##{ AC_FROM_MANY_DOTS
meta AC_FROM_MANY_DOTS __AC_FROM_MANY_DOTS_MINFP
-#score AC_FROM_MANY_DOTS 3.000 # limit
+#score AC_FROM_MANY_DOTS 2.500 # limit
describe AC_FROM_MANY_DOTS Multiple periods in From user name
tflags AC_FROM_MANY_DOTS publish
##} AC_FROM_MANY_DOTS
describe AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait
##} AXB_XMAILER_MIMEOLE_OL_024C2
+##{ AXB_X_FF_SEZ_S
+
+header AXB_X_FF_SEZ_S X-Forefront-Antispam-Report =~ /\bSFV\:SPM\b/
+describe AXB_X_FF_SEZ_S Forefront sez this is spam
+##} AXB_X_FF_SEZ_S
+
##{ BANKING_LAWS
body BANKING_LAWS /banking laws/i
tflags BITCOIN_IMGUR publish
##} BITCOIN_IMGUR
-##{ BITCOIN_MALF_HTML
-
-meta BITCOIN_MALF_HTML HTML_EXTRA_CLOSE && (__BITCOIN || __BITCOIN_ID)
-describe BITCOIN_MALF_HTML Bitcoin + malformed HTML
-#score BITCOIN_MALF_HTML 3.500 # limit
-##} BITCOIN_MALF_HTML
-
##{ BITCOIN_MALWARE
meta BITCOIN_MALWARE __BITCOIN_ID && __MY_MALWARE && !BITCOIN_EXTORT_01 && !__NOT_SPOOFED
tflags BITCOIN_PAY_ME publish
##} BITCOIN_PAY_ME
-##{ BITCOIN_PDF
-
-meta BITCOIN_PDF __BITCOIN && __PDF_ATTACH
-describe BITCOIN_PDF "Bitcoin" + PDF attachment
-#score BITCOIN_PDF 2.500 # limit
-##} BITCOIN_PDF
-
##{ BITCOIN_SPAM_01
meta BITCOIN_SPAM_01 __BITCOIN_ID && HTML_MIME_NO_HTML_TAG
endif
##} BITCOIN_SPF_ONLYALL if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
+##{ BITCOIN_TOEQFM
+
+meta BITCOIN_TOEQFM __BITCOIN_TOEQFM
+describe BITCOIN_TOEQFM Bitcoin + To same as From
+#score BITCOIN_TOEQFM 3.500 # limit
+##} BITCOIN_TOEQFM
+
+##{ BITCOIN_VISTA
+
+meta BITCOIN_VISTA __BITCOIN && __VISTA_MSGID
+describe BITCOIN_VISTA Bitcoin + old MSFT msgid format
+#score BITCOIN_VISTA 3.500 # limit
+##} BITCOIN_VISTA
+
##{ BITCOIN_WFH_01
meta BITCOIN_WFH_01 __BITCOIN_WFH_01
describe DRUGS_HDIA Subject mentions "hoodia"
##} DRUGS_HDIA
+##{ DSN_NO_MIMEVERSION
+
+meta DSN_NO_MIMEVERSION (__BOUNCE_RPATH_NULL && !__MIME_VERSION)
+describe DSN_NO_MIMEVERSION Return-Path <> and no MIME-Version: header
+#score DSN_NO_MIMEVERSION 2
+##} DSN_NO_MIMEVERSION
+
##{ DX_TEXT_02
body DX_TEXT_02 /\b(?:change|modif(?:y|ications?)) (?:of|to|(?:yo)?ur) (?:message|sub|comm) stat/i
tflags FACEBOOK_IMG_NOT_RCVD_FB publish
##} FACEBOOK_IMG_NOT_RCVD_FB
-##{ FAKE_REPLY_A1
-
-meta FAKE_REPLY_A1 (__SUBJ_RE && __MISSING_REPLY && __MISSING_REF && __BOTH_INR_AND_REF)
-##} FAKE_REPLY_A1
-
-##{ FAKE_REPLY_B
-
-meta FAKE_REPLY_B (__SUBJ_RE && __MISSING_REPLY && __INR_AND_NO_REF)
-##} FAKE_REPLY_B
-
##{ FAKE_REPLY_C
meta FAKE_REPLY_C (__SUBJ_RE && __MISSING_REF && __NO_INR_YES_REF)
tflags FRNAME_IN_MSG_XPRIO_NO_SUB publish
##} FRNAME_IN_MSG_XPRIO_NO_SUB
-##{ FROMSPACE
-
-describe FROMSPACE Idiosyncratic "From" header format
-header FROMSPACE From:raw =~ /^\s?\"\s/
-##} FROMSPACE
-
-##{ FROM_2_EMAILS_SHORT
-
-meta FROM_2_EMAILS_SHORT __KAM_BODY_LENGTH_LT_512 && (__PDS_FROM_2_EMAILS || __NAME_EMAIL_DIFF)
-describe FROM_2_EMAILS_SHORT Short body and From looks like 2 different emails
-#score FROM_2_EMAILS_SHORT 3.0 # limit
-##} FROM_2_EMAILS_SHORT
-
##{ FROM_ADDR_WS
meta FROM_ADDR_WS __FROM_ADDR_WS && !__RCD_RDNS_MTA_MESSY && !ANY_BOUNCE_MESSAGE && !__FROM_ENCODED_QP && !__RCD_RDNS_MAIL
describe FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
##} FROM_MISSP_MSFT
+##{ FROM_MISSP_PHISH
+
+meta FROM_MISSP_PHISH __FROM_MISSP_PHISH && !__DOS_HAS_LIST_UNSUB
+describe FROM_MISSP_PHISH Malformed, claims to be from financial organization - possible phish
+#score FROM_MISSP_PHISH 3.500 # limit
+##} FROM_MISSP_PHISH
+
##{ FROM_MISSP_REPLYTO
meta FROM_MISSP_REPLYTO __FROM_MISSP_REPLYTO && !__NOT_SPOOFED && !__RCD_RDNS_MTA_MESSY && !__TO___LOWER && !__COMMENT_EXISTS && !__UNSUB_LINK && !__MIME_QP && !__CTYPE_MULTIPART_ALT && !__JM_REACTOR_DATE && !__PLING_QUERY && !__DOS_HAS_LIST_UNSUB
endif
##} FROM_MISSP_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
+##{ FROM_MISSP_TO_UNDISC
+
+meta FROM_MISSP_TO_UNDISC (__FROM_RUNON && __TO_UNDISCLOSED)
+describe FROM_MISSP_TO_UNDISC From misspaced, To undisclosed
+##} FROM_MISSP_TO_UNDISC
+
##{ FROM_MISSP_USER
meta FROM_MISSP_USER (__FROM_RUNON && NSL_RCVD_FROM_USER)
describe FROM_MISSP_USER From misspaced, from "User"
##} FROM_MISSP_USER
-##{ FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
+##{ FROM_MISSP_XPRIO
-if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
- meta FROM_MULTI_NORDNS __FROM_MULTI_NORDNS
- describe FROM_MULTI_NORDNS Multiple From addresses + no rDNS
-endif
-##} FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
+meta FROM_MISSP_XPRIO (__XPRIO && __FROM_MISSPACED) && !__LYRIS_EZLM_REMAILER
+describe FROM_MISSP_XPRIO Misspaced FROM + X-Priority
+#score FROM_MISSP_XPRIO 2.500 # limit
+##} FROM_MISSP_XPRIO
##{ FROM_NEWDOM_BTC if (version >= 3.004001) ifplugin Mail::SpamAssassin::Plugin::AskDNS
header FSL_FAKE_HOTMAIL_RVCD X-Spam-Relays-External =~ /mx[1234]\.hotmail\.com/
##} FSL_FAKE_HOTMAIL_RVCD
+##{ FSL_HAS_TINYURL
+
+uri FSL_HAS_TINYURL /tinyurl\.com\//
+##} FSL_HAS_TINYURL
+
##{ FSL_HELO_BARE_IP_1
meta FSL_HELO_BARE_IP_1 __FSL_HELO_BARE_IP_1 && !ALL_TRUSTED
endif
##} FUZZY_SECURITY ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+##{ FUZZY_TRUSTWALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+
+ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+ meta FUZZY_TRUSTWALLET __FUZZY_TRUSTWALLET_BODY || __FUZZY_TRUSTWALLET_FROM
+ describe FUZZY_TRUSTWALLET Obfuscated "Trust Wallet", probable phishing
+ tflags FUZZY_TRUSTWALLET publish
+endif
+##} FUZZY_TRUSTWALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+
##{ FUZZY_UNSUBSCRIBE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
endif
##} FUZZY_WALLET ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+##{ FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+
+ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+ meta FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
+ describe FUZZY_WELLSFARGO Obfuscated "Wells Fargo"
+ tflags FUZZY_WELLSFARGO publish
+endif
+##} FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+
##{ GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
endif
##} GAPPY_SALES_LEADS_FREEM if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
-##{ GB_BITCOIN_NH
+##{ GB_BITCOIN_CP
-meta GB_BITCOIN_NH ( __BITCOIN_ID && !__URL_BTC_ID && ( __NEVER_HEAR_EN || __NEVER_HEAR_IT ) )
-describe GB_BITCOIN_NH Localized Bitcoin scam
-#score GB_BITCOIN_NH 3.0 # limit
-##} GB_BITCOIN_NH
+meta GB_BITCOIN_CP ( __GB_BITCOIN_CP_DE || __GB_BITCOIN_CP_ES || __GB_BITCOIN_CP_EN || __GB_BITCOIN_CP_FR || __GB_BITCOIN_CP_IT || __GB_BITCOIN_CP_NL || __GB_BITCOIN_CP_SE )
+describe GB_BITCOIN_CP Localized Bitcoin scam
+#score GB_BITCOIN_CP 3.0 # limit
+##} GB_BITCOIN_CP
##{ GB_CUSTOM_HTM_URI if (version >= 4.000000) if can(Mail::SpamAssassin::Conf::feature_capture_rules)
##{ GB_GOOGLE_OBFUR
-uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.([a-z]{2,3})\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=([0-9])*\&(cad=rja\&uact=([0-9]+)\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(&usg=.{1,50})?/
+uri GB_GOOGLE_OBFUR /^https:\/\/www\.google\.[a-z]{2,3}\/url\?sa=t\&rct=j\&q=\&esrc=s\&source=web\&cd=(?:[0-9])*\&(?:cad=rja\&uact=[0-9]+\&ved=.{1,50}\&)?url=https?:\/\/.{1,50}(?:&usg=.{1,50})?/
describe GB_GOOGLE_OBFUR Obfuscate url through Google redirect
#score GB_GOOGLE_OBFUR 0.75 # limit
tflags GB_GOOGLE_OBFUR publish
##} GB_GOOGLE_OBFUR
-##{ GB_GOOGLE_TRANSL
-
-uri GB_GOOGLE_TRANSL /^https?:\/\/.{10,64}\-(ipfs|xn\-)\-.{2,20}\.translate\.goog\/.{4}\//
-describe GB_GOOGLE_TRANSL Obfuscate url through Google Translate
-#score GB_GOOGLE_TRANSL 0.75 # limit
-##} GB_GOOGLE_TRANSL
-
##{ GB_HASHBL_BTC if (version >= 3.004003) ifplugin Mail::SpamAssassin::Plugin::HashBL
if (version >= 3.004003)
tflags HAS_X_OUTGOING_SPAM_STAT publish
##} HAS_X_OUTGOING_SPAM_STAT
+##{ HDRS_LCASE_IMGONLY
+
+meta HDRS_LCASE_IMGONLY __HDRS_LCASE && __HTML_IMG_ONLY && !__HDRS_LCASE_KNOWN
+describe HDRS_LCASE_IMGONLY Odd capitalization of message headers + image-only HTML
+#score HDRS_LCASE_IMGONLY 0.10 # limit
+##} HDRS_LCASE_IMGONLY
+
##{ HDRS_MISSP
meta HDRS_MISSP __HDRS_MISSP && !ALL_TRUSTED && !(__FROM_ALL_HEX && __SUBJECT_PRESENT_EMPTY)
header HELO_FRIEND X-Spam-Relays-External =~ /^[^\]]+ helo=friend /i
##} HELO_FRIEND
+##{ HELO_LH_HOME
+
+header HELO_LH_HOME X-Spam-Relays-External =~ /^[^\]]+ helo=\S+\.(?:home|lan) /i
+##} HELO_LH_HOME
+
##{ HELO_LH_LD
header HELO_LH_LD X-Spam-Relays-External =~ /^[^\]]+ helo=localhost\.localdomain /i
header HELO_LOCALHOST X-Spam-Relays-External =~ /^[^\]]+ helo=localhost /i
##} HELO_LOCALHOST
+##{ HELO_MISC_IP
+
+meta HELO_MISC_IP (__HELO_MISC_IP && !HELO_DYNAMIC_IPADDR && !HELO_DYNAMIC_IPADDR2 && !HELO_DYNAMIC_SPLIT_IP && !HELO_DYNAMIC_HCC && !HELO_DYNAMIC_DIALIN && ((TVD_RCVD_IP4 + TVD_RCVD_IP + __FSL_HELO_BARE_IP_2) <2))
+describe HELO_MISC_IP Looking for more Dynamic IP Relays
+#score HELO_MISC_IP 0.25
+##} HELO_MISC_IP
+
##{ HELO_NO_DOMAIN
meta HELO_NO_DOMAIN __HELO_NO_DOMAIN && !HELO_LOCALHOST
##{ HK_NAME_DRUGS
-header HK_NAME_DRUGS From:name =~ /(viagra|\bcialis|cialis\b)/mi
+header HK_NAME_DRUGS From:name =~ /(?:viagra|\bcialis|cialis\b)/mi
describe HK_NAME_DRUGS From name contains drugs
#score HK_NAME_DRUGS 2
##} HK_NAME_DRUGS
+##{ HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
+
+ifplugin Mail::SpamAssassin::Plugin::FreeMail
+if (version >= 3.004000)
+ meta HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM
+# score HK_NAME_FM_MR_MRS 1.5
+endif
+endif
+##} HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
+
##{ HK_NAME_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
tflags HK_SCAM publish
##} HK_SCAM
-##{ HK_WIN
-
-meta HK_WIN ((__hk_win_2 + __hk_win_3 + __hk_win_4 + __hk_win_5 + __hk_win_7 + __hk_win_8 + __hk_win_9 + __hk_win_0 + __hk_win_a + __hk_win_b + __hk_win_c + __hk_win_d + __hk_win_i + __hk_win_j + __hk_win_l + __hk_win_m + __hk_win_n + __hk_win_o) >= 2)
-#score HK_WIN 1
-##} HK_WIN
-
##{ HOSTED_IMG_DIRECT_MX
-meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS
+meta HOSTED_IMG_DIRECT_MX __HOSTED_IMG_DIRECT_MX && !__DKIM_EXISTS && !__HDR_RCVD_AMAZON
#score HOSTED_IMG_DIRECT_MX 3.500 # limit
describe HOSTED_IMG_DIRECT_MX Image hosted at large ecomm, CDN or hosting site, message direct-to-mx
tflags HOSTED_IMG_DIRECT_MX publish
##{ HOSTED_IMG_MULTI
-meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS
+meta HOSTED_IMG_MULTI __HOSTED_IMG_MULTI && !__DKIM_EXISTS && !__RCD_RDNS_MAIL
#score HOSTED_IMG_MULTI 3.000 # limit
describe HOSTED_IMG_MULTI Multiple images hosted at different large ecomm, CDN or hosting sites, free image sites, or redirected
tflags HOSTED_IMG_MULTI publish
tflags HOSTED_IMG_MULTI_PUB_01 publish
##} HOSTED_IMG_MULTI_PUB_01
+##{ HREF_EMPTY_NORDNS
+
+meta HREF_EMPTY_NORDNS __HREF_EMPTY_NORDNS
+describe HREF_EMPTY_NORDNS Empty href + no rDNS
+#score HREF_EMPTY_NORDNS 2.500 # limit
+tflags HREF_EMPTY_NORDNS publish
+##} HREF_EMPTY_NORDNS
+
+##{ HREF_EMPTY_PHPMAIL
+
+meta HREF_EMPTY_PHPMAIL __HREF_EMPTY_PHPMAIL
+describe HREF_EMPTY_PHPMAIL Empty href + PHP Mailer
+#score HREF_EMPTY_PHPMAIL 2.500 # limit
+tflags HREF_EMPTY_PHPMAIL publish
+##} HREF_EMPTY_PHPMAIL
+
+##{ HREF_EMPTY_XANTIABUSE
+
+meta HREF_EMPTY_XANTIABUSE __HREF_EMPTY_XANTIABUSE
+describe HREF_EMPTY_XANTIABUSE Empty href + X-AntiAbuse
+#score HREF_EMPTY_XANTIABUSE 2.500 # limit
+tflags HREF_EMPTY_XANTIABUSE publish
+##} HREF_EMPTY_XANTIABUSE
+
+##{ HREF_EMPTY_XAUTHED
+
+meta HREF_EMPTY_XAUTHED __HREF_EMPTY_XAUTHED
+describe HREF_EMPTY_XAUTHED Empty href + X-Authenticated-Sender
+#score HREF_EMPTY_XAUTHED 2.500 # limit
+tflags HREF_EMPTY_XAUTHED publish
+##} HREF_EMPTY_XAUTHED
+
+##{ HTML_BADATTR
+
+describe HTML_BADATTR Illegal char in HTML attribute name
+rawbody HTML_BADATTR /<[a-z]{1,10}\s[^>]{1,80}\/(?:src|href)\s*\=/
+#score HTML_BADATTR 1
+tflags HTML_BADATTR publish
+##} HTML_BADATTR
+
##{ HTML_ENTITY_ASCII
meta HTML_ENTITY_ASCII __HTML_ENTITY_ASCII_MINFP
endif
##} HTTPS_HTTP_MISMATCH ifplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
+##{ IMG_DIRECT_TO_MX
+
+meta IMG_DIRECT_TO_MX __DOS_DIRECT_TO_MX && __JPEG_ATTACH && __ONE_IMG && __IMG_LE_300K
+##} IMG_DIRECT_TO_MX
+
##{ IMG_ONLY_FM_DOM_INFO
meta IMG_ONLY_FM_DOM_INFO __HTML_IMG_ONLY && __FROM_DOM_INFO
header KB_RATWARE_OUTLOOK_MID ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]{8}\@.{100,400}boundary="----=_NextPart_000_...._\1\.\2"/msi
##} KB_RATWARE_OUTLOOK_MID
+##{ KHOP_FAKE_EBAY
+
+meta KHOP_FAKE_EBAY __EBAY_ADDRESS && !__NOT_SPOOFED
+describe KHOP_FAKE_EBAY Sender falsely claims to be from eBay
+##} KHOP_FAKE_EBAY
+
##{ KHOP_HELO_FCRDNS
meta KHOP_HELO_FCRDNS __HELO_NOT_RDNS && !(__VIA_ML || __freemail_safe || __RCVD_IN_DNSWL || __NOT_SPOOFED || __RDNS_SHORT)
tflags LINKEDIN_IMG_NOT_RCVD_LNKN publish
##} LINKEDIN_IMG_NOT_RCVD_LNKN
+##{ LIST_PARTIAL_SHORT_MSG
+
+meta LIST_PARTIAL_SHORT_MSG __LIST_PARTIAL_SHORT_MSG && !__DKIM_EXISTS
+describe LIST_PARTIAL_SHORT_MSG Incomplete mailing list headers + short message
+#score LIST_PARTIAL_SHORT_MSG 2.500 # limit
+##} LIST_PARTIAL_SHORT_MSG
+
##{ LIST_PRTL_PUMPDUMP
meta LIST_PRTL_PUMPDUMP __LIST_PRTL_PUMPDUMP && !__DKIM_EXISTS
uri LIVEFILESTORE m~livefilestore.com/~
##} LIVEFILESTORE
+##{ LONGLN_LOW_CONTRAST
+
+meta LONGLN_LOW_CONTRAST __LONGLN_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_ERRORS_TO && !__TRAVEL_ITINERARY
+describe LONGLN_LOW_CONTRAST Excessively long line + hidden text
+#score LONGLN_LOW_CONTRAST 2.500 # limit
+##} LONGLN_LOW_CONTRAST
+
##{ LONG_HEX_URI
meta LONG_HEX_URI __128_HEX_URI && !__LCL__KAM_BODY_LENGTH_LT_1024
##{ LONG_TERM_PRICE
-body LONG_TERM_PRICE /long\W+term\W+(target|projected)(\W+price)?/i
+body LONG_TERM_PRICE /long\W+term\W+(?:target|projected)(?:\W+price)?/i
##} LONG_TERM_PRICE
##{ LOOPHOLE_1
header L_SPAM_TOOL_13 Date =~ /\s[+-]\d(?![2358]45)\d[124-9]\d$/
##} L_SPAM_TOOL_13
+##{ MALFORMED_FREEMAIL
+
+meta MALFORMED_FREEMAIL (MISSING_HEADERS||__HDRS_LCASE) && FREEMAIL_FROM
+describe MALFORMED_FREEMAIL Bad headers on message from free email service
+##} MALFORMED_FREEMAIL
+
##{ MALF_HTML_B64
meta MALF_HTML_B64 MIME_BASE64_TEXT && HTML_MIME_NO_HTML_TAG
endif
##} MALW_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+##{ MANY_HDRS_LCASE
+
+describe MANY_HDRS_LCASE Odd capitalization of multiple message headers
+#score MANY_HDRS_LCASE 0.10 # limit
+##} MANY_HDRS_LCASE
+
+##{ MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
+
+if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
+ meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
+endif
+##} MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
+
+##{ MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
+
+ifplugin Mail::SpamAssassin::Plugin::FreeMail
+ meta MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
+endif
+##} MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
+
##{ MANY_SPAN_IN_TEXT
meta MANY_SPAN_IN_TEXT __MANY_SPAN_IN_TEXT && !__VIA_ML
tflags MANY_SPAN_IN_TEXT publish
##} MANY_SPAN_IN_TEXT
+##{ MANY_SUBDOM
+
+meta MANY_SUBDOM __MANY_SUBDOM && !__JM_REACTOR_DATE && !__UNSUB_LINK && !__VIA_ML && !NO_RELAYS && !__UPPERCASE_URI && !__MIME_QP
+describe MANY_SUBDOM Lots and lots of subdomain parts in a URI
+##} MANY_SUBDOM
+
+##{ MAY_BE_FORGED
+
+meta MAY_BE_FORGED __MAY_BE_FORGED && !__NOT_SPOOFED && !__VIA_ML
+describe MAY_BE_FORGED Relay IP's reverse DNS does not resolve to IP
+##} MAY_BE_FORGED
+
##{ MID_DEGREES
header MID_DEGREES Message-ID =~ /^<\d{14}\.[A-F0-9]{10}\@[A-Z0-9]+>$/
##{ MIXED_HREF_CASE
-meta MIXED_HREF_CASE __MIXED_HREF_CASE_JH
+meta MIXED_HREF_CASE __MIXED_HREF_CASE && !__LYRIS_EZLM_REMAILER && !__HAS_LIST_ID
describe MIXED_HREF_CASE Has href in mixed case
#score MIXED_HREF_CASE 2.000 # limit
tflags MIXED_HREF_CASE publish
#score MONEY_FROM_MISSP 2.000 # limit
##} MONEY_FROM_MISSP
+##{ MONEY_NOHTML
+
+meta MONEY_NOHTML LOTS_OF_MONEY && __CT_TEXT_PLAIN
+describe MONEY_NOHTML Lots of money in plain text
+#score MONEY_NOHTML 2.500 # limit
+##} MONEY_NOHTML
+
##{ MSGID_DOLLARS_URI_IMG
meta MSGID_DOLLARS_URI_IMG __MSGID_DOLLARS_URI_IMG && !__THREADED && !__HS_SUBJ_RE_FW
#score MSGID_MULTIPLE_AT 0.001
##} MSGID_MULTIPLE_AT
-##{ MSMAIL_PRI_ABNORMAL
+##{ MSGID_NOFQDN1
-meta MSMAIL_PRI_ABNORMAL __MSMAIL_PRI_ABNORMAL && !ALL_TRUSTED && !__ANY_OUTLOOK_MUA && !__HAS_THREAD_INDEX && !__DKIM_EXISTS && !__MSOE_MID_WRONG_CASE && !__HAS_X_MAILER && !__HAS_UA && !__MSMAIL_PRI_HIGH
-describe MSMAIL_PRI_ABNORMAL Email priority often abused
-#score MSMAIL_PRI_ABNORMAL 1.500 # limit
-##} MSMAIL_PRI_ABNORMAL
+meta MSGID_NOFQDN1 __MSGID_NOFQDN1
+describe MSGID_NOFQDN1 Message-ID with no domain name
+##} MSGID_NOFQDN1
##{ MSM_PRIO_REPTO
meta MSOE_MID_WRONG_CASE (__XM_OUTLOOK_EXPRESS && __MSOE_MID_WRONG_CASE && !__MIMEOLE_1106)
##} MSOE_MID_WRONG_CASE
-##{ NAME_EMAIL_DIFF
-
-meta NAME_EMAIL_DIFF __NAME_IS_EMAIL && ! __NAME_EQ_EMAIL
-describe NAME_EMAIL_DIFF Sender NAME is an unrelated email address
-##} NAME_EMAIL_DIFF
-
##{ NA_DOLLARS
body NA_DOLLARS /\b(?:\d{1,3})?Million\b.{0,40}\b(?:Canadian Dollar?s?|US\$|U\.? ?S\.? Dollar)/i
tflags NICE_REPLY_A nice
##} NICE_REPLY_A
+##{ NORDNS_LOW_CONTRAST
+
+meta NORDNS_LOW_CONTRAST __NORDNS_LOW_CONTRAST && !ALL_TRUSTED && !__HAS_CID && !__THREADED
+describe NORDNS_LOW_CONTRAST No rDNS + hidden text
+#score NORDNS_LOW_CONTRAST 2.500 # limit
+##} NORDNS_LOW_CONTRAST
+
##{ NOT_SPAM
body NOT_SPAM /\b(?:(?:this (?:e?-?mail|message)|we) (?:is not|are not|cannot be considered) Spam|ESTE CORREO NO PUEDE SER CONSIDERADO (?:INTRUSIVO|spam)|Diese Nachricht ist KEIN SPAM)/i
endif
##} PART_CID_STOCK_LESS ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
-##{ PDS_BRAND_SUBJ_NAKED_TO
+##{ PDS_BAD_THREAD_QP_64
-meta PDS_BRAND_SUBJ_NAKED_TO __NAKED_TO && __PDS_TO_BRAND_SUBJECT && !MAILING_LIST_MULTI
-describe PDS_BRAND_SUBJ_NAKED_TO Subject starts with To: brand and naked To:
-#score PDS_BRAND_SUBJ_NAKED_TO 1.0
-##} PDS_BRAND_SUBJ_NAKED_TO
+meta PDS_BAD_THREAD_QP_64 __PDS_QP_64 && __HAS_THREAD_INDEX && !__THREAD_INDEX_GOOD
+describe PDS_BAD_THREAD_QP_64 Bad thread header - short QP
+#score PDS_BAD_THREAD_QP_64 1.0
+##} PDS_BAD_THREAD_QP_64
##{ PDS_BTC_ID
#score PDS_DBL_URL_TNB_RUNON 2.0
##} PDS_DBL_URL_TNB_RUNON
+##{ PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
+ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+if (version >= 3.004000)
+meta PDS_EMPTYSUBJ_URISHRT __URL_SHORTENER && __SUBJECT_EMPTY && __PDS_MSG_1024
+describe PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener
+#score PDS_EMPTYSUBJ_URISHRT 1.5 # limit
+endif
+endif
+##} PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
+##{ PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
+ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+if (version >= 3.004000)
+meta PDS_FREEMAIL_REPLYTO_URISHRT __URL_SHORTENER && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
+describe PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener
+#score PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit
+endif
+endif
+##} PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
##{ PDS_FRNOM_TODOM_DBL_URL
meta PDS_FRNOM_TODOM_DBL_URL PDS_FROM_NAME_TO_DOMAIN && __PDS_DOUBLE_URL
tflags PDS_HELO_SPF_FAIL net
##} PDS_HELO_SPF_FAIL
-##{ PDS_RDNS_DYNAMIC_FP
+##{ PDS_HP_HELO_NORDNS
-meta PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC && !__PDS_RDNS_MTA
-#score PDS_RDNS_DYNAMIC_FP 0.01
-describe PDS_RDNS_DYNAMIC_FP RDNS_DYNAMIC with FP steps
-##} PDS_RDNS_DYNAMIC_FP
+meta PDS_HP_HELO_NORDNS RDNS_NONE && __HELO_HIGHPROFILE
+describe PDS_HP_HELO_NORDNS High profile HELO with no sender rDNS
+#score PDS_HP_HELO_NORDNS 1.0
+##} PDS_HP_HELO_NORDNS
-##{ PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
+##{ PDS_NAKED_TO_NUMERO
-meta PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE FREEMAIL_FORGED_REPLYTO && __PDS_TONAME_EQ_TOLOCAL
-describe PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE Forged replyto and __PDS_TONAME_EQ_TOLOCAL
-#score PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE 2.0 # limit
-##} PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
+meta PDS_NAKED_TO_NUMERO __NAKED_TO && __NUMBERONLY_TLD
+describe PDS_NAKED_TO_NUMERO Naked-to, numberonly domain
+#score PDS_NAKED_TO_NUMERO 2.0
+##} PDS_NAKED_TO_NUMERO
-##{ PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
+##{ PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
- meta PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER
- describe PDS_TO_EQ_FROM_NAME From: name same as To: address
+if (version >= 3.004002)
+ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD')
+#score PDS_OTHER_BAD_TLD 2.0
+describe PDS_OTHER_BAD_TLD Untrustworthy TLDs
+endif
+endif
+##} PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+
+##{ PDS_PHP_EVAL
+
+meta PDS_PHP_EVAL __PDS_PHP_EVAL1
+describe PDS_PHP_EVAL PHP header shows eval'd code
+#score PDS_PHP_EVAL 1.5
+##} PDS_PHP_EVAL
+
+##{ PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
+ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+if (version >= 3.004000)
+meta PDS_TINYSUBJ_URISHRT __URL_SHORTENER && __SUBJ_SHORT && __PDS_MSG_1024
+describe PDS_TINYSUBJ_URISHRT Short subject with URL shortener
+#score PDS_TINYSUBJ_URISHRT 1.5 # limit
endif
-##} PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
+endif
+##} PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
+##{ PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
+
+meta PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE __PDS_TONAME_EQ_TOLOCAL && __HDRS_LCASE
+describe PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE To: name matches everything in local email - LCASE headers
+#score PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE 2.0 # limit
+##} PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
##{ PHISH_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
tflags PHP_ORIG_SCRIPT publish
##} PHP_ORIG_SCRIPT
+##{ PHP_ORIG_SCRIPT_EVAL
+
+meta PHP_ORIG_SCRIPT_EVAL __PHP_ORIG_SCRIPT_EVAL
+describe PHP_ORIG_SCRIPT_EVAL From suspicious PHP source
+#score PHP_ORIG_SCRIPT_EVAL 3.000 # limit
+##} PHP_ORIG_SCRIPT_EVAL
+
##{ PHP_SCRIPT
meta PHP_SCRIPT __HAS_PHP_SCRIPT && !ALL_TRUSTED && !__PHP_NOVER_MUA && !__TO___LOWER && !__MIME_BASE64 && !__HAS_ANY_EMAIL && !__L_CTE_7BIT
tflags RCVD_DOTEDU_SHORT publish
##} RCVD_DOTEDU_SHORT
+##{ RCVD_DOTEDU_SUSP
+
+meta RCVD_DOTEDU_SUSP __RCVD_DOTEDU_SUSP && !__HAS_X_LOOP && !__HAS_X_REF
+describe RCVD_DOTEDU_SUSP Via .edu MTA + suspicious content
+#score RCVD_DOTEDU_SUSP 2.000 # limit
+##} RCVD_DOTEDU_SUSP
+
##{ RCVD_DOTEDU_SUSP_URI
meta RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_SUSP_URI
header RCVD_FORGED_WROTE2 Received =~ /from [0-9.]+ \(HELO \S+[A-Za-z]+\) by (\S+) with esmtp \(\S+\s\S+\) id \S{6}-\S{6}-\S\S for \S+@\1;/s
##} RCVD_FORGED_WROTE2
+##{ RCVD_IN_IADB_COURT ifplugin Mail::SpamAssassin::Plugin::DNSEval
+
+ifplugin Mail::SpamAssassin::Plugin::DNSEval
+header RCVD_IN_IADB_COURT eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.130')
+describe RCVD_IN_IADB_COURT IADB: Court-ordered email
+tflags RCVD_IN_IADB_COURT net nice
+endif
+##} RCVD_IN_IADB_COURT ifplugin Mail::SpamAssassin::Plugin::DNSEval
+
##{ RCVD_IN_IADB_DK ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
endif
##} RCVD_IN_IADB_GOODMAIL ifplugin Mail::SpamAssassin::Plugin::DNSEval
+##{ RCVD_IN_IADB_LEG_MAND ifplugin Mail::SpamAssassin::Plugin::DNSEval
+
+ifplugin Mail::SpamAssassin::Plugin::DNSEval
+header RCVD_IN_IADB_LEG_MAND eval:check_rbl_sub('iadb-firsttrusted', '127.3.200.120')
+describe RCVD_IN_IADB_LEG_MAND IADB: Legally mandated email
+tflags RCVD_IN_IADB_LEG_MAND net nice
+endif
+##} RCVD_IN_IADB_LEG_MAND ifplugin Mail::SpamAssassin::Plugin::DNSEval
+
##{ RCVD_IN_IADB_LISTED ifplugin Mail::SpamAssassin::Plugin::DNSEval
ifplugin Mail::SpamAssassin::Plugin::DNSEval
tflags RDNS_NUM_TLD_XM publish
##} RDNS_NUM_TLD_XM
-##{ READY_TO_SHIP
-
-body READY_TO_SHIP /(?:(?:in our (?:stock|warehouse|store|storage facility)(?: today| now| right away)?[.,:]\s|our (?:\w+,? ){2,8}(?:is |now )+)Ready (?:to (?:be )?|for )+(?:ship|send|deliver)|ready (?:for shipping|to (?:ship|send)) (?:(?:in|from|by) our (?:warehouse|stock|stor(?:e|age))|(?:to|for)(?: global(?:ly)?| worldwide| customers){2})|(?:(?:our|this|a|great|fine|wonderful|cool|popular) new product|we have(?: \w+){1,6} available|ready) in (?:our )?(?:warehouse|stock|stor(?:e|age))|just arrived in our (?:warehouse|stor(?:e|age))|we will (?:contact the (?:warehouse|logistics|store|storage(?: facility)) to )?arrange (?:the )?(?:shipment|delivery)|a new (?:\w+ ){1,3}in our (?:warehouse|storage)|this (?:new )?(?:merchandise|product|item) is (?:now )?(?:ready (?:to ship )?|available )(?:at|in|from) our (?:warehouse|stock|stor(?:e|age)))/i
-#score READY_TO_SHIP 1.250 # limit
-##} READY_TO_SHIP
-
##{ REPLYTO_WITHOUT_TO_CC
meta REPLYTO_WITHOUT_TO_CC (__HAS_REPLY_TO && !__TOCC_EXISTS)
##{ REPTO_419_FRAUD
-header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:ibrahimtafa)\@abienceinvestmentsfze\.com|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:jessikasingh|lawmensa|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:jefferson)\@athenaeumbd\.com|(?:(?:bllphillips|desousafam05))\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:cbn)\@cbofficialmail\.cf|(?:2015(?:5765|648[48]))\@ce\.pucmm\.edu\.do|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:mundo_seguros)\@contorli\.site|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:brunoso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|i(?:lanasoloshneor|nfo90000)|joseramonjr1|mynewmission|r(?:e(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))|onconway)))\@daum\.net|(?:blythemasters)\@digitalassetholding\.org|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|facebook\.instructor|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|walter_anderson))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:juliairis)\@gmx\.net|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:christgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:bo_li)\@imgrantfunds\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|m(?:\.wood|ingmui0012)|offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:info)\@intarpol-int\.online|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|kateclough1|mriamchombo1968))\@mail\.com|(?:ayishagddafio?)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:managing\-director_schaefflergroup)\@mariaelisabeth\.gisb\.com\.my|(?:doo\.yusin)\@matherline-trade\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:lindsaytrembley)\@oimail\.com|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:info)\@onlinepch\.com|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:martinahrivnakova)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:(?:charitylisajohnrobinson700|leonardbain|stwrightsmaxinvestment))\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|garethbull808|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:msn)\@resrubini\.com|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:clory)\@technet\.it|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:info\.(?:clev\.frb|imfamerica)|policyaddmin\.file))\@usa\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:laprimitivaes)\@zohomail\.eu)$/i
+header REPTO_419_FRAUD Reply-To:addr =~ /^(?![^\s<>@]+\@(?:(?:gmail|yahoo|outlook|hotmail|aol|yandex|protonmail|qq|consultant)\.com|yahoo\.co\.jp)(?:$|[>,\s]))(?:(?:mail)\@101private\.com|(?:(?:alfredcheuk002|mavis_wanczyk))\@126\.com|(?:(?:alfredcheuk_yuchow|ehagler))\@163\.com|(?:mathew\.yon2)\@abbsinvestment\.com|(?:wang)\@abconline\.hk|(?:ibrahimtafa)\@abienceinvestmentsfze\.com|(?:russia2018worldcuplotto5)\@accountant\.com|(?:midwestern)\@adexec\.com|(?:joxford)\@adm-irs\.com|(?:office)\@admntline\.ml|(?:(?:infovsa|maria\.louge|w(?:bfefft|n\.buffett)))\@aim\.com|(?:(?:attorneygeorgewalter|jessikasingh|lawmensa|travisalex))\@aliyun\.com|(?:(?:deanie_ron|mundo\.europe|richwetton))\@aol\.co\.uk|(?:mrssabah_ibrahim7)\@aol\.fr|(?:support)\@apostlesfoundation\.com|(?:jeromecgb12)\@asia\.com|(?:jefferson)\@athenaeumbd\.com|(?:(?:bllphillips|desousafam05))\@att\.net|(?:atendimento\-multiplus\-banco\-brasil)\@bb\.com|(?:(?:admin|info))\@bhleu\.com|(?:costruire)\@bigmat\.it|(?:susan\.lampard)\@bk\.ru|(?:(?:office\.uk|renataapsilva))\@bol\.com\.br|(?:onmydestiny18)\@boulevardmalls\.com|(?:luciamariacampbell)\@boximail\.com|(?:ochiaisatoruasistbank)\@brew-master\.com|(?:nicola)\@brighenti\.net|(?:mrshelen)\@btarneauds\.com|(?:inter01)\@c2\.hu|(?:judith_faulkner63)\@cash4u\.com|(?:cbn)\@cbofficialmail\.cf|(?:201(?:47237|5(?:5765|648[48])))\@ce\.pucmm\.edu\.do|(?:gregwingo)\@cheapnet\.it|(?:(?:andrelwotti|contact\.roycockrumgrantoffice|dbank12|fbipayment(?:50|600)|harunajim667|manuel\.rabelais|paul\.wilson|r(?:alphwjohnson|ev_markbless)|trustees101))\@citromail\.hu|(?:info)\@classicmail\.co\.za|(?:martin)\@claudiatrincado\.com|(?:irdi33)\@cock\.li|(?:federal_ministrayoffinance)\@comtube\.com|(?:cc(?:hendik|jjdesk))\@consultancydesk\.co\.ua|(?:mundo_seguros)\@contorli\.site|(?:(?:jones\-co|kellyzwo))\@cox\.net|(?:(?:investmentfince\.com|lottery(?:\.support|usa\.com)))\@cpn\.it|(?:(?:angelicainiguez|brunoso|lisatroutman))\@currently\.com|(?:(?:dmalpasswb|i(?:lanasoloshneor|nfo90000)|joseramonjr1|mynewmission|r(?:e(?:covered\-tax|em(?:2018|alhashimi|ealhashimi|hashimi2020))|onconway)))\@daum\.net|(?:info)\@dieterchwarz-charity\.com|(?:blythemasters)\@digitalassetholding\.org|(?:jorgezalesky)\@diplomats\.com|(?:bar_sahil)\@dominionassociates\.uk|(?:zahvoedir)\@donations\.christchurchliverpool\.xyz|(?:(?:abd\.aljassem|claimreview))\@dr\.com|(?:health\-support)\@drjohnashworthherbalmeds\.com|(?:atmpaymentcentttt)\@e-mail\.ua|(?:rogersteare02)\@e1\.ru|(?:jesusgacia)\@eclipso\.email|(?:davison\.warwick)\@eclipso\.eu|(?:(?:denbrink|facebook\.in(?:structor|tructor)|kathy_gerald1965|pch\.cliamdept))\@email\.com|(?:infoleonfredberbst)\@emailgroups\.net|(?:info)\@euro-pinnacle\.com|(?:(?:advancedsegurosespana|monitorunitbelgium))\@europe\.com|(?:us\.secretaryofstate)\@ex\.ua|(?:susanibrahim)\@exclusivemail\.co\.za|(?:lottomax)\@execs\.com|(?:jabufa)\@executivemail\.co\.za|(?:adam_moroney\.esq)\@fedco-usa\.com|(?:steven)\@federalreservebanks\.us|(?:jeferrey)\@financier\.com|(?:mrsdebbielevin)\@firemail\.de|(?:steve_dickson)\@firemail\.eu|(?:harry\.jones)\@firstbondcapital\.com|(?:admindepart)\@firstinlandbnkplc\.com|(?:info)\@fnconsultant\.biz|(?:(?:egolan2|gella1|qatardonations16|smadartsadik|tepnherve00))\@foxmail\.com|(?:zen)\@fpg\.com\.co|(?:mmpaulsmith145)\@frontier\.com|(?:mrchau1)\@gala\.net|(?:info)\@gcbonline\.co\.ua|(?:(?:bn|jb))\@getmaworldwide\.org|(?:info)\@gezimarkt\.com|(?:octaviancm)\@gmx\.co\.uk|(?:(?:ahmet\.broker|f(?:aridaomar|er3nrod1512)|kevin\-office|p\.hamedmoff|rosicboteruff|w(?:alter_anderson|esternunionrespond)))\@gmx\.com|(?:(?:fernrodyup12|harrish|miraiminaki))\@gmx\.fr|(?:juliairis)\@gmx\.net|(?:(?:arthur1alan|joxford))\@gmx\.us|(?:m(?:\.johnson10012|aryclayton123))\@googlemail\.com|(?:solotexglobalcouriercompany)\@groupesgb\.net|(?:raymondchanjp)\@hkmaltd\.org|(?:marketing)\@homebg\.in|(?:christgoldwilliams)\@hotmail\.fr|(?:gtakeshi)\@htisteel\.com|(?:alexgoodwill129)\@ibibo\.com|(?:bo_li)\@imgrantfunds\.com|(?:irdi33)\@inbox\.lt|(?:imffunds)\@inbox\.lv|(?:info\.fidelity\.finance)\@inbox\.ru|(?:(?:a\.josepaulino|jonardossantos|m(?:\.wood|ingmui0012)|offer2021|pierresgift_2021))\@indamail\.hu|(?:lizawong)\@infohsbc\.net|(?:info)\@intarpol-int\.online|(?:jacek_urbanski)\@irishdoorsystemsltd\.com|(?:sheikhwahab)\@islamicfb\.com|(?:mrsfatimahhassan[12])\@itbox\.ro|(?:contactme)\@jimmyofficial\.info|(?:info)\@johannaconsultancy\.com|(?:info)\@johnhenryorg\.com|(?:john)\@johnpedroconsults\.com|(?:(?:annzainab2022|h(?:ashimirrr22|re187390)|lotteryusa\.com|paulagonzalez|re(?:e(?:m\.alhashimi|ninvestor111)|mmhashimi)))\@kakao\.com|(?:europsenderscouriers)\@keemail\.me|(?:a015)\@laposte\.net|(?:johndavid)\@lawdistributionlimited\.com|(?:info)\@lbafltd\.com|(?:ecowascourt)\@legislator\.com|(?:fatih)\@leventsimsek\.com\.tr|(?:olivia_simon)\@lihat\.dds-akaun\.com|(?:pb\-2pb012)\@live\.co\.uk|(?:(?:financiero172|helen_galloway|markjohnson650))\@live\.com|(?:mr\.williamrigule)\@live\.fr|(?:miraminaki)\@lycos\.com|(?:drdanielmminele)\@magicmail\.co\.za|(?:andrewh1)\@mail2banker\.com|(?:bmwofficeinfo)\@mail2consultant\.com|(?:lanxianjun)\@mail2hongkong\.com|(?:bjic)\@mail2one\.com|(?:hwc2)\@mail2world\.com|(?:shillay)\@mail\.bg|(?:(?:a(?:isha\-gaddafi0|yishagddafio|zimhashim2018)|kateclough1|mriamchombo1968|philiproger101))\@mail\.com|(?:ayishagddafio?)\@mail\.ru|(?:(?:publishers_clearinghouse|rev\.williamschurch))\@mail\.uk|(?:mrcheongg2012)\@mailbox\.hu|(?:cb(?:nofficemail|officemail))\@mailsire\.com|(?:managing\-director_schaefflergroup)\@mariaelisabeth\.gisb\.com\.my|(?:doo\.yusin)\@matherline-trade\.com|(?:johannreimann)\@memeware\.net|(?:sarb_bnk086)\@meta\.ua|(?:miguel)\@miguel-sanchez\.com|(?:info)\@morbicera\.com|(?:anjer\.keith)\@ms-fsp-europe\.com|(?:cadpayout01)\@my\.com|(?:me)\@myprivatemail\.website|(?:stephanfalzer)\@myself\.com|(?:(?:benoitdageville2023|nancytseling|reem9999|wujames))\@naver\.com|(?:abel)\@nbdeil\.com|(?:jessicahunt1960)\@net-c\.com|(?:info)\@officepch\.com|(?:lindsaytrembley)\@oimail\.com|(?:(?:accountingdrg|emmy\.marty))\@onet\.eu|(?:(?:allanwoodmarko1|eco\.depo\.services|fred\.grenville))\@onet\.pl|(?:info)\@onlinepch\.com|(?:jarramos)\@ono\.com|(?:pablomancilla1)\@orange\.es|(?:info)\@ousos-elearning\.com|(?:schaefflermariaelisabeth)\@outlook\.de|(?:ahmed3khan)\@outlook\.fr|(?:info\-casino888\.com)\@ozu\.es|(?:info)\@peagent\.net|(?:andrew\.penning)\@penninglegalassociate\.com|(?:wood)\@poczta\.onet\.eu|(?:(?:m(?:aryjosen|boyaeth)|uncch\-info))\@post\.com|(?:martinahrivnakova)\@post\.cz|(?:ffundsremitunits)\@premiumtbnk\.com|(?:santiagomachado)\@presidency\.com|(?:(?:charitylisajohnrobinson700|leonardbain|noelldosi|stwrightsmaxinvestment))\@proton\.me|(?:ecowaspayoffice)\@protonmail\.ch|(?:uni1)\@rayana\.ir|(?:(?:franciscoperezc|garethbull808|mrsrose\.hill|robert\.cota|unionbatmpaymentsection))\@rediffmail\.com|(?:trust\-wallet)\@redirectionsdepartment\.xyz|(?:nidiabustamante)\@registerednurses\.com|(?:info)\@rehapmed\.com|(?:info)\@repsol\.org\.uk|(?:msn)\@resrubini\.com|(?:wanczykmavis101)\@rogers\.com|(?:elena\.santos)\@rollageoup\.com|(?:mrs\.rachel2013)\@safe-mail\.net|(?:deputygov_kuben)\@safrica\.com|(?:enqraward)\@sbcglobal\.net|(?:fbotha2009)\@secsuremail\.com|(?:francisbotha65)\@securesvsmail\.online|(?:smtpfox\-ys2n8)\@semillasdeamor\.com\.co|(?:wils)\@send\.com|(?:ibralsmma)\@seznam\.cz|(?:(?:jimyang77|kentpace))\@sina\.com|(?:stan)\@soborka\.net|(?:dycheseaan)\@sol\.dk|(?:info(?:04|1))\@sony\.com|(?:info\.jschneider)\@spainmail\.com|(?:mroliverbergmuellers)\@specialautokins\.com|(?:barrister_hans)\@stationlibraryjhelum\.com|(?:alexander)\@stny\.rr\.com|(?:fbidirector(?:11|wadc))\@superposta\.com|(?:anders\.karlsson)\@swedbankabgroup\.com|(?:insurance_contl)\@swissmail\.com|(?:nnbank)\@szm\.sk|(?:mhua)\@tbochk\.com|(?:clory)\@technet\.it|(?:billard\.thompson)\@thompsonlawassociates\.com|(?:fabio2016)\@tim\.it|(?:bobby\.william)\@tradent\.net|(?:lopez\.rios)\@udttld\.com|(?:2100973645smsgateway)\@ukraine\.wheat-farmers\.website|(?:info)\@un-grant\.info|(?:(?:david\.r\.malpass|info\.(?:clev\.frb|imfamerica)|kristinewellensteinn|policyaddmin\.file))\@usa\.com|(?:team)\@veraphanteepsuwan\.com|(?:dataphilanthropy)\@vipmail\.hu|(?:bmuczdh)\@virgilio\.it|(?:holt1231)\@w\.cn|(?:daydreamin)\@wanadoo\.fr|(?:weboffice05)\@web\.de|(?:portiaw)\@webbe\.work|(?:b(?:\-calebfirm2007|enklerk\-postpact2|oriscaleb121))\@webmail\.co\.za|(?:(?:elizabethlyonsfield|frboffice|jw\.ny\.frb))\@webmail\.hu|(?:verificationsector)\@webname\.com|(?:tbryant6)\@woh\.rr\.com|(?:henleywatkinss)\@y7mail\.com|(?:johnkwanghooi101)\@yahoo\.c|(?:chapelliermadeleine)\@yahoo\.ca|(?:arroblutt\.paymentoffice)\@yahoo\.cn|(?:bencook5511)\@yahoo\.co\.nz|(?:gloriamoses02)\@yahoo\.co\.th|(?:(?:abigailbanga1975|jeffwilliam207|owengreen70|samue95))\@yahoo\.co\.uk|(?:(?:changgordon946|thomaspeter227))\@yahoo\.com\.hk|(?:boa2cb)\@yahoo\.com\.vn|(?:contactus88\-00)\@yahoo\.es|(?:fortinsandrine)\@yahoo\.fr|(?:dr\.amelia\.george1)\@yandex\.ru|(?:(?:alfred_cheuk_chow|maviswanczyk01))\@yeah\.net|(?:(?:avaethan21|westernunion817))\@ymail\.com|(?:goldfish20123)\@zing\.vn|(?:jefflindsay)\@zoho\.com|(?:(?:benaffleck1977|monicadaniels909))\@zohomail\.com|(?:laprimitivaes)\@zohomail\.eu)$/i
describe REPTO_419_FRAUD Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD 3.000
tflags REPTO_419_FRAUD publish
##{ REPTO_419_FRAUD_AOL
-header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:brajjohn|f\.2[06]|ljaber111|meliageorge|nd(?:_bley|rew_hans)|rthur\.alan)|b(?:a(?:anidleewy|rr_luc)|claimdept)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|laimdept21|ristinabruno38|ustom_service58)|d(?:avid\.kms|hodgkins001|ianwaynie)|e(?:ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|isarobinson5\.0|orrainewirangee|ynnpage44)|m(?:_l\.wanczyk62|a(?:sayohara21|viswanczyk[do])|rs(?:isabelladzsesszika|janetedwards0001|safiagaddafi))|officework172|p(?:aulpollard2|otfolio\.management)|royalpalace2018|s(?:\.fofo|afiiagadafi|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|wattson\.renwick|yurdaaytarkan5))\@aol\.com$/i
+header REPTO_419_FRAUD_AOL Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:brajjohn|f\.2[06]|gneselizabethgiftfoundationssss|ljaber111|meliageorge|nd(?:_bley|rew_hans)|rthur\.alan)|b(?:a(?:anidleewy|rr_luc)|claimdept)|c(?:\.european|allumfoundation|h(?:anprivacy03|eungdavidd|ngeric|ristyruwalt)|laimdept21|ristinabruno38|ustom_service58)|d(?:avid\.kms|hodgkins001|ianwaynie)|e(?:ricalbertdpm|velynjoshua44)|f(?:d\.29|ernandezfernandez3|oundation\.charity)|g(?:arang\.rebeca|eorge_clifford4|roupfacility)|hernandezrosemary632|info\.dieter_charity|jmesaud|k\.doreen00|l(?:\.b162k|erynnewest99|isarobinson5\.0|orrainewirangee|ynnpage44)|m(?:_l\.wanczyk62|a(?:sayohara21|viswanczyk[do])|rs(?:isabelladzsesszika|janetedwards0001|safiagaddafi))|officework172|p(?:aulpollard2|otfolio\.management)|royalpalace2018|s(?:\.fofo|afiiagadafi|ovchan|pwalker721|t(?:aatsloterijnederlands|efano_pessina))|usembassy330|wattson\.renwick|yurdaaytarkan5))\@aol\.com$/i
describe REPTO_419_FRAUD_AOL Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_AOL 3.000
tflags REPTO_419_FRAUD_AOL publish
##{ REPTO_419_FRAUD_GM
-header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|7912richardtony|9porssts9|a(?:\.wafager1|b(?:d(?:97412345|u(?:kfahim|llahmundani019))|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976(?:algaddafi|gaddafi25)|gaddafiaam)|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|ure\.wawrenka1472)|m(?:bassadormarybethleonardl4|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:hony(?:alvaradollc|jblinken61)|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|ttohlawoffice\.tg|ustinbillmark9|w1614860|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|clarkephillips(?:2(?:02|4)|4[59])|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195))|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:a(?:pinolly|rtwrighttownhomesllc)|claimsa|elicerez|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavisdonation1))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|kaltschmidtmaureend|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|hsdevice|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick)|u(?:nsilva58|stinmoskovitz\.2facebook)|v\.metus)|e(?:benezero392|christina937|drunity|l(?:i(?:bethgomez(?:175|499)|sabethmaria600|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|p462558|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|iscamendoza960)|k(?:j(?:ane984|wangg)|linpiesie6)))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016))|b(?:528796|ill4880)|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|i(?:idp955|ocastano21)|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen)|h(?:a(?:r(?:gate2909|ryebert101)|s(?:h(?:imyreem78|mireem801)|sanalshujairy))|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321))|g(?:8669000|old8080)|i(?:ldad837|toshurui)|o(?:nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|bed627|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|ttcuckk)|gridrolle2)|rvinekim67|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esokoh82)|n(?:nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b(?:5406424|lsuntrust)|c2222222rrr|e(?:fferydean1960|nniannjhsonn|robtt)|josvu|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:athanhaskel377|hugo1964|monkssa)|seph(?:acevedo024|babatunde192|ichael41)|vannyanderson001|yce00011)|rawlings007|s4fernado|uliewatson975|w6935997)|k(?:a(?:dulinayulii(?:ia|a)|l(?:iaksandr5|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|rnkl1109|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|onidasresearch|rynne(?:0west99|west2289))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|nelink008|sa(?:milner001|robin117))|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran6(?:30|56)|uelfranco(?:727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26|tinesecurityusa)|kroth456|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|thewriaanza|u(?:hin52|noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt)|brons667|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|ss(?:\.(?:melisa\.mehmett|yasmineibrahim101)|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati)|nmalarge|oham(?:edabdul1717|m(?:daljililati1|edshamekh24))|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee)|cjames001|d517341|eric(?:franck|schmid4002)|hanimuhammad627|jamesmc6|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|olsenjanett|su(?:sanread12|zarawanmaling))|a(?:ishaalqadafi1976|ngela454)|catherineyokes|dominiquethomas7777|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|lleach)|lisamilner08|m(?:a(?:ureens847|yaoliver31)|ugan)|r(?:eem362|obinsanders185|uthsmith9900)|sarahbenjamin103|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|viktorzubkovv)|s(?:\.ellagolan56|agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffic(?:e(?:\.012123|rricherd876|windowterms)|ialserviceuae)|hallkenneth1|marinyandeng|nufoundationclaims|pcwkdw|xfaminternationa1980)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018))|b(?:ph202lay2|rookk0)|e(?:130304|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|olloke|r(?:imecapitalfianceltd|o1nvstream)|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymondaba200)|e(?:alyh596|beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|icha(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|josh200000|main2028|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ddicklana561|ssiaworldcuppromo))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid(?:09|7000))|nchoscozfifa|rfiafarfask7)|cott(?:henryjames91|peters7989)|e(?:cretservicce[78]|rgeantrobertbrown1)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler2009)|ery(?:\.gtl131|etr03)|inawatrathaksin93)|im(?:lkheng5|onhei47)|op(?:adam3|hiajesse41)|peelman1972|t(?:anleyjohn1469|e(?:phen(?:7tam|tam1(?:47|6))|venchamberonline))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:a(?:mmywebster24|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|erryparkins11|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:derleyen52|kponguko|marukareem8|n(?:claimedfunds554|itednation(?:organization70|s(?:8182|councilrefunds)))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|c5000dle|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iamsmartyrs888))|kfinancialservice|orldbankregionalmanageroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|o(?:ngkm00|usefzongo5722))|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i
+header REPTO_419_FRAUD_GM Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:01marviswanczyk|1magnumsecuritiesllc|7912richardtony|9porssts9|a(?:\.wafager1|b(?:d(?:97412345|u(?:kfahim|llahmundani019))|u(?:lkareem461|shadi0004))|c(?:count\.optionsmr\.jonasarmstrong|ecere001)|d(?:iallo\.boa|rabidiahmed)|isha(?:1976(?:algaddafi|gaddafi25)|gaddafi(?:aam|sdaughter))|l(?:\.jo60691737|an\.austin(?:041|223)|ex(?:anderpeterson4499|hoffman3319)|ghafrij13|icedoris0000|kasimunadi221|l(?:enholden121|isoncluade11)|nizmaria|ure\.wawrenka1472)|m(?:bassadormarybethleonardl4|ericadeliverycomapny1(?:300|800)|ina(?:ltwaijiri02|medjahed95))|n(?:d(?:rewumehunitedbankforafrica|yfox0022)|n(?:a(?:llee091|sigurlaug458)|ettrevor|jenijohnsonn)|t(?:hony(?:alvaradollc|jblinken61)|o(?:meuenio|niopaco20consultant)))|office1office1|r(?:adka01|chibaldhamble|thur11alan)|shwestwood7|t(?:mcarddepartment0024|tohlawoffice\.tg)|ustinbillmark9|w1614860|z(?:i(?:m(?:\.h(?:ashim\.premj|premji13)|hashim(?:2018|donation2019))|z(?:dake0|george50))|zedineguessous))|b(?:a(?:nkcentralasiahalobca34|ochang7a|r(?:bersmadar75|clays\.kenya\.bank|rister(?:\.fidelisokafor|clarkephillips(?:2(?:02|4)|4[59])|lordruben94)|teld\.huisman01))|bongo593|e(?:alitoniua9|linekra1|n(?:ezero392|gatl80|jaminsarah195)|tsyholden940)|ill\.lawrence0747|laisevodoun|mw(?:automobile242|officeline)|o(?:arddept0|cchenyi)|r(?:andy\.heavenscenttt|endalaporte112)|uff(?:ettwarrene21|ookj)|w1832621)|c(?:1nicele|a(?:pinolly|rtwrighttownhomesllc)|claimsa|elicerez|h(?:a(?:ngching885|r(?:itylisajohnrobinson41|l(?:es(?:luenga01|wrightdepartments)|tonnewmanus1)))|e(?:mchung1011|nchung1011)|ienkwongp)|iticonsultantjohncg0|kruger00017|l(?:axtonpaul00|s79408)|o(?:l(?:edavid77032|husseinharmuchc(?:cj|j)|ombasjuan53)|mp(?:asationsettlement|ensationcommitteboard)|n(?:sult(?:matthias|sto\.u)|tactad00[04]))|pt\.eugenebarash|r(?:abbechambers|ist(?:bru(?:05|n05)|davis67|i1537bru|ydavis(?:donation1|foundation0101)))|ustomerservicelacaixa2)|d(?:29laws|a(?:n(?:008629|i(?:el35508109|shlokija)|n(?:uar4|ydan24532))|tukannuarbinmusa|vi(?:d(?:\.loanfirm18|kaltschmidtmaureend|larbi11|pere337|r(?:amirez\.luis9012|ikhen))|scarolyn334|yax98))|cole77032|e(?:n(?:iwalts|nisclark659)|partmentofstate123|tlefeckhardd)|hsdevice|i(?:ane\.s\.wojcicki|gitalassetholding|plomatsshenry)|minique200|o(?:minicahkye|na(?:ldwilliam1988|tionhelpercare5))|r(?:\.meirh|abodid|davidrhama221|jamesdee|kennedyuzo|meier\.heidi?|owenfrederick)|u(?:breuilgmbh|nsilva58|stinmoskovitz\.2facebook)|v\.metus|willslevens)|e(?:benezero392|christina937|drunity|l(?:i(?:bethgomez(?:175|499)|sabeth(?:gmuer11|maria600)|zabethedw0)|o(?:diesawadogo123|tocashoffice1?))|m(?:2keld|efiele(?:328|g757)|ilyrichmond391)|ngr\.des01|r(?:e(?:nakgeorge123|zcelic0)|ioncarter\.private)|stherkatherine1960|vgpatmow|wynn284)|f(?:\.mikhail025|a(?:ithdesrie511|tme\.mehmed001)|blott47|e(?:deralreservebankdallasdst|lix88995)|g0067333|irstbank(?:49966|6669|k49666)|j569282|l(?:556249|uhmann\.dn)|oundations\.west|p462558|r(?:a(?:100dub132|n(?:c(?:espatrickconnolly(?:5050|4)|iscamendoza960)|k(?:j(?:ane984|ody2|wangg)|linpiesie6)))|eelottosweepstake51)|spero8[02]|u(?:lanlan28|ngg1w))|g(?:00gleggewinner19|a(?:b(?:albertoassociates|riel(?:eschmitt002|kalia1102))|r(?:ciavincent500|ethbull112016))|b(?:528796|ill4880)|e(?:neralwilliamstony990|orgekwame481|raldjhjh11)|i(?:idp955|ocastano21)|l(?:enmoore0011|oriachow5052)|o(?:dfreyscottdonation|glegewinnerteam|o(?:dnessxtra|golteam2019|oglegwiinner219))|r(?:aceobia001|e(?:ant311|energeoffrey776))|veraallen|w522834)|h(?:a(?:r(?:gate2909|ryebert101)|s(?:h(?:imyreem78|mireem801)|sanalshujairy)|uperthilbigbeate|zimissa03)|e(?:atherbrooeke101|cto(?:alon|r(?:castillos653|scastillo6))|l(?:en(?:adamsidaho|giggs88)|pdesk47321))|g(?:8669000|old8080)|i(?:ldad837|toshurui)|o(?:nmackjohn518|rnbeckmajordennis63[478]|seoky(?:34|9))|sbchgm|uichmh)|i(?:1955smael|amannjejosonn|b(?:ed627|rahimelizabeth654)|mf(?:deputyoff000|grantinter)|n(?:fo(?:\.(?:a(?:bogadosmfontana|nnedouglas10)|g00gleclaim|marviswanczyk360|ulmusau)|64240|asminternationalpk|bankofamerikaa|dessk\.dfwairportonline|fdrserve|t(?:ech4st255|tcuckk))|gridrolle2)|rvinekim67|smail(?:eman874|tarkan533))|j(?:35809121|a(?:6002932|888179|m(?:alpriv8un|esokoh82)|n(?:nsjonifer|usensecureprivate)|sonyeungchiwai|vierlesme001)|b(?:5406424|lsuntrust)|c2222222rrr|e(?:fferydean1960|nniannjhsonn|robtt)|josvu|k3311131|m(?:3461128|powellfr)|o(?:edward023|hn(?:\.wilde\.oneplusfinance|a9577|griffn818|nietaylor242|paton\.alphafmc|r(?:awlings956|oxfordjr1)|son(?:deba|wilson(?:389|490))|uba234|walterlove2010)|monkzza|n(?:athanhaskel377|hugo1964|monkssa)|seph(?:acevedo024|babatunde192|ichael41)|vannyanderson001|yce00011)|rawlings007|s4fernado|u(?:liewatson975|sticellawgroup)|w6935997)|k(?:a(?:dulinayulii(?:ia|a)|l(?:iaksandr5|tschmidtdavid8)|malnizar000|rabo\.ramala39|t(?:ebaron(?:barr|xq)|jamess043|rinaziako56))|en(?:mckenziejr|nedy\.sawadogo19)|halidbuhazza99|js09376|kasbu790|o(?:ntakt\.claim|tokairportcargo|watsusho\.co\.ltd\.jp)|r(?:istinewellenstein024|nkl1109)|un(?:gwei7777|ioue28))|l(?:a(?:rrytoms200|ursent892|w(?:officealouancooparation|rencefoundation30))|blackshirepm|e(?:enasinghs97|onidasresearch|rynne(?:0west99|west(?:2289|5412)))|i(?:amfinchus(?:11|3)|ezlnatashavanessa|fecshortt63|li(?:ane\.bettencourt1945|ianchrstph)|nelink008|sa(?:milner001|robin117))|john6132|o(?:ganntomas|rrainewirengee|ughreymargaret67)|p319765|s(?:arbn01|chantal86)|u(?:ckywinners2018|sba\.moored2019)|w94059|y(?:\.cheapiseth909|diawright836|n(?:\.arthur011|cmba440|nmkl3332)))|m(?:a(?:bel\.manaku|ckenzbezos|damkoenig\.ruhama1b|incare655|j(?:ialfutt|or(?:dennishornbeck53|townsend01))|kaltschmidt|ll(?:am\.mlawal|etman2021)|mastar33m|n(?:ankovefimovich|duesq58|fran6(?:30|56)|uelfranco(?:727|donation02|foundation0|spende8))|r(?:i(?:a(?:111dembele|27idemba|3(?:31lucas|51lucas)|hhills00)|opabl26|tinesecurityusa)|kroth456|shalh011|tin(?:amayer903|eziglesiasabogados|jrschwarz)|y(?:franson56|josen(?:62|81)))|thewriaanza|u(?:hin52|noveutileina|rhinck11?)|viswan(?:142|czyk(?:01478|1(?:19|987)|4(?:89|5)|775|foundation45|k112))|xaajn|ydetratt)|brons667|c(?:\.cheadychang76|kenthando)|dredban775|e(?:044386|l(?:aniekreiss1971|lagolan|vidabullock5))|gfrederick80|husameddine|i(?:c(?:h(?:ael\.woosley1972|eal(?:sjohnj|wuu002))|paulla|w954)|k(?:e\.weirsky\.foundational001|h(?:\.fridman|ai(?:\.fridman261|lfridm32)))|ntonjustin98|ss(?:\.(?:aminaibrahim|melisa\.mehmett|yasmineibrahim101)|yaelronen))|jminabii|k(?:ent7117|untjoro52)|m(?:1086771|argaritalouisdreyfus|ohammadaljllilati|rstephen16)|nmalarge|oham(?:edabdul1717|m(?:daljililati1|edshamekh24))|r(?:\.(?:elbahi\.mohammed\.2021|justinmaxwell09|lusee)|cjames001|d517341|eric(?:franck|schmid4002)|hanimuhammad627|jamesmc6|morgangomez56|r(?:echardthomas|ichardanthony1)|s(?:\.(?:janetolsen?|marinakuznetsov|olsenjanett|su(?:sanread12|zarawanmaling))|a(?:ishaalqadafi1976|ngela454|shaalqaddfi117)|catherineyokes|dominiquethomas7777|evelynbrown7|fatimaamiraqureshi1983|gezeria|h(?:amima60|ristinemadeleine)|isabelladz|j(?:ackman123|lleach)|lisamilner08|m(?:a(?:riaelizabethscheffle98|ureens847|yaoliver31)|ugan)|r(?:eem362|obinsanders185|uthsmith9900)|sarahbenjamin103|v(?:eraaellen|ictoriaedmond03))|tomcrist\.ca|viktorzubkovv)|s(?:\.ellagolan56|agent02|golaan4|smadar44)|u(?:ali000111|stadris22)|y(?:burghhugohendrik|racbally))|n(?:aomiiwasaki181|ckniem|eilt(?:9108|rotter968)|icholas\.jose73|obuyuki\.hirano128|tawdglobal|v637245)|o(?:\.peace004|3344nb|ffic(?:e(?:\.012123|rricherd876|windowterms)|ialserviceuae)|hallkenneth1|lenasheve73|marinyandeng|nufoundationclaims|pcwkdw|xfaminternationa1980)|p(?:a(?:trick(?:\.efcc|andfrancessconnolly)|ul(?:eed1969|n8018))|b(?:ph202lay2|rookk0)|e(?:130304|ndingredirections|rezdonlorenzo336|t(?:er(?:\.waddell204|guggi0|kenin73?|stephen4040)|ronasofficepromo))|good60000|hillip\.richead218|ilz37754|olloke|r(?:imecapitalfianceltd|o1nvstream)|trsvermeulen|w178483)|q(?:iquanzhou7|nzeng1)|r(?:19772744|677gfd|a(?:johnfernn|kidy23|lhashimi78|ymondaba200)|e(?:alyh596|beccagarang11|em(?:has(?:himy(?:1978|mail)|m044)|n(?:2214|asser003302))|lpandemic|mittanceofficeasaba|neehii\.omb|plyback00|v(?:\.jamesabel1|ernestcebi|fr(?:ankjackson91|paulwilliams2)))|icha(?:miller18|rd(?:lustig4u|w(?:ahl511|il(?:lis815|son19091))))|josh200000|main2028|o(?:b(?:erthanandez6655|inf036)|naldmorris786|s(?:a\.gomes0044|ekipkalya934))|raya9989|svcdusan|t(?:\.rev\.ericmark05|honrichardshepherd)|u(?:ddicklana561|ssiaworldcuppromo))|s(?:a(?:chingrams|l(?:ehhussienconsult1|imzaid(?:09|7000))|nchoscozfifa|rfiafarfask7)|cott(?:henryjames91|peters7989)|e(?:cretservicce[78]|rgeantrobertbrown1)|g(?:\.offiice\.group|t(?:\.monicab03|ireneb2))|h(?:a(?:msiahmohamadyunusbnegara|nemissler(?:2009|3))|ery(?:\.gtl131|etr03)|inawatrathaksin93)|im(?:lkheng5|onhei47)|op(?:adam3|hiajesse41)|p(?:agentrose|eelman1972)|t(?:anleyjohn1469|e(?:phen(?:7tam|tam1(?:47|6))|venchamberonline))|u(?:iyang(?:\.boc|02)|n\.hor20|san(?:freeman112x|neklatten502)|zana111bah)|weeneyjohnson384)|t(?:a(?:mmywebster24|y(?:ebsouami0|lorcathy362))|ch33555|davalvse|e(?:nreyrosilvana54|rryparkins11)|h(?:ailandbankoffice01|e(?:ara\.choy2|odorosloannis9))|imothymetheny01|lyerdonald613|mason9w4r|o(?:m(?:\.cristdonor|ander231|c(?:hrist1995|rist(?:52|donation12|foundation99|world))|spende480)|ny(?:\.chung760|zimpro11)|pchronodesk|shikazusendo101)|p2911220|tkhan69s)|u(?:derleyen52|kponguko|marukareem8|n(?:claimedfunds554|ited(?:bankforafrica\.plc102|nation(?:organization70|s(?:8182|councilrefunds))))|s(?:alotery2|departmentofjustice80))|v(?:a(?:mamakazlegalchambers|nderwesthuizen560)|e(?:enapatel883|linagreen|neerchris20003|r(?:a(?:aellen7|hollinkvan0)|enichekaterinaekaterina4))|i(?:ctoriaabraham2310|dalpamela85|ngut170|pjeferrey)|johannes271|n935990|owpovertyfoundation)|w(?:a(?:dp4726|hlr(?:5990|ichard18)|ldibeatesieberhagen|nczykm61|rrenebuffett2)|b(?:271981|6159980)|c5000dle|ellensteinfoundation251|hatsappofficial001|i(?:elandherzog\.sw\.herad16|ll(?:clark(?:2618|629)|iamsmartyrs888))|kfinancialservice|orldbankregionalmanageroffice|u\.office212|ww\.moneygram9054)|y(?:\.oguzhan011|anghoseok5|doo974|inglukshinawtra|o(?:ngkm00|usefzongo5722))|z(?:bank8876|enithbankplconline98|kiaslan1963|minhong65|ubkovmrviktor)))\@gmail\.com$/i
describe REPTO_419_FRAUD_GM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_GM 3.000
tflags REPTO_419_FRAUD_GM publish
##{ REPTO_419_FRAUD_HM
-header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|licewalton7653|n(?:ikal01|nagray00)|zezul\.idrisazezulidris)|c(?:h(?:angxinjuan|oi21)|laytousey)|d(?:l13139|r\.dukanalycoulibaly)|egorbunova22|faxttransfer\.skyebk\.service\.care\.th|infos(?:43|8)|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|ulihongm)|mr(?:abrahambeniamfc|pedrohilldonations|s(?:\.chantal_bill|micheleallison2003))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|powen10001|quickcashloansservices|s(?:a(?:jda\.andleeb|nchamps798)|ulaimaninfante)|t(?:ashacap|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i
+header REPTO_419_FRAUD_HM Reply-To:addr =~ /^(?=[^\s<>@]+\@hotmail\.com)(?:(?:a(?:brahambeniam|licewalton7653|n(?:ikal01|nagray00)|zezul\.idrisazezulidris)|c(?:h(?:angxinjuan|oi21)|laytousey)|d(?:ealings100|l13139|r\.dukanalycoulibaly)|egorbunova22|f(?:axttransfer\.skyebk\.service\.care\.th|ridmanmikhail511)|infos(?:43|8)|katabettencourt2018|l(?:e(?:a_edem|galcosme|wisarm44)|ulihongm)|m(?:oneygrampayfund|r(?:abrahambeniamfc|pedrohilldonations|s(?:\.chantal_bill|micheleallison2003)))|n(?:inajohn226|waigwe2765)|ocbc\-ba\-nkonline|powen10001|quickcashloansservices|s(?:a(?:jda\.andleeb|nchamps798)|tuboardgntdirector|ulaimaninfante)|t(?:a(?:baka_williamshsbbc|shacap)|omashntr)|unb(?:2015|int)|yostinbellamohammad))\@hotmail\.com$/i
describe REPTO_419_FRAUD_HM Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_HM 3.000
tflags REPTO_419_FRAUD_HM publish
##{ REPTO_419_FRAUD_OL
-header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|b(?:rahamwilliamsonrpsltduk|s0000200)|lbertchebe|ndrewgamble7)|b(?:asidris|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|k(?:aujong|officollins)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:_elizabeth20|michelleallison|roseallen))|spvt2020)|philcohen0012|r(?:ichardwahlfreegrant|obertleeonly01)|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i
+header REPTO_419_FRAUD_OL Reply-To:addr =~ /^(?=[^\s<>@]+\@outlook\.com)(?:(?:a(?:16u71|b(?:rahamwilliamsonrpsltduk|s0000200)|lbertchebe|ndrewgamble7)|b(?:asidris|etty\.c_investment|illgfile203)|c(?:bforeignremitdept|harlie\.j\.goodmand|laimunit\.facebook|ompensationfunding)|d(?:eborahleeconsult|hl(?:customercares|express\.fastservice)|onation_dept|rjonathankuku)|e(?:benezernonyeagwuceozbplc|urope\.win2)|f(?:abienna\.s|iduciarybmw2020|mr01|oundation701|p\.conn|rancescogaetano01)|g(?:20compessdesk|race\.manonfoundation)|j(?:ackson4steve|e(?:anedo1|ssicameir30))|k(?:aujong|officollins)|l(?:\.williams722|ui1480)|m(?:card\.msoftuk|illerjeffreylawchambers|oussa\.sayyid|r(?:\.henrichkisker|antonioguterress|b(?:illgate9|ryandavisuk44)|mduku|s(?:\.olhaoschad|_elizabeth20|michelleallison|roseallen))|spvt2020)|olhalytvynenko20|philcohen0012|r(?:ichardwahlfreegrant|obertleeonly01)|s(?:aaman10|gi2019|t(?:\.monica|eve\.lenkathomson11))|t(?:g331965|oyotadrawboard2019)|unvanzyl_mrs|w(?:esteruniontransferunite7|hatsapp_givewin|inuklotocash2018)))\@outlook\.com$/i
describe REPTO_419_FRAUD_OL Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_OL 3.000
tflags REPTO_419_FRAUD_OL publish
##{ REPTO_419_FRAUD_YH
-header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|ilmohammed11|lesiakalina2006|mbassador\.l|nnhester\.usa4)|b(?:a(?:che\.delfine|nk\.phbng14|rr\.thomasclark)|en(?:jaminb34|nicholas22)|illlawrenceee|riceangela45)|c(?:\.aroline90|abinet_maitre_emmanuel_patris|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|ontelamine|ythiamiller\.un10)|d(?:hamilton9099|r(?:_raymondfung|kobiorah|obiorahkenneth|victorobaji))|e(?:denvictor71|ricalbert24)|f(?:bicompensation_funds|ederal\.r73)|i(?:\.project33411|befranfgnfmf|nfomoney|project32411)|j(?:a(?:ckson\.davis915|netemoon150)|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:altschmidtdavid8|elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555)|o(?:an\.assist|rrainewirengee)|y_cheapiseth(?:11|2019))|m(?:\.kogi81|a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis4004|o(?:hammedaahil46|keye79)|rs(?:\.esthernicolas|isabella\.dzesszikan)|s\.gracie_olakun)|o(?:legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|o(?:bertbailey2004|serichard655))|s(?:amthong4040|igurlauganna34|leo25|opheap\.munny|pwalker101|te(?:fanopessina573|vecox\.98))|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|vanserge2001|will(?:clark0010|smi68)|xianglongdai60|zhaodonghk))\@yahoo\.com$/i
+header REPTO_419_FRAUD_YH Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson13|ilmohammed11|lesiakalina2006|mbassador\.l|nnhester\.usa4)|b(?:a(?:che\.delfine|nk\.phbng14|rr\.thomasclark)|e(?:linekra1144|n(?:jaminb34|nicholas22))|illlawrenceee|riceangela45)|c(?:\.aroline90|abinet_maitre_emmanuel_patris|h(?:arlesscharf112|hoy\.t|jackson65)|juan852|ontelamine|ythiamiller\.un10)|d(?:hamilton9099|r(?:_raymondfung|kobiorah|obiorahkenneth|victorobaji))|e(?:denvictor71|ricalbert24)|f(?:bicompensation_funds|ederal\.r73)|i(?:\.project33411|befranfgnfmf|nfomoney|project32411)|j(?:a(?:ckson\.davis915|netemoon150)|kimyong21|lawrencefrb|ulietjohnsonn)|k(?:altschmidtdavid8|elvinmark629|im(?:\.leang2018?|leang(?:575|90)))|l(?:e(?:a_edem13|hman(?:909|bila))|i(?:m_kaan|sarobinson_555)|o(?:an\.assist|rrainewirengee)|y_cheapiseth(?:11|2019))|m(?:\.kogi81|a(?:itre_arthur\.catheau|rie_avis12)|d(?:\.ps|zsesszika672)|elissalewis4004|o(?:hammedaahil46|keye79)|rs(?:\.esthernicolas|isabella\.dzesszikan)|s\.gracie_olakun)|o(?:biorahkenneth8|legkozyrev1|mranshaalan52)|p(?:ackerkelvin|eterlee1950|rincerasmane)|r(?:alphw(?:\.johnson78|johnson78)|o(?:bertbailey2004|serichard655))|s(?:amthong4040|igurlauganna34|leo25|opheap\.munny|pwalker101|te(?:fanopessina573|vecox\.98))|t(?:\.murasawa|ep1chen|heara\.chhoy|ylerhess\.43)|vanserge2001|will(?:clark0010|smi68)|xianglongdai60|zhaodonghk))\@yahoo\.com$/i
describe REPTO_419_FRAUD_YH Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YH 3.000
tflags REPTO_419_FRAUD_YH publish
##{ REPTO_419_FRAUD_YJ
-header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|oneygram100|rs_chen_00001)|r(?:acheljude000|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i
+header REPTO_419_FRAUD_YJ Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.co\.jp)(?:(?:a(?:drianbayford|lainminc73)|d(?:eborahmark2|raymndch)|e(?:d(?:032000100|ithi0iochou)|millybrownnc)|fred_gamba|henrybanko1970|m(?:24erc|aryp1799_8335|eghanbutlerfca|oneygram100|rs_chen_00001)|officefile_0112|r(?:acheljude000|itawi668)|s(?:andrabates418|d203077)))\@yahoo\.co\.jp$/i
describe REPTO_419_FRAUD_YJ Reply-To is known advance fee fraud collector mailbox
#score REPTO_419_FRAUD_YJ 3.000
tflags REPTO_419_FRAUD_YJ publish
tflags REPTO_INFONUMSCOM publish
##} REPTO_INFONUMSCOM
+##{ RISK_FREE
+
+meta RISK_FREE __FRAUD_IOV && !__UNSUB_LINK && !__VIA_ML && !__HTML_LINK_IMAGE && !__SUBSCRIPTION_INFO && !__HS_SUBJ_RE_FW && !__LCL__ENV_AND_HDR_FROM_MATCH
+describe RISK_FREE No risk!
+##} RISK_FREE
+
##{ SB_GIF_AND_NO_URIS
meta SB_GIF_AND_NO_URIS (__GIF_ATTACH&&!__HAS_ANY_URI&&!__HAS_ANY_EMAIL)
##{ SCC_BODY_SINGLE_WORD
-meta SCC_BODY_SINGLE_WORD T_SCC_BODY_TEXT_LINE < 2 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1)
+meta SCC_BODY_SINGLE_WORD T_SCC_BODY_TEXT_LINE < 2 && !__EMPTY_BODY && !__SMIME_MESSAGE && ((__SINGLE_WORD_LINE && !__SINGLE_WORD_SUBJ) || __SINGLE_WORD_LINE > 1)
+describe SCC_BODY_SINGLE_WORD Message body seems like one word
##} SCC_BODY_SINGLE_WORD
+##{ SCC_BODY_URI_ONLY
+
+meta SCC_BODY_URI_ONLY T_SCC_BODY_TEXT_LINE < 2 && __HAS_ANY_URI && !__SMIME_MESSAGE && !T_SCC_IS_DMARC_REP
+describe SCC_BODY_URI_ONLY Very short body with something maybe clickable
+##} SCC_BODY_URI_ONLY
+
##{ SCC_CANSPAM_1
describe SCC_CANSPAM_1 Interesting compliance language
##{ SCC_ISEMM_LID_1B
describe SCC_ISEMM_LID_1B Genericized spammer fingerprint
-header SCC_ISEMM_LID_1B X-Mailer-LID =~ /([56][0-9],)+/
+header SCC_ISEMM_LID_1B X-Mailer-LID =~ /(?:[56][0-9],)+/
tflags SCC_ISEMM_LID_1B publish
#score SCC_ISEMM_LID_1B 1.5
##} SCC_ISEMM_LID_1B
##{ SCC_SPECIAL_GUID
describe SCC_SPECIAL_GUID Unique in a similar way
-rawbody SCC_SPECIAL_GUID /^([[:xdigit:]]{8})-([[:xdigit:]]{4})-([[:xdigit:]]{3})-\3-([[:xdigit:]]{12})$/m
+rawbody SCC_SPECIAL_GUID /^[[:xdigit:]]{8}-[[:xdigit:]]{4}-([[:xdigit:]]{3})-\1-[[:xdigit:]]{12}$/m
tflags SCC_SPECIAL_GUID publish multiple maxhits=15
##} SCC_SPECIAL_GUID
endif
##} SEO_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-##{ SERGIO_SUBJECT_VIAGRA01
-
-header SERGIO_SUBJECT_VIAGRA01 Subject =~ /v[^a-zA-Z0-9]{0,3}[i1l][^a-zA-Z0-9]{0,3}a[^a-zA-Z0-9 ]{0,3}g[^a-zA-Z0-9]{0,3}r[^a-zA-Z0-9]{0,3}a/i
-describe SERGIO_SUBJECT_VIAGRA01 Viagra garbled subject
-##} SERGIO_SUBJECT_VIAGRA01
-
##{ SHOPIFY_IMG_NOT_RCVD_SFY
meta SHOPIFY_IMG_NOT_RCVD_SFY __SHOPIFY_IMG_NOT_RCVD_SFY && !MIME_QP_LONG_LINE && !__RCD_RDNS_MTA_MESSY && !__AC_UNSUB_URI && !__HAS_CAMPAIGNID && !__HAS_SENDER && !__HAS_ORGANIZATION && !__RCD_RDNS_OB && !__DOS_LINK
tflags SHORTENER_SHORT_IMG publish
##} SHORTENER_SHORT_IMG
+##{ SHORTENER_SHORT_SUBJ
+
+meta SHORTENER_SHORT_SUBJ __SHORTENER_SHORT_SUBJ && !__DOS_HAS_LIST_UNSUB && !__HAS_LIST_ID && !__HDR_RCVD_GOOGLE && !__XPRIO
+describe SHORTENER_SHORT_SUBJ URL shortener (avoiding URIBL?) + short subject
+#score SHORTENER_SHORT_SUBJ 3.000 # limit
+##} SHORTENER_SHORT_SUBJ
+
##{ SHORT_HELO_AND_INLINE_IMAGE
meta SHORT_HELO_AND_INLINE_IMAGE (__HELO_NO_DOMAIN && __ANY_IMAGE_ATTACH)
endif
##} SHORT_IMG_SUSP_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+##{ SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
+ifplugin Mail::SpamAssassin::Plugin::WLBLEval
+if (version >= 3.004000)
+meta SHORT_SHORTNER __PDS_MSG_512 && __URL_SHORTENER && !DRUGS_ERECTILE
+describe SHORT_SHORTNER Short body with little more than a link to a shortener
+#score SHORT_SHORTNER 2.0 # limit
+endif
+endif
+##} SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+
##{ SHORT_TERM_PRICE
-body SHORT_TERM_PRICE /short\W+term\W+(target|projected)(\W+price)?/i
+body SHORT_TERM_PRICE /short\W+term\W+(?:target|projected)(?:\W+price)?/i
##} SHORT_TERM_PRICE
+##{ SHY_OBFU_EXPIRE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+
+ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+ meta SHY_OBFU_EXPIRE __SHY_OBFU_EXPIRE
+ describe SHY_OBFU_EXPIRE Obfuscation, probable phishing
+# score SHY_OBFU_EXPIRE 4.000 # limit
+ tflags SHY_OBFU_EXPIRE publish
+endif
+##} SHY_OBFU_EXPIRE ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+
+##{ SHY_OBFU_PASSWORD ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+
+ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+ meta SHY_OBFU_PASSWORD __SHY_OBFU_PASSWORD
+ describe SHY_OBFU_PASSWORD Obfuscation, probable phishing
+# score SHY_OBFU_PASSWORD 4.000 # limit
+ tflags SHY_OBFU_PASSWORD publish
+endif
+##} SHY_OBFU_PASSWORD ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+
##{ SPAMMY_XMAILER
meta SPAMMY_XMAILER (__XM_OL_28001441||__XM_OL_48072300||__XM_OL_28004682||__XM_OL_10_0_4115||__XM_OL_4_72_2106_4)
describe SPAMMY_XMAILER X-Mailer string is common in spam and not in ham
##} SPAMMY_XMAILER
+##{ SPAM_CWINDOWSNET
+
+uri SPAM_CWINDOWSNET m;^https?://(?=[^/]+\.(?:blob|web)\.core\.windows\.net)(?:(?:aaaabbbbcdertfer(?:131|34)|b(?:9jwpncnsz2cg5bpbojgl|bbbccccddester61|dkbazmjnlvajmjjszdc|ulkma(?:ilmanager(?:im|snrperk|m)|nhegeteam))|calivokavoaka|d(?:fjmteeymhimuokqbwio|sfgdfgsdfg)|e(?:6tidwa3xtdxsxrv6fevh|fnzewdwwwxdormvkltxqj|riogsnkdqsdqsd32l|wialtlgncnagaebsuohhsz)|greatetchtoaitechnologyh|linkbulkmailpromanager|n(?:6w479nhk1tkyo6u1p844s|fnybcmyhaaphiglbzra)|o(?:ovgienjzlmmfkmwoyep|penbankstonecdn)|u(?:lqdjksdsdsd3sd|rqjlnefdqsdfik2k)|z(?:ahriiana59|c2mjw9btnqfgw6ps7ex)))\.(?:blob|web)\.core\.windows\.net/;i
+describe SPAM_CWINDOWSNET Link to known hosted spam or phishing content
+#score SPAM_CWINDOWSNET 3.500
+tflags SPAM_CWINDOWSNET publish
+##} SPAM_CWINDOWSNET
+
##{ SPOOFED_FREEMAIL
meta SPOOFED_FREEMAIL __SPOOFED_FREEMAIL && !__HAS_IN_REPLY_TO && !__FS_SUBJ_RE && !__MSGID_GUID && !__freemail_safe && !__THREADED && !__HDRS_LCASE_KNOWN && !__HDR_RCVD_GOOGLE && !__HDR_RCVD_TONLINEDE
meta STOX_AND_PRICE CURR_PRICE && STOX_REPLY_TYPE
##} STOX_AND_PRICE
-##{ STOX_BOUND_090909_B
-
-header STOX_BOUND_090909_B Content-Type:raw =~ /;\n boundary=\"------------0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]0[0-9]\"$/s
-##} STOX_BOUND_090909_B
-
##{ STOX_REPLY_TYPE
header STOX_REPLY_TYPE Content-Type =~ /text\/plain; .* reply-type=original/
describe SUBJECT_NEEDS_ENCODING Subject includes non-encoded illegal characters
##} SUBJECT_NEEDS_ENCODING
+##{ SUBJ_ATTENTION
+
+meta SUBJ_ATTENTION __SUBJ_ATTENTION && !ALL_TRUSTED
+describe SUBJ_ATTENTION ATTENTION in Subject
+#score SUBJ_ATTENTION 0.500 # limit
+##} SUBJ_ATTENTION
+
##{ SUBJ_BRKN_WORDNUMS
#score SUBJ_BRKN_WORDNUMS 1.500 # limit
endif
##} SUBJ_BRKN_WORDNUMS ifplugin Mail::SpamAssassin::Plugin::DKIM
-##{ SUSP_UTF8_WORD_COMBO
-
-meta SUSP_UTF8_WORD_COMBO __4BYTE_UTF8_WORD && ( __LIST_PARTIAL || __RDNS_NONE || __CLICK_HERE || __PHPMAILER_MUA || __STY_INVIS_3 || __TO___LOWER || __MSGID_OK_DIGITS || __HTML_IMG_ONLY )
-describe SUSP_UTF8_WORD_COMBO Words using only suspicious UTF-8 characters + other signs
-#score SUSP_UTF8_WORD_COMBO 3.000 # limit
-##} SUSP_UTF8_WORD_COMBO
-
##{ SUSP_UTF8_WORD_FROM
meta SUSP_UTF8_WORD_FROM __4BYTE_UTF8_WORD_FROM
#score SUSP_UTF8_WORD_MANY 3.000 # limit
##} SUSP_UTF8_WORD_MANY
-##{ SUSP_UTF8_WORD_SUBJ
-
-meta SUSP_UTF8_WORD_SUBJ __4BYTE_UTF8_WORD_SUBJ
-describe SUSP_UTF8_WORD_SUBJ Word in Subject using only suspicious UTF-8 characters
-#score SUSP_UTF8_WORD_SUBJ 2.000 # limit
-##} SUSP_UTF8_WORD_SUBJ
-
##{ SYSADMIN
meta SYSADMIN __SYSADMIN && !ALL_TRUSTED && !__ANY_TEXT_ATTACH && !__DKIM_EXISTS && !__LCL__ENV_AND_HDR_FROM_MATCH && !__MSGID_OK_DIGITS
endif
##} TO_EQ_FM_DOM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
+##{ TO_EQ_FM_HTML_ONLY
+
+meta TO_EQ_FM_HTML_ONLY __TO_EQ_FM_HTML_ONLY && !ALL_TRUSTED && !__RCD_RDNS_MAIL_MESSY && !__RCD_RDNS_SMTP_MESSY && !__NOT_SPOOFED && !__DKIM_EXISTS && !__ANY_IMAGE_ATTACH && !__FROM_LOWER && !__TAG_EXISTS_CENTER
+describe TO_EQ_FM_HTML_ONLY To == From and HTML only
+##} TO_EQ_FM_HTML_ONLY
+
##{ TO_EQ_FM_SPF_FAIL ifplugin Mail::SpamAssassin::Plugin::SPF
ifplugin Mail::SpamAssassin::Plugin::SPF
describe TVD_SPACED_SUBJECT_WORD3 Entire subject is "UPPERlowerUPPER" with no whitespace
##} TVD_SPACED_SUBJECT_WORD3
-##{ TVD_SPACE_ENC_FM_MIME
+##{ TVD_SPACE_ENCODED
+
+meta TVD_SPACE_ENCODED __TVD_SPACE_ENCODED && !__NOT_SPOOFED && !__VIA_ML && !__HS_SUBJ_RE_FW && !__SUBSCRIPTION_INFO && !__TO_EQ_FROM_DOM && !__RCD_RDNS_MAIL && !__ISO_2022_JP_DELIM
+#score TVD_SPACE_ENCODED 2.500 # limit
+describe TVD_SPACE_ENCODED Space ratio & encoded subject
+##} TVD_SPACE_ENCODED
-meta TVD_SPACE_ENC_FM_MIME __TVD_SPACE_ENCODED && __FROM_NEEDS_MIME && !__ISO_2022_JP_DELIM
-#score TVD_SPACE_ENC_FM_MIME 2.000 # limit
-describe TVD_SPACE_ENC_FM_MIME Space ratio & encoded subject & MIME needed
-##} TVD_SPACE_ENC_FM_MIME
+##{ TVD_SPACE_RATIO_MINFP
+
+meta TVD_SPACE_RATIO_MINFP __TVD_SPACE_RATIO && !__CT_ENCRYPTED && !__X_CRON_ENV && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !ALL_TRUSTED && !__MIME_NO_TEXT && !__LONGLINE && !__THREADED && !__SUBSCRIPTION_INFO && !__VIA_ML && !__HELO_HIGHPROFILE && !__DKIM_EXISTS && !__RCD_RDNS_SMTP_MESSY && !__RCD_RDNS_MAIL && !__EMPTY_BODY && !__XM_APPLEMAIL
+#score TVD_SPACE_RATIO_MINFP 2.500 # limit
+describe TVD_SPACE_RATIO_MINFP Space ratio (vertical text obfuscation?)
+##} TVD_SPACE_RATIO_MINFP
##{ TVD_STOCK1 ifplugin Mail::SpamAssassin::Plugin::BodyEval
describe TVD_SUBJ_FINGER_03 Entire subject is enclosed in asterisks "* like so *"
##} TVD_SUBJ_FINGER_03
+##{ TVD_SUBJ_NUM_OBFU_MINFP
+
+meta TVD_SUBJ_NUM_OBFU_MINFP __TVD_SUBJ_NUM_OBFU && !__RP_MATCHES_RCVD && !__RCD_RDNS_MAIL_MESSY && !__VIA_ML && !__ISO_2022_JP_DELIM && !__NOT_SPOOFED && !__X_CRON_ENV && !__NOT_A_PERSON && !__HAS_THREAD_INDEX && !__THREADED && !__NUMBERS_IN_SUBJ && !__URI_MAILTO
+##} TVD_SUBJ_NUM_OBFU_MINFP
+
##{ TVD_SUBJ_OWE
header TVD_SUBJ_OWE Subject =~ /^\s*(?:\w+\s+)+you\s+(?:\w+\s+)*(?:owe|indebted)\s+(?:\w+\s+)+an\s*other/i
endif
##} T_CDISP_SZ_MANY ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+##{ T_CTE_BAS64 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ meta T_CTE_BAS64 __CTE_BAS64
+ describe T_CTE_BAS64 Malformated Content-Type-Encoding
+# score T_CTE_BAS64 2.000 # limit
+ tflags T_CTE_BAS64 publish
+endif
+##} T_CTE_BAS64 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+
##{ T_CTYPE_NULL ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
endif
##} T_FROMNAME_SPOOFED_EMAIL ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
+##{ T_FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
+
+if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
+ meta T_FROM_MULTI_NORDNS __FROM_MULTI_NORDNS
+ describe T_FROM_MULTI_NORDNS Multiple From addresses + no rDNS
+endif
+##} T_FROM_MULTI_NORDNS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
+
##{ T_FROM_MULTI_SHORT_IMG if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
endif
##} T_FUZZY_SPRM ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
-##{ T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
-
-ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
- meta T_FUZZY_WELLSFARGO __FUZZY_WELLSFARGO_BODY || __FUZZY_WELLSFARGO_FROM
- describe T_FUZZY_WELLSFARGO Obfuscated "Wells Fargo"
-endif
-##} T_FUZZY_WELLSFARGO ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
-
##{ T_GB_FREEM_FROM_NOT_REPLY ifplugin Mail::SpamAssassin::Plugin::FreeMail ifplugin Mail::SpamAssassin::Plugin::FromNameSpoof
ifplugin Mail::SpamAssassin::Plugin::FreeMail
endif
##} T_HK_NAME_FM_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
-##{ T_HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
-
-ifplugin Mail::SpamAssassin::Plugin::FreeMail
-if (version >= 3.004000)
- meta T_HK_NAME_FM_MR_MRS __HK_NAME_MR_MRS && FREEMAIL_FROM
-# score T_HK_NAME_FM_MR_MRS 1.5
-endif
-endif
-##} T_HK_NAME_FM_MR_MRS ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
-
##{ T_HK_NAME_FROM ifplugin Mail::SpamAssassin::Plugin::FreeMail if (version >= 3.004000)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
describe T_LOTTO_URI Claims Department URL
##} T_LOTTO_URI
-##{ T_MANY_HDRS_LCASE
-
-describe T_MANY_HDRS_LCASE Odd capitalization of multiple message headers
-#score T_MANY_HDRS_LCASE 0.10 # limit
-##} T_MANY_HDRS_LCASE
-
-##{ T_MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
-
-if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
- meta T_MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
-endif
-##} T_MANY_HDRS_LCASE if !plugin(Mail::SpamAssassin::Plugin::FreeMail)
-
-##{ T_MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
-
-ifplugin Mail::SpamAssassin::Plugin::FreeMail
- meta T_MANY_HDRS_LCASE __MANY_HDRS_LCASE && !__HDRS_LCASE_KNOWN && !__VIA_ML && !__freemail_safe && !__THREADED && !__UNUSABLE_MSGID && !__DOS_SINGLE_EXT_RELAY && !__DKIM_EXISTS && !__NOT_SPOOFED && !__BUGGED_IMG && !__MIME_QP && !__RDNS_NONE
-endif
-##} T_MANY_HDRS_LCASE ifplugin Mail::SpamAssassin::Plugin::FreeMail
-
##{ T_MANY_PILL_PRICE if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
##{ T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
- mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.s?html?\b,i
+ mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.[a-z]?html?\b,i
describe T_OBFU_HTML_ATTACH HTML attachment with non-text MIME type
endif
##} T_OBFU_HTML_ATTACH ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
endif
##} T_PDS_BTC_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-##{ T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
-ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-if (version >= 3.004000)
-meta T_PDS_EMPTYSUBJ_URISHRT __URL_SHORTENER && __SUBJECT_EMPTY && __PDS_MSG_1024
-describe T_PDS_EMPTYSUBJ_URISHRT Empty subject with little more than URI shortener
-#score T_PDS_EMPTYSUBJ_URISHRT 1.5 # limit
-endif
-endif
-##} T_PDS_EMPTYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
-##{ T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
-ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-if (version >= 3.004000)
-meta T_PDS_FREEMAIL_REPLYTO_URISHRT __URL_SHORTENER && __freemail_hdr_replyto && __SUBJ_SHORT && __PDS_HTML_LENGTH_2048
-describe T_PDS_FREEMAIL_REPLYTO_URISHRT Freemail replyto with URI shortener
-#score T_PDS_FREEMAIL_REPLYTO_URISHRT 1.5 # limit
-endif
-endif
-##} T_PDS_FREEMAIL_REPLYTO_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
##{ T_PDS_FROM_2_EMAILS if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
endif
##} T_PDS_NO_FULL_NAME_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-##{ T_PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-
-if (version >= 3.004002)
-ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-header T_PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD')
-#score T_PDS_OTHER_BAD_TLD 2.0
-describe T_PDS_OTHER_BAD_TLD Untrustworthy TLDs
-endif
-endif
-##} T_PDS_OTHER_BAD_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-
##{ T_PDS_PRO_TLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004002)
endif
##} T_PDS_SHORT_SPOOFED_URL ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-##{ T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+##{ T_PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
-ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-if (version >= 3.004000)
-meta T_PDS_TINYSUBJ_URISHRT __URL_SHORTENER && __SUBJ_SHORT && __PDS_MSG_1024
-describe T_PDS_TINYSUBJ_URISHRT Short subject with URL shortener
-#score T_PDS_TINYSUBJ_URISHRT 1.5 # limit
-endif
+if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
+ meta T_PDS_TO_EQ_FROM_NAME (__PDS_TO_EQ_FROM_NAME_1 || __PDS_TO_EQ_FROM_NAME_2) && !__HAS_SENDER
+ describe T_PDS_TO_EQ_FROM_NAME From: name same as To: address
endif
-##} T_PDS_TINYSUBJ_URISHRT ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
+##} T_PDS_TO_EQ_FROM_NAME if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
##{ T_PDS_URISHRT_LOCALPART_SUBJ ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
##{ T_SCC_BODY_TEXT_LINE
-meta T_SCC_BODY_TEXT_LINE __SCC_BODY_TEXT_LINE_FULL - __SCC_SUBJECT_HAS_NON_SPACE
-tflags T_SCC_BODY_TEXT_LINE nice
+meta T_SCC_BODY_TEXT_LINE __SCC_BODY_TEXT_LINE_FULL - __SCC_SUBJECT_HAS_NON_SPACE
+tflags T_SCC_BODY_TEXT_LINE nice
##} T_SCC_BODY_TEXT_LINE
##{ T_SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
endif
##} T_SCC_BOGUS_CTE_1 ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+##{ T_SCC_IS_DMARC_REP
+
+meta T_SCC_IS_DMARC_REP __SCC_DMARC_REP && __MIME_ATTACHMENT
+describe T_SCC_IS_DMARC_REP Message looks like a DMARC report
+tflags T_SCC_IS_DMARC_REP nice
+##} T_SCC_IS_DMARC_REP
+
##{ T_SENT_TO_EMAIL_ADDR if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004002)
describe T_SHARE_50_50 Share the money 50/50
##} T_SHARE_50_50
-##{ T_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
-ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-if (version >= 3.004000)
-meta T_SHORT_SHORTNER __PDS_MSG_512 && __URL_SHORTENER && !DRUGS_ERECTILE
-describe T_SHORT_SHORTNER Short body with little more than a link to a shortener
-#score T_SHORT_SHORTNER 2.0 # limit
-endif
-endif
-##} T_SHORT_SHORTNER ifplugin Mail::SpamAssassin::Plugin::WLBLEval if (version >= 3.004000)
-
##{ T_STY_INVIS_DIRECT if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
- meta T_STY_INVIS_DIRECT __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK
+ meta T_STY_INVIS_DIRECT __STY_INVIS_DIRECT && !__L_BODY_8BITS && !__UNSUB_LINK && !__HDR_RCVD_AMAZON && !__TO___LOWER && !__PDS_DOUBLE_URL && !__MAIL_LINK && !__USING_VERP1 && !__HAS_X_ENTITY_ID && !__RCD_RDNS_SMTP_MESSY && !__RDNS_STATIC
describe T_STY_INVIS_DIRECT HTML hidden text + direct-to-MX
# score T_STY_INVIS_DIRECT 2.500 # limit
endif
endif
##} UNICODE_OBFU_ZW if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
+##{ UNICODE_OBFU_ZW_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
+
+if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
+ meta UNICODE_OBFU_ZW_MANY __UNICODE_OBFU_ZW_10 && !__RCD_RDNS_MAIL_MESSY
+ describe UNICODE_OBFU_ZW_MANY Heavily obfuscating text with hidden characters
+# score UNICODE_OBFU_ZW_MANY 3.000 # limit
+ tflags UNICODE_OBFU_ZW_MANY publish
+endif
+##} UNICODE_OBFU_ZW_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
+
##{ UNSUB_GOOG_FORM
meta UNSUB_GOOG_FORM __UNSUB_GOOG_FORM
##{ URI_GOOG_STO_SPAMMY
-uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:1tactc1200|430bc3a2d98b15a0c58bf8df8f938d|5(?:a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|a(?:1discover|4301cda1e5c450bab01|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:liedtrust7?|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|sb50118|tividade|udio0254)|b(?:337276797de5b3|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:fbgverhg|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|ircaknee0|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4(?:mhoyal1r0|ome1owne1r)|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|otectsecurity)|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|coutstonenew|dfgwsd74fg|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|o(?:lbeam004|uthbeach(?:001|skin))|preader35|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|mobile0sur1vey|o(?:enailfungus|p(?:inal|ol(?:\-web|io29034)))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))/;i
+uri URI_GOOG_STO_SPAMMY m;^https?://storage\.googleapis\.com/(?:(?:0(?:48dg9hjdjsr68rr409tdu516yts8d4s1yteq560dht|584d8aab5db65a3970e|ca91f665e5e9e3bff16)|1(?:479______00\-\-074\-4\-\-\-\-\-\-\-_\-\-\-\-\-\-0894_________\-\-\-\-\-\-\-\-\-______09|f28eb9c708059ce7b58|tactc1200)|2(?:024usa|2accc831928fe7a6d19)|3e6fc78af3b63110d89b|4(?:30bc3a2d98b15a0c58bf8df8f938d|hs3rzdz_r_us\-east\-1)|5(?:34c4e7320793c473d0b|a70f8147b2241c|lose1weight)|7(?:7(?:7burnf4|ancemrani|kneesleeve|metabolism)|88medw4|arshield777|burn7774|savingsoff)|89azr4etr0t6k5jdh4rg9e8udo40kdj1h56gd4xd165jhkd5j04yd156j02|9c32d4d56b8ac7eb1296|a(?:1discover|4301cda1e5c450bab01|d(?:t100visa|vanced1500)|geless(?:brain|t001)|ir0doc5octor|l(?:liedtrust7?|zheimerbrain)|merican(?:ho(?:777|me(?:191|warranty))|w1)|n(?:c77emen777|dersens40|n(?:nuities0102|utsegtsety)|ti(?:1virus|dcfsdfzef))|pp(?:1ointment|empresa|itausa)|sb50118|tividade|udio0254)|b(?:337276797de5b3|6fa8ec81224238ce57a|7772dcb|a(?:ckmedic|th(?:and777|bhow98|dfgdfgdfh|rooomlki))|cvncv7845|d(?:fbgverhg|linkmanager|sgbsehtth|thdethydeth)|e(?:achskinnew|dvgervg|lly(?:00fetyy|gluca)|t(?:ter(?:09909|863|butter008)|umpoiytre))|io(?:swit(?:010|sh0908)|techinvest)|l(?:oo(?:ds(?:hark0508|ug(?:217|ar(?:010|blueprint)))|odsugarerte)|ue(?:0sky|printms0?))|o(?:bby\-dependencies|ostinglive01)|r(?:ain(?:232654|al87484)|i(?:an(?:0(?:101|509)|the0101)|eanfrg)|tghrh)|u(?:kssin|ll(?:gold|market)|rnomegaultra|tter(?:knife|spreader(?:0[48]|news)))|yte01smil1e)|c(?:a(?:99rshield|nvascheap|rt\-checkout|unlimited)|bd(?:11gummies|g(?:m0202|umm(?:ty|y005))|health7417|kfgdfg|sgummys)|dfeesde|ertificat01|hoicehom8270|ircaknee0|jowa|o(?:gnigenix|mp(?:erssac00232|r(?:e(?:essaa001|hensiveamericanhomewarranty|ss(?:a(?:0(?:105|201)|191)|ionsocks))|ovanteanexo))|n(?:7cealed|cealed(?:aff0054|tactical)|defesf|ne5ctrou4t0s)|ptquad5e1r|rrectskin|urankdmeksjsed|verageinsu)|quelleczema|reative14141)|d(?:0ujdusudu9s9u\.appspot\.com|159310a731c3ae80e0c|ac2a3ca82cd6a5f4896|e(?:mentiabrain|nta77fend|rma(?:01247|1correct|587475|7correc7t|acorrectskin|correct(?:001new1|new001|skin|1)|hdth|thbsdrhg)|tranmultas)|g(?:iadikir784|vdevgege)|i(?:abetes7|gitaldots1|recting77|ta0526)|lqjxjdxesmapldjehahnse|msksjskeoncbvevde|rtrebtgh747|ysfunction0707|zdzefef)|e(?:7co7verage|a(?:rsring01|sy(?:1canvas|canvasprints))|ingingears|l(?:eepexperts|iminatorlower)|n(?:e(?:nce7777|rgy(?:0icits|savings))|trega)|rec(?:01tions|tiledysfunction)|t(?:alsprcious|ernal07light)|vent(?:0saves01?|save(?:010?|s010))|xpertwindows(?:0102)?|yes(?:1ight|ightmax))|f(?:4747|d(?:128218622bd3f|fdfdzezr78|zdzelom)|edilty5401|habgfdgbfrtg|i(?:7(?:485612|542512)|d(?:el(?:ity(?:09|217|insulife)|ty(?:gbdtrbr|tyhjudtyu))|iity5660|y001)|ghttinnitusnow(?:(?:911|s))?|ltyredfezz|refig(?:22hting|hting)|tnesswatch|xguca777)|l(?:a(?:sh(?:light7fr7ee|tric540)|tbelly)|oodlight(?:010|slima))|o(?:mrulasugaa|od54451|toswhatsapps)|rgdfgdfh|s(?:dcfzef|efzgefz)|tlkopmdrdfe|u(?:ng(?:01ft|9901|enail010|us(?:eliminator0807|fghgh))|turistic00insol))|g(?:7oldco|cumbmdys|eniusbutter|fhfjgfhfg|hetiop|lu(?:1lossn01k|lossn01k|ster)|old(?:ii00215|trust00)|r(?:7owtmaihn9ew|fgrgrg|ow(?:191|plus11|savage01085))|u(?:ardiao|mm(?:ies11cbd|yss|zdfefzf)|tter(?:0fr1(?:dian)?|protection7))|ympro22)|h(?:4(?:mhoyal1r0|ome1owne1r)|dfghbrh|e(?:1al1t4|a(?:lt(?:h(?:life|news|yhairremedy)|ycbd0909)|rt(?:14141|beat911))|rp(?:ly(?:24701|y0012)|y1414))|ome(?:1security|9865|choice45841|w(?:arranty|rr0216)))|i(?:n(?:formedetranmulta|ogen0065|s(?:1urance7net|7urance7net|t(?:9854|a(?:0541|1heater|863|f(?:atioplo|gregrerg)|hard0(?:0021|605)|nttranslator)|h(?:ard879477|eater001))|urance(?:7net|net))|vest777in)|ron479max5x|tchrelief)|k(?:757474|e(?:ranfvgdgfrder|to(?:0(?:102|202|81477)|191|7(?:878|rim)|adv217|ghghgh|healthnews|jkkfghk|o(?:2(?:22|45)|o7896)|rapid00888|s(?:hark0908|s0479)|toto2323))|iller1111|ne(?:e852|f6565))|l(?:a(?:bcream|wn(?:care3|trugreen001))|e(?:a(?:f7filt7er|nde0585)|ciofve1748)|giesnaturas0|i(?:berty77arran|fefiltrevdf|ve(?:r(?:0health0support|md|supp10)|wirenew024))|o(?:caweb|odlight(?:s0|0)|ss(?:00wrabido0|rapid01245|weightnew85))|u(?:llmattressne000|mi(?:00guard01|agudiidd|g(?:87[56]|uard(?:1074|87585)))))|m(?:a(?:galu|iltrk___newyear2024___g089dh4fg16qs804dsd1jh6g5sq|l(?:4e7e5nhanc7ement|e(?:0(?:1ed|541)|24700|77en|health475))|ttress0707)|e(?:di(?:ca(?:lsupplies|r(?:0085|123n|df747))|p0lanning)|llitox00545|morybooster|t(?:a(?:bolismlos|greens|lspr(?:ciou[0s]|ecious))|f(?:85|dfvde)))|iracl(?:ecannabidiol|sweight[0s]?|weight)|k_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|le(?:3mlemlm3lm\.appspot\.com|n(?:hsances?|shsance0s))|o(?:bile57mint|n(?:5g154g|t(?:ezuma0(?:01|101)|zdzsds))|onmenermaintain\-66j)|p_40g98qf0487415415d04hd7jkyydu84hgsd1\-\-\-2024|s____mailpro\-holiday2024__9s8h7140q6h84e6hs84g6s85d403|w_4098fae4grhtejy9r80t4qt1z984ui94yuiopoikjhnbvx\-\-\-2024|y(?:seniorpe?|theraposture001))|n(?:at(?:ional14587|uralgies)|badefdfg|e(?:sdsd|wtiniggrgr)|inoty74|lmsld|u(?:bupatches|trisd17))|o(?:m(?:eg(?:7aburn|a(?:7burn|n(?:ew|ow00?)))|gaburn)|ne(?:00shot|shot(?:0[01]|124578))|zmenshe)|p(?:a(?:in(?:en01(?:ew|sew)|supp(?:10|l8778)|wenes010)|rtnersav01)|e(?:rsonalized21|tplan85)|ho(?:01to001|tostick004)|leteroid|o(?:rtable(?:heater7|telescope045)|vsedfzef)|r(?:eadvanceds|i(?:mal(?:08544|fhdfh|grow)|ntsvalentine)|otectsecurity)|soidngf8147|ure(?:cbdgummies7|plant7))|r(?:apidecision77|e(?:5model1ro4om|adclub11|direct0gumm0|grow101|n(?:ew(?:al20consult|laemailved)|walllll0065)|v(?:caus181|e(?:alscause|rsirol0101)|kcaus181|scaus181))|i(?:ght0108|ngingearstinnitus|verb1986srt4)|oundupccancer|vices8|yokorout(?:(?:01|s010?))?)|s(?:___mailpro__evolution\-unitedstate_____78f40x1fg0|a(?:fety(?:homes?|shome0?)|mples7nuge7|v(?:age(?:0502|72|999|grow010)|es0even0t|ingsevent)|y(?:byebugs|life004))|coutstonenew|dfgwsd74fg|e(?:curity(?:homenew|providernew)|ni(?:147orperk|orserk77s))|gp008|h(?:arkcbd0808|owersafe)|i(?:gnlaotrrmp|mplex18742)|leepditch|o(?:lbeam004|uthbeach(?:001|skin))|preader35|sgummy777|t(?:ain245|eelprobite77|rictionbp0)|u(?:g(?:ar4701|hdetged)|mmersy0(?:10)?)|zdzdzdzd)|t(?:a(?:cflashlight72|lcumpowder)|e(?:ch________frebulkmnge________teamtechbuy|lescope001|rminix0909|stomus)|h(?:e(?:photostick2804|rasl(?:eeves|ves)|unbreakable)|opinall)|i(?:me0share|nnitus(?:102|new911))|mobile0sur1vey|o(?:enailfungus|p(?:inal|ol(?:\-web|io29034)))|r(?:4ans1lat5or|a(?:balhos|nslato10)|im1life0|ugreen(?:30|s30))|telescope44|unnifgdege)|u(?:berxlm|ltra(?:hgt|omegaburn|u(?:ifipro|wifip)|wifi(?:058|pro002))|n(?:breakable(?:0417|brain0087)|limitedcanvase[es]?)|rgentfung171|s(?:_bulk_click\-mail_oldfrom_9898409486498904948904548094804864xx|bmosquito|6)|tility3in1)|v(?:e(?:7hicle7cov|hi(?:7clesh7|cle01))|frgrerg|i(?:sa(?:alandere?|lander[es]?)|v(?:247w01|int(?:0(?:401|officially)|1010smart|967857)))|szdefzsfzef)|w(?:4enmedicra8|a(?:l(?:k(?:0015|7485|ghghgh|inbath(?:tub44|0))|lkk0409|mart010)|rranhome0012)|defgzegfze|e(?:atherproof|bwhatsfotos|edkiller[1s]?|ight(?:00loss|loss(?:005|newketo))|llgrove90)|i(?:fi(?:booste(?:01|r)|tiop)|n(?:0101|doexpr001))|painen01es)|xcbxcbopiaze|yusdgtduf777|z(?:antacdedzef|ipp874ype57t)))/;i
describe URI_GOOG_STO_SPAMMY Link to spammy content hosted by google storage
#score URI_GOOG_STO_SPAMMY 3.000
tflags URI_GOOG_STO_SPAMMY publish
tflags URI_HEX_IP publish
##} URI_HEX_IP
+##{ URI_IMG_CWINDOWSNET
+
+meta URI_IMG_CWINDOWSNET __URI_IMG_CWINDOWSNET && !__RCD_RDNS_SMTP && !__REPTO_QUOTE && !__URI_DOTEDU
+#score URI_IMG_CWINDOWSNET 3.500 # limit
+describe URI_IMG_CWINDOWSNET Non-MSFT image hosted by Microsoft Azure infra, possible phishing
+tflags URI_IMG_CWINDOWSNET publish
+##} URI_IMG_CWINDOWSNET
+
##{ URI_IMG_WP_REDIR
meta URI_IMG_WP_REDIR __URI_IMG_WP_REDIR
tflags VFY_ACCT_NORDNS publish
##} VFY_ACCT_NORDNS
+##{ VISTA_COST
+
+meta VISTA_COST __VISTA_COST && !__DOS_HAS_LIST_UNSUB
+describe VISTA_COST Old MSFT msgid format + "cost"
+#score VISTA_COST 2.500 # limit
+tflags VISTA_COST publish
+##} VISTA_COST
+
+##{ VISTA_TONOM_EQ_TOLOC
+
+meta VISTA_TONOM_EQ_TOLOC __VISTA_TONOM_EQ_TOLOC && !__MSOE_MID_WRONG_CASE
+describe VISTA_TONOM_EQ_TOLOC Old MSFT msgid format + To display name = username
+#score VISTA_TONOM_EQ_TOLOC 2.500 # limit
+tflags VISTA_TONOM_EQ_TOLOC publish
+##} VISTA_TONOM_EQ_TOLOC
+
##{ VPS_NO_NTLD if (version >= 3.004002) ifplugin Mail::SpamAssassin::Plugin::WLBLEval
if (version >= 3.004002)
tflags WALMART_IMG_NOT_RCVD_WAL publish
##} WALMART_IMG_NOT_RCVD_WAL
+##{ WIKI_IMG
+
+uri WIKI_IMG m,^https?://[^/]+wiki[mp]edia\.org/.+\.(?:png|gif|jpe?g),i
+describe WIKI_IMG Image from wikipedia
+##} WIKI_IMG
+
##{ WORD_INVIS if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
endif
##} WORD_INVIS_MANY if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
+##{ XFER_LOTSA_MONEY
+
+meta XFER_LOTSA_MONEY __XFER_LOTSA_MONEY && !__VIA_ML && !__HAS_SENDER && !__SUBSCRIPTION_INFO
+describe XFER_LOTSA_MONEY Transfer a lot of money
+#score XFER_LOTSA_MONEY 1.000 # limit
+##} XFER_LOTSA_MONEY
+
##{ XM_DIGITS_ONLY
meta XM_DIGITS_ONLY __XM_DIGITS_ONLY
tflags XM_RANDOM publish
##} XM_RANDOM
+##{ XM_RECPTID
+
+meta XM_RECPTID __HAS_XM_RECPTID && !__TAG_EXISTS_SCRIPT && !__REPLYTO_NOREPLY && !__ENVFROM_AMAZONSES && !__DOS_DIRECT_TO_MX && !__FRAUD_PTX
+describe XM_RECPTID Has spammy message header
+#score XM_RECPTID 3.000 # limit
+##} XM_RECPTID
+
##{ XPRIO
describe XPRIO Has X-Priority header
tflags XPRIO_SHORT_SUBJ publish
##} XPRIO_SHORT_SUBJ
+##{ XPRIO_VISTA
+
+meta XPRIO_VISTA __XPRIO_VISTA && !__BITCOIN && !__TO_TOO_MANY
+describe XPRIO_VISTA X-Priority + old MSFT msgid format
+#score XPRIO_VISTA 2.500 # limit
+tflags XPRIO_VISTA publish
+##} XPRIO_VISTA
+
##{ X_MAILER_CME_6543_MSN
header X_MAILER_CME_6543_MSN X-Mailer =~ /^CME-V6\.5\.4\.3; MSN\s*$/
##} X_MAILER_CME_6543_MSN
-##{ YOUR_PERMISSION
-
-meta YOUR_PERMISSION __YOUR_PERM && !__CTYPE_HAS_BOUNDARY && !__DKIM_EXISTS && !__DOS_HAS_LIST_UNSUB && !__CT_TEXT_PLAIN && !__BUGGED_IMG && !__COMMENT_EXISTS
-describe YOUR_PERMISSION With your permission...
-##} YOUR_PERMISSION
-
##{ YOU_INHERIT
meta YOU_INHERIT __YOU_INHERIT
reuse RCVD_IN_IADB_DOPTIN
reuse RCVD_IN_IADB_ML_DOPTIN
reuse RCVD_IN_IADB_OOO
+reuse RCVD_IN_IADB_LEG_MAND
+reuse RCVD_IN_IADB_COURT
reuse RCVD_IN_IADB_MI_CPEAR
reuse RCVD_IN_IADB_UT_CPEAR
reuse RCVD_IN_IADB_MI_CPR_30
replace_rules FUZZY_PAYPAL
replace_rules FUZZY_NORTON
replace_rules FUZZY_OVERSTOCK
+ replace_rules __FUZZY_TRUSTWALLET_BODY
+ replace_rules __FUZZY_TRUSTWALLET_FROM
replace_rules __MY_VICTIM
replace_rules __MY_MALWARE
replace_rules __PAY_ME
replace_rules __YOUR_PERSONAL
replace_rules __HOURS_DEADLINE
replace_rules __EXPLOSIVE_DEVICE
+ replace_tag SHY (?:=ad|[\xc2][\xad]|[\xad]|&\#xad;|&\#173;|­)
+ replace_rules __SHY_OBFU_PASSWORD
+ replace_rules __SHY_OBFU_EXPIRE
replace_rules T_LFUZ_PWRMALE
replace_rules __PDS_BTC_HACKER __PDS_BTC_PIRATE
reuse T_PDS_BTC_AHACKER
reuse T_PDS_DBL_URL_LINKBAIT
reuse PDS_DBL_URL_TNB_RUNON
reuse T_PDS_DBL_URL_ILLEGAL_CHARS
-reuse FROM_2_EMAILS_SHORT
+reuse T_FROM_2_EMAILS_SHORT
reuse T_SHORT_BODY_QUOTE
reuse T_BODY_QUOTE_MALF_MSGID
reuse SPOOFED_FREEMAIL_NO_RDNS
reuse T_PDS_URI_HIDDEN_HELO_NO_DOMAIN
-reuse T_PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
+reuse PDS_TONAME_EQ_TOLOCAL_HDRS_LCASE
reuse T_PDS_TONAME_EQ_TOLOCAL_SHORT
-reuse PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
+reuse T_PDS_TONAME_EQ_TOLOCAL_FREEM_FORGE
reuse T_PDS_TONAME_EQ_TOLOCAL_VSHORT
reuse T_PDS_LITECOIN_ID
reuse PDS_BTC_ID
header __4BYTE_UTF8_WORD_FROM From:name =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
-header __4BYTE_UTF8_WORD_SUBJ Subject =~ /(?:\xf0\x9d[\x90-\x9f][\x80-\xbf]){3,10}/
-
uri __64_ANY_URI m;[/?]\w{64,}$;i
body __ACCESS_RESTORE /\bto (?:(?:restore|regain) access|(?:remove|uplift) (?:the|this) suspens|continue using your (?:account|online|mailbox)|zugreifen wiederhergestellt)/i
uri __AC_CHDSEQ_URI /\/chd[a-z0-9]{20,}/
-header __AC_FROM_MANY_DOTS From =~ /<(?:\w{2,}\.){2,}\w+@/
+header __AC_FROM_MANY_DOTS From =~ /<(?!do\.not\.reply@)(?:\w{2,}\.){2,}\w+@/i
meta __AC_FROM_MANY_DOTS_MINFP __AC_FROM_MANY_DOTS && !ALL_TRUSTED && !FREEMAIL_FORGED_FROMDOMAIN && !FORGED_GMAIL_RCVD && !__UNSUB_LINK && !__XM_VBULLETIN && !__RDNS_SHORT && !__REPTO_QUOTE && !__FSL_RELAY_GOOGLE && !__HAS_IN_REPLY_TO && !__RCD_RDNS_SMTP && !__HAS_THREAD_INDEX && !__RCD_RDNS_MX_MESSY && !__CTYPE_MULTIPART_MIXED && !__RCD_RDNS_MTA && !__VIA_ML && !__HAS_ERRORS_TO
uri __AC_NDOMLONGNASPX_URI /[A-Za-z]+[0-9]{2}\.[A-Za-z0-9-]+\.me\/(?:[A-Za-z0-9-]{10,}\/){2}[0-9]{8,}\/[A-Za-z]+\.aspx/
-uri __AC_NUMS_URI /(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(:?php|html)\b/
+uri __AC_NUMS_URI /(?:\/[0-9]+){5}\.[0-9a-zA-Z]+\.(?:php|html)\b/
uri __AC_OUTI_URI /\/outi\b/
meta __BITCOIN_SPAM_07 __BITCOIN_ID && __TO_EQ_FROM
+meta __BITCOIN_TOEQFM __BITCOIN && __TO_EQ_FROM
+
meta __BITCOIN_WFH_01 __BITCOIN && __WFH_01
meta __BITCOIN_XPRIO __XPRIO && (__BITCOIN || __BITCOIN_ID)
body __CLEAN_MAILBOX /\b(?:(?:e-?mail|mail\s?box|violation:|(?-i:CLICK)) (?:quota size|clean(?:-?up))|clean ?up click ?here|(?:please|automatically) reduce (?:your|the) e?-?mail ?box size|reduce (?:your |the )?(?:e?-?mail(?: ?box)? )?size automatically)\b/i
tflags __CLEAN_MAILBOX multiple maxhits=2
-body __CLICK_HERE /\bclick\shere\b/i
-
rawbody __COMMENT_GIBBERISH /<!--(?:\s{1,10}[-\w'"]{1,40}){100}/im
body __COMPENSATION /\b(?:compensat(?:e|ion)|recompensed?|ausgleich)\b/i
rawbody __CONTENT_AFTER_HTML /<\/html>\s*[a-z0-9]/i
+body __COPY_PASTE_DE /Kopieren Sie es und f(?:\xfc|\xc3\xbc)gen Sie es ein|Kopieren \& Einf(?:\xfc|\xc3\xbc)gen/i
+
if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
- body __COPY_PASTE_EN /Copy (and|\+|\&) paste/i
+ body __COPY_PASTE_EN /Copy (?:and|\+|\&) paste/i
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body __COPY_PASTE_EN /<C><O><P><Y> (?:<A><N><D>|\+|\&) <P><A><S><T><E>/i
endif
+body __COPY_PASTE_ES /copiarlo y pegarlo/i
+
+body __COPY_PASTE_FR /le copier (?:et le|\+) coller/i
+
+body __COPY_PASTE_IT /copiar?lo (?:e|\&) incollar?lo/i
+
+body __COPY_PASTE_NL /kopieer en plak het/i
+
+body __COPY_PASTE_SE /kopiera den och klistra in/i
+
body __COURIER /\bcourier\s(?:company|service)\b/i
header __CR_IN_SUBJ Subject:raw =~ /\015/
+if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
+ meta __CTE_BAS64 0
+endif
+
+ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
+ mimeheader __CTE_BAS64 Content-Transfer-Encoding =~ /\bbas64\b/i
+endif
+
header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w+/i
header __CTYPE_MULTIPART_MIXED Content-Type =~ /multipart\/mixed/i
mimeheader __CT_UTF7 Content-Type =~ /\bcharset=.?utf-7\b/i
endif
-header __DATE_LOWER ALL =~ /date:\s\S{5}/
+header __DATE_LOWER ALL =~ /date: \S{5}/
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
body __DAY_I_EARNED /day,?\sI\s(?:earned|got|received|made|brought\sin)\s\$\s?\d{3}/i
body __EARLY_DEMISE /\buntimely\sdeath\b/i
+header __EBAY_ADDRESS From:addr =~ /[\@.]ebay\.\w\w\w?(?:\.\w\w)?$/i
+
meta __EBAY_IMG_NOT_RCVD_EBAY __URI_IMG_EBAY && !__HDR_RCVD_EBAY
meta __EMAIL_PHISH (__WEBMAIL_ACCT + __MAILBOX_FULL + __MAILBOX_FULL_SE + __CLEAN_MAILBOX + __VALIDATE_MAILBOX + __VALIDATE_MBOX_SE + __UPGR_MAILBOX + __LOCK_MAILBOX + __SYSADMIN + __ATTN_MAIL_USER + __MAIL_ACCT_ACCESS1 + __MAIL_ACCT_ACCESS2 + __ACCESS_REVOKE + __PASSWORD_UPGRADE + __PENDING_MESSAGES + __RELEASE_MESSAGES + __PASSWORD_EXP_CLUMSY + (__TVD_PH_SUBJ_META || __TVD_PH_BODY_META || __TVD_PH_BODY_ACCOUNTS_PRE || __TVD_PH_BODY_ACCOUNTS_POST || __PDS_FROM_NAME_TO_DOMAIN) > 1) && !__EMAIL_PHISH_MANY
body __END_FUTURE_EMAILS /\b(?:end|stop(?! receiving these (?:alerts|emails))|cease|discontinue|removed?|(?:do(?! not wish to receive [\w\s]{0,20}emails)|would|you(?:'d)?) (?:not (?:wish|want|like|desire)|(?:prefer|wish|want|like|desire) not) to|exclude yourself|fore?go)[- ](?:get |receiv(?:ing|e) |or |(?:a-z{1,30} ){0,4}from )?(?:these|our|(?:any )?(?:future|further)) (?:(?:e|ad)?-?m(?:ail(?:ing)?|es+[age]{3})|alert|PSA|marketing|notice)[- ]?(?:ad|update)?s?\b/i
+header __ENVFROM_AMAZONSES EnvelopeFrom =~ /\@amazonses\.com$/
+
header __ENVFROM_GOOG_TRIX EnvelopeFrom =~ /(?:@|=)trix\.bounces\.google\.com(?:$|=)/
meta __ENVFROM_GOOG_TRIX_SPAMMY __ENVFROM_GOOG_TRIX && (__GOOGLE_DOC_SUSP || FREEMAIL_REPLYTO_END_DIGIT || __ADVANCE_FEE_2_NEW || FORGED_GMAIL_RCVD || LOTS_OF_MONEY || __HAS_X_SOURCE_DIR )
header __FROM_ALL_NUMS From:addr =~ /^\d+@/
+header __FROM_AMEX From =~ /american\s?express/i
+
+header __FROM_ASB_BANK From:addr =~ /\basb\.co\.nz$/i
+
+header __FROM_BANK_LOOSE From =~ /ban(?:k|co)/i
+
+header __FROM_CHASE From:addr =~ /chase(?:2?-?paymentech)\.com$/i
+
+header __FROM_CMNWLTH_BANK From:addr =~ /\bcommonwealth\.com\.au$/i
+
header __FROM_DNS From =~ /(?<![^\w.-])dns(?:admin)?\@/i
meta __FROM_DOM_ADMIN __FROM_ADMIN && __PDS_FROM_NAME_TO_DOMAIN
header __FROM_EBAY From:addr =~ /\@ebay\.com$/i
+header __FROM_EBAY_LOOSE From =~ /\be-?bay\b/i
+
header __FROM_EQ_ORG_1 ALL =~ /\nFrom: "?([^\n]+)"? <[^>]+>\n.*Organization: \1\n/ism
ifplugin Mail::SpamAssassin::Plugin::FreeMail
header __FROM_FULL_NAME From:name =~ /^[^a-z[:punct:][:cntrl:]\d\s][^[:punct:][:cntrl:]\d\s]*[[:punct:]\s]+[^a-z[:punct:][:cntrl:]\d\s]/
tflags __FROM_FULL_NAME nice
+header __FROM_HSBC From:addr =~ /\bhsbc\.co\.uk$/i
+
header __FROM_INFO From =~ /(?<![^\w.-])info\@/i
-header __FROM_LOWER ALL =~ /from:\s\S{5}/
+header __FROM_LLOYDSTSB From:addr =~ /\blloyds(?:tsb)\.(?:co\.uk|com)$/i
+
+header __FROM_LOWER ALL =~ /from: \S{5}/
header __FROM_MISSPACED From =~ /^\s*"[^"]*"</
meta __FROM_MISSP_FREEMAIL __FROM_RUNON && (FREEMAIL_FROM || FREEMAIL_REPLYTO)
endif
+meta __FROM_MISSP_PHISH __FROM_MISSPACED && (__FROM_ASB_BANK || __FROM_AMEX || __FROM_BANK_LOOSE || __FROM_CHASE || __FROM_CMNWLTH_BANK || __FROM_EBAY_LOOSE || __FROM_HSBC || __FROM_LLOYDSTSB || __FROM_PAYPAL_LOOSE || __FROM_WELLSFARGO || __FROM_WESTERNUNION)
+
meta __FROM_MISSP_REPLYTO __FROM_RUNON && __HAS_REPLY_TO
if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
header __FROM_PAYPAL From:addr =~ /\@paypal\.com$/i
+header __FROM_PAYPAL_LOOSE From =~ /paypal/i
+
header __FROM_RUNON From =~ /\S+<\w+/
header __FROM_RUNON_UNCODED From:raw =~ /\S+(?<!\?=)<\w+/
header __FROM_WEB_DAEMON From:addr =~ /(?:apache|www|web|tomcat|\biis\b).*\@/i
+header __FROM_WELLSFARGO From:addr =~ /wellsfargo\.com$/i
+
+header __FROM_WESTERNUNION From:addr =~ /westernunion\.com$/i
+
header __FROM_WORDY From:addr =~ /^(?:(?:[A-Z][A-Za-z]+|or|&)\.)+[A-Z][A-Za-z]+\@/
if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
header __FSL_HELO_BARE_IP_1 X-Spam-Relays-External =~ /^[^\]]+ helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} [^\]]*auth= /i
+header __FSL_HELO_BARE_IP_2 X-Spam-Relays-Untrusted =~ /helo=(?!127)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} /i
+
header __FSL_HELO_USER_1 X-Spam-Relays-External =~ / helo=user /i
header __FSL_HELO_USER_2 Received =~ /from User(?:\s+by|\s*[\[\(]|$)/i
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
- body __FUZZY_WELLSFARGO_BODY /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i
+ body __FUZZY_TRUSTWALLET_BODY /(?=<T>)(?!Trust[-\s]?Wallet)<T><R><U><S><T>[-\s]*<W><A><L><L><E><T>/i
+endif
+
+ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+ header __FUZZY_TRUSTWALLET_FROM From =~ /(?=<T>)(?!Trust[-\s]?Wallet)<T><R><U><S><T>[-\s]*<W><A><L><L><E><T>/i
+endif
+
+ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+ body __FUZZY_WELLSFARGO_BODY /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>\S{0,2}[-\s]?<F><A><R><G><O>/i
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
- header __FUZZY_WELLSFARGO_FROM From:name =~ /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>[-\s]?<F><A><R><G><O>/i
+ header __FUZZY_WELLSFARGO_FROM From:name =~ /(?=<W>)(?!Wells[-\s]?Fargo)<W><E><L><L><S>\S{0,2}[-\s]?<F><A><R><G><O>/i
endif
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta __GAPPY_SALES_LEADS_MANY __GAPPY_SALES_LEADS > 2
endif
+meta __GB_BITCOIN_CP_DE ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_DE )
+describe __GB_BITCOIN_CP_DE German Bitcoin scam
+
+meta __GB_BITCOIN_CP_EN ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_EN )
+describe __GB_BITCOIN_CP_EN English Bitcoin scam
+
+meta __GB_BITCOIN_CP_ES ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_ES )
+describe __GB_BITCOIN_CP_ES Spanish Bitcoin scam
+
+meta __GB_BITCOIN_CP_FR ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_FR )
+describe __GB_BITCOIN_CP_FR French Bitcoin scam
+
+meta __GB_BITCOIN_CP_IT ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_IT )
+describe __GB_BITCOIN_CP_IT Italian Bitcoin scam
+
+meta __GB_BITCOIN_CP_NL ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_NL )
+describe __GB_BITCOIN_CP_NL Dutch Bitcoin scam
+
+meta __GB_BITCOIN_CP_SE ( __BITCOIN_ID && !__URL_BTC_ID && __COPY_PASTE_SE )
+describe __GB_BITCOIN_CP_SE Swedish Bitcoin scam
+
if (version >= 4.000000)
if can(Mail::SpamAssassin::Conf::feature_capture_rules)
uri __GB_CUSTOM_HTM_URI0 m;^https?://.{10,128}(?:\.html?|\.php|\/)?(?:\#|\?&e=)%{GB_TO_ADDR};i
endif
endif
-header __GB_FAKE_RF Subject =~ /(Fw|Re)\:{1,2}[\W+]/i
+header __GB_FAKE_RF Subject =~ /(?:Fw|Re)\:{1,2}[\W+]/i
if (version >= 4.000000)
if can(Mail::SpamAssassin::Conf::feature_capture_rules)
tflags __HAS_HREF multiple maxhits=100
describe __HAS_HREF_ONECASE Has an anchor tag with a href attribute in non-quoted line with consistent case
-rawbody __HAS_HREF_ONECASE /^[^>].*?<(a href|A HREF)=/m
+rawbody __HAS_HREF_ONECASE /^[^>].*?<(?:a href|A HREF)=/m
tflags __HAS_HREF_ONECASE multiple maxhits=100
describe __HAS_IMG_SRC Has an img tag on a non-quoted line
rawbody __HAS_IMG_SRC_DATA /^[^>].*?<img src=['"]data/im
describe __HAS_IMG_SRC_ONECASE Has an img tag on a non-quoted line with consistent case
-rawbody __HAS_IMG_SRC_ONECASE /^[^>].*?<(img src|IMG SRC)=/m
+rawbody __HAS_IMG_SRC_ONECASE /^[^>].*?<(?:img src|IMG SRC)=/m
tflags __HAS_IMG_SRC_ONECASE multiple maxhits=100
header __HAS_LIST_OPEN exists:List-Open
header __HAS_XM_SID exists:X-Mailer-SID
+header __HAS_X_ANTIABUSE exists:X-AntiAbuse
+
+header __HAS_X_AUTHED_SENDER exists:X-Authenticated-Sender
+
header __HAS_X_EBSERVER exists:X-EBSERVER
+header __HAS_X_ENTITY_ID exists:X-Entity-ID
+
header __HAS_X_LETTER exists:X-Letter
header __HAS_X_NO_RELAY exists:X-No-Relay
header __HELO_HIGHPROFILE X-Spam-Relays-External =~ /^[^\]]+ helo=\S*(?:hotmail|gmail|google|yahoo|msn|microsoft|outlook|paypal|xxx)\.[\w]+\b/i
+header __HELO_MISC_IP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=[^a-z\?]\S{0,30}(?:\d{1,3}[^\d]){4}[^\]]+ auth= /i
+
header __HELO_NOT_RDNS X-Spam-Relays-External =~ /^[^\]]+ rdns=(\S+) helo=(?!(?i)\1)\S/
header __HELO_NO_DOMAIN X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ /
meta __HOSTED_IMG_FREEM ( FREEMAIL_REPLYTO || FREEMAIL_FROM ) && __URI_HOSTED_IMG
-meta __HOSTED_IMG_MULTI ( __URI_IMG_EBAY + __URI_IMG_AMAZON + __URI_IMG_ALICDN + __URI_IMG_WALMART + __URI_IMG_NEWEGG + __URI_IMG_SHOPIFY + __URI_IMG_YTIMG + __URI_IMG_JOOMCDN + __URI_IMG_WISH + __URI_IMG_WP_REDIR + __URI_IMG_STATICBG + __URI_IMG_CHANNYPIC + __URI_IMG_TOPHATTER + __URI_IMG_GBTCDN + __URI_IMG_LINKEDIN + __URI_IMG_TUMBLR + __URI_IMG_TAGSTAT + __URI_IMG_FACEBOOK + __URI_IMG_TARINGANET + __URI_IMG_BEBEE + __URI_IMG_EFUSERASSETS + __URI_IMG_IMGBOX_THUMB + __URI_IMG_500PXORG + __URI_IMG_WIXMP + __URI_IMG_POSTIMGCC + __URI_IMG_GTRACING + __URI_IMG_JOOMCDN + __URI_IMG_DHRESOURCE) > 1
+meta __HOSTED_IMG_MULTI ( __URI_IMG_EBAY + __URI_IMG_AMAZON + __URI_IMG_ALICDN + __URI_IMG_WALMART + __URI_IMG_NEWEGG + __URI_IMG_SHOPIFY + __URI_IMG_YTIMG + __URI_IMG_JOOMCDN + __URI_IMG_WISH + __URI_IMG_WP_REDIR + __URI_IMG_STATICBG + __URI_IMG_CHANNYPIC + __URI_IMG_TOPHATTER + __URI_IMG_GBTCDN + __URI_IMG_LINKEDIN + __URI_IMG_TUMBLR + __URI_IMG_TAGSTAT + __URI_IMG_FACEBOOK + __URI_IMG_TARINGANET + __URI_IMG_BEBEE + __URI_IMG_EFUSERASSETS + __URI_IMG_IMGBOX_THUMB + __URI_IMG_500PXORG + __URI_IMG_WIXMP + __URI_IMG_POSTIMGCC + __URI_IMG_GTRACING + __URI_IMG_JOOMCDN + __URI_IMG_DHRESOURCE + __URI_IMG_CWINDOWSNET) > 1
if !plugin(Mail::SpamAssassin::Plugin::ReplaceTags)
- body __HOURS_DEADLINE /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three|a few)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i
+ body __HOURS_DEADLINE /\b(?:(?:give\syou|gebe\sihnen(?:\snur)?|you\s(?:will\s)?have(?:\sonly|\sjust)?|within)(?:(?:\sthe)?\s(?:last|next))?\s(?:\d+|one|two|three|a few)\s?(?:hours?|hr(?:\s?s)?|days?|stunden)|(?:by|to|until|before)\sthe\send\sof\sthe\s(?:work(?:ing)?\s)?day|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\shours?\sbefore\s(?:sending|releasing|exposing|publishing)|(?:the|your)\sdeadline\s(?:is|will\sbe))\b/i
endif
ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
- body __HOURS_DEADLINE /(?:^|\s)(?:(?:<G><I><V><E>\s<Y><O><U>|<G><E><B><E>\s<I><H><N><E><N>(?:\s<N><U><R>)?|<Y><O><U>\s(?:<W><I><L><L>\s)?<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?|<W><I><T><H><I><N>)(?:(\s<T><H><E>)?\s(?:<L><A><S><T>|<N><E><X><T>))?\s(?:\d+|<O><N><E>|<T><W><O>|<T><H><R><E><E>|<A> <F><E><W>)\s?(?:<H><O><U><R><S>?|<H><R>\s?<S>?|<D><A><Y><S>?|<S><T><U><N><D><E><N>)|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\s<H><O><U><R><S>?\s<B><E><F><O><R><E>\s(?:<S><E><N><D><I><N><G>|<R><E><L><E><A><S><I><N><G>|<E><X><P><O><S><I><N><G>|<P><U><B><L><I><S><H><I><N><G>)|(?:<T><H><E>|<Y><O><U><R>)\s<D><E><A><D><L><I><N><E>\s(?:<I><S>|<W><I><L><L>\s<B><E>))/i
+ body __HOURS_DEADLINE /(?:^|\s)(?:(?:<G><I><V><E>\s<Y><O><U>|<G><E><B><E>\s<I><H><N><E><N>(?:\s<N><U><R>)?|<Y><O><U>\s(?:<W><I><L><L>\s)?<H><A><V><E>(?:\s<O><N><L><Y>|\s<J><U><S><T>)?|<W><I><T><H><I><N>)(?:(?:\s<T><H><E>)?\s(?:<L><A><S><T>|<N><E><X><T>))?\s(?:\d+|<O><N><E>|<T><W><O>|<T><H><R><E><E>|<A> <F><E><W>)\s?(?:<H><O><U><R><S>?|<H><R>\s?<S>?|<D><A><Y><S>?|<S><T><U><N><D><E><N>)|(?:<B><Y>|<T><O>|<U><N><T><I><L>|<B><E><F><O><R><E>)\s<T><H><E>\s<E><N><D>\s<O><F>\s<T><H><E>\s(?:<W><O><R><K>(?:<I><N><G>)?\s)?<D><A><Y>|Ich\sgebe\sIhnen\s\d+\sStunden|\d+\s<H><O><U><R><S>?\s<B><E><F><O><R><E>\s(?:<S><E><N><D><I><N><G>|<R><E><L><E><A><S><I><N><G>|<E><X><P><O><S><I><N><G>|<P><U><B><L><I><S><H><I><N><G>)|(?:<T><H><E>|<Y><O><U><R>)\s<D><E><A><D><L><I><N><E>\s(?:<I><S>|<W><I><L><L>\s<B><E>))/i
endif
+rawbody __HREF_EMPTY /href=""/
+
+meta __HREF_EMPTY_NORDNS __HREF_EMPTY && __RDNS_NONE
+
+meta __HREF_EMPTY_PHPMAIL __HREF_EMPTY && (__PHPMAILER_MUA || __XMAIL_PHPMAIL)
+
+meta __HREF_EMPTY_XANTIABUSE __HREF_EMPTY && __HAS_X_ANTIABUSE
+
+meta __HREF_EMPTY_XAUTHED __HREF_EMPTY && __HAS_X_AUTHED_SENDER
+
rawbody __HS_QUOTE /^> /
header __HS_SUBJ_RE_FW Subject =~ /^(?i:re|fw):/
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
- mimeheader __HTML_ATTACH_01 Content-Type =~ m,\btext/html\b.+\.s?html?\b,i
+ mimeheader __HTML_ATTACH_01 Content-Type =~ m,\btext/html\b.+\.[a-z]?html?\b,i
endif
if !plugin(Mail::SpamAssassin::Plugin::MIMEHeader)
endif
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
- mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.s?html?\b,i
+ mimeheader __HTML_ATTACH_02 Content-Disposition =~ m,\bfilename="?[^"]+\.[a-z]?html?\b,i
endif
rawbody __HTML_ENTITY_ASCII /(?:&\#(?:(?:\d{1,2}|1[01]\d|12[0-7])|x[0-7][0-9a-f])\s{0,64};\s{0,64}){10}/i
body __INHERIT_PMT /\binheritance\spayment\s/i
-meta __INR_AND_NO_REF (__XM_IMAIL || __XM_APPLEMAIL || __XM_COMMUNIG || __XM_EDMAX || __XM_ELM || __XM_EMUMAIL || __XM_EXMH || __XM_LOTUSN || __XM_MAILCITY || __XM_MAILSMITH || __XM_MSCDO || __XM_MSOUT || __XM_MIMETOOLS || __XM_OPERA6 || __XM_PEGASUS || __XM_QUALCOM || __UA_IMP || __UA_MSOEMAC || __UA_MSENTOUR || __UA_OPERA7)
-
body __INTL_BANK /\b(?:international\s(?:\w+\s)?bank|banque\sinternationale)\b/i
body __INVEST_COUNTRY /\binvest\sin\syour?\scountry\b/i
mimeheader __ISO_ATTACH_MT Content-Type =~ m,\bapplication/x-iso9660-image\b,i
endif
-body __IS_LEGAL /\b(?:(?:(this|esta)\s(?:deal|offer|transac[tc]i(?:o|[\xc3][\xb3])n|proposal|exchange|arrangement|work)|it)?\s[ie]s\s(?:(?:guaranteed|completely|absolutely|perfectly|100%|very|fully)\s)?(?:legal|hitch-free|seguro|legitimate)|legitimate\sarrangement|toute?\sl(?:e|=E9|[\xe9]|[\xc3][\xa9])gale)\b/i
+body __IS_LEGAL /\b(?:(?:(?:this|esta)\s(?:deal|offer|transac[tc]i(?:o|[\xc3][\xb3])n|proposal|exchange|arrangement|work)|it)?\s[ie]s\s(?:(?:guaranteed|completely|absolutely|perfectly|100%|very|fully)\s)?(?:legal|hitch-free|seguro|legitimate)|legitimate\sarrangement|toute?\sl(?:e|=E9|[\xe9]|[\xc3][\xa9])gale)\b/i
body __IVORY_COAST /\b(?:Cote\s?D.Ivoire|Ivory\s?Coast|Costa\sde\sMarfil)\b/i
body __KAM_HTML_FONT_INVALID eval:html_test('font_invalid_color')
endif
-body __KAM_LOTTO2 /((ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is
+body __KAM_LOTTO2 /(?:(?:ticket|serial|lucky) number|secret pin ?code|batch number|reference number|promotion date)/is
header __KB_DATE_CONTAINS_TAB Date:raw =~ /^\t/
meta __LIST_PARTIAL __DOS_HAS_LIST_UNSUB && !__DOS_HAS_LIST_ID
+meta __LIST_PARTIAL_SHORT_MSG __HTML_LENGTH_0000_1024 && __LIST_PARTIAL
+
meta __LIST_PRTL_PUMPDUMP __LIST_PARTIAL && __PD_CNT_1
meta __LIST_PRTL_SAME_USER __LIST_PARTIAL && __TO_EQ_FROM_USR
full __LONGLINE /^[^\r\n]{998}/m
+meta __LONGLN_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __LONGLINE
+
rawbody __LONG_INVIS_DIV /<div\s+style\s*=\s*"(?:(?<!-)visibility\s*:\s*hidden|display\s*:\s*none)\s*">[^<\s]{1400}/i
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
meta __MANY_SPAN_IN_TEXT (__SPAN_BEG_TEXT > 4) && (__SPAN_END_TEXT > 4)
+uri __MANY_SUBDOM m;^https?://(?:[^\./]{1,30}\.){6};i
+
+header __MAY_BE_FORGED Received =~ /\(may be forged\)/
+
header __MID_START_001C Message-ID =~ /^<000001c/
body __MILLIONS /\bmillions\sof\s(?:dollar|euro|pound)/i
rawbody __MIXED_FONT_CASE /<(?!FONT|font)[Ff][Oo][Nn][Tt]\s/
-rawbody __MIXED_HREF_CASE_JH /<[Aa](?i:rea)?\s+(?!HREF|href)[Hh][Rr][Ee][Ff]=/
+describe __MIXED_HREF_CASE Has anchor tags with mixed-up cases in non-quoted lines
+meta __MIXED_HREF_CASE __HAS_HREF - __HAS_HREF_ONECASE > 0
rawbody __MIXED_IMG_CASE_JH /<(?!IMG|img)[Ii][Mm][Gg]\s/
header __MSGID_LIST Message-ID =~ /-\w+\#[\w.]+\.\w{2,4}\@/
tflags __MSGID_LIST nice
-header __MSGID_NOFQDN2 Message-ID =~ /<.*\@[A-Za-z0-9]+>/m
-
-meta __MSMAIL_PRI_ABNORMAL __HAS_MSMAIL_PRI && !__MSMAIL_PRI_NORMAL
-
-header __MSMAIL_PRI_HIGH X-MSMail-Priority =~ /^(?:high|urgent)$/i
+header __MSGID_NOFQDN1 Message-ID =~ /<[^\@]*>/m
-header __MSMAIL_PRI_NORMAL X-MSMail-Priority =~ /^normal$/i
+header __MSGID_NOFQDN2 Message-ID =~ /<.*\@[A-Za-z0-9]+>/m
meta __MSM_PRIO_REPTO __HAS_MSMAIL_PRI && __HAS_REPLY_TO && __SUBJ_SHORT
header __MTLANDROID_MUA X-Mailer =~ /\bMotorola android mail \d+\.\d/
-header __MUA_TBIRD User-Agent =~ /^Mozilla\/(.*) Thunderbird/
+header __MUA_TBIRD User-Agent =~ /^Mozilla\/.* Thunderbird/
body __MY_FORTUNE /\b(?:my|his|her)\s(?:fortune|heritage)\b/i
header __NAME_IS_EMAIL From:raw =~ /\w\@[\w.-]+\.\w\w+["'`]*\s*<\w+\@\w/
-body __NEVER_HEAR_EN /(never hear me again|destroy all your secrets|not bother you again|leave you alone)/i
-
-body __NEVER_HEAR_IT /eliminare tutti i tuoi segreti|Ti garantisco che non ti disturbe/i
-
meta __NEWEGG_IMG_NOT_RCVD_NEGG __URI_IMG_NEWEGG && !__HDR_RCVD_NEWEGG
body __NEW_PRODUCTS /\bhere are new products|\b(?:Our company|we) (?:has |have )?(?:(?:recently|just|newly) (?:introduce|release|launche)[ds](?: a| our| the)? (?:new|(?:\w+\s){1,5}below)|a new (?!cat\s|kitten\s|dog\s|puppy\s|pet\s|baby\s|child\s|boy\s|girl\s)(?:\w+\s){1,5} here)|recently,? our company (?:launch|releas)ed|\bI want to recommend a new (?:\w+ ){1,5}(?:we|our)\b|latest version of our (?:stock|product)|\b(?:our|a) new (?:\w+ ){1,3}has (?:recently|just) been released/i
body __NIGERIA /\bnigeria\b/i
+meta __NORDNS_LOW_CONTRAST HTML_FONT_LOW_CONTRAST && __RDNS_NONE
+
meta __NOT_A_PERSON __VACATION || ANY_BOUNCE_MESSAGE || __CHALLENGE_RESPONSE || __VIA_ML || __DOS_HAS_LIST_UNSUB || __SENDER_BOT || __UNSUB_LINK || __UNSUB_EMAIL || __MSGID_LIST || __SUBSCRIPTION_INFO
tflags __NOT_A_PERSON nice
header __NSL_RCVD_FROM_41 X-Spam-Relays-External =~ / ip=41\./
describe __NSL_RCVD_FROM_41 Received from 41.0.0.0/8
-header __NUMBERONLY_TLD From:addr =~ /\@[0-9]{4,}(\.[a-z]{2,4})?\.[a-z]+$/i
+header __NUMBERONLY_TLD From:addr =~ /\@[0-9]{4,}(?:\.[a-z]{2,4})?\.[a-z]+$/i
header __NUMBERS_IN_SUBJ Subject =~ /\d{3}/
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-body __PDS_EXPIRATION_NOTICE /\bexpiration (notice|alert|date)\b/i
+body __PDS_EXPIRATION_NOTICE /\bexpiration (?:notice|alert|date)\b/i
endif
endif
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
-body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (United States|USA)/i
+body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (?:United States|USA)/i
endif
endif
+header __PDS_PHP_EVAL1 X-PHP-Originating-Script =~ /eval..'d code/i
+
if !plugin(Mail::SpamAssassin::Plugin::MIMEEval)
meta __PDS_QP_1024 0
endif
meta __PDS_QP_64 (__MIME_QPC > 0) && (__MIME_QPC < 64)
endif
-header __PDS_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(mta|mail|mx|smtp)\b\S* /i
+header __PDS_RDNS_MTA X-Spam-Relays-External =~ /^[^\]]+ rdns=\S*(?:mta|mail|mx|smtp)\b\S* /i
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header __PDS_TONAME_EQ_TOLOCAL To:raw =~ /^\s*['"]?([^'"]+)['"]? <?\1\@/
-header __PDS_TO_BRAND_SUBJECT ALL =~ /^To:\s+<?[^\@]+\@([^\.]+)\.(?:[^\n]+\n+)*^Subject: \"?\1\b/ism
-
if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
- header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism
+ header __PDS_TO_EQ_FROM_NAME_1 ALL =~ /\nTo: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From:\W+(\1)([^\n\w<]++<)?((?!\1)[^\n">]++)>?\n/ism
endif
if can(Mail::SpamAssassin::Conf::perl_min_version_5010000)
- header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n<]{0,80}<)?(\1)>?/ism
+ header __PDS_TO_EQ_FROM_NAME_2 ALL =~ /\nFrom:\W+"([\w+.-]+\@[\w.-]+\.\w\w+)(?:[^\n\w<]{0,80}<)?((?!\1)[^\n">]++)>?\n+(?:[^\n]{1,100}\n+)*To: (?:[^\n<]{0,80}<)?(\1)>?/ism
endif
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header __PHP_NOVER_MUA X-Mailer =~ /^PHP$/
+header __PHP_ORIG_SCRIPT_EVAL X-PHP-Originating-Script =~ /\beval\b.*\bcode\b/i
+
meta __PHP_ORIG_SCRIPT_SONLY __HAS_PHP_ORIG_SCRIPT && (__TVD_SPACE_RATIO || __SINGLE_WORD_SUBJ || __OBFUSCATING_COMMENT_B)
if !(can(Mail::SpamAssassin::Conf::feature_bug6558_free))
body __PUMPDUMP_07 /\b(?:buy|grab it) for (?:around |about |less than )?\d+ cents\b/i
-body __PUMPDUMP_08 /\b?(:sto[ck]{2}|sotk) of the year/i
+body __PUMPDUMP_08 /\b(?:sto[ck]{2}|sotk) of the year/i
body __PUMPDUMP_09 /\b(?:buy|get|snap up|grab) as many shares (?:of it )?as (?:you|I) can\b/i
meta __RCVD_DOTEDU_SHORT __RCVD_DOTEDU_EXT && ( __HTML_IMG_ONLY || __BODY_URI_ONLY || __HTML_LENGTH_1024_1536 )
+meta __RCVD_DOTEDU_SUSP __RCVD_DOTEDU_EXT && ( MIME_QP_LONG_LINE || __TVD_SPACE_RATIO || __FROM_RUNON || __USING_VERP1 )
+
meta __RCVD_DOTEDU_SUSP_URI __RCVD_DOTEDU_EXT && ( __45_ALNUM_URI || __45_ALNUM_URI_O || __64_ANY_URI )
header __RCVD_DOTGOV_EXT X-Spam-Relays-External =~ /\srdns=\S+\.gov\s/i
endif
endif
+header __REPLYTO_NOREPLY Reply-To =~ /\bno-?reply@/i
+
header __REPTO_419_FRAUD_AOL_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@aol\.com)(?:(?:a(?:f\.|ljaber)|c(?:hanprivacy|laimdept|ristinabruno|ustom_service)|dhodgkins|evelynjoshua|f(?:d\.|ernandezfernandez)|george_clifford|hernandezrosemary|k\.doreen|l(?:erynnewest|ynnpage)|m(?:_l\.wanczyk|asayohara|rsjanetedwards)|officework|paulpollard|royalpalace|spwalker|usembassy|yurdaaytarkan))\d+\@aol\.com$/i
-header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:9porssts|a(?:\.wafager|b(?:dullahmundani|u(?:lkareem|shadi))|cecere|isha1976gaddafi|l(?:an\.austin|ex(?:anderpeterson|hoffman)|ghafrij|kasimunadi|l(?:enholden|isoncluade)|ure\.wawrenka)|m(?:bassadormarybethleonardl|ericadeliverycomapny|ina(?:ltwaijiri|medjahed))|n(?:dyfox|na(?:llee|sigurlaug)|thonyjblinken)|office1office|radka|shwestwood|ustinbillmark|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|rister(?:clarkephillips|lordruben)|teld\.huisman))|bongo|e(?:alitoniua|linekra|n(?:ezero|gatl|jaminsarah))|ill\.lawrence|mwautomobile|oarddept|rendalaporte|uffettwarrene)|c(?:h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|laxtonpaul|o(?:lombasjuan|ntactad)|rist(?:brun?|davis|ydavisdonation)|ustomerservicelacaixa)|d(?:a(?:nnuar|vi(?:d(?:\.loanfirm|larbi|pere|ramirez\.luis)|scarolyn|yax))|e(?:nnisclark|partmentofstate)|minique|ona(?:ldwilliam|tionhelpercare)|rdavidrhama|unsilva)|e(?:benezero|christina|l(?:i(?:bethgomez|sabethmaria|zabethedw)|o(?:diesawadogo|tocashoffice))|m(?:efieleg?|ilyrichmond)|re(?:nakgeorge|zcelic)|stherkatherine|wynn)|f(?:\.mikhail|a(?:ithdesrie|tme\.mehmed)|blott|irstbank|r(?:a(?:100dub|n(?:c(?:espatrickconnolly|iscamendoza)|k(?:jane|linpiesie)))|eelottosweepstake)|spero|ulanlan)|g(?:00gleggewinner|a(?:briel(?:eschmitt|kalia)|rciavincent)|bill|e(?:neralwilliamstony|orgekwame|raldjhjh)|i(?:idp|ocastano)|l(?:enmoore|oriachow)|oo(?:golteam|oglegwiinner)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:gate|ryebert)|sh(?:imyreem|mireem))|e(?:atherbrooeke|ctor(?:castillos|scastillo)|lengiggs)|gold|ildad|o(?:nmackjohn|rnbeckmajordennis|seoky))|i(?:bed|mfdeputyoff|n(?:fo\.annedouglas|gridrolle)|rvinekim|smail(?:eman|tarkan))|j(?:a(?:mesokoh|vierlesme)|efferydean|o(?:edward|hn(?:griffn|r(?:awlings|oxfordjr)|sonwilson|uba|walterlove|a)|n(?:athanhaskel|hugo)|seph(?:acevedo|babatunde|ichael)|vannyanderson)|rawlings|uliewatson)|k(?:a(?:l(?:iaksandr|tschmidtdavid)|malnizar|rabo\.ramala|t(?:jamess|rinaziako))|ennedy\.sawadogo|halidbuhazza|kasbu|rnkl|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:enasinghs|rynne(?:0west|west))|i(?:amfinchus|fecshortt|liane\.bettencourt|nelink|sa(?:milner|robin))|john|oughreymargaret|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|diawright|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:incare|jor(?:dennishornbeck|townsend)|lletman|n(?:duesq|fran|uelfranco(?:(?:donation|foundation|spende))?)|r(?:i(?:ahhills|opabl)|kroth|shalh|tinamayer|y(?:franson|josen))|u(?:hin|rhinck)|viswan(?:czyk(?:(?:foundation|k))?)?)|brons|c\.cheadychang|dredban|elvidabullock|gfrederick|i(?:c(?:h(?:ael\.woosley|ealwuu)|w)|k(?:e\.weirsky\.foundational|hai(?:\.fridman|lfridm))|ss\.yasmineibrahim)|k(?:ent|untjoro)|oham(?:edabdul|m(?:daljililati|edshamekh))|r(?:\.(?:elbahi\.mohammed\.|justinmaxwell)|cjames|ericschmid|hanimuhammad|jamesmc|richardanthony|s(?:\.susanread|a(?:ishaalqadafi|ngela)|dominiquethomas|evelynbrown|fatimaamiraqureshi|hamima|jackman|lisamilner|ma(?:ureens|yaoliver)|r(?:eem|obinsanders|uthsmith)|sarahbenjamin|victoriaedmond))|s(?:\.ellagolan|agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|icholas\.jose|obuyuki\.hirano)|o(?:\.peace|fficerricherd|hallkenneth|xfaminternationa)|p(?:aul(?:eed|n)|b(?:ph202lay|rookk)|e(?:rezdonlorenzo|ter(?:\.waddell|guggi|kenin|stephen))|hillip\.richead)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymondaba)|e(?:alyh|beccagarang|em(?:has(?:himy|m)|n)|plyback|v(?:\.jamesabel|fr(?:ankjackson|paulwilliams)))|icha(?:miller|rdw(?:ahl|illis))|main|o(?:b(?:erthanandez|inf)|naldmorris|s(?:a\.gomes|ekipkalya))|raya|t\.rev\.ericmark|uddicklana)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cott(?:henryjames|peters)|e(?:cretservicce|rgeantrobertbrown)|gt(?:\.monicab|ireneb)|h(?:anemissler|ery(?:\.gtl|etr)|inawatrathaksin)|im(?:lkheng|onhei)|op(?:adam|hiajesse)|peelman|t(?:anleyjohn|ephentam)|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:a(?:mmywebster|y(?:ebsouami|lorcathy))|erryparkins|h(?:ailandbankoffice|e(?:ara\.choy|odorosloannis))|imothymetheny|lyerdonald|o(?:m(?:ander|c(?:hrist|rist(?:(?:donation|foundation))?)|spende)|ny(?:\.chung|zimpro)|shikazusendo))|u(?:derleyen|marukareem|n(?:claimedfunds|itednation(?:organization|s))|s(?:alotery|departmentofjustice))|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut))|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|hatsappofficial|i(?:elandherzog\.sw\.herad|ll(?:clark|iamsmartyrs))|u\.office|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo|o(?:ngkm|usefzongo))|z(?:bank|enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i
+header __REPTO_419_FRAUD_GM_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@gmail\.com)(?:(?:9porssts|a(?:\.wafager|b(?:dullahmundani|u(?:lkareem|shadi))|cecere|isha1976gaddafi|l(?:an\.austin|ex(?:anderpeterson|hoffman)|ghafrij|icedoris|kasimunadi|l(?:enholden|isoncluade)|ure\.wawrenka)|m(?:bassadormarybethleonardl|ericadeliverycomapny|ina(?:ltwaijiri|medjahed))|n(?:dyfox|na(?:llee|sigurlaug)|thonyjblinken)|office1office|radka|shwestwood|tmcarddepartment|ustinbillmark|zi(?:m(?:\.hpremji|hashim(?:donation)?)|z(?:dake|george)))|b(?:a(?:nkcentralasiahalobca|r(?:bersmadar|rister(?:clarkephillips|lordruben)|teld\.huisman))|bongo|e(?:alitoniua|linekra|n(?:ezero|gatl|jaminsarah)|tsyholden)|ill\.lawrence|mwautomobile|oarddept|rendalaporte|uffettwarrene)|c(?:h(?:a(?:ngching|r(?:itylisajohnrobinson|l(?:esluenga|tonnewmanus)))|e(?:mchung|nchung))|iticonsultantjohncg|laxtonpaul|o(?:lombasjuan|ntactad)|rist(?:brun?|davis|ydavis(?:donation|foundation))|ustomerservicelacaixa)|d(?:a(?:nnuar|vi(?:d(?:\.loanfirm|larbi|pere|ramirez\.luis)|scarolyn|yax))|e(?:nnisclark|partmentofstate)|minique|ona(?:ldwilliam|tionhelpercare)|rdavidrhama|unsilva)|e(?:benezero|christina|l(?:i(?:bethgomez|sabeth(?:gmuer|maria)|zabethedw)|o(?:diesawadogo|tocashoffice))|m(?:efieleg?|ilyrichmond)|ngr\.des|re(?:nakgeorge|zcelic)|stherkatherine|wynn)|f(?:\.mikhail|a(?:ithdesrie|tme\.mehmed)|blott|irstbank|r(?:a(?:100dub|n(?:c(?:espatrickconnolly|iscamendoza)|k(?:j(?:ane|ody)|linpiesie)))|eelottosweepstake)|spero|ulanlan)|g(?:00gleggewinner|a(?:briel(?:eschmitt|kalia)|rciavincent)|bill|e(?:neralwilliamstony|orgekwame|raldjhjh)|i(?:idp|ocastano)|l(?:enmoore|oriachow)|oo(?:golteam|oglegwiinner)|r(?:aceobia|e(?:ant|energeoffrey)))|h(?:a(?:r(?:gate|ryebert)|sh(?:imyreem|mireem)|zimissa)|e(?:atherbrooeke|ctor(?:castillos|scastillo)|lengiggs)|gold|ildad|o(?:nmackjohn|rnbeckmajordennis|seoky))|i(?:b(?:ed|rahimelizabeth)|mfdeputyoff|n(?:fo\.(?:annedouglas|marviswanczyk)|gridrolle)|rvinekim|smail(?:eman|tarkan))|j(?:a(?:mesokoh|vierlesme)|efferydean|o(?:edward|hn(?:griffn|nietaylor|r(?:awlings|oxfordjr)|sonwilson|uba|walterlove|a)|n(?:athanhaskel|hugo)|seph(?:acevedo|babatunde|ichael)|vannyanderson)|rawlings|uliewatson)|k(?:a(?:l(?:iaksandr|tschmidtdavid)|malnizar|rabo\.ramala|t(?:jamess|rinaziako))|ennedy\.sawadogo|halidbuhazza|kasbu|r(?:istinewellenstein|nkl)|un(?:gwei|ioue))|l(?:a(?:rrytoms|ursent|wrencefoundation)|e(?:enasinghs|rynne(?:0west|west))|i(?:amfinchus|fecshortt|liane\.bettencourt|nelink|sa(?:milner|robin))|john|oughreymargaret|s(?:arbn|chantal)|u(?:ckywinners|sba\.moored)|y(?:\.cheapiseth|diawright|n(?:\.arthur|cmba|nmkl)))|m(?:a(?:incare|jor(?:dennishornbeck|townsend)|lletman|n(?:duesq|fran|uelfranco(?:(?:donation|foundation|spende))?)|r(?:i(?:ahhills|opabl)|kroth|shalh|tinamayer|y(?:franson|josen))|u(?:hin|rhinck)|viswan(?:czyk(?:(?:foundation|k))?)?)|brons|c\.cheadychang|dredban|el(?:aniekreiss|vidabullock)|gfrederick|i(?:c(?:h(?:ael\.woosley|ealwuu)|w)|k(?:e\.weirsky\.foundational|hai(?:\.fridman|lfridm))|ntonjustin|ss\.yasmineibrahim)|k(?:ent|untjoro)|mrstephen|oham(?:edabdul|m(?:daljililati|edshamekh))|r(?:\.(?:elbahi\.mohammed\.|justinmaxwell)|cjames|ericschmid|hanimuhammad|jamesmc|morgangomez|richardanthony|s(?:\.susanread|a(?:ishaalqadafi|ngela|shaalqaddfi)|dominiquethomas|evelynbrown|fatimaamiraqureshi|hamima|jackman|lisamilner|ma(?:riaelizabethscheffle|ureens|yaoliver)|r(?:eem|obinsanders|uthsmith)|sarahbenjamin|victoriaedmond))|s(?:\.ellagolan|agent|golaan|smadar)|ustadris)|n(?:aomiiwasaki|eilt(?:rotter)?|icholas\.jose|obuyuki\.hirano)|o(?:\.peace|fficerricherd|hallkenneth|lenasheve|xfaminternationa)|p(?:aul(?:eed|n)|b(?:ph202lay|rookk)|e(?:rezdonlorenzo|ter(?:\.waddell|guggi|kenin|stephen))|hillip\.richead)|q(?:iquanzhou|nzeng)|r(?:a(?:kidy|lhashimi|ymondaba)|e(?:alyh|beccagarang|em(?:has(?:himy|m)|n)|plyback|v(?:\.jamesabel|fr(?:ankjackson|paulwilliams)))|icha(?:miller|rdw(?:ahl|illis))|main|o(?:b(?:erthanandez|inf)|naldmorris|s(?:a\.gomes|ekipkalya))|raya|t\.rev\.ericmark|uddicklana)|s(?:a(?:l(?:ehhussienconsult|imzaid)|rfiafarfask)|cott(?:henryjames|peters)|e(?:cretservicce|rgeantrobertbrown)|gt(?:\.monicab|ireneb)|h(?:anemissler|ery(?:\.gtl|etr)|inawatrathaksin)|im(?:lkheng|onhei)|op(?:adam|hiajesse)|peelman|t(?:anleyjohn|ephentam)|u(?:iyang|n\.hor|sanneklatten)|weeneyjohnson)|t(?:a(?:mmywebster|y(?:ebsouami|lorcathy))|e(?:nreyrosilvana|rryparkins)|h(?:ailandbankoffice|e(?:ara\.choy|odorosloannis))|imothymetheny|lyerdonald|o(?:m(?:ander|c(?:hrist|rist(?:(?:donation|foundation))?)|spende)|ny(?:\.chung|zimpro)|shikazusendo))|u(?:derleyen|marukareem|n(?:claimedfunds|ited(?:bankforafrica\.plc|nation(?:organization|s)))|s(?:alotery|departmentofjustice))|v(?:anderwesthuizen|e(?:enapatel|r(?:a(?:aellen|hollinkvan)|enichekaterinaekaterina))|i(?:ctoriaabraham|dalpamela|ngut)|johannes)|w(?:a(?:dp|hlr(?:ichard)?|nczykm|rrenebuffett)|ellensteinfoundation|hatsappofficial|i(?:elandherzog\.sw\.herad|ll(?:clark|iamsmartyrs))|u\.office|ww\.moneygram)|y(?:\.oguzhan|anghoseok|doo|o(?:ngkm|usefzongo))|z(?:bank|enithbankplconline|kiaslan|minhong)))\d+\@gmail\.com$/i
-header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|ilmohammed|lesiakalina|nnhester\.usa)|b(?:ank\.phbng|en(?:jaminb|nicholas)|riceangela)|c(?:\.aroline|h(?:arlesscharf|jackson)|juan|ythiamiller\.un)|dhamilton|e(?:denvictor|ricalbert)|federal\.r|j(?:a(?:ckson\.davis|netemoon)|kimyong)|k(?:altschmidtdavid|elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|hman)|isarobinson_|y_cheapiseth)|m(?:\.kogi|arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye))|o(?:legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|o(?:bertbailey|serichard))|s(?:amthong|igurlauganna|leo|pwalker|te(?:fanopessina|vecox\.))|tylerhess\.|vanserge|will(?:clark|smi)|xianglongdai))\d+\@yahoo\.com$/i
+header __REPTO_419_FRAUD_YH_LOOSE Reply-To:addr =~ /^(?=[^\s<>@]+\@yahoo\.com)(?:(?:a(?:driantongson|ilmohammed|lesiakalina|nnhester\.usa)|b(?:ank\.phbng|e(?:linekra|n(?:jaminb|nicholas))|riceangela)|c(?:\.aroline|h(?:arlesscharf|jackson)|juan|ythiamiller\.un)|dhamilton|e(?:denvictor|ricalbert)|federal\.r|j(?:a(?:ckson\.davis|netemoon)|kimyong)|k(?:altschmidtdavid|elvinmark|im(?:\.leang|leang))|l(?:e(?:a_edem|hman)|isarobinson_|y_cheapiseth)|m(?:\.kogi|arie_avis|dzsesszika|elissalewis|o(?:hammedaahil|keye))|o(?:biorahkenneth|legkozyrev|mranshaalan)|peterlee|r(?:alphw(?:\.johnson|johnson)|o(?:bertbailey|serichard))|s(?:amthong|igurlauganna|leo|pwalker|te(?:fanopessina|vecox\.))|tylerhess\.|vanserge|will(?:clark|smi)|xianglongdai))\d+\@yahoo\.com$/i
header __REPTO_CHN_FREEM Reply-To =~ /\@(?:sina|aliyun)\.com/i
body __SCAM /\bscam(?:m?e[dr])?s?\b/i
-body __SCC_BODY_TEXT_LINE_FULL /^\s*\S/
-tflags __SCC_BODY_TEXT_LINE_FULL multiple maxhits=3
+body __SCC_BODY_TEXT_LINE_FULL /^\s*\S/
+tflags __SCC_BODY_TEXT_LINE_FULL multiple maxhits=3
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __SCC_BOGUS_CTE_1 Content-Transfer-Encoding =~ /^Hexa/i
mimeheader __SCC_CTMPP Content-Type =~ /multipart\/parallel/
endif
-header __SCC_SUBJECT_HAS_NON_SPACE Subject =~ /\S/
+body __SCC_DMARC_REP /(DMARC|aggregate) .{0,12}report/
+
+header __SCC_SUBJECT_HAS_NON_SPACE Subject =~ /\S/
body __SECURITY_DEPT /\bsecurity dep(?:artmen)?t\b/i
meta __SHOPIFY_IMG_NOT_RCVD_SFY __URI_IMG_SHOPIFY && !__HDR_RCVD_SHOPIFY && !__HDR_ENVFROM_SHOPIFY
+meta __SHORTENER_SHORT_SUBJ __URL_SHORTENER && __SUBJ_SHORT
+
uri __SHORT_URL /^https?:\/\/[^\/]{3,6}\.\w\w\/[^\/]{3,8}\/?$/
+ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+ rawbody __SHY_OBFU_EXPIRE /e(?!xpire)<SHY>{0,3}x<SHY>{0,3}p<SHY>{0,3}i<SHY>{0,3}r<SHY>{0,3}e/i
+endif
+
+ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
+ rawbody __SHY_OBFU_PASSWORD /p(?!assword)<SHY>{0,3}a<SHY>{0,3}s<SHY>{0,3}s<SHY>{0,3}w<SHY>{0,3}o<SHY>{0,3}r<SHY>{0,3}d/i
+endif
+
body __SINGLE_WORD_LINE /^\s?\S{1,60}\s?$/
tflags __SINGLE_WORD_LINE multiple maxhits=2
header __SUBJ_ADMIN Subject =~ /\b(?:(?:sys)?admin(?:istrator)?|server|service|support)\b/i
+header __SUBJ_ATTENTION Subject =~ /ATTENTION/
+
meta __SUBJ_BRKN_WORDNUMS __SUBJ_BROKEN_WORD && __TVD_SUBJ_NUM_OBFU
header __SUBJ_BROKEN_WORD Subject =~ /\s(?!i[PTM][aoh][bcdou]|e[MP]a[is])[a-z]{1,3}[A-Z][a-z]{2}/
meta __SUBJ_DOM_ADMIN __SUBJ_ADMIN && __PDS_FROM_NAME_TO_DOMAIN
-header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*Subject:\s+[^\n]{0,100}\1[>,:\s\n]/ism
+ header __SUBJ_HAS_FROM_1 ALL =~ /\nFrom: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*Subject: [^\n]{0,100}\1[>,:\s\n]/ism
-header __SUBJ_HAS_TO_1 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n+(?:[^\n]{1,200}\n+)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
+header __SUBJ_HAS_TO_1 ALL =~ /\nTo: (?:[^\n<]{0,80}<)?([^\n\s>,]+)>?\n+(?:[^\n]{1,200}\n+)*Subject: [^\n]{0,100}\1[^a-z0-9]/ism
-header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n+)*Subject:\s+[^\n]{0,100}\1[^a-z0-9]/ism
+header __SUBJ_HAS_TO_2 ALL =~ /\nReceived:[^\n]{0,200} for <?([^\n\s>;]+)>?;(?:[^\n]+\n+)*Subject: [^\n]{0,100}\1[^a-z0-9]/ism
-header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n+)*To:\s+[^\n]{0,100}\1[^a-z0-9.]/ism
+header __SUBJ_HAS_TO_3 ALL =~ /\nSubject:(?=[^\n]{0,200}@)[^\n]{0,200}([a-z][a-z0-9_.]{3,80}@(?:[a-z0-9_]{1,80}\.){1,4}[a-z]{2,30})(?:[^\n]+\n+)*To: [^\n]{0,100}\1[^a-z0-9.]/ism
header __SUBJ_NOT_SHORT Subject =~ /^.{16}/
meta __THREADED (!__MISSING_REPLY && !__NO_INR_YES_REF) || (__MISSING_REPLY && !__MISSING_REF)
tflags __THREADED nice
-header __THREAD_INDEX_GOOD Thread-Index =~ m,^A[a-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==|[A-Za-z0-9+/]{7}|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$,
+header __THREAD_INDEX_GOOD Thread-Index =~ m,^A[A-Za-z0-9][A-Za-z0-9+/]{27}(?:[A-Za-z0-9+/]{20})?(?:[AQgw]==|[A-Za-z0-9+/]{7}|[A-Za-z0-9+/]{13}[AEIMQUYcgkosw048]=)$,
header __TO_ALL_NUMS To:addr =~ /^\d+@/
tflags __TO_EQ_FM_DOM_SPF_FAIL net
endif
+meta __TO_EQ_FM_HTML_ONLY __TO_EQ_FROM && MIME_HTML_ONLY
+
if !plugin(Mail::SpamAssassin::Plugin::SPF)
meta __TO_EQ_FM_SPF_FAIL 0
endif
meta __TO_EQ_FROM (__TO_EQ_FROM_1 || __TO_EQ_FROM_2)
describe __TO_EQ_FROM To: same as From:
-header __TO_EQ_FROM_1 ALL =~ /\nFrom:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
+header __TO_EQ_FROM_1 ALL =~ /\nFrom: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To: (?:[^\n]{0,80}<)?\1[>,\s\n]/ism
-header __TO_EQ_FROM_2 ALL =~ /\nTo:\s+(?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From:\s+(?:[^\n]{0,80}<)?\1[>,\s\n]/ism
+header __TO_EQ_FROM_2 ALL =~ /\nTo: (?:[^\n<]{0,80}<)?([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From: (?:[^\n]{0,80}<)?\1[>,\s\n]/ism
meta __TO_EQ_FROM_DOM (__TO_EQ_FROM_DOM_1 || __TO_EQ_FROM_DOM_2)
describe __TO_EQ_FROM_DOM To: domain same as From: domain
-header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To:\s+[^\n]+@\1[>,\s\n]/ism
+header __TO_EQ_FROM_DOM_1 ALL =~ /\nFrom: [^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*To: [^\n]+@\1[>,\s\n]/ism
-header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo:\s+[^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From:\s+[^\n]+@\1[>,\s\n]/ism
+header __TO_EQ_FROM_DOM_2 ALL =~ /\nTo: [^\n@]{0,80}@([^\n\s>]+)>?\n+(?:[^\n]{1,100}\n+)*From: [^\n]+@\1[>,\s\n]/ism
meta __TO_EQ_FROM_USR (__TO_EQ_FROM_USR_1 || __TO_EQ_FROM_USR_2) && !(__FROM_DNS || __FROM_INFO || __SENDER_BOT)
describe __TO_EQ_FROM_USR To: username same as From: username
meta __TO_NO_BRKTS_PCNT __TO_NO_ARROWS_R && __FB_NUM_PERCNT
+header __TO_TOO_MANY To =~ /(?:,[^,]{1,90}){30}/
+
meta __TO_TOO_MANY_WFH_01 __TO_WAY_TOO_MANY && __WFH_01
header __TO_UNDISCLOSED To =~ /\b(?:undisclosed[-\s]recipients|destinataires inconnus|destinatari nascosti)\b/i
body __TO_YOUR_ORG /\b(?:to|for) your organi[sz]ation\b/i
-header __TO___LOWER ALL =~ /to:\s\S{5}/
+header __TO___LOWER ALL =~ /to: \S{5}/
-body __TRANSFORM_LIFE /\b(transform|change) your (?:daily )?life(?:style)?\b/i
+body __TRANSFORM_LIFE /\b(?:transform|change) your (?:daily )?life(?:style)?\b/i
body __TRAVEL_AGENT /\btravel\sagen(?:t|cy)\b/i
header __TT_BROKEN_VIAGRA Subject =~ /V[:^."%()*\[\\]?I[:^."%()*\[\\]?A[:^."%()*\[\\]?G[:^."%()*\[\\]?R[:^."%()*\[\\]?A/i
-header __TT_OBSCURED_VALIUM Subject =~ /(v|V|\\\/)(a|A|\(a\)|4|@)(l|L|\|)(i|I|1|\xef|\|)(u|U|\(u\))(m|M)/
+header __TT_OBSCURED_VALIUM Subject =~ /(?:v|V|\\\/)(?:a|A|\(a\)|4|@)(?:l|L|\|)(?:i|I|1|\xef|\|)(?:u|U|\(u\))(?:m|M)/
-header __TT_OBSCURED_VIAGRA Subject =~ /(v|V|\\\/)(i|I|1|\xef|\|)(a|A|\(a\)|4|@)(g|G)(r|R)(a|A|\(a\)|4|@)/
+header __TT_OBSCURED_VIAGRA Subject =~ /(?:v|V|\\\/)(?:i|I|1|\xef|\|)(?:a|A|\(a\)|4|@)(?:g|G)(?:r|R)(?:a|A|\(a\)|4|@)/
header __TT_VALIUM Subject =~ /VALIUM/i
header __UA_GNUS User-Agent =~ /^Gnus/
-header __UA_IMP User-Agent =~ /^Internet Messaging Program/
-
header __UA_KMAIL User-Agent =~ /^KMail/
header __UA_KNODE User-Agent =~ /^KNode/
header __UA_MOZ5 User-Agent =~ /^Mozilla\/5/
-header __UA_MSENTOUR User-Agent =~ /^Microsoft-Entourage/
-
header __UA_MSOEMAC User-Agent =~ /^Microsoft-Outlook-Express-Mac/
header __UA_MSOMAC User-Agent =~ /^Microsoft-MacOutlook\/(?:\d+\.){3}/
uri __URI_HEX_IP m;://0x[0-9A-F]{8,}[:/];i
-meta __URI_HOSTED_IMG ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT || __URI_IMG_FACEBOOK || __URI_IMG_TARINGANET || __URI_IMG_BEBEE || __URI_IMG_EFUSERASSETS || __URI_IMG_IMGBOX_THUMB || __URI_IMG_500PXORG || __URI_IMG_WIXMP || __URI_IMG_POSTIMGCC || __URI_IMG_GTRACING || __URI_IMG_JOOMCDN || __URI_IMG_DHRESOURCE )
+meta __URI_HOSTED_IMG ( __URI_IMG_EBAY || __URI_IMG_AMAZON || __URI_IMG_ALICDN || __URI_IMG_WALMART || __URI_IMG_NEWEGG || __URI_IMG_SHOPIFY || __URI_IMG_YTIMG || __URI_IMG_JOOMCDN || __URI_IMG_WISH || __URI_IMG_STATICBG || __URI_IMG_CHANNYPIC || __URI_IMG_TOPHATTER || __URI_IMG_GBTCDN || __URI_IMG_LINKEDIN || __URI_IMG_TUMBLR || __URI_IMG_TAGSTAT || __URI_IMG_FACEBOOK || __URI_IMG_TARINGANET || __URI_IMG_BEBEE || __URI_IMG_EFUSERASSETS || __URI_IMG_IMGBOX_THUMB || __URI_IMG_500PXORG || __URI_IMG_WIXMP || __URI_IMG_POSTIMGCC || __URI_IMG_GTRACING || __URI_IMG_JOOMCDN || __URI_IMG_DHRESOURCE || __URI_IMG_CWINDOWSNET)
uri __URI_IMG_500PXORG m;://drscdn\.500px\.org/photo/;i
uri __URI_IMG_CHANNYPIC m,://www\.channypicture\.com/pic/,i
+uri __URI_IMG_CWINDOWSNET m;://[^.]{12,}\.(?:blob|web)\.core\.windows\.net/.+\.(?:jpe?g|gif|png|webp);i
+
uri __URI_IMG_DHRESOURCE m;://www\.dhresource\.com/.+\.(?:jpe?g|gif|png|webp);i
uri __URI_IMG_EBAY m,://[^/?]+\.ebayimg\.com/,i
uri __URI_IMG_EFUSERASSETS m;://\d+\.efuserassets\.com/\d+/.+\.(?:jpe?g|gif|png|webp);i
-uri __URI_IMG_FACEBOOK m;://([^/.]+\.)+fbcdn\.net/v/.+\.(?:jpe?g|gif|png|webp);i
+uri __URI_IMG_FACEBOOK m;://(?:[^/.]+\.)+fbcdn\.net/v/.+\.(?:jpe?g|gif|png|webp);i
uri __URI_IMG_GBTCDN m;://des\.gbtcdn\.com/storage/store/[0-9a-f/]{30,}\.(?:png|gif|jpe?g|webp)$;i
uri __URI_PRODUCT_AMAZON m,://www\.amazon\.(?:com|co\.uk|[a-z][a-z])/dp/[a-z0-9]{10}/,i
-uri __URI_TRY_3LD m,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob|images?|photos?)\w)[^.]*\.(?:(?!list-manage\.)[^/.]+\.)+(?:com|net)\b,i
+uri __URI_TRY_3LD m,^https?://(?:try(?!r\.codeschool)|start|get(?!\.adobe)|save|check(?!out)|act|compare|join|learn(?!ing)|request|visit(?!or|\.vermont)|my(?!sub|turbotax|news\.apple|a\.godaddy|account|support|build|blob|images?|photos?)\w)[^.]*\.(?:(?!list-manage|lt\.)[^/.]+\.)+(?:com|net)\b,i
uri __URI_TRY_USME m,^https?://(?:try|start|get|save|check|act|compare|join|learn|request|visit|my)[^.]*\.[^/]+\.(?:us|me|mobi|club)\b,i
header __VACATION Subject =~ /\b(?:vacatio|away|out.of.offic|auto.?re|confirm)/i
tflags __VACATION nice
-body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails)|verify [a-z][a-z0-9_]{3,40}@[a-z][a-z0-9]{2,30}\.[a-z]{2,6}|your mailbox [^@\s]{3,30}@\S{3,30} (?:(?:needs to|must) be verified|(?:needs|requires) verification))\b/i
+body __VALIDATE_MAILBOX /\b(?:(?:re-?)?(?:valida(?:te|r)|confirm|set)(?:\S?(?:increase|raise))? (?:your|(?:a )?sua) (?:mail\s?box|(?:e-?)?mail quota|caixa)|confirmar (?:que )?a sua conta (?:de e-?mail|ainda est(?:=E1|[\xe1]|[\xc3][\xa1]) ativa)|wprowadz dane konta ponizej|utrzymania aktywnego konta e-?mail|weryfikacji konta|you (?:have )?(?:failed|refused) to (?:verify|validate)|(?:e-?mail|confirm) verification|verify k?now|logs?in below to (?:\S+\s){0,10}(?:download|release|retrieve) your (?:messages|e?-?mails)|verify [a-z][a-z0-9_]{3,40}@[a-z][a-z0-9]{2,30}\.[a-z]{2,6}|your mailbox [^@\s]{3,30}@\S{3,30} (?:(?:needs to|must) be verified|(?:needs|requires) verification))\b/i
tflags __VALIDATE_MAILBOX multiple maxhits=2
body __VALIDATE_MBOX_SE /(?:\b=E5|[\xe5]|[\xc3][\xa5])terst(?:=E4|\xe4|[\xc3][\xa4])lla ditt konto\b/i
meta __VFY_ACCT_NORDNS __VERIFY_ACCOUNT && __RDNS_NONE
+meta __VISTA_COST __VISTA_MSGID && __FB_COST
+
+meta __VISTA_TONOM_EQ_TOLOC __VISTA_MSGID && __PDS_TONAME_EQ_TOLOCAL
+
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
header __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i
header __XEROXWORKCTR_MUA X-Mailer =~ /^WorkCentre \D?\d[\d\.]\d+/
+meta __XFER_LOTSA_MONEY __XFER_MONEY && LOTS_OF_MONEY
+
meta __XFER_MONEY (__WIRE_XFR || __TRUSTED_CHECK || __BANK_DRAFT || __MOVE_MONEY || __TO_YOUR_ACCT || __PAY_YOU || __GIVE_MONEY)
ifplugin Mail::SpamAssassin::Plugin::FreeMail
header __XM_CALYPSO X-Mailer =~ /^Calypso/
-header __XM_COMMUNIG X-Mailer =~ /^CommuniGate/
-
header __XM_DIGITS_ONLY X-Mailer =~ /^\s*\d+\s*$/
header __XM_EC_MESSENGER X-Mailer =~ /\beC-Messenger\b/
-header __XM_EDMAX X-Mailer =~ /^EdMax/
-
-header __XM_ELM X-Mailer =~ /^ELM/
-
-header __XM_EMUMAIL X-Mailer =~ /^EMUmail/
-
-header __XM_EXMH X-Mailer =~ /^exmh/
-
header __XM_FORTE X-Mailer =~ /^Forte Agent \d/
header __XM_GNUS X-Mailer =~ /^Gnus v/
-header __XM_IMAIL X-Mailer =~ /^<IMail v\d/
-
-header __XM_LOTUSN X-Mailer =~ /^Lotus Notes/
-
-header __XM_MAILCITY X-Mailer =~ /^MailCity Service/
-
-header __XM_MAILSMITH X-Mailer =~ /^Mailsmith /
-
header __XM_MHE X-Mailer =~ /^mh-e \d/
-header __XM_MIMETOOLS X-Mailer =~ /^MIME-tools \d/i
-
header __XM_MOZ4 X-Mailer =~ /^Mozilla 4/
-header __XM_MSCDO X-Mailer =~ /^Microsoft CDO/
-
header __XM_MSOE5 X-Mailer =~ /^Microsoft Outlook Express 5/
header __XM_MSOE6 X-Mailer =~ /^Microsoft Outlook Express 6/
-header __XM_MSOUT X-Mailer =~ /^Microsoft Outlook[, ]?\s?[BIC]/ #Build, IMO, CWS
-
header __XM_MS_IN_GENERAL X-Mailer =~ /\bMSCRM\b|Microsoft (?:CDO|Outlook|Office Outlook)\b/
header __XM_OL_10_0_4115 X-Mailer =~ /^Microsoft Outlook, Build 10.0.4115$/
header __XM_OL_4_72_2106_4 X-Mailer =~ /^Microsoft Outlook Express 4.72.2106.4$/
-header __XM_OPERA6 X-Mailer =~ /^Opera 6/
-
header __XM_OUTLOOK_EXPRESS X-Mailer =~ /^Microsoft Outlook Express \d/
-header __XM_PEGASUS X-Mailer =~ /^Pegasus Mail/
-
header __XM_PHPMAILER_FORGED X-Mailer =~ /PHPMailer\s.*version\D+$/
-header __XM_QUALCOM X-Mailer =~ /^QUALCOMM Windows Eudora/
-
header __XM_RANDOM X-Mailer =~ /q(?!(?:q|box|i\s)?mail|\d|[-\w]*=+;)[^u]/i
header __XM_SKYRI X-Mailer =~ /^SKYRiXgreen/
meta __XPRIO_SHORT_SUBJ __XPRIO_MINFP && __SUBJ_SHORT
+meta __XPRIO_VISTA __XPRIO_MINFP && __VISTA_MSGID
+
ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
mimeheader __X_MSO_MT Content-Type =~ m,\bapplication/x-mso\b,i
endif
body __hk_bigmoney /(?:EURO?|USD?|GBP|CFA|\&\#163;|[\xa3\xa4]|\$|sum of).{0,4}(?:[0-9]{3}[^0-9a-z]?[0-9]{3}|[0-9.,]{1,4}(?: ?M\b| ?(?:de )?Mil))/i
-body __hk_win_0 /\byour? e-?mail just w[oi]n/i
-
-body __hk_win_2 /\battn.{0,10}winner/i
-
-body __hk_win_3 /\bhappily aa?nnounce/i
-
-body __hk_win_4 /\bpleas(?:ure|ed) to inform/i
-
-body __hk_win_5 /\b(?:notice the|your) winning/i
-
-body __hk_win_7 /\bcongratulations? to your/i
-
-body __hk_win_8 /\bunexpected luck/i
-
-body __hk_win_9 /\blucky (?:nl )number/i
-
-body __hk_win_a /\bwinning (?:e-?mail|numbers|information)/i
-
-body __hk_win_b /\byour e-?mail (?:address )?(?:has )?w[io]n/i
-
-body __hk_win_c /\bune adresse e-?mail sur internet/i
-
-body __hk_win_d /\bcategory (?:\S{0,5} )?winner of our/i
-
-body __hk_win_i /\bfunds? transfer/i
-
-body __hk_win_j /\b(?:winning|ready for|sum) pay ?out/i
-
-body __hk_win_l /\b(?:make|file) (?:for )?your claim/i
-
-body __hk_win_m /\br.clamation de votre prix/i
-
-body __hk_win_n /\bcollect your prize/i
-
-body __hk_win_o /\bclarification and procedure/i
-
ifplugin Mail::SpamAssassin::Plugin::FreeMail
header __smf_freemail_hdr_replyto eval:check_freemail_header('Reply-To:addr')
endif