972ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8973mimeheader __SCC_BOGUS_CTE_1 Content-Transfer-Encoding =~ /^Hexa/i
8974endif
46cfc9e2 8975
dfdd1e08
SI		 8976ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
8977mimeheader __SCC_CTMPP Content-Type =~ /multipart\/parallel/
8978endif
46cfc9e2 8979
fc5290a3
SI		 8980header __SCC_SUBJECT_HAS_NON_SPACE Subject =~ /\S/
8981
b780ea8d
SI		 8982body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i
8983
8984header __SENDER_BOT ALL =~ /(?:not?\W?repl[yi]|bounce|contact|daemon|subscri|report|respon[ds]e?r?s?\b|\b(?:root|news|nobody|agent|(?:post|web)?master|manag|send(?:er|ing)?|out|(?:bot|web|www)\b))[^\@ >]{0,5}s?\@\w/i
8985tflags __SENDER_BOT nice
8986
8987uri __SENDGRID_REDIR m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=,
8988
8989meta __SENDGRID_REDIR_NOPHISH __SENDGRID_REDIR && !__SENDGRID_REDIR_PHISH
8990
31955ede 8991meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || __FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ )
b780ea8d
SI		 8992
8993body __SHARE_IT /\b(?:(?:share|allocate|teilen|parteger(?:ez|ons)?|partage)\s(?:th(?:e|is)|das|les?|des)\s(?:proceeds|funds?|money|balance|account|geld|compte|fonds)|partager(?:ez|ons)? (?:avec (?:vous|moi)|ratio|suivant un pourcentage))\b/i
8994
31955ede 8995meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY && !__HDR_ENVFROM_SHOPIFY
46cfc9e2 8996
b780ea8d
SI		 8997uri __SHORT_URL /^https?:\/\/[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/
8998
8999body __SINGLE_WORD_LINE /^\s?\S{1,60}\s?$/
9000tflags __SINGLE_WORD_LINE multiple maxhits=2
9001
9002header __SINGLE_WORD_SUBJ Subject =~ /^\s*\S{1,60}\s*$/
9003
9004header __SMIME_MESSAGE Content-Type =~ /application\/pkcs7-mime;/i
9005
9006rawbody __SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/
9007tflags __SPAN_BEG_TEXT multiple maxhits=5
9008
9009rawbody __SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/
9010tflags __SPAN_END_TEXT multiple maxhits=5
9011
9012if !plugin(Mail::SpamAssassin::Plugin::SPF)
9013 meta __SPF_FULL_PASS 0
9014endif
9015
9016ifplugin Mail::SpamAssassin::Plugin::SPF
9017 meta __SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS)
9018 tflags __SPF_FULL_PASS net
9019endif
9020
9021if !plugin(Mail::SpamAssassin::Plugin::SPF)
9022 meta __SPF_RANDOM_SENDER 0
9023endif
9024
9025ifplugin Mail::SpamAssassin::Plugin::SPF
9026 meta __SPF_RANDOM_SENDER (SPF_HELO_PASS && !SPF_PASS)
9027 tflags __SPF_RANDOM_SENDER net
9028endif
9029
9030meta __SPOOFED_FREEMAIL !__NOT_SPOOFED && FREEMAIL_FROM
9031tflags __SPOOFED_FREEMAIL net
9032
9033meta __SPOOFED_FREEM_REPTO __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO
9034tflags __SPOOFED_FREEM_REPTO net
9035
9036rawbody __SPOOFED_URL m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i
9037
9038meta __STATIC_XPRIO_OLE __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE
9039
9040body __STAY_HOME /\b(?:going out of|leaving)(?: your)? (?:home|house|residence)\b/i
9041
9042body __STOCK_TIP /\bsto[ck]{2}\s?tip\b/i
9043
9044if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9045 rawbody __STY_INVIS /\bstyle\s*=\s*"[^">]{0,80}(?:(?<!-)visibility\s*:\s*hidden\s*|display\s*:\s*none\s*)[;"!]/i
9046 tflags __STY_INVIS multiple maxhits=6
9047endif
9048
9049if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9050 meta __STY_INVIS_1 __STY_INVIS == 1
9051endif
9052
9053if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
46cfc9e2 9054 meta __STY_INVIS_1_MINFP __STY_INVIS_1 && !MIME_QP_LONG_LINE && !__MOZILLA_MSGID
b780ea8d
SI		 9055endif
9056
9057if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9058 meta __STY_INVIS_2 __STY_INVIS > 1
9059endif
9060
9061if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9062 meta __STY_INVIS_3 __STY_INVIS > 2
9063endif
9064
9065if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9066 meta __STY_INVIS_DIRECT __STY_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED
9067endif
9068
9069if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9070 meta __STY_INVIS_MANY __STY_INVIS > 5
9071endif
9072
9073header __SUBJECT_EMPTY Subject:raw =~ /^\s*$/
9074
9075meta __SUBJECT_PRESENT_EMPTY __HAS_SUBJECT && __SUBJECT_EMPTY
9076
9077header __SUBJ_ADMIN Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i
9078
9079meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU
9080
9081header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/
9082tflags __SUBJ_BROKEN_WORD multiple maxhits=2
9083
9084meta __SUBJ_DOM_ADMIN __SUBJ_ADMIN && __PDS_FROM_NAME_TO_DOMAIN
9085
fc5290a3 9086header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*Subject:\s+[^\n]{0,100}\1[>,:\s\n]/ism
b780ea8d 9087
fc5290a3 9088header __SUBJ_HAS_TO_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n+(?:[^\n]{1,200}\n+)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
b780ea8d 9089
fc5290a3 9090header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n+)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
b780ea8d 9091
fc5290a3 9092header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n+)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism
b780ea8d
SI		 9093
9094header __SUBJ_NOT_SHORT Subject =~ /^.{16}/
9095
9096header __SUBJ_OBFU_PUNCT Subject =~ /(?:[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|(?:[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z](?![a-z])))/i
9097tflags __SUBJ_OBFU_PUNCT multiple maxhits=4
9098
9099header __SUBJ_RE Subject =~ /^(?:R[eE]|S[vV]|V[sS]|A[wW]):/
9100
9101header __SUBJ_SHORT Subject =~ /^.{0,8}$/
9102
b780ea8d
SI		 9103header __SUBJ_USB_DRIVES Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/
9104
9105body __SUBSCRIPTION_INFO /\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/i
9106tflags __SUBSCRIPTION_INFO nice
9107
9108body __SUM_OF_FUND /\b(?:sum|release|freigabe)\s(?:of|der)\s(?:amount|fund|investment|mittel)\b/i
9109
9110body __SURVEY /\bsurvey\b/i
9111
9112body __SURVIVORS /\b(?:widow|son|daughter|husband|wife|brother|sister|attorney|vi(?:=FA|[\xfa]|[\xc3][\xba])va|esposa|veuve)\s(?:of|to|do|de)\s(?:the\s)?(?:late|falecido|finales|feu|d(?:e|=E9|[\xe9]|[\xc3][\xa9])funt|mr\.?)\s\w+\b/i
9113
9114body __SUSPICION_LOGIN /\bsuspicion login\b/i
9115
9116body __SYSADMIN /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management|security|admin(?:istrat(?:or|ion))?) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i
9117
46cfc9e2
SI		 9118meta __TAGSTAT_IMG_NOT_RCVD_TGST __URI_IMG_TAGSTAT && !__HDR_RCVD_TAGSTAT
9119
31955ede
SI		 9120meta __TARINGANET_IMG_NOT_RCVD_TN __URI_IMG_TARINGANET && !__HDR_RCVD_TARINGANET
9121
b780ea8d
SI		 9122header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/
9123
9124rawbody __TENWORD_GIBBERISH /^\s*(?:[a-z]+\s+){10}\.$/m
9125tflags __TENWORD_GIBBERISH multiple maxhits=21
9126
46cfc9e2
SI		 9127ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9128 mimeheader __TEXT_XML_MT Content-Type =~ m,\btext/xml\b,i
9129endif
9130
b780ea8d
SI		 9131body __THEY_INHERIT /\b(?:inherit\sth(?:e|is)\smoney|herede\sest[ea]\sdinero)\b/i
9132
9133body __THIS_AD /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i
9134
9135meta __THREADED (!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF)
9136tflags __THREADED nice
9137
9138header __THREAD_INDEX_GOOD Thread-Index =~ m,^A[a-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==|[A-Za-z0-9+/]{7}|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$,
9139
9140header __TO_ALL_NUMS To:addr =~ /^\d+@/
9141
9142meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX
9143
fc5290a3
SI		 9144meta __TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE
9145
b780ea8d
SI		 9146if !plugin(Mail::SpamAssassin::Plugin::SPF)
9147 meta __TO_EQ_FM_DOM_SPF_FAIL 0
9148endif
9149
9150ifplugin Mail::SpamAssassin::Plugin::SPF
9151 meta __TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FROM_DOM && SPF_FAIL
9152 tflags __TO_EQ_FM_DOM_SPF_FAIL net
9153endif
9154
b780ea8d
SI		 9155if !plugin(Mail::SpamAssassin::Plugin::SPF)
9156 meta __TO_EQ_FM_SPF_FAIL 0
9157endif
9158
9159ifplugin Mail::SpamAssassin::Plugin::SPF
9160 meta __TO_EQ_FM_SPF_FAIL __TO_EQ_FROM && SPF_FAIL
9161 tflags __TO_EQ_FM_SPF_FAIL net
9162endif
9163
9164meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2)
9165describe __TO_EQ_FROM To: same as From:
9166
fc5290a3 9167header __TO_EQ_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
b780ea8d 9168
fc5290a3 9169header __TO_EQ_FROM_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
b780ea8d
SI		 9170
9171meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2)
9172describe __TO_EQ_FROM_DOM To: domain same as From: domain
9173
fc5290a3 9174header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To:\s+[^\n]+@\1[>,\s\n]/ism
b780ea8d 9175
fc5290a3 9176header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From:\s+[^\n]+@\1[>,\s\n]/ism
b780ea8d
SI		 9177
9178meta __TO_EQ_FROM_USR (__TO_EQ_FROM_USR_1 || __TO_EQ_FROM_USR_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)
9179describe __TO_EQ_FROM_USR To: username same as From: username
9180
fc5290a3 9181header __TO_EQ_FROM_USR_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism
b780ea8d 9182
fc5290a3 9183header __TO_EQ_FROM_USR_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*From:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism
b780ea8d
SI		 9184
9185meta __TO_EQ_FROM_USR_NN (__TO_EQ_FROM_USR_NN_1 || __TO_EQ_FROM_USR_NN_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)
9186describe __TO_EQ_FROM_USR_NN To: username same as From: username sans trailing nums
9187
fc5290a3 9188header __TO_EQ_FROM_USR_NN_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism
b780ea8d 9189
fc5290a3 9190header __TO_EQ_FROM_USR_NN_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*From:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism
b780ea8d
SI		 9191
9192meta __TO_EQ_FROM_USR_NN_MINFP __TO_EQ_FROM_USR_NN && !__TO_EQ_FROM_USR_1 && !__TO_EQ_FROM && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__DKIM_EXISTS && !__NOT_SPOOFED && !__RCD_RDNS_SMTP && !__RCD_RDNS_MX_MESSY && !__THREADED
9193
9194meta __TO_IN_SUBJ (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3)
9195
9196header __TO_NO_ARROWS_R To !~ /(?:>$|>,)/
9197
9198if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
9199 meta __TO_NO_BRKTS_FREEMAIL 0
9200endif
9201
9202ifplugin Mail::SpamAssassin::Plugin::FreeMail
9203 meta __TO_NO_BRKTS_FREEMAIL __TO_NO_ARROWS_R && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
9204endif
9205
9206meta __TO_NO_BRKTS_FROM_RUNON __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && __FROM_RUNON
9207
9208meta __TO_NO_BRKTS_HTML_IMG __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMG
9209
9210meta __TO_NO_BRKTS_HTML_ONLY __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLY
9211
9212meta __TO_NO_BRKTS_MSFT __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
9213
9214meta __TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_HTML_ONLY && RDNS_NONE
9215
9216meta __TO_NO_BRKTS_PCNT __TO_NO_ARROWS_R && __FB_NUM_PERCNT
9217
9218meta __TO_TOO_MANY_WFH_01 __TO_WAY_TOO_MANY && __WFH_01
9219
9220header __TO_UNDISCLOSED To =~ /\b(?:undisclosed[-\s]recipients|destinataires inconnus|destinatari nascosti)\b/i
9221
9222header __TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,90}){50}/
9223
9224body __TO_YOUR_ACCT /\b(?:(?:f[uo]nds|money|f[uo]ndo|dinheiro|bank)\s(?:\w{1,10}\s){0,4}(?:transfer(?:red)?|transferido|sont)|\d+)\s(?:to|para|en)\s(?:your?|sua|votre)\s(?:account|conta|pos+es+ion)/i
9225
9226body __TO_YOUR_ORG /\b(?:to|for) your organi[sz]ation\b/i
9227
9228header __TO___LOWER ALL =~ /to:\s\S{5}/
9229
9230body __TRANSFORM_LIFE /\b(transform|change) your (?:daily )?life(?:style)?\b/i
9231
9232body __TRAVEL_AGENT /\btravel\sagen(?:t|cy)\b/i
9233
9234body __TRAVEL_BUSINESS /\bbusiness\stravel\b/i
9235
9236body __TRAVEL_ITINERARY /(?:travel|ticketed|your|current) itinerary/i
9237
9238meta __TRAVEL_MANY (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2
9239
9240body __TRAVEL_PROFILE /\btravel+er\sprofile\b/i
9241
9242body __TRAVEL_RESERV /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i
9243
9244body __TRTMT_DEFILED /\bdefiled\sall\s(?:forms\sof\s)?(?:medical\s)?treatments?\b/i
9245
9246body __TRUNK_BOX /\b(?:(?:trunk|metallic|proof|security|consignment)\sbox(?:es)?|sealed\ssafe|une mallette m(?:e|=E9|[\xe9]|[\xc3][\xa9])tallique)\b/i
9247
9248body __TRUSTED_CHECK /\b(?:cashier'?s?|certified)\sche(?:ck|que)/i
9249
9250header __TT_BROKEN_VALIUM Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i
9251
9252header __TT_BROKEN_VIAGRA Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i
9253
9254header __TT_OBSCURED_VALIUM Subject =~ /(v|V|\\\/)(a|A|\(a\)|4|@)(l|L|\|)(i|I|1|\xef|\|)(u|U|\(u\))(m|M)/
9255
9256header __TT_OBSCURED_VIAGRA Subject =~ /(v|V|\\\/)(i|I|1|\xef|\|)(a|A|\(a\)|4|@)(g|G)(r|R)(a|A|\(a\)|4|@)/
9257
9258header __TT_VALIUM Subject =~ /VALIUM/i
9259
9260header __TT_VIAGRA Subject =~ /VIAGRA/i
9261
9262ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9263mimeheader __TVD_FW_GRAPHIC_ID1 Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/
9264endif
9265
9266ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9267mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i
9268endif
9269
9270ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9271mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i
9272endif
9273
9274ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9275mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i
9276endif
9277
9278ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9279mimeheader __TVD_OUTLOOK_IMG Content-Id =~ /<image\d+\.(?:gif|jpe?g|png)\@/
9280endif
9281
9282body __TVD_PH_BODY_01 /\baccount .{0,20}placed? [io]n restricted status/i
9283
9284body __TVD_PH_BODY_02 /\brecords (?:[a-z_,-]+ )+?(?:feature|(?:a|re)ward)/i
9285
9286body __TVD_PH_BODY_03 /\byou(?:'ve| have) been (?:[a-z_,-]+ )+?payment/i
9287
9288body __TVD_PH_BODY_04 /\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/i
9289
9290body __TVD_PH_BODY_05 /\bthis is (?:[a-z_,-]+ )+?protect (?:[a-z_,-]+ )+?your/i
9291
9292body __TVD_PH_BODY_06 /Dear [a-z]+ bank (?:member|customer)/i
9293
9294body __TVD_PH_BODY_07 /\bguarantee the safety of your (?:[a-z_,-]+ )*?account/i
9295
9296body __TVD_PH_BODY_08 /\bmultiple password failures/i
9297
9298body __TVD_PH_BODY_ACCOUNTS_POST /\b(?:(?:[dr]e-?)?activat[a-z]*|(?:re-?)?validate|secure|restore|confirm|update|suspend) (?!your)(?:[a-z_,-]+ )+?accounts?\b/i
9299
9300body __TVD_PH_BODY_ACCOUNTS_PRE /\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i
9301
9302meta __TVD_PH_BODY_META __TVD_PH_BODY_01 || __TVD_PH_BODY_02 || __TVD_PH_BODY_03 || __TVD_PH_BODY_04 || __TVD_PH_BODY_05 || __TVD_PH_BODY_06 || __TVD_PH_BODY_07 || __TVD_PH_BODY_08
9303
9304header __TVD_PH_SUBJ_00 Subject =~ /\brewards? survey\b/i
9305
9306header __TVD_PH_SUBJ_02 Subject =~ /\byour payment has been sent\b/i
9307
9308header __TVD_PH_SUBJ_04 Subject =~ /\baccounts? profile\b/i
9309
9310header __TVD_PH_SUBJ_15 Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i
9311
9312header __TVD_PH_SUBJ_17 Subject =~ /\bremove limitations?\b/i
9313
9314header __TVD_PH_SUBJ_18 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i
9315
9316header __TVD_PH_SUBJ_19 Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i
9317
9318header __TVD_PH_SUBJ_29 Subject =~ /^notice(?::|[\s\W]*$)/i
9319
9320header __TVD_PH_SUBJ_31 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i
9321
9322header __TVD_PH_SUBJ_36 Subject =~ /\bconsumer notice\b/i
9323
9324header __TVD_PH_SUBJ_37 Subject =~ /\bvalued member[a-z]*\b/i
9325
9326header __TVD_PH_SUBJ_38 Subject =~ /\bonline bank[a-z]*\b/i
9327
9328header __TVD_PH_SUBJ_39 Subject =~ /\bonline department\b/i
9329
9330header __TVD_PH_SUBJ_41 Subject =~ /\bunusual activity\b/i
9331
9332header __TVD_PH_SUBJ_52 Subject =~ /\b(?:account|online) profile\b/i
9333
9334header __TVD_PH_SUBJ_54 Subject =~ /\bun-?authorized access(?:es)?\b/i
9335
9336header __TVD_PH_SUBJ_56 Subject =~ /\brespond now\b/i
9337
9338header __TVD_PH_SUBJ_58 Subject =~ /\bbilling service\b/i
9339
9340header __TVD_PH_SUBJ_59 Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i
9341
9342header __TVD_PH_SUBJ_ACCESS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i
9343
9344meta __TVD_PH_SUBJ_META __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST
9345
fc5290a3
SI		 9346meta __TVD_SPACE_ENCODED (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED)
9347
b780ea8d
SI		 9348if !plugin(Mail::SpamAssassin::Plugin::BodyEval)
9349 meta __TVD_SPACE_RATIO 0
9350endif
9351
9352header __TVD_SUBJ_NUM_OBFU Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i
9353
9354meta __T_PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512 || __PDS_QP_512)
9355
9356header __UA_GNUS User-Agent =~ /^Gnus/
9357
fc5290a3
SI		 9358header __UA_IMP User-Agent =~ /^Internet Messaging Program/
9359
b780ea8d
SI		 9360header __UA_KMAIL User-Agent =~ /^KMail/
9361
9362header __UA_KNODE User-Agent =~ /^KNode/
9363
9364header __UA_MOZ5 User-Agent =~ /^Mozilla\/5/
9365
fc5290a3
SI		 9366header __UA_MSENTOUR User-Agent =~ /^Microsoft-Entourage/
9367
b780ea8d
SI		 9368header __UA_MSOEMAC User-Agent =~ /^Microsoft-Outlook-Express-Mac/
9369
9370header __UA_MSOMAC User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/
9371
9372header __UA_MUTT User-Agent =~ /^Mutt/
9373
9374header __UA_OPERA7 User-Agent =~ /^Opera7/
9375
9376header __UA_PAN User-Agent =~ /^Pan/
9377
9378header __UA_XNEWS User-Agent =~ /^Xnews/
9379
9380body __UC_GIBB_OBFU /\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/
9381tflags __UC_GIBB_OBFU multiple maxhits=2
9382
9383body __UN /\bunited\snations?\b/i
9384
9385meta __UNDISC_FREEM __TO_UNDISCLOSED && __freemail_replyto
9386
9387meta __UNDISC_MONEY __TO_UNDISCLOSED && (__ADVANCE_FEE_2_NEW || LOTS_OF_MONEY)
9388
9389if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9390 body __UNICODE_OBFU_ASC /[a-z0-9\s](?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9]{1,8}(?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9\s]/i
9391 tflags __UNICODE_OBFU_ASC multiple maxhits=10
9392endif
9393
9394if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9395 meta __UNICODE_OBFU_ASC_MANY __UNICODE_OBFU_ASC > 9
9396endif
9397
9398if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9399 body __UNICODE_OBFU_ZW /[a-z0-9\s](?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+[a-z0-9\s]/i
9400 tflags __UNICODE_OBFU_ZW multiple maxhits=10
9401endif
9402
9403if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9404 meta __UNICODE_OBFU_ZW_10 __UNICODE_OBFU_ZW > 9
9405endif
9406
9407if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9408 meta __UNICODE_OBFU_ZW_2 __UNICODE_OBFU_ZW > 1
9409endif
9410
9411if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9412 meta __UNICODE_OBFU_ZW_3 __UNICODE_OBFU_ZW > 2
9413endif
9414
9415if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9416 meta __UNICODE_OBFU_ZW_5 __UNICODE_OBFU_ZW > 4
9417endif
9418
9419body __UNSUB_EMAIL /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b[-a-z_0-9.+=]{0,60}\@[a-z0-9][-a-z_0-9.]{4,20}(?:[^a-z_0-9.-]|$)/i
9420tflags __UNSUB_EMAIL nice
9421
dfdd1e08
SI		 9422body __UNSUB_GOOG_FORM m,Unsub?sc?ribe\s<?https?://docs\.google\.com/forms/,i
9423
b780ea8d
SI		 9424uri __UNSUB_LINK /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b/i
9425tflags __UNSUB_LINK nice
9426
9427body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:(?:[hw]as|and)\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage|you (?:have )?(?:failed|refused) to up(?:date|grade))\b/i
9428
9429uri __UPPERCASE_URI /^[^:A-Z]+[A-Z]/
9430
9431uri __URI_12LTRDOM m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i
9432
9433uri __URI_ADOBESPARK m,https?://branchlink\.adobespark\.com/,i
9434
9435uri __URI_AZURE_CLOUDAPP m,://(?:[^./]+\.)+cloudapp\.azure\.com/,
9436
9437uri __URI_DASHGOVEDU m,://[^/]*-(?:gov|edu)\.com/,i
9438
9439uri __URI_DATA /^data:(?!image\/)[a-z]/i
9440
9441uri __URI_DBL_DOM m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i
9442
b780ea8d
SI		 9443uri __URI_DOTEDU m;^https?://(?:[^./]+\.)+edu/;i
9444
9445meta __URI_DOTEDU_ENTITY __URI_DOTEDU && __AC_HTML_ENTITY_BONANZA_SHRT_RAW
9446
9447uri __URI_DOTGOV m;^https?://(?:[^./]+\.)+gov/;i
9448
9449uri __URI_DOTTY_HEX /(?:\.[0-9a-f]{2}){30}/
9450
9451uri __URI_DQ_UNSUB m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i
9452
9453uri __URI_FIREBASEAPP m,://[^./]+\.firebaseapp\.com/,
9454
9455uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:[^&]+&)*(?:id|formkey|usp)=|document/),i
9456
9457uri __URI_GOOGLE_DRV m,^https?://(?:drive\.google|googledrive)\.com/,i
9458
9459uri __URI_GOOGLE_PROXY m;^https?://[^.]+\.googleusercontent\.com/proxy/;i
9460
46cfc9e2
SI		 9461uri __URI_GOOG_STO_EMAIL m;^https?://(?:firebase)?storage\.googleapis\.com/.*[a-z0-9]@(?:[a-z0-9]{2,20}\.){1,3}[a-z]{2,3}$;i
9462
b780ea8d
SI		 9463uri __URI_GOOG_STO_HTML m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.html?(?:$|\?),i
9464tflags __URI_GOOG_STO_HTML multiple maxhits=5
9465
46cfc9e2 9466uri __URI_GOOG_STO_IMG m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.(?:png|jpe?g|gif)$,i
b780ea8d
SI		 9467tflags __URI_GOOG_STO_IMG multiple maxhits=5
9468
9469uri __URI_HEX_IP m;://0x[0-9A-F]{8,}[:/];i
9470
31955ede 9471meta __URI_HOSTED_IMG ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT || __URI_IMG_FACEBOOK || __URI_IMG_TARINGANET || __URI_IMG_BEBEE || __URI_IMG_EFUSERASSETS || __URI_IMG_IMGBOX_THUMB || __URI_IMG_500PXORG || __URI_IMG_WIXMP || __URI_IMG_POSTIMGCC || __URI_IMG_GTRACING || __URI_IMG_JOOMCDN || __URI_IMG_DHRESOURCE )
b780ea8d 9472
31955ede
SI		 9473uri __URI_IMG_500PXORG m;://drscdn\.500px\.org/photo/;i
9474
9475uri __URI_IMG_ALICDN m,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g|gif|png|webp),i
9476
9477uri __URI_IMG_AMAZON m,://[^/?]+\.(?:ssl-)?(?:images|media)-amazon\.com/.*\.(?:png|gif|jpe?g|webp)$,i
9478
9479uri __URI_IMG_BEBEE m;://contents\.bebee\.com/users/.+\.(?:jpe?g|gif|png|webp);i
b780ea8d
SI		 9480
9481uri __URI_IMG_CHANNYPIC m,://www\.channypicture\.com/pic/,i
9482
31955ede
SI		 9483uri __URI_IMG_DHRESOURCE m;://www\.dhresource\.com/.+\.(?:jpe?g|gif|png|webp);i
9484
b780ea8d
SI		 9485uri __URI_IMG_EBAY m,://[^/?]+\.ebayimg\.com/,i
9486
31955ede
SI		 9487uri __URI_IMG_EFUSERASSETS m;://\d+\.efuserassets\.com/\d+/.+\.(?:jpe?g|gif|png|webp);i
9488
9489uri __URI_IMG_FACEBOOK m;://([^/.]+\.)+fbcdn\.net/v/.+\.(?:jpe?g|gif|png|webp);i
9490
9491uri __URI_IMG_GBTCDN m;://des\.gbtcdn\.com/storage/store/[0-9a-f/]{30,}\.(?:png|gif|jpe?g|webp)$;i
9492
31955ede
SI		 9493uri __URI_IMG_GTRACING m;://shopify\.gtracing\.com/img/.+\.(?:jpe?g|gif|png|webp);i
9494
9495uri __URI_IMG_IMGBOX_THUMB m;://thumbs\d*\.imgbox\.com/.+\.(?:jpe?g|gif|png|webp);i
cabe596e 9496
b780ea8d 9497uri __URI_IMG_JOOMCDN m,://img\.joomcdn\.net/,i
31955ede 9498uri __URI_IMG_JOOMCDN m;://img\.joomcdn\.net/.+\.(?:jpe?g|gif|png|webp);i
b780ea8d 9499
46cfc9e2
SI		 9500uri __URI_IMG_LINKEDIN m;://media-exp\d\.licdn\.com/dms/image/;i
9501
b780ea8d
SI		 9502uri __URI_IMG_NEWEGG m,://[^/?]+\.neweggimages\.com/,i
9503
31955ede
SI		 9504uri __URI_IMG_POSTIMGCC m;://i\.postimg\.cc/.+\.(?:jpe?g|gif|png|webp);i
9505
9506uri __URI_IMG_SHOPIFY m,://cdn\.shopify\.com/.+\.(?:jpe?g|gif|png|webp),i
b780ea8d
SI		 9507
9508uri __URI_IMG_STATICBG m,://imgaz\.staticbg\.com/images/,i
9509
31955ede
SI		 9510uri __URI_IMG_TAGSTAT m;://i\d+\.tagstat\.com/.+\.(?:jpe?g|gif|png|webp);i
9511
9512uri __URI_IMG_TARINGANET m;://media\.taringa\.net/knn/;i
46cfc9e2 9513
cabe596e
SI		 9514uri __URI_IMG_TOPHATTER m;://images\.tophatter\.com/[0-9a-f]{30,}/;i
9515
31955ede 9516uri __URI_IMG_TUMBLR m;://\d+\.media\.tumblr\.com/.+\.(?:jpe?g|gif|png|webp);i
46cfc9e2 9517
b780ea8d
SI		 9518uri __URI_IMG_WALMART m,://[^/?]+\.walmartimages\.com/,i
9519
9520uri __URI_IMG_WISH m,://contestimg\.wish\.com/,i
9521
31955ede
SI		 9522uri __URI_IMG_WIXMP m;://images-wixmp-[0-9a-f]{20,}\.wixmp\.com/;i
9523
b780ea8d
SI		 9524uri __URI_IMG_WP_REDIR m;://i[02]\.wp\.com/.*\.(?:jpe?g|gif|png)$;i
9525
9526uri __URI_IMG_YTIMG m,://[^/?]+\.ytimg\.com/,i
9527
31955ede 9528uri __URI_LONG_REPEAT m;(?:://|@)(?:\w+\.)*(\w{7,}\.)\1;i
b780ea8d
SI		 9529
9530uri __URI_MAILTO /^mailto:/i
9531tflags __URI_MAILTO multiple maxhits=16
9532
9533uri __URI_MONERO /buy-monero/i
9534
9535meta __URI_ONLY_MSGID_MALF __BODY_URI_ONLY && __MSGID_NOFQDN2
9536
9537meta __URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH)
9538
9539uri __URI_PHP_REDIR m;/redirect\.php\?;i
9540
46cfc9e2
SI		 9541uri __URI_PRODUCT_AMAZON m,://www\.amazon\.(?:com|co\.uk|[a-z][a-z])/dp/[a-z0-9]{10}/,i
9542
dfdd1e08 9543uri __URI_TRY_3LD m,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob|images?|photos?)\w)[^.]*\.(?:(?!list-manage\.)[^/.]+\.)+(?:com|net)\b,i
cabe596e 9544
b780ea8d
SI		 9545uri __URI_TRY_USME m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i
9546
9547uri __URI_WEBAPP m,://[^./]+\.web\.app/,
9548
9549uri __URI_WPADMIN m,/wp-admin/\w+/,i
9550
9551uri __URI_WPCONTENT m,/wp-content/.*\.(?:php|html?)\b,i
9552
9553uri __URI_WPDIRINDEX m,/wp-(?:content|includes)/.*/$,i
9554
9555uri __URI_WPINCLUDES m,/wp-includes/.*\.(?:php|html?)\b,i
9556
9557uri __URL_BTC_ID m;[/.](?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})(?:/|$);
9558
9559uri __URL_LTC_ID m;[/.][LM3][a-km-zA-HJ-NP-Z1-9]{26,33}(?:/|$);
9560
b780ea8d
SI		 9561header __USING_VERP1 Return-Path =~ /[+-].*=/
9562
9563header __VACATION Subject =~ /\b(?:vacatio|away|out.of.offic|auto.?re|confirm)/i
9564tflags __VACATION nice
9565
46cfc9e2 9566body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails)|verify [a-z][a-z0-9_]{3,40}@[a-z][a-z0-9]{2,30}\.[a-z]{2,6}|your mailbox [^@\s]{3,30}@\S{3,30} (?:(?:needs to|must) be verified|(?:needs|requires) verification))\b/i
b780ea8d
SI		 9567tflags __VALIDATE_MAILBOX multiple maxhits=2
9568
9569body __VALIDATE_MBOX_SE /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i
9570
9571body __VERIFY_ACCOUNT /(?:confirm|updated?|verif(?:y|ied)) (?:your|the) (?:(?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)|"?[^\@\s]+\@\S+"? (?:account|mail ?box)|confirm verification|verify k?now|Ihre Angaben .berpr.ft und best.tigt)/i
9572tflags __VERIFY_ACCOUNT multiple maxhits=2
9573
9574meta __VFY_ACCT_NORDNS __VERIFY_ACCOUNT && __RDNS_NONE
9575
9576if (version >= 3.004002)
9577ifplugin Mail::SpamAssassin::Plugin::WLBLEval
9578header __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i
9579endif
9580endif
9581
9582meta __WALMART_IMG_NOT_RCVD_WAL __URI_IMG_WALMART && !__HDR_RCVD_WALMART
9583
9584body __WEBMAIL_ACCT /\byour web ?mail account/i
9585
9586body __WE_PAID /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i
9587
9588meta __WFH_01 ( __PERFECT_BINARY + __WE_PAID + __MAKE_XTRA_DOLLAR + __BONUS_LAST_DAY + __PASSIVE_INCOME + __WITHOUT_EFFORT + __TRANSFORM_LIFE + __STAY_HOME + __RECEIVE_BONUS ) > 2
9589
9590body __WIDOW /\b(?:widow(?:e[rd])'?s?|veuve)\b/i
9591
9592body __WILL_LEGAL /\b(?:codicil|last\stestament|probate|executor|intestate|bequest|mandamus)\b/i
9593
9594body __WIRE_XFR /\b(?:wire|telegraph(?:ic)?|bank)\s?transfer/i
9595
9596body __WITHOUT_EFFORT /\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great| special| extra)? effort\b/i
9597
9598if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9599 rawbody __WORD_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|in|pc|em|ex|ch|rem|lh|vmax))\s*[;'a-z]|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w{1,20}</i
9600 tflags __WORD_INVIS multiple maxhits=6
9601endif
9602
9603if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9604 meta __WORD_INVIS_2 __WORD_INVIS > 1
9605endif
9606
9607if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9608 meta __WORD_INVIS_5 __WORD_INVIS > 5
9609endif
9610
9611if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
9612 meta __WORD_INVIS_MINFP __WORD_INVIS && !__SURVEY && !MIME_QP_LONG_LINE && !__FB_TOUR && !__MSGID_GUID
9613endif
9614
9615header __XEROXWORKCTR_MUA X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/
9616
b780ea8d
SI		 9617meta __XFER_MONEY (__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT || __MOVE_MONEY || __TO_YOUR_ACCT || __PAY_YOU || __GIVE_MONEY)
9618
31955ede
SI		 9619ifplugin Mail::SpamAssassin::Plugin::FreeMail
9620 header __XMAIL_CODEIGN X-Mailer =~ /CodeIgniter/
9621endif
9622
9623ifplugin Mail::SpamAssassin::Plugin::FreeMail
9624 header __XMAIL_PHPMAIL X-Mailer =~ /PHPMailer/
9625endif
9626
fc5290a3
SI		 9627header __XM_APPLEMAIL X-Mailer =~ /^Apple Mail/
9628
46cfc9e2
SI		 9629header __XM_ASPQMAIL X-Mailer =~ /^AspQMail/
9630
b780ea8d
SI		 9631header __XM_BALSA X-Mailer =~ /^Balsa \d/
9632
9633header __XM_CALYPSO X-Mailer =~ /^Calypso/
9634
fc5290a3
SI		 9635header __XM_COMMUNIG X-Mailer =~ /^CommuniGate/
9636
b780ea8d
SI		 9637header __XM_DIGITS_ONLY X-Mailer =~ /^\s*\d+\s*$/
9638
cabe596e
SI		 9639header __XM_EC_MESSENGER X-Mailer =~ /\beC-Messenger\b/
9640
fc5290a3
SI		 9641header __XM_EDMAX X-Mailer =~ /^EdMax/
9642
9643header __XM_ELM X-Mailer =~ /^ELM/
9644
9645header __XM_EMUMAIL X-Mailer =~ /^EMUmail/
9646
9647header __XM_EXMH X-Mailer =~ /^exmh/
9648
b780ea8d
SI		 9649header __XM_FORTE X-Mailer =~ /^Forte Agent \d/
9650
9651header __XM_GNUS X-Mailer =~ /^Gnus v/
9652
fc5290a3
SI		 9653header __XM_IMAIL X-Mailer =~ /^<IMail v\d/
9654
9655header __XM_LOTUSN X-Mailer =~ /^Lotus Notes/
9656
9657header __XM_MAILCITY X-Mailer =~ /^MailCity Service/
9658
9659header __XM_MAILSMITH X-Mailer =~ /^Mailsmith /
9660
b780ea8d
SI		 9661header __XM_MHE X-Mailer =~ /^mh-e \d/
9662
fc5290a3
SI		 9663header __XM_MIMETOOLS X-Mailer =~ /^MIME-tools \d/i
9664
b780ea8d
SI		 9665header __XM_MOZ4 X-Mailer =~ /^Mozilla 4/
9666
fc5290a3
SI		 9667header __XM_MSCDO X-Mailer =~ /^Microsoft CDO/
9668
b780ea8d
SI		 9669header __XM_MSOE5 X-Mailer =~ /^Microsoft Outlook Express 5/
9670
9671header __XM_MSOE6 X-Mailer =~ /^Microsoft Outlook Express 6/
9672
fc5290a3
SI		 9673header __XM_MSOUT X-Mailer =~ /^Microsoft Outlook[, ]?\s?[BIC]/ #Build, IMO, CWS
9674
b780ea8d
SI		 9675header __XM_MS_IN_GENERAL X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/
9676
9677header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/
9678
9679header __XM_OL_28001441 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/
9680
9681header __XM_OL_28004682 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/
9682
9683header __XM_OL_48072300 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/
9684
9685header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/
9686
fc5290a3
SI		 9687header __XM_OPERA6 X-Mailer =~ /^Opera 6/
9688
b780ea8d
SI		 9689header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/
9690
fc5290a3
SI		 9691header __XM_PEGASUS X-Mailer =~ /^Pegasus Mail/
9692
b780ea8d
SI		 9693header __XM_PHPMAILER_FORGED X-Mailer =~ /PHPMailer\s.*version\D+$/
9694
fc5290a3
SI		 9695header __XM_QUALCOM X-Mailer =~ /^QUALCOMM Windows Eudora/
9696
dfdd1e08 9697header __XM_RANDOM X-Mailer =~ /q(?!(?:q|box|i\s)?mail|\d|[-\w]*=+;)[^u]/i
b780ea8d
SI		 9698
9699header __XM_SKYRI X-Mailer =~ /^SKYRiXgreen/
9700
9701header __XM_SQRLMAIL X-Mailer =~ /^SquirrelMail/
9702
9703header __XM_SYLPHEED X-Mailer =~ /^Sylpheed/
9704
9705header __XM_UC_ONLY X-Mailer =~ /^[^a-z]+$/
9706
46cfc9e2
SI		 9707header __XM_VERY_LONG X-Mailer =~ /.{50}/
9708
b780ea8d
SI		 9709header __XM_VM X-Mailer =~ /^VM \d/
9710
9711header __XM_WWWMAIL X-Mailer =~ /^WWW-Mail \d/
9712
9713header __XM_XIMEVOL X-Mailer =~ /^Ximian Evolution/
9714
31955ede 9715meta __XPRIO_MINFP __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT && !__L_BODY_8BITS && !__HAS_X_SENDER
b780ea8d
SI		 9716
9717meta __XPRIO_SHORT_SUBJ __XPRIO_MINFP && __SUBJ_SHORT
9718
46cfc9e2
SI		 9719ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9720 mimeheader __X_MSO_MT Content-Type =~ m,\bapplication/x-mso\b,i
9721endif
9722
b780ea8d
SI		 9723body __YOUR_BANK /\byour?\s(?:full\s)?bank(?:ing)?\sinformations?\b/i
9724
9725body __YOUR_CONSIGNMENT /\b(?:received?|pa(?:y|id)|sen[dt]|h[oe]ld|delay(?:ed)?|impound(?:ed)?|released?|ship(?:ped)?)\syour(?:\s\w+)?\sconsignment\b/i
9726
9727body __YOUR_FUND /\b(?:your|ihr)\s(?:unpaid\s|win+ing\s|ap+roved\s|foreign\s|overdue\s|outstanding\s|contract\s|inheritance\s|nicht\sausbezahlten\s){0,3}(?:fund|f\su\sn\sd|payment|geld)\b/i
9728
9729if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9730 body __YOUR_ONAN /\b(?:your?|ihrer)\s(?:ma+s+t+[ur]+b+a+t+(?:ion|ing|e)(?:svideo)?|onanism|solitary\ssex|hand\sfucking|Selbstbefriedigung|(?:pleasur(?:e|ing)|satisfy(?:ing)?)\syourself)\b/i
9731endif
9732
9733ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9734 body __YOUR_ONAN /(?:^|\s)(?:<Y><O><U><R>?|<I><H><R><E><R>)\s(?:<M>+<A>+<S>+<T>+(?:<U>|<R>)+<B>+<A>+<T>+(?:<I><O><N>|<I><N><G>|<E>)(?:<S><V><I><D><E><O>)?|<O><N><A><N><I><S><M>|<S><O><L><I><T><A><R><Y>\s<S><E><X>|<H><A><N><D>\s<F><U><C><K><I><N><G>|<S><E><L><B><S><T><B><E><F><R><I><E><D><I><G><U><N><G>|(?:<P><L><E><A><S><U><R>(?:<E>|<I><N><G>)|<S><A><T><I><S><F><Y>(?:<I><N><G>)?)\s<Y><O><U><R><S><E><L><F>)/i
9735endif
9736
9737if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9738 body __YOUR_PASSWORD /\b(?:your|(?:change|modify|update|reset|alter|fix)\sthe)\s(?:account\s|e-?mail\s)?(?:pass[-\s_]?word|pswd)\b/i
9739endif
9740
9741ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9742 body __YOUR_PASSWORD /(?:^|\s)(?:<Y><O><U><R>|(?:<C><H><A><N><G><E>|<M><O><D><I><F><Y>|<U><P><D><A><T><E>|<R><E><S><E><T>|<A><L><T><E><R>|<F><I><X>)\s<T><H><E>)\s(?:<A><C><C><O><U><N><T>\s|<E>-?<M><A><I><L>\s)?(?:<P><A><S><S>[-\s_]?<W><O><R><D>|<P><S><W><D>\s)/i
9743endif
9744
9745body __YOUR_PERM /\byour\spermission\b/i
9746
9747if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9748 body __YOUR_PERSONAL /\b(?:your\s(?:personal|private|social\scontact|address|friends)\s(?:info(?:rmation)?|data|details|book|secrets)|all\s(?:of\s)?your\s(?:files|contacts|secrets|correspondence))\b/i
9749endif
9750
9751ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9752 body __YOUR_PERSONAL /(?:^|\s)(?:<Y><O><U><R>\s(?:<P><E><R><S><O><N><A><L>|<P><R><I><V><A><T><E>|<S><O><C><I><A><L>\s<C><O><N><T><A><C><T>|<A><D><D><R><E><S><S>|<F><R><I><E><N><D><S>)\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>|<D><E><T><A><I><L><S>|<B><O><O><K>|<S><E><C><R><E><T><S>)|<A><L><L>\s(?:<O><F>\s)?<Y><O><U><R>\s(?:<F><I><L><E><S>|<C><O><N><T><A><C><T><S>|<S><E><C><R><E><T><S>|<C><O><R><R><E><S><P><O><N><D><E><N><C><E>))[\s\.,]/i
9753endif
9754
9755body __YOUR_PROFIT /\byour?\sprofit/i
9756
9757if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
9758 body __YOUR_WEBCAM /\b(?:from|your|with|and|on)\s(?:(?:screen|desktop|microphone)\sand\s|own\s)?(?:web[-\s]?|front[-\s]?|network\s|your\s)camer+a/i
9759endif
9760
9761ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
9762 body __YOUR_WEBCAM /(?:^|\s)(?:<F><R><O><M>|<Y><O><U><R>|<W><I><T><H>|<A><N><D>|<O><N>)\s(?:(?:<S><C><R><E><E><N>|<D><E><S><K><T><O><P>|<M><I><C><R><O><P><H><O><N><E>)\s<A><N><D>\s|<O><W><N>\s)?(?:<W><E><B>[-\s]?|<F><R><O><N><T>[-\s]?|<N><E><T><W><O><R><K>\s|<Y><O><U><R>\s)<C><A><M><E><R>+<A>/i
9763endif
9764
9765body __YOU_ASSIST /\b(?:your\sas+istan(?:ce|t)|votre\s(?:as+istance|aide))\b/i
9766
9767body __YOU_INHERIT /\byour\s[a-z\s]{0,30}inherit+ance\b/i
9768
9769meta __YOU_WON __YOU_WON_01 || __YOU_WON_02 || __YOU_WON_03 || __YOU_WON_04 || __HAS_WON_01 || (__YOU_WON_05 && (__MOVE_MONEY || __GIVE_MONEY))
9770
9771body __YOU_WON_01 /\byou(?:r|'re|'ve|'ll|\shave|\sdid)?\s(?:e-?mail\s)?(?:\w+\s){0,2}(?:a\s)?w[io]n+(?:er|ing)?(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i
9772
9773body __YOU_WON_02 /\bw[io]n\s(?:(?:for|by)\s)?your?\b/i
9774
9775body __YOU_WON_03 /\b(?:your?|win+ing|win+ers?|beneficiaries|participants?|individuals?|address(?:es)?|accounts?|emails?)(?:\s[-a-z\s]{4,40})?\s(?:w(?:ere|as)|ha(?:ve|s) be(?:en)?)\s(?:automatically\s)?(?:(?:randomly|raffly)\s(?:selected|cho+sen|cho+sing|picked)|(?:selected|cho+sen|cho+sing|picked)\s(?:[a-z\s]{2,40}?\srandom(?:ly)?|online|lottery|computer\s(?:ballot|wahlgang))|(?:selected|cho+sen|cho+sing|picked)(?:\sas?|\sthe){0,3}\swin+er)/i
9776
9777body __YOU_WON_04 /\bqu[ei]\s?(?:vous (?:[\xc3][\xaa]|=C3=AA|[\xea]|e)tes\s?gagnant|en\scons(?:e|=E9|[\xe9]|[\xc3][\xa9])quence\sgagne)\b/i
9778
9779body __YOU_WON_05 /\bI won(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i
9780
9781if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
9782 meta __ZIP_ATTACH_MT 0
9783endif
9784
9785ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9786 mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i
9787endif
9788
9789if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
9790 meta __ZIP_ATTACH_NOFN 0
9791endif
9792
9793ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
9794 mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i
9795endif
9796
9797ifplugin Mail::SpamAssassin::Plugin::FreeMail
9798 header __freemail_mailreplyto eval:check_freemail_header('Mail-Reply-To')
9799endif
9800
9801body __hk_bigmoney /(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i
9802
21dcadbf
SI		 9803body __hk_win_0 /\byour? e-?mail just w[oi]n/i
9804
9805body __hk_win_2 /\battn.{0,10}winner/i
9806
9807body __hk_win_3 /\bhappily aa?nnounce/i
9808
9809body __hk_win_4 /\bpleas(?:ure|ed) to inform/i
9810
9811body __hk_win_5 /\b(?:notice the|your) winning/i
9812
9813body __hk_win_7 /\bcongratulations? to your/i
9814
9815body __hk_win_8 /\bunexpected luck/i
9816
9817body __hk_win_9 /\blucky (?:nl )number/i
9818
9819body __hk_win_a /\bwinning (?:e-?mail|numbers|information)/i
9820
9821body __hk_win_b /\byour e-?mail (?:address )?(?:has )?w[io]n/i
9822
9823body __hk_win_c /\bune adresse e-?mail sur internet/i
9824
9825body __hk_win_d /\bcategory (?:\S{0,5} )?winner of our/i
9826
9827body __hk_win_i /\bfunds? transfer/i
9828
9829body __hk_win_j /\b(?:winning|ready for|sum) pay ?out/i
9830
9831body __hk_win_l /\b(?:make|file) (?:for )?your claim/i
9832
9833body __hk_win_m /\br.clamation de votre prix/i
9834
9835body __hk_win_n /\bcollect your prize/i
9836
9837body __hk_win_o /\bclarification and procedure/i
9838
b780ea8d
SI		 9839ifplugin Mail::SpamAssassin::Plugin::FreeMail
9840header __smf_freemail_hdr_replyto eval:check_freemail_header('Reply-To:addr')
9841endif
SA for PMG