Commit | Line | Data |
---|---|---|
b780ea8d SI |
1 | # SpamAssassin rules file |
2 | # | |
3 | # Please don't modify this file as your changes will be overwritten with | |
4 | # the next update. Use /etc/mail/spamassassin/local.cf instead. | |
5 | # See 'perldoc Mail::SpamAssassin::Conf' for details. | |
6 | # | |
7 | # <@LICENSE> | |
8 | # Licensed to the Apache Software Foundation (ASF) under one or more | |
9 | # contributor license agreements. See the NOTICE file distributed with | |
10 | # this work for additional information regarding copyright ownership. | |
11 | # The ASF licenses this file to you under the Apache License, Version 2.0 | |
12 | # (the "License"); you may not use this file except in compliance with | |
13 | # the License. You may obtain a copy of the License at: | |
14 | # | |
15 | # http://www.apache.org/licenses/LICENSE-2.0 | |
16 | # | |
17 | # Unless required by applicable law or agreed to in writing, software | |
18 | # distributed under the License is distributed on an "AS IS" BASIS, | |
19 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
20 | # See the License for the specific language governing permissions and | |
21 | # limitations under the License. | |
22 | # </@LICENSE> | |
23 | # | |
24 | ########################################################################### | |
25 | ||
21dcadbf SI |
26 | require_version 4.000000 |
27 | ||
28 | ##{ ACCT_PHISHING_MANY | |
29 | ||
 | # Fires when either the account-phishing or the e-mail-phishing subrule matches, unless one of the two more specific Google phishing rules has already hit (presumably so one message is not counted under both - confirm). | |
30 | meta ACCT_PHISHING_MANY (__ACCT_PHISH_MANY || __EMAIL_PHISH_MANY) && !GOOGLE_DOCS_PHISH_MANY && !GOOG_STO_HTML_PHISH_MANY | |
31 | describe ACCT_PHISHING_MANY Phishing for account information | |
 | # NOTE(review): the score line is commented out, so this file assigns no score to the rule; "# limit" looks like a ceiling for a score that is set elsewhere - confirm against the scores file before relying on 3.000. | |
32 | #score ACCT_PHISHING_MANY 3.000 # limit | |
33 | ##} ACCT_PHISHING_MANY | |
b780ea8d | 34 | |
b780ea8d SI |
35 | ##{ AC_BR_BONANZA |
36 | ||
37 | rawbody AC_BR_BONANZA /(?:<br>\s*){30}/i | |
38 | describe AC_BR_BONANZA Too many newlines in a row... spammy template | |
39 | #score AC_BR_BONANZA 0.001 | |
40 | tflags AC_BR_BONANZA publish | |
41 | ##} AC_BR_BONANZA | |
42 | ||
43 | ##{ AC_DIV_BONANZA | |
44 | ||
45 | rawbody AC_DIV_BONANZA /(?:<div>(?:\s*<\/div>)?\s*){10}/i | |
46 | describe AC_DIV_BONANZA Too many divs in a row... spammy template | |
47 | #score AC_DIV_BONANZA 0.001 | |
48 | tflags AC_DIV_BONANZA publish | |
49 | ##} AC_DIV_BONANZA | |
50 | ||
51 | ##{ AC_FROM_MANY_DOTS | |
52 | ||
53 | meta AC_FROM_MANY_DOTS __AC_FROM_MANY_DOTS_MINFP | |
54 | #score AC_FROM_MANY_DOTS 3.000 # limit | |
55 | describe AC_FROM_MANY_DOTS Multiple periods in From user name | |
56 | tflags AC_FROM_MANY_DOTS publish | |
57 | ##} AC_FROM_MANY_DOTS | |
58 | ||
59 | ##{ AC_HTML_NONSENSE_TAGS | |
60 | ||
 | # rawbody rules see the body with its HTML markup still present. The pattern needs ten back-to-back tags whose names are four or more alphanumerics and that carry no attributes; only whitespace may separate them. | |
 | # The names are not checked against real HTML elements, so a run of legitimate attribute-less tags counts as well; the signal is the length of the run, not the tag names. | |
61 | rawbody AC_HTML_NONSENSE_TAGS /(?:<[A-Za-z0-9]{4,}>\s*){10}/ | |
62 | describe AC_HTML_NONSENSE_TAGS Many consecutive multi-letter HTML tags, likely nonsense/spam | |
63 | #score AC_HTML_NONSENSE_TAGS 2.0 | |
64 | tflags AC_HTML_NONSENSE_TAGS publish | |
65 | ##} AC_HTML_NONSENSE_TAGS | |
66 | ||
67 | ##{ AC_POST_EXTRAS | |
68 | ||
69 | meta AC_POST_EXTRAS __AC_POST_EXTRAS && !__URI_MAILTO && !__HAS_LIST_ID | |
70 | describe AC_POST_EXTRAS Suspicious URL | |
71 | #score AC_POST_EXTRAS 2.500 # limit | |
72 | tflags AC_POST_EXTRAS publish | |
73 | ##} AC_POST_EXTRAS | |
74 | ||
75 | ##{ AC_SPAMMY_URI_PATTERNS1 | |
76 | ||
77 | meta AC_SPAMMY_URI_PATTERNS1 (__AC_OUTL_URI && __AC_OUTI_URI) | |
78 | describe AC_SPAMMY_URI_PATTERNS1 link combos match highly spammy template | |
79 | #score AC_SPAMMY_URI_PATTERNS1 4.0 | |
80 | tflags AC_SPAMMY_URI_PATTERNS1 publish | |
81 | ##} AC_SPAMMY_URI_PATTERNS1 | |
82 | ||
83 | ##{ AC_SPAMMY_URI_PATTERNS10 | |
84 | ||
85 | meta AC_SPAMMY_URI_PATTERNS10 __AC_PUNCTNUMS_URI | |
86 | describe AC_SPAMMY_URI_PATTERNS10 link combos match highly spammy template | |
87 | #score AC_SPAMMY_URI_PATTERNS10 4.0 | |
88 | tflags AC_SPAMMY_URI_PATTERNS10 publish | |
89 | ##} AC_SPAMMY_URI_PATTERNS10 | |
90 | ||
91 | ##{ AC_SPAMMY_URI_PATTERNS11 | |
92 | ||
93 | meta AC_SPAMMY_URI_PATTERNS11 __AC_NDOMLONGNASPX_URI | |
94 | describe AC_SPAMMY_URI_PATTERNS11 link combos match highly spammy template | |
95 | #score AC_SPAMMY_URI_PATTERNS11 4.0 | |
96 | tflags AC_SPAMMY_URI_PATTERNS11 publish | |
97 | ##} AC_SPAMMY_URI_PATTERNS11 | |
98 | ||
99 | ##{ AC_SPAMMY_URI_PATTERNS12 | |
100 | ||
101 | meta AC_SPAMMY_URI_PATTERNS12 (__AC_CHDSEQ_URI && __AC_MHDSEQ_URI && __AC_UHDSEQ_URI) | |
102 | describe AC_SPAMMY_URI_PATTERNS12 link combos match highly spammy template | |
103 | #score AC_SPAMMY_URI_PATTERNS12 4.0 | |
104 | tflags AC_SPAMMY_URI_PATTERNS12 publish | |
105 | ##} AC_SPAMMY_URI_PATTERNS12 | |
106 | ||
107 | ##{ AC_SPAMMY_URI_PATTERNS2 | |
108 | ||
109 | meta AC_SPAMMY_URI_PATTERNS2 (__AC_LAND_URI && __AC_UNSUB_URI && __AC_REPORT_URI) | |
110 | describe AC_SPAMMY_URI_PATTERNS2 link combos match highly spammy template | |
111 | #score AC_SPAMMY_URI_PATTERNS2 4.0 | |
112 | tflags AC_SPAMMY_URI_PATTERNS2 publish | |
113 | ##} AC_SPAMMY_URI_PATTERNS2 | |
114 | ||
115 | ##{ AC_SPAMMY_URI_PATTERNS3 | |
116 | ||
117 | meta AC_SPAMMY_URI_PATTERNS3 (__AC_PHPOFFTOP_URI && __AC_PHPOFFSUB_URI) | |
118 | describe AC_SPAMMY_URI_PATTERNS3 link combos match highly spammy template | |
119 | #score AC_SPAMMY_URI_PATTERNS3 4.0 | |
120 | tflags AC_SPAMMY_URI_PATTERNS3 publish | |
121 | ##} AC_SPAMMY_URI_PATTERNS3 | |
122 | ||
123 | ##{ AC_SPAMMY_URI_PATTERNS4 | |
124 | ||
125 | meta AC_SPAMMY_URI_PATTERNS4 __AC_NUMS_URI | |
126 | describe AC_SPAMMY_URI_PATTERNS4 link combos match highly spammy template | |
127 | #score AC_SPAMMY_URI_PATTERNS4 4.0 | |
128 | tflags AC_SPAMMY_URI_PATTERNS4 publish | |
129 | ##} AC_SPAMMY_URI_PATTERNS4 | |
130 | ||
131 | ##{ AC_SPAMMY_URI_PATTERNS8 | |
132 | ||
133 | meta AC_SPAMMY_URI_PATTERNS8 __AC_LONGSEQ_URI | |
134 | describe AC_SPAMMY_URI_PATTERNS8 link combos match highly spammy template | |
135 | #score AC_SPAMMY_URI_PATTERNS8 4.0 | |
136 | tflags AC_SPAMMY_URI_PATTERNS8 publish | |
137 | ##} AC_SPAMMY_URI_PATTERNS8 | |
138 | ||
139 | ##{ AC_SPAMMY_URI_PATTERNS9 | |
140 | ||
141 | meta AC_SPAMMY_URI_PATTERNS9 (__AC_1SEQC_URI && (__AC_1SEQV_URI || __AC_RMOVE_URI)) | |
142 | describe AC_SPAMMY_URI_PATTERNS9 link combos match highly spammy template | |
143 | #score AC_SPAMMY_URI_PATTERNS9 4.0 | |
144 | tflags AC_SPAMMY_URI_PATTERNS9 publish | |
145 | ##} AC_SPAMMY_URI_PATTERNS9 | |
146 | ||
147 | ##{ ADMAIL | |
148 | ||
149 | meta ADMAIL __ADMAIL && !__DKIM_EXISTS && !__COMMENT_EXISTS | |
150 | describe ADMAIL "admail" and variants | |
151 | tflags ADMAIL publish | |
152 | ##} ADMAIL | |
153 | ||
154 | ##{ ADMITS_SPAM | |
155 | ||
156 | meta ADMITS_SPAM __ADMITS_SPAM && !__FROM_LOWER && !__MSGID_JAVAMAIL && !__HAS_CAMPAIGNID && !__STY_INVIS_2 && !__LYRIS_EZLM_REMAILER && !__RCD_RDNS_OB | |
157 | describe ADMITS_SPAM Admits this is an ad | |
158 | tflags ADMITS_SPAM publish | |
159 | ##} ADMITS_SPAM | |
160 | ||
46cfc9e2 SI |
161 | ##{ ADULT_DATING_COMPANY |
162 | ||
163 | meta ADULT_DATING_COMPANY __ADULTDATINGCOMPANY_BODY || __ADULTDATINGCOMPANY_FROM || __ADULTDATINGCOMPANY_REPTO | |
164 | #score ADULT_DATING_COMPANY 10.000 # limit | |
165 | tflags ADULT_DATING_COMPANY publish | |
166 | ##} ADULT_DATING_COMPANY | |
167 | ||
b780ea8d SI |
168 | ##{ ADVANCE_FEE_2_NEW_FORM |
169 | ||
170 | meta ADVANCE_FEE_2_NEW_FORM (__ADVANCE_FEE_2_NEW_FORM && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__FROM_LOWER && !__HAS_X_LOOP | |
171 | describe ADVANCE_FEE_2_NEW_FORM Advance Fee fraud and a form | |
172 | #score ADVANCE_FEE_2_NEW_FORM 2.000 # limit | |
173 | tflags ADVANCE_FEE_2_NEW_FORM publish | |
174 | ##} ADVANCE_FEE_2_NEW_FORM | |
175 | ||
176 | ##{ ADVANCE_FEE_2_NEW_FRM_MNY | |
177 | ||
178 | meta ADVANCE_FEE_2_NEW_FRM_MNY (__ADVANCE_FEE_2_NEW_FRM_MNY && !__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP | |
179 | describe ADVANCE_FEE_2_NEW_FRM_MNY Advance Fee fraud form and lots of money | |
180 | #score ADVANCE_FEE_2_NEW_FRM_MNY 2.500 | |
181 | tflags ADVANCE_FEE_2_NEW_FRM_MNY publish | |
182 | ##} ADVANCE_FEE_2_NEW_FRM_MNY | |
183 | ||
184 | ##{ ADVANCE_FEE_2_NEW_MONEY | |
185 | ||
186 | meta ADVANCE_FEE_2_NEW_MONEY (__ADVANCE_FEE_2_NEW_MONEY && !__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__LYRIS_EZLM_REMAILER && !__COMMENT_EXISTS && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG | |
187 | describe ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money | |
188 | #score ADVANCE_FEE_2_NEW_MONEY 2.000 # limit | |
189 | tflags ADVANCE_FEE_2_NEW_MONEY publish | |
190 | ##} ADVANCE_FEE_2_NEW_MONEY | |
191 | ||
192 | ##{ ADVANCE_FEE_3_NEW | |
193 | ||
194 | meta ADVANCE_FEE_3_NEW (__ADVANCE_FEE_3_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_4_NEW && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__HAS_SENDER && !__HAS_X_LOOP && !__TO_YOUR_ORG && !__BUGGED_IMG | |
195 | describe ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419) | |
196 | #score ADVANCE_FEE_3_NEW 3.5 # limit | |
197 | tflags ADVANCE_FEE_3_NEW publish | |
198 | ##} ADVANCE_FEE_3_NEW | |
199 | ||
200 | ##{ ADVANCE_FEE_3_NEW_FORM | |
201 | ||
202 | meta ADVANCE_FEE_3_NEW_FORM (__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) && !__THREADED && !__HAS_SENDER && !__FROM_LOWER && !__HAS_X_LOOP | |
203 | describe ADVANCE_FEE_3_NEW_FORM Advance Fee fraud and a form | |
204 | tflags ADVANCE_FEE_3_NEW_FORM publish | |
205 | ##} ADVANCE_FEE_3_NEW_FORM | |
206 | ||
207 | ##{ ADVANCE_FEE_3_NEW_FRM_MNY | |
208 | ||
209 | meta ADVANCE_FEE_3_NEW_FRM_MNY (__ADVANCE_FEE_3_NEW_FRM_MNY && !__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__HAS_X_LOOP | |
210 | describe ADVANCE_FEE_3_NEW_FRM_MNY Advance Fee fraud form and lots of money | |
211 | tflags ADVANCE_FEE_3_NEW_FRM_MNY publish | |
212 | ##} ADVANCE_FEE_3_NEW_FRM_MNY | |
213 | ||
214 | ##{ ADVANCE_FEE_3_NEW_MONEY | |
215 | ||
216 | meta ADVANCE_FEE_3_NEW_MONEY (__ADVANCE_FEE_3_NEW_MONEY && !__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__VIA_ML && !__THREADED && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG | |
217 | describe ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money | |
218 | tflags ADVANCE_FEE_3_NEW_MONEY publish | |
219 | ##} ADVANCE_FEE_3_NEW_MONEY | |
220 | ||
221 | ##{ ADVANCE_FEE_4_NEW | |
222 | ||
223 | meta ADVANCE_FEE_4_NEW (__ADVANCE_FEE_4_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY && !__ADVANCE_FEE_5_NEW) && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__HAS_ERRORS_TO && !__HAS_X_LOOP && !__BUGGED_IMG | |
224 | describe ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419) | |
225 | tflags ADVANCE_FEE_4_NEW publish | |
226 | ##} ADVANCE_FEE_4_NEW | |
227 | ||
228 | ##{ ADVANCE_FEE_4_NEW_FORM | |
229 | ||
230 | meta ADVANCE_FEE_4_NEW_FORM (__ADVANCE_FEE_4_NEW_FORM && !__ADVANCE_FEE_5_NEW_FORM) | |
231 | describe ADVANCE_FEE_4_NEW_FORM Advance Fee fraud and a form | |
232 | tflags ADVANCE_FEE_4_NEW_FORM publish | |
233 | ##} ADVANCE_FEE_4_NEW_FORM | |
234 | ||
235 | ##{ ADVANCE_FEE_4_NEW_FRM_MNY | |
236 | ||
237 | meta ADVANCE_FEE_4_NEW_FRM_MNY (__ADVANCE_FEE_4_NEW_FRM_MNY && !__ADVANCE_FEE_5_NEW_FRM_MNY) | |
238 | describe ADVANCE_FEE_4_NEW_FRM_MNY Advance Fee fraud form and lots of money | |
239 | tflags ADVANCE_FEE_4_NEW_FRM_MNY publish | |
240 | ##} ADVANCE_FEE_4_NEW_FRM_MNY | |
241 | ||
242 | ##{ ADVANCE_FEE_4_NEW_MONEY | |
243 | ||
244 | meta ADVANCE_FEE_4_NEW_MONEY (__ADVANCE_FEE_4_NEW_MONEY && !__ADVANCE_FEE_5_NEW_MONEY) && !__BOTH_INR_AND_REF && !__HAS_SENDER && !__HAS_X_LOOP && !__BUGGED_IMG | |
245 | describe ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money | |
246 | tflags ADVANCE_FEE_4_NEW_MONEY publish | |
247 | ##} ADVANCE_FEE_4_NEW_MONEY | |
248 | ||
249 | ##{ ADVANCE_FEE_5_NEW | |
250 | ||
251 | meta ADVANCE_FEE_5_NEW (__ADVANCE_FEE_5_NEW && !__FILL_THIS_FORM && !LOTS_OF_MONEY) && !__BUGGED_IMG | |
252 | describe ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419) | |
253 | tflags ADVANCE_FEE_5_NEW publish | |
254 | ##} ADVANCE_FEE_5_NEW | |
255 | ||
256 | ##{ ADVANCE_FEE_5_NEW_FORM | |
257 | ||
258 | meta ADVANCE_FEE_5_NEW_FORM __ADVANCE_FEE_5_NEW_FORM | |
259 | describe ADVANCE_FEE_5_NEW_FORM Advance Fee fraud and a form | |
260 | tflags ADVANCE_FEE_5_NEW_FORM publish | |
261 | ##} ADVANCE_FEE_5_NEW_FORM | |
262 | ||
263 | ##{ ADVANCE_FEE_5_NEW_FRM_MNY | |
264 | ||
265 | meta ADVANCE_FEE_5_NEW_FRM_MNY __ADVANCE_FEE_5_NEW_FRM_MNY | |
266 | describe ADVANCE_FEE_5_NEW_FRM_MNY Advance Fee fraud form and lots of money | |
267 | tflags ADVANCE_FEE_5_NEW_FRM_MNY publish | |
268 | ##} ADVANCE_FEE_5_NEW_FRM_MNY | |
269 | ||
270 | ##{ ADVANCE_FEE_5_NEW_MONEY | |
271 | ||
272 | meta ADVANCE_FEE_5_NEW_MONEY __ADVANCE_FEE_5_NEW_MONEY && !__BOUNCE_CTYPE && !__BUGGED_IMG | |
273 | describe ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money | |
274 | tflags ADVANCE_FEE_5_NEW_MONEY publish | |
275 | ##} ADVANCE_FEE_5_NEW_MONEY | |
276 | ||
277 | ##{ AD_PREFS | |
278 | ||
 | # Matches "ad", "advertising", "promo", "promotion" or "marketing", then one hyphen, space or underscore, then "prefs", "preferences" or "settings", case-insensitively. | |
 | # [i1l] accepts the digit 1 or a lowercase l where "advertising" has an i, so simple look-alike substitution still matches. An underscore is accepted as a boundary on either side as well as a word boundary. | |
279 | body AD_PREFS /(?:\b|_)(?:ad(?:vert[i1l]s[i1l]ng)?|promo(?:tion)?|marketing)[- _](?:pref(?:s|erences)|settings)(?:\b|_)/i | |
280 | describe AD_PREFS Advertising preferences | |
281 | #score AD_PREFS 0.500 # limit | |
282 | tflags AD_PREFS publish | |
283 | ##} AD_PREFS | |
284 | ||
285 | ##{ ALIBABA_IMG_NOT_RCVD_ALI | |
286 | ||
287 | meta ALIBABA_IMG_NOT_RCVD_ALI __ALIBABA_IMG_NOT_RCVD_ALI && !__YOUR_PASSWORD && !__UNSUB_LINK && !__MSGID_BEFORE_RECEIVED && !__HAS_HREF_ONECASE | |
288 | #score ALIBABA_IMG_NOT_RCVD_ALI 2.500 # limit | |
289 | describe ALIBABA_IMG_NOT_RCVD_ALI Alibaba hosted image but message not from Alibaba | |
290 | tflags ALIBABA_IMG_NOT_RCVD_ALI publish | |
291 | ##} ALIBABA_IMG_NOT_RCVD_ALI | |
292 | ||
293 | ##{ AMAZON_IMG_NOT_RCVD_AMZN | |
294 | ||
46cfc9e2 | 295 | meta AMAZON_IMG_NOT_RCVD_AMZN __AMAZON_IMG_NOT_RCVD_AMZN && !__HDR_RCVD_KEEPA && !__URI_DBL_DOM && !__RCD_RDNS_SMTP && !__RCD_RDNS_MTA && !__DATE_LOWER && !__MSGID_LIST && !__URI_PRODUCT_AMAZON && !__HAS_ERRORS_TO |
b780ea8d SI |
296 | #score AMAZON_IMG_NOT_RCVD_AMZN 2.500 # limit |
297 | describe AMAZON_IMG_NOT_RCVD_AMZN Amazon hosted image but message not from Amazon | |
298 | tflags AMAZON_IMG_NOT_RCVD_AMZN publish | |
299 | ##} AMAZON_IMG_NOT_RCVD_AMZN | |
300 | ||
301 | ##{ APOSTROPHE_FROM | |
302 | ||
 | # The :addr modifier limits the test to the address part of the From header, so an apostrophe in the display name alone does not match. | |
 | # NOTE(review): an apostrophe is a legal character in an address local part (constructed example: o'brien@example.test), so legitimate senders can hit this rule; treat it as a weak signal. This block sets no score and no publish flag. | |
303 | header APOSTROPHE_FROM From:addr =~ /'/ | |
304 | describe APOSTROPHE_FROM From address contains an apostrophe | |
305 | ##} APOSTROPHE_FROM | |
306 | ||
307 | ##{ APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
308 | ||
309 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
310 | meta APP_DEVELOPMENT_FREEM __APP_DEVELOPMENT_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) | |
311 | describe APP_DEVELOPMENT_FREEM App development pitch, freemail or CHN replyto | |
312 | # score APP_DEVELOPMENT_FREEM 3.500 # limit | |
313 | tflags APP_DEVELOPMENT_FREEM publish | |
314 | endif | |
315 | ##} APP_DEVELOPMENT_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
316 | ||
317 | ##{ APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
318 | ||
319 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
320 | meta APP_DEVELOPMENT_NORDNS __APP_DEVELOPMENT && __RDNS_NONE | |
321 | describe APP_DEVELOPMENT_NORDNS App development pitch, no rDNS | |
322 | # score APP_DEVELOPMENT_NORDNS 2.000 # limit | |
323 | tflags APP_DEVELOPMENT_NORDNS publish | |
324 | endif | |
325 | ##} APP_DEVELOPMENT_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
326 | ||
327 | ##{ AXB_XMAILER_MIMEOLE_OL_024C2 | |
328 | ||
329 | meta AXB_XMAILER_MIMEOLE_OL_024C2 (__AXB_XM_OL_024C2 && __AXB_MO_OL_024C2) | |
330 | describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait | |
331 | ##} AXB_XMAILER_MIMEOLE_OL_024C2 | |
332 | ||
b780ea8d SI |
333 | ##{ BANKING_LAWS |
334 | ||
335 | body BANKING_LAWS /banking laws/i | |
336 | describe BANKING_LAWS Talks about banking laws | |
337 | ##} BANKING_LAWS | |
338 | ||
339 | ##{ BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
340 | ||
341 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
342 | body BASE64_LENGTH_78_79 eval:check_base64_length('78','79') | |
343 | endif | |
344 | ##} BASE64_LENGTH_78_79 ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
345 | ||
346 | ##{ BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
347 | ||
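348 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
 | # The first describe carries the text for the 78-79 character rule (BASE64_LENGTH_78_79, defined under the same ifplugin condition just above), so it names that rule. | |
 | # Under the BASE64_LENGTH_79_INF name it would be replaced by the second describe below and the 78-79 rule would be left without a description. | |
349 | describe BASE64_LENGTH_78_79 base64 encoded email part uses line length of 78 or 79 characters | |
 | # check_base64_length with a single argument '79': per the description below, this covers base64 parts whose lines are longer than 79 characters. | |
350 | body BASE64_LENGTH_79_INF eval:check_base64_length('79') | |
351 | describe BASE64_LENGTH_79_INF base64 encoded email part uses line length greater than 79 characters | |
352 | endif | |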
353 | ##} BASE64_LENGTH_79_INF ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
354 | ||
31955ede SI |
355 | ##{ BEBEE_IMG_NOT_RCVD_BB |
356 | ||
357 | meta BEBEE_IMG_NOT_RCVD_BB __BEBEE_IMG_NOT_RCVD_BB | |
358 | #score BEBEE_IMG_NOT_RCVD_BB 2.000 # limit | |
359 | describe BEBEE_IMG_NOT_RCVD_BB Bebee hosted image but message not from Bebee | |
360 | tflags BEBEE_IMG_NOT_RCVD_BB publish | |
361 | ##} BEBEE_IMG_NOT_RCVD_BB | |
362 | ||
b780ea8d SI |
363 | ##{ BIGNUM_EMAILS_FREEM |
364 | ||
365 | meta BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS_FREEM | |
366 | describe BIGNUM_EMAILS_FREEM Lots of email addresses/leads, free email account | |
367 | #score BIGNUM_EMAILS_FREEM 3.00 # limit | |
368 | tflags BIGNUM_EMAILS_FREEM publish | |
369 | ##} BIGNUM_EMAILS_FREEM | |
370 | ||
371 | ##{ BIGNUM_EMAILS_MANY | |
372 | ||
373 | meta BIGNUM_EMAILS_MANY __BIGNUM_EMAILS_3 && !__HAS_ERRORS_TO && !__HAS_CAMPAIGNID && !__DATE_LOWER | |
374 | describe BIGNUM_EMAILS_MANY Lots of email addresses/leads, over and over | |
375 | #score BIGNUM_EMAILS_MANY 3.00 # limit | |
376 | tflags BIGNUM_EMAILS_MANY publish | |
377 | ##} BIGNUM_EMAILS_MANY | |
378 | ||
379 | ##{ BITCOIN_BOMB | |
380 | ||
381 | meta BITCOIN_BOMB __BITCOIN_ID && __EXPLOSIVE_DEVICE && !BITCOIN_EXTORT_01 | |
382 | describe BITCOIN_BOMB BitCoin + bomb | |
383 | #score BITCOIN_BOMB 3.000 # limit | |
384 | tflags BITCOIN_BOMB publish | |
385 | ##} BITCOIN_BOMB | |
386 | ||
387 | ##{ BITCOIN_DEADLINE | |
388 | ||
389 | meta BITCOIN_DEADLINE __BITCOIN_ID && __HOURS_DEADLINE && !BITCOIN_EXTORT_01 | |
390 | describe BITCOIN_DEADLINE BitCoin with a deadline | |
391 | #score BITCOIN_DEADLINE 3.000 # limit | |
392 | tflags BITCOIN_DEADLINE publish | |
393 | ##} BITCOIN_DEADLINE | |
394 | ||
395 | ##{ BITCOIN_EXTORT_01 | |
396 | ||
 | # Needs both a Bitcoin ID and the extortion-wording subrule. The negated group suppresses the hit only when all five listed subrules match together; any four of them still leave the rule active. | |
 | # Several other BITCOIN_* rules in this file (BOMB, DEADLINE, MALWARE, ONAN, PAY_ME, YOUR_INFO) carry !BITCOIN_EXTORT_01, so they stay quiet once this rule has fired. | |
397 | meta BITCOIN_EXTORT_01 (__BITCOIN_ID && __EXTORT_MANY) && !( __FROM_FULL_NAME && __SENDER_BOT && __SINGLE_WORD_LINE && __MIME_HTML && __PHPMAILER_MUA ) | |
398 | describe BITCOIN_EXTORT_01 Extortion spam, pay via BitCoin | |
399 | #score BITCOIN_EXTORT_01 5.000 # limit | |
400 | tflags BITCOIN_EXTORT_01 publish | |
401 | ##} BITCOIN_EXTORT_01 | |
402 | ||
403 | ##{ BITCOIN_EXTORT_02 | |
404 | ||
405 | meta BITCOIN_EXTORT_02 __OBFU_BITCOIN_NOID && __EXTORT_MANY | |
406 | describe BITCOIN_EXTORT_02 Extortion spam, pay via BitCoin | |
407 | #score BITCOIN_EXTORT_02 5.000 # limit | |
408 | tflags BITCOIN_EXTORT_02 publish | |
409 | ##} BITCOIN_EXTORT_02 | |
410 | ||
411 | ##{ BITCOIN_IMGUR | |
412 | ||
413 | meta BITCOIN_IMGUR __BITCOIN_IMGUR | |
414 | describe BITCOIN_IMGUR Bitcoin + hosted image | |
415 | #score BITCOIN_IMGUR 3.500 # limit | |
416 | tflags BITCOIN_IMGUR publish | |
417 | ##} BITCOIN_IMGUR | |
418 | ||
419 | ##{ BITCOIN_MALF_HTML | |
420 | ||
421 | meta BITCOIN_MALF_HTML HTML_EXTRA_CLOSE && (__BITCOIN || __BITCOIN_ID) | |
422 | describe BITCOIN_MALF_HTML Bitcoin + malformed HTML | |
423 | #score BITCOIN_MALF_HTML 3.500 # limit | |
424 | ##} BITCOIN_MALF_HTML | |
425 | ||
426 | ##{ BITCOIN_MALWARE | |
427 | ||
428 | meta BITCOIN_MALWARE __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED | |
429 | describe BITCOIN_MALWARE BitCoin + malware bragging | |
430 | #score BITCOIN_MALWARE 3.500 # limit | |
431 | tflags BITCOIN_MALWARE publish | |
432 | ##} BITCOIN_MALWARE | |
433 | ||
434 | ##{ BITCOIN_OBFU_SUBJ | |
435 | ||
436 | meta BITCOIN_OBFU_SUBJ __BITCOIN_OBFU_SUBJ && !__128_ALNUM_URI | |
437 | describe BITCOIN_OBFU_SUBJ Bitcoin + obfuscated subject | |
438 | #score BITCOIN_OBFU_SUBJ 3.500 # limit | |
439 | tflags BITCOIN_OBFU_SUBJ publish | |
440 | ##} BITCOIN_OBFU_SUBJ | |
441 | ||
442 | ##{ BITCOIN_ONAN | |
443 | ||
444 | meta BITCOIN_ONAN __BITCOIN_ID && __YOUR_ONAN && __KHOP_NO_FULL_NAME && !BITCOIN_EXTORT_01 | |
445 | describe BITCOIN_ONAN BitCoin + [censored] | |
446 | #score BITCOIN_ONAN 3.000 # limit | |
447 | tflags BITCOIN_ONAN publish | |
448 | ##} BITCOIN_ONAN | |
449 | ||
450 | ##{ BITCOIN_PAY_ME | |
451 | ||
452 | meta BITCOIN_PAY_ME __BITCOIN_ID && __PAY_ME && !BITCOIN_EXTORT_01 | |
453 | describe BITCOIN_PAY_ME Pay me via BitCoin | |
454 | #score BITCOIN_PAY_ME 3.000 # limit | |
455 | tflags BITCOIN_PAY_ME publish | |
456 | ##} BITCOIN_PAY_ME | |
457 | ||
fc5290a3 SI |
458 | ##{ BITCOIN_PDF |
459 | ||
460 | meta BITCOIN_PDF __BITCOIN && __PDF_ATTACH | |
461 | describe BITCOIN_PDF "Bitcoin" + PDF attachment | |
462 | #score BITCOIN_PDF 2.500 # limit | |
463 | ##} BITCOIN_PDF | |
464 | ||
b780ea8d SI |
465 | ##{ BITCOIN_SPAM_01 |
466 | ||
467 | meta BITCOIN_SPAM_01 __BITCOIN_ID && HTML_MIME_NO_HTML_TAG | |
468 | describe BITCOIN_SPAM_01 BitCoin spam pattern 01 | |
469 | #score BITCOIN_SPAM_01 2.500 # limit | |
470 | tflags BITCOIN_SPAM_01 publish | |
471 | ##} BITCOIN_SPAM_01 | |
472 | ||
473 | ##{ BITCOIN_SPAM_02 | |
474 | ||
475 | meta BITCOIN_SPAM_02 __BITCOIN_SPAM_02 && !__URL_BTC_ID | |
476 | describe BITCOIN_SPAM_02 BitCoin spam pattern 02 | |
477 | #score BITCOIN_SPAM_02 2.500 # limit | |
478 | tflags BITCOIN_SPAM_02 publish | |
479 | ##} BITCOIN_SPAM_02 | |
480 | ||
481 | ##{ BITCOIN_SPAM_03 | |
482 | ||
483 | meta BITCOIN_SPAM_03 __BITCOIN_ID && __SINGLE_WORD_SUBJ | |
484 | describe BITCOIN_SPAM_03 BitCoin spam pattern 03 | |
485 | #score BITCOIN_SPAM_03 2.500 # limit | |
486 | tflags BITCOIN_SPAM_03 publish | |
487 | ##} BITCOIN_SPAM_03 | |
488 | ||
489 | ##{ BITCOIN_SPAM_04 | |
490 | ||
491 | meta BITCOIN_SPAM_04 __BITCOIN_ID && __freemail_hdr_replyto | |
492 | describe BITCOIN_SPAM_04 BitCoin spam pattern 04 | |
493 | #score BITCOIN_SPAM_04 1.500 # limit | |
494 | tflags BITCOIN_SPAM_04 publish | |
495 | ##} BITCOIN_SPAM_04 | |
496 | ||
497 | ##{ BITCOIN_SPAM_05 | |
498 | ||
499 | meta BITCOIN_SPAM_05 __BITCOIN_SPAM_05 && !__HAS_IN_REPLY_TO | |
500 | describe BITCOIN_SPAM_05 BitCoin spam pattern 05 | |
501 | #score BITCOIN_SPAM_05 2.500 # limit | |
502 | tflags BITCOIN_SPAM_05 net publish | |
503 | ##} BITCOIN_SPAM_05 | |
504 | ||
505 | ##{ BITCOIN_SPAM_06 | |
506 | ||
507 | meta BITCOIN_SPAM_06 __BITCOIN_ID && TVD_RCVD_SPACE_BRACKET | |
508 | describe BITCOIN_SPAM_06 BitCoin spam pattern 06 | |
509 | #score BITCOIN_SPAM_06 1.500 # limit | |
510 | tflags BITCOIN_SPAM_06 publish | |
511 | ##} BITCOIN_SPAM_06 | |
512 | ||
513 | ##{ BITCOIN_SPAM_07 | |
514 | ||
515 | meta BITCOIN_SPAM_07 __BITCOIN_SPAM_07 && !__DKIM_EXISTS | |
516 | describe BITCOIN_SPAM_07 BitCoin spam pattern 07 | |
517 | #score BITCOIN_SPAM_07 3.500 # limit | |
518 | tflags BITCOIN_SPAM_07 publish | |
519 | ##} BITCOIN_SPAM_07 | |
520 | ||
521 | ##{ BITCOIN_SPAM_08 | |
522 | ||
523 | meta BITCOIN_SPAM_08 __BITCOIN_ID && __TO_IN_SUBJ | |
524 | describe BITCOIN_SPAM_08 BitCoin spam pattern 08 | |
525 | #score BITCOIN_SPAM_08 2.500 # limit | |
526 | tflags BITCOIN_SPAM_08 publish | |
527 | ##} BITCOIN_SPAM_08 | |
528 | ||
529 | ##{ BITCOIN_SPAM_09 | |
530 | ||
531 | meta BITCOIN_SPAM_09 __BITCOIN_ID && ( __DESTROY_ME || __DESTROY_YOU ) | |
532 | describe BITCOIN_SPAM_09 BitCoin spam pattern 09 | |
533 | #score BITCOIN_SPAM_09 1.500 # limit | |
534 | tflags BITCOIN_SPAM_09 publish | |
535 | ##} BITCOIN_SPAM_09 | |
536 | ||
537 | ##{ BITCOIN_SPAM_10 | |
538 | ||
539 | meta BITCOIN_SPAM_10 __BITCOIN_ID && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 ) | |
540 | describe BITCOIN_SPAM_10 BitCoin spam pattern 10 | |
541 | #score BITCOIN_SPAM_10 2.500 # limit | |
542 | tflags BITCOIN_SPAM_10 publish | |
543 | ##} BITCOIN_SPAM_10 | |
544 | ||
545 | ##{ BITCOIN_SPAM_11 | |
546 | ||
547 | meta BITCOIN_SPAM_11 __BITCOIN_ID && HTML_MESSAGE && __HTML_SHRT_CMNT_OBFU | |
548 | describe BITCOIN_SPAM_11 BitCoin spam pattern 11 | |
549 | #score BITCOIN_SPAM_11 2.500 # limit | |
550 | tflags BITCOIN_SPAM_11 publish | |
551 | ##} BITCOIN_SPAM_11 | |
552 | ||
553 | ##{ BITCOIN_SPAM_12 | |
554 | ||
555 | meta BITCOIN_SPAM_12 __BITCOIN_ID && __BOGUS_MIME_HDR_MANY | |
556 | describe BITCOIN_SPAM_12 BitCoin spam pattern 12 | |
557 | #score BITCOIN_SPAM_12 2.500 # limit | |
558 | tflags BITCOIN_SPAM_12 publish | |
559 | ##} BITCOIN_SPAM_12 | |
560 | ||
561 | ##{ BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
562 | ||
 | # Defined only on SpamAssassin 3.4.1 or later and only when the AskDNS plugin is loaded; on other installs the rule does not exist. | |
563 | if (version >= 3.004001) | |
564 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
 | # An SPF policy of +all authorises every sending host, so an SPF pass from such a domain says nothing about who sent the message; the rule pairs that with a Bitcoin ID. | |
565 | meta BITCOIN_SPF_ONLYALL __PDS_SPF_ONLYALL && __BITCOIN_ID | |
 | # "net" marks this as a network test: it depends on a DNS lookup and is not evaluated when network tests are disabled. | |
566 | tflags BITCOIN_SPF_ONLYALL net publish | |
567 | describe BITCOIN_SPF_ONLYALL Bitcoin from a domain specifically set to pass +all SPF | |
568 | #score BITCOIN_SPF_ONLYALL 2.0 # limit | |
569 | endif | |
570 | endif | |
571 | ##} BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
572 | ||
573 | ##{ BITCOIN_WFH_01 | |
574 | ||
575 | meta BITCOIN_WFH_01 __BITCOIN_WFH_01 | |
576 | describe BITCOIN_WFH_01 Work-from-Home + bitcoin | |
577 | tflags BITCOIN_WFH_01 publish | |
578 | ##} BITCOIN_WFH_01 | |
579 | ||
580 | ##{ BITCOIN_XPRIO | |
581 | ||
582 | meta BITCOIN_XPRIO __BITCOIN_XPRIO && !__ML1 && !__HAS_SENDER && !__DKIM_EXISTS && !__RCD_RDNS_MAIL_MESSY | |
583 | describe BITCOIN_XPRIO Bitcoin + priority | |
584 | #score BITCOIN_XPRIO 2.500 # limit | |
585 | ##} BITCOIN_XPRIO | |
586 | ||
587 | ##{ BITCOIN_YOUR_INFO | |
588 | ||
589 | meta BITCOIN_YOUR_INFO __BITCOIN_ID && __YOUR_PERSONAL && !BITCOIN_EXTORT_01 | |
590 | describe BITCOIN_YOUR_INFO BitCoin with your personal info | |
591 | #score BITCOIN_YOUR_INFO 3.000 # limit | |
592 | tflags BITCOIN_YOUR_INFO publish | |
593 | ##} BITCOIN_YOUR_INFO | |
594 | ||
21dcadbf SI |
595 | ##{ BODY_SINGLE_URI |
596 | ||
597 | meta BODY_SINGLE_URI __BODY_SINGLE_URI && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP && !__VIA_ML | |
598 | describe BODY_SINGLE_URI Message body is only a URI | |
599 | #score BODY_SINGLE_URI 2.500 # limit | |
600 | ##} BODY_SINGLE_URI | |
601 | ||
fc5290a3 SI |
602 | ##{ BODY_SINGLE_WORD |
603 | ||
604 | meta BODY_SINGLE_WORD __BODY_SINGLE_WORD && !ALL_TRUSTED && !__HDRS_LCASE_KNOWN && !__FROM_ALL_NUMS && !__RCD_RDNS_SMTP | |
605 | describe BODY_SINGLE_WORD Message body is only one word (no spaces) | |
606 | #score BODY_SINGLE_WORD 2.500 # limit | |
607 | ##} BODY_SINGLE_WORD | |
608 | ||
b780ea8d SI |
609 | ##{ BODY_URI_ONLY |
610 | ||
611 | meta BODY_URI_ONLY __BODY_URI_ONLY && !__NOT_SPOOFED && !__TO_EQ_FROM_DOM && !__X_CRON_ENV && !__DKIM_EXISTS && !__VIA_ML && !__HAS_X_REF && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD && !__URI_GOOGLE_DRV | |
612 | describe BODY_URI_ONLY Message body is only a URI in one line of text or for an image | |
613 | #score BODY_URI_ONLY 3.000 # limit | |
614 | tflags BODY_URI_ONLY publish | |
615 | ##} BODY_URI_ONLY | |
616 | ||
617 | ##{ BOGUS_MIME_VERSION | |
618 | ||
619 | meta BOGUS_MIME_VERSION __BOGUS_MIME_VER_02 || __MALF_MIME_VER | |
620 | #score BOGUS_MIME_VERSION 3.500 # limit | |
621 | describe BOGUS_MIME_VERSION Mime version header is bogus | |
622 | tflags BOGUS_MIME_VERSION publish | |
623 | ##} BOGUS_MIME_VERSION | |
624 | ||
625 | ##{ BOGUS_MSM_HDRS | |
626 | ||
627 | meta BOGUS_MSM_HDRS __BOGUS_MSM_HDRS | |
628 | describe BOGUS_MSM_HDRS Apparently bogus Microsoft email headers | |
629 | #score BOGUS_MSM_HDRS 3.000 # limit | |
630 | tflags BOGUS_MSM_HDRS publish | |
631 | ##} BOGUS_MSM_HDRS | |
632 | ||
633 | ##{ BOMB_FREEM | |
634 | ||
635 | meta BOMB_FREEM __EXPLOSIVE_DEVICE && __freemail_hdr_replyto | |
636 | describe BOMB_FREEM Bomb + freemail | |
637 | #score BOMB_FREEM 2.000 # limit | |
638 | tflags BOMB_FREEM publish | |
639 | ##} BOMB_FREEM | |
640 | ||
641 | ##{ BOMB_MONEY | |
642 | ||
643 | meta BOMB_MONEY __EXPLOSIVE_DEVICE && ( __ADVANCE_FEE_3_NEW || __ADVANCE_FEE_4_NEW || __ADVANCE_FEE_5_NEW ) | |
644 | describe BOMB_MONEY Bomb + money: bomb threat? | |
645 | #score BOMB_MONEY 2.500 # limit | |
646 | tflags BOMB_MONEY publish | |
647 | ##} BOMB_MONEY | |
648 | ||
649 | ##{ BTC_ORG | |
650 | ||
 | # The description is unconditional; the meta expression is defined in one of the two conditional groups below, chosen by whether the DKIM plugin is loaded. | |
651 | describe BTC_ORG Bitcoin wallet ID + unusual header | |
652 | #score BTC_ORG 2.500 # limit | |
653 | ##} BTC_ORG | |
654 | ||
655 | ##{ BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
656 | ||
 | # Variant without the DKIM plugin: there is no DKIM_SIGNED exclusion here, so this form matches more mail than the DKIM variant below. | |
657 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
 | # NOTE(review): __DOS_HAS_MAILING_LIST is required here, not negated, while other rules in this file negate list indicators as exclusions - confirm that requiring it is intended. | |
658 | meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST | |
659 | endif | |
660 | ##} BTC_ORG if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
661 | ||
662 | ##{ BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM | |
663 | ||
 | # Variant with the DKIM plugin: same expression plus !DKIM_SIGNED, so a message carrying a DKIM signature does not hit. DKIM_SIGNED only says a signature is present, not that it verified. | |
664 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
665 | meta BTC_ORG (__BITCOIN_ID && __HAS_ORGANIZATION) && !ALL_TRUSTED && __DOS_HAS_MAILING_LIST && !DKIM_SIGNED | |
666 | endif | |
667 | ##} BTC_ORG ifplugin Mail::SpamAssassin::Plugin::DKIM | |
668 | ||
b780ea8d SI |
669 | ##{ BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval |
670 | ||
671 | if (version >= 3.004002) | |
672 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
673 | meta BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD | |
674 | tflags BULK_RE_SUSP_NTLD publish | |
675 | describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD | |
676 | #score BULK_RE_SUSP_NTLD 1.0 # limit | |
677 | endif | |
678 | endif | |
679 | ##} BULK_RE_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
680 | ||
681 | ##{ CANT_SEE_AD | |
682 | ||
683 | meta CANT_SEE_AD (__CANT_SEE_AD_1 || __CANT_SEE_AD_2) && !__DOS_HAS_LIST_UNSUB | |
684 | describe CANT_SEE_AD You really want to see our spam. | |
685 | #score CANT_SEE_AD 2.500 # limit | |
686 | tflags CANT_SEE_AD publish | |
687 | ##} CANT_SEE_AD | |
688 | ||
46cfc9e2 SI |
689 | ##{ CK_HELO_GENERIC | |
690 | ||
 | # X-Spam-Relays-Untrusted is a pseudo-header SpamAssassin builds from the Received lines; which relays appear in it depends on the trusted_networks / internal_networks settings, so a wrong trust boundary changes what this rule inspects. | |
 | # The leading ^[^\]]+ keeps the match inside the first bracketed relay entry. The helo value must contain one of the listed keywords and two digit runs separated by non-digit characters, followed later in the same entry by " auth= ". | |
691 | header CK_HELO_GENERIC X-Spam-Relays-Untrusted =~ /^[^\]]+helo=(?=\S*(?:pool|dyna|lease|dial|dip|static))\S*\d+[^\d\s]+\d+[^\]]+ auth= /i | |
692 | describe CK_HELO_GENERIC Relay used name indicative of a Dynamic Pool or Generic rPTR | |
 | # NOTE(review): HELO is chosen by the connecting client, so this is a hint about the sending host, not verified reverse DNS; the low commented-out score matches that. | |
693 | #score CK_HELO_GENERIC 0.25 | |
694 | ##} CK_HELO_GENERIC | |
695 | ||
b780ea8d SI |
696 | ##{ CN_B2B_SPAMMER |
697 | ||
698 | body CN_B2B_SPAMMER /\bWe are (?:(?:a )?(?:China|Taiwan)[-\s]based|(?:one of (?:the )?best|(?:a )?leading) (?:international|[^\.]{10,90} (?:in|from) (?:\w+, )?(?:China|Taiwan)))\b/i | |
699 | describe CN_B2B_SPAMMER Chinese company introducing itself | |
700 | tflags CN_B2B_SPAMMER publish | |
701 | ##} CN_B2B_SPAMMER | |
702 | ||
703 | ##{ COMMENT_GIBBERISH | |
704 | ||
705 | meta COMMENT_GIBBERISH __COMMENT_GIBBERISH && !__JM_REACTOR_DATE && !__RCD_RDNS_MTA_MESSY && !__SENDER_BOT | |
706 | describe COMMENT_GIBBERISH Nonsense in long HTML comment | |
707 | #score COMMENT_GIBBERISH 1.50 # limit | |
708 | tflags COMMENT_GIBBERISH publish | |
709 | ##} COMMENT_GIBBERISH | |
710 | ||
fc5290a3 SI |
711 | ##{ COMPENSATION |
712 | ||
713 | describe COMPENSATION "Compensation" | |
714 | #score COMPENSATION 1.50 # limit | |
715 | ##} COMPENSATION | |
716 | ||
717 | ##{ COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
718 | ||
719 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
720 | meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD | |
721 | endif | |
722 | ##} COMPENSATION if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
723 | ||
724 | ##{ COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM | |
725 | ||
726 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
727 | meta COMPENSATION __COMPENSATION && !__DOS_HAS_LIST_UNSUB && !__HAS_X_LOOP && !__HAS_ERRORS_TO && !__UNSUB_LINK && !__OPERA_MID_NON_OP && !__FB_S_STOCK && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__LOCAL_PP_NONPPURL && !__NOT_A_PERSON && !__SUBSCRIPTION_INFO && !__DKIM_EXISTS && !__HAS_SENDER && !__RP_MATCHES_RCVD && !__DKIM_DEPENDABLE | |
728 | endif | |
729 | ##} COMPENSATION ifplugin Mail::SpamAssassin::Plugin::DKIM | |
730 | ||
b780ea8d SI |
731 | ##{ CONTENT_AFTER_HTML |
732 | ||
dfdd1e08 SI |
733 | meta CONTENT_AFTER_HTML __CONTENT_AFTER_HTML && (__L_CTE_8BIT || __RDNS_NUMERIC_TLD || __HTML_TAG_BALANCE_CENTER || __STY_INVIS_MANY || __TO_EQ_FROM_USR || __TO_EQ_FROM_USR_2 || __KAM_HTML_FONT_INVALID || __SUBJECT_ENCODED_B64 ) |
734 | describe CONTENT_AFTER_HTML More content after HTML close tag + other spam signs | |
b780ea8d SI |
735 | #score CONTENT_AFTER_HTML 2.500 # limit |
736 | tflags CONTENT_AFTER_HTML publish | |
737 | ##} CONTENT_AFTER_HTML | |
738 | ||
dfdd1e08 SI |
739 | ##{ CONTENT_AFTER_HTML_WEAK |
740 | ||
741 | meta CONTENT_AFTER_HTML_WEAK __CONTENT_AFTER_HTML && !CONTENT_AFTER_HTML && !__CT_TEXT_PLAIN && !__BOUNCE_FROM_DAEMON && !__MSGID_OK_HEX && !__HAS_SENDER && !__LYRIS_EZLM_REMAILER && !MAILING_LIST_MULTI && !__HAS_CID && !__URI_DOTGOV | |
742 | describe CONTENT_AFTER_HTML_WEAK More content after HTML close tag | |
743 | #score CONTENT_AFTER_HTML_WEAK 1.500 # limit | |
744 | tflags CONTENT_AFTER_HTML_WEAK publish | |
745 | ##} CONTENT_AFTER_HTML_WEAK | |
746 | ||
b780ea8d SI |
747 | ##{ CORRUPT_FROM_LINE_IN_HDRS |
748 | ||
749 | meta CORRUPT_FROM_LINE_IN_HDRS (MISSING_HEADERS && __BODY_STARTS_WITH_FROM_LINE && MISSING_DATE && NO_RELAYS) | |
750 | describe CORRUPT_FROM_LINE_IN_HDRS Informational: message is corrupt, with a From line in its headers | |
751 | tflags CORRUPT_FROM_LINE_IN_HDRS userconf publish | |
752 | #score CORRUPT_FROM_LINE_IN_HDRS 0.001 | |
753 | ##} CORRUPT_FROM_LINE_IN_HDRS | |
754 | ||
755 | ##{ CTE_8BIT_MISMATCH | |
756 | ||
757 | meta CTE_8BIT_MISMATCH (__CT_TEXT_PLAIN && (!__CTE || __L_CTE_7BIT) && __L_BODY_8BITS) | |
758 | describe CTE_8BIT_MISMATCH Header says 7bits but body disagrees | |
759 | #score CTE_8BIT_MISMATCH 1 | |
760 | tflags CTE_8BIT_MISMATCH publish | |
761 | ##} CTE_8BIT_MISMATCH | |
762 | ||
763 | ##{ CTYPE_001C_A | |
764 | ||
765 | meta CTYPE_001C_A (0) # obsolete | |
766 | ##} CTYPE_001C_A | |
767 | ||
768 | ##{ CTYPE_001C_B | |
769 | ||
770 | header CTYPE_001C_B Content-Type =~ /multipart.{0,200}boundary=\"----=_NextPart_000_0000_01C[0-9A-F]{5}\.[0-9A-F]{7}0\"/ | |
771 | ##} CTYPE_001C_B | |
772 | ||
773 | ##{ CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
774 | ||
775 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
776 | mimeheader CTYPE_8SPACE_GIF Content-Type:raw =~ /^image\/gif;\n {8}name=\".+?\"$/s | |
777 | describe CTYPE_8SPACE_GIF Stock spam image part 'Content-Type' found (8 spc) | |
778 | endif | |
779 | ##} CTYPE_8SPACE_GIF ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
780 | ||
b780ea8d SI |
781 | ##{ CURR_PRICE |
782 | ||
783 | body CURR_PRICE /\bCurrent Price:/ | |
784 | ##} CURR_PRICE | |
785 | ||
fc5290a3 SI |
786 | ##{ DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval |
787 | ||
788 | ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
789 | header DATE_IN_FUTURE_Q_PLUS eval:check_for_shifted_date('2920', 'undef') | |
790 | describe DATE_IN_FUTURE_Q_PLUS Date: is over 4 months after Received: date | |
791 | endif | |
792 | ##} DATE_IN_FUTURE_Q_PLUS ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
793 | ||
b780ea8d SI |
794 | ##{ DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
795 | ||
796 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
797 | meta DAY_I_EARNED __DAY_I_EARNED >= 3 | |
798 | # score DAY_I_EARNED 3.000 # limit | |
799 | describe DAY_I_EARNED Work-at-home spam | |
800 | tflags DAY_I_EARNED publish | |
801 | endif | |
802 | ##} DAY_I_EARNED if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
803 | ||
804 | ##{ DEAR_BENEFICIARY | |
805 | ||
806 | body DEAR_BENEFICIARY /\b(?:De[ae]r\s|At+(?:ention|n):?\s?)(?:\S+\s)?Ben[ei]ficiary\b/i | |
807 | describe DEAR_BENEFICIARY Dear Beneficiary: | |
808 | ##} DEAR_BENEFICIARY | |
809 | ||
810 | ##{ DEAR_WINNER | |
811 | ||
812 | body DEAR_WINNER /\bdear.{1,20}winner/i | |
813 | describe DEAR_WINNER Spam with generic salutation of "dear winner" | |
814 | ##} DEAR_WINNER | |
815 | ||
816 | ##{ DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
817 | ||
818 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
819 | meta DKIMWL_BL __DKIMWL_WL_BL | |
820 | tflags DKIMWL_BL net publish | |
821 | describe DKIMWL_BL DKIMwl.org - Blocked sender | |
822 | #score DKIMWL_BL 3.0 # limit | |
823 | endif | |
824 | ##} DKIMWL_BL ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
825 | ||
826 | ##{ DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
827 | ||
828 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
829 | meta DKIMWL_BLOCKED __DKIMWL_BLOCKED | |
830 | tflags DKIMWL_BLOCKED net publish | |
831 | describe DKIMWL_BLOCKED ADMINISTRATOR NOTICE: The query to DKIMWL.org was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. | |
832 | #score DKIMWL_BLOCKED 0.001 # limit | |
833 | endif | |
834 | ##} DKIMWL_BLOCKED ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
835 | ||
836 | ##{ DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
837 | ||
# DKIMWL_WL_HIGH: score-lowering rule (tflags "nice", commented limit -3.0),
# defined only when the AskDNS plugin is loaded.
# It hits when __DKIMWL_WL_HI (defined elsewhere) is true and none of the
# freemail rules, __DKIMWL_FREEMAIL or __DKIMWL_BULKMAIL hit. The MED and
# MEDHI variants in this file omit the __DKIMWL_BULKMAIL exclusion.
# tflags "net": the result depends on a network lookup.
# NOTE(review): this is the largest negative limit among the DKIMWL_* rules
# shown here and it rests on a third-party list answer; watch for
# DKIMWL_BLOCKED, whose description says the query to DKIMWL.org was blocked.
838 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
839 | meta DKIMWL_WL_HIGH __DKIMWL_WL_HI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL || __DKIMWL_BULKMAIL) | |
840 | tflags DKIMWL_WL_HIGH net nice publish | |
841 | describe DKIMWL_WL_HIGH DKIMwl.org - High trust sender | |
842 | #score DKIMWL_WL_HIGH -3.0 # limit | |
843 | endif | |
844 | ##} DKIMWL_WL_HIGH ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
845 | ||
846 | ##{ DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
847 | ||
848 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
849 | meta DKIMWL_WL_MED __DKIMWL_WL_MED && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL) | |
850 | tflags DKIMWL_WL_MED net nice publish | |
851 | describe DKIMWL_WL_MED DKIMwl.org - Medium trust sender | |
852 | #score DKIMWL_WL_MED -0.5 # limit | |
853 | endif | |
854 | ##} DKIMWL_WL_MED ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
855 | ||
856 | ##{ DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
857 | ||
858 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
859 | meta DKIMWL_WL_MEDHI __DKIMWL_WL_MEDHI && !(FREEMAIL_FROM || FREEMAIL_REPLYTO || FREEMAIL_FORGED_REPLYTO || __DKIMWL_FREEMAIL) | |
860 | tflags DKIMWL_WL_MEDHI net nice publish | |
861 | describe DKIMWL_WL_MEDHI DKIMwl.org - Medium-high trust sender | |
862 | #score DKIMWL_WL_MEDHI -1.0 # limit | |
863 | endif | |
864 | ##} DKIMWL_WL_MEDHI ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
865 | ||
866 | ##{ DOS_ANAL_SPAM_MAILER | |
867 | ||
868 | header DOS_ANAL_SPAM_MAILER X-mailer =~ /^[A-Z][a-z]{6}e \d\.\d{2}$/ | |
869 | describe DOS_ANAL_SPAM_MAILER X-mailer pattern common to anal porn site spam | |
870 | tflags DOS_ANAL_SPAM_MAILER publish | |
871 | ##} DOS_ANAL_SPAM_MAILER | |
872 | ||
873 | ##{ DOS_DEREK_AUG08 | |
874 | ||
875 | meta DOS_DEREK_AUG08 __DOS_SINGLE_EXT_RELAY && __DOS_HAS_ANY_URI && __NAKED_TO && __LAST_UNTRUSTED_RELAY_NO_AUTH && SPF_PASS && __TVD_MIME_ATT_TP && __CT_TEXT_PLAIN && (__DOS_MSGID_DIGITS9 || __DOS_MSGID_DIGITS10) | |
876 | ##} DOS_DEREK_AUG08 | |
877 | ||
878 | ##{ DOS_FIX_MY_URI | |
879 | ||
880 | meta DOS_FIX_MY_URI __MIMEOLE_1106 && __DOS_HAS_ANY_URI && __DOS_SINGLE_EXT_RELAY && __DOS_HI && __DOS_LINK | |
881 | describe DOS_FIX_MY_URI Looks like a "fix my obfu'd URI please" spam | |
882 | ##} DOS_FIX_MY_URI | |
883 | ||
884 | ##{ DOS_HIGH_BAT_TO_MX | |
885 | ||
886 | meta DOS_HIGH_BAT_TO_MX __DOS_DIRECT_TO_MX && __HIGHBITS && __LAST_UNTRUSTED_RELAY_NO_AUTH && __THEBAT_MUA | |
887 | describe DOS_HIGH_BAT_TO_MX The Bat! Direct to MX with High Bits | |
888 | ##} DOS_HIGH_BAT_TO_MX | |
889 | ||
890 | ##{ DOS_LET_GO_JOB | |
891 | ||
892 | meta DOS_LET_GO_JOB __DOS_LET_GO_JOB && __DOS_MY_OLD_JOB && __DOS_I_DRIVE_A && __DOS_TAKING_HOME | |
893 | describe DOS_LET_GO_JOB Let go from their job and now makes lots of dough! | |
894 | ##} DOS_LET_GO_JOB | |
895 | ||
896 | ##{ DOS_OE_TO_MX | |
897 | ||
898 | meta DOS_OE_TO_MX __OE_MUA && __DOS_DIRECT_TO_MX && !DOS_OE_TO_MX_IMAGE | |
899 | describe DOS_OE_TO_MX Delivered direct to MX with OE headers | |
900 | ##} DOS_OE_TO_MX | |
901 | ||
902 | ##{ DOS_OE_TO_MX_IMAGE | |
903 | ||
904 | meta DOS_OE_TO_MX_IMAGE __OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH | |
905 | describe DOS_OE_TO_MX_IMAGE Direct to MX with OE headers and an image | |
906 | ##} DOS_OE_TO_MX_IMAGE | |
907 | ||
908 | ##{ DOS_OUTLOOK_TO_MX | |
909 | ||
910 | meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE | |
911 | describe DOS_OUTLOOK_TO_MX Delivered direct to MX with Outlook headers | |
912 | ##} DOS_OUTLOOK_TO_MX | |
913 | ||
914 | ##{ DOS_RCVD_IP_TWICE_C | |
915 | ||
# DOS_RCVD_IP_TWICE_C: header rule anchored over the whole
# X-Spam-Relays-External value (^ ... $).
# It wants one "[ ip=... ]" entry whose address is captured, then a second
# entry whose ip= repeats it through \1, then the end of the header. The
# [^\[]* runs cannot cross another "[", so no further entry may follow.
# The first entry's helo= must be empty or of the form !<digits and dots>!.
# (?!127) skips addresses that start with 127. ([\d.]+) captures digits and
# dots only, so an entry carrying an IPv6 address never matches this rule.
916 | header DOS_RCVD_IP_TWICE_C X-Spam-Relays-External =~ /^\s*\[ ip=(?!127)([\d.]+) [^\[]*\bhelo=(?:![\d.]{7,15}!)? [^\[]*\[ ip=\1 [^\]]*\]\s*$/ | |
917 | describe DOS_RCVD_IP_TWICE_C Received from the same IP twice in a row (only one external relay; empty or IP helo) | |
918 | ##} DOS_RCVD_IP_TWICE_C | |
919 | ||
920 | ##{ DOS_STOCK_BAT | |
921 | ||
922 | meta DOS_STOCK_BAT __THEBAT_MUA && (__DOS_BODY_STOCK || __DOS_BODY_TICKER) && (__DOS_REF_TODAY || __DOS_REF_NEXT_WK_DAY || __DOS_REF_2_WK_DAYS) | |
923 | describe DOS_STOCK_BAT Probable pump and dump stock spam | |
924 | ##} DOS_STOCK_BAT | |
925 | ||
926 | ##{ DOS_STOCK_BAT2 | |
927 | ||
928 | meta DOS_STOCK_BAT2 DOS_STOCK_BAT && (__DOS_FIN_ADVANTAGE + __DOS_STRONG_CF + __DOS_STEADY_COURSE > 2) | |
929 | ##} DOS_STOCK_BAT2 | |
930 | ||
931 | ##{ DOS_URI_ASTERISK | |
932 | ||
# DOS_URI_ASTERISK: uri rule for http/https URIs (scheme matched in any
# letter case) with a "*" in the host part.
# The "*" must sit directly before the final label, or start the label that
# precedes it. The final label is limited to 2-3 letters, optionally followed
# by a dot and a 2-letter label, and must be followed by end of string, ":"
# or "/".
# NOTE(review): because of [A-Za-z]{2,3}, a host ending in a longer
# top-level label does not match; coverage is limited to short TLDs.
933 | uri DOS_URI_ASTERISK m{^[Hh][Tt]{2}[Pp][Ss]?://[^/:]+(?:\*[A-Za-z0-9-]*\.|\*)[A-Za-z]{2,3}(?:\.[A-Za-z]{2})?(?:$|:|/)} | |
934 | describe DOS_URI_ASTERISK Found an asterisk in a URI | |
935 | ##} DOS_URI_ASTERISK | |
936 | ||
937 | ##{ DOS_YOUR_PLACE | |
938 | ||
939 | meta DOS_YOUR_PLACE (__DOS_COMING_TO_YOUR_PLACE && __DOS_MEET_EACH_OTHER && (__DOS_DROP_ME_A_LINE || __DOS_CORRESPOND_EMAIL || __DOS_EMAIL_DIRECTLY || __DOS_I_AM_25 || __DOS_WRITE_ME_AT || __DOS_PERSONAL_EMAIL)) | |
940 | describe DOS_YOUR_PLACE Russian dating spam | |
941 | ##} DOS_YOUR_PLACE | |
942 | ||
943 | ##{ DOTGOV_IMAGE | |
944 | ||
945 | meta DOTGOV_IMAGE __DOTGOV_IMAGE && !__HAVE_BOUNCE_RELAYS | |
946 | describe DOTGOV_IMAGE .gov URI + hosted image | |
947 | #score DOTGOV_IMAGE 3.000 # limit | |
948 | tflags DOTGOV_IMAGE publish | |
949 | ##} DOTGOV_IMAGE | |
950 | ||
951 | ##{ DRUGS_HDIA | |
952 | ||
953 | header DRUGS_HDIA Subject =~ /\bhoodia\b/i | |
954 | describe DRUGS_HDIA Subject mentions "hoodia" | |
955 | ##} DRUGS_HDIA | |
956 | ||
b780ea8d SI |
957 | ##{ DX_TEXT_02 |
958 | ||
959 | body DX_TEXT_02 /\b(?:change|modif(?:y|ications?)) (?:of|to|(?:yo)?ur) (?:message|sub|comm) stat/i | |
960 | describe DX_TEXT_02 "change your message stat" | |
961 | tflags DX_TEXT_02 publish | |
962 | ##} DX_TEXT_02 | |
963 | ||
964 | ##{ DX_TEXT_03 | |
965 | ||
966 | body DX_TEXT_03 /\b[A-Z]{3} Media (?:Group|Relations)\b/ | |
967 | describe DX_TEXT_03 "XXX Media Group" | |
968 | tflags DX_TEXT_03 publish | |
969 | ##} DX_TEXT_03 | |
970 | ||
971 | ##{ DYNAMIC_IMGUR | |
972 | ||
973 | meta DYNAMIC_IMGUR __DYNAMIC_IMGUR | |
974 | describe DYNAMIC_IMGUR dynamic IP + hosted image | |
975 | #score DYNAMIC_IMGUR 4.000 # limit | |
976 | tflags DYNAMIC_IMGUR publish | |
977 | ##} DYNAMIC_IMGUR | |
978 | ||
979 | ##{ DYN_RDNS_AND_INLINE_IMAGE | |
980 | ||
981 | meta DYN_RDNS_AND_INLINE_IMAGE (RDNS_DYNAMIC && __ANY_IMAGE_ATTACH) | |
982 | describe DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent by dynamic rDNS | |
983 | ##} DYN_RDNS_AND_INLINE_IMAGE | |
984 | ||
985 | ##{ DYN_RDNS_SHORT_HELO_HTML | |
986 | ||
987 | meta DYN_RDNS_SHORT_HELO_HTML (__HELO_NO_DOMAIN && RDNS_DYNAMIC && HTML_MESSAGE) | |
988 | describe DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML | |
989 | ##} DYN_RDNS_SHORT_HELO_HTML | |
990 | ||
991 | ##{ DYN_RDNS_SHORT_HELO_IMAGE | |
992 | ||
993 | meta DYN_RDNS_SHORT_HELO_IMAGE (__HELO_NO_DOMAIN && RDNS_DYNAMIC && __ANY_IMAGE_ATTACH) | |
994 | describe DYN_RDNS_SHORT_HELO_IMAGE Short HELO string, dynamic rDNS, inline image | |
995 | ##} DYN_RDNS_SHORT_HELO_IMAGE | |
996 | ||
997 | ##{ EBAY_IMG_NOT_RCVD_EBAY | |
998 | ||
999 | meta EBAY_IMG_NOT_RCVD_EBAY __EBAY_IMG_NOT_RCVD_EBAY && !__URI_MAILTO && !__RCD_RDNS_MAIL && !__DKIM_EXISTS | |
1000 | #score EBAY_IMG_NOT_RCVD_EBAY 3.000 # limit | |
1001 | describe EBAY_IMG_NOT_RCVD_EBAY E-bay hosted image but message not from E-bay | |
1002 | tflags EBAY_IMG_NOT_RCVD_EBAY publish | |
1003 | ##} EBAY_IMG_NOT_RCVD_EBAY | |
1004 | ||
1005 | ##{ EMRCP | |
1006 | ||
1007 | body EMRCP /\bExcess (?:Maximum )?Return Capital (?:Profits?|Funds?)\b/i | |
1008 | describe EMRCP "Excess Maximum Return Capital Profit" scam | |
1009 | tflags EMRCP publish | |
1010 | ##} EMRCP | |
1011 | ||
1012 | ##{ ENCRYPTED_MESSAGE | |
1013 | ||
# ENCRYPTED_MESSAGE: promotes the sub-rule __CT_ENCRYPTED to a published
# rule. tflags "nice" marks it as a rule meant to lower the score; the
# commented score below is -1.000.
# NOTE(review): __CT_ENCRYPTED is defined outside this section; presumably it
# keys on the declared Content-Type, which the sender controls. Confirm that
# before increasing the magnitude of this score in local.cf, since an
# encrypted body also cannot be inspected by the body and URI rules.
1014 | meta ENCRYPTED_MESSAGE __CT_ENCRYPTED | |
1015 | describe ENCRYPTED_MESSAGE Message is encrypted, not likely to be spam | |
1016 | #score ENCRYPTED_MESSAGE -1.000 | |
1017 | tflags ENCRYPTED_MESSAGE nice publish | |
1018 | ##} ENCRYPTED_MESSAGE | |
1019 | ||
1020 | ##{ END_FUTURE_EMAILS | |
1021 | ||
# END_FUTURE_EMAILS is spread over three sections. This first one holds the
# description and the commented score limit and is unconditional. The meta
# itself is defined in exactly one of the two sections that follow, depending
# on whether the DKIM plugin is loaded.
1022 | describe END_FUTURE_EMAILS Spammy unsubscribe | |
1023 | #score END_FUTURE_EMAILS 2.500 # limit | |
1024 | ##} END_FUTURE_EMAILS | |
1025 | ||
1026 | ##{ END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
1027 | ||
# Variant used when the DKIM plugin is not loaded: the base sub-rule with
# four exclusions and no DKIM terms.
1028 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
1029 | meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER | |
1030 | endif | |
1031 | ##} END_FUTURE_EMAILS if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
1032 | ||
1033 | ##{ END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM | |
1034 | ||
# Variant used when the DKIM plugin is loaded: the same expression plus
# !__DKIM_DEPENDABLE and !DKIM_SIGNED.
# NOTE(review): DKIM_SIGNED records that a signature is present, not that it
# verified; DKIM_VALID and DKIM_VALID_AU carry the verification result.
# Confirm that suppressing this rule on signature presence alone is intended.
1035 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
1036 | meta END_FUTURE_EMAILS __END_FUTURE_EMAILS && !__SUBJECT_ENCODED_B64 && !__HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__TO___LOWER && !__DKIM_DEPENDABLE && !DKIM_SIGNED | |
1037 | endif | |
1038 | ##} END_FUTURE_EMAILS ifplugin Mail::SpamAssassin::Plugin::DKIM | |
1039 | ||
1040 | ##{ ENVFROM_GOOG_TRIX | |
1041 | ||
1042 | meta ENVFROM_GOOG_TRIX __ENVFROM_GOOG_TRIX_SPAMMY | |
1043 | describe ENVFROM_GOOG_TRIX From suspicious Google subdomain | |
1044 | #score ENVFROM_GOOG_TRIX 3.000 # limit | |
1045 | tflags ENVFROM_GOOG_TRIX publish | |
1046 | ##} ENVFROM_GOOG_TRIX | |
1047 | ||
1048 | ##{ EXCUSE_24 | |
1049 | ||
1050 | body EXCUSE_24 /you(?:'ve|'re| have| are)? receiv(?:e|ed|ing) this (?:advertisement|offer|special|recurring|paid).{0,16}\b(?:by either|because)/i | |
1051 | describe EXCUSE_24 Claims you wanted this ad | |
1052 | ##} EXCUSE_24 | |
1053 | ||
31955ede | 1054 | ##{ FACEBOOK_IMG_NOT_RCVD_FB |
b780ea8d | 1055 | |
31955ede SI |
1056 | meta FACEBOOK_IMG_NOT_RCVD_FB __FACEBOOK_IMG_NOT_RCVD_FB && !__VIA_ML && !__ONE_IMG && !__RCD_RDNS_SMTP |
1057 | #score FACEBOOK_IMG_NOT_RCVD_FB 2.000 # limit | |
1058 | describe FACEBOOK_IMG_NOT_RCVD_FB Facebook hosted image but message not from Facebook | |
1059 | tflags FACEBOOK_IMG_NOT_RCVD_FB publish | |
1060 | ##} FACEBOOK_IMG_NOT_RCVD_FB | |
cabe596e | 1061 | |
fc5290a3 SI |
1062 | ##{ FAKE_REPLY_A1 |
1063 | ||
1064 | meta FAKE_REPLY_A1 (__SUBJ_RE && __MISSING_REPLY && __MISSING_REF && __BOTH_INR_AND_REF) | |
1065 | ##} FAKE_REPLY_A1 | |
1066 | ||
1067 | ##{ FAKE_REPLY_B | |
1068 | ||
1069 | meta FAKE_REPLY_B (__SUBJ_RE && __MISSING_REPLY && __INR_AND_NO_REF) | |
1070 | ##} FAKE_REPLY_B | |
1071 | ||
b780ea8d SI |
1072 | ##{ FAKE_REPLY_C |
1073 | ||
1074 | meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF) | |
1075 | ##} FAKE_REPLY_C | |
1076 | ||
1077 | ##{ FBI_MONEY | |
1078 | ||
1079 | meta FBI_MONEY __FBI_SPOOF && LOTS_OF_MONEY | |
1080 | describe FBI_MONEY The FBI wants to give you lots of money? | |
1081 | #score FBI_MONEY 2.00 # limit | |
1082 | tflags FBI_MONEY publish | |
1083 | ##} FBI_MONEY | |
1084 | ||
1085 | ##{ FBI_SPOOF | |
1086 | ||
1087 | meta FBI_SPOOF __FBI_SPOOF | |
1088 | describe FBI_SPOOF Claims to be FBI, but not from FBI domain | |
1089 | #score FBI_SPOOF 2.00 # limit | |
1090 | tflags FBI_SPOOF publish | |
1091 | ##} FBI_SPOOF | |
1092 | ||
1093 | ##{ FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1094 | ||
1095 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1096 | meta FILL_THIS_FORM __FILL_THIS_FORM && !__THREADED && !__FB_TOUR && !__VIA_ML | |
1097 | describe FILL_THIS_FORM Fill in a form with personal information | |
1098 | tflags FILL_THIS_FORM publish | |
1099 | endif | |
1100 | ##} FILL_THIS_FORM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1101 | ||
1102 | ##{ FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1103 | ||
1104 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1105 | meta FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG && !__VIA_ML && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__TRAVEL_MANY | |
1106 | describe FILL_THIS_FORM_LONG Fill in a form with personal information | |
1107 | # score FILL_THIS_FORM_LONG 2.00 # limit | |
1108 | endif | |
1109 | ##} FILL_THIS_FORM_LONG ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1110 | ||
1111 | ##{ FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1112 | ||
1113 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1114 | meta FONT_INVIS_DIRECT __FONT_INVIS_DIRECT && !__UNSUB_LINK && !__HAS_ERRORS_TO && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__URI_DOTGOV && !__NAKED_TO && !__MSGID_OK_HEX | |
1115 | describe FONT_INVIS_DIRECT Invisible text + direct-to-MX | |
1116 | # score FONT_INVIS_DIRECT 3.500 # limit | |
1117 | tflags FONT_INVIS_DIRECT publish | |
1118 | endif | |
1119 | ##} FONT_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1120 | ||
1121 | ##{ FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1122 | ||
1123 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1124 | meta FONT_INVIS_DOTGOV __FONT_INVIS_DOTGOV && !__MOZILLA_MSGID && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__HAS_LIST_ID | |
1125 | describe FONT_INVIS_DOTGOV Invisible text + .gov URI | |
1126 | # score FONT_INVIS_DOTGOV 3.500 # limit | |
1127 | tflags FONT_INVIS_DOTGOV publish | |
1128 | endif | |
1129 | ##} FONT_INVIS_DOTGOV if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1130 | ||
1131 | ##{ FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1132 | ||
1133 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1134 | meta FONT_INVIS_HTML_NOHTML __FONT_INVIS_HTML_NOHTML && !__RDNS_LONG | |
1135 | describe FONT_INVIS_HTML_NOHTML Invisible text + malformed HTML | |
1136 | # score FONT_INVIS_HTML_NOHTML 3.000 # limit | |
1137 | tflags FONT_INVIS_HTML_NOHTML publish | |
1138 | endif | |
1139 | ##} FONT_INVIS_HTML_NOHTML if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1140 | ||
1141 | ##{ FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1142 | ||
1143 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1144 | meta FONT_INVIS_LONG_LINE __FONT_INVIS_LONG_LINE && !__HTML_SINGLET | |
1145 | describe FONT_INVIS_LONG_LINE Invisible text + long lines | |
1146 | # score FONT_INVIS_LONG_LINE 3.000 # limit | |
1147 | tflags FONT_INVIS_LONG_LINE publish | |
1148 | endif | |
1149 | ##} FONT_INVIS_LONG_LINE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1150 | ||
1151 | ##{ FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1152 | ||
1153 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
31955ede | 1154 | meta FONT_INVIS_MSGID __FONT_INVIS_MSGID && !__RCD_RDNS_MX_MESSY && !__RCD_RDNS_MX && !__HAS_ERRORS_TO && !__RCD_RDNS_MAIL && !__MAIL_LINK && !__HDR_RCVD_AMAZON && !__MIME_QP && !__HAS_CAMPAIGNID && !__HAS_THREAD_INDEX && !__RCD_RDNS_MTA |
b780ea8d SI |
1155 | describe FONT_INVIS_MSGID Invisible text + suspicious message ID |
1156 | # score FONT_INVIS_MSGID 2.500 # limit | |
1157 | tflags FONT_INVIS_MSGID publish | |
1158 | endif | |
1159 | ##} FONT_INVIS_MSGID if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1160 | ||
1161 | ##{ FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1162 | ||
1163 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1164 | meta FONT_INVIS_NORDNS __FONT_INVIS_NORDNS && !__HTML_SINGLET && !__LYRIS_EZLM_REMAILER && !__YOUR_PERSONAL && !__HAS_X_MAILER | |
1165 | describe FONT_INVIS_NORDNS Invisible text + no rDNS | |
1166 | # score FONT_INVIS_NORDNS 2.500 # limit | |
1167 | tflags FONT_INVIS_NORDNS publish | |
1168 | endif | |
1169 | ##} FONT_INVIS_NORDNS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1170 | ||
1171 | ##{ FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1172 | ||
1173 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1174 | meta FONT_INVIS_POSTEXTRAS (__FONT_INVIS || __STY_INVIS) && __AC_POST_EXTRAS | |
1175 | describe FONT_INVIS_POSTEXTRAS Invisible text + suspicious URI | |
1176 | # score FONT_INVIS_POSTEXTRAS 3.500 # limit | |
1177 | tflags FONT_INVIS_POSTEXTRAS publish | |
1178 | endif | |
1179 | ##} FONT_INVIS_POSTEXTRAS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1180 | ||
1181 | ##{ FORGED_SPF_HELO | |
1182 | ||
# FORGED_SPF_HELO: hits when SPF_HELO_PASS hit, SPF_PASS did not, and the
# sub-rule __HELO_NOT_RDNS (defined elsewhere; by its name the HELO does not
# match the reverse DNS -- confirm) is true.
# This section carries no describe, score or tflags line for the rule.
# NOTE(review): SPF_HELO_PASS validates only the HELO identity, which the
# sending host chooses; it says nothing about the envelope sender or the
# From: domain, which is the mismatch this meta is built on.
1183 | meta FORGED_SPF_HELO __HELO_NOT_RDNS && SPF_HELO_PASS && !SPF_PASS | |
1184 | ##} FORGED_SPF_HELO | |
1185 | ||
1186 | ##{ FORM_FRAUD | |
1187 | ||
1188 | meta FORM_FRAUD (__FORM_FRAUD && !__FORM_FRAUD_3 && !__FORM_FRAUD_5) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__COMMENT_EXISTS && !__NOT_SPOOFED && !__UPPERCASE_URI && !__UNSUB_LINK | |
1189 | describe FORM_FRAUD Fill a form and a fraud phrase | |
1190 | #score FORM_FRAUD 1.000 # limit | |
1191 | tflags FORM_FRAUD publish | |
1192 | ##} FORM_FRAUD | |
1193 | ||
1194 | ##{ FORM_FRAUD_3 | |
1195 | ||
1196 | meta FORM_FRAUD_3 (__FORM_FRAUD_3 && !__FORM_FRAUD_5 && !__ADVANCE_FEE_3_NEW_FORM && !__ADVANCE_FEE_3_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__HTML_LINK_IMAGE && !__MIME_QP && !__DOS_BODY_FRI && !__UNSUB_LINK && !__BUGGED_IMG && !__NOT_SPOOFED | |
1197 | describe FORM_FRAUD_3 Fill a form and several fraud phrases | |
1198 | tflags FORM_FRAUD_3 publish | |
1199 | ##} FORM_FRAUD_3 | |
1200 | ||
1201 | ##{ FORM_FRAUD_5 | |
1202 | ||
1203 | meta FORM_FRAUD_5 (__FORM_FRAUD_5 && !__ADVANCE_FEE_5_NEW_FORM && !__ADVANCE_FEE_5_NEW_FRM_MNY) && !__DOS_HAS_LIST_UNSUB && !__THREADED && !__HAS_THREAD_INDEX && !__VIA_ML && !__BOUNCE_CTYPE | |
1204 | describe FORM_FRAUD_5 Fill a form and many fraud phrases | |
1205 | tflags FORM_FRAUD_5 publish | |
1206 | ##} FORM_FRAUD_5 | |
1207 | ||
b780ea8d SI |
1208 | ##{ FOUND_YOU |
1209 | ||
1210 | meta FOUND_YOU __FOUND_YOU && !__DKIM_EXISTS && !__SUBJ_RE && !__HAS_X_REF && !__RP_MATCHES_RCVD && !__COMMENT_EXISTS && !__HAS_ERRORS_TO && !__HAS_IN_REPLY_TO | |
1211 | #score FOUND_YOU 3.25 # limit | |
1212 | describe FOUND_YOU I found you... | |
1213 | tflags FOUND_YOU publish | |
1214 | ##} FOUND_YOU | |
1215 | ||
1216 | ##{ FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) | |
1217 | ||
1218 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1219 | ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
1220 | if (version >= 3.004000) | |
1221 | meta FREEMAIL_FORGED_FROMDOMAIN FREEMAIL_FROM && HEADER_FROM_DIFFERENT_DOMAINS | |
1222 | describe FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different | |
1223 | # score FREEMAIL_FORGED_FROMDOMAIN 0.25 | |
1224 | tflags FREEMAIL_FORGED_FROMDOMAIN publish | |
1225 | endif | |
1226 | endif | |
1227 | endif | |
1228 | ##} FREEMAIL_FORGED_FROMDOMAIN ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) | |
1229 | ||
1230 | ##{ FREEMAIL_WFH_01 | |
1231 | ||
1232 | meta FREEMAIL_WFH_01 __FREEMAIL_WFH_01 | |
1233 | describe FREEMAIL_WFH_01 Work-from-Home + freemail | |
1234 | tflags FREEMAIL_WFH_01 publish | |
1235 | ##} FREEMAIL_WFH_01 | |
1236 | ||
1237 | ##{ FREEM_FRNUM_UNICD_EMPTY | |
1238 | ||
1239 | meta FREEM_FRNUM_UNICD_EMPTY __FREEM_FRNUM_UNICD_EMPTY | |
1240 | describe FREEM_FRNUM_UNICD_EMPTY Numeric freemail From address, unicode From name and Subject, empty body | |
1241 | #score FREEM_FRNUM_UNICD_EMPTY 3.750 # limit | |
1242 | tflags FREEM_FRNUM_UNICD_EMPTY publish | |
1243 | ##} FREEM_FRNUM_UNICD_EMPTY | |
1244 | ||
1245 | ##{ FRNAME_IN_MSG_XPRIO_NO_SUB | |
1246 | ||
1247 | meta FRNAME_IN_MSG_XPRIO_NO_SUB (__FROM_NAME_IN_MSG && __XPRIO && (__SUBJECT_EMPTY || __SUBJ_SHORT)) && !__DKIM_EXISTS && !__SUBJ_NOT_SHORT && !ALL_TRUSTED | |
1248 | describe FRNAME_IN_MSG_XPRIO_NO_SUB From name in message + X-Priority + short or no subject | |
1249 | #score FRNAME_IN_MSG_XPRIO_NO_SUB 2.500 # limit | |
1250 | tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish | |
1251 | ##} FRNAME_IN_MSG_XPRIO_NO_SUB | |
1252 | ||
fc5290a3 SI |
1253 | ##{ FROMSPACE |
1254 | ||
1255 | describe FROMSPACE Idiosyncratic "From" header format | |
1256 | header FROMSPACE From:raw =~ /^\s?\"\s/ | |
1257 | ##} FROMSPACE | |
1258 | ||
1259 | ##{ FROM_2_EMAILS_SHORT | |
1260 | ||
1261 | meta FROM_2_EMAILS_SHORT __KAM_BODY_LENGTH_LT_512 && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) | |
1262 | describe FROM_2_EMAILS_SHORT Short body and From looks like 2 different emails | |
1263 | #score FROM_2_EMAILS_SHORT 3.0 # limit | |
1264 | ##} FROM_2_EMAILS_SHORT | |
1265 | ||
b780ea8d SI |
1266 | ##{ FROM_ADDR_WS |
1267 | ||
1268 | meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL | |
1269 | describe FROM_ADDR_WS Malformed From address | |
1270 | #score FROM_ADDR_WS 3.000 # limit | |
1271 | tflags FROM_ADDR_WS publish | |
1272 | ##} FROM_ADDR_WS | |
1273 | ||
1274 | ##{ FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1275 | ||
# FROM_BANK_NOAUTH: defined only on version >= 3.004002 with the WLBLEval
# plugin loaded.
# Hits when __FROM_ADDRLIST_BANKS (defined elsewhere) is true, NO_RELAYS and
# ALL_TRUSTED both did not hit, and neither SPF_PASS nor DKIM_VALID_AU hit.
# tflags "net": the result depends on network lookups.
# NOTE(review): either SPF_PASS or DKIM_VALID_AU alone suppresses the rule.
# SPF_PASS concerns the envelope sender rather than the From: header, so it
# is the weaker of the two as evidence about the From domain. Sites that need
# stricter handling of bank-domain mail can define their own meta in local.cf.
1276 | if (version >= 3.004002) | |
1277 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1278 | meta FROM_BANK_NOAUTH __FROM_ADDRLIST_BANKS && (! NO_RELAYS && ! ALL_TRUSTED) && (! SPF_PASS && ! DKIM_VALID_AU) | |
1279 | tflags FROM_BANK_NOAUTH publish net | |
1280 | describe FROM_BANK_NOAUTH From Bank domain but no SPF or DKIM | |
1281 | #score FROM_BANK_NOAUTH 1.0 # limit | |
1282 | endif | |
1283 | endif | |
1284 | ##} FROM_BANK_NOAUTH if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1285 | ||
1286 | ##{ FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1287 | ||
1288 | if (version >= 3.004001) | |
1289 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1290 | meta FROM_FMBLA_NDBLOCKED __FROM_FMBLA_NDBLOCKED | |
1291 | describe FROM_FMBLA_NDBLOCKED ADMINISTRATOR NOTICE: The query to fresh.fmb.la was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information. | |
1292 | tflags FROM_FMBLA_NDBLOCKED net publish | |
1293 | #score FROM_FMBLA_NDBLOCKED 0.001 # limit | |
1294 | endif | |
1295 | endif | |
1296 | ##} FROM_FMBLA_NDBLOCKED if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1297 | ||
1298 | ##{ FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1299 | ||
# FROM_FMBLA_NEWDOM: defined only on version >= 3.004001 with the AskDNS
# plugin loaded; it promotes the sub-rule __FROM_FMBLA_NEWDOM (defined
# elsewhere) to a scored rule with a commented limit of 1.5.
# tflags "net": the result depends on a DNS lookup. FROM_FMBLA_NDBLOCKED in
# this file reports blocked queries to fresh.fmb.la, presumably the same
# list -- confirm against the sub-rule definition.
# NOTE(review): the tflags line here is "net" only, while FROM_FMBLA_NEWDOM14,
# FROM_FMBLA_NEWDOM28 and FROM_FMBLA_NDBLOCKED also carry "publish"; confirm
# that the omission is intended.
1300 | if (version >= 3.004001) | |
1301 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1302 | meta FROM_FMBLA_NEWDOM __FROM_FMBLA_NEWDOM | |
1303 | describe FROM_FMBLA_NEWDOM From domain was registered in last 7 days | |
1304 | tflags FROM_FMBLA_NEWDOM net | |
1305 | #score FROM_FMBLA_NEWDOM 1.5 # limit | |
1306 | endif | |
1307 | endif | |
1308 | ##} FROM_FMBLA_NEWDOM if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1309 | ||
1310 | ##{ FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1311 | ||
1312 | if (version >= 3.004001) | |
1313 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1314 | meta FROM_FMBLA_NEWDOM14 __FROM_FMBLA_NEWDOM14 | |
1315 | describe FROM_FMBLA_NEWDOM14 From domain was registered in last 7-14 days | |
1316 | tflags FROM_FMBLA_NEWDOM14 publish net | |
1317 | #score FROM_FMBLA_NEWDOM14 1.0 # limit | |
1318 | endif | |
1319 | endif | |
1320 | ##} FROM_FMBLA_NEWDOM14 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1321 | ||
1322 | ##{ FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1323 | ||
1324 | if (version >= 3.004001) | |
1325 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1326 | meta FROM_FMBLA_NEWDOM28 __FROM_FMBLA_NEWDOM28 | |
1327 | describe FROM_FMBLA_NEWDOM28 From domain was registered in last 14-28 days | |
1328 | tflags FROM_FMBLA_NEWDOM28 net publish | |
1329 | #score FROM_FMBLA_NEWDOM28 0.8 # limit | |
1330 | endif | |
1331 | endif | |
1332 | ##} FROM_FMBLA_NEWDOM28 if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1333 | ||
1334 | ##{ FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1335 | ||
1336 | if (version >= 3.004002) | |
1337 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1338 | meta FROM_GOV_DKIM_AU DKIM_VALID_AU && __FROM_ADDRLIST_GOV | |
1339 | tflags FROM_GOV_DKIM_AU net nice publish | |
1340 | describe FROM_GOV_DKIM_AU From Government address and DKIM signed | |
1341 | #score FROM_GOV_DKIM_AU -1.0 # limit | |
1342 | endif | |
1343 | endif | |
1344 | ##} FROM_GOV_DKIM_AU if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1345 | ||
1346 | ##{ FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1347 | ||
1348 | if (version >= 3.004002) | |
1349 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1350 | meta FROM_GOV_REPLYTO_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_GOV && !DKIM_VALID_AU | |
1351 | tflags FROM_GOV_REPLYTO_FREEMAIL net publish | |
1352 | describe FROM_GOV_REPLYTO_FREEMAIL From Government domain but ReplyTo is FREEMAIL | |
1353 | #score FROM_GOV_REPLYTO_FREEMAIL 2.0 | |
1354 | endif | |
1355 | endif | |
1356 | ##} FROM_GOV_REPLYTO_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1357 | ||
1358 | ##{ FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1359 | ||
# Hits when the From address is on the government list but __NOT_SPOOFED did not fire.
# The (!NO_RELAYS && !ALL_TRUSTED) term limits the rule to mail that passed through at least one
# relay outside the trusted set, so locally submitted mail is not flagged.
# NOTE(review): __NOT_SPOOFED and __FROM_ADDRLIST_GOV are defined outside this excerpt; ALL_TRUSTED
# depends on trusted_networks being configured correctly for the site.
1360 | if (version >= 3.004002) | |
1361 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1362 | meta FROM_GOV_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_GOV && (! NO_RELAYS && ! ALL_TRUSTED) | |
1363 | tflags FROM_GOV_SPOOF net publish | |
1364 | describe FROM_GOV_SPOOF From Government domain but matches SPOOFED | |
1365 | #score FROM_GOV_SPOOF 1.0 # limit | |
1366 | endif | |
1367 | endif | |
1368 | ##} FROM_GOV_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1369 | ||
1370 | ##{ FROM_IN_TO_AND_SUBJ | |
1371 | ||
1372 | meta FROM_IN_TO_AND_SUBJ (__TO_EQ_FROM && __SUBJ_HAS_FROM_1) && !__HAS_LIST_ID | |
1373 | describe FROM_IN_TO_AND_SUBJ From address is in To and Subject | |
1374 | tflags FROM_IN_TO_AND_SUBJ publish | |
1375 | ##} FROM_IN_TO_AND_SUBJ | |
1376 | ||
1377 | ##{ FROM_MISSPACED | |
1378 | ||
1379 | meta FROM_MISSPACED __FROM_MISSPACED && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__UNSUB_LINK && !__TO___LOWER && !__BUGGED_IMG && !__DOS_HAS_LIST_UNSUB && !__TO_EQ_FROM_DOM && !__MAIL_LINK && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA | |
1380 | describe FROM_MISSPACED From: missing whitespace | |
1381 | #score FROM_MISSPACED 2.00 | |
1382 | ##} FROM_MISSPACED | |
1383 | ||
fc5290a3 SI |
1384 | ##{ FROM_MISSP_DYNIP |
1385 | ||
1386 | meta FROM_MISSP_DYNIP __FROM_RUNON && RDNS_DYNAMIC | |
1387 | describe FROM_MISSP_DYNIP From misspaced + dynamic rDNS | |
1388 | ##} FROM_MISSP_DYNIP | |
1389 | ||
b780ea8d SI |
1390 | ##{ FROM_MISSP_EH_MATCH |
1391 | ||
1392 | meta FROM_MISSP_EH_MATCH __FROM_MISSP_EH_MATCH && !__RCD_RDNS_MTA_MESSY && !__UNSUB_LINK && !__COMMENT_EXISTS && !__TO___LOWER && !__MIME_QP && !__TO_EQ_FROM_DOM && !__BUGGED_IMG && !__DKIM_EXISTS && !__RCVD_ZIXMAIL && !__MTLANDROID_MUA && !__XEROXWORKCTR_MUA && !__PHP_MUA && !__AMADEUSMS_MUA && !__FLASHMAIL_MUA | |
1393 | describe FROM_MISSP_EH_MATCH From misspaced, matches envelope | |
1394 | #score FROM_MISSP_EH_MATCH 2.00 # max | |
1395 | ##} FROM_MISSP_EH_MATCH | |
1396 | ||
1397 | ##{ FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1398 | ||
1399 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1400 | meta FROM_MISSP_FREEMAIL __FROM_MISSP_FREEMAIL && !__TO_EQ_FROM_DOM && !__MTLANDROID_MUA | |
1401 | describe FROM_MISSP_FREEMAIL From misspaced + freemail provider | |
1402 | endif | |
1403 | ##} FROM_MISSP_FREEMAIL ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1404 | ||
1405 | ##{ FROM_MISSP_MSFT | |
1406 | ||
1407 | meta FROM_MISSP_MSFT __FROM_RUNON && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS) | |
1408 | describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool | |
1409 | ##} FROM_MISSP_MSFT | |
1410 | ||
1411 | ##{ FROM_MISSP_REPLYTO | |
1412 | ||
1413 | meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY && !__DOS_HAS_LIST_UNSUB | |
1414 | describe FROM_MISSP_REPLYTO From misspaced, has Reply-To | |
1415 | #score FROM_MISSP_REPLYTO 2.500 # limit | |
1416 | ##} FROM_MISSP_REPLYTO | |
1417 | ||
1418 | ##{ FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF | |
1419 | ||
# Combines the __FROM_RUNON subrule with an SPF hard fail (SPF_FAIL); only loaded when the SPF
# plugin is available. Tagged "net" because the SPF result needs DNS lookups.
# NOTE(review): this block has no "describe" line, unlike the neighbouring FROM_MISSP_* rules.
1420 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
1421 | meta FROM_MISSP_SPF_FAIL (__FROM_RUNON && SPF_FAIL) | |
1422 | tflags FROM_MISSP_SPF_FAIL net | |
1423 | # score FROM_MISSP_SPF_FAIL 2.00 # limit | |
1424 | endif | |
1425 | ##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF | |
1426 | ||
b780ea8d SI |
1427 | ##{ FROM_MISSP_USER |
1428 | ||
1429 | meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER) | |
1430 | describe FROM_MISSP_USER From misspaced, from "User" | |
1431 | ##} FROM_MISSP_USER | |
1432 | ||
fc5290a3 SI |
1433 | ##{ FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) |
1434 | ||
1435 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
1436 | meta FROM_MULTI_NORDNS __FROM_MULTI_NORDNS | |
1437 | describe FROM_MULTI_NORDNS Multiple From addresses + no rDNS | |
1438 | endif | |
1439 | ##} FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
1440 | ||
b780ea8d SI |
1441 | ##{ FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS |
1442 | ||
1443 | if (version >= 3.004001) | |
1444 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1445 | meta FROM_NEWDOM_BTC __PDS_BTC_ID && __PDS_NEWDOMAIN | |
1446 | describe FROM_NEWDOM_BTC Newdomain with Bitcoin ID | |
1447 | #score FROM_NEWDOM_BTC 2.0 # limit | |
1448 | tflags FROM_NEWDOM_BTC net | |
1449 | endif | |
1450 | endif | |
1451 | ##} FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1452 | ||
1453 | ##{ FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1454 | ||
1455 | if (version >= 3.004002) | |
1456 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1457 | meta FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY | |
1458 | tflags FROM_NTLD_LINKBAIT publish | |
1459 | describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI | |
1460 | #score FROM_NTLD_LINKBAIT 2.0 # limit | |
1461 | endif | |
1462 | endif | |
1463 | ##} FROM_NTLD_LINKBAIT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1464 | ||
1465 | ##{ FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1466 | ||
1467 | if (version >= 3.004002) | |
1468 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1469 | meta FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD | |
1470 | tflags FROM_NTLD_REPLY_FREEMAIL publish | |
1471 | describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL | |
1472 | #score FROM_NTLD_REPLY_FREEMAIL 2.0 # limit | |
1473 | endif | |
1474 | endif | |
1475 | ##} FROM_NTLD_REPLY_FREEMAIL if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1476 | ||
1477 | ##{ FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1478 | ||
1479 | if (version >= 3.004001) | |
1480 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1481 | meta FROM_NUMBERO_NEWDOMAIN __NUMBERONLY_TLD && __PDS_NEWDOMAIN | |
1482 | describe FROM_NUMBERO_NEWDOMAIN Fingerprint and new domain | |
1483 | #score FROM_NUMBERO_NEWDOMAIN 2.0 # limit | |
1484 | tflags FROM_NUMBERO_NEWDOMAIN net publish | |
1485 | endif | |
1486 | endif | |
1487 | ##} FROM_NUMBERO_NEWDOMAIN if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
1488 | ||
b780ea8d SI |
1489 | ##{ FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval |
1490 | ||
# Same shape as FROM_GOV_SPOOF, for the PayPal address list: From is on __FROM_ADDRLIST_PAYPAL,
# __NOT_SPOOFED did not fire, and the message passed through at least one untrusted relay
# (!NO_RELAYS && !ALL_TRUSTED).
# NOTE(review): both subrules are defined outside this excerpt; ALL_TRUSTED is only meaningful
# when trusted_networks matches the real mail path.
1491 | if (version >= 3.004002) | |
1492 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1493 | meta FROM_PAYPAL_SPOOF !__NOT_SPOOFED && __FROM_ADDRLIST_PAYPAL && (! NO_RELAYS && ! ALL_TRUSTED) | |
1494 | tflags FROM_PAYPAL_SPOOF publish net | |
1495 | describe FROM_PAYPAL_SPOOF From PayPal domain but matches SPOOFED | |
1496 | #score FROM_PAYPAL_SPOOF 1.6 # limit | |
1497 | endif | |
1498 | endif | |
1499 | ##} FROM_PAYPAL_SPOOF if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1500 | ||
1501 | ##{ FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1502 | ||
1503 | if (version >= 3.004002) | |
1504 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1505 | meta FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD | |
1506 | tflags FROM_SUSPICIOUS_NTLD publish | |
1507 | describe FROM_SUSPICIOUS_NTLD From abused NTLD | |
1508 | #score FROM_SUSPICIOUS_NTLD 0.5 # limit | |
1509 | endif | |
1510 | endif | |
1511 | ##} FROM_SUSPICIOUS_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1512 | ||
1513 | ##{ FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1514 | ||
# Narrower variant of FROM_SUSPICIOUS_NTLD: the same address-list match, but only when the message
# has no Sender, In-Reply-To or X-Mailing-List header (per the three negated __HAS_* subrules).
# NOTE(review): the describe text is identical to FROM_SUSPICIOUS_NTLD, so the two hits cannot be
# told apart by description in a report; the rule names differ.
1515 | if (version >= 3.004002) | |
1516 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1517 | meta FROM_SUSPICIOUS_NTLD_FP __FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST | |
1518 | tflags FROM_SUSPICIOUS_NTLD_FP publish | |
1519 | describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD | |
1520 | #score FROM_SUSPICIOUS_NTLD_FP 2.0 # limit | |
1521 | endif | |
1522 | endif | |
1523 | ##} FROM_SUSPICIOUS_NTLD_FP if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1524 | ||
21dcadbf SI |
1525 | ##{ FROM_UNBAL1 |
1526 | ||
# Tests the undecoded From header (From:raw). With /x the spaces in the pattern are ignored, so it
# reads <[^>]*$ : a '<' with no '>' before the end of a line (/m lets $ match at each line end of
# a folded header).
1527 | header FROM_UNBAL1 From:raw =~ / < [^>]* $/xm | |
1528 | describe FROM_UNBAL1 From with unbalanced angle brackets, '>' missing | |
1529 | ##} FROM_UNBAL1 | |
1530 | ||
fc5290a3 SI |
1531 | ##{ FROM_UNBAL2 |
1532 | ||
# Tests the undecoded From header (From:raw). With /x the spaces in the pattern are ignored, so it
# reads ^[^<]*> : a '>' reached from the start of a line without any '<' before it (/m lets ^
# match at each line start of a folded header).
1533 | header FROM_UNBAL2 From:raw =~ /^ [^<]* > /xm | |
1534 | describe FROM_UNBAL2 From with unbalanced angle brackets, '<' missing | |
1535 | ##} FROM_UNBAL2 | |
1536 | ||
1537 | ##{ FROM_WSP_TRAIL | |
1538 | ||
# Tests the undecoded From header (From:raw). With /x the pattern reads <[^>]*\s>[^<>]*\z :
# a whitespace character directly before the closing '>', with no further angle brackets up to the
# end of the header value (\z).
1539 | header FROM_WSP_TRAIL From:raw =~ /< [^>]* \s > [^<>]* \z/xm | |
1540 | describe FROM_WSP_TRAIL Trailing whitespace before '>' in From header field | |
1541 | ##} FROM_WSP_TRAIL | |
1542 | ||
b780ea8d SI |
1543 | ##{ FSL_BULK_SIG |
1544 | ||
31955ede | 1545 | meta FSL_BULK_SIG (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__USING_VERP1 && !__KAM_BODY_LENGTH_LT_128 |
b780ea8d | 1546 | describe FSL_BULK_SIG Bulk signature with no Unsubscribe |
31955ede | 1547 | #score FSL_BULK_SIG 2.500 # limit |
b780ea8d SI |
1548 | tflags FSL_BULK_SIG net publish |
1549 | ##} FSL_BULK_SIG | |
1550 | ||
1551 | ##{ FSL_CTYPE_WIN1251 | |
1552 | ||
# Matches only the exact, case-sensitive, double-quoted form charset="Windows-1251" in
# Content-Type (the pattern has no /i flag).
# NOTE(review): Windows-1251 is a general-purpose Cyrillic encoding, so the rule presumably keys on
# this particular spelling rather than on the charset itself; weigh false positives on legitimate
# Cyrillic mail before scoring it locally. No score line is present in this block.
1553 | header FSL_CTYPE_WIN1251 Content-Type =~ /charset="Windows-1251"/ | |
1554 | describe FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam | |
1555 | ##} FSL_CTYPE_WIN1251 | |
1556 | ||
1557 | ##{ FSL_FAKE_HOTMAIL_RVCD | |
1558 | ||
# Looks for mx1..mx4.hotmail.com in X-Spam-Relays-External, the relay metadata SpamAssassin
# derives from Received headers of untrusted relays.
# NOTE(review): the pattern is unanchored, so it can match in any field of that metadata; which
# field is intended is not stated here. No describe or score line is present in this block.
1559 | header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/ | |
1560 | ##} FSL_FAKE_HOTMAIL_RVCD | |
1561 | ||
1562 | ##{ FSL_HELO_BARE_IP_1 | |
1563 | ||
1564 | meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED | |
1565 | ##} FSL_HELO_BARE_IP_1 | |
1566 | ||
1567 | ##{ FSL_HELO_DEVICE | |
1568 | ||
# Matches a HELO name of device.lan, dsldevice.lan or speedtouch.lan (case-insensitive) in the
# external relay metadata. The HELO string is supplied by the connecting client.
1569 | header FSL_HELO_DEVICE X-Spam-Relays-External =~ /\bhelo=(?:(?:dsl)?device|speedtouch)\.lan\b/i | |
1570 | ##} FSL_HELO_DEVICE | |
1571 | ||
1572 | ##{ FSL_HELO_NON_FQDN_1 | |
1573 | ||
# Matches a HELO value made only of letters, digits, '-' and '_' followed by a space, i.e. a name
# with no dot in it. ^[^\]]+ cannot cross a ']', so the match stays inside the first bracketed
# relay entry (presumably the most recent external relay; confirm against the header format).
# In the class [a-zA-Z0-9-_] the '-' comes right after the 0-9 range and is therefore a literal
# hyphen, not a second range.
1574 | header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i | |
1575 | ##} FSL_HELO_NON_FQDN_1 | |
1576 | ||
1577 | ##{ FSL_HELO_SETUP | |
1578 | ||
# Matches any HELO name ending in ".setup" (case-insensitive) in the external relay metadata.
# The HELO string is supplied by the connecting client.
1579 | header FSL_HELO_SETUP X-Spam-Relays-External =~ /\bhelo=\S+\.setup\b/i | |
1580 | ##} FSL_HELO_SETUP | |
1581 | ||
1582 | ##{ FSL_INTERIA_ABUSE | |
1583 | ||
1584 | uri FSL_INTERIA_ABUSE /\/\S+\.(?:w|eu|fm)\.interia\.pl/ | |
1585 | ##} FSL_INTERIA_ABUSE | |
1586 | ||
1587 | ##{ FSL_NEW_HELO_USER | |
1588 | ||
1589 | meta FSL_NEW_HELO_USER (__FSL_HELO_USER_1 || __FSL_HELO_USER_2 || __FSL_HELO_USER_3) | |
1590 | describe FSL_NEW_HELO_USER Spam's using Helo and User | |
1591 | #score FSL_NEW_HELO_USER 2.0 | |
1592 | tflags FSL_NEW_HELO_USER publish | |
1593 | ##} FSL_NEW_HELO_USER | |
1594 | ||
1595 | ##{ FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1596 | ||
1597 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1598 | body FUZZY_AMAZON /(?:^|\W)(?=<A>)(?!amazon)<A><M><A><Z><O><N>(?:$|\W)/i | |
1599 | describe FUZZY_AMAZON Obfuscated "amazon" | |
1600 | tflags FUZZY_AMAZON publish | |
1601 | endif | |
1602 | ##} FUZZY_AMAZON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1603 | ||
1604 | ##{ FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1605 | ||
1606 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1607 | body FUZZY_ANDROID /(?=<A>)(?!android)<A><N><D><R><O><I><D>/i | |
1608 | describe FUZZY_ANDROID Obfuscated "android" | |
1609 | tflags FUZZY_ANDROID publish | |
1610 | endif | |
1611 | ##} FUZZY_ANDROID ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1612 | ||
1613 | ##{ FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1614 | ||
1615 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1616 | body FUZZY_APPLE /(?:^|\W)(?=<A>)(?!appl[ey])<A><P><P><L><E>(?:$|\W)/i | |
1617 | describe FUZZY_APPLE Obfuscated "apple" | |
1618 | tflags FUZZY_APPLE publish | |
1619 | endif | |
1620 | ##} FUZZY_APPLE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1621 | ||
1622 | ##{ FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1623 | ||
# ReplaceTags rule: <B>, <I>, <T>, ... are placeholders that the plugin expands into look-alike
# character sets, with an optional '-' or whitespace allowed between letters.
# The (?!bit[-\s]?coin) lookahead rejects the plain spelling, so only disguised forms hit.
# NOTE(review): the tag definitions and the replace_rules line that enables expansion for this
# rule are not in this excerpt; without them the tags would be matched literally.
1624 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1625 | body FUZZY_BITCOIN /(?=<B>)(?!bit[-\s]?coin)<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i | |
1626 | describe FUZZY_BITCOIN Obfuscated "Bitcoin" | |
1627 | tflags FUZZY_BITCOIN publish | |
1628 | endif | |
1629 | ##} FUZZY_BITCOIN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1630 | ||
1631 | ##{ FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1632 | ||
1633 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1634 | body FUZZY_BROWSER /(?=<B>)(?!browser)<B><R><O><W><S><E><R>/i | |
1635 | describe FUZZY_BROWSER Obfuscated "browser" | |
1636 | tflags FUZZY_BROWSER publish | |
1637 | endif | |
1638 | ##} FUZZY_BROWSER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1639 | ||
1640 | ##{ FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1641 | ||
1642 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1643 | meta FUZZY_BTC_WALLET FUZZY_BITCOIN && FUZZY_WALLET | |
1644 | describe FUZZY_BTC_WALLET Heavily obfuscated "bitcoin wallet" | |
1645 | tflags FUZZY_BTC_WALLET publish | |
1646 | endif | |
1647 | ##} FUZZY_BTC_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1648 | ||
1649 | ##{ FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1650 | ||
1651 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1652 | body FUZZY_CLICK_HERE /(?=<C>)(?!click(?:\s| )here)<C><WS>*<L><WS>*<I><WS>*<C><WS>*<K><WS>+<H><WS>*<E><WS>*<R><WS>*<E>/i | |
1653 | describe FUZZY_CLICK_HERE Obfuscated "click here" | |
1654 | tflags FUZZY_CLICK_HERE publish | |
1655 | endif | |
1656 | ##} FUZZY_CLICK_HERE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1657 | ||
1658 | ##{ FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1659 | ||
1660 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1661 | meta FUZZY_DR_OZ __FUZZY_DR_OZ && !__VIA_ML | |
1662 | describe FUZZY_DR_OZ Obfuscated Doctor Oz | |
1663 | tflags FUZZY_DR_OZ publish | |
1664 | endif | |
1665 | ##} FUZZY_DR_OZ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1666 | ||
1667 | ##{ FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1668 | ||
1669 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1670 | body FUZZY_FACEBOOK /(?=<F>)(?!fa[ck]ebook)<F><A><C><E><B><O><O><K>/i | |
1671 | describe FUZZY_FACEBOOK Obfuscated "facebook" | |
1672 | tflags FUZZY_FACEBOOK publish | |
1673 | endif | |
1674 | ##} FUZZY_FACEBOOK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1675 | ||
1676 | ##{ FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1677 | ||
1678 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1679 | body FUZZY_IMPORTANT /(?=<I>)(?!important)<I>(?:<M>|<N>)<P><O><R><T><A><N><T>/i | |
1680 | describe FUZZY_IMPORTANT Obfuscated "important" | |
1681 | tflags FUZZY_IMPORTANT publish | |
1682 | endif | |
1683 | ##} FUZZY_IMPORTANT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1684 | ||
1685 | ##{ FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1686 | ||
1687 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1688 | body FUZZY_MERIDIA /<inter W3><post P2>\b(?!meridia)<M><E><R><I><D><I><A>\b/i | |
1689 | describe FUZZY_MERIDIA Obfuscation of the word "meridia" | |
1690 | endif | |
1691 | ##} FUZZY_MERIDIA ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1692 | ||
1693 | ##{ FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1694 | ||
1695 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1696 | body FUZZY_MICROSOFT /(?=<M>)(?!microsoft)<M><I><C><R><O><S><O><F><T>/i | |
1697 | describe FUZZY_MICROSOFT Obfuscated "microsoft" | |
1698 | tflags FUZZY_MICROSOFT publish | |
1699 | endif | |
1700 | ##} FUZZY_MICROSOFT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1701 | ||
1702 | ##{ FUZZY_MONERO | |
1703 | ||
1704 | meta FUZZY_MONERO __FUZZY_MONERO | |
1705 | describe FUZZY_MONERO Obfuscated "Monero" | |
1706 | tflags FUZZY_MONERO publish | |
1707 | ##} FUZZY_MONERO | |
1708 | ||
1709 | ##{ FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1710 | ||
1711 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1712 | body FUZZY_NORTON /(?:^|\W)(?=<N>)(?!norton)<N><O><R><T><O><N>(?:$|\W)/i | |
1713 | describe FUZZY_NORTON Obfuscated "norton" | |
1714 | tflags FUZZY_NORTON publish | |
1715 | endif | |
1716 | ##} FUZZY_NORTON ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1717 | ||
1718 | ##{ FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1719 | ||
1720 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1721 | body FUZZY_OVERSTOCK /(?:^|\W)(?=<O>)(?!over[-\s]?stock)<O><V><E><R>[-\s]?<S><T><O><C><K>(?:$|\W)/i | |
1722 | describe FUZZY_OVERSTOCK Obfuscated "overstock" | |
1723 | tflags FUZZY_OVERSTOCK publish | |
1724 | endif | |
1725 | ##} FUZZY_OVERSTOCK ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1726 | ||
1727 | ##{ FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1728 | ||
# ReplaceTags rule for disguised spellings of the brand name. (?:^|\W) and (?:$|\W) require the
# word to stand alone; (?!pay[-\s]?pal) rejects the plain spelling (with or without a hyphen or
# space), so ordinary mentions of the brand do not hit.
# NOTE(review): the tag definitions and the replace_rules line that enables expansion for this
# rule are not in this excerpt.
1729 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1730 | body FUZZY_PAYPAL /(?:^|\W)(?=<P>)(?!pay[-\s]?pal)<P><A><Y>[-\s]?<P><A><L>(?:$|\W)/i | |
1731 | describe FUZZY_PAYPAL Obfuscated "paypal" | |
1732 | tflags FUZZY_PAYPAL publish | |
1733 | endif | |
1734 | ##} FUZZY_PAYPAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1735 | ||
1736 | ##{ FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1737 | ||
1738 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1739 | meta FUZZY_PORN __FUZZY_PORN && !( __ENV_AND_HDR_FROM_MATCH && __SENDER_BOT ) | |
1740 | describe FUZZY_PORN Obfuscated "Pornography" or "Pornographic" | |
1741 | tflags FUZZY_PORN publish | |
1742 | endif | |
1743 | ##} FUZZY_PORN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1744 | ||
1745 | ##{ FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1746 | ||
1747 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1748 | body FUZZY_PRIVACY /(?=<P>)(?!privacy)<P><R><I><V><A><C><Y>/i | |
1749 | describe FUZZY_PRIVACY Obfuscated "privacy" | |
1750 | tflags FUZZY_PRIVACY publish | |
1751 | endif | |
1752 | ##} FUZZY_PRIVACY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1753 | ||
1754 | ##{ FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1755 | ||
1756 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1757 | body FUZZY_PROMOTION /(?=<P>)(?!promotion)<P><R><O><M><O><T><I><O><N>/i | |
1758 | describe FUZZY_PROMOTION Obfuscated "promotion" | |
1759 | tflags FUZZY_PROMOTION publish | |
1760 | endif | |
1761 | ##} FUZZY_PROMOTION ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1762 | ||
1763 | ##{ FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1764 | ||
1765 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1766 | body FUZZY_SAVINGS /(?=<S>)(?!savings)<S><A><V><I><N><G><S>/i | |
1767 | describe FUZZY_SAVINGS Obfuscated "savings" | |
1768 | tflags FUZZY_SAVINGS publish | |
1769 | endif | |
1770 | ##} FUZZY_SAVINGS ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1771 | ||
1772 | ##{ FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1773 | ||
# ReplaceTags rule covering disguised forms of "security" and "seguridad" (the <C>|<G> and
# <T><Y>|<D><A><D> alternatives). Three lookaheads reject the plain spellings: English
# "security", Spanish "seguridad", and French with the accented letters given as UTF-8 bytes
# (\xc3\xa9 is the encoding of e-acute).
# NOTE(review): the tag definitions and the replace_rules line that enables expansion for this
# rule are not in this excerpt.
1774 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1775 | body FUZZY_SECURITY /(?=<S>)(?!security)(?!seguridad)(?!s\xc3\xa9curit\xc3\xa9)<S><E>(?:<C>|<G>)<U><R><I>(?:<T><Y>|<D><A><D>)/i | |
1776 | describe FUZZY_SECURITY Obfuscated "security" | |
1777 | tflags FUZZY_SECURITY publish | |
1778 | endif | |
1779 | ##} FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1780 | ||
1781 | ##{ FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1782 | ||
1783 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1784 | body FUZZY_UNSUBSCRIBE /(?=<U>)(?!unsubscribe)<U><N><S><U><B><S><C><R><I><B><E>/i | |
1785 | describe FUZZY_UNSUBSCRIBE Obfuscated "unsubscribe" | |
1786 | tflags FUZZY_UNSUBSCRIBE publish | |
1787 | endif | |
1788 | ##} FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1789 | ||
1790 | ##{ FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1791 | ||
1792 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1793 | body FUZZY_WALLET /(?=<W>)(?!wallet)<W><A><L><L><E><T>/i | |
1794 | describe FUZZY_WALLET Obfuscated "Wallet" | |
1795 | tflags FUZZY_WALLET publish | |
1796 | endif | |
1797 | ##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
1798 | ||
1799 | ##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1800 | ||
1801 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1802 | meta GAPPY_SALES_LEADS_FREEM __GAPPY_SALES_LEADS_MANY && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) | |
1803 | describe GAPPY_SALES_LEADS_FREEM Obfuscated marketing text, freemail or CHN replyto | |
1804 | # score GAPPY_SALES_LEADS_FREEM 3.500 # limit | |
1805 | tflags GAPPY_SALES_LEADS_FREEM publish | |
1806 | endif | |
1807 | ##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
1808 | ||
dfdd1e08 SI |
1809 | ##{ GB_BITCOIN_NH |
1810 | ||
1811 | meta GB_BITCOIN_NH ( __BITCOIN_ID && !__URL_BTC_ID && ( __NEVER_HEAR_EN || __NEVER_HEAR_IT ) ) | |
1812 | describe GB_BITCOIN_NH Localized Bitcoin scam | |
1813 | #score GB_BITCOIN_NH 3.0 # limit | |
1814 | ##} GB_BITCOIN_NH | |
1815 | ||
1816 | ##{ GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) | |
1817 | ||
1818 | if (version >= 4.000000) | |
1819 | if can(Mail::SpamAssassin::Conf::feature_capture_rules) | |
1820 | meta GB_CUSTOM_HTM_URI ( __GB_CUSTOM_HTM_URI0 || __GB_CUSTOM_HTM_URI1 || __GB_CUSTOM_HTM_URI2 || __GB_DRUPAL_URI ) | |
1821 | describe GB_CUSTOM_HTM_URI Custom html uri | |
1822 | # score GB_CUSTOM_HTM_URI 1.500 # limit | |
1823 | tflags GB_CUSTOM_HTM_URI publish | |
1824 | endif | |
1825 | endif | |
1826 | ##} GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) | |
1827 | ||
b780ea8d SI |
1828 | ##{ GB_FAKE_RF_SHORT |
1829 | ||
dfdd1e08 | 1830 | meta GB_FAKE_RF_SHORT ( ! __THREADED && __GB_FAKE_RF && __URL_SHORTENER ) |
b780ea8d SI |
1831 | describe GB_FAKE_RF_SHORT Fake reply or forward with url shortener |
1832 | #score GB_FAKE_RF_SHORT 2.000 # limit | |
1833 | tflags GB_FAKE_RF_SHORT publish | |
1834 | ##} GB_FAKE_RF_SHORT | |
1835 | ||
1836 | ##{ GB_FORGED_MUA_POSTFIX | |
1837 | ||
1838 | meta GB_FORGED_MUA_POSTFIX ( __FORGED_MUA_POSTFIX0 || __FORGED_MUA_POSTFIX1 ) | |
1839 | describe GB_FORGED_MUA_POSTFIX Forged Postfix mua headers | |
1840 | tflags GB_FORGED_MUA_POSTFIX publish | |
1841 | #score GB_FORGED_MUA_POSTFIX 2.0 # limit | |
1842 | ##} GB_FORGED_MUA_POSTFIX | |
1843 | ||
1844 | ##{ GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1845 | ||
1846 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1847 | meta GB_FREEMAIL_DISPTO ( __FREEMAIL_DISPTO && !__freemail_safe ) | |
1848 | describe GB_FREEMAIL_DISPTO Disposition-Notification-To/From or Disposition-Notification-To/body contain different freemails | |
1849 | # score GB_FREEMAIL_DISPTO 0.50 # limit | |
1850 | tflags GB_FREEMAIL_DISPTO publish | |
1851 | endif | |
1852 | ##} GB_FREEMAIL_DISPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1853 | ||
1854 | ##{ GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1855 | ||
1856 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1857 | meta GB_FREEMAIL_DISPTO_NOTFREEM ( __FREEMAIL_DISPTO && !__freemail_safe && !FREEMAIL_FROM ) | |
1858 | describe GB_FREEMAIL_DISPTO_NOTFREEM Disposition-Notification-To/From contain different freemails but mailfrom is not a freemail | |
1859 | # score GB_FREEMAIL_DISPTO_NOTFREEM 0.50 # limit | |
1860 | tflags GB_FREEMAIL_DISPTO_NOTFREEM publish | |
1861 | endif | |
1862 | ##} GB_FREEMAIL_DISPTO_NOTFREEM ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
1863 | ||
1864 | ##{ GB_GOOGLE_OBFUR | |
1865 | ||
# Matches a Google search-result redirect URL whose url= parameter carries another http(s) URL:
# https://www.google.<tld>/url?sa=t&rct=j&q=&esrc=s&source=web&cd=<digits>&...url=<target>.
# The pattern is case-sensitive and anchored at the start of the URI.
# NOTE(review): google\.([a-z]{2,3})\/ expects a single 2-3 letter label right before "/url", so
# hosts with a two-label suffix are outside this rule's coverage; confirm whether that is intended.
1866 | uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.([a-z]{2,3})\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=([0-9])*\&(cad=rja\&uact=([0-9]+)\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(&usg=.{1,50})?/ | |
1867 | describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect | |
1868 | #score GB_GOOGLE_OBFUR 0.75 # limit | |
1869 | tflags GB_GOOGLE_OBFUR publish | |
1870 | ##} GB_GOOGLE_OBFUR | |
1871 | ||
fc5290a3 SI |
1872 | ##{ GB_GOOGLE_TRANSL |
1873 | ||
# Matches URLs on a *.translate.goog host whose name contains "-ipfs-" or "-xn--" after 10-64
# leading characters, followed by a four-character first path segment.
# NOTE(review): unlike GB_GOOGLE_OBFUR this block has no tflags line; the score is commented out.
1874 | uri GB_GOOGLE_TRANSL /^https?:\/\/.{10,64}\-(ipfs|xn\-)\-.{2,20}\.translate\.goog\/.{4}\// | |
1875 | describe GB_GOOGLE_TRANSL Obfuscate url through Google Translate | |
1876 | #score GB_GOOGLE_TRANSL 0.75 # limit | |
1877 | ##} GB_GOOGLE_TRANSL | |
1878 | ||
dfdd1e08 SI |
1879 | ##{ GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL |
1880 | ||
# Network rule: strings in the body that look like Bitcoin addresses are looked up in the
# bl.btcblack.it zone through the HashBL plugin (SpamAssassin >= 3.4.3).
# The capture matches two shapes: '1' or '3' followed by 25-34 characters from an alphabet that
# leaves out 0, O, I and l, or "bc1" followed by 30-62 lowercase letters/digits; (?<!=) skips a
# candidate that directly follows '='.
# NOTE(review): 'raw/max=10/shuffle' is the plugin option string; it presumably caps lookups per
# message at 10 and randomises which candidates are queried, and 'raw' presumably sends the match
# unhashed. Confirm against the HashBL documentation.
# NOTE(review): every lookup is a DNS query to a third-party zone, so data derived from message
# bodies leaves the local network; sites with strict data-handling rules should review this, and
# a resolver failure means the rule simply does not hit.
1881 | if (version >= 3.004003) | |
1882 | ifplugin Mail::SpamAssassin::Plugin::HashBL | |
1883 | body GB_HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b(?<!=)([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,62})\b') | |
1884 | tflags GB_HASHBL_BTC net publish | |
1885 | describe GB_HASHBL_BTC Message contains BTC address found on BTCBL | |
1886 | # score GB_HASHBL_BTC 5.0 # limit | |
1887 | endif | |
1888 | endif | |
1889 | ##} GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL | |
1890 | ||
b780ea8d SI |
1891 | ##{ GEO_QUERY_STRING |
1892 | ||
1893 | uri GEO_QUERY_STRING /^http:\/\/(?:\w{2,4}\.)?geocities\.com(?::\d*)?\/.+?\/\?/i | |
1894 | ##} GEO_QUERY_STRING | |
1895 | ||
1896 | ##{ GOOGLE_DOCS_PHISH | |
1897 | ||
1898 | meta GOOGLE_DOCS_PHISH (__GOOGLE_DOCS_PHISH_1 || __GOOGLE_DOCS_PHISH_2) | |
1899 | describe GOOGLE_DOCS_PHISH Possible phishing via a Google Docs form | |
1900 | #score GOOGLE_DOCS_PHISH 3.00 # limit | |
1901 | tflags GOOGLE_DOCS_PHISH publish | |
1902 | ##} GOOGLE_DOCS_PHISH | |
1903 | ||
1904 | ##{ GOOGLE_DOCS_PHISH_MANY | |
1905 | ||
1906 | meta GOOGLE_DOCS_PHISH_MANY __URI_GOOGLE_DOC && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY) | |
1907 | describe GOOGLE_DOCS_PHISH_MANY Phishing via a Google Docs form | |
1908 | #score GOOGLE_DOCS_PHISH_MANY 4.00 # limit | |
1909 | tflags GOOGLE_DOCS_PHISH_MANY publish | |
1910 | ##} GOOGLE_DOCS_PHISH_MANY | |
1911 | ||
1912 | ##{ GOOGLE_DOC_SUSP | |
1913 | ||
# Hits on __GOOGLE_DOC_SUSP unless the stronger GOOGLE_DOCS_PHISH_MANY already fired or one of the
# listed exclusion subrules (mailing-list, remailer, VERP, threading, survey, tracking-image
# indicators, judging by their names) is present.
# NOTE(review): !__RCD_RDNS_SMTP appears twice in the expression. The repeat is harmless, but it
# may stand in for a different subrule (FSL_BULK_SIG in this file pairs __RCD_RDNS_SMTP with
# __RCD_RDNS_SMTP_MESSY); check upstream.
1914 | meta GOOGLE_DOC_SUSP __GOOGLE_DOC_SUSP && !GOOGLE_DOCS_PHISH_MANY && !__HAS_SENDER && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__USING_VERP1 && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_SMTP && ! __HAS_LIST_ID && !__SURVEY && !__BUGGED_IMG | |
1915 | describe GOOGLE_DOC_SUSP Suspicious use of Google Docs | |
1916 | #score GOOGLE_DOC_SUSP 3.000 # limit | |
1917 | tflags GOOGLE_DOC_SUSP publish | |
1918 | ##} GOOGLE_DOC_SUSP | |
1919 | ||
1920 | ##{ GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1921 | ||
1922 | if (version >= 3.004002) | |
1923 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1924 | meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD | |
1925 | tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish | |
1926 | describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD | |
1927 | #score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit | |
1928 | endif | |
1929 | endif | |
1930 | ##} GOOGLE_DRIVE_REPLY_BAD_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
1931 | ||
1932 | ##{ GOOG_MALWARE_DNLD | |
1933 | ||
1934 | meta GOOG_MALWARE_DNLD __GOOG_MALWARE_DNLD | |
1935 | describe GOOG_MALWARE_DNLD File download via Google - Malware? | |
1936 | #score GOOG_MALWARE_DNLD 5.000 # limit | |
1937 | tflags GOOG_MALWARE_DNLD publish | |
1938 | ##} GOOG_MALWARE_DNLD | |
1939 | ||
1940 | ##{ GOOG_REDIR_DOCUSIGN | |
1941 | ||
# Matches a www.google.com/url redirect whose q= parameter points at www.docusign.com, i.e. a
# DocuSign link reached through Google instead of directly. The pattern uses ';' as the regex
# delimiter (m;...;i) so the slashes in the URL need no escaping; matching is case-insensitive.
# No score line is present in this block.
1942 | uri GOOG_REDIR_DOCUSIGN m;://www\.google\.com/url\?.*q=https?://www\.docusign\.com/;i | |
1943 | describe GOOG_REDIR_DOCUSIGN Indirect docusign link, probable phishing | |
1944 | tflags GOOG_REDIR_DOCUSIGN publish | |
1945 | ##} GOOG_REDIR_DOCUSIGN | |
1946 | ||
21dcadbf SI |
1947 | ##{ GOOG_REDIR_HTML_ONLY |
1948 | ||
1949 | meta GOOG_REDIR_HTML_ONLY (__GOOG_REDIR && MIME_HTML_ONLY) && !RDNS_NONE && !__LCL__KAM_BODY_LENGTH_LT_512 | |
1950 | describe GOOG_REDIR_HTML_ONLY Google redirect to obscure spamvertised website + HTML only | |
1951 | #score GOOG_REDIR_HTML_ONLY 2.000 # limit | |
1952 | ##} GOOG_REDIR_HTML_ONLY | |
1953 | ||
b780ea8d SI |
1954 | ##{ GOOG_REDIR_NORDNS |
1955 | ||
1956 | meta GOOG_REDIR_NORDNS __GOOG_REDIR && RDNS_NONE | |
1957 | describe GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website + no rDNS | |
1958 | ##} GOOG_REDIR_NORDNS | |
1959 | ||
1960 | ##{ GOOG_REDIR_SHORT | |
1961 | ||
1962 | meta GOOG_REDIR_SHORT __GOOG_REDIR && __LCL__KAM_BODY_LENGTH_LT_512 | |
1963 | describe GOOG_REDIR_SHORT Google redirect to obscure spamvertised website + short message | |
1964 | tflags GOOG_REDIR_SHORT publish | |
1965 | ##} GOOG_REDIR_SHORT | |
1966 | ||
46cfc9e2 SI |
1967 | ##{ GOOG_STO_EMAIL_PHISH |
1968 | ||
1969 | meta GOOG_STO_EMAIL_PHISH __URI_GOOG_STO_EMAIL && (__PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ || __FROM_ADMIN || __VERIFY_ACCOUNT) | |
1970 | describe GOOG_STO_EMAIL_PHISH Possible phishing with google hosted content URI having email address | |
1971 | #score GOOG_STO_EMAIL_PHISH 3.00 # limit | |
1972 | tflags GOOG_STO_EMAIL_PHISH publish | |
1973 | ##} GOOG_STO_EMAIL_PHISH | |
1974 | ||
b780ea8d SI |
1975 | ##{ GOOG_STO_HTML_PHISH |
1976 | ||
1977 | meta GOOG_STO_HTML_PHISH __GOOG_STO_HTML_PHISH | |
1978 | describe GOOG_STO_HTML_PHISH Possible phishing with google content hosting to avoid URIBL | |
1979 | #score GOOG_STO_HTML_PHISH 3.00 # limit | |
1980 | tflags GOOG_STO_HTML_PHISH publish | |
1981 | ##} GOOG_STO_HTML_PHISH | |
1982 | ||
1983 | ##{ GOOG_STO_HTML_PHISH_MANY | |
1984 | ||
1985 | meta GOOG_STO_HTML_PHISH_MANY __URI_GOOG_STO_HTML && (__EMAIL_PHISH_MANY || __ACCT_PHISH_MANY) | |
1986 | describe GOOG_STO_HTML_PHISH_MANY Phishing with google content hosting to avoid URIBL | |
1987 | #score GOOG_STO_HTML_PHISH_MANY 4.00 # limit | |
1988 | tflags GOOG_STO_HTML_PHISH_MANY publish | |
1989 | ##} GOOG_STO_HTML_PHISH_MANY | |
1990 | ||
1991 | ##{ GOOG_STO_IMG_HTML | |
1992 | ||
1993 | meta GOOG_STO_IMG_HTML __GOOG_STO_IMG_HTML_1 && !URI_GOOG_STO_SPAMMY | |
1994 | describe GOOG_STO_IMG_HTML Apparently using google content hosting to avoid URIBL | |
1995 | #score GOOG_STO_IMG_HTML 3.000 # limit | |
1996 | tflags GOOG_STO_IMG_HTML publish | |
1997 | ##} GOOG_STO_IMG_HTML | |
1998 | ||
1999 | ##{ GOOG_STO_IMG_NOHTML | |
2000 | ||
2001 | meta GOOG_STO_IMG_NOHTML __GOOG_STO_IMG_NOHTML && (__RDNS_NONE || HTML_TEXT_INVISIBLE_STYLE || THIS_AD || __SUBJECT_ENCODED_B64 || __LOTTO_ADMITS || __REPTO_QUOTE) && !__USING_VERP1 && !__HAS_ERRORS_TO && !__RCD_RDNS_MTA_MESSY && !__LYRIS_EZLM_REMAILER && !__HAS_CID && !URI_GOOG_STO_SPAMMY | |
2002 | describe GOOG_STO_IMG_NOHTML Apparently using google content hosting to avoid URIBL | |
2003 | #score GOOG_STO_IMG_NOHTML 2.500 # limit | |
2004 | tflags GOOG_STO_IMG_NOHTML publish | |
2005 | ##} GOOG_STO_IMG_NOHTML | |
2006 | ||
2007 | ##{ GOOG_STO_NOIMG_HTML | |
2008 | ||
2009 | meta GOOG_STO_NOIMG_HTML __GOOG_STO_NOIMG_HTML && !URI_GOOG_STO_SPAMMY | |
2010 | describe GOOG_STO_NOIMG_HTML Apparently using google content hosting to avoid URIBL | |
2011 | #score GOOG_STO_NOIMG_HTML 3.000 # limit | |
2012 | tflags GOOG_STO_NOIMG_HTML publish | |
2013 | ##} GOOG_STO_NOIMG_HTML | |
2014 | ||
2015 | ##{ HAS_X_NO_RELAY | |
2016 | ||
2017 | meta HAS_X_NO_RELAY __HAS_X_NO_RELAY && !__TO_EQ_FROM_1 | |
2018 | describe HAS_X_NO_RELAY Has spammy header | |
2019 | #score HAS_X_NO_RELAY 2.500 # limit | |
2020 | tflags HAS_X_NO_RELAY publish | |
2021 | ##} HAS_X_NO_RELAY | |
2022 | ||
2023 | ##{ HAS_X_OUTGOING_SPAM_STAT | |
2024 | ||
# Flags mail carrying a header that claims an outbound spam scan was done
# (__HAS_X_OUTGOING_SPAM_STAT, presumably a header-presence test; confirm).
# As the describe text says, the claim is made by the sending side and is not
# checked by this rule, so it is treated as a spam sign rather than a
# clean bill of health.
# The "!" terms exempt list traffic, auto-replies, threaded replies and
# messages with DOC/PDF attachments, going by the subrule names.
46cfc9e2 | 2025 | meta HAS_X_OUTGOING_SPAM_STAT __HAS_X_OUTGOING_SPAM_STAT && !MAILING_LIST_MULTI && !__HAS_X_MAILMAN_VERSION && !__AUTOREPLY_ASU && !__THREAD_INDEX_GOOD && !__HAS_X_LOOP && !__DOC_ATTACH && !__PDF_ATTACH && !__FROM_EQ_ORG_1 && !__HAS_IN_REPLY_TO |
b780ea8d | 2026 | describe HAS_X_OUTGOING_SPAM_STAT Has header claiming outbound spam scan - why trust the results? |
46cfc9e2 | 2027 | #score HAS_X_OUTGOING_SPAM_STAT 2.000 # limit |
b780ea8d SI |
2028 | tflags HAS_X_OUTGOING_SPAM_STAT publish |
2029 | ##} HAS_X_OUTGOING_SPAM_STAT | |
2030 | ||
b780ea8d SI |
2031 | ##{ HDRS_MISSP |
2032 | ||
2033 | meta HDRS_MISSP __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY) | |
2034 | describe HDRS_MISSP Misspaced headers | |
2035 | #score HDRS_MISSP 2.500 # limit | |
2036 | tflags HDRS_MISSP publish | |
2037 | ##} HDRS_MISSP | |
2038 | ||
2039 | ##{ HDR_ORDER_FTSDMCXX_001C | |
2040 | ||
2041 | meta HDR_ORDER_FTSDMCXX_001C (__HDR_ORDER_FTSDMCXXXX && __MID_START_001C) | |
2042 | describe HDR_ORDER_FTSDMCXX_001C Header order similar to spam (FTSDMCXX/MID variant) | |
2043 | ##} HDR_ORDER_FTSDMCXX_001C | |
2044 | ||
2045 | ##{ HDR_ORDER_FTSDMCXX_BAT | |
2046 | ||
2047 | meta HDR_ORDER_FTSDMCXX_BAT (__HDR_ORDER_FTSDMCXXXX && __BAT_BOUNDARY) | |
2048 | describe HDR_ORDER_FTSDMCXX_BAT Header order similar to spam (FTSDMCXX/boundary variant) | |
2049 | ##} HDR_ORDER_FTSDMCXX_BAT | |
2050 | ||
2051 | ##{ HDR_ORDER_FTSDMCXX_DIRECT | |
2052 | ||
2053 | meta HDR_ORDER_FTSDMCXX_DIRECT (__HDR_ORDER_FTSDMCXXXX && __DOS_SINGLE_EXT_RELAY) && !ALL_TRUSTED && !__VIA_ML | |
2054 | describe HDR_ORDER_FTSDMCXX_DIRECT Header order similar to spam (FTSDMCXX/boundary variant) + direct-to-MX | |
2055 | #score HDR_ORDER_FTSDMCXX_DIRECT 2.000 # limit | |
2056 | tflags HDR_ORDER_FTSDMCXX_DIRECT publish | |
2057 | ##} HDR_ORDER_FTSDMCXX_DIRECT | |
2058 | ||
2059 | ##{ HDR_ORDER_FTSDMCXX_NORDNS | |
2060 | ||
2061 | meta HDR_ORDER_FTSDMCXX_NORDNS (__HDR_ORDER_FTSDMCXXXX && __RDNS_NONE) && !ALL_TRUSTED | |
2062 | describe HDR_ORDER_FTSDMCXX_NORDNS Header order similar to spam (FTSDMCXX/boundary variant) + no rDNS | |
2063 | #score HDR_ORDER_FTSDMCXX_NORDNS 3.500 # limit | |
2064 | tflags HDR_ORDER_FTSDMCXX_NORDNS publish | |
2065 | ##} HDR_ORDER_FTSDMCXX_NORDNS | |
2066 | ||
2067 | ##{ HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
2068 | ||
# Only defined when the HeaderEval plugin is loaded; without it the rule
# does not exist.
# Fires when the number of Subject headers is in the range 2..999
# (presumably inclusive; confirm against the plugin documentation).
# NOTE(review): no score or tflags line is present for this rule in this file.
# Duplicate headers matter because different components may pick different
# instances of the header; confirm how your MUA and gateway handle that.
2069 | ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
2070 | header HEADER_COUNT_SUBJECT eval:check_header_count_range('Subject','2','999') | |
2071 | describe HEADER_COUNT_SUBJECT Multiple Subject headers found | |
2072 | endif | |
2073 | ##} HEADER_COUNT_SUBJECT ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
2074 | ||
2075 | ##{ HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) | |
2076 | ||
# Defined only when both the FreeMail and HeaderEval plugins are loaded and
# the SpamAssassin version is at least 3.004000 (three nested conditionals).
# Per the describe text, the rule compares the second-level mail domains of
# the From header and the envelope sender and fires when they differ.
# The commented-out score is small (0.25). A domain mismatch is also normal
# for mailing lists and third-party senders, so presumably this is meant as a
# weak signal to combine with others rather than a verdict on its own.
2077 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2078 | ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
2079 | if (version >= 3.004000) | |
2080 | header HEADER_FROM_DIFFERENT_DOMAINS eval:check_equal_from_domains() | |
2081 | describe HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different | |
2082 | # score HEADER_FROM_DIFFERENT_DOMAINS 0.25 | |
2083 | tflags HEADER_FROM_DIFFERENT_DOMAINS publish | |
2084 | endif | |
2085 | endif | |
2086 | endif | |
2087 | ##} HEADER_FROM_DIFFERENT_DOMAINS ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::HeaderEval if (version >= 3.004000) | |
2088 | ||
2089 | ##{ HELO_FRIEND | |
2090 | ||
# The HELO_* header rules below share the prefix /^[^\]]+ helo=.../ applied to
# X-Spam-Relays-External. The pattern is anchored at the start and [^\]]+
# cannot cross a "]", so the helo= token is only looked for before the first
# "]" in that header. Presumably that is the first relay entry, i.e. the host
# that handed the message to the trusted network; which relay that is depends
# on trusted_networks / internal_networks being set correctly. TODO confirm.
# The HELO string is supplied by the connecting client. The trailing space in
# each pattern requires the token to end there, so "helo=localhost " does not
# match "localhost.localdomain" (HELO_LH_LD covers that case).
2091 | header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i | |
2092 | ##} HELO_FRIEND | |
2093 | ||
b780ea8d SI |
2094 | ##{ HELO_LH_LD |
2095 | ||
2096 | header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i | |
2097 | ##} HELO_LH_LD | |
2098 | ||
2099 | ##{ HELO_LOCALHOST | |
2100 | ||
2101 | header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i | |
2102 | ##} HELO_LOCALHOST | |
2103 | ||
b780ea8d SI |
2104 | ##{ HELO_NO_DOMAIN |
2105 | ||
# Excludes HELO_LOCALHOST, so a bare "localhost" HELO is reported by that rule
# only and not by both.
2106 | meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST | |
2107 | describe HELO_NO_DOMAIN Relay reports its domain incorrectly | |
2108 | tflags HELO_NO_DOMAIN publish | |
2109 | ##} HELO_NO_DOMAIN | |
2110 | ||
2111 | ##{ HELO_OEM | |
2112 | ||
# Matches a HELO of exactly "pc", or any token starting with "oem"
# (oem\S* runs to the next whitespace), case-insensitively.
2113 | header HELO_OEM X-Spam-Relays-External =~ /^[^\]]+ helo=(?:pc|oem\S*) /i | |
2114 | ##} HELO_OEM | |
2115 | ||
2116 | ##{ HEXHASH_WORD | |
2117 | ||
2118 | meta HEXHASH_WORD (__HEXHASHWORD_S2EU > 1) && !ALL_TRUSTED && !__LYRIS_EZLM_REMAILER && !__MSGID_HEXISH && !__RDNS_SHORT && !__CTYPE_MULTIPART_MIXED && !__HAS_X_REF && !__HAS_IMG_SRC_ONECASE && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__HAS_SENDER | |
2119 | describe HEXHASH_WORD Multiple instances of word + hexadecimal hash | |
2120 | #score HEXHASH_WORD 3.000 # limit | |
2121 | tflags HEXHASH_WORD publish | |
2122 | ##} HEXHASH_WORD | |
2123 | ||
2124 | ##{ HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2125 | ||
2126 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2127 | mimeheader HK_CTE_RAW Content-Transfer-Encoding =~ /^raw$/ | |
2128 | #score HK_CTE_RAW 2 | |
2129 | tflags HK_CTE_RAW publish | |
2130 | endif | |
2131 | ##} HK_CTE_RAW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2132 | ||
2133 | ##{ HK_LOTTO | |
2134 | ||
2135 | meta HK_LOTTO __HK_LOTTO_2 || __HK_LOTTO_STAATS || __HK_LOTTO_BALLOT | |
2136 | #score HK_LOTTO 1 | |
2137 | ##} HK_LOTTO | |
2138 | ||
2139 | ##{ HK_NAME_DRUGS | |
2140 | ||
2141 | header HK_NAME_DRUGS From:name =~ /(viagra|\bcialis|cialis\b)/mi | |
2142 | describe HK_NAME_DRUGS From name contains drugs | |
2143 | #score HK_NAME_DRUGS 2 | |
2144 | ##} HK_NAME_DRUGS | |
2145 | ||
b780ea8d SI |
2146 | ##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) |
2147 | ||
2148 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2149 | if (version >= 3.004000) | |
2150 | meta HK_NAME_MR_MRS __HK_NAME_MR_MRS && !FREEMAIL_FROM | |
2151 | # score HK_NAME_MR_MRS 1.0 | |
2152 | endif | |
2153 | endif | |
2154 | ##} HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
2155 | ||
2156 | ##{ HK_RANDOM_ENVFROM | |
2157 | ||
# HK_RANDOM_ENVFROM, HK_RANDOM_FROM and HK_RANDOM_REPLYTO apply the same
# regular expression to EnvelopeFrom, From:addr and Reply-To:addr respectively.
# Structure of the shared pattern:
#   - A negative lookahead at the start exempts addresses that begin with
#     "mail" or "bounce" followed by _ . or -, local parts containing one of
#     + = ^ ~ # - or one of the listed letter sequences (mcgr, kpmg, ...),
#     addresses starting with 26 or more non-@ characters, and a fixed list
#     of domain labels (cmp-info, cmpgnr, cnn, tori, jysk, amadeus, amazon).
#   - After that, [^@]* keeps the match before the first "@", and one of the
#     following must occur there: five consecutive letters from the consonant
#     class, five consecutive vowels (y counted as a vowel), or a one- or
#     two-letter group repeated four times in a row.
# NOTE(review): this is a letter-pattern heuristic. The consonant class omits
# h and s, and the exemption list is hard-coded, so legitimate local parts
# outside those exemptions can still match. The commented-out score is 1.
46cfc9e2 | 2158 | header HK_RANDOM_ENVFROM EnvelopeFrom =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi |
b780ea8d SI |
2159 | describe HK_RANDOM_ENVFROM Envelope sender username looks random |
2160 | #score HK_RANDOM_ENVFROM 1 | |
2161 | tflags HK_RANDOM_ENVFROM publish | |
2162 | ##} HK_RANDOM_ENVFROM | |
2163 | ||
2164 | ##{ HK_RANDOM_FROM | |
2165 | ||
46cfc9e2 | 2166 | header HK_RANDOM_FROM From:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi |
b780ea8d SI |
2167 | describe HK_RANDOM_FROM From username looks random |
2168 | #score HK_RANDOM_FROM 1 | |
2169 | tflags HK_RANDOM_FROM publish | |
2170 | ##} HK_RANDOM_FROM | |
2171 | ||
2172 | ##{ HK_RANDOM_REPLYTO | |
2173 | ||
46cfc9e2 | 2174 | header HK_RANDOM_REPLYTO Reply-To:addr =~ /^(?!(?:mail|bounce)[_.-]|[^@]*(?:[+=^~\#-]|mcgr|kpmg|nlpbr|ndqv|lcgc|cplpr)|[^@]{26}|.*?\@.{0,20}\b(?:cmp-info|cmpgnr|cnn|tori|jysk|amadeus|amazon)\.[a-z]{2,3}$)[^@]*(?:[bcdfgjklmnpqrtvwxz]{5}|[aeiouy]{5}|([a-z]{1,2})(?:\1){3})/mi |
b780ea8d SI |
2175 | describe HK_RANDOM_REPLYTO Reply-To username looks random |
2176 | #score HK_RANDOM_REPLYTO 1 | |
2177 | tflags HK_RANDOM_REPLYTO publish | |
2178 | ##} HK_RANDOM_REPLYTO | |
2179 | ||
2180 | ##{ HK_RCVD_IP_MULTICAST | |
2181 | ||
# Matches an " ip=" field whose first octet is 224-239, i.e. the IPv4
# multicast block 224.0.0.0/4. The pattern is not anchored, so any relay entry
# in X-Spam-Relays-External can trigger it, not only the first.
# A multicast address cannot be the source of an SMTP connection, so a relay
# line carrying one is presumably forged or malformed.
# NOTE(review): only the IPv4 dotted form is covered by this pattern.
2182 | header HK_RCVD_IP_MULTICAST X-Spam-Relays-External =~ / ip=(?:22[4-9]|23[0-9])\./ | |
2183 | #score HK_RCVD_IP_MULTICAST 2 | |
2184 | tflags HK_RCVD_IP_MULTICAST publish | |
2185 | ##} HK_RCVD_IP_MULTICAST | |
2186 | ||
2187 | ##{ HK_SCAM | |
2188 | ||
2189 | meta HK_SCAM __HK_SCAM_N2 || __HK_SCAM_N3 || __HK_SCAM_N8 || __HK_SCAM_N15 || __HK_SCAM_N16 || __HK_SCAM_S1 || __HK_SCAM_S15 || __HK_SCAM_S25 | |
2190 | #score HK_SCAM 2 | |
2191 | tflags HK_SCAM publish | |
2192 | ##} HK_SCAM | |
2193 | ||
21dcadbf SI |
2194 | ##{ HK_WIN |
2195 | ||
2196 | meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2) | |
2197 | #score HK_WIN 1 | |
2198 | ##} HK_WIN | |
2199 | ||
b780ea8d SI |
2200 | ##{ HOSTED_IMG_DIRECT_MX |
2201 | ||
2202 | meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS | |
2203 | #score HOSTED_IMG_DIRECT_MX 3.500 # limit | |
46cfc9e2 | 2204 | describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm, CDN or hosting site, message direct-to-mx |
b780ea8d SI |
2205 | tflags HOSTED_IMG_DIRECT_MX publish |
2206 | ##} HOSTED_IMG_DIRECT_MX | |
2207 | ||
2208 | ##{ HOSTED_IMG_DQ_UNSUB | |
2209 | ||
2210 | meta HOSTED_IMG_DQ_UNSUB __HOSTED_IMG_DQ_UNSUB | |
2211 | #score HOSTED_IMG_DQ_UNSUB 3.500 # limit | |
2212 | describe HOSTED_IMG_DQ_UNSUB Image hosted at large ecomm site, IP addr unsub link | |
2213 | tflags HOSTED_IMG_DQ_UNSUB publish | |
2214 | ##} HOSTED_IMG_DQ_UNSUB | |
2215 | ||
2216 | ##{ HOSTED_IMG_FREEM | |
2217 | ||
2218 | meta HOSTED_IMG_FREEM __HOSTED_IMG_FREEM && !__THREADED | |
2219 | #score HOSTED_IMG_FREEM 3.500 # limit | |
46cfc9e2 | 2220 | describe HOSTED_IMG_FREEM Image hosted at large ecomm, CDN or hosting site or redirected, freemail from or reply-to |
b780ea8d SI |
2221 | tflags HOSTED_IMG_FREEM publish |
2222 | ##} HOSTED_IMG_FREEM | |
2223 | ||
2224 | ##{ HOSTED_IMG_MULTI | |
2225 | ||
2226 | meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS | |
2227 | #score HOSTED_IMG_MULTI 3.000 # limit | |
46cfc9e2 | 2228 | describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirected |
b780ea8d SI |
2229 | tflags HOSTED_IMG_MULTI publish |
2230 | ##} HOSTED_IMG_MULTI | |
2231 | ||
2232 | ##{ HOSTED_IMG_MULTI_PUB_01 | |
2233 | ||
31955ede | 2234 | meta HOSTED_IMG_MULTI_PUB_01 (__IMGUR_IMG_2 || __IMGUR_IMG_3) && !__DATE_LOWER && !__BOTH_INR_AND_REF && !__HAS_IN_REPLY_TO |
b780ea8d SI |
2235 | describe HOSTED_IMG_MULTI_PUB_01 Multiple hosted images at public site |
2236 | #score HOSTED_IMG_MULTI_PUB_01 3.000 # limit | |
2237 | tflags HOSTED_IMG_MULTI_PUB_01 publish | |
2238 | ##} HOSTED_IMG_MULTI_PUB_01 | |
2239 | ||
2240 | ##{ HTML_ENTITY_ASCII | |
2241 | ||
2242 | meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP | |
2243 | describe HTML_ENTITY_ASCII Obfuscated ASCII | |
2244 | #score HTML_ENTITY_ASCII 3.000 # limit | |
2245 | tflags HTML_ENTITY_ASCII publish | |
2246 | ##} HTML_ENTITY_ASCII | |
2247 | ||
2248 | ##{ HTML_ENTITY_ASCII_TINY | |
2249 | ||
31955ede | 2250 | meta HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII_TINY && !__HAS_IN_REPLY_TO |
b780ea8d SI |
2251 | describe HTML_ENTITY_ASCII_TINY Obfuscated ASCII + tiny fonts |
2252 | #score HTML_ENTITY_ASCII_TINY 3.000 # limit | |
2253 | tflags HTML_ENTITY_ASCII_TINY publish | |
2254 | ##} HTML_ENTITY_ASCII_TINY | |
2255 | ||
46cfc9e2 SI |
2256 | ##{ HTML_FONT_TINY_NORDNS |
2257 | ||
31955ede | 2258 | meta HTML_FONT_TINY_NORDNS __HTML_FONT_TINY_NORDNS && !__HAS_CID |
46cfc9e2 | 2259 | describe HTML_FONT_TINY_NORDNS Font too small to read, no rDNS |
31955ede | 2260 | #score HTML_FONT_TINY_NORDNS 2.000 # limit |
46cfc9e2 SI |
2261 | ##} HTML_FONT_TINY_NORDNS |
2262 | ||
b780ea8d SI |
2263 | ##{ HTML_OFF_PAGE |
2264 | ||
2265 | meta HTML_OFF_PAGE __HTML_OFF_PAGE && !__RP_MATCHES_RCVD && !__LONGLINE && !__DKIM_EXISTS | |
2266 | describe HTML_OFF_PAGE HTML element rendered well off the displayed page | |
2267 | #score HTML_OFF_PAGE 3.000 # limit | |
2268 | tflags HTML_OFF_PAGE publish | |
2269 | ##} HTML_OFF_PAGE | |
2270 | ||
2271 | ##{ HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2272 | ||
2273 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2274 | meta HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU_MANY | |
2275 | describe HTML_SHRT_CMNT_OBFU_MANY Obfuscation with many short HTML comments | |
2276 | # score HTML_SHRT_CMNT_OBFU_MANY 2.500 # limit | |
2277 | tflags HTML_SHRT_CMNT_OBFU_MANY publish | |
2278 | endif | |
2279 | ##} HTML_SHRT_CMNT_OBFU_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2280 | ||
2281 | ##{ HTML_SINGLET_MANY | |
2282 | ||
2283 | meta HTML_SINGLET_MANY __HTML_SINGLET_MANY && !__RCD_RDNS_MTA_MESSY && !__NOT_SPOOFED && !ALL_TRUSTED && !__USING_VERP1 && !__MIME_QP | |
2284 | describe HTML_SINGLET_MANY Many single-letter HTML format blocks | |
2285 | #score HTML_SINGLET_MANY 2.500 # limit | |
2286 | tflags HTML_SINGLET_MANY publish | |
2287 | ##} HTML_SINGLET_MANY | |
2288 | ||
2289 | ##{ HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2290 | ||
2291 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2292 | meta HTML_TEXT_INVISIBLE_FONT __FONT_INVIS_MANY && !__HAS_ERRORS_TO && !__URI_DOTGOV && !__LYRIS_EZLM_REMAILER && !__ML3 && !__THREADED && !__DKIMWL_WL_HI && !USER_IN_DEF_DKIM_WL && !__MOZILLA_MSGID | |
2293 | describe HTML_TEXT_INVISIBLE_FONT HTML hidden text - word obfuscation? | |
2294 | # score HTML_TEXT_INVISIBLE_FONT 2.000 # limit | |
2295 | tflags HTML_TEXT_INVISIBLE_FONT publish | |
2296 | endif | |
2297 | ##} HTML_TEXT_INVISIBLE_FONT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2298 | ||
2299 | ##{ HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2300 | ||
2301 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2302 | meta HTML_TEXT_INVISIBLE_STYLE __STY_INVIS_MANY && (__RDNS_NONE || __HDRS_LCASE || __UNSUB_EMAIL || __ADMITS_SPAM || __FROM_DOM_INFO || __HTML_TAG_BALANCE_CENTER || __MSGID_RANDY ) && !__RDNS_LONG && !__FROM_ENCODED_QP && !__HAS_THREAD_INDEX | |
2303 | describe HTML_TEXT_INVISIBLE_STYLE HTML hidden text + other spam signs | |
2304 | # score HTML_TEXT_INVISIBLE_STYLE 3.500 # limit | |
2305 | tflags HTML_TEXT_INVISIBLE_STYLE publish | |
2306 | endif | |
2307 | ##} HTML_TEXT_INVISIBLE_STYLE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2308 | ||
2309 | ##{ HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch | |
2310 | ||
# Only defined when the HTTPSMismatch plugin is loaded.
# Going by the rule and plugin names, the eval looks for links where the
# visible text and the actual target disagree on https vs http; the arguments
# '1' and '10' are presumably the minimum and maximum number of such links.
# TODO confirm both against the plugin documentation.
# NOTE(review): no describe, score or tflags line accompanies this rule in
# this file.
2311 | ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch | |
2312 | body HTTPS_HTTP_MISMATCH eval:check_https_http_mismatch('1','10') | |
2313 | endif | |
2314 | ##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch | |
2315 | ||
2316 | ##{ IMG_ONLY_FM_DOM_INFO | |
2317 | ||
2318 | meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO | |
2319 | describe IMG_ONLY_FM_DOM_INFO HTML image-only message from .info domain | |
2320 | #score IMG_ONLY_FM_DOM_INFO 2.500 # limit | |
2321 | tflags IMG_ONLY_FM_DOM_INFO publish | |
2322 | ##} IMG_ONLY_FM_DOM_INFO | |
2323 | ||
2324 | ##{ JH_SPAMMY_HEADERS | |
2325 | ||
2326 | meta JH_SPAMMY_HEADERS __HAS_COMPLAINT_TO || __HAS_TRACKING_CODE || __HAS_LOGID || __HAS_X_LETTER || __HAS_X_EBSERVER || __HAS_LIST_OPEN | |
2327 | describe JH_SPAMMY_HEADERS Has unusual message header(s) seen primarily in spam | |
2328 | #score JH_SPAMMY_HEADERS 3.500 # limit | |
2329 | tflags JH_SPAMMY_HEADERS publish | |
2330 | ##} JH_SPAMMY_HEADERS | |
2331 | ||
2332 | ##{ JH_SPAMMY_PATTERN01 | |
2333 | ||
# rawbody rule using ";" as the regex delimiter. It matches two <img> tags
# within 200 characters of each other that share the same base URL (group 1)
# and the same .jpg file name (group 2), the first prefixed with "C" and the
# second with "U".
# Every wildcard is bounded ({1,80}, {1,30}, {0,200}), which limits how far
# the match can scan through the raw body.
2334 | rawbody JH_SPAMMY_PATTERN01 m;<img src=['"](https?://[^'"]{1,80}/)C([^/.]{1,30}\.jpg)['"]>.{0,200}<img src="\1U\2";ism | |
2335 | describe JH_SPAMMY_PATTERN01 Unusual pattern seen in spam campaign | |
2336 | #score JH_SPAMMY_PATTERN01 3.000 # limit | |
2337 | tflags JH_SPAMMY_PATTERN01 publish | |
2338 | ##} JH_SPAMMY_PATTERN01 | |
2339 | ||
2340 | ##{ JH_SPAMMY_PATTERN02 | |
2341 | ||
# Matches an <img> whose src is a .php URL with "t=o" plus further parameters,
# followed by two links to the same script and parameters (back-references
# \1 and \2) with "t=c" and then "t=u". The letters presumably stand for
# open / click / unsubscribe tracking; that reading is not stated in the file.
# As above, every wildcard carries an upper bound.
2342 | rawbody JH_SPAMMY_PATTERN02 m;<img [^>]{0,50}src=['"](https?://[^"'\s]{1,80}\.php\?)t=o(\&[^"'\s]{1,50})["'][>\s].{0,200}<a href="\1t=c\2".{0,200}<a href="\1t=u\2";ism | |
2343 | describe JH_SPAMMY_PATTERN02 Unusual pattern seen in spam campaign | |
2344 | #score JH_SPAMMY_PATTERN02 3.000 # limit | |
2345 | tflags JH_SPAMMY_PATTERN02 publish | |
2346 | ##} JH_SPAMMY_PATTERN02 | |
2347 | ||
2348 | ##{ JM_I_FEEL_LUCKY | |
2349 | ||
# Matches any URI carrying the query parameter "btnI=ec" as a whole parameter:
# it must be preceded by "?" or "&" and followed by "&" or the end of the URI.
# The rule name suggests a search-engine "I'm Feeling Lucky" redirect, where
# the link shown in the mail is not the final destination; confirm.
# NOTE(review): the pattern does not constrain the host name, so the parameter
# on any site will match.
2350 | uri JM_I_FEEL_LUCKY /(?:\&|\?)btnI=ec(?:$|\&)/ | |
2351 | tflags JM_I_FEEL_LUCKY publish # low hitrate, but always a good sign | |
2352 | ##} JM_I_FEEL_LUCKY | |
2353 | ||
2354 | ##{ JM_RCVD_QMAILV1 | |
2355 | ||
2356 | header JM_RCVD_QMAILV1 Received =~ /by \S+ \(Qmailv1\) with ESMTP/ | |
2357 | ##} JM_RCVD_QMAILV1 | |
2358 | ||
2359 | ##{ JM_TORA_XM | |
2360 | ||
2361 | meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962 && __NAKED_TO) | |
2362 | ##} JM_TORA_XM | |
2363 | ||
2364 | ##{ KB_DATE_CONTAINS_TAB | |
2365 | ||
2366 | meta KB_DATE_CONTAINS_TAB __KB_DATE_CONTAINS_TAB && !__ML_TURNS_SP_TO_TAB | |
2367 | #score KB_DATE_CONTAINS_TAB 0.5 | |
2368 | ##} KB_DATE_CONTAINS_TAB | |
2369 | ||
2370 | ##{ KB_FAKED_THE_BAT | |
2371 | ||
2372 | meta KB_FAKED_THE_BAT (__THEBAT_MUA && KB_DATE_CONTAINS_TAB) | |
2373 | ##} KB_FAKED_THE_BAT | |
2374 | ||
2375 | ##{ KB_RATWARE_BOUNDARY | |
2376 | ||
2377 | meta KB_RATWARE_BOUNDARY __RATWARE_BOUND_A || __RATWARE_BOUND_B | |
2378 | ##} KB_RATWARE_BOUNDARY | |
2379 | ||
2380 | ##{ KB_RATWARE_MSGID | |
2381 | ||
2382 | meta KB_RATWARE_MSGID (__KB_MSGID_OUTLOOK_888 && __ANY_OUTLOOK_MUA) | |
2383 | ##} KB_RATWARE_MSGID | |
2384 | ||
2385 | ##{ KB_RATWARE_OUTLOOK_08 | |
2386 | ||
# The four KB_RATWARE_OUTLOOK_* rules run against ALL headers and correlate
# two values: hex groups captured from the Message-Id are required to reappear
# (back-references \1, \2) inside the "----=_NextPart_000_" MIME boundary that
# follows 100-400 characters later. /s lets "." span header lines and /m lets
# "^" match at the start of the Message-Id line.
# The variants differ in how many Message-Id hex digits must recur in the
# boundary: 8 (_08), 8+4 (_12), 8+8 (_16), and 8+8 with a closing quote and a
# third hex group before "@" (_MID).
# The trailing '# "' on the first three looks like a comment that closes the
# unbalanced double quote in the pattern, presumably for editor highlighting.
2387 | header KB_RATWARE_OUTLOOK_08 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi # " | |
2388 | ##} KB_RATWARE_OUTLOOK_08 | |
2389 | ||
2390 | ##{ KB_RATWARE_OUTLOOK_12 | |
2391 | ||
2392 | header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # " | |
2393 | ##} KB_RATWARE_OUTLOOK_12 | |
2394 | ||
2395 | ##{ KB_RATWARE_OUTLOOK_16 | |
2396 | ||
2397 | header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi # " | |
2398 | ##} KB_RATWARE_OUTLOOK_16 | |
2399 | ||
2400 | ##{ KB_RATWARE_OUTLOOK_MID | |
2401 | ||
2402 | header KB_RATWARE_OUTLOOK_MID ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi | |
2403 | ##} KB_RATWARE_OUTLOOK_MID | |
2404 | ||
b780ea8d SI |
2405 | ##{ KHOP_HELO_FCRDNS |
2406 | ||
2407 | meta KHOP_HELO_FCRDNS __HELO_NOT_RDNS && !(__VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || __NOT_SPOOFED || __RDNS_SHORT) | |
2408 | describe KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS | |
2409 | #score KHOP_HELO_FCRDNS 0.4 # 20090603 | |
2410 | ##} KHOP_HELO_FCRDNS | |
2411 | ||
46cfc9e2 SI |
2412 | ##{ LINKEDIN_IMG_NOT_RCVD_LNKN |
2413 | ||
2414 | meta LINKEDIN_IMG_NOT_RCVD_LNKN __LINKED_IMG_NOT_RCVD_LINK && !__LUNSUB_BEFORE_SUBJDT | |
2415 | #score LINKEDIN_IMG_NOT_RCVD_LNKN 2.500 # limit | |
2416 | describe LINKEDIN_IMG_NOT_RCVD_LNKN Linkedin hosted image but message not from Linkedin | |
2417 | tflags LINKEDIN_IMG_NOT_RCVD_LNKN publish | |
2418 | ##} LINKEDIN_IMG_NOT_RCVD_LNKN | |
2419 | ||
b780ea8d SI |
2420 | ##{ LIST_PRTL_PUMPDUMP |
2421 | ||
2422 | meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS | |
2423 | describe LIST_PRTL_PUMPDUMP Incomplete List-* headers and stock pump-and-dump | |
2424 | #score LIST_PRTL_PUMPDUMP 2.000 # limit | |
2425 | tflags LIST_PRTL_PUMPDUMP publish | |
2426 | ##} LIST_PRTL_PUMPDUMP | |
2427 | ||
2428 | ##{ LIST_PRTL_SAME_USER | |
2429 | ||
2430 | meta LIST_PRTL_SAME_USER __LIST_PRTL_SAME_USER && !__BUGGED_IMG && !__DKIM_EXISTS && !__RP_MATCHES_RCVD && !__HAS_ERRORS_TO | |
2431 | describe LIST_PRTL_SAME_USER Incomplete List-* headers and from+to user the same | |
2432 | #score LIST_PRTL_SAME_USER 3.000 # limit | |
2433 | tflags LIST_PRTL_SAME_USER publish | |
2434 | ##} LIST_PRTL_SAME_USER | |
2435 | ||
2436 | ##{ LIVEFILESTORE | |
2437 | ||
# uri rule using "~" as the regex delimiter; matches any URI containing
# "livefilestore", one character, then "com/".
# NOTE(review): the "." is not escaped, so it matches any character and not
# only a literal dot; the pattern is also unanchored and case-sensitive.
# The effect is a slightly broader match than the literal host name.
2438 | uri LIVEFILESTORE m~livefilestore.com/~ | |
2439 | ##} LIVEFILESTORE | |
2440 | ||
2441 | ##{ LONG_HEX_URI | |
2442 | ||
2443 | meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024 | |
2444 | describe LONG_HEX_URI Very long purely hexadecimal URI | |
2445 | #score LONG_HEX_URI 3.000 # limit | |
2446 | tflags LONG_HEX_URI publish | |
2447 | ##} LONG_HEX_URI | |
2448 | ||
2449 | ##{ LONG_IMG_URI | |
2450 | ||
2451 | meta LONG_IMG_URI __45_ALNUM_IMG && !ALL_TRUSTED && !__HAS_ERRORS_TO | |
2452 | describe LONG_IMG_URI Image URI with very long path component - web bug? | |
2453 | #score LONG_IMG_URI 3.000 # limit | |
2454 | tflags LONG_IMG_URI publish | |
2455 | ##} LONG_IMG_URI | |
2456 | ||
2457 | ##{ LONG_INVISIBLE_TEXT | |
2458 | ||
# LONG_INVISIBLE_TEXT is assembled from three sections: the describe/tflags
# lines here are unconditional, and the meta expression is supplied by one of
# the two mutually exclusive conditionals below, depending on whether
# Mail::SpamAssassin::Conf::feature_bug6558_free is available.
2459 | describe LONG_INVISIBLE_TEXT Long block of hidden text - bayes poison? | |
2460 | #score LONG_INVISIBLE_TEXT 3.000 # limit | |
2461 | tflags LONG_INVISIBLE_TEXT publish | |
2462 | ##} LONG_INVISIBLE_TEXT | |
2463 | ||
2464 | ##{ LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) | |
2465 | ||
# Without the feature, only the __LONG_INVIS_DIV subrule is used.
2466 | if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) | |
2467 | meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV | |
2468 | endif | |
2469 | ##} LONG_INVISIBLE_TEXT if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) | |
2470 | ||
2471 | ##{ LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2472 | ||
# With the feature, __LONG_STY_INVIS is accepted as an alternative trigger,
# guarded by a list of exemptions.
# NOTE(review): !__RCD_RDNS_MTA_MESSY and !__USING_VERP1 each appear twice in
# the exemption list. The repeats are redundant and do not change the result.
2473 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2474 | meta LONG_INVISIBLE_TEXT __LONG_INVIS_DIV || (__LONG_STY_INVIS && !__UNSUB_LINK && !__RCD_RDNS_MTA_MESSY && !__USING_VERP1 && !__RCD_RDNS_MTA && !__RCD_RDNS_MTA_MESSY && !__MIME_QP && !__HAS_X_MAILER && !__REPTO_QUOTE && !__USING_VERP1 ) | |
2475 | endif | |
2476 | ##} LONG_INVISIBLE_TEXT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2477 | ||
2478 | ##{ LONG_TERM_PRICE | |
2479 | ||
2480 | body LONG_TERM_PRICE /long\W+term\W+(target|projected)(\W+price)?/i | |
2481 | ##} LONG_TERM_PRICE | |
2482 | ||
2483 | ##{ LOOPHOLE_1 | |
2484 | ||
2485 | body LOOPHOLE_1 /loop-?hole in the banking/i | |
2486 | describe LOOPHOLE_1 A loop hole in the banking laws? | |
2487 | ##} LOOPHOLE_1 | |
2488 | ||
2489 | ##{ LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
2490 | ||
2491 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
2492 | meta LOTS_OF_MONEY 0 | |
2493 | endif | |
2494 | ##} LOTS_OF_MONEY if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
2495 | ||
2496 | ##{ LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
2497 | ||
2498 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
2499 | meta LOTS_OF_MONEY (__LOTSA_MONEY_00 || __LOTSA_MONEY_01 || __LOTSA_MONEY_02 || __LOTSA_MONEY_03 || __LOTSA_MONEY_04 || __LOTSA_MONEY_05) && !__TRAVEL_ITINERARY | |
2500 | describe LOTS_OF_MONEY Huge... sums of money | |
2501 | # score LOTS_OF_MONEY 0.01 | |
2502 | tflags LOTS_OF_MONEY publish | |
2503 | endif | |
2504 | ##} LOTS_OF_MONEY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
2505 | ||
2506 | ##{ LOTTERY_1 | |
2507 | ||
2508 | meta LOTTERY_1 (__DBLCLAIM && __CASHPRZ) | |
2509 | ##} LOTTERY_1 | |
2510 | ||
2511 | ##{ LOTTERY_PH_004470 | |
2512 | ||
2513 | meta LOTTERY_PH_004470 (__AFF_004470_NUMBER && __AFF_LOTTERY) | |
2514 | ##} LOTTERY_PH_004470 | |
2515 | ||
b780ea8d SI |
2516 | ##{ LUCRATIVE |
2517 | ||
2518 | meta LUCRATIVE ( __LUCRATIVE && __HELO_NO_DOMAIN ) && !ALL_TRUSTED | |
2519 | describe LUCRATIVE Make lots of money! | |
2520 | #score LUCRATIVE 2.00 # limit | |
2521 | tflags LUCRATIVE publish | |
2522 | ##} LUCRATIVE | |
2523 | ||
2524 | ##{ L_SPAM_TOOL_13 | |
2525 | ||
# Matches a Date header ending in a signed four-digit zone offset whose
# minutes-tens digit is 1, 2 or 4-9, i.e. minutes outside 00-09 and 30-39.
# The negative lookahead exempts offsets whose hour-units digit is 2, 3, 5 or
# 8 with minutes 45, presumably to spare real-world :45 time zones. TODO
# confirm that the exempted set is still complete.
2526 | header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/ | |
2527 | ##} L_SPAM_TOOL_13 | |
2528 | ||
b780ea8d SI |
2529 | ##{ MALF_HTML_B64 |
2530 | ||
2531 | meta MALF_HTML_B64 MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG | |
2532 | describe MALF_HTML_B64 Malformatted base64-encoded HTML content | |
2533 | #score MALF_HTML_B64 3.500 # limit | |
2534 | tflags MALF_HTML_B64 publish | |
2535 | ##} MALF_HTML_B64 | |
2536 | ||
2537 | ##{ MALWARE_NORDNS | |
2538 | ||
# MALWARE_NORDNS and MALWARE_PASSWORD both exclude BITCOIN_EXTORT_01 and
# MONERO_EXTORT_01, so a message already caught by one of the extortion rules
# does not also hit these.
# Going by the describe text, "malware bragging" means the message text claims
# a malware infection; the subrules that detect it are defined elsewhere.
2539 | meta MALWARE_NORDNS __MALWARE_NORDNS && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01 | |
2540 | describe MALWARE_NORDNS Malware bragging + no rDNS | |
2541 | #score MALWARE_NORDNS 3.500 # limit | |
2542 | tflags MALWARE_NORDNS publish | |
2543 | ##} MALWARE_NORDNS | |
2544 | ||
2545 | ##{ MALWARE_PASSWORD | |
2546 | ||
2547 | meta MALWARE_PASSWORD __MALWARE_PASSWORD && !BITCOIN_EXTORT_01 && !MONERO_EXTORT_01 | |
2548 | describe MALWARE_PASSWORD Malware bragging + "password" | |
2549 | #score MALWARE_PASSWORD 3.500 # limit | |
2550 | tflags MALWARE_PASSWORD publish | |
2551 | ##} MALWARE_PASSWORD | |
2552 | ||
2553 | ##{ MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2554 | ||
# Only defined when the MIMEHeader plugin is loaded; without it the rule does
# not exist and suspicious attachment names go unflagged by this file.
# The rule is suppressed for messages with a Thread-Index header
# (!__HAS_THREAD_INDEX).
# Per the describe text the signal is the attachment file name; nothing here
# shows the attachment content being inspected, so this presumably complements
# rather than replaces content scanning. TODO confirm.
# NOTE(review): no score line, commented or otherwise, is present in this file.
2555 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2556 | meta MALW_ATTACH __MALW_ATTACH && !__HAS_THREAD_INDEX | |
2557 | describe MALW_ATTACH Attachment filename suspicious, probable malware exploit | |
2558 | tflags MALW_ATTACH publish | |
2559 | endif | |
2560 | ##} MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2561 | ||
b780ea8d SI |
2562 | ##{ MANY_SPAN_IN_TEXT |
2563 | ||
2564 | meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML | |
2565 | describe MANY_SPAN_IN_TEXT Many <SPAN> tags embedded within text | |
2566 | tflags MANY_SPAN_IN_TEXT publish | |
2567 | ##} MANY_SPAN_IN_TEXT | |
2568 | ||
b780ea8d SI |
2569 | ##{ MID_DEGREES |
2570 | ||
2571 | header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/ | |
2572 | ##} MID_DEGREES | |
2573 | ||
2574 | ##{ MILLION_HUNDRED | |
2575 | ||
2576 | body MILLION_HUNDRED /Million\s+\S+\s+Hundred/i | |
2577 | describe MILLION_HUNDRED Million "One to Nine" Hundred | |
2578 | tflags MILLION_HUNDRED publish | |
2579 | ##} MILLION_HUNDRED | |
2580 | ||
dfdd1e08 SI |
2581 | ##{ MILLION_USD |
2582 | ||
2583 | body MILLION_USD /Million\b.{0,40}\b(?:United States? Dollars?|USD)/i | |
2584 | describe MILLION_USD Talks about millions of dollars | |
2585 | #score MILLION_USD 2 | |
2586 | ##} MILLION_USD | |
2587 | ||
b780ea8d SI |
2588 | ##{ MIMEOLE_DIRECT_TO_MX |
2589 | ||
2590 | meta MIMEOLE_DIRECT_TO_MX __MIMEOLE_DIRECT_TO_MX && !__ANY_IMAGE_ATTACH && !__DKIM_EXISTS | |
2591 | describe MIMEOLE_DIRECT_TO_MX MIMEOLE + direct-to-MX | |
2592 | #score MIMEOLE_DIRECT_TO_MX 2.000 # limit | |
2593 | tflags MIMEOLE_DIRECT_TO_MX publish | |
2594 | ##} MIMEOLE_DIRECT_TO_MX | |
2595 | ||
2596 | ##{ MIME_BOUND_EQ_REL | |
2597 | ||
2598 | header MIME_BOUND_EQ_REL Content-Type =~ /boundary="=====================_\d+==\.REL"/s | |
2599 | ##} MIME_BOUND_EQ_REL | |
2600 | ||
2601 | ##{ MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2602 | ||
2603 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2604 | meta MIME_NO_TEXT __MIME_NO_TEXT && !__BOUNCE_CTYPE && !__CT_ENCRYPTED && !ALL_TRUSTED && !__MSGID_APPLEMAIL && !__USER_AGENT_APPLEMAIL && !__HAS_IN_REPLY_TO && !__HAS_X_REF && !__HS_SUBJ_RE_FW && !__PDF_ATTACH && !__LCL__KAM_BODY_LENGTH_LT_128 | |
2605 | # score MIME_NO_TEXT 2.00 # limit | |
2606 | describe MIME_NO_TEXT No (properly identified) text body parts | |
2607 | tflags MIME_NO_TEXT publish | |
2608 | endif | |
2609 | ##} MIME_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2610 | ||
2611 | ##{ MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2612 | ||
2613 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2614 | meta MIME_PHP_NO_TEXT (MIME_NO_TEXT && __PHP_MUA) | |
2615 | describe MIME_PHP_NO_TEXT No text body parts, X-Mailer: PHP | |
2616 | endif | |
2617 | ##} MIME_PHP_NO_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2618 | ||
2619 | ##{ MIXED_AREA_CASE | |
2620 | ||
2621 | meta MIXED_AREA_CASE __MIXED_AREA_CASE | |
2622 | describe MIXED_AREA_CASE Has area tag in mixed case | |
2623 | #score MIXED_AREA_CASE 2.500 # limit | |
2624 | tflags MIXED_AREA_CASE publish | |
2625 | ##} MIXED_AREA_CASE | |
2626 | ||
2627 | ##{ MIXED_CENTER_CASE | |
2628 | ||
2629 | meta MIXED_CENTER_CASE __MIXED_CENTER_CASE | |
2630 | describe MIXED_CENTER_CASE Has center tag in mixed case | |
2631 | #score MIXED_CENTER_CASE 2.500 # limit | |
2632 | tflags MIXED_CENTER_CASE publish | |
2633 | ##} MIXED_CENTER_CASE | |
2634 | ||
b780ea8d SI |
2635 | ##{ MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags |
2636 | ||
# Defined only when feature_bug6558_free is available and the ReplaceTags
# plugin is loaded.
# The meta expression compares two hit counts arithmetically:
#   - HTML_IMAGE_ONLY_16 must not have fired;
#   - __LOWER_E must exceed 20;
#   - __E_LIKE_LETTER must be greater than __LOWER_E * 14 / 10 and less than
#     10 * __LOWER_E.
# Going by the names and the describe text, __LOWER_E counts plain "e" and
# __E_LIKE_LETTER counts characters that look like "e", so the rule targets
# look-alike character substitution; verify against the subrule definitions.
# The commented-out per-language scores (pl, cz, sk, hr, el) are 0.01 each,
# presumably because accented or similar letters are normal in those languages.
2637 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
2638 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
2639 | meta MIXED_ES ( ! HTML_IMAGE_ONLY_16 ) && ( __LOWER_E > 20 ) && ( __E_LIKE_LETTER > ( (__LOWER_E * 14 ) / 10) ) && ( __E_LIKE_LETTER < ( 10 * __LOWER_E ) ) | |
2640 | describe MIXED_ES Too many es are not es | |
2641 | tflags MIXED_ES publish | |
2642 | # lang pl score MIXED_ES 0.01 | |
2643 | # lang cz score MIXED_ES 0.01 | |
2644 | # lang sk score MIXED_ES 0.01 | |
2645 | # lang hr score MIXED_ES 0.01 | |
2646 | # lang el score MIXED_ES 0.01 | |
2647 | endif | |
2648 | endif | |
2649 | ##} MIXED_ES if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
2650 | ||
2651 | ##{ MIXED_FONT_CASE | |
2652 | ||
2653 | meta MIXED_FONT_CASE __MIXED_FONT_CASE | |
2654 | describe MIXED_FONT_CASE Has font tag in mixed case | |
2655 | #score MIXED_FONT_CASE 2.500 # limit | |
2656 | tflags MIXED_FONT_CASE publish | |
2657 | ##} MIXED_FONT_CASE | |
2658 | ||
2659 | ##{ MIXED_HREF_CASE | |
2660 | ||
2661 | meta MIXED_HREF_CASE __MIXED_HREF_CASE_JH | |
2662 | describe MIXED_HREF_CASE Has href in mixed case | |
2663 | #score MIXED_HREF_CASE 2.000 # limit | |
2664 | tflags MIXED_HREF_CASE publish | |
2665 | ##} MIXED_HREF_CASE | |
2666 | ||
2667 | ##{ MIXED_IMG_CASE | |
2668 | ||
2669 | meta MIXED_IMG_CASE __MIXED_IMG_CASE_JH && !__MSGID_JAVAMAIL | |
2670 | describe MIXED_IMG_CASE Has img tag in mixed case | |
2671 | #score MIXED_IMG_CASE 3.000 # limit | |
2672 | tflags MIXED_IMG_CASE publish | |
2673 | ##} MIXED_IMG_CASE | |
2674 | ||
2675 | ##{ MONERO_DEADLINE | |
2676 | ||
# The four MONERO_* rules all build on the __MONERO subrule.
# MONERO_EXTORT_01 (__MONERO && __EXTORT_MANY) carries the highest
# commented-out limit (5.000). The other three each include
# !MONERO_EXTORT_01, so a message that hits the extortion rule does not also
# hit MONERO_DEADLINE, MONERO_MALWARE or MONERO_PAY_ME.
2677 | meta MONERO_DEADLINE __MONERO && __HOURS_DEADLINE && !MONERO_EXTORT_01 | |
2678 | describe MONERO_DEADLINE Monero cryptocurrency with a deadline | |
2679 | #score MONERO_DEADLINE 3.000 # limit | |
2680 | tflags MONERO_DEADLINE publish | |
2681 | ##} MONERO_DEADLINE | |
2682 | ||
2683 | ##{ MONERO_EXTORT_01 | |
2684 | ||
2685 | meta MONERO_EXTORT_01 __MONERO && __EXTORT_MANY | |
2686 | describe MONERO_EXTORT_01 Extortion spam, pay via Monero cryptocurrency | |
2687 | #score MONERO_EXTORT_01 5.000 # limit | |
2688 | tflags MONERO_EXTORT_01 publish | |
2689 | ##} MONERO_EXTORT_01 | |
2690 | ||
2691 | ##{ MONERO_MALWARE | |
2692 | ||
2693 | meta MONERO_MALWARE __MONERO && __MY_MALWARE && !MONERO_EXTORT_01 | |
2694 | describe MONERO_MALWARE Monero cryptocurrency + malware bragging | |
2695 | #score MONERO_MALWARE 3.500 # limit | |
2696 | tflags MONERO_MALWARE publish | |
2697 | ##} MONERO_MALWARE | |
2698 | ||
2699 | ##{ MONERO_PAY_ME | |
2700 | ||
2701 | meta MONERO_PAY_ME __MONERO && __PAY_ME && !MONERO_EXTORT_01 | |
2702 | describe MONERO_PAY_ME Pay me via Monero cryptocurrency | |
2703 | #score MONERO_PAY_ME 3.000 # limit | |
2704 | tflags MONERO_PAY_ME publish | |
2705 | ##} MONERO_PAY_ME | |
2706 | ||
dfdd1e08 SI |
2707 | ##{ MONEY_ATM_CARD |
2708 | ||
# Fires on __MONEY_ATM_CARD unless the message also hits __COMMENT_EXISTS
# or __TAG_EXISTS_STYLE. No score or tflags line is given in this stanza.
# NOTE(review): the negated terms look like carve-outs for HTML-authored
# legitimate mail - confirm against the sub-rule definitions.
2709 | meta MONEY_ATM_CARD __MONEY_ATM_CARD && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE | |
2710 | describe MONEY_ATM_CARD Lots of money on an ATM card | |
2711 | ##} MONEY_ATM_CARD | |
2712 | ||
b780ea8d SI |
2713 | ##{ MONEY_FORM |
2714 | ||
# __MONEY_FORM with five suppressing sub-rules; any one of them hitting
# keeps the rule silent.
2715 | meta MONEY_FORM __MONEY_FORM && !__FB_TOUR && !__FM_MY_PRICE && !__FR_SPACING_8 && !__COMMENT_EXISTS && !__CAN_HELP | |
2716 | describe MONEY_FORM Lots of money if you fill out a form | |
2717 | ##} MONEY_FORM | |
2718 | ||
2719 | ##{ MONEY_FORM_SHORT | |
2720 | ||
# Short-form variant. Suppressed by list/unsubscribe, threading, HTML
# image-link and comment/center-tag sub-rules (names only; definitions are
# elsewhere). It is not negated on MONEY_FORM, so both can hit one message.
2721 | meta MONEY_FORM_SHORT __MONEY_FORM_SHORT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HTML_LINK_IMAGE && !__UPPERCASE_URI && !__THREADED && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__THREAD_INDEX_GOOD | |
2722 | describe MONEY_FORM_SHORT Lots of money if you fill out a short form | |
2723 | #score MONEY_FORM_SHORT 2.500 # limit | |
2724 | ##} MONEY_FORM_SHORT | |
2725 | ||
2726 | ##{ MONEY_FRAUD_3 | |
2727 | ||
# MONEY_FRAUD_3/5/8 are tiers: _3 is negated on __MONEY_FRAUD_5 and
# __MONEY_FRAUD_8, and _5 on __MONEY_FRAUD_8, so the core conditions are
# mutually exclusive and at most one tier fires per message.
# _3 also yields to __ADVANCE_FEE_3_NEW_MONEY and to a long list of
# mailing-list, threading and HTML-structure sub-rules.
2728 | meta MONEY_FRAUD_3 (__MONEY_FRAUD_3 && !__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_3_NEW_MONEY) && !__COMMENT_EXISTS && !__TAG_EXISTS_CENTER && !__IS_EXCH && !__VIA_ML && !__HAS_THREAD_INDEX && !__UNSUB_LINK && !__DOS_HAS_LIST_UNSUB && !__HTML_LINK_IMAGE && !__THREADED && !__DOS_BODY_THU && !__URL_SHORTENER && !__TAG_EXISTS_STYLE | |
2729 | describe MONEY_FRAUD_3 Lots of money and several fraud phrases | |
2730 | tflags MONEY_FRAUD_3 publish | |
2731 | ##} MONEY_FRAUD_3 | |
2732 | ||
2733 | ##{ MONEY_FRAUD_5 | |
2734 | ||
# Middle tier: excluded when the _8 tier or __ADVANCE_FEE_5_NEW_MONEY hits;
# fewer suppressing sub-rules than MONEY_FRAUD_3.
2735 | meta MONEY_FRAUD_5 (__MONEY_FRAUD_5 && !__MONEY_FRAUD_8 && !__ADVANCE_FEE_5_NEW_MONEY) && !__VIA_ML && !__HAS_THREAD_INDEX && !__COMMENT_EXISTS && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__URL_SHORTENER && !__TAG_EXISTS_STYLE | |
2736 | describe MONEY_FRAUD_5 Lots of money and many fraud phrases | |
2737 | tflags MONEY_FRAUD_5 publish | |
2738 | ##} MONEY_FRAUD_5 | |
2739 | ||
2740 | ##{ MONEY_FRAUD_8 | |
2741 | ||
# Top tier: only three suppressing sub-rules (__VIA_ML, __HAS_THREAD_INDEX,
# __BUGGED_IMG).
2742 | meta MONEY_FRAUD_8 __MONEY_FRAUD_8 && !__VIA_ML && !__HAS_THREAD_INDEX && !__BUGGED_IMG | |
2743 | describe MONEY_FRAUD_8 Lots of money and very many fraud phrases | |
2744 | tflags MONEY_FRAUD_8 publish | |
2745 | ##} MONEY_FRAUD_8 | |
2746 | ||
2747 | ##{ MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2748 | ||
# Defined only when the FreeMail plugin is loaded; without it the rule
# does not exist at all, so local meta rules referring to it need the same
# guard.
2749 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2750 | meta MONEY_FREEMAIL_REPTO __MONEY_FREEMAIL_REPTO && !__HAS_CAMPAIGNID | |
2751 | describe MONEY_FREEMAIL_REPTO Lots of money from someone using free email? | |
2752 | # score MONEY_FREEMAIL_REPTO 3.000 # limit | |
2753 | tflags MONEY_FREEMAIL_REPTO publish | |
2754 | endif | |
2755 | ##} MONEY_FREEMAIL_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2756 | ||
fc5290a3 SI |
2757 | ##{ MONEY_FROM_41 |
2758 | ||
# Thin wrapper around __MONEY_FROM_41; no tflags line in this stanza.
2759 | meta MONEY_FROM_41 __MONEY_FROM_41 | |
2760 | describe MONEY_FROM_41 Lots of money from Africa | |
2761 | #score MONEY_FROM_41 2.00 # limit | |
2762 | ##} MONEY_FROM_41 | |
2763 | ||
b780ea8d SI |
2764 | ##{ MONEY_FROM_MISSP |
2765 | ||
# Builds on LOTS_OF_MONEY, which by its name (no "__" prefix) is a rule in
# its own right rather than a sub-rule, so a hit here can add to that
# rule's own hit. Suppressed when __MIME_QP hits.
2766 | meta MONEY_FROM_MISSP LOTS_OF_MONEY && __FROM_MISSPACED && !__MIME_QP | |
2767 | describe MONEY_FROM_MISSP Lots of money and misspaced From | |
2768 | #score MONEY_FROM_MISSP 2.000 # limit | |
2769 | ##} MONEY_FROM_MISSP | |
2770 | ||
b780ea8d SI |
2771 | ##{ MSGID_DOLLARS_URI_IMG |
2772 | ||
# Fires on __MSGID_DOLLARS_URI_IMG unless __THREADED or __HS_SUBJ_RE_FW
# hits (presumably replies/forwards - confirm against the sub-rules).
2773 | meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW | |
2774 | describe MSGID_DOLLARS_URI_IMG Suspicious Message-ID and image | |
2775 | #score MSGID_DOLLARS_URI_IMG 3.000 # limit | |
2776 | tflags MSGID_DOLLARS_URI_IMG publish | |
2777 | ##} MSGID_DOLLARS_URI_IMG | |
2778 | ||
2779 | ##{ MSGID_HDR_MALF | |
2780 | ||
# NOTE(review): the only condition is __HAS_MESSAGEID, while the
# description says the header is invalid. The sub-rule is defined elsewhere;
# confirm it matches a malformed header name and not the ordinary
# Message-ID header, otherwise this rule would hit almost all mail.
2781 | meta MSGID_HDR_MALF __HAS_MESSAGEID | |
2782 | describe MSGID_HDR_MALF Has invalid message ID header | |
2783 | #score MSGID_HDR_MALF 3.500 # limit | |
2784 | tflags MSGID_HDR_MALF publish | |
2785 | ##} MSGID_HDR_MALF | |
2786 | ||
2787 | ##{ MSGID_MULTIPLE_AT | |
2788 | ||
# Matches a Message-ID in which, after the opening '<' and before any '>',
# two '@' characters appear. The commented score (0.001) suggests an
# informational rule.
2789 | header MSGID_MULTIPLE_AT MESSAGEID =~ /<[^>]*\@[^>]*\@/ | |
2790 | describe MSGID_MULTIPLE_AT Message-ID contains multiple '@' characters | |
2791 | #score MSGID_MULTIPLE_AT 0.001 | |
2792 | ##} MSGID_MULTIPLE_AT | |
2793 | ||
b780ea8d SI |
2794 | ##{ MSMAIL_PRI_ABNORMAL |
2795 | ||
# __MSMAIL_PRI_ABNORMAL with eight exclusions. !ALL_TRUSTED keeps the rule
# off mail that only passed through trusted relays; the others exclude mail
# that shows mail-client, threading or DKIM sub-rule hits.
2796 | meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER && !__HAS_UA && !__MSMAIL_PRI_HIGH | |
2797 | describe MSMAIL_PRI_ABNORMAL Email priority often abused | |
2798 | #score MSMAIL_PRI_ABNORMAL 1.500 # limit | |
2799 | ##} MSMAIL_PRI_ABNORMAL | |
2800 | ||
2801 | ##{ MSM_PRIO_REPTO | |
2802 | ||
# Suppressed when __ENV_AND_HDR_FROM_MATCH hits (by its name, envelope
# sender and From: header agree - confirm).
2803 | meta MSM_PRIO_REPTO __MSM_PRIO_REPTO && !__ENV_AND_HDR_FROM_MATCH | |
2804 | describe MSM_PRIO_REPTO MSMail priority header + Reply-to + short subject | |
2805 | #score MSM_PRIO_REPTO 2.500 # limit | |
2806 | tflags MSM_PRIO_REPTO publish | |
2807 | ##} MSM_PRIO_REPTO | |
2808 | ||
2809 | ##{ MSOE_MID_WRONG_CASE | |
2810 | ||
# Requires both __XM_OUTLOOK_EXPRESS and __MSOE_MID_WRONG_CASE and the
# absence of __MIMEOLE_1106. This stanza has no describe, score or tflags
# line, so reports will show the rule name without a description.
2811 | meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106) | |
2812 | ##} MSOE_MID_WRONG_CASE | |
2813 | ||
fc5290a3 SI |
2814 | ##{ NAME_EMAIL_DIFF |
2815 | ||
# Display name is itself an e-mail address (__NAME_IS_EMAIL) but does not
# equal the actual address (__NAME_EQ_EMAIL false). Both sub-rules are
# defined elsewhere.
2816 | meta NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL | |
2817 | describe NAME_EMAIL_DIFF Sender NAME is an unrelated email address | |
2818 | ##} NAME_EMAIL_DIFF | |
2819 | ||
b780ea8d SI |
2820 | ##{ NA_DOLLARS |
2821 | ||
# Case-insensitive body match: "Million" (optionally prefixed by 1-3 digits
# with no space), then within 40 characters a Canadian or US dollar phrase.
2822 | body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i | |
2823 | describe NA_DOLLARS Talks about a million North American dollars | |
2824 | #score NA_DOLLARS 1.5 | |
2825 | ##} NA_DOLLARS | |
2826 | ||
2827 | ##{ NEWEGG_IMG_NOT_RCVD_NEGG | |
2828 | ||
# Thin wrapper; the image-host and relay checks live in the sub-rule.
2829 | meta NEWEGG_IMG_NOT_RCVD_NEGG __NEWEGG_IMG_NOT_RCVD_NEGG | |
2830 | #score NEWEGG_IMG_NOT_RCVD_NEGG 2.500 # limit | |
2831 | describe NEWEGG_IMG_NOT_RCVD_NEGG Newegg hosted image but message not from Newegg | |
2832 | tflags NEWEGG_IMG_NOT_RCVD_NEGG publish | |
2833 | ##} NEWEGG_IMG_NOT_RCVD_NEGG | |
2834 | ||
31955ede SI |
2835 | ##{ NEW_PRODUCTS |
2836 | ||
# No describe line in this stanza. Suppressed when __STY_INVIS_MANY hits.
2837 | meta NEW_PRODUCTS __NEW_PRODUCTS && !__STY_INVIS_MANY | |
2838 | #score NEW_PRODUCTS 1.250 # limit | |
2839 | tflags NEW_PRODUCTS publish | |
2840 | ##} NEW_PRODUCTS | |
2841 | ||
b780ea8d SI |
2842 | ##{ NICE_REPLY_A |
2843 | ||
# "nice" rule: intended to lower the spam score. Judging by the sub-rule
# names, every input is a header the sender writes (Subject, In-Reply-To,
# References).
# NOTE(review): keep the negative score small for that reason - confirm
# the score assigned elsewhere.
2844 | meta NICE_REPLY_A (__SUBJ_RE && !__MISSING_REPLY && !__MISSING_REF && __BOTH_INR_AND_REF) | |
2845 | describe NICE_REPLY_A Looks like a legit reply (A) | |
2846 | tflags NICE_REPLY_A nice | |
2847 | ##} NICE_REPLY_A | |
2848 | ||
b780ea8d SI |
2849 | ##{ NOT_SPAM |
2850 | ||
# Case-insensitive body match for "this is not spam" disclaimers in
# English, Spanish and German.
2851 | body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i | |
2852 | describe NOT_SPAM I'm not spam! Really! I'm not, I'm not, I'm not! | |
2853 | tflags NOT_SPAM publish | |
2854 | ##} NOT_SPAM | |
2855 | ||
2856 | ##{ NO_FM_NAME_IP_HOSTN | |
2857 | ||
# Both __KHOP_NO_FULL_NAME and __IP_IN_RELAY must hit; suppressed by
# __DOS_RELAYED_EXT.
2858 | meta NO_FM_NAME_IP_HOSTN (__KHOP_NO_FULL_NAME && __IP_IN_RELAY) && !__DOS_RELAYED_EXT | |
2859 | describe NO_FM_NAME_IP_HOSTN No From name + hostname using IP address | |
2860 | #score NO_FM_NAME_IP_HOSTN 2.500 # limit | |
2861 | tflags NO_FM_NAME_IP_HOSTN publish | |
2862 | ##} NO_FM_NAME_IP_HOSTN | |
2863 | ||
2864 | ##{ NSL_RCVD_FROM_USER | |
2865 | ||
# Case-sensitive: a Received header containing "from User " followed by
# '[' or '('.
2866 | header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/ | |
2867 | describe NSL_RCVD_FROM_USER Received from User | |
2868 | ##} NSL_RCVD_FROM_USER | |
2869 | ||
2870 | ##{ NSL_RCVD_HELO_USER | |
2871 | ||
# Case-insensitive: "helo=user)" or "helo user)" in a Received header.
2872 | header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i | |
2873 | describe NSL_RCVD_HELO_USER Received from HELO User | |
2874 | ##} NSL_RCVD_HELO_USER | |
2875 | ||
2876 | ##{ NULL_IN_BODY | |
2877 | ||
# "full" rules are matched against the complete undecoded message, so a
# NUL byte anywhere in the raw message (not only the body) triggers this.
2878 | full NULL_IN_BODY /\x00/ | |
2879 | describe NULL_IN_BODY Message has NUL (ASCII 0) byte in message | |
2880 | ##} NULL_IN_BODY | |
2881 | ||
b780ea8d SI |
2882 | ##{ OBFU_BITCOIN |
2883 | ||
# Thin published wrapper around __OBFU_BITCOIN (defined elsewhere).
2884 | meta OBFU_BITCOIN __OBFU_BITCOIN | |
2885 | describe OBFU_BITCOIN Obfuscated BitCoin references | |
2886 | #score OBFU_BITCOIN 3.000 # limit | |
2887 | tflags OBFU_BITCOIN publish | |
2888 | ##} OBFU_BITCOIN | |
2889 | ||
2890 | ##{ OBFU_JVSCR_ESC | |
2891 | ||
# rawbody keeps HTML markup, so script text is visible to the pattern.
# Matches document.write(unescape(" or ' followed by at least ten
# consecutive %XX escapes, case-insensitively.
2892 | rawbody OBFU_JVSCR_ESC /document\.write\(unescape\(["'](?:%[0-9a-f]{2}){10}/i | |
2893 | describe OBFU_JVSCR_ESC Injects content using obfuscated javascript | |
2894 | tflags OBFU_JVSCR_ESC publish | |
2895 | ##} OBFU_JVSCR_ESC | |
2896 | ||
2897 | ##{ OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2898 | ||
# Needs the MIMEHeader plugin. Matches a part whose Content-Type is
# application/octet-stream and, later in the same header, contains ".txt"
# at a word boundary. The pattern is not anchored after ".txt", so a
# longer name that merely contains ".txt" also matches.
2899 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2900 | mimeheader OBFU_TEXT_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.txt\b,i | |
2901 | describe OBFU_TEXT_ATTACH Text attachment with non-text MIME type | |
2902 | tflags OBFU_TEXT_ATTACH publish | |
2903 | endif | |
2904 | ##} OBFU_TEXT_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2905 | ||
2906 | ##{ OBFU_UNSUB_UL | |
2907 | ||
# Suppressed when MAILING_LIST_MULTI hits.
2908 | meta OBFU_UNSUB_UL __OBFU_UNSUB_UL && !MAILING_LIST_MULTI | |
2909 | describe OBFU_UNSUB_UL Obfuscated unsubscribe text | |
2910 | tflags OBFU_UNSUB_UL publish | |
2911 | ##} OBFU_UNSUB_UL | |
2912 | ||
2913 | ##{ ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2914 | ||
# Defined only when the FreeMail plugin is loaded. Wraps the lower-case
# sub-rule __freemail_mailreplyto, which is defined elsewhere.
2915 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2916 | meta ODD_FREEM_REPTO __freemail_mailreplyto | |
2917 | describe ODD_FREEM_REPTO Has unusual reply-to header | |
2918 | # score ODD_FREEM_REPTO 3.000 # limit | |
2919 | tflags ODD_FREEM_REPTO publish | |
2920 | endif | |
2921 | ##} ODD_FREEM_REPTO ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
2922 | ||
b780ea8d SI |
2923 | ##{ PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
2924 | ||
# Needs the MIMEHeader plugin. Requires an image attachment and
# __PART_STOCK_CID, and the absence of __PART_STOCK_CL and
# __PART_STOCK_CD_F. No score or tflags line in this stanza.
2925 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2926 | meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F) | |
2927 | describe PART_CID_STOCK Has a spammy image attachment (by Content-ID) | |
2928 | endif | |
2929 | ##} PART_CID_STOCK ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2930 | ||
2931 | ##{ PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2932 | ||
# Variant keyed on __PART_CID_STOCK_LESS. It is not negated on
# PART_CID_STOCK, so both rules can hit the same message.
2933 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2934 | meta PART_CID_STOCK_LESS (__ANY_IMAGE_ATTACH&&__PART_CID_STOCK_LESS) | |
2935 | describe PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID, more specific) | |
2936 | endif | |
2937 | ##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
2938 | ||
fc5290a3 | 2939 | ##{ PDS_BRAND_SUBJ_NAKED_TO |
dfdd1e08 | 2940 | |
# Combines __NAKED_TO with __PDS_TO_BRAND_SUBJECT; suppressed when
# MAILING_LIST_MULTI hits.
fc5290a3 SI |
2941 | meta PDS_BRAND_SUBJ_NAKED_TO __NAKED_TO && __PDS_TO_BRAND_SUBJECT && !MAILING_LIST_MULTI |
2942 | describe PDS_BRAND_SUBJ_NAKED_TO Subject starts with To: brand and naked To: | |
2943 | #score PDS_BRAND_SUBJ_NAKED_TO 1.0 | |
2944 | ##} PDS_BRAND_SUBJ_NAKED_TO | |
dfdd1e08 | 2945 | |
b780ea8d SI |
2946 | ##{ PDS_BTC_ID |
2947 | ||
# Thin wrapper around __PDS_BTC_ID; the Bitcoin-ID pattern itself is
# defined elsewhere.
2948 | meta PDS_BTC_ID __PDS_BTC_ID | |
2949 | describe PDS_BTC_ID FP reduced Bitcoin ID | |
2950 | #score PDS_BTC_ID 0.5 | |
2951 | ##} PDS_BTC_ID | |
2952 | ||
2953 | ##{ PDS_BTC_MSGID | |
2954 | ||
# Uses the same __PDS_BTC_ID sub-rule as PDS_BTC_ID, so whenever this rule
# hits PDS_BTC_ID hits too.
# NOTE(review): the description names T_MSGID_NOFQDN2 while the expression
# uses __MSGID_NOFQDN2 - confirm which name is current.
2955 | meta PDS_BTC_MSGID __PDS_BTC_ID && __MSGID_NOFQDN2 | |
2956 | describe PDS_BTC_MSGID Bitcoin ID with T_MSGID_NOFQDN2 | |
2957 | #score PDS_BTC_MSGID 1.0 | |
2958 | ##} PDS_BTC_MSGID | |
2959 | ||
2960 | ##{ PDS_DBL_URL_TNB_RUNON | |
2961 | ||
# Both sub-rules must hit; no exclusions.
2962 | meta PDS_DBL_URL_TNB_RUNON __TO_NO_BRKTS_FROM_RUNON && __PDS_DOUBLE_URL | |
2963 | describe PDS_DBL_URL_TNB_RUNON Double-url and To no arrows, from runon | |
2964 | #score PDS_DBL_URL_TNB_RUNON 2.0 | |
2965 | ##} PDS_DBL_URL_TNB_RUNON | |
2966 | ||
fc5290a3 | 2967 | ##{ PDS_FRNOM_TODOM_DBL_URL |
b780ea8d | 2968 | |
# Depends on PDS_FROM_NAME_TO_DOMAIN (defined in this file as a rule in its
# own right) without negating it, so a hit here comes on top of that
# rule's own hit.
fc5290a3 SI |
2969 | meta PDS_FRNOM_TODOM_DBL_URL PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL |
2970 | describe PDS_FRNOM_TODOM_DBL_URL From Name to domain, double URL | |
2971 | #score PDS_FRNOM_TODOM_DBL_URL 1.5 | |
2972 | ##} PDS_FRNOM_TODOM_DBL_URL | |
21dcadbf | 2973 | |
fc5290a3 | 2974 | ##{ PDS_FRNOM_TODOM_NAKED_TO |
21dcadbf | 2975 | |
# Same dependency on PDS_FROM_NAME_TO_DOMAIN, combined with __NAKED_TO.
fc5290a3 SI |
2976 | meta PDS_FRNOM_TODOM_NAKED_TO __NAKED_TO && PDS_FROM_NAME_TO_DOMAIN |
2977 | describe PDS_FRNOM_TODOM_NAKED_TO Naked to From name equals to Domain | |
2978 | #score PDS_FRNOM_TODOM_NAKED_TO 1.5 | |
2979 | ##} PDS_FRNOM_TODOM_NAKED_TO | |
2980 | ||
2981 | ##{ PDS_FROM_NAME_TO_DOMAIN | |
2982 | ||
# Base rule for the two PDS_FRNOM_TODOM_* metas above; wraps
# __PDS_FROM_NAME_TO_DOMAIN.
2983 | meta PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN | |
2984 | #score PDS_FROM_NAME_TO_DOMAIN 2.0 | |
2985 | describe PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain | |
2986 | ##} PDS_FROM_NAME_TO_DOMAIN | |
b780ea8d SI |
2987 | |
2988 | ##{ PDS_HELO_SPF_FAIL | |
2989 | ||
# Flagged "net": depends on SPF_HELO_FAIL, so it is only evaluated when
# network tests are enabled.
2990 | meta PDS_HELO_SPF_FAIL SPF_HELO_FAIL && __HELO_HIGHPROFILE | |
2991 | describe PDS_HELO_SPF_FAIL High profile HELO that fails SPF | |
2992 | #score PDS_HELO_SPF_FAIL 2.0 | |
2993 | tflags PDS_HELO_SPF_FAIL net | |
2994 | ##} PDS_HELO_SPF_FAIL | |
2995 | ||
46cfc9e2 SI |
2996 | ##{ PDS_RDNS_DYNAMIC_FP |
2997 | ||
# RDNS_DYNAMIC narrowed by !__PDS_RDNS_MTA; the commented score (0.01)
# suggests it is informational for now.
2998 | meta PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC && !__PDS_RDNS_MTA | |
2999 | #score PDS_RDNS_DYNAMIC_FP 0.01 | |
3000 | describe PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC with FP steps | |
3001 | ##} PDS_RDNS_DYNAMIC_FP | |
3002 | ||
b780ea8d SI |
3003 | ##{ PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE |
3004 | ||
# Builds on FREEMAIL_FORGED_REPLYTO, which by its name comes from the
# FreeMail rules; this stanza has no ifplugin guard of its own.
# NOTE(review): confirm behaviour when that rule is not defined.
3005 | meta PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE FREEMAIL_FORGED_REPLYTO && __PDS_TONAME_EQ_TOLOCAL | |
3006 | describe PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE Forged replyto and __PDS_TONAME_EQ_TOLOCAL | |
3007 | #score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 2.0 # limit | |
3008 | ##} PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE | |
3009 | ||
fc5290a3 | 3010 | ##{ PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) |
21dcadbf | 3011 | |
# Defined only when the running SpamAssassin reports the
# perl_min_version_5010000 capability. Either of two sub-rules triggers it;
# suppressed when __HAS_SENDER hits.
fc5290a3 SI |
3012 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) |
3013 | meta PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER | |
3014 | describe PDS_TO_EQ_FROM_NAME From: name same as To: address | |
3015 | endif | |
3016 | ##} PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
21dcadbf | 3017 | |
b780ea8d SI |
3018 | ##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
3019 | ||
# Needs the MIMEHeader plugin. Either attachment-name sub-rule triggers it;
# suppressed when __HAS_SENDER hits.
3020 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3021 | meta PHISH_ATTACH (__PHISH_ATTACH_01_01 || __PHISH_ATTACH_01_02) && !__HAS_SENDER | |
3022 | describe PHISH_ATTACH Attachment filename suspicious, probable phishing | |
3023 | tflags PHISH_ATTACH publish | |
3024 | endif | |
3025 | ##} PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3026 | ||
3027 | ##{ PHISH_AZURE_CLOUDAPP | |
3028 | ||
# uri rule with a fixed list of <label>.<region>.cloudapp.azure.com hosts.
# The leading lookahead rejects URIs whose host is not under
# cloudapp.azure.com before the alternation is tried.
# Only the listed names match, so this is a point-in-time indicator list:
# hosts not in the list need a rule update to be covered.
3029 | uri PHISH_AZURE_CLOUDAPP m;^https?://(?=[^/]+\.cloudapp\.azure\.com)(?:(?:b(?:illetedecalle\.northeurope|urofaxnotificado\.eastus)|comprobante(?:digital\.southcentralus|fiscale\.eastus)|infracciondeestacionamiento(?:\.eastus|s\.ukwest)|multa(?:detrafico\.eastus|prev\.eastus|s\.(?:eastus|southcentralus))|notificadosburofax\.eastus|penadetransitomulta\.eastus))\.cloudapp\.azure\.com/;i | |
3030 | describe PHISH_AZURE_CLOUDAPP Link to known phishing web application | |
3031 | #score PHISH_AZURE_CLOUDAPP 3.500 | |
3032 | tflags PHISH_AZURE_CLOUDAPP publish | |
3033 | ##} PHISH_AZURE_CLOUDAPP | |
3034 | ||
3035 | ##{ PHISH_FBASEAPP | |
3036 | ||
# Thin published wrapper around __PHISH_FBASE_01 (defined elsewhere).
3037 | meta PHISH_FBASEAPP __PHISH_FBASE_01 | |
3038 | describe PHISH_FBASEAPP Probable phishing via hosted web app | |
3039 | #score PHISH_FBASEAPP 3.000 # limit | |
3040 | tflags PHISH_FBASEAPP publish | |
3041 | ##} PHISH_FBASEAPP | |
3042 | ||
b780ea8d SI |
3043 | ##{ PHP_NOVER_MUA |
3044 | ||
# PHP_NOVER_MUA is split over three stanzas: the description and flags
# here are unconditional, and the meta expression is supplied by exactly
# one of the two plugin-dependent stanzas that follow.
3045 | describe PHP_NOVER_MUA Mail from PHP with no version number | |
3046 | #score PHP_NOVER_MUA 3.000 # limit | |
3047 | tflags PHP_NOVER_MUA publish | |
3048 | ##} PHP_NOVER_MUA | |
3049 | ||
3050 | ##{ PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
3051 | ||
# Variant used when the DKIM plugin is NOT loaded.
3052 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
3053 | meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH | |
3054 | endif | |
3055 | ##} PHP_NOVER_MUA if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
3056 | ||
3057 | ##{ PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM | |
3058 | ||
# Variant used when the DKIM plugin IS loaded: same expression plus
# !__DKIM_DEPENDABLE, so the rule is additionally suppressed when that
# sub-rule hits.
3059 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
3060 | meta PHP_NOVER_MUA __PHP_NOVER_MUA && !__DKIM_DEPENDABLE && !__TO_NO_BRKTS_HTML_ONLY && !__MSGID_OK_DIGITS && !__UPPERCASE_25_50 && !__RP_MATCHES_RCVD && !__GIF_ATTACH | |
3061 | endif | |
3062 | ##} PHP_NOVER_MUA ifplugin Mail::SpamAssassin::Plugin::DKIM | |
3063 | ||
3064 | ##{ PHP_ORIG_SCRIPT | |
3065 | ||
# !ALL_TRUSTED keeps the rule off mail that only passed through trusted
# relays; the remaining negations are sub-rules defined elsewhere.
3066 | meta PHP_ORIG_SCRIPT __PHP_ORIG_SCRIPT_SONLY && !ALL_TRUSTED && !__SUBSCRIPTION_INFO && !__MSGID_BEFORE_RECEIVED && !MSGID_FROM_MTA_HEADER | |
3067 | describe PHP_ORIG_SCRIPT Sent by bot & other signs | |
3068 | #score PHP_ORIG_SCRIPT 2.500 # limit | |
3069 | tflags PHP_ORIG_SCRIPT publish | |
3070 | ##} PHP_ORIG_SCRIPT | |
3071 | ||
3072 | ##{ PHP_SCRIPT | |
3073 | ||
# Negated on __PHP_NOVER_MUA, while PHP_SCRIPT_MUA below requires it, so
# PHP_SCRIPT and PHP_SCRIPT_MUA never hit the same message.
3074 | meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT | |
3075 | describe PHP_SCRIPT Sent by PHP script | |
3076 | #score PHP_SCRIPT 2.500 # limit | |
3077 | tflags PHP_SCRIPT publish | |
3078 | ##} PHP_SCRIPT | |
3079 | ||
3080 | ##{ PHP_SCRIPT_MUA | |
3081 | ||
# Requires both sub-rules; unlike PHP_SCRIPT it carries no !ALL_TRUSTED
# term or other exclusions.
3082 | meta PHP_SCRIPT_MUA __HAS_PHP_SCRIPT && __PHP_NOVER_MUA | |
3083 | describe PHP_SCRIPT_MUA Sent by PHP script, no version number | |
3084 | #score PHP_SCRIPT_MUA 2.000 # limit | |
3085 | tflags PHP_SCRIPT_MUA publish | |
3086 | ##} PHP_SCRIPT_MUA | |
3087 | ||
46cfc9e2 SI |
3088 | ##{ POSSIBLE_APPLE_PHISH_02 |
3089 | ||
# Brand-impersonation pattern shared by the *_PHISH_02 rules: the From
# display name claims the brand (__FROM_NAME_*COM) but no Received header
# attributed to the brand was seen (__HDR_RCVD_* false).
# NOTE(review): Received headers added outside the trusted relay chain are
# written by the sender; confirm the __HDR_RCVD_* sub-rules are restricted
# to trusted hops.
3090 | meta POSSIBLE_APPLE_PHISH_02 (__FROM_NAME_APPLECOM && !__HDR_RCVD_APPLE) | |
3091 | describe POSSIBLE_APPLE_PHISH_02 Claims to be from apple but not processed by any apple MTA | |
3092 | tflags POSSIBLE_APPLE_PHISH_02 publish | |
3093 | ##} POSSIBLE_APPLE_PHISH_02 | |
3094 | ||
3095 | ##{ POSSIBLE_EBAY_PHISH_02 | |
3096 | ||
# Same pattern for eBay.
3097 | meta POSSIBLE_EBAY_PHISH_02 (__FROM_NAME_EBAYCOM && !__HDR_RCVD_EBAY) | |
3098 | describe POSSIBLE_EBAY_PHISH_02 Claims to be from ebay but not processed by any ebay MTA | |
3099 | tflags POSSIBLE_EBAY_PHISH_02 publish | |
3100 | ##} POSSIBLE_EBAY_PHISH_02 | |
3101 | ||
3102 | ##{ POSSIBLE_PAYPAL_PHISH_01 | |
3103 | ||
# Different signal from the _02 rules: display name claims PayPal and
# __NAME_EMAIL_DIFF hits. Not negated on POSSIBLE_PAYPAL_PHISH_02, so both
# PayPal rules can hit one message.
3104 | meta POSSIBLE_PAYPAL_PHISH_01 (__FROM_NAME_PAYPALCOM && __NAME_EMAIL_DIFF) | |
3105 | describe POSSIBLE_PAYPAL_PHISH_01 Claims to be from paypal but has non-paypal from email address | |
3106 | tflags POSSIBLE_PAYPAL_PHISH_01 publish | |
3107 | ##} POSSIBLE_PAYPAL_PHISH_01 | |
3108 | ||
3109 | ##{ POSSIBLE_PAYPAL_PHISH_02 | |
3110 | ||
# Same pattern as the Apple and eBay _02 rules, for PayPal.
3111 | meta POSSIBLE_PAYPAL_PHISH_02 (__FROM_NAME_PAYPALCOM && !__HDR_RCVD_PAYPAL) | |
3112 | describe POSSIBLE_PAYPAL_PHISH_02 Claims to be from paypal but not processed by any paypal MTA | |
3113 | tflags POSSIBLE_PAYPAL_PHISH_02 publish | |
3114 | ##} POSSIBLE_PAYPAL_PHISH_02 | |
3115 | ||
b780ea8d SI |
3116 | ##{ PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal) |
3117 | ||
# Double guard: the MIMEEval plugin must be loaded AND must advertise the
# has_check_for_ascii_text_illegal capability, so older plugin versions
# skip the rule instead of failing on an unknown eval function.
3118 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
3119 | if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal) | |
3120 | body PP_MIME_FAKE_ASCII_TEXT eval:check_for_ascii_text_illegal() | |
3121 | describe PP_MIME_FAKE_ASCII_TEXT MIME text/plain claims to be ASCII but isn't | |
3122 | # score PP_MIME_FAKE_ASCII_TEXT 1.0 | |
3123 | tflags PP_MIME_FAKE_ASCII_TEXT publish | |
3124 | endif | |
3125 | endif | |
3126 | ##} PP_MIME_FAKE_ASCII_TEXT ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_for_ascii_text_illegal) | |
3127 | ||
3128 | ##{ PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) | |
3129 | ||
# Same double guard, for has_check_abundant_unicode_ratio. The eval is
# called with 0.02 here and 0.05 in PP_TOO_MUCH_UNICODE05.
# NOTE(review): presumably a lower bound on the ratio, in which case a
# message hitting the 05 rule also hits this one - confirm in the plugin.
3130 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
3131 | if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) | |
3132 | body PP_TOO_MUCH_UNICODE02 eval:check_abundant_unicode_ratio(0.02) | |
3133 | describe PP_TOO_MUCH_UNICODE02 Is text/plain but has many unicode escapes | |
3134 | # score PP_TOO_MUCH_UNICODE02 0.5 | |
3135 | tflags PP_TOO_MUCH_UNICODE02 publish | |
3136 | endif | |
3137 | endif | |
3138 | ##} PP_TOO_MUCH_UNICODE02 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) | |
3139 | ||
3140 | ##{ PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) | |
3141 | ||
# Higher-threshold variant (0.05); its description text is identical to
# the 02 rule's, so reports distinguish the two only by rule name.
3142 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
3143 | if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) | |
3144 | body PP_TOO_MUCH_UNICODE05 eval:check_abundant_unicode_ratio(0.05) | |
3145 | describe PP_TOO_MUCH_UNICODE05 Is text/plain but has many unicode escapes | |
3146 | # score PP_TOO_MUCH_UNICODE05 1.0 | |
3147 | tflags PP_TOO_MUCH_UNICODE05 publish | |
3148 | endif | |
3149 | endif | |
3150 | ##} PP_TOO_MUCH_UNICODE05 ifplugin Mail::SpamAssassin::Plugin::MIMEEval if can(Mail::SpamAssassin::Plugin::MIMEEval::has_check_abundant_unicode_ratio) | |
3151 | ||
3152 | ##{ PUMPDUMP | |
3153 | ||
# Single-phrase case: any one of the ten __PUMPDUMP_NN sub-rules hits and
# PUMPDUMP_MULTI did not, so PUMPDUMP and PUMPDUMP_MULTI are mutually
# exclusive.
3154 | meta PUMPDUMP (__PUMPDUMP_01 || __PUMPDUMP_02 || __PUMPDUMP_03 || __PUMPDUMP_04 || __PUMPDUMP_05 || __PUMPDUMP_06 || __PUMPDUMP_07 || __PUMPDUMP_08 || __PUMPDUMP_09 || __PUMPDUMP_10) && !PUMPDUMP_MULTI | |
3155 | describe PUMPDUMP Pump-and-dump stock scam phrase | |
3156 | #score PUMPDUMP 1.000 # limit | |
3157 | tflags PUMPDUMP publish | |
3158 | ##} PUMPDUMP | |
3159 | ||
3160 | ##{ PUMPDUMP_MULTI | |
3161 | ||
# Multi-phrase case: the same ten sub-rules are summed and the rule fires
# when the total exceeds 1, i.e. at least two distinct phrases matched.
3162 | meta PUMPDUMP_MULTI (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 1 | |
3163 | describe PUMPDUMP_MULTI Pump-and-dump stock scam phrases | |
3164 | #score PUMPDUMP_MULTI 3.500 # limit | |
3165 | tflags PUMPDUMP_MULTI publish | |
3166 | ##} PUMPDUMP_MULTI | |
3167 | ||
3168 | ##{ PUMPDUMP_TIP | |
3169 | ||
# Uses different sub-rules (__PD_CNT_1, __STOCK_TIP) and is not negated on
# the two rules above, so it can hit alongside either of them.
3170 | meta PUMPDUMP_TIP __PD_CNT_1 && __STOCK_TIP | |
3171 | describe PUMPDUMP_TIP Pump-and-dump stock tip | |
3172 | tflags PUMPDUMP_TIP publish | |
3173 | ##} PUMPDUMP_TIP | |
3174 | ||
3175 | ##{ RAND_HEADER_LIST_SPOOF | |
3176 | ||
# Both __RAND_HEADER and __LIST_PARTIAL must hit; no exclusions.
3177 | meta RAND_HEADER_LIST_SPOOF __RAND_HEADER && __LIST_PARTIAL | |
3178 | describe RAND_HEADER_LIST_SPOOF Random gibberish message header(s) + pretending to be a mailing list | |
3179 | #score RAND_HEADER_LIST_SPOOF 3.000 # limit | |
3180 | tflags RAND_HEADER_LIST_SPOOF publish | |
3181 | ##} RAND_HEADER_LIST_SPOOF | |
3182 | ||
3183 | ##{ RAND_HEADER_MANY | |
3184 | ||
# Thin wrapper around __RAND_HEADER_2 (by its name, a two-or-more count -
# confirm against the sub-rule).
3185 | meta RAND_HEADER_MANY __RAND_HEADER_2 | |
3186 | describe RAND_HEADER_MANY Multiple random gibberish message headers | |
3187 | #score RAND_HEADER_MANY 3.000 # limit | |
3188 | tflags RAND_HEADER_MANY publish | |
3189 | ##} RAND_HEADER_MANY | |
3190 | ||
3191 | ##{ RAND_MKTG_HEADER | |
3192 | ||
# Suppressed by bounce-relay, thread-index and X-Mailing-List sub-rules.
3193 | meta RAND_MKTG_HEADER __RAND_MKTG_HEADER && !__HAVE_BOUNCE_RELAYS && !__HAS_THREAD_INDEX && !__HAS_X_MAILING_LIST | |
3194 | describe RAND_MKTG_HEADER Has partially-randomized marketing/tracking header(s) | |
3195 | #score RAND_MKTG_HEADER 2.000 # limit | |
3196 | tflags RAND_MKTG_HEADER publish | |
3197 | ##} RAND_MKTG_HEADER | |
3198 | ||
3199 | ##{ RATWARE_NO_RDNS | |
3200 | ||
# Conjunction of four sub-rules, all required; no exclusions and no tflags
# line. __RDNS_NONE depends on the receiving relay having recorded reverse
# DNS, so hits depend on how the local MTA writes its Received header.
3201 | meta RATWARE_NO_RDNS __RATWARE_BOUND_A && __RDNS_NONE && __MIME_HTML && __MISSING_REF | |
3202 | describe RATWARE_NO_RDNS Suspicious MsgID and MIME boundary + no rDNS | |
3203 | #score RATWARE_NO_RDNS 3.000 # limit | |
3204 | ##} RATWARE_NO_RDNS | |
3205 | ||
3206 | ##{ RCVD_BAD_ID | |
3207 | ||
# Matches an "id" token in a Received header whose value (letters, digits
# and _ + / \ , -) is followed directly by one of the listed punctuation
# characters, or by ';' with no whitespace after it.
3208 | header RCVD_BAD_ID Received =~ /\bid\s+[a-zA-Z0-9_+\/\\,-]+(?:[!"\#\$\%&'()*<=>?\@\[\]^\`{|}~]|;\S)/ | |
3209 | describe RCVD_BAD_ID Received header contains id field with bad characters | |
3210 | ##} RCVD_BAD_ID | |
3211 | ||
3212 | ##{ RCVD_DBL_DQ | |
3213 | ||
# Two bracketed dotted-quad addresses back to back, e.g. "[a.b.c.d][e.f.g.h]",
# in a Received header. Octet values are not range-checked.
3214 | header RCVD_DBL_DQ Received =~ /(?:\[\d+\.\d+\.\d+\.\d+\]){2}/ | |
3215 | describe RCVD_DBL_DQ Malformatted message header | |
3216 | tflags RCVD_DBL_DQ publish | |
3217 | ##} RCVD_DBL_DQ | |
3218 | ||
3219 | ##{ RCVD_DOTEDU_SHORT | |
3220 | ||
# !ALL_TRUSTED keeps the rule off internal mail; also suppressed by
# __FS_SUBJ_RE and __HAS_LIST_ID.
46cfc9e2 | 3221 | meta RCVD_DOTEDU_SHORT __RCVD_DOTEDU_SHORT && !ALL_TRUSTED && !__FS_SUBJ_RE && !__HAS_LIST_ID |
b780ea8d | 3222 | describe RCVD_DOTEDU_SHORT Via .edu MTA + short message |
46cfc9e2 | 3223 | #score RCVD_DOTEDU_SHORT 1.500 # limit |
b780ea8d SI |
3224 | tflags RCVD_DOTEDU_SHORT publish |
3225 | ##} RCVD_DOTEDU_SHORT | |
3226 | ||
3227 | ##{ RCVD_DOTEDU_SUSP_URI | |
3228 | ||
# Thin wrapper around __RCVD_DOTEDU_SUSP_URI; unlike RCVD_DOTEDU_SHORT it
# has no !ALL_TRUSTED term in this stanza.
3229 | meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI | |
3230 | describe RCVD_DOTEDU_SUSP_URI Via .edu MTA + suspicious URI | |
3231 | #score RCVD_DOTEDU_SUSP_URI 3.000 # limit | |
3232 | tflags RCVD_DOTEDU_SUSP_URI publish | |
3233 | ##} RCVD_DOTEDU_SUSP_URI | |
3234 | ||
3235 | ##{ RCVD_FORGED_WROTE | |
3236 | ||
# Case-sensitive: " by <host> with esmtp (" followed by a run of at least
# six characters that are neither lower-case letters nor spaces, a space,
# at least three more such characters, then ") id".
3237 | header RCVD_FORGED_WROTE Received =~ / by \S+ with esmtp \([^a-z ]{6,} [^a-z ]{3,}\) id/ | |
3238 | describe RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam) | |
3239 | ##} RCVD_FORGED_WROTE | |
3240 | ||
3241 | ##{ RCVD_FORGED_WROTE2 | |
3242 | ||
# Matches a fixed Received layout: numeric "from" address, a HELO name
# ending in letters, a 6-6-2 character id, and a "for" address whose domain
# repeats the "by" host (backreference \1). No describe line in this stanza.
3243 | header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s | |
3244 | ##} RCVD_FORGED_WROTE2 | |
3245 | ||
3246 | ##{ RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3247 | ||
# RCVD_IN_IADB_* pattern: each rule is a sub-test on the DNS list set named
# 'iadb-firsttrusted' (the lookup itself is defined elsewhere) and fires
# when the answer matches the given return value. All are flagged
# "net nice": they need network tests and are meant to lower the score.
# The rules exist only when the DNSEval plugin is loaded.
3248 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3249 | header RCVD_IN_IADB_DK eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.3') | |
3250 | describe RCVD_IN_IADB_DK IADB: Sender publishes Domain Keys record | |
3251 | tflags RCVD_IN_IADB_DK net nice | |
3252 | endif | |
3253 | ##} RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3254 | ||
3255 | ##{ RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3256 | ||
3257 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3258 | header RCVD_IN_IADB_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.10') | |
3259 | describe RCVD_IN_IADB_DOPTIN IADB: All mailing list mail is confirmed opt-in | |
3260 | tflags RCVD_IN_IADB_DOPTIN net nice | |
3261 | endif | |
3262 | ##} RCVD_IN_IADB_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3263 | ||
3264 | ##{ RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3265 | ||
3266 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3267 | header RCVD_IN_IADB_DOPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.9') | |
3268 | describe RCVD_IN_IADB_DOPTIN_GT50 IADB: Confirmed opt-in used more than 50% of the time | |
3269 | tflags RCVD_IN_IADB_DOPTIN_GT50 net nice | |
3270 | endif | |
3271 | ##} RCVD_IN_IADB_DOPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3272 | ||
3273 | ##{ RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3274 | ||
# NOTE(review): a weaker attestation than the GT50 rule but carries the
# same "nice" flag; confirm its score is correspondingly smaller.
3275 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3276 | header RCVD_IN_IADB_DOPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.8') | |
3277 | describe RCVD_IN_IADB_DOPTIN_LT50 IADB: Confirmed opt-in used less than 50% of the time | |
3278 | tflags RCVD_IN_IADB_DOPTIN_LT50 net nice | |
3279 | endif | |
3280 | ##} RCVD_IN_IADB_DOPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3281 | ||
3282 | ##{ RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3283 | ||
3284 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3285 | header RCVD_IN_IADB_EDDB eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.1') | |
3286 | describe RCVD_IN_IADB_EDDB IADB: Participates in Email Deliverability Database | |
3287 | tflags RCVD_IN_IADB_EDDB net nice | |
3288 | endif | |
3289 | ##} RCVD_IN_IADB_EDDB ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3290 | ||
3291 | ##{ RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3292 | ||
3293 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3294 | header RCVD_IN_IADB_EPIA eval:check_rbl_sub('iadb-firsttrusted', '127.0.2.2') | |
3295 | describe RCVD_IN_IADB_EPIA IADB: Member of Email Processing Industry Alliance | |
3296 | tflags RCVD_IN_IADB_EPIA net nice | |
3297 | endif | |
3298 | ##} RCVD_IN_IADB_EPIA ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3299 | ||
3300 | ##{ RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3301 | ||
3302 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3303 | header RCVD_IN_IADB_GOODMAIL eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.103') | |
3304 | describe RCVD_IN_IADB_GOODMAIL IADB: Sender has been certified by GoodMail | |
3305 | tflags RCVD_IN_IADB_GOODMAIL net nice | |
3306 | endif | |
3307 | ##} RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3308 | ||
3309 | ##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3310 | ||
# Unlike its siblings this sub-test is an anchored regular expression: it
# accepts either 127.0.0.1 or 127.0.0.2 as the return value.
3311 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3312 | header RCVD_IN_IADB_LISTED eval:check_rbl_sub('iadb-firsttrusted', '^127\.0\.0\.[12]$') | |
3313 | describe RCVD_IN_IADB_LISTED Participates in the IADB system | |
3314 | tflags RCVD_IN_IADB_LISTED net nice | |
3315 | endif | |
3316 | ##} RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3317 | ||
3318 | ##{ RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3319 | ||
3320 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3321 | header RCVD_IN_IADB_LOOSE eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.4') | |
3322 | describe RCVD_IN_IADB_LOOSE IADB: Adds relationship addrs w/out opt-in | |
3323 | tflags RCVD_IN_IADB_LOOSE net nice | |
3324 | endif | |
3325 | ##} RCVD_IN_IADB_LOOSE ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3326 | ||
3327 | ##{ RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3328 | ||
3329 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3330 | header RCVD_IN_IADB_MI_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.1.10') | |
3331 | describe RCVD_IN_IADB_MI_CPEAR IADB: Complies with Michigan's CPEAR law | |
3332 | tflags RCVD_IN_IADB_MI_CPEAR net nice | |
3333 | endif | |
3334 | ##} RCVD_IN_IADB_MI_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3335 | ||
3336 | ##{ RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3337 | ||
3338 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3339 | header RCVD_IN_IADB_MI_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.101.10') | |
3340 | describe RCVD_IN_IADB_MI_CPR_30 IADB: Checked lists against Michigan's CPR within 30 days | |
3341 | tflags RCVD_IN_IADB_MI_CPR_30 net nice | |
3342 | endif | |
3343 | ##} RCVD_IN_IADB_MI_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3344 | ||
3345 | ##{ RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3346 | ||
3347 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3348 | header RCVD_IN_IADB_MI_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.201.10') | |
3349 | describe RCVD_IN_IADB_MI_CPR_MAT IADB: Sends no material under Michigan's CPR | |
3350 | tflags RCVD_IN_IADB_MI_CPR_MAT net nice | |
3351 | endif | |
3352 | ##} RCVD_IN_IADB_MI_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3353 | ||
3354 | ##{ RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3355 | ||
# Sub-test of the 'iadb-firsttrusted' DNSBL set (defined outside this view):
# hits when the lookup returned the A record 127.3.100.100, which the
# description maps to confirmed opt-in mailing-list mail.
# 'net' = needs a DNS query; 'nice' = meant to carry a ham-leaning score.
3356 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3357 | header RCVD_IN_IADB_ML_DOPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.100') | |
3358 | describe RCVD_IN_IADB_ML_DOPTIN IADB: Mailing list email only, confirmed opt-in | |
3359 | tflags RCVD_IN_IADB_ML_DOPTIN net nice | |
3360 | endif | |
3361 | ##} RCVD_IN_IADB_ML_DOPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3362 | ||
3363 | ##{ RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3364 | ||
# Sub-test of the 'iadb-firsttrusted' DNSBL set (defined outside this view):
# hits when the lookup returned the A record 127.3.100.0.
# NOTE(review): the description is a poor sending practice, yet 'nice' classes
# the rule as ham-leaning. No score is visible here - confirm it is neutral
# or informational rather than a credit to the sender.
3365 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3366 | header RCVD_IN_IADB_NOCONTROL eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.0') | |
3367 | describe RCVD_IN_IADB_NOCONTROL IADB: Has absolutely no mailing controls in place | |
3368 | tflags RCVD_IN_IADB_NOCONTROL net nice | |
3369 | endif | |
3370 | ##} RCVD_IN_IADB_NOCONTROL ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3371 | ||
3372 | ##{ RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3373 | ||
# Sub-test of the 'iadb-firsttrusted' DNSBL set (defined outside this view):
# hits when the lookup returned the A record 127.3.100.200.
# 'net' = needs a DNS query; 'nice' = meant to carry a ham-leaning score.
3374 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3375 | header RCVD_IN_IADB_OOO eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.200') | |
3376 | describe RCVD_IN_IADB_OOO IADB: One-to-one/transactional email only | |
3377 | tflags RCVD_IN_IADB_OOO net nice | |
3378 | endif | |
3379 | ##} RCVD_IN_IADB_OOO ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3380 | ||
3381 | ##{ RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3382 | ||
# Sub-test of the 'iadb-firsttrusted' DNSBL set (defined outside this view):
# hits when the lookup returned the A record 127.3.100.7.
# 'net' = needs a DNS query; 'nice' = meant to carry a ham-leaning score.
3383 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3384 | header RCVD_IN_IADB_OPTIN eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.7') | |
3385 | describe RCVD_IN_IADB_OPTIN IADB: All mailing list mail is opt-in | |
3386 | tflags RCVD_IN_IADB_OPTIN net nice | |
3387 | endif | |
3388 | ##} RCVD_IN_IADB_OPTIN ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3389 | ||
3390 | ##{ RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3391 | ||
# Sub-test of the 'iadb-firsttrusted' DNSBL set (defined outside this view):
# hits when the lookup returned the A record 127.3.100.6.
# 'net' = needs a DNS query; 'nice' = meant to carry a ham-leaning score.
# The description is only a partial assurance (opt-in for most, not all, mail).
3392 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3393 | header RCVD_IN_IADB_OPTIN_GT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.6') | |
3394 | describe RCVD_IN_IADB_OPTIN_GT50 IADB: Opt-in used more than 50% of the time | |
3395 | tflags RCVD_IN_IADB_OPTIN_GT50 net nice | |
3396 | endif | |
3397 | ##} RCVD_IN_IADB_OPTIN_GT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3398 | ||
3399 | ##{ RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3400 | ||
# Sub-test of the 'iadb-firsttrusted' DNSBL set (defined outside this view):
# hits when the lookup returned the A record 127.3.100.5.
# NOTE(review): "opt-in less than 50% of the time" is a weak practice, yet
# 'nice' classes the rule as ham-leaning. No score is visible here - confirm
# it does not grant a credit.
3401 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3402 | header RCVD_IN_IADB_OPTIN_LT50 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.5') | |
3403 | describe RCVD_IN_IADB_OPTIN_LT50 IADB: Opt-in used less than 50% of the time | |
3404 | tflags RCVD_IN_IADB_OPTIN_LT50 net nice | |
3405 | endif | |
3406 | ##} RCVD_IN_IADB_OPTIN_LT50 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3407 | ||
3408 | ##{ RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3409 | ||
# Sub-test of the 'iadb-firsttrusted' DNSBL set (defined outside this view):
# hits when the lookup returned the A record 127.3.100.1.
# NOTE(review): the description (address scraping, opt-out only) is a spam
# indicator, yet 'nice' classes the rule as ham-leaning. No score is visible
# here - confirm it is neutral or informational, not a credit.
3410 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3411 | header RCVD_IN_IADB_OPTOUTONLY eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.1') | |
3412 | describe RCVD_IN_IADB_OPTOUTONLY IADB: Scrapes addresses, pure opt-out only | |
3413 | tflags RCVD_IN_IADB_OPTOUTONLY net nice | |
3414 | endif | |
3415 | ##} RCVD_IN_IADB_OPTOUTONLY ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3416 | ||
3417 | ##{ RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3418 | ||
# Sub-test of the 'iadb-firsttrusted' DNSBL set (defined outside this view):
# hits when the lookup returned the A record 127.2.255.4.
# 'net' = needs a DNS query; 'nice' = meant to carry a ham-leaning score.
# This reports what the list says about the sender; the rule itself performs
# no reverse-DNS lookup.
3419 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3420 | header RCVD_IN_IADB_RDNS eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.4') | |
3421 | describe RCVD_IN_IADB_RDNS IADB: Sender has reverse DNS record | |
3422 | tflags RCVD_IN_IADB_RDNS net nice | |
3423 | endif | |
3424 | ##} RCVD_IN_IADB_RDNS ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3425 | ||
3426 | ##{ RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3427 | ||
# Sub-test of the 'iadb-firsttrusted' DNSBL set (defined outside this view):
# hits when the lookup returned the A record 127.2.255.2.
# 'net' = needs a DNS query; 'nice' = meant to carry a ham-leaning score.
# The hit says the sender publishes a record, not that this message passed a
# Sender ID check; treat it as weak evidence on its own.
3428 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3429 | header RCVD_IN_IADB_SENDERID eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.2') | |
3430 | describe RCVD_IN_IADB_SENDERID IADB: Sender publishes Sender ID record | |
3431 | tflags RCVD_IN_IADB_SENDERID net nice | |
3432 | endif | |
3433 | ##} RCVD_IN_IADB_SENDERID ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3434 | ||
3435 | ##{ RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3436 | ||
# Sub-test of the 'iadb-firsttrusted' DNSBL set (defined outside this view):
# hits when the lookup returned the A record 127.2.255.1.
# 'net' = needs a DNS query; 'nice' = meant to carry a ham-leaning score.
# The hit says the sender publishes an SPF record, not that this message
# passed SPF; it does not replace an actual SPF evaluation.
3437 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3438 | header RCVD_IN_IADB_SPF eval:check_rbl_sub('iadb-firsttrusted', '127.2.255.1') | |
3439 | describe RCVD_IN_IADB_SPF IADB: Sender publishes SPF record | |
3440 | tflags RCVD_IN_IADB_SPF net nice | |
3441 | endif | |
3442 | ##} RCVD_IN_IADB_SPF ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3443 | ||
3444 | ##{ RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3445 | ||
# Sub-test of the 'iadb-firsttrusted' DNSBL set (defined outside this view):
# hits when the lookup returned the A record 127.3.100.2.
# NOTE(review): accepting unverified sign-ups is a weak practice, yet 'nice'
# classes the rule as ham-leaning. No score is visible here - confirm it does
# not grant a credit.
3446 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3447 | header RCVD_IN_IADB_UNVERIFIED_1 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.2') | |
3448 | describe RCVD_IN_IADB_UNVERIFIED_1 IADB: Accepts unverified sign-ups | |
3449 | tflags RCVD_IN_IADB_UNVERIFIED_1 net nice | |
3450 | endif | |
3451 | ##} RCVD_IN_IADB_UNVERIFIED_1 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3452 | ||
3453 | ##{ RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3454 | ||
# Sub-test of the 'iadb-firsttrusted' DNSBL set (defined outside this view):
# hits when the lookup returned the A record 127.3.100.3.
# NOTE(review): unverified sign-ups with an opt-out is still a weak practice,
# yet 'nice' classes the rule as ham-leaning. No score is visible here -
# confirm it does not grant a credit.
3455 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3456 | header RCVD_IN_IADB_UNVERIFIED_2 eval:check_rbl_sub('iadb-firsttrusted', '127.3.100.3') | |
3457 | describe RCVD_IN_IADB_UNVERIFIED_2 IADB: Accepts unverified sign-ups, gives chance to opt out | |
3458 | tflags RCVD_IN_IADB_UNVERIFIED_2 net nice | |
3459 | endif | |
3460 | ##} RCVD_IN_IADB_UNVERIFIED_2 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3461 | ||
3462 | ##{ RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3463 | ||
# Sub-test of the 'iadb-firsttrusted' DNSBL set (defined outside this view):
# hits when the lookup returned the A record 127.101.2.10.
# 'net' = needs a DNS query; 'nice' = meant to carry a ham-leaning score.
3464 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3465 | header RCVD_IN_IADB_UT_CPEAR eval:check_rbl_sub('iadb-firsttrusted', '127.101.2.10') | |
3466 | describe RCVD_IN_IADB_UT_CPEAR IADB: Complies with Utah's CPEAR law | |
3467 | tflags RCVD_IN_IADB_UT_CPEAR net nice | |
3468 | endif | |
3469 | ##} RCVD_IN_IADB_UT_CPEAR ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3470 | ||
3471 | ##{ RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3472 | ||
# Sub-test of the 'iadb-firsttrusted' DNSBL set (defined outside this view):
# hits when the lookup returned the A record 127.101.102.10.
# 'net' = needs a DNS query; 'nice' = meant to carry a ham-leaning score.
3473 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3474 | header RCVD_IN_IADB_UT_CPR_30 eval:check_rbl_sub('iadb-firsttrusted', '127.101.102.10') | |
3475 | describe RCVD_IN_IADB_UT_CPR_30 IADB: Checked lists against Utah's CPR within 30 days | |
3476 | tflags RCVD_IN_IADB_UT_CPR_30 net nice | |
3477 | endif | |
3478 | ##} RCVD_IN_IADB_UT_CPR_30 ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3479 | ||
3480 | ##{ RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3481 | ||
# Sub-test of the 'iadb-firsttrusted' DNSBL set (defined outside this view):
# hits when the lookup returned the A record 127.101.202.10.
# 'net' = needs a DNS query; 'nice' = meant to carry a ham-leaning score.
3482 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3483 | header RCVD_IN_IADB_UT_CPR_MAT eval:check_rbl_sub('iadb-firsttrusted', '127.101.202.10') | |
3484 | describe RCVD_IN_IADB_UT_CPR_MAT IADB: Sends no material under Utah's CPR | |
3485 | tflags RCVD_IN_IADB_UT_CPR_MAT net nice | |
3486 | endif | |
3487 | ##} RCVD_IN_IADB_UT_CPR_MAT ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
3488 | ||
3489 | ##{ RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # { | |
3490 | ||
# DNSBL lookup against the zone psbl.surriel.com. under the set name
# 'psbl-lastexternal'; the '-lastexternal' suffix presumably limits the query
# to the last external relay - confirm against the DNSEval documentation.
# The trailing dot makes the zone name absolute, so resolver search domains
# are not appended to it.
# 'net' only (no 'nice'): this is a spam-side indicator. No score is set in
# this view.
# NOTE(review): the verdict depends on a third-party zone; confirm how the
# deployment behaves when the zone is unreachable or the resolver is blocked.
3491 | ifplugin Mail::SpamAssassin::Plugin::DNSEval # { | |
3492 | header RCVD_IN_PSBL eval:check_rbl('psbl-lastexternal', 'psbl.surriel.com.') | |
3493 | describe RCVD_IN_PSBL Received via a relay in PSBL | |
3494 | tflags RCVD_IN_PSBL net | |
3495 | endif | |
3496 | ##} RCVD_IN_PSBL ifplugin Mail::SpamAssassin::Plugin::DNSEval # { | |
3497 | ||
3498 | ##{ RCVD_MAIL_COM | |
3499 | ||
# Hits when a Received header contains the bare name post.com or mail.com
# delimited by whitespace, a parenthesis or a bracket on both sides, so a
# longer host name such as smtp.mail.com does not match.
# /i makes the match case-insensitive; /s has no effect because the pattern
# contains no unescaped '.'.
# NOTE(review): the description says "forged", but the pattern only tests for
# the bare name - confirm no legitimate relay announces itself that way.
# No score or tflags are set in this view.
3500 | header RCVD_MAIL_COM Received =~ /[\s\(\[](?:post|mail)\.com[\s\)\]]/is | |
3501 | describe RCVD_MAIL_COM Forged Received header (contains post.com or mail.com) | |
3502 | ##} RCVD_MAIL_COM | |
3503 | ||
3504 | ##{ RDNS_LOCALHOST | |
3505 | ||
# Tests the X-Spam-Relays-External pseudo-header. '^\[ ' anchors the match to
# the first relay entry; the rule hits when that entry's ip is a dotted quad
# that does not begin with "127" while its rdns is "localhost" or
# "localhost.localdomain" (case-insensitive).
# Only the IPv4 dotted form is matched, so an entry with an IPv6 address falls
# outside the pattern. No score is set in this view.
3506 | header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i | |
3507 | describe RDNS_LOCALHOST Sender's public rDNS is "localhost" | |
3508 | ##} RDNS_LOCALHOST | |
3509 | ||
3510 | ##{ RDNS_NUM_TLD_ATCHNX | |
3511 | ||
# Meta rule: true only when both sub-rules hit. __RDNS_NUMERIC_TLD and
# __ATTACH_NAME_NO_EXT are defined outside this view, so what each one tests
# is known here only from its name and the description below.
# The score line is commented out ("# limit" is presumably a cap hint for
# score generation - confirm); the effective score is not set here.
3512 | meta RDNS_NUM_TLD_ATCHNX __RDNS_NUMERIC_TLD && __ATTACH_NAME_NO_EXT | |
3513 | describe RDNS_NUM_TLD_ATCHNX Relay rDNS has numeric TLD + suspicious attachment | |
3514 | #score RDNS_NUM_TLD_ATCHNX 3.000 # limit | |
3515 | tflags RDNS_NUM_TLD_ATCHNX publish | |
3516 | ##} RDNS_NUM_TLD_ATCHNX | |
3517 | ||
3518 | ##{ RDNS_NUM_TLD_XM | |
3519 | ||
# Meta rule: needs __RDNS_NUMERIC_TLD plus at least one of the four __HAS_XM_*
# sub-rules. All five are defined outside this view; from the names they look
# like header-presence tests - confirm against their definitions.
# The score line is commented out, so the effective score is not set here.
3520 | meta RDNS_NUM_TLD_XM __RDNS_NUMERIC_TLD && (__HAS_XM_SID || __HAS_XM_LID || __HAS_XM_RECPTID || __HAS_XM_SENTBY) | |
3521 | describe RDNS_NUM_TLD_XM Relay rDNS has numeric TLD + suspicious headers | |
3522 | #score RDNS_NUM_TLD_XM 3.000 # limit | |
3523 | tflags RDNS_NUM_TLD_XM publish | |
3524 | ##} RDNS_NUM_TLD_XM | |
3525 | ||
fc5290a3 SI |
3526 | ##{ READY_TO_SHIP |
3527 | ||
# Body rule: the pattern below is a case-insensitive alternation of stock
# "goods are in our warehouse / ready to ship" sales phrases.
# Its word-count repetitions are bounded ({2,8}, {1,6}, {1,3}); the two '+'
# groups repeat fixed literals only.
# NOTE(review): the rule has no describe line, so a report can show only the
# rule name. The score line is commented out; no score is set in this view.
3528 | body READY_TO_SHIP /(?:(?:in our (?:stock|warehouse|store|storage facility)(?: today| now| right away)?[.,:]\s|our (?:\w+,? ){2,8}(?:is |now )+)Ready (?:to (?:be )?|for )+(?:ship|send|deliver)|ready (?:for shipping|to (?:ship|send)) (?:(?:in|from|by) our (?:warehouse|stock|stor(?:e|age))|(?:to|for)(?: global(?:ly)?| worldwide| customers){2})|(?:(?:our|this|a|great|fine|wonderful|cool|popular) new product|we have(?: \w+){1,6} available|ready) in (?:our )?(?:warehouse|stock|stor(?:e|age))|just arrived in our (?:warehouse|stor(?:e|age))|we will (?:contact the (?:warehouse|logistics|store|storage(?: facility)) to )?arrange (?:the )?(?:shipment|delivery)|a new (?:\w+ ){1,3}in our (?:warehouse|storage)|this (?:new )?(?:merchandise|product|item) is (?:now )?(?:ready (?:to ship )?|available )(?:at|in|from) our (?:warehouse|stock|stor(?:e|age)))/i | |
3529 | #score READY_TO_SHIP 1.250 # limit | |
3530 | ##} READY_TO_SHIP | |
3531 | ||
b780ea8d SI |
3532 | ##{ REPLYTO_WITHOUT_TO_CC |
3533 | ||
# Meta rule: true when __HAS_REPLY_TO hits and __TOCC_EXISTS does not. Both
# sub-rules are defined outside this view; going by the names, that means a
# Reply-To header is present while neither To nor Cc exists - confirm.
# NOTE(review): no describe, score or tflags line accompanies the rule here.
3534 | meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS) | |
3535 | ##} REPLYTO_WITHOUT_TO_CC | |
3536 | ||
3537 | ##{ REPTO_419_FRAUD | |
3538 | ||
# Exact-match indicator list: the rule below tests the Reply-To address
# (':addr') against a fixed set of mailboxes. The pattern is anchored with
# ^...$ and uses /i, so only a whole-address match hits.
# The leading negative lookahead skips gmail, yahoo, outlook, hotmail, aol,
# yandex, protonmail, qq and consultant (.com) and yahoo.co.jp; per-domain
# rules for several of those follow in this file.
# NOTE(review): the entry ending in '\@yahoo\.c' looks truncated - as written
# it can only match a domain that is literally "yahoo.c"; confirm the intended
# domain.
# NOTE(review): a static list goes stale as mailboxes are closed or
# reassigned, so entries need periodic review to limit false hits.
fc5290a3 | 3539 | header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:ibrahimtafa)\@abienceinvestmentsfze\.com|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:jessikasingh|lawmensa|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:jefferson)\@athenaeumbd\.com|(?:(?:bllphillips|desousafam05))\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:cbn)\@cbofficialmail\.cf|(?:2015(?:5765|648[48]))\@ce\.pucmm\.edu\.do|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:mundo_seguros)\@contorli\.site|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:brunoso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|i(?:lanasoloshneor|nfo90000)|joseramonjr1|mynewmission|r(?:e(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))|onconway)))\@daum\.net|(?:blythem
asters)\@digitalassetholding\.org|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|facebook\.instructor|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|walter_anderson))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:juliairis)\@gmx\.net|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:christgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:bo_li)\@imgrantfunds\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|m(?:\.wood|ingmui0012)|offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:info)\@intarpol-int\.online|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[
12])\@itbox\.ro|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|kateclough1|mriamchombo1968))\@mail\.com|(?:ayishagddafio?)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:managing\-director_schaefflergroup)\@mariaelisabeth\.gisb\.com\.my|(?:doo\.yusin)\@matherline-trade\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:lindsaytrembley)\@oimail\.com|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:info)\@onlinepch\.com|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:martinahrivnakova)\@post\.cz|(?:ffundsremitunits)\@premiumt
bnk\.com|(?:santiagomachado)\@presidency\.com|(?:(?:charitylisajohnrobinson700|leonardbain|stwrightsmaxinvestment))\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|garethbull808|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:msn)\@resrubini\.com|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:clory)\@technet\.it|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:info\.(?:clev\.frb|imfamerica)|policyaddmin\.file))\@usa\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@
yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:laprimitivaes)\@zohomail\.eu)$/i |
b780ea8d SI |
3540 | describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox |
3541 | #score REPTO_419_FRAUD 3.000 | |
3542 | tflags REPTO_419_FRAUD publish | |
3543 | ##} REPTO_419_FRAUD | |
3544 | ||
3545 | ##{ REPTO_419_FRAUD_AOL | |
3546 | ||
# aol.com counterpart of the exact-match Reply-To list. The lookahead
# (?=[^\s<>@]+\@aol\.com) gates the rule to aol.com addresses before the
# local-part alternation is tried; ^...$ with /i means only a whole-address
# match hits.
# The score line is commented out, so the effective score is not set here.
# NOTE(review): static indicator list - entries need periodic review as
# mailboxes are closed or reassigned.
dfdd1e08 | 3547 | header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:brajjohn|f\.2[06]|ljaber111|meliageorge|nd(?:_bley|rew_hans)|rthur\.alan)|b(?:a(?:anidleewy|rr_luc)|claimdept)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|laimdept21|ristinabruno38|ustom_service58)|d(?:avid\.kms|hodgkins001|ianwaynie)|e(?:ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|isarobinson5\.0|orrainewirangee|ynnpage44)|m(?:_l\.wanczyk62|a(?:sayohara21|viswanczyk[do])|rs(?:isabelladzsesszika|janetedwards0001|safiagaddafi))|officework172|p(?:aulpollard2|otfolio\.management)|royalpalace2018|s(?:\.fofo|afiiagadafi|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|wattson\.renwick|yurdaaytarkan5))\@aol\.com$/i |
b780ea8d SI |
3548 | describe REPTO_419_FRAUD_AOL Reply-To is known advance fee fraud collector mailbox |
3549 | #score REPTO_419_FRAUD_AOL 3.000 | |
3550 | tflags REPTO_419_FRAUD_AOL publish | |
3551 | ##} REPTO_419_FRAUD_AOL | |
3552 | ||
3553 | ##{ REPTO_419_FRAUD_AOL_LOOSE | |
3554 | ||
# Meta rule: hits when the loose sub-rule __REPTO_419_FRAUD_AOL_LOOSE (defined
# outside this view) matches and the exact rule REPTO_419_FRAUD_AOL does not,
# so one message is never counted by both.
# The commented score hint (1.000) is lower than the exact rule's (3.000),
# which fits a "similar to" match with a higher false-positive risk. The
# effective score is not set here.
3555 | meta REPTO_419_FRAUD_AOL_LOOSE __REPTO_419_FRAUD_AOL_LOOSE && !REPTO_419_FRAUD_AOL | |
3556 | describe REPTO_419_FRAUD_AOL_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox | |
3557 | #score REPTO_419_FRAUD_AOL_LOOSE 1.000 | |
3558 | tflags REPTO_419_FRAUD_AOL_LOOSE publish | |
3559 | ##} REPTO_419_FRAUD_AOL_LOOSE | |
3560 | ||
3561 | ##{ REPTO_419_FRAUD_CNS | |
3562 | ||
# consultant.com counterpart of the exact-match Reply-To list. The lookahead
# gates the rule to consultant.com addresses; ^...$ with /i means only a
# whole-address match against one of the listed local parts hits.
# The score line is commented out, so the effective score is not set here.
# NOTE(review): static indicator list - entries need periodic review as
# mailboxes are closed or reassigned.
fc5290a3 | 3563 | header REPTO_419_FRAUD_CNS Reply-To:addr =~ /^(?=[^\s<>@]+\@consultant\.com)(?:(?:anthonyalvarad|davidhenri|lottomaxclaims7|morrisherb|pchonline|t(?:eo\.westin|he\.trustees1|rustees202000)|westernuniopayment\.agent0018))\@consultant\.com$/i |
b780ea8d SI |
3564 | describe REPTO_419_FRAUD_CNS Reply-To is known advance fee fraud collector mailbox |
3565 | #score REPTO_419_FRAUD_CNS 3.000 | |
3566 | tflags REPTO_419_FRAUD_CNS publish | |
3567 | ##} REPTO_419_FRAUD_CNS | |
3568 | ||
3569 | ##{ REPTO_419_FRAUD_GM | |
3570 | ||
# gmail.com counterpart of the exact-match Reply-To list. The lookahead
# (?=[^\s<>@]+\@gmail\.com) gates the rule to gmail.com addresses before the
# local-part alternation is tried; ^...$ with /i means only a whole-address
# match hits.
# The local parts are folded into shared-prefix groups, which makes single
# entries hard to audit by eye. NOTE(review): the pattern looks generated -
# change the source list and regenerate rather than editing it by hand.
# NOTE(review): static indicator list - entries need periodic review as
# mailboxes are closed or reassigned.
fc5290a3 | 3571 | header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|7912richardtony|9porssts9|a(?:\.wafager1|b(?:d(?:97412345|u(?:kfahim|llahmundani019))|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976(?:algaddafi|gaddafi25)|gaddafiaam)|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|ure\.wawrenka1472)|m(?:bassadormarybethleonardl4|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:hony(?:alvaradollc|jblinken61)|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|ttohlawoffice\.tg|ustinbillmark9|w1614860|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|clarkephillips(?:2(?:02|4)|4[59])|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195))|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:a(?:pinolly|rtwrighttownhomesllc)|claimsa|elicerez|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavisdonation1))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|kaltschmidtm
aureend|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|hsdevice|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick)|u(?:nsilva58|stinmoskovitz\.2facebook)|v\.metus)|e(?:benezero392|christina937|drunity|l(?:i(?:bethgomez(?:175|499)|sabethmaria600|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|p462558|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|iscamendoza960)|k(?:j(?:ane984|wangg)|linpiesie6)))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016))|b(?:528796|ill4880)|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|i(?:idp955|ocastano21)|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen)|h(?:a(?:r(?:gate2909|ryebert101)|s(?:h(?:imyreem78|mireem801)|sanalshujairy))|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321))|g(?:8669000|old8080)|i(?:ldad837|toshurui)|o(?:nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|bed627|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|ttcuckk)|gridrolle2)|rvinekim67|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esok
oh82)|n(?:nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b(?:5406424|lsuntrust)|c2222222rrr|e(?:fferydean1960|nniannjhsonn|robtt)|josvu|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:athanhaskel377|hugo1964|monkssa)|seph(?:acevedo024|babatunde192|ichael41)|vannyanderson001|yce00011)|rawlings007|s4fernado|uliewatson975|w6935997)|k(?:a(?:dulinayulii(?:ia|a)|l(?:iaksandr5|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|rnkl1109|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|onidasresearch|rynne(?:0west99|west2289))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|nelink008|sa(?:milner001|robin117))|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran6(?:30|56)|uelfranco(?:727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26|tinesecurityusa)|kroth456|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|thewriaanza|u(?:hin52|noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt)|brons667|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001
|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|ss(?:\.(?:melisa\.mehmett|yasmineibrahim101)|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati)|nmalarge|oham(?:edabdul1717|m(?:daljililati1|edshamekh24))|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee)|cjames001|d517341|eric(?:franck|schmid4002)|hanimuhammad627|jamesmc6|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|olsenjanett|su(?:sanread12|zarawanmaling))|a(?:ishaalqadafi1976|ngela454)|catherineyokes|dominiquethomas7777|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|lleach)|lisamilner08|m(?:a(?:ureens847|yaoliver31)|ugan)|r(?:eem362|obinsanders185|uthsmith9900)|sarahbenjamin103|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|viktorzubkovv)|s(?:\.ellagolan56|agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffic(?:e(?:\.012123|rricherd876|windowterms)|ialserviceuae)|hallkenneth1|marinyandeng|nufoundationclaims|pcwkdw|xfaminternationa1980)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018))|b(?:ph202lay2|rookk0)|e(?:130304|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|olloke|r(?:imecapitalfianceltd|o1nvstream)|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymondaba200)|e(?:alyh596|beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|icha(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|josh200000|main2028|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ddicklana561|ssiaworldcuppromo)
)|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid(?:09|7000))|nchoscozfifa|rfiafarfask7)|cott(?:henryjames91|peters7989)|e(?:cretservicce[78]|rgeantrobertbrown1)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler2009)|ery(?:\.gtl131|etr03)|inawatrathaksin93)|im(?:lkheng5|onhei47)|op(?:adam3|hiajesse41)|peelman1972|t(?:anleyjohn1469|e(?:phen(?:7tam|tam1(?:47|6))|venchamberonline))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:a(?:mmywebster24|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|erryparkins11|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:derleyen52|kponguko|marukareem8|n(?:claimedfunds554|itednation(?:organization70|s(?:8182|councilrefunds)))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|c5000dle|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iamsmartyrs888))|kfinancialservice|orldbankregionalmanageroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|o(?:ngkm00|usefzongo5722))|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i |
b780ea8d SI |
3572 | describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox |
3573 | #score REPTO_419_FRAUD_GM 3.000 | |
3574 | tflags REPTO_419_FRAUD_GM publish | |
3575 | ##} REPTO_419_FRAUD_GM | |
3576 | ||
3577 | ##{ REPTO_419_FRAUD_GM_LOOSE | |
3578 | ||
# Meta rule: hits when the loose sub-rule __REPTO_419_FRAUD_GM_LOOSE (defined
# outside this view) matches and the exact rule REPTO_419_FRAUD_GM does not,
# so one message is never counted by both.
# The commented score hint (1.000) is lower than the exact rule's (3.000),
# which fits a "similar to" match with a higher false-positive risk. The
# effective score is not set here.
3579 | meta REPTO_419_FRAUD_GM_LOOSE __REPTO_419_FRAUD_GM_LOOSE && !REPTO_419_FRAUD_GM | |
3580 | describe REPTO_419_FRAUD_GM_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox | |
3581 | #score REPTO_419_FRAUD_GM_LOOSE 1.000 | |
3582 | tflags REPTO_419_FRAUD_GM_LOOSE publish | |
3583 | ##} REPTO_419_FRAUD_GM_LOOSE | |
3584 | ||
3585 | ##{ REPTO_419_FRAUD_HM | |
3586 | ||
# hotmail.com counterpart of the exact-match Reply-To list. The lookahead
# (?=[^\s<>@]+\@hotmail\.com) gates the rule to hotmail.com addresses;
# ^...$ with /i means only a whole-address match hits.
# The score line is commented out, so the effective score is not set here.
# NOTE(review): static indicator list - entries need periodic review as
# mailboxes are closed or reassigned.
fc5290a3 | 3587 | header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|licewalton7653|n(?:ikal01|nagray00)|zezul\.idrisazezulidris)|c(?:h(?:angxinjuan|oi21)|laytousey)|d(?:l13139|r\.dukanalycoulibaly)|egorbunova22|faxttransfer\.skyebk\.service\.care\.th|infos(?:43|8)|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|ulihongm)|mr(?:abrahambeniamfc|pedrohilldonations|s(?:\.chantal_bill|micheleallison2003))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|powen10001|quickcashloansservices|s(?:a(?:jda\.andleeb|nchamps798)|ulaimaninfante)|t(?:ashacap|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i |
b780ea8d SI |
3588 | describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox |
3589 | #score REPTO_419_FRAUD_HM 3.000 | |
3590 | tflags REPTO_419_FRAUD_HM publish | |
3591 | ##} REPTO_419_FRAUD_HM | |
3592 | ||
3593 | ##{ REPTO_419_FRAUD_OL | |
3594 | ||
21dcadbf | 3595 | header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|b(?:rahamwilliamsonrpsltduk|s0000200)|lbertchebe|ndrewgamble7)|b(?:asidris|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|k(?:aujong|officollins)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:_elizabeth20|michelleallison|roseallen))|spvt2020)|philcohen0012|r(?:ichardwahlfreegrant|obertleeonly01)|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i |
b780ea8d SI |
3596 | describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox |
3597 | #score REPTO_419_FRAUD_OL 3.000 | |
3598 | tflags REPTO_419_FRAUD_OL publish | |
3599 | ##} REPTO_419_FRAUD_OL | |
3600 | ||
3601 | ##{ REPTO_419_FRAUD_PM | |
3602 | ||
| # Exact-match blocklist: the first address in Reply-To (":addr") must be one of the listed local parts at protonmail.com, | |
| # anchored at both ends and compared case-insensitively. | |
| # The leading lookahead checks the domain before the alternation of local parts is tried - presumably a cheap early reject. | |
| # NOTE(review): a static list only catches mailboxes that were already reported; no *_LOOSE companion for this domain | |
| # is visible in this section, so a new mailbox on the same domain is not covered by this rule. | |
dfdd1e08 | 3603 | header REPTO_419_FRAUD_PM Reply-To:addr =~ /^(?=[^\s<>@]+\@protonmail\.com)(?:(?:armstrong0244|berndkoch|davidmetus|euclaim|p(?:a(?:melagriffi|t\.nwankwo)|rotonydonation)|scottpeter012|the\.trustees1|v\.brianpierre|yihsbltan|ziraatbankasi))\@protonmail\.com$/i |
b780ea8d SI |
3604 | describe REPTO_419_FRAUD_PM Reply-To is known advance fee fraud collector mailbox |
3605 | #score REPTO_419_FRAUD_PM 3.000 | |
3606 | tflags REPTO_419_FRAUD_PM publish | |
3607 | ##} REPTO_419_FRAUD_PM | |
3608 | ||
3609 | ##{ REPTO_419_FRAUD_QQ | |
3610 | ||
| # Exact-match blocklist of Reply-To mailboxes at qq.com; several entries are purely numeric local parts. | |
| # The whole address must match (^...$, case-insensitive), so an address that merely contains a listed string does not hit. | |
| # The score line below is commented out, so this section does not itself set the rule's weight. | |
31955ede | 3611 | header REPTO_419_FRAUD_QQ Reply-To:addr =~ /^(?=[^\s<>@]+\@qq\.com)(?:(?:1731419584|2(?:032508290|3(?:72948239|89029403|97857528))|3523284224|akia\.j55|l\.valiant|peterwong20177|qatarfoundation01|wang_cjianlin))\@qq\.com$/i |
b780ea8d SI |
3612 | describe REPTO_419_FRAUD_QQ Reply-To is known advance fee fraud collector mailbox |
3613 | #score REPTO_419_FRAUD_QQ 3.000 | |
3614 | tflags REPTO_419_FRAUD_QQ publish | |
3615 | ##} REPTO_419_FRAUD_QQ | |
3616 | ||
3617 | ##{ REPTO_419_FRAUD_YH | |
3618 | ||
dfdd1e08 | 3619 | header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|ilmohammed11|lesiakalina2006|mbassador\.l|nnhester\.usa4)|b(?:a(?:che\.delfine|nk\.phbng14|rr\.thomasclark)|en(?:jaminb34|nicholas22)|illlawrenceee|riceangela45)|c(?:\.aroline90|abinet_maitre_emmanuel_patris|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|ontelamine|ythiamiller\.un10)|d(?:hamilton9099|r(?:_raymondfung|kobiorah|obiorahkenneth|victorobaji))|e(?:denvictor71|ricalbert24)|f(?:bicompensation_funds|ederal\.r73)|i(?:\.project33411|befranfgnfmf|nfomoney|project32411)|j(?:a(?:ckson\.davis915|netemoon150)|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:altschmidtdavid8|elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555)|o(?:an\.assist|rrainewirengee)|y_cheapiseth(?:11|2019))|m(?:\.kogi81|a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis4004|o(?:hammedaahil46|keye79)|rs(?:\.esthernicolas|isabella\.dzesszikan)|s\.gracie_olakun)|o(?:legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|o(?:bertbailey2004|serichard655))|s(?:amthong4040|igurlauganna34|leo25|opheap\.munny|pwalker101|te(?:fanopessina573|vecox\.98))|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|vanserge2001|will(?:clark0010|smi68)|xianglongdai60|zhaodonghk))\@yahoo\.com$/i |
b780ea8d SI |
3620 | describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox |
3621 | #score REPTO_419_FRAUD_YH 3.000 | |
3622 | tflags REPTO_419_FRAUD_YH publish | |
3623 | ##} REPTO_419_FRAUD_YH | |
3624 | ||
3625 | ##{ REPTO_419_FRAUD_YH_LOOSE | |
3626 | ||
| # Fires on the __REPTO_419_FRAUD_YH_LOOSE subrule (defined outside this section) only when the exact-list rule | |
| # REPTO_419_FRAUD_YH did not hit; the two are mutually exclusive by construction. | |
| # NOTE(review): a resemblance match on a large freemail domain can hit legitimate users - keep its weight below the exact rule's. | |
3627 | meta REPTO_419_FRAUD_YH_LOOSE __REPTO_419_FRAUD_YH_LOOSE && !REPTO_419_FRAUD_YH | |
3628 | describe REPTO_419_FRAUD_YH_LOOSE Ends-in-digits Reply-To is similar to known advance fee fraud collector mailbox | |
3629 | #score REPTO_419_FRAUD_YH_LOOSE 1.000 | |
3630 | tflags REPTO_419_FRAUD_YH_LOOSE publish | |
3631 | ##} REPTO_419_FRAUD_YH_LOOSE | |
3632 | ||
3633 | ##{ REPTO_419_FRAUD_YJ | |
3634 | ||
31955ede | 3635 | header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|oneygram100|rs_chen_00001)|r(?:acheljude000|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i |
b780ea8d SI |
3636 | describe REPTO_419_FRAUD_YJ Reply-To is known advance fee fraud collector mailbox |
3637 | #score REPTO_419_FRAUD_YJ 3.000 | |
3638 | tflags REPTO_419_FRAUD_YJ publish | |
3639 | ##} REPTO_419_FRAUD_YJ | |
3640 | ||
3641 | ##{ REPTO_419_FRAUD_YN | |
3642 | ||
dfdd1e08 | 3643 | header REPTO_419_FRAUD_YN Reply-To:addr =~ /^(?=[^\s<>@]+\@yandex\.com)(?:(?:a(?:lhashimi123|m(?:andarandle|g3333txx101)|n(?:a\.mariposa|n(?:acooper2019|zainab))|wesome\.mariacarmen)|c(?:harles\.kable|lemlau)|de(?:edee\-paul|jongpeter|ptoversea)|f(?:3dex\.courier|ed\.r3v|reedommarketinvestments)|gadd4fi\.aisha|h(?:ashimireem|halesbbanddd?)|joseph\-scott2k5|l(?:es20sc|otointernational\.elgordo)|m(?:arcarmenguty|fdpm|r(?:\.kongkea|akram\.elkerrami|spercy))|p(?:aragonloansinc|rincedarren0244)|rich(?:ard\.wahl|lawands)|tresor\.mambo|w(?:b\.foundation|ill(?:1amsmarg1|iam(?:simon1960|wilbert1)))|za\.dc2016))\@yandex\.com$/i |
b780ea8d SI |
3644 | describe REPTO_419_FRAUD_YN Reply-To is known advance fee fraud collector mailbox |
3645 | #score REPTO_419_FRAUD_YN 3.000 | |
3646 | tflags REPTO_419_FRAUD_YN publish | |
3647 | ##} REPTO_419_FRAUD_YN | |
3648 | ||
dfdd1e08 SI |
3649 | ##{ REPTO_INFONUMSCOM |
3650 | ||
| # Thin wrapper that publishes the __REPTO_INFONUMSCOM subrule (defined outside this section) under a scoreable name. | |
| # NOTE(review): this section has no describe line, so reports show only the rule name; what the subrule matches | |
| # cannot be told from here - presumably a Reply-To pattern, going by the name. | |
3651 | meta REPTO_INFONUMSCOM __REPTO_INFONUMSCOM | |
3652 | #score REPTO_INFONUMSCOM 3.000 # limit | |
3653 | tflags REPTO_INFONUMSCOM publish | |
3654 | ##} REPTO_INFONUMSCOM | |
3655 | ||
b780ea8d SI |
3656 | ##{ SB_GIF_AND_NO_URIS |
3657 | ||
3658 | meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL) | |
3659 | ##} SB_GIF_AND_NO_URIS | |
3660 | ||
fc5290a3 | 3661 | ##{ SCC_BODY_SINGLE_WORD |
dfdd1e08 | 3662 | |
fc5290a3 SI |
3663 | meta SCC_BODY_SINGLE_WORD T_SCC_BODY_TEXT_LINE < 2 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1) |
3664 | ##} SCC_BODY_SINGLE_WORD | |
3665 | ||
3666 | ##{ SCC_CANSPAM_1 | |
3667 | ||
3668 | describe SCC_CANSPAM_1 Interesting compliance language | |
3669 | body SCC_CANSPAM_1 /The advertiser does not manage your subscription/ | |
3670 | ##} SCC_CANSPAM_1 | |
3671 | ||
3672 | ##{ SCC_CANSPAM_2 | |
3673 | ||
3674 | describe SCC_CANSPAM_2 Interesting compliance language | |
3675 | body SCC_CANSPAM_2 /you may unsubscribe by clicking here or by writing to/ | |
3676 | ##} SCC_CANSPAM_2 | |
dfdd1e08 | 3677 | |
dfdd1e08 SI |
3678 | ##{ SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
3679 | ||
3680 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3681 | describe SCC_CTMPP Uncommon Content-Type | |
3682 | meta SCC_CTMPP __SCC_CTMPP | |
3683 | tflags SCC_CTMPP publish | |
3684 | endif | |
3685 | ##} SCC_CTMPP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
3686 | ||
3687 | ##{ SCC_ISEMM_LID_1 | |
3688 | ||
3689 | describe SCC_ISEMM_LID_1 Fingerprint of a particular spammer using an old spamware | |
3690 | header SCC_ISEMM_LID_1 X-Mailer-LID =~ /54,55,56,58,53/ | |
3691 | tflags SCC_ISEMM_LID_1 publish | |
3692 | #score SCC_ISEMM_LID_1 3.5 | |
3693 | ##} SCC_ISEMM_LID_1 | |
3694 | ||
fc5290a3 SI |
3695 | ##{ SCC_ISEMM_LID_1A |
3696 | ||
| # Unanchored substring match on the X-Mailer-LID header. | |
| # The pattern is a prefix of the one used by SCC_ISEMM_LID_1 (/54,55,56,58,53/), so every message that hits | |
| # SCC_ISEMM_LID_1 also hits this rule. | |
| # NOTE(review): if both rules are scored as in the commented-out lines, the same fingerprint is counted twice. | |
3697 | describe SCC_ISEMM_LID_1A Fingerprint of a particular spammer using an old spamware | |
3698 | header SCC_ISEMM_LID_1A X-Mailer-LID =~ /54,55,56,/ | |
3699 | tflags SCC_ISEMM_LID_1A publish | |
3700 | #score SCC_ISEMM_LID_1A 3.5 | |
3701 | ##} SCC_ISEMM_LID_1A | |
3702 | ||
dfdd1e08 SI |
3703 | ##{ SCC_ISEMM_LID_1B |
3704 | ||
| # Generic form of the X-Mailer-LID fingerprint: matches as soon as the header contains one two-digit number | |
| # in the range 50-69 followed by a comma. | |
| # The match is unanchored, so the "+" repetition and the capture group do not change what is accepted. | |
| # This rule also hits on every value matched by SCC_ISEMM_LID_1 and SCC_ISEMM_LID_1A, so the rules stack. | |
3705 | describe SCC_ISEMM_LID_1B Genericized spammer fingerprint | |
3706 | header SCC_ISEMM_LID_1B X-Mailer-LID =~ /([56][0-9],)+/ | |
3707 | tflags SCC_ISEMM_LID_1B publish | |
3708 | #score SCC_ISEMM_LID_1B 1.5 | |
3709 | ##} SCC_ISEMM_LID_1B | |
3710 | ||
fc5290a3 SI |
3711 | ##{ SCC_SPAMMER_ADDR_2 |
3712 | ||
3713 | describe SCC_SPAMMER_ADDR_2 Fingerprint of a particular spammer | |
3714 | body SCC_SPAMMER_ADDR_2 /6130 W Flamingo Rd/ | |
3715 | ##} SCC_SPAMMER_ADDR_2 | |
3716 | ||
dfdd1e08 SI |
3717 | ##{ SCC_SPECIAL_GUID |
3718 | ||
| # Matches a raw-body line that consists solely of a GUID-like token shaped 8-4-3-3-12 hex digits, | |
| # where the two 3-digit groups are identical (the \3 backreference). A standard GUID is 8-4-4-4-12, so this shape is distinctive. | |
| # /m makes ^ and $ match at each line; "multiple maxhits=15" lets the rule count up to 15 such lines per message. | |
3719 | describe SCC_SPECIAL_GUID Unique in a similar way | |
3720 | rawbody SCC_SPECIAL_GUID /^([[:xdigit:]]{8})-([[:xdigit:]]{4})-([[:xdigit:]]{3})-\3-([[:xdigit:]]{12})$/m | |
3721 | tflags SCC_SPECIAL_GUID publish multiple maxhits=15 | |
3722 | ##} SCC_SPECIAL_GUID | |
46cfc9e2 | 3723 | |
b780ea8d SI |
3724 | ##{ SENDGRID_REDIR |
3725 | ||
| # Lower-weight Sendgrid redirect rule: fires on __SENDGRID_REDIR_NOPHISH unless the message is ALL_TRUSTED | |
| # or hits one of the listed subrules (mailing-list headers, bounce relays, styling signals). | |
| # NOTE(review): the subrule name suggests the phishing case is left to SENDGRID_REDIR_PHISH so the two do not | |
| # both fire - the subrule definitions are outside this section, confirm there. | |
3726 | meta SENDGRID_REDIR __SENDGRID_REDIR_NOPHISH && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_X_BEEN_THERE && !__HAS_X_MAILMAN_VERSION && !__STY_INVIS_MANY && !__HTML_SINGLET_10 && !__HAVE_BOUNCE_RELAYS | |
3727 | describe SENDGRID_REDIR Redirect URI via Sendgrid | |
3728 | #score SENDGRID_REDIR 1.500 # limit | |
3729 | tflags SENDGRID_REDIR publish | |
3730 | ##} SENDGRID_REDIR | |
3731 | ||
3732 | ##{ SENDGRID_REDIR_PHISH | |
3733 | ||
3734 | meta SENDGRID_REDIR_PHISH __SENDGRID_REDIR_PHISH | |
3735 | describe SENDGRID_REDIR_PHISH Redirect URI via Sendgrid + phishing signs | |
3736 | #score SENDGRID_REDIR_PHISH 3.500 # limit | |
3737 | tflags SENDGRID_REDIR_PHISH publish | |
3738 | ##} SENDGRID_REDIR_PHISH | |
3739 | ||
3740 | ##{ SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3741 | ||
| # Defined only on SpamAssassin 3.4.2 or later with the WLBLEval plugin loaded; elsewhere the rule does not exist. | |
| # The meta adds the hit counts of the two SEO subrules, so ">= 1" means at least one of them fired, | |
| # combined with a From address on the suspicious-TLD list (subrule defined outside this section). | |
3742 | if (version >= 3.004002) | |
3743 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3744 | meta SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1) | |
3745 | tflags SEO_SUSP_NTLD publish | |
3746 | describe SEO_SUSP_NTLD SEO offer from suspicious TLD | |
3747 | #score SEO_SUSP_NTLD 1.2 # limit | |
3748 | endif | |
3749 | endif | |
3750 | ##} SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3751 | ||
fc5290a3 SI |
3752 | ##{ SERGIO_SUBJECT_VIAGRA01 |
3753 | ||
| # Matches the letters v-i-a-g-r-a in the Subject with up to three non-alphanumeric characters between each pair; | |
| # the second letter may be i, 1 or l. | |
| # Every gap allows zero characters, so with /i the plain, ungarbled word matches too; there are no word boundaries, | |
| # so the sequence may sit inside a longer token. | |
| # NOTE(review): only the gap between "a" and "g" also excludes the space character - the other gaps accept spaces. | |
| # It is not clear from here whether that asymmetry is intended. | |
3754 | header SERGIO_SUBJECT_VIAGRA01 Subject =~ /v[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9 ]{0,3}g[^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}a/i | |
3755 | describe SERGIO_SUBJECT_VIAGRA01 Viagra garbled subject | |
3756 | ##} SERGIO_SUBJECT_VIAGRA01 | |
3757 | ||
b780ea8d SI |
3758 | ##{ SHOPIFY_IMG_NOT_RCVD_SFY |
3759 | ||
3760 | meta SHOPIFY_IMG_NOT_RCVD_SFY __SHOPIFY_IMG_NOT_RCVD_SFY && !MIME_QP_LONG_LINE && !__RCD_RDNS_MTA_MESSY && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_ORGANIZATION && !__RCD_RDNS_OB && !__DOS_LINK | |
3761 | #score SHOPIFY_IMG_NOT_RCVD_SFY 2.500 # limit | |
3762 | describe SHOPIFY_IMG_NOT_RCVD_SFY Shopify hosted image but message not from Shopify | |
3763 | tflags SHOPIFY_IMG_NOT_RCVD_SFY publish | |
3764 | ##} SHOPIFY_IMG_NOT_RCVD_SFY | |
3765 | ||
3766 | ##{ SHORTENER_SHORT_IMG | |
3767 | ||
3768 | meta SHORTENER_SHORT_IMG __URL_SHORTENER && HTML_SHORT_LINK_IMG_1 | |
3769 | describe SHORTENER_SHORT_IMG Short HTML + image + URL shortener | |
3770 | #score SHORTENER_SHORT_IMG 2.500 # limit | |
3771 | tflags SHORTENER_SHORT_IMG publish | |
3772 | ##} SHORTENER_SHORT_IMG | |
3773 | ||
b780ea8d SI |
3774 | ##{ SHORT_HELO_AND_INLINE_IMAGE |
3775 | ||
3776 | meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH) | |
3777 | describe SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image | |
3778 | ##} SHORT_HELO_AND_INLINE_IMAGE | |
3779 | ||
3780 | ##{ SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3781 | ||
3782 | if (version >= 3.004002) | |
3783 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3784 | meta SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD | |
3785 | tflags SHORT_IMG_SUSP_NTLD publish | |
3786 | describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD | |
3787 | #score SHORT_IMG_SUSP_NTLD 1.5 # limit | |
3788 | endif | |
3789 | endif | |
3790 | ##} SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
3791 | ||
b780ea8d SI |
3792 | ##{ SHORT_TERM_PRICE |
3793 | ||
3794 | body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i | |
3795 | ##} SHORT_TERM_PRICE | |
3796 | ||
b780ea8d SI |
3797 | ##{ SPAMMY_XMAILER |
3798 | ||
3799 | meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4) | |
3800 | describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham | |
3801 | ##} SPAMMY_XMAILER | |
3802 | ||
3803 | ##{ SPOOFED_FREEMAIL | |
3804 | ||
| # Fires on __SPOOFED_FREEMAIL (defined outside this section) unless the message shows one of the listed | |
| # reply/thread or known-sender signals. Other rules in this file (e.g. SPOOF_GMAIL_MID) build on this rule's result. | |
| # "tflags net" marks it as depending on network tests. | |
| # NOTE(review): this section has no describe line, so reports show only the rule name. | |
3805 | meta SPOOFED_FREEMAIL __SPOOFED_FREEMAIL && !__HAS_IN_REPLY_TO && !__FS_SUBJ_RE && !__MSGID_GUID && !__freemail_safe && !__THREADED && !__HDRS_LCASE_KNOWN && !__HDR_RCVD_GOOGLE && !__HDR_RCVD_TONLINEDE | |
3806 | #score SPOOFED_FREEMAIL 2.000 # limit | |
3807 | tflags SPOOFED_FREEMAIL net | |
3808 | ##} SPOOFED_FREEMAIL | |
3809 | ||
3810 | ##{ SPOOFED_FREEMAIL_NO_RDNS | |
3811 | ||
| # Combines the raw __SPOOFED_FREEMAIL subrule with __RDNS_NONE. | |
| # NOTE(review): the describe text names SPOOFED_FREEMAIL, but the meta uses the underlying subrule, so none of | |
| # SPOOFED_FREEMAIL's exclusions (reply/thread headers, known senders) apply here. This rule can fire on messages | |
| # that SPOOFED_FREEMAIL itself deliberately skips - confirm that is intended. | |
3812 | meta SPOOFED_FREEMAIL_NO_RDNS __SPOOFED_FREEMAIL && __RDNS_NONE | |
3813 | describe SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS | |
3814 | #score SPOOFED_FREEMAIL_NO_RDNS 1.5 | |
3815 | ##} SPOOFED_FREEMAIL_NO_RDNS | |
3816 | ||
3817 | ##{ SPOOFED_FREEM_REPTO | |
3818 | ||
3819 | meta SPOOFED_FREEM_REPTO __SPOOFED_FREEM_REPTO && !__AC_TINY_FONT && !__HAS_IN_REPLY_TO && !__HAS_THREAD_INDEX | |
3820 | describe SPOOFED_FREEM_REPTO Forged freemail sender with freemail reply-to | |
3821 | #score SPOOFED_FREEM_REPTO 2.500 | |
3822 | tflags SPOOFED_FREEM_REPTO net publish | |
3823 | ##} SPOOFED_FREEM_REPTO | |
3824 | ||
3825 | ##{ SPOOFED_FREEM_REPTO_CHN | |
3826 | ||
3827 | meta SPOOFED_FREEM_REPTO_CHN (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_CHN_FREEM | |
3828 | describe SPOOFED_FREEM_REPTO_CHN Forged freemail sender with Chinese freemail reply-to | |
3829 | #score SPOOFED_FREEM_REPTO_CHN 3.500 | |
3830 | tflags SPOOFED_FREEM_REPTO_CHN net publish | |
3831 | ##} SPOOFED_FREEM_REPTO_CHN | |
3832 | ||
3833 | ##{ SPOOFED_FREEM_REPTO_RUS | |
3834 | ||
3835 | meta SPOOFED_FREEM_REPTO_RUS (__SPOOFED_FREEM_REPTO || FORGED_YAHOO_RCVD) && __REPTO_RUS_FREEM | |
3836 | describe SPOOFED_FREEM_REPTO_RUS Forged freemail sender with Russian freemail reply-to | |
3837 | #score SPOOFED_FREEM_REPTO_RUS 3.500 | |
3838 | tflags SPOOFED_FREEM_REPTO_RUS net publish | |
3839 | ##} SPOOFED_FREEM_REPTO_RUS | |
3840 | ||
3841 | ##{ SPOOF_GMAIL_MID | |
3842 | ||
| # Builds on the full SPOOFED_FREEMAIL rule (with all of its exclusions), not on the __SPOOFED_FREEMAIL subrule, | |
| # and additionally requires __PDS_SPOOF_GMAIL_MID (defined outside this section). | |
| # Because SPOOFED_FREEMAIL must already have hit, this rule adds to that rule's score rather than replacing it. | |
46cfc9e2 | 3843 | meta SPOOF_GMAIL_MID SPOOFED_FREEMAIL && __PDS_SPOOF_GMAIL_MID |
b780ea8d SI |
3844 | #score SPOOF_GMAIL_MID 1.5 |
3845 | describe SPOOF_GMAIL_MID From Gmail but it doesn't seem to be... | |
3846 | ##} SPOOF_GMAIL_MID | |
3847 | ||
3848 | ##{ STATIC_XPRIO_OLE | |
3849 | ||
3850 | meta STATIC_XPRIO_OLE __STATIC_XPRIO_OLE | |
3851 | describe STATIC_XPRIO_OLE Static RDNS + X-Priority + MIMEOLE | |
3852 | #score STATIC_XPRIO_OLE 2.000 # limit | |
3853 | tflags STATIC_XPRIO_OLE publish | |
3854 | ##} STATIC_XPRIO_OLE | |
3855 | ||
3856 | ##{ STOCK_IMG_CTYPE | |
3857 | ||
3858 | meta STOCK_IMG_CTYPE (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__CTYPE_ONETAB_GIF&&__HTML_IMG_ONLY) | |
3859 | describe STOCK_IMG_CTYPE Stock spam image part, with distinctive Content-Type header | |
3860 | ##} STOCK_IMG_CTYPE | |
3861 | ||
3862 | ##{ STOCK_IMG_HDR_FROM | |
3863 | ||
3864 | meta STOCK_IMG_HDR_FROM (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__TVD_FW_GRAPHIC_ID1&&__HTML_IMG_ONLY) | |
3865 | describe STOCK_IMG_HDR_FROM Stock spam image part, with distinctive From line | |
3866 | ##} STOCK_IMG_HDR_FROM | |
3867 | ||
3868 | ##{ STOCK_IMG_HTML | |
3869 | ||
3870 | meta STOCK_IMG_HTML (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__PART_STOCK_CID&&__HTML_IMG_ONLY) | |
3871 | describe STOCK_IMG_HTML Stock spam image part, with distinctive HTML | |
3872 | ##} STOCK_IMG_HTML | |
3873 | ||
3874 | ##{ STOCK_IMG_OUTLOOK | |
3875 | ||
3876 | meta STOCK_IMG_OUTLOOK (__ANY_IMAGE_ATTACH&&__ENV_AND_HDR_FROM_MATCH&&__XM_MS_IN_GENERAL&&__HTML_LENGTH_1536_2048) | |
3877 | describe STOCK_IMG_OUTLOOK Stock spam image part, with Outlook-like features | |
3878 | ##} STOCK_IMG_OUTLOOK | |
3879 | ||
b780ea8d SI |
3880 | ##{ STOCK_PRICES |
3881 | ||
3882 | meta STOCK_PRICES (SHORT_TERM_PRICE && LONG_TERM_PRICE) | |
3883 | ##} STOCK_PRICES | |
3884 | ||
3885 | ##{ STOCK_TIP | |
3886 | ||
3887 | meta STOCK_TIP __STOCK_TIP && !__DKIM_EXISTS | |
3888 | describe STOCK_TIP Stock tips | |
3889 | #score STOCK_TIP 3.000 # limit | |
3890 | tflags STOCK_TIP publish | |
3891 | ##} STOCK_TIP | |
3892 | ||
3893 | ##{ STOX_AND_PRICE | |
3894 | ||
3895 | meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE | |
3896 | ##} STOX_AND_PRICE | |
3897 | ||
21dcadbf SI |
3898 | ##{ STOX_BOUND_090909_B |
3899 | ||
| # Tests the raw (unfolded-as-sent) Content-Type header: the boundary parameter must start on a continuation line, | |
| # and its value must be a run of dashes followed only by two-digit pairs that each begin with 0, then the closing quote at the end. | |
| # /s lets the pattern span the embedded newline. No describe line is given in this section. | |
3900 | header STOX_BOUND_090909_B Content-Type:raw =~ /;\n boundary=\"------------0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]\"$/s | |
3901 | ##} STOX_BOUND_090909_B | |
3902 | ||
b780ea8d SI |
3903 | ##{ STOX_REPLY_TYPE |
3904 | ||
3905 | header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/ | |
3906 | ##} STOX_REPLY_TYPE | |
3907 | ||
3908 | ##{ STOX_REPLY_TYPE_WITHOUT_QUOTES | |
3909 | ||
3910 | meta STOX_REPLY_TYPE_WITHOUT_QUOTES (STOX_REPLY_TYPE && !(__HS_SUBJ_RE_FW || __HS_QUOTE)) | |
3911 | ##} STOX_REPLY_TYPE_WITHOUT_QUOTES | |
3912 | ||
3913 | ##{ SUBJECT_NEEDS_ENCODING | |
3914 | ||
3915 | meta SUBJECT_NEEDS_ENCODING (!__SUBJECT_ENCODED_B64 && !__SUBJECT_ENCODED_QP) && __SUBJECT_NEEDS_MIME | |
31955ede | 3916 | describe SUBJECT_NEEDS_ENCODING Subject includes non-encoded illegal characters |
b780ea8d SI |
3917 | ##} SUBJECT_NEEDS_ENCODING |
3918 | ||
31955ede SI |
3919 | ##{ SUBJ_BRKN_WORDNUMS |
3920 | ||
3921 | #score SUBJ_BRKN_WORDNUMS 1.500 # limit | |
3922 | describe SUBJ_BRKN_WORDNUMS Subject contains odd word breaks and numbers | |
3923 | ##} SUBJ_BRKN_WORDNUMS | |
3924 | ||
3925 | ##{ SUBJ_BRKN_WORDNUMS if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
3926 | ||
| # Fallback definition used when the DKIM plugin is not loaded: the rule is the bare subrule with no exclusions. | |
| # NOTE(review): the DKIM-plugin variant of this rule in the same file excludes both DKIM_SIGNED and __TO___LOWER. | |
| # Only the first needs the plugin, yet this fallback drops both, so installs without the DKIM plugin get a | |
| # broader match - confirm whether "&& !__TO___LOWER" should be kept here. | |
3927 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
3928 | meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS | |
3929 | endif | |
3930 | ##} SUBJ_BRKN_WORDNUMS if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
3931 | ||
b780ea8d SI |
3932 | ##{ SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM |
3933 | ||
3934 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
3935 | meta SUBJ_BRKN_WORDNUMS __SUBJ_BRKN_WORDNUMS && !DKIM_SIGNED && !__TO___LOWER | |
b780ea8d SI |
3936 | endif |
3937 | ##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM | |
3938 | ||
fc5290a3 SI |
3939 | ##{ SUSP_UTF8_WORD_COMBO |
3940 | ||
3941 | meta SUSP_UTF8_WORD_COMBO __4BYTE_UTF8_WORD && ( __LIST_PARTIAL || __RDNS_NONE || __CLICK_HERE || __PHPMAILER_MUA || __STY_INVIS_3 || __TO___LOWER || __MSGID_OK_DIGITS || __HTML_IMG_ONLY ) | |
3942 | describe SUSP_UTF8_WORD_COMBO Words using only suspicious UTF-8 characters + other signs | |
3943 | #score SUSP_UTF8_WORD_COMBO 3.000 # limit | |
3944 | ##} SUSP_UTF8_WORD_COMBO | |
3945 | ||
3946 | ##{ SUSP_UTF8_WORD_FROM | |
3947 | ||
3948 | meta SUSP_UTF8_WORD_FROM __4BYTE_UTF8_WORD_FROM | |
3949 | describe SUSP_UTF8_WORD_FROM Word in From name using only suspicious UTF-8 characters | |
3950 | #score SUSP_UTF8_WORD_FROM 2.000 # limit | |
3951 | ##} SUSP_UTF8_WORD_FROM | |
3952 | ||
3953 | ##{ SUSP_UTF8_WORD_MANY | |
3954 | ||
3955 | meta SUSP_UTF8_WORD_MANY __4BYTE_UTF8_WORD_9 | |
3956 | describe SUSP_UTF8_WORD_MANY Many words using only suspicious UTF-8 characters | |
3957 | #score SUSP_UTF8_WORD_MANY 3.000 # limit | |
3958 | ##} SUSP_UTF8_WORD_MANY | |
3959 | ||
31955ede SI |
3960 | ##{ SUSP_UTF8_WORD_SUBJ |
3961 | ||
3962 | meta SUSP_UTF8_WORD_SUBJ __4BYTE_UTF8_WORD_SUBJ | |
3963 | describe SUSP_UTF8_WORD_SUBJ Word in Subject using only suspicious UTF-8 characters | |
3964 | #score SUSP_UTF8_WORD_SUBJ 2.000 # limit | |
3965 | ##} SUSP_UTF8_WORD_SUBJ | |
b780ea8d SI |
3966 | |
3967 | ##{ SYSADMIN | |
3968 | ||
| # Impersonated-IT-department rule: fires on __SYSADMIN (defined outside this section) unless the message is | |
| # ALL_TRUSTED or hits one of the listed exclusion subrules. | |
| # NOTE(review): one exclusion is __DKIM_EXISTS. If that subrule tests only for the presence of a signature header | |
| # rather than a verified one, the exclusion is weaker than one keyed on a validated signature - confirm what it checks. | |
3969 | meta SYSADMIN __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS | |
3970 | describe SYSADMIN Supposedly from your IT department | |
3971 | #score SYSADMIN 3.500 # limit | |
3972 | tflags SYSADMIN publish | |
3973 | ##} SYSADMIN | |
3974 | ||
46cfc9e2 SI |
3975 | ##{ TAGSTAT_IMG_NOT_RCVD_TGST |
3976 | ||
3977 | meta TAGSTAT_IMG_NOT_RCVD_TGST __TAGSTAT_IMG_NOT_RCVD_TGST | |
3978 | #score TAGSTAT_IMG_NOT_RCVD_TGST 2.000 # limit | |
3979 | describe TAGSTAT_IMG_NOT_RCVD_TGST Tagstat hosted image but message not from Tagstat | |
3980 | tflags TAGSTAT_IMG_NOT_RCVD_TGST publish | |
3981 | ##} TAGSTAT_IMG_NOT_RCVD_TGST | |
3982 | ||
31955ede SI |
3983 | ##{ TARINGANET_IMG_NOT_RCVD_TN |
3984 | ||
3985 | meta TARINGANET_IMG_NOT_RCVD_TN __TARINGANET_IMG_NOT_RCVD_TN | |
3986 | #score TARINGANET_IMG_NOT_RCVD_TN 2.000 # limit | |
3987 | describe TARINGANET_IMG_NOT_RCVD_TN media.taringa.net hosted image but message not from taringa.net | |
3988 | tflags TARINGANET_IMG_NOT_RCVD_TN publish | |
3989 | ##} TARINGANET_IMG_NOT_RCVD_TN | |
3990 | ||
b780ea8d SI |
3991 | ##{ TBIRD_SUSP_MIME_BDRY |
3992 | ||
3993 | meta TBIRD_SUSP_MIME_BDRY __MUA_TBIRD && __TB_MIME_BDRY_NO_Z | |
3994 | describe TBIRD_SUSP_MIME_BDRY Unlikely Thunderbird MIME boundary | |
3995 | ##} TBIRD_SUSP_MIME_BDRY | |
3996 | ||
3997 | ##{ TEQF_USR_IMAGE | |
3998 | ||
3999 | meta TEQF_USR_IMAGE __TO_EQ_FROM_USR_NN_MINFP && __ANY_IMAGE_ATTACH | |
4000 | describe TEQF_USR_IMAGE To and from user nearly same + image | |
4001 | tflags TEQF_USR_IMAGE publish | |
4002 | ##} TEQF_USR_IMAGE | |
4003 | ||
4004 | ##{ TEQF_USR_MSGID_HEX | |
4005 | ||
4006 | meta TEQF_USR_MSGID_HEX __TO_EQ_FROM_USR_NN_MINFP && __MSGID_OK_HEX && !__MSGID_NOFQDN2 | |
4007 | describe TEQF_USR_MSGID_HEX To and from user nearly same + unusual message ID | |
4008 | tflags TEQF_USR_MSGID_HEX publish | |
4009 | ##} TEQF_USR_MSGID_HEX | |
4010 | ||
4011 | ##{ TEQF_USR_MSGID_MALF | |
4012 | ||
4013 | meta TEQF_USR_MSGID_MALF __TO_EQ_FROM_USR_NN_MINFP && __MSGID_NOFQDN2 | |
4014 | describe TEQF_USR_MSGID_MALF To and from user nearly same + malformed message ID | |
4015 | tflags TEQF_USR_MSGID_MALF publish | |
4016 | ##} TEQF_USR_MSGID_MALF | |
4017 | ||
4018 | ##{ THEBAT_UNREG | |
4019 | ||
4020 | header THEBAT_UNREG X-Mailer =~ /^The Bat! .{0,20} UNREG$/ | |
4021 | ##} THEBAT_UNREG | |
4022 | ||
4023 | ##{ THIS_AD | |
4024 | ||
4025 | meta THIS_AD __THIS_AD && !__MOZILLA_MSGID && !__FROM_ENCODED_QP && !__CR_IN_SUBJ && !__RP_MATCHES_RCVD | |
4026 | describe THIS_AD "This ad" and variants | |
4027 | tflags THIS_AD publish | |
4028 | ##} THIS_AD | |
4029 | ||
4030 | ##{ THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4031 | ||
4032 | if (version >= 3.004002) | |
4033 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4034 | meta THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __ADMITS_SPAM | |
4035 | tflags THIS_IS_ADV_SUSP_NTLD publish | |
4036 | describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD | |
4037 | #score THIS_IS_ADV_SUSP_NTLD 1.5 # limit | |
4038 | endif | |
4039 | endif | |
4040 | ##} THIS_IS_ADV_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4041 | ||
4042 | ##{ TONLINE_FAKE_DKIM | |
4043 | ||
| # Fires when the t-online.de Received subrule and __DKIM_EXISTS both hit (both defined outside this section). | |
| # NOTE(review): the rule rests entirely on the provider-behaviour claim in the describe text. That is a fact about | |
| # a third party which can change over time; if the provider signs mail, this rule penalises legitimate messages. | |
| # Re-verify the claim before relying on the rule at the commented-out weight. | |
4044 | meta TONLINE_FAKE_DKIM __HDR_RCVD_TONLINEDE && __DKIM_EXISTS | |
4045 | describe TONLINE_FAKE_DKIM t-online.de doesn't do DKIM | |
4046 | #score TONLINE_FAKE_DKIM 3.000 # limit | |
4047 | tflags TONLINE_FAKE_DKIM publish | |
4048 | ##} TONLINE_FAKE_DKIM | |
4049 | ||
b780ea8d SI |
4050 | ##{ TO_EQ_FM_DIRECT_MX |
4051 | ||
4052 | meta TO_EQ_FM_DIRECT_MX __TO_EQ_FM_DIRECT_MX && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__CTYPE_MULTIPART_MIXED | |
4053 | describe TO_EQ_FM_DIRECT_MX To == From and direct-to-MX | |
4054 | #score TO_EQ_FM_DIRECT_MX 2.500 # limit | |
4055 | tflags TO_EQ_FM_DIRECT_MX publish | |
4056 | ##} TO_EQ_FM_DIRECT_MX | |
4057 | ||
fc5290a3 SI |
4058 | ##{ TO_EQ_FM_DOM_HTML_IMG |
4059 | ||
4060 | meta TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FM_DOM_HTML_IMG && !__NOT_SPOOFED && !__CTYPE_MULTIPART_ALT && !__IS_EXCH && !__UNSUB_LINK && !__COMMENT_EXISTS && !__FM_TO_ALL_NUMS && !__DKIM_EXISTS && !__HAS_THREAD_INDEX && !__MSGID_JAVAMAIL && !__RP_MATCHES_RCVD | |
4061 | describe TO_EQ_FM_DOM_HTML_IMG To domain == From domain and HTML image link | |
4062 | ##} TO_EQ_FM_DOM_HTML_IMG | |
4063 | ||
b780ea8d SI |
4064 | ##{ TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF |
4065 | ||
4066 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
4067 | meta TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FM_DOM_SPF_FAIL && !__THREADED && !ALL_TRUSTED | |
4068 | describe TO_EQ_FM_DOM_SPF_FAIL To domain == From domain and external SPF failed | |
4069 | tflags TO_EQ_FM_DOM_SPF_FAIL net | |
4070 | endif | |
4071 | ##} TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF | |
4072 | ||
b780ea8d SI |
4073 | ##{ TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF |
4074 | ||
4075 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
4076 | meta TO_EQ_FM_SPF_FAIL __TO_EQ_FM_SPF_FAIL && !__THREADED && !ALL_TRUSTED | |
4077 | describe TO_EQ_FM_SPF_FAIL To == From and external SPF failed | |
4078 | tflags TO_EQ_FM_SPF_FAIL net | |
4079 | endif | |
4080 | ##} TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF | |
4081 | ||
4082 | ##{ TO_IN_SUBJ | |
4083 | ||
4084 | meta TO_IN_SUBJ __TO_IN_SUBJ && !__VIA_ML && !MISSING_MIMEOLE && !__THREAD_INDEX_GOOD && !__FSL_RELAY_GOOGLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HS_SUBJ_RE_FW | |
4085 | describe TO_IN_SUBJ To address is in Subject | |
4086 | tflags TO_IN_SUBJ publish | |
4087 | #score TO_IN_SUBJ 0.1 | |
4088 | ##} TO_IN_SUBJ | |
4089 | ||
4090 | ##{ TO_NAME_SUBJ_NO_RDNS | |
4091 | ||
4092 | meta TO_NAME_SUBJ_NO_RDNS LOCALPART_IN_SUBJECT && __RDNS_NONE | |
4093 | describe TO_NAME_SUBJ_NO_RDNS Recipient username in subject + no rDNS | |
4094 | #score TO_NAME_SUBJ_NO_RDNS 3.000 # limit | |
4095 | tflags TO_NAME_SUBJ_NO_RDNS publish | |
4096 | ##} TO_NAME_SUBJ_NO_RDNS | |
4097 | ||
4098 | ##{ TO_NO_BRKTS_FROM_MSSP | |
4099 | ||
4100 | meta TO_NO_BRKTS_FROM_MSSP __TO_NO_BRKTS_FROM_RUNON && !__RCD_RDNS_MTA_MESSY && !__CTYPE_MULTIPART_ALT && !__REPTO_QUOTE && !__MIME_QP && !__TO___LOWER && !__BUGGED_IMG && !__SUBJECT_ENCODED_QP && !__VIA_ML && !__FR_SPACING_8 && !__TAG_EXISTS_CENTER && !__RCVD_ZIXMAIL && !__RP_MATCHES_RCVD && !__HAS_SENDER | |
4101 | #score TO_NO_BRKTS_FROM_MSSP 2.50 # max | |
4102 | describe TO_NO_BRKTS_FROM_MSSP Multiple header formatting problems | |
4103 | ##} TO_NO_BRKTS_FROM_MSSP | |
4104 | ||
4105 | ##{ TO_NO_BRKTS_HTML_IMG | |
4106 | ||
4107 | meta TO_NO_BRKTS_HTML_IMG __TO_NO_BRKTS_HTML_IMG && !__FM_TO_ALL_NUMS && !__FROM_FULL_NAME && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__HAS_SENDER && !__THREADED && !__LONGLINE | |
4108 | describe TO_NO_BRKTS_HTML_IMG To: lacks brackets and HTML and one image | |
4109 | #score TO_NO_BRKTS_HTML_IMG 2.000 # limit | |
4110 | tflags TO_NO_BRKTS_HTML_IMG publish | |
4111 | ##} TO_NO_BRKTS_HTML_IMG | |
4112 | ||
4113 | ##{ TO_NO_BRKTS_HTML_ONLY | |
4114 | ||
| # Fires on __TO_NO_BRKTS_HTML_ONLY (defined outside this section) minus a long list of exclusions. | |
| # Two exclusions are full rules rather than "__" subrules: RDNS_NONE and LOTS_OF_MONEY. Presumably this keeps | |
| # the rule from stacking with them (the no-rDNS case has its own rule, TO_NO_BRKTS_NORDNS_HTML). | |
| # NOTE(review): every exclusion is also a way for a message to avoid this rule; when adding one, check that the | |
| # excluded trait is something only legitimate senders exhibit. | |
4115 | meta TO_NO_BRKTS_HTML_ONLY __TO_NO_BRKTS_HTML_ONLY && !RDNS_NONE && !__MIME_QP && !__MSGID_JAVAMAIL && !__CTYPE_CHARSET_QUOTED && !__SUBJECT_ENCODED_B64 && !__VIA_ML && !__MSGID_BEFORE_RECEIVED && !__MIME_BASE64 && !__RCD_RDNS_MAIL_MESSY && !__COMMENT_EXISTS && !LOTS_OF_MONEY && !__TAG_EXISTS_CENTER && !__UPPERCASE_URI && !__UNSUB_LINK && !__RCD_RDNS_MX_MESSY && !__DKIM_EXISTS && !__BUGGED_IMG && !__FM_TO_ALL_NUMS && !__URI_12LTRDOM && !__RDNS_NO_SUBDOM && !__HDRS_LCASE && !__LCL__ENV_AND_HDR_FROM_MATCH | |
4116 | #score TO_NO_BRKTS_HTML_ONLY 2.00 # limit | |
4117 | describe TO_NO_BRKTS_HTML_ONLY To: lacks brackets and HTML only | |
4118 | tflags TO_NO_BRKTS_HTML_ONLY publish | |
4119 | ##} TO_NO_BRKTS_HTML_ONLY | |
4120 | ||
4121 | ##{ TO_NO_BRKTS_MSFT | |
4122 | ||
4123 | meta TO_NO_BRKTS_MSFT __TO_NO_BRKTS_MSFT && !__VIA_ML && !__LYRIS_EZLM_REMAILER && !__THREAD_INDEX_GOOD && !__IS_EXCH && !__UNSUB_LINK && !__NOT_SPOOFED && !__DOS_HAS_LIST_UNSUB && !__NAME_EQ_EMAIL && !__SUBJECT_ENCODED_QP && !__THREADED && !__HAS_THREAD_INDEX && !__HAS_X_REF && !__HAS_IN_REPLY_TO && !__FROM_ENCODED_QP && !__RP_MATCHES_RCVD | |
4124 | describe TO_NO_BRKTS_MSFT To: lacks brackets and supposed Microsoft tool | |
4125 | #score TO_NO_BRKTS_MSFT 2.50 # limit | |
4126 | ##} TO_NO_BRKTS_MSFT | |
4127 | ||
4128 | ##{ TO_NO_BRKTS_NORDNS_HTML | |
4129 | ||
4130 | meta TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_NORDNS_HTML && !ALL_TRUSTED && !__MSGID_JAVAMAIL && !__MSGID_BEFORE_RECEIVED && !__VIA_ML && !__UA_MUTT && !__COMMENT_EXISTS && !__HTML_LENGTH_384 && !__MIME_BASE64 && !__UPPERCASE_URI && !__TO___LOWER && !__TAG_EXISTS_CENTER && !__LONGLINE && !__DKIM_EXISTS | |
4131 | #score TO_NO_BRKTS_NORDNS_HTML 2.00 # limit | |
4132 | describe TO_NO_BRKTS_NORDNS_HTML To: lacks brackets and no rDNS and HTML only | |
4133 | tflags TO_NO_BRKTS_NORDNS_HTML publish | |
4134 | ##} TO_NO_BRKTS_NORDNS_HTML | |
4135 | ||
4136 | ##{ TO_NO_BRKTS_PCNT | |
4137 | ||
4138 | meta TO_NO_BRKTS_PCNT __TO_NO_BRKTS_PCNT && !__SUBJECT_ENCODED_B64 && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__ISO_2022_JP_DELIM && !__IMS_MSGID && !__THREAD_INDEX_GOOD && !__RCD_RDNS_MX_MESSY && !__UNSUB_LINK && !__LONGLINE && !URI_HEX && !__RP_MATCHES_RCVD && !__MAIL_LINK && !__BUGGED_IMG && !__MIME_QP && !__COMMENT_EXISTS && !__TAG_EXISTS_STYLE && !__LCL__ENV_AND_HDR_FROM_MATCH && !__HAS_X_MAILER && !__HTML_LINK_IMAGE && !__SENDER_BOT && !__DKIM_EXISTS && !__KHOP_NO_FULL_NAME && !__THREADED | |
4139 | describe TO_NO_BRKTS_PCNT To: lacks brackets + percentage | |
4140 | #score TO_NO_BRKTS_PCNT 2.50 # limit | |
4141 | tflags TO_NO_BRKTS_PCNT publish | |
4142 | ##} TO_NO_BRKTS_PCNT | |
4143 | ||
4144 | ##{ TO_TOO_MANY_WFH_01 | |
4145 | ||
4146 | meta TO_TOO_MANY_WFH_01 __TO_TOO_MANY_WFH_01 | |
4147 | describe TO_TOO_MANY_WFH_01 Work-from-Home + many recipients | |
4148 | tflags TO_TOO_MANY_WFH_01 publish | |
4149 | ##} TO_TOO_MANY_WFH_01 | |
4150 | ||
b780ea8d SI |
4151 | ##{ TT_MSGID_TRUNC |
4152 | ||
| # Matches a Message-Id that is: optional whitespace, an optional "<", a run of characters other than angle | |
| # brackets or whitespace, a literal "[", then digits up to the end of the header. | |
| # The value therefore ends with neither a closing "]" nor a closing ">". | |
4153 | header TT_MSGID_TRUNC Message-Id =~ /^\s*<?[^<>\s]+\[\d+$/ | |
4154 | describe TT_MSGID_TRUNC Scora: Message-Id ends after left-bracket + digits | |
4155 | ##} TT_MSGID_TRUNC | |
4156 | ||
4157 | ##{ TT_OBSCURED_VALIUM | |
4158 | ||
4159 | meta TT_OBSCURED_VALIUM ( __TT_BROKEN_VALIUM || __TT_OBSCURED_VALIUM ) && ! __TT_VALIUM | |
4160 | describe TT_OBSCURED_VALIUM Scora: obscured "VALIUM" in subject | |
4161 | ##} TT_OBSCURED_VALIUM | |
4162 | ||
4163 | ##{ TT_OBSCURED_VIAGRA | |
4164 | ||
4165 | meta TT_OBSCURED_VIAGRA ( __TT_BROKEN_VIAGRA || __TT_OBSCURED_VIAGRA ) && ! __TT_VIAGRA | |
4166 | describe TT_OBSCURED_VIAGRA Scora: obscured "VIAGRA" in subject | |
4167 | ##} TT_OBSCURED_VIAGRA | |
4168 | ||
4169 | ##{ TVD_ACT_193 | |
4170 | ||
4171 | body TVD_ACT_193 /\bact of (?:193|nineteen thirty)/i | |
4172 | describe TVD_ACT_193 Message refers to an act passed in the 1930s | |
4173 | ##} TVD_ACT_193 | |
4174 | ||
4175 | ##{ TVD_APPROVED | |
4176 | ||
4177 | body TVD_APPROVED /you.{1,2}re .{0,20}approved/i | |
4178 | describe TVD_APPROVED Body states that the recipient has been approved | |
4179 | ##} TVD_APPROVED | |
4180 | ||
4181 | ##{ TVD_DEAR_HOMEOWNER | |
4182 | ||
4183 | body TVD_DEAR_HOMEOWNER /^dear homeowner/i | |
4184 | describe TVD_DEAR_HOMEOWNER Spam with generic salutation of "dear homeowner" | |
4185 | ##} TVD_DEAR_HOMEOWNER | |
4186 | ||
4187 | ##{ TVD_EB_PHISH | |
4188 | ||
# Meta rule: hits only when both __FROM_EBAY and NORMAL_HTTP_TO_IP hit.
# Both sub-rules are defined outside this excerpt.
# NOTE(review): presumably an eBay-looking sender combined with an http link
# to a bare IP address; confirm against the sub-rule definitions.
# No describe line accompanies this rule in this block.
4189 | meta TVD_EB_PHISH __FROM_EBAY && NORMAL_HTTP_TO_IP | |
4190 | ##} TVD_EB_PHISH | |
4191 | ||
4192 | ##{ TVD_ENVFROM_APOST | |
4193 | ||
4194 | header TVD_ENVFROM_APOST EnvelopeFrom =~ /\'/ | |
4195 | describe TVD_ENVFROM_APOST Envelope From contains single-quote | |
4196 | ##} TVD_ENVFROM_APOST | |
4197 | ||
4198 | ##{ TVD_FINGER_02 | |
4199 | ||
# Header fingerprint on Content-Type: the value must start with text/plain
# followed by three consecutive "; <param>" items, each taken from
# format=flowed, charset="Windows-1252" or reply-type=original.
# The pattern does not constrain their order or forbid repeats, and /i makes
# it case-insensitive. No describe line accompanies this rule in this block.
4200 | header TVD_FINGER_02 Content-Type =~ /^text\/plain(?:; (?:format=flowed|charset="Windows-1252"|reply-type=original)){3}/i | |
4201 | ##} TVD_FINGER_02 | |
4202 | ||
4203 | ##{ TVD_FLOAT_GENERAL | |
4204 | ||
4205 | rawbody TVD_FLOAT_GENERAL /\bstyle\s*=\s*"[^"]*\bfloat\s*:\s*[a-z]+\s*">\s*[a-zA-Z]+\s*</i | |
4206 | describe TVD_FLOAT_GENERAL Message uses CSS float style | |
4207 | ##} TVD_FLOAT_GENERAL | |
4208 | ||
4209 | ##{ TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4210 | ||
4211 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4212 | body TVD_FUZZY_DEGREE /<inter W1><post P1>\b(?!degree)<D><E><G><R><E><E>\b/i | |
4213 | describe TVD_FUZZY_DEGREE Obfuscation of the word "degree" | |
4214 | endif | |
4215 | ##} TVD_FUZZY_DEGREE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4216 | ||
4217 | ##{ TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4218 | ||
4219 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4220 | body TVD_FUZZY_FINANCE /(?!finance)<F><I><N><A><N><C><E>/i | |
4221 | describe TVD_FUZZY_FINANCE Obfuscation of the word "finance" | |
4222 | endif | |
4223 | ##} TVD_FUZZY_FINANCE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4224 | ||
4225 | ##{ TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4226 | ||
4227 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4228 | body TVD_FUZZY_FIXED_RATE /<inter W2><post P2>(?!fixed rate)<F><I><X><E><D>\s+<R><A><T><E>/i | |
4229 | describe TVD_FUZZY_FIXED_RATE Obfuscation of the phrase "fixed rate" | |
4230 | endif | |
4231 | ##} TVD_FUZZY_FIXED_RATE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4232 | ||
4233 | ##{ TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4234 | ||
4235 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4236 | body TVD_FUZZY_MICROCAP /<inter W2><post P2>(?!microcap)(?!micro-cap)<M><I><C><R><O>-?<C><A><P>/i | |
4237 | describe TVD_FUZZY_MICROCAP Obfuscation of the word "micro-cap" | |
4238 | endif | |
4239 | ##} TVD_FUZZY_MICROCAP ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4240 | ||
4241 | ##{ TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4242 | ||
4243 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4244 | body TVD_FUZZY_PHARMACEUTICAL /<inter W2><post P2>(?!pharmaceutical)<P><H><A><R><M><A><C><E><U><T><I><C><A><L>/i | |
4245 | describe TVD_FUZZY_PHARMACEUTICAL Obfuscation of the word "pharmaceutical" | |
4246 | endif | |
4247 | ##} TVD_FUZZY_PHARMACEUTICAL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4248 | ||
4249 | ##{ TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4250 | ||
4251 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4252 | body TVD_FUZZY_SYMBOL /<inter W2><post P2>(?!symboo?l)<S><Y><M><B><O><L>/i | |
4253 | describe TVD_FUZZY_SYMBOL Obfuscation of the word "symbol" | |
4254 | endif | |
4255 | ##} TVD_FUZZY_SYMBOL ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4256 | ||
4257 | ##{ TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4258 | ||
4259 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4260 | mimeheader TVD_FW_GRAPHIC_NAME_LONG Content-Type =~ /\bname="[a-z]{8,}\.gif/ | |
4261 | describe TVD_FW_GRAPHIC_NAME_LONG Long image attachment name | |
4262 | endif | |
4263 | ##} TVD_FW_GRAPHIC_NAME_LONG ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4264 | ||
4265 | ##{ TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4266 | ||
4267 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4268 | mimeheader TVD_FW_GRAPHIC_NAME_MID Content-Type =~ /\bname="[a-z]{6,7}\.gif/ | |
4269 | describe TVD_FW_GRAPHIC_NAME_MID Medium sized image attachment name | |
4270 | endif | |
4271 | ##} TVD_FW_GRAPHIC_NAME_MID ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4272 | ||
4273 | ##{ TVD_INCREASE_SIZE | |
4274 | ||
4275 | body TVD_INCREASE_SIZE /\bsize of .{1,20}(?:penis|dick|manhood)/i | |
4276 | describe TVD_INCREASE_SIZE Advertising for penis enlargement | |
4277 | ##} TVD_INCREASE_SIZE | |
4278 | ||
b780ea8d SI |
4279 | ##{ TVD_LINK_SAVE |
4280 | ||
4281 | body TVD_LINK_SAVE /\blink to save\b/i | |
4282 | describe TVD_LINK_SAVE Spam with the text "link to save" | |
4283 | ##} TVD_LINK_SAVE | |
4284 | ||
4285 | ##{ TVD_PH_BODY_ACCOUNTS_PRE | |
4286 | ||
4287 | meta TVD_PH_BODY_ACCOUNTS_PRE __TVD_PH_BODY_ACCOUNTS_PRE | |
4288 | describe TVD_PH_BODY_ACCOUNTS_PRE The body matches phrases such as "accounts suspended", "account credited", "account verification" | |
4289 | ##} TVD_PH_BODY_ACCOUNTS_PRE | |
4290 | ||
4291 | ##{ TVD_PH_REC | |
4292 | ||
4293 | body TVD_PH_REC /\byour .{0,40}account .{0,40}record/i | |
4294 | describe TVD_PH_REC Message includes a phrase commonly used in phishing mails | |
4295 | ##} TVD_PH_REC | |
4296 | ||
4297 | ##{ TVD_PH_SEC | |
4298 | ||
4299 | body TVD_PH_SEC /\byour .{0,40}account .{0,40}security/i | |
4300 | describe TVD_PH_SEC Message includes a phrase commonly used in phishing mails | |
4301 | ##} TVD_PH_SEC | |
4302 | ||
4303 | ##{ TVD_PP_PHISH | |
4304 | ||
# Meta rule: hits only when both __FROM_PAYPAL and NORMAL_HTTP_TO_IP hit.
# Both sub-rules are defined outside this excerpt.
# NOTE(review): presumably a PayPal-looking sender combined with an http link
# to a bare IP address; confirm against the sub-rule definitions.
# No describe line accompanies this rule in this block.
4305 | meta TVD_PP_PHISH __FROM_PAYPAL && NORMAL_HTTP_TO_IP | |
4306 | ##} TVD_PP_PHISH | |
4307 | ||
4308 | ##{ TVD_QUAL_MEDS | |
4309 | ||
4310 | body TVD_QUAL_MEDS /\bquality med(?:ication)?s\b/i | |
4311 | describe TVD_QUAL_MEDS The body matches phrases such as "quality meds" or "quality medication" | |
4312 | ##} TVD_QUAL_MEDS | |
4313 | ||
4314 | ##{ TVD_RATWARE_CB | |
4315 | ||
4316 | header TVD_RATWARE_CB Content-Type =~ /\bboundary\b.{1,40}qzsoft_directmail_seperator/i | |
4317 | describe TVD_RATWARE_CB Content-Type header that is commonly indicative of ratware | |
4318 | ##} TVD_RATWARE_CB | |
4319 | ||
4320 | ##{ TVD_RATWARE_CB_2 | |
4321 | ||
4322 | header TVD_RATWARE_CB_2 Content-Type =~ /\bboundary\s*=\s*"?-+\d+=+\.MRA/ | |
4323 | describe TVD_RATWARE_CB_2 Content-Type header that is commonly indicative of ratware | |
4324 | ##} TVD_RATWARE_CB_2 | |
4325 | ||
4326 | ##{ TVD_RATWARE_MSGID_02 | |
4327 | ||
# The pattern only inspects the part of the Message-ID between '<' and '@':
# it must consist solely of lower-case ASCII letters (no digits, dots or
# other punctuation). There is no /i flag and the part after '@' is not
# examined, so the match is narrower than "entirely lower-case" in the
# describe text suggests.
4328 | header TVD_RATWARE_MSGID_02 Message-ID =~ /^[^<]*<[a-z]+\@/ | |
4329 | describe TVD_RATWARE_MSGID_02 Ratware with a Message-ID header that is entirely lower-case | |
4330 | ##} TVD_RATWARE_MSGID_02 | |
4331 | ||
4332 | ##{ TVD_RCVD_IP | |
4333 | ||
# Matches a Received value that starts with "from" followed by four digit
# runs. The separator between runs is any single character that is not a
# letter, digit or whitespace, so forms such as 1-2-3-4 match as well as a
# dotted quad. The digit runs are unbounded (\d+); octet values are not
# range-checked, so this is a shape test rather than IP address validation.
4334 | header TVD_RCVD_IP Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/ | |
4335 | describe TVD_RCVD_IP Message was received from an IP address | |
4336 | ##} TVD_RCVD_IP | |
4337 | ||
4338 | ##{ TVD_RCVD_IP4 | |
4339 | ||
4340 | header TVD_RCVD_IP4 Received =~ /^from\s+(?:\d+\.){3}\d+\s/ | |
4341 | describe TVD_RCVD_IP4 Message was received from an IPv4 address | |
4342 | ##} TVD_RCVD_IP4 | |
4343 | ||
4344 | ##{ TVD_RCVD_SPACE_BRACKET | |
4345 | ||
# Hits when a Received header contains "([" that is not immediately followed
# by "unix" (case-insensitive) and a whitespace character appears after it
# before any further '[' or ']'.
# NOTE(review): presumably targets whitespace inside a bracketed address
# literal; confirm intent. No describe line accompanies this rule here.
4346 | header TVD_RCVD_SPACE_BRACKET Received =~ /\(\[(?!unix)[^\[\]]*\s/i | |
4347 | ##} TVD_RCVD_SPACE_BRACKET | |
4348 | ||
4349 | ##{ TVD_SECTION | |
4350 | ||
4351 | body TVD_SECTION /\bSection (?:27A|21B)/i | |
4352 | describe TVD_SECTION References to specific legal codes | |
4353 | ##} TVD_SECTION | |
4354 | ||
4355 | ##{ TVD_SILLY_URI_OBFU | |
4356 | ||
# Declared as a body rule, not a uri rule. It looks for an http(s) string
# whose host-looking part (a label, a dot, an optional second label and dot)
# is followed by at least one character outside letters, digits and the
# listed URL punctuation, and which then ends in three letters followed by
# whitespace or end of text.
# NOTE(review): presumably a body rule is used because, per the describe
# text, such strings may not be seen correctly by URIBL or uri rules.
4357 | body TVD_SILLY_URI_OBFU m!https?://[a-z0-9-]+\.[a-z0-9-]*\.?[^a-z0-9.:/\s"'\@?\)>-]+[a-z0-9.-]*[a-z]{3}(?:\s|$)!i | |
4358 | describe TVD_SILLY_URI_OBFU URI obfuscation that can fool a URIBL or a uri rule | |
4359 | ##} TVD_SILLY_URI_OBFU | |
4360 | ||
4361 | ##{ TVD_SPACED_SUBJECT_WORD3 | |
4362 | ||
4363 | header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/ | |
4364 | describe TVD_SPACED_SUBJECT_WORD3 Entire subject is "UPPERlowerUPPER" with no whitespace | |
4365 | ##} TVD_SPACED_SUBJECT_WORD3 | |
4366 | ||
fc5290a3 SI |
4367 | ##{ TVD_SPACE_ENC_FM_MIME |
4368 | ||
4369 | meta TVD_SPACE_ENC_FM_MIME __TVD_SPACE_ENCODED && __FROM_NEEDS_MIME && !__ISO_2022_JP_DELIM | |
4370 | #score TVD_SPACE_ENC_FM_MIME 2.000 # limit | |
4371 | describe TVD_SPACE_ENC_FM_MIME Space ratio & encoded subject & MIME needed | |
4372 | ##} TVD_SPACE_ENC_FM_MIME | |
4373 | ||
b780ea8d SI |
4374 | ##{ TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval |
4375 | ||
4376 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
4377 | body TVD_STOCK1 eval:check_stock_info('2') | |
4378 | describe TVD_STOCK1 Spam related to stock trading | |
4379 | endif | |
4380 | ##} TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
4381 | ||
4382 | ##{ TVD_SUBJ_ACC_NUM | |
4383 | ||
4384 | header TVD_SUBJ_ACC_NUM Subject =~ /\b[a-zA-Z]+ [\#\s]{1,4}\d+[A-Z]+/ | |
4385 | describe TVD_SUBJ_ACC_NUM Subject has spammy looking monetary reference | |
4386 | ##} TVD_SUBJ_ACC_NUM | |
4387 | ||
4388 | ##{ TVD_SUBJ_FINGER_03 | |
4389 | ||
4390 | header TVD_SUBJ_FINGER_03 Subject =~ /^\s*\*\s+(?:\w+\W+)+\*\s*$/ | |
4391 | describe TVD_SUBJ_FINGER_03 Entire subject is enclosed in asterisks "* like so *" | |
4392 | ##} TVD_SUBJ_FINGER_03 | |
4393 | ||
b780ea8d SI |
4394 | ##{ TVD_SUBJ_OWE |
4395 | ||
4396 | header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i | |
4397 | describe TVD_SUBJ_OWE Subject line states that the recipient is in debt | |
4398 | ##} TVD_SUBJ_OWE | |
4399 | ||
4400 | ##{ TVD_SUBJ_WIPE_DEBT | |
4401 | ||
4402 | header TVD_SUBJ_WIPE_DEBT Subject =~ /(?:wipe out|remove|get (?:rid|out) of|eradicate) .{0,20}(?:owe|debt|obligation)/i | |
4403 | describe TVD_SUBJ_WIPE_DEBT Spam advertising a way to eliminate debt | |
4404 | ##} TVD_SUBJ_WIPE_DEBT | |
4405 | ||
4406 | ##{ TVD_VISIT_PHARMA | |
4407 | ||
4408 | body TVD_VISIT_PHARMA /Online Ph.rmacy/i | |
4409 | describe TVD_VISIT_PHARMA Body mentions online pharmacy | |
4410 | ##} TVD_VISIT_PHARMA | |
4411 | ||
4412 | ##{ TVD_VIS_HIDDEN | |
4413 | ||
4414 | rawbody TVD_VIS_HIDDEN /<TEXTAREA[^>]+style\s*=\s*"visibility:\s*hidden\b/i | |
4415 | describe TVD_VIS_HIDDEN Invisible textarea HTML tags | |
4416 | ##} TVD_VIS_HIDDEN | |
4417 | ||
4418 | ##{ TW_GIBBERISH_MANY | |
4419 | ||
4420 | meta TW_GIBBERISH_MANY __TENWORD_GIBBERISH > 20 | |
4421 | describe TW_GIBBERISH_MANY Lots of gibberish text to spoof pattern matching filters | |
4422 | #score TW_GIBBERISH_MANY 2.000 # limit | |
4423 | tflags TW_GIBBERISH_MANY publish | |
4424 | ##} TW_GIBBERISH_MANY | |
4425 | ||
4426 | ##{ T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4427 | ||
4428 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4429 | meta T_ACH_CANCELLED_EXE __ACH_CANCELLED_EXE | |
4430 | describe T_ACH_CANCELLED_EXE "ACH cancelled" probable malware | |
4431 | endif | |
4432 | ##} T_ACH_CANCELLED_EXE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4433 | ||
dfdd1e08 SI |
4434 | ##{ T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
4435 | ||
4436 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4437 | meta T_ANY_PILL_PRICE (__PILL_PRICE_01 || __PILL_PRICE_02) && !__NOT_A_PERSON | |
4438 | describe T_ANY_PILL_PRICE Prices for pills | |
4439 | endif | |
4440 | ##} T_ANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4441 | ||
b780ea8d SI |
4442 | ##{ T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
4443 | ||
4444 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
# Only loaded when the MIMEHeader plugin is available.
# Hits when a Content-Disposition MIME header carries "size=" followed by a
# digit at least twice, i.e. the size parameter is repeated. The match is
# case-sensitive (no /i flag).
4445 | mimeheader T_CDISP_SZ_MANY Content-Disposition =~ /\bsize\s?=\s?\d.*\bsize\s?=\s?\d/ | |
4446 | describe T_CDISP_SZ_MANY Suspicious MIME header | |
4447 | # score T_CDISP_SZ_MANY 2.0 # limit | |
4448 | endif | |
4449 | ##} T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4450 | ||
dfdd1e08 SI |
4451 | ##{ T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
4452 | ||
4453 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4454 | meta T_CTYPE_NULL __CTYPE_NULL | |
4455 | describe T_CTYPE_NULL Malformed Content-Type header | |
4456 | endif | |
4457 | ##} T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4458 | ||
31955ede SI |
4459 | ##{ T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval |
4460 | ||
4461 | ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
# Only loaded when the HeaderEval plugin is available.
# The two arguments are the lower and upper bounds handed to
# check_for_shifted_date. Read as hours, 96 is 4 days and 2920 is about
# 121.7 days, which agrees with "4 days to 4 months" in the describe text.
# NOTE(review): the unit is taken from the describe text; confirm in the
# HeaderEval plugin. The Date: header is sender-controlled, so this is a
# heuristic signal only.
4462 | header T_DATE_IN_FUTURE_96_Q eval:check_for_shifted_date('96', '2920') | |
4463 | describe T_DATE_IN_FUTURE_96_Q Date: is 4 days to 4 months after Received: date | |
4464 | endif | |
4465 | ##} T_DATE_IN_FUTURE_96_Q ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
4466 | ||
b780ea8d SI |
4467 | ##{ T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
4468 | ||
4469 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4470 | meta T_DOC_ATTACH_NO_EXT __ATTACH_NAME_NO_EXT && (__PDF_ATTACH_MT || __DOC_ATTACH_MT) | |
4471 | describe T_DOC_ATTACH_NO_EXT Document attachment with suspicious name | |
4472 | endif | |
4473 | ##} T_DOC_ATTACH_NO_EXT ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4474 | ||
4475 | ##{ T_DOS_OUTLOOK_TO_MX_IMAGE | |
4476 | ||
4477 | meta T_DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH | |
4478 | describe T_DOS_OUTLOOK_TO_MX_IMAGE Direct to MX with Outlook headers and an image | |
4479 | ##} T_DOS_OUTLOOK_TO_MX_IMAGE | |
4480 | ||
4481 | ##{ T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4482 | ||
4483 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
# Fully anchored (^...$), case-sensitive match on a MIME part's Content-Type:
# it fires only on application/zip; name="hardcore.zip" with exactly one
# whitespace character after the ';'. Any other file name, letter case or
# additional parameter does not match, so this is a signature for one
# specific attachment and not a general check on zip attachments.
4484 | mimeheader T_DOS_ZIP_HARDCORE Content-Type =~ /^application\/zip;\sname="hardcore\.zip"$/ | |
4485 | describe T_DOS_ZIP_HARDCORE hardcore.zip file attached; quite certainly a virus | |
4486 | # score T_DOS_ZIP_HARDCORE 2.5 | |
4487 | endif | |
4488 | ##} T_DOS_ZIP_HARDCORE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4489 | ||
4490 | ##{ T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
4491 | ||
4492 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4493 | if (version >= 3.004000) | |
# Meta rule: all three of __PDS_HTML_LENGTH_1024, __URL_SHORTENER and
# DRUGS_ERECTILE must hit; the sub-rules are defined outside this excerpt.
# NOTE(review): the describe text below names T_URL_SHORTENER, while the
# expression tests __URL_SHORTENER; the description looks out of step with
# the expression and should be confirmed against the rule source.
dfdd1e08 | 4494 | meta T_DRUGS_ERECTILE_SHORT_SHORTNER __PDS_HTML_LENGTH_1024 && __URL_SHORTENER && DRUGS_ERECTILE |
b780ea8d SI |
4495 | describe T_DRUGS_ERECTILE_SHORT_SHORTNER Short erectile drugs advert with T_URL_SHORTENER |
4496 | #score T_DRUGS_ERECTILE_SHORT_SHORTNER 1.5 # limit | |
4497 | endif | |
4498 | endif | |
4499 | ##} T_DRUGS_ERECTILE_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
4500 | ||
4501 | ##{ T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4502 | ||
4503 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4504 | meta T_FILL_THIS_FORM_FRAUD_PHISH __FILL_THIS_FORM_FRAUD_PHISH && !__SPOOFED_URL && !__VIA_ML && !__HAS_IN_REPLY_TO && !__THREADED && !__HDR_RCVD_SHOPIFY && !__HAS_ERRORS_TO | |
4505 | describe T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s) | |
4506 | endif | |
4507 | ##} T_FILL_THIS_FORM_FRAUD_PHISH ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4508 | ||
4509 | ##{ T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4510 | ||
4511 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4512 | meta T_FILL_THIS_FORM_LOAN __FILL_THIS_FORM_LOAN && !__COMMENT_EXISTS && !__HTML_LINK_IMAGE | |
4513 | describe T_FILL_THIS_FORM_LOAN Answer loan question(s) | |
4514 | # score T_FILL_THIS_FORM_LOAN 2.0 | |
4515 | endif | |
4516 | ##} T_FILL_THIS_FORM_LOAN ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4517 | ||
4518 | ##{ T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4519 | ||
4520 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4521 | meta T_FILL_THIS_FORM_SHORT __FILL_THIS_FORM_SHORT && !__VIA_ML && !__MSGID_JAVAMAIL | |
4522 | describe T_FILL_THIS_FORM_SHORT Fill in a short form with personal information | |
4523 | # score T_FILL_THIS_FORM_SHORT 1.00 # limit | |
4524 | endif | |
4525 | ##} T_FILL_THIS_FORM_SHORT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4526 | ||
b780ea8d SI |
4527 | ##{ T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo |
4528 | ||
4529 | ifplugin Mail::SpamAssassin::Plugin::ImageInfo | |
4530 | meta T_FORGED_TBIRD_IMG_SIZE __FORGED_TBIRD_IMG && __ONE_IMG && __IMG_LE_300K | |
4531 | describe T_FORGED_TBIRD_IMG_SIZE Likely forged Thunderbird image spam | |
4532 | endif | |
4533 | ##} T_FORGED_TBIRD_IMG_SIZE ifplugin Mail::SpamAssassin::Plugin::ImageInfo | |
4534 | ||
4535 | ##{ T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4536 | ||
4537 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4538 | meta T_FREEMAIL_DOC_PDF __FREEMAIL_DOC_PDF | |
4539 | describe T_FREEMAIL_DOC_PDF MS document or PDF attachment, from freemail | |
4540 | endif | |
4541 | ##} T_FREEMAIL_DOC_PDF ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4542 | ||
dfdd1e08 SI |
4543 | ##{ T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail |
4544 | ||
4545 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4546 | meta T_FREEMAIL_DOC_PDF_BCC __FREEMAIL_DOC_PDF && __TO_UNDISCLOSED | |
4547 | describe T_FREEMAIL_DOC_PDF_BCC MS document or PDF attachment, from freemail, all recipients hidden | |
4548 | endif | |
4549 | ##} T_FREEMAIL_DOC_PDF_BCC ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4550 | ||
b780ea8d SI |
4551 | ##{ T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail |
4552 | ||
4553 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4554 | meta T_FREEMAIL_RVW_ATTCH (__PLS_REVIEW || __DLND_ATTACH) && __FREEMAIL_DOC_PDF | |
4555 | describe T_FREEMAIL_RVW_ATTCH Please review attached document, from freemail | |
4556 | endif | |
4557 | ##} T_FREEMAIL_RVW_ATTCH ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4558 | ||
4559 | ##{ T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4560 | ||
4561 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4562 | meta T_FROMNAME_EQUALS_TO __PLUGIN_FROMNAME_EQUALS_TO | |
4563 | describe T_FROMNAME_EQUALS_TO From:name matches To: | |
4564 | #score T_FROMNAME_EQUALS_TO 1.0 | |
4565 | tflags T_FROMNAME_EQUALS_TO publish | |
4566 | endif | |
4567 | ##} T_FROMNAME_EQUALS_TO ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4568 | ||
4569 | ##{ T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4570 | ||
4571 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4572 | meta T_FROMNAME_SPOOFED_EMAIL (__PLUGIN_FROMNAME_SPOOF && !__VIA_ML && !__VIA_RESIGNER && !__RP_MATCHES_RCVD) | |
4573 | describe T_FROMNAME_SPOOFED_EMAIL From:name looks like a spoofed email | |
4574 | #score T_FROMNAME_SPOOFED_EMAIL 0.3 | |
4575 | tflags T_FROMNAME_SPOOFED_EMAIL publish | |
4576 | endif | |
4577 | ##} T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4578 | ||
4579 | ##{ T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
4580 | ||
4581 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
4582 | meta T_FROM_MULTI_SHORT_IMG __FROM_MULTI_SHORT_IMG && !__RCD_RDNS_MX_MESSY | |
4583 | describe T_FROM_MULTI_SHORT_IMG Multiple From addresses + short message with image | |
4584 | endif | |
4585 | ##} T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
4586 | ||
4587 | ##{ T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4588 | ||
4589 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4590 | body T_FUZZY_OPTOUT /(?:$|\W)(?=<O>)(?!opt[-\s]?out)<O><P><T>[-\s]?<O><U><T>(?:$|\W)/i | |
4591 | describe T_FUZZY_OPTOUT Obfuscated opt-out text | |
4592 | endif | |
4593 | ##} T_FUZZY_OPTOUT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4594 | ||
4595 | ##{ T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4596 | ||
4597 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4598 | body T_FUZZY_SPRM /<inter W1><post P2><S><P><U><R><M>/i | |
4599 | endif | |
4600 | ##} T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4601 | ||
4602 | ##{ T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4603 | ||
4604 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4605 | meta T_FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM | |
4606 | describe T_FUZZY_WELLSFARGO Obfuscated "Wells Fargo" | |
4607 | endif | |
4608 | ##} T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4609 | ||
4610 | ##{ T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4611 | ||
4612 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4613 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4614 | meta T_GB_FREEM_FROM_NOT_REPLY ( !__FROM_EQ_REPLY && FREEMAIL_FROM && FREEMAIL_REPLYTO ) | |
4615 | describe T_GB_FREEM_FROM_NOT_REPLY From: and Reply-To: have different freemail domains | |
4616 | # score T_GB_FREEM_FROM_NOT_REPLY 1.500 # limit | |
4617 | tflags T_GB_FREEM_FROM_NOT_REPLY publish | |
4618 | endif | |
4619 | endif | |
4620 | ##} T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4621 | ||
4622 | ##{ T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4623 | ||
4624 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4625 | meta T_GB_FROMNAME_SPOOFED_EMAIL_IP ( T_FROMNAME_SPOOFED_EMAIL && !__NOT_SPOOFED ) | |
4626 | describe T_GB_FROMNAME_SPOOFED_EMAIL_IP From:name looks like a spoofed email from a spoofed ip | |
4627 | # score T_GB_FROMNAME_SPOOFED_EMAIL_IP 0.50 # limit | |
4628 | tflags T_GB_FROMNAME_SPOOFED_EMAIL_IP publish | |
4629 | endif | |
4630 | ##} T_GB_FROMNAME_SPOOFED_EMAIL_IP ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
4631 | ||
fc5290a3 SI |
4632 | ##{ T_GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) |
4633 | ||
4634 | if (version >= 4.000000) | |
4635 | if can(Mail::SpamAssassin::Conf::feature_capture_rules) | |
# Only loaded on version >= 4.000000 with feature_capture_rules available.
# Matches an http(s) link to storage.cloud.google.com whose path is 4 to 128
# characters followed by '#' and the value substituted for %{GB_TO_ADDR}.
# The '#' is written as \# because an unescaped '#' starts a comment in this
# file format.
# NOTE(review): GB_TO_ADDR is captured by a rule outside this excerpt;
# presumably the recipient address, which would make this a check for links
# personalised per recipient. Confirm against the capturing rule.
4636 | uri T_GB_STORAGE_GOOGLE_EMAIL m|^https?://storage\.cloud\.google\.com/.{4,128}\#%{GB_TO_ADDR}|i | |
4637 | describe T_GB_STORAGE_GOOGLE_EMAIL Google storage cloud abuse | |
4638 | # score T_GB_STORAGE_GOOGLE_EMAIL 2.000 # limit | |
4639 | tflags T_GB_STORAGE_GOOGLE_EMAIL publish | |
4640 | endif | |
4641 | endif | |
4642 | ##} T_GB_STORAGE_GOOGLE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) | |
4643 | ||
31955ede SI |
4644 | ##{ T_GB_WEBFORM ifplugin Mail::SpamAssassin::Plugin::FreeMail |
4645 | ||
4646 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
dfdd1e08 | 4647 | meta T_GB_WEBFORM ( ( __XMAIL_CODEIGN || __XMAIL_PHPMAIL ) && __URL_SHORTENER && FREEMAIL_FROM ) |
31955ede SI |
4648 | describe T_GB_WEBFORM Webform with url shortener |
4649 | # score T_GB_WEBFORM 1.500 # limit | |
4650 | endif | |
4651 | ##} T_GB_WEBFORM ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4652 | ||
fc5290a3 SI |
4653 | ##{ T_GB_YOUTUBE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) |
4654 | ||
4655 | if (version >= 4.000000) | |
4656 | if can(Mail::SpamAssassin::Conf::feature_capture_rules) | |
# Only loaded on version >= 4.000000 with feature_capture_rules available.
# Matches an http(s) youtube.com/attribution_link? URL (optional www.) with
# 20 to 256 characters of query text followed by '/' and the value
# substituted for %{GB_TO_ADDR}.
# NOTE(review): GB_TO_ADDR is captured by a rule outside this excerpt;
# presumably the recipient address embedded in the link. Confirm against
# the capturing rule.
4657 | uri T_GB_YOUTUBE_EMAIL m|^https?://(?:www\.)?youtube\.com/attribution_link\?.{20,256}/%{GB_TO_ADDR}|i | |
4658 | describe T_GB_YOUTUBE_EMAIL Youtube attribution links abuse | |
4659 | # score T_GB_YOUTUBE_EMAIL 2.000 # limit | |
4660 | endif | |
4661 | endif | |
4662 | ##} T_GB_YOUTUBE_EMAIL if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules) | |
4663 | ||
4664 | ##{ T_HDRS_LCASE | |
4665 | ||
# This block holds only the description and a commented-out score for
# T_HDRS_LCASE. The meta expression itself is defined twice in the
# plugin-conditional blocks that follow: once under
# "if !plugin(...FreeMail)" and once under "ifplugin ...FreeMail".
# The two expressions are identical except that the FreeMail variant adds
# the exclusion !__freemail_safe.
4666 | describe T_HDRS_LCASE Odd capitalization of message header | |
4667 | #score T_HDRS_LCASE 0.10 # limit | |
4668 | ##} T_HDRS_LCASE | |
4669 | ||
4670 | ##{ T_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
4671 | ||
4672 | if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
4673 | meta T_HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO | |
4674 | endif | |
4675 | ##} T_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
4676 | ||
4677 | ##{ T_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4678 | ||
4679 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4680 | meta T_HDRS_LCASE __HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__BUGGED_IMG && !__SUBSCRIPTION_INFO && !NO_RELAYS && !__RDNS_NONE && !__MIME_BASE64 && !__SUBJECT_ENCODED_B64 && !__RCD_RDNS_MX_MESSY && !__HTML_LINK_IMAGE && !__RDNS_SHORT && !__TAG_EXISTS_STYLE && !ALL_TRUSTED && !__NOT_SPOOFED && !__RCD_RDNS_SMTP_MESSY && !__NAKED_TO | |
4681 | endif | |
4682 | ##} T_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4683 | ||
b780ea8d SI |
4684 | ##{ T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) |
4685 | ||
4686 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4687 | if (version >= 3.004000) | |
4688 | meta T_HK_NAME_FM_FROM __HK_NAME_FROM && FREEMAIL_FROM | |
4689 | # score T_HK_NAME_FM_FROM 1.5 | |
4690 | endif | |
4691 | endif | |
4692 | ##} T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
4693 | ||
31955ede SI |
4694 | ##{ T_HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) |
4695 | ||
4696 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4697 | if (version >= 3.004000) | |
4698 | meta T_HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM | |
4699 | # score T_HK_NAME_FM_MR_MRS 1.5 | |
4700 | endif | |
4701 | endif | |
4702 | ##} T_HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
4703 | ||
b780ea8d SI |
4704 | ##{ T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) |
4705 | ||
4706 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4707 | if (version >= 3.004000) | |
4708 | meta T_HK_NAME_FROM __HK_NAME_FROM && !FREEMAIL_FROM | |
4709 | # score T_HK_NAME_FROM 1.0 | |
4710 | endif | |
4711 | endif | |
4712 | ##} T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000) | |
4713 | ||
dfdd1e08 SI |
4714 | ##{ T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
4715 | ||
4716 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4717 | meta T_HK_SPAMMY_FILENAME __HK_SPAMMY_CTFN || __HK_SPAMMY_CDFN | |
4718 | endif | |
4719 | ##} T_HK_SPAMMY_FILENAME ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4720 | ||
b780ea8d SI |
4721 | ##{ T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
4722 | ||
4723 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4724 | meta T_HTML_ATTACH __HTML_ATTACH_01 || __HTML_ATTACH_02 | |
4725 | describe T_HTML_ATTACH HTML attachment to bypass scanning? | |
4726 | endif | |
4727 | ##} T_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4728 | ||
fc5290a3 SI |
4729 | ##{ T_HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval |
4730 | ||
4731 | ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
4732 | meta T_HTML_TAG_BALANCE_CENTER __HTML_TAG_BALANCE_CENTER && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY | |
4733 | describe T_HTML_TAG_BALANCE_CENTER Malformatted HTML | |
4734 | endif | |
4735 | ##} T_HTML_TAG_BALANCE_CENTER ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
4736 | ||
b780ea8d SI |
4737 | ##{ T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
4738 | ||
4739 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4740 | meta T_ISO_ATTACH __ISO_ATTACH || __ISO_ATTACH_MT | |
4741 | describe T_ISO_ATTACH ISO attachment - possible malware delivery | |
4742 | # score T_ISO_ATTACH 3.000 # limit | |
4743 | endif | |
4744 | ##} T_ISO_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4745 | ||
4746 | ##{ T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
4747 | ||
4748 | ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
4749 | meta T_KAM_HTML_FONT_INVALID __KAM_HTML_FONT_INVALID | |
4750 | describe T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML | |
4751 | #score T_KAM_HTML_FONT_INVALID 0.1 | |
4752 | endif | |
4753 | ##} T_KAM_HTML_FONT_INVALID ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
4754 | ||
4755 | ##{ T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4756 | ||
4757 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4758 | meta T_LARGE_PCT_AFTER_MANY __LARGE_PERCENT_AFTER > 3 | |
4759 | describe T_LARGE_PCT_AFTER_MANY Many large percentages after... | |
4760 | endif | |
4761 | ##} T_LARGE_PCT_AFTER_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4762 | ||
4763 | ##{ T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4764 | ||
4765 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4766 | body T_LFUZ_PWRMALE /<inter W1><post P2><P><O><W><E><R><M><A><L><E>/i | |
4767 | endif | |
4768 | ##} T_LFUZ_PWRMALE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4769 | ||
fc5290a3 SI |
4770 | ##{ T_LOTTO_AGENT |
4771 | ||
4772 | meta T_LOTTO_AGENT __LOTTO_AGENT && !__HAS_IN_REPLY_TO && !__THREADED && !__TO_YOUR_ORG && !__DKIM_EXISTS && !__TRAVEL_ITINERARY && !__AUTO_ACCIDENT && !__HAS_ERRORS_TO && !__RP_MATCHES_RCVD | |
4773 | describe T_LOTTO_AGENT Claims Agent | |
4774 | #score T_LOTTO_AGENT 1.50 # limit | |
4775 | ##} T_LOTTO_AGENT | |
4776 | ||
b780ea8d SI |
4777 | ##{ T_LOTTO_AGENT_FM |
4778 | ||
4779 | header T_LOTTO_AGENT_FM From =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize[\s_.]transfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i | |
4780 | describe T_LOTTO_AGENT_FM Claims Agent | |
4781 | ##} T_LOTTO_AGENT_FM | |
4782 | ||
4783 | ##{ T_LOTTO_AGENT_RPLY | |
4784 | ||
4785 | meta T_LOTTO_AGENT_RPLY __LOTTO_AGENT_RPLY && !__TO_YOUR_ORG | |
4786 | describe T_LOTTO_AGENT_RPLY Claims Agent | |
4787 | ##} T_LOTTO_AGENT_RPLY | |
4788 | ||
4789 | ##{ T_LOTTO_URI | |
4790 | ||
4791 | uri T_LOTTO_URI /(?:claim(?:s|ing)?(?:[-_]?processing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)?[-_]?rem+it+ance|award)[-_]?(?:department|dept|unit|group|committee|office|agent|manager|secretary)/i | |
4792 | describe T_LOTTO_URI Claims Department URL | |
4793 | ##} T_LOTTO_URI | |
4794 | ||
dfdd1e08 SI |
4795 | ##{ T_MANY_HDRS_LCASE |
4796 | ||
4797 | describe T_MANY_HDRS_LCASE Odd capitalization of multiple message headers | |
4798 | #score T_MANY_HDRS_LCASE 0.10 # limit | |
4799 | ##} T_MANY_HDRS_LCASE | |
4800 | ||
4801 | ##{ T_MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
4802 | ||
4803 | if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
4804 | meta T_MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE | |
4805 | endif | |
4806 | ##} T_MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
4807 | ||
4808 | ##{ T_MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4809 | ||
4810 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4811 | meta T_MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE | |
4812 | endif | |
4813 | ##} T_MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
4814 | ||
b780ea8d SI |
4815 | ##{ T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
4816 | ||
4817 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4818 | meta T_MANY_PILL_PRICE (__PILL_PRICE_01 + __PILL_PRICE_02) > 2 | |
4819 | describe T_MANY_PILL_PRICE Prices for many pills | |
4820 | endif | |
4821 | ##} T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
4822 | ||
4823 | ##{ T_MIME_MALF if (version >= 3.004000) | |
4824 | ||
4825 | if (version >= 3.004000) | |
4826 | meta T_MIME_MALF __MIME_MALF && !ALL_TRUSTED | |
4827 | describe T_MIME_MALF Malformed MIME: headers in body | |
4828 | # score T_MIME_MALF 2.00 # limit | |
4829 | endif | |
4830 | ##} T_MIME_MALF if (version >= 3.004000) | |
4831 | ||
4832 | ##{ T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4833 | ||
4834 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4835 | meta T_MONEY_PERCENT LOTS_OF_MONEY && (__PCT_FOR_YOU || __PCT_OF_PMTS || __FIFTY_FIFTY) | |
4836 | describe T_MONEY_PERCENT X% of a lot of money for you | |
4837 | endif | |
4838 | ##} T_MONEY_PERCENT ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4839 | ||
4840 | ##{ T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4841 | ||
4842 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4843 | meta T_OBFU_ATTACH_MISSP __FROM_RUNON && (T_OBFU_HTML_ATTACH || OBFU_TEXT_ATTACH || T_OBFU_DOC_ATTACH || T_OBFU_PDF_ATTACH || T_OBFU_JPG_ATTACH || T_OBFU_GIF_ATTACH) | |
4844 | describe T_OBFU_ATTACH_MISSP Obfuscated attachment type and misspaced From | |
4845 | endif | |
4846 | ##} T_OBFU_ATTACH_MISSP ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4847 | ||
4848 | ##{ T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4849 | ||
4850 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
     | # Fires when a MIME part's Content-Type header contains application/octet-stream and, | |
     | # later in the same header, ".doc" or ".rtf" followed by a word boundary. | |
     | # NOTE(review): because of the trailing \b, longer extensions that begin with "doc" | |
     | # (for example .docx) do not match. Only Content-Type is inspected, so a file name | |
     | # carried solely in Content-Disposition is not seen by this rule. Confirm whether other | |
     | # rules cover those cases before relying on this one for attachment-type mismatch. | |
4851 | mimeheader T_OBFU_DOC_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.(?:doc|rtf)\b,i | |
4852 | describe T_OBFU_DOC_ATTACH MS Document attachment with generic MIME type | |
4853 | endif | |
4854 | ##} T_OBFU_DOC_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4855 | ||
4856 | ##{ T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4857 | ||
4858 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4859 | mimeheader T_OBFU_GIF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.gif\b,i | |
4860 | describe T_OBFU_GIF_ATTACH GIF attachment with generic MIME type | |
4861 | endif | |
4862 | ##} T_OBFU_GIF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4863 | ||
4864 | ##{ T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4865 | ||
4866 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
     | # Fires when a MIME part's Content-Type header contains application/octet-stream and, | |
     | # later in the same header, a .htm / .html / .shtm / .shtml name (the "s" and "l" are optional). | |
     | # NOTE(review): the describe text says "non-text MIME type", but the pattern tests only | |
     | # application/octet-stream; HTML sent under any other non-text type is outside this rule. | |
     | # Only Content-Type is inspected, not Content-Disposition. | |
dfdd1e08 | 4867 | mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.s?html?\b,i |
b780ea8d SI |
4868 | describe T_OBFU_HTML_ATTACH HTML attachment with non-text MIME type |
4869 | endif | |
4870 | ##} T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4871 | ||
4872 | ##{ T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4873 | ||
4874 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4875 | meta T_OBFU_HTML_ATT_MALW __ZIP_ATTACH_NOFN && __HTML_ATTACH_02 | |
4876 | describe T_OBFU_HTML_ATT_MALW HTML attachment with incorrect MIME type - possible malware | |
4877 | endif | |
4878 | ##} T_OBFU_HTML_ATT_MALW ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4879 | ||
4880 | ##{ T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4881 | ||
4882 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4883 | mimeheader T_OBFU_JPG_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.jpe?g\b,i | |
4884 | describe T_OBFU_JPG_ATTACH JPG attachment with generic MIME type | |
4885 | endif | |
4886 | ##} T_OBFU_JPG_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4887 | ||
4888 | ##{ T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4889 | ||
4890 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4891 | mimeheader T_OBFU_PDF_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.pdf\b,i | |
4892 | describe T_OBFU_PDF_ATTACH PDF attachment with generic MIME type | |
4893 | endif | |
4894 | ##} T_OBFU_PDF_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
4895 | ||
dfdd1e08 SI |
4896 | ##{ T_OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval |
4897 | ||
4898 | if (version >= 3.004002) | |
4899 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4900 | meta T_OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA | |
4901 | describe T_OFFER_ONLY_AMERICA Offer only available to US | |
4902 | #score T_OFFER_ONLY_AMERICA 2.0 # limit | |
4903 | endif | |
4904 | endif | |
4905 | ##} T_OFFER_ONLY_AMERICA if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4906 | ||
b780ea8d SI |
4907 | ##{ T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags |
4908 | ||
4909 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4910 | meta T_PDS_BTC_AHACKER ( __PDS_BTC_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON ) | |
4911 | describe T_PDS_BTC_AHACKER Bitcoin Hacker | |
4912 | # score T_PDS_BTC_AHACKER 3.0 # limit | |
4913 | endif | |
4914 | ##} T_PDS_BTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4915 | ||
4916 | ##{ T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4917 | ||
4918 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4919 | meta T_PDS_BTC_HACKER ( __PDS_BTC_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM ) | |
4920 | describe T_PDS_BTC_HACKER Bitcoin Hacker | |
4921 | # score T_PDS_BTC_HACKER 2.0 # limit | |
4922 | endif | |
4923 | ##} T_PDS_BTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4924 | ||
fc5290a3 SI |
4925 | ##{ T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval |
4926 | ||
4927 | if (version >= 3.004002) | |
4928 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4929 | meta T_PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD ) | |
4930 | describe T_PDS_BTC_NTLD Bitcoin suspect NTLD | |
4931 | #score T_PDS_BTC_NTLD 2.0 # limit | |
4932 | endif | |
4933 | endif | |
4934 | ##} T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4935 | ||
4936 | ##{ T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
4937 | ||
4938 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4939 | if (version >= 3.004000) | |
4940 | meta T_PDS_EMPTYSUBJ_URISHRT __URL_SHORTENER && __SUBJECT_EMPTY && __PDS_MSG_1024 | |
4941 | describe T_PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener | |
4942 | #score T_PDS_EMPTYSUBJ_URISHRT 1.5 # limit | |
4943 | endif | |
4944 | endif | |
4945 | ##} T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
4946 | ||
b780ea8d SI |
4947 | ##{ T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) |
4948 | ||
4949 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4950 | if (version >= 3.004000) | |
dfdd1e08 | 4951 | meta T_PDS_FREEMAIL_REPLYTO_URISHRT __URL_SHORTENER && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048 |
b780ea8d SI |
4952 | describe T_PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener |
4953 | #score T_PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit | |
4954 | endif | |
4955 | endif | |
4956 | ##} T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
4957 | ||
21dcadbf | 4958 | ##{ T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) |
31955ede | 4959 | |
21dcadbf SI |
4960 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) |
4961 | meta T_PDS_FROM_2_EMAILS __PDS_FROM_2_EMAILS && !__VIA_ML && !__VIA_RESIGNER && !__MSGID_JAVAMAIL && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__DKIM_EXISTS | |
4962 | describe T_PDS_FROM_2_EMAILS From header has multiple different addresses | |
4963 | # score T_PDS_FROM_2_EMAILS 3.500 # limit | |
31955ede | 4964 | endif |
21dcadbf | 4965 | ##} T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) |
31955ede | 4966 | |
fc5290a3 SI |
4967 | ##{ T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) |
4968 | ||
4969 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4970 | if (version >= 3.004000) | |
4971 | meta T_PDS_FROM_2_EMAILS_SHRTNER __URL_SHORTENER && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF) && __BODY_URI_ONLY | |
4972 | describe T_PDS_FROM_2_EMAILS_SHRTNER From 2 emails short email with little more than a URI shortener | |
4973 | #score T_PDS_FROM_2_EMAILS_SHRTNER 1.5 # limit | |
4974 | endif | |
4975 | endif | |
4976 | ##} T_PDS_FROM_2_EMAILS_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
4977 | ||
b780ea8d SI |
4978 | ##{ T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags |
4979 | ||
4980 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4981 | meta T_PDS_LTC_AHACKER ( __PDS_LITECOIN_ID && __PDS_BTC_BADFROM && __PDS_BTC_ANON ) | |
4982 | describe T_PDS_LTC_AHACKER Litecoin Hacker | |
4983 | # score T_PDS_LTC_AHACKER 3.0 # limit | |
4984 | endif | |
4985 | ##} T_PDS_LTC_AHACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4986 | ||
4987 | ##{ T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4988 | ||
4989 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4990 | meta T_PDS_LTC_HACKER ( __PDS_LITECOIN_ID && __PDS_BTC_ANON && !__PDS_BTC_BADFROM ) | |
4991 | describe T_PDS_LTC_HACKER Litecoin Hacker | |
4992 | # score T_PDS_LTC_HACKER 2.0 # limit | |
4993 | endif | |
4994 | ##} T_PDS_LTC_HACKER ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
4995 | ||
fc5290a3 SI |
4996 | ##{ T_PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) |
4997 | ||
4998 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
4999 | if (version >= 3.004000) | |
5000 | meta T_PDS_NO_FULL_NAME_SPOOFED_URL __PDS_MSG_1024 && __KHOP_NO_FULL_NAME && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER) | |
5001 | describe T_PDS_NO_FULL_NAME_SPOOFED_URL HTML message short, T_SPOOFED_URL and T_KHOP_NO_FULL_NAME | |
5002 | #score T_PDS_NO_FULL_NAME_SPOOFED_URL 0.75 # limit | |
5003 | endif | |
5004 | endif | |
5005 | ##} T_PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5006 | ||
21dcadbf SI |
5007 | ##{ T_PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval |
5008 | ||
5009 | if (version >= 3.004002) | |
5010 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
     | # Eval rule: asks check_uri_host_listed whether a URI host in the message is on the | |
     | # named host list 'SUSP_URI_NTLD'. Active only on version >= 3.004002 with WLBLEval loaded. | |
     | # NOTE(review): the list itself is defined outside this part of the file. The rule is only | |
     | # as current as that list; presumably it never fires if the list is empty or missing, | |
     | # so confirm the list is populated and maintained. | |
5011 | header T_PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD') | |
5012 | #score T_PDS_OTHER_BAD_TLD 2.0 | |
5013 | describe T_PDS_OTHER_BAD_TLD Untrustworthy TLDs | |
5014 | endif | |
5015 | endif | |
5016 | ##} T_PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5017 | ||
b780ea8d SI |
5018 | ##{ T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval |
5019 | ||
5020 | if (version >= 3.004002) | |
5021 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5022 | header T_PDS_PRO_TLD eval:check_uri_host_listed('SUSP_URI_NTLD_PRO') | |
5023 | #score T_PDS_PRO_TLD 1.0 | |
5024 | describe T_PDS_PRO_TLD .pro TLD | |
5025 | endif | |
5026 | endif | |
5027 | ##} T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5028 | ||
5029 | ##{ T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5030 | ||
5031 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5032 | if (version >= 3.004000) | |
dfdd1e08 | 5033 | meta T_PDS_SHORTFWD_URISHRT __URL_SHORTENER && (__THREADED || __HAS_IN_REPLY_TO || __HAS_THREAD_INDEX || __URI_MAILTO || __REPTO_QUOTE) && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048 |
b780ea8d SI |
5034 | describe T_PDS_SHORTFWD_URISHRT Threaded email with URI shortener |
5035 | #score T_PDS_SHORTFWD_URISHRT 1.5 # limit | |
5036 | endif | |
5037 | endif | |
5038 | ##} T_PDS_SHORTFWD_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5039 | ||
31955ede SI |
5040 | ##{ T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) |
5041 | ||
5042 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5043 | if (version >= 3.004000) | |
dfdd1e08 | 5044 | meta T_PDS_SHORTFWD_URISHRT_FP __URL_SHORTENER && __HS_SUBJ_RE_FW && __PDS_MSG_512 |
31955ede SI |
5045 | describe T_PDS_SHORTFWD_URISHRT_FP Apparently a short fwd/re with URI shortener |
5046 | #score T_PDS_SHORTFWD_URISHRT_FP 1.5 # limit | |
5047 | endif | |
5048 | endif | |
5049 | ##} T_PDS_SHORTFWD_URISHRT_FP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5050 | ||
5051 | ##{ T_PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5052 | ||
5053 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5054 | if (version >= 3.004000) | |
     | # Meta: URL shortener + Re/Fw style subject + __T_PDS_MSG_512, and only when | |
     | # T_PDS_SHORTFWD_URISHRT_FP did not hit. | |
     | # NOTE(review): the sibling _FP rule uses __PDS_MSG_512, while this one uses | |
     | # __T_PDS_MSG_512, whose definition is not visible in this part of the file. Confirm the | |
     | # subrule exists (spamassassin --lint reports undefined meta dependencies) and that it | |
     | # differs from __PDS_MSG_512; if the two were equivalent, the !..._FP term would keep | |
     | # this rule from ever firing. | |
     | # The describe text is identical to the _FP rule, so reports cannot tell the two apart. | |
dfdd1e08 | 5055 | meta T_PDS_SHORTFWD_URISHRT_QP __URL_SHORTENER && __HS_SUBJ_RE_FW && __T_PDS_MSG_512 && !T_PDS_SHORTFWD_URISHRT_FP |
31955ede SI |
5056 | describe T_PDS_SHORTFWD_URISHRT_QP Apparently a short fwd/re with URI shortener |
5057 | #score T_PDS_SHORTFWD_URISHRT_QP 1.5 # limit | |
5058 | endif | |
5059 | endif | |
5060 | ##} T_PDS_SHORTFWD_URISHRT_QP ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5061 | ||
fc5290a3 | 5062 | ##{ T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) |
b780ea8d | 5063 | |
fc5290a3 SI |
5064 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval |
5065 | if (version >= 3.004000) | |
5066 | meta T_PDS_SHORT_SPOOFED_URL __PDS_MSG_1024 && __SPOOFED_URL && !(__VIA_ML || __SENDER_BOT || __YAHOO_BULK || __UNSUB_LINK || __THREADED || __URL_SHORTENER) | |
5067 | describe T_PDS_SHORT_SPOOFED_URL HTML message short and T_SPOOFED_URL (S_U_FP) | |
5068 | #score T_PDS_SHORT_SPOOFED_URL 2.0 | |
b780ea8d | 5069 | endif |
fc5290a3 SI |
5070 | endif |
5071 | ##} T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5072 | ||
5073 | ##{ T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5074 | ||
5075 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5076 | if (version >= 3.004000) | |
5077 | meta T_PDS_TINYSUBJ_URISHRT __URL_SHORTENER && __SUBJ_SHORT && __PDS_MSG_1024 | |
5078 | describe T_PDS_TINYSUBJ_URISHRT Short subject with URL shortener | |
5079 | #score T_PDS_TINYSUBJ_URISHRT 1.5 # limit | |
5080 | endif | |
5081 | endif | |
5082 | ##} T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
cabe596e SI |
5083 | |
5084 | ##{ T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5085 | ||
5086 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5087 | if (version >= 3.004000) | |
dfdd1e08 | 5088 | meta T_PDS_URISHRT_LOCALPART_SUBJ LOCALPART_IN_SUBJECT && __URL_SHORTENER && __PDS_MSG_1024 |
cabe596e SI |
5089 | describe T_PDS_URISHRT_LOCALPART_SUBJ Localpart of To in subject |
5090 | #score T_PDS_URISHRT_LOCALPART_SUBJ 1.0 | |
5091 | endif | |
5092 | endif | |
5093 | ##} T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
b780ea8d | 5094 | |
dfdd1e08 SI |
5095 | ##{ T_PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
5096 | ||
5097 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5098 | meta T_PHOTO_EDITING_DIRECT (__PHOTO_RETOUCHING && __DOS_DIRECT_TO_MX) && !ALL_TRUSTED && !__HAS_HREF | |
5099 | describe T_PHOTO_EDITING_DIRECT Image editing service, direct to MX | |
5100 | # score T_PHOTO_EDITING_DIRECT 3.000 # limit | |
5101 | endif | |
5102 | ##} T_PHOTO_EDITING_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5103 | ||
5104 | ##{ T_PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
46cfc9e2 | 5105 | |
dfdd1e08 SI |
5106 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
5107 | meta T_PHOTO_EDITING_FREEM __PHOTO_RETOUCHING > 4 && (__REPTO_CHN_FREEM || __freemail_hdr_replyto) | |
5108 | describe T_PHOTO_EDITING_FREEM Image editing service, freemail or CHN replyto | |
5109 | # score T_PHOTO_EDITING_FREEM 3.750 # limit | |
5110 | endif | |
5111 | ##} T_PHOTO_EDITING_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
46cfc9e2 | 5112 | |
b780ea8d SI |
5113 | ##{ T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { |
5114 | ||
5115 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { | |
5116 | meta T_REMOTE_IMAGE __REMOTE_IMAGE | |
5117 | describe T_REMOTE_IMAGE Message contains an external image | |
5118 | endif | |
5119 | ##} T_REMOTE_IMAGE ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { | |
5120 | ||
fc5290a3 SI |
5121 | ##{ T_SCC_BODY_TEXT_LINE |
5122 | ||
5123 | meta T_SCC_BODY_TEXT_LINE __SCC_BODY_TEXT_LINE_FULL - __SCC_SUBJECT_HAS_NON_SPACE | |
5124 | tflags T_SCC_BODY_TEXT_LINE nice | |
5125 | ##} T_SCC_BODY_TEXT_LINE | |
5126 | ||
5127 | ##{ T_SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5128 | ||
5129 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5130 | meta T_SCC_BOGUS_CTE_1 __SCC_BOGUS_CTE_1 | |
5131 | describe T_SCC_BOGUS_CTE_1 Bogus Content-Transfer-Encoding header | |
5132 | tflags T_SCC_BOGUS_CTE_1 publish | |
5133 | endif | |
5134 | ##} T_SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5135 | ||
b780ea8d SI |
5136 | ##{ T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval |
5137 | ||
5138 | if (version >= 3.004002) | |
5139 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5140 | meta T_SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR | |
5141 | describe T_SENT_TO_EMAIL_ADDR Email was sent to email address | |
5142 | #score T_SENT_TO_EMAIL_ADDR 2.0 # limit | |
5143 | endif | |
5144 | endif | |
5145 | ##} T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5146 | ||
5147 | ##{ T_SHARE_50_50 | |
5148 | ||
5149 | meta T_SHARE_50_50 (__SHARE_IT || __AGREED_RATIO) && __FIFTY_FIFTY | |
5150 | describe T_SHARE_50_50 Share the money 50/50 | |
5151 | ##} T_SHARE_50_50 | |
5152 | ||
fc5290a3 SI |
5153 | ##{ T_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) |
5154 | ||
5155 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5156 | if (version >= 3.004000) | |
5157 | meta T_SHORT_SHORTNER __PDS_MSG_512 && __URL_SHORTENER && !DRUGS_ERECTILE | |
5158 | describe T_SHORT_SHORTNER Short body with little more than a link to a shortener | |
5159 | #score T_SHORT_SHORTNER 2.0 # limit | |
5160 | endif | |
5161 | endif | |
5162 | ##} T_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5163 | ||
b780ea8d SI |
5164 | ##{ T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
5165 | ||
5166 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5167 | meta T_STY_INVIS_DIRECT __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK | |
5168 | describe T_STY_INVIS_DIRECT HTML hidden text + direct-to-MX | |
5169 | # score T_STY_INVIS_DIRECT 2.500 # limit | |
5170 | endif | |
5171 | ##} T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5172 | ||
5173 | ##{ T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5174 | ||
5175 | if (version >= 3.004002) | |
5176 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5177 | meta T_SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD | |
5178 | describe T_SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money | |
5179 | #score T_SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit | |
5180 | endif | |
5181 | endif | |
5182 | ##} T_SUSPNTLD_EXPIRATION_EXTORT if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5183 | ||
5184 | ##{ T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5185 | ||
5186 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5187 | if (version >= 3.004000) | |
5188 | meta T_TONOM_EQ_TOLOC_SHRT_PSHRTNER __PDS_SHORT_URL && __PDS_TONAME_EQ_TOLOCAL && __SUBJ_SHORT | |
5189 | describe T_TONOM_EQ_TOLOC_SHRT_PSHRTNER Short subject with potential shortener and To:name eq To:local | |
5190 | #score T_TONOM_EQ_TOLOC_SHRT_PSHRTNER 1.5 # limit | |
5191 | endif | |
5192 | endif | |
5193 | ##} T_TONOM_EQ_TOLOC_SHRT_PSHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5194 | ||
fc5290a3 SI |
5195 | ##{ T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) |
5196 | ||
5197 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5198 | if (version >= 3.004000) | |
5199 | meta T_TONOM_EQ_TOLOC_SHRT_SHRTNER __URL_SHORTENER && __PDS_TONAME_EQ_TOLOCAL && __PDS_MSG_1024 | |
5200 | describe T_TONOM_EQ_TOLOC_SHRT_SHRTNER Short email with shortener and To:name eq To:local | |
5201 | #score T_TONOM_EQ_TOLOC_SHRT_SHRTNER 1.5 # limit | |
5202 | endif | |
5203 | endif | |
5204 | ##} T_TONOM_EQ_TOLOC_SHRT_SHRTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5205 | ||
b780ea8d SI |
5206 | ##{ T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags |
5207 | ||
5208 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
     | # Body rule built from ReplaceTags placeholders (<S>, <E>, <C>, <T>, <O>, <R>), one per | |
     | # letter of "sector". The negative lookahead (?!sector) rejects the plain spelling, so | |
     | # only variant spellings can match. | |
     | # NOTE(review): the replace_tag definitions and the replace_rules entry that enables | |
     | # expansion for this rule are not in this part of the file; confirm they exist, since | |
     | # without them the placeholders would presumably be matched literally. | |
     | # No describe line is given for this rule. | |
5209 | body T_TVD_FUZZY_SECTOR /(?!sector)<S><E><C><T><O><R>/i | |
5210 | endif | |
5211 | ##} T_TVD_FUZZY_SECTOR ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5212 | ||
5213 | ##{ T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5214 | ||
5215 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5216 | body T_TVD_FUZZY_SECURITIES /<inter W2><post P2>(?!securities)(?!security,? es)<S><E><C><U><R><I><T><I><E><S>/i | |
5217 | endif | |
5218 | ##} T_TVD_FUZZY_SECURITIES ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
5219 | ||
5220 | ##{ T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5221 | ||
5222 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5223 | mimeheader T_TVD_FW_GRAPHIC_ID2 Content-Id =~ /<(?:[0-9A-F]{8}\.){3}[0-9A-F]{8}/ | |
5224 | endif | |
5225 | ##} T_TVD_FW_GRAPHIC_ID2 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5226 | ||
5227 | ##{ T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
5228 | ||
5229 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
5230 | body T_TVD_MIME_EPI eval:check_msg_parse_flags('mime_epilogue_exists') | |
5231 | endif | |
5232 | ##} T_TVD_MIME_EPI ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
5233 | ||
5234 | ##{ T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
5235 | ||
5236 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
5237 | body T_TVD_MIME_NO_HEADERS eval:check_msg_parse_flags('missing_mime_headers') | |
5238 | endif | |
5239 | ##} T_TVD_MIME_NO_HEADERS ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
5240 | ||
5241 | ##{ T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5242 | ||
5243 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5244 | meta T_WON_MONEY_ATTACH __YOU_WON && LOTS_OF_MONEY && (__PDF_ATTACH || __DOC_ATTACH) | |
5245 | describe T_WON_MONEY_ATTACH You won lots of money! See attachment. | |
5246 | endif | |
5247 | ##} T_WON_MONEY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5248 | ||
5249 | ##{ T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5250 | ||
5251 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
     | # Meta: __YOU_WON plus __EMPTY_BODY plus at least one of the PDF, DOC, GIF or JPEG | |
     | # attachment subrules, i.e. the message text is carried in the attachment. | |
     | # NOTE(review): the describe text is the same as T_WON_MONEY_ATTACH and mentions | |
     | # "lots of money", but this meta does not test LOTS_OF_MONEY; it tests __EMPTY_BODY | |
     | # instead. A distinct description would make reports easier to triage. | |
5252 | meta T_WON_NBDY_ATTACH __YOU_WON && __EMPTY_BODY && (__PDF_ATTACH || __DOC_ATTACH || __GIF_ATTACH || __JPEG_ATTACH) | |
5253 | describe T_WON_NBDY_ATTACH You won lots of money! See attachment. | |
5254 | endif | |
5255 | ##} T_WON_NBDY_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5256 | ||
fc5290a3 SI |
5257 | ##{ T_XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) |
5258 | ||
5259 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5260 | if (version >= 3.004000) | |
5261 | meta T_XPRIO_URL_SHORTNER __XPRIO_MINFP && __URL_SHORTENER | |
5262 | describe T_XPRIO_URL_SHORTNER X-Priority header and short URL | |
5263 | #score T_XPRIO_URL_SHORTNER 1.0 # limit | |
5264 | endif | |
5265 | endif | |
5266 | ##} T_XPRIO_URL_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000) | |
5267 | ||
b780ea8d SI |
5268 | ##{ T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
5269 | ||
5270 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5271 | meta T_ZW_OBFU_BITCOIN __UNICODE_OBFU_ZW && __BITCOIN_ID | |
5272 | describe T_ZW_OBFU_BITCOIN Obfuscated text + bitcoin ID - possible extortion | |
5273 | # score T_ZW_OBFU_BITCOIN 2.500 # limit | |
5274 | endif | |
5275 | ##} T_ZW_OBFU_BITCOIN if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5276 | ||
dfdd1e08 SI |
5277 | ##{ T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
5278 | ||
5279 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5280 | meta T_ZW_OBFU_FREEM __UNICODE_OBFU_ZW && __freemail_hdr_replyto | |
5281 | describe T_ZW_OBFU_FREEM Obfuscated text + freemail | |
5282 | # score T_ZW_OBFU_FREEM 2.000 # limit | |
5283 | endif | |
5284 | ##} T_ZW_OBFU_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5285 | ||
b780ea8d SI |
5286 | ##{ T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
5287 | ||
5288 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5289 | meta T_ZW_OBFU_FROMTOSUBJ __UNICODE_OBFU_ZW && FROM_IN_TO_AND_SUBJ | |
5290 | describe T_ZW_OBFU_FROMTOSUBJ Obfuscated text + from in to and subject | |
5291 | # score T_ZW_OBFU_FROMTOSUBJ 2.000 # limit | |
5292 | endif | |
5293 | ##} T_ZW_OBFU_FROMTOSUBJ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5294 | ||
5295 | ##{ UC_GIBBERISH_OBFU | |
5296 | ||
5297 | meta UC_GIBBERISH_OBFU (__UC_GIBB_OBFU > 1) && !__RP_MATCHES_RCVD && !__VIA_ML && !__DKIM_EXISTS && !ALL_TRUSTED | |
5298 | describe UC_GIBBERISH_OBFU Multiple instances of "word VERYLONGGIBBERISH word" | |
5299 | #score UC_GIBBERISH_OBFU 3.000 # Limit | |
5300 | tflags UC_GIBBERISH_OBFU publish | |
5301 | ##} UC_GIBBERISH_OBFU | |
5302 | ||
5303 | ##{ UNDISC_FREEM | |
5304 | ||
5305 | meta UNDISC_FREEM __UNDISC_FREEM | |
5306 | describe UNDISC_FREEM Undisclosed recipients + freemail reply-to | |
5307 | tflags UNDISC_FREEM publish | |
5308 | ##} UNDISC_FREEM | |
5309 | ||
5310 | ##{ UNDISC_MONEY | |
5311 | ||
5312 | meta UNDISC_MONEY __UNDISC_MONEY && !__VIA_ML && !__MSGID_HEXISH | |
5313 | describe UNDISC_MONEY Undisclosed recipients + money/fraud signs | |
5314 | tflags UNDISC_MONEY publish | |
5315 | ##} UNDISC_MONEY | |
5316 | ||
5317 | ##{ UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5318 | ||
5319 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5320 | meta UNICODE_OBFU_ASC __UNICODE_OBFU_ASC && !__SPAN_BEG_TEXT && !HTML_IMAGE_ONLY_32 | |
5321 | describe UNICODE_OBFU_ASC Obfuscating text with unicode | |
5322 | # score UNICODE_OBFU_ASC 2.500 # limit | |
5323 | tflags UNICODE_OBFU_ASC publish | |
5324 | endif | |
5325 | ##} UNICODE_OBFU_ASC if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5326 | ||
5327 | ##{ UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5328 | ||
5329 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5330 | meta UNICODE_OBFU_ZW __UNICODE_OBFU_ZW_2 && !__SUBSCRIPTION_INFO && !__RCD_RDNS_MAIL_MESSY && !__DOS_HAS_LIST_ID && !__USING_VERP1 && !__DOS_HAS_LIST_UNSUB && !__RCD_RDNS_SMTP && !__DKIM_EXISTS | |
5331 | describe UNICODE_OBFU_ZW Obfuscating text with hidden characters | |
5332 | # score UNICODE_OBFU_ZW 3.500 # limit | |
5333 | tflags UNICODE_OBFU_ZW publish | |
5334 | endif | |
5335 | ##} UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5336 | ||
dfdd1e08 SI |
5337 | ##{ UNSUB_GOOG_FORM |
5338 | ||
5339 | meta UNSUB_GOOG_FORM __UNSUB_GOOG_FORM | |
5340 | describe UNSUB_GOOG_FORM Unsubscribe via Google Docs form | |
5341 | #score UNSUB_GOOG_FORM 2.500 # limit | |
5342 | tflags UNSUB_GOOG_FORM publish | |
5343 | ##} UNSUB_GOOG_FORM | |
5344 | ||
b780ea8d SI |
5345 | ##{ URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL |
5346 | ||
5347 | ifplugin Mail::SpamAssassin::Plugin::URIDNSBL | |
     | # Network rule: urirhssub registers an A-record lookup of URI domains in the zone | |
     | # dob.sibl.support-intelligence.net; the trailing 2 is the sub-test applied to the | |
     | # answer (a decimal number is a bitmask in URIDNSBL). The body eval line reports the hit, | |
     | # and tflags net marks the rule as requiring network tests. | |
     | # NOTE(review): each lookup discloses domains found in mail to the zone operator and | |
     | # depends on that zone being reachable. Confirm the zone is still served and that its | |
     | # usage terms fit the deployment; an unreachable zone presumably means the rule never hits. | |
5348 | urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net A 2 | |
5349 | body URIBL_RHS_DOB eval:check_uridnsbl('URIBL_RHS_DOB') | |
5350 | describe URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread) | |
5351 | tflags URIBL_RHS_DOB net | |
5352 | endif | |
5353 | ##} URIBL_RHS_DOB ifplugin Mail::SpamAssassin::Plugin::URIDNSBL | |
5354 | ||
5355 | ##{ URI_ADOBESPARK | |
5356 | ||
5357 | meta URI_ADOBESPARK __URI_ADOBESPARK | |
5358 | #score URI_ADOBESPARK 3.500 # limit | |
5359 | tflags URI_ADOBESPARK publish | |
5360 | ##} URI_ADOBESPARK | |
5361 | ||
5362 | ##{ URI_AZURE_CLOUDAPP | |
5363 | ||
5364 | meta URI_AZURE_CLOUDAPP __URI_AZURE_CLOUDAPP && __NAKED_TO && !__HDR_RCVD_GOOGLE | |
5365 | describe URI_AZURE_CLOUDAPP Link to hosted azure web application, possible phishing | |
5366 | #score URI_AZURE_CLOUDAPP 3.000 # limit | |
5367 | tflags URI_AZURE_CLOUDAPP publish | |
5368 | ##} URI_AZURE_CLOUDAPP | |
5369 | ||
5370 | ##{ URI_DASHGOVEDU | |
5371 | ||
5372 | meta URI_DASHGOVEDU __URI_DASHGOVEDU | |
5373 | describe URI_DASHGOVEDU Suspicious domain name | |
5374 | #score URI_DASHGOVEDU 3.500 # limit | |
5375 | tflags URI_DASHGOVEDU publish | |
5376 | ##} URI_DASHGOVEDU | |
5377 | ||
5378 | ##{ URI_DATA | |
5379 | ||
5380 | meta URI_DATA __URI_DATA && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__HAS_ERRORS_TO && !__VIA_ML && !__ENV_AND_HDR_FROM_MATCH && !__DOS_HAS_LIST_UNSUB | |
5381 | describe URI_DATA "data:" URI - possible malware or phish | |
5382 | #score URI_DATA 3.250 # limit | |
5383 | tflags URI_DATA publish | |
5384 | ##} URI_DATA | |
5385 | ||
b780ea8d SI |
5386 | ##{ URI_DOTEDU |
5387 | ||
5388 | meta URI_DOTEDU __URI_DOTEDU && !__RCVD_DOTEDU_EXT && !__DOS_HAS_LIST_UNSUB && !__VIA_ML && !__HAS_X_MAILER && !ALL_TRUSTED && !__UNSUB_LINK && !__RDNS_SHORT && !__MAIL_LINK | |
5389 | describe URI_DOTEDU Has .edu URI | |
5390 | #score URI_DOTEDU 2.000 # limit | |
5391 | tflags URI_DOTEDU publish | |
5392 | ##} URI_DOTEDU | |
5393 | ||
5394 | ##{ URI_DOTEDU_ENTITY | |
5395 | # Hits on __URI_DOTEDU_ENTITY unless __SUBSCRIPTION_INFO also hits; both subrules are defined outside this block. | |
5396 | meta URI_DOTEDU_ENTITY __URI_DOTEDU_ENTITY && !__SUBSCRIPTION_INFO | |
5397 | describe URI_DOTEDU_ENTITY Via .edu MTA + suspicious HTML content | |
5398 | #score URI_DOTEDU_ENTITY 3.000 # limit | |
5399 | tflags URI_DOTEDU_ENTITY publish | |
5400 | ##} URI_DOTEDU_ENTITY | |
5401 | ||
5402 | ##{ URI_DOTTY_HEX | |
5403 | # Direct wrapper around subrule __URI_DOTTY_HEX (defined outside this block); this block has no score line, commented out or otherwise. | |
5404 | meta URI_DOTTY_HEX __URI_DOTTY_HEX | |
5405 | describe URI_DOTTY_HEX Suspicious URI format | |
5406 | tflags URI_DOTTY_HEX publish | |
5407 | ##} URI_DOTTY_HEX | |
5408 | ||
5409 | ##{ URI_DQ_UNSUB | |
5410 | # Direct wrapper around subrule __URI_DQ_UNSUB (defined outside this block); this block has no score line. | |
5411 | meta URI_DQ_UNSUB __URI_DQ_UNSUB | |
5412 | describe URI_DQ_UNSUB IP-address unsubscribe URI | |
5413 | tflags URI_DQ_UNSUB publish | |
5414 | ##} URI_DQ_UNSUB | |
5415 | ||
5416 | ##{ URI_FIREBASEAPP | |
5417 | # Hits when either __URI_FIREBASEAPP or __URI_WEBAPP hits. NOTE(review): the describe text names only firebase; confirm what __URI_WEBAPP matches before relying on the description during triage. | |
5418 | meta URI_FIREBASEAPP __URI_FIREBASEAPP || __URI_WEBAPP | |
5419 | describe URI_FIREBASEAPP Link to hosted firebase web application, possible phishing | |
5420 | #score URI_FIREBASEAPP 3.000 # limit | |
5421 | tflags URI_FIREBASEAPP publish | |
5422 | ##} URI_FIREBASEAPP | |
5423 | ||
5424 | ##{ URI_GOOGLE_PROXY | |
5425 | # Hits on __URI_GOOGLE_PROXY unless any of the four negated subrules also hits; none of them is defined in this block, and no score line is given here. | |
5426 | meta URI_GOOGLE_PROXY __URI_GOOGLE_PROXY && !__FSL_RELAY_GOOGLE && !__TO___LOWER && !__MSGID_OK_HEX && !__HAS_CAMPAIGNID | |
5427 | describe URI_GOOGLE_PROXY Accessing a blacklisted URI or obscuring source of phish via Google proxy? | |
5428 | tflags URI_GOOGLE_PROXY publish | |
5429 | ##} URI_GOOGLE_PROXY | |
5430 | ||
5431 | ##{ URI_GOOG_STO_SPAMMY | |
5432 | # Static indicator list: the uri pattern below is anchored at ^https?://storage\.googleapis\.com/ and requires one of the enumerated first path segments followed by "/", matched case-insensitively. A fixed list only covers the names known when the rules were generated, so coverage depends on rule updates. | |
fc5290a3 | 5433 | uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:1tactc1200|430bc3a2d98b15a0c58bf8df8f938d|5(?:a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|a(?:1discover|4301cda1e5c450bab01|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:liedtrust7?|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|sb50118|tividade|udio0254)|b(?:337276797de5b3|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:fbgverhg|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|ircaknee0|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:0
10?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4(?:mhoyal1r0|ome1owne1r)|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|le(?:3mlemlm3lm\.appspot\.co
m|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|otectsecurity)|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|coutstonenew|dfgwsd74fg|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|o(?:lbeam004|uthbeach(?:001|skin))|preader35|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|mobile0sur1vey|o(?:enailfungus|p(?:inal|ol(?:\-web|io29034)))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rr
anhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))/;i |
b780ea8d SI |
5434 | describe URI_GOOG_STO_SPAMMY Link to spammy content hosted by google storage |
5435 | #score URI_GOOG_STO_SPAMMY 3.000 | |
5436 | tflags URI_GOOG_STO_SPAMMY publish | |
5437 | ##} URI_GOOG_STO_SPAMMY | |
5438 | ||
5439 | ##{ URI_HEX_IP | |
5440 | # Direct wrapper around subrule __URI_HEX_IP (defined outside this block); the score line is commented out. | |
5441 | meta URI_HEX_IP __URI_HEX_IP | |
5442 | #score URI_HEX_IP 2.500 # limit | |
5443 | describe URI_HEX_IP URI with hex-encoded IP-address host | |
5444 | tflags URI_HEX_IP publish | |
5445 | ##} URI_HEX_IP | |
5446 | ||
5447 | ##{ URI_IMG_WP_REDIR | |
5448 | # Direct wrapper around subrule __URI_IMG_WP_REDIR (defined outside this block); the score line is commented out. | |
5449 | meta URI_IMG_WP_REDIR __URI_IMG_WP_REDIR | |
5450 | #score URI_IMG_WP_REDIR 3.000 # limit | |
5451 | describe URI_IMG_WP_REDIR Image via WordPress "accelerator" proxy | |
5452 | tflags URI_IMG_WP_REDIR publish | |
5453 | ##} URI_IMG_WP_REDIR | |
5454 | ||
5455 | ##{ URI_LONG_REPEAT | |
5456 | # Direct wrapper around subrule __URI_LONG_REPEAT (defined outside this block); the score line is commented out. | |
5457 | meta URI_LONG_REPEAT __URI_LONG_REPEAT | |
31955ede | 5458 | describe URI_LONG_REPEAT Long identical host+domain |
b780ea8d SI |
5459 | #score URI_LONG_REPEAT 2.500 # limit |
5460 | tflags URI_LONG_REPEAT publish | |
5461 | ##} URI_LONG_REPEAT | |
5462 | ||
5463 | ##{ URI_MALWARE_SCMS | |
5464 | # Unanchored, case-insensitive uri match on ".SettingContent-ms" followed by a word boundary, so the string is matched wherever it appears in the URI, not only as the final file extension. No score line appears in this block. | |
5465 | uri URI_MALWARE_SCMS /\.SettingContent-ms\b/i | |
5466 | describe URI_MALWARE_SCMS Link to malware exploit download (.SettingContent-ms file) | |
5467 | tflags URI_MALWARE_SCMS publish | |
5468 | ##} URI_MALWARE_SCMS | |
5469 | ||
5470 | ##{ URI_ONLY_MSGID_MALF | |
5471 | # NOTE(review): meta and tflags are each given twice below with no conditional visible around either copy. If the later definition replaces the earlier one, the effective rule is the second meta (without !RCVD_IN_DNSWL_LOW) and tflags ends up as publish rather than net; confirm against the rule source whether a plugin guard was lost in generation. | |
5472 | meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO && !RCVD_IN_DNSWL_LOW | |
5473 | tflags URI_ONLY_MSGID_MALF net | |
5474 | meta URI_ONLY_MSGID_MALF __URI_ONLY_MSGID_MALF && !__RP_MATCHES_RCVD && !__URI_MAILTO && !__NOT_SPOOFED && !__DKIM_EXISTS && !__MSGID_JAVAMAIL && !__HAS_REPLY_TO | |
5475 | describe URI_ONLY_MSGID_MALF URI only + malformed message ID | |
5476 | #score URI_ONLY_MSGID_MALF 2.000 # limit | |
5477 | tflags URI_ONLY_MSGID_MALF publish | |
5478 | ##} URI_ONLY_MSGID_MALF | |
5479 | ||
5480 | ##{ URI_OPTOUT_3LD | |
5481 | # Matches http(s) URIs whose first host label is one of the listed opt-out words plus optional digits, followed by further text up to a .com or .net label boundary. [^/]+ can itself contain dots and nothing requires .com/.net to end the host, so hosts with more than three labels also match. | |
5482 | uri URI_OPTOUT_3LD m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:com|net)\b,i | |
5483 | describe URI_OPTOUT_3LD Opt-out URI, suspicious hostname | |
5484 | #score URI_OPTOUT_3LD 2.000 # limit | |
5485 | tflags URI_OPTOUT_3LD publish | |
5486 | ##} URI_OPTOUT_3LD | |
5487 | ||
5488 | ##{ URI_OPTOUT_USME | |
5489 | # Same opt-out word list and host shape as URI_OPTOUT_3LD, but for the .us, .me, .mobi and .club suffixes; this block has no score line. | |
5490 | uri URI_OPTOUT_USME m,^https?://(?:quit|bye|remove|exit|leave|disallow|halt|stop|end|herego|out|discontinue)\d*\.[^/]+\.(?:us|me|mobi|club)\b,i | |
5491 | describe URI_OPTOUT_USME Opt-out URI, unusual TLD | |
5492 | tflags URI_OPTOUT_USME publish | |
5493 | ##} URI_OPTOUT_USME | |
5494 | ||
5495 | ##{ URI_PHISH | |
5496 | # Carries only the describe and tflags lines for URI_PHISH; the meta expression is supplied by the two plugin-conditional URI_PHISH blocks that follow in this file. | |
5497 | describe URI_PHISH Phishing using web form | |
5498 | #score URI_PHISH 4.00 # limit | |
5499 | tflags URI_PHISH publish | |
5500 | ##} URI_PHISH | |
5501 | ||
5502 | ##{ URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
5503 | # Variant used when the MIMEHeader plugin is not loaded: the same expression as the ifplugin variant of URI_PHISH in this file, minus the !__REMOTE_IMAGE term. | |
5504 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
5505 | meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT | |
5506 | endif | |
5507 | ##} URI_PHISH if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
5508 | ||
5509 | ##{ URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5510 | # Variant used when the MIMEHeader plugin is loaded: hits on __URI_PHISH unless any of the negated rules also hits, including !__REMOTE_IMAGE, which the non-plugin variant omits. | |
5511 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5512 | meta URI_PHISH __URI_PHISH && !ALL_TRUSTED && !__UNSUB_LINK && !__TAG_EXISTS_CENTER && !__HAS_SENDER && !__CAN_HELP && !__VIA_ML && !__UPPERCASE_URI && !__HAS_CC && !__NUMBERS_IN_SUBJ && !__PCT_FOR_YOU && !__MOZILLA_MSGID && !__FB_COST && !__hk_bigmoney && !__REMOTE_IMAGE && !__HELO_HIGHPROFILE && !__RCD_RDNS_SMTP_MESSY && !__BUGGED_IMG && !__FB_TOUR && !__RCVD_DOTGOV_EXT | |
5513 | endif | |
5514 | ##} URI_PHISH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
5515 | ||
5516 | ##{ URI_PHP_REDIR | |
5517 | # Hits on __URI_PHP_REDIR unless __USING_VERP1 or __RCD_RDNS_MTA also hits; all three subrules are defined outside this block. | |
5518 | meta URI_PHP_REDIR __URI_PHP_REDIR && !__USING_VERP1 && !__RCD_RDNS_MTA | |
5519 | #score URI_PHP_REDIR 3.500 # limit | |
5520 | describe URI_PHP_REDIR PHP redirect to different URL (link obfuscation) | |
5521 | tflags URI_PHP_REDIR publish | |
5522 | ##} URI_PHP_REDIR | |
5523 | ||
5524 | ##{ URI_TRY_3LD | |
5525 | # Hits on __URI_TRY_3LD unless any of the eight negated subrules also hits; none of them is defined in this block. | |
dfdd1e08 | 5526 | meta URI_TRY_3LD __URI_TRY_3LD && !__HAS_ERRORS_TO && !__HDR_RCVD_ALIBABA && !__HDR_CASE_REVERSED && !__XM_EC_MESSENGER && !__CHARITY && !__URI_DOTEDU && !__HAS_X_REF && !__HDR_RCVD_APPLE |
b780ea8d SI |
5527 | describe URI_TRY_3LD "Try it" URI, suspicious hostname |
5528 | #score URI_TRY_3LD 2.000 # limit | |
5529 | tflags URI_TRY_3LD publish | |
5530 | ##} URI_TRY_3LD | |
5531 | ||
5532 | ##{ URI_TRY_USME | |
5533 | # Hits on __URI_TRY_USME unless __DKIM_EXISTS also hits; both subrules are defined outside this block. | |
5534 | meta URI_TRY_USME __URI_TRY_USME && !__DKIM_EXISTS | |
5535 | describe URI_TRY_USME "Try it" URI, unusual TLD | |
cabe596e | 5536 | #score URI_TRY_USME 2.000 # limit |
b780ea8d SI |
5537 | tflags URI_TRY_USME publish |
5538 | ##} URI_TRY_USME | |
5539 | ||
5540 | ##{ URI_WPADMIN | |
5541 | # Direct wrapper around subrule __URI_WPADMIN (defined outside this block); this block has no score line. | |
5542 | meta URI_WPADMIN __URI_WPADMIN | |
5543 | describe URI_WPADMIN WordPress login/admin URI, possible phishing | |
5544 | tflags URI_WPADMIN publish | |
5545 | ##} URI_WPADMIN | |
5546 | ||
5547 | ##{ URI_WP_DIRINDEX | |
5548 | # Direct wrapper around subrule __URI_WPDIRINDEX; note the subrule name has no underscore after WP, unlike the published name. The describe text is identical to that of URI_WP_HACKED and URI_WP_HACKED_2, so tell them apart by rule name. | |
5549 | meta URI_WP_DIRINDEX __URI_WPDIRINDEX | |
5550 | describe URI_WP_DIRINDEX URI for compromised WordPress site, possible malware | |
5551 | #score URI_WP_DIRINDEX 3.500 # limit | |
5552 | tflags URI_WP_DIRINDEX publish | |
5553 | ##} URI_WP_DIRINDEX | |
5554 | ||
5555 | ##{ URI_WP_HACKED | |
5556 | # Hits when __URI_WPCONTENT or __URI_WPINCLUDES hits and none of the six negated rules does. The describe text is shared verbatim with URI_WP_DIRINDEX and URI_WP_HACKED_2, so tell them apart by rule name. | |
5557 | meta URI_WP_HACKED (__URI_WPCONTENT || __URI_WPINCLUDES) && !__VIA_ML && !__HAS_ERRORS_TO && !__RCD_RDNS_SMTP && !__THREADED && !ALL_TRUSTED && !__NOT_SPOOFED | |
5558 | describe URI_WP_HACKED URI for compromised WordPress site, possible malware | |
5559 | #score URI_WP_HACKED 3.500 # limit | |
5560 | tflags URI_WP_HACKED publish | |
5561 | ##} URI_WP_HACKED | |
5562 | ||
5563 | ##{ URI_WP_HACKED_2 | |
5564 | # Hits on __PS_TEST_LOC_WP only when URI_WP_HACKED did not hit, so the two rules never both fire on one message; also suppressed by __HAS_LIST_ID, __THREADED or __USING_VERP1. | |
5565 | meta URI_WP_HACKED_2 (__PS_TEST_LOC_WP && !URI_WP_HACKED) && !__HAS_LIST_ID && !__THREADED && !__USING_VERP1 | |
5566 | describe URI_WP_HACKED_2 URI for compromised WordPress site, possible malware | |
5567 | #score URI_WP_HACKED_2 2.500 # limit | |
5568 | tflags URI_WP_HACKED_2 publish | |
5569 | ##} URI_WP_HACKED_2 | |
5570 | ||
5571 | ##{ USB_DRIVES | |
5572 | # Direct wrapper around subrule __SUBJ_USB_DRIVES (defined outside this block); the score line is commented out. | |
5573 | meta USB_DRIVES __SUBJ_USB_DRIVES | |
5574 | describe USB_DRIVES Trying to sell custom USB flash drives | |
5575 | #score USB_DRIVES 2.000 # limit | |
5576 | tflags USB_DRIVES publish | |
5577 | ##} USB_DRIVES | |
5578 | ||
5579 | ##{ VFY_ACCT_NORDNS | |
5580 | # Hits on __VFY_ACCT_NORDNS unless __STY_INVIS_MANY also hits; both subrules are defined outside this block. | |
5581 | meta VFY_ACCT_NORDNS __VFY_ACCT_NORDNS && !__STY_INVIS_MANY | |
5582 | describe VFY_ACCT_NORDNS Verify your account to a poorly-configured MTA - probable phishing | |
5583 | #score VFY_ACCT_NORDNS 3.000 # limit | |
5584 | tflags VFY_ACCT_NORDNS publish | |
5585 | ##} VFY_ACCT_NORDNS | |
5586 | ||
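5587 | ##{ VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5588 | # Defined only on SpamAssassin >= 3.004002 with the WLBLEval plugin loaded; hits when __VPSNUMBERONLY_TLD and __FROM_ADDRLIST_SUSPNTLD both hit (both defined outside this block). | |
5589 | if (version >= 3.004002) | |
5590 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
5591 | meta VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD | |
5592 | tflags VPS_NO_NTLD publish | |
5593 | describe VPS_NO_NTLD vps[0-9] domain at a suspicious TLD | |
5594 | #score VPS_NO_NTLD 1.0 # limit | |
5595 | endif | |
5596 | endif | |
5597 | ##} VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |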
5598 | ||
5599 | ##{ WALMART_IMG_NOT_RCVD_WAL | |
5600 | # Hits on __WALMART_IMG_NOT_RCVD_WAL unless __DKIM_EXISTS also hits; both subrules are defined outside this block. | |
5601 | meta WALMART_IMG_NOT_RCVD_WAL __WALMART_IMG_NOT_RCVD_WAL && !__DKIM_EXISTS | |
5602 | #score WALMART_IMG_NOT_RCVD_WAL 2.500 # limit | |
5603 | describe WALMART_IMG_NOT_RCVD_WAL Walmart hosted image but message not from Walmart | |
5604 | tflags WALMART_IMG_NOT_RCVD_WAL publish | |
5605 | ##} WALMART_IMG_NOT_RCVD_WAL | |
5606 | ||
b780ea8d SI |
5607 | ##{ WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
5608 | # Defined only when the running SpamAssassin reports feature_bug6558_free. Hits on __WORD_INVIS_MINFP unless WORD_INVIS_MANY hits, so the two WORD_INVIS rules do not both fire on one message. | |
5609 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5610 | meta WORD_INVIS __WORD_INVIS_MINFP && !WORD_INVIS_MANY | |
5611 | describe WORD_INVIS A hidden word | |
5612 | # score WORD_INVIS 3.000 # limit | |
5613 | tflags WORD_INVIS publish | |
5614 | endif | |
5615 | ##} WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5616 | ||
5617 | ##{ WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5618 | # Defined only when the running SpamAssassin reports feature_bug6558_free. Direct wrapper around subrule __WORD_INVIS_2 (defined outside this block); WORD_INVIS is written to stay silent whenever this rule hits. | |
5619 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5620 | meta WORD_INVIS_MANY __WORD_INVIS_2 | |
5621 | describe WORD_INVIS_MANY Multiple individual hidden words | |
5622 | # score WORD_INVIS_MANY 3.000 # limit | |
5623 | tflags WORD_INVIS_MANY publish | |
5624 | endif | |
5625 | ##} WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
5626 | ||
b780ea8d SI |
5627 | ##{ XM_DIGITS_ONLY |
5628 | # Direct wrapper around subrule __XM_DIGITS_ONLY (defined outside this block); the score line is commented out. | |
5629 | meta XM_DIGITS_ONLY __XM_DIGITS_ONLY | |
5630 | describe XM_DIGITS_ONLY X-Mailer malformed | |
5631 | #score XM_DIGITS_ONLY 3.000 # limit | |
5632 | tflags XM_DIGITS_ONLY publish | |
5633 | ##} XM_DIGITS_ONLY | |
5634 | ||
b780ea8d SI |
5635 | ##{ XM_PHPMAILER_FORGED |
5636 | # Direct wrapper around subrule __XM_PHPMAILER_FORGED (defined outside this block). The describe text does not say which header is meant, and this block has no score line. | |
5637 | meta XM_PHPMAILER_FORGED __XM_PHPMAILER_FORGED | |
5638 | describe XM_PHPMAILER_FORGED Apparently forged header | |
5639 | tflags XM_PHPMAILER_FORGED publish | |
5640 | ##} XM_PHPMAILER_FORGED | |
5641 | ||
5642 | ##{ XM_RANDOM | |
5643 | # Hits on __XM_RANDOM unless any of the five negated subrules also hits; none of them is defined in this block. | |
46cfc9e2 | 5644 | meta XM_RANDOM __XM_RANDOM && !__STY_INVIS_3 && !__HAS_IN_REPLY_TO && !__XM_UC_ONLY && !__XM_ASPQMAIL && !__XM_VERY_LONG |
b780ea8d | 5645 | describe XM_RANDOM X-Mailer apparently random |
46cfc9e2 | 5646 | #score XM_RANDOM 2.500 # limit |
b780ea8d SI |
5647 | tflags XM_RANDOM publish |
5648 | ##} XM_RANDOM | |
5649 | ||
b780ea8d SI |
5650 | ##{ XPRIO |
5651 | # Carries only the describe and tflags lines for XPRIO; the meta expression comes from the plugin-conditional XPRIO blocks that follow in this file. | |
5652 | describe XPRIO Has X-Priority header | |
5653 | #score XPRIO 2.250 # limit | |
5654 | tflags XPRIO publish | |
5655 | ##} XPRIO | |
5656 | ||
5657 | ##{ XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
5658 | # Variant used when the DKIM plugin is not loaded: XPRIO is a direct wrapper around __XPRIO_MINFP with no DKIM, DNSWL or SPF exclusions. | |
5659 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
5660 | meta XPRIO __XPRIO_MINFP | |
5661 | endif | |
5662 | ##} XPRIO if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
5663 | ||
5664 | ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM | |
5665 | # With the DKIM plugin loaded, sets tflags XPRIO to net; the DKIM-conditional meta variants of XPRIO in this file reference RCVD_IN_DNSWL_NONE. | |
5666 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
5667 | tflags XPRIO net | |
5668 | endif | |
5669 | ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM | |
5670 | ||
5671 | ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
5672 | # Variant used with DKIM loaded and SPF not loaded: hits on __XPRIO_MINFP unless DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU or RCVD_IN_DNSWL_NONE also hits. | |
5673 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
5674 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
31955ede | 5675 | meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE |
b780ea8d SI |
5676 | endif |
5677 | endif | |
5678 | ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
5679 | ||
5680 | ##{ XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF | |
5681 | # Variant used with both DKIM and SPF loaded: same exclusions as the DKIM-only variant plus !SPF_PASS, so the rule stays silent on any message that passes SPF. | |
5682 | ifplugin Mail::SpamAssassin::Plugin::DKIM | |
5683 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
31955ede | 5684 | meta XPRIO __XPRIO_MINFP && !DKIM_SIGNED && !DKIM_VALID && !DKIM_VALID_AU && !RCVD_IN_DNSWL_NONE && !SPF_PASS |
b780ea8d SI |
5685 | endif |
5686 | endif | |
5687 | ##} XPRIO ifplugin Mail::SpamAssassin::Plugin::DKIM ifplugin Mail::SpamAssassin::Plugin::SPF | |
5688 | ||
5689 | ##{ XPRIO_SHORT_SUBJ | |
5690 | # Hits on __XPRIO_SHORT_SUBJ unless any of the seven negated rules also hits; none of them is defined in this block. | |
5691 | meta XPRIO_SHORT_SUBJ __XPRIO_SHORT_SUBJ && !__MSM_PRIO_REPTO && !ALL_TRUSTED && !__DKIM_EXISTS && !__RELAY_THRU_WWW && !__CTYPE_HAS_BOUNDARY && !__RCD_RDNS_MTA && !__HAS_HREF | |
5692 | describe XPRIO_SHORT_SUBJ Has X Priority header + short subject | |
5693 | #score XPRIO_SHORT_SUBJ 2.500 # limit | |
5694 | tflags XPRIO_SHORT_SUBJ publish | |
5695 | ##} XPRIO_SHORT_SUBJ | |
5696 | ||
b780ea8d SI |
5697 | ##{ X_MAILER_CME_6543_MSN |
5698 | # Header rule: hits when X-Mailer is exactly "CME-V6.5.4.3; MSN" with optional trailing whitespace (pattern anchored with ^ and $, case-sensitive because there is no /i). This block has no describe, score or tflags line. | |
5699 | header X_MAILER_CME_6543_MSN X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/ | |
5700 | ##} X_MAILER_CME_6543_MSN | |
5701 | ||
fc5290a3 SI |
5702 | ##{ YOUR_PERMISSION |
5703 | # Hits on __YOUR_PERM unless any of the six negated subrules also hits; this block has no score or tflags line. | |
5704 | meta YOUR_PERMISSION __YOUR_PERM && !__CTYPE_HAS_BOUNDARY && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__CT_TEXT_PLAIN && !__BUGGED_IMG && !__COMMENT_EXISTS | |
5705 | describe YOUR_PERMISSION With your permission... | |
5706 | ##} YOUR_PERMISSION | |
5707 | ||
b780ea8d SI |
5708 | ##{ YOU_INHERIT |
5709 | # Direct wrapper around subrule __YOU_INHERIT (defined outside this block); this block has no score or tflags line. | |
5710 | meta YOU_INHERIT __YOU_INHERIT | |
5711 | describe YOU_INHERIT Discussing your inheritance | |
5712 | ##} YOU_INHERIT | |
5713 | ||
5714 | ##{ bayes_ignore_header_sandbox | |
5715 | ||
21dcadbf SI |
5716 | bayes_ignore_header ARC-Authentication-Results |
5717 | bayes_ignore_header ARC-Message-Signature | |
5718 | bayes_ignore_header ARC-Seal | |
5719 | bayes_ignore_header Authentication-Results | |
5720 | bayes_ignore_header Auto-Submitted | |
5721 | bayes_ignore_header Autocrypt | |
5722 | bayes_ignore_header CTCH-SenderID-TotalSpam | |
5723 | bayes_ignore_header IronPort-SDR | |
5724 | bayes_ignore_header List-Archive | |
5725 | bayes_ignore_header List-Help | |
5726 | bayes_ignore_header List-Id | |
5727 | bayes_ignore_header List-Post | |
5728 | bayes_ignore_header List-Subscribe | |
5729 | bayes_ignore_header List-Unsubscribe | |
5730 | bayes_ignore_header Mailing-List | |
5731 | bayes_ignore_header Precedence | |
5732 | bayes_ignore_header Received-SPF | |
5733 | bayes_ignore_header suggested_attachment_session_id | |
b780ea8d SI |
5734 | bayes_ignore_header X-ACL-Warn |
5735 | bayes_ignore_header X-Alimail-AntiSpam | |
5736 | bayes_ignore_header X-Amavis-Modified | |
5737 | bayes_ignore_header X-Anti-Spam | |
5738 | bayes_ignore_header X-Anti-Virus | |
5739 | bayes_ignore_header X-Anti-Virus-Version | |
5740 | bayes_ignore_header X-AntiAbuse | |
5741 | bayes_ignore_header X-Antispam | |
5742 | bayes_ignore_header X-Antivirus | |
5743 | bayes_ignore_header X-Antivirus-Code | |
5744 | bayes_ignore_header X-Antivirus-Status | |
5745 | bayes_ignore_header X-Antivirus-Version | |
5746 | bayes_ignore_header x-aol-global-disposition | |
5747 | bayes_ignore_header X-ASF-Spam-Status | |
5748 | bayes_ignore_header X-ASG-Debug-ID | |
5749 | bayes_ignore_header X-ASG-Orig-Subj | |
5750 | bayes_ignore_header X-ASG-Recipient-Whitelist | |
5751 | bayes_ignore_header X-ASG-Tag | |
5752 | bayes_ignore_header X-Assp-Version | |
21dcadbf | 5753 | bayes_ignore_header X-Attachment-Id |
b780ea8d SI |
5754 | bayes_ignore_header X-Authority-Analysis |
5755 | bayes_ignore_header X-Authvirus | |
5756 | bayes_ignore_header X-Auto-Response-Suppress | |
5757 | bayes_ignore_header X-AV-Do-Run | |
5758 | bayes_ignore_header X-AV-Status | |
5759 | bayes_ignore_header x-avast-antispam | |
5760 | bayes_ignore_header X-Backend | |
5761 | bayes_ignore_header X-Barracuda-Apparent-Source-IP | |
5762 | bayes_ignore_header X-Barracuda-Bayes | |
5763 | bayes_ignore_header X-Barracuda-BBL-IP | |
5764 | bayes_ignore_header X-Barracuda-BRTS-Status | |
5765 | bayes_ignore_header X-Barracuda-BRTS-URL-Found | |
5766 | bayes_ignore_header X-Barracuda-Connect | |
5767 | bayes_ignore_header X-Barracuda-Encrypted | |
5768 | bayes_ignore_header X-Barracuda-Envelope-From | |
5769 | bayes_ignore_header X-Barracuda-Fingerprint-Found | |
5770 | bayes_ignore_header X-Barracuda-Orig-Rcpt | |
5771 | bayes_ignore_header X-Barracuda-RBL-IP | |
5772 | bayes_ignore_header X-Barracuda-RBL-Trusted-Forwarder | |
5773 | bayes_ignore_header X-Barracuda-Spam-Report | |
5774 | bayes_ignore_header X-Barracuda-Spam-Score | |
5775 | bayes_ignore_header X-Barracuda-Spam-Status | |
5776 | bayes_ignore_header X-Barracuda-Start-Time | |
5777 | bayes_ignore_header X-Barracuda-UID | |
5778 | bayes_ignore_header X-Barracuda-URL | |
5779 | bayes_ignore_header X-Barracuda-Virus-Alert | |
5780 | bayes_ignore_header X-Bayes-Prob | |
5781 | bayes_ignore_header X-Bayesian-Result | |
21dcadbf | 5782 | bayes_ignore_header X-BeenThere |
b780ea8d SI |
5783 | bayes_ignore_header X-BitDefender-Spam |
5784 | bayes_ignore_header X-BitDefender-SpamStamp | |
5785 | bayes_ignore_header X-BL | |
5786 | bayes_ignore_header X-Bogosity | |
5787 | bayes_ignore_header X-Boxtrapper | |
5788 | bayes_ignore_header X-Brightmail-Tracker | |
5789 | bayes_ignore_header X-BTI-AntiSpam | |
5790 | bayes_ignore_header X-Bugzilla-Version | |
5791 | bayes_ignore_header X-CanIt-Geo | |
5792 | bayes_ignore_header X-Canit-Stats-ID | |
5793 | bayes_ignore_header X-CanItPRO-Stream | |
5794 | bayes_ignore_header X-Clapf-spamicity | |
21dcadbf | 5795 | bayes_ignore_header X-ClientProxiedBy |
b780ea8d SI |
5796 | bayes_ignore_header X-Cloud-Security |
5797 | bayes_ignore_header X-CM-Score | |
5798 | bayes_ignore_header X-CMAE-Analysis | |
5799 | bayes_ignore_header X-CMAE-Match | |
5800 | bayes_ignore_header X-CMAE-Score | |
5801 | bayes_ignore_header X-CMAE-Verdict | |
5802 | bayes_ignore_header X-CNFS-Analysis | |
5803 | bayes_ignore_header X-Company | |
21dcadbf | 5804 | bayes_ignore_header X-Complaints-To |
b780ea8d SI |
5805 | bayes_ignore_header X-Coremail-Antispam |
5806 | bayes_ignore_header X-CRM114-CacheID | |
5807 | bayes_ignore_header X-CRM114-Status | |
5808 | bayes_ignore_header X-CRM114-Version | |
5809 | bayes_ignore_header X-CT-Spam | |
5810 | bayes_ignore_header X-CTCH-SenderID | |
5811 | bayes_ignore_header X-CTCH-SenderID-TotalBulk | |
5812 | bayes_ignore_header X-CTCH-SenderID-TotalConfirmed | |
5813 | bayes_ignore_header X-CTCH-SenderID-TotalMessages | |
5814 | bayes_ignore_header X-CTCH-SenderID-TotalRecipients | |
5815 | bayes_ignore_header X-CTCH-SenderID-TotalSpam | |
5816 | bayes_ignore_header X-CTCH-SenderID-TotalSuspected | |
5817 | bayes_ignore_header X-CTCH-SenderID-TotalVirus | |
5818 | bayes_ignore_header X-CTCH-Spam | |
5819 | bayes_ignore_header X-CTCH-VOD | |
21dcadbf | 5820 | bayes_ignore_header X-Delivered-To |
b780ea8d SI |
5821 | bayes_ignore_header X-Drweb-SpamState |
5822 | bayes_ignore_header X-DSPAM-Confidence | |
5823 | bayes_ignore_header X-DSPAM-Factors | |
5824 | bayes_ignore_header X-DSPAM-Improbability | |
5825 | bayes_ignore_header X-DSPAM-Probability | |
5826 | bayes_ignore_header X-DSPAM-Processed | |
5827 | bayes_ignore_header X-DSPAM-Result | |
5828 | bayes_ignore_header X-DSPAM-Signature | |
5829 | bayes_ignore_header x-eavas | |
5830 | bayes_ignore_header x-eavas-action | |
5831 | bayes_ignore_header x-eavas-eavasid | |
5832 | bayes_ignore_header X-Enigmail-Version | |
5833 | bayes_ignore_header X-EsetId | |
5834 | bayes_ignore_header X-EsetResult | |
5835 | bayes_ignore_header X-Exchange-Antispam-Report | |
21dcadbf | 5836 | bayes_ignore_header X-Exchange-Antispam-Report-CFA-Test |
b780ea8d SI |
5837 | bayes_ignore_header X-ExtloopSabreCommercials1 |
5838 | bayes_ignore_header X-EYOU-SPAMVALUE | |
5839 | bayes_ignore_header X-FB-OUTBOUND-SPAM | |
5840 | bayes_ignore_header X-FEAS-SBL | |
5841 | bayes_ignore_header X-FILTER-SCORE | |
5842 | bayes_ignore_header X-Forefront-Antispam-Report | |
21dcadbf | 5843 | bayes_ignore_header X-Forefront-Antispam-Report-Untrusted |
b780ea8d | 5844 | bayes_ignore_header X-Forefront-PRVS |
21dcadbf | 5845 | bayes_ignore_header X-Freemail-From |
b780ea8d SI |
5846 | bayes_ignore_header X-Fuglu-Spamstatus |
5847 | bayes_ignore_header X-Fuglu-Suspect | |
5848 | bayes_ignore_header X-getmail-filter-classifier | |
5849 | bayes_ignore_header X-GFIME-MASPAM | |
21dcadbf | 5850 | bayes_ignore_header X-Gm-Message-State |
b780ea8d SI |
5851 | bayes_ignore_header X-Gmane-NNTP-Posting-Host |
5852 | bayes_ignore_header X-GMX-Antispam | |
5853 | bayes_ignore_header X-GMX-Antivirus | |
21dcadbf | 5854 | bayes_ignore_header X-Google-DKIM-Signature |
b780ea8d SI |
5855 | bayes_ignore_header X-He-Spam |
5856 | bayes_ignore_header X-hMailServer-Spam | |
5857 | bayes_ignore_header X-IAS | |
5858 | bayes_ignore_header X-iGspam-global | |
5859 | bayes_ignore_header X-Injected-Via-Gmane | |
5860 | bayes_ignore_header X-Interia-Antivirus | |
5861 | bayes_ignore_header X-IP-Spam-Verdict | |
5862 | bayes_ignore_header X-Ironport | |
5863 | bayes_ignore_header X-IronPort-Anti-Spam-Filtered | |
5864 | bayes_ignore_header X-IronPort-Anti-Spam-Result | |
5865 | bayes_ignore_header X-IronPort-AV | |
5866 | bayes_ignore_header X-Ironport-HAT | |
5867 | bayes_ignore_header X-Ironport-HOSTNAME | |
5868 | bayes_ignore_header X-Ironport-LNR | |
5869 | bayes_ignore_header X-Ironport-MessageFilter | |
5870 | bayes_ignore_header X-Ironport-MFP | |
5871 | bayes_ignore_header X-Ironport-MID | |
5872 | bayes_ignore_header X-IronPort-Outgoing-Antispam | |
5873 | bayes_ignore_header X-Ironport-RIF | |
5874 | bayes_ignore_header X-Ironport-SBRS | |
5875 | bayes_ignore_header X-Ironport-SENDER | |
5876 | bayes_ignore_header X-Ironport-SUBJECT | |
5877 | bayes_ignore_header X-Junk-Score | |
5878 | bayes_ignore_header X-Junkmail | |
21dcadbf | 5879 | bayes_ignore_header X-Klms-Anti |
b780ea8d SI |
5880 | bayes_ignore_header X-KLMS-AntiPhishing |
5881 | bayes_ignore_header X-Klms-Antispam | |
5882 | bayes_ignore_header X-KLMS-AntiSpam-Info | |
5883 | bayes_ignore_header X-KLMS-AntiSpam-Interceptor-Info | |
5884 | bayes_ignore_header X-KLMS-AntiSpam-Lua-Profiles | |
5885 | bayes_ignore_header X-KLMS-AntiSpam-Method | |
5886 | bayes_ignore_header X-KLMS-AntiSpam-Moebius-Timestamps | |
5887 | bayes_ignore_header X-KLMS-AntiSpam-Rate | |
5888 | bayes_ignore_header X-KLMS-AntiSpam-Status | |
5889 | bayes_ignore_header X-KLMS-AntiSpam-Version | |
5890 | bayes_ignore_header X-KLMS-AntiVirus | |
5891 | bayes_ignore_header X-KLMS-AntiVirus-Status | |
5892 | bayes_ignore_header X-KLMS-Message-Action | |
5893 | bayes_ignore_header X-KLMS-Rule-ID | |
5894 | bayes_ignore_header X-KMail-EncryptionState | |
5895 | bayes_ignore_header X-KMail-MDN-Sent | |
5896 | bayes_ignore_header X-KMail-SignatureState | |
21dcadbf SI |
5897 | bayes_ignore_header X-Kse-Anti |
5898 | bayes_ignore_header X-Loom-IP | |
b780ea8d SI |
5899 | bayes_ignore_header X-MailCleaner-SpamChec |
5900 | bayes_ignore_header X-MailCleaner-SpamCheck | |
5901 | bayes_ignore_header X-MailFoundry | |
21dcadbf SI |
5902 | bayes_ignore_header X-Mailman-Version |
5903 | bayes_ignore_header X-MDAV-Processed | |
b780ea8d SI |
5904 | bayes_ignore_header X-MDMailLookup-Result |
5905 | bayes_ignore_header X-ME-Bayesian | |
5906 | bayes_ignore_header X-ME-Content | |
5907 | bayes_ignore_header X-MessageFilter | |
21dcadbf SI |
5908 | bayes_ignore_header x-microsoft-antispam |
5909 | bayes_ignore_header X-Microsoft-Antispam-Message-Info | |
5910 | bayes_ignore_header X-Microsoft-Antispam-Message-Info-Original | |
5911 | bayes_ignore_header X-Microsoft-Antispam-Untrusted | |
5912 | bayes_ignore_header X-Microsoft-Exchange-Diagnostics | |
b780ea8d | 5913 | bayes_ignore_header X-Mlf-Version |
21dcadbf SI |
5914 | bayes_ignore_header X-Mozilla-Keys |
5915 | bayes_ignore_header X-Mozilla-Status | |
5916 | bayes_ignore_header X-Mozilla-Status2 | |
5917 | bayes_ignore_header x-ms-exchange-antispam-messagedata | |
5918 | bayes_ignore_header x-ms-exchange-antispam-messagedata-0 | |
5919 | bayes_ignore_header X-MS-Exchange-CrossTenant-AuthAs | |
5920 | bayes_ignore_header X-MS-Exchange-CrossTenant-AuthSource | |
5921 | bayes_ignore_header X-MS-Exchange-CrossTenant-FromEntityHeader | |
5922 | bayes_ignore_header x-ms-exchange-crosstenant-id | |
5923 | bayes_ignore_header x-ms-exchange-crosstenant-network-message-id | |
5924 | bayes_ignore_header X-MS-Exchange-CrossTenant-OriginalArrivalTime | |
5925 | bayes_ignore_header x-ms-exchange-crosstenant-rms-persistedconsumerorg | |
5926 | bayes_ignore_header X-MS-Exchange-CrossTenant-userprincipalname | |
5927 | bayes_ignore_header x-ms-exchange-slblob-mailprops | |
5928 | bayes_ignore_header X-MS-Exchange-Transport-CrossTenantHeadersStamped | |
5929 | bayes_ignore_header x-ms-office365-filtering-correlation-id | |
5930 | bayes_ignore_header X-MS-TrafficTypeDiagnostic | |
5931 | bayes_ignore_header X-MSFBL | |
5932 | bayes_ignore_header X-MSMail-Priority | |
b780ea8d SI |
5933 | bayes_ignore_header X-MXScan-AntiSpam |
5934 | bayes_ignore_header X-MXScan-AntiVirus | |
5935 | bayes_ignore_header X-MXScan-Country-Sequence | |
5936 | bayes_ignore_header X-MXScan-License | |
5937 | bayes_ignore_header X-MXScan-Msgid | |
5938 | bayes_ignore_header X-MXScan-ProcessingTime | |
5939 | bayes_ignore_header X-MXScan-Scan | |
5940 | bayes_ignore_header X-NAI-Spam-Flag | |
5941 | bayes_ignore_header X-NAI-Spam-Rules | |
5942 | bayes_ignore_header X-NAI-Spam-Score | |
5943 | bayes_ignore_header X-NAI-Spam-Threshold | |
5944 | bayes_ignore_header X-NetStation-Status | |
21dcadbf SI |
5945 | bayes_ignore_header X-No-Relay |
5946 | bayes_ignore_header X-OriginatorOrg | |
b780ea8d SI |
5947 | bayes_ignore_header X-OVH-SPAMCAUSE |
5948 | bayes_ignore_header X-OVH-SPAMCAUSE: | |
5949 | bayes_ignore_header X-OVH-SPAMSCORE | |
5950 | bayes_ignore_header X-OVH-SPAMSTATE | |
5951 | bayes_ignore_header X-PerlMx-Spam | |
5952 | bayes_ignore_header X-PerlMx-Virus-Scanned | |
5953 | bayes_ignore_header X-PFSI-Info | |
5954 | bayes_ignore_header X-PMX-Spam | |
5955 | bayes_ignore_header X-PMX-Version | |
5956 | bayes_ignore_header X-Policy-Service | |
5957 | bayes_ignore_header X-policyd-weight | |
5958 | bayes_ignore_header X-PreRBLs | |
5959 | bayes_ignore_header X-Probable-Spam | |
5960 | bayes_ignore_header X-PROLinux-SpamCheck | |
5961 | bayes_ignore_header X-Proofpoint-Spam-Reason | |
5962 | bayes_ignore_header X-Proofpoint-Virus-Version | |
21dcadbf | 5963 | bayes_ignore_header X-Provags-ID |
b780ea8d SI |
5964 | bayes_ignore_header x-purgate-eavas: clean |
5965 | bayes_ignore_header x-purgate-id | |
5966 | bayes_ignore_header x-purgate-size | |
5967 | bayes_ignore_header x-purgate-type | |
5968 | bayes_ignore_header X-Qmail-Scanner-Diagnostics | |
5969 | bayes_ignore_header X-Qmail-Scanner-MOVED-X-Spam-Status | |
5970 | bayes_ignore_header X-Quarantine-ID | |
21dcadbf | 5971 | bayes_ignore_header X-Received |
b780ea8d SI |
5972 | bayes_ignore_header X-RSpam-Report |
5973 | bayes_ignore_header X-SA-Do-Not-Run | |
5974 | bayes_ignore_header X-SA-Exim-Version | |
5975 | bayes_ignore_header X-Scanned-by | |
21dcadbf SI |
5976 | bayes_ignore_header X-ServerMaster-MailScanner |
5977 | bayes_ignore_header X-SG-EID | |
5978 | bayes_ignore_header X-SG-ID | |
b780ea8d SI |
5979 | bayes_ignore_header X-SmarterMail-CustomSpamHeader |
5980 | bayes_ignore_header X-Spam | |
5981 | bayes_ignore_header X-Spam-Action | |
5982 | bayes_ignore_header X-SPAM-AISP | |
5983 | bayes_ignore_header X-Spam-Check-By | |
5984 | bayes_ignore_header X-Spam-Checker-Version | |
5985 | bayes_ignore_header X-Spam-CMAE-Analysis | |
5986 | bayes_ignore_header X-Spam-CMAESCORE | |
5987 | bayes_ignore_header X-Spam-CTCH-RefID | |
5988 | bayes_ignore_header X-Spam-Flag | |
5989 | bayes_ignore_header X-Spam-Level | |
5990 | bayes_ignore_header X-Spam-Processed | |
5991 | bayes_ignore_header X-Spam-Report | |
5992 | bayes_ignore_header X-Spam-Scanned | |
5993 | bayes_ignore_header X-Spam-Score | |
5994 | bayes_ignore_header X-Spam-Score-Int | |
5995 | bayes_ignore_header X-Spam-SmartLearn | |
5996 | bayes_ignore_header X-Spam-Status | |
5997 | bayes_ignore_header X-Spam-Threshold | |
5998 | bayes_ignore_header X-Spam_bar | |
5999 | bayes_ignore_header X-Spambayes-Classification | |
6000 | bayes_ignore_header X-SpamExperts-Domain | |
6001 | bayes_ignore_header X-SpamExperts-Outgoing-Class | |
6002 | bayes_ignore_header X-SpamExperts-Outgoing-Evidence | |
6003 | bayes_ignore_header X-SpamExperts-Username | |
6004 | bayes_ignore_header X-Spamfilter-host | |
6005 | bayes_ignore_header X-Spamina-Bogosity | |
6006 | bayes_ignore_header X-Spamina-Spam-Report | |
6007 | bayes_ignore_header X-Spamina-Spam-Score | |
6008 | bayes_ignore_header X-SpamInfo | |
6009 | bayes_ignore_header X-Spamsave | |
6010 | bayes_ignore_header X-SpamTest-Group-ID | |
6011 | bayes_ignore_header X-SpamTest-Info | |
6012 | bayes_ignore_header X-SpamTest-Method | |
6013 | bayes_ignore_header X-SpamTest-Rate | |
6014 | bayes_ignore_header X-SpamTest-SPF | |
6015 | bayes_ignore_header X-SpamTest-Status | |
6016 | bayes_ignore_header X-SpamTest-Status-Extended | |
6017 | bayes_ignore_header X-SPF-Scan-By | |
6018 | bayes_ignore_header X-STA-Metric | |
6019 | bayes_ignore_header X-STA-NotSpam | |
6020 | bayes_ignore_header X-STA-Spam | |
6021 | bayes_ignore_header X-StarScan-Version | |
6022 | bayes_ignore_header X-SurGATE-Result | |
6023 | bayes_ignore_header X-SWITCHham-Score | |
6024 | bayes_ignore_header X-UI-Filterresults | |
6025 | bayes_ignore_header X-UI-Loop | |
6026 | bayes_ignore_header X-UI-Out-Filterresults | |
6027 | bayes_ignore_header X-Univie-Spam-Checker-Version | |
6028 | bayes_ignore_header X-Univie-Virus-Scan | |
6029 | bayes_ignore_header X-Virus | |
6030 | bayes_ignore_header X-Virus-Checker-Version | |
6031 | bayes_ignore_header X-Virus-Scanned | |
6032 | bayes_ignore_header X-Virus-Scanner-Result | |
6033 | bayes_ignore_header X-Virus-Scanner-Version | |
6034 | bayes_ignore_header X-Virus-Status | |
6035 | bayes_ignore_header X-VirusChecked | |
6036 | bayes_ignore_header X-VR-SCORE | |
6037 | bayes_ignore_header X-VR-SPAMCAUSE | |
6038 | bayes_ignore_header X-VR-STATUS | |
6039 | bayes_ignore_header X-WatchGuard-Mail-Client-IP | |
6040 | bayes_ignore_header X-WatchGuard-Mail-From | |
6041 | bayes_ignore_header X-WatchGuard-Mail-Recipients | |
6042 | bayes_ignore_header X-WatchGuard-Spam-ID | |
6043 | bayes_ignore_header X-WatchGuard-Spam-Score | |
6044 | bayes_ignore_header X-Whitelist-Domain | |
6045 | bayes_ignore_header X-WUM-CCI | |
21dcadbf SI |
6046 | bayes_ignore_header X_CMAE_Category |
6047 | ##} bayes_ignore_header_sandbox | |
b780ea8d SI |
6048 | |
6049 | ##{ if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox | |
# DNS lookups keyed on the message's author domain and envelope sender domain.
# Loaded only on SpamAssassin >= 3.4.1 with the AskDNS plugin enabled.
# askdns syntax: <rule> <query template> <RR type> <answer filter regex>.
# The four fresh.fmb.la rules differ only in the A-record answer they accept;
# judging by the rule names, 127.2.0.2/.14/.28 are "newly registered domain"
# buckets -- confirm the exact meaning against the list operator's documentation.
# __FROM_FMBLA_NDBLOCKED matches 127.255.255.255, which by its name appears to be
# the "your resolver is being refused" answer. Worth monitoring: if it fires on
# most mail, the new-domain checks above are effectively disabled.
# __PDS_SPF_ONLYALL matches a TXT record that is exactly "v=spf1 +all", i.e. an
# SPF policy that authorises every sending host.
# The `reuse` lines only declare rule names for mass-check result reuse (see
# Mail::SpamAssassin::Conf); the rules themselves are defined outside this section.
6050 | ||
6051 | if (version >= 3.004001) | |
6052 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
6053 | askdns __FROM_FMBLA_NEWDOM _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.2$/ | |
6054 | askdns __FROM_FMBLA_NEWDOM14 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.14$/ | |
6055 | askdns __FROM_FMBLA_NEWDOM28 _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.2\.0\.28$/ | |
6056 | askdns __FROM_FMBLA_NDBLOCKED _AUTHORDOMAIN_.fresh.fmb.la. A /^127\.255\.255\.255$/ | |
6057 | reuse FROM_FMBLA_NEWDOM | |
6058 | reuse FROM_FMBLA_NEWDOM14 | |
6059 | reuse FROM_FMBLA_NEWDOM28 | |
6060 | reuse FROM_FMBLA_NDBLOCKED | |
6061 | reuse __PDS_NEWDOMAIN | |
6062 | reuse FROM_NUMBERO_NEWDOMAIN | |
6063 | reuse FROM_NEWDOM_BTC | |
6064 | askdns __PDS_SPF_ONLYALL _SENDERDOMAIN_ TXT /^v=spf1 \+all$/ | |
6065 | reuse BITCOIN_SPF_ONLYALL | |
6066 | endif | |
6067 | endif | |
6068 | ##} if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox | |
6069 | ||
6070 | ##{ if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox | |
# Named address and URI-host lists used by brand-spoofing and suspicious-TLD rules.
# enlist_addrlist (NAME) adds address globs to the list NAME; enlist_uri_host (NAME)
# adds host or domain names to a URI host list. The eval rules that consult these
# lists (__FROM_ADDRLIST_*, FROM_*_SPOOF, ...) are defined outside this section.
# Being on PAYPAL/BANKS/GOV only says the From address claims that brand. It says
# nothing about whether the message is authentic; presumably the consuming rules
# combine it with SPF/DKIM results -- confirm against their definitions.
# NOTE(review): *@paypal.de appears in both the first and second PAYPAL line; the
# duplicate looks harmless but is redundant.
# NOTE(review): the SUSP_NTLD address list and the SUSP_URI_NTLD host list carry
# the same 20 TLDs. They are maintained as two separate lists, so a TLD added to
# one must be added to the other by hand.
6071 | ||
6072 | if (version >= 3.004002) | |
6073 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
6074 | enlist_addrlist (PAYPAL) *@paypal.com *@paypal.co.uk *@paypal.de *@paypal.com.au *@paypal.it | |
6075 | enlist_addrlist (PAYPAL) *@paypal.es *@paypal.fr *@paypal.de *@paypal.com.hk | |
6076 | enlist_addrlist (PAYPAL) *@*.paypal.com *@*.paypal.co.uk | |
6077 | reuse __FROM_ADDRLIST_PAYPAL | |
6078 | reuse FROM_PAYPAL_SPOOF | |
6079 | enlist_addrlist (BANKS) *@abbey.co.uk *@abbey.com *@abbeyinternational.com *@abbeyinternational.co.uk *@abbeynational.com *@abbeynational.co.uk | |
6080 | enlist_addrlist (BANKS) *@allianceleicester.com *@allianceleicester.co.uk *@alliance-leicester.com *@alliance-leicester.co.uk | |
6081 | enlist_addrlist (BANKS) *@bankofamerica.com *@bankofamerica.co.uk | |
6082 | enlist_addrlist (BANKS) *@barclaycard.com *@barclays.com | |
6083 | enlist_addrlist (BANKS) *@citibank.com | |
6084 | enlist_addrlist (BANKS) *@firstdirect.com *@firstdirect.co.uk | |
6085 | enlist_addrlist (BANKS) *@halifax.com *@halifax.co.uk *@halifax-online.co.uk *@halifax-online.com | |
6086 | enlist_addrlist (BANKS) *@hbos.com *@hbos.co.uk | |
6087 | enlist_addrlist (BANKS) *@hsbc.com *@hsbc.co.uk *@hsbc.hk *@hsbcgroup.com *@hsbcgroup.co.uk | |
6088 | enlist_addrlist (BANKS) *@lloydstsb.com *@lloydstsb.co.uk *@lloyds.com | |
6089 | enlist_addrlist (BANKS) *@mbna.com | |
6090 | enlist_addrlist (BANKS) *@nationwide.com *@nationwide.co.uk | |
6091 | enlist_addrlist (BANKS) *@natwest.com *@natwest.co.uk | |
6092 | enlist_addrlist (BANKS) *@santander.com *@santander.co.uk | |
6093 | enlist_addrlist (BANKS) *@standardbank.co.za | |
6094 | enlist_addrlist (BANKS) *@ybonline.co.uk *@ybonline.com | |
6095 | reuse __FROM_ADDRLIST_BANKS | |
6096 | reuse FROM_BANK_NOAUTH | |
6097 | enlist_addrlist (GOV) *@*.gov | |
6098 | enlist_addrlist (GOV) *@*.gov.uk *@parliament.uk *@*.parliament.uk | |
6099 | reuse __FROM_ADDRLIST_GOV | |
6100 | reuse FROM_GOV_SPOOF | |
6101 | reuse FROM_GOV_DKIM_AU | |
6102 | reuse FROM_GOV_REPLYTO_FREEMAIL | |
6103 | enlist_addrlist (SUSP_NTLD) *@*.icu | |
6104 | enlist_addrlist (SUSP_NTLD) *@*.online | |
6105 | enlist_addrlist (SUSP_NTLD) *@*.work | |
6106 | enlist_addrlist (SUSP_NTLD) *@*.date | |
6107 | enlist_addrlist (SUSP_NTLD) *@*.top | |
6108 | enlist_addrlist (SUSP_NTLD) *@*.fun | |
6109 | enlist_addrlist (SUSP_NTLD) *@*.life | |
6110 | enlist_addrlist (SUSP_NTLD) *@*.review | |
b780ea8d SI |
6111 | enlist_addrlist (SUSP_NTLD) *@*.bid |
6112 | enlist_addrlist (SUSP_NTLD) *@*.stream | |
b780ea8d SI |
6113 | enlist_addrlist (SUSP_NTLD) *@*.gdn |
6114 | enlist_addrlist (SUSP_NTLD) *@*.click | |
6115 | enlist_addrlist (SUSP_NTLD) *@*.world | |
6116 | enlist_addrlist (SUSP_NTLD) *@*.fit | |
6117 | enlist_addrlist (SUSP_NTLD) *@*.ooo | |
6118 | enlist_addrlist (SUSP_NTLD) *@*.faith | |
6119 | enlist_addrlist (SUSP_NTLD) *@*.buzz | |
6120 | enlist_addrlist (SUSP_NTLD) *@*.trade | |
6121 | enlist_addrlist (SUSP_NTLD) *@*.cyou | |
6122 | enlist_addrlist (SUSP_NTLD) *@*.vip | |
6123 | enlist_uri_host (SUSP_URI_NTLD) icu | |
6124 | enlist_uri_host (SUSP_URI_NTLD) online | |
6125 | enlist_uri_host (SUSP_URI_NTLD) work | |
6126 | enlist_uri_host (SUSP_URI_NTLD) date | |
6127 | enlist_uri_host (SUSP_URI_NTLD) top | |
6128 | enlist_uri_host (SUSP_URI_NTLD) fun | |
6129 | enlist_uri_host (SUSP_URI_NTLD) life | |
6130 | enlist_uri_host (SUSP_URI_NTLD) review | |
b780ea8d SI |
6131 | enlist_uri_host (SUSP_URI_NTLD) bid |
6132 | enlist_uri_host (SUSP_URI_NTLD) stream | |
b780ea8d SI |
6133 | enlist_uri_host (SUSP_URI_NTLD) gdn |
6134 | enlist_uri_host (SUSP_URI_NTLD) click | |
6135 | enlist_uri_host (SUSP_URI_NTLD) world | |
6136 | enlist_uri_host (SUSP_URI_NTLD) fit | |
6137 | enlist_uri_host (SUSP_URI_NTLD) ooo | |
6138 | enlist_uri_host (SUSP_URI_NTLD) faith | |
6139 | enlist_uri_host (SUSP_URI_NTLD) buzz | |
6140 | enlist_uri_host (SUSP_URI_NTLD) trade | |
6141 | enlist_uri_host (SUSP_URI_NTLD) cyou | |
6142 | enlist_uri_host (SUSP_URI_NTLD) vip | |
6143 | enlist_uri_host (SUSP_URI_NTLD_PRO) pro | |
6144 | reuse __FROM_ADDRLIST_SUSPNTLD | |
6145 | reuse __REPLYTO_ADDRLIST_SUSPNTLD | |
6146 | reuse FROM_SUSPICIOUS_NTLD | |
6147 | reuse GOOGLE_DRIVE_REPLY_BAD_NTLD | |
6148 | reuse VPS_NO_NTLD | |
6149 | endif | |
6150 | endif | |
6151 | ##} if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval_sandbox | |
6152 | ||
6153 | ##{ if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox | |
# Settings for GB_HASHBL_BTC, loaded only on SpamAssassin >= 3.4.3 with the HashBL
# plugin enabled. The rule itself is defined outside this section.
# priority -100 schedules the rule ahead of default-priority (0) rules. For a
# network lookup this presumably serves to start the DNS query early -- confirm.
6154 | ||
6155 | if (version >= 3.004003) | |
6156 | ifplugin Mail::SpamAssassin::Plugin::HashBL | |
dfdd1e08 SI |
6157 | priority GB_HASHBL_BTC -100 |
6158 | reuse GB_HASHBL_BTC | |
b780ea8d SI |
6159 | endif |
6160 | endif | |
6161 | ##} if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL_sandbox | |
6162 | ||
6163 | ##{ if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox | |
# Defines the <lcase_e> tag: an ASCII "e" or one of several UTF-8 byte sequences,
# and expands it inside the rule __E_LIKE_LETTER (defined outside this section).
# The sequences appear to be accented Latin and Cyrillic/Greek look-alikes of a
# lower-case "e" -- the byte ranges are listed raw, so treat that reading as an
# assumption.
# NOTE(review): in \xd3[\x07\xa9\xab] the byte \x07 is outside the UTF-8
# continuation range \x80-\xbf, so that alternative can never match a well-formed
# character; this looks like a typo for another byte. Likewise \xc8\x80 decodes to
# U+0200, an "A" variant rather than an "e". Confirm the intended values upstream
# before relying on this tag to catch homoglyph substitutions.
6164 | ||
6165 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
6166 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
6167 | replace_tag lcase_e (?:e|\xc3[\xa8\xa9\xaa\xab]|\xc4[\x93\x95\x97\x99\x9b]|\xc8[\x85\x87\x80]|\xcf\xb5|\xd0\xb5|\xd1[\x90\x91\x94\xb3]|\xd2[\xbc\xbd\xbe\xbf]|\xd3[\x07\xa9\xab]) | |
6168 | replace_rules __E_LIKE_LETTER | |
6169 | endif | |
6170 | endif | |
6171 | ##} if can(Mail::SpamAssassin::Conf::feature_bug6558_free) ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox | |
6172 | ||
6173 | ##{ ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox | |
# DKIM-domain reputation lookups against lookup.dkimwl.org, plus a HELO resolution
# check. Every __DKIMWL_* rule sends the same query (_DKIMDOMAIN_.lookup.dkimwl.org)
# and differs only in which octets of the 127.x.y.z answer it accepts:
#   third octet 3 / 2          -> __DKIMWL_FREEMAIL / __DKIMWL_BULKMAIL
#   fourth octet 5 / 4 / 3 / 0 -> __DKIMWL_WL_HI / _MEDHI / _MED / __DKIMWL_WL_BL
#   exactly 127.255.255.255    -> __DKIMWL_BLOCKED
# The meaning of each octet is inferred from the rule names; confirm it against
# the list operator's documentation.
# NOTE(review): the lookup is keyed on the DKIM signing domain, so a welcomelist
# answer is only meaningful for a signature that actually verified. The DKIMWL_*
# metas that would enforce this are not shown here -- verify before changing scores.
# __DKIMWL_BLOCKED is worth monitoring: if it fires broadly, these lookups are not
# returning usable reputation data.
# __HELO_DNS hits when the HELO name of the last external relay has any A record.
6174 | ||
6175 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
6176 | askdns __DKIMWL_FREEMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.3\.\d+$/ | |
6177 | reuse __DKIMWL_FREEMAIL | |
6178 | askdns __DKIMWL_BULKMAIL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.2\.\d+$/ | |
6179 | reuse __DKIMWL_BULKMAIL | |
6180 | askdns __DKIMWL_WL_HI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.5$/ | |
6181 | reuse __DKIMWL_WL_HI | |
6182 | askdns __DKIMWL_WL_MEDHI _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.4$/ | |
6183 | reuse __DKIMWL_WL_MEDHI | |
6184 | askdns __DKIMWL_WL_MED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.3$/ | |
6185 | reuse __DKIMWL_WL_MED | |
6186 | askdns __DKIMWL_WL_BL _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.\d+\.\d+\.0$/ | |
6187 | reuse __DKIMWL_WL_BL | |
6188 | askdns __DKIMWL_BLOCKED _DKIMDOMAIN_.lookup.dkimwl.org A /^127\.255\.255\.255$/ | |
6189 | reuse __DKIMWL_BLOCKED | |
6190 | reuse DKIMWL_WL_HIGH | |
6191 | reuse DKIMWL_WL_MEDHI | |
6192 | reuse DKIMWL_WL_MED | |
6193 | reuse DKIMWL_BL | |
6194 | reuse DKIMWL_BLOCKED | |
6195 | askdns __HELO_DNS _LASTEXTERNALHELO_ A /./ | |
6196 | endif | |
6197 | ##} ifplugin Mail::SpamAssassin::Plugin::AskDNS_sandbox | |
6198 | ||
6199 | ##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox | |
# Declares RCVD_IN_PSBL for mass-check result reuse when the DNSEval plugin is
# loaded. The DNSBL rule itself is defined outside this section.
6200 | ||
6201 | ifplugin Mail::SpamAssassin::Plugin::DNSEval # { | |
6202 | reuse RCVD_IN_PSBL | |
6203 | endif | |
6204 | ##} ifplugin Mail::SpamAssassin::Plugin::DNSEval # {_sandbox | |
6205 | ||
6206 | ##{ ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox | |
# Declares the RCVD_IN_IADB_* family for mass-check result reuse when the DNSEval
# plugin is loaded. Only names are listed here; the lookups and scores are defined
# elsewhere, so nothing in this section changes scanning behaviour by itself.
6207 | ||
6208 | ifplugin Mail::SpamAssassin::Plugin::DNSEval | |
6209 | reuse RCVD_IN_IADB_LISTED | |
6210 | reuse RCVD_IN_IADB_EDDB | |
6211 | reuse RCVD_IN_IADB_EPIA | |
6212 | reuse RCVD_IN_IADB_SPF | |
6213 | reuse RCVD_IN_IADB_SENDERID | |
6214 | reuse RCVD_IN_IADB_DK | |
6215 | reuse RCVD_IN_IADB_RDNS | |
6216 | reuse RCVD_IN_IADB_GOODMAIL | |
6217 | reuse RCVD_IN_IADB_NOCONTROL | |
6218 | reuse RCVD_IN_IADB_OPTOUTONLY | |
6219 | reuse RCVD_IN_IADB_UNVERIFIED_1 | |
6220 | reuse RCVD_IN_IADB_UNVERIFIED_2 | |
6221 | reuse RCVD_IN_IADB_LOOSE | |
6222 | reuse RCVD_IN_IADB_OPTIN_LT50 | |
6223 | reuse RCVD_IN_IADB_OPTIN_GT50 | |
6224 | reuse RCVD_IN_IADB_OPTIN | |
6225 | reuse RCVD_IN_IADB_DOPTIN_LT50 | |
6226 | reuse RCVD_IN_IADB_DOPTIN_GT50 | |
6227 | reuse RCVD_IN_IADB_DOPTIN | |
6228 | reuse RCVD_IN_IADB_ML_DOPTIN | |
6229 | reuse RCVD_IN_IADB_OOO | |
6230 | reuse RCVD_IN_IADB_MI_CPEAR | |
6231 | reuse RCVD_IN_IADB_UT_CPEAR | |
6232 | reuse RCVD_IN_IADB_MI_CPR_30 | |
6233 | reuse RCVD_IN_IADB_UT_CPR_30 | |
6234 | reuse RCVD_IN_IADB_MI_CPR_MAT | |
6235 | reuse RCVD_IN_IADB_UT_CPR_MAT | |
6236 | endif | |
6237 | ##} ifplugin Mail::SpamAssassin::Plugin::DNSEval_sandbox | |
6238 | ||
6239 | ##{ ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox | |
# Settings for the FromNameSpoof plugin, which compares an e-mail address shown in
# the From display name with the real From address.
# fns_ignore_dkim    - skip the check for mail DKIM-signed by the listed domains.
# fns_ignore_headers - skip the check when the named header is present.
# fns_check          - selects the comparison mode; see the plugin documentation
#                      for what mode 1 compares.
# NOTE(review): List-Id is set by the sender, so any message that carries one is
# exempt from the display-name check. Sites that see display-name spoofing through
# list-style mail may want to narrow this in local.cf.
6240 | ||
6241 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
6242 | fns_ignore_dkim linkedin.com googlegroups.com yahoogroups.com yahoogroups.de | |
6243 | fns_ignore_headers List-Id | |
6244 | fns_check 1 | |
6245 | reuse __PLUGIN_FROMNAME_SPOOF | |
6246 | reuse __PLUGIN_FROMNAME_EQUALS_TO | |
6247 | endif | |
6248 | ##} ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof_sandbox | |
6249 | ||
6250 | ##{ ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox | |
# Regex fragments (replace_tag) and the rules in which they are expanded
# (replace_rules), loaded when the ReplaceTags plugin is enabled.
# A tag is written <NAME> inside a rule or inside another tag (FF_ALL, for example,
# is built from the other FF_* tags). A rule must be listed in replace_rules for
# its tags to be expanded.
# The FF_* tags describe form-field labels (address, name, phone, bank details,
# ID documents, passwords) for the __FILL_THIS_FORM_* rules. CURRENCY,
# NUM_NOT_DATE* and PERCENT feed the money and percentage rules.
# The rule bodies themselves are defined outside this section.
6251 | ||
6252 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
6253 | replace_rules T_FUZZY_SPRM | |
6254 | replace_rules FUZZY_MERIDIA | |
6255 | replace_rules TVD_FUZZY_PHARMACEUTICAL | |
6256 | replace_rules TVD_FUZZY_SYMBOL | |
6257 | replace_rules T_TVD_FUZZY_SECURITIES | |
6258 | replace_rules TVD_FUZZY_FINANCE | |
6259 | replace_rules TVD_FUZZY_FIXED_RATE | |
6260 | replace_rules TVD_FUZZY_MICROCAP | |
6261 | replace_rules T_TVD_FUZZY_SECTOR | |
6262 | replace_rules TVD_FUZZY_DEGREE | |
6263 | replace_rules __COPY_PASTE_EN | |
6264 | replace_tag FF_LNNO (?:(?:\d{1,3}(?:[)}\]:.,]{1,80}|(?:st|nd|rd|th)[)}\]:.,]{0,3})|\W?\([\div]{1,5}\)|\W?\{\d{1,3}\}|\[\d{1,3}\]|\*{1,5}|\#{1,5}|\(?[A-K][)}\]:.,]{1,3})\s?) | |
6265 | replace_tag FF_YOUR (?:a?\s?copy\sof\s)?(?:(?:your|din|seu|twoje)[\s,:]{1,5})?(?:present\s|c[uo]rrent\s|full(?:st[\xe4]ndigt)?\s?|complete\s|direct\s|private?\s|valid\s|personal\s|nuvarande\s|vollst[\xe4]ndige\s|aktuelle\s|pe\s(?:ne\s)?){0,3} | |
6266 | replace_tag ANDOR (?:\s?[\/&+,]\s?|\sor\s|\sand?\s) | |
6267 | replace_tag NUMBER (?:(?:ruf)?num(?:[bm]er)?\(?s?\)?|nos?\.|no\b|n[\xb0]|\#s?|nbrs?\.?) | |
6268 | replace_tag FF_SUFFIX (?:\sin\s(?:full|words)|\scompleto)?:?(?:\s?[({][^)}]{1,30}[)}])? | |
6269 | replace_tag FF_BLANK1 (?:[\s:;]{0,4}(?:(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){3,100})) | |
6270 | replace_tag FF_BLANK2 (?:[^-=_.,:;*\w]{0,3}(?:[-=_.,:;*\s\x85]|&\#\d{1,3};|[\xe2][\x80][\xa6]){1,100}) | |
6271 | replace_tag FF_A1 (?:(?:countr?y|city|province|ter+itory|(?:zip|post(?:al)?)(?:\s?code)?|st?ates?|ad+res+e?)<ANDOR>?){1,3}(?:\sof\s(?:residence|birth|employment|citizenship|origin))? | |
6272 | replace_tag FF_A2 (?:(?:contact|full|house|home|resident[ia]+l|busines+|mailing|work|delivery|ship+ing|post(?:al)?|of+ice|e-?mail|bostads|wohn)<ANDOR>?){0,3}\s?(?:ad+res+[es]{0,2}|location|endere[\xe7]o)(?:\sline)?(?:\s[0-9])? | |
6273 | replace_tag FF_N1 (?:company|first|last|all|busines+|legal|ben[ei]ficiary|user|vollstaendigen)?\s?(?:name?[sn]?|navne|nome|nazwy)(?:<ANDOR>ad+res+)? | |
6274 | replace_tag FF_P1 (?:(?:(?:busines+|contact|fax|voice|house|home|mobile?|cel+(?:ular)?|of+ice|tel+e?(?:\s?(?:ph|f)one?)?|(?:ph|f)one|private)(?:\s(?:ph|f)one)?<ANDOR>?){1,3}(?:\s?<NUMBER>)?<ANDOR>?){1,3} | |
6275 | replace_tag FF_M1 (?:(?:ages?|marital\s?statu[se]|sex|gender|male\sor\sfemale|(?:date\s(?:of\s)?)?birth|religion|nationality|(?:user )?email|next\sof\skin|alter|staatsangehoerigkeit|nationalitet|idade|weik)<ANDOR>?){1,3} | |
# NOTE(review): in FF_L1 below, "work(?:ing)\s?experience" makes "ing" mandatory,
# so plain "work experience" does not match this alternative (possibly meant
# "(?:ing)?"). "need(ed)?" is the only capturing group in these tags, and
# "zaw(?:=F3|[\xf3])d" matches a literal quoted-printable "=F3" as well as the raw
# byte. Confirm all three are intended.
6276 | replace_tag FF_L1 (?:(?:previous\s)?work(?:ing)\s?experience|employment|position|profes+ion|(?:monthly|an+ual)?\s?income|purpose\sof\sl(?:oa|ao)n|an+ual\sturn\s?over|l(?:oa|ao)n\sduration|oc+up[ae]tion(?:\/position)?s?|(?:l(?:oa|ao)n\s|the\s)?amount(?:\sneed(ed)?|\sdesired)?(?:\s(?:as|of)\sloan)?|beruf|zaw(?:=F3|[\xf3])d) | |
6277 | replace_tag FF_F1 (?:(?:bank(?:ing)?|beneficiary|billing|acc(?:oun)?t|rout(?:ing)?|swift|receiver|user)<ANDOR>?){1,3}\s(?:(?:name|ad+res+(?:es)?|location|code|details|institution|a\/c|<NUMBER>)<ANDOR>?){1,3} | |
6278 | replace_tag FF_F2 (?:(?:(?:international\s)?driver'?s?\sli[sc]+(?:en[sc]e)?|pas+\s?port|id\scard|[ia]d(?:entification|entity)(?:\s(?:card|<NUMBER>|papers?))?)<ANDOR>?){1,3}(?:\s<NUMBER>)? | |
6279 | replace_tag FF_F3 (?:picture|zdj\scie|test\squestion|answer|amount\swon|(?:inheritance\s)?funds?\svalue|(?:e-?mail\s)?pas+word|e-?mai?l\sid|amount\s[\w\s]{0,30}lost[\w\s]{0,15}) | |
6280 | replace_tag FF_F4 (?:log[-\s]?in|(?:e-?mail\s)?user)\s?names? | |
6281 | replace_tag FF_F5 (?:ref(?:erence)?|batch|win+ing|award|billet)[-\s]?<NUMBER> | |
6282 | replace_tag FF_ALL (?:<FF_A1>|<FF_A2>|<FF_N1>|<FF_P1>|<FF_M1>|<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>|<FF_L1>) | |
6283 | replace_rules __FILL_THIS_FORM_LONG1 | |
6284 | replace_rules __FILL_THIS_FORM_LONG2 | |
6285 | replace_rules __FILL_THIS_FORM_PARTIAL | |
6286 | replace_rules __FILL_THIS_FORM_PARTIAL_RAW | |
6287 | replace_rules __FILL_THIS_FORM_SHORT1 | |
6288 | replace_rules __FILL_THIS_FORM_SHORT2 | |
6289 | replace_rules __FILL_THIS_FORM_LOAN1 | |
6290 | replace_rules __FILL_THIS_FORM_FRAUD_PHISH1 | |
6291 | replace_tag CURRENCY (?:[\(\[]?(?:\bU[Ss][D\$]{0,2}|\$(?:US)?|usd|USD|CAD|GBP|=[Aa][34]|\xa3|&\#16[34];|(?i:pounds\ssterling)|\xa4|EUR(?:OS?)?|(?:d')?[Ee]uro?s?|(?i:eur)\sde|CHF|FCFA|d[\xf3]lares\sde\slos\sE+\.\s?U+\.)[\]\)]?) | |
6292 | replace_tag GB_UK \b(?:U\.?K\.?|(?:Great\s)?Brit(?:ain|ish)|G\.?B\.?)\b | |
6293 | replace_tag NUM_NOT_DATE [1-9](?!\d\d\d\.\d\d\.\d\d\s)(?!\d?\.\d\d?\.\d\d\d\d\s) | |
6294 | replace_tag NUM_NOT_DATE_IP <NUM_NOT_DATE>(?!\d{0,2}(?:\.0|\.[1-2]\d{0,2}){3}(?:\D|$)) | |
6295 | replace_rules __LOTSA_MONEY_00 __LOTSA_MONEY_01 __LOTSA_MONEY_02 __LOTSA_MONEY_03 __LOTSA_MONEY_04 | |
6296 | replace_tag PERCENT \b(?:\d\d|ten|[a-z]+teen|(?:twen|thir|fou?r|fif)ty(?:-?[a-z]+)?)\s?(?:%|percent) | |
6297 | replace_rules __PCT_FOR_YOU_1 __PCT_FOR_YOU_2 __PCT_FOR_YOU_3 __PCT_OF_PMTS | |
6298 | replace_rules T_FUZZY_OPTOUT | |
6299 | replace_rules __FRT_PRICE | |
6300 | replace_rules FUZZY_UNSUBSCRIBE | |
6301 | replace_rules FUZZY_ANDROID | |
6302 | replace_rules FUZZY_PROMOTION | |
6303 | replace_rules FUZZY_PRIVACY | |
6304 | replace_rules FUZZY_BROWSER | |
6305 | replace_rules FUZZY_SAVINGS | |
6306 | replace_rules FUZZY_IMPORTANT | |
6307 | replace_rules FUZZY_SECURITY | |
6308 | replace_rules __FUZZY_DR_OZ | |
6309 | replace_rules FUZZY_CLICK_HERE | |
6310 | replace_rules FUZZY_BITCOIN | |
6311 | replace_rules __BITCOIN | |
6312 | replace_rules FUZZY_WALLET | |
6313 | replace_rules __FUZZY_MONERO | |
6314 | replace_rules __FUZZY_WELLSFARGO_BODY | |
6315 | replace_rules __FUZZY_WELLSFARGO_FROM | |
6316 | replace_rules __FUZZY_PORN | |
6317 | replace_rules FUZZY_AMAZON | |
6318 | replace_rules FUZZY_APPLE | |
6319 | replace_rules FUZZY_MICROSOFT | |
6320 | replace_rules FUZZY_FACEBOOK | |
6321 | replace_rules FUZZY_PAYPAL | |
6322 | replace_rules FUZZY_NORTON | |
6323 | replace_rules FUZZY_OVERSTOCK | |
6324 | replace_rules __MY_VICTIM | |
6325 | replace_rules __MY_MALWARE | |
6326 | replace_rules __PAY_ME | |
6327 | replace_rules __YOUR_PASSWORD | |
6328 | replace_rules __YOUR_WEBCAM | |
6329 | replace_rules __YOUR_ONAN | |
6330 | replace_rules __YOUR_PERSONAL | |
6331 | replace_rules __HOURS_DEADLINE | |
6332 | replace_rules __EXPLOSIVE_DEVICE | |
6333 | replace_rules T_LFUZ_PWRMALE | |
6334 | replace_rules __PDS_BTC_HACKER __PDS_BTC_PIRATE | |
6335 | reuse T_PDS_BTC_AHACKER | |
6336 | reuse T_PDS_BTC_HACKER | |
6337 | reuse T_PDS_LTC_AHACKER | |
6338 | reuse T_PDS_LTC_HACKER | |
6339 | endif | |
6340 | ##} ifplugin Mail::SpamAssassin::Plugin::ReplaceTags_sandbox | |
6341 | ||
6342 | ##{ ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox | |
# Declares URIBL_RHS_DOB for mass-check result reuse when the URIDNSBL plugin is
# loaded. The lookup itself is defined outside this section.
6343 | ||
6344 | ifplugin Mail::SpamAssassin::Plugin::URIDNSBL | |
6345 | reuse URIBL_RHS_DOB | |
6346 | endif | |
6347 | ##} ifplugin Mail::SpamAssassin::Plugin::URIDNSBL_sandbox | |
6348 | ||
6349 | ##{ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox | |
# Static URI host list PDS_CASHSHORTENER, loaded on SpamAssassin >= 3.4.0 with the
# WLBLEval plugin. Judging by the list name these are pay-per-click URL shorteners,
# whose links hide the real destination behind an interstitial. The rule that
# consults the list is not shown in this section.
# This is a point-in-time snapshot: such domains rotate quickly, so the list loses
# coverage unless rule updates are applied regularly.
# NOTE(review): spiin.xyz, libittarc.com and triabicia.com are each listed twice;
# the duplicates look harmless but are redundant.
6350 | ||
6351 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
6352 | if (version >= 3.004000) | |
6353 | enlist_uri_host (PDS_CASHSHORTENER) cutpaid.com | |
6354 | enlist_uri_host (PDS_CASHSHORTENER) caat.site | |
6355 | enlist_uri_host (PDS_CASHSHORTENER) triabicia.com | |
6356 | enlist_uri_host (PDS_CASHSHORTENER) 2xs.io | |
6357 | enlist_uri_host (PDS_CASHSHORTENER) ocest.site | |
6358 | enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz | |
6359 | enlist_uri_host (PDS_CASHSHORTENER) waar.site | |
6360 | enlist_uri_host (PDS_CASHSHORTENER) cpmlink.net | |
6361 | enlist_uri_host (PDS_CASHSHORTENER) cowner.net | |
6362 | enlist_uri_host (PDS_CASHSHORTENER) adfoc.us | |
6363 | enlist_uri_host (PDS_CASHSHORTENER) shrinkhere.xyz | |
6364 | enlist_uri_host (PDS_CASHSHORTENER) gurl.pw | |
6365 | enlist_uri_host (PDS_CASHSHORTENER) shortearn.eu | |
6366 | enlist_uri_host (PDS_CASHSHORTENER) spiin.xyz | |
6367 | enlist_uri_host (PDS_CASHSHORTENER) libittarc.com | |
6368 | enlist_uri_host (PDS_CASHSHORTENER) pc.cd | |
6369 | enlist_uri_host (PDS_CASHSHORTENER) fc.lc | |
6370 | enlist_uri_host (PDS_CASHSHORTENER) dares.xyz | |
6371 | enlist_uri_host (PDS_CASHSHORTENER) trendlouds.com | |
6372 | enlist_uri_host (PDS_CASHSHORTENER) yogaf.xyz | |
6373 | enlist_uri_host (PDS_CASHSHORTENER) cobs.xyz | |
6374 | enlist_uri_host (PDS_CASHSHORTENER) olnew.xyz | |
6375 | enlist_uri_host (PDS_CASHSHORTENER) cleft.xyz | |
6376 | enlist_uri_host (PDS_CASHSHORTENER) 7r6.com | |
6377 | enlist_uri_host (PDS_CASHSHORTENER) mitly.us | |
6378 | enlist_uri_host (PDS_CASHSHORTENER) kutpay.com | |
6379 | enlist_uri_host (PDS_CASHSHORTENER) gsurl.me | |
6380 | enlist_uri_host (PDS_CASHSHORTENER) gurl.ly | |
6381 | enlist_uri_host (PDS_CASHSHORTENER) gsurl.in | |
6382 | enlist_uri_host (PDS_CASHSHORTENER) acitoate.com | |
6383 | enlist_uri_host (PDS_CASHSHORTENER) aclabink.com | |
6384 | enlist_uri_host (PDS_CASHSHORTENER) activeation.com | |
6385 | enlist_uri_host (PDS_CASHSHORTENER) activeterium.com | |
6386 | enlist_uri_host (PDS_CASHSHORTENER) adflyforum.com | |
6387 | enlist_uri_host (PDS_CASHSHORTENER) adflymail.com | |
6388 | enlist_uri_host (PDS_CASHSHORTENER) adult.xyz | |
6389 | enlist_uri_host (PDS_CASHSHORTENER) agileurbia.com | |
6390 | enlist_uri_host (PDS_CASHSHORTENER) atomcurve.com | |
6391 | enlist_uri_host (PDS_CASHSHORTENER) ay.gy | |
6392 | enlist_uri_host (PDS_CASHSHORTENER) battleate.com | |
6393 | enlist_uri_host (PDS_CASHSHORTENER) biastonu.com | |
6394 | enlist_uri_host (PDS_CASHSHORTENER) bitigee.com | |
6395 | enlist_uri_host (PDS_CASHSHORTENER) briskrange.com | |
6396 | enlist_uri_host (PDS_CASHSHORTENER) brisktopia.com | |
6397 | enlist_uri_host (PDS_CASHSHORTENER) casualient.com | |
6398 | enlist_uri_host (PDS_CASHSHORTENER) clesolea.com | |
6399 | enlist_uri_host (PDS_CASHSHORTENER) code404.biz | |
6400 | enlist_uri_host (PDS_CASHSHORTENER) coginator.com | |
6401 | enlist_uri_host (PDS_CASHSHORTENER) cogismith.com | |
6402 | enlist_uri_host (PDS_CASHSHORTENER) covelign.com | |
6403 | enlist_uri_host (PDS_CASHSHORTENER) crefranek.com | |
6404 | enlist_uri_host (PDS_CASHSHORTENER) dashsphere.com | |
6405 | enlist_uri_host (PDS_CASHSHORTENER) dataurbia.com | |
6406 | enlist_uri_host (PDS_CASHSHORTENER) deciomm.com | |
6407 | enlist_uri_host (PDS_CASHSHORTENER) ducolomal.com | |
6408 | enlist_uri_host (PDS_CASHSHORTENER) east-jones.com | |
6409 | enlist_uri_host (PDS_CASHSHORTENER) ecleneue.com | |
6410 | enlist_uri_host (PDS_CASHSHORTENER) ellevolaw.com | |
6411 | enlist_uri_host (PDS_CASHSHORTENER) endroudo.com | |
6412 | enlist_uri_host (PDS_CASHSHORTENER) eunsetee.com | |
6413 | enlist_uri_host (PDS_CASHSHORTENER) fainbory.com | |
6414 | enlist_uri_host (PDS_CASHSHORTENER) fasttory.com | |
6415 | enlist_uri_host (PDS_CASHSHORTENER) fawright.com | |
6416 | enlist_uri_host (PDS_CASHSHORTENER) flyserve.co | |
6417 | enlist_uri_host (PDS_CASHSHORTENER) greponozy.com | |
6418 | enlist_uri_host (PDS_CASHSHORTENER) homoluath.com | |
6419 | enlist_uri_host (PDS_CASHSHORTENER) hopigrarn.com | |
6420 | enlist_uri_host (PDS_CASHSHORTENER) infopade.com | |
6421 | enlist_uri_host (PDS_CASHSHORTENER) j.gs | |
6422 | enlist_uri_host (PDS_CASHSHORTENER) kaitect.com | |
6423 | enlist_uri_host (PDS_CASHSHORTENER) kializer.com | |
6424 | enlist_uri_host (PDS_CASHSHORTENER) kibuilder.com | |
6425 | enlist_uri_host (PDS_CASHSHORTENER) kimechanic.com | |
6426 | enlist_uri_host (PDS_CASHSHORTENER) kudoflow.com | |
6427 | enlist_uri_host (PDS_CASHSHORTENER) legeerook.com | |
6428 | enlist_uri_host (PDS_CASHSHORTENER) libittarc.com | |
6429 | enlist_uri_host (PDS_CASHSHORTENER) linkjaunt.com | |
6430 | enlist_uri_host (PDS_CASHSHORTENER) locinealy.com | |
6431 | enlist_uri_host (PDS_CASHSHORTENER) maetrimal.com | |
6432 | enlist_uri_host (PDS_CASHSHORTENER) metastead.com | |
6433 | enlist_uri_host (PDS_CASHSHORTENER) mmoity.com | |
6434 | enlist_uri_host (PDS_CASHSHORTENER) mondoagram.com | |
6435 | enlist_uri_host (PDS_CASHSHORTENER) neswery.com | |
6436 | enlist_uri_host (PDS_CASHSHORTENER) nimbleinity.com | |
6437 | enlist_uri_host (PDS_CASHSHORTENER) onisedeo.com | |
6438 | enlist_uri_host (PDS_CASHSHORTENER) optitopt.com | |
6439 | enlist_uri_host (PDS_CASHSHORTENER) picocurl.com | |
6440 | enlist_uri_host (PDS_CASHSHORTENER) pladollmo.com | |
6441 | enlist_uri_host (PDS_CASHSHORTENER) preofery.com | |
6442 | enlist_uri_host (PDS_CASHSHORTENER) prereheus.com | |
6443 | enlist_uri_host (PDS_CASHSHORTENER) q.gs | |
6444 | enlist_uri_host (PDS_CASHSHORTENER) quainator.com | |
6445 | enlist_uri_host (PDS_CASHSHORTENER) quamiller.com | |
6446 | enlist_uri_host (PDS_CASHSHORTENER) queuecosm.bid | |
6447 | enlist_uri_host (PDS_CASHSHORTENER) raboninco.com | |
6448 | enlist_uri_host (PDS_CASHSHORTENER) rapidteria.com | |
6449 | enlist_uri_host (PDS_CASHSHORTENER) rapidtory.com | |
6450 | enlist_uri_host (PDS_CASHSHORTENER) sapolatsu.com | |
6451 | enlist_uri_host (PDS_CASHSHORTENER) scapognel.com | |
6452 | enlist_uri_host (PDS_CASHSHORTENER) simizer.com | |
6453 | enlist_uri_host (PDS_CASHSHORTENER) skamaker.com | |
6454 | enlist_uri_host (PDS_CASHSHORTENER) skamason.com | |
6455 | enlist_uri_host (PDS_CASHSHORTENER) sluppend.com | |
6456 | enlist_uri_host (PDS_CASHSHORTENER) sprysphere.com | |
6457 | enlist_uri_host (PDS_CASHSHORTENER) streamvoyage.com | |
6458 | enlist_uri_host (PDS_CASHSHORTENER) swarife.com | |
6459 | enlist_uri_host (PDS_CASHSHORTENER) swiftation.com | |
6460 | enlist_uri_host (PDS_CASHSHORTENER) swifttopia.com | |
6461 | enlist_uri_host (PDS_CASHSHORTENER) techigo.com | |
6462 | enlist_uri_host (PDS_CASHSHORTENER) threadsphere.bid | |
6463 | enlist_uri_host (PDS_CASHSHORTENER) tinyical.com | |
6464 | enlist_uri_host (PDS_CASHSHORTENER) tonancos.com | |
6465 | enlist_uri_host (PDS_CASHSHORTENER) triabicia.com | |
6466 | enlist_uri_host (PDS_CASHSHORTENER) turboagram.com | |
6467 | enlist_uri_host (PDS_CASHSHORTENER) twineer.com | |
6468 | enlist_uri_host (PDS_CASHSHORTENER) twiriock.com | |
6469 | enlist_uri_host (PDS_CASHSHORTENER) userlab66.com | |
6470 | enlist_uri_host (PDS_CASHSHORTENER) vaugette.com | |
6471 | enlist_uri_host (PDS_CASHSHORTENER) velocicosm.com | |
6472 | enlist_uri_host (PDS_CASHSHORTENER) velociterium.com | |
6473 | enlist_uri_host (PDS_CASHSHORTENER) viahold.com | |
6474 | enlist_uri_host (PDS_CASHSHORTENER) vializer.com | |
6475 | enlist_uri_host (PDS_CASHSHORTENER) viwright.com | |
6476 | enlist_uri_host (PDS_CASHSHORTENER) whareotiv.com | |
6477 | enlist_uri_host (PDS_CASHSHORTENER) wirecellar.com | |
6478 | enlist_uri_host (PDS_CASHSHORTENER) x19.biz | |
6479 | enlist_uri_host (PDS_CASHSHORTENER) x19network.com | |
6480 | enlist_uri_host (PDS_CASHSHORTENER) yabuilder.com | |
6481 | enlist_uri_host (PDS_CASHSHORTENER) yamechanic.com | |
6482 | enlist_uri_host (PDS_CASHSHORTENER) yoalizer.com | |
6483 | enlist_uri_host (PDS_CASHSHORTENER) yobuilder.com | |
6484 | enlist_uri_host (PDS_CASHSHORTENER) yoineer.com | |
6485 | enlist_uri_host (PDS_CASHSHORTENER) yoitect.com | |
6486 | enlist_uri_host (PDS_CASHSHORTENER) zipansion.com | |
6487 | enlist_uri_host (PDS_CASHSHORTENER) zipteria.com | |
6488 | enlist_uri_host (PDS_CASHSHORTENER) zipvale.com | |
b780ea8d SI |
6489 | reuse T_PDS_SHORTFWD_URISHRT |
6490 | endif | |
6491 | endif | |
6492 | ##} ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)_sandbox | |
6493 | ||
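6494 | ##{ redirector_pattern_sandbox | |
# redirector_pattern: each regex matches a redirector URI, and its first capture
# group is the embedded target. SpamAssassin adds the captured target to the list
# of URIs it checks, so a listed destination is still seen by URI rules and URIBL
# lookups when it is wrapped in a redirect or search link.
# Every host-anchored pattern here starts with "^https?:/*". The Facebook pattern
# previously read "^https?/*" (no colon), which cannot match a well-formed
# http:// or https:// URI, so targets behind facebook.com/l/; links were never
# extracted. The colon is restored below.
# NOTE(review): in the first pattern the dot in "index.php" is unescaped and
# matches any character; harmless here, but "index\.php" is presumably what was
# meant.
6495 | ||
6496 | redirector_pattern m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&\#])'i | |
6497 | redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&\#])'i | |
6498 | redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:site|inurl):(.*?)(?:$|%20|[\s+&\#])'i | |
6499 | redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&\#])'i | |
6500 | redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&\#])'i | |
6501 | redirector_pattern m'^https?:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/pagead/iclk\?.*?(?<=[?&])adurl=(.*?)(?:$|[&\#])'i | |
6502 | redirector_pattern m'^https?:/*(?:\w+\.)?aol\.com/redir\.adp\?.*(?<=[?&])_url=(.*?)(?:$|[&\#])'i | |
6503 | redirector_pattern m'^https?:/*(?:\w+\.)?facebook\.com/l/;(.*)'i | |
6504 | ##} redirector_pattern_sandbox | |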
6505 | ||
6506 | ##{ reuse_sandbox | |
6507 | ||
6508 | reuse T_PDS_HIDDEN_UK_BUSINESSLOAN | |
6509 | reuse T_PDS_DOUBLE_URL | |
6510 | reuse T_PDS_DBL_URL_LINKBAIT | |
6511 | reuse PDS_DBL_URL_TNB_RUNON | |
6512 | reuse T_PDS_DBL_URL_ILLEGAL_CHARS | |
fc5290a3 | 6513 | reuse FROM_2_EMAILS_SHORT |
b780ea8d SI |
6514 | reuse T_SHORT_BODY_QUOTE |
6515 | reuse T_BODY_QUOTE_MALF_MSGID | |
6516 | reuse SPOOFED_FREEMAIL_NO_RDNS | |
6517 | reuse T_PDS_URI_HIDDEN_HELO_NO_DOMAIN | |
dfdd1e08 | 6518 | reuse T_PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE |
46cfc9e2 | 6519 | reuse T_PDS_TONAME_EQ_TOLOCAL_SHORT |
b780ea8d | 6520 | reuse PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE |
fc5290a3 | 6521 | reuse T_PDS_TONAME_EQ_TOLOCAL_VSHORT |
b780ea8d SI |
6522 | reuse T_PDS_LITECOIN_ID |
6523 | reuse PDS_BTC_ID | |
6524 | reuse PDS_BTC_MSGID | |
6525 | reuse __PDS_GOOGLE_DRIVE_SHARE_1 | |
6526 | reuse __PDS_GOOGLE_DRIVE_SHARE_2 | |
6527 | reuse __PDS_GOOGLE_DRIVE_SHARE_3 | |
6528 | reuse __PDS_GOOGLE_DRIVE_SHARE | |
6529 | reuse T_GOOGLE_DRIVE_DEAR_SOMETHING | |
6530 | reuse __PDS_GOOGLE_DRIVE_FILE | |
6531 | reuse __SHORT_BODY_G_DRIVE | |
6532 | reuse __SHORT_BODY_G_DRIVE_DYN | |
31955ede SI |
6533 | reuse T_SHORT_BODY_G_DRIVE_DYN |
6534 | reuse T_FROM_NAME_EQ_TO_G_DRIVE | |
b780ea8d SI |
6535 | ##} reuse_sandbox |
6536 | ||
6537 | ||
6538 | uri __128_ALNUM_URI m;[/?][0-9a-z]{128,}$;i | |
6539 | ||
6540 | uri __128_HEX_URI m,/[0-9a-f]{128}, | |
6541 | ||
6542 | uri __128_LC_URI m;[/?][a-z]{128,}$; | |
6543 | ||
6544 | uri __45_ALNUM_IMG m;/[0-9a-z]{45,}/\w+\.(?:png|gif|jpe?g)$;i | |
6545 | ||
6546 | uri __45_ALNUM_URI m;[/?][0-9a-z]{45,}$;i | |
6547 | ||
6548 | meta __45_ALNUM_URI_O __45_ALNUM_URI && !__64_ANY_URI && !__128_ALNUM_URI && !__128_LC_URI | |
6549 | ||
fc5290a3 SI |
6550 | body __4BYTE_UTF8_WORD /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/  # run of 3-10 four-byte UTF-8 sequences F0 9D 90-9F xx, i.e. code points U+1D400-U+1D7FF (Mathematical Alphanumeric Symbols); presumably aimed at words spelled in styled letters to slip past plain-text rules - confirm | |
6551 | tflags __4BYTE_UTF8_WORD multiple maxhits=10  # every hit is counted, up to 10, so that metas can compare against the count | |
6552 | ||
6553 | meta __4BYTE_UTF8_WORD_9 __4BYTE_UTF8_WORD > 9 | |
6554 | ||
6555 | header __4BYTE_UTF8_WORD_FROM From:name =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/ | |
6556 | ||
31955ede SI |
6557 | header __4BYTE_UTF8_WORD_SUBJ Subject =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/ |
6558 | ||
b780ea8d SI |
6559 | uri __64_ANY_URI m;[/?]\w{64,}$;i |
6560 | ||
6561 | body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i | |
6562 | ||
6563 | body __ACCESS_REVOKE /(?:(?:temporary|permanent) (?:de-?activation|removal) of your (?:\w{1,30} )?(?:access|account)|Ihre Kreditkarte wird gesperrt)/i | |
6564 | ||
6565 | body __ACCESS_SUSPENDED /\b(?:(?:access|account|e?-?mails) (?:suspension|(?:has|have) (?:been )?(?:temporar(?:il)?y (?:been )?)?(?:suspended|blocked|locked|blacklisted))|suspend (?:you from|your) access(?:ing)?|suspen(?:sion|se|ded) noti(?:ce|fication))\b/i | |
6566 | tflags __ACCESS_SUSPENDED multiple maxhits=2 | |
6567 | ||
6568 | body __ACCOUNT_DISRUPT /\b(?:ensure (?:that )?your (?:account|access) is not (?:disrupted|suspended|interrupted)|(?:avoid|incoming) (?:[a-z]+ ){0,5}e?-?mails? (?:from )?being rejected|avoid (?:account|e?-?mail(?: ?box)? )?(?:shut ?down|suspension|locking|termination|expiration)|will terminate (?:your|its) service)\b/i | |
6569 | tflags __ACCOUNT_DISRUPT multiple maxhits=2 | |
6570 | ||
6571 | body __ACCOUNT_ERROR /\b(?:your account (?:is|appears to be) (?:incorrect|missing|in error|invalid))\b/i | |
6572 | ||
6573 | body __ACCOUNT_REACTIV /(?:(?:account|access) (?:has been )?(?:successfully )?(?:reviewed and )?re-?(?:activat(?:ion|ed)|new(?:al|ed))|(?:unlock|re-?activate|restore|recover) (?:your|the|this) (?:account|access))/i | |
6574 | ||
6575 | body __ACCOUNT_SECURE /\b(?:make your (?:"?[^\@\s]+\@\S+"? |e-?mail )?account more secure|Ihre Kreditkarte weist einige Sicherheitsprobleme)\b/i | |
6576 | ||
6577 | body __ACCOUNT_UPGRADE /\b(?:upgrade (?:of )your (?:account|access)|your (?:access|account) is[\w\s]{0,40}being upgraded|Weiter zur Aktualisierung)\b/i  # NOTE(review): "(?:of )" carries no quantifier, so "upgrade your account" does not match, only "upgrade of your account"; confirm whether "(?:of )?" was intended | |
6578 | ||
6579 | meta __ACCT_PHISH (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __PDS_FROM_NAME_TO_DOMAIN) > 1 && !__ACCT_PHISH_MANY | |
6580 | ||
6581 | meta __ACCT_PHISH_MANY (__ACCESS_SUSPENDED + __ACCESS_RESTORE + __ACCESS_REVOKE + __VERIFY_ACCOUNT + __FAILED_LOGINS + __ACCOUNT_REACTIV + __SECURITY_DEPT + __ACCOUNT_ERROR + __ACCOUNT_DISRUPT + __ACCOUNT_UPGRADE + __ACCOUNT_SECURE + __SUSPICION_LOGIN + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + __PDS_FROM_NAME_TO_DOMAIN) > 3 | |
6582 | ||
6583 | body __ACH_CANCELLED_01 /\b(?:(?-i:ACH)|dividend)[-_ ](?:payment|transfer|transaction|was)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i | |
6584 | ||
6585 | body __ACH_CANCELLED_02 /(?:rejected|cancel+ed|declined|your)[-_ ](?:(?-i:ACH)|direct[-_ ]deposit)[-_ ](?:payment|transfer|transaction|declin(?:ed|ing))/i | |
6586 | ||
6587 | body __ACH_CANCELLED_03 /\bwire[-_ ]?(?:payment|transfer|transaction)[-_ ](?:(?:was|is)[-_ ])?(?:rejected|cancel+ed|declined|disabled|not[-_ ]accepted|(?:technical )?error)/i | |
6588 | ||
6589 | body __ACH_CANCELLED_04 /\bregarding[-_ ]your[-_ ]direct[-_ ]deposit[-_ ]via[-_ ](?-i:ACH)/i | |
6590 | ||
6591 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
6592 | meta __ACH_CANCELLED_EXE (__ACH_CANCELLED_01 || __ACH_CANCELLED_02 || __ACH_CANCELLED_03 || __ACH_CANCELLED_04) && __EXE_ATTACH | |
6593 | endif | |
6594 | ||
6595 | uri __AC_1SEQC_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/C\// | |
6596 | ||
6597 | uri __AC_1SEQV_URI /\/1[a-z0-9]8[a-z0-9_]{20,}\/V\// | |
6598 | ||
6599 | uri __AC_CHDSEQ_URI /\/chd[a-z0-9]{20,}/ | |
6600 | ||
6601 | header __AC_FROM_MANY_DOTS From =~ /<(?:\w{2,}\.){2,}\w+@/ | |
6602 | ||
6603 | meta __AC_FROM_MANY_DOTS_MINFP __AC_FROM_MANY_DOTS && !ALL_TRUSTED && !FREEMAIL_FORGED_FROMDOMAIN && !FORGED_GMAIL_RCVD && !__UNSUB_LINK && !__XM_VBULLETIN && !__RDNS_SHORT && !__REPTO_QUOTE && !__FSL_RELAY_GOOGLE && !__HAS_IN_REPLY_TO && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_MX_MESSY && !__CTYPE_MULTIPART_MIXED && !__RCD_RDNS_MTA && !__VIA_ML && !__HAS_ERRORS_TO | |
6604 | ||
6605 | rawbody __AC_HTML_ENTITY_BONANZA_SHRT_RAW /(?:&[A-Z0-9\#]{2,};\s{0,64}){10}/i | |
6606 | ||
6607 | uri __AC_LAND_URI /\/land\// | |
6608 | ||
6609 | uri __AC_LONGSEQ_URI /\/[A-Z0-9]{50,}\.(?:php|html|cgi)\b/ | |
6610 | ||
6611 | uri __AC_MHDSEQ_URI /\/mhd[a-z0-9]{20,}/ | |
6612 | ||
6613 | uri __AC_NDOMLONGNASPX_URI /[A-Za-z]+[0-9]{2}\.[A-Za-z0-9-]+\.me\/(?:[A-Za-z0-9-]{10,}\/){2}[0-9]{8,}\/[A-Za-z]+\.aspx/ | |
6614 | ||
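6615 | uri __AC_NUMS_URI /(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(?:php|html)\b/  # five numeric path segments, then name.php or name.html; the extension group is non-capturing like the one in __AC_LONGSEQ_URI | |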
6616 | ||
6617 | uri __AC_OUTI_URI /\/outi\b/ | |
6618 | ||
6619 | uri __AC_OUTL_URI /\/outl\b/ | |
6620 | ||
6621 | uri __AC_PHPOFFSUB_URI /\/php\/off\/[0-9.]+\/sub\// | |
6622 | ||
6623 | uri __AC_PHPOFFTOP_URI /\/php\/off\/[0-9.]+\/top\// | |
6624 | ||
6625 | uri __AC_POSTHTMLEXTRAS /(?:main[0-9]?|mian|start(?:page)?|info(?:page|source|center)?|(?:one|view)?(?:site|source)(?:view|[0-9])?|(?:hub|file)one|index(?:[0-9]|page)?|mediafile|userlink|faction1)[.,]html?\/\w{2,}\b/i | |
6626 | ||
6627 | uri __AC_POSTIMGEXTRAS /(?:(?:main|external|hosted|new|file)?(?:im(?:g|age)?|user|one)s?-?(?:view(?:er)?|file|map|finder|portal|hub|online)?s?|library|media(?:source|-?files?)?|main|png|view|begin|file|port|space|webpics|host)(?:[-]?(?:[0-9]|one|two|three|four|five|six|seven|eight|nine))?[.,](?:jpe?g|png|gif)\/\w{2,}\b/i | |
6628 | ||
6629 | meta __AC_POST_EXTRAS (__AC_POSTHTMLEXTRAS || __AC_POSTIMGEXTRAS) | |
6630 | ||
6631 | uri __AC_PUNCTNUMS_URI /\.com\/[A-Za-z+=\/.?_-]{4,}[0-9]{9,12}[a-z0-9]{1,2}[A-Za-z+=\/.?_-]+[0-9]{7,9}[A-Za-z+=\/.?_-]{6,}[0-9]{7,9}\b/ | |
6632 | ||
6633 | uri __AC_REPORT_URI /\/report\// | |
6634 | ||
6635 | uri __AC_RMOVE_URI /\/r\/move\/[0-9]+\// | |
6636 | ||
31955ede | 6637 | rawbody __AC_TINY_FONT /(?:font-size)\s*:\s*[1-3]\s*(?:em|p[tx]|%)?(?:\s*!important)?\s*[";]/i |
b780ea8d SI |
6638 | |
6639 | uri __AC_UHDSEQ_URI /\/uhd[a-z0-9]{20,}/ | |
6640 | ||
6641 | uri __AC_UNSUB_URI /\/unsub\// | |
6642 | ||
6643 | body __ADMAIL /(?:\b|_)ad-?(?:mail|message)s?(?:\b|_)/i | |
6644 | ||
6645 | body __ADMITS_SPAM /\bth(?:e[- ]+above|is)(?:\?+s|[- ]+is)[- ]+(?:intended[- ]+as[- ]+)?an?[- ]+(?:e-?mail[- ]+)?[a@]dvert[i1l]sement\b/i | |
6646 | ||
46cfc9e2 SI |
6647 | body __ADULTDATINGCOMPANY_BODY /\bAdultDatingCompany\b/i |
6648 | ||
6649 | header __ADULTDATINGCOMPANY_FROM From:name =~ /\bAdultDatingCompany\b/i | |
6650 | ||
6651 | header __ADULTDATINGCOMPANY_REPTO Reply-To:name =~ /\bAdultDatingCompany\b/i | |
6652 | ||
fc5290a3 | 6653 | meta __ADVANCE_FEE_2_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 1) && !__THREAD_INDEX_GOOD |
b780ea8d SI |
6654 | |
6655 | meta __ADVANCE_FEE_2_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW | |
6656 | ||
6657 | meta __ADVANCE_FEE_2_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW | |
6658 | ||
6659 | meta __ADVANCE_FEE_2_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_2_NEW | |
6660 | ||
fc5290a3 | 6661 | meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 2) && !__THREAD_INDEX_GOOD |
b780ea8d SI |
6662 | |
6663 | meta __ADVANCE_FEE_3_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW | |
6664 | ||
6665 | meta __ADVANCE_FEE_3_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW | |
6666 | ||
6667 | meta __ADVANCE_FEE_3_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_3_NEW | |
6668 | ||
fc5290a3 | 6669 | meta __ADVANCE_FEE_4_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 3) && !__THREAD_INDEX_GOOD |
b780ea8d SI |
6670 | |
6671 | meta __ADVANCE_FEE_4_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW | |
6672 | ||
6673 | meta __ADVANCE_FEE_4_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW | |
6674 | ||
6675 | meta __ADVANCE_FEE_4_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_4_NEW | |
6676 | ||
fc5290a3 | 6677 | meta __ADVANCE_FEE_5_NEW (__AFRICAN_STATE + __ATM_CARD + __BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU + __FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP + __FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK + __FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY + __FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT + __FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT + __INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + T_LOTTO_AGENT + T_LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT + __THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __URG_BIZ + __YOUR_CONSIGNMENT + __YOUR_FUND + __YOUR_PERM + __YOU_WON > 4) && !__THREAD_INDEX_GOOD |
b780ea8d SI |
6678 | |
6679 | meta __ADVANCE_FEE_5_NEW_FORM __FILL_THIS_FORM && !LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW | |
6680 | ||
6681 | meta __ADVANCE_FEE_5_NEW_FRM_MNY __FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW | |
6682 | ||
6683 | meta __ADVANCE_FEE_5_NEW_MONEY !__FILL_THIS_FORM && LOTS_OF_MONEY && __ADVANCE_FEE_5_NEW | |
6684 | ||
6685 | body __AFF_004470_NUMBER /(?:\+|00|011)\W{0,3}44\W{0,3}0?\W{0,3}70/ | |
6686 | ||
6687 | body __AFF_LOTTERY /(?:lottery|winner)/i | |
6688 | ||
6689 | meta __AFRICAN_STATE (__NIGERIA || __IVORY_COAST || __BURKINA_FASO || __GHANA || __BENIN || __AFR_UNION) | |
6690 | ||
6691 | body __AFR_UNION /\bafrican\sunion\b/i | |
6692 | ||
6693 | body __AGREED_RATIO /\b(?:agreed|sharing)\s(?:ratios?|percent\w+)\b/i | |
6694 | ||
6695 | meta __ALIBABA_IMG_NOT_RCVD_ALI __URI_IMG_ALICDN && !__HDR_RCVD_ALIBABA | |
6696 | ||
6697 | header __AMADEUSMS_MUA X-Mailer =~ /^Amadeus Messaging Server/ | |
6698 | ||
46cfc9e2 | 6699 | meta __AMAZON_IMG_NOT_RCVD_AMZN __URI_IMG_AMAZON && !__HDR_RCVD_AMAZON && !__HDR_RCVD_AMAZON_HELO |
b780ea8d SI |
6700 | |
6701 | body __AM_DYING /\b(?:am\s(?:\S+\s)?dying|terminally\sill|cancer|en\sphase\sterminale|(?:become|is|devenu|maladie)\sincurable|que\sje\smeurs)\b/i | |
6702 | ||
6703 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
6704 | mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /\bimage\//i | |
6705 | endif | |
6706 | ||
6707 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
6708 | meta __ANY_TEXT_ATTACH 0 | |
6709 | endif | |
6710 | ||
6711 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
6712 | mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i | |
6713 | endif | |
6714 | ||
6715 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
6716 | mimeheader __ANY_TEXT_ATTACH_DOC Content-Type =~ /text\/\w+/i | |
6717 | endif | |
6718 | ||
6719 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
6720 | body __APP_DEVELOPMENT /\b(?:mobile apps|(?:apps?|portal) (?:dev(?:elop(?:ment|ed))?|design|test(?:ing)?|U[IX]|maintenance|support)|(?:we |can |have )+(?:design(?:ed)?|buil[dt]|maintain(?:ed)?|created?)(?: over| more than)?[\s0-9]+apps|different platforms|we are (?:[-a-z]+ ){1,4}(?:software|apps?) (?:company|develop(?:ers|ment)))\b/i | |
6721 | tflags __APP_DEVELOPMENT multiple maxhits=6 | |
6722 | endif | |
6723 | ||
6724 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
6725 | meta __APP_DEVELOPMENT_MANY __APP_DEVELOPMENT > 5 | |
6726 | endif | |
6727 | ||
6728 | body __ATM_CARD /\b(?:your|the|this|through|via|by\smeans\sof\|that\sa|issue\s(?:(?:to|for)\s)?you\sa)[\s\(](?:\w{1,20}\s)?(?:atm|debit|(?:money[\s-]?gram\s)?fast\scash)(?:\smaster|swift|value?|cash)?[\s\)]card/i  # NOTE(review): the pipe after "of" is escaped and therefore literal, so "by means of" and "that a" form one alternative containing a pipe character instead of two alternatives; confirm and unescape if that was not intended | |
6729 | ||
46cfc9e2 SI |
6730 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
6731 | meta __ATTACH_MSO_MHTML __TEXT_XML_MT && __MSO_THEME_MT && __X_MSO_MT | |
6732 | endif | |
6733 | ||
b780ea8d SI |
6734 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) |
6735 | meta __ATTACH_NAME_NO_EXT 0 | |
6736 | endif | |
6737 | ||
6738 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
6739 | mimeheader __ATTACH_NAME_NO_EXT Content-Type =~ m,\bname\s?=\s?"(?!=\?)[^."]+",i | |
6740 | endif | |
6741 | ||
6742 | body __ATTN_MAIL_USER /\b(?:att(?:entio)?n|dear|caro) (?:web ?(?:mail)?\s\S\s)?(?:web ?|e-?)?mail (?:user|DO USU(?:=E1|[\xe1]|[\xc3][\xa1])RIO)[:;,]/i | |
6743 | ||
6744 | body __AUTO_ACCIDENT /auto(?:mobile)? accident/i | |
6745 | ||
6746 | header __AXB_MO_OL_024C2 X-MimeOLE =~ /Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2600\.0000/ | |
6747 | ||
b780ea8d SI |
6748 | header __AXB_XM_OL_024C2 X-Mailer =~ /Microsoft\ Outlook\ Express\ 6\.00\.2600\.0000/ |
6749 | ||
b780ea8d SI |
6750 | body __BACK_SCRATCH /\bmutual+y?\s(?:benefi(?:t|cial)|interest)\b/i |
6751 | ||
6752 | body __BANK_DRAFT /\bbank\sdraft/i | |
6753 | ||
6754 | body __BARRISTER /\b(?:barrister|solicitor at law|barr\.)/i | |
6755 | ||
31955ede SI |
6756 | meta __BEBEE_IMG_NOT_RCVD_BB __URI_IMG_BEBEE && !__HDR_RCVD_BEBEE |
6757 | ||
b780ea8d SI |
6758 | body __BENEFICIARY /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])n(?:e|=E9|[\xe9]|[\xc3][\xa9])fi(?:c|sh)i?ai?r(?:y|ies|es?)/i |
6759 | ||
6760 | body __BENIN /\bb(?:e|=E9|[\xe9]|[\xc3][\xa9])nin\b/i | |
6761 | ||
6762 | body __BIGNUM_EMAILS /\b(?:thousand|million|\d[,1-9]{0,6}(?:[,0]{2,}k?|k))\s(?:(?!and|or|your|place|baby|suspicious|supportive|subpoenaed)\w+\s)?(?:e-?mail(?:(?![-:.\)\>\]])s?|\saddresses)|fax numbers|leads|names)\b/i | |
6763 | tflags __BIGNUM_EMAILS multiple maxhits=5 | |
6764 | ||
6765 | meta __BIGNUM_EMAILS_3 __BIGNUM_EMAILS > 2 | |
6766 | ||
6767 | meta __BIGNUM_EMAILS_FREEM __BIGNUM_EMAILS && __freemail_hdr_replyto | |
6768 | ||
6769 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
6770 | body __BITCOIN /\bB[-\s]?i[-\s]?t[-\s]?c[-\s]?o[-\s]?i[-\s]?n\b/i | |
6771 | endif | |
6772 | ||
6773 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
6774 | body __BITCOIN /<B>[-\s]?<I>[-\s]?<T>[-\s]?<C>[-\s]?<O>[-\s]?<I>[-\s]?<N>/i | |
6775 | endif | |
6776 | ||
6777 | body __BITCOIN_ID /\b(?<!=)(?:[13](?:(?:[-_=\s][a-km-zA-HJ-NP-Z1-9]){29,34}|[a-km-zA-HJ-NP-Z1-9]{29,34})|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90}|b[-_=\s]c[-_=\s]1(?:[-_=\s][acdefghjklmnpqrstuvwxyz234567890]){30,90})\b/  # address-shaped strings not preceded by "=": 1 or 3 plus 29-34 characters of the base58 alphabet, or bc1 plus 30-90 characters of the bech32 alphabet, each also accepted with one -, _, = or whitespace between characters; case-sensitive and shape-only (no checksum check), so other long tokens of the same shape may also hit | |
6778 | ||
6779 | meta __BITCOIN_IMGUR __IMGUR_IMG && __BITCOIN | |
6780 | ||
6781 | meta __BITCOIN_OBFU_SUBJ __BITCOIN && __SUBJ_OBFU_PUNCT | |
6782 | ||
6783 | meta __BITCOIN_SPAM_02 __BITCOIN_ID && __BOTH_INR_AND_REF | |
6784 | ||
6785 | meta __BITCOIN_SPAM_05 __BITCOIN_ID && __SPOOFED_FREEMAIL | |
6786 | ||
6787 | meta __BITCOIN_SPAM_07 __BITCOIN_ID && __TO_EQ_FROM | |
6788 | ||
6789 | meta __BITCOIN_WFH_01 __BITCOIN && __WFH_01 | |
6790 | ||
6791 | meta __BITCOIN_XPRIO __XPRIO && (__BITCOIN || __BITCOIN_ID) | |
6792 | ||
21dcadbf SI |
6793 | meta __BODY_SINGLE_URI (__BODY_SINGLE_WORD && __HAS_ANY_URI) |
6794 | ||
6795 | meta __BODY_SINGLE_WORD __BODY_TEXT_LINE < 3 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1) | |
6796 | ||
b780ea8d SI |
6797 | body __BODY_STARTS_WITH_FROM_LINE /^From \S+ \S\S\S \S\S\S .. ..:..:.. \S+\s+\S+\: /s |
6798 | ||
6799 | body __BODY_TEXT_LINE /^\s*\S/ | |
6800 | tflags __BODY_TEXT_LINE multiple maxhits=3 | |
6801 | ||
6802 | meta __BODY_URI_ONLY __BODY_TEXT_LINE < 3 && __HAS_ANY_URI && !__SMIME_MESSAGE | |
6803 | ||
6804 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
6805 | full __BOGUS_MIME_HDR /\bContent-[XYZ]-[a-z]{6,15}:\s+[a-z]{6,15}\b/ | |
6806 | tflags __BOGUS_MIME_HDR multiple maxhits=8 | |
6807 | endif | |
6808 | ||
6809 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
6810 | meta __BOGUS_MIME_HDR_MANY __BOGUS_MIME_HDR > 7 | |
6811 | endif | |
6812 | ||
6813 | header __BOGUS_MIME_VER_02 MIME-Version =~ /^(?!.*\b1\.0\b).+/  # hits a non-empty MIME-Version value that nowhere contains the token 1.0 | |
6814 | ||
6815 | meta __BOGUS_MSM_HDRS __HAS_MSMAIL_PRI && __MSOE_MID_WRONG_CASE && __HDR_ORDER_FTSDMCXXXX | |
6816 | ||
6817 | body __BONUS_LAST_DAY /\b(?:last|final) day of the (?:\$\d+ |\d+ dollars? )?bonus offer(?:ing)?\b/i | |
6818 | ||
6819 | meta __BOTH_INR_AND_REF (__XM_BALSA || __XM_CALYPSO || __XM_FORTE || __XM_MHE || __XM_SQRLMAIL || __XM_SYLPHEED || __THEBAT_MUA || __XM_VM || __XM_XIMEVOL || __UA_KMAIL || __UA_MOZ5 || __UA_OPERA7) | |
6820 | ||
6821 | body __BTC_OBFU_2 /\b\W{0,10}b(?!it[-\s]?coin)\W{0,10}i\W{0,10}t\W{0,10}c\W{0,10}o\W{0,10}i\W{0,10}n\W{0,10}\b/i | |
6822 | ||
6823 | body __BTC_OBFU_3 /\b\W{0,10}b(?!tc\b)\W{0,10}t\W{0,10}c\W{0,10}\b/i | |
6824 | ||
6825 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
6826 | body __BTC_OBFU_4 /\bb(?!itcoin)[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n\b/i | |
6827 | endif | |
6828 | ||
6829 | body __BTC_OBFU_5 /&\#x62;&\#x69;&\#x74;&\#x63;&\#x6F;&\#x69;&\#x6E;/i | |
6830 | ||
6831 | rawbody __BUGGED_IMG m{<img\b[^>]{0,100}\ssrc=.?https?://[^>]{6,80}(?:\?[^>]{8}|[^a-z](?![a-f]{3}|20\d\d[01]\d[0-3]\d)[0-9a-f]{8})}i  # <img> whose http(s) src carries either a query string of at least 8 characters or an 8-hex-digit token that neither starts with three a-f letters nor reads as a 20YYMMDD date; presumably a per-recipient tracking identifier (web bug) - confirm | |
6832 | ||
6833 | body __BURKINA_FASO /\bburkina\s?faso\b/i | |
6834 | ||
6835 | body __CANT_SEE_AD_1 /\b(?:can(?:no|')?t|(?:aren'?t[-,!\s]{1,3}|not[-,!\s]{1,3}|un)able[-,!\s]{1,3}to)[-,!\s]{1,3}(?:(?!our|this|the)\w{1,12}[-,\s]{1,3}){1,2}(?:our|this|the)[-.,\s*]{1,3}(?:commercial[-.,\s]{1,3}|ad(?:v[-.]?ert[i1l]se-?ment)?[-.,\s]{1,3}|images |newsletter |mailing ){1,2}(?:at all|(?:(?:down )?(?:below|underneath))|in (?:your|this) mail|(?:due to|because(?: of)?|as|from) (?:no |missing |unloaded |blocked )?(?:images|graphics))\b/i | |
6836 | ||
6837 | body __CANT_SEE_AD_2 /\b(?:issue|problem|trouble) (?:getting|viewing|with) (?:(?:our|the) )?(?:message|content|e-?mail|details)(?: below)?[.?] (?:please|go ahead and) (?:click|browse)\b/i | |
6838 | ||
6839 | body __CAN_HELP /\bcan help\b/i | |
6840 | ||
6841 | body __CASHPRZ /cash prize of/ | |
6842 | ||
6843 | body __CHARITY /\b(?:charit(?:y|[ai]ble)|orphans?|homeless|orphelins|sans\sabri)\b/i | |
6844 | ||
6845 | body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here|(?:please|automatically) reduce (?:your|the) e?-?mail ?box size|reduce (?:your |the )?(?:e?-?mail(?: ?box)? )?size automatically)\b/i | |
6846 | tflags __CLEAN_MAILBOX multiple maxhits=2 | |
6847 | ||
fc5290a3 SI |
6848 | body __CLICK_HERE /\bclick\shere\b/i |
6849 | ||
b780ea8d SI |
6850 | rawbody __COMMENT_GIBBERISH /<!--(?:\s{1,10}[-\w'"]{1,40}){100}/im |
6851 | ||
6852 | body __COMPENSATION /\b(?:compensat(?:e|ion)|recompensed?|ausgleich)\b/i | |
6853 | ||
6854 | body __CONTACT_ATTY /\bcontact(?:er)?\s(?:my|(?:de\s)?mon)\s(?:barrister|attou?rney|lawyer|avocat|gestionnaire)\b/i | |
6855 | ||
6856 | body __CONTACT_YOU /\b(?:contact(?:ing)\syou|vous\scontacter?)\b/i  # NOTE(review): "(?:ing)" carries no quantifier, so the English branch matches "contacting you" but not "contact you"; confirm whether "(?:ing)?" was intended | |
6857 | ||
6858 | rawbody __CONTENT_AFTER_HTML /<\/html>\s*[a-z0-9]/i | |
6859 | ||
6860 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
6861 | body __COPY_PASTE_EN /Copy (and|\+|\&) paste/i | |
6862 | endif | |
6863 | ||
6864 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
6865 | body __COPY_PASTE_EN /<C><O><P><Y> (?:<A><N><D>|\+|\&) <P><A><S><T><E>/i | |
6866 | endif | |
6867 | ||
6868 | body __COURIER /\bcourier\s(?:company|service)\b/i | |
6869 | ||
6870 | header __CR_IN_SUBJ Subject:raw =~ /\015/ | |
6871 | ||
6872 | header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w+/i | |
6873 | ||
6874 | header __CTYPE_MULTIPART_MIXED Content-Type =~ /multipart\/mixed/i | |
6875 | ||
6876 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
6877 | meta __CTYPE_NULL 0 | |
6878 | endif | |
6879 | ||
6880 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
6881 | mimeheader __CTYPE_NULL Content-Type =~ /^\s*;/ | |
6882 | endif | |
6883 | ||
6884 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
6885 | mimeheader __CTYPE_ONETAB_GIF Content-Type:raw =~ /^image\/gif;\n\tname=\".+?\"$/s | |
6886 | endif | |
6887 | ||
6888 | header __CT_ENCRYPTED Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/  # "^" anchors only the multipart alternative; the application/(x-)pkcs7-mime alternative matches anywhere in the value, and the whole match is case-sensitive (no /i) | |
6889 | ||
6890 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
6891 | mimeheader __CT_UTF7 Content-Type =~ /\bcharset=.?utf-7\b/i | |
6892 | endif | |
6893 | ||
6894 | header __DATE_LOWER ALL =~ /date:\s\S{5}/ | |
6895 | ||
6896 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
6897 | body __DAY_I_EARNED /day,?\sI\s(?:earned|got|received|made|brought\sin)\s\$\s?\d{3}/i | |
6898 | tflags __DAY_I_EARNED multiple maxhits=4 | |
6899 | endif | |
6900 | ||
6901 | body __DBLCLAIM /avoid double claiming/ | |
6902 | ||
6903 | body __DEAD_PARENT /\b(?:my|meu)\s(?:(?:deceased|dead)\s(?:father|mother|husband)|(?:father|dad|mother|mom|husband|marido)(?:'?s)?\s(?:death|died|passed\saway|murder|was\s(?:killed|murdered|poisoned)|faleceu))/i | |
6904 | ||
6905 | body __DEAL /\b(?:(?:business|financial|this|the|mutual|die(?:se)?r?|cette|profitable)\s(?:deal|transa[ck]tion|proposal|off[er]{2}|venture|suggestion|partnership)|your\spartnership)/i | |
6906 | ||
6907 | body __DECEASED /\b(?:the|my|your|der|du|le|meu?)\s(?:deceased|late|verstorbenen|d(?:i|e|=E9|[\xe9]|[\xc3][\xa9])funto?|d(?:e|=E9|[\xe9]|[\xc3][\xa9])nt|falecido)\b/i | |
6908 | ||
6909 | body __DESTROY_ME /\b(?:destroy|hunt|quemar)\sm[eyi]\b/i | |
6910 | ||
6911 | body __DESTROY_YOU /\b(?:destroy\syou|deine Zukunft zerst\S{1,3}ren)/i | |
6912 | ||
6913 | body __DIED_IN /\bdied\sin\b/i | |
6914 | ||
6915 | body __DIPLOMATIC /\bdiplomatic\b/i | |
6916 | ||
6917 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
6918 | tflags __DKIMWL_BLOCKED net | |
6919 | endif | |
6920 | ||
6921 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
6922 | tflags __DKIMWL_BULKMAIL net | |
6923 | endif | |
6924 | ||
6925 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
6926 | tflags __DKIMWL_FREEMAIL net | |
6927 | endif | |
6928 | ||
6929 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
6930 | tflags __DKIMWL_WL_BL net | |
6931 | endif | |
6932 | ||
6933 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
6934 | tflags __DKIMWL_WL_HI net | |
6935 | endif | |
6936 | ||
6937 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
6938 | tflags __DKIMWL_WL_MED net | |
6939 | endif | |
6940 | ||
6941 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
6942 | tflags __DKIMWL_WL_MEDHI net | |
6943 | endif | |
6944 | ||
6945 | header __DKIM_EXISTS exists:DKIM-Signature | |
6946 | tflags __DKIM_EXISTS nice | |
6947 | ||
6948 | body __DLND_ATTACH /\bdownload\sthe\sattach(?:ed|ment)\b/i | |
6949 | ||
6950 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
6951 | meta __DOC_ATTACH 0 | |
6952 | endif | |
6953 | ||
6954 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
6955 | meta __DOC_ATTACH (__DOC_ATTACH_MT || __DOC_ATTACH_FN1 || __DOC_ATTACH_FN2) | |
6956 | endif | |
6957 | ||
6958 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
6959 | meta __DOC_ATTACH_FN1 0 | |
6960 | endif | |
6961 | ||
6962 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
6963 | mimeheader __DOC_ATTACH_FN1 Content-Type =~ /="[^"]+\.(?:docx?|rtf)"/i | |
6964 | endif | |
6965 | ||
6966 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
6967 | meta __DOC_ATTACH_FN2 0 | |
6968 | endif | |
6969 | ||
6970 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
6971 | mimeheader __DOC_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.(?:docx?|rtf)"/i | |
6972 | endif | |
6973 | ||
6974 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
6975 | meta __DOC_ATTACH_MT 0 | |
6976 | endif | |
6977 | ||
6978 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
6979 | mimeheader __DOC_ATTACH_MT Content-Type =~ m,\bapplication/(?:msword|rtf|vnd\.ms-word|vnd\.openxmlformats-officedocument\.wordprocessingml\.document)\b,i | |
6980 | endif | |
6981 | ||
6982 | body __DORMANT_ACCT /\b(?:(?:dormant|abandoned|left\s?over)\s(?:account|fund|transaction|sum|deposit)|fonds\sdorment)/i | |
6983 | ||
6984 | body __DOS_BODY_FRI /\bfri(?:day)?\b/i | |
6985 | ||
6986 | body __DOS_BODY_MON /\bmon(?:day)?\b/i | |
6987 | ||
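6988 | body __DOS_BODY_SAT /\bsat(?:urday)?\b/i  # matches "Sat" or "Saturday", in line with the other __DOS_BODY_<day> rules; paired with __DOS_RCVD_SAT in __DOS_REF_TODAY | |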
6989 | ||
6990 | body __DOS_BODY_STOCK /\bstock\b/i | |
6991 | ||
6992 | body __DOS_BODY_SUN /\bsun(?:day)?\b/i | |
6993 | ||
6994 | body __DOS_BODY_THU /\bthu(?:r(?:s(?:day)?)?)?\b/i | |
6995 | ||
6996 | body __DOS_BODY_TICKER /\b[A-Z]{4}\.(?:OB|PK)\b/ | |
6997 | ||
6998 | body __DOS_BODY_TUE /\btue(?:s(?:day)?)?\b/i | |
6999 | ||
7000 | body __DOS_BODY_WED /\bwed(?:nesday)?\b/i | |
7001 | ||
7002 | body __DOS_COMING_TO_YOUR_PLACE /I (?:am|might(?: be)?) c[a-z]?o[a-z]?m[a-z]?(?:i[a-z]?n[a-z]?g[a-z]{0,2}|e down) to y[!a-z]{2,4}r (?:city|place[a-z]{0,2}|co[a-z]?u[a-z]?n[a-z]?t[a-z]?ry) in (?:f[a-z]?e[a-z]?w|\d{1,2}) (?:day|week)s/ | |
7003 | ||
7004 | body __DOS_CORRESPOND_EMAIL /correspond with me using my email/ | |
7005 | ||
7006 | meta __DOS_DIRECT_TO_MX __DOS_SINGLE_EXT_RELAY && !__DOS_HAS_LIST_ID && !__DOS_HAS_LIST_UNSUB && !__DOS_HAS_MAILING_LIST && !__DOS_RELAYED_EXT | |
7007 | ||
7008 | meta __DOS_DIRECT_TO_MX_UNTRUSTED __DOS_DIRECT_TO_MX && !ALL_TRUSTED | |
7009 | ||
7010 | body __DOS_DROP_ME_A_LINE /Drop me a line at/ | |
7011 | ||
7012 | body __DOS_EMAIL_DIRECTLY /(?:Email m[a-z]?e|address) direc(?:tl|lt)y at/ | |
7013 | ||
7014 | body __DOS_FIN_ADVANTAGE /\bfinancial advantage/i | |
7015 | ||
7016 | uri __DOS_HAS_ANY_URI /^\w+:\/\// | |
7017 | ||
7018 | header __DOS_HAS_LIST_ID exists:List-ID | |
7019 | ||
7020 | header __DOS_HAS_LIST_UNSUB exists:List-Unsubscribe | |
7021 | ||
7022 | header __DOS_HAS_MAILING_LIST exists:Mailing-List | |
7023 | ||
7024 | body __DOS_HI /^Hi,$/ | |
7025 | ||
7026 | body __DOS_I_AM_25 /I a.?m 25/ | |
7027 | ||
7028 | body __DOS_I_DRIVE_A /I drive a/ | |
7029 | ||
7030 | body __DOS_LET_GO_JOB /I was (?:let go|fired|layed off|dismissed) from a job I h(?:el|a)d for (?:2\d years|\d{3} months)/ | |
7031 | ||
7032 | body __DOS_LINK /\blink\b/ | |
7033 | ||
7034 | body __DOS_MEET_EACH_OTHER /(?:meet each other|[Mm]ay ?be we can meet)/ | |
7035 | ||
7036 | header __DOS_MSGID_DIGITS10 Message-ID =~ /<1[013-9]\d{8}\@.*>/ | |
7037 | ||
7038 | header __DOS_MSGID_DIGITS9 Message-ID =~ /<\d{9}\@.*>/ | |
7039 | ||
7040 | body __DOS_MY_OLD_JOB /my old job/ | |
7041 | ||
7042 | body __DOS_PERSONAL_EMAIL /personal email at/ | |
7043 | ||
7044 | header __DOS_RCVD_FRI Received =~ / Fri, / | |
7045 | ||
7046 | header __DOS_RCVD_MON Received =~ / Mon, / | |
7047 | ||
7048 | header __DOS_RCVD_SAT Received =~ / Sat, / | |
7049 | ||
7050 | header __DOS_RCVD_SUN Received =~ / Sun, / | |
7051 | ||
7052 | header __DOS_RCVD_THU Received =~ / Thu, / | |
7053 | ||
7054 | header __DOS_RCVD_TUE Received =~ / Tue, / | |
7055 | ||
7056 | header __DOS_RCVD_WED Received =~ / Wed, / | |
7057 | ||
7058 | meta __DOS_REF_2_WK_DAYS (__DOS_RCVD_MON && __DOS_BODY_WED) || (__DOS_RCVD_TUE && __DOS_BODY_THU) || (__DOS_RCVD_WED && __DOS_BODY_FRI) || (__DOS_RCVD_THU && __DOS_BODY_MON) || (__DOS_RCVD_FRI && __DOS_BODY_TUE) || (__DOS_RCVD_SAT && __DOS_BODY_TUE) || (__DOS_RCVD_SUN && __DOS_BODY_TUE) | |
7059 | ||
7060 | meta __DOS_REF_NEXT_WK_DAY (__DOS_RCVD_MON && __DOS_BODY_TUE) || (__DOS_RCVD_TUE && __DOS_BODY_WED) || (__DOS_RCVD_WED && __DOS_BODY_THU) || (__DOS_RCVD_THU && __DOS_BODY_FRI) || (__DOS_RCVD_FRI && __DOS_BODY_MON) || (__DOS_RCVD_SAT && __DOS_BODY_MON) || (__DOS_RCVD_SUN && __DOS_BODY_MON) | |
7061 | ||
7062 | meta __DOS_REF_TODAY (__DOS_RCVD_MON && __DOS_BODY_MON) || (__DOS_RCVD_TUE && __DOS_BODY_TUE) || (__DOS_RCVD_WED && __DOS_BODY_WED) || (__DOS_RCVD_THU && __DOS_BODY_THU) || (__DOS_RCVD_FRI && __DOS_BODY_FRI) || (__DOS_RCVD_SAT && __DOS_BODY_SAT) || (__DOS_RCVD_SUN && __DOS_BODY_SUN) | |
7063 | ||
# __DOS_RELAYED_EXT: the ALL-EXTERNAL header block contains a Received: header
# and, somewhere after it, another Received: at the start of a line. The /s
# flag lets ".+" run across line breaks, so the two need not be adjacent.
# The per-letter classes accept "Received" and "received" plus any casing of
# the remaining letters.
7064 | header __DOS_RELAYED_EXT ALL-EXTERNAL =~ /(?:^|\n)[Rr][eE][cC][eE][iI][vV][eE][dD]:\s.+\n[Rr][eE][cC][eE][iI][vV][eE][dD]:\s/s | |
7065 | ||
# __DOS_SINGLE_EXT_RELAY: X-Spam-Relays-External consists of exactly one
# bracketed relay entry ("[ ... ]" with no further "]" inside).
7066 | header __DOS_SINGLE_EXT_RELAY X-Spam-Relays-External =~ /^\[ [^\]]+ \]$/ | |
7067 | ||
7068 | body __DOS_STEADY_COURSE /\bsteady (?:and increasing )?course\b/i | |
7069 | ||
7070 | body __DOS_STRONG_CF /\bstrong cash flow/i | |
7071 | ||
7072 | body __DOS_TAKING_HOME /Taking home \d (?:digit level|figures) in \d{1,2} months/ | |
7073 | ||
7074 | body __DOS_WRITE_ME_AT /[Ww].?r.?i.?t.?e me at/ | |
7075 | ||
7076 | meta __DOTGOV_IMAGE __URI_DOTGOV && __REMOTE_IMAGE | |
7077 | ||
7078 | meta __DYNAMIC_IMGUR __IMGUR_IMG && __RDNS_DYNAMIC_IPADDR | |
7079 | ||
7080 | body __EARLY_DEMISE /\buntimely\sdeath\b/i | |
7081 | ||
b780ea8d SI |
7082 | meta __EBAY_IMG_NOT_RCVD_EBAY __URI_IMG_EBAY && !__HDR_RCVD_EBAY |
7083 | ||
# Sub-rule pair that scores mailbox / webmail account-phishing wording (judging
# by the sub-rule names; their patterns are defined elsewhere in the ruleset).
# Each listed sub-rule adds to a sum, and the parenthesised "||" group adds one
# more term that is true when any of its members hit.
# __EMAIL_PHISH fires when the sum is greater than 1 and __EMAIL_PHISH_MANY did
# not fire, so the two rules never hit on the same message.
7084 | meta __EMAIL_PHISH (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN) > 1) && !__EMAIL_PHISH_MANY | |
7085 | ||
# __EMAIL_PHISH_MANY uses the same terms plus __TO_IN_SUBJ, __SUBJ_DOM_ADMIN and
# __FROM_DOM_ADMIN, and fires when the sum is greater than 3.
# NOTE(review): __TO_IN_SUBJ appears both as a summed term and inside the "||"
# group, so one hit can add two points toward the threshold - confirm that this
# weighting is intended.
46cfc9e2 | 7086 | meta __EMAIL_PHISH_MANY (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + __TO_IN_SUBJ + __SUBJ_DOM_ADMIN + __FROM_DOM_ADMIN + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN || __TO_IN_SUBJ) > 3)
b780ea8d SI |
7087 | |
7088 | meta __EMPTY_BODY __BODY_TEXT_LINE < 2 && !__SMIME_MESSAGE | |
7089 | ||
# Sub-rule: opt-out wording such as "stop / cease / discontinue / remove ...
# these / our / future ... emails / mailings / alerts / notices". Two negative
# lookaheads skip "stop receiving these alerts|emails" and "do not wish to
# receive ... emails".
# NOTE(review): the optional group `(?:a-z{1,30} ){0,4}from ` has no brackets,
# so it matches the literal text "a-" followed by 1-30 "z" characters rather
# than up to four arbitrary words. `(?:[a-z]{1,30} ){0,4}from ` looks like what
# was meant; confirm against the rule's source and re-measure hit rates before
# changing it.
7090 | body __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:a-z{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i | |
7091 | ||
b780ea8d SI |
7092 | header __ENVFROM_GOOG_TRIX EnvelopeFrom =~ /(?:@|=)trix\.bounces\.google\.com(?:$|=)/ |
7093 | ||
7094 | meta __ENVFROM_GOOG_TRIX_SPAMMY __ENVFROM_GOOG_TRIX && (__GOOGLE_DOC_SUSP || FREEMAIL_REPLYTO_END_DIGIT || __ADVANCE_FEE_2_NEW || FORGED_GMAIL_RCVD || LOTS_OF_MONEY || __HAS_X_SOURCE_DIR ) | |
7095 | ||
# Fallback: without the MIMEHeader plugin the sub-rule is defined as the
# constant 0, so metas that reference __EXE_ATTACH still parse but this signal
# never fires.
7096 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7097 | meta __EXE_ATTACH 0 | |
7098 | endif | |
7099 | ||
# With MIMEHeader loaded: hits when a MIME part's Content-Type header contains
# ".exe" at a word boundary, case-insensitively.
# NOTE(review): only Content-Type is inspected. A part that carries its file
# name solely in Content-Disposition, or that uses another executable
# extension, is not covered here - treat this as one scoring signal, not as
# attachment filtering.
7100 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7101 | mimeheader __EXE_ATTACH Content-Type =~ /\.exe\b/i | |
7102 | endif | |
7103 | ||
7104 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7105 | body __EXPLOSIVE_DEVICE /\b(?:explosive\sdevice|bomb)\b/i | |
7106 | endif | |
7107 | ||
7108 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7109 | body __EXPLOSIVE_DEVICE /(?:^|\s)(?:<E><X><P><L><O><S><I><V><E>\s<D><E><V><I><C><E>|<B><O><M><B>)\s/i | |
7110 | endif | |
7111 | ||
# Extortion-mail aggregate: sums fourteen indicator rules and fires when the
# total is greater than 3. __EXPLOSIVE_DEVICE is defined just above in two
# variants selected by the ReplaceTags plugin; the other terms are defined
# elsewhere in the ruleset.
7112 | meta __EXTORT_MANY (__MY_MALWARE + __PAY_ME + __MY_VICTIM + __YOUR_WEBCAM + __YOUR_ONAN + __YOUR_PERSONAL + __HOURS_DEADLINE + __YOUR_PASSWORD + LOCALPART_IN_SUBJECT + __DESTROY_ME + __DESTROY_YOU + __EXPLOSIVE_DEVICE + __PAXFUL + __HUSH_HUSH) > 3 | |
7113 | ||
7114 | body __EX_CUSTOMER /\b(?:(?:dead|deceased|late|verstorbenen|death\sof\sthe)\s(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|depositor|mr\.|kunde|engr?\.?)|titulaire\sdu\scompte\sest\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|invest[eo]r\sdied|(?:e|=E9|[\xe9]|[\xc3][\xa9])tranger\sd(?:e|=E9|[\xe9]|[\xc3][\xa9])c(?:e|=E9|[\xe9]|[\xc3][\xa9])d(?:e|=E9|[\xe9]|[\xc3][\xa9])|(?:[ck]lient|customer|ac+ount|invest[eo]r|beneficiary|mr\.|kunde|engr?\.?)\s(?:[a-z]{1,10}\s)?(?:dead|deceased|verstorbenen))/i | |
7115 | ||
7116 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7117 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7118 | body __E_LIKE_LETTER /<lcase_e>/ | |
7119 | tflags __E_LIKE_LETTER multiple maxhits=320 | |
7120 | endif | |
7121 | endif | |
7122 | ||
31955ede SI |
7123 | meta __FACEBOOK_IMG_NOT_RCVD_FB __URI_IMG_FACEBOOK && !__HDR_RCVD_FACEBOOK |
7124 | ||
b780ea8d SI |
7125 | body __FAILED_LOGINS /unsuc+es+ful log-?[io]n at+empts/i |
7126 | ||
# FBI impersonation sub-rules.
# The two BODY_SHOUT rules match an upper-case "FEDERAL BUREAU OF
# INVESTIGATION(S)" anchored with ^; the rawbody variant adds /m so the anchor
# applies at each line start.
7127 | body __FBI_BODY_SHOUT_1 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/ | |
7128 | ||
7129 | rawbody __FBI_BODY_SHOUT_2 /^FEDERAL BUREAU OF INVESTIGATIONS?\b/m | |
7130 | ||
# From address ends in "fbi.gov" (case-sensitive) / From display name contains
# "federal bureau of investigation" (case-insensitive).
7131 | header __FBI_FM_DOM From:addr =~ /\bfbi\.gov$/ | |
7132 | ||
7133 | header __FBI_FM_NAME From:name =~ /federal\sbureau\sof\sinvestigation/i | |
7134 | ||
# Exemption input: some external relay entry has an rdns value ending in
# "fbi.gov".
# NOTE(review): the boundary before "fbi" is `\b`, not a literal dot, so the
# exemption is not limited to subdomains of fbi.gov; `\.fbi\.gov ` would be.
# The rdns value comes from relay metadata - confirm how far that lookup is
# trusted in the local setup before treating this as proof of origin.
7135 | header __FBI_RCVD_DOM X-Spam-Relays-External =~ / rdns=\S+\bfbi\.gov / | |
7136 | ||
# __FBI_SPOOF: an FBI identity is claimed in From or in the body, no external
# relay resolves under fbi.gov, and __HAS_REPLY_TO (defined elsewhere) hit.
7137 | meta __FBI_SPOOF (__FBI_FM_NAME || __FBI_FM_DOM || __FBI_BODY_SHOUT_1 || __FBI_BODY_SHOUT_2) && !__FBI_RCVD_DOM && __HAS_REPLY_TO | |
7138 | ||
7139 | body __FB_COST /\bcost\b/i | |
7140 | ||
7141 | body __FB_NUM_PERCNT /\d\s?\%/ | |
7142 | ||
7143 | body __FB_S_PRICE /pri{1,2}c[a-z]?e/i | |
7144 | ||
7145 | body __FB_S_STOCK /\bstock/i | |
7146 | ||
7147 | body __FB_TOUR /\btour/i | |
7148 | ||
7149 | body __FEES /\b(?:security|safe\w*|courier|registration|pay|paid|up-?front|processing|delivery|transfer|keeping)[\s\w]{0,15}\s(?:fee|charge)s?\b/i | |
7150 | ||
7151 | body __FIFTY_FIFTY /\b(?:50|fifty)(?:%?[\/:]50%?|%|\spercent)/i | |
7152 | ||
7153 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7154 | meta __FILL_THIS_FORM 0 | |
7155 | endif | |
7156 | ||
7157 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7158 | meta __FILL_THIS_FORM (__FILL_THIS_FORM_LONG || __FILL_THIS_FORM_PARTIAL > 4 || __FILL_THIS_FORM_PARTIAL_RAW > 4) | |
7159 | endif | |
7160 | ||
7161 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7162 | meta __FILL_THIS_FORM_FRAUD_PHISH 0 | |
7163 | endif | |
7164 | ||
7165 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7166 | meta __FILL_THIS_FORM_FRAUD_PHISH (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FILL_THIS_FORM_FRAUD_PHISH1 || __EMAIL_PHISH || __ACCT_PHISH) | |
7167 | endif | |
7168 | ||
7169 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7170 | meta __FILL_THIS_FORM_FRAUD_PHISH1 0 | |
7171 | endif | |
7172 | ||
7173 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7174 | body __FILL_THIS_FORM_FRAUD_PHISH1 /<FF_YOUR>(?:<FF_F1>|<FF_F2>|<FF_F3>|<FF_F4>|<FF_F5>)<FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i | |
7175 | endif | |
7176 | ||
7177 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7178 | meta __FILL_THIS_FORM_LOAN 0 | |
7179 | endif | |
7180 | ||
7181 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7182 | meta __FILL_THIS_FORM_LOAN __FILL_THIS_FORM && __FILL_THIS_FORM_LOAN1 | |
7183 | endif | |
7184 | ||
7185 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7186 | meta __FILL_THIS_FORM_LOAN1 0 | |
7187 | endif | |
7188 | ||
7189 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7190 | body __FILL_THIS_FORM_LOAN1 /<FF_YOUR><FF_L1><FF_SUFFIX>(?:<FF_BLANK1>|<FF_BLANK2>$)/i | |
7191 | endif | |
7192 | ||
7193 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7194 | meta __FILL_THIS_FORM_LONG 0 | |
7195 | endif | |
7196 | ||
7197 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7198 | meta __FILL_THIS_FORM_LONG __FILL_THIS_FORM_LONG1 || __FILL_THIS_FORM_LONG2 | |
7199 | endif | |
7200 | ||
7201 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7202 | meta __FILL_THIS_FORM_LONG1 0 | |
7203 | endif | |
7204 | ||
7205 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7206 | body __FILL_THIS_FORM_LONG1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i | |
7207 | endif | |
7208 | ||
7209 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7210 | meta __FILL_THIS_FORM_LONG2 0 | |
7211 | endif | |
7212 | ||
7213 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7214 | body __FILL_THIS_FORM_LONG2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>(?:P[a-z\.\s]{10,30})?|<ANDOR>)){5}/i | |
7215 | endif | |
7216 | ||
7217 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7218 | meta __FILL_THIS_FORM_PARTIAL 0 | |
7219 | endif | |
7220 | ||
7221 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7222 | body __FILL_THIS_FORM_PARTIAL /^\s?<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20){1,4}$)/im | |
7223 | tflags __FILL_THIS_FORM_PARTIAL multiple maxhits=5 | |
7224 | endif | |
7225 | ||
7226 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7227 | meta __FILL_THIS_FORM_PARTIAL_RAW 0 | |
7228 | endif | |
7229 | ||
7230 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7231 | rawbody __FILL_THIS_FORM_PARTIAL_RAW /^(?>\s{0,50})<FF_LNNO>?<FF_YOUR>(?:<FF_ALL><ANDOR>?){1,3}<FF_SUFFIX>(?:<FF_BLANK1>|(?:[-=_.,:;*\s]|=20| |<\/\w+>){0,4}$)/im | |
7232 | tflags __FILL_THIS_FORM_PARTIAL_RAW multiple maxhits=5 | |
7233 | endif | |
7234 | ||
7235 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7236 | meta __FILL_THIS_FORM_SHORT 0 | |
7237 | endif | |
7238 | ||
7239 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7240 | meta __FILL_THIS_FORM_SHORT !__FILL_THIS_FORM && (__FILL_THIS_FORM_SHORT1 || __FILL_THIS_FORM_SHORT2 || __FILL_THIS_FORM_PARTIAL > 2 || __FILL_THIS_FORM_PARTIAL_RAW > 2) | |
7241 | endif | |
7242 | ||
7243 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7244 | meta __FILL_THIS_FORM_SHORT1 0 | |
7245 | endif | |
7246 | ||
7247 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7248 | body __FILL_THIS_FORM_SHORT1 /(?:<FF_LNNO><FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i | |
7249 | endif | |
7250 | ||
7251 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7252 | meta __FILL_THIS_FORM_SHORT2 0 | |
7253 | endif | |
7254 | ||
7255 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7256 | body __FILL_THIS_FORM_SHORT2 /(?:<FF_YOUR><FF_ALL><FF_SUFFIX>(?:<FF_BLANK2>|<ANDOR>)){3}/i | |
7257 | endif | |
7258 | ||
7259 | header __FLASHMAIL_MUA X-Mailer =~ /^NetEase Flash Mail \d/ | |
7260 | ||
7261 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7262 | meta __FM_MY_PRICE __FB_S_PRICE | |
7263 | endif | |
7264 | ||
7265 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7266 | meta __FM_MY_PRICE (__FB_S_PRICE || __FRT_PRICE) | |
7267 | endif | |
7268 | ||
7269 | meta __FM_TO_ALL_NUMS __FROM_ALL_NUMS && __TO_ALL_NUMS | |
7270 | ||
# Hidden-text detector on the raw HTML. It matches a tag other than <style>
# whose attributes either set font / font-size to an effectively invisible
# value (0 or 1 with optional decimals for px, pt, Q, vw, vh, vmin; zero for
# cm, mm, pc, ch, rem, lh, vmax, %; 0.0x for em, ex, in) or set color to
# transparent, with a word character right after the closing ">". That is text
# a reader will not see but a content filter will.
# "multiple maxhits=11" lets the rule count up to 11 occurrences so that the
# __FONT_INVIS_2 / _5 / _10 metas can compare the count against thresholds.
# Defined only when the running SpamAssassin reports feature_bug6558_free.
7271 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7272 | rawbody __FONT_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|pc|ch|rem|lh|vmax|%)|0+(?:\.0\d*)(?:em|ex|in))(?:\s[a-z]|\s*[;'])|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w/i | |
7273 | tflags __FONT_INVIS multiple maxhits=11 | |
7274 | endif | |
7275 | ||
7276 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7277 | meta __FONT_INVIS_10 __FONT_INVIS > 10 | |
7278 | endif | |
7279 | ||
7280 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7281 | meta __FONT_INVIS_2 __FONT_INVIS > 2 | |
7282 | endif | |
7283 | ||
7284 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7285 | meta __FONT_INVIS_5 __FONT_INVIS > 5 | |
7286 | endif | |
7287 | ||
7288 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7289 | meta __FONT_INVIS_CENTER __FONT_INVIS && __TAG_EXISTS_CENTER | |
7290 | endif | |
7291 | ||
7292 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7293 | meta __FONT_INVIS_DIRECT __FONT_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED | |
7294 | endif | |
7295 | ||
7296 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7297 | meta __FONT_INVIS_DOTGOV __FONT_INVIS && __URI_DOTGOV | |
7298 | endif | |
7299 | ||
7300 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7301 | meta __FONT_INVIS_HTML_NOHTML __FONT_INVIS && HTML_MIME_NO_HTML_TAG | |
7302 | endif | |
7303 | ||
7304 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7305 | meta __FONT_INVIS_LONG_LINE __FONT_INVIS && __LONGLINE | |
7306 | endif | |
7307 | ||
7308 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7309 | meta __FONT_INVIS_MANY __FONT_INVIS_2 | |
7310 | endif | |
7311 | ||
7312 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7313 | meta __FONT_INVIS_MSGID __FONT_INVIS && __MSGID_OK_HOST | |
7314 | endif | |
7315 | ||
7316 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7317 | meta __FONT_INVIS_NORDNS __FONT_INVIS && __RDNS_NONE | |
7318 | endif | |
7319 | ||
7320 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7321 | meta __FONT_INVIS_SINGLET __FONT_INVIS && __HTML_SINGLET | |
7322 | endif | |
7323 | ||
7324 | header __FORGED_MUA_POSTFIX0 User-Agent =~ /Postfix/ | |
7325 | ||
7326 | header __FORGED_MUA_POSTFIX1 X-Mailer =~ /Postfix/ | |
7327 | ||
31955ede SI |
# Sub-rule: the external relay list holds exactly two entries that report the
# same dotted address (not starting with 127), and the second entry's helo
# value is either empty or begins with "!" followed by something other than a
# loopback (127.), link-local (169.254.) or RFC 1918 (10., 172.16-31.,
# 192.168.) prefix.
# NOTE(review): "!" presumably stands for the "[" of an address-literal HELO as
# encoded in the relay metadata - confirm. Because ([\d.]+) accepts only digits
# and dots, IPv6 relays never satisfy this rule.
7328 | header __FORGED_RELAY_MUA_TO_MX X-Spam-Relays-External =~ /^\[ ip=(?!127)([\d.]+) [^\[]*\[ ip=\1 [^\[]+ helo=(!(?!(?:10|127|169\.254|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.)| )[^\[]+$/ | |
7329 | ||
b780ea8d SI |
7330 | meta __FORGED_TBIRD_IMG __MUA_TBIRD && __JPEG_ATTACH && __MIME_BDRY_0D0D |
7331 | describe __FORGED_TBIRD_IMG Possibly forged Thunderbird image spam | |
7332 | ||
fc5290a3 | 7333 | meta __FORM_FRAUD (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 1) |
b780ea8d | 7334 | |
fc5290a3 | 7335 | meta __FORM_FRAUD_3 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3) |
b780ea8d | 7336 | |
fc5290a3 | 7337 | meta __FORM_FRAUD_5 (__FILL_THIS_FORM || __FILL_THIS_FORM_SHORT) && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5) |
b780ea8d | 7338 | |
b780ea8d SI |
7339 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) |
7340 | body __FOR_SALE_LTP /00\.? (?:less 10%|LTP)/i | |
7341 | tflags __FOR_SALE_LTP multiple maxhits=11 | |
7342 | endif | |
7343 | ||
7344 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7345 | meta __FOR_SALE_LTP_MANY __FOR_SALE_LTP > 10 | |
7346 | endif | |
7347 | ||
7348 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7349 | body __FOR_SALE_NET /00\.? NET/i | |
7350 | tflags __FOR_SALE_NET multiple maxhits=11 | |
7351 | endif | |
7352 | ||
7353 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7354 | meta __FOR_SALE_NET_MANY __FOR_SALE_NET > 10 | |
7355 | endif | |
7356 | ||
7357 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7358 | body __FOR_SALE_OBO /\bor best offer\b/i | |
7359 | tflags __FOR_SALE_OBO multiple maxhits=6 | |
7360 | endif | |
7361 | ||
7362 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7363 | meta __FOR_SALE_OBO_MANY __FOR_SALE_OBO > 5 | |
7364 | endif | |
7365 | ||
7366 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7367 | body __FOR_SALE_PRC_100K /\bprice:? \$\d\d\d,\d\d\d/i | |
7368 | tflags __FOR_SALE_PRC_100K multiple maxhits=11 | |
7369 | endif | |
7370 | ||
7371 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7372 | meta __FOR_SALE_PRC_100K_MANY __FOR_SALE_PRC_100K > 5 | |
7373 | endif | |
7374 | ||
7375 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7376 | body __FOR_SALE_PRC_10K /\bprice:? \$\d\d,\d\d\d/i | |
7377 | tflags __FOR_SALE_PRC_10K multiple maxhits=11 | |
7378 | endif | |
7379 | ||
7380 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7381 | meta __FOR_SALE_PRC_10K_MANY __FOR_SALE_PRC_10K > 10 | |
7382 | endif | |
7383 | ||
7384 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7385 | body __FOR_SALE_PRC_1K /\bprice:? \$\d,?\d\d\d[.\s]/i | |
7386 | tflags __FOR_SALE_PRC_1K multiple maxhits=11 | |
7387 | endif | |
7388 | ||
7389 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7390 | meta __FOR_SALE_PRC_1K_MANY __FOR_SALE_PRC_1K > 10 | |
7391 | endif | |
7392 | ||
7393 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7394 | rawbody __FOR_SALE_PRC_EOL /\s\$\d{1,3},\d00(?:\.00)?$/m | |
7395 | tflags __FOR_SALE_PRC_EOL multiple maxhits=11 | |
7396 | endif | |
7397 | ||
7398 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7399 | meta __FOR_SALE_PRC_EOL_MANY __FOR_SALE_PRC_EOL > 10 | |
7400 | endif | |
7401 | ||
7402 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7403 | meta __FOR_SALE_PRC_MANY (__FOR_SALE_PRC_1K + __FOR_SALE_PRC_10K + __FOR_SALE_PRC_100K) > 20 | |
7404 | endif | |
7405 | ||
7406 | body __FOUND_YOU /\b(?:I|we)\sfound\syour?\b/i | |
7407 | ||
7408 | body __FRAUD /\b(?:de)?fraud/i | |
7409 | ||
7410 | body __FRAUD_IOV /\b(?:no risks?|risky?[- ]{0,3}free|free of risks?|100% safe|v\S{1,3}llig Risikofrei ist)\b/i | |
7411 | ||
7412 | body __FRAUD_PTX /\b(?:ass?ass?inat(?:ed|ion)|murder(?:e?d)?|poison(?:e?d)?|kill(?:ed|ing|ers)\b[^.]{0,99}\b(?:war veterans|rebels?)|les tueurs)\b/i | |
7413 | ||
7414 | body __FRAUD_XWW /\b(?:honest(?:ly)?\sco(?:-?operat(?:e|ion)|llaborat(?:e|ion))|ehrliche\szusammenarbeit|sichere [kc]o+p[eo]ration|col+aboration\swith\sme)\b/i | |
7415 | ||
7416 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
7417 | header __FREEMAIL_DISPTO eval:check_freemail_header('Disposition-Notification-To') | |
7418 | endif | |
7419 | ||
7420 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
7421 | meta __FREEMAIL_DOC_PDF (__DOC_ATTACH || __PDF_ATTACH) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) | |
7422 | endif | |
7423 | ||
7424 | meta __FREEMAIL_WFH_01 (FREEMAIL_FROM || FREEMAIL_REPLYTO) && __WFH_01 | |
7425 | ||
7426 | meta __FREEM_FRNUM_UNICD_EMPTY FREEMAIL_FROM && __FROM_ALL_NUMS && __FROM_ENCODED_B64 && __SUBJECT_ENCODED_B64 && __EMPTY_BODY | |
7427 | ||
7428 | if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
7429 | meta __FROM_41_FREEMAIL 0 | |
7430 | endif | |
7431 | ||
7432 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
7433 | meta __FROM_41_FREEMAIL (__NSL_ORIG_FROM_41 || __NSL_RCVD_FROM_41) && (FREEMAIL_FROM || FREEMAIL_REPLYTO) && !__THREADED | |
7434 | describe __FROM_41_FREEMAIL Sent from Africa + freemail provider | |
7435 | endif | |
7436 | ||
7437 | if (version >= 3.004002) | |
7438 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
7439 | header __FROM_ADDRLIST_BANKS eval:check_from_in_list('BANKS') | |
7440 | endif | |
7441 | endif | |
7442 | ||
7443 | if (version >= 3.004002) | |
7444 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
7445 | header __FROM_ADDRLIST_GOV eval:check_from_in_list('GOV') | |
7446 | endif | |
7447 | endif | |
7448 | ||
7449 | if (version >= 3.004002) | |
7450 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
7451 | header __FROM_ADDRLIST_PAYPAL eval:check_from_in_list('PAYPAL') | |
7452 | endif | |
7453 | endif | |
7454 | ||
7455 | if (version >= 3.004002) | |
7456 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
7457 | header __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD') | |
7458 | endif | |
7459 | endif | |
7460 | ||
7461 | header __FROM_ADDR_WS From:addr =~ /\s/ | |
7462 | ||
7463 | header __FROM_ADMIN From =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i | |
7464 | ||
7465 | header __FROM_ALL_HEX From:addr =~ /^(?!(?:19|20)\d\d[01]\d[0-3]\d)(?![0-9a-f]*[a-f]{3})[0-9a-f]+\@/ | |
7466 | ||
7467 | header __FROM_ALL_NUMS From:addr =~ /^\d+@/ | |
7468 | ||
7469 | header __FROM_DNS From =~ /(?<![^\w.-])dns(?:admin)?\@/i | |
7470 | ||
7471 | meta __FROM_DOM_ADMIN __FROM_ADMIN && __PDS_FROM_NAME_TO_DOMAIN | |
7472 | ||
7473 | header __FROM_DOM_INFO From:addr =~ /\.info$/i | |
7474 | ||
7475 | header __FROM_EBAY From:addr =~ /\@ebay\.com$/i | |
7476 | ||
46cfc9e2 SI |
7477 | header __FROM_EQ_ORG_1 ALL =~ /\nFrom: "?([^\n]+)"? <[^>]+>\n.*Organization: \1\n/ism |
7478 | ||
b780ea8d SI |
7479 | ifplugin Mail::SpamAssassin::Plugin::FreeMail |
7480 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
7481 | header __FROM_EQ_REPLY eval:check_fromname_equals_replyto() | |
7482 | endif | |
7483 | endif | |
7484 | ||
7485 | if (version >= 3.004001) | |
7486 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7487 | tflags __FROM_FMBLA_NDBLOCKED net | |
7488 | endif | |
7489 | endif | |
7490 | ||
7491 | if (version >= 3.004001) | |
7492 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7493 | tflags __FROM_FMBLA_NEWDOM net | |
7494 | endif | |
7495 | endif | |
7496 | ||
7497 | if (version >= 3.004001) | |
7498 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7499 | tflags __FROM_FMBLA_NEWDOM14 net | |
7500 | endif | |
7501 | endif | |
7502 | ||
7503 | if (version >= 3.004001) | |
7504 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7505 | tflags __FROM_FMBLA_NEWDOM28 net | |
7506 | endif | |
7507 | endif | |
7508 | ||
7509 | header __FROM_FULL_NAME From:name =~ /^[^a-z[:punct:][:cntrl:]\d\s][^[:punct:][:cntrl:]\d\s]*[[:punct:]\s]+[^a-z[:punct:][:cntrl:]\d\s]/ | |
7510 | tflags __FROM_FULL_NAME nice | |
7511 | ||
7512 | header __FROM_INFO From =~ /(?<![^\w.-])info\@/i | |
7513 | ||
7514 | header __FROM_LOWER ALL =~ /from:\s\S{5}/ | |
7515 | ||
7516 | header __FROM_MISSPACED From =~ /^\s*"[^"]*"</ | |
7517 | ||
7518 | meta __FROM_MISSP_EH_MATCH __FROM_RUNON_UNCODED && __LCL__ENV_AND_HDR_FROM_MATCH | |
7519 | ||
7520 | if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
7521 | meta __FROM_MISSP_FREEMAIL 0 | |
7522 | endif | |
7523 | ||
7524 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
7525 | meta __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO) | |
7526 | endif | |
7527 | ||
7528 | meta __FROM_MISSP_REPLYTO __FROM_RUNON && __HAS_REPLY_TO | |
7529 | ||
7530 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
7531 | meta __FROM_MULTI_NORDNS __PDS_FROM_2_EMAILS && __RDNS_NONE | |
7532 | endif | |
7533 | ||
7534 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
7535 | meta __FROM_MULTI_SHORT_IMG __PDS_FROM_2_EMAILS && (HTML_IMAGE_ONLY_16 || HTML_SHORT_LINK_IMG_2 || __HTML_IMG_ONLY) | |
7536 | endif | |
7537 | ||
46cfc9e2 SI |
7538 | header __FROM_NAME_APPLECOM From:name =~ /\bapple\.com\b/i |
7539 | ||
7540 | header __FROM_NAME_EBAYCOM From:name =~ /\bebay\.com\b/i | |
7541 | ||
b780ea8d SI |
7542 | full __FROM_NAME_IN_MSG /^From:\s+([^<]\S+\s\S+)\s(?=.{1,2048}^\1\r?$)/sm |
7543 | ||
46cfc9e2 SI |
7544 | header __FROM_NAME_PAYPALCOM From:name =~ /\bpaypal\.com\b/i |
7545 | ||
b780ea8d SI |
7546 | header __FROM_PAYPAL From:addr =~ /\@paypal\.com$/i |
7547 | ||
7548 | header __FROM_RUNON From =~ /\S+<\w+/ | |
7549 | ||
7550 | header __FROM_RUNON_UNCODED From:raw =~ /\S+(?<!\?=)<\w+/ | |
7551 | ||
7552 | header __FROM_WEB_DAEMON From:addr =~ /(?:apache|www|web|tomcat|\biis\b).*\@/i | |
7553 | ||
7554 | header __FROM_WORDY From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/ | |
7555 | ||
7556 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7557 | meta __FRT_PRICE 0 | |
7558 | endif | |
7559 | ||
7560 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7561 | body __FRT_PRICE /<inter SP2><post P2>\b(?!price)<P><R><IX><C><E>\b/i | |
7562 | endif | |
7563 | ||
7564 | rawbody __FR_SPACING_8 /[a-z0-9]{6}\s{8}[a-z0-9]{5}/i | |
7565 | ||
7566 | header __FSL_HAS_LIST_UNSUB exists:List-Unsubscribe | |
7567 | ||
7568 | header __FSL_HELO_BARE_IP_1 X-Spam-Relays-External =~ /^[^\]]+ helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} [^\]]*auth= /i | |
7569 | ||
b780ea8d SI |
7570 | header __FSL_HELO_USER_1 X-Spam-Relays-External =~ / helo=user /i |
7571 | ||
7572 | header __FSL_HELO_USER_2 Received =~ /from User(?:\s+by|\s*[\[\(]|$)/i | |
7573 | ||
7574 | header __FSL_HELO_USER_3 Received =~ /(?:eh|he)lo(?:=|\s)User\)/i | |
7575 | ||
7576 | header __FSL_RELAY_GOOGLE X-Spam-Relays-External =~ /^[^\]]+ rdns=[^ ]+\.google\.com\.? /i | |
7577 | ||
7578 | header __FS_SUBJ_RE Subject =~ /^Re: / | |
7579 | ||
7580 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7581 | body __FUZZY_DR_OZ /(?=<D>)(?!(?-i:D(?:r.|octor)(?:\s| )Oz))(?:<R>|<O><C>(?:<T><O><R>)?)\.?<WS>*<O><Z>(?:$|\W)/i | |
7582 | endif | |
7583 | ||
7584 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7585 | meta __FUZZY_MONERO 0 | |
7586 | endif | |
7587 | ||
7588 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7589 | body __FUZZY_MONERO /(?=<M>)(?!monero)<M><O><N><E><R><O>/i | |
7590 | endif | |
7591 | ||
7592 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7593 | body __FUZZY_PORN /(?=<P>)(?!pornograph?(?:y|i[ca]|er))<P><O><R><N><O><G><R><A><P><H>?(?:<Y>|<I><C>|<E><R>)/i | |
7594 | endif | |
7595 | ||
7596 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7597 | body __FUZZY_WELLSFARGO_BODY /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i | |
7598 | endif | |
7599 | ||
7600 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7601 | header __FUZZY_WELLSFARGO_FROM From:name =~ /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i | |
7602 | endif | |
7603 | ||
# "sales", "leads" or "campaign" written with optional single spaces between letters, after a
# marketing-type word; the lookahead skips the normally spelled words. Up to three hits are counted.
7604 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7605 | body __GAPPY_SALES_LEADS /\b(?:business|e?-?mail|your|marketing|advertising)\s(?!sales|leads|campaign)(?:s\s?a\s?l\s?e\s?s|l\s?e\s?a\s?d\s?s|c\s?a\s?m\s?p\s?a\s?i\s?g\s?n)\b/i | |
7606 | tflags __GAPPY_SALES_LEADS multiple maxhits=3 | |
7607 | endif | |
7608 | ||
# "> 2" means all three countable hits (maxhits=3 above) are required.
7609 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7610 | meta __GAPPY_SALES_LEADS_MANY __GAPPY_SALES_LEADS > 2 | |
7611 | endif | |
7612 | ||
# The four URI sub-rules below interpolate %{GB_TO_ADDR}, the named capture set by __GB_TO_ADDR
# (To:addr) further down, so they fire on links that carry the recipient's own address.
# All are guarded by version >= 4.000000 and can(feature_capture_rules).
dfdd1e08 SI |
7613 | if (version >= 4.000000) |
7614 | if can(Mail::SpamAssassin::Conf::feature_capture_rules) | |
fc5290a3 | 7615 | uri __GB_CUSTOM_HTM_URI0 m;^https?://.{10,128}(?:\.html?|\.php|\/)?(?:\#|\?&e=)%{GB_TO_ADDR};i |
dfdd1e08 SI |
7616 | endif |
7617 | endif | |
7618 | ||
# A URL embedded after "=" inside another URL, with the recipient address as the fragment.
7619 | if (version >= 4.000000) | |
7620 | if can(Mail::SpamAssassin::Conf::feature_capture_rules) | |
7621 | uri __GB_CUSTOM_HTM_URI1 m|^https?://.{10,64}\=https?://.{4,64}\#%{GB_TO_ADDR}|i | |
7622 | endif | |
7623 | endif | |
7624 | ||
# (?<!blocker) keeps "blockeremail=" parameters from counting.
7625 | if (version >= 4.000000) | |
7626 | if can(Mail::SpamAssassin::Conf::feature_capture_rules) | |
fc5290a3 | 7627 | uri __GB_CUSTOM_HTM_URI2 m;^https?://.{10,256}(?:\/\?)?(?:(?<!blocker)email=|audit\#|wapp\#)%{GB_TO_ADDR};i |
dfdd1e08 SI |
7628 | endif |
7629 | endif | |
7630 | ||
7631 | if (version >= 4.000000) | |
7632 | if can(Mail::SpamAssassin::Conf::feature_capture_rules) | |
7633 | uri __GB_DRUPAL_URI m|^https?://.{10,64}/default/files/(?:\@)?\#%{GB_TO_ADDR}|i | |
7634 | endif | |
7635 | endif | |
7636 | ||
# "[\W+]" is a character class (one non-word character or a literal "+"), not "\W+", and the
# pattern is unanchored. An ordinary "Re: " prefix matches too, so any "fake reply/forward"
# judgement has to come from the meta rules that combine this. NOTE(review): confirm intent.
46cfc9e2 | 7637 | header __GB_FAKE_RF Subject =~ /(Fw|Re)\:{1,2}[\W+]/i |
b780ea8d | 7638 | |
# Captures the whole To:addr value into the GB_TO_ADDR tag used by the URI rules above.
# NOTE(review): the capture is an unconstrained ".*" over a header the sender controls - confirm
# how the captured text is escaped when spliced into those patterns, and what an empty
# To:addr does to them.
dfdd1e08 SI |
7639 | if (version >= 4.000000) |
7640 | if can(Mail::SpamAssassin::Conf::feature_capture_rules) | |
7641 | header __GB_TO_ADDR To:addr =~ /(?<GB_TO_ADDR>.*)/ | |
7642 | endif | |
7643 | endif | |
31955ede | 7644 | |
b780ea8d SI |
7645 | body __GHANA /\bghana\b/i |
7646 | ||
# A MIME part whose Content-Type begins with image/gif (needs the MIMEHeader plugin).
7647 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7648 | mimeheader __GIF_ATTACH Content-Type =~ /^image\/gif\b/i | |
7649 | endif | |
7650 | ||
# Offers to give or donate money, in English, French and Polish; "=F3" / "=E9"-style
# alternatives cover quoted-printable residue next to the raw bytes.
# NOTE(review): "\w\+\s" matches one word character followed by a literal "+", and
# "philanthropists\?" requires a literal "?". These look like escaped quantifiers
# (\w+\s, philanthropists?) - check against upstream before relying on the "donate ... to" branch.
7651 | body __GIVE_MONEY /\b(?:(?:give\syou\s(?:this\s)?(?:money|fund|inheritance))|(?:donated?\s(?:\w\+\s){0,3}(?:the\ssum\sof|(?:(?:the|this|some)\s(?:money|funds?|inheritance)|to\s)(?:you|(?:(?:the|a)\s)?church|charit(?:y|ies)|humanit\w+|needy|poor|orphan(?:age)?s?|philanthropists\?)))|de vous donner cet argent|faire don de la somme|voudrais en faire don|tego funduszu do dom(?:=F3|[\xf3])w (?:dziecka|wdowy))\b/i | |
7652 | ||
# Google Docs link plus any of the TVD phishing subject/body indicators.
7653 | meta __GOOGLE_DOCS_PHISH_1 __URI_GOOGLE_DOC && (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST) | |
7654 | ||
# Google Docs link plus a single e-mail/account phishing indicator; the *_MANY variants are
# excluded here, so those cases are left to other rules.
7655 | meta __GOOGLE_DOCS_PHISH_2 __URI_GOOGLE_DOC && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY | |
7656 | ||
# Google Docs link with at least one suspicious trait, never for mail from all-trusted relays.
7657 | meta __GOOGLE_DOC_SUSP __URI_GOOGLE_DOC && (__HAS_DOMAINKEY_SIG || __RDNS_NONE || __SYSADMIN || __STY_INVIS || LOTS_OF_MONEY || __XFER_MONEY || __ADVANCE_FEE_2_NEW) && !ALL_TRUSTED | |
7658 | ||
# google.com redirector link ("url?") whose remainder contains "download" after ?, & or /.
7659 | uri __GOOG_MALWARE_DNLD m;^https?://[^/]*\.google\.com/[^?]*url\?.*[\?&/]download;i | |
7660 | ||
# Any google.com open-redirector link. "[^/]*\.google\.com" needs a dot before "google", so
# only subdomain hosts are covered; confirm the bare domain is handled elsewhere if needed.
7661 | uri __GOOG_REDIR m;^https?://[^/]*\.google\.com/url\?;i | |
7662 | ||
7663 | meta __GOOG_STO_HTML_PHISH __URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) && !__EMAIL_PHISH_MANY && !__ACCT_PHISH_MANY | |
7664 | ||
# The three combinations of the two Google-storage URI sub-rules (image / HTML): both,
# image only, HTML only.
7665 | meta __GOOG_STO_IMG_HTML_1 __URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML | |
7666 | ||
7667 | meta __GOOG_STO_IMG_NOHTML __URI_GOOG_STO_IMG && !__URI_GOOG_STO_HTML | |
7668 | ||
7669 | meta __GOOG_STO_NOIMG_HTML !__URI_GOOG_STO_IMG && __URI_GOOG_STO_HTML | |
7670 | ||
# Loose "looks like an address" test: word char, "@", non-space run, dot, word char.
7671 | body __HAS_ANY_EMAIL /\w@\S+\.\w/ | |
7672 | ||
# Any URI that starts with a scheme followed by "://".
7673 | uri __HAS_ANY_URI /^\w+:\/\// | |
7674 | ||
# Header-presence tests: true when the named header exists, whatever its value.
7675 | header __HAS_CAMPAIGNID exists:X-Campaignid | |
7676 | ||
7677 | header __HAS_CID exists:X-CID | |
7678 | ||
7679 | header __HAS_COMPLAINT_TO exists:Complaint-To | |
7680 | ||
# Presence only; the signature is not verified by this rule.
7681 | header __HAS_DOMAINKEY_SIG exists:DomainKey-Signature | |
7682 | ||
# Counters for anchor and image tags in the raw body. "^[^>]" skips lines that begin with ">"
# (quoted text); each rule counts up to 100 hits. The *_ONECASE variants are case-sensitive
# and accept only the all-lowercase or all-uppercase spelling of tag and attribute.
7683 | describe __HAS_HREF Has an anchor tag with a href attribute in non-quoted line | |
7684 | rawbody __HAS_HREF /^[^>].*?<a href=/im | |
7685 | tflags __HAS_HREF multiple maxhits=100 | |
7686 | ||
7687 | describe __HAS_HREF_ONECASE Has an anchor tag with a href attribute in non-quoted line with consistent case | |
7688 | rawbody __HAS_HREF_ONECASE /^[^>].*?<(a href|A HREF)=/m | |
7689 | tflags __HAS_HREF_ONECASE multiple maxhits=100 | |
7690 | ||
7691 | describe __HAS_IMG_SRC Has an img tag on a non-quoted line | |
7692 | rawbody __HAS_IMG_SRC /^[^>].*?<img src=/im | |
7693 | tflags __HAS_IMG_SRC multiple maxhits=100 | |
7694 | ||
# Inline image: src attribute value starts with "data" right after the opening quote.
# Not counted (no tflags multiple), so this is a yes/no test.
7695 | rawbody __HAS_IMG_SRC_DATA /^[^>].*?<img src=['"]data/im | |
7696 | ||
7697 | describe __HAS_IMG_SRC_ONECASE Has an img tag on a non-quoted line with consistent case | |
7698 | rawbody __HAS_IMG_SRC_ONECASE /^[^>].*?<(img src|IMG SRC)=/m | |
7699 | tflags __HAS_IMG_SRC_ONECASE multiple maxhits=100 | |
7700 | ||
# Header-presence sub-rules: each is true when the named header exists, whatever its value.
# The headers are taken from the message itself, so presence says nothing about who added them.
7701 | header __HAS_LIST_OPEN exists:List-Open | |
7702 | ||
7703 | header __HAS_LOGID exists:logid | |
7704 | ||
# Tests a header literally named "MessageID", which is not the standard Message-ID header.
7705 | header __HAS_MESSAGEID exists:MessageID | |
7706 | ||
7707 | header __HAS_PHP_ORIG_SCRIPT exists:X-PHP-Originating-Script | |
7708 | ||
7709 | header __HAS_PHP_SCRIPT exists:X-PHP-Script | |
7710 | ||
7711 | header __HAS_THREAD_INDEX exists:Thread-Index | |
7712 | ||
7713 | header __HAS_TRACKING_CODE exists:Tracking-Code | |
7714 | ||
# Body phrase (Spanish "que ha ganado"), the only non-header rule in this run.
7715 | body __HAS_WON_01 /\bque ha ganado\b/i | |
7716 | ||
7717 | header __HAS_XM_LID exists:X-Mailer-LID | |
7718 | ||
7719 | header __HAS_XM_RECPTID exists:X-Mailer-RecptId | |
7720 | ||
7721 | header __HAS_XM_SENTBY exists:X-Mailer-Sent-By | |
7722 | ||
7723 | header __HAS_XM_SID exists:X-Mailer-SID | |
7724 | ||
7725 | header __HAS_X_EBSERVER exists:X-EBSERVER | |
7726 | ||
7727 | header __HAS_X_LETTER exists:X-Letter | |
7728 | ||
7729 | header __HAS_X_NO_RELAY exists:X-No-Relay | |
7730 | ||
7731 | header __HAS_X_OUTGOING_SPAM_STAT exists:X-OutGoing-Spam-Status | |
7732 | ||
31955ede SI |
7733 | header __HAS_X_SENDER exists:X-Sender |
7734 | ||
b780ea8d SI |
7735 | header __HAS_X_SOURCE_DIR exists:X-Source-Dir |
7736 | ||
# Case-sensitive match on header names written with unusual lower-casing ("Message-id",
# "from", "subject", ...); up to three hits are counted.
7737 | header __HDRS_LCASE ALL =~ /\n(?:Message-id|Content-type|X-MSMail-priority|from|subject|to|cc|Disposition-notification-to):/sm | |
7738 | tflags __HDRS_LCASE multiple maxhits=3 | |
7739 | ||
# Message-ID / user-agent sub-rules, presumably the senders known to produce such casing -
# the rules themselves are defined outside this part of the file.
7740 | meta __HDRS_LCASE_KNOWN __MSGID_JAVAMAIL || __UA_MSOEMAC || __UA_MSOMAC || __MSGID_APPLEMAIL || __MSGID_HEX_UID || __MSGID_HEXISH | |
7741 | ||
# Raw headers: Subject/From/To/Reply-To followed by a non-space directly after the colon.
7742 | header __HDRS_MISSP ALL:raw =~ /^(?:Subject|From|To|Reply-To):\S/ism | |
7743 | ||
# A lowercase letter directly followed by an uppercase one before the first "-", ":" or
# whitespace of a header line; lines starting with "DomainKey" are exempt. Up to four hits.
cabe596e SI |
7744 | header __HDR_CASE_REVERSED ALL =~ /^(?!DomainKey)[^-:\s]*[a-z][A-Z]/m |
7745 | tflags __HDR_CASE_REVERSED multiple maxhits=4 | |
7746 | ||
# One relay entry with a HELO under mailer.shopify.com and an envelope sender under
# shopifyemail.com; "[^\]\s]+\s" keeps the match inside a single [...] entry.
31955ede SI |
7747 | header __HDR_ENVFROM_SHOPIFY X-Spam-Relays-External =~ /\shelo=\S+\.mailer\.shopify\.com\s(?:[^\]\s]+\s)*envfrom=\S+\.shopifyemail\.com\s/ |
7748 | ||
# Fixed header order fingerprint: From, To, Subject, Date, MIME-Version, Content-Type,
# X-Priority, X-MSMail-Priority, X-Mailer, X-MimeOLE, each value length-bounded.
b780ea8d SI |
7749 | header __HDR_ORDER_FTSDMCXXXX ALL =~ /\nFrom: .{1,80}?\nTo: .{1,80}?\nSubject: .{1,200}?\nDate: .{1,40}?\nMIME-Version: .{1,40}?\nContent-Type: .{1,120}?\nX-Priority: .{1,40}?\nX-MSMail-Priority: .{1,40}?\nX-Mailer: .{1,80}?\nX-MimeOLE:/s |
7750 | ||
# "Received via <provider>" sub-rules. Each looks for rdns=<host>.<provider domain> in the
# external relay metadata. They are unanchored, so any external relay entry can match (not
# only the first), and "\S+\." requires a host label in front of the provider domain.
# NOTE(review): these depend on the rdns value recorded by the receiving MTA; confirm it is
# forward-confirmed there before using a hit as evidence of the real sender.
7751 | header __HDR_RCVD_ALIBABA X-Spam-Relays-External =~ /\srdns=\S+\.alibaba\.com\s/ | |
7752 | ||
7753 | header __HDR_RCVD_AMAZON X-Spam-Relays-External =~ /\srdns=\S+\.amazon(?:ses)?\.com\s/ | |
7754 | ||
# Empty rdns= followed by a HELO under smtp-out.amazonses.com.
# NOTE(review): HELO is chosen by the connecting client, so with no reverse DNS this alone
# does not establish an Amazon SES origin - check what the consuming metas pair it with.
46cfc9e2 SI |
7755 | header __HDR_RCVD_AMAZON_HELO X-Spam-Relays-External =~ /\srdns=\shelo=[^.]+\.smtp-out\.amazonses\.com\s/ |
7756 | ||
7757 | header __HDR_RCVD_APPLE X-Spam-Relays-External =~ /\srdns=\S+\.apple\.com\s/ | |
7758 | ||
31955ede SI |
7759 | header __HDR_RCVD_BEBEE X-Spam-Relays-External =~ /\srdns=\S+\.bebee\.com\s/ |
7760 | ||
b780ea8d SI |
7761 | header __HDR_RCVD_EBAY X-Spam-Relays-External =~ /\srdns=\S+\.ebay\.com\s/ |
7762 | ||
31955ede SI |
7763 | header __HDR_RCVD_FACEBOOK X-Spam-Relays-External =~ /\srdns=\S+\.facebook\.com\s/ |
7764 | ||
# Narrower than the others: the host must start with "mail-"; a trailing dot is tolerated.
b780ea8d SI |
7765 | header __HDR_RCVD_GOOGLE X-Spam-Relays-External =~ / rdns=mail-\S+\.google\.com\.?\s/ |
7766 | ||
7767 | header __HDR_RCVD_KEEPA X-Spam-Relays-External =~ /\srdns=\S+\.keepa\.com\s/ | |
7768 | ||
46cfc9e2 SI |
7769 | header __HDR_RCVD_LINKEDIN X-Spam-Relays-External =~ /\srdns=\S+\.linkedin\.com\s/ |
7770 | ||
b780ea8d SI |
7771 | header __HDR_RCVD_NEWEGG X-Spam-Relays-External =~ /\srdns=\S+\.newegg\.com\s/ |
7772 | ||
46cfc9e2 SI |
7773 | header __HDR_RCVD_PAYPAL X-Spam-Relays-External =~ /\srdns=\S+\.paypal\.com\s/ |
7774 | ||
b780ea8d SI |
7775 | header __HDR_RCVD_SHOPIFY X-Spam-Relays-External =~ /\srdns=\S+\.shopify\.com\s/ |
7776 | ||
46cfc9e2 SI |
7777 | header __HDR_RCVD_TAGSTAT X-Spam-Relays-External =~ /\srdns=\S+\.tagstat\.com\s/ |
7778 | ||
31955ede SI |
7779 | header __HDR_RCVD_TARINGANET X-Spam-Relays-External =~ /\srdns=\S+\.taringa\.net\s/ |
7780 | ||
b780ea8d SI |
7781 | header __HDR_RCVD_TONLINEDE X-Spam-Relays-External =~ /\srdns=\S+\.t-online\.de\s/ |
7782 | ||
7783 | header __HDR_RCVD_WALMART X-Spam-Relays-External =~ /\srdns=\S+\.walmart\.com\s/ | |
7784 | ||
# Only the test flag is set here (network test); the __HELO_DNS rule itself is defined
# outside this part of the file.
7785 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
7786 | tflags __HELO_DNS net | |
7787 | endif | |
7788 | ||
# First external relay announced a HELO containing a high-profile provider name followed
# by a dot. HELO is client-supplied, so this describes the claim, not the real sender.
7789 | header __HELO_HIGHPROFILE X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:hotmail|gmail|google|yahoo|msn|microsoft|outlook|paypal|xxx)\.[\w]+\b/i | |
7790 | ||
# First external relay has a non-empty rdns and a HELO that does not begin with that rdns
# value (compared case-insensitively). The check is a prefix test, not full equality.
b780ea8d SI |
7791 | header __HELO_NOT_RDNS X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!(?i)\1)\S/ |
7792 | ||
# First external relay HELO contains no dot at all.
7793 | header __HELO_NO_DOMAIN X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ / | |
7794 | ||
# Case-sensitive: a 10-64 character run of hex digits and hyphens sitting between ordinary
# lowercase words; the lookaheads exclude long plain words, "--", and a few number layouts.
# Up to four hits are counted.
7795 | body __HEXHASHWORD_S2EU /\s[A-Z]?[a-z]{1,15}\s(?![a-z]{10,20}\s)[a-z]{0,10}(?!-?\d{1,5}-)(?!\d{10}\s)(?:(?!--)[-0-9a-f]){10,64}(?:[g-z][a-z]{0,10})?\s[A-Z]?[a-z]{1,15}\b/ | |
7796 | tflags __HEXHASHWORD_S2EU multiple maxhits=4 | |
7797 | ||
# Lottery wording ("lottery", "lotto", "loterie", "loterij") followed by an organisation or brand word.
7798 | body __HK_LOTTO_2 /\blot(?:eri[ej]|t(?:ery|o)) ?(?:(?:inter)?national|foundation|mercato|univers|euro ?million|e-?mail|euro-pw|bill ?gates|swiss|prestige|cristal|am.ricaine|coca.?cola|fiduciary|department)/i | |
7799 | ||
# "." in "on.?line" / "fran.aise" stands in for a hyphen or an accented character.
7800 | body __HK_LOTTO_BALLOT /\b(?:promotional|on.?line|computer|internet|e-?mail|fran.aise) (?:ballot|draw|sweepstake)/i | |
7801 | ||
7802 | body __HK_LOTTO_STAATS /\bstaatsloteri/i | |
7803 | ||
# From display name begins with the word "FROM". Only defined when the FreeMail plugin is
# loaded and the SpamAssassin version is at least 3.004000.
7804 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
7805 | if (version >= 3.004000) | |
7806 | header __HK_NAME_FROM From:name =~ /^FROM\b/mi | |
7807 | endif | |
7808 | endif | |
7809 | ||
# From display name begins with MR, MRS or MISS (any case); same guards as above.
7810 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
7811 | if (version >= 3.004000) | |
7812 | header __HK_NAME_MR_MRS From:name =~ /^M(?:RS?|ISS)\b/mi | |
7813 | endif | |
7814 | endif | |
7815 | ||
# Advance-fee phrase sub-rules. Each is a plain case-insensitive phrase match and is only
# meaningful in combination with others through meta rules.
7816 | body __HK_SCAM_N15 /\b(?:account (?:overseas?|offshore)|(?:overseas?|offshore) account)\b/i | |
7817 | ||
7818 | body __HK_SCAM_N16 /\b(?:arrangement secret|secret arrangement)\b/i | |
7819 | ||
7820 | body __HK_SCAM_N2 /\bnext of kin\b/i | |
7821 | ||
7822 | body __HK_SCAM_N3 /\bdirect telephone numbers?\b/i | |
7823 | ||
7824 | body __HK_SCAM_N8 /\byour compensation\b/i | |
7825 | ||
7826 | body __HK_SCAM_S1 /pay you the sum of/i | |
7827 | ||
7828 | body __HK_SCAM_S15 /(?:discovered a dormant account|can you be my partner)/i | |
7829 | ||
7830 | body __HK_SCAM_S25 /\bbank (?:in|of) ghana/i | |
7831 | ||
# Attachment names containing lottery/prize/urgency words, checked in both places a name can
# appear: the Content-Disposition and the Content-Type parameters. No fallback "meta ... 0" is
# defined in this part of the file for the case where MIMEHeader is not loaded.
7832 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7833 | mimeheader __HK_SPAMMY_CDFN Content-Disposition =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi | |
7834 | endif | |
7835 | ||
7836 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7837 | mimeheader __HK_SPAMMY_CTFN Content-Type =~ /name=.*?(?:lot(?:eri[ej]|t(?:ery|o))|award|prize|winn(?:er|ing)|microsoft|congrat|urgent)/mi | |
7838 | endif | |
7839 | ||
# Combinations of "image hosted on a third-party site" (__URI_HOSTED_IMG) with a delivery or
# sender trait: direct-to-MX delivery, a double-quoted unsubscribe URI, freemail sender.
31955ede | 7840 | meta __HOSTED_IMG_DIRECT_MX __DOS_DIRECT_TO_MX && __URI_HOSTED_IMG |
b780ea8d | 7841 | |
31955ede | 7842 | meta __HOSTED_IMG_DQ_UNSUB __URI_DQ_UNSUB && __URI_HOSTED_IMG |
b780ea8d | 7843 | |
31955ede | 7844 | meta __HOSTED_IMG_FREEM ( FREEMAIL_REPLYTO || FREEMAIL_FROM ) && __URI_HOSTED_IMG |
b780ea8d | 7845 | |
# Sums the per-host image sub-rules and fires when the total exceeds 1.
# NOTE(review): __URI_IMG_JOOMCDN appears twice in the sum, so a JOOMCDN hit on its own
# already yields 2 and satisfies "> 1" without a second host - confirm whether that
# double weight is intended.
31955ede | 7846 | meta __HOSTED_IMG_MULTI ( __URI_IMG_EBAY + __URI_IMG_AMAZON + __URI_IMG_ALICDN + __URI_IMG_WALMART + __URI_IMG_NEWEGG + __URI_IMG_SHOPIFY + __URI_IMG_YTIMG + __URI_IMG_JOOMCDN + __URI_IMG_WISH + __URI_IMG_WP_REDIR + __URI_IMG_STATICBG + __URI_IMG_CHANNYPIC + __URI_IMG_TOPHATTER + __URI_IMG_GBTCDN + __URI_IMG_LINKEDIN + __URI_IMG_TUMBLR + __URI_IMG_TAGSTAT + __URI_IMG_FACEBOOK + __URI_IMG_TARINGANET + __URI_IMG_BEBEE + __URI_IMG_EFUSERASSETS + __URI_IMG_IMGBOX_THUMB + __URI_IMG_500PXORG + __URI_IMG_WIXMP + __URI_IMG_POSTIMGCC + __URI_IMG_GTRACING + __URI_IMG_JOOMCDN + __URI_IMG_DHRESOURCE) > 1 |
b780ea8d SI |
7847 | |
# Deadline pressure wording ("you have 48 hours", "by the end of the working day", ...), in
# English and German. Two mutually exclusive definitions: this plain-text one when
# ReplaceTags is not loaded, and the tag-based one below when it is.
7848 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
7849 | body __HOURS_DEADLINE /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three|a few)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i | |
7850 | endif | |
7851 | ||
# Same phrases spelled with ReplaceTags letter placeholders so obfuscated lettering still
# matches. This variant starts at line start or whitespace instead of \b and has no trailing \b.
7852 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
7853 | body __HOURS_DEADLINE /(?:^|\s)(?:(?:<G><I><V><E>\s<Y><O><U>|<G><E><B><E>\s<I><H><N><E><N>(?:\s<N><U><R>)?|<Y><O><U>\s(?:<W><I><L><L>\s)?<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?|<W><I><T><H><I><N>)(?:(\s<T><H><E>)?\s(?:<L><A><S><T>|<N><E><X><T>))?\s(?:\d+|<O><N><E>|<T><W><O>|<T><H><R><E><E>|<A> <F><E><W>)\s?(?:<H><O><U><R><S>?|<H><R>\s?<S>?|<D><A><Y><S>?|<S><T><U><N><D><E><N>)|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\s<H><O><U><R><S>?\s<B><E><F><O><R><E>\s(?:<S><E><N><D><I><N><G>|<R><E><L><E><A><S><I><N><G>|<E><X><P><O><S><I><N><G>|<P><U><B><L><I><S><H><I><N><G>)|(?:<T><H><E>|<Y><O><U><R>)\s<D><E><A><D><L><I><N><E>\s(?:<I><S>|<W><I><L><L>\s<B><E>))/i | |
7854 | endif | |
7855 | ||
# A raw-body line starting with "> " (quoted reply text).
7856 | rawbody __HS_QUOTE /^> / | |
7857 | ||
# Subject starts with "re:" or "fw:" in any case; no space is required after the colon.
7858 | header __HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/ | |
7859 | ||
# HTML attachment detection, with a constant-0 fallback when MIMEHeader is not loaded.
# _01: Content-Type is text/html and a later parameter ends in .htm, .html or .shtml.
7860 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7861 | meta __HTML_ATTACH_01 0 | |
7862 | endif | |
7863 | ||
7864 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
dfdd1e08 | 7865 | mimeheader __HTML_ATTACH_01 Content-Type =~ m,\btext/html\b.+\.s?html?\b,i |
b780ea8d SI |
7866 | endif |
7867 | ||
# _02: Content-Disposition filename ends in .htm, .html or .shtml. The name is taken as
# declared by the sender; the part's actual content is not inspected here.
7868 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7869 | meta __HTML_ATTACH_02 0 | |
7870 | endif | |
7871 | ||
7872 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
dfdd1e08 | 7873 | mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.s?html?\b,i |
b780ea8d SI |
7874 | endif |
7875 | ||
# Ten consecutive numeric character references whose code points are plain ASCII
# (decimal 0-127 or hex x00-x7f), i.e. ordinary text written as entities. Up to 64
# whitespace characters are tolerated before and after each ";".
7876 | rawbody __HTML_ENTITY_ASCII /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){10}/i | |
7877 | ||
# Same signal with a list of exclusions meant to cut false positives (DKIM present,
# tidy SMTP-style rDNS, mailing-list traffic, 8-bit body, ...).
7878 | meta __HTML_ENTITY_ASCII_MINFP __HTML_ENTITY_ASCII && !__DKIM_EXISTS && !__RCD_RDNS_SMTP && !__RCD_RDNS_SMTP_MESSY && !__JM_REACTOR_DATE && !__HAS_ERRORS_TO && !__L_BODY_8BITS && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML | |
7879 | ||
31955ede | 7880 | meta __HTML_ENTITY_ASCII_TINY __HTML_ENTITY_ASCII && (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT) |
b780ea8d SI |
7881 | |
# CSS font-size of 0px to 4px.
7882 | rawbody __HTML_FONT_TINY_01 /font-size:\s{0,5}[0-4]px;/i | |
7883 | ||
# <font size=-N> with N of 2 or more (quotes optional).
31955ede SI |
7884 | rawbody __HTML_FONT_TINY_02 /<font\s[^>]{0,80}size\s*=\s*["']?-(?:[2-9]|[1-9]\d+)["']?[^>]{0,80}>/i |
7885 | ||
7886 | meta __HTML_FONT_TINY_NORDNS (__HTML_FONT_TINY_01 || __HTML_FONT_TINY_02 || __AC_TINY_FONT) && __RDNS_NONE | |
7887 | ||
# Inline style placing content at a negative top/left offset of at least three digits,
# which moves it outside the visible area.
b780ea8d SI |
7888 | rawbody __HTML_OFF_PAGE /;(?:top|left):-\d{3,9}px;/i |
7889 | ||
# A one-word HTML comment wedged between two word characters (a word split by a comment).
# Case-sensitive by construction (\w only); up to ten hits are counted.
7890 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7891 | rawbody __HTML_SHRT_CMNT_OBFU /\w<!--\s*\w+\s*-->\w/ | |
7892 | tflags __HTML_SHRT_CMNT_OBFU multiple maxhits=10 | |
7893 | endif | |
7894 | ||
# More than five such splits in a message that has an HTML part.
7895 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
7896 | meta __HTML_SHRT_CMNT_OBFU_MANY __HTML_SHRT_CMNT_OBFU > 5 && HTML_MESSAGE | |
7897 | endif | |
7898 | ||
# A single letter, double quote or numeric entity alone between ">" and "<" (one character
# per element). maxhits=21 is the smallest cap that lets the "> 20" meta below ever be true.
# Unlike the rules above, these count-based metas are not wrapped in a can() guard.
7899 | rawbody __HTML_SINGLET />\s*(?:[a-z"]|&\#(?:\d+|x[0-9a-f]+);)\s*</i | |
7900 | tflags __HTML_SINGLET multiple maxhits=21 | |
7901 | ||
7902 | meta __HTML_SINGLET_10 __HTML_SINGLET > 10 | |
7903 | ||
7904 | meta __HTML_SINGLET_MANY __HTML_SINGLET > 20 | |
7905 | ||
# HTMLEval test on <center> tags with the condition '!= 0', i.e. the opening and closing
# tag counts do not balance.
7906 | ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
7907 | body __HTML_TAG_BALANCE_CENTER eval:html_tag_balance('center', '!= 0') | |
7908 | endif | |
7909 | ||
# Secrecy wording in English, French and German; "=E9", [\xe9] and [\xc3][\xa9] are the
# quoted-printable, Latin-1 and UTF-8 forms of the same accented letter.
7910 | body __HUSH_HUSH /\b(?:confiden[tc]i[ae]l(?:\b|ity\b|it(?:=E9|[\xe9]|[\xc3][\xa9]))|private\b|secr[e\xe8](?:te?|cy)\b|sensitive\b|concealed\b|obscured?\b|discre(?:et|tion)\b|very\sdiscrete|top\ssecret|vertraulich(?:en)?\b|geheim\b|priv(?:e|=E9|[\xe9]|[\xc3][\xa9]))/i | |
7911 | ||
# Direct imgur image links: optional single subdomain label, seven-character id, image
# extension, anchored at both ends. Up to four hits are counted for the metas below.
7912 | uri __IMGUR_IMG m,^https?://(?:[^.]+\.)?imgur\.com/[a-z0-9]{7}\.(?:png|gif|jpe?g)$,i | |
7913 | tflags __IMGUR_IMG multiple maxhits=4 | |
7914 | ||
7915 | meta __IMGUR_IMG_2 __IMGUR_IMG == 2 | |
7916 | ||
7917 | meta __IMGUR_IMG_3 __IMGUR_IMG == 3 | |
7918 | ||
# ImageInfo pixel-area test over all image types with bounds 62500 and 300000; constant 0
# when the plugin is not loaded.
7919 | if !plugin(Mail::SpamAssassin::Plugin::ImageInfo) | |
7920 | meta __IMG_LE_300K 0 | |
7921 | endif | |
7922 | ||
7923 | ifplugin Mail::SpamAssassin::Plugin::ImageInfo | |
7924 | body __IMG_LE_300K eval:pixel_coverage('all',62500,300000) | |
7925 | endif | |
7926 | ||
7927 | body __INHERIT_PMT /\binheritance\spayment\s/i | |
7928 | ||
# True when any of the listed X-Mailer / User-Agent sub-rules matched. Despite the name,
# no In-Reply-To or References test appears in this expression.
fc5290a3 SI |
7929 | meta __INR_AND_NO_REF (__XM_IMAIL || __XM_APPLEMAIL || __XM_COMMUNIG || __XM_EDMAX || __XM_ELM || __XM_EMUMAIL || __XM_EXMH || __XM_LOTUSN || __XM_MAILCITY || __XM_MAILSMITH || __XM_MSCDO || __XM_MSOUT || __XM_MIMETOOLS || __XM_OPERA6 || __XM_PEGASUS || __XM_QUALCOM || __UA_IMP || __UA_MSOEMAC || __UA_MSENTOUR || __UA_OPERA7) |
7930 | ||
b780ea8d SI |
7931 | body __INTL_BANK /\b(?:international\s(?:\w+\s)?bank|banque\sinternationale)\b/i |
7932 | ||
7933 | body __INVEST_COUNTRY /\binvest\sin\syour?\scountry\b/i | |
7934 | ||
7935 | body __INVEST_MONEY /\binvest(?:ir)?\s(?:this|ces|d[ae]s|sur ce|de ces)\s(?:money|f[ou]nds?)\b/i | |
7936 | ||
# First external relay: the four octets of its IP address reappear in its rdns or HELO
# name, in forward or reversed order, separated by single non-digit characters.
7937 | header __IP_IN_RELAY X-Spam-Relays-External =~ /^\[ ip=(\d+)\.(\d+)\.(\d+)\.(\d+) (?:[^\]]* )?(?:rdns|helo)=\S*(?:\1\D\2\D\3\D\4|\4\D\3\D\2\D\1)/ | |
7938 | ||
# Disk-image attachment detection, with constant-0 fallbacks when MIMEHeader is not loaded.
# __ISO_ATTACH: declared filename ending in ".iso" followed by a quote, ";" or "$".
# NOTE(review): inside a character class "$" is a literal dollar sign, not an end-of-value
# anchor, so an unquoted name that ends the header value is not covered by this pattern -
# confirm against upstream. __ISO_ATTACH_MT below covers the declared media type instead.
7939 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7940 | meta __ISO_ATTACH 0 | |
7941 | endif | |
7942 | ||
7943 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7944 | mimeheader __ISO_ATTACH Content-Disposition =~ m,\bfilename="?[^"]+\.iso[";$],i | |
7945 | endif | |
7946 | ||
# Both tests read sender-declared metadata; neither inspects the attachment content.
7947 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
7948 | meta __ISO_ATTACH_MT 0 | |
7949 | endif | |
7950 | ||
7951 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7952 | mimeheader __ISO_ATTACH_MT Content-Type =~ m,\bapplication/x-iso9660-image\b,i | |
7953 | endif | |
7954 | ||
# Reassurance that a deal is legal/legitimate/safe, in English, Spanish and French.
7955 | body __IS_LEGAL /\b(?:(?:(this|esta)\s(?:deal|offer|transac[tc]i(?:o|[\xc3][\xb3])n|proposal|exchange|arrangement|work)|it)?\s[ie]s\s(?:(?:guaranteed|completely|absolutely|perfectly|100%|very|fully)\s)?(?:legal|hitch-free|seguro|legitimate)|legitimate\sarrangement|toute?\sl(?:e|=E9|[\xe9]|[\xc3][\xa9])gale)\b/i | |
7956 | ||
# "." in "Cote\s?D.Ivoire" accepts any apostrophe variant.
7957 | body __IVORY_COAST /\b(?:Cote\s?D.Ivoire|Ivory\s?Coast|Costa\sde\sMarfil)\b/i | |
7958 | ||
7959 | body __I_INHERIT /\b(?:I|eu)\s[a-z\s]{0,30}(?:inherited|herdei)\b/i | |
7960 | ||
7961 | body __I_WILL_YOU /\bwill(?:ed)?\s(?:[a-z\s]{0,20}(?:fortune|money|\$[\d,]+[a-z]{0,9})\s)?to\syou\b/i | |
7962 | ||
# Date header ends in the " +0000" zone offset.
7963 | header __JM_REACTOR_DATE Date =~ / \+0000$/ | |
7964 | ||
# Unanchored: image/jpeg or image/jpg anywhere in a part's Content-Type.
7965 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7966 | mimeheader __JPEG_ATTACH Content-Type =~ /image\/jpe?g/i | |
7967 | endif | |
7968 | ||
# A MIME part declaring a UTF-7 charset (also in the "unicode-N-N-utf-7" spelling).
7969 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
7970 | mimeheader __KAM_BLOCK_UTF7_2 Content-Type =~ /charset=(?:unicode-\d+-\d+-)?utf-7/i | |
7971 | endif | |
7972 | ||
# Body-length thresholds (1024, 128, 256, 512 bytes). Each is defined only when the BodyEval
# plugin is loaded and it reports the check_body_length function; the __LCL__ aliases later
# in the file supply constant-0 fallbacks for three of them.
7973 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
7974 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
7975 | body __KAM_BODY_LENGTH_LT_1024 eval:check_body_length('1024') | |
7976 | describe __KAM_BODY_LENGTH_LT_1024 The length of the body of the email is less than 1024 bytes. | |
7977 | endif | |
7978 | endif | |
7979 | ||
7980 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
7981 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
7982 | body __KAM_BODY_LENGTH_LT_128 eval:check_body_length('128') | |
7983 | describe __KAM_BODY_LENGTH_LT_128 The length of the body of the email is less than 128 bytes. | |
7984 | endif | |
7985 | endif | |
7986 | ||
7987 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
7988 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
7989 | body __KAM_BODY_LENGTH_LT_256 eval:check_body_length('256') | |
7990 | describe __KAM_BODY_LENGTH_LT_256 The length of the body of the email is less than 256 bytes. | |
7991 | endif | |
7992 | endif | |
7993 | ||
7994 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
7995 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
7996 | body __KAM_BODY_LENGTH_LT_512 eval:check_body_length('512') | |
7997 | describe __KAM_BODY_LENGTH_LT_512 The length of the body of the email is less than 512 bytes. | |
7998 | endif | |
7999 | endif | |
8000 | ||
# HTMLEval 'font_invalid_color' test, constant 0 when the plugin is not loaded.
8001 | if !plugin(Mail::SpamAssassin::Plugin::HTMLEval) | |
8002 | meta __KAM_HTML_FONT_INVALID 0 | |
8003 | endif | |
8004 | ||
8005 | ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
8006 | body __KAM_HTML_FONT_INVALID eval:html_test('font_invalid_color') | |
8007 | endif | |
8008 | ||
# Lottery paperwork vocabulary (ticket/serial/lucky number, pin code, batch number, ...).
8009 | body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is | |
8010 | ||
# Raw Date header value begins with a tab.
8011 | header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t/ | |
8012 | ||
# Message-Id of the form <8 hex $ 8 hex $ 8 hex @...>, lowercase hex only (no /i).
8013 | header __KB_MSGID_OUTLOOK_888 Message-Id =~ /^<[0-9a-f]{8}(?:\$[0-9a-f]{8}){2}\@/ | |
8014 | ||
# True when none of the listed From-name sub-rules matched.
8015 | meta __KHOP_NO_FULL_NAME !(__NOT_A_PERSON || __FROM_ENCODED_QP || __FROM_NEEDS_MIME || __FROM_FULL_NAME) | |
8016 | ||
# A three-digit percentage followed by " after"; up to four hits counted, constant 0 when
# feature_bug6558_free is not available.
8017 | if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) | |
8018 | meta __LARGE_PERCENT_AFTER 0 | |
8019 | endif | |
8020 | ||
8021 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8022 | body __LARGE_PERCENT_AFTER /\d{3}% after/i | |
8023 | tflags __LARGE_PERCENT_AFTER multiple maxhits=4 | |
8024 | endif | |
8025 | ||
# __LCL__ aliases: each mirrors another sub-rule when the plugin (and, for the body-length
# ones, the check_body_length function) is available, and is constant 0 otherwise. Metas
# that use the alias therefore always have a defined operand. Aliases are defined here for
# the 1024, 128 and 512 byte thresholds.
8026 | if !plugin(Mail::SpamAssassin::Plugin::HeaderEval) | |
8027 | meta __LCL__ENV_AND_HDR_FROM_MATCH 0 | |
8028 | endif | |
8029 | ||
8030 | ifplugin Mail::SpamAssassin::Plugin::HeaderEval | |
8031 | meta __LCL__ENV_AND_HDR_FROM_MATCH __ENV_AND_HDR_FROM_MATCH | |
8032 | endif | |
8033 | ||
# Three cases per threshold: plugin missing, plugin present without the function,
# plugin present with the function.
8034 | if !plugin(Mail::SpamAssassin::Plugin::BodyEval) | |
8035 | meta __LCL__KAM_BODY_LENGTH_LT_1024 0 | |
8036 | endif | |
8037 | ||
8038 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8039 | if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) | |
8040 | meta __LCL__KAM_BODY_LENGTH_LT_1024 0 | |
8041 | endif | |
8042 | endif | |
8043 | ||
8044 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8045 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
8046 | meta __LCL__KAM_BODY_LENGTH_LT_1024 __KAM_BODY_LENGTH_LT_1024 | |
8047 | endif | |
8048 | endif | |
8049 | ||
8050 | if !plugin(Mail::SpamAssassin::Plugin::BodyEval) | |
8051 | meta __LCL__KAM_BODY_LENGTH_LT_128 0 | |
8052 | endif | |
8053 | ||
8054 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8055 | if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) | |
8056 | meta __LCL__KAM_BODY_LENGTH_LT_128 0 | |
8057 | endif | |
8058 | endif | |
8059 | ||
8060 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8061 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
8062 | meta __LCL__KAM_BODY_LENGTH_LT_128 __KAM_BODY_LENGTH_LT_128 | |
8063 | endif | |
8064 | endif | |
8065 | ||
8066 | if !plugin(Mail::SpamAssassin::Plugin::BodyEval) | |
8067 | meta __LCL__KAM_BODY_LENGTH_LT_512 0 | |
8068 | endif | |
8069 | ||
8070 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8071 | if !(can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length)) | |
8072 | meta __LCL__KAM_BODY_LENGTH_LT_512 0 | |
8073 | endif | |
8074 | endif | |
8075 | ||
8076 | ifplugin Mail::SpamAssassin::Plugin::BodyEval | |
8077 | if can(Mail::SpamAssassin::Plugin::BodyEval::has_check_body_length) | |
8078 | meta __LCL__KAM_BODY_LENGTH_LT_512 __KAM_BODY_LENGTH_LT_512 | |
8079 | endif | |
8080 | endif | |
8081 | ||
# LinkedIn-hosted image in a message that no external relay with a linkedin.com rdns handled.
46cfc9e2 SI |
8082 | meta __LINKED_IMG_NOT_RCVD_LINK __URI_IMG_LINKEDIN && !__HDR_RCVD_LINKEDIN |
8083 | ||
# List-Unsubscribe present but List-Id absent.
b780ea8d SI |
8084 | meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID |
8085 | ||
8086 | meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1 | |
8087 | ||
8088 | meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR | |
8089 | ||
# Case-sensitive: L, M or 3 followed by 26-33 characters of the Base58 alphabet
# (no 0, O, I or l), not directly preceded by "=".
8090 | body __LITECOIN_ID /\b(?<!=)[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b/ | |
8091 | ||
# URL whose second host label onward does not begin with "paypal.com".
# NOTE(review): the (?!paypal\.com) lookahead is evaluated only at the label after the first
# dot and is not anchored to the end of the hostname, so it tests a prefix of the remaining
# host, not the registered domain. Confirm the metas using this sub-rule do not rely on it
# alone to decide whether a link points at PayPal.
8092 | uri __LOCAL_PP_NONPPURL m'https?://(?:[A-Za-z0-9-_]+)\.(?!paypal\.com)(?:[A-Za-z0-9-_\.]+)'i | |
8093 | ||
# Threats that the mailbox will be locked, deactivated, deleted or lose mail, in English,
# Swedish, Portuguese and Polish; accented letters are given in quoted-printable, Latin-1
# and UTF-8 byte forms. Up to two hits are counted.
8094 | body __LOCK_MAILBOX /\b(?:(?:deactivate|lock(?: up)?|lose ac+ess to|los[se] (?:of )?(?:important )?(?:information|mail|messages) in) (?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|your (?:mail\s?box|(?:(?:web ?|e-?)mail)(?: account)?) (?:(?:will|may) be(?:come)? )?(?:in-?a(?:ctive|cess[ia]ble)|locked|disabled|deleted|removed)\b|ditt konto vara "?deaktiverad"?|begr(?:=E4|\xe4|[\xc3][\xa4])nsad tillg(?:=E5|[\xe5]|[\xc3][\xa5])ng till din brevl(?:=E5|[\xe5]|[\xc3][\xa5])da|contas? de (?:web ?|e-?)mail (?:ser(?:=E1|[\xe1]|[\xc3][\xa1]) (?:desativado|exclu(?:=ED|[\xed]|[\xc3][\xad])do)|(?:=E9|[\xe9]|[\xc3][\xa9]) exclu(?:=ED|[\xed]|[\xc3][\xad])do)|destruir a sua caixa de (?:correio|entrada)|tw(?:=F3|[\xf3])j konto zostalo ograniczone|straci swoje e-?mail na sta[\xc5][\x82]e|konto zostanie automatycznie wy[\xc5][\x82][\xc4][\x85]czona|e-?mail account[^.]{0,30}deactivated (?:in|from) our (?:database|system|server)|you will be deactivated|(?:account|e?-?mail(?: ?box)?) (?:will (?:be )?)?(?:shut ?down|expire|deactivate)|we have (?:stopped|suspended) (?:processing|accepting) (?:any )?(?:incoming|new|fresh) email)/i | |
8095 | tflags __LOCK_MAILBOX multiple maxhits=2 | |
8096 | ||
# Whole-message test: some line has at least 998 characters with no CR or LF.
8097 | full __LONGLINE /^[^\r\n]{998}/m | |
8098 | ||
# A <div> hidden with visibility:hidden or display:none, immediately followed by 1400
# characters containing neither whitespace nor "<". The style value must be exactly that
# one declaration inside double quotes.
8099 | rawbody __LONG_INVIS_DIV /<div\s+style\s*=\s*"(?:(?<!-)visibility\s*:\s*hidden|display\s*:\s*none)\s*">[^<\s]{1400}/i | |
8100 | ||
8101 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8102 | meta __LONG_STY_INVIS __STY_INVIS && __LONGLINE | |
8103 | endif | |
8104 | ||
# Large-money-amount sub-rules 00 to 05. Every one is defined twice: constant 0 when
# ReplaceTags is not loaded, and a tag-based body pattern when it is. <CURRENCY>,
# <NUM_NOT_DATE>, <NUM_NOT_DATE_IP>, <O> and <GB_UK> are ReplaceTags placeholders whose
# definitions are outside this part of the file. "O"/"o" inside the digit classes accepts
# the letter used in place of zero.
8105 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8106 | meta __LOTSA_MONEY_00 0 | |
8107 | endif | |
8108 | ||
# 00: currency marker, then a number with one thousands group (n,nnn or n.nnn).
8109 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8110 | body __LOTSA_MONEY_00 /<CURRENCY>[\s\.]?<NUM_NOT_DATE>[\dOo][,\.][\dOo]{3}(?:(?!\d)|\b)/ | |
8111 | endif | |
8112 | ||
8113 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8114 | meta __LOTSA_MONEY_01 0 | |
8115 | endif | |
8116 | ||
# 01: "sum of" or a currency marker, then a long digit run; a trailing ".00" is excluded.
8117 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8118 | body __LOTSA_MONEY_01 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)[\s\.]?<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo](?<!\.00)\b/ | |
8119 | endif | |
8120 | ||
8121 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8122 | meta __LOTSA_MONEY_02 0 | |
8123 | endif | |
8124 | ||
# 02: long digit run followed by the currency (marker or word).
8125 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8126 | body __LOTSA_MONEY_02 /(?<![-\d])<NUM_NOT_DATE_IP>[\d.,\sOo]{5,20}[\dOo][\)\]\(]?\s?(?:<CURRENCY>|Pounds|(?i:dollars?|bucks))\b/ | |
8127 | endif | |
8128 | ||
8129 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8130 | meta __LOTSA_MONEY_03 0 | |
8131 | endif | |
8132 | ||
# 03: short number followed by a magnitude word (M, million, hundred, thousand, ...).
8133 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8134 | body __LOTSA_MONEY_03 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)<NUM_NOT_DATE>[\d.,\sOo]{0,5}[\)\]]?\s?(?i:M(?i:il+)?\b|mil+(?i:io|<O>)n|hund?[re]+a?[dt]|thousand|tausend|milh[\xf5]es)/ | |
8135 | endif | |
8136 | ||
8137 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8138 | meta __LOTSA_MONEY_04 0 | |
8139 | endif | |
8140 | ||
# 04: a magnitude written in words or with "M"/"mln", then within 50 characters a currency
# name (several languages).
8141 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8142 | body __LOTSA_MONEY_04 /(?:(?<![-\d])<NUM_NOT_DATE>[\d\.,]{0,4}(?:M|\smilli?one?s|\s?mln)|million(?!s)|mill<O>n|hund?rea?d(?!s)[^\.]{1,25}thousand(?!s)|cents?[^\.]{1,25}mille|hundert[^\.]{1,30}tausend|ientos?[^\.]{1,20}mil|cent[a-z\s]{1,20}mil\s[a-z]{1,20}centos)[^\.\$]{0,50}?(?:(?:U\.?\s?S\.?\s?(?:A\.?\s?)?|united\s?states\s|E\.\s?U\.\s|canad(?:ian|a)\s|(?:ia\s)?de\s)?d(?:[o\xf3]|[\xc3][\xb3])l+are?s?|\bbucks|USD|GBP|<GB_UK>\spounds?|(?:<GB_UK>\s)?pounds?\ssterling|pounds(?!\sof)|(?:d'\s?)?euros?|francs?)\b/i | |
8143 | endif | |
8144 | ||
8145 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8146 | meta __LOTSA_MONEY_05 0 | |
8147 | endif | |
8148 | ||
# 05: "sum/value/amount of", a long digit run, then a currency word.
8149 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8150 | body __LOTSA_MONEY_05 /(?:(?:sum|value|amount)\sof\s)<NUM_NOT_DATE_IP>[\d.,\sO]{7,20}[\dO\.][\)\]\(\s]{0,3}(?:pounds?|dollars?|euros?|bucks)\b/i | |
8151 | endif | |
8152 | ||
# "The message says it is about a lottery": any of three wording/URI sub-rules or either
# attachment-name sub-rule.
8153 | meta __LOTTO_ADMITS __LOTTO_ADMITS_1 || __LOTTO_ADMITS_2 || __LOTTO_ADMITS_3 || __LOTTO_ATTACH_1 || __LOTTO_ATTACH_2 | |
8154 | ||
# A qualifier (online, national, brand or sponsor name, ...), up to three filler words, then
# a lottery/sweepstakes/promotion/jackpot word.
8155 | body __LOTTO_ADMITS_1 /\b(?:on-?line|e-?mail|ballot|(?:inter)?national|state|(?:UK|euro)[- ]?(?:mil+ions?|PW)|Canada|Microsoft|MSN|internet|mega|jackpot+|Royal Heritage|foundation|cash\sgrant|mercato|univers|staatsloterij|bill\s?gates|Olympics?|swiss|this|est[ea]|internationaux de gagnants de)(?:\s(?!lot|swe|prom)\w{1,20}){0,3}\s?(?:lot(?:to|t+ery|eri[ea])|sweepstakes?|promo(?:tion|cao|cion)?|jackpot+)\b/i | |
8156 | ||
8157 | body __LOTTO_ADMITS_2 /\b(?:free)?(?:lot(?:to|tery|erie)|sweepstakes)\s(?:(?:inter)?na[tz]ional|department|bureau|group|award|microsoft)/i | |
8158 | ||
# Any URI containing "lottery" (one or more t's).
8159 | uri __LOTTO_ADMITS_3 /lott+ery/i | |
8160 | ||
8161 | meta __LOTTO_AGENT __LOTTO_AGENT_01 || __LOTTO_AGENT_02 | |
8162 | ||
# A claims/payment/remittance role followed by agent, manager, officer, secretary or
# director; "memory grants" and "grants manager" are excluded by the lookarounds.
8163 | body __LOTTO_AGENT_01 /\b(?:(?:(?:the|y?our)(?:\s\w{1,20})?|contact|accredited|listed)\sclaim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:prize|international|intl|foreign|win+ing)(?:[\s,.]+(?:rem+it+ance|settlement|payment|payout|award|transfer))+|payment|payout|immunity|(?<!memory\s)grants?(?!\smanager))\s?(?:agent|manager|officer|secretary|director|mgr\b)/i | |
8164 | ||
8165 | body __LOTTO_AGENT_02 /\blot+ery[^\.]{1,40} ticket agent/i | |
8166 | ||
# The same role wording in the Reply-To header, with "_" and "." accepted as separators.
8167 | header __LOTTO_AGENT_RPLY Reply-To =~ /(?:claim(?:s|ing)?(?:[\s_.]processing)?|fiducia\w+|dispatch|reimbursement|payout|prize\stransfer|(?:international|foreign|win+ing)[\s_.]rem+it+ance)[\s_.]?(?:agent|manager|officer|secretary|director|department|dept)/i | |
8168 | ||
# "lotto"/"lottery" anywhere in a part's Content-Type or Content-Disposition; constant 0
# when MIMEHeader is not loaded.
8169 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8170 | meta __LOTTO_ATTACH_1 0 | |
8171 | endif | |
8172 | ||
8173 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8174 | mimeheader __LOTTO_ATTACH_1 Content-Type =~ /lott(?:o|ery)/i | |
8175 | endif | |
8176 | ||
8177 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8178 | meta __LOTTO_ATTACH_2 0 | |
8179 | endif | |
8180 | ||
8181 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8182 | mimeheader __LOTTO_ATTACH_2 Content-Disposition =~ /lott(?:o|ery)/i | |
8183 | endif | |
8184 | ||
8185 | body __LOTTO_DEPT /\b(?:claim(?:s|ing)?(?:\sprocessing)?|fiducia\w+|reimbursement|(?:international|foreign|win+ing)(?:\s(?:rem+it+ance|settlement|payment|award))+|payment|award|compensation|lot+ery)(?:\s\w+)?\s?(?:department|dept|unit|group|committee|bureau)/i | |
8186 | ||
8187 | body __LOTTO_RELATED /\b(?:lot+(?:o|ery)|sweepstakes)\s(?:prize|draw(?:s|ing)?|(?:ge)?win(?:n?er|n?ing)?|jackpot+|award|fund|com+it+e+|com+is+ion|guild|promotion|promocao|program|day|online|company|(?:in)?corporat|agent|co[-,]?ordinator|team)/i | |
8188 | ||
8189 | body __LOTTO_VERIFY /\bpromo\sverification/i | |
8190 | ||
# "claim/process/transfer ... your winnings/prize/funds" in several languages.
8191 | body __LOTTO_WINNINGS /\b(?:claim|process(?:ing)?|transfert?(?:\s\w+)?|redeem|payment|virement|zahlung|reivindicar|demandar|remise)\s(?:(?:[a-z]{1,5}\s)?(?:your|of|the|this|de|ihrer|seu|tu)\s)+(?:win+ings?|money|(?:cash\s)?prize|award|f[ou]nds?|grant|gewinne|premio|gain)\b/i | |
8192 | ||
8193 | body __LOTTO_WIN_01 /\bwin+ing\s(?:prize|number|notification|draw|check|cheque|details|information|payment)/i | |
8194 | ||
8195 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8196 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8197 | body __LOWER_E /e/ | |
8198 | tflags __LOWER_E multiple maxhits=230 | |
8199 | endif | |
8200 | endif | |
8201 | ||
8202 | body __LUCKY_WINNER /\b(?:lucky|gl.cklich(?:en)?|afortunados)\s(?:(?:ge)?win+ers?|ganador(?:es)?|individuals?)\b/i | |
8203 | ||
8204 | body __LUCRATIVE /\b(?:lucrative|profitable|tr[\xe8]s\ssalutaire)\b/i | |
8205 | ||
fc5290a3 | 8206 | header __LUNSUB_BEFORE_SUBJDT ALL =~ /^List-unsubscribe: (?:[^\n]+\n+){1,40}^(?:Subject|Date): /ism |
46cfc9e2 | 8207 | |
b780ea8d SI |
8208 | rawbody __L_BODY_8BITS /[\x80-\xff]/ |
8209 | ||
8210 | header __L_CTE_7BIT Content-Transfer-Encoding =~ /^7bit$/ | |
8211 | ||
dfdd1e08 SI |
8212 | header __L_CTE_8BIT Content-Transfer-Encoding =~ /^8bit$/ |
8213 | ||
b780ea8d SI |
8214 | body __MAILBOX_FULL /\b(?:you(?:r (?:mail\s?box|(?:e-?|web ?)mail))? (?:is (?:almost )?full|quota is running low|(?:quota )?ha(?:s|ve) (?:reached|exceeded|passed) (?:the|your|it'?s?) (?:university )?(?:size|storage|set|(?:e-?|web ?)mail|quota|folder|mail ?box)[\/\s](?:limit |quota |account )+)|over your mail\s?box (?:size )?(?:limit|quota)|maximum mail\s?box (?:size )?(?:limit|quota) exceeded|sua (?:conta|caixa) de (?:(?:e-?|web ?)mail|correio) (?:excedeu (?:sua|o) limite|est(?:=E1|[\xe1]|[\xc3][\xa1]) quase cheio))\b/i |
8215 | ||
8216 | body __MAILBOX_FULL_SE /(?:\b=F6|[\xf6]|[\xc3][\xb6])verskridit gr(?:=E4|[\xe4]|[\xc3][\xa4])nsen f(?:=F6|[\xf6]|[\xc3][\xb6])r din postl(?:=E5|[\xe5]|[\xc3][\xa5])da\b/i | |
8217 | ||
8218 | header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/ | |
8219 | ||
8220 | body __MAIL_ACCT_ACCESS1 /\b(?:your (?:web ?|e-?)?mail (?:account|log-?in) (?:has )?been accessed|r(?:=F3|[\xf3])zne komputery zalogowaniu sie)\b/i | |
8221 | ||
8222 | body __MAIL_ACCT_ACCESS2 /\blo+se ac+es+ to your (?:web|e-?)?mail ?(?:account|log-?in|box|address)\b/i | |
8223 | ||
8224 | uri __MAIL_LINK /\?.{0,200}\w\@[\w-]{1,20}.\w\w\w?\b/i | |
8225 | tflags __MAIL_LINK nice | |
8226 | ||
8227 | body __MAKE_XTRA_DOLLAR /\bmake an extra dollar\b/i | |
8228 | ||
8229 | header __MALF_MIME_VER MIME-Version =~ /^1\.0\S/ | |
8230 | ||
8231 | meta __MALWARE_NORDNS __MY_MALWARE && __RDNS_NONE | |
8232 | ||
8233 | meta __MALWARE_PASSWORD __MY_MALWARE && __PASSWORD | |
8234 | ||
8235 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8236 | meta __MALW_ATTACH __MALW_ATTACH_01_01 || __MALW_ATTACH_01_02 || __MALW_ATTACH_02_01 || __MALW_ATTACH_02_02 | |
8237 | endif | |
8238 | ||
8239 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8240 | meta __MALW_ATTACH_01_01 0 | |
8241 | endif | |
8242 | ||
# __MALW_ATTACH_01_01: a MIME part whose Content-Disposition filename ends in
# ".SettingContent-ms" (case-insensitive). Two parameter spellings are accepted:
#   filename=NAME or filename="NAME"
#   filename*=NAME or filename*N*=NAME, with an optional UTF-8'' prefix
# Only defined when the MIMEHeader plugin is loaded; the preceding
# "if !plugin" stanza pins the rule to 0 otherwise.
8243 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8244 | mimeheader __MALW_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]+|\*(?:\d+\*)?=(?:UTF-8'')?\S+)\.SettingContent-ms\b/i | |
8245 | endif | |
8246 | ||
8247 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8248 | meta __MALW_ATTACH_01_02 0 | |
8249 | endif | |
8250 | ||
# __MALW_ATTACH_01_02: Content-Type counterpart of __MALW_ATTACH_01_01; fires on
# a name= parameter ending in ".SettingContent-ms" (case-insensitive).
# NOTE(review): unlike __MALW_ATTACH_01_01 this pattern has no alternative for
# the extended "name*=" / "name*N*=" parameter form. Confirm whether the
# MIMEHeader plugin normalises such parameters before matching; if it does not,
# the two rules do not cover the same set of spellings.
8251 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8252 | mimeheader __MALW_ATTACH_01_02 Content-Type =~ /\bname="?[^"]+\.SettingContent-ms\b/i | |
8253 | endif | |
8254 | ||
8255 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8256 | meta __MALW_ATTACH_02_01 0 | |
8257 | endif | |
8258 | ||
# __MALW_ATTACH_02_01: Content-Disposition filename that ends in an archive or
# disk-image extension (ace, zip, rar, r17, z/7z/gz, iso) and whose stem ends in
# either a billing lure word (invoice, statement, payment, payment advice) or a
# second, document/image-looking extension (pdf, img, png, gif, jpg/jpeg)
# introduced by ".", ",", "_" or a middle dot (raw UTF-8 bytes C2 B7, or
# percent-encoded as %C2%B7).
# NOTE(review): the final class [";$] matches a literal double quote, semicolon
# or dollar sign. "$" is not an anchor inside a character class, so a filename
# that is the last thing in the header value and is not quoted is not matched.
# If end-of-value was intended, the terminator should read (?:[";]|$).
8259 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
cabe596e | 8260 | mimeheader __MALW_ATTACH_02_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:invoice|statement|payment(?: advice)?|(?:[.,_]|%C2%B7|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i |
b780ea8d SI |
8261 | endif |
8262 | ||
8263 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8264 | meta __MALW_ATTACH_02_02 0 | |
8265 | endif | |
8266 | ||
# __MALW_ATTACH_02_02: Content-Type name= counterpart of __MALW_ATTACH_02_01:
# same lure words, same inner-extension list, same archive/disk-image
# extensions.
# NOTE(review): two differences from __MALW_ATTACH_02_01 are visible in the
# patterns: there is no "name*=" extended-parameter alternative and no
# percent-encoded %C2%B7 alternative for the middle dot. Confirm whether that
# asymmetry is intended.
# NOTE(review): as in __MALW_ATTACH_02_01, "$" inside [";$] is a literal dollar
# sign, not an end-of-string anchor; use (?:[";]|$) if end-of-value was meant.
8267 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
cabe596e | 8268 | mimeheader __MALW_ATTACH_02_02 Content-Type =~ /\bname="?[^"]*(?:invoice|statement|payment(?: advice)?|(?:[.,_]|[\xc2][\xb7])(?:pdf|img|png|gif|jpe?g))\.(?:ace|zip|rar|r17|[7g]?z|iso)[";$]/i |
b780ea8d SI |
8269 | endif |
8270 | ||
8271 | meta __MANY_HDRS_LCASE __HDRS_LCASE > 1 | |
8272 | ||
8273 | meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4) | |
8274 | ||
b780ea8d SI |
8275 | header __MID_START_001C Message-ID =~ /^<000001c/ |
8276 | ||
8277 | body __MILLIONS /\bmillions\sof\s(?:dollar|euro|pound)/i | |
8278 | ||
8279 | header __MIMEOLE_1106 X-MimeOLE =~ /^Produced By Microsoft MimeOLE V6.00.2800.1106$/ | |
8280 | ||
8281 | meta __MIMEOLE_DIRECT_TO_MX __HAS_MIMEOLE && __DOS_DIRECT_TO_MX | |
8282 | ||
8283 | header __MIME_BDRY_0D0D Content-Type =~ /boundary="-{12}(?:0[1-9]){12}/ | |
8284 | ||
8285 | if !((version >= 3.004000)) | |
8286 | meta __MIME_CTYPE_IN_BODY 0 | |
8287 | endif | |
8288 | ||
8289 | if (version >= 3.004000) | |
8290 | body __MIME_CTYPE_IN_BODY /^Content-Type:\s/ | |
8291 | endif | |
8292 | ||
8293 | if !((version >= 3.004000)) | |
8294 | meta __MIME_MALF 0 | |
8295 | endif | |
8296 | ||
8297 | if (version >= 3.004000) | |
8298 | meta __MIME_MALF __CTYPE_MULTIPART_ANY && __MIME_CTYPE_IN_BODY | |
8299 | endif | |
8300 | ||
8301 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8302 | meta __MIME_NO_TEXT 0 | |
8303 | endif | |
8304 | ||
8305 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8306 | meta __MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH) | |
8307 | endif | |
8308 | ||
8309 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
8310 | rawbody __MIME_QPC eval:check_for_mime('mime_qp_count') | |
8311 | endif | |
8312 | ||
8313 | header __MISSING_REF References =~ /^UNSET$/ [if-unset: UNSET] | |
8314 | ||
8315 | header __MISSING_REPLY In-Reply-To =~ /^UNSET$/ [if-unset: UNSET] | |
8316 | ||
8317 | rawbody __MIXED_AREA_CASE /<(?!AREA|area)[Aa][Rr][Ee][Aa]\s/ | |
8318 | ||
8319 | rawbody __MIXED_CENTER_CASE /<(?!CENTER|center)[Cc][Ee][Nn][Tt][Ee][Rr]>/ | |
8320 | ||
8321 | rawbody __MIXED_FONT_CASE /<(?!FONT|font)[Ff][Oo][Nn][Tt]\s/ | |
8322 | ||
8323 | rawbody __MIXED_HREF_CASE_JH /<[Aa](?i:rea)?\s+(?!HREF|href)[Hh][Rr][Ee][Ff]=/ | |
8324 | ||
8325 | rawbody __MIXED_IMG_CASE_JH /<(?!IMG|img)[Ii][Mm][Gg]\s/ | |
8326 | ||
8327 | header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/ | |
8328 | ||
8329 | meta __MONERO (__MONERO_ID || __MONERO_CURNCY || __URI_MONERO || __FUZZY_MONERO) | |
8330 | ||
8331 | body __MONERO_CURNCY /Monero \(XMR\)/ | |
8332 | ||
# __MONERO_ID: a word-bounded, case-sensitive token that starts with "4", then
# one of 0-9/A/B, then 93 to 104 Base58 characters (no 0, O, I or l), giving a
# total length of 95 to 106. That range spans the 95-character standard
# address and the 106-character integrated address; intermediate lengths match
# too, and nothing is checksum-validated, so treat a hit as "looks like a Monero
# address", not as a verified one. Tokens that do not begin with "4" are out of
# scope for this rule.
8333 | body __MONERO_ID /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93,104}\b/ | |
8334 | ||
dfdd1e08 SI |
8335 | meta __MONEY_ATM_CARD LOTS_OF_MONEY && __ATM_CARD |
8336 | ||
b780ea8d SI |
8337 | meta __MONEY_FORM LOTS_OF_MONEY && __FILL_THIS_FORM |
8338 | ||
8339 | meta __MONEY_FORM_SHORT LOTS_OF_MONEY && __FILL_THIS_FORM_SHORT | |
8340 | ||
fc5290a3 | 8341 | meta __MONEY_FRAUD_3 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 3) |
b780ea8d | 8342 | |
fc5290a3 | 8343 | meta __MONEY_FRAUD_5 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 5) |
b780ea8d | 8344 | |
fc5290a3 | 8345 | meta __MONEY_FRAUD_8 LOTS_OF_MONEY && (__FRAUD_VQE + __FRAUD_KJV + __FRAUD_IRJ + __FRAUD_NEB + __FRAUD_XJR + __FRAUD_DPR + __FRAUD_BEP + __FRAUD_TDP + __FRAUD_GAN + __FRAUD_IRT + __FRAUD_AON + __FRAUD_WNY + __FRAUD_IPK + __FRAUD_QXX + __FRAUD_IOV + __FRAUD_MLY + __FRAUD_ULK + __FRAUD_BGP + __FRAUD_YWW + __FRAUD_JYG + __FRAUD_XWW + __FRAUD_UUY + __FRAUD_SNT + __FRAUD_JNB + __FRAUD_QFY + __FRAUD_WDR + __FRAUD_WFC + __FRAUD_AUM + __FRAUD_MCQ + __FRAUD_PVN + __FRAUD_FVU + __FRAUD_CKF + __FRAUD_MQO + __FRAUD_TCC + __FRAUD_GBW + __FRAUD_AXF + __FRAUD_THJ + __FRAUD_YQV + __FRAUD_YJA + __FRAUD_YPO + __FRAUD_UOQ + __AFRICAN_STATE + __AGREED_RATIO + __AM_DYING + __ATM_CARD + __BACK_SCRATCH + __BARRISTER + __BENEFICIARY + __COMPENSATION + __CONTACT_ATTY + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL + DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIED_IN + __DIPLOMATIC + __DORMANT_ACCT + __EARLY_DEMISE + EMRCP + __EX_CUSTOMER + __FEES + __FIFTY_FIFTY + __FOUND_YOU + __FRAUD + __FRAUD_PTX + __HUSH_HUSH + __I_INHERIT + __INHERIT_PMT + __INTL_BANK + __INVEST_COUNTRY + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 + __LOTTO_ADMITS + T_LOTTO_AGENT + __LOTTO_DEPT + __LOTTO_RELATED + __LOTTO_VERIFY + T_LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER + __LUCRATIVE + __MILLIONS + __MY_FORTUNE + __NEXT_OF_KIN + __NOT_DEAD_YET + __NOT_SCAM + __OUR_BEHALF + __SCAM + __SHARE_IT + __SUM_OF_FUND + __SURVIVORS + __THEY_INHERIT + __TRTMT_DEFILED + __TRUNK_BOX + __UN + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY + __YOU_ASSIST + __YOU_INHERIT + __YOUR_BANK + __YOUR_FUND + __YOUR_PERM + __YOUR_PROFIT + __YOU_WON + T_LOTTO_AGENT_FM + T_LOTTO_AGENT_RPLY + __PCT_FOR_YOU + __PCT_OF_PMTS + __RANDOM_PICK + __CHARITY > 8) |
b780ea8d SI |
8346 | |
8347 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
8348 | meta __MONEY_FREEMAIL_REPTO LOTS_OF_MONEY && __freemail_hdr_replyto | |
8349 | endif | |
8350 | ||
fc5290a3 SI |
8351 | meta __MONEY_FROM_41 __NSL_RCVD_FROM_41 && LOTS_OF_MONEY |
8352 | ||
b780ea8d SI |
8353 | body __MOVE_MONEY /\b(?:(?:receive|re-?profile|transfer(?:ring|ir|t)?|release|repatriat(?:e|ion)|rapatrier|secure|r(?:e|=E9|[\xe9]|[\xc3][\xa9])clamation|possession|virer|dona(?:te|r)|depositante|dep[\xc3][\xb3]sito)\s(?:th(?:e(?:se)?|is)|d[ae]s|sur ce|de ce[st]|cet|est[eao]s?|del?)|re-?profiling|receive|re-?locat(?:e|ing)(?:\s\w{1,15})?)\s(?:of\s|your\s|the\s){0,2}(?:sums?\sof\s|inheritance\s)?(?:proceeds|funds?|money|balance|account|g[eo]ld|compte|fond[so]{1,2}|dinero|argent)\b/i |
8354 | ||
8355 | meta __MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_MAYBE && __HAS_ANY_URI && __HTML_LINK_IMAGE | |
8356 | ||
8357 | header __MSGID_GUID Message-ID =~ /^<?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\@/i | |
8358 | ||
8359 | header __MSGID_HEXISH Message-ID =~ /^<?OF[0-9A-F]{8}\.[0-9A-F]{8}-ON[0-9A-F]{8}\.[0-9A-F]{8}(?:-[0-9A-F]{8}\.[0-9A-F]{8})?\@/ | |
8360 | ||
8361 | header __MSGID_HEX_UID Message-ID =~ /^<?[0-9A-F]{8}\.[0-9A-F]{2,5}%[a-zA-Z]/ | |
8362 | ||
8363 | header __MSGID_JAVAMAIL Message-ID =~ /\.JavaMail\./ | |
8364 | tflags __MSGID_JAVAMAIL nice | |
8365 | ||
8366 | header __MSGID_LIST Message-ID =~ /-\w+\#[\w.]+\.\w{2,4}\@/ | |
8367 | tflags __MSGID_LIST nice | |
8368 | ||
b780ea8d SI |
8369 | header __MSGID_NOFQDN2 Message-ID =~ /<.*\@[A-Za-z0-9]+>/m |
8370 | ||
8371 | meta __MSMAIL_PRI_ABNORMAL __HAS_MSMAIL_PRI && !__MSMAIL_PRI_NORMAL | |
8372 | ||
8373 | header __MSMAIL_PRI_HIGH X-MSMail-Priority =~ /^(?:high|urgent)$/i | |
8374 | ||
8375 | header __MSMAIL_PRI_NORMAL X-MSMail-Priority =~ /^normal$/i | |
8376 | ||
8377 | meta __MSM_PRIO_REPTO __HAS_MSMAIL_PRI && __HAS_REPLY_TO && __SUBJ_SHORT | |
8378 | ||
8379 | header __MSOE_MID_WRONG_CASE ALL =~ /\nMessage-Id: / | |
8380 | ||
46cfc9e2 SI |
8381 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
8382 | mimeheader __MSO_THEME_MT Content-Type =~ m,\bapplication/vnd.ms-officetheme\b,i | |
8383 | endif | |
8384 | ||
b780ea8d SI |
8385 | header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/ |
8386 | ||
8387 | header __MUA_TBIRD User-Agent =~ /^Mozilla\/(.*) Thunderbird/ | |
8388 | ||
8389 | body __MY_FORTUNE /\b(?:my|his|her)\s(?:fortune|heritage)\b/i | |
8390 | ||
8391 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8392 | body __MY_MALWARE /\b(?:(?:I(?:'ve|\shave)?\s(?:put|set\s?up|installed|buil[td]\sin|placed)\s(?:a\s)?|my\s(?:personal\s|background\s|hidden\s)?)(?:mal+ware|virus|spy\s?ware|trojan|program\srecorded|expl[o0]it|backdoor|(?:sneaky\s|hidden\s|malicious\s)+(?:app|stuff))|(?:application|mal+ware)[^\.]{1,30}(?:enable[sd]|allow(?:s|ed))\sme\sto\s(?:access|control)|I\s(?:contaminated|infected|hacked|toxified|poisoned)\s(?:your|this)\s(?:machine|computer|gadget|(?:smart\s?)?phone|device|email)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|mein\shinterhältiges\sProgramm|I\s?am\s?a\s?hacker|(?:(?:trojan|virus|spyware|mal+ware)\s)+giv(?:es|ing)\sme)\b/i | |
8393 | endif | |
8394 | ||
8395 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8396 | body __MY_MALWARE /(?:^|\s)(?:(?:<I>(?:'<V><E>|\s<H><A><V><E>)?\s(?:<P><U><T><|><S><E><T>\s?<U><P>|<I><N><S><T><A><L><L><E><D>|<B><U><I><L>(?:<T>|<D>)\s<I><N>|<P><L><A><C><E><D>)\s(?:<A>\s)?|<M><Y>\s(?:<P><E><R><S><O><N><A><L>\s|<B><A><C><K><G><R><O><U><N><D>\s|<H><I><D><D><E><N>\s)?)(?:<M><A><L>+<W><A><R><E>|<V><I><R><U><S>|<S><P><Y>\s?<W><A><R><E>|<T><R><O><J><A><N>|<P><R><O><G><R><A><M>\s<R><E><C><O><R><D><E><D>|<E><X><P><L>(?:<O>|0)<I><T>|<B><A><C><K><D><O><O><R>|(?:<S><N><E><A><K><Y>\s|<H><I><D><D><E><N>\s|<M><A><L><I><C><I><O><U><S>\s)+(?:<A><P><P>|<S><T><U><F><F>))|(?:<A><P><P><L><I><C><A><T><I><O><N>|<M><A><L>+<W><A><R><E>)[^\.]{1,30}(?:<E><N><A><B><L><E>(?:<D>|<S>)|<A><L><L><O><W>(?:<S>|<E><D>))\s<M><E>\s<T><O>\s(?:<A><C><C><E><S><S>|<C><O><N><T><R><O><L>)|<I>\s(?:<C><O><N><T><A><M><I><N><A><T><E><D>|<I><N><F><E><C><T><E><D>|<H><A><C><K><E><D>|<T><O><X><I><F><I><E><D>|<P><O><I><S><O><N><E><D>)\s(?:<Y><O><U><R>|<T><H><I><S>)\s(?:<M><A><C><H><I><N><E>|<C><O><M><P><U><T><E><R>|<G><A><D><G><E><T>|(?:<S><M><A><R><T>\s?)?<P><H><O><N><E>|<D><E><V><I><C><E>|<E><M><A><I><L>)|Anwendung\s[^\.]{1,50}\sich\sauf\salle\sIhre\sdarauf\sgespeicherten\sDateien\szugreifen\skann|<M><E><I><N>\s<H><I><N><T><E><R><H><A><L><T><I><G><E><S>\s<P><R><O><G><R><A><M>+|<I>\s?<A><M>\s?<A>\s?<H><A><C><K><E><R>|(?:(?:<T><R><O><J><A><N>|<V><I><R><U><S>|<S><P><Y><W><A><R><E>|<M><A><L>+<W><A><R><E>)\s)+<G><I><V>(?:<E><S>|<I><N><G>)\s<M><E>)[\s\.,]/i | |
8397 | endif | |
8398 | ||
8399 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8400 | body __MY_VICTIM /\b(?:hi|hello),?(?:\smy)?\s(?:victim|prey)\b/i | |
8401 | endif | |
8402 | ||
8403 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8404 | body __MY_VICTIM /(?:<H><I>|<H><E><L><L><O>),?(?:\s<M><Y>)?\s(?:<V><I><C><T><I><M>|<P><R><E><Y>)/i | |
8405 | endif | |
8406 | ||
8407 | header __NAKED_TO To =~ /^[^\s<>]+\@[^\s<>]+$/ | |
8408 | ||
8409 | meta __NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL | |
8410 | ||
8411 | header __NAME_EQ_EMAIL From:raw =~ /([\w+.-]+\@[\w.-]+\.\w\w+)["'`\s]*<\s*\1>/i | |
8412 | ||
8413 | header __NAME_IS_EMAIL From:raw =~ /\w\@[\w.-]+\.\w\w+["'`]*\s*<\w+\@\w/ | |
8414 | ||
dfdd1e08 SI |
8415 | body __NEVER_HEAR_EN /(never hear me again|destroy all your secrets|not bother you again|leave you alone)/i |
8416 | ||
8417 | body __NEVER_HEAR_IT /eliminare tutti i tuoi segreti|Ti garantisco che non ti disturbe/i | |
8418 | ||
b780ea8d SI |
8419 | meta __NEWEGG_IMG_NOT_RCVD_NEGG __URI_IMG_NEWEGG && !__HDR_RCVD_NEWEGG |
8420 | ||
31955ede SI |
8421 | body __NEW_PRODUCTS /\bhere are new products|\b(?:Our company|we) (?:has |have )?(?:(?:recently|just|newly) (?:introduce|release|launche)[ds](?: a| our| the)? (?:new|(?:\w+\s){1,5}below)|a new (?!cat\s|kitten\s|dog\s|puppy\s|pet\s|baby\s|child\s|boy\s|girl\s)(?:\w+\s){1,5} here)|recently,? our company (?:launch|releas)ed|\bI want to recommend a new (?:\w+ ){1,5}(?:we|our)\b|latest version of our (?:stock|product)|\b(?:our|a) new (?:\w+ ){1,3}has (?:recently|just) been released/i |
8422 | ||
b780ea8d SI |
8423 | body __NEXT_OF_KIN /\bnext[-\s]of[-\s]kin\b/i |
8424 | ||
8425 | body __NIGERIA /\bnigeria\b/i | |
8426 | ||
8427 | meta __NOT_A_PERSON __VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO | |
8428 | tflags __NOT_A_PERSON nice | |
8429 | ||
8430 | body __NOT_DEAD_YET /\b(?:will\sinherit|que\sherede|your\sdeath|your?\sbeing\sdead)\b/i | |
8431 | ||
8432 | body __NOT_SCAM /\b(?:not\sa\sscam|(?:not|never)\sscam\syou)\b/i | |
8433 | ||
# __NOT_SPOOFED: evidence that the sender identity is probably genuine. The rule
# is flagged "nice" and has four mutually exclusive definitions, chosen by which
# of the DKIM and SPF plugins are loaded ("!(!plugin(X))" simply means "X is
# loaded"). Every variant is also satisfied by ALL_TRUSTED or by
# !__LAST_EXTERNAL_RELAY_NO_AUTH, both of which are defined elsewhere.
# NOTE(review): the two variants used when the DKIM plugin is NOT loaded
# substitute __DKIM_EXISTS for DKIM_VALID. Its definition is not in this part of
# the file; if it only tests that a signature header is present, those variants
# count an unverified signature as evidence. Rules built on __NOT_SPOOFED are
# then weaker on installs without the DKIM plugin, so confirm before relying on
# it there.
8434 | tflags __NOT_SPOOFED nice | |
8435 | ||
8436 | if !(!plugin(Mail::SpamAssassin::Plugin::DKIM)) | |
8437 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
8438 | meta __NOT_SPOOFED DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, no SPF | |
8439 | endif | |
8440 | endif | |
8441 | ||
8442 | if !(!plugin(Mail::SpamAssassin::Plugin::DKIM)) | |
8443 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
8444 | meta __NOT_SPOOFED SPF_PASS || DKIM_VALID || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # yes DKIM, yes SPF | |
8445 | endif | |
8446 | endif | |
8447 | ||
8448 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
8449 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
8450 | meta __NOT_SPOOFED __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, no SPF. | |
8451 | endif | |
8452 | endif | |
8453 | ||
8454 | if !plugin(Mail::SpamAssassin::Plugin::DKIM) | |
8455 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
8456 | meta __NOT_SPOOFED SPF_PASS || __DKIM_EXISTS || !__LAST_EXTERNAL_RELAY_NO_AUTH || ALL_TRUSTED # no DKIM, yes SPF | |
8457 | endif | |
8458 | endif | |
8459 | ||
8460 | meta __NO_INR_YES_REF (__XM_GNUS || __XM_MSOE5 || __XM_MSOE6 || __XM_MOZ4 || __XM_SKYRI || __XM_WWWMAIL || __UA_GNUS || __UA_KNODE || __UA_MUTT || __UA_PAN || __UA_XNEWS) | |
8461 | ||
# __NSL_ORIG_FROM_41: the X-Originating-IP value starts with "41.", optionally
# preceded by text ending in "[".
# NOTE(review): this reads a header carried in the message itself, whereas
# __NSL_RCVD_FROM_41 reads the X-Spam-Relays-External pseudo-header. The value is
# only as trustworthy as the system that inserted the header, so treat a hit as
# a hint rather than as an established origin. The /8 match is also very
# coarse.
8462 | header __NSL_ORIG_FROM_41 X-Originating-IP =~ /^(?:.+\[)?41\./ | |
8463 | describe __NSL_ORIG_FROM_41 Originates from 41.0.0.0/8 | |
8464 | ||
8465 | header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./ | |
8466 | describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8 | |
8467 | ||
b780ea8d SI |
8468 | header __NUMBERONLY_TLD From:addr =~ /\@[0-9]{4,}(\.[a-z]{2,4})?\.[a-z]+$/i |
8469 | ||
8470 | header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/ | |
8471 | ||
8472 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8473 | meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) ) | |
8474 | endif | |
8475 | ||
8476 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8477 | meta __OBFU_BITCOIN ( __BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) ) | |
8478 | endif | |
8479 | ||
8480 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8481 | meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || __BTC_OBFU_4 || __BTC_OBFU_5 ) ) | |
8482 | endif | |
8483 | ||
8484 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8485 | meta __OBFU_BITCOIN_NOID ( !__BITCOIN_ID && ( __BTC_OBFU_2 || __BTC_OBFU_3 || FUZZY_BITCOIN || __BTC_OBFU_5 ) ) | |
8486 | endif | |
8487 | ||
8488 | body __OBFU_UNSUB_UL /(?:click_here|remove_your|our_e?mail|this_list|to_unsubscribe|future_e?mail|our_list)/ | |
8489 | ||
8490 | if !plugin(Mail::SpamAssassin::Plugin::ImageInfo) | |
8491 | meta __ONE_IMG 0 | |
8492 | endif | |
8493 | ||
8494 | ifplugin Mail::SpamAssassin::Plugin::ImageInfo | |
8495 | body __ONE_IMG eval:image_count('all',1,1) | |
8496 | endif | |
8497 | ||
8498 | header __OPERA_MID_NON_OP Message-ID =~ /^<[^o][^p]\./ | |
8499 | ||
b780ea8d SI |
8500 | body __OUR_BEHALF /\b(?:on\s(?:my|our)\sbehalf|of\sbehalf\sof)\b/i |
8501 | ||
8502 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8503 | mimeheader __PART_CID_STOCK_LESS Content-ID =~ /^<00[a-f0-9]{10}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[A-Za-z]+>$/ | |
8504 | endif | |
8505 | ||
8506 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8507 | mimeheader __PART_STOCK_CD_F Content-Disposition =~ /filename/ | |
8508 | endif | |
8509 | ||
8510 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8511 | mimeheader __PART_STOCK_CID Content-ID =~ /^<[a-f0-9]{12}\$[a-f0-9]{8}\$[a-f0-9]{8}\@[^\s\.]+>$/ | |
8512 | endif | |
8513 | ||
8514 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8515 | mimeheader __PART_STOCK_CL Content-Location =~ /./ | |
8516 | endif | |
8517 | ||
8518 | body __PASSIVE_INCOME /\bpassive income\b/i | |
8519 | ||
8520 | body __PASSWORD /\bp[-\s_]?a[-\s_]?s[-\s_]?s[-\s_]?w[-\s_]?o[-\s_]?r[-\s_]?d\b/i | |
8521 | ||
8522 | body __PASSWORD_EXP_CLUMSY /\bpassword is due for expiration yesterday\b/i | |
8523 | ||
8524 | body __PASSWORD_UPGRADE /\bpassword upgrade\b/i | |
8525 | ||
8526 | body __PAXFUL /\bp-?a+-?x+-?f-?u+-?l\b/i | |
8527 | ||
8528 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8529 | body __PAY_ME /\b(?:pay\sme|(?:(?:send|transmit|give)\s(?:to\s)?me|(?:send(?:en\ssie)?|transfer)\s(?:the\samount\sof|exactly|genau)|I\swant|den\sbetrag\svon|payment\sof)\s(?:[\d,'.\$£]+\s?(?:usd?|eur?(?:os)?|gbp|BTC)?|bitcoin|BTC)|(?:make|perform|send|transmit)\sthe\spayment|amount\sfor\smy\ssilence|(?:pay|fund)\sthis\s(?:bitcoin|monero)[-\s](?:address|wallet|brieftasche)|my bribe(?:ry)?)\b/i | |
8530 | endif | |
8531 | ||
8532 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8533 | body __PAY_ME /(?:^|\s)(?:<P><A><Y>\s<M><E>|(?:(?:<S><E><N><D>|<T><R><A><N><S><M><I><T>|<G><I><V><E>)\s(?:<T><O>\s)?<M><E>|(?:<S><E><N><D>(?:<E><N>\s<S><I><E>)?|<T><R><A><N><S><F><E><R>)\s(?:<T><H><E>\s<A><M><O><U><N><T>\s<O><F>|<E><X><A><C><T><L><Y>|<G><E><N><A><U>)|<I>\s<W><A><N><T>|<D><E><N>\s<B><E><T><R><A><G>\s<V><O><N>|<P><A><Y><M><E><N><T>\s<O><F>)\s(?:[\d,'.\$£]+\s?(?:<U><S><D>?|<E><U><R>?(?:<O><S>)?|<G><B><P>|<B><T><C>)?|<B><I><T><C><O><I><N>|<B><T><C>)|(?:<M><A><K><E>|<P><E><R><F><O><R><M>|<S><E><N><D>|<T><R><A><N><S><M><I><T>)\s<T><H><E>\s<P><A><Y><M><E><N><T>|<A><M><O><U><N><T>\s<F><O><R>\s<M><Y>\s<S><I><L><E><N><C><E>|(?:<P><A><Y>|<F><U><N><D>)\s<T><H><I><S>\s(?:<B><I><T><C><O><I><N>|<M><O><N><E><R><O>)[-\s](?:<A><D><D><R><E><S><S>|<W><A><L><L><E><T>|<B><R><I><E><F><T><A><S><C><H><E>|<M><Y> <B><R><I><B><E>(?:<R><Y>)?))[\s\.,]/i | |
8534 | endif | |
8535 | ||
8536 | body __PAY_YOU /\bpay\syou\b/ | |
8537 | ||
8538 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8539 | meta __PCT_FOR_YOU 0 | |
8540 | endif | |
8541 | ||
8542 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8543 | meta __PCT_FOR_YOU __PCT_FOR_YOU_1 || __PCT_FOR_YOU_2 || __PCT_FOR_YOU_3 || T_SHARE_50_50 | |
8544 | endif | |
8545 | ||
8546 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8547 | meta __PCT_FOR_YOU_1 0 | |
8548 | endif | |
8549 | ||
8550 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8551 | body __PCT_FOR_YOU_1 /<PERCENT>[\s)]{0,3}(?:(?:of\s[\w\s]{0,35}?)?(?:for|to|as)\syour?|(?:[^\s.]{1,15}\s)?an uns beide)/i | |
8552 | endif | |
8553 | ||
8554 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8555 | meta __PCT_FOR_YOU_2 0 | |
8556 | endif | |
8557 | ||
8558 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8559 | body __PCT_FOR_YOU_2 /\b(?:(?:give|offer)\syou|vous\s(?:aurez\sdroit\s(?:=E0|[\xe0])|donnerai|all(?:e|=E9|[\xe9]|[\xc3][\xa9])\srecevoir\sautour\sde)|ihnen)\s<PERCENT>/i | |
8560 | endif | |
8561 | ||
8562 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8563 | meta __PCT_FOR_YOU_3 0 | |
8564 | endif | |
8565 | ||
8566 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8567 | body __PCT_FOR_YOU_3 /\byour?\s(?!can)(?:(?!you)\w{1,15}\s){0,10}(?:(?:share|entiti?le(?:d|ment)?|percentage|fee|assist(?:ance)?|comp[ea]nsat(?:ed?|tion)|reward(?:ed)?|renumerat(?:e|tion)|com+is+ion|paid|deduct|account|tage|(?:will|shall|would|(?:are|stand|going)\sto)\s(?:be\s)?(?:tak(?:e|ing)|earn|get(?:ting)?|remit|subtract|with+old)|(?:deduct|taken?|subtract(?:ed)?)\syour|keep(?:ing)?|receiv(?:e|ing)|retain(?:ing)?|have|half|giv(?:en|ing)|paid|(?:give|pay|offer)\s(?:me|you|him)|bank\saccount|to\s(?:take|use)|(?:time|country)\sand|ratio\sof)(?:\s(?!you)\w{1,15}){0,10})\s(?<!by\s)(?<!up\sto\s)<PERCENT>/i | |
8568 | endif | |
8569 | ||
8570 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
8571 | meta __PCT_OF_PMTS 0 | |
8572 | endif | |
8573 | ||
8574 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8575 | body __PCT_OF_PMTS /<PERCENT>[\s)]+(?:of\s[\w\s]{0,35}?)?(?:of|du|de)\s(?:(?:the|la)\s)?(?:total\s)?(?:payments?|rem+it+ances?|capital|chec(?:k|que)s?|mon(?:ey|ies)|suma?)/i | |
8576 | endif | |
8577 | ||
8578 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8579 | meta __PDF_ATTACH 0 | |
8580 | endif | |
8581 | ||
8582 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8583 | meta __PDF_ATTACH (__PDF_ATTACH_MT || __PDF_ATTACH_FN1 || __PDF_ATTACH_FN2) | |
8584 | endif | |
8585 | ||
8586 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8587 | meta __PDF_ATTACH_FN1 0 | |
8588 | endif | |
8589 | ||
8590 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8591 | mimeheader __PDF_ATTACH_FN1 Content-Type =~ /="[^"]+\.pdf"/i | |
8592 | endif | |
8593 | ||
8594 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8595 | meta __PDF_ATTACH_FN2 0 | |
8596 | endif | |
8597 | ||
8598 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8599 | mimeheader __PDF_ATTACH_FN2 Content-Disposition =~ /="[^"]+\.pdf"/i | |
8600 | endif | |
8601 | ||
8602 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
8603 | meta __PDF_ATTACH_MT 0 | |
8604 | endif | |
8605 | ||
8606 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8607 | mimeheader __PDF_ATTACH_MT Content-Type =~ m,\bapplication/pdf\b,i | |
8608 | endif | |
8609 | ||
8610 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8611 | header __PDS_BTC_ANON From:name =~ /\bAnon/ | |
8612 | endif | |
8613 | ||
8614 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8615 | meta __PDS_BTC_BADFROM ( __PDS_BTC_HACKER || __PDS_BTC_PIRATE ) | |
8616 | endif | |
8617 | ||
8618 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8619 | header __PDS_BTC_HACKER From:name =~ /h<A>ck<E>r/i | |
8620 | endif | |
8621 | ||
8622 | meta __PDS_BTC_ID ( __BITCOIN_ID && !__URL_BTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG) | |
8623 | ||
8624 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
8625 | header __PDS_BTC_PIRATE From:name =~ /p<I>r<A>t<E>/i | |
8626 | endif | |
8627 | ||
8628 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8629 | if (version >= 3.004000) | |
8630 | header __PDS_CASHSHORTENER eval:check_uri_host_listed('PDS_CASHSHORTENER') | |
8631 | endif | |
8632 | endif | |
8633 | ||
8634 | uri __PDS_DOUBLE_URL m;https?://[\S]+(?:\?|=)https?://[\S]+[\w]+$; | |
8635 | ||
8636 | if (version >= 3.004002) | |
8637 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8638 | body __PDS_EXPIRATION_NOTICE /\bexpiration (notice|alert|date)\b/i | |
8639 | endif | |
8640 | endif | |
8641 | ||
# __PDS_FROM_2_EMAILS: the From header shows one e-mail address in the display
# text and a different one inside the angle brackets. Group 1 captures the
# first address-looking string; after at most 80 characters that are not word
# characters, "<" or newline, a "<" must open text that does not begin with the
# captured string and that contains "@".
# The (?!\1) test is a prefix comparison only, and /i makes it case-insensitive.
# Guarded by perl_min_version_5010000, presumably because the pattern uses a
# possessive quantifier (\w++), which needs Perl 5.10 or later.
8642 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
8643 | header __PDS_FROM_2_EMAILS From =~ /(?:^|<|"| )([\w+.-]+\@[\w.-]+\.\w\w++)(?:[^\n\w<]{0,80})?<(?!\1)[^\n\s]*\@/i | |
8644 | endif | |
8645 | ||
8646 | header __PDS_FROM_GMAIL From:addr =~ /\@g(?:oogle)?mail\.com$/i | |
8647 | ||
# __PDS_FROM_NAME_TO_DOMAIN: the From display text begins with a domain-like
# token (captured as group 1) and the To: line that follows contains "@"
# immediately followed by that same token, i.e. the sender presents itself under
# the recipient's own domain name.
# NOTE(review): three properties of the pattern affect accuracy.
#  - "To:" must start the line directly after the From line, so the rule depends
#    on header order.
#  - "From: " is not anchored with ^, so it can also match inside another header
#    name or value that contains that text.
#  - \@\1 is not anchored at the end, so the To domain only has to begin with
#    the captured token.
fc5290a3 | 8648 | header __PDS_FROM_NAME_TO_DOMAIN ALL =~ /From: ["']?([a-z0-9\.-]+\.[0-9a-z\.-]+)["']? [^\n]+\n+To:[^\n]+\@\1/ism |
b780ea8d SI |
8649 | |
# __PDS_GMAIL_MID: the Message-Id ends in "@mail.gmail.com>".
# NOTE(review): the dots in "mail.gmail.com" are unescaped and therefore match
# any character, unlike __PDS_FROM_GMAIL above, which escapes them. Escaping
# them (mail\.gmail\.com) would make the match exact. Message-Id is supplied by
# the sending side, so a hit describes what the message claims, not where it was
# actually generated.
8650 | header __PDS_GMAIL_MID Message-Id =~ /\@mail.gmail.com>$/ | |
8651 | ||
8652 | meta __PDS_GOOGLE_DRIVE_SHARE (__PDS_GOOGLE_DRIVE_SHARE_1 + __PDS_GOOGLE_DRIVE_SHARE_2 + __PDS_GOOGLE_DRIVE_SHARE_3 >= 2) | |
8653 | ||
8654 | header __PDS_GOOGLE_DRIVE_SHARE_1 References =~ /\@docs\-share\.google\.com\>/ | |
8655 | ||
8656 | header __PDS_GOOGLE_DRIVE_SHARE_2 From:addr =~ /^drive\-shares\-noreply\@google\.com$/ | |
8657 | ||
8658 | header __PDS_GOOGLE_DRIVE_SHARE_3 X-Envelope-From:addr =~ /\@doclist\.bounces\.google\.com$/ | |
8659 | ||
8660 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
8661 | meta __PDS_HP_HELO_NODNS (__HELO_HIGHPROFILE && !__HELO_DNS) | |
8662 | tflags __PDS_HP_HELO_NODNS net | |
8663 | endif | |
8664 | ||
8665 | ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
8666 | meta __PDS_HTML_LENGTH_1024 __HTML_LENGTH_0000_1024 | |
8667 | endif | |
8668 | ||
8669 | ifplugin Mail::SpamAssassin::Plugin::HTMLEval | |
8670 | meta __PDS_HTML_LENGTH_2048 __HTML_LENGTH_0000_1024 || __HTML_LENGTH_1024_1536 || __HTML_LENGTH_1536_2048 | |
8671 | endif | |
8672 | ||
8673 | meta __PDS_LITECOIN_ID (__LITECOIN_ID && !__URL_LTC_ID && !__HAS_IMG_SRC_DATA && !__BUGGED_IMG) | |
8674 | ||
8675 | meta __PDS_MSG_1024 (__KAM_BODY_LENGTH_LT_1024 || __PDS_HTML_LENGTH_1024) | |
8676 | ||
8677 | meta __PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512) | |
8678 | ||
8679 | if (version >= 3.004001) | |
8680 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
8681 | meta __PDS_NEWDOMAIN (__FROM_FMBLA_NEWDOM || __FROM_FMBLA_NEWDOM14 || __FROM_FMBLA_NEWDOM28) | |
8682 | tflags __PDS_NEWDOMAIN net | |
8683 | endif | |
8684 | endif | |
8685 | ||
8686 | if (version >= 3.004002) | |
8687 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8688 | body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (United States|USA)/i | |
8689 | endif | |
8690 | endif | |
8691 | ||
8692 | if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) | |
8693 | meta __PDS_QP_1024 0 | |
8694 | endif | |
8695 | ||
8696 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
8697 | meta __PDS_QP_1024 (__MIME_QPC > 0) && (__MIME_QPC < 1024) | |
8698 | endif | |
8699 | ||
8700 | if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) | |
8701 | meta __PDS_QP_128 0 | |
8702 | endif | |
8703 | ||
8704 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
8705 | meta __PDS_QP_128 (__MIME_QPC > 0) && (__MIME_QPC < 128) | |
8706 | endif | |
8707 | ||
8708 | if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) | |
8709 | meta __PDS_QP_512 0 | |
8710 | endif | |
8711 | ||
8712 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
8713 | meta __PDS_QP_512 (__MIME_QPC > 0) && (__MIME_QPC < 512) | |
8714 | endif | |
8715 | ||
8716 | if !plugin(Mail::SpamAssassin::Plugin::MIMEEval) | |
8717 | meta __PDS_QP_64 0 | |
8718 | endif | |
8719 | ||
8720 | ifplugin Mail::SpamAssassin::Plugin::MIMEEval | |
8721 | meta __PDS_QP_64 (__MIME_QPC > 0) && (__MIME_QPC < 64) | |
8722 | endif | |
8723 | ||
8724 | header __PDS_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(mta|mail|mx|smtp)\b\S* /i | |
8725 | ||
8726 | if (version >= 3.004002) | |
8727 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8728 | body __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i | |
8729 | endif | |
8730 | endif | |
8731 | ||
8732 | if (version >= 3.004002) | |
8733 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8734 | body __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i | |
8735 | endif | |
8736 | endif | |
8737 | ||
8738 | if (version >= 3.004002) | |
8739 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8740 | body __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i | |
8741 | endif | |
8742 | endif | |
8743 | ||
8744 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8745 | if (version >= 3.004000) | |
dfdd1e08 | 8746 | meta __PDS_SHORT_URL __SHORT_URL && !__URL_SHORTENER && !ALL_TRUSTED |
b780ea8d SI |
8747 | endif |
8748 | endif | |
8749 | ||
8750 | if (version >= 3.004001) | |
8751 | ifplugin Mail::SpamAssassin::Plugin::AskDNS | |
8752 | tflags __PDS_SPF_ONLYALL net | |
8753 | endif | |
8754 | endif | |
8755 | ||
46cfc9e2 SI |
| # From address is at gmail.com or googlemail.com (__PDS_FROM_GMAIL), yet the Message-Id does not end in "@mail.gmail.com>" (__PDS_GMAIL_MID) and __FSL_RELAY_GOOGLE, defined elsewhere in the file, is false. | |
| # NOTE(review): the Message-Id is sender-controlled, so a forger can satisfy __PDS_GMAIL_MID at will; the relay test is the part of this meta that does not depend on header text the sender writes. Presumably also fires on genuine Gmail users who submit through another client or service - verify against ham before scoring. | |
8756 | meta __PDS_SPOOF_GMAIL_MID __PDS_FROM_GMAIL && !__PDS_GMAIL_MID && !__FSL_RELAY_GOOGLE | |
8757 | ||
b780ea8d SI |
8758 | header __PDS_TONAME_EQ_TOLOCAL To:raw =~ /^\s*['"]?([^'"]+)['"]? <?\1\@/ |
8759 | ||
fc5290a3 SI |
8760 | header __PDS_TO_BRAND_SUBJECT ALL =~ /^To:\s+<?[^\@]+\@([^\.]+)\.(?:[^\n]+\n+)*^Subject: \"?\1\b/ism |
8761 | ||
b780ea8d | 8762 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) |
fc5290a3 | 8763 | header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism |
b780ea8d SI |
8764 | endif |
8765 | ||
8766 | if can(Mail::SpamAssassin::Conf::perl_min_version_5010000) | |
fc5290a3 | 8767 | header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism |
b780ea8d SI |
8768 | endif |
8769 | ||
8770 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8771 | if (version >= 3.004000) | |
dfdd1e08 | 8772 | meta __PDS_TO_SUBJ_URISHRT __TO_IN_SUBJ && __URL_SHORTENER && __PDS_MSG_1024 |
b780ea8d SI |
8773 | endif |
8774 | endif | |
8775 | ||
8776 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8777 | if (version >= 3.004000) | |
dfdd1e08 | 8778 | meta __PDS_URISHORTENER __URL_SHORTENER |
b780ea8d SI |
8779 | endif |
8780 | endif | |
8781 | ||
8782 | meta __PD_CNT_1 (__PUMPDUMP_01+__PUMPDUMP_02+__PUMPDUMP_03+__PUMPDUMP_04+__PUMPDUMP_05+__PUMPDUMP_06+__PUMPDUMP_07+__PUMPDUMP_08+__PUMPDUMP_09+__PUMPDUMP_10) > 0 | |
8783 | ||
8784 | body __PENDING_MESSAGES /\b(?:messages pending|(?:your|\d+[\])}]?) (?:pending|un(?:delivered|received)) (?:messages|e?-?mails))\b/i | |
8785 | ||
8786 | body __PERFECT_BINARY /\bperfect binary option\b/i | |
8787 | ||
| # Attachment whose name ends in .htm/.html but carries a pdf, doc or docx label immediately before it: an HTML file named to look like a document. | |
| # The label may be joined by ".", "_" or a middle dot (raw UTF-8 bytes C2 B7, or percent-encoded as %C2%B7 in the Content-Disposition variant). | |
| # _01_01 reads the Content-Disposition filename parameter, including the filename*= and filename*N*= extended forms with an optional UTF-8'' prefix; _01_02 reads the Content-Type name parameter. | |
| # NOTE(review): in the trailing class the "$" sits inside the brackets, where it is not an end-of-string anchor. If an unquoted name at the very end of the header is meant to match, the class needs to become an alternation with a real end anchor - confirm the intent. | |
8788 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8789 | mimeheader __PHISH_ATTACH_01_01 Content-Disposition =~ /\bfilename(?:="?[^"]*|\*(?:\d+\*)?=(?:UTF-8'')?\S*)(?:\.|%C2%B7|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i | |
8790 | endif | |
8791 | ||
8792 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
8793 | mimeheader __PHISH_ATTACH_01_02 Content-Type =~ /\bname="?[^"]*(?:\.|[\xc2][\xb7]|_)(?:pdf|docx?)\.html?[";$]/i | |
8794 | endif | |
8795 | ||
8796 | meta __PHISH_FBASE_01 (__URI_FIREBASEAPP || __URI_WEBAPP) && __PDS_FROM_NAME_TO_DOMAIN && __MAIL_LINK | |
8797 | ||
8798 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8799 | body __PHOTO_RETOUCHING /\b(?:(?:retouching|(?:image|photo|pic)s? (?:[a-z]{1,15} ){0,3}(?:edit(?:ing|ors)|team|(?:cut+|mask|clip+|clean|crop+|resiz|enhanc|etch)ing|cut+(?:ing)?[-\s]?out|enhancement|manipulation|restoration|compositing|working|(?:color|contrast|brightnes+|background|make-?up) (?:cor+ection|change)|solution|work|services?)|(?<!that\s)(?<!\.\s)your (?:imag(?:es|ing)|pics)|photo\s?shop (?:expert|service)s?|(?:deliver (?:the|your) |(?:(?:send|throw|ship|drop|deliver|give|provide|e-?mail) us|(?:cut+(?:ing)?[-\s]?out|masking|(?:test|edit)(?:ing)?) (?:for|of|on|with)) (?:(?:an?|one|your|some|sample|test|example|the) )+)(?:image|photo|pic)s?|(?:proces+|edit)(?:\sover|\smore th[ae]n)? \d{2,5}\D? (?:image|photo|pic)s|improv(?:e|ing) (?:(?:image|photo|picture|pic) (?:quality|lighting)|(?:(?:image|photo|picture|pic) )?(?:resolution|contrast|background|color))|cor+ecting (?:color|contrast|brightnes+|background))\b|(?:e-?com+erce|website|jew[el]+r(?:[y's]+|ies)|model+(?:s|ing)?|products?|portraits?|graduation['s]*|school['s]*|bab(?:[y's]+|ies)|famil(?:[y's]+|ies)|kids|wedding|beauty|glamou?r|catalog['s]*|store['s]*|shop['s]*|(?:cut+(?:ing)?[-\s]?out|clip+ing\spath|(?:all|any) kinds? of|enhance|retouch|edit(?:ing)?)[,;]?(?:\s[a-z]{1,15}){0,4})\s(?:image|photo|pic)s?(?:[.,?]|$|\sand\b|\sor\b|\setc\b)|\b(?:imag(?:es|ing)|photos)\s\d+$)/i | |
8800 | tflags __PHOTO_RETOUCHING multiple maxhits=5 | |
8801 | endif | |
8802 | ||
8803 | header __PHPMAILER_MUA X-Mailer =~ /^PHPMailer\b/ | |
8804 | ||
8805 | meta __PHP_MUA __PHP_MUA_1 || __PHP_MUA_2 | |
8806 | ||
8807 | header __PHP_MUA_1 X-Mailer =~ /^PHP\s?v?\/?\d\./ | |
8808 | ||
8809 | header __PHP_MUA_2 X-Mailer =~ /^PHP\d$/ | |
8810 | ||
8811 | header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/ | |
8812 | ||
8813 | meta __PHP_ORIG_SCRIPT_SONLY __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B) | |
8814 | ||
8815 | if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) | |
8816 | meta __PILL_PRICE_01 0 | |
8817 | endif | |
8818 | ||
8819 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8820 | body __PILL_PRICE_01 m;(?=[\d .f])(?:free|[\d .]{3}(?:/|per|each)) ?(?=[ptc])(?:pill|tablet|cap(?:sule|let))s?\b;i | |
8821 | tflags __PILL_PRICE_01 multiple maxhits=3 | |
8822 | endif | |
8823 | ||
8824 | if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free)) | |
8825 | meta __PILL_PRICE_02 0 | |
8826 | endif | |
8827 | ||
8828 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
8829 | body __PILL_PRICE_02 /(?=[ptc])(?:pill|tablet|cap(?:sule|let))s[-= :]{1,5}\$?[\d .]{3}/i | |
8830 | tflags __PILL_PRICE_02 multiple maxhits=3 | |
8831 | endif | |
8832 | ||
8833 | body __PLS_REVIEW /\b(?:please|kindly)\s(?:(?:re)?view|see)(?:\s\w+)?\sattach(?:ed|ment)\b/i | |
8834 | ||
8835 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
8836 | header __PLUGIN_FROMNAME_EQUALS_TO eval:check_fromname_equals_to() | |
8837 | endif | |
8838 | ||
8839 | ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof | |
8840 | header __PLUGIN_FROMNAME_SPOOF eval:check_fromname_spoof() | |
8841 | endif | |
8842 | ||
| # URI that points into a CMS plugin, theme, include or static directory (the listed path fragments) and whose last four characters before an optional short query string are not one of the listed image/pdf/svg extensions. | |
| # NOTE(review): presumably intended to spot pages hosted inside such directories on third-party sites rather than ordinary media links - confirm with the rule author. | |
| # NOTE(review): the "includes/" alternative already ends in a slash and the group is followed by another "/", so as written that branch only matches "includes//" - check whether the trailing slash in the alternative is a typo. | |
8843 | uri __PS_TEST_LOC_WP m;/(?:wp-content/plugins|wp-content/themes|wp-includes|modules/mod_wdbanners|includes/|google_recommends|mt-static|data/module)/.{1,128}(?!\.gif|\.jpg|\.png|\.bmp|\.ico|\.pdf|\.svg)[^?]{4}(?:\?[^?]{1,5})?$;i | |
8844 | ||
8845 | body __PUMPDUMP_01 /\b(?:times|multiply|tripl(?:e|ing)|quadrupl(?:e|ing)|quintupl(?:e|ing)) (?:your|an) (?:princip(?:al|le)|investment)\b/i | |
8846 | ||
8847 | body __PUMPDUMP_02 /\b(?:sto[ck]{2}|share price) (?:will |may |is (?:(?:about|poised|positioned|ready) to |gonna ))?(?:triple|quadruple|quintuple|soar|go(?:es?) (?:nuts|crazy|sky high|way up))\b/i | |
8848 | ||
8849 | body __PUMPDUMP_03 /\bbuy (?:[^.!]{1,30} )?(?:(?:(?:mon|tues|wednes|thurs|fri)day|tomorrow) (?:first thing|open|morning)|(?:first thing|opens|before) (?:(?:mon|tues|wednes|thurs|fri)day|tomorrow))/i | |
8850 | ||
8851 | body __PUMPDUMP_04 /\bmake you (?:big bucks|hundreds|thousands)\b/i | |
8852 | ||
8853 | body __PUMPDUMP_05 /\b(?:tripled|quadrupled|quintupled|(?:shares|value|company) (?:go up|increase|has (?:increased|gained)) (?:by|more than) [a-z\s]{0,20}\d+(?: times| percent| ?%)) (?:and that )?in (?:(?:\d|a (?:span of|few)) days|a very short period)\b/i | |
8854 | ||
8855 | body __PUMPDUMP_06 /\brecommend(?:ed|s)? (?:a|this) (?:company|stock)\b/i | |
8856 | ||
8857 | body __PUMPDUMP_07 /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i | |
8858 | ||
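| # Pump-and-dump phrasing: "stock of the year", including the letter-swapped spellings that sto[ck]{2} allows and the "sotk" misspelling. | |
| # Uses a leading \b and a non-capturing group like the other __PUMPDUMP_* rules. The earlier form "\b?(:" made the word boundary optional and the colon literal, so the first branch only matched when the phrase was preceded by ":". | |
| # The hit is summed into __PD_CNT_1. The file header states that local edits are overwritten by the next update, so the correction also belongs in the upstream rule source. | |
8859 | body __PUMPDUMP_08 /\b(?:sto[ck]{2}|sotk) of the year/i | |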
8860 | ||
8861 | body __PUMPDUMP_09 /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i | |
8862 | ||
8863 | body __PUMPDUMP_10 /\btrading at (?:such )?a (?:bargain|cheap|low)\b/i | |
8864 | ||
8865 | body __RANDOM_PICK /\b(?:random(?:ly)?\s(?:\w+\s)?(?:select(?:ion|ed)|pick(?:ed)?|computer)|(?:select|pick)ed\s(?:at\s)?random(?:ly)?|(?:esco(?:g|lh)idos|seleccion) (?:aleatoria(?:mente)?|al azar))\b/i | |
8866 | ||
8867 | header __RAND_HEADER ALL =~ /^(?!Accept-Language|Authentication-Results|Content-|DomainKey-Signature|DKIM-|List-|MIME-|Received-SPF|Return-Path|Thread-|User-Agent|Tracking-Code)(?:[a-z]{4,}-[a-z]{3,}|[a-z]{3,}-[a-z]{4,}):\s+\d(?=\S{6,}\s*$)[\da-f]*(?:[-.]\w+)*\s*$/ism | |
8868 | tflags __RAND_HEADER multiple maxhits=4 | |
8869 | ||
8870 | meta __RAND_HEADER_2 __RAND_HEADER > 1 | |
8871 | ||
8872 | header __RAND_MKTG_HEADER ALL =~ /^X-(?:[a-z]{2}){1,2}-(?:EBS|(?:Tracking|Subscriber|Delivery|Customer|Campaign)-[DSU]?id):/ism | |
8873 | ||
8874 | header __RATWARE_BOUND_A ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{10,400}boundary="----=_NextPart_000_...._\1\./msi # " | |
8875 | ||
8876 | header __RATWARE_BOUND_B ALL =~ /boundary="----=_NextPart_000_...._([0-9a-f]{8})\..{10,400}^Message-Id: <....\1\$[0-9a-f]{8}\$/msi # " | |
8877 | ||
| # Reverse-DNS naming tests on X-Spam-Relays-External. The leading ^[^\]]+ keeps the match from crossing a "]", so only the first relay entry in the header is examined. | |
| # Each rule looks for a mail-server style label (mail, mta, mx, outbound, smtp) in that entry's rdns= value; the plain variants require the label at a word boundary and followed by a non-letter, the _MESSY variants accept it anywhere in the name. | |
| # All are flagged "tflags nice", i.e. they are meant as ham-leaning signals. | |
| # NOTE(review): the rDNS name is chosen by whoever controls the reverse zone of the connecting address, so these say how a host is named, not who operates it; treat them as weak evidence when they are used to exempt mail from other rules (e.g. __TO_EQ_FROM_USR_NN_MINFP in this file). | |
8878 | header __RCD_RDNS_MAIL X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmail[^a-z]/i | |
8879 | tflags __RCD_RDNS_MAIL nice | |
8880 | ||
8881 | header __RCD_RDNS_MAIL_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mail/i | |
8882 | tflags __RCD_RDNS_MAIL_MESSY nice | |
8883 | ||
8884 | header __RCD_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmta[^a-z]/i | |
8885 | tflags __RCD_RDNS_MTA nice | |
8886 | ||
8887 | header __RCD_RDNS_MTA_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mta/i | |
8888 | tflags __RCD_RDNS_MTA_MESSY nice | |
8889 | ||
8890 | header __RCD_RDNS_MX X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bmx[^a-z]/i | |
8891 | tflags __RCD_RDNS_MX nice | |
8892 | ||
| # NOTE(review): no /i here, unlike the MAIL and MTA variants above - confirm whether the rdns value is already lower-cased before this header is built, otherwise an upper-case label is missed. | |
8893 | header __RCD_RDNS_MX_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*mx/ | |
8894 | tflags __RCD_RDNS_MX_MESSY nice | |
8895 | ||
8896 | header __RCD_RDNS_OB X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\boutbounds?[^a-z]/i | |
8897 | tflags __RCD_RDNS_OB nice | |
8898 | ||
8899 | header __RCD_RDNS_SMTP X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*\bsmtps?[^a-z]/i | |
8900 | tflags __RCD_RDNS_SMTP nice | |
8901 | ||
| # NOTE(review): no /i here either, unlike __RCD_RDNS_SMTP above - same question about case as for __RCD_RDNS_MX_MESSY. | |
8902 | header __RCD_RDNS_SMTP_MESSY X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*smtp/ | |
8903 | tflags __RCD_RDNS_SMTP_MESSY nice | |
8904 | ||
46cfc9e2 | 8905 | header __RCVD_DOTEDU_EXT X-Spam-Relays-External =~ /\srdns=\S+\.edu\s/i |
b780ea8d SI |
8906 | |
8907 | meta __RCVD_DOTEDU_SHORT __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 ) | |
8908 | ||
8909 | meta __RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI ) | |
8910 | ||
46cfc9e2 | 8911 | header __RCVD_DOTGOV_EXT X-Spam-Relays-External =~ /\srdns=\S+\.gov\s/i |
b780ea8d SI |
8912 | |
8913 | header __RCVD_ZIXMAIL X-Spam-Relays-Untrusted =~ / helo=smtpout\.zixmail\.net / | |
8914 | ||
8915 | header __RDNS_LONG X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{30}/ | |
8916 | ||
8917 | header __RDNS_NO_SUBDOM X-Spam-Relays-External =~ /^[^\]]+ rdns=[^. ]*\.\w+ / | |
8918 | ||
8919 | header __RDNS_NUMERIC_TLD X-Spam-Relays-External =~ /\srdns=\S+\.\d+\s/ | |
8920 | ||
8921 | header __RDNS_SHORT X-Spam-Relays-External =~ /^[^\]]+ rdns=\S{4,14} / | |
8922 | ||
8923 | body __RECEIVE_BONUS /\byou(?:'ll)?(?: also| will)* (?:rec[ei]*ve|get|earn|collect|be (?:awarded|handed|remitted|given|paid|(?:greeted|welcomed|started) with)) (?:an? )?(?:gift|bonus|extra)(?: of|:)? \$[\d,]+/i | |
8924 | ||
8925 | header __RELAY_THRU_WWW Received =~ /from (?:[^ \@]+\@)?www\./ | |
8926 | ||
8927 | body __RELEASE_MESSAGES /\b(?:release messages|(?:retrieve|release|download) your(?: undelivered|unreceived|held|pending)? e?-?mails|(?:e?-?mails|messages).{1,20}download them now)\b/i | |
8928 | ||
8929 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # { | |
8930 | meta __REMOTE_IMAGE (__HTML_IMG_ONLY || __HTML_LINK_IMAGE) && !(__SUBSCRIPTION_INFO || __VIA_ML || __SENDER_BOT || __ANY_IMAGE_ATTACH) | |
8931 | endif | |
8932 | ||
8933 | if (version >= 3.004002) | |
8934 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8935 | header __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD') | |
8936 | endif | |
8937 | endif | |
8938 | ||
| # Reply-To address at aol.com whose local part is one of the listed stems followed by one or more digits. The leading lookahead is a cheap pre-check that the whole address is at aol.com before the alternation is tried. | |
| # NOTE(review): "LOOSE" presumably refers to the stem-plus-digits matching: it covers numbered variants of the listed mailboxes, and will equally hit an unrelated mailbox that shares a stem. The list also ages as mailboxes are closed or reassigned - confirm it is only consumed inside metas and is refreshed upstream. | |
dfdd1e08 | 8939 | header __REPTO_419_FRAUD_AOL_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.|ljaber)|c(?:hanprivacy|laimdept|ristinabruno|ustom_service)|dhodgkins|evelynjoshua|f(?:d\.|ernandezfernandez)|george_clifford|hernandezrosemary|k\.doreen|l(?:erynnewest|ynnpage)|m(?:_l\.wanczyk|asayohara|rsjanetedwards)|officework|paulpollard|royalpalace|spwalker|usembassy|yurdaaytarkan))\d+\@aol\.com$/i |
b780ea8d | 8940 | |
fc5290a3 | 8941 | header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:9porssts|a(?:\.wafager|b(?:dullahmundani|u(?:lkareem|shadi))|cecere|isha1976gaddafi|l(?:an\.austin|ex(?:anderpeterson|hoffman)|ghafrij|kasimunadi|l(?:enholden|isoncluade)|ure\.wawrenka)|m(?:bassadormarybethleonardl|ericadeliverycomapny|ina(?:ltwaijiri|medjahed))|n(?:dyfox|na(?:llee|sigurlaug)|thonyjblinken)|office1office|radka|shwestwood|ustinbillmark|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|rister(?:clarkephillips|lordruben)|teld\.huisman))|bongo|e(?:alitoniua|linekra|n(?:ezero|gatl|jaminsarah))|ill\.lawrence|mwautomobile|oarddept|rendalaporte|uffettwarrene)|c(?:h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|laxtonpaul|o(?:lombasjuan|ntactad)|rist(?:brun?|davis|ydavisdonation)|ustomerservicelacaixa)|d(?:a(?:nnuar|vi(?:d(?:\.loanfirm|larbi|pere|ramirez\.luis)|scarolyn|yax))|e(?:nnisclark|partmentofstate)|minique|ona(?:ldwilliam|tionhelpercare)|rdavidrhama|unsilva)|e(?:benezero|christina|l(?:i(?:bethgomez|sabethmaria|zabethedw)|o(?:diesawadogo|tocashoffice))|m(?:efieleg?|ilyrichmond)|re(?:nakgeorge|zcelic)|stherkatherine|wynn)|f(?:\.mikhail|a(?:ithdesrie|tme\.mehmed)|blott|irstbank|r(?:a(?:100dub|n(?:c(?:espatrickconnolly|iscamendoza)|k(?:jane|linpiesie)))|eelottosweepstake)|spero|ulanlan)|g(?:00gleggewinner|a(?:briel(?:eschmitt|kalia)|rciavincent)|bill|e(?:neralwilliamstony|orgekwame|raldjhjh)|i(?:idp|ocastano)|l(?:enmoore|oriachow)|oo(?:golteam|oglegwiinner)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:gate|ryebert)|sh(?:imyreem|mireem))|e(?:atherbrooeke|ctor(?:castillos|scastillo)|lengiggs)|gold|ildad|o(?:nmackjohn|rnbeckmajordennis|seoky))|i(?:bed|mfdeputyoff|n(?:fo\.annedouglas|gridrolle)|rvinekim|smail(?:eman|tarkan))|j(?:a(?:mesokoh|vierlesme)|efferydean|o(?:edward|hn(?:griffn|r(?:awlings|oxfordjr)|sonwilson|uba|walterlove|a)|n(?:athanha
skel|hugo)|seph(?:acevedo|babatunde|ichael)|vannyanderson)|rawlings|uliewatson)|k(?:a(?:l(?:iaksandr|tschmidtdavid)|malnizar|rabo\.ramala|t(?:jamess|rinaziako))|ennedy\.sawadogo|halidbuhazza|kasbu|rnkl|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:enasinghs|rynne(?:0west|west))|i(?:amfinchus|fecshortt|liane\.bettencourt|nelink|sa(?:milner|robin))|john|oughreymargaret|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|diawright|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:incare|jor(?:dennishornbeck|townsend)|lletman|n(?:duesq|fran|uelfranco(?:(?:donation|foundation|spende))?)|r(?:i(?:ahhills|opabl)|kroth|shalh|tinamayer|y(?:franson|josen))|u(?:hin|rhinck)|viswan(?:czyk(?:(?:foundation|k))?)?)|brons|c\.cheadychang|dredban|elvidabullock|gfrederick|i(?:c(?:h(?:ael\.woosley|ealwuu)|w)|k(?:e\.weirsky\.foundational|hai(?:\.fridman|lfridm))|ss\.yasmineibrahim)|k(?:ent|untjoro)|oham(?:edabdul|m(?:daljililati|edshamekh))|r(?:\.(?:elbahi\.mohammed\.|justinmaxwell)|cjames|ericschmid|hanimuhammad|jamesmc|richardanthony|s(?:\.susanread|a(?:ishaalqadafi|ngela)|dominiquethomas|evelynbrown|fatimaamiraqureshi|hamima|jackman|lisamilner|ma(?:ureens|yaoliver)|r(?:eem|obinsanders|uthsmith)|sarahbenjamin|victoriaedmond))|s(?:\.ellagolan|agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|icholas\.jose|obuyuki\.hirano)|o(?:\.peace|fficerricherd|hallkenneth|xfaminternationa)|p(?:aul(?:eed|n)|b(?:ph202lay|rookk)|e(?:rezdonlorenzo|ter(?:\.waddell|guggi|kenin|stephen))|hillip\.richead)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymondaba)|e(?:alyh|beccagarang|em(?:has(?:himy|m)|n)|plyback|v(?:\.jamesabel|fr(?:ankjackson|paulwilliams)))|icha(?:miller|rdw(?:ahl|illis))|main|o(?:b(?:erthanandez|inf)|naldmorris|s(?:a\.gomes|ekipkalya))|raya|t\.rev\.ericmark|uddicklana)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cott(?:henryjames|peters)|e(?:cretservicce|rgeantrobertbrown)|gt(?:\.monicab|ireneb)|h(?:anemissler|ery(?:\.gtl|etr)|inawatrathaksin)|im(?:lkheng|onhei)|op(?:adam|hiajesse)
|peelman|t(?:anleyjohn|ephentam)|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:a(?:mmywebster|y(?:ebsouami|lorcathy))|erryparkins|h(?:ailandbankoffice|e(?:ara\.choy|odorosloannis))|imothymetheny|lyerdonald|o(?:m(?:ander|c(?:hrist|rist(?:(?:donation|foundation))?)|spende)|ny(?:\.chung|zimpro)|shikazusendo))|u(?:derleyen|marukareem|n(?:claimedfunds|itednation(?:organization|s))|s(?:alotery|departmentofjustice))|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut))|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|hatsappofficial|i(?:elandherzog\.sw\.herad|ll(?:clark|iamsmartyrs))|u\.office|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo|o(?:ngkm|usefzongo))|z(?:bank|enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i |
b780ea8d | 8942 | |
dfdd1e08 | 8943 | header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|ilmohammed|lesiakalina|nnhester\.usa)|b(?:ank\.phbng|en(?:jaminb|nicholas)|riceangela)|c(?:\.aroline|h(?:arlesscharf|jackson)|juan|ythiamiller\.un)|dhamilton|e(?:denvictor|ricalbert)|federal\.r|j(?:a(?:ckson\.davis|netemoon)|kimyong)|k(?:altschmidtdavid|elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|hman)|isarobinson_|y_cheapiseth)|m(?:\.kogi|arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye))|o(?:legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|o(?:bertbailey|serichard))|s(?:amthong|igurlauganna|leo|pwalker|te(?:fanopessina|vecox\.))|tylerhess\.|vanserge|will(?:clark|smi)|xianglongdai))\d+\@yahoo\.com$/i |
b780ea8d SI |
8944 | |
8945 | header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i | |
8946 | ||
dfdd1e08 SI |
8947 | header __REPTO_INFONUMSCOM Reply-To:addr =~ /^info@\d{5,}\.com$/i |
8948 | ||
b780ea8d SI |
8949 | header __REPTO_RUS_FREEM Reply-To =~ /\@mail\.ru/i |
8950 | ||
8951 | if !((version >= 3.003000)) | |
8952 | meta __RP_MATCHES_RCVD 0 | |
8953 | endif | |
8954 | ||
8955 | if (version >= 3.003000) | |
8956 | if !plugin(Mail::SpamAssassin::Plugin::WLBLEval) | |
8957 | meta __RP_MATCHES_RCVD 0 | |
8958 | endif | |
8959 | endif | |
8960 | ||
8961 | if (version >= 3.003000) | |
8962 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
8963 | header __RP_MATCHES_RCVD eval:check_mailfrom_matches_rcvd() | |
8964 | endif | |
8965 | endif | |
8966 | ||
8967 | body __SCAM /\bscam(?:m?e[dr])?s?\b/i | |
8968 | ||
fc5290a3 SI |
8969 | body __SCC_BODY_TEXT_LINE_FULL /^\s*\S/ |
8970 | tflags __SCC_BODY_TEXT_LINE_FULL multiple maxhits=3 | |
8971 | ||
dfdd1e08 SI |
8972 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
8973 | mimeheader __SCC_BOGUS_CTE_1 Content-Transfer-Encoding =~ /^Hexa/i | |
8974 | endif | |
46cfc9e2 | 8975 | |
dfdd1e08 SI |
8976 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
8977 | mimeheader __SCC_CTMPP Content-Type =~ /multipart\/parallel/ | |
8978 | endif | |
46cfc9e2 | 8979 | |
fc5290a3 SI |
8980 | header __SCC_SUBJECT_HAS_NON_SPACE Subject =~ /\S/ |
8981 | ||
b780ea8d SI |
8982 | body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i |
8983 | ||
8984 | header __SENDER_BOT ALL =~ /(?:not?\W?repl[yi]|bounce|contact|daemon|subscri|report|respon[ds]e?r?s?\b|\b(?:root|news|nobody|agent|(?:post|web)?master|manag|send(?:er|ing)?|out|(?:bot|web|www)\b))[^\@ >]{0,5}s?\@\w/i | |
8985 | tflags __SENDER_BOT nice | |
8986 | ||
| # __SENDGRID_REDIR: URI on a uNNN.ct.sendgrid.net host with the /ls/click?upn= path, i.e. a click-tracking link whose final destination is not visible in the URL text. | |
| # __SENDGRID_REDIR_PHISH: the same link combined with at least one signal that the message is tailored to the recipient or has a forged path (__PDS_FROM_NAME_TO_DOMAIN, __FORGED_RELAY_MUA_TO_MX, __TO_IN_SUBJ). | |
| # __SENDGRID_REDIR_NOPHISH: the link without any of those signals. | |
| # NOTE(review): the destination behind the redirect is never inspected here, so NOPHISH means "no targeting signal seen", not "destination is safe". | |
8987 | uri __SENDGRID_REDIR m,://u\d+\.ct\.sendgrid\.net/ls/click\?upn=, | |
8988 | ||
8989 | meta __SENDGRID_REDIR_NOPHISH __SENDGRID_REDIR && !__SENDGRID_REDIR_PHISH | |
8990 | ||
31955ede | 8991 | meta __SENDGRID_REDIR_PHISH __SENDGRID_REDIR && ( __PDS_FROM_NAME_TO_DOMAIN || __FORGED_RELAY_MUA_TO_MX || __TO_IN_SUBJ ) |
b780ea8d SI |
8992 | |
8993 | body __SHARE_IT /\b(?:(?:share|allocate|teilen|parteger(?:ez|ons)?|partage)\s(?:th(?:e|is)|das|les?|des)\s(?:proceeds|funds?|money|balance|account|geld|compte|fonds)|partager(?:ez|ons)? (?:avec (?:vous|moi)|ratio|suivant un pourcentage))\b/i | |
8994 | ||
31955ede | 8995 | meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY && !__HDR_ENVFROM_SHOPIFY |
46cfc9e2 | 8996 | |
b780ea8d SI |
| # Shape-only test for a shortener-style link: a host part of 3 to 6 characters, a two-character TLD, and a single path segment of 3 to 8 characters with an optional trailing slash. | |
| # No list of known shortener domains is consulted here; __PDS_SHORT_URL in this file additionally requires that __URL_SHORTENER did not match and that the message is not ALL_TRUSTED. | |
| # NOTE(review): any short site on a two-letter TLD with a short path has this shape, so expect matches on ordinary links as well. | |
8997 | uri __SHORT_URL /^https?:\/\/[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/ | |
8998 | ||
8999 | body __SINGLE_WORD_LINE /^\s?\S{1,60}\s?$/ | |
9000 | tflags __SINGLE_WORD_LINE multiple maxhits=2 | |
9001 | ||
9002 | header __SINGLE_WORD_SUBJ Subject =~ /^\s*\S{1,60}\s*$/ | |
9003 | ||
9004 | header __SMIME_MESSAGE Content-Type =~ /application\/pkcs7-mime;/i | |
9005 | ||
9006 | rawbody __SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/ | |
9007 | tflags __SPAN_BEG_TEXT multiple maxhits=5 | |
9008 | ||
9009 | rawbody __SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/ | |
9010 | tflags __SPAN_END_TEXT multiple maxhits=5 | |
9011 | ||
| # __SPF_FULL_PASS: both SPF_PASS and SPF_HELO_PASS hit. __SPF_RANDOM_SENDER: SPF_HELO_PASS hits while SPF_PASS does not. | |
| # When the SPF plugin is not loaded each name is defined as the constant 0, so metas that reference it still have a definition. "tflags net" marks the real definitions as depending on network lookups. | |
| # NOTE(review): neither meta looks at the From: header, so a full pass here says nothing about whether the visible sender domain is the one that was checked - combine with a From-alignment test before treating it as sender authentication. | |
9012 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
9013 | meta __SPF_FULL_PASS 0 | |
9014 | endif | |
9015 | ||
9016 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
9017 | meta __SPF_FULL_PASS (SPF_PASS && SPF_HELO_PASS) | |
9018 | tflags __SPF_FULL_PASS net | |
9019 | endif | |
9020 | ||
9021 | if !plugin(Mail::SpamAssassin::Plugin::SPF) | |
9022 | meta __SPF_RANDOM_SENDER 0 | |
9023 | endif | |
9024 | ||
9025 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
9026 | meta __SPF_RANDOM_SENDER (SPF_HELO_PASS && !SPF_PASS) | |
9027 | tflags __SPF_RANDOM_SENDER net | |
9028 | endif | |
9029 | ||
9030 | meta __SPOOFED_FREEMAIL !__NOT_SPOOFED && FREEMAIL_FROM | |
9031 | tflags __SPOOFED_FREEMAIL net | |
9032 | ||
9033 | meta __SPOOFED_FREEM_REPTO __SPOOFED_FREEMAIL && FREEMAIL_REPLYTO | |
9034 | tflags __SPOOFED_FREEM_REPTO net | |
9035 | ||
| # HTML anchor whose visible text itself starts with "http"/"https" but does not begin with the leading part of the href: the link text shows one URL while the link goes to another. | |
| # The start of the href is captured as \1 (length-limited by the {8,29} bound), nested tags other than the closing anchor are skipped, and (?!\1) rejects link text that repeats the captured href. | |
| # "(?:3D)?" after href= tolerates a quoted-printable "=3D" in the raw body. Every repetition is bounded ({0,2048}, {0,1024}, {0,99}), which keeps the scan cost limited on large HTML parts. | |
| # NOTE(review): only the first characters are compared, so two URLs that share a long common prefix count as the same, and text that shows a bare domain without a scheme is not examined. | |
9036 | rawbody __SPOOFED_URL m/<a\s[^>]{0,2048}\bhref=(?:3D)?.?(https?:[^>"'\# ]{8,29}[^>"'\# :\/?&=])[^>]{0,2048}>(?:[^<]{0,1024}<(?!\/a)[^>]{1,1024}>){0,99}\s{0,10}(?!\1)https?[^\w<]{1,3}[^<]{5}/i | |
9037 | ||
9038 | meta __STATIC_XPRIO_OLE __XPRIO && __RDNS_STATIC && __HAS_MIMEOLE | |
9039 | ||
9040 | body __STAY_HOME /\b(?:going out of|leaving)(?: your)? (?:home|house|residence)\b/i | |
9041 | ||
9042 | body __STOCK_TIP /\bsto[ck]{2}\s?tip\b/i | |
9043 | ||
| # Counts inline style attributes in the raw body that hide content with "visibility: hidden" or "display: none" (up to 6 hits are counted; the __STY_INVIS_* metas in this file compare against that count). | |
| # The lookbehind (?<!-) skips properties that merely end in "-visibility", and the lookbehind is why the rule is gated on the feature_bug6558_free capability check - TODO confirm the gate's exact meaning. | |
| # NOTE(review): only double-quoted style attributes are seen, and only when the property starts within 80 characters of the opening quote; single-quoted attributes, class-based rules in a style block, zero font size or matching foreground/background colours are outside this test. | |
9044 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9045 | rawbody __STY_INVIS /\bstyle\s*=\s*"[^">]{0,80}(?:(?<!-)visibility\s*:\s*hidden\s*|display\s*:\s*none\s*)[;"!]/i | |
9046 | tflags __STY_INVIS multiple maxhits=6 | |
9047 | endif | |
9048 | ||
9049 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9050 | meta __STY_INVIS_1 __STY_INVIS == 1 | |
9051 | endif | |
9052 | ||
9053 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
46cfc9e2 | 9054 | meta __STY_INVIS_1_MINFP __STY_INVIS_1 && !MIME_QP_LONG_LINE && !__MOZILLA_MSGID |
b780ea8d SI |
9055 | endif |
9056 | ||
9057 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9058 | meta __STY_INVIS_2 __STY_INVIS > 1 | |
9059 | endif | |
9060 | ||
9061 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9062 | meta __STY_INVIS_3 __STY_INVIS > 2 | |
9063 | endif | |
9064 | ||
9065 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9066 | meta __STY_INVIS_DIRECT __STY_INVIS && __DOS_DIRECT_TO_MX_UNTRUSTED | |
9067 | endif | |
9068 | ||
9069 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9070 | meta __STY_INVIS_MANY __STY_INVIS > 5 | |
9071 | endif | |
9072 | ||
9073 | header __SUBJECT_EMPTY Subject:raw =~ /^\s*$/ | |
9074 | ||
9075 | meta __SUBJECT_PRESENT_EMPTY __HAS_SUBJECT && __SUBJECT_EMPTY | |
9076 | ||
9077 | header __SUBJ_ADMIN Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i | |
9078 | ||
9079 | meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU | |
9080 | ||
9081 | header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/ | |
9082 | tflags __SUBJ_BROKEN_WORD multiple maxhits=2 | |
9083 | ||
9084 | meta __SUBJ_DOM_ADMIN __SUBJ_ADMIN && __PDS_FROM_NAME_TO_DOMAIN | |
9085 | ||
fc5290a3 | 9086 | header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*Subject:\s+[^\n]{0,100}\1[>,:\s\n]/ism |
b780ea8d | 9087 | |
fc5290a3 | 9088 | header __SUBJ_HAS_TO_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n+(?:[^\n]{1,200}\n+)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism |
b780ea8d | 9089 | |
fc5290a3 | 9090 | header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n+)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism |
b780ea8d | 9091 | |
fc5290a3 | 9092 | header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n+)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism |
b780ea8d SI |
9093 | |
9094 | header __SUBJ_NOT_SHORT Subject =~ /^.{16}/ | |
9095 | ||
9096 | header __SUBJ_OBFU_PUNCT Subject =~ /(?:[-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;][a-z][-~`"!@\#$%^&*()_+={}|\\\/?<>,.:;\s]|(?:[a-z][~`"!@\#$%^&*()_+={}|\\?<>,.:;][a-z](?![a-z])))/i | |
9097 | tflags __SUBJ_OBFU_PUNCT multiple maxhits=4 | |
9098 | ||
9099 | header __SUBJ_RE Subject =~ /^(?:R[eE]|S[vV]|V[sS]|A[wW]):/ | |
9100 | ||
9101 | header __SUBJ_SHORT Subject =~ /^.{0,8}$/ | |
9102 | ||
b780ea8d SI |
9103 | header __SUBJ_USB_DRIVES Subject =~ /\bUSB (?:[Ff]lash )?[Dd]rives\b/ |
9104 | ||
9105 | body __SUBSCRIPTION_INFO /\b(?:e?newsletters?|(?:un)?(?:subscrib|register)|you(?:r| are) subscri(?:b|ption)|opt(?:.|ing)?out\b|further info|you do ?n[o']t w(?:ish|ant)|remov\w{1,3}.{1,9}\blists?\b|to your white.?list)/i | |
9106 | tflags __SUBSCRIPTION_INFO nice | |
9107 | ||
9108 | body __SUM_OF_FUND /\b(?:sum|release|freigabe)\s(?:of|der)\s(?:amount|fund|investment|mittel)\b/i | |
9109 | ||
9110 | body __SURVEY /\bsurvey\b/i | |
9111 | ||
9112 | body __SURVIVORS /\b(?:widow|son|daughter|husband|wife|brother|sister|attorney|vi(?:=FA|[\xfa]|[\xc3][\xba])va|esposa|veuve)\s(?:of|to|do|de)\s(?:the\s)?(?:late|falecido|finales|feu|d(?:e|=E9|[\xe9]|[\xc3][\xa9])funt|mr\.?)\s\w+\b/i | |
9113 | ||
9114 | body __SUSPICION_LOGIN /\bsuspicion login\b/i | |
9115 | ||
9116 | body __SYSADMIN /\b(?:help?[- ]?desk|(?:(?:web ?)?mail ?|sys(?:tem )?)admin(?:istrator)|local[- ]host|(?:support|upgrade|management|security|admin(?:istrat(?:or|ion))?) (?:team|center)|message from administrator|university mail server copyright|suporte t(?:=E9|[\xe9]|[\xc3][\xa9])cnico|administrador do sistema)\b/i | |
9117 | ||
46cfc9e2 SI |
9118 | meta __TAGSTAT_IMG_NOT_RCVD_TGST __URI_IMG_TAGSTAT && !__HDR_RCVD_TAGSTAT |
9119 | ||
31955ede SI |
9120 | meta __TARINGANET_IMG_NOT_RCVD_TN __URI_IMG_TARINGANET && !__HDR_RCVD_TARINGANET |
9121 | ||
b780ea8d SI |
9122 | header __TB_MIME_BDRY_NO_Z Content-Type =~ /boundary="-{8,}(?:[1-9]){16}/ |
9123 | ||
9124 | rawbody __TENWORD_GIBBERISH /^\s*(?:[a-z]+\s+){10}\.$/m | |
9125 | tflags __TENWORD_GIBBERISH multiple maxhits=21 | |
9126 | ||
46cfc9e2 SI |
9127 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
9128 | mimeheader __TEXT_XML_MT Content-Type =~ m,\btext/xml\b,i | |
9129 | endif | |
9130 | ||
b780ea8d SI |
9131 | body __THEY_INHERIT /\b(?:inherit\sth(?:e|is)\smoney|herede\sest[ea]\sdinero)\b/i |
9132 | ||
9133 | body __THIS_AD /(?:\b|_)this[- _]+(?:ad(?:vert[i1l]sement)?|promo(?:tion)?)s?(?:\b|_)/i | |
9134 | ||
9135 | meta __THREADED (!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF) | |
9136 | tflags __THREADED nice | |
9137 | ||
9138 | header __THREAD_INDEX_GOOD Thread-Index =~ m,^A[a-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==|[A-Za-z0-9+/]{7}|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$, | |
9139 | ||
9140 | header __TO_ALL_NUMS To:addr =~ /^\d+@/ | |
9141 | ||
9142 | meta __TO_EQ_FM_DIRECT_MX __TO_EQ_FROM && __DOS_DIRECT_TO_MX | |
9143 | ||
fc5290a3 SI |
9144 | meta __TO_EQ_FM_DOM_HTML_IMG __TO_EQ_FROM_DOM && __HTML_LINK_IMAGE |
9145 | ||
b780ea8d SI |
9146 | if !plugin(Mail::SpamAssassin::Plugin::SPF) |
9147 | meta __TO_EQ_FM_DOM_SPF_FAIL 0 | |
9148 | endif | |
9149 | ||
9150 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
9151 | meta __TO_EQ_FM_DOM_SPF_FAIL __TO_EQ_FROM_DOM && SPF_FAIL | |
9152 | tflags __TO_EQ_FM_DOM_SPF_FAIL net | |
9153 | endif | |
9154 | ||
b780ea8d SI |
9155 | if !plugin(Mail::SpamAssassin::Plugin::SPF) |
9156 | meta __TO_EQ_FM_SPF_FAIL 0 | |
9157 | endif | |
9158 | ||
9159 | ifplugin Mail::SpamAssassin::Plugin::SPF | |
9160 | meta __TO_EQ_FM_SPF_FAIL __TO_EQ_FROM && SPF_FAIL | |
9161 | tflags __TO_EQ_FM_SPF_FAIL net | |
9162 | endif | |
9163 | ||
9164 | meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2) | |
9165 | describe __TO_EQ_FROM To: same as From: | |
9166 | ||
fc5290a3 | 9167 | header __TO_EQ_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism |
b780ea8d | 9168 | |
fc5290a3 | 9169 | header __TO_EQ_FROM_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism |
b780ea8d SI |
9170 | |
9171 | meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2) | |
9172 | describe __TO_EQ_FROM_DOM To: domain same as From: domain | |
9173 | ||
fc5290a3 | 9174 | header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To:\s+[^\n]+@\1[>,\s\n]/ism |
b780ea8d | 9175 | |
fc5290a3 | 9176 | header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From:\s+[^\n]+@\1[>,\s\n]/ism |
b780ea8d SI |
9177 | |
9178 | meta __TO_EQ_FROM_USR (__TO_EQ_FROM_USR_1 || __TO_EQ_FROM_USR_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT) | |
9179 | describe __TO_EQ_FROM_USR To: username same as From: username | |
9180 | ||
fc5290a3 | 9181 | header __TO_EQ_FROM_USR_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism |
b780ea8d | 9182 | |
fc5290a3 | 9183 | header __TO_EQ_FROM_USR_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]+)\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*From:\s+(?:[^\n]{0,80}<)?\1[\@>,\s\n]/ism |
b780ea8d SI |
9184 | |
9185 | meta __TO_EQ_FROM_USR_NN (__TO_EQ_FROM_USR_NN_1 || __TO_EQ_FROM_USR_NN_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT) | |
9186 | describe __TO_EQ_FROM_USR_NN To: username same as From: username sans trailing nums | |
9187 | ||
fc5290a3 | 9188 | header __TO_EQ_FROM_USR_NN_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism |
b780ea8d | 9189 | |
fc5290a3 | 9190 | header __TO_EQ_FROM_USR_NN_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s\@>]{4,80}?)\d*\@[^\n\s]+>?\n+(?:[^\n]{1,100}\n+)*From:\s+(?:[^\n]{0,80}<)?\1\d*[\@>,\s\n]/ism |
b780ea8d SI |
9191 | |
9192 | meta __TO_EQ_FROM_USR_NN_MINFP __TO_EQ_FROM_USR_NN && !__TO_EQ_FROM_USR_1 && !__TO_EQ_FROM && !__TO_EQ_FROM_DOM && !__LCL__ENV_AND_HDR_FROM_MATCH && !__DKIM_EXISTS && !__NOT_SPOOFED && !__RCD_RDNS_SMTP && !__RCD_RDNS_MX_MESSY && !__THREADED | |
9193 | ||
9194 | meta __TO_IN_SUBJ (__SUBJ_HAS_TO_1 || __SUBJ_HAS_TO_2 || __SUBJ_HAS_TO_3) | |
9195 | ||
9196 | header __TO_NO_ARROWS_R To !~ /(?:>$|>,)/ | |
9197 | ||
9198 | if !plugin(Mail::SpamAssassin::Plugin::FreeMail) | |
9199 | meta __TO_NO_BRKTS_FREEMAIL 0 | |
9200 | endif | |
9201 | ||
9202 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
9203 | meta __TO_NO_BRKTS_FREEMAIL __TO_NO_ARROWS_R && (FREEMAIL_FROM || FREEMAIL_REPLYTO) | |
9204 | endif | |
9205 | ||
9206 | meta __TO_NO_BRKTS_FROM_RUNON __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && __FROM_RUNON | |
9207 | ||
9208 | meta __TO_NO_BRKTS_HTML_IMG __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && HTML_MESSAGE && __ONE_IMG | |
9209 | ||
9210 | meta __TO_NO_BRKTS_HTML_ONLY __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && MIME_HTML_ONLY | |
9211 | ||
9212 | meta __TO_NO_BRKTS_MSFT __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS) | |
9213 | ||
9214 | meta __TO_NO_BRKTS_NORDNS_HTML __TO_NO_BRKTS_HTML_ONLY && RDNS_NONE | |
9215 | ||
9216 | meta __TO_NO_BRKTS_PCNT __TO_NO_ARROWS_R && __FB_NUM_PERCNT | |
9217 | ||
9218 | meta __TO_TOO_MANY_WFH_01 __TO_WAY_TOO_MANY && __WFH_01 | |
9219 | ||
9220 | header __TO_UNDISCLOSED To =~ /\b(?:undisclosed[-\s]recipients|destinataires inconnus|destinatari nascosti)\b/i | |
9221 | ||
9222 | header __TO_WAY_TOO_MANY ToCc =~ /(?:,[^,]{1,90}){50}/ | |
9223 | ||
9224 | body __TO_YOUR_ACCT /\b(?:(?:f[uo]nds|money|f[uo]ndo|dinheiro|bank)\s(?:\w{1,10}\s){0,4}(?:transfer(?:red)?|transferido|sont)|\d+)\s(?:to|para|en)\s(?:your?|sua|votre)\s(?:account|conta|pos+es+ion)/i | |
9225 | ||
9226 | body __TO_YOUR_ORG /\b(?:to|for) your organi[sz]ation\b/i | |
9227 | ||
| # Matches the literal lower-case text "to:" (there is no /i flag), then one whitespace | |
| # character and five non-space characters, anywhere in the ALL pseudo-header. | |
| # NOTE(review): the pattern is not anchored to the start of a header line, so it can also | |
| # match inside another header name or value that contains "to:" -- confirm this is | |
| # intended. In this file it is only consumed negated, as !__TO___LOWER in __XPRIO_MINFP. | |
9228 | header __TO___LOWER ALL =~ /to:\s\S{5}/ | |
9229 | ||
9230 | body __TRANSFORM_LIFE /\b(transform|change) your (?:daily )?life(?:style)?\b/i | |
9231 | ||
9232 | body __TRAVEL_AGENT /\btravel\sagen(?:t|cy)\b/i | |
9233 | ||
9234 | body __TRAVEL_BUSINESS /\bbusiness\stravel\b/i | |
9235 | ||
9236 | body __TRAVEL_ITINERARY /(?:travel|ticketed|your|current) itinerary/i | |
9237 | ||
9238 | meta __TRAVEL_MANY (__TRAVEL_PROFILE + __TRAVEL_RESERV + __TRAVEL_BUSINESS + __TRAVEL_AGENT) > 2 | |
9239 | ||
9240 | body __TRAVEL_PROFILE /\btravel+er\sprofile\b/i | |
9241 | ||
9242 | body __TRAVEL_RESERV /\b(?:reservation\s(?:confirmed|number)|travel\sreservations?)\b/i | |
9243 | ||
9244 | body __TRTMT_DEFILED /\bdefiled\sall\s(?:forms\sof\s)?(?:medical\s)?treatments?\b/i | |
9245 | ||
9246 | body __TRUNK_BOX /\b(?:(?:trunk|metallic|proof|security|consignment)\sbox(?:es)?|sealed\ssafe|une mallette m(?:e|=E9|[\xe9]|[\xc3][\xa9])tallique)\b/i | |
9247 | ||
9248 | body __TRUSTED_CHECK /\b(?:cashier'?s?|certified)\sche(?:ck|que)/i | |
9249 | ||
9250 | header __TT_BROKEN_VALIUM Subject =~ /V[:^."%()*\[\\]?A[:^."%()*\[\\]?L[:^."%()*\[\\]?I[:^."%()*\[\\]?U[:^."%()*\[\\]?M/i | |
9251 | ||
9252 | header __TT_BROKEN_VIAGRA Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i | |
9253 | ||
9254 | header __TT_OBSCURED_VALIUM Subject =~ /(v|V|\\\/)(a|A|\(a\)|4|@)(l|L|\|)(i|I|1|\xef|\|)(u|U|\(u\))(m|M)/ | |
9255 | ||
9256 | header __TT_OBSCURED_VIAGRA Subject =~ /(v|V|\\\/)(i|I|1|\xef|\|)(a|A|\(a\)|4|@)(g|G)(r|R)(a|A|\(a\)|4|@)/ | |
9257 | ||
9258 | header __TT_VALIUM Subject =~ /VALIUM/i | |
9259 | ||
9260 | header __TT_VIAGRA Subject =~ /VIAGRA/i | |
9261 | ||
9262 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9263 | mimeheader __TVD_FW_GRAPHIC_ID1 Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/ | |
9264 | endif | |
9265 | ||
9266 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9267 | mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i | |
9268 | endif | |
9269 | ||
9270 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9271 | mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i | |
9272 | endif | |
9273 | ||
9274 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9275 | mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i | |
9276 | endif | |
9277 | ||
9278 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9279 | mimeheader __TVD_OUTLOOK_IMG Content-Id =~ /<image\d+\.(?:gif|jpe?g|png)\@/ | |
9280 | endif | |
9281 | ||
9282 | body __TVD_PH_BODY_01 /\baccount .{0,20}placed? [io]n restricted status/i | |
9283 | ||
9284 | body __TVD_PH_BODY_02 /\brecords (?:[a-z_,-]+ )+?(?:feature|(?:a|re)ward)/i | |
9285 | ||
9286 | body __TVD_PH_BODY_03 /\byou(?:'ve| have) been (?:[a-z_,-]+ )+?payment/i | |
9287 | ||
9288 | body __TVD_PH_BODY_04 /\bfunds? (?!transfer from)(?!from)(?!in)(?!via)(?:[a-z_,-]+ )+?to your (?:[a-z_,-]+ )*?account/i | |
9289 | ||
9290 | body __TVD_PH_BODY_05 /\bthis is (?:[a-z_,-]+ )+?protect (?:[a-z_,-]+ )+?your/i | |
9291 | ||
9292 | body __TVD_PH_BODY_06 /Dear [a-z]+ bank (?:member|customer)/i | |
9293 | ||
9294 | body __TVD_PH_BODY_07 /\bguarantee the safety of your (?:[a-z_,-]+ )*?account/i | |
9295 | ||
9296 | body __TVD_PH_BODY_08 /\bmultiple password failures/i | |
9297 | ||
9298 | body __TVD_PH_BODY_ACCOUNTS_POST /\b(?:(?:[dr]e-?)?activat[a-z]*|(?:re-?)?validate|secure|restore|confirm|update|suspend) (?!your)(?:[a-z_,-]+ )+?accounts?\b/i | |
9299 | ||
9300 | body __TVD_PH_BODY_ACCOUNTS_PRE /\baccounts? (?:[a-z_,-]+ )+?(?:record[a-z]*|suspen[a-z]+|notif(?:y|ication)|updated|verifications?|credited)\b/i | |
9301 | ||
9302 | meta __TVD_PH_BODY_META __TVD_PH_BODY_01 || __TVD_PH_BODY_02 || __TVD_PH_BODY_03 || __TVD_PH_BODY_04 || __TVD_PH_BODY_05 || __TVD_PH_BODY_06 || __TVD_PH_BODY_07 || __TVD_PH_BODY_08 | |
9303 | ||
9304 | header __TVD_PH_SUBJ_00 Subject =~ /\brewards? survey\b/i | |
9305 | ||
9306 | header __TVD_PH_SUBJ_02 Subject =~ /\byour payment has been sent\b/i | |
9307 | ||
9308 | header __TVD_PH_SUBJ_04 Subject =~ /\baccounts? profile\b/i | |
9309 | ||
9310 | header __TVD_PH_SUBJ_15 Subject =~ /\binvestment for (?:[a-z_,-]+ )*?to(?:morrow|day)\b/i | |
9311 | ||
9312 | header __TVD_PH_SUBJ_17 Subject =~ /\bremove limitations?\b/i | |
9313 | ||
9314 | header __TVD_PH_SUBJ_18 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?changes\b/i | |
9315 | ||
9316 | header __TVD_PH_SUBJ_19 Subject =~ /\bmessage (?:[a-z_,-]+ )*?bank\b/i | |
9317 | ||
9318 | header __TVD_PH_SUBJ_29 Subject =~ /^notice(?::|[\s\W]*$)/i | |
9319 | ||
9320 | header __TVD_PH_SUBJ_31 Subject =~ /\bsecurity (?:[a-z_,-]+ )*?verification\b/i | |
9321 | ||
9322 | header __TVD_PH_SUBJ_36 Subject =~ /\bconsumer notice\b/i | |
9323 | ||
9324 | header __TVD_PH_SUBJ_37 Subject =~ /\bvalued member[a-z]*\b/i | |
9325 | ||
9326 | header __TVD_PH_SUBJ_38 Subject =~ /\bonline bank[a-z]*\b/i | |
9327 | ||
9328 | header __TVD_PH_SUBJ_39 Subject =~ /\bonline department\b/i | |
9329 | ||
9330 | header __TVD_PH_SUBJ_41 Subject =~ /\bunusual activity\b/i | |
9331 | ||
9332 | header __TVD_PH_SUBJ_52 Subject =~ /\b(?:account|online) profile\b/i | |
9333 | ||
9334 | header __TVD_PH_SUBJ_54 Subject =~ /\bun-?authorized access(?:es)?\b/i | |
9335 | ||
9336 | header __TVD_PH_SUBJ_56 Subject =~ /\brespond now\b/i | |
9337 | ||
9338 | header __TVD_PH_SUBJ_58 Subject =~ /\bbilling service\b/i | |
9339 | ||
9340 | header __TVD_PH_SUBJ_59 Subject =~ /\bquestion from (?:[a-z_,-]+ )*?member\b/i | |
9341 | ||
9342 | header __TVD_PH_SUBJ_ACCESS_POST Subject =~ /\b(?:(?:re-?)?activat[a-z]*|secure|verify|restore|flagged|limited|unusual|report|notif(?:y|ication)|suspen(?:d|ded|sion)) (?:[a-z_,-]+ )*?access\b/i | |
9343 | ||
9344 | meta __TVD_PH_SUBJ_META __TVD_PH_SUBJ_00 || __TVD_PH_SUBJ_02 || __TVD_PH_SUBJ_04 || __TVD_PH_SUBJ_15 || __TVD_PH_SUBJ_17 || __TVD_PH_SUBJ_18 || __TVD_PH_SUBJ_19 || __TVD_PH_SUBJ_29 || __TVD_PH_SUBJ_31 || __TVD_PH_SUBJ_36 || __TVD_PH_SUBJ_37 || __TVD_PH_SUBJ_38 || __TVD_PH_SUBJ_39 || __TVD_PH_SUBJ_41 || __TVD_PH_SUBJ_52 || __TVD_PH_SUBJ_54 || __TVD_PH_SUBJ_56 || __TVD_PH_SUBJ_58 || __TVD_PH_SUBJ_59 || __TVD_PH_SUBJ_ACCESS_POST | |
9345 | ||
fc5290a3 SI |
9346 | meta __TVD_SPACE_ENCODED (__TVD_SPACE_RATIO && __SUBJECT_ENCODED_B64 && !__SUBJECT_UTF8_B_ENCODED) |
9347 | ||
b780ea8d SI |
9348 | if !plugin(Mail::SpamAssassin::Plugin::BodyEval) |
9349 | meta __TVD_SPACE_RATIO 0 | |
9350 | endif | |
9351 | ||
9352 | header __TVD_SUBJ_NUM_OBFU Subject =~ /[a-z]{3,}\d+[a-z]{2,}/i | |
9353 | ||
9354 | meta __T_PDS_MSG_512 (__KAM_BODY_LENGTH_LT_512 || __HTML_LENGTH_512 || __PDS_QP_512) | |
9355 | ||
9356 | header __UA_GNUS User-Agent =~ /^Gnus/ | |
9357 | ||
fc5290a3 SI |
9358 | header __UA_IMP User-Agent =~ /^Internet Messaging Program/ |
9359 | ||
b780ea8d SI |
9360 | header __UA_KMAIL User-Agent =~ /^KMail/ |
9361 | ||
9362 | header __UA_KNODE User-Agent =~ /^KNode/ | |
9363 | ||
9364 | header __UA_MOZ5 User-Agent =~ /^Mozilla\/5/ | |
9365 | ||
fc5290a3 SI |
9366 | header __UA_MSENTOUR User-Agent =~ /^Microsoft-Entourage/ |
9367 | ||
b780ea8d SI |
9368 | header __UA_MSOEMAC User-Agent =~ /^Microsoft-Outlook-Express-Mac/ |
9369 | ||
9370 | header __UA_MSOMAC User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/ | |
9371 | ||
9372 | header __UA_MUTT User-Agent =~ /^Mutt/ | |
9373 | ||
9374 | header __UA_OPERA7 User-Agent =~ /^Opera7/ | |
9375 | ||
9376 | header __UA_PAN User-Agent =~ /^Pan/ | |
9377 | ||
9378 | header __UA_XNEWS User-Agent =~ /^Xnews/ | |
9379 | ||
9380 | body __UC_GIBB_OBFU /\b[A-Za-z][a-z]{0,20}[,;)]?\s[A-Z]{16,}[a-z]?\s[A-Za-z][a-z]{1,15}\b/ | |
9381 | tflags __UC_GIBB_OBFU multiple maxhits=2 | |
9382 | ||
9383 | body __UN /\bunited\snations?\b/i | |
9384 | ||
9385 | meta __UNDISC_FREEM __TO_UNDISCLOSED && __freemail_replyto | |
9386 | ||
9387 | meta __UNDISC_MONEY __TO_UNDISCLOSED && (__ADVANCE_FEE_2_NEW || LOTS_OF_MONEY) | |
9388 | ||
| # Detects ASCII words with Cyrillic look-alike letters mixed in. The byte pairs | |
| # \xd0[\xb0\xb5\xbe] and \xd1[\x80\x81] are the UTF-8 encodings of U+0430, U+0435, U+043E, | |
| # U+0440 and U+0441, which render like Latin a, e, o, p and c. A hit needs two such runs | |
| # separated by 1-8 ASCII letters or digits, with an ASCII letter, digit or whitespace on | |
| # each side. | |
| # tflags "multiple maxhits=10" lets the rule count up to ten hits per message, and | |
| # __UNICODE_OBFU_ASC_MANY (> 9) is therefore true only when that cap is reached. | |
| # Both rules exist only when the running SpamAssassin reports feature_bug6558_free. | |
9389 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9390 | body __UNICODE_OBFU_ASC /[a-z0-9\s](?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9]{1,8}(?:\xd0[\xb0\xb5\xbe]|\xd1[\x80\x81])+[a-z0-9\s]/i | |
9391 | tflags __UNICODE_OBFU_ASC multiple maxhits=10 | |
9392 | endif | |
9393 | ||
9394 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9395 | meta __UNICODE_OBFU_ASC_MANY __UNICODE_OBFU_ASC > 9 | |
9396 | endif | |
9397 | ||
| # Detects zero-width characters used to split up words. \xe2\x80[\x8b\x8c\x8d] is the | |
| # UTF-8 encoding of U+200B (zero width space), U+200C (zero width non-joiner) and U+200D | |
| # (zero width joiner); \xef\xbb\xbf is U+FEFF. A hit needs two such runs separated by 1-8 | |
| # ASCII letters, digits or whitespace, the first of which must not be whitespace. | |
| # NOTE(review): the lone \x9d alternative is not a complete UTF-8 sequence; presumably it | |
| # covers a single-byte charset or a stray continuation byte -- confirm. | |
| # tflags "multiple maxhits=10" makes the rule countable; the metas below are hit-count | |
| # thresholds: _2 is >= 2 hits, _3 is >= 3, _5 is >= 5 and _10 is >= 10 (the cap). | |
9398 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9399 | body __UNICODE_OBFU_ZW /[a-z0-9\s](?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+(?!\s)[a-z0-9\s]{1,8}(?:\x9d|\xe2\x80[\x8b\x8c\x8d]|\xef\xbb\xbf)+[a-z0-9\s]/i | |
9400 | tflags __UNICODE_OBFU_ZW multiple maxhits=10 | |
9401 | endif | |
9402 | ||
9403 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9404 | meta __UNICODE_OBFU_ZW_10 __UNICODE_OBFU_ZW > 9 | |
9405 | endif | |
9406 | ||
9407 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9408 | meta __UNICODE_OBFU_ZW_2 __UNICODE_OBFU_ZW > 1 | |
9409 | endif | |
9410 | ||
9411 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9412 | meta __UNICODE_OBFU_ZW_3 __UNICODE_OBFU_ZW > 2 | |
9413 | endif | |
9414 | ||
9415 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9416 | meta __UNICODE_OBFU_ZW_5 __UNICODE_OBFU_ZW > 4 | |
9417 | endif | |
9418 | ||
9419 | body __UNSUB_EMAIL /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b[-a-z_0-9.+=]{0,60}\@[a-z0-9][-a-z_0-9.]{4,20}(?:[^a-z_0-9.-]|$)/i | |
9420 | tflags __UNSUB_EMAIL nice | |
9421 | ||
dfdd1e08 SI |
9422 | body __UNSUB_GOOG_FORM m,Unsub?sc?ribe\s<?https?://docs\.google\.com/forms/,i |
9423 | ||
b780ea8d SI |
9424 | uri __UNSUB_LINK /\b(?:(?:un)?subscri(?:ber?|ptions?)|abuses?|opt(?:ing)?.?out)\b/i |
9425 | tflags __UNSUB_LINK nice | |
9426 | ||
9427 | body __UPGR_MAILBOX /\b(?:up(?:g[ra]+d(?:e|ing)|date) (?:(?:[hw]as|and)\s(?:[a-z]+\s){1,5})?(?:o[nf] )?(?:your )?(?:mail\s?box|(?:web ?|e-?)mail)|(?:web ?|e-?)mail Upgrade cuenta|atualiz(?:e|ar) (?:a|sua) caixa de correio|click\S{0,10} (?:here(?:[:\.\s]{0,5}\S{0,10}http\S{10,80})?|below)(?: link)? to (?:(?:complete|finish|increase) )?(?:(?:the|this|your)\s)?(?:up(?:date|grade)|(?:web ?|e-?)?mail(?:\s?box)? (?:size|quota|limit))|utrzymania aktywnego konta|request (?:for )additional storage|you (?:have )?(?:failed|refused) to up(?:date|grade))\b/i | |
9428 | ||
9429 | uri __UPPERCASE_URI /^[^:A-Z]+[A-Z]/ | |
9430 | ||
9431 | uri __URI_12LTRDOM m,://(?:[^./]+\.)*[a-z]{12}\.[^./]+/,i | |
9432 | ||
9433 | uri __URI_ADOBESPARK m,https?://branchlink\.adobespark\.com/,i | |
9434 | ||
9435 | uri __URI_AZURE_CLOUDAPP m,://(?:[^./]+\.)+cloudapp\.azure\.com/, | |
9436 | ||
9437 | uri __URI_DASHGOVEDU m,://[^/]*-(?:gov|edu)\.com/,i | |
9438 | ||
| # Matches a URI that starts with the data: scheme and whose media type does not begin | |
| # with "image/" (negative lookahead), i.e. inline content other than an embedded image. | |
| # The match is case-insensitive. | |
9439 | uri __URI_DATA /^data:(?!image\/)[a-z]/i | |
9440 | ||
9441 | uri __URI_DBL_DOM m,^https?://[^.]+\.(?!amazon\.com)([^/]+)/.*https?://[^.]+\.\1/,i | |
9442 | ||
b780ea8d SI |
9443 | uri __URI_DOTEDU m;^https?://(?:[^./]+\.)+edu/;i |
9444 | ||
9445 | meta __URI_DOTEDU_ENTITY __URI_DOTEDU && __AC_HTML_ENTITY_BONANZA_SHRT_RAW | |
9446 | ||
9447 | uri __URI_DOTGOV m;^https?://(?:[^./]+\.)+gov/;i | |
9448 | ||
9449 | uri __URI_DOTTY_HEX /(?:\.[0-9a-f]{2}){30}/ | |
9450 | ||
9451 | uri __URI_DQ_UNSUB m;^[a-z]+://(?:\d+\.){3}\d+/.*unsubscribe;i | |
9452 | ||
9453 | uri __URI_FIREBASEAPP m,://[^./]+\.firebaseapp\.com/, | |
9454 | ||
9455 | uri __URI_GOOGLE_DOC m,^https?://docs\.google\.com/(?:[^/]+/)*(?:view(?:form)?\?(?:[^&]+&)*(?:id|formkey|usp)=|document/),i | |
9456 | ||
9457 | uri __URI_GOOGLE_DRV m,^https?://(?:drive\.google|googledrive)\.com/,i | |
9458 | ||
9459 | uri __URI_GOOGLE_PROXY m;^https?://[^.]+\.googleusercontent\.com/proxy/;i | |
9460 | ||
46cfc9e2 SI |
9461 | uri __URI_GOOG_STO_EMAIL m;^https?://(?:firebase)?storage\.googleapis\.com/.*[a-z0-9]@(?:[a-z0-9]{2,20}\.){1,3}[a-z]{2,3}$;i |
9462 | ||
b780ea8d SI |
9463 | uri __URI_GOOG_STO_HTML m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.html?(?:$|\?),i |
9464 | tflags __URI_GOOG_STO_HTML multiple maxhits=5 | |
9465 | ||
46cfc9e2 | 9466 | uri __URI_GOOG_STO_IMG m,^https?://(?:firebase)?storage\.googleapis\.com/.*\.(?:png|jpe?g|gif)$,i |
b780ea8d SI |
9467 | tflags __URI_GOOG_STO_IMG multiple maxhits=5 |
9468 | ||
| # Matches a URI whose host part is written as "0x" followed by at least eight hexadecimal | |
| # digits and then ":" or "/", i.e. an IP address given as one hexadecimal integer instead | |
| # of a host name or dotted quad. The match is case-insensitive. | |
9469 | uri __URI_HEX_IP m;://0x[0-9A-F]{8,}[:/];i | |
9470 | ||
| # True when any of the listed __URI_IMG_* sub-rules matched, i.e. the message references an | |
| # image on one of these retail, social or image-hosting services. | |
| # NOTE(review): __URI_IMG_JOOMCDN appears twice in the OR chain; this does not change the | |
| # result, but the second entry may have been meant to be another rule. __URI_IMG_WP_REDIR | |
| # is defined in this file yet is not part of the list -- confirm whether that is deliberate. | |
31955ede | 9471 | meta __URI_HOSTED_IMG ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT || __URI_IMG_FACEBOOK || __URI_IMG_TARINGANET || __URI_IMG_BEBEE || __URI_IMG_EFUSERASSETS || __URI_IMG_IMGBOX_THUMB || __URI_IMG_500PXORG || __URI_IMG_WIXMP || __URI_IMG_POSTIMGCC || __URI_IMG_GTRACING || __URI_IMG_JOOMCDN || __URI_IMG_DHRESOURCE ) |
b780ea8d | 9472 | |
31955ede SI |
9473 | uri __URI_IMG_500PXORG m;://drscdn\.500px\.org/photo/;i |
9474 | ||
9475 | uri __URI_IMG_ALICDN m,//(?:[^/.]+\.)*alicdn\.com/.+\.(?:jpe?g|gif|png|webp),i | |
9476 | ||
9477 | uri __URI_IMG_AMAZON m,://[^/?]+\.(?:ssl-)?(?:images|media)-amazon\.com/.*\.(?:png|gif|jpe?g|webp)$,i | |
9478 | ||
9479 | uri __URI_IMG_BEBEE m;://contents\.bebee\.com/users/.+\.(?:jpe?g|gif|png|webp);i | |
b780ea8d SI |
9480 | |
9481 | uri __URI_IMG_CHANNYPIC m,://www\.channypicture\.com/pic/,i | |
9482 | ||
31955ede SI |
9483 | uri __URI_IMG_DHRESOURCE m;://www\.dhresource\.com/.+\.(?:jpe?g|gif|png|webp);i |
9484 | ||
b780ea8d SI |
9485 | uri __URI_IMG_EBAY m,://[^/?]+\.ebayimg\.com/,i |
9486 | ||
31955ede SI |
9487 | uri __URI_IMG_EFUSERASSETS m;://\d+\.efuserassets\.com/\d+/.+\.(?:jpe?g|gif|png|webp);i |
9488 | ||
9489 | uri __URI_IMG_FACEBOOK m;://([^/.]+\.)+fbcdn\.net/v/.+\.(?:jpe?g|gif|png|webp);i | |
9490 | ||
9491 | uri __URI_IMG_GBTCDN m;://des\.gbtcdn\.com/storage/store/[0-9a-f/]{30,}\.(?:png|gif|jpe?g|webp)$;i | |
9492 | ||
31955ede SI |
9493 | uri __URI_IMG_GTRACING m;://shopify\.gtracing\.com/img/.+\.(?:jpe?g|gif|png|webp);i |
9494 | ||
9495 | uri __URI_IMG_IMGBOX_THUMB m;://thumbs\d*\.imgbox\.com/.+\.(?:jpe?g|gif|png|webp);i | |
cabe596e | 9496 | |
| # NOTE(review): __URI_IMG_JOOMCDN is defined twice on consecutive lines, attributed to | |
| # different commits. The first form matches any URI on img.joomcdn.net; the second also | |
| # requires an image extension (jpg/jpeg/gif/png/webp) later in the URI. Presumably the | |
| # later definition replaces the earlier one when the file is parsed -- confirm, and drop | |
| # the line that is not meant to take effect. | |
b780ea8d | 9497 | uri __URI_IMG_JOOMCDN m,://img\.joomcdn\.net/,i |
31955ede | 9498 | uri __URI_IMG_JOOMCDN m;://img\.joomcdn\.net/.+\.(?:jpe?g|gif|png|webp);i |
b780ea8d | 9499 | |
46cfc9e2 SI |
9500 | uri __URI_IMG_LINKEDIN m;://media-exp\d\.licdn\.com/dms/image/;i |
9501 | ||
b780ea8d SI |
9502 | uri __URI_IMG_NEWEGG m,://[^/?]+\.neweggimages\.com/,i |
9503 | ||
31955ede SI |
9504 | uri __URI_IMG_POSTIMGCC m;://i\.postimg\.cc/.+\.(?:jpe?g|gif|png|webp);i |
9505 | ||
9506 | uri __URI_IMG_SHOPIFY m,://cdn\.shopify\.com/.+\.(?:jpe?g|gif|png|webp),i | |
b780ea8d SI |
9507 | |
9508 | uri __URI_IMG_STATICBG m,://imgaz\.staticbg\.com/images/,i | |
9509 | ||
31955ede SI |
9510 | uri __URI_IMG_TAGSTAT m;://i\d+\.tagstat\.com/.+\.(?:jpe?g|gif|png|webp);i |
9511 | ||
9512 | uri __URI_IMG_TARINGANET m;://media\.taringa\.net/knn/;i | |
46cfc9e2 | 9513 | |
cabe596e SI |
9514 | uri __URI_IMG_TOPHATTER m;://images\.tophatter\.com/[0-9a-f]{30,}/;i |
9515 | ||
31955ede | 9516 | uri __URI_IMG_TUMBLR m;://\d+\.media\.tumblr\.com/.+\.(?:jpe?g|gif|png|webp);i |
46cfc9e2 | 9517 | |
b780ea8d SI |
9518 | uri __URI_IMG_WALMART m,://[^/?]+\.walmartimages\.com/,i |
9519 | ||
9520 | uri __URI_IMG_WISH m,://contestimg\.wish\.com/,i | |
9521 | ||
31955ede SI |
9522 | uri __URI_IMG_WIXMP m;://images-wixmp-[0-9a-f]{20,}\.wixmp\.com/;i |
9523 | ||
b780ea8d SI |
9524 | uri __URI_IMG_WP_REDIR m;://i[02]\.wp\.com/.*\.(?:jpe?g|gif|png)$;i |
9525 | ||
9526 | uri __URI_IMG_YTIMG m,://[^/?]+\.ytimg\.com/,i | |
9527 | ||
31955ede | 9528 | uri __URI_LONG_REPEAT m;(?:://|@)(?:\w+\.)*(\w{7,}\.)\1;i |
b780ea8d SI |
9529 | |
9530 | uri __URI_MAILTO /^mailto:/i | |
9531 | tflags __URI_MAILTO multiple maxhits=16 | |
9532 | ||
9533 | uri __URI_MONERO /buy-monero/i | |
9534 | ||
9535 | meta __URI_ONLY_MSGID_MALF __BODY_URI_ONLY && __MSGID_NOFQDN2 | |
9536 | ||
9537 | meta __URI_PHISH __HAS_ANY_URI && !__URI_GOOGLE_DOC && !__URI_GOOG_STO_HTML && (__EMAIL_PHISH || __ACCT_PHISH) | |
9538 | ||
9539 | uri __URI_PHP_REDIR m;/redirect\.php\?;i | |
9540 | ||
46cfc9e2 SI |
9541 | uri __URI_PRODUCT_AMAZON m,://www\.amazon\.(?:com|co\.uk|[a-z][a-z])/dp/[a-z0-9]{10}/,i |
9542 | ||
dfdd1e08 | 9543 | uri __URI_TRY_3LD m,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob|images?|photos?)\w)[^.]*\.(?:(?!list-manage\.)[^/.]+\.)+(?:com|net)\b,i |
cabe596e | 9544 | |
b780ea8d SI |
9545 | uri __URI_TRY_USME m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i |
9546 | ||
9547 | uri __URI_WEBAPP m,://[^./]+\.web\.app/, | |
9548 | ||
9549 | uri __URI_WPADMIN m,/wp-admin/\w+/,i | |
9550 | ||
9551 | uri __URI_WPCONTENT m,/wp-content/.*\.(?:php|html?)\b,i | |
9552 | ||
9553 | uri __URI_WPDIRINDEX m,/wp-(?:content|includes)/.*/$,i | |
9554 | ||
9555 | uri __URI_WPINCLUDES m,/wp-includes/.*\.(?:php|html?)\b,i | |
9556 | ||
| # Match a URI path or host component (preceded by "/" or ".", followed by "/" or the end | |
| # of the URI) that has the shape of a cryptocurrency address. The class | |
| # [a-km-zA-HJ-NP-Z1-9] is the Base58 alphabet (no 0, O, I or l). __URL_BTC_ID accepts a | |
| # leading 1 or 3 plus 25-34 Base58 characters, or "bc1" plus 30-90 characters from a set | |
| # that leaves out 1, b, i and o; __URL_LTC_ID accepts a leading L, M or 3 plus 26-33 | |
| # Base58 characters. | |
| # NOTE(review): these are shape checks only, with no checksum validation, so an | |
| # unrelated identifier of the right length and alphabet also matches. | |
9557 | uri __URL_BTC_ID m;[/.](?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[acdefghjklmnpqrstuvwxyz234567890]{30,90})(?:/|$); | |
9558 | ||
9559 | uri __URL_LTC_ID m;[/.][LM3][a-km-zA-HJ-NP-Z1-9]{26,33}(?:/|$); | |
9560 | ||
b780ea8d SI |
9561 | header __USING_VERP1 Return-Path =~ /[+-].*=/ |
9562 | ||
| # Matches a Subject containing a word that starts with "vacatio", "away", "out?of?offic" | |
| # (any single character between the words), "auto" + optional character + "re", or | |
| # "confirm". Only the start of the word is anchored with \b, and the match is | |
| # case-insensitive. tflags nice marks it as a rule meant to recognise legitimate mail. | |
| # NOTE(review): Subject is sender-controlled and "confirm" is a very common word, so this | |
| # is weak evidence on its own; rules that consume it should combine it with other signals. | |
9563 | header __VACATION Subject =~ /\b(?:vacatio|away|out.of.offic|auto.?re|confirm)/i | |
9564 | tflags __VACATION nice | |
9565 | ||
46cfc9e2 | 9566 | body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails)|verify [a-z][a-z0-9_]{3,40}@[a-z][a-z0-9]{2,30}\.[a-z]{2,6}|your mailbox [^@\s]{3,30}@\S{3,30} (?:(?:needs to|must) be verified|(?:needs|requires) verification))\b/i |
b780ea8d SI |
9567 | tflags __VALIDATE_MAILBOX multiple maxhits=2 |
9568 | ||
9569 | body __VALIDATE_MBOX_SE /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i | |
9570 | ||
9571 | body __VERIFY_ACCOUNT /(?:confirm|updated?|verif(?:y|ied)) (?:your|the) (?:(?:account|current|billing|personal|online)? ?(?:records?|information|account|identity|access|data|login)|"?[^\@\s]+\@\S+"? (?:account|mail ?box)|confirm verification|verify k?now|Ihre Angaben .berpr.ft und best.tigt)/i | |
9572 | tflags __VERIFY_ACCOUNT multiple maxhits=2 | |
9573 | ||
9574 | meta __VFY_ACCT_NORDNS __VERIFY_ACCOUNT && __RDNS_NONE | |
9575 | ||
9576 | if (version >= 3.004002) | |
9577 | ifplugin Mail::SpamAssassin::Plugin::WLBLEval | |
9578 | header __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i | |
9579 | endif | |
9580 | endif | |
9581 | ||
9582 | meta __WALMART_IMG_NOT_RCVD_WAL __URI_IMG_WALMART && !__HDR_RCVD_WALMART | |
9583 | ||
9584 | body __WEBMAIL_ACCT /\byour web ?mail account/i | |
9585 | ||
9586 | body __WE_PAID /\bwe have (?:already )?(?:paid|sent|remitted|issued) \$?\d+(?:,\d+)* (?:thousand )?(?:dollars )?to our (?:users|subscribers|members|clients|affiliates|partners)\b/i | |
9587 | ||
9588 | meta __WFH_01 ( __PERFECT_BINARY + __WE_PAID + __MAKE_XTRA_DOLLAR + __BONUS_LAST_DAY + __PASSIVE_INCOME + __WITHOUT_EFFORT + __TRANSFORM_LIFE + __STAY_HOME + __RECEIVE_BONUS ) > 2 | |
9589 | ||
9590 | body __WIDOW /\b(?:widow(?:e[rd])'?s?|veuve)\b/i | |
9591 | ||
9592 | body __WILL_LEGAL /\b(?:codicil|last\stestament|probate|executor|intestate|bequest|mandamus)\b/i | |
9593 | ||
9594 | body __WIRE_XFR /\b(?:wire|telegraph(?:ic)?|bank)\s?transfer/i | |
9595 | ||
9596 | body __WITHOUT_EFFORT /\bwith(?:out(?: a(?:ny)?| the)?| no)(?: great| special| extra)? effort\b/i | |
9597 | ||
| # Detects a short word (1-20 word characters) placed directly inside an HTML tag whose | |
| # inline attributes hide it: a font / font-size value whose integer part is 0 or 1 for | |
| # px, pt, Q, vw, vh, vmin, a zero value for cm, mm, in, pc, em, ex, ch, rem, lh, vmax, or | |
| # "color: transparent". rawbody is used so that the HTML markup itself is inspected, and | |
| # <style...> tags are excluded by the lookahead. | |
| # tflags "multiple maxhits=6" makes the rule countable up to six hits per message. | |
| # NOTE(review): __WORD_INVIS_2 is "> 1" (two or more hits) but __WORD_INVIS_5 is "> 5", | |
| # which needs six hits, i.e. the maxhits cap, not five as the name suggests -- confirm | |
| # whether "> 4" was intended. | |
9598 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9599 | rawbody __WORD_INVIS /<(?!style)[a-z]+\s[^>]{1,80}(?:font(?:-size)?\s*:\s*(?:0*[01](?:\.\d+)?(?:px|pt|Q|vw|vh|vmin)|0+(?:\.\d+)?(?:cm|mm|in|pc|em|ex|ch|rem|lh|vmax))\s*[;'a-z]|['"\s;]color\s*:\s*transparent\s*[;'])[^>]{0,80}>\w{1,20}</i | |
9600 | tflags __WORD_INVIS multiple maxhits=6 | |
9601 | endif | |
9602 | ||
9603 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9604 | meta __WORD_INVIS_2 __WORD_INVIS > 1 | |
9605 | endif | |
9606 | ||
9607 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9608 | meta __WORD_INVIS_5 __WORD_INVIS > 5 | |
9609 | endif | |
9610 | ||
9611 | if can(Mail::SpamAssassin::Conf::feature_bug6558_free) | |
9612 | meta __WORD_INVIS_MINFP __WORD_INVIS && !__SURVEY && !MIME_QP_LONG_LINE && !__FB_TOUR && !__MSGID_GUID | |
9613 | endif | |
9614 | ||
9615 | header __XEROXWORKCTR_MUA X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/ | |
9616 | ||
b780ea8d SI |
9617 | meta __XFER_MONEY (__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT || __MOVE_MONEY || __TO_YOUR_ACCT || __PAY_YOU || __GIVE_MONEY) |
9618 | ||
31955ede SI |
| # Match the strings "CodeIgniter" and "PHPMailer" anywhere in the X-Mailer header | |
| # (unanchored, case-sensitive). | |
| # NOTE(review): neither regex uses FreeMail itself; the ifplugin guard presumably mirrors | |
| # the requirement of the meta rules that consume these sub-rules -- confirm. Without the | |
| # plugin the two names are left undefined, because there is no "0" fallback here. | |
9619 | ifplugin Mail::SpamAssassin::Plugin::FreeMail |
9620 | header __XMAIL_CODEIGN X-Mailer =~ /CodeIgniter/ | |
9621 | endif | |
9622 | ||
9623 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
9624 | header __XMAIL_PHPMAIL X-Mailer =~ /PHPMailer/ | |
9625 | endif | |
9626 | ||
fc5290a3 SI |
9627 | header __XM_APPLEMAIL X-Mailer =~ /^Apple Mail/ |
9628 | ||
46cfc9e2 SI |
9629 | header __XM_ASPQMAIL X-Mailer =~ /^AspQMail/ |
9630 | ||
b780ea8d SI |
9631 | header __XM_BALSA X-Mailer =~ /^Balsa \d/ |
9632 | ||
9633 | header __XM_CALYPSO X-Mailer =~ /^Calypso/ | |
9634 | ||
fc5290a3 SI |
9635 | header __XM_COMMUNIG X-Mailer =~ /^CommuniGate/ |
9636 | ||
b780ea8d SI |
9637 | header __XM_DIGITS_ONLY X-Mailer =~ /^\s*\d+\s*$/ |
9638 | ||
cabe596e SI |
9639 | header __XM_EC_MESSENGER X-Mailer =~ /\beC-Messenger\b/ |
9640 | ||
fc5290a3 SI |
9641 | header __XM_EDMAX X-Mailer =~ /^EdMax/ |
9642 | ||
9643 | header __XM_ELM X-Mailer =~ /^ELM/ | |
9644 | ||
9645 | header __XM_EMUMAIL X-Mailer =~ /^EMUmail/ | |
9646 | ||
9647 | header __XM_EXMH X-Mailer =~ /^exmh/ | |
9648 | ||
b780ea8d SI |
9649 | header __XM_FORTE X-Mailer =~ /^Forte Agent \d/ |
9650 | ||
9651 | header __XM_GNUS X-Mailer =~ /^Gnus v/ | |
9652 | ||
fc5290a3 SI |
9653 | header __XM_IMAIL X-Mailer =~ /^<IMail v\d/ |
9654 | ||
9655 | header __XM_LOTUSN X-Mailer =~ /^Lotus Notes/ | |
9656 | ||
9657 | header __XM_MAILCITY X-Mailer =~ /^MailCity Service/ | |
9658 | ||
9659 | header __XM_MAILSMITH X-Mailer =~ /^Mailsmith / | |
9660 | ||
b780ea8d SI |
9661 | header __XM_MHE X-Mailer =~ /^mh-e \d/ |
9662 | ||
fc5290a3 SI |
9663 | header __XM_MIMETOOLS X-Mailer =~ /^MIME-tools \d/i |
9664 | ||
b780ea8d SI |
9665 | header __XM_MOZ4 X-Mailer =~ /^Mozilla 4/ |
9666 | ||
fc5290a3 SI |
9667 | header __XM_MSCDO X-Mailer =~ /^Microsoft CDO/ |
9668 | ||
b780ea8d SI |
9669 | header __XM_MSOE5 X-Mailer =~ /^Microsoft Outlook Express 5/ |
9670 | ||
9671 | header __XM_MSOE6 X-Mailer =~ /^Microsoft Outlook Express 6/ | |
9672 | ||
fc5290a3 SI |
9673 | header __XM_MSOUT X-Mailer =~ /^Microsoft Outlook[, ]?\s?[BIC]/ #Build, IMO, CWS |
9674 | ||
b780ea8d SI |
9675 | header __XM_MS_IN_GENERAL X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/ |
9676 | ||
| # Each rule matches one exact X-Mailer string for a specific Outlook / Outlook Express | |
| # build, anchored at both ends with ^ and $. | |
| # NOTE(review): the dots in the version numbers are not escaped, so each "." matches any | |
| # single character rather than only a literal dot. The anchors keep the match narrow, but | |
| # "\." would state the intent exactly. | |
9677 | header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/ | |
9678 | ||
9679 | header __XM_OL_28001441 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.1441$/ | |
9680 | ||
9681 | header __XM_OL_28004682 X-Mailer =~ /^Microsoft Outlook Express 6.00.2800.4682$/ | |
9682 | ||
9683 | header __XM_OL_48072300 X-Mailer =~ /^Microsoft Outlook Express 5.50.4807.2300$/ | |
9684 | ||
9685 | header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/ | |
9686 | ||
fc5290a3 SI |
9687 | header __XM_OPERA6 X-Mailer =~ /^Opera 6/ |
9688 | ||
b780ea8d SI |
9689 | header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/ |
9690 | ||
fc5290a3 SI |
9691 | header __XM_PEGASUS X-Mailer =~ /^Pegasus Mail/ |
9692 | ||
b780ea8d SI |
9693 | header __XM_PHPMAILER_FORGED X-Mailer =~ /PHPMailer\s.*version\D+$/ |
9694 | ||
fc5290a3 SI |
9695 | header __XM_QUALCOM X-Mailer =~ /^QUALCOMM Windows Eudora/ |
9696 | ||
dfdd1e08 | 9697 | header __XM_RANDOM X-Mailer =~ /q(?!(?:q|box|i\s)?mail|\d|[-\w]*=+;)[^u]/i |
b780ea8d SI |
9698 | |
9699 | header __XM_SKYRI X-Mailer =~ /^SKYRiXgreen/ | |
9700 | ||
9701 | header __XM_SQRLMAIL X-Mailer =~ /^SquirrelMail/ | |
9702 | ||
9703 | header __XM_SYLPHEED X-Mailer =~ /^Sylpheed/ | |
9704 | ||
9705 | header __XM_UC_ONLY X-Mailer =~ /^[^a-z]+$/ | |
9706 | ||
46cfc9e2 SI |
9707 | header __XM_VERY_LONG X-Mailer =~ /.{50}/ |
9708 | ||
b780ea8d SI |
9709 | header __XM_VM X-Mailer =~ /^VM \d/ |
9710 | ||
9711 | header __XM_WWWMAIL X-Mailer =~ /^WWW-Mail \d/ | |
9712 | ||
9713 | header __XM_XIMEVOL X-Mailer =~ /^Ximian Evolution/ | |
9714 | ||
31955ede | 9715 | meta __XPRIO_MINFP __XPRIO && !__CT_ENCRYPTED && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__HAS_IMG_SRC && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__PHPMAILER_MUA && !__AC_TINY_FONT && !__HAS_PHP_SCRIPT && !__DOS_HAS_LIST_UNSUB && !__HAS_IMG_SRC_ONECASE && !__NAKED_TO && !__HAS_THREAD_INDEX && !__HAS_TNEF && !__HAS_SENDER && !__UNPARSEABLE_RELAY_COUNT && !__PDS_RDNS_MTA && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MX_MESSY && !__TO___LOWER && !__FROM_WORDY && !__RP_MATCHES_RCVD && !__DKIM_EXISTS && !__FROM_WEB_DAEMON && !__RDNS_SHORT && !__L_BODY_8BITS && !__HAS_X_SENDER |
b780ea8d SI |
9716 | |
9717 | meta __XPRIO_SHORT_SUBJ __XPRIO_MINFP && __SUBJ_SHORT | |
9718 | ||
46cfc9e2 SI |
9719 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader |
9720 | mimeheader __X_MSO_MT Content-Type =~ m,\bapplication/x-mso\b,i | |
9721 | endif | |
9722 | ||
b780ea8d SI |
9723 | body __YOUR_BANK /\byour?\s(?:full\s)?bank(?:ing)?\sinformations?\b/i |
9724 | ||
9725 | body __YOUR_CONSIGNMENT /\b(?:received?|pa(?:y|id)|sen[dt]|h[oe]ld|delay(?:ed)?|impound(?:ed)?|released?|ship(?:ped)?)\syour(?:\s\w+)?\sconsignment\b/i | |
9726 | ||
9727 | body __YOUR_FUND /\b(?:your|ihr)\s(?:unpaid\s|win+ing\s|ap+roved\s|foreign\s|overdue\s|outstanding\s|contract\s|inheritance\s|nicht\sausbezahlten\s){0,3}(?:fund|f\su\sn\sd|payment|geld)\b/i | |
9728 | ||
9729 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9730 | body __YOUR_ONAN /\b(?:your?|ihrer)\s(?:ma+s+t+[ur]+b+a+t+(?:ion|ing|e)(?:svideo)?|onanism|solitary\ssex|hand\sfucking|Selbstbefriedigung|(?:pleasur(?:e|ing)|satisfy(?:ing)?)\syourself)\b/i | |
9731 | endif | |
9732 | ||
9733 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9734 | body __YOUR_ONAN /(?:^|\s)(?:<Y><O><U><R>?|<I><H><R><E><R>)\s(?:<M>+<A>+<S>+<T>+(?:<U>|<R>)+<B>+<A>+<T>+(?:<I><O><N>|<I><N><G>|<E>)(?:<S><V><I><D><E><O>)?|<O><N><A><N><I><S><M>|<S><O><L><I><T><A><R><Y>\s<S><E><X>|<H><A><N><D>\s<F><U><C><K><I><N><G>|<S><E><L><B><S><T><B><E><F><R><I><E><D><I><G><U><N><G>|(?:<P><L><E><A><S><U><R>(?:<E>|<I><N><G>)|<S><A><T><I><S><F><Y>(?:<I><N><G>)?)\s<Y><O><U><R><S><E><L><F>)/i | |
9735 | endif | |
9736 | ||
| # __YOUR_PASSWORD matches phrases such as "your password" or "reset the e-mail password". | |
| # It has two mutually exclusive definitions: a plain regex when the ReplaceTags plugin is | |
| # not loaded, and a form written with per-letter <X> tags when it is. The tag definitions | |
| # and the replace_rules entry that expand those tags are not visible in this part of the | |
| # file. | |
| # NOTE(review): the two forms are not exact equivalents. The plain form ends in \b, while | |
| # the tag form has no trailing boundary after <W><O><R><D> and requires whitespace after | |
| # <P><S><W><D> -- confirm the difference is intended. | |
9737 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9738 | body __YOUR_PASSWORD /\b(?:your|(?:change|modify|update|reset|alter|fix)\sthe)\s(?:account\s|e-?mail\s)?(?:pass[-\s_]?word|pswd)\b/i | |
9739 | endif | |
9740 | ||
9741 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9742 | body __YOUR_PASSWORD /(?:^|\s)(?:<Y><O><U><R>|(?:<C><H><A><N><G><E>|<M><O><D><I><F><Y>|<U><P><D><A><T><E>|<R><E><S><E><T>|<A><L><T><E><R>|<F><I><X>)\s<T><H><E>)\s(?:<A><C><C><O><U><N><T>\s|<E>-?<M><A><I><L>\s)?(?:<P><A><S><S>[-\s_]?<W><O><R><D>|<P><S><W><D>\s)/i | |
9743 | endif | |
9744 | ||
9745 | body __YOUR_PERM /\byour\spermission\b/i | |
9746 | ||
| # __YOUR_PERSONAL: references to the recipient's private data, either "your <personal|private|social contact| | |
| # address|friends> <info|information|data|details|book|secrets>" or "all (of) your <files|contacts|secrets| | |
| # correspondence>". The first definition is used without ReplaceTags, the second with it. | |
| # NOTE(review): the plain form ends on \b, while the ReplaceTags form needs a following whitespace, "." or | |
| # "," character, so the phrase before other punctuation or at the very end of the text is matched by the | |
| # plain form only. Confirm this is intended. | |
9747 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9748 | body __YOUR_PERSONAL /\b(?:your\s(?:personal|private|social\scontact|address|friends)\s(?:info(?:rmation)?|data|details|book|secrets)|all\s(?:of\s)?your\s(?:files|contacts|secrets|correspondence))\b/i | |
9749 | endif | |
9750 | ||
9751 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9752 | body __YOUR_PERSONAL /(?:^|\s)(?:<Y><O><U><R>\s(?:<P><E><R><S><O><N><A><L>|<P><R><I><V><A><T><E>|<S><O><C><I><A><L>\s<C><O><N><T><A><C><T>|<A><D><D><R><E><S><S>|<F><R><I><E><N><D><S>)\s(?:<I><N><F><O>(?:<R><M><A><T><I><O><N>)?|<D><A><T><A>|<D><E><T><A><I><L><S>|<B><O><O><K>|<S><E><C><R><E><T><S>)|<A><L><L>\s(?:<O><F>\s)?<Y><O><U><R>\s(?:<F><I><L><E><S>|<C><O><N><T><A><C><T><S>|<S><E><C><R><E><T><S>|<C><O><R><R><E><S><P><O><N><D><E><N><C><E>))[\s\.,]/i | |
9753 | endif | |
9754 | ||
| # __YOUR_PROFIT: "you profit" or "your profit"; there is no trailing boundary, so longer words that start | |
| # with "profit" also match. | |
9755 | body __YOUR_PROFIT /\byour?\sprofit/i | |
9756 | ||
| # __YOUR_WEBCAM: one of from/your/with/and/on, then optionally "<screen|desktop|microphone> and " or "own ", | |
| # then web/front/network/your followed by "camera" (the "r" may repeat). Neither form has a trailing | |
| # boundary, so "cameras" matches as well. The first definition is used without ReplaceTags, the second with it. | |
9757 | if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags) | |
9758 | body __YOUR_WEBCAM /\b(?:from|your|with|and|on)\s(?:(?:screen|desktop|microphone)\sand\s|own\s)?(?:web[-\s]?|front[-\s]?|network\s|your\s)camer+a/i | |
9759 | endif | |
9760 | ||
9761 | ifplugin Mail::SpamAssassin::Plugin::ReplaceTags | |
9762 | body __YOUR_WEBCAM /(?:^|\s)(?:<F><R><O><M>|<Y><O><U><R>|<W><I><T><H>|<A><N><D>|<O><N>)\s(?:(?:<S><C><R><E><E><N>|<D><E><S><K><T><O><P>|<M><I><C><R><O><P><H><O><N><E>)\s<A><N><D>\s|<O><W><N>\s)?(?:<W><E><B>[-\s]?|<F><R><O><N><T>[-\s]?|<N><E><T><W><O><R><K>\s|<Y><O><U><R>\s)<C><A><M><E><R>+<A>/i | |
9763 | endif | |
9764 | ||
| # __YOU_ASSIST: English "your assistance" / "your assistant" or French "votre assistance" / "votre aide"; | |
| # "as+" accepts one or more "s", so the single-s misspelling matches too. | |
9765 | body __YOU_ASSIST /\b(?:your\sas+istan(?:ce|t)|votre\s(?:as+istance|aide))\b/i | |
9766 | ||
| # __YOU_INHERIT: "your", then at most 30 letters or whitespace characters, then "inheritance" (the "t" may | |
| # repeat). The gap is length-bounded, which limits how far the regex can scan from each "your". | |
9767 | body __YOU_INHERIT /\byour\s[a-z\s]{0,30}inherit+ance\b/i | |
9768 | ||
| # __YOU_WON: true when any of __YOU_WON_01..04 or __HAS_WON_01 hits, or when __YOU_WON_05 hits together | |
| # with __MOVE_MONEY or __GIVE_MONEY. __HAS_WON_01, __MOVE_MONEY and __GIVE_MONEY are defined outside this | |
| # part of the file. | |
9769 | meta __YOU_WON __YOU_WON_01 || __YOU_WON_02 || __YOU_WON_03 || __YOU_WON_04 || __HAS_WON_01 || (__YOU_WON_05 && (__MOVE_MONEY || __GIVE_MONEY)) | |
9770 | ||
| # __YOU_WON_01: "you" / "your" / "you've" / "you have" ... followed within two words by win, won, winner or | |
| # winning. The two negative lookaheads reject "won't", whether the apostrophe is the UTF-8 byte sequence | |
| # \xe2\x80\x99, an ASCII apostrophe, a backtick or the single byte \x92. | |
9771 | body __YOU_WON_01 /\byou(?:r|'re|'ve|'ll|\shave|\sdid)?\s(?:e-?mail\s)?(?:\w+\s){0,2}(?:a\s)?w[io]n+(?:er|ing)?(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i | |
9772 | ||
| # __YOU_WON_02: "win" or "won", optionally "for" or "by", then "you" or "your". | |
9773 | body __YOU_WON_02 /\bw[io]n\s(?:(?:for|by)\s)?your?\b/i | |
9774 | ||
| # __YOU_WON_03: a subject (you, winners, addresses, accounts, emails, ...) that "was / were / has been / | |
| # have been" randomly selected, chosen or picked, or selected as a winner. Every free-text gap in the | |
| # pattern carries an explicit upper length bound. | |
9775 | body __YOU_WON_03 /\b(?:your?|win+ing|win+ers?|beneficiaries|participants?|individuals?|address(?:es)?|accounts?|emails?)(?:\s[-a-z\s]{4,40})?\s(?:w(?:ere|as)|ha(?:ve|s) be(?:en)?)\s(?:automatically\s)?(?:(?:randomly|raffly)\s(?:selected|cho+sen|cho+sing|picked)|(?:selected|cho+sen|cho+sing|picked)\s(?:[a-z\s]{2,40}?\srandom(?:ly)?|online|lottery|computer\s(?:ballot|wahlgang))|(?:selected|cho+sen|cho+sing|picked)(?:\sas?|\sthe){0,3}\swin+er)/i | |
9776 | ||
| # __YOU_WON_04: French winner phrases. The accented vowels are accepted in several encodings: the two-byte | |
| # form (\xc3\xaa, \xc3\xa9), the single-byte form (\xea, \xe9), leftover quoted-printable text (=C3=AA, =E9) | |
| # and the unaccented letter. | |
9777 | body __YOU_WON_04 /\bqu[ei]\s?(?:vous (?:[\xc3][\xaa]|=C3=AA|[\xea]|e)tes\s?gagnant|en\scons(?:e|=E9|[\xe9]|[\xc3][\xa9])quence\sgagne)\b/i | |
9778 | ||
| # __YOU_WON_05: "I won" with the same "won't" exclusions as __YOU_WON_01; the meta above counts it only | |
| # when a money sub-rule also hits. | |
9779 | body __YOU_WON_05 /\bI won(?!\xe2\x80\x99t)(?![`'\x92]t)\b/i | |
9780 | ||
| # __ZIP_ATTACH_MT and __ZIP_ATTACH_NOFN each have two definitions. Without the MIMEHeader plugin the name | |
| # is defined as the constant 0, so it never hits (presumably so that rules referencing it still resolve - | |
| # confirm). With the plugin, the MIME part Content-Type headers are tested. | |
| # Both tests are keyed on the declared Content-Type only; these sub-rules do not inspect attachment content. | |
9781 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
9782 | meta __ZIP_ATTACH_MT 0 | |
9783 | endif | |
9784 | ||
| # Matches application/zip, application/x-compress, application/x-compressed, application/x-zip-compress | |
| # and application/x-zip-compressed. | |
9785 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9786 | mimeheader __ZIP_ATTACH_MT Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)\b,i | |
9787 | endif | |
9788 | ||
9789 | if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader) | |
9790 | meta __ZIP_ATTACH_NOFN 0 | |
9791 | endif | |
9792 | ||
| # Same media types, but the header value must end right after the type: only ";" and whitespace may | |
| # follow, so a Content-Type that carries any parameter (such as a name) does not match. | |
9793 | ifplugin Mail::SpamAssassin::Plugin::MIMEHeader | |
9794 | mimeheader __ZIP_ATTACH_NOFN Content-Type =~ m,\bapplication/(?:zip|x-(?:zip-)?compress(?:ed)?)[;\s]*$,i | |
9795 | endif | |
9796 | ||
| # __freemail_mailreplyto: passes the Mail-Reply-To header to the FreeMail plugin's check_freemail_header | |
| # eval. The rule exists only when the FreeMail plugin is loaded. | |
| # NOTE(review): no "meta ... 0" fallback for hosts without FreeMail is visible next to this rule; confirm | |
| # that rules referencing it are guarded the same way. | |
9797 | ifplugin Mail::SpamAssassin::Plugin::FreeMail | |
9798 | header __freemail_mailreplyto eval:check_freemail_header('Mail-Reply-To') | |
9799 | endif | |
9800 | ||
| # __hk_bigmoney: a currency marker (EUR/EURO, US/USD, GBP, CFA, the entity &#163;, the bytes \xa3 or \xa4, | |
| # "$", or "sum of"), up to four arbitrary characters, then either two groups of three digits with at most | |
| # one separator between them, or one to four digit/"."/"," characters followed by "M", "Mil" or "de Mil". | |
| # There is no leading word boundary, so a marker at the end of a longer word also matches. | |
9801 | body __hk_bigmoney /(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i | |
9802 | ||
| # __hk_win_*: short prize-notification and claim phrases, one unscored sub-rule per phrase. Every pattern | |
| # is case-insensitive and anchored with \b at its start only. The rule that combines them is not visible | |
| # in this part of the file. | |
21dcadbf SI |
9803 | body __hk_win_0 /\byour? e-?mail just w[oi]n/i |
9804 | ||
9805 | body __hk_win_2 /\battn.{0,10}winner/i | |
9806 | ||
9807 | body __hk_win_3 /\bhappily aa?nnounce/i | |
9808 | ||
9809 | body __hk_win_4 /\bpleas(?:ure|ed) to inform/i | |
9810 | ||
9811 | body __hk_win_5 /\b(?:notice the|your) winning/i | |
9812 | ||
9813 | body __hk_win_7 /\bcongratulations? to your/i | |
9814 | ||
9815 | body __hk_win_8 /\bunexpected luck/i | |
9816 | ||
| # NOTE(review): the group "(?:nl )" has no "?", so this matches "lucky nl number" but not "lucky number". | |
| # Confirm that the group was not meant to be optional. | |
9817 | body __hk_win_9 /\blucky (?:nl )number/i | |
9818 | ||
9819 | body __hk_win_a /\bwinning (?:e-?mail|numbers|information)/i | |
9820 | ||
9821 | body __hk_win_b /\byour e-?mail (?:address )?(?:has )?w[io]n/i | |
9822 | ||
9823 | body __hk_win_c /\bune adresse e-?mail sur internet/i | |
9824 | ||
9825 | body __hk_win_d /\bcategory (?:\S{0,5} )?winner of our/i | |
9826 | ||
9827 | body __hk_win_i /\bfunds? transfer/i | |
9828 | ||
9829 | body __hk_win_j /\b(?:winning|ready for|sum) pay ?out/i | |
9830 | ||
9831 | body __hk_win_l /\b(?:make|file) (?:for )?your claim/i | |
9832 | ||
| # NOTE(review): the "." in "r.clamation" stands in for the accented letter and matches exactly one | |
| # character. If the body is matched as raw UTF-8 bytes the accented letter is two bytes and will not match; | |
| # confirm against the normalize_charset setting in use. | |
9833 | body __hk_win_m /\br.clamation de votre prix/i | |
9834 | ||
9835 | body __hk_win_n /\bcollect your prize/i | |
9836 | ||
9837 | body __hk_win_o /\bclarification and procedure/i | |
9838 | ||
| # __smf_freemail_hdr_replyto: passes 'Reply-To:addr' to the FreeMail plugin's check_freemail_header eval; | |
| # the ":addr" modifier selects the address part of the Reply-To header. The rule exists only when the | |
| # FreeMail plugin is loaded. | |
b780ea8d SI |
9839 | ifplugin Mail::SpamAssassin::Plugin::FreeMail |
9840 | header __smf_freemail_hdr_replyto eval:check_freemail_header('Reply-To:addr') | |
9841 | endif |